2G2T: Constant-Size, Statistically Sound MSM Outsourcing

Majid Khabbazian

TL;DR

2G2T is a simple protocol for verifiably outsourcing MSM to an untrusted server that achieves statistical soundness: for any (even computationally unbounded) adversarial server, the probability of accepting an incorrect result is at most $1/q$ per query, and at most $e/q$ over $e$ adaptive executions, in a prime-order group of size $q$.

Abstract

Multi-scalar multiplication (MSM), defined as $\mathrm{MSM}(\vec{P}, \vec{x}) = \sum_{i=1}^{n} x_i P_i$, is a dominant computational kernel in discrete-logarithm-based cryptography and often becomes a bottleneck for verifiers and other resource-constrained clients. We present 2G2T, a simple protocol for verifiably outsourcing MSM to an untrusted server. After a one-time keyed setup for fixed bases $\vec{P} = (P_1, \ldots, P_n)$ that produces a public merged-bases vector $\vec{T}$ and client secret state, the server answers each query $\vec{x} = (x_1, \ldots, x_n)$ with only two group elements: $A$ claimed to equal $\mathrm{MSM}(\vec{P}, \vec{x})$ and an auxiliary value $B$ claimed to equal $\mathrm{MSM}(\vec{T}, \vec{x})$. Verification requires a single length-$n$ field inner product and a constant number of group operations (two scalar multiplications and one addition), while the server performs two MSMs. In our Ristretto255 implementation, verification is up to $\sim300\times$ faster than computing the MSM locally using a highly optimized MSM routine for $n$ up to $2^{18}$, and the server-to-client response is constant-size (two compressed group elements, 64 bytes on Ristretto255). Despite its simplicity and efficiency, 2G2T achieves statistical soundness: for any (even computationally unbounded) adversarial server, the probability of accepting an incorrect result is at most $1/q$ per query, and at most $e/q$ over $e$ adaptive executions, in a prime-order group of size $q$.

Paper Structure (30 sections, 5 theorems, 33 equations, 1 figure, 1 algorithm)

Key Result

theorem 1

In the setting of Definition 1, for every $\vec{x}\in\mathbb{F}_q^n$, if the server returns then the verifier in Algorithm 1 accepts and outputs $A$.

Figures (1)

  • Figure 1: 2G2T speedup on Ristretto255 (up to $\sim300\times$ vs. optimized MSM and $\sim3000\times$ vs. naïve MSM, for $n\le 2^{18}$).

Theorems & Definitions (11)

  • definition 1: 2G2T setup
  • theorem 1: Perfect completeness of 2G2T
  • proof
  • lemma 1: Independence of $r$ and $\vec{T}$
  • proof
  • lemma 2: Uniqueness of an accepting scalar for an incorrect $A$
  • proof
  • theorem 2: Statistical soundness of 2G2T
  • proof
  • theorem 3: $e$-execution statistical soundness of 2G2T
  • ...and 1 more