Here we present two CP-SNARKs for the commitment schemes $\mathsf{CS}_1, \mathsf{CS}_2$ and the relation $R_{\mathsf{opn}}$ (which essentially provides a proof of knowledge of the committed polynomials). For our results, we are interested in proving this relation only over commitments of type $\mathsf{swh}$.

A CP-SNARK in the algebraic group model. The first CP-SNARK, $\mathsf{CP}^{\mathsf{AGM}}_{\mathsf{opn}}$, is actually a trivial scheme in which the proof is the empty string. Its knowledge-soundness can be shown in the algebraic group model [FKL18], where any adversary that returns a commitment is assumed to know coefficients which explain it as a linear combination of the public parameters, the $\mathsf{ck}$. This observation was already made in previous work, e.g., [GWC19, CHM+20], and thus we omit the details of the analysis.

Theorem 7.2. $\mathsf{CP}^{\mathsf{AGM}}_{\mathsf{opn}}$ is a CP-SNARK for $R_{\mathsf{opn}}$ over $\mathsf{CS}_1$ (resp. $\mathsf{CS}_2$) that is $\mathsf{swh}^{\ell}$-restricted complete, perfectly zero-knowledge and knowledge-sound in the algebraic group model.

$^{17}$ For this reason, all the CP-SNARKs given for this commitment scheme will omit $o$ from the prover's inputs.

A CP-SNARK under the mPKE assumption. The second CP-SNARK, $\mathsf{CP}^{\mathsf{PKE}}_{\mathsf{opn}}$, is novel and provides extractability based on the mPKE assumption and, when used on more than one commitment, on the random oracle heuristic. In a nutshell, this scheme uses the classical technique of giving as a proof a group element $\pi_{\mathsf{opn}}$ such that $\pi_{\mathsf{opn}} = \gamma \cdot c$ for some secret $\gamma \in \mathbb{F}$; this $\pi_{\mathsf{opn}}$ can be honestly computed by using the same linear combination used to compute $c$. What is new in our scheme is a way to batch this proof for $\ell$ commitments in such a way that we have only one extra group element as a proof, instead of $\ell$ elements.

$\mathsf{CP}^{\mathsf{PKE}}_{\mathsf{opn}}.\mathsf{KeyGen}(\mathsf{ck})$: parse $\mathsf{ck}$ as $(\mathsf{ck}_1, \mathsf{ck}_2)$ with $\mathsf{ck}_1 \in \mathbb{G}_1^{d+1}$, sample $\gamma \leftarrow_{\$} \mathbb{F}$, define $\mathsf{ek} := (\mathsf{ck}, \gamma \cdot \mathsf{ck}_1)$ and $\mathsf{vk} := [1, \gamma]_2$, and return $\mathsf{srs} := (\mathsf{ek}, \mathsf{vk})$.

$\mathsf{CP}^{\mathsf{PKE}}_{\mathsf{opn}}.\mathsf{Prove}(\mathsf{ek}, (c_j)_{j\in[\ell]}, (p_j)_{j\in[\ell]})$: for $j \in [\ell]$ compute $\pi_j \leftarrow [\gamma \cdot p_j(s)]_1$, next compute $(\rho_1, \ldots, \rho_\ell) \leftarrow H((c_j)_{j\in[\ell]})$ and output $\pi_{\mathsf{opn}} := \sum_j \rho_j \pi_j$.

$\mathsf{CP}^{\mathsf{PKE}}_{\mathsf{opn}}.\mathsf{Verify}(\mathsf{vk}, (c_j)_{j\in[\ell]}, \pi_{\mathsf{opn}})$: compute $(\rho_1, \ldots, \rho_\ell) \leftarrow H((c_j)_{j\in[\ell]})$ and $c := \sum_j \rho_j c_j$. Output 1 if and only if $e(c, [\gamma]_2) = e(\pi_{\mathsf{opn}}, [1]_2)$.

Remark 11 (On updatable SRS generation). Note that the SRS of this CP-SNARK can be generated by having access to the commitment key (without needing to know its trapdoor), and it is easy to see how it can be generated in an updatable fashion, with the correctness of every element efficiently checkable using a pairing. Generating the SRS of $\mathsf{CP}_{\mathsf{opn}}$ after the commitment key $\mathsf{ck}$ would however require an additional sequence of rounds in the SRS ceremony. Although this can still be useful when re-using an existing commitment key, it is annoying if the goal is to generate $\mathsf{ck}$ and the $\mathsf{CP}_{\mathsf{opn}}$ SRS together. In the latter case, however, it is easy to see that they can be generated together with a single sequence of rounds in the ceremony, i.e., such that at every round the $i$-th participant outputs its version of $(\mathsf{ck}, \gamma \cdot \mathsf{ck}_1)$.

Efficiency. Key generation requires $d+1$ exponentiations in $\mathbb{G}_1$ to generate $\gamma \cdot \mathsf{ck}_1$, and one in $\mathbb{G}_2$ to compute $[\gamma]_2$. The prover can be implemented so as to require $d$ $\mathbb{G}_1$-exponentiations and $O(\ell \cdot d)$ $\mathbb{F}$-operations, where $d \ge \max_{j \in [\ell]}\{\deg(p_j)\}$. This is done by computing $p(X) \leftarrow \sum_j \rho_j p_j(X)$ and then $\pi_{\mathsf{opn}} \leftarrow [\gamma \cdot p(s)]_1$. Verification requires 2 pairings, $\ell$ $\mathbb{G}_1$-exponentiations, and one hash computation.

Security. In the following theorem we state the security of $\mathsf{CP}^{\mathsf{PKE}}_{\mathsf{opn}}$.

Theorem 7.3. $\mathsf{CP}^{\mathsf{PKE}}_{\mathsf{opn}}$ is a CP-SNARK for $R_{\mathsf{opn}}$ over $\mathsf{CS}_1$ (resp. $\mathsf{CS}_2$) that is $\mathsf{swh}^{\ell}$-restricted complete, perfectly zero-knowledge and knowledge-sound under the mPKE assumption in the random oracle model.

Proof. Completeness is obvious. Zero-knowledge is also rather easy to see: a simulator that knows $\gamma$ can perfectly simulate proofs without knowing the witness. Before proving knowledge soundness we recall a useful form of the Chernoff-Hoeffding bound [DP09].

Lemma 7.4. Let $X := \sum_{j \in [n]} X_j$ where $X_1, \ldots, X_n$ are independently distributed in $[0,1]$. Then for all $t > 0$:

$$\Pr[X < \mathbb{E}[X] - t] \le 2^{-2t^2/n}.$$

Let $A$ be a (non-uniform PT) adversary and $Z$ be an auxiliary input distribution such that, for any $E$, the probability that $A$ outputs a statement $(c_j)_{j\in[\ell]}$ and a valid proof $\pi$ is $\varepsilon$ in the game $\mathsf{Game}^{\mathsf{KSND}}_{\mathsf{RG}, Z, A, E}$ (where $\mathsf{RG}$ is the dummy algorithm that outputs $R_{\mathsf{opn}}$). Moreover, let $W$ be the event that the adversary outputs a valid statement-proof tuple. (Obviously, $\Pr[W] = \varepsilon$.)

Consider the following adversary $B$ and auxiliary distribution $Z'$ against the mPKE assumption.

The distribution $Z'(\Sigma)$ computes the structured reference string $\mathsf{srs}$ of $\mathsf{CP}_{\mathsf{opn}}$ from $\Sigma$, runs $\mathsf{aux}_Z \leftarrow Z(R_{\mathsf{opn}}, \mathsf{srs})$ and outputs $(\mathsf{srs}, \mathsf{aux}_Z)$.

Adversary $B_{i,\mathbf{h}}(\Sigma, (\mathsf{srs}, \mathsf{aux}_Z); \rho)$:

1. Let $K = 2\ell\varepsilon^{-1} q(1+\lambda)$ and parse $\rho = (h^{(j)}_k)_{i \le k \le q,\, j \in [K]}$, where $h^{(j)}_k \in \mathbb{Z}_q^{\ell}$ and $q$ is the maximum number of random oracle queries made by an execution of $A$.

2. Compute $\mathsf{ck}$ from $\Sigma$, run $A(R_{\mathsf{opn}}, \mathsf{ck}, \mathsf{srs}, \mathsf{aux}_Z)$ and answer the first $i-1$ queries of $A$ to the random oracle with the values $\mathbf{h} = h_1, \ldots, h_{i-1}$. Let $\mathsf{st}$ be the state of $A$ just before the $i$-th query is sent.

3. For $j = 1, \ldots, K$ run the following:

   (a) Run $A$, feeding it the value $h^{(j)}_k$ at the $k$-th query. Let $(\hat{x}_j, \pi_j)$ be the output of $A$ and let $b_j \leftarrow \mathsf{Verify}(\mathsf{srs}, \hat{x}_j, \pi_j)$.

   (b) Rewind $A$ to the state $\mathsf{st}$.

4. Assert $\sum_j b_j \ge \ell$; let $H$ be a subset of cardinality $\ell$ of the indexes $j$ such that $b_j = 1$, and define the square matrix $M$ whose columns are the vectors $h^{(j)}_i \in \mathbb{Z}_q^{\ell}$ for $j \in H$.

5. Assert that $M$ is full rank.

6. Assert that for all $j, j'$ we have $\hat{x}_j = \hat{x}_{j'}$. If so, parse them as $(c_j)_{j\in[\ell]}$.

7. Compute $(d_j)_{j\in[\ell]} = (\pi_j)_{j\in H} \cdot M^{-1}$ and output $(c_j)_{j\in[\ell]}, (d_j)_{j\in[\ell]}$.

The adversary $B$ is parameterized by an index $i$ and values $h_1, \ldots, h_{i-1}$ where $h_j \in \mathbb{Z}_q^{\ell}$.

First we notice that if the adversary $B$ does not abort then it outputs values $(c_j)_{j\in[\ell]}$ and $(d_j)_{j\in[\ell]}$ such that for all $j \in [\ell]$: $\gamma \cdot c_j = d_j$. Indeed, by the verification in step 3a, for any $j$ we set $b_j$ to 1 if and only if $\gamma \cdot \sum_k h_{j,k} c_k = \pi_j$, where we parse $h^{(j)}_i = (h_{j,1}, \ldots, h_{j,\ell})$; thus $(\pi_j)_{j\in H} = \gamma \cdot (c_j)_{j\in[\ell]} \cdot M$, and hence $(\pi_j)_{j\in H} \cdot M^{-1} = \gamma \cdot (c_j)_{j\in[\ell]}$.
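The linear-algebra core of steps 4 to 7 of $B$, as an added example (not from the paper): given $\ell$ accepting rewinds with independent challenge vectors $h^{(j)}$, the matrix $M$ with columns $h^{(j)}$ is inverted over $\mathbb{Z}_q$ and $(\pi_j)_{j\in H} \cdot M^{-1}$ recovers $\gamma \cdot c_j$ for every $j$. The field size $Q$, the commitments and the adversary's success pattern are constructed values; the "adversary" is simulated by emitting exactly the proofs that $\mathsf{Verify}$ accepts, i.e. $\pi_j = \gamma \cdot \sum_k h_{j,k} c_k$. A singular $M$ (the failure mode of step 5) is reported rather than silently inverted.

```python
import random

# Constructed toy field Z_Q for the challenge vectors and commitments (assumption: any
# prime works; the paper's Z_q is the scalar field of the pairing group).
Q = 1_000_000_007


def mat_inverse_mod(M, q=Q):
    """Gauss-Jordan inversion of a square matrix over Z_q.
    Returns None if M is singular, which is what step 5 of B asserts against."""
    n = len(M)
    A = [[x % q for x in row] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for col in range(n):
        piv = next((r for r in range(col, n) if A[r][col]), None)
        if piv is None:
            return None
        A[col], A[piv] = A[piv], A[col]
        inv = pow(A[col][col], -1, q)
        A[col] = [x * inv % q for x in A[col]]
        for r in range(n):
            if r != col and A[r][col]:
                f = A[r][col]
                A[r] = [(x - f * y) % q for x, y in zip(A[r], A[col])]
    return [row[n:] for row in A]


def vec_mat_mod(v, M, q=Q):
    """Row vector v times matrix M over Z_q."""
    return [sum(v[i] * M[i][j] for i in range(len(M))) % q for j in range(len(M[0]))]


def simulate_rewinds(c, gamma, K, rng):
    """What B observes in step 3: K rewinds, each with a fresh challenge vector h^(j) for
    the i-th oracle query, and on each run the proof pi_j = γ·Σ_k h_{j,k} c_k that
    Verify accepts. Here every rewind succeeds; real runs succeed only with prob ≥ ε/(2q)."""
    ell = len(c)
    hs = [[rng.randrange(Q) for _ in range(ell)] for _ in range(K)]
    pis = [gamma * sum(h[k] * c[k] for k in range(ell)) % Q for h in hs]
    return hs, pis


def extract_openings(hs, pis, bs):
    """Steps 4-7 of B: take ℓ accepted transcripts H, build M with columns h^(j) (j in H),
    and return d = (pi_j)_{j in H} · M^{-1}. Returns None if an assertion of B fails."""
    ell = len(hs[0])
    H = [j for j, b in enumerate(bs) if b][:ell]
    if len(H) < ell:
        return None                                    # step 4: fewer than ℓ successes
    M = [[hs[j][r] for j in H] for r in range(ell)]    # column j of M is h^(j)
    Minv = mat_inverse_mod(M)
    if Minv is None:
        return None                                    # step 5: M is not full rank
    return vec_mat_mod([pis[j] for j in H], Minv)      # step 7: d = π · M^{-1} = γ · c


def demo(ell=3, K=6, seed=1):
    """Returns True iff the extracted d_j equal γ·c_j for all j (constructed inputs)."""
    rng = random.Random(seed)
    c = [rng.randrange(Q) for _ in range(ell)]         # constructed commitments as field elements
    gamma = rng.randrange(1, Q)
    hs, pis = simulate_rewinds(c, gamma, K, rng)
    bs = [True] * K                                    # constructed: all K rewinds accepted
    d = extract_openings(hs, pis, bs)
    return d == [gamma * cj % Q for cj in c]


if __name__ == "__main__":
    print(demo())
```

The extraction needs only that the $\ell$ selected challenge vectors be linearly independent, which is why $B$ draws them uniformly from $\mathbb{Z}_q^{\ell}$ and why step 5 fails only with probability negligible in the field size.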

We analyze the probability that $B$ does not abort. Let $Q_j$ be the event that the adversary $A$ queries the random oracle with $(c_j)_{j\in[\ell]}$ (the output instance) at the $j$-th random oracle query. Let $i$ be the index that maximizes the probability $\Pr[W \wedge Q_i]$. It is easy to see that $\Pr[W \wedge Q_i] \ge \varepsilon/q$. Let $\mathbf{h}$ be the assignment of the first $i-1$ queries that maximizes the probability $\Pr[W \wedge Q_i]$; by an averaging argument there must exist an $\mathbf{h}$ such that, conditioned on this assignment, $\Pr[W \wedge Q_i \mid \mathbf{h}] \ge \varepsilon/q$.

Given an assignment $\mathsf{aux}_Z$, we call it good if $\Pr[W \wedge Q_i \mid \mathbf{h}, \mathsf{aux}_Z] \ge \varepsilon/(2q)$. By a simple averaging argument we have that with probability $1/2$ an output $\mathsf{aux}_Z$ of $Z$ is good. Also we notice that if we fix $\mathbf{h}$ and $\mathsf{aux}_Z$ then the random variables $b_1, \ldots, b_K$ are independent, and if $\mathsf{aux}_Z$ is good then each of them has average greater than or equal to $\varepsilon/(2q)$; thus by the Chernoff-Hoeffding bound we have that:

$$\Pr\Big[\sum_j b_j \ge \ell \,\Big|\, \mathbf{h}, \mathsf{aux}_Z\Big] \ge 1 - \mathsf{negl}(\lambda).$$
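As an added worked step (not in the original), here is how the choice of $K$ in step 1 of $B$, i.e. $K = 2\ell q(1+\lambda)/\varepsilon$, yields this bound from Lemma 7.4 with $X := \sum_{j \in [K]} b_j$ and $n = K$. Since each $b_j$ has mean at least $\varepsilon/(2q)$,

$$\mathbb{E}[X] \ \ge\ K \cdot \frac{\varepsilon}{2q} \ =\ \ell(1+\lambda).$$

Setting $t := \mathbb{E}[X] - \ell \ \ge\ \ell\lambda > 0$, the event $X < \ell$ is exactly $X < \mathbb{E}[X] - t$, so

$$\Pr[X < \ell] \ \le\ 2^{-2t^2/K} \ \le\ 2^{-2\ell^2\lambda^2/K} \ =\ 2^{-\ell\lambda^2\varepsilon/(q(1+\lambda))},$$

which is negligible in $\lambda$ whenever $\varepsilon/q$ is non-negligible, which is the case of interest: $q$ is polynomial, and a non-negligible $\varepsilon$ is precisely what the reduction must turn into a break of mPKE.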

Thus the assertion in step 4 passes with overwhelming probability. We notice that the assertion in step 5 passes with overwhelming probability as the rows of $M$ are random vectors in $\mathbb{Z}_q^{\ell}$, and the assertion in step 6 always passes because, once $\mathbf{h}$ and $\mathsf{aux}_Z$ are fixed, the $i$-th query of the adversary $A$ is a deterministic function of $\mathsf{srs}$. Putting everything together, the probability that $B$ does not abort is greater than $1/2 - \mathsf{negl}(\lambda)$.

We are ready to define the extractor for the knowledge soundness experiment. Roughly speaking, the extractor calls the extractor of $B$; however, the reduction $B$ is a probabilistic polynomial time algorithm. Thanks to non-uniformity we can fix the randomness of $B$ to a string $\rho$ that maximizes the probability of $B$ outputting valid tuples. Thus let $B'$ be the non-uniform PT algorithm that runs $B$ with its randomness set to $\rho$.

Let $E$ be the extractor of $B'$, assumed to exist thanks to the mKEA assumption. The extractor outputs vectors $a^{(j)}$ for any $j \in [\ell]$. We let the extractor for $A$ simply run $E$ and output what it does. By the mPKE assumption, we have $c_j = \sum_k a^{(j)}_k s^k$ (as otherwise $B$ would break the mPKE assumption).

Remark 12 (Efficiently composing $\mathsf{CP}_{\mathsf{opn}}$ with other SNARKs). All of the CP-SNARKs in this section apply $\mathsf{CP}_{\mathsf{opn}}$ to obtain extractability of the committed polynomials. More precisely, this is true only for polynomials of type $\mathsf{swh}$; we assume the adversary always opens commitments of type $\mathsf{rel}$. The proofs of the CP-SNARKs we present in this section are all of the form $(\pi_{\mathsf{opn}}, \pi)$, where the first part, $\pi_{\mathsf{opn}}$, is a proof of knowledge of a valid opening for the commitments in input. A straightforward composition of these CP-SNARKs would redundantly prove knowledge of the openings of the same commitments; therefore, we do not use black-box composition: given a CP-SNARK $\mathsf{CP} = (\mathsf{KeyGen}, \mathsf{Prove}, \mathsf{Verify})$ we define variants of $\mathsf{Prove}$ and $\mathsf{Verify}$ that work just as $\mathsf{Prove}$ and $\mathsf{Verify}$, respectively, except that they do not compute/verify the proof $\pi_{\mathsf{opn}}$.