--- breaks: false --- $$ \def\Fp{\mathbb{F}_p} \def\FF{\Fp^{\scriptscriptstyle{(<n)}}[X]} \def\com{\mathbf{com}} \def\range#1{[{#1}]} $$ # A Simple Range Proof From Polynomial Commitments ### Dan Boneh, Ben Fisch, Ariel Gabizon, and Zac Williamson --- Let's construct a simple zero knowledge range proof from a hiding polynomial commitment scheme (PCS). ### The setup Let $p$ be a prime, where $p > 2^n$ for some $n$. We want a commitment scheme for elements in $\Fp$ that allows a prover to efficiently convince a verifier that a committed quantity $z \in \Fp$ is in the range $0 \leq z < 2^n$. We show that for a committed $z \in \Fp$, the prover can provide an HVZK proof to convince the verifier that $0 \leq z < 2^n$ by committing to **two** polynomials of degree $(n+1)$, and running the polynomial evaluation protocol **three** times. Therefore: - For the pairing-based polynomial commitment scheme of Kate, Zaverucha and Goldberg, this gives a range proof of length $O_\lambda(1)$ that can be verified in time $O_\lambda(1)$, with a trusted setup and an updatable SRS of size $O_\lambda(n)$. - For the DARK polynomial commitment scheme of Bünz, Fisch, and Szepieniec, this gives a range proof of length $O_\lambda(\log n)$ that can be verified in time $O_\lambda(\log n)$, with no trusted setup. - For comparison, recall that Bulletproofs give a range proof with no trusted setup of length $O_\lambda(\log n)$ that can be verified in time $O_\lambda(n)$. In what follows we use $\FF$ to denote polynomials in $\Fp[X]$ of degree less than $n$. We assume that $n$ divides $p-1$ so that there is an element $\omega \in \Fp$ of order $n$. Let $H = \{1,\omega,\omega^2,\ldots,\omega^{n-1}\}$. ### The commitment scheme Suppose that we have available a hiding and binding PCS for polynomials in $\FF$. Moreover, we assume that the polynomial evaluation protocol is HVZK. To commit to an element $z \in \Fp$, choose an arbitrary polynomial $f \in \FF$ such that $f(1) = z$. Taking $f$ as the constant polynomial $f(X) = z$ is sufficient. The commitment to $z$ is the polynomial commitment $\com_f$ to $f$. If the PCS is additive, then the commitment scheme is additively homomorphic: given commitments to $z_1$ and $z_2$ in $\Fp$, anyone can construct a commitment to $z_1+z_2$. ### Range proof for the range $[0,2^n)$ Let $\com_f$ be a commitment to $z \in \Fp$ so that $f(1) = z$, as above. Let $z_0, \ldots, z_{n-1} \in \{0,1\}$ be the binary digits of $z$, so that $z = \sum_{i=0}^{n-1} 2^{i} \cdot z_i$. Now, given $\com_f$, the prover proves that $0 \leq z < 2^n$, by constructing a degree-$(n-1)$ polynomial $g \in \FF$ such that $$ g(\omega^{n-1}) = z_{n-1} \quad\text{and}\quad \text{$g(\omega^{i}) = 2 g(\omega^{i+1}) + z_{i}\ $ for all $i=n-2,\ldots,0$.} $$ Observe that $g(1) = g(\omega^0) = \sum_{i=0}^{n-1} 2^{i} \cdot z_i = z$. Now the prover needs to prove three things: 1. $\ \ g(1) = f(1)$, 2. $\ \ g(\omega^{n-1}) \in \{0,1\}$, &nbsp; and 3. $\ \ g(X) - 2 g(X \omega) \in \{0,1\}$ &nbsp; for all $x \in H \setminus \{\omega^{n-1}\}$. Condition (1) proves that $g(1) = z$; Conditions (2) and (3) prove that $z_0, \ldots, z_{n-1}$ are all in $\{0,1\}$ and are the binary digital of $z$. Together, these conditions prove that $0 \leq z < 2^n$, as required. To prove Conditions (1)-(3), the prover sends to the verifier a polynomial commitment to $g$. It then proves to the verifier that the following polynomials evaluate to zero for all $x \in H$: $$ \begin{align*} w_1(X) & = (g - f) \cdot \textstyle{\left(\frac{X^{n}-1}{X-1}\right)} , \\[2mm] w_2(X) & = g \cdot (1 - g) \cdot \textstyle{\left(\frac{X^{n}-1}{X-\omega^{n-1}}\right)} , \quad\text{and} \\[2mm] w_3(X) & = \big[g(X) - 2 g(X \omega)\big] \cdot \big[1 - g(X) + 2 g(X \omega)\big] \cdot (X - \omega^{n-1}). \end{align*} $$ This can be done efficiently using a batch opening technique described in [this paper](https://eprint.iacr.org/2020/081). The verifier sends a radom $\tau \in \Fp$ to the prover, and the prover computes the quotient polynomial $$q(X) = (w_1 + \tau w_2 + \tau^2 w_3) / (X^{n}-1).$$ The prover sends a polynomial commitment to $q$ to the verifier, and then proves that the polynomial $$ w(X) = w_1 + \tau w_2 + \tau^2 w_3 - q \cdot (X^{n}-1) $$ is the zero polynomial. To do so, the verifier sends a random $\rho \in \Fp$ to the prover, and together they run the evaluation protocol three times: once for $g(\rho)$, once for $g(\rho \omega)$, and once for evaluating $\hat{w}(\rho)$, where $\hat{w}(X) = f(X) \cdot \left(\frac{\rho^n - 1}{\rho-1}\right) + q(X) \cdot (\rho^n-1)$. This $\hat{w}$ is a linear combination of $f$ and $q$, and therefore the verifier can construct a commitment to $\hat{w}$ using the additiving property of the PCS. The three evaluations, $g(\rho)$, $\hat{w}(\rho)$, and $g(\rho \omega)$, along with $\rho$ and $\tau$, are sufficient to evaluate $w(\rho)$ and confirm that the result is zero. This proves, with high probability, that $w$ is the zero polynomial. There is one remaining issue, which is that revealing $g(\rho)$, $\hat{w}(\rho)$, and $g(\rho \omega)$ is not zero-knowledge. The fix is simple: the prover constructs $g$ as a degree $n+1$ polynomial by interpolating $g$ to a random value at two more points $\omega', \omega''$ outside $H$. That is, $g$ is defined in exactly the same way on all points in $H$, but $g(\omega') = \alpha$ and $g(\omega'') = \beta$ for random $\alpha, \beta \in \Fp$ and $\omega, \omega' \not \in H$. Since $g$ has the same values over all points in $H$, this has no effect on the relations checked above. This is zero-knowledge because $g(\rho)$ and $g(\rho \omega)$ can now be simulated as independent random values in $\Fp$. Moreover, the value of $\hat{w}(\rho)$ is completely determined by the fact that $w(\rho) = 0$, and can therefore also be simulated. Note that we need to restrict the choice of $\rho$ to $(\Fp \setminus H)$ to ensure that the simulation is valid. This entire process makes two polynomial commitments, to $g$ and $q$, and uses the polynomial evaluation protocol three times to evaluate $g(\rho)$, $\hat{w}(\rho)$, and $g(\rho \omega)$. We note that, if needed, it is possible to reduce the degree of $g$ by writing $z$ in a base greater than 2. ### Other constructions The [Bulletproofs paper](https://eprint.iacr.org/2017/1066.pdf) (Section 4.1) shows how to implement a range proof using an inner-product argument. The DARK paper shows how to implemement an inner-product argument using a polynomial commitment scheme. Combining the two gives another way to construct a range proof from a polynomial commitment scheme with similar properties as the range proof described above. Interestingly, the resulting protocol is quite different. ### Implementation/related work This scheme initially appeared as a component of [Turbo Plonk](https://github.com/AztecProtocol/barretenberg/blob/master/src/barretenberg/waffle/proof_system/widgets/turbo_range_widget.cpp) by Ariel Gabizon and Zac Williamson
Last changed by  
dabo
6203

Read more

How to Build a Private DAO on Ethereum

$$ \def\Zq{\mathbb{Z}_q} \def\EE{\mathbb{E}} \def\deq{\mathrel{\mathop:}=} \def\range#1{[{#1}]} \def\PK{\textit{pk}} \def\SK{\textit{sk}} \def\ct{\textit{ct}} $$

4/30/2022
How to Store a Permutation Compactly

$$ \def\Fp{\mathbb{F}_p} \def\deq{\mathrel{\mathop:}=} \def\range#1{[{#1}]} \def\alg#1{\textsf{#1}} \def\rank{\textsf{rank}} \def\msb{\textsf{msb}} \def\bit{\textsf{bit}} \def\mib#1{\color{blue}{\mathbf{{#1}}}} \def\mir#1{\color{red}{\mathbf{{#1}}}}

2/19/2022
Read more from dabo
Published on HackMD