2- Commitment Phase

The commitment phase contains two parts; AHP commitment and PFR commitment. After reviewing the algorithm, we will provide an example to clarify each parts.

Let Mf\textit{M}_f be a functional set which contains triple matrices mf=(A,B,C)(Fn×n)3m_f=(A,B,C)\in (\mathbb{F}^{n\times n})^3 such that for each input vector X X, there is a unique output vector Y Y as well as a witness (intermediate) WW where AzoBz=CzAz\hspace{1mm} o\hspace{1mm} Bz=Cz considering z=(1,X,W,Y)z=(1,X,W,Y). The triplet (A,B,C)(Fn×n)3(A,B,C)\in (\mathbb{F}^{n\times n})^3 is a functional set if and only if AA and BB are tt-strictly lower triangular matrices (tSLT)(t-SLT) and CC is tt-diagonal matrix (tDiag)(t-Diag) [1]. Here, t=X+1t=|X|+1 . The Prover obtains tSLTt-SLT matrices AA, BB and tDiagt-Diag matrix CC for the arithmetic circuit that is a directed acyclic graph of gates and wire inputs. Wires carry values from F\mathbb{F} and gates are add or multiplication. This work is done based on the two steps of the following construction:

  • Initialize three zero square matrices A,B,CA, B, C over F\mathbb{F} of order n=ng+ni+1n=n_g +n_i + 1 where ngn_g is the number of gates and nin_i is the number of inputs. Rows and columns of matrices are indexed on {0,1,...,ng+ni}\{0,1,...,n_g+n_i\}. Also, Gate ii with two left L and right R inputs and a selector S. We show the Gate ii with a tuple (li,ri,si)(l_i, r_i, s_i) where lil_i and rir_i are the left and right inputs' indexes in zz, respectively. Note that zz is indexed on {0,1,..,ng+ni}\{0,1,..,n_g+n_i\}. Hence, lil_i and rir_i are between 00 and ng+nin_g+n_i. Also, sis_i is either "Addition" or "Multiplication". Note, if the left input is a value vv, then li=0l_i=0 or if the right input is a value vv, then ri=0r_i=0.

  • For i=0..,ng1: i=0.., n_g-1: a)a) Set C1+ni+i,1+ni+i=1C_{1+n_i+i, 1+n_i+i}=1 b)b) If si s_i is "Addition" - A1+ni+i,0=1A_{1+n_i+i,\hspace{1mm}0}=1 - B1+ni+i,li={left inputli=01otherwiseB_{1+n_i+i,\hspace{1mm}l_i}=\begin{cases}\text{left input}\hspace{1cm}l_i=0\\1\hspace{2.2cm}\text{otherwise}\end{cases} - B1+ni+i,ri={right inputri=01otherwiseB_{1+n_i+i,\hspace{1mm}r_i}=\begin{cases}\text{right input}\hspace{1cm}r_i=0\\1\hspace{2.2cm}\text{otherwise}\end{cases} b)b) If sis_i is multiplication - A1+ni+i,li={left inputli=01otherwiseA_{1+n_i+i,\hspace{1mm}l_i}=\begin{cases}\text{left input}\hspace{1cm}l_i=0\\1\hspace{2.2cm}\text{otherwise}\end{cases} - B1+ni+i,ri={right inputri=01otherwiseB_{1+n_i+i,\hspace{1mm}r_i}=\begin{cases}\text{right input}\hspace{1cm}r_i=0\\1\hspace{2.2cm}\text{otherwise}\end{cases}

If our processing machine has 32 registers, then the size of the input vector XX will be 32. Therefore, ni=32n_i=32 and X=(x1,x2,...,x32)X=(x_1,x_2,...,x_{32}) where xix_i corresponds to ithi^{th} register, RiR_i. Also, z=(1,x1,x2,..x32,w1,..,wngnr,y1,..,ynr)z=(1,x_1,x_2,..x_{32},w_1,..,w_{n_g-n_r},y_1,..,y_{n_r}) where nrn_r is the number of registers that change during a program execution. For example, assume the first gate in a computation is the instruction "add R1R_1 , R1R_1, 5", which means R1(2)=R1(1)+5R_1^{(2)}=R_1^{(1)}+5 . In the above "for" loop in step i=0i=0, s0s_0="Addition", l0=1l_0=1, and r0=0r_0=0, hence C1+32,1+32=1C_{1+32,\hspace{1mm}1+32}=1 , A1+32,0=1A_{1+32,\hspace{1mm}0}=1, , and B1+32,0=5B_{{1+32},\hspace{1mm}0}=5.

2-1- PFR Commitment

PFR aims to prove the target program is a function with mentioned characteristics in A,B,CA, B, C. PFR function will be edited later.

Commit(ck,mf=(A,B,C)Mf,sR)Commit(ck,m_f=(A,B,C)\in \textit{M}_f,s\in R): This function outputs

ComPFR=(ComPFR0,ComPFR1,ComPFR2,ComPFR3,ComPFR4,ComPFR5,ComPFR6,ComPFR7,ComPFR8)Com_{PFR}=(Com_{PFR}^0,Com_{PFR}^1,Com_{PFR}^2,Com_{PFR}^3,Com_{PFR}^4,Com_{PFR}^5,Com_{PFR}^6,Com_{PFR}^7,Com_{PFR}^8)

as following:

1 - The Prover selects randomness s=(s1,...,ssAHP(0))s=(s_1,...,s_{s_{AHP}(0)}) of randomness space RR . 2- The Prover calculates OPFR=Enc(mf=(A,B,C))\overrightarrow{O}_{PFR}=Enc(m_f=(A,B,C)) as encoded index as following:

The Prover encodes each matrix A,BA, B and CC by three polynomials. The matrix NN, N{A,B,C}N\in\{A, B, C\}, is encoded by polynomials rowPFRN(x)row_{PFR_N}(x), colPFRN(x)col_{PFR_N}(x) and valPFRN(x)val_{PFR_N}(x) so that rowPFRN(γi)=ωrirow_{PFR_N}(\gamma^i)=\omega^{r_i}, colPFRN(γi)=ωcicol_{PFR_N}(\gamma^i)=\omega^{c_i} and valPFRN(γi)=vival_{PFR_N}(\gamma^i)=v_i for i{0,1,2,..,m1}i\in\{0,1,2,..,m-1\} where m=2ngm=2n_g is maximum of the number of nonzero entries in the matrix NN, The value of n=ng+ni+1n=n_g+n_i+1 is the order of the matrix. Also, γ\gamma is a generator of multiplicative subgroup K\mathbb{K} of F\mathbb{F} of order mm (K=<γ>\mathbb{K}=<\gamma> and K=m|\mathbb{K}|=m) and ω\omega is a generator of multiplicative subgroup H\mathbb{H} of F\mathbb{F} of order nn (H=<ω>\mathbb{H}=<\omega> and H=n|\mathbb{H}|=n). Also ri,ci{0,1,...,n1}r_i,c_i\in \{0,1,...,n-1\} and viFv_i\in \mathbb{F} are row number, column number and value of ithi^{th} nonzero entry, respectively. Then, lets OPFR=(rowPFRA0,....,rowPFRAm1,colPFRA0,...,colPFRAm1,valPFRA0,...,valPFRAm1,O_{PFR}=(row_{PFR_{A_0}},....,row_{PFR_{A_{m-1}}},col_{PFR_{A_0}},...,col_{PFR_{A_{m-1}}},val_{PFR_{A_0}},...,val_{PFR_{A_{m-1}}}, rowPFRB0,...,rowPFRBm1,colPFRB0,...,colPFRBm1,valPFRB0,....,valPFRCm1,row_{PFR_{B_0}},...,row_{PFR_{B_{m-1}}},col_{PFR_{B_0}},...,col_{PFR_{B_{m-1}}},val_{PFR_{B_0}},....,val_{PFR_{C_{m-1}}}, rowPFRC0,...,rowPFRCm1,colPFRC0,...colPFRCm1,valPFRC0,...,valPFRCm1)row_{PFR_{C_0}},...,row_{PFR_{C_{m-1}}},col_{PFR_{C_0}},...col_{PFR_{C_{m-1}}},val_{PFR_{C_0}},...,val_{PFR_{C_{m-1}}})

where rowPFRNirow_{PFR_{N_i}}, colPFRNicol_{PFR_{N_i}}and valPFRNival_{PFR_{N_i}} are coefficient of xix^i of polynomials rowPFRN(x)row_{PFR_N}(x), colPFRN(x)col_{PFR_N}(x)and valPFRN(x)val_{PFR_N}(x) , respectively. The vector OPFRO_{PFR} is called as encoded index.

3- The Prover calculates ComPFRT=PC.Commit(ck,T,dAHP(N,0,i)=m,rT)Com_{PFR_T}=PC.Commit(ck,T,d_{AHP}(N,0,i)=m,r_{T}) for each polynomial T(x)T(x). Note that T{rowPFRN,colPFRN,valPFRNN{A,B,C}}T\in\{row_{PFR_N},col_{PFR_N},val_{PFR_N}\hspace{2mm}|\hspace{2mm}N\in\{A,B,C\}\}.

For example, if the polynomial commitment scheme KZGKZG is used, then ComT=i=0degTaigτi=i=0degTaick(i)Com_{T}=\sum_{i=0}^{deg_T}a_ig\tau^i=\sum_{i=0}^{deg_T}a_ick(i) where aia_i is coefficient of xix^i in polynomial T(x)T(x).

Size of Commitment: ComPFR=9|Com_{PFR}|=9.

4- The Prover sends ComPFRCom_{PFR} to the Verifier.

CommitmentID= Lower4Bytes(SHA256(Manufacturer_Name, Device_Type, Device_Hardware_Version, Firmware_Version, Lines Vec<u64>))

2-2- AHP Commitment

As mentioned before AHP phase aims, without revealing any information about function ff, to prove that y=f(x)y=f(x) for public xx and yy. Now, we create a commitment for Algebraic Holographic Proof (AHP), AHPComAHP\hspace{1mm}Com , in this section.

Commit(ck,mf=(A,B,C)Mf,sR)Commit(ck',m_f=(A,B,C)\in \textit{M}_f,s\in R): This function outputs AHPCom=(AHPCom0,AHPCom1,AHPCom2,AHPCom3,AHPCom4,AHPCom5,AHPCom6,AHP\hspace{1mm}Com=(AHP\hspace{1mm}Com_0,AHP\hspace{1mm}Com_1,AHP\hspace{1mm}Com_2,AHP\hspace{1mm}Com_3,AHP\hspace{1mm}Com_4,AHP\hspace{1mm}Com_5,AHP\hspace{1mm}Com_6,AHPCom7,AHPCom8)AHP\hspace{1mm}Com_7,AHP\hspace{1mm}Com_8)

where ck(i)=ck(i)rick'(i)=ck(i )\hspace{1mm}r'^i with random rr'. 1 - The Prover selects random s=(s1,...ssAHP(0))s=(s_1,...s_{s_{AHP}(0)}) from random space RR. Note that sAHP(0)=9s_{AHP}(0)=9 as explained in the setup phase. 2- The Prover calculates OAHP=Enc(mf=(A,B,C))\overrightarrow{O}_{AHP}=Enc(m_f=(A,B,C)) as encoded index as following:

  • Considering γ\gamma as a generator of multiplicative subgroup K\mathbb{K} of F\mathbb{F} of order mm (i.e., K=<γ>\mathbb{K}=<\gamma> and K=m|\mathbb{K}|=m), ω\omega as a generator of multiplicative subgroup H\mathbb{H} of F\mathbb{F} of order nn (i.e., H=<ω>\mathbb{H}=<\omega> and H=n|\mathbb{H}|=n), for each matrix N{A,B,C}N\in \{A,B,C\}, we generate 3 polynomials AHProwN(x)AHProw_N(x), AHPcolN(x)AHPcol_N(x), and AHPvalN(x)AHPval_N(x) as described in the following steps:

  • The polynomial AHProwN:KHAHProw_N:\mathbb{K}\to\mathbb{H} is constructed by AHProwN(k=γi)=ωriAHProw_N(k=\gamma^i)=\omega^{r_i} for 0iN10\leq i\leq ||N||-1 where N||N|| is the number of nonzero entries in NN, and ri{0,1,...,n1}r_i\in \{0,1,...,n-1\} is the row number of ithi^{th} nonzero entry and otherwise, AHProwN(k)AHProw_N(k) is an arbitrary element in H\mathbb{H}. Note that ii starts from zero. This step generate 3 polynomials; AHProwA(x)AHProw_A(x), AHProwB(x)AHProw_B(x), AHProwC(x)AHProw_C(x).

  • The polynomial AHPcolN:KHAHPcol_N:\mathbb{K}\to\mathbb{H} is constructed by AHPcolN(k=γi)=ωciAHPcol_N(k=\gamma^i)=\omega^{c_i} for 0iN10\leq i\leq ||N||-1 and ci{0,1,...,n1}c_i\in \{0,1,...,n-1\} is column number of ithi^{th} nonzero entry and otherwise AHPcolN(k)AHPcol_N(k) returns an arbitrary element in H\mathbb{H}. This step generate 3 polynomials; AHPcolA(x)AHPcol_A(x), AHPcolB(x)AHPcol_B(x), AHPcolC(x)AHPcol_C(x).

  • The polynomial AHPvalN:KHAHPval_N:\mathbb{K}\to\mathbb{H} is constructed by AHPvalN(k=γi)=viuH(AHProwN(k),AHProwN(k))uH(AHPcolN(k),AHPcolN(k))AHPval_N(k=\gamma^i)=\frac{v_i}{u_{\mathbb{H}}(AHProw_N(k),AHProw_N(k))u_{\mathbb{H}}(AHPcol_N(k),AHPcol_N(k))} for 0iN10\leq i\leq ||N||-1 where viv_i is value of ithi^{th} nonzero entry and otherwise AHPvalN(k)AHPval_N(k) returns zero where for each xHx \in \mathbb{H}, uH(x,x)=HxH1u_{\mathbb{H}}(x,x)=|\mathbb{H}|x^{|\mathbb{H}|-1}.

Now, we define AHProwN^\hat{AHProw_N}, AHPcolN^\hat{AHPcol_N} and AHPvalN^\hat{AHPval_N} as domain-extend of polynomials AHProwNAHProw_N, AHPcolNAHPcol_N and AHPvalNAHPval_N where their domains are extended from subgroup K\mathbb{K} to filed F\mathbb{F}. Therefore, kK\forall k \in \mathbb{K} , AHProwN(k)=AHProwN^(k)AHProw_N(k) = \hat{AHProw_N}(k), AHPcolN(k)=AHPcolN^(k)AHPcol_N(k) = \hat{AHPcol_N}(k), and AHPvalN(k)=AHPvalN^(k)AHPval_N(k) = \hat{AHPval_N}(k). OAHP=(AHProw^A0,....,AHProw^Am1,AHPcol^A0,...,AHPcol^Am1,AHPval^A0,...,AHPval^Am1,\overrightarrow{O}_{AHP}=(\hat{AHProw}_{A_0},....,\hat{AHProw}_{A_{m-1}},\hat{AHPcol}_{A_0},...,\hat{AHPcol}_{A_{m-1}},\hat{AHPval}_{A_0},...,\hat{AHPval}_{A_{m-1}},AHProw^B0,...,AHProw^Bm1,AHPcol^B0,....,AHPcol^Bm1,AHPval^B0,...,AHPval^Bm1,\hat{AHProw}_{B_0},...,\hat{AHProw}_{B_{m-1}},\hat{AHPcol}_{B_0},....,\hat{AHPcol}_{B_{m-1}},\hat{AHPval}_{B_0},...,\hat{AHPval}_{B_{m-1}}, AHProw^C0,...,AHProw^Cm1,AHPcol^C0,...,AHPcol^Cm1,AHPval^C0,....,AHPval^Cm1)\hat{AHProw}_{C_0},...,\hat{AHProw}_{C_{m-1}},\hat{AHPcol}_{C_0},...,\hat{AHPcol}_{C_{m-1}},\hat{AHPval}_{C_0},....,\hat{AHPval}_{C_{m-1}})

where AHProw^Ni\hat{AHProw}_{N_i}, AHPcol^Ni\hat{AHPcol}_{N_i}and AHPval^Ni\hat{AHPval}_{N_i} are coefficient of xix^i of polynomials AHProw^N(x)\hat{AHProw}_{N}(x), AHPcol^N(x)\hat{AHPcol}_{N}(x) and AHPval^N(x)\hat{AHPval}_{N}(x), respectively. The vector OAHP\overrightarrow{O}_{AHP} is called the encoded index.

3- The Prover calculates commitment for polynomial T{AHProw^N,AHPcol^N,AHPval^NN{A,B,C}}T\in\{\hat{AHProw}_N,\hat{AHPcol}_N,\hat{AHPval}_N\hspace{2mm}|\hspace{2mm}N\in\{A,B,C\}\} as AHPComT=PC.Commit(ck,T,dAHP(N,0,i)=m,si)AHP\hspace{1mm}Com_{T}=PC.Commit(ck',T,d_{AHP}(N,0,i)=m,s_i).

For example, if the polynomial commitment scheme KZGKZG is used, then AHPcomT=i=0degTaick(i)AHP\hspace{1mm}com_{T}=\sum_{i=0}^{deg_T}a_ick'(i) where aia_i is coefficient of xix^i in polynomial T(x)T(x) are calculated by the Prover as follows: AHPCom0=i=0degAHProw^A(x)AHProw^Aick(i)AHP\hspace{1mm}Com_0=\sum_{i=0}^{deg_{\hat{AHProw}_A(x)}}\hat{AHProw}_{A_i}\hspace{1.1mm}ck'(i), AHPCom1=i=0degAHPcol^A(x)AHPcol^Aick(i)AHP\hspace{1mm}Com_1=\sum_{i=0}^{deg_{\hat{AHPcol}_A(x)}}\hat{AHPcol}_{A_i}\hspace{1.1mm}ck'(i), AHPCom2=i=0degAHPval^A(x)AHPval^Aick(i)AHP\hspace{1mm}Com_2=\sum_{i=0}^{deg_{\hat{AHPval}_A(x)}}\hat{AHPval}_{A_i}\hspace{1.1mm}ck'(i), AHPCom3=i=0degAHProw^B(x)AHProw^Bick(i)AHP\hspace{1mm}Com_3=\sum_{i=0}^{deg_{\hat{AHProw}_B(x)}}\hat{AHProw}_{B_i}\hspace{1.1mm}ck'(i), AHPCom4=i=0degAHPcol^B(x)AHPcol^Bick(i)AHP\hspace{1mm}Com_4=\sum_{i=0}^{deg_{\hat{AHPcol}_B(x)}}\hat{AHPcol}_{B_i}\hspace{1.1mm}ck'(i), AHPCom5=i=0degAHPval^B(x)AHPval^Bick(i)AHP\hspace{1mm}Com_5=\sum_{i=0}^{deg_{\hat{AHPval}_B(x)}}\hat{AHPval}_{B_i}\hspace{1.1mm}ck'(i), AHPCom6=i=0degAHProw^C(x)AHProw^Cick(i)AHP\hspace{1mm}Com_6=\sum_{i=0}^{deg_{\hat{AHProw}_C(x)}}\hat{AHProw}_{C_i}\hspace{1.1mm}ck'(i), AHPCom7=i=0degAHPcol^C(x)AHPcol^Cick(i)AHP\hspace{1mm}Com_7=\sum_{i=0}^{deg_{\hat{AHPcol}_C(x)}}\hat{AHPcol}_{C_i}\hspace{1.1mm}ck'(i), AHPCom8=i=0degAHPval^C(x)AHPval^Cick(i)AHP\hspace{1mm}Com_8=\sum_{i=0}^{deg_{\hat{AHPval}_C(x)}}\hat{AHPval}_{C_i}\hspace{1.1mm}ck'(i).

4- The prover send the calculated commitment values to the Verifier.

2-3- PFR and AHP Commitment.json File Format

{
    "commitment_id": String,
    "iot_developer_name": String,
    "iot_device_name": String,
    "device_hardware_version": String,
    "firmware_version": String,
    "class": 32-bit Integer,
    "m": 64-bit Integer,
    "n": 64-bit Integer,
    "p": 64-bit Integer,
    "g": 64-bit Integer,   
        
    // PFR Commitment   
    "PFRrow_A": 64-bit Array,
    "PFRcol_A": 64-bit Array,
    "PFRval_A": 64-bit Array,
    "PFRrow_B": 64-bit Array,
    "PFRcol_B": 64-bit Array,
    "PFRval_B": 64-bit Array,
    "PFRrow_C": 64-bit Array,
    "PFRcol_C": 64-bit Array,
    "PFRval_C": 64-bit Array,
    
    "PFR Com0": 64-bit Integer,
    "PFR Com1": 64-bit Integer,
    "PFR Com2": 64-bit Integer,
    "PFR Com3": 64-bit Integer,
    "PFR Com4": 64-bit Integer,
    "PFR Com5": 64-bit Integer,
    "PFR Com6": 64-bit Integer,
    "PFR Com7": 64-bit Integer,
    "PFRCom8": 64-bit Integer,   

    // AHP Commitment
    "AHProw_A": 64-bit Array,
    "AHPcol_A": 64-bit Array,
    "AHPval_A": 64-bit Array,
    "AHProw_B": 64-bit Array,
    "AHPcol_B": 64-bit Array,
    "AHPval_B": 64-bit Array,
    "AHProwC_": 64-bit Array,
    "AHPcol_C": 64-bit Array,
    "AHPval_C": 64-bit Array,
    
    "AHP Com0": 64-bit Integer,
    "AHP Com1": 64-bit Integer,
    "AHP Com2": 64-bit Integer,
    "AHP Com3": 64-bit Integer,
    "AHP Com4": 64-bit Integer,
    "AHP Com5": 64-bit Integer,
    "AHP Com6": 64-bit Integer,
    "AHP Com7": 64-bit Integer,
    "AHP Com8": 64-bit Integer,    
    
    "curve": String,
    "polynomial_commitment": String
}

Param.json File Format

PreviousExample 2NextTarget architecture - RISC-V RV32IM

Last updated