1. Proof implementation in Halo2
1.1 Proofs are represented as opaque byte streams
Unlike the bellman proving system, which has a concrete Proof struct that encapsulates the proof data, is returned by the prover and is handed to the verifier, Halo2 contains no proof-like struct at all, for the following reasons:
- In the Halo2 protocol such a Proof struct would contain vectors of (vectors of) curve points and scalars. That complicates serialization and deserialization, because the lengths of these vectors depend on the configuration of the circuit. Yet we do not want to encode vector lengths inside the proof, because at runtime the circuit is fixed, and thus so are the proof sizes.
- It is easy to accidentally put something into a Proof struct without also placing it in the transcript. That is a hazard when developing and implementing a proving system: a component the Fiat-Shamir challenges do not depend on is one a malicious prover can choose after seeing those challenges.
- Halo2 needs to create multiple PLONK proofs at the same time; for the same circuit these proofs share many substructures.
Instead, Halo2 treats proof objects as opaque byte streams. These byte streams are created and consumed through the transcript:
- The TranscriptWrite trait represents something that proof components can be written to (at proving time).
- The TranscriptRead trait represents something that proof components can be read from (at verifying time).
Crucially, implementations of TranscriptWrite are responsible for writing to some std::io::Write buffer at the same time as they hash the components into the transcript, and implementations of TranscriptRead are likewise responsible for reading from some std::io::Read buffer while hashing what they read into the transcript.
Representing proofs as opaque byte streams also ensures that verification accounts for the cost of deserialization, which is not negligible because of point compression.
1.2 Proof encoding
A Halo2 proof constructed over a curve $E(\mathbb{F}_p)$ is encoded as a stream of:
- Points $P \in E(\mathbb{F}_p)$ (for commitments to polynomials).
- Scalars $s \in \mathbb{F}_q$ (for evaluations of polynomials and for blinding values).
For the Pallas and Vesta curves both points and scalars have 32-byte encodings, so a proof is always a multiple of 32 bytes.
The halo2 crate supports proving multiple instances of the same circuit simultaneously, so that common proof components and protocol logic can be shared.
The encoding is described with the following circuit-specific constants:
- $k$: the size parameter of the circuit (which has $2^k$ rows).
- $A$: the number of advice columns.
- $F$: the number of fixed columns.
- $I$: the number of instance columns.
- $L$: the number of lookup arguments.
- $P$: the number of permutation arguments.
- $\textsf{Col}_P$: the number of columns involved in permutation argument $P$.
- $D$: the maximum degree of the quotient polynomial.
- $Q_A$: the number of advice column queries.
- $Q_F$: the number of fixed column queries.
- $Q_I$: the number of instance column queries.
- $M$: the number of instances of the circuit that are being proven simultaneously.
Because the proof encoding follows the transcript directly, it can be split into the following sections, matching the Halo2 protocol:
- PLONK commitments:
  - $A$ points (repeated $M$ times): the advice column commitments.
  - $2L$ points (repeated $M$ times): the permuted input and permuted table commitments, two per lookup.
  - $P$ points (repeated $M$ times): the permutation product commitments.
  - $L$ points (repeated $M$ times): the lookup product commitments.
- Vanishing argument:
  - $D - 1$ points: the pieces of the quotient polynomial.
  - $Q_I$ scalars (repeated $M$ times).
  - $Q_A$ scalars (repeated $M$ times).
  - $Q_F$ scalars (fixed columns are shared by all $M$ instances, so these are not repeated).
  - $D - 1$ scalars.
- PLONK evaluations:
  - $(2 + \textsf{Col}_P) \times P$ scalars (repeated $M$ times).
  - $5L$ scalars (repeated $M$ times).
- Multiopening argument:
  - 1 point.
  - 1 scalar per set of points in the multiopening argument.
- Polynomial commitment scheme:
  - $1 + 2k$ points.
  - 2 scalars.
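As an added example (not halo2's own code), the Rust program below mirrors the TranscriptWrite / TranscriptRead design of 1.1 over a toy version of the first section of the encoding in 1.2: $A$ advice commitments repeated $M$ times, followed by one squeezed challenge. Its assumptions are that points and scalars are opaque 32-byte encodings with no curve arithmetic or point validation, and that the Fiat-Shamir hash is the standard library's SipHash-based DefaultHasher rather than the Blake2b transcript halo2 uses. It shows the property the text insists on: every component goes to the byte stream and into the hash in one call, the verifier rebuilds the prover's challenge from the bytes alone, a single flipped byte changes that challenge, and because the circuit fixes the proof length, truncated and over-long streams are rejected.

```rust
// Added example modelled on halo2's TranscriptWrite / TranscriptRead.
// Assumptions: 32-byte opaque encodings stand in for compressed points and
// scalars (no curve checks), and DefaultHasher (SipHash, not collision
// resistant) stands in for the Blake2b-based transcript hash.
use std::collections::hash_map::DefaultHasher;
use std::hash::Hasher;
use std::io::{self, Read, Write};

const ENC_LEN: usize = 32;

/// Fiat-Shamir state shared by prover and verifier.
struct Sponge(DefaultHasher);

impl Sponge {
    fn new() -> Self {
        let mut h = DefaultHasher::new();
        h.write(b"halo2-example-transcript"); // domain-separation label
        Sponge(h)
    }
    fn absorb(&mut self, bytes: &[u8]) {
        self.0.write(bytes);
    }
    /// Derive a challenge and feed it back so later challenges depend on it.
    fn squeeze(&mut self) -> u64 {
        let c = self.0.finish();
        self.0.write_u64(c);
        c
    }
}

/// Proving side: each component is hashed AND written in the same call, so a
/// component the challenges do not depend on cannot end up in the proof.
struct ProverTranscript<W: Write> { sponge: Sponge, writer: W }

impl<W: Write> ProverTranscript<W> {
    fn new(writer: W) -> Self { ProverTranscript { sponge: Sponge::new(), writer } }
    fn write_component(&mut self, enc: &[u8; ENC_LEN]) -> io::Result<()> {
        self.sponge.absorb(enc);
        self.writer.write_all(enc)
    }
    fn squeeze_challenge(&mut self) -> u64 { self.sponge.squeeze() }
    fn finalize(self) -> W { self.writer }
}

/// Verifying side: reads exactly ENC_LEN bytes per component and hashes them,
/// rebuilding the prover's challenges from the byte stream alone.
struct VerifierTranscript<R: Read> { sponge: Sponge, reader: R }

impl<R: Read> VerifierTranscript<R> {
    fn new(reader: R) -> Self { VerifierTranscript { sponge: Sponge::new(), reader } }
    fn read_component(&mut self) -> io::Result<[u8; ENC_LEN]> {
        let mut enc = [0u8; ENC_LEN];
        self.reader.read_exact(&mut enc)?; // truncated proof -> UnexpectedEof
        // A real TranscriptRead would decompress and validate the point here.
        self.sponge.absorb(&enc);
        Ok(enc)
    }
    fn squeeze_challenge(&mut self) -> u64 { self.sponge.squeeze() }
    /// The circuit fixes the proof size, so trailing bytes are malformed input.
    fn finish(mut self) -> io::Result<()> {
        let mut extra = [0u8; 1];
        if self.reader.read(&mut extra)? != 0 {
            return Err(io::Error::new(io::ErrorKind::InvalidData, "trailing bytes after proof"));
        }
        Ok(())
    }
}

/// Bytes in the "A points (repeated M times)" section of the encoding.
fn expected_proof_len(a: usize, m: usize) -> usize { a * m * ENC_LEN }

/// Toy prover: write the A*M advice commitments, then squeeze the challenge.
fn prove(a: usize, m: usize, commitments: &[[u8; ENC_LEN]]) -> (Vec<u8>, u64) {
    assert_eq!(commitments.len(), a * m, "one commitment per advice column per instance");
    let mut t = ProverTranscript::new(Vec::new());
    for c in commitments {
        t.write_component(c).expect("writing to a Vec cannot fail");
    }
    let challenge = t.squeeze_challenge();
    (t.finalize(), challenge)
}

/// Toy verifier: consume the same layout and return the rebuilt challenge.
fn verify(a: usize, m: usize, proof: &[u8]) -> io::Result<u64> {
    let mut t = VerifierTranscript::new(proof);
    for _ in 0..a * m {
        t.read_component()?;
    }
    let challenge = t.squeeze_challenge();
    t.finish()?;
    Ok(challenge)
}

fn main() {
    let (a, m) = (3, 2);
    // Constructed sample commitments: 32 bytes each, one per column per instance.
    let comms: Vec<[u8; ENC_LEN]> = (0..a * m).map(|i| [i as u8 + 1; ENC_LEN]).collect();
    let (proof, c_prover) = prove(a, m, &comms);
    println!("proof is {} bytes (expected {})", proof.len(), expected_proof_len(a, m));
    println!("verifier rebuilds challenge: {}", verify(a, m, &proof).unwrap() == c_prover);
    let mut tampered = proof.clone();
    tampered[40] ^= 0x01;
    println!("tampered byte changes challenge: {}", verify(a, m, &tampered).unwrap() != c_prover);
    println!("truncated proof rejected: {}", verify(a, m, &proof[..proof.len() - 1]).is_err());
}
```

Because `expected_proof_len` is a pure function of the circuit constants, a verifier can reject a proof of the wrong length before it spends any time on point decompression; the `finish` check covers callers that skip that cheap pre-check.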
2. Field implementation in Halo2
The Pasta curves used in Halo2 are deliberately designed to have high 2-adicity, that is, each of the two fields contains a large multiplicative subgroup of order $2^S$: $p - 1 = 2^S \cdot T$ with $T$ odd.
For the Pallas and Vesta curves used in Halo2, $S = 32$.
2.1 Sarkar's square-root algorithm (table-based variant)
Halo2 computes square roots with the algorithm from Sarkar2020.
The intuition behind this algorithm is that the task can be split into computing square roots in each multiplicative subgroup: the $2^S$ part is handled 8 bits at a time with small precomputed tables, instead of one Tonelli-Shanks-style loop over all $S$ bits.
Suppose we want to find the square root of $u$ modulo one of the Pasta primes $p$, where $u$ is a non-zero square in $\mathbb{Z}_p^{\times}$.
Define a $2^S$ root of unity $g = z^T$, where $z$ is a non-square in $\mathbb{Z}_p^{\times}$, and precompute the following tables:
$$
gtab = \begin{bmatrix} g^0 & g^1 & \dots & g^{2^8 - 1} \\ (g^{2^8})^0 & (g^{2^8})^1 & \dots & (g^{2^8})^{2^8 - 1} \\ (g^{2^{16}})^0 & (g^{2^{16}})^1 & \dots & (g^{2^{16}})^{2^8 - 1} \\ (g^{2^{24}})^0 & (g^{2^{24}})^1 & \dots & (g^{2^{24}})^{2^8 - 1} \end{bmatrix}
$$
$$
invtab = \begin{bmatrix} (g^{-2^{24}})^0 & (g^{-2^{24}})^1 & \dots & (g^{-2^{24}})^{2^8 - 1} \end{bmatrix}
$$
Let $v = u^{(T-1)/2}$. Then $x = uv \cdot v = u^{T}$ is an element of the $2^S$ multiplicative subgroup.
Let $x_3 = x$, $x_2 = x_3^{2^8}$, $x_1 = x_2^{2^8}$, $x_0 = x_1^{2^8}$. Each step raises to the power $2^8$, so $x_0 = x^{2^{24}}$ has order dividing $2^8$ and lies in the subgroup generated by $g^{-2^{24}}$, which is exactly the subgroup that invtab covers.
2.1.1 i = 0, 1
Using invtab, we look up $t_0$ such that
$$x_0 = (g^{-2^{24}})^{t_0} \implies x_0 \cdot g^{t_0 \cdot 2^{24}} = 1.$$
Define $\alpha_1 = x_1 \cdot (g^{2^{16}})^{t_0}$. Raising $\alpha_1$ to the power $2^8$ gives $x_0 \cdot g^{t_0 \cdot 2^{24}} = 1$, so $\alpha_1$ again lies in the order-$2^8$ subgroup and can be looked up in invtab.
2.1.2 i = 2
Look up $t_1$ such that
$$\begin{array}{ll} \alpha_1 = (g^{-2^{24}})^{t_1} &\implies x_1 \cdot (g^{2^{16}})^{t_0} = (g^{-2^{24}})^{t_1} \\ &\implies x_1 \cdot g^{(t_0 + 2^8 \cdot t_1) \cdot 2^{16}} = 1. \end{array}$$
Define $\alpha_2 = x_2 \cdot (g^{2^8})^{t_0 + 2^8 \cdot t_1}$.
2.1.3 i = 3
Look up $t_2$ such that
$$\begin{array}{ll} \alpha_2 = (g^{-2^{24}})^{t_2} &\implies x_2 \cdot (g^{2^8})^{t_0 + 2^8 \cdot t_1} = (g^{-2^{24}})^{t_2} \\ &\implies x_2 \cdot g^{(t_0 + 2^8 \cdot t_1 + 2^{16} \cdot t_2) \cdot 2^8} = 1. \end{array}$$
Define $\alpha_3 = x_3 \cdot g^{t_0 + 2^8 \cdot t_1 + 2^{16} \cdot t_2}$.
2.1.4 Final result
Look up $t_3$ such that
$$\begin{array}{ll} \alpha_3 = (g^{-2^{24}})^{t_3} &\implies x_3 \cdot g^{t_0 + 2^8 \cdot t_1 + 2^{16} \cdot t_2} = (g^{-2^{24}})^{t_3} \\ &\implies x_3 \cdot g^{t_0 + 2^8 \cdot t_1 + 2^{16} \cdot t_2 + 2^{24} \cdot t_3} = 1. \end{array}$$
Let $t = t_0 + 2^8 \cdot t_1 + 2^{16} \cdot t_2 + 2^{24} \cdot t_3$. Then
$$\begin{array}{lclcl} x_3 \cdot g^{t} = 1 &\implies& x_3 &=& g^{-t} \\ &\implies& uv^2 &=& g^{-t} \\ &\implies& uv &=& v^{-1} \cdot g^{-t} \\ &\implies& uv \cdot g^{t/2} &=& v^{-1} \cdot g^{-t/2}. \end{array}$$
Squaring the right-hand side gives $(v^{-1} g^{-t/2})^2 = v^{-2} g^{-t} = u$, so a square root of $u$ is $uv \cdot g^{t/2}$. The first factor was already computed, and the second can be computed with 3 multiplications from gtab, one row lookup per byte of $t/2$. Note that $t$ is even precisely because $u$ is a square: $u^{(p-1)/2} = x_3^{2^{S-1}} = g^{-t \cdot 2^{S-1}}$, which equals 1 iff $t$ is even since $g$ has order $2^S$. An odd $t$ therefore tells the caller that $u$ is a non-square and no root exists.
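As an added example (not pasta_curves' own code), here is the procedure of 2.1 carried through in Rust. It runs over the Goldilocks prime $p = 2^{64} - 2^{32} + 1$ instead of the 255-bit Pasta primes so that u64/u128 arithmetic suffices without a bignum library; since $p - 1 = 2^{32} \cdot (2^{32} - 1)$ the field has the same $S = 32$, so the same four byte-sized lookups, the same gtab and invtab shapes and the same $\alpha_i$ steps apply. Three details are this example's assumptions rather than the page's: the non-square $z$ is found with Euler's criterion when the tables are built, the invtab lookup is a linear scan, and a non-square input is reported through $t$ being odd.

```rust
// Added example: Sarkar's table-based square root (the algorithm described
// above) over the Goldilocks prime p = 2^64 - 2^32 + 1, chosen instead of a
// Pasta prime so that plain u64/u128 arithmetic suffices. p - 1 = 2^32 * T
// with T = 2^32 - 1 odd, so S = 32 just as for Pallas and Vesta.
const P: u64 = 0xffff_ffff_0000_0001;
const T: u64 = 0xffff_ffff; // (P - 1) >> 32, odd

fn mul(a: u64, b: u64) -> u64 {
    ((a as u128 * b as u128) % (P as u128)) as u64
}

fn pow(mut base: u64, mut e: u64) -> u64 {
    let mut acc = 1u64;
    while e > 0 {
        if e & 1 == 1 { acc = mul(acc, base); }
        base = mul(base, base);
        e >>= 1;
    }
    acc
}

/// x^(2^k) by k repeated squarings.
fn pow2k(mut x: u64, k: u32) -> u64 {
    for _ in 0..k { x = mul(x, x); }
    x
}

struct SqrtTables {
    gtab: [[u64; 256]; 4], // row r holds (g^(2^(8r)))^j for j in 0..256
    invtab: [u64; 256],    // (g^(-2^24))^j for j in 0..256
}

impl SqrtTables {
    fn new() -> Self {
        // Assumption: z is the smallest non-square, found by Euler's criterion.
        let z = (2u64..).find(|&z| pow(z, (P - 1) / 2) == P - 1).unwrap();
        let g = pow(z, T); // a 2^S root of unity (order exactly 2^32)
        let mut gtab = [[0u64; 256]; 4];
        for r in 0..4 {
            let base = pow2k(g, 8 * r as u32);
            let mut acc = 1u64;
            for j in 0..256 { gtab[r][j] = acc; acc = mul(acc, base); }
        }
        let g_inv_2_24 = pow(pow2k(g, 24), P - 2); // g^(-2^24), order 2^8
        let mut invtab = [0u64; 256];
        let mut acc = 1u64;
        for j in 0..256 { invtab[j] = acc; acc = mul(acc, g_inv_2_24); }
        SqrtTables { gtab, invtab }
    }

    /// t with invtab[t] == a; always succeeds for a in the order-2^8 subgroup.
    /// (Linear scan here; a real implementation would use a hash table.)
    fn lookup(&self, a: u64) -> u8 {
        self.invtab.iter().position(|&v| v == a).expect("not in the 2^8 subgroup") as u8
    }

    /// g^e for e < 2^32 with three multiplications, one gtab row per byte.
    fn g_pow(&self, e: u32) -> u64 {
        let b = e.to_le_bytes();
        let lo = mul(self.gtab[0][b[0] as usize], self.gtab[1][b[1] as usize]);
        let hi = mul(self.gtab[2][b[2] as usize], self.gtab[3][b[3] as usize]);
        mul(lo, hi)
    }

    /// Some(r) with r*r == u, or None when u is a non-square.
    fn sqrt(&self, u: u64) -> Option<u64> {
        if u == 0 { return Some(0); }
        let v = pow(u, (T - 1) / 2);
        let uv = mul(u, v);
        let x3 = mul(uv, v);        // u^T, in the 2^S subgroup
        let x2 = pow2k(x3, 8);
        let x1 = pow2k(x2, 8);
        let x0 = pow2k(x1, 8);      // u^(T * 2^24), order divides 2^8
        // i = 0, 1
        let t0 = self.lookup(x0);
        let a1 = mul(x1, self.gtab[2][t0 as usize]);
        // i = 2
        let t1 = self.lookup(a1);
        let a2 = mul(x2, mul(self.gtab[1][t0 as usize], self.gtab[2][t1 as usize]));
        // i = 3
        let t2 = self.lookup(a2);
        let a3 = mul(x3, mul(self.gtab[0][t0 as usize],
                             mul(self.gtab[1][t1 as usize], self.gtab[2][t2 as usize])));
        // final result: x3 * g^t == 1
        let t3 = self.lookup(a3);
        let t = u32::from_le_bytes([t0, t1, t2, t3]);
        // u^((p-1)/2) = x3^(2^31) = g^(-t * 2^31) is 1 iff t is even, so an odd
        // t means u is a non-square and no root exists.
        if t & 1 == 1 { return None; }
        Some(mul(uv, self.g_pow(t / 2)))
    }
}

fn main() {
    let tables = SqrtTables::new();
    let u = mul(123_456_789, 123_456_789);
    let r = tables.sqrt(u).expect("a square has a root");
    println!("sqrt({u}) = {r}; r*r == u: {}", mul(r, r) == u);
    println!("sqrt(P - 1) = {:?}", tables.sqrt(P - 1));
}
```

Apart from the four table lookups, the cost is the single exponentiation $u^{(T-1)/2}$, 24 squarings to reach $x_0$, and the 3 multiplications of `g_pow`; that is the saving over iterating bit by bit through the whole $2^S$ subgroup.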