22-08-2024-draft-6
This document describes a cryptographic scheme based on SNARKs (Succinct Non-Interactive Arguments of Knowledge) that enables a prover to demonstrate knowledge of a secret scalar and a secret index within a group of public keys, where each public key is a point on an elliptic curve. The scheme ensures that, when combined with a public elliptic curve point , the relation is satisfied. It leverages elliptic curve operations, a polynomial commitment scheme, and the Fiat-Shamir heuristic to achieve non-interactivity and zero-knowledge properties.
Concatenate ring points with scaled multiples of :
Ring items selector:
The resulting vectors are interpolated over :
Knowledge of and such that .
– Binary vector representing the index in the ring. has elements where
– Binary representation of the secret scalar , with representing the -th bit of in little-endian order, i.e., , for
The bits vector is constructed by concatenating and , followed by a single 0.
The resulting accumulator points are finally separated into and coordinates:
The resulting vectors are interpolated over with random values appended as padding for the final entries. This padding helps obscure the resulting polynomial, even when committing to identical witness values.
Commit to the witness derived polynomials:
Constraints are polynomials constructed to evaluate to zero when satisfied; a non-zero evaluation indicates a violation.
Note. When evaluating a polynomial at for some , gives the value of the polynomial at the next position in the evaluation domain ().
This constraint ensures the inner product accumulator is correctly updated, satisfying .
The factor ensures the constraint holds at all points including , where automatically vanishes.
These constraints enforce correct elliptic curve addition for the and components, respectively, controlled by the Boolean variable :
The factor nullifies the constraint at , where it does not apply.
Ensures that the polynomial acts as a Boolean variable, taking only values 0 or 1.
Given the seed point and the expected result delta from the seed point , the constraints are:
These constraints ensure the accumulator components take specific values at the conditional addition boundaries:
This constraint ensure the accumulator components take specific values at the conditional addition boundaries:
The protocol aggregates all constraints into a single polynomial for efficiency.
Using the Fiat-Shamir heuristic, sample the aggregation coefficients:
Construct the aggregated polynomial:
The factor ensures that vanishes at the last three points of the domain, thereby enforcing the constraints across the entire evaluation domain, including the last three points where random evaluation values were used during the witness polynomials interpolation phase.
The quotient polynomial is computed as:
Dividing by ensures that the aggregated constraints encoded in are enforced consistently across the entire evaluation domain while reducing the degree of the polynomial.
The prover commits to the quotient polynomial :
The prover receives the evaluation point in response:
Evaluate the relevant polynomials at the sampled evaluation point :
The linearization polynomials are constructed to enable the verifier to evaluate certain parts of the constraint polynomials at while independently reconstructing the evaluation of at using the "relevant polynomial evaluations" provided by the prover as part of the proof.
In particular we require these contributions just for the accumulators contraints.
Accumulator inner product () contribution:
Conditional addition accumulators () contributions:
Linearized constraints are aggregated using coefficients and evaluated at :
Sample the aggregation coefficients using the Fiat-Shamir heuristic and compute the aggregate polynomial :
Construct the aggregate polynomial:
Open the aggregate polynomial at and the linearization polynomial at :
Construct the proof as follows:
Commitments to the ring public keys and the selector, prepared during the pre-processing phase:
The claimed accumulation result, allegedly for some and known to the prover. This is the primary element to be assessed:
Proof which contains all the necessary commitments, evaluations, and openings needed for the verifier to perform the validation checks:
Recovery of aggregation coefficients and evaluation point:
The following expressions represent the contributions to the constraint polynomials evaluated at the point :
Note: The tilde ( ) above the first three polynomials indicates that these are only partial contributions, representing the components evaluated at . The components evaluated at are added later by the linearization aggregated polynomial found within the proof ().
Aggregate the contributions along with the linearization polynomial evaluated at to compute the evaluation of the quotient polynomial at :
Compute the aggregate commitment using the aggregation coefficients :
Compute the aggregate evaluation using the same coefficients:
Verify the aggregate polynomial opening at using :
Compute the individual linearization polynomial commitments:
Aggregate the linearization polynomial commitments using coefficients.
Verify the aggregate linearization polynomial opening at using :
This specification is primarily derived from Sergey Vasilyev's original writeup and reference implementation, as cited in the references.
https://hackmd.io/@davxy/r1SVPqQc0
.https://hackmd.io/ulW5nFFpTwClHsD0kusJAA
https://github.com/w3f/ring-proof