Zero-Knowledge Proof (ZKP) Scheme

Function-hiding functional commitment

In this page, we will review function-hiding functional commitment zero-knowledge proof (ZKP) scheme. This scheme is a tuple $\red{(Setup,\hspace{1mm}, Commit,\hspace{1mm}Eval)}$that utilizes the following three protocols:

1- A polynomial commitment scheme

$PC=(PC.\hspace{1mm} Setup,\hspace{1mm} PC.\hspace{1mm}Commit,\hspace{1mm} PC.\hspace{1mm}Eval,\hspace{1mm}PC.\hspace{1mm}Check)$,

2- A proof of function relation (PFR)

A proof of function relation ($PFR$) $\pi=(P_{f}, \hspace{1mm}V_{f},\hspace{1mm}k_{f},\hspace{1mm}s_{f},\hspace{1mm}d_{f})$contains $k_f$wehre is the number of rounds, $s_f:\mathbb{N}\to\mathbb{N}$ where that $s_f(i)$ is the number polynomials that the Prover $P_f$sends to the Verifier $V_f$ in round $i$ and $d_f:\mathbb{N}^3\to\mathbb{N}$ so that $d_f(N,i,j)$ is the degree bound for $j^{th}$polynomial in round . Let $N$ be the maximum supported index size.

3- An algebric holographic proof (AHP)

An algebric holographic proof $AHP=(Enc_{AHP},P_{AHP}, \hspace{1mm}V_{AHP},\hspace{1mm}k_{AHP},\hspace{1mm}s_{AHP},\hspace{1mm}d_{AHP})$ contains $k_{AHP}$ where is the number of rounds, $s_{AHP}:\mathbb{N}\to\mathbb{N}$ so that $s_{AHP}(i)$ is the number polynomials that the Prover $P_{AHP}$sends to the Verifier $V_{AHP}$ in round $i$ and $d_{AHP}:\mathbb{N}^3\to\mathbb{N}$ so that $d_{AHP}(N,i,j)$ is the degree bound for $j^{th}$ polynomial in round $i$.

• Note that $s_{AHP}(0)=s_{f}(0)$ and for all $i\in [s_{AHP}(0)]$, $d_{AHP}(N,0,i)=d_{f}(N,0,i)$.

We now review the three main elements in the tuple.

• $\red{Setup(1^{\lambda},N)}$: The is function creates output $pp=PC.Commit(1^{\lambda},d)$ where $\lambda$ is security parameter and $d= \{d_{AHP}(N,i,j)\}_{i\in [k_{AHP}]\bigcup\{0\},j\in [s_{AHP}(i)]}\}\bigcup\{d_f(N,i,j)\}_{i\in[k_f],j\in[s_f(i)]}$. For example, if polynomial commitment scheme $KZG$ is used, $pp=(g,\hspace{1mm}g^d,\hspace{1mm}g^{d^2},...,\hspace{1mm}g^{d^l})$where $g$ is a generator of field $\mathbb{F}$ with large prime order $p$ such that $log(p) = Ω(λ)$ and $l$ is maximum degree of polynomials that want to commit them.

• $\red{Commit(pp,i\in \textit{I}_f,r\in R=\mathbb{R}^{s_{AHP}(0)})}$: This function contains the following steps: A- Parse $r=(r_1,...,r_{s_{AHP}(0)})$ and $pp=(ck,vk)$. B- Set $\overrightarrow{o}=Enc_{AHP}(i)$.

Note that $\textit{I}_f$ is a functional set that contains triple matrices $i=(A,B,C)\in (\mathbb{F}^{n\times n})^3$ so that for all input $x\in X$, there exists a unique $y\in Y$ and a witness (intermediate) $\omega \in W$ such that $Az\hspace{1mm} o\hspace{1mm} Bz=Cz$ where $z=(x,w,y)$. Note that a triple of matrices $(A,B,C)\in (\mathbb{F}^{n\times n})^3$ is a functional triple if and only if $A$ and $B$ are $t-$strictly lower triangular matrices $(t-SLT)$ and $C$ is $t$-diagonal matrix $(t-Diag)$. Here, $t$ is the size of the input. Note that the Prover obtains $t-SLT$ matrices $A$, $B$ and $t-Diag$ matrix $C$ for the arithmetic circuit based on the following construction: 1- Initialize three zero square matrices $A, B, C$ over $\mathbb{F}$ of order $n_g +n_i + 1$ where $n_g$ is the number of gates and $n_i$ is the number of inputs. Here, the gate $i$ is corresponding to tuple $(l_i, r_i, s_i)$ where $l_i$ and $r_i$ are left and right input wire indices, respectively and $s_i$ is gate selector, addition or multiplication. Also in the following construction $n_i$ is the number of inputs. 2- For $i=0.., n_g-1:$ $a)$ $C_{1+n_i+i, 1+n_i+i}=1$ $b)$ if $s_i$ is addition - $A_{1+n_i+i,0}=1$ - $B_{1+n_i+i,l_i}=1$ ( if the left input is a number, value of input is placed ) - $B_{1+n_i+i,r_i}=1$ ( if the right input is a number, value of input is placed) $c)$ If $s_i$ is multiplication - $A_{1+n_i+i,l_i}=1$ ( if the left input is a number, value of input is placed) - $B_{1+n_i+i,r_i}=1$ ( if the right input is a number, value of input is placed) 3- Outputs matrices $A, B$ and $C$. Note that the Prover encodes each matrix $A, B$ and $C$ by three polynomials such that encodes matrix $M$, $M\in\{A, B, C\}$, by polynomials $row_{M}(x)$, $col_M(x)$ and $val_M(x)$ so that $row_M(\gamma^i)=\omega^{r_i}$, $col_M(\gamma^i)=\omega^{c_i}$ and $val_M(\gamma^i)=v_i$ for $i\in\{0,1,2,..,m-1\}$ where $\gamma$ is a generator of multiplicative subgroup $\mathbb{K}$of $\mathbb{F}$ of order $m$ ($\mathbb{K}=<\gamma>$ and $|\mathbb{K}|=m$) and $\omega$ is a generator of multiplicative subgroup $\mathbb{H}$ of $\mathbb{F}$ of order n ($\mathbb{H}=<\omega>$ and $|\mathbb{H}|=n$). Also $m$ is maximum of the number of nonzero entries in the matrix $M$. $n$ is the order of the matrix. Also $r_i,c_i\in \{0,1,...,n-1\}$ and $v_i\in \mathbb{F}$ are row number, column number and value of $i^{th}$ nonzero entry, respectively. Therefore $\overrightarrow{O}=(row_A(x),col_A(x),val_A(x),row_B(x),col_B(x),val_B(x),row_C(x),col_C(x),val_C(x))$. C- For $i\in s_{AHP}(0)$, $c_{O_{0,i}}=PC.Commit(ck,\overrightarrow{O}[i],d_{AHP}(N,0,i),r_{O_{0,i}})$.

For example, if the polynomial commitment scheme$KZG$ is used, $c_{O_{0,i}}=\prod_{i\in\{0,1,...,deg_{\overrightarrow{O}[i]}\}}(g^{d^i})^{a_i}$ where $a_i$ is coefficient of $x^i$ in polynomial $O_{0,i}$.

We now review the last step for the commitment phase D- Output $c=(c_{O_{0,1}},c_{O_{0,2}},...,c_{O_{0,s_{AHP}(0)}})$.

• $\red{Eval(P_E(pp,i,r,x,y),V_E(pp,c,x,y))}$ $\huge{\bold{.}}$ The Prover $P_E$ and the Verifier $V_E$ parse $pp=(ck,vk)$. $\huge{\bold{.}}$ The Prover $P_E$ computes $\overrightarrow{o}=Enc_{AHP}(i)$. $\huge{\bold{.}}$ The Prover $P_E$ and the Verifier $V_E$ run polynomial interactive oracle proofs ($piop$) , $AHP$ or $PFR$.

A- $PFR$ commitment checking The Prover $P_f$ and the Verifier $V_f$ run polynomial oracle proof $PFR$ $<P_f(\overrightarrow{O},,i),V_f^{\overrightarrow{O}}()>$. This polynomial oracle proof is described in $\red{ Supplement \hspace{1mm}1}$. Note that in this polynomial oracle proof, the Prover wants to prove three following claims: $1.$ $\overrightarrow{O}[1]=row_A(x)$ , $\overrightarrow{O}[2]=col_A(x)$ and$\overrightarrow{O}[3]=val_A(x)$is encoding of a $t-SLT$ matrix. $2.$ $\overrightarrow{O}[4]=row_B(x)$ , $\overrightarrow{O}[5]=col_B(x)$ and$\overrightarrow{O}[6]=val_B(x)$is encoding of a $t-SLT$ matrix. $3.$ $\overrightarrow{O}[7]=row_C(x)$ , $\overrightarrow{O}[8]=col_C(x)$ and$\overrightarrow{O}[9]=val_C(x)$is encoding of a $t-Diag$ matrix.

B- $PFR$ and$AHP$ proof generating and verifying The Prover $P_{AHP}$ and the Verifier $V_{AHP}$ run polynomial oracle proof $AHP$ $<P_{AHP}(i,(x,y),w),V_{AHP}^{\overrightarrow{O}}((x,y))>$. Note that in this polynomial oracle proof, by keeping the function $(A,B,C)$ hidden, the Prover wants to prove that input $x$ gives output $y$.

$\huge{\bold{.}}$ For all $i\in[k_{piop}]$ and $j\in s_{piop}(i)$ when $P_{piop}$ sends oracle polynomial $o_{i,j}$ . $P_E$ computes and sends $c_{o_{i,j}}=PC.Commit(ck,o_{i,j},d_{piop}(N,i,j),r_{o_{i,j}})$

$\huge{\bold{.}}$ When $V_{piop}$ derives an oracle $o$ that is a linear combination of other oracles, $V_E$ derives $c_o$ through the $PCS$ homomorphism. $P_E$ similarly derives the commitment randomness $r_o$.

$\huge{\bold{.}}$When $V_{piop}$ queries oracle polynomial $o$ with degree bound $d_o$at $z\in \mathbb{F}$ to receive $y=o(z)$ : $\huge{.}$ $V_E$ sends $z$. $\huge{.}$ $P_E$ retrieves $r_o$, then computes $\pi=PC.Eval(ck,o,d_o,r_o,z)$and sends $\pi$ and $y=o(z)$. For example, if polynomial commitment scheme $KZG$ is used, $\pi=g^{q(d)}$ where $q(x)=\frac{o(x)-y}{x-z}$.

$\huge{.}$ $P_E$ retrieves $r_o$, then computes $\pi=PC.Eval(ck,o,d_o,r_o,z)$and sends $\pi$ and $y=o(z)$.

For example, if polynomial commitment scheme $KZG$ is used, $\pi=g^{q(d)}$ where $q(x)=\frac{o(x)-y}{x-z}$.

$\huge{.}$$V_E$ retrieves $c_o$ and asserts $1=PC.Check(vk,c_o,d_o,z,y,\pi)$. For example, if polynomial commitment scheme $KZG$ is used, $\pi$ check as following: $e(\frac{c_o}{g^y},g)=e(\pi,\frac{g^d}{g^z})$ , $e(g^{o(d)-y},g)=e(g^{q(d)},g^{d-z})$, $e(g,g)^{o(d)-y}=e(g,g)^{q(d)(d-z)}$ and $o(d)-y=q(d)(d-z)$.

$\red{Supplement\hspace{1mm}1}$

polyIOP $PFR$ includes: $1)$To prove strictly lower triangularity of the matrices $A$ and $B$ must prove that $\log^{row_M(\gamma^i)}_{\omega}> \log^{col_M(\gamma^i)}_{\omega}$ for $i \in \{0,1,..,m-1\}$and $M\in\{A,B\}$. This does by $\red{Discrete-log\hspace{1mm} comparison\hspace{1mm} protocol}$. $2)$ To prove the first $t$ rows of $A$ and $B$ are all zeros must prove that $row_M(\mathbb{K})\subseteq\{\omega^t,\omega^{t+1},...,\omega^{n-1}\}$. This does by $\red{subset\hspace{1mm} over \hspace{1mm}\mathbb{K}\hspace{1mm} protocol}$. $3)$ To prove the diagonality of the matrix $C$ must prove that $seq_{\mathbb{K}}(row_C)=seq_{\mathbb{K}}(col_C)$where $seq_{\mathbb{K}}(h)=(h(k):k\in\mathbb{K})$. This does by $\red{Geometric\hspace{1mm} sequence}$ and $\red{zero\hspace{1mm}over\hspace{1mm}\mathbb{K}\hspace{1mm}protocols}$. $4)$ To prove the first $t$ rows of $C$ are all zeros must prove that there is a vector $v\in(\mathbb{F^*})^{n-t}$ so that $seq_{\mathbb{K}}(val_C)=\vec{v}||\vec{0}$ . This does by $\red{Geometric\hspace{1mm} sequence}$ and $\red{zero\hspace{1mm}over\hspace{1mm}\mathbb{K}\hspace{1mm}protocols}$.

$3$ and $4$ result that all the non-zero entries of the matrix $C$ are in the positions $(\omega^t,\omega^t),(\omega^{t+1},\omega^{t+1}),...,(\omega^n,\omega^n)$.

$\red{Supplement\hspace{1mm}2}$

polyIOP $AHP$ includes:

Example

40380552: 02f407b3 mul a1,s0,5 4038055e: 004c addi a1,s0,11 40380552: 02f407b3 mul a1,s0,26

LD R1, 4 Mul R1, 5 => Gate 1, p=181 Add R1, 11 => Gate 2, p=181 Mul R1, 26 (== Div R1, 7) => Gate 3, p=181

$R_1^{(1)}-4=0$ $R_1^{(2)}-5R_1^{(1)}=0$ $R_1^{(3)}-R_1^{(2)}-11=0$ $R_1^{(4)}-\frac{R_1^{(3)}}{7}=0$

• $\red{Setup(1^{\lambda},N)}$:

Suppose $d=111213119$. Run $PC.\hspace{1mm}Setup(1^{\lambda},d)$ based on $KZG$ as following: $PC.\hspace{1mm}Setup(1^{\lambda},d)$ outputs $pp=(g,\hspace{1mm}g^d,\hspace{1mm}g^{d^2},...,\hspace{1mm}g^{d^l})$ where $l$ is the maximum degree of polynomials that are used in scheme . Let the computation be done in $\mathbb{F}$ of order $p=181$. A generator of $\mathbb{F}$ is $g=2$, therefore $pp=(g,\hspace{1mm}g^d,\hspace{1mm}g^{d^2},...,\hspace{1mm}g^{d^l})=(2,2^{111213119},...,2^{111213119^8})$. Because $ord(2)=180$, then $2^{111213119}=(2^{180})^{617850}2^{119} \equiv2^{119}\equiv66(\textrm{mod}\hspace{1mm}181)$. Similarly, the rest of entries are computed and as a result $pp=(2,66,83,91,96,24,2,66,83)$.

• $\red{Commit(pp=(2,66,83,91,96,24,2,66,83),i=(A,B,C),r\in R=\mathbb{R}^{s_{AHP}(0)})}$:

A- Parse $r=(r_1,...,r_{s_{AHP}(0)})$ and $pp=(ck,vk)$.

B- Set $\overrightarrow{o}=Enc_{AHP}(i)$.

We consider $z=(1,x,w_1,w_2,y)$ where $w_1=5x$, $w_2=w_1+11$ and $y=\frac{w_2}{7}$. Therefore with input $x=4$, $z=(1,4,20,31,82)$. Note that the inverse of number $a$ in this field is $a^{p-2} (\textrm{mod}\hspace{1mm}p)$ , so $7^{-1}\equiv 26\hspace{1mm}(mod\hspace{1mm}181)$.

Based on $\blue{\bold{Construction}}$ obtain:

$A=\begin{bmatrix} 0&0&0&0&0\\ 0&0&0&0&0\\ 0&1&0&0&0\\ 1&0&0&0&0\\ 0&0&0&1&0\\ \end{bmatrix}$, $B=\begin{bmatrix}0&0&0&0&0\\0&0&0&0&0\\5&0&0&0&0\\11&0&1&0&0\\26&0&0&0&0\\\end{bmatrix}$and $C=\begin{bmatrix}0&0&0&0&0\\0&0&0&0&0\\0&0&1&0&0\\0&0&0&1&0\\0&0&0&0&1\\\end{bmatrix}$.

It can be seen that matrices $A$ and $B$ are $2-SLT$ and matrix $C$ is $2-Diag$. Also $Az\hspace{1mm}o\hspace{1mm}Bz=\begin{bmatrix}0\\0\\20\\31\\82\\\end{bmatrix}=Cz$.

To encode matrix $A$, consider multiplicative subgroup $\mathbb{H}$ of order $n=n_g+n_i+1=5$ with generator $\omega=2^{36}\equiv 59 (\textrm{mod}\hspace{1mm}181)$. Note that if $g$ is a generator of field $\mathbb{F}$ of order $p$, then $g^{\frac{p-1}{n}}$is a generator of a multiplicative subgroup of it of order $n$. Therefore $\mathbb{H}=\{1,\omega,\omega^2,\omega^3,\omega^4\}=\{1,59,42,125,135\}$.

Also, consider multiplicative subgroup $\mathbb{K}$ of order $m=\frac{n^2-n}{2}-\frac{t^2-t}{2}=9$ where $t=n_i+1$ with generator $\gamma=g^{\frac{p-1}{m}}=2^{20}\equiv43(\textrm{mod}\hspace{1mm}181)$. Therefore $\mathbb{K}=\{1,\gamma,\gamma^2,...,\gamma^8\}=\{1,43,39,48,73,62,132,65,80\}$.

First, build the polynomial $row_A(x)$. Since matrix $A$ has three non-zero entries the first of them is in the second row, so $c_0=2$ and $row_A(\gamma^0)=\omega^2$ , note that rows numbered of zero, the second is in the third row, so $c_1=3$ and $row_A(\gamma^1)=\omega^3$ and the third is in the fourth row, so $c_2=4$ and $row_A(\gamma^2)=\omega^4$.

According to the values ​​defined for $\gamma$ and $\omega$, we have $row_A(1)=42$, $row_A(43)=125$ and $row_A(39)=135$. Therefore based on Lagrange polynomials, have $row_A(x)=\sum_{i=1}^{3}y_iL_i(x)$, so$row_A(x)=42L_1(x)+125L_2(x)+135L_3(x)$, where $L_1(x)=\frac{(x-43)(x-39)}{(1-43)(1-39)}=\frac{(x-43)(x-39)}{(-42)(-38)}$. Now, since $-42\equiv139\hspace{1mm}(\textrm{mod}\hspace{1mm}181)$, $-38\equiv143\hspace{1mm}(\textrm{mod}\hspace{1mm}181)$, $-43\equiv138\hspace{1mm}(\textrm{mod}\hspace{1mm}181)$and $-39\equiv142\hspace{1mm}(\textrm{mod}\hspace{1mm}181)$, therefore $L_1(x)=\frac{(x+138)(x+142)}{(139)(143)}$and since $(139)(143)\equiv 148\hspace{1mm}(\textrm{mod}\hspace{1mm}181)$and $148^{-1}\equiv 170\hspace{1mm}(\textrm{mod}\hspace{1mm}181)$, have $L_1(x)=170(x+138)(x+142)=170x^2+178x+15$. We get in a similar way that $L_2(x)=167x^2+17x+178$ and $L_3(x)=25x^2+167x+170$. Therefore $row_A(x)=77x^2+109x+37$.

Now, we obtain $col_A(x)$. Since matrix $A$ has three non-zero entries the first of them is in the first column, so $r_0=1$ and $col_A(\gamma^0)=\omega^1$ , note that columns numbered of zero, the second is in the zero column, so $r_1=0$ and $col_A(\gamma^1)=\omega^0$ and the third is in the third column, so $r_2=3$ and $col_A(\gamma^2)=\omega^3$. Therefore $col_A(1)=59$, $col_A(43)=1$ and $col_A(39)=125$. So $col_A(x)=59L_1(x)+L_2(x)+125L_3(x)=109x^2+81x+50$.

Now, we obtain $val_A(x)$. Since matrix $A$ has three non-zero entries such that the value of all of them is one, therefore $v_0=v_1=v_2=1$. So, $val_A(x)=L_1(x)+L_2(x)+L_3(x)=1$.

Therefore, the matrix $A$ encodes by $row_A(x)=77x^2+109x+37$, $col_A(x)=109x^2+81x+50$ and $val_A(x)=1$.

Now, encode the matrix $B$. First, build the polynomial $row_B(x)$. Since matrix $B$ has four non-zero entries such that the first of them is in the second row, so $c_0=2$ and $row_B(\gamma^0)=\omega^2$ . The second and the third are in the third row, so $c_1=c_2=3$ and $row_B(\gamma^1)=row_B(\gamma^2)=\omega^3$ and the fourth is in the fourth row, so $c_3=4$ and $row_B(\gamma^3)=\omega^4$. Therefore, $row_B(1)=42$, $row_B(43)=125$, $row_B(39)=125$ and $row_B(48)=135$. So $row_B(x)=42L_1(x)+125L_2(x)+125L_3(x)+135L_4(x)$ where $L_1(x)=\frac{(x-43)(x-39)(x-48)}{(1-43)(1-39)(1-48)}=\frac{(x+138)(x+142)(x+133)}{(139)(143)(134)}=\frac{(x+138)(x+142)(x+133)}{103}$. Since $103^{-1}\equiv58\hspace{1mm}(\textrm{mod}\hspace{1mm}181)$, so $L_1(x)=58(x+138)(x+142)(x+133)=58x^3+62x^2+116x+127$. We get in a similar way that $L_2(x)=39x^3+7x^2+19x+116$, $L_3(x)=138x^3+155x^2+7x+62$ and $L_4(x)=127x^3+138x^2+39x+58$. Therefore $row_B(x)=76x^3+35x^2+174x+119$.

Now, we obtain $col_B(x)$. Since matrix $B$ has four non-zero entries that the first, second and fourth of them are in zero column, so $r_0=r_1=r_3=0$ and $col_B(\gamma^0)=col_B(\gamma^1)=col_B(\gamma^3)=\omega^0$ and the third is in the second column, so $r_2=2$ and $col_B(\gamma^2)=\omega^2$ . Therefore $col_B(1)=1$, $col_B(43)=1$, $col_B(39)=42$and $col_B(48)=1$. So $col_B(x)=L_1(x)+L_2(x)+42L_3(x)+L_4(x)=47x^3+20x^2+106x+9$.

Now, we obtain $val_B(x)$. Since matrix $B$ has four non-zero entries that value of them are $5$, $11$, $1$ and $26$, respectively. Therefore $v_0=v_1=v_2=1$$val_B(\gamma^0)=5$, $val_B(\gamma^1)=11$, $val_B(\gamma^2)=1$and $val_B(\gamma^3)=26$. So, $val_B(1)=5$, $val_B(43)=11$, $val_B(39)=1$and $val_B(48)=26$. Therefore $val_B(x)=5L_1(x)+11L_2(x)+L_3(x)+26L_4(x)=177x^3+148x^2+42$.

Therefore, the matrix $B$ encodes by $row_B(x)=76x^3+35x^2+174x+119$, $col_B(x)=47x^3+20x^2+106x+9$ and $val_B(x)=177x^3+148x^2+42$.

Now, build polynomial $row_C(x)$. In a similar way, Since matrix $C$ has three non-zero entries that are in the third, fourth and fifth rows, therefore $row_C(\gamma^0)=\omega^2$ , $row_C(\gamma^1)=\omega^3$ and $row_C(\gamma^2)=\omega^4$. Then $row_C(1)=42$ , $row_C(43)=125$ and $row_C(39)=135$. So$row_C(x)=42L_1(x)+125L_2(x)+135L_3(x)$, therefore $row_C(x)=77x^2+109x+37$.

Now, since $C$ is a diagonal matrix, polynomials $row_C(x)$ and $col_C(x)$are equal. Also, since the matrix $C$ has three non-zero entries such that the value of all of them is one, therefore $v_0=v_1=v_2=1$. So, $val_C(x)=L_1(x)+L_2(x)+L_3(x)=1$.