Ring Proof Specification

22-08-2024-draft-6

Abstract

This document describes a cryptographic scheme based on SNARKs (Succinct Non-Interactive Arguments of Knowledge) that enables a prover to demonstrate knowledge of a secret scalar

t and a secret index
k
within a group of public keys, where each public key is a point on an elliptic curve. The scheme ensures that, when combined with a public elliptic curve point
H
, the relation
R=PKk+t·H
is satisfied. It leverages elliptic curve operations, a polynomial commitment scheme, and the Fiat-Shamir heuristic to achieve non-interactivity and zero-knowledge properties.

1. Notation

1.1. Basics

Basic Sets

  • Nk={0,,k1}
  • B=N2

Vectors Operations

  • x=(x0,,xn1), xi=xi, 0i<n
  • ab=(a0,,an1,b0,,bm1)
  • xn=(x,,x)Xn

Kronecker Delta

  • δij={1i=j0ij

Lagrange Basis Polynomials

  • Li=LD,iF[X]<N,  iNN,  Li(ωj)=δij

1.2. Curves and Fields

  • ω=DF,  |D|=NN
    • Cyclic subgroup generated by
      ω
      in the multiplicative group
      F
      .

Elliptic Curves

  • J=J/F
    Elliptic curve
    J
    defined over the field
    F
    .
  • J~=J(F)
    Group of
    F
    -rational points on
    J
    .
  • JJ~
    Prime order subgroup of
    J~
    .

Scalar Field

  • FJ
    Field associated with the elliptic curve
    J
    , with
    |FJ|=|J|
    .
  • NJ=log2|FJ|
    Number of bits to represent an element of
    FJ
    .
  • NK=NNJ4
    Maximum size of the ring handled with a domain of size
    N
    .

1.3. Support Functions

Unzip

  • unzip:Jk(Fk,Fk);  p(px,py)
    • Given a vector
      p
      of
      k
      elliptic curve points,
      unzip
      separates
      p
      into two vectors:
      px
      and
      py
      , containing the
      x
      and
      y
      coordinates of each point, respectively.

Polynomial Interpolation

  • Interpolate:FkF[x]<k;  xf
    • Construct a polynomial by interpolating the vector values over
      D

Polynomial Commitment Scheme

  • PCS.Commit:F[x]G;  fCf

    • Commits to a polynomial
      f
      over
      F
      , with commitment in group
      G
      .
  • PCS.Open:(G,F)(F,Π);  (Cf,x)(y,π)

    • Evaluates the committed polynomial
      f
      at point
      x
      , returning evaluation
      y
      and proof
      π
      . The proof domain
      Π
      depends on the PCS.
  • PCS.Verify:(G,F,F,Π)B;  (Cf,x,y,π)(0|1)

    • Verifies whether
      y=f(x)
      given the commitment
      Cf
      and proof
      π
      .

Fiat-Shamir Transform

  • FS:SF; sx
    • Maps a serializable object
      sS
      to
      F
      , typically via some cryptographically secure hash function.

2. Parameters

2.1. Scheme Specific

  • J
    Padding element, a point on
    J
    with unknown discrete logarithm.
  • HJ
    Pedersen blinding base point.
  • H=(H,2H,4H,,2NJ1H)JNJ
    Vector of scaled multiples of
    H
    .
  • SJ~J
    Point in
    J~
    used as seed for accumulation, ensuring the result is never the identity.

2.2. Public Data

  • PKJNK
    Vector of public keys in the ring, padded with
    to length
    NK
    if needed.

2.3. Witness Data

  • tFJ
    Prover's one-time secret.
  • kNNK
    Prover's index within the ring, identifying which public key in
    PK
    belongs to the prover.

2.4. Preprocessing

2.4.1. Public Input Preprocessing

Concatenate ring points with scaled multiples of

H:
P=PKH=(P0,,PN5)JN4
px=(Px,0,,Px,N5,0,0,0,0)FN
py=(Py,0,,Py,N5,0,0,0,0)FN

Ring items selector:

s=1NK  0NNKFN

2.4.1 Interpolation

The resulting vectors are interpolated over

D:
px=Interpolate(px)
py=Interpolate(py)
s=Interpolate(s)

2.4.2. Commit to the constructed vectors

Cpx=PCS.Commit(px)
Cpy=PCS.Commit(py)
Cs=PCS.Commit(s)

2.5. Relation to Prove

Knowledge of

k and
t
such that
R=PKk+tH
.
RH={(R,PK;k,t)R=PKk+tH;RJ,PKJNK,kNNK,tFJ}


3. Prover

3.1. Witness Polynomials

3.1.1. Bits Vector

  • kBNK Binary vector representing the index
    k
    in the ring.
    k
    has
    NK
    elements where
    ki=δik

  • tBNJ Binary representation of the secret scalar
    t
    , with
    ti
    representing the
    i
    -th bit of
    t
    in little-endian order, i.e.,
    t=ti2i
    , for
    iNNJ

The bits vector

b is constructed by concatenating
k
and
t
, followed by a single 0.

b=kt(0)

3.1.2. Conditional Sum Accumulator Vectors

ACC0=S,ACCi=ACCi1+bi1Pi1,i=1,,N4

  • The accumulator is initialized with the seed point
    S
    .
  • The accumulator is updated at each index
    i
    based on the previous value and the product of
    bi1
    and
    Pi1
    .

The resulting accumulator points are finally separated into

x and
y
coordinates:
(accx,accy)=unzip(ACC)

3.1.3. Inner Product Accumulator Vector

accip0=0,accipi=accipi1+bi1si1,i=1,,N4

  • The accumulator is initialized with
    0
    .
  • The accumulator is updated at each index
    i
    based on the previous value and the product of
    bi1
    and
    si1

3.1.4. Interpolation and Commitments

The resulting vectors are interpolated over

D with random values
{ri}
appended as padding for the final entries. This padding helps obscure the resulting polynomial, even when committing to identical witness values.
b=Interpolate(b(r1,r2,r3))
accx=Interpolate(accx(r4,r5,r6))
accy=Interpolate(accy(r7,r8,r9))
accip=Interpolate(accip(r10,r11,r12))

Commit to the witness derived polynomials:

Cb=PCS.Commit(b)
Caccip=PCS.Commit(accip)
Caccx=PCS.Commit(accx)
Caccy=PCS.Commit(accy)

3.2. Constraints

Constraints are polynomials constructed to evaluate to zero when satisfied; a non-zero evaluation indicates a violation.

Note. When evaluating a polynomial

f at
x=ωkD
for some
kN
,
f(ωx)
gives the value of the polynomial at the next position in the evaluation domain (
ωx=ωk+1
).

3.2.1. Inner Product

c1(x)=(accip(ωx)accip(x)b(x)s(x))(xωN4)

This constraint ensures the inner product accumulator

accip(x) is correctly updated, satisfying
accip(ωx)=accip(x)+b(x)s(x)
.

The factor

(xωN4) ensures the constraint holds at all points including
x=ωN4
, where
c1(x)
automatically vanishes.

3.2.2. Conditional Addition

c2(x)=(b(x)((accx(x)px(x))2(accx(x)+px(x)+accx(ωx))(py(x)accy(x))2)+(1b(x))(accx(ωx)accx(x)))×(xωN4)
c3(x)=(b(x)((accx(x)px(x))(accy(ωx)+accy(x))(py(x)accy(x))(accx(ωx)accx(x)))+(1b(x))(accx(ωx)accx(x)))×(xωN4)

These constraints enforce correct elliptic curve addition for the

x and
y
components, respectively, controlled by the Boolean variable
b(x)
:

  • When
    b(x)=1
    :
    c2(x)
    and
    c3(x)
    enforce the correct elliptic curve addition for the
    x
    and
    y
    components, respectively.
  • When
    b(x)=0
    : both constraints ensure the accumulator remains unchanged.

The factor

(xωN4) nullifies the constraint at
x=ωN4
, where it does not apply.

3.2.3. Booleanity

c3(x)=b(x)(1b(x))

Ensures that the polynomial

b(x) acts as a Boolean variable, taking only values 0 or 1.

  • If
    b(x)=0
    or
    b(x)=1
    , then
    c3(x)=0
    .
  • If
    b(x)
    takes any value other than 0 or 1,
    c3(x)
    will be non-zero, violating the constraint.

3.2.4. Conditional Addition Boundary

Given the seed point

S=(sx,sy) and the expected result delta from the seed point
R=(rx,ry)
, the constraints are:
c5(x)=(accx(x)sx)L0(x)+(accx(x)rxsx)LN4(x)
c6(x)=(accy(x)sy)L0(x)+(accy(x)rysy)LN4(x)

These constraints ensure the accumulator components take specific values at the conditional addition boundaries:

  • At
    x=ω0
    :
    L0(x)=1
    and
    LN4(x)=0
    , enforcing
    accx(ω0)=sx
    and
    accy(ω0)=sy
    .
  • At
    x=ωN4
    :
    L0(x)=0
    and
    LN4(x)=1
    , enforcing
    accx(ωN4)=rx+sx
    and
    accy(ωN4)=ry+sy
    .

3.2.5. Inner Product Boundary

c7(x)=accip(x)L0(x)+(accip(x)1)LN4(x)

This constraint ensure the accumulator components take specific values at the conditional addition boundaries:

  • At
    x=ω0
    :
    L0(x)=1
    and
    LN4(x)=0
    , enforcing
    accip(ω0)=0
    .
  • At
    x=ωN4
    :
    L0(x)=0
    and
    LN4(x)=1
    , enforcing
    accip(ωN4)=1
    .

3.3. Constraints Aggregation

3.3.1. Aggregation Polynomial

The protocol aggregates all constraints into a single polynomial for efficiency.

Using the Fiat-Shamir heuristic, sample the aggregation coefficients:

{αi}i=17FS(Cb,Caccip,Caccx,Caccy)

Construct the aggregated polynomial:

c(x)=(i=17αici(x))k=13(xωNk)

The factor

k=13(xωNk) ensures that
c(x)
vanishes at the last three points of the domain, thereby enforcing the constraints across the entire evaluation domain, including the last three points where random evaluation values were used during the witness polynomials interpolation phase.

3.3.2. Quotient Polynomial

The quotient polynomial is computed as:

q(x)=c(x)xN1

Dividing by

XN1 ensures that the aggregated constraints encoded in
c(x)
are enforced consistently across the entire evaluation domain
D
while reducing the degree of the polynomial.

3.3.3. Quotient Polynomial Commitment and Challenge

The prover commits to the quotient polynomial

q:
Cq=PCS.Commit(q)

The prover receives the evaluation point

ζ in response:
ζFS(Cq)

3.3.4. Relevant Polynomials Evaluation

Evaluate the relevant polynomials at the sampled evaluation point

ζ:
px,ζ=px(ζ)
py,ζ=py(ζ)
sζ=s(ζ)
bζ=b(ζ)
accip,ζ=accip(ζ)
accx,ζ=accx(ζ)
accy,ζ=accy(ζ)

3.3.5. Linearization Polynomial

The linearization polynomials are constructed to enable the verifier to evaluate certain parts of the constraint polynomials at

ζω while independently reconstructing the evaluation of
q
at
ζ
using the "relevant polynomial evaluations" provided by the prover as part of the proof.

In particular we require these contributions just for the accumulators contraints.

Accumulator inner product (

c1) contribution:
l1(x)=(ζωN4)accip(x)

Conditional addition accumulators (

c2,3) contributions:
l2(x)=(ζωN4)(bζ(accx,ζpx,ζ)2accx(x)+(1bζ)accy(x))
l3(x)=(ζωN4)((bζ(accy,ζpy,ζ)+1bζ)accx(x)+bζ(accx,ζpx,ζ)accy(x))

Linearized constraints are aggregated using

{αi} coefficients and evaluated at
ζω
:
l(x)=i=13αili(x)
lζω=l(ζω)

3.3.6. Sample Aggregation Coefficients

Sample the aggregation coefficients

{νi} using the Fiat-Shamir heuristic and compute the aggregate polynomial
agg
:
{νi}i=18FS(px,ζ,py,ζ,sζ,bζ,accip,ζ,accx,ζ,accy,ζ,lζω)

Construct the aggregate polynomial:

agg(x)=ν1px(x)+ν2py(x)+ν3s(x)+ν4b(x)+ν5accip(x)+ν6accx(x)+ν7accy(x)+ν8q(x)

3.3.7. Proof Construction

Open the aggregate polynomial

agg at
ζ
and the linearization polynomial
l
at
ζω
:
Πζ=PCS.Open(agg,ζ)
Πζω=PCS.Open(l,ζω)

Construct the proof as follows:

Π=(Cb,Caccip,Caccx,Caccy,px,ζ,py,ζ,sζ,bζ,accip,ζ,accx,ζ,accy,ζ,Cq,lζω,Πζ,Πζω)


4. Verifier

4.1. Inputs

Commitments to the ring public keys and the selector, prepared during the pre-processing phase:

(Cpx,Cpy,Cs)

The claimed accumulation result, allegedly

PKk+tH for some
k
and
t
known to the prover. This is the primary element to be assessed:
R=(rx,ry)

Proof which contains all the necessary commitments, evaluations, and openings needed for the verifier to perform the validation checks:

Π=(Cb,Caccip,Caccx,Caccy,px,ζ,py,ζ,sζ,bζ,ipζ,acx,ζ,acy,ζ,Cq,lζω,Πζ,Πζω)

4.2. Verification

4.2.1. Fiat-Shamir Challenges

Recovery of aggregation coefficients and evaluation point:

{αi}i=17FS(Cb,Cip,Caccx,Caccy)
ζFS(Cq)
{νi}i=18FS(px,ζ,py,ζ,sζ,bζ,accip,ζ,accx,ζ,accy,ζ,lζω)

4.2.2. Contributions to the Constraints Evaluated at
ζ

The following expressions represent the contributions to the constraint polynomials evaluated at the point

ζ:
c~1,ζ=(accip,ζ+bζsζ)(ζωN4)
c~2,ζ={bζ[(accx,ζpx,ζ)2(accx,ζ+px,ζ)(py,ζaccy,ζ)2](1bζ)accy,ζ}(ζωN4)
c~3,ζ={bζ[(accx,ζpx,ζ)accy,ζ+(py,ζaccy,ζ)accx,ζ](1bζ)accx,ζ}(ζωN4)
c4=bζ(1bζ)
c5=(accx,ζsx)L0(ζ)+(accx,ζrxsx)LN4(ζ)
c6=(accy,ζsy)L0(ζ)+(accy,ζrysy)LN4(ζ)
c7=accip,ζL0(ζ)+(accip,ζ1)LN4(ζ)

Note: The tilde (

~ ) above the first three polynomials indicates that these are only partial contributions, representing the components evaluated at
ζ
. The components evaluated at
ζω
are added later by the linearization aggregated polynomial found within the proof (
lζω
).

4.2.3. Evaluation of the Quotient Polynomial at
ζ

Aggregate the contributions along with the linearization polynomial evaluated at

ζω to compute the evaluation of the quotient polynomial at
ζ
:
qζ=(i=17αici+lζω)k=13(ζωNk)ζN1

Compute the aggregate commitment

Cagg using the aggregation coefficients
νi
:
Cagg=ν1Cpx+ν2Cpy+ν3Cs+ν4Cb+ν5Caccip+ν6Caccx+ν7Caccy+ν8Cq

Compute the aggregate evaluation

aggζ using the same coefficients:
aggζ=ν1px,ζ+ν2py,ζ+ν3sζ+ν4bζ+ν5accip,ζ+ν6accx,ζ+ν7accy,ζ+ν8qζ

Verify the aggregate polynomial opening at

ζ using
Πζ
:
PCS.Verify(Cagg,ζ,aggζ,Πζ)

4.2.4. Evaluation of the Linearization Polynomial at
ζω

Compute the individual linearization polynomial commitments:

Cl1=(ζωN4)Caccip
Cl2=(ζωN4)(bζ(accx,ζpx,ζ)2Caccx+(1bζ)Caccy)
Cl3=(ζωN4)((bζ(accy,ζpy,ζ)+1bζ)Caccx+bζ(accx,ζpx,ζ)Caccy)

Aggregate the linearization polynomial commitments using

{αi} coefficients.
Cl=i=13αiCli

Verify the aggregate linearization polynomial opening at

ζω using
Πζω
:
PCS.Verify(Cl,ζω,lζω,Πζω)

5. Acknowledgements

This specification is primarily derived from Sergey Vasilyev's original writeup and reference implementation, as cited in the references.

6. References

  • These notes on hackmd: https://hackmd.io/@davxy/r1SVPqQc0.
  • Sergey Vasilyev original writeup: https://hackmd.io/ulW5nFFpTwClHsD0kusJAA
  • W3F reference implementation: https://github.com/w3f/ring-proof