CN113094633A - Efficient range proof method based on scalar-equation inner products - Google Patents

Efficient range proof method based on scalar-equation inner products

Info

Publication number: CN113094633A
Application number: CN202110429517.2A
Authority: CN (China)
Prior art keywords: inner product, scalar, range, commitment, equation
Legal status: Pending
Language: Chinese (zh)
Inventors: 周宽久, 李一聪, 王梓仲, 李浚瑀, 王洁
Current assignee: Dalian University of Technology
Original assignee: Dalian University of Technology

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F17/00 Digital computing or data processing equipment or methods, specially adapted for specific functions
    • G06F17/10 Complex mathematical operations
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Abstract

The invention provides an efficient range proof method based on scalar-equation inner products. It constructs a single range equation from the range interval and the value to be proved and computes a range scalar; splits the range equation and the range scalar into inner products of fixed length; encapsulates the range scalar, the aggregated inner product and the blinding factor with Pedersen vector commitments; computes an aggregated inner-product polynomial and an expression for its zero-order coefficient; generates commitments to the aggregated polynomial coefficients and an inner-product range proof set; and sends the proof set to a smart contract, which verifies the inner-product equation and the aggregated-polynomial proof, completing the range proof. Based on the idea of polynomial splitting, the invention represents the range interval as a scalar equation and constructs an inner product of constant length from that interval, so that computation time is constant; it replaces the validity check of a numeric inner product with the validity check of a scalar-equation inner product, which gives flexible range proofs while removing the security threat from off-chain computation; and it reduces running time.

Description

Efficient range proof method based on scalar-equation inner products
Technical Field
The invention belongs to the field of blockchain privacy protection and relates to a zero-knowledge range proof method based on scalar-equation inner products.
Background
The rapid growth of the internet industry has brought blockchain technology into fields such as internet finance and e-commerce. Because a blockchain is decentralized, private data at the transaction layer is easily leaked, which creates an information-security problem. Range proofs, a kind of blockchain zero-knowledge proof, show that a value lies in a specified interval while the private data stays encrypted, and so provide decentralized privacy protection. Range proof techniques in current use usually depend on a trusted third party, which easily leads to a trust crisis; methods that do not depend on a trusted third party have inflexible proof ranges and weak computational trustworthiness. A new method is therefore needed that gives safer and faster flexible range proofs without relying on a trusted party.
Bulletproofs is one of the best-known range proof methods. It uses a Pedersen vector commitment scheme to generate a set of inner-product vectors for the range interval, derives an inner-product polynomial from the inner-product equation, and halves the vector dimension in each round of a recursive inner-product protocol; the proof is finally produced from the inner-product polynomial. Bulletproofs needs no common reference string from a trusted party, and its inner-product reduction and halving recursion reduce the computational dimension and shorten the proof. Its drawback is that the proof domain is not flexible but is fixed by the form of the proof: even when the inner-product protocol is run twice to prove one value as a difference of ranges, a flexible proof domain is still lacking, which makes it hard to apply widely to industrial-modelling consortium chains or private chains.
To address the lack of flexibility of Bulletproofs, some improved methods use Lagrange's theorem together with Pedersen vector commitments to verify that two groups of range-equation scalars are positive, giving flexible range proofs with constant execution time. These methods have two problems. At the level of trust, only the scalar values are committed and the range equation itself is not, so malicious behaviour in the off-chain construction stage cannot be prevented and off-chain computation becomes a security threat. At the level of performance, the Lagrange sum-of-squares decomposition reduces the inner-product length to an odd number, so the recursive inner-product protocol cannot be used and the computational dimension and complexity grow; verifying only the value commitments also requires constructing several separate sets of inner products, adding time. Improving the trustworthiness of off-chain computation while keeping flexible range proofs and constant computation time, and reducing computational complexity and dimension, are therefore worth researching.
In summary, the invention provides an efficient range proof method based on scalar-equation inner products. It represents the range interval as a formal scalar equation and constructs an inner product of constant length, so that computation time is constant; it replaces the validity check of a numeric inner product with the validity check of a scalar-equation inner product, giving flexible range proofs while removing the security threat from off-chain computation; and it combines Lagrange's theorem with the recursive inner-product protocol, improving the inner-product splitting method and reducing running time.
Disclosure of Invention
The invention provides an efficient range proof method based on scalar-equation inner products. First, to address the trustworthiness of off-chain computation and flexible range proofs, the method converts a range interval into a group of scalar equations and, combining the idea of Lagrange's theorem with polynomial splitting, constructs an equation inner product and a scalar inner product. It then designs an aggregated inner-product polynomial, commits to the aggregated inner product and to the polynomial coefficients with Pedersen vector commitments, and generates an inner-product range proof set with a recursive inner-product protocol. Finally the proof set is sent to a blockchain smart contract for verification, which completes the range proof. In short, the method builds a double inner product from scalar equations describing the range interval and produces proofs for both inner products using aggregated proving. The result is flexible range proofs, improved trustworthiness of off-chain computation, shorter running time, and reduced computational dimension and complexity, all while keeping computation time constant.
To achieve this, the new range proof method comprises the following steps:
step 1, construct a single range scalar equation from the range interval and the value to be proved, and compute the range scalar;
step 2, split the range equation and the range scalar into inner products of fixed length;
step 3, encapsulate the range scalar, the aggregated inner product and the blinding factor with Pedersen vector commitments;
step 4, compute the aggregated inner-product polynomial and an expression for its zero-order coefficient;
step 5, generate commitments to the aggregated polynomial coefficients and the inner-product range proof set;
step 6, send the proof set to the smart contract, which verifies the inner-product equation and the aggregated-polynomial proof.
Beneficial effects of the invention: for a flexible range interval, the invention designs a double inner product based on a joint range scalar equation and constructs an aggregated inner-product commitment, so that the inner product expresses the range interval in a trustworthy way. It then designs an aggregated inner-product polynomial and uses an improved inner-product protocol to generate an aggregated proof. The method verifies a flexible range interval without relying on any trusted party, and the polynomial computed off-chain is more trustworthy. At the same time, its constant-time computation is faster and its computational complexity lower.
Drawings
FIG. 1 is a diagram of the efficient range proof framework based on scalar-equation inner products;
FIG. 2 is a flow chart of the method of the invention.
Detailed Description
Embodiments of the invention are described further below with reference to the drawings.
FIG. 1 shows the efficient range proof framework based on scalar-equation inner products. First, the invention combines the two inequalities of the range interval into a single range scalar equation, computes the range scalar and generates a commitment to it. Second, using Lagrange's four-square theorem and polynomial splitting respectively, the range scalar equation is built into an equation inner product and a scalar inner product. The two sets of inner products are then aggregated with a Pedersen vector commitment to produce an aggregated inner-product commitment. Next, an aggregated inner-product polynomial is constructed from the inner products and the range proof is carried out with a recursive inner-product protocol. Finally, the commitments and proofs are collected into a proof set and sent to the smart contract for verification.
The specific steps are as follows:
step 1, construct a single range scalar equation from the range interval and the value to be proved, and compute the range scalar;
The relationship between a naturally flexible, non-negative range interval and the value to be proved can be written as in equation (1):
m∈[a,b]∧a>0∧b>0 (1)
m-a>0∧b-m>0∧a>0∧b>0 (2)
where m is the value to be proved, a and b are the lower and upper bounds of the interval, and (1) is equivalent to (2).
In a zero-knowledge proof this conventional relation cannot be used directly for a zero-knowledge range proof, since a smart contract can only check relations expressed as equations. By derivation, the range interval can be formalised as the following equation (3):
(3)
where the range scalar in (3) is computed from the range equation, so that the inequality is converted into an equation.
The range equation fails when m-a>0 and b-m<0, or conversely when m-a<0 and b-m>0. It follows that equation (3) holds if and only if m-a>0∧b-m>0∧a>0∧b>0. Then, to construct fixed-length inner-product vectors from (3) and further generate an inner-product protocol argument, (3) is split and merged into the following scalar equation (4):
(4)
step 2, split the range equation and the range scalar into inner products of fixed length;
At the prover, the invention uses polynomial splitting and Lagrange's theorem and constructs inner-product commitments for both sides of the range scalar equation, so that the range proof needs no trusted party while the threat of a falsified off-chain construction is guarded against.
First, a range-equation inner product is constructed to verify that the range scalar was constructed legitimately. Because of the recursive execution of the inner-product protocol, the length of the vectors it processes must be a power of 2. The invention therefore uses a multi-term splitting method to design equation inner-product vectors of constant length 4 and merges them into the range-equation inner product of the form shown in (5):
(5)
where q1 and e1 are the equation inner-product vectors, each of length 4; taking the inner product of q1 and e1 yields the range scalar.
Next, a range scalar inner product is constructed to verify that the range scalar is greater than 0. Specifically, the computed range scalar is split into 4 square terms according to Lagrange's four-square theorem. Combining the property of the theorem with the range scalar gives expression (6):
(6)
where the k_i are 4 integers: the positivity condition on the range scalar holds if and only if there exist 4 integers whose squares sum to the range scalar. The range scalar is thus expressed as a sum of 4 squares, as in (7), and splitting (7) gives the inner product in (8):
(7)
(8)
where q2 and e2 are the two scalar inner-product vectors of the range scalar. This gives the range-equation inner product <q1, e1> and the range scalar inner product <q2, e2>.
To verify that <q2, e2> comes from the Lagrange splitting, an inner-product constraint is designed to constrain q2 and e2 to be equal, as in (9):
(9)
where y^n is, in theory, a vector of random elements of the integer ring Z_p of the inner-product length, generated by the verifier. To reduce the rounds of interaction between prover and verifier, however, the element y from which the vector y^n is generated is derived, following the Fiat-Shamir heuristic, by the prover as a hash of the commitments A and S, with no interaction with the verifier, so that the proof is non-interactive.
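Steps 1 and 2 as working integer arithmetic. This is an added example, not code from the patent. Because the page reproduces equations (3) to (9) only by number, the example assumes the range scalar is the product (m-a)(b-m), which is positive exactly when a<m<b for 0<a<b and which a length-4 inner product expresses term by term; the four-square decomposition then certifies that the scalar is a non-negative integer. All function and variable names are the example's own. Two caveats a practitioner should keep in mind: 0 is also a sum of four squares, so the decomposition on its own certifies non-negativity and the strict bounds have to be enforced separately; and a sum of four squares proves nothing modulo a prime, where every residue is one, so the k_i must additionally be shown to be small integers, which the page leaves to the commitment and inner-product steps.

```python
"""Steps 1-2 of the range proof over the integers (added example; assumptions noted)."""
import math
from typing import List, Tuple

# ASSUMPTION: the page gives equation (3) only by number; we take the range scalar to be
# (m - a) * (b - m), which is > 0 iff a < m < b when 0 < a < b.
def range_scalar(m: int, a: int, b: int) -> int:
    return (m - a) * (b - m)

def inner(u: List[int], v: List[int]) -> int:
    """<u, v> over the integers."""
    if len(u) != len(v):
        raise ValueError("inner product needs equal-length vectors")
    return sum(x * y for x, y in zip(u, v))

def equality_vectors(m: int, a: int, b: int) -> Tuple[List[int], List[int]]:
    """Length-4 'equation inner product' vectors q1, e1 with <q1, e1> = (m-a)(b-m).
    The product expands to m*b - m*m - a*b + a*m, one term per coordinate."""
    q1 = [m, -m, -a, a]
    e1 = [b, m, b, m]
    return q1, e1

def four_squares(n: int) -> Tuple[int, int, int, int]:
    """Lagrange's four-square theorem: every integer n >= 0 is k1^2+k2^2+k3^2+k4^2.
    Exhaustive search over 0 <= k1 <= k2 <= k3 <= k4, fine for the small toy values here."""
    if n < 0:
        raise ValueError("a negative integer is not a sum of four squares")
    for k4 in range(math.isqrt(n), -1, -1):
        r3 = n - k4 * k4
        for k3 in range(min(math.isqrt(r3), k4), -1, -1):
            r2 = r3 - k3 * k3
            for k2 in range(min(math.isqrt(r2), k3), -1, -1):
                r1 = r2 - k2 * k2
                k1 = math.isqrt(r1)
                if k1 * k1 == r1 and k1 <= k2:
                    return (k1, k2, k3, k4)
    raise AssertionError("unreachable: Lagrange's theorem guarantees a solution")

def scalar_vectors(n: int) -> Tuple[List[int], List[int]]:
    """Length-4 'scalar inner product' vectors q2 = e2 = (k1..k4) with <q2, e2> = n."""
    k = list(four_squares(n))
    return k, list(k)

def prover_witness(m: int, a: int, b: int) -> dict:
    """Prover side of steps 1-2: builds both inner products for the value m in (a, b).
    Raises ValueError when m is outside the range, because no four-square witness exists."""
    if not (0 < a < b):
        raise ValueError("the interval must satisfy 0 < a < b")
    s = range_scalar(m, a, b)
    if s <= 0:
        # 0 = 0^2+0^2+0^2+0^2, so the four-square witness alone would accept m == a or
        # m == b; the strict bounds of equation (2) are enforced explicitly here.
        raise ValueError("m is not strictly inside (a, b)")
    q1, e1 = equality_vectors(m, a, b)
    q2, e2 = scalar_vectors(s)
    return {"scalar": s, "q1": q1, "e1": e1, "q2": q2, "e2": e2}

def in_range_provable(m: int, a: int, b: int) -> bool:
    """True iff the prover can build a witness, i.e. iff a < m < b."""
    try:
        prover_witness(m, a, b)
        return True
    except ValueError:
        return False

def witness_consistent(w: dict) -> bool:
    """The relation the commitments later have to bind: both inner products equal the same
    scalar, and q2 == e2 (the constraint of equation (9))."""
    return (inner(w["q1"], w["e1"]) == w["scalar"] == inner(w["q2"], w["e2"])
            and w["q2"] == w["e2"])
```

For m=7 in (3, 10) the scalar is 12 = 1^2+1^2+1^2+3^2, and both <q1, e1> and <q2, e2> evaluate to 12; for m=12 the scalar is -18 and no witness exists, which is the whole content of the range claim.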
Step 3, encapsulate the range scalar, the aggregated inner product and the blinding factor with Pedersen vector commitments;
To keep the proof zero-knowledge, the prover cannot send the equation inner product, the scalar inner product and the range scalar to the verifier directly; instead each is encapsulated in a Pedersen vector commitment and the commitments are sent in place of the plaintext. To reduce the cost of verifying the inner-product polynomial and shrink the range proof, this step merges the individual commitments into an aggregated commitment while generating them.
Specifically, a set of commitments to the range scalar is generated with the Pedersen vector commitment and merged into a commitment vector; the commitment formula and the merged commitment vector are shown in (9) and (10):
(9)
(10)
where r_j are random elements of the integer ring modulo P; w1 and w2 are both commitments to the range scalar; W is the commitment vector formed by w1, w2; G_p is a cyclic group of prime order P; and g, h are two generators of the cyclic group.
Then the equation inner product and the scalar inner product are combined and committed; the aggregated commitment is shown in (11):
(11)
where A is the aggregated commitment to the equation inner product and the scalar inner product; h is a random point of the cyclic group of prime order P; q_j, e_i are the two inner-product vectors of the equation inner product and the scalar inner product; g, h (as vectors) are two vectors of generators of length 8 in G_p^8, the cyclic group of prime order P; and α is a random element of the integer ring Z_p.
To ensure zero knowledge of the equation inner product and the scalar inner product, a blinding factor is introduced and committed so as to blind the inner products. The Pedersen vector commitment to the blinding factor is shown in (12):
(12)
where s_L, s_R are blinding factor vectors of length 8 over the integer ring Z_p^8; S is the Pedersen vector commitment to the blinding factors; and ρ is a random element of the integer ring Z_p.
Step 4, compute the aggregated inner-product polynomial and an expression for its zero-order coefficient;
The prover designs an aggregated inner-product polynomial to convert the equation inner product and the scalar inner product into a zero-knowledge proof. It is obtained by taking the inner product of a pair of vector polynomials that contain the equation inner product and the scalar inner product, so that the zero-order coefficient of the aggregated inner-product polynomial has the expected formal expression if and only if the equation inner product and the scalar inner product were computed correctly.
Specifically, from the inner-product vectors and the inner-product constraint, the equation inner product and the scalar inner product are blinded, the vectors are split, and the pieces are aggregated and formalised into a pair of vector polynomials, shown in (13):
(13)
where l(x) and r(x) are the vector polynomials; x in l(x) and r(x) is a random challenge value, an element of the integer ring Z_p, that the verifier generates and sends to the prover; z, like y^n, is generated by the Fiat-Shamir heuristic as a hash of A, S and y; and n is the inner-product vector length, both the equation inner product and the scalar inner product having length 4 in this invention.
The inner product of the aggregated polynomials l(x) and r(x) then gives the aggregated inner-product polynomial in (14):
(14)
where t(x) is the aggregated inner-product polynomial and t_i the coefficient of its i-th term.
Analysis shows that the zero-order coefficient t_0 of t(x) takes the form in (16) if and only if condition (15) holds:
(15)
(16)
where Q is the front aggregated term and E the back aggregated term; the special expression for t_0 when the condition is satisfied is finally obtained from Q and E.
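Worked derivation, added here and not part of the patent text. Step 5 commits only to two non-zero-order coefficients T1, T2, which is consistent with l(x) and r(x) being linear in x, as in Bulletproofs; equations (13) to (16) are not reproduced on the page, so that linearity is an assumption. Writing $l(x) = l_0 + l_1 x$ and $r(x) = r_0 + r_1 x$ with $l_0, l_1, r_0, r_1 \in \mathbb{Z}_p^{n}$,

$$
t(x) = \langle l(x), r(x) \rangle
 = \underbrace{\langle l_0, r_0 \rangle}_{t_0}
 + \underbrace{\bigl(\langle l_0, r_1 \rangle + \langle l_1, r_0 \rangle\bigr)}_{t_1}\, x
 + \underbrace{\langle l_1, r_1 \rangle}_{t_2}\, x^2 .
$$

If, as in Bulletproofs, the blinding vectors $s_L, s_R$ are the coefficients of $x$ (they sit in $l_1, r_1$), they contribute only to $t_1$ and $t_2$, while $t_0 = \langle l_0, r_0 \rangle$ depends only on the unblinded vectors and the public challenges. That is why the verifier can pin $t_0$ to an expression in the committed values, as (16) does, while $t_1$ and $t_2$ are checked only through the commitments T1 and T2: the blinding hides the inner-product vectors without disturbing the coefficient that carries the range claim.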
Step 5, generate commitments to the aggregated polynomial coefficients and the inner-product range proof set;
The prover generates, in zero knowledge, the proof that lets the verifier check that the aggregated inner-product polynomial holds. The prover commits separately to each non-zero-order coefficient t_i of the aggregated inner-product polynomial; the zero-order coefficient can be verified by deriving its expression, so no commitment to it is needed. The random numbers in the aggregated inner-product commitment A and blinding commitment S, and those in the polynomial coefficient commitments and the scalar commitment, are then combined into two random scalars for the verifier. In addition, the aggregated inner-product commitment A, the blinding factor commitment S and the aggregated inner-product polynomial t(x) are sent to the verifier as part of the proof. Finally, the Bulletproofs recursive inner-product protocol is used to encapsulate l(x) and r(x) as an inner-product argument. Together these form the complete range proof set.
Specifically, the commitments to the non-zero-order coefficients of the aggregated inner-product polynomial are Pedersen commitments as in (17):
(17)
where T1, T2 are the commitments to the first- and second-order coefficients, and τ1, τ2 are random elements of the integer ring Z_p.
The random numbers in the polynomial coefficient commitments are combined with the random numbers of the scalar commitments into one random scalar, as in (18):
(18)
where τ_x is the random scalar formed from T1, T2 and W; τ_i are the two random numbers of T1, T2; and r_j are the two random numbers of W.
The random numbers in the aggregated inner-product commitment A and the blinding factor commitment S are combined into a random scalar as in (19):
μ = α·z + ρ·x (19)
where μ is the random scalar formed from A and S; α is the random number of A and ρ the random number of S.
Finally, the aggregated polynomials l(x) and r(x) are encapsulated into an inner-product argument with the Bulletproofs recursive inner-product protocol, and the argument is sent to the verifier in place of the plaintext l(x) and r(x), reducing the proof size. The inner-product argument for l(x) and r(x) is shown in (20):
pt = g^{l(x)} h^{r(x)} u^{<l(x), r(x)>}, u ∈ G (20)
where pt is the inner-product argument and u is a random point of the cyclic group of prime order P.
In summary, T1, T2, t, τ_x, μ, A, S and pt form the proof set that the verifier program checks.
Step 6, send the proof set to the smart contract verifier, which verifies the inner-product equation and the polynomial proof;
The prover sends the proof set to the smart contract verifier, which checks the validity of the proof. If the check passes, the prover's integer m is regarded as lying in the specified range [a, b] and the data may be written to the blockchain; otherwise the prover's request to put the data on chain is rejected. This completes the range proof.
Specifically, the smart contract builds two verification equations from the proof set sent by the prover; the proof is accepted as valid when both sides of each equation are equal and rejected otherwise. The verification equations are shown in (21) and (22):
(21)
(22)
where the random challenge value x and the random numbers z, y in the verification equations are likewise generated by the Fiat-Shamir heuristic through a hash function.
Summary of the method:
The whole process of the invention is divided into four parts: construction of the equation and scalar inner products, construction of the aggregated polynomial pair, generation of the aggregated inner-product polynomial proof, and verification by the smart contract. First, the invention formalises the range interval as an equation in the range scalar and constructs inner products over that equation by Lagrange's theorem and polynomial decomposition. Second, it generates a Pedersen aggregated commitment to the inner products, constructs the aggregated polynomial pair from the properties of the inner product, and computes the aggregated inner-product polynomial. Then it generates the coefficient commitments for the aggregated inner-product polynomial, packages the commitments on the polynomial into a proof using the recursive inner-product protocol, and forms the proof set. Finally, the proof set generated by the prover is sent to the smart contract verifier for polynomial verification: if the polynomial holds the proof is accepted, otherwise it is rejected. The detailed flow is shown in FIG. 2.

Claims (1)

1. An efficient range proof method based on scalar-equation inner products, characterised by comprising the following steps:
step 1, constructing a single range scalar equation from the range interval and the value to be proved, and computing the range scalar; the relationship between the naturally flexible, non-negative range interval and the value to be proved is expressed as in equation (1):
m∈[a,b]∧a>0∧b>0 (1)
m-a>0∧b-m>0∧a>0∧b>0 (2)
where m is the value to be proved, a and b are the lower and upper bounds of the interval, and (1) is equivalent to (2);
in a zero-knowledge proof this conventional relation is not suitable for a zero-knowledge range proof, because a smart contract can only check relations expressed as equations; by derivation the range interval is formalised as equation (3):
(3)
where the range scalar in (3) is computed from the range equation, converting the inequality into an equation;
the range equation fails when m-a>0 and b-m<0, or conversely when m-a<0 and b-m>0; it follows that (3) holds if and only if m-a>0∧b-m>0∧a>0∧b>0;
then, to construct fixed-length inner-product vectors from (3) and further generate an inner-product protocol argument, (3) is split and merged into the following scalar equation (4):
(4)
step 2, splitting the range equation and the range scalar into inner products of fixed length;
at the prover, polynomial splitting and Lagrange's theorem are used to construct inner-product commitments for both sides of the range scalar equation, so that the range proof needs no trusted party while guarding against the threat of a falsified off-chain construction;
first, a range-equation inner product is constructed to verify that the range scalar was constructed legitimately; in particular, because of the recursive execution of the inner-product protocol, the length of the vectors processed must be a power of 2; therefore a polynomial splitting method is used to design equation inner-product vectors of constant length 4, which are merged into the range-equation inner product of the form shown in (5):
(5)
where q1 and e1 are the equation inner-product vectors, each of length 4; taking the inner product of q1 and e1 gives the range scalar;
next, a range scalar inner product is constructed to verify that the range scalar is greater than 0; specifically, the computed range scalar is split into 4 square terms according to Lagrange's four-square theorem; combining the property of the theorem with the range scalar is formalised as expression (6):
(6)
where the k_i are 4 integers; the positivity condition on the range scalar holds if and only if there exist 4 integers whose squares sum to the range scalar; the range scalar is thus expressed as a sum of 4 squares, as in (7), and splitting (7) gives the inner product in (8):
(7)
(8)
where q2 and e2 are the two scalar inner-product vectors of the range scalar; this gives the range-equation inner product <q1, e1> and the range scalar inner product <q2, e2>;
to verify that <q2, e2> comes from the Lagrange splitting, an inner-product constraint is designed to constrain q2 and e2 to be equal, as in (9):
(9)
where y^n is in theory a vector of random elements of the integer ring Z_p, of the inner-product length, generated by the verifier; to reduce the rounds of interaction between prover and verifier, however, the element y from which the vector y^n is generated is derived, following the Fiat-Shamir heuristic, by the prover as a hash of the commitments A and S without interacting with the verifier, making the proof non-interactive;
step 3, adopting Pedersen vector promise to package range scalar
Figure FDA0003030836570000031
Aggregation internal sum blinding factor;
in order to make the proving process zero-knowledge, the proving end cannot directly send the equality inner product, the scalar inner product and
Figure FDA0003030836570000032
to the verifying end; instead of sending plaintexts, it sends the commitments in which each of them is encapsulated with a Pedersen vector commitment; in order to reduce the inner product polynomial verification overhead and compress the range proof size, the individual commitments are merged into an aggregated commitment during commitment generation;
specifically, Pedersen vector commitments are generated for the set of range scalars
Figure FDA0003030836570000033
and the commitments are merged into a commitment vector; the commitment formula and the merged commitment vector are shown as formulas (9) and (10):
Figure FDA0003030836570000037
Figure FDA0003030836570000034
where r_j represents a random number generated on the integer ring modulo P; w_1, w_2 both represent commitments to the range scalar
Figure FDA0003030836570000035
; W denotes the commitment vector formed by w_1, w_2; G_p represents a cyclic group of prime order P; g, h represent two generator points of the cyclic group;
then, the equality inner product and the scalar inner product are combined to generate one commitment; the expression of the aggregated commitment is shown as formula (11):
Figure FDA0003030836570000036
where A represents the aggregated commitment to the equality inner product and the scalar inner product; h represents a random point generated on the cyclic group of prime order P; q_j, e_i represent the two inner product vectors of the equality inner product and the scalar inner product respectively; the vectors g, h represent two generator point vectors of G_p^8, the cyclic group vector of length 8 and prime order P; α represents a random number taken from the integer ring Z_p modulo P;
in order to keep the equality inner product and the scalar inner product zero-knowledge, a blinding factor is introduced and committed to, so that the inner products can be blinded; the Pedersen vector commitment generated for the blinding factor is shown in equation (12):
Figure FDA0003030836570000041
where s_L, s_R represent the blinding factors generated from the integer ring vector set Z_p^8 of length 8; S represents the Pedersen vector commitment generated for the blinding factor; ρ represents a random number taken from the integer ring Z_p modulo P;
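As an added example of step 3 (this editor's code, not the patent's), the Python below builds Pedersen commitments of the shapes in formulas (9), (11) and (12) and derives y and z by the Fiat-Shamir rule the page gives (y from A and S, z from A, S, y). The group is a toy 64-bit safe-prime subgroup so the block runs instantly; a deployment would use a 256-bit prime-order elliptic-curve group. Assumptions beyond the page: the generator derivation by hashing, the layout of the length-8 committed vectors as q1||q2 and e1||e2, and all function names.

```python
import secrets
from hashlib import sha256


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test with random bases."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits: int) -> int:
    """First safe prime P = 2Q + 1 of the requested size; the squares mod P form a group of prime order Q."""
    q = (1 << (bits - 2)) + 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


# Toy-size parameters (assumption for the example, not the patent's): 64-bit modulus.
P = safe_prime(64)
Q = (P - 1) // 2      # prime order of the subgroup; values and randomness live in Z_Q
N = 8                 # length of the generator vectors g, h in G_p^8, as on the page


def hash_to_group(label: bytes) -> int:
    """Nothing-up-my-sleeve generator: hash the label into Z_P and square it into the order-Q subgroup,
    so nobody knows a discrete-log relation between generators (that relation would break binding)."""
    x = int.from_bytes(sha256(label).digest(), "big") % P
    g = pow(x, 2, P)
    if g == 1:
        raise ValueError("degenerate generator for label %r" % label)
    return g


G, H = hash_to_group(b"pedersen/g"), hash_to_group(b"pedersen/h")
G_VEC = [hash_to_group(b"pedersen/g/%d" % i) for i in range(N)]
H_VEC = [hash_to_group(b"pedersen/h/%d" % i) for i in range(N)]


def commit_scalar(w: int, r: int) -> int:
    """Single Pedersen commitment w_j = g^w * h^r to one range scalar (shape of formula (9))."""
    return pow(G, w % Q, P) * pow(H, r % Q, P) % P


def multiexp(bases, exponents) -> int:
    acc = 1
    for base, e in zip(bases, exponents):
        acc = acc * pow(base, e % Q, P) % P
    return acc


def commit_vectors(left, right, blind: int) -> int:
    """Aggregated Pedersen vector commitment h^blind * g^left * h^right (shape of A in (11) and S in (12))."""
    assert len(left) == N and len(right) == N
    return pow(H, blind % Q, P) * multiexp(G_VEC, left) % P * multiexp(H_VEC, right) % P


def fiat_shamir(*transcript: int) -> int:
    """Non-interactive challenge in Z_Q from the transcript: y = H(A, S), z = H(A, S, y) as on the page."""
    h = sha256()
    for e in transcript:
        h.update(e.to_bytes((P.bit_length() + 7) // 8, "big"))
    return int.from_bytes(h.digest(), "big") % Q


def prover_commitments(q1, q2, e1, e2):
    """Proving end: commit to the equality vectors (q1, e1) and scalar vectors (q2, e2), each of length 4,
    laid out as left = q1||q2 and right = e1||e2 (assumed layout), commit to fresh blinding vectors
    s_L, s_R, and derive y and z without any round trip to the verifying end."""
    left, right = list(q1) + list(q2), list(e1) + list(e2)
    alpha, rho = secrets.randbelow(Q), secrets.randbelow(Q)
    s_L = [secrets.randbelow(Q) for _ in range(N)]
    s_R = [secrets.randbelow(Q) for _ in range(N)]
    A = commit_vectors(left, right, alpha)
    S = commit_vectors(s_L, s_R, rho)
    y = fiat_shamir(A, S)
    z = fiat_shamir(A, S, y)
    return {"A": A, "S": S, "y": y, "z": z, "alpha": alpha, "rho": rho, "s_L": s_L, "s_R": s_R}
```

The property the aggregation in formulas (10) and (11) relies on is the homomorphism commit(w1, r1) * commit(w2, r2) = commit(w1 + w2, r1 + r2); the same holds for the vector form with the blinding exponents added, which is what lets single commitments be merged into one aggregated commitment without reopening them.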
step 4, computing the aggregated inner product polynomial and the expression of its zeroth-order coefficient;
in order to convert the equality inner product and the scalar inner product into zero-knowledge evidence, the proving end designs an aggregated inner product polynomial; it is obtained as the inner product of a vector polynomial set containing the equality inner product and the scalar inner product, such that the zeroth-order coefficient of the aggregated inner product polynomial takes a particular form if and only if the equality inner product and the scalar inner product are computed correctly;
specifically, according to the inner product vectors and the inner product constraint formula, the equality inner product and the scalar inner product are blinded, then split into vectors, and respectively aggregated and formalized into a vector polynomial set; the vector polynomial set is shown in equation (13):
Figure FDA0003030836570000042
where l(x) and r(x) represent the vector polynomial set; x in l(x) and r(x) is the random challenge value generated by the verifying end and sent to the proving end, a random number taken from the integer ring Z_p modulo P; z, like y^n, is generated by a hash function of A, S, y according to the Fiat-Shamir heuristic; n is the length of the inner product vector, and in the invention the lengths of the equality inner product and the scalar inner product are both 4;
then, the inner product of the aggregated polynomials l(x) and r(x) is taken to obtain the aggregated inner product polynomial shown as formula (14):
Figure FDA0003030836570000051
where t(x) represents the aggregated inner product polynomial; t_i represents the coefficient of the i-th term of t(x);
in summary, the analysis shows that the zeroth-order coefficient t_0 of t(x) takes the form of equation (16) if and only if conditional expression (15) holds:
Figure FDA0003030836570000052
Figure FDA0003030836570000053
where Q is the front aggregated term and E is the back aggregated term; finally, the special expression of t_0 when the condition is met is obtained from Q and E;
step 5, generating the aggregated polynomial coefficient commitments and the inner product range proof set;
the proving end generates the proof in a zero-knowledge state so that the verifying end can verify that the aggregated inner product polynomial holds; the proving end generates a commitment to each non-zero-order coefficient t_i of the aggregated inner product polynomial, while the zeroth-order coefficient can be derived and verified from its expression and therefore needs no commitment; then the random numbers in the aggregated inner product commitments A, S, the random numbers in the polynomial coefficient commitments and the random numbers in the scalar commitments are combined into two random number scalars for the verifying end to check; in addition, the aggregated inner product commitment A, the blinding factor commitment S and the aggregated inner product polynomial t(x) are sent to the verifying end as part of the proof; finally, l(x) and r(x) are encapsulated into an inner product protocol proof using the Bulletproofs recursive inner product protocol; in conclusion, the complete proof set of the range proof is obtained;
specifically, the commitments to the non-zero-order coefficients of the aggregated inner product polynomial are expressed with Pedersen vector commitments by formula (17):
Figure FDA0003030836570000061
where T_1, T_2 represent the commitments to the first-order and second-order coefficients respectively; τ_1, τ_2 are random numbers taken from the integer ring Z_p modulo P;
the random numbers in the polynomial coefficient commitments are combined with the scalar commitment random numbers to form a random number scalar, expressed by equation (18):
Figure FDA0003030836570000062
where τ_x represents the random number scalar formed from T_1, T_2 and W; τ_i represents the two random numbers of T_1, T_2; r_j represents the two random numbers in W;
the random numbers in the aggregated inner product commitment A and in the blinding factor commitment S are combined to form a random number scalar, expressed by formula (19):
μ=α·z+ρ·x (19)
where μ represents the random number scalar formed from A and S; α represents the random number of A, and ρ represents the random number of S;
finally, the aggregated polynomials l(x) and r(x) are packed into an inner product protocol proof using the Bulletproofs recursive inner product protocol, and this proof is sent to the verifying end instead of the plaintexts of l(x) and r(x), thereby reducing the proof size; the inner product proof for l(x) and r(x) is shown in equation (20):
pt = g^{l(x)} · h^{r(x)} · u^{<l(x),r(x)>}, u ∈ G (20)
where pt represents the inner product proof; u represents a random point generated on the cyclic group of prime order P;
in summary, T_1, T_2, t, τ_x, μ, A, S, pt are taken as the proof set to be verified by the verifying end program;
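The Python below is an added example for steps 4 and 5 (this editor's code, not the patent's). Since equations (13) to (18) survive here only as figure references, it does not reproduce the patent's specific l(x), r(x); it implements the generic piece those steps rest on: taking the inner product of two vector polynomials to get the coefficients t_i, checking that t evaluated at the challenge x equals <l(x), r(x)>, and forming μ = α·z + ρ·x exactly as equation (19) states. The degree-1 shape of l(x), r(x) is an assumption consistent with T_1, T_2 committing to the first- and second-order coefficients; the coefficient routine itself handles any degree. The field modulus and all names are this editor's choices.

```python
# Scalar field for the polynomial arithmetic; 2^127 - 1 is a Mersenne prime, chosen only for size.
Q_FIELD = (1 << 127) - 1


def inner(u, v, q: int) -> int:
    """Inner product <u, v> over Z_q."""
    return sum(a * b for a, b in zip(u, v)) % q


def inner_product_poly(L, R, q: int):
    """Coefficients t_0 .. t_deg of t(x) = <l(x), r(x)>, where l(x) = sum_i L[i] x^i and
    r(x) = sum_j R[j] x^j are vector polynomials given by their coefficient vectors.
    Works for any degree; the page's degree-1 case yields exactly t_0, t_1, t_2."""
    t = [0] * (len(L) + len(R) - 1)
    for i, li in enumerate(L):
        for j, rj in enumerate(R):
            t[i + j] = (t[i + j] + inner(li, rj, q)) % q
    return t


def eval_vec_poly(coeffs, x: int, q: int):
    """Evaluate a vector polynomial at the challenge x, returning the vector l(x) or r(x)."""
    out = [0] * len(coeffs[0])
    x_pow = 1
    for c in coeffs:
        out = [(o + x_pow * ci) % q for o, ci in zip(out, c)]
        x_pow = x_pow * x % q
    return out


def eval_poly(t, x: int, q: int) -> int:
    """Evaluate the scalar polynomial t(x) = sum_i t_i x^i."""
    return sum(ti * pow(x, i, q) for i, ti in enumerate(t)) % q


def prover_polynomial_step(l0, l1, r0, r1, alpha: int, rho: int, z: int, x: int, q: int):
    """Steps 4 and 5 on the proving end for assumed degree-1 l(x) = l0 + l1*x, r(x) = r0 + r1*x:
    compute the t_i, evaluate l, r and t at the challenge x, and form mu = alpha*z + rho*x (equation (19)).
    t_1 and t_2 are what T_1, T_2 commit to; t_0 needs no commitment because the verifier derives it."""
    t = inner_product_poly([l0, l1], [r0, r1], q)
    lx = eval_vec_poly([l0, l1], x, q)
    rx = eval_vec_poly([r0, r1], x, q)
    t_hat = eval_poly(t, x, q)
    if t_hat != inner(lx, rx, q):
        raise AssertionError("t(x) does not equal <l(x), r(x)>: coefficients computed wrongly")
    mu = (alpha * z + rho * x) % q
    return t, t_hat, lx, rx, mu


def verifier_inner_product_check(t_hat: int, lx, rx, q: int) -> bool:
    """The inner product part of the verifying end's work: reject a proof whose claimed t(x)
    differs from <l(x), r(x)> (a tampered l(x) or r(x) fails here)."""
    return t_hat == inner(lx, rx, q)
```

With l0 = (1,2,3,4), l1 = (5,6,7,8), r0 = (1,1,1,1), r1 = (2,2,2,2) the coefficients are t_0 = <l0,r0> = 10, t_1 = <l0,r1> + <l1,r0> = 46, t_2 = <l1,r1> = 52, and at x = 3 both t(3) and <l(3), r(3)> equal 616.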
step 6, sending the proof set to the smart contract verifying end, and verifying the inner product equations and the polynomial evidence;
the proving end sends the proof set to the smart contract verifying end, and the smart contract checks the validity of the proof; if the verification passes, the integer m of the proving end is regarded as lying in the specified range [a, b] and the data is allowed to be uploaded to the blockchain; otherwise, the proving end's request to upload the data to the chain is rejected; thus the range proof is completed;
specifically, the smart contract constructs two groups of verification equations from the proof set sent by the proving end in order to verify it; when the two sides of each verification equation are equal, the proof is considered legal; if not, the proof is considered illegal; the verification equations are shown in equations (21) and (22) respectively:
Figure FDA0003030836570000071
Figure FDA0003030836570000072
where the random challenge value x and the random numbers z, y in the verification equations are likewise generated by a hash function according to the Fiat-Shamir heuristic.
CN202110429517.2A 2021-04-21 2021-04-21 Efficient range proving method based on scalar equality inner product Pending CN113094633A (en)

Publications (1)

Publication Number Publication Date
CN113094633A true CN113094633A (en) 2021-07-09

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113630411A (en) * 2021-08-05 2021-11-09 华中农业大学 Method and device for auditing multi-party privacy protection data on alliance block chain
CN113704733A (en) * 2021-08-31 2021-11-26 上海万向区块链股份公司 Privacy verifiable dynamic DID authentication method and system
CN113704733B (en) * 2021-08-31 2024-03-08 上海万向区块链股份公司 Privacy verifiable dynamic DID authentication method and system
CN114092242A (en) * 2021-11-03 2022-02-25 支付宝(杭州)信息技术有限公司 Method and system for realizing private transaction based on range certification
CN114978538A (en) * 2022-05-17 2022-08-30 蚂蚁区块链科技(上海)有限公司 Data relation proving method and system for protecting privacy
CN114978538B (en) * 2022-05-17 2023-11-14 蚂蚁区块链科技(上海)有限公司 Privacy-protecting data relationship proving method, device, medium and computing equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination