您的位置: 首页  >  文章  >  Efficient Batch Zero-Knowledge Arguments for Low Degree Polynomials 学习笔记

Efficient Batch Zero-Knowledge Arguments for Low Degree Polynomials 学习笔记

分类: 文章 2023-11-22 19:05:04

1. 引言

Bootle和Groth 2018年论文《Efficient Batch Zero-Knowledge Arguments for Low Degree Polynomials》,发表于IACR-PKC-2018。

  • 基于discrete logarithm assumption。

  • 本文主要关注对 relations between commitments and field elements 的zero-knowledge argument,具有constant-round和fewer group operations,其中构建的polynomials in the relation具有low degree。

  • 本文构建了a batch protocol,以支持 many copies of the same relation to be proved and verified in a single argument more efficiently with only a square-root communication overhead in the number of copies O ( N ) O(\sqrt{N}) O(N ),其中 N N N为相同relation的copy数。

  • 可实现membership proof,polynomial evaluation proof以及range proof。

1.1 本文主要贡献

如 Bayer和Groth 2013年论文[2]《Zero-Knowledge Argument for Polynomial Evaluation with Application to Blacklists》 中的用于prover membership 的polynomial evaluation argument和 Groth和Kohlweiss 2015年论文[28]《One-out-of-Many Proofs: Or How to Leak a Secret and Spend a Coin》 中的1-out-of-N membership argument,其witness为zeores of low-degree polynomial relations。

在Bootle等人2016年论文 [7]《Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting》中,将a polynomial evaluation argument for a polynomial of degree N N N 嵌入在 a low degree polynomial with log ⁡ N \log N logN inputs and degree log ⁡ N \log N logN,最终的argument具有 O ( log ⁡ N ) O(\log N) O(logN) communication using 3 moves,需要 O ( log ⁡ N ) O(\log N) O(logN) exponentiations in a suitably chosen cryptographic group。
另外,由于a polynomial of degree N N N需要 N N N multiplication gates to evaluate in general,因此当前最好的arithmetic circuit protocol [7] 仅能达成 O ( log ⁡ N ) O(\log N) O(logN) communication in O ( log ⁡ N ) O(\log N) O(logN) moves and uses O ( N ) O(N) O(N) group exponentiations。另外,由于discrete logarithm setting下的group exponentiation计算开销远高于 finite-field multiplications计算开销,因此,若能由 O ( N ) O(N) O(N) group exponentiations reduce为 O ( log ⁡ N ) O(\log N) O(logN) group exponentiations,则对整体性能的提升明显。

Bayer 2014年博士论文[1]《Practical zero-knowledge Protocols based on the discrete logarithm Assumption》中,利用Lagrange插值来embed many instances of the same relation into a single field element,提供了2种高效的batch proofs for multiplication and polynomial evaluation,其communication cost为 O ( t ) O(\sqrt{t}) O(t ) t t t为the number of proofs to be batched。
这种 利用Lagrange插值来embed many instances of the same relation into a single field element 的方法,也可用于本文的batch proofs for the low-degree relations。此外,结合本文第三章的polynomial commitment subprotocol,相应的batch proof的communication cost由 t c \sqrt{t}c t c 降为了 t c \sqrt{tc} tc ,其中 c c c为the communication cost of the original non-batched proof, t t t为a large number representing the number of proofs to be batched together。

  • 本文构建了新的 1-out-of-N membership argument和polynomial evaluation argument,可在保持原有的simple 3-move structure的同时,降低communication cost和reduce prover and verifier computation。
    实现了communication 效率最高的 ∑ \sum -protocols for membership or non-membership of a committed value in a public list, in the discrete logarithm setting。

  • 本文构建了an argument of range proofs。

  • 本文 对 Bootle等人2016年论文 [7]《Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting》中 的polynomial commitment 进行了改进,以支持the prover to commit to a polynomial so that the verifier can learn an evaluation of the polynomial in a secure manner。

1.2 性能对比

Efficient Batch Zero-Knowledge Arguments for Low Degree Polynomials 学习笔记

相关推荐