在可信设置 (trusted setup) 上评估 Quadratic Arithmetic Program (QAP) 使得证明者能够在不泄露 witness 的情况下,使用固定大小的证明来证明 QAP 已被满足。
具体来说,QAP 多项式在一个未知点 τ \tau τ a \mathbf{a} a
∑ i = 1 m a i u i ( x ) ∑ i = 1 m a i v i ( x ) = ∑ i = 1 m a i w i ( x ) + h ( x ) t ( x ) \sum_{i=1}^m a_iu_i(x)\sum_{i=1}^m a_iv_i(x) = \sum_{i=1}^m a_iw_i(x) + h(x)t(x) i = 1 ∑ m a i u i ( x ) i = 1 ∑ m a i v i ( x ) = i = 1 ∑ m a i w i ( x ) + h ( x ) t ( x )
将会是平衡的(等式两边相等);否则,它以压倒性的概率是不平衡的。
此处展示的方案并不是一个安全的 ZK Proof,但它是展示 Groth16 工作原理的垫脚石。
一个具体示例
为了让这不那么抽象,假设 Rank 1 Constraint System (R1CS) 的矩阵 L \mathbf{L} L R \mathbf{R} R O \mathbf{O} O
L a ∘ R a = O a \mathbf{L}\mathbf{a} \circ \mathbf{R}\mathbf{a} = \mathbf{O}\mathbf{a} La ∘ Ra = Oa
由于我们有 3 行,这意味着我们的插值多项式的最高次数将是 2。因为我们有 4 列,每个矩阵将产生 4 个多项式(总共 12 个多项式)。
我们的 QAP 将会是
∑ i = 1 4 a i u i ( x ) ∑ i = 1 4 a i v i ( x ) = ∑ i = 1 4 a i w i ( x ) + h ( x ) t ( x ) \sum_{i=1}^4a_iu_i(x)\sum_{i=1}^4a_iv_i(x) = \sum_{i=1}^4a_iw_i(x) + h(x)t(x) i = 1 ∑ 4 a i u i ( x ) i = 1 ∑ 4 a i v i ( x ) = i = 1 ∑ 4 a i w i ( x ) + h ( x ) t ( x )
符号与预备知识
我们将群 G 1 \mathbb{G}_1 G 1 G 2 \mathbb{G}_2 G 2 G 1 G_1 G 1 G 2 G_2 G 2 G 1 \mathbb{G}_1 G 1 [ X ] 1 [X]_1 [ X ] 1 G 2 \mathbb{G}_2 G 2 [ X ] 2 [X]_2 [ X ] 2 X ∈ G 1 X \in \mathbb{G}_1 X ∈ G 1 X ∈ G 2 X \in \mathbb{G}_2 X ∈ G 2 椭圆曲线配对 记作 [ X ] 1 ∙ [ Y ] 2 [X]_1 \bullet [Y]_2 [ X ] 1 ∙ [ Y ] 2
设 L ( ∗ , j ) \mathbf{L}_{(*,j)} L ( ∗ , j ) L \mathbf{L} L j j j ( 1 , 2 , 3 ) (1,2,3) ( 1 , 2 , 3 ) ( 1 , 2 , 3 , 4 ) (1,2,3,4) ( 1 , 2 , 3 , 4 ) L ( L ( ∗ , j ) ) \mathcal{L}(\mathbf{L}_{(*,j)}) L ( L ( ∗ , j ) ) x x x ( 1 , 2 , 3 ) (1,2,3) ( 1 , 2 , 3 ) j j j y y y L \mathbf{L} L j j j
因为我们有 4 列,所以我们从 L \mathbf{L} L
u 1 ( x ) = L ( L ( ∗ , 1 ) ) = u 12 x 2 + u 11 x + u 10 u 2 ( x ) = L ( L ( ∗ , 2 ) ) = u 22 x 2 + u 21 x + u 20 u 3 ( x ) = L ( L ( ∗ , 3 ) ) = u 32 x 2 + u 31 x + u 30 u 4 ( x ) = L ( L ( ∗ , 4 ) ) = u 42 x 2 + u 41 x + u 40 \begin{align*}
u_1(x) = \mathcal{L}(\mathbf{L}_{(*,1)}) =u_{12}x^2 + u_{11}x+u_{10}\\
u_2(x) = \mathcal{L}(\mathbf{L}_{(*,2)}) =u_{22}x^2 + u_{21}x+u_{20}\\
u_3(x) = \mathcal{L}(\mathbf{L}_{(*,3)}) =u_{32}x^2 + u_{31}x+u_{30}\\
u_4(x) = \mathcal{L}(\mathbf{L}_{(*,4)}) =u_{42}x^2 + u_{41}x+u_{40}\\
\end{align*} u 1 ( x ) = L ( L ( ∗ , 1 ) ) = u 12 x 2 + u 11 x + u 10 u 2 ( x ) = L ( L ( ∗ , 2 ) ) = u 22 x 2 + u 21 x + u 20 u 3 ( x ) = L ( L ( ∗ , 3 ) ) = u 32 x 2 + u 31 x + u 30 u 4 ( x ) = L ( L ( ∗ , 4 ) ) = u 42 x 2 + u 41 x + u 40
从 R \mathbf{R} R
v 1 ( x ) = L ( R ( ∗ , 1 ) ) = v 12 x 2 + v 11 x + v 10 v 2 ( x ) = L ( R ( ∗ , 2 ) ) = v 22 x 2 + v 21 x + v 20 v 3 ( x ) = L ( R ( ∗ , 3 ) ) = v 32 x 2 + v 31 x + v 30 v 4 ( x ) = L ( R ( ∗ , 4 ) ) = v 42 x 2 + v 41 x + v 40 \begin{align*}
v_1(x) = \mathcal{L}(\mathbf{R}_{(*,1)}) =v_{12}x^2 + v_{11}x+v_{10}\\
v_2(x) = \mathcal{L}(\mathbf{R}_{(*,2)}) =v_{22}x^2 + v_{21}x+v_{20}\\
v_3(x) = \mathcal{L}(\mathbf{R}_{(*,3)}) =v_{32}x^2 + v_{31}x+v_{30}\\
v_4(x) = \mathcal{L}(\mathbf{R}_{(*,4)}) =v_{42}x^2 + v_{41}x+v_{40}\\
\end{align*} v 1 ( x ) = L ( R ( ∗ , 1 ) ) = v 12 x 2 + v 11 x + v 10 v 2 ( x ) = L ( R ( ∗ , 2 ) ) = v 22 x 2 + v 21 x + v 20 v 3 ( x ) = L ( R ( ∗ , 3 ) ) = v 32 x 2 + v 31 x + v 30 v 4 ( x ) = L ( R ( ∗ , 4 ) ) = v 42 x 2 + v 41 x + v 40
以及从 O \mathbf{O} O
w 1 ( x ) = L ( O ( ∗ , 1 ) ) = w 12 x 2 + w 11 x + w 10 w 2 ( x ) = L ( O ( ∗ , 2 ) ) = w 22 x 2 + w 21 x + w 20 w 3 ( x ) = L ( O ( ∗ , 3 ) ) = w 32 x 2 + w 31 x + w 30 w 4 ( x ) = L ( O ( ∗ , 4 ) ) = w 42 x 2 + w 41 x + w 40 \begin{align*}
w_1(x) = \mathcal{L}(\mathbf{O}_{(*,1)}) =w_{12}x^2 + w_{11}x+w_{10}\\
w_2(x) = \mathcal{L}(\mathbf{O}_{(*,2)}) =w_{22}x^2 + w_{21}x+w_{20}\\
w_3(x) = \mathcal{L}(\mathbf{O}_{(*,3)}) =w_{32}x^2 + w_{31}x+w_{30}\\
w_4(x) = \mathcal{L}(\mathbf{O}_{(*,4)}) =w_{42}x^2 + w_{41}x+w_{40}\\
\end{align*} w 1 ( x ) = L ( O ( ∗ , 1 ) ) = w 12 x 2 + w 11 x + w 10 w 2 ( x ) = L ( O ( ∗ , 2 ) ) = w 22 x 2 + w 21 x + w 20 w 3 ( x ) = L ( O ( ∗ , 3 ) ) = w 32 x 2 + w 31 x + w 30 w 4 ( x ) = L ( O ( ∗ , 4 ) ) = w 42 x 2 + w 41 x + w 40
多项式 p i j p_{ij} p ij i i i j j j j = 2 j=2 j = 2 x 2 x^2 x 2
我们示例的 QAP 是
∑ i = 1 4 a i u i ( x ) ∑ i = 1 4 a i v i ( x ) = ∑ i = 1 4 a i w i ( x ) + h ( x ) t ( x ) \sum_{i=1}^4a_iu_i(x)\sum_{i=1}^4a_iv_i(x) = \sum_{i=1}^4a_iw_i(x) + h(x)t(x) i = 1 ∑ 4 a i u i ( x ) i = 1 ∑ 4 a i v i ( x ) = i = 1 ∑ 4 a i w i ( x ) + h ( x ) t ( x )
其中 t ( x ) = ( x − 1 ) ( x − 2 ) ( x − 3 ) t(x) = (x - 1)(x - 2)(x - 3) t ( x ) = ( x − 1 ) ( x − 2 ) ( x − 3 ) h ( x ) h(x) h ( x )
h ( x ) = ∑ i = 1 4 a i u i ( x ) ∑ i = 1 4 a i v i ( x ) − ∑ i = 1 4 a i w i ( x ) t ( x ) h(x)=\frac{\sum_{i=1}^4a_iu_i(x)\sum_{i=1}^4a_iv_i(x) - \sum_{i=1}^4a_iw_i(x)}{t(x)} h ( x ) = t ( x ) ∑ i = 1 4 a i u i ( x ) ∑ i = 1 4 a i v i ( x ) − ∑ i = 1 4 a i w i ( x )
QAP 中多项式的次数与 R1CS 大小的关系
关于一般情况下多项式次数的几点观察:
u ( x ) u(x) u ( x ) v ( x ) v(x) v ( x ) n − 1 n - 1 n − 1 n n n n n n 如果多项式之和 ∑ i = 0 m a i w i ( x ) \sum_{i=0}^m a_iw_i(x) ∑ i = 0 m a i w i ( x ) w ( x ) w(x) w ( x )
根据定义,t ( x ) t(x) t ( x ) n n n
多项式相乘会将其次数相加,而多项式相除会将其次数相减。
因此,h ( x ) h(x) h ( x ) n − 2 n - 2 n − 2
n − 1 ⏟ deg u ( x ) + n − 1 ⏟ deg v ( x ) − n ⏟ deg t ( x ) = n − 2 \underbrace{n - 1}_{
\deg{u(x)}} + \underbrace{n - 1}_{\deg{v(x)}} - \underbrace{n}_{\deg{t(x)}} = n - 2 d e g u ( x ) n − 1 + d e g v ( x ) n − 1 − d e g t ( x ) n = n − 2
展开各项
如果我们展开前面示例中的求和公式,我们会得到以下结果:
∑ i = 1 4 a i u i ( x ) = a 1 ( u 12 x 2 + u 11 x + u 10 ) + a 2 ( u 22 x 2 + u 21 x + u 20 ) + a 3 ( u 32 x 2 + u 31 x + u 30 ) + a 4 ( u 42 x 2 + u 41 x + u 40 ) = ( a 1 u 12 + a 2 u 22 + a 3 u 32 + a 4 u 42 ) x 2 + ( a 1 u 11 + a 2 u 21 + a 3 u 31 + a 4 u 41 ) x + ( a 1 u 10 + a 2 u 20 + a 3 u 30 + a 4 u 40 ) = u 2 a x 2 + u 1 a x + u 0 a ∑ i = 1 4 a i v i ( x ) = a 1 ( v 12 x 2 + v 11 x + v 10 ) + a 2 ( v 22 x 2 + v 21 x + v 20 ) + a 3 ( v 32 x 2 + v 31 x + v 30 ) + a 4 ( v 42 x 2 + v 41 x + v 40 ) = ( a 1 v 12 + a 2 v 22 + a 3 v 32 + a 4 v 42 ) x 2 + ( a 1 v 11 + a 2 v 21 + a 3 v 31 + a 4 v 41 ) x + ( a 1 v 10 + a 2 v 20 + a 3 v 30 + a 4 v 40 ) = v 2 a x 2 + v 1 a x + v 0 a ∑ i = 1 4 a i w i ( x ) = a 1 ( w 12 x 2 + w 11 x + w 10 ) + a 2 ( w 22 x 2 + w 21 x + w 20 ) + a 3 ( w 32 x 2 + w 31 x + w 30 ) + a 4 ( w 42 x 2 + w 41 x + w 40 ) = ( a 1 w 12 + a 2 w 22 + a 3 w 32 + a 4 w 42 ) x 2 + ( a 1 w 11 + a 2 w 21 + a 3 w 31 + a 4 w 41 ) x + ( a 1 w 10 + a 2 w 20 + a 3 w 30 + a 4 w 40 ) = w 2 a x 2 + w 1 a x + w 0 a \begin{align*}
\sum_{i=1}^4 a_iu_i(x) &= a_1(u_{12}x^2 + u_{11}x+u_{10}) + a_2(u_{22}x^2 + u_{21}x+u_{20}) + a_3(u_{32}x^2 + u_{31}x+u_{30}) + a_4(u_{42}x^2 + u_{41}x+u_{40})\\
&= (a_1u_{12}+a_2u_{22}+a_3u_{32}+a_4u_{42})x^2 + (a_1u_{11}+a_2u_{21}+a_3u_{31}+a_4u_{41})x + (a_1u_{10}+a_2u_{20}+a_3u_{30}+a_4u_{40})\\
&=u_{2a}x^2+u_{1a}x+u_{0a}\\
\sum_{i=1}^4 a_iv_i(x) &= a_1(v_{12}x^2 + v_{11}x+v_{10}) + a_2(v_{22}x^2 + v_{21}x+v_{20}) + a_3(v_{32}x^2 + v_{31}x+v_{30}) + a_4(v_{42}x^2 + v_{41}x+v_{40})\\
&= (a_1v_{12}+a_2v_{22}+a_3v_{32}+a_4v_{42})x^2 + (a_1v_{11}+a_2v_{21}+a_3v_{31}+a_4v_{41})x + (a_1v_{10}+a_2v_{20}+a_3v_{30}+a_4v_{40})\\
&=v_{2a}x^2+v_{1a}x+v_{0a}\\
\sum_{i=1}^4 a_iw_i(x) &= a_1(w_{12}x^2 + w_{11}x+w_{10}) + a_2(w_{22}x^2 + w_{21}x+w_{20}) + a_3(w_{32}x^2 + w_{31}x+w_{30}) + a_4(w_{42}x^2 + w_{41}x+w_{40})\\
&= (a_1w_{12}+a_2w_{22}+a_3w_{32}+a_4w_{42})x^2 + (a_1w_{11}+a_2w_{21}+a_3w_{31}+a_4w_{41})x + (a_1w_{10}+a_2w_{20}+a_3w_{30}+a_4w_{40})\\
&=w_{2a}x^2+w_{1a}x+w_{0a}\\
\end{align*} i = 1 ∑ 4 a i u i ( x ) i = 1 ∑ 4 a i v i ( x ) i = 1 ∑ 4 a i w i ( x ) = a 1 ( u 12 x 2 + u 11 x + u 10 ) + a 2 ( u 22 x 2 + u 21 x + u 20 ) + a 3 ( u 32 x 2 + u 31 x + u 30 ) + a 4 ( u 42 x 2 + u 41 x + u 40 ) = ( a 1 u 12 + a 2 u 22 + a 3 u 32 + a 4 u 42 ) x 2 + ( a 1 u 11 + a 2 u 21 + a 3 u 31 + a 4 u 41 ) x + ( a 1 u 10 + a 2 u 20 + a 3 u 30 + a 4 u 40 ) = u 2 a x 2 + u 1 a x + u 0 a = a 1 ( v 12 x 2 + v 11 x + v 10 ) + a 2 ( v 22 x 2 + v 21 x + v 20 ) + a 3 ( v 32 x 2 + v 31 x + v 30 ) + a 4 ( v 42 x 2 + v 41 x + v 40 ) = ( a 1 v 12 + a 2 v 22 + a 3 v 32 + a 4 v 42 ) x 2 + ( a 1 v 11 + a 2 v 21 + a 3 v 31 + a 4 v 41 ) x + ( a 1 v 10 + a 2 v 20 + a 3 v 30 + a 4 v 40 ) = v 2 a x 2 + v 1 a x + v 0 a = a 1 ( w 12 x 2 + w 11 x + w 10 ) + a 2 ( w 22 x 2 + w 21 x + w 20 ) + a 3 ( w 32 x 2 + w 31 x + w 30 ) + a 4 ( w 42 x 2 + w 41 x + w 40 ) = ( a 1 w 12 + a 2 w 22 + a 3 w 32 + a 4 w 42 ) x 2 + ( a 1 w 11 + a 2 w 21 + a 3 w 31 + a 4 w 41 ) x + ( a 1 w 10 + a 2 w 20 + a 3 w 30 + a 4 w 40 ) = w 2 a x 2 + w 1 a x + w 0 a
在每种情况下,由于我们将 4 个最高次数为 2 的多项式相加,我们会得到一个次数为 2 的多项式。
在一般表达式中,∑ i = 1 m a i p i ( x ) \sum_{i=1}^m a_ip_i(x) ∑ i = 1 m a i p i ( x ) p ( x ) p(x) p ( x ) ( a 1 w 12 + a 2 w 22 + a 3 w 32 + a 4 w 42 ) x 2 (a_1w_{12}+a_2w_{22}+a_3w_{32}+a_4w_{42})x^2 ( a 1 w 12 + a 2 w 22 + a 3 w 32 + a 4 w 42 ) x 2 p i a p_{ia} p ia i i i a _a a a \mathbf{a} a
以下是以这种方式化简后的多项式:
∑ i = 1 4 a i u i ( x ) = u 2 a x 2 + u 1 a x + u 0 a ∑ i = 1 4 a i v i ( x ) = v 2 a x 2 + v 1 a x + v 0 a ∑ i = 1 4 a i w i ( x ) = w 2 a x 2 + w 1 a x + w 0 a \begin{align*}
\sum_{i=1}^4 a_iu_i(x) &= u_{2a}x^2+u_{1a}x+u_{0a}\\
\sum_{i=1}^4 a_iv_i(x) &= v_{2a}x^2+v_{1a}x+v_{0a}\\
\sum_{i=1}^4 a_iw_i(x) &= w_{2a}x^2+w_{1a}x+w_{0a}\\
\end{align*} i = 1 ∑ 4 a i u i ( x ) i = 1 ∑ 4 a i v i ( x ) i = 1 ∑ 4 a i w i ( x ) = u 2 a x 2 + u 1 a x + u 0 a = v 2 a x 2 + v 1 a x + v 0 a = w 2 a x 2 + w 1 a x + w 0 a
将可信设置与 QAP 结合
我们现在可以应用从可信设置中获取的结构化参考字符串 (structured reference string) 来评估这些多项式。
也就是说,给定一个结构化参考字符串
[ Ω 2 , Ω 1 , G 1 ] , [ Θ 2 , Θ 1 , G 2 ] , Ω i ∈ G 1 , Θ i ∈ G 2 [\Omega_2, \Omega_1, G_1], [\Theta_2, \Theta_1, G_2], \space\Omega_i \in \mathbb{G}_1, \space\Theta_i \in \mathbb{G}_2 [ Ω 2 , Ω 1 , G 1 ] , [ Θ 2 , Θ 1 , G 2 ] , Ω i ∈ G 1 , Θ i ∈ G 2
它在可信设置中是这样计算得出的:
[ Ω 2 , Ω 1 , G 1 ] = [ τ 2 G 1 , τ G 1 , G 1 ] , Ω i ∈ G 1 [ Θ 2 , Θ 1 , G 2 ] = [ τ 2 G 2 , τ G 2 , G 2 ] , Θ i ∈ G 2 \begin{align*}
[\Omega_2, \Omega_1, G_1] &= [\tau^2G_1, \tau G_1, G_1], \space\Omega_i \in \mathbb{G}_1\\
[\Theta_2, \Theta_1, G_2] &= [\tau^2G_2, \tau G_2, G_2], \space\Theta_i \in \mathbb{G}_2
\end{align*} [ Ω 2 , Ω 1 , G 1 ] [ Θ 2 , Θ 1 , G 2 ] = [ τ 2 G 1 , τ G 1 , G 1 ] , Ω i ∈ G 1 = [ τ 2 G 2 , τ G 2 , G 2 ] , Θ i ∈ G 2
我们可以计算:
[ A ] 1 = ∑ i = 1 4 a i u i ( τ ) = ⟨ [ u 2 a , u 1 a , u 0 a ] , [ Ω 2 , Ω 1 , G 1 ] ⟩ [ B ] 2 = ∑ i = 1 4 a i v i ( τ ) = ⟨ [ v 2 a , v 1 a , v 0 a ] , [ Θ 2 , Θ 1 , G 2 ] ⟩ [ C ] 1 = ∑ i = 1 4 a i w i ( τ ) = ⟨ [ v 2 a , v 1 a , v 0 a ] , [ Ω 2 , Ω 1 , G 1 ] ⟩ \begin{align*}
[A]_1 &=\sum_{i=1}^4 a_iu_i(\tau) = \langle[u_{2a}, u_{1a}, u_{0a}],[\Omega_2, \Omega_1, G_1]\rangle\\
[B]_2 &=\sum_{i=1}^4 a_iv_i(\tau) = \langle[v_{2a}, v_{1a}, v_{0a}],[\Theta_2, \Theta_1, G_2]\rangle\\
[C]_1 &=\sum_{i=1}^4 a_iw_i(\tau) = \langle[v_{2a}, v_{1a}, v_{0a}],[\Omega_2, \Omega_1, G_1]\rangle \\
\end{align*} [ A ] 1 [ B ] 2 [ C ] 1 = i = 1 ∑ 4 a i u i ( τ ) = ⟨[ u 2 a , u 1 a , u 0 a ] , [ Ω 2 , Ω 1 , G 1 ]⟩ = i = 1 ∑ 4 a i v i ( τ ) = ⟨[ v 2 a , v 1 a , v 0 a ] , [ Θ 2 , Θ 1 , G 2 ]⟩ = i = 1 ∑ 4 a i w i ( τ ) = ⟨[ v 2 a , v 1 a , v 0 a ] , [ Ω 2 , Ω 1 , G 1 ]⟩
在这里,u i ( τ ) , v i ( τ ) , w i ( τ ) u_i(\tau), v_i(\tau), w_i(\tau) u i ( τ ) , v i ( τ ) , w i ( τ ) τ \tau τ τ \tau τ τ \tau τ τ \tau τ
我们已经使用 srs 计算了 QAP 的大部分内容,但我们还没有计算 h ( x ) t ( x ) h(x)t(x) h ( x ) t ( x )
∑ i = 1 m a i u i ( x ) ⏟ [ A ] 1 ∑ i = 1 m a i v i ( x ) ⏟ [ B ] 2 = ∑ i = 1 m a i w i ( x ) ⏟ [ C ] 1 + h ( x ) t ( x ) ⏟ ? ? \underbrace{\sum_{i=1}^m a_iu_i(x)}_{[A]_1}\underbrace{\sum_{i=1}^m a_iv_i(x)}_{[B]_2} = \underbrace{\sum_{i=1}^m a_iw_i(x)}_{[C]_1} + \underbrace{h(x)t(x)}_{??} [ A ] 1 i = 1 ∑ m a i u i ( x ) [ B ] 2 i = 1 ∑ m a i v i ( x ) = [ C ] 1 i = 1 ∑ m a i w i ( x ) + ?? h ( x ) t ( x )
计算 h ( x ) t ( x ) h(x)t(x) h ( x ) t ( x )
回顾一下,t ( x ) t(x) t ( x ) n n n h ( x ) h(x) h ( x ) n − 2 n - 2 n − 2 h ( x ) t ( x ) h(x)t(x) h ( x ) t ( x )
执行可信设置的人知道 t ( x ) t(x) t ( x ) ( x − 1 ) ( x − 2 ) . . . ( x − n ) (x - 1)(x - 2)...(x - n) ( x − 1 ) ( x − 2 ) ... ( x − n ) h ( x ) h(x) h ( x ) a \mathbf{a} a
请注意,我们不能分别评估 h ( τ ) h(\tau) h ( τ ) t ( τ ) t(\tau) t ( τ ) G 1 \mathbb{G}_1 G 1
多项式乘积的 SRS
观察到以下计算都会得出相同的值:
多项式 h ( x ) t ( x ) h(x)t(x) h ( x ) t ( x ) u u u ( h ( x ) t ( x ) ) ( u ) (h(x)t(x))(u) ( h ( x ) t ( x )) ( u )
h ( u ) h(u) h ( u ) t ( u ) t(u) t ( u ) h ( u ) t ( u ) h(u)t(u) h ( u ) t ( u ) h h h u u u t t t u u u h ( x ) h(x) h ( x ) t ( u ) t(u) t ( u ) u u u ( h ( x ) t ( u ) ) ( u ) (h(x)t(u))(u) ( h ( x ) t ( u )) ( u )
我们将使用第三种方法来计算 h ( τ ) t ( τ ) h(\tau)t(\tau) h ( τ ) t ( τ ) h ( x ) h(x) h ( x ) 3 x 2 + 6 x + 2 3x^2 + 6x + 2 3 x 2 + 6 x + 2 t ( u ) = 4 t(u) = 4 t ( u ) = 4
h ( x ) t ( u ) = ( 3 x 2 + 6 x + 2 ) ⋅ 4 = 12 x 2 + 24 x + 8 h(x)t(u) = (3x^2 + 6x + 2) \cdot 4 = 12x^2 + 24x + 8 h ( x ) t ( u ) = ( 3 x 2 + 6 x + 2 ) ⋅ 4 = 12 x 2 + 24 x + 8
如果我们将 u u u 12 x 2 + 24 x + 8 12x^2 + 24x + 8 12 x 2 + 24 x + 8 h ( u ) t ( u ) h(u)t(u) h ( u ) t ( u )
然而,在 τ \tau τ τ \tau τ
h ( u ) t ( u ) = ⟨ [ 3 , 6 , 2 ] , [ 4 u 2 , 4 u , 4 ] ⟩ = 12 u 2 + 24 u + 8 h(u)t(u) = \langle[3, 6, 2], [4u^2, 4u, 4]\rangle=12u^2+24u+8 h ( u ) t ( u ) = ⟨[ 3 , 6 , 2 ] , [ 4 u 2 , 4 u , 4 ]⟩ = 12 u 2 + 24 u + 8
如果可信设置提供 [ 4 u 2 , 4 u , 4 ] [4u^2, 4u, 4] [ 4 u 2 , 4 u , 4 ] [ 3 , 6 , 2 ] [3, 6, 2] [ 3 , 6 , 2 ] u u u h ( u ) t ( u ) h(u)t(u) h ( u ) t ( u ) u u u
用于 h ( τ ) t ( τ ) h(\tau)t(\tau) h ( τ ) t ( τ )
为了给 h ( τ ) t ( τ ) h(\tau)t(\tau) h ( τ ) t ( τ ) n − 1 n - 1 n − 1 t ( τ ) t(\tau) t ( τ ) τ \tau τ
[ Υ n − 2 , Υ n − 3 , . . . , Υ 1 , Υ 0 ] = [ τ n − 2 t ( τ ) G 1 , τ n − 3 t ( τ ) G 1 , . . . , τ t ( τ ) G 1 , t ( τ ) G 1 ] [\Upsilon_{n-2}, \Upsilon_{n-3}, ..., \Upsilon_1, \Upsilon_0] = [\tau^{n-2}t(\tau)G_1, \tau^{n-3}t(\tau)G_1, ..., \tau t(\tau)G_1, t(\tau)G_1] [ Υ n − 2 , Υ n − 3 , ... , Υ 1 , Υ 0 ] = [ τ n − 2 t ( τ ) G 1 , τ n − 3 t ( τ ) G 1 , ... , τ t ( τ ) G 1 , t ( τ ) G 1 ]
(有点令人困惑的是,一个 k k k k + 1 k+1 k + 1 k − 2 k - 2 k − 2 k − 1 k - 1 k − 1 n − 1 {n-1} n − 1
在这里,n n n h h h n − 2 n - 2 n − 2
为了使用结构化参考字符串计算 h ( τ ) t ( τ ) h(\tau)t(\tau) h ( τ ) t ( τ )
h ( τ ) t ( τ ) = ⟨ [ h n − 2 , h n − 3 , . . . , h 1 , h 0 ] , [ Υ n − 2 , Υ n − 3 , . . . , Υ 1 , Υ 0 ] ⟩ h(\tau)t(\tau) = \langle[h_{n-2}, h_{n-3}, ..., h_1, h_0], [\Upsilon_{n-2}, \Upsilon_{n-3}, ..., \Upsilon_1, \Upsilon_0] \rangle h ( τ ) t ( τ ) = ⟨[ h n − 2 , h n − 3 , ... , h 1 , h 0 ] , [ Υ n − 2 , Υ n − 3 , ... , Υ 1 , Υ 0 ]⟩
在可信设置上评估 QAP
我们现在将一切联系起来。假设我们有一个 R1CS,其矩阵有 n n n m m m
∑ i = 1 m a i u i ( x ) ∑ i = 1 m a i v i ( x ) = ∑ i = 1 m a i w i ( x ) + h ( x ) t ( x ) \sum_{i=1}^m a_iu_i(x)\sum_{i=1}^m a_iv_i(x) = \sum_{i=1}^m a_iw_i(x) + h(x)t(x) i = 1 ∑ m a i u i ( x ) i = 1 ∑ m a i v i ( x ) = i = 1 ∑ m a i w i ( x ) + h ( x ) t ( x )
每个求和项将产生一个最高次数为 n − 1 n - 1 n − 1 h ( x ) h(x) h ( x ) n − 2 n - 2 n − 2 t ( x ) t(x) t ( x ) n n n
可信设置生成一个随机域元素 τ \tau τ
[ Ω n − 1 , Ω n − 2 , . . . , Ω 1 , G 1 ] = [ τ n − 1 G 1 , τ n − 2 G 1 , … , τ G 1 , G 1 ] [ Θ n − 1 , Θ n − 2 , . . . , Θ 1 , G 2 ] = [ τ n − 1 G 2 , τ n − 2 G 2 , … , τ G 2 , G 2 ] [ Υ n − 2 , Υ n − 3 , . . . , Υ 1 , Υ 0 ] = [ τ n − 2 t ( τ ) G 1 , τ n − 3 t ( τ ) G 1 , . . . , τ t ( τ ) G 1 , t ( τ ) G 1 ] \begin{align*}
[\Omega_{n-1},\Omega_{n-2},..., \Omega_1, G_1] &= [\tau^{n-1}G_1, \tau^{n-2}G_1,\dots, \tau G_1, G_1]\\
[\Theta_{n-1}, \Theta_{n-2}, ..., \Theta_1, G_2] &= [\tau^{n-1}G_2, \tau^{n-2}G_2,\dots, \tau G_2, G_2]\\
[\Upsilon_{n-2}, \Upsilon_{n-3}, ..., \Upsilon_1, \Upsilon_0] &= [\tau^{n-2}t(\tau)G_1, \tau^{n-3}t(\tau)G_1, ..., \tau t(\tau)G_1, t(\tau)G_1]
\end{align*} [ Ω n − 1 , Ω n − 2 , ... , Ω 1 , G 1 ] [ Θ n − 1 , Θ n − 2 , ... , Θ 1 , G 2 ] [ Υ n − 2 , Υ n − 3 , ... , Υ 1 , Υ 0 ] = [ τ n − 1 G 1 , τ n − 2 G 1 , … , τ G 1 , G 1 ] = [ τ n − 1 G 2 , τ n − 2 G 2 , … , τ G 2 , G 2 ] = [ τ n − 2 t ( τ ) G 1 , τ n − 3 t ( τ ) G 1 , ... , τ t ( τ ) G 1 , t ( τ ) G 1 ]
请注意,结构化参考字符串需要有足够的项来容纳 QAP 中的多项式。
然后,可信设置销毁 τ \tau τ
( [ Ω 2 , Ω 1 , G 1 ] , [ Θ 2 , Θ 1 , G 2 ] , [ Υ n − 2 , Υ n − 3 , . . . , Υ 1 , Υ 0 ] ) ([\Omega_2, \Omega_1, G_1], [\Theta_2, \Theta_1, G_2], [\Upsilon_{n-2}, \Upsilon_{n-3}, ..., \Upsilon_1, \Upsilon_0]) ([ Ω 2 , Ω 1 , G 1 ] , [ Θ 2 , Θ 1 , G 2 ] , [ Υ n − 2 , Υ n − 3 , ... , Υ 1 , Υ 0 ])
证明者对 QAP 的各个组成部分进行如下评估:
∑ i = 1 m a i u i ( x ) ⏟ A ∑ i = 1 m a i v i ( x ) ⏟ B = ∑ i = 1 m a i w i ( x ) + h ( x ) t ( x ) ⏟ C \underbrace{\sum_{i=1}^m a_iu_i(x)}_{A}\underbrace{\sum_{i=1}^m a_iv_i(x)}_B = \underbrace{\sum_{i=1}^m a_iw_i(x) + h(x)t(x)}_{C} A i = 1 ∑ m a i u i ( x ) B i = 1 ∑ m a i v i ( x ) = C i = 1 ∑ m a i w i ( x ) + h ( x ) t ( x )
[ A ] 1 = ∑ i = 1 m a i u i ( τ ) = ⟨ [ u n − 1 a , u n − 2 a , … , u 1 a , u 0 a ] , [ Ω n − 1 , Ω n − 2 , … , Ω 1 , G 1 ] ⟩ [ B ] 2 = ∑ i = 1 m a i v i ( τ ) = ⟨ [ v n − 1 a , v n − 2 a , … , v 1 a , v 0 a ] , [ Θ n − 1 , Θ n − 2 , … , Θ 1 , G 2 ] ⟩ [ C ] 1 = ∑ i = 1 m a i w i ( τ ) + h ( τ ) t ( τ ) = ⟨ [ w n − 1 a , w n − 2 a , … , w 1 a , w 0 a ] , [ Ω n − 1 , Ω n − 2 , … , Ω 1 , G 1 ] ⟩ + ⟨ [ h n − 2 , h n − 3 , … , h 1 , h 0 ] , [ Υ n − 2 , Υ n − 3 , … , Υ 1 , Υ 0 ] ⟩ \begin{align*}
[A]_1 &=\sum_{i=1}^m a_iu_i(\tau) = \langle[u_{{n-1}a}, u_{{n-2}a}, \dots, u_{1a}, u_{0a}],[\Omega_{n-1}, \Omega_{n-2}, \dots, \Omega_1, G_1]\rangle\\
[B]_2 &=\sum_{i=1}^m a_iv_i(\tau) = \langle[v_{{n-1}a}, v_{{n-2}a}, \dots, v_{1a}, v_{0a}],[\Theta_{n-1}, \Theta_{n-2}, \dots, \Theta_1, G_2]\rangle\\
[C]_1 &=\sum_{i=1}^m a_iw_i(\tau) + h(\tau)t(\tau) = \langle[w_{{n-1}a}, w_{{n-2}a}, \dots, w_{1a}, w_{0a}],[\Omega_{n-1}, \Omega_{n-2}, \dots, \Omega_1, G_1]\rangle \\
&+\langle[h_{n-2}, h_{n-3}, \dots, h_1, h_0], [\Upsilon_{n-2}, \Upsilon_{n-3}, \dots, \Upsilon_1, \Upsilon_0] \rangle\\
\end{align*} [ A ] 1 [ B ] 2 [ C ] 1 = i = 1 ∑ m a i u i ( τ ) = ⟨[ u n − 1 a , u n − 2 a , … , u 1 a , u 0 a ] , [ Ω n − 1 , Ω n − 2 , … , Ω 1 , G 1 ]⟩ = i = 1 ∑ m a i v i ( τ ) = ⟨[ v n − 1 a , v n − 2 a , … , v 1 a , v 0 a ] , [ Θ n − 1 , Θ n − 2 , … , Θ 1 , G 2 ]⟩ = i = 1 ∑ m a i w i ( τ ) + h ( τ ) t ( τ ) = ⟨[ w n − 1 a , w n − 2 a , … , w 1 a , w 0 a ] , [ Ω n − 1 , Ω n − 2 , … , Ω 1 , G 1 ]⟩ + ⟨[ h n − 2 , h n − 3 , … , h 1 , h 0 ] , [ Υ n − 2 , Υ n − 3 , … , Υ 1 , Υ 0 ]⟩
证明者发布 ( [ A ] 1 , [ B ] 2 , [ C ] 1 ) ([A]_1, [B]_2, [C]_1) ([ A ] 1 , [ B ] 2 , [ C ] 1 )
[ A ] 1 ∙ [ B ] 2 = ? [ C ] 1 ∙ G 2 [A]_1 \bullet [B]_2 \stackrel{?}= [C]_1 \bullet G_2 [ A ] 1 ∙ [ B ] 2 = ? [ C ] 1 ∙ G 2
如果 witness a \mathbf{a} a a \mathbf{a} a
证明非常小
观察到证明仅由三个椭圆曲线点组成。如果一个 G 1 \mathbb{G}_1 G 1 G 2 \mathbb{G}_2 G 2 无论 R1CS 的大小如何,这都是成立的!
R1CS 越大,证明者的工作量就越大,但验证者的工作量保持不变。
解决此问题的方法在下一章关于 Groth16 protocol 中有描述。
在 Groth16 中,证明仍然保持固定大小,这可以从 Tornado Cash 源代码中名为 Proof 的 struct 处看到。
最初发布于 2023 年 8 月 28 日