Commit Twin

Create a zero-knowledge equality proof from two commitments.

This project demonstrates how to create a zero-knowledge proof that two commitments hide the same secret using elliptic curves.

This project has two implementations: golang and rust.

Primitives

The protocol uses any elliptic curve.

The curve $E$ parameters are denoted as

$k$ : The security parameter in bits.
$p$ : The field modulus
$q$ : The subgroup order
$H_q$ : A hash function which outputs bytes less than $q^1$ .
$G$ : Points in the cyclic group of order $p$
$P$ : The base point in $G$
$Q_1$ : A point in $G$ whose discrete log is not known or relative to $P^{2}$
$Q_2$ : A point in $G$ whose discrete log is not known or relative to $P^{2}$
$1_G$ : The point at infinity

Scalars operate in $\mathbb{Z}_q$ and are denoted as lower case letters.

Points operating in $G$ are denoted as capital letters.

$^1$ A common approach is to use SHA256 to hash to byte sequence then reduce modulo $q$ . However, this results in a biased result that isn't uniform. Instead more bytes should be generated then reduced modulo $q$ . The number of bytes is calculated with L = ceil((ceil(log2(p)) + k) / 8).

$^2$ Consider this when choosing $Q_1$ , $Q_2$ from Appendix A "The problem of mapping arbitrary bit strings to elliptic curve points has been the subject of both practical and theoretical research. This section briefly describes the background and research results that underly the recommendations in this document. A naive but generally insecure method of mapping a string msg to a point on an elliptic curve $E$ having $p$ points is to first fix a point $P$ that generates the elliptic curve group, and a hash function Hp from bit strings to integers less than $p$ ; then compute $Hp(msg)\cdot P$ , where the $\cdot$ operator represents scalar multiplication. The reason this approach is insecure is that the resulting point has a known discrete log relationship to $P$ . Thus, except in cases where this method is specified by the protocol, it must not be used; doing so risks catastrophic security failures."

Also, $Q_1$ , $Q_2$ should not be generated by randomly choosing a scalar $r$ and computing $r \cdot P$ . The best method to choose $Q_1$ , $Q_2$ is to pick a nothing up my sleeve value and compute the hash to curve of the bit string.

If using pairing friendly curves this same protocol can be used to compare commitments in $G_1$ and $G_2$ .

Setup

Alice secretly holds $x \in \mathbb{Z}_q*$ and randomly chooses $r_1, r_2 \in \mathbb{Z}_q*$ in order to compute two commitments $B = x \cdot P + r_1 \cdot Q_1$ and $C = x \cdot P + r_2 \cdot Q_2$ .

Bob knows $B, C$ but doesn't know $x, r_1, r_2$ .

Protocol

Bob sends nonce $o \in Z_q*$ to Alice
Alice picks random $w, n_1, n_2 \in \mathbb{Z}_q*$ .
She computes $W_1 = w \cdot P + n_1 \cdot Q_1$ and $W_2 = w \cdot P + n_2 \cdot Q_2$ .
She computes $c = H_q(W_1\ ||\ W_2\ ||\ o)$
She computes $d = w - cx, d_1 = n_1 - c r_1, d_2 = n_2 - c r_2$ all in $\mathbb{Z}_q*$
Alice sends $\{c, d, d_1, d_2\}$ to Bob.
Bob computes $D = d \cdot P$
Bob checks that $c \overset{?}{=} H_q(D + d_1 \cdot Q_1 + c \cdot B\ ||\ D + d_2 \cdot Q_2 + c \cdot C\ ||\ o)$

Note

The commitment $C$$ doesn't have to use $x \cdot P$ but could be another point like $P_1$ . The protocol will still work.

$o$ can also be a nothing up my sleeve value chosen by Alice as long as its not used more than once like a timestamp in milliseconds in which case Bob doesn't need to send it Alice. The security concern is that Alice should not be able to pick a value that allows her to cheat in the proof by biasing the result.

If Bob knows $B$ but not $C$ , then $C$ could also be part of the proof and sent.

Name		Name	Last commit message	Last commit date
Latest commit History 5 Commits
go		go
rust		rust
.gitignore		.gitignore
LICENSE		LICENSE
README.md		README.md

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Commit Twin

Primitives

Setup

Protocol

Note

About

Releases

Packages

Languages

License

mikelodder7/commit_twin

Folders and files

Latest commit

History

Repository files navigation

Commit Twin

Primitives

Setup

Protocol

Note

About

Resources

License

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages