zk-SNARK statements in Zcash

1. Introduction

A zero-knowledge proving system is a cryptographic protocol for proving:

  • a particular statement, dependent on primary and auxiliary inputs, in zero knowledge, that is, without revealing any information about the auxiliary inputs.

The zero-knowledge proving system used in Zcash is a preprocessing zk-SNARK. A preprocessing zk-SNARK instance defines the following types:

  • $ZK.ProvingKey$
  • $ZK.VerifyingKey$
  • $ZK.PrimaryInput$
  • $ZK.AuxiliaryInput$
  • $ZK.Proof$
  • $ZK.SatisfyingInputs \subseteq ZK.PrimaryInput \times ZK.AuxiliaryInput$
  • $ZK.Gen: () \rightarrow_R ZK.ProvingKey \times ZK.VerifyingKey$
  • $ZK.Prove: ZK.ProvingKey \times ZK.SatisfyingInputs \rightarrow ZK.Proof$
  • $ZK.Verify: ZK.VerifyingKey \times ZK.PrimaryInput \times ZK.Proof \rightarrow \mathbb{B}$

A zk-SNARK must satisfy the following security properties:

  • completeness
  • knowledge soundness
  • statistical zero knowledge

Zcash uses two proving systems:

  • BCTV14, with the BN-254 pairing, to prove and verify the Sprout JoinSplit statement.
  • Groth16, with the BLS12-381 pairing, to prove and verify the Sapling Spend statement and Output statement.

The zk-SNARK statements involved in Zcash are:

  • JoinSplit Statement (Sprout): ZKJoinSplit
  • Spend Statement (Sapling): ZKSpend
  • Output Statement (Sapling): ZKOutput

2. Spend Statement (Sapling)

The primary inputs (i.e. the public inputs) of the Spend statement $\pi_{ZKSpend}$ are:

  • $rt^{Sapling}: \mathbb{B}^{[l_{Merkle}^{Sapling}]}$: the anchor (Merkle root).
  • $cv^{old}: ValueCommit^{Sapling}.Output$, of type $\mathbb{J}$.
  • $nf^{old}: \mathbb{B}^{\mathbb{Y}[l_{PRFnfSapling}/8]}$
  • $rk: SpendAuthSig^{Sapling}.Public$, of type $\mathbb{J}$.

The auxiliary inputs (i.e. the witness), known only to the prover, are:

  • $path: \mathbb{B}^{[l_{Merkle}^{Sapling}][MerkleDepth^{Sapling}]}$
  • $pos \in \{0..2^{MerkleDepth^{Sapling}}-1\}$
  • $g_d: \mathbb{J}$
  • $pk_d: \mathbb{J}$
  • $v^{old} \in \{0..2^{l_{value}}-1\}$
  • $rcv^{old} \in \{0..2^{l_{scalar}^{Sapling}}-1\}$
  • $cm^{old}: \mathbb{J}$
  • $rcm^{old} \in \{0..2^{l_{scalar}^{Sapling}}-1\}$
  • $\alpha \in \{0..2^{l_{scalar}^{Sapling}}-1\}$
  • $ak: SpendAuthSig^{Sapling}.Public$, of type $\mathbb{J}$.
  • $nsk \in \{0..2^{l_{scalar}^{Sapling}}-1\}$

$\pi_{ZKSpend}$ must prove the following relations:

  • 1) Note commitment integrity: $cm^{old} = NoteCommit^{Sapling}_{rcm^{old}}(repr_{\mathbb{J}}(g_d), repr_{\mathbb{J}}(pk_d), v^{old})$. [Note: it is not checked that $rcm^{old} < r_{\mathbb{J}}$.]
  • 2) Merkle path validity: either $v^{old} = 0$, or $(pos, path)$ is a valid Merkle path of depth $MerkleDepth^{Sapling}$ from $cm_u = Extract_{\mathbb{J}^{(r)}}(cm^{old})$ to the anchor (Merkle root) $rt^{Sapling}$. [In the Merkle path validity check, no layer checks that its input bit sequence is a canonical encoding (in $\{0..q_{\mathbb{J}}-1\}$) of the integer from the previous layer.]
  • 3) Value commitment integrity: $cv^{old} = ValueCommit^{Sapling}_{rcv^{old}}(v^{old})$. [Note: it is not checked that $rcv^{old} < r_{\mathbb{J}}$.]
  • 4) Small order checks: $g_d$ and $ak$ are not of small order, i.e. $[h_{\mathbb{J}}]g_d \neq \mathcal{O}_{\mathbb{J}}$ and $[h_{\mathbb{J}}]ak \neq \mathcal{O}_{\mathbb{J}}$.
  • 5) Nullifier integrity: $nf^{old} = PRF^{nfSapling}_{nk\star}(\rho\star)$, where $nk\star = repr_{\mathbb{J}}([nsk]\mathcal{H}^{Sapling})$ and $\rho\star = repr_{\mathbb{J}}(MixingPedersenHash(cm^{old}, pos))$.
  • 6) Spend authority: $rk = SpendAuthSig^{Sapling}.RandomizePublic(\alpha, ak) = ak + [\alpha]\mathcal{G}^{Sapling}$. [Note: the Spend statement does not check that $rk$ is not of small order; that check is performed outside the Spend statement.]
  • 7) Diversified address integrity: $pk_d = [ivk]g_d$, where $ivk = CRH^{ivk}(ak\star, nk\star)$ and $ak\star = repr_{\mathbb{J}}(ak)$.
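Relation 2 above, Merkle path validity together with its escape hatch for dummy notes ($v^{old} = 0$), is illustrated by the following added Python example. It is not code from the Zcash specification or from librustzcash: it assumes a SHA-256 stand-in for $MerkleCRH^{Sapling}$ (the real circuit uses a Pedersen hash), numbers layers from the leaves upward, and uses an all-zero placeholder for the uncommitted leaf value. The tree depth defaults to $MerkleDepth^{Sapling} = 32$ and can be lowered for small constructed trees.

```python
import hashlib

MERKLE_DEPTH_SAPLING = 32      # MerkleDepth^Sapling
UNCOMMITTED = bytes(32)        # placeholder for Uncommitted^Sapling (assumption, not the spec's constant)


def merkle_crh(layer: int, left: bytes, right: bytes) -> bytes:
    """Stand-in for MerkleCRH^Sapling. The real circuit uses a Pedersen hash;
    SHA-256 is used here only so the example runs offline. The layer index is
    mixed in, as the spec's hash does, so nodes of different layers cannot be
    confused for one another."""
    return hashlib.sha256(bytes([layer]) + left + right).digest()


def build_tree(leaves, depth):
    """Full binary tree of 2**depth leaves, padded with UNCOMMITTED.
    Returns (root, levels): levels[0] are the leaves, levels[depth] == [root]."""
    size = 2 ** depth
    if len(leaves) > size:
        raise ValueError("too many leaves for this depth")
    level = list(leaves) + [UNCOMMITTED] * (size - len(leaves))
    levels = [level]
    for layer in range(depth):
        level = [merkle_crh(layer, level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return level[0], levels


def auth_path(levels, pos):
    """Sibling hashes from the leaf layer upward for the leaf at index pos."""
    path, idx = [], pos
    for layer in range(len(levels) - 1):
        path.append(levels[layer][idx ^ 1])   # the sibling has the low bit of the index flipped
        idx >>= 1
    return path


def merkle_root_from_path(pos, path, leaf):
    """Recompute the root from (pos, path). Bit `layer` of pos says whether the
    running node is the left or the right child at that layer."""
    depth = len(path)
    if not 0 <= pos < 2 ** depth:
        raise ValueError("pos outside {0..2^depth - 1}")
    node = leaf
    for layer, sibling in enumerate(path):
        if (pos >> layer) & 1:
            node = merkle_crh(layer, sibling, node)   # we are the right child
        else:
            node = merkle_crh(layer, node, sibling)   # we are the left child
    return node


def spend_merkle_path_valid(v_old, pos, path, cm_u, rt, depth=MERKLE_DEPTH_SAPLING):
    """Relation 2 of the Spend statement: either v_old == 0 (dummy note, the
    path is unconstrained) or (pos, path) is a valid Merkle path of the given
    depth from cm_u to the anchor rt."""
    if v_old == 0:
        return True
    if len(path) != depth:
        return False
    return merkle_root_from_path(pos, path, cm_u) == rt


if __name__ == "__main__":
    # constructed sample: 5 fake note commitments in a depth-4 tree
    notes = [bytes([i]) * 32 for i in range(5)]
    root, levels = build_tree(notes, depth=4)
    print(spend_merkle_path_valid(7, 3, auth_path(levels, 3), notes[3], root, depth=4))
```

The disjunction matters for soundness: a spend of value 0 is accepted with any path, so the dummy-note branch contributes nothing, and the only thing preventing a spend of a note that was never committed is the path check itself, which a wrong leaf, a wrong position or a path of the wrong depth all fail.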

3. Output Statement (Sapling)

Relevant parameters:

  • $l_{Merkle}^{Sapling}$: 255
  • $l_{scalar}^{Sapling}$: 252

The primary inputs (i.e. the public inputs) of the Output statement $\pi_{ZKOutput}$ are:

  • $cv^{new}: ValueCommit^{Sapling}.Output$, of type $\mathbb{J}$.
  • $cm_u: \mathbb{B}^{[l_{Merkle}^{Sapling}]}$
  • $epk$: of type $\mathbb{J}$.

The auxiliary inputs (i.e. the witness), known only to the prover, are:

  • $g_d: \mathbb{J}$
  • $pk\star_d: \mathbb{J}$
  • $v^{new} \in \{0..2^{l_{value}}-1\}$
  • $rcv^{new} \in \{0..2^{l_{scalar}^{Sapling}}-1\}$
  • $rcm^{new} \in \{0..2^{l_{scalar}^{Sapling}}-1\}$
  • $esk \in \{0..2^{l_{scalar}^{Sapling}}-1\}$

$\pi_{ZKOutput}$ must prove the following relations:

  • 1) Note commitment integrity: $cm_u = Extract_{\mathbb{J}^{(r)}}(NoteCommit^{Sapling}_{rcm^{new}}(g\star_d, pk\star_d, v^{new}))$, where $g\star_d = repr_{\mathbb{J}}(g_d)$. [Note: it is not checked that $rcm^{new} < r_{\mathbb{J}}$.] [Note: the validity of $pk\star_d$ is not checked in this circuit.]
  • 2) Value commitment integrity: $cv^{new} = ValueCommit^{Sapling}_{rcv^{new}}(v^{new})$. [Note: it is not checked that $rcv^{new} < r_{\mathbb{J}}$.]
  • 3) Small order check: $g_d$ is not of small order, i.e. $[h_{\mathbb{J}}]g_d \neq \mathcal{O}_{\mathbb{J}}$.
  • 4) Ephemeral public key integrity: $epk = [esk]g_d$.

4. The Groth16 zk-SNARK proving system in Zcash

The zk-SNARK proving system Zcash uses in Sapling is Groth16; the corresponding paper is:

That paper builds on Groth16, On the Size of Pairing-based Non-interactive Arguments.
An independent security proof and setup are given in Maller2018, A Proof of Security for the Sapling Generation of zk-SNARK Parameters in the Generic Group Model.

Groth16 zk-SNARK proofs are supported in version 4 transactions and can be used for:

  • Sprout JoinSplit descriptions
  • Sapling Spend descriptions
  • Sapling Output descriptions

A Groth16 proof consists of $(\pi_A: \mathbb{S}_1^{(r)*},\ \pi_B: \mathbb{S}_2^{(r)*},\ \pi_C: \mathbb{S}_1^{(r)*})$.

When the BLS12-381 pairing is used, the whole proof is encoded as follows (192 bytes in total):
[Figure: byte encoding of the Groth16 proof; image not available]
Besides checking the proof with the Groth16 verification procedure, the verifier must additionally check that:

  • the leading bitfield of each element of the encoded proof is of the required form;
  • the remaining bits of each element, after the leading bitfield, represent an integer in big-endian form in the range $\{0..q_{\mathbb{S}}-1\}$; for $\pi_B$ they represent two integers, each in the range $\{0..q_{\mathbb{S}}-1\}$;
  • each element of the encoded proof represents a point in $\mathbb{S}_1^{(r)*}$ (or in $\mathbb{S}_2^{(r)*}$ for $\pi_B$), and the point must be verified to have order $r_{\mathbb{S}}$.
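The first two checks above, plus an on-curve test for the $\mathbb{S}_1$ elements, are implemented in the following added Python example. It is not code from Zcash, bellman or librustzcash; it assumes the standard BLS12-381 compressed point format (48-byte $\mathbb{S}_1$ and 96-byte $\mathbb{S}_2$ elements with three flag bits in the leading byte, $\pi_B$ stored as the $c_1$ then $c_0$ coordinate as in the zkcrypto serialization), the base-field modulus $q_{\mathbb{S}}$, and, for the sample proof, the standard compressed generators of $G_1$ and $G_2$ standing in for $\pi_A$, $\pi_C$ and $\pi_B$. The third check, that each point has order $r_{\mathbb{S}}$, needs full curve arithmetic and is deliberately left out.

```python
# Added example: structural checks on a 192-byte Groth16 proof in the BLS12-381
# compressed encoding. Not code from Zcash, bellman or librustzcash; the field
# modulus and the generator encodings are the standard BLS12-381 constants.

Q_BLS12_381 = int(
    "1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f624"
    "1eabfffeb153ffffb9feffffffffaaab", 16)        # base-field modulus q_S (381 bits)
G1_LEN, G2_LEN = 48, 96
PROOF_LEN = G1_LEN + G2_LEN + G1_LEN               # pi_A || pi_B || pi_C = 192 bytes

COMPRESSED_FLAG = 0x80   # bit 7: compressed form, must be set
INFINITY_FLAG = 0x40     # bit 6: point at infinity, must be clear (proof points lie in S*)
SORT_FLAG = 0x20         # bit 5: which square root y was chosen; either value is allowed


def leading_bitfield_ok(elem: bytes) -> bool:
    """Required form of the leading bitfield: compressed set, infinity clear."""
    return bool(elem[0] & COMPRESSED_FLAG) and not (elem[0] & INFINITY_FLAG)


def decode_field_elements(elem: bytes, count: int) -> list:
    """Mask off the three flag bits and read `count` equal-width big-endian
    integers; each must be canonical, i.e. in {0..q-1}."""
    raw = bytes([elem[0] & 0x1F]) + elem[1:]
    width = len(raw) // count
    values = []
    for i in range(count):
        v = int.from_bytes(raw[i * width:(i + 1) * width], "big")
        if v >= Q_BLS12_381:
            raise ValueError("field element is not canonical (>= q)")
        values.append(v)
    return values


def g1_x_on_curve(x: int) -> bool:
    """E(Fq): y^2 = x^3 + 4. x is the x-coordinate of some point iff the
    right-hand side is a square mod q (Euler's criterion, q prime)."""
    rhs = (pow(x, 3, Q_BLS12_381) + 4) % Q_BLS12_381
    return rhs == 0 or pow(rhs, (Q_BLS12_381 - 1) // 2, Q_BLS12_381) == 1


def check_proof_encoding(proof: bytes) -> dict:
    """Raise ValueError on any structural defect; return the decoded x-coordinates."""
    if len(proof) != PROOF_LEN:
        raise ValueError(f"proof must be {PROOF_LEN} bytes, got {len(proof)}")
    pi_a = proof[:G1_LEN]
    pi_b = proof[G1_LEN:G1_LEN + G2_LEN]
    pi_c = proof[G1_LEN + G2_LEN:]
    for name, elem in (("pi_A", pi_a), ("pi_B", pi_b), ("pi_C", pi_c)):
        if not leading_bitfield_ok(elem):
            raise ValueError(f"{name}: leading bitfield must be compressed and not infinity")
    (xa,) = decode_field_elements(pi_a, 1)
    xb_c1, xb_c0 = decode_field_elements(pi_b, 2)   # assumed order: c1 then c0 (zkcrypto convention)
    (xc,) = decode_field_elements(pi_c, 1)
    for name, x in (("pi_A", xa), ("pi_C", xc)):
        if not g1_x_on_curve(x):
            raise ValueError(f"{name}: x is not on E(Fq)")
    # Not done here: the check that each point has prime order r_S (subgroup
    # membership); it needs full curve arithmetic.
    return {"pi_A_x": xa, "pi_B_x": (xb_c0, xb_c1), "pi_C_x": xc}


def encoding_error(proof: bytes):
    """None if the structural checks pass, otherwise the error message."""
    try:
        check_proof_encoding(proof)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed sample: the standard compressed G1 and G2 generators stand in for
# pi_A / pi_C and pi_B. Structurally valid, but not a real proof of anything.
G1_GEN = bytes.fromhex(
    "97f1d3a73197d7942695638c4fa9ac0fc3688c4f9774b905a14e3a3f171bac58"
    "6c55e83ff97a1aeffb3af00adb22c6bb")
G2_GEN = bytes.fromhex(
    "93e02b6052719f607dacd3a088274f65596bd0d09920b61ab5da61bbdc7f5049"
    "334cf11213945d57e5ac7d055d042b7e024aa2b2f08f0a91260805272dc51051"
    "c6e47ad4fa403b02b4510b647ae3d1770bac0326a805bbefd48056c8c121bdb8")
SAMPLE_PROOF = G1_GEN + G2_GEN + G1_GEN

if __name__ == "__main__":
    print(encoding_error(SAMPLE_PROOF))                                     # None
    print(encoding_error(bytes([0x9F]) + b"\xff" * 47 + G2_GEN + G1_GEN))  # non-canonical x
```

The canonicality bound is the check most easily forgotten: an encoding whose 381-bit integer is $q_{\mathbb{S}}$ or larger still reduces to a valid coordinate, so without the bound two distinct byte strings would decode to the same point and the proof encoding would no longer be unique.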
