Lin2-Xor Membership Proofs

Suyash Bagad

Merkle Tree

  • Suppose we want to store \(2^{k}\) files in a decentralized and succinct way

\(h = H\big(\)

\(\big)\)

  • Here, \(h\) indeed is a succinct representation of the files \(\{f_i\}_{i \in [8]}\)
  • The problem is: to check if a file in included in \(h\), you need all \(\{f_i\}_{i \in [8]}\) files
  • A better way to achieve this is using Merkle trees!

\(f_1\)

\(f_2\)

\(f_3\)

\(f_4\)

\(f_5\)

\(f_6\)

\(f_7\)

\(f_8\)

Merkle Tree

  • Suppose we want to store \(2^{k}\) files in a decentralized and succinct way

\(f_1\)

\(f_2\)

\(f_3\)

\(f_4\)

\(f_5\)

\(f_6\)

\(f_7\)

\(f_8\)

\(H(f_1)\)

\(H(f_2)\)

\(H(f_3)\)

\(H(f_4)\)

\(H(f_5)\)

\(H(f_6)\)

\(H(f_7)\)

\(H(f_8)\)

Merkle Tree

  • Suppose we want to store \(2^{k}\) files in a decentralized and succinct way

\(H(f_1)\)

\(H(f_2)\)

\(H(f_3)\)

\(H(f_4)\)

\(H(f_5)\)

\(H(f_6)\)

\(H(f_7)\)

\(H(f_8)\)

\(H'(H(f_1), H(f_2))\)

\(H'(H(f_3), H(f_4))\)

\(H'(H(f_5), H(f_6))\)

\(H'(H(f_7), H(f_8))\)

\(h^1_1\)

\(h^1_2\)

\(h^1_3\)

\(h^1_4\)

\(h^2_1\)

\(h^2_2\)

\(h^3_1\)

\(H'(h^1_1, h^1_2)\)

\(H'(h^1_3, h^1_4)\)

\(H'(h^2_1, h^2_2)\)

Merkle Tree

\(H(f_1)\)

\(H(f_2)\)

\(H(f_3)\)

\(H(f_4)\)

\(H(f_5)\)

\(H(f_6)\)

\(H(f_7)\)

\(H(f_8)\)

\(h^1_1\)

\(h^1_2\)

\(h^1_3\)

\(h^1_4\)

\(h^2_1\)

\(h^2_2\)

\(h^3_1\)

  • Indeed, \(h_1^3\) is succinct form of the files. How do we prove inclusion?

Merkle Tree

\(H(f_1)\)

\(H(f_2)\)

\(H(f_3)\)

\(H(f_4)\)

\(H(f_5)\)

\(H(f_6)\)

\(H(f_7)\)

\(H(f_8)\)

\(h^1_1\)

\(h^1_2\)

\(h^1_3\)

\(h^1_4\)

\(h^2_1\)

\(h^2_2\)

\(h^3_1\)

  • Indeed, \(h_1^3\) is succinct form of the files. How do we prove inclusion?

Merkle Tree

\(H(f_1)\)

\(H(f_2)\)

\(H(f_3)\)

\(H(f_4)\)

\(H(f_5)\)

\(H(f_6)\)

\(H(f_7)\)

\(H(f_8)\)

\(h^1_1\)

\(h^1_2\)

\(h^1_3\)

\(h^1_4\)

\(h^2_1\)

\(h^2_2\)

\(h^3_1\)

  • Only \(\left( H(f_6), h^1_4, h_1^2 \right)\) are enough to prove inclusion of \(f_5\)! Sister nodes!

DL Based Merkle Tree

  • Suppose \(\{L_i, R_i\}_{i\in [4]} \in \mathbb{G}^{8}\) and the node operation be \(H : \mathbb{G}^2 \rightarrow \mathbb{G}\) s.t. \(H(L, R) \coloneqq L + x^jR\) for some \(x \in \mathbb{F}_p, \ j \in \mathbb{N}\)

\(L_1\)

\(R_1\)

\(L_2\)

\(R_2\)

\(L_3\)

\(R_3\)

\(L_4\)

\(R_4\)

\(h^1_1\)

\(h^1_2\)

\(h^1_3\)

\(h^1_4\)

\(1\)

\(1\)

\(x_1\)

\(x_1^2\)

\(x_1^3\)

\(x_1^4\)

\(1\)

\(1\)

\(h^2_1\)

\(h^2_2\)

\(x_2\)

\(x_2^2\)

\(1\)

\(1\)

\(h^3_1\)

\(1\)

\(x_3\)

Lin2-Selector Proof

\(L_5\)

\(R_5\)

\(L_6\)

\(R_6\)

\(L_3\)

\(R_3\)

\(L_7\)

\(R_7\)

\(L_8\)

\(R_8\)

\(L_1\)

\(R_1\)

\(L_2\)

\(R_2\)

\(L_3\)

\(R_3\)

\(L_3\)

\(R_3\)

\(L_4\)

\(R_4\)

\(H_2\)

\(H_3\)

\(H_4\)

\(1\)

\(1\)

\(1\)

\(1\)

\(x_1\)

\(y_1\)

\(x_2^{-1}\)

\(y_2^{-1}\)

\(x_3\)

\(y_3\)

\(1\)

\(1\)

\(1\)

\(y_1\)

\(y_1\)

\(y_1\)

\(x_1\)

\(x_1\)

\(1\)

\(1\)

\(1\)

\(1\)

\(1\)

\(1\)

\(x_1\)

\(x_2^{-1}\)

\(1\)

\(1\)

\(y_2^{-1}\)

\(x_4^{-1}\)

  • Given \(Z\), we wish to prove: \(\mathcal{L} = \left\{(l, r) \in \mathbb{F}^2_p \ | \ Z = lL_6 + rR_6 \right\}\)
    • Step 1(a): Generate \(q_1 \leftarrow \mathbb{F}_p\) and send \(H_1 = q_1^{-1}l \cdot R_6\)

\(T\)

Lin2-Selector Proof

\(L_5\)

\(R_5\)

\(L_6\)

\(R_6\)

\(L_3\)

\(R_3\)

\(L_7\)

\(R_7\)

\(L_8\)

\(R_8\)

\(L_1\)

\(R_1\)

\(L_2\)

\(R_2\)

\(L_3\)

\(R_3\)

\(L_3\)

\(R_3\)

\(L_4\)

\(R_4\)

\(H_2\)

\(H_3\)

\(H_4\)

\(1\)

\(1\)

\(1\)

\(1\)

\(x_1\)

\(y_1\)

\(x_2^{-1}\)

\(y_2^{-1}\)

\(x_3\)

\(y_3\)

\(1\)

\(1\)

\(1\)

\(y_1\)

\(y_1\)

\(y_1\)

\(x_1\)

\(x_1\)

\(1\)

\(1\)

\(1\)

\(1\)

\(1\)

\(1\)

\(x_1\)

\(x_2^{-1}\)

\(1\)

\(1\)

\(y_2^{-1}\)

\(x_4^{-1}\)

  • Given \(Z\), we wish to prove: \(\mathcal{L} = \left\{(l, r) \in \mathbb{F}^2_p \ | \ Z = lL_6 + rR_6 \right\}\)
    • Step 1(b): Send \(r_1 = q_1\left(y_1 - \frac{r}{l}\right)\)

\(T\)

Lin2-Selector Proof

\(L_5\)

\(R_5\)

\(L_6\)

\(R_6\)

\(L_3\)

\(R_3\)

\(L_7\)

\(R_7\)

\(L_8\)

\(R_8\)

\(L_1\)

\(R_1\)

\(L_2\)

\(R_2\)

\(L_3\)

\(R_3\)

\(L_3\)

\(R_3\)

\(L_4\)

\(R_4\)

\(H_2\)

\(H_3\)

\(H_4\)

\(1\)

\(1\)

\(1\)

\(1\)

\(x_1\)

\(y_1\)

\(x_2^{-1}\)

\(y_2^{-1}\)

\(x_3\)

\(y_3\)

\(1\)

\(1\)

\(1\)

\(y_1\)

\(y_1\)

\(y_1\)

\(x_1\)

\(x_1\)

\(1\)

\(1\)

\(1\)

\(1\)

\(1\)

\(1\)

\(x_1\)

\(x_2^{-1}\)

\(1\)

\(1\)

\(y_2^{-1}\)

\(x_4^{-1}\)

  • Given \(Z\), we wish to prove: \(\mathcal{L} = \left\{(l, r) \in \mathbb{F}^2_p \ | \ Z = lL_6 + rR_6 \right\}\)
    • Step 2(a): Generate \(q_2 \leftarrow \mathbb{F}_p\)  and send \(H_2 = q_2^{-1} l \left( L_5 + x_1R_5 \right)\)

\(T\)

Lin2-Selector Proof

\(L_5\)

\(R_5\)

\(L_6\)

\(R_6\)

\(L_3\)

\(R_3\)

\(L_7\)

\(R_7\)

\(L_8\)

\(R_8\)

\(L_1\)

\(R_1\)

\(L_2\)

\(R_2\)

\(L_3\)

\(R_3\)

\(L_3\)

\(R_3\)

\(L_4\)

\(R_4\)

\(H_2\)

\(H_3\)

\(H_4\)

\(1\)

\(1\)

\(1\)

\(1\)

\(x_1\)

\(y_1\)

\(x_2^{-1}\)

\(y_2^{-1}\)

\(x_3\)

\(y_3\)

\(1\)

\(1\)

\(1\)

\(y_1\)

\(y_1\)

\(y_1\)

\(x_1\)

\(x_1\)

\(1\)

\(1\)

\(1\)

\(1\)

\(1\)

\(1\)

\(x_1\)

\(x_2^{-1}\)

\(1\)

\(1\)

\(y_2^{-1}\)

\(x_4^{-1}\)

  • Given \(Z\), we wish to prove: \(\mathcal{L} = \left\{(l, r) \in \mathbb{F}^2_p \ | \ Z = lL_6 + rR_6 \right\}\)
    • Step 2(b): Send \(r_2 = q_2 \left( x_2^{-1} - \frac{r}{l} \right)\)

\(T\)

Lin2-Selector Proof

\(L_5\)

\(R_5\)

\(L_6\)

\(R_6\)

\(L_3\)

\(R_3\)

\(L_7\)

\(R_7\)

\(L_8\)

\(R_8\)

\(L_1\)

\(R_1\)

\(L_2\)

\(R_2\)

\(L_3\)

\(R_3\)

\(L_3\)

\(R_3\)

\(L_4\)

\(R_4\)

\(H_2\)

\(H_3\)

\(H_4\)

\(1\)

\(1\)

\(1\)

\(1\)

\(x_1\)

\(y_1\)

\(x_2^{-1}\)

\(y_2^{-1}\)

\(x_3\)

\(y_3\)

\(1\)

\(1\)

\(1\)

\(y_1\)

\(y_1\)

\(y_1\)

\(x_1\)

\(x_1\)

\(1\)

\(1\)

\(1\)

\(1\)

\(1\)

\(1\)

\(x_1\)

\(x_2^{-1}\)

\(1\)

\(1\)

\(y_2^{-1}\)

\(x_4^{-1}\)

  • Given \(Z\), we wish to prove: \(\mathcal{L} = \left\{(l, r) \in \mathbb{F}^2_p \ | \ Z = lL_6 + rR_6 \right\}\)
    • Step 3(a): Gen \(q_3 \leftarrow \mathbb{F}_p\)  and send \(H_3 = q_3^{-1} l \left( y_2^{-1}(L_7 + x_1R_7) + L_8 + y_1R_8 \right)\)

\(T\)

Lin2-Selector Proof

\(L_5\)

\(R_5\)

\(L_6\)

\(R_6\)

\(L_3\)

\(R_3\)

\(L_7\)

\(R_7\)

\(L_8\)

\(R_8\)

\(L_1\)

\(R_1\)

\(L_2\)

\(R_2\)

\(L_3\)

\(R_3\)

\(L_3\)

\(R_3\)

\(L_4\)

\(R_4\)

\(H_2\)

\(H_3\)

\(H_4\)

\(1\)

\(1\)

\(1\)

\(1\)

\(x_1\)

\(y_1\)

\(x_2^{-1}\)

\(y_2^{-1}\)

\(x_3\)

\(y_3\)

\(1\)

\(1\)

\(1\)

\(y_1\)

\(y_1\)

\(y_1\)

\(x_1\)

\(x_1\)

\(1\)

\(1\)

\(1\)

\(1\)

\(1\)

\(1\)

\(x_1\)

\(x_2^{-1}\)

\(1\)

\(1\)

\(y_2^{-1}\)

\(x_4^{-1}\)

  • Given \(Z\), we wish to prove: \(\mathcal{L} = \left\{(l, r) \in \mathbb{F}^2_p \ | \ Z = lL_6 + rR_6 \right\}\)
    • Step 3(b): Send \(r_3 = q_3 \left( y_3 - \frac{r}{l} \right)\)

\(T\)

Lin2-Selector Proof

\(L_5\)

\(R_5\)

\(L_6\)

\(R_6\)

\(L_3\)

\(R_3\)

\(L_7\)

\(R_7\)

\(L_8\)

\(R_8\)

\(L_1\)

\(R_1\)

\(L_2\)

\(R_2\)

\(L_3\)

\(R_3\)

\(L_3\)

\(R_3\)

\(L_4\)

\(R_4\)

\(H_2\)

\(H_3\)

\(H_4\)

\(1\)

\(1\)

\(1\)

\(1\)

\(x_1\)

\(y_1\)

\(x_2^{-1}\)

\(y_2^{-1}\)

\(x_3\)

\(y_3\)

\(1\)

\(1\)

\(1\)

\(y_1\)

\(y_1\)

\(y_1\)

\(x_1\)

\(x_1\)

\(1\)

\(1\)

\(1\)

\(1\)

\(1\)

\(1\)

\(x_1\)

\(x_2^{-1}\)

\(1\)

\(1\)

\(y_2^{-1}\)

\(x_4^{-1}\)

  • Given \(Z\), we wish to prove: \(\mathcal{L} = \left\{(l, r) \in \mathbb{F}^2_p \ | \ Z = lL_6 + rR_6 \right\}\)
    • Step 4(a): Gen \(q_4 \leftarrow \mathbb{F}_p\)  and send \(H_4 = q_3^{-1} l \left( R_{\text{sum}}(L_1, \dots, R_4) \right)\)

\(T\)

Lin2-Selector Proof

\(L_5\)

\(R_5\)

\(L_6\)

\(R_6\)

\(L_3\)

\(R_3\)

\(L_7\)

\(R_7\)

\(L_8\)

\(R_8\)

\(L_1\)

\(R_1\)

\(L_2\)

\(R_2\)

\(L_3\)

\(R_3\)

\(L_3\)

\(R_3\)

\(L_4\)

\(R_4\)

\(H_2\)

\(H_3\)

\(H_4\)

\(1\)

\(1\)

\(1\)

\(1\)

\(x_1\)

\(y_1\)

\(x_2^{-1}\)

\(y_2^{-1}\)

\(x_3\)

\(y_3\)

\(1\)

\(1\)

\(1\)

\(y_1\)

\(y_1\)

\(y_1\)

\(x_1\)

\(x_1\)

\(1\)

\(1\)

\(1\)

\(1\)

\(1\)

\(1\)

\(x_1\)

\(x_2^{-1}\)

\(1\)

\(1\)

\(y_2^{-1}\)

\(x_4^{-1}\)

  • Given \(Z\), we wish to prove: \(\mathcal{L} = \left\{(l, r) \in \mathbb{F}^2_p \ | \ Z = lL_6 + rR_6 \right\}\)
    • Step 4(b): Send \(r_4 = q_4 \left( x_4^{-1} \right)\)

\(T\)

Lin2-Selector Proof

\(L_5\)

\(R_5\)

\(L_6\)

\(R_6\)

\(L_3\)

\(R_3\)

\(L_7\)

\(R_7\)

\(L_8\)

\(R_8\)

\(L_1\)

\(R_1\)

\(L_2\)

\(R_2\)

\(L_3\)

\(R_3\)

\(L_3\)

\(R_3\)

\(L_4\)

\(R_4\)

\(H_2\)

\(H_3\)

\(H_4\)

\(1\)

\(1\)

\(1\)

\(1\)

\(x_1\)

\(y_1\)

\(x_2^{-1}\)

\(y_2^{-1}\)

\(x_3\)

\(y_3\)

\(1\)

\(1\)

\(1\)

\(y_1\)

\(y_1\)

\(y_1\)

\(x_1\)

\(x_1\)

\(1\)

\(1\)

\(1\)

\(1\)

\(1\)

\(1\)

\(x_1\)

\(x_2^{-1}\)

\(1\)

\(1\)

\(y_2^{-1}\)

\(x_4^{-1}\)

  • Given \(Z\), we wish to prove: \(\mathcal{L} = \left\{(l, r) \in \mathbb{F}^2_p \ | \ Z = lL_6 + rR_6 \right\}\)
    • Step 5: Gen \(q \leftarrow \mathbb{F}_p\), send \(T = q \left( Z + \sum_{i=1}^{4}r_iH_i \right), \ t = \left( q - \frac{x_2^{-1}x_4^{-1}}{l} \cdot c \right) \)

\(T\)

Lin2-Selector Proof

\(L_5\)

\(R_5\)

\(L_6\)

\(R_6\)

\(L_3\)

\(R_3\)

\(L_7\)

\(R_7\)

\(L_8\)

\(R_8\)

\(L_1\)

\(R_1\)

\(L_2\)

\(R_2\)

\(L_3\)

\(R_3\)

\(L_3\)

\(R_3\)

\(L_4\)

\(R_4\)

\(H_2\)

\(H_3\)

\(H_4\)

\(1\)

\(1\)

\(1\)

\(1\)

\(x_1\)

\(y_1\)

\(x_2^{-1}\)

\(y_2^{-1}\)

\(x_3\)

\(y_3\)

\(1\)

\(1\)

\(1\)

\(y_1\)

\(y_1\)

\(y_1\)

\(x_1\)

\(x_1\)

\(1\)

\(1\)

\(1\)

\(1\)

\(1\)

\(1\)

\(x_1\)

\(x_2^{-1}\)

\(1\)

\(1\)

\(y_2^{-1}\)

\(x_4^{-1}\)

  • Given a proof \(\Pi = \left\{ \{r_i, H_i\}_{i \in [4]}, T, t \right\}\), we need to check the following
    • \(tW + cR \stackrel{?}{=} T\) where \(W := \left(Z + \sum_{i=1}^{4}r_iH_i\right), \ R := R_{\text{sum}}(L_1, \dots, R_8) \)

\(T\)

Lin2-Xor Membership Proofs

By Suyash Bagad

Made with Slides.com

Lin2-Xor Membership Proofs

Brief overview of the Lin2-Xor based Membership NIZK protocol.

  • 66

More from Suyash Bagad