constant size commitments to polynomials and their
play

Constant-Size Commitments to Polynomials and Their Applications Ian - PowerPoint PPT Presentation

Constant-Size Commitments to Polynomials and Their Applications Ian Goldberg Cryptography, Security, and Privacy Research Lab University of Waterloo ECRYPT II Provable Privacy Workshop 10 July 2012 Coauthors Aniket Kate (Max Planck


  1. Constant-Size Commitments to Polynomials and Their Applications Ian Goldberg Cryptography, Security, and Privacy Research Lab University of Waterloo ECRYPT II Provable Privacy Workshop 10 July 2012

  2. Coauthors Aniket Kate (Max Planck Institutes) Gregory Zaverucha (Microsoft Research) Ryan Henry (University of Waterloo) Femi Olumofin (Pitney Bowes) Yizhou Huang (University of Waterloo) Ian Goldberg Polynomial Commitments 2 / 26

  3. Commitments One of the most common cryptographic primitives Ian Goldberg Polynomial Commitments 3 / 26

  4. Commitments One of the most common cryptographic primitives Ian Goldberg Polynomial Commitments 3 / 26

  5. Commitments One of the most common cryptographic primitives Commit Ian Goldberg Polynomial Commitments 3 / 26

  6. Commitments One of the most common cryptographic primitives Ian Goldberg Polynomial Commitments 3 / 26

  7. Commitments One of the most common cryptographic primitives Binding, Hiding Ian Goldberg Polynomial Commitments 3 / 26

  8. Commitments One of the most common cryptographic primitives Open Ian Goldberg Polynomial Commitments 3 / 26

  9. Hash commitments Simplest kind of commitment C ( m ) = H ( m ) Ian Goldberg Polynomial Commitments 4 / 26

  10. Hash commitments Simplest kind of commitment C ( m ) = H ( r , m ) Ian Goldberg Polynomial Commitments 4 / 26

  11. Homomorphic commitments Ian Goldberg Polynomial Commitments 5 / 26

  12. Homomorphic commitments Ian Goldberg Polynomial Commitments 5 / 26

  13. Homomorphic commitments Ian Goldberg Polynomial Commitments 5 / 26

  14. Homomorphic commitments Ian Goldberg Polynomial Commitments 5 / 26

  15. Homomorphic commitments Ian Goldberg Polynomial Commitments 5 / 26

  16. Homomorphic commitments Ian Goldberg Polynomial Commitments 5 / 26

  17. Homomorphic commitments Ian Goldberg Polynomial Commitments 5 / 26

  18. Homomorphic commitments Ian Goldberg Polynomial Commitments 5 / 26

  19. Homomorphic commitments Ian Goldberg Polynomial Commitments 5 / 26

  20. Homomorphic commitments C ( a ⊕ b ) = C ( a ) ⊗ C ( b ) Ian Goldberg Polynomial Commitments 5 / 26

  21. Homomorphic commitments Simplest homomorphic commitment C ( m ) = g m Ian Goldberg Polynomial Commitments 6 / 26

  22. Homomorphic commitments Simplest homomorphic commitment C ( m ) = g m g a + b = g a · g b Ian Goldberg Polynomial Commitments 6 / 26

  23. Homomorphic commitments Simplest homomorphic commitment C ( m ) = g m C ( a + b ) = C ( a ) · C ( b ) Ian Goldberg Polynomial Commitments 6 / 26

  24. Homomorphic commitments Simplest homomorphic commitment C ( m ) = g m h r Ian Goldberg Polynomial Commitments 6 / 26

  25. Polynomial commitments Until now: Commit to a numbery A Ap Ian Goldberg Polynomial Commitments 7 / 26

  26. Polynomial commitments Next: Commit to a polynomial A Ap Ian Goldberg Polynomial Commitments 7 / 26

  27. Polynomial commitments Next: Commit to a polynomial And:A Open evaluationsAp Ian Goldberg Polynomial Commitments 7 / 26

  28. Polynomial commitments Previous method: f ( x ) = f 0 + f 1 x + f 2 x 2 + · · · + f t x t Ian Goldberg Polynomial Commitments 8 / 26

  29. Polynomial commitments Previous method: f ( x ) = f 0 + f 1 x + f 2 x 2 + · · · + f t x t Ian Goldberg Polynomial Commitments 8 / 26

  30. Polynomial commitments Previous method: f ( x ) = f 0 + f 1 x + f 2 x 2 + · · · + f t x t C ( f ) = � C ( f 0 ) , C ( f 1 ) , C ( f 2 ) , . . . , C ( f t ) � Ian Goldberg Polynomial Commitments 8 / 26

  31. Polynomial commitments Previous method: f ( x ) = f 0 + f 1 x + f 2 x 2 + · · · + f t x t C ( f ) = � C ( f 0 ) , C ( f 1 ) , C ( f 2 ) , . . . , C ( f t ) � � g f 0 , g f 1 , g f 2 , . . . , g f t � C ( f ) = Ian Goldberg Polynomial Commitments 8 / 26

  32. Opening polynomial commitments To open C ( f ) at a given point ( i , y = f ( i )): Ian Goldberg Polynomial Commitments 9 / 26

  33. Opening polynomial commitments To open C ( f ) at a given point ( i , y = f ( i )): Alice sends ( i , y ) to Bob Ian Goldberg Polynomial Commitments 9 / 26

  34. Opening polynomial commitments To open C ( f ) at a given point ( i , y = f ( i )): Alice sends ( i , y ) to Bob Bob checks: = C ( f 0 ) · C ( f 1 ) i · C ( f 2 ) i 2 · · · · · C ( f t ) i t ? g y Ian Goldberg Polynomial Commitments 9 / 26

  35. Opening polynomial commitments To open C ( f ) at a given point ( i , y = f ( i )): Alice sends ( i , y ) to Bob Bob checks: = C ( f 0 ) · C ( f 1 ) i · C ( f 2 ) i 2 · · · · · C ( f t ) i t ? g y g y = g f 0 · g f 1 i · g f 2 i 2 · · · · · g f t i t g i t Ian Goldberg Polynomial Commitments 9 / 26

  36. Opening polynomial commitments To open C ( f ) at a given point ( i , y = f ( i )): Alice sends ( i , y ) to Bob Bob checks: = C ( f 0 ) · C ( f 1 ) i · C ( f 2 ) i 2 · · · · · C ( f t ) i t ? g y g y = g f 0 + f 1 i + f 2 i 2 + ··· + f t i t g i t Ian Goldberg Polynomial Commitments 9 / 26

  37. Opening polynomial commitments To open C ( f ) at a given point ( i , y = f ( i )): Alice sends ( i , y ) to Bob Bob checks: = C ( f 0 ) · C ( f 1 ) i · C ( f 2 ) i 2 · · · · · C ( f t ) i t ? g y g y = g f ( i ) g i t Ian Goldberg Polynomial Commitments 9 / 26

  38. A slight variation C ( f ) = � ( i 0 , C ( f ( i 0 )) ), ( i 1 , C ( f ( i 1 )) ), . . . , ( i t , C ( f ( i t )) ) � Ian Goldberg Polynomial Commitments 10 / 26

  39. A slight variation C ( f ) = � ( i 0 , C ( f ( i 0 )) ), ( i 1 , C ( f ( i 1 )) ), . . . , ( i t , C ( f ( i t )) ) � Ian Goldberg Polynomial Commitments 10 / 26

  40. A slight variation C ( f ) = � ( i 0 , C ( f ( i 0 )) ), ( i 1 , C ( f ( i 1 )) ), . . . , ( i t , C ( f ( i t )) ) � ? = C ( f ( i 0 )) Λ 0 · C ( f ( i 1 )) Λ 1 · · · · · C ( f ( i t )) Λ t g y i − i k � Λ j = i j − i k k Ian Goldberg Polynomial Commitments 10 / 26

  41. Size matters Both types of polynomial commitments grow in size with the degree of the polynomial! Ian Goldberg Polynomial Commitments 11 / 26

  42. Constant-size polynomial commitments Trick #1: Committing Commit to a single evaluation of f Ian Goldberg Polynomial Commitments 12 / 26

  43. Constant-size polynomial commitments Trick #1: Committing Commit to a single evaluation of f . . . at a point α no one knows Ian Goldberg Polynomial Commitments 12 / 26

  44. Constant-size polynomial commitments Trick #1: Committing Commit to a single evaluation of f . . . at a point α no one knows Public key of the system: � g , g α , g α 2 , . . . , g α t � Ian Goldberg Polynomial Commitments 12 / 26

  45. Constant-size polynomial commitments Trick #1: Committing Commit to a single evaluation of f . . . at a point α no one knows Public key of the system: � g , g α , g α 2 , . . . , g α t � � f 0 · g α � f 1 · g α 2 � f 2 ·· · ·· g α t � f t g f ( α ) = � � � � g Ian Goldberg Polynomial Commitments 12 / 26

  46. Constant-size polynomial commitments Trick #2: Opening If f ( i ) = y , then w ( x ) = f ( x ) − y is a x − i polynomial, which Alice can compute Ian Goldberg Polynomial Commitments 13 / 26

  47. Constant-size polynomial commitments Trick #2: Opening If f ( i ) = y , then w ( x ) = f ( x ) − y is a x − i polynomial, which Alice can compute Alice forms a polynomial commitment ω = g w ( α ) to w Ian Goldberg Polynomial Commitments 13 / 26

  48. Constant-size polynomial commitments Trick #2: Opening If f ( i ) = y , then w ( x ) = f ( x ) − y is a x − i polynomial, which Alice can compute Alice forms a polynomial commitment ω = g w ( α ) to w Alice sends ( i , y , ω ) to Bob Ian Goldberg Polynomial Commitments 13 / 26

  49. Constant-size polynomial commitments Trick #3: Verifying The group G generated by g should admit a bilinear pairing e : G × G → G T Ian Goldberg Polynomial Commitments 14 / 26

  50. Constant-size polynomial commitments Trick #3: Verifying The group G generated by g should admit a bilinear pairing e : G × G → G T e ( g a , g b ) = e ( g , g ) ab Ian Goldberg Polynomial Commitments 14 / 26

  51. Constant-size polynomial commitments Trick #3: Verifying The group G generated by g should admit a bilinear pairing e : G × G → G T Bob checks: ? = e ( ω, g α / g i ) e ( g y , g ) e ( C , g ) Ian Goldberg Polynomial Commitments 14 / 26

  52. Constant-size polynomial commitments Trick #3: Verifying The group G generated by g should admit a bilinear pairing e : G × G → G T Bob checks: ? = e ( ω, g α / g i ) e ( g y , g ) e ( C , g ) e ( g f ( α ) , g ) ? = e ( g w ( α ) , g α − i ) e ( g y , g ) e ( g , g ) f ( α ) ? = e ( g , g ) w ( α )( α − i )+ y Ian Goldberg Polynomial Commitments 14 / 26

  53. Variants Can open multiple evaluations with only a single witness Can perform various ZKPoKs; e.g. prove knowledge of f ( i ) � = 0 without revealing f or f ( i ) to Bob Can use a Pedersen-like scheme to achieve perfect hiding Ian Goldberg Polynomial Commitments 15 / 26

  54. Provable security properties Polynomial binding: t-SDH Evaluation binding: t-SDH Hiding: perfect when < t openings revealed; DL when t Ian Goldberg Polynomial Commitments 16 / 26

Recommend


More recommend