Vector Commitments with Efficient Proofs Markulf Kohlweiss 1 and - - PowerPoint PPT Presentation

vector commitments with efficient proofs
SMART_READER_LITE
LIVE PREVIEW

Vector Commitments with Efficient Proofs Markulf Kohlweiss 1 and - - PowerPoint PPT Presentation

Aug 15, 2023 36 likes •236 views

Vector Commitments with Efficient Proofs Markulf Kohlweiss 1 and Alfredo Rial 2 1 Microsoft Research Cambridge 2 KU Leuven ESAT/COSIC IBBT, Belgium Provable Privacy Workshop 10 / 07 / 2012 K.U.Leuven Vector Commitments 10 July 2012 INDEX

slide-1
SLIDE 1

K.U.Leuven

Markulf Kohlweiss1 and Alfredo Rial2

Vector Commitments with Efficient Proofs

1Microsoft Research Cambridge 2KU Leuven ESAT/COSIC – IBBT, Belgium

Provable Privacy Workshop 10 / 07 / 2012

Vector Commitments 10 July 2012

slide-2
SLIDE 2

10 July 2012

  • GOAL: Efficient proofs of calculation correctness
  • MOTIVATION: Privacy-Preserving Smart Metering
  • IDEA: Intermediate tables to store partial results
  • Vector Commitments
  • Definition
  • Application to Smart Metering
  • Constructions
  • CONCLUSION

INDEX

2 Vector Commitments

slide-3
SLIDE 3

10 July 2012

  • A prover performs calculations and reveals the

result to a verifier.

  • The prover proves to the verifier correctness of

the calculations in zero-knowledge.

  • Some calculations are repetitive, but the prover

needs to reprove them each time.

  • Idea to speed up computation: prove

correctness of partial results, and reuse the results.

GOAL

3 Vector Commitments

slide-4
SLIDE 4

10 July 2012

MOTIVATION: Smart Metering

4 Vector Commitments

http://www.simcoe.com/image/821441 http://www.refusesmartmeter.com/

slide-5
SLIDE 5

10 July 2012

Privacy-Preserving Smart Metering

5 Vector Commitments

SMART METER SERVICE PROVIDER USER APP

Fee Reporting & Correctness Proof Fee Calculation Pricing Policy

http://www.givenspaceandtime.com/

Readings

http://www.hsntech.com/energy/energy-solutions/meter-data-solutions.aspx

Meter Readings Cons. Time Sig. 1456 00:00 𝜏𝑛(𝑠

1)

2341 00:15 𝜏𝑛(𝑠2) 543 00:30 𝜏𝑛(𝑠3) ⋮ ⋮ ⋮ Provider Policy Time Rate Sig. 00:00 10 𝜏𝑞(𝑠

1)

00:15 9 𝜏𝑞(𝑠

2)

00:30 8 𝜏𝑞(𝑠

3)

⋮ ⋮ ⋮ 𝑔𝑓𝑓 = 𝑑𝑝𝑜𝑡𝑗 × 𝑠𝑏𝑢𝑓𝑗

𝑜 𝑗=1

Time Index i 00:00 1 00:15 2 ⋮ ⋮

slide-6
SLIDE 6

10 July 2012

  • ZKPK of correctness of fee calculation:

Privacy-Preserving Smart Metering

6 Vector Commitments

Meter Readings Cons. Time Sig. 1456 00:00 𝜏𝑛(𝑠

1)

2341 00:15 𝜏𝑛(𝑠2) 543 00:30 𝜏𝑛(𝑠3) ⋮ ⋮ ⋮ Provider Policy Time Rate Sig. 00:00 10 𝜏𝑞(𝑠

1)

00:15 9 𝜏𝑞(𝑠

2)

00:30 8 𝜏𝑞(𝑠

3)

⋮ ⋮ ⋮ 𝑄𝐿{ 𝑑𝑝𝑜𝑡𝑗, 𝑢𝑗𝑛𝑓𝑗, 𝑠𝑏𝑢𝑓𝑗, 𝜏𝑛 𝑠𝑗 , 𝜏𝑛 𝑠𝑗

𝑗=1 𝑜

: 𝑔𝑓𝑓 = 𝑔𝑓𝑓𝑗

𝑜 𝑗=1

𝑔𝑓𝑓𝑗 = 𝑑𝑝𝑜𝑡𝑗 × 𝑠𝑏𝑢𝑓𝑗 ∧ 𝑊𝑓𝑠𝑇𝑗𝑕 𝜏𝑛 𝑠𝑗 ∧ 𝑊𝑓𝑠𝑇𝑗𝑕(𝜏𝑞 𝑠

𝑗 ) 𝑜 𝑗=1

}

slide-7
SLIDE 7

10 July 2012

More Complex Policies

7 Vector Commitments

  • ZKPK of correctness of fee calculation:

7 Vector Commitments

Meter Readings Cons. Time Sig. 1456 00:00 𝜏𝑛(𝑠

1)

2341 00:15 𝜏𝑛(𝑠2) 543 00:30 𝜏𝑛(𝑠3) ⋮ ⋮ ⋮ Provider Policy Time Rate Sig. 00:00 10 𝜏𝑞(𝑠

1)

00:15 9 𝜏𝑞(𝑠

2)

00:30 8 𝜏𝑞(𝑠

3)

⋮ ⋮ ⋮ 𝑄𝐿{ 𝑑𝑝𝑜𝑡𝑗, 𝑢𝑗𝑛𝑓𝑗, 𝑠𝑏𝑢𝑓𝑗, 𝜏𝑛 𝑠𝑗 , 𝜏𝑛 𝑠𝑗

𝑗=1 𝑜

: 𝑔𝑓𝑓 = 𝑔𝑓𝑓𝑗

𝑜 𝑗=1

𝑔𝑓𝑓𝑗 = 𝑑𝑝𝑜𝑡𝑗 × 𝑠𝑏𝑢𝑓𝑗 ∧ 𝑊𝑓𝑠𝑇𝑗𝑕 𝜏𝑛 𝑠𝑗 ∧ 𝑊𝑓𝑠𝑇𝑗𝑕(𝜏𝑞 𝑠

𝑗 ) 𝑜 𝑗=1

} Agency Policy Time Rate Sig. 00:00 11 𝜏𝑏(𝑠

1, 𝑉)

00:15 8 𝜏𝑏(𝑠2, 𝑉) 00:30 7 𝜏𝑏(𝑠3, 𝑉) ⋮ ⋮ ⋮ 𝑊𝑓𝑠𝑇𝑗𝑕(𝜏𝑞 𝑠

𝑗 )

∨ 𝑊𝑓𝑠𝑇𝑗𝑕(𝜏𝑏 𝑠𝑗, 𝑉 )}

slide-8
SLIDE 8

10 July 2012

IDEA: Intermediate Tables

8 Vector Commitments

1. User creates an intermediate table and proves it correct 2. ZKPK of correctness of fee calculation:

Provider Policy Time Rate Sig. 00:00 10 𝜏𝑞(𝑠

1)

00:15 9 𝜏𝑞(𝑠

2)

00:30 8 𝜏𝑞(𝑠

3)

⋮ ⋮ ⋮ 𝑄𝐿{ 𝑑𝑝𝑜𝑡𝑗, 𝑢𝑗𝑛𝑓𝑗, 𝑠𝑏𝑢𝑓𝑗, 𝜏𝑛 𝑠𝑗 , 𝜏𝑛 𝑠𝑗

𝑗=1 𝑜

: 𝑔𝑓𝑓 = 𝑔𝑓𝑓𝑗

𝑜 𝑗=1

𝑔𝑓𝑓𝑗 = 𝑑𝑝𝑜𝑡𝑗 × 𝑠𝑏𝑢𝑓𝑗 ∧ 𝑊𝑓𝑠𝑇𝑗𝑕 𝜏𝑛 𝑠𝑗 ∧ (𝑊𝑓𝑠𝑇𝑗𝑕 𝜏𝑞 𝑠𝑗 ∨ 𝑊𝑓𝑠𝑇𝑗𝑕 𝜏𝑏 𝑠𝑗 )

𝑜 𝑗=1

} Agency Policy Time Rate Sig. 00:00 11 𝜏𝑏(𝑠

1, 𝑉)

00:15 8 𝜏𝑏(𝑠2, 𝑉) 00:30 7 𝜏𝑏(𝑠3, 𝑉) ⋮ ⋮ ⋮ 𝑀𝑝𝑝𝑙𝑉𝑞(𝑗, 𝑠𝑏𝑢𝑓)

+ =

Intermediate Table Time Rate 00:00 10 00:15 8 00:30 7 ⋮ ⋮

slide-9
SLIDE 9

10 July 2012

If 𝑀𝑝𝑝𝑙𝑉𝑞(𝑗, 𝑠𝑏𝑢𝑓) < 𝑊𝑓𝑠𝑇𝑗𝑕(𝜏𝑞 𝑠𝑗 ) ∨ 𝑊𝑓𝑠𝑇𝑗𝑕(𝜏𝑏 𝑠𝑗, 𝑉 ) THE COST OF CREATING AND PROVING CORRECTNESS OF INTERMEDIATE TABLE (STEP 1) WILL BE AMORTIZED AFTER USING IT A SUFFICIENT AMOUNT OF TIMES TO PROVE CORRECTNESS OF FEE (STEP 2)

IDEA: Intermediate Tables

9 Vector Commitments

slide-10
SLIDE 10

10 July 2012

Vector Commitments: Definition

10 Vector Commitments

slide-11
SLIDE 11

10 July 2012

Let 𝑊 = 𝑦1, … , 𝑦𝑜 .

  • 𝑻𝒇𝒖𝒗𝒒 1𝑙, 𝑚 → 𝑞𝑏𝑠
  • 𝑫𝒔𝒇𝒃𝒖𝒇 𝑞𝑏𝑠, 𝑊, 𝑠 → 𝐷
  • 𝑸𝒔𝒑𝒘𝒇 𝑞𝑏𝑠, 𝑗, 𝑊, 𝑠 → 𝑋

𝑗

  • 𝑾𝒇𝒔𝒋𝒈𝒛 𝑞𝑏𝑠, 𝐷, 𝑦, 𝑗, 𝑋 → {𝑏𝑑𝑑𝑓𝑞𝑢, 𝑠𝑓𝑘𝑓𝑑𝑢}

SIZE OF 𝑋

𝑗 IS INDEPENDENT OF 𝑜

Definition: Algorithms

11 Vector Commitments

slide-12
SLIDE 12

10 July 2012

  • ZKPK of 𝑊 committed to in 𝐷:

𝜌𝑑 = 𝑄𝐿{ 𝑊, 𝑠 : 𝐷 = 𝐷𝑠𝑓𝑏𝑢𝑓(𝑞𝑏𝑠, 𝑊, 𝑠)}

  • ZKPK of witness 𝑋

𝑗 to 𝑦𝑗 in position 𝑗:

𝜌𝑞 = 𝑄𝐿{ 𝑗, 𝑦𝑗, 𝑋

𝑗 : 𝑊𝑓𝑠𝑗𝑔𝑧 𝑞𝑏𝑠, 𝐷, 𝑦, 𝑗, 𝑋 → 𝑏𝑑𝑑𝑓𝑞𝑢}

Definition: Efficient Proofs

12 Vector Commitments

slide-13
SLIDE 13

10 July 2012

  • Hiding: a commitment 𝐷 to a vector 𝑊

does not reveal information on 𝑊.

  • Once a vector component is revealed, the other

components are not hidden anymore

  • [Eprint 2011/495] Hiding property is not required

Definitions: Hiding Property

13 Vector Commitments

slide-14
SLIDE 14

10 July 2012

  • Binding: it is not possible to prove that

(i, x) ∈ 𝑊 if 𝑊 𝑗 ≠ 𝑦.

  • [Eprint 2011/495] Stronger definition where

adversary sends the tuple (C, i, x, x’, w, w’)

  • We achieve this property via 𝜌𝑑 and 𝜌𝑞

Definitions: Binding Property

14 Vector Commitments

slide-15
SLIDE 15

10 July 2012

Application to Smart Metering: Overwiew

15 Vector Commitments

SERVICE PROVIDER USER APP Input 𝑊 Input (1𝑙, 𝑚) Setup 1𝑙, 𝑚 → 𝑞𝑏𝑠 𝐷𝑠𝑓𝑏𝑢𝑓 𝑞𝑏𝑠, 𝑊, 𝑠 → 𝐷 Compute 𝜌𝑑 𝑞𝑏𝑠 𝐷, 𝜌𝑑 𝑄𝑠𝑝𝑤𝑓 𝑞𝑏𝑠, 𝑗, 𝑊, 𝑠 → 𝑋

𝑗

Compute 𝜌𝑞 𝜌𝑞 Verify 𝜌𝑑 Verify 𝜌𝑞

slide-16
SLIDE 16

10 July 2012

  • 1. User creates an intermediate table and proves it correct
  • Let 𝑊 = 𝑠𝑏𝑢𝑓1, … , 𝑠𝑏𝑢𝑓𝑜
  • Run 𝐷𝑠𝑓𝑏𝑢𝑓 𝑞𝑏𝑠, 𝑊, 𝑠 → 𝐷
  • Compute ZKPK of intermediate table correctness:

Application to Smart Metering: Step 1

16 Vector Commitments

Provider Policy Time Rate Sig. 00:00 10 𝜏𝑞(𝑠

1)

00:15 9 𝜏𝑞(𝑠

2)

00:30 8 𝜏𝑞(𝑠

3)

⋮ ⋮ ⋮ Agency Policy Time Rate Sig. 00:00 11 𝜏𝑏(𝑠

1, 𝑉)

00:15 8 𝜏𝑏(𝑠2, 𝑉) 00:30 7 𝜏𝑏(𝑠3, 𝑉) ⋮ ⋮ ⋮

+ =

Intermediate Table Time Rate 00:00 10 00:15 8 00:30 7 ⋮ ⋮ 𝜌𝑑 = 𝑄𝐿{ 𝑊, 𝑠, 𝜏𝑞 𝑠

𝑗 , 𝜏𝑏 𝑠𝑗, 𝑉

: 𝐷 = 𝐷𝑠𝑓𝑏𝑢𝑓 𝑞𝑏𝑠, 𝑊, 𝑠 ∧ 𝑊𝑓𝑠𝑇𝑗𝑕(𝜏𝑞 𝑠𝑗 ) ∨ 𝑊𝑓𝑠𝑇𝑗𝑕(𝜏𝑏 𝑠𝑗, 𝑉 )

𝑜 𝑗=1

}

slide-17
SLIDE 17

10 July 2012

  • ZKPK of correctness of fee calculation:

Application to Smart Metering: Step 2

17 Vector Commitments

Meter Readings Cons. Time Sig. 1456 00:00 𝜏𝑛(𝑠

1)

2341 00:15 𝜏𝑛(𝑠2) 543 00:30 𝜏𝑛(𝑠3) ⋮ ⋮ ⋮ 𝜌𝑞 = 𝑄𝐿{( 𝑗, 𝑠𝑏𝑢𝑓𝑗, 𝑋

𝑗, 𝜏𝑛 𝑠𝑗 𝑗=1 𝑜

): 𝑔𝑓𝑓 = 𝑔𝑓𝑓𝑗

𝑜 𝑗=1

𝑔𝑓𝑓𝑗 = 𝑑𝑝𝑜𝑡𝑗 × 𝑠𝑏𝑢𝑓𝑗 ∧ 𝑊𝑓𝑠𝑇𝑗𝑕 𝜏𝑛 𝑠𝑗 ∧ 𝑊𝑓𝑠𝑗𝑔𝑧 𝑞𝑏𝑠, 𝐷, 𝑠𝑏𝑢𝑓, 𝑗, 𝑋 → 𝑏𝑑𝑑𝑓𝑞𝑢)

𝑜 𝑗=1

} 𝑀𝑝𝑝𝑙𝑉𝑞(𝑗, 𝑠𝑏𝑢𝑓) Intermediate Table Time Rate 00:00 10 00:15 8 00:30 7 ⋮ ⋮

slide-18
SLIDE 18

10 July 2012

  • Polynomial Commitments [Asiacrypt 2010]
  • Imply Vector Commitments
  • Concise Mercurial Vector Commitments [TCC 2010]
  • Imply Vector Commitments
  • No ZKPK are provided
  • Vector Commitments [Eprint 2011/495]
  • No ZKPK are provided
  • Cryptographic Accumulators [Eurocrypt 1993, CRYPTO

2002]

  • Eficient ZKPK are provided
  • Do not imply vector commitments

Vector Commitments: Related Work

18 Vector Commitments

slide-19
SLIDE 19

10 July 2012

  • Construction based on SDH assumption
  • Akin to polynomial commitments [Asiacrypt 2010]
  • Construction based on BDHE assumption
  • Akin to concise mecurial vector commitments [TCC

2010]

  • Construction based on CDH assumption
  • Akin to vector commitments [Eprint 2011/495]
  • Generic construction based on any cryptographic

accumulator and any commitment scheme

Vector Commitments: Constructions

19 Vector Commitments

slide-20
SLIDE 20

10 July 2012

  • Defined vector commitments with efficient ZKPK
  • Constructions based on several assumptions
  • Utility: reuse proofs of partial calculations
  • Example: privacy-preserving smart metering

CONCLUSION

20 Vector Commitments