Pointproofs: Aggregating Proofs for Multiple Vector Commitments 学习笔记2
1. 引言
在博客 Pointproofs: Aggregating Proofs for Multiple Vector Commitments 学习笔记1中,主要对 Algorand团队Gorbunov等人2020年论文《Pointproofs: Aggregating Proofs for Multiple Vector Commitments》做了一个总体的梳理。该论文在 Libert和Yung 2010年论文《Concise mercurial vector commitments and independent zero-knowledge sets with short proofs》的基础上,做了以下改进:
- 采用了非对称bilinear pairing group,并针对 G 1 \mathbb{G}_1 G1域内的运算效率> G 2 \mathbb{G}_2 G2> G T \mathbb{G}_T GT,对Verify算法做了优化(计算 r = ( ∑ i ∈ S m i t i ) − 1 m o d p r=(\sum_{i\in S}m_it_i)^{-1}\ mod\ p r=(∑i∈Smiti)−1 mod p,将 G T \mathbb{G}_T GT域内的运算转移到 G 1 \mathbb{G}_1 G1域内):
- 采用Random Oracle Model,基于hash函数 H H H引入了随机参数 t i = H ( i , C , S , m ⃗ [ S ] ) t_i=H(i,C,S,\vec{m}[S]) ti=H(i,C,S,m[S])来实现same-commitment aggregation;基于hash函数 H H H和 H ′ H' H′引入了随机参数 t j , i = H ( i , C j , S j , m ⃗ j [ S j ] ) t_{j,i}=H(i,C_j,S_j,\vec{m}_j[S_j]) tj,i=H(i,Cj,Sj,mj[Sj])和 t j ′ = H ′ ( j , { C j , S j , m ⃗ j [ S j ] } j ∈ [ l ] ) t_j'=H'(j,\{C_j,S_j,\vec{m}_j[S_j]\}_{j\in[l]}) tj′=H′(j,{Cj,Sj,mj[Sj]}j∈[l])来实现cross-commitment aggregation。
本博客将重点关注:
- proof of correctness/binding for same-commitment aggregation
- proof of correctness/binding for cross-commitment aggregation
- same-commitment aggregation from CDH-like assumption
- weak binding and realization
- cross-commitment aggregation from polynomial commitments
- https://github.com/algorand/pointproofs 代码解析
该论文实现的binding属性是基于AGW+ROM model under the l l l-wBDHE assumption:(详细定义参见博客 Pointproofs: Aggregating Proofs for Multiple Vector Commitments 学习笔记1 1.1节内容)
2. proof of correctness/binding for same-commitment aggregation
2.1 same commitment aggregation
具体的实现为:
-
Setup( 1 λ , 1 N 1^{\lambda},1^N 1λ,1N):取随机值 α ← Z p \alpha\leftarrow \mathbb{Z}_p α←Zp,输出:【其中 a ⃗ = ( α , α 2 , ⋯ , α N ) \vec{a}=(\alpha,\alpha^2,\cdots,\alpha^N) a=(α,α2,⋯,αN)】
g 1 a ⃗ = ( g 1 α , ⋯ , g 1 α N ) g_1^{\vec{a}}=(g_1^\alpha,\cdots,g_1^{\alpha^N}) g1a=(g1α,⋯,g1αN)
g 1 α N a ⃗ [ − 1 ] = ( g 1 α N + 2 , ⋯ , g 1 α 2 N ) g_1^{\alpha^N\vec{a}[-1]}=(g_1^{\alpha^{N+2}},\cdots,g_1^{\alpha^{2N}}) g1αNa[−1]=(g1αN+2,⋯,g1α2N)
g 2 a ⃗ = ( g 2 α , ⋯ , g 2 α N ) g_2^{\vec{a}}=(g_2^\alpha,\cdots,g_2^{\alpha^N}) g2a=(g2α,⋯,g2αN)
g T α N + 1 = e ( g 1 α , g 2 α N ) g_T^{\alpha^{N+1}}=e(g_1^{\alpha},g_2^{\alpha^N}) gTαN+1=e(g1α,g2αN)
Prove key为: g 1 a ⃗ , g 1 α N a ⃗ [ − 1 ] g_1^{\vec{a}},g_1^{\alpha^N\vec{a}[-1]} g1a,g1αNa[−1]
Verify key为: g 2 a ⃗ , g T α N + 1 g_2^{\vec{a}},g_T^{\alpha^{N+1}} g2a,gTαN+1
而 α \alpha α为有毒垃圾,trusted setup后应直接丢弃,must never be known to the adversary。 -
Commit( m ⃗ \vec{m} m) for m ⃗ ∈ Z p N \vec{m}\in \mathbb{Z}_p^N m∈ZpN:
C = g 1 m ⃗ T a ⃗ = g 1 ∑ i ∈ N m i α i C=g_1^{\vec{m}^T\vec{a}}=g_1^{\sum_{i\in N}m_i\alpha^i} C=g1mTa=g1∑i∈Nmiαi -
UpdateCommit( C , S , m ⃗ [ S ] , m ⃗ ′ [ S ] C,S,\vec{m}[S],\vec{m}'[S] C,S,m[S],m′[S]):
C ′ = C ⋅ g 1 ( m ⃗ ′ [ S ] − m ⃗ [ S ] ) T a ⃗ [ S ] = C ⋅ g 1 ∑ i ∈ S ( m i ′ − m i ) α i C'=C\cdot g_1^{(\vec{m}'[S]-\vec{m}[S])^T\vec{a}[S]}=C\cdot g_1^{\sum_{i\in S}(m_i'-m_i)\alpha^i} C′=C⋅g1(m′[S]−m[S])Ta[S]=C⋅g1∑i∈S(mi′−mi)αi -
Prove( i , m ⃗ i,\vec{m} i,m):open第 i i i个位置。
π i = g 1 α N + 1 − i m ⃗ [ − i ] T a ⃗ [ − i ] = g 1 ∑ j ∈ [ N ] − { i } m j α N + 1 − i + j \pi_i=g_1^{\alpha^{N+1-i}\vec{m}[-i]^T\vec{a}[-i]}=g_1^{\sum_{j\in [N]-\{i\}}m_j\alpha^{N+1-i+j}} πi=g1αN+1−im[−i]Ta[−i]=g1∑j∈[N]−{i}mjαN+1−i+j
其中 g 1 α N + 1 − i a ⃗ [ − i ] g_1^{\alpha^{N+1-i}\vec{a}[-i]} g1αN+1−ia[−i]均已包含在了Prove key中了。
若 m j m_j mj at index j ≠ i j\neq i j=i changes to m j ′ m_j' mj′,则 π i ′ = π ⋅ g 1 ( m j ′ − m j ) α N + 1 − i + j \pi_i'=\pi\cdot g_1^{(m_j'-m_j)\alpha^{N+1-i+j}} πi′=π⋅g1(mj′−mj)αN+1−i+j,若 m i m_i mi changes to m i ′ m_i' mi′,则proof 不变 π i ′ = π i \pi_i'=\pi_i πi′=πi。但是两种情况下,commitment C C C均需要更新为 C ′ C' C′。 -
Aggregate( C , S , m ⃗ [ S ] , { π i : i ∈ S } C,S,\vec{m}[S],\{\pi_i:i\in S\} C,S,m[S],{πi:i∈S}):
π ^ = ∏ i ∈ S π i t i \hat{\pi}=\prod_{i\in S}\pi_i^{t_i} π^=∏i∈Sπiti
其中 t i = H ( i , C , S , m ⃗ [ S ] ) t_i=H(i,C,S,\vec{m}[S]) ti=H(i,C,S,m[S]) -
Verify( C , S , m ⃗ [ S ] , π ^ C,S,\vec{m}[S],\hat{\pi} C,S,m[S],π^):
验证 e ( C , g 2 ∑ i ∈ S α N + 1 − i t i ) = e ( π ^ , g 2 ) ⋅ g T α N + 1 ∑ i ∈ S m i t i e(C,g_2^{\sum_{i\in S}\alpha^{N+1-i}t_i})=e(\hat{\pi},g_2)\cdot g_T^{\alpha^{N+1}\sum_{i\in S}m_it_i} e(C,g2∑i∈SαN+1−iti)=e(π^,g2)⋅gTαN+1∑i∈Smiti 是否成立。
其中 t i = H ( i , C , S , m ⃗ [ S ] ) t_i=H(i,C,S,\vec{m}[S]) ti=H(i,C,S,m[S])
2.2 proof of correctness for same-commitment aggregation
对于任意的 i ∈ [ N ] , π i = P r o v e ( i , m ⃗ ) = g 1 α N + 1 − i m ⃗ [ − i ] T a ⃗ [ − i ] i\in [N],\pi_i=Prove(i,\vec{m})=g_1^{\alpha^{N+1-i}\vec{m}[-i]^T\vec{a}[-i]} i∈[N],πi=Prove(i,m)=g1αN+1−im[−i]Ta[−i],对Commit/Prove/Aggregate/Verify整个流程,可分两步证明:
- 1)证明 e ( C , g 2 α N + 1 − i ) = e ( π i , g 2 ) ⋅ g T α N + 1 m i e(C,g_2^{\alpha^{N+1-i}})=e(\pi_i,g_2)\cdot g_T^{\alpha^{N+1}m_i} e(C,g2αN+1−i)=e(πi,g2)⋅gTαN+1mi
- 2)证明 e ( C , g 2 ∑ i ∈ S α N + 1 − i t i ) = e ( π ^ , g 2 ) ⋅ g T α N + 1 ∑ i ∈ S m i t i e(C,g_2^{\sum_{i\in S}\alpha^{N+1-i}t_i})=e(\hat{\pi},g_2)\cdot g_T^{\alpha^{N+1}\sum_{i\in S}m_it_i} e(C,g2∑i∈SαN+1−iti)=e(π^,g2)⋅gTαN+1∑i∈Smiti
具体为:
1)有 m ⃗ T a ⃗ = m ⃗ [ − i ] T a ⃗ [ − i ] + α i m i \vec{m}^T\vec{a}=\vec{m}[-i]^T\vec{a}[-i]+\alpha^im_i mTa=m[−i]Ta[−i]+αimi
等式左右两边同时乘以 α N + 1 − i \alpha^{N+1-i} αN+1−i,有:
( m ⃗ T a ⃗ ) α N + 1 − i = α N + 1 − i m ⃗ [ − i ] T a ⃗ [ − i ] + α N + 1 m i (\vec{m}^T\vec{a})\alpha^{N+1-i}=\alpha^{N+1-i}\vec{m}[-i]^T\vec{a}[-i]+\alpha^{N+1}m_i (mTa)αN+1−i=αN+1−im[−i]Ta[−i]+αN+1mi
转换为pairing计算,有:
e ( g 1 m ⃗ T a ⃗ , g 2 α N + 1 − i ) = e ( g 1 α N + 1 − i m ⃗ [ − i ] T a ⃗ [ − i ] , g 2 ) ⋅ g T α N + 1 m i e(g_1^{\vec{m}^T\vec{a}},g_2^{\alpha^{N+1-i}})=e(g_1^{\alpha^{N+1-i}\vec{m}[-i]^T\vec{a}[-i]},g_2)\cdot g_T^{\alpha^{N+1}m_i} e(g1mTa,g2αN+1−i)=e(g1αN+1−im[−i]Ta[−i],g2)⋅gTαN+1mi
从而证明了 e ( C , g 2 α N + 1 − i ) = e ( π i , g 2 ) ⋅ g T α N + 1 m i e(C,g_2^{\alpha^{N+1-i}})=e(\pi_i,g_2)\cdot g_T^{\alpha^{N+1}m_i} e(C,g2αN+1−i)=e(πi,g2)⋅gTαN+1mi 成立。
2)在 e ( C , g 2 α N + 1 − i ) = e ( π i , g 2 ) ⋅ g T α N + 1 m i e(C,g_2^{\alpha^{N+1-i}})=e(\pi_i,g_2)\cdot g_T^{\alpha^{N+1}m_i} e(C,g2αN+1−i)=e(πi,g2)⋅gTαN+1mi的基础上,等式左右两侧均进行 t i t_i ti次幂乘,则有:
e ( C , g 2 α N + 1 − i t i ) = e ( π i t i , g 2 ) ⋅ g T α N + 1 m i t i e(C,g_2^{\alpha^{N+1-i}t_i})=e(\pi_i^{t_i},g_2)\cdot g_T^{\alpha^{N+1}m_it_i} e(C,g2αN+1−iti)=e(πiti,g2)⋅gTαN+1miti
将要open的 S S S集合内的所有公式均乘一块,有(for all i ∈ S i\in S i∈S):
e ( C , g 2 ∑ i ∈ S α N + 1 − i t i ) = e ( ∏ i ∈ S π i t i , g 2 ) ⋅ g T α N + 1 ∑ i ∈ S m i t i = e ( π ^ , g 2 ) ⋅ g T α N + 1 ∑ i ∈ S m i t i e(C,g_2^{\sum_{i\in S}\alpha^{N+1-i}t_i})=e(\prod_{i\in S}\pi_i^{t_i},g_2)\cdot g_T^{\alpha^{N+1}\sum_{i\in S}m_it_i}=e(\hat{\pi},g_2)\cdot g_T^{\alpha^{N+1}\sum_{i\in S}m_it_i} e(C,g2∑i∈SαN+1−iti)=e(∏i∈Sπiti,g2)⋅gTαN+1∑i∈Smiti=e(π^,g2)⋅gTαN+1∑i∈Smiti 成立。
证明UpdateCommit算法正确性的思路为:
m ⃗ ′ T a ⃗ = ( m ⃗ ′ [ S ] − m ⃗ [ S ] ) T a ⃗ [ S ] + m ⃗ T a ⃗ \vec{m}'^T\vec{a}=(\vec{m}'[S]-\vec{m}[S])^T\vec{a}[S]+\vec{m}^T\vec{a} m′Ta=(m′[S]−m[S])Ta[S]+mTa 等式恒成立。
2.3 proof of binding for same-commitment aggregation
采用归谬法来证明,假设adversary 可计算 C = g 1 z ⃗ T a ⃗ C=g_1^{\vec{z}^T\vec{a}} C=g1zTa,并为 ( S , m ⃗ [ S ] ) (S,\vec{m}[S]) (S,m[S])提供proof π ^ \hat{\pi} π^【其中 m ⃗ [ S ] ≠ z ⃗ [ S ] \vec{m}[S]\neq \vec{z}[S] m[S]=z[S]】,使得 π ^ \hat{\pi} π^可被Verify通过。
e ( g 1 z ⃗ T a ⃗ , g 2 ∑ i ∈ S α N + 1 − i t i ) = e ( π ^ , g 2 ) ⋅ g T α N + 1 ∑ i ∈ S z i t i = e ( π ^ , g 2 ) ⋅ g T α N + 1 ∑ i ∈ S m i t i e(g_1^{\vec{z}^T\vec{a}},g_2^{\sum_{i\in S}\alpha^{N+1-i}t_i})=e(\hat{\pi},g_2)\cdot g_T^{\alpha^{N+1}\sum_{i\in S}z_it_i}=e(\hat{\pi},g_2)\cdot g_T^{\alpha^{N+1}\sum_{i\in S}m_it_i} e(g1zTa,g2∑i∈SαN+1−iti)=e(π^,g2)⋅gTαN+1∑i∈Sziti=e(π^,g2)⋅gTαN+1∑i∈Smiti
注意adversary也不知道 g 1 α N + 1 g_1^{\alpha^{N+1}} g1αN+1,即 log g 1 π ^ \log_{g_1}\hat{\pi} logg1π^ 中 α N + 1 \alpha^{N+1} αN+1 项的系数应为 0 0 0。
比较上述等式中 g T α N + 1 g_T^{\alpha^{N+1}} gTαN+1的系数应满足:
∑ i ∈ S m i t i ≡ p ∑ i ∈ S z i t i \sum_{i\in S}m_it_i\equiv_p \sum_{i \in S}z_it_i ∑i∈Smiti≡p∑i∈Sziti
用向量表示,应满足:
z ⃗ [ S ] T t ⃗ ≡ p m ⃗ [ S ] T t ⃗ \vec{z}[S]^T\vec{t}\equiv_p \vec{m}[S]^T\vec{t} z[S]Tt≡pm[S]Tt
其中 t ⃗ = ( H ( i , C , S , m ⃗ [ S ] ) , i ∈ S ) \vec{t}=(H(i,C,S,\vec{m}[S]),i\in S) t=(H(i,C,S,m[S]),i∈S)
假设当 ( S , z ⃗ [ S ] , m ⃗ [ S ] ) (S,\vec{z}[S],\vec{m}[S]) (S,z[S],m[S])确定后, t ⃗ ← Z p ∣ S ∣ \vec{t}\leftarrow \mathbb{Z}_p^{|S|} t←Zp∣S∣为chosen uniformly at random 时,则有:
Pr t ⃗ [ z ⃗ [ S ] ̸ ≡ p m ⃗ [ S ] a n d z ⃗ [ S ] T t ⃗ ≡ p m ⃗ [ S ] T t ⃗ ] = 1 / p \Pr_{\vec{t}}[\vec{z}[S]\not\equiv_p \vec{m}[S]\ and\ \vec{z}[S]^T\vec{t}\equiv_p \vec{m}[S]^T\vec{t}]=1/p Prt[z[S]≡pm[S] and z[S]Tt≡pm[S]Tt]=1/p
即相应的概率可忽略。
因此问题的关键在于:ensure the uniform choice of t ⃗ \vec{t} t for any fixed ( S , z ⃗ [ S ] , m ⃗ [ S ] ) (S,\vec{z}[S],\vec{m}[S]) (S,z[S],m[S])。
注意有:
- C C C determines z ⃗ \vec{z} z in AGM;
- C , S , m ⃗ [ S ] C,S,\vec{m}[S] C,S,m[S]为random oracle H ( i , ⋅ , ⋅ , ⋅ ) H(i,\cdot,\cdot,\cdot) H(i,⋅,⋅,⋅) 的input,输出为 t i t_i ti。
若adversary可以找到相应的 m i ≠ z i m_i\neq z_i mi=zi值,使得:
∑ i ∈ S z i t i ≡ p ∑ i ∈ S m i t i \sum_{i\in S}z_it_i\equiv_p \sum_{i \in S}m_it_i ∑i∈Sziti≡p∑i∈Smiti
成立,则binding属性不成立。
2.3.1 为何需要将 C , S , m ⃗ [ S ] C,S,\vec{m}[S] C,S,m[S]作为 H H H的input?
t i = H ( i , ⋅ , ⋅ , ⋅ ) t_i=H(i,\cdot,\cdot,\cdot) ti=H(i,⋅,⋅,⋅),为什么需要将 C , S , m ⃗ [ S ] C,S,\vec{m}[S] C,S,m[S]作为 H H H的input?
- 若 t i t_i ti与 m i m_i mi无关,则adversary可指定 ∣ S ∣ − 1 |S|-1 ∣S∣−1个 m i m_i mi的值,并根据 ∑ i ∈ S z i t i ≡ p ∑ i ∈ S m i t i \sum_{i\in S}z_it_i\equiv_p \sum_{i \in S}m_it_i ∑i∈Sziti≡p∑i∈Smiti等式计算最后一个 m i m_i mi的值。从而破坏了binding属性。
- 若 t i = H ( i , C ) t_i=H(i,C) ti=H(i,C),Wanger’s attack可产生a 2 log p 2^{\sqrt{\log p}} 2logp algorithm that given { z i t i , m i t i } i ∈ [ N ] \{z_it_i,m_it_i\}_{i \in [N]} {ziti,miti}i∈[N],从而计算a set S S S of size 2 log p 2^{\sqrt{\log p}} 2logp 使得 ∑ i ∈ S z i t i ≡ p ∑ i ∈ S m i t i \sum_{i\in S}z_it_i\equiv_p \sum_{i \in S}m_it_i ∑i∈Sziti≡p∑i∈Smiti 等式成立。对于128-bit security level for the curve(如 log p ≈ 256 \log p\approx 256 logp≈256), 2 log p ≈ 2 16 2^{\sqrt{\log p}}\approx 2^{16} 2logp≈216,which makes for a very pratical attack。
- 若 t i = H ( i , C , S ) t_i=H(i,C,S) ti=H(i,C,S),可能存在与 t i = H ( i , C ) t_i=H(i,C) ti=H(i,C)类似的攻击。【It seems plausible that the attack also extends to the setting of t i = H ( i , C , S ) t_i = H(i, C, S) ti=H(i,C,S): it would suffice to extend Wagner’s algorithm to finding values that sum to a given constant, because the values of the elements of S are not committed, and thus, although ∑ i ∈ S z i t i \sum_{i\in S} z_it_i ∑i∈Sziti is fixed, the attacker can choose from a list of random m i m_i mi for each i ∈ S i \in S i∈S.】
2.3.2 binding for same-commitment aggregation 分析
分为两步来分析:
1)bounding “lucky” queries。
相当于对于固定 C , S , m ⃗ [ S ] C,S,\vec{m}[S] C,S,m[S],寻找符合要求的 z ⃗ 和 y ⃗ \vec{z}和\vec{y} z和y,满足 C = g 1 z ⃗ T a ⃗ + α N y ⃗ T a ⃗ [ − 1 ] C=g_1^{\vec{z}^T\vec{a}+\alpha^N\vec{y}^T\vec{a}[-1]} C=g1zTa+αNyTa[−1],同时满足 m ⃗ [ S ] ̸ ≡ p z ⃗ [ S ] 且 ( m ⃗ [ S ] − z ⃗ [ S ] ) T t ⃗ ≡ p 0 \vec{m}[S]\not\equiv_p\vec{z}[S]且(\vec{m}[S]-\vec{z}[S])^T\vec{t}\equiv_p 0 m[S]≡pz[S]且(m[S]−z[S])Tt≡p0。若能找到相应的 z ⃗ 和 y ⃗ \vec{z}和\vec{y} z和y,则称为“H-lucky”。
正常open为 { z i } i ∈ [ S ] \{z_i\}_{i\in [S]} {zi}i∈[S]的话,则 e ( C , g 2 ∑ i ∈ S α N + 1 − i t i ) = e ( g 1 z ⃗ T a ⃗ , g 2 ∑ i ∈ S α N + 1 − i t i ) = e ( π ^ , g 2 ) ⋅ g T α N + 1 ∑ i ∈ S z i t i e(C,g_2^{\sum_{i\in S}\alpha^{N+1-i}t_i})=e(g_1^{\vec{z}^T\vec{a}},g_2^{\sum_{i\in S}\alpha^{N+1-i}t_i})=e(\hat{\pi},g_2)\cdot g_T^{\alpha^{N+1}\sum_{i\in S}z_it_i} e(C,g2∑i∈SαN+1−iti)=e(g1zTa,g2∑i∈SαN+1−iti)=e(π^,g2)⋅gTαN+1∑i∈Sziti 等式是恒成立的。若想作弊open为 { m i } i ∈ [ S ] , 其 中 m ⃗ [ S ] ≠ z ⃗ [ S ] \{m_i\}_{i\in [S]},其中\vec{m}[S]\neq \vec{z}[S] {mi}i∈[S],其中m[S]=z[S]的话,则在等式两边都乘以 e ( g 1 ∑ j ∈ [ N − 1 ] y j α N + 1 + j , g 2 ∑ i ∈ S α N + 1 − i t i ) e(g_1^{\sum_{j\in[N-1]}y_j\alpha^{N+1+j}},g_2^{\sum_{i\in S}\alpha^{N+1-i}t_i}) e(g1∑j∈[N−1]yjαN+1+j,g2∑i∈SαN+1−iti)的话,则有:
-
等式左边为: e ( g 1 z ⃗ T a ⃗ , g 2 ∑ i ∈ S α N + 1 − i t i ) ⋅ e ( g 1 ∑ j ∈ [ N − 1 ] y j α N + 1 + j , g 2 ∑ i ∈ S α N + 1 − i t i ) = e ( g 1 ∑ i ∈ [ N ] z i α i + ∑ j ∈ [ N − 1 ] y j α N + 1 + j , g 2 ∑ i ∈ S α N + 1 − i t i ) = e ( C ′ , g 2 ∑ i ∈ S α N + 1 − i t i ) e(g_1^{\vec{z}^T\vec{a}},g_2^{\sum_{i\in S}\alpha^{N+1-i}t_i})\cdot e(g_1^{\sum_{j\in[N-1]}y_j\alpha^{N+1+j}},g_2^{\sum_{i\in S}\alpha^{N+1-i}t_i})=e(g_1^{\sum_{i\in[N]}z_i\alpha^i+\sum_{j\in[N-1]}y_j\alpha^{N+1+j}},g_2^{\sum_{i\in S}\alpha^{N+1-i}t_i})=e(C',g_2^{\sum_{i\in S}\alpha^{N+1-i}t_i}) e(g1zTa,g2∑i∈SαN+1−iti)⋅e(g1∑j∈[N−1]yjαN+1+j,g2∑i∈SαN+1−iti)=e(g1∑i∈[N]ziαi+∑j∈[N−1]yjαN+1+j,g2∑i∈SαN+1−iti)=e(C′,g2∑i∈SαN+1−iti)
-
等式右边为: e ( π ^ , g 2 ) ⋅ g T α N + 1 ∑ i ∈ S z i t i ⋅ e ( g 1 ∑ j ∈ [ N − 1 ] y j α N + 1 + j , g 2 ∑ i ∈ S α N + 1 − i t i ) = e ( π ^ , g 2 ) ⋅ g T α N + 1 ∑ i ∈ S z i t i ⋅ e ( g 1 , g 2 ) α N + 1 ∑ j ∈ [ N − 1 ] y j α j ⋅ ∑ i ∈ [ S ] α N + 1 − i t i e(\hat{\pi},g_2)\cdot g_T^{\alpha^{N+1}\sum_{i\in S}z_it_i}\cdot e(g_1^{\sum_{j\in[N-1]}y_j\alpha^{N+1+j}},g_2^{\sum_{i\in S}\alpha^{N+1-i}t_i})=e(\hat{\pi},g_2)\cdot g_T^{\alpha^{N+1}\sum_{i\in S}z_it_i}\cdot e(g_1,g_2)^{\alpha^{N+1}\sum_{j\in[N-1]}y_j\alpha^j\cdot\sum_{i\in[S]}\alpha^{N+1-i}t_i} e(π^,g2)⋅gTαN+1∑i∈Sziti⋅e(g1∑j∈[N−1]yjαN+1+j,g2∑i∈SαN+1−iti)=e(π^,g2)⋅gTαN+1∑i∈Sziti⋅e(g1,g2)αN+1∑j∈[N−1]yjαj⋅∑i∈[S]αN+1−iti
其中 ∑ j ∈ [ N − 1 ] y j α j ⋅ ∑ i ∈ [ S ] α N + 1 − i t i = ∑ i ∈ [ S ] ( t i ⋅ ∑ j ∈ [ N − 1 ] y j α N + 1 − i + j ) = ∑ i ∈ [ S ] t i x i \sum_{j\in[N-1]}y_j\alpha^j\cdot\sum_{i\in[S]}\alpha^{N+1-i}t_i=\sum_{i\in [S]}(t_i\cdot \sum_{j\in[N-1]}y_j\alpha^{N+1-i+j})=\sum_{i\in[S]}t_ix_i ∑j∈[N−1]yjαj⋅∑i∈[S]αN+1−iti=∑i∈[S](ti⋅∑j∈[N−1]yjαN+1−i+j)=∑i∈[S]tixi, x i = ∑ j ∈ [ N − 1 ] y j α N + 1 − i + j x_i=\sum_{j\in[N-1]}y_j\alpha^{N+1-i+j} xi=∑j∈[N−1]yjαN+1−i+j。
这样就有 e ( C ′ , g 2 ∑ i ∈ S α N + 1 − i t i ) = e ( π ^ , g 2 ) ⋅ g T α N + 1 ∑ i ∈ S z i t i ⋅ g T α N + 1 ∑ i ∈ [ S ] t i x i = e ( π ^ , g 2 ) ⋅ g T α N + 1 ∑ i ∈ S ( z i + x i ) t i = e ( π ^ , g 2 ) ⋅ g T α N + 1 ∑ i ∈ S m i t i e(C',g_2^{\sum_{i\in S}\alpha^{N+1-i}t_i})=e(\hat{\pi},g_2)\cdot g_T^{\alpha^{N+1}\sum_{i\in S}z_it_i}\cdot g_T^{\alpha^{N+1}\sum_{i\in[S]}t_ix_i}=e(\hat{\pi},g_2)\cdot g_T^{\alpha^{N+1}\sum_{i\in S}(z_i+x_i)t_i}=e(\hat{\pi},g_2)\cdot g_T^{\alpha^{N+1}\sum_{i\in S}m_it_i} e(C′,g2∑i∈SαN+1−iti)=e(π^,g2)⋅gTαN+1∑i∈Sziti⋅gTαN+1∑i∈[S]tixi=e(π^,g2)⋅gTαN+1∑i∈S(zi+xi)ti=e(π^,g2)⋅gTαN+1∑i∈Smiti
其中:
m i = z i + x i = z i + ∑ j ∈ [ N − 1 ] y j α N + 1 − i + j m_i=z_i+x_i=z_i+\sum_{j\in[N-1]}y_j\alpha^{N+1-i+j} mi=zi+xi=zi+∑j∈[N−1]yjαN+1−i+j
C ′ = g 1 ∑ i ∈ [ N ] z i α i + ∑ j ∈ [ N − 1 ] y j α N + 1 + j C'=g_1^{\sum_{i\in[N]}z_i\alpha^i+\sum_{j\in[N-1]}y_j\alpha^{N+1+j}} C′=g1∑i∈[N]ziαi+∑j∈[N−1]yjαN+1+j
C = g 1 ∑ i ∈ [ N ] z i α i C=g_1^{\sum_{i\in[N]}z_i\alpha^i} C=g1∑i∈[N]ziαi
也就是说,若adversary可找到相应的 C ′ C' C′,使得 H ( i , C , S , m ⃗ [ S ] ) = H ( i , C ′ , S , m ⃗ [ S ] ) H(i,C,S,\vec{m}[S])=H(i,C',S,\vec{m}[S]) H(i,C,S,m[S])=H(i,C′,S,m[S])成立且 C ′ = g 1 ∑ i ∈ [ N ] z i α i + ∑ j ∈ [ N − 1 ] y j α N + 1 + j 且 C = g 1 ∑ i ∈ [ N ] z i α i C'=g_1^{\sum_{i\in[N]}z_i\alpha^i+\sum_{j\in[N-1]}y_j\alpha^{N+1+j}}且C=g_1^{\sum_{i\in[N]}z_i\alpha^i} C′=g1∑i∈[N]ziαi+∑j∈[N−1]yjαN+1+j且C=g1∑i∈[N]ziαi,则可作弊成功。即: 【这段话理解有问题,不应在于Hash碰撞,而在于,应该是对于固定 C , S , m ⃗ [ S ] C,S,\vec{m}[S] C,S,m[S],寻找符合要求的 z ⃗ 和 y ⃗ \vec{z}和\vec{y} z和y,满足 C = g 1 z ⃗ T a ⃗ + α N y ⃗ T a ⃗ [ − 1 ] C=g_1^{\vec{z}^T\vec{a}+\alpha^N\vec{y}^T\vec{a}[-1]} C=g1zTa+αNyTa[−1],同时满足 m ⃗ [ S ] ̸ ≡ p z ⃗ [ S ] 且 ( m ⃗ [ S ] − z ⃗ [ S ] ) T t ⃗ ≡ p 0 \vec{m}[S]\not\equiv_p\vec{z}[S]且(\vec{m}[S]-\vec{z}[S])^T\vec{t}\equiv_p 0 m[S]≡pz[S]且(m[S]−z[S])Tt≡p0。若能找到相应的 z ⃗ 和 y ⃗ \vec{z}和\vec{y} z和y,则称为“H-lucky”。】
e ( C , g 2 ∑ i ∈ S α N + 1 − i t i ) = ( e ( π ^ , g 2 ) / e ( g 1 ∑ j ∈ [ N − 1 ] y j α N + 1 + j , g 2 ∑ i ∈ S α N + 1 − i t i ) ) ⋅ g T α N + 1 ∑ i ∈ S m i t i = e ( g 1 , π ^ ∗ ) ⋅ g T α N + 1 ∑ i ∈ S m i t i e(C,g_2^{\sum_{i\in S}\alpha^{N+1-i}t_i})=(e(\hat{\pi},g_2)/e(g_1^{\sum_{j\in[N-1]}y_j\alpha^{N+1+j}},g_2^{\sum_{i\in S}\alpha^{N+1-i}t_i}))\cdot g_T^{\alpha^{N+1}\sum_{i\in S}m_it_i}=e(g_1,\hat{\pi}^*)\cdot g_T^{\alpha^{N+1}\sum_{i\in S}m_it_i} e(C,g2∑i∈SαN+1−iti)=(e(π^,g2)/e(g1∑j∈[N−1]yjαN+1+j,g2∑i∈SαN+1−iti))⋅gTαN+1∑i∈Smiti=e(g1,π^∗)⋅gTαN+1∑i∈Smiti
其中 e ( g 1 ∑ j ∈ [ N − 1 ] y j α N + 1 + j , g 2 ∑ i ∈ S α N + 1 − i t i ) e(g_1^{\sum_{j\in[N-1]}y_j\alpha^{N+1+j}},g_2^{\sum_{i\in S}\alpha^{N+1-i}t_i}) e(g1∑j∈[N−1]yjαN+1+j,g2∑i∈SαN+1−iti) 可根据现有的public parameter计算出来。
从而,对于 C C C,adversary可通过提供proof π ^ ∗ \hat{\pi}^* π^∗ 作弊成功——将本应为 z ⃗ [ S ] \vec{z}[S] z[S] open 为了 m ⃗ [ S ] \vec{m}[S] m[S]。
由于 Pr t ⃗ [ z ⃗ [ S ] ̸ ≡ p m ⃗ [ S ] a n d z ⃗ [ S ] T t ⃗ ≡ p m ⃗ [ S ] T t ⃗ ] = 1 / p , 其 中 t ⃗ = ( H ( i , C , S , m ⃗ [ S ] ) : i ∈ S ) \Pr_{\vec{t}}[\vec{z}[S]\not\equiv_p \vec{m}[S]\ and\ \vec{z}[S]^T\vec{t}\equiv_p \vec{m}[S]^T\vec{t}]=1/p,其中\vec{t}=(H(i,C,S,\vec{m}[S]):i\in S) Prt[z[S]≡pm[S] and z[S]Tt≡pm[S]Tt]=1/p,其中t=(H(i,C,S,m[S]):i∈S),也就是说,对于固定的 ( S , m ⃗ [ S ] , z ⃗ [ S ] ) (S,\vec{m}[S],\vec{z}[S]) (S,m[S],z[S]),找到相应的 C ′ C' C′使得 H ( i , C , S , m ⃗ [ S ] ) = H ( i , C ′ , S , m ⃗ [ S ] ) H(i,C,S,\vec{m}[S])=H(i,C',S,\vec{m}[S]) H(i,C,S,m[S])=H(i,C′,S,m[S])成立,且存在 z ⃗ ∈ Z p N , y ⃗ ∈ Z p N − 1 \vec{z}\in \mathbb{Z}_p^N,\vec{y}\in\mathbb{Z}_p^{N-1} z∈ZpN,y∈ZpN−1使得 C ′ = g 1 ∑ i ∈ [ N ] z i α i + ∑ j ∈ [ N − 1 ] y j α N + 1 + j , C = g 1 ∑ i ∈ [ N ] z i α i C'=g_1^{\sum_{i\in[N]}z_i\alpha^i+\sum_{j\in[N-1]}y_j\alpha^{N+1+j}},C=g_1^{\sum_{i\in[N]}z_i\alpha^i} C′=g1∑i∈[N]ziαi+∑j∈[N−1]yjαN+1+j,C=g1∑i∈[N]ziαi的概率不高于 1 / p 1/p 1/p。
By the union bound, the probability that an adversary makes an H-lucky query is at most q H / p q_H/p qH/p, where q H q_H qH is the number of queries to H H H. Below, we assume this never happens。
2)若可extracting g 1 α N + 1 g_1^{\alpha^{N+1}} g1αN+1,则可破坏本论文 l l l-wBDHE security assumption。
若对于 C = g 1 z ⃗ T a ⃗ + α N y ⃗ T a ⃗ [ − 1 ] = g 1 ∑ i ∈ [ N ] z i α i + ∑ j ∈ [ N − 1 ] y j α N + 1 + j C=g_1^{\vec{z}^T\vec{a}+\alpha^N\vec{y}^T\vec{a}[-1]}=g_1^{\sum_{i\in[N]}z_i\alpha^i+\sum_{j\in[N-1]}y_j\alpha^{N+1+j}} C=g1zTa+αNyTa[−1]=g1∑i∈[N]ziαi+∑j∈[N−1]yjαN+1+j,存在 ( S ∗ , m ⃗ ∗ , π ^ ∗ ) (S^*,\vec{m}^*,\hat{\pi}^*) (S∗,m∗,π^∗) 使得:
m ⃗ ∗ [ S ∗ ] ≠ z ⃗ [ S ∗ ] 且 V e r i f y ( C , S ∗ , m ⃗ ∗ [ S ∗ ] , π ^ ∗ ) \vec{m}^*[S^*]\neq \vec{z}[S^*] 且 Verify(C,S^*,\vec{m}^*[S^*],\hat{\pi}^*) m∗[S∗]=z[S∗]且Verify(C,S∗,m∗[S∗],π^∗) 成立。
即有 e ( C , g 2 ∑ i ∈ S ∗ α N + 1 − i t i ) = e ( π ^ ∗ , g 2 ) ⋅ g T α N + 1 m ⃗ ∗ [ S ∗ ] T t ⃗ e(C,g_2^{\sum_{i\in S^*}\alpha^{N+1-i}t_i})=e(\hat{\pi}^*,g_2)\cdot g_T^{\alpha^{N+1}\vec{m}^*[S^*]^T\vec{t}} e(C,g2∑i∈S∗αN+1−iti)=e(π^∗,g2)⋅gTαN+1m∗[S∗]Tt成立,其中 t i = H ( i , C , S ∗ , m ⃗ ∗ [ S ∗ ] ) t_i=H(i,C,S^*,\vec{m}^*[S^*]) ti=H(i,C,S∗,m∗[S∗])。
于是有: C ∑ i ∈ S ∗ α N + 1 − i t i = π ^ ∗ ⋅ g 1 α N + 1 m ⃗ ∗ [ S ∗ ] T t ⃗ C^{\sum_{i\in S^*}\alpha^{N+1-i}t_i}=\hat{\pi}^*\cdot g_1^{\alpha^{N+1}\vec{m}^*[S^*]^T\vec{t}} C∑i∈S∗αN+1−iti=π^∗⋅g1αN+1m∗[S∗]Tt 成立。
上述等式左侧展开为含 g 1 α N + 1 g_1^{\alpha^{N+1}} g1αN+1的项和不含 g 1 α N + 1 g_1^{\alpha^{N+1}} g1αN+1的项表示:
C ∑ i ∈ S ∗ α N + 1 − i t i = g 1 ( z ⃗ T a ⃗ + α N y ⃗ T a ⃗ [ − 1 ] ) ⋅ ∑ i ∈ S ∗ α N + 1 − i t i C^{\sum_{i\in S^*}\alpha^{N+1-i}t_i}=g_1^{(\vec{z}^T\vec{a}+\alpha^N\vec{y}^T\vec{a}[-1])\cdot \sum_{i\in S^*}\alpha^{N+1-i}t_i} C∑i∈S∗αN+1−iti=g1(zTa+αNyTa[−1])⋅∑i∈S∗αN+1−iti
The smallest i i i value is 1 1 1.
(1)
z ⃗ T a ⃗ ∑ i ∈ S ∗ α N + 1 − i t i = ∑ i ∈ S ∗ z ⃗ T a ⃗ α N + 1 − i t i = ∑ i ∈ S ∗ ( z i α i + z ⃗ [ − i ] a ⃗ [ − i ] ) α N + 1 − i t i = α N + 1 ∑ i ∈ S ∗ z i t i + ∑ i ∈ S ∗ α N + 1 − i z ⃗ [ − i ] a ⃗ [ − i ] t i \vec{z}^T\vec{a}\sum_{i\in S^*}\alpha^{N+1-i}t_i=\sum_{i\in S^*}\vec{z}^T\vec{a}\alpha^{N+1-i}t_i =\sum_{i\in S^*}(z_i\alpha^i+\vec{z}[-i]\vec{a}[-i])\alpha^{N+1-i}t_i=\alpha^{N+1}\sum_{i\in S^*}z_it_i+\sum_{i\in S^*}\alpha^{N+1-i}\vec{z}[-i]\vec{a}[-i]t_i zTa∑i∈S∗αN+1−iti=∑i∈S∗zTaαN+1−iti=∑i∈S∗(ziαi+z[−i]a[−i])αN+1−iti=αN+1∑i∈S∗ziti+∑i∈S∗αN+1−iz[−i]a[−i]ti
其中 ∑ i ∈ S ∗ α N + 1 − i z ⃗ [ − i ] a ⃗ [ − i ] t i \sum_{i\in S^*}\alpha^{N+1-i}\vec{z}[-i]\vec{a}[-i]t_i ∑i∈S∗αN+1−iz[−i]a[−i]ti depends on g 1 α , g 1 α 2 , ⋯ , g 1 α N , g 1 α N + 2 , ⋯ , g 1 α 2 N g_1^{\alpha},g_1^{\alpha^2},\cdots,g_1^{\alpha^N},g_1^{\alpha^{N+2}},\cdots,g_1^{\alpha^{2N}} g1α,g1α2,⋯,g1αN,g1αN+2,⋯,g1α2N。
(2)
α N y ⃗ T a ⃗ [ − 1 ] ) ⋅ ∑ i ∈ S ∗ α N + 1 − i t i \alpha^N\vec{y}^T\vec{a}[-1])\cdot \sum_{i\in S^*}\alpha^{N+1-i}t_i αNyTa[−1])⋅∑i∈S∗αN+1−iti depends on g 1 α N + 3 , ⋯ , g 1 α 3 N g_1^{\alpha^{N+3}},\cdots,g_1^{\alpha^{3N}} g1αN+3,⋯,g1α3N.
For :
C ∑ i ∈ S ∗ α N + 1 − i t i = π ^ ∗ ⋅ g 1 α N + 1 m ⃗ ∗ [ S ∗ ] T t ⃗ C^{\sum_{i\in S^*}\alpha^{N+1-i}t_i}=\hat{\pi}^*\cdot g_1^{\alpha^{N+1}\vec{m}^*[S^*]^T\vec{t}} C∑i∈S∗αN+1−iti=π^∗⋅g1αN+1m∗[S∗]Tt
Then:
( g 1 ∑ i ∈ S ∗ , j ∈ S ∗ , i ≠ j z j t i α N + 1 − i + j ) ⋅ ( g 1 z ⃗ [ − S ∗ ] T a ⃗ [ − S ∗ ] ⋅ ∑ i ∈ S ∗ α N + 1 − i t i ) ⋅ ( g 1 α N y ⃗ T a ⃗ [ − 1 ] ) ⋅ ∑ i ∈ S ∗ α N + 1 − i t i ) ⋅ ( π ^ ∗ ) − 1 = g 1 α N + 1 ∑ i ∈ S ∗ ( m i − z i ) t i (g_1^{\sum_{i\in S^*,j\in S^*,i\neq j}z_jt_i\alpha^{N+1-i+j}})\cdot(g_1^{\vec{z}[-S^*]^T\vec{a}[-S^*]\cdot{\sum_{i\in S^*}\alpha^{N+1-i}t_i}})\cdot(g_1^{\alpha^N\vec{y}^T\vec{a}[-1])\cdot \sum_{i\in S^*}\alpha^{N+1-i}t_i})\cdot (\hat{\pi}^*)^{-1}=g_1^{\alpha^{N+1}\sum_{i \in S^*}(m_i-z_i)t_i} (g1∑i∈S∗,j∈S∗,i=jzjtiαN+1−i+j)⋅(g1z[−S∗]Ta[−S∗]⋅∑i∈S∗αN+1−iti)⋅(g1αNyTa[−1])⋅∑i∈S∗αN+1−iti)⋅(π^∗)−1=g1αN+1∑i∈S∗(mi−zi)ti …<1>
当不存在H-lucky queries,且adversary可成功将 z ⃗ [ S ∗ ] \vec{z}[S^*] z[S∗] open 为不同的 m ⃗ [ S ∗ ] \vec{m}[S^*] m[S∗],则该adversary亦可根据上述公式成功计算等式右侧的 g 1 α N + 1 g_1^{\alpha^{N+1}} g1αN+1值。
因为:
z ⃗ [ S ∗ ] ≠ m ⃗ [ S ∗ ] \vec{z}[S^*]\neq \vec{m}[S^*] z[S∗]=m[S∗]
所以:
∑ i ∈ S ∗ ( m i − z i ) t i ̸ ≡ p 0 \sum_{i \in S^*}(m_i-z_i)t_i\not\equiv_p 0 ∑i∈S∗(mi−zi)ti≡p0
令:
r = 1 / ( ∑ i ∈ S ∗ ( m i − z i ) t i ) m o d p r=1/(\sum_{i \in S^*}(m_i-z_i)t_i)\mod p r=1/(∑i∈S∗(mi−zi)ti)modp
公式<1>左右两侧同时进行 r r r幂乘即可求得 g 1 α N + 1 g_1^{\alpha^{N+1}} g1αN+1值。
⇒ \Rightarrow ⇒ The winning algebraic adversary can be used to compute g 1 α N + 1 g_1^{\alpha^{N+1}} g1αN+1, CONTRADICTING l l l-wBDHE.
3. proof of correctness/binding for cross-commitment aggregation
3.1 cross commitment aggregation
Aggregation of proofs across l l l commitments,在2.1 same commitment aggregation算法的基础上,增加了AggregateAcross和VerifyAcross算法,具体的实现为:
-
AggregateAcross( { C j , S j , m ⃗ j [ S j ] , π ^ j } j ∈ [ l ] \{C_j,S_j,\vec{m}_j[S_j],\hat{\pi}_j\}_{j\in [l]} {Cj,Sj,mj[Sj],π^j}j∈[l]):
π = ∏ j = 1 l π ^ j t j ′ \pi=\prod_{j=1}^{l}\hat{\pi}_j^{t_j'} π=∏j=1lπ^jtj′
其中:
t j ’ = H ’ ( j , { C j , S j , m ⃗ j [ S j ] } j ∈ [ l ] ) t_j’=H’(j,\{C_j,S_j,\vec{m}_j[S_j]\}_{j\in[l]}) tj’=H’(j,{Cj,Sj,mj[Sj]}j∈[l]) -
VerifyAcross( { C j , S j , m ⃗ j } j ∈ [ l ] , π \{C_j,S_j,\vec{m}_j\}_{j\in[l]},\pi {Cj,Sj,mj