原文出自:https://blog.z.cash/snark-explain7/
作者:Ariel Gabizon
译者:Matter实验室
In Part VI, we saw an outline of the Pinocchio zk-SNARK. We were missing two things – an HH that supports both addition and multiplication that is needed for the verifier’s checks, and a transition from an interactive protocol to a non-interactive proof system.
在第六部分,我们见到了一个zkSNARK皮诺曹的概述。但是我们遗漏了两个东西——一个支持加法和乘法的同态隐藏,这是验证者校验必须的东西;以及一个从交互式协议向非交互式证明系统的转换。
In this post we will see that using elliptic curves we can obtain a limited, but sufficient for our purposes, form of HH that supports multiplication. We will then show that this limited HH also suffices to convert our protocol to the desired non-interactive system.
在本文中,我们将看到采用椭圆曲线,我们能获得有限制的,但足以满足我们需要的,支持乘法的同态隐藏的方式。我们届时将展示这种带有限制的同态隐藏,同样足以转换我们的协议到我们想要的非交互式系统。
We begin by introducing elliptic curves and explaining how they give us the necessary HH.
我们从介绍椭圆曲线和解释它如何给我们带来必要的同态隐藏开始。
ELLIPTIC CURVES AND THEIR PAIRINGS
椭圆曲线和他们的配对
Assume p is a prime larger than 3, and take some u,v∈Fp such that 4( u^3 )+27( v^2 )≠0. We look at the equation
( Y^2 )=( X^3 )+u⋅( X )+v
An elliptic curve C is the of set of points (x,y) [1] that satisfy such an equation. These curves give us an interesting way to construct groups. The group elements will be the points (x,y)∈F(2,p) that are on the curve, i.e., that satisfy the equation, together with a special point O, that for technical reasons is sometimes refered to as the “point at infinity”, and serves as the identity element, i.e. the zero of the group.
[1] * You may ask ‘The set of points from where?’. We mean the set of points with coordinates in the algebraic closure of Fp. Also, the curve has an affine and projective version. When we are referring to the projective version we also include the “point at infinity” O as an element of the curve.
假定p是一个大于3的素数,并且取u,v∈Fp满足4( u^3 )+27( v^2 )≠0。我们可以看到一个等式:
( Y^2 )=( X^3 )+u⋅( X )+v
一个椭圆曲线C是点(x,y)的集合[1],这些点满足上面那个等式。这个曲线给我们一个有趣的方法构建群。这样的群的元素是(x,y)∈F(2,p)并在曲线上的点。就是说,这些点满足上面的等式,并且有一个特殊的点O,因为技术原因有时候被称之为“无限远上的点”,作为恒等元素,即这个群里面的零。
- [1] 你可以问‘这些点的集合来自哪儿?’。我们的意思是这些坐标在代数闭包Fp中的点的集合。同时,曲线有一个仿射和投射的版本。当我们提及投射版本时,我们同样包含“无限远的点” O 作为曲线的一个元素。
Now the question is how we add two points P=(x1,y1),Q=(x2,y2) to get a third? The addition rule is derived from a somewhat abstract object called the divisor class group of the curve. For our purposes, all you have to know about this divisor class group is that it imposes the following constraint on the definition of addition: The sum of points on any line must be zero, i.e., O.
现在的问题是,我们如何通过两个点 P=(x1,y1),Q=(x2,y2) 相加来得到第三个点?加法规则继承自有些抽象的被称为曲线的除数类群的对象。作为我们的目的,你只需知道这个群在加法定义上有下述强制的限制:任何直线上的点加起来必须是零,也就是O。
Let’s see how the addition rule is derived from this constraint. Look at a vertical line, defined by an equation of the form X=c. Suppose this line intersects the curve at a point P=(x1,y1). Because the curve equation is of the form ( Y^2 )=f(X), if (x1,y1) is on the curve, so is the point Q:=(x1,−y1). Moreover, since it’s a vertical line and the curve equation is of degree two in Y, we can be sure these are the only points where the line and curve intersect.
让我们看一下加法规则如何从这个限制演化。看一条垂直的线,我们用等式X=c定义。假设这条线与曲线在点P=(x1,y1)相交。如果(x1,y1)在曲线上,因为曲线等式是( Y^2 )=f(X)这样的形式,所以点Q:=(x1,−y1)也在曲线上。此外,既然它是垂直线并且曲线等式在Y上是2阶,我们能够确保这是直线和曲线相交的唯两个点。
Thus, we must have P+Q=O which means P=−Q; that is, Q is the inverse of P in the group.
Now let us look at points P and Q that have a different first coordinate – that is, x1≠x2, and see how to add them. We pass a line through P and Q.
因此,我们必须有P+Q=O,这意味着P=−Q;那就是,在群里面 Q 是 P 的逆。
现在让我们看一下第一个坐标是不同的点P和Q——也就是,x1≠x2 ,并且看出如何将他们相加。我们作一根直线穿过这两点。
Since the curve is defined by a degree three polynomial in X and already intersects this (non-vertical) line at two points, it is guaranteed to intersect the line at a third point, that we denote R=(x,y), and no other points.
既然曲线在X上定义为三阶多项式,并且已经在这条线(非垂直)上有两个交点,它能确保这条线相交于第三个交点。我们标记为R=(x,y),并且不再有其他点相交。
So we must have P+Q+R=O, which means P+Q=−R; and we know by now that −R is obtained from R by flipping the second coordinate from y to −y.
Thus, we have derived the addition rule for our group: Given points P and Q, pass a line through them, and then take the “mirror” point of the third intersection point of the line as the addition result. [2]
- [2] We did not address the case of adding P to itself. This is done by using the line that is tangent to the curve at P, and taking R to be the second intersection point of this line with the curve.
因此我们必须有P+Q+R=O,这意味着P+Q=−R;并且我们知道到目前为止,-R是从R反转第二个坐标从y到-y得到的。
因此,我们已经为我们的群继承了加法规则:给定点P和Q,作一条线通过他们,并且取线上第三个交点的镜像点作为加法的结果[2]。
- [2]我们没有解决将P加到他自己上的情况。这可以靠在P处作一条切线来处理,并且获取R作为第二个直线和曲线的交点
This group is usually called C(Fp) – as it consists of points on the curve C with coordinates in Fp; but let’s denote it by G1 from now on. Assume for simplicity that the number of elements in G1 is a prime number r, and is different from p. This is many times the case, for example in the curve that Zcash is currently using. In this case, any element g∈G1 different from O generates G1.
这个群通常被称为 C(Fp) ——因为她由曲线C上以Fp中的元素为坐标的点构成;但是让我们从现在开始用G1表示这个群。为简单起见,假设G1中元素的数量是质素r,并且与p不同。这种情况非常常见,Zcash现在用的曲线就是。在这种情况下,任何g∈G1并且不是O的元素都可以产生G1。
The smallest integer k such that r divides ( p^k )−1 is called the embedding degree of the curve. It is conjectured that when k is not too small, say, at least 6, then the discrete logarithm problem in G1, i.e. finding α from g and α⋅g, is very hard. (In BN curves [3] currently used by Zcash k=12.)
最小的整数k满足r能整除( p^k )−1这个特性被称为曲线嵌入度。可以推测当k不太小的时候,一般来说,至少是6,在G1中的离散对数问题,即从g和α⋅g反推α是非常困难的。(Zcash当前使用的BN曲线[3]k=12)
The multiplicative group of F( p^k ) contains a subgroup of order r that we denote G(T). We can look at curve points with coordinates in F( p^k ) and not just in Fp. Under the same addition rule, these points also form a group together with O called C(F( p^k )). Note that C(F( p^k )) clearly contains G1. Besides G1, C(F( p^k )) will contain an additional subgroup G2 of order r (in fact, r−1 additional subgroups of order r).
乘法群F( p^k )包含了一个r阶子群我们表示为GT。我们可以看到曲线上的点的坐标在F( p^k )中,而不只是在Fp中。在类似的加法规则下,这些点和O一起也形成了一个群,被称为C(F( p^k ))。注意到C(F( p^k ))清楚的包含了G1。除了G1,C(F( p^k ))包含一个以r为阶的加法子群G2(实事上,r的加法子群的阶是r-1)。
Fix generators g∈G1,h∈G2. It turns out that there is an efficient map, called the Tate reduced pairing, taking a pair of elements from G1 and G2 into an element of GT,
such that
Tate(g,h)=g() for a generator g() of GT, and
given a pair of elements a,b∈Fr, we have Tate(a⋅g,b⋅h)=( g()^(ab) ).
固定生成器g∈G1,h∈G2。很快会发现,有一个高效的map,称为Tate-缩减配对,接收一对G1和G2的元素,生成一个GT的元素。
就像这样:
Tate(g,h)=g()得到一个GT的生成器g(),并且
给定一对元素a,b∈Fr,我们有Tate(a⋅g,b⋅h)=( g()^(ab) )
Defining Tate is a bit beyond the scope of this series, and relies on concepts from algebraic geometry, most prominently that of divisors. Here’s a sketch of Tate’s definition: [4]
[4] The pairing Zcash actually uses is the optimal Ate pairing, which is based on the Tate reduced pairing, and can be computed more efficiently than Tate.
Tate的定义有些超出本系列的范围来,根据代数理论的概念,其中最重要的是除数。这是Tate定义的概要:[4]
- [4] Zcash确实在使用的配对是最佳配对,它基于Tate缩减配对,并且比Tate更高效。
For a∈Fp the polynomial ( (X−a)^r ) has a zero of multiplicity r at the point a, and no other zeroes. For a point P∈G1, divisors enable us to prove there exists a function fP from the curve to Fp that also has, in some precise sense, a zero of multiplicity r at P and no other zeroes. Tate(P,Q) is then defined as ( fP(Q)^((pk−1)/r) ).
对于a∈Fp,多项式( (X−a)^r )在点a有一个重数为r的零,并且再没有其他的零了。对于点P∈G1,除数使我们可以证明这儿存在一个函数fP,从曲线映射到Fp,从某种意义上说,除了在P上的重数为r的零之外,没有其他的零了。Tate(P,Q)定义为( fP(Q)^((pk−1)/r) )。
It may not seem at all clear what this definition has to do with the stated properties, and indeed the proof that Tate has these properties is quite complex.
对于这个定义是否必须处理状态属性似乎一点也不清楚,而且确切的证明Tate具有这些属性非常的复杂。
Defining E1(x):=x⋅g,E2(x):=x⋅h,E(x):=x⋅g(), we get a weak version of an HH that supports both addition and multiplication: E1,E2,E are HHs that support addition, and given the hidings E1(x), E2(y) we can compute E(xy). In other words, if we have the ”right” hidings of x and y we can get a (different) hiding of xy. But for example, if we had hidings of x,y,z we couldn’t get a hiding of xyz.
定义E1(x):=x⋅g,E2(x):=x⋅h,E(x):=x⋅g(),我们得到一个支持加法和乘法的弱同态隐藏版本:E1,E2,E是支持加法的同态隐藏,并且给定匿数E1(x)、 E2(y)我们能计算出E(xy)。用另外的话说,如果我们有正确的x 和 y的匿数,我们可以得到一个(不同的)xy的匿数。但是,比如,如果我们有x,y,z的匿数,那么我们无法计算出xyz的匿数。
We move on to discussing non-interactive proof systems. We begin by explaining exactly what we mean by ‘non-interactive’.
我们接下来讨论非交互证明系统。我们从清楚的解释什么是我们所说的“非交互”开始。
NON-INTERACTIVE PROOFS IN THE COMMON REFERENCE STRING MODEL
公共引用串模式的非交互证明
The strongest and most intuitive notion of a non-interactive proof is probably the following. In order to prove a certain claim, a prover broadcasts a single message to all parties, with no prior communication of any kind; and anyone reading this message would be convinced of the prover’s claim. This can be shown to be impossible in most cases. [5]
[5] In computational complexity theory terms, one can show that only languages in BPP have non-interactive zero-knowledge proofs in this strong sense. The type of claims we need to prove in Zcash transactions, e.g. ‘I know a hash preimage of this string’, correspond to the complexity class NP which is believed to be much larger than BPP.
对于非交互证明,最强列直觉上的感觉应该是下面这样的。为了证明某个声明,一个证明者无差别的广播一个简单的消息给所有的当事人;任何阅读到这个消息的人都可以确信证明者的声明。在大多数情况下,这可以认为是不可能的[5]。
- [5]在计算复杂度理论术语中,人们可以证明只有在BPP中的语言才从根本上具有非交互零知识证明。我们在Zcash交易中需要证明的声明类型,即,“我知道这个串的一个hash原像”,对应着NP类型的复杂度,这比BPP要大得多。
A slightly relaxed notion of non-interactive proof is to allow a common reference string (CRS). In the CRS model, before any proofs are constructed, there is a setup phase where a string is constructed according to a certain randomized process and broadcast to all parties. This string is called the CRS and is then used to help construct and verify proofs. The assumption is that the randomness used in the creation of the CRS is not known to any party – as knowledge of this randomness might enable constructing proofs of false claims.
一个稍微宽松的非交互证明的概念是允许一个公共引用串(CRS)。在这个CRS模式下,在证明被构造前,有一个安装阶段,这个阶段中,一个串根据某种随机过程构造出来,并且广播给所有的当事人。这个串被称为CRS并用来帮助构造证明。假定,用于创造CRS的随机性并不被任何当事人所知——作为这个随机性的知识可以用来构造假的证明。
We will explain how in the CRS model we can convert the verifiable blind evaluation protocol of Part IV into a non-interactive proof system. As the protocol of Part VI consisted of a few such subprotocols it can be turned into a non-interactive proof system in a similar way.
我们将解释在CRS的模式下我们如何将第四部分的可验证盲估协议转为非交互证明系统。由于第六部分的协议由几个子协议组成,这些子协议可以采用相似的方式转换为非交互证明系统。
A NON-INTERACTIVE EVALUATION PROTOCOL
非交互评估协议
The non-interactive version of the evaluation protocol basically consists of publishing Bob’s first message as the CRS. Recall that the purpose of the protocol is to obtain the hiding E(P(s)) of Alice’s polynomial P at a randomly chosen s∈Fr.
评估协议的非交互版本从根本上说由公布Bob的第一条作为CRS的消息构成。回忆一下,协议的目的是获取Alice的多项式P在随机选择的s∈Fr点上匿数E(P(s))
Setup: Random α∈F(∗,r),s∈Fr are chosen and the CRS:
( E1(1),E1(( s )),…,E1( s^d ) , E2(α),E2(α( s )),…,E2(α( s^d )) )
is published.
Proof: Alice computes a=E1(P(s)) and b=E2(αP(S)) using the elements of the CRS, and the fact that E1 and E2 support linear combinations.
Verification: Fix the x,y∈Fr such that a=E1(x) and b=E2(y). Bob computes E(αx)=Tate(E1(x),E2(α)) and E(y)=Tate(E1(1),E2(y)), and checks that they are equal. (If they are equal it implies αx=y.)
安装:随机选择α∈F(∗,r),s∈Fr,CRS是:
( E1(1),E1(( s )),…,E1( s^d ) , E2(α),E2(α( s )),…,E2(α( s^d )) )
被发布出来。
证明:Alice使用CRS的元素计算a=E1(P(s)) 和 b=E2(αP(S)),事实上E1和E2支持线性组合。
验证:固定x,y∈Fr,使之满足a=E1(x)和b=E2(y)。Bob计算E(αx)=Tate(E1(x),E2(α))和E(y)=Tate(E1(1),E2(y)),并且检查他们是否相等。(如果他们相等,这代表了αx=y。)
As explained in Part IV, Alice can only construct a,b that will pass the verification check if a is the hiding of P(s) for a polynomial P of degree d known to her. The main difference here is that Bob does not need to know α for the verification check, as he can use the pairing function to compute E(αx) only from E1(x) and E2(α). Thus, he does not need to construct and send the first message himself, and this message can simply be fixed in the CRS.
像第四部分所说明的,Alice只能构造a,b,这会通过验证检查,是否,对于d阶多项式P,a是她所知道的P(s)的匿数。主要不同之处是Bob在验证检查的时候不需要知道α,因为他能使用配对函数从 E1(x) 和 E2(α) 来计算E(αx)。因此,他不需要构造并传送第一个消息,这个消息可以简单的在CRS中被固定。