CN113094633A - Efficient range proving method based on scalar equality inner product - Google Patents
- Publication number: CN113094633A (application CN202110429517.2A)
- Authority: CN (China)
- Prior art keywords: inner product, scalar, range, commitment, equation
- Legal status: Pending
Classifications
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F17/00—Digital computing or data processing equipment or methods, specially adapted for specific functions > G06F17/10—Complex mathematical operations
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60—Protecting data > G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
Abstract
The invention provides an efficient range proving method based on a scalar equation inner product. The method constructs a single range equation from a range interval and a proof value and calculates a range scalar; splits the range equation and the range scalar into inner products of fixed length; encapsulates the range scalar, the aggregate inner product and the blinding factor with a Pedersen vector commitment; calculates an aggregate inner product polynomial and the expression of its zero-order coefficient; generates commitments to the aggregate polynomial coefficients and an inner product range evidence set; and sends the evidence set to a smart contract end, which verifies the inner product equation and the aggregate polynomial evidence to complete the proof. Based on the idea of polynomial splitting, the invention represents the range interval as a scalar equation and constructs an inner product of constant length from the range interval, so that the computation time is constant; it replaces the legality verification of a numeric inner product with the legality verification of a scalar equation inner product, eliminating the security threat of off-chain computation while achieving a flexible range proof; and it optimises the running time.
Description
Technical Field
The invention belongs to the field of blockchain privacy protection and relates to a zero-knowledge range proving method based on a scalar equation inner product.
Background
The rapid development of the internet industry has led to the application of blockchain technology in fields such as internet finance and electronic commerce. Because the blockchain is decentralised, private data at the transaction layer is prone to leakage, which causes information security problems. Range proof technology in blockchain zero-knowledge proofs proves that data lies in a specified range interval while keeping the private data encrypted, so as to achieve decentralised privacy protection. The range proof techniques currently adopted usually rely on a third-party trusted authority, which easily leads to a trust crisis. Methods that do not need a third-party trusted authority, on the other hand, have an insufficiently flexible proof range and weak computational credibility. Therefore, a new method needs to be researched to provide safer and faster flexible range proofs without depending on a trusted authority.
Bulletproofs is one of the best-known range proof methods. It adopts the Pedersen vector commitment scheme to generate a group of inner product vectors for a range interval, derives an inner product polynomial from an inner product equation, and halves the vector dimension of the computation by executing a recursive inner product protocol; finally the proof is completed by generating evidence from the inner product polynomial. Bulletproofs needs no common reference string to provide a trusted setup, and its idea of inner product reduction and halving recursion reduces the computation dimension and shortens the evidence size. Its disadvantage is that the proof domain is not flexible but is tied to the proof form: even if the inner product protocol is executed twice to prove one number in the form of a difference range, it still lacks a flexible proof domain and is difficult to apply widely to industrial-modelling consortium chains or private chains.
To solve the lack of flexibility of Bulletproofs, some improved methods adopt Lagrange's theorem together with the Pedersen vector commitment idea to verify that two groups of range equation scalars are positive, achieving a flexible range proof with constant execution time. However, such methods have two problems. First, at the trusted-security level, only the scalar value is committed, not the range equation, so malicious attacks in the off-chain construction stage cannot be prevented and an off-chain computation security threat is easily introduced. Second, at the performance level, under the influence of the Lagrange sum-of-squares problem the inner product length is reduced to an odd number, so the recursive inner product protocol cannot be used and the computation dimension and complexity increase. In addition, verifying only the value commitments also requires constructing multiple sets of inner products separately, which adds time overhead. Therefore, improving off-chain computational credibility while achieving a flexible range proof with constant computation time, and reducing the computational complexity and dimension, are worth researching.
In summary, the invention provides a high-efficiency range proving method based on a scalar equation inner product: it represents the range interval by a formal scalar equation and constructs an inner product of constant length so that the computation time is constant; it replaces the legality verification of the numeric inner product with the legality verification of the scalar equation inner product, eliminating the off-chain computation security threat while achieving a flexible range proof; and it combines Lagrange's theorem with the recursive inner product protocol, improving the inner product splitting method and optimising the running time.
Disclosure of Invention
The invention provides an efficient range proving method based on a scalar equation inner product. First, to solve the problems of off-chain computational credibility and flexible range proof, the method converts the range interval into a group of scalar equations and constructs an equality inner product and a scalar inner product by combining the idea of Lagrange's theorem with the idea of polynomial splitting. Then an aggregate inner product polynomial is designed, the aggregate inner product and the polynomial coefficients are committed with a Pedersen vector commitment, and an inner product range evidence set is generated with a recursive inner product protocol. Finally, the evidence set is sent to a blockchain smart contract end for evidence verification, completing the range proof. In summary, the invention constructs a double inner product by designing scalar equations of the range interval and adopts the concept of aggregate proof to generate evidence for the double inner product. Thus a flexible range proof is achieved, off-chain computational credibility is improved, and, with the computation time kept constant, the computation time is shortened and the computation dimension and complexity are reduced.
To achieve the above object, the technical solution of the new range proving method comprises the following steps:
step 1, constructing a single range scalar equation from a range interval and a proof value and calculating a range scalar;
step 2, splitting the range equation and the range scalar into inner products of fixed length respectively;
step 3, using a Pedersen vector commitment to encapsulate the range scalar, the aggregate inner product and the blinding factor;
step 4, calculating an aggregate inner product polynomial and the expression of its zero-order coefficient;
step 5, generating commitments to the aggregate polynomial coefficients and generating an inner product range evidence set;
step 6, sending the evidence set to a smart contract end and verifying the inner product equation and the aggregate polynomial evidence.
The beneficial effects of the invention are as follows: for a flexible range interval, the invention designs a double inner product based on a joint range scalar equation and constructs an aggregate inner product commitment, so that the inner product can express the range interval in a credible manner. Then an aggregate inner product polynomial is designed and an improved inner product protocol is adopted to generate aggregate evidence. The method achieves flexible range interval verification without depending on any trusted authority and has stronger off-chain computational credibility for the polynomial. Meanwhile, the constant-time computation of the invention is faster and its computational complexity lower.
Drawings
FIG. 1 is a diagram of a high efficiency range proof framework based on the inner product of scalar equations;
FIG. 2 is a flow chart of a method of the present invention.
Detailed Description
The following further describes embodiments of the present invention with reference to the drawings.
FIG. 1 is a diagram of a high-efficiency range proof framework based on scalar equation inner products. First, the invention combines the two inequalities of a range interval into a single range scalar equation, calculates a range scalar, and generates a commitment to the scalar. Second, Lagrange's four-square theorem and polynomial splitting are adopted respectively to construct the range scalar equation into an equality inner product and a scalar inner product. Then the two sets of inner products are aggregated with the Pedersen vector commitment and an aggregate inner product commitment is generated. Subsequently, an aggregate inner product polynomial is constructed from the inner products and the range proof is carried out with a recursive inner product protocol. Finally, the commitments and the evidence are collected into an evidence set and sent to a smart contract end for verification.
The method comprises the following specific steps:
step 1, constructing a single range scalar equation from a range interval and a proof value and calculating a range scalar;
The relationship between the natural flexible non-negative range interval and the proof value can be expressed as shown in equation (1):
m ∈ [a,b] ∧ a>0 ∧ b>0 (1)
m-a>0 ∧ b-m>0 ∧ a>0 ∧ b>0 (2)
wherein m represents the proof value, a and b represent the lower and upper bounds of the interval, and formula (1) is equivalent to formula (2).
In zero-knowledge proof, this traditional relation is obviously not applicable to zero-knowledge range proof, since the smart contract can only handle relations verified as equations. By derivation, the range interval can be formulated as the following equation:
wherein the range scalar in formula (3) is computed from the range equation, so that the inequality is converted into an equation.
This is the case if and only if m-a>0, b-m<0 holds, or conversely m-a<0, b-m>0 holds. It follows that the equation is true if and only if m-a>0 ∧ b-m>0 ∧ a>0 ∧ b>0 holds. Then, in order to construct a fixed-length inner product vector from formula (3) and further generate an inner product protocol argument, formula (3) is split and merged to obtain the following scalar equation:
step 2, splitting the range equation and the range scalar into inner products of fixed length respectively;
The invention adopts polynomial splitting and Lagrange's theorem at the proving end and constructs inner product commitments at both ends of the range scalar equation respectively, so as to guard against the threat of false construction in off-chain computation while the range proof does not depend on a trusted authority.
First, a range equality inner product is constructed to validate the legality of the construction of the scalar. In particular, the length of the vector being processed must be a power of 2, because of the recursive execution of the inner product protocol. Therefore, the invention adopts a multiple-splitting method to design equality inner product vectors with constant length 4 and combines them into a range equality inner product, of the form shown in formula (5):
wherein q_1 and e_1 represent the equality inner product vectors, each of length 4. Taking the inner product of q_1 and e_1 yields the range scalar.
Then, a range scalar inner product is constructed to verify that the scalar is greater than 0. Specifically, the calculated range scalar is also split into 4 square terms according to Lagrange's four-square theorem. Combining the property of Lagrange's four-square theorem with the range scalar can be formalised as expression (6):
wherein k_i are the 4 integers; the expression holds if and only if there exist 4 integers whose sum of squares equals the range scalar. Thus the range scalar is expressed as the sum of 4 squares, in the form shown in equation (7), and the inner product obtained by splitting equation (7) is shown in equation (8):
wherein q_2 and e_2 represent the two scalar inner product vectors of the range scalar. Thereby the range equality inner product <q_1,e_1> and the range scalar inner product <q_2,e_2> are obtained respectively.
To verify that <q_2,e_2> comes from the Lagrange splitting, an inner product constraint is designed to constrain q_2 and e_2 to be equal to each other; the constraint formula is shown in formula (9):
wherein y^n can theoretically be expressed as a vector of random numbers generated by the verifying end from the integer ring vector set Z_p^8 of length 4 modulo P, but to reduce the rounds of interaction between the proving and verifying ends, according to the Fiat-Shamir heuristic the element y of the vector y^n is generated by a hash function of the proving end's commitments A and S, without interacting with the verifying end, so as to achieve a non-interactive proof.
Step 3, using a Pedersen vector commitment to encapsulate the range scalar, the aggregate inner product and the blinding factor;
In order to make the proving process zero-knowledge, the proving end cannot directly send the equality inner product, the scalar inner product and the range scalar to the verifying end; instead each is encapsulated with a Pedersen vector commitment and the commitments are sent in place of the plaintext. To reduce the inner product polynomial verification overhead and the range evidence size, this step merges the single commitments into an aggregate commitment during commitment generation.
Specifically, a set of commitments to the range scalar is generated using the Pedersen vector commitment and merged into a commitment vector; the commitment formula and the merged commitment vector are shown in formulas (9) and (10):
wherein r_j represents a random point generated on the integer ring modulo P; w_1, w_2 both represent commitments to the range scalar; W denotes the commitment vector formed by w_1, w_2; G_p represents a cyclic group of prime order P; g, h represent the two generator points of the cyclic group.
Then the equality inner product and the scalar inner product are combined to generate a commitment; the expression of the aggregate commitment is shown in formula (11):
wherein A represents the aggregate commitment to the equality inner product and the scalar inner product; h represents a random point generated on the cyclic group of prime order P; q_j, e_i represent the two inner product vectors of the equality inner product and the scalar inner product respectively; g, h represent the two generator point vectors of the cyclic group vector G_p^8 of length 8 and prime order P; α represents a random number taken from the integer ring Z_p modulo P.
To ensure zero knowledge of the equality inner product and the scalar inner product, a blinding factor is introduced and committed so as to blind the inner products. The Pedersen vector commitment generated for the blinding factor is shown in equation (12):
wherein s_L, s_R represent the blinding factors generated from the set of integer ring vectors Z_p^8 of length 8; S represents the Pedersen vector commitment generated for the blinding factors; ρ represents a random number taken from the integer ring Z_p modulo P.
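A toy walk-through of steps 2 and 3 above, added here as an example; it is not the patent's code. Because formulas (3) to (12) are absent from this page, it assumes the range scalar has the shape (m - a)(b - m), obtains the Lagrange four-square vectors q_2 = e_2 by exhaustive search, and uses a tiny prime-order subgroup of Z_P^* as a stand-in for the cyclic group G_p, so it demonstrates the structure of the commitments, not their security.

```python
"""Toy walk-through of the Lagrange scalar inner product and the Pedersen
vector commitment (added example, not the patent's code).

Assumptions, because formulas (3) to (12) are absent from the page:
  * the range scalar is taken to be (m - a) * (b - m), positive exactly
    when a < m < b;
  * Lagrange's four-square theorem is applied by exhaustive search;
  * the group is a tiny prime-order subgroup of Z_P^*, so discrete logs
    are trivially recoverable and nothing here is hiding or binding.
"""
import math
import secrets

P = 2039   # prime, and (P - 1) / 2 = 1019 is prime too (safe prime)
Q = 1019   # order of the subgroup of quadratic residues mod P
G = 4      # 2^2 mod P: a generator of that order-Q subgroup


def range_scalar(m, a, b):
    """Assumed shape of the range scalar: positive iff a < m < b."""
    return (m - a) * (b - m)


def four_squares(n):
    """Integers (k1, k2, k3, k4) with k1^2 + ... + k4^2 == n (Lagrange)."""
    if n < 0:
        raise ValueError("four-square decomposition needs n >= 0")
    for k1 in range(math.isqrt(n), -1, -1):
        for k2 in range(math.isqrt(n - k1 * k1), -1, -1):
            for k3 in range(math.isqrt(n - k1 * k1 - k2 * k2), -1, -1):
                rest = n - k1 * k1 - k2 * k2 - k3 * k3
                k4 = math.isqrt(rest)
                if k4 * k4 == rest:
                    return (k1, k2, k3, k4)
    raise AssertionError("unreachable: Lagrange guarantees a solution")


def inner(u, v):
    return sum(x * y for x, y in zip(u, v))


def scalar_inner_product_vectors(m, a, b):
    """q2 = e2 = (k1..k4) so that <q2, e2> equals the range scalar (step 2).
    A prover whose m lies outside (a, b) gets a non-positive scalar and
    cannot produce the decomposition at all."""
    s = range_scalar(m, a, b)
    if s <= 0:
        raise ValueError("proof value outside (a, b): scalar not positive")
    k = list(four_squares(s))
    return k, list(k)


def derive_generators(count, offset):
    """Toy stand-in for independent generators: fixed powers of G. A real
    deployment would hash to curve points with unknown discrete logs."""
    return [pow(G, offset + i, P) for i in range(count)]


N = 8                                   # 4 equality + 4 scalar entries
g_vec = derive_generators(N, 11)
h_vec = derive_generators(N, 101)
h_blind = pow(G, 1001, P)


def pedersen_vector_commit(q, e, blind):
    """h^blind * prod g_i^{q_i} * prod h_i^{e_i}: the shape of (11) and (12)."""
    if len(q) != N or len(e) != N:
        raise ValueError("expected vectors of length %d" % N)
    acc = pow(h_blind, blind % Q, P)
    for gi, qi in zip(g_vec, q):
        acc = acc * pow(gi, qi % Q, P) % P
    for hi, ei in zip(h_vec, e):
        acc = acc * pow(hi, ei % Q, P) % P
    return acc


def open_commitment(commitment, q, e, blind):
    """Verifier-side check that an opening matches the commitment."""
    return pedersen_vector_commit(q, e, blind) == commitment


def prover_step3(m, a, b, q1, e1):
    """Aggregate the equality vectors (q1, e1), assumed supplied by the
    polynomial-splitting step whose formula (5) is not on the page, with
    the Lagrange vectors (q2, e2) into length-8 vectors, commit to them
    (A) and produce the blinding-factor commitment (S)."""
    q2, e2 = scalar_inner_product_vectors(m, a, b)
    q, e = list(q1) + q2, list(e1) + e2
    alpha = secrets.randbelow(Q)
    A = pedersen_vector_commit(q, e, alpha)
    sL = [secrets.randbelow(Q) for _ in range(N)]
    sR = [secrets.randbelow(Q) for _ in range(N)]
    rho = secrets.randbelow(Q)
    S = pedersen_vector_commit(sL, sR, rho)
    return {"A": A, "S": S, "q": q, "e": e, "alpha": alpha,
            "sL": sL, "sR": sR, "rho": rho}


if __name__ == "__main__":
    # Constructed sample: prove m = 7 lies in [3, 12]; the equality
    # vectors are placeholders since formula (5) is not on the page.
    proof = prover_step3(7, 3, 12, q1=[1, 0, 0, 0], e1=[20, 0, 0, 0])
    print("range scalar:", range_scalar(7, 3, 12))
    print("q2 = e2 =", proof["q"][4:], "<q2,e2> =", inner(proof["q"][4:], proof["e"][4:]))
    print("opening verifies:", open_commitment(proof["A"], proof["q"], proof["e"], proof["alpha"]))
```

Changing any entry of the opening, or the blinding exponent, makes `open_commitment` fail, which is the binding behaviour the verifying end relies on once the real group is substituted.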
Step 4, calculating an aggregate inner product polynomial and the expression of its zero-order coefficient;
The proving end designs an aggregate inner product polynomial to convert the equality inner product and the scalar inner product into a zero-knowledge proof. It is obtained by taking the inner product of a vector polynomial group containing the equality inner product and the scalar inner product, so that the zero-order coefficient of the aggregate inner product polynomial can be expressed in a particular form if and only if the equality inner product and the scalar inner product are computed correctly.
Specifically, according to the inner product vectors and the inner product constraint formula, after blinding the equality inner product and the scalar inner product, vector splitting is performed and the results are aggregated and formalised into a vector polynomial group, shown in equation (13):
wherein l(x) and r(x) represent the vector polynomial group; x in l(x) and r(x) is a random challenge value generated by the verifying end and sent to the proving end, a random number taken from the integer ring Z_p modulo P; z, like y^n, is generated according to the Fiat-Shamir heuristic as a hash function of A, S and y; n is the length of the inner product vector, and the lengths of the equality inner product and the scalar inner product in the invention are both 4.
Then the aggregate polynomials l(x) and r(x) are combined by inner product to obtain the aggregate inner product polynomial shown in formula (14):
wherein t(x) represents the aggregate inner product polynomial; t_i is the coefficient of the i-th term of t(x).
In summary, the analysis yields the zero-order coefficient t_0 of t(x) if and only if conditional expression (15) holds, as shown in equation (16):
where Q is the front aggregate term and E is the back aggregate term; finally the special expression of t_0 when the condition is satisfied is obtained from Q and E.
Step 5, generating commitments to the aggregate polynomial coefficients and generating an inner product range evidence set;
The proving end generates evidence in a zero-knowledge state so that the verifying end can verify that the aggregate inner product polynomial holds. The proving end generates commitments separately for the non-zero-order coefficients t_i of the aggregate inner product polynomial; the zero-order coefficient can be verified by deriving its expression, so no commitment is needed for it. Then the random numbers in the aggregate inner product commitments A, S and the random numbers in the polynomial coefficient commitments and the scalar commitments are combined into two random number scalars for the verifying end. In addition, the aggregate inner product commitment A, the blinding factor commitment S and the aggregate inner product polynomial t(x) are sent to the verifying end as evidence. Finally, the Bulletproofs recursive inner product protocol is adopted to encapsulate l(x) and r(x) as an inner product protocol argument. In summary, the complete evidence set of the range proof is obtained.
Specifically, the commitments to the non-zero-order coefficients of the aggregate inner product polynomial are expressed by formula (17) using the Pedersen vector commitment:
wherein T_1, T_2 represent the commitments to the first-order and second-order coefficients respectively; τ_1, τ_2 are random numbers taken from the integer ring Z_p modulo P.
The random numbers in the polynomial coefficient commitments are combined with the random numbers of the scalar commitments to form a random number scalar, expressed by equation (18):
wherein τ_x represents the random number scalar formed from T_1, T_2 and W; τ_i represents the two random numbers of T_1, T_2; r_j represents the two random numbers in W.
The random numbers in the aggregate inner product commitment A and the blinding factor commitment S are combined to form a random number scalar, expressed by formula (19):
μ = α·z + ρ·x (19)
where μ represents the random number scalar formed from A and S; α represents the random number of A, and ρ the random number of S.
Finally, the aggregate polynomials l(x) and r(x) are encapsulated into an inner product protocol argument using the Bulletproofs recursive inner product protocol, and the argument is sent to the verifying end in place of the l(x) and r(x) plaintext, which reduces the evidence size. The inner product argument proof for l(x) and r(x) is shown in equation (20):
pt = g^{l(x)} h^{r(x)} u^{<l(x),r(x)>}, u ∈ G (20)
wherein pt represents the argument proof; u denotes a random point generated on a cyclic group of prime order P.
In summary, T_1, T_2, t, τ_x, μ, A, S, pt are taken as the evidence set for verification by the verifying end program.
Step 6, sending the evidence set to the smart contract verifying end and verifying the inner product equation and the polynomial evidence;
The proving end sends the evidence set to the smart contract verifying end; the smart contract verifies the validity of the evidence, and if the verification passes, the proving end's integer m is regarded as lying in the specified range [a, b] and the data is allowed to be uploaded to the blockchain. Otherwise the proving end's request to put the data on chain is rejected. At this point the range proof is complete.
Specifically, the smart contract constructs two groups of verification equations from the evidence set sent by the proving end in order to verify it; when the two sides of each verification equation are equal the evidence is considered legal, otherwise it is considered illegal. The verification equations are shown in equations (21) and (22) respectively:
wherein the random challenge value x in the verification equations, and the random numbers z, y, are likewise generated by the Fiat-Shamir heuristic through a hash function.
The method comprises the following steps:
the whole process of the invention is divided into four parts: an equation scalar inner product construction process, an aggregation polynomial group construction process, an aggregation inner product polynomial evidence generation process and an intelligent contract verification process. First, the present invention formalizes the range interval as an equation of the range scalar, and constructs the inner product on the equation by the Lagrangian theorem and polynomial decomposition. Secondly, a Pedersen polymerization commitment about the inner product is generated, a polymerization polynomial group is constructed according to the property of the inner product, and a polymerization inner product polynomial is calculated. Then, generating coefficient commitments corresponding to the aggregation inner product polynomial, using a recursive inner product protocol to package commitments on the polynomial to generate evidence, and forming an evidence set. And finally, sending the evidence set generated by the proof end to an intelligent contract verification end for polynomial verification, if the polynomial is established, passing, otherwise, rejecting, wherein the specific flow is shown in fig. 2.
Claims (1)
1. An efficient range proving method based on a scalar equation inner product, characterised by comprising the following steps:
step 1, constructing a single range scalar equation from a range interval and a proof value and calculating a range scalar; the relationship between the natural flexible non-negative range interval and the proof value is expressed as shown in equation (1):
m ∈ [a,b] ∧ a>0 ∧ b>0 (1)
m-a>0 ∧ b-m>0 ∧ a>0 ∧ b>0 (2)
wherein m represents the proof value, a and b represent the lower and upper bounds of the interval, and formula (1) is equivalent to formula (2);
in zero-knowledge proof, the traditional relation is not suitable for zero-knowledge range proof because the smart contract can only process relations verified as equations; by derivation, the range interval is formalised as the following equation:
wherein the range scalar in formula (3) is obtained by calculating the range equation, converting the inequality into an equation;
this is the case if and only if m-a>0, b-m<0 holds, or conversely m-a<0, b-m>0 holds; it follows that the equation is true if and only if m-a>0 ∧ b-m>0 ∧ a>0 ∧ b>0 holds; then, in order to construct a fixed-length inner product vector from formula (3) and further generate an inner product protocol argument, formula (3) is split and merged to obtain the following scalar equation:
step 2, splitting the range equation and the range scalar into inner products of fixed length respectively;
adopting polynomial splitting and Lagrange's theorem at the proving end and constructing inner product commitments at both ends of the range scalar equation respectively, so as to guard against the threat of false construction in off-chain computation while the range proof does not depend on a trusted authority;
first, a range equality inner product is constructed to validate the legality of the construction of the scalar; in particular, the length of the vector being processed must be a power of 2, because of the recursive execution of the inner product protocol; therefore, a polynomial splitting method is adopted to design equality inner product vectors with constant length 4, which are combined into a range equality inner product of the form shown in formula (5):
wherein q_1 and e_1 represent the equality inner product vectors, each of length 4; taking the inner product of q_1 and e_1 yields the range scalar;
then, a range scalar inner product is constructed to verify that the scalar is greater than 0; specifically, the calculated range scalar is also split into 4 square terms according to Lagrange's four-square theorem; combining the property of Lagrange's four-square theorem with the range scalar is formalised as expression (6):
wherein k_i are the 4 integers; the expression holds if and only if there exist 4 integers whose sum of squares equals the range scalar; thus the range scalar is expressed as the sum of 4 squares, in the form shown in equation (7), and the inner product obtained by splitting equation (7) is shown in equation (8):
wherein q_2 and e_2 represent the two scalar inner product vectors of the range scalar; thereby the range equality inner product <q_1,e_1> and the range scalar inner product <q_2,e_2> are obtained respectively;
to verify that <q_2,e_2> comes from the Lagrange splitting, an inner product constraint is designed to constrain q_2 and e_2 to be equal to each other; the constraint formula is shown in formula (9):
wherein y^n is theoretically represented as a vector of random numbers generated by the verifying end from the integer ring vector set Z_p^8 of length 4 modulo P, but to reduce the rounds of interaction between the proving and verifying ends, according to the Fiat-Shamir heuristic the element y of the vector y^n is generated by a hash function of the proving end's commitments A and S, without interacting with the verifying end, so as to achieve a non-interactive proof;
step 3, using a Pedersen vector commitment to encapsulate the range scalar, the aggregate inner product and the blinding factor;
in order to make the proving process zero-knowledge, the proving end cannot directly send the equality inner product, the scalar inner product and the range scalar to the verifying end; instead each is encapsulated with a Pedersen vector commitment and the commitments are sent in place of the plaintext; in order to reduce the inner product polynomial verification overhead and compress the range evidence size, the single commitments are merged into an aggregate commitment during commitment generation;
specifically, a set of commitments to the range scalar is generated using the Pedersen vector commitment and merged into a commitment vector; the commitment formula and the merged commitment vector are shown in formulas (9) and (10):
wherein r_j represents a random point generated on the integer ring modulo P; w_1, w_2 both represent commitments to the range scalar; W denotes the commitment vector formed by w_1, w_2; G_p represents a cyclic group of prime order P; g, h represent the two generator points of the cyclic group;
then the equality inner product and the scalar inner product are combined to generate a commitment; the expression of the aggregate commitment is shown in formula (11):
wherein A represents the aggregate commitment to the equality inner product and the scalar inner product; h represents a random point generated on the cyclic group of prime order P; q_j, e_i represent the two inner product vectors of the equality inner product and the scalar inner product respectively; g, h represent the two generator point vectors of the cyclic group vector G_p^8 of length 8 and prime order P; α represents a random number taken from the integer ring Z_p modulo P;
in order to ensure zero knowledge of the equality inner product and the scalar inner product, a blinding factor is introduced and committed so as to blind the inner products; the Pedersen vector commitment generated for the blinding factor is shown in equation (12):
wherein s_L, s_R represent the blinding factors generated from the set of integer ring vectors Z_p^8 of length 8; S represents the Pedersen vector commitment generated for the blinding factors; ρ represents a random number taken from the integer ring Z_p modulo P;
Step 4: compute the aggregate inner-product polynomial and derive the expression for its zeroth-order coefficient;
The prover converts the equality inner product and the scalar inner product into zero-knowledge evidence by designing an aggregate inner-product polynomial, obtained as the inner product of a pair of vector polynomials that contain the equality inner product and the scalar inner product; it is constructed so that the zeroth-order coefficient of the aggregate inner-product polynomial takes a particular form if and only if the equality inner product and the scalar inner product were computed correctly;
Specifically, from the inner-product vectors and the inner-product constraint formula, the equality inner product and the scalar inner product are blinded, split into vectors, and aggregated and formalised into a pair of vector polynomials, given by equation (13):
where l(x) and r(x) are the pair of vector polynomials; x in l(x) and r(x) is the random challenge value, a random number in the integer ring Z_P, which in the interactive description is chosen by the verifier and sent to the prover and in the non-interactive form of step 6 is derived by hashing; z and y^n are likewise challenges, generated by hashing A, S and y according to the Fiat-Shamir heuristic; n is the length of the inner-product vectors, and in this invention the equality inner product and the scalar inner product both have length 4;
Then the inner product of the aggregate polynomials l(x) and r(x) is taken, giving the aggregate inner-product polynomial of equation (14):
where t(x) is the aggregate inner-product polynomial and t_i is the coefficient of its i-th term;
In summary, analysis shows that the zeroth-order coefficient t_0 of t(x) takes the form of equation (16) if and only if condition (15) holds:
where Q is the former aggregate term and E the latter aggregate term; the special form of t_0 when the condition holds is then obtained from Q and E;
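A worked expansion of the aggregate inner-product polynomial, added here as an example; it is not equation (13) or (14) of the page, which are not reproduced above. It assumes the standard Bulletproofs shape in which l(x) and r(x) are linear in the challenge x, with the blinded inner-product vectors l_0, r_0 as constant terms and the blinding vectors s_L, s_R of equation (12) as the linear terms:

$$l(x) = l_0 + s_L\,x, \qquad r(x) = r_0 + s_R\,x$$

$$t(x) = \langle l(x), r(x)\rangle = \underbrace{\langle l_0, r_0\rangle}_{t_0} + \underbrace{\big(\langle l_0, s_R\rangle + \langle s_L, r_0\rangle\big)}_{t_1}\,x + \underbrace{\langle s_L, s_R\rangle}_{t_2}\,x^2 .$$

Only t_0 is free of the blinding vectors, so it is the coefficient that can be pinned to the unblinded equality and scalar inner products by condition (15); t_1 and t_2 depend on s_L, s_R and are therefore committed to (T_1, T_2) and opened at the challenge x rather than derived.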
Step 5: generate the commitments to the aggregate polynomial coefficients and assemble the inner-product range evidence set;
The prover generates evidence in zero knowledge with which the verifier can check that the aggregate inner-product polynomial holds. The prover commits separately to each non-zero-order coefficient t_i of the aggregate inner-product polynomial; the zeroth-order coefficient can be derived and checked from its expression, so no commitment is needed for it. The random numbers in the aggregate inner-product commitment A and the blinding-factor commitment S, and those in the polynomial coefficient commitments and the scalar commitments, are then combined into two random-number scalars for the verifier to check. In addition, the aggregate inner-product commitment A, the blinding-factor commitment S and the aggregate inner-product polynomial t(x) are sent to the verifier as evidence. Finally, l(x) and r(x) are encapsulated into an inner-product proof using the Bulletproofs recursive inner-product protocol. Together these form the complete evidence set of the range proof;
Specifically, the commitments to the non-zero-order coefficients of the aggregate inner-product polynomial are Pedersen commitments, given by equation (17):
where T_1, T_2 are the commitments to the first- and second-order coefficients, and τ_1, τ_2 are random numbers drawn from the integer ring Z_P;
The random numbers in the polynomial coefficient commitments are combined with the random numbers of the scalar commitments into one random-number scalar, given by equation (18):
where τ_x is the random-number scalar formed from T_1, T_2 and W; τ_i are the two random numbers of T_1, T_2; and r_j are the two random numbers in W;
The random numbers in the aggregate inner-product commitment A and the blinding-factor commitment S are combined into a second random-number scalar, given by equation (19):
$$\mu = \alpha \cdot z + \rho \cdot x \qquad (19)$$
where μ is the random-number scalar formed from A and S; α is the random number of A and ρ the random number of S;
Finally, the aggregate polynomials l(x) and r(x) are packed into an inner-product proof using the Bulletproofs recursive inner-product protocol, and this proof is sent to the verifier instead of l(x) and r(x) in the clear, which reduces the evidence size; the inner-product proof statement for l(x) and r(x) is equation (20):
$$\mathrm{pt} = \mathbf{g}^{l(x)}\,\mathbf{h}^{r(x)}\,u^{\langle l(x),\,r(x)\rangle}, \quad u \in \mathbb{G} \qquad (20)$$
where pt is the inner-product proof and u is a random point of the cyclic group of prime order P;
In summary, T_1, T_2, t, τ_x, μ, A, S and pt form the evidence set that the verifier program checks;
Step 6: send the evidence set to the smart-contract verifier, which verifies the inner-product equation and the polynomial evidence;
The prover sends the evidence set to the smart-contract verifier, and the smart contract checks the validity of the evidence. If verification passes, the prover's integer m is accepted as lying in the specified range [a, b] and the data may be uploaded to the blockchain; otherwise the prover's request to put the data on chain is rejected. This completes the range proof;
Specifically, the smart contract constructs two verification equations from the evidence set sent by the prover; when both sides of each verification equation are equal the evidence is accepted as valid, and if either equation fails to hold the evidence is rejected as invalid; the verification equations are equations (21) and (22):
where the random challenge value x in the verification equations, as well as the random numbers z and y, are likewise generated by the Fiat-Shamir heuristic through a hash function. For the non-interactive proof to remain sound, each challenge hash must bind the whole transcript up to that point, including the range commitments and every commitment already sent (A, S, T_1, T_2); if a commitment is left out of the hash input, the prover can choose that element after seeing the challenge.
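The commitment, challenge and verification mechanics of steps 3 to 6 above, as an added worked example in Python. This is the editor's illustrative code, not the patent's implementation or any library's API. It assumes things the page does not state: a Schnorr group of prime order P inside Z_Q^* with a toy safe prime Q = 2P + 1 (far too small for real use), vectors of length 8, l(x) and r(x) linear in the challenge x with blinding vectors s_L and s_R, the textbook Bulletproofs blinding combination μ = α + ρ·x rather than the page's equation (19), and a prover-supplied commitment T0 to the zeroth coefficient, where the page instead has the verifier derive t_0 from expression (16). The names prove, verify, vec_commit and challenge are the example's own.

```python
"""Editor-added toy of the commit / challenge / open / verify steps.

Illustrative code, not the patent's implementation. Assumptions not taken
from the page: Schnorr group of prime order P in Z_Q^* with toy safe prime
Q = 2P + 1; vector length 8; l(x), r(x) linear in x with blinding vectors
s_L, s_R; mu = alpha + rho * x (textbook Bulletproofs, not the page's (19));
a prover-supplied commitment T0 to t_0 instead of the page's expression (16).
"""
import hashlib
import secrets

Q = 2063          # toy safe prime Q = 2P + 1; NOT a production parameter
P = (Q - 1) // 2  # prime order of the subgroup of quadratic residues mod Q
N = 8             # aggregated inner-product vector length (page: 4 + 4)
for n_ in (P, Q):  # guard the toy parameters: both must be prime
    assert n_ > 2 and all(n_ % d for d in range(2, int(n_ ** 0.5) + 1))


def gen(label: bytes) -> int:
    """Nothing-up-my-sleeve generator: a non-trivial square mod Q has order P."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(label + bytes([ctr])).digest(), "big") % Q
        g = pow(x, 2, Q)
        if g not in (0, 1):
            return g
        ctr += 1


g_vec = [gen(b"g%d" % i) for i in range(N)]   # vector bases g (page: bold g)
h_vec = [gen(b"h%d" % i) for i in range(N)]   # vector bases h (page: bold h)
g, h = gen(b"g"), gen(b"h")                    # scalar bases for Pedersen commitments


def inner(a, b):
    """Inner product of two vectors over Z_P."""
    return sum(x * y for x, y in zip(a, b)) % P


def rand():
    """Uniform non-zero element of Z_P (blinding factors, s_L, s_R)."""
    return secrets.randbelow(P - 1) + 1


def commit(val, blind):
    """Pedersen commitment g^val * h^blind mod Q."""
    return pow(g, val, Q) * pow(h, blind, Q) % Q


def vec_commit(lv, rv, blind):
    """Pedersen vector commitment h^blind * prod g_i^{lv_i} * prod h_i^{rv_i} mod Q."""
    c = pow(h, blind, Q)
    for base, v in zip(g_vec + h_vec, lv + rv):
        c = c * pow(base, v, Q) % Q
    return c


def challenge(*transcript) -> int:
    """Fiat-Shamir challenge in [1, P-1], bound to every commitment sent so far."""
    data = b"|".join(str(e).encode() for e in transcript)
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (P - 1)


def prove(l0, r0):
    """Prover: commit to the vectors (A), blinding vectors (S) and t1, t2; open at x."""
    sL, sR = [rand() for _ in range(N)], [rand() for _ in range(N)]
    alpha, rho = rand(), rand()
    A = vec_commit(l0, r0, alpha)   # aggregate inner-product commitment, eq. (11) style
    S = vec_commit(sL, sR, rho)     # blinding-factor commitment, eq. (12) style
    # t(x) = <l0 + sL x, r0 + sR x> = t0 + t1 x + t2 x^2
    t0 = inner(l0, r0)
    t1 = (inner(l0, sR) + inner(sL, r0)) % P
    t2 = inner(sL, sR)
    tau0, tau1, tau2 = rand(), rand(), rand()
    T0, T1, T2 = commit(t0, tau0), commit(t1, tau1), commit(t2, tau2)  # T0: assumption
    x = challenge(A, S, T0, T1, T2)
    lx = [(a + b * x) % P for a, b in zip(l0, sL)]
    rx = [(a + b * x) % P for a, b in zip(r0, sR)]
    return {
        "A": A, "S": S, "T0": T0, "T1": T1, "T2": T2, "lx": lx, "rx": rx,
        "t_hat": inner(lx, rx),                         # t(x) evaluated at x
        "tau_x": (tau0 + tau1 * x + tau2 * x * x) % P,  # blinding of t(x), cf. (18)
        "mu": (alpha + rho * x) % P,                    # blinding of A S^x, cf. (19)
    }


def verify(pi) -> bool:
    """Verifier: recompute x and check the two equations over the evidence set."""
    x = challenge(pi["A"], pi["S"], pi["T0"], pi["T1"], pi["T2"])
    # polynomial check: g^t_hat h^tau_x == T0 * T1^x * T2^(x^2)
    poly_ok = commit(pi["t_hat"], pi["tau_x"]) == (
        pi["T0"] * pow(pi["T1"], x, Q) * pow(pi["T2"], x * x % P, Q) % Q)
    # opened vectors must reproduce t_hat; the recursive inner-product
    # argument of eq. (20) would replace this plaintext check
    ip_ok = inner(pi["lx"], pi["rx"]) == pi["t_hat"]
    # vector check: A * S^x == h^mu g^l(x) h^r(x)
    vec_ok = pi["A"] * pow(pi["S"], x, Q) % Q == vec_commit(pi["lx"], pi["rx"], pi["mu"])
    return poly_ok and ip_ok and vec_ok
```

Committing to T0 directly, as here, exercises the polynomial equation but removes the binding to the range: a prover could choose any t_0. In the protocol on this page that binding comes from deriving t_0 on the verifier side from the range commitment W and the challenges, which is why no commitment to t_0 is sent. The challenge hash deliberately covers A, S and every T_i; leaving any of them out lets the prover pick that element after seeing x.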
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110429517.2A CN113094633A (en) | 2021-04-21 | 2021-04-21 | Efficient range proving method based on scalar equality inner product |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110429517.2A CN113094633A (en) | 2021-04-21 | 2021-04-21 | Efficient range proving method based on scalar equality inner product |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113094633A true CN113094633A (en) | 2021-07-09 |
Family
ID=76679265
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110429517.2A Pending CN113094633A (en) | 2021-04-21 | 2021-04-21 | Efficient range proving method based on scalar equality inner product |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113094633A (en) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113630411A (en) * | 2021-08-05 | 2021-11-09 | Huazhong Agricultural University | Method and device for auditing multi-party privacy protection data on alliance block chain |
CN113704733A (en) * | 2021-08-31 | 2021-11-26 | Shanghai Wanxiang Blockchain Co., Ltd. | Privacy verifiable dynamic DID authentication method and system |
CN113704733B (en) * | 2021-08-31 | 2024-03-08 | Shanghai Wanxiang Blockchain Co., Ltd. | Privacy verifiable dynamic DID authentication method and system |
CN114092242A (en) * | 2021-11-03 | 2022-02-25 | Alipay (Hangzhou) Information Technology Co., Ltd. | Method and system for realizing private transaction based on range certification |
CN114978538A (en) * | 2022-05-17 | 2022-08-30 | Ant Blockchain Technology (Shanghai) Co., Ltd. | Data relation proving method and system for protecting privacy |
CN114978538B (en) * | 2022-05-17 | 2023-11-14 | Ant Blockchain Technology (Shanghai) Co., Ltd. | Privacy-protecting data relationship proving method, device, medium and computing equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |