Previous posts in this series:
The scenario targeted by the Rescue-Prime STARK is:
where $H(*)$ is the Rescue-Prime hash function.
The Rescue-Prime hash computation involves:
For the relationship between the trace, boundary constraints and transition constraints in the plain (non-zero-knowledge) Rescue-Prime hash computation, see:
For a detailed Zero-Knowledge Rescue-Prime STARK proof test case, see: [There the trace is private information, while the boundary constraints and transition constraints are public information.]
The non-interactive proof generated from this Rescue-Prime STARK can be used to construct a post-quantum signature scheme.
Rescue-Prime: a Standard Specification (SoK) is an arithmetization-oriented hash function with a compact description in terms of an AIR.
The Rescue-Prime sponge function is built from the Rescue-XLIX permutation $f_{\mathrm{R}^{\mathrm{XLIX}}} : \mathbb{F}^m \rightarrow \mathbb{F}^m$, which consists of several almost identical rounds. Each round consists of 6 steps:
All rounds are almost identical; the only difference is that the round constants differ from round to round. The backward S-box step looks like a high-degree operation.
The 6 steps of the Rescue-XLIX round function above can be viewed as non-deterministic transition constraints of degree $\alpha$.
Once the Rescue-XLIX permutation is defined, Rescue-Prime is obtained by instantiating a sponge function with it.
In this construction, input field elements are absorbed into the top $r$ elements of the state in between permutations. After one final permutation, the top $r$ elements are read out. The Rescue-Prime hash digest consists of these $r$ elements.
Commonly used STARK proof parameters are:
Furthermore, the input to the hash computation will be a single field element. So in particular, there is only one round of absorbing and one application of the permutation.
The transition constraints for a single round of the Rescue-XLIX permutation are obtained expressing the state values in the middle of the round in terms of the state values at the beginning, and again in terms of the state values at the end, and then equating both expressions.
Let $\boldsymbol{s}_i$ denote the state values at the beginning of round $i$, let $\boldsymbol{c}_{2i}$ and $\boldsymbol{c}_{2i+1}$ be the round constants used in step 3) and step 6) of that round, let $M$ be the MDS matrix, and let superscripts in the formula below denote element-wise powering. Then:
$$\boldsymbol{s}_{i+1} = M\left(\left(M(\boldsymbol{s}_i^\alpha) + \boldsymbol{c}_{2i}\right)^{\frac{1}{\alpha}}\right) + \boldsymbol{c}_{2i+1}$$
Hence the transition of a single round can be expressed by the following equation:
$$M(\boldsymbol{s}_i^\alpha) + \boldsymbol{c}_{2i} = \left(M^{-1}(\boldsymbol{s}_{i+1} - \boldsymbol{c}_{2i+1})\right)^\alpha \enspace .$$
To use this in a STARK, the transition constraints must be independent of the round: a single equation has to describe all rounds, rather than one specific round $i$.
Let $\boldsymbol{X}$ be the vector of variables representing the current state (at the beginning of the round), and $\boldsymbol{Y}$ the vector of variables representing the next state (at the end of the round).
Let $\mathbf{f}_{\boldsymbol{c}_{2i}}(W)$ denote the vector of $m$ polynomials that take the value $\boldsymbol{c}_{2i}$ on $\omicron^i$, and $\mathbf{f}_{\boldsymbol{c}_{2i+1}}(W)$ the vector of $m$ polynomials that take the value $\boldsymbol{c}_{2i+1}$ on $\omicron^i$.
The interpolation domain of the execution trace is $\lbrace \omicron^i \mid 0 \leq i \leq T \rbrace$ for some $T$.
The arithmetic transition constraints above are then equivalent to the following (there are $2m+1$ variables in total, with $m = \mathsf{w}$ registers):
$$M(\boldsymbol{X}^\alpha) + \mathbf{f}_{\boldsymbol{c}_{2i}}(W) = \left(M^{-1}(\boldsymbol{Y} - \mathbf{f}_{\boldsymbol{c}_{2i+1}}(W))\right)^\alpha$$
Compared with this, the boundary constraints are much simpler.
```python
def hash(self, input_element):
    # absorb: at the very beginning, the input goes into the first register
    state = [input_element] + [self.field.zero()] * (self.m - 1)
    # permutation: N rounds
    for r in range(self.N):
        ...  # round body omitted in the original
    # squeeze: at the end, read out the first register
    return state[0]
```
Initially, by the definition of the sponge construction, the first state element is the unknown secret and the second state element is 0.
At the end (after all $N$ rounds, i.e. $T$ cycles), the first state element is the one element of the known hash digest $[h]$, and the second state element is unconstrained. However, this second state element must be kept secret for the scheme to be secure; otherwise an attacker could invert the permutation.
This gives the boundary constraints $(c, r, e) \in \lbrace 0, \ldots, T \rbrace \times \lbrace 0, \ldots, \mathsf{w}-1 \rbrace \times \mathbb{F}$ (where $c$ is the cycle, $r$ is the index of the $r$-th element (starting from 0), and $e$ is the value):
In a STARK the witness is the execution trace. Here the execution trace consists of the state at the start of the first round plus the state after each round.
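As an added example (not the blog's code, nor the reference implementation it describes), the Python below runs one Rescue-XLIX round on a constructed toy parameter set and checks, on a full trace, both the degree-$\alpha$ transition constraint derived above and the two boundary constraints (register 1 is 0 at cycle 0, register 0 equals the digest at cycle $T$). The prime, $\alpha$, the 2x2 MDS matrix and the round constants are all chosen here for illustration and are not the specification's values.

```python
import random
P = 2**64 - 2**32 + 1               # constructed prime field; gcd(ALPHA, P-1) = 1
ALPHA = 7
ALPHA_INV = pow(ALPHA, -1, P - 1)   # (x^ALPHA)^ALPHA_INV == x for every x in F_P
WIDTH = 2                           # state width m = w registers; rate r = 1
N_ROUNDS = 4                        # T cycles
MDS = [[2, 1], [1, 1]]              # constructed 2x2 MDS matrix (det 1, no zero entry)
MDS_INV = [[1, P - 1], [P - 1, 2]]  # its inverse mod P, i.e. [[1, -1], [-1, 2]]
_rng = random.Random(2024)          # constructed round constants, 2 vectors per round
CONSTANTS = [[_rng.randrange(P) for _ in range(WIDTH)] for _ in range(2 * N_ROUNDS)]

def mat_vec(mat, vec):
    return [sum(mat[r][c] * vec[c] for c in range(WIDTH)) % P for r in range(WIDTH)]

def powv(vec, e):                   # element-wise powering
    return [pow(x, e, P) for x in vec]

def addv(a, b):
    return [(x + y) % P for x, y in zip(a, b)]

def round_function(state, i):
    """s_{i+1} = M((M(s_i^alpha) + c_{2i})^{1/alpha}) + c_{2i+1}."""
    s = mat_vec(MDS, powv(state, ALPHA))      # forward S-box, then MDS
    s = addv(s, CONSTANTS[2 * i])             # step 3: add c_{2i}
    s = mat_vec(MDS, powv(s, ALPHA_INV))      # backward S-box, then MDS
    return addv(s, CONSTANTS[2 * i + 1])      # step 6: add c_{2i+1}

def transition_holds(prev, nxt, i):
    """Degree-alpha form: M(s_i^a) + c_{2i} == (M^-1(s_{i+1} - c_{2i+1}))^a."""
    lhs = addv(mat_vec(MDS, powv(prev, ALPHA)), CONSTANTS[2 * i])
    diff = [(x - y) % P for x, y in zip(nxt, CONSTANTS[2 * i + 1])]
    return lhs == powv(mat_vec(MDS_INV, diff), ALPHA)

def execution_trace(secret):
    """Absorb one element into register 0, run N rounds; returns N+1 states."""
    trace = [[secret % P] + [0] * (WIDTH - 1)]
    for i in range(N_ROUNDS):
        trace.append(round_function(trace[-1], i))
    return trace

def boundary_constraints(digest):
    """(cycle, register, value): register 1 is 0 at cycle 0, register 0 is the digest at cycle T."""
    return [(0, 1, 0), (N_ROUNDS, 0, digest)]

def trace_satisfies(trace, digest):
    """Public checks on a trace: every boundary triple and every round transition."""
    ok_boundary = all(trace[c][r] == e for c, r, e in boundary_constraints(digest))
    ok_transition = all(transition_holds(trace[i], trace[i + 1], i) for i in range(N_ROUNDS))
    return ok_boundary and ok_transition
```

Because $\gcd(\alpha, p-1) = 1$, $x \mapsto x^\alpha$ is a bijection on the field, so any tampering with a single trace row makes at least one transition check fail.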
A non-interactive zero-knowledge proof system can be turned into a signature scheme.
STARKs can prove arbitrarily complex computational statements.
Rescue-Prime can be used to generate cryptographically hard problem instances in a STARK-friendly way, with a compact AIR. Therefore the Rescue-Prime STARK can be turned into a signature scheme.
To make it non-interactive, message-dependent Fiat-Shamir is introduced.
The corresponding Rescue-Prime STARK Signature Scheme (RPSSS) is defined as:
```python
import os

class RPSSS:
    def keygen(self):
        sk = self.field.sample(os.urandom(17))  # signing private key
        pk = self.rp.hash(sk)                   # verification public key
        return sk, pk

    def sign(self, sk, document):  # document is the message to be signed
        sps = SignatureProofStream(document)  # SignatureProofStream is in effect a SHA-256 hash computation
        signature = self.stark_prove(sk, sps)
        return signature

    def verify(self, pk, document, signature):
        sps = SignatureProofStream(document)
        return self.stark_verify(pk, signature, sps)
```
The Rescue-Prime STARK Signature Scheme (RPSSS) has the following properties:
The performance of RPSSS is:
The proof size can be reduced further, for example by merging common paths when opening a batch of Merkle leaves.
For speed, a C/Rust implementation would help, since Python performs poorly. Faster algorithms for the key operations would also speed up RPSSS signing and verification as a whole.
For example, using FFTs to speed up polynomial multiplication, interpolation and evaluation improves RPSSS performance to: