diff --git a/.gitignore b/.gitignore index 94fb0c5..d9643ad 100644 --- a/.gitignore +++ b/.gitignore @@ -6,3 +6,5 @@ *.out *.synctex.gz *.toc +*.bbl +*.blg diff --git a/paper-notes.bib b/paper-notes.bib new file mode 100644 index 0000000..c584017 --- /dev/null +++ b/paper-notes.bib @@ -0,0 +1,25 @@ +@misc{cryptoeprint:2021/529, + author = {Nicolas Gailly and Mary Maller and Anca Nitulescu}, + title = {SnarkPack: Practical SNARK Aggregation}, + howpublished = {Cryptology ePrint Archive, Paper 2021/529}, + year = {2021}, + note = {\url{https://eprint.iacr.org/2021/529}}, + url = {https://eprint.iacr.org/2021/529} +} + +@misc{cryptoeprint:2019/099, + author = {Mary Maller and Sean Bowe and Markulf Kohlweiss and Sarah Meiklejohn}, + title = {Sonic: Zero-Knowledge SNARKs from Linear-Size Universal and Updateable Structured Reference Strings}, + howpublished = {Cryptology ePrint Archive, Paper 2019/099}, + year = {2019}, + note = {\url{https://eprint.iacr.org/2019/099}}, + url = {https://eprint.iacr.org/2019/099} +} + +@misc{kzg-tmp, + author = {A. Kate and G. M. Zaverucha and and I. Goldberg}, + title = {Constant-size commitments to polynomials and their application}, + year = {2010}, + note = {\url{https://www.iacr.org/archive/asiacrypt2010/6477178/6477178.pdf}}, + url = {https://www.iacr.org/archive/asiacrypt2010/6477178/6477178.pdf} +} diff --git a/paper-notes.pdf b/paper-notes.pdf new file mode 100644 index 0000000..3744804 Binary files /dev/null and b/paper-notes.pdf differ diff --git a/paper-notes.tex b/paper-notes.tex new file mode 100644 index 0000000..1015466 --- /dev/null +++ b/paper-notes.tex @@ -0,0 +1,200 @@ +\documentclass{article} +\usepackage[utf8]{inputenc} +\usepackage{amsfonts} +\usepackage{amsthm} +\usepackage{amsmath} +\usepackage{enumerate} +\usepackage{hyperref} +\hypersetup{ + colorlinks, + citecolor=black, + filecolor=black, + linkcolor=black, + urlcolor=blue +} + +% prevent warnings of underfull \hbox: +\usepackage{etoolbox} +\apptocmd{\sloppy}{\hbadness 4000\relax}{}{} + +\theoremstyle{definition} +\newtheorem{definition}{Def}[section] +\newtheorem{theorem}[definition]{Thm} + + +\title{Paper notes} +\author{arnaucube} +\date{} + +\begin{document} + +\maketitle + +\begin{abstract} + Notes taken while reading papers. Usually while reading papers I take handwritten notes, this document contains some of them re-written to $LaTeX$. + + The notes are not complete, don't include all the steps neither all the proofs. +\end{abstract} + +\tableofcontents + +\section{SnarkPack} +Notes taken while reading SnarkPack paper \cite{cryptoeprint:2021/529}. + +Groth16 proof aggregation. + +\begin{enumerate}[i.] + \item Simple verification:\\ + Proof: $\pi_i = (A_i, B_i, C_i)$\\ + Verifier checks: $e(A_i, B_i) == e(C_i, D)$\\ + Where $D$ is the $CRS$. + \item Batch verification: + $r \in^\$ F_q$\\ + $r^i \cdot e(A_i, B_i) == e(C_i, D)$\\ + $\Longrightarrow \prod e(A_i, B_i)^{r^i} == \prod e(C_i, D)^{r^i}$\\ + $\Longrightarrow \prod e(A_i, B_i^{r^i}) == \prod e(C_i^{r^i}, D)$ + \item Snark Aggregation verification:\\ + $z_{AB} = \prod e(A_i, B_i^{r^i})$\\ + $z_C = \prod C_i^{r^i}$\\ + Verification: $z_{AB} == e(z_C, D)$ +\end{enumerate} + +\section{Sonic} +Notes taken while reading Sonic paper \cite{cryptoeprint:2019/099}. Does not include all the steps, neither the proofs. + +\subsection{Structured Reference String} +$\{ \{g^{x^i}\}_{i=-d}^d, \{ g^{\alpha x^i} \}_{i=-d, i \neq 0}^d, \{ h^{x^i}, h^{\alpha x^i} \}_{i=-d}^d, e(g, h^\alpha) \}$ + +\subsection{System of constraints} +Multiplication constraint: $a \cdot b = c$ + +$Q$ linear constraints: +$$ +a \cdot u_q + b \cdot v_q + c \cdot w_q = k_q +$$ + +with $u_q, v_q, w_q \in \mathbb{F}^n$, and $k_q \in \mathbb{F}_p$. + +\vspace{0.5cm} +Example: $x^2 + y^2 = z$ + +$$a = (x, y), \qquad b = (x, y), \qquad c = (x^2, y^2)$$ +\begin{enumerate}[i.] + \item $(x, y) \cdot (1, 0) + (x, y) \cdot (-1, 0) + (x^2, y^2) \cdot (0, 0) = 0 \longrightarrow x - x = 0$ + \item $(x, y) \cdot (0, 1) + (x, y) \cdot (0, -1) + (x^2, y^2) \cdot (0, 0) = 0 \longrightarrow y - y = 0$ + \item $(x, y) \cdot (0, 0) + (x, y) \cdot (0, 0) + (x^2, y^2) \cdot (1, 1) = z \longrightarrow x^2 + y^2 = z$ +\end{enumerate} + +So, +$$u_1 = (1, 0) \quad v_1=(-1, 0) \quad w_1=(0, 0) \quad k_1=0$$ +$$u_2 = (0, 1) \quad v_2=(0, -1) \quad w_2=(0, 0) \quad k_2=0$$ +$$u_3 = (0, 0) \quad v_3=(0, 0) \quad w_3=(1, 1) \quad k_2=z$$ + +\vspace{1cm} + +Compress n multiplication constraints into an equation in formal indeterminate $Y$: +$$\sum_{i=1}^n (a_i b_i - c_i) \cdot Y^i = 0$$ +encode into negative exponents of $Y$: +$$\sum_{i=1}^n (a_i b_i - c_i) \cdot Y^-i = 0$$ + +Also, compress the $Q$ linear constraints, scaling by $Y^n$ to preserve linear independence: +$$ +\sum_{q=1}^Q (a \cdot u_q + b \cdot v_q + c \cdot w_q - k_q) \cdot Y^{q+n} = 0 +$$ + +Polys: + +\begin{align} +\nonumber & u_i(Y) = \sum_{q=1}^Q Y^{q+n} \cdot u_{q, i}\\ +\nonumber & v_i(Y) = \sum_{q=1}^Q Y^{q+n} \cdot v_{q, i}\\ +\nonumber & w_i(Y) = -Y^i - Y^{-1} + \sum_{q=1}^Q Y^{q+n} \cdot w_{q, i}\\ +\nonumber & k(Y) = \sum_{q=1}^Q Y^{q+n} \cdot k_q +\end{align} + +Combine the multiplicative and linear constraints to: + +\begin{align} +\nonumber & a \cdot u(Y) + b \cdot v(Y) + c \cdot w(Y) ++ \sum_{i=1}^n a_i b_i (Y^i + Y^{-i}) - k(Y) = 0 +\end{align} + +where $a \cdot u(Y) + b \cdot v(Y) + c \cdot w(Y)$ is embeded into the constant term of the polynomial $t(X, Y)$. + + +Define $r(X, Y)$ s.t. $r(X, Y) = r(XY, 1)$. + +$$\Longrightarrow r(X, Y) = \sum_{i=1}^n (a_i X^i Y^i + b_i X^{-i} Y^{-i} + c_i X^{-i-n} Y^{-i-n})$$ + +$$s(X, Y) = \sum_{i=1}^n (u_i(Y) X^{-i} + v_i(Y) X^i + w_i(Y) X^{i+n})$$ + +$$r'(X, Y) = r(X, Y) + s(X, Y)$$ +$$t(X, Y) = r(X, Y) + r'(X, Y) - k(Y)$$ + +The coefficient of $X^0$ in $t(X, Y)$ is the left-hand side of the equation. + +Sonic demonstrates that the constant term of $t(X, Y)$ is zero, thus demonstrating that our constraint system is satisfied. + + +\subsubsection{The basic Sonic protocol} + +\begin{enumerate}[1.] + \item Prover constructs $r(X, Y)$ using their hidden witness + \item Prover commits to $r(X, 1)$, setting the maximum degree to n + \item Verifier sends random challenge $y$ + \item Prover commits to $t(X, y)$. The commitment scheme ensures that $t(X, y)$ has no constant term. + \item Verifier sends random challenge $z$ + \item Prover opens commitments to $r(z, 1), r(z, y), t(z, y)$ + \item Verifier calculates $r'(z, y)$, and checks that + $$r(z, y) \cdot r'(z, y) - k(y) == t(z, y)$$ +\end{enumerate} + +Steps $3$ and $5$ can be made non-interactive by the Fiat-Shamir transformation. + +\subsubsection{Polynomial Commitment Scheme} +Sonic uses an adaptation of KZG \cite{kzg-tmp}, want: + +\begin{enumerate}[i.] + \item \emph{evaluation binding}, i.e. given a commitment $F$, an adversary cannot open F to two different evaluations $v_1$ and $v_2$ + \item \emph{bounded polynomial extractable}, i.e. any algebraic adversary that opens a commitment $F$ knows an opening $f(X)$ with powers $-d \leq i \leq max, i \neq 0$. +\end{enumerate} + +\vspace{0.5cm} +PC scheme (adaptation of KZG): + +\begin{enumerate}[i.] + \item Commit(info, $f(X)$) $\longrightarrow F$: + $$F = g^{\alpha \cdot x^{d-max}} \cdot f(x)$$ + \item Open(info, $F$, $z$, $f(x)$) $\longrightarrow (f(z), W)$: + $$w(X) = \frac{f(X) - f(z)}{X-z}$$ + $$W = g^{w(x)}$$ + \item Verify(info, $F$, $z$, $(v, W)$) $\longrightarrow 0/1$:\\ + Check: + $$e(W, h^{\alpha \cdot x}) \cdot + e(g^v W^{-z}, h^{\alpha}) + == e(F, h^{x^{-d+max}})$$ +\end{enumerate} + +\subsection{Succint signatures of correct computation} +Signature of correct computation to ensure that an element $s=s(z, y)$ for a known polynomial +$$s(X, Y) = \sum_{i, j = -d}^d s_{i, j} \cdot X^i \cdot Y^i$$ + +Use the structure of $s(X, Y)$ to prove its correct calculation using a \emph{permutation argument} $\longrightarrow$ \emph{grand-product argument} inspired by Bayer and Groth, and Bootle et al. + +Restrict to constraint systems where $s(X, Y)$ can be expressed as the sum of $M$ polynomials. Where $j-th$ poly is of the form: +$$ +\Psi_j(X, Y) = + \sum_{i=1}^n \psi_{j, \sigma_{j, i}} + \cdot X^i \cdot Y^{\sigma_{j, i}} +$$ + +where $\sigma_j$ is the fixed polynomial permutation, and $\phi_{j, i} \in \mathbb{F}$ are the coefficients. + +\vspace{1cm} +\framebox{WIP} +\vspace{1cm} + + +\bibliography{paper-notes.bib} +\bibliographystyle{unsrt} + +\end{document} diff --git a/ring-signatures.sage b/ring-signatures.sage index c1314c1..b32acbc 100644 --- a/ring-signatures.sage +++ b/ring-signatures.sage @@ -2,6 +2,8 @@ from hashlib import sha256 # Ring Signatures # bLSAG: Back’s Linkable Spontaneous Anonymous Group signatures +# A Rust implementation of this scheme can be found at: +# https://github.com/arnaucube/ring-signatures-rs def hashToPoint(a): # TODO use a proper hash-to-point @@ -54,12 +56,11 @@ class Prover(object): c = [None] * len(R) # c_{pi+1} pi1 = mod(pi + 1, len(R)) - c[pi1] = hash(R, m, a * self.g, a * hashToPoint(R[pi]), self.q) + c[pi1] = hash(R, m, a * self.g, hashToPoint(R[pi]) * a, self.q) key_image = self.w * hashToPoint(self.K) # do c_{i+1} from i=pi+1 to pi-1: - # for j in range(0, len(R)-1): for j in range(0, len(R)-1): i = mod(pi1+j, len(R)) i1 = mod(pi1+j +1, len(R)) diff --git a/ring-signatures_test.sage b/ring-signatures_test.sage index d9b86f4..f91babc 100644 --- a/ring-signatures_test.sage +++ b/ring-signatures_test.sage @@ -1,6 +1,9 @@ import unittest, operator load("ring-signatures.sage") +# A Rust implementation of this scheme can be found at: +# https://github.com/arnaucube/ring-signatures-rs + # ethereum elliptic curve p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F a = 0 @@ -19,13 +22,13 @@ assert g * q == 0 class TestRingSignatures(unittest.TestCase): - def test_blSAG_ring_of_5(self): - test_blSAG(5, 3) - def test_blSAG_ring_of_20(self): - test_blSAG(20, 14) + def test_bLSAG_ring_of_5(self): + test_bLSAG(5, 3) + def test_bLSAG_ring_of_20(self): + test_bLSAG(20, 14) -def test_blSAG(ring_size, pi): - print(f"[blSAG] Testing with a ring of {ring_size} keys") +def test_bLSAG(ring_size, pi): + print(f"[bLSAG] Testing with a ring of {ring_size} keys") prover = Prover(F, g) n = ring_size R = [None] * n