1 Introduction
Consider a server hosting a closed-source program that is intended to solve a specific problem (say, an advanced optimization tool). As a customer, you wish to delegate the task of running this program on your data to the server. Naturally, your limited access to the software, as well as your lack of trust in the server, raises concerns about the validity of the returned results. How can you verify that the server is indeed running the correct program on your data and providing you with the desired outcome? To convince yourself that the server is in possession of some program that solves the claimed problem, you could probe the server at random input values for which you know the outcome (say, through a different commercial software to which you only have trial access). Nevertheless, the bigger concern is whether the server continues to run the correct program on your data once this initial trust has been established. From an economic perspective, the server may have an incentive not to spend his computational resources on your data, but rather provide you with random outputs. Worse yet, a malicious server may intentionally provide you with false evaluations if he knows that you do not check the correctness of the results.
The literature on verifiable computing [1, 2, 3, 4] and functional commitment protocols [5, 6] allows the server (prover) to generate a proof of correctness of his results which can be checked by the users (verifiers). However, verifying such proofs is only possible if one has substantial knowledge about the underlying function, or if a verification key has been generated by a trusted party. Furthermore, the soundness of these algorithms relies on heuristic hardness assumptions that may be falsified at any time due to algorithmic breakthroughs or technological advancements.
In this paper, our goal is to design a commitment and verification algorithm that overcomes these challenges. Namely, (i) the verifiability property must hold regardless of the computation power of the prover, (ii) there must be no need for a trusted party, and (iii) the verifier must not learn more than a constant number of bits about the underlying function, regardless of his computation power. In the example above, the prover should be able to keep his program private from the verifier while at the same time providing him with verifiable results. This verification is performed against an initial commitment by the prover which contains almost no information about the program itself. Once the verifier receives the commitment to a specific function, the prover will only be able to pass the verification process if he provides evaluations of the same function that he has committed to. Our focus will be specifically on functions that can be represented as polynomials. This encompasses a wide range of applications including transaction verification in cryptocurrencies [7], verifiable secret sharing [8, 6], and proof-of-storage [9, 10, 4].
1.1 Our contributions
We propose InfoCommit, a protocol for polynomial commitment and verification. Specifically, InfoCommit consists of a commitment phase and an evaluation phase. During the commitment phase, the prover and the verifier engage in a private two-party computation algorithm in such a way that the verifier learns a private commitment to the polynomial. In the evaluation phase, the verifier is interested in learning the evaluations of the polynomial at many input points with the help of the prover. InfoCommit is verifiable, doubly-efficient and privacy-preserving. More specifically, InfoCommit has the following salient features.

Verifiability. If the prover commits to a polynomial in the commitment phase, he must provide evaluations of the same polynomial in the evaluation phase. Otherwise, the verifier is able to detect the inconsistency with overwhelming probability. On the other hand, if the prover is honest, the verifier accepts the results with probability 1.

Double-efficiency. For each round of evaluation, the verifier runs in time sublinear in the degree of the polynomial, whereas the prover runs in time comparable to a single evaluation of the polynomial. Note that we measure the efficiency of InfoCommit in the amortized model [2], where the initial commitment phase is followed by many rounds of evaluations. As a result, the one-time cost of the commitment phase can be neglected.

Privacy. The other facet of InfoCommit is its privacy-preserving property. Upon observing the initial commitment and the responses of the prover over the rounds of evaluation, the verifier only learns a constant number of symbols over the field about the coefficients of the polynomial.

Information-theoretic guarantees without relying on any trusted party. Both the verifiability and the privacy of InfoCommit are information-theoretic, meaning that the verifier and the prover can have unbounded computation power and may arbitrarily deviate from the prescribed protocol. Furthermore, InfoCommit does not rely on any trusted party, not even in the initial commitment phase.
The only assumption that underlies the privacy of InfoCommit is the bounded storage assumption, which states that there exists an upper bound on the storage size of the verifier. This upper bound must be publicly known and must not exceed a certain function of the minimum storage required for each party for the protocol to succeed. This assumption is used in the commitment phase, where we rely on oblivious transfer algorithms in the bounded storage model [11, 12, 13, 14].
1.2 Related work
The closest works in the literature to the present paper are commitment protocols, including polynomial commitment [6, 15, 16, 17], vector commitment [18], cryptographic accumulators [19], and more generally functional commitments [5]. These protocols allow a prover to provide a cryptographic commitment to a specific function which reveals little to no information about the underlying function. A verifier can then request the prover to “open” the commitment at specific locations. The verifier should be able to detect if the opening is inconsistent with the initial commitment. There are several factors that distinguish the model in the current paper from the traditional notion of functional commitment. The first difference is in the notion of privacy. The linear commitment model in [5] requires the initial commitment to reveal no information about the function. However, it does not impose any requirement on how much information is revealed upon observing the evaluations (openings) of the function along with the initial commitment. On the other hand, the polynomial commitment scheme in [6] only requires the evaluations of the polynomial at unqueried points to remain hidden from the verifier, which is a rather weak privacy constraint. In contrast, we impose rigorous information-theoretic constraints on how much information is revealed about the coefficients of the polynomial upon observing the initial commitment and the evaluations at a constant number of input points.
Secondly, our model does not permit the assumption of a trusted party, a component that is common in functional commitment protocols [6, 5]. This trusted party is usually in charge of generating a public key (that is later used for commitment, evaluation and verification) in a setup phase, which is eliminated in our model.
Thirdly, while the literature on functional commitment is more concerned with the size of the commitment and the size of the opening, we are instead focused on designing doubly-efficient algorithms, i.e., algorithms with efficient provers and super-efficient verifiers. Furthermore, unlike the literature on functional commitment, our verifiability is information-theoretic.
Another relevant concept is zero-knowledge verifiable computation [20] and zero-knowledge arguments of knowledge [21, 22, 23, 24]. Such algorithms enable a verifier and a prover to interact in order to compute f(x, w), where f is a publicly known function, x is the input of the verifier and w is the private input of the prover. The verifier will not learn anything about w except for what is implied through f(x, w). Furthermore, the verifier will be convinced that there exists some w known to the prover such that the computed value corresponds to f(x, w). For instance, f could correspond to a Rank-1 Constraint System (R1CS) [23], x a public input, and w a private witness such that (x, w) satisfies all the quadratic constraints of the R1CS. In the context of polynomial evaluation, x could be the input to the polynomial, w the coefficients of the polynomial, and f an operator that maps (x, w) to the evaluation of the polynomial. Unfortunately, this approach does not provide any binding guarantees, as the prover may change his polynomial for every input.
2 Polynomial Commitment and Verification
Suppose a prover is in possession of a private polynomial f selected uniformly at random among all polynomials of degree d over a finite field. A verifier, who only knows the degree of the polynomial, wishes to delegate the evaluation of this polynomial at several input points to the prover and verify the correctness of the results in sublinear time in d. Before this evaluation phase, the prover commits to the polynomial during an initialization phase. Once this commitment is done, the prover is expected to evaluate the same polynomial for every input that is provided by the verifier. The verifier should be able to detect, efficiently and with high probability, if for any input the prover instead returns an incorrect evaluation. We assume that the verifier is interested in evaluating the polynomial at many input points, so that the complexity of the commitment phase amortizes over many rounds of the evaluation phase [2]. Therefore, efficiency is only measured with respect to the evaluation phase. Additionally, during the entire commitment and evaluation phase, the verifier should learn close to nothing about the coefficients of the polynomial f. Note that revealing a constant number of symbols over the field about the coefficients of f to the verifier is inevitable, since such amounts of information can be learned by investigating a single pair (x, f(x)). Formally, a polynomial commitment and verification protocol consists of the following algorithms.

Commit. In the commitment phase the verifier and the prover engage in a secure two-party computation algorithm Commit to help the verifier learn a secret verification key VK which depends on his secret key, the prover’s secret key, and the polynomial coefficients.

Eval. The verifier reveals a desired input x to the prover. The prover will then provide the output of Eval to help the verifier evaluate f(x).

Verify. The verifier checks the correctness of the prover’s response based on his secret key and the output of the commitment phase, VK. If the response is incompatible with the initial commitment, he will reject the evaluation. Otherwise he will proceed to recovering f(x).

Recovery. If the verification process passes, the verifier will proceed to recover the evaluation f(x) via an algorithm Recovery.
The only assumption that underlies the privacy of InfoCommit is the bounded storage assumption stated as follows.
Definition 1 (The bounded storage assumption [13, 14])
This assumption states that there exists an upper bound on the storage size of the verifier. Furthermore, the storage size of both the verifier and the prover is at least the minimum required for the protocol to succeed. The upper bound is publicly known.
We are interested in polynomial commitment and verification protocols that are private (in the bounded storage model) and verifiable as defined below.
Definition 2
A polynomial commitment and verification protocol is information-theoretically private and verifiable if it satisfies the following properties.

Correctness. If the prover follows the Commit and Eval algorithms for the same polynomial , then the Verify algorithm must return 1 with probability 1.

(Information-theoretic) Soundness. If the prover commits to a polynomial with given coefficients, then the probability that he can pass the verification test with an incorrect evaluation should be negligible, regardless of his computation power.
(1) 
Efficient verification. The two functions Verify and Recovery must run in sublinear time in the degree d of the polynomial.

Efficient evaluation. The running time of Eval must be comparable to the time required for evaluating the polynomial, i.e., linear in d.

(Information-theoretic) Privacy. After running Commit and Eval for a number of different inputs, the verifier should only learn a bounded number of symbols over the field about the coefficients of the polynomial f, regardless of his computation power but under the bounded storage assumption. Importantly, this amount should be independent of the degree of the polynomial.
(2)
3 Preliminaries
In the analysis of security and privacy of InfoCommit, we make use of several basic properties of the entropy of random variables, which we review in this section. Furthermore, in the commitment phase of InfoCommit, we rely on a secure two-party computation algorithm. Here we explain how this can be accomplished via a series of reductions to a much simpler problem known as one-out-of-two Oblivious Transfer [29, 30]. An information-theoretic solution for the latter in the bounded storage model, borrowed from [31, 11, 14, 13], will be outlined.
3.1 Entropy of random variables
In this section we overview the definitions of various entropy functions of random variables, the notion of a Markov chain, and some useful properties that will help us establish the soundness and verifiability of InfoCommit.
Definition 3 (Entropy)
Let X, Y and Z be three random variables with domains 𝒳, 𝒴 and 𝒵 respectively. Let q be an arbitrary positive number.

The entropy of X in base q is a measure of its randomness and is defined as
(3) H(X) = Σ_{x∈𝒳} Pr[X = x] log_q (1 / Pr[X = x]).
Note that for a uniformly distributed X over 𝒳 we have H(X) = log_q |𝒳|, whereas for a deterministic X we have H(X) = 0.

The joint entropy of X and Y is defined as
(4) H(X, Y) = Σ_{x∈𝒳, y∈𝒴} Pr[X = x, Y = y] log_q (1 / Pr[X = x, Y = y]).

The conditional entropy of X given Y is defined as
(5) H(X | Y) = Σ_{y∈𝒴} Pr[Y = y] H(X | Y = y).
Some useful properties of the entropy terms are as follows.

Property 1. All the entropy terms defined above are non-negative.

Property 2. H(X, Y) = H(Y) + H(X | Y). Together with H(X, Y) ≤ H(X) + H(Y), this implies that conditioning cannot increase the entropy, H(X | Y) ≤ H(X).

Property 3. If X is independent of Y then H(X | Y) = H(X).
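These properties can be checked numerically on a small joint distribution; the distribution below is an arbitrary illustrative example, not taken from the paper.

```python
from collections import Counter
from math import log2

# Joint distribution of (X, Y) given as {(x, y): probability}.
joint = {(0, 0): 0.25, (0, 1): 0.25, (1, 0): 0.4, (1, 1): 0.1}

def H(dist):
    """Shannon entropy (base 2) of a distribution {outcome: prob}."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)

def marginal(joint, axis):
    m = Counter()
    for outcome, p in joint.items():
        m[outcome[axis]] += p
    return dict(m)

pX, pY = marginal(joint, 0), marginal(joint, 1)

# Property 2 (chain rule): H(X|Y) = H(X,Y) - H(Y).
H_XY = H(joint)
H_X_given_Y = H_XY - H(pY)

# Conditioning cannot increase entropy.
assert H_X_given_Y <= H(pX) + 1e-12

# Property 3: for an independent pair, H(X|Y) = H(X).
indep = {(x, y): pX[x] * pY[y] for x in pX for y in pY}
H_X_given_Y_indep = H(indep) - H(pY)
assert abs(H_X_given_Y_indep - H(pX)) < 1e-12
```

Here H(pX) = 1 bit (X is uniform), while conditioning on Y strictly reduces it, since X and Y are correlated in this example.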
Definition 4 (Markov Chain)
An ordered set of three random variables (X, Y, Z) with domains 𝒳, 𝒴, 𝒵 is said to form a Markov chain if
(6) Pr[Z = z | Y = y, X = x] = Pr[Z = z | Y = y]
for every x ∈ 𝒳, y ∈ 𝒴, z ∈ 𝒵. Intuitively, this means that the two random variables X and Z are independent, conditioned on knowing Y. This Markov chain is represented via X → Y → Z.

Property 4. If X → Y → Z forms a Markov chain, then H(X | Y) ≤ H(X | Z).
3.2 Information-theoretic Oblivious Transfer
Suppose Alice has n secrets s_1, …, s_n and Bob has a secret index i. Bob is interested in learning s_i without revealing any information about i to Alice. On the other hand, Alice wishes to reveal no information about her secrets to Bob except for the value of s_i. This problem is referred to as 1-out-of-n Oblivious Transfer (OT) [30]. If each of Alice’s secrets belongs to an alphabet of size q, we refer to the problem as 1-out-of-n OT over an alphabet of size q. In this paper we make use of such an OT algorithm in the commitment phase. Information-theoretic algorithms for basic variants of OT have been proposed in the literature in the bounded storage model [13, 11, 14]. Furthermore, there exist unconditional reductions among these variants, in particular from 1-out-of-n OT to 1-out-of-2 OT [32]. We will provide brief overviews of these algorithms here and refer the readers to the corresponding references for a more detailed description.
3.2.1 Reduction from 1-out-of-n OT to 1-out-of-2 OT.
Information-theoretic reductions among the variants of OT have been presented in [32]. Here we describe a reduction from 1-out-of-n OT to 1-out-of-2 OT and refer the interested reader to [32] for the other reductions. Alice generates n random symbols over the alphabet, namely r_1, …, r_n. Alice and Bob agree on an ordering of the elements of the alphabet, which induces a summation operation over it (addition of the indices modulo the alphabet size). Bob relies on 1-out-of-2 OT to request one element of each column of Table 1.
[Table 1: for each column i ∈ {1, …, n}, the pair of values offered to Bob via 1-out-of-2 OT.]
If Bob is interested in s_i, he will choose the second row for every column preceding the i’th, but chooses the first row for the i’th column. Bob’s requests to the remaining columns do not make any difference in the overall outcome: Bob will only learn s_i and nothing else about the remaining values. If Bob chooses the second row for every column of the table, he learns none of the secrets. Privacy of Bob follows from the privacy of the underlying 1-out-of-2 OT algorithm.
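The exact table entries are garbled in the source; the sketch below uses one standard one-time-pad chaining that is consistent with the access pattern described above (column i offers s_i + r_1 + ⋯ + r_{i−1} in the first row and r_i in the second, which is our assumption), together with an idealized 1-out-of-2 OT oracle.

```python
import random

q = 256                      # alphabet size; "+" is addition mod q

def ot2(pair, bit):
    """Idealized 1-out-of-2 OT: Bob learns pair[bit], Alice learns nothing."""
    return pair[bit]

def ot_n(secrets, choice):
    """1-out-of-n OT built from n instances of 1-out-of-2 OT (assumed layout)."""
    n = len(secrets)
    r = [random.randrange(q) for _ in range(n)]          # Alice's one-time pads
    # Column i offers (s_i + r_1 + ... + r_{i-1},  r_i).
    table = [((secrets[i] + sum(r[:i])) % q, r[i]) for i in range(n)]
    acc = 0
    for j in range(choice):                              # second row before i:
        acc = (acc + ot2(table[j], 1)) % q               # collect the pads
    masked = ot2(table[choice], 0)                       # first row at column i
    for j in range(choice + 1, n):                       # remaining requests are
        ot2(table[j], 1)                                 # made but irrelevant
    return (masked - acc) % q
```

Bob recovers exactly one secret: learning a second one would require the first row of another column together with a pad that his own choice at column i denied him.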
3.2.2 OT in the bounded storage model.
Several works have proposed OT algorithms in the bounded storage model which remain secure even if the two parties have infinite computation power [14, 12, 13, 11]. It is only necessary to assume that an upper bound on the storage size of Bob is known to Alice. The actual storage required for the algorithm to succeed is much smaller than this upper bound; for instance, the honest parties in the algorithm of [14] need far less storage than the bound imposed on Bob. The general idea behind all these algorithms is as follows. Alice generates a long random string of bits and broadcasts it, and each of Alice and Bob randomly stores a small subset of the positions of this sequence. Let A represent the indices of the bits stored by Alice and define B similarly for Bob. By the birthday paradox, with high probability A and B intersect. Alice reveals A to Bob, and Bob computes two sets: one contained in A ∩ B and one that leaves A ∩ B. Next, the two parties engage in an interactive hashing algorithm [13] to generate two sets of equal size such that Bob knows all the broadcast bits indexed by one of them but not all the bits indexed by the other, with the roles of the two sets chosen by Bob. The interactive hashing algorithm also guarantees that Alice does not learn which of the two sets is fully known to Bob. Alice encodes one of her secrets with the bits indexed by the first set and the other secret with the bits indexed by the second set and sends both to Bob. Bob will be able to decode the secret corresponding to the set whose bits he fully knows. However, his incomplete knowledge of the other set prevents him from learning the other secret.
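The birthday-paradox step can be illustrated numerically: storing k random positions out of N gives an expected overlap of k²/N, so k on the order of √N already yields a common index with constant probability (the parameters below are illustrative, not the paper's).

```python
import random

# Alice broadcasts N random bits; each party stores k random positions.
def expected_overlap(N, k, trials=2000, seed=1):
    """Empirical mean of |A ∩ B| for two independent k-subsets of [N]."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        A = set(rng.sample(range(N), k))
        B = set(rng.sample(range(N), k))
        total += len(A & B)
    return total / trials

N, k = 10_000, 100          # k = sqrt(N)
avg = expected_overlap(N, k)
# The empirical average should be close to k*k/N = 1.
```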
While the state-of-the-art OT algorithms [14, 13] guarantee perfect privacy for Bob, they only guarantee Alice’s privacy except with a probability that is negligible in a security parameter. The negligible probability that Alice’s privacy is compromised will translate to a negligible probability that InfoCommit fails to guarantee the privacy of the polynomial against the verifier. But we can choose the security parameter large enough so that the privacy of Alice is virtually perfect. We will make this argument precise in the analysis of privacy of InfoCommit.
3.3 Secure Two-party Computation based on OT
A secure two-party computation algorithm S2PC enables two parties Alice and Bob to evaluate f(x, w), where f is a publicly known function, x is the private input of Bob and w is the private input of Alice [33]. At the end, Bob must learn f(x, w) but nothing else about w, whereas Alice must learn nothing (not even f(x, w)). S2PC can be realized via an instantiation of 1-out-of-n OT as follows. The two parties first agree on an ordering of the elements of the domain of Bob’s input. Let x_j represent the j’th element of this domain in the agreed ordering. Let i be such that the private input of Bob satisfies x = x_i. Bob can request the i’th row of Table 2 via a 1-out-of-n OT algorithm. Bob will learn f(x_i, w) but nothing else about w, whereas Alice will learn nothing about x.
[Table 2: row j contains the value f(x_j, w); Bob requests his row via 1-out-of-n OT.]
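The table-based construction above can be sketched with an idealized OT oracle (the function names are ours):

```python
def ideal_ot(rows, index):
    """Idealized 1-out-of-n OT: Bob learns rows[index] and nothing else."""
    return rows[index]

def s2pc(f, bob_domain, bob_input, alice_input):
    """Bob learns f(bob_input, alice_input); Alice learns nothing.

    Alice tabulates f(x_j, w) for every x_j in the agreed ordering of
    Bob's input domain (Table 2); Bob requests his row via OT."""
    table = [f(x, alice_input) for x in bob_domain]   # built by Alice
    i = bob_domain.index(bob_input)                   # Bob's secret row index
    return ideal_ot(table, i)

# Example: Bob privately evaluates a polynomial on Alice's secret coefficients.
f = lambda x, coeffs: sum(c * x**k for k, c in enumerate(coeffs))
result = s2pc(f, list(range(10)), 3, [1, 2, 1])       # (1 + x)^2 at x = 3
```

Bob's privacy comes from the OT hiding `i`; Alice's privacy comes from Bob seeing only the single requested row of the table.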
4 An Overview of InfoCommit
We start by noting that the polynomial f(x) = f_0 + f_1 x + ⋯ + f_d x^d can be rewritten as
(7) f(x) = u(x)^T F v(x),
where s = ⌈√(d+1)⌉, u(x) = (1, x, …, x^{s−1})^T, v(x) = (1, x^s, x^{2s}, …, x^{s(s−1)})^T, and F is the s × s matrix of coefficients
(8) F_{i,j} = f_{i+js} for 0 ≤ i, j ≤ s − 1 (with f_l = 0 for l > d).
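A minimal sketch of this rewriting, assuming the square arrangement F[i][j] = f_{i+js} with s = ⌈√(d+1)⌉ (our reading of the stripped equations):

```python
from math import isqrt

def to_matrix(coeffs):
    """Arrange coefficients f_0..f_d into an s x s matrix F with
    F[i][j] = f_{i + j*s}, zero-padded, so that f(x) = u(x)^T F v(x)."""
    d = len(coeffs) - 1
    s = isqrt(d)
    if s * s < d + 1:
        s += 1
    F = [[0] * s for _ in range(s)]
    for idx, c in enumerate(coeffs):
        F[idx % s][idx // s] = c
    return F, s

def bilinear_eval(coeffs, x):
    F, s = to_matrix(coeffs)
    u = [x**i for i in range(s)]            # (1, x, ..., x^{s-1})
    v = [x**(j * s) for j in range(s)]      # (1, x^s, ..., x^{s(s-1)})
    return sum(u[i] * F[i][j] * v[j] for i in range(s) for j in range(s))

coeffs = [3, 1, 4, 1, 5, 9, 2, 6]           # a polynomial of degree 7
direct = sum(c * 2**k for k, c in enumerate(coeffs))   # f(2) evaluated directly
assert bilinear_eval(coeffs, 2) == direct
```

The point of the rewriting is that both u(x) and v(x) have length only about √d, which is what enables the sublinear verifier later on.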
4.1 A basic algorithm
A rather straightforward algorithm is for the verifier to generate a matrix S uniformly at random. In the commitment phase, the verifier and the prover will engage in a secure two-party computation algorithm to help the verifier learn
(9) C = S F.
In this process, the verifier will not learn anything about F other than what is revealed through C, and the prover will not learn anything about S. In the evaluation phase, the verifier will ask the prover to compute y = F v(x). Suppose the prover responds with ỹ. The verifier checks if S ỹ = C v(x), which can be done in time linear in s. If ỹ ≠ y, this identity holds only with small probability [28], since the prover does not know anything about S. If the verification process is successful, the verifier can recover f(x) = u(x)^T ỹ in time linear in s. The main issue with this algorithm is that C reveals many symbols over the field about the polynomial during the commitment phase, and ỹ reveals another s symbols for each evaluation. We wish to reduce this to a constant. We will accomplish this in two steps: first against a semi-honest verifier and then against a malicious verifier.
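A toy end-to-end run of this basic scheme over a prime field (matrix sizes are illustrative, and the secure two-party step is modelled by computing C directly; in the real protocol the prover never sees S):

```python
import random

p = 2**31 - 1                                # prime field F_p
rng = random.Random(0)
s = 4                                        # F is s x s

def mat_mul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) % p for col in zip(*B)]
            for row in A]

def mat_vec(A, v):
    return [sum(a * b for a, b in zip(row, v)) % p for row in A]

F = [[rng.randrange(p) for _ in range(s)] for _ in range(s)]   # prover's poly
S = [[rng.randrange(p) for _ in range(s)] for _ in range(2)]   # verifier's key

# Commit (via secure two-party computation, modelled directly): C = S F.
C = mat_mul(S, F)

# Eval at x: prover returns y = F v(x); verifier checks S y == C v(x)
# and recovers f(x) = u(x)^T y.
x = 5
u = [pow(x, i, p) for i in range(s)]
v = [pow(x, j * s, p) for j in range(s)]
y = mat_vec(F, v)
assert mat_vec(S, y) == mat_vec(C, v)        # honest prover always passes
fx = sum(a * b for a, b in zip(u, y)) % p

# A tampered response is caught unless the prover guesses S's action on
# the error vector -- probability about 1/p per check row.
y_bad = [(y[0] + 1) % p] + y[1:]
assert mat_vec(S, y_bad) != mat_vec(C, v)
```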
4.2 Improved privacy against a semi-honest verifier
In order to improve the privacy of this algorithm, the prover will generate a polynomial g uniformly among all polynomials of degree d over the field. In the commitment phase, instead of directly committing to f, the prover will commit to both f and g. Let F and G represent the matrices corresponding to the polynomials f and g, constructed similarly to (8). If both commitments have the same structure as in (9), the verifier will be able to gain substantial information about the matrix F by choosing his two secret matrices to be linearly dependent. To prevent this, the protocol will require the prover to commit to F + G “from left” as in (9), whereas the commitment to G will be done from the right. More concretely, the verifier and the prover will engage in a secure two-party computation algorithm to help the verifier learn
(10) C₁ = S₁ (F + G),  C₂ = G S₂,
for two secret matrices S₁ and S₂ generated randomly by the verifier. To gain intuition on how this helps with preserving the privacy of F, note that each commitment exposes one side of its matrix only: knowing a single linear combination of the rows of a matrix and a single linear combination of its columns cannot reveal more than one symbol over the field about the entries of that matrix. This argument will be made precise in the analysis of privacy of InfoCommit. In the evaluation phase, the prover will be required to compute
(11) y₁ = (F + G) v(x),  y₂ = u(x)^T G.
Suppose the prover responds with ỹ₁ and ỹ₂. The verifier will check the correctness of each result via two parities
(12) S₁ ỹ₁ = C₁ v(x),  ỹ₂ S₂ = u(x)^T C₂.
If both verification tests are successful, the verifier will recover
(13) u(x)^T ỹ₁ = f(x) + g(x)  and  ỹ₂ v(x) = g(x).
He will then find f(x) as the difference of these two quantities and will accept it as the correct evaluation of f. This algorithm guarantees the verifiability of the results with high probability, following a similar analysis to [28]. Nonetheless, the privacy only holds as long as S₁ and S₂ are generated randomly, i.e., if the verifier is semi-honest. We will overcome this limitation in the next subsection.
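The following sketch instantiates one possible reading of the masked scheme (left commitment to F + G, right commitment to G; this pairing is an assumption on our part, since the equations are stripped in the source):

```python
import random

p = 2**31 - 1                                 # prime field F_p
rng = random.Random(7)
s, k = 4, 2

def mat_mul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) % p for col in zip(*B)]
            for row in A]

rand_mat = lambda r, c: [[rng.randrange(p) for _ in range(c)] for _ in range(r)]

F = rand_mat(s, s)                            # prover's polynomial
G = rand_mat(s, s)                            # prover's random mask
FG = [[(a + b) % p for a, b in zip(r1, r2)] for r1, r2 in zip(F, G)]

S1, S2 = rand_mat(k, s), rand_mat(s, k)       # verifier's secret matrices
C1 = mat_mul(S1, FG)                          # commitment "from left"
C2 = mat_mul(G, S2)                           # commitment "from right"

x = 5
u = [[pow(x, i, p) for i in range(s)]]        # row vector u(x)^T
v = [[pow(x, j * s, p)] for j in range(s)]    # column vector v(x)

y1 = mat_mul(FG, v)                           # (F+G) v(x)
y2 = mat_mul(u, G)                            # u(x)^T G

# Verification: both parities must hold.
assert mat_mul(S1, y1) == mat_mul(C1, v)
assert mat_mul(y2, S2) == mat_mul(u, C2)

# Recovery: u^T y1 = f(x) + g(x) and y2 v = g(x); subtract to get f(x).
fx = (mat_mul(u, y1)[0][0] - mat_mul(y2, v)[0][0]) % p
direct = sum(F[i][j] * pow(x, i + j * s, p)
             for i in range(s) for j in range(s)) % p
assert fx == direct
```

The mask G hides F in each individual response, while the subtraction at recovery time cancels it exactly.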
4.3 Improving privacy against a malicious verifier
If both parties follow this protocol as described, the verifier will only learn a constant number of symbols about the polynomial upon observing the commitments and the pair (ỹ₁, ỹ₂) for a constant number of inputs (see the analysis of privacy in Section 6). However, a malicious verifier may deviate from this protocol by choosing S₁ and S₂ in a deterministic manner. To elaborate on this, suppose the verifier chooses a row of S₁ as the standard unit vector e₁. This helps him learn the first row of the matrix F + G. Subsequently, in the evaluation phase, he requests the pair (ỹ₁, ỹ₂) for an input at which u(x) coincides with e₁. Based on this, he can learn ỹ₂ = u(x)^T G, which is the first row of the matrix G. He will then proceed to subtract the two in order to find the first row of the matrix F, which reveals s symbols about the polynomial f.
We will propose a mechanism to resolve this threat. Suppose the verifier requests the pair (ỹ₁, ỹ₂) for k different inputs x₁, …, x_k. Define the matrices Y₁ and Y₂ as
(14) Y₁ = [ỹ₁(x₁), …, ỹ₁(x_k)],  Y₂ = [ỹ₂(x₁); …; ỹ₂(x_k)],
and let the matrices U and V be the concatenation of the vectors u(x_i) and v(x_i) for all i ∈ {1, …, k}. In other words,
(15) U = [u(x₁), …, u(x_k)]^T,  V = [v(x₁), …, v(x_k)].
Since after k rounds of evaluation the verifier learns both Y₁ and Y₂, the prover must ensure that the matrices S₁, U and S₂, V do not contain any linear dependencies among their rows (respectively, columns). Otherwise, such a linear dependency can be exploited to extract a substantial amount of information about the matrix F, as outlined in the example above. Since S₁ and U are full-rank (with high probability for randomly chosen inputs), the prover must be ensured that [S₁; U] is also full-rank, where [S₁; U] denotes the vertical concatenation of the two matrices. Similarly, we must have that the horizontal concatenation [S₂, V] is full-rank. To accomplish this, we restrict the matrices S₁ and S₂ to have the same Vandermonde structures as the matrices U and V, respectively. In other words, S₁ and S₂ must be of the form
(16) S₁ = [u(r₁), …, u(r_{k₁})]^T,  S₂ = [v(t₁), …, v(t_{k₂})],
for points r_i and t_j chosen by the verifier. Note that as long as
(17) the points r₁, …, r_{k₁}, t₁, …, t_{k₂} and x₁, …, x_k give rise to distinct Vandermonde nodes,
the two rank requirements will be satisfied. Note also that without loss of generality, we can assume that the x_i are distinct, and distinct from the r_i and t_j, since the verifier cannot benefit from receiving the same evaluation twice. Restricting the structure of S₁ and S₂, as opposed to choosing them uniformly at random over the field, would mean that the prover now has some side information about these matrices which he can utilize to bypass the verification test. Fortunately, the analysis in Section 6 shows that this probability remains sufficiently small.
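The rank condition can be sanity-checked over a small prime field: stacking two Vandermonde blocks built from pairwise-distinct nodes preserves full row rank (the helper names below are ours):

```python
p = 101                      # small prime field for the demonstration

def rank_mod_p(M):
    """Row-reduce a matrix over F_p and return its rank."""
    M = [row[:] for row in M]
    rank, rows, cols = 0, len(M), len(M[0])
    for c in range(cols):
        piv = next((r for r in range(rank, rows) if M[r][c] % p), None)
        if piv is None:
            continue
        M[rank], M[piv] = M[piv], M[rank]
        inv = pow(M[rank][c], -1, p)                 # modular inverse
        M[rank] = [v * inv % p for v in M[rank]]
        for r in range(rows):
            if r != rank and M[r][c] % p:
                f = M[r][c]
                M[r] = [(a - f * b) % p for a, b in zip(M[r], M[rank])]
        rank += 1
    return rank

def vandermonde(points, width):
    return [[pow(t, i, p) for i in range(width)] for t in points]

s, k = 8, 3
S1 = vandermonde([90, 95, 99], s)    # verifier's points from a prohibited range
U  = vandermonde([2, 5, 7], s)       # evaluation points, disjoint from above

# Distinct nodes => the stacked matrix [S1; U] keeps full row rank 2k.
assert rank_mod_p(S1 + U) == 2 * k
```

Repeating a node immediately creates a dependency: `vandermonde([2, 2], 4)` has rank 1, which is exactly the degeneracy the prohibited set is designed to rule out.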
It is left to convince the prover that (17) holds. For this purpose, we designate a set of prohibited values from which the elements r_i and t_j must be chosen. “Prohibited” means that in the evaluation phase, the verifier is not permitted to delegate the evaluation of the function at any member of this set to the prover. For instance, the verifier could provide an upper bound on his input values to the prover, and the prohibited set could then be chosen as a sufficiently large interval whose smallest member is strictly larger than this bound.
4.4 Considerations regarding the size of the field
The privacy of InfoCommit as analyzed in Section 6 relies on the fact that the image of the prohibited set under the map x ↦ x^s has the same size as the prohibited set itself. This property holds if the function x ↦ x^s is a permutation over the field, which is the case if gcd(s, q − 1) = 1, where q is the field size. It is also important that there exists a prohibited subset of the field of sufficiently large size. To ensure this, either the verifier should set his upper bound appropriately, or the field size should be increased once the verifier provides the upper bound. Of course, this adjustment must be done without violating the first property.
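The permutation condition we read into this paragraph — x ↦ x^s permutes F_q exactly when gcd(s, q − 1) = 1 — can be checked directly for a small field:

```python
from math import gcd

q = 31                         # a small prime field
s = 7                          # gcd(7, q - 1) = gcd(7, 30) = 1

# x -> x^s is a permutation of F_q exactly when gcd(s, q - 1) = 1.
image = {pow(x, s, q) for x in range(q)}
assert gcd(s, q - 1) == 1 and len(image) == q

# A bad exponent: gcd(5, 30) = 5, so x -> x^5 is 5-to-1 on nonzero elements,
# and the image shrinks to (q - 1)/5 nonzero values plus zero.
bad_image = {pow(x, 5, q) for x in range(q)}
assert len(bad_image) == (q - 1) // 5 + 1
```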
5 Formal Description of InfoCommit
The formal description of the four functions of InfoCommit, namely Commit, Eval, Verify and Recovery, is provided in Algorithms 2, 3, 4 and 5. Theorem 5.1 establishes that InfoCommit satisfies the requirements of an information-theoretically verifiable and private protocol for commitment and verification.
Theorem 5.1
InfoCommit, as described by the Commit, Eval, Verify and Recovery Algorithms 2, 3, 4 and 5, satisfies the correctness, soundness, privacy and efficiency requirements as stated in Definition 2. Specifically,

If the prover is honest, the verifier will accept the results with probability 1.

The probability that the prover can pass the verification process with a false result is negligible,
(18) 
The verifier only learns a constant number of symbols about the coefficients of the polynomial after he receives the commitment and the evaluations, for any choice of his secret parameters and any input values.
(19) 
The complexity of the verifier per evaluation round is sublinear in the degree d,
(20) 
The complexity of the prover per evaluation round is linear in the degree d,
(21)
(22) y₁ = (F + G) v(x),  y₂ = u(x)^T G
(23) S₁ y₁ = C₁ v(x),  y₂ S₂ = u(x)^T C₂
(24) f(x) = u(x)^T y₁ − y₂ v(x)
6 The Analysis of InfoCommit
Correctness. If the prover is honest, he will provide the evaluations of the same polynomial that he has committed to. Consequently, in the verification phase, the identities (23) trivially hold and the recovered value is equal to the correct evaluation, as desired.
Efficiency. The verification is fast since it only requires multiplying small matrices by vectors of length s. The recovery is equally fast since the main operation in this phase is inner products of vectors of length s. Therefore, the overall complexity of the verifier in the evaluation phase is sublinear in d. The prover, on the other hand, must compute the two vectors specified in (22), which can be done in time linear in d.
Soundness. The analysis of soundness relies on the fact that the prover learns nothing about the secret values chosen by the verifier during the commitment phase. This follows from the property that the oblivious transfer algorithms in [13, 14] provide perfect privacy for the receiver. Without loss of generality we can assume that the prover has committed to the correct polynomial f. If not, we simply use f to denote the polynomial that the prover has committed to, and expect the soundness property to hold with respect to this f. Note that such a polynomial of degree d exists regardless of how the prover responds to the queries in the commitment phase.
Remember that for each input x, the prover is required to provide the verifier with the two vectors defined in (22). Here, we analyze the probability that a malicious prover can pass the verification test (23) with an incorrect pair, and show that this probability is negligible. Let Ỹ denote a random variable from which the prover draws his (possibly false) evaluation. Note that Ỹ is independent of the verifier’s secret points. The probability that the prover can pass the first verification test with an incorrect result is given by
(25) 
where the randomness is with respect to the verifier’s secret points. We need an upper bound on this probability that holds for any strategy of the prover. Define the difference between the claimed vector and the correct one. We can see this vector as the coefficients of a polynomial of degree less than s. The last equation is then the probability that the prover can provide a nontrivial polynomial of degree less than s such that all the secret points of the verifier are roots of this polynomial. Note that such a polynomial has at most s − 1 roots in the field. Note also that all the Vandermonde nodes involved are distinct. This is because the field size is chosen in such a way that gcd(s, q − 1) = 1. As a result, the function x ↦ x^s is a permutation, and distinct points give rise to distinct nodes. Let R, of size at most s − 1, represent the roots of the polynomial that lie in the prohibited set: a point belongs to R if and only if it is prohibited and is a root of the polynomial. We are interested in the probability that all the verifier’s secret points fall inside R. Since Ỹ is independent of the secret points, so is the set R. We can therefore bound the probability as
(26) 
Similarly, one can bound the probability that the prover can pass the second verification test with an incorrect result. As a result,
(27) 
For instance, by choosing the size of the prohibited set and the number of secret points appropriately, this probability can be made negligible.
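The root-hitting bound can be illustrated empirically: a nonzero polynomial of bounded degree, fixed before the secret point is drawn, is hit by a uniform point with probability at most (degree)/(field size). The parameters below are illustrative, not the paper's.

```python
import random

p = 10007                           # prime field
deg = 99                            # degree bound of the difference polynomial
rng = random.Random(3)

def poly_eval(coeffs, x):
    """Evaluate the polynomial with coefficients [c0, c1, ...] at x, mod p."""
    acc = 0
    for c in reversed(coeffs):      # Horner's rule
        acc = (acc * x + c) % p
    return acc

# A fixed nonzero "cheating" polynomial, chosen before seeing the secret point.
coeffs = [rng.randrange(p) for _ in range(deg + 1)]

# Probability that a uniform secret point is a root is at most deg / p < 1%.
trials = 200_000
hits = sum(poly_eval(coeffs, rng.randrange(p)) == 0 for _ in range(trials))
rate = hits / trials                # stays well below deg / p ~ 0.0099
```

Repeating the check with several independent secret points drives the cheating probability down exponentially, which is how the protocol makes it negligible.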
The next two lemmas will help us establish the privacy of InfoCommit.
Lemma 1
Let a, b and n be three positive integers with a, b ≤ n. Let M be an n × n random matrix uniformly distributed over the field. Let S₁ and S₂ be arbitrary full-rank a × n and n × b matrices respectively. Then
(28) H(S₁ M, M S₂) = an + bn − ab, measured in symbols over the field.
Proof
Since S₁ is full-rank, S₁ M is uniformly distributed over the a × n matrices and as a result, H(S₁ M) = an. So, we only need to prove that H(M S₂ | S₁ M) = bn − ab. Let m be a column vector obtained from the vertical concatenation of the columns of M. Let A = I_n ⊗ S₁, where I_n is the n × n identity matrix and ⊗ denotes the Kronecker product, and let B = S₂^T ⊗ I_n. Since the two vectors A m and B m are rearrangements of the two matrices S₁ M and M S₂, respectively, we have that H(M S₂ | S₁ M) = H(B m | A m). The proof follows from the fact that the matrix obtained from the vertical concatenation of A and B has rank at least an + bn − ab as long as S₁ and S₂ are full-rank (see Lemma 3 in the appendix).
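The vec–Kronecker identities used in this proof can be verified numerically (with the column-major convention for vec):

```python
import numpy as np

rng = np.random.default_rng(0)
n, a, b = 5, 2, 3
M = rng.integers(0, 10, (n, n))
S1 = rng.integers(0, 10, (a, n))
S2 = rng.integers(0, 10, (n, b))

m = M.flatten(order="F")                      # column-stacked vec(M)

# vec(S1 M) = (I_n ⊗ S1) vec(M): block-diagonal action on the columns of M.
assert np.array_equal((S1 @ M).flatten(order="F"),
                      np.kron(np.eye(n, dtype=int), S1) @ m)

# vec(M S2) = (S2^T ⊗ I_n) vec(M): each output column mixes the columns of M.
assert np.array_equal((M @ S2).flatten(order="F"),
                      np.kron(S2.T, np.eye(n, dtype=int)) @ m)
```

Both observed quantities are thus linear functions of the same vector m, which is what reduces the entropy computation to a rank computation.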
Lemma 2
Let X, Y and Z be three random variables with alphabets 𝒳, 𝒴 and 𝒵, satisfying the Markov chain X → Y → Z. Let g be an arbitrary function. Then, we have
(29) 
Proof
The following chain of inequalities proves the claim.
(30)  
(31)  
(32) 
Note that the first inequality is due to Property 2 of the entropy terms in the preliminaries, and the last inequality follows from Property 4. Specifically, since X → Y → Z forms a Markov chain, the corresponding chain obtained after applying g forms a Markov chain too, which allows us to drop the extra term from the conditioning.
Privacy. We prove that after the rounds of evaluation, the verifier learns at most a constant number of symbols over the field about the matrix F which represents the polynomial f. The analysis of privacy relies on the fact that the verifier learns nothing about the prover’s matrices in the commitment phase except for what is implied via the commitments. This follows because the secure two-party computation algorithm built on [13, 14] provides perfect privacy for the sender except with negligible probability. The analysis also makes use of the fact that the r_i and t_j values in the commitment phase are chosen from a “prohibited” set. As a result of this, the concatenated matrices [S₁; U] and [S₂, V] will be full-rank. Note that the verifier cannot benefit from selecting x_i = x_j for i ≠ j, i.e., requesting the same evaluation point twice. Similarly, he cannot benefit from repeating his secret points. Therefore, without loss of generality, we can assume that all these points are distinct.
First, we assume that the privacy of the transmitter in the OT algorithm is perfect. At the end of the proof, we will show that the negligible probability that the privacy of the transmitter in the OT algorithm is compromised does not make a fundamental difference in our analysis. For the matrices defined as in (14) and (15), we want to show that
(33) 
for any choice of the evaluation points and for any choice of the verifier’s secret matrices. We start by simplifying the left-hand side of (33).