3. Breakdown Commitment
3.1 Linear Codes Polynomial Commitments
Breakown的基础就是使用线性码构建多项式承诺,优点在于证明大小和验证时间复杂度都是长度的平方根。
下面给出一个简单的线性码多项式承诺过程。假设多项式
g
g
g的系数向量的长度为
n
n
n,并且可以使用填充0的方式扩充到
d
=
k
2
d=k^2
d=k2且
d
≥
n
d \geq n
d≥n。因此有:
g
(
x
)
=
a
0
+
a
1
x
+
a
2
x
2
+
⋯
+
a
d
−
1
x
d
−
1
=
∑
i
=
0
d
−
1
a
i
x
i
=
[
1
,
x
,
x
2
,
⋯
,
x
k
−
1
]
[
b
1
,
1
b
1
,
2
⋯
b
1
,
k
b
2
,
1
b
2
,
2
⋯
b
2
,
k
⋮
⋮
⋱
⋮
b
k
,
1
b
k
,
2
⋯
b
k
,
k
]
[
1
x
k
x
2
k
⋮
x
(
k
−
1
)
k
]
=
∑
p
=
1
k
∑
q
=
1
k
b
p
,
q
x
(
p
−
1
)
+
(
q
−
1
)
k
\begin{aligned} g(x)&=a_0+a_1x+a_2x^2+\cdots+a_{d-1}x^{d-1}=\sum_{i=0}^{d-1}a_ix^i\\ &=[1,x,x^2,\cdots,x^{k-1}]\left[\begin{matrix}b_{1,1}&b_{1,2}&\cdots &b_{1,k}\\b_{2,1}&b_{2,2}&\cdots &b_{2,k}\\ \vdots &\vdots&\ddots &\vdots\\b_{k,1}&b_{k,2}&\cdots &b_{k,k}\end{matrix}\right]\left[\begin{matrix}1\\x^k\\ x^{2k}\\ \vdots\\x^{(k-1)k}\end{matrix}\right]\\ &=\sum_{p=1}^{k}\sum_{q=1}^{k}b_{p,q}x^{(p-1)+(q-1)k} \end{aligned}
g(x)=a0+a1x+a2x2+⋯+ad−1xd−1=i=0∑d−1aixi=[1,x,x2,⋯,xk−1]
b1,1b2,1⋮bk,1b1,2b2,2⋮bk,2⋯⋯⋱⋯b1,kb2,k⋮bk,k
1xkx2k⋮x(k−1)k
=p=1∑kq=1∑kbp,qx(p−1)+(q−1)k
通过上式,把长度为
d
=
k
2
d=k^2
d=k2的多项式系数转化为
k
k
k阶方阵
B
\mathbf{B}
B,我们希望仅需构造一个证明大小为行数
k
=
d
k=\sqrt{d}
k=d的多项式承诺就可等价于原长度为
d
d
d的多项式承诺,要实现这一点还需要借助线性纠错码(如上小节介绍的Linear-Time Encoding)和Merkle树。
首先,使用线性纠错码对方阵
B
\mathbf{B}
B的每一行编码,记为
E
n
c
(
B
i
)
\mathbf{Enc}(\mathbf{B}_i)
Enc(Bi),将其扩展为
k
×
m
k\times m
k×m的矩阵
C
\mathbf{C}
C,其中
l
l
l为码字长度(这里为了确保
l
l
l不会太大,所以一般采用码率为常数的编码方式)。
[
b
1
,
1
b
1
,
2
⋯
b
1
,
k
b
2
,
1
b
2
,
2
⋯
b
2
,
k
⋮
⋮
⋱
⋮
b
k
,
1
b
k
,
2
⋯
b
k
,
k
]
⟹
L
i
n
e
a
r
C
o
d
e
s
[
c
1
,
1
c
1
,
2
⋯
c
1
,
m
c
2
,
1
c
2
,
2
⋯
c
2
,
m
⋮
⋮
⋱
⋮
c
k
,
1
c
k
,
2
⋯
c
k
,
m
]
\left[\begin{matrix}b_{1,1}&b_{1,2}&\cdots &b_{1,k}\\b_{2,1}&b_{2,2}&\cdots &b_{2,k}\\ \vdots &\vdots&\ddots &\vdots\\b_{k,1}&b_{k,2}&\cdots &b_{k,k}\end{matrix}\right]\stackrel{Linear Codes}{\Longrightarrow} \left[\begin{matrix}c_{1,1}&c_{1,2}&\cdots &c_{1,m}\\c_{2,1}&c_{2,2}&\cdots &c_{2,m}\\ \vdots &\vdots&\ddots &\vdots\\c_{k,1}&c_{k,2}&\cdots &c_{k,m}\end{matrix}\right]
b1,1b2,1⋮bk,1b1,2b2,2⋮bk,2⋯⋯⋱⋯b1,kb2,k⋮bk,k
⟹LinearCodes
c1,1c2,1⋮ck,1c1,2c2,2⋮ck,2⋯⋯⋱⋯c1,mc2,m⋮ck,m
然后,对矩阵的每一列(
k
k
k个值)进行承诺并建立第一个Merkle树,并以每一列Merkle树的根哈希作为叶子节点(共
l
l
l个)建立第二个Merkle树。最后,基于第二个Merkle树来构建多项式承诺即可。
在取值证明的计算中,需要完成两步,一是Proximity Test,二是Consistency Test。Proximity Test保证了需要检查 Merkle Tree所承诺的矩阵确实承诺了 k = d k=\sqrt{d} k=d个码字。Consistency Test保证原来的求值点向量 与原始矩阵的乘积与结果向量之间的一致性。
Proximity Test :Verifier向Prover发送一个长度为 k k k的随机向量 r = [ r 1 , r 2 , ⋯ , r k ] r=[r_1,r_2,\cdots,r_k] r=[r1,r2,⋯,rk],之后Prover计算这个随机向量与方阵 B \mathbf{B} B的乘积,得到一个长度为 k k k的目标向量 u u u( u u u相当于是方阵 B \mathbf{B} B在向量 r r r下的随即线性组合),Prover 将 u u u返回给 Verifier,Verifier 收到 u u u后,需要检查其与承诺值 u ^ = [ u ^ 1 , u ^ 2 , ⋯ , u ^ m ] \hat{u}=[\hat{u}_1,\hat{u}_2,\cdots,\hat{u}_m] u^=[u^1,u^2,⋯,u^m]的一致性( u ^ i \hat{u}_i u^i表示编码后矩阵 C \mathbf{C} C的第 i ( 0 ≤ i ≤ m ) i(0\leq i \leq m) i(0≤i≤m)列)。
首先,Verifier对
u
u
u进行编码,得到
E
n
c
(
u
′
)
\mathbf{Enc}(u')
Enc(u′),然后,Verifier根据
r
r
r和
u
^
\hat{u}
u^计算一个向量
ν
\nu
ν
ν
=
∑
i
=
1
k
r
i
⋅
u
^
i
\nu=\sum_{i=1}^{k}{r_i\cdot\hat{u}_i}
ν=i=1∑kri⋅u^i
然后Verifier选择 E n c ( u ′ ) \mathbf{Enc}(u') Enc(u′)中 l l l个( l = Θ ( λ ) l=\Theta(\lambda) l=Θ(λ) 个)随机点,检查这些点是否都与向量 ν \nu ν对应位置的值相等,若均相等,则Proximity Test通过,这里用到了线性码的基本性质:码字之间的任意线性组合仍然是一个码字。
Consistency Test:该步骤和Proximity Test的工作差不多,只不过将随机向量 r r r替换为一个特定向量 q 1 \mathbf{q}_1 q1。接下来看如何获得 q 1 \mathbf{q}_1 q1。
首先多项式取值可以表示为系数矩阵与坐标矩阵的内积:
g
(
x
)
=
a
0
+
a
1
x
+
a
2
x
2
+
⋯
+
a
d
−
1
x
d
−
1
=
⟨
X
,
B
⟩
=
⟨
[
x
0
x
1
⋯
x
k
−
1
x
k
x
k
+
1
⋯
x
2
k
−
1
⋮
⋮
⋱
⋮
x
(
k
−
1
)
k
x
(
k
−
1
)
k
+
1
⋯
x
k
2
−
1
]
,
[
b
1
,
1
b
1
,
2
⋯
b
1
,
k
b
2
,
1
b
2
,
2
⋯
b
2
,
k
⋮
⋮
⋱
⋮
b
k
,
1
b
k
,
2
⋯
b
k
,
k
]
⟩
\begin{aligned} g(x)&=a_0+a_1x+a_2x^2+\cdots+a_{d-1}x^{d-1}\\ &=\langle\mathbf{X},\mathbf{B}\rangle\\ &=\Bigg\langle\left[\begin{matrix}x^{0}&x^{1}&\cdots &x^{k-1}\\x^{k}&x^{k+1}&\cdots &x^{2k-1}\\ \vdots &\vdots&\ddots &\vdots\\x^{(k-1)k}&x^{(k-1)k+1}&\cdots &x^{k^2-1}\end{matrix}\right],\left[\begin{matrix}b_{1,1}&b_{1,2}&\cdots &b_{1,k}\\b_{2,1}&b_{2,2}&\cdots &b_{2,k}\\ \vdots &\vdots&\ddots &\vdots\\b_{k,1}&b_{k,2}&\cdots &b_{k,k}\end{matrix}\right]\Bigg\rangle\\ \end{aligned}
g(x)=a0+a1x+a2x2+⋯+ad−1xd−1=⟨X,B⟩=⟨
x0xk⋮x(k−1)kx1xk+1⋮x(k−1)k+1⋯⋯⋱⋯xk−1x2k−1⋮xk2−1
,
b1,1b2,1⋮bk,1b1,2b2,2⋮bk,2⋯⋯⋱⋯b1,kb2,k⋮bk,k
⟩
在上式中,方阵
X
\mathbf{X}
X可以表示为两个长度为
k
k
k的向量
q
1
\mathbf{q}_1
q1和
q
2
\mathbf{q}_2
q2的张量积,所以有:
g
(
x
)
=
⟨
q
1
⊗
q
2
,
B
⟩
\begin{aligned} g(x)=\langle\mathbf{q}_1\otimes\mathbf{q}_2,\mathbf{B} \rangle\end{aligned}
g(x)=⟨q1⊗q2,B⟩
也就是说,对于多项式的的任意输入 q q q,均存在两个向量 q 1 \mathbf{q}_1 q1和 q 2 \mathbf{q}_2 q2,使得 g ( q ) = ⟨ q 1 ⊗ q 2 , B ⟩ \begin{aligned} g(q)=\langle\mathbf{q}_1\otimes\mathbf{q}_2,\mathbf{B} \rangle\end{aligned} g(q)=⟨q1⊗q2,B⟩。
在Consistency Test阶段就是用
q
1
\mathbf{q}_1
q1替换Proximity Test中的
r
r
r,
q
1
\mathbf{q}_1
q1与方阵
B
\mathbf{B}
B的相乘得到
u
′
′
u''
u′′,这个步骤中,如果Prover是诚实的,则
u
′
′
u''
u′′必然满足:
⟨
u
′
′
,
q
2
⟩
=
⟨
q
1
⊗
q
2
,
B
⟩
\langle u'',\mathbf{q}_2 \rangle=\langle \mathbf{q}_1 \otimes\mathbf{q}_2,\mathbf{B} \rangle
⟨u′′,q2⟩=⟨q1⊗q2,B⟩
否则测试不通过。完整的承诺方案如下所示。
Commit:
- P → V: a commit vector u ^ = ( u ^ 1 , . . . , u ^ m ) ∈ F m \hat{u} = (\hat{u}_1, ..., \hat{u}_m) \in \mathbf{F}^m u^=(u^1,...,u^m)∈Fm. If P is honest, each “row” u ^ i \hat{u}_i u^i of u ^ \hat{u} u^ contains a codeword in E n c \mathbf{Enc} Enc.
Proximity Test:
- V → P: a random vector r ∈ F k r \in \mathbf{F}^k r∈Fk.
- P → V: a vector u ′ ∈ F k u' \in \mathbf{F}^k u′∈Fk. claimed to equal v = ∑ i = 1 k r i ⋅ u i ∈ F k v = \sum_{i=1}^k r_i \cdot u_i \in \mathbf{F}^k v=∑i=1kri⋅ui∈Fk.
- // Now V probabilistically checks consistency between u ^ \hat{u} u^ and u ′ u' u′ (V reads the entirety of u ^ \hat{u} u^).
- V: chooses Q Q Q to be a random set of size l = Θ ( λ ) l = \Theta(\lambda) l=Θ(λ) . For each j ∈ Q j \in Q j∈Q:
- V queries all m m m entries of the corresponding “column” of u ^ \hat{u} u^, namely u ^ 1 , j , . . . , u ^ m , j \hat{u}_{1,j}, ..., \hat{u}_{m,j} u^1,j,...,u^m,j.
- V confirms E n c ( u ′ ) j = ∑ i = 1 m r ⋅ u ^ i , j \mathbf{En}c(u')_j = \sum_{i=1}^m r \cdot \hat{u}_{i,j} Enc(u′)j=∑i=1mr⋅u^i,j, halting and rejecting if not.
Consistency Test
- Let q 1 , q 2 ∈ F k \mathbf{q}_1, \mathbf{q}_2 \in \mathbf{F}^k q1,q2∈Fk such that g ( x ) = ( ( q 1 ⊗ q 2 ) , B ) g(x) = ((\mathbf{q}_1 \otimes \mathbf{q}_2), \mathbf{B}) g(x)=((q1⊗q2),B).
- The evaluation phase is identical to the testing phase except that r r r is replaced with q 1 \mathbf{q}_1 q1 (and fresh randomness is used to choose a set Q ′ Q' Q′ of columns for use in consistency testing).
- If all consistency tests pass, then V outputs ( u ′ ′ , q 2 ) (u'', \mathbf{q}_2) (u′′,q2) as g ( x ) g(x) g(x).
References:
[1]https://drops.dagstuhl.de/storage/00lipics/lipics-vol107-icalp2018/LIPIcs.ICALP.2018.14/LIPIcs.ICALP.2018.14.pdf
[2] Kate, A., Zaverucha, G.M., Goldberg, I.. Constant-Size Commitments to Polynomials and Their Applications. International Conference on the Theory and Application of Cryptology and Information Security, 2010.
[3] https://doc-internal.dalek.rs/bulletproofs/notes/inner_product_proof/i ndex.html
[4] Ulrich Haböck. A summary on the fri low degree test. Cryptology ePrint Archive, Paper 2022/1216, 2022.
[5] https://eprint.iacr.org/2021/1043.pdf?ref=hackernoon.com
[6] J. Bootle, A. Chiesa, and J. Groth. Linear-time arguments with sub-linear verification from tensor codes. In TCC, 2020.
[7] S. Setty. Spartan: Efficient and general-purpose zkSNARKs without trusted setup. In CRYPTO, 2020.
[8] T. Xie, Y. Zhang, and D. Song, “Orion: Zero knowledge proof with linear prover time,” Cryptology ePrint Archive, Paper 2022/1010, 2022, https://eprint.iacr.org/2022/1010.
[9] B. Diamond, J. Posen,“Succinct Arguments over Towers of Binary Fields,” Cryptology ePrint Archive, Paper 2023/1784, 2023, https://eprint.iacr.org/2023/1784.pdf
[10] https://github.com/IrreducibleOSS/binius
[11] S. Ames, C. Hazay, Y. Ishai, and M. Venkitasubramaniam. Ligero: Lightweight sublinear arguments without a trusted setup. In CCS, 2017