4.2 KiB
Cryptographic groups
In the section Inverses and groups we introduced the
concept of groups. A group has an identity and a group operation. In this section we
will write groups additively, i.e. the identity is \mathcal{O} and the group operation
is +.
Some groups can be used as cryptographic groups. At the risk of oversimplifying, this
means that the problem of finding a discrete logarithm of a group element P to a given
base G, i.e. finding x such that P = [x] G, is hard in general.
Pedersen commitment
The Pedersen commitment [P99] is a way to commit to a secret message in a verifiable
way. It uses two random public generators G, H \in \mathbb{G}, where \mathbb{G} is a
cryptographic group of order q. A random secret r is chosen in \mathbb{Z}_q, and the
message to commit to m is from any subset of \mathbb{Z}_q. The commitment is
c = \text{Commit}(m,r)=[m]G + [r]H.To open the commitment, the committer reveals m and r, thus allowing anyone to verify
that c is indeed a commitment to m.
Notice that the Pedersen commitment scheme is homomorphic:
\begin{aligned}
\text{Commit}(m,r) + \text{Commit}(m',r') &= [m]G + [r]H + [m']G + [r']H \\
&= [m + m']G + [r + r']H \\
&= \text{Commit}(m + m',r + r').
\end{aligned}
Assuming the discrete log assumption holds, Pedersen commitments are also perfectly hiding and computationally binding:
- hiding: the adversary chooses messages
m_0, m_1.The committer commits to one of these messagesc = \text{Commit}(m_b,r), b \in \{0,1\}.Givenc,the probability of the adversary guessing the correctbis no more than\frac{1}{2}. - binding: the adversary cannot pick two different messages
m_0 \neq m_1,and randomnessr_0, r_1,such that\text{Commit}(m_0,r_0) = \text{Commit}(m_1,r_1).
Vector Pedersen commitment
We can use a variant of the Pedersen commitment scheme to commit to multiple messages at
once, \mathbf{m} = (m_0, \cdots, m_{n-1}). This time, we'll have to sample a corresponding
number of random public generators \mathbf{G} = (G_0, \cdots, G_{n-1}), along with a
single random generator H as before (for use in hiding). Then, our commitment scheme is:
\begin{aligned}
\text{Commit}(\mathbf{m}; r) &= \text{Commit}((m_0, \cdots, m_{n-1}); r) \\
&= [r]H + [m_0]G_0 + \cdots + [m_{n-1}]G_{n-1} \\
&= [r]H + \sum_{i= 0}^{n-1} [m_i]G_i.
\end{aligned}
TODO: is this positionally binding?
Diffie–Hellman
An example of a protocol that uses cryptographic groups is Diffie–Hellman key agreement [DH1976]. The Diffie–Hellman protocol is a method for two users, Alice and Bob, to generate a shared private key. It proceeds as follows:
- Alice and Bob publicly agree on two prime numbers,
pandG,wherepis large andGis a primitive root\pmod p.(Note thatgis a generator of the group\mathbb{F}_p^\times.) - Alice chooses a large random number
aas her private key. She computes her public keyA = [a]G \pmod p,and sendsAto Bob. - Similarly, Bob chooses a large random number
bas his private key. He computes his public keyB = [b]G \pmod p,and sendsBto Alice. - Now both Alice and Bob compute their shared key
K = [ab]G \pmod p,which Alice computes as
and Bob computes asK = [a]B \pmod p = [a]([b]G) \pmod p,K = [b]A \pmod p = [b]([a]G) \pmod p.
A potential eavesdropper would need to derive K = [ab]g \pmod p knowing only
g, p, A = [a]G, and B = [b]G: in other words, they would need to either get the
discrete logarithm a from A = [a]G or b from B = [b]G, which we assume to be
computationally infeasible in \mathbb{F}_p^\times.
More generally, protocols that use similar ideas to Diffie–Hellman are used throughout cryptography. One way of instantiating a cryptographic group is as an elliptic curve. Before we go into detail on elliptic curves, we'll describe some algorithms that can be used for any group.
Multiscalar multiplication
TODO: Pippenger's algorithm
Reference: https://jbootle.github.io/Misc/pippenger.pdf