Linear-time zero-knowledge proofs for arithmetic circuit satisfiability 学习笔记

1. 引言

Bootle等人2017年论文《Linear-time zero-knowledge proofs for arithmetic circuit satisfiability》，发表于ASIACRYPT 2017。

---

要点：
1）不要求commiment scheme具有任何同态属性，而仅需依赖linear secret sharing scheme with product reconstruction——本文实际使用的是linear error-correcting codes。
可供选择的commitment scheme有：

• 1.a）具有statistically binding 的 commitment scheme【可为pseudorandom number generators，伪随机数生成器，使用Ishai等人 [IKOS08] 2008年论文《Cryptography with constant computational overhead》中的linear-time computable pseudorandom number generators，可实现linear-time computable statistically binding commitments。】
• 1.b）具有statistically hiding 的 commitment scheme【可为collision-resistant hash functions，hash函数，如使用Applebaum等人[AHI+17] 2017年论文《Low-complexity cryptographic hash functions》中的hash函数，可hash $t$ field elements at a cost equivalent to $O(t)$ field addtions。】
  

2）对于arithmetic circuit satisfiability 所实现的zero-knowledge，不仅verification time最优，且prover computation cost也降低了。（不同于之前的zero-knowledge proof 中 Prover的computation cost都为super-linear的。）【对于Boolean circuit satisfiability来说优势不明显。】
为the first time for any general class of NP-complete language that true linear cost is achieved for the prover when compared to the time it takes to evaluate the statement directly given the prover’s witness。

3）构建多变量多项式，将matrix Hadamard product 表示为：

将矩阵$\mathbf{A}$看成是a collection of $mn$ row vectors ${\vec{a}}_{i,j}\in {\mathbb{F}}^k$ for $0\le i\le m-1,1\le j\le n$，同理有${\vec{b}}_{i,j},{\vec{c}}_{i,j}$。若$\mathbf{A}\circ \mathbf{B}=\mathbf{C}$，则有${\vec{a}}_{i,j}\circ {\vec{b}}_{i,j}={\vec{c}}_{i,j}$ for $0\le i\le m-1,1\le j\le n$。其中$i_{\mu -1}{i}_{\mu -2}\cdots i_0$ 为 $i$ 的二进制表示

---

提供了computationally efficient zero-knowledge proofs of knowledge for arithmetic circuit satisfiablity over a large field。

对于an arithmetic circuit with $N$ fan-in addition and multiplication gates over a finite field $\mathbb{F}$ and a specification of the values of some of the wires。A witness consists of the remaining wires such that the values are consistent with the gates and the wire values specified in the circuit。本文生成的zero-knowledge proof 具有：

• Prover time 为 $O(N)$ field additions and multiplications。
• Verifier time 为 $O(N)$ field additions。

若所采用的commitment scheme具有statistically binding属性，则相应的zero-knowledge proof具有unconditional soundness；若所采用的commitment scheme具有statistically hiding属性，则相应的zero-knowledge proof具有computational soundness。
若采用compact commitment scheme，本文的zero-knowledge proof仍然具有sub-linear communication。

zero-knowledge proof可广泛用于：

• digital signatures
• public-key encryption
• secure multi-party computation
• verifiable cloud computing

对于大型复杂的statements 应用，效率是关键要素，评估效率的维度有：

• the time complexity of the prover。
• the time complexity fo the verifier。
• the amount of communication measured in bits。
• the number of rounds the prover and verifier need to interact。

最近30多年的zero-knowledge proof研究都旨在改进以上效率因素。

[IKOS09,KR08,GGI+14] 等研究中指出，具有unconditional soundness的zero-knowledge proof，其communication可reduce为the witness size；[Kil92] 中指出，具有computational soundness 的zero-knowledge argument，其可实现sub-linear communication complexity。

当前最主要的瓶颈在于：
the time complexity of the prover （即 the prover’s computation）。

• 经典的number-theoetic constructions for circuit satisfiability，如[CD98]，需要a linear number of exponentiations，如，the cost of $O(\lambda N)$ group multiplications where $N$ is the number of gates and $\lambda$ is a security parameter。
• [DIK10] 中采用不同的技术，将相应的computaion complexity降为了$O(\log (\lambda ))$。
• 公开的问题在于，是否可实现$O(1)$ 的computation complexity，即make the prover’s cost within a constant factor of the time it takes to verify $(u,w)\in R$ directly。

不同的commitment scheme选型：

• 当采用具有statistically binding 的 commitment scheme时【可为pseudorandom number generators，伪随机数生成器，使用Ishai等人 [IKOS08] 2008年论文《Cryptography with constant computational overhead》中的linear-time computable pseudorandom number generators，可实现linear-time computable statistically binding commitments。】，可实现 proof (statistically knowledge sound) with computational zero-knowledge；（相应的communication complexity为$O(N)$ field element。）
• 当采用具有statistically hiding 的 commitment scheme时【可为collision-resistant hash functions，hash函数，如使用Applebaum等人[AHI+17] 2017年论文《Low-complexity cryptographic hash functions》中的hash函数，可hash $t$ field elements at a cost equivalent to $O(t)$ field addtions。】，可实现 argument of knowledge with statistical special honest verifier zero-knowledge。
• 当采用compact commitment scheme时，具有sub-linear communication of $poly(\lambda )\sqrt{N}$ field elements。相应的round complexity可为$O(\log \log N)$。

1.1 关键技术

本文协议采用模块化方式构建，由3部分组成：

• 1）a zero-knowledge proof for arithmetic circuit satisfiability in an Ideal Linear Commitment (ILC) model where the prover may commit to secret vectors of field elements, and the verifier can receive certified linear combinations of those vectors。
  在ILC model中，Prover 可 commit to secret vectors of field elements, 然后Verifier 可 query openings to linear combinations of the committed vectors。
  通过对Groth等人[Gro09,BCC+16] (Groth 2009年论文 《Linear algebra with sub-linear zero-knowledge arguments》和 Bootle等人2016年论文 《Efficient Zero-Knowledge Arguments for Arithmetic Circuits in the Discrete Log Setting》) 中的技术进行idealizing，即可实现 efficient proofs in the ILC model。主要对prover computation 进行改进，其次改进round efficiency，可实现$O(\log \log N)$ round complexity，优于 Bootle等人2016年论文 《Efficient Zero-Knowledge Arguments for Arithmetic Circuits in the Discrete Log Setting》 中的$O(\log N)$ rounds that optimized for communication complexity。

• 2）the ideal linear commitment proof can be instantiated using error-correcting codes and non-interactive commitments。
  即需compile proofs in the ILC model into proof and argument systems using non-interactive commitment schemes。但是与之前的研究成果不同，不直接commit to the vectors，而是encode the vectors as randomized codewords using a linear error-correcting code。将这些codewords看成是rows of a matrix，然后commit to the columns of that matrix。
  当Verifier asks for a linear combination of the vectors时，Prover simply tells Verifier what the linar combination is。但是，Verifier不需要盲目信任Prover，Verifier可ask for openings of some of the committed columns，然后使用这些openings来spot check that the resulting codeword is correct。
  可采用具体的erro-correcting codes和non-interactive commitment schemes来实例化：
  – error-correcting code可为：
  Druk和Ishai [DI14] 2014年论文《.Linear-time encodable codes meeting the Gilbert-Varshamov bound and their cryptographic applications》中的error-correcting codes，允许encode of $k$ field elements using $O(k)$ additions in the field。
  – non-interactive commitment scheme可为：
  当采用具有statistically binding 的 commitment scheme时【可为pseudorandom number generators，伪随机数生成器，使用Ishai等人 [IKOS08] 2008年论文《Cryptography with constant computational overhead》中的linear-time computable pseudorandom number generators，可实现linear-time computable statistically binding commitments。】；
  当采用具有statistically hiding 的 commitment scheme时【可为collision-resistant hash functions，hash函数，如使用Applebaum等人[AHI+17] 2017年论文《Low-complexity cryptographic hash functions》中的hash函数，可hash $t$ field elements at a cost equivalent to $O(t)$ field addtions。】

• 3）选择efficient instantiations of the primitives，可实现linear-time zero-knowledge proofs。

1.2 相关研究

目前有大量关于zero-knowledge proofs的研究。

• 早期的practical zero-knowledge proofs，如 Schnoor [Sch91] 和 Guillou-Quisquater [GQ88] S使用number-theoretic assumptions。可扩展至证明更通用的statements [CDS94, CD98, Gro09, BCC+16] with the latter giving discrete-logarithm based arguments for arithmetic circuit satisfiability with logarithmic communication complexity and a linear number of exponentiations for the prover，即，a computation cost of $O(\lambda N)$ group multiplications for $\lambda$-bit exponents and a circuit with $N$ multiplication gates。

• Ishai等人 [IKOS08] 2008年论文《Cryptography with constant computational overhead》中展示了如何使用secure multi-party computation (MPC) protocols来构建zero-knowledge proofs。这种构建方式背后的直觉为：
  – Prover首先 executes in her head an MPC protocol for computing a circuit verifying some relation $R$，然后commit to the views of all the virtual parties。
  – Verifier asks Prover to open a subset of those views，然后验证their correctness and consistency with each other。
  整个Soundness和zero-knowledge遵从 robustness and privacy of the MPC protocol。
  Applying this framework to efficient MPCs gives asymptotically efficient zero-knowledge proofs。如，[IKOS09] Ishai等人2009年论文《Zero-knowledge proofs from secure multiparty computation》中使用[DI06] Damg˚ard等人 2006年论文《Scalable secure multiparty computation》 中的perfectly secure MPC来实现zero-knowledge proof for the satisfiability of Boolean circuits with communication linear in the circuit size, $O(N)$, and a computational cost of $\Omega (\lambda N)$, for circuit of size $N$ and security parameter $\lambda$ 。
  [DIK10] Damg˚ard等人 2010年论文《Perfectly secure multiparty computation and the computational overhead of cryptography》中使用MPC framework 构建了zero-knowledge proof for the satisfiability of arithmetic circuit。该论文中的实现方式具有more balanced efficiency and achieves $O(polylog(\lambda )N)$ complexity for both computation and communication。

• [JKO13] Jawurek等人2013年论文《Zero-knowledge using garbled circuits: how to prove non-algebraic statements efficiently》中提供了不同的方法来build zero-knowledge proof based on garbled circuit。该方法已被证明 [FNO15,CGM16] 实际上是efficient in practice for constructing proofs for languages represented as Boolean circuits。
  当用于证明small statements时，该技术具有优势，其仅需要a constant number of symmetric-key operations per gate，而主要瓶颈在于其communication complexity。其computational and communication complexity 分别为 $O(\lambda N)$ bit operations and bits，其中$\lambda$为the cost of a single symmetric-key operation。
  最近将这些技术用于zero-knowledge proofs中 for checking the execution of RAM progams [HMR15, MRS17]。For instances that can be represented as RAM programs terminating in $T$ steps and using memory of size $M$, these zero-knowledge proofs yield communication and computation with $polylog(M)$ overhead compared to the running time $T$ of the RAM program。

• [CDP12] Cramer等人2012年论文《On the amortized complexity of zero knowledge protocols for multiplicative relations》中采用本文类似的技术用于构建zero-knowledge proof for verifying multiplicative relations of committed values。当用于zero-knowledge proof for the satisfiability of Boolean circuit时，[CDP12]的communication and computation complexity与[IKOS09]接近，仅少一点点。
  与[CDP12]不同，本文不要求commitment scheme具有任何同态属性，而仅需依赖linear secret sharing scheme with product reconstruction——本文实际使用的是linear error-correcting codes。

• 过去有大量关于succinct non-interactive arguments of knowledge (SNARKs) [Gro10, BCCT12, GGPR13, BCCT13, PHGR13, BCG+13, Gro16]，这些研究具有very compact arguments，同时具有very efficient verification time。大多数情况下，这些arguments仅需包含a constant number of group elements，且verification 包含 a constant number of pairings and a number of group exponentiations that is linear in the instance size but indepedent of the witness size。主要的瓶颈在于Prover 需要计算$O(N)$ group exponentiations，即Prover的computational complexity过大。

• 最近，[BSCS16] Ben-Sasson等人2016年论文《Interactive oracle proofs》中提出了interactive oracle proofs (IOPs)的概念，即为 interactive protocols where the Prover may send a probabilisticaly checkable proof (PCP) in each round。
  Ben-Sasson等人[BSCG+16] 2016年论文《Short interactive oracle proofs with constant query complexity, via composition and sumcheck》中构建了 a 3-round public-coin IOP (with soundness error $1/2$) for Boolean circuit satisfiability with linear proof length and quasi-linear running times for both the prover and the verifier。此外，所构建的IOP还具有constant query complexity (the number of opening queries requested by the verifier)，而之前的PCP constructions 需要sub-linear query complexity。
  Ben-Sasson等人[BSCGV16] 2016年论文《Quasi-linear size zero knowledge from linear-algebraic PCPs》中实现了2-round zero-knowledge IOPs (duplex PCPs) for any language in $NTIME(T(n))$ with quasi-linear prover computation in $n+T(n)$。

以上这些proofs存在一个共性问题是：
Prover的computation cost为super-linear的。
而本文构建的zero-knowledge proof for arithmetic circuit，对于Prover来说其computation 效率更高，同时verification time is optimal for an instance of size $\Omega (N)$ field elements since the verification time is comparable to the time it takes just to read the instance。
本文的算法对于Boolean circuit satisfiability无优势，因为存在额外的开销来将bits表示为field elements。

1.3 相关约定

• 假设Prover和Verifier为RAM machines，where operations on $W$-bit words have unit cost。
  a field element：表示为 $O(\frac{\log |\mathbb{F}|}{W})$ words。
  additions in $\mathbb{F}$：需要 a cost of $O(\frac{\log |\mathbb{F}|}{W})$ machine operations。
  multiplications in $\mathbb{F}$：需要 a higher cost of $w(\frac{\log |\mathbb{F}|}{W})$ machine operations。

• 其它约定：
  

• standard communication channel：
  

• ILC channel （ideal linear commitment channel）：【简化起见，本文主要关注non-adaptive ILC proof system。】
  
  
  本文的ILC proof system 不同于 [BCI+13] (Bitansky等人2013年论文《Erratum: Succinct non-interactive arguments via linear interactive proof》) 中提到的linear interactive proof：
  – linear interactive proof中，Prover和Verifier都可以send vectors of field elements，但是仅有Prover可send linear (or affine) transformations of the verifier’s previously sent vectors。
  – ILC proof system中，Prover可compute on field elements received by the verifier and for instance evaluate polynomials。

• instance、witness等定义：
  
  
  与pairing-based SNARKs中仅考虑circuits with fixed wires不同，本文支持a fully adaptive choice of the arithmetic circuit。

2. Linear-Time Linear Error-Correcting Codes

A code over an alphabet $\sum$ is a subset $\mathcal{C}\subseteq {\sum }^n$。
A code $\mathcal{C}$ 与编码函数有关：$E_{\mathcal{C}}:{\sum }^k\to {\sum }^n$，即mapping messages of length $k$ into codewords of length $n$。假设存在setup algorithm $Ge{n}_{E_{\mathcal{C}}}$，其输入为 finite field $\mathbb{F}$ 和 parameter $k\in \mathbb{N}$，输出为 编码函数$E_{\mathcal{C}}$。

本文主要关注$\mathbb{F}$-linear codes，其中：

• alphabet为a finite field $\mathbb{F}$
• code $\mathcal{C}$ 为a $k$-dimensional linear subspace of ${\mathbb{F}}^n$
• $E_{\mathcal{C}}$ 为 an $\mathbb{F}$-linear map。

the rate of the code定义为：$\frac{k}{n}$。

Hamming distance between two vectors $\vec{x},\vec{y}\in {\mathbb{F}}^n$ 表示为：$hd(\vec{x},\vec{y})$，是指 the number of coordinates in which $\vec{x},\vec{y}$ differ。

最小distance of a code 是指：the minimum Hamming distnace $h{d}_{min}$ between distinct codewords in $\mathcal{C}$。

将$[n,k,h{d}_{min}{]}_{\mathbb{F}}$ 表示为 a linear code over $\mathbb{F}$ with length $n$，dimension $k$ and minimum distance $h{d}_{min}$。

the Hamming weight of a vector $\vec{x}$ 是指： w t ( x ⃗ ) = ∣ { i ∈ [ n ] : x i ≠ 0 } ∣ wt(\vec{x})=|\{i\in [n]: x_i\neq 0\}| wt(x )=∣{i∈[n]:xi​​=0}∣。

本文要求 codes with linear length $n=\Theta (k)$, and linear distnace $h{d}_{min}=\Theta (k)$, in the dimension $k$ of the code。

由于 random linear codes在distance 和 rate之间取得了很好的平衡，而本文重点关注computational efficiency of the encoding procedure，而random codes并不以效率高见长。
为了实现具有linear cost for prover and verifier的zero-knowledge proof/argument，需使用codes that can be encoded in linear time。linear codes with linear-time encoding的相关研究有 [Spi95, GI01, GI02, GI03, GI05, DI14, CDD+16]，本文主要选择[DI14] codes进行了实例化。

3. commitment scheme

A non-interactive commitment scheme是指：允许a sender to commit to a secret message，然后reveal the message in a verifiable way。
本文主要关注可 take as input an arbitrary length message so the message space is { 0 , 1 } ∗ \{0,1\}^* {0,1}∗ 的commitment scheme。

commitment scheme 可由一组PPT算法 $(Setup,Commit)$ 组成：

• $Setup(1^{\lambda })\to ck$：输入为security parameter $\lambda$，输出为 commitment key $ck$。
• $Commi{t}_{ck}(m)\to c$：输入为 message $m$ 和随机数 r ← { 0 , 1 } p o l y ( λ ) r\leftarrow \{0,1\}^{poly(\lambda)} r←{0,1}poly(λ)，输出为 a commitment $c=Commi{t}_{ck}(m;r)$。

Commitment scheme应具有binding和hiding属性：

• linear-time commtiment scheme是指：
  计算 $Commi{t}_{ck}(m)$ 的时间为 $poly(\lambda )+\mathcal{O}(|m|)$ bit operations，对应为 $poly(\lambda )+\mathcal{O}(\frac{|m|}{W})$ machine operations on $W$-bit RAM machine。

• compact commitment scheme是指：
  存在a polynomial $l(\lambda )$ 使得 commitments have size at most $l(\lambda )$ regardless of how long the message is。

• public-coin commitment scheme是指：
  存在a polynomial $l(\lambda )$ 使得 $Setup(1^{\lambda })$ picks the commitment key uniformly at random as c k ← { 0 , 1 } l ( λ ) ck\leftarrow \{0,1\}^{l(\lambda)} ck←{0,1}l(λ)。

候选的linear-time commitment scheme有：

• Applebaum等人[AHI+17] 2017年论文《Low-complexity cryptographic hash functions》基于 the binary shortest vector problem assumption （即 find non-trivial low-weight vectors in the null space of a matrix over ${\mathbb{F}}_2$），构建了 low-complexity families of collision-resistant hash functions，使得可以 evaluate the hash function in linear time in the message size。其猜测 the shortest vector problem is hard when the matrix is sparse，如 an LDPC parity check matrix [Gal62]。
  Halevi和Micali [HM96] 中指出，collision-resistant hash function可实现compact statistically hiding commitment scheme，其transformation非常高效，因此基于linear-time hash function可实现linear-time statistically hiding compact commitment scheme。
  若基于[AHI+17] 中的public-coin linear-time hash function，则可实现 linear-time public-coin statistically hiding commitment scheme。

• Ishai等人 [IKOS08] 2008年论文《Cryptography with constant computational overhead》中提出了linear-cime computable pseudorandom generators。statistically binding commitment scheme是指：
  可commit to an arbitrary length message $m$ by picking a seed $s$ for the pseudorandom generator，stretch it to $t=PRG(s)$ of length $|m|$ and let $(Commi{t}_{ck}(s),t\oplus m)$ 为the commitment to $m$。这种构建方式保留了seed commitment scheme 的public-coin属性。
  Assuming the commitment scheme is statistically binding, this gives us a linear-time statistically binding, this gives us a linear-time statistically binding commitment scheme for arbitrary length messages。也可理解为 commitments have the same length as the messages plus an additive polynomial overhead that depends only on the security parameter。

4. zero-knowledge proofs for arithmetic circuit satisfiability in the ideal linear commitment model

在本章构建了a SHVZK proof of knowledge for arithmetic circuit satisfiability relations $R_{AC}$ in the ILC model。本章的proof可看成是 Groth等人[Gro09,BCC+16] (Groth 2009年论文 《Linear algebra with sub-linear zero-knowledge arguments》 中zero-knowledge argument in an idealized vector commitment setting 的抽象。

在ILC model中：

• Prover：可commit to vectors in ${\mathbb{F}}^k$ by sendding them to the channel。ILC channel中存储the received vectors，然后告知Verifier the number of vectors it received。
• Verifier：可send messages to the Prover via the ILC channel，在[Gro09]以及本文中这些messages为field elements in $\mathbb{F}$。
• Verifier：可query the channel to open arbitrary linear combinations of the committed vectors sent by the prover。

其中 field $\mathbb{F}$ 和 vector length $k$ 由public parameter $p{p}_{ILC}$确定。稍后将证明为了取得the best communication and computation complexity for arithmetic circuits with $N$ gates， $k$应接近于$\sqrt{N}$。

针对有$N$ fan-in 2 addition gates/ multiplication gates over a field $\mathbb{F}$ 的circuit，每个gate有2个inputs (左和右) 以及1个ouput wire，每个output wire可能是其它多个gate的input。最终，总共有$3N$ inputs and outputs to gates。

关于arithmetic circuit的描述中，应包含：

• a set of gates
• the connection of wires between gates
• 以及 known values assgined to some of the inputs and outputs。

a circuit is said to be satisfiable if there exists an assignment complying with all the gates, the wiring, and the known values specified in the instance。

从更宏观的角度来看，proof是指Prover commit to the $3N$ inputs and outputs of all the gates in the circuit，然后证明 these assignments are consistent with the circuit description。
arithmetic circuit satisfiability proof 中主要包含以下任务：【即存在以下4类constraints。】

• Prove for each value specified in the instance that this is indeed the value the prover has committed to。
• Prove for each addition gate that the committed output is the sum of the committed input。
• Prove for each multiplication gate that the committed output is the product of the committed input。
• Prove for each wire that all committed values corresponding to this wire are the same。

为了利用这些proofs，可将the committed values 布局为类似[Gro09] 中的 row vectors ${\vec{v}}_i\in {\mathbb{F}}^k$。
不失一般性地（可通过add few dummy gates to the circuit 实现），假设addition gates的数量和multiplication gates的数量都能整除$k$。

对addition gates进行编号 from $(1,1)$ to $(m_A,k)$，对multiplication进行编号 from $(m_A+1,1)$ to $(m_A+m_M,k)$。
对addition gates的left inputs, right inputs和outputs分别赋值3个矩阵 $\mathbf{A},\mathbf{B},\mathbf{C}\in {\mathbb{F}}^{m_A\times k}$，使得$\mathbf{A}+\mathbf{B}=\mathbf{C}$。
同理对multiplication gates的left inputs, right inputs和outputs分别赋值3个矩阵 $\mathbf{D},\mathbf{E},\mathbf{F}\in {\mathbb{F}}^{m_M\times k}$，使得$\mathbf{D}\circ \mathbf{E}=\mathbf{F}$。（Hadamard product of matrices，也称为 entry-wise product of matrices。）
对矩阵的entries进行排序，使得the wires attached to the same gate correspond to the same entry of the three matrices，如下图2所示：

【其实就是将6个矩阵（前3个表示加法关系，后3个表示乘法关系）合并为一个大矩阵，同时保证各个位置之间的加法或乘法关系的一一对应。】

从而使得整个arithmetic circuit relation可表示为：

其中$u$为instance，即为public info；$w$为witness。
即上图中的 ( m A , m M , π , { v ⃗ i } i ∈ S ) (m_A,m_M,\pi,\{\vec{v}_i\}_{i\in S}) (mA​,mM​,π,{v i​}i∈S​) 为public info，$\pi$表示的是各个wire之间的对应关系，以准确描述各个gate之间的输入输出关系，即$V_{i,j}=V_{\pi (i,j)}\forall (i,j)\in [m]\times [k]$。
对于每根wire，可write a cycle $((i_1,j_1),\cdots ,(i_t,j_t))$ that lists the location of the committed values corresponding to this wire。
设 $\pi \in {\sum }_{[m]\times [k]}$ 为the product of all these cycles，从而可明确定义the wiring of the circuit。仍然以上图2为例，1号加法门的输出为1号乘法门和2号加法门的输入，在合并矩阵 V = { v ⃗ i } i = 1 m \mathbf{V}=\{\vec{v}_i\}_{i=1}^{m} V={v i​}i=1m​ 中分别对应的entries为 $(5,1),(9,1),(1,2)$，这就意味着可使用cycle $((5,1),(9,1),(1,2))$ 来表示cycles中的entries必须完全相同；2号加法门的输出为3号乘法门的输入，因此有cycle $((5,2),(4,1))$内entries必须具有相同值。。。
而permutation $\pi$ 为 the product of all these cycles that define which entries should have the same value。

在证明arithmetic circuit satisfiability的过程中：【以中括号表示为commitment值，如$[\vec{a}]$表示为对vector $\vec{a}$ 的commitment值。】

• Prover首先commit to all values { v ⃗ i } i = 1 m \{\vec{v}_i\}_{i=1}^{m} {v i​}i=1m​
• Prover使用sub-proof来证明以上arithmetic circuit中的4类constraints。
  （1）Prove for each value specified in the instance that this is indeed the value the prover has committed to。
  
  （2）Prove for each addition gate that the committed output is the sum of the committed input。
  
  （3）Prove for each multiplication gate that the committed output is the product of the committed input。
  
  （4）Prove for each wire that all committed values corresponding to this wire are the same。
  
  完整的arithmetic circuit satisfiability proof in the ILC model 架构可表示为：
  
  整个ILC proof for arithmetic circuit satisfiability 可分解表示为：
  

以上arithmetic circuit satisfiability proof in the ILC model 算法的效率分析为：

4.1 Proof for the correct opening of committed vectors

Prove for each value specified in the instance that this is indeed the value the prover has committed to。
即证明Prover所commit的公有信息是正确的。

• Prover发送 $(commit,{\vec{u}}_1,\cdots ,{\vec{u}}_t)$ 给ILC，由于这些向量之前已存储在ILC中了，Prover不需要其它额外操作。设$\mathbf{U}=({\vec{u}}_i{)}_{i=1}^t$，则$[\mathbf{U}]$ 表示the commitments stored in the ILC。

Proof for the correct opening of committed vectors，对应想要证明的relation为：

具体证明思路为：

相应的计算分析为：

4.2 Proof for the sum of committed matrices

Prove for each addition gate that the committed output is the sum of the committed input。

相应的relation可表示为：

具体的证明思路为：

相应的计算分析为：

4.3 proof for the Hadamard product of committed matrices

Prove for each multiplication gate that the committed output is the product of the committed input。

相应的relation可表示为：

将矩阵$\mathbf{A}$看成是a collection of $mn$ row vectors ${\vec{a}}_{i,j}\in {\mathbb{F}}^k$ for $0\le i\le m-1,1\le j\le n$，同理有${\vec{b}}_{i,j},{\vec{c}}_{i,j}$。若$\mathbf{A}\circ \mathbf{B}=\mathbf{C}$，则有${\vec{a}}_{i,j}\circ {\vec{b}}_{i,j}={\vec{c}}_{i,j}$ for $0\le i\le m-1,1\le j\le n$。

不失一般性地，可假设$m=2^{\mu }$ for some integer $\mu$，则可引入$\mu$个challenges $X_0,X_1,\cdots ,X_{\mu -1}$ ，压缩$2mn$ vectors ${\vec{a}}_{i,j},{\vec{b}}_{i,j}$ of length $k$ (分别对应乘法门的左侧和右侧输入) 为 $2n$ vectors ${\dot{\vec{a}}}_j,{\dot{\vec{b}}}_j$ of the same length ($k$)。具体的压缩算法为insert vectors ${\vec{a}}_{i,j}$ (resp. ${\vec{b}}_{i,j}$) into distinct coefficients of $n$个多变量多项式 in $X_0,X_1,\cdots ,X_{\mu -1}$，使得vector ${\vec{a}}_{i,j}$ is positioned in the $j$th polynomial as coefficient of $X_0^{i_0}\cdots X_{\mu -1}^{i_{\mu -1}}$，其中$i_{\mu -1}{i}_{\mu -2}\cdots i_0$ 为 $i$ 的二进制表示。对该多变量多项式evaluate at challenges $(x_0,x_1,\cdots ,x_{\mu -1})$ 即可获得 $2n$ vectors of length $k$：

类似地，再将以上$2n$ vectors embed into the coefficients of two polynomials in $X$ of degree $n$：

对以上 two vectors of polynomials 进行Hadamard product，则有：

注意，different Hadamard products are separated by different powers of $y$。
同时，以上polynomials 会leak information about the wire values，因此需引入random blinders来实现zero-knowledge。

完整的Hadamard product relation ${\mathcal{R}}_{prod}$证明思路为：

Hadamard product relation ${\mathcal{R}}_{prod}$证明算法的计算分析为：

4.4 proof for the Double-shift of Committed Matrices

double-shift proof常用于证明：
the product of all entries in one matrix is equal to the product of all entries in another matrices。

本文考虑的shift 是指：【将矩阵以行向量形式表示。则proof of double-shift 可看成是proof of knowledge of vectors satisfying the stated shift condition。】

本文考虑的double-shift 是指：
已知 committed matrices $\mathbf{A},\mathbf{B},\mathbf{C},\mathbf{D}$，其中$\mathbf{A}$ 为 the shift of $\mathbf{B}$，$\mathbf{C}$ 为 the shift of $\mathbf{D}$，$\mathbf{B}$和$\mathbf{D}$最右下角的元素相同，即$b_{mn,k}=d_{mn,k}$。

相应的double-shift relation 表示为：

double-shift condition可encoded as many linear consistency constraints between the entries of $\mathbf{A},\mathbf{B},\mathbf{C}$ and $\mathbf{D}$，如$({\vec{a}}_{0,1}{)}_2-({\vec{b}}_{0,1}{)}_1=\vec{0}$。可引入randomn challenge $y$ 来embed all linear consistency constraints into one, with each individual constraint embedded with a different power of $y$。

与Hadamard product proof类似，假设$m=2^{\mu }$，引入challenges $X_0,\cdots ,X_{\mu -1}$ 来压缩，将vectors的数量由$4mn$ reduce为$4n$，压缩后的向量可表示为：

再将这些压缩后的向量embed into polynomials in $X$，有：

将所有的linear consistency constraints embed into vecots ${\hat{\vec{w}}}_a,{\hat{\vec{w}}}_b,{\hat{\vec{w}}}_c,{\hat{\vec{w}}}_d$，设$\vec{y}=(1,y,\cdots ,y^{k-1})$，有：

相应的计算有：

引入random blinders ${\hat{\vec{a}}}_0,{\hat{\vec{b}}}_0,{\hat{\vec{c}}}_0,{\hat{\vec{d}}}_0$ 实现的zero-knowledge double-shift proof算法为：【$N=\frac{knm}{3}$，为the total number of gates。】



double-shift不成立，即为以下5种情况中的一种：

以上zero-knowledge double-shift proof算法的计算分析为：【Verifier query for $\hat{\vec{a}},\hat{\vec{b}},\hat{\vec{c}},\hat{\vec{d}}$ 以及 $\hat{e}$，因此其query complexity为 $5$。】

4.5 proof for the same-product of matrices

基于double-shift proof 和 Hadamard product proof，很容易构建proof for：
the product of all entries in a matrix $\mathbf{A}$ is the same of the product of all entries of a matrix $\mathbf{B}$。
对应的same-product of matrices relation可表示为：

核心思路为：
构建中间矩阵 ${\mathbf{A}}_1,{\mathbf{A}}_2,{\mathbf{B}}_1,{\mathbf{B}}_2$，使得 ${\mathbf{A}}_2=\mathbf{A}\circ {\mathbf{A}}_1,{\mathbf{B}}_2=\mathbf{B}\circ {\mathbf{B}}_1$。

因此，same-product of matrices 可拆分为以下sub-proof来证明：

• 1）证明 ${\mathbf{A}}_2=\mathbf{A}\circ {\mathbf{A}}_1$
• 2）证明 ${\mathbf{B}}_2=\mathbf{B}\circ {\mathbf{B}}_1$
• 3）证明 ${\mathbf{A}}_1,{\mathbf{A}}_2,{\mathbf{B}}_1,{\mathbf{B}}_2$ 满足double shift条件，即 ${\mathbf{A}}_2$为the shift of ${\mathbf{A}}_1$，${\mathbf{B}}_2$为the shift of ${\mathbf{B}}_1$，且 ${{\mathbf{B}}_2}_{N-1}={{\mathbf{A}}_2}_{N-1}$ 【即矩阵最右小角的元素值相同。】
• 4）证明 ${\mathbf{A}}_1和{\mathbf{A}}_2$ 为 the partial product of $\mathbf{A}$，${\mathbf{B}}_1和{\mathbf{B}}_2$ 为 the partial product of $\mathbf{B}$ 【以下证明协议中没体现这部分证明？】

整个same-product of matrices proof算法的计算分析为：

4.6 proof for known permutation of matrices

场景描述为：

• instance （即 public info）： $u=(\pi ,[\mathbf{A}],[\mathbf{B}])$，其中$\pi \in {\sum }_{[m]\times [k]}$
• witness：$\mathbf{A},\mathbf{B}\in {\mathbb{F}}^{m\times k}$
• relation：$\mathbf{B}={\mathbf{A}}^{\pi }$ 且 相应的commitments正确。【其中${\mathbf{A}}^{\pi }$ 为the matrix with entries $a_{i,j}^{\pi }=a_{\pi (i,j)}$】

相应的known permutation of matrices relation可表示为：

若permutation $\pi$为公开已知的，在 [Gro09] Groth 2009年论文 《Linear algebra with sub-linear zero-knowledge arguments》 中 的knwon permutation argument 需依赖于计算powers of a challenge，使得 Verifier需 use a linear number of multiplications，详细见博客 Linear Algebra with Sub-linear Zero-Knowledge Arguments学习笔记 中 “5.9 证明矩阵之间的known permutation”：

而本文实现的 known permutation proof for matrices，其Verifier 仅需a linear number of additions，详细的思路为：【其中】

• Prover：commit to the rows of two matrices $\mathbf{A},\mathbf{B}\in {\mathbb{F}}^{m\times k}$。
  permuation $\pi \in {\sum }_{[m]\times [k]}$ 以矩阵 $\mathbf{V}$表示为：
  
  定义全1矩阵 $\mathbf{J}\in {\mathbb{F}}^{m\times k}$，其矩阵内所有元素均为1，即：
  
• Verifer：发送challenge $x,y$。
• Prover：commit to $\mathbf{A}+y\mathbf{V}-x\mathbf{J}$ 和 $\mathbf{B}+y{\mathbf{V}}^{\pi }-x\mathbf{J}$。
  注意若 $\mathbf{B}={\mathbf{A}}^{\pi }$，则意味着 $\mathbf{B}+y{\mathbf{V}}^{\pi }$ 中 包含a permutation of the entries in $\mathbf{A}+y\mathbf{V}$；若 $\mathbf{B}\ne {\mathbf{A}}^{\pi }$，则有 overwhelming probability over $y$ there will be entries in $\mathbf{B}+y{\mathbf{V}}^{\pi }$ that do not appear anywhere in $\mathbf{A}+y\mathbf{V}$。
  转为由Prover证明 the product of the entries in $\mathbf{A}+y\mathbf{V}-x\mathbf{J}$ 等于 the product of the entries in $\mathbf{B}+y{\mathbf{V}}^{\pi }-x\mathbf{J}$，即：
  
  根据Schwartz-Zippel lemma，over random choice of $x$，以上等式成立，而 $\mathbf{B}+y{\mathbf{V}}^{\pi }$不是 the permuation of the entries in $\mathbf{A}+y\mathbf{V}$ 的概率可忽略。

完整的证明思路为：

known permutation of matrices 算法的计算分析为：

4.7 efficiency of the proof for arithmetic circuit satisfiability

完整的arithmetic circuit satisfiability proof in the ILC model 为：

相应的计算可进行优化，对于arithmetic circuit with $N$ gates，Verifier cost可由$O(kmn)$ additions 优化为 $O(N)$ additions：

5. Compiling ideal linear commitment proofs Into Standard proofs

注意，ILC channel 允许 Prover submit vectors of length $k$ to the channel，使得 Verifier 可 query linear combinations of those vectors。

具体思路为：【 $\mathbf{V}$ 为 $t$ 行 $k$ 列矩阵。】

• Prover 使用linear error-correcting code $E_C$ 来 encodes each vector ${\vec{v}}_{\tau }$ as $E_C({\vec{v}}_{\tau })$。
  在任意round，可将codewords看成是 rows $E_C({\vec{v}}_{\tau })$ in a matrix $E_C(\mathbf{V})$。
• Prover commit to the columns of the matrix。
  当Verifier 想open linear combination of the original vectors时，Verifier 发送系数 $\vec{q}=(q_1,\cdots ,q_t)$ of the linear combination to the prover，Prover返回 ${\vec{v}}_{\vec{q}}\leftarrow \vec{q}\mathbf{V}$。
• 为了抽查Prover未给出错误的${\vec{v}}_{\vec{q}}$值，Verifer可request the $j$th element of each committed codeword $e_{\tau }$，这相当于 reveal the $j$th column of error-corrected matrix $E_C(\mathbf{V})$。
  由于 the code $E_C$ 为linear的，因此 the revealed elements 应满足 $E_C({\vec{v}}_{(\vec{q})}{)}_j={\sum }_{\tau =1}^t{q}_{\tau }{E}_C({\vec{v}}_{\tau }{)}_j=\vec{q}(E_C(\mathbf{V}){|}_j)$。
  Verifier可抽查多列，若 the code has sufficiently large minimum distance and the prover gives a wrong ${\vec{v}}_{(\vec{q})}$，则很大概率（with overwhelming probability），Verifier将open at least one column $j$ where the above equality does not hold。

Revealing entries in a codeword may leak information about the encoded vector，为实现zero-knowledge，改为使用randomized encoding ${\tilde{E}}_C$ 使得 ${\tilde{E}}_C(\vec{v};\vec{r})=(E_C(\vec{v})+\vec{r},\vec{r})$。这种方女士将doubles the code-length to $2n$ 但是可保证 when yo reveval entry $j$, but not entry $j+n$，则Verifier only learns a random field element。

具体实现为：

相应的计算分析为：

使用不同的commitment scheme实现对比为：

参考资料

1. 博客LDC——Locally Decodable Code