This is a summary of [BMMTV19]. In the previous post, we introduced the inner product argument which recursively reduces the size of the witness. In [BMMTV19], they extend this argument to general inner products with some assumptions, which is called GIPA.
Generalized inner product argument (GIPA)
Let's define the desired properties of our inner products and commitment scheme. Let be a commitment key space, be a message space, and be a commitment space. We need all the spaces to be abelian groups, and to be a bilinear commitment scheme. For example, in the previous post, and . Next, we define an inner product on abelian message spaces. We abuse notation for Cartesian products, that is, is defined by . For example, in the previous post, and is a field multiplication.
Like the inner product argument, we want to reduce the size of messages for each round. Suppose we have a series of commitment schemes. That is, for each , we have
Here, are groups of order . The collapse function is a series of functions such that
Given such a series of commitments and a collapse function, the goal of GIPA is to prove that
Here, and are witnesses the prover has, and they are committed using the commitment keys by . The process is similar to the previous post. First, the prover sends a new commitment
Then, the verifier makes a random challenge . With the new commitment keys and new witnesses
the prover now wants to prove that
The size of the witnesses becomes half, and one can show that the correctness of the first commitment implies the last equation using bilinearity of commitment and collapse property. Also, the converse is true for high probability. Continuing this process, we can reduce the size of witnesses to , and then send them to the verifier.
Reduce verifier time using KZG
A problem of GIPA is that the verifier should compute new commitment keys for each round. Some special commitment scheme allows removing these calculations. Instead of computing each commitment key, the verifier believes the prover is using valid commitment keys for each round. Then, the verifier checks all the commitment keys are valid simultaneously using the KZG commitment scheme. The special property is that the first commitment key is of the form
In order to prove each commitment key is valid, it's enough to prove that the final commitment key equals to
where is the th challenge in GIPA. Similarly, this can be applied to with instead of . To prove this, we can use the KZG commitment scheme. Let
Using KZG, the prover can show that efficiently.
Application
As an application, I will introduce the TIPP protocol. Let be cyclic groups of order , and be a non-degenerate bilinear pairing. You may think of these as paring-friendly curve groups for example. Let be a trusted setup, and similarly. The prover has witnesses and , and commits them using and . After commitment, the verifier chooses a random challenge . The prover wants to prove that equals known and the commitments are valid.
Note that the commitment scheme is bilinear, and the inner product is defined by pairing . For each round, the commitment belongs to the same , so we can choose the collapse function as identity. Now, the prover and verifier can use GIPA with two commitment keys and two witnesses
Since the first commitment keys are the desired form, the verifier needs not to compute each commitment key but needs to check final commitment keys are valid using KZG.
댓글
댓글 쓰기