1. 背景知识
Alogrand团队Gorbunov等人2020年论文《Pointproofs: Aggregating Proofs for Multiple Vector Commitments》,配套的代码实现参见:https://github.com/algorand/pointproofs
在该论文中,实现了:
- Pointproofs —— a new vector commitment scheme that supports non-interactive aggregation of proofs across multiple commitments。允许任何第三方 aggregate a collection of proofs with respect to different, independently computed commitments into a single proof represented by an elliptic curve point of 48-bytes。
- 将Pointproofs用于blockchain smart contract。相比于之前的vector commitment方案,Pointproofs可将传输一个区块交易所需的带宽开销降低至少60%。
- 以单线程运行时,generate a proof for 8 values with respect to one commitment的时间为0.08s,aggregate 4000 such proofs across multiple commitments into one proof的时间为0.25s,verify the aggregated proof的时间为23s(0.7ms per value proven)。
Vector commitment可用于减少存储空间:instead of storing a vector of values, one can store only the commitment and receive the values together with their proofs as needed。
Vector commitment可让application 在storage of all value和 bandwidth taken up by revealed values and proofs 之间进行取舍平衡。
为了在减少存储空间的同时尽可能减少带宽,需要 reduce the proof size。但是,由于需要满足cryptographically hard to forge的要求,单个proof的size cannot be reduced too far。改进的方式可为:
- 在单个proof中支持reveal multiple values。最短的单个proof size实现可参见Russell W. F. Lai 和 Giulio Malavolta 在Crypto 2019上发表的论文《Subvector Commitments with Application to Succinct Arguments》中5.2节构建的subvector commitment from Cube Diffie-Hellman Assumption:a proof takes up only 48 bytes (for typical parameter values at conjectured 128-bit security) regardless of how many elements of the vector are being revealed。(参见博客 Subvector Commitments with Application to Succinct Arguments学习笔记)
- 在分布式应用中,存在大量来源不同的commitments/values/proofs,它们相互 not aware of each other’s data。此时存在以下两个问题:
1)不存在可produce a single proof for all the values的单一实体;
2)proofs需要于多个不同的commitments关联。
Pointproofs可有效解决以上问题:a user can independently commit to her variables and provide short proofs for any subset of them; any third party can non-interactively aggregate multiple proofs with respect to different commitments into a single short proof。
Boneh等人2019年论文《Batching techniques for accumulators with applications to IOPs and stateless blockchains》可实现dynamic aggregation for proofs in a single (the same) commitment —— aggregate proofs for elements of a vector into a single proof for a subvector。(参见博客 密码学累加器cryptographic accumulator)
而在本论文中,Gorbunov等人实现了跨多个commitments的aggregate proofs。
具体的各方案对比为:
在本论文中,Gorbunov等人的主要贡献为:
-
实现了proofs for individual elements of a single vector commitment can be aggregated by any third party into a single proof for the subvector;
-
实现了proofs for subvectors of multiple commitments can be aggregated by any third party into a single proof for the multiple subvectors。
-
在实现aggregation的同时,也提供了hiding属性。
-
在Libert和Yung 2010年论文《Concise mercurial vector commitments and independent zero-knowledge sets with short proofs》构建的vector commitment基础上,增加了same-commitment aggregation和cross-commitment aggregation,从而实现了Pointproofs。
1)与此类似,Pointproofs的public parameter size is linear in the size of the committed vector(可将long vector切分为多个短的vectors,多个短的vectors的proofs可以aggregate,但是commitments不能aggregate,从而缩短了public parameter size,但是增加了total size of the commitments);
2)与此类似,Pointproofs也基于 q q q-type assumption。In order to prove security of aggregation, we have to work in the algebraic group model and the random oracle model. We can reduce these assumptions by lowering efficiency and/or security requirements. -
Pointproofs生成的proof为single point on a pairing-friendly curve (48 bytes at 128-bit security),无论是single value for a single commitment,subvector of values for a single commitment,还是set of subvectors for multiple commitments。
-
Pointproofs中实现了支持aggregation的hiding属性,仅需增加an additional exponentiation,commitment size和proof size均无需增加。而Dario Catalano 和 Dario Fiore 2013年论文《Vector Commitments and their Applications[https://eprint.iacr.org/2011/495.pdf]》中提到的给Vector commitment加hiding属性的方法为:add an inner layer of hiding commitments to individual values —— first commit to each message separately using a standard commitment scheme, then apply the VC to the obtained sequence of commitments。但是该方式无法automatically extend to aggregatable vector commitments,因为proofs for the inner layer are not automatically aggregatable。
-
Pointproofs可用于reduce storage requirements for blockchains。主要针对smart contract智能合约场景。假设一个智能合约有多个变量,所有变量当前值 ( m 1 , ⋯ , m N ) (m_1,\cdots, m_N) (m1,⋯,mN) are committed to a single vector commitment C C C,每个智能合约有一个commitment。
为了与智能合约交互,one provides a 480byte proof $ \hat{\pi}$ of the current values of the variables needed for the transaction,transaction成功执行后可能会更新这些变量值。当存在多个智能合约时,cross-commitment aggregation允许compress multiple proofs π ^ 1 , ⋯ , π ^ l \hat{\pi}_1,\cdots,\hat{\pi}_l π^1,⋯,π^l into a single 48-byte proof π \pi π。从而可从根本上消除the bandwidth overhead due to proofs in a proposed block。
将Pointproofs用于智能合约存储时,针对 1 0 8 10^8 108千万级accounts,可将validators’ storage requirements降为4.5GB,assuming one open value per transaction 的情况下,仅需增加31KB per block overhead for 1000 transactions。 -
Pointproofs 代码实现https://github.com/algorand/pointproofs 中的实际性能表现为:针对a commitment for 1000 variables of a smart contract at 128-bit security level,生成任意subvector proof的时间为54~123ms;a block proposer对所有proofs进行cross-commitment aggregate的时间约为0.07ms per proof;存储了commitments 的 validator verify the aggregated proofs in a block的时间约为 0.7~1.9ms per value verified;为表示变量值的更新(通过交易执行),需要update commitments的时间约为0.2~0.3ms per variable updated。
cross-commitment aggregation of proofs可用于很多场景,如:
- signature aggregation:compress multiple signatures produced by different users into a short signature。如Jae Hyun Ahn等人2010年论文《Synchronized aggregate signatures: new definitions, constructions and applications》中介绍的sensor networks,KyleBrogle等人2012年论文《Sequential aggregate signatures with lazy verification from trapdoor permutations - (extended abstract)]( https://www.iacr.org/archive/asiacrypt2012/76580637/76580637.pdf)》中介绍的internet routing以及Drijvers等人2020年论文《Pixel: Multi-signatures for consensus》中介绍的POS (Proof-of-Stake) 共识。Aggregating commitment proofs is a natural counterpart to aggregating signatures。
- 多个用户或实体分别独立commit to their databases of records(如public keys, healthcare records, transactions等),然后同时produce proofs to reveal several committed values。在这种场景下,cross-commitment aggregation可用于减少带宽。
vector commitment的相关工作:
- 正式定义了vector commitments:Libert和Yung 2010年论文《Concise mercurial vector commitments and independent zero-knowledge sets with short proofs》,以及Dario Catalano 和 Dario Fiore 2013年论文《Vector Commitments and their Applications[https://eprint.iacr.org/2011/495.pdf]》。
- 实现了constant-size proofs for a subvector of values:Kate等人2010年论文《Constant-size commitments to polynomials and their applications》,以及Thakur 2019年论文《Batching non-membership proofs with bilinear accumulators》。
但是Kate等人2010年论文《Constant-size commitments to polynomials and their applications》第3.4节定义的binding notion is not strong enough to preclude openings to two inconsistent subvectors。
而Libert和Yung 2010年论文《Concise mercurial vector commitments and independent zero-knowledge sets with short proofs》, Dario Catalano 和 Dario Fiore 2013年论文《Vector Commitments and their Applications[https://eprint.iacr.org/2011/495.pdf]》,Benoˆıt Libert, Somindu C. Ramanna 和 Moti Yung 2016年论文 《Functional Commitment Schemes: From Polynomial Commitments to Pairing-Based Accumulators from Simple Assumptions》,以及Chepurnoy等人2018年论文《Edrax: A cryptocurrency with stateless transaction validation》,这些论文中的vector commitment无法实现constant-size proofs for multiple values。 - pairing-based vector commitments:Dario Catalano 和 Dario Fiore 2013年论文《Vector Commitments and their Applications[https://eprint.iacr.org/2011/495.pdf]》,Benoˆıt Libert, Somindu C. Ramanna 和 Moti Yung 2016年论文 《Functional Commitment Schemes: From Polynomial Commitments to Pairing-Based Accumulators from Simple Assumptions》,以及Russell W. F. Lai 和 Giulio Malavolta 在Crypto 2019上发表的论文《Subvector Commitments with Application to Succinct Arguments》。
- polynomial commitments:始于Kate等人2010年论文《Constant-size commitments to polynomials and their applications》,overview信息可参看Benedikt B¨unz等人2019年论文《Proofs for inner pairing products and applications》。
在Boneh等人2020年论文《Efficient polynomial commitment schemes for multiple points and polynomials》中实现了polynomial commitments with batch opening和vector commitments with aggregation,但是其效率要低于本论文实现。
1.1 一些定义
-
Notation:
-
The Algebraic Group Model(AGM) :即adversary输出的group element值应基于其收到的group element进行有效的group operation计算得出的,而不是随意创造的。
Suppose adversary is given group elements X 1 , ⋯ , X N ∈ G 1 X_1,\cdots,X_N\in\mathbb{G}_1 X1,⋯,XN∈G1. Then, for every group element Z ∈ G 1 Z\in\mathbb{G}_1 Z∈G1 that the adversary outputs, it must also ouput z 1 , ⋯ , z N ∈ Z p z_1,\cdots,z_N\in\mathbb{Z}_p z1,⋯,zN∈Zp such that Z = ∏ i = 1 N X i z i Z=\prod_{i=1}^{N}X_i^{z_i} Z=∏i=1NXizi. -
security assumption:在bilinear pairing group中求解 l l l-wBDHE(weak bilinear Diffie-Hellman exponent problem)很难,即对任意的 α ← Z p \alpha\leftarrow \mathbb{Z}_p α←Zp已知 g 1 α , g 1 ( α 2 ) , ⋯ , g 1 ( α l ) , g 1 ( α l + 2 ) , ⋯ , g 1 ( α 3 l ) , g 2 α , g 2 ( α 2 ) , ⋯ , g 2 ( α l ) g_1^{\alpha},g_1^{(\alpha^2)},\cdots,g_1^{(\alpha^l)},g_1^{(\alpha^{l+2})},\cdots,g_1^{(\alpha^{3l})},g_2^{\alpha},g_2^{(\alpha^2)},\cdots,g_2^{(\alpha^l)} g1α,g1(α2),⋯,g1(αl),g1(αl+2),⋯,g1(α3l),g2α,g2(α2),⋯,g2(αl)
求解 g 1 ( α l + 1 ) g_1^{(\alpha^{l+1})} g1(αl+1)很难。
对于BLS12-381 pairing-friendly curve with l − 32 l-32 l−32,当前best attack has complexity 2 112 2^{112} 2112。 -
The Random Oracle Model(ROM):本文的security proofs are in the random oracle model。在本文model a cryptographic hash function as a truly random function, accessible to all parties only via oracle queries。本文使用了两个random oracles H H H和 H ‘ H^{‘} H‘,both with output space Z p \mathbb{Z}_p Zp。
2. vector commitment
采用与Libert和Yung 2010年论文《Concise mercurial vector commitments and independent zero-knowledge sets with short proofs》类似的思路,基于非对称bilinear pairing group,相应的实现细节为:
-
Setup: Let ( G 1 , G 2 , G T ) (\mathbb{G}_1,\mathbb{G}_2,\mathbb{G}_T) (G1,G2,GT) be a group of prime order p p p,along with pairing e : G 1 × G 2 → G T e:\mathbb{G}_1\times\mathbb{G}_2\rightarrow \mathbb{G}_T e:G1×G2→GT and generators g 1 , g 2 , g T = e ( g 1 , g 2 ) g_1,g_2,g_T=e(g_1,g_2) g1,g2,gT=e(g1,g2) for G 1 , G 2 , G T \mathbb{G}_1,\mathbb{G}_2,\mathbb{G}_T G1,G2,GT respectively. Let α ∈ Z p \alpha\in \mathbb{Z}_p α∈Zp be a secret value (known to no one after the initial generation of public parameters). The pulic parameters are given by 2 N − 1 2N-1 2N−1 values in G 1 \mathbb{G}_1 G1, N N N values in G 2 \mathbb{G}_2 G2, and one value in G T \mathbb{G}_T GT(该值易于计算获得,如 g T α N + 1 = e ( g 1 α , g 2 α N + 1 ) = e ( g 1 , g 2 ) α N + 1 g_T^{\alpha^{N+1}}=e(g_1^{\alpha},g_2^{\alpha^{N+1}})=e(g_1,g_2)^{\alpha^{N+1}} gTαN+1=e(g1α,g2αN+1)=e(g1,g2)αN+1):【注意 g 1 α N + 1 g_1^{\alpha^{N+1}} g1αN+1不应包含在public parameters中,否则Prover可伪造证明。】
g 1 α , ⋯ , g 1 α N , g 1 α N + 2 , ⋯ , g 1 α 2 N ; g 2 α , ⋯ , g 2 α N ; g T α N + 1 g_1^{\alpha},\cdots,g_1^{\alpha^{N}},g_1^{\alpha^{N+2}},\cdots,g_1^{\alpha^{2N}};g_2^{\alpha},\cdots,g_2^{\alpha^N};g_T^{\alpha^{N+1}} g1α,⋯,g1αN,g1αN+2,⋯,g1α2N;g2α,⋯,g2αN;gTαN+1 -
Commit:对vector m ⃗ = ( m 1 , ⋯ , m N ) ∈ Z p N \vec{m}=(m_1,\cdots,m_N)\in\mathbb{Z}_p^N m =(m1,⋯,mN)∈ZpN,
C = g 1 ∑ i = 1 N m i α i C=g_1^{\sum_{i=1}^{N}m_i\alpha^i} C=g1∑i=1Nmiαi -
Prove:reveal m i m_i mi,
π i = g 1 ∑ j ≠ i m j α N + 1 − I + J = ( C / g 1 m i α i ) α N + 1 − i \pi_i=g_1^{\sum_{j\neq i}m_j\alpha^{N+1-I+J}}=(C/g_1^{m_i\alpha^i})^{\alpha^{N+1-i}} πi=g1∑j=imjαN+1−I+J=(C/g1miαi)αN+1−i -
Verify:
e ( C , g 2 α N + 1 − i ) = e ( π i , g 2 ) ⋅ g T m i α N + 1 e(C,g_2^{\alpha^{N+1-i}})=e(\pi_i,g_2)\cdot g_T^{m_i\alpha^{N+1}} e(C,g2αN+1−i)=e(πi,g2)⋅gTmiαN+1
2.1 支持aggregation的vector commitment思路集锦
为了实现reveal multiple values m i : i ∈ S m_i:i\in S mi:i∈S (其中 S ⊆ [ N ] S\subseteq [N] S⊆[N]) for a single commitment C C C via a very short proof π S \pi_S πS。
-
思路一:
直接计算 π S = ∏ i ∈ S π i \pi_S=\prod_{i\in S}\pi_i πS=∏i∈Sπi,然后验证 e ( C , ∏ i ∈ S g 2 α N + 1 − i ) = e ( π S , g 2 ) ⋅ g T α N + 1 ∑ i ∈ S m i e(C,\prod_{i\in S}g_2^{\alpha^{N+1-i}})=e(\pi_S,g_2)\cdot g_T^{\alpha^{N+1}\sum_{i\in S}m_i} e(C,∏i∈Sg2αN+1−i)=e(πS,g2)⋅gTαN+1∑i∈Smi。
该方式不安全,若open S = 1 , 2 S={1,2} S=1,2,可commit to ( m 1 , m 2 ) = ( 1 , 3 ) (m_1,m_2)=(1,3) (m1,m2)=(1,3)而open为 ( m 1 , m 2 ) = ( 2 , 2 ) (m_1,m_2)=(2,2) (m1,m2)=(2,2),违反了binding属性(只bound to ∑ i ∈ S m i \sum_{i\in S}m_i ∑i∈Smi,而不是 { m i : i ∈ S } \{m_i:i\in S\} {mi:i∈S}中的每一个值。)。
同时,还需要防止inconsistnent reveals for possibly two different sets,如分别open ( m 1 , m 2 ) (m_1,m_2) (m1,m2)为 ( 1 , 3 ) (1,3) (1,3), ( m 2 , m 3 ) (m_2,m_3) (m2,m3)为 ( 2 , 1 ) (2,1) (2,1)的情况是不允许的。 -
思路二:实现same-commitment aggregation
在verification方程式中引入“随机”scalars t i t_i ti,
e ( C , ∏ i ∈ S g 2 α N + 1 − i t i ) = e ( π S , g 2 ) ⋅ g T α N + 1 ∑ i ∈ S m i t i e(C,\prod_{i\in S}g_2^{\alpha^{N+1-i}t_i})=e(\pi_S,g_2)\cdot g_T^{\alpha^{N+1}\sum_{i\in S}m_it_i} e(C,∏i∈Sg2αN+1−iti)=e(πS,g2)⋅gTαN+1∑i∈Smiti
aggregated proof π S = ∏ i ∈ S π i t i \pi_S=\prod_{i\in S}\pi_i^{t_i} πS=∏i∈Sπiti
scalars t i t_i ti的值可通过applying a hash function H H H on some carefully chosen inputs depending on C , S , { m i : i ∈ S } C,S,\{m_i:i\in S\} C,S,{mi:i∈S}。类似的思路在Boneh等人2018年论文《Compact multi-signatures for smaller blockchains》的aggregating signatures中有提及。
怎样选择 t i t_i ti来保证binding属性呢?若 t i ← Z p t_i\leftarrow \mathbb{Z}_p ti←Zp为indeed random,则可保证 P r [ ∑ i ∈ S m i t i = ∑ i ∈ S m i ‘ t i ‘ ] = 1 / p Pr[\sum_{i\in S}m_it_i=\sum_{i\in S}m_i^{‘}t_i^{‘}]=1/p Pr[∑i∈Smiti=∑i∈Smi‘ti‘]=1/p,即对同一位置open为两个不同值的概率可忽略。
可将hash function H H H 看成是a random oracle。同时,还需要restrict the adversary to the so-called algebraic group model,以便可express adversarially generated commitments C C C in terms of public parameters。 -
思路三:实现cross-commitment aggregation
对多个不同的vector进行commit,第 j j j个vector 可表示为 m ⃗ j = ( m j , 1 , ⋯ , m j , N ) \vec{m}_j=(m_{j,1},\cdots,m_{j,N}) m j=(mj,1,⋯,mj,N),对应的commitment为 C j C_j Cj,对set S j S_j Sj的open proof为 π ^ j \hat{\pi}_j π^j,则满足:
e ( C j , ∏ i ∈ S j g 2 α N + 1 − i t j , i ) = e ( π ^ j , g 2 ) ⋅ g T α N + 1 ∑ i ∈ S j m j , i t j , i e(C_j,\prod_{i\in S_j}g_2^{\alpha^{N+1-i}t_{j,i}})=e(\hat{\pi}_j,g_2)\cdot g_T^{\alpha^{N+1}\sum_{i\in S_j}m_{j,i}t_{j,i}} e(Cj,∏i∈Sjg2αN+1−itj,i)=e(π^j,g2)⋅gTαN+1∑i∈Sjmj,itj,i
若直接将多个vector对应的verification equation都一起相乘,则有:
∏ j e ( C j , ∏ i ∈ S j g 2 α N + 1 − i t j , i ) = e ( ∏ j π ^ j , g 2 ) ⋅ g T α N + 1 ∑ j ∑ i ∈ S j m j , i t j , i \prod_{j}e(C_j,\prod_{i\in S_j}g_2^{\alpha^{N+1-i}t_{j,i}})=e(\prod_{j}\hat{\pi}_j,g_2)\cdot g_T^{\alpha^{N+1}\sum_{j}\sum_{i\in S_j}m_{j,i}t_{j,i}} ∏je(Cj,∏i∈Sjg2αN+1−itj,i)=e(∏jπ^j,g2)⋅gTαN+1∑j∑i∈Sjmj,itj,i
与思路一类似,上述方式是不安全的,需要在引入额外的random scalars t j ‘ t_j^{‘} tj‘,相应的aggregated proof为 π = ∏ j π ^ j \pi=\prod_{j}\hat{\pi}_j π=∏jπ^j,对应的verification equation调整为:
∏ j e ( C j , ∏ i ∈ S j g 2 α N + 1 − i t j , i ) t j ‘ = e ( π , g 2 ) ⋅ g T α N + 1 ∑ j ∑ i ∈ S j m j , i t j , i t j ‘ \prod_{j}e(C_j,\prod_{i\in S_j}g_2^{\alpha^{N+1-i}t_{j,i}})^{t_j^{‘}}=e(\pi,g_2)\cdot g_T^{\alpha^{N+1}\sum_{j}\sum_{i\in S_j}m_{j,i}t_{j,i}t_j^{‘}} ∏je(Cj,∏i∈Sjg2αN+1−itj,i)tj‘=e(π,g2)⋅gTαN+1∑j∑i∈Sjmj,itj,itj‘