
Lecture 9 Supplementary Notes

This note illustrates a few more end-to-end constructions of proof systems, with the hope of beginning to construct some kind of taxonomy. We briefly explore recursion, which lets us check an arbitrarily long chain of computation with a constant-size proof; and proof composition, where multiple proof systems are embedded in a single protocol.

A taxonomy of proof systems

Most modern proof systems are designed in a modular way, using algebraic holographic proofs (AHPs) as the information-theoretic component. These are polynomial interactive oracle proofs (PIOPs) in which the verifier does not have access to the full encoding of the relation being proven, but instead queries it via oracle access. Because AHPs work with any polynomial commitment scheme, the setup of such a proof system is specific only to the chosen commitment scheme, not to the relation being proven. To contrast the IOP-based approach with older schemes, we go through two proof system stacks that both start from the R1CS arithmetisation: Pinocchio [6] constructs a linear probabilistically checkable proof (LPCP), which is then compiled using pairing-based cryptography, while Marlin [2] and Spartan [7] construct algebraic holographic proofs (AHPs), compiled using a polynomial commitment scheme.

Figure 1: A taxonomy of modern SNARKs. Adapted from Fig. 19.1 of [9].

R1CS → QAP + LPCP + bilinear maps (Pinocchio)

Recall from Lecture 7 (Arithmetisations) that a Rank-1 Constraint System (R1CS) consists of the matrices $L, R, O$. A satisfying assignment $a = (a_0, \dots, a_{m-1})$ fulfils $La \circ Ra - Oa = 0$.

The R1CS can be expressed as a Quadratic Arithmetic Program (QAP) $Q$, which consists of the polynomials $\{L_j\}, \{R_j\}, \{O_j\}$, $j \in [m]$, and a target polynomial $T(X)$ that evaluates to zero at all $i \in [d]$. To check that an assignment $a$ is satisfying, we check that $T(X)$ divides $P(X)$, i.e. that

$H(X) := P(X) / T(X)$

is a polynomial, where:

  • $P(X) := L(X) \cdot R(X) - O(X)$ checks the assignment at each point in the evaluation domain;
  • $L(X) := \sum_j a_j L_j(X)$, $R(X) := \sum_j a_j R_j(X)$, $O(X) := \sum_j a_j O_j(X)$.

Definition 1.1. [Linear Probabilistically Checkable Proof (LPCP)]

A Linear Probabilistically Checkable Proof (LPCP) of length $m$ is an oracle computing a linear function $\pi : \mathbb{F}^m \to \mathbb{F}$; namely, the answer to each oracle query $q_i \in \mathbb{F}^m$ is $a_i = \langle \pi, q_i \rangle$.

QAP divisibility check

To check the correctness of the QAP, Pinocchio [6] constructs an LPCP compiled with pairing-based cryptography. Here, we use a symmetric pairing $e : \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_T$, where $G \in \mathbb{G}_1$ is a generator (we write $[x]_1$ for $x \cdot G$). We proceed as follows to check the divisibility of the QAP:

QAP divisibility check

  • Setup$(\{L_j\}, \{R_j\}, \{O_j\}, T(X)) \to \mathrm{srs}$:

    • sample a random evaluation point $s$;
    • output the commitments to the evaluations of the QAP's polynomials at $s$:
    $\mathrm{srs} = (\{[L_j(s)]_1\}, \{[R_j(s)]_1\}, \{[O_j(s)]_1\}, [T(s)]_1)$
  • Prove$(\mathrm{srs}, a) \to \pi$:

    • compute
    $\pi_L = \sum_{j=0}^{m-1} a_j [L_j(s)]_1,\quad \pi_R = \sum_{j=0}^{m-1} a_j [R_j(s)]_1,\quad \pi_O = \sum_{j=0}^{m-1} a_j [O_j(s)]_1$
    • compute $\pi_H = [H(s)]_1$
    • output $\pi = (\pi_L, \pi_R, \pi_O, \pi_H)$
  • Verify$([T(s)]_1, \pi) \to \{0, 1\}$: check $e(\pi_L, \pi_R) / e(\pi_O, G) \stackrel{?}{=} e([T(s)]_1, \pi_H)$; this corresponds to checking $L(s) R(s) - O(s) = T(s) H(s)$ "in the exponent".

QAP linear combination check

However, we have not actually constrained the prover to use the $\{L_j\}, \{R_j\}, \{O_j\}$ polynomials provided by the setup. To enforce that $\pi_L, \pi_R, \pi_O$ were indeed constructed as linear combinations of the srs elements, we proceed as follows:

QAP linear combination check

  • Setup$(\{L_j\}, \{R_j\}, \{O_j\}, T(X)) \to \mathrm{srs}$:

    • sample random shifts $\alpha_L, \alpha_R, \alpha_O$;
    • compute the commitments to the evaluations of the "$\alpha$-shifted" $L_j$ polynomials at $s$: $\{[L'_j(s)]_1\} = \{[\alpha_L L_j(s)]_1\}$;
    • similarly, compute
    $\{[R'_j(s)]_1\} = \{[\alpha_R R_j(s)]_1\},\quad \{[O'_j(s)]_1\} = \{[\alpha_O O_j(s)]_1\}$;
    • compute the rest of the srs as in the QAP divisibility check, and output
    $\mathrm{srs} = (\{[L_j(s)]_1\}, \{[R_j(s)]_1\}, \{[O_j(s)]_1\}, \{[L'_j(s)]_1\}, \{[R'_j(s)]_1\}, \{[O'_j(s)]_1\}, [\alpha_L]_1, [\alpha_R]_1, [\alpha_O]_1)$
  • Prove$(\mathrm{srs}, a) \to \pi$:

    • compute the "$\alpha$-shifted" proof elements
    $\pi'_L = \sum_{j=0}^{m-1} a_j [L'_j(s)]_1,\quad \pi'_R = \sum_{j=0}^{m-1} a_j [R'_j(s)]_1,\quad \pi'_O = \sum_{j=0}^{m-1} a_j [O'_j(s)]_1$;
    • compute $\pi_L, \pi_R, \pi_O$ as in the QAP divisibility check;
    • output $\pi = (\pi_L, \pi_R, \pi_O, \pi'_L, \pi'_R, \pi'_O)$.
  • Verify$([\alpha_L]_1, [\alpha_R]_1, [\alpha_O]_1, \pi) \to \{0, 1\}$: check

    $e(\pi_L, [\alpha_L]_1) \stackrel{?}{=} e(\pi'_L, G),\quad e(\pi_R, [\alpha_R]_1) \stackrel{?}{=} e(\pi'_R, G),\quad e(\pi_O, [\alpha_O]_1) \stackrel{?}{=} e(\pi'_O, G).$

Since the prover does not know the shifts $\alpha_L, \alpha_R, \alpha_O$, the only way it can construct valid $\alpha$-shifted pairs is to use the actual commitments to the QAP polynomials and their $\alpha$-shifted versions provided in the srs. In other words, since the prover does not know the value $s$ and cannot recover it from the encrypted values in the srs, it can only compute linear combinations of the encrypted QAP polynomials to compute the proof.
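The following worked example is added here and is not code from the lecture notes or from Pinocchio. It covers both the QAP divisibility check and the linear combination check above: it builds the QAP from a constructed three-constraint R1CS by Lagrange interpolation over a prime field, checks that $T(X)$ divides $P(X)$ by actual polynomial division, and then runs the srs, prover and verifier of both pairing checks in a toy model where every group element is replaced by a bare field scalar (assumption: $[x]_1$ is $x$, $G = 1$ and $e(x, y) = x \cdot y$), so the verifier equations can be evaluated in the clear. The field modulus, the R1CS, the assignments, $s$ and the $\alpha$ values are all constructed; the `powers` entry of the srs (encoded powers of $s$, which let the prover form $[H(s)]_1$ as a linear combination) is an assumption that goes beyond the srs listing on this page.

```python
# Added example (not from the lecture notes or Pinocchio): R1CS -> QAP, the divisibility check,
# and a toy "in the exponent" model of the two pairing checks. Group elements are bare scalars
# ([x]_1 is x, G = 1, e(x, y) = x*y): the verifier algebra is exact, but nothing is hidden.
from functools import reduce
from itertools import zip_longest

P = 2**61 - 1  # constructed choice of field modulus; any sufficiently large prime works

def inv(x):
    return pow(x % P, P - 2, P)

# Polynomials over F_P are coefficient lists, lowest degree first.
def padd(a, b):
    return [(x + y) % P for x, y in zip_longest(a, b, fillvalue=0)]

def pscale(a, k):
    return [(c * k) % P for c in a]

def pmul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return out

def pdivmod(num, den):
    """Schoolbook long division; returns (quotient, remainder)."""
    num = num[:]
    if len(num) < len(den):
        return [0], num
    q, lead = [0] * (len(num) - len(den) + 1), inv(den[-1])
    for i in range(len(num) - len(den), -1, -1):
        q[i] = (num[i + len(den) - 1] * lead) % P
        for j, d in enumerate(den):
            num[i + j] = (num[i + j] - q[i] * d) % P
    return q, (num[:len(den) - 1] or [0])

def peval(a, x):
    return reduce(lambda r, c: (r * x + c) % P, reversed(a), 0)

def lagrange(domain, values):
    """The unique polynomial of degree < len(domain) with poly(domain[i]) = values[i]."""
    poly = [0]
    for i, xi in enumerate(domain):
        basis = [1]
        for j, xj in enumerate(domain):
            if j != i:
                basis = pscale(pmul(basis, [(-xj) % P, 1]), inv(xi - xj))
        poly = padd(poly, pscale(basis, values[i]))
    return poly

def r1cs_to_qap(L, R, O):
    """Column j of each matrix becomes L_j, R_j, O_j over the domain {1..d}; T(X) = prod_i (X - i)."""
    d, m = len(L), len(L[0])
    domain = list(range(1, d + 1))
    Lj, Rj, Oj = ([lagrange(domain, [M[i][j] % P for i in range(d)]) for j in range(m)] for M in (L, R, O))
    T = reduce(pmul, ([(-x) % P, 1] for x in domain), [1])
    return Lj, Rj, Oj, T

def combine(polys, a):
    """L(X) = sum_j a_j L_j(X), and likewise for R and O."""
    return reduce(padd, (pscale(pj, aj) for aj, pj in zip(a, polys)), [0])

def qap_quotient(qap, a):
    """H = P / T with P = L*R - O; the assignment satisfies the R1CS iff the remainder is zero."""
    Lj, Rj, Oj, T = qap
    Pp = padd(pmul(combine(Lj, a), combine(Rj, a)), pscale(combine(Oj, a), P - 1))
    return pdivmod(Pp, T)

# Constructed R1CS for x^3 + x + 5 = out over (1, x, y, z, out): x*x = y, y*x = z, (z + x + 5)*1 = out.
L_MAT = [[0, 1, 0, 0, 0], [0, 0, 1, 0, 0], [5, 1, 0, 1, 0]]
R_MAT = [[0, 1, 0, 0, 0], [0, 1, 0, 0, 0], [1, 0, 0, 0, 0]]
O_MAT = [[0, 0, 1, 0, 0], [0, 0, 0, 1, 0], [0, 0, 0, 0, 1]]
GOOD_A = [1, 3, 9, 27, 35]  # x = 3
BAD_A = [1, 3, 9, 27, 36]   # wrong output wire

def toy_setup(qap, s, alphas):
    """srs as in the notes with [x]_1 modelled as x; 'powers' (encoded powers of s, so the prover can
    form [H(s)]_1 as a linear combination) is an assumption beyond the page's srs listing."""
    Lj, Rj, Oj, T = qap
    ev = lambda polys, k: [(k * peval(p, s)) % P for p in polys]
    aL, aR, aO = alphas
    return {"L": ev(Lj, 1), "R": ev(Rj, 1), "O": ev(Oj, 1), "L'": ev(Lj, aL), "R'": ev(Rj, aR),
            "O'": ev(Oj, aO), "T": peval(T, s), "alpha": alphas,
            "powers": [pow(s, i, P) for i in range(2 * len(T))]}

def toy_prove(qap, srs, a):
    """Honest prover: every proof element is a linear combination of srs entries, as the notes require."""
    H, _ = qap_quotient(qap, a)
    lin = lambda key, coeffs: sum(c * g for c, g in zip(coeffs, srs[key])) % P
    return (lin("L", a), lin("R", a), lin("O", a), lin("powers", H), lin("L'", a), lin("R'", a), lin("O'", a))

def toy_verify(srs, pi):
    """Divisibility check e(piL,piR)/e(piO,G) = e([T(s)]_1,piH) plus the three alpha-shift checks."""
    piL, piR, piO, piH, sL, sR, sO = pi
    G, e = 1, (lambda x, y: (x * y) % P)
    aL, aR, aO = srs["alpha"]  # the verifier is handed [alpha]_1, modelled here as alpha itself
    divisible = (e(piL, piR) - e(piO, G)) % P == e(srs["T"], piH)  # division in G_T = subtraction of exponents
    in_span = e(piL, aL) == e(sL, G) and e(piR, aR) == e(sR, G) and e(piO, aO) == e(sO, G)
    return divisible and in_span

if __name__ == "__main__":
    qap = r1cs_to_qap(L_MAT, R_MAT, O_MAT)
    srs = toy_setup(qap, s=12345, alphas=(777, 888, 999))
    print("honest proof accepted:", toy_verify(srs, toy_prove(qap, srs, GOOD_A)))
    print("wrong assignment accepted:", toy_verify(srs, toy_prove(qap, srs, BAD_A)))
```

Run as a script, the honest proof passes both checks, while the assignment with the wrong output wire leaves a nonzero remainder in `qap_quotient`, so $L(s)R(s) - O(s) \neq T(s)H(s)$ and the divisibility check rejects. Replacing $\pi'_L$ with anything not formed from the $\alpha_L$-shifted srs entries (for instance a copy of $\pi_L$) fails the span check, which is the property the $\alpha$ shifts exist to enforce. What the toy deliberately lacks is hiding: here $s$ and the $\alpha$ values are plain integers, whereas in the real scheme they survive only inside group elements, which is exactly why a prover there can do nothing but take linear combinations of the srs.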