1. 背景知识
Dario Catalano 和 Dario Fiore 2013年论文《Vector Commitments and their Applications》:
1)提出了a new non-interactive primitive——Vector Commitment(VC),指的是 commit to an ordered sequence of
values
,除了具有普通commitment的binding和hiding特性外,还具有position binding特性:即可open commitment at specific positions——prove that
is the
-th committed message,不存在open a commitment to two differenct values at the same position。
2)要求 Vector Commitment 应为concise简洁的:
- commitment string的size应与vector length 无关;
- opening的size也应与vector length 无关。
3)要求Vector Commitment updatable:
- 当 the -th message 由 变成 时,允许 committer 更新commitment值——由 更新为 ,新的 中对应了更新后的 值;
- 当 the -th message 由 变成 时,允许 holders of an opening for a message at position w.r.t. to update their proof so as to become valid w.r.t. the new 。
4)提出了两种Vector Commitment实现:
- 基于RSA assumption的Vector Commitment实现;
- 基于Computational Diffie-Hellman (in bilinear groups) assumption的Vector Commitment实现。
5)指出了Vector Commitment的应用场景:
- Verifiable Databases with Efficient Updates;
- Updatable Zero-Knowledge Elementary Databases;
- Universal Dynamic Accumulators。
1.1 Trapdoor commitment schemes
又可称为chameleon commitment,若知晓trapdoor key,则可破坏commitment的binding属性,详细可看博客:
- 水银承诺mercurial commitment 。
- Almost Optimal Short Adaptive Non-Interactive Zero Knowledge学习笔记 第2.1节内容。
2. Vector Commitments
Vector Commitments 由如下基础算法组成:
1)VC.KeyGen(
):Given the security parameter
and the size
of the committed vector (with
), the key generation outputs some public parameters
(which implicitly define the message space
). 【生成Prover和Verifier的public info。】
2)VC.Com
(
):On input a sequence of
messages
and the public parameters
, the committing algorithm outputs a commitment string
and an auxiliary information
. 【Prover生成commitment。】
3)VC.Open
(
):This algorithm is run by the committer to produce a proof
that
is the
-th committed message.【Prover生成proof。】
4)VC.Ver
(
):The verification algorithm accepts (i.e., it outputs
) only if
is a valid proof that
was created to a sequence
such that
.【Verifier验证proof。】
5)VC.Update
(
):This algorithm is run by the committer who produced
and wants to update it by changing the
-th message to
. The algorithm takes as input the old message
, the new message
and the position
. It
outputs a new commitment
together with an update information
.【Prover更新commitment,为Verifier提供update information
。】
6)VC.ProofUpdate
(
):This algorithm can be run by any user who holds a proof
for some message at position
w.r.t.
, and it allows the user to compute an updated proof
(and the updated commitment
) such that
will be valid w.r.t.
which contains
as the new message at position
. Basically, the value
contains the update information which is needed to compute such values.【利用update information
,Prover 或者 Verifier更新老的proof
为
。】
2.1 基于CDH的Vector Commitment实现
Square-CDH assumption:已知
,要计算
的值为computationally infeasible。
Square-CDH assumption与standard CDH assumption等价。
基于CDH assumption in bilinear groups,本文构建的Vector Commitment采用了 Bellare and Micciancio 1997年论文《A new paradigm for collision-free hashing: Incrementality at reduced cost》 中的incremental hash function思路:
1)VC.KeyGen(
):Let
be two bilinear groups of prime order
equipped with a bilinear map
. Let
be a random generator. Randomly choose
. For all
set:
. For all
set
.
Set
. The message space is
。【CRS的length为
,且
不在CRS中(需满足CDH assumption,
对Prover不可知)。】
2)VC.Com_{pp}( ):Compute and output and the auxiliary information 。
3)VC.Open_{pp}( ):Compute 。【生成proof的multi-exponentiation复杂度为 】
4)VC.Ver_{pp}( ):If then output . Otherwise output 。
5)VC.Update_{pp}( ):Compute the updated commitment . Finally output and 。
6)VC.ProofUpdate_{pp}( ):A client who owns a proof , that is valid w.r.t. to for some message at position , can use the update information to compute the updated commitment and produce a new proof which will be valid w.r.t. . We distinguish two cases:
- :Compute the updated commitment while the updated proof is 。
- :Compute the updated commitment as while the updated proof remains the same 。
上述算法存在的一个问题是:public parameters
is
,可通过如下签名方式改进:
2.2 基于RSA的Vector Commitment实现
RSA assumption定义可参见博客密码学中的各种假设——DL/SDH…。
1)VC.KeyGen(
):随机选择两个
-bit 的素数
,设置
,选择
个不能整除
的
-bit 素数
。从
到
,设置
。
Set
. The message space is
。【CRS的length为
,且
不在CRS中(需满足RSA assumption,
对Prover不可知)。】
2)VC.Com_{pp}( ):Compute and output and the auxiliary information 。
3)VC.Open_{pp}( ):Compute 。【由于 中包含了 信息,Prover做相应的开 次方很容易计算。】
4)VC.Ver_{pp}( ):If 且 then output . Otherwise output 。
5)VC.Update_{pp}( ):Compute the updated commitment . Finally output and 。
6)VC.ProofUpdate_{pp}( ):A client who owns a proof , that is valid w.r.t. to for some message at position , can use the update information to compute the updated commitment and produce a new proof which will be valid w.r.t. . We distinguish two cases:
- :Compute the updated commitment while the updated proof is 。【由于 中包含了 信息,Prover做相应的开 次方很容易计算。】
- :Compute the updated commitment as while the updated proof remains the same 。
同时,Verifier应执行一次验证,确保 中的 与其中的 确实满足 。
在2018年论文《Batching Techniques for Accumulators with Applications to IOPs and Stateless Blockchains》基于strong RSA assumption in groups of unknown order实现了Vector Commitment,相较于上述实现,做了如下改进:
- 限定了用于commit的vector 中各元素为co-prime的,减少了public info 中的 参数,减少了CRS的长度;
- 利用
Bezout
和ShamirTrick
算法,实现了batching of non-membership proofs; - 利用
RootFactor
算法,在没有 的情况下,将计算 -th root的算法复杂度由 降为了 ,同时再次减少了CRS的长度。
基于以上策略所实现的Vector Commitment,其subvector openings为constant size,public parameters也为constant size(与vector的长度无关)。
详细的算法解析参见博客:
https://blog.csdn.net/mutourend/article/details/102936314
具体的代码实现解析参见博客:
Vector Commitments代码实现 中的2.1和2.2节内容。
3. Vector Commitment的应用场景
3.1 Verifiable Databases with Efficient Updates
Verifiable Databases with Efficient Updates(VDB),由Benabbas, Gennaro and Vahlis 在 2011年论文《Verifiable delegation of computation over large datasets》中提出,可用于解决verifiable outsourcing of storage(存储外包)。client资源有限,需要将 a large database 外包给server来存储,client可获取database record,也可更新record。要求:
- For efficiency,client获取record和更新record所需的计算资源应与database的size无关(初始化阶段除外);
- For security,在client不知情的情况下,server无法篡改database的任何record。
若client不做update操作,针对此static case,可通过message authentication或signature scheme来实现,即client先对database record 签名,然后才将前面后的record发送给server,server ouput的record必须有相应的valid signature。 但是,当client需要做update操作时,该方式不可行——需要有机制来允许client撤销前面的签名。解决方案有:
- accumulators;
- authenticated data structures;
- verifiable computation 可信计算;
- authenticated remote file systems。
Benabbas 等人2011年论文《Verifiable delegation of computation over large datasets》中的方案,relies on a constant size assumption in bilinear groups of composite order, but does not support public verifiability (i.e., only the client owner of the database can verify the correctness of the proofs provided by the server)。
而采用本文的Vector Commitments方案,支持VDB的public verifiability。同时若采用VC based on CDH 方案,则可实现基于standard constant-size assumption的VDB,其efficiency improves over the scheme of Benabbas 的方案 as we can use bilinear groups of prime order。
将database 表述为由一系列tuples 组成,其中 为key, 为相应的value,表示为 。假设key的取值范围为 ,其中 ,而DB value为任意的string 。
基本的流程为:
1)VDB.Setup(
):On input the security parameter
and a database
, the setup algorithm is run by the client to generate a secret key
that is kept private by the client, a database encoding
that is given to the server, and a public key
that is distributed to all users (including the client itself) who wish to verify the proofs.
2)VDB.Query(
):On input a database key
, the query processing algorithm is run by the server, and returns a pair
.
3)VDB.Verify(
):The public verification algorithm outputs a value
if
verifies correctly w.r.t.
(i.e.,
), and an error
otherwise.
4)VDB.ClientUpdate(
):The client update algorithm is used by the client to change the value of the database record with key
, and it outputs a value
and an updated public key
.
5)VDB.ServerUpdate(
):The server update algorithm is run by the server to update the database according to the value
produced by the client.
需满足要求:
- security。
- the size of the information stored by the client as well as the time needed to compute verifications and updates must be independent of the size of the database。
若采用Vector Commitment来实现上述Verifiable Databases with Efficient Updates流程:
3.2 Updatable Zero-Knowledge Elementary Databases
Zero knowledge set(ZKS) means that users commit to a set and subsequently prove the (non-)membership of some elements without revealing any further information (not even the cardinality of the committed set).【参见博客 Vector Commitment, Zero-knowledge Set, Zero-knowledge Accumulator等区别】
一般地,ZKS都是基于 trapdoor mercurial commitments
and collision resistant hash functions 来构建的,生成membership proof和non-membership proof。
详细描述见Catalano等人2011年论文《Zero-Knowledge Sets with short proofs》。
等价为:build
-mercurial commitments (qTMC) using vector commitments。
使用(concise) vector commitment和standard trapdoor commitment来构建(concise) trapdoor qTMC的流程为:
若想qTMC支持updatable,需要额外增加两个算法:
基于Vector Commitment的详细实现为: