 Hello, everyone. My name is Michael Reichle and I'll be presenting range proofs more specifically efficient range proofs with transparent setup from bounded integer commitments and This is joint work with Shofrell Gutheu, Michael Kluss and Wang Lin So first of all, what are range proofs? Well, it's just a way to show that some hidden but fixed integer X lies in a given range AB and This can be used in a wide range of applications for example anonymous credentials where you might want to show that you have a certain age or anonymous transactions where you might want to show that Your balance that is hidden but fixed is non-negative, so you don't have overspending in your system So before I dive into the construction, I want to Define two primitives that will be necessary. First of all, commitments. So in our case, I will draw Commitments with a blue box around the committed value X with randomness R and then given this commitment C We can open it by providing X and R to a verify and then he can check whether he's convinced by it And we want two main properties The first one being that the commitment should not reveal X So it's hiding and the second one being that the commitment should not be able to be open to something else than X So it binds the proof the committer to X So so far so good. Those are standard Requirements and now For this talk, I want two other requirements The first one being that the message base should be ZQ and this is important for the construction And the second one is homomorphi So we want additive homomorphism and additive homomorphism of the commitment So we want to be able to compute a commitment to X zero plus X one given a commitment to X zero and a commitment to X one and similarly we want to be able to compute the Commitment N times X From a commitment X where NSI scatter So the second permit if I want to introduce our Sigma protocols Here a prover can show to a verify that he knows a witness W for a statement X and Generally, he proceeds as follows. So it's always a three round protocol We are at first the prover commits to a mask of the witness Then he sends the first flow to the verifier the verifier will draw a random challenge and send it to the prover and Based on this the prover will mask the witness with respect to the challenge and also the mask that he previously committed to and Send this to the verifier and then the verify can output one if the transcript is convincing enough for him And we want two properties from this type of protocol The first one being zero knowledge. So we want that transcripts can be simulated without knowledge of W so intuitively the Prover doesn't reveal anything about W when interacting with the verifier and the second one being soundness Which states that a witness W can be extracted from exactly transcripts. So intuitively that means that the prover should know Should know W actually so in range proves we want to show that a committed value Lies inside a given range So for this we need to first of all open the committed value to the verify in a zero-knowledge way for this the verifier received the statement C and the prover has also access to the committed values and the randomness and Then the prover can show to the verifier that he knows the opening by essentially committing to masks M and S In a commitment D sending it to the verifier who draws a random challenge gamma Sends it through the prover and then the prover computes M plus gamma times X and S plus gamma times R and Sends it through a verifier and then the verifier checks whether this relation. So the linear relation between M the mask gamma the challenge and X the committed value holds inside the Commitments that you already received beforehand So for the soundness property and we can actually easily show that if we have two transcripts with the same first flow Then we can just accept Then we can just extract X Equals to that zero minus that one divided by gamma zero minus gamma one mod Q so Yeah, this is essentially very important for later So yeah, keep this in mind and your knowledge is quite easy to show because you just send committed commitments and masked values, so Let's dive deeper into the definition of range proofs and how they can be constructed so essentially the formal definition of a range proof is that we want to have a Serial knowledge proof for the following relation which essentially captures the intuitive relation where you open a Commitment and you show that the opening is Inside the given range AB so the the committed values inside the given range AB and This can be Built by two different approaches the first one being binary decomposition So he essentially you just decompose the value into a Number of bits so essentially just the binary decomposition of it and Then you show that this binary decomposition holds and that all the committed values so the X Is are actually bits and This yields through this leads to quite efficient range proofs in For some the letters what you log setting and it's also the most common approach nowadays and the second approach is Using integer commitments where you essentially show that X is in a B by showing that X minus a and B minus X is bigger or equal to zero and You can show that over the integers by showing that B minus X times X minus a is the sum of four squares and of course for this it's important that you show this over the integers and for this you need integer commitments and Generally this approach leads to Quite large parameters. So or requires quite large parameters and so large proofs and also requires trusted setup Because it's usually based on RSA or class groups with trusted setup so Now we will use this square decomposition in our construction but we Apply a different spin on it. So now we will slightly simplify the Square decomposition so we can show that X is in a B if X minus a is in zero B minus a and if we set B So capital B as B minus a and we can just show that X times B minus X is the sum of four squares in order to show that X is an AB so Essentially, it suffices to show that some integer X is in the range zero B for some integer B So essentially, we can just show that X is in zero B in order to show that X is in a B for any for any bounds a and B and This can even be further optimized by using the three-squared decomposition So we can just show that one plus four times X times B minus X is equal to the sum of three squares this decomposition can be computed very fast and It implies that X is in zero B So this is essentially what we will use and now I will go over the construction. So the setting is that We want to compute we want to build a range proof that uses a fairly generic commitment scheme That commits to values X zero over set Q So X zero is the value for which we want to show that it lies in zero B in the range zero B and We want to avoid trusted setup and we want to avoid we want to optimize efficiency So how do we do that? Well the basic idea is to just twist square decomposition in ZQ So let's just do that. We construct a sigma protocol for showing the three-squared composition So we commit to the X is we first of all come and I mean So we compute the three-squared composition. We commit to the X is And then we do a proof of opening as I shown you before so we send these set The commitments and the commitments of the masks to the verifier the verifier will draw a random challenge and then the prover can just send the The masked witnesses to the verifier and then he can check whether the Prover essentially used Consistent values throughout the proof. So he checks whether the linear relation between mask challenge and witness holds Inside the commitment scheme and also he checks the three-squared composition So I won't go into detail how this can be done. This is quite setting dependence. So I don't want to Go into detail on this for now, but it's essentially quite fast and slow overhead So of course, this is not a Sufficient range proof yet because the three-squared composition in ZQ does not actually imply positivity because even negative values have swears for example and The idea that we had in this paper is essentially to avoid overflows by Ensuring short witnesses and if there's no overflow then essentially we have a normal integer calculation So The one point is that we can't actually check whether Xi is short as a verifier because we don't have access to Xi But we can check whether Zi is short. So Zi Contains Xi so if that is short Xi should also be short intuitively So if we add that check as a verifier We will see that actually the extracted value is not necessarily short because as I've shown you before we can extract x0 from two transcripts Where we set x0 equals set 0 minus set 0 prime divided by gamma minus gamma prime So that's your and that's your prime our check to be short Gamma minus gamma prime is short because the verifier will choose a sufficiently short value but Since we divide more Q the shortness is not necessarily retained This can be seen by a very simple example for example 1 divided by 2 where 1 and 2 is obviously short Will always be able to around half of the modulus. So this is very large And so essentially this doesn't suffice yet But the main idea is essentially that we can map fractions in ZQ to integers via a division in Q so essentially What we do is we encode the committed value 1 divided by 2 mod Q To 1 divided by 2 over the integers and then we round this value So 0.5 rounded is equal to 1 and this actually retains smallness Which is what we need in order to then check the square decomposition of the integers So this yields a integer commitment scheme So essentially we relaxed the original commitment scheme We say that the commitment to z times gamma to the power of minus 1 mod Q In the original commitment and actually commits to the message x equals z divided by gamma and then round it and If we do that then we can verify very simply to a bunch of properties So first of all this is obviously still hiding because It's basically the same commitment scheme as before if gamma is equal to 1 for example then we can just commit to x and We have these standard hiding properties from before So it's also binding if z and gamma are short with respect to the modulus It also retains restricted homomorphic properties. I will go into a bit more detail later and also retains shortness as I've shown before and Also important honest commitments remain unchanged. So we can just say gamma equals 1 So committing to x is essentially just a standard commitment to x if x is short So Yeah, this leads to a bounded integer commitment scheme bounded because the committed values have to be short in order to be binding and So now we can use this in our range proof scheme, so essentially we don't We don't actually change the the range proof itself Because honest commitments remain unchanged so we can just you reuse the same scheme but We now say that The commitments we use are relaxed commitments. So the extracted values are actually short in Z and Then this suffices to actually check that the three the three squared relation holds for the extracted values over the integers So before I dive into a few So before I go over the concrete constructions and their efficiency, I want to talk about a few limitations So the first limitation is the homomorphism as I've mentioned already So honest commitments are just standard commitments and since we want Since we demand the standard commitments came to be additively homomorphic This also holds for honest commitments also small constants and work out fine. So we can just multiply small constants and And everything is is fine So homomorphic holds in this case, but as soon as we have this honest commitments where Where the prover might have gamma not equal to 1 then we don't necessarily have homomorphism That holds and this is even worse for non-equal denominator. So Intuitive this is because if there's two unequal denominators, then we multiply the challenges and at some point they might not be short anymore so This means that you have to be careful About the guarantees of the range proof As it was presented and you also have to ensure that the committed integers as the committed integers are small enough So the second limitation is the group size. This is because we need to ensure that there's no overflow in the square decomposition so We need even a stronger variant of this we need that as we can only check the size of the mask Or essentially the size of the masked witness We need that if the three square decomposition holds for the masked witness Over reset and for this there should not be overflow on either side And that means that there's quite a large requirement for the group size but This can essentially be optimized so The if we have shorter masks, then we have can have a smaller modulus and this can be this can be done via rejection sampling and Also repetitions mean shorter challenges means smaller modulus and Lastly, this is not necessarily Based on the square decomposition, but in general we can apply for your charmier and we can get non-interactive French course So Before I finish my talk, I quickly want to talk about the settings. So in the deluxe setting we Essentially construct a range proof that improves over bulletproofs on in size In lettuces we improve on the on the state of the art for standard lettuces for large patches and In class groups We construct the first concretely efficient unbounded integer commitment scheme without trusted setup in in deloc groups, we essentially just use Patterson commitments With a slight tweak. So we use the Discrete log short exponent assumption in order to have smaller randomness and The decomposition can just be shown using the homomorphic properties of the honest commitment scheme and this yields efficient range proofs for single messages or for single values X and If we compare this to the state of the art and so bulletproofs We can see that we have around 80 to 89 percent of the size of their range proofs and also Interestingly, the proofers work is quite lower and if we compare the group multiplications, of course our groups are larger so this is not necessarily a As large increase in the final computation, but at least it hints that the That the proofers work should be quite a lot faster so Secondly, we instantiated the scheme or this abstract framework in the lettuce setting where we use BDL 18 commitments and Yeah, I don't want to go into too much details But essentially we can show the decomposition with a standard polynomial trick then we perform the range proof for each component and then if we Amortize the range proof over a lot of a lot of values Then we essentially get quite efficient Quite efficient range proofs for a lot of integers and That's the we apply this framework in the class group setting where we have a group G with an order and Essentially, we have two main assumptions the order assumption and the subgroup in the single shillie assumption So in in class group since we have hidden order, we can show that we can extract in a rational number that can be written as set divided by a power of two and Essentially the range proof has the same structure as the dealer version But we require way larger groups because Because class groups in general are fairly large around the size of errors a groups and What we gain for this is that we don't have any bounds on the committed values So we can actually show a Range proof for any Any integer that we want and with that I'm finished and thank you very much for your attention