解释SNARKs 第6部分 皮诺曹协议

原文出自:https://blog.z.cash/snark-explain6/
作者:Ariel Gabizon
译者:Matter实验室

In part V we saw how a statement Alice would like to prove to Bob can be converted into an equivalent form in the “language of polynomials” called a Quadratic Arithmetic Program (QAP).

在第五部分,我们看到了Alice如何能将他想对Bob证明的语句,转换为一个我们称之为二次算术程序的采用多项式语言的等式。

In this part, we show how Alice can send a very short proof to Bob showing she has a satisfying assignment to a QAP. We will use the Pinocchio Protocol of Parno, Howell, Gentry and Raykova. But first let us recall the definition of a QAP we gave last time:

在这个部分,我们将展示Alice如何能发送一个非常短的证明给Bob,以显示她有一个满足QAP的成真指派。我们将采用皮诺曹协议(Parno, Howell, Gentry and Raykova)。但是首先让我们回忆一下我们上次学到的QAP的定义:

A Quadratic Arithmetic Program Q of degree d and size m consists of polynomials L1,…,Lm, R1,…,Rm, O1,…,Om and a target polynomial T of degree d.

一个dm大小的二次算术程序Q,由多项式L1,…,Lm, R1,…,Rm, O1,…,Om和一个d阶目标多项式T构成。

An assignment (c1,…,cm) satisfies Q if, defining

L:=∑(m,i=1) ci⋅Li
R:=∑(m,i=1) ci⋅Ri
O:=∑(m,i=1) ci⋅Oi
and
P:=L⋅R−O
we have that T divides P.

对于有一个值(c1,…,cm)满足Q,如果定义

L:=∑(m,i=1) ci⋅Li
R:=∑(m,i=1) ci⋅Ri
O:=∑(m,i=1) ci⋅Oi
并且定义
P:=L⋅R−O

我们可以判断T能整除P

As we saw in Part V, Alice will typically want to prove she has a satisfying assignment possessing some additional constraints, e.g. cm=7; but we ignore this here for simplicity, and show how to just prove knowledge of some satisfying assignment.

就像我们在第五部分看到的那样,Alice 特别想要通过证明她有个具有一些特定限制的成真指派,比如cm=7;但是为简单起见,我们在这儿忽略这个,仅仅展示如何证明一些成真指派的知识。

If Alice has a satisfying assignment it means that, defining L,R,O,P as above, there exists a polynomial H such that P=H⋅T. In particular, for any s∈Fp we have P(s)=H(s)⋅T(s).

如果Alice有一个成真指派,它意味着,像上面一样定义L,R,O,P,存在一个多项式H,满足P=H⋅T。尤其是,对于任何的s∈Fp,我们有P(s)=H(s)⋅T(s)

Suppose now that Alice doesn’t have a satisfying assignment, but she still constructs L,R,O,P as above from some unsatisfying assignment (c1,…,cm). Then we are guaranteed that T does not divide P. This means that for any polynomial H of degree at most d, P and L,R,O,H will be different polynomials. Note that P and L,R,O,H here are both of degree at most 2d.

假设现在Alice没有一个成真指派,但是她依然像上面那样用一个非成真指派(c1,…,cm)构造了L,R,O,P 。这种情况下我们确保T不能整除P。这意味着,对于任何最高为d阶的多项式HP and H⋅T 将是不同的多项式。注意到这儿的PH⋅T阶最多是2d

Now we can use the famous Schwartz-Zippel Lemma that tells us that two different polynomials of degree at most 2d can agree on at most 2d points s∈Fp. Thus, if p is much larger than 2d the probability that P(s)=H(s)⋅T(s) for a randomly chosen s∈Fp is very small.

现在我们能采用著名的Schwartz-Zippel引理,这告诉我们两个不同的最高为2d阶的多项式能够在最多2d个点s∈Fp上相等。因此,如果p2d要大的多,那么P(s)=H(s)⋅T(s)能够随机的选中s∈Fp的几率非常的小。

This suggests the following protocol sketch to test whether Alice has a satisfying assignment.

  1. Alice chooses polynomials L,R,O,H of degree at most d.

  2. Bob chooses a random point s∈Fp, and computes E(T(s)).

  3. Alice sends Bob the hidings of all these polynomials evaluated at s, i.e. E(L(s)),E(R(s)),E(O(s)),E(H(s)).

  4. Bob checks if the desired equation holds at s. That is, he checks whether E(L(s)⋅R(s)−O(s))=E(T(s)⋅H(s))

这表明接下来的协议描绘了,测试Alice是否有一个成真指派。

  1. Alice选择最大阶数为d的多项式L,R,O,H

  2. Bob选择一个随机的点s∈Fp,并计算出E(T(s))

  3. Alice将这些多项式在s点计算出的值的匿数传给Bob,比如 E(L(s)),E(R(s)),E(O(s)),E(H(s))

  4. Bob检查这是否是于s点想要的等式。那就是,他检查E(L(s)⋅R(s)−O(s))=E(T(s)⋅H(s))

Again, the point is that if Alice does not have a satisfying assignment, she will end up using polynomials where the equation does not hold identically, and thus does not hold at most choices of s. Therefore, Bob will reject with high probability over his choice of s in such a case.

接下来,如果 ALice 没有一个成真指派,她将最终使用一个让等式不成立的多项式,因此在大多数 s 的选择上不成立。因此,Bob 在这种情况下有很高的概率在s上拒绝这种情况。

The question is whether we have the tools to implement this sketch. The most crucial point is that Alice must choose the polynomials she will use, without knowing s. But this is exactly the problem we solved in the verifiable blind evaluation protocol, that was developed in Parts II-IV.

问题是是否我们有实现这个草案的工具。最至关重要的点是Alice必须选择她要用的多项式,在不知道s的情况下。但是这是一个我们已经解决的很明确的问题,那就是在2-4部分我们开发出来的可验证盲估协议。

MAKING SURE ALICE CHOOSES HER POLYNOMIALS ACCORDING TO AN ASSIGNMENT

确保Alice根据一个赋值选择她的多项式

Here is an important point: If Alice doesn’t have a satisfying assignment, it doesn’t mean she can’t find any polynomials L,R,O,H of degree at most d with L⋅R−O=T⋅H, it just means she can’t find such polynomials where L,R and O were “produced from an assignment”; namely, that L:=∑(m,i=1) ci⋅Li,R:=∑(m,i=1) ci⋅Ri,O:=∑(m,i=1) ci⋅Oi for the same (c1,…,cm).

有一个要点:如果Alice没有一个成真指派,也不意味着通过L⋅R−O=T⋅H她不能找到某个最高阶为d的多项式L,R,O,H,这仅意味着她不能找到L,RO 是“从赋值产生的”这样的多项式;也就是,从同一个(c1,…,cm),产生的L:=∑(m,i=1) ci⋅Li,R:=∑(m,i=1) ci⋅Ri,O:=∑(m,i=1) ci⋅Oi

The protocol of Part IV just guarantees she is using some polynomials L,R,O of the right degree, but not that they were produced from an assignment. This is a point where the formal proof gets a little subtle; here we sketch the solution imprecisely.

第四章的协议仅确保Alice正在使用一些阶数正确的多项式L,R,O,而非他们从某个赋值产生。这儿的形式化证明比较精妙;所以我们粗略的描述一下解决方案。

Let’s combine the polynomials L,R,O into one polynomial F as follows:

F=L+( X^(d+1) )⋅R+( X^(2(d+1)) )⋅O

The point of multiplying R by X^(d+1) and O by X^(2(d+1)) is that the coefficients of L,R,O “do not mix” in F: The coefficients of 1,X,…,X^d in F are precisely the coefficients of L, the next d+1 coefficients of ( X^( d+1 ) ) ,…, ( X^( 2d+1 ) ) are precisely the coefficients of R, and the last d+1 coefficients are those of O.

让我们像下面这样合并这三个多项式L,R,O成为一个新的多项式:

F=L+( X^(d+1) )⋅R+( X^(2(d+1)) )⋅O

RX^(d+1)相乘、OX^(2(d+1))相乘的关键点是L,R,O的系数不会在F中被混合: 1,X,…,X^dF中的系数恰好是L的系数,接下来X^( d+1 ),…,X^( 2d+1 )d+1个系数恰好是R的系数,最后d+1个系数全部都是O的。

Let’s combine the polynomials in the QAP definition in a similar way, defining for each i∈{1,…,m} a polynomial Fi whose first d+1 coefficients are the coefficients of Li, followed be the coefficients of Ri and then Oi. That is, for each i∈{1,…,m} we define the polynomial

Fi=Li+( X^(d+1) )⋅Ri+( X^2(d+1) )⋅Oi

Note that when we sum two of the Fi’s the Li, Ri, and Oi “sum separately”. For example, F1+F2=(L1+L2)+( X^(d+1) )⋅(R1+R2)+( X^(2(d+1)) )⋅(O1+O2).

让我们用类似的方法在QAP的定义里面来组合多项式,为每个i∈{1,…,m}定义一个多项式Fi,这个多项式的第一个d+1个系数是Li的系数,接下来是Ri的系数和Oi的系数。那么,对于每个i∈{1,…,m}我们定义多项式:

Fi=Li+( X^(d+1) )⋅Ri+( X^2(d+1) )⋅Oi

注意到当我们将两个Fi相加的时候,LiRiOi “分别相加”。例如F1+F2=(L1+L2)+( X^(d+1) )⋅(R1+R2)+( X^(2(d+1)) )⋅(O1+O2)

More generally, suppose that we had F=∑(m,i=1) ci⋅Fi for some (c1,…,cm). Then we’ll also have L=∑(m,i=1) ci⋅Li,R=∑(m,i=1) ci⋅Ri,O=∑(m,i=1)ci⋅Oi for the same coefficients (c1,…,cm). In other words, if F is a linear combination of the Fi’s it means that L,R,O were indeed produced from an assignment.

更一般化,假设我们对于(c1,…,cm)F=∑(m,i=1) ci⋅Fi。然后对于同样的系数(c1,…,cm),我们将同样有L=∑(m,i=1) ci⋅Li,R=∑(m,i=1) ci⋅Ri,O=∑(m,i=1)ci⋅Oi。换句话说,如果F是一个Fi的线性组合,它意味着L,R,O确实从赋值产生。

Therefore, Bob will ask Alice to prove to him that F is a linear combination of the Fi’s. This is done in a similar way to the protocol for verifiable evaluation:

所以,Bob会要求Alice向他证明,F是一个Fi的线性组合。这跟可验证评估协议的做法类似。

Bob chooses a random β∈F(∗,p), and sends to Alice the hidings E(β⋅F1(s)),…,E(β⋅Fm(s)). He then asks Alice to send him the element E(β⋅F(s)). If she succeeds, an extended version of the Knowledge of Coefficient Assumptionimplies she knows how to write F as a linear combination of the Fi’s.

Bob随机选择一个β∈F(∗,p),并且将匿数E(β⋅F1(s)),…,E(β⋅Fm(s))发送给Alice。他然后要求Alice发送给他E(β⋅F(s))。如果她成功了,作为一个知识系数假设的扩展版本,她知道如何写出F作为Fi的线性组合。

ADDING THE ZERO-KNOWLEDGE PART – CONCEALING THE ASSIGNMENT

添加零知识部分-隐藏赋值

In a zk-SNARK Alice wants to conceal all information about her assignment. However the hidings E(L(s)),E(R(s)),E(O(s)),E(H(s)) do provide some information about the assignment.

用zkSNARK,Alice想隐藏她所有赋值的信息。然而,匿数E(L(s)),E(R(s)),E(O(s)),E(H(s)) 确实提供了一些关于所赋值的信息。

For example, given some other satisfying assignment (c′1,…,c′m) Bob could compute the corresponding L′,R′,O′,H′and hidings E(L′(s)),E(R′(s)),E(O′(s)),E(H′(s)). If these come out different from Alice’s hidings, he could deduce that (c′1,…,c′m) is not Alice’s assignment.

例如,给出一些其他的成真指派(c′1,…,c′m),Bob可以计算相关的L′,R′,O′,H′以及匿数E(L′(s)),E(R′(s)),E(O′(s)),E(H′(s))。如果这些不同于Alice的匿数,她可以推断出(c′1,…,c′m)不是Alice的赋值。

To avoid such information leakage about her assignment, Alice will conceal her assignment by adding a “random T-shift” to each polynomial. That is, she chooses random δ1,δ2,δ3∈F(∗,p), and defines Lz:=L+δ1⋅T,Rz:=R+δ2⋅T,Oz:=O+δ3⋅T.

要阻止这样的关于Alice自己赋值信息的泄漏,Alice将采用对每个多项式添加一个随机的T-shift来隐藏她的赋值信息。那就是,她选择一个随机的δ1,δ2,δ3∈F(∗,p),并且定义Lz:=L+δ1⋅T,Rz:=R+δ2⋅T,Oz:=O+δ3⋅T

Assume L,R,O were produced from a satisfying assignment; hence, L⋅R−O=T⋅H for some polynomial H. As we’ve just added a multiple of T everywhere, T also divides Lz⋅Rz−Oz. Let’s do the calculation to see this:

Lz⋅Rz−Oz=
(L+δ1⋅T)(R+δ2⋅T)–O−δ3⋅T
(L⋅R−O)+L⋅δ2⋅T+δ1⋅T⋅R+δ1δ2⋅(T^2)–δ3⋅T=
T⋅(H+L⋅δ2+δ1⋅R+δ1δ2⋅T–δ3)

Thus, defining
Hz=H+L⋅δ2+δ1⋅R+δ1δ2⋅T−δ3

we have that Lz⋅Rz−Oz=T⋅Hz. Therefore, if Alice uses the polynomials Lz,Rz,Oz,Hz instead of L,R,O,H, Bob will always accept.

假设 L,R,O 是从一个成真指派所产生的;因此,对于某个多项式HL⋅R−O=T⋅H。当我们对所有地方都仅仅加上T的倍数,T同样能整除Lz⋅Rz−Oz。让我们进行一些运算看看:

Lz⋅Rz−Oz=
(L+δ1⋅T)(R+δ2⋅T)–O−δ3⋅T
(L⋅R−O)+L⋅δ2⋅T+δ1⋅T⋅R+δ1δ2⋅(T^2)–δ3⋅T=
T⋅(H+L⋅δ2+δ1⋅R+δ1δ2⋅T–δ3)

因此,定义

Hz=H+L⋅δ2+δ1⋅R+δ1δ2⋅T−δ3

我们有Lz⋅Rz−Oz=T⋅Hz。因此,如果Alice使用多项式Lz,Rz,Oz,Hz代替L,R,O,H,Bob总是可以接受。

On the other hand, these polynomials evaluated at s∈Fp with T(s)≠0 (which is all but d s’s), reveal no information about the assignment. For example, as T(s) is non-zero and δ1 is random, δ1⋅T(s) is a random value, and therefore Lz(s)=L(s)+δ1⋅T(s) reveals no information about L(s) as it is masked by this random value.

另一方面,这些多项式在s∈Fp处用T(s)≠0评估,没有披漏任何关于赋值的信息。例如,当T(s)非零而且δ1是随机的时候。δ1⋅T(s)是一个随机值,所以,Lz(s)=L(s)+δ1⋅T(s)没有披漏任何关于L(s)的信息,因为它被这个随机值给掩盖了。

WHAT’S LEFT FOR NEXT TIME?

下回文章还剩下什么?

We presented a sketch of the Pinocchio Protocol in which Alice can convince Bob she possesses a satisfying assignment for a QAP, without revealing information about that assignment. There are two main issues that still need to be resolved in order to obtain a zk-SNARK:

我们展示了皮诺曹协议的草案,用这个协议,Alice可以说服Bob 她拥有一个QAP的成真指派,而不泄漏任何关于这个赋值的信息。为了获得zkSNARK,有两个主要的问题仍然需要解决。

  • In the sketch, Bob needs an H that “supports multiplication”. For example, he needs to compute E(H(s)⋅T(s)) from E(H(s)) and E(T(s)). However, we have not seen so far an example of an H that enables this. We have only seen an H that supports addition and linear combinations.
  • 在草案中,Bob需要一个支持乘法的H。例如,他需要从E(H(s))E(T(s)) 去计算 E(H(s)⋅T(s))。然而,我们到目前未知没有见过一个H的例子能做这个事情。我们只看见一个支持加法和线性组合的H
  • Throughout this series, we have discussed interactive protocols between Alice and Bob. Our final goal, though, is to enable Alice to send single-message non-interactive proofs, that are publicly verifiable – meaning that anybody seeing this single message proof will be convinced of its validity, not just Bob (who had prior communication with Alice).

贯穿本系列,我们以及讨论了Alice和Bob的交互协议。尽管,我们最终的目的,是使Alice发送一个简单的没有交互的证明消息,这些证明消息是公开的可验证的——意味着任何人看到这个简单的证明消息,都将被它的有效性说服,而不只是Bob(他先与Alice联系)。

Both these issues can be resolved by the use of pairings of elliptic curves, which we will discuss in the next and final part.

依靠采用椭圆曲线对,这两个问题能被解决,这个我们在下一部分,也是最后一部分讨论。

最后编辑于
©著作权归作者所有,转载或内容合作请联系作者
  • 序言:七十年代末,一起剥皮案震惊了整个滨河市,随后出现的几起案子,更是在滨河造成了极大的恐慌,老刑警刘岩,带你破解...
    沈念sama阅读 214,875评论 6 496
  • 序言:滨河连续发生了三起死亡事件,死亡现场离奇诡异,居然都是意外死亡,警方通过查阅死者的电脑和手机,发现死者居然都...
    沈念sama阅读 91,569评论 3 389
  • 文/潘晓璐 我一进店门,熙熙楼的掌柜王于贵愁眉苦脸地迎上来,“玉大人,你说我怎么就摊上这事。” “怎么了?”我有些...
    开封第一讲书人阅读 160,475评论 0 350
  • 文/不坏的土叔 我叫张陵,是天一观的道长。 经常有香客问我,道长,这世上最难降的妖魔是什么? 我笑而不...
    开封第一讲书人阅读 57,459评论 1 288
  • 正文 为了忘掉前任,我火速办了婚礼,结果婚礼上,老公的妹妹穿的比我还像新娘。我一直安慰自己,他们只是感情好,可当我...
    茶点故事阅读 66,537评论 6 386
  • 文/花漫 我一把揭开白布。 她就那样静静地躺着,像睡着了一般。 火红的嫁衣衬着肌肤如雪。 梳的纹丝不乱的头发上,一...
    开封第一讲书人阅读 50,563评论 1 293
  • 那天,我揣着相机与录音,去河边找鬼。 笑死,一个胖子当着我的面吹牛,可吹牛的内容都是我干的。 我是一名探鬼主播,决...
    沈念sama阅读 39,580评论 3 414
  • 文/苍兰香墨 我猛地睁开眼,长吁一口气:“原来是场噩梦啊……” “哼!你这毒妇竟也来了?” 一声冷哼从身侧响起,我...
    开封第一讲书人阅读 38,326评论 0 270
  • 序言:老挝万荣一对情侣失踪,失踪者是张志新(化名)和其女友刘颖,没想到半个月后,有当地人在树林里发现了一具尸体,经...
    沈念sama阅读 44,773评论 1 307
  • 正文 独居荒郊野岭守林人离奇死亡,尸身上长有42处带血的脓包…… 初始之章·张勋 以下内容为张勋视角 年9月15日...
    茶点故事阅读 37,086评论 2 330
  • 正文 我和宋清朗相恋三年,在试婚纱的时候发现自己被绿了。 大学时的朋友给我发了我未婚夫和他白月光在一起吃饭的照片。...
    茶点故事阅读 39,252评论 1 343
  • 序言:一个原本活蹦乱跳的男人离奇死亡,死状恐怖,灵堂内的尸体忽然破棺而出,到底是诈尸还是另有隐情,我是刑警宁泽,带...
    沈念sama阅读 34,921评论 5 338
  • 正文 年R本政府宣布,位于F岛的核电站,受9级特大地震影响,放射性物质发生泄漏。R本人自食恶果不足惜,却给世界环境...
    茶点故事阅读 40,566评论 3 322
  • 文/蒙蒙 一、第九天 我趴在偏房一处隐蔽的房顶上张望。 院中可真热闹,春花似锦、人声如沸。这庄子的主人今日做“春日...
    开封第一讲书人阅读 31,190评论 0 21
  • 文/苍兰香墨 我抬头看了看天上的太阳。三九已至,却和暖如春,着一层夹袄步出监牢的瞬间,已是汗流浃背。 一阵脚步声响...
    开封第一讲书人阅读 32,435评论 1 268
  • 我被黑心中介骗来泰国打工, 没想到刚下飞机就差点儿被人妖公主榨干…… 1. 我叫王不留,地道东北人。 一个月前我还...
    沈念sama阅读 47,129评论 2 366
  • 正文 我出身青楼,却偏偏与公主长得像,于是被迫代替她去往敌国和亲。 传闻我的和亲对象是个残疾皇子,可洞房花烛夜当晚...
    茶点故事阅读 44,125评论 2 352

推荐阅读更多精彩内容

  • "use strict";function _classCallCheck(e,t){if(!(e instanc...
    久些阅读 2,028评论 0 2
  • pyspark.sql模块 模块上下文 Spark SQL和DataFrames的重要类: pyspark.sql...
    mpro阅读 9,451评论 0 13
  • 利用jdk打包,可以替换资源文件 首先打包生成apk文件和签名文件test.keystore文件 打包步骤 1.解...
    阿两sama阅读 2,843评论 0 0
  • 农历腊月十九凌晨归家,至今八日。历经弟大婚之喜,伯寿终之悲。父因事身陷囹圄,桎梏不可自得。唯子女担责,年岁渐...
    青浩阅读 348评论 4 1
  • 文| 雯雨霏 窗外正对面有一棵树,接近四层楼高,我说不出这棵树的名字,不过好像第一次才好好欣赏这棵树。 从我小学开...
    Cynthia雯霏阅读 287评论 0 1