Proving addition of secret values in a small field

Question

Suppose that a prover holds two secret values $x,y\in\mathbb{F}$ and both the prover and verifier have $z\in\mathbb{F}$. The prover wishes to prove that $z=x+y$ without revealing $x,y$ to the verifier.
We can further assume that the verifier has access to some oracle which confirms whether commitments $X,Y$ to $x,y$ are honestly generated.

One way of doing it is the following: The prover sends $X = g^x$, $Y = g^y$, and the verifier checks if $g^{z}=XY$ (and confirms that $X,Y$ are honest).

I guess what is needed is a key-homomorphic hash function $H$, with which $X=H_x(0), Y=H_y(0)$ and $H_{x+y}(0)=H_x(0)\oplus H_y(0)$, but maybe something weaker could do the job (?).

Is there a way to solve this problem for small fields? For small we can assume that the size of the field is ~256 bits (so in particular DL is easy!). What about in general for large fields if we don't rely on DL?

Answer 1

Write the finite field as $\mathbb{F} = \mathbb{F}_q$, where $q = p^k$ is a prime power. Since $\mathbb{F}_q \cong \mathbb{F}_p^k$, we can interpret $x, y, z$ as vectors over $\mathbb{F}_p$ where addition is performed component-wise. Hence, it suffices to prove $x + y = z$ over $\mathbb{F}_p$ which is quite well studied (I believe). Simplest is something like Paillier or Pedersen. If you want to overkill, See CD97, or thesis (lattice) or other resources.

Edit: Another approach is to note that $x + y = z \iff \left(\bar{x} + \bar{y} = \bar{z}\right) \lor \left(\bar{x} + \bar{y} = \bar{z} + p\right)$, where $\bar{\cdot}$ is the integer representation of $\cdot$ within $[0, p)$. From this answer, we can focus on proving relations over integers. There are results to do this, especially since you know a bound $\bar{x}, \bar{y}, \bar{z} < p$.

Answer 2

key-homomorphic hash function can be used as you suggested. Key-homomorphic hash functions [PRF can be find here] 1 enable certain homomorphic properties that allow computations on the commitments to be performed without revealing the underlying secrets (in your case, x and y).

For small fields, you can use a key-homomorphic hash function H to generate the commitments X and Y, such that X = H(x, r1) and Y = H(y, r2), where r1 and r2 are random blinding factors. Then, you can use the homomorphic property of the hash function to compute H(x + y, r1 + r2) = H(x, r1) ⊕ H(y, r2), where ⊕ represents the field addition operation. This is possible because you mentioned that in small fields (around 256 bits), discrete logarithm (DL) is easy, and this enables efficient computation of the commitment values and their addition.

However, in larger fields, if we cannot rely on the discrete logarithm assumption being easy, finding a key-homomorphic hash function might be challenging. As the field size increases, it becomes difficult to find efficient key-homomorphic hash functions that can perform homomorphic operations on commitments.