第 5 课补充讲义

现代 SNARK 由两个部分组成：信息论交互式预言机证明 (IOP) [1]；和一个兼容的密码承诺方案，它将 IOP“编译”成一个论证系统 [5]。本讲义介绍几种常用的承诺方案。

IOP 是“信息论的”，因为即使针对 计算无界 的证明者和验证者，它也能提供可靠性和零知识保证。为了使这成为可能，证明系统做出了“预言机访问”的理想化假设：换句话说，验证者只能通过随机查询访问证明者的消息。

承诺方案使用密码原语（例如单向函数）实例化此预言机访问：因此，由此产生的论证系统仅对于 计算有界 的证明者和验证者而言是安全的。为了实现简洁的论证系统，所选择的承诺方案必须提供相对于被证明的计算而言较低的通信复杂性。

图 1： $k$ 轮交互式预言机证明系统。在第 $i$ 轮中：验证者 $V$ 发送消息 $m_{i}$ 给证明者 $P$ ；然后， $P$ 回复消息 $f_{i}$ ， $V$ 可以在本轮和所有后续轮次中查询（通过随机访问）。在 $k$ 轮交互之后， $V$ 要么接受要么拒绝。

英文原文

Modern SNARKs consist of two components: an information-theoretic interactive oracle proof (IOP) [1]; and a compatible cryptographic commitment scheme, which "compiles" the IOP into an argument system [5]. This note introduces several commonly used commitment schemes.

An IOP is "information-theoretic" in that it provides soundness and zero-knowledge guarantees even when the prover and verifier are computationally unbounded. To make this possible, the proof system makes the idealised assumption of "oracle access": in other words, the verifier can only access the prover's messages through random queries.

The commitment scheme instantiates this oracle access using cryptographic primitives (e.g. a one-way function): as a consequence, the resulting argument system is only secure with respect to a computationally bounded prover and/or verifier. To realise a succinct argument system, the chosen commitment scheme must provide low communication complexity relative to the computation being proven.

Figure 1: A $k$ -round interactive oracle proof system. In the $i$ -th round: the verifier $V$ sends a message $m_{i}$ to the prover $P$ ; then, $P$ replies with a message $f_{i}$ , which $V$ can query (via random access) in this and all later rounds. After the $k$ rounds of interaction, $V$ either accepts or rejects.

正式定义

定义 1.1（承诺方案）。承诺方案是 PPT 算法的元组 $Γ =$ (Setup, Commit, Open)，其中：

$Setup (1^{λ}) \to pp$ 采用安全参数 $λ$ （一元）并生成公共参数 $pp$ ；
$Commit (pp; m) \to (C; r)$ 获取秘密消息 $m$ 并输出公开承诺 $C$ 和（可选）秘密打开提示 $r$ （可能为随机数）。
$Open (pp, C; m, r) \to b \in {0, 1}$ 利用打开提示 $r$ ，验证承诺 $C$ 对消息 $m$ 的打开。

承诺方案 $Γ$ 具有绑定性，如果对所有 $PPT$ 对手 $A$ 而言：

\Pr [\begin{array}{ll} pp \leftarrow Setup (1^{λ}) \\ b_{0} = b_{1} \neq 0 \land m_{0} \neq m_{1} : & (C, m_{0}, m_{1}, r_{0}, r_{1}) \leftarrow A (pp) \\ b_{0} \leftarrow Open (pp, C, m_{0}, r_{0}) \\ b_{1} \leftarrow Open (pp, C, m_{1}, r_{1}) \end{array}] \leq neg (λ)

通俗来说，这意味着如果没有对手可以生成某个不同的消息 $m_{1}$ 的有效打开并与消息 $m_{0}$ 相对应，则说明消息 $m_{0}$ 与有效承诺 $C$ 具有绑定性。

承诺方案 $Γ$ 具有隐藏性，如果对于任何多项式时间对手 $A$ 而言：

| \Pr [\begin{array}{cl} pp \leftarrow Setup (1^{λ}) \\ (m_{0}, m_{1}, s t) \leftarrow A (pp) \\ b_{0} = b^{'} : & b \overset{$}{\leftarrow} {0, 1} \\ (C_{b}; r_{b}) \leftarrow Commit (pp; m_{b}) \\ b^{'} \leftarrow A (pp, s t, C_{b}) \end{array}] - 1 / 2 | = negl (λ)

通俗来说，如果在承诺方案中，没有人能够“逆向工程”以确定到底是哪一条消息被承诺了，那么该承诺具有隐藏性。

回忆一下：“上锁的盒子”。 [第3讲：“数学基础构件”]

在汉密尔顿回路示例中，我们使用抗碰撞的哈希函数来构建我们的承诺方案：

$r \leftarrow {0, 1}^{256}$ 是输入到哈希函数的随机采样密钥。
Commit: $hash (m; r) = h$ 。
Open: 检查 $h \overset{?}{=} hash (m; r)$ .

英文原文

Definition 1.1 (Commitment scheme). A commitment scheme is a tuple $Γ =$ (Setup, Commit, Open) of PPT algorithms where:

$Setup (1^{λ}) \to pp$ takes security parameter $λ$ (in unary) and generates public parameters $pp$ ;
Commit $(pp; m) \to (C; r)$ takes a secret message $m$ and outputs a public commitment $C$ and (optionally) a secret opening hint $r$ (which might or might not be the randomness used in the computation).
Open $(pp, C; m, r) \to b \in {0, 1}$ verifies the opening of the commitment $C$ to the message $m$ provided with the opening hint $r$ .

A commitment scheme $Γ$ is binding if for all $PPT$ adversaries $A$ :

\Pr [\begin{array}{ll} pp \leftarrow Setup (1^{λ}) \\ b_{0} = b_{1} \neq 0 \land m_{0} \neq m_{1} : & (C, m_{0}, m_{1}, r_{0}, r_{1}) \leftarrow A (pp) \\ b_{0} \leftarrow Open (pp, C, m_{0}, r_{0}) \\ b_{1} \leftarrow Open (pp, C, m_{1}, r_{1}) \end{array}] \leq neg (λ)

Informally, this states that a valid commitment $C$ to a message $m_{0}$ is binding if no adversary can produce a valid opening to some different message $m_{1}$ .

A commitment scheme $Γ$ is hiding if for any polynomial-time adversary $A$ :

\Pr [\begin{array}{cl} pp \leftarrow Setup (1^{λ}) \\ (m_{0}, m_{1}, s t) \leftarrow A (pp) \\ b_{0} = b^{'} : & b \overset{$}{\leftarrow} {0, 1} \\ (C_{b}; r_{b}) \leftarrow Commit (pp; m_{b}) \\ b^{'} \leftarrow A (pp, s t, C_{b}) \end{array}] - 1 / 2 ∣= negl (λ)

Informally, this states that if a commitment is hiding if an adversary cannot "reverse-engineer" which of their messages was committed to.

Recall: "locked boxes". [Lecture 3: "Mathematical Building Blocks"]

In the Hamilton cycle example, we use a collision-resistant hash function to construct our commitment scheme:

$r \leftarrow {0, 1}^{256}$ is a randomly sampled secret key that is input to the hash function.
Commit: hash $(m; r) = h$ .
Open : check $h \overset{?}{=} hash (m; r)$ .

构造 Constructions

向量承诺 Vector commitment scheme

针对消息集 $M$ 的向量承诺方案[2]，即针对向量 $\vec{m} = (m_{1}, \dots, m_{k}) \in M^{k}$ 的承诺方案。向量承诺的主要安全性质是 位置绑定 ：

定义 2.1（位置绑定）。对于任何 PPT 敌手 $A$ 来说，向量承诺方案 $Γ$ 是位置绑定的，如果：

\Pr [\begin{array}{ll} Open (pp, C, \vec{m}, i) \to 1 \\ Open (pp, C, \vec{m^{'}}, i) & pp \overset{$}{\leftarrow} Setup (1^{λ}) \\ m \neq m^{'} & A (pp) \to (c, \vec{m}, \vec{m^{'}}, i) \end{array}] \leq negl (λ)

通俗来说，没有任何敌手可以在同一个位置上用两个不同的值打开 $C$ 。

向量 Pedersen 承诺。Pedersen 承诺[9]是一个在消息空间 $F_{q}$ 上具有绑定性和隐藏性的承诺方案。对于一个秘密消息 $m \in Z_{q}$ ：

Pedersen.Setup $(1^{λ}, q) \to pp : pp = G, H \in G$ ，其中 $G$ 是一个阶为 $q$ 的群。
Pedersen.Commit $(pp; m) \to (C; r) : C = [m] G + [r] H$ ，其中 $r \in Z_{q}$ 是一个秘密随机值。
Pedersen.Open $(pp, C; m, r) \to {0, 1} :$ 证明者 $P$ 揭示 $m$ 和 $r$ ，验证者 $V$ 检查 $C \overset{?}{=} [m] G + [r] H$ 。

需要注意的是，Pedersen 承诺具有加法同态性：

\begin{aligned} Commit (m, r) + Commit (m^{'}, r^{'}) & = [m] G + [r] H + [m^{'}] G + [r^{'}] H \\ = [m + m^{'}] G + [r + r^{'}] H \\ = Commit (m + m^{'}, r + r^{'}) . \end{aligned}

练习

证明 Pedersen 承诺方案是具有隐藏性和绑定性的。

请注意，在群 $G$ 中，找到一个给定基 $G$ 的群元素 $P$ 的离散对数一般是困难的。换句话说，即难以找到 $x$ 使得 $P = [x] G$ 。

隐藏性：在给定承诺 $C$ 的情况下，每个值 $m$ 是否均等地有可能成为 $C$ 对应的隐藏值？
绑定性：证明者是否能够找到 $m, m^{'}, m \neq m^{'}$ ，使得 $C =$ Pedersen.Commit $(pp; m) \land C =$ Pedersen.Commit $(pp; m^{'})$ ？

我们可以将 Pedersen 承诺方案扩展到消息空间 $F_{q}^{k}$ 中的向量以得到 VectorPedersen。对于一个消息 $\vec{m} = (m_{0}, \dots, m_{k - 1})$ ：

VectorPedersen.Setup $(1^{λ}, q, k) \to pp : pp = (G_{0}, \dots, G_{k - 1}), H \in G$ ，其中 $G$ 是一个阶为 $q$ 的群。
VectorPedersen.Commit $(pp; \vec{m}) \to (C; r) : C = [r] H + \sum_{i = 0}^{k - 1} [m_{i}] G_{i}$ ，其中 $r \in Z_{q}$ 是一个秘密随机值。
VectorPedersen.Open $(pp, C; \vec{m}, r) \to {0, 1} :$ 证明者 $P$ 揭示 $m$ 和 $r$ ，验证者 $V$ 检查 $C \overset{?}{=} [r] H + \sum_{i = 0}^{k - 1} [m_{i}] G_{i}$ 。

练习

证明 VectorPedersen 是具有加法同态性，即

\begin{aligned} VectorPedersen.Commit (pp; \vec{m}) + VectorPedersen.Commit (pp; \vec{m^{'}}) \\ = & VectorPedersen.Commit (pp; m + m^{'}) . \end{aligned}

Merkle 树。一个常用的构建向量承诺的解决方案是 Merkle 树 [8]。它被用于像 Git、Cassandra 和 Bitcoin 这样的分布式系统中用于汇总数据集。Merkle 树也具有隐藏性和可提取性，这些安全特性使它成为在随机预言机模型中将 IOP 编译为非交互式证明的理想选择 [1]。

图 2：Merkle 树的每个内部节点都是其两个子节点的哈希值。

Merkle.Commit $(pp; \vec{m}) \to C$ ：对于 $\vec{m}$ 中的每个 $m_{i}$ ，计算哈希值 $h_{i} = Hash (m_{i})$ 。计算 Merkle 树的内部节点 $h_{i j} = Hash (h_{i}, h_{j})$ 。输出 $C = root = h_{1 q}$ 。
Merkle.Open $(pp, C, \vec{m}, i) \to b \in {0, 1}$ ：
- a) 证明者 $P$ 计算从 $h_{i}$ 到根节点的内部节点路径，并得到证据 $π = (m_{i}, p a t h)$ 。
- b) 验证者 $V$ 检查根节点是否可以通过将 $m_{i}$ 和路径一起计算哈希得到。

英文原文

A vector commitment scheme [2] for the message space $M$ is a commitment scheme for a vector $\vec{m} = (m_{1}, \dots, m_{k}) \in M^{k}$ . The main security property for a vector commitment is position binding:

Definition 2.1 (Position binding). A vector commitment scheme $Γ$ is position binding if for any PPT adversary $A$ :

\Pr [\begin{array}{ll} Open (pp, C, \vec{m}, i) \to 1 \\ Open (pp, C, \vec{m^{'}}, i) & pp \overset{$}{\leftarrow} Setup (1^{λ}) \\ m \neq m^{'} & A (pp) \to (c, \vec{m}, \vec{m^{'}}, i) \end{array}] \leq negl (λ)

Informally, this states that no adversary can open $C$ to two different values at the same position.

Vector Pedersen commitment. The Pedersen commitment [9] is a binding and hiding commitment scheme for the message space $F_{q}$ . For a secret message $m \in Z_{q}$ :

Pedersen.Setup $(1^{λ}, q) \to pp : pp = G, H \in G$ , where $G$ is a cryptographic group of order $q$ .
Pedersen.Commit $(pp; m) \to (C; r) : C = [m] G + [r] H$ , where $r \in Z_{q}$ is a random secret.
Pedersen.Open $(pp, C; m, r) \to {0, 1} :$ the prover $P$ reveals $m$ and $r$ , and the verifier $V$ checks $C \overset{?}{=} [m] G + [r] H$

Note that the Pedersen commitment is additively homomorphic:

\begin{aligned} Commit (m, r) + Commit (m^{'}, r^{'}) & = [m] G + [r] H + [m^{'}] G + [r^{'}] H \\ = [m + m^{'}] G + [r + r^{'}] H \\ = Commit (m + m^{'}, r + r^{'}) . \end{aligned}

Exercise. Convince yourself that the Pedersen commitment scheme is hiding and binding.

Note that a cryptographic group $G$ is a group where the problem of finding a discrete logarithm of a group element $P$ to a given base $G$ is hard in general. In other words, it is hard to find $x$ such that $P = [x] G$ .

hiding: given a commitment $C$ , is every value $m$ equally likely to be the value committed in $C ?$
binding: can a prover find $m, m^{'}, m \neq m^{'}$ such that $C =$ Pedersen.Commit $(pp; m) \land C =$ Pedersen.Commit $(pp; m^{'})$ ?

We can extend the Pedersen commitment scheme to get VectorPedersen over vectors in the message space $F_{q}^{k}$ . For a message $\vec{m} = (m_{0}, \dots, m_{k - 1})$ :

VectorPedersen.Setup $(1^{λ}, q, k) \to pp : pp = (G_{0}, \dots, G_{k - 1}), H \in G$ , where $G$ is a cryptographic group of $order q$ .
VectorPedersen.Commit $(pp; \vec{m}) \to (C; r) : C = [r] H + \sum_{i = 0}^{k - 1} [m_{i}] G_{i}$ , where $r \in Z_{q}$ is a random secret.
VectorPedersen.Open $(pp, C; \vec{m}, r) \to {0, 1} :$ the prover $P$ reveals $m$ and $r$ , and the verifier $V$ checks $C \overset{?}{=} [r] H + \sum_{i = 0}^{k - 1} [m_{i}] G_{i}$

Exercise. Convince yourself that VectorPedersen is additively homomorphic, i.e.

\begin{aligned} VectorPedersen.Commit (pp; \vec{m}) + VectorPedersen.Commit (pp; \vec{m^{'}}) \\ = & VectorPedersen.Commit (pp; m + m^{'}) . \end{aligned}

Merkle tree. A well-known solution for building vector commitments is a Merkle tree [8]. It is used in distributed systems like Git, Cassandra, and Bitcoin for summarizing sets of data. Merkle trees also have hiding and extractability properties, which make them an ideal candidate for compiling an IOP into a non-interactive proof secure in the random oracle model [1].

Figure 2: Each inner node of a Merkle tree is the hashed value of its two children.

Merkle.Commit $(pp; \vec{m}) \to C$ : for each $m_{i} \in \vec{m}$ , compute a hash $h_{i} = Hash (m_{i})$ . Compute the inner nodes of the Merkle tree $h_{i j} = Hash (h_{i}, h_{j})$ . Output $C = root = h_{1 q}$ .
Merkle. Open $(pp, C, \vec{m}, i) \to b \in {0, 1}$ :

a) the prover $P$ computes the path of inner nodes from $h_{i}$ to root, and $π = (m_{i}, p a t h)$ ;

b) the verifier $V$ checks that root can be recovered by hashing $m_{i}$ with path.

多项式承诺方案

单变量多项式承诺方案是针对消息空间 $F^{\leq d} [X]$ 的一种承诺方案，其中 $d \in N$ 是最高次数，系数属于域 $F = Z_{p}$ ，表示单变量多项式的集合。

它支持证明已承诺多项式在特定点上的正确评估的知识论证。在多项式中可以编码许多信息：我们将在第 7 讲（“算术化”）和第 8 讲（“PlonK 和多项式恒等式”）中看到，任意关系都可以表示为一个多项式。

KZG 承诺方案[6]。这在像 Sonic [7]、Marlin [3] 和 PlonK [4] 这样的协议中使用。（Marlin 和 PlonK 通过构建不同的多项式 IOP 对 Sonic 进行了改进）。

回忆：双线性映射密码学

给定循环群 $G_{1}, G_{2}, G_{T}$ ，所有的阶均为素数 $p$ ，其配对是一个非退化的双线性映射

e : G_{1} \times G_{2} \to G_{T}

双线性: $e ([a] P, [b] Q) = e (P, Q)^{a \cdot b}$
非退化: 对于生成元 $G_{1} \in G_{1}$ 和 $G_{2} \in G_{2}$ ， $G_{T} := e (G_{1}, G_{2}) \in G_{T}$ 是一个生成元。

在本讲中，我们将使用简写符号 $[x]_{1} := [x] G_{1}, [x]_{2} := [x] G_{2}$ ，其中 $x \in F_{p}$ 。

KZG.Setup $(1^{λ}, d) \to s r s$ : 设置 $s r s = (ck, vk) = ({{[α^{i}]}_{1}}_{i = 0}^{d - 1}, [α]_{2})$ . $α$ 是一个秘密元素，必须在 Setup 后丢弃。
KZG.Commit $(ck; f (X)) \to C :$ 对于 $f (X) = \sum_{i = 0}^{d - 1} f_{i} X^{i}, C = \sum_{i = 0}^{d - 1} [f_{i}] {[α^{i}]}_{1} = [f (α)]_{1}$ .
KZG.Open( srs, $C, x, y; f (X)) \to {0, 1}$ : 为了在评估点 $x$ 上打开对于声称值 $y$ 的承诺
- a) 证明者 $P$ 计算商多项式 $q (X) = \frac{f (X) - y}{X - x}$ 并向验证者发送 $π = KZG \cdot$ Commit $($ ck; $q (X)) = [q (α)]_{1}$
- b) 验证者 $V$ 检查 $e (C - [y]_{1}, H) \overset{?}{=} e (π, [α]_{2} - [x]_{2})$ .

KZG.Open 中的 a) 和 b) 步骤经常被写成两个分开的算法：

Open $(ck, C, x, y; f (X)) \to π$ ：返回关系的开放证明

R := {(ck, C, x, y; f (X)) : \begin{aligned} C \deg (f (X)) \leq d \\ \land y = f (x) \end{aligned}};

Verify $(vk, C, x, y, π) \to {0, 1}$ : 验证开放证明的正确性。

英文原文

A univariate polynomial commitment scheme is a commitment scheme for the message space $F^{\leq d} [X]$ , the ring of univariate polynomials with maximum degree $d \in N$ and coefficients in the field $F = Z_{p}$

It supports an argument of knowledge for proving the correct evaluation of a committed polynomial at a given point. A lot of information can be encoded in a polynomial: we will see in Lecture 7 ("Arithmetizations") and Lecture 8 ("PlonK and polynomial identities") how an arbitrary relation can be represented as a polynomial.

KZG commitment scheme [6]. This is used in protocols like Sonic [7], Marlin [3], and PlonK [4]. (Marlin and PlonK improve on Sonic by constructing a different polynomial IOP.)

Recall: Pairing-based cryptography. [Lecture 3: "Mathematical Building Blocks"]

Given cyclic groups $G_{1}, G_{2}, G_{T}$ , all of the same prime order $p$ , a pairing is a nondegenerate bilinear map

e : G_{1} \times G_{2} \to G_{T}

a) bilinear: $e ([a] P, [b] Q) = e (P, Q)^{a \cdot b}$

b) nondegenerate: with generators $G_{1} \in G_{1}$ and $G_{2} \in G_{2}, G_{T} := e (G_{1}, G_{2}) \in G_{T}$ is a generator.

In this lecture, we will use the shorthand notation $[x]_{1} := [x] G_{1}, [x]_{2} := [x] G_{2}$ , for any $x \in F_{p}$ .

KZG.Setup $(1^{λ}, d) \to$ srs: set srs $= (ck, vk) = ({{[α^{i}]}_{1}}_{i = 0}^{d - 1}, [α]_{2}) . α$ here is a secret element and must be discarded after the Setup.
KZG.Commit $(ck; f (X)) \to C :$ for $f (X) = \sum_{i = 0}^{n - 1} f_{i} X^{i}, C = \sum_{i = 0}^{n - 1} [f_{i}] {[α^{i}]}_{1} = [f (α)]_{1}$ .
KZG.Open(srs, $C, x, y; f (X)) \to {0, 1}$ : To "open" the commitment at evaluation point $x$ to a claimed value $y$

a) the prover $P$ computes the quotient polynomial $q (X) = \frac{f (X) - y}{X - x}$ and sends the verifier $π = KZG \cdot$ Commit $($ ck; $q (X)) = [q (α)]_{1}$

b) the verifier $V$ checks $e (C - [y]_{1}, H) \overset{?}{=} e (π, [α]_{2} - [x]_{2})$ .

The a) and b) steps in KZG.Open are often written as two separate algorithms:

Open $(ck, C, x, y; f (X)) \to π$ returns an opening proof for the relation

R := {(ck, C, x, y; f (X)) : \begin{aligned} C \deg (f (X)) \leq d \\ \land y = f (x) \end{aligned}};

Verify $(vk, C, x, y, π) \to {0, 1}$ verifies the opening proof's correctness.

额外资源

本笔记旨在作为承诺方案的高级介绍，并介绍它们在现代 SNARK 建设中的应用。以下是一些进一步了解和比较承诺方案的优秀资源：

英文原文

This note hopes to serve as a high-level introduction to commitment schemes, and where they fit in the construction of modern SNARKs. Below are a few excellent resources for further understanding and comparing commitment schemes:

实现和基准测试

arkworks-rs/poly-commit：一个 Rust 库，支持四种多项式承诺方案。
多项式承诺基准测试 (Remco Bloemen)：基于 KZG、基于 IPA 和基于 FRI 的多项式承诺方案实现的 Commit 算法的基准测试。

英文原文

arkworks-rs/poly-commit: a Rust library supporting four polynomial commitment schemes.
Polynomial Commitment Benchmark (Remco Bloemen): benchmarks for the Commit algorithm in implementations of KZG, IPA-based, and FRI-based polynomial commitment schemes.

第 5 课 补充讲义 ​

正式定义 ​

构造 Constructions ​

向量承诺 Vector commitment scheme ​

多项式承诺方案 ​

额外资源 ​

更多的多项式承诺方案 ​

实现和基准测试 ​

第 5 课补充讲义

正式定义

构造 Constructions

向量承诺 Vector commitment scheme

多项式承诺方案

额外资源

更多的多项式承诺方案

实现和基准测试