Browse Source

Add paper-notes backup

master
arnaucube 1 year ago
parent
commit
7978531260
6 changed files with 239 additions and 8 deletions
  1. +2
    -0
      .gitignore
  2. +25
    -0
      paper-notes.bib
  3. BIN
      paper-notes.pdf
  4. +200
    -0
      paper-notes.tex
  5. +3
    -2
      ring-signatures.sage
  6. +9
    -6
      ring-signatures_test.sage

+ 2
- 0
.gitignore

@ -6,3 +6,5 @@
*.out
*.synctex.gz
*.toc
*.bbl
*.blg

+ 25
- 0
paper-notes.bib

@ -0,0 +1,25 @@
@misc{cryptoeprint:2021/529,
author = {Nicolas Gailly and Mary Maller and Anca Nitulescu},
title = {SnarkPack: Practical SNARK Aggregation},
howpublished = {Cryptology ePrint Archive, Paper 2021/529},
year = {2021},
note = {\url{https://eprint.iacr.org/2021/529}},
url = {https://eprint.iacr.org/2021/529}
}
@misc{cryptoeprint:2019/099,
author = {Mary Maller and Sean Bowe and Markulf Kohlweiss and Sarah Meiklejohn},
title = {Sonic: Zero-Knowledge SNARKs from Linear-Size Universal and Updateable Structured Reference Strings},
howpublished = {Cryptology ePrint Archive, Paper 2019/099},
year = {2019},
note = {\url{https://eprint.iacr.org/2019/099}},
url = {https://eprint.iacr.org/2019/099}
}
@misc{kzg-tmp,
author = {A. Kate and G. M. Zaverucha and and I. Goldberg},
title = {Constant-size commitments to polynomials and their application},
year = {2010},
note = {\url{https://www.iacr.org/archive/asiacrypt2010/6477178/6477178.pdf}},
url = {https://www.iacr.org/archive/asiacrypt2010/6477178/6477178.pdf}
}

BIN
paper-notes.pdf


+ 200
- 0
paper-notes.tex

@ -0,0 +1,200 @@
\documentclass{article}
\usepackage[utf8]{inputenc}
\usepackage{amsfonts}
\usepackage{amsthm}
\usepackage{amsmath}
\usepackage{enumerate}
\usepackage{hyperref}
\hypersetup{
colorlinks,
citecolor=black,
filecolor=black,
linkcolor=black,
urlcolor=blue
}
% prevent warnings of underfull \hbox:
\usepackage{etoolbox}
\apptocmd{\sloppy}{\hbadness 4000\relax}{}{}
\theoremstyle{definition}
\newtheorem{definition}{Def}[section]
\newtheorem{theorem}[definition]{Thm}
\title{Paper notes}
\author{arnaucube}
\date{}
\begin{document}
\maketitle
\begin{abstract}
Notes taken while reading papers. Usually while reading papers I take handwritten notes, this document contains some of them re-written to $LaTeX$.
The notes are not complete, don't include all the steps neither all the proofs.
\end{abstract}
\tableofcontents
\section{SnarkPack}
Notes taken while reading SnarkPack paper \cite{cryptoeprint:2021/529}.
Groth16 proof aggregation.
\begin{enumerate}[i.]
\item Simple verification:\\
Proof: $\pi_i = (A_i, B_i, C_i)$\\
Verifier checks: $e(A_i, B_i) == e(C_i, D)$\\
Where $D$ is the $CRS$.
\item Batch verification:
$r \in^\$ F_q$\\
$r^i \cdot e(A_i, B_i) == e(C_i, D)$\\
$\Longrightarrow \prod e(A_i, B_i)^{r^i} == \prod e(C_i, D)^{r^i}$\\
$\Longrightarrow \prod e(A_i, B_i^{r^i}) == \prod e(C_i^{r^i}, D)$
\item Snark Aggregation verification:\\
$z_{AB} = \prod e(A_i, B_i^{r^i})$\\
$z_C = \prod C_i^{r^i}$\\
Verification: $z_{AB} == e(z_C, D)$
\end{enumerate}
\section{Sonic}
Notes taken while reading Sonic paper \cite{cryptoeprint:2019/099}. Does not include all the steps, neither the proofs.
\subsection{Structured Reference String}
$\{ \{g^{x^i}\}_{i=-d}^d, \{ g^{\alpha x^i} \}_{i=-d, i \neq 0}^d, \{ h^{x^i}, h^{\alpha x^i} \}_{i=-d}^d, e(g, h^\alpha) \}$
\subsection{System of constraints}
Multiplication constraint: $a \cdot b = c$
$Q$ linear constraints:
$$
a \cdot u_q + b \cdot v_q + c \cdot w_q = k_q
$$
with $u_q, v_q, w_q \in \mathbb{F}^n$, and $k_q \in \mathbb{F}_p$.
\vspace{0.5cm}
Example: $x^2 + y^2 = z$
$$a = (x, y), \qquad b = (x, y), \qquad c = (x^2, y^2)$$
\begin{enumerate}[i.]
\item $(x, y) \cdot (1, 0) + (x, y) \cdot (-1, 0) + (x^2, y^2) \cdot (0, 0) = 0 \longrightarrow x - x = 0$
\item $(x, y) \cdot (0, 1) + (x, y) \cdot (0, -1) + (x^2, y^2) \cdot (0, 0) = 0 \longrightarrow y - y = 0$
\item $(x, y) \cdot (0, 0) + (x, y) \cdot (0, 0) + (x^2, y^2) \cdot (1, 1) = z \longrightarrow x^2 + y^2 = z$
\end{enumerate}
So,
$$u_1 = (1, 0) \quad v_1=(-1, 0) \quad w_1=(0, 0) \quad k_1=0$$
$$u_2 = (0, 1) \quad v_2=(0, -1) \quad w_2=(0, 0) \quad k_2=0$$
$$u_3 = (0, 0) \quad v_3=(0, 0) \quad w_3=(1, 1) \quad k_2=z$$
\vspace{1cm}
Compress n multiplication constraints into an equation in formal indeterminate $Y$:
$$\sum_{i=1}^n (a_i b_i - c_i) \cdot Y^i = 0$$
encode into negative exponents of $Y$:
$$\sum_{i=1}^n (a_i b_i - c_i) \cdot Y^-i = 0$$
Also, compress the $Q$ linear constraints, scaling by $Y^n$ to preserve linear independence:
$$
\sum_{q=1}^Q (a \cdot u_q + b \cdot v_q + c \cdot w_q - k_q) \cdot Y^{q+n} = 0
$$
Polys:
\begin{align}
\nonumber & u_i(Y) = \sum_{q=1}^Q Y^{q+n} \cdot u_{q, i}\\
\nonumber & v_i(Y) = \sum_{q=1}^Q Y^{q+n} \cdot v_{q, i}\\
\nonumber & w_i(Y) = -Y^i - Y^{-1} + \sum_{q=1}^Q Y^{q+n} \cdot w_{q, i}\\
\nonumber & k(Y) = \sum_{q=1}^Q Y^{q+n} \cdot k_q
\end{align}
Combine the multiplicative and linear constraints to:
\begin{align}
\nonumber & a \cdot u(Y) + b \cdot v(Y) + c \cdot w(Y)
+ \sum_{i=1}^n a_i b_i (Y^i + Y^{-i}) - k(Y) = 0
\end{align}
where $a \cdot u(Y) + b \cdot v(Y) + c \cdot w(Y)$ is embeded into the constant term of the polynomial $t(X, Y)$.
Define $r(X, Y)$ s.t. $r(X, Y) = r(XY, 1)$.
$$\Longrightarrow r(X, Y) = \sum_{i=1}^n (a_i X^i Y^i + b_i X^{-i} Y^{-i} + c_i X^{-i-n} Y^{-i-n})$$
$$s(X, Y) = \sum_{i=1}^n (u_i(Y) X^{-i} + v_i(Y) X^i + w_i(Y) X^{i+n})$$
$$r'(X, Y) = r(X, Y) + s(X, Y)$$
$$t(X, Y) = r(X, Y) + r'(X, Y) - k(Y)$$
The coefficient of $X^0$ in $t(X, Y)$ is the left-hand side of the equation.
Sonic demonstrates that the constant term of $t(X, Y)$ is zero, thus demonstrating that our constraint system is satisfied.
\subsubsection{The basic Sonic protocol}
\begin{enumerate}[1.]
\item Prover constructs $r(X, Y)$ using their hidden witness
\item Prover commits to $r(X, 1)$, setting the maximum degree to n
\item Verifier sends random challenge $y$
\item Prover commits to $t(X, y)$. The commitment scheme ensures that $t(X, y)$ has no constant term.
\item Verifier sends random challenge $z$
\item Prover opens commitments to $r(z, 1), r(z, y), t(z, y)$
\item Verifier calculates $r'(z, y)$, and checks that
$$r(z, y) \cdot r'(z, y) - k(y) == t(z, y)$$
\end{enumerate}
Steps $3$ and $5$ can be made non-interactive by the Fiat-Shamir transformation.
\subsubsection{Polynomial Commitment Scheme}
Sonic uses an adaptation of KZG \cite{kzg-tmp}, want:
\begin{enumerate}[i.]
\item \emph{evaluation binding}, i.e. given a commitment $F$, an adversary cannot open F to two different evaluations $v_1$ and $v_2$
\item \emph{bounded polynomial extractable}, i.e. any algebraic adversary that opens a commitment $F$ knows an opening $f(X)$ with powers $-d \leq i \leq max, i \neq 0$.
\end{enumerate}
\vspace{0.5cm}
PC scheme (adaptation of KZG):
\begin{enumerate}[i.]
\item Commit(info, $f(X)$) $\longrightarrow F$:
$$F = g^{\alpha \cdot x^{d-max}} \cdot f(x)$$
\item Open(info, $F$, $z$, $f(x)$) $\longrightarrow (f(z), W)$:
$$w(X) = \frac{f(X) - f(z)}{X-z}$$
$$W = g^{w(x)}$$
\item Verify(info, $F$, $z$, $(v, W)$) $\longrightarrow 0/1$:\\
Check:
$$e(W, h^{\alpha \cdot x}) \cdot
e(g^v W^{-z}, h^{\alpha})
== e(F, h^{x^{-d+max}})$$
\end{enumerate}
\subsection{Succint signatures of correct computation}
Signature of correct computation to ensure that an element $s=s(z, y)$ for a known polynomial
$$s(X, Y) = \sum_{i, j = -d}^d s_{i, j} \cdot X^i \cdot Y^i$$
Use the structure of $s(X, Y)$ to prove its correct calculation using a \emph{permutation argument} $\longrightarrow$ \emph{grand-product argument} inspired by Bayer and Groth, and Bootle et al.
Restrict to constraint systems where $s(X, Y)$ can be expressed as the sum of $M$ polynomials. Where $j-th$ poly is of the form:
$$
\Psi_j(X, Y) =
\sum_{i=1}^n \psi_{j, \sigma_{j, i}}
\cdot X^i \cdot Y^{\sigma_{j, i}}
$$
where $\sigma_j$ is the fixed polynomial permutation, and $\phi_{j, i} \in \mathbb{F}$ are the coefficients.
\vspace{1cm}
\framebox{WIP}
\vspace{1cm}
\bibliography{paper-notes.bib}
\bibliographystyle{unsrt}
\end{document}

+ 3
- 2
ring-signatures.sage

@ -2,6 +2,8 @@ from hashlib import sha256
# Ring Signatures
# bLSAG: Back’s Linkable Spontaneous Anonymous Group signatures
# A Rust implementation of this scheme can be found at:
# https://github.com/arnaucube/ring-signatures-rs
def hashToPoint(a):
# TODO use a proper hash-to-point
@ -54,12 +56,11 @@ class Prover(object):
c = [None] * len(R)
# c_{pi+1}
pi1 = mod(pi + 1, len(R))
c[pi1] = hash(R, m, a * self.g, a * hashToPoint(R[pi]), self.q)
c[pi1] = hash(R, m, a * self.g, hashToPoint(R[pi]) * a, self.q)
key_image = self.w * hashToPoint(self.K)
# do c_{i+1} from i=pi+1 to pi-1:
# for j in range(0, len(R)-1):
for j in range(0, len(R)-1):
i = mod(pi1+j, len(R))
i1 = mod(pi1+j +1, len(R))

+ 9
- 6
ring-signatures_test.sage

@ -1,6 +1,9 @@
import unittest, operator
load("ring-signatures.sage")
# A Rust implementation of this scheme can be found at:
# https://github.com/arnaucube/ring-signatures-rs
# ethereum elliptic curve
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
a = 0
@ -19,13 +22,13 @@ assert g * q == 0
class TestRingSignatures(unittest.TestCase):
def test_blSAG_ring_of_5(self):
test_blSAG(5, 3)
def test_blSAG_ring_of_20(self):
test_blSAG(20, 14)
def test_bLSAG_ring_of_5(self):
test_bLSAG(5, 3)
def test_bLSAG_ring_of_20(self):
test_bLSAG(20, 14)
def test_blSAG(ring_size, pi):
print(f"[blSAG] Testing with a ring of {ring_size} keys")
def test_bLSAG(ring_size, pi):
print(f"[bLSAG] Testing with a ring of {ring_size} keys")
prover = Prover(F, g)
n = ring_size
R = [None] * n

Loading…
Cancel
Save