Groth16于16年被提出,是一种在证明大小(证明只包含三个点)和验证时间上都具有很大优势的zkSNARK算法。zkSNARK通常需要进行可信设置(Setup),Groth16也不例外,然而Groth16的setup生成的公共参考串(CRS)不是通用的,即由该初始设置生成的CRS只能针对特定电路,而不能直接被用于任意电路的零知识证明之中,这也是Groth16在实际应用中比较鸡肋的地方。
R1CS
R1CS(rank-1 constraint system)是一个包含n个变量,m个约束,且witness w ∈ F n \pmb{w} \in F^n w∈Fn
的一阶约束系统。witness的前p个变量为公开输入,第一个公开输入
w
0
w_0
w0固定为1. m个约束满足如下等式:
(
w
⋅
a
i
)
⋅
(
w
⋅
b
i
)
=
w
⋅
c
i
(\pmb{w} \cdot \pmb{a_i}) \cdot (\pmb{w} \cdot \pmb{b_i}) = \pmb{w} \cdot \pmb{c_i}
(w⋅ai)⋅(w⋅bi)=w⋅ci
其中
(
a
i
,
b
i
,
c
i
)
∈
F
3
n
(a_i,b_i,c_i) \in F^{3n}
(ai,bi,ci)∈F3n确定了约束关系,整个约束系统也可以使用 element-wise product来表示
(
w
⋅
A
)
∘
(
w
⋅
B
)
=
w
⋅
C
(\pmb{w} \cdot \pmb{A}) \circ (\pmb{w} \cdot \pmb{B}) = \pmb{w} \cdot \pmb{C}
(w⋅A)∘(w⋅B)=w⋅C
QAP
固定一组基
x
∈
F
m
\pmb{x} \in F^m
x∈Fm,对每一个约束定义满足如下要求的多项式
A
i
(
x
j
)
=
A
i
j
\pmb{A}_i(x_j) = A_{ij}
Ai(xj)=Aij
B
,
C
\pmb{B},\pmb{C}
B,C同理,因此
A
(
X
)
=
∑
i
∈
[
0
,
n
)
w
i
⋅
A
i
(
x
)
\pmb{A}(X) = \sum_{i\in[0,n)} w_i \cdot \pmb{A}_i(x)
A(X)=∑i∈[0,n)wi⋅Ai(x),
B
(
X
)
,
C
(
X
)
\pmb{B}(X),\pmb{C}(X)
B(X),C(X)同理
经过上面转化,约束系统可以重新写成
A
(
x
i
)
⋅
B
(
x
i
)
=
C
(
x
i
)
\pmb{A}(x_i) \cdot \pmb{B}(x_i) =\pmb{C}(x_i)
A(xi)⋅B(xi)=C(xi)
这种形式即所谓QAP,可以通过一个低阶的多项式
H
(
X
)
\pmb{H}(X)
H(X)来验证
A
(
X
)
⋅
B
(
X
)
−
C
(
X
)
=
H
(
X
)
⋅
Z
(
X
)
\pmb{A}(X) \cdot \pmb{B}(X) - \pmb{C}(X) = \pmb{H}(X) \cdot \pmb{Z}(X)
A(X)⋅B(X)−C(X)=H(X)⋅Z(X)
其中
Z
(
X
)
=
∏
j
∈
[
0
,
m
)
(
x
−
x
j
)
\pmb{Z}(X) = \prod_{j \in [0,m)}(x- x_j)
Z(X)=∏j∈[0,m)(x−xj)
Trust Setup
如上面所说,Groth16需要进行Setup,并且Setup还是跟电路有关,因此Setup可以分成两部分,一部分是完全独立的,与电路无关,另一部分与电路有关。
Powers of Tau (phase 1)
选择m,此m作为电路的最大约束数,生成随机数
α
,
β
,
τ
\alpha, \beta,\tau
α,β,τ,计算
(
τ
0
,
τ
1
,
τ
2
,
.
.
.
.
,
τ
2
m
−
2
)
⋅
G
1
(
τ
0
,
τ
1
,
τ
2
,
.
.
.
.
,
τ
m
−
1
)
⋅
G
2
(
τ
0
,
τ
1
,
τ
2
,
.
.
.
.
,
τ
m
−
1
)
⋅
α
⋅
G
1
(
τ
0
,
τ
1
,
τ
2
,
.
.
.
.
,
τ
m
−
1
)
⋅
β
⋅
G
1
β
⋅
G
2
(\tau^0,\tau^1,\tau^2,....,\tau^{2m-2}) \cdot G_1 \\ (\tau^0,\tau^1,\tau^2,....,\tau^{m-1}) \cdot G_2 \\ (\tau^0,\tau^1,\tau^2,....,\tau^{m-1}) \cdot \alpha \cdot G_1 \\ (\tau^0,\tau^1,\tau^2,....,\tau^{m-1}) \cdot \beta \cdot G_1 \\ \beta \cdot G_2 \\
(τ0,τ1,τ2,....,τ2m−2)⋅G1(τ0,τ1,τ2,....,τm−1)⋅G2(τ0,τ1,τ2,....,τm−1)⋅α⋅G1(τ0,τ1,τ2,....,τm−1)⋅β⋅G1β⋅G2
phase 2
给定电路多项式
A
i
,
B
i
,
C
i
A_i,B_i,C_i
Ai,Bi,Ci ,生成随机数
γ
,
δ
\gamma, \delta
γ,δ,定义
L
i
L_i
Li多项式
L
i
=
β
⋅
A
i
(
X
)
+
α
⋅
B
i
(
X
)
+
C
i
(
X
)
L_i = \beta \cdot A_i(X) + \alpha \cdot B_i(X) + C_i(X)
Li=β⋅Ai(X)+α⋅Bi(X)+Ci(X)
我们不能直接计算
L
i
(
X
)
L_i(X)
Li(X),因为我们不知道
α
,
β
\alpha, \beta
α,β,但是我们可以通过线性组合的方式计算
L
i
(
τ
)
⋅
G
1
L_i(\tau) \cdot G_1
Li(τ)⋅G1,因此,我们可以计算
proving key:
(
α
,
β
,
δ
)
⋅
G
1
(
τ
0
,
τ
1
,
τ
2
,
.
.
.
.
,
τ
m
−
1
)
⋅
G
1
(
L
p
(
τ
)
,
L
p
+
1
(
τ
)
,
L
p
+
2
(
τ
)
,
.
.
.
,
L
m
−
1
(
τ
)
)
⋅
δ
−
1
⋅
G
1
(
τ
0
,
τ
1
,
τ
2
,
.
.
.
.
,
τ
m
−
1
)
⋅
Z
(
τ
)
⋅
δ
−
1
⋅
G
1
(
β
,
δ
)
⋅
G
2
(
τ
0
,
τ
1
,
τ
2
,
.
.
.
.
,
τ
m
−
1
)
⋅
G
2
(\alpha, \beta , \delta) \cdot G_1 \\ (\tau^0,\tau^1,\tau^2,....,\tau^{m-1}) \cdot G_1 \\ (L_p(\tau),L_{p+1}(\tau),L_{p+2}(\tau),...,L_{m-1}(\tau)) \cdot \delta^{-1} \cdot G_1 \\ (\tau^0,\tau^1,\tau^2,....,\tau^{m-1}) \cdot Z(\tau) \cdot \delta^{-1} \cdot G_1 \\ (\beta , \delta) \cdot G_2 \\ (\tau^0,\tau^1,\tau^2,....,\tau^{m-1}) \cdot G_2 \\
(α,β,δ)⋅G1(τ0,τ1,τ2,....,τm−1)⋅G1(Lp(τ),Lp+1(τ),Lp+2(τ),...,Lm−1(τ))⋅δ−1⋅G1(τ0,τ1,τ2,....,τm−1)⋅Z(τ)⋅δ−1⋅G1(β,δ)⋅G2(τ0,τ1,τ2,....,τm−1)⋅G2
verification key:
α
⋅
G
1
(
L
0
(
τ
)
,
L
1
(
τ
)
,
L
2
(
τ
)
,
.
.
.
,
L
p
−
1
(
τ
)
)
⋅
γ
−
1
⋅
G
1
(
γ
,
β
,
δ
)
⋅
G
2
\alpha \cdot G_1 \\ (L_0(\tau),L_{1}(\tau),L_{2}(\tau),...,L_{p-1}(\tau)) \cdot \gamma^{-1} \cdot G_1 \\ (\gamma, \beta , \delta) \cdot G_2 \\
α⋅G1(L0(τ),L1(τ),L2(τ),...,Lp−1(τ))⋅γ−1⋅G1(γ,β,δ)⋅G2
MPC
α , β , δ , γ , τ \alpha,\beta,\delta,\gamma,\tau α,β,δ,γ,τ也被称为 t o x i c w a s t e toxic \ waste toxic waste,在上述Setup的过程要确保 α , β , δ , γ , τ \alpha,\beta,\delta,\gamma,\tau α,β,δ,γ,τ不能被任何人知道,否则对于Groth16系统是极其不安全的。为了安全的进行Setup,我们可以使用安全多方计算协议, 满足只要有一个参与者是诚实的,该系统就是安全的,具体可参考的当年ZCash关于Groth16 Setup论文BGM17
Proving
给定一组witness
w
=
(
1
,
w
1
,
.
.
.
,
.
.
w
m
)
\pmb{w} = (1,w_1,...,..w_m)
w=(1,w1,...,..wm),我们可以按照上面的方法计算
A
,
B
,
C
,
H
A,B,C,H
A,B,C,H多项式,然后计算
L
(
X
)
=
∑
w
i
⋅
L
i
(
X
)
L(X) = \sum w_i \cdot L_i(X)
L(X)=∑wi⋅Li(X)
生成两个随机数
r
,
s
r,s
r,s,计算proof
A
=
(
α
+
r
⋅
δ
+
A
(
τ
)
)
⋅
G
1
B
=
(
β
+
s
⋅
δ
+
B
(
τ
)
)
⋅
G
2
C
=
δ
−
1
(
L
(
τ
)
+
H
(
τ
)
⋅
Z
(
τ
)
)
+
s
⋅
(
α
+
r
⋅
δ
+
A
(
τ
)
)
+
r
⋅
(
β
+
s
⋅
δ
+
B
(
τ
)
)
−
r
⋅
s
⋅
δ
A= (\alpha + r \cdot \delta + A(\tau)) \cdot G_1 \\ B= (\beta + s \cdot \delta + B(\tau)) \cdot G_2 \\ C= \delta^{-1}(L(\tau) + H(\tau) \cdot Z(\tau)) + s \cdot (\alpha + r \cdot \delta + A(\tau)) + r \cdot (\beta + s \cdot \delta + B(\tau)) - r \cdot s \cdot \delta
A=(α+r⋅δ+A(τ))⋅G1B=(β+s⋅δ+B(τ))⋅G2C=δ−1(L(τ)+H(τ)⋅Z(τ))+s⋅(α+r⋅δ+A(τ))+r⋅(β+s⋅δ+B(τ))−r⋅s⋅δ
最后的proof =
(
A
,
B
,
C
)
(A,B,C)
(A,B,C)
Verifying
给定公开输入
w
=
(
1
,
w
1
,
.
.
.
,
.
.
w
p
)
\pmb{w} = (1,w_1,...,..w_p)
w=(1,w1,...,..wp),首先计算
L
=
∑
w
i
(
γ
−
1
⋅
L
i
(
τ
)
⋅
G
1
)
L = \sum w_i (\gamma^{-1} \cdot L_i(\tau) \cdot G_1)
L=∑wi(γ−1⋅Li(τ)⋅G1)
然后验证
e
(
A
,
B
)
=
e
(
α
⋅
G
1
,
β
⋅
G
2
)
+
e
(
L
,
γ
⋅
G
2
)
+
e
(
C
,
δ
⋅
G
2
)
e(A,B) = e(\alpha \cdot G_1, \beta \cdot G_2) + e(L , \gamma \cdot G_2) + e(C, \delta \cdot G_2)
e(A,B)=e(α⋅G1,β⋅G2)+e(L,γ⋅G2)+e(C,δ⋅G2)