Version A: The simplest approach with a non-anonymous setting

  • User's public key:
    gf(0)
  • User submits the commitment of the polynomial, its public key, and the opening proof:
    gf(α),gf(0),gψ0(α)

The verifier checks if the user's public key is on the committed polynomial by verifying the opening of the KZG commitment:

e(gψ0(α),gα)e(g,gf(0))=?e(g,gf(α))
If this check passes, the verifier trusts the public key and the commitment. However, this trust may be misplaced due to a vulnerability in the setup phase. The prover can manipulate the public key by choosing a random number
γ
. The prover then multiplies
gψ(α)
and
gf(0)
with
gγ
to produce
gψ(α)gγ
and
gf(0)gαgγ
. This results in a manipulated pairing check that still passes. If the verifier attempts to interpolate the polynomial by Lagrange interpolation, they will get a private key that does not correspond to the crafted public key. This highlights a significant vulnerability in the setup phase of Version A.

The manipulated pairing check the verifier ends up checking is:

e(gψ0(α)gγ,gα)e(g,gf(0)gαγ)=?e(g,gf(α))

Breaking down the left side of this equation:

  1. Expand the pairing:

e(gψ0(α)gγ,gα)e(g,gf(0)gαγ)=e(gψ0(α),gα)e(gγ,gα)e(g,gf(0))e(g,gαγ)

  1. Use the property of bilinear pairings where
    e(ga,gb)=e(g,g)ab
    :

=e(g,g)ψ0(α)αe(g,g)γαe(g,g)f(0)e(g,g)γα

  1. Combine like terms:

=e(g,g)ψ0(α)α+γα+f(0)γα

  1. Recall that
    ψ0(α)α=f(α)f(0)
    , so substitute:

=e(g,g)f(α)f(0)+γα+f(0)γα

  1. Cancel out
    f(0)
    and
    γα
    :

=e(g,g)f(α)

This is equal to the right side of the original equation

e(g,gf(α)), and hence the check passes. The prover successfully manipulates the values with
γ
while still passing the verification, leading to the vulnerability. The verifier ends up wrongly trusting the commitment associated with the false public key.

Why Pok can solve this?

Recall that in a Proof of Knowledge (PoK), the prover must convince the verifier that they possess knowledge of the secret value without revealing any information about the secret itself. This is achieved through a challenge-response protocol, where the verifier presents a random challenge to the prover, who must then provide a valid response.

Given the construction of the manipulated public key, the corresponding private key is

f(0)αγ. However,
α
is a value from the Structured Reference String (SRS), and in a secure setup, this value is not known by the prover or any participant in the protocol, only the trusted setup coordinator knows it and should delete it after setup. Hence, the prover cannot construct the corresponding private key.

Therefore, if a verifier requests a PoK for the private key, the prover would be unable to provide a valid PoK. This is because constructing a valid PoK would require knowledge of both

f(0) and
α
, and while the prover knows
f(0)
, they do not know
α
. As a result, the prover would be unable to craft a valid response to the verifier's challenge, and the verifier would reject the prover's submission.

Thus, integrating a PoK protocol into this scheme would effectively prevent the described attack, as it would prevent the verifier from accepting a manipulated public key, addressing the vulnerability in the original setup.

In the Schnorr Proof of Knowledge (PoK) protocol, the prover generates a random number

r, and calculates
R
using the equation
R=rG
. Here,
G
is the generator point of an elliptic curve group.

The verifier then sends a challenge number,

c, to the prover. In response, the prover sends back
z
, calculated using the equation
z=r+cprivateKey
.

Finally, the verifier checks whether

zG equals
R+cpublicKey
. If this equation holds true, the prover has successfully demonstrated knowledge of the private key without revealing it.

For the prover to provide a valid Proof of Knowledge (PoK) in a Schnorr-style protocol, they need to be able to correctly compute

z=r+cprivateKey and withstand the verifier's check of whether
zG
equals
R+cpublicKey
.

Given that the manipulated public key is

gf(0)gαγ, the corresponding private key is indeed
f(0)αγ
. Since
α
is securely hidden and not known to the prover, they are unable to compute the correct private key that corresponds to the manipulated public key.

Therefore, when challenged by the verifier, the prover would not be able to compute the correct response

z, since they cannot calculate
f(0)αγ
without knowing
α
. As a result, the verifier's check
zG=R+cpublicKey
would fail, and the verifier would reject the prover's claim.