Crypto Book (Work in Progress)

Initial Inspection

First, let us try to define more precisely the goal of the puzzle just from the instructions, without looking into the code yet.

Notation

Given a group $\mathbb{G}$ of order $q,$ we will write vectors of scalars and vectors of group elements in bold font, e.g. $\mathbf{a}=(a_0,\dots ,a_{n-1})\in ({\mathbb{Z}}_q{)}^n$ and $\mathbf{G}=(G_0,\dots ,G_{n-1})\in {\mathbb{G}}^n.$ For two vectors $\mathbf{a}=(a_0,\dots ,a_{n-1})\in ({\mathbb{Z}}_q{)}^n$ and $\mathbf{b}=(b_0,\dots ,b_{n-1})\in ({\mathbb{Z}}_q{)}^n,$ their scalar product is defined as $$⟨\mathbf{a},\mathbf{b}⟩:=\sum _{i=0}^{n-1}{a}_i{b}_i\mathrm{mod}q.$$ Similarly, given $\mathbf{a}=(a_0,\dots ,a_{n-1})\in ({\mathbb{Z}}_q{)}^n$ and $\mathbf{G}=(G_0,\dots ,G_{n-1})\in {\mathbb{G}}^n,$ we let $$⟨\mathbf{a},\mathbf{G}⟩:=\sum _{i=0}^{n-1}{a}_i{G}_i.$$

Definition of the Proof System

Let us first try to specify the language for which the proof system is designed. We assume that the cyclic group $\mathbb{G}$ of prime order $q$ and generators $\mathbf{G}=(G_0,\dots ,G_{n-1})$ and $H$ are agreed upon by the prover and the verifier. Then, from the puzzle's description (and also from the code, as we will see), the language $\mathcal{L}$ of interest is defined by the relation $$\mathcal{R}=\{(x,w)\mid x=(C_a,\mathbf{b})\in \mathbb{G}\times ({\mathbb{Z}}_q{)}^n,w=(\mathbf{a},\alpha )\in {\mathbb{G}}^n\times {\mathbb{Z}}_q,C_a=⟨\mathbf{a},\mathbf{G}⟩+\alpha H\}.$$

Recall that the language $\mathcal{L}$ defined by this relation consists of all instances $x$ such that there exists a witness $w$ such that $(x,w)\in \mathcal{R}.$

The protocol itself goes as follows:

$$\boxed{\begin{array}{lcl}\text{Prover}& & \text{Verifier}\\ \text{parameters: }(\mathbb{G},q,\mathbf{G},H)& & \text{parameters: }(\mathbb{G},q,\mathbf{G},H)\\ \text{instance: }(C_a,\mathbf{b})\in \mathbb{G}\times ({\mathbb{Z}}_q{)}^n& & \text{instance: }(C_a,\mathbf{b})\in \mathbb{G}\times ({\mathbb{Z}}_q{)}^n\\ \text{witness: }(\mathbf{a},\alpha )\in {\mathbb{G}}^n\times {\mathbb{Z}}_q& & \\ \text{relation: }{C}_a=⟨\mathbf{a},\mathbf{G}⟩+\alpha H& & \\ \mathbf{r}{\leftarrow }_{\$}({\mathbb{Z}}_q{)}^n& & \\ \rho ,\tau ,\nu {\leftarrow }_{\$}{\mathbb{Z}}_q& & \\ C_r:=⟨\mathbf{r},\mathbf{G}⟩+\rho H& & \\ C_1:=⟨\mathbf{a},\mathbf{b}⟩G_1+\tau H& & \\ C_2:=⟨\mathbf{r},\mathbf{b}⟩G_1+\nu H& & \\ & \stackrel{C_r,C_1,C_2}{\to }& \\ & & \gamma {\leftarrow }_{\$}{\mathbb{Z}}_q\\ & \stackrel{\gamma }{\leftarrow }& \\ \mathbf{s}:=\mathbf{a}+\gamma \mathbf{r}\mathrm{mod}q& & \\ u:=\alpha +\gamma \rho \mathrm{mod}q& & \\ t:=\tau +\gamma \nu \mathrm{mod}q& & \\ & \stackrel{\mathbf{s},u,t}{\to }& \\ & & \text{check that}\\ & & ⟨\mathbf{s},\mathbf{G}⟩+uH=C_a+\gamma C_r\\ & & ⟨\mathbf{s},\mathbf{b}⟩G_1+tH=C_1+\gamma C_2\end{array}}$$

The protocol is complete, meaning that for any instance $(C_a,\mathbf{b})\in \mathcal{L},$ an honestly generated proof is always accepted by the verifier. This holds because $$\begin{array}{rl}⟨\mathbf{s},\mathbf{G}⟩+uH& =⟨\mathbf{a}+\gamma \mathbf{r},\mathbf{G}⟩+(\alpha +\gamma \rho )H\\ & =(⟨\mathbf{a},\mathbf{G}⟩+\alpha H)+\gamma (⟨\mathbf{r},\mathbf{G}⟩+\rho H)\\ & =C_a+\gamma C_r\end{array}$$ and $$\begin{array}{rl}⟨\mathbf{s},\mathbf{b}⟩G_1+tH& =⟨\mathbf{a}+\gamma \mathbf{r},\mathbf{b}⟩G_1+(\tau +\gamma \nu )H\\ & =(⟨\mathbf{a},\mathbf{b}⟩G_1+\tau H)+\gamma (⟨\mathbf{r},\mathbf{b}⟩G_1+\nu H)\\ & =C_1+\gamma C_2.\end{array}$$

Proof of Knowledge

One can also check that the proof system is extractable, which follows from a property called special soundness: for any instance in language $\mathcal{L},$ given two accepting transcripts with the same commitments $(C_r,C_1,C_2)$ but different challenges ${\gamma }^{(1)}$ and ${\gamma }^{(2)},$ one can compute a witness. Indeed, let $$\begin{array}{rl}& ((C_r,C_1,C_2),{\gamma }^{(1)},({\mathbf{s}}^{(1)},u^{(1)},t^{(1)})),\\ & ((C_r,C_1,C_2),{\gamma }^{(2)},({\mathbf{s}}^{(2)},u^{(2)},t^{(2)}))\end{array}$$ be two accepting transcripts for some instance $(C_a,\mathbf{b})$ such that ${\gamma }^{(1)}\ne {\gamma }^{(2)}.$ Let $$\begin{array}{r}\mathbf{a}:=\frac{{\gamma }^{(1)}{\mathbf{s}}^{(2)}-{\gamma }^{(2)}{\mathbf{s}}^{(1)}}{{\gamma }^{(1)}-{\gamma }^{(2)}},\\ \alpha :=\frac{{\gamma }^{(1)}{u}^{(2)}-{\gamma }^{(2)}{u}^{(1)}}{{\gamma }^{(1)}-{\gamma }^{(2)}}.\end{array}$$ Since both transcripts are accepting, we have $$\begin{array}{rl}& ⟨{\mathbf{s}}^{(1)},\mathbf{G}⟩+u^{(1)}H=C_a+{\gamma }^{(1)}{C}_r,\\ & ⟨{\mathbf{s}}^{(2)},\mathbf{G}⟩+u^{(2)}H=C_a+{\gamma }^{(2)}{C}_r.\end{array}$$ Then $$\begin{array}{rl}⟨\mathbf{a},\mathbf{G}⟩+\alpha H& =\frac{1}{{\gamma }^{(1)}-{\gamma }^{(2)}}\left({\gamma }^{(1)}⟨{\mathbf{s}}^{(2)},\mathbf{G}⟩-{\gamma }^{(2)}⟨{\mathbf{s}}^{(1)},\mathbf{G}⟩+{\gamma }^{(1)}{u}^{(2)}H-{\gamma }^{(2)}{u}^{(1)}H\right)\\ & =\frac{1}{{\gamma }^{(1)}-{\gamma }^{(2)}}\left({\gamma }^{(1)}(C_a+{\gamma }^{(2)}{C}_r-u^{(2)}H)-{\gamma }^{(2)}(C_a+{\gamma }^{(1)}{C}_r-u^{(1)}H)+{\gamma }^{(1)}{u}^{(2)}H-{\gamma }^{(2)}{u}^{(1)}H\right)\\ & =C_a.\end{array}$$ Hence, the relation defining the language is satisfied and $(\mathbf{a},\alpha )$ is indeed a witness that the instance $(C_a,\mathbf{b})$ is in $\mathcal{L}.$

Zero-Knowledge?

The puzzle instructions asks us to find $\mathbf{a},$ which is part of the witness, from a few proofs generated by Bob. If the protocol is zero-knowledge, this shouldn't be possible. Is it zero-knowledge, though, from a theoretical point of view?

The answer is yes. Namely, the interactive protocol as defined above can be shown to be honest-verifier zero-knowledge. The simulator, whose task is to generate a fake transcript distributed as a true transcript between a prover and an honest verifier without knowing the witness $(\mathbf{a},\alpha ),$ works as follows:

$$\begin{array}{rl}& \mathbf{s}{\leftarrow }_{\$}({\mathbb{Z}}_q{)}^n,u{\leftarrow }_{\$}{\mathbb{Z}}_q,t{\leftarrow }_{\$}{\mathbb{Z}}_q\\ & \gamma {\leftarrow }_{\$}{\mathbb{Z}}_q\\ & C_r:={\gamma }^{-1}(⟨\mathbf{s},\mathbf{G}⟩+uH-C_a)\\ & C_1{\leftarrow }_{\$}\mathbb{G}\\ & C_2:={\gamma }^{-1}(⟨\mathbf{s},\mathbf{b}⟩G_1+tH-C_1)\\ & \mathbf{return}((C_r,C_1,C_2),\gamma ,(\mathbf{s},u,t))\end{array}$$

Something Strange

There is something odd with the way we described the proof system: vector $\mathbf{b}$ plays no role in the relation $$\mathcal{R}=\{(x,w)\mid x=(C_a,\mathbf{b})\in \mathbb{G}\times ({\mathbb{Z}}_q{)}^n,w=(\mathbf{a},\alpha )\in {\mathbb{G}}^n\times {\mathbb{Z}}_q,C_a=⟨\mathbf{a},\mathbf{G}⟩+\alpha H\}.$$ In particular, note that the proof that the system is extractable did not use the second equation checked by the verifier (meaning extractability still holds even if this check is omitted).

For this reason, it would make more sense to actually include $C_1,$ the commitment to the inner product $⟨\mathbf{a},\mathbf{b}⟩,$ in the instance and randomness $\tau$ in the witness and to define the relation as $$\begin{array}{r}{\mathcal{R}}^{\prime }=\{(\sigma ,\omega )\mid \sigma =(C_a,C_1,\mathbf{b})\in \mathbb{G}\times \mathbb{G}\times ({\mathbb{Z}}_q{)}^n,\omega =(\mathbf{a},\alpha ,\tau )\in {\mathbb{G}}^n\times {\mathbb{Z}}_q\times {\mathbb{Z}}_q,\\ C_a=⟨\mathbf{a},\mathbf{G}⟩+\alpha H,C_1=⟨\mathbf{a},\mathbf{b}⟩G_1+\tau H\}.\end{array}$$

By doing this, the protocol would now be specified as follows:

$$\boxed{\begin{array}{lcl}\text{Prover}& & \text{Verifier}\\ \text{parameters: }(\mathbb{G},q,\mathbf{G},H)& & \text{parameters: }(\mathbb{G},q,\mathbf{G},H)\\ \text{instance: }& & \text{instance: }\\ (C_a,C_1,\mathbf{b})\in \mathbb{G}\times \mathbb{G}\times ({\mathbb{Z}}_q{)}^n& & (C_a,C_1,\mathbf{b})\in \mathbb{G}\times \mathbb{G}\times ({\mathbb{Z}}_q{)}^n\\ \text{witness: }& & \\ (\mathbf{a},\alpha ,\tau )\in {\mathbb{G}}^n\times {\mathbb{Z}}_q\times {\mathbb{Z}}_q& & \\ \text{relation: }& & \\ C_a=⟨\mathbf{a},\mathbf{G}⟩+\alpha H& & \\ C_1=⟨\mathbf{a},\mathbf{b}⟩G_1+\tau H& & \\ \mathbf{r}{\leftarrow }_{\$}({\mathbb{Z}}_q{)}^n& & \\ \rho ,\nu {\leftarrow }_{\$}{\mathbb{Z}}_q& & \\ C_r:=⟨\mathbf{r},\mathbf{G}⟩+\rho H& & \\ C_2:=⟨\mathbf{r},\mathbf{b}⟩G_1+\nu H& & \\ & \stackrel{C_r,C_2}{\to }& \\ & & \gamma {\leftarrow }_{\$}{\mathbb{Z}}_q\\ & \stackrel{\gamma }{\leftarrow }& \\ \mathbf{s}:=\mathbf{a}+\gamma \mathbf{r}\mathrm{mod}q& & \\ u:=\alpha +\gamma \rho \mathrm{mod}q& & \\ t:=\tau +\gamma \nu \mathrm{mod}q& & \\ & \stackrel{\mathbf{s},u,t}{\to }& \\ & & \text{check that}\\ & & ⟨\mathbf{s},\mathbf{G}⟩+uH=C_a+\gamma C_r\\ & & ⟨\mathbf{s},\mathbf{b}⟩G_1+tH=C_1+\gamma C_2\end{array}}$$

However, this is not important for solving the puzzle and we will stick to the original, albeit unnatural, description.