A SHUFFLE ARGUMENT SECURE IN THE GENERIC MODEL Prastudy Fauzi, Helger Lipmaa, Michal Zajac University of Tartu, Estonia ASIACRYPT 2016
OUR RESULTS A new efficient CRS-based NIZK shuffle argument
OUR RESULTS A new efficient CRS-based NIZK shuffle argument Four+ times more efficient verification than in prior work
OUR RESULTS A new efficient CRS-based NIZK shuffle argument Four+ times more efficient verification than in prior work Verification time more critical
OUR RESULTS A new efficient CRS-based NIZK shuffle argument Four+ times more efficient verification than in prior work Verification time more critical Soundness proof in the Generic Bilinear Group Model
OUR RESULTS A new efficient CRS-based NIZK shuffle argument Four+ times more efficient verification than in prior work Verification time more critical Soundness proof in the Generic Bilinear Group Model Very complicated machine-assisted proof
OUR RESULTS A new efficient CRS-based NIZK shuffle argument Four+ times more efficient verification than in prior work Verification time more critical Soundness proof in the Generic Bilinear Group Model Very complicated machine-assisted proof Use computer algebra to solve systems of polyn. eq.
OUR RESULTS A new efficient CRS-based NIZK shuffle argument Four+ times more efficient verification than in prior work Verification time more critical Soundness proof in the Generic Bilinear Group Model Very complicated machine-assisted proof Use computer algebra to solve systems of polyn. eq. Esp. to find Gröbner bases
A BIT OF MOTIVATION: E-VOTING
A BIT OF MOTIVATION: E-VOTING
A BIT OF MOTIVATION: E-VOTING
A BIT OF MOTIVATION: E-VOTING Lesson from the past: It is not voters who counts, but who counts the votes - Can we get away with that? - I m 140% sure!
A BIT OF MOTIVATION: E-VOTING Lesson from the past: It is not voters who counts, but who counts the votes Anonymity Correctness - Can we get away with that? - I m 140% sure!
A BIT OF MOTIVATION: E-VOTING Lesson from the past: It is not voters who counts, but who counts the votes Anonymity Correctness Data is public (Data, source) is private - Can we get away with that? - I m 140% sure!
SIMPLE MIX-NETS
SIMPLE MIX-NETS c 1 =Enc pk (m 1 ) c 2 =Enc pk (m 2 ) c 3 =Enc pk (m 3 )
SIMPLE MIX-NETS c 1 =Enc pk (m 1 ) π, r d 1 =c π(1) c 2 =Enc pk (m 2 ) d 2 =c π(2) c 3 =Enc pk (m 3 ) d 3 =c π(3) Encryption protects against eavesdropping on the Internet
SIMPLE MIX-NETS c 1 =Enc pk (m 1 ) π, r ψ,s d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) d 2 =c π(2) e 2 =d ψ(2) c 3 =Enc pk (m 3 ) d 3 =c π(3) e 3 =d ψ(3) Encryption protects against eavesdropping on the Internet
SIMPLE MIX-NETS π, r ψ,s sk c 1 =Enc pk (m 1 ) d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) d 2 =c π(2) e 2 =d ψ(2) m ψ(π(1)) m ψ(π(2)) c 3 =Enc pk (m 3 ) d 3 =c π(3) e 3 =d ψ(3) m ψ(π(3)) Encryption protects against eavesdropping on the Internet
SIMPLE MIX-NETS Anonymity π, r ψ,s sk c 1 =Enc pk (m 1 ) d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) d 2 =c π(2) e 2 =d ψ(2) m ψ(π(1)) m ψ(π(2)) c 3 =Enc pk (m 3 ) d 3 =c π(3) e 3 =d ψ(3) m ψ(π(3)) Encryption protects against eavesdropping on the Internet Private against each individual server
SIMPLE MIX-NETS Anonymity Correctness π, r ψ,s sk c 1 =Enc pk (m 1 ) d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) d 2 =c π(2) e 2 =d ψ(2) m ψ(π(1)) m ψ(π(2)) c 3 =Enc pk (m 3 ) d 3 =c π(3) e 3 =d ψ(3) m ψ(π(3)) Encryption protects against eavesdropping on the Internet Private against each individual server Not enough: what if a server cheats?
ACCOUNTABLE MIX-NETS pk, π, r pk, ψ,s sk c 1 =Enc pk (m 1 ) d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) d 2 =c π(2) e 2 =d ψ(2) m ψ(π(1)) m ψ(π(2)) c 3 =Enc pk (m 3 ) d 3 =c π(3) e 3 =d ψ(3) m ψ(π(3))
ACCOUNTABLE MIX-NETS proof pk, π, r pk, ψ,s sk c 1 =Enc pk (m 1 ) d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) d 2 =c π(2) e 2 =d ψ(2) m ψ(π(1)) m ψ(π(2)) c 3 =Enc pk (m 3 ) Prove that shuffling was correct, send proof to the next server d 3 =c π(3) e 3 =d ψ(3) m ψ(π(3))
ACCOUNTABLE MIX-NETS proof proof c 1 =Enc pk (m 1 ) pk, π, r pk, ψ,s sk d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) c 3 =Enc pk (m 3 ) Prove that shuffling was correct, send proof to the next server d 2 =c π(2) d 3 =c π(3) Verify all previous proofs, shuffle, create your own proof e 2 =d ψ(2) e 3 =d ψ(3) m ψ(π(1)) m ψ(π(2)) m ψ(π(3))
ACCOUNTABLE MIX-NETS proof proof c 1 =Enc pk (m 1 ) pk, π, r pk, ψ,s sk d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) c 3 =Enc pk (m 3 ) Prove that shuffling was correct, send proof to the next server d 2 =c π(2) d 3 =c π(3) Verify all previous proofs, shuffle, create your own proof e 2 =d ψ(2) e 3 =d ψ(3) Verify all proofs m ψ(π(1)) m ψ(π(2)) m ψ(π(3))
ACCOUNTABLE MIX-NETS Anonymity Correctness proof proof c 1 =Enc pk (m 1 ) pk, π, r pk, ψ,s sk d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) d 2 =c π(2) e 2 =d ψ(2) m ψ(π(1)) m ψ(π(2)) c 3 =Enc pk (m 3 ) Prove that shuffling was correct, send proof to the next server d 3 =c π(3) Verify all previous proofs, shuffle, create your own proof e 3 =d ψ(3) Verify all proofs m ψ(π(3))
SHUFFLE ARGUMENT Shuffle argument: efficient zero knowledge argument of correctness of shuffling Mix-server permutes ciphertexts, re-encrypt them and provides a proof that he has done it correctly.
SHUFFLE ARGUMENT Shuffle argument: efficient zero knowledge argument of correctness of shuffling Mix-server permutes ciphertexts, re-encrypt them and provides a proof that he has done it correctly. Existing CRS model arguments not very efficient
CRS-BASED SHUFFLE ARGUMENTS Assumption proposed in that paper, proof in GBGM Assmpt. proposed 2010+, but not in that paper, proof in GBGM Lipmaa-Zhang (2012) Fauzi-Lipmaa (2016) This paper CRS length 7n + 6 8n + 17 3n + 14 Communic. 12n + 11 9n + 2 7n + 3 P comp. (units) 36 19.8 24.3 V comp. (units) 196 126 36.3 GBGM? PSDL, DLIN (comp.) TSDH, PCDH, PSP (comp.) Pure GBGM Soundness KE, PKE (knowledge) Full 2x PKE (knowledge) Culpable Full n: number of ciphertexts (say 100,000) 1 unit = n million machine cycles According to speed records on BN curves
ZERO KNOWLEDGE: CRS MODEL crs
ZERO KNOWLEDGE: CRS MODEL x, w crs
ZERO KNOWLEDGE: CRS MODEL crs x, w x
ZERO KNOWLEDGE: CRS MODEL crs x, w x P(crs,x,w)=π: Proof of x L
ZERO KNOWLEDGE: CRS MODEL crs x, w x P(crs,x,w)=π: Proof of x L V(crs,x,π): Accepts or rejects
ZERO KNOWLEDGE: CRS MODEL td crs x, w x P(crs,x,w)=π: Proof of x L V(crs,x,π): Accepts or rejects
ZERO KNOWLEDGE: CRS MODEL td crs Sim(crs,td,x)=π: Proof of x L x, w x P(crs,x,w)=π: Proof of x L V(crs,x,π): Accepts or rejects
ZERO KNOWLEDGE: CRS MODEL Correctness Soundness Zero knowledge crs td Sim(crs,td,x)=π: Proof of x L x, w x P(crs,x,w)=π: Proof of x L V(crs,x,π): Accepts or rejects
BILINEAR PAIRINGS
BILINEAR PAIRINGS Three cyclic groups of the same order q: G 1, G 2, G T
BILINEAR PAIRINGS Three cyclic groups of the same order q: G 1, G 2, G T Generators g 1 of G 1, g 2 of G 2, g T of G T
BILINEAR PAIRINGS Three cyclic groups of the same order q: G 1, G 2, G T Generators g 1 of G 1, g 2 of G 2, g T of G T Bilinear map: e: G 1 x G 2 G T
BILINEAR PAIRINGS Three cyclic groups of the same order q: G 1, G 2, G T Generators g 1 of G 1, g 2 of G 2, g T of G T Bilinear map: e: G 1 x G 2 G T Requirements: Efficiently computable Non-degeneracy: e (g 1, g 2 ) 1 Bilinearity: e (g 1a, g 2b ) = e (g 1, g 2 ) ab
ASSUMPTIONS & PAIRINGS Inverting pairings should be hard
ASSUMPTIONS & PAIRINGS Inverting pairings should be hard Given e (A, B), compute either A or B
ASSUMPTIONS & PAIRINGS Inverting pairings should be hard Given e (A, B), compute either A or B Analogous to DL: given g a, compute a
ASSUMPTIONS & PAIRINGS Inverting pairings should be hard Given e (A, B), compute either A or B Analogous to DL: given g a, compute a What else should be hard?
NON-GENERIC APPROACH Protocol
NON-GENERIC APPROACH Assumption 1 (known) Protocol Assumption m (known)
NON-GENERIC APPROACH Assumption 1 (known) Protocol Assumption m (known) Assumption m+1 (new) Assumption m+m (new)
NON-GENERIC APPROACH Assumption 1 (known) Protocol Assumption m (known) Assumption m+1 (new) Assumption m+m (new) Generic Model
NON-GENERIC APPROACH Assumption 1 (known) Protocol Assumption m (known) Assumption m+1 (new) Assumption m+m (new) Generic Model Pro: nice if m is not big, or most assumptions are well-known, or
NON-GENERIC APPROACH Assumption 1 (known) Protocol Assumption m (known) Assumption m+1 (new) Assumption m+m (new) Generic Model Pro: nice if m is not big, or most assumptions are well-known, or Con: each arrow might mean a loss in efficiency
GENERIC MODEL APPROACH Protocol Generic Model Con: proof in GGM is only for restricted adversaries Pro: only one arrow, thus smaller loss in efficiency
GENERIC BILINEAR GROUP MODEL Meta-Assumption: adversary only has access to
GENERIC BILINEAR GROUP MODEL Meta-Assumption: adversary only has access to group operations, bilinear map, equality tests
GENERIC BILINEAR GROUP MODEL Meta-Assumption: adversary only has access to group operations, bilinear map, equality tests Each computed element in G i (i=1, 2) is given by group operation of two already known elements
GENERIC BILINEAR GROUP MODEL Meta-Assumption: adversary only has access to group operations, bilinear map, equality tests Each computed element in G i (i=1, 2) is given by group operation of two already known elements Recursively, DL of each computed element is a known polynomial of some indeterminates
GENERIC BILINEAR GROUP MODEL Meta-Assumption: adversary only has access to group operations, bilinear map, equality tests Each computed element in G i (i=1, 2) is given by group operation of two already known elements Recursively, DL of each computed element is a known polynomial of some indeterminates Note: we do not handle G T as a generic group
SOUNDNESS IN GBGM
SOUNDNESS IN GBGM X 1 X s Random variables (TTP)
SOUNDNESS IN GBGM Polynomials (TTP knows X) X 1 [X] = g X {[f 1i (X)] 1 } {[f 2i (X)] 2 } X s Random variables (TTP) CRS (TTP)
SOUNDNESS IN GBGM Polynomials (TTP knows X) Linear combinations (only group operation) X 1 [X] = g X {[f 1i (X)] 1 } {[g 1i (X) =Σ i a 1i f 1i (X)] 1 } {[f 2i (X)] 2 } {[g 2i (X) =Σ i a 2i f 2i (X)] 1 } X s Random variables (TTP) CRS (TTP) Outputs in argument (adversary)
SOUNDNESS IN GBGM Polynomials (TTP knows X) Linear combinations (only group operation) Quadratic tests (can use bilinear map) X 1 [X] = g X V 1 (X)=Σ ij b 1ij h 1i (X) h 2i (X)=0 {[f 1i (X)] 1 } {[g 1i (X) =Σ i a 1i f 1i (X)] 1 } {[f 2i (X)] 2 } {[g 2i (X) =Σ i a 2i f 2i (X)] 1 } V u (X)=Σ ij b uij h 1i (X) h 2i (X)=0 X s Random variables (TTP) CRS (TTP) Outputs in argument (adversary) Verifications (verifier) {h ji } = {f ji, h ji }
SOUNDNESS IN GBGM jth verification equation ascertains V j (X) = 0
SOUNDNESS IN GBGM jth verification equation ascertains V j (X) = 0 Solve system of polynomial equations {V j (X) = 0} in coefficients a ji chosen by the adversary
SOUNDNESS IN GBGM jth verification equation ascertains V j (X) = 0 Solve system of polynomial equations {V j (X) = 0} in coefficients a ji chosen by the adversary Show that solution s coefficients are nice
SOUNDNESS IN GBGM jth verification equation ascertains V j (X) = 0 Solve system of polynomial equations {V j (X) = 0} in coefficients a ji chosen by the adversary Show that solution s coefficients are nice = restricted to be as in the honest case
INTUITION: CONSTRUCTING ARGUMENT Decomposing:
INTUITION: CONSTRUCTING ARGUMENT Decomposing: Write down main building blocks you need to prove in argument
INTUITION: CONSTRUCTING ARGUMENT Decomposing: Write down main building blocks you need to prove in argument Each subargument should be efficiently verifiable (by a single pairing)
INTUITION: CONSTRUCTING ARGUMENT Decomposing: Write down main building blocks you need to prove in argument Each subargument should be efficiently verifiable (by a single pairing) Ascertain each subargument is sound independently
INTUITION: CONSTRUCTING ARGUMENT Decomposing: Write down main building blocks you need to prove in argument Each subargument should be efficiently verifiable (by a single pairing) Ascertain each subargument is sound independently CRS composition:
INTUITION: CONSTRUCTING ARGUMENT Decomposing: Write down main building blocks you need to prove in argument Each subargument should be efficiently verifiable (by a single pairing) Ascertain each subargument is sound independently CRS composition: Compose CRS-s of individual subarguments together, getting one big CRS
INTUITION: CONSTRUCTING ARGUMENT
INTUITION: CONSTRUCTING ARGUMENT
INTUITION: CONSTRUCTING ARGUMENT Soundness check: Is the composed protocol sound? Subarguments get extra inputs in CRS If not: introduce new random variables that guarantee CRS elements are used in only correct subarguments, reiterate
SUBARGUMENTS Permutation matrix argument :
SUBARGUMENTS Permutation matrix argument : Prover commits to permutation; proves this is done correctly
SUBARGUMENTS Permutation matrix argument : Prover commits to permutation; proves this is done correctly Consistency argument :
SUBARGUMENTS Permutation matrix argument : Prover commits to permutation; proves this is done correctly Consistency argument : Prover proves she used the committed permutation to shuffle ciphertexts
SUBARGUMENTS Permutation matrix argument : Prover commits to permutation; proves this is done correctly Consistency argument : Prover proves she used the committed permutation to shuffle ciphertexts Validity argument :
SUBARGUMENTS Permutation matrix argument : Prover commits to permutation; proves this is done correctly Consistency argument : Prover proves she used the committed permutation to shuffle ciphertexts Validity argument : Prover proves each ciphertext has been formed correctly
SUBARGUMENTS Permutation matrix argument : Prover commits to permutation; proves this is done correctly Consistency argument : Prover proves she used the committed permutation to shuffle ciphertexts Validity argument : Prover proves each ciphertext has been formed correctly Correctly: so that the soundness proof goes through
SUBARGUMENTS Permutation matrix argument : Prover commits to permutation; proves this is done correctly Consistency argument : Prover proves she used the committed permutation to shuffle ciphertexts Validity argument : Prover proves each ciphertext has been formed correctly Correctly: so that the soundness proof goes through
PERMUTATION MATRIX ARGUMENT Lemma. A matrix is permutation matrix iff 1. It is stochastic // rows sum to (1,, 1) 2. Each row is 1-sparse At most one coefficient is non-zero
PERMUTATION MATRIX ARGUMENT Lemma. A matrix is permutation matrix iff 1. It is stochastic // rows sum to (1,, 1) 2. Each row is 1-sparse At most one coefficient is non-zero
1-SPARSITY ARGUMENT Commitment:
1-SPARSITY ARGUMENT Commitment: Pi (X) are linearly independent, well-chosen polynomials [A i (X)] i = [a I P I (X) + rx ρ ] i // i = 1, 2
1-SPARSITY ARGUMENT Commitment: Pi (X) are linearly independent, well-chosen polynomials [A i (X)] i = [a I P I (X) + rx ρ ] i // i = 1, 2 Argument: // square span programs
1-SPARSITY ARGUMENT Commitment: Pi (X) are linearly independent, well-chosen polynomials [A i (X)] i = [a I P I (X) + rx ρ ] i // i = 1, 2 Argument: // square span programs [π(x)] 1 = [((a I P I (X) + P 0 (X) + rx ρ ) 2-1) / X ρ ] 1
1-SPARSITY ARGUMENT Commitment: [A i (X)] i = [a I P I (X) + rx ρ ] i // i = 1, 2 Argument: // square span programs [π(x)] 1 = [((a I P I (X) + P 0 (X) + rx ρ ) 2-1) / X ρ ] 1 Verification equation: Pi (X) are linearly independent, well-chosen polynomials
1-SPARSITY ARGUMENT Commitment: [A i (X)] i = [a I P I (X) + rx ρ ] i // i = 1, 2 Argument: // square span programs [π(x)] 1 = [((a I P I (X) + P 0 (X) + rx ρ ) 2-1) / X ρ ] 1 Verification equation: Pi (X) are linearly independent, well-chosen polynomials V (X) := (A 1 (X) + X α + P 0 (X)) (A 2 (X) - X α + P 0 (X)) - π(x) X ρ (1 - X α ) 2
1-SPARSITY ARGUMENT Commitment: [A i (X)] i = [a I P I (X) + rx ρ ] i // i = 1, 2 Argument: // square span programs [π(x)] 1 = [((a I P I (X) + P 0 (X) + rx ρ ) 2-1) / X ρ ] 1 Verification equation: Pi (X) are linearly independent, well-chosen polynomials V (X) := (A 1 (X) + X α + P 0 (X)) (A 2 (X) - X α + P 0 (X)) - π(x) X ρ (1 - X α ) 2 = 0
honest prover: [A i (X)] i = [a I P I (X) + rx ρ ] i SOUNDNESS PROOF: IDEA
honest prover: [A i (X)] i = [a I P I (X) + rx ρ ] i SOUNDNESS PROOF: IDEA In GBGM we know constants a 1i, A 1ρ,, s.t. for X = (X, X ρ, X α, X β, X γ, X sk )
honest prover: [A i (X)] i = [a I P I (X) + rx ρ ] i SOUNDNESS PROOF: IDEA In GBGM we know constants a 1i, A 1ρ,, s.t. for X = (X, X ρ, X α, X β, X γ, X sk ) A 1 (X) = Σ a 1i P i (X) + A 1ρ X ρ + A 1α (X α + P 0 (X)) + A 11 P 0 (X) + CRS: ({[P i (X)] 1 } i, [X ρ ] 1, [X α +P 0 (X)] 1, [P 0 (X)] 1,, ({[P i (X)] 2 } i, [X ρ ] 2, [-X α +P 0 (X)] 2, [1] 2, )
honest prover: [A i (X)] i = [a I P I (X) + rx ρ ] i SOUNDNESS PROOF: IDEA In GBGM we know constants a 1i, A 1ρ,, s.t. for X = (X, X ρ, X α, X β, X γ, X sk ) A 1 (X) = Σ a 1i P i (X) + A 1ρ X ρ + A 1α (X α + P 0 (X)) + A 11 P 0 (X) + A 2 (X) = Σ a 2i P i (X) + A 2ρ X ρ + A 2α (-X α + P 0 (X)) + A 21 + CRS: ({[P i (X)] 1 } i, [X ρ ] 1, [X α +P 0 (X)] 1, [P 0 (X)] 1,, ({[P i (X)] 2 } i, [X ρ ] 2, [-X α +P 0 (X)] 2, [1] 2, )
honest prover: [A i (X)] i = [a I P I (X) + rx ρ ] i SOUNDNESS PROOF: IDEA In GBGM we know constants a 1i, A 1ρ,, s.t. for X = (X, X ρ, X α, X β, X γ, X sk ) A 1 (X) = Σ a 1i P i (X) + A 1ρ X ρ + A 1α (X α + P 0 (X)) + A 11 P 0 (X) + A 2 (X) = Σ a 2i P i (X) + A 2ρ X ρ + A 2α (-X α + P 0 (X)) + A 21 + π (X) = Σ π i P i (X) + π ρ X ρ + π α (X α + P 0 (X)) + π 1 P 0 (X) + CRS: ({[P i (X)] 1 } i, [X ρ ] 1, [X α +P 0 (X)] 1, [P 0 (X)] 1,, ({[P i (X)] 2 } i, [X ρ ] 2, [-X α +P 0 (X)] 2, [1] 2, )
honest prover: [A i (X)] i = [a I P I (X) + rx ρ ] i SOUNDNESS PROOF: IDEA In GBGM we know constants a 1i, A 1ρ,, s.t. for X = (X, X ρ, X α, X β, X γ, X sk ) A 1 (X) = Σ a 1i P i (X) + A 1ρ X ρ + A 1α (X α + P 0 (X)) + A 11 P 0 (X) + A 2 (X) = Σ a 2i P i (X) + A 2ρ X ρ + A 2α (-X α + P 0 (X)) + A 21 + π (X) = Σ π i P i (X) + π ρ X ρ + π α (X α + P 0 (X)) + π 1 P 0 (X) + Verification equation states CRS: ({[P i (X)] 1 } i, [X ρ ] 1, [X α +P 0 (X)] 1, [P 0 (X)] 1,, ({[P i (X)] 2 } i, [X ρ ] 2, [-X α +P 0 (X)] 2, [1] 2, )
honest prover: [A i (X)] i = [a I P I (X) + rx ρ ] i SOUNDNESS PROOF: IDEA In GBGM we know constants a 1i, A 1ρ,, s.t. for X = (X, X ρ, X α, X β, X γ, X sk ) A 1 (X) = Σ a 1i P i (X) + A 1ρ X ρ + A 1α (X α + P 0 (X)) + A 11 P 0 (X) + A 2 (X) = Σ a 2i P i (X) + A 2ρ X ρ + A 2α (-X α + P 0 (X)) + A 21 + π (X) = Σ π i P i (X) + π ρ X ρ + π α (X α + P 0 (X)) + π 1 P 0 (X) + Verification equation states V(X) = (A 1 (X) + X α + P 0 (X)) (A 2 (X) - X α + P 0 (X)) - π(x) X ρ (1 - X α ) 2 = 0 CRS: ({[P i (X)] 1 } i, [X ρ ] 1, [X α +P 0 (X)] 1, [P 0 (X)] 1,, ({[P i (X)] 2 } i, [X ρ ] 2, [-X α +P 0 (X)] 2, [1] 2, )
honest prover: [A i (X)] i = [a I P I (X) + rx ρ ] i SOUNDNESS PROOF: IDEA In GBGM we know constants a 1i, A 1ρ,, s.t. for X = (X, X ρ, X α, X β, X γ, X sk ) A 1 (X) = Σ a 1i P i (X) + A 1ρ X ρ + A 1α (X α + P 0 (X)) + A 11 P 0 (X) + A 2 (X) = Σ a 2i P i (X) + A 2ρ X ρ + A 2α (-X α + P 0 (X)) + A 21 + π (X) = Σ π i P i (X) + π ρ X ρ + π α (X α + P 0 (X)) + π 1 P 0 (X) + Verification equation states V(X) = (A 1 (X) + X α + P 0 (X)) (A 2 (X) - X α + P 0 (X)) - π(x) X ρ (1 - X α ) 2 = 0 Goal: find coefficients s.t. verification equation is satisfied CRS: ({[P i (X)] 1 } i, [X ρ ] 1, [X α +P 0 (X)] 1, [P 0 (X)] 1,, ({[P i (X)] 2 } i, [X ρ ] 2, [-X α +P 0 (X)] 2, [1] 2, )
SOLVING SYSTEM OF POL. EQUATIONS
SOLVING SYSTEM OF POL. EQUATIONS Goal: find coefficients s.t. V (X) = 0
SOLVING SYSTEM OF POL. EQUATIONS Goal: find coefficients s.t. V (X) = 0 Step 1: V (X) = 0 iff each coefficient [X α j X ρ k ] V (X) = 0
SOLVING SYSTEM OF POL. EQUATIONS Goal: find coefficients s.t. V (X) = 0 Step 1: V (X) = 0 iff each coefficient [X α j X ρ k ] V (X) = 0 This is a system of polynomial equations and a nasty one of more than 20 polynomial equations
SOLVING
SOLVING Used a mixture of computer algebra system and manual labor
SOLVING Used a mixture of computer algebra system and manual labor 1. Use linear independence of P i (X) to split some coefficients
SOLVING Used a mixture of computer algebra system and manual labor 1. Use linear independence of P i (X) to split some coefficients 2. Construct Gröbner basis of system of polynomial equations Needs(?) a CAS
SOLVING Used a mixture of computer algebra system and manual labor 1. Use linear independence of P i (X) to split some coefficients 2. Construct Gröbner basis of system of polynomial equations Needs(?) a CAS 3. Solve the Gröbner basis Can be done manually or by using CAS
SOLVING Used a mixture of computer algebra system and manual labor 1. Use linear independence of P i (X) to split some coefficients 2. Construct Gröbner basis of system of polynomial equations Needs(?) a CAS 3. Solve the Gröbner basis Can be done manually or by using CAS Obtain that A i (X) = a I P I (X) => Sound
THANK YOU!