1. 引言
在博客 Pointproofs: Aggregating Proofs for Multiple Vector Commitments 学习笔记1 中,主要对 Alogrand团队Gorbunov等人2020年论文《Pointproofs: Aggregating Proofs for Multiple Vector Commitments 》做了一个总体的梳理。该论文在 Libert和Yung 2010年论文《Concise mercurial vector commitments and independent zero-knowledge sets with short proofs 》的基础上,做了以下改进:
采用了非对称bilinear pairing group,并针对G 1 \mathbb{G}_1 G 1 域内的运算效率>G 2 \mathbb{G}_2 G 2 >G T \mathbb{G}_T G T ,对Verify算法做了优化(计算r = ( ∑ i ∈ S m i t i ) − 1 m o d p r=(\sum_{i\in S}m_it_i)^{-1}\ mod\ p r = ( ∑ i ∈ S m i t i ) − 1 m o d p ,将G T \mathbb{G}_T G T 域内的运算转移到G 1 \mathbb{G}_1 G 1 域内):
采用Random Oracle Model,基于hash函数H H H 引入了随机参数t i = H ( i , C , S , m ⃗ [ S ] ) t_i=H(i,C,S,\vec{m}[S]) t i = H ( i , C , S , m [ S ] ) 来实现same-commitment aggregation;基于hash函数H H H 和H ′ H' H ′ 引入了随机参数t j , i = H ( i , C j , S j , m ⃗ j [ S j ] ) t_{j,i}=H(i,C_j,S_j,\vec{m}_j[S_j]) t j , i = H ( i , C j , S j , m j [ S j ] ) 和t j ′ = H ′ ( j , { C j , S j , m ⃗ j [ S j ] } j ∈ [ l ] ) t_j'=H'(j,\{C_j,S_j,\vec{m}_j[S_j]\}_{j\in[l]}) t j ′ = H ′ ( j , { C j , S j , m j [ S j ] } j ∈ [ l ] ) 来实现cross-commitment aggregation。
本博客将重点关注:
proof of correctness/binding for same-commitment aggregation
proof of correctness/binding for cross-commitment aggregation
same-commitment aggregation from CDH-like assumption
weak binding and realization
cross-commitment aggregation from polynomial commitments
https://github.com/algorand/pointproofs 代码解析
该论文实现的binding属性是基于AGW+ROM model under the l l l -wBDHE assumption:(详细定义参见博客 Pointproofs: Aggregating Proofs for Multiple Vector Commitments 学习笔记1 1.1节内容)
2. proof of correctness/binding for same-commitment aggregation
2.1 same commitment aggregation
具体的实现为:
Setup(1 λ , 1 N 1^{\lambda},1^N 1 λ , 1 N ):取随机值α ← Z p \alpha\leftarrow \mathbb{Z}_p α ← Z p ,输出:【其中a ⃗ = ( α , α 2 , ⋯ , α N ) \vec{a}=(\alpha,\alpha^2,\cdots,\alpha^N) a = ( α , α 2 , ⋯ , α N ) 】g 1 a ⃗ = ( g 1 α , ⋯ , g 1 α N ) g_1^{\vec{a}}=(g_1^\alpha,\cdots,g_1^{\alpha^N}) g 1 a = ( g 1 α , ⋯ , g 1 α N ) g 1 α N a ⃗ [ − 1 ] = ( g 1 α N + 2 , ⋯ , g 1 α 2 N ) g_1^{\alpha^N\vec{a}[-1]}=(g_1^{\alpha^{N+2}},\cdots,g_1^{\alpha^{2N}}) g 1 α N a [ − 1 ] = ( g 1 α N + 2 , ⋯ , g 1 α 2 N ) g 2 a ⃗ = ( g 2 α , ⋯ , g 2 α N ) g_2^{\vec{a}}=(g_2^\alpha,\cdots,g_2^{\alpha^N}) g 2 a = ( g 2 α , ⋯ , g 2 α N ) g T α N + 1 = e ( g 1 α , g 2 α N ) g_T^{\alpha^{N+1}}=e(g_1^{\alpha},g_2^{\alpha^N}) g T α N + 1 = e ( g 1 α , g 2 α N )
Prove key为:g 1 a ⃗ , g 1 α N a ⃗ [ − 1 ] g_1^{\vec{a}},g_1^{\alpha^N\vec{a}[-1]} g 1 a , g 1 α N a [ − 1 ]
Verify key为:g 2 a ⃗ , g T α N + 1 g_2^{\vec{a}},g_T^{\alpha^{N+1}} g 2 a , g T α N + 1
而α \alpha α 为有毒垃圾,trusted setup后应直接丢弃,must never be known to the adversary。
Commit(m ⃗ \vec{m} m ) for m ⃗ ∈ Z p N \vec{m}\in \mathbb{Z}_p^N m ∈ Z p N :C = g 1 m ⃗ T a ⃗ = g 1 ∑ i ∈ S m i α i C=g_1^{\vec{m}^T\vec{a}}=g_1^{\sum_{i\in S}m_i\alpha^i} C = g 1 m T a = g 1 ∑ i ∈ S m i α i
UpdateCommit(C , S , m ⃗ [ S ] , m ⃗ ′ [ S ] C,S,\vec{m}[S],\vec{m}'[S] C , S , m [ S ] , m ′ [ S ] ):C ′ = C ⋅ g 1 ( m ⃗ ′ [ S ] − m ⃗ [ S ] ) T a ⃗ [ S ] = C ⋅ g 1 ∑ i ∈ S ( m i ′ − m i ) α i C'=C\cdot g_1^{(\vec{m}'[S]-\vec{m}[S])^T\vec{a}[S]}=C\cdot g_1^{\sum_{i\in S}(m_i'-m_i)\alpha^i} C ′ = C ⋅ g 1 ( m ′ [ S ] − m [ S ] ) T a [ S ] = C ⋅ g 1 ∑ i ∈ S ( m i ′ − m i ) α i
Prove(i , m ⃗ i,\vec{m} i , m ):open第i i i 个位置。π i = g 1 α N + 1 − i m ⃗ [ − i ] T a ⃗ [ − i ] = g 1 ∑ j ∈ [ N ] − { i } m j α N + 1 − i + j \pi_i=g_1^{\alpha^{N+1-i}\vec{m}[-i]^T\vec{a}[-i]}=g_1^{\sum_{j\in [N]-\{i\}}m_j\alpha^{N+1-i+j}} π i = g 1 α N + 1 − i m [ − i ] T a [ − i ] = g 1 ∑ j ∈ [ N ] − { i } m j α N + 1 − i + j
其中g 1 α N + 1 − i a ⃗ [ − i ] g_1^{\alpha^{N+1-i}\vec{a}[-i]} g 1 α N + 1 − i a [ − i ] 均已包含在了Prove key中了。
若m j m_j m j at index j ≠ i j\neq i j = i changes to m j ′ m_j' m j ′ ,则π i ′ = π ⋅ g 1 ( m j ′ − m j ) α N + 1 − i + j \pi_i'=\pi\cdot g_1^{(m_j'-m_j)\alpha^{N+1-i+j}} π i ′ = π ⋅ g 1 ( m j ′ − m j ) α N + 1 − i + j ,若m i m_i m i changes to m i ′ m_i' m i ′ ,则proof 不变π i ′ = π i \pi_i'=\pi_i π i ′ = π i 。但是两种情况下,commitment C C C 均需要更新为C ′ C' C ′ 。
Aggregate(C , S , m ⃗ [ S ] , { π i : i ∈ S } C,S,\vec{m}[S],\{\pi_i:i\in S\} C , S , m [ S ] , { π i : i ∈ S } ):π ^ = ∏ i ∈ S π i t i \hat{\pi}=\prod_{i\in S}\pi_i^{t_i} π ^ = ∏ i ∈ S π i t i
其中 t i = H ( i , C , S , m ⃗ [ S ] ) t_i=H(i,C,S,\vec{m}[S]) t i = H ( i , C , S , m [ S ] )
Verify(C , S , m ⃗ [ S ] , π ^ C,S,\vec{m}[S],\hat{\pi} C , S , m [ S ] , π ^ ):
验证e ( C , g 2 ∑ i ∈ S α N + 1 − i t i ) = e ( π ^ , g 2 ) ⋅ g T α N + 1 ∑ i ∈ S m i t i e(C,g_2^{\sum_{i\in S}\alpha^{N+1-i}t_i})=e(\hat{\pi},g_2)\cdot g_T^{\alpha^{N+1}\sum_{i\in S}m_it_i} e ( C , g 2 ∑ i ∈ S α N + 1 − i t i ) = e ( π ^ , g 2 ) ⋅ g T α N + 1 ∑ i ∈ S m i t i 是否成立。
其中 t i = H ( i , C , S , m ⃗ [ S ] ) t_i=H(i,C,S,\vec{m}[S]) t i = H ( i , C , S , m [ S ] )
2.2 proof of correctness for same-commitment aggregation
对于任意的i ∈ [ N ] , π i = P r o v e ( i , m ⃗ ) = g 1 α N + 1 − i m ⃗ [ − i ] T a ⃗ [ − i ] i\in [N],\pi_i=Prove(i,\vec{m})=g_1^{\alpha^{N+1-i}\vec{m}[-i]^T\vec{a}[-i]} i ∈ [ N ] , π i = P r o v e ( i , m ) = g 1 α N + 1 − i m [ − i ] T a [ − i ] ,对Commit
/Prove
/Aggregate
/Verify
整个流程,可分两步证明:
1)证明e ( C , g 2 α N + 1 − i ) = e ( π i , g 2 ) ⋅ g T α N + 1 m i e(C,g_2^{\alpha^{N+1-i}})=e(\pi_i,g_2)\cdot g_T^{\alpha^{N+1}m_i} e ( C , g 2 α N + 1 − i ) = e ( π i , g 2 ) ⋅ g T α N + 1 m i
2)证明e ( C , g 2 ∑ i ∈ S α N + 1 − i t i ) = e ( π ^ , g 2 ) ⋅ g T α N + 1 ∑ i ∈ S m i t i e(C,g_2^{\sum_{i\in S}\alpha^{N+1-i}t_i})=e(\hat{\pi},g_2)\cdot g_T^{\alpha^{N+1}\sum_{i\in S}m_it_i} e ( C , g 2 ∑ i ∈ S α N + 1 − i t i ) = e ( π ^ , g 2 ) ⋅ g T α N + 1 ∑ i ∈ S m i t i
具体为:
1)有 m ⃗ T a ⃗ = m ⃗ [ − i ] T a ⃗ [ − i ] + α i m i \vec{m}^T\vec{a}=\vec{m}[-i]^T\vec{a}[-i]+\alpha^im_i m T a = m [ − i ] T a [ − i ] + α i m i
等式左右两边同时乘以α N + 1 − i \alpha^{N+1-i} α N + 1 − i ,有:( m ⃗ T a ⃗ ) α N + 1 − i = α N + 1 − i m ⃗ [ − i ] T a ⃗ [ − i ] + α N + 1 m i (\vec{m}^T\vec{a})\alpha^{N+1-i}=\alpha^{N+1-i}\vec{m}[-i]^T\vec{a}[-i]+\alpha^{N+1}m_i ( m T a ) α N + 1 − i = α N + 1 − i m [ − i ] T a [ − i ] + α N + 1 m i
转换为pairing计算,有:e ( g 1 m ⃗ T a ⃗ , g 2 α N + 1 − i ) = e ( g 1 α N + 1 − i m ⃗ [ − i ] T a ⃗ [ − i ] , g 2 ) ⋅ g T α N + 1 m i e(g_1^{\vec{m}^T\vec{a}},g_2^{\alpha^{N+1-i}})=e(g_1^{\alpha^{N+1-i}\vec{m}[-i]^T\vec{a}[-i]},g_2)\cdot g_T^{\alpha^{N+1}m_i} e ( g 1 m T a , g 2 α N + 1 − i ) = e ( g 1 α N + 1 − i m [ − i ] T a [ − i ] , g 2 ) ⋅ g T α N + 1 m i
从而证明了e ( C , g 2 α N + 1 − i ) = e ( π i , g 2 ) ⋅ g T α N + 1 m i e(C,g_2^{\alpha^{N+1-i}})=e(\pi_i,g_2)\cdot g_T^{\alpha^{N+1}m_i} e ( C , g 2 α N + 1 − i ) = e ( π i , g 2 ) ⋅ g T α N + 1 m i 成立。
2)在e ( C , g 2 α N + 1 − i ) = e ( π i , g 2 ) ⋅ g T α N + 1 m i e(C,g_2^{\alpha^{N+1-i}})=e(\pi_i,g_2)\cdot g_T^{\alpha^{N+1}m_i} e ( C , g 2 α N + 1 − i ) = e ( π i , g 2 ) ⋅ g T α N + 1 m i 的基础上,等式左右两侧均进行t i t_i t i 次幂乘,则有:e ( C , g 2 α N + 1 − i t i ) = e ( π i t i , g 2 ) ⋅ g T α N + 1 m i t i e(C,g_2^{\alpha^{N+1-i}t_i})=e(\pi_i^{t_i},g_2)\cdot g_T^{\alpha^{N+1}m_it_i} e ( C , g 2 α N + 1 − i t i ) = e ( π i t i , g 2 ) ⋅ g T α N + 1 m i t i
将要open的S S S 集合内的所有公式均乘一块,有(for all i ∈ S i\in S i ∈ S ):e ( C , g 2 ∑ i ∈ S α N + 1 − i t i ) = e ( ∏ i ∈ S π i t i , g 2 ) ⋅ g T α N + 1 ∑ i ∈ S m i t i = e ( π ^ , g 2 ) ⋅ g T α N + 1 ∑ i ∈ S m i t i e(C,g_2^{\sum_{i\in S}\alpha^{N+1-i}t_i})=e(\prod_{i\in S}\pi_i^{t_i},g_2)\cdot g_T^{\alpha^{N+1}\sum_{i\in S}m_it_i}=e(\hat{\pi},g_2)\cdot g_T^{\alpha^{N+1}\sum_{i\in S}m_it_i} e ( C , g 2 ∑ i ∈ S α N + 1 − i t i ) = e ( ∏ i ∈ S π i t i , g 2 ) ⋅ g T α N + 1 ∑ i ∈ S m i t i = e ( π ^ , g 2 ) ⋅ g T α N + 1 ∑ i ∈ S m i t i 成立。
证明UpdateCommit
算法正确性的思路为:m ⃗ ′ T a ⃗ = ( m ⃗ ′ [ S ] − m ⃗ [ S ] ) T a ⃗ [ S ] + m ⃗ T a ⃗ \vec{m}'^T\vec{a}=(\vec{m}'[S]-\vec{m}[S])^T\vec{a}[S]+\vec{m}^T\vec{a} m ′ T a = ( m ′ [ S ] − m [ S ] ) T a [ S ] + m T a 等式恒成立。
2.3 proof of binding for same-commitment aggregation
采用归谬法来证明,假设adversary 可计算C = g 1 z ⃗ T a ⃗ C=g_1^{\vec{z}^T\vec{a}} C = g 1 z T a ,并为( S , m ⃗ [ S ] ) (S,\vec{m}[S]) ( S , m [ S ] ) 提供proof π ^ \hat{\pi} π ^ 【其中m ⃗ [ S ] ≠ z ⃗ [ S ] \vec{m}[S]\neq \vec{z}[S] m [ S ] = z [ S ] 】,使得π ^ \hat{\pi} π ^ 可被Verify通过。e ( g 1 z ⃗ T a ⃗ , g 2 ∑ i ∈ S α N + 1 − i t i ) = e ( π ^ , g 2 ) ⋅ g T α N + 1 ∑ i ∈ S m i t i = e ( π ^ , g 2 ) ⋅ g T α N + 1 ∑ i ∈ S z i t i e(g_1^{\vec{z}^T\vec{a}},g_2^{\sum_{i\in S}\alpha^{N+1-i}t_i})=e(\hat{\pi},g_2)\cdot g_T^{\alpha^{N+1}\sum_{i\in S}m_it_i}=e(\hat{\pi},g_2)\cdot g_T^{\alpha^{N+1}\sum_{i\in S}z_it_i} e ( g 1 z T a , g 2 ∑ i ∈ S α N + 1 − i t i ) = e ( π ^ , g 2 ) ⋅ g T α N + 1 ∑ i ∈ S m i t i = e ( π ^ , g 2 ) ⋅ g T α N + 1 ∑ i ∈ S z i t i
注意adversary也不知道g 1 α N + 1 g_1^{\alpha^{N+1}} g 1 α N + 1 ,即log g 1 π ^ \log_{g_1}\hat{\pi} log g 1 π ^ 中 α N + 1 \alpha^{N+1} α N + 1 项的系数应为 0 0 0 。
比较上述等式中g T α N + 1 g_T^{\alpha^{N+1}} g T α N + 1 的系数应满足:∑ i ∈ S m i t i ≡ p ∑ i ∈ S z i t i \sum_{i\in S}m_it_i\equiv_p \sum_{i \in S}z_it_i ∑ i ∈ S m i t i ≡ p ∑ i ∈ S z i t i
用向量表示,应满足:z ⃗ [ S ] T t ⃗ ≡ p m ⃗ [ S ] T t ⃗ \vec{z}[S]^T\vec{t}\equiv_p \vec{m}[S]^T\vec{t} z [ S ] T t ≡ p m [ S ] T t
其中t ⃗ = ( H ( i , C , S , m ⃗ [ S ] ) , i ∈ S ) \vec{t}=(H(i,C,S,\vec{m}[S]),i\in S) t = ( H ( i , C , S , m [ S ] ) , i ∈ S )
假设当( S , z ⃗ [ S ] , m ⃗ [ S ] ) (S,\vec{z}[S],\vec{m}[S]) ( S , z [ S ] , m [ S ] ) 确定后,t ⃗ ← Z p ∣ S ∣ \vec{t}\leftarrow \mathbb{Z}_p^{|S|} t ← Z p ∣ S ∣ 为chosen uniformly at random 时,则有:Pr t ⃗ [ z ⃗ [ S ] ̸ ≡ p m ⃗ [ S ] a n d z ⃗ [ S ] T t ⃗ ≡ p m ⃗ [ S ] T t ⃗ ] = 1 / p \Pr_{\vec{t}}[\vec{z}[S]\not\equiv_p \vec{m}[S]\ and\ \vec{z}[S]^T\vec{t}\equiv_p \vec{m}[S]^T\vec{t}]=1/p Pr t [ z [ S ] ≡ p m [ S ] a n d z [ S ] T t ≡ p m [ S ] T t ] = 1 / p
即相应的概率可忽略。
因此问题的关键在于:ensure the uniform choice of t ⃗ \vec{t} t for any fixed ( S , z ⃗ [ S ] , m ⃗ [ S ] ) (S,\vec{z}[S],\vec{m}[S]) ( S , z [ S ] , m [ S ] ) 。
注意有:
C C C determines z ⃗ \vec{z} z in AGM;
C , S , m ⃗ [ S ] C,S,\vec{m}[S] C , S , m [ S ] 为random oracle H ( i , ⋅ , ⋅ , ⋅ ) H(i,\cdot,\cdot,\cdot) H ( i , ⋅ , ⋅ , ⋅ ) 的input,输出为 t i t_i t i 。
若adversary可以找到相应的m i ≠ z i m_i\neq z_i m i = z i 值,使得:∑ i ∈ S z i t i ≡ p ∑ i ∈ S m i t i \sum_{i\in S}z_it_i\equiv_p \sum_{i \in S}m_it_i ∑ i ∈ S z i t i ≡ p ∑ i ∈ S m i t i
成立,则binding属性不成立。
t i = H ( i , ⋅ , ⋅ , ⋅ ) t_i=H(i,\cdot,\cdot,\cdot) t i = H ( i , ⋅ , ⋅ , ⋅ ) ,为什么需要将S , m ⃗ [ S ] S,\vec{m}[S] S , m [ S ] 作为H H H 的input?
若t i t_i t i 与m i m_i m i 无关,则adversary可指定∣ S ∣ − 1 |S|-1 ∣ S ∣ − 1 个m i m_i m i 的值,并根据∑ i ∈ S z i t i ≡ p ∑ i ∈ S m i t i \sum_{i\in S}z_it_i\equiv_p \sum_{i \in S}m_it_i ∑ i ∈ S z i t i ≡ p ∑ i ∈ S m i t i 等式计算最后一个m i m_i m i 的值。从而破坏了binding属性。
若t i = H ( i , C ) t_i=H(i,C) t i = H ( i , C ) ,Wanger’s attack可产生a 2 log p 2^{\sqrt{\log p}} 2 log p algorithm that given { z i t i , m i t i } i ∈ [ N ] \{z_it_i,m_it_i\}_{i \in [N]} { z i t i , m i t i } i ∈ [ N ] ,从而计算a set S S S of size 2 log p 2^{\sqrt{\log p}} 2 log p 使得 ∑ i ∈ S z i t i ≡ p ∑ i ∈ S m i t i \sum_{i\in S}z_it_i\equiv_p \sum_{i \in S}m_it_i ∑ i ∈ S z i t i ≡ p ∑ i ∈ S m i t i 等式成立。对于128-bit security level for the curve(如 log p ≈ 256 \log p\approx 256 log p ≈ 2 5 6 ),2 log p ≈ 2 16 2^{\sqrt{\log p}}\approx 2^{16} 2 log p ≈ 2 1 6 ,which makes for a very pratical attack。
若t i = H ( i , C , S ) t_i=H(i,C,S) t i = H ( i , C , S ) ,可能存在与t i = H ( i , C ) t_i=H(i,C) t i = H ( i , C ) 类似的攻击。【It seems plausible that the attack also extends to the setting of t i = H ( i , C , S ) t_i = H(i, C, S) t i = H ( i , C , S ) : it would suffice to extend Wagner’s algorithm to finding values that sum to a given constant, because the values of the elements of S are not committed, and thus, although ∑ i ∈ S z i t i \sum_{i\in S} z_it_i ∑ i ∈ S z i t i is fixed, the attacker can choose from a list of random m i m_i m i for each i ∈ S i \in S i ∈ S .】