Vector Commitments and their Applications: study notes

1. Background

The 2013 paper Vector Commitments and their Applications by Dario Catalano and Dario Fiore:
1) proposes a new non-interactive primitive, the Vector Commitment (VC): a commitment to an ordered sequence of $q$ values $(m_1,\cdots,m_q)$. Besides the binding and hiding properties of an ordinary commitment, it has the position binding property: the commitment can be opened at specific positions (proving that $m_i$ is the $i$-th committed message), and it is infeasible to open a commitment to two different values at the same position.
[Image 1]

2) requires the Vector Commitment to be concise:

  • the size of the commitment string must be independent of the vector length $q$;
  • the size of an opening must also be independent of the vector length $q$.


3) requires the Vector Commitment to be updatable:

  • when the $i$-th message changes from $m_i$ to $m_i'$, the committer can update the commitment from $Com$ to $Com'$, where the new $Com'$ corresponds to the updated value $m_i'$;
  • when the $i$-th message changes from $m_i$ to $m_i'$, holders of an opening for a message at position $j$ w.r.t. $Com$ can update their proof so that it becomes valid w.r.t. the new $Com'$.

4) gives two Vector Commitment constructions:

  • one based on the RSA assumption;
  • one based on the Computational Diffie-Hellman (CDH) assumption in bilinear groups.

5) describes application scenarios for Vector Commitments:

  • Verifiable Databases with Efficient Updates;
  • Updatable Zero-Knowledge Elementary Databases;
  • Universal Dynamic Accumulators.

1.1 Trapdoor commitment schemes

Also called chameleon commitments: anyone who knows the trapdoor key can break the binding property of the commitment. For details see the blog posts:

  • Mercurial commitments;
  • Almost Optimal Short Adaptive Non-Interactive Zero Knowledge study notes, section 2.1.

2. Vector Commitments

A Vector Commitment consists of the following basic algorithms:
1) VC.KeyGen($1^k,q$): Given the security parameter $k$ and the size $q$ of the committed vector (with $q=poly(k)$), the key generation outputs some public parameters $pp$ (which implicitly define the message space $M$). (Generates the public information shared by Prover and Verifier.)
2) VC.Com$_{pp}$($m_1,\cdots,m_q$): On input a sequence of $q$ messages $m_1,\cdots,m_q\in M$ and the public parameters $pp$, the committing algorithm outputs a commitment string $C$ and an auxiliary information $aux$. (The Prover generates the commitment.)
3) VC.Open$_{pp}$($m,i,aux$): This algorithm is run by the committer to produce a proof $\Lambda_i$ that $m$ is the $i$-th committed message. (The Prover generates the proof.)
4) VC.Ver$_{pp}$($C,m,i,\Lambda_i$): The verification algorithm accepts (i.e., it outputs $1$) only if $\Lambda_i$ is a valid proof that $C$ was created to a sequence $m_1,\cdots,m_q$ such that $m=m_i$. (The Verifier checks the proof.)
5) VC.Update$_{pp}$($C,m,m',i$): This algorithm is run by the committer who produced $C$ and wants to update it by changing the $i$-th message to $m'$. The algorithm takes as input the old message $m$, the new message $m'$ and the position $i$. It outputs a new commitment $C'$ together with an update information $U$. (The Prover updates the commitment and hands the update information $U$ to the Verifier.)
6) VC.ProofUpdate$_{pp}$($C,\Lambda_j,m',i,U$): This algorithm can be run by any user who holds a proof $\Lambda_j$ for some message at position $j$ w.r.t. $C$, and it allows the user to compute an updated proof $\Lambda_j'$ (and the updated commitment $C'$) such that $\Lambda_j'$ will be valid w.r.t. $C'$, which contains $m'$ as the new message at position $i$. Basically, the value $U$ contains the update information which is needed to compute such values. (Using the update information $U$, the Prover or the Verifier updates the old proof $\Lambda_j$ to $\Lambda_j'$.)

2.1 CDH-based Vector Commitment construction

Square-CDH assumption: given $g, g^a\in\mathbb{G}$, computing $g^{a^2}$ is computationally infeasible.
The Square-CDH assumption is equivalent to the standard CDH assumption.

Based on the CDH assumption in bilinear groups, the Vector Commitment constructed in the paper follows the incremental hash function idea of Bellare and Micciancio's 1997 paper A new paradigm for collision-free hashing: Incrementality at reduced cost:
1) VC.KeyGen($1^k,q$): Let $\mathbb{G},\mathbb{G}_T$ be two bilinear groups of prime order $p$ equipped with a bilinear map $e:\mathbb{G}\times\mathbb{G}\rightarrow\mathbb{G}_T$. Let $g\in\mathbb{G}$ be a random generator. Randomly choose $z_1,\cdots,z_q\leftarrow\mathbb{Z}_p$. For all $i=1,\cdots,q$ set $h_i=g^{z_i}$. For all $i,j=1,\cdots,q$, $i\neq j$ set $h_{i,j}=g^{z_iz_j}$.
Set $pp=(g,\{h_i\}_{i\in[q]},\{h_{i,j}\}_{i,j\in[q],i\neq j})$. The message space is $M=\mathbb{Z}_p$. (The CRS has length $\Theta(q^2)$, and $g^{z_i^2}$ is deliberately not in the CRS: under the CDH assumption, $g^{z_i^2}$ must remain unknown to the Prover.)

2) VC.Com$_{pp}$($m_1,\cdots,m_q$): Compute $C=h_1^{m_1}h_2^{m_2}\cdots h_q^{m_q}=\prod_{i=1}^{q}h_i^{m_i}$ and output $C$ and the auxiliary information $aux=(m_1,\cdots,m_q)$.

3) VC.Open$_{pp}$($m_i,i,aux$): Compute $\Lambda_i=\prod_{j=1,j\neq i}^{q}h_{i,j}^{m_j}=\big(\prod_{j=1,j\neq i}^{q}h_j^{m_j}\big)^{z_i}$. (Generating the proof is a multi-exponentiation of complexity $\Theta(q)$.)

4) VC.Ver$_{pp}$($C,m_i,i,\Lambda_i$): If $e(C/h_i^{m_i},h_i)=e(\Lambda_i,g)$ then output $1$. Otherwise output $0$.

5) VC.Update$_{pp}$($C,m,m',i$): Compute the updated commitment $C'=C\cdot h_i^{m'-m}$. Finally output $C'$ and $U=(m,m',i)$.

6) VC.ProofUpdate$_{pp}$($C,\Lambda_j,m',U$): A client who owns a proof $\Lambda_j$, that is valid w.r.t. $C$ for some message at position $j$, can use the update information $U=(m,m',i)$ to compute the updated commitment $C'$ and produce a new proof $\Lambda_j'$ which will be valid w.r.t. $C'$. We distinguish two cases:

  • $i\neq j$: Compute the updated commitment $C'=C\cdot h_i^{m'-m}$, while the updated proof is $\Lambda_j'=\Lambda_j\cdot(h_i^{m'-m})^{z_j}=\Lambda_j\cdot h_{j,i}^{m'-m}$.
  • $i=j$: Compute the updated commitment as $C'=C\cdot h_i^{m'-m}$, while the updated proof remains the same $\Lambda_i$.
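Why the verification equation in step 4) holds, and why withholding $g^{z_i^2}$ from the CRS is what gives position binding (a worked derivation added to these notes, using only the definitions above):

$$
e\big(C/h_i^{m_i},\,h_i\big)
= e\Big(\prod_{j\neq i} g^{z_j m_j},\, g^{z_i}\Big)
= e(g,g)^{\,z_i\sum_{j\neq i} z_j m_j}
= e\Big(\prod_{j\neq i} g^{z_i z_j m_j},\, g\Big)
= e\Big(\prod_{j\neq i} h_{i,j}^{m_j},\, g\Big)
= e(\Lambda_i,g).
$$

If an adversary could output two accepting openings $(m,\Lambda)$ and $(m',\Lambda')$ with $m\neq m'$ at the same position $i$, dividing the two verification equations gives $e(h_i^{m-m'},h_i)=e(\Lambda'/\Lambda,g)$, i.e. $e(g,g)^{z_i^2(m-m')}=e(\Lambda'/\Lambda,g)$, hence $(\Lambda'/\Lambda)^{1/(m-m')}=g^{z_i^2}$ (the exponent inverted in $\mathbb{Z}_p$): a Square-CDH solution for the instance $(g,h_i)$, which is exactly the value the CRS never reveals.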

One problem with the above construction is that the public parameters $pp$ have size $\Theta(q^2)$. This can be improved with the following signature-based approach:
[Image 2]

2.2 RSA-based Vector Commitment construction

For the definition of the RSA assumption see the blog post on cryptographic assumptions (DL/SDH, ...).

1) VC.KeyGen($1^k,q$): Randomly choose two $k/2$-bit primes $p_1,p_2$, set $N=p_1p_2$, and choose $q$ $(l+1)$-bit primes $e_1,\cdots,e_q$ that do not divide $\phi(N)$. For $i=1$ to $q$ set $S_i=a^{\prod_{j=1,j\neq i}^{q}e_j}$.
Set $pp=(N,a,S_1,\cdots,S_q,e_1,\cdots,e_q)$. The message space is $M=\{0,1\}^l$. (The CRS has length $\Theta(2q)$, and $p_1,p_2$ are not in the CRS: under the RSA assumption, $p_1,p_2$ must remain unknown to the Prover.)

2) VC.Com$_{pp}$($m_1,\cdots,m_q$): Compute $C=S_1^{m_1}S_2^{m_2}\cdots S_q^{m_q}=\prod_{i=1}^{q}S_i^{m_i}$ and output $C$ and the auxiliary information $aux=(m_1,\cdots,m_q)$.

3) VC.Open$_{pp}$($m_i,i,aux$): Compute $\Lambda_i=\sqrt[e_i]{\prod_{j=1,j\neq i}^{q}S_j^{m_j}}\bmod N$. (Since $pp$ contains $a,e_1,\cdots,e_q$, the Prover can compute this $e_i$-th root easily.)

4) VC.Ver$_{pp}$($C,m_i,i,\Lambda_i$): If $m_i\in M$ and $C=S_i^{m_i}\Lambda_i^{e_i}\bmod N$ then output $1$. Otherwise output $0$.

5) VC.Update$_{pp}$($C,m,m',i$): Compute the updated commitment $C'=C\cdot S_i^{m'-m}$. Finally output $C'$ and $U=(m,m',i)$.

6) VC.ProofUpdate$_{pp}$($C,\Lambda_j,m',U$): A client who owns a proof $\Lambda_j$, that is valid w.r.t. $C$ for some message at position $j$, can use the update information $U=(m,m',i)$ to compute the updated commitment $C'$ and produce a new proof $\Lambda_j'$ which will be valid w.r.t. $C'$. We distinguish two cases:

  • $i\neq j$: Compute the updated commitment $C'=C\cdot S_i^{m'-m}$, while the updated proof is $\Lambda_j'=\Lambda_j\cdot\sqrt[e_j]{S_i^{m'-m}}$. (Since $pp$ contains $a,e_1,\cdots,e_q$, the Prover can compute this $e_j$-th root easily.)
  • $i=j$: Compute the updated commitment as $C'=C\cdot S_i^{m'-m}$, while the updated proof remains the same $\Lambda_i$.

In addition, the Verifier should run a one-time check that the $S_i$ in $pp$ really satisfy $S_i=a^{\prod_{j=1,j\neq i}^{q}e_j}$ with respect to the $a,e_1,\cdots,e_q$ in $pp$.
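A toy, pure-Python instance of the RSA-based construction above, including the verifier's $S_i$ check, is added here as an illustration (it is not the paper's or this blog's code). The parameters `P1`, `P2`, `A`, `ES` and `L` are constructed values far too small to be secure; the point is to see that the prover computes every $e_i$-th root from $a$ and the $e_j$ alone, without the factorization of $N$.

```python
from math import prod
# Toy parameters constructed for this example (far too small to be secure): N = p1*p2,
# a in Z_N^*, q = 4 primes e_i not dividing phi(N), l = 3-bit messages (so m < 8 <= e_i).
P1, P2, A, ES, L = 107, 109, 5, [11, 13, 17, 19], 3

def _prod_except(es, *skip):
    """Product of e_k over all indices k not in skip."""
    return prod(e for k, e in enumerate(es) if k not in skip)

def vc_keygen(p1=P1, p2=P2, a=A, es=ES):
    """pp = (N, a, S_1..S_q, e_1..e_q) with S_i = a^{prod_{j != i} e_j} mod N."""
    N, phi = p1 * p2, (p1 - 1) * (p2 - 1)
    assert all(phi % e for e in es), "e_i must not divide phi(N)"
    return {"N": N, "a": a, "e": es, "S": [pow(a, _prod_except(es, i), N) for i in range(len(es))]}

def vc_check_pp(pp):
    """Verifier's one-time check that every S_i really equals a^{prod_{j != i} e_j}."""
    return all(pow(pp["a"], _prod_except(pp["e"], i), pp["N"]) == S_i for i, S_i in enumerate(pp["S"]))

def vc_com(pp, ms):
    """C = prod_i S_i^{m_i} mod N; aux is the committed vector itself."""
    C = 1
    for S_i, m_i in zip(pp["S"], ms):
        C = C * pow(S_i, m_i, pp["N"]) % pp["N"]
    return C, list(ms)

def vc_open(pp, i, aux):
    """Lambda_i = e_i-th root of prod_{j != i} S_j^{m_j}. No trapdoor is needed: that
    product is a^{sum_{j != i} m_j * prod_{k != i,j} e_k}, so the root is explicit."""
    exp = sum(m_j * _prod_except(pp["e"], i, j) for j, m_j in enumerate(aux) if j != i)
    return pow(pp["a"], exp, pp["N"])

def vc_ver(pp, C, m, i, lam):
    """Accept iff m is in M = {0,1}^l and C = S_i^m * Lambda_i^{e_i} mod N."""
    return 0 <= m < 2 ** L and C == pow(pp["S"][i], m, pp["N"]) * pow(lam, pp["e"][i], pp["N"]) % pp["N"]

def vc_update(pp, C, m, m_new, i):
    """C' = C * S_i^{m'-m} mod N (a negative exponent uses S_i^{-1}); U = (m, m', i)."""
    return C * pow(pp["S"][i], m_new - m, pp["N"]) % pp["N"], (m, m_new, i)

def vc_proof_update(pp, C, lam_j, j, U):
    """Holder of Lambda_j recomputes C' from U. For i != j, Lambda_j is multiplied by the
    e_j-th root of S_i^{m'-m}, i.e. a^{(m'-m) prod_{k != i,j} e_k}; for i == j it is unchanged."""
    m, m_new, i = U
    C_new = C * pow(pp["S"][i], m_new - m, pp["N"]) % pp["N"]
    if i == j:
        return C_new, lam_j
    root = pow(pp["a"], (m_new - m) * _prod_except(pp["e"], i, j), pp["N"])
    return C_new, lam_j * root % pp["N"]
```

Negative exponents in `pow(..., N)` need Python 3.8 or later; they are what makes a downward update ($m' < m$) work without any extra inversion code.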


The 2018 paper Batching Techniques for Accumulators with Applications to IOPs and Stateless Blockchains builds a Vector Commitment from the strong RSA assumption in groups of unknown order, with the following improvements over the construction above:

  • the elements of the committed vector $m_1,\cdots,m_q$ are restricted to be co-prime, which removes the $(S_1,\cdots,S_q)$ parameters from the public information $pp$ and shortens the CRS;
  • the BezoutShamirTrick algorithm enables batching of non-membership proofs;
  • the RootFactor algorithm, without $e_1,\cdots,e_q$, reduces the cost of computing $e_j$-th roots from $\Theta(q^2)$ to $\Theta(q\log(q))$, and shortens the CRS further.

The Vector Commitment built with these techniques has constant-size subvector openings and constant-size public parameters (independent of the vector length).
[Image 3]
For a detailed walkthrough of the algorithms see the blog post:
https://blog.csdn.net/mutourend/article/details/102936314
For a walkthrough of the code implementation see sections 2.1 and 2.2 of the blog post Vector Commitments code implementation.


3. Applications of Vector Commitments

3.1 Verifiable Databases with Efficient Updates

Verifiable Databases with Efficient Updates (VDB), proposed by Benabbas, Gennaro and Vahlis in the 2011 paper Verifiable delegation of computation over large datasets, address verifiable outsourcing of storage. A resource-limited client outsources a large database to a server; the client can retrieve database records and can also update them. The requirements are:

  • For efficiency, the computational resources the client needs to retrieve or update a record must be independent of the size of the database (except in the setup phase);
  • For security, the server must be unable to tamper with any database record without the client noticing.

If the client never performs updates (the static case), this can be achieved with a message authentication or signature scheme: the client signs every database record before handing the signed records to the server, and any record the server outputs must carry a valid signature. When the client needs to perform updates, however, this approach no longer works: a mechanism is needed that lets the client revoke earlier signatures. Known solutions include:

  • accumulators;
  • authenticated data structures;
  • verifiable computation;
  • authenticated remote file systems.

The scheme of Benabbas et al. in the 2011 paper Verifiable delegation of computation over large datasets relies on a constant-size assumption in bilinear groups of composite order, but does not support public verifiability (i.e., only the client owner of the database can verify the correctness of the proofs provided by the server).

Using the Vector Commitments of this paper instead yields a VDB with public verifiability. With the CDH-based VC, the VDB rests on a standard constant-size assumption, and its efficiency improves over the scheme of Benabbas et al. because bilinear groups of prime order can be used.

A database $D$ is a collection of tuples $(x,v_x)$, where $x$ is a key and $v_x$ the corresponding value, written $D(x)=v_x$. Assume the keys range over $\{1,\cdots,q\}$ with $q=poly(k)$, while DB values are arbitrary strings $v\in\{0,1\}^{*}$.

The basic flow is:
1) VDB.Setup($1^k,D$): On input the security parameter $k$ and a database $D$, the setup algorithm is run by the client to generate a secret key $SK$ that is kept private by the client, a database encoding $S$ that is given to the server, and a public key $PK$ that is distributed to all users (including the client itself) who wish to verify the proofs.
2) VDB.Query($PK,S,x$): On input a database key $x$, the query processing algorithm is run by the server, and returns a pair $\tau=(v,\pi)$.
3) VDB.Verify($PK,x,\tau$): The public verification algorithm outputs a value $v$ if $\tau$ verifies correctly w.r.t. $x$ (i.e., $D(x)=v$), and an error $\perp$ otherwise.
4) VDB.ClientUpdate($SK,x,v'$): The client update algorithm is used by the client to change the value of the database record with key $x$, and it outputs a value $t_x'$ and an updated public key $PK'$.
5) VDB.ServerUpdate($PK,S,x,t_x'$): The server update algorithm is run by the server to update the database according to the value $t_x'$ produced by the client.

The scheme must satisfy:

  • security;
  • the size of the information stored by the client, as well as the time needed to compute verifications and updates, must be independent of the size $|D|$ of the database.

Implementing the above Verifiable Databases with Efficient Updates with a Vector Commitment:
[Image 4]

3.2 Updatable Zero-Knowledge Elementary Databases

Zero knowledge set (ZKS) means that users commit to a set and subsequently prove the (non-)membership of some elements without revealing any further information (not even the cardinality of the committed set). (See the blog post on the differences between Vector Commitments, Zero-knowledge Sets, Zero-knowledge Accumulators, etc.)

In general, a ZKS is built from trapdoor mercurial commitments and collision-resistant hash functions, which produce the membership proofs and non-membership proofs.
For details see the 2011 paper Zero-Knowledge Sets with short proofs by Catalano et al.
[Image 5]
Equivalently: build $q$-mercurial commitments (qTMC) using vector commitments.

The flow for building a (concise) trapdoor qTMC from a (concise) vector commitment and a standard trapdoor commitment:
[Image 6]
[Image 7]
To make the qTMC updatable, two additional algorithms are needed:
[Image 8]
The detailed Vector Commitment based construction:
[Image 9]
