Explaining SNARKs Part IV: How to make Blind Evaluation of Polynomials Verifiable

Ariel Gabizon | April 11, 2017

In this part, we build on Part II and III to develop a protocol for verifiable blind evaluation of polynomials, which we will define shortly. In Part V we'll start to see how such a protocol can be used for constructing SNARKs, so bear with me a little bit longer for the connection to SNARKs.

Suppose, as in Part II, that Alice has a polynomial $P$ of degree $d$ and Bob has a point $s \in \mathbb{F}_p$ that he chose randomly. We want to construct a protocol that allows Bob to learn $E(P(s))$, i.e. the hiding of $P$ evaluated at $s$, with two additional properties:

This is what we call verifiable blind evaluation of a polynomial. The protocol in Part II gave us the first item but not the second. To get verifiability we need an extended version of the Knowledge of Coefficient Assumption (KCA) that was presented in Part III.

This, in a sense, commits Alice to an "answer polynomial" without seeing the "challenge point" $s$. This intuition will become more clear in the next parts of the series.

An Extended KCA

The KCA as we defined it in Part III essentially said something like this: If Bob gives Alice some $\alpha$-pair $(a, b = \alpha \cdot a)$ and then Alice generates another $\alpha$-pair $(a', b')$, then she knows $c$ such that $a' = c \cdot a$. In other words, Alice knows the relation between $a'$ and $a$.

Now, suppose that instead of one, Bob sends Alice several $\alpha$-pairs $(a_1, b_1), \ldots, (a_d, b_d)$ (for the same $\alpha$); and that again, after receiving these pairs, Alice is challenged to generate some other $\alpha$-pair $(a', b')$. Recall that the main point is that Alice must do so although she does not know $\alpha$.

As we saw in Part III, a natural way for Alice to generate such an $\alpha$-pair would be to take one of the pairs $(a_i, b_i)$ she received from Bob, and multiply both elements by some $c \in \mathbb{F}_p^*$; if $(a_i, b_i)$ was an $\alpha$-pair, then $(c \cdot a_i, c \cdot b_i)$ will be one too.

The answer is yes: For example, Alice can choose two values $c_1, c_2 \in \mathbb{F}_p$ and compute the pair $(a', b') = (c_1 \cdot a_1 + c_2 \cdot a_2,\ c_1 \cdot b_1 + c_2 \cdot b_2)$.
An easy computation shows that, as long as $a'$ is non-zero, this is also an $\alpha$-pair:

$$b' = c_1 \cdot b_1 + c_2 \cdot b_2 = c_1 \alpha \cdot a_1 + c_2 \alpha \cdot a_2 = \alpha (c_1 \cdot a_1 + c_2 \cdot a_2) = \alpha \cdot a'.$$

More generally, Alice can take any linear combination of the given $d$ pairs, that is, choose any $c_1, \ldots, c_d \in \mathbb{F}_p$ and define $(a', b') = \left(\sum_{i=1}^{d} c_i a_i,\ \sum_{i=1}^{d} c_i b_i\right)$.

Note that, if Alice uses this strategy to generate her $\alpha$-pair, she will know some linear relation between $a'$ and $a_1, \ldots, a_d$; that is, she knows $c_1, \ldots, c_d$ such that $a' = \sum_{i=1}^{d} c_i \cdot a_i$.

The extended KCA states,

The d-power Knowledge of Coefficient Assumption (d-KCA) [2] in $G$ is as follows:

d-KCA: Suppose Bob chooses random $\alpha \in \mathbb{F}_p^*$ and $s \in \mathbb{F}_p$, and sends to Alice the $\alpha$-pairs $(g, \alpha \cdot g), (s \cdot g, \alpha s \cdot g), \ldots, (s^d \cdot g, \alpha s^d \cdot g)$. Suppose that Alice then outputs another $\alpha$-pair $(a', b')$. Then, except with negligible probability,

Note that in the d-KCA Bob does not send an arbitrary set of $\alpha$-pairs, but one with a certain "polynomial structure". This will be useful in the protocol below.

The Verifiable Blind Evaluation Protocol

Assume that our HH is the mapping $E(x) = x \cdot g$ for a generator $g$ of $G$ as above. For simplicity, we present the protocol for this particular $E$:

1. Bob chooses a random $\alpha \in \mathbb{F}_p^*$, and sends to Alice the hidings $g, s \cdot g, \ldots, s^d \cdot g$ (of $1, s, \ldots, s^d$) and also the hidings $\alpha \cdot g, \alpha s \cdot g, \ldots, \alpha s^d \cdot g$ (of $\alpha, \alpha s, \ldots, \alpha s^d$).
2. Alice computes $a = P(s) \cdot g$ and $b = \alpha P(s) \cdot g$ using the elements sent in the first step, and sends both to Bob.
3. Bob checks that $b = \alpha \cdot a$, and accepts if and only if this equality holds.

First, note that given the coefficients of $P$, $P(s) \cdot g$ is a linear combination of $g, s \cdot g, \ldots, s^d \cdot g$; and $\alpha P(s) \cdot g$ is a linear combination of $\alpha \cdot g, \alpha s \cdot g, \ldots, \alpha s^d \cdot g$. Thus, similarly to the protocol of Part II, Alice can indeed compute these values from Bob's messages for a polynomial $P$ that she knows.

Second, by the d-KCA, if Alice sends $a$, $b$ such that $b = \alpha \cdot a$ then almost surely she knows $c_0, \ldots, c_d \in \mathbb{F}_p$ such that $a = \sum_{i=0}^{d} c_i s^i \cdot g$. In that case, $a = P(s) \cdot g$ for the polynomial $P(X) = \sum_{i=0}^{d} c_i \cdot X^i$ known to Alice. In other words, the probability that Bob accepts in Step 3 while at the same time Alice does not know such a $P$ is negligible.

To summarize, using the d-KCA we've developed a protocol for verifiable blind evaluation of polynomials. In the next posts, we will see how this building block comes to play in SNARK constructions.

[1] In the fully formal proof, things are somewhat more subtle, as Alice does see some information about $s$ before deciding on her $P$, for example, the hidings of $s, \ldots, s^d$.
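The three protocol steps above can be run end to end. The following is an added example, not code from the original post: the group parameters `Q`, `P`, `G` are a constructed toy subgroup (far too small to be secure) and all function names are assumptions made for illustration.

```python
import secrets

# Toy group, constructed for illustration and far too small to be secure:
# the order-P subgroup of Z_Q^*, written additively as in the post,
# so the hiding E(x) = x·g is computed as pow(G, x, Q).
Q, P, G = 2039, 1019, 4          # Q = 2P + 1; G = 4 has prime order P

def smul(x, h):
    """Scalar multiplication x·h."""
    return pow(h, x % P, Q)

def add(h1, h2):
    """Group addition h1 + h2."""
    return h1 * h2 % Q

def bob_setup(d, alpha=None, s=None):
    """Step 1: hidings of 1, s, ..., s^d and of alpha, alpha*s, ..., alpha*s^d."""
    alpha = alpha or secrets.randbelow(P - 1) + 1      # alpha in F_p^*
    s = secrets.randbelow(P) if s is None else s
    powers = [smul(pow(s, i, P), G) for i in range(d + 1)]
    shifted = [smul(alpha, h) for h in powers]
    return alpha, s, powers, shifted

def alice_respond(coeffs, powers, shifted):
    """Step 2: a = P(s)·g and b = alpha*P(s)·g as linear combinations;
    Alice never sees s or alpha, only the hidings."""
    a = b = 1                                          # identity element
    for c, h, ah in zip(coeffs, powers, shifted):
        a, b = add(a, smul(c, h)), add(b, smul(c, ah))
    return a, b

def bob_verify(alpha, a, b):
    """Step 3: accept if and only if b = alpha·a."""
    return b == smul(alpha, a)

def demo():
    coeffs = [3, 0, 2]                                 # P(X) = 3 + 2X^2
    alpha, s, powers, shifted = bob_setup(d=2)
    a, b = alice_respond(coeffs, powers, shifted)
    honest = bob_verify(alpha, a, b)
    # A response whose second element comes from a different polynomial
    # is not an alpha-pair unless the two polynomials agree at s.
    _, b_other = alice_respond([4, 0, 2], powers, shifted)
    return honest, bob_verify(alpha, a, b_other)

if __name__ == "__main__":
    print(demo())
```

The mismatched response is always rejected here because the two polynomials differ by the constant 1 and therefore never agree at any $s$.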
