Constant-Size Commitments to Polynomials and Their Applications Ian - - PowerPoint PPT Presentation

Constant-Size Commitments to Polynomials and Their Applications

Ian Goldberg

Cryptography, Security, and Privacy Research Lab University of Waterloo

ECRYPT II Provable Privacy Workshop 10 July 2012

Coauthors

Aniket Kate (Max Planck Institutes) Gregory Zaverucha (Microsoft Research) Ryan Henry (University of Waterloo) Femi Olumofin (Pitney Bowes) Yizhou Huang (University of Waterloo)

Ian Goldberg Polynomial Commitments 2 / 26

Commitments

One of the most common cryptographic primitives

Ian Goldberg Polynomial Commitments 3 / 26

Commitments

One of the most common cryptographic primitives

Ian Goldberg Polynomial Commitments 3 / 26

Commitments

One of the most common cryptographic primitives Commit

Ian Goldberg Polynomial Commitments 3 / 26

Commitments

One of the most common cryptographic primitives

Ian Goldberg Polynomial Commitments 3 / 26

Commitments

One of the most common cryptographic primitives Binding, Hiding

Ian Goldberg Polynomial Commitments 3 / 26

Commitments

One of the most common cryptographic primitives Open

Ian Goldberg Polynomial Commitments 3 / 26

Hash commitments

Simplest kind of commitment

C(m) = H(m)

Ian Goldberg Polynomial Commitments 4 / 26

Hash commitments

Simplest kind of commitment

C(m) = H(r,m)

Ian Goldberg Polynomial Commitments 4 / 26

Homomorphic commitments

Ian Goldberg Polynomial Commitments 5 / 26

Homomorphic commitments

Ian Goldberg Polynomial Commitments 5 / 26

Homomorphic commitments

Ian Goldberg Polynomial Commitments 5 / 26

Homomorphic commitments

Ian Goldberg Polynomial Commitments 5 / 26

Homomorphic commitments

Ian Goldberg Polynomial Commitments 5 / 26

Homomorphic commitments

Ian Goldberg Polynomial Commitments 5 / 26

Homomorphic commitments

Ian Goldberg Polynomial Commitments 5 / 26

Homomorphic commitments

Ian Goldberg Polynomial Commitments 5 / 26

Homomorphic commitments

Ian Goldberg Polynomial Commitments 5 / 26

Homomorphic commitments

C(a ⊕ b) = C(a) ⊗ C(b)

Ian Goldberg Polynomial Commitments 5 / 26

Homomorphic commitments

Simplest homomorphic commitment

C(m) = g m

Ian Goldberg Polynomial Commitments 6 / 26

Homomorphic commitments

Simplest homomorphic commitment

C(m) = g m g a+b = g a · g b

Ian Goldberg Polynomial Commitments 6 / 26

Homomorphic commitments

Simplest homomorphic commitment

C(m) = g m C(a + b) = C(a) · C(b)

Ian Goldberg Polynomial Commitments 6 / 26

Homomorphic commitments

Simplest homomorphic commitment

C(m) = g mhr

Ian Goldberg Polynomial Commitments 6 / 26

Polynomial commitments

Until now:

Commit to a numbery

A

Ap

Ian Goldberg Polynomial Commitments 7 / 26

Polynomial commitments

Next:

Commit to a polynomial

A

Ap

Ian Goldberg Polynomial Commitments 7 / 26

Polynomial commitments

Next:

Commit to a polynomial

And:A

Open evaluationsAp

Ian Goldberg Polynomial Commitments 7 / 26

Polynomial commitments

Previous method: f (x) = f0 + f1 x + f2 x2 + · · · + ft xt

Ian Goldberg Polynomial Commitments 8 / 26

Polynomial commitments

Previous method: f (x) = f0 + f1 x + f2 x2 + · · · + ft xt

Ian Goldberg Polynomial Commitments 8 / 26

Polynomial commitments

Previous method: f (x) = f0 + f1 x + f2 x2 + · · · + ft xt C(f ) = C(f0), C(f1), C(f2), . . . , C(ft)

Ian Goldberg Polynomial Commitments 8 / 26

Polynomial commitments

Previous method: f (x) = f0 + f1 x + f2 x2 + · · · + ft xt C(f ) = C(f0), C(f1), C(f2), . . . , C(ft) C(f ) =

• g f0, g f1, g f2, . . . , g ft

Ian Goldberg Polynomial Commitments 8 / 26

Opening polynomial commitments

To open C(f ) at a given point (i, y = f (i)):

Ian Goldberg Polynomial Commitments 9 / 26

Opening polynomial commitments

To open C(f ) at a given point (i, y = f (i)): Alice sends (i, y) to Bob

Ian Goldberg Polynomial Commitments 9 / 26

Opening polynomial commitments

To open C(f ) at a given point (i, y = f (i)): Alice sends (i, y) to Bob Bob checks: g y

?

= C(f0) · C(f1)i · C(f2)i2 · · · · · C(ft)it

Ian Goldberg Polynomial Commitments 9 / 26

Opening polynomial commitments

To open C(f ) at a given point (i, y = f (i)): Alice sends (i, y) to Bob Bob checks: g y

?

= C(f0) · C(f1)i · C(f2)i2 · · · · · C(ft)it g y = g f0 · g f1 i · g f2 i2 · · · · · g ft itg it

Ian Goldberg Polynomial Commitments 9 / 26

Opening polynomial commitments

To open C(f ) at a given point (i, y = f (i)): Alice sends (i, y) to Bob Bob checks: g y

?

= C(f0) · C(f1)i · C(f2)i2 · · · · · C(ft)it g y = g f0+f1 i+f2 i2+···+ft itg it

Ian Goldberg Polynomial Commitments 9 / 26

Opening polynomial commitments

To open C(f ) at a given point (i, y = f (i)): Alice sends (i, y) to Bob Bob checks: g y

?

= C(f0) · C(f1)i · C(f2)i2 · · · · · C(ft)it g y = g f (i)g it

Ian Goldberg Polynomial Commitments 9 / 26

A slight variation

C(f ) = (i0, C(f (i0)) ), (i1, C(f (i1)) ), . . . , (it, C(f (it)) )

Ian Goldberg Polynomial Commitments 10 / 26

A slight variation

C(f ) = (i0, C(f (i0)) ), (i1, C(f (i1)) ), . . . , (it, C(f (it)) )

Ian Goldberg Polynomial Commitments 10 / 26

A slight variation

C(f ) = (i0, C(f (i0)) ), (i1, C(f (i1)) ), . . . , (it, C(f (it)) )

g y

?

= C(f (i0))Λ0 · C(f (i1))Λ1 · · · · · C(f (it))Λt Λj =

• k

i − ik ij − ik

Ian Goldberg Polynomial Commitments 10 / 26

Size matters

Both types of polynomial commitments grow in size with the degree of the polynomial!

Ian Goldberg Polynomial Commitments 11 / 26

Constant-size polynomial commitments

Trick #1: Committing Commit to a single evaluation of f

Ian Goldberg Polynomial Commitments 12 / 26

Constant-size polynomial commitments

Trick #1: Committing Commit to a single evaluation of f . . . at a point α no one knows

Ian Goldberg Polynomial Commitments 12 / 26

Constant-size polynomial commitments

Trick #1: Committing Commit to a single evaluation of f . . . at a point α no one knows Public key of the system:

• g, g α, g α2, . . . , g αt

Ian Goldberg Polynomial Commitments 12 / 26

Constant-size polynomial commitments

Trick #1: Committing Commit to a single evaluation of f . . . at a point α no one knows Public key of the system:

• g, g α, g α2, . . . , g αt

g f (α) =

• g

f0 ·

• g αf1 ·
• g α2f2 ·· · ··
• g αtft

Ian Goldberg Polynomial Commitments 12 / 26

Constant-size polynomial commitments

Trick #2: Opening If f (i) = y, then w(x) = f (x)−y

x−i

is a polynomial, which Alice can compute

Ian Goldberg Polynomial Commitments 13 / 26

Constant-size polynomial commitments

Trick #2: Opening If f (i) = y, then w(x) = f (x)−y

x−i

is a polynomial, which Alice can compute Alice forms a polynomial commitment ω = g w(α) to w

Ian Goldberg Polynomial Commitments 13 / 26

Constant-size polynomial commitments

Trick #2: Opening If f (i) = y, then w(x) = f (x)−y

x−i

is a polynomial, which Alice can compute Alice forms a polynomial commitment ω = g w(α) to w Alice sends (i, y, ω) to Bob

Ian Goldberg Polynomial Commitments 13 / 26

Constant-size polynomial commitments

Trick #3: Verifying The group G generated by g should admit a bilinear pairing e : G × G → GT

Ian Goldberg Polynomial Commitments 14 / 26

Constant-size polynomial commitments

Trick #3: Verifying The group G generated by g should admit a bilinear pairing e : G × G → GT

e(g a, g b) = e(g, g)ab

Ian Goldberg Polynomial Commitments 14 / 26

Constant-size polynomial commitments

Trick #3: Verifying The group G generated by g should admit a bilinear pairing e : G × G → GT Bob checks: e(C, g)

?

= e(ω, g α/g i) e(g y, g)

Ian Goldberg Polynomial Commitments 14 / 26

Constant-size polynomial commitments

Trick #3: Verifying The group G generated by g should admit a bilinear pairing e : G × G → GT Bob checks: e(C, g)

?

= e(ω, g α/g i) e(g y, g) e(g f (α), g) ? = e(g w(α), g α−i) e(g y, g) e(g, g)f (α) ? = e(g, g)w(α)(α−i)+y

Ian Goldberg Polynomial Commitments 14 / 26

Variants

Can open multiple evaluations with only a single witness Can perform various ZKPoKs; e.g. prove knowledge of f (i) = 0 without revealing f or f (i) to Bob Can use a Pedersen-like scheme to achieve perfect hiding

Ian Goldberg Polynomial Commitments 15 / 26

Provable security properties

Polynomial binding: t-SDH Evaluation binding: t-SDH Hiding: perfect when < t openings revealed; DL when t

Ian Goldberg Polynomial Commitments 16 / 26

Provable security properties

Polynomial binding: t-SDH Evaluation binding: t-SDH Hiding: perfect when < t openings revealed; DL when t

Ian Goldberg Polynomial Commitments 16 / 26

Provable security properties

Polynomial binding: t-SDH Evaluation binding: t-SDH Hiding: perfect when < t openings revealed; DL when t

Compute (c, g 1/(α+c))

Ian Goldberg Polynomial Commitments 16 / 26

Provable security properties

Polynomial binding: t-SDH Evaluation binding: t-SDH Hiding: perfect when < t openings revealed; DL when t

Ian Goldberg Polynomial Commitments 16 / 26

Provable security properties

Polynomial binding: t-SDH Evaluation binding: t-SDH Hiding: perfect when < t openings revealed; DL when t

Ian Goldberg Polynomial Commitments 16 / 26

Provable security properties

Polynomial binding: t-SDH Evaluation binding: t-SDH Hiding: perfect when < t openings revealed; DL when t Strong correctness (cannot commit to a poly of degree > t): t-polyDH Batch openings: t-BSDH

Ian Goldberg Polynomial Commitments 16 / 26

Provable security properties

Polynomial binding: t-SDH Evaluation binding: t-SDH Hiding: perfect when < t openings revealed; DL when t Strong correctness (cannot commit to a poly of degree > t): t-polyDH Batch openings: t-BSDH

Compute (f , g f (α)) where t < deg f < √q

Ian Goldberg Polynomial Commitments 16 / 26

Provable security properties

Polynomial binding: t-SDH Evaluation binding: t-SDH Hiding: perfect when < t openings revealed; DL when t Strong correctness (cannot commit to a poly of degree > t): t-polyDH Batch openings: t-BSDH

Ian Goldberg Polynomial Commitments 16 / 26

Provable security properties

Polynomial binding: t-SDH Evaluation binding: t-SDH Hiding: perfect when < t openings revealed; DL when t Strong correctness (cannot commit to a poly of degree > t): t-polyDH Batch openings: t-BSDH

Compute (c, e(g, g)1/(α+c))

Ian Goldberg Polynomial Commitments 16 / 26

Applications

Ian Goldberg Polynomial Commitments 17 / 26

Nearly Zero-Knowledge Sets

Commit to a set

Ian Goldberg Polynomial Commitments 18 / 26

Nearly Zero-Knowledge Sets

Commit to a set Prove a given value is (not) in the set

Ian Goldberg Polynomial Commitments 18 / 26

Nearly Zero-Knowledge Sets

Commit to a set Prove a given value is (not) in the set Commit to

• i∈S

(x − i)

Ian Goldberg Polynomial Commitments 18 / 26

Nearly ZK Elementary Databases

Commit to a set of (ki, vi) pairs

Ian Goldberg Polynomial Commitments 19 / 26

Nearly ZK Elementary Databases

Commit to a set of (ki, vi) pairs Commit to

• i

(x − ki) and the polynomial interpolating the (ki, vi)

Ian Goldberg Polynomial Commitments 19 / 26

Similarly

Same trick: vector commitments content extraction signatures credentials

Ian Goldberg Polynomial Commitments 20 / 26

Verifiable secret sharing

Convince each party that her share is consistent with a global commitment

Ian Goldberg Polynomial Commitments 21 / 26

Symmetric Private Information Retrieval

Ensure the client only receives the one block she requested ρj = [f1(j) . . . fr(j) ] Rj = ρj · D

Ian Goldberg Polynomial Commitments 22 / 26

Symmetric Private Information Retrieval

Ensure the client only receives the one block she requested ρj = [f1(j) . . . fr(j) g(j) ] Rj = ρj · D∗

Ian Goldberg Polynomial Commitments 22 / 26

All-but-k commitments

Commit to n − k values

Ian Goldberg Polynomial Commitments 23 / 26

All-but-k commitments

Commit to n − k values Open n values

Ian Goldberg Polynomial Commitments 23 / 26

All-but-k commitments

Commit to n − k values Open n values Assured that at most k of the

• pened values were selected

post-commitment

Ian Goldberg Polynomial Commitments 23 / 26

All-but-k commitments

Commit: |H| = n − k fH(x) = r1 ·

• i∈H

(x − i) C = PolyCommit(fH)

Ian Goldberg Polynomial Commitments 24 / 26

All-but-k commitments

Open: |O| = n, H ⊂ O, S = O\H fS(x) = r2 ·

• i∈S

(x − i), fO(x) =

• i∈O

(x − i) G = PolyCommit(fS) Reveal O, G, ZKP of: r s.t. e(C, G) = e(PolyCommit(fO), g)r knowledge of fH, fS with deg fS ≤ k

Ian Goldberg Polynomial Commitments 25 / 26

Takeaways

Commit to a bunch of values with a single value Homomorphic flexibility Provable security Various applications

Ian Goldberg Polynomial Commitments 26 / 26