appliedzkp zkevm(13)中的Public Inputs

1. 引言

以下为以太坊客户端用于计算block的所有public inputs数据:

  • 1)当前block
  • 2)之前的256个block:Previous Blocks
  • 3)全局信息
  • 4)交易
  • 5)其它所需public数据:【并不与verification circuit中的public inputs等价,因为每个circuit public input value都有验证开销,应使验证开销尽可能小。】
    • 5.1)用于同步State Trie的数据
    • 5.2)用于计算新block的数据
    • 5.3)用于验证同步的数据

2. 用于当前block的public inputs和电路

用于当前block的public inputs有:

  • Hash: 256 bits
  • Block Fields used in RLP:
    • ParentHash: 256 bits
    • UncleHash: 256 bits
    • Coinbase: 160 bits
    • Root: 256 bits (State Trie Root)
    • TxHash: 256 bits (Txs Trie Root)
    • ReceiptHash: 256 bits (Receipts Trie Root)
    • Bloom: 256 bytes
    • Difficulty: 256 bits
    • Number: 64 bits
    • GasLimit: 64 bits
    • GasUsed: 64 bits
    • Time: 64 bits
    • Extra: 0 bytes
    • MixDigest: 256 bits
    • Nonce: 64 bits
    • BaseFee: 256 bits (BaseFee was added by EIP-1559 and is ignored in legacy headers.)

用于当前block的电路有:

  • 1)Block Hash verifier
    • All fields
  • 2)EVM Circuit Block Table
    • Coinbase
    • GasLimit
    • Number
    • Time
    • Difficulty
    • BaseFee
  • 3)State Circuit
    • Block.Root

3. 用于之前256个区块的public inputs和电路

用于之前256个区块的public inputs有:

  • block[-1].Root: 256 bits
  • block[-1…-257].Hash: 256 x 256 bits

用于之前256个区块的电路有:

  • 1)EVM Circuit Block Table
    • block[-1…-257].Hash
  • 2)State Circuit
    • block[-1].Root

4. 全局信息及电路

全局信息为:

  • ChainID: 64 bits

相应的电路有:

  • 1)EVM Circuit Block Table
    • ChainID
  • 2)TxCircuit
    • ChainID

5. 用于交易的public inputs和电路

当前仅考虑定义在EIP-1559中的legacy transaction,相应的public inputs有:

  • Nonce: 64 bits
  • GasPrice: 256 bits
  • Gas: 64 bits
  • CallerAddress: 160 bits
  • CalleeAddress: 160 bits
  • IsCreate: 1 bit
  • Value: 256 bits
  • CallDataLength: 64 bits
  • CallData: CallDataLength bytes
  • TxSignHash: 256 bits
  • Signature
    • v: 256 bits
    • r: 256 bits
    • s: 256 bits

其中,TxSignHash RLP中用到的字段有:

  • Nonce
  • GasPrice
  • Gas
  • CalleeAddress
  • Value
  • CallData
  • ChainID

TxHash RLP中用到的字段有:

  • Nonce
  • GasPrice
  • Gas
  • CalleeAddress
  • Value
  • CallData
  • ChainID
  • Signature.v
  • Signature.r
  • Signature.s

交易相应的电路有:

  • TxCircuit
    • All Fields

6. 其它所需公开数据

前几节中的某些数据会在提交待验证proof时附上。为了验证某proof,严格来说还需要更多的数据来同步State Trie。

6.1 同步State Trie所需数据

为了同步新区块之后的State Trie(假设已有前一区块的state),至少需要如下数据:

  • For each tx
    • GasPrice: 256 bits
    • Gas: 64 bits
    • CallerAddress: 160 bits
    • CalleeAddress: 160 bits
    • Value: 256 bits
    • CallData: CallDataLength bytes
  • Block fields that affect EVM execution
    • Coinbase: 160 bits
    • Difficulty: 256 bits
    • Number: 64 bits
    • GasLimit: 64 bits
    • Time: 64 bits
    • BaseFee: 256 bits
  • Extra fields that affect EVM execution
    • block[-1…-257].Hash
    • ChainID: 64 bits

同步State Trie时,并不需要签名,且nonce值可从前一区块的State Trie推导出来。

6.2 计算新区块所需数据

为了计算新区块(假设已有前一区块的state),需要如下数据:

  • A way to prove that block[-1].Root (calculated from the known State Trie) is
    included in block[-1].Hash
    • A simple way to resolve this is by publishing the StateRoot with each proof (liked via public input)
    • Another way to resolve this is by publishing all block fields, so that a verifier can calculate the block hash in the circuit proving that it uses the expected StateRoot.

6.3 验证同步所需数据

即使某节点具有足够的数据来同步State Trie,该节点仍然无法验证其计算的State Trie是否正确(与proof相同),还需要如下数据:

  • StateRoot

7. Public Input方法

所需的public数据并不等同为verification circuit的public inputs,因为每个circuit public input value都有验证开销,应使验证开销尽可能小。

为了减小ciruit public inputs的size,引入了PublicInputs Circuit的思想,在PublicInputs Circit中,会验证circuit中所需的public inputs(作为witness)对应 这些public inputs之前的commitment,同时以将这些数据以剩余电路期待的形状建立(作为lookup table或者public input values)。

PublicInputs Circuit由其上层的aggregation circuit验证,仅需要一小部分的public inputs(即为,a challenge to validate the commitment of the necessary public data)。

展开来说:
有a list of raw public inputs (包含了所需的public data)必须能给到aggregation circuit。想要减少public inputs的数量以减少验证开销,为此希望能对其进行“压缩”。

有多种不同的“压缩”方式,最先进的一种是 EIP-4844,支持生成便宜的data commitment发送到以太坊,然后由合约进行“解压缩”(opened)。

EIP-4844中定义的commitment采用不同于circuit中的域,使得在circuit内open该commitment是很昂贵的,我们必须借助PublicInputs circuit来证明(circuits之外的)committed raw public inputs 与 (circuit之内的)witnessed raw public inputs等价。

详细的处理流程为:

  1. Send raw_public_inputs to Ethereum as a blob following EIP-4844
  2. Get commitment_bls=kzg_commitment(raw_public_inputs)
  3. Prove that commitment_bls has committed to the same values as the ones found in the raw_public_inputs advice column in the public_inputs_circuit. See here for a possible approach.
  4. public_inputs_circuit lays out the advice column raw_public_inputs into the tx_table, block_table, etc.
  5. When Aggregation0 circuit verifies public_inputs_circuit proof, it has access to commitments of advice columns corresponding to tx_table, block_table, etc. We call these table commitments.
  6. Aggregation0 circuit passes these table commitments around (to other aggregation circuits) until they reach the circuit that uses them
  7. aggregation circuit that verifies a circuit that uses a table, uses the table commitment in the verification of the proof.

可将1/2/3简化为:

  1. Calculate raw_public_inputs from the necessary public inputs passed via calldata in the tx where we call the zkEVM verification function
  2. p = RLC(raw_public_inputs, rand)
    rand = hash(raw_public_inputs, polynomial_commitment(public_inputs_circuit:advice_raw_public_inputs))

其中第2点需要:

  • A. Aggregation0 must have rand and polynomial_commitment(public_inputs_circuit:advice_raw_public_inputs) as public input
  • B. public_inputs_circuit must have rand as public input

注意:

  • Aggregation0 circuit为上层aggregation circuit,将在L1合约中验证。
  • 一旦穿过了Aggregation0 circuit,每个proof的验证开销将独立于“真实的”public inputs数量(即交易数 ,call data size,区块字段数等等)。
  • 计算合约内value的RLC是cheap的(仅需要MULMODADDMOD)。

以下为使用RLC捷径的流程图:
在这里插入图片描述

7.1 在circuit内验证KZG BLS commitment

以下为证明基于BLS曲线(如EIP-4844中所定义)的KZG commitment对应与circuit中advice column中的值一样 的提案:

  1. Pick random x
  2. Evaluate the polynomial used in commitment_bls at x and get y. So
    verify_kzg_bls_proof(commitment_bls, x, y, quotient_kzg) == True, where
    y is in modulus of BLS
  3. Pass (x, y) into the aggregation circuit (as public inputs)
  4. Pass (x, y) into the public_inputs_circuit (as public inputs)
  5. public_inputs_circuit contains a column with raw_public_inputs
  6. Inside the circuit, evaluate the polynomial defined with raw_public_inputs as its Lagrange coefficients in the BLS modulus at x and verify that the result is y.
    We use the barycentric formula to evaluate the polynomial using its Lagrange coefficients efficiently.

如何来选择随机challenge x呢?

  • x = hash(commitment_bls(raw_public_inputs) || poly_commitment(PublicInputsCircuit:raw_public_inputs))

原因在于:

  • The prover shouldn’t know x before the commitment_bls is calculated
  • The prover shouldn’t know x before the witness PublicInputsCircuit:raw_public_inputs is committed
  • In summary: the prover shouldn’t be able to change any of the commitments after it learns about x, otherwise the prover is able to construct a polynomial with values different than raw_public_inputs that evaluates to y on x.

8. PublicInputs Circuit

8.1 Setup

All the necessary public data is arranged in a single array of elements (called raw_public_inputs), following the layout of the block_table value column, tx_table {tx_id, index, value} columns, and extra fields in between.

8.2 Public Inputs

  • rand_rpi: Randomness used to “compress” the raw public inputs
  • rpi_rlc: Random Linear Combination of the raw public inputs (using rand_rpi as randomness)
  • chain_id: Chain ID, used to match the Chain ID public input used in the Tx Circuit
  • state_root: State Root of current block, used to match the State Root of current block public input used in the State Circuit
  • state_root_prev: State Root of previous block, used to match the State Root of previous block public input used in the State Circuit

8.3 Behaviour

  • 1)首先,the circuit calculates the Random Linear Combination of a column containing the raw public inputs array, and verifies that the result matches the rpi_rlc passed via public inputs using rand_rpi as randomness.
  • 2)其次,the circuit proves that the contained block_table -> value and tx_table -> {tx_id, index, value} columns correspond to the correct sections of the raw public inputs column.
  • 3)最后,the circuit proves that the chain_id, state_root and state_root_prev in the public inputs are found in the correct offset in the raw public inputs column.

参考资料

[1] Public Inputs

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值