1. 引言
sum-check protocol首次由Lund等人在1992年论文《Algebraic Methods for Interactive Proof Systems》中提出。
sum-check protocol的价值在当前的ZKProofs community是被低估了的,被低估的原因主要有:
- sum-check protocol 的proof size至少为logarithmic length,对于区块链等对存储敏感的应用,关注的是能提供super short proofs的算法(如 Gennaro等人2012年论文《Quadratic Span Programs and Succinct NIZKs without PCPs》基于pairing的zkSNARKs算法可提供constant proof length)。
- sum-check protocol本身并既不具有zero-knowledge属性,也不具有“succinct for NP statements”。即对于NP statements,通过sum-check protocol实现的proof length is not sublinear in the size of the NP witness。
当前有强证据表明,对于NP statements,不存在succinct interactive proof。这不同于argument system,对于argument system,仅具有computationally sound。
要点:
- 借助sum-check protocol可实现super-efficient IP for matrix-powering。如已知任意的 n × n n\times n n×n矩阵 A A A over field F \mathbb{F} F,该IP可计算any desired entry of the powered matrix A k A^k Ak。整个IP的round和communication cost为 O ( log ( k ) ⋅ log n ) O(\log(k)\cdot \log n) O(log(k)⋅logn),而verifier的runtime为 O ( n 2 + log ( k ) ⋅ log n ) O(n^2+\log(k)\cdot \log n) O(n2+log(k)⋅logn)。
- Goldwasser, Kalai和Rothblum (GKR) 2008年论文《Delegating Computation: Interactive Proofs for Muggles》中正是利用了matrix-powering protocol 实现了arithmetic circuit证明。
近几年的研究中指出,将sum-check protocol与cryptographic commitments结合,可实现arguments——同时具有zero-knowledge属性和succinct for NP statements。实现的相关zk-SNARKs具有state of the art performance,如Hyrax, zk-VSQL, Libra, Virgo, Spartan。
若对zk-SNARKs感兴趣且对具有logarithmic length的proof size满意,可对sum-check protocol进行深入学习。
本文主要关注的是interactive proofs (IPs),关注的场景为:
Verifier
V
V
V 将 expensive computation 外包给 an untrusted prover
P
P
P,从而节约verifier的工作量。
要求:
- verifier V V V的验证工作量为run in time linear in the input size。
- proof size 为short的(logarithmic size)。
- prover P P P 为efficient的。
1.1 多项式及其low-degree extension
- polynomial
G
\mathcal{G}
G over
F
\mathbb{F}
F 表示的是:
monomials(单项式)之和
其中每个单项式是 the product of a constant (from F \mathbb{F} F) and powers of one or more variables (which take values from F \mathbb{F} F)。所有的计算都performed over F \mathbb{F} F。 - 单项式的degree为:the sum of the exponents of variables in the monomial。
- 多项式的degree为:the maximum degree of any monomial in G \mathcal{G} G。
- 多项式的degree in a particular variable x i x_i xi为:the maximum exponent that x i x_i xi takes in any of the monomials in G \mathcal{G} G。
- 多变量多项式是指:具有不只一个变量的多项式。只有一个变量的多项式称为univariate polynomial单变量多项式。
- multilinear polynomial是指:多变量多项式的任一变量的degree均不大于1.
- low-degree polynomial是指:多变量多项式 G \mathcal{G} G over a finite field F \mathbb{F} F 的degree in each variable is exponentially smaller than ∣ F ∣ |\mathbb{F}| ∣F∣。
- Low-degree extensions (LDEs)是指:假设
g
:
{
0
,
1
}
m
→
F
g:\{0,1\}^m\rightarrow \mathbb{F}
g:{0,1}m→F为a function that maps
m
m
m-bit elements into an element of
F
\mathbb{F}
F。 A polynomial extension of
g
g
g is a low-degree
m
m
m-variate polynomial
g
~
(
⋅
)
\tilde{g}(\cdot)
g~(⋅) 使得
g
~
(
x
)
=
g
(
x
)
\tilde{g}(x)=g(x)
g~(x)=g(x) for all
x
∈
{
0
,
1
}
m
x\in\{0,1\}^m
x∈{0,1}m。
【若 g ~ ( x ) \tilde{g}(x) g~(x)为multilinear polynomial (degree at most 1 in each variable),则low-degree extension也可成为multilinear polynomial extension。】 - multilinear polynomial extension (简称为MLE) 是指:Given a function
Z
:
{
0
,
1
}
m
→
F
Z:\{0,1\}^m\rightarrow \mathbb{F}
Z:{0,1}m→F,the multilinear extension of
Z
(
⋅
)
Z(\cdot)
Z(⋅) is the unique multilinear polynomial
Z
~
:
F
m
→
F
\tilde{Z}: \mathbb{F}^m\rightarrow \mathbb{F}
Z~:Fm→F。计算方式为:
Z ~ ( x 1 , ⋯ , x m ) = ∑ e ∈ { 0 , 1 } m Z ( e ) ⋅ ∏ i = 1 m ( x i ⋅ e i + ( 1 − x i ) ⋅ ( 1 − e i ) ) = ∑ e ∈ { 0 , 1 } m Z ( e ) ⋅ e q ~ ( x , e ) = < ( Z ( 0 ) , ⋯ , Z ( 2 m − 1 ) ) , ( e q ~ ( x , 0 ) , ⋯ , e q ~ ( x , 2 m − 1 ) ) > \tilde{Z}(x_1,\cdots,x_m)=\sum_{e\in\{0,1\}^m}Z(e)\cdot \prod_{i=1}^{m}(x_i\cdot e_i+(1-x_i)\cdot (1-e_i))=\sum_{e\in\{0,1\}^m}Z(e)\cdot \tilde{eq}(x,e)=<(Z(0),\cdots,Z(2^m-1)), (\tilde{eq}(x,0),\cdots, \tilde{eq}(x,2^m-1))> Z~(x1,⋯,xm)=∑e∈{0,1}mZ(e)⋅∏i=1m(xi⋅ei+(1−xi)⋅(1−ei))=∑e∈{0,1}mZ(e)⋅eq~(x,e)=<(Z(0),⋯,Z(2m−1)),(eq~(x,0),⋯,eq~(x,2m−1))>
其中 e q ~ ( x , e ) = ∏ i = 1 m ( e i ⋅ x i + ( 1 − e i ) ⋅ ( 1 − x i ) ) \tilde{eq}(x,e)=\prod_{i=1}^{m}(e_i\cdot x_i+(1-e_i)\cdot (1-x_i)) eq~(x,e)=∏i=1m(ei⋅xi+(1−ei)⋅(1−xi)), e q ~ ( x , e ) \tilde{eq}(x,e) eq~(x,e) is the MLE of the following function:
e q ( x , e ) = { 1 if x=e 0 otherwise eq(x,e)= \left\{\begin{matrix} 1 & \text{if x=e} \\ 0 &\text{otherwise} \end{matrix}\right. eq(x,e)={10if x=eotherwise
对于任一的 r ∈ F m r\in\mathbb{F}^m r∈Fm,可在 O ( 2 m ) O(2^m) O(2m)次operations in F \mathbb{F} F 之内计算出 Z ~ ( r ) \tilde{Z}(r) Z~(r)的值。
由于a function的MLE是唯一的,因此MLE可用于represent 任意的multilinear polynomial。对于a multilinear polynomial G ( ⋅ ) : F m → F \mathcal{G}(\cdot):\mathbb{F}^m\rightarrow \mathbb{F} G(⋅):Fm→F,可唯一表示为 the list of evaluations of G ( ⋅ ) \mathcal{G}(\cdot) G(⋅) over the Boolean hypercube { 0 , 1 } m \{0,1\}^m {0,1}m (如a function that maps { 0 , 1 } m → F \{0,1\}^m\rightarrow \mathbb{F} {0,1}m→F)。
其中关键的技术点——multilinear extension lemma(follow from Lagrange interpolation):【引入multilinear extension可ensure fast computation for the prover。】
设
f
:
{
0
,
1
}
n
→
F
f:\{0,1\}^n\rightarrow \mathbb{F}
f:{0,1}n→F,则存在唯一的multilinear polynomial
f
~
\tilde{f}
f~ over
F
\mathbb{F}
F 使得
f
~
(
x
)
=
f
(
x
)
\tilde{f}(x)=f(x)
f~(x)=f(x) for all
x
∈
{
0
,
1
}
n
x\in\{0,1\}^n
x∈{0,1}n。
f
~
\tilde{f}
f~称为the multilinear extension (MLE) of
f
f
f。
若已知a list of all 2 n 2^n 2n evaluations of f f f 和 an arbitrary point r ⃗ ∈ F n \vec{r}\in\mathbb{F}^n r∈Fn,则存在an algorithm that can evaluate f ~ ( r ⃗ ) \tilde{f}(\vec{r}) f~(r) in O ( 2 n ) O(2^n) O(2n) time。
2. the sum-check protocol
有:
v
v
v-variate polynomial
g
g
g defined over a finite field
F
\mathbb{F}
F。
此处约定 g g g具有degree at most 2 in each variable。【而对于multilinear polynomial,则要求degree at most 1 1 1 in each variable。】
sum-check protocol的主要目标是求和:
H
:
=
∑
b
1
∈
{
0
,
1
}
∑
b
2
∈
{
0
,
1
}
⋯
∑
b
v
∈
{
0
,
1
}
g
(
b
1
,
⋯
,
b
v
)
H:=\sum_{b_1\in\{0,1\}}\sum_{b_2\in\{0,1\}}\cdots\sum_{b_v\in\{0,1\}}g(b_1,\cdots,b_v)
H:=∑b1∈{0,1}∑b2∈{0,1}⋯∑bv∈{0,1}g(b1,⋯,bv) ……(1)
以上(1)方程式本质是 sum up the evaluations of a polynomial over all Boolean inputs,初看该求和似乎并不实用,但是后续介绍中会指出many natural problems可转化为an inatance of Equation (1)。
【借助sum-check protocol,Verifier不需要evaluate the entire boolean hypercube to verify the claim。相反的,Verifier仅需选择random points
(
r
1
,
r
2
,
r
v
)
(r_1,r_2,r_v)
(r1,r2,rv)。】
为了便于理解,可假设Verifier具有oracle access to
g
g
g,即
V
V
V可evaluate
g
(
r
1
,
⋯
,
r
v
)
g(r_1,\cdots,r_v)
g(r1,⋯,rv) for a randomly chosen vector
(
r
1
,
⋯
,
r
v
)
∈
F
v
(r_1,\cdots,r_v)\in\mathbb{F}^v
(r1,⋯,rv)∈Fv with a single query to an oracle,尽管在实际应用中该假设不成立。实际应用中,
V
V
V可自己efficiently evaluate
g
(
r
1
,
⋯
,
r
v
)
g(r_1,\cdots,r_v)
g(r1,⋯,rv),或者要求Prover告诉它
g
(
r
1
,
⋯
,
r
v
)
g(r_1,\cdots,r_v)
g(r1,⋯,rv)的结果值的同时,
P
P
P提供该结果值正确的证明(借助the sum-checkprotocol)。
整个sum-check protocol包含
v
v
v轮,每一轮对应
g
g
g中的一个变量。
第1轮:
- Prover:发送polynomial
g
1
(
X
1
)
g_1(X_1)
g1(X1),同时声明
g
1
(
X
1
)
=
∑
x
2
,
⋯
,
x
v
∈
{
0
,
1
}
v
−
1
g
(
X
1
,
x
2
,
⋯
,
x
v
)
g_1(X_1)=\sum_{x_2,\cdots,x_v\in\{0,1\}^{v-1}}g(X_1,x_2,\cdots,x_v)
g1(X1)=∑x2,⋯,xv∈{0,1}v−1g(X1,x2,⋯,xv)。
若 g 1 g_1 g1是正确的,则有 H = g 1 ( 0 ) + g 1 ( 1 ) H=g_1(0)+g_1(1) H=g1(0)+g1(1)。
【本文约定了该单变量多项式degree为不高于 2 2 2, g j ( X j ) = c 0 , j + c 1 , j X j + c 2 , j X j 2 g_j(X_j)=c_{0,j}+c_{1,j}X_j+c_{2,j}X_j^2 gj(Xj)=c0,j+c1,jXj+c2,jXj2,可以系数 ( c 0 , j , c 1 , j , c 2 , j ) (c_{0,j},c_{1,j},c_{2,j}) (c0,j,c1,j,c2,j)来表示多项式 g j g_j gj,或者以 [ ( b 1 , g j ( b 1 ) ) , ( b 2 , g j ( b 2 ) ) , ( b 3 , g j ( b 3 ) ) ] [(b_1,g_j(b_1)),(b_2,g_j(b_2)),(b_3,g_j(b_3))] [(b1,gj(b1)),(b2,gj(b2)),(b3,gj(b3))] 这样的3组eavaluations值 来表示。】【即每轮Prover将发送3个field elements。】【Hyrax以及Spartan论文中引入了extension e q ~ ( t , x ) \tilde{eq}(t,x) eq~(t,x),因此 g j ( X j ) = c 0 , j + c 1 , j X j + c 2 , j X j 2 + c 3 , j X j 3 g_j(X_j)=c_{0,j}+c_{1,j}X_j+c_{2,j}X_j^2+c_{3,j}X_j^3 gj(Xj)=c0,j+c1,jXj+c2,jXj2+c3,jXj3 的degree 为3,但是不影响总体理解。所以本博文后续都是以degree为2举例的。】 - Verifier:
验证 H = g 1 ( 0 ) + g 1 ( 1 ) H=g_1(0)+g_1(1) H=g1(0)+g1(1)是否成立,若成立,则发送random challenege r 1 ← F r_1\leftarrow \mathbb{F} r1←F。
第2轮:
- Prover:发送polynomial
g
2
(
X
2
)
g_2(X_2)
g2(X2),同时声明
g
2
(
X
2
)
=
∑
(
x
3
,
⋯
,
x
v
)
v
−
2
g
(
r
1
,
X
2
,
x
3
,
⋯
,
x
v
)
g_2(X_2)=\sum_{(x_3,\cdots,x_v)^{v-2}}g(r_1,X_2,x_3,\cdots,x_v)
g2(X2)=∑(x3,⋯,xv)v−2g(r1,X2,x3,⋯,xv)。
若 g 2 g_2 g2是正确的,则有 g 2 ( 0 ) + g 2 ( 1 ) = g 1 ( r 1 ) g_2(0)+g_2(1)=g_1(r_1) g2(0)+g2(1)=g1(r1)。 - Verifier:
验证 g 2 ( 0 ) + g 2 ( 1 ) = g 1 ( r 1 ) g_2(0)+g_2(1)=g_1(r_1) g2(0)+g2(1)=g1(r1)是否成立,若成立,则发送random challenege r 2 ← F r_2\leftarrow \mathbb{F} r2←F。
⋮ \vdots ⋮
第 j > 1 j>1 j>1轮:
- Prover:发送polynomial
g
j
(
X
j
)
g_j(X_j)
gj(Xj),同时声明
g
j
(
X
j
)
=
∑
(
x
j
+
1
,
⋯
,
x
v
)
v
−
j
g
(
r
1
,
⋯
,
r
j
−
1
,
X
j
,
x
j
+
1
,
⋯
,
x
v
)
g_j(X_j)=\sum_{(x_{j+1},\cdots,x_v)^{v-j}}g(r_1,\cdots,r_{j-1},X_j,x_{j+1},\cdots,x_v)
gj(Xj)=∑(xj+1,⋯,xv)v−jg(r1,⋯,rj−1,Xj,xj+1,⋯,xv)。
若 g j g_j gj是正确的,则有 g j ( 0 ) + g j ( 1 ) = g j − 1 ( r j − 1 ) g_j(0)+g_j(1)=g_{j-1}(r_{j-1}) gj(0)+gj(1)=gj−1(rj−1)。 - Verifier:验证 g j ( 0 ) + g j ( 1 ) = g j − 1 ( r j − 1 ) g_j(0)+g_j(1)=g_{j-1}(r_{j-1}) gj(0)+gj(1)=gj−1(rj−1)是否成立,若成立,则发送random challenege r j ← F r_j\leftarrow \mathbb{F} rj←F。
⋮ \vdots ⋮
最后一轮:
- Prover:发送polynomial
g
v
(
X
v
)
g_v(X_v)
gv(Xv),同时声明
g
(
r
1
,
⋯
,
r
v
−
1
,
X
v
)
g(r_1,\cdots,r_{v-1},X_v)
g(r1,⋯,rv−1,Xv)。
若 g v g_v gv是正确的,则有 g v ( 0 ) + g v ( 1 ) = g v − 1 ( r v − 1 ) g_v(0)+g_v(1)=g_{v-1}(r_{v-1}) gv(0)+gv(1)=gv−1(rv−1)。 - Verifier:验证 g v ( 0 ) + g v ( 1 ) = g v − 1 ( r v − 1 ) g_v(0)+g_v(1)=g_{v-1}(r_{v-1}) gv(0)+gv(1)=gv−1(rv−1)是否成立,若成立,则Verifier选择random challenge r v ← F r_v\leftarrow \mathbb{F} rv←F并evaluates g ( r 1 , ⋯ , r v ) g(r_1,\cdots,r_v) g(r1,⋯,rv) with a single oracle query to g g g,Verifier验证 g v ( r v ) = g ( r 1 , ⋯ , r v ) g_v(r_v)=g(r_1,\cdots,r_v) gv(rv)=g(r1,⋯,rv)是否成立,若成立,则Verifier可信任 H = g 1 ( 0 ) + g 1 ( 1 ) H=g_1(0)+g_1(1) H=g1(0)+g1(1)。
以上整个sum-check protocol的描述可表示为:
整个sum-check protocol的开销为:
微软研究中心2020年论文《Spartan: Efficient and general-purpose zkSNARKs without trusted setup》中,则从Verifier的角度描述了整个sum-check protocol:
The verifier可process each message sent by the prover in O ( 1 ) O(1) O(1) time,at the very end of the sum-check protocol,verifier仍然需要evaluate g g g at signle point。
在此约定,在 F \mathbb{F} F域内的任意的加法或乘法运算均take O ( 1 ) O(1) O(1) time。
3. verifier的角度看sum-check protocol
Verifier若自己直接计算方程式(1)中的
H
H
H值,则需要evaluate
g
g
g at
2
v
2^v
2v inputs(即,all inputs in
{
0
,
1
}
v
\{0,1\}^v
{0,1}v)。当
2
v
2^v
2v为unacceptably large runtime for the verifier时,则需要借助sum-check protocol。
借助sum-check protocol,verifier的runtime为:
O
(
v
+
[
the cost to evaluate
g
at a single input in
F
v
]
)
O(v+[\text{the cost to evaluate }g\text{ at a single input in }\mathbb{F}^v])
O(v+[the cost to evaluate g at a single input in Fv])
该runtime远远优于 直接计算 2 v 2^v 2v evaluations of g g g。
sum-check protocol中的prover可计算all of its prescribed messages by evaluating g g g at O ( 2 v ) O(2^v) O(2v) inputs in F v \mathbb{F}^v Fv。This is only a constant factor more than what is required simply to compute H H H without proving correctness。
sum-check protocol 的soundness error为 O ( v / ∣ F ∣ ) O(v/|\mathbb{F}|) O(v/∣F∣)。只要 g g g is defined over a field of size significantly greater than v v v,则该soundness error可忽略。
4. sum-check protocol 的应用
应用场景之一为:
Verifier有input
x
x
x,需要Prover计算
F
(
x
)
F(x)
F(x)。
为了使用sum-check protocol,需将 F ( x ) F(x) F(x) 表示为类似方程式(1)的形式,即需要 identify some v v v-variate polynomial g g g of degree 2 in each variable,使得 F ( x ) F(x) F(x) can be inferred from the some of g g g's values over all inputs in { 0 , 1 } v \{0,1\}^v {0,1}v。同时要求Verifier可evaluate g ( r ⃗ ) g(\vec{r}) g(r) at any desired input r ⃗ ∈ F v \vec{r}\in\mathbb{F}^v r∈Fv in linear time。
举例:
input
x
x
x为the adjacency matrix of a graph,
F
(
x
)
F(x)
F(x) 为the number of triangles in that graph。
即,假设
G
G
G为 具有
n
n
n个顶点的无向图,其edge set为
E
E
E。假设
A
∈
{
0
,
1
}
n
×
n
A\in\{0,1\}^{n\times n}
A∈{0,1}n×n为相应的adjacency matrix,即
A
i
,
j
=
1
A_{i,j}=1
Ai,j=1当且仅当
(
i
,
j
)
∈
E
(i,j)\in E
(i,j)∈E。(对于无向图,其邻接矩阵是对称的,且主对角线一定为0,存储空间实际仅需
n
(
n
−
1
)
/
2
n(n-1)/2
n(n−1)/2即可。)
而在counting triangles问题中,输入为邻接矩阵
A
A
A,输出要求为the number of vertex triples
(
i
,
j
,
k
)
(i,j,k)
(i,j,k) that are all connected to each other by edges。
不将邻接矩阵 A A A看成是矩阵,而将其看成是a function f A f_A fA mapping { 0 , 1 } log n × { 0 , 1 } log n \{0,1\}^{\log n}\times \{0,1\}^{\log n} {0,1}logn×{0,1}logn to { 0 , 1 } \{0,1\} {0,1},则可定义 f A ( x ⃗ , y ⃗ ) f_A(\vec{x},\vec{y}) fA(x,y),其中 x ⃗ , y ⃗ \vec{x},\vec{y} x,y为整数 i , j ∈ [ 1 , n ] i,j\in[1,n] i,j∈[1,n]的二进制表示,输出结果为 A i , j A_{i,j} Ai,j。
相应的,the number of triangels in
G
G
G可简单表示为:
Δ
=
1
6
∑
x
⃗
,
y
⃗
,
z
⃗
∈
{
0
,
1
}
log
n
f
A
(
x
⃗
,
y
⃗
)
⋅
f
A
(
y
⃗
,
z
⃗
)
⋅
f
A
(
x
⃗
,
z
⃗
)
\Delta=\frac{1}{6}\sum_{\vec{x},\vec{y},\vec{z}\in\{0,1\}^{\log n}}f_A(\vec{x},\vec{y})\cdot f_A(\vec{y},\vec{z})\cdot f_A(\vec{x},\vec{z})
Δ=61∑x,y,z∈{0,1}lognfA(x,y)⋅fA(y,z)⋅fA(x,z) ……(2)
以上方程式(2)中的
1
6
\frac{1}{6}
61 是因为针对的是无向图。
6
Δ
=
∑
x
⃗
,
y
⃗
,
z
⃗
∈
{
0
,
1
}
log
n
f
A
(
x
⃗
,
y
⃗
)
⋅
f
A
(
y
⃗
,
z
⃗
)
⋅
f
A
(
x
⃗
,
z
⃗
)
6\Delta=\sum_{\vec{x},\vec{y},\vec{z}\in\{0,1\}^{\log n}}f_A(\vec{x},\vec{y})\cdot f_A(\vec{y},\vec{z})\cdot f_A(\vec{x},\vec{z})
6Δ=∑x,y,z∈{0,1}lognfA(x,y)⋅fA(y,z)⋅fA(x,z)
设 F \mathbb{F} F为a finite field,其field size p ≥ n 3 p\geq n^3 p≥n3且 p p p为prime,同时将矩阵 A A A中的所有元素都看成是 F \mathbb{F} F域内的元素,则选择足够大的 p p p值以保证 6 Δ 6\Delta 6Δ 在 [ 0 , p − 1 ] [0,p-1] [0,p−1]范围内。
假设
f
~
A
\tilde{f}_A
f~A为the MLE of
f
A
f_A
fA over
F
\mathbb{F}
F,则可定义
(
3
log
n
)
(3\log n)
(3logn)-variate polynomial
g
g
g为:
g
(
X
,
Y
,
Z
)
=
f
~
A
(
X
,
Y
)
⋅
f
~
A
(
Y
,
Z
)
⋅
f
~
A
(
X
,
Z
)
g(X,Y,Z)=\tilde{f}_A(X,Y)\cdot \tilde{f}_A(Y,Z)\cdot \tilde{f}_A(X,Z)
g(X,Y,Z)=f~A(X,Y)⋅f~A(Y,Z)⋅f~A(X,Z)
从而满足
6
Δ
=
∑
x
,
y
,
z
∈
{
0
,
1
}
log
n
g
(
x
,
y
,
z
)
6\Delta=\sum_{x,y,z\in\{0,1\}^{\log n}}g(x,y,z)
6Δ=∑x,y,z∈{0,1}logng(x,y,z)。
整个IP(interactive proof) 过程需要
3
log
n
3\log n
3logn轮,每轮Prover将发送3个field elements。
而Verifier的runtime主要在于:
evaluate
g
g
g at single input
(
r
1
,
r
2
,
r
3
)
∈
F
3
log
n
(r_1,r_2,r_3)\in\mathbb{F}^{3\log n}
(r1,r2,r3)∈F3logn,即相当于evaluate
f
~
A
\tilde{f}_A
f~A at three inputs
(
r
1
,
r
2
)
,
(
r
2
,
r
3
)
,
(
r
1
,
r
3
)
(r_1,r_2),(r_2,r_3),(r_1,r_3)
(r1,r2),(r2,r3),(r1,r3)。借助Multilinear Extension Lemma 仅需
O
(
n
2
)
O(n^2)
O(n2) time。
Prover的runtime为:【该runtime matches the naive algorithm for counting triangles that iterates over all triples of vertices in
G
G
G and checks if they are all connected to each other。】【Prover端可直接运行the best-known algorithm to solve the triangles problem,然后仅需做额外多一点点工作来证明the answer is correct。当前不存在有任何其它IPs或argument systems可实现super-efficiency for the prover的同时,keep the proof length sublinear in the input size。】
compute all of its prescribed messages in
O
(
n
3
)
O(n^3)
O(n3) time。
当前已知的最快的count triangles算法,其需要matrix multiplication time (superlinear in the input size),而借助sum-check protocol的速度更优。
此外,借助sum-check protocol可实现super-efficient IP for matrix-powering。如已知任意的 n × n n\times n n×n矩阵 A A A over field F \mathbb{F} F,该IP可计算any desired entry of the powered matrix A k A^k Ak。整个IP的round和communication cost为 O ( log ( k ) ⋅ log n ) O(\log(k)\cdot \log n) O(log(k)⋅logn),而verifier的runtime为 O ( n 2 + log ( k ) ⋅ log n ) O(n^2+\log(k)\cdot \log n) O(n2+log(k)⋅logn)。
Goldwasser, Kalai和Rothblum (GKR) 2008年论文《Delegating Computation: Interactive Proofs for Muggles》中正是利用了matrix-powering protocol证明了:
all problems solvable in logarithmic space have an IP with a quasilinear-time verifier, polynomial time prover, and polylogarithmic proof length。
该proof的核心思想为:
excute any Turing Machine
M
M
M that uses
s
s
s bits of space可reduce 为 the problem of computing a single entry of
A
2
s
A^{2^s}
A2s for a certain matrix
A
A
A (
A
A
A is in fact the configuration graph of
M
M
M)。
因此,one can just apply the matrix-powering IP to
A
A
A to determine the output of
M
M
M。当
A
A
A为huge matrix时(至少有
2
s
2^s
2s行和
2
s
2^s
2s列),则configuration graph具有a ton of structure,借助matrix-powering IP,使得Verifier evaluate
f
~
A
\tilde{f}_A
f~A at a single input的时间为
O
(
s
⋅
n
)
O(s\cdot n)
O(s⋅n),当
s
s
s为logarithmic in the input size时,即意味着Verifier in the IP的runtime为
O
(
n
log
n
)
O(n\log n)
O(nlogn)。
在GKR论文中,构建了an arithmetic circuit for computing
A
2
s
A^{2^s}
A2s and then apply a sophisticated IP for arithmetic circuit evaluation to that circuit。
5. sum-check protocol + zero-knowledge
sum-check protocol 本身不具备zero-knowledge属性,而在 Wahby等人2018年论文《Hyrax Doubly-efficient zkSNARKs without trusted setup》中,实现了a zero-knowledge variant for the sum-check protocol:
借助“commit-and-prove”技术,在第2节的每一轮,Prover不再直接给Verifier 发送 多项式
g
j
(
X
j
)
g_j(X_j)
gj(Xj),而是利用commitment的同态属性,对该多项式进行commit。
在讨论具体的zero-knowledge sum-check protocol实现细节之前,先介绍3个基于commitment的sub-protocol:
-
proof-of-opening
:
-
proof-of-equality
:(proof of commitment to the same value)
-
proof-of-product
:
5.1 直观版 zero-knowledge sum-check protocol
整个sum-check protocol包含
v
v
v轮,每一轮对应
g
g
g中的一个变量。【利用“commit-and-prove”,添加zero-knowledge属性。】
第1轮:
- Prover:计算polynomial
g
1
(
X
1
)
g_1(X_1)
g1(X1),同时声明
g
1
(
X
1
)
=
∑
x
2
,
⋯
,
x
v
∈
{
0
,
1
}
v
−
1
g
(
X
1
,
x
2
,
⋯
,
x
v
)
=
c
0
,
1
+
c
1
,
1
X
1
+
c
2
,
1
X
1
2
g_1(X_1)=\sum_{x_2,\cdots,x_v\in\{0,1\}^{v-1}}g(X_1,x_2,\cdots,x_v)=c_{0,1}+c_{1,1}X_1+c_{2,1}X_1^2
g1(X1)=∑x2,⋯,xv∈{0,1}v−1g(X1,x2,⋯,xv)=c0,1+c1,1X1+c2,1X12。
若 g 1 g_1 g1是正确的,则有 H = g 1 ( 0 ) + g 1 ( 1 ) H=g_1(0)+g_1(1) H=g1(0)+g1(1)。
Prover对多项式的系数进行commit, δ c 0 , 1 = C o m ( c 0 , 1 ) , δ c 1 , 1 = C o m ( c 1 , 1 ) , δ c 2 , 1 = C o m ( c 2 , 1 ) \delta_{c_{0,1}}=Com(c_{0,1}),\delta_{c_{1,1}}=Com(c_{1,1}),\delta_{c_{2,1}}=Com(c_{2,1}) δc0,1=Com(c0,1),δc1,1=Com(c1,1),δc2,1=Com(c2,1),将这些commitment值发送给Verifier。 - Prover & Verifier:对
δ
c
0
,
1
、
δ
c
1
,
1
、
δ
c
2
,
1
\delta_{c_{0,1}}、\delta_{c_{1,1}}、\delta_{c_{2,1}}
δc0,1、δc1,1、δc2,1运行
proof-of-opening
。 - Verifier:
【由于 g 1 ( 0 ) + g 1 ( 1 ) = 2 c 0 , 1 + c 1 , 1 + c 2 , 1 g_1(0)+g_1(1)=2c_{0,1}+c_{1,1}+c_{2,1} g1(0)+g1(1)=2c0,1+c1,1+c2,1,利用Pedersen commitment的加法同态属性,对于 H = g 1 ( 0 ) + g 1 ( 1 ) H=g_1(0)+g_1(1) H=g1(0)+g1(1)有:】
验证 C o m ( H ; 0 ) = δ c 0 , 1 2 ⋅ δ c 1 , 1 ⋅ δ c 2 , 1 Com(H;0)=\delta_{c_{0,1}}^2\cdot\delta_{c_{1,1}}\cdot \delta_{c_{2,1}} Com(H;0)=δc0,12⋅δc1,1⋅δc2,1是否成立,若成立,则发送random challenege r 1 ← F r_1\leftarrow \mathbb{F} r1←F。
第2轮:
- Prover:计算polynomial
g
2
(
X
2
)
g_2(X_2)
g2(X2),同时声明
g
2
(
X
2
)
=
∑
(
x
3
,
⋯
,
x
v
)
v
−
2
g
(
r
1
,
X
2
,
x
3
,
⋯
,
x
v
)
=
c
0
,
2
+
c
1
,
2
X
2
+
c
2
,
2
X
2
2
g_2(X_2)=\sum_{(x_3,\cdots,x_v)^{v-2}}g(r_1,X_2,x_3,\cdots,x_v)=c_{0,2}+c_{1,2}X_2+c_{2,2}X_2^2
g2(X2)=∑(x3,⋯,xv)v−2g(r1,X2,x3,⋯,xv)=c0,2+c1,2X2+c2,2X22。
若 g 2 g_2 g2是正确的,则有 g 2 ( 0 ) + g 2 ( 1 ) = g 1 ( r 1 ) g_2(0)+g_2(1)=g_1(r_1) g2(0)+g2(1)=g1(r1)。
Prover对多项式的系数进行commit, δ c 0 , 2 = C o m ( c 0 , 2 ) , δ c 1 , 2 = C o m ( c 1 , 2 ) , δ c 2 , 2 = C o m ( c 2 , 2 ) \delta_{c_{0,2}}=Com(c_{0,2}),\delta_{c_{1,2}}=Com(c_{1,2}),\delta_{c_{2,2}}=Com(c_{2,2}) δc0,2=Com(c0,2),δc1,2=Com(c1,2),δc2,2=Com(c2,2),将这些commitment值发送给Verifier。 - Prover & Verifier:对
δ
c
0
,
2
、
δ
c
1
,
2
、
δ
c
2
,
2
\delta_{c_{0,2}}、\delta_{c_{1,2}}、\delta_{c_{2,2}}
δc0,2、δc1,2、δc2,2运行
proof-of-opening
。 - Verifier:
【由于 g 1 ( r 1 ) = c 0 , 1 + c 1 , 1 ⋅ r 1 + c 2 , 1 ⋅ r 1 2 g_1(r_1)=c_{0,1}+c_{1,1}\cdot r_1+c_{2,1}\cdot r_1^2 g1(r1)=c0,1+c1,1⋅r1+c2,1⋅r12 及 g 2 ( 0 ) + g 2 ( 1 ) = 2 c 0 , 2 + c 1 , 2 + c 2 , 2 g_2(0)+g_2(1)=2c_{0,2}+c_{1,2}+c_{2,2} g2(0)+g2(1)=2c0,2+c1,2+c2,2,利用Pedersen commitment的加法同态属性,对于 g 2 ( 0 ) + g 2 ( 1 ) = g 1 ( r 1 ) g_2(0)+g_2(1)=g_1(r_1) g2(0)+g2(1)=g1(r1)有:】
验证 δ c 0 , 2 2 ⋅ δ c 1 , 2 ⋅ δ c 2 , 2 = δ c 0 , 1 ⋅ δ c 1 , 1 r 1 ⋅ δ c 2 , 1 r 1 2 \delta_{c_{0,2}}^2\cdot\delta_{c_{1,2}}\cdot \delta_{c_{2,2}}=\delta_{c_{0,1}}\cdot\delta_{c_{1,1}}^{r_1}\cdot \delta_{c_{2,1}}^{r_1^2} δc0,22⋅δc1,2⋅δc2,2=δc0,1⋅δc1,1r1⋅δc2,1r12是否成立,若成立,则发送random challenege r 2 ← F r_2\leftarrow \mathbb{F} r2←F。
⋮ \vdots ⋮
第 j > 1 j>1 j>1轮:
- Prover:计算polynomial
g
j
(
X
j
)
g_j(X_j)
gj(Xj),同时声明
g
j
(
X
j
)
=
∑
(
x
j
+
1
,
⋯
,
x
v
)
v
−
j
g
(
r
1
,
⋯
,
r
j
−
1
,
X
j
,
x
j
+
1
,
⋯
,
x
v
)
=
c
0
,
j
+
c
1
,
j
X
j
+
c
2
,
j
X
j
2
g_j(X_j)=\sum_{(x_{j+1},\cdots,x_v)^{v-j}}g(r_1,\cdots,r_{j-1},X_j,x_{j+1},\cdots,x_v)=c_{0,j}+c_{1,j}X_j+c_{2,j}X_j^2
gj(Xj)=∑(xj+1,⋯,xv)v−jg(r1,⋯,rj−1,Xj,xj+1,⋯,xv)=c0,j+c1,jXj+c2,jXj2。
若 g j g_j gj是正确的,则有 g j ( 0 ) + g j ( 1 ) = g j − 1 ( r j − 1 ) g_j(0)+g_j(1)=g_{j-1}(r_{j-1}) gj(0)+gj(1)=gj−1(rj−1)。
Prover对多项式的系数进行commit, δ c 0 , j = C o m ( c 0 , j ) , δ c 1 , j = C o m ( c 1 , j ) , δ c 2 , j = C o m ( c 2 , j ) \delta_{c_{0,j}}=Com(c_{0,j}),\delta_{c_{1,j}}=Com(c_{1,j}),\delta_{c_{2,j}}=Com(c_{2,j}) δc0,j=Com(c0,j),δc1,j=Com(c1,j),δc2,j=Com(c2,j),将这些commitment值发送给Verifier。 - Prover & Verifier:对
δ
c
0
,
j
、
δ
c
1
,
j
、
δ
c
2
,
j
\delta_{c_{0,j}}、\delta_{c_{1,j}}、\delta_{c_{2,j}}
δc0,j、δc1,j、δc2,j运行
proof-of-opening
。 - Verifier:
【由于 g j − 1 ( r j − 1 ) = c 0 , j − 1 + c 1 , j − 1 ⋅ r j − 1 + c 2 , j − 1 ⋅ r j − 1 2 g_{j-1}(r_{j-1})=c_{0,j-1}+c_{1,j-1}\cdot r_{j-1}+c_{2,{j-1}}\cdot r_{j-1}^2 gj−1(rj−1)=c0,j−1+c1,j−1⋅rj−1+c2,j−1⋅rj−12 及 g j ( 0 ) + g j ( 1 ) = 2 c 0 , j + c 1 , j + c 2 , j g_j(0)+g_j(1)=2c_{0,j}+c_{1,j}+c_{2,j} gj(0)+gj(1)=2c0,j+c1,j+c2,j,利用Pedersen commitment的加法同态属性,对于 g j ( 0 ) + g j ( 1 ) = g j − 1 ( r j − 1 ) g_j(0)+g_j(1)=g_{j-1}(r_{j-1}) gj(0)+gj(1)=gj−1(rj−1)有:】
验证 δ c 0 , j 2 ⋅ δ c 1 , j ⋅ δ c 2 , j = δ c 0 , j − 1 ⋅ δ c 1 , j − 1 r j − 1 ⋅ δ c 2 , j − 1 r j − 1 2 \delta_{c_{0,j}}^2\cdot\delta_{c_{1,j}}\cdot \delta_{c_{2,j}}=\delta_{c_{0,j-1}}\cdot\delta_{c_{1,j-1}}^{r_{j-1}}\cdot \delta_{c_{2,j-1}}^{r_{j-1}^2} δc0,j2⋅δc1,j⋅δc2,j=δc0,j−1⋅δc1,j−1rj−1⋅δc2,j−1rj−12是否成立,若成立,则发送random challenege r j ← F r_j\leftarrow \mathbb{F} rj←F。
⋮ \vdots ⋮
最后一轮:
- Prover:计算polynomial
g
v
(
X
v
)
g_v(X_v)
gv(Xv),同时声明
g
(
r
1
,
⋯
,
r
v
−
1
,
X
v
)
=
c
0
,
v
+
c
1
,
v
X
v
+
c
2
,
v
X
v
2
g(r_1,\cdots,r_{v-1},X_v)=c_{0,v}+c_{1,v}X_v+c_{2,v}X_v^2
g(r1,⋯,rv−1,Xv)=c0,v+c1,vXv+c2,vXv2。
若 g v g_v gv是正确的,则有 g v ( 0 ) + g v ( 1 ) = g v − 1 ( r v − 1 ) g_v(0)+g_v(1)=g_{v-1}(r_{v-1}) gv(0)+gv(1)=gv−1(rv−1)。
Prover对多项式的系数进行commit, δ c 0 , v = C o m ( c 0 , v ) , δ c 1 , v = C o m ( c 1 , v ) , δ c 2 , v = C o m ( c 2 , v ) \delta_{c_{0,v}}=Com(c_{0,v}),\delta_{c_{1,v}}=Com(c_{1,v}),\delta_{c_{2,v}}=Com(c_{2,v}) δc0,v=Com(c0,v),δc1,v=Com(c1,v),δc2,v=Com(c2,v),将这些commitment值发送给Verifier。 - Prover & Verifier:对
δ
c
0
,
v
、
δ
c
1
,
v
、
δ
c
2
,
v
\delta_{c_{0,v}}、\delta_{c_{1,v}}、\delta_{c_{2,v}}
δc0,v、δc1,v、δc2,v运行
proof-of-opening
。 - Verifier:
【由于 g v − 1 ( r v − 1 ) = c 0 , v − 1 + c 1 , v − 1 ⋅ r v − 1 + c 2 , v − 1 ⋅ r v − 1 2 g_{v-1}(r_{v-1})=c_{0,v-1}+c_{1,v-1}\cdot r_{v-1}+c_{2,{v-1}}\cdot r_{v-1}^2 gv−1(rv−1)=c0,v−1+c1,v−1⋅rv−1+c2,v−1⋅rv−12 及 g v ( 0 ) + g v ( 1 ) = 2 c 0 , v + c 1 , v + c 2 , v g_v(0)+g_v(1)=2c_{0,v}+c_{1,v}+c_{2,v} gv(0)+gv(1)=2c0,v+c1,v+c2,v,利用Pedersen commitment的加法同态属性,对于 g v ( 0 ) + g v ( 1 ) = g v − 1 ( r v − 1 ) g_v(0)+g_v(1)=g_{v-1}(r_{v-1}) gv(0)+gv(1)=gv−1(rv−1)有:】
验证 δ c 0 , v 2 ⋅ δ c 1 , v ⋅ δ c 2 , v = δ c 0 , v − 1 ⋅ δ c 1 , v − 1 r v − 1 ⋅ δ c 2 , v − 1 r v − 1 2 \delta_{c_{0,v}}^2\cdot\delta_{c_{1,v}}\cdot \delta_{c_{2,v}}=\delta_{c_{0,v-1}}\cdot\delta_{c_{1,v-1}}^{r_{v-1}}\cdot \delta_{c_{2,v-1}}^{r_{v-1}^2} δc0,v2⋅δc1,v⋅δc2,v=δc0,v−1⋅δc1,v−1rv−1⋅δc2,v−1rv−12是否成立,若成立,则Verifier选择random challenge r v ← F r_v\leftarrow \mathbb{F} rv←F并evaluates g ( r 1 , ⋯ , r v ) g(r_1,\cdots,r_v) g(r1,⋯,rv) with a single oracle query to g g g。
【由于 g v ( r v ) = c 0 , v + c 1 , v ⋅ r v + c 2 , v ⋅ r v 2 g_{v}(r_{v})=c_{0,v}+c_{1,v}\cdot r_{v}+c_{2,v}\cdot r_{v}^2 gv(rv)=c0,v+c1,v⋅rv+c2,v⋅rv2 ,利用Pedersen commitment的加法同态属性,对于 g v ( r v ) = g ( r 1 , ⋯ , r v ) g_v(r_v)=g(r_1,\cdots,r_v) gv(rv)=g(r1,⋯,rv)有:】
Verifier验证 C o m ( g ( r 1 , ⋯ , r v ) ; 0 ) = δ c 0 , v ⋅ δ c 1 , v r v ⋅ δ c 2 , v r v 2 Com(g(r_1,\cdots,r_v);0)=\delta_{c_{0,v}}\cdot\delta_{c_{1,v}}^{r_{v}}\cdot \delta_{c_{2,v}}^{r_{v}^2} Com(g(r1,⋯,rv);0)=δc0,v⋅δc1,vrv⋅δc2,vrv2是否成立,若成立,则Verifier可信任 H = g 1 ( 0 ) + g 1 ( 1 ) H=g_1(0)+g_1(1) H=g1(0)+g1(1)。
5.2 reduce cost版 zero-knowledge sum-check protocol
【具体参考Hyrax论文第4和第5章内容。】
在以上“5.1 直观版”中,Prover为每一轮的每个多项式系数都单独生成发送相应的commitment,同时需在每一轮为每个commitment都运行proof-of-opening
,存在的问题是:
- proof size会很长;
- Verifier需运行expensive crytographic operations。
可记住multi-commitment scheme(即Pedersen vector commitment)来reduce the communication and number of cryptographic operations for the verifier。
以
v
=
3
v=3
v=3为例,可将“5.1 直观版”中Verifier在每一轮验证的关系表示为
2
c
0
,
j
+
c
1
,
j
+
c
2
,
j
−
c
0
,
j
−
1
−
c
1
,
j
−
1
⋅
r
j
−
1
−
c
2
,
j
−
1
⋅
r
j
−
1
2
=
0
2c_{0,j}+c_{1,j}+c_{2,j}-c_{0,j-1}-c_{1,j-1}\cdot r_{j-1}-c_{2,{j-1}}\cdot r_{j-1}^2=0
2c0,j+c1,j+c2,j−c0,j−1−c1,j−1⋅rj−1−c2,j−1⋅rj−12=0,在最后一轮额外增加了
g
v
(
r
v
)
=
c
0
,
v
+
c
1
,
v
⋅
r
v
+
c
2
,
v
⋅
r
v
2
g_{v}(r_{v})=c_{0,v}+c_{1,v}\cdot r_{v}+c_{2,v}\cdot r_{v}^2
gv(rv)=c0,v+c1,v⋅rv+c2,v⋅rv2关系判断,可将该关系以matrix-vector product表示为:
[
2
1
1
0
0
0
0
0
0
−
1
−
r
1
−
r
1
2
2
1
1
0
0
0
0
0
0
−
1
−
r
2
−
r
2
2
2
1
1
0
0
0
0
0
0
1
r
3
r
3
2
]
⋅
[
c
0
,
1
c
1
,
1
c
2
,
1
c
0
,
2
c
1
,
2
c
2
,
2
c
0
,
3
c
1
,
3
c
2
,
3
]
=
M
⋅
π
⃗
=
[
M
⃗
1
M
⃗
2
M
⃗
3
M
⃗
4
]
⋅
π
⃗
=
[
H
0
0
g
3
(
r
3
)
]
\begin{bmatrix} 2 & 1 & 1 & 0 & 0 & 0 & 0 & 0 & 0\\ -1 & -r_1 & -r_1^2 & 2 & 1 & 1 & 0 & 0 & 0\\ 0 & 0 & 0 & -1 & -r_2 & -r_2^2 & 2 & 1 & 1\\ 0 & 0 & 0 & 0 & 0 & 0 & 1 & r_3 & r_3^2 \end{bmatrix}\cdot \begin{bmatrix} c_{0,1}\\ c_{1,1}\\ c_{2,1}\\ c_{0,2}\\ c_{1,2}\\ c_{2,2}\\ c_{0,3}\\ c_{1,3}\\ c_{2,3} \end{bmatrix}=\mathbf{M}\cdot \vec{\pi}=\begin{bmatrix} \vec{M}_1\\ \vec{M}_2\\ \vec{M}_3\\ \vec{M}_4 \end{bmatrix}\cdot \vec{\pi}=\begin{bmatrix} H\\ 0\\ 0\\ g_3(r_3) \end{bmatrix}
⎣⎢⎢⎡2−1001−r1001−r120002−1001−r2001−r2200021001r3001r32⎦⎥⎥⎤⋅⎣⎢⎢⎢⎢⎢⎢⎢⎢⎢⎢⎢⎢⎡c0,1c1,1c2,1c0,2c1,2c2,2c0,3c1,3c2,3⎦⎥⎥⎥⎥⎥⎥⎥⎥⎥⎥⎥⎥⎤=M⋅π=⎣⎢⎢⎢⎡M1M2M3M4⎦⎥⎥⎥⎤⋅π=⎣⎢⎢⎡H00g3(r3)⎦⎥⎥⎤ ……(5)
其中 π ⃗ = [ c 0 , 1 , c 1 , 1 , c 2 , 1 , c 0 , 2 , c 1 , 2 , c 2 , 2 , c 0 , 3 , c 1 , 3 , c 2 , 3 ] \vec{\pi}=[c_{0,1},c_{1,1},c_{2,1},c_{0,2},c_{1,2},c_{2,2},c_{0,3},c_{1,3},c_{2,3}] π=[c0,1,c1,1,c2,1,c0,2,c1,2,c2,2,c0,3,c1,3,c2,3] 为Prover witness。
将矩阵
M
\mathbf{M}
M的每一行
k
k
k引入随机系数
ρ
k
\rho_k
ρk,然后行加,可将
v
+
1
v+1
v+1个验证压缩为1个验证:【根据Schwartz-Zippel lemma,该soundness error不高于
1
/
∣
F
∣
1/|\mathbb{F}|
1/∣F∣。】
[
2
∗
ρ
1
−
1
∗
ρ
2
,
1
∗
ρ
1
−
r
1
∗
ρ
2
,
1
∗
ρ
1
−
r
1
2
∗
ρ
2
,
2
∗
ρ
2
−
1
∗
ρ
3
,
1
∗
ρ
2
−
r
2
∗
ρ
3
,
1
∗
ρ
2
−
r
2
2
∗
ρ
3
,
2
∗
ρ
3
+
1
∗
ρ
4
,
1
∗
ρ
3
+
r
3
∗
ρ
4
,
1
∗
ρ
3
+
r
3
2
∗
ρ
4
]
⋅
[
c
0
,
1
c
1
,
1
c
2
,
1
c
0
,
2
c
1
,
2
c
2
,
2
c
0
,
3
c
1
,
3
c
2
,
3
]
=
<
∑
ρ
k
⋅
M
⃗
k
,
π
⃗
>
=
<
M
⃗
,
π
⃗
>
=
[
H
∗
ρ
1
+
g
3
(
r
3
)
∗
ρ
4
]
[2*\rho_1-1*\rho_2,1*\rho_1-r_1*\rho_2, 1*\rho_1-r_1^2*\rho_2, 2*\rho_2-1*\rho_3,1*\rho_2-r_2*\rho_3 ,1*\rho_2-r_2^2*\rho_3 , 2*\rho_3+1*\rho_4,1*\rho_3+r_3*\rho_4, 1*\rho_3+r_3^2*\rho_4]\cdot \begin{bmatrix} c_{0,1}\\ c_{1,1}\\ c_{2,1}\\ c_{0,2}\\ c_{1,2}\\ c_{2,2}\\ c_{0,3}\\ c_{1,3}\\ c_{2,3} \end{bmatrix}=<\sum\rho_k\cdot \vec{M}_k, \vec{\pi}>=<\vec{M}, \vec{\pi}>=\begin{bmatrix} H*\rho_1+g_3(r_3)*\rho_4 \end{bmatrix}
[2∗ρ1−1∗ρ2,1∗ρ1−r1∗ρ2,1∗ρ1−r12∗ρ2,2∗ρ2−1∗ρ3,1∗ρ2−r2∗ρ3,1∗ρ2−r22∗ρ3,2∗ρ3+1∗ρ4,1∗ρ3+r3∗ρ4,1∗ρ3+r32∗ρ4]⋅⎣⎢⎢⎢⎢⎢⎢⎢⎢⎢⎢⎢⎢⎡c0,1c1,1c2,1c0,2c1,2c2,2c0,3c1,3c2,3⎦⎥⎥⎥⎥⎥⎥⎥⎥⎥⎥⎥⎥⎤=<∑ρk⋅Mk,π>=<M,π>=[H∗ρ1+g3(r3)∗ρ4]
以上可转为 dot product(inner product) 证明,但是,sum-check protocol中要求Prover必须先commit
c
0
,
j
,
c
1
,
j
,
c
2
,
j
c_{0,j},c_{1,j},c_{2,j}
c0,j,c1,j,c2,j 然后Verifier在发送
r
j
r_j
rj,因此Prover不能 直接对
π
⃗
\vec{\pi}
π 所有内容进行commit。
Prover需commit to
π
⃗
\vec{\pi}
π incrmentally,using one group element per round of the sum-check。即在sum-check protocol的每一轮:
- Prover commit to a vector encoding the coefficients of that round’s polynomial,即有commitment α j = C o m ( ( c 0 , j , c 1 , j , c 2 , j ) ; r α j ) \alpha_j=Com((c_{0,j},c_{1,j},c_{2,j});r_{\alpha_j}) αj=Com((c0,j,c1,j,c2,j);rαj);
- Verifier responds with random challenge r j r_j rj。
直到最后Prover has committed to all of its messages for the sum-check,运行如下sum-check protocol:
第1轮:
-
Prover:计算polynomial g 1 ( X 1 ) g_1(X_1) g1(X1),同时声明 g 1 ( X 1 ) = ∑ x 2 , ⋯ , x v ∈ { 0 , 1 } v − 1 g ( X 1 , x 2 , ⋯ , x v ) = c 0 , 1 + c 1 , 1 X 1 + c 2 , 1 X 1 2 g_1(X_1)=\sum_{x_2,\cdots,x_v\in\{0,1\}^{v-1}}g(X_1,x_2,\cdots,x_v)=c_{0,1}+c_{1,1}X_1+c_{2,1}X_1^2 g1(X1)=∑x2,⋯,xv∈{0,1}v−1g(X1,x2,⋯,xv)=c0,1+c1,1X1+c2,1X12。
若 g 1 g_1 g1是正确的,则有 H = g 1 ( 0 ) + g 1 ( 1 ) H=g_1(0)+g_1(1) H=g1(0)+g1(1)。
Prover对多项式的系数进行vector commit, α 1 = C o m ( ( c 0 , 1 , c 1 , 1 , c 2 , 1 ) ; r α 1 ) \alpha_1=Com((c_{0,1},c_{1,1},c_{2,1});r_{\alpha_1}) α1=Com((c0,1,c1,1,c2,1);rα1),将该commitment值发送给Verifier。 -
Verifier:
发送random challenege r 1 ← F r_1\leftarrow \mathbb{F} r1←F。
第2轮:
-
Prover:计算polynomial g 2 ( X 2 ) g_2(X_2) g2(X2),同时声明 g 2 ( X 2 ) = ∑ ( x 3 , ⋯ , x v ) v − 2 g ( r 1 , X 2 , x 3 , ⋯ , x v ) = c 0 , 2 + c 1 , 2 X 2 + c 2 , 2 X 2 2 g_2(X_2)=\sum_{(x_3,\cdots,x_v)^{v-2}}g(r_1,X_2,x_3,\cdots,x_v)=c_{0,2}+c_{1,2}X_2+c_{2,2}X_2^2 g2(X2)=∑(x3,⋯,xv)v−2g(r1,X2,x3,⋯,xv)=c0,2+c1,2X2+c2,2X22。
若 g 2 g_2 g2是正确的,则有 g 2 ( 0 ) + g 2 ( 1 ) = g 1 ( r 1 ) g_2(0)+g_2(1)=g_1(r_1) g2(0)+g2(1)=g1(r1)。
Prover对多项式的系数进行 vector commit, α 2 = C o m ( ( c 0 , 2 , c 1 , 2 , c 2 , 2 ) ; r α 2 ) \alpha_2=Com((c_{0,2},c_{1,2},c_{2,2});r_{\alpha_2}) α2=Com((c0,2,c1,2,c2,2);rα2),将该commitment值发送给Verifier。 -
Verifier:
【由于 g 1 ( r 1 ) = c 0 , 1 + c 1 , 1 ⋅ r 1 + c 2 , 1 ⋅ r 1 2 g_1(r_1)=c_{0,1}+c_{1,1}\cdot r_1+c_{2,1}\cdot r_1^2 g1(r1)=c0,1+c1,1⋅r1+c2,1⋅r12 及 g 2 ( 0 ) + g 2 ( 1 ) = 2 c 0 , 2 + c 1 , 2 + c 2 , 2 g_2(0)+g_2(1)=2c_{0,2}+c_{1,2}+c_{2,2} g2(0)+g2(1)=2c0,2+c1,2+c2,2,利用Pedersen commitment的加法同态属性,对于 g 2 ( 0 ) + g 2 ( 1 ) = g 1 ( r 1 ) g_2(0)+g_2(1)=g_1(r_1) g2(0)+g2(1)=g1(r1)有:】
发送random challenege r 2 ← F r_2\leftarrow \mathbb{F} r2←F。
⋮ \vdots ⋮
第 j > 1 j>1 j>1轮:
- Prover:计算polynomial
g
j
(
X
j
)
g_j(X_j)
gj(Xj),同时声明
g
j
(
X
j
)
=
∑
(
x
j
+
1
,
⋯
,
x
v
)
v
−
j
g
(
r
1
,
⋯
,
r
j
−
1
,
X
j
,
x
j
+
1
,
⋯
,
x
v
)
=
c
0
,
j
+
c
1
,
j
X
j
+
c
2
,
j
X
j
2
g_j(X_j)=\sum_{(x_{j+1},\cdots,x_v)^{v-j}}g(r_1,\cdots,r_{j-1},X_j,x_{j+1},\cdots,x_v)=c_{0,j}+c_{1,j}X_j+c_{2,j}X_j^2
gj(Xj)=∑(xj+1,⋯,xv)v−jg(r1,⋯,rj−1,Xj,xj+1,⋯,xv)=c0,j+c1,jXj+c2,jXj2。
若 g j g_j gj是正确的,则有 g j ( 0 ) + g j ( 1 ) = g j − 1 ( r j − 1 ) g_j(0)+g_j(1)=g_{j-1}(r_{j-1}) gj(0)+gj(1)=gj−1(rj−1)。
Prover对多项式的系数进行vector commit, α j = C o m ( ( c 0 , j , c 1 , j , c 2 , j ) ; r α j ) \alpha_j=Com((c_{0,j},c_{1,j},c_{2,j});r_{\alpha_j}) αj=Com((c0,j,c1,j,c2,j);rαj),将该commitment值发送给Verifier。 - Verifier:
【由于 g j − 1 ( r j − 1 ) = c 0 , j − 1 + c 1 , j − 1 ⋅ r j − 1 + c 2 , j − 1 ⋅ r j − 1 2 g_{j-1}(r_{j-1})=c_{0,j-1}+c_{1,j-1}\cdot r_{j-1}+c_{2,{j-1}}\cdot r_{j-1}^2 gj−1(rj−1)=c0,j−1+c1,j−1⋅rj−1+c2,j−1⋅rj−12 及 g j ( 0 ) + g j ( 1 ) = 2 c 0 , j + c 1 , j + c 2 , j g_j(0)+g_j(1)=2c_{0,j}+c_{1,j}+c_{2,j} gj(0)+gj(1)=2c0,j+c1,j+c2,j,利用Pedersen commitment的加法同态属性,对于 g j ( 0 ) + g j ( 1 ) = g j − 1 ( r j − 1 ) g_j(0)+g_j(1)=g_{j-1}(r_{j-1}) gj(0)+gj(1)=gj−1(rj−1)有:】
发送random challenege r j ← F r_j\leftarrow \mathbb{F} rj←F。
⋮ \vdots ⋮
最后一轮:
-
Prover:计算polynomial g v ( X v ) g_v(X_v) gv(Xv),同时声明 g ( r 1 , ⋯ , r v − 1 , X v ) = c 0 , v + c 1 , v X v + c 2 , v X v 2 g(r_1,\cdots,r_{v-1},X_v)=c_{0,v}+c_{1,v}X_v+c_{2,v}X_v^2 g(r1,⋯,rv−1,Xv)=c0,v+c1,vXv+c2,vXv2。
若 g v g_v gv是正确的,则有 g v ( 0 ) + g v ( 1 ) = g v − 1 ( r v − 1 ) g_v(0)+g_v(1)=g_{v-1}(r_{v-1}) gv(0)+gv(1)=gv−1(rv−1)。
Prover对多项式的系数进行vector commit, α v = C o m ( ( c 0 , v , c 1 , v , c 2 , v ) ; r α v ) \alpha_v=Com((c_{0,v},c_{1,v},c_{2,v});r_{\alpha_v}) αv=Com((c0,v,c1,v,c2,v);rαv),将这些commitment值发送给Verifier。 -
Verifier:
【由于 g v − 1 ( r v − 1 ) = c 0 , v − 1 + c 1 , v − 1 ⋅ r v − 1 + c 2 , v − 1 ⋅ r v − 1 2 g_{v-1}(r_{v-1})=c_{0,v-1}+c_{1,v-1}\cdot r_{v-1}+c_{2,{v-1}}\cdot r_{v-1}^2 gv−1(rv−1)=c0,v−1+c1,v−1⋅rv−1+c2,v−1⋅rv−12 及 g v ( 0 ) + g v ( 1 ) = 2 c 0 , v + c 1 , v + c 2 , v g_v(0)+g_v(1)=2c_{0,v}+c_{1,v}+c_{2,v} gv(0)+gv(1)=2c0,v+c1,v+c2,v,利用Pedersen commitment的加法同态属性,对于 g v ( 0 ) + g v ( 1 ) = g v − 1 ( r v − 1 ) g_v(0)+g_v(1)=g_{v-1}(r_{v-1}) gv(0)+gv(1)=gv−1(rv−1)有:】
Verifier选择random challenge r v ← F r_v\leftarrow \mathbb{F} rv←F并evaluates g ( r 1 , ⋯ , r v ) g(r_1,\cdots,r_v) g(r1,⋯,rv) with a single oracle query to g g g。
【由于 g v ( r v ) = c 0 , v + c 1 , v ⋅ r v + c 2 , v ⋅ r v 2 g_{v}(r_{v})=c_{0,v}+c_{1,v}\cdot r_{v}+c_{2,v}\cdot r_{v}^2 gv(rv)=c0,v+c1,v⋅rv+c2,v⋅rv2 ,利用Pedersen commitment的加法同态属性,对于 g v ( r v ) = g ( r 1 , ⋯ , r v ) g_v(r_v)=g(r_1,\cdots,r_v) gv(rv)=g(r1,⋯,rv)有:】 -
Prover:选择 r δ 1 , ⋯ , r δ n ∈ R F r_{\delta_1},\cdots,r_{\delta_n}\in_R\mathbb{F} rδ1,⋯,rδn∈RF 以及 d ⃗ ∈ R F = ( d c 0 , 1 , d c 1 , 1 , d c 2 , 1 , ⋯ , d c 0 , v , d c 1 , v , d c 2 , v ) \vec{d}\in_R\mathbb{F}=(d_{c_{0,1}},d_{c_{1,1}},d_{c_{2,1}},\cdots,d_{c_{0,v}},d_{c_{1,v}},d_{c_{2,v}}) d∈RF=(dc0,1,dc1,1,dc2,1,⋯,dc0,v,dc1,v,dc2,v),Prover计算并发送:
δ j = C o m ( ( d c 0 , j , d c 1 , j , d c 2 , j ) ; r δ j ) , j ∈ { 1 , ⋯ , v } \delta_j=Com((d_{c_{0,j}},d_{c_{1,j}},d_{c_{2,j}});r_{\delta_j}),j\in\{1,\cdots,v\} δj=Com((dc0,j,dc1,j,dc2,j);rδj),j∈{1,⋯,v} -
Verifier:发送随机数 ρ 1 , ⋯ , ρ v + 1 ∈ R F \rho_1,\cdots,\rho_{v+1}\in_R\mathbb{F} ρ1,⋯,ρv+1∈RF
-
Prover和Verifier:均计算 J ⃗ = ∑ ρ k ⋅ M ⃗ k \vec{J}=\sum\rho_k\cdot\vec{M}_k J=∑ρk⋅Mk。
-
Prover:选择随机数 r C ∈ R F r_C\in_R\mathbb{F} rC∈RF,计算并发送:
C = C o m ( < J ⃗ , d ⃗ > ; r C ) C=Com(<\vec{J},\vec{d}>;r_C) C=Com(<J,d>;rC) -
Verifier:发送random challenge c ∈ R F c\in_R\mathbb{F} c∈RF。
-
Prover:
计算并发送:
z ⃗ = c ⋅ π ⃗ + d ⃗ \vec{z}=c\cdot\vec{\pi}+\vec{d} z=c⋅π+d
z δ j = c ⋅ r α j + r δ j , j ∈ { 1 , ⋯ , v } z_{\delta_j}=c\cdot r_{\alpha_j}+r_{\delta_j},j\in\{1,\cdots,v\} zδj=c⋅rαj+rδj,j∈{1,⋯,v} -
Verifier:
– 解析 z ⃗ = ( z c 0 , 1 , z c 1 , 1 , z c 2 , 1 , ⋯ , z c 0 , v , z c 1 , v , z c 2 , v ) \vec{z}=(z_{c_{0,1}},z_{c_{1,1}},z_{c_{2,1}},\cdots,z_{c_{0,v}},z_{c_{1,v}},z_{c_{2,v}}) z=(zc0,1,zc1,1,zc2,1,⋯,zc0,v,zc1,v,zc2,v)
验证 C o m ( ( z c 0 , j , z c 1 , j , z c 2 , j ) ; z δ j ) = C o m ( c ( c 0 , j , c 1 , j , c 2 , j ) + ( d c 0 , j , d c 1 , j , d c 2 , j ) ; c ⋅ r α j + r δ j ) = α j c ⋅ δ j , j ∈ { 1 , ⋯ , v } Com((z_{c_{0,j}},z_{c_{1,j}},z_{c_{2,j}});z_{\delta_j})=Com(c(c_{0,j},c_{1,j},c_{2,j})+(d_{c_{0,j}},d_{c_{1,j}},d_{c_{2,j}});c\cdot r_{\alpha_j}+r_{\delta_j})=\alpha_j^c\cdot \delta_j,j\in\{1,\cdots,v\} Com((zc0,j,zc1,j,zc2,j);zδj)=Com(c(c0,j,c1,j,c2,j)+(dc0,j,dc1,j,dc2,j);c⋅rαj+rδj)=αjc⋅δj,j∈{1,⋯,v} 是否成立。
– 验证 C o m ( ρ 1 ⋅ H + ρ v ⋅ g v ( r v ) ; 0 ) c ⋅ C = C o m ( < J ⃗ , z ⃗ > ; r c ) Com(\rho_1\cdot H+\rho_v\cdot g_v(r_v);0)^c\cdot C=Com(<\vec{J},\vec{z}>;r_c) Com(ρ1⋅H+ρv⋅gv(rv);0)c⋅C=Com(<J,z>;rc) 是否成立。
6. zero-knowledge sum-check protocol + succinct evaluation proof
以实现sub-linear verification cost 和 sub-linear communication cost。
在 “5. sum-check protocol + zero-knowledge” 中,添加了zero-knowledge 属性后,需要由Prover来计算
g
(
r
1
,
⋯
,
r
v
)
g(r_1,\cdots,r_v)
g(r1,⋯,rv)的值,其中
g
g
g为multilinear polynomial,可借助Hyrax论文 “6.1 A commitment scheme for multilinear polynomials” 中的算法来实现:
在此基础上,在借助Bulletproofs思路进一步压缩,有:
【具体可参见博客 Spartan: zkSNARKS without trusted setup 源代码解析
中的:
// 拆分为 <(\vec{L}\cdot \mathbf{Z}), \vec{R}> 进行evaluation计算。
let eval_with_LR = evaluate_with_LR(&Z, &r);
】
参考资料
[1] Justin Thaler博客 The Unreasonable Power of the Sum-Check Protocol
[2] utexas大学课件 Lecture 3: The Sum Check Protocol
[3] Justin Thaler 在georgetown大学的课件 The Sum-Check Protocol
[4] adjacency matrix 邻接矩阵
[5] Gorka Irazoqui Apecechea medium博客 Spartan: zkSNARKS without trusted setup