9

Assume a publicly known set $\Psi$ with $N$ unique elements.

I have a set $\Sigma=\{\sigma_1,\sigma_2,...,\sigma_m\}$ where $m\leqslant N$. I would like to publicly prove that all the elements in $\Sigma$ are unique and are also elements of $\Psi$. I would like to do this without actually revealing the elements of $\Sigma$.

I happened upon this paper. If I understand it correctly, the above should be possible by publicizing commitments for every $\sigma$. However, most of the paper is way over my head and I'm not really sure what commitment scheme I should use, what extra information should be made public, and how exactly a third-party verifier would go about verifying the claim.

Deiwin

2 Answers

7

Proving uniqueness

You can prove that the elements are unique in $O(m)$ time and space by pre-sorting them and then giving a zero-knowledge proof that they are in sorted order. Details follow.

Assume the elements of $\Sigma$ are integers in the range $[0,K-1]$, where $K$ is a constant chosen in advance and made public. Pick a large prime $p$ and a group element $g \in (\mathbb{Z}/p\mathbb{Z})^*$ of prime order $q$, such that $q > 2K$. The scheme is:

First, sort the elements of $\Sigma$, so $\sigma_1 < \sigma_2 < \cdots < \sigma_m$. Next, commit to all the elements, using a discrete log based commitment scheme with generator $g$; for instance, you might use Pedersen commitments. Finally, prove that the elements are in sorted order, i.e., that $\sigma_i < \sigma_{i+1}$ holds for all $i$.

You can prove they are in sorted order using a range proof for discrete logs: for all $i$, you show that $\sigma_i \in [0,K-1]$, and you show that $\sigma_{i+1} - \sigma_i \in [1,K-1]$ (again, considering the $\sigma_i$'s as integers). To prove that $\sigma_{i+1} - \sigma_i \in [1,K-1]$, it suffices to prove that $d_i = \sigma_{i+1} - \sigma_i \bmod q$ is in the range $[1,K-1]$: since you've proven that each $\sigma_i$ is in $[0,K-1]$, and since $q \ge 2K$, there can be no wrap-around modulo $q$. All that remains is how to describe that each $d_i$ is in the specified range.

One standard way to do a range proof is to express each $d_i$ in binary, i.e.,

$$d_i = \sum_j b_{i,j} 2^j.$$

Then you commit to all the $b_{i,j}$'s, use the homomorphic property of commitments to show that the $b_{i,j}$'s are consistent with the $d_i$'s (i.e., that the equation above holds), and show that $b_{i,j} \in \{0,1\}$ for each $i,j$. Of course, you can prove that the $d_i$'s were computed correctly by using the homomorphic property of discrete log-based commitment schemes: given the commitments $C(\sigma_{i+1})$ and $C(\sigma_i)$, anyone can compute a commitment $C(d_i)=C(\sigma_{i+1}-\sigma_i \bmod q)$ to $d_i$, even without knowing $\sigma_i,\sigma_{i+1}$.

When using this method of range proofs together with the idea above, it will give you a valid proof that the elements $\sigma_1,\dots,\sigma_m$ are mutually disjoint.

Proving it is a subset

You can show that $\Sigma \subseteq \Psi$ using the techniques in the paper you mentioned.

D.W.
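To make the construction in this answer concrete, the following Python program is an added example by the editor; it is not code from the answer or from the linked paper. It uses toy parameters ($p = 607$, $q = 101$, $K = 16$) that are far too small for real use, Pedersen commitments with the randomness of the bit commitments chosen so that the homomorphic product matches $C(d_i)$ exactly, and, for the step the answer leaves open (showing each $b_{i,j} \in \{0,1\}$), a Fiat-Shamir OR-proof of two Schnorr statements. Strict increase is shown by range-proving $d_i - 1 \in [0, K-1]$. All function names are the editor's own.

```python
import hashlib
import secrets

# Toy parameters, NOT secure, chosen only so the numbers stay readable:
# p = 607 = 6*101 + 1, prime subgroup order q = 101, K = 16, so q > 2K as the
# answer requires and every element of [0, K-1] fits in BITS = 4 bits.
P, Q, K, BITS = 607, 101, 16, 4
G = pow(2, (P - 1) // Q, P)   # 2^6 mod 607 = 64, an element of order q


def _hash_to_subgroup(label: bytes) -> int:
    """Second generator h whose discrete log to base G is unknown (derived by hashing)."""
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha256(label + bytes([ctr])).digest(), "big") % P
        y = pow(x, (P - 1) // Q, P)   # cofactor clearing lands in the order-q subgroup
        if y not in (0, 1, G):
            return y
    raise RuntimeError("no second generator found")


H = _hash_to_subgroup(b"pedersen-h")


def inv(x: int) -> int:
    return pow(x, P - 2, P)


def commit(v: int, r: int) -> int:
    """Pedersen commitment C(v) = g^v h^r mod p."""
    return pow(G, v, P) * pow(H, r, P) % P


def _challenge(*items: int) -> int:
    """Fiat-Shamir challenge in Z_q over the transcript."""
    data = b"".join(i.to_bytes(8, "big") for i in items)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove_bit(c: int, b: int, r: int):
    """OR-proof that c = g^b h^r has b in {0,1} without revealing b: prove knowledge
    of log_h(c) OR of log_h(c / g), simulating the branch that is false."""
    y = [c, c * inv(G) % P]                  # y[b] == h^r for the true branch
    c_sim, z_sim, w = (secrets.randbelow(Q) for _ in range(3))
    t = [0, 0]
    t[1 - b] = pow(H, z_sim, P) * pow(inv(y[1 - b]), c_sim, P) % P   # simulated branch
    t[b] = pow(H, w, P)                                               # honest commitment
    ch = _challenge(c, t[0], t[1])
    cs, zs = [0, 0], [0, 0]
    cs[b] = (ch - c_sim) % Q                 # the two sub-challenges must sum to ch
    zs[b] = (w + cs[b] * r) % Q
    cs[1 - b], zs[1 - b] = c_sim, z_sim
    return cs, zs


def verify_bit(c: int, proof) -> bool:
    cs, zs = proof
    y = [c, c * inv(G) % P]
    t = [pow(H, zs[i], P) * pow(inv(y[i]), cs[i], P) % P for i in (0, 1)]
    return (cs[0] + cs[1]) % Q == _challenge(c, t[0], t[1])


def prove_range(v: int, r: int):
    """Show that g^v h^r commits to a value in [0, 2^BITS - 1]: commit to each bit of v
    and pick the last bit's randomness so that prod C(b_j)^(2^j) == C(v) exactly."""
    assert 0 <= v < 2 ** BITS
    bits = [(v >> j) & 1 for j in range(BITS)]
    rs = [secrets.randbelow(Q) for _ in range(BITS - 1)]
    used = sum(rj * 2 ** j for j, rj in enumerate(rs))
    rs.append((r - used) * pow(2 ** (BITS - 1), -1, Q) % Q)
    cs = [commit(bits[j], rs[j]) for j in range(BITS)]
    return [(cs[j], prove_bit(cs[j], bits[j], rs[j])) for j in range(BITS)]


def verify_range(c: int, proof) -> bool:
    prod = 1
    for j, (cj, pj) in enumerate(proof):
        if not verify_bit(cj, pj):
            return False
        prod = prod * pow(cj, 2 ** j, P) % P
    return prod == c                          # homomorphic consistency with C(v)


def prove_sorted_set(sigma):
    """Prover: publishes commitments to the sorted elements plus the sortedness proofs."""
    assert all(0 <= s < K for s in sigma)
    assert all(a < b for a, b in zip(sigma, sigma[1:]))   # sorted and distinct
    rs = [secrets.randbelow(Q) for _ in sigma]
    cs = [commit(s, r) for s, r in zip(sigma, rs)]
    elem_proofs = [prove_range(s, r) for s, r in zip(sigma, rs)]
    gap_proofs = []
    for i in range(len(sigma) - 1):
        d = sigma[i + 1] - sigma[i]             # no wrap-around since q > 2K
        rd = (rs[i + 1] - rs[i]) % Q            # randomness of C(d) = C(s_{i+1}) / C(s_i)
        gap_proofs.append(prove_range(d - 1, rd))   # d - 1 in [0, K-1]  <=>  d >= 1
    return cs, elem_proofs, gap_proofs


def verify_sorted_set(cs, elem_proofs, gap_proofs) -> bool:
    """Verifier: uses only the public commitments and proofs, never the sigma_i."""
    if len(elem_proofs) != len(cs) or len(gap_proofs) != len(cs) - 1:
        return False
    if not all(verify_range(c, pr) for c, pr in zip(cs, elem_proofs)):
        return False
    for i, pr in enumerate(gap_proofs):
        c_gap = cs[i + 1] * inv(cs[i]) % P * inv(G) % P   # C(s_{i+1} - s_i - 1), computed by anyone
        if not verify_range(c_gap, pr):
            return False
    return True


if __name__ == "__main__":
    cs, ep, gp = prove_sorted_set([1, 4, 9, 15])
    print("sorted, distinct:", verify_sorted_set(cs, ep, gp))
    print("commitments reordered:", verify_sorted_set(cs[::-1], ep[::-1], gp))
```

A prover holding two equal elements cannot produce a gap proof: $d_i - 1 = -1$ is outside the range, and committing to some other value with the matching randomness makes the product check fail, since the verifier derives $C(\sigma_{i+1} - \sigma_i - 1)$ from the published commitments itself. The bit proofs are only sound with overwhelming probability for a large $q$; with the toy $q = 101$ a cheating prover succeeds with probability about $1/q$ per bit.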
2

You can use the techniques in the paper you have linked to show that a list of commitments $C_1,\ldots,C_m$ to the elements in $\Sigma$ are elements in $\Psi$ (the commitment scheme of choice is information-theoretically hiding Pedersen commitments, which are also used in the linked paper). Basically, this works by the "owner" of the set $\Psi$ publishing a Boneh-Boyen signature for each element in $\Psi$; the prover commits to an element in $\Psi$ (using a Pedersen commitment) and proves in zero-knowledge that the value in the commitment is indeed one for which there is a valid signature (this can be nicely done in $O(1)$). So, you can run this proof for every $C_i$, and thus this is a straightforward application of the results from the paper, where you simply make $m$ proofs of that kind.

So far no problem, the proof complexity for $\Sigma$ is $O(m)$.

The problem, however, lies within proving uniqueness. You would need to additionally prove that the values committed in $C_1,\ldots, C_m$ are mutually different, because the above proof would also work if all commitments $C_i$ are commitments to the same value in $\Psi$.

There are techniques to prove non-monotone relations about discrete logs, e.g., here, Section 5.2, or here, which allow one to prove inequality of two discrete logarithms without revealing their values. I'm not sure if they are applicable to Pedersen commitments as well, but the most important issue is that they add an additional cost of $O(m^2)$ to your proof, as you have to prove the non-equality for $m(m-1)/2$ pairs of commitments. Maybe there are, however, more efficient techniques which did not come to my mind.

DrLecter