

1. 引言

Qiang Wang等人2019年发表于Oxford University Press on behalf of the Institute of Mathematics and its Applications 的论文《A (Zero-Knowledge) Vector Commitment with Sum Binding and its Applications》中,主要内容为:

  • 在Vector commitment的基础上,提出了增加了sum binding属性的VCS。
  • 现有的vector commitment在提供position-binding属性的同时,无法提供隐私保护——即client可能可以通过proofs和commiments获取额外的committed sequence信息。本文提出了zero-knowledge VCS (ZKVCS)—— in which commitments and proofs constructed during the protocol execution leak nothing about the committed sequence。
  • 使用(ZK)VCS构建了一个支持 sum 求和运算的(zero-knowledge) verifiable database。

Commitment为密码学中的独立primitive,在zero-knowledge proof,secure computation,e-voting和verifiable secret sharing中均有重要作用。


  • Committing阶段;
  • Opening阶段。


  • committer:计算commitment C C C
  • client:接收commitment C C C和opening信息。

1.1 commitment发展史

  • 1988年,Brassard等人在论文《Minimum disclosure proofs of knowledge》中首次提出了commitment的概念。

  • 2004年Gennaro在论文《Multi-trapdoor commitments and their applications to proofs of knowledge secure under concurrent man-in-the-middle attacks》中,2004年MacKenzie等人在论文《On simulation-sound trapdoor commitments》中,2011年Xiaofeng Chen等人在论文《New receipt-free voting scheme using double-trapdoor commitment》中均提到了trapdoor commitment。在trapdoor commitment中,binding属性更灵活,知道trapdoor信息的一方可open the commitment in any possible way,而对于不知道trapdoor信息的一方,仍然具有binding属性。

  • 2005年Chase等人在论文《Mercurial commitments with applications to zero-knowledge sets》中,2008年Catalano等人在论文《Zero-knowledge sets with short proofs》中,2010年Benoît Libert和Moti Yung 在论文《Concise Mercurial Vector Commitments and Independent Zero-Knowledge Sets with Short Proofs》中均提到了mercurial commitment。mercurial commitment与trapdoor类似,但是mercurial commitment支持2中open算法:hard open和soft open。在committing阶段,committer可选择是创建hard commitment还是soft commitment。hard commitment支持hard open和soft open,但是open的值只能是当初commit to的值。而soft commitment仅仅支持soft open,soft commitment可open为任意值。mercurial commitment要求没有任何adversary可以区分hard commitment还是soft commitment。(具体可参见博客 Concise Mercurial Vector Commitments and Independent Zero-Knowledge Sets with Short Proofs 学习笔记)

  • 2013年, Dario Catalano 和 Dario Fiore 在论文《Vector Commitments and their Applications》中首次提出了vector commitment (VC) 的概念,允许对an ordered sequence of q q q values ( m 1 , ⋯   , m 1 ) (m_1,\cdots,m_1) (m1,,m1)进行commit,同时额外满足position binding属性——即对同一个位置 ,无法open出2个不同的值。(详情参见博客 Vector Commitments and their Applications学习笔记)
    VC的position binding属性可用于check the integrity of outsourced data with fix size。即VC对应的是固定长度的vector。而对于unbounded data呢?

  • 2016年,Krupp等人在论文《 Nearly optimal verifiable data streaming》中,将VC扩展为chameleon VC (CVC),额外增加了chameleon属性——即拥有trapdoor信息的一方可在不改变commitment值的前提下替换各个位置的message值,即可open为任意值。CVC可用于支持unbounded data in verifiable data streaming setting。


  • Expressiveness:现有的VC scheme仅支持open 位置信息,但是无法满足现实世界的使用需求。如,当已知每个月降雨量的commitment值,现有VC scheme无法支持open全年的降雨量值。因此,除了open位置信息外,也应支持open更多形式的信息。
  • Privacy:现有VC scheme的position binding属性仅能保证committer无法对同一位置open出2个不同的值,但是并没有提供隐私保护,a malicious client may learn extra information about the sequence from the proofs and the commitments。

本文提出的VCS (VC with sum binding),额外支持:

  • open the sum of all elements in committed sequence。

本文提出的ZKVCS (zero-knowledge VCS),无论是open to sum 还是open at position,client都无法获取any information about the committed sequence。hiding property仅能保证malicious client cannot learn any information from the commitments,而ZKVCS可保证malicious client cannot learn any information about the committed squences from the proofs and commitments。

本文的VCS或ZKVCS用于verifiable database时,仍然存在 forward automatic update attack问题,可借助Chen, X.等人2015年论文《New publicly verifiable databases with efficient updates》中的方法进行改进。

1.2 一些定义

  • Bilinear pairing:

  • 多项式分解Polynomial decomposition:
    根据Papamanthou等人2013年论文《Signatures of correct computation》中的Lemma 1, n n n-变量多项式具有如下分解属性:

    即polynomial commitment的根本是:
    对于有 n n n个变量( x ⃗ = ( x 1 , ⋯   , x n ) \vec{x}=(x_1,\cdots,x_n) x =(x1,,xn))的多项式 f ( x ⃗ ) ∈ Z p [ x ⃗ ] f(\vec{x})\in\mathbb{Z}_p[\vec{x}] f(x )Zp[x ],对任意取值 a ⃗ ∈ Z p n \vec{a}\in\mathbb{Z}_p^n a Zpn,存在有效的算法,可找到 n n n个多项式 Q i ( x ⃗ ) Q_i(\vec{x}) Qi(x ),使得 f ( x ⃗ ) − f ( a ⃗ ) = ∑ i = 1 n ( x i − a i ) ⋅ Q i ( x ⃗ ) f(\vec{x})-f(\vec{a})=\sum_{i=1}^{n}(x_i-a_i)\cdot Q_i(\vec{x}) f(x )f(a )=i=1n(xiai)Qi(x )成立。

  • 相关符号定义:

1.3 安全假设

  • Bilinear inverse assumption:
  • Bilinear q q q-strong Diffie-Hellman assumption:

1.4 属性及性能对比

2. VCS基本定义

详情参见博客 Vector Commitments and their Applications学习笔记。

  • VC.KeyGen
  • VC.Com
  • VC.Open
  • VC.Ver
  • VC.Update
  • VC.ProofUpdate

VCS为了支持sum binding 属性,在VC的基础上,额外增加了2个算法:

  • VC.OpenSum
  • VC.VerSum

2.1 VCS算法定义


  • p p ← V C . K e y G e n ( 1 k , q ) pp\leftarrow VC.KeyGen(1^k,q) ppVC.KeyGen(1k,q):key generation算法,输入为security parameter k k k c o m m i t t e d v e c t o r committed vector committedvector的size q q q q = p o l y ( k ) q=poly(k) q=poly(k))。输出为public parameters p p pp pp(which implicitly define the message space M M M)。

  • ( C , a u x ) ← V C . C o m p p ( m 1 , ⋯   , m q ) (C,aux)\leftarrow VC.Com_{pp}(m_1,\cdots,m_q) (C,aux)VC.Compp(m1,,mq):committing算法,由committer运行。输入为a sequence of q q q messages m 1 , ⋯   , m q ∈ M m_1,\cdots,m_q\in M m1,,mqM和public parameters p p pp pp,输出为commitment值 C C C和auxiliary information a u x aux aux。( a u x aux aux为committer的私有信息。)

  • Λ i ← V C . O p e n p p ( m i , i , a u x ) \Lambda_i\leftarrow VC.Open_{pp}(m_i,i,aux) ΛiVC.Openpp(mi,i,aux):opening算法,由committer运行。输入为public parameters p p pp pp、位置 i i i、消息 m i m_i mi以及辅助信息 a u x aux aux,输出为proof Λ i \Lambda_i Λi(用于证明 m i m_i mi is the i i i-th committed message)。

  • { 0 , 1 } ← V C . V e r p p ( C , m , i , Λ i ) \{0,1\}\leftarrow VC.Ver_{pp}(C,m,i,\Lambda_i) {0,1}VC.Verpp(C,m,i,Λi):verification算法,由任意client运行。输入为public parameters p p pp pp、commitment值 C C C、位置 i i i、opened消息 m m m以及proof Λ i \Lambda_i Λi。若 Λ i \Lambda_i Λi为a valid proof that C C C is a commitment to the sequence ( m 1 , ⋯   , m q ) (m_1,\cdots,m_q) (m1,,mq) such that m = m i m=m_i m=mi,则输出为 1 1 1,否则输出为 0 0 0

  • ( C ′ , U ) ← V C . U p d a t e p p ( C , m , m ′ , i ) (C',U)\leftarrow VC.Update_{pp}(C,m,m',i) (C,U)VC.Updatepp(C,m,m,i):update算法,由生成 C C C的原始committer运行,用于update C C C by changing the i i i-th message m m m to m ′ m' m。输入为public parameters p p pp pp、commitment值 C C C、位置 i i i、老的消息 m m m、新消息 m ′ m' m,输出为新的commitment C ′ C' C和update information U U U

  • ( C ′ , Λ j ′ ) ← V C . P r o o f U p d a t e p p ( C , Λ j , m ′ , U ) (C', \Lambda_j')\leftarrow VC.ProofUpdate_{pp}(C,\Lambda_j,m',U) (C,Λj)VC.ProofUpdatepp(C,Λj,m,U):proof update 算法,由任何拥有proof Λ j \Lambda_j Λj (for some message at position j j j) client运行。输入为public parameters p p pp pp、老的commitment值 C C C、proof Λ j \Lambda_j Λj (for some message at position j j j)、新的消息 m ′ m' m (at position i i i)和update information U U U。输出为新的commitment C ′ C' C和新的updated proof Λ j \Lambda_j Λj for m j m_j mj,均对应新的sequence ( m 1 , ⋯   , m i − 1 , m ′ , m i + 1 , ⋯   , m q ) (m_1,\cdots,m_{i-1},m',m_{i+1},\cdots,m_q) (m1,,mi1,m,mi+1,,mq)

  • Λ s u m ← V C . O p e n S u m p p ( s u m , a u x ) \Lambda_{sum}\leftarrow VC.OpenSum_{pp}(sum,aux) ΛsumVC.OpenSumpp(sum,aux):sum opening算法,由committer运行。输入为public parameters p p pp pp、sum( ( m 1 , ⋯   , m q ) (m_1,\cdots,m_q) (m1,,mq)所有值之和)以及辅助信息 a u x aux aux。输出为proof Λ s u m \Lambda_{sum} Λsum(用于证明 s u m = ∑ i = 1 q m i sum=\sum_{i=1}^{q}m_i sum=i=1qmi)。

  • { 0 , 1 } ← V C . V e r S u m p p ( C , s u m , Λ s u m ) \{0,1\}\leftarrow VC.VerSum_{pp}(C,sum,\Lambda_{sum}) {0,1}VC.VerSumpp(C,sum,Λsum):sum verification算法,可由任意client运行。输入为public parameters p p pp pp、commitment值 C C C、opened和值 s u m sum sum以及proof Λ s u m \Lambda_{sum} Λsum。当 Λ s u m \Lambda_{sum} Λsum is a valid proof that C C C is a commitment to the sequence ( m 1 , ⋯   , m q ) (m_1,\cdots,m_q) (m1,,mq) such that s u m = ∑ i = 1 q m i sum=\sum_{i=1}^{q}m_i sum=i=1qmi时,输出为 1 1 1,否则输出为 0 0 0

2.2 VCS correctness定义

即只要算法是honestly executed的,a valid proof should never be rejected。

2.3 VCS position binding 定义


  • A 0 \mathcal{A}_0 A0生成任意长度为 q = p o l y ( k ) q=poly(k) q=poly(k)的vector。
  • 进行 l + 1 l+1 l+1次:对vector中的任意位置 j j j A 1 \mathcal{A}_1 A1)进行update,对任意位置 i i i A 2 \mathcal{A}_2 A2)进行Open
  • 根据所获取的 l + 1 l+1 l+1 ( U a , C a , Λ a ) (U_a,C_a,\Lambda_a) (Ua,Ca,Λa)信息, A 3 \mathcal{A}_3 A3选取任意的位置 i ∗ i^* i
  • 根据 i ∗ i^* i l + 1 l+1 l+1 ( U a , C a , Λ a ) (U_a,C_a,\Lambda_a) (Ua,Ca,Λa)信息, A 4 \mathcal{A}_4 A4生成相应的 ( m i ∗ ′ , Λ i ∗ ′ ) (m_{i^*}',\Lambda_{i^*}') (mi,Λi),使得当 m i ∗ ′ ≠ m i ∗ m_{i^*}'\neq m_{i^*} mi=mi时对 Λ i ∗ ′ ) \Lambda_{i^*}') Λi)Ver通过的概率可忽略,即不大于 n e g l ( k ) negl(k) negl(k)

    注意以上新的辅助信息 a u x a aux_a auxa可由updated information U a U_a Ua和老的辅助信息 a u x a − 1 aux_{a-1} auxa1生成。

2.4 VCS sum binding 定义

即不允许open a commitment to two different sums with respect to the committed sequence。

  • A 0 \mathcal{A}_0 A0生成任意长度为 q = p o l y ( k ) q=poly(k) q=poly(k)的vector。
  • 进行 l + 1 l+1 l+1次:对vector中的任意位置 j j j A 1 \mathcal{A}_1 A1)进行update,对该vector进行OpenSum
  • 根据所获取的 l + 1 l+1 l+1 ( U a , C a , Λ s u m a ) (U_a,C_a,\Lambda_{sum_a}) (Ua,Ca,Λsuma)信息, A 2 \mathcal{A}_2 A2选取其中任意一组vector,生成相应的 ( s u m l ′ , Λ s u m l ′ ) (sum_{l}',\Lambda_{sum_l}') (suml,Λsuml),使得当 s u m l ′ ≠ s u m l sum_{l}'\neq sum_l suml=suml时对 Λ s u m l ′ ) \Lambda_{sum_l}') Λsuml)VerSum通过的概率可忽略,即不大于 n e g l ( k ) negl(k) negl(k)

2.5 concise定义

Λ i \Lambda_i Λi Λ s u m \Lambda_{sum} Λsum与vector的长度 q q q无关。

3. VCS的具体实现

3.1 基于Bilinear pairing的VCS具体实现

  • p p ← V C . K e y G e n ( 1 k , q ) pp\leftarrow VC.KeyGen(1^k,q) ppVC.KeyGen(1k,q):key generation算法, c o m m i t t e d v e c t o r committed vector committedvector的size最大为 q q q,security parameter 为 k k k。选择具有相同order p ∈ p o l y ( k ) p\in poly(k) ppoly(k) 的two groups G 1 \mathcal{G}_1 G1 G 2 \mathcal{G}_2 G2 满足bilinear map e : G 1 × G 1 → G 2 e:\mathcal{G}_1\times \mathcal{G}_1\rightarrow \mathcal{G}_2 e:G1×G1G2。设置 G 1 \mathcal{G}_1 G1的generator为 g g g。选择2个随机数 α , β ← Z p \alpha,\beta \leftarrow \mathbb{Z}_p α,βZp,计算public parameter为:
    p p = { g , { g α i } i ∈ [ q ] , { g β i } i ∈ [ q ] , { g α i β j } i ∈ [ 2 q − 1 ] ∖ { q } , j ∈ [ q ] } pp=\{g, \{g^{\alpha^i}\}_{i\in [q]} , \{g^{\beta^i}\}_{i\in [q]}, \{g^{\alpha^i\beta^j}\}_{i\in [2q-1]\setminus \{q\},j\in [q]} \} pp={g,{gαi}i[q],{gβi}i[q],{gαiβj}i[2q1]{q},j[q]} 【长度为 2 q 2 + 1 2q^2+1 2q2+1即为 Θ ( q 2 ) \Theta(q^2) Θ(q2)
    message space为 M = Z p M=\mathbb{Z}_p M=Zp

  • ( C , a u x ) ← V C . C o m p p ( m 1 , ⋯   , m q ) (C,aux)\leftarrow VC.Com_{pp}(m_1,\cdots,m_q) (C,aux)VC.Compp(m1,,mq):committing算法,由committer运行。输入为a sequence of q q q messages m 1 , ⋯   , m q ∈ M m_1,\cdots,m_q\in M m1,,mqM和public parameters p p pp pp,计算commitment C = ∏ i = 1 q ( g α i ) m i = ∏ i = 1 q g m i α i C=\prod_{i=1}^{q}(g^{\alpha^i})^{m_i}=\prod_{i=1}^{q}g^{m_i\alpha^i} C=i=1q(gαi)mi=i=1qgmiαi,辅助信息 a u x = ( m 1 , ⋯   , m q ) aux=(m_1,\cdots,m_q) aux=(m1,,mq)
    a u x aux aux为committer的私有信息。)

  • Λ i ← V C . O p e n p p ( m i , i , a u x ) \Lambda_i\leftarrow VC.Open_{pp}(m_i,i,aux) ΛiVC.Openpp(mi,i,aux):opening算法,由committer运行。
    基本思路为通过构建2个多项式 R ( x ) \mathcal{R}(x) R(x) Q ( x , y ) \mathcal{Q}(x,y) Q(x,y)
    R ( x ) = ∑ j = 1 q m j ⋅ x j \mathcal{R}(x)=\sum_{j=1}^{q}m_j\cdot x^j R(x)=j=1qmjxj
    R ( x ) ⋅ x q − i y i = m i ⋅ x q ⋅ y i + Q ( x , y ) \mathcal{R}(x)\cdot x^{q-i}y^i=m_i\cdot x^q\cdot y^i+\mathcal{Q}(x,y) R(x)xqiyi=mixqyi+Q(x,y) 公式(1)
    Q ( x , y ) = ( ∑ j = 1 , j ≠ i q m j x j ) ⋅ x q − i y i = ∑ j = 1 , j ≠ i q ( m j ⋅ x q − i + j y i ) \mathcal{Q}(x,y)=(\sum_{j=1,j\neq i}^{q}m_jx^j)\cdot x^{q-i}y^i=\sum_{j=1,j\neq i}^{q}(m_j\cdot x^{q-i+j}y^i) Q(x,y)=(j=1,j=iqmjxj)xqiyi=j=1,j=iq(mjxqi+jyi)
    为证明 m i m_i mi is the i i i-th committed message,committer可根据public parameters p p p计算对应的proof为 Λ i = g Q ( α , β ) \Lambda_i=g^{\mathcal{Q}(\alpha,\beta)} Λi=gQ(α,β)

  • { 0 , 1 } ← V C . V e r p p ( C , m i , i , Λ i ) \{0,1\}\leftarrow VC.Ver_{pp}(C,m_i,i,\Lambda_i) {0,1}VC.Verpp(C,mi,i,Λi):verification算法,由任意client运行。输入为public parameters p p pp pp、commitment值 C C C、位置 i i i、opened消息 m i m_i mi以及proof Λ i \Lambda_i Λi
    e ( C , g α q − i β i ) = e ( g m i ⋅ β i , g α q ) ⋅ e ( Λ i , g ) e(C,g^{\alpha^{q-i}\beta^i})=e(g^{m_i\cdot \beta^i}, g^{\alpha^q})\cdot e(\Lambda_i,g) e(C,gαqiβi)=e(gmiβi,gαq)e(Λi,g) 公式(2)
    若公式(2)成立,则输出 1 1 1,否则输出 0 0 0

  • ( C ′ , U ) ← V C . U p d a t e p p ( C , m , m ′ , i ) (C',U)\leftarrow VC.Update_{pp}(C,m,m',i) (C,U)VC.Updatepp(C,m,m,i):update算法,由生成 C C C的原始committer运行,用于update C C C by changing the i i i-th message m m m to m ′ m' m
    输出的updated commitment C ′ = C ⋅ ( g α i ) m ′ − m C'=C\cdot (g^{\alpha^i})^{m'-m} C=C(gαi)mm,updated information U = ( m , m ′ , i ) U=(m,m',i) U=(m,m,i)

  • ( C ′ , Λ j ′ ) ← V C . P r o o f U p d a t e p p ( C , Λ j , m ′ , U ) (C', \Lambda_j')\leftarrow VC.ProofUpdate_{pp}(C,\Lambda_j,m',U) (C,Λj)VC.ProofUpdatepp(C,Λj,m,U):proof update 算法,由任何拥有proof Λ j \Lambda_j Λj (for some message at position j j j) client运行。输入为public parameters p p pp pp、老的commitment值 C C C、proof Λ j \Lambda_j Λj (for some message at position j j j)、新的消息 m ′ m' m (at position i i i)和update information U U U。输出为新的commitment C ′ C' C和新的updated proof Λ j \Lambda_j Λj for m j m_j mj,均对应新的sequence ( m 1 , ⋯   , m i − 1 , m ′ , m i + 1 , ⋯   , m q ) (m_1,\cdots,m_{i-1},m',m_{i+1},\cdots,m_q) (m1,,mi1,m,mi+1,,mq)。根据 i i i j j j的关系分为如下2中情况:
    1)当 j ≠ i j\neq i j=i时,updated commitment C ′ = C ⋅ ( g α i ) m ′ − m C'=C\cdot (g^{\alpha^i})^{m'-m} C=C(gαi)mm,updated proof为 Λ j ′ = Λ j ⋅ g ( m ′ − m ) ⋅ α q − j + i β j \Lambda_j'=\Lambda_j\cdot g^{(m'-m)\cdot \alpha^{q-j+i}\beta^j} Λj=Λjg(mm)αqj+iβj
    2)当 j = i j=i j=i时,updated commitment C ′ = C ⋅ ( g α i ) m ′ − m C'=C\cdot (g^{\alpha^i})^{m'-m} C=C(gαi)mm,updated proof仍然为 Λ j \Lambda_j Λj保持不变。

  • Λ s u m ← V C . O p e n S u m p p ( s u m , a u x ) \Lambda_{sum}\leftarrow VC.OpenSum_{pp}(sum,aux) ΛsumVC.OpenSumpp(sum,aux):sum opening算法,由committer运行。输入为public parameters p p pp pp、sum( ( m 1 , ⋯   , m q ) (m_1,\cdots,m_q) (m1,,mq)所有值之和)以及辅助信息 a u x aux aux。输出为proof Λ s u m \Lambda_{sum} Λsum(用于证明 s u m = ∑ i = 1 q m i sum=\sum_{i=1}^{q}m_i sum=i=1qmi)。
    构建多项式 R ( x ) = ∑ j = 1 q m j x j \mathcal{R}(x)=\sum_{j=1}^{q}m_jx^j R(x)=j=1qmjxj,当取 x = 1 x=1 x=1时,有 R ( 1 ) = ∑ j = 1 q m j = s u m \mathcal{R}(1)=\sum_{j=1}^{q}m_j=sum R(1)=j=1qmj=sum。同时,利用polynomial decomposition有:
    R ( x ) − R ( 1 ) = ( x − 1 ) ⋅ Q ( x ) \mathcal{R}(x)-\mathcal{R}(1)=(x-1)\cdot \mathcal{Q}(x) R(x)R(1)=(x1)Q(x)
    计算OpenSum proof 为 Λ s u m = g Q ( α ) \Lambda_{sum}=g^{\mathcal{Q}(\alpha)} Λsum=gQ(α)

  • { 0 , 1 } ← V C . V e r S u m p p ( C , s u m , Λ s u m ) \{0,1\}\leftarrow VC.VerSum_{pp}(C,sum,\Lambda_{sum}) {0,1}VC.VerSumpp(C,sum,Λsum):sum verification算法,可由任意client运行。输入为public parameters p p pp pp、commitment值 C C C、opened和值 s u m sum sum以及proof Λ s u m \Lambda_{sum} Λsum
    e ( C / g s u m , g ) = e ( Λ s u m , g α − 1 ) = e ( Λ s u m , g α / g ) e(C/g^{sum},g)=e(\Lambda_{sum},g^{\alpha-1})=e(\Lambda_{sum},g^{\alpha}/g) e(C/gsum,g)=e(Λsum,gα1)=e(Λsum,gα/g)
    是否成立,若成立,则输出 1 1 1,否则输出 0 0 0

3.2 基于Bilinear pairing VCS的security analysis

分别呼应第2节中的correctness定义、position binding定义、sum binding定义和concise定义有correctness security、position binding security、sum binding security和concise security。

  • correctness security:

  • position binding security:
    假设adversary A \mathcal{A} A可构建算法 B \mathcal{B} B,使得2.3节中的position binding的概率不可忽略,从而使position binding security不成立。
    即存在 m i ∗ ′ ≠ m i ∗ m_{i^*}'\neq m_{i^*} mi=mi,使得 V C . V e r p p ( C l , m i ∗ ′ , i ∗ , Λ i ∗ ′ ) = 1 VC.Ver_{pp}(C_l, m_{i^*}',i^*,\Lambda_{i^*}')=1 VC.Verpp(Cl,mi,i,Λi)=1成立。
    e ( C , g α q − i ∗ β i ∗ ) = e ( g m i ∗ ′ ⋅ β i , g α q ) ⋅ e ( Λ i ∗ ′ , g ) e(C,g^{\alpha^{q-i^*}\beta^{i^*}})=e(g^{m_{i^*}'\cdot \beta^i}, g^{\alpha^q})\cdot e(\Lambda_{i^*}',g) e(C,gαqiβi)=e(gmiβi,gαq)e(Λi,g)
    e ( C , g α q − i ∗ β i ∗ ) = e ( g m i ∗ ⋅ β i , g α q ) ⋅ e ( Λ i ∗ , g ) e(C,g^{\alpha^{q-i^*}\beta^{i^*}})=e(g^{m_{i^*}\cdot \beta^i}, g^{\alpha^q})\cdot e(\Lambda_{i^*},g) e(C,gαqiβi)=e(gmiβi,gαq)e(Λi,g)
    e ( g m i ∗ ′ ⋅ β i , g α q ) ⋅ e ( Λ i ∗ ′ , g ) = e ( g m i ∗ ⋅ β i , g α q ) ⋅ e ( Λ i ∗ , g ) e(g^{m_{i^*}'\cdot \beta^i}, g^{\alpha^q})\cdot e(\Lambda_{i^*}',g)= e(g^{m_{i^*}\cdot \beta^i}, g^{\alpha^q})\cdot e(\Lambda_{i^*},g) e(gmiβi,gαq)e(Λi,g)=e(gmiβi,gαq)e(Λi,g)
    对应有:【假设 c = m i ∗ ′ − m i ∗ c= m_{i^*}'- m_{i^*} c=mimi
    e ( Λ i ∗ ′ , g ) = e ( g m i ∗ ⋅ β i , g α q ) ⋅ e ( Λ i ∗ , g ) / e ( g m i ∗ ′ ⋅ β i , g α q ) = e ( g ( m i ∗ − m i ∗ ′ ) ⋅ α q β i , g ) ⋅ e ( Λ i ∗ , g ) = e ( g ( m i ∗ − m i ∗ ′ ) ⋅ α q β i ⋅ Λ i ∗ , g ) = e ( g c ⋅ α q β i ⋅ Λ i ∗ , g ) e(\Lambda_{i^*}',g)= e(g^{m_{i^*}\cdot \beta^i}, g^{\alpha^q})\cdot e(\Lambda_{i^*},g)/ e(g^{m_{i^*}'\cdot \beta^i}, g^{\alpha^q})= e(g^{(m_{i^*}- m_{i^*}')\cdot \alpha^q\beta^i}, g)\cdot e(\Lambda_{i^*},g)= e(g^{(m_{i^*}- m_{i^*}')\cdot \alpha^q\beta^i}\cdot \Lambda_{i^*}, g)= e(g^{c\cdot \alpha^q\beta^i}\cdot \Lambda_{i^*}, g) e(Λi,g)=e(gmiβi,gαq)e(Λi,g)/e(gmiβi,gαq)=e(g(mimi)αqβi,g)e(Λi,g)=e(g(mimi)αqβiΛi,g)=e(gcαqβiΛi,g)
    也就是说,已知 g g g e ( Λ i ∗ ′ , g ) e(\Lambda_{i^*}',g) e(Λi,g)值,adversary A \mathcal{A} A可找到相应的 Λ i ∗ ′ \Lambda_{i^*}' Λi值。而这与bilinear inverse assumption冲突。
    所以在bilinear inverse assumption条件下,position binding security可保证。

  • sum binding security
    假设adversary A \mathcal{A} A可构建算法 B \mathcal{B} B,使得2.4节中的sum binding的概率不可忽略,从而使sum binding security不成立。
    即存在 s u m l ′ ≠ s u m l sum_{l}'\neq sum_l suml=suml,使得 V C . V e r S u m p p ( C l , s u m l ′ , Λ s u m l ′ ) = 1 VC.VerSum_{pp}(C_l,sum_l',\Lambda_{sum_l}')=1 VC.VerSumpp(Cl,suml,Λsuml)=1成立。
    e ( C l / g s u m l ′ , g ) = e ( Λ s u m l ′ , g α − 1 ) e(C_l/g^{sum_l'},g)=e(\Lambda_{sum_l}',g^{\alpha-1}) e(Cl/gsuml,g)=e(Λsuml,gα1)
    e ( C l / g s u m l , g ) = e ( Λ s u m l , g α − 1 ) e(C_l/g^{sum_l},g)=e(\Lambda_{sum_l},g^{\alpha-1}) e(Cl/gsuml,g)=e(Λsuml,gα1)
    两个公式结合有:【 ∵ ( Λ s u m l = g Q l ( α ) , ( Λ s u m l ′ = g Q l ′ ( α ) \because (\Lambda_{sum_l}=g^{\mathcal{Q}_l(\alpha)},(\Lambda_{sum_l}'=g^{\mathcal{Q}_l'(\alpha)} (Λsuml=gQl(α)(Λsuml=gQl(α)
    e ( g Q l ′ ( α ) , g α − 1 ) ⋅ e ( g s u m l ′ , g ) = e ( g Q l ( α ) , g α − 1 ) ⋅ e ( g s u m l , g ) e(g^{\mathcal{Q}_l'(\alpha)},g^{\alpha-1})\cdot e(g^{sum_l'},g)= e(g^{\mathcal{Q}_l(\alpha)},g^{\alpha-1})\cdot e(g^{sum_l},g) e(gQl(α),gα1)e(gsuml,g)=e(gQl(α),gα1)e(gsuml,g)
    e ( g , g ) s u m l ′ − s u m l = e ( g , g ) ( Q l ( α ) − Q l ′ ( α ) ) ⋅ ( α − 1 ) e(g,g)^{sum_l'-sum_l}=e(g,g)^{(\mathcal{Q}_l(\alpha)-\mathcal{Q}_l'(\alpha))\cdot (\alpha-1)} e(g,g)sumlsuml=e(g,g)(Ql(α)Ql(α))(α1)
    由于 s u m l ′ ≠ s u m l sum_l'\neq sum_l suml=suml,于是有:
    e ( g , g ) 1 / α − 1 = e ( g , g ) Q l ( α ) − Q l ′ ( α ) s u m l ′ − s u m l e(g,g)^{1/{\alpha-1}}=e(g,g)^{\frac{\mathcal{Q}_l(\alpha)-\mathcal{Q}_l'(\alpha)}{sum_l'-sum_l}} e(g,g)1/α1=e(g,g)sumlsumlQl(α)Ql(α)
    也就是说,已知 g , g α , ⋯   , g α q ∈ G 1 g,g^{\alpha},\cdots,g^{\alpha^q}\in \mathcal{G}_1 g,gα,,gαqG1,adversary A \mathcal{A} A可找到 c = − 1 c=-1 c=1并计算出 e ( g , g ) 1 / ( α + c ) e(g,g)^{1/(\alpha+c)} e(g,g)1/(α+c)的值。而这与bilinear q q q-strong Diffie-Hellman assumption冲突。
    所以在bilinear q q q-strong Diffie-Hellman assumption条件下,sum binding security可保证。

  • concise security
    观察3.1节的具体实现VC.Com的输出 C C CVC.Open的输出 Λ i \Lambda_i ΛiVC.OpenSum的输出 Λ s u m \Lambda_{sum} Λsum均为one single element in G 1 \mathcal{G}_1 G1


ZKVCS,即zero-knowledge vector commitments with sum binding。
VCS的position binding和sum binding仅可保证针对同一commitment,不能对同一position open出2个不同的值,不能对同一vector open出2个sum值。并没有考虑到隐私的问题,即 What does the client may learn about the committed sequence from the commitments and proofs。
ZKVCS可保证a malicious client gets no information about the committed sequence beyond what is opened during the protocol execution。

受限于文章篇幅,主要针对ZKVCS的zero-knowledge属性,通过real/ideal experiment来定义。

4.1 ZKVCS的zero knowledge定义

直觉上来说,a ZKVCS scheme achieves zero-knowledge if there exists a simulator with no knowledge of the sequence or the updates that occur such that arbitrary adversarial client cannot distinguish whether he is interacting with the algorithms of the scheme or with the simulator。
zero-knowledge主要体现在open阶段,分别对应OpenOpenSum算法,对应有zero-knowledge opening和zero-knowledge sum opening。

4.1.1 Zero-knowledge opening定义

存在的参与方有:challenger C \mathcal{C} C,adversary A \mathcal{A} A和simulator S \mathcal{S} S

Zero-knowledge opening定义是指:adversary A \mathcal{A} A无法区分其是在跟challenger C \mathcal{C} C进行Open交互还是在跟simulator S \mathcal{S} S进行Open交互。其中simulator S \mathcal{S} S并不知道adversary A \mathcal{A} A所选择的vector信息。


  • challenger C \mathcal{C} C生成public parameter p p pp pp,并将 p p pp pp发送给adversary A \mathcal{A} A
  • adversary A \mathcal{A} A选择任意的vector M 0 = ( m 1 , ⋯   , m q ) M_0=(m_1,\cdots,m_q) M0=(m1,,mq),并将 M 0 M_0 M0 发送给challenger C \mathcal{C} C
  • challenger C \mathcal{C} C运行 ( C 0 , a u x 0 ) ← V C . C o m p p ( M 0 ) (C_0,aux_0)\leftarrow VC.Com_{pp}(M_0) (C0,aux0)VC.Compp(M0),并将commitment C 0 C_0 C0发送给adversary A \mathcal{A} A
  • 运行 l + 1 l+1 l+1次( a = 0 ; a + + ; a < = l a=0;a++;a<=l a=0;a++;a<=l)(其中 l = p o l y ( k ) l=poly(k) l=poly(k)): adversary A \mathcal{A} A选择任意的 ( i , j , m j ′ ) , i ∈ [ q ] , j ∈ [ q ] (i,j,m_j'),i\in[q],j\in[q] (i,j,mj),i[q],j[q]发送给 challenger C \mathcal{C} C,其中 i i i代表要open的位置, j j j表示要update的位置;challenger C \mathcal{C} C Open 位置 i i i proof Λ a \Lambda_a Λa发送给adversary A \mathcal{A} A,update位置 j j j m j ′ m_j' mj将相应的 C a + 1 C_{a+1} Ca+1发送给adversary A \mathcal{A} A
  • adversary A \mathcal{A} A 验证 Λ a \Lambda_a Λa是否正确,输出bit b b b


  • simulator S \mathcal{S} S生成public parameter p p pp pp,并将 p p pp pp发送给adversary A \mathcal{A} A
  • adversary A \mathcal{A} A选择任意的vector M 0 = ( m 1 , ⋯   , m q ) M_0=(m_1,\cdots,m_q) M0=(m1,,mq)。【注意此时 M 0 M_0 M0不发送给simulator S \mathcal{S} S
  • simulator S \mathcal{S} S (without seeing M 0 M_0 M0) 运行 C 0 ← S 1 ( p p ) C_0\leftarrow \mathcal{S}_1(pp) C0S1(pp),并将 C 0 C_0 C0发送给adversary A \mathcal{A} A
  • 运行 l + 1 l+1 l+1次( a = 0 ; a + + ; a < = l a=0;a++;a<=l a=0;a++;a<=l)(其中 l = p o l y ( k ) l=poly(k) l=poly(k)): adversary A \mathcal{A} A选择任意的 ( i , j , m j ′ ) , i ∈ [ q ] , j ∈ [ q ] (i,j,m_j'),i\in[q],j\in[q] (i,j,mj),i[q],j[q]发送给 simulator S \mathcal{S} S,其中 i i i代表要open的位置, j j j表示要update的位置;simulator S \mathcal{S} S Open 位置 i i i proof Λ a \Lambda_a Λa发送给adversary A \mathcal{A} A,update位置 j j j m j ′ m_j' mj将相应的 C a + 1 C_{a+1} Ca+1发送给adversary A \mathcal{A} A
  • adversary A \mathcal{A} A 验证 Λ a \Lambda_a Λa是否正确,输出bit b b b

4.1.2 Zero-knowledge sum opening定义

存在的参与方有:challenger C \mathcal{C} C,adversary A \mathcal{A} A和simulator S \mathcal{S} S

Zero-knowledge sum opening定义是指:adversary A \mathcal{A} A无法区分其是在跟challenger C \mathcal{C} C进行OpenSum交互还是在跟simulator S \mathcal{S} S进行OpenSum交互。其中simulator S \mathcal{S} S并不知道adversary A \mathcal{A} A所选择的vector信息。


  • challenger C \mathcal{C} C生成public parameter p p pp pp,并将 p p pp pp发送给adversary A \mathcal{A} A
  • adversary A \mathcal{A} A选择任意的vector M 0 = ( m 1 , ⋯   , m q ) M_0=(m_1,\cdots,m_q) M0=(m1,,mq),并将 M 0 M_0 M0 发送给challenger C \mathcal{C} C
  • challenger C \mathcal{C} C运行 ( C 0 , a u x 0 ) ← V C . C o m p p ( M 0 ) (C_0,aux_0)\leftarrow VC.Com_{pp}(M_0) (C0,aux0)VC.Compp(M0),并将commitment C 0 C_0 C0发送给adversary A \mathcal{A} A
  • 运行 l + 1 l+1 l+1次( a = 0 ; a + + ; a < = l a=0;a++;a<=l a=0;a++;a<=l)(其中 l = p o l y ( k ) l=poly(k) l=poly(k)): adversary A \mathcal{A} A选择任意的 ( i , j , m j ′ ) , i ∈ [ q ] , j ∈ [ q ] (i,j,m_j'),i\in[q],j\in[q] (i,j,mj),i[q],j[q]发送给 challenger C \mathcal{C} C,其中 i i i代表要open的位置, j j j表示要update的位置;challenger C \mathcal{C} C OpenSum 位置 i i i proof Λ s u m a \Lambda_{sum_a} Λsuma发送给adversary A \mathcal{A} A,update位置 j j j m j ′ m_j' mj将相应的 C a + 1 C_{a+1} Ca+1发送给adversary A \mathcal{A} A
  • adversary A \mathcal{A} A 验证 Λ s u m a \Lambda_{sum_a} Λsuma是否正确,输出bit b b b


  • simulator S \mathcal{S} S生成public parameter p p pp pp,并将 p p pp pp发送给adversary A \mathcal{A} A
  • adversary A \mathcal{A} A选择任意的vector M 0 = ( m 1 , ⋯   , m q ) M_0=(m_1,\cdots,m_q) M0=(m1,,mq)。【注意此时 M 0 M_0 M0不发送给simulator S \mathcal{S} S
  • simulator S \mathcal{S} S (without seeing M 0 M_0 M0) 运行 C 0 ← S 1 ( p p ) C_0\leftarrow \mathcal{S}_1(pp) C0S1(pp),并将 C 0 C_0 C0发送给adversary A \mathcal{A} A
  • 运行 l + 1 l+1 l+1次( a = 0 ; a + + ; a < = l a=0;a++;a<=l a=0;a++;a<=l)(其中 l = p o l y ( k ) l=poly(k) l=poly(k)): adversary A \mathcal{A} A选择任意的 ( i , j , m j ′ ) , i ∈ [ q ] , j ∈ [ q ] (i,j,m_j'),i\in[q],j\in[q] (i,j,mj),i[q],j[q]发送给 simulator S \mathcal{S} S,其中 i i i代表要open的位置, j j j表示要update的位置;simulator S \mathcal{S} S OpenSum 位置 i i i proof Λ s u m a \Lambda_{sum_a} Λsuma发送给adversary A \mathcal{A} A,update位置 j j j m j ′ m_j' mj将相应的 C a + 1 C_{a+1} Ca+1发送给adversary A \mathcal{A} A
  • adversary A \mathcal{A} A 验证 Λ s u m a \Lambda_{sum_a} Λsuma是否正确,输出bit b b b

4.2 基于bilinear map的ZKVCS具体实现

  • p p ← V C . K e y G e n ( 1 k , q ) pp\leftarrow VC.KeyGen(1^k,q) ppVC.KeyGen(1k,q):key generation算法, c o m m i t t e d v e c t o r committed vector committedvector的size最大为 q q q,security parameter 为 k k k。选择具有相同order p ∈ p o l y ( k ) p\in poly(k) ppoly(k) 的two groups G 1 \mathcal{G}_1 G1 G 2 \mathcal{G}_2 G2 满足bilinear map e : G 1 × G 1 → G 2 e:\mathcal{G}_1\times \mathcal{G}_1\rightarrow \mathcal{G}_2 e:G1×G1G2。设置 G 1 \mathcal{G}_1 G1的generator为 g g g。选择2个随机数 α , β , γ ← Z p \alpha,\beta,\gamma \leftarrow \mathbb{Z}_p α,β,γZp,计算public parameter为:
    p p = { g , g γ , { g α i } i ∈ [ q ] , { g β i } i ∈ [ q ] , { g α i β j } i ∈ [ 2 q − 1 ] ∖ { q } , j ∈ [ q ] , { g α i β j γ } i ∈ [ q ] , j ∈ [ q ] , i + j = q } pp=\{g,g^{\gamma}, \{g^{\alpha^i}\}_{i\in [q]} , \{g^{\beta^i}\}_{i\in [q]}, \{g^{\alpha^i\beta^j}\}_{i\in [2q-1]\setminus \{q\},j\in [q]},\{g^{\alpha^i\beta^j\gamma}\}_{i\in [q],j\in [q],i+j=q} \} pp={g,gγ,{gαi}i[q],{gβi}i[q],{gαiβj}i[2q1]{q},j[q],{gαiβjγ}i[q],j[q],i+j=q} 【长度为 2 q 2 + q + 2 2q^2+q+2 2q2+q+2即为 Θ ( q 2 ) \Theta(q^2) Θ(q2)
    message space为 M = Z p M=\mathbb{Z}_p M=Zp
    【将 α , β , γ \alpha,\beta,\gamma α,β,γ看成trapdoor信息的话,可具有chameleon属性。】

  • ( C , a u x ) ← V C . C o m p p ( m 1 , ⋯   , m q ) (C,aux)\leftarrow VC.Com_{pp}(m_1,\cdots,m_q) (C,aux)VC.Compp(m1,,mq):committing算法,由committer运行。输入为a sequence of q q q messages m 1 , ⋯   , m q ∈ M m_1,\cdots,m_q\in M m1,,mqM和public parameters p p pp pp
    committer选择随机数 r ← Z p r\leftarrow \mathbb{Z}_p rZp,构建多项式 R ( x , z ) = ∑ j = 1 q m j ⋅ x j + r ⋅ z \mathcal{R}(x,z)=\sum_{j=1}^{q}m_j\cdot x^j+r\cdot z R(x,z)=j=1qmjxj+rz
    计算commitment C = g R ( α , γ ) = ∏ j = 1 q ( g α j ) m j ⋅ ( g γ ) r = ∏ j = 1 q g m j α j ⋅ g γ r C=g^{\mathcal{R}(\alpha,\gamma)}=\prod_{j=1}^{q}(g^{\alpha^j})^{m_j}\cdot (g^{\gamma })^r=\prod_{j=1}^{q}g^{m_j\alpha^j}\cdot g^{\gamma r} C=gR(α,γ)=j=1q(gαj)mj(gγ)r=j=1qgmjαjgγr,辅助信息 a u x = ( m 1 , ⋯   , m q , r ) aux=(m_1,\cdots,m_q,r) aux=(m1,,mq,r)
    a u x aux aux为committer的私有信息。)

  • Λ i ← V C . O p e n p p ( m i , i , a u x ) \Lambda_i\leftarrow VC.Open_{pp}(m_i,i,aux) ΛiVC.Openpp(mi,i,aux):opening算法,由committer运行。
    基本思路为通过构建2个多项式 R ( x , z ) \mathcal{R}(x,z) R(x,z) Q ( x , y , z ) \mathcal{Q}(x,y,z) Q(x,y,z)
    R ( x , z ) = ∑ j = 1 q m j ⋅ x j + r ⋅ z \mathcal{R}(x,z)=\sum_{j=1}^{q}m_j\cdot x^j+r\cdot z R(x,z)=j=1qmjxj+rz
    R ( x , z ) ⋅ x q − i y i = m i ⋅ x q ⋅ y i + Q ( x , y , z ) \mathcal{R}(x,z)\cdot x^{q-i}y^i=m_i\cdot x^q\cdot y^i+\mathcal{Q}(x,y,z) R(x,z)xqiyi=mixqyi+Q(x,y,z) 公式(11)
    Q ( x , y , z ) = ( ∑ j = 1 , j ≠ i q m j x j + r ⋅ z ) ⋅ x q − i y i = ∑ j = 1 , j ≠ i q ( m j ⋅ x q − i + j y i ) + r ⋅ x q − i y i z \mathcal{Q}(x,y,z)=(\sum_{j=1,j\neq i}^{q}m_jx^j+r\cdot z)\cdot x^{q-i}y^i=\sum_{j=1,j\neq i}^{q}(m_j\cdot x^{q-i+j}y^i)+r\cdot x^{q-i}y^iz Q(x,y,z)=(j=1,j=iqmjxj+rz)xqiyi=j=1,j=iq(mjxqi+jyi)+rxqiyiz
    为证明 m i m_i mi is the i i i-th committed message,committer可根据public parameters p p p计算对应的proof为 Λ i = g Q ( α , β , γ ) \Lambda_i=g^{\mathcal{Q}(\alpha,\beta,\gamma)} Λi=gQ(α,β,γ)

  • { 0 , 1 } ← V C . V e r p p ( C , m i , i , Λ i ) \{0,1\}\leftarrow VC.Ver_{pp}(C,m_i,i,\Lambda_i) {0,1}VC.Verpp(C,mi,i,Λi):verification算法,由任意client运行。输入为public parameters p p pp pp、commitment值 C C C、位置 i i i、opened消息 m i m_i mi以及proof Λ i \Lambda_i Λi
    e ( C , g α q − i β i ) = e ( g m i ⋅ β i , g α q ) ⋅ e ( Λ i , g ) e(C,g^{\alpha^{q-i}\beta^i})=e(g^{m_i\cdot \beta^i}, g^{\alpha^q})\cdot e(\Lambda_i,g) e(C,gαqiβi)=e(gmiβi,gαq)e(Λi,g) 公式(12)
    若公式(12)成立,则输出 1 1 1,否则输出 0 0 0

  • ( C ′ , U ) ← V C . U p d a t e p p ( C , m , m ′ , i ) (C',U)\leftarrow VC.Update_{pp}(C,m,m',i) (C,U)VC.Updatepp(C,m,m,i):update算法,由生成 C C C的原始committer运行,用于update C C C by changing the i i i-th message m m m to m ′ m' m
    committer选择随机数 r ′ ← Z p r'\leftarrow \mathbb{Z}_p rZp
    输出的updated commitment C ′ = C ⋅ ( g α i ) m ′ − m ⋅ g r ′ ⋅ γ C'=C\cdot (g^{\alpha^i})^{m'-m}\cdot g^{r'\cdot \gamma} C=C(gαi)mmgrγ,updated information U = ( m , m ′ , i , r ′ ) U=(m,m',i,r') U=(m,m,i,r)

  • ( C ′ , Λ j ′ ) ← V C . P r o o f U p d a t e p p ( C , Λ j , m ′ , U ) (C', \Lambda_j')\leftarrow VC.ProofUpdate_{pp}(C,\Lambda_j,m',U) (C,Λj)VC.ProofUpdatepp(C,Λj,m,U):proof update 算法,由任何拥有proof Λ j \Lambda_j Λj (for some message at position j j j) client运行。输入为public parameters p p pp pp、老的commitment值 C C C、proof Λ j \Lambda_j Λj (for some message at position j j j)、新的消息 m ′ m' m (at position i i i)和update information U U U。输出为新的commitment C ′ C' C和新的updated proof Λ j \Lambda_j Λj for m j m_j mj,均对应新的sequence ( m 1 , ⋯   , m i − 1 , m ′ , m i + 1 , ⋯   , m q ) (m_1,\cdots,m_{i-1},m',m_{i+1},\cdots,m_q) (m1,,mi1,m,mi+1,,mq)。根据 i i i j j j的关系分为如下2中情况:
    1)当 j ≠ i j\neq i j=i时,updated commitment C ′ = C ⋅ ( g α i ) m ′ − m ⋅ g r ′ ⋅ γ C'=C\cdot (g^{\alpha^i})^{m'-m}\cdot g^{r'\cdot \gamma} C=C(gαi)mmgrγ,updated proof为 Λ j ′ = Λ j ⋅ g ( m ′ − m ) ⋅ α q − j + i β j ⋅ g r ′ ⋅ α q − j β j γ \Lambda_j'=\Lambda_j\cdot g^{(m'-m)\cdot \alpha^{q-j+i}\beta^j}\cdot g^{r'\cdot \alpha^{q-j}\beta^j\gamma} Λj=Λjg(mm)αqj+iβjgrαqjβjγ
    2)当 j = i j=i j=i时,updated commitment C ′ = C ⋅ ( g α i ) m ′ − m ⋅ g r ′ ⋅ γ C'=C\cdot (g^{\alpha^i})^{m'-m}\cdot g^{r'\cdot \gamma} C=C(gαi)mmgrγ,updated proof为 Λ j ′ = Λ j ⋅ g r ′ ⋅ α q − j β j γ \Lambda_j'=\Lambda_j\cdot g^{r'\cdot \alpha^{q-j}\beta^j\gamma} Λj=Λjgrαqjβjγ

  • Λ s u m ← V C . O p e n S u m p p ( s u m , a u x ) \Lambda_{sum}\leftarrow VC.OpenSum_{pp}(sum,aux) ΛsumVC.OpenSumpp(sum,aux):sum opening算法,由committer运行。输入为public parameters p p pp pp、sum( ( m 1 , ⋯   , m q ) (m_1,\cdots,m_q) (m1,,mq)所有值之和)以及辅助信息 a u x aux aux。输出为proof Λ s u m \Lambda_{sum} Λsum(用于证明 s u m = ∑ i = 1 q m i sum=\sum_{i=1}^{q}m_i sum=i=1qmi)。
    构建多项式 R ( x , z ) = ∑ j = 1 q m j ⋅ x j + r ⋅ z \mathcal{R}(x,z)=\sum_{j=1}^{q}m_j\cdot x^j+r\cdot z R(x,z)=j=1qmjxj+rz,当取 x = 1 , z = 0 x=1,z=0 x=1,z=0时,有 R ( 1 , 0 ) = ∑ j = 1 q m j = s u m \mathcal{R}(1,0)=\sum_{j=1}^{q}m_j=sum R(1,0)=j=1qmj=sum。同时,利用polynomial decomposition有:
    R ( x , z ) − R ( 1 , 0 ) = ( x − 1 ) ⋅ Q 1 ( x , z ) + z ⋅ Q 2 ( x , z ) \mathcal{R}(x,z)-\mathcal{R}(1,0)=(x-1)\cdot \mathcal{Q}_1(x,z)+z\cdot \mathcal{Q}_2(x,z) R(x,z)R(1,0)=(x1)Q1(x,z)+zQ2(x,z)
    committer选择随机数 δ ← Z p \delta\leftarrow \mathbb{Z}_p δZp,有:
    R ( x , z ) − R ( 1 , 0 ) = [ ( x − 1 ) ⋅ Q 1 ( x , z ) + δ ⋅ ( x − 1 ) z ] + [ z ⋅ Q 2 ( x , z ) − δ ⋅ ( x − 1 ) z ] = ( x − 1 ) ⋅ ( Q 1 ( x , z ) + δ z ) + z ⋅ ( Q 2 ( x , z ) − δ ( x − 1 ) ) = ( x − 1 ) ⋅ Λ s u m 1 + z ⋅ Λ s u m 2 \mathcal{R}(x,z)-\mathcal{R}(1,0)=[(x-1)\cdot \mathcal{Q}_1(x,z)+\delta\cdot (x-1)z]+[z\cdot \mathcal{Q}_2(x,z)-\delta\cdot (x-1)z]=(x-1)\cdot( \mathcal{Q}_1(x,z)+\delta z)+z\cdot (\mathcal{Q}_2(x,z)-\delta (x-1))=(x-1)\cdot\Lambda_{sum}^1+z\cdot \Lambda_{sum}^2 R(x,z)R(1,0)=[(x1)Q1(x,z)+δ(x1)z]+[zQ2(x,z)δ(x1)z]=(x1)(Q1(x,z)+δz)+z(Q2(x,z)δ(x1))=(x1)Λsum1+zΛsum2
    计算OpenSum proof 为 Λ s u m = ( Λ s u m 1 , Λ s u m 2 ) = ( g Q 1 ( α , γ ) + δ γ , g Q 2 ( α , γ ) − δ ( α − 1 ) ) \Lambda_{sum}=(\Lambda_{sum}^1,\Lambda_{sum}^2)=(g^{\mathcal{Q}_1(\alpha,\gamma)+\delta\gamma},g^{\mathcal{Q}_2(\alpha,\gamma)-\delta(\alpha-1)}) Λsum=(Λsum1,Λsum2)=(gQ1(α,γ)+δγ,gQ2(α,γ)δ(α1))

  • { 0 , 1 } ← V C . V e r S u m p p ( C , s u m , Λ s u m ) \{0,1\}\leftarrow VC.VerSum_{pp}(C,sum,\Lambda_{sum}) {0,1}VC.VerSumpp(C,sum,Λsum):sum verification算法,可由任意client运行。输入为public parameters p p pp pp、commitment值 C C C、opened和值 s u m sum sum以及proof Λ s u m \Lambda_{sum} Λsum
    e ( C / g s u m , g ) = e ( Λ s u m 1 , g α − 1 ) ⋅ e ( Λ s u m 2 , g γ ) e(C/g^{sum},g)=e(\Lambda_{sum}^1,g^{\alpha-1})\cdot e(\Lambda_{sum}^2,g^{\gamma}) e(C/gsum,g)=e(Λsum1,gα1)e(Λsum2,gγ)
    是否成立,若成立,则输出 1 1 1,否则输出 0 0 0

4.3 ZKVCS security analysis

  • position binding security
    ZKVCS的Ver与VCS的Ver所验证的公式类似,均为 e ( C , g α q − i β i ) = e ( g m i ⋅ β i , g α q ) ⋅ e ( Λ i , g ) e(C,g^{\alpha^{q-i}\beta^i})=e(g^{m_i\cdot \beta^i}, g^{\alpha^q})\cdot e(\Lambda_i,g) e(C,gαqiβi)=e(gmiβi,gαq)e(Λi,g) 。可采用类似3.2节position binding security的方式归谬法证明。
    所以在bilinear inverse assumption条件下,ZKVCS的position binding security可保证。

  • sum binding security

    因此,在bilinear q q q-strong Diffie-Hellman assumption条件下,ZKVCS的sum binding security可保证。

  • concise security
    ZKVCS的VC.Com的输出 C C CVC.Open的输出 Λ i \Lambda_i Λi均为one single element in G 1 \mathcal{G}_1 G1。而VC.OpenSum的输出 Λ s u m \Lambda_{sum} Λsum均为2个 elements in G 2 \mathcal{G}_2 G2。都与vector size q q q无关。满足concise定义要求。

  • zero-knowledge opening security
    证明如下:(根本思路是simulator S \mathcal{S} S知道trapdoor α , β , γ \alpha,\beta,\gamma α,β,γ信息,可伪造 Q ( x , y , z ) = R ( x , z ) ⋅ x q − i y i − m i ⋅ x q ⋅ y i Q(x,y,z)=\mathcal{R}(x,z)\cdot x^{q-i}y^i-m_i\cdot x^q\cdot y^i Q(x,y,z)=R(x,z)xqiyimixqyi,使得 R ( x , z ) ⋅ x q − i y i = m i ⋅ x q ⋅ y i + Q ( x , y , z ) \mathcal{R}(x,z)\cdot x^{q-i}y^i=m_i\cdot x^q\cdot y^i+Q(x,y,z) R(x,z)xqiyi=mixqyi+Q(x,y,z)恒成立。)

  • zero-knowledge sum opening security
    证明如下:(根本思路是simulator S \mathcal{S} S知道trapdoor α , β , γ \alpha,\beta,\gamma α,β,γ信息,可伪造 Λ s u m 1 = R ( x , z ) − R ( 1 , 0 ) − δ x − 1 , Λ s u m 2 = δ z \Lambda_{sum}^1=\frac{\mathcal{R}(x,z)-\mathcal{R}(1,0)-\delta}{x-1}, \Lambda_{sum}^2=\frac{\delta}{z} Λsum1=x1R(x,z)R(1,0)δ,Λsum2=zδ 使得 R ( x , z ) − R ( 1 , 0 ) = ( x − 1 ) ⋅ Λ s u m 1 + z ⋅ Λ s u m 2 \mathcal{R}(x,z)-\mathcal{R}(1,0)=(x-1)\cdot\Lambda_{sum}^1+z\cdot \Lambda_{sum}^2 R(x,z)R(1,0)=(x1)Λsum1+zΛsum2恒成立)

