1. Background
In their 2016 paper 《Functional Commitment Schemes: From Polynomial Commitments to Pairing-Based Accumulators from Simple Assumptions》, Benoît Libert, Somindu C. Ramanna and Moti Yung propose:
1) The Functional Commitment (FC) primitive: a generalisation of vector commitments, polynomial commitments and other kinds of commitment schemes.
- Committer: commit to vectors of elements over a domain (e.g., )
- Committer: open for a function (e.g. 【 where are public coefficients; this single case already covers vector commitments, polynomial commitments and cryptographic accumulators.】), producing a witness for the fact that indeed evaluates to .
- A Functional Commitment (FC) should be function binding: it must be infeasible to open one commitment to two different evaluations for the same function .
- The commitment and the opening of a Functional Commitment (FC) should have constant size (i.e., independent of or of the function description).
- A Functional Commitment (FC) should be hiding: the committed messages are information-theoretically hidden.
- The paper constructs an FC for linear functions based on constant-size assumptions in composite-order groups endowed with a bilinear map.
- The security proof relies on the Déjà Q framework of Chase and Meiklejohn (Eurocrypt 2014) and its extension by Wee (TCC 2016) to encryption primitives, thus relying on constant-size subgroup decisional assumptions.
- The paper's FC yields a polynomial commitment and an accumulator for a large universe.
- The underlying assumption is:
2) Vector commitment: the messages are and the commitment is only opened with respect to specific positions.
3) Polynomial commitment: commit to a polynomial and only reveal evaluations of this polynomial on certain inputs.
Functional commitments borrow the idea behind functional encryption.
1.1 Functional encryption
Functional encryption was introduced in the 2011 paper 《Functional Encryption: Definitions and Challenges》 by Boneh et al.:
Functional encryption restricts what the receiver learns about encrypted data: when decrypting with the secret key for a function , the decryptor learns and nothing else.
Analogously, a functional commitment lets the committer precisely control what the opening phase reveals about the committed message.
The notion of functional commitment (FC) was first implicitly proposed by Gorbunov et al. in their 2015 paper 《Leveled Fully Homomorphic Signatures from Standard Lattices》, which describes a statistically-hiding commitment scheme for which the sender is able to only reveal a circuit evaluation when is the committed input. That scheme is based on a well-studied lattice assumption and supports arbitrary circuits, but its input must be committed to in a bit-by-bit manner (or at least must be split into small blocks).
Given a common reference string, an ordinary statistically-hiding commitment plus a NIZK proof already yields a non-interactive FC for general functionalities.
1.2 Verifiable random function
In 1999, Micali, Rabin and Vadhan introduced verifiable random functions in the paper 《Verifiable Random Functions》: a perfectly binding commitment to a pseudo-random function key for which the committer can convince a verifier about the correct function evaluation for the committed key on a given input.
1.3 Selective-opening security
Bellare, Hofheinz and Yilek's 2009 paper 《Possibility and Impossibility Results for Encryption and Commitment Secure under Selective Opening》 and the 1999 paper 《Magic Functions》 by Dwork et al. both raise the selective-opening security problem: whether an adversary can exploit correlations with already-opened information to learn about un-opened information (the security of un-opened commitments when an adversary gets to see the opening of other commitments to possibly correlated messages).
1.4 Zero-knowledge set
Zero-knowledge sets were introduced by Micali, Rabin and Kilian in the 2003 paper 《Zero-Knowledge Sets》: commit to a set or an elementary database, then provide membership or non-membership proofs for an element without revealing any further information (not even the cardinality of the committed set ).
Ostrovsky, Rackoff and Smith, in their 2004 paper 《Efficient Consistency Proofs for Generalized Queries on a Committed Database》, extended the committed-database notion to more general statements than membership and non-membership proofs.
2. Vector commitment
The notion of vector commitment was first proposed by Libert and Yung in the 2010 paper 《Concise Mercurial Vector Commitments and Independent Zero-Knowledge Sets with Short Proofs》 and further developed by Catalano and Fiore in the 2013 paper 《Vector Commitments and their Applications》.
The main tool is a Pedersen-like commitment to a vector , which admits a constant-size opening (constant meaning independent of ) for without revealing anything else.
Vector commitments were originally designed to support short coordinate-wise openings via mercurial commitments, and thereby zero-knowledge databases with short proofs. They can also be used for verifiable databases.
As pointed out in the blog posts of study notes on Vector Commitments and their Applications and on Vector Commitments with Efficient Proofs, vector commitments can be constructed in the following four ways:
- Vector commitments built from accumulators or RSA: the group used must have unknown (hidden) order.
- Vector commitments based on the SDH assumption: CRS size is , using bilinear pairings.
- Vector commitments based on the CDH assumption: CRS size is , using bilinear pairings.
- Vector commitments based on the DHE assumption: CRS size is , using bilinear pairings.
3. Polynomial commitment
Polynomial commitments were proposed by Kate, Zaverucha and Goldberg in the 2010 paper 《Constant-Size Commitments to Polynomials and their Applications》: produce a constant-size commitment to a polynomial (constant meaning independent of the degree), together with a constant-size witness convincing a verifier that the committed indeed evaluates to at a given .
Polynomial commitments can be used for:
- verifiable secret sharing;
- anonymous credentials with attributes;
- zero-knowledge databases that do not need to hide the size of the committed set;
- vector commitments, via Lagrange interpolation.
4. Accumulator
A cryptographic accumulator can also be understood as a commitment, especially when the hashing algorithm is randomized. Like zero-knowledge sets, accumulators provide inclusion proofs (with shorter membership proofs than zero-knowledge sets), but unlike them, accumulators usually cannot hide the cardinality of the set.
See the blog post on cryptographic accumulators (密码学累加器 cryptographic accumulator).
Accumulator constructions fall into three main categories:
- Strong RSA assumption in groups of unknown order, such as RSA groups or class groups [6,3,36,11,34]. The CRS is usually shorter and non-membership proofs are available, which extends them to universal or dynamic accumulators, but the set elements must be co-prime.
- Bilinear maps, e.g. [41,14]. Set elements need not be primes, but the CRS size equals the number of accumulated elements. Applicable to e-cash, authenticated data structures and similar settings, including proofs of subset and intersection relations.
- Merkle hash trees, e.g. [44, 11]. Based on Merkle trees rather than number-theoretic assumptions. The main drawback is that with a hash tree, if the hashed set has cardinality , the proof size is , whereas number-theoretic accumulators have proof size .
Derler et al.'s 2015 paper 《Solving Revocation with Efficient Update of Anonymous Credentials》 re-formalizes the security properties of accumulators and relates accumulators to other primitives: e.g., once an accumulator has the indistinguishability property, it can be used as a non-interactive commitment scheme and as a zero-knowledge set.
5. Functional commitment (FC)
This paper focuses on functional commitments (FC) for the linear function family defined as: , where . 【Essentially an inner product?】
The basic flow is:
- Use to produce a commitment to messages of the form over the domain .
- For a specific , with , open for to show that indeed evaluates to .
- Requirement: both the commitment and the witness must be succinct, with size independent of the length of the messages or of the function description.
The paper's FC scheme is built from the subgroup decision assumption in composite-order bilinear groups and is perfectly hiding and computationally binding.
The vector commitment constructed in M. Izabachene, B. Libert and D. Vergnaud's 2011 paper 《Blockwise P-Signatures and Non-Interactive Anonymous Credentials with Efficient Attributes》 is secure under a non-standard variable-size assumption.
This paper uses the Déjà Q framework of M. Chase and S. Meiklejohn's 2014 paper 《Déjà Q: Using Dual Systems to Revisit q-Type Assumptions》 to obtain security from a constant-size assumption.
The idea of Benoît Libert and Moti Yung's 2010 paper 《Concise Mercurial Vector Commitments and Independent Zero-Knowledge Sets with Short Proofs》 is as follows: 【see Section 2 of the blog post of study notes on Concise Mercurial Vector Commitments and Independent Zero-Knowledge Sets with Short Proofs.】
- Commit to as 【This commitment is binding under the q-DHE assumption; if q-DHE fails, an adversary can produce two distinct openings of at position . The commitment can also be viewed as a trapdoor commitment with trapdoor key ; whoever holds the trapdoor key can open the commitment to any value.】
- To prove that is the -th committed message, the Prover provides:
- The Verifier checks: .
- To give the mercurial commitment a more flexible binding property: if the Verifier's check is changed to , the binding property disappears. The basic idea is that the Prover's commitment is no longer just but , where ; when it is a hard commitment, and when it is a soft commitment. The Verifier's check is:
Building on Benoît Libert and Moti Yung's 2010 paper 《Concise Mercurial Vector Commitments and Independent Zero-Knowledge Sets with Short Proofs》, this paper chooses a composite-order bilinear group of order , with denoting the subgroup of of order ( can be written as , where ). The overall idea is:
- Public key: for , build commitment keys and . The trapdoor key is
- Messages to commit: the vector .
- Commit algorithm: introduce a random value to obtain the hiding property,
- To prove: 【Essentially an inner product proof? where is the witness, and and are public info??】
- Prover computes: ; after receiving the challenge , computes and sends to the Verifier. 【The underlying idea is: 】
- Verifier checks that holds.
Following the asymmetric-pairing idea of Benoît Libert and Moti Yung's 2010 paper 《Concise Mercurial Vector Commitments and Independent Zero-Knowledge Sets with Short Proofs》, the above can be chosen in the group .
The basic flow of a functional commitment is:
The Déjà Q framework [23] can be viewed as a functional commitment based on the subgroup decision assumption:
5.1 Functional commitment as polynomial commitment
Goal of a polynomial commitment: commit to a polynomial of degree over and reveal an opening for for .
Realizing a polynomial commitment with a functional commitment: first commit to the coefficients , then construct the challenge .
In fact, setting to at a particular position and to everywhere else corresponds to opening position of a vector commitment.
5.2 Functional commitment as accumulator for a large universe
As shown in Section "2.2 RSA-based vector commitment construction" of the blog post of study notes on Vector Commitments and their Applications, a vector commitment can be built from an accumulator.
Goal of an accumulator for a large universe: for a set , provide a membership or non-membership proof showing .
Realizing an accumulator for a large universe with a functional commitment: following the idea of Section 5.1, construct a polynomial 【first commit to the coefficient vector 】 such that if and only if .
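Added example (not code from the paper or from this note): the linear functionals that Sections 5.1 and 5.2 map onto a functional commitment, worked over a toy prime field Z_p. The pairing-based FC itself is not reimplemented; the block only makes explicit what the committed vector m and the public function vector x are in each case (a unit vector for a vector-commitment position, a power vector for polynomial evaluation, vanishing-polynomial coefficients for accumulator membership). The modulus and all inputs are constructed values.

```python
# Constructed toy modulus for the field Z_p; any large prime works here.
P = 2**61 - 1


def inner_product(m, x):
    """The linear functional F_x(m) = sum_i m_i * x_i (mod p) that the FC opens."""
    assert len(m) == len(x), "message and function vectors must have the same length"
    return sum(a * b for a, b in zip(m, x)) % P


def unit_vector(i, n):
    """Function vector with a 1 at position i and 0 elsewhere: opening slot i (Section 5.1, last paragraph)."""
    return [1 if j == i else 0 for j in range(n)]


def power_vector(z, n):
    """Function vector (1, z, z^2, ..., z^(n-1)): evaluating a committed coefficient vector at z (Section 5.1)."""
    return [pow(z, j, P) for j in range(n)]


def vanishing_poly_coeffs(elements, n):
    """Coefficients (lowest degree first) of prod_{s in elements} (X - s), padded to n slots (Section 5.2)."""
    coeffs = [1]
    for s in elements:
        nxt = [0] * (len(coeffs) + 1)
        for j, c in enumerate(coeffs):
            nxt[j] = (nxt[j] - c * s) % P      # multiply by -s
            nxt[j + 1] = (nxt[j + 1] + c) % P  # multiply by X
        coeffs = nxt
    if len(coeffs) > n:
        raise ValueError("set larger than the number of committed slots")
    return coeffs + [0] * (n - len(coeffs))


def open_position(m, i):
    """Vector-commitment opening of position i as an FC evaluation."""
    return inner_product(m, unit_vector(i, len(m)))


def eval_poly(coeffs, z):
    """Polynomial-commitment opening at z as an FC evaluation."""
    return inner_product(coeffs, power_vector(z, len(coeffs)))


def accumulator_query(elements, z, n):
    """Membership of z in the accumulated set: the committed vanishing polynomial is 0 at z iff z is in the set."""
    return eval_poly(vanishing_poly_coeffs(elements, n), z) == 0
```

A non-membership proof in the FC view is an opening of the same commitment to a non-zero evaluation at z.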
The basic flow of a cryptographic accumulator is:
5.3 Accumulators supporting subset queries from functional commitments
Let be the maximum number of elements in the accumulated set and the maximum number of elements in a subset for which a subset proof is supported.
From Section 2 of the blog post of study notes on Concise Mercurial Vector Commitments and Independent Zero-Knowledge Sets with Short Proofs, opening a single position of a vector commitment only needs the CRS public key , which can be written as , with trapdoor key , i.e. a hole at position . To prove the -th position, the Prover computes: .
To open a subset of positions, the CRS can be extended to one with holes , whose trapdoor key positions are . The opening proofs of the elements must then be combined into constant size; the method is to express the single-position as , i.e. the -th position of the -th element as a "shift" of by a factor in the exponent:
The basic flow of an accumulator supporting subset queries is:
A concrete algorithm for an accumulator supporting subset queries can be: