
CompSci 220r: Notes

Theodore Wilson October 13, 2011

IP $B_1, \dots, B_n$; EP (auctioneer); V (verifiers)

$F_p = \langle \{0, \dots, p-1\}, +_p, \times_p, 0, 1 \rangle$, $p \approx 2^{128}$

The bidders $\{B_1, \dots, B_n\}$ have bid values $\{x_1, \dots, x_n\}$. The evaluator prover (EP) performs an agreed-upon straight line computation (SLC) on the inputs $\{x_1, \dots, x_n\}$ to create outputs $\{x_L, x_{L+1}, \dots, x_{L+k}\}$ (*).

$\forall m$, $n < m$, $\exists i, j < m$:

$$x_m = \begin{cases} x_i + x_j \pmod p \ \text{ or } \ x_i \times x_j \pmod p, & m \le L \\ \mathrm{TruthValue}(x_i \le x_j), & m \ge L + 1 \end{cases}$$

EP announces outputs. Upon demand, it provides a secrecy-preserving proof of correctness. $x_1, \dots, x_n, \dots, x_L$ remain secret (information-theoretically secure).

2
2.1 Definition

For $x \in F_p$, $X = (u, v)$, $\mathrm{val}(X) = (u + v) \bmod p$. If $\mathrm{val}(X) = x$, $X$ represents $x$.

Making a random representation $RR(x) = X$:

$u \in_R [0, p-1]$
$v = (x - u) \pmod p$
$X = (u, v)$

2.2 Commitment Function $COM(r, x)$, $r$-help value

Assume COM is information-theoretically hiding and computationally binding (Pedersen). E.g., commit is putting a value into an envelope; reveal is opening the envelope. If you take two Pedersen commitments $COM(x_1)$, $COM(x_2)$ and multiply them, it becomes a commitment of $x_1 x_2$.

2.3 Def./Alg.

Let $X = (u, v)$, representing $u + v \pmod p$. A $COM(X)$ is produced by choosing $r$ and $s$ at random and setting $COM(X) \stackrel{\text{def}}{=} (COM(r, u), COM(s, v))$.

2.4 Decommit/reveal X

Reveal $r, u, s, v$. Verifying by receiver (say, EP or V). $B_1$ has $x_1$. Creates $X_1 = (u_1, v_1) = RR(x_1)$ and $COM(X_1) = (COM(r_1, u_1), COM(s_1, v_1))$. $B_1$ sends $r_1, u_1, s_1, v_1$ to EP. EP computes $COM(r_1, u_1)$ and compares to $c_1$, etc.

Representing values by a vector


1. IPs $B_1, \dots, B_n$ prepare $RR(x_1) = X_1, \dots, RR(x_n) = X_n$ and $COM(X_1), \dots, COM(X_n)$ and send to EP. Has secure Bulletin Board (BB).
2. Then $B_1, \dots, B_n$ decommit to EP. EP validates.
3. EP now knows input values $x_1, \dots, x_n$. Performs known SLC (*) and announces output values $x_{L+1}, \dots, x_{L+k}$.
4. EP creates a translation TR of SLC. $TR: COM(X_1), \dots, COM(X_n), COM(Y_1), \dots, COM(Y_K)$ K 11L
5. EP posts TR on BB, posts claims such as $\mathrm{val}(Y_1) = \mathrm{val}(X_1) + \mathrm{val}(X_2)$.

Let $COM(X)$, $COM(Y)$, $COM(Z)$ be given/posted. $X = (u_1, v_1)$, $Y = (u_2, v_2)$, $Z = (u_3, v_3)$. $COM(X) = (COM(r_1, u_1), COM(s_1, v_1))$, etc.

P claims that $\mathrm{val}(X) + \mathrm{val}(Y) = \mathrm{val}(Z)$. This is true iff $\exists w \in F_p$:

$$\frac{u_1}{v_1} + \frac{u_2}{v_2} = \frac{u_3}{v_3} + \frac{w}{-w}$$

NOTE: These are not actually fractions; doing arrays proper in latex is just too much of a pain in the ass.

1. Verifier chooses randomly $c \in \{1, 2\}$.
2. If $c = 1$ then P reveals $u_1, u_2, u_3$. V checks commitments and verifies that $u_1 + u_2 = u_3 + w$. If $c = 2$ then P reveals $v_1, v_2, v_3$. V checks commitments and verifies that $v_1 + v_2 = v_3 - w$.

Completeness: If P's claim ($\mathrm{val}(X) + \mathrm{val}(Y) = \mathrm{val}(Z)$) is true, then P will succeed (V will accept) under both $c = 1$ and $c = 2$.

Soundness (convincing): If P's claim is false, then P will fail at least one of the challenges. $\Pr(\text{P's claim accepted}) \le \frac{1}{2}$
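The challenge-response check above, as an added Python example (not code from these notes). It assumes a toy Pedersen commitment with constructed parameters `P`, `Q`, `G`, `H` that are far too small for real use, and all function names are hypothetical.

```python
import secrets

# Toy Pedersen parameters (constructed for illustration, not secure):
# P = 2Q + 1 is a safe prime; G and H generate the subgroup of prime order Q.
# The notes use a field of size about 2^128; here the value field is F_Q.
P, Q, G, H = 2039, 1019, 4, 9

def com(r, x):
    """Pedersen commitment COM(r, x) = G^x * H^r mod P, with help value r."""
    return pow(G, x % Q, P) * pow(H, r % Q, P) % P

def rr(x):
    """Random representation RR(x) = (u, v) with u + v = x (mod Q)."""
    u = secrets.randbelow(Q)
    return u, (x - u) % Q

def commit_pair(X):
    """COM(X) = (COM(r, u), COM(s, v)); returns the commitment and its opening."""
    u, v = X
    r, s = secrets.randbelow(Q), secrets.randbelow(Q)
    return (com(r, u), com(s, v)), (r, u, s, v)

def respond(c, openings):
    """Prover: for c = 1 open the u components, for c = 2 the v components."""
    i = 0 if c == 1 else 2
    return [(o[i], o[i + 1]) for o in openings]  # (help value, component) x 3

def verify(c, coms, w, response):
    """Verifier: check the three openings, then the linear relation for c."""
    for pair, (help_val, comp) in zip(coms, response):
        if com(help_val, comp) != pair[c - 1]:
            return False
    a, b, z = (comp for _, comp in response)
    rhs = z + w if c == 1 else z - w
    return (a + b - rhs) % Q == 0

def run(x, y, z, w=None):
    """Commit to RR(x), RR(y), RR(z); return V's verdicts for c = 1 and c = 2."""
    coms, opens = zip(*(commit_pair(rr(t)) for t in (x, y, z)))
    if w is None:  # honest prover: w = u1 + u2 - u3
        w = (opens[0][1] + opens[1][1] - opens[2][1]) % Q
    return [verify(c, coms, w, respond(c, opens)) for c in (1, 2)]
```

For a true claim, `run(3, 4, 7)` is accepted under both challenges; for a false claim such as `run(3, 4, 8, w)`, no choice of `w` passes both, which is the 1/2 soundness bound.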

Random stuff from end of class


1. The above interactive proof is information theoretic secrecy preserving.
