多项式承诺Polynomial commitment方案汇总

Posted mutourend

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了多项式承诺Polynomial commitment方案汇总相关的知识,希望对你有一定的参考价值。

1. 引言

目前的多项式承诺Polynomial commitment方案主要有:

其中,Kate polynomial commitment需要用到 elliptic curve pairing
相对来说,FRI更容易理解。

2. Kate多项式承诺

Kate多项式承诺又称KZG承诺,基于pairing曲线构建,满足bilinear属性:

详细的Kate多项式承诺方案见Kate等人2010年论文《Constant-Size Commitments to Polynomials and Their Applications》:

3. Bulletproofs多项式承诺

见博客 Halo: Recursive Proof Composition without a Trusted Setup 学习笔记 中“3. Polynomial commitments”:
假设polynomial p ( X ) p(X) p(X) 的degree bound为 d − 1 d-1 d1,则:

  • S e t u p ( 1 λ , d ) Setup(1^\\lambda, d) Setup(1λ,d):输出为common reference string σ = ( G , F p , G ⃗ , H ) \\sigma=(\\mathbbG,\\mathbbF_p,\\vecG,H) σ=(G,Fp,G ,H) for group G \\mathbbG G of prime order p p p, with random G ⃗ ∈ G d \\vecG\\in\\mathbbG^d G Gd and H ∈ G H\\in\\mathbbG HG
  • C o m m i t ( σ , p ( X ) ; r ) = < a ⃗ , G ⃗ > + [ r ] H Commit(\\sigma,p(X);r)=<\\veca,\\vecG>+[r]H Commit(σ,p(X);r)=<a ,G >+[r]H,其中 r r r为blinding factor, a i ∈ F a_i\\in\\mathbbF aiF为多项式 p ( X ) p(X) p(X) i i ith degree term 系数, p ( X ) ∈ F p [ X ] p(X)\\in\\mathbbF_p[X] p(X)Fp[X]为maximal degree d − 1 d-1 d1。可将其看成是对多项式系数的Pedersen vector commitment,具有很好的hiding和加法同态属性——对于 ∀ a , b , r , s ∈ F p , p ( X ) , q ( X ) ∈ F p [ X ] \\forall a,b,r,s\\in\\mathbbF_p, p(X),q(X)\\in\\mathbbF_p[X] a,b,r,sFp,p(X),q(X)Fp[X],有:
    [ a ] C o m m i t ( σ , p ( X ) ; r ) + [ b ] C o m m i t ( σ , q ( X ) ; s ) = C o m m i t ( σ , a ⋅ p ( X ) + b ⋅ q ( X ) ; a r + b s ) [a]Commit(\\sigma,p(X);r)+[b]Commit(\\sigma,q(X);s)=Commit(\\sigma,a\\cdot p(X)+b\\cdot q(X); ar+bs) [a]Commit(σ,p(X);r)+[b]Commit(σ,q(X);s)=Commit(σ,ap(X)+bq(X);ar+bs)
  • O p e n ( p ( X ) , x ) Open(p(X),x) Open(p(X),x):输出为 v ∈ F p v\\in\\mathbbF_p vFp
  • V e r i f y O p e n ( P , x , v ) VerifyOpen(P,x,v) VerifyOpen(P,x,v):判断the polynomial contained “inside” the commitment P P P evaluates to v v v at x x x。输出为1表示接受,0表示拒绝。

然后可将 ( S e t u p , O p e n , V e r i f y O p e n ) (Setup,Open,VerifyOpen) (Setup,Open,VerifyOpen)看成是a PSHVZK (perfect special honest-verifier zero knowledge) argument of knowledge for the relation:
( ( P , x , v ) : ( a ⃗ , r ) ) : P = < a ⃗ , G ⃗ > + [ r ] H ∧ v = < a ⃗ , ( 1 , x , x 2 , ⋯   , x d − 1 ) > \\((P,x,v):(\\veca,r)): P=<\\veca,\\vecG>+[r]H\\wedge v=<\\veca,(1,x,x^2,\\cdots,x^d-1)>\\ ((P,x,v):(a ,r)):P=<a ,G >+[r]Hv=<a ,(1,x,x2,,xd1)>
以上relation 可用于证明 the polynomial contained “inside” the commitment P P P evaluates to v v v at x x x,甚至 the committed polynomial has maximum degree d − 1 d-1 d1

基本信息展开为: