BLS based universal accumulator

This write-up follows this following paper.

Intro

In this write-up, we will discuss the practical implementation of a pairing based (bls12-381) dynamic universal accumulator. This basically means the ability to succinctly commit to a set of unique elements onchain, and prove (non)-membership (making it universal), while maintaining the ability to add and remove elements (making it dynamic). This all in the trustless setting of a plutus script (this design does use a trusted setup, which can be generated via an MPC). The nice thing about this approach is that the homomorphic property of the pairing, naturally allows for the batching of either membership or non-membership proofs, while keeping the proof size constant.

The intuition behind the Pairing

The fundamental property of the pairing that allows us to do interesting stuff is the possibility to multiply polynomials and compare them in a hidden way that ensures correctness. For this, we need a trusted setup of a secret value

τ

and its powers that no one knows. This setup is often called a common reference string, and we denote it with

C R S_{G_{1}} = {g_{1}, g_{1}^{τ}, g_{1}^{τ^{2}}, . . ., g_{1}^{τ^{d}}}

, and similar for

C R S_{G_{2}}

. We can use these

G_{1}

and

G_{2}

points to evaluate any polynomial in this secret value. This is done by calculating the coefficients of the polynomial and evaluating this via the common reference string in the secret value tau. As an example, consider the polynomial,

f (x) = 5 x^{3} + 2 x^{2} + x + 10

We can then evaluate it in

τ

over G1 via its values

C R S_{i}

A c c = C R S_{3}^{5} + C R S_{2}^{2} + C R S_{1} + C R S_{0}^{10}

Since

A c c = (g_{1}^{τ^{3}})^{5} + (g_{1}^{τ^{2}})^{2} + (g_{1}^{τ^{1}}) + (g_{1}^{τ^{0}})^{10} = g^{5 τ^{3} + 2 τ^{2} + τ + 10} = g^{f (τ)}

Now, besides this, there is a canonical way of multiplying polynomials and equating them to others via a pairing. In math notation, this means that if we have the three polynomials

f (x)

r (x)

and

h (x)

and the statement

f (x) = r (x) h (x)

, then we can prove this equality without providing the coefficients by first calculating

l_{1} = g_{1}^{f (τ)}, r_{1} = g_{1}^{h (τ)} and r_{2} = g_{2}^{r (τ)}

via the

C R S

as above. And then we can check via fixed sized commitments that

e (l_{1}, g_{2}) \overset{?}{=} e (r_{1}, r_{2})

To prove that

f (x) = r (x) h (x)

. In expanded form, this would be

e (g_{1}^{f (τ)}, g_{2}) \overset{?}{=} e (g_{1}^{h (τ)}, g_{2}^{r (τ)})

And it checks that the constructed commitments over the CRS are equal in

τ

f (τ) \overset{?}{=} h (τ) r (τ)

Now this last line is of course true if indeed

f (x) = r (x) h (x)

, and the converse of this statement is also true via Schwartz–Zippel lemma in this setting. This theorem basically says that the chance of this evaluation being correct in a random point

τ

that no one knows, is negligible.

So to reiterate and conclude, via the pairing we can commit to polynomials without providing the full polynomial, this while maintaining the ability to multiply them and equating them.

Setup for an accumulator

The basic idea of this accumulator is to represent the set of members as a polynomial with zero-point matching the set. So for a set of

n

unique element

S = {x_{1}, x_{2}, . . ., x_{n}}

we have the accumulation polynomial

A c c (x) = \prod_{i = 1}^{n} (x + x_{i})

making each

- x_{i}

a non-degenerate zero point of

A c c (x)

. Using a trusted setup (a power of tau) given by

C R S_{G 2} = {g_{2}, g_{2}^{τ}, g_{2}^{τ^{2}}, . . ., g_{2}^{τ^{d}}}

where

d > n

, we can calculate the coefficients of

A c c (x)

and map these over the G2 points in the

C R S_{G 2}

. As an example, consider the set

S = {2, 3, 5, 7, 11}

, then we have that

(x + 2) (x + 3) (x + 5) (x + 7) (x + 11) = x^{5} + 28 x^{4} + 288 x^{3} + 1358 x^{2} + 2927 x + 2310

A c c = g^{A c c (τ)} = C R S_{5} + C R S_{4}^{28} + C R S_{3}^{288} + C R S_{2}^{1358} + C R S_{1}^{2927} + C R S_{0}^{2310}

here

C R S_{i} = g_{2}^{τ^{i}}

Prove membership

Say now we want to prove for a set

S = {x_{1}, x_{2}, . . ., x_{n}}

, that a set

s = {x_{s_{1}}, x_{s_{2}}, . . ., x_{s_{k}}}

is a subset of

S

, then we can use the polynomial remainder theorem to do so. This theorem relates a divider of a polynomial with the remainder and the quotient. That is, for any polynomial

f (x)

and

h (x)

, we have that

f (x) = q (x) h (x) + r (x)

where

q (x)

is the unique quotient and

r (x)

the remainder of a division of

f (x)

with

h (x)

. Moreover, this theorem says that

r (x)

is zero, if all zero points of

h (x)

are also zero points of

f (x)

. So to use this to our advantage for a subset

s

, we construct the polynomial

h (x) = \prod_{i = 1}^{k} (x + x_{s_{i}})

then the polynomial remainder theorem gives us that there exist another unique polynomial

q (x)

such that

f (x) = h (x) q (x)

And given the definition of

f (x)

, it is clear that the only possible definition of this divisor should be the accumulation polynomial over the set

S ∖ s

. So

q (x) = \prod_{x_{i} \in S ∖ s} (x + x_{i})

because clearly,

f (x) = \prod_{i = 1}^{n} (x + x_{i}) = (\prod_{x_{i} \in S ∖ s} (x + x_{i})) * (\prod x_{j} \in s (x + x_{j})) + 0 = q (x) * h (x) + r (x)

And since our subset is indeed a proper subset,

h (x)

and

f (x)

divide without a remainder (

r (x) = 0

). Now, using the trick where we evaluate these polynomials over the CRS and compare them using the pairing, we can prove onchain membership. That is, given a commitment of set

A c c

in G2, we calculate

p r o o f = g_{2}^{q (τ)} = \sum_{i} C R S_{i}^{c_{i}}

and verify that for the coefficients

e_{i}

of the polynomial

h (x) = \prod_{i = 1}^{k} (x + x_{s_{i}})

e (g_{1}, A c c) \overset{?}{=} e (\sum_{j} C R S_{j}^{e_{i}}, p r o o f)

Note that if you do this onchain, you need to perform

n + 1

G1 addition and scalar multiplication, as the sum is performed onchain.

Prove non-membership

Say now we want to prove for a set

S = {x_{1}, x_{2}, . . ., x_{n}}

, that a set

s = {x_{s_{1}}, x_{s_{2}}, . . ., x_{s_{k}}}

is not a subset of

S

, then we can use Bézout's identity. This relates the zero points of two polynomials by saying that the greatest common divisor between them is precisely their overlap in zero points. Moreover, for

f (x)

and

h (x)

, there exist an

a (x)

and

b (x)

so that

g c d (f (x), h (x)) = f (x) * a (x) + h (x) * b (x)

Now if there is no overlap in zero points, the gcd is one, which is something we can verify succinctly via the pairing check! This

a (x)

and

b (x)

can be calculated via the extended Euclidean algorithm for polynomials. And thus, given this setup, we can prove non membership via

e (g_{1}, g_{2}) = e (A c c, A) * e (\sum_{j} C R S_{j}^{e_{i}}, B)

Here

A

and

B

are the polynomials found by the extended Euclidean algorithm committed over the CRS. The sum of coefficients of our disjoint set is the same as in the membership proofs. This above equation thus checks that

1 \overset{?}{=} a c c (τ) * a (τ) + h (τ) * b (τ)

Discussion

The above two ways of proving (non)-membership can be combined to make a dynamic onchain accumulator. For removal of a set a membership proof has to be provided, and since the proof is precisely the remainder of the accumulated set without the subset that is being proved, this proof can be used as the new accumulator.

For adding a set of elements, one first has to prove that the elements were not a member, after which the found commitment to the disjoint set can be multiplied with the old accumulator. This effectively is a membership proof of the new state with as proof the old accumulator (the reverse of removal).

We see that in the removal case, this method is highly efficient as there is no overhead since the proof is the new state. For the addition, this unfortunately requires both kind proofs.