Halo——zcash新的零知识证明机制,无需Trusted Setup

Halo zcash新的零知识证明机制,无需Trusted Setup过程。

具体可参见论文《Halo: Recursive Proof Composition without a Trusted Setup》。

1. 论文解析

《Halo: Recursive Proof Composition without a Trusted Setup》论文主要结合《Doubly-efficient zkSNARKs without trusted setup》和《Efficient Zero-Knowledge Arguments for Arithmetic Circuits in the Discrete Log Setting》和《Bulletproofs: Short Proofs for Confidential Transactions and More》,改进了bulletproofs中存在的verification expensive的问题,将bulletproofs 递归迭代出最终值的过程改为递归迭代展开成多项式。

在Halo论文第3.1节有提及。
b → = ( x 0 , x 1 , x 2 , . . . , x n − 1 ) \overrightarrow{b}=(x^0,x^1,x^2,...,x^{n-1}) b =(x0,x1,x2,...,xn1)
b = < s → , b → > = ∏ i = 1 k ( u i + u i − 1 x 2 i − 1 ) b=< \overrightarrow{s}, \overrightarrow{b}>=\prod_{i=1}^{k}(u_i+u_i^{-1}x^{2^{i-1}}) b=<s ,b >=i=1k(ui+ui1x2i1)

∴ s → = ( u 1 u 2 ⋯ u k , u 1 − 1 u 2 ⋯ u k , u 1 u 2 − 1 ⋯ u k , u 1 − 1 u 2 − 1 ⋯ u k , ⋮ u 1 − 1 u 2 − 1 ⋯ u k − 1 ) \therefore \overrightarrow{s}= \begin{matrix} (u_1u_2\cdots u_k,& \\ u_1^{-1}u_2\cdots u_k,& \\ u_1u_2^{-1}\cdots u_k,& \\ u_1^{-1}u_2^{-1}\cdots u_k,& \\ \vdots & \\ u_1^{-1}u_2^{-1}\cdots u_k^{-1})& \end{matrix} s =(u1u2uk,u11u2uk,u1u21uk,u11u21uk,u11u21uk1)


2. 代码

2.1 scalar和field域内数据

sage脚本如下:

sage: primitive_root(0x5c5e464a35c12769bac2a757742b393081be9c1a3201248299fffe7d00000001)
7
sage: primitive_root(0x5c5e464a35c12769bac2a757742b39311b849d0f1801860419fffe7d00000001)
5
//ec0和ec1两条曲线为新的cycle曲线。
sage: q = 0x5c5e464a35c12769bac2a757742b39311b849d0f1801860419fffe7d00000001
sage: E0=EllipticCurve(GF(q),[0,0,0,0,5])
sage: E0
Elliptic Curve defined by y^2 = x^3 + 5 over Finite Field of size 41779350816691014953522156191564118733065404123040873871217559960624522330113
sage: E0.cardinality()
41779350816691014953522156191564118732861004145504938180595018507596047843329
sage: p = 0x5c5e464a35c12769bac2a757742b393081be9c1a3201248299fffe7d00000001
sage: p== E0.cardinality()
True
sage: E1=EllipticCurve(GF(p),[0,0,0,0,7])
sage: E1
Elliptic Curve defined by y^2 = x^3 + 7 over Finite Field of size 41779350816691014953522156191564118732861004145504938180595018507596047843329
sage: q==E1.cardinality()
True
sage:

//ec0和ec1的endomorphism特性。
sage: q
41779350816691014953522156191564118733065404123040873871217559960624522330113
sage: p
41779350816691014953522156191564118732861004145504938180595018507596047843329
sage: q_beta=0x5c5e464a35c1276928cbb3fac2af2389230cec8b8a02aa85c0fffc3880000002
sage: p_beta=0x5c5e464a35c1276896d4c09e11330ddec37d38346402490533fffcfa00000002
sage: x=1
sage: y=0xcd539c198b2acdf622572e64860fa80f027d2b37cab63258470e2773a41d265
sage: P=E0(x,y)
sage: P
(1 : 5804491226689437426855821919313525377189926834495828430948346565900107895397 : 1)
sage: P*p_beta
(41779350816691014949943113365249179279869108102716172661067806050794577330178 : 5804491226689437426855821919313525377189926834495828430948346565900107895397 : 1)
sage: P*p_beta==E0(x*q_beta,y)
True
sage: q_beta
41779350816691014949943113365249179279869108102716172661067806050794577330178
sage: x_1=1
sage: y_1=0x5e808425ee1f35fbecc40aa0beec5c0f33aba0091f5fdeb793f9e8949e6de0d
sage: Q=E1(x_1,y_1)
sage: Q
(1 : 2671529765264477597923934889184897926137220120483125568397984615967312240141 : 1)
sage: Q*q_beta
(41779350816691014946364070538934239825855212172247728688497926313579905024002 : 2671529765264477597923934889184897926137220120483125568397984615967312240141 : 1)
sage: Q*q_beta==E1(x_1*p_beta,y_1)
True
sage:

// RESCUE_INVALPHA * RESCUE_ALPHA = 1 mod (p - 1)
// 注意有限域内模运算有:x^(p-1) mod p=1,x^p mod p=x。
sage: mod(1/5,p-1)
25067610490014608972113293714938471239716602487302962908357011104557628705997
sage: mod(1/5,q-1)
16711740326676405981408862476625647493226161649216349548487023984249808932045
sage: hex(1671174032667640598140886247662564749322616164921634954848702398424980
....: 8932045)
'24f282841580762a4ab442efc8114a13a49b7206099a359b3d9998fecccccccd'
sage: hex(2506761049001460897211329371493847123971660248730296290835701110455762
....: 8705997)
'376bc3c62040b13f700e6467ac19ef1d1aa590dc846715e7f5ffff17cccccccd'

Halo中的Field域内参数有做montgomery封装,可参看博客curve25519-dalek中的montgomery_reduce算法细节第一节内容及博客Montgomery reduction——多精度模乘法运算算法第2.4.2节内容,以src\fields\fp.rs中代码为例对应为:
b = 2 64 b=2^{64} b=264
p = m = ( m 3 m 2 m 1 m 0 ) b = ( m 3 m 2 m 1 m 0 ) 2 64 p=m=(m_3m_2m_1m_0)_b=(m_3m_2m_1m_0)_{2^{64}} p=m=(m3m2m1m0)b=(m3m2m1m0)264
n = 4 n=4 n=4
R = 2 256 R=2^{256} R=2256
I N V = m ′ = − m − 1   m o d   b = − m − 1   m o d   2 64 INV=m'=-m^{-1}\ mod\ b=-m^{-1}\ mod\ 2^{64} INV=m=m1 mod b=m1 mod 264
⇒ \Rightarrow 某数据 T T T的montgomery_reduction值为: T R − 1   m o d   m TR^{-1}\ mod\ m TR1 mod m

在Halo源码src\fields\fp.rs中的to_bytes()函数中,有对输入参数做montgomery_reduction:
Halo——zcash新的零知识证明机制,无需Trusted Setup_第1张图片
所以当输入参数为 T R TR TR,经过to_bytes调用后的输出参数即为: T R R − 1   m o d   m = T   m o d   m TRR^{-1}\ mod\ m = T\ mod\ m TRR1 mod m=T mod m
因此,对fp域内的参数就易于理解了:

/// INV = -(p^{-1} mod 2^64) mod 2^64
const INV: u64 = 0x99fffe7cffffffff;

/// R = 2^256 mod p
const R: Fp = Fp([
    0xcc000305fffffffe,
    0xfc82c7cb9bfdb6fa,
    0x8a7ab15117a98d9e,
    0x4743736b947db12c,
]);

/// R^2 = 2^512 mod p
const R2: Fp = Fp([
    0xd21bca6b0eb7ce9,
    0xc614650905b5e467,
    0x55a4ae6f7ea066f2,
    0x2e5132263865a7a9,
]);

/// R^3 = 2^768 mod p
const R3: Fp = Fp([
    0xac7322921fbf5412,
    0xbc777a2173080bf6,
    0xeb3580f5a4178af9,
    0x4d3b7a048e8aadd0,
]);

const S: u32 = 32;

/// GENERATOR^t where t * 2^s + 1 = p
/// with t odd. In other words, this
/// is a 2^s root of unity.
///
/// `GENERATOR = 7 mod p` is a generator
/// of the p - 1 order multiplicative
/// subgroup.
const ROOT_OF_UNITY: Fp = Fp([
    0xb257e41b129e5b76,
    0x373020854649fe24,
    0xabfc522920f57d27,
    0x267b428852549f85,
]);

相应的sage脚本为:

sage: p = 0x5c5e464a35c12769bac2a757742b393081be9c1a3201248299fffe7d00000001
sage: E1=EllipticCurve(GF(p),[0,0,0,0,7])
sage: n=E1.cardinality()
sage: n
41779350816691014953522156191564118733065404123040873871217559960624522330113
sage: mod(p,6)
1
sage: k=GF(p)
//有t*2^s+1=p,相应的s=32,
sage: factor(p-1) 
2^32 * 3^2 * 197 * 4598831 * 7813987 * 794236439 * 192230877197148812576275018793540833079827
sage: t= 3^2 * 197 * 4598831 * 7813987 * 794236439 * 192230877197148812576275018
....: 793540833079827
sage: t
9727513142090992758404965557056506800665753927432219074246245088893
sage: root=k.zeta(2^32) //对应的为p域内的2^32-th root of unity。
//或者采用如下方法来计算
sage: primitive_root(p) //即为p域内的generator
7
sage: root=power_mod(7,t,p)
15597833531057113827281213877381453461893547087947030063083486787097767520449
//即为p域内的2^32-th root of unity。
sage: root
15597833531057113827281213877381453461893547087947030063083486787097767520449
sage: hex(1559783353105711382728121387738145346189354708794703006308348678709776
....: 7520449)
'227c0f98b53c91d483f087ca0f9e864db17c48f7e98126d779fb63ab307928c1'
//计算TR mod p,其中的t=root,结果即为源码中的ROOT_OF_UNITY值
sage: mod(root*(2^256),p)
17405669625613918795168124414946147739282306685263100669544894026073350495094
sage: hex(1740566962561391879516812441494614773928230668526310066954489402607335
....: 0495094)
'267b428852549f85abfc522920f57d27373020854649fe24b257e41b129e5b76'
// 以下即为计算$INV=m'=-m^{-1}\ mod\ b=-m^{-1}\ mod\ 2^{64}$
sage: INV= mod(-1/p,2^64)
sage: INV
11096867819688558591
sage: hex(11096867819688558591)
'99fffe7cffffffff'

对于fq域同理:

sage: q = 0x5c5e464a35c12769bac2a757742b39311b849d0f1801860419fffe7d00000001
sage: factor(q-1)
2^32 * 3^2 * 59 * 197 * 1093 * 4598831 * 6259817 * 2955369790000036875180183355219370645532736961
sage: k=GF(q)
sage: k.zeta(2^32)
2629786716961282729573895092084088844933342487815945274033332136506229449494
sage: Tq=k.zeta(2^32)
sage: mod(Tq*(2^256),q)
21313189591908438004548468899723250764052003389148632446968856998302430734774
sage: hex(2131318959190843800454846889972325076405200338914863244696885699830243073
....: 4774)
'2f1ed67b4030702cfd1fba57e713394ed58c9c00bb70545a19b9e2a2025f29b6'

2.2 Halo中的sponge海绵函数证明

Halo中的代码src\gadgets\rescue.rs对应的是对sponge海绵函数的证明过程。
sponge海绵函数的背景知识可参看博客密码学中的sponge函数。


2.3 Halo中的sha256证明

Halo中的代码src\gadgets\sha256.rs对应的是对sha256的证明过程。
sha256的背景知识可参看博客SHA256算法原理详解

/// Represents an interpretation of 32 `Boolean` objects as an
/// unsigned integer.
#[derive(Clone)]
pub struct UInt32 {
    // Least significant bit first
    bits: Vec,
    value: Option,
}

其中的test_blank_hash是对一个空格的hash计算。使用hash工具,对一个空格的sha256计算值为:
Halo——zcash新的零知识证明机制,无需Trusted Setup_第2张图片
Halo——zcash新的零知识证明机制,无需Trusted Setup_第3张图片

2.4 Halo中的fft

FFT背景知识可参看博客十分简明易懂的FFT(快速傅里叶变换)。

增加代码中的调试信息:
Halo——zcash新的零知识证明机制,无需Trusted Setup_第4张图片
Halo——zcash新的零知识证明机制,无需Trusted Setup_第5张图片
会将原始值 T T T和加工后的 T R TR TR值都打印出来。(结合本博客2.1节内容)

cargo test test_fft -- --nocapture

在这里插入图片描述
对应的sage(结合本博客2.1节内容):

sage: root
15597833531057113827281213877381453461893547087947030063083486787097767520449
sage: p
41779350816691014953522156191564118732861004145504938180595018507596047843329
sage: power_mod(root,2^21,p) //21=32-exp
35014335792849108923302692126549442116295992392289760687159465394416590439942
sage: hex(3501433579284910892330269212654944211629599239228976068715946539441659043
....: 9942)
'4d696968d9c7e5b55e6a88fe57cbaa9e166872f777629c2cd200ba70d7cec606'
sage: a= power_mod(root,2^21,p)
sage: power_mod(a, 2^11,p) //a为2^exp primitive root of unity
1
sage: mod(a*2^256,p) //a*R
10730775495674742377894163791485024158738844901508842762311051545948678259111
sage: hex(1073077549567474237789416379148502415873884490150884276231105154594867825
....: 9111)
'17b96758b3b7fcc1cac00d74474232a71d0e8942edff11e01593bff8955001a7'


2.5 执行

基于bitcoin block hash的recursive原型验证正在开发中,可参见:https://github.com/ebfull/halo
目前代码仍在迭代开发,cargo test有测试用例失败。
cargo run --example bitcoin计算复杂度很高,待优化。具体见下图。
Halo——zcash新的零知识证明机制,无需Trusted Setup_第6张图片

参考资料:
[1] 论文《Halo: Recursive Proof Composition without a Trusted Setup》
[2] https://electriccoin.co/zh/blog/halo-recursive-proof-composition-without-a-trusted-setup/
[3] https://github.com/ebfull/halo

你可能感兴趣的:(零知识证明)