From d1527d3ecdcacd26d4231cefce8522d2e0d31741 Mon Sep 17 00:00:00 2001 From: curiecrypt Date: Mon, 11 Nov 2024 16:15:22 +0300 Subject: [PATCH 01/14] introduction --- docs/intro.md | 33 ++++++++++++++++++++++++++++++++- src/docs.rs | 2 +- 2 files changed, 33 insertions(+), 2 deletions(-) diff --git a/docs/intro.md b/docs/intro.md index f65718f..7399608 100644 --- a/docs/intro.md +++ b/docs/intro.md @@ -1 +1,32 @@ -**Telescope ALBA** documentation. +- ALBA is a system which allows a prover to _quickly and succinctly_ convince a verifier of their knowledge regarding a large number of _valid elements_, even when presenting only a _subset_. +- It approximates a lower bound on the prover's knowledge which permits a gap between + - what the prover actually knows and + - what the verifier is convinced they know. +- This approach enables efficient proofs, with nearly optimal proof sizes in both _noninteractive_ and _distributed_ settings. +- Key applications: + - Large-scale decentralized signatures, + - Universal composability in general-purpose succinct proof systems. +- Particularly, it provides communication efficiency in decentralized or blockchain contexts where multiple provers share evidence. + +## Overview +- **The protocol** + - The protocol addresses the problem where a prover possesses a large set of verifiable evidence that would be costly to present in its entirety. + - The prover's goal is to convince the verifier of their knowledge by revealing only a subset of this evidence, thus achieving efficiency in both time and communication. + - Given a large set $S_p$ that satisfies a predicate $R$ such that $|S_p| \geq n_p$, the prover wants to convince the verifier that the set contains at least $n_f$ elements, where $n_f$ is a threshold smaller than $n_p$. + - This creates an _approximate_ lower bound, as the verifier is convinced that $S_p$ meets or exceeds a threshold, though the actual size might be greater. + - ALBA achieves efficiency by allowing a small gap between the provable lower bound and the actual knowledge, enabling rapid verification without compromising security. +- **Historical context** + - The concept builds on classic approaches in proof systems, where similar challenges in communication complexity were addressed by using probabilistic techniques or interactive protocols. + - Previous methods were largely theoretical and less efficient for practical, large-scale applications. +- **Design goals** + - ALBA aims to minimize both proof size and computational load, making it feasible for high-throughput settings like blockchain networks. + - The protocol is versatile, supporting both noninteractive proofs in a random oracle model and multi-prover scenarios in decentralized environments. + - This makes it adaptable for contexts where multiple provers collaborate, such as a blockchain where many parties collectively validate transactions. +- **Setup and interaction models** + - Noninteractive Model: + - ALBA provides a noninteractive proof (_NIROPK_) in the random oracle model, where the verifier can extract knowledge directly from observing queries. + - Decentralized Model: + - ALBA is also adapted for decentralized, multi-prover settings, where several entities hold parts of $S_p$ and communicate over a network to jointly prove possession of evidence, achieving efficiency in both communication and computation. +- **Applications** + - ALBA has practical applications in large-scale decentralized signatures and in enhancing universal composability in general-purpose succinct proof systems (such as *SNARK*s). + - These applications are particularly relevant for cryptographic protocols in distributed systems, where rapid verification of large data sets is essential. diff --git a/src/docs.rs b/src/docs.rs index b452890..c69dde0 100644 --- a/src/docs.rs +++ b/src/docs.rs @@ -1,3 +1,3 @@ -//! Telescope-ALBA documentation +//! Approximate Lower Bound Arguments (_ALBA_) documentation. #![doc = include_str!("../docs/intro.md")] From 5220e66d9bfe12d6b643de7308bbbbd51a433be9 Mon Sep 17 00:00:00 2001 From: curiecrypt <36852463+curiecrypt@users.noreply.github.com> Date: Mon, 11 Nov 2024 18:44:26 +0300 Subject: [PATCH 02/14] Apply suggestions from code review Co-authored-by: Raphael --- docs/intro.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/intro.md b/docs/intro.md index 7399608..fbf4ff2 100644 --- a/docs/intro.md +++ b/docs/intro.md @@ -10,18 +10,18 @@ ## Overview - **The protocol** - - The protocol addresses the problem where a prover possesses a large set of verifiable evidence that would be costly to present in its entirety. - - The prover's goal is to convince the verifier of their knowledge by revealing only a subset of this evidence, thus achieving efficiency in both time and communication. - - Given a large set $S_p$ that satisfies a predicate $R$ such that $|S_p| \geq n_p$, the prover wants to convince the verifier that the set contains at least $n_f$ elements, where $n_f$ is a threshold smaller than $n_p$. + - The protocol addresses the problem of succinctly proving knowledge of a large set of verifiable evidence. + - The prover convinces the verifier by revealing only a subset of this evidence, thus achieving efficiency in both time and communication. + - Given a large set $S_p$ that satisfies a predicate $R$ such that $|S_p| \geq n_p$, the prover wants to convince the verifier that the set contains at least $n_f$ elements, where $n_f$ is a threshold strictly smaller than $n_p$. - This creates an _approximate_ lower bound, as the verifier is convinced that $S_p$ meets or exceeds a threshold, though the actual size might be greater. - - ALBA achieves efficiency by allowing a small gap between the provable lower bound and the actual knowledge, enabling rapid verification without compromising security. + - ALBA achieves efficiency by making use of the gap between the provable lower bound and the actual size, enabling rapid verification without compromising security. The greater the gap, the smaller the proof, and the faster its generation. - **Historical context** - The concept builds on classic approaches in proof systems, where similar challenges in communication complexity were addressed by using probabilistic techniques or interactive protocols. - Previous methods were largely theoretical and less efficient for practical, large-scale applications. - **Design goals** - ALBA aims to minimize both proof size and computational load, making it feasible for high-throughput settings like blockchain networks. - - The protocol is versatile, supporting both noninteractive proofs in a random oracle model and multi-prover scenarios in decentralized environments. - - This makes it adaptable for contexts where multiple provers collaborate, such as a blockchain where many parties collectively validate transactions. + - The protocol is versatile and adaptable, supporting non-interactive proofs in both the random oracle and common reference string model as well as allowing multi-prover scenarii in decentralized environments. + - This makes it of special interest for multi-party environment, such as a blockchain where many parties collectively validate transactions. - **Setup and interaction models** - Noninteractive Model: - ALBA provides a noninteractive proof (_NIROPK_) in the random oracle model, where the verifier can extract knowledge directly from observing queries. From a8c1b58ac689de94a6cf219a9d4b4d4e625909ad Mon Sep 17 00:00:00 2001 From: curiecrypt Date: Mon, 11 Nov 2024 19:05:16 +0300 Subject: [PATCH 03/14] readme v0 --- README.md | 31 ++++++++++++++++++++++++++----- src/lib.rs | 2 -- 2 files changed, 26 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 3c80eef..ef05e23 100644 --- a/README.md +++ b/README.md @@ -1,11 +1,32 @@ # ALBA +This is the rust library of _Approximate Lower Bound Arguments_ proposed in the [paper](https://iohk.io/en/research/library/papers/approximate-lower-bound-arguments/), May 2024, Eurocrypt'24 by _Pyrros Chaidos, Prof Aggelos Kiayias, Leonid Reyzin, Anatoliy Zinovyev_. -Implementation of _Approximate Lower Bound Arguments_ from the [paper](https://iohk.io/en/research/library/papers/approximate-lower-bound-arguments/) published by IOG Research: +### Introduction +The ALBA system enables a prover to efficiently demonstrate their knowledge of a large set of valid elements to a verifier, while only needing to present a smaller portion of these elements. By approximating a lower bound on the prover's knowledge, ALBA allows a controlled gap between the prover's actual knowledge and what the verifier believes they know. This design results in highly efficient proofs, achieving nearly optimal proof sizes in both noninteractive and distributed environments. ALBA's primary applications include large-scale decentralized signature schemes and achieving universal composability in general-purpose succinct proof systems. It is particularly well-suited for decentralized or blockchain scenarios, where it enhances communication efficiency among multiple provers sharing evidence. -> **Approximate Lower Bound Arguments**, _Pyrros Chaidos, Prof Aggelos Kiayias, Leonid Reyzin, Anatoliy Zinovyev_, May 2024, Eurocrypt'24 +The paper introduces various ALBA protocol constructions tailored to different needs. The basic construction enables a prover to show possession of a large set by creating a proof sequence of elements that meet staged hash-based conditions, efficiently excluding small sets. Pre-hashing improves this by precomputing hashes to group elements into “bins,” reducing computation and enhancing performance, especially with large sets. For smaller sets, the generalized Telescope scheme allows multiple attempts to form a proof, adjusting parameters to maintain efficiency across sizes. Decentralized versions of ALBA include the Simple Lottery Construction, where each party holding an element decides to share it based on a random “lottery” mechanism, with an aggregator forming the proof from a target number of shared elements. The Decentralized Telescope adapts the Telescope scheme for multiple parties, who individually apply it and share qualifying elements with an aggregator. Finally, the weighted extension supports elements with integer weights, allowing the prover to meet a total weight threshold, making ALBA versatile for contexts where elements have varying significance. + +The library covers the following constructions of the ALBA protocol: +1. Centralized Telescope +2. Simple Lottery Construction +3. Decentralized Telescope +4. Wighted-Decentralized Telescope + +### Disclaimer -> [!IMPORTANT] > This code is NOT fit for production, it's not been optimised, thoroughly tested, nor audited by competent cryptographers. -> Its one and only purpose is to help people who are more familiar with code than equations to have a better understanding of ALBAs +> Its one and only purpose is to help people who are more familiar with code than equations to have a better understanding of ALBAs. + +### Documentation +👉 We deliver comprehensive [documentation][crate::docs] aimed at connecting theory with practical implementation. + +👉 Checkout website on this [link](https://alba.cardano-scaling.org). + +### Compiling the library +Compile the library: +```shell +cargo build --release +``` -👉 Checkout documentation on https://alba.cardano-scaling.org +### Tests and Benchmarks +Run tests with `cargo test`. Run benchmarks with `cargo bench`. diff --git a/src/lib.rs b/src/lib.rs index e3ba07f..eb0baf3 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -1,8 +1,6 @@ // #![deny(missing_docs)] #![doc = include_str!("../README.md")] -//! An implementation of Approximate Lower Bound Arguments -//! (ALBA, ). mod utils; pub mod centralized_telescope; From 58867cb09d9ca90e0f496854cdf0f412321b769a Mon Sep 17 00:00:00 2001 From: curiecrypt Date: Mon, 11 Nov 2024 19:08:53 +0300 Subject: [PATCH 04/14] typo --- docs/intro.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/intro.md b/docs/intro.md index fbf4ff2..63b1918 100644 --- a/docs/intro.md +++ b/docs/intro.md @@ -20,7 +20,7 @@ - Previous methods were largely theoretical and less efficient for practical, large-scale applications. - **Design goals** - ALBA aims to minimize both proof size and computational load, making it feasible for high-throughput settings like blockchain networks. - - The protocol is versatile and adaptable, supporting non-interactive proofs in both the random oracle and common reference string model as well as allowing multi-prover scenarii in decentralized environments. + - The protocol is versatile and adaptable, supporting non-interactive proofs in both the random oracle and common reference string model as well as allowing multi-prover scenario in decentralized environments. - This makes it of special interest for multi-party environment, such as a blockchain where many parties collectively validate transactions. - **Setup and interaction models** - Noninteractive Model: From 9b2b54026dfe31773d694388dd71643610049d35 Mon Sep 17 00:00:00 2001 From: curiecrypt <36852463+curiecrypt@users.noreply.github.com> Date: Mon, 11 Nov 2024 19:10:31 +0300 Subject: [PATCH 05/14] Apply suggestions from code review v1 Co-authored-by: Raphael --- docs/intro.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/intro.md b/docs/intro.md index 63b1918..f7a01f9 100644 --- a/docs/intro.md +++ b/docs/intro.md @@ -2,7 +2,7 @@ - It approximates a lower bound on the prover's knowledge which permits a gap between - what the prover actually knows and - what the verifier is convinced they know. -- This approach enables efficient proofs, with nearly optimal proof sizes in both _noninteractive_ and _distributed_ settings. +- This approach enables efficient proofs, with nearly optimal proof sizes in both _non-interactive_ and _distributed_ settings. - Key applications: - Large-scale decentralized signatures, - Universal composability in general-purpose succinct proof systems. @@ -23,8 +23,8 @@ - The protocol is versatile and adaptable, supporting non-interactive proofs in both the random oracle and common reference string model as well as allowing multi-prover scenario in decentralized environments. - This makes it of special interest for multi-party environment, such as a blockchain where many parties collectively validate transactions. - **Setup and interaction models** - - Noninteractive Model: - - ALBA provides a noninteractive proof (_NIROPK_) in the random oracle model, where the verifier can extract knowledge directly from observing queries. + - Non-interactive Model: + - ALBA provides a non-interactive proof of knowledge in the random oracle model (_NIROPK_), where the verifier can extract knowledge directly from observing queries. - Decentralized Model: - ALBA is also adapted for decentralized, multi-prover settings, where several entities hold parts of $S_p$ and communicate over a network to jointly prove possession of evidence, achieving efficiency in both communication and computation. - **Applications** From 79303c64b11aac58ce215c9e0ac93773736c7fd3 Mon Sep 17 00:00:00 2001 From: curiecrypt Date: Mon, 11 Nov 2024 20:21:59 +0300 Subject: [PATCH 06/14] addressing the review suggestions v0 --- docs/intro.md | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/docs/intro.md b/docs/intro.md index f7a01f9..a78afae 100644 --- a/docs/intro.md +++ b/docs/intro.md @@ -1,12 +1,9 @@ -- ALBA is a system which allows a prover to _quickly and succinctly_ convince a verifier of their knowledge regarding a large number of _valid elements_, even when presenting only a _subset_. -- It approximates a lower bound on the prover's knowledge which permits a gap between - - what the prover actually knows and - - what the verifier is convinced they know. -- This approach enables efficient proofs, with nearly optimal proof sizes in both _non-interactive_ and _distributed_ settings. -- Key applications: - - Large-scale decentralized signatures, - - Universal composability in general-purpose succinct proof systems. -- Particularly, it provides communication efficiency in decentralized or blockchain contexts where multiple provers share evidence. +- Assume that, a prover, who has a large collection of data, wants to convince a verifier that their set contains at least a minimum number of items that satisfy a specific condition, known as a predicate, even if the prover only shares a portion of it. +- The Approximate Lower Bound Argument (ALBA) protocol is a new cryptographic primitive that solves this problem efficiently. +- The protocol makes use of a small gap between the size of what the prover actually has and the threshold the verifier knows they have. +- . This gap makes ALBA very efficient, as it reduces the data the prover needs to share, enabling compact and efficient proofs. +- ALBA also supports weighted items, where each item has an assigned importance or weight. This allows the prover to demonstrate that the total weight of their set meets a required threshold, rather than simply the count of items. +- ALBA supports scalable and efficient proof mechanisms in decentralized systems, i.e., voting schemes. ## Overview - **The protocol** @@ -27,6 +24,3 @@ - ALBA provides a non-interactive proof of knowledge in the random oracle model (_NIROPK_), where the verifier can extract knowledge directly from observing queries. - Decentralized Model: - ALBA is also adapted for decentralized, multi-prover settings, where several entities hold parts of $S_p$ and communicate over a network to jointly prove possession of evidence, achieving efficiency in both communication and computation. -- **Applications** - - ALBA has practical applications in large-scale decentralized signatures and in enhancing universal composability in general-purpose succinct proof systems (such as *SNARK*s). - - These applications are particularly relevant for cryptographic protocols in distributed systems, where rapid verification of large data sets is essential. From 822bbaa5554319bda55d332346a34a2296f9e425 Mon Sep 17 00:00:00 2001 From: curiecrypt Date: Mon, 11 Nov 2024 20:31:37 +0300 Subject: [PATCH 07/14] Readme corrected --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index ef05e23..a382f40 100644 --- a/README.md +++ b/README.md @@ -2,9 +2,9 @@ This is the rust library of _Approximate Lower Bound Arguments_ proposed in the [paper](https://iohk.io/en/research/library/papers/approximate-lower-bound-arguments/), May 2024, Eurocrypt'24 by _Pyrros Chaidos, Prof Aggelos Kiayias, Leonid Reyzin, Anatoliy Zinovyev_. ### Introduction -The ALBA system enables a prover to efficiently demonstrate their knowledge of a large set of valid elements to a verifier, while only needing to present a smaller portion of these elements. By approximating a lower bound on the prover's knowledge, ALBA allows a controlled gap between the prover's actual knowledge and what the verifier believes they know. This design results in highly efficient proofs, achieving nearly optimal proof sizes in both noninteractive and distributed environments. ALBA's primary applications include large-scale decentralized signature schemes and achieving universal composability in general-purpose succinct proof systems. It is particularly well-suited for decentralized or blockchain scenarios, where it enhances communication efficiency among multiple provers sharing evidence. +ALBA enables a prover who has a large collection of data to convince a verifier that their set includes at least a minimum number of items that meet a specific condition, called a predicate, even though the prover only reveals a subset of the data. By approximating a lower bound on the prover's knowledge, ALBA makes use of a controlled gap between the size of prover's actual knowledge and the threshold of the verifier checks they know. This design results in highly efficient proofs, achieving nearly optimal proof sizes in both non-interactive and distributed environments. ALBA's primary applications include large-scale decentralized signature schemes. It is particularly well-suited for decentralized or blockchain scenarios, where it enhances communication efficiency among multiple provers sharing evidence. -The paper introduces various ALBA protocol constructions tailored to different needs. The basic construction enables a prover to show possession of a large set by creating a proof sequence of elements that meet staged hash-based conditions, efficiently excluding small sets. Pre-hashing improves this by precomputing hashes to group elements into “bins,” reducing computation and enhancing performance, especially with large sets. For smaller sets, the generalized Telescope scheme allows multiple attempts to form a proof, adjusting parameters to maintain efficiency across sizes. Decentralized versions of ALBA include the Simple Lottery Construction, where each party holding an element decides to share it based on a random “lottery” mechanism, with an aggregator forming the proof from a target number of shared elements. The Decentralized Telescope adapts the Telescope scheme for multiple parties, who individually apply it and share qualifying elements with an aggregator. Finally, the weighted extension supports elements with integer weights, allowing the prover to meet a total weight threshold, making ALBA versatile for contexts where elements have varying significance. +The paper introduces various ALBA protocol constructions tailored to different needs. The basic construction enables a prover to show possession of a large set by creating a proof sequence of elements that meet staged hash-based conditions, efficiently excluding small sets. _Pre-hashing_ improves this by precomputing hashes to group elements into _bins_, reducing computation and enhancing performance, especially with large sets. For smaller sets, the generalized Telescope scheme allows multiple attempts to form a proof, adjusting parameters to maintain efficiency across sizes. Decentralized versions of ALBA include the _Simple Lottery Construction_, where each party holding an element decides to share it based on a random _lottery_ mechanism, with an aggregator forming the proof from a target number of shared elements. The _Decentralized Telescope_ adapts the Telescope scheme for multiple parties, who individually apply it and share qualifying elements with an aggregator. Finally, the weighted extension supports elements with integer weights, allowing the prover to meet a total weight threshold, making ALBA versatile for contexts where elements have varying significance. The library covers the following constructions of the ALBA protocol: 1. Centralized Telescope From 49712eacac1d25d83cf51a9d5a5fb39935bd6fa2 Mon Sep 17 00:00:00 2001 From: curiecrypt Date: Tue, 12 Nov 2024 19:05:38 +0300 Subject: [PATCH 08/14] variable mapping v0 --- docs/varmap.md | 24 ++++++++++++++++++++++++ src/docs.rs | 3 +++ 2 files changed, 27 insertions(+) create mode 100644 docs/varmap.md diff --git a/docs/varmap.md b/docs/varmap.md new file mode 100644 index 0000000..59f19f7 --- /dev/null +++ b/docs/varmap.md @@ -0,0 +1,24 @@ +In the [paper](https://iohk.io/en/research/library/papers/approximate-lower-bound-arguments/), numerous variables are represented by various letters. To enhance the simplicity and readability of our code, we have opted for descriptive names. A mapping between the variable names used in the paper and those in the code is provided for reference. + + +| Paper | Code | +|--------------------|--------------------------------------------------------------------------------------------------| +| $\lambda_{sec}$ | [`soundness_param`][crate::centralized_telescope::params::Params::soundness_param] | +| $\lambda_{rel}$ | [`completeness_param`][crate::centralized_telescope::params::Params::completeness_param] | +| $S_p$ | `prover_set` | +| $n_p$ | [`set_size`][crate::centralized_telescope::params::Params::set_size] | +| $n_f$ | [`lower_bound`][crate::centralized_telescope::params::Params::lower_bound] | +| $u$ | [`proof_size`][crate::centralized_telescope::setup::Setup::proof_size] | +| $r$ | [`max_retries`][crate::centralized_telescope::setup::Setup::max_retries] | +| $d$ | [`search_width`][crate::centralized_telescope::setup::Setup::search_width] | +| $q$ | [`valid_proof_probability`][crate::centralized_telescope::setup::Setup::valid_proof_probability] | +| $b$ | [`dfs_bound`][crate::centralized_telescope::setup::Setup::dfs_bound] | +| $v$ | `retry_counter` | +| $t$ | `search_counter` | +| $H_0$ | `bin_hash` | +| $H_1$ | `round_hash` | +| $H_2$ | `proof_hash` | +| $s_i$ | `Element` | +| $s_1, \ldots, s_u$ | `element_sequence` | +| $p$ | [`lottery_probability`][crate::simple_lottery::setup::Setup::lottery_probability] | + diff --git a/src/docs.rs b/src/docs.rs index c69dde0..8295dff 100644 --- a/src/docs.rs +++ b/src/docs.rs @@ -1,3 +1,6 @@ //! Approximate Lower Bound Arguments (_ALBA_) documentation. #![doc = include_str!("../docs/intro.md")] + +#[doc = include_str!("../docs/varmap.md")] +pub mod variables {} From 01b8e6924b092f3daab842e0f0cdf894bc26624a Mon Sep 17 00:00:00 2001 From: curiecrypt Date: Tue, 12 Nov 2024 19:18:40 +0300 Subject: [PATCH 09/14] variable mapping v1 --- docs/varmap.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/varmap.md b/docs/varmap.md index 59f19f7..30e344c 100644 --- a/docs/varmap.md +++ b/docs/varmap.md @@ -21,4 +21,5 @@ In the [paper](https://iohk.io/en/research/library/papers/approximate-lower-boun | $s_i$ | `Element` | | $s_1, \ldots, s_u$ | `element_sequence` | | $p$ | [`lottery_probability`][crate::simple_lottery::setup::Setup::lottery_probability] | +| $limit$ | `step` | From e9f5d3ce522c6575bda10892c1232595296912b4 Mon Sep 17 00:00:00 2001 From: curiecrypt Date: Wed, 13 Nov 2024 19:04:05 +0300 Subject: [PATCH 10/14] readme example --- README.md | 4 +++- docs/varmap.md | 2 ++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index a382f40..fde8910 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,9 @@ This is the rust library of _Approximate Lower Bound Arguments_ proposed in the [paper](https://iohk.io/en/research/library/papers/approximate-lower-bound-arguments/), May 2024, Eurocrypt'24 by _Pyrros Chaidos, Prof Aggelos Kiayias, Leonid Reyzin, Anatoliy Zinovyev_. ### Introduction -ALBA enables a prover who has a large collection of data to convince a verifier that their set includes at least a minimum number of items that meet a specific condition, called a predicate, even though the prover only reveals a subset of the data. By approximating a lower bound on the prover's knowledge, ALBA makes use of a controlled gap between the size of prover's actual knowledge and the threshold of the verifier checks they know. This design results in highly efficient proofs, achieving nearly optimal proof sizes in both non-interactive and distributed environments. ALBA's primary applications include large-scale decentralized signature schemes. It is particularly well-suited for decentralized or blockchain scenarios, where it enhances communication efficiency among multiple provers sharing evidence. +ALBA enables a prover who has a large collection of data to convince a verifier that their set includes at least a minimum number of items that meet a specific condition, called a predicate, even though the prover only reveals a subset of the data. By approximating a lower bound on the prover's knowledge, ALBA makes use of a controlled gap between the size of prover's actual knowledge and the threshold of the verifier checks they know. This design results in highly efficient proofs, achieving nearly optimal proof sizes in both non-interactive and distributed environments. ALBA's primary applications include large-scale decentralized signature schemes. It is particularly well-suited for decentralized or blockchain scenarios, where it enhances communication efficiency among multiple provers sharing witness. + +In a decentralized voting system, participants (voters) submit votes that support different options or candidates. To validate the results without revealing individual votes, an ALBA protocol could be used. Each voter's choice can be considered an _element_ that meets a certain predicate (e.g., a valid vote for a candidate). Instead of tallying every vote publicly, ALBA allows an aggregator (like an election authority) to generate a compact proof showing that a sufficient number of valid votes has been cast for each candidate to meet the required threshold for a decision (such as reaching a quorum or winning a majority). This approach keeps individual votes private while enabling quick, efficient validation of the voting outcome, making it particularly useful for secure, private, and scalable voting systems where privacy and efficiency are critical. The paper introduces various ALBA protocol constructions tailored to different needs. The basic construction enables a prover to show possession of a large set by creating a proof sequence of elements that meet staged hash-based conditions, efficiently excluding small sets. _Pre-hashing_ improves this by precomputing hashes to group elements into _bins_, reducing computation and enhancing performance, especially with large sets. For smaller sets, the generalized Telescope scheme allows multiple attempts to form a proof, adjusting parameters to maintain efficiency across sizes. Decentralized versions of ALBA include the _Simple Lottery Construction_, where each party holding an element decides to share it based on a random _lottery_ mechanism, with an aggregator forming the proof from a target number of shared elements. The _Decentralized Telescope_ adapts the Telescope scheme for multiple parties, who individually apply it and share qualifying elements with an aggregator. Finally, the weighted extension supports elements with integer weights, allowing the prover to meet a total weight threshold, making ALBA versatile for contexts where elements have varying significance. diff --git a/docs/varmap.md b/docs/varmap.md index 30e344c..2b55121 100644 --- a/docs/varmap.md +++ b/docs/varmap.md @@ -1,3 +1,5 @@ +Variable name mapping. + In the [paper](https://iohk.io/en/research/library/papers/approximate-lower-bound-arguments/), numerous variables are represented by various letters. To enhance the simplicity and readability of our code, we have opted for descriptive names. A mapping between the variable names used in the paper and those in the code is provided for reference. From a71b273b80ebd5335d09978997033aa8172d1950 Mon Sep 17 00:00:00 2001 From: curiecrypt Date: Wed, 13 Nov 2024 19:04:56 +0300 Subject: [PATCH 11/14] Capital letter Rust --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index fde8910..2e9f0b6 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ # ALBA -This is the rust library of _Approximate Lower Bound Arguments_ proposed in the [paper](https://iohk.io/en/research/library/papers/approximate-lower-bound-arguments/), May 2024, Eurocrypt'24 by _Pyrros Chaidos, Prof Aggelos Kiayias, Leonid Reyzin, Anatoliy Zinovyev_. +This is the Rust library of _Approximate Lower Bound Arguments_ proposed in the [paper](https://iohk.io/en/research/library/papers/approximate-lower-bound-arguments/), May 2024, Eurocrypt'24 by _Pyrros Chaidos, Prof Aggelos Kiayias, Leonid Reyzin, Anatoliy Zinovyev_. ### Introduction ALBA enables a prover who has a large collection of data to convince a verifier that their set includes at least a minimum number of items that meet a specific condition, called a predicate, even though the prover only reveals a subset of the data. By approximating a lower bound on the prover's knowledge, ALBA makes use of a controlled gap between the size of prover's actual knowledge and the threshold of the verifier checks they know. This design results in highly efficient proofs, achieving nearly optimal proof sizes in both non-interactive and distributed environments. ALBA's primary applications include large-scale decentralized signature schemes. It is particularly well-suited for decentralized or blockchain scenarios, where it enhances communication efficiency among multiple provers sharing witness. From 945695a0a43c34e07c95d6b3811537ba19373adf Mon Sep 17 00:00:00 2001 From: curiecrypt <36852463+curiecrypt@users.noreply.github.com> Date: Thu, 14 Nov 2024 15:58:52 +0300 Subject: [PATCH 12/14] Apply suggestions from code review Co-authored-by: Raphael Co-authored-by: Tolik Zinovyev --- README.md | 4 ++-- docs/intro.md | 7 +++---- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 2e9f0b6..0118e39 100644 --- a/README.md +++ b/README.md @@ -4,9 +4,9 @@ This is the Rust library of _Approximate Lower Bound Arguments_ proposed in the ### Introduction ALBA enables a prover who has a large collection of data to convince a verifier that their set includes at least a minimum number of items that meet a specific condition, called a predicate, even though the prover only reveals a subset of the data. By approximating a lower bound on the prover's knowledge, ALBA makes use of a controlled gap between the size of prover's actual knowledge and the threshold of the verifier checks they know. This design results in highly efficient proofs, achieving nearly optimal proof sizes in both non-interactive and distributed environments. ALBA's primary applications include large-scale decentralized signature schemes. It is particularly well-suited for decentralized or blockchain scenarios, where it enhances communication efficiency among multiple provers sharing witness. -In a decentralized voting system, participants (voters) submit votes that support different options or candidates. To validate the results without revealing individual votes, an ALBA protocol could be used. Each voter's choice can be considered an _element_ that meets a certain predicate (e.g., a valid vote for a candidate). Instead of tallying every vote publicly, ALBA allows an aggregator (like an election authority) to generate a compact proof showing that a sufficient number of valid votes has been cast for each candidate to meet the required threshold for a decision (such as reaching a quorum or winning a majority). This approach keeps individual votes private while enabling quick, efficient validation of the voting outcome, making it particularly useful for secure, private, and scalable voting systems where privacy and efficiency are critical. +In a decentralized voting system, participants (voters) submit votes that support different options or candidates. To validate the results without revealing all individual votes, an ALBA protocol could be used. Each voter's choice can be considered an _element_ that meets a certain predicate (e.g., a valid vote for a candidate). Instead of tallying every vote publicly, ALBA allows an aggregator (like an election authority) to generate a compact proof showing that a sufficient number of valid votes has been cast for each candidate to meet the required threshold for a decision (such as reaching a quorum or winning a majority). Combining ALBA with zero-knowledge technology such as zkSNARKs, we can efficiently keep individual votes private while enabling quick, efficient validation of the voting outcome, making it particularly useful for secure, private, and scalable voting systems where privacy and efficiency are critical. -The paper introduces various ALBA protocol constructions tailored to different needs. The basic construction enables a prover to show possession of a large set by creating a proof sequence of elements that meet staged hash-based conditions, efficiently excluding small sets. _Pre-hashing_ improves this by precomputing hashes to group elements into _bins_, reducing computation and enhancing performance, especially with large sets. For smaller sets, the generalized Telescope scheme allows multiple attempts to form a proof, adjusting parameters to maintain efficiency across sizes. Decentralized versions of ALBA include the _Simple Lottery Construction_, where each party holding an element decides to share it based on a random _lottery_ mechanism, with an aggregator forming the proof from a target number of shared elements. The _Decentralized Telescope_ adapts the Telescope scheme for multiple parties, who individually apply it and share qualifying elements with an aggregator. Finally, the weighted extension supports elements with integer weights, allowing the prover to meet a total weight threshold, making ALBA versatile for contexts where elements have varying significance. +The paper introduces various ALBA protocol constructions tailored to different needs. The basic construction allows a prover to show possession of a large set by creating a proof sequence of elements that meet staged hash-based conditions, efficiently excluding small sets. _Pre-hashing_ improves this by precomputing hashes to group elements into _bins_, reducing computation and enhancing performance, especially with large sets. For smaller sets, the generalized Telescope scheme allows multiple attempts to form a proof, adjusting parameters to maintain efficiency across sizes. Decentralized versions of ALBA include the _Simple Lottery Construction_, where each party holding an element decides to share it based on a random _lottery_ mechanism, with an aggregator forming the proof from a target number of shared elements. The _Decentralized Telescope_ adapts the Telescope scheme for multiple parties, who individually apply it and share qualifying elements with an aggregator. Finally, the weighted extension supports elements with integer weights, allowing the prover to meet a total weight threshold, making ALBA versatile for contexts where elements have varying significance. The library covers the following constructions of the ALBA protocol: 1. Centralized Telescope diff --git a/docs/intro.md b/docs/intro.md index a78afae..bdab535 100644 --- a/docs/intro.md +++ b/docs/intro.md @@ -1,15 +1,14 @@ - Assume that, a prover, who has a large collection of data, wants to convince a verifier that their set contains at least a minimum number of items that satisfy a specific condition, known as a predicate, even if the prover only shares a portion of it. - The Approximate Lower Bound Argument (ALBA) protocol is a new cryptographic primitive that solves this problem efficiently. -- The protocol makes use of a small gap between the size of what the prover actually has and the threshold the verifier knows they have. -- . This gap makes ALBA very efficient, as it reduces the data the prover needs to share, enabling compact and efficient proofs. +- The protocol makes use of a small gap between the size of what the prover actually has and the threshold the verifier knows they have, enabling small proofs and short prover and verifier running times. - ALBA also supports weighted items, where each item has an assigned importance or weight. This allows the prover to demonstrate that the total weight of their set meets a required threshold, rather than simply the count of items. - ALBA supports scalable and efficient proof mechanisms in decentralized systems, i.e., voting schemes. ## Overview - **The protocol** - The protocol addresses the problem of succinctly proving knowledge of a large set of verifiable evidence. - - The prover convinces the verifier by revealing only a subset of this evidence, thus achieving efficiency in both time and communication. - - Given a large set $S_p$ that satisfies a predicate $R$ such that $|S_p| \geq n_p$, the prover wants to convince the verifier that the set contains at least $n_f$ elements, where $n_f$ is a threshold strictly smaller than $n_p$. + - The prover convinces the verifier by revealing only a subset of this evidence, thus achieving efficiency in both proof size and communication. + - Given a large set $S_p$ that satisfies a predicate $R$ such that $|S_p| \geq n_p$, the prover wants to convince the verifier that the set contains more than $n_f$ elements, where $n_f$ is a threshold strictly smaller than $n_p$. - This creates an _approximate_ lower bound, as the verifier is convinced that $S_p$ meets or exceeds a threshold, though the actual size might be greater. - ALBA achieves efficiency by making use of the gap between the provable lower bound and the actual size, enabling rapid verification without compromising security. The greater the gap, the smaller the proof, and the faster its generation. - **Historical context** From 77afbea326a4d0ea5d9ebad77657c06e902ea30b Mon Sep 17 00:00:00 2001 From: curiecrypt Date: Thu, 14 Nov 2024 16:06:40 +0300 Subject: [PATCH 13/14] minor corrections - review suggestions --- README.md | 6 +++--- docs/intro.md | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 0118e39..651ed69 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,8 @@ # ALBA -This is the Rust library of _Approximate Lower Bound Arguments_ proposed in the [paper](https://iohk.io/en/research/library/papers/approximate-lower-bound-arguments/), May 2024, Eurocrypt'24 by _Pyrros Chaidos, Prof Aggelos Kiayias, Leonid Reyzin, Anatoliy Zinovyev_. +This is a Rust library of _Approximate Lower Bound Arguments_ proposed in the [paper](https://iohk.io/en/research/library/papers/approximate-lower-bound-arguments/), May 2024, Eurocrypt'24 by _Pyrros Chaidos, Aggelos Kiayias, Leonid Reyzin, Anatoliy Zinovyev_. ### Introduction -ALBA enables a prover who has a large collection of data to convince a verifier that their set includes at least a minimum number of items that meet a specific condition, called a predicate, even though the prover only reveals a subset of the data. By approximating a lower bound on the prover's knowledge, ALBA makes use of a controlled gap between the size of prover's actual knowledge and the threshold of the verifier checks they know. This design results in highly efficient proofs, achieving nearly optimal proof sizes in both non-interactive and distributed environments. ALBA's primary applications include large-scale decentralized signature schemes. It is particularly well-suited for decentralized or blockchain scenarios, where it enhances communication efficiency among multiple provers sharing witness. +ALBA enables a prover who has a large collection of data to convince a verifier that their set includes at least a minimum number of elements that meet a specific condition, called a predicate, even though the prover only reveals a subset of the data. By approximating a lower bound on the prover's knowledge, ALBA makes use of a controlled gap between the size of prover's actual knowledge and the threshold of the verifier checks they know. This design results in highly efficient proofs, achieving nearly optimal proof sizes in both non-interactive and distributed environments. ALBA's primary applications include large-scale decentralized signature schemes. It is particularly well-suited for decentralized or blockchain scenarios, where it enhances communication efficiency among multiple provers sharing witness. In a decentralized voting system, participants (voters) submit votes that support different options or candidates. To validate the results without revealing all individual votes, an ALBA protocol could be used. Each voter's choice can be considered an _element_ that meets a certain predicate (e.g., a valid vote for a candidate). Instead of tallying every vote publicly, ALBA allows an aggregator (like an election authority) to generate a compact proof showing that a sufficient number of valid votes has been cast for each candidate to meet the required threshold for a decision (such as reaching a quorum or winning a majority). Combining ALBA with zero-knowledge technology such as zkSNARKs, we can efficiently keep individual votes private while enabling quick, efficient validation of the voting outcome, making it particularly useful for secure, private, and scalable voting systems where privacy and efficiency are critical. @@ -17,7 +17,7 @@ The library covers the following constructions of the ALBA protocol: ### Disclaimer > This code is NOT fit for production, it's not been optimised, thoroughly tested, nor audited by competent cryptographers. -> Its one and only purpose is to help people who are more familiar with code than equations to have a better understanding of ALBAs. +> Its one and only purpose is to help people who are more familiar with code than equations to prototype larger protocols using ALBA. ### Documentation 👉 We deliver comprehensive [documentation][crate::docs] aimed at connecting theory with practical implementation. diff --git a/docs/intro.md b/docs/intro.md index bdab535..8abdb2d 100644 --- a/docs/intro.md +++ b/docs/intro.md @@ -1,7 +1,7 @@ -- Assume that, a prover, who has a large collection of data, wants to convince a verifier that their set contains at least a minimum number of items that satisfy a specific condition, known as a predicate, even if the prover only shares a portion of it. +- Assume that, a prover, who has a large collection of data, wants to convince a verifier that their set contains at least a minimum number of elements that satisfy a specific condition, known as a predicate, even if the prover only shares a portion of it. - The Approximate Lower Bound Argument (ALBA) protocol is a new cryptographic primitive that solves this problem efficiently. - The protocol makes use of a small gap between the size of what the prover actually has and the threshold the verifier knows they have, enabling small proofs and short prover and verifier running times. -- ALBA also supports weighted items, where each item has an assigned importance or weight. This allows the prover to demonstrate that the total weight of their set meets a required threshold, rather than simply the count of items. +- ALBA also supports weighted elements, where each element has an assigned importance or weight. This allows the prover to demonstrate that the total weight of their set meets a required threshold, rather than simply the count of elements. - ALBA supports scalable and efficient proof mechanisms in decentralized systems, i.e., voting schemes. ## Overview From 01e001a6917bd9a696957efe1410a975dada757c Mon Sep 17 00:00:00 2001 From: curiecrypt Date: Thu, 14 Nov 2024 16:17:49 +0300 Subject: [PATCH 14/14] splitting each sentence to a single line --- README.md | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 651ed69..ae641d7 100644 --- a/README.md +++ b/README.md @@ -2,11 +2,25 @@ This is a Rust library of _Approximate Lower Bound Arguments_ proposed in the [paper](https://iohk.io/en/research/library/papers/approximate-lower-bound-arguments/), May 2024, Eurocrypt'24 by _Pyrros Chaidos, Aggelos Kiayias, Leonid Reyzin, Anatoliy Zinovyev_. ### Introduction -ALBA enables a prover who has a large collection of data to convince a verifier that their set includes at least a minimum number of elements that meet a specific condition, called a predicate, even though the prover only reveals a subset of the data. By approximating a lower bound on the prover's knowledge, ALBA makes use of a controlled gap between the size of prover's actual knowledge and the threshold of the verifier checks they know. This design results in highly efficient proofs, achieving nearly optimal proof sizes in both non-interactive and distributed environments. ALBA's primary applications include large-scale decentralized signature schemes. It is particularly well-suited for decentralized or blockchain scenarios, where it enhances communication efficiency among multiple provers sharing witness. - -In a decentralized voting system, participants (voters) submit votes that support different options or candidates. To validate the results without revealing all individual votes, an ALBA protocol could be used. Each voter's choice can be considered an _element_ that meets a certain predicate (e.g., a valid vote for a candidate). Instead of tallying every vote publicly, ALBA allows an aggregator (like an election authority) to generate a compact proof showing that a sufficient number of valid votes has been cast for each candidate to meet the required threshold for a decision (such as reaching a quorum or winning a majority). Combining ALBA with zero-knowledge technology such as zkSNARKs, we can efficiently keep individual votes private while enabling quick, efficient validation of the voting outcome, making it particularly useful for secure, private, and scalable voting systems where privacy and efficiency are critical. - -The paper introduces various ALBA protocol constructions tailored to different needs. The basic construction allows a prover to show possession of a large set by creating a proof sequence of elements that meet staged hash-based conditions, efficiently excluding small sets. _Pre-hashing_ improves this by precomputing hashes to group elements into _bins_, reducing computation and enhancing performance, especially with large sets. For smaller sets, the generalized Telescope scheme allows multiple attempts to form a proof, adjusting parameters to maintain efficiency across sizes. Decentralized versions of ALBA include the _Simple Lottery Construction_, where each party holding an element decides to share it based on a random _lottery_ mechanism, with an aggregator forming the proof from a target number of shared elements. The _Decentralized Telescope_ adapts the Telescope scheme for multiple parties, who individually apply it and share qualifying elements with an aggregator. Finally, the weighted extension supports elements with integer weights, allowing the prover to meet a total weight threshold, making ALBA versatile for contexts where elements have varying significance. +ALBA enables a prover who has a large collection of data to convince a verifier that their set includes at least a minimum number of elements that meet a specific condition, called a predicate, even though the prover only reveals a subset of the data. +By approximating a lower bound on the prover's knowledge, ALBA makes use of a controlled gap between the size of prover's actual knowledge and the threshold of the verifier checks they know. +This design results in highly efficient proofs, achieving nearly optimal proof sizes in both non-interactive and distributed environments. +ALBA's primary applications include large-scale decentralized signature schemes. +It is particularly well-suited for decentralized or blockchain scenarios, where it enhances communication efficiency among multiple provers sharing witness. + +In a decentralized voting system, participants (voters) submit votes that support different options or candidates. +To validate the results without revealing all individual votes, an ALBA protocol could be used. +Each voter's choice can be considered an _element_ that meets a certain predicate (e.g., a valid vote for a candidate). +Instead of tallying every vote publicly, ALBA allows an aggregator (like an election authority) to generate a compact proof showing that a sufficient number of valid votes has been cast for each candidate to meet the required threshold for a decision (such as reaching a quorum or winning a majority). +Combining ALBA with zero-knowledge technology such as _zkSNARKs_, we can efficiently keep individual votes private while enabling quick, efficient validation of the voting outcome, making it particularly useful for secure, private, and scalable voting systems where privacy and efficiency are critical. + +The paper introduces various ALBA protocol constructions tailored to different needs. +The basic construction allows a prover to show possession of a large set by creating a proof sequence of elements that meet staged hash-based conditions, efficiently excluding small sets. +_Pre-hashing_ improves this by precomputing hashes to group elements into _bins_, reducing computation and enhancing performance, especially with large sets. +For smaller sets, the generalized Telescope scheme allows multiple attempts to form a proof, adjusting parameters to maintain efficiency across sizes. +Decentralized versions of ALBA include the _Simple Lottery Construction_, where each party holding an element decides to share it based on a random _lottery_ mechanism, with an aggregator forming the proof from a target number of shared elements. +The _Decentralized Telescope_ adapts the Telescope scheme for multiple parties, who individually apply it and share qualifying elements with an aggregator. +Finally, the weighted extension supports elements with integer weights, allowing the prover to meet a total weight threshold, making ALBA versatile for contexts where elements have varying significance. The library covers the following constructions of the ALBA protocol: 1. Centralized Telescope