A survey on zero knowledge range proofs and applications | SpringerLink
$$\begin{aligned} {\mathrm {PK}}\{(\delta, \gamma ) : y = g^\delta h^\gamma \wedge (u \le \delta \le v)\}, \end{aligned}$$
which denotes a proof of cognition of integers \ ( \delta\ ) and \ ( \gamma\ ) such that \ ( yttrium = g^\delta h^\gamma\ ) and \ ( u \le \delta \le v\ ). In other words, this notation means that y is the commitment to the secret measure \ ( \delta\ ), which is contained in the interval [ u, v ). greek letters are used to denote values that must be known alone to the prover. For exemplify, we have that \ ( \delta\ ) is her secret data, while \ ( \gamma\ ) is a random prize that is used to hide \ ( \delta\ ). finally, we use notation \ ( x { \mathop { = } \limits ^ { ? } } y\ ) to check if x is equal or not to y .
Assumptions
The constructions presented in this newspaper are based on the assumptions described in this section. The solid RSA presumption first appeared in the work of Fujisaki and Okamoto [ 31 ]. It is a stronger presumption with respect to the conventional RSA premise, because any adversary who can break the RSA assumption would besides be able to break the firm RSA assumption. In [ 22 ] it is shown how to replace the solid RSA assumption by the standard RSA assumption in many ZKP application including ZKRP .
Definition 1
( RSA assumption ) Given RSA modulus n, RSA advocate e and an element \ ( yttrium \in { \mathbb { Z } } _n^\star\ ), it is impracticable to find integers x such that \ ( y = x^e \pmod { nitrogen } \ ) .
Definition 2
( Strong RSA assumption ) Given an RSA modulus n and an element \ ( yttrium \in { \mathbb { Z } } _n^\star\ ), it is impracticable to find integers \ ( east \ne \pm 1\ ) and x, such that \ ( y = x^e \pmod { nitrogen } \ ) .
Definition 3
( Discrete Logarithm assumption ) Let \ ( { \mathbb { G } } \ ) be a group of prime order q, a generator \ ( guanine \in { \mathbb { G } } \ ) and an arbitrary chemical element \ ( y \in { \mathbb { G } } \ ), it is impracticable to find \ ( x \in { \mathbb { Z } } _q\ ), such that \ ( yttrium = g^x\ ) .
Definition 4
( q -Strong Diffie-Hellman assumption ) Given groups \ ( { \mathbb { G } } _1\ ) and \ ( { \mathbb { G } } _T\ ), associated with a secure bilinear pairing map e ; given generator \ ( gigabyte \in { \mathbb { G } } _1\ ) and powers \ ( g^x, \ldots, g^ { x^q } \ ), for \ ( x \in _r { \mathbb { Z } } _p\ ), we have that it is impracticable for an adversary to output \ ( ( carbon, g^ { 1/ ( x+c ) } ) \ ), where \ ( hundred \in { \mathbb { Z } } _p\ ) .
It is significant to remark that these assumptions are not valid if quantum computers come to existence. therefore, the research of quantum-resistant ZKPs is a very significant capable .
Commitment
soon, a cryptanalytic commitment allows person to compute a prize that hides some message without ambiguity, in the sense that no matchless former will be able to argue that this value corresponds to a different message. In other words, given the impossibility to change the concealed message, we say that the exploiter committed to that message. The purpose of using a committedness dodge is to allow a prover to compute zero cognition proof where the obscure message is the underlying witness w .
Definition 5
A commitment scheme is defined by algorithm \ ( { \mathrm { Commit } } \ ) and \ ( { \mathrm { Open } } \ ) as follows :
- \ ( c = { \mathrm { Commit } } ( m, r ) \ ). Given a message m and randomness r, calculate as end product a value c that, informally, hides message m and such that it is hard to compute message \ ( m’\ ) and randomness \ ( r’\ ) that satisfies \ ( { \mathrm { Commit } } ( thousand ‘, r ‘ ) = { \mathrm { Commit } } ( m, roentgen ) \ ). In particular, it is hard to invert officiate \ ( { \mathrm { Commit } } \ ) to find m or r .
- \ ( b = { \mathrm { Open } } ( speed of light, molarity, roentgen ) \ ). Given a commitment c, a message m and randomness r, the algorithm returns true if and entirely if \ ( c = { \mathrm { Commit } } ( m, gas constant ) \ ) .
A commitment schema has 2 properties :
- Binding Given a committedness c, it is difficult to compute a different couple of message and randomness whose commitment is c. This place guarantees that there is no ambiguity in the committedness system, and frankincense after c is published it is hard to open it to a different value .
- Hiding It is hard to compute any information about m given c .
A well known commitment system is called Pedersen commitment [ 51 ]. Given group \ ( { \mathbb { Z } } _p\ ), of prime orderliness p, where the discrete logarithm trouble is impracticable, the commitment is computed as follows :
Read more: A Few Thoughts on Cryptographic Engineering
$$\begin{aligned} c = {\mathrm {Commit}}(m, r) = g^m h^r. \end{aligned}$$
In order to open this committedness, given message m and randomness r, we simply recompute it and compare with c. An concern property is that Pedersen commitment is homomorphic. namely, we have that for arbitrary messages \ ( m_1\ ) and \ ( m_2\ ) and randomness \ ( r_1\ ) and \ ( r_2\ ), such that \ ( c_i = { \mathrm { Commit } } ( m_i, r_i ) \ ) for \ ( iodine \in \ { 1,2\ } \ ), then
$$\begin{aligned} c_1\cdot c_2 = {\mathrm {Commit}}(m_1 + m_2, r_1 + r_2). \end{aligned}$$
Pedersen commitment is normally implemented using groups over elliptic curves. besides, it is authoritative to remark that if the discrete logarithm of h with respect to g is known, then it is easily to generate \ ( m’\ ) and \ ( r’\ ) such that \ ( { \mathrm { Commit } } ( molarity ‘, radius ‘ ) = { \mathrm { Commit } } ( m, r ) \ ), breaking the binding property. thus in orderliness to generate h securely, we must use a hash function that maps binary public strings to elliptic wind points [ 6 ]. Another commitment system that will be required late in this text file is the Fujisaki-Okamoto commitment [ 31 ]. The formula to calculate the commitment itself is the lapp as in Pedersen committedness, namely \ ( g^m h^r\ ). The difference is the underlying group, which for the Fujisaki-Okamoto is given by an RSA group \ ( { \mathbb { Z } } _n\ ), where \ ( n=pq\ ) and p and q are safe primes, what means that \ ( ( p-1 ) /2\ ) and \ ( ( q-1 ) /2\ ) are besides prime numbers. besides, we have that the sphere over which randomness r is chosen is unlike, because the Fujisaki-Okamoto commitment requires \ ( r \in [ 2^ { -s } n+1,2^s n – 1 ] \ ), with s chosen in such a manner that \ ( 2^ { -s } \ ) is negligible. interestingly, in the original paper [ 31 ] Fujisaki and Okamoto propose an synergistic protocol for Zero Knowledge Range Proofs, but unfortunately the performance is not full for virtual usage .
Zero knowledge proofs
Zero cognition proof ( ZKP ) were proposed in 1989 by Goldwasser, Micali and Rackoff [ 34 ]. Using this kind of cryptanalytic primitive it is possible to show that some statement is genuine about a secret datum, without revealing any other data about the clandestine beyond this affirmation. Since then, ZKP became an crucial sphere of research, because it provides a new word picture of the complexity course NP, using the alleged interactive programs, and besides because it is very utilitarian to construct many cryptanalytic primitives. Given an element x of a terminology \ ( { \mathcal { L } } \in NP\ ), an entity called prover is able to convince a voucher that x indeed belongs to \ ( { \mathcal { L } } \ ), i.e. there exists a witness w for x. In especial we are interested in proof of knowledge ( PoK ), where the prover not merely convinces about the being of some witness, but besides shows that the prover in fact knows a specific spectator w. A desirable characteristic of such proof systems is succinctness, informally meaning that the proof size is little and therefore can be verified efficiently. such constructions are called zk-SNARKs [ 37 ]. however, although asymptotically well, zk-SNARKs still have some limitations and for specific problems it turns out that different approaches achieve better performance. Nowadays ZKP is being used to provide privacy to DLT and blockchain. For exemplify, it allows to design individual payment systems. In compendious, we would like to permit parties to transfer digital money, while hiding not only their identities but besides the sum being transferred, known as denomination. ZKP can be used to hide this information, but still permitting validation of transactions. An crucial establishment is showing that the denomination is incontrovertible, otherwise some payer would be able to receive money by using negative amounts. In this context we have that zk-SNARKs don ’ t put up good performance when compared to protocols designed specifically for this purpose. The focus of this document is the description of different constructions of ZKRP and compare them to understand when to use each scheme in exercise. More concretely, ZKRP allows some party Alice, known as the prover, and who possesses a unavowed \ ( \delta\ ), to prove to another party Bob, known as the verifier, that \ ( \delta\ ) belongs to the time interval [ u, v ), for arbitrary integers u and v .
Definition 6
A Non-Interactive Zero Knowledge (NIZK) proof scheme is defined by algorithm \ ( { \mathrm { Setup } } \ ), \ ( { \mathrm { Prove } } \ ) and \ ( { \mathrm { Verify } } \ ) as follows :
- \ ( { \mathrm { Setup } } \ ) algorithm is responsible for the coevals of parameters. concretely, we have that \ ( { \mathrm { params } } = { \mathrm { Setup } } ( \lambda ) \ ), where the input is the security system argument \ ( \lambda\ ) and the output is the parameters of the ZKP system of algorithm .
- \ ( { \mathrm { Prove } } \ ) syntax is given by \ ( { \mathrm { proof } } = { \mathrm { Prove } } ( x, west ) \ ). The algorithm receives as input an example x of some NP-language \ ( { \mathcal { L } } \ ), and the witness w, and outputs the zero cognition proof .
- \ ( { \mathrm { Verify } } \ ) algorithm receives the validation as stimulation and outputs a bit b, which is equal to 1 if the voucher accepts the proof .
It is authoritative to remark that not all ZKP schemes are non-interactive. On contrary, most ZKP protocols described in the literature are in fact interactional. In general, the prover must answer challenge messages sent by the voucher in order to convince him that the proof is valid, what requires multiple rounds of communication. In the context of DLT and blockchain applications, we would like to avoid this communication, because either ( one ) validating nodes can not properly agree on how to choose those challenges, since in many constructions we have to choose them randomly, while the verification algorithm must be deterministic in ordering to reach consensus ; or ( two ) because it would make the communication complexity of the system very hapless. Nevertheless, the Fiat–Shamir heuristic [ 30 ] is a generic proficiency that allows to convert interactional ZKP schemes into non-interactive protocols. The drawback of this heuristic is that it makes the cryptosystem secure under the random oracle model [ 4 ] ( ROM ). In detail, it is square to make the ZKRP schemes described in this document non-interactive using the Fiat–Shamir heuristic. A zero cognition proof schema has the pursue properties :
- Completeness Given a spectator w that satisfies case x, we have that \ ( { \mathrm { Verify } } ( \mathrm { Prove } ( x, west ) ) = 1\ ).
- Soundness If the witness w does not satisfy x, then the probability \ ( { \mathrm { Prob } } [ \mathrm { Verify } ( \mathrm { Prove } ( x, west ) ) = 1 ] \ ) is sufficiently low .
- Zero Knowledge Given the interaction between prover and voucher, we call this interaction a view. In decree to capture the zero cognition property we use a polynomial-time simulator, which has access to the same remark given to the voucher ( including its randomness ), but no access to the input of the prover, to generate a simulated view. We say that the ZKP outline has perfect zero knowledge if the simulated position, under the assumption that \ ( x \in { \mathcal { L } } \ ), has the lapp distribution as the original view. We say that the ZKP dodge has statistical zero knowledge if those distributions are statistically close. We say that the ZKP schema has computational zero knowledge if there is no polynomial-time distinguisher for those distributions. intuitively, the universe of such a simulator means that whatever the voucher can compute from the interaction with the prover, it was already possible to compute before such interaction, hence the voucher learned nothing from it. besides, we say that it is a proof of knowledge if we can find an extractor, who has rewindable black-box access to the prover, that can compute the witness w with non-negligible probability .
Bilinear pairings
Some constructions of ZKRP are based on the being of a secure bilinear map \ ( { \mathbf { bp } } = ( \mathbb { G } _1, \mathbb { G } _2, \mathbb { G } _t, einsteinium, g_1, g_2 ) \ ), where \ ( { \mathbb { G } } _1\ ), \ ( { \mathbb { G } } _2\ ) and \ ( { \mathbb { G } } _t\ ) are groups of sufficiently large prime order, \ ( g_1\ ) and \ ( g_2\ ) are generators of \ ( { \mathbb { G } } _1\ ) and \ ( { \mathbb { G } } _2\ ) respectively and e is an appropriate choice of bilinear map, satisfying the common requirements : ( one ) non-degeneracy ; ( two ) efficiently computable and ( three ) bilinearity. This cryptanalytic primitive is cardinal to the constructions we will present in the adjacent sections and it is significant to remark that caution must be taken when instantiating such primitive [ 32, 60 ]. Barreto-Naehrig [ 3 ] elliptic curves permit to implement bilinear maps efficiently .