Russell W. F. Lai and Giulio Malavolta's Crypto 2019 paper "Subvector Commitments with Application to Succinct Arguments" focuses on subvector commitments (SVC):
An SVC can be seen as a VC (vector commitment) that supports batch opening and batch updating.
The scheme in Dario Catalano and Dario Fiore's 2013 paper "Vector Commitments and their Applications" (see the blog post "Vector Commitments and their Applications学习笔记") cannot reveal multiple locations of the committed vector (unless the protocol is repeated in parallel, in which case the opening size grows linearly with the number of revealed locations).
The scheme in Benoît Libert, Somindu C. Ramanna and Moti Yung's 2016 paper "Functional Commitment Schemes: From Polynomial Commitments to Pairing-Based Accumulators from Simple Assumptions" (see the blog post "Functional Commitment Schemes: From Polynomial Commitments to Pairing-Based Accumulators学习笔记") cannot reveal multiple function outputs (unless the protocol is repeated in parallel, in which case the opening size grows linearly with the number of revealed function outputs).
Looking at how that scheme opens a single position, its verification equation $e(C,U_{n-i+1})=e(G_1,U_n)^{m_i}\cdot e(g,W_i)$ is linear in $m_i$, so a natural way to support batching openings is to define the new verification equation as a random linear combination of the previous ones. This requires embedding a secret linear combination in the public parameters, and showing that the resulting construction is function binding in the generic bilinear group model.
Comparison of existing schemes (vector length $l$, number of opened positions $q$):
where:
Among current SNARK (succinct non-interactive argument of knowledge) schemes, those in the pre-processing model outperform public-coin-setup schemes in both communication and computation efficiency. In effect, part of the verifier's work is moved into an offline preprocessing phase, which reduces the total work of the online phase.
In application scenarios such as cryptocurrencies, however, a public-coin setup is required; a random oracle can be used to realize public initialization.
In the standard model there is no public-coin-setup non-interactive argument for NP, but one can exist in the random oracle model.
A public-coin-setup SNARK can be built through the "CS proof" (computationally sound proof) paradigm based on probabilistically checkable proofs (PCP), in two steps. [Usually such an argument system has a public-coin verifier, and the Fiat-Shamir transform can then be used to make it non-interactive.]
According to Micali's 1994 paper "CS proofs (extended abstracts)", in the CS proof paradigm a proof consists of:
For a $q$-query $2^{-\sigma}$-soundness PCP scheme, the prover can efficiently compute a PCP string which encodes the witness of the statement to be proven; the verifier can then decide whether the statement is true with probability close to $1-2^{-\sigma}$ by inspecting $q$ entries of the PCP string.
Concretely, for a $3$-query PCP and $l=2^{30}$, with $2^{-80}$-soundness against a $2^{128}$-time adversary, the proof size is around 113KB.
As of now, Bulletproofs [the main papers are Jonathan Bootle et al.'s 2016 paper "Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting" and Benedikt Bünz, Jonathan Bootle et al.'s 2018 paper "Bulletproofs: Short proofs for confidential transactions and more"] is the most practical non-interactive argument, even though Bulletproofs has linear verification time (and therefore cannot be called a SNARK). A Bulletproof consists of $2\log n+13$ (group and field) elements, where $n$ is the number of multiplication gates in the arithmetic circuit representation of the verification algorithm of $L$. In the secp256k1-based implementation of Bulletproofs, each group element and each integer can be represented with $\sim 256$ bits, so the whole proof is about $512\log n+3328$ bits.
Since Gennaro et al.'s 2013 paper "Quadratic span programs and succinct NIZKs without PCPs", many SNARKs have appeared that are based on pairings and linear interactive proofs (LIP) in the pre-processing model, where the LIPs are obtained from linear PCPs.
A linear PCP is a traditional PCP whose PCP string is encoded in a linear form. In a $q$-query linear PCP the verifier has oracle access to that linear form and needs only $q$ queries to determine the truth of the statement with overwhelming probability. A typical problem of this type of SNARK is that it needs an expensive pre-processing phase, and the pre-processing is statement-dependent, meaning that a fresh set of public parameters must be set up for every statement to be proven.
Based on Danezis et al.'s 2014 paper "Square span programs with applications to succinct NIZK arguments", one can build the SNARK with the shortest proof in the standard model (4 group elements).
In the generic bilinear group model, Groth's 2016 paper "On the size of pairing-based non-interactive arguments" shows that a LIP-based SNARK proof has at least 2 group elements, and proposes a scheme with only 3 group elements. The scheme can be instantiated over pairing-friendly elliptic curves; popular choices include the 256-bit Barreto-Naehrig curve (each group element represented by 256 bits).
$Cl(\Delta)$ denotes the class group of an imaginary quadratic order with discriminant $\Delta$.
There is a trade-off between the prover's computational cost and the proof length:
If expensive prover computation is acceptable and an extremely short proof is the goal, a $3$-query $2^{-1}$-soundness PCP can be amplified into a $3\sigma$-query $2^{-\sigma}$-soundness PCP to obtain the shortest SNARK. Hamdy's 2000 paper "Security of cryptosystems based on class groups of imaginary quadratic orders" indicates that, based on the best known attacks on the root problem in class groups, for a soundness error of $2^{-80}$ against a $2^{128}$-time adversary the achievable proof size is 5360 bits. [When $n>16$, this proof is shorter than a Bulletproof.]
For example, Bitansky et al.'s 2013 paper "Succinct non-interactive arguments via linear interactive proofs", using a pairing group over a 256-bit Barreto-Naehrig curve, achieves proofs of 5 elements (1280 bits).
Compared with Groth's 2016 paper "On the size of pairing-based non-interactive arguments", the compiler built in this paper supports arbitrary linear PCPs and does not require that the verifier only be able to evaluate quadratic polynomials.
Comparison of existing schemes:
Moreover, this paper's setup phase is independent of the statement to be proven, so the same public parameters can be reused to prove different statements.
At the cost of higher prover complexity and the use of public-key cryptographic techniques, this paper achieves shorter proofs while supporting a broader class of PCPs (compared with schemes under the CS proofs paradigm and with pairing-based schemes).
SVCs are currently a hot topic in the community. Boneh et al.'s 2018 paper "Batching techniques for accumulators with applications to IOPs and stateless blockchains" shows how SVCs can be used as a drop-in replacement for Merkle trees in SNARKs based on interactive oracle proofs (IOPs), which generalize PCPs; using the class-group-based SVC construction reduces the proof size to $(r+1)$ group elements and $r$ integers, where $r$ is the number of iterations of the underlying IOP. Boneh et al. also propose methods for speeding up the verification algorithm, expected to reduce verification time by about $80\%$, and point out that SVCs can be used to improve the current design of blockchain-based transaction ledgers so that no user has to store the entire state of the ledger in memory.
Benoît Libert, Somindu C. Ramanna and Moti Yung's 2016 paper "Functional Commitment Schemes: From Polynomial Commitments to Pairing-Based Accumulators from Simple Assumptions" implements an accumulator for subset queries (see Section 5.3, "Building an accumulator supporting subset queries from a functional commitment", of the blog post "Functional Commitment Schemes: From Polynomial Commitments to Pairing-Based Accumulators学习笔记"); the biggest difference from an SVC is that it does not have the position binding property.
Definition of (Public-Coin) Adaptive Root:
That is, (Public-Coin) Adaptive Root can be summarized as: given $e$ and $X$, the probability of finding $Y$ such that $e\circ Y=X$ holds is negligible.
Definition of (Public-Coin) Strong Distinct-Prime-Product (Divisible) Root:
That is, Strong Distinct-Prime-Product (Divisible) Root can be summarized as: it is infeasible to find co-prime $(e_1,\cdots,e_l)$ and $Y$ such that $A$ can be decomposed as $(\prod_{i\in S}e_i)\circ Y$.
A subvector commitment (SVC) is defined as follows:
commit to a vector $\vec{x}$ of length $l$, and then allow opening to a subvector of arbitrary length $\leq l$.
Given an ordered index set $I\subseteq [l]$, define the $I$-subvector of $\vec{x}$ as the vector formed by collecting the $i$-th component of $\vec{x}$ for all $i\in I$.
An SVC should be succinct:
This paper generalizes the notion of an SVC to linear map commitments (LMC), which
allow the prover to reveal arbitrary linear maps $f:\mathbb{F}^l\rightarrow\mathbb{F}^q$ computed over the committed vector.
To match the succinctness of SVCs, an LMC is correspondingly required to be compact: its commitment size and proof size are independent of both $l$ and $q$. Viewing an SVC as an LMC, the linear map can be represented as a matrix in which every row contains exactly one $1$ and is otherwise $0$.
Function binding is a strengthened version of position binding.
Intuitively, position binding expressed in LMC terms says that the prover cannot open a commitment to $(f,\vec{y})$ and $(f,\vec{y}')$ with $\vec{y}\neq\vec{y}'$, where $f$ is a linear map and $\vec{y},\vec{y}'\in\mathbb{F}^k$ are vectors.
This constraint alone is not enough: by forming an inconsistent system of linear equations, the prover might still be able to open to $(f,\vec{y})$ and $(f',\vec{y}')$ with $f\neq f'$ and $\vec{y}\neq\vec{y}'$.
Therefore an SVC is required to have the function binding property:
no efficient algorithm can produce openings for $Q$ function-value tuples $\{(f_k,\vec{y}_k)\}_{k\in[Q]}$, for any $Q\in poly(\lambda)$, such that there does not exist $\vec{x}$ with $f_k(\vec{x})=\vec{y}_k$ for all $k\in [Q]$. [That is, when $Q$ sets of information are opened, there must be a single $\vec{x}$ that satisfies all opened linear functions $f_k$.]
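The consistency condition in the function binding definition is something a verifier or auditor can check directly. The following is an added example (not from the paper) over a constructed toy prime field: an SVC opening is written as the LMC opening for a selection matrix with a single 1 per row, and a set of claimed openings $\{(f_k,\vec{y}_k)\}$ is consistent with some $\vec{x}$ exactly when the stacked linear system $A\vec{x}=\vec{b}$ has a solution, tested here by comparing the rank of $A$ with the rank of $[A\,|\,\vec{b}]$ via Gaussian elimination. The demo reproduces both the position-binding break (same map, two values) and the pure function-binding break (different maps and values with no common preimage) described above.

```python
# Added example: function-binding consistency check for linear map commitments.
# Not the paper's code; p and all vectors below are constructed toy values.
P_MOD = 101   # toy prime field F_p


def selection_matrix(I, length):
    """An SVC opening viewed as an LMC: the linear map f_I : F^l -> F^{|I|}
    whose matrix has exactly one 1 in each row (row r selects x_{I[r]})."""
    return [[1 if col == i else 0 for col in range(length)] for i in I]


def apply_map(F, x, p=P_MOD):
    """Evaluate the linear map F (a list of rows) on x over F_p."""
    return [sum(a * b for a, b in zip(row, x)) % p for row in F]


def rank_mod_p(M, p=P_MOD):
    """Rank of a matrix over F_p via Gauss-Jordan elimination on a copy."""
    M = [[v % p for v in row] for row in M]
    rank = 0
    for col in range(len(M[0]) if M else 0):
        pivot = next((r for r in range(rank, len(M)) if M[r][col]), None)
        if pivot is None:
            continue
        M[rank], M[pivot] = M[pivot], M[rank]
        inv = pow(M[rank][col], -1, p)
        M[rank] = [(v * inv) % p for v in M[rank]]
        for r in range(len(M)):
            if r != rank and M[r][col]:
                factor = M[r][col]
                M[r] = [(a - factor * b) % p for a, b in zip(M[r], M[rank])]
        rank += 1
    return rank


def openings_consistent(openings, p=P_MOD):
    """True iff some x in F_p^l satisfies f_k(x) = y_k for every claimed
    opening (f_k, y_k). Stack all rows into A x = b; by Rouche-Capelli the
    system is solvable iff rank(A) == rank([A | b]). Function binding says an
    adversary cannot produce valid openings for which this returns False."""
    A, b = [], []
    for F, y in openings:
        for row, y_i in zip(F, y):
            A.append(list(row))
            b.append(y_i)
    if not A:
        return True
    augmented = [row + [b_i] for row, b_i in zip(A, b)]
    return rank_mod_p(A, p) == rank_mod_p(augmented, p)


def demo():
    """Honest openings of one vector are consistent; a position-binding break
    (same map, two values) and a pure function-binding break (different maps,
    no common preimage) are both caught."""
    x = [3, 7, 2, 9]
    f_sel = selection_matrix((0, 2), len(x))     # SVC opening of positions {0, 2}
    f_sum = [[1, 1, 1, 1]]                        # a general linear map
    honest = openings_consistent([(f_sel, apply_map(f_sel, x)),
                                  (f_sum, apply_map(f_sum, x))])
    position_break = openings_consistent([(f_sel, [3, 2]), (f_sel, [3, 5])])
    # f != f' and y != y'; each pair is plausible alone, but 2*(x0+x1)=21 contradicts x0+x1=10
    function_break = openings_consistent([([[1, 1, 0, 0]], [10]), ([[2, 2, 0, 0]], [21])])
    return honest, position_break, function_break


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The second failing case is the one position binding alone does not cover: neither opening repeats a map, yet no single $\vec{x}$ satisfies both, which is precisely what the function binding property must rule out.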
For ease of description, a symmetric pairing group is used in the illustration, as shown in the figure above.
The basic construction idea is similar to the "CDH-based vector commitment" of Dario Catalano and Dario Fiore's 2013 paper "Vector Commitments and their Applications", which rests on the Square-CDH assumption: given $g,g^{a}\in\mathbb{G}$, computing $g^{a^2}$ is computationally infeasible. (See Section 2.1 of the blog post "Vector Commitments and their Applications学习笔记".)
The differences are:
The LMC construction in this paper is inspired by Benoît Libert, Somindu C. Ramanna and Moti Yung's 2016 paper "Functional Commitment Schemes: From Polynomial Commitments to Pairing-Based Accumulators from Simple Assumptions", and is based on the following observation:
4-move interactive arguments of knowledge can be constructed via "traditional PCP + SVC" or "linear PCP + LMC":
The meanings of the Record, Reconstruct and Decide algorithms are: