IP $B_1, \ldots, B_n$, EP (auctioneer), V (verifiers)
$F_p = \{0, \ldots, p-1\}, +_p, \cdot_p, 0, 1$; $p$ $2^{128}$

The bidders $\{B_1, \ldots, B_n\}$ have bid values $\{x_1, \ldots, x_n\}$. The evaluator prover (EP) performs an agreed-upon straight line computation (SLC) on the inputs $\{x_1, \ldots, x_n\}$ to create outputs $\{x_L, x_{L+1}, \ldots, x_{L+k}\}$ (*).

(*) $m$, $n < m$, $i, j < m$ $L$:

$x_m = x_i + x_j \pmod p$

$x_m = x_i x_j \pmod p$

$x_m = \mathrm{TruthValue}(x_i\ x_j)$, $m$ $L + 1$

EP announces the outputs and, upon demand, provides a secrecy-preserving proof of correctness. $x_1, \ldots, x_n, \ldots, x_L$ remain secret (information-theoretically secure).
2
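2.1 Definition

Let $x \in F_p$. $X = (u, v)$ with $\mathrm{val}(X) = (u + v) \bmod p$. If $\mathrm{val}(X) = x$, then $X$ represents $x$.

Making a random representation $RR(x) = X$: choose $u \in_R [0, p-1]$, set $v = (x - u) \pmod p$, and let $X = (u, v)$.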
2.2
Assume COM is information-theoretically hiding and computationally binding (Pedersen). For example, committing is putting a value into an envelope, and revealing is opening the envelope. If you take two Pedersen commitments $COM(x_1)$, $COM(x_2)$ and multiply them, the result is a commitment to $x_1 + x_2$.
2.3 Def./Alg.

Let $X = (u, v) = u + v \pmod p$. A $COM(X)$ is produced by choosing $r$ and $s$ at random and setting $COM(X) =_d (COM(r, u), COM(s, v))$.
2.4 Decommit/reveal X

Reveal $r, u, s, v$. Verification is done by the receiver (say, EP or V).

$B_1$ has $x_1$. $B_1$ creates $X_1 = (u_1, v_1) = RR(x_1)$ and $COM(X_1) = (COM(r_1, u_1), COM(s_1, v_1))$. $B_1$ sends $r_1, u_1, s_1, v_1$ to EP. EP computes $COM(r_1, u_1)$ and compares it to $c_1$, etc.
NOTE: These are not actually fractions; doing arrays proper in LaTeX is just too much of a pain in the ass.

1. The verifier chooses $c \in \{1, 2\}$ at random.
2. If $c = 1$ then P reveals $u_1, u_2, u_3$. V checks the commitments and verifies that $u_1 + u_2 = u_3 + w$. If $c = 2$ then P reveals $v_1, v_2, v_3$. V checks the commitments and verifies that $v_1 + v_2 = v_3 - w$.

Completeness: If P's claim ($\mathrm{val}(X) + \mathrm{val}(Y) = \mathrm{val}(Z)$) is true, then P will succeed (V will accept) under both $c = 1$ and $c = 2$.

Soundness (convincing): If P's claim is false, then P will fail at least one of the challenges, so $\Pr(\text{P's claim accepted}) \le \frac{1}{2}$.
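
One round of the addition proof above in Python, as an added example that is not part of the original notes. It assumes constructed toy Pedersen parameters (a 2039-element group, far too small for real use), takes the field modulus p equal to the subgroup order, and assumes P announces $w = u_1 + u_2 - u_3 \pmod p$, which the surviving text implies but does not state.

```python
import secrets

# Constructed toy parameters: GP = 2p + 1 with GP and p both prime.
GP, p = 2039, 1019   # group modulus, and field modulus (= subgroup order)
G, H = 4, 9          # squares mod GP, so each generates the order-p subgroup

def com(r, m):
    """Pedersen commitment COM(r, m) = G^m * H^r mod GP."""
    return pow(G, m, GP) * pow(H, r, GP) % GP

def rr(x):
    """Random representation RR(x) = (u, v) with u + v = x (mod p)."""
    u = secrets.randbelow(p)
    return u, (x - u) % p

def commit_pair(X):
    """COM(X) = (COM(r, u), COM(s, v)); returns (commitments, openings)."""
    (u, v), r, s = X, secrets.randbelow(p), secrets.randbelow(p)
    return (com(r, u), com(s, v)), ((r, u), (s, v))

def prove_addition(x, y, z, c=None):
    """One round of the claim val(X) + val(Y) = val(Z); True if V accepts."""
    reps = [rr(x), rr(y), rr(z)]
    coms, opens = zip(*(commit_pair(X) for X in reps))
    (u1, _), (u2, _), (u3, _) = reps
    w = (u1 + u2 - u3) % p                  # assumed: P announces w
    c = c or secrets.choice([1, 2])         # V's random challenge
    idx = c - 1                             # 0 -> u halves, 1 -> v halves
    revealed = [o[idx] for o in opens]      # (randomness, value) per triple
    # V recomputes each opened commitment and compares with what was posted.
    if any(com(r, m) != cm[idx] for (r, m), cm in zip(revealed, coms)):
        return False
    a, b, d = (m for _, m in revealed)
    # c = 1: u1 + u2 = u3 + w;  c = 2: v1 + v2 = v3 - w  (all mod p)
    return (a + b - d) % p == (w if c == 1 else -w % p)
```

A true claim passes both challenges; a false claim with this w passes c = 1 and fails c = 2, which is the 1/2 soundness bound per round.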