├── main.pdf
├── sprmindx.sty
├── latexpand
│   ├── version.txt
│   ├── LICENCE
│   ├── README
│   └── latexpand
├── update-references.sh
├── llncs-readme.txt
├── .gitignore
├── abstract.tex
├── Makefile
├── README.md
├── includes.tex
├── appendix.tex
├── remreset.sty
├── conclusion.tex
├── llncsdoc.sty
├── tables.tex
├── appendix-dft-pp.tex
├── aliascnt.sty
├── main.txss
├── references-extra.bib
├── main.tex
├── defs.tex
├── appendix-sec-proofs.tex
├── history.txt
├── background.tex
├── asvc.tex
├── appendix-complexity-hog.tex
├── asvc-kzg.tex
├── intro.tex
├── apps.tex
├── splncs.bst
└── appendix-complexity-kog.tex

/main.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/alinush/asvc-paper/HEAD/main.pdf
--------------------------------------------------------------------------------
/sprmindx.sty:
--------------------------------------------------------------------------------
1 | delim_0 "\\idxquad "
2 | delim_1 "\\idxquad "
3 | delim_2 "\\idxquad "
4 | delim_n ",\\,"
5 |
--------------------------------------------------------------------------------
/latexpand/version.txt:
--------------------------------------------------------------------------------
1 | latexpand version v1.6 (ce086093a2413c99af11cc08aceab8e5483d65ff).
2 | Committed on Thu Dec 12 09:37:27 2019 +0000.
3 |
--------------------------------------------------------------------------------
/update-references.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | set -e
3 |
4 | scriptdir=$(cd "$(dirname "$0")" && pwd -P)  # quoted so a checkout path with spaces is not word-split
5 |
6 | cd "$scriptdir"
7 | rm -f main.blg main.bbl  # drop stale BibTeX outputs before regenerating the bibliography
8 | ck genbib references.bib
9 |
--------------------------------------------------------------------------------
/llncs-readme.txt:
--------------------------------------------------------------------------------
1 | Dear LLNCS user,
2 |
3 | The files in this directory belong to the LaTeX2e package for
4 | Lecture Notes in Computer Science (LNCS) of Springer-Verlag.
5 |
6 | It consists of the following files:
7 |
8 |   readme.txt        this file
9 |
10 |   history.txt       the version history of the package
11 |
12 |   llncs.cls         the LaTeX2e document class
13 |
14 |   samplepaper.tex   a sample paper
15 |   fig1.eps          a figure used in the sample paper
16 |
17 |   llncsdoc.pdf      the documentation of the class (PDF version)
18 |
19 |   splncs04.bst      current LNCS BibTeX style with alphabetic sorting
20 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | /README.html
2 | .DS_Store
3 | /*.pdf
4 | /*.aux
5 | /*.bbl
6 | /*.blg
7 | /*.log
8 | /*.lof
9 | /*.lot
10 | /*.toc
11 | /*.fls
12 | /*.fdb_latexmk
13 | /\_*.tex
14 | /*.out
15 | /*.synctex.gz
16 | /*.synctex(busy)
17 | /TODO.html
18 | /*.dvi
19 |
20 | acmart.pdf
21 | acmguide.pdf
22 | sample-*.pdf
23 | *.log
24 | *.aux
25 | *.cfg
26 | *.glo
27 | *.idx
28 | *.toc
29 | *.ilg
30 | *.ind
31 | *.out
32 | *.lof
33 | *.lot
34 | *.bbl
35 | *.blg
36 | *.gls
37 | *.cut
38 | *.hd
39 | *.dvi
40 | *.ps
41 | *.thm
42 | *.tgz
43 | *.zip
44 | *.rpi
45 | *~
46 | *.bcf
47 | *.run.xml
48 | *.synctex.gz(busy)
49 | camera-ready/
50 | camera-ready.tar.gz
51 |
--------------------------------------------------------------------------------
/abstract.tex: -------------------------------------------------------------------------------- 1 | An \textit{aggregatable subvector commitment (aSVC)} scheme is a \textit{vector commitment (VC)} scheme that can aggregate multiple proofs into a single, small subvector proof. 2 | In this paper, we formalize aSVCs and give a construction from constant-sized polynomial commitments. 3 | Our construction is unique in that it has linear-sized public parameters, it can compute all constant-sized proofs in quasilinear time, it updates proofs in constant time and it can aggregate multiple proofs into a constant-sized subvector proof. 4 | Furthermore, our concrete proof sizes are small due to our use of pairing-friendly groups. 5 | We use our aSVC to obtain a payments-only stateless cryptocurrency with very low communication and computation overheads. 6 | Specifically, our constant-sized, aggregatable proofs reduce each block's proof overhead to a single group element, which is optimal. 7 | Furthermore, our subvector proofs speed up block verification and our smaller public parameters further reduce block size. 
8 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | TEXNAME=main 2 | 3 | all: clean figures latexmk 4 | 5 | svg_to_eps: 6 | #figures/accaad.eps figures/precomp-memb.eps figures/AT.eps figures/forest.eps figures/frontier.eps figures/model.eps 7 | 8 | svg_to_pdf: 9 | #figures/accaad.pdf figures/precomp-memb.pdf figures/AT.pdf figures/forest.pdf figures/frontier.pdf figures/model.pdf 10 | 11 | figures: svg_to_eps svg_to_pdf 12 | 13 | figures/%.eps: figures/%.svg 14 | inkscape -D -z --file=$(realpath $<) --export-eps=$(realpath .)/$@ 15 | 16 | figures/%.pdf: figures/%.svg 17 | inkscape -D -z --file=$(realpath $<) --export-dpi=300 --export-pdf=$(realpath .)/$@ 18 | 19 | clean: 20 | $(RM) ${TEXNAME}.pdf *.log *.aux \ 21 | *.fls *.fdb_latexmk *.synctex.gz *.bcf\ 22 | *.cfg *.glo *.idx *.toc \ 23 | *.ilg *.ind *.out *.lof \ 24 | *.lot *.bbl *.blg *.gls *.cut *.hd \ 25 | *.dvi *.ps *.thm *.tgz *.zip *.rpi 26 | 27 | latexmk: 28 | # For some reason using -auxdir=build/ will result in failed builds 29 | latexmk -pdf ${TEXNAME} 30 | 31 | open: 32 | xdg-open ${TEXNAME}.pdf 33 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Aggregatable Subvector Commitments for Stateless Cryptocurrencies 2 | 3 | This repo has both the SCN 2020 "camera-ready" version of the paper and the IACR Cryptology ePrint version (which is posted [here](http://eprint.iacr.org/2020/527)). 4 | 5 | You can use the `build-camera-ready.sh` script to generate the camera-ready version in `camera-ready/main.pdf`, which you can open with your favorite PDF viewer. 6 | 7 | For the ePrint version, just do a `make` and then open `main.pdf` with your favorite PDF viewer. 
8 |
9 | ## Errata
10 |
11 | In section 3.4.2, in "The $i\ne j$ Case", at some point the text says: $W_{i,j}(X) = c_i \frac{1}{X-\omega^i} + c_j \frac{1}{X-\omega_j}$.
12 | This is an unfortunate typo.
13 | The correct form is $W_{i,j}(X) = A(X) \left(c_i \frac{1}{X-\omega^i} + c_j \frac{1}{X-\omega^j}\right) = c_i \frac{A(X)}{X-\omega^i} + c_j \frac{A(X)}{X-\omega^j}$.
14 |
15 | In section 3.4, 2nd paragraph, $A'_I(X)=\prod_{j\in[0,n)} A_I(X)/(X-\omega^j)$ is incorrectly defined.
16 | The correct form is $A'_I(X)=\sum_{j\in I} A_I(X)/(X-\omega^j)$: the derivative of $A_I(X)$ is a sum of the terms $A_I(X)/(X-\omega^j)$, not a product, and it ranges over $j\in I$ rather than over all of $[0,n)$.
17 |
18 |
--------------------------------------------------------------------------------
/includes.tex:
--------------------------------------------------------------------------------
1 | \usepackage[usenames,dvipsnames,svgnames,table]{xcolor} % \textcolor for coloring text
2 |
3 | \usepackage{amsmath}
4 | \usepackage{amssymb}
5 | \usepackage{bm} % for bolding math text
6 | \usepackage{booktabs} % for table spacing, \midrule, \toprule
7 | \usepackage{cite}
8 | \usepackage{fancyhdr}
9 | \usepackage[linguistics]{forest}
10 | \ifNotCameraReady
11 | \usepackage[margin=.7in,bmargin=.7in]{geometry}
12 | \fi
13 | \usepackage{hyperref}
14 | \usepackage[misc]{ifsym} % use \Letter for corresponding author
15 | \usepackage{makecell} % use \makecell{text\\ new line} to break up lines inside table cells
16 | \usepackage{mathtools}
17 | \usepackage{polynom} % useful for dividing polynomials
18 | \usepackage{xspace}
19 | \usepackage{verbatim} % for \begin{comment}
20 |
21 | \usepackage[noabbrev,capitalize]{cleveref}
22 |
23 | % for some reason, these are not defined in cleveref and I was getting '??' in my crefs to subsubsections in the appendix
24 | \crefformat{subsubsubappendix}{Appendix #2#1#3}
25 | \crefmultiformat{subsubsubappendix}{Appendices #2#1#3}{ and~#2#1#3}{, #2#1#3}{, and~#2#1#3}
26 |
--------------------------------------------------------------------------------
/appendix.tex:
--------------------------------------------------------------------------------
1 | \ifCameraReady
2 | \else
3 | \section{Closed-form Formula for Evaluating the Derivative of $X^n - 1$ at Roots of Unity}
4 | \label{app:xn-1-derivative}
5 |
6 | Let $A(X)=X^n - 1$ and recall that $\lagr_i(X) = \frac{A(X)}{A'(\omega^i)\cdot(X-\omega^i)}$ (see \cref{s:prelim:partial-fraction-decomposition}).
7 | Let $A'(X)$ be the derivative of $X^n - 1$ and let $g(X)=A(X)/(X-\omega^i)$.
8 |
9 | First, note that $A'(\omega^i)=g(\omega^i)$, since $A(X)=g(X)(X-\omega^i)$ gives $A'(X)=g'(X)(X-\omega^i)+g(X)$.
10 | Second, by carrying out the division of $X^n -1$ by $(X-\omega^i)$, one can verify that:
11 |
12 | \begin{align}
13 | g(X) = (\omega^i)^0 X^{n-1} + (\omega^i)^1 X^{n-2} + (\omega^i)^2 X^{n-3} + \dots + (\omega^i)^{n-2} X^1 + (\omega^i)^{n-1} X^0
14 | \end{align}
15 |
16 | Third, evaluating $A'(X)$ at $X=\omega^i$ gives (each of the $n$ terms below equals $\omega^{i(n-1)}$, and $\omega^{in}=1$):
17 |
18 | \begin{align}
19 | A'(\omega^i) = g(\omega^i) &= (\omega^i)^0 \omega^{i(n-1)} + (\omega^i)^1 \omega^{i(n-2)} + (\omega^i)^2 \omega^{i(n-3)} + \dots + (\omega^i)^{n-2} \omega^{i\cdot1} + (\omega^i)^{n-1} \omega^{i\cdot0}\\
20 | &= n\omega^{i(n-1)} = n(\omega^{i\cdot n-i})=n\omega^{-i}
21 | \end{align}
22 |
23 | \input{appendix-dft-pp}
24 | \input{appendix-sec-proofs}
25 | \input{appendix-complexity-kog}
26 | \input{appendix-complexity-hog}
27 | \fi
28 |
--------------------------------------------------------------------------------
/remreset.sty:
--------------------------------------------------------------------------------
1 | % remreset package
2 | %%%%%%%%%%%%%%%%%%
3 |
4 | % Copyright 1997 David carlisle
5 | % This file may be distributed under the terms of the LPPL.
6 | % See 00readme.txt for details.
7 | 8 | % 1997/09/28 David Carlisle 9 | 10 | % LaTeX includes a command \@addtoreset that is used to declare that 11 | % a counter should be reset every time a second counter is incremented. 12 | 13 | % For example the book class has a line 14 | % \@addtoreset{footnote}{chapter} 15 | % So that the footnote counter is reset each chapter. 16 | 17 | % If you wish to bas a new class on book, but without this counter 18 | % being reset, then standard LaTeX gives no simple mechanism to do 19 | % this. 20 | 21 | % This package defines |\@removefromreset| which just undoes the effect 22 | % of \@addtorest. So for example a class file may be defined by 23 | 24 | % \LoadClass{book} 25 | % \@removefromreset{footnote}{chapter} 26 | 27 | 28 | \def\@removefromreset#1#2{{% 29 | \expandafter\let\csname c@#1\endcsname\@removefromreset 30 | \def\@elt##1{% 31 | \expandafter\ifx\csname c@##1\endcsname\@removefromreset 32 | \else 33 | \noexpand\@elt{##1}% 34 | \fi}% 35 | \expandafter\xdef\csname cl@#2\endcsname{% 36 | \csname cl@#2\endcsname}}} 37 | 38 | 39 | -------------------------------------------------------------------------------- /conclusion.tex: -------------------------------------------------------------------------------- 1 | \section{Conclusion} 2 | In this paper, we formalized a new cryptographic primitive called an \textit{aggregatable subvector commitment (aSVC)} that supports aggregating and updating proofs (and commitments) using only constant-sized, static auxiliary information referred to as an ``update key.'' 3 | We constructed an efficient aSVC from KZG commitments to Lagrange polynomials which, compared to other pairing-based schemes, can precompute, aggregate and update proofs efficiently and, compared to schemes from hidden-order groups, has smaller proofs and should perform better in practice. 
4 | Lastly, we continued the study of stateless validation initiated by Chepurnoy et al., improving block validation time and block size, while addressing attacks and limitations. 5 | We hope our work will ignite further research into stateless validation for payments and smart contracts and lead to improvements both at the theoretical and practical level. 6 | 7 | \subsubsection*{Acknowledgements} 8 | The authors want to thank Madars Virza for pointing out the Lagrange-based approach to VCs and the DFT technique for computing all KZG commitments to Lagrange polynomials. 9 | We also thank Leonid Reyzin and Dimitris Kolonelos for corrections and productive conversations that helped improve this paper. 10 | -------------------------------------------------------------------------------- /llncsdoc.sty: -------------------------------------------------------------------------------- 1 | % This is LLNCSDOC.STY the modification of the 2 | % LLNCS class file for the documentation of 3 | % the class itself. 
4 | % 5 | \def\AmS{{\protect\usefont{OMS}{cmsy}{m}{n}% 6 | A\kern-.1667em\lower.5ex\hbox{M}\kern-.125emS}} 7 | \def\AmSTeX{{\protect\AmS-\protect\TeX}} 8 | % 9 | \def\ps@myheadings{\let\@mkboth\@gobbletwo 10 | \def\@oddhead{\hbox{}\hfil\small\rm\rightmark 11 | \qquad\thepage}% 12 | \def\@oddfoot{}\def\@evenhead{\small\rm\thepage\qquad 13 | \leftmark\hfil}% 14 | \def\@evenfoot{}\def\sectionmark##1{}\def\subsectionmark##1{}} 15 | \ps@myheadings 16 | % 17 | \setcounter{tocdepth}{2} 18 | % 19 | \renewcommand{\labelitemi}{--} 20 | \newenvironment{alpherate}% 21 | {\renewcommand{\labelenumi}{\alph{enumi})}\begin{enumerate}}% 22 | {\end{enumerate}\renewcommand{\labelenumi}{enumi}} 23 | % 24 | \def\bibauthoryear{\begingroup 25 | \def\thebibliography##1{\section*{References}% 26 | \small\list{}{\settowidth\labelwidth{}\leftmargin\parindent 27 | \itemindent=-\parindent 28 | \labelsep=\z@ 29 | \usecounter{enumi}}% 30 | \def\newblock{\hskip .11em plus .33em minus -.07em}% 31 | \sloppy 32 | \sfcode`\.=1000\relax}% 33 | \def\@cite##1{##1}% 34 | \def\@lbibitem[##1]##2{\item[]\if@filesw 35 | {\def\protect####1{\string ####1\space}\immediate 36 | \write\@auxout{\string\bibcite{##2}{##1}}}\fi\ignorespaces}% 37 | \begin{thebibliography}{} 38 | \bibitem[1982]{clar:eke3} Clarke, F., Ekeland, I.: Nonlinear 39 | oscillations and boundary-value problems for Hamiltonian systems. 40 | Arch. Rat. Mech. Anal. 78, 315--333 (1982) 41 | \end{thebibliography} 42 | \endgroup} 43 | -------------------------------------------------------------------------------- /latexpand/LICENCE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2012-2019, Matthieu Moy and 2 | contributors. 3 | 4 | All rights reserved. 5 | 6 | Redistribution and use in source and binary forms, with or without 7 | modification, are permitted provided that the following conditions are 8 | met: 9 | 10 | 1. 
Redistributions of source code must retain the above copyright 11 | notice, this list of conditions and the following disclaimer. 12 | 13 | 2. Redistributions in binary form must reproduce the above copyright 14 | notice, this list of conditions and the following disclaimer in the 15 | documentation and/or other materials provided with the distribution. 16 | 17 | 3. Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 22 | "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 23 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 24 | A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 25 | HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 26 | SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 27 | LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 28 | DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 29 | THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 30 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 31 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
32 | -------------------------------------------------------------------------------- /tables.tex: -------------------------------------------------------------------------------- 1 | % macros for proving/verification times and other VC things 2 | \newcommand{\bbfc}{\ensuremath{N \lg{N}}} % time for BBF19 to commit 3 | \newcommand{\bbvy}{\ensuremath{\myred{\ell\lg{N}+\lambda}}} % time for BBF19 to verify one (individual) proof 4 | \newcommand{\bbvys}{\ensuremath{b\ell\lg{N}+\lambda}} % time for BBF19 to verify one subvector proof 5 | \newcommand{\btc}{\ensuremath{\mlgsm+\nlgn}} % batch proof computation time for KZG-based schemes 6 | \newcommand{\cfoo}{\ensuremath{N\lg{N}}} % time for CFG_1 to prove one position 7 | \newcommand{\cfos}{\ensuremath{\ell(n-b)\lg{N}}} % time for CFG_1 to prove a subvector 8 | \newcommand{\cftc}{\ensuremath{N \lg{n}}} % time for CFG_2 to commit 9 | \newcommand{\cfto}{\ensuremath{N \lg{n}}} % time for CFG_2 to prove one position 10 | \newcommand{\cfts}{\ensuremath{\ell(n-b)\lg{(n-b)}}} % time for CFG_2 to prove a subvector 11 | \newcommand{\cftvs}{\ensuremath{\ell b}} % time for CFG_2 to verify one subvector proof 12 | \newcommand{\cfgOne}{CFG$_\ell^1$} 13 | \newcommand{\cfgTwo}{CFG$_\ell^2$} 14 | \newcommand{\tcz}{\ensuremath{\lgn + b}} % |\vrk| for TCZ+20 15 | 16 | % shorthand macros to keep TeX tables small 17 | \newcommand{\lgn}{\ensuremath{\lg{n}}} 18 | \newcommand{\lgr}{\ensuremath{\myred{\lg{n}}}} 19 | \newcommand{\llgn}{\ensuremath{\ell \lg{N}}} 20 | \newcommand{\lln}{\ensuremath{\log{(\ell n)}}} 21 | \newcommand{\mlgm}{\ensuremath{b\lg{b}}} 22 | \newcommand{\mlgsm}{\ensuremath{b\lg^2{b}}} 23 | \newcommand{\nlgn}{\ensuremath{n\lg{n}}} 24 | \newcommand{\nlgsn}{\ensuremath{n\lg^2{n}}} 25 | \newcommand{\nop}{\myred{$\times$}} 26 | \newcommand{\ns}{\ensuremath{\myred{n^2}}} 27 | \newcommand{\rbl}{\ensuremath{\myred{{b\log{n}}}}} 28 | \newcommand{\rl}{\myred{\log{n}}} 29 | \newcommand{\rlgn}{\ensuremath{\myred{\llgn}}} 30 | 
\newcommand{\rblb}{\ensuremath{\myred{b\lg^2{b}}}} % note \bm{\log^2{b}} errors for some reason
31 | \newcommand{\rn}{\ensuremath{\myred{{n}}}}
32 |
33 | % macros for group element sizes, pairing operations, field operations, etc.
34 | \newcommand{\Gsz}{\ensuremath{\ |\G|}}
35 | \newcommand{\Gexp}{\ensuremath{\ \G}}
36 | %\newcommand{\Fsz}{\ensuremath{\ |\mathbb{F}|}}
37 | \newcommand{\Fop}{\ensuremath{\ \mathbb{F}}}
38 |
39 | \newcommand{\Pair}{\ensuremath{\ \mathbb{P}}}
40 | %\newcommand{\Bits}{\ensuremath{\ |\mathsf{bit}|}}
41 |
42 | \newcommand{\Ghop}{\ensuremath{\ \myred{\Gho}}}
43 | \newcommand{\Ghsz}{\ensuremath{\ \myred{|\Gho|}}}
44 |
--------------------------------------------------------------------------------
/appendix-dft-pp.tex:
--------------------------------------------------------------------------------
1 | \section{Computing all $u_i=g^\frac{\lagr_i(\tau) - 1}{\tau - \omega^i}$ in $O(n\log{n})$ time from $g^{\tau^i}$'s}
2 | \label{s:computing-all-uis}
3 |
4 | In \cref{s:asvc:from-kzg:public-params}, we argued all $u_i$'s can be computed in $O(n\log{n})$ time.
5 | Here, we prove correctness of the formula for the $q_i(X)$'s from \cref{eq:ui-qi}.
6 | As an example, let us look at the quotient $q_1(X)$ obtained when dividing $\psi_1(X)$ by $X-\omega^1$, assuming $n=8$:
7 | \\
8 |
9 | \polylongdiv{\omega^0 X^7 + \omega^1 X^6 + \omega^2 X^5 + \omega^3 X^4 + \omega^4 X^3 + \omega^5 X^2 + \omega^6 X + \omega^7}{X-\omega}
10 |
11 | In general, we want to show that:
12 | \begin{align}
13 | q_i(X) &= \sum_{j\in [0,n-2]} (j+1)(\omega^i)^j X^{(n - 2) - j},\forall i \in [0,n)
14 | \end{align}
15 | We do this by showing that the polynomial remainder theorem holds;
16 | i.e., $\psi_i(X) = q_i(X)(X-\omega^i) + \psi_i(\omega^i)$, where $\psi_i(X)=\sum_{j\in[0,n)}\omega^{ij}X^{(n-1)-j}$ is the quotient $A(X)/(X-\omega^i)$ of \cref{app:xn-1-derivative}, so that $\psi_i(\omega^i)=n\omega^{-i}$:
17 | {
18 | \allowdisplaybreaks % Not sure if this only allows breaks in this block or in the rest of the document.
19 | %\small
20 | \begin{flalign}
21 | & q_i(X)(X-\omega^i) + \psi_i(\omega^i) = &
22 | \end{flalign}
23 | \vspace{-2.5em}
24 | \begin{align}
25 | &= q_i(X)(X-\omega^i) + n\omega^{-i}\\
26 | &= n\omega^{-i} + (X-\omega^i)\sum_{j\in [0,n-2]} (j+1)(\omega^i)^j X^{(n - 2) - j}\\
27 | &= n\omega^{-i} + X\cdot\sum_{j\in [0,n-2]} (j+1)(\omega^i)^j X^{(n - 2) - j} - \omega^i\cdot \sum_{j\in [0,n-2]} (j+1)(\omega^i)^j X^{(n - 2) - j}\\
28 | &= n\omega^{-i} + \sum_{j\in [0,n-2]} (j+1)(\omega^i)^j X^{(n - 1) - j} - \sum_{j\in [0,n-2]} (j+1)(\omega^i)^{j+1} X^{(n - 2) - j}\\
29 | &= n\omega^{-i} + \sum_{j\in [0,n-2]} (j+1)\omega^{ij} X^{(n - 1) - j} - \sum_{j\in [1,n-1]} j \omega^{ij} X^{(n - 2) - (j-1)}\\
30 | &= n\omega^{-i} + \sum_{j\in [0,n-2]} (j+1)\omega^{ij} X^{(n - 1) - j} - \sum_{j\in [1,n-1]} j \omega^{ij} X^{(n - 1) - j}\\
31 | &= n\omega^{-i} + \left(X^{n - 1} + \sum_{j\in [1,n-2]} (j+1)\omega^{ij} X^{(n - 1) - j}\right) - \left((n-1) \omega^{i(n-1)} X^0 + \sum_{j\in [1,n-2]} j \omega^{ij} X^{(n - 1) - j}\right)\\
32 | &= \left(X^{n - 1} + \sum_{j\in [1,n-2]} (j+1)\omega^{ij} X^{(n - 1) - j} - \sum_{j\in [1,n-2]} j \omega^{ij} X^{(n - 1) - j}\right) - \left((n-1) \omega^{i(n-1)} X^0 - n\omega^{-i}\right)\\
33 | &= \left(X^{n - 1} + \sum_{j\in [1,n-2]} \omega^{ij} X^{(n - 1) - j}\right) - \left((n-1) \omega^{-i} X^0 - n\omega^{-i} X^0\right)\\
34 | &= \sum_{j\in [0,n-2]} \omega^{ij} X^{(n - 1) - j} + \omega^{-i} X^0\\
35 | &= \sum_{j\in [0,n-2]} \omega^{ij} X^{(n - 1) - j} + \omega^{in-i} X^0\\
36 | &= \sum_{j\in [0,n-2]} \omega^{ij} X^{(n - 1) - j} + \omega^{i(n-1)} X^0\\
37 | &= \sum_{j\in [0,n)} \omega^{ij} X^{(n - 1) - j}\\
38 | &= \psi_i(X)
39 | \end{align}
40 | }
--------------------------------------------------------------------------------
/aliascnt.sty:
--------------------------------------------------------------------------------
1 | %%
2 | %% This is file `aliascnt.sty',
3 | %% generated with the docstrip utility.
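The two appendix derivations above (the closed form $A'(\omega^i)=n\omega^{-i}$ in appendix.tex and the quotient $q_i(X)$ of $\psi_i(X)$ by $X-\omega^i$ in appendix-dft-pp.tex) can be checked numerically. The following Python script is an added example, not part of the repository or the paper: it works over a toy prime field ($p=257$, $n=8$; both are assumptions made here rather than the scalar field of the pairing group the paper uses), finds an $n$-th root of unity by search, and divides by $X-\omega^i$ with synthetic division. It also goes one step past the appendix text and checks that $\lagr_i(X)=\psi_i(X)/(n\omega^{-i})$ is indeed the $i$-th Lagrange polynomial and that the exponent of $u_i$, $(\lagr_i(X)-1)/(X-\omega^i)$, equals $\frac{\omega^i}{n}q_i(X)$, which is what makes the $u_i$'s computable from the $q_i$'s.

```python
"""Numerical check of the two appendix derivations over a small prime field.

Added example, not part of the paper's sources. Assumptions (not from the
paper): a toy field F_p with p = 257 and n = 8 (n divides p - 1, so an n-th
root of unity omega exists and is found by search); polynomials are lists of
coefficients in descending degree order, matching the paper's notation.
"""

P = 257  # toy prime; the paper works in the scalar field of a pairing group
N = 8    # vector length n; the paper's example division also uses n = 8


def find_root_of_unity(n, p=P):
    """Return a primitive n-th root of unity in F_p (requires n | p - 1)."""
    if (p - 1) % n != 0:
        raise ValueError("n must divide p - 1")
    for g in range(2, p):
        w = pow(g, (p - 1) // n, p)
        # primitive iff no proper divisor d of n already gives w^d = 1
        if all(pow(w, d, p) != 1 for d in range(1, n) if n % d == 0):
            return w
    raise ValueError("no primitive n-th root of unity found")


def poly_eval(coeffs, x, p=P):
    """Horner evaluation of c[0] X^d + ... + c[d] at x."""
    acc = 0
    for c in coeffs:
        acc = (acc * x + c) % p
    return acc


def div_by_linear(coeffs, r, p=P):
    """Synthetic division by (X - r): returns (quotient, remainder).

    The Horner values b_k = c_k + r * b_{k-1} are the quotient's coefficients;
    the last one is the remainder f(r) (polynomial remainder theorem).
    """
    b = []
    acc = 0
    for c in coeffs:
        acc = (acc * r + c) % p
        b.append(acc)
    rem = b.pop()
    return b, rem


def a_poly(n=N, p=P):
    """A(X) = X^n - 1."""
    return [1] + [0] * (n - 1) + [p - 1]


def psi(i, w, n=N, p=P):
    """Closed form psi_i(X) = sum_{j in [0,n)} w^{ij} X^{n-1-j} (the g(X) of appendix.tex)."""
    return [pow(w, i * j, p) for j in range(n)]


def q_closed_form(i, w, n=N, p=P):
    """q_i(X) = sum_{j in [0,n-2]} (j+1) w^{ij} X^{n-2-j}, as claimed in appendix-dft-pp.tex."""
    return [((j + 1) * pow(w, i * j, p)) % p for j in range(n - 1)]


def check_appendix_formulas(i, n=N, p=P):
    """Verify the appendix identities for one index i; raises AssertionError on failure."""
    w = find_root_of_unity(n, p)
    wi = pow(w, i, p)
    n_w_minus_i = (n * pow(w, -i, p)) % p  # the claimed value n * w^{-i}

    # (1) A(X) / (X - w^i) is exactly psi_i, with no remainder
    g, rem = div_by_linear(a_poly(n, p), wi, p)
    assert rem == 0 and g == psi(i, w, n, p)

    # (2) A'(X) = n X^{n-1}, so A'(w^i) = n w^{i(n-1)} = n w^{-i}, and it equals g(w^i)
    a_prime_at_wi = (n * pow(wi, n - 1, p)) % p
    assert a_prime_at_wi == n_w_minus_i == poly_eval(g, wi, p)

    # (3) psi_i = q_i (X - w^i) + n w^{-i}, with q_i given by the closed form
    q, rem = div_by_linear(g, wi, p)
    assert q == q_closed_form(i, w, n, p) and rem == n_w_minus_i

    # (4) beyond the appendix text: L_i(X) = psi_i(X) / (n w^{-i}) is the Lagrange
    #     polynomial, and (L_i(X) - 1) / (X - w^i), the exponent of u_i, is (w^i / n) q_i(X)
    lagr = [(c * pow(n_w_minus_i, -1, p)) % p for c in g]
    assert all(poly_eval(lagr, pow(w, k, p), p) == (1 if k == i else 0) for k in range(n))
    lagr_minus_one = lagr[:-1] + [(lagr[-1] - 1) % p]
    u_exp, rem = div_by_linear(lagr_minus_one, wi, p)
    scale = (wi * pow(n, -1, p)) % p
    assert rem == 0 and u_exp == [(scale * c) % p for c in q]
    return True


def check_all(n=N, p=P):
    """Run the checks for every i in [0, n)."""
    return all(check_appendix_formulas(i, n, p) for i in range(n))


if __name__ == "__main__":
    print("appendix formulas hold for all i in [0, %d): %s" % (N, check_all()))
```

Running the script checks every $i\in[0,n)$; any other prime $p$ and any $n$ dividing $p-1$ can be substituted for the toy constants. With $p=257$ and $n=8$ the search returns $\omega=64$, and dividing $\psi_1(X)$ by $X-\omega$ leaves the remainder $8\cdot 64^{-1} \bmod 257 = 225$, matching $n\omega^{-1}$.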
4 | %% 5 | %% The original source files were: 6 | %% 7 | %% aliascnt.dtx (with options: `package') 8 | %% 9 | %% This is a generated file. 10 | %% 11 | %% Project: aliascnt 12 | %% Version: 2009/09/08 v1.3 13 | %% 14 | %% Copyright (C) 2006, 2009 by 15 | %% Heiko Oberdiek 16 | %% 17 | %% This work may be distributed and/or modified under the 18 | %% conditions of the LaTeX Project Public License, either 19 | %% version 1.3c of this license or (at your option) any later 20 | %% version. This version of this license is in 21 | %% http://www.latex-project.org/lppl/lppl-1-3c.txt 22 | %% and the latest version of this license is in 23 | %% http://www.latex-project.org/lppl.txt 24 | %% and version 1.3 or later is part of all distributions of 25 | %% LaTeX version 2005/12/01 or later. 26 | %% 27 | %% This work has the LPPL maintenance status "maintained". 28 | %% 29 | %% This Current Maintainer of this work is Heiko Oberdiek. 30 | %% 31 | %% This work consists of the main source file aliascnt.dtx 32 | %% and the derived files 33 | %% aliascnt.sty, aliascnt.pdf, aliascnt.ins, aliascnt.drv. 
34 | %% 35 | \NeedsTeXFormat{LaTeX2e} 36 | \ProvidesPackage{aliascnt}% 37 | [2009/09/08 v1.3 Alias counter (HO)]% 38 | \newcommand*{\newaliascnt}[2]{% 39 | \begingroup 40 | \def\AC@glet##1{% 41 | \global\expandafter\let\csname##1#1\expandafter\endcsname 42 | \csname##1#2\endcsname 43 | }% 44 | \@ifundefined{c@#2}{% 45 | \@nocounterr{#2}% 46 | }{% 47 | \expandafter\@ifdefinable\csname c@#1\endcsname{% 48 | \AC@glet{c@}% 49 | \AC@glet{the}% 50 | \AC@glet{theH}% 51 | \AC@glet{p@}% 52 | \expandafter\gdef\csname AC@cnt@#1\endcsname{#2}% 53 | \expandafter\gdef\csname cl@#1\expandafter\endcsname 54 | \expandafter{\csname cl@#2\endcsname}% 55 | }% 56 | }% 57 | \endgroup 58 | } 59 | \newcommand*{\aliascntresetthe}[1]{% 60 | \@ifundefined{AC@cnt@#1}{% 61 | \PackageError{aliascnt}{% 62 | `#1' is not an alias counter% 63 | }\@ehc 64 | }{% 65 | \expandafter\let\csname the#1\expandafter\endcsname 66 | \csname the\csname AC@cnt@#1\endcsname\endcsname 67 | }% 68 | } 69 | \newcommand*{\AC@findrootcnt}[1]{% 70 | \@ifundefined{AC@cnt@#1}{% 71 | #1% 72 | }{% 73 | \expandafter\AC@findrootcnt\csname AC@cnt@#1\endcsname 74 | }% 75 | } 76 | \def\AC@patch#1{% 77 | \expandafter\let\csname AC@org@#1reset\expandafter\endcsname 78 | \csname @#1reset\endcsname 79 | \expandafter\def\csname @#1reset\endcsname##1##2{% 80 | \csname AC@org@#1reset\endcsname{##1}{\AC@findrootcnt{##2}}% 81 | }% 82 | } 83 | \RequirePackage{remreset} 84 | \AC@patch{addto} 85 | \AC@patch{removefrom} 86 | \endinput 87 | %% 88 | %% End of file `aliascnt.sty'. 
89 | -------------------------------------------------------------------------------- /main.txss: -------------------------------------------------------------------------------- 1 | [InternalPDFViewer] 2 | Embedded=true 3 | File=main.pdf 4 | 5 | [Session] 6 | Bookmarks=@Invalid() 7 | CurrentFile=references-extra.bib 8 | File0\Col=15 9 | File0\EditorGroup=0 10 | File0\FileName=main.tex 11 | File0\FirstLine=8 12 | File0\FoldedLines= 13 | File0\Line=35 14 | File1\Col=13 15 | File1\EditorGroup=0 16 | File1\FileName=abstract.tex 17 | File1\FirstLine=0 18 | File1\FoldedLines= 19 | File1\Line=16 20 | File10\Col=71 21 | File10\EditorGroup=0 22 | File10\FileName=conclusion.tex 23 | File10\FirstLine=0 24 | File10\FoldedLines= 25 | File10\Line=6 26 | File11\Col=20 27 | File11\EditorGroup=0 28 | File11\FileName=appendix.tex 29 | File11\FirstLine=0 30 | File11\FoldedLines= 31 | File11\Line=0 32 | File12\Col=135 33 | File12\EditorGroup=0 34 | File12\FileName=appendix-dft-pp.tex 35 | File12\FirstLine=24 36 | File12\FoldedLines= 37 | File12\Line=41 38 | File13\Col=52 39 | File13\EditorGroup=0 40 | File13\FileName=appendix-sec-proofs.tex 41 | File13\FirstLine=50 42 | File13\FoldedLines= 43 | File13\Line=81 44 | File14\Col=96 45 | File14\EditorGroup=0 46 | File14\FileName=appendix-complexity-kog.tex 47 | File14\FirstLine=227 48 | File14\FoldedLines= 49 | File14\Line=244 50 | File15\Col=174 51 | File15\EditorGroup=0 52 | File15\FileName=appendix-complexity-hog.tex 53 | File15\FirstLine=8 54 | File15\FoldedLines= 55 | File15\Line=14 56 | File16\Col=0 57 | File16\EditorGroup=0 58 | File16\FileName=references.bib 59 | File16\FirstLine=0 60 | File16\FoldedLines= 61 | File16\Line=29 62 | File17\Col=27 63 | File17\EditorGroup=0 64 | File17\FileName=references-extra.bib 65 | File17\FirstLine=0 66 | File17\FoldedLines= 67 | File17\Line=34 68 | File2\Col=19 69 | File2\EditorGroup=0 70 | File2\FileName=defs.tex 71 | File2\FirstLine=0 72 | File2\FoldedLines= 73 | File2\Line=7 74 | File3\Col=16 
75 | File3\EditorGroup=0 76 | File3\FileName=includes.tex 77 | File3\FirstLine=0 78 | File3\FoldedLines= 79 | File3\Line=11 80 | File4\Col=79 81 | File4\EditorGroup=0 82 | File4\FileName=tables.tex 83 | File4\FirstLine=134 84 | File4\FoldedLines= 85 | File4\Line=183 86 | File5\Col=23 87 | File5\EditorGroup=0 88 | File5\FileName=intro.tex 89 | File5\FirstLine=80 90 | File5\FoldedLines= 91 | File5\Line=133 92 | File6\Col=39 93 | File6\EditorGroup=0 94 | File6\FileName=background.tex 95 | File6\FirstLine=32 96 | File6\FoldedLines= 97 | File6\Line=29 98 | File7\Col=0 99 | File7\EditorGroup=0 100 | File7\FileName=asvc.tex 101 | File7\FirstLine=100 102 | File7\FoldedLines= 103 | File7\Line=147 104 | File8\Col=207 105 | File8\EditorGroup=0 106 | File8\FileName=asvc-kzg.tex 107 | File8\FirstLine=240 108 | File8\FoldedLines= 109 | File8\Line=255 110 | File9\Col=67 111 | File9\EditorGroup=0 112 | File9\FileName=apps.tex 113 | File9\FirstLine=131 114 | File9\FoldedLines= 115 | File9\Line=148 116 | FileVersion=1 117 | MasterFile=main.tex 118 | -------------------------------------------------------------------------------- /references-extra.bib: -------------------------------------------------------------------------------- 1 | @misc{Buterin16, 2 | author = {Vitalik Buterin}, 3 | howpublished = {{Medium.com}}, 4 | title = {{Thoughts on UTXOs by Vitalik Buterin, Co-Founder of Ethereum}}, 5 | year = 2016, 6 | note = {\url{https://medium.com/@ConsenSys/thoughts-on-utxo-by-vitalik-buterin-2bb782c67e53}}, 7 | } 8 | 9 | @misc{Buterin17, 10 | author={Vitalik Buterin}, 11 | title ={{The stateless client concept}}, 12 | year=2017, 13 | howpublished={ethresear.ch}, 14 | note={\url{https://ethresear.ch/t/ the-stateless-client-concept/172}}, 15 | } 16 | 17 | @misc{Cor16, 18 | author = {{Corda}}, 19 | title = {{Rationale for and tradeoffs in adopting a UTXO-style model}}, 20 | howpublished = {{Corda Blog}}, 21 | year = 2016, 22 | note = 
{\url{https://www.corda.net/blog/rationale-for-and-tradeoffs-in-adopting-a-utxo-style-model/}}, 23 | } 24 | 25 | @misc{Dai17, 26 | author = {{Patrick Dai}}, 27 | title = {{Why Qtum Choose UTXO Model and the Benefits}}, 28 | howpublished = {{8BTC}}, 29 | year = 2017, 30 | note = {\url{http://news.8btc.com/why-qtum-choose-utxo-model-and-the-benefits}} 31 | } 32 | 33 | @misc{Eth17, 34 | author = {{Ethereum Community}}, 35 | title = {{Design rationale: Blockchain-level protocol: Account and not utxos}}, 36 | howpublished = {{Ethereum Wiki}}, 37 | year = 2017, 38 | note = {\url{https://github.com/ethereum/wiki/wiki/Design-Rationale#accounts-and-not-utxos}}, 39 | } 40 | 41 | @misc{Ethereum, 42 | author = {Gavin Wood}, 43 | title = {{Ethereum: A Secure Decentralised Generalised Transaction Ledger}}, 44 | note = {\url{http://gavwood.com/paper.pdf}}, 45 | } 46 | 47 | @misc{EthereumSharding, 48 | author={Ethereum Community}, 49 | title={{Sharding FAQ}}, 50 | year={2016}, 51 | howpublished={\url{https://github.com/ethereum/wiki/wiki/Sharding-FAQ}}, 52 | } 53 | 54 | @misc{Miller12, 55 | author = {Andrew Miller}, 56 | title = {{Storing UTXOs in a balanced Merkle tree (zero-trust nodes with O(1)-storage)}}, 57 | year = 2012, 58 | note = {\url{https://bitcointalk.org/index.php?topic=101734.msg1117428}}, 59 | } 60 | 61 | 62 | @misc{PartialFractionDecomposition, 63 | author = "{Wikipedia contributors}", 64 | title = "Partial fraction decomposition --- {Wikipedia}{,} The Free Encyclopedia", 65 | year = "2019", 66 | url = "https://en.wikipedia.org/w/index.php?title=Partial_fraction_decomposition&oldid=931350868", 67 | note = "[Online; accessed 11-April-2020]" 68 | } 69 | 70 | @misc{Todd16, 71 | author = {Peter Todd}, 72 | title = {{Making UTXO set growth irrelevant with low-latency delayed TXO commitments}}, 73 | year = 2016, 74 | note = {\url{https://petertodd.org/2016/delayed-txo-commitments}}, 75 | } 76 | 77 | @misc{Yangrui16, 78 | author = {{Yangrui}}, 79 | howpublished = 
{{StackExchange Bitcoin}}, 80 | year = 2016, 81 | title = {{Utxo model vs. account/balance model (forum thread)}}, 82 | note = {\url{https://bitcoin.stackexchange.com/questions/49853/utxo-model-vs-account-balance-model}}, 83 | } 84 | -------------------------------------------------------------------------------- /main.tex: -------------------------------------------------------------------------------- 1 | % This is based on the LLNCS.DEM the demonstration file of 2 | % the LaTeX macro package from Springer-Verlag 3 | % for Lecture Notes in Computer Science, 4 | % version 2.4 for LaTeX2e as of 16. April 2010 5 | % 6 | % See http://www.springer.com/computer/lncs/lncs+authors?SGWID=0-40209-0-0-0 7 | % for the full guidelines. 8 | 9 | % 10 | % Defines for camera-ready version 11 | % 12 | \newif\ifCameraReady 13 | %\CameraReadytrue % uncomment for camera-ready version 14 | % You can now use \ifCameraReady bla \else blabla \fi throughout paper 15 | 16 | \newif\ifNotCameraReady 17 | \ifCameraReady\NotCameraReadyfalse\else\NotCameraReadytrue\fi 18 | % You can also use \ifNotCameraReady bla \fi (in case you want to avoid the annoying extra \else) 19 | 20 | \documentclass[runningheads]{llncs} 21 | 22 | \input{includes} 23 | \input{defs} 24 | 25 | \raggedbottom % otherwise pages that have just a few sentences on it get "stretched" so the sentences take up all vertical space 26 | % make sure we have numbering for \subsubsection 27 | \setcounter{secnumdepth}{3} 28 | 29 | \title{Aggregatable Subvector Commitments for Stateless Cryptocurrencies} 30 | 31 | % 32 | %\titlerunning{Hamiltonian Mechanics} % abbreviated title (for running head) 33 | % also used for the TOC unless 34 | % \toctitle is used 35 | % 36 | \author{ 37 | Alin Tomescu\textsuperscript{\Letter,} \inst{1}$^,$\orcidID{0000-0002-6896-1380} 38 | \and 39 | Ittai Abraham\inst{1} \and 40 | Vitalik Buterin\inst{2} \and\\ 41 | Justin Drake\inst{2} \and 42 | Dankrad Feist\inst{2} \and 43 | Dmitry Khovratovich\inst{2}\\ 44 
| \email{\{alint,iabraham\}@vmware.com}, 45 | \email{\{vitalik,justin,dankrad,dmitry.khovratovich\}@ethereum.org} 46 | } 47 | 48 | \authorrunning{ 49 | Tomescu et al. 50 | } % abbreviated author list (for running head) 51 | 52 | %%%% list of authors for the TOC (use if author list has to be modified) 53 | %\tocauthor{Ivar Ekeland, Roger Temam, Jeffrey Dean, David Grove, 54 | %Craig Chambers, Kim B. Bruce, and Elisa Bertino} 55 | % 56 | % \institute{Princeton University, Princeton NJ 08544, USA,\\ 57 | 58 | % %WWW home page: \texttt{http://users/\homedir iekeland/web/welcome.html} 59 | % \and 60 | % Universit\'{e} de Paris-Sud, 61 | % Laboratoire d'Analyse Num\'{e}rique, B\^{a}timent 425,\\ 62 | % F-91405 Orsay Cedex, France} 63 | 64 | \institute{ 65 | VMware Research, Palo Alto, CA, US 66 | \and Ethereum Foundation, Singapore, Singapore 67 | } 68 | 69 | %\pagestyle{plain} 70 | %\pagestyle{fancy} 71 | %\fancyhf{} 72 | %\lhead{Please do \textbf{NOT} distribute.} 73 | %\rhead{Thank you!} 74 | %\lfoot{Please do \textbf{NOT} distribute.} 75 | %\rfoot{Thank you! 
Page \thepage} 76 | 77 | \begin{document} 78 | 79 | \maketitle % typeset the title of the contribution 80 | 81 | \begin{abstract} 82 | \input{abstract} 83 | \end{abstract} 84 | 85 | %\newpage 86 | 87 | \input{tables} 88 | 89 | \input{intro} 90 | \input{background} 91 | \input{asvc} 92 | \input{asvc-kzg} 93 | \input{apps} 94 | \input{conclusion} 95 | 96 | % 97 | % ---- Bibliography ---- 98 | % 99 | \ifNotCameraReady 100 | \pagebreak 101 | \fi 102 | %\bibliographystyle{abbrv} % for numbers 103 | \bibliographystyle{alpha} % for letters 104 | \bibliography{references,references-extra} 105 | \pagebreak 106 | 107 | % 108 | % ---- Appendix ---- 109 | % 110 | \pagebreak 111 | \appendix 112 | \input{appendix} 113 | \end{document} 114 | -------------------------------------------------------------------------------- /defs.tex: -------------------------------------------------------------------------------- 1 | % 2 | % Styling 3 | % 4 | \newcommand{\parhead}[1]{\medskip\noindent{\bfseries\boldmath\ignorespaces{#1}}} 5 | \newcommand{\api}{\hangindent=\parindent \hangafter=1 \noindent} 6 | 7 | \newcommand{\condcite}[2]{\ifCameraReady\cite{#1}\else\cite{#1,#2}\fi} 8 | 9 | % 10 | % Some nice colors: 11 | % Blue: #268bd2 12 | % (Grey) Blue: #657b83 13 | % Green: #859900 14 | % (Dark) Orange: #cb4b16 15 | % Red: #dc322f 16 | % Periwinkle: #6c71c4 17 | % Pink: #d33682 18 | % Teal: #2aa198 19 | % Yellow: #b58900 20 | % 21 | \definecolor{myBlueColor}{HTML}{268BD2} 22 | \definecolor{myYellowColor}{HTML}{B58900} 23 | \definecolor{myGreenColor}{HTML}{859900} 24 | \definecolor{myRedColor}{HTML}{DC322F} 25 | \definecolor{myOrangeColor}{HTML}{CB4B16} 26 | 27 | % Without this macro if I do $b\textcolor{red}{\log{n}}$, then there's no space put between b and \log{n}. 28 | % \mathcolor fixes that. 
29 | \makeatletter 30 | \def\mathcolor#1#{\@mathcolor{#1}} 31 | \def\@mathcolor#1#2#3{% 32 | \protect\leavevmode 33 | \begingroup 34 | \color#1{#2}#3% 35 | \endgroup 36 | } 37 | \makeatother 38 | 39 | \newcommand{\myblue}[1]{\textcolor{myBlueColor}{#1}} 40 | \newcommand{\myred}[1]{\mathcolor{myRedColor}{#1}} 41 | \newcommand{\myyellow}[1]{\textcolor{myYellowColor}{#1}} 42 | \newcommand{\mygreen}[1]{\textcolor{myGreenColor}{#1}} 43 | \newcommand{\myorange}[1]{\textcolor{myOrangeColor}{#1}} 44 | 45 | % 46 | % Notes and TODOs 47 | % 48 | %\newcommand{\todo}[1]{\noindent\textcolor{red}{\textbf{(}\textsc{\textbf{{TODO: }}}}#1\textcolor{red}{\textbf{)}}} 49 | %\newcommand{\anote}[1]{\textcolor{blue}{[\textbf{Alin}: #1]}} 50 | %\newcommand{\inote}[1]{\textcolor{green}{[\textbf{Ittai}: #1]}} 51 | % A footnote without a marker 52 | \makeatletter 53 | \def\blfootnote{\gdef\@thefnmark{}\@footnotetext} 54 | \makeatother 55 | 56 | % 57 | % Some mathy things 58 | % 59 | \DeclarePairedDelimiter{\ceil}{\lceil}{\rceil} 60 | \DeclarePairedDelimiter{\floor}{\lfloor}{\rfloor} 61 | \newcommand{\dom}{\mathsf{Domain}} 62 | \newcommand{\bezout}{B\'ezout\xspace} 63 | \newcommand{\G}{\mathbb{G}} 64 | \newcommand{\Gho}{\mathbb{G}_{?}} 65 | \newcommand{\Fp}{\mathbb{F}_p} 66 | \newcommand{\GT}{\mathbb{G}_T} 67 | \newcommand{\Zp}{\mathbb{Z}_p} 68 | \newcommand{\poly}{\mathsf{poly}} 69 | \newcommand{\negl}{\mathsf{negl}} 70 | \newcommand{\lagr}{\ensuremath{\mathcal{L}}} 71 | \newcommand{\Adv}{\ensuremath{\mathcal{A}}\xspace} % adversary 72 | 73 | % 74 | % Vector Commitment things 75 | % 76 | \newcommand{\vect}[1]{\ensuremath{\bm{\mathrm{#1}}}} 77 | 78 | \newcommand{\vcsetup}{\ensuremath{\mathsf{VC}}.\ensuremath{\mathsf{KeyGen}}\xspace} 79 | \newcommand{\vccommit}{\ensuremath{\mathsf{VC}}.\ensuremath{\mathsf{Commit}}\xspace} 80 | \newcommand{\vcopenpos}{\ensuremath{\mathsf{VC}}.\ensuremath{\mathsf{ProvePos}}\xspace} 81 | 
\newcommand{\vcverifypos}{\ensuremath{\mathsf{VC}}.\ensuremath{\mathsf{VerifyPos}}\xspace} 82 | \newcommand{\vcverifyaggpos}{\ensuremath{\mathsf{VC}}.\ensuremath{\mathsf{VerifyAggPos}}\xspace} 83 | \newcommand{\vcverifyupk}{\ensuremath{\mathsf{VC}}.\ensuremath{\mathsf{VerifyUPK}}\xspace} 84 | \newcommand{\vccommupdate}{\ensuremath{\mathsf{VC}}.\ensuremath{\mathsf{UpdateComm}}\xspace} 85 | \newcommand{\vcproofupdate}{\ensuremath{\mathsf{VC}}.\ensuremath{\mathsf{UpdateProof}}\xspace} 86 | 87 | \newcommand{\vcopenall}{\ensuremath{\mathsf{VC}}.\ensuremath{\mathsf{ProveAll}}\xspace} 88 | \newcommand{\vcaggregateproofs}{\ensuremath{\mathsf{VC}}.\ensuremath{\mathsf{AggregateProofs}}\xspace} 89 | 90 | \newcommand{\emptydigest}{d_\varnothing} 91 | \newcommand{\pp}{\ensuremath{\mathsf{PP}}\xspace} 92 | \newcommand{\prk}{\ensuremath{\mathsf{prk}}\xspace} 93 | \newcommand{\vrk}{\ensuremath{\mathsf{vrk}}\xspace} 94 | \newcommand{\upk}{\ensuremath{\mathsf{upk}}\xspace} 95 | \newcommand{\uph}{\ensuremath{\mathsf{uph}}\xspace} 96 | 97 | \newcommand{\treepath}{\ensuremath{\mathsf{treepath}}} 98 | 99 | % 100 | % \Sys things 101 | % 102 | \newcommand{\addr}{\ensuremath{\mathsf{addr}}\xspace} 103 | \newcommand{\bal}{\ensuremath{\mathsf{bal}}\xspace} 104 | \newcommand{\cnt}{\ensuremath{\mathsf{cnt}}\xspace} 105 | \newcommand{\inittxn}{\texttt{\textbf{INIT}}\xspace} 106 | \newcommand{\initspendtxn}{\texttt{INITSPEND}\xspace} 107 | \newcommand{\minttxn}{\texttt{\textbf{MINT}}\xspace} 108 | \newcommand{\pk}{\ensuremath{\mathbf{\mathsf{pk}}}\xspace} 109 | \newcommand{\PK}{\ensuremath{\mathbf{\mathsf{FPK}}}\xspace} 110 | \newcommand{\spendtxn}{\texttt{\textbf{SPEND}}\xspace} 111 | \newcommand{\tpk}{\ensuremath{\mathsf{tpk}}\xspace} 112 | \newcommand{\tsk}{\ensuremath{\mathsf{tsk}}\xspace} 113 | \newcommand{\tx}{\ensuremath{\mathsf{tx}}\xspace} 114 | -------------------------------------------------------------------------------- /appendix-sec-proofs.tex: 
-------------------------------------------------------------------------------- 1 | \section{Security Proofs} 2 | 3 | \subsection{KZG Batch Opening Binding (Re)definition} 4 | \label{s:kzg-batch-def} 5 | 6 | We strengthen the \textit{batch opening binding definition} of KZG~\cite[Sec. 3.4, pg. 9]{KZG10a} and prove KZG still satisfies it. 7 | 8 | \begin{definition}[Batch Opening Binding] 9 | \label{def:kzg:batch-opening-binding} 10 | $\forall$ adversaries $\Adv$ running in time $\poly(\lambda)$: 11 | \begin{align} 12 | \Pr \left[ \begin{array}{c} 13 | \mathsf{pp} \leftarrow \mathsf{KZG.Setup}(1^\lambda, n), \\ 14 | c, I, J, v_I(X), v_J(X), \pi_I, \pi_J \leftarrow \Adv(\mathsf{pp}, 1^\lambda) : \\ 15 | \mathsf{KZG.VerifyEvalBatch}(\mathsf{pp}, c, I, \pi_I, v_I(X)) = T\ \wedge \\ 16 | \mathsf{KZG.VerifyEvalBatch}(\mathsf{pp}, c, J, \pi_J, v_J(X)) = T\ \wedge \\ 17 | \exists k \in I\cap J,\ \text{such that}\ v_I(k) \ne v_J(k) 18 | \end{array} \right] \le \mathsf{negl}(\lambda) 19 | \end{align} 20 | \end{definition} 21 | 22 | Suppose an adversary breaks the definition. 23 | Let $A_I(X)= \prod_{i\in I} (X - i)$. 24 | Then, the following holds: 25 | \begin{align} 26 | e(c,g) &= e(\pi_I, g^{A_I(\tau)}) e(g^{v_I(\tau)},g)\\ 27 | e(c,g) &= e(\pi_J, g^{A_J(\tau)}) e(g^{v_J(\tau)},g) 28 | \end{align} 29 | Divide the top equation by the bottom one to get: 30 | \begin{align} 31 | \mathbf{1}_T &= \frac{e(g^{v_I(\tau)},g)}{e(g^{v_J(\tau)},g)} \frac{e(\pi_I, g^{A_I(\tau)})}{e(\pi_J, g^{A_J(\tau)})}\Leftrightarrow\\ 32 | \mathbf{1}_T &= e(g^{v_I(\tau)-v_J(\tau)},g) \frac{e(\pi_I, g^{A_I(\tau)})}{e(\pi_J, g^{A_J(\tau)})}\Leftrightarrow\\ 33 | e(g^{v_J(\tau)-v_I(\tau)},g) &= \frac{e(\pi_I, g^{A_I(\tau)})}{e(\pi_J, g^{A_J(\tau)})} 34 | \end{align} 35 | Let $v_k = v_I(k)$ and $v_k' = v_J(k)$. 36 | We can rewrite $v_I(X)$ using the polynomial remainder theorem as $v_I(X)=q_I(X)(X-k) + v_k$. 37 | Similarly, $v_J(X)=q_J(X)(X-k) + v_k'$. 
38 | \begin{align} 39 | e(g^{q_J(\tau)(\tau - k) + v_k'-q_I(\tau)(\tau -k)-v_k},g) &= \frac{e(\pi_I, g^{A_I(\tau)})}{e(\pi_J, g^{A_J(\tau)})}\Leftrightarrow\\ 40 | e(g^{(\tau - k)(q_J(\tau) -q_I(\tau)) + v_k'-v_k},g) &= \frac{e(\pi_I, g^{A_I(\tau)})}{e(\pi_J, g^{A_J(\tau)})}\Leftrightarrow\\ 41 | e(g^{(\tau - k)(q_J(\tau) -q_I(\tau))}, g) e(g^{v_k'-v_k},g) &= \frac{e(\pi_I, g^{A_I(\tau)})}{e(\pi_J, g^{A_J(\tau)})}\Leftrightarrow\\ 42 | e(g^{q_J(\tau) -q_I(\tau)}, g)^{\tau - k} e(g,g)^{v_k'-v_k} &= \frac{e(\pi_I, g^{A_I(\tau)})}{e(\pi_J, g^{A_J(\tau)})} 43 | \end{align} 44 | Since $k\in I\cap J$, $(X-k)$ divides both $A_I(X)$ and $A_J(X)$; factor it out to get $A_I(X)=a_I(X)(X - k)$ and $A_J(X)=a_J(X)(X - k)$, so that $g^{A_I(\tau)} = (g^{a_I(\tau)})^{\tau - k}$ and $g^{A_J(\tau)} = (g^{a_J(\tau)})^{\tau - k}$. 45 | (The divisions by $\tau - k$ in the exponents below require $\tau\ne k$; since $k\in[0,n)$, this fails with probability at most $n/p$ over the choice of $\tau$.) 46 | \begin{align} 47 | e(g^{q_J(\tau) -q_I(\tau)}, g)^{\tau - k} e(g,g)^{v_k'-v_k} &= \left(\frac{e(\pi_I, g^{a_I(\tau)})}{e(\pi_J, g^{a_J(\tau)})}\right)^{\tau -k}\Leftrightarrow\\ 48 | e(g^{q_J(\tau) -q_I(\tau)}, g) e(g,g)^\frac{v_k'-v_k}{\tau - k} &= \frac{e(\pi_I, g^{a_I(\tau)})}{e(\pi_J, g^{a_J(\tau)})}\Leftrightarrow\\ 49 | e(g,g)^\frac{v_k'-v_k}{\tau - k} &= \frac{e(\pi_I, g^{a_I(\tau)})}{e(\pi_J, g^{a_J(\tau)}) e(g^{q_J(\tau) - q_I(\tau)}, g)}\Leftrightarrow\\ 50 | e(g,g)^\frac{1}{\tau - k} &= \left(\frac{e(\pi_I, g^{a_I(\tau)})}{e(\pi_J, g^{a_J(\tau)}) e(g^{q_J(\tau) - q_I(\tau)}, g)}\right)^{\frac{1}{v_k'-v_k}} 51 | \end{align} 52 | 53 | Since the commitments to $a_I(X),a_J(X),q_I(X),q_J(X)$ can be easily reconstructed from $v_I(X),v_J(X), I$ and $J$ using $\mathsf{pp}$, and since $v_k'\ne v_k$, the reduction can compute $e(g,g)^{1/(\tau - k)}$ and output it together with $k$, which constitutes a direct break of $n$-SBDH. 54 | 55 | \subsection{Update Key Uniqueness} 56 | \label{s:update-key-uniqueness-proof} 57 | 58 | We prove that our aSVC scheme from \cref{s:svc} has \textit{Update Key Uniqueness} as defined in \cref{def:vc:update-key-uniquness}. 59 | Let $a$ be the commitment to $A(X)=X^n - 1$ from the verification key \vrk.
60 | Suppose an adversary outputs two update keys $\upk_i = (a_i, u_i)$ and $\upk_i'=(a_i',u_i')$ at position $i$ that both pass \vcverifyupk but $\upk_i\ne \upk_i'$. 61 | Then, it must be the case that either $a_i \ne a_i'$ or that $u_i \ne u_i'$. 62 | 63 | \parhead{$a_i\ne a_i'$ Case:} 64 | Since both update keys pass verification, the following pairing equations hold: 65 | \begin{align} 66 | e(a_i, g^\tau / g^{\omega^i}) &= e(a, g)\\ 67 | e(a_i', g^\tau / g^{\omega^i}) &= e(a, g) 68 | \end{align} 69 | 70 | Thus, since $\tau\ne\omega^i$ (which fails with probability at most $n/p$ over the random choice of $\tau$ in \vcsetup), both sides can be raised to the power $1/(\tau-\omega^i)$, and it follows that: 71 | \begin{align} 72 | e(a_i, g^\tau / g^{\omega^i}) &= e(a_i', g^\tau / g^{\omega^i})\Leftrightarrow\\ 73 | e(a_i, g) &= e(a_i', g)\Leftrightarrow\\ 74 | a_i = a_i' 75 | \end{align} 76 | 77 | Contradiction. 78 | 79 | \parhead{$u_i\ne u_i'$ Case:} 80 | Since the previous case rules out $a_i\ne a_i'$, we have $a_i = a_i'$, so both update keys yield the same $\ell_i$ below. Let $A'(X)$ denote the derivative of $A(X)=X^n - 1$. 81 | Let $\ell_i=a_i^{1/A'(\omega^i)}=g^{\lagr_i(\tau)}$. 82 | 83 | Since both update keys pass verification, the following pairing equations hold: 84 | \begin{align} 85 | e(\ell_i/g^1, g) &= e(u_i,g^\tau/g^{\omega^i})\\ 86 | e(\ell_i/g^1, g) &= e(u_i',g^\tau/g^{\omega^i}) 87 | \end{align} 88 | 89 | Thus, again using $\tau\ne\omega^i$, it follows that: 90 | \begin{align} 91 | e(u_i,g^\tau/g^{\omega^i}) &= e(u_i',g^\tau/g^{\omega^i})\Leftrightarrow\\ 92 | e(u_i, g) &= e(u_i', g)\Leftrightarrow\\ 93 | u_i = u_i' 94 | \end{align} 95 | 96 | Contradiction. -------------------------------------------------------------------------------- /latexpand/README: -------------------------------------------------------------------------------- 1 | NAME 2 | latexpand - Flatten LaTeX file by expanding \include and \input, ... and 3 | remove comments 4 | 5 | SYNOPSIS 6 | latexpand [options] FILE... 7 | 8 | Options: 9 | --verbose show what's going on 10 | --keep-comments don't strip comments (comments are lines 11 | starting with %, and anything below 12 | \end{document}) 13 | --empty-comments keep empty comments (i.e.
% at end of lines) for clarity 14 | --keep-includes don't expand \input and \include directives 15 | --expand-usepackage 16 | Expand \usepackage{...} directives if the 17 | corresponding .sty file is found in 18 | $TEXINPUTS (or the current directory if 19 | $TEXINPUTS is not set) 20 | --expand-bbl FILE 21 | Expand the bibliography by inlining FILE 22 | (should be a *.bbl file) 23 | --biber FILE Include \bibliography{} with FILE's content, 24 | as needed by biblatex with the biber backend. 25 | (similar to --expand-bbl FILE, but for 26 | biber+biblatex). 27 | --help this help message 28 | --output , -o 29 | generate output in 30 | --explain generate explanatory comments in output 31 | --show-graphics show included graphics 32 | --graphics_extensions 33 | colon-separated list of possible graphics extensions 34 | (used by --show-graphics to find the actual graphics files) 35 | --fatal Die in case a file can't be found. 36 | --makeatletter Insert a \makeatletter in the preamble. In some 37 | rare cases it may break your document, but it 38 | may help fix bad interactions between 39 | @-commands and inclusion (see BUGS section). 40 | --in-encoding FMT, --out-encoding FMT 41 | File encoding used by input and output files. 42 | This uses the same syntax as PerlIO's layers. 43 | Example: 44 | --in-encoding 'encoding(UTF-8)' 45 | The default is 'bytes' and should always work. 46 | 47 | USES 48 | The most common use of latexpand is to simplify distribution of source 49 | LaTeX files, typically to satisfy the requirement of editors and 50 | archival sites (springer, arXiv.org, ...) who force the authors to 51 | submit sources. One does not necessarily want to submit sources with 52 | comments, and uploading a document made of several files including each 53 | other is a bit painful. By default, latexpand answers both problems by 54 | outputting a single LaTeX file that contains no comments.
55 | 56 | GETTING LATEXPAND 57 | The latest version of latexpand is available here: 58 | 59 | https://gitlab.com/latexpand/latexpand 60 | 61 | Versions are uploaded to ctan.org from time to time: 62 | 63 | http://www.ctan.org/pkg/latexpand 64 | 65 | BUGS 66 | Please report bugs on the issue tracker on the project site: 67 | 68 | https://gitlab.com/latexpand/latexpand/issues 69 | 70 | Known bugs 71 | Verbatim 72 | latexpand currently ignores \begin{verbatim} ... \end{verbatim}, and 73 | will therefore process any \include, \input, ... directives that appear 74 | within verbatim environments (while it shouldn't). 75 | 76 | LaTeX comments inside verbatim environments are also incorrectly 77 | stripped. You can use --keep-comments as a workaround to avoid this. 78 | 79 | Comment environment 80 | It would be nice to remove code between \begin{comment} and 81 | \end{comment} too if \usepackage{comment} is used. 82 | 83 | Code like 84 | 85 | foo% 86 | \begin{comment} 87 | 88 | will produce the incorrect 89 | 90 | foo\begin{comment} 91 | 92 | A workaround is to use --empty-comments when such tricky usage of the 93 | comments package is done. 94 | 95 | \makeatletter and use with transfig/xfig with \scalebox{} 96 | If \input{} or \include{} appears as argument to a command, and the file 97 | included contains \makeatletter, then after expansion, the \makeatletter 98 | and the @-command appear as argument to the command, which is forbidden 99 | because the argument is parsed (and the @-command badly tokenized) 100 | before being executed. 101 | 102 | This happens with 103 | 104 | \scalebox{ \input{file-generated-by-xfig.pdf_t} } 105 | 106 | Workaround: add \makeatletter before the scalebox manually in your code, 107 | like 108 | 109 | \makeatletter{} 110 | \scalebox{ \input{file-generated-by-xfig.pdf_t} } 111 | \makeatother{} 112 | 113 | In the case of xfig-generated files, it is necessary only for the first 114 | occurrence.
115 | 116 | A more brute-force workaround is to use latexpand --makeatletter. 117 | 118 | SEE ALSO 119 | Instructions to include only the relevant .bib items (french): 120 | 121 | https://lacl.fr/~caubert/notes/portabilite-du-tex.html#dependances 122 | 123 | VERSION 124 | This is latexpand version v1.6. 125 | 126 | -------------------------------------------------------------------------------- /history.txt: -------------------------------------------------------------------------------- 1 | Version history for the LLNCS LaTeX2e class 2 | 3 | date filename version action/reason/acknowledgements 4 | ---------------------------------------------------------------------------- 5 | 29.5.96 letter.txt beta naming problems (subject index file) 6 | thanks to Dr. Martin Held, Salzburg, AT 7 | 8 | subjindx.ind renamed to subjidx.ind as required 9 | by llncs.dem 10 | 11 | history.txt introducing this file 12 | 13 | 30.5.96 llncs.cls incompatibility with new article.cls of 14 | 1995/12/20 v1.3q Standard LaTeX document class, 15 | \if@openbib is no longer defined, 16 | reported by Ralf Heckmann and Graham Gough 17 | solution by David Carlisle 18 | 19 | 10.6.96 llncs.cls problems with fragile commands in \author field 20 | reported by Michael Gschwind, TU Wien 21 | 22 | 25.7.96 llncs.cls revision a corrects: 23 | wrong size of text area, floats not \small, 24 | some LaTeX generated texts 25 | reported by Michael Sperber, Uni Tuebingen 26 | 27 | 16.4.97 all files 2.1 leaving beta state, 28 | raising version counter to 2.1 29 | 30 | 8.6.97 llncs.cls 2.1a revision a corrects: 31 | unbreakable citation lists, reported by 32 | Sergio Antoy of Portland State University 33 | 34 | 11.12.97 llncs.cls 2.2 "general" headings centered; two new elements 35 | for the article header: \email and \homedir; 36 | complete revision of special environments: 37 | \newtheorem replaced with \spnewtheorem, 38 | introduced the theopargself environment; 39 | two column parts made with multicol package; 
40 | add-ons to work with the hyperref package 41 | 42 | 07.01.98 llncs.cls 2.2 changed \email to simply switch to \tt 43 | 44 | 25.03.98 llncs.cls 2.3 new class option "oribibl" to suppress 45 | changes to the thebibliography environment 46 | and retain pure LaTeX codes - useful 47 | for most BibTeX applications 48 | 49 | 16.04.98 llncs.cls 2.3 if option "oribibl" is given, extend the 50 | thebibliography hook with "\small", suggested 51 | by Clemens Ballarin, University of Cambridge 52 | 53 | 20.11.98 llncs.cls 2.4 pagestyle "titlepage" - useful for 54 | compilation of whole LNCS volumes 55 | 56 | 12.01.99 llncs.cls 2.5 counters of orthogonal numbered special 57 | environments are reset each new contribution 58 | 59 | 27.04.99 llncs.cls 2.6 new command \thisbottomragged for the 60 | actual page; indentation of the footnote 61 | made variable with \fnindent (default 1em); 62 | new command \url that copies its argument 63 | 64 | 2.03.00 llncs.cls 2.7 \figurename and \tablename made compatible 65 | to babel, suggested by Jo Hereth, TU Darmstadt; 66 | definition of \url moved \AtBeginDocument 67 | (allows for url package of Donald Arseneau), 68 | suggested by Manfred Hauswirth, TU of Vienna; 69 | \large for part entries in the TOC 70 | 71 | 16.04.00 llncs.cls 2.8 new option "orivec" to preserve the original 72 | vector definition, read "arrow" accent 73 | 74 | 17.01.01 llncs.cls 2.9 hardwired texts made polyglot, 75 | available languages: english (default), 76 | french, german - all are "babel-proof" 77 | 78 | 20.06.01 splncs.bst public release of a BibTeX style for LNCS, 79 | nobly provided by Jason Noble 80 | 81 | 14.08.01 llncs.cls 2.10 TOC: authors flushleft, 82 | entries without hyphenation; suggested 83 | by Wiro Niessen, Imaging Center - Utrecht 84 | 85 | 23.01.02 llncs.cls 2.11 fixed footnote number confusion with 86 | \thanks, numbered institutes, and normal 87 | footnote entries; error reported by 88 | Saverio Cittadini, Istituto Tecnico 89 | Industriale "Tito
Sarrocchi" - Siena 90 | 91 | 28.01.02 llncs.cls 2.12 fixed footnote fix; error reported by 92 | Chris Mesterharm, CS Dept. Rutgers - NJ 93 | 94 | 28.01.02 llncs.cls 2.13 fixed the fix (programmer needs vacation) 95 | 96 | 17.08.04 llncs.cls 2.14 TOC: authors indented, smart \and handling 97 | for the TOC suggested by Thomas Gabel 98 | University of Osnabrueck 99 | 100 | 07.03.06 splncs.bst fix for BibTeX entries without year; patch 101 | provided by Jerry James, Utah State University 102 | 103 | 14.06.06 splncs_srt.bst a sorting BibTeX style for LNCS, feature 104 | provided by Tobias Heindel, FMI Uni-Stuttgart 105 | 106 | 16.10.06 llncs.dem 2.3 removed affiliations from \tocauthor demo 107 | 108 | 11.12.07 llncs.doc note on online visibility of given e-mail address 109 | 110 | 15.06.09 splncs03.bst new BibTeX style compliant with the current 111 | requirements, provided by Maurizio "Titto" 112 | Patrignani of Universita' Roma Tre 113 | 114 | 30.03.10 llncs.cls 2.15 fixed broken hyperref interoperability; 115 | patch provided by Sven Koehler, 116 | Hamburg University of Technology 117 | 118 | 15.04.10 llncs.cls 2.16 fixed hyperref warning for informatory TOC entries; 119 | introduced \keywords command - finally; 120 | blank removed from \keywordname, flaw reported 121 | by Armin B. 
Wagner, IGW TU Vienna 122 | 123 | 15.04.10 llncs.cls 2.17 fixed missing switch "openright" used by \backmatter; 124 | flaw reported by Tobias Pape, University of Potsdam 125 | 126 | 27.09.13 llncs.cls 2.18 fixed "ngerman" incompatibility; solution provided 127 | by Bastian Pfleging, University of Stuttgart 128 | 129 | 04.09.17 llncs.cls 2.19 introduced \orcidID command 130 | 131 | 10.03.18 llncs.cls 2.20 adjusted \doi according to CrossRef requirements; 132 | TOC: removed affiliation numbers 133 | 134 | splncs04.bst added doi field; 135 | bold journal numbers 136 | 137 | samplepaper.tex new sample paper 138 | 139 | llncsdoc.pdf new LaTeX class documentation 140 | -------------------------------------------------------------------------------- /background.tex: -------------------------------------------------------------------------------- 1 | \section{Preliminaries} 2 | \label{s:prelim} 3 | 4 | \parhead{Notation.} 5 | $\lambda$ is our security parameter. 6 | $\G_1,\G_2$ are groups of prime order $p$ endowed with a \textit{pairing} $e : \G_1 \times \G_2 \rightarrow \G_T$\ifNotCameraReady~\cite{MVO91,Joux00}\fi. 7 | (We assume symmetric pairings where $\G_1=\G_2$ for simplicity of exposition.) 8 | $\Gho$ is a hidden-order group. 9 | We use multiplicative notation for all groups. 10 | $\omega$ is a primitive $n$th root of unity in $\Zp$~\cite{vG13ModernCh8}. 11 | $\poly(\cdot)$ is any function upper-bounded by some univariate polynomial. 12 | $\negl(\cdot)$ is any negligible function. 13 | $\log{x}$ and $\lg{x}$ are shorthand for $\log_2{x}$. 14 | $[i,j] = \{i,i+1,\dots,j-1,j\}$, $[0,n) =[0,n-1]$ and $[n]=[1,n]$. 15 | $\vect{v}=(v_i)_{i\in[0,n)}$ is a vector of size $n$ with elements $v_i\in \Zp$. 
16 | 17 | \ifCameraReady 18 | \parhead{Lagrange Interpolation.} 19 | \else 20 | \subsection{Lagrange Polynomial Interpolation} 21 | \label{s:prelim:interpolation} 22 | \fi 23 | Given $n$ pairs $(x_i, y_i)_{i\in[0,n)}$, we can find or \textit{interpolate} the \textit{unique} polynomial $\phi(X)$ of degree $ d$, the verifier can interpolate $\phi(X)$ directly from the evaluations, which makes verifying any $\phi(i)$ trivial. 64 | 65 | \subsection{Account-based Stateless Cryptocurrencies} 66 | \label{s:prelim:stateless-cryptocurrency} 67 | 68 | In a stateless cryptocurrency based on VCs~\cite{CPZ18}, there are \textit{miners} running a permissionless consensus algorithm~\cite{Nakamoto08} and \textit{users}, numbered from $0$ to $n-1$, who have \textit{accounts} with a \textit{balance} of coins. 69 | ($n$ can be $\infty$ if the VC is unbounded.) 70 | For simplicity of exposition, we do not give details on the consensus algorithm, on transaction signature verification, or on monetary policy. 71 | \ifNotCameraReady 72 | These all remain the same as in previous stateful cryptocurrencies. 73 | \fi 74 | 75 | \parhead{The (Authenticated) State.} 76 | The \textit{state} is an \textit{authenticated data structure (ADS)} mapping each user $i$'s \textit{public key} to their account balance $\bal_i$. 77 | (In practice, the mapping is also to a \textit{transaction counter} $c_i$, which is necessary to avoid transaction replay attacks. 78 | We address this in \cref{s:discussion:txn-counters}.) 79 | Importantly, miners and users are \textit{stateless}: they do not store the state, just its \textit{digest} $d_t$ at the latest block $t$ they are aware of. 80 | Additionally, each user $i$ stores a proof $\pi_{i,t}$ for their account balance that verifies against $d_t$. 81 | %Note that some miners and/or users might be out of sync and have an earlier digest $d_{t-\Delta}$.
82 | 83 | \parhead{Miners.} 84 | Despite miners being stateless, they can still validate transactions, assemble them into a new \textit{block}, and propose that block. 85 | Specifically, a miner can verify that every new transaction spends valid coins by checking the sending user's balance against the latest digest $d_t$. 86 | This requires each user $i$ who sends coins to $j$ to include her proof $\pi_{i,t}$ in her transaction. 87 | Importantly, user $i$ should not have to include the recipient's proof $\pi_{j,t}$ in the transaction, since that would require interacting with \textit{proof-serving nodes} (see \cref{s:stateless-cryptocurrency:proof-serving-nodes}). 88 | 89 | Once the miner has a set $V$ of valid transactions, he can use them to create the next block ${t+1}$ and propose it. 90 | The miner obtains this new block's digest $d_{t+1}$ by ``applying'' all transactions in $V$ to $d_t$. 91 | When other miners receive this new block ${t+1}$, they can validate its transactions from $V$ against $d_t$ and check that the new digest $d_{t+1}$ was produced correctly from $d_t$ by ``reapplying'' all the transactions from $V$. 92 | 93 | \parhead{Users.} 94 | When creating a transaction \tx for block $t+1$, user $i$ includes her proof $\pi_{i,t}$ for miners to verify she has sufficient balance. 95 | % ...and her counter is correct. 96 | When she sees a new block ${t+1}$, she can update her proof $\pi_{i,t}$ to a new proof $\pi_{i,t+1}$, which verifies against the new digest $d_{t+1}$. 97 | For this, she will look at all changes in balances $(j, \Delta\bal_j)_{j\in J}$, where $J$ is the set of users with transactions in block ${t+1}$, and ``apply'' those changes to her proof. 98 | %(Similarly, when a miner sees a transaction from a user with a proof $\pi_{i,t-\Delta}$ w.r.t. to an earlier digest, the miner can update that proof to $\pi_{i,t}$ by keeping a window of the last $\Delta+1$ blocks and its transactions and applying those to the users proof.)
99 | Similarly, miners can also update the proofs of pending transactions that did not make it into the latest block and now need a proof w.r.t. $d_{t+1}$. 100 | 101 | Users assume that the consensus mechanism produces correct blocks. 102 | As a result, they do \textit{not} need to verify transactions in the block; they only need to update their own proof. 103 | Nonetheless, since block verification is stateless and fast, users could easily participate as block validators, should they choose to. -------------------------------------------------------------------------------- /asvc.tex: -------------------------------------------------------------------------------- 1 | \section{Aggregatable Subvector Commitment (aSVC) Schemes} 2 | \label{s:svc} 3 | 4 | In this section, we introduce the notion of \textit{aggregatable subvector commitments (aSVCs)} as a natural extension to \textit{subvector commitments (SVCs)}~\cite{LM19} where anybody can aggregate $b$ proofs for individual positions into a single constant-sized \textit{subvector proof} for those positions. 5 | Our formalization differs from previous work~\cite{BBF19,GRWZ20} in that it accounts for (static) update keys as the \textit{verifiable} auxiliary information needed to update commitments and proofs. 6 | This is useful in distributed settings where the public parameters of the scheme are split amongst many participants, such as in stateless cryptocurrencies. 7 | \ifNotCameraReady 8 | In \cref{s:asvc:from-kzg}, we introduce an efficient aSVC construction \textit{with scalable updates} from KZG commitments to Lagrange polynomials. 9 | \fi 10 | 11 | \subsection{aSVC API} 12 | \label{s:prelim:vcs:api} 13 | \label{s:asvc:defs} 14 | 15 | Our API resembles the VC API by Chepurnoy et al.~\cite{CPZ18} and the SVC API by Lai and Malavolta~\cite{LM19}, extended with an API for verifying update keys (see \cref{s:stateless-cryptocurrency:dos-update-key}) and an API for aggregating proofs.
16 | Unlike \cite{CPZ18}, our \vcproofupdate API receives both $\upk_i$ and $\upk_j$ as input. 17 | This is reasonable in the stateless setting, since each user has to store their $\upk_i$ anyway and they extract $\upk_j$ from the transactions (see \cref{s:stateless-cryptocurrency}). 18 | \\ 19 | 20 | \api $\vcsetup(1^\lambda, n)\rightarrow \prk,\vrk,(\upk_j)_{j\in[0,n)}$. 21 | Randomized algorithm that, given a security parameter $\lambda$ and an upper-bound $n$ on vector size, returns a \textit{proving key} \prk, a \textit{verification key} \vrk and \textit{update keys} $(\upk_j)_{j\in[0,n)}$. 22 | 23 | \api $\vccommit(\prk, \vect{v}) \rightarrow c$. 24 | Deterministic algorithm that returns a commitment $c$ to any vector $\vect{v}$ of size $\le n$. 25 | 26 | \api $\vcopenpos(\prk, I, \vect{v}) \rightarrow \pi_I$. 27 | Deterministic algorithm that returns a proof $\pi_I$ that $\vect{v}_I = (v_i)_{i\in I}$ is the $I$-subvector of $\vect{v}$. 28 | For notational convenience, $I$ can be either an index set $I\subseteq [0,n)$ or an individual index $I = i\in [0,n)$. 29 | 30 | \api $\vcverifypos(\vrk, c, \vect{v}_I, I, \pi_I) \rightarrow T/F$. 31 | Deterministic algorithm that verifies the proof $\pi_I$ that $\vect{v}_I$ is the $I$-subvector of the vector committed in $c$. 32 | As before, $I$ can be either an index set $I\subseteq [0,n)$ or an individual index $I = i\in [0,n)$. 33 | 34 | \api $\vcverifyupk(\vrk, i, \upk_i) \rightarrow T/F$. 35 | Deterministic algorithm that verifies that $\upk_i$ is indeed the $i$th update key. 36 | 37 | \api $\vccommupdate(c, \delta, j,\upk_j)\rightarrow c'$. 38 | Deterministic algorithm that returns a new commitment $c'$ to $\vect{v'}$ obtained by updating $v_j$ to $v_j+\delta$ in the vector $\vect{v}$ committed in $c$. 39 | Needs $\upk_j$ associated with the updated position $j$. 40 | 41 | \api $\vcproofupdate(\pi_i, \delta, i, j, \upk_i, \upk_j)\rightarrow \pi'_i$. 
42 | Deterministic algorithm that updates an old proof $\pi_i$ for the $i$th element $v_i$, given that the $j$th element was updated to $v_j + \delta$. 43 | Note that $i$ can be equal to $j$, in which case the proven value itself changes to $v_i+\delta$. 44 | 45 | \api $\vcaggregateproofs(I, (\pi_i)_{i\in I})\rightarrow \pi_I$. 46 | Deterministic algorithm that, given proofs $\pi_i$ for $v_i,\forall i\in I$, aggregates them into a succinct $I$-subvector proof $\pi_I$. 47 | 48 | \subsection{aSVC Correctness and Security Definitions} 49 | \label{s:prelim:vcs:correctness-and-security} 50 | 51 | \ifNotCameraReady 52 | We argue why our aSVC from \cref{s:svc} satisfies these definitions in \cref{s:svc:correctness-and-security}. 53 | \fi 54 | 55 | %\setlength{\columnsep}{1cm} 56 | %\noindent\fbox{\parbox{\textwidth}{% 57 | %\begin{multicols}{2} 58 | %\small 59 | \begin{definition}[Aggregatable SVC Scheme] 60 | \label{def:vc} 61 | $(\vcsetup$, $\vccommit$, \ifCameraReady\linebreak[4]\fi$\vcopenpos$, $\vcverifypos$, $\vcverifyupk$, $\vccommupdate$, $\vcproofupdate$, $\vcaggregateproofs)$ is a secure aggregatable subvector commitment scheme if 62 | $\forall$ upper-bounds $n=\poly(\lambda)$ 63 | it satisfies the following properties: 64 | \end{definition} 65 | 66 | \ifCameraReady 67 | \begin{definition}[Correctness] 68 | $\forall$ honestly generated $\prk,\vrk,(\upk_j)_{j\in[0,n)}$ via \ifCameraReady\linebreak[4]\fi\vcsetup, $\forall$ vectors $\vect{v}=(v_j)_{j\in [0,n)}$ with commitment $c$ obtained via \vccommit and, optionally, \vccommupdate calls, $\forall I\subseteq[0,n)$, if $\pi_I$ is a (sub)vector proof for $\vect{v}_I=(v_i)_{i\in I}$ obtained via any valid interleaving of \vcopenpos, \ifCameraReady\lineb\linebreak[4]\fi\vcaggregateproofs and \vcproofupdate, then $\vcverifypos(\vrk, c, \vect{v}_I, I, \pi_I)$ returns true. 69 | Furthermore, $\vcverifyupk(\vrk, i, \upk_i) = T,\forall i\in[0,n)$.
70 | \end{definition} 71 | \else 72 | \begin{definition}[Opening Correctness] 73 | \label{def:vc:opening-correctness} 74 | $\forall$ vectors $\vect{v}=(v_j)_{j\in [0,n)}$, $\forall$ index sets $I\subseteq[0,n)$: 75 | \begin{align*} 76 | \Pr \left[ \begin{array}{c} 77 | \prk,\vrk,(\upk_j)_{j\in[0,n)}\leftarrow \vcsetup(1^\lambda, n), \\ 78 | c \leftarrow \vccommit(\prk,\vect{v}),\\ 79 | \pi_I \leftarrow \vcopenpos(\prk, I, \vect{v}):\\ 80 | \vcverifypos(\vrk, c, \vect{v}_I, I, \pi_I) = T 81 | \end{array} \right] \ge 1 - \mathsf{negl}(\lambda) 82 | \end{align*} 83 | \end{definition} 84 | 85 | \begin{definition}[Commitment and Proof Update Correctness] 86 | $\forall$ vectors $\vect{v}=(v_j)_{j\in [0,n)}$, $\forall$ positions $i,k\in[0,n)$, $\forall$ updates $\delta\in \Zp$, let $\vect{u}=(u_j)_{j\in[0,n)}$ be the same vector as $\vect{v}$ except with $v_k+\delta$ rather than $v_k$ at position $k$. 87 | Then: 88 | \begin{align*} 89 | \Pr \left[ \begin{array}{c} 90 | \prk,\vrk,(\upk_j)_{j\in[0,n)} \leftarrow \vcsetup(1^\lambda, n), \\ 91 | c \leftarrow \vccommit(\prk, \vect{v}),\\ 92 | \hat{c}\leftarrow \vccommupdate(c, \delta, k,\upk_k),\\ 93 | c' \leftarrow \vccommit(\prk, \vect{u}):\\ 94 | c' = \hat{c} 95 | \end{array} \right] \ge 1 - \mathsf{negl}(\lambda)\\ 96 | \\ 97 | \Pr \left[ \begin{array}{c} 98 | \prk,\vrk,(\upk_j)_{j\in[0,n)} \leftarrow \vcsetup(1^\lambda, n), \\ 99 | c \leftarrow \vccommit(\prk, \vect{v}),\\ 100 | c' \leftarrow \vccommupdate(c, \delta, k,\upk_k),\\ 101 | \pi_i \leftarrow \vcopenpos(\prk, i, \vect{v}),\\ 102 | \pi'_i \leftarrow \vcproofupdate(\pi_i, \delta, i, k,\upk_i, \upk_k):\\ 103 | \vcverifypos(\vrk, c', u_i, i, \pi'_i) = T 104 | % Note: We use u_i here to handle the case when i = k, and v_i wouldn't pass VC.VerifyPos because it was updated, but u_i = v_i + \delta would pass. 
105 | \end{array} \right] \ge 1 - \mathsf{negl}(\lambda) 106 | \end{align*} 107 | \end{definition} 108 | 109 | \begin{definition}[Aggregation Correctness] 110 | $\forall$ vectors $\vect{v}=(v_j)_{j\in [0,n)}$, $\forall$ index sets $I\subseteq[0,n)$: 111 | \begin{align*} 112 | \Pr \left[ \begin{array}{c} 113 | \prk,\vrk,(\upk_j)_{j\in[0,n)}\leftarrow \vcsetup(1^\lambda, n), \\ 114 | c \leftarrow \vccommit(\prk,\vect{v}),\\ 115 | (\pi_i \leftarrow \vcopenpos(\prk, i, \vect{v}))_{i\in I},\\ 116 | \pi_I \leftarrow \vcaggregateproofs(I, (\pi_i)_{i\in I}):\\ 117 | \vcverifypos(\vrk, c, \vect{v}_I, I, \pi_I) = T 118 | \end{array} \right] \ge 1 - \mathsf{negl}(\lambda) 119 | \end{align*} 120 | \end{definition} 121 | 122 | \begin{definition}[Update Key Correctness] 123 | $\forall$ positions $i\in[0,n)$: 124 | \begin{align*} 125 | \Pr \left[ \begin{array}{c} 126 | \prk,\vrk,(\upk_j)_{j\in[0,n)} \leftarrow \vcsetup(1^\lambda, n):\\ 127 | \vcverifyupk(\vrk, i, \upk_i) = T 128 | \end{array} \right] \ge 1 - \mathsf{negl}(\lambda) 129 | \end{align*} 130 | \end{definition} 131 | \fi 132 | 133 | \begin{definition}[Update Key Uniqueness] 134 | \label{def:vc:update-key-uniquness} 135 | $\forall$ adversaries $\Adv$ running in time $\poly(\lambda)$: 136 | \begin{align*} 137 | \Pr \left[ \begin{array}{c} 138 | \prk,\vrk,(\upk_j)_{j\in[0,n)} \leftarrow \vcsetup(1^\lambda, n),\\ 139 | i, \upk,\upk' \leftarrow \Adv(1^\lambda, \prk,\vrk,(\upk_j)_{j\in[0,n)}):\\ 140 | \vcverifyupk(\vrk, i, \upk) = T\ \wedge \\ 141 | \vcverifyupk(\vrk, i, \upk') = T \wedge \\ 142 | \upk \ne \upk' 143 | \end{array} \right] \le \mathsf{negl}(\lambda) 144 | \end{align*} 145 | \end{definition} 146 | 147 | \paragraph{Observation:} 148 | Definitions that allow for \textit{dynamic} update hints rather than \textit{unique} update keys are possible too, but would be less simple to state and less useful for stateless cryptocurrencies (see \cref{s:stateless-cryptocurrency}). 
149 | 150 | \begin{definition}[Position Binding Security] 151 | \label{def:svc:position-binding-security} 152 | $\forall$ adversaries $\Adv$ running in time $\poly(\lambda)$, if $\vect{v}_I=(v_i)_{i\in I}$ and $\vect{v}'_J=(v'_j)_{j\in J}$, then: 153 | \begin{align*} 154 | \Pr \left[ \begin{array}{c} 155 | %pp \leftarrow \vcsetup(1^\lambda, n), \\ 156 | %\prk,\vrk,(\upk_i)_{i\in[0,n)}\leftarrow pp,\\ 157 | %(c,I,J,\vect{v}_I,\vect{v}'_J, \pi_I,\pi_J) \leftarrow\Adv(1^\lambda, pp): \\ 158 | \prk,\vrk,(\upk_i)_{i\in[0,n)} \leftarrow \vcsetup(1^\lambda, n), \\ 159 | (c,I,J,\vect{v}_I,\vect{v}'_J, \pi_I,\pi_J) \leftarrow\Adv(1^\lambda, \prk,\vrk,(\upk_i)_{i\in[0,n)}): \\ 160 | \vcverifypos(\vrk, c, \vect{v}_I, I, \pi_I) = T\ \wedge \\ 161 | \vcverifypos(\vrk, c, \vect{v}'_J, J, \pi_J) = T\ \wedge \\ 162 | \exists k \in I\cap J,\ \text{such that}\ v_k \ne v'_k 163 | \end{array} \right] \le \mathsf{negl}(\lambda) 164 | \end{align*} 165 | \end{definition} 166 | %\end{multicols} 167 | %}} 168 | 169 | \begin{table*}[t] 170 | %\large 171 | %\small 172 | %\footnotesize 173 | %\scriptsize 174 | \centering 175 | \caption{ 176 | Asymptotic comparison of our aSVC with other (aS)VCs based on prime-order groups. 177 | $n$ is the vector size and $b$ is the subvector size. 178 | See \ifCameraReady our extended paper~\cite{TAB+20e} \else \cref{s:complexity:kog}\xspace\fi for a more detailed analysis. 179 | All schemes have $O(n)$-sized parameters (except ~\cite{LM19} has $O(n^2)$ and ~\cite{CFG+20} has $O(1)$); 180 | can update commitments in $O(1)$ time (except for \cite{KZG10a}); 181 | have $O(1)$-sized proofs that verify in $O(1)$ time (except \cite{CPZ18} and \cite{Tomescu20} proofs are $O(\lg{n})$). 182 | \textit{Com.} is the time to commit to a size-$n$ vector. 183 | \textit{Proof upd.} is the time to update \textit{one} individual proof $\pi_i$ after a change to \textit{one} vector element $v_j$. 
184 | \textit{Prove one}, \textit{Prove subv.} and \textit{Prove each} are the times to compute a proof $\pi_i$ for one $v_i$, a size-$b$ subvector proof $\pi_I$ and proofs for all $(v_i)_{i\in[0,n)}$, respectively. 185 | % \textit{Prove each} is useful when a proof-serving node computes the VC from scratch given all account balances and then computes all proofs. 186 | } 187 | \label{t:asvc-comparison} % must go after \caption{} for \cref{} to work 188 | \setlength{\tabcolsep}{.22em} % space between columns 189 | \begin{tabular}{lcccccccccccc} 190 | %\toprule 191 | {\makecell{(aS)VC\\scheme}} 192 | & \makecell{$\vert\vrk\vert$} 193 | & \makecell{$\vert \upk_i\vert$} 194 | & \makecell{Com.} 195 | & \makecell{Prove\\one} 196 | & \makecell{Proof\\upd.} 197 | & \makecell{Prove\\subv.} 198 | & \makecell{Verify\\subv.} 199 | & \makecell{Aggr-\\egate} 200 | & \makecell{Prove\\each} 201 | \\ 202 | \toprule 203 | \cite{LM19} & \rn & \rn & $n$ & $n$ & $1$ & $\myred{bn}$ & $b$ & \nop & \ns\\ 204 | 205 | \cite{KZG10a} & $b$ & \nop & \nlgsn & $n$ & \nop & \btc & \mlgsm & \nop & \ns\\ 206 | 207 | \cite{CDHK15} & \rn & \rn & \nlgsn & $n$ & 1 & $n\lg^2{n}$ & \mlgsm & \nop & \ns\\ 208 | 209 | \cite{CPZ18} & \lgn & \lgr & $n$ & $n$ & \lgr & \nop & \nop & \nop & \ns\\ 210 | 211 | \cite{Tomescu20} & \tcz & \lgr & \nlgn & \nlgn & \lgr & \btc & \mlgsm & \nop & \nlgn\\ 212 | 213 | \cite{GRWZ20} & \rn & \rn & $n$ & $n$ & $1$ & $\myred{bn}$ & $b$ & $b$ & \ns\\ 214 | 215 | \cite{CFG+20} & $1$ & 1 & \nlgn & \nlgn & $1$ & $(n-b)\lg{(n-b)}$ & $b$ & \mlgsm & \nlgn\\ 216 | \toprule 217 | 218 | \textbf{Our work} & $b$ & $1$ & $n$ & $n$ & $1$ & \btc & \mlgsm & $b\lg^2{b}$ & \nlgn\\ 219 | 220 | \textbf{Our work}$^*$ & $b$ & $1$ & \nlgn & $1$ & $1$ & \mlgsm & \mlgsm & \mlgsm & \nlgn 221 | 222 | \end{tabular} 223 | \end{table*} 224 | -------------------------------------------------------------------------------- /appendix-complexity-hog.tex: 
-------------------------------------------------------------------------------- 1 | \section{Complexity of VCs Based on Hidden-order Groups} 2 | \label{s:complexity:hog} 3 | 4 | \begin{table*}[t] 5 | %\large 6 | %\small 7 | %\footnotesize 8 | \scriptsize 9 | \centering 10 | \caption{ 11 | Asymptotic comparison of our aSVC with (aS)VCs based on hidden-order groups. 12 | $n$ is the vector size, $b$ is the subvector size, $\ell$ is the length in bits of vector elements, $N=n\ell$ and $\lambda$ is the security parameter. 13 | For schemes based on hidden-order groups, the complexities in the table are \textit{asymptotic} in terms of group operations rather than exponentiations. 14 | This gives a better sense of performance, since exponents cannot be ``reduced'' in hidden-order groups as they can in known-order groups. 15 | We try to account for field operations (of size ${2\lambda}$ bits), but quantifying them precisely in these schemes can be very cumbersome. 16 | Also, since field operations are much faster, they can be mostly ignored. 17 | For our aSVC scheme, we give the same complexities in terms of group \textit{exponentiations}, pairings and field operations\ifNotCameraReady\xspace(see \cref{s:complexity-lagrange-asvc} for details)\fi. 18 | Because of this, the reader must be careful when comparing our scheme with the other schemes in this table: a group exponentiation in our scheme is roughly equivalent to $O(\lambda)$ group operations in the hidden-order group schemes. 19 | (*Updating the commitment in CFG$_\ell^1$ only works in a weaker security model where the commitment is not produced adversarially.)
20 | } 21 | \label{t:rsa-asvc-comparison-appendix} % must go after \caption{} for \cref{} to work 22 | \setlength{\tabcolsep}{.3em} % space between columns 23 | \begin{tabular}{lccccccccccccc} 24 | %\toprule 25 | {\makecell{(aS)VC scheme}} 26 | & \makecell{$\vert \prk\vert$} 27 | & \makecell{$\vert\vrk\vert$} 28 | & \makecell{$\vert \upk_i\vert$ or\\$\vert\uph_i\vert$} 29 | & \makecell{Com.} 30 | & \makecell{Com.\\upd.} 31 | & \makecell{$\vert\pi_i\vert$} 32 | & \makecell{Prove\\one\\$v_i$} 33 | & \makecell{Verify\\one\\$v_i$} 34 | & \makecell{Proof\\upd.} 35 | & \makecell{Prove\\subv.\\$(v_i)_{i\in I}$} 36 | & \makecell{Verify\\subv.\\$(v_i)_{i\in I}$} 37 | & \makecell{Aggr-\\egate} 38 | & \makecell{Prove\\each\\$(v_i)_{i\in[n]}$} 39 | \\ 40 | \toprule 41 | 42 | BBF$_\ell$~\cite{BBF19} & $1$ & $1$ & $1$ & \bbfc & \rlgn & \rlgn\xspace bits & \bbfc & \bbvy & \nop & \bbfc & \bbvys & $\ell b\lg{N}$ & $N\lg^2{N}$\\ 43 | 44 | \cfgOne~\cite{CFG+20} & $1$ & $1$ & 1 & \bbfc & $1^*$ & $1\ |\G_?|$ & \cfoo & \bbvy & 1 & \cfos & \bbvys & $\ell b\lg{b}\lg{N}$ & $N\lg^2{N}$\\ 45 | 46 | \cfgTwo~\cite{CFG+20} & $1$ & $1$ & 1 & \cftc & 1 & $1\ |\G_?|$ & \cfto & $\ell$& 1 & \cfts & \cftvs & $\ell b\lg^2{b}$ & $N\lg{n}$\\ 47 | 48 | \toprule 49 | 50 | \textbf{Our aSVC} & $n$ & $b$ & $1$ & $n$ & $1$ & $1$ & $n$ & $1$ & $1$ & \btc & \mlgsm & $b\lg^2{b}$ & \nlgn 51 | \end{tabular} 52 | %\toprule 53 | \end{table*} 54 | 55 | We give complexities of VCs based on hidden-order groups in \cref{t:rsa-asvc-comparison-appendix}. 56 | These can be challenging to describe succinctly due to the many variable-length integer operations that arise. 57 | In an effort to keep complexities simple without leaving out too much detail, we often measure (and even approximate) complexities in terms of operations in a finite field of size $2^{2\lambda}$ (e.g., additions, multiplications, computing \bezout coefficients, Shamir tricks), where $\lambda$ is our security parameter. 
58 | Another reason to do so is for fairness with VC schemes in known-order groups, which also use finite fields of size $2^{2\lambda}$. 59 | Otherwise, a $2\lambda$-bit multiplication would be counted as $O(\lambda \log\lambda)$ in schemes such as BBF$_\ell$~\cite{BBF18}\footnote{Assuming recent progress on multiplying $b$-bit integers in $O(b\log{b})$ time.} and as $O(1)$ time for schemes like KZG (see \cref{s:complexity-kzg}). 60 | 61 | \parhead{The Shamir Trick.} 62 | The ``Shamir Trick''~\cite{Shamir83,BBF18} can be used to compute an $e$th root of $g$ given an $e_1$th root and an $e_2$th root where $e=e_1 e_2$ and $\gcd(e_1,e_2)=1$. 63 | The idea is to compute \bezout coefficients $a,b$ such that $a e_1 + b e_2 = 1$. 64 | Then, $\left(g^\frac{1}{e_1}\right)^b \left(g^\frac{1}{e_2}\right)^a=g^\frac{b e_2}{e_1 e_2} g^\frac{a e_1}{e_1 e_2} = g^\frac{a e_1 + b e_2}{e_1 e_2} = g^\frac{1}{e_1 e_2}$. 65 | Note that $|a|\approx|e_2|$ and $|b|\approx|e_1|$. 66 | 67 | \subsection{Complexity of BBF$_\ell$~\cite{BBF19}} 68 | \label{s:complexity-bbf} 69 | In this scheme, we assume the vector $\vect{v}=[v_1, v_2, \dots, v_n]$ is indexed from 1 to $n$. 70 | 71 | \parhead{Public Parameters.} 72 | Let $\ell$ denote the size of vector elements in bits. 73 | Let $n$ denote the number of vector elements. 74 | Let $N=\ell n$. 75 | Let $\Gho$ denote a hidden-order group and $g$ be a random group element in $\Gho$. 76 | Let $H : [N] \rightarrow \mathsf{Primes}$ be a bijective function that on input $i$ outputs the $i$th prime number $p_i$. 77 | (Note that $|p_N|=\lln$ bits.) 78 | The \prk and \vrk consist of only $g$. 79 | This scheme does not use ``fixed'' update keys compatible with our definitions. 80 | Instead, this scheme uses \textit{``dynamic'' update hints}: the $i$th update hint w.r.t. a commitment $c$ is a VC proof for $v_i$ that verifies against $c$. 
81 | In this sense, similar to Merkle trees, this scheme is less suitable for account-based stateless cryptocurrencies~\cite{CPZ18}, since it requires user $i$ to fetch user $j$'s proof too, before sending her money. 82 | 83 | \parhead{Commitment.} 84 | An $\ell$-bit vector element $v_i$ can be written as a vector of $\ell$ bits $(v_{i,j})_{j\in [0,\ell-1]}$. 85 | Then, each bit $v_{i,j}$ is mapped to the unique prime $p_{(i-1)\cdot \ell + j}$. 86 | Put differently, each $v_i$ is mapped to $\ell$ unique primes $(p_{(i-1)\cdot \ell + 0}, p_{(i-1)\cdot \ell + 1},\dots$, $p_{(i-1)\cdot \ell+ (\ell - 1)})$. 87 | Then, for each $v_i$, take the product of all primes corresponding to non-zero bits as $P_i = \prod_{j\in[0,\ell-1]} \left(p_{(i-1)\cdot \ell + j}\right)^{v_{i,j}}$ (a prime contributes to the product exactly when its bit is $1$). 88 | Note that $|P_i| = O(\ell \lln)$. 89 | A commitment to the vector $\vect{v}=(v_i)_{i\in [n]}$ will be an RSA accumulator over these $P_i$'s: 90 | \begin{align} 91 | c 92 | &=g^{\prod_{i\in [n]}\prod_{j\in[0,\ell-1]} \left( p_{(i-1)\cdot \ell + j} \right)^{v_{i,j}}}\\ 93 | &=g^{\prod_{i\in [n]} P_i} 94 | \end{align} 95 | 96 | The exponent of $c$ is a product of at most $\ell n$ primes, with the biggest prime having size $O(\lln)$. 97 | Thus, computing the $O(1)$-sized commitment $c$ takes $O(\ell n \lln)$ group operations. 98 | (Note that, for hidden-order groups, we are counting group operations rather than exponentiations. 99 | This is to give a better sense of performance, which varies with the exponent size, since exponents cannot be ``reduced'' in hidden-order groups.) 100 | 101 | Since updating commitments requires update hints, which are VC proofs, we must first discuss VC proofs. 102 | 103 | \subsubsection{Proofs for a $v_i$} 104 | \label{s:complexity-bbf:compute-one-proof} 105 | A proof $\pi_i$ for $v_i$ must show two things: 106 | \begin{enumerate} 107 | \item That $P_i$ corresponding to all non-zero bits is accumulated in $c$. 
108 | \item That $Z_i= \prod_{j\in[0,\ell-1]} \left(p_{(i-1)\cdot \ell + j}\right)^{1-v_{i,j}}$ corresponding to all zero bits is \textit{not} accumulated in $c$. 109 | (Note that $|Z_i|=|P_i|=O(\ell\lln)$.) 110 | \end{enumerate} 111 | 112 | \parhead{Proving ``One'' Bits are Accumulated.} 113 | To prove $P_i$ is ``in'', an $O(1)$-sized RSA accumulator subset proof w.r.t. $c$ can be computed with $O(\ell n \lln)$ group operations (via \textit{A}.$\mathsf{MemWitCreate}^*$ in~\cite[Sec 4.2, pg. 15]{BBF18}): 114 | \begin{align} 115 | \label{eq:bbf:pi_i1} 116 | \pi_i^{[1]} &=g^{\prod_{j\in [n],j \ne i} P_j} = c^{1/P_i} 117 | \end{align} 118 | 119 | To speed up the verification of this (part of) the proof, a constant-sized \textit{proof of exponentiation (PoE)}~\cite{BBF18} is computed in $O(\ell\lln)$ field and group operations. 120 | We discuss this later in~\cref{s:complexity-bbf:verify-one-proof}. 121 | % These correspond to dividing $P_i$, which is $O(\ell \log{(\ell n)})$-sized by a random $O(\lambda)$-bit number in the PoE proof computation & verification (see~\cite[Sec 4.2.1, pg. 48]{Tomescu20}). 122 | % We have to say it takes at least $\ell\log{\ell n}$ time, which is the size of $|P_i|$. 123 | 124 | \parhead{Proving ``Zero'' Bits are Not Accumulated.} 125 | To prove $Z_i$ is ``out'', an $O(\ell \lln)$-sized disjointness proof $\pi_i^{[0]}$ can be computed w.r.t. $c$ (via \textit{A}.$\mathsf{NonMemWitCreate}$ in~\cite[Sec 4.1, pg. 14]{BBF18}). 126 | First, $Z_i$ must be computed, but we assume this can be done in $O(\ell\lln)$ field operations. 127 | Second, \bezout coefficients are computed such that $\alpha \prod_{i\in [n]} P_i + \beta Z_i =1$. 128 | Then, the disjointness proof is $\pi_i^{[0]}=(g^{\beta},\alpha)$. 129 | Since $|\alpha| \approx |Z_i|$, the proof is $O(\ell \lln)$-sized. 
130 | Although this disjointness proof can be made $O(1)$-sized via \textit{proofs of knowledge of exponent (PoKE)} proofs, this seems to break the ability to aggregate VC proofs in BBF$_\ell$~\cite[Sec 5.2, pg. 20]{BBF18}. 131 | However, the prover can still include two constant-sized PoE proofs for $(g^{\beta})^{Z_i}$ and for $c^{\alpha}$ to make the verifier's job easier, which costs him only $O(\ell \lln)$ field and group operations. 132 | 133 | To analyze the time complexity of computing $\pi_i^{[0]}$, recall that: 134 | \begin{enumerate} 135 | \item The asymptotic complexity of computing \bezout coefficients on $b$-bit numbers is $O(b\log^2{b})$ time. 136 | \item $b=\left|\prod_{i\in [n]} P_i\right|=O(n\ell \lln)$. 137 | \end{enumerate} 138 | As a result, the \bezout coefficients take $O\left((n\ell\lln) \log^2{(n \ell\lln)}\right)=O\left(n\ell\lln (\log{(n\ell)} + \log{\lln})^2\right)={}$\linebreak[4]$O(n\ell\log^3(\ell n))$ time. 139 | However, since these are bit operations, we will count them as $O(n\ell \lln)$ field operations. 140 | Furthermore, computing $g^{\beta}$, where $|\beta|\approx|\prod_{i\in[n]}P_i|=O(n\ell\lln)$ takes $O(n\ell\lln)$ group operations. 141 | 142 | Overall, the time to compute $\pi_i$ is $O(\ell n\lln)=O(\ell n\log{n})$. 143 | 144 | \subsubsection{Verifying a Proof for $v_i$} 145 | \label{s:complexity-bbf:verify-one-proof} 146 | 147 | To verify $\pi_i = (\pi_{i}^{[0]}, \pi_i^{[1]})$, the verifier proceeds as follows. 148 | First, he computes $P_i$ in $O(\ell\lln)$ field operations. 149 | Second, he checks that $\left(\pi_i^{[1]}\right)^{P_i} = c$ via the PoE proof in $\pi_i^{[1]}$ using $O(\lambda)$ group operations and $O(\ell\lln)$ field operations. 150 | Third, he parses $(g^{\beta}, \alpha)$ from $\pi_i^{[0]}$ and checks if $(g^{\beta})^{Z_i} c^\alpha=g$. 151 | Since the prover included PoE proofs, this can be verified with $O(\lambda)$ group operations and $O(\ell\lln)$ field operations. 
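The following Python script is an added illustration, not part of the paper and not the BBF$_\ell$ reference implementation. It walks through the bit-to-prime encoding, the accumulator commitment, both halves of a proof $\pi_i=(\pi_i^{[1]},\pi_i^{[0]})$, the verifier's two checks $(\pi_i^{[1]})^{P_i}=c$ and $(g^\beta)^{Z_i}c^\alpha=g$, the commitment update $c'=(\pi_i^{[1]})^{P_i'}$ that uses the old proof as the update hint, and the Shamir trick from the beginning of this appendix. Assumptions made so that it runs offline: the group is $\mathbb{Z}_M^*$ for a hard-coded composite $M$ (not a hidden-order group of any security, and unrelated to the $N=\ell n$ of this appendix), elements are $0$-indexed, and the PoE/PoKE proofs are omitted, so the verifier performs the full exponentiations itself.

```python
# Added example, not the paper's or BBF's code: a toy BBF_l-style vector commitment
# in Z_M^* for a hard-coded composite M. M is an assumption chosen so the script runs
# offline; it is NOT a real RSA/class-group modulus and gives no security.
from math import prod

M = 1000003 * 1000033   # toy modulus (assumed composite), insecure
G = 2                   # toy generator; gcd(2, M) = 1 because M is odd
ELL = 4                 # bits per vector element (the paper's l)

def first_primes(count):
    """The first `count` primes, i.e. the map H: [N] -> Primes with N = l*n."""
    primes, cand = [], 2
    while len(primes) < count:
        if all(cand % p for p in primes if p * p <= cand):
            primes.append(cand)
        cand += 1
    return primes

def ext_gcd(a, b):
    """Extended Euclid: (g, x, y) with a*x + b*y = g = gcd(a, b) (Bezout coefficients)."""
    if b == 0:
        return a, 1, 0
    g, x, y = ext_gcd(b, a % b)
    return g, y, x - (a // b) * y

def split_products(v_i, i, primes):
    """P_i = product of the primes at 1-bits of v_i, Z_i = product at 0-bits (0-indexed i)."""
    ps = primes[i * ELL:(i + 1) * ELL]                 # the l primes owned by element i
    bits = [(v_i >> j) & 1 for j in range(ELL)]
    P_i = prod(p for p, b in zip(ps, bits) if b)       # empty product = 1 (v_i == 0)
    Z_i = prod(p for p, b in zip(ps, bits) if not b)   # empty product = 1 (all bits set)
    return P_i, Z_i

def commit(v, primes):
    """c = g^{prod_i P_i}: an RSA-style accumulator over the 1-bit primes."""
    return pow(G, prod(split_products(x, i, primes)[0] for i, x in enumerate(v)), M)

def prove(v, i, primes):
    """pi_i = (pi1, g^beta, alpha): pi1 = c^{1/P_i} shows P_i is accumulated,
    (g^beta, alpha) with alpha*prod_j P_j + beta*Z_i = 1 shows Z_i is not."""
    P_all = [split_products(x, k, primes)[0] for k, x in enumerate(v)]
    Z_i = split_products(v[i], i, primes)[1]
    pi1 = pow(G, prod(P_all[k] for k in range(len(v)) if k != i), M)
    g, alpha, beta = ext_gcd(prod(P_all), Z_i)
    assert g == 1, "Z_i's primes never occur in any P_j, so the gcd is 1"
    return pi1, pow(G, beta, M), alpha                 # pow() inverts G when beta < 0

def verify(c, v_i, i, proof, primes):
    """Verifier's checks: (pi1)^{P_i} == c and (g^beta)^{Z_i} * c^alpha == g."""
    pi1, g_beta, alpha = proof
    P_i, Z_i = split_products(v_i, i, primes)
    member_ok = pow(pi1, P_i, M) == c
    disjoint_ok = pow(g_beta, Z_i, M) * pow(c, alpha, M) % M == G
    return member_ok and disjoint_ok

def update_commitment(proof, new_v_i, i, primes):
    """c' = (c^{1/P_i})^{P_i'}: the old proof pi_i is the update hint uph_i."""
    return pow(proof[0], split_products(new_v_i, i, primes)[0], M)

def shamir_trick(x1, e1, x2, e2):
    """Given x1 = g^{1/e1} and x2 = g^{1/e2} with gcd(e1, e2) = 1, return g^{1/(e1*e2)}."""
    g, a, b = ext_gcd(e1, e2)                          # a*e1 + b*e2 = 1
    assert g == 1, "Shamir trick needs coprime exponents"
    return pow(x1, b, M) * pow(x2, a, M) % M

def demo():
    """Constructed 4-element vector incl. the all-zero (P_i = 1) and all-one (Z_i = 1) cases."""
    v = [0b1010, 0b0001, 0b1111, 0b0000]
    primes = first_primes(len(v) * ELL)
    c = commit(v, primes)
    proofs = [prove(v, i, primes) for i in range(len(v))]
    all_ok = all(verify(c, v[i], i, proofs[i], primes) for i in range(len(v)))
    forged = verify(c, v[0] ^ 0b0100, 0, proofs[0], primes)    # wrong value must fail
    v2 = list(v)
    v2[1] = 0b0110
    update_ok = update_commitment(proofs[1], v2[1], 1, primes) == commit(v2, primes)
    P0 = split_products(v[0], 0, primes)[0]
    P2 = split_products(v[2], 2, primes)[0]
    both = shamir_trick(proofs[0][0], P0, proofs[2][0], P2)   # c^{1/(P0*P2)}
    shamir_ok = pow(both, P0 * P2, M) == c
    return all_ok, forged, update_ok, shamir_ok

if __name__ == "__main__":
    print(demo())
```

The \bezout step in \texttt{prove} is where the $O(n\ell\lln)$ cost lives: $\alpha$ is as long as $\prod_j P_j$, which is why the paper's $\pi_i^{[0]}$ is $O(\ell\lln)$-sized only after swapping which coefficient is sent in the clear, and why the Shamir trick in \texttt{shamir\_trick} needs nothing but coprime exponents and one extended-GCD.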
152 | 153 | \subsubsection{Updates} 154 | \label{s:complexity-bbf:proof-updates} 155 | 156 | \parhead{Updating Commitments.} 157 | Suppose $v_i$ changes to $v_i'$. 158 | For message bits that are changed from $0$ to $1$, updating the commitment $c$ involves ``accumulating'' new primes associated with those bits in $c$. 159 | For message bits that are changed from $1$ to $0$, updating $c$ involves removing the primes associated with those bits from $c$. 160 | Recall that, in BBF$_\ell$, the $i$th update hint $\uph_i$ is actually the VC proof $\pi_i$ for $v_i$ w.r.t. $c$. 161 | Also recall that $\pi_i^{[1]}=c^{1/P_i}$ from $\pi_i$ is exactly the commitment $c$ without any of the primes associated with $v_i$. 162 | Thus, to update the commitment, we can compute $P_i'=\prod_{j\in [0,\ell-1]} \left(p_{(i-1)\cdot\ell + j}\right)^{v'_{i,j}}$ in $O(\ell)$ field operations and set $c' = \left(\pi_i^{[1]}\right)^{P_i'}$ in $O(\ell \lln)$ group operations. 163 | 164 | To process several updates for $b$ updated elements $(v_i)_{i\in I}$ with $\uph_i$'s that all verify w.r.t. $c$, we have to take an additional step. 165 | First, we use $O(b)$ Shamir tricks on the $\pi_i^{[1]}$'s from $\uph_i$ to obtain the commitment $c^{1/\prod_{i\in I} P_i}$, which no longer accumulates any primes associated with the old elements $(v_i)_{i\in I}$. 166 | Then, we can add back the new primes $P_i'$ associated with the new elements $(v'_i)_{i\in I}$ in $O(b\ell \lln)$ group operations. 167 | We assume the $O(b)$ Shamir tricks can be done in $O(b)$ field operations. 168 | 169 | \parhead{Updating Proofs.} 170 | Proof updates are not discussed in~\cite{BBF19}, but seem possible. 171 | We leave it to future work to describe them and their complexity. 172 | 173 | \subsubsection{Subvector Proofs for $(v_i)_{i\in I}$} 174 | Recall that a normal VC proof for $v_i$ reasons about which primes associated with $v_i$ are (not) accumulated in $c$. 
175 | A subvector proof will do the same, except it will reason about primes associated with all $(v_i)_{i\in I}$. 176 | Thus, instead of reasoning about two $O(\ell \lln)$-sized $P_i$ and $Z_i$, it will reason about two $O(b\ell\lln)$-sized $\prod_{i\in I} P_i$ and $\prod_{i\in I} Z_i$. 177 | Specifically, an $I$-subvector proof consists of: 178 | \begin{align} 179 | \pi_I^{[1]} &=g^{\prod_{j\in [n]\setminus I} P_j} = c^{1/\prod_{i\in I} P_i}\\ 180 | \pi_I^{[0]} &= \left(g^\beta, \alpha\right)\ \text{such that}\ (g^\beta)^{\prod_{i\in I} Z_i} c^\alpha = g 181 | \end{align} 182 | 183 | Let us analyze the proving time and the proof size. 184 | First, computing $\pi_I^{[1]}$ can be done in $O(\ell (n-b) \lln)$ group operations, which is slightly faster than the $O(\ell n\lln)$ time for computing $\pi_i^{[1]}$ in an individual proof for $v_i$ (see \cref{eq:bbf:pi_i1}). 185 | Second, computing the PoE for $\left(\pi_I^{[1]}\right)^{\prod_{i\in I} P_i} = c$ can be done in $O(b\ell\lln)$ field and group operations. 186 | Third, computing $\pi_I^{[0]}$ maintains the same asymptotic complexity, since it is dominated by the time to compute $g^\beta$, which remains just as expensive. 187 | However, $\pi_I^{[0]}$'s size would increase to $O(b\ell\lln)$, since the \bezout coefficient $\alpha$ will be roughly of size $|\prod_{i\in I} Z_i|$. 188 | Fortunately, the prover can avoid this by giving $c^\alpha$ rather than $\alpha$ along with a PoKE proof (i.e., one group element and one $2\lambda$-bit integer), while maintaining the same asymptotic complexity. 189 | As before, the prover also gives a PoE proof for $\left(g^{\beta}\right)^{\prod_{i\in I} Z_i}$ to speed up the verifier's job. 190 | 191 | Because of the PoE proof, verification of $\pi_I^{[1]}$ only requires $O(\lambda)$ group operations as before, but the number of field operations increases to $O(b\ell\lln)$. 
192 | Similarly, the PoKE proof will speed up verification of $\pi_I^{[0]}$ to $O(\lambda)$ group operations, but the $O(b\ell\lln)$ field operations remain for verifying the PoE proof for $\left(g^{\beta}\right)^{\prod_{i\in I} Z_i}$. 193 | 194 | \subsubsection{Aggregating Proofs} 195 | Since aggregating RSA membership and non-membership witnesses is possible~\cite{BBF18}, and BBF$_\ell$ VC proofs consist of one RSA membership (subset) proof and one non-membership (disjointness) proof, it follows that aggregating proofs is possible. 196 | We leave it to future work to analyze the complexity of aggregation, which has to be at least $\Omega(b\ell\lln)$ since it must read all $b$ VC proofs as input, which are each $O(\ell\lln)$-sized. 197 | 198 | \subsubsection{Precomputing All Proofs} 199 | Computing all membership and non-membership witnesses for an RSA accumulator over $N$ elements is possible in $O(N\log{N})$ exponentiations~\cite{BBF18,SSY01}. 200 | Since for BBF$_\ell$ we have $N=\ell n$ and an exponentiation costs $O(\lln)$ group operations, this would take $O(\ell n \log^2{(\ell n)})$ group operations. 201 | We are ignoring (1) the overhead of aggregating membership and non-membership witnesses and (2) the overhead of computing PoE proofs, which we assume is dominated by the cost to compute the witnesses. 202 | 203 | \subsection{Complexity of \cfgOne~\cite{CFG+20} and \cfgTwo~\cite{CF13,LM19,CFG+20}} 204 | % In Sec 3.7, they say both universal and specialized CRS has length 1. 205 | 206 | We refer the reader to~\cite[Table 1, pg. 35]{CFG+20} for most of these complexities. 207 | 208 | \parhead{Aggregating Proofs.} 209 | For CFG$_{\ell}^1$, aggregating $b$ proofs into an $I$-subvector proof takes $O(b\log{b}\log{N})$ group operations~\cite[Sec 5.1, pg. 23]{CFG+20}. 210 | For CFG$_{\ell}^2$, this takes $O(\ell b\log^2{b})$ group operations~\cite[Sec 5.2, pg. 32]{CFG+20}. 
211 | 212 | \parhead{Precomputing All Proofs.} 213 | The paper gives a generic technique of using incremental (dis)aggregation to precompute auxiliary information for serving proofs fast. 214 | This technique can also be used to precompute all proofs fast in quasilinear time. 215 | In CFG$_\ell^{1}$, we believe this will take $O(N\log^2{N})$ group operations, dominated by the complexity of computing all $N=\ell n$ RSA accumulator membership witnesses. 216 | In CFG$_\ell^{2}$, we estimate this will take $O(\ell n\log{n})$ group operations (since disaggregating a proof of size $m$ into two proofs of size $m/2$ takes $O(\ell m)$ group operations). 217 | -------------------------------------------------------------------------------- /asvc-kzg.tex: -------------------------------------------------------------------------------- 1 | \subsection{aSVC From KZG Commitments to Lagrange Polynomials} 2 | \label{s:asvc:from-kzg} 3 | 4 | In this subsection, we present our aSVC from KZG commitments to Lagrange polynomials. 5 | Similar to previous work, we represent a vector $\vect{v} = [v_0, v_1, \dots, v_{n-1}]$ as a polynomial $\phi(X)=\sum_{i\in[0,n)} \lagr_i(X)v_i$ in Lagrange basis~\cite{KZG10a,CDHK15,Tomescu20,GRWZ20}. 6 | However, unlike previous work, we add support for efficiently updating and aggregating proofs. 7 | For aggregation, we use known techniques for aggregating KZG proofs via \textit{partial fraction decomposition}~\cite{Buterin20UsingPoly}. 8 | For updating proofs, we introduce a new mechanism to reduce the update key size from linear to constant. 9 | We use \textit{roots of unity} and ``store'' $v_i$ as $\phi(\omega^i)=v_i$, which means our Lagrange polynomials are $\lagr_i(X)=\prod_{j\in [0,n),j\ne i} \frac{X-\omega^j}{\omega^i - \omega^j}$. 10 | For this to work \textit{efficiently}, we assume without loss of generality that $n$ is a power of two. 
11 | 12 | 13 | \parhead{Committing.} 14 | A commitment to $\vect{v}$ is just a KZG commitment $c=g^{\phi(\tau)}$ to $\phi(X)$, where $\tau$ is the trapdoor of the KZG scheme (see \cref{s:prelim:polycommit:kzg}). 15 | Similar to previous work~\cite{CDHK15}, the proving key includes commitments to all Lagrange polynomials $\ell_i = g^{\lagr_i(\tau)}$. 16 | Thus, we can compute $c=\prod_{i\in[0,n)} (\ell_i)^{v_i}$ in $O(n)$ time without interpolating $\phi(X)$ and update it as 17 | $c' = c\cdot (\ell_i)^{\delta}$ after adding $\delta$ to $v_i$. 18 | Note that $c'$ is just a commitment to an updated $\phi'(X)=\phi(X)+\delta\cdot\lagr_i(X)$. 19 | 20 | \parhead{Proving.} 21 | A proof $\pi_i$ for a single element $v_i$ is just a KZG evaluation proof for $\phi(\omega^i)$. 22 | A subvector proof $\pi_I$ for $v_I,I\subseteq[0,n)$ is just a KZG batch proof for all $\phi(\omega^i)_{i\in I}$ evaluations. 23 | Importantly, we use the Feist-Khovratovich (FK)~\cite{FK20} technique to compute all proofs $(\pi_i)_{i\in[0,n)}$ in $O(n\log{n})$ time. 24 | % Note: $\phi(X)$ can be interpolated in $O(n\log{n})$ time via an inverse DFT. 25 | This allows us to aggregate $I$-subvector proofs faster in $O(\vert I \vert \log^2{|I|})$ time (see \cref{t:asvc-comparison}). 26 | 27 | \subsection{Partial Fraction Decomposition} 28 | \label{s:prelim:partial-fraction-decomposition} 29 | 30 | A key ingredient in our aSVC scheme is \textit{partial fraction decomposition}\ifNotCameraReady~\cite{PartialFractionDecomposition}\fi, which we re-explain from the perspective of Lagrange interpolation. 
31 | First, let us rewrite the Lagrange polynomial for interpolating $\phi(X)$ given all $\left(\phi(\omega^i)\right)_{i\in I}$: 32 | {\ifCameraReady\small\fi 33 | \begin{align} 34 | \lagr_i(X)=\prod_{j\in I, j\ne i} \frac{X-\omega^j}{\omega^i - \omega^j}=\frac{A_I(X)}{A'_I(\omega^i) (X-\omega^i)},\ \text{where}\ A_I(X)=\prod_{i\in I} (X-\omega^i) 35 | \end{align} 36 | }% 37 | Here, $A'_I(X)=\sum_{j\in I} A_I(X)/(X-\omega^j)$ is the derivative of $A_I(X)$~\cite{vG13ModernCh10}. 38 | Next, for any $\phi(X)$ of degree $<|I|$, letting $y_i=\phi(\omega^i)$, we can rewrite the Lagrange interpolation formula as $\phi(X) = A_I(X)\sum_{i\in I} \frac{y_i}{A'_I(\omega^i)(X-\omega^i)}$. 39 | In particular, for $\phi(X)=1$, this implies $\frac{1}{A_I(X)} = \sum_{i\in I} \frac{1}{A'_I(\omega^i)(X-\omega^i)}$. 40 | In other words, we can decompose $1/A_I(X)$ as: 41 | {\ifCameraReady\small\fi 42 | \begin{align} 43 | \frac{1}{A_I(X)} = \frac{1}{\prod_{i \in I} (X-\omega^i)} &= \sum_{i\in I} c_i\cdot \frac{1}{X-\omega^i},\ \text{where}\ c_i=\frac{1}{A'_I(\omega^i)} 44 | \end{align} 45 | }% 46 | $A_I(X)$ can be computed in $O(|I|\log^2{|I|})$ time\ifNotCameraReady\xspace using a \textit{subproduct tree} and DFT-based polynomial multiplication\fi\xspace\cite{vG13ModernCh10}. 47 | Its derivative, $A'_I(X)$, can be computed in $O(|I|)$ time and evaluated at all $\omega^i$'s in $O(|I|\log^2{|I|})$ time \cite{vG13ModernCh10}. 48 | Thus, all $c_i$'s can be computed in $O(|I|\log^2{|I|})$ time. 49 | For the special case of $I=[0,n)$, we have $A_I(X)=A(X)=\prod_{i\in[0,n)} (X-\omega^i)=X^n - 1$ and $A'(\omega^i)=n\omega^{-i}$ \ifCameraReady~\cite[Appendix A]{TAB+20e}\else\xspace(see \cref{app:xn-1-derivative})\fi. 50 | In this case, any $c_i$ can be computed in $O(1)$ time. 
51 | 52 | \subsubsection{Aggregating Proofs} 53 | \label{s:asvc:from-kzg:aggregating-proofs} 54 | We build upon Drake and Buterin's observation~\cite{Buterin20UsingPoly} that partial fraction decomposition (see \cref{s:prelim:partial-fraction-decomposition}) can be used to aggregate KZG evaluation proofs. 55 | Since our VC proofs are KZG proofs, we show how to aggregate a set of proofs $(\pi_i)_{i\in I}$ for elements $v_i$ of $\vect{v}$ into a constant-sized $I$-subvector proof $\pi_I$ for $(v_i)_{i\in I}$. 56 | 57 | Recall that $\pi_i$ is a commitment to $q_i(X)=\frac{\phi(X)-v_i}{X-\omega^i}$ and $\pi_I$ is a commitment to $q(X) = \frac{\phi(X)-R(X)}{A_I(X)}$, where $A_I(X)=\prod_{i\in I} (X-\omega^i)$ and $R(X)$ is interpolated such that $R(\omega^i)=v_i,\forall i\in I$. 58 | Our goal is to find coefficients $c_i\in \Zp$ such that $q(X)=\sum_{i\in I} c_i q_i(X)$ and thus aggregate $\pi_I=\prod_{i\in I} \pi_i^{c_i}$. 59 | We observe that: 60 | {\ifCameraReady\small\fi 61 | \begin{align} 62 | q(X)&= \phi(X)\frac{1}{A_I(X)}- R(X)\frac{1}{A_I(X)}\\ 63 | &= \phi(X)\sum_{i\in I} \frac{1}{A_I'(\omega^i)(X-\omega^i)} - \left(A_I(X)\sum_{i\in I} \frac{v_i}{A_I'(\omega^i)(X-\omega^i)}\right)\cdot \frac{1}{A_I(X)} \\ 64 | &= \sum_{i\in I} \frac{\phi(X)}{A_I'(\omega^i)(X-\omega^i)} - \sum_{i\in I} \frac{v_i}{A_I'(\omega^i)(X-\omega^i)} 65 | = \sum_{i\in I} \frac{1}{A_I'(\omega^i)}\cdot \frac{\phi(X) - v_i}{X-\omega^i}\\ 66 | &= \sum_{i\in I} \frac{1}{A_I'(\omega^i)}\cdot q_i(X) 67 | \end{align} 68 | }% 69 | Thus, we can compute all $c_i={1}/{A_I'(\omega^i)}$ using $O(\vert I\vert \log^2{\vert I \vert})$ field operations (see \cref{s:prelim:partial-fraction-decomposition}) and compute $\pi_I=\prod_{i\in I} \pi_i^{c_i}$ with an $O(|I|)$-sized multi-exponentiation. 70 | 71 | \subsubsection{Updating Proofs} 72 | \label{s:asvc:from-kzg:updating-proofs} 73 | 74 | When updating $\pi_i$ after a change to $v_j$, it could be that either $i=j$ or $i\ne j$. 
75 | First, recall that $\pi_i$ is a KZG commitment to $q_i(X)=\frac{\phi(X)-v_i}{X-\omega^i}$. 76 | Second, recall that, after a change $\delta$ to $v_j$, the polynomial $\phi(X)$ is updated to $\phi'(X)=\phi(X)+\delta\cdot\lagr_j(X)$. 77 | We refer to the party updating their proof $\pi_i$ as the \textit{proof updater}. 78 | 79 | \parhead{The $i=j$ Case.} 80 | Consider the quotient polynomial $q_i'(X)$ in the updated proof $\pi_i'$ after $v_i$ changed to $v_i+\delta$: 81 | {\ifCameraReady\small\fi 82 | \begin{align} 83 | q_i'(X) &=\frac{\phi'(X)-(v_i+\delta)}{X-\omega^i}=\frac{\left(\phi(X) + \delta\lagr_i(X)\right) - v_i -\delta}{X-\omega^i}\\ 84 | &=\frac{\phi(X) - v_i}{X-\omega^i}+\frac{\delta(\lagr_i(X)-1)}{X-\omega^i} = q_i(X) + \delta\left(\frac{\lagr_i(X)-1}{X-\omega^i}\right) 85 | \end{align} 86 | }% 87 | This means the proof updater needs a KZG commitment to $\frac{\lagr_i(X)-1}{X-\omega^i}$, which is just a KZG evaluation proof that $\lagr_i(\omega^i)=1$. 88 | This can be addressed very easily by making this commitment part of $\upk_i$. 89 | To conclude, to update $\pi_i$, the proof updater obtains $u_i=g^{\frac{\lagr_i(\tau)-1}{\tau - \omega^i}}$ from $\upk_i$ and computes $\pi_i'=\pi_i \cdot \left(u_i\right)^\delta$. 90 | (Remember that the proof updater, who calls $\vcproofupdate(\pi_i, \delta,i,i,\upk_i,\upk_i)$, has $\upk_i$.) 91 | 92 | \parhead{The $i\ne j$ Case.} 93 | Now, consider the quotient polynomial $q_i'(X)$ after $v_j$ changed to $v_j+\delta$: 94 | {\ifCameraReady\small\fi 95 | \begin{align} 96 | q_i'(X) &= \frac{\phi'(X)-v_i}{X-\omega^i}=\frac{\left(\phi(X) + \delta\lagr_j(X)\right) - v_i}{X-\omega^i}\\ 97 | &= \frac{\phi(X) - v_i}{X-\omega^i}+\frac{\delta\lagr_j(X)}{X-\omega^i} = q_i(X) + \delta\left(\frac{\lagr_j(X)}{X-\omega^i}\right) 98 | \end{align} 99 | }% 100 | In this case, the proof updater will need to construct a KZG commitment to $\frac{\lagr_j(X)}{X-\omega^i}$. 
For this, we put enough information in $\upk_i$ and $\upk_j$, which the proof updater has (see \cref{s:asvc:defs}), to help her do so.

Since $U_{i,j}(X)=\frac{A(X)}{A'(\omega^j)(X-\omega^j)(X-\omega^i)}$ and $A'(\omega^j) = n\omega^{-j}$\ifNotCameraReady\xspace(see \cref{app:xn-1-derivative})\fi, it is sufficient to reconstruct a KZG commitment to $W_{i,j}(X)=\frac{A(X)}{(X-\omega^j)(X-\omega^i)}$, which can be decomposed as $W_{i,j}(X)=A(X) \left(c_i \frac{1}{X-\omega^i} + c_j \frac{1}{X-\omega^j}\right) = c_i \frac{A(X)}{X-\omega^i} + c_j \frac{A(X)}{X-\omega^j}$, where $c_i = 1/(\omega^i-\omega^j)$ and $c_j=1/(\omega^j-\omega^i)$ (see \cref{s:prelim:partial-fraction-decomposition}).
Thus, if we include $a_j=g^{{A(\tau)}/(\tau-\omega^j)}$ in each $\upk_j$, the proof updater can first compute $w_{i,j} = a_i^{c_i} a_j^{c_j}$, then compute $u_{i,j}=\left(w_{i,j}\right)^{\frac{1}{A'(\omega^j)}}$ and finally update the proof as $\pi_i' = \pi_i \cdot (u_{i,j})^\delta$.

\subsubsection{aSVC Algorithms}
\label{s:asvc:from-kzg:algorithms}
Having established the intuition for our aSVC, we can now describe it in detail using the aSVC API from \cref{s:prelim:vcs:api}.
\ifNotCameraReady
To support verifying $I$-subvector proofs, our verification key is $O(|I|)$-sized.
\fi
\\

\api $\vcsetup(1^\lambda, n) \rightarrow \prk,\vrk,(\upk_j)_{j\in[0,n)}$.
Generates $n$-SDH public parameters $g,g^\tau,g^{\tau^2},\dots,g^{\tau^n}$.
Computes $a=g^{A(\tau)}$, where $A(X)=X^n - 1$.
Computes $a_i=g^{A(\tau)/(\tau-\omega^i)}$ and $\ell_i = g^{\lagr_i(\tau)}, \forall i\in[0,n)$.
Computes KZG proofs $u_i=g^{\frac{\lagr_i(\tau)-1}{\tau-\omega^i}}$ for $\lagr_i(\omega^i) = 1$.
Sets
$\upk_i = (a_i, u_i)$,
$\prk = \bigl((g^{\tau^i})_{i\in[0,n]},(\ell_i)_{i\in[0,n)}$, $(\upk_i)_{i\in[0,n)}\bigr)$
and $\vrk = ((g^{\tau^i})_{i\in [0,|I|]},a)$.
% Note: User $i$ needs $u_i$ to update their own proof.
% Note: Does user $j\in[0,n)$ need $\ell_i$ to update digest? If they want to, they can derive $\ell_i$ from $a_i$ which is in $\upk_i$.
% Note: Miners need $\ell_i$ to update digest, but they derive it from the $a_i$ in $\upk_i$

\api $\vccommit(\prk, \vect{v}) \rightarrow c$. %, \left[(\pi_i)_{i\in[0,n)}\right]$.
Returns $c=\prod_{i\in[0,n)} (\ell_i)^{v_i}$.

\api $\vcopenpos(\prk, I, \vect{v}) \rightarrow \pi_I$.
Computes $A_I(X)=\prod_{i\in I} (X-\omega^i)$ in $O(\vert I\vert \log^2{\vert I \vert})$ time.
Divides $\phi(X)$ by $A_I(X)$ in $O(n\log{n})$ time, obtaining a quotient $q(X)$ and a remainder $r(X)$.
Returns $\pi_I = g^{q(\tau)}$.
(We give an $O(n)$ time algorithm in \ifCameraReady~\cite[Appendix D.7]{TAB+20e}\else\cref{s:complexity-lagrange-asvc}\fi\xspace for the $\vert I\vert = 1$ case.)

\api $\vcverifypos(\vrk, c, \vect{v}_I, I, \pi_I) \rightarrow T/F$.
Computes $A_I(X)=\prod_{i\in I} (X-\omega^i)$ in $O(\vert I\vert \log^2{\vert I \vert})$ time and commits to it as $g^{A_I(\tau)}$ in $O(\vert I \vert)$ time.
Interpolates $R_I(X)$ such that $R_I(\omega^i) = v_i,\forall i \in I$ in $O(\vert I\vert \log^2{\vert I \vert})$ time and commits to it as $g^{R_I(\tau)}$ in $O(\vert I \vert)$ time.
Returns $T$ iff. $e(c/g^{R_I(\tau)},g)=e(\pi_I, g^{A_I(\tau)})$.
(When $I=\{i\}$, we have $A_I(X)=X-\omega^i$ and $R_I(X)=v_i$.)

\api $\vcverifyupk(\vrk,i, \upk_i) \rightarrow T/F$.
Checks that $\omega^i$ is a root of $X^n-1$ (which is committed in $a$) via $e(a_i, g^\tau/g^{(\omega^i)}) = e(a,g)$.
Checks that $\lagr_i(\omega^i) = 1$ via $e(\ell_i/g^1, g) =e(u_i,g^\tau/g^{(\omega^i)})$, where $\ell_i=a_i^{1/A'(\omega^i)}=g^{\lagr_i(\tau)}$.

\api $\vccommupdate(c, \delta, j,\upk_j)\rightarrow c'$.
Returns $c'=c\cdot (\ell_j)^\delta$, where $\ell_j=a_j^{1/A'(\omega^j)}$.

\api $\vcproofupdate(\pi_i, \delta, i,j, \upk_i, \upk_j)\rightarrow \pi'_i$.
If $i=j$, returns $\pi_i'=\pi_i \cdot (u_i)^\delta$.
If $i\ne j$, computes $w_{i,j}=a_i^{1/(\omega^i - \omega^j)}\cdot a_j^{1/(\omega^j - \omega^i)}$ and $u_{i,j}=w_{i,j}^{1/A'(\omega^j)}$ (see \cref{s:asvc:from-kzg:updating-proofs}) and returns $\pi_i'=\pi_i \cdot (u_{i,j})^\delta$.
% If implemented carefully, this should take 2 exps and 3 group operations:
% \pi_i' = \pi_i \cdot (a_i^\frac{1}{\omega^i - \omega^j} a_j^\frac{1}{\omega^j - \omega^i})^\frac{\delta}{A'(\omega^j)}
% = \pi_i \cdot (a_i^\frac{\delta}{A'(\omega^j)(\omega^i - \omega^j)} a_j^\frac{\delta}{A'(\omega^j)(\omega^j - \omega^i)})

\api $\vcaggregateproofs(I, (\pi_i)_{i\in I})\rightarrow \pi_I$.
Computes $A_I(X)=\prod_{i\in I} (X-\omega^i)$, its derivative $A'_I(X)$ and all $c_i = 1/A'_I(\omega^i), \forall i\in I$, in $O(\vert I\vert \log^2{\vert I \vert})$ time.
Returns $\pi_I = \prod_{i\in I} \pi_i^{c_i}$.

\subsubsection{Distributing the Trusted Setup}
\label{s:asvc:from-kzg:public-params}
Our aSVC requires a centralized, trusted setup phase that computes its public parameters.
We can decentralize this phase using highly-efficient MPC protocols that generate $(g^{\tau^i})$'s in a distributed fashion~\cite{BGM17}.
Then, we can derive the remaining parameters from the $(g^{\tau^i})$'s, which has the advantage of keeping our parameters \textit{updatable}.
First, the commitment $a=g^{A(\tau)}$ to $A(X)=X^{n} - 1$ can be computed in $O(1)$ time via an exponentiation.
Second, the commitments $\ell_i=g^{\lagr_i(\tau)}$ to Lagrange polynomials can be computed via a single DFT on the $(g^{\tau^i})$'s~\cite[Sec 3.12.3, pg. 97]{Virza17}.
% Also in BCG+15: Oakland paper I-C-2, page 5
Third, each $a_i = g^{A(\tau)/(\tau -\omega^i)}$ is a bilinear accumulator membership proof for $\omega^i$ w.r.t.
$A(X)$, and all of them can be computed in $O(n\log{n})$ time using FK~\cite{FK20}.
But what about computing each $u_i = g^{\frac{\lagr_i(\tau)-1}{\tau-\omega^i}}$?

\parhead{Computing All $u_i$'s Fast.}
Inspired by the FK technique~\cite{FK20}, we show how to compute all $n$ $u_i$'s in $O(n\log{n})$ time using a single DFT on group elements.
First, note that $u_i=g^{\frac{\lagr_i(\tau)-1}{\tau-\omega^i}}$ is a KZG evaluation proof for $\lagr_i(\omega^i)=1$.
Thus, $u_i = g^{Q_i(\tau)}$ where $Q_i(X) = \frac{\lagr_i(X)-1}{X-\omega^i}$.
Second, let $\psi_i(X)=A'(\omega^i)\lagr_i(X)=\frac{X^n - 1}{X-\omega^i}$.
Then, let $\pi_i=g^{q_i(\tau)}$ be an evaluation proof for $\psi_i(\omega^i)=A'(\omega^i)$ where $q_i(X) = \frac{\psi_i(X)-A'(\omega^i)}{X-\omega^i}$ and note that $Q_i(X)=\frac{1}{A'(\omega^i)}q_i(X)$. % so
Thus, computing all $u_i$'s reduces to computing all $\pi_i$'s.
However, since each proof $\pi_i$ is for a \textit{different} polynomial $\psi_i(X)$, directly applying FK does not work.
Instead, we give a new algorithm that leverages the structure of $\psi_i(X)$ when divided by $X-\omega^i$.
Specifically, in\ifCameraReady~\cite[Appendix B]{TAB+20e}\else~\cref{s:computing-all-uis}\fi, we show that:
\begin{align}
\label{eq:ui-qi}
q_i(X) &= \sum_{j\in [0,n-2]} H_j(X) \omega^{ij},\forall i \in [0,n),\ \text{where}\ H_j(X) = (j+1) X^{(n-2)-j}
\end{align}
If we let $h_j$ be a KZG commitment to $H_j(X)$, then we have $\pi_i = \prod_{j\in [0,n-2]} h_j^{(\omega^{ij})}$, $\forall i \in [0,n)$.
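The identities of this section, checked end to end in an added example (not the paper's or its repository's code): the aggregation coefficients $c_i = 1/A_I'(\omega^i)$, both cases of $\vcproofupdate$, and the computation of all $u_i$'s from the $h_j$'s by the DFT on group elements defined next. It assumes a toy field with $p = 97$, $n = 8$ and a constructed secret $\tau = 13$, and replaces each group element $g^{f(\tau)}$ by the field element $f(\tau)$, so only the polynomial identities are exercised, not the pairing-based verification.

```python
from functools import reduce

# Added example, not the paper's code: the identities of this section checked in a toy
# field.  A KZG commitment g^{f(tau)} is stood in for by the field element f(tau) for a
# fixed secret tau (group multiplication becomes addition, exponentiation becomes
# multiplication), so the polynomial identities are modelled, not the pairing checks.
P, N, TAU = 97, 8, 13          # constructed: 8 divides p - 1 = 96; tau is the secret trapdoor
inv = lambda x: pow(x % P, P - 2, P)

# Polynomials over F_p are coefficient lists, lowest degree first.
def trim(f):
    f = [c % P for c in f]
    while len(f) > 1 and f[-1] == 0:
        f.pop()
    return f or [0]

def padd(f, g):
    m = max(len(f), len(g))
    return trim([(f[k] if k < len(f) else 0) + (g[k] if k < len(g) else 0) for k in range(m)])

def pmul(f, g):
    out = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] += a * b
    return trim(out)

def pdivmod(f, g):
    """Long division over F_p; returns (quotient, remainder)."""
    f, g = trim(f), trim(g)
    q, lead = [0] * max(1, len(f) - len(g) + 1), inv(g[-1])
    while len(f) >= len(g) and f != [0]:
        k, c = len(f) - len(g), f[-1] * lead % P
        q[k] = c
        f = padd(f, pmul(g, [0] * k + [-c]))      # cancel the leading term of f
    return trim(q), f

def peval(f, x):
    acc = 0
    for c in reversed(f):
        acc = (acc * x + c) % P
    return acc
pderiv = lambda f: trim([k * f[k] for k in range(1, len(f))])

# omega is a primitive n-th root of unity, so A(X) = X^n - 1 has roots omega^i.
OMEGA = next(w for w in range(2, P) if pow(w, N, P) == 1 and pow(w, N // 2, P) != 1)
A_POLY = trim([-1] + [0] * (N - 1) + [1])
DA_POLY = pderiv(A_POLY)                          # A'(X) = n X^{n-1}
root = lambda i: pow(OMEGA, i, P)
commit = lambda f: peval(f, TAU)                  # stands in for g^{f(tau)}

def vanishing(I):
    """A_I(X) = prod_{i in I} (X - omega^i)."""
    return reduce(pmul, ([-root(i), 1] for i in I), [1])

def lagrange(i):
    """L_i(X) = A(X) / (A'(omega^i) (X - omega^i))."""
    return pmul(pdivmod(A_POLY, vanishing([i]))[0], [inv(peval(DA_POLY, root(i)))])

def setup():
    """Update keys upk_i = (a_i, u_i): a_i = A(tau)/(tau - omega^i), u_i = (L_i(tau) - 1)/(tau - omega^i)."""
    return [(commit(pdivmod(A_POLY, vanishing([i]))[0]),
             commit(pdivmod(padd(lagrange(i), [-1]), vanishing([i]))[0])) for i in range(N)]

def phi_of(v):
    """phi(X) = sum_i v_i L_i(X), the polynomial committed to by VC.Commit."""
    return reduce(padd, (pmul(lagrange(i), [v_i]) for i, v_i in enumerate(v)), [0])

def prove(v, i):
    """pi_i: commitment to q_i(X) = (phi(X) - v_i) / (X - omega^i)."""
    q, r = pdivmod(padd(phi_of(v), [-v[i]]), vanishing([i]))
    assert r == [0]
    return commit(q)

def subvector_proof(v, I):
    """pi_I as in VC.OpenPos: quotient of phi(X) by A_I(X) (the remainder is R_I(X))."""
    q, r = pdivmod(phi_of(v), vanishing(I))
    assert all(peval(r, root(i)) == v[i] % P for i in I)
    return commit(q)

def aggregate(I, pis):
    """VC.AggregateProofs: pi_I = prod pi_i^{c_i} with c_i = 1 / A_I'(omega^i)."""
    dA_I = pderiv(vanishing(I))
    return sum(inv(peval(dA_I, root(i))) * pi for i, pi in zip(I, pis)) % P

def update_proof(pi_i, delta, i, j, upk):
    """VC.UpdateProof after v_j changes by delta, covering both the i = j and the i != j case."""
    if i == j:
        return (pi_i + delta * upk[i][1]) % P
    wi, wj = root(i), root(j)
    w_ij = (inv(wi - wj) * upk[i][0] + inv(wj - wi) * upk[j][0]) % P  # A(tau)/((tau-wi)(tau-wj))
    u_ij = w_ij * inv(peval(DA_POLY, wj)) % P                           # L_j(tau)/(tau - wi)
    return (pi_i + delta * u_ij) % P

def all_u_via_dft():
    """All u_i from one DFT on h_j = commit(H_j), H_j(X) = (j+1) X^{(n-2)-j}, padded to length n."""
    h = [(j + 1) * pow(TAU, (N - 2) - j, P) % P for j in range(N - 1)] + [0]
    pis = [sum(h[j] * pow(OMEGA, i * j, P) for j in range(N)) % P for i in range(N)]
    return [pi * inv(peval(DA_POLY, root(i))) % P for i, pi in enumerate(pis)]
```

Running `aggregate`, `update_proof` and `all_u_via_dft` against the directly computed values confirms that an aggregated proof equals the directly opened subvector proof, that an updated proof equals a freshly computed one for both update cases, and that the DFT route yields every $u_i$ produced by `setup`.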
Next, recall that the Discrete Fourier Transform (DFT) \textit{on a vector of group elements} $\vect{a}=[a_0, a_1, \dots, a_{n-1}]\in \G^n$ is:
\begin{align}
\mathsf{DFT}_n(\vect{a}) = \vect{\hat{a}}=[\hat{a}_0, \hat{a}_1, \dots, \hat{a}_{n-1}]\in \G^n,\ \text{where}\ \hat{a}_i= \prod_{j\in [0,n)} a_j^{(\omega^{ij})}
\end{align}

If we let $\vect{\pi}=[\pi_0, \pi_1, \dots, \pi_{n-1}]$ and $\vect{h} = [h_0, h_1, \dots, h_{n-2}, 1_\G, 1_\G]$, then $\vect{\pi} = \mathsf{DFT}_n(\vect{h})$.
Thus, computing all $n$ $h_i$'s takes $O(n)$ time and computing all $n$ $\pi_i$'s takes an $O(n\log{n})$ time DFT.
As a result, computing all $u_i$'s from the $(g^{\tau^i})$'s takes $O(n\log{n})$ time overall.

\subsubsection{Correctness and Security}
\label{s:svc:correctness-and-security}
The correctness of our aSVC scheme follows naturally from Lagrange interpolation.
Aggregation and proof updates are correct by the arguments laid out in \cref{s:asvc:from-kzg:aggregating-proofs,s:asvc:from-kzg:updating-proofs}, respectively.
Subvector proofs are correct by the correctness of KZG batch proofs~\cite{KZG10a}.
\ifCameraReady
We prove our aSVC is position binding and has update key uniqueness in the extended version~\cite[Appendix C]{TAB+20e}.
\else

The security of our aSVC schemes does \textit{not} follow naturally from the security of KZG polynomial commitments.
Specifically, as pointed out in~\cite{GRWZ20}, two inconsistent subvector proofs do \textit{not} lead to a direct break of KZG's \textit{batch evaluation binding}, as defined in~\cite[Sec. 3.4]{KZG10a}.
To address this, we propose a stronger batch evaluation binding definition (see \cref{def:kzg:batch-opening-binding} in \cref{s:kzg-batch-def}) and prove KZG satisfies it under $n$-SBDH.
This new definition is directly broken by two inconsistent subvector proofs, which implies our aSVC is secure under $n$-SBDH.
Lastly, we prove update key uniqueness holds unconditionally in \cref{s:update-key-uniqueness-proof}.
\fi
--------------------------------------------------------------------------------
/intro.tex:
--------------------------------------------------------------------------------
%
\section{Introduction}

\blfootnote{An errata for this paper can be found at \url{https://github.com/alinush/asvc-paper}.}
In a \textit{stateless cryptocurrency}, neither \textit{miners} nor cryptocurrency \textit{users} need to store the full \textit{ledger state}.
Instead, this state consisting of users' account balances is split among all users using an \textit{authenticated data structure}.
This way, miners only store a succinct \textit{digest} of the ledger state and each user stores their account balance.
Nonetheless, miners can still validate transactions sent by users, who now include \textit{proofs} that they have sufficient balance.
Furthermore, miners can still propose new \textit{blocks} of transactions and users can easily \textit{synchronize} or \textit{update} their proofs as new blocks get published.

Stateless cryptocurrencies have received increased attention~\condcite{Dryja19,RMCI17,CPZ18,BBF19,GRWZ20}{ST99,Miller12,Todd16,Buterin17} due to several advantages.
First, stateless cryptocurrencies eliminate hundreds of gigabytes of miner storage needed to validate blocks.
Second, statelessness makes scaling consensus via \textit{sharding} much easier, by allowing miners to efficiently switch from one shard to another~\condcite{KJG+18}{EthereumSharding}.
Third, statelessness lowers the barrier to entry for full nodes, resulting in a much more resilient, distributed cryptocurrency.

\parhead{Stateless Cryptocurrencies from VCs.}
At a high level, a VC scheme allows a \textit{prover} to compute a succinct \textit{commitment} $c$ to a \textit{vector} $\vect{v}=[v_0, v_1, \dots, v_{n-1}]$ of $n$ \textit{elements} where $v_i\in \Zp$.
%Although we are referring to it as a ``commitment'', we will be more interested in its \textit{binding}, rather than its \textit{hiding}, properties.
Importantly, the prover can generate a \textit{proof} $\pi_i$ that $v_i$ is the element at position $i$ in $\vect{v}$, and any \textit{verifier} can check it against the commitment $c$.
The prover needs a \textit{proving key} $\prk$ to commit to vectors and to compute proofs, while the verifier needs a \textit{verification key} $\vrk$ to verify proofs.
(Usually $|\vrk| \ll |\prk|$.)
Some VC schemes support \textit{updates}: if one or more elements in the vector change, the commitment and proofs can be updated efficiently.
For this, a static \textit{update key} $\upk_j$ tied only to the updated position $j$ is necessary.
Alternatively, some schemes require dynamic \textit{update hints} $\uph_j$, typically consisting of the actual proof $\pi_j$.
The proving, verification and update keys comprise the VC's \textit{public parameters}.
Lastly, \textit{subvector commitment (SVC)} schemes~\cite{LM19} support computing succinct proofs for \textit{$I$-subvectors} $(v_i)_{i\in I}$ where $I\subset [0,n)$.
Furthermore, some schemes are \textit{aggregatable}: multiple proofs $\pi_i$ for $v_i, \forall i \in I$ can be aggregated into a single, succinct $I$-subvector proof.

Chepurnoy, Papamanthou and Zhang pioneered the idea of building \textit{account-based}~\cite{Ethereum}, stateless cryptocurrencies on top of any \textit{vector commitment (VC)} scheme~\cite{CPZ18}.
Ideally, such a VC would have (1) sublinear-sized, updatable proofs with sublinear-time verification, (2) updatable commitments and (3) sublinear-sized update keys.
In particular, static update keys (rather than dynamic update hints) help reduce interaction and thus simplify the design (see \cref{s:stateless-cryptocurrency:edrax}).
We say such a VC has ``\textit{scalable updates}.''
Unfortunately, most VCs do not have scalable updates (see \cref{s:related-work\ifNotCameraReady,t:asvc-comparison,t:rsa-asvc-comparison-appendix\fi}) or, if they do~\cite{CPZ18,Tomescu20}, they are not optimal in their proof and update key sizes.
Lastly, while some schemes in hidden-order groups have scalable updates~\cite{CFG+20}, they suffer from larger concrete proof sizes and are likely to require more computation in practice.

\parhead{Our Contributions.}
In this paper, we formalize a new \textit{aggregatable subvector commitment (aSVC)} notion that supports commitment updates, proof updates and aggregation of proofs into subvector proofs.
Then, we construct an aSVC \textit{with scalable updates} over pairing-friendly groups.
Compared to other pairing-based VCs, our aSVC has constant-sized, aggregatable proofs that can be updated with constant-sized update keys (see \cref{t:asvc-comparison}).
Furthermore, our aSVC supports computing all proofs in quasilinear time.
\ifCameraReady
We prove our aSVC secure under $q$-SBDH~\cite{Goyal07} in the extended version of our paper~\cite{TAB+20e}.
\else
We prove security of our aSVC by strengthening (and re-proving) the security definition of KZG polynomial commitments~\cite{KZG10a}.
\fi

\begin{table*}[t]
%\large
%\small
%\footnotesize
%\scriptsize
\centering
\caption{
Asymptotic comparison of our work with other stateless cryptocurrencies.
$n$ is the number of users, $\lambda$ is the security parameter, and $b$ is the number of transactions in a block.
$\Gexp$ is an \textit{exponentiation} in a known-order group.
$\mathbb{G}_?$ is a (slower) \textit{exponentiation} (of size $2\lambda$ bits) in a hidden-order group.
$\mathbb{P}$ is a pairing computation.
$|\pi_i|$ is the size of a proof for a user's account balance.
$|\upk_i|$ is the size of user $i$'s update key.
$|\pi_I|$ is the size of a proof aggregated from all $\pi_i$'s in a block.
We give each \textit{Miner's storage} in terms of VC public parameters (e.g., update keys).
A miner takes: (1) \textit{Check digest time}, to check that, by ``applying'' the transactions from block $t+1$ to block $t$'s digest, he obtains the correct digest for block $t+1$,
% Note: This can be further asymptotically reduced (see Overleaf notes)
(2) \textit{Aggr. proofs time}, to aggregate $b$ transaction proofs, and
(3) \textit{Vrfy. $|\pi_I|$ time}, to verify the aggregated proof.
A user takes \textit{Proof synchr. time} to ``synchronize'' or update her proof by ``applying'' all the transactions in a new block.
We treat \cite{GRWZ20} and \cite{CFG+20} as a payments-only stateless cryptocurrency without smart contracts.
Our aggregation and verification times have an extra $b\log^2{b}\Fop$ term, consisting of very fast field operations.
\ifNotCameraReady A detailed analysis of the underlying VCs can be found in \cref{s:complexity:pointproofs,s:complexity-lagrange-asvc,s:complexity:cpz,s:complexity-bbf}.\xspace\fi
}
\label{t:stateless-comparison} % must go after \caption{} for \cref{} to work
\setlength{\tabcolsep}{.4em} % space between columns
\begin{tabular}{ccccc}
%\toprule
{\makecell{Account-based\\stateless\\cryptocurrencies}}
& \makecell{Edrax\\\cite{CPZ18}}
& \makecell{Pointproofs\\\cite{GRWZ20}}
& \makecell{2nd VC of\\~\cite{CFG+20}}
& \textbf{Our work}\\
\toprule
$|\pi_i|$ & $\rl\Gsz$ & 1\Gsz & 1\Ghsz & 1\Gsz\\
$|\upk_i|$ & $\rl\Gsz$ & \rn\Gsz & 1\Ghsz & 1\Gsz\\
$|\pi_I|$ & $\rbl\Gsz$ & 1\Gsz & 1\Ghsz & 1\Gsz\\
Miner's storage & $\rn\Gsz$ & $\rn\Gsz$ & 1\Ghsz & $b\Gsz$\\
Vrfy. $|\pi_I|$ time & $b\rl\Pair$ & $2\Pair+b\Gexp$ & $b\myred{\log{b}}\Ghop$ & $2\Pair+ b\Gexp + \rblb\Fop$\\
Check digest time & $b \Gexp$ & $b\Gexp$ & $b\Ghop$ & $b\Gexp$\\
Aggr. proofs time & \nop & $b\Gexp$ & $b\myred{\log^2{b}} \Ghop$ & $b\Gexp + \rblb\Fop $\\
Proof synchr. time & $b\rl\Gexp$ & $b\Gexp$ & $b\Ghop$ & $b\Gexp$\\
\end{tabular}
\end{table*}

\paragraph{A Highly-Efficient Stateless Cryptocurrency.}
We use our aSVC to construct a stateless cryptocurrency based on the elegant design of Edrax\xspace\cite{CPZ18}.
Our stateless cryptocurrency has very low storage, communication and computation overheads (see \cref{t:stateless-comparison}).
First, our constant-sized update keys have a smaller impact on block size and help users update their proofs faster.
Second, our proof aggregation drastically reduces block size and speeds up block validation.
Third, our verifiable update keys remove the need for miners to either (1) store all $O(n)$ update keys or (2) interact during transaction validation to check update keys.

\subsection{Related Work}
\label{s:related-work}

\parhead{Vector Commitments (VCs).}
The notion of VCs appears early in~\cite{CFM08,LY10,KZG10a} but Catalano and Fiore~\cite{CF13} are the first to formalize it.
They introduce schemes based on the Computational Diffie-Hellman (CDH) problem, with $O(n^2)$-sized public parameters, and on the RSA problem, with $O(1)$-sized public parameters, which can be \textit{specialized} into $O(n)$-sized ones when needed.
%Neither scheme is aggregatable.
Lai and Malavolta~\cite{LM19} formalize \textit{subvector commitments (SVCs)} and extend both constructions from~\cite{CF13} with constant-sized $I$-subvector proofs.
Camenisch et al.~\cite{CDHK15} build VCs from KZG commitments~\cite{KZG10a} to Lagrange polynomials\ifNotCameraReady\xspace(see \cref{s:prelim:interpolation})\fi\xspace that are not only \textit{binding} but also \textit{hiding}.
However, their scheme intentionally prevents aggregation of proofs as a security feature.
%Their \textit{verification key} (see \cref{s:prelim:vcs}) is $O(n)$-sized and they do not discuss updating proofs.
Feist and Khovratovich~\cite{FK20} introduce a technique for precomputing all \textit{constant-sized} evaluation proofs in KZG commitments when the evaluation points are all roots of unity.
We use their technique to compute VC proofs fast.
Chepurnoy et al.~\cite{CPZ18} instantiate VCs using multivariate polynomial commitments~\cite{PST13} but with logarithmic rather than constant-sized proofs.
Then, they build the first efficient, account-based, stateless cryptocurrency on top of their scheme.
Later on, Tomescu~\cite{Tomescu20} presents a very similar scheme but from univariate polynomial commitments~\cite{KZG10a} which supports subvector proofs.

Boneh et al.~\cite{BBF19} instantiate VCs using hidden-order groups.
They are the first to support aggregating multiple proofs (under certain conditions\ifNotCameraReady; see \cite[Sec. 5.2, p. 20]{BBF18}\fi).
They are also the first to have constant-sized public parameters, without the need to specialize them into $O(n)$-sized ones.
However, their VC uses update hints (rather than keys), which is less suitable for stateless cryptocurrencies.
\ifNotCameraReady
Furthermore, they introduce \textit{key-value map commitments (KVCs)}, which support a larger set of positions from $[0, 2^{2\lambda})$ rather than $[0,n)$, where $\lambda$ is a security parameter.
They argue their KVC can be used for account-based stateless cryptocurrencies, but do not explore a construction in depth.
\fi
% They do not talk about updating KVC proofs.
Campanelli et al.~\cite{CFG+20} also formalize SVCs with a more powerful notion of \textit{infinite (dis)aggregation} of proofs.
In contrast, our aSVC only supports ``one hop'' aggregation and does not support disaggregation.
They also formalize a notion of updatable, distributed VCs as Verified Decentralized Storage (VDS).
However, their use of hidden-order groups leads to larger concrete proof sizes.
% Note: Regarding "and to formalize the notion of \textit{specialization} for public parameters," it's probably more fair to attribute this to CF13.
\ifNotCameraReady
Both of their schemes have $O(1)$-sized public parameters and can compute all proofs efficiently in quasilinear time.
One scheme supports update hints while the other supports update keys.
\fi

Concurrent with our work, Gorbunov et al.~\cite{GRWZ20} also formalize aSVCs with a stronger notion of \textit{cross-commitment aggregation}.
However, their formalization lacks (verifiable) update keys, which hides many complexities that arise in stateless cryptocurrencies (see \cref{s:stateless-cryptocurrency:dos-update-key}).
Their VC scheme extends~\cite{LY10} with (1) aggregating proofs into $I$-subvector proofs and (2) aggregating multiple $I$-subvector proofs \textit{with respect to different VCs} into a single, constant-sized proof.
However, this versatility comes at the cost of (1) losing the ability to precompute all proofs fast, (2) $O(n)$-sized update keys for updating proofs, and (3) an $O(n)$-sized verification key.
% Note: For updating commitments, the update key for position $i$ is just one group element.
This makes it difficult to apply their scheme in a stateless cryptocurrency for payments such as Edrax~\cite{CPZ18}.
Furthermore, Gorbunov et al. also enhance KZG-based VCs with proof aggregation, but they do not consider proof updates.
Lastly, they show it is possible to aggregate $I$-subvector proofs across different commitments for KZG-based VCs.

%Libert et al.~\cite{LRY16} generalize VCs to \textit{functional commitments (FCs)} which, instead of revealing $v_i$ when opening, reveals $\sum_{i\in[0,n)} x_i v_i$, for any $\vect{x}=(x_i)_{i\in[0,n)}$ given as input to the opening algorithm.
%Lai and Malavolta~\cite{LM19} generalize FCs to \textit{linear map commitments (LMCs)} which reveals $f(\vect{v})$ for any linear map $f : \Fp^n \rightarrow \Fp^q$ given as input to the opening algorithm ($q$ is fixed at setup).
Kohlweiss and Rial~\cite{KR13} extend VCs with zero-knowledge protocols for proving correct computation of a new commitment, for opening elements at secret positions, and for proving secret updates of elements at secret positions.

% Note: BCFK19 for zero-knowledge sets from CPZ18 VC. Cool, but unrelated.
% Note: Thakur19 claims VC from bilinear accs, but does not give full description.

\parhead{Stateless Cryptocurrencies.}
The concept of stateless validation appeared early in the cryptocurrency community~\cite{Miller12,Todd16,Buterin17} and later on in the academic community~\cite{RMCI17,Dryja19,CPZ18,BBF19,GRWZ20}.
\ifNotCameraReady\paragraph{UTXO-based.}\fi
Initial proposals for UTXO-based cryptocurrencies used Merkle hash trees~\cite{Miller12,Todd16,Dryja19,CPZ18}.
In particular, Dryja~\cite{Dryja19} gives a beautiful Merkle forest construction that significantly reduces communication.
Boneh et al.~\cite{BBF19} further reduce communication by using RSA accumulators\ifNotCameraReady~\cite{Bd93,LLX07}\fi.

\ifNotCameraReady\paragraph{Account-based.}\fi
Reyzin et al.~\cite{RMCI17} introduce a Merkle-based construction for account-based stateless cryptocurrencies.
Unfortunately, their construction relies on \textit{proof-serving nodes}: every user sending coins has to fetch the recipient's Merkle proof from a node and include it with her own proof in the transaction.
% Note: Fundamentally, this is because Merkle trees use update hints $\uph_i$ consisting of the Merkle proof $\pi_i$.
Edrax~\cite{CPZ18} obviates the need for proof-serving nodes by using a vector commitment (VC) with update keys (rather than update hints like Merkle trees).
Nonetheless, proof-serving nodes can still be used to assist users who do not want to manually update their proofs (which is otherwise very fast).
Unfortunately, Edrax's (non-aggregatable) proofs are logarithmic-sized and thus sub-optimal.

Gorbunov et al.~\cite{GRWZ20} introduce \textit{Pointproofs}, a versatile VC scheme which can aggregate proofs across \textit{different} commitments.
They use this power to solve a slightly different problem: stateless block validation for smart contract executions (rather than for payments as in Edrax).
Unfortunately, their approach requires miners to store a different commitment for each smart contract, or around 4.5 GBs of (dynamic) state in a system with $10^8$ smart contracts.
This could be problematic in applications such as sharded cryptocurrencies, where miners would have to download part of this large state from one another when switching shards.
Lastly, the verification key in Pointproofs is $O(n)$-sized, which imposes additional storage requirements on miners.
Furthermore, Gorbunov et al. do not discuss how to update or precompute proofs efficiently.
Instead they assume that all contracts have $n\le 10^3$ memory locations and users can compute all proofs in $O(n^2)$ time.
In contrast, our aSVC can compute all proofs in $O(n\log{n})$ time~\cite{FK20}.
Nonetheless, their approach is a very promising direction for supporting smart contracts in stateless cryptocurrencies.

Bonneau et al.~\cite{BMRS20} use recursively-composable, succinct non-interactive arguments of knowledge (SNARKs) \cite{BCTV14} for stateless validation.
However, while block validators do not have to store the full state in their system, miners who propose blocks still have to.
\ifNotCameraReady
In contrast, in previous stateless cryptocurrencies (including ours), even miners who propose blocks are stateless.
\fi
--------------------------------------------------------------------------------
/apps.tex:
--------------------------------------------------------------------------------
\section{A Highly-efficient Stateless Cryptocurrency}
\label{s:stateless-cryptocurrency}

In this section, we enhance Edrax's elegant design by replacing their VC with our secure \textit{aggregatable} subvector commitment (aSVC) scheme from \cref{s:asvc:from-kzg}.
As a result, our stateless cryptocurrency has smaller, aggregatable proofs and smaller update keys.
This leads to smaller, faster-to-verify blocks for miners and faster proof synchronization for users (see \cref{t:stateless-comparison}).
Furthermore, our verifiable update keys reduce the storage overhead of miners from $O(n)$ update keys to $O(1)$.
We also address a denial of service (DoS) attack in Edrax's design.

\subsection{From VCs to Stateless Cryptocurrencies}
\label{s:stateless-cryptocurrency:edrax}
Edrax pioneered the idea of building account-based, stateless cryptocurrencies on top of any VC scheme~\cite{CPZ18}.
In contrast, previous approaches were based on \textit{authenticated dictionaries (ADs)}~\cite{RMCI17,Buterin17}, for which efficient constructions with static update keys are not known.
In other words, these AD-based approaches used \textit{dynamic update hints} $\uph_j$ consisting of the proof for position $j$.
This complicated their design, requiring user $i$ to ask a \textit{proof-serving node} for user $j$'s proof in order to create a transaction sending money to $j$.

\parhead{Trusted Setup.}
To support up to $n$ users, public parameters $(\prk,\vrk$, \ifCameraReady\linebreak[4]\fi$(\upk_i)_{i\in[0,n)})\leftarrow \vcsetup(1^{\lambda}, n)$ are generated via a \textit{trusted setup}, which can be decentralized using MPC protocols~\cite{BGM17}.
Miners need to store all $O(n)$ update keys to propose blocks and to validate blocks (which we fix in \cref{s:stateless-cryptocurrency:dos-update-key}).
The $\prk$ is only needed for \textit{proof-serving nodes} (see \cref{s:stateless-cryptocurrency:proof-serving-nodes}).

\parhead{The (Authenticated) State.}
The state is a vector $\vect{v}=(v_i)_{i\in[0,n)}$ of size $n$ that maps user $i$ to $v_i=(\addr_i|\bal_i)\in \Zp$, where $\bal_i$ is her balance and $\addr_i$ is her \textit{address}, which we define later.
(We discuss including transaction counters for preventing replay attacks in \cref{s:discussion:txn-counters}.)
Importantly, since $p \approx 2^{256}$, the first 224 bits of $v_i$ are used for $\addr_i$ and the last 32 bits for $\bal_i$.
%This means that $H(\cdot)$ outputs only 224 bits.
The genesis block's state is the all zeros vector with digest $d_0$
(e.g., in our aSVC, $d_0=g^0$).
Initially, each user $i$ is \textit{unregistered} and starts with a proof $\pi_{i,0}$ that their $v_i = 0$.
% i.e., $\forall i, \vcverifypos(\vrk, d_0, 0, i,\pi_{i,0})=T$.

\parhead{``Full'' vs. ``Traditional'' Public Keys.}
User $i$'s address is computed as $\addr_i=H(\PK_i)$, where $\PK_i=(i,\upk_i,\tpk_i)$ is her \textit{full public key}\ifNotCameraReady\xspace and $H$ is a collision-resistant hash function\fi.
Here, $\tpk_i$ denotes a \textit{``traditional'' public key} for a digital signature scheme, with corresponding secret key $\tsk_i$ used to authorize user $i$'s transactions.
To avoid confusion, we will clearly refer to public keys as either ``full'' or ``traditional.''

\parhead{Registering via \inittxn Transactions.}
\inittxn transactions are used to \textit{register} new users and assign them a unique, ever-increasing number from $1$ to $n$.
For this, each block $t$ stores a \textit{count of users registered so far} $\cnt_t$.
To register, a user generates a \textit{traditional secret key} $\tsk$ with a corresponding \textit{traditional public key} $\tpk$.
Then, she broadcasts an \inittxn transaction:
$$\tx=[\inittxn, \tpk]$$
A miner working on block ${t+1}$ who receives $\tx$ proceeds as follows.
\begin{enumerate}
\item He sets $i=\cnt_{t+1}$ and increments the count $\cnt_{t+1}$ of registered users,
\item He updates the VC via $d_{t+1}=\vccommupdate(d_{t+1}, (\addr_i\vert 0), i, \upk_i)$,
\item He incorporates $\tx$ in block $t+1$ as $\tx' = [\inittxn, (i, \upk_i,\tpk_i)]=[\inittxn, \PK_i]$.
\end{enumerate}
The full public key with $\upk_i$ is included so other users can correctly update their VC when they process $\tx'$.
\ifNotCameraReady
(The index $i$ is not necessary, since it can be computed from the block's $\cnt_{t+1}$ and the number of \inittxn transactions processed in the block so far.)
\fi
Note that to compute $\addr_i=H(\PK_i)$, the miner needs to have the correct $\upk_i$ which requires $O(n)$ storage.
We discuss how to avoid this in \cref{s:stateless-cryptocurrency:dos-update-key}.

\parhead{Transferring Coins via \spendtxn Transactions.}
When transferring $v$ coins to user $j$, user $i$ (who has $v'\ge v$ coins) must first obtain $\PK_j=(j, \upk_j,\tpk_j)$.
This is similar to existing cryptocurrencies, except the (full) public key is now slightly larger.
Then, user $i$ broadcasts a \spendtxn transaction, signed with her $\tsk_i$:
$$\tx=[\spendtxn, t, \PK_i, j, \upk_j, v,\pi_{i,t}, v']$$
% Note that miners will use $\tpk_i$ from $\PK_i$ to verify user $i$'s signature on this transaction, but they do not need user $j$'s $\tpk_j$ for anything.
% Don't they need \tpk_j to compute addr_j and update the digest with j's new balance?
% Nope, because only the value 'v' needs to be accumulated in the digest, while leaving addr_j intact.

A miner working on block ${t+1}$ processes this \spendtxn transaction as follows:
\begin{enumerate}
\item He checks that $v\le v'$ and verifies the proof $\pi_{i,t}$ that user $i$ has $v'$ coins via $\vcverifypos(\vrk, d_t, (\addr_i|v'), i, \pi_{i,t})$.
68 | (If the miner receives another transaction from user $i$, it needs to carefully account for $i$'s new $v'-v$ balance.) 69 | \item He updates $i$'s balance in block $t+1$ with $d_{t+1}=\vccommupdate(d_{t+1}, -v, i$, $\upk_i)$, 70 | which only sets the lower order bits of $v_i$ corresponding to $\bal_i$, without touching the higher order bits for $\addr_i$. 71 | \item He does the same for $j$ with $d_{t+1}=\vccommupdate(d_{t+1}$, $+v, j, \upk_j)$. 72 | \end{enumerate} 73 | % To verify a batch of txns from $i$, just verify all the proofs first, then update commitment! 74 | 75 | \parhead{Validating Blocks.} 76 | Suppose a miner receives a new block $t+1$ with digest $d_{t+1}$ that has $b$ \spendtxn transactions: 77 | $$\tx=[\spendtxn, t, \PK_{i}, {j}, \upk_{j}, v, \pi_{i,t}, v']$$ 78 | To validate this block, the miner (who has $d_t$) proceeds in three steps (\inittxn transactions can be handled analogously): 79 | 80 | \paragraph{Step 1: Check Balances.} 81 | First, for each $\tx$, he checks that $v \le v'$ and that user $i$ has balance $v'$ via $\vcverifypos(\vrk, d_t$, $(\addr_{i}|v'), i, \pi_{i,t})=T$. 82 | Since the sending user $i$ might have multiple transactions in the block, the miner has to carefully keep track of each sending user's balance to ensure it never goes below zero. 83 | 84 | \paragraph{Step 2: Check Digest.} 85 | Second, he checks $d_{t+1}$ has been computed correctly from $d_t$ and from the new transactions in block $t+1$. 86 | Specifically, he sets $d'=d_t$ and for each $\tx$, he computes $d' = \vccommupdate(d', -v, i, \upk_{i})$ and $d'=\vccommupdate(d',+v$, $j,\upk_{j})$. 87 | Then, he checks that $d'=d_{t+1}$. 88 | 89 | \paragraph{Step 3: Update Proofs, If Any.} 90 | If the miner lost the race to build block $t+1$, he can start mining block $t+2$ by ``moving over'' the \spendtxn transactions from his unmined block. 91 | For this, he updates all proofs in those \spendtxn transactions, so they are valid against the new digest $d_{t+1}$. 
92 | %However, some of those transactions might now be invalid because the sending users' balance is too low. 93 | % For example, this can happen if that user sent another transaction that got included in block $t+1$ and consumed too much of her balance. 94 | Similarly, the miner must also ``move over'' all \inittxn transactions, since block $t+1$ might have registered new users. 95 | 96 | \parhead{User Proof Synchronization.} 97 | Consider a user $i$ who has processed the ledger up to time $t$ and has digest $d_t$ and proof $\pi_{i,t}$. 98 | Eventually, she receives a new block $t+1$ with digest $d_{t+1}$ and needs to update her proof so it verifies against $d_{t+1}$. 99 | Initially, she sets $\pi_{i,t+1} = \pi_{i,t}$. 100 | For each $[\inittxn,\PK_j]$ transaction, she updates her proof $\pi_{i,t+1} = \vcproofupdate(\pi_{i,t+1}, (H(\PK_j)|0), i,j, \upk_i, \upk_j)$. 101 | For each $[\spendtxn, t, \PK_j, k, \upk_k, v,\pi_{j,t}, v']$, she updates her proof twice: $\pi_{i,t+1} =\vcproofupdate(\pi_{i,t+1}, -v, i,j, \upk_i,\upk_j)$ and $\pi_{i,t+1} =\vcproofupdate(\pi_{i,t+1}$, $+v, i, k, \upk_i,\upk_k)$. 102 | We stress that users can safely be offline and miss new blocks. 103 | Eventually, when a user comes back online, she downloads the missed blocks, updates her proof and is ready to transact. 104 | 105 | \subsection{Efficient Stateless Cryptocurrencies from aSVCs} 106 | In this subsection, we explain how replacing the Edrax VC with our aSVC from \cref{s:asvc:from-kzg} results in a more efficient stateless cryptocurrency (see \cref{t:stateless-comparison}). 107 | Then, we address a denial of service attack on user registrations in Edrax. 108 | 109 | \subsubsection{Smaller, Faster, Aggregatable Proofs} 110 | Our aSVC enables miners to aggregate all $b$ proofs in a block of $b$ transactions into a single, constant-sized proof. 111 | This drastically reduces Edrax's per-block proof overhead from $O(b\log{n})$ group elements to just one group element. 
112 | Unfortunately, the $b$ update keys cannot be aggregated, but we still reduce their overhead from $O(b\log{n})$ to $b$ group elements per block (see \cref{s:stateless-cryptocurrency:smaller-update-keys}). 113 | % (for users and miners to update their proofs and/or digest) 114 | Our smaller proofs are also faster to update, taking $O(1)$ time rather than $O(\log{n})$. 115 | While verifying an aggregated proof in our aSVC is $O(b\log^2{b})$ time, which is asymptotically slower than the $O(b)$ time for verifying $b$ individual ones, it is still \textit{concretely} faster as it only requires two, rather than $O(b)$, cryptographic pairings. 116 | This makes validating new blocks much faster in practice. 117 | 118 | \subsubsection{Reducing Miner Storage Using Verifiable Update Keys} 119 | \label{s:stateless-cryptocurrency:dos-update-key} 120 | 121 | We stress that miners must validate update keys before using them to update a digest. 122 | Otherwise, they risk corrupting that digest, which results in a denial of service. 123 | Edrax miners sidestep this problem by simply storing all $O(n)$ update keys. 124 | Alternatively, Edrax proposes outsourcing update keys to an untrusted third party via a static Merkle tree. 125 | Unfortunately, this would either require interaction \textit{during block proposal and block validation} or would double the update key size. 126 | \ifNotCameraReady 127 | For example, miners would need to fetch the correct update key and/or its Merkle proof to process a \spendtxn transaction. 128 | \fi 129 | Our implicitly-verifiable update keys avoid these pitfalls, since miners can directly verify the update keys in a \spendtxn transaction via \vcverifyupk. 130 | Furthermore, for \inittxn transactions, miners can fetch (in the background) a running window of the update keys needed for the next $k$ registrations. 
131 | By carefully upper-bounding the number of registrations expected in the near future, we can avoid interaction during the block proposal. 132 | This background fetching could be implemented in Edrax too, either with a small overhead via Merkle proofs or by making their update keys verifiable (which seems possible). 133 | 134 | \subsubsection{Smaller Update Keys} 135 | \label{s:stateless-cryptocurrency:smaller-update-keys} 136 | Although, in our aSVC, $\upk_i$ contains $a_i=g^{A(\tau)/(\tau-\omega^i)}$ and $u_i=g^{\frac{\lagr_i(\tau)-1}{\tau-\omega^i}}$, miners only need to include $a_i$ in the block. 137 | This is for two reasons. 138 | First, user $i$ already has $u_i$ to update her own proof after changes to her own balance. 139 | Second, no other user $j\ne i$ will need $u_i$ to update her proof $\pi_j$. 140 | However, as hinted in \cref{s:stateless-cryptocurrency:edrax}, miners actually need $u_i$ when only a subset of $i$'s pending transactions get included in block $t$. 141 | In this case, the excluded transactions must have their proofs updated using $u_i$ so they can be included in block $t+1$. 142 | Fortunately, this is not a problem, since miners always receive $u_i$ with user $i$'s transactions (it is part of $\PK_i$). 143 | The key observation is that they do not have to include $u_i$ in the mined block, since users do not need it. 144 | 145 | \subsubsection{Addressing DoS Attacks on User Registrations.} 146 | \label{s:stateless-cryptocurrency:dos-registration} 147 | 148 | Unfortunately, the registration process based on \inittxn transactions is susceptible to Denial of Service (DoS) attacks: 149 | an attacker can simply send a large number of \inittxn transactions and quickly exhaust the free space in the vector $\vect{v}$. 150 | There are several ways to address this. 151 | First, one can use an aSVC from hidden-order groups, which supports an unbounded number of elements~\cite{CFG+20}. 152 | However, that would negatively impact performance. 
153 | Second, as future work, one could develop and use unbounded, authenticated dictionaries \textit{with scalable updates}. 154 | Third, one could simply use multiple bounded aSVCs together with cross-commitment proof aggregation, which our aSVC supports~\cite{GRWZ20}. 155 | Fourth, one can add a cost to user registrations via a new \initspendtxn transaction that registers a user $j$ by having user $i$ send her some coins: 156 | $$[\initspendtxn, t, \PK_i, \tpk,v,\pi_{i,t}, v'],\ \text{where}\ 0 < v \le v'$$ 157 | %User $i$ would sign this \initspendtxn transaction using her $\tsk_i$, similar to a \spendtxn transaction. 158 | Miners processing this transaction would first register a new user $j$ with traditional public key $\tpk$ and then transfer her $v$ coins. 159 | We stress that this is how existing cryptocurrencies operate anyway: in order to join, one has to be transferred some coins from existing users. 160 | Lastly, we can ensure that each \tpk is only registered once by including in each \inittxn/\initspendtxn transaction a non-membership proof for $\tpk$ in a Merkle prefix tree of all TPKs. 161 | We leave a careful exploration of this to future work. 162 | 163 | Finally, miners (and only miners) will be allowed to create a \textit{single} $[\inittxn, \PK_i]$ transaction per block to register themselves. 164 | This has the advantage of letting new miners join, without ``permission'' from other miners or users, while severely limiting DoS attacks, since malicious miners can only register one new user per block. 165 | Furthermore, transaction fees and/or additional proof-of-work can also severely limit the frequency of \initspendtxn transactions. 166 | 167 | \subsubsection{Minting Coins and Transaction Fees.} 168 | Support for minting new coins can be added with a new \minttxn transaction type: 169 | $$\tx = [\minttxn, i, \upk_i, v]$$ 170 | Here, $i$ is the miner's user account and $v$ is the amount of newly minted coins. 
171 | (Note that miners must register as users using $\inittxn$ transactions if they are to receive block rewards.) 172 | %When this \minttxn transaction is processed by other users or miners, they update their digest $d_t$ using $\vccommupdate(d_t, +v, i, \upk_i)$. 173 | %(In addition, users also update their proofs.) 174 | To support transaction fees, we can extend the \spendtxn transaction format to include a fee, which is then added to the miner's block reward specified in the \minttxn transaction. 175 | 176 | \subsection{Discussion} 177 | 178 | \subsubsection{Making Room for Transaction Counters} 179 | \label{s:discussion:txn-counters} 180 | As mentioned in \cref{s:prelim:stateless-cryptocurrency}, to prevent transaction replay attacks, account-based stateless cryptocurrencies such as Edrax should actually map a user $i$ to $v_i = (\addr_i\vert c_i\vert\bal_i)$, where $c_i$ is her \textit{transaction counter}. 181 | This change is trivial, but does leave less space in $v_i$ for $\addr_i$, depending on how many bits are needed for $c_i$ and $\bal_i$. 182 | (Recall that $v_i\in\Zp$ typically has $\approx$ 256 bits.) 183 | To address this, we propose using one aSVC for mapping $i$ to $\addr_i$ and another aSVC for mapping $i$ to $(c_i\vert\bal_i)$. 184 | Our key observation is that if the two aSVCs use different $n$-SDH parameters (e.g., $(g^{\tau^i})$'s and $(h^{\tau^i})$'s, such that $\log_g{h}$ is unknown), then we could aggregate commitments, proofs and update keys so as to introduce zero computational and communication overhead in our stateless cryptocurrency. 185 | Security of this scheme could be argued similar to security of perfectly hiding KZG commitments~\cite{KZG10a}, which commit to $\phi(X)$ as $g^{\phi(\tau)}h^{r(\tau)}$ in an analogous fashion. 186 | We leave investigating the details of this scheme to future work. 
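The following is an added example, not code from the paper or its authors: a toy Python model of the procedures described earlier in this section (registration via \inittxn, \spendtxn processing, Steps 1 and 2 of block validation, \minttxn, and user proof synchronization) over the account layout $v_i=(\addr_i\vert\bal_i)$ with 224 address bits and 32 balance bits. It swaps the paper's KZG-based aSVC for the RSA-based Catalano--Fiore vector commitment, which exposes the same additively homomorphic interface (digest update from a per-position update key, proof update, positional verification) and runs without a pairing library; the parameters are deliberately toy (a modulus whose factorisation is public, eight slots, the primes $3,\dots,23$), so the code simulates the arithmetic and provides no security. The transaction tuples, the constructed public keys, the \minttxn shape without an update key, the per-block registration limit and all function names are assumptions of this example. It also exercises the hazard that Step 1 prevents: applying $-v$ with $v$ larger than the balance borrows from the address bits of the slot, so a miner that skips the in-block balance accounting corrupts $\addr_i$, not just $\bal_i$.

```python
# Added example (not the paper's code): a toy stateless ledger over an
# additively homomorphic vector commitment with the paper's interface.  The
# commitment is the Catalano-Fiore RSA VC with TOY parameters, standing in for
# the KZG-based aSVC; it needs Python >= 3.8 (negative modular exponents).
import hashlib
import math

N_SLOTS = 8                                   # n: vector length (toy size)
# Toy RSA modulus from two Mersenne primes: its factorisation is public, so
# this simulates the arithmetic only and offers no security (assumption).
MOD = (2**127 - 1) * (2**89 - 1)
BASE = 5                                      # CF13 generator "a", coprime to MOD
PRIMES = [3, 5, 7, 11, 13, 17, 19, 23]        # public prime e_i for each slot i
ADDR_BITS, BAL_BITS = 224, 32                 # v_i = (addr_i | bal_i), 256 bits

def _prod(skip):                              # product of e_k over all k not in skip
    return math.prod(PRIMES[k] for k in range(N_SLOTS) if k not in skip)

def upk(i):                                   # update key S_i = a^{prod_{k != i} e_k}
    return pow(BASE, _prod((i,)), MOD)

def comm_update(d, delta, i):                 # vccommupdate(d, delta, i, upk_i)
    return d * pow(upk(i), delta, MOD) % MOD  # delta < 0 uses the modular inverse

def proof_update(pi, delta, i, j):            # vcproofupdate: slot j moved by delta
    if i == j:                                # a CF13 proof does not depend on its own slot
        return pi
    return pi * pow(BASE, delta * _prod((i, j)), MOD) % MOD

def verify_pos(d, value, i, pi):              # vcverifypos: d == S_i^value * pi^{e_i}
    return d == pow(upk(i), value, MOD) * pow(pi, PRIMES[i], MOD) % MOD

D0, PI0 = 1, 1                                # genesis digest; everyone's proof of v_i = 0

def address(pk):                              # addr_i = H(PK_i), first 224 bits
    return int.from_bytes(hashlib.sha256(pk).digest(), "big") >> (256 - ADDR_BITS)

def slot(addr, bal):                          # pack (addr | bal) into one vector entry
    assert 0 <= bal < 2**BAL_BITS
    return (addr << BAL_BITS) | bal

def decode_slot(v):
    return v >> BAL_BITS, v & (2**BAL_BITS - 1)

def naive_debit(addr, bal, v):                # what an unchecked -v does to a slot:
    return decode_slot(slot(addr, bal) - v)   # for v > bal the borrow hits the address bits

def apply_block(d_t, cnt, txs):
    """Miner-side Steps 1-2: verify each spend against d_t, track every sender's
    running in-block balance, and fold all updates into the digest.  Returns
    (d_{t+1}, cnt_{t+1}) or raises ValueError.  Coins received in this block
    are not spendable in it, because all proofs are checked against d_t."""
    avail, d = {}, d_t
    for tx in txs:
        if tx[0] == "init":                   # [INIT, PK]: takes the next free index
            if cnt >= N_SLOTS:
                raise ValueError("vector full: no free slot for registration")
            d, cnt = comm_update(d, slot(address(tx[1]), 0), cnt), cnt + 1
        elif tx[0] == "mint":                 # [MINT, i, v]
            d = comm_update(d, tx[2], tx[1])
        elif tx[0] == "spend":                # [SPEND, i, PK_i, j, v, pi_i, v']
            _, i, pk_i, j, v, pi_i, v_prime = tx
            if not 0 < v <= v_prime:
                raise ValueError("need 0 < v <= v'")
            if not verify_pos(d_t, slot(address(pk_i), v_prime), i, pi_i):
                raise ValueError("bad balance proof for sender %d" % i)
            avail.setdefault(i, v_prime)
            if avail[i] < v:                  # two valid proofs, but one balance
                raise ValueError("sender %d overspends within the block" % i)
            avail[i] -= v
            d = comm_update(d, -v, i)         # only the bal bits change
            d = comm_update(d, v, j)
        else:
            raise ValueError("unknown transaction type")
    return d, cnt

def validate_block(d_t, cnt, txs, d_claimed):
    """Accept block t+1 iff replaying it from d_t reproduces the claimed digest."""
    try:
        return apply_block(d_t, cnt, txs)[0] == d_claimed
    except ValueError:
        return False

def sync_proof(pi, i, cnt, txs):
    """User Proof Synchronization: user i replays the block on her own proof,
    needing only the block itself and the registration count."""
    for tx in txs:
        if tx[0] == "init":
            pi, cnt = proof_update(pi, slot(address(tx[1]), 0), i, cnt), cnt + 1
        elif tx[0] == "mint":
            pi = proof_update(pi, tx[2], i, tx[1])
        else:
            _, s, _, r, v, _, _ = tx
            pi = proof_update(proof_update(pi, -v, i, s), v, i, r)
    return pi, cnt
```

To exercise the model, register a few users and mint coins in one block with `apply_block`, let each user derive her proof with `sync_proof`, and build a second block of spends carrying those proofs. A block with two spends from the same sender, each carrying a proof that verifies against $d_t$ but together exceeding $v'$, is rejected by `validate_block`, which is exactly the bookkeeping Step 1 asks for; a user who missed both blocks replays them with `sync_proof` and her proof then verifies against the latest digest. `naive_debit` shows what the digest would encode if a miner applied the second spend anyway.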
187 | 188 | \subsubsection{Overhead of Synchronizing Proofs} 189 | \label{s:stateless-cryptocurrency:proof-serving-nodes} 190 | In a stateless cryptocurrency, users need to keep their proofs updated w.r.t. the latest block. 191 | For example, in our scheme, each user spends $O(b\cdot \Delta{t})$ time updating her proof, if there are $\Delta{t}$ new blocks of $b$ transactions each. 192 | Fortunately, when the underlying VC scheme supports precomputing all $n$ proofs fast~\cite{Tomescu20}, this overhead can be shifted to untrusted third parties called \textit{proof-serving nodes}~\cite{CPZ18}. 193 | Specifically, a proof-serving node would have access to the proving key \prk and periodically compute all proofs for all $n$ users. 194 | Then, any user with an out-of-sync proof could ask a node for their proof and then manually update it, should it be slightly out of date with the latest block. 195 | Proof-serving nodes save users a significant amount of proof update work, which is important for users running on constrained devices such as mobile phones. 196 | -------------------------------------------------------------------------------- /latexpand/latexpand: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | # Inspired by latexpand by D. Musliner, University of Michigan 3 | # 2012-2019: Matthieu Moy 4 | # BSD License 5 | 6 | use strict; 7 | use Cwd; 8 | use Getopt::Long; 9 | use IO::Handle; 10 | use File::Spec; 11 | 12 | my $TEXINPUTS = $ENV{'TEXINPUTS'}; 13 | # By default, search in current directory. We use '.' and not getcwd() 14 | # to avoid issues if the working directory contains a ':' character. 
15 | if (!$TEXINPUTS) { $TEXINPUTS = '.'; } 16 | 17 | my $verbose; 18 | my $keep_comments; 19 | my $keep_includes; 20 | my $empty_comments; 21 | my $help; 22 | my $long_help; 23 | my $output; 24 | my $explain; 25 | my $show_graphics; 26 | my $graphics_extensions = ":.pdf:.png:.jpg:.eps"; 27 | my $expand_usepackage; 28 | my $expand_bbl; 29 | my $biber; 30 | my $fatal; 31 | my $version; 32 | my $makeatletter; 33 | my $inside_import; 34 | my $in_enc = "bytes"; 35 | my $out_enc = "bytes"; 36 | 37 | GetOptions ( 38 | 'h' => \$help, 39 | 'help' => \$long_help, 40 | 'verbose|v' => \$verbose, 41 | 'keep-comments' => \$keep_comments, 42 | 'keep-includes' => \$keep_includes, 43 | 'empty-comments' => \$empty_comments, 44 | 'output|o=s' => \$output, 45 | 'explain' => \$explain, 46 | 'show-graphics' => \$show_graphics, 47 | 'graphics-extensions' => \$graphics_extensions, 48 | 'expand-usepackage' => \$expand_usepackage, 49 | 'expand-bbl=s' => \$expand_bbl, 50 | 'biber=s' => \$biber, 51 | 'fatal' => \$fatal, 52 | 'version' => \$version, 53 | 'makeatletter' => \$makeatletter, 54 | 'in-encoding=s' => \$in_enc, 55 | 'out-encoding=s' => \$out_enc, 56 | ) or pod2usage_wrapper(2); 57 | version() if $version; 58 | pod2usage_wrapper(0) if $help; 59 | pod2usage_wrapper(-exitstatus => 0, -output => \*STDOUT, -verbose => 2) if $long_help; 60 | 61 | sub pod2usage_wrapper 62 | { 63 | # Like pod2usage, but fall back to a simpler implem in case 64 | # pod2usage can't be found. 
65 | if (eval {require Pod::Usage;1;} ne 1) { 66 | print "Please install perldoc and Pod::Usage to get proper help.\n"; 67 | my $started = 0; 68 | open (my $in, '<', "$0") or die $!; 69 | while (<$in>) { 70 | if ($started) { 71 | print; 72 | } 73 | if (/^__END__$/) { 74 | $started = 1; 75 | } 76 | } 77 | } else { 78 | Pod::Usage->import(); 79 | pod2usage(@_); 80 | } 81 | } 82 | 83 | sub get_version 84 | { 85 | # $VERSION's value will be substituted by 'make dist', but the 86 | # next line won't (the string has to be broken to avoid it). 87 | my $VERSION = 'v1.6'; 88 | if ($VERSION eq '@LATEXPAND' . '_VERSION@') { 89 | my($vol,$dir,$file) = File::Spec->splitpath($0); 90 | chdir($dir); 91 | $VERSION = `git describe --tags HEAD 2>/dev/null`; 92 | } 93 | if ($VERSION eq '') { 94 | $VERSION = ''; 95 | } 96 | $VERSION =~ s/^\s+|\s+$//g; 97 | return $VERSION; 98 | } 99 | 100 | sub version 101 | { 102 | print "latexpand version ". get_version() .".\n"; 103 | exit(0); 104 | } 105 | 106 | my $nl = ""; 107 | if ($empty_comments) { 108 | $nl = "%\n"; 109 | } 110 | 111 | if ($output && $output ne "-") { 112 | open (my $OUTPUT, '>', "$output") or die $!; 113 | STDOUT->fdopen(\*$OUTPUT, 'w') or die $!; 114 | } 115 | 116 | sub say 117 | { 118 | if ($verbose) { 119 | print STDERR "$_[0]"; 120 | } 121 | } 122 | 123 | my $makeatletter_found; 124 | my $in_preamble; 125 | 126 | use open IN => ":$in_enc", OUT => ":$out_enc"; 127 | 128 | foreach my $file (@ARGV) 129 | { 130 | say "processing $file\n"; 131 | $makeatletter_found = 0; 132 | $in_preamble = 1; 133 | $inside_import = ""; 134 | process_file($file, " "); 135 | } 136 | 137 | sub cat_file 138 | { 139 | my $file = shift; 140 | open (my $INFILE, "<", $file) || die "could not open input file '$file'\n"; 141 | while (<$INFILE>) { 142 | print; 143 | } 144 | close ($INFILE); 145 | } 146 | 147 | sub process_file 148 | { 149 | my $file = shift; 150 | my $prefix = (shift || ""); 151 | my $in_comment = 0; 152 | open(my $FILE, "<", $file) or 
die "could not open input file '$file'\n"; 153 | my $commented_newline = 0; 154 | while (my $line = <$FILE>) { 155 | if ($line =~ /^[ \t]*\\endinput/) { 156 | $line =~ s/(\\endinput.*)\n/% $1/; 157 | $in_comment = 1; 158 | process_line($line, $prefix, \$commented_newline); 159 | last; 160 | } 161 | process_line($line, $prefix, \$commented_newline, $file); 162 | if ($line =~ /^%.*[^\n]\z/ || $line =~ /[^\\]%.*[^\n]\z/) { 163 | # file ends with a comment not ending with a newline 164 | print "\n"; 165 | } 166 | # Garbage at end of line after \end{document} is 167 | # ignored by LaTeX, but we don't allow anything before 168 | # to avoid e.g. \verb|\end{document}| from terminating 169 | # the file. 170 | if (!$keep_comments && $line =~ /^[ \t]*\\end\{document\}/) { 171 | last; 172 | } 173 | } 174 | close($FILE); 175 | return $in_comment; 176 | } 177 | 178 | sub process_line 179 | { 180 | my ($line, $prefix, $commented_newline, $file) = @_; 181 | $_ = $line; 182 | if ($$commented_newline) { 183 | # Leading whitespaces after a comment is ignored. 184 | # There's no space in: 185 | # Line 1% 186 | # Line 2. 187 | # Match just space and tabs (\s would match \n) 188 | s/^[ \t]*//; 189 | if (/^$/) { 190 | # Deal with: 191 | # 192 | # Line 1 % comment 193 | # 194 | # Line 2 195 | # 196 | # The newline after Line 1 is commented, but we still 197 | # want a new paragraph. We strip the comment together 198 | # with its newline, but re-add a newline to chnge 199 | # paragraph here if needed: 200 | print "\n"; 201 | } 202 | } 203 | $$commented_newline = 0; 204 | # Consider \makeatletter only in preamble, because we do want 205 | # to warn on \someCommand{\makeatletter\command@with@arobase}. 
206 | if ($in_preamble && /^[^%]*\\makeatletter/) { 207 | $makeatletter_found = 1; 208 | } 209 | if ($in_preamble && /^[^%]*\\makeatother/) { 210 | $makeatletter_found = 0; 211 | } 212 | my $command; 213 | if (!$makeatletter && !$makeatletter_found 214 | && (($command) = /^[^%]*(\\[[:alpha:]]*@[[:alpha:]]*)/) 215 | && ($command ne '\@')) { 216 | print STDERR "Warning: command $command containing @ found in\n"; 217 | print STDERR "Warning: $file.\n"; 218 | print STDERR "Warning: consider using --makeatletter if the result is not compilable.\n"; 219 | } 220 | 221 | # non-comment is a sequence of: 222 | # - escaped character (\\.), including \% and \\ 223 | # - neither '%' nor '\'. 224 | my $NON_COMMENT = '([^\\\\%]|\\\\.)*'; 225 | 226 | unless ($keep_comments) { 227 | if (!$empty_comments) { 228 | # Include \n in pattern to avoid matching 229 | # comments at end of files 230 | 231 | # remove comments + whitespace-only lines completely 232 | if (s/^\s*%.*\n//) { 233 | $$commented_newline = 1; 234 | } 235 | 236 | # Special-case commands at end of line. We 237 | # don't want "\\foo%\nbar" to become 238 | # "\\foobar" 239 | if (s/^($NON_COMMENT\\[[:alpha:]@]+)%.*\n/$1 /) { 240 | $$commented_newline = 1; 241 | } elsif (s/^($NON_COMMENT)%.*\n/$1/) { 242 | # remove only the comment if the line has actual content 243 | $$commented_newline = 1; 244 | } 245 | } 246 | # Apply the "empty comments" treatment unconditionally 247 | # for comments not matched above (it doesn't harm to 248 | # keep an empty comment sometimes, but it may harm to 249 | # leave a real comment if the goal was to strip them). 
250 | s/^(([^\\%]|\\.)*)%.*$/$1%/; 251 | } 252 | 253 | unless ($keep_includes) { 254 | # \input{foo.tex} 255 | my $ARGBRACES = '\{\\s*([^"}\\s][^}]*)(\\s*)\}'; 256 | # \input{"foo bar.tex"} 257 | my $ARGQUOTED = '\{\\s*"([^"]*)"(\\s*)\}'; 258 | # \input foo.tex 259 | my $ARGSPACES = '\\s([^\{\\s][^\\s]+?)\\s()'; 260 | my $ARGUMENT = "\\s*?(?|$ARGBRACES|$ARGQUOTED|$ARGSPACES)"; 261 | 262 | if (my ($before, $ignored, $full_filename, $trailing, $after) 263 | = /^($NON_COMMENT)\\include$ARGUMENT(.*)$/) { 264 | $full_filename = find_tex_file($full_filename . ".tex"); 265 | if ($full_filename) { 266 | say $prefix . "Found include for file: $full_filename\n"; 267 | print $before . $nl; 268 | print '\clearpage{}' . $nl; 269 | print "% start include $full_filename\n" if ($explain); 270 | my $in_comment = process_file($full_filename, $prefix . " "); 271 | if ($explain) { 272 | print " % end include $full_filename\n"; 273 | } elsif ($in_comment) { 274 | print "\n"; 275 | } 276 | print '\clearpage{}' . $nl; 277 | print $nl . $after . "\n"; 278 | $_ = ""; 279 | } 280 | } elsif (my ($before, $ignored, $full_filename, $trailing, $after) 281 | = /^($NON_COMMENT)\\input$ARGUMENT(.*)$/) { 282 | if ($inside_import) { 283 | $full_filename = $inside_import . $full_filename; 284 | } 285 | $full_filename = find_tex_file($full_filename, ":.tex"); 286 | if ($full_filename) { 287 | say $prefix . "Found input for file: $full_filename\n"; 288 | # Surprisingly, space after filename 289 | # in \input{foo.tex } is inserted 290 | # _before_ the inclusion. Apply this 291 | # rule in latexpand. 292 | print $before . $trailing . $nl; 293 | print "% start input $full_filename\n" if ($explain); 294 | my $in_comment = process_file($full_filename, $prefix . " "); 295 | if ($explain) { 296 | print " % end input $full_filename\n"; 297 | } elsif ($in_comment) { 298 | print "\n"; 299 | } 300 | if ($after =~ /[^\s]/) { 301 | # LaTeX produces this space, so let's do it also 302 | print " " . $nl . $after . 
"\n"; 303 | } else { 304 | print " "; 305 | } 306 | $_ = ""; 307 | } 308 | } elsif (my ($before, $ignored, $dir, $ignored, $full_filename, $ignored, $after) 309 | = /^($NON_COMMENT)\\(?:sub)?import$ARGUMENT$ARGUMENT(.*)$/) { 310 | if ($explain) { 311 | print "% dir " . $dir ."\n"; 312 | print "% full_filename " . $full_filename ."\n"; 313 | print "% after " . $after ."\n"; 314 | print "% inside_import $inside_import\n"; 315 | } 316 | $full_filename = $dir . $full_filename; 317 | if ($inside_import) { 318 | $full_filename = $inside_import . $full_filename; 319 | } 320 | print "% cat(inside_import,dir,full_filename) " . $full_filename ."\n" if ($explain); 321 | $full_filename = find_tex_file($full_filename, ":.tex"); 322 | if ($full_filename) { 323 | say $prefix . "Found input for file: $full_filename\n"; 324 | print $before . $nl; 325 | print "% start input $full_filename\n" if ($explain); 326 | my $previous_import_dir = $inside_import; 327 | $inside_import = $inside_import . $dir; 328 | my $in_comment = process_file($full_filename, $prefix . " "); 329 | $inside_import = $previous_import_dir; 330 | if ($explain) { 331 | print " % end input $full_filename\n"; 332 | } elsif ($in_comment) { 333 | print "\n"; 334 | } 335 | if ($after =~ /[^\s]/) { 336 | # LaTeX produces this space, so let's do it also 337 | print " " . $nl . $after . "\n"; 338 | } else { 339 | print " "; 340 | } 341 | $_ = ""; 342 | } 343 | } elsif (my ($before, $ignored, $args, $full_filename, $ignored, $after) 344 | = /^($NON_COMMENT)\\includegraphics[\[\s]+(.*?)[\s\]]$ARGUMENT(.*)$/) { 345 | if ($explain) { 346 | print "% inside_import " . $inside_import ."\n"; 347 | print "% before " . $before ."\n"; 348 | print "% ignored " . $ignored ."\n"; 349 | print "% args " . $args ."\n"; 350 | print "% full_filename " . $full_filename ."\n"; 351 | print "% after " . $after ."\n"; 352 | } 353 | if ($inside_import) { 354 | $full_filename = $inside_import . 
$full_filename; 355 | print "$before\\includegraphics[$args]{$full_filename}$after\n"; 356 | $_ = ""; 357 | } 358 | } elsif (my ($before, $ignored, $args, $full_filename, $ignored, $after) 359 | = /^($NON_COMMENT)\\lstinputlisting[\[\s]+(.*?)[\s\]]$ARGUMENT(.*)$/) { 360 | if ($explain) { 361 | print "% inside_import " . $inside_import ."\n"; 362 | print "% before " . $before ."\n"; 363 | print "% ignored " . $ignored ."\n"; 364 | print "% args " . $args ."\n"; 365 | print "% full_filename " . $full_filename ."\n"; 366 | print "% after " . $after ."\n"; 367 | } 368 | if ($inside_import) { 369 | $full_filename = $inside_import . $full_filename; 370 | print "$before\\lstinputlisting[$args]{$full_filename}$after\n"; 371 | $_ = ""; 372 | } 373 | } 374 | } 375 | if ($expand_usepackage) { 376 | # Don't bother with before and after text, we just require the 377 | # usepackage to be alone on its line. 378 | if (my ($package_name) = /^\s*\\usepackage\{([^\}]*)\}\s*(%.*)?$/) { 379 | my $full = find_file($package_name . ".sty", $TEXINPUTS); 380 | if ($full) { 381 | say $prefix . "Found package file: $full\n"; 382 | process_file($full, $prefix . " "); 383 | $_ = ""; 384 | # Forget about any commented newline 385 | # before the \usepackage: 386 | $$commented_newline = 0; 387 | } else { 388 | say $prefix . "Not including external package $package_name\n"; 389 | } 390 | } 391 | } 392 | if ($expand_bbl) { 393 | if (my ($before, $bib_name, $after) 394 | = /^(.*)\\(?:bibliography|bibselect)\{([^\}]*)\}(.*)$/) { 395 | # The BBL file is not necessarily $bib_name. 396 | # Take it from the command-line. 397 | print $before . $nl; 398 | say $prefix . "Expanding BBL file: $expand_bbl\n"; 399 | process_file($expand_bbl, $prefix . " "); 400 | print " " . $nl . $after . 
"\n"; 401 | $_ = ""; 402 | } 403 | } 404 | if ($biber) { 405 | if (my ($before, $after) 406 | = /^(.*)\\(?:addbibresource)\{[^\}]*\}(.*)$/) { 407 | # See https://tex.stackexchange.com/questions/166518/biblatex-include-bbl-problem-with-verb-field/166526#166526 408 | my $biber_noext = $biber; 409 | $biber_noext =~ s/.bbl//; 410 | print $before . $nl; 411 | say $prefix . "Expanding Biber BBL file: $biber\n"; 412 | print '\begin{filecontents*}{' . $biber . '}' . "\n"; 413 | cat_file($biber); 414 | print "\n"; 415 | print '\end{filecontents*} 416 | 417 | \usepackage{xpatch} 418 | 419 | %Patch the biblatex input command. 420 | %replace "testinput-bbl" if you change the name above. 421 | %disable if you want to run biblatex/biber normally 422 | \makeatletter 423 | \patchcmd\blx@bblinput{\blx@blxinit} 424 | {\blx@blxinit 425 | \def\jobname{' . $biber_noext . '}%new jobname 426 | }{}{\fail} 427 | \makeatother 428 | '; 429 | say $prefix . "End expansion of Biber BBL file: $biber\n"; 430 | print " " . $nl . $after . "\n"; 431 | $_ = ""; 432 | } 433 | } 434 | if ($show_graphics) { 435 | if (/\\includegraphics(\[[^\]]*\])?{([^}]*)}/) { 436 | my $full_filename = $2; 437 | if ($inside_import) { 438 | $full_filename = $inside_import . $full_filename; 439 | } 440 | my $full = find_tex_file($full_filename, $graphics_extensions); 441 | say $prefix . "needs graphics file: "; 442 | print STDERR "$full\n"; 443 | } 444 | } 445 | if (/^[ \t]*\\begin\{document\}/) { 446 | $in_preamble = 0; 447 | if ($makeatletter) { 448 | print '\makeatletter' . $nl; 449 | } 450 | } 451 | print; 452 | } 453 | 454 | sub unquote 455 | { 456 | my $str = shift; 457 | my $x = substr($str, 0, 1); 458 | my $y = substr($str, -1, 1); 459 | if ($x eq $y && ($x eq '"' || $x eq "'")) { 460 | $str = substr($str, 1, -1); 461 | } 462 | # There's a weird LaTeX syntax: \include{"file\space 463 | # with\space spaces"}, so remove these \space when unquoting. 
464 | $str =~ s/\\space / /g; 465 | return $str; 466 | } 467 | 468 | # search $1 in $TEXINPUTS, with possible extensions in $2 469 | sub find_tex_file 470 | { 471 | my $file = unquote(shift); 472 | my $extensions = (shift || ":"); 473 | foreach my $ext (split(':', $extensions, -1)) { 474 | my $full = find_file_global($file . $ext); 475 | if ($full) { 476 | return $full; 477 | } 478 | } 479 | if ($fatal) { 480 | die "ERROR: Could not find file [$file]\n"; 481 | } else { 482 | print STDERR "Warning: Could not find file [$file]\n"; 483 | return; 484 | } 485 | } 486 | 487 | sub find_file_global 488 | { 489 | my $file = shift; 490 | if (open(my $fh, "-|", "kpsewhich", $file)) { 491 | my $full = <$fh>; 492 | $full =~ s/\s+$//; 493 | close($fh); 494 | if ($full) { 495 | return $full; 496 | } 497 | } 498 | # Should be useless, but fall-back in case kpsewhich fails (or is not installed, or ...): 499 | return find_file($file, $TEXINPUTS); 500 | } 501 | 502 | # Find files, not searching for global files (to allow not expanding global .sty packages) 503 | sub find_file 504 | { 505 | my ($file, $path) = @_; 506 | if (File::Spec->file_name_is_absolute($file)) { 507 | if (-e "$file" && ! -d "$file") { 508 | return $file; 509 | } else { 510 | return; 511 | } 512 | } 513 | 514 | # TEXINPUTS=...: (trailing :) means "append default search 515 | # directories". We don't want global directories here, but 516 | # still add . that may be needed. 517 | if (substr($path, -1) eq ':') { 518 | $path .= '.'; 519 | } 520 | foreach my $dir (split(':', $path)) { 521 | if (-e "$dir/$file" && ! -d "$dir/$file") { 522 | return("$dir/$file"); 523 | } 524 | } 525 | return; 526 | } 527 | 528 | 529 | __END__ 530 | 531 | =head1 NAME 532 | 533 | latexpand - Flatten LaTeX file by expanding \include and \input, ... and remove comments 534 | 535 | =head1 SYNOPSIS 536 | 537 | latexpand [options] FILE... 

=head2 Options:

    --verbose        show what's going on
    --keep-comments  don't strip comments (comments are lines
                     starting with %, and anything below
                     \end{document})
    --empty-comments keep empty comments (i.e. % at end of lines) for clarity
    --keep-includes  don't expand \input and \include directives
    --expand-usepackage
                     Expand \usepackage{...} directives if the
                     corresponding .sty file is found in
                     $TEXINPUTS (or the current directory if
                     $TEXINPUTS is not set)
    --expand-bbl FILE
                     Expand the bibliography by inlining FILE
                     (should be a *.bbl file)
    --biber FILE     Include \bibliography{} with FILE's content,
                     as needed by biblatex with the biber backend.
                     (similar to --expand-bbl FILE, but for
                     biber+biblatex).
    --help           this help message
    --output <file>, -o <file>
                     generate output in <file>
    --explain        generate explanatory comments in output
    --show-graphics  show included graphics
    --graphics_extensions
                     colon-separated list of possible graphics extensions
                     (used by --show-graphics to find the actual graphics files)
    --fatal          Die in case a file can't be found.
    --makeatletter   Insert a \makeatletter in the preamble. In some
                     rare cases it may break your document, but it
                     may help fixing bad interactions between
                     @-commands and inclusion (see BUGS section).
    --in-encoding FMT, --out-encoding FMT
                     File encoding used by input and output files.
                     This uses the same syntax as PerlIO's layers.
                     Example:
                       --in-encoding 'encoding(UTF-8)'
                     The default is 'bytes' and should always work.

=head1 USES

The most common use of latexpand is to simplify distribution of source
LaTeX files, typically to satisfy the requirement of editors and
archival sites (springer, arXiv.org, ...) who force the authors to
submit sources. One does not necessarily want to submit sources with
comments, and uploading a document made of several files including
each other is a bit painful. By default, latexpand answers both
problems by outputting a single LaTeX file that contains no comments.

=head1 GETTING LATEXPAND

The latest version of latexpand is available here:

  https://gitlab.com/latexpand/latexpand

Versions are uploaded to ctan.org from time to time:

  http://www.ctan.org/pkg/latexpand

=head1 BUGS

Please, report bugs on the issue tracker on the project site:

  https://gitlab.com/latexpand/latexpand/issues

=head2 Known bugs

=head3 Verbatim

latexpand currently ignores \begin{verbatim} ... \end{verbatim}, and
will therefore process any \include, \input, ... directives that
appear within verbatim environments (while it shouldn't).

LaTeX comments inside verbatim environments are also incorrectly
stripped. You can use --keep-comments as a workaround to avoid this.

=head3 Comment environment

It would be nice to remove code between \begin{comment} and
\end{comment} too if \usepackage{comment} is used.

Code like

  foo%
  \begin{comment}

will produce the incorrect

  foo\begin{comment}

A workaround is to use --empty-comments when such tricky usage of the
comments package is done.

=head3 \makeatletter and use with transfig/xfig with \scalebox{}

If \input{} or \include{} appears as argument to a command, and the
file included contains \makeatletter, then after expansion, the
\makeatletter and the @-command appear as argument to the command,
which is forbidden because the argument is parsed (and the @-command
badly tokenized) before being executed.

This happens with

  \scalebox{ \input{file-generated-by-xfig.pdf_t} }

Workaround: add \makeatletter before the scalebox manually in your
code, like

  \makeatletter{}
  \scalebox{ \input{file-generated-by-xfig.pdf_t} }
  \makeatother{}

In the case of xfig generated files, it is necessary only for the
first occurrence.

A more brute-force workaround is to use latexpand --makeatletter.

=head1 SEE ALSO

Instructions to include only the relevant .bib items (French):

  https://lacl.fr/~caubert/notes/portabilite-du-tex.html#dependances

=head1 VERSION

This is latexpand version v1.6.

-------------------------------------------------------------------------------- /splncs.bst: -------------------------------------------------------------------------------- 1 | % BibTeX bibliography style `splncs' 2 | 3 | % An attempt to match the bibliography style required for use with 4 | % numbered references in Springer Verlag's "Lecture Notes in Computer 5 | % Science" series. (See Springer's documentation for llncs.sty for 6 | % more details of the suggested reference format.) Note that this 7 | % file will not work for author-year style citations. 8 | 9 | % Use \documentclass{llncs} and \bibliographystyle{splncs}, and cite 10 | % a reference with (e.g.) \cite{smith77} to get a "[1]" in the text. 11 | 12 | % Copyright (C) 1999 Jason Noble.
13 | % Last updated: Friday 07 March 2006, 08:04:42 Frank Holzwarth, Springer 14 | % 15 | % Based on the BibTeX standard bibliography style `unsrt' 16 | 17 | ENTRY 18 | { address 19 | author 20 | booktitle 21 | chapter 22 | edition 23 | editor 24 | howpublished 25 | institution 26 | journal 27 | key 28 | month 29 | note 30 | number 31 | organization 32 | pages 33 | publisher 34 | school 35 | series 36 | title 37 | type 38 | volume 39 | year 40 | } 41 | {} 42 | { label } 43 | 44 | INTEGERS { output.state before.all mid.sentence after.sentence 45 | after.block after.authors between.elements} 46 | 47 | FUNCTION {init.state.consts} 48 | { #0 'before.all := 49 | #1 'mid.sentence := 50 | #2 'after.sentence := 51 | #3 'after.block := 52 | #4 'after.authors := 53 | #5 'between.elements := 54 | } 55 | 56 | STRINGS { s t } 57 | 58 | FUNCTION {output.nonnull} 59 | { 's := 60 | output.state mid.sentence = 61 | { " " * write$ } 62 | { output.state after.block = 63 | { add.period$ write$ 64 | newline$ 65 | "\newblock " write$ 66 | } 67 | { 68 | output.state after.authors = 69 | { ": " * write$ 70 | newline$ 71 | "\newblock " write$ 72 | } 73 | { output.state between.elements = 74 | { ", " * write$ } 75 | { output.state before.all = 76 | 'write$ 77 | { add.period$ " " * write$ } 78 | if$ 79 | } 80 | if$ 81 | } 82 | if$ 83 | } 84 | if$ 85 | mid.sentence 'output.state := 86 | } 87 | if$ 88 | s 89 | } 90 | 91 | FUNCTION {output} 92 | { duplicate$ empty$ 93 | 'pop$ 94 | 'output.nonnull 95 | if$ 96 | } 97 | 98 | FUNCTION {output.check} 99 | { 't := 100 | duplicate$ empty$ 101 | { pop$ "empty " t * " in " * cite$ * warning$ } 102 | 'output.nonnull 103 | if$ 104 | } 105 | 106 | FUNCTION {output.bibitem} 107 | { newline$ 108 | "\bibitem{" write$ 109 | cite$ write$ 110 | "}" write$ 111 | newline$ 112 | "" 113 | before.all 'output.state := 114 | } 115 | 116 | FUNCTION {fin.entry} 117 | { write$ 118 | newline$ 119 | } 120 | 121 | FUNCTION {new.block} 122 | { output.state before.all = 123 | 
'skip$ 124 | { after.block 'output.state := } 125 | if$ 126 | } 127 | 128 | FUNCTION {stupid.colon} 129 | { after.authors 'output.state := } 130 | 131 | FUNCTION {insert.comma} 132 | { output.state before.all = 133 | 'skip$ 134 | { between.elements 'output.state := } 135 | if$ 136 | } 137 | 138 | FUNCTION {new.sentence} 139 | { output.state after.block = 140 | 'skip$ 141 | { output.state before.all = 142 | 'skip$ 143 | { after.sentence 'output.state := } 144 | if$ 145 | } 146 | if$ 147 | } 148 | 149 | FUNCTION {not} 150 | { { #0 } 151 | { #1 } 152 | if$ 153 | } 154 | 155 | FUNCTION {and} 156 | { 'skip$ 157 | { pop$ #0 } 158 | if$ 159 | } 160 | 161 | FUNCTION {or} 162 | { { pop$ #1 } 163 | 'skip$ 164 | if$ 165 | } 166 | 167 | FUNCTION {new.block.checka} 168 | { empty$ 169 | 'skip$ 170 | 'new.block 171 | if$ 172 | } 173 | 174 | FUNCTION {new.block.checkb} 175 | { empty$ 176 | swap$ empty$ 177 | and 178 | 'skip$ 179 | 'new.block 180 | if$ 181 | } 182 | 183 | FUNCTION {new.sentence.checka} 184 | { empty$ 185 | 'skip$ 186 | 'new.sentence 187 | if$ 188 | } 189 | 190 | FUNCTION {new.sentence.checkb} 191 | { empty$ 192 | swap$ empty$ 193 | and 194 | 'skip$ 195 | 'new.sentence 196 | if$ 197 | } 198 | 199 | FUNCTION {field.or.null} 200 | { duplicate$ empty$ 201 | { pop$ "" } 202 | 'skip$ 203 | if$ 204 | } 205 | 206 | FUNCTION {emphasize} 207 | { duplicate$ empty$ 208 | { pop$ "" } 209 | { "" swap$ * "" * } 210 | if$ 211 | } 212 | 213 | FUNCTION {bold} 214 | { duplicate$ empty$ 215 | { pop$ "" } 216 | { "\textbf{" swap$ * "}" * } 217 | if$ 218 | } 219 | 220 | FUNCTION {parens} 221 | { duplicate$ empty$ 222 | { pop$ "" } 223 | { "(" swap$ * ")" * } 224 | if$ 225 | } 226 | 227 | INTEGERS { nameptr namesleft numnames } 228 | 229 | FUNCTION {format.springer.names} 230 | { 's := 231 | #1 'nameptr := 232 | s num.names$ 'numnames := 233 | numnames 'namesleft := 234 | { namesleft #0 > } 235 | { s nameptr "{vv~}{ll}{, jj}{, f{.}.}" format.name$ 't := 236 | nameptr #1 > 237 | { 
namesleft #1 > 238 | { ", " * t * } 239 | { numnames #1 > 240 | { ", " * } 241 | 'skip$ 242 | if$ 243 | t "others" = 244 | { " et~al." * } 245 | { "" * t * } 246 | if$ 247 | } 248 | if$ 249 | } 250 | 't 251 | if$ 252 | nameptr #1 + 'nameptr := 253 | namesleft #1 - 'namesleft := 254 | } 255 | while$ 256 | } 257 | 258 | FUNCTION {format.names} 259 | { 's := 260 | #1 'nameptr := 261 | s num.names$ 'numnames := 262 | numnames 'namesleft := 263 | { namesleft #0 > } 264 | { s nameptr "{vv~}{ll}{, jj}{, f.}" format.name$ 't := 265 | nameptr #1 > 266 | { namesleft #1 > 267 | { ", " * t * } 268 | { numnames #2 > 269 | { "," * } 270 | 'skip$ 271 | if$ 272 | t "others" = 273 | { " et~al." * } 274 | { " \& " * t * } 275 | if$ 276 | } 277 | if$ 278 | } 279 | 't 280 | if$ 281 | nameptr #1 + 'nameptr := 282 | namesleft #1 - 'namesleft := 283 | } 284 | while$ 285 | } 286 | 287 | FUNCTION {format.authors} 288 | { author empty$ 289 | { "" } 290 | { author format.springer.names } 291 | if$ 292 | } 293 | 294 | FUNCTION {format.editors} 295 | { editor empty$ 296 | { "" } 297 | { editor format.springer.names 298 | editor num.names$ #1 > 299 | { ", eds." * } 300 | { ", ed." 
* } 301 | if$ 302 | } 303 | if$ 304 | } 305 | 306 | FUNCTION {format.title} 307 | { title empty$ 308 | { "" } 309 | { title "t" change.case$ } 310 | if$ 311 | } 312 | 313 | FUNCTION {n.dashify} 314 | { 't := 315 | "" 316 | { t empty$ not } 317 | { t #1 #1 substring$ "-" = 318 | { t #1 #2 substring$ "--" = not 319 | { "--" * 320 | t #2 global.max$ substring$ 't := 321 | } 322 | { { t #1 #1 substring$ "-" = } 323 | { "-" * 324 | t #2 global.max$ substring$ 't := 325 | } 326 | while$ 327 | } 328 | if$ 329 | } 330 | { t #1 #1 substring$ * 331 | t #2 global.max$ substring$ 't := 332 | } 333 | if$ 334 | } 335 | while$ 336 | } 337 | 338 | FUNCTION {format.date} 339 | { year empty$ 340 | { month empty$ 341 | { "" } 342 | { "there's a month but no year in " cite$ * warning$ 343 | month 344 | } 345 | if$ 346 | } 347 | { month empty$ 348 | 'year 349 | { month " " * year * } 350 | if$ 351 | } 352 | if$ 353 | } 354 | 355 | FUNCTION {format.btitle} 356 | { title emphasize 357 | } 358 | 359 | FUNCTION {tie.or.space.connect} 360 | { duplicate$ text.length$ #3 < 361 | { "~" } 362 | { " " } 363 | if$ 364 | swap$ * * 365 | } 366 | 367 | FUNCTION {either.or.check} 368 | { empty$ 369 | 'pop$ 370 | { "can't use both " swap$ * " fields in " * cite$ * warning$ } 371 | if$ 372 | } 373 | 374 | FUNCTION {format.bvolume} 375 | { volume empty$ 376 | { "" } 377 | { "Volume" volume tie.or.space.connect 378 | series empty$ 379 | 'skip$ 380 | { " of " * series emphasize * } 381 | if$ 382 | add.period$ 383 | "volume and number" number either.or.check 384 | } 385 | if$ 386 | } 387 | 388 | FUNCTION {format.number.series} 389 | { volume empty$ 390 | { number empty$ 391 | { series field.or.null } 392 | { output.state mid.sentence = 393 | { "number" } 394 | { "Number" } 395 | if$ 396 | number tie.or.space.connect 397 | series empty$ 398 | { "there's a number but no series in " cite$ * warning$ } 399 | { " in " * series * } 400 | if$ 401 | } 402 | if$ 403 | } 404 | { "" } 405 | if$ 406 | } 407 | 408 | 
FUNCTION {format.edition} 409 | { edition empty$ 410 | { "" } 411 | { output.state mid.sentence = 412 | { edition "l" change.case$ " edn." * } 413 | { edition "t" change.case$ " edn." * } 414 | if$ 415 | } 416 | if$ 417 | } 418 | 419 | INTEGERS { multiresult } 420 | 421 | FUNCTION {multi.page.check} 422 | { 't := 423 | #0 'multiresult := 424 | { multiresult not 425 | t empty$ not 426 | and 427 | } 428 | { t #1 #1 substring$ 429 | duplicate$ "-" = 430 | swap$ duplicate$ "," = 431 | swap$ "+" = 432 | or or 433 | { #1 'multiresult := } 434 | { t #2 global.max$ substring$ 't := } 435 | if$ 436 | } 437 | while$ 438 | multiresult 439 | } 440 | 441 | FUNCTION {format.pages} 442 | { pages empty$ 443 | { "" } 444 | { pages multi.page.check 445 | { "" pages n.dashify tie.or.space.connect } 446 | { "" pages tie.or.space.connect } 447 | if$ 448 | } 449 | if$ 450 | } 451 | 452 | FUNCTION {format.vol} 453 | { volume bold 454 | } 455 | 456 | FUNCTION {format.vol.num} 457 | { volume bold 458 | number empty$ 459 | { } 460 | { number "(" swap$ * * ")" * } 461 | if$ 462 | } 463 | 464 | FUNCTION {pre.format.pages} 465 | { pages empty$ 466 | 'skip$ 467 | { duplicate$ empty$ 468 | { pop$ format.pages } 469 | { " " * pages n.dashify * } 470 | if$ 471 | } 472 | if$ 473 | } 474 | 475 | FUNCTION {format.chapter.pages} 476 | { chapter empty$ 477 | 'format.pages 478 | { type empty$ 479 | { "chapter" } 480 | { type "l" change.case$ } 481 | if$ 482 | chapter tie.or.space.connect 483 | pages empty$ 484 | 'skip$ 485 | { " " * format.pages * } 486 | if$ 487 | } 488 | if$ 489 | } 490 | 491 | FUNCTION {format.in.ed.booktitle} 492 | { booktitle empty$ 493 | { "" } 494 | { editor empty$ 495 | { "In: " booktitle emphasize * } 496 | { "In " format.editors * ": " * booktitle emphasize * } 497 | if$ 498 | } 499 | if$ 500 | } 501 | 502 | FUNCTION {empty.misc.check} 503 | { author empty$ title empty$ howpublished empty$ 504 | month empty$ year empty$ note empty$ 505 | and and and and and 506 | { "all 
relevant fields are empty in " cite$ * warning$ } 507 | 'skip$ 508 | if$ 509 | } 510 | 511 | FUNCTION {format.thesis.type} 512 | { type empty$ 513 | 'skip$ 514 | { pop$ 515 | type "t" change.case$ 516 | } 517 | if$ 518 | } 519 | 520 | FUNCTION {format.tr.number} 521 | { type empty$ 522 | { "Technical Report" } 523 | 'type 524 | if$ 525 | number empty$ 526 | { "t" change.case$ } 527 | { number tie.or.space.connect } 528 | if$ 529 | } 530 | 531 | FUNCTION {format.article.crossref} 532 | { key empty$ 533 | { journal empty$ 534 | { "need key or journal for " cite$ * " to crossref " * crossref * 535 | warning$ 536 | "" 537 | } 538 | { "In {\em " journal * "\/}" * } 539 | if$ 540 | } 541 | { "In " key * } 542 | if$ 543 | " \cite{" * crossref * "}" * 544 | } 545 | 546 | FUNCTION {format.crossref.editor} 547 | { editor #1 "{vv~}{ll}" format.name$ 548 | editor num.names$ duplicate$ 549 | #2 > 550 | { pop$ " et~al." * } 551 | { #2 < 552 | 'skip$ 553 | { editor #2 "{ff }{vv }{ll}{ jj}" format.name$ "others" = 554 | { " et~al." 
* } 555 | { " and " * editor #2 "{vv~}{ll}" format.name$ * } 556 | if$ 557 | } 558 | if$ 559 | } 560 | if$ 561 | } 562 | 563 | FUNCTION {format.book.crossref} 564 | { volume empty$ 565 | { "empty volume in " cite$ * "'s crossref of " * crossref * warning$ 566 | "In " 567 | } 568 | { "Volume" volume tie.or.space.connect 569 | " of " * 570 | } 571 | if$ 572 | " \cite{" * crossref * "}" * 573 | } 574 | 575 | FUNCTION {format.incoll.inproc.crossref} 576 | { editor empty$ 577 | editor field.or.null author field.or.null = 578 | or 579 | { key empty$ 580 | { booktitle empty$ 581 | { "need editor, key, or booktitle for " cite$ * " to crossref " * 582 | crossref * warning$ 583 | "" 584 | } 585 | { "" } 586 | if$ 587 | } 588 | { "" } 589 | if$ 590 | } 591 | { "" } 592 | if$ 593 | " \cite{" * crossref * "}" * 594 | } 595 | 596 | FUNCTION {and.the.note} 597 | { note output 598 | note empty$ 599 | 'skip$ 600 | { add.period$ } 601 | if$ 602 | } 603 | 604 | FUNCTION {article} 605 | { output.bibitem 606 | format.authors "author" output.check 607 | stupid.colon 608 | format.title "title" output.check 609 | new.block 610 | crossref missing$ 611 | { journal emphasize "journal" output.check 612 | format.vol.num output 613 | format.date parens output 614 | format.pages output 615 | } 616 | { format.article.crossref output.nonnull 617 | format.pages output 618 | } 619 | if$ 620 | and.the.note 621 | fin.entry 622 | } 623 | 624 | FUNCTION {book} 625 | { output.bibitem 626 | author empty$ 627 | { format.editors "author and editor" output.check } 628 | { format.authors output.nonnull 629 | crossref missing$ 630 | { "author and editor" editor either.or.check } 631 | 'skip$ 632 | if$ 633 | } 634 | if$ 635 | stupid.colon 636 | format.btitle "title" output.check 637 | new.sentence 638 | crossref missing$ 639 | { format.edition output 640 | format.bvolume output 641 | new.block 642 | format.number.series output 643 | new.sentence 644 | publisher "publisher" output.check 645 | address empty$ 646 
| 'skip$ 647 | { insert.comma } 648 | if$ 649 | address output 650 | format.date parens output 651 | } 652 | { format.book.crossref output.nonnull 653 | } 654 | if$ 655 | and.the.note 656 | fin.entry 657 | } 658 | 659 | FUNCTION {booklet} 660 | { output.bibitem 661 | format.authors output 662 | stupid.colon 663 | format.title "title" output.check 664 | howpublished address new.block.checkb 665 | howpublished output 666 | address empty$ 667 | 'skip$ 668 | { insert.comma } 669 | if$ 670 | address output 671 | format.date parens output 672 | and.the.note 673 | fin.entry 674 | } 675 | 676 | FUNCTION {inbook} 677 | { output.bibitem 678 | author empty$ 679 | { format.editors "author and editor" output.check } 680 | { format.authors output.nonnull 681 | crossref missing$ 682 | { "author and editor" editor either.or.check } 683 | 'skip$ 684 | if$ 685 | } 686 | if$ 687 | stupid.colon 688 | crossref missing$ 689 | { chapter output 690 | new.block 691 | format.number.series output 692 | new.sentence 693 | "In:" output 694 | format.btitle "title" output.check 695 | new.sentence 696 | format.edition output 697 | format.bvolume output 698 | publisher "publisher" output.check 699 | address empty$ 700 | 'skip$ 701 | { insert.comma } 702 | if$ 703 | address output 704 | format.date parens output 705 | } 706 | { chapter output 707 | new.block 708 | format.incoll.inproc.crossref output.nonnull 709 | } 710 | if$ 711 | format.pages output 712 | and.the.note 713 | fin.entry 714 | } 715 | 716 | FUNCTION {incollection} 717 | { output.bibitem 718 | format.authors "author" output.check 719 | stupid.colon 720 | format.title "title" output.check 721 | new.block 722 | crossref missing$ 723 | { format.in.ed.booktitle "booktitle" output.check 724 | new.sentence 725 | format.bvolume output 726 | format.number.series output 727 | new.block 728 | format.edition output 729 | publisher "publisher" output.check 730 | address empty$ 731 | 'skip$ 732 | { insert.comma } 733 | if$ 734 | address output 735 
| format.date parens output 736 | format.pages output 737 | } 738 | { format.incoll.inproc.crossref output.nonnull 739 | format.chapter.pages output 740 | } 741 | if$ 742 | and.the.note 743 | fin.entry 744 | } 745 | 746 | FUNCTION {inproceedings} 747 | { output.bibitem 748 | format.authors "author" output.check 749 | stupid.colon 750 | format.title "title" output.check 751 | new.block 752 | crossref missing$ 753 | { format.in.ed.booktitle "booktitle" output.check 754 | new.sentence 755 | format.bvolume output 756 | format.number.series output 757 | address empty$ 758 | { organization publisher new.sentence.checkb 759 | organization empty$ 760 | 'skip$ 761 | { insert.comma } 762 | if$ 763 | organization output 764 | publisher empty$ 765 | 'skip$ 766 | { insert.comma } 767 | if$ 768 | publisher output 769 | format.date parens output 770 | } 771 | { insert.comma 772 | address output.nonnull 773 | organization empty$ 774 | 'skip$ 775 | { insert.comma } 776 | if$ 777 | organization output 778 | publisher empty$ 779 | 'skip$ 780 | { insert.comma } 781 | if$ 782 | publisher output 783 | format.date parens output 784 | } 785 | if$ 786 | } 787 | { format.incoll.inproc.crossref output.nonnull 788 | } 789 | if$ 790 | format.pages output 791 | and.the.note 792 | fin.entry 793 | } 794 | 795 | FUNCTION {conference} { inproceedings } 796 | 797 | FUNCTION {manual} 798 | { output.bibitem 799 | author empty$ 800 | { organization empty$ 801 | 'skip$ 802 | { organization output.nonnull 803 | address output 804 | } 805 | if$ 806 | } 807 | { format.authors output.nonnull } 808 | if$ 809 | stupid.colon 810 | format.btitle "title" output.check 811 | author empty$ 812 | { organization empty$ 813 | { address new.block.checka 814 | address output 815 | } 816 | 'skip$ 817 | if$ 818 | } 819 | { organization address new.block.checkb 820 | organization output 821 | address empty$ 822 | 'skip$ 823 | { insert.comma } 824 | if$ 825 | address output 826 | } 827 | if$ 828 | new.sentence 829 | 
format.edition output 830 | format.date parens output 831 | and.the.note 832 | fin.entry 833 | } 834 | 835 | FUNCTION {mastersthesis} 836 | { output.bibitem 837 | format.authors "author" output.check 838 | stupid.colon 839 | format.title "title" output.check 840 | new.block 841 | "Master's thesis" format.thesis.type output.nonnull 842 | school empty$ 843 | 'skip$ 844 | { insert.comma } 845 | if$ 846 | school "school" output.check 847 | address empty$ 848 | 'skip$ 849 | { insert.comma } 850 | if$ 851 | address output 852 | format.date parens output 853 | and.the.note 854 | fin.entry 855 | } 856 | 857 | FUNCTION {misc} 858 | { output.bibitem 859 | format.authors "author" output.check 860 | stupid.colon 861 | format.title "title" output.check 862 | howpublished new.block.checka 863 | howpublished output 864 | format.date parens output 865 | and.the.note 866 | fin.entry 867 | empty.misc.check 868 | } 869 | 870 | FUNCTION {phdthesis} 871 | { output.bibitem 872 | format.authors "author" output.check 873 | stupid.colon 874 | format.btitle "title" output.check 875 | new.block 876 | "PhD thesis" format.thesis.type output.nonnull 877 | school empty$ 878 | 'skip$ 879 | { insert.comma } 880 | if$ 881 | school "school" output.check 882 | address empty$ 883 | 'skip$ 884 | { insert.comma } 885 | if$ 886 | address output 887 | format.date parens output 888 | and.the.note 889 | fin.entry 890 | } 891 | 892 | FUNCTION {proceedings} 893 | { output.bibitem 894 | editor empty$ 895 | { organization empty$ 896 | { "" } 897 | { organization output 898 | stupid.colon } 899 | if$ 900 | } 901 | { format.editors output.nonnull 902 | stupid.colon 903 | } 904 | if$ 905 | format.btitle "title" output.check 906 | new.block 907 | crossref missing$ 908 | { format.in.ed.booktitle "booktitle" output.check 909 | new.sentence 910 | format.bvolume output 911 | format.number.series output 912 | address empty$ 913 | { organization publisher new.sentence.checkb 914 | organization empty$ 915 | 'skip$ 916 | { 
insert.comma } 917 | if$ 918 | organization output 919 | publisher empty$ 920 | 'skip$ 921 | { insert.comma } 922 | if$ 923 | publisher output 924 | format.date parens output 925 | } 926 | { insert.comma 927 | address output.nonnull 928 | organization empty$ 929 | 'skip$ 930 | { insert.comma } 931 | if$ 932 | organization output 933 | publisher empty$ 934 | 'skip$ 935 | { insert.comma } 936 | if$ 937 | publisher output 938 | format.date parens output 939 | } 940 | if$ 941 | } 942 | { format.incoll.inproc.crossref output.nonnull 943 | } 944 | if$ 945 | and.the.note 946 | fin.entry 947 | } 948 | 949 | FUNCTION {techreport} 950 | { output.bibitem 951 | format.authors "author" output.check 952 | stupid.colon 953 | format.title "title" output.check 954 | new.block 955 | format.tr.number output.nonnull 956 | institution empty$ 957 | 'skip$ 958 | { insert.comma } 959 | if$ 960 | institution "institution" output.check 961 | address empty$ 962 | 'skip$ 963 | { insert.comma } 964 | if$ 965 | address output 966 | format.date parens output 967 | and.the.note 968 | fin.entry 969 | } 970 | 971 | FUNCTION {unpublished} 972 | { output.bibitem 973 | format.authors "author" output.check 974 | stupid.colon 975 | format.title "title" output.check 976 | new.block 977 | note "note" output.check 978 | format.date parens output 979 | fin.entry 980 | } 981 | 982 | FUNCTION {default.type} { misc } 983 | 984 | MACRO {jan} {"January"} 985 | 986 | MACRO {feb} {"February"} 987 | 988 | MACRO {mar} {"March"} 989 | 990 | MACRO {apr} {"April"} 991 | 992 | MACRO {may} {"May"} 993 | 994 | MACRO {jun} {"June"} 995 | 996 | MACRO {jul} {"July"} 997 | 998 | MACRO {aug} {"August"} 999 | 1000 | MACRO {sep} {"September"} 1001 | 1002 | MACRO {oct} {"October"} 1003 | 1004 | MACRO {nov} {"November"} 1005 | 1006 | MACRO {dec} {"December"} 1007 | 1008 | MACRO {acmcs} {"ACM Computing Surveys"} 1009 | 1010 | MACRO {acta} {"Acta Informatica"} 1011 | 1012 | MACRO {cacm} {"Communications of the ACM"} 1013 | 1014 | 
MACRO {ibmjrd} {"IBM Journal of Research and Development"} 1015 | 1016 | MACRO {ibmsj} {"IBM Systems Journal"} 1017 | 1018 | MACRO {ieeese} {"IEEE Transactions on Software Engineering"} 1019 | 1020 | MACRO {ieeetc} {"IEEE Transactions on Computers"} 1021 | 1022 | MACRO {ieeetcad} 1023 | {"IEEE Transactions on Computer-Aided Design of Integrated Circuits"} 1024 | 1025 | MACRO {ipl} {"Information Processing Letters"} 1026 | 1027 | MACRO {jacm} {"Journal of the ACM"} 1028 | 1029 | MACRO {jcss} {"Journal of Computer and System Sciences"} 1030 | 1031 | MACRO {scp} {"Science of Computer Programming"} 1032 | 1033 | MACRO {sicomp} {"SIAM Journal on Computing"} 1034 | 1035 | MACRO {tocs} {"ACM Transactions on Computer Systems"} 1036 | 1037 | MACRO {tods} {"ACM Transactions on Database Systems"} 1038 | 1039 | MACRO {tog} {"ACM Transactions on Graphics"} 1040 | 1041 | MACRO {toms} {"ACM Transactions on Mathematical Software"} 1042 | 1043 | MACRO {toois} {"ACM Transactions on Office Information Systems"} 1044 | 1045 | MACRO {toplas} {"ACM Transactions on Programming Languages and Systems"} 1046 | 1047 | MACRO {tcs} {"Theoretical Computer Science"} 1048 | 1049 | READ 1050 | 1051 | STRINGS { longest.label } 1052 | 1053 | INTEGERS { number.label longest.label.width } 1054 | 1055 | FUNCTION {initialize.longest.label} 1056 | { "" 'longest.label := 1057 | #1 'number.label := 1058 | #0 'longest.label.width := 1059 | } 1060 | 1061 | FUNCTION {longest.label.pass} 1062 | { number.label int.to.str$ 'label := 1063 | number.label #1 + 'number.label := 1064 | label width$ longest.label.width > 1065 | { label 'longest.label := 1066 | label width$ 'longest.label.width := 1067 | } 1068 | 'skip$ 1069 | if$ 1070 | } 1071 | 1072 | EXECUTE {initialize.longest.label} 1073 | 1074 | ITERATE {longest.label.pass} 1075 | 1076 | FUNCTION {begin.bib} 1077 | { preamble$ empty$ 1078 | 'skip$ 1079 | { preamble$ write$ newline$ } 1080 | if$ 1081 | "\begin{thebibliography}{" longest.label * "}" * write$ 
newline$ 1082 | } 1083 | 1084 | EXECUTE {begin.bib} 1085 | 1086 | EXECUTE {init.state.consts} 1087 | 1088 | ITERATE {call.type$} 1089 | 1090 | FUNCTION {end.bib} 1091 | { newline$ 1092 | "\end{thebibliography}" write$ newline$ 1093 | } 1094 | 1095 | EXECUTE {end.bib}
--------------------------------------------------------------------------------
/appendix-complexity-kog.tex:
--------------------------------------------------------------------------------
\section{Complexities of Pairing-based VCs in \cref{t:asvc-comparison}}
\label{s:complexity:kog}

We survey each \textit{pairing-based} VC scheme from \cref{t:asvc-comparison} and explain its complexities.
In \cref{s:complexity:hog}, we do the same for VCs based on hidden-order groups.
Despite our best efforts to understand the complexities of each scheme, we recognize there could be better upper bounds for some of them.

\subsection{Complexities of CDH-based~\cite{LM19}}

This scheme was originally proposed by Catalano and Fiore~\cite{CF13} and extended by Lai and Malavolta to support subvector proofs~\cite{LM19}.

\parhead{Public Parameters.}
% |\prk| = 1+n+n/2 to be more exact
The proving key is $\prk=(h_{i,j})_{i,j\in [0,n)}$ and is $O(n^2)$-sized.
Here, $h_{i,j}=g^{z_i \cdot z_j}$ when $i\ne j$ and $h_{i,i} = h_i=g^{z_i}$, with each $z_i \in \Zp$ picked uniformly at random.
The verification key is $\vrk=(h_i)_{i\in [0,n)}$ and is $O(n)$-sized.
% |\vrk|: each player needs h_i to verify position i
% (unclear if you can include h_i with proof: what could I verify $h_i = h^{z_i}$ against?)
The $i$th update key is $\upk_i = (h_i, (h_{i,j})_{j\in [0,n)})$.
% |\upk_i|: player $i$ needs to include $h_{i,j}$ for all $j$ so any player $j$ can update her proof
Note that $h_{i,j} = h_j^{z_i} = h_i^{z_j}$.

\parhead{Commitment.}
A commitment is $c=\prod_{i\in [0,n)} h_i^{v_i}$ and can be computed with $O(n)$ exponentiations.
If any vector element $v_j$ changes to $v_j + \delta$, the commitment can be updated in $O(1)$ time using $h_j$ from $\upk_j$ as $c' = c \cdot (h_j)^{\delta}$.

\parhead{Proofs for a $v_i$.}
A proof for $v_i$ is:
\begin{align}
\pi_i = \prod_{j\in [0,n)\setminus\{i\}} h_{i,j}^{v_j}=\left(\prod_{j\in [0,n)\setminus\{i\}} h_{j}^{v_j}\right)^{z_i}
\end{align}
The proof is $O(1)$-sized and can be computed from the $h_{i,j}$'s in the \prk with $O(n)$ exponentiations.
It can be verified in $O(1)$ time using $h_i$ from the \vrk as:
\begin{align}
e(c/h_i^{v_i}, h_i) = e(\pi_i, g)
\end{align}
If any vector element $v_j,j\ne i$ changes to $v_j + \delta$, the proof $\pi_i$ can be updated in $O(1)$ time using $h_{i,j}$ from $\upk_j$ as $\pi_i' = \pi_i \cdot \left(h_{i,j}^{\delta}\right)$.
This new $\pi_i'$ will verify against the updated commitment $c'$ defined earlier.
If $v_i$ changes to $v_i + \delta$, the proof $\pi_i$ need not be updated.

\parhead{Subvector Proofs for $(v_i)_{i\in I}$.}
An $O(1)$-sized subvector proof for $\vect{v}_I$ is:
\begin{align}
\pi_I = \prod_{i \in I}\prod_{j \in [0,n)\setminus I} h_{i,j}^{v_j}=\prod_{i \in I}\left(\prod_{j \in [0,n)\setminus I} h_{j}^{v_j}\right)^{z_i}=\prod_{i\in I} \pi_i^*
\end{align}
As intuition, note that the inner product $\pi_i^*=\left(\prod_{j \in [0,n)\setminus I} h_{j}^{v_j}\right)^{z_i}$ is very similar to a proof $\pi_i=\left(\prod_{j \in [0,n) \setminus \{i\}} h_{j}^{v_j}\right)^{z_i}$ for $v_i$.
Let $b=|I|$.
The proof can be computed from the $h_{i,j}$'s in the \prk with $O(b(n-b))$ exponentiations (because each $\pi_i^*$ can be computed in $O(n-b)$ exponentiations).
% Note: It might seem like things repeat, but the bases $h_{i,j}$ are different for each $i$
A subvector proof $\pi_I$ can be verified using $(h_i)_{i\in I}$ from \vrk by checking in $O(b)$ time if:
\begin{align}
e\left(c/\prod_{j\in I} h_j^{v_j}, \prod_{i\in I} h_i\right) &= e(\pi_I, g)\Leftrightarrow\\
e\left(\prod_{j\in [0,n)\setminus I} h_j^{v_j}, \prod_{i\in I} g^{z_i}\right) &= e\left(\prod_{i \in I}\prod_{j \in [0,n)\setminus I} h_{i,j}^{v_j}, g\right)\\
e\left(\prod_{j\in [0,n)\setminus I} h_j^{v_j}, g^{\sum_{i\in I} z_i}\right) &= e\left(\prod_{i \in I}\left(\prod_{j \in [0,n)\setminus I} h_{j}^{v_j}\right)^{z_i}, g\right)\\
e\left(\left(\prod_{j\in [0,n)\setminus I} h_j^{v_j}\right)^{\sum_{i\in I} z_i},g\right) &= e\left(\left(\prod_{j \in [0,n)\setminus I} h_{j}^{v_j}\right)^{\sum_{i \in I}z_i}, g\right)
\end{align}
% TODO: Aggregation seems possible in CDH-based CF13/LM19: Just tweak a $\pi_i$ into a $\pi_i^*$, by removing $h_{i,j}^v_j$ \forall j \in I\setminus\{i\}$. However, it requires $h_{i,j}$'s $\forall i,j\in I$, I think.
% TODO: Updating subvector proofs seems possible too.

\parhead{Aggregating Proofs and Precomputing All Proofs.}
Aggregating proofs is not discussed in~\cite{CF13,LM19}, but it seems possible.
Finally, precomputing all proofs efficiently is not discussed.
Naively, it can be done inefficiently in $O(n^2)$ time.

\subsection{Complexities of KZG~\cite{KZG10a}}
\label{s:complexity-kzg}
Kate, Zaverucha and Goldberg also discuss using their polynomial commitment scheme~\cite{KZG10a} to commit to a sequence of messages, thus implicitly obtaining a VC scheme.
Although they do not analyze its complexity in their paper, we do so here.

\parhead{Public Parameters.}
The proving key is $\prk=(g^{\tau^i})_{i\in [0,n-1]}$ and is $O(n)$-sized.
The verification key is $\vrk=(g,(g^{\tau^i})_{i\in [0,b]})$, where $b=|I|$ is the size of the largest subvector whose proof the verifier should be able to check, and is thus $O(b)$-sized.
There is no support for updating commitments and proofs using update keys, although our work shows this is possible (see \cref{s:asvc:from-kzg}).

\parhead{Commitment.}
A commitment is $c=g^{\phi(\tau)}$ where $\phi(X)=\sum_{i\in [0,n)} \lagr_i(X) v_i$ and can be computed with $O(n\log^2{n})$ field operations (see \cref{s:prelim:interpolation}) and $O(n)$ exponentiations.
Commitment updates are not discussed, but the scheme could be modified to support them (see \cref{s:asvc:from-kzg}).

\parhead{Proofs for a $v_i$.}
A proof for $v_i$ is:
\begin{align}
\pi_i = g^{\frac{\phi(\tau)-v_i}{\tau - i}} = g^{q_i(\tau)}
\end{align}
The proof is $O(1)$-sized and can be computed by dividing $\phi(X)$ by $(X-i)$ in $O(n)$ field operations, obtaining $q_i(X)$, and committing to $q_i(X)$ using the $g^{\tau^i}$'s in the \prk with $O(n)$ exponentiations.
The proof can be verified in $O(1)$ time using $g^\tau$ from the \vrk by computing two pairings:
\begin{align}
e(c/g^{v_i}, g) = e(\pi_i, g^{\tau}/g^{i})
\end{align}
Proof updates are not discussed, but the scheme could be modified to support them (see \cref{s:asvc:from-kzg}).

\parhead{Subvector Proofs for $(v_i)_{i\in I}$.}
An $O(1)$-sized subvector proof for $\vect{v}_I$ is:
\begin{align}
\pi_I=g^\frac{\phi(\tau)-R_I(\tau)}{A_I(\tau)}=g^{q_I(\tau)}
\end{align}
Here, $R_I(X)$ of degree $\le b-1$ is interpolated in $O(b\log^2{b})$ field operations so that $R_I(i) = v_i,\forall i\in I$ (see \cref{s:prelim:interpolation}).
Also, $A_I(X)= \prod_{i\in I} (X-i)$ is computed in $O(b\log^2{b})$ field operations via a \textit{subproduct tree}~\cite{vG13ModernCh10}.
The proof leverages the fact that dividing $\phi(X)$ by $A_I(X)$ gives quotient $q_I(X)$ and remainder $R_I(X)$.
The quotient $q_I(X)$ can be obtained in $O(n\log{n})$ field operations via a DFT-based division~\cite{vG13ModernCh9}.
Given $g^{\tau^i}$'s from the \prk, committing to $q_I(X)$ takes $O(n-b)$ exponentiations, since $\deg(q_I)=\deg(\phi)-\deg(A_I)\le (n-1)-b$.
Thus, the overall subvector proving time is $O(n\log{n}+b\log^2{b})$.

To verify a subvector proof $\pi_I$, first, the verifier must recompute $R_I(X)$ and $A_I(X)$ in $O(b\log^2{b})$ field operations.
Then, the verifier uses $(g^{\tau^i})_{i\in [0,b]}$ from the \vrk to compute KZG commitments $g^{R_I(\tau)}$ and $g^{A_I(\tau)}$ in $O(b)$ exponentiations.
Finally, the verifier checks using two pairings if:
\begin{align}
e(c/g^{R_I(\tau)},g) &= e(\pi_I, g^{A_I(\tau)})
\end{align}
Thus, the overall subvector proof verification time is $O(b\log^2{b})$.

\parhead{Aggregating Proofs and Precomputing All Proofs.}
Aggregating proofs is not discussed, but the scheme can be modified to support it (see \cref{s:asvc:from-kzg:aggregating-proofs}).
Finally, precomputing all proofs efficiently is not discussed, but is possible (see \cref{s:asvc:from-kzg}).
Naively, it can be done inefficiently in $O(n^2)$ time.

\subsection{Complexity of CDHK~\cite{CDHK15}}
\label{s:complexity-kzg-lagr}
In this scheme, we assume the vector $\vect{v}=[v_1, v_2, \dots, v_n]$ is indexed from 1 to $n$.
This scheme is similar to a KZG-based VC, except (1) it is randomized, (2) it computes proofs in a slightly different way and (3) it \textit{willfully} prevents aggregation of proofs as a security feature.
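The KZG-based VC of the previous subsection, as an added example (not the paper's code and not KZG's own implementation), written in the exponent: a group element is stored as its discrete logarithm modulo a toy prime $P$, the trapdoor $\tau$ is a known integer (which is exactly what a real trusted setup must prevent), and a pairing check $e(g^a,g^b)=e(g^c,g^d)$ becomes $ab=cd \pmod P$. Schoolbook polynomial division and naive Lagrange interpolation stand in for the $O(n\log n)$ DFT-based division and the $O(b\log^2 b)$ interpolation the text cites, so the code shows the quotient/remainder algebra behind $\pi_i$ and $\pi_I$, not the asymptotics. The function names and the prime `P` are this example's own choices.

```python
# Toy KZG-based VC in the exponent.  Constructed example, not the paper's code.
# Polynomials are coefficient lists over F_P, lowest degree first.  g^{phi(tau)}
# is stored as the field element phi(tau); tau is public here, so this shows the
# algebra of the proofs, not their security.
P = 2**61 - 1   # toy prime field (2^61 - 1 is prime)


def trim(a):
    """Drop high-degree zero coefficients in place (keeps at least one entry)."""
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a


def add(a, b):
    n = max(len(a), len(b))
    return trim([((a[k] if k < len(a) else 0) + (b[k] if k < len(b) else 0)) % P for k in range(n)])


def mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return trim(out)


def divmod_poly(a, b):
    """Schoolbook division: returns (q, r) with a = q*b + r and deg r < deg b."""
    b, r = trim(list(b)), trim(list(a))
    q = [0] * max(1, len(r) - len(b) + 1)
    inv_lead = pow(b[-1], P - 2, P)
    while len(r) >= len(b) and r != [0]:
        shift, coef = len(r) - len(b), r[-1] * inv_lead % P
        q[shift] = coef
        for k, y in enumerate(b):
            r[shift + k] = (r[shift + k] - coef * y) % P
        trim(r)
    return trim(q), r


def evaluate(a, x):
    acc = 0
    for coef in reversed(a):          # Horner's rule
        acc = (acc * x + coef) % P
    return acc


def interpolate(points):
    """Lagrange interpolation through distinct (x, y) pairs; naive O(n^2)."""
    result = [0]
    for j, (xj, yj) in enumerate(points):
        basis, denom = [1], 1
        for k, (xk, _) in enumerate(points):
            if k != j:
                basis = mul(basis, [(-xk) % P, 1])
                denom = denom * (xj - xk) % P
        result = add(result, [c * yj * pow(denom, P - 2, P) % P for c in basis])
    return result


def vanishing(I):
    """A_I(X) = prod_{i in I} (X - i)."""
    a = [1]
    for i in I:
        a = mul(a, [(-i) % P, 1])
    return a


def commit(v, tau):
    """phi(X) = sum_i L_i(X) v_i over positions 0..n-1; returns (phi, log c = phi(tau))."""
    phi = interpolate([(i, vi % P) for i, vi in enumerate(v)])
    return phi, evaluate(phi, tau)


def prove(phi, i, tau):
    """pi_i = g^{q_i(tau)}, q_i(X) = (phi(X) - v_i)/(X - i).  Dividing phi by (X - i)
    yields exactly that quotient; the remainder is the constant phi(i) = v_i."""
    q, _ = divmod_poly(phi, [(-i) % P, 1])
    return evaluate(q, tau)


def verify(c, i, v_i, pi_i, tau):
    """e(c / g^{v_i}, g) == e(pi_i, g^tau / g^i)  <=>  phi(tau) - v_i == pi_i * (tau - i)."""
    return (c - v_i) % P == pi_i * (tau - i) % P


def prove_subvector(phi, I, tau):
    """pi_I = g^{q_I(tau)} where phi(X) = q_I(X) * A_I(X) + R_I(X)."""
    q, _ = divmod_poly(phi, vanishing(I))
    return evaluate(q, tau)


def verify_subvector(c, I, v_I, pi_I, tau):
    """The verifier rebuilds R_I (through (i, v_i) for i in I) and A_I from the
    b claimed values only, then checks e(c / g^{R_I(tau)}, g) == e(pi_I, g^{A_I(tau)})."""
    R_I = interpolate(list(zip(I, v_I)))
    return (c - evaluate(R_I, tau)) % P == pi_I * evaluate(vanishing(I), tau) % P
```

`divmod_poly(phi, vanishing(I))` returns precisely the pair $(q_I, R_I)$ the text describes, so the remainder can be compared against the interpolant of $(i, v_i)_{i\in I}$; the verifier never sees $\phi$ and recomputes only $R_I$ and $A_I$ from the $b$ claimed values, which is why its cost depends on $b$ rather than $n$.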

\parhead{Public Parameters.}
% Note: Need g^{\tau^{n+1}} for accumulator $X\prod_{i\in [n]}(X-i)$
The proving key is $\prk=\left((g^{\tau^i})_{i\in [0,n+1]}, (g^{\lagr_i(\tau)})_{i\in[0,n]},g^{P(\tau)}\right)$, where $P(X)=X\cdot \prod_{i\in[n]} (X-i)$, and is $O(n)$-sized.
(Note that the Lagrange polynomials $\lagr_i(X)=\prod_{j\in[0,n],j\ne i} \frac{X-j}{i-j}$ are defined over the points $[0,n]$, not $[n]$.)
The verification key is $\vrk=(g,(g^{\lagr_i(\tau)})_{i\in [n]},(g^{\tau^i})_{i\in [0,b+1]})$, where $b=|I|$ is the size of the largest subvector whose proof the verifier should be able to check.
Unfortunately, the verification key is $O(n)$-sized.
There is no support for updating commitments and proofs using update keys, although adding it is possible via our techniques (see \cref{s:asvc:from-kzg}).
As a result, we treat this scheme as if it used an $O(n)$-sized update key $\upk_i=\left(g^{\lagr_i(\tau)}, \left(g^\frac{\lagr_j(\tau)}{\tau - i}\right)_{j\in[n]}\right)$.

\parhead{Commitment.}
A commitment is $c=\prod_{i\in[n]} \left(g^{\lagr_i(\tau)}\right)^{v_i} \left(g^{P(\tau)}\right)^{r}= g^{\phi(\tau) + r\cdot P(\tau)}$ where $\phi(X)=\sum_{i\in [0,n]} \lagr_i(X) v_i$, with $v_0 = 0$.
To compute the commitment, $\phi(X)$ must first be interpolated using $O(n\log^2{n})$ field operations.
Then, $c$ can be computed with $O(n)$ exponentiations, given the Lagrange commitments and $g^{P(\tau)}$ from \prk.
Commitment updates are not discussed, but they can be trivially implemented by setting $\upk_i = g^{\lagr_i(\tau)}$ and having $c' = c \cdot \left(g^{\lagr_j(\tau)}\right)^{\delta}$ be the new commitment after a change $\delta$ to $v_j$.
We reflect this in \cref{t:asvc-comparison}.

\parhead{Proofs for a $v_i$.}
A proof for $v_i$ is:
\begin{align}
\pi_i = g^{\frac{\left(\phi(\tau)+r\cdot P(\tau)\right)-v_i\lagr_i(\tau)}{\tau - i}} = g^{q_i(\tau)}
\end{align}
The proof is $O(1)$-sized and can be computed by dividing $\phi(X)+r\cdot P(X)-v_i\lagr_i(X)$ by $(X-i)$ in $O(n)$ field operations, obtaining $q_i(X)$, and committing to $q_i(X)$ using the $g^{\tau^i}$'s in the \prk with $O(n)$ exponentiations.
The proof can be verified in $O(1)$ time using $g^{\lagr_i(\tau)}$ from the \vrk by computing two pairings:
\begin{align}
e\left(c/\left(g^{\lagr_i(\tau)}\right)^{v_i}, g\right) = e(\pi_i, g^{\tau}/g^{i})
\end{align}
Proof updates are not discussed, but the scheme could be modified to support them (see \cref{s:asvc:from-kzg}).

\parhead{Subvector Proofs for $(v_i)_{i\in I}$.}
An $O(1)$-sized subvector proof for $\vect{v}_I$ is:
\begin{align}
\pi_I=g^\frac{\phi(\tau)+r\cdot P(\tau) - R_I(\tau)}{A_I(\tau)}=g^{q_I(\tau)}
\end{align}
Here, $R_I(X)$ is defined so that $R_I(i) = v_i,\forall i\in I$ \textbf{and} $R_I(i) = 0, \forall i \in [0,n]\setminus I$.
(In particular, this means $R_I(0) = 0$.)
Interpolating $R_I(X)$ takes $O(n\log^2{n})$ field operations.
Also, $A_I(X)= X\prod_{i\in I} (X-i)$ is computed in $O(b\log^2{b})$ field operations via a \textit{subproduct tree}~\cite{vG13ModernCh10}.
Given $g^{\tau^i}$'s from the \prk, committing to $q_I(X)$ takes $O(n-b)$ exponentiations (because $\deg(q_I) = \deg(\phi)-\deg(A_I)\le n-(b+1)$).
Thus, the overall subvector proving time is $O(n\log^2{n})$.

To verify a subvector proof $\pi_I$, first, the verifier recomputes the commitment $g^{R_I(\tau)}=\prod_{i\in I} \left(g^{\lagr_i(\tau)}\right)^{v_i}$ using $O(b)$ exponentiations.
(Recall that $\lagr_i(X)$ is defined over $[0,n]$ and has its KZG commitment in the \vrk.)
Then, he computes $A_I(X)$ in $O(b\log^2{b})$ field operations using a \textit{subproduct tree}~\cite{vG13ModernCh10}.
Then, the verifier uses $(g^{\tau^i})_{i\in [0,b+1]}$ from the \vrk to compute the KZG commitment $g^{A_I(\tau)}$ in $O(b)$ exponentiations.
Finally, the verifier checks if:
\begin{align}
e(c/g^{R_I(\tau)},g) &= e(\pi_I, g^{A_I(\tau)})
\end{align}
Thus, the overall subvector proof verification time is $O(b\log^2{b})$.

\parhead{Aggregating Proofs and Precomputing All Proofs.}
Aggregating proofs is \textit{willfully} prevented by this scheme, as a security feature.
Finally, precomputing all proofs efficiently is not discussed, but it can be done inefficiently in $O(n^2)$ time.
Importantly, because the proofs are slightly different from KZG, they are not amenable to known techniques for precomputing all $n$ proofs in $O(n\log{n})$ time~\cite{FK20}.
% TODO: Unclear if faster than $O(n^2)$ time OpenAll algorithm exists, given the proof verification using $-v\lagr_i(\tau)$.

\subsection{Complexities of CPZ~\cite{CPZ18}}
\label{s:complexity:cpz}

Since the Edrax paper clearly summarizes its performance, we refer the reader to~\cite[Table 1]{CPZ18}, with one exception discussed below.

\parhead{Aggregating Proofs and Precomputing All Proofs.}
Aggregating proofs is not discussed and it is unclear if the scheme can be modified to support it.
Precomputing all proofs efficiently is not discussed either, to the best of our knowledge, but could be possible.
% The key idea is to notice that computing $n$ proofs separately actually repeats a lot of work.
% If we avoid re-doing previously-done work, all proofs can be computed in $O(n\log{n})$ time.

\subsection{Complexities of TCZ~\cite{TCZ+20,Tomescu20}}
\label{s:complexity-tcz}

In their paper on scaling threshold cryptosystems, Tomescu et al.~\cite{TCZ+20} present a technique for computing $n$ \textit{logarithmic-sized} evaluation proofs for a KZG-committed polynomial of degree $t$ in $O(n\log{t})$ time.
Later on, Tomescu extends these results to obtain a full VC scheme~\cite[Sec 9.2]{Tomescu20}.

\parhead{Public Parameters.}
The proving key is $\prk=((g^{\tau^i})_{i\in [0,n-1]},(g^{\lagr_i(\tau)})_{i\in [0,n)})$ and is $O(n)$-sized.
Importantly, $n$ is assumed to be a power of two, and $\lagr_i(X)=\prod_{j\in [0,n),j\ne i} \frac{X-\omega^j}{\omega^i - \omega^j}$ where $\omega$ is a primitive $n$th root of unity~\cite{vG13ModernCh8}.
The verification key is $\vrk=(g,(g^{\tau^{2^i}})_{i\in [\floor{\log_2{(n-1)}}]}, (g^{\tau^i})_{i\in[b]})$, where $b=|I|$ is the size of the largest subvector whose proof the verifier should be able to check, and is thus $O(b)$-sized.
The $i$th update key $\upk_i$ is the \textit{authenticated multipoint evaluation tree (AMT)} of $\lagr_i(X)$ at all points $(\omega^i)_{i\in [0,n)}$ (see \cite[Sec III-B]{TCZ+20} and~\cite[Ch 9]{Tomescu20}).
This AMT will be $O(\log{n})$-sized, consisting of a single path of non-zero quotient commitments leading to the evaluation of $\lagr_i(\omega^i)$~\cite[Sec 9.2.2]{Tomescu20}, since all other evaluations $\lagr_i(\omega^j), j\ne i$ are zero.

\parhead{Commitment.}
A commitment is $c=g^{\phi(\tau)}$ where $\phi(\omega^i)=v_i,\forall i\in[0,n)$.
Note that $\phi(X)$ can be computed with $O(n\log{n})$ field operations via an inverse Discrete Fourier Transform (DFT)~\cite[Ch 30.2]{CLRS09}.
Then, computing $c$ requires $O(n)$ exponentiations.
Commitment updates remain the same as in the KZG-based scheme from \cref{s:complexity-kzg-lagr}: $c' = c\cdot \left(g^{\lagr_j(\tau)}\right)^{\delta}$, where $\delta$ is the change at position $j$ in the vector and the Lagrange polynomial commitment can be obtained from $\upk_j$.

\parhead{Proofs for a $v_i$.}
A proof for $v_i$ is:
\begin{align}
\pi_i = (g^{q_w(\tau)})_{w\in \left[1+\floor{\log{(n-1)}}\right]}
\end{align}
Here, each $q_w(X)$ is a quotient polynomial along the AMT tree path to $\phi(\omega^i)$.
The proof is $O(\log{n})$-sized and can be computed by ``repeatedly'' dividing $\phi(X)$ by accumulator polynomials of ever-decreasing sizes $n/2, \dots, 4,2,1$ in $T(n)=O(n\log{n}) + T(n/2) = O(n\log{n})$ field operations, and committing to each $q_w(X)$ using the $g^{\tau^i}$'s in the \prk with $T'(n) = O(n) + T'(n/2)=O(n)$ exponentiations.
(``Repeatedly'' dividing means we first divide $\phi(X)$ by a degree $n/2$ accumulator. Then, we take the remainder of this division and divide it by the degree $n/4$ accumulator. We then take this remainder and divide it by a degree $n/8$ accumulator. And so on. This ensures the remainder degrees always halve.)
% i.e., T(n) = n(\log{n} + 1/2\log{n/2} + 1/4 \log{n/4} + ...) \le n(\log{n} + 1/2 \log{n} + 1/4 \log{n} + ....) \le n(2*\log{n})
The proof can be verified in $O(\log{n})$ time using the $g^{\tau^{2^i}}$'s from the \vrk:
\begin{align}
e(c/g^{v_i}, g) = \prod_{w\in \left[1+\floor{\log{(n-1)}}\right]}e(g^{q_w(\tau)}, g^{a_w(\tau)})
\end{align}
Here, the $a_w(X)$'s denote the accumulator polynomials along the AMT path to $\phi(\omega^i)$, which are always of the form $X^{2^i} - c$ for some constant $c$ and some $i\in [0,\floor{\log{(n-1)}}]$.

\parhead{Proof Updates.}
If any vector element $v_j$ changes to $v_j + \delta$, the proof $\pi_i$ can be updated in $O(\log{n})$ time.
(It could be that $j=i$.)
The idea is to consider the quotient commitments $g^{q_{w}(\tau)}$ along $\pi_i$'s AMT path and the $g^{u_w(\tau)}$ commitments along $\upk_j$'s AMT path.
For all locations $w$ where the two paths intersect, the quotient commitments are combined in constant time as $g^{q'_w(\tau)} = g^{q_w(\tau)} \cdot \left(g^{u_w(\tau)}\right)^\delta.$
Since there are at most $O(\log{n})$ locations $w$ to intersect in, this takes $O(\log{n})$ exponentiations.
This new $\pi_i'$ with quotient commitments $g^{q'_w(\tau)}$ will verify against the updated $c'$ commitment defined earlier.

\parhead{Subvector Proofs for $(v_i)_{i\in I}$.}
This scheme uses the same subvector proof as the original KZG-based scheme in \cref{s:complexity-kzg}.
Thus, the subvector proving time is $O(n\log{n}+b\log^2{b})$ and the verification time is $O(b\log^2{b})$.

\parhead{Aggregating Proofs and Precomputing All Proofs.}
Aggregating proofs is not discussed and it is unclear if the scheme can be modified to support it.
Precomputing all \textit{logarithmic-sized} proofs efficiently is possible via the AMT technique in $O(n\log{n})$ time.

\subsection{Complexity of Pointproofs~\cite{GRWZ20,LY10}}
\label{s:complexity:pointproofs}
Gorbunov et al.~\cite{GRWZ20} enhance the VC by Libert and Yung~\cite{LY10} with the ability to aggregate multiple VC proofs into a subvector proof.
Additionally, they also enable aggregation of subvector proofs across different vector commitments, which they show is useful for stateless smart contract validation in cryptocurrencies.
In this scheme, we assume the vector $\vect{v}=[v_1, v_2, \dots, v_n]$ is indexed from 1 to $n$.

\parhead{Public Parameters.}
Their scheme works over Type III pairings $e : \G_1 \times \G_2\rightarrow \G_T$.
Let $g_1,g_2,g_T$ be generators of $\G_1, \G_2$ and $\G_T$ respectively.
The proving key is $\prk = (g_1, (g_1^{\alpha^i})_{i\in[1,2n]\setminus\{n+1\}},g_2,(g_2^{\alpha^i})_{i\in[1,n]}, g_T^{\alpha^{n+1}})$.
Note that $g_1^{\alpha^{n+1}}$ is ``missing'' from the proving key, which is essential for security.
The verification key $\vrk=((g_2^{\alpha^i})_{i\in[1,n]},g_T^{\alpha^{n+1}})$ is $O(n)$-sized.
The $i$th update key is $\upk_i=g_1^{\alpha^i}$.
They only support updating commitments, but proofs could be made updatable at the cost of linear-sized update keys.

\parhead{Commitment.}
A commitment is $c=\prod_{i\in[n]} \left(g_1^{\alpha^i}\right)^{v_i}=g_1^{\sum_{i\in [n]} v_i\alpha^i}$ and can be computed with $O(n)$ exponentiations.
If any vector element $v_j$ changes to $v_j + \delta$, the commitment can be updated in $O(1)$ time as $c' = c \cdot (\upk_j)^{\delta} = c\cdot (g_1^{\alpha^j})^{\delta}$.

\parhead{Proofs for a $v_i$.}
A proof for $v_i$ is obtained by re-committing to $\vect{v}$ so that $v_i$ ``lands'' at position $n+1$ (i.e., has coefficient $\alpha^{n+1}$) rather than position $i$ (i.e., has coefficient $\alpha^i$).
Furthermore, this commitment will \textbf{not} contain $v_i$: it cannot, since that would require having $g_1^{\alpha^{n+1}}$.
To get position $i$ to $n+1$, we must ``shift'' it (and every other position) by $(n + 1) - i$.
Thus, the proof is:
\begin{align}
\pi_i &= g_1^{\sum_{j\in[n]\setminus\{i\}} v_j \alpha^{j + (n+1) - i}}\\
&= g_1^{\sum_{j\in[n]\setminus\{i\}} v_j \alpha^{j} \alpha^{(n+1) - i}}\\
&= \left(g_1^{\sum_{j\in[n]\setminus\{i\}} v_j \alpha^{j}}\right)^{\alpha^{(n+1) - i}}\\
&= \left(\frac{g_1^{\sum_{j\in[n]} v_j \alpha^{j}}}{g_1^{v_i \alpha^i}}\right)^{\alpha^{(n+1) - i}}\\
&= (c / g_1^{v_i \alpha^i})^{\alpha^{(n+1) - i}}
\end{align}
The proof is constant-sized and can be computed with $O(n)$ exponentiations.
It can be verified in $O(1)$ time using $g_2^{\alpha^{(n+1) - i}}$ from \vrk:
\begin{align}
e(c, g_2^{\alpha^{(n+1)-i}})=e(\pi_i, g_2) \left(g_T^{\alpha^{n+1}}\right)^{v_i}
\end{align}
Updating the proof is not discussed but can be done in $O(1)$ time, if the update keys are tweaked to be linear rather than constant-sized.

\parhead{Subvector Proofs for $(v_i)_{i\in I}$.}
An $O(1)$-sized subvector proof for $\vect{v}_I$ is just a random linear combination of all proofs $\pi_i,\forall i\in I$.
First, all $b$ proofs $\pi_i$ are computed in $O(bn)$ exponentiations as described above.
Second, for each $i\in I$, $t_i = H(c, I, (v_i)_{i\in I})$ is computed using a random oracle $H : \{0,1\}^*\rightarrow \Zp$.
Third, the subvector proof $\pi_I$ is computed as:
\begin{align}
\pi_I = \prod_{i\in I} \pi_i^{t_i}
\end{align}
If computed this way, a subvector proof would take $O(bn)$ exponentiations.
However, Gorbunov et al. observe that $\pi_I$ can be computed with an $O(n)$-sized multi-exponentiation on a subset of the $2n$ generators $(g_1^{\alpha^i})_{i\in[0,2n]\setminus \{n+1\}}$.
The exponents will be a combination of the messages and the $t_i$'s (see~\cite[Sec 4.1]{GRWZ20} for more details).
However, they do not bound the time to compute these exponents, which appears to be $O(bn)$ field operations in the worst case.

The subvector proof can be verified in $O(b)$ time using $(g_2^{\alpha^{(n+1) - i}})_{i\in I}$ from \vrk as:
\begin{align}
e\left(c, \prod_{i\in I}\left(g_2^{\alpha^{(n+1)-i}}\right)^{t_i}\right) &= e(\pi_I, g_2) \left(g_T^{\alpha^{n+1}}\right)^{\sum_{i\in I} v_i t_i}\Leftrightarrow\\
e\left(c, g_2^{\sum _{i\in I}t_i \alpha^{(n+1)-i}}\right) &= e\left(\prod_{i\in I} \pi_i^{t_i}, g_2\right) g_T^{\alpha^{n+1}\sum_{i\in I} v_i t_i}\Leftrightarrow\\
&= e\left(\prod_{i\in I} \pi_i^{t_i}, g_2\right) e\left(g_1^{\alpha^{n+1}\sum_{i\in I} v_i t_i}, g_2\right)\Leftrightarrow\\
&= e\left(\prod_{i\in I} \pi_i^{t_i} \cdot g_1^{\alpha^{n+1}\sum_{i\in I} v_i t_i},g_2\right)\Leftrightarrow\\
&= e\left(\prod_{i\in I} \pi_i^{t_i} \cdot \prod_{i\in I} g_1^{\alpha^{n+1} v_i t_i},g_2\right)\Leftrightarrow\\
&= e\left(\prod_{i\in I} \left(\pi_i \cdot g_1^{\alpha^{n+1} v_i}\right)^{t_i},g_2\right)
\end{align}
Recall that $\pi_i= (c / g_1^{v_i \alpha^i})^{\alpha^{(n+1) - i}}$.
\begin{align}
e\left(c, g_2^{\sum _{i\in I}t_i \alpha^{(n+1)-i}}\right) &= e\left(\prod_{i\in I} \left((c / g_1^{v_i \alpha^i})^{\alpha^{(n+1) - i}} \cdot g_1^{\alpha^{n+1} v_i}\right)^{t_i},g_2\right)\Leftrightarrow\\
&= e\left(\prod_{i\in I} \left((c / g_1^{v_i \alpha^i}) \cdot g_1^\frac{\alpha^{n+1} v_i}{\alpha^{(n+1) - i}}\right)^{t_i \alpha^{(n+1) - i}},g_2\right)\Leftrightarrow\\
&= e\left(\prod_{i\in I} \left((c / g_1^{v_i \alpha^i}) \cdot g_1^{v_i\alpha^i}\right)^{t_i \alpha^{(n+1) - i}},g_2\right)\Leftrightarrow\\
&= e\left(\prod_{i\in I} c^{t_i \alpha^{(n+1) - i}},g_2\right)\Leftrightarrow\\
&= e\left( c^{\sum_{i\in I}t_i \alpha^{(n+1) - i}},g_2\right)\Leftrightarrow\\
&= e\left( c,g_2^{\sum_{i\in I}t_i \alpha^{(n+1) - i}}\right)
\end{align}

\parhead{Aggregating Proofs and Precomputing All Proofs.}
Aggregating $b$ proofs into a subvector proof requires $b$ hash computations and an $O(b)$-sized multi-exponentiation and thus takes $O(b)$ time.
Precomputing all proofs efficiently is not discussed.
Naively, it can be done in $O(n^2)$ time.

\subsection{Complexity of our Lagrange-based aSVC from \cref{s:asvc:from-kzg}}
\label{s:complexity-lagrange-asvc}
Our scheme builds upon previous VCs using KZG commitments~\cite{CDHK15, KZG10a}.
Since we give its full algorithmic description in \cref{s:asvc:from-kzg:algorithms}, this section will be briefer than previous ones.

\parhead{Public Parameters.}
The proving key, verification key and $i$th update key are $O(n)$, $O(b)$ and $O(1)$-sized, respectively.
Similar to \cref{s:complexity-tcz}, $n$ is assumed to be a power of two, and $\lagr_i(X)=\prod_{j\in [0,n),j\ne i} \frac{X-\omega^j}{\omega^i - \omega^j}$ where $\omega$ is a primitive $n$th root of unity~\cite{vG13ModernCh8}.

\parhead{Commitment.}
A commitment is $c=\prod_{i\in[0,n)} \ell_i^{v_i}=g^{\phi(\tau)}$ where $\phi(X)=\sum_{i\in [0,n)} \lagr_i(X) v_i$ and $\phi(\omega^i) = v_i$.
% and can be computed with $O(n\log^2{n})$ field operations (see \cref{s:prelim:interpolation}) and $O(n)$ exponentiations.
If any vector element $v_j$ changes to $v_j + \delta$, the commitment can be updated in $O(1)$ time as $c' = c \cdot (\upk_j)^{\delta} = c\cdot (\ell_j)^{\delta}$.

\parhead{Proofs for a $v_i$.}
\label{s:complexity-lagrange-asvc:proof}
A proof for $v_i$ is:
\begin{align}
\pi_i = g^{\frac{\phi(\tau)-v_i}{\tau - \omega^i}} = g^{q_i(\tau)}
\end{align}
However, note that:
\begin{align}
\frac{\phi(\tau)-\phi(\omega^i)}{\tau - \omega^i}
&= \frac{\sum_{j\in [0,n)} \lagr_j(\tau) v_j - v_i}{\tau - \omega^i}\\
&= \frac{\sum_{j\in [0,n)\setminus \{i\}} \lagr_j(\tau) v_j}{\tau - \omega^i} + \frac{\lagr_i(\tau)v_i - v_i}{\tau - \omega^i}\\
&= \sum_{j\in [0,n)\setminus \{i\}}v_j\frac{\lagr_j(\tau)}{\tau - \omega^i} + v_i\frac{\lagr_i(\tau) - 1}{\tau - \omega^i}
\end{align}
Recall from \cref{s:asvc:from-kzg:updating-proofs} that (1) the $i$th update key contains a KZG commitment $u_i$ to $\frac{\lagr_i(\tau) - 1}{\tau - \omega^i}$ and that (2) the $a_i$'s and $a_j$'s from $\upk_i$ and $\upk_j$ can be used to compute in $O(1)$ time a KZG commitment $u_{i,j}$ to $\frac{\lagr_j(\tau)}{\tau - \omega^i}$.
(Note that the partial fraction decomposition only requires evaluating a degree-1 polynomial at two points. Also, computing $A'(\omega^j)$ can be done in $O(1)$ time as explained in \cref{app:xn-1-derivative}.)
Thus, the proof $\pi_i$ can be computed in $O(n)$ field operations and $O(n)$ exponentiations as:
\begin{align}
\pi_i &= g^{q_i(\tau)}=\prod_{j\in [0,n)\setminus \{i\}} \left(u_{i,j}\right)^{v_j} \cdot \left(u_i\right)^{v_i}
\end{align}

The proof can be verified in $O(1)$ time using $g^\tau$ from the \vrk by computing two pairings:
\begin{align}
e(c/g^{v_i}, g) = e(\pi_i, g^{\tau}/g^{\omega^i})
\end{align}

\parhead{Proof Updates.}
If any vector element $v_j,j\ne i$ changes to $v_j + \delta$, the proof $\pi_i$ can be updated in $O(1)$ time using $a_i,a_j$ from $\upk_i,\upk_j$.
First, one computes $u_{i,j}$ in $O(1)$ time as described in the previous paragraph.
Then, one updates $\pi_i' = \pi_i \cdot \left(u_{i,j}\right)^{\delta}$ in $O(1)$ time.
This new $\pi_i'$ will verify against the updated $c'$ commitment defined earlier.
If $v_i$ changes to $v_i + \delta$, the proof $\pi_i$ is updated in $O(1)$ time using $u_i$ from $\upk_i$ as $\pi_i' = \pi_i \cdot \left(u_i\right)^{\delta}$ (see \cref{s:asvc:from-kzg:updating-proofs}).

\parhead{Subvector Proofs for $(v_i)_{i\in I}$.}
% TODO: Is it possible to compute a batch proof from the \ell_i's and/or \upk_i's (just like normal proofs can be computed from these)?
We use the same style of subvector proofs as in \cref{s:complexity-kzg}.
Thus, the subvector proving time is $O(n\log{n}+b\log^2{b})$ and the subvector proof verification time is $O(b\log^2{b})$.

\parhead{Aggregating Proofs and Precomputing All Proofs.}
Aggregating all proofs $(\pi_i)_{i\in I}$ requires computing coefficients $c_i=1/A'_I(\omega^i),\forall i \in I$ using partial fraction decomposition (see \cref{s:asvc:from-kzg:aggregating-proofs}).
This can be done by (1) computing $A_I(X)=\prod_{i \in I} (X-\omega^i)$ in $O(b\log^2{b})$ field operations, (2) computing its derivative $A'_I(X)$ in $O(b)$ field operations and (3) evaluating $A'_I(X)$ at all $(\omega^i)_{i\in I}$ using a multipoint evaluation in $O(b\log^2{b})$ field operations~\cite{vG13ModernCh10}.
Then, the subvector proof can be aggregated with $O(b)$ exponentiations as:
\begin{align}
\pi_I = \prod_{i\in I}\pi_i^{c_i}
\end{align}
Thus, aggregation takes $O(b\log^2{b})$ time.

Finally, precomputing all proofs can be done efficiently in $O(n\log{n})$ time using the FK technique~\cite{FK20}.

\parhead{Slower Commitment Time for Faster (Subvector) Proofs.}
When committing to a vector, we can use the FK technique to precompute all $n$ proofs in $O(n\log{n})$ time and store them as \textit{auxiliary information}.
Then, we can serve any individual proof $\pi_i$ in $O(1)$ time and any subvector proof in $O(b\log^2{b})$ time by aggregating it from the $\pi_i$'s.
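The division-based subvector proof $q_I=(\phi-R_I)/A_I$ used by our aSVC and its aggregation $\pi_I=\prod_{i\in I}\pi_i^{c_i}$ with $c_i=1/A'_I(\omega^i)$, checked over a toy prime field as an added example that is not the paper's or the project's code: the modulus $p=97$, the vector, the index set $I$ and the trapdoor $\tau$ are constructed, and a commitment $g^{f(\tau)}$ is modelled by the field value $f(\tau)$, which is exactly what the pairing equations constrain.

```python
# Added example, not the paper's code: toy arithmetic over Z_p that checks "in the exponent" the
# aSVC subvector proof q_I = (phi - R_I)/A_I and its aggregation from the individual q_i with the
# coefficients c_i = 1/A'_I(omega^i). Assumptions: P = 97 is a constructed toy modulus (not a
# pairing-friendly group order); a commitment g^{f(tau)} is modelled by the field value f(tau).
P, N = 97, 8   # toy field modulus (8 divides P-1) and vector length (a power of two)

def norm(f):   # coefficient lists, lowest degree first; reduce mod P and drop trailing zeros
    f = [c % P for c in f]
    while len(f) > 1 and f[-1] == 0:
        f.pop()
    return f

def add(f, g):
    n = max(len(f), len(g))
    return norm([(f[i] if i < len(f) else 0) + (g[i] if i < len(g) else 0) for i in range(n)])

def mul(f, g):
    out = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] += a * b
    return norm(out)

def divmod_poly(f, g):   # schoolbook f = q*g + r with deg r < deg g (the paper uses DFT-based division)
    f, g = norm(f), norm(g)
    if len(f) < len(g):
        return [0], f
    q, r, inv_lead = [0] * (len(f) - len(g) + 1), f[:], pow(g[-1], P - 2, P)
    for i in range(len(q) - 1, -1, -1):
        q[i] = r[i + len(g) - 1] * inv_lead % P
        for j, b in enumerate(g):
            r[i + j] = (r[i + j] - q[i] * b) % P
    return norm(q), norm(r)

def evaluate(f, x):   # Horner's rule
    acc = 0
    for c in reversed(f):
        acc = (acc * x + c) % P
    return acc

def vanishing(points):   # A(X) = prod (X - s): the accumulator the paper builds with a subproduct tree
    a = [1]
    for s in points:
        a = mul(a, [-s, 1])
    return a

def interpolate(xs, ys):   # O(b^2) Lagrange interpolation; the paper's O(b log^2 b) method is overkill here
    total = [0]
    for i, (xi, yi) in enumerate(zip(xs, ys)):
        num = vanishing([xj for j, xj in enumerate(xs) if j != i])
        total = add(total, norm([c * yi * pow(evaluate(num, xi), P - 2, P) for c in num]))
    return total

def root_of_unity(n):   # an element of order exactly n (n a power of two), the paper's omega
    for b in range(2, P):
        w = pow(b, (P - 1) // n, P)
        if pow(w, n // 2, P) != 1:
            return w
    raise ValueError("no primitive n-th root of unity mod P")

def subvector_proof(v, I, tau):
    """Return (q_I by division, q_I by aggregation, remainder == R_I, pairing-style check at tau)."""
    om = [pow(root_of_unity(N), i, P) for i in range(N)]
    phi = interpolate(om, v)                                    # phi(omega^i) = v_i
    A_I = vanishing([om[i] for i in I])
    R_I = interpolate([om[i] for i in I], [v[i] for i in I])
    q_I, rem = divmod_poly(phi, A_I)                            # phi = q_I * A_I + R_I
    dA = norm([k * c for k, c in enumerate(A_I)][1:])           # A'_I(X)
    agg = [0]
    for i in I:
        q_i, zero = divmod_poly(add(phi, [-v[i]]), [-om[i], 1])  # q_i = (phi - v_i)/(X - omega^i)
        assert zero == [0]                                       # holds since phi(omega^i) = v_i
        c_i = pow(evaluate(dA, om[i]), P - 2, P)                 # c_i = 1/A'_I(omega^i)
        agg = add(agg, norm([c * c_i for c in q_i]))             # pi_I = prod pi_i^{c_i}, in the exponent
    # e(c/g^{R_I(tau)}, g) = e(pi_I, g^{A_I(tau)})  <=>  phi(tau) - R_I(tau) = q_I(tau) * A_I(tau)
    ok = (evaluate(phi, tau) - evaluate(R_I, tau)) % P == evaluate(q_I, tau) * evaluate(A_I, tau) % P
    return q_I, agg, rem == R_I, ok

V, SUBSET, TAU = [5, 11, 23, 42, 8, 0, 77, 19], [1, 3, 6], 31   # constructed vector, index set I, trapdoor
RESULT = subvector_proof(V, SUBSET, TAU)                          # (q_I, aggregated q_I, True, True)
```

The aggregated quotient equals the divided one because $1/A_I(X)=\sum_{i\in I}c_i/(X-\omega^i)$ and $R_I(X)/A_I(X)=\sum_{i\in I}v_ic_i/(X-\omega^i)$, so $\sum_i c_i q_i = (\phi-R_I)/A_I = q_I$ as polynomials.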