第 5 课 补充讲义 ​

Modern SNARKs consist of two components: an information-theoretic interactive oracle proof (IOP) [1]; and a compatible cryptographic commitment scheme, which "compiles" the IOP into an argument system [5]. This note introduces several commonly used commitment schemes.

An IOP is "information-theoretic" in that it provides soundness and zero-knowledge guarantees even when the prover and verifier are computationally unbounded. To make this possible, the proof system makes the idealised assumption of "oracle access": in other words, the verifier can only access the prover's messages through random queries.

The commitment scheme instantiates this oracle access using cryptographic primitives (e.g. a one-way function): as a consequence, the resulting argument system is only secure with respect to a computationally bounded prover and/or verifier. To realise a succinct argument system, the chosen commitment scheme must provide low communication complexity relative to the computation being proven.

Figure 1: A $k$-round interactive oracle proof system. In the $i$-th round: the verifier $\mathcal{V}$ sends a message $m_i$ to the prover $\mathcal{P}$; then, $\mathcal{P}$ replies with a message $f_i$, which $\mathcal{V}$ can query (via random access) in this and all later rounds. After the $k$ rounds of interaction, $\mathcal{V}$ either accepts or rejects.

Definition 1.1 (Commitment scheme). A commitment scheme is a tuple $\mathrm{\Gamma }=$ (Setup, Commit, Open) of PPT algorithms where:

• $\mathrm{Setup}\left(1^{\lambda }\right)\to \mathrm{pp}$ takes security parameter $\lambda$ (in unary) and generates public parameters $\mathrm{pp}$;

• Commit $(\mathrm{pp};m)\to (C;r)$ takes a secret message $m$ and outputs a public commitment $C$ and (optionally) a secret opening hint $r$ (which might or might not be the randomness used in the computation).

• Open $(\mathrm{pp},C;m,r)\to b\in \{0,1\}$ verifies the opening of the commitment $C$ to the message $m$ provided with the opening hint $r$.

A commitment scheme $\mathrm{\Gamma }$ is binding if for all $\mathrm{PPT}$ adversaries $\mathcal{A}$ :

Informally, this states that a valid commitment $C$ to a message $m_0$ is binding if no adversary can produce a valid opening to some different message $m_1$.

A commitment scheme $\mathrm{\Gamma }$ is hiding if for any polynomial-time adversary $\mathcal{A}$ :

Informally, this states that if a commitment is hiding if an adversary cannot "reverse-engineer" which of their messages was committed to.

Recall: "locked boxes". [Lecture 3: "Mathematical Building Blocks"]

In the Hamilton cycle example, we use a collision-resistant hash function to construct our commitment scheme:

• $r\leftarrow \{0,1{\}}^{256}$ is a randomly sampled secret key that is input to the hash function.

• Commit: hash $(m;r)=h$.

• Open : check $h\stackrel{?}{=}\mathrm{hash}(m;r)$.

A vector commitment scheme [2] for the message space $M$ is a commitment scheme for a vector $\overrightarrow{m}=(m_1,\dots ,m_k)\in {\mathrm{M}}^k$. The main security property for a vector commitment is position binding:

Definition 2.1 (Position binding). A vector commitment scheme $\mathrm{\Gamma }$ is position binding if for any PPT adversary $\mathcal{A}$ :

Informally, this states that no adversary can open $C$ to two different values at the same position.

Vector Pedersen commitment. The Pedersen commitment [9] is a binding and hiding commitment scheme for the message space ${\mathbb{F}}_q$. For a secret message $m\in {\mathbb{Z}}_q$ :

• Pedersen.Setup $(1^{\lambda },q)\to \mathrm{pp}:\mathrm{pp}=G,H\in \mathbb{G}$, where $\mathbb{G}$ is a cryptographic group of order $q$.

• Pedersen.Commit $(\mathrm{pp};m)\to (C;r):C=[m]G+[r]H$, where $r\in {\mathbb{Z}}_q$ is a random secret.

• Pedersen.Open $(\mathrm{pp},C;m,r)\to \{0,1\}:$ the prover $\mathcal{P}$ reveals $m$ and $r$, and the verifier $\mathcal{V}$ checks $C\stackrel{?}{=}[m]G+[r]H$

Note that the Pedersen commitment is additively homomorphic: