$\newcommand{\Z}{\mathbb{Z}} \newcommand{\N}{\mathbb{N}} \newcommand{\F}{\mathbb{F}} \newcommand{\G}{\mathbb{G}} \newcommand{\g}{\mathbf{g}} \newcommand{\h}{\mathbf{h}} \newcommand{\a}{\mathbf{a}} \newcommand{\b}{\mathbf{b}} \newcommand{\CM}{\mathrm{CM}}$This is a summary of [BMMTV19]. In the previous post, we introduced the inner product argument which recursively reduces the size of the witness. In [BMMTV19], they extend this argument to general inner products with some assumptions, which is called GIPA.
Generalized inner product argument (GIPA)
Let's define the desired properties of our inner products and commitment scheme. Let $K$ be a commitment key space, $M$ be a message space, and $C$ be a commitment space. We need all the spaces $K, M, C$ to be abelian groups, and $\CM(\cdot \ ; \cdot): K \times M \to C$ to be a bilinear commitment scheme. For example, in the previous post, $K = \G^n, M = \F_p^n, C = \G$ and $\CM(\g; \a) = \sum a_i g_i$. Next, we define an inner product $\odot: M_1 \times M_2 \to M_3$ on abelian message spaces. We abuse notation for Cartesian products, that is, $\odot: M_1^n \times M_2^n \to M_3$ is defined by $(a_i) \odot (b_i) = \sum a_i \odot b_i$. For example, in the previous post, $M_1 = M_2 = \F_p$ and $\odot$ is a field multiplication.
Like the inner product argument, we want to reduce the size of messages for each round. Suppose we have a series of commitment schemes. That is, for each $n = 2^j$, we have
$$\CM_n : (K_1^n \times K_2^n \times K) \times (M_1^n \times M_2^n \times M_3) \to C_n$$
Here, $K_1, K_2, K_3, M_1, M_2, M_3$ are groups of order $p$. The collapse function is a series of functions $\mathrm{Collapse}_n : C_{2n} \to C_n$ such that
$$\mathrm{Collapse}_n(\CM_{2n} (k_1 || k'_1, k_2||k'_2, k_3; m_1||m_1, m_2||m_2, m_3)) = \CM_n ( k_1+k'_1, k_2+k'_2,k_3 ; m_1, m_2, m_3)$$
Given such a series of commitments and a collapse function, the goal of GIPA is to prove that
$$C = \CM_n(k_1, k_2, k_3; \a, \b, \a \odot \b).$$
Here, $\a \in M_1^n$ and $\b \in M_2^n$ are witnesses the prover has, and they are committed using the commitment keys $k_1, k_2, k_3$ by $C$. The process is similar to the previous post. First, the prover sends a new commitment
$$C_L = \CM_n(k_1, k_2, k_3; l(\a)||0, 0||r(\b), l(\a) \odot r(\b))$$
$$C_R = \CM_n(k_1, k_2, k_3; 0||r(\a), l(\b)||0, r(\a) \odot l(\b))$$
Then, the verifier makes a random challenge $x \in \F_p^\times$. With the new commitment keys and new witnesses
$$k'_1 = r(k_1) + x^{-1} l(k_1),$$
$$k'_2 = r(k_2) + x l(k_1),$$
$$\a' = r(\a) + x l(\a),$$
$$\b' = r(\b) + x^{-1} l(\a),$$
the prover now wants to prove that
$$\CM_{\frac{n}{2}} (k'_1, k'_2, k_3; \a', \b', \a' \odot \b') = \mathrm{Collapse}_n (x C_L + C+ x^{-1} C_R)$$
The size of the witnesses becomes half, and one can show that the correctness of the first commitment implies the last equation using bilinearity of commitment and collapse property. Also, the converse is true for high probability. Continuing this process, we can reduce the size of witnesses to $n=1$, and then send them to the verifier.
Reduce verifier time using KZG
A problem of GIPA is that the verifier should compute new commitment keys $k'_1, k'_2$ for each round. Some special commitment scheme allows removing these calculations. Instead of computing each commitment key, the verifier believes the prover is using valid commitment keys for each round. Then, the verifier checks all the commitment keys are valid simultaneously using the KZG commitment scheme. The special property is that the first commitment key $k_1$ is of the form
$$\g = (g, g^{\alpha}, \cdots, g^{\alpha^{n-1}}) \in \G_1^n$$
In order to prove each commitment key is valid, it's enough to prove that the final commitment key $v$ equals to
$$g^{\prod_{j=0}^{\log n} (1+x_j \alpha^{{j+1}})}$$
where $x_j$ is the $(\log n -j)$th challenge in GIPA. Similarly, this can be applied to $k_2$ with $x_j^{-1}$ instead of $x_j$. To prove this, we can use the KZG commitment scheme. Let
$$f(X) = \prod_{j=0}^{\log n} (1+x_j \alpha^{{j+1}}).$$
Using KZG, the prover can show that $g^f(\alpha) = v$ efficiently.
Application
As an application, I will introduce the TIPP protocol. Let $\G_1 = \langle g \rangle, \G_2 = \langle h \rangle, \G_T$ be cyclic groups of order $p$, and $e : \G_1 \times \G_2 \to \G_T$ be a non-degenerate bilinear pairing. You may think of these as paring-friendly curve groups for example. Let $\mathbf{g^\alpha} = (g, g^{\alpha}, \ldots, g^{\alpha^{n-1}} ) \in \G_1^n$ be a trusted setup, and $\mathbf{h^\beta} \in \G_2^n$ similarly. The prover has witnesses $A \in \G_1^n$ and $B \in \G_2^n$, and commits them using $T = \langle A, \mathbf{h^\beta}\rangle$ and $U =\langle \mathbf{g^\alpha} , B\rangle$. After commitment, the verifier chooses a random challenge $r \in \F$. The prover wants to prove that $(A \cdot B)^\mathbf{r} = \prod_{i=0}^{m-1} e(A_i, B_i)^{r^i}$ equals known $Z$ and the commitments are valid.
Note that the commitment scheme is bilinear, and the inner product is defined by pairing $e$. For each round, the commitment belongs to the same $\G_T$, so we can choose the collapse function as identity. Now, the prover and verifier can use GIPA with two commitment keys and two witnesses
$$(g, g^{(r^{-1} \alpha}, \ldots , g^{r^{-(n-1)} \alpha^{n-1}}), (h, h^{\beta}, \ldots, h^{\beta^{n-1}})$$
$$(A_0, A_1^r, \ldots, A_{n-1}^{r^{n-1}}), (B_0, B_1, \ldots, B_{n-1})$$
Since the first commitment keys are the desired form, the verifier needs not to compute each commitment key but needs to check final commitment keys are valid using KZG.
댓글
댓글 쓰기