Dario Catalano and Dario Fiore, 2013 paper "Vector Commitments and their Applications":
1) Proposes a new non-interactive primitive, the Vector Commitment (VC): a commitment to an ordered sequence of $q$ values $(m_1,\cdots,m_q)$ that can later be opened at a specific position, i.e. the committer can prove that $m_i$ is the $i$-th committed message. The defining security property is position binding: it must be infeasible to open a commitment to two different values at the same position. Hiding is deliberately not part of the definition (both constructions below are deterministic and therefore not hiding); a hiding VC is obtained by first committing to each $m_i$ with an ordinary hiding commitment and then committing to the vector of those commitments.
2) Requires the Vector Commitment to be concise, i.e. the commitment string and every opening have size independent of $q$:
3) Requires the Vector Commitment to be updatable, i.e. a single position can be changed and previously issued openings refreshed without recomputing everything from scratch:
4) Gives two Vector Commitment constructions, one under CDH in bilinear groups and one under RSA:
5) Describes applications of Vector Commitments (verifiable databases with efficient updates and updatable zero-knowledge sets are covered below):
Trapdoor commitments are also called chameleon commitments: whoever knows the trapdoor key can break the binding property of the commitment. For details see the blog post:
A Vector Commitment consists of the following algorithms:
1) VC.KeyGen($1^k,q$): Given the security parameter $k$ and the size $q$ of the committed vector (with $q=poly(k)$), the key generation outputs public parameters $pp$ (which implicitly define the message space $M$). 【Generates the public information shared by Prover and Verifier.】
2) VC.Com$_{pp}(m_1,\cdots,m_q)$: On input a sequence of $q$ messages $m_1,\cdots,m_q\in M$ and the public parameters $pp$, the committing algorithm outputs a commitment string $C$ and auxiliary information $aux$. 【Prover generates the commitment.】
3) VC.Open$_{pp}(m,i,aux)$: Run by the committer to produce a proof $\Lambda_i$ that $m$ is the $i$-th committed message. 【Prover generates the proof.】
4) VC.Ver$_{pp}(C,m,i,\Lambda_i)$: The verification algorithm accepts (outputs $1$) only if $\Lambda_i$ is a valid proof that $C$ was created to a sequence $m_1,\cdots,m_q$ such that $m=m_i$. 【Verifier checks the proof.】
5) VC.Update$_{pp}(C,m,m',i)$: Run by the committer who produced $C$ and wants to update it by changing the $i$-th message to $m'$. It takes the old message $m$, the new message $m'$ and the position $i$, and outputs a new commitment $C'$ together with update information $U$. 【Prover updates the commitment and publishes the update information $U$ for Verifiers.】
6) VC.ProofUpdate$_{pp}(C,\Lambda_j,m',i,U)$: Can be run by any user who holds a proof $\Lambda_j$ for some message at position $j$ w.r.t. $C$; it computes an updated proof $\Lambda'_j$ (and the updated commitment $C'$) such that $\Lambda'_j$ is valid w.r.t. $C'$, which contains $m'$ as the new message at position $i$. The value $U$ carries the update information needed to compute these values. 【Using $U$, either Prover or Verifier can refresh an old proof $\Lambda_j$ into $\Lambda'_j$ without the committer's help.】
Square-CDH assumption: given $g,g^a\in\mathbb{G}$, computing $g^{a^2}$ is computationally infeasible.
Square-CDH is equivalent to the standard CDH assumption: a CDH solver run on $(g^a,g^a)$ solves Square-CDH, and conversely a Square-CDH solver yields $g^{ab}=\left(g^{(a+b)^2}/(g^{a^2}g^{b^2})\right)^{1/2}$, where $g^{(a+b)^2}$ is obtained by querying the solver on $g^a\cdot g^b$ and the square root is exponentiation by $2^{-1}\bmod p$ in a group of odd prime order $p$.
The CDH-based Vector Commitment in the paper (CDH in bilinear groups) follows the incremental hash function idea of Bellare and Micciancio's 1997 paper "A new paradigm for collision-free hashing: Incrementality at reduced cost":
1) VC.KeyGen($1^k,q$): Let $\mathbb{G},\mathbb{G}_T$ be two bilinear groups of prime order $p$ equipped with a bilinear map $e:\mathbb{G}\times\mathbb{G}\rightarrow\mathbb{G}_T$. Let $g\in\mathbb{G}$ be a random generator. Randomly choose $z_1,\cdots,z_q\leftarrow\mathbb{Z}_p$. For all $i=1,\cdots,q$ set $h_i=g^{z_i}$. For all $i,j=1,\cdots,q$ with $i\neq j$ set $h_{i,j}=g^{z_iz_j}$.
Set $pp=(g,\{h_i\}_{i\in[q]},\{h_{i,j}\}_{i,j\in[q],i\neq j})$. The message space is $M=\mathbb{Z}_p$. 【The CRS has length $\Theta(q^2)$, and the "diagonal" elements $g^{z_i^2}$ are deliberately absent: two valid openings of position $i$ to $m\neq m'$ would give $(\Lambda_i/\Lambda'_i)^{1/(m'-m)}=g^{z_i^2}$, so position binding reduces to Square-CDH (equivalently CDH) and $g^{z_i^2}$ must be unknown to the prover. The exponents $z_i$ themselves are the trapdoor and must be discarded after setup.】
2) VC.Com$_{pp}(m_1,\cdots,m_q)$: Compute $C=h_1^{m_1}h_2^{m_2}\cdots h_q^{m_q}=\prod_{i=1}^{q}h_i^{m_i}$ and output $C$ and the auxiliary information $aux=(m_1,\cdots,m_q)$.
3) VC.Open$_{pp}(m_i,i,aux)$: Compute $\Lambda_i=\prod_{j=1,j\neq i}^{q}h_{i,j}^{m_j}=\left(\prod_{j=1,j\neq i}^{q}h_j^{m_j}\right)^{z_i}$. 【The second form only explains what $\Lambda_i$ is; the committer evaluates the first form from $pp$ alone and never needs $z_i$. Generating a proof is a multi-exponentiation of $q-1$ terms, $\Theta(q)$.】
4) VC.Ver$_{pp}(C,m_i,i,\Lambda_i)$: If $e(C/h_i^{m_i},h_i)=e(\Lambda_i,g)$ output $1$, otherwise output $0$. 【Correctness: $C/h_i^{m_i}=\prod_{j\neq i}h_j^{m_j}$, and $e\left(\prod_{j\neq i}h_j^{m_j},h_i\right)=e\left(\left(\prod_{j\neq i}h_j^{m_j}\right)^{z_i},g\right)=e(\Lambda_i,g)$.】
5) VC.Update$_{pp}(C,m,m',i)$: Compute the updated commitment $C'=C\cdot h_i^{m'-m}$. Output $C'$ and $U=(m,m',i)$.
6) VC.ProofUpdate$_{pp}(C,\Lambda_j,m',U)$: A client who holds a proof $\Lambda_j$, valid w.r.t. $C$ for some message at position $j$, uses the update information $U=(m,m',i)$ to compute the updated commitment $C'=C\cdot h_i^{m'-m}$ and a new proof $\Lambda'_j$ valid w.r.t. $C'$. Two cases: if $i=j$, the proof is unchanged, $\Lambda'_j=\Lambda_j$, because $\Lambda_j$ does not involve $m_j$; if $i\neq j$, $\Lambda'_j=\Lambda_j\cdot h_{j,i}^{m'-m}$, which replaces the factor $h_{j,i}^{m}$ inside $\Lambda_j$ by $h_{j,i}^{m'}$.
A drawback of this scheme is that $pp$ has size $\Theta(q^2)$. The following RSA-based construction reduces it to $\Theta(q)$:
For the definition of the RSA assumption see the blog post 密码学中的各种假设——DL/SDH… (assumptions used in cryptography: DL/SDH/...).
1) VC.KeyGen($1^k,q$): Choose two random $k/2$-bit primes $p_1,p_2$, set $N=p_1p_2$, pick a random $a\in\mathbb{Z}_N^*$, and choose $q$ distinct $(l+1)$-bit primes $e_1,\cdots,e_q$ that do not divide $\phi(N)$. For $i=1$ to $q$ set $S_i=a^{\prod_{j=1,j\neq i}^{q}e_j}\bmod N$.
Set $pp=(N,a,S_1,\cdots,S_q,e_1,\cdots,e_q)$. The message space is $M=\{0,1\}^l$. 【The CRS has length $\Theta(q)$. $p_1,p_2$ are not in the CRS: the factorization of $N$ is the trapdoor, and the RSA assumption (hence position binding) only holds if the prover does not know it. Taking the $e_i$ with $l+1$ bits guarantees $e_i>2^l>m$ for every message $m\in M$, which the binding proof relies on.】
2) VC.Com$_{pp}(m_1,\cdots,m_q)$: Compute $C=S_1^{m_1}S_2^{m_2}\cdots S_q^{m_q}=\prod_{i=1}^{q}S_i^{m_i}\bmod N$ and output $C$ and the auxiliary information $aux=(m_1,\cdots,m_q)$.
3) VC.Open$_{pp}(m_i,i,aux)$: Compute $\Lambda_i=\sqrt[e_i]{\prod_{j=1,j\neq i}^{q}S_j^{m_j}}\bmod N$. 【No trapdoor is needed for this root: for every $j\neq i$ the exponent of $S_j$ contains the factor $e_i$, so $\Lambda_i=\prod_{j\neq i}\left(a^{\prod_{k\neq i,j}e_k}\right)^{m_j}=a^{\sum_{j\neq i}m_j\prod_{k\neq i,j}e_k}\bmod N$, computable from $a$ and $e_1,\cdots,e_q$ in $pp$.】
4) VC.Ver$_{pp}(C,m,i,\Lambda_i)$: If $m\in M$ and $C=S_i^{m}\Lambda_i^{e_i}\bmod N$ output $1$, otherwise output $0$. 【The range check $m\in M$, i.e. $0\le m<2^l<e_i$, is essential. Without it, $(m+e_i,\ \Lambda_i\cdot S_i^{-1})$ is a second opening of position $i$ that satisfies the equation, since $S_i^{m+e_i}(\Lambda_i/S_i)^{e_i}=S_i^{m}\Lambda_i^{e_i}$. With the check, two openings to $m\neq m'$ give $S_i^{m-m'}=(\Lambda'_i/\Lambda_i)^{e_i}$ with $0<|m-m'|<e_i$, so $\gcd(m-m',e_i)=1$ and an $e_i$-th root of $S_i$, and from it of $a$, can be extracted, breaking RSA.】
5) VC.Update$_{pp}(C,m,m',i)$: Compute the updated commitment $C'=C\cdot S_i^{m'-m}\bmod N$. Output $C'$ and $U=(m,m',i)$.
6) VC.ProofUpdate$_{pp}(C,\Lambda_j,m',U)$: A client who holds a proof $\Lambda_j$, valid w.r.t. $C$ for some message at position $j$, uses the update information $U=(m,m',i)$ to compute the updated commitment $C'=C\cdot S_i^{m'-m}\bmod N$ and a new proof $\Lambda'_j$ valid w.r.t. $C'$. Two cases: if $i=j$, $\Lambda'_j=\Lambda_j$ (the proof for position $j$ does not involve $m_j$); if $i\neq j$, $\Lambda'_j=\Lambda_j\cdot\left(S_i^{1/e_j}\right)^{m'-m}\bmod N$, where $S_i^{1/e_j}=a^{\prod_{k\neq i,j}e_k}$ is again computable from $pp$ alone.
The Verifier should also check, once, that the $S_i$ in $pp$ are consistent with $a,e_1,\cdots,e_q$, i.e. $S_i=a^{\prod_{j=1,j\neq i}^{q}e_j}\bmod N$. This well-formedness check does not remove the need to trust whoever generated $N$: a party that knows $p_1,p_2$ can compute arbitrary $e_i$-th roots and open any position to any value.
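The following is an added worked example, not code from the paper or from the blog posts linked on this page: the six-algorithm interface defined earlier, instantiated with the RSA-based construction just described, in plain Python. Parameter sizes, prime generation, the dictionary layout of $pp$ and all function names are this example's own choices (32-bit $p_1,p_2$ and 9-bit $e_i$ are toy sizes, nothing like a real deployment). Besides Com/Open/Ver/Update/ProofUpdate it includes out_of_range_opening, which builds the second opening $(m+e_i,\Lambda_i S_i^{-1})$ from the note on VC.Ver so you can see the verification equation accept it and the range check reject it.

```python
import math
import random


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin; adequate for demo-sized parameters."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def keygen(k, q, l, seed=1):
    """VC.KeyGen(1^k, q): N = p1*p2, q distinct (l+1)-bit primes e_i coprime to
    phi(N), S_i = a^{prod_{j != i} e_j}. p1, p2 (the trapdoor) are not returned."""
    rng = random.Random(seed)  # seeded only so the toy example is reproducible
    p1, p2 = random_prime(k // 2, rng), random_prime(k // 2, rng)
    while p2 == p1:
        p2 = random_prime(k // 2, rng)
    N, phi = p1 * p2, (p1 - 1) * (p2 - 1)
    a = rng.randrange(2, N - 1)
    while math.gcd(a, N) != 1:
        a = rng.randrange(2, N - 1)
    es = []
    while len(es) < q:
        e = random_prime(l + 1, rng)
        if phi % e and e not in es:
            es.append(e)
    S = [pow(a, math.prod(es[:i] + es[i + 1:]), N) for i in range(q)]
    return {"N": N, "a": a, "S": S, "e": es, "l": l}


def s_root(pp, j, i):
    """S_j^{1/e_i} = a^{prod_{k not in {i,j}} e_k}, computable from pp alone
    because e_i appears in the exponent of S_j whenever j != i."""
    exp = math.prod(e for k, e in enumerate(pp["e"]) if k not in (i, j))
    return pow(pp["a"], exp, pp["N"])


def commit(pp, msgs):
    """VC.Com: C = prod S_i^{m_i} mod N; aux is the vector itself."""
    N, C = pp["N"], 1
    for Si, mi in zip(pp["S"], msgs):
        C = C * pow(Si, mi, N) % N
    return C, list(msgs)


def open_pos(pp, i, aux):
    """VC.Open: Lambda_i = prod_{j != i} (S_j^{1/e_i})^{m_j} mod N."""
    N, proof = pp["N"], 1
    for j, mj in enumerate(aux):
        if j != i:
            proof = proof * pow(s_root(pp, j, i), mj, N) % N
    return proof


def verify(pp, C, m, i, proof, check_range=True):
    """VC.Ver: accept iff m in M = {0,1}^l and C == S_i^m * Lambda_i^{e_i} mod N.
    check_range=False exists only to demonstrate why the range check matters."""
    if check_range and not 0 <= m < (1 << pp["l"]):
        return False
    N = pp["N"]
    return C == pow(pp["S"][i], m, N) * pow(proof, pp["e"][i], N) % N


def update(pp, C, m, m_new, i):
    """VC.Update: C' = C * S_i^{m'-m} mod N (negative exponent = inverse,
    Python >= 3.8); U = (m, m', i)."""
    return C * pow(pp["S"][i], m_new - m, pp["N"]) % pp["N"], (m, m_new, i)


def proof_update(pp, proof_j, j, U):
    """VC.ProofUpdate. i == j: Lambda_j never involved m_j, so it is unchanged.
    i != j: Lambda_j' = Lambda_j * (S_i^{1/e_j})^{m'-m} mod N."""
    m, m_new, i = U
    if i == j:
        return proof_j
    return proof_j * pow(s_root(pp, i, j), m_new - m, pp["N"]) % pp["N"]


def out_of_range_opening(pp, i, m, proof):
    """A second opening of position i, to m + e_i, with proof Lambda_i * S_i^{-1}:
    S_i^{m+e_i} * (Lambda_i / S_i)^{e_i} = S_i^m * Lambda_i^{e_i} = C, so the bare
    equation holds; only m < 2^l (e_i has l+1 bits, so m + e_i >= 2^l) rejects it."""
    return m + pp["e"][i], proof * pow(pp["S"][i], -1, pp["N"]) % pp["N"]
```

Usage: `pp = keygen(64, 4, 8)`, `C, aux = commit(pp, [17, 200, 3, 255])` (constructed sample vector, every entry below $2^8$), then `verify(pp, C, 200, 1, open_pos(pp, 1, aux))` returns True; after `C2, U = update(pp, C, 200, 42, 1)` the old proof for position 3 fails against `C2` until it is passed through `proof_update`, while the old proof for position 1 stays valid for the new value 42. The opening returned by `out_of_range_opening` verifies with `check_range=False` and is rejected by the real `verify`.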
The 2018 paper "Batching Techniques for Accumulators with Applications to IOPs and Stateless Blockchains" builds a Vector Commitment from an accumulator under the strong RSA assumption in groups of unknown order, improving on the construction above in the following ways: the Bezout and ShamirTrick algorithms allow batching of non-membership proofs; the RootFactor algorithm computes all $e_j$-th roots from the public exponents $e_1,\cdots,e_q$ alone (no trapdoor) in $\Theta(q\log q)$ exponentiations instead of $\Theta(q^2)$; and the CRS is shortened further. The resulting Vector Commitment has constant-size subvector openings and constant-size public parameters (independent of the vector length).
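Added example, not code from the 2018 paper or from this page's author: the three primitives named above, over a toy RSA modulus. The modulus (a product of two known primes, so its order is not actually unknown), the base and the list of prime exponents are constructed values; the function names are this example's own. It does not implement the batched non-membership proofs that the paper builds on top of these primitives. `naive_roots` is the $\Theta(q^2)$ baseline that `root_factor` replaces.

```python
import math

# Constructed toy modulus: product of two known primes (2^31-1 and 2^32-5).
# A real group of unknown order needs a ~2048-bit N whose factors nobody holds.
N = 2147483647 * 4294967291
G = 65537                                           # constructed base in Z_N^*
PRIMES = [257, 263, 269, 271, 277, 281, 283, 293]   # constructed prime exponents


def bezout(a, b):
    """Extended Euclid: returns (g, u, v) with u*a + v*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, u, v = bezout(b, a % b)
    return g, v, u - (a // b) * v


def shamir_trick(y_a, y_b, a, b, n=N):
    """Given y_a = x^{1/a} and y_b = x^{1/b} with gcd(a, b) = 1, return x^{1/(ab)}.
    With u*a + v*b = 1: (y_a^v * y_b^u)^{ab} = x^{vb} * x^{ua} = x^{ua+vb} = x.
    A negative u or v becomes a modular inverse (pow with negative exponent,
    Python >= 3.8); y_a and y_b must be invertible mod n."""
    g, u, v = bezout(a, b)
    if g != 1:
        raise ValueError("exponents must be coprime")
    return pow(y_a, v, n) * pow(y_b, u, n) % n


def root_factor(g, exps, n=N):
    """All individual roots of y = g^{prod exps}: entry i of the result is
    g^{prod_{j != i} exps[j]}, i.e. the exps[i]-th root of y.
    Divide and conquer: raise g to the product of one half, recurse on the other.
    Each recursion level does O(q)-sized exponent work and there are O(log q)
    levels, versus one (q-1)-prime product exponentiation per position."""
    if len(exps) == 1:
        return [g]
    mid = len(exps) // 2
    left, right = exps[:mid], exps[mid:]
    g_left = pow(g, math.prod(right), n)    # now carries every right-half prime
    g_right = pow(g, math.prod(left), n)    # now carries every left-half prime
    return root_factor(g_left, left, n) + root_factor(g_right, right, n)


def naive_roots(g, exps, n=N):
    """The Theta(q^2) baseline that root_factor replaces."""
    return [pow(g, math.prod(exps[:i] + exps[i + 1:]), n)
            for i in range(len(exps))]
```

With `y = pow(G, product of PRIMES, N)`, `root_factor(G, PRIMES)` returns the same list as `naive_roots(G, PRIMES)`, and raising entry `i` to `PRIMES[i]` gives back `y`. Feeding entries 0 and 1 to `shamir_trick` with exponents `PRIMES[0]`, `PRIMES[1]` yields the `PRIMES[0]*PRIMES[1]`-th root of `y`, which is exactly `G` raised to the product of the remaining six primes, because the Bezout identity makes the exponents add up to that product in the integers.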
For a detailed walkthrough of the algorithms see the blog post:
https://blog.csdn.net/mutourend/article/details/102936314
For a walkthrough of a concrete code implementation see sections 2.1 and 2.2 of the blog post Vector Commitments代码实现 (Vector Commitments code implementation).
Verifiable Databases with Efficient Updates (VDB), introduced by Benabbas, Gennaro and Vahlis in the 2011 paper "Verifiable delegation of computation over large datasets", address verifiable outsourcing of storage. A resource-limited client outsources a large database to a server, and later both retrieves database records and updates them. Requirements:
Without updates (the static case) this is solved with a message authentication code or a signature scheme: the client signs each database record before sending it to the server, and every record the server returns must carry a valid signature. Once the client needs to update records this no longer works, because there has to be a mechanism for the client to revoke the earlier signatures. Possible solutions:
The scheme of Benabbas et al. in the 2011 paper "Verifiable delegation of computation over large datasets" relies on a constant-size assumption in bilinear groups of composite order, but does not support public verifiability (only the client that owns the database can verify the correctness of the proofs provided by the server).
Building VDB from the Vector Commitments of this paper gives public verifiability. With the CDH-based VC the resulting VDB rests on a standard constant-size assumption, and its efficiency improves over the scheme of Benabbas et al. because bilinear groups of prime order can be used.
A database $D$ is represented as a set of tuples $(x,v_x)$, where $x$ is the key and $v_x$ the corresponding value, written $D(x)=v_x$. Keys range over $\{1,\cdots,q\}$ with $q=poly(k)$, and values are arbitrary strings $v\in\{0,1\}^{*}$.
The basic flow is:
1) VDB.Setup($1^k,D$): On input the security parameter $k$ and a database $D$, the setup algorithm is run by the client to generate a secret key $SK$ kept private by the client, a database encoding $S$ given to the server, and a public key $PK$ distributed to all users (including the client itself) who wish to verify proofs.
2) VDB.Query($PK,S,x$): On input a database key $x$, the query processing algorithm is run by the server and returns a pair $\tau=(v,\pi)$.
3) VDB.Verify($PK,x,\tau$): The public verification algorithm outputs a value $v$ if $\tau$ verifies correctly w.r.t. $x$ (i.e. $D(x)=v$), and an error $\perp$ otherwise.
4) VDB.ClientUpdate($SK,x,v'$): Used by the client to change the value of the database record with key $x$; it outputs a value $t'_x$ and an updated public key $PK'$.
5) VDB.ServerUpdate($PK,S,x,t'_x$): Run by the server to update the database according to the value $t'_x$ produced by the client.
Required properties:
Implementing the above Verifiable Databases with Efficient Updates flow with a Vector Commitment:
A Zero-knowledge set (ZKS) lets a user commit to a set and subsequently prove the (non-)membership of elements without revealing any further information (not even the cardinality of the committed set). 【See the blog post Vector Commitment, Zero-knowledge Set, Zero-knowledge Accumulator等区别 (differences between Vector Commitments, Zero-knowledge Sets and Zero-knowledge Accumulators).】
ZKS are generally built from trapdoor mercurial commitments and collision-resistant hash functions, which yield both membership and non-membership proofs.
For a detailed description see Catalano et al.'s 2011 paper "Zero-Knowledge Sets with short proofs".
Equivalently: build $q$-mercurial commitments (qTMC) from vector commitments.
The construction of a (concise) trapdoor qTMC from a (concise) vector commitment and a standard trapdoor commitment is:
To make the qTMC updatable, two additional algorithms are needed:
The detailed Vector Commitment based instantiation is: