1. Introduction
Wahby et al.'s 2018 paper "Doubly-efficient zkSNARKs without trusted setup".
Code implementation:
https://github.com/hyraxZK
Video explanations:
https://www.youtube.com/watch?v=ScY9Z5tZZKU
https://www.youtube.com/watch?v=yq2AfLlMww0
Key points of the paper:
- A zkSNARK for NP based on standard cryptographic assumptions, requiring no trusted setup, with low communication complexity and low concrete cost for both the prover and the verifier.
- Communication is $\Theta(d\cdot\log G+\sqrt{n_w})$, where $d$ and $G$ are the depth and width of the verifying circuit and $n_w$ is the witness size.
- When applied to batched statements or data-parallel statements, the prover's runtime is linear in the verifying circuit size and the verifier's runtime is sub-linear in it; both have good constants.
- Using a new commitment scheme for multilinear polynomials, the witness-related communication can be reduced, but verifier time increases.
- Trade-offs have to be balanced among setup, complexity assumptions, proof size and computational cost.
- Under the discrete log assumption and using the Fiat-Shamir heuristic, the paper obtains a zkSNARK in the random oracle model, which it calls Hyrax.
- Hyrax is compared with five systems (BCCGP-sqrt, Bulletproofs, Ligero, ZKB++ and libSTARK). For modest problem sizes, Hyrax has smaller proofs than all but the most computationally costly baseline, and its prover and verifier are faster than those of three of the five systems.
The five schemes are:
- BCCGP-sqrt: from Bootle et al.'s 2016 paper "Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting". (Building on Groth [57] and Bayer and Groth [6] and on the hardness of the discrete logarithm, it gives two ZK arguments for the satisfiability of an arithmetic circuit $C$. The first has proof size $O(\sqrt{M})$ with quasi-linear prover and verifier runtime for an AC with $M$ multiplications; the second has proof size $O(\log M)$ at the cost of concretely longer prover and verifier runtimes.)
- Bulletproofs: from Bünz et al.'s 2018 paper "Bulletproofs: Efficient range proofs for confidential transactions". (Improves on BCCGP-sqrt, reducing proof size and runtimes of the log scheme by $\approx 3\times$.)
- Ligero: from Ames et al.'s 2017 paper "Ligero: Lightweight sublinear arguments without a trusted setup". (Builds on ZKB++ using a more sophisticated secure computation protocol; it proves the satisfiability of an arithmetic circuit $C$ with proof size $O(\sqrt{|C|})$, with prover and verifier work quasi-linear in $|C|$.)
- ZKB++: from Chase et al.'s 2017 paper "Post-quantum zero-knowledge and signatures from symmetric-key primitives". (Turns a secure multi-party computation protocol into a ZK argument; it is a ZK argument system for Boolean circuits with no trusted setup, based on collision-resistant hashes. Concretely inexpensive for small circuits, but its costs scale linearly with circuit size.)
- libSTARK: from Ben-Sasson et al.'s 2018 paper "Scalable, transparent, and post-quantum secure computational integrity". (zkSTARKs need no trusted setup and no public-key cryptography, but their soundness rests on a non-standard conjecture related to Reed-Solomon codes. Both proof size and verifier runtime are logarithmic in circuit size (hundreds of kilobytes and tens of milliseconds, respectively, in practice), and prover runtime is quasi-linear.)
1.1 Zero-knowledge proof
A zero-knowledge proof is used to convince a verifier of a statement while revealing nothing but its own validity.
- The concept of a zero-knowledge proof was first proposed by Goldwasser et al. in the 1989 paper "The knowledge complexity of interactive proof systems".
- Ben-Or et al.'s 1990 paper "Everything provable is provable in zero-knowledge" shows that any problem solvable by an interactive proof (IP) is also solvable by a computational zero-knowledge proof or a perfect zero-knowledge argument. That is, given an interactive proof for any NP-complete problem, one can construct zero-knowledge proofs or arguments for any NP statement.
1.2 Performance of the paper's scheme
The paper focuses on the following goals:
- the proof should be succinct: sub-linear in the size of the statement and of the witness to the statement's validity;
- the verifier should run in time linear in the input plus the proof size;
- the prover, given a witness to the statement's validity, should run in time linear in the cost of the NP verification procedure;
- the whole scheme should need neither a trusted setup nor a common reference string;
- soundness and zero-knowledge should be statistical or rest on standard cryptographic assumptions; in practice, security in the random oracle model suffices.
The paper makes two main improvements:
- 1) it integrates a multi-commitment scheme and Schnorr-style proofs into the verification procedure;
- 2) it designs a new witness commitment scheme that yields a succinct argument and asymptotically reduces the verifier's cost associated with the witness.
The concrete performance is:
1.3 Polynomial commitment scheme
- Polynomial commitment schemes were first proposed in Kate et al.'s 2010 paper "Constant-size commitments to polynomials and their applications", which builds a univariate polynomial commitment from a pairing assumption.
- Papamanthou et al.'s 2013 paper "Signatures of correct computation", Zhang et al.'s 2017 paper "vSQL: Verifying arbitrary SQL queries over dynamic outsourced databases", Zhang et al.'s 2017 paper "A zero-knowledge version of vSQL" and Zhang et al.'s 2018 paper "vRAM: Faster verifiable RAM with program-independent preprocessing" extend this to multivariate polynomial commitments.
- Libert et al.'s 2016 paper "Functional Commitment Schemes: From Polynomial Commitments to Pairing-Based Accumulators" constructs a functional commitment (FC) for linear functions based on constant-size assumptions in composite-order groups endowed with a bilinear map. Setting the challenge to $\vec{x}=(1,x,\cdots,x^{n-1})$ yields a polynomial commitment.
- Fujisaki et al.'s 1997 paper "Statistical zero knowledge protocols to prove modular polynomial relations" gives a construction for polynomial evaluation based on the RSA problem that can be immediately adapted to polynomial commitment.
- Bootle et al.'s 2017 paper "Linear-time zero-knowledge proofs for arithmetic circuit satisfiability" and Bootle et al.'s 2018 paper "Efficient batch zero knowledge arguments for low degree polynomials" build univariate polynomial commitments from the discrete log assumption. This paper mainly builds on these and extends them to multilinear polynomials. In addition, Bootle et al.'s 2018 paper "Efficient batch zero knowledge arguments for low degree polynomials" gives a framework for expressing simple relations between commitments and field elements.
1.4 Some definitions
- Arithmetic circuit (AC) $C$:
Composed of addition gates and multiplication gates, each with fan-in at most 2; all computation is over a finite field $\mathbb{F}$. $C$ is layered, with depth $d$ and input $\vec{x}$ of length $|x|$.
The goal is to evaluate $C$ on input $\vec{x}$. In an interactive proof or argument, the prover sends $y$, claims that $y=C(\vec{x})$, and provides a corresponding proof.
The paper's aim is to give an efficient protocol for this arithmetic circuit satisfiability problem.
Let $C(\cdot,\cdot)$ be a layered arithmetic circuit of fan-in two. Given input $\vec{x}$ and output $y$, the goal is to determine whether there exists a witness $\vec{w}$ such that $C(\vec{x},\vec{w})=y$. The corresponding witness relation is $R_{(\vec{x},y)}=\{\vec{w}:C(\vec{x},\vec{w})=y\}$.
- Interactive arguments and proofs:
- Zero-knowledge (ZK):
- Witness-extended emulation:
- Generalized special soundness:
- Collection of non-interactive commitments:
- Additive homomorphism:
2. Arithmetic circuit evaluation problem
The main prior work is (for an arithmetic circuit $C$ with depth $d$, input $x$ and output $y$):
- [54] Goldwasser et al.'s 2015 paper "Delegating computation: Interactive proofs for muggles" targets boolean circuits with depth $d$ and input length $n$. Its verifier runs in time $n\cdot poly(d,\log(n))$ and space $O(\log(n))$, the communication complexity is $poly(d,\log(n))$, and the prover runs in time $poly(n)$.
- [37][107] Cormode et al.'s 2012 paper "Practical verified computation with streaming interactive proofs" and Vu et al.'s 2013 paper "A hybrid architecture for interactive verifiable computation" improve on [54], giving $O(|C|\log|C|)$ prover and $O(|x|+|y|+d\log|C|)$ verifier runtimes for an AC $C$ with depth $d$, input $x$ and output $y$.
- [102] Thaler's 2013 paper "Time-optimal interactive proofs for circuit evaluation" considers the case where $C$ is data parallel, i.e. consists of $N$ identical sub-computations run on different inputs, each called a sub-AC of $C$ (a sub-AC has width $G$, so $|C|=d\cdot N\cdot G$). This allows a further optimization that reduces the prover runtime from $O(|C|\log|C|)$ to $O(|C|\log G)$.
- [109] Wahby et al.'s 2017 paper "Full accounting for verifiable outsourcing" introduces the Giraffe algorithm, which reduces the prover runtime to $O(|C|+d\cdot G\cdot\log G)$. Since $|C|=d\cdot N\cdot G$, when $N\geq\log G$ the prover runtime further reduces to $O(|C|)$, i.e. for sufficient data parallelism the prover's runtime is just a constant factor slower than evaluating the circuit gate-by-gate without providing any proof of correctness.
- [35] Chiesa et al.'s 2017 paper "A zero knowledge sumcheck and its applications" optimizes Giraffe further; the result is called Gir++.
- This paper makes small adjustments on top of Gir++. Assume $N$ and $G$ are both powers of 2, and let $b_N=\log_2 N$, $b_G=\log_2 G$. In each layer of $C$, every gate is labelled by a pair $(i,j)\in\{0,1\}^{b_N}\times\{0,1\}^{b_G}$. The layers of $C$ are numbered $0$ to $d$; evaluation proceeds from layer $d$ to layer $0$, i.e. layer $0$ is the output layer and layer $d$ is the input layer. Each layer $i$ has an evaluator function $V_i:\{0,1\}^{b_N}\times\{0,1\}^{b_G}\rightarrow\mathbb{F}$ that maps a gate's label to the output of that gate when $C$ is evaluated on input $x$. For example, $V_0(i,j)$ is the $j$-th output of the $i$-th sub-AC, and $V_d(i,j)$ is the $j$-th input to the $i$-th sub-AC.
At a higher level, the protocol runs iteratively, one circuit layer at a time:
- The prover sends the claimed outputs $\vec{y}$ of $C$ (i.e. all the claimed evaluations of $V_0$);
- First iteration: reduce the claim about $V_0$ to a claim about $V_1$ (if the verifier believes the former claim, it also believes the latter; but the verifier cannot check the claim about $V_1$ directly, since doing so would require evaluating all of the gates in $C$ other than the outputs themselves);
- Second iteration: reduce the claim about $V_1$ to a claim about $V_2$;
- $\cdots$
- and so on, until the claim is reduced to a claim about $V_d$ (i.e. about the inputs to $C$), which the verifier can check directly.
To describe how a reduction from a claim about $V_i$ to a claim about $V_{i+1}$ is performed, the notions of multilinear extensions, the sum-check protocol and wiring predicates are introduced.
- Multilinear extensions definition:
Let $f:\{0,1\}^l\rightarrow\mathbb{F}$ be a function and $g$ an $l$-variate polynomial over $\mathbb{F}$. If $g(\vec{x})=f(\vec{x})$ for all $\vec{x}\in\{0,1\}^l$ (each variable $x_i$ takes only the values 0 or 1), then $g$ is called an extension of $f$. Every such function $f$ has a unique multilinear extension (MLE), a multilinear polynomial, denoted $\tilde{f}$.
Any vector $\vec{z}\in\mathbb{F}^m$ with $m=2^l$ can be viewed as a function $z:\{0,1\}^l\rightarrow\mathbb{F}$ mapping indices to vector entries (each variable $x_i$ takes only 0 or 1, there are $2^l$ combinations of $x_1,\cdots,x_l$, and correspondingly $2^l$ polynomial values); $\tilde{z}$ denotes the MLE of $z$.
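As an added example (my own code, not from the paper or the hyraxZK repository), the following Python evaluates the MLE $\tilde{z}$ of a vector $\vec{z}$ of length $2^l$ at an arbitrary point $\vec{r}\in\mathbb{F}^l$, once straight from the definition and once with the linear-time folding that implementations actually use; the field modulus, the sample vector and the index-to-bits convention are constructed for illustration.

```python
P = 2**61 - 1  # prime modulus of the field F (constructed toy parameter; any prime works)

def index_to_bits(k, l):
    """Read index k in [0, 2^l) as the boolean point (x_1, ..., x_l); x_1 is the least significant bit."""
    return tuple((k >> j) & 1 for j in range(l))

def table_of(f, l):
    """Tabulate a function f: {0,1}^l -> F as the vector z with z[k] = f(bits of k)."""
    return [f(index_to_bits(k, l)) % P for k in range(2 ** l)]

def mle_eval_naive(z, r):
    """Straight from the definition: z~(r) = sum over b in {0,1}^l of z[b] * prod_i (r_i if b_i else 1 - r_i).
    Each product is the multilinear polynomial that is 1 at b and 0 at every other boolean point."""
    l = len(r)
    total = 0
    for k, z_k in enumerate(z):
        weight = 1
        for b_i, r_i in zip(index_to_bits(k, l), r):
            weight = weight * (r_i if b_i else 1 - r_i) % P
        total = (total + z_k * weight) % P
    return total

def mle_eval(z, r):
    """Same value with O(m) field operations, m = 2^l: fix one variable at a time.
    Setting x_i = r_i replaces every pair of entries that differ only in bit i by the
    linear interpolation (1 - r_i) * z[..x_i=0..] + r_i * z[..x_i=1..]."""
    cur = [v % P for v in z]
    for r_i in reversed(r):                    # fold out the most significant index bit first
        half = len(cur) // 2
        cur = [((1 - r_i) * cur[k] + r_i * cur[k + half]) % P for k in range(half)]
    return cur[0]

def agrees_on_hypercube(z, l):
    """The extension property: z~ must equal z at every boolean point."""
    return all(mle_eval(z, index_to_bits(k, l)) == z[k] % P for k in range(2 ** l))

# Constructed sample vector: z: {0,1}^3 -> F, so z~ is a multilinear polynomial in x_1, x_2, x_3.
Z = [3, 1, 4, 1, 5, 9, 2, 6]
```

Outside the hypercube the two evaluators still agree, which is what the sum-check reduction relies on: the verifier only ever evaluates $\tilde{z}$ at a random $\vec{r}$, never at a boolean point.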
- Sum-check protocol definition:
The sum-check interactive proof described in Lund et al.'s 1992 paper "Algebraic methods for interactive proof systems" is:
The interactive sum-check protocol described in Goldwasser et al.'s 2015 paper "Delegating computation: Interactive proofs for muggles" is:
Let $g$ be an $l$-variate polynomial over the finite field $\mathbb{F}$, and let $deg_i(g)$ denote the degree of $g$ in variable $i$. The sum-check protocol is an interactive proof that allows $P$ to convince $V$ of a claim about the value of $\sum_{\vec{x}\in\{0,1\}^l}g(\vec{x})$ by reducing it to a claim about the value of $g(\vec{r})$, where $\vec{r}\in\mathbb{F}^l$ is chosen at random by $V$. There are $l$ rounds, and $V$'s running time is $O(\sum_{i=1}^{l}deg_i(g))$ plus the cost of evaluating $g(\vec{r})$.
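Added example (my own code, not the paper's or the project's): a round-by-round run of the sum-check protocol in Python for a polynomial $g$ given as a dictionary of monomials. The prover's round message $s_i(X)$ is computed per monomial in closed form, the verifier performs the degree check and the $s_i(0)+s_i(1)$ consistency check in every round, and at the end evaluates $g(\vec{r})$ itself; the modulus and the sample polynomial are constructed values.

```python
import random

P = 2**61 - 1  # prime modulus of the field F (constructed toy parameter)

def eval_poly(g, point):
    """Evaluate g at point. g is {exponent_tuple: coefficient}; e.g. {(1, 1, 0): 2} is 2*x1*x2."""
    total = 0
    for exps, coef in g.items():
        term = coef % P
        for x, e in zip(point, exps):
            if e:
                term = term * pow(x, e, P) % P
        total = (total + term) % P
    return total

def degree_in(g, i):
    """deg_i(g): the degree of g in variable i (0-based)."""
    return max(exps[i] for exps in g)

def brute_force_sum(g, l):
    """The quantity P claims: the sum of g over {0,1}^l. Exponential in l; only used to set up the claim."""
    total = 0
    for k in range(2 ** l):
        bits = tuple((k >> j) & 1 for j in range(l))
        total = (total + eval_poly(g, bits)) % P
    return total

def prover_round(g, r_prefix):
    """P's message in round i = len(r_prefix) + 1: coefficients of the univariate polynomial
    s_i(X) = sum over x_{i+1..l} in {0,1} of g(r_1, ..., r_{i-1}, X, x_{i+1}, ..., x_l).
    For a boolean variable, sum_{x in {0,1}} x^e is 2 when e == 0 and 1 otherwise, so every
    monomial contributes in closed form and the hypercube is never enumerated."""
    i = len(r_prefix)
    coeffs = [0] * (degree_in(g, i) + 1)
    for exps, coef in g.items():
        term = coef % P
        for r, e in zip(r_prefix, exps[:i]):      # variables already fixed by V's challenges
            term = term * pow(r, e, P) % P
        for e in exps[i + 1:]:                    # variables still summed over {0,1}
            if e == 0:
                term = term * 2 % P
        coeffs[exps[i]] = (coeffs[exps[i]] + term) % P
    return coeffs

def eval_univariate(coeffs, x):
    return sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P

def sumcheck(g, l, claimed_sum, rng=None):
    """V's side of the protocol. Returns True iff every round's message is consistent with the
    running claim and the final claim matches V's own evaluation of g at the random point r."""
    rng = rng or random.SystemRandom()
    claim = claimed_sum % P
    r = []
    for i in range(l):
        s = prover_round(g, r)                                 # message from P (honest here)
        if len(s) - 1 > degree_in(g, i):                       # degree bound deg_i(g)
            return False
        if (eval_univariate(s, 0) + eval_univariate(s, 1)) % P != claim:
            return False                                       # s_i(0) + s_i(1) must equal the claim
        r_i = rng.randrange(P)                                 # V's random challenge for x_i
        r.append(r_i)
        claim = eval_univariate(s, r_i)                        # reduced claim for the next round
    return eval_poly(g, tuple(r)) == claim                     # V evaluates g(r) itself

# Constructed sample: g(x1, x2, x3) = 2*x1*x2 + x3^2 + 5 over F_P, so deg_3(g) = 2.
G_EXAMPLE = {(1, 1, 0): 2, (0, 0, 2): 1, (0, 0, 0): 5}
```

A false claim is caught in the very first round, because $s_1(0)+s_1(1)$ is the true sum regardless of what was claimed; the verifier's work per round is proportional to $deg_i(g)$, and the only evaluation of $g$ it performs is the single one at $\vec{r}$, exactly as the cost statement above says.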
- Wiring predicates:
Used to capture the wiring information of the sub-ACs.
Define the wiring predicate $add_i:\{0,1\}^{3b_G}\rightarrow\{0,1\}$, where $add_i(g,h_0,h_1)$ returns 1 if:
– a) within each sub-AC, gate $g$ at layer $i-1$ is an add gate;
– b) and the left and right inputs of $g$ are respectively $h_0$ and $h_1$ at layer $i$.
Otherwise it returns 0.
$mult_i$ is defined analogously for multiplication gates.
Define the equality predicate $eq:\{0,1\}^{2b_N}\rightarrow\{0,1\}$, with $eq(a,b)=1$ iff $a=b$.
3. Pedersen commitment
3.1 Pedersen commitment scheme definition
The Pedersen commitment scheme is a non-interactive commitment scheme assuming the hardness of the discrete logarithm problem in $\mathcal{G}$.
3.2 Proof of opening
3.3 Proof of commitment to the same value
Note that the method of Protocol 6 "Equality of message in 2 Pedersen commitments" in section 2.6 of the blog post "基于Sigma protocol实现的零知识证明protocol集锦" (a collection of zero-knowledge protocols built on Sigma protocols) is slightly different (the proof size there is more compact):
3.4 Proof of product
4. Dot-product proof protocol
The basic setting is:
- public info: $\vec{a}=(a_1,\cdots,a_n)\in\mathbb{F}^n$, the multi-commitment $\xi=Com(\vec{x};r_{\xi})$ and the scalar commitment $\tau=Com(y;r_{\tau})$.
- private info: $\vec{x}=(x_1,\cdots,x_n)\in\mathbb{F}^n$, $y\in\mathbb{F}$, $r_{\xi}$ and $r_{\tau}$.
- relation: $y=\langle\vec{a},\vec{x}\rangle$.
The proof rests on the identity:
$\langle\vec{z},\vec{a}\rangle=\langle c\vec{x}+\vec{d},\vec{a}\rangle=c\langle\vec{x},\vec{a}\rangle+\langle\vec{d},\vec{a}\rangle=cy+\langle\vec{d},\vec{a}\rangle$
4.1 ZK vector dot-product proof
The straightforward proof goes as follows; it needs proof size $O(n)$.
The detailed proof idea is:
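Added example (my own Python, not the paper's figure): a toy Pedersen commitment and multi-commitment over a safe-prime group, the additive homomorphism check from section 1.4, and a Sigma protocol for $y=\langle\vec{a},\vec{x}\rangle$ built on the identity above with $\vec{z}=c\vec{x}+\vec{d}$ for a random mask $\vec{d}$ and verifier challenge $c$. The proof consists of two group elements plus $n+2$ field elements, which is the $O(n)$ proof size mentioned here. The group parameters, the generator derivation and the sample vectors are constructed for illustration and are far too small to be secure.

```python
import secrets

# Toy group (constructed for this example, not the paper's parameters): p = 2q + 1 is a safe prime,
# so the quadratic residues mod p form a subgroup G of prime order q. Far too small to be secure.
P_MOD = 1019
Q_ORD = 509

def gen(seed):
    """Derive an element of G by squaring. Real deployments must derive h, g, g_1..g_n so that
    nobody knows discrete-log relations between them (e.g. hash-to-group), or binding breaks."""
    g = pow(seed, 2, P_MOD)
    assert g != 1
    return g

H = gen(2)                               # blinding generator h
G_SCALAR = gen(3)                        # g for scalar commitments
G_VEC = [gen(5 + i) for i in range(8)]   # g_1..g_n for multi-commitments (n <= 8 in this toy)

def com_scalar(y, r):
    """Pedersen commitment Com(y; r) = h^r * g^y."""
    return pow(H, r, P_MOD) * pow(G_SCALAR, y, P_MOD) % P_MOD

def com_vec(x, r):
    """Pedersen multi-commitment Com(x; r) = h^r * prod_i g_i^{x_i}."""
    assert len(x) <= len(G_VEC)
    acc = pow(H, r, P_MOD)
    for g_i, x_i in zip(G_VEC, x):
        acc = acc * pow(g_i, x_i, P_MOD) % P_MOD
    return acc

def is_homomorphic(a, ra, b, rb):
    """Additive homomorphism: Com(a; ra) * Com(b; rb) == Com(a + b; ra + rb)."""
    lhs = com_scalar(a, ra) * com_scalar(b, rb) % P_MOD
    return lhs == com_scalar((a + b) % Q_ORD, (ra + rb) % Q_ORD)

def dot(u, v):
    """Inner product <u, v> in the field Z_q."""
    return sum(u_i * v_i for u_i, v_i in zip(u, v)) % Q_ORD

def rand_field():
    return secrets.randbelow(Q_ORD)

# Sigma protocol for the relation y = <a, x>, with xi = Com(x; r_xi) and tau = Com(y; r_tau) public.

def prover_commit(a, x, r_xi, r_tau):
    """First message: commitments to a random mask vector d and to <d, a>."""
    d = [rand_field() for _ in x]
    r_delta, r_beta = rand_field(), rand_field()
    delta = com_vec(d, r_delta)
    beta = com_scalar(dot(d, a), r_beta)
    state = (x, r_xi, r_tau, d, r_delta, r_beta)
    return (delta, beta), state

def prover_respond(state, c):
    """Response to challenge c: z = c*x + d plus the matching combined blinding factors.
    z reveals nothing about x because d is uniformly random and used once."""
    x, r_xi, r_tau, d, r_delta, r_beta = state
    z = [(c * x_i + d_i) % Q_ORD for x_i, d_i in zip(x, d)]
    z_delta = (c * r_xi + r_delta) % Q_ORD
    z_beta = (c * r_tau + r_beta) % Q_ORD
    return z, z_delta, z_beta

def verifier_check(a, xi, tau, first_msg, c, response):
    """xi^c * delta must be a commitment to z, and tau^c * beta a commitment to
    <z, a> = c*y + <d, a>; the second equation is exactly the identity above."""
    delta, beta = first_msg
    z, z_delta, z_beta = response
    ok_vec = pow(xi, c, P_MOD) * delta % P_MOD == com_vec(z, z_delta)
    ok_dot = pow(tau, c, P_MOD) * beta % P_MOD == com_scalar(dot(z, a), z_beta)
    return ok_vec and ok_dot

def run_dot_product_proof(a, x, y):
    """Full interaction; returns True iff V accepts. The response is z (n elements) plus two scalars."""
    r_xi, r_tau = rand_field(), rand_field()
    xi, tau = com_vec(x, r_xi), com_scalar(y, r_tau)      # public commitments
    first_msg, state = prover_commit(a, x, r_xi, r_tau)
    c = 1 + secrets.randbelow(Q_ORD - 1)                    # V's non-zero challenge from Z_q
    response = prover_respond(state, c)
    return verifier_check(a, xi, tau, first_msg, c, response)
```

If $\tau$ commits to a wrong $y$, the second check fails for every non-zero challenge, since the two sides then differ by $g^{c(y'-y)}$ and $g$ has prime order $q$; that is why the verifier draws $c$ from $\mathbb{Z}_q\setminus\{0\}$.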
4.2 Dot-product proof with Bulletproofs
The setting in the 2018 paper "Bulletproofs: Short Proofs for Confidential Transactions and More" is: [no random value $r_{\xi}$ is introduced to hide the commitment.]
- public info: the commitment $P=\vec{g}^{\vec{a}}\vec{h}^{\vec{b}}$, $c\in\mathbb{F}$ and the generators $g,h$.
- private info: $\vec{a}=(a_1,\cdots,a_n)\in\mathbb{F}^n$, $\vec{b}=(b_1,\cdots,b_n)\in\mathbb{F}^n$.
- relation: $c=\langle\vec{a},\vec{b}\rangle$.
As described in section 4.2 of the blog post "Proofs for Inner Pairing Products and Applications 学习笔记" (study notes), the commitment scheme built in the Bulletproofs paper is $CM((\vec{g},\vec{h});(\vec{a},\vec{b}))=\vec{g}^{\vec{a}}\vec{h}^{\vec{b}}u^{\langle\vec{a},\vec{b}\rangle}$, and the proof is then carried out iteratively by halving the vectors.
The setting in this paper is: [random values $r_{\xi}$, $r_{\tau}$ are introduced to hide the commitments.]
- public info: $\vec{a}=(a_1,\cdots,a_n)\in\mathbb{F}^n$, the multi-commitment $\xi=Com(\vec{x};r_{\xi})$ and the scalar commitment $\tau=Com(y;r_{\tau})$.
- private info: $\vec{x}=(x_1,\cdots,x_n)\in\mathbb{F}^n$, $y\in\mathbb{F}$, $r_{\xi}$ and $r_{\tau}$.
- relation: $y=\langle\vec{a},\vec{x}\rangle$.
Note: as pointed out in section 3 "Polynomial commitments" of the blog post "Halo: Recursive Proof Composition without a Trusted Setup 学习笔记" (study notes), the $proof_{log}$-of-dot-prod construction leaves room for a cheating prover. The fix is to replace $g$ in the bullet-reduce algorithm by $g=g^{\alpha}$ and make the following adjustments (similar to Protocol 1 in Bulletproofs):
– Verifier: receives the commitments $\xi=Com(\vec{x};r_{\xi}),\tau=Com(y;r_{\tau})$.
– Verifier: picks a random challenge $\alpha\leftarrow\mathbb{Z}_{q_{\mathcal{G}}}$ and sends $\alpha$ to the prover.
– Prover and verifier: compute $g=g^{\alpha}$ and $\Upsilon'=\xi\odot\tau^{\alpha}=h^{r_{\Upsilon}}\odot g^{y}\odot\bigodot_{i=1}^{n}g_i^{x_i}$, where $r_{\Upsilon}=\alpha r_{\tau}+r_{\xi}$.
– Call bullet-reduce...
5. Arithmetic circuit ZK argument built on the Giraffe and Gir++ algorithms
To be completed...
Mainly based on Wahby et al.'s 2017 paper "Full accounting for verifiable outsourcing" and Chiesa et al.'s 2017 paper "A zero knowledge sumcheck and its applications".