本文主要是介绍ZKP9 SNARKs based on Linear PCP (Pinocchio Groth16),希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
ZKP学习笔记
ZK-Learning MOOC课程笔记
Lecture 9: SNARKs based on Linear PCP (Yupeng Zhang)
-
SNARKs learned so far
-
Earliest Implemented SNARKs
- Pros
- Shortest proof size (3 elements [Groth16])
- Fast verifier (bilinear pairing)
- Cons
- FFT and group exponentiations on the prover
- Circuit-specific trusted setup
- Pros
-
History of SNARKs
9.1 Quadratic Arithmetic Program (QAP)
-
Recall: SNARKs for circuit-satisfiability
-
Transcript/trace of Circuit
- Interactive proof (lecture 4, slide 76): value of every gate
- Plonk (lecture 5, slide 42): left input, right input, output of every gate
- QAP: input + output of every multiplication gate
-
QAP
-
Ignore the output of the addition gates
-
Labeling multiplication gates
-
Selector Polynomials
-
l i ( x ) l_i(x) li(x): is c i c_i ci the left input of gate 𝑗, for 𝑗 = 1,2,3?
-
Examples:
For l 1 ( x ) l_1(x) l1(x):
- 3 is the left input of gate 1? Yes! -> 1
- 3 is the left input of gate 2? No! -> 0
- 3 is the left input of gate 3? No! -> 0
For l 3 ( x ) l_3(x) l3(x):
- 1 is the left input of gate 1? No! -> 0
- 1 is the left input of gate 2? No! -> 0
- 1 is the left input of gate 3?
- Yes! -> 1
- Because “1” is the input of the addition gate, and the addition gate is the left input of gate 3
-
-
Properties of the selector polynomials
-
More Selector Polynomials
-
r i ( x ) r_i(x) ri(x): is c i c_i ci the right input of gate 𝑗, for 𝑗 = 1,2,3?
-
o i ( x ) o_i(x) oi(x): is c i c_i ci the output of gate 𝑗, for 𝑗 = 1,2,3?
-
-
Master polynomial
-
Vanishing polynomial
-
-
-
Circuit-SAT to QAP [GGPR13, PGHR13]
- The table is sparse.
9.2 From QAP to SNARK
-
Probabilistically Checkable Proofs (PCP)
-
IPCP [Kalai-Raz’08] and IOP [Ben-Sasson-Chiesa-Spooner’16]
-
Polynomial IOP [Bünz-Fisch-Szepieniec’20]
-
Linear PCP [Ishai-Kushilevitz-Ostrovsky’07]
-
QAP and Linear PCP
- We don’t use random checks.
-
Key Generation
- The c i c_i ci and q ( x ) q(x) q(x) are private
- The selector polynomials and the vanishing polynomial are public.
- The circuit can be pre-processed. (The preprocessing phase is circuit-dependent)
-
Prove
-
Verify
-
Towards the real protocol
-
Q1: How to make sure π 1 \pi_1 π1 is computed from g l i ( τ ) g^{l_i(\tau)} gli(τ)
-
Solution: Knowledge of Exponent assumption (KoE) or Generic Group Model (GGM)
-
Recall: KoE
-
Recall: GGM
-
-
Q2: how to make sure the same c c c is used in π 1 \pi_1 π1, π 2 \pi_2 π2 and π 3 \pi_3 π3?
- Solution
- Solution
-
Q3: What about public input and output?
- I m i d I_{mid} Imid: secret witness
- I i o I_{io} Iio: public input and public output
-
-
Putting everything together
-
Properties of SNARK [PGHR13]
9.3 Other variants
-
Rank-1-Constraint-System (R1CS)
-
QAP
-
R1CS:
- Advantages
- Can support generalized constraints or gates
- more convenient to use in practice
- Matrix View of R1CS
- Advantages
-
-
Groth16
- Combine the π 3 \pi_3 π3, π 4 \pi_4 π4, π 5 \pi_5 π5 of [PGHR13] together
- α \alpha α and β \beta β are secret keys in the trusted key generation, and g α g^\alpha gα and g β g^\beta gβ are public parameters for the prover and the verifier
- π 3 \pi_3 π3: move the Σ i = 1 m c i × o i ( x ) \Sigma_{i=1}^m c_i \times o_i(x) Σi=1mci×oi(x) to the right side of the equation -> Σ i = 1 m c i × o i ( x ) + V ( x ) q ( x ) \Sigma_{i=1}^m c_i \times o_i(x) + V(x)q(x) Σi=1mci×oi(x)+V(x)q(x)
- Change the keygen accordingly
- Proof size: 3 group elements, 144 bytes
- Verifier time: 1 pairing equation
- Combine the π 3 \pi_3 π3, π 4 \pi_4 π4, π 5 \pi_5 π5 of [PGHR13] together
-
Achieving Zero-Knowledge
- The above is not zero-knowledge, because the adversary can infer some information by brute force attack.
- Solution: add some random values (times the vanishing polynomial)
- The [PGHR13] version:
- The [PGHR13] version:
这篇关于ZKP9 SNARKs based on Linear PCP (Pinocchio Groth16)的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
