Lecture 9 Supplementary Notes
This note presents some methods for constructing end-to-end proof systems, in the hope of beginning to build some kind of taxonomy. We briefly explore recursion, which lets us check an arbitrarily long chain of computation using a constant-size proof, and proof composition, in which multiple proof systems are embedded in a single protocol.
English original
This note illustrates a few more end-to-end constructions of proof systems, with the hope of beginning to construct some kind of taxonomy. We briefly explore recursion, which lets us check an arbitrarily long chain of computation with a constant-size proof; and proof composition, where multiple proof systems are embedded in a single protocol.
Taxonomy of proof systems
Most modern proof systems are designed in a modular way, using algebraic holographic proofs as the information-theoretic component. These are polynomial interactive oracle proofs (PIOPs), in which the verifier does not have access to the full encoding of the relation being proven, but instead makes "queries" through oracle access. Because an AHP can use any polynomial commitment scheme, the setup of these proof systems is specific only to the chosen commitment scheme and not to the relation being proven. To contrast the IOP-based approach with older schemes, we go through two proof system stacks, both of which start from the R1CS arithmetisation: Pinocchio [6] builds a linear probabilistically checkable proof (LPCP) and then compiles it using pairing-based cryptography, while Marlin [2] and Spartan [7] build algebraic holographic proofs (AHPs), compiled using a polynomial commitment scheme.
Figure 1: A taxonomy of modern SNARKs. Adapted from Fig. 19.1 of [9].
English original
Most modern proof systems are designed in a modular way, using algebraic holographic proofs as the information-theoretic component. These are polynomial interactive oracle proofs (PIOPs) where the verifier does not have access to the full encoding of the relation being proven, but instead queries it via oracle access. Because AHPs work with any polynomial commitment scheme, the setups for these proof systems are specific to just the chosen commitment scheme, and not the relation being proven. To contrast the IOP-based approach against older schemes, we go through two proof system stacks that both start with the R1CS arithmetisation: Pinocchio [6] constructs a linear probabilistically checkable proof (LPCP), which is then compiled using pairing-based cryptography, while Marlin [2] and Spartan [7] construct algebraic holographic proofs (AHPs), compiled using a polynomial commitment scheme.
Figure 1: A taxonomy of modern SNARKs. Adapted from Fig. 19.1 of [9].
R1CS QAP + LPCP + bilinear maps (Pinocchio)
Recall from Lecture 7 (Arithmetisations) that a Rank-1 Constraint System (R1CS) consists of the matrices
The R1CS can be expressed as a Quadratic Arithmetic Program (QAP)
where:
checks the assignment at each point in the evaluation domain; .
Definition 1.1. [Linear Probabilistically Checkable Proof (LPCP)]
of length
English original
Recall from Lecture 7 (Arithmetisations) that a Rank-1 Constraint System (R1CS) consists of the matrices
The R1CS can be expressed as a Quadratic Arithmetic Program (QAP)
where:
checks the assignment at each point in the evaluation domain; .
Definition 1.1. [Linear Probabilistically Checkable Proof (LPCP)]
A Linear Probabilistically Checkable Proof (LPCP) of length
QAP divisibility check
To check the correctness of the QAP, Pinocchio [6] compiles an LPCP using pairing-based cryptography. Here, we use a symmetric pairing
QAP divisibility check
- sample a random evaluation point ;
- output the commitments to the evaluations of the QAP's polynomials at :
- sample a random evaluation point :
- compute
- compute
- output
This amounts to checking "in the exponent".
English original
To check the correctness of the QAP, Pinocchio [6] constructs an LPCP compiled with pairing-based cryptography. Here, we use a symmetric pairing
QAP divisibility check
- sample a random evaluation point ;
- output the commitments to the evaluations of the QAP's polynomials at :
- sample a random evaluation point :
- compute
- compute
- output
this corresponds to checking "in the exponent".
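As an added worked example (not code from the lecture note or from Pinocchio), the R1CS-to-QAP conversion of the previous section and the QAP divisibility check above, carried out in the clear over a constructed toy prime field P = 101 instead of "in the exponent". The R1CS matrices, witness and evaluation point fed to it are constructed for illustration; the polynomial helpers are our own.

```python
P = 101  # constructed toy field modulus; a real system uses a pairing-friendly curve's scalar field
def poly_mul(a, b):
    r = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] = (r[i + j] + x * y) % P
    return r
def poly_add(a, b):
    n = max(len(a), len(b))
    return [((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % P for i in range(n)]
def poly_eval(c, x):  # coefficients are stored lowest degree first
    acc = 0
    for coef in reversed(c):
        acc = (acc * x + coef) % P
    return acc
def poly_divmod(num, den):
    """Long division over F_P; returns (quotient, remainder)."""
    num, q = num[:], [0] * max(1, len(num) - len(den) + 1)
    lead_inv = pow(den[-1], P - 2, P)
    for i in range(len(num) - len(den), -1, -1):
        q[i] = num[i + len(den) - 1] * lead_inv % P
        for j, d in enumerate(den):
            num[i + j] = (num[i + j] - q[i] * d) % P
    return q, num[:len(den) - 1] or [0]
def lagrange(domain, values):
    """The unique polynomial of degree < len(domain) taking values[i] at domain[i]."""
    result = [0]
    for i, xi in enumerate(domain):
        basis, denom = [1], 1
        for j, xj in enumerate(domain):
            if j != i:
                basis = poly_mul(basis, [(-xj) % P, 1])
                denom = denom * (xi - xj) % P
        result = poly_add(result, [c * values[i] * pow(denom, P - 2, P) % P for c in basis])
    return result
def r1cs_to_qap(A, B, C, z):
    """Constraint i lives at domain point i+1; interpolating the row products A_i.z gives
    A_z(x) = sum_k z_k A_k(x) by linearity (same for B, C); Z vanishes on the domain."""
    domain = list(range(1, len(A) + 1))
    rows = lambda M: lagrange(domain, [sum(m * v for m, v in zip(row, z)) % P for row in M])
    Z = [1]
    for d in domain:
        Z = poly_mul(Z, [(-d) % P, 1])
    return rows(A), rows(B), rows(C), Z
def qap_divisibility_check(A, B, C, z, r):
    """Prover: p = A_z*B_z - C_z, h = p / Z (remainder dropped). Verifier: accept iff p(r) == h(r)*Z(r)
    at a random r; an unsatisfied constraint leaves a non-zero remainder, so this fails at almost every r."""
    Az, Bz, Cz, Z = r1cs_to_qap(A, B, C, z)
    p = poly_add(poly_mul(Az, Bz), [(-c) % P for c in Cz])
    h, _ = poly_divmod(p, Z)
    return poly_eval(p, r) == poly_eval(h, r) * poly_eval(Z, r) % P
```

The constructed R1CS in the test encodes x*x = v, v*x = w, w + x + 5 = out with witness vector [1, x, out, v, w]; with x = 3 every constraint holds and the check passes, while x = 4 violates the last constraint and the check fails at the sampled point.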
QAP linear combination check
However, we have not actually constrained the prover to use what is provided in the setup
QAP linear combination check
srs:
- sample random shifts ;
- compute the commitments to the evaluations of the "-shifted" polynomials at :
- similarly, compute
- compute the rest of the srs as in the QAP divisibility check, and output
- sample random shifts :
- compute the "-shifted":
- compute as in the QAP divisibility check;
- output .
- compute the "
Verification: check
Since the prover does not know the shift values
English original
However, we haven't actually constrained the prover to use the provided
QAP linear combination check
srs:
- sample random shifts ;
- compute the commitments to the evaluations of the "shifted" polynomials at
- similarly, compute
- compute the rest of the srs as in the QAP divisibility check, and output
- sample random shifts :
- compute the "-shifted"
- compute
- compute the "