admin管理员组文章数量:1530034
1. 引言
Boneh等人2020年论文《Efficient polynomial commitment schemes for multiple points and polynomials》,暂无收录信息。
要点:
- 基于Q-DLOG assumption实现2种不同的polynomial commitment,支持batch open multiple polynomials at multiple distinct evaluation points。
- 主要基于的思想为:(2个Claim)
1)对于evaluation point z ∈ S z\in S z∈S,其 g z ∈ S ( z ) = 0 g_{z\in S}(z)=0 gz∈S(z)=0,从而有:若 g ( X ) g(X) g(X)可整除 Z S ( X ) Z_S(X) ZS(X),当且仅当 Z T ∖ S ( X ) ⋅ g ( X ) Z_{T \setminus S}(X)\cdot g(X) ZT∖S(X)⋅g(X)可整除 Z T ( X ) Z_T(X) ZT(X)。
2)若 F 1 , ⋯ , F k ∈ F < n [ X ] F_1,\cdots,F_k\in\mathbb{F}_{<n}[X] F1,⋯,Fk∈F<n[X], Z ∈ F < n [ X ] Z\in\mathbb{F}_{<n}[X] Z∈F<n[X]可分解为不同的linear factors over F \mathbb{F} F。假设存在某 i ∈ [ k ] i\in [k] i∈[k],使得 Z ∤ F i Z\nmid F_i Z∤Fi,则对于uniform选择的 γ ∈ F \gamma\in\mathbb{F} γ∈F, G = ∑ j = 1 k γ j − 1 ⋅ F j G=\sum_{j=1}^{k}\gamma^{j-1}\cdot F_j G=∑j=1kγj−1⋅Fj不能整除 Z Z Z的概率高于 1 − k / ∣ F ∣ 1-k/|\mathbb{F}| 1−k/∣F∣。
在Kate等人2010年论文[KZG10]《Constant-size commitments to polynomials and their applications》中polynomial commitment scheme的基础上,进行了改进:
- 仅需a single group element即可作为an opening proof for multiple polynomials each evaluated at a different arbitrary subset of points。
已将本文的研究成果植入进了PLONK 的proving system中,实现了improved proof size和prover run time at the expense of additional verifier G 2 \mathbb{G}_2 G2 operations and pairings, and additional G 2 \mathbb{G}_2 G2 SRS elements。(Gabizon等人2019年论文《PLONK: permutations over lagrange-bases for oecumenical noninteractive arguments of knowledge》) - 实现了另一种scheme,其proof包含了2个group elements,相应的verifier complexity要优于[KZG10]种的batch verification method。
当需要a “universal and updatable” setup procedure时,Kate等人2010年论文[KZG10]《Constant-size commitments to polynomials and their applications》中提出的polynomial commitment scheme (PCS) 已成为近期构建的succinct arguments的核心组成要素:[MBKM19, Gab19, CHM+19, GWC19, BFS19]
- Maller等人2019年论文《Sonic: Zero-knowledge snarks from linear-size universal and updateable structured reference strings》
- Gabizon等人2019年论文《Auroralight: improved prover efficiency and SRS size in a sonic-like system》
- Chiesa等人2019年论文《Marlin: Preprocessing zksnarks with universal and updatable SRS》
- Gabizon等人2019年论文《PLONK: permutations over lagrange-bases for oecumenical noninteractive arguments of knowledge》
- B¨unz等人2019年论文《Supersonic: Transparent snarks from DARK compilers》
以上polynomial commitment scheme中都“force” a prover to answer verifier queries according to a fixed polynomial of bounded degree。
PCS通常由Prover message
c
o
m
(
f
)
com(f)
com(f) 开始—— 表示the commitment to a polynomial
f
f
f;当Prover声称
s
=
f
(
z
)
s=f(z)
s=f(z)(其中
z
z
z对Verifier亦已知),将
s
∈
F
s\in\mathbb{F}
s∈F发送给Verifier的同时,也发送相应的“opening proof”
π
\pi
π。当协议中需要运行PCS for 多个多项式和多个evaluation points时,Prover run time 和 communication 将increase with each of these opening proofs。
因此需要构建a PCS,使得the prover overhead doesn’t grow 或者至少grow more slowly with the number of openings。
1.1 相关研究
-
Kate等人2010年论文[KZG10]《Constant-size commitments to polynomials and their applications》中的polynomial commitment scheme为:
基于pairing-based scheme进行构建,其opening proof π \pi π包含了a single G 1 \mathbb{G}_1 G1 group element。 -
Maller等人2019年论文《Sonic: Zero-knowledge snarks from linear-size universal and updateable structured reference strings》中,对[KZG10]中的PCS进行了改进 in the random oracle model,使得an opening proof for several polynomials at the same point z ∈ F z\in\mathbb{F} z∈F 为a single G 1 \mathbb{G}_1 G1 group element,以适于universal and updatable SNARKs。
[Gab19, CHM+19, GWC19] Gabizon等人2019年论文《Auroralight: improved prover efficiency and SRS size in a sonic-like system》、Chiesa等人2019年论文《Marlin: Preprocessing zksnarks with universal and updatable SRS》 和 Gabizon等人2019年论文《PLONK: permutations over lagrange-bases for oecumenical noninteractive arguments of knowledge》 中,均用到了类似的single-point multi-polynomial batch protocols。 -
Kate等人2010年论文[KZG10]《Constant-size commitments to polynomials and their applications》中还包含了一个不太有名的scheme,实现了 one G 1 \mathbb{G}_1 G1 element opening proof for one polynomial at several evaluation points。[GWC19] Gabizon等人2019年论文《PLONK: permutations over lagrange-bases for oecumenical noninteractive arguments of knowledge》 中有更直观的batched version of the [KZG10] scheme。
-
对于multiple polynomials和multiple evaluation points的情况,[CHM+19, GWC19] Chiesa等人2019年论文《Marlin: Preprocessing zksnarks with universal and updatable SRS》 和 Gabizon等人2019年论文《PLONK: permutations over lagrange-bases for oecumenical noninteractive arguments of knowledge》 中 使用了randomized techniques for batching pairing equations 来改进verification efficiency,但是opening proof size和prover computation仍然grow linearly with the number of distinct points。
本文构建了2种PCS for multiple evaluation points and polynomials:
- version 1:opening proof 仅为a single G 1 \mathbb{G}_1 G1 element,但是当distinct evaluation points的数量很大时,verifier operation比 [KZG10]的方案(KZG as in [GWC19])中的要重很多。
- version 2:opening proof 为 2个 G 1 \mathbb{G}_1 G1 elements,verifier complexity要优于KZG as in [GWC19] 方案。
当针对open
t
t
t polynomials all with the same degree bound
n
n
n, each at on distinct point时,各方案的性能对比如下图所示:
[GWC19] Gabizon等人2019年论文《PLONK: permutations over lagrange-bases for oecumenical noninteractive arguments of knowledge》 中的PLONK proving system 允许generating proofs of knowledge for assignments to fan-in two arithmetic circuits with a universal and updatable SRS。其中Prover的主要算力集中在:
- commit to several polynomials
- open them at two distinct evaluation points
将本文的version 1 PCS 嵌入到PLONK中,从而可节约proof length和prover work related to the opening proof of the second evaluation point(repeat the transformation of Lemma 4.7 in [GWC19] using the PCS of Lemma 3.3 instead of the PCS used there to obtain the new result)。替换前后的性能对比如下图所示:(PLONK论文中做了两个版本的实现,一个optimizes fast proving,另一个关注small proof length。)
本文的version 2 PCS does not give interesting tradeoffs for PLONK as two evaluation points are not enough for its advantages to “kick in”。但是如 SLONK—a simple universal SNARK 中的讨论,当针对有需要多于2个evaluation points的场景时,本文的2种PCS scheme优势将更明显。
因此本文提倡 design constraint systems using multiple Shifts and Permutations over Lagrange bases for Oecumenical Noninteractive arguments of Knowledge。
2. 相关定义
2.1 相关定义
-
F \mathbb{F} F:prime order field。
-
F < d [ X ] \mathbb{F}_{<d}[X] F<d[X]:为the set of 单变量polynomials over F \mathbb{F} F of degree smaller than d d d。
-
O \mathcal{O} O:为object generator,输入为security parameter λ \lambda λ,输出为all fields and groups used。如本文, O ( λ ) = ( F , G 1 , G 2 , G t , e , g 1 , g 2 , g t ) \mathcal{O}(\lambda)=(\mathbb{F},\mathbb{G}_1,\mathbb{G}_2,\mathbb{G}_t,e,g_1,g_2,g_t) O(λ)=(F,G1,G2,Gt,e,g1,g2,gt),其中:
– 1) F \mathbb{F} F为a prime field of super-polynomial size r = λ w ( 1 ) r=\lambda^{w(1)} r=λw(1)。
– 2) G 1 , G 2 , G t \mathbb{G}_1,\mathbb{G}_2,\mathbb{G}_t G1,G2,Gt 为 groups of size r r r, e e e为an efficiently computable non-degenerate pairing e : G 1 × G 2 → G t e:\mathbb{G}_1 \times \mathbb{G}_2\rightarrow \mathbb{G}_t e:G1×G2→Gt。
– 3) g 1 , g 2 g_1,g_2 g1,g2 为uniformly chosen generators such that e ( g 1 , g 2 ) = g t e(g_1,g_2)=g_t e(g1,g2)=gt。 -
[ x ] 1 = x ⋅ g 1 , [ x ] 2 = x ⋅ g 2 [x]_1=x\cdot g_1,[x]_2=x\cdot g_2 [x]1=x⋅g1,[x]2=x⋅g2
-
[ n ] [n] [n]:表示整数 { 1 , ⋯ , n } \{1,\cdots,n\} {1,⋯,n}
-
e.w.p:全称为”except with probability”,如e.w.p γ \gamma γ 表示 probability at least 1 − γ 1-\gamma 1−γ。
-
Universal SRS-based public coin protocols:
可借助Fiat-Shamir transform来将interactive protocol转换为non-interactive protocol。整个proof length是指由Prover发送给Verifier的总的communication length。
本文的protocol允许接触a structured reference string (SRS),其可derived in p o l y ( λ ) poly(\lambda) poly(λ)-time form an “SRS of monomials” of the form { [ x i ] 1 } a ≤ i ≤ b , { [ x i ] 2 } c ≤ i ≤ d \{[x^i]_1\}_{a\leq i\leq b},\{[x^i]_2\}_{c\leq i\leq d} {[xi]1}a≤i≤b,{[xi]2}c≤i≤d, for uniform x ∈ F x\in\mathbb{F} x∈F and some integers a , b , c , d a,b,c,d a,b,c,d with absolute value bounded by p o l y ( λ ) poly(\lambda) poly(λ)。Bowe等人2017年论文《Scalable multi-party computation for zksnark parameters in the random beacon model》中指出,the required SRS can be derived in a universal and updatable setup requiring only one honest participant,即an adversary controlling all but one of the participants in the setup does not gain more than a n e g l ( λ ) negl(\lambda) negl(λ) advantage in its probability of producing a proof of any statement。
2.2 Analysis in the AGM model
本文的安全分析是基于Fuchsbauer等人2018年论文《The algebraic group model and its applications》中的Algebraic Group Model (AGM) 来进行的。by an algebraic adversary A \mathcal{A} A in an SRS-based protocol, we mean a p o l y ( λ ) poly(\lambda) poly(λ)-time algorithm 满足如下要求:
- For
i
∈
{
1
,
2
}
i\in\{1,2\}
i∈{1,2},whenever
A
\mathcal{A}
A outputs an element
A
∈
G
i
A\in\mathbb{G}_i
A∈Gi,it also outputs a vector
v
⃗
\vec{v}
v
over F \mathbb{F} F 使得 A = < v ⃗ , s r s i > A=<\vec{v},srs_i> A=<v ,srsi>成立。
若all elements of
s
r
s
i
srs_i
srsi 都具有form
[
f
(
x
)
]
i
[f(x)]_i
[f(x)]i for
f
∈
F
<
Q
[
X
]
f\in\mathbb{F}_{<Q}[X]
f∈F<Q[X] and uniform
x
∈
F
x\in\mathbb{F}
x∈F,则称
s
r
s
srs
srs具有degree
Q
Q
Q。接下来考虑的都是具有degree
Q
Q
Q的SRS。
f
i
,
j
f_{i,j}
fi,j 表示the corresponding polynomial for the
j
j
j-th element of
s
r
s
i
srs_i
srsi。
-
a ⃗ , b ⃗ \vec{a},\vec{b} a
,b :为the vectors of F \mathbb{F} F-elements,其encodings in G 1 , G 2 \mathbb{G}_1,\mathbb{G}_2 G1,G2,如the j j j-th G 1 \mathbb{G}_1 G1 element output by A \mathcal{A} A为 [ a j ] 1 [a_j]_1 [aj]1。 -
形如 ( a ⃗ ⋅ T 1 ) ⋅ ( T 2 ⋅ b ⃗ ) = 0 (\vec{a}\cdot \mathbf{T}_1)\cdot (\mathbf{T}_2\cdot \vec{b})=0 (a
⋅T1)⋅(T2⋅b )=0 的check form可称为“real pairing check”。其中矩阵 T 1 , T 2 \mathbf{T}_1,\mathbf{T}_2 T1,T2 over F \mathbb{F} F。
若已知the encoded elements 和 the pairing function e : G 1 × G 2 → G t e:\mathbb{G}_1\times \mathbb{G}_2\rightarrow \mathbb{G}_t e:G1×G2→Gt,以上check可高效执行。 -
若已知 a “real pairing check”、the adversary A \mathcal{A} A、procotol execution during which the elements were output,可定义相应的“ideal check”:
由于 A \mathcal{A} A为algebraic的,其输出 [ a j ] i [a_j]_i [aj]i的同时也输出a vector v ⃗ \vec{v} v,使得,from linearity, a j = ∑ v l f i , l ( x ) = R i , j ( x ) a_j=\sum v_lf_{i,l}(x)=R_{i,j}(x) aj=∑vlfi,l(x)=Ri,j(x) for R i , j ( X ) = ∑ v l f i , l ( X ) R_{i,j}(X)=\sum v_lf_{i,l}(X) Ri,j(X)=∑vlfi,l(X)。
for i ∈ { 1 , 2 } i\in\{1,2\} i∈{1,2}, the vector of polynomials R i = ( R i , j ) j R_i=(R_{i,j})_j Ri=(Ri,j)j。
相应的ideal check为,验证 ( R 1 ⋅ T 1 ) ⋅ ( T 2 ⋅ R 2 ) ≡ 0 (R_1\cdot \mathbf{T}_1)\cdot (\mathbf{T_2}\cdot R_2)\equiv 0 (R1⋅T1)⋅(T2⋅R2)≡0 -
Q-DLOG assumption:
-
knowledge soundness in the Algebraic Group Model定义为:
2.3 Polynomial commitment scheme
本文的polynomial commitment scheme与 [GWC19] Gabizon等人2019年论文《PLONK: permutations over lagrange-bases for oecumenical noninteractive arguments of knowledge》中的类似,只是将其中的Open算法定义为a batched setting having multiple polynomials and evaluation points。
针对multiple points时,可将evaluations of a polynomial
f
f
f on a set
S
⊂
F
S\subset \mathbb{F}
S⊂F 看成是 given as a polynomial
r
∈
F
<
∣
S
∣
[
X
]
r\in\mathbb{F}_{<|S|}[X]
r∈F<∣S∣[X] with
r
(
z
)
=
f
(
z
)
r(z)=f(z)
r(z)=f(z) for each
z
∈
S
z\in S
z∈S。此时:
r
(
z
)
=
f
(
z
)
r(z)=f(z)
r(z)=f(z) for each
z
∈
S
z\in S
z∈S,等价为,
f
(
X
)
−
r
(
X
)
f(X)-r(X)
f(X)−r(X) 可被
Z
S
(
X
)
Z_S(X)
ZS(X)整除,其中
Z
S
(
X
)
=
∏
z
∈
S
(
X
−
z
)
Z_S(X)=\prod_{z\in S}(X-z)
ZS(X)=∏z∈S(X−z)。
相应的polynomial commitment scheme定义为:【针对的是
k
k
k个polynomials
f
1
,
⋯
,
f
k
∈
F
<
d
[
X
]
f_1,\cdots,f_k\in\mathbb{F}_{<d}[X]
f1,⋯,fk∈F<d[X],open at
t
t
t个points
z
1
,
⋯
,
z
t
z_1,\cdots,z_t
z1,⋯,zt——对应拆分到每个polynomial的set分别为
S
1
,
⋯
,
S
k
S_1,\cdots,S_k
S1,⋯,Sk】
以上协议满足completeness和knowledge soundness in the algebraic group model:
3. polynomial commitment scheme——version 1
针对的场景是,对于evaluation point
z
∈
S
z\in S
z∈S,其
g
z
∈
S
(
z
)
=
0
g_{z\in S}(z)=0
gz∈S(z)=0,从而有:若
g
(
X
)
g(X)
g(X)可整除
Z
S
(
X
)
Z_S(X)
ZS(X),当且仅当
Z
T
∖
S
(
X
)
⋅
g
(
X
)
Z_{T \setminus S}(X)\cdot g(X)
ZT∖S(X)⋅g(X)可整除
Z
T
(
X
)
Z_T(X)
ZT(X)。
即:
[GWC19] Gabizon等人2019年论文《PLONK: permutations over lagrange-bases for oecumenical noninteractive arguments of knowledge》 中 Claim 4.6指出:
若
F
1
,
⋯
,
F
k
∈
F
<
n
[
X
]
F_1,\cdots,F_k\in\mathbb{F}_{<n}[X]
F1,⋯,Fk∈F<n[X],
Z
∈
F
<
n
[
X
]
Z\in\mathbb{F}_{<n}[X]
Z∈F<n[X]可分解为不同的linear factors over
F
\mathbb{F}
F。假设存在某
i
∈
[
k
]
i\in [k]
i∈[k],使得
Z
∤
F
i
Z\nmid F_i
Z∤Fi,则对于uniform选择的
γ
∈
F
\gamma\in\mathbb{F}
γ∈F,
G
=
∑
j
=
1
k
γ
j
−
1
⋅
F
j
G=\sum_{j=1}^{k}\gamma^{j-1}\cdot F_j
G=∑j=1kγj−1⋅Fj不能整除
Z
Z
Z的概率高于
1
−
k
/
∣
F
∣
1-k/|\mathbb{F}|
1−k/∣F∣。
【单polynomial 单point open的PCS细节可参考博客 polynomial commitment及实现方式对比 “3.1节 polynomial commitment定义”】
本文的version 1 polynomial commitment scheme(PCS)为:
- g e n ( d ) gen(d) gen(d):选择uniform x ∈ F x\in\mathbb{F} x∈F,输出 s r s = ( [ 1 ] 1 , [ x ] 1 , ⋯ , [ x d − 1 ] 1 , [ 1 ] 2 , [ x ] 2 , ⋯ , [ x t ] 2 ) srs=([1]_1,[x]_1,\cdots,[x^{d-1}]_1,[1]_2,[x]_2,\cdots,[x^t]_2) srs=([1]1,[x]1,⋯,[xd−1]1,[1]2,[x]2,⋯,[xt]2)。【需要 d d d个 G 1 \mathbb{G}_1 G1 elements 和 t + 1 t+1 t+1个 G 2 \mathbb{G}_2 G2 elements。】
- c o m ( f , s r s ) = [ f ( x ) ] 1 com(f,srs)=[f(x)]_1 com(f,srs)=[f(x)]1: c m 1 , ⋯ , c m k cm_1,\cdots,cm_k cm1,⋯,cmk为the alleged commitments to f 1 , ⋯ , f k f_1,\cdots,f_k f1,⋯,fk。【对于integer n ≤ d n\leq d n≤d,计算 f ∈ F < n [ X ] f\in\mathbb{F}_{<n}[X] f∈F<n[X] 的polynomial commitment需要 n n n个 G 1 \mathbb{G}_1 G1-exponentiations 运算。】
-
o
p
e
n
(
d
,
t
,
{
c
m
i
}
i
∈
[
k
]
,
T
=
{
z
1
,
⋯
,
z
t
}
⊂
F
,
{
S
i
⊂
T
}
i
∈
[
k
]
,
{
r
i
}
i
∈
[
k
]
)
open(d, t, \{cm_i\}_{i\in [k]}, T=\{z_1,\cdots,z_t\}\subset \mathbb{F}, \{S_i \subset T\}_{i\in [k]}, \{r_i\}_{i\in [k]})
open(d,t,{cmi}i∈[k],T={z1,⋯,zt}⊂F,{Si⊂T}i∈[k],{ri}i∈[k]):(其中
{
r
i
∈
F
<
∣
S
i
∣
[
X
]
}
i
∈
[
k
]
\{r_i\in \mathbb{F}_{<|S_i|}[X]\}_{i\in [k]}
{ri∈F<∣Si∣[X]}i∈[k] 为the polynomials describing the alleged correct openings,即for each
i
∈
[
k
]
,
z
∈
S
i
i\in [k], z\in S_i
i∈[k],z∈Si 有
r
i
(
z
)
=
f
i
(
z
)
r_i(z)=f_i(z)
ri(z)=fi(z))
(a) V P C V_{PC} VPC 发送a random γ ∈ F \gamma\in\mathbb{F} γ∈F。
(b) P P C P_{PC} PPC 计算the polynomial:
h ( X ) = ∑ i ∈ [ k ] γ i − 1 ⋅ f i ( X ) − r i ( X ) Z S i ( X ) h(X)=\sum_{i\in [k]}\gamma^{i-1}\cdot \frac{f_i(X)-r_i(X)}{Z_{S_i}(X)} h(X)=∑i∈[k]γi−1⋅ZSi(X)fi(X)−ri(X)
使用 s r s srs srs 计算 polynomial commitment W = [ h ( x ) ] 1 W=[h(x)]_1 W=[h(x)]1,并将 W W W发送给 V P C V_{PC} VPC。【需要将1个 G 1 \mathbb{G}_1 G1 element从 P P C P_{PC} PPC发送给 V P C V_{PC} VPC。 P P C P_{PC} PPC计算commitment W W W 时,最多需要 n n n个 G 1 \mathbb{G}_1 G1-exponentiations 运算。】
(c) V P C V_{PC} VPC 为每个 i ∈ [ k ] i\in [k] i∈[k]均计算: Z i = [ Z T ∖ S i ( x ) ] 2 Z_i=[Z_{T\setminus S_i}(x)]_2 Zi=[ZT∖Si(x)]2。【 V P C V_{PC} VPC需要 ∑ i ∈ [ k ] ( t − ∣ S i ∣ ) \sum_{i\in [k]}(t-|S_i|) ∑i∈[k](t−∣Si∣) 次 G 2 \mathbb{G}_2 G2-exponentiations 运算。???没懂论文中的 k ∗ k^* k∗的具体含义??? 】
(d) V P C V_{PC} VPC 计算: F = ∏ i ∈ [ k ] e ( γ i − 1 ⋅ ( c m i − [ r i ( x ) ] 1 ) , Z i ) F=\prod_{i\in [k]} e(\gamma^{i-1}\cdot (cm_i-[r_i(x)]_1), Z_i) F=∏i∈[k]e(γi−1⋅(cmi−[ri(x)]1),Zi) 【 V P C V_{PC} VPC需要 k k k次pairing运算,同时在计算 [ r i ( x ) ] 1 [r_i(x)]_1 [ri(x)]1时,需要 ∑ i ∈ [ k ] ( ∣ S i ∣ ) \sum_{i\in [k]}(|S_i|) ∑i∈[k](∣Si∣) 次 G 1 \mathbb{G}_1 G1-exponentiations 运算。】
(e) V P C V_{PC} VPC 验证 F = e ( W , [ Z T ( x ) ] 2 ) F=e(W,[Z_T(x)]_2) F=e(W,[ZT(x)]2) 是否成立即可。【 V P C V_{PC} VPC需要1次pairing运算和 t t t次 G 2 \mathbb{G}_2 G2-exponentiations 运算。】
4. polynomial commitment scheme——version 2
polynomial commitment scheme——version 2 在 polynomial commitment scheme——version 1 的基础上,以proof size 换取verifier 的计算压力:
- proof 中增加了1个 G 1 \mathbb{G}_1 G1 element,一共2个 G 1 \mathbb{G}_1 G1 element。
- Verifier不再需要做 G 2 \mathbb{G}_2 G2运算,同时将pairing运算降至仅需2次pairing运算。
polynomial commitment scheme——version 2的详细实现为:()
- g e n ( d ) gen(d) gen(d):选择uniform x ∈ F x\in\mathbb{F} x∈F,输出 s r s = ( [ 1 ] 1 , [ x ] 1 , ⋯ , [ x d − 1 ] 1 , [ 1 ] 2 , [ x ] 2 ) srs=([1]_1,[x]_1,\cdots,[x^{d-1}]_1,[1]_2,[x]_2) srs=([1]1,[x]1,⋯,[xd−1]1,[1]2,[x]2)。【需要 d d d个 G 1 \mathbb{G}_1 G1 elements 和 2 2 2个 G 2 \mathbb{G}_2 G2 elements。】
- c o m ( f , s r s ) = [ f ( x ) ] 1 com(f,srs)=[f(x)]_1 com(f,srs)=[f(x)]1: c m 1 , ⋯ , c m k cm_1,\cdots,cm_k cm1,⋯,cmk为the alleged commitments to f 1 , ⋯ , f k f_1,\cdots,f_k f1,⋯,fk。【对于integer n ≤ d n\leq d n≤d,计算 f ∈ F < n [ X ] f\in\mathbb{F}_{<n}[X] f∈F<n[X] 的polynomial commitment需要 n n n个 G 1 \mathbb{G}_1 G1-exponentiations 运算。】
-
o
p
e
n
(
d
,
t
,
{
c
m
i
}
i
∈
[
k
]
,
T
=
{
z
1
,
⋯
,
z
t
}
⊂
F
,
{
S
i
⊂
T
}
i
∈
[
k
]
,
{
r
i
}
i
∈
[
k
]
)
open(d, t, \{cm_i\}_{i\in [k]}, T=\{z_1,\cdots,z_t\}\subset \mathbb{F}, \{S_i \subset T\}_{i\in [k]}, \{r_i\}_{i\in [k]})
open(d,t,{cmi}i∈[k],T={z1,⋯,zt}⊂F,{Si⊂T}i∈[k],{ri}i∈[k]):(其中
{
r
i
∈
F
<
∣
S
i
∣
[
X
]
}
i
∈
[
k
]
\{r_i\in \mathbb{F}_{<|S_i|}[X]\}_{i\in [k]}
{ri∈F<∣Si∣[X]}i∈[k] 为the polynomials describing the alleged correct openings,即for each
i
∈
[
k
]
,
z
∈
S
i
i\in [k], z\in S_i
i∈[k],z∈Si 有
r
i
(
z
)
=
f
i
(
z
)
r_i(z)=f_i(z)
ri(z)=fi(z))
(a) V P C V_{PC} VPC 发送a random γ ∈ F \gamma\in\mathbb{F} γ∈F。
(b) P P C P_{PC} PPC 计算the polynomial:
f ( X ) = ∑ i ∈ [ k ] γ i − 1 ⋅ Z T ∖ S i ( X ) ⋅ ( f i ( X ) − r i ( X ) ) f(X)=\sum_{i\in [k]}\gamma^{i-1}\cdot Z_{T\setminus S_i}(X) \cdot (f_i(X)-r_i(X)) f(X)=∑i∈[k]γi−1⋅ZT∖Si(X)⋅(fi(X)−ri(X))
根据Claim 3.2可知, f f f可被 Z T Z_T ZT整除,定义:
h ( X ) = f ( X ) / Z T ( X ) h(X)=f(X)/Z_T(X) h(X)=f(X)/ZT(X)
使用 s r s srs srs 计算 polynomial commitment W = [ h ( x ) ] 1 W=[h(x)]_1 W=[h(x)]1,并将 W W W发送给 V P C V_{PC} VPC。
(c) V P C V_{PC} VPC 发送a random z ∈ F z\in\mathbb{F} z∈F。
(d) P P C P_{PC} PPC 计算the polynomial:
L ( X ) = f z ( X ) − Z T ( z ) ⋅ h ( X ) L(X)=f_z(X)-Z_T(z)\cdot h(X) L(X)=fz(X)−ZT(z)⋅h(X),其中 f z ( X ) = ∑ i ∈ [ k ] γ i − 1 ⋅ Z T ∖ S i ( z ) ⋅ ( f i ( X ) − r i ( z ) ) f_z(X)=\sum_{i\in [k]}\gamma^{i-1}\cdot Z_{T\setminus S_i}(z) \cdot (f_i(X)-r_i(z)) fz(X)=∑i∈[k]γi−1⋅ZT∖Si(z)⋅(fi(X)−ri(z))
注意 L ( z ) = f ( z ) − Z T ( z ) ⋅ h ( z ) = 0 L(z)=f(z)-Z_T(z)\cdot h(z) =0 L(z)=f(z)−ZT(z)⋅h(z)=0,因此有 ( X − z ) (X-z) (X−z) divides L L L。
使用 s r s srs srs 计算 polynomial commitment W ‘ = [ L ( x ) x − z ] 1 W‘=[\frac{L(x)}{x-z}]_1 W‘=[x−zL(x)]1,并将 W ’ W’ W’发送给 V P C V_{PC} VPC。
(e) V P C V_{PC} VPC 计算: F = ∑ i ∈ [ k ] γ i − 1 ⋅ Z T ∖ S i ( z ) ⋅ ( c m i − [ r i ( z ) ] 1 ) − Z T ( z ) ⋅ W F=\sum_{i\in [k]} \gamma^{i-1}\cdot Z_{T\setminus S_i}(z) \cdot (cm_i-[r_i(z)]_1)-Z_T(z)\cdot W F=∑i∈[k]γi−1⋅ZT∖Si(z)⋅(cmi−[ri(z)]1)−ZT(z)⋅W 【 V P C V_{PC} VPC需要 2 2 2次pairing运算,同时在计算 [ r i ( x ) ] 1 [r_i(x)]_1 [ri(x)]1时,需要 ∑ i ∈ [ k ] ( ∣ S i ∣ ) \sum_{i\in [k]}(|S_i|) ∑i∈[k](∣Si∣) 次 G 1 \mathbb{G}_1 G1-exponentiations 运算。】
(f) V P C V_{PC} VPC 验证 e ( F , [ 1 ] 2 ) = e ( W ’ , [ x − z ] 2 ) e(F,[1]_2)=e(W’,[x-z]_2) e(F,[1]2)=e(W’,[x−z]2) 是否成立即可。
注意,以上open算法中,
V
P
C
V_{PC}
VPC需计算
[
x
−
1
]
2
[x-1]_2
[x−1]2,可做如下操作,move
G
2
\mathbb{G}_2
G2 operations into
G
1
\mathbb{G}_1
G1 operations:
整个polynomial commitment scheme——version 2 的计算量为:
本文标签: 学习笔记commitmentPolynomialEfficientschemes
版权声明:本文标题:Efficient polynomial commitment schemes for multiple points and polynomials学习笔记 内容由热心网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:https://m.elefans.com/xitong/1726703205a1081366.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。
发表评论