U-Prove Range Proof Extension
Draft Revision 1
Microsoft Research
Author: Mira Belenkiy
June 2014
© 2014 Microsoft Corporation. All rights reserved. This document is provided "as-is." Information and views expressed in this
document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. This
document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use
this document for your internal, reference purposes.
Summary
This document extends the U-Prove Cryptographic Specification [UPCS] by specifying set membership proofs.
This allows proving that a committed value is less than, less than or equal to, greater than, or greater than or
equal to another (committed) value.
U-Prove Range Proof Extension
June 2014
Contents
Summary ...................................................................................................................................................................... 1
1
2
3
Introduction ......................................................................................................................................................... 3
1.1
Notation ...................................................................................................................................................... 3
1.2
Feature overview ........................................................................................................................................ 5
Protocol specification ......................................................................................................................................... 5
2.1
Common Protocols ..................................................................................................................................... 6
2.2
Presentation ............................................................................................................................................... 8
2.3
Verification ................................................................................................................................................ 15
Security Considerations .................................................................................................................................... 18
References ................................................................................................................................................................. 18
List of Figures
Figure 1: EQProofParams. ........................................................................................................................................... 7
Figure 2: RangeProve .................................................................................................................................................. 8
Figure 3: ComputeC ..................................................................................................................................................... 9
Figure 4: GetBitProofs. .............................................................................................................................................. 10
Figure 5: GenerateBitDecomposition ....................................................................................................................... 11
Figure 6: DefaultBitDecomposition .......................................................................................................................... 11
Figure 7: ComputeD................................................................................................................................................... 12
Figure 8: ComputeX. .................................................................................................................................................. 12
Figure 9: ComputeE ................................................................................................................................................... 13
Figure 10: MainProof. ................................................................................................................................................ 14
Figure 11: EqualityOfDL. ........................................................................................................................................... 15
Change history
Version
Revision 1
Microsoft Research
Description
Initial draft
Page 2
U-Prove Range Proof Extension
June 2014
1 Introduction
This document extends the U-Prove Cryptographic Specification [UPCS] by specifying range proofs. The Prover
will prove to the Verifier that a committed value is less than, less than or equal to, greater than, or greater than
or equal to another (committed) value.
The Prover knows a secret value π, and will prove to the Verifier an inequality relation between π and another
value π that may or may not be known to the Verifier. The Prover and Verifier have as common input a pair of
generators π, β β πΊπ . The Prover will create one of the following proofs:
πβ = ππΎ{πΌ, π½, πΎ, πΏ|πΆπ΄ = πβ βπΎ β© πΆπ΅ = ππ½ βπΏ β© ββ π½}
or
πβ = ππΎ{πΌ, πΎ|πΆπ΄ = πβ βπΎ β© ββ b}
where β β {<, β€, >, β₯}. The Prover knows assignments for (πΌ, π½, πΎ, πΏ).
The proof relies on comparing the bit decompositions of π and π. The Prover computes Pedersen commitments
to the bit decompositions and then proves they are formed correctly. Then, the Prover compares each π bit prefix
of π and π; the results of the comparisons are stored in helper commitments π·π . The Prover creates an Equality
Proof to show that the π·π are computed correctly. The committed value in π·πβ1 is equal to {β1,0,1} depending
on the relationship between π and π. The Prover adds an auxiliary proof showing that the committed value in
π·πβ1 is equal to the appropriate value given β.
The U-Prove Cryptographic Specification [UPCS] allows the Prover, during the token presentation protocol, to
create a Pedersen Commitment and show that the committed value is the equal to a particular token attribute.
The Prover MAY use this Pedersen Commitment as either πΆπ΄ or πΆπ΅ . The Issuance and Token Presentation
protocols are unaffected by this extension. The Prover may choose to create a range proof after these two
protocols complete.
The committed values in πΆπ΄ and πΆπ΅ MUST NOT be hashed. If any of these values are U-Prove token attributes,
the attributes also MUST NOT be hashed.
The Range Proof protocol makes use of the following U-Prove Extensions: Set Membership Proof Extension
[EXSM], Bit Decomposition Extension [EXBD], and Equality Proof Extension [EXEQ].
1.1 Notation
In addition to the notation defined in [UPCS], the following notation is used throughout the document. The range
proof consists of many sub-protocols; local variables are omitted from this list unless they consistently appear
with the same meaning/value.
π
Value to be compared to π, known only to Prover.
π
Value to be compared to π, MAY be known to Verifier.
πΆπ΄
Pedersen Commitment to π. IOnly Prover knowns opening.
πΆπ΅
Pedersen Commitment to π, or null if Verifier knows π.
ππΌπ πΎπππ€π
Microsoft Research
True if Verifier knows π.
Page 3
U-Prove Range Proof Extension
June 2014
πππ
A value in the set{<, β€, >, β₯} indicating the relationship between π
and π that needs to be proven.
Minimum possible value for π and π.
πππ₯
Maximum possible value for π and π.
β, πππππππ¦ππ
β³
π΄ΜΏπ
πΜΏπ,π
π₯ΜΏπ,π
πβ = (π0 , π0 ), (π1 , π1 ), β¦ , (ππβ1 , ππβ1 )
πββ = (π0 , π 0 ), (π1 , π 1 ) β¦ , (ππβ1 , π πβ1 )
πβ = (π0 , π¦0 ), (π1 , π¦1 ) β¦ , (ππβ1 , π¦πβ1 )
πβ = (π1 , π‘1 ) β¦ , (ππβ1 , π‘πβ1 )
πβ = (π1 , π1 ) β¦ , (ππβ1 , ππβ1 )
π₯β = (π1 , π1 ) β¦ , (ππβ1 , ππβ1 )
π΄β=π΄0 , π΄1 , β¦ , π΄πβ1
ββ = π΅0 , π΅1 , β¦ , π΅πβ1
π΅
Pedersen Commitments to πββ.
πΆβ = πΆ0 , πΆ1 , β¦ , πΆπβ1
Pedersen Commitments to πβ.
ββ = π·1 , β¦ , π·πβ1
π·
Pedersen Commitment to πβ.
πΈββ = πΈ1 , β¦ , πΈπβ1
Pedersen Commitment to πβ.
πβ = π1 , β¦ , ππβ1
Pedersen Commitment to π₯β.
ππ΄
ππ΅
Microsoft Research
An equality map, as defined in U-Prove Equality Proof Extension
[EXEQ]. Range proofs require multiple different equality maps; this
document uses local variable β³ to refer to a map.
The value of a DL Equation, as defined in U-Prove Equality Proof
Extension [EXEQ]. Range proofs create multiple different equality
proofs; this document uses local variable π΄ΜΏπ to refer to the DL
Equation values.
The bases of a DL Equation, as defined in U-Prove Equality Proof
Extension [EXEQ]. Range proofs create multiple different equality
proofs; this document uses local variable πΜΏπ,π to refer to the DL
Equation bases.
The witnesses (exponents) for a DL Equation, as defined in U-Prove
Equality Proof Extension [EXEQ]. Range proofs create multiple
different equality proofs; this document uses local variable π₯ΜΏπ,π to
refer to the DL Equation witnesses.
The opening information for Pedersen Commitments π΄β. The ππ
contain the bit decomposition of π β πππ, while the ππ are the second
exponent.
ββ. The ππ
The opening information for Pedersen Commitments π΅
contain the bit decomposition of π β πππ, while the π π are the second
exponent. If the Verifier knows b, then π π = 0.
The opening information for Pedersen Commitments πΆβ. The ππ
contain the difference between πβ and πββ: ππ = ππ β ππ , while the π¦π are
the second exponent.
ββ. Each ππ
The opening information for Pedersen Commitments π·
stores the inequality relationship between the π least significant bits
of π and π, represented as a value in {β1,0,1}. The π‘π are the second
exponent.
The opening information for Pedersen Commitments πΈββ . Each ππ is
actually equal to ππβ1, while the ππ are the second exponent.
The opening information for Pedersen Commitments πβ. Each ππ is
actually equal to the ππ in πβ, while the ππ are the second exponent.
Pedersen Commitments to πβ.
Proof that π΄β is a valid commitment to the bit decomposition of π β
πππ.
ββ is a valid commitment to the bit decomposition of π β
Proof that π΅
πππ. Null if the Verifier knows π.
Page 4
U-Prove Range Proof Extension
June 2014
ππΆ
ββ and πβ are formed correctly.
Main equality proof showing that π·
ππ·
Auxiliary proof showing that π·πβ1 contains the correct value; either
and equality proof or a set membership proof.
πβπ΄
Choose π uniformly at random from set π΄.
The key words βMUSTβ, βMUST NOTβ, βSHOULDβ, βRECOMMENDEDβ, βMAYβ, and βOPTIONALβ in this document
are to be interpreted as described in [RFC 2119].
1.2 Feature overview
The Prover knows the opening of a Pedersen Commitments πΆπ΄ = ππ βπ and πΆπ΅ = ππ β π (optionally, π may be
public knowledge). The Prover needs to show that the relationship π β π holds, where β β {<, β€, >, β₯} is also
known to the Verifier. For efficiency, the Prover and Verifier both know that π and π fall inside the range
[πππ, πππ₯]. The Prover will create a special-honest verifier zero-knowledge proof of knowledge that the Prover
knows a tuple of values (π, π, π, π ) such that:
1
2
3
πΆπ΄ = ππ βπ .
πΆπ΅ = ππ β π .
The relationship π β π holds, where β β {<, β€, >, β₯} .
The range proof consists of the following components:
1. Pedersen commitments π΄0 , π΄1 , β¦ , π΄πβ1 to the bit decomposition of π β πππ, as well as a Bit
Decomposition Proof [EXBD] showing the π΄π are constructed correctly.
2. (Optional) Pedersen commitments π΅0 , π΅1 , β¦ , π΅πβ1 to the bit decomposition of π β πππ, as well as a Bit
Decomposition Proof [EXBD] showing the π΅π are constructed correctly.
3. Pedersen commitments π0 , β¦ , ππβ1 to ππ = (ππ β ππ )2 . These are helper values
4. Pedersen commitments π·1 , β¦ , π·πβ1 to ππ β {β1,0,1}, which represents the inequality relationship
between the π least significant bits of π and π. We compute it as follows:
ππ = {
ππ β ππ
π=0
ππβ1 β ππβ1 (ππ β ππ )2 + (ππ β ππ ) π > 0
5. An Equality Proof [EXEQ] showing the ππ and π·π are formed correctly.
6. An auxiliary proof showing that π·πβ1 is a commitment to the appropriate value in {β1,0,1} given the type
of inequality relationship the Prover is trying to prove.
2 Protocol specification
As the range proof can be performed independently of the U-Prove token presentation protocols, the common
parameters consist simply of the group πΊπ , two generators π and β, and a cryptographic function β. The
commitments πΆπ΄ and πΆπ΅ MAY be generated by the Prover.
The remaining parameters may be chosen by either the Prover or Verifier: The values πππ and πππ₯ indicate the
maximum span for secret values π and π. The variable ππΌπ πΎπππ€π indicates whether the Verifier knows π. The
πππππππ¦ππ indicates the inequality relationship between π and π that the Prover wishes to demonstrate.
Microsoft Research
Page 5
U-Prove Range Proof Extension
June 2014
2.1 Common Protocols
The main body of the range proof is an Equality Proof defined in the U-Prove Equality Proof Extension [EXEQ]
EQProofParams() returns the common parameters for the main proof. It generates an equality map β³ and sets
π β1 πΌπ,π
up the DL equations π΄ΜΏπ = β π πΜΏ where the π΄ΜΏπ and πΜΏπ,π are public values returned by this protocol, while the
π=0
π,π
πΌπ,π are secret values known only to the Prover.
Microsoft Research
Page 6
U-Prove Range Proof Extension
June 2014
EQProofParams ( )
Input
Parameters: πππ π(πΊπ ),UIDβ , π, β
Commitment to π/π: πΆβ = πΆ0 , πΆ1 , β¦ , πΆπβ1
ββ = π·1 , β¦ , π·πβ1
Commitment to π: π·
Commitment to (π/π)2 : πβ = π1 , β¦ , ππβ1
Commitment to π: πΈββ = πΈ1 , β¦ , πΈπβ1
Computation
β³ββ
ππ βΆ= 0
// π·π = ππΏπ β
βππ
For π βΆ= 0 to π β 1
β³. π΄ππ(("delta", π), (ππ ,0))
π΄ΜΏππ β π·π
πΜΏππ ,0 β π
πΜΏππ ,1 β β
ππ β ππ + 1
End
// π΄π /π΅π = π ππ β
βππ
For π βΆ= 1 to π β 1
β³. π΄ππ(("chi", π), (ππ ,0))
π΄ΜΏππ β πΆπ
πΜΏππ ,0 β π
πΜΏππ ,1 β β
ππ β ππ + 1
End
// ππ = (π΄π /π΅π ) ππ β
βππ
For π βΆ= 1 to π β 1
β³. π΄ππ(("chi", π), (ππ ,0))
π΄ΜΏππ β ππ
πΜΏππ ,0 β πΆπ
1ββ
ππ β ππ + 1
End
// πΈπ = (ππβ1 )πΏπβ1 β
βππ
For π βΆ= 0 to π β 1
β³. π΄ππ(("delta", π β 1), (ππ ,0))
π΄ΜΏππ β πΈπ
πΜΏππ ,0 β ππβ1
πΜΏππ ,1 β β
ππ β ππ + 1
End
Output
Return β³, π΄ΜΏ, πΜΏ
Figure 1: EQProofParams.
Microsoft Research
Page 7
U-Prove Range Proof Extension
June 2014
2.2 Presentation
The Prover calls RangeProve to generate a range proof. We break up the range proof presentation protocol into
various sub-protocols for ease of exposition. The range proof also requires calling protocols from Bit
Decomposition Proof [EXBD], Set Membership Proof [EXSM], and Equality Proof [EXEQ].
RangeProve( )
Input
Parameters: desc(πΊπ ), UIDβ , π, β, πππ, πππ₯, ππΌπ πΎπππ€π, π, πππππππ¦ππ
Commitment to π: πΆπ΄
Opening information to πΆπ΄ : π, π
Commitment to π: πΆπ΅
Opening information to πΆπ΅ : π, π
Computation
ββ, πββ, ππ΅
π΄β, πβ, ππ΄ , π΅
β GetBitProofs(desc(πΊπ ), UIDβ , π, β, πππ, πππ₯, ππΌπ πΎπππ€π, πΆπ΄ , π, π, πΆπ΅ , π, π )
πΆβ, πβ β ComputeC(π΄β, πβ, ββββ
π΅ , πββ)
βπ·β, πβ β ComputeD(desc(πΊπ ), π, β, πΆβ, πβ)
πβ, π₯β β ComputeX(desc(πΊπ ), π, β, πΆβ, πβ)
ββ, πβ, πβ, π₯β)
πΈββ , πβ β ComputeE(desc(πΊπ ), π, β, πΆβ, πβ, π·
ββ, πβ, πΈββ )
β³, π΄ΜΏ, πΜΏ β EQProofParams(πππ π(πΊπ ), π, β, πΆβ , π·
ππΆ β MainProof(desc(πΊπ ), UIDβ , π, β, π, β³, π΄ΜΏ, πΜΏ , πβ, πβ, π₯β, πβ)
If πππππππ¦ππ π’π¬ > then
ππ· β EqualityOfDL(desc(πΊπ ), UIDβ , π, β, 1, π·πβ1 , (ππβ1 , π‘πβ1 ))
Else if πππππππ¦ππ π’π¬ < then
ππ· β EqualityOfDL(desc(πΊπ ), UIDβ , π, β, β1, π·πβ1 , (ππβ1 , π‘πβ1 ))
Else if πππππππ¦ππ π’π¬ β₯ then
ππ· β SetMembershipProve(desc(πΊπ ), UIDβ , π, β, {0,1}, π·πβ1 , (ππβ1 , π‘πβ1 ))
Else
ππ· β SetMembershipProve(desc(πΊπ ), UIDβ , π, β, {0,1}, π·πβ1 , (ππβ1 , π‘πβ1 ))
End
If ππΌπ πΎπππ€π then
ββ β β
π΅
End
Output
ββ, π·
ββ, πβ, ππ΄ , ππ΅ , ππΆ , ππ·
Return π΄β, π΅
Figure 2: RangeProve
The range proof requires dividing the bit decomposition of π΄ by the bit decomposition of π΅ to get an array of
Pedersen commitments πΆβ and their openings πβ. This step is performed in the function ComputeC().
Microsoft Research
Page 8
U-Prove Range Proof Extension
June 2014
ComputeC ( )
Input
Parameters: πππ π(πΊπ )
Commitment to π: π΄β = π΄0 , π΄1 , β¦ , π΄πβ1
Opening information to π΄π : πβ = (π0 , π0 ), (π1 , π1 ), β¦ , (ππβ1 , ππβ1 )
ββ = π΅0 , π΅1 , β¦ , π΅πβ1
Commitment to π: π΅
Opening information to π΅π : πββ = (π0 , π 0 ), (π1 , π 1 ) β¦ , (ππβ1 , π πβ1 )
Computation
For π = 0 to π β 1
ππ β ππ β ππ
π¦π β ππ β π π
πΆπ β π΄π /π΅π
End
πΆβ β πΆ0 , πΆ1 , β¦ , πΆπβ1
πβ β (π0 , π¦0 ), (π, π¦1 ) β¦ , (π, π¦πβ1 )
Output
Return πΆβ, πβ
Figure 3: ComputeC
The range proof performs bit decompositions of π and π with the help of protocols from U-Prove Bit
Decomposition Extension [EXBD]. For efficiency, it normalizes the range from [πππ, πππ₯] to [0, πππ₯ β πππ]. This
step is important since the length of the range proof depends on the length of the bit decomposition. If the value
of π is known to the Verifier, the Prover will generate a default Pedersen Commitments to the bit decomposition
of π and omit the bit decomposition proof.
Microsoft Research
Page 9
U-Prove Range Proof Extension
June 2014
GetBitProofs( )
Input
Parameters: desc(πΊπ ), UIDβ , π, β, πππ, πππ₯, ππΌπ πΎπππ€π,
Commitment to π: πΆπ΄
Opening information to πΆπ΄ : π, π
Commitment to π: πΆπ΅
Opening information to πΆπ΅ : π, π
Computation
π β βlog 2 (πππ₯ β πππ)β
πΜ β π β πππ
πΆΜπ΄ β πΆπ΄ β πβπππ
π΄β, πβ β GenerateBitDecomposition(πππ π(πΊπ ), π, β, π, πΆΜπ΄ , πΜ, π)
ππ΄ β BitDecompositionProve(πππ π(πΊπ ), UIDβ , π, β, πΆΜπ΄ , π΄β, πβ)
πΜ β π β πππ
If ππΌπ πΎπππ€π then
Μ
πΆΜπ΅ β ππ
ββ, πββ β DefaultBitDecomposition(πππ π(πΊπ ), π, β, π, πΜ)
π΅
ππ΅ β β
Else
πΆΜπ΅ β πΆπ΅ β πβπππ
ββ, πββ β GenerateBitDecomposition(πππ π(πΊπ ), π, β, π, πΆΜπ΅ , πΜ, π )
π΅
ββ, πββ)
ππ΅ β BitDecompositionProve(πππ π(πΊπ ), UIDβ , π, β, πΆΜπ΅ , π΅
End
Output
ββ, πββ, ππ΅
Return π΄β, πβ, ππ΄ , π΅
Figure 4: GetBitProofs.
The following two protocols generate a bit decomposition of an integer π₯ and return Pedersen Commitments and
their openings to this decomposition. GenerateBitDecomposition() generates random Pedersen Commitments,
while DefaultBitDecomposition() sets the second exponent to 0.
Microsoft Research
Page 10
U-Prove Range Proof Extension
June 2014
GenerateBitDecomposition( )
Input
Parameters: πππ π(πΊπ ), π, β, π
Commitment to π₯: πΆ
Opening information to πΆ: π₯, π¦
Computation
π₯0 , π₯1 , β¦ , π₯πβ1 β bit decomposition of π₯
π¦0 , π¦, β¦ , π¦πβ1 β β€βπ
For π βΆ= 0 to π β 1
πΆπ β π π₯π β π¦π
End
πΆβ β πΆ0 , πΆ1 , β¦ , πΆπβ1
π₯β β (π₯0 , π¦0 ), (π₯1 , π¦1 ), β¦ , (π₯πβ1 , π¦πβ1 )
Output
Return πΆβ, π₯β
Figure 5: GenerateBitDecomposition
DefaultBitDecomposition( )
Input
Parameters: πππ π(πΊπ ), π, β, π
Integer: π₯
Computation
π₯0 , π₯1 , β¦ , π₯πβ1 β bit decomposition of π₯
π¦0 , π¦, β¦ , π¦πβ1 β 0,0, β¦ ,0
For π βΆ= 0 to π β 1
πΆπ β π π₯π
End
πΆβ β πΆ0 , πΆ1 , β¦ , πΆπβ1
π₯β β (π₯0 , π¦0 ), (π₯1 , π¦1 ), β¦ , (π₯πβ1 , π¦πβ1 )
Output
Return πΆβ, π₯β
Figure 6: DefaultBitDecomposition
The range proof compares A to B bit by bit. It does so by computing Pedersen commitments π·1 , β¦ , π·πβ1 to ππ β
{β1,0,1}, which represents the inequality relationship between the π least significant bits of π and π. We compute
the ππ as follows:
ππ = {
ππ β ππ
π=0
ππβ1 β ππβ1 (ππ β ππ )2 + (ππ β ππ ) π > 0
The function ComputeD() takes as input ππ = ππ β ππ , which is substituted into the above formula.
Microsoft Research
Page 11
U-Prove Range Proof Extension
June 2014
ComputeD ( )
Input
Parameters: πππ π(πΊπ ), π, β
Commitment to π/π: πΆβ = πΆ0 , πΆ1 , β¦ , πΆπβ1
Opening information to πΆπ : πβ = (π0 , π¦0 ), (π1 , π¦1 ) β¦ , (ππβ1 , π¦πβ1 )
Computation
π0 β π0
For π βΆ= 1 to π β 1
ππ β ππβ1 β ππβ1 ππ 2 + ππ
π‘π β β€βπ
π·π β πππ βπ‘π
End
ββ β π·1 , β¦ , π·πβ1
π·
πβ β (π1 , π‘1 ), β¦ , (ππβ1 , π‘πβ1 )
Output
ββ, πβ
Return π·
Figure 7: ComputeD.
π
Proving that the π·π are formed correctly requires helper values ππ = πΆπ π βππ .
ComputeX ( )
Input
Parameters: πππ π(πΊπ ), π, β
Commitment to π/π: πΆβ = πΆ0 , πΆ1 , β¦ , πΆπβ1
Opening information to πΆπ : πβ = (π0 , π¦0 ), (π1 , π¦1 ) β¦ , (ππβ1 , π¦πβ1 )
Computation
For π βΆ= 1 to π β 1
ππ β β€βπ
π
ππ β πΆπ π βππ
End
πβ β π1 , β¦ , ππβ1
π₯β β (π₯1 , π1 ), β¦ , (π₯πβ1 , ππβ1 )
Output
Return πβ, π₯β
Figure 8: ComputeX.
Microsoft Research
Page 12
U-Prove Range Proof Extension
June 2014
Proving that the π·π are formed correctly also requires helper values πΈπ = (ππβ1 )ππβ1 βππ = π·π β
(π·πβ1 )β1 β
(πΆπ )β1 .
ComputeE ( )
Input
Parameters: πππ π(πΊπ ), π, β
Commitment to π/π: πΆβ = πΆ0 , πΆ1 , β¦ , πΆπβ1
Opening information to πΆβ: πβ = (π0 , π¦0 ), (π1 , π¦1 ) β¦ , (ππβ1 , π¦πβ1 )
ββ = π·1 , β¦ , π·πβ1
Commitment to π: π·
ββ: πβ = (π1 , π‘1 ) β¦ , (ππβ1 , π‘πβ1 )
Opening information to π·
2
Commitment to (π/π) : πβ = π1 , β¦ , ππβ1
Opening information to πβ: π₯β = (π1 , π1 ) β¦ , (ππβ1 , ππβ1 )
Computation
For π βΆ= 1 to π β 1
ππ β π‘π β π‘πβ1 + π¦π + (ππβ1 β
π¦π β
ππ ) + (ππβ1 β
ππ )
πΈπ β (ππβ1 )ππβ1 βππ
End
πΈββ β πΈ1 , β¦ , πΈπβ1
πβ β (π1 , π1 ), β¦ , (ππβ1 , ππβ1 )
Output
Return πΈββ , πβ
Figure 9: ComputeE
ββ, πβ, πΈββ are formed correctly.
The main body of the range proof is an Equality Proof [EXEQ] showing that π·
Microsoft Research
Page 13
U-Prove Range Proof Extension
June 2014
MainProof ( )
Input
Parameters: πππ π(πΊπ ), UIDβ , π, β,
EQ Proof parameters: β³, π΄ΜΏ, πΜΏ
Opening information to πΆβ: πβ = (π0 , π¦0 ), (π1 , π¦1 ) β¦ , (ππβ1 , π¦πβ1 )
ββ: πβ = (π1 , π‘1 ) β¦ , (ππβ1 , π‘πβ1 )
Opening information to π·
Opening information to πβ: π₯β = (π1 , π1 ) β¦ , (ππβ1 , ππβ1 )
Opening information to πΈββ : πβ β (π1 , π1 ), β¦ , (ππβ1 , ππβ1 )
Computation
π₯ΜΏ β β
ππ βΆ= 0
// π·π = ππΏπ β
βππ
For π βΆ= 0 to π β 1
π₯ΜΏππ ,0 β ππ
π₯ΜΏππ ,1 β π‘π
ππ β ππ + 1
End
// π΄π /π΅π = π ππ β
βππ
For π βΆ= 1 to π β 1
π₯ΜΏππ ,0 β ππ
π₯ΜΏππ ,1 β π¦π
ππ β ππ + 1
End
// ππ = (π΄π /π΅π ) ππ β
βππ
For π βΆ= 1 to π β 1
π₯ΜΏππ ,0 β ππ
π₯ΜΏππ ,1 β ππ
ππ β ππ + 1
End
// πΈπ = (ππβ1 )πΏπβ1 β
βππ
For π βΆ= 0 to π β 1
π₯ΜΏππ ,0 β ππ
π₯ΜΏππ ,1 β ππ
ππ β ππ + 1
End
ππΆ β EqualityProve(πππ π(πΊπ ),UIDβ , π΄ΜΏ, πΜΏ , β³, π₯ΜΏ )
Output
Return ππΆ
Figure 10: MainProof.
EqualityOfDL is a small helper proof that shows that π· = ππ β
βπ‘ is a Pedersen Commitment to some integer π₯
known to the Verifier. The protocol generates an Equality Proof [EXEQ].
Microsoft Research
Page 14
U-Prove Range Proof Extension
June 2014
EqualityOfDL ( )
Input
Parameters: πππ π(πΊπ ),UIDβ , π, β, π₯
Commitment to π: π·
Opening information to π·: (π, π‘)
Computation
β³ββ
π΄ΜΏ0 = π· β
πβπ₯
πΜΏ0,0 β β
π₯ΜΏ0,0 β π‘
π β EqualityProve(πππ π(πΊπ ),UIDβ , π΄ΜΏ, πΜΏ , β³, π₯ΜΏ )
Output
Return π
Figure 11: EqualityOfDL.
2.3 Verification
The Verifier receives the common parameters, as well as commitments to π and π and the proof. The Verifier
returns true if the verification passes, false otherwise. Verification requires checking the bit decomposition
proofs ππ΄ and ππ΅ , the main equality proof ππΆ , and the auxiliary proof ππ· that depends on the proof type.
Microsoft Research
Page 15
U-Prove Range Proof Extension
June 2014
RangeVerify( )
Input
Parameters: desc(πΊπ ), UIDβ , π, β, πππ, πππ₯, ππΌπ πΎπππ€π, π, πππππππ¦ππ
Commitment to π: πΆπ΄
Commitment to π: πΆπ΅
ββ, π·
ββ, πβ, ππ΄ , ππ΅ , ππΆ , ππ·
Proof: π΄β, π΅
Computation
π β π‘ππ’π
π: = π πππ BitDecompositionVerify(desc(πΊπ ), UIDβ , π, β, πΆπ΄ /ππππ , π΄β, ππ΄ )
If ππΌπ πΎπππ€π then
ββ, πββ β DefaultBitDecomposition(πππ π(πΊπ ), π, β, π, π β πππ)
π΅
Else
ββ, ππ΅ )
π: = π πππ BitDecompositionVerify(desc(πΊπ ), UIDβ , π, β, πΆπ΅ /ππππ , π΅
End
ββ)
πΆβ β ComputeClosedC(desc(πΊπ ), π΄β, π΅
ββ, πΆβ)
πΈββ β ComputeClosedE(desc(πΊπ ), π·
ΜΏ
ββ, πβ, πΈββ )
β³, π΄, πΜΏ β EQProofParams(πππ π(πΊπ ), π, β, πΆβ , π·
π β π πππ EqualityVerify(desc(πΊπ ), UIDβ , π΄ΜΏ, πΜΏ , β³, ππΆ )
If πππππππ¦ππ π’π¬ > then
π β π πππ EqualityOfDLVerify(desc(πΊπ ), UIDβ , π, β, π·πβ1 , 1, ππ· )
Else if πππππππ¦ππ π’π¬ < then
π β π πππ EqualityOfDLVerify(desc(πΊπ ), UIDβ , π, β, π·πβ1 , β1, ππ· )
Else if πππππππ¦ππ π’π¬ β₯ then
π β π πππ SetMembershipVerify(desc(πΊπ ), UIDβ , π, β, π·πβ1 , {0,1}, ππ· )
Else
π β π πππ SetMembershipProve(desc(πΊπ ), UIDβ , π, β, π·πβ1 , {β1,0}, ππ· )
End
Output
Return π
The Verifier uses the function ComputeClosedC() to compute πΆπ = π΄π /π΅π , which are needed to verify ππΆ .
Microsoft Research
Page 16
U-Prove Range Proof Extension
June 2014
ComputeClosedC ( )
Input
Parameters: πππ π(πΊπ )
Commitment to π: π΄β = π΄0 , π΄1 , β¦ , π΄πβ1
ββ = π΅0 , π΅1 , β¦ , π΅πβ1
Commitment to π: π΅
Computation
For π βΆ= 0 to π β 1
πΆπ β π΄π /π΅π
End
πΆβ β πΆ0 , πΆ1 , β¦ , πΆπβ1
Output
Return πΆβ
The Verifier calls function ComputeClosedE() to compute πΈπ = π·π β
(π·πβ1 )β1 β
πΆπβ1 , which are needed to
verify ππΆ .
ComputeClosedE ( )
Input
Parameters: πππ π(πΊπ )
ββ = π·1 , β¦ , π·πβ1
Commitment to π: π·
Commitment to π: πΆβ = πΆ0 , πΆ1 , β¦ , πΆπβ1
Computation
π·0 β πΆ0
For π βΆ= 1 to π β 1
πΈπ β π·π β
(π·πβ1 )β1 β
πΆπβ1
End
πΈββ β πΈ0 , πΈ1 , β¦ , πΈπβ1
Output
Return πΈββ
The Verifier calls EqualityOfDLVerify to check that π· is a Pedersen Commitment to π₯.
Microsoft Research
Page 17
U-Prove Range Proof Extension
June 2014
EqualityOfDLVerify ( )
Input
Parameters: πππ π(πΊπ ),UIDβ , π, β, π₯
Commitment to π: π·
Proof: π
Computation
β³ββ
π΄ΜΏ0 β π· β
πβπ₯
πΜΏ0,0 β β
πππ π β EqualityVerify(πππ π(πΊπ ),UIDβ , π΄ΜΏ, πΜΏ , β³, π)
Output
Return πππ π
3 Security Considerations
The range proof invokes protocols from U-Prove Equality Proof Extension [EXEQ], U-Prove Bit Decomposition
Extension [EXBD], and U-Prove Set Membership Proof Extension [EXSM]. Its security relies on their security. The
following restriction apply:
ο·
The Prover and the Verifier MUST NOT know the relative discrete logarithm log π β of the generators π
and β. This is not an issue if the generators are chosen from the list of U-Prove recommended
parameters.
References
[Brands]
Stefan Brands. Rethinking Public Key Infrastructures and Digital Certificates. The MIT Press,
August 2000. http://www.credentica.com/the_mit_pressbook.html.
[EXBD]
Mira Belenkiy. U-Prove Bit Decomposition Extension. Microsoft, June 2014.
http://www.microsoft.com/u-prove.
[EXEQ]
Mira Belenkiy. U-Prove Equality Proof Extension. Microsoft, June 2014.
http://www.microsoft.com/u-prove.
[EXSM]
Mira Belenkiy. U-Prove Set Membership Proof Extension. Microsoft, June 2014.
http://www.microsoft.com/u-prove.
[RFC2119]
Scott Bradner. RFC 2119: Key words for use in RFCs to Indicate Requirement Levels,
1997. ftp://ftp.rfc-editor.org/in-notes/rfc2119.txt.
[UPCS]
Christian Paquin, Greg Zaverucha. U-Prove Cryptographic Specification V1.1 (Revision 3).
Microsoft, December 2013. http://www.microsoft.com/u-prove.
Microsoft Research
Page 18
© Copyright 2026 Paperzz