7.2 Non-Membership Argument Based on our Polynomial Evaluation Argument
We will now describe a non-membership argument with logarithmic communication complexity for a committed value not belonging to a set $L = \{\lambda_1, \ldots, \lambda_D\}$. Similar to Brands et al.'s approach we define a polynomial $P(X) = \prod_{i=1}^{D}(X - \lambda_i)$ with the elements in the set as roots. With this choice of polynomial we have $u \in L$ if and only if $P(u) = 0$. The prover has a commitment $c_u$ and will demonstrate that the committed value $u$ does not belong to $L$ by showing $P(u) \neq 0$.
The prover computes $v = P(u)$, makes a commitment to $v$ and can now give a SHVZK argument for $v = P(u)$ using the techniques from Section 6.2. To prove non-membership they just need to prove $v \neq 0$. To do this the prover commits to $w = v^{-1}$ and uses an inverse argument as described in Section 5.1 to show $vw = 1$, which will convince the verifier that $v \neq 0$. The main cost in this argument is the polynomial evaluation argument; the inverse argument only costs a couple of group elements.

Statement: $\{G, p, q\}$, $ck$, $L = \{\lambda_1, \ldots, \lambda_D\} \subset \mathbb{Z}_q$, $P(X) = \prod_{i=1}^{D}(X - \lambda_i)$, and $c_u \in G$

Prover's witness: $u, r \in \mathbb{Z}_q$ such that $c_u = \mathrm{com}_{ck}(u; r)$ and $u \notin L$

Argument: Compute
1. $v = P(u)$
2. $c_v = \mathrm{com}_{ck}(v; s)$ where $s \leftarrow \mathbb{Z}_q$
3. Engage in parallel in a SHVZK inverse argument described in Section 5.2 to show $v \neq 0$
4. In parallel engage in the SHVZK polynomial evaluation argument from Section 6.2 to show $v = P(u)$. Send $c_v$

Verification: The verifier accepts $u \notin L$ if and only if
1. $c_v \in G$
2. The two SHVZK arguments are valid.
Theorem 29. The protocol above is a public coin perfect generalized $\Sigma$-protocol of $u \in \mathbb{Z}_q$ such that $u \notin L$.

Proof. Perfect completeness follows from the perfect completeness of the two SHVZK arguments. The SHVZK simulator picks $c_v \leftarrow G$ at random and runs the SHVZK simulators for the two underlying SHVZK arguments. Since the commitment scheme is perfectly hiding and the underlying SHVZK arguments are perfect SHVZK, this gives us perfect SHVZK.

The protocol has perfect generalized special soundness. The extractor $E$ runs the extractors for the two underlying SHVZK arguments to get openings $u, v$ satisfying $v \neq 0$ and $P(u) = v$. The second condition tells us $P(u) \neq 0$, so $u$ is not a root of the polynomial and therefore not in the list.
Example: Let $G = \langle 172 \rangle \subset \mathbb{Z}^*_{179}$, which has prime order $q = 89$. The statement consists of a blacklist $L = \{9, 26, 49, 48\}$, the corresponding polynomial
$P(X) = X^4 + 46X^3 + 18X^2 + 2X + 81$,
$c_{u_0} = 142$ and $\{G, p, q\} = \{\langle 172 \rangle, 179, 89\}$, $ck = \{74, 172\}$.

The prover knows witnesses $u = 84$, $r_0 = 15$, such that $c_{u_0} = \mathrm{com}_{ck}(u; r_0)$ and $u \notin L$, and wants to convince the verifier that $u$ is not included in the blacklist. The prover first calculates $v = P(u) = 24 \in \mathbb{Z}_{89}$, picks random $s = 34$, and calculates the commitment to $v$ as
$c_v = \mathrm{com}_{ck}(v; s) = 85$.

The prover then engages in an integer inverse argument to show $v \neq 0$ and, picking $s_i = 88$, $t_i = 26$, they compute
$c_b = 83$.

Both parties also engage in a polynomial argument. For this argument the prover commits themselves to $u^2, u^4$ in
$c_{u_1} = \mathrm{com}_{ck}(u^2; r_1) = 17$, $c_{u_2} = \mathrm{com}_{ck}(u^4; r_2) = 46$,
where $r_1 = 80$, $r_2 = 1$. Next, the prover picks $f_0 = 43$, $f_1 = 25$, $f_2 = 44$, $s_0 = 16$, $s_1 = 52$, $s_2 = 47$ and calculates
$c_{f_0} = 139$, $c_{f_1} = 142$, $c_{f_2} = 82$.
Then, the prover calculates the $\delta_i$'s for $i = 0, 1, 2$ as described in Section 6.2, which gives
136 Chapter 7. Zero-Knowledge Non-Membership And Membership Arguments
The prover picks $t_0 = 57$, $t_1 = 77$, $t_2 = 26$ and computes the commitments to the $\delta_i$'s:
$c_{\delta_0} = 64$, $c_{\delta_1} = 36$, $c_{\delta_2} = 100$.
Finally the prover picks $\xi_0 = 26$, $\xi_1 = 64$ and calculates $f_{u_0} = 52$, $f_{u_1} = 2$, and
$c_{f_{u_0}} = 110$, $c_{f_{u_1}} = 117$,
and sends all the commitments
$c_v = \mathrm{com}_{ck}(v; s) = 85$, $c_d = 83$, $c_e = 36$, $c_f = 29$,
$c_{\delta_0} = 64$, $c_{\delta_1} = 36$, $c_{\delta_2} = 100$,
$c_{f_0} = 139$, $c_{f_1} = 142$, $c_{f_2} = 82$, $c_{f_{u_0}} = 110$, $c_{f_{u_1}} = 117$
to the verifier.

The verifier challenges the prover with $x = 81$; so the prover calculates the answers
$a = 46$, $r = 30$,
$f_0 = 83$, $f_1 = 3$, $f_2 = 28$, $r_0 = 74$, $r_1 = 35$, $r_2 = 39$,
$t = 73$, $\xi_0 = 10$, $\xi_1 = 83$
and sends them back.

The verifier now checks that the commitments are in $G$ and therefore valid, and also that the answers are all in $\mathbb{Z}_q$. Then the verifier checks that the inverse argument is valid, that means
$c_b = 83 = c_a^{a}\,\mathrm{com}_{ck}(x; r)$ ✓
To check the underlying polynomial argument, the verifier first calculates $\delta = 70$ using a binary tree and tests
$c_{u_0}^{x} c_{f_0} = 135 = \mathrm{com}_{ck}(f_0; r_0)$ ✓
$c_{u_1}^{x} c_{f_1} = 82 = \mathrm{com}_{ck}(f_1; r_1)$ ✓
$c_{u_2}^{x} c_{f_2} = 46 = \mathrm{com}_{ck}(f_2; r_2)$ ✓
$c_{u_1}^{x} c_{u_0}^{-f_0} c_{f_{u_0}} = 81 = \mathrm{com}_{ck}(0; \xi_0)$ ✓
$c_{u_2}^{x} c_{u_1}^{-f_1} c_{f_{u_1}} = 86 = \mathrm{com}_{ck}(0; \xi_1)$ ✓
$c_v^{x^3} c_{\delta_2}^{x^2} c_{\delta_1}^{x} c_{\delta_0} = 46 = \mathrm{com}_{ck}(\delta; t)$ ✓
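The prover-side arithmetic of the example above can be reproduced in a few lines. The following Python snippet is an added example, not code from the thesis: it builds $P(X)$ from the blacklist over $\mathbb{Z}_{89}$, evaluates it at $u$ by Horner's rule, derives the witness $w = v^{-1}$ for the inverse argument, and recomputes the Pedersen commitments in the order-89 subgroup of $\mathbb{Z}^*_{179}$. It assumes the convention $\mathrm{com}_{ck}(m; r) = 172^m \cdot 74^r$ for $ck = \{74, 172\}$, which is the ordering that reproduces $c_{u_0} = 142$, $c_v = 85$, $c_{u_1} = 17$ and $c_{u_2} = 46$; the inverse and polynomial evaluation sub-arguments themselves are not implemented.

```python
# Added example: prover-side arithmetic of the non-membership argument on the toy
# instance above (not the thesis's code). The commitment convention is assumed.
P_MOD = 179                 # p: Z_179^* contains a subgroup of prime order q = 89
Q_ORD = 89                  # q: order of G; committed values and openings live in Z_q
G_BASE, H_BASE = 172, 74    # ck = {74, 172}; com(m; r) = 172^m * 74^r is the ordering
                            # that reproduces c_u = 142 and c_v = 85 from the example

def commit(m, r):
    """Pedersen commitment com_ck(m; r) = g^m * h^r in the order-q subgroup of Z_p^*."""
    return pow(G_BASE, m % Q_ORD, P_MOD) * pow(H_BASE, r % Q_ORD, P_MOD) % P_MOD

def poly_from_roots(roots):
    """Coefficients of P(X) = prod_i (X - lambda_i) over Z_q, highest degree first."""
    coeffs = [1]
    for lam in roots:
        nxt = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):
            nxt[i] = (nxt[i] + c) % Q_ORD                # X * (c X^k)
            nxt[i + 1] = (nxt[i + 1] - lam * c) % Q_ORD  # -lambda * (c X^k)
        coeffs = nxt
    return coeffs

def poly_eval(coeffs, x):
    """Horner evaluation of P(x) in Z_q: D multiplications, the prover's step 1."""
    acc = 0
    for c in coeffs:
        acc = (acc * x + c) % Q_ORD
    return acc

def prover_setup(blacklist, u, r, s):
    """Steps 1-2 of the argument plus the witness w for the inverse argument.

    A blacklisted u gives P(u) = 0, which has no inverse, so no honest prover can
    complete the inverse argument: that is the soundness guarantee in action.
    """
    coeffs = poly_from_roots(blacklist)
    v = poly_eval(coeffs, u)
    if v == 0:
        raise ValueError("u is a root of P, i.e. it is in the blacklist")
    w = pow(v, -1, Q_ORD)   # v * w = 1 in Z_q; modular inverse needs Python 3.8+
    return {"coeffs": coeffs, "v": v, "w": w, "c_u": commit(u, r), "c_v": commit(v, s)}

if __name__ == "__main__":
    # Constructed call with the example's values u = 84, r_0 = 15, s = 34
    print(prover_setup([9, 26, 49, 48], 84, 15, 34))
```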
7.2.1 Implementation and Practical Results
We implemented the protocol to test the real-life performance and to obtain some experimental results. We chose the same groups as in the case of our polynomial argument, that means a 160-bit subgroup modulo a 1 248-bit, a 1 536-bit, and a 3 248-bit prime, and subgroups with order $|q| = 256$ modulo a 1 536-bit prime, a 2 432-bit prime, and a 3 248-bit prime. The groups have different levels of security, the exact values can be found in Section 4.1.1, and help to analyze the influence of different parameters, for example group size.
The non-membership proof is a direct application of our polynomial argument with the same asymptotic cost and we expect a similar running time for this reason. To validate this assumption, we implemented two different versions. The first one is a conservative un-optimized version and the second one is optimized using the sliding window algorithm.
Table 7.1 states the run-time of the un-optimized version and the optimized version for a 256-bit prime modulo a 1 536-bit prime. We see that the influence of the optimization for the verifier is very small. The reason for this is that the cost of the multiplication is dominant over the very small number of exponentiations. For the prover the influence of the optimization is bigger for small D but this effect is canceled out for bigger D, as the cost of the multiplications becomes dominant.
Next, we have to analyze what happens if the order stays fixed and the modulus increases. Tables 7.2 and 7.3 give the results for the optimized version for fixed order with 160-bit and 256-bit. We see that the run-time increases slightly for bigger moduli, but this is negligible compared to the increase of the moduli. The reason for this is that the run-time is dominated by the multiplications and this cost only depends on the subgroup size. This result means that we can increase the security of our protocol slightly by increasing the modulus of the underlying group without compromising performance.
Tables 7.4 and 7.5 state the result of the reverse case of fixed group size of 1 536-bit and 3 248-bit. Again the run-time of the protocol gets higher for bigger subgroup size, but this increase is very small; for bigger D the ratio between the different results is around one. Taking also into account that for small D the run-time is only a few milliseconds independent of the group size, we can increase the subgroup size and therefore the security level without compromising the performance.

| D | Prover Conservative | Prover Optimized | Ratio | Verifier Conservative | Verifier Optimized | Ratio |
|---|---|---|---|---|---|---|
| 10 | 29 ms | 18 ms | 0.62 | 24 ms | 20 ms | 0.85 |
| 100 | 46 ms | 29 ms | 0.63 | 39 ms | 34 ms | 0.86 |
| 1 000 | 70 ms | 47 ms | 0.68 | 56 ms | 49 ms | 0.88 |
| 5 000 | 140 ms | 109 ms | 0.78 | 77 ms | 68 ms | 0.89 |
| 10 000 | 220 ms | 189 ms | 0.86 | 90 ms | 83 ms | 0.92 |
| 50 000 | 776 ms | 754 ms | 0.97 | 152 ms | 148 ms | 0.97 |
| 100 000 | 1 538 ms | 1 495 ms | 0.97 | 228 ms | 216 ms | 0.95 |
| 500 000 | 7 396 ms | 7 369 ms | 1.00 | 702 ms | 693 ms | 0.99 |
| 1 000 000 | 20 423 ms | 15 384 ms | 1.00 | 1 469 ms | 1 310 ms | 0.99 |

Table 7.1: Run-time in ms of the blacklist argument on a group G with 256-bit order modulo a 1 536-bit prime for degree D between 10 and 1 000 000 for the conservative and the optimized version and the ratio between the two versions.

| D | |p| = 1 248 Prover | |p| = 1 248 Verifier | |p| = 1 536 Prover | |p| = 1 536 Verifier |
|---|---|---|---|---|
| 10 | 9 ms | 10 ms | 12 ms | 13 ms |
| 100 | 15 ms | 16 ms | 9 ms | 22 ms |
| 1 000 | 26 ms | 23 ms | 31 ms | 31 ms |
| 5 000 | 80 ms | 35 ms | 91 ms | 47 ms |
| 10 000 | 150 ms | 44 ms | 159 ms | 56 ms |
| 50 000 | 670 ms | 97 ms | 678 ms | 109 ms |
| 100 000 | 1 382 ms | 160 ms | 1 391 ms | 174 ms |
| 500 000 | 6 776 ms | 562 ms | 6 900 ms | 581 ms |
| 1 000 000 | 14 370 ms | 1 095 ms | 14 321 ms | 1 180 ms |

Table 7.2: Comparison of the blacklist argument for different degree D for the optimized version on different groups with fixed subgroup size of 160-bit (|q| = 160).

| D | |p| = 1 536 Prover | |p| = 1 536 Verifier | |p| = 2 432 Prover | |p| = 2 432 Verifier | |p| = 3 248 Prover | |p| = 3 248 Verifier |
|---|---|---|---|---|---|---|
| 10 | 18 ms | 20 ms | 39 ms | 48 ms | 63 ms | 76 ms |
| 100 | 29 ms | 34 ms | 62 ms | 79 ms | 99 ms | 125 ms |
| 1 000 | 47 ms | 49 ms | 91 ms | 113 ms | 144 ms | 176 ms |
| 5 000 | 109 ms | 68 ms | 164 ms | 161 ms | 253 ms | 235 ms |
| 10 000 | 189 ms | 83 ms | 240 ms | 194 ms | 361 ms | 261 ms |
| 50 000 | 754 ms | 148 ms | 773 ms | 411 ms | 1 114 ms | 358 ms |
| 100 000 | 1 495 ms | 216 ms | 1 500 ms | 689 ms | 2 130 ms | 455 ms |
| 500 000 | 7 369 ms | 693 ms | 7 445 ms | 893 ms | 7 827 ms | 1 019 ms |
| 1 000 000 | 15 384 ms | 1 310 ms | 15 524 ms | 1 404 ms | 16 137 ms | 1 572 ms |

Table 7.3: Comparison of the blacklist argument for different degree D for the optimized version on different groups with fixed subgroup size of 256-bit (|q| = 256).

| D | |q| = 160 Prover | |q| = 160 Verifier | |q| = 256 Prover | |q| = 256 Verifier |
|---|---|---|---|---|
| 10 | 12 ms | 13 ms | 18 ms | 20 ms |
| 100 | 19 ms | 22 ms | 29 ms | 34 ms |
| 1 000 | 31 ms | 31 ms | 47 ms | 49 ms |
| 5 000 | 91 ms | 47 ms | 109 ms | 68 ms |
| 10 000 | 159 ms | 56 ms | 189 ms | 83 ms |
| 50 000 | 678 ms | 109 ms | 754 ms | 148 ms |
| 100 000 | 1 391 ms | 174 ms | 1 495 ms | 216 ms |
| 500 000 | 6 900 ms | 581 ms | 7 369 ms | 693 ms |
| 1 000 000 | 14 321 ms | 1 180 ms | 15 384 ms | 1 310 ms |

Table 7.4: Comparison of the blacklist argument for different degree D for the optimized version on different subgroups with moduli of 1 536-bit (|p| = 1 536).
All these results confirm our assumption that the protocol behaves like the polynomial evaluation argument of Section 6.2, and we can therefore say that this argument is practical for all levels of security except when D gets very big.
Table 7.6 gives the size of the complete argument for different groups G and different blacklist sizes D. We see that in all cases the argument size consists only of a few kilobytes, independent of the