Hyrax Primitives

We go over various sigma protocols (interactive proofs with just 3 rounds of interaction) that allow the prover to prove various statements on its committed messages without having to open the commitment. For all of these protocols, let $g_{i} \in G$ be the message commitment generators, and $h \in G$ be the blinding generator. Let $F_{p}$ be the scalar field of $G$ . Assume the prover produces the blinding factor $r \in F_{p}$ using a cryptographic PRNG.

Proof of Opening

In a Proof of Opening, $P$ shows that given a commitment $C_{0} = xg + r h$ , $P$ knows the message $x$ and blinding factor $r$ used to generate this commitment.

$P \to V :$ $P$ samples $t_{1}, t_{2} \leftarrow $ F_{p}$ uniformly from the scalar field. $P$ computes and sends over $α = t_{1} g + t_{2} h .$
$V \to P :$ A random challenge $c$ from $F_{p}$ .
$P \to V :$ $z_{1} = x \cdot c + t_{1}$ , and $z_{2} = r \cdot c + t_{2}$ .
$V$ checks: $z_{1} g + z_{2} h = ? c C_{0} + α .$

Proof of Equality

In a Proof of Equality, $P$ convinces $V$ that two commitments $C_{0} = v_{0} g + s_{0} h$ and $C_{1} = v_{1} g + s_{1} h$ commit to the same value, i.e. $v_{0} = v_{1}$ . In other words $P$ knows that $v_{0} = v_{1}$ , but $V$ only has the blinded commitments, which look uniformly random (since $s_{0} h, s_{1} h$ are uniformly randomly distributed in $G$ for uniformly random $s_{0}, s_{1} \in F_{p}$ ).

$P \to V :$ $P$ first uniformly samples a random value $r$ from $F_{p}$ . $P$ computes $α = r h$ and sends to $V$ .
$V \to P :$ A random challenge $c$ from $F_{p}$ .
$P \to V :$ $z = c \cdot (s_{0} - s_{1}) + r$
$V$ checks: $z h = ? c (C_{0} - C_{1}) + α .$

Proof of Product

Proof of product shows that a commitment $Z = z g + r_{Z} h$ is a commitment to the product of the messages committed to in $X = xg + r_{X} h$ and $Y = y g + r_{Y} h .$ In other words, $P$ knows that $x \cdot y = z$ and wants to prove this to $V$ without revealing the messages and just using the commitments.

$P \to V :$ $P$ uniformly samples $b_{1}, \dots, b_{5}$ from $F_{p}$ and computes and sends over $α = b_{1} g + b_{2} h, β = b_{3} g + b_{4} h, δ = b_{3} X + b_{5} h .$
$V \to P :$ A random challenge $c$ from $F_{p}$ .
$P \to V :$ $z_{1} = b_{1} + c \cdot x z_{2} = b_{2} + c \cdot r_{X} z_{3} = b_{3} + c \cdot y z_{4} = b_{4} + c \cdot r_{Y} z_{5} = b_{5} + c \cdot (r_{Z} - r_{X} y)$
$V$ checks: $α + c X = ? z_{1} g + z_{2} h β + c Y = ? z_{3} g + z_{4} h δ + c Z = ? z_{3} X + z_{5} h$

Proof of Dot Product

Given $P$ 's commitment to a vector $x \in F_{p}^{n}$ , $C_{0} = x_{1} g_{1} + x_{2} g_{2} + \dots + x_{n} g_{n} + r_{0} h,$ and a public vector $a$ (known to both $V$ and $P$ ), and $P$ 's commitment to the claimed dot product $⟨ x, a ⟩ = y$ , which is $C_{1} = y g_{1} + r_{1} h,$ $P$ shows $V$ that they know a vector $x$ and blinding $r_{0}$ such that $⟨ x, a ⟩$ is equal to the message committed to in $C_{1}$ , and $C_{0}$ is a vector commitment for $x$ with blinding factor $r_{0}$ .

$P \to V :$ $P$ samples a random vector in $F_{p}^{n}$ , $d$ . $P$ samples $r_{δ}, r_{β}$ and computes and sends

$δ = d_{1} g_{1} + \dots + d_{n} g_{n} + r_{δ} h β = y g_{1} + r_{β} h$

$V \to P :$ A random challenge $c$ from $F_{p}$ .
$P \to V :$

$z = c \cdot x + d z_{δ} = c \cdot r_{0} + r_{δ} z_{β} = c \cdot r_{1} + r_{β}$ 4. $V$ checks:

$c C_{0} + δ = ? z_{1} g_{1} + \dots + z_{n} g_{n} + z_{δ} h c C_{1} + β = ? ⟨ z, a ⟩ g_{1} + z_{β} h$

The Remainder Book

Hyrax Primitives

Proof of Opening

Proof of Equality

Proof of Product

Proof of Dot Product