PLONK: Personal Notes

Contents

  • Personal summary
  • How to understand the circuit
  • Gate Constraints
  • Copy constraints
  • Polynomial commitment
  • References

Personal summary

Compared with earlier zkSNARK protocols, PLONK differs mainly in three respects.

1- First, in how the circuit is turned into polynomials. SNARK protocols usually go from R1CS to QAP, and the polynomial identity that finally has to be proven is
$$L(x)\times R(x)-O(x)=H(x)T(x),$$
whereas PLONK uses Gate Constraints and Copy Constraints, and the polynomial identity that finally has to be proven is
$$Q_{L}(x)\,a(x)+Q_{R}(x)\,b(x)+Q_{O}(x)\,c(x)+Q_{M}(x)\,a(x)\,b(x)+Q_{C}(x)=0.$$
Personally I find this representation more intuitive.

2- Second, zkSNARKs bind the polynomials through an $\alpha$, and at the end the verifier has to check $e(g^{L(x)},g^\alpha)=e(g^{L'(x)},g)$. PLONK instead uses the batched version of the Kate polynomial commitment and replaces that verification step with the commitment scheme directly: at the end the commitments only have to be opened.

3- PLONK is a universal SNARK protocol: its CRS (Common Reference String; the paper calls it an SRS, Structured Reference String) can be updated and reused, so a fresh Trusted Setup is not needed for every circuit that is proven.

How to understand the circuit

Suppose the problem is to find a solution of $P(x)=x^3+x+5=35$ (the solution is $x=3$).

Turning this into a circuit is actually very simple:
[Figure 1]

Split each gate into a left and a right input, the left one called $a$ and the right one $b$; then the circuit above can be written as the following equations:

$$
\begin{aligned}
a_0*b_0&=c_0\\
a_1*b_1&=c_1\\
a_2+b_2&=c_2\\
a_3+5&=35\to a_3=30
\end{aligned}
$$
These equations consist of three kinds of operation: addition, multiplication and assignment of a constant. All of them can be expressed with the gate constraints method.

But these four equations, one per gate, are not enough on their own, because the gates are also connected to each other, e.g.
$$a_0=b_0=b_1=a_2,\quad c_0=a_1,\quad c_1=b_2,\quad c_2=a_3$$
These relations require Copy Constraints.

The values of $a,b,c$ above are:

| wire | 0 | 1 | 2 | 3 |
|------|---|---|---|---|
| $a$ | $x$ | $x^2$ | $x$ | $x^3+x$ |
| $b$ | $x$ | $x$ | $x^3$ | / |
| $c$ | $x^2$ | $x^3$ | $x^3+x$ | / |

Gate Constraints

First let us see how the four constraints above,
$$
\begin{aligned}
a_0*b_0&=c_0\\
a_1*b_1&=c_1\\
a_2+b_2&=c_2\\
a_3&=30
\end{aligned}
$$
are turned into the form
$$Q_{L}(x)\,a(x)+Q_{R}(x)\,b(x)+Q_{O}(x)\,c(x)+Q_{M}(x)\,a(x)\,b(x)+Q_{C}(x)=0.$$
Ignoring the polynomial part for now, view the equations above as four equations of the form
$$Q_{L_i}a_i+Q_{R_i}b_i+Q_{O_i}c_i+Q_{M_i}a_ib_i+Q_{C_i}=0,$$
namely:
$$
\begin{aligned}
(0)a_0+(0)b_0+(-1)c_0+(1)a_0b_0+(0)&=0\\
(0)a_1+(0)b_1+(-1)c_1+(1)a_1b_1+(0)&=0\\
(1)a_2+(1)b_2+(-1)c_2+(0)a_2b_2+(0)&=0\\
(1)a_3+(0)b_3+(0)c_3+(0)a_3b_3+(-30)&=0
\end{aligned}
$$

As can be seen, these correspond one-to-one with the four constraints above. Collecting $Q_L,Q_R,Q_M,Q_O,Q_C$ together gives:

$$Q_L=(0,0,1,1),\ Q_R=(0,0,1,0),\ Q_O=(-1,-1,-1,0),\ Q_M=(1,1,0,0),\ Q_C=(0,0,0,-30)$$

These can be viewed as polynomials in point-value (evaluation) form. For example, $Q_L(x)$ is the cubic polynomial passing through the points $(0,0),(1,0),(2,1),(3,1)$; interpolation gives $Q_L(x)=-\frac{1}{3}x^3+\frac{3}{2}x^2-\frac{7}{6}x$, and one can verify that this curve does pass through those points. Since the point-value and coefficient representations can be converted into each other,

$$Q_L(x)=(0,0,1,1)\sim Q_L(x)=-\frac{1}{3}x^3+\frac{3}{2}x^2-\frac{7}{6}x$$

are two equivalent ways of writing the same polynomial. Below, the point-value form is used throughout, as it is clearer.
We therefore obtain

$$Q_L(x)=(0,0,1,1),\ Q_R(x)=(0,0,1,0),\ Q_O(x)=(-1,-1,-1,0),\ Q_M(x)=(1,1,0,0),\ Q_C(x)=(0,0,0,-30)$$

Likewise, once the solution $x=3$ of $x^3+x+5=35$ is known, $a,b,c$ can also be written as polynomials:

$$a(x)=(3,9,3,30),\ b(x)=(3,3,27,/),\ c(x)=(9,27,30,/)$$

The last point of $b(x)$ and of $c(x)$ can be any value.

Putting all this together, the following equation can be constructed:
$$Q_{L}(x)\,a(x)+Q_{R}(x)\,b(x)+Q_{O}(x)\,c(x)+Q_{M}(x)\,a(x)\,b(x)+Q_{C}(x)=0.$$

Here $Q_L(x),Q_R(x),Q_M(x),Q_O(x),Q_C(x)$ can be constructed from knowing only what is being proven, i.e. from the statement in ZKP terms, whereas $a(x),b(x),c(x)$ can only be constructed by someone who knows an answer to the statement, i.e. who holds the witness.

Since the polynomials above were constructed over the four x-coordinates $(0,1,2,3)$, $x=0,x=1,x=2,x=3$ are four roots of the polynomial $Q_{L}(x)a(x)+Q_{R}(x)b(x)+Q_{O}(x)c(x)+Q_{M}(x)a(x)b(x)+Q_{C}(x)$. Letting $Z(x)=x(x-1)(x-2)(x-3)$, there exists an $H(x)$ such that
$$Q_{L}(x)\,a(x)+Q_{R}(x)\,b(x)+Q_{O}(x)\,c(x)+Q_{M}(x)\,a(x)\,b(x)+Q_{C}(x)=Z(x)H(x)$$

The meaning of this identity is that the left-hand side is only required to be $0$ at the four x-coordinates $(0,1,2,3)$; elsewhere it is unconstrained. When verifying, however, the Verifier challenges at some other x-coordinate $s$: $Z(s)H(s)$ is not required to be $0$, but it is required to equal the left-hand expression. Proving that $Z(x)$ is a factor of the left-hand side is equivalent to proving

$$Q_{L}(x)\,a(x)+Q_{R}(x)\,b(x)+Q_{O}(x)\,c(x)+Q_{M}(x)\,a(x)\,b(x)+Q_{C}(x)=0\quad\text{for } x\in\{0,1,2,3\}$$

With the constraint system above, a proof system can already be built in an idealised model: assuming both Prover and Verifier are honest, the following proof system works.

Prover and Verifier both know $Q_L(x),Q_R(x),Q_M(x),Q_O(x),Q_C(x),Z(x)$; the Prover additionally knows $a(x),b(x),c(x),H(x)$.

$$
\begin{aligned}
&\textbf{Prover} && &&\textbf{Verifier}\\
&&&\xleftrightarrow{\quad Q_L,Q_R,Q_M,Q_O,Q_C,Z\quad}&&\\
&&&\xleftarrow{\qquad\qquad s\qquad\qquad}&&\text{random } s\\
&a=a(s),\ b=b(s),\ c=c(s),\ h=H(s)&&\xrightarrow{\qquad a,b,c,h\qquad}&&\text{check } Q_{L}(s)\,a+Q_{R}(s)\,b+Q_{O}(s)\,c+Q_{M}(s)\,ab+Q_{C}(s)=Z(s)\cdot h
\end{aligned}
$$
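The gate-constraint part of the idealised protocol, worked through on the notes' own circuit as an added example (this is not code from the notes or from the linked tutorial): the selector vectors are interpolated into coefficient form, combined into the gate polynomial, and divided by $Z(x)=x(x-1)(x-2)(x-3)$ to recover $H(x)$. Exact rational arithmetic is used instead of a finite field so the interpolated $Q_L(x)$ can be compared with the coefficients given in the text; the unconstrained `/` entries are assumed to be 0.

```python
from fractions import Fraction as Fr
# Constructed example (not code from the notes or their sources): the four gates of
# x^3 + x + 5 = 35 in point-value form, indexed by gate i = 0..3, exactly as in the notes.
Q_L, Q_R, Q_O = [0, 0, 1, 1], [0, 0, 1, 0], [-1, -1, -1, 0]
Q_M, Q_C = [1, 1, 0, 0], [0, 0, 0, -30]
A, B, C = [3, 9, 3, 30], [3, 3, 27, 0], [9, 27, 30, 0]  # honest witness for x = 3; '/' set to 0

def gate_residuals(a, b, c):  # Q_L a + Q_R b + Q_O c + Q_M a b + Q_C per gate; all 0 iff gates hold
    return [Q_L[i]*a[i] + Q_R[i]*b[i] + Q_O[i]*c[i] + Q_M[i]*a[i]*b[i] + Q_C[i] for i in range(4)]

def pmul(p, q):  # polynomial product; coefficient lists, lowest degree first
    out = [Fr(0)] * (len(p) + len(q) - 1)
    for i, x in enumerate(p):
        for j, y in enumerate(q):
            out[i + j] += x * y
    return out

def padd(p, q):  # polynomial sum
    n = max(len(p), len(q))
    return [Fr((p[i] if i < len(p) else 0) + (q[i] if i < len(q) else 0)) for i in range(n)]

def interpolate(vals):
    """Lagrange interpolation through (i, vals[i]), i = 0..n-1: point-value -> coefficient form."""
    res = [Fr(0)]
    for i, v in enumerate(vals):
        basis = [Fr(v)]
        for j in range(len(vals)):
            if j != i:  # multiply by (x - j) / (i - j)
                basis = pmul(basis, [Fr(-j, i - j), Fr(1, i - j)])
        res = padd(res, basis)
    return res

def div_linear(f, r):  # synthetic division of f by (x - r): returns (quotient, remainder)
    h, acc = [], Fr(0)
    for coeff in reversed(f):
        acc = coeff + r * acc
        h.append(acc)
    return h[-2::-1], h[-1]

def gate_poly(a, b, c):
    """Q_L(x)a(x) + Q_R(x)b(x) + Q_O(x)c(x) + Q_M(x)a(x)b(x) + Q_C(x) in coefficient form."""
    qL, qR, qO, qM, qC = map(interpolate, (Q_L, Q_R, Q_O, Q_M, Q_C))
    ax, bx, cx = map(interpolate, (a, b, c))
    out = [Fr(0)]
    for t in (pmul(qL, ax), pmul(qR, bx), pmul(qO, cx), pmul(pmul(qM, ax), bx), qC):
        out = padd(out, t)
    return out

def quotient_H(a, b, c):
    """Divide the gate polynomial by Z(x) = x(x-1)(x-2)(x-3) one root at a time; H(x) exists iff all remainders are 0."""
    H, rems = gate_poly(a, b, c), []
    for r in range(4):
        H, rem = div_linear(H, Fr(r))
        rems.append(rem)
    return H, all(x == 0 for x in rems)
```

Note that the cheating witness from the Copy constraints section, $a=(1,1,1,30)$, $b=(1,1,1,/)$, $c=(1,1,2,/)$, also yields zero residuals and a valid $H(x)$ here: the gate check alone does not see the wiring.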

Copy constraints

Note that the four constraints above only describe the relation among $(a_i,b_i,c_i)$ within the $i$-th gate; they say nothing about equality between wires. They are therefore four isolated equations and do not yet capture the relation $x^3+x+5=35$.
$$
\begin{aligned}
a_0*b_0&=c_0\\
a_1*b_1&=c_1\\
a_2+b_2&=c_2\\
a_3&=30
\end{aligned}
$$

For instance, the Prover could set $a=(1,1,1,30),\ b=(1,1,1,/),\ c=(1,1,2,/)$ and still pass the proof system constructed above. The equality relations of the circuit therefore also have to be described; for example, in the circuit
[Figure 2]
the constraints $a_0=b_0=b_1=a_2,\ c_0=a_1,\ c_1=b_2,\ c_2=a_3$ hold.

First consider how to express that two values within one wire vector are equal. PLONK uses a permutation to express such a relation. Suppose there is a permutation $\sigma(\cdot)$ such that $a(\sigma(i))=a'(i)$, written $a'=\sigma(a)$; then proving $a'(x)=a(x)$ proves that the positions of $a(x)$ paired by the permutation are equal. For example, for $a_0=a_2$, the original $i=(0,1,2,3)$ becomes $\sigma(i)=(2,1,0,3)$ after permutation.
Then, assuming $a'(x)=a(x)$,
$$
a(\sigma(i))=a'(i)\\
\begin{aligned}
&i=0:&&a(0)=a'(0)=a(2)\\
&i=1:&&a(1)=a'(1)\\
&i=2:&&a(2)=a'(2)=a(0)\\
&i=3:&&a(3)=a'(3)
\end{aligned}
$$
and we obtain $a(0)=a(2)$ for $a(x)$.

The problem, however, is that the Verifier cannot compare the two sides point by point, because the Verifier does not know the coefficients of $a(x)$, and running an interactive polynomial proof for each point would be far too cumbersome: it would take $n$ proofs ($n=4$ in this example), each proving $a(i)=a'(i)$. So a range proof is used here, which proves the relation $a(x)=a'(x)$ in one go.

If $a(x)=a'(x)$, then $\prod_{i\in[n]}a(i)=\prod_{i\in[n]}a'(i)$.

Moreover, since $a(\sigma(i))=a'(i)=a(i)$, we get $a(i)+i=a'(i)+\sigma(i)$.
Adding two random numbers $\gamma,\beta$ (as the challenge) gives

$$\prod_{i\in[n]}\bigl(a(i)+\beta\cdot i+\gamma\bigr)=\prod_{i\in[n]}\bigl(a'(i)+\beta\cdot\sigma(i)+\gamma\bigr)$$

For convenience, construct a $P(x)$ such that
$$P(j)=\frac{\prod_{i<j}\bigl(a(i)+\beta\cdot i+\gamma\bigr)}{\prod_{i<j}\bigl(a'(i)+\beta\cdot\sigma(i)+\gamma\bigr)}$$

What now has to be proven is that $P(x)=1$ for all $x=0,1,2,3$.

This is transformed into proving

$$
\begin{aligned}
&1.&P(0)&=1,\\
&2.&P(i+1)&=P(i)\cdot\frac{a(i)+\beta\cdot i+\gamma}{a'(i)+\beta\cdot\sigma(i)+\gamma},\\
&\text{i.e.}&P(i+1)\cdot\bigl(a'(i)+\beta\cdot\sigma(i)+\gamma\bigr)&=P(i)\cdot\bigl(a(i)+\beta\cdot i+\gamma\bigr)
\end{aligned}
$$

The above only proves copy constraints within $a(x)$; how does one prove a constraint like $a_0=b_0$? This is fairly intuitive: let $i\in[3n]$. For a copy constraint such as $a_0=a_2$ we had $\sigma(i)=(2,1,0,3)$; for $a_0=b_0$ it becomes $\sigma(i)=(4,1,2,3,0,5,6,7,8,9,10,11)$. So in the example circuit

[Figure 3]
we have $a_0(i=0)=a_2(i=2)=b_0(i=4)=b_1(i=5),\ a_1(i=1)=c_0(i=8),\ b_2(i=6)=c_1(i=9),\ a_3(i=3)=c_2(i=10)$, which written as a permutation is:

| $i$ | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 |
|-----|---|---|---|---|---|---|---|---|---|---|----|----|
| $\sigma(i)$ | 2 | 8 | 4 | 10 | 5 | 0 | 9 | 7 | 1 | 6 | 3 | 11 |

Then split $\sigma(x)$ into three polynomials: $\sigma_a(x)=(2,8,4,10)$, $\sigma_b(x)=(5,0,9,7)$, $\sigma_c(x)=(1,6,3,11)$.

Proving $P(x)=1$ correspondingly becomes proving $P_a(X)=1,\ P_b(X)=1,\ P_c(X)=1$. This can also be done jointly, as proving $P_a(X)\cdot P_b(X)\cdot P_c(X)=1$.

Since three $P(x)$ proofs have been introduced, the x-coordinates change from $(0,1,2,3)$ to $(0,\dots,11)$. For this reason roots of unity are used as x-coordinates, i.e. the roots $\omega$ of $x^n=1$, which have the property $\omega^{n+i}=\omega^i$.

The proof becomes
$$
P(x)=P_a(X)\cdot P_b(X)\cdot P_c(X)\\
\begin{aligned}
&1.&P(\omega^0)&=1,\\
&2.&P(\omega^n)&=1,\\
&3.&P_a(\omega x)&=P_a(x)\cdot\frac{f_a(x)}{g_a(x)}\\
&4.&P_b(\omega x)&=P_b(x)\cdot\frac{f_b(x)}{g_b(x)}\\
&5.&P_c(\omega x)&=P_c(x)\cdot\frac{f_c(x)}{g_c(x)}
\end{aligned}
$$
where $f_a(x)=a(x)+\beta\cdot x+\gamma,\ g_a(x)=a'(x)+\beta\cdot\sigma_a(x)+\gamma$, and $f_b,g_b,f_c,g_c$ are defined in the same way.

The equations above hold for $x\in\{\omega^0,\omega^1,\omega^2,\omega^3\}$, so we can let $Z(x)=(x-\omega^0)(x-\omega^1)(x-\omega^2)(x-\omega^3)=x^4-1$.

Equations 3, 4, 5 become
$$
\begin{aligned}
P_a(\omega x)\cdot g_a(x)-P_a(x)\cdot f_a(x)&=H_a(x)\cdot Z(x)\\
P_b(\omega x)\cdot g_b(x)-P_b(x)\cdot f_b(x)&=H_b(x)\cdot Z(x)\\
P_c(\omega x)\cdot g_c(x)-P_c(x)\cdot f_c(x)&=H_c(x)\cdot Z(x)
\end{aligned}
$$

The interactive proof of the copy constraints among $a(x),b(x),c(x)$ is then:

$$
\begin{aligned}
&\textbf{Prover} && &&\textbf{Verifier}\\
&&&\xleftarrow{\qquad\beta,\gamma\qquad}&&\text{random } \beta,\gamma\\
&\text{construct } f_a(x),g_a(x),\dots,H_a(x),\dots,P_a(x),\dots&& &&\\
&&&\xleftarrow{\qquad s\qquad}&&\text{random } s\\
&\text{compute } f_a(s),\dots,P_a(\omega s),P_a(s),\dots&&\xrightarrow{\quad f_a(s),\dots\quad}&&\text{check equations 1, 2, 3, 4, 5 above}
\end{aligned}
$$
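The permutation argument of this section run over the notes' 12-wire permutation $\sigma$, as an added example (not code from the notes or from the linked tutorial). It builds the accumulator $P$ from the per-step relation, checks the grand product over all of $a,b,c$ at once, and contrasts the honest witness with the cheating witness $a=(1,1,1,30),\ b=(1,1,1,/),\ c=(1,1,2,/)$ that the gate constraints alone accept. The prime field, the concrete values of $\beta,\gamma$ and the zero values for the `/` wires are assumptions of the example.

```python
import random

MODULUS = (1 << 61) - 1  # constructed prime field; PLONK uses the scalar field of a pairing-friendly curve

# Constructed example (not from the notes' sources). Wire positions i = 0..11 are
# a0..a3, b0..b3, c0..c3; SIGMA is the notes' permutation encoding
# a0 = a2 = b0 = b1, a1 = c0, b2 = c1, a3 = c2 (7 and 11 are the unconstrained '/' wires).
SIGMA = [2, 8, 4, 10, 5, 0, 9, 7, 1, 6, 3, 11]

def accumulator(w, beta, gamma):
    """P(0) = 1 and P(j+1) = P(j) * (w(j) + beta*j + gamma) / (w(j) + beta*sigma(j) + gamma).

    The notes write the denominator with a'(j) = a(sigma(j)); since the claim being proven
    is a' = a, the prover's own wire value w(j) is paired with the permuted index sigma(j)."""
    acc = [1]
    for j, wj in enumerate(w):
        num = (wj + beta * j + gamma) % MODULUS
        den = (wj + beta * SIGMA[j] + gamma) % MODULUS
        acc.append(acc[-1] * num * pow(den, MODULUS - 2, MODULUS) % MODULUS)
    return acc

def step_relation_holds(w, beta, gamma):
    """Equation 2 of the notes, per step: P(j+1)*(w(j)+beta*sigma(j)+gamma) == P(j)*(w(j)+beta*j+gamma)."""
    acc = accumulator(w, beta, gamma)
    return all((acc[j + 1] * (w[j] + beta * SIGMA[j] + gamma)
                - acc[j] * (w[j] + beta * j + gamma)) % MODULUS == 0 for j in range(len(w)))

def copy_constraints_hold(a, b, c, beta=None, gamma=None):
    """Grand-product check: the accumulator starts at 1 and must return to 1 after the last wire.

    With beta, gamma drawn at random after the wires are fixed, a witness that violates a copy
    constraint passes with probability at most (number of wires) / MODULUS (Schwartz-Zippel)."""
    rng = random.SystemRandom()
    beta = rng.randrange(1, MODULUS) if beta is None else beta
    gamma = rng.randrange(1, MODULUS) if gamma is None else gamma
    acc = accumulator(list(a) + list(b) + list(c), beta, gamma)
    return acc[0] == 1 and acc[-1] == 1

# Honest witness for x = 3, and the notes' cheating witness that satisfies every gate
# equation on its own but not the wiring between gates ('/' wires set to 0).
HONEST = ([3, 9, 3, 30], [3, 3, 27, 0], [9, 27, 30, 0])
CHEAT = ([1, 1, 1, 30], [1, 1, 1, 0], [1, 1, 2, 0])
```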

Polynomial commitment

The proof above is still interactive. Applying the Fiat-Shamir transform, $\beta,\gamma$ can be generated with a hash function, and $s$ is obtained from a public reference string, so the protocol above is easily made non-interactive.

But such a protocol still requires both parties to be honest, because nothing constrains the Prover to compute all of its results from the polynomials rather than forging them some other way. A polynomial commitment therefore has to be added.

The role of the polynomial commitment is that the Prover sends the commitment $cm_i=com(f_i,crs)$ to the polynomial together with the evaluation $z_i=f_i(s)$ to the Verifier, and the Verifier can use the opening protocol to check $z_i$, ensuring that it really was computed as $f_i(s)$.

With the polynomial commitment added, the protocol becomes

$$
\begin{aligned}
&\textbf{Prover} && &&\textbf{Verifier}\\
&&&\xleftrightarrow{\quad Q_L,Q_R,Q_M,Q_O,Q_C,Z\quad}&&\\
&&&\xleftrightarrow{\quad\text{check copy constraints}\quad}&&\\
&&&\xrightarrow{\quad\text{commitments to } a(),b(),c(),H()\quad}&&\\
&&&\xleftarrow{\qquad\qquad s\qquad\qquad}&&\text{random } s\\
&a=a(s),\ b=b(s),\ c=c(s),\ h=H(s)&&\xrightarrow{\quad\text{open commitments } a(s),b(s),c(s),H(s)\quad}&&\text{check } Q_{L}(s)\,a+Q_{R}(s)\,b+Q_{O}(s)\,c+Q_{M}(s)\,ab+Q_{C}(s)=Z(s)\cdot h
\end{aligned}
$$

The polynomial commitment scheme is:

  1. ${\sf gen}(d)$ outputs ${\rm srs}=([1]_1,[x]_1,\dots,[x^{d-1}]_1,[1]_2,[x]_2)$. Here $[x]_1$ denotes the $g_1$ component of the bilinear pairing $e(g_1,g_2)$; these notes use additive group notation, i.e. $[x]_1=x\cdot g_1$, which in multiplicative notation would be $[x]_1=g_1^x$.
  2. ${\sf com}(f,{\rm srs})$: $cm=[f(x)]_1$
  3. ${\sf open}(cm,z,s)$, where $s$ is the claimed value $f(z)$: compute $H(x)=\frac{f(x)-f(z)}{x-z},\ W=[H(x)]_1,\ F=cm,\ v=s$ and send them to the Verifier.
     The Verifier checks whether $e(F-[v]_1,[1]_2)\cdot e(-W,[x-z]_2)=1$ holds.

This is the commitment to a single polynomial; the paper also proposes a batched version, which these notes omit.
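The polynomial side of step 3 above, as an added example (not code from the notes, the paper or the linked tutorial): the prover's quotient $H(x)=\frac{f(x)-f(z)}{x-z}$ computed by synthetic division, and the scalar identity $f(x)-v=H(x)\,(x-z)$ that the pairing equation enforces at the hidden srs point. The group operations and pairing are not implemented; the identity is simply evaluated at an explicit point, and the prime field and the sample polynomial $x^3+x+5$ opened at $z=3$ are the example's own choices.

```python
MODULUS = (1 << 61) - 1  # constructed prime field standing in for the curve's scalar field

def poly_eval(f, x):
    """Evaluate f (coefficients lowest degree first) at x by Horner's rule, mod MODULUS."""
    acc = 0
    for coeff in reversed(f):
        acc = (acc * x + coeff) % MODULUS
    return acc

def divide_by_linear(f, z):
    """Synthetic division of f(x) by (x - z): returns (h, r) with f(x) = h(x) * (x - z) + r."""
    d = len(f) - 1
    if d == 0:
        return [], f[0] % MODULUS
    h = [0] * d
    h[d - 1] = f[d] % MODULUS
    for k in range(d - 1, 0, -1):
        h[k - 1] = (f[k] + z * h[k]) % MODULUS
    return h, (f[0] + z * h[0]) % MODULUS

def opening_witness(f, z, v):
    """Prover side of open(): the polynomial H(x) = (f(x) - v) / (x - z).

    It is a polynomial only when v = f(z); for any other claimed value the division leaves a
    non-zero remainder, so a cheating prover has no W = [H(x)]_1 to send. Returns None then."""
    g = list(f)
    g[0] = (g[0] - v) % MODULUS
    h, r = divide_by_linear(g, z)
    return h if r == 0 else None

def opening_identity_holds(f, z, v, h, x):
    """Scalar form of the verifier's check e(F - [v]_1, [1]_2) * e(-W, [x - z]_2) = 1,
    i.e. f(x) - v == H(x) * (x - z). In KZG this is tested at the srs point x without
    anyone knowing x; here x is an explicit argument, so this is illustration only."""
    return (poly_eval(f, x) - v) % MODULUS == poly_eval(h, x) * (x - z) % MODULUS

# Constructed sample: the notes' own polynomial f(x) = x^3 + x + 5, to be opened at z = 3.
F = [5, 1, 0, 1]
```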

References

  1. Vitalik's article Understanding PLONK
  2. The PLONK paper: PlonK: Permutations over Lagrange-bases for Oecumenical Noninteractive arguments of Knowledge
  3. Plonk Tutorial (a Python implementation of Vitalik's blog post) https://github.com/barryWhiteHat/plonk_tutorial
