Commitment Schemes

Aztec Study Club - 3

23 Feb 2022

Recap

  • A group is a set with a binary operation: \((\mathbb{G}, +)\)
    • Associativity, Identity element, Inverse

[Figure: a group with elements \(0, 1, 2, \dots, 7\)]

  • ECC over \(\mathbb{R}\): the set \(E\) of real solutions \((x,y)\) of
\[y^2 = x^3 + ax + b\]

[Figure: the curve \(y^{2}=x^{3}-x+2\) over \(\mathbb{R}\)]

  • A field is a set with two binary operations: \((\mathbb{F}, +, *)\)
    • \((\mathbb{F}, +)\) and \((\mathbb{F}\setminus\{0\}, *)\) are both Abelian groups
  • Prime field: \(\mathbb{F}_p := \{0, 1, 2, 3, \dots, p-1\}\) for a prime \(p\)
  • ECC over prime field \(\mathbb{F}_p\)

Recap: Point Addition over \(\mathbb{R}\)

[Figure: point addition on the curve \(y^{2}=x^{3}-x+2\) over \(\mathbb{R}\)]

Recap: Point Addition over \(\mathbb{F}_p\)

\(y^2 = x^3+10x+2\) over \(\mathbb{F}_{11}\)

\((3,2) + (6,5) = (3,9)\)

\((3,9)+(5,10) = (6,6)\)

Commitment Schemes

  • Cryptographic way to commit to a value without revealing it
  • Ability to reveal the value at a later point in time
  • Two important properties:
    • Hiding - a commitment hides the secret value
    • Binding - a commitment is tamper-proof

[Figure: Commit puts the Secret into a locked Box, producing the Commitment; Open later unlocks the Box to reveal the Secret]

Example: Auctions

[Figure: sealed-bid auction among Alice, Bob and Charlie; each bidder first commits to a bid, and once all commitments are in, everyone opens]


Discrete Logarithm

  • A cyclic group \((\mathbb{G}, +)\) with order \(q\) and generator \(G\) is written as
\[\mathbb{G}=\{\mathcal{O}, G, 2G, 3G, \dots, (q-1)G\}\]
  • Given some \(H\in \mathbb{G}\), the discrete log of \(H\) w.r.t. \(G\) is the \(x \in \mathbb{F}_q\) s.t.
\[H = xG\]
  • Example: the group \((\mathbb{Z}_5^{\ast}=\{1,2,3,4\}, * \text{ mod }5)\) has generator \(g=2\)
\[\begin{aligned} g &= 2 \\ g*g &= 4 \\ g*g*g &= 3 \\ g*g*g*g &= 1 \end{aligned} \qquad \begin{aligned} \log_2(1) &= 4 \\ \log_2(2) &= 1 \\ \log_2(3) &= 3 \\ \log_2(4) &= 2 \end{aligned}\]

Discrete Logarithm in ECC

  • Elliptic curve group \((\mathbb{G}, +)\) with prime order \(q\) and generator \(G\)
  • If \(q\) is a large prime, then DL in \(\mathbb{G}\) is hard
    • Given a random \(H\in \mathbb{G}\), it is infeasible to find \(x \in \mathbb{F}_q\) s.t. \(H = xG\)
  • Known discrete log algorithms are exponential in \(n=\log_2(q)\):
\[\text{DL}(E) = \mathcal{O}(2^{n/2})\]
  • For BN254 \((n=254)\), we'll need \(\approx 2^{127}\) computations to break DL
  • What about the discrete log in \((\mathbb{F}_p^{\ast}=\{1,2,3,\dots, p-1\}, * \text{ mod }p)\), with \(m=\log_2(p)\)?
\[\text{DL}(\mathbb{F}_p^{\ast}) = \mathcal{O}\!\left(e^{m^{1/3} (\log(m \log 2))^{2/3}}\right)\]
  • For the same level of security we need \((n,m) = (173,1024)\) or \((373,4096)\).
    Thus, \(\text{ECC} \gg \text{RSA}\)!

Pedersen Commitments

  • Elliptic curve group \((\mathbb{G},+)\) with randomly chosen generators \(G,H \in \mathbb{G}\)
  • Since \(|\mathbb{G}|=q\) is a prime, each element in \(\mathbb{G} \setminus \{\mathcal{O}\}\) is a generator!
  • For a secret \(m\in \mathbb{F}_q\) and a blinding factor \(r\leftarrow \mathbb{F}_q\), we define
\[C = \textsf{com}(m,r) = mG + rH\]
  • Hiding: given \(C\in \mathbb{G}\), one cannot tell which \(m,r\) produced it
  • Binding: if \(\log_G(H)\) is unknown, then it's impossible to tamper
  • Homomorphic:
\[\begin{aligned} C_1 &= \textsf{com}(m_1,r_1) = m_1G + r_1H \\ C_2 &= \textsf{com}(m_2,r_2) = m_2G + r_2H \\ C_1+C_2 &= (m_1+m_2)G + (r_1+r_2)H = \textsf{com}(m_1+m_2,\ r_1+r_2) \end{aligned}\]

Pedersen Commitments

  • What happens if \(\text{log}_G(H)\) is known?
  • Suppose a malicious actor knows \(\text{log}_G(H)=10\)
\[\begin{aligned} C = \textsf{com}(m,r) &= mG + rH \\ &= mG + r(10G) \\ &= (m+10r)G \\ &= (m-1 + 10r+1)G \\ &= (m-1)G + \left(\frac{10r+1}{10}\right)(10G) \\ &= (m-1)G + \left(10^{-1}(10r+1)\right)H \\ &= \textsf{com}(m-1,\ 10^{-1}(10r+1)) \end{aligned}\]

Pedersen Commitments

  • We use Pedersen commitments to compress note data
\[C_{\textsf{claim}} = vG_1 + aG_2 + (A_x)G_3 + (A_y)G_4 + sG_5 + n_dG_6\]
    where \(\textsf{claim} \equiv \{ \ v,\ a,\ A,\ s,\ n_d \ \}\) consists of the value \(v\), the asset \(a\), the owner public key \(A=(A_x,A_y)\), the secret \(s\) and the defi nonce \(n_d\)
  • But the claim note is to be revealed to the rollup provider!
\[\textcolor{teal}{C_{\textsf{owner}}} = (A_x)G_3 + (A_y)G_4 + sG_5\]
\[\therefore\ C_{\textsf{claim}} = vG_1 + aG_2 + \textcolor{teal}{C_{\textsf{owner}}} + \textcolor{orange}{n_dG_6}\]
  • Leverage the homomorphic property of Pedersen commitments
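The pieces above, from the recap's point additions over \(\mathbb{F}_{11}\) through \(\textsf{com}(m,r)=mG+rH\), its homomorphism, the tampering that becomes possible once \(\log_G(H)\) is known, and the split of \(C_{\textsf{claim}}\) into \(C_{\textsf{owner}}\) plus the remaining terms, are worked below in Python. This is an added example, not code from the slides or from Aztec. It assumes a toy curve \(y^2 = x^3 + 2x + 2\) over \(\mathbb{F}_{17}\), a constructed textbook curve with 19 points so that \(q=19\) is prime and every non-identity point generates the group; \(\log_G(H)=10\) is set deliberately so the tampering derivation can be checked, and the six note generators are constructed as small multiples of \(G\). A real deployment needs generators with mutually unknown discrete logs (for instance derived by hashing to the curve), because otherwise binding fails exactly as `forge_opening` shows.

```python
# Added example: toy elliptic-curve group over F_p and Pedersen commitments.
# Not Aztec code; the F_17 curve below is a constructed textbook toy.

O = None  # point at infinity, the identity written \mathcal{O} on the slides


class Curve:
    """Short Weierstrass curve y^2 = x^3 + a*x + b over the prime field F_p."""

    def __init__(self, p, a, b):
        self.p, self.a, self.b = p, a, b

    def on_curve(self, P):
        if P is O:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def add(self, P, Q):
        """Chord-and-tangent addition; the division becomes a modular inverse."""
        if P is O:
            return Q
        if Q is O:
            return P
        (x1, y1), (x2, y2) = P, Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return O  # P + (-P) = O
        if P == Q:  # tangent slope when doubling
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)
        else:  # chord slope through two distinct points
            lam = (y2 - y1) * pow((x2 - x1) % self.p, -1, self.p)
        lam %= self.p
        x3 = (lam * lam - x1 - x2) % self.p
        return (x3, (lam * (x1 - x3) - y1) % self.p)

    def mul(self, k, P):
        """Scalar multiplication kP by double-and-add."""
        R = O
        while k > 0:
            if k & 1:
                R = self.add(R, P)
            P, k = self.add(P, P), k >> 1
        return R


# Recap slide: y^2 = x^3 + 10x + 2 over F_11.
SLIDE_CURVE = Curve(11, 10, 2)

def slide_additions():
    """The two additions worked on the recap slide: (3,9) and then (6,6)."""
    s1 = SLIDE_CURVE.add((3, 2), (6, 5))
    return s1, SLIDE_CURVE.add(s1, (5, 10))


# Pedersen setting. The constructed curve y^2 = x^3 + 2x + 2 over F_17 has
# 19 points, so |G| = q = 19 is prime and every point except O is a generator.
E, Q, G = Curve(17, 2, 2), 19, (5, 1)
# A deployment derives H so that nobody knows log_G(H). We deliberately set
# log_G(H) = 10 to reproduce the tampering derivation from the slide.
LOG_H = 10
H = E.mul(LOG_H, G)

def com_vec(scalars, gens):
    """Multi-generator commitment sum_i k_i G_i (the note-compression form)."""
    C = O
    for k, P in zip(scalars, gens):
        C = E.add(C, E.mul(k % Q, P))
    return C

def com(m, r):
    """C = com(m, r) = mG + rH with m, r in F_q."""
    return com_vec([m, r], [G, H])

def open_ok(C, m, r):
    """Verifier's side of Open: recompute from the revealed (m, r) and compare."""
    return C == com(m, r)

def homomorphic_ok(m1, r1, m2, r2):
    """C_1 + C_2 == com(m_1 + m_2, r_1 + r_2)."""
    return E.add(com(m1, r1), com(m2, r2)) == com(m1 + m2, r1 + r2)

def forge_opening(m, r):
    """Binding failure once log_G(H) is known: the same C also opens to m - 1
    with r' = log_G(H)^{-1} (log_G(H) r + 1) mod q, exactly as on the slide."""
    return (m - 1) % Q, pow(LOG_H, -1, Q) * (LOG_H * r + 1) % Q

def claim_split_ok(v, a, Ax, Ay, s, nd, gens):
    """C_claim == vG1 + aG2 + C_owner + n_d G6 where C_owner = A_x G3 + A_y G4 + s G5."""
    G1, G2, G3, G4, G5, G6 = gens
    c_claim = com_vec([v, a, Ax, Ay, s, nd], gens)
    c_owner = com_vec([Ax, Ay, s], [G3, G4, G5])
    return c_claim == E.add(com_vec([v, a, nd], [G1, G2, G6]), c_owner)
```

`slide_additions()` returns `((3, 9), (6, 6))`, matching the recap slide. `com(7, 3)` opens with `(7, 3)` and with nothing else as long as \(\log_G(H)\) is secret; because this demo fixes \(\log_G(H)=10\), `forge_opening(7, 3)` returns `(6, 5)`, a second valid opening of the same point, which is the tampering the slide derives and the reason the generators' relative discrete logs must be unknown.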

Summary

  • ECC recap
    • Point addition example over finite field
  • Commitment schemes and fair auctioning
  • Building on ECC:
    • Discrete log problem
    • How hard is it to break ECC?
    • Pedersen commitments and their properties
  • Up next:
    • How do you sign cryptographically?
    • Identity protocol 
    • What's homomorphic computation?

Aztec Study Club 3 - Commitment Schemes

By Suyash Bagad

Aztec Study Club's third presentation on the basics of commitment schemes based on ECC.
