Efficient polynomial commitment schemes for multiple points and polynomials学习笔记
1. 引言
Boneh等人2020年论文《Efficient polynomial commitment schemes for multiple points and polynomials》,暂无收录信息。
在Kate等人2010年论文[KZG10]《Constant-size commitments to polynomials and their applications》中polynomial commitment scheme的基础上,进行了改进:
- 仅需a single group element即可作为an opening proof for multiple polynomials each evaluated at a different arbitrary subset of points。
已将本文的研究成果植入进了PLONK 的proving system中,实现了improved proof size和prover run time at the expense of additional verifier G 2 \mathbb{G}_2 G2 operations and pairings, and additional G 2 \mathbb{G}_2 G2 SRS elements。(Gabizon等人2019年论文《PLONK: permutations over lagrange-bases for oecumenical noninteractive arguments of knowledge》) - 实现了另一种scheme,其proof包含了2个group elements,相应的verifier complexity要优于[KZG10]种的batch verification method。
当需要a “universal and updatable” setup procedure时,Kate等人2010年论文[KZG10]《Constant-size commitments to polynomials and their applications》中提出的polynomial commitment scheme (PCS) 已成为近期构建的succinct arguments的核心组成要素:[MBKM19, Gab19, CHM+19, GWC19, BFS19]
- Maller等人2019年论文《Sonic: Zero-knowledge snarks from linear-size universal and updateable structured reference strings》
- Gabizon等人2019年论文《Auroralight: improved prover efficiency and SRS size in a sonic-like system》
- Chiesa等人2019年论文《Marlin: Preprocessing zksnarks with universal and updatable SRS》
- Gabizon等人2019年论文《PLONK: permutations over lagrange-bases for oecumenical noninteractive arguments of knowledge》
- B¨unz等人2019年论文《Supersonic: Transparent snarks from DARK compilers》
以上polynomial commitment scheme中都“force” a prover to answer verifier queries according to a fixed polynomial of bounded degree。
PCS通常由Prover message
c
o
m
(
f
)
com(f)
com(f) 开始—— 表示the commitment to a polynomial
f
f
f;当Prover声称
s
=
f
(
z
)
s=f(z)
s=f(z)(其中
z
z
z对Verifier亦已知),将
s
∈
F
s\in\mathbb{F}
s∈F发送给Verifier的同时,也发送相应的“opening proof”
π
\pi
π。当协议中需要运行PCS for 多个多项式和多个evaluation points时,Prover run time 和 communication 将increase with each of these opening proofs。
因此需要构建a PCS,使得the prover overhead doesn’t grow 或者至少grow more slowly with the number of openings。
1.1 相关研究
-
Kate等人2010年论文[KZG10]《Constant-size commitments to polynomials and their applications》中的polynomial commitment scheme为:
基于pairing-based scheme进行构建,其opening proof π \pi π包含了a single G 1 \mathbb{G}_1 G1 group element。 -
Maller等人2019年论文《Sonic: Zero-knowledge snarks from linear-size universal and updateable structured reference strings》中,对[KZG10]中的PCS进行了改进 in the random oracle model,使得an opening proof for several polynomials at the same point z ∈ F z\in\mathbb{F} z∈F 为a single G 1 \mathbb{G}_1 G1 group element,以适于universal and updatable SNARKs。
[Gab19, CHM+19, GWC19] Gabizon等人2019年论文《Auroralight: improved prover efficiency and SRS size in a sonic-like system》、Chiesa等人2019年论文《Marlin: Preprocessing zksnarks with universal and updatable SRS》 和 Gabizon等人2019年论文《PLONK: permutations over lagrange-bases for oecumenical noninteractive arguments of knowledge》 中,均用到了类似的single-point multi-polynomial batch protocols。 -
Kate等人2010年论文[KZG10]《Constant-size commitments to polynomials and their applications》中还包含了一个不太有名的scheme,实现了 one G 1 \mathbb{G}_1 G1 element opening proof for one polynomial at several evaluation points。[GWC19] Gabizon等人2019年论文《PLONK: permutations over lagrange-bases for oecumenical noninteractive arguments of knowledge》 中有更直观的batched version of the [KZG10] scheme。
-
对于multiple polynomials和multiple evaluation points的情况,[CHM+19, GWC19] Chiesa等人2019年论文《Marlin: Preprocessing zksnarks with universal and updatable SRS》 和 Gabizon等人2019年论文《PLONK: permutations over lagrange-bases for oecumenical noninteractive arguments of knowledge》 中 使用了randomized techniques for batching pairing equations 来改进verification efficiency,但是opening proof size和prover computation仍然grow linearly with the number of distinct points。
本文构建了2种PCS for multiple evaluation points and polynomials:
- version 1:opening proof 仅为a single G 1 \mathbb{G}_1 G1 element,但是当distinct evaluation points的数量很大时,verifier operation比 [KZG10]的方案(KZG as in [GWC19])中的要重很多。
- version 2:opening proof 为 2个 G 1 \mathbb{G}_1 G1 elements,verifier complexity要优于KZG as in [GWC19] 方案。
当针对open
t
t
t polynomials all with the same degree bound
n
n
n, each at on distinct point时,各方案的性能对比如下图所示:
[GWC19] Gabizon等人2019年论文《PLONK: permutations over lagrange-bases for oecumenical noninteractive arguments of knowledge》 中的PLONK proving system 允许generating proofs of knowledge for assignments to fan-in two arithmetic circuits with a universal and updatable SRS。其中Prover的主要算力集中在:
- commit to several polynomials
- open them at two distinct evaluation points
将本文的version 1 PCS 嵌入到PLONK中,从而可节约proof length和prover work related to the opening proof of the second evaluation point(repeat the transformation of Lemma 4.7 in [GWC19] using the PCS of Lemma 3.3 instead of the PCS used there to obtain the new result)。替换前后的性能对比如下图所示:(PLONK论文中做了两个版本的实现,一个optimizes fast proving,另一个关注small proof length。)
本文的version 2 PCS does not give interesting tradeoffs for PLONK as two evaluation points are not enough for its advantages to “kick in”。但是如 SLONK—a simple universal SNARK 中的讨论,当针对有需要多于2个evaluation points的场景时,本文的2种PCS scheme优势将更明显。
因此本文提倡 design constraint systems using multiple Shifts and Permutations over Lagrange bases for Oecumenical Noninteractive arguments of Knowledge。
2. 相关定义
2.1 相关定义
-
F \mathbb{F} F:prime order field。
-
F < d [ X ] \mathbb{F}_{<d}[X] F<d[X]:为the set of 单变量polynomials over F \mathbb{F} F of degree smaller than d d d。
-
O \mathcal{O} O:为object generator,输入为security parameter λ \lambda λ,输出为all fields and groups used。如本文, O ( λ ) = ( F , G 1 , G 2 , G t , e , g 1 , g 2 , g t ) \mathcal{O}(\lambda)=(\mathbb{F},\mathbb{G}_1,\mathbb{G}_2,\mathbb{G}_t,e,g_1,g_2,g_t) O(λ)=(F,G1,G2,Gt,e,g1,g2,gt),其中:
– 1) F \mathbb{F} F为a prime field of super-polynomial size r = λ w ( 1 ) r=\lambda^{w(1)} r=λw(1)。
– 2) G 1 , G 2 , G t \mathbb{G}_1,\mathbb{G}_2,\mathbb{G}_t G1,G2,Gt 为 groups of size r r r, e e e为an efficiently computable non-degenerate pairing e : G 1 × G 2 → G t e:\mathbb{G}_1 \times \mathbb{G}_2\rightarrow \mathbb{G}_t e:G1×G2→Gt。
– 3) g 1 , g 2 g_1,g_2 g1,g2 为uniformly chosen generators such that e ( g 1 , g 2 ) = g t e(g_1,g_2)=g_t e(g1,g2)=gt。 -
[ x ] 1 = x ⋅ g 1 , [ x ] 2 = x ⋅ g 2 [x]_1=x\cdot g_1,[x]_2=x\cdot g_2 [x]1=x⋅g1,[x]2=x⋅g2
-
[ n ] [n] [n]:表示整数 { 1 , ⋯ , n } \{1,\cdots,n\} {1,⋯,n}
-
e.w.p:全称为”except with probability”,如e.w.p γ \gamma γ 表示 probability at least 1 − γ 1-\gamma 1−γ。
-
Universal SRS-based public coin protocols:
可借助Fiat-Shamir transform来将interactive protocol转换为non-interactive protocol。整个proof length是指由Prover发送给Verifier的总的communication length。
本文的protocol允许接触a structured reference string (SRS),其可derived in p o l y ( λ ) poly(\lambda) poly(λ)-time form an “SRS of monomials” of the form { [ x i ] 1 } a ≤ i ≤ b , { [ x i ] 2 } c ≤ i ≤ d \{[x^i]_1\}_{a\leq i\leq b},\{[x^i]_2\}_{c\leq i\leq d} {[xi]1}a≤i≤b,{[xi]2}c≤i≤d, for uniform x ∈ F x\in\mathbb{F} x∈F and some integers a , b , c , d a,b,c,d a,b,c,d with absolute value bounded by p o l y ( λ ) poly(\lambda) poly(λ)。Bowe等人2017年论文《Scalable multi-party computation for zksnark parameters in the random beacon model》中指出,the required SRS can be derived in a universal and updatable setup requiring only one honest participant,即an adversary controlling all but one of the participants in the setup does not gain more than a n e g l ( λ ) negl(\lambda) negl(λ) advantage in its probability of producing a proof of any statement。
2.2 Analysis in the AGM model
本文的安全分析是基于Fuchsbauer等人2018年论文《The algebraic group model and its applications》中的Algebraic Group Model (AGM) 来进行的。by an algebraic adversary A \mathcal{A} A in an SRS-based protocol, we mean a p o l y ( λ ) poly(\lambda) poly(λ)-time algorithm 满足如下要求:
- For i ∈ { 1 , 2 } i\in\{1,2\} i∈{1,2},whenever A \mathcal{A} A outputs an element A ∈ G i A\in\mathbb{G}_i A∈Gi,it also outputs a vector v ⃗ \vec{v} v over F \mathbb{F} F 使得 A = < v ⃗ , s r s i > A=<\vec{v},srs_i> A=<v ,srsi>成立。
若all elements of
s
r
s
i
srs_i
srsi 都具有form
[
f
(
x
)
]
i
[f(x)]_i
[f(x)]i for
f
∈
F
<
Q
[
X
]
f\in\mathbb{F}_{<Q}[X]
f∈F<Q[X] and uniform
x
∈
F
x\in\mathbb{F}
x∈F,则称
s
r
s
srs
srs具有degree
Q
Q
Q。接下来考虑的都是具有degree
Q
Q
Q的SRS。
f
i
,
j
f_{i,j}
fi,j 表示the corresponding polynomial for the
j
j
j-th element of
s
r
s
i
srs_i
srsi。
-
a ⃗ , b ⃗ \vec{a},\vec{b} a ,b :为the vectors of F \mathbb{F} F-elements,其encodings in G 1 , G 2 \mathbb{G}_1,\mathbb{G}_2 G1,G2,如the j j j-th G 1 \mathbb{G}_1 G1 element output by A \mathcal{A} A为 [ a j ] 1 [a_j]_1 [aj]1。
-
形如 ( a ⃗ ⋅ T 1 ) ⋅ ( T 2 ⋅ b ⃗ ) = 0 (\vec{a}\cdot \mathbf{T}_1)\cdot (\mathbf{T}_2\cdot \vec{b})=0 (a ⋅T1)⋅(T2⋅b )=0 的check form可称为“real pairing check”。其中矩阵 T 1 , T 2 \mathbf{T}_1,\mathbf{T}_2 T1,T2 over F \mathbb{F} F。
若已知the encoded elements 和 the pairing function e : G 1 × G 2 → G t e:\mathbb{G}_1\times \mathbb{G}_2\rightarrow \mathbb{G}_t e:G1×G2→Gt,以上check可高效执行。 -
若已知 a “real pairing check”、the adversary A \mathcal{A} A、procotol execution during which the elements were output,可定义相应的“ideal check”:
由于 A \mathcal{A} A为algebraic的,其输出 [ a j ] i [a_j]_i [aj]i的同时也输出a vector v ⃗ \vec{v} v ,使得,from linearity, a j = ∑ v l f i , l ( x ) = R i , j ( x ) a_j=\sum v_lf_{i,l}(x)=R_{i,j}(x) aj=∑vlfi,l(x)=Ri,j(x) for R i , j ( X ) = ∑ v l f i , l ( X ) R_{i,j}(X)=\sum v_lf_{i,l}(X) Ri,j(X)=∑vlfi,l(X)。
for i ∈ { 1 , 2 } i\in\{1,2\} i∈{1,2}, the vector of polynomials R i = ( R i , j ) j R_i=(R_{i,j})_j Ri=(Ri,j)j。
相应的ideal check为,验证 KaTeX parse error: Undefined control sequence: \mathb at position 31: …bf{T}_1)\cdot (\̲m̲a̲t̲h̲b̲{T_2}\cdot R_2)… -
Q-DLOG assumption:
-
knowledge soundness in the Algebraic Group Model定义为:
2.3 Polynomial commitment scheme
本文的polynomial commitment scheme与 [GWC19] Gabizon等人2019年论文《PLONK: permutations over lagrange-bases for oecumenical noninteractive arguments of knowledge》中的类似,只是将其中的Open算法定义为a batched setting having multiple polynomials and evaluation points。
针对multiple points时,可将evaluations of a polynomial
f
f
f on a set
S
⊂
F
S\subset \mathbb{F}
S⊂F 看成是 given as a polynomial
r
∈
F
<
∣
S
∣
[
X
]
r\in\mathbb{F}_{<|S|}[X]
r∈F<∣S∣[X] with
r
(
z
)
=
f
(
z
)
r(z)=f(z)
r(z)=f(z) for each
z
∈
S
z\in S
z∈S。此时:
r
(
z
)
=
f
(
z
)
r(z)=f(z)
r(z)=f(z) for each
z
∈
S
z\in S
z∈S,等价为,
f
(
X
)
−
r
(
X
)
f(X)-r(X)
f(X)−r(X) 可被
Z
S
(
X
)
Z_S(X)
ZS(X)整除,其中
Z
S
(
X
)
=
∏
z
∈
S
(
X
−
z
)
Z_S(X)=\prod_{z\in S}(X-z)
ZS(X)=∏z∈S(X−z)。
相应的polynomial commitment scheme定义为:【针对的是
k
k
k个polynomials
f
1
,
⋯
,
f
k
∈
F
<
d
[
X
]
f_1,\cdots,f_k\in\mathbb{F}_{<d}[X]
f1,⋯,fk∈F<d[X],open at
t
t
t个points
z
1
,
⋯
,
z
t
z_1,\cdots,z_t
z1,⋯,zt——对应拆分到每个polynomial的set分别为
S
1
,
⋯
,
S
k
S_1,\cdots,S_k
S1,⋯,Sk】
以上协议满足completeness和knowledge soundness in the algebraic group model:
3. polynomial commitment scheme——version 1
针对的场景是,对于evaluation point
z
∈
S
z\in S
z∈S,其
g
z
∈
S
(
z
)
=
0
g_{z\in S}(z)=0
gz∈S(z)=0,从而有:若
g
(
X
)
g(X)
g(X)可整除
Z
S
(
X
)
Z_S(X)
ZS(X),当且仅当
Z
T
∖
S
(
X
)
⋅
g
(
X
)
Z_{T \setminus S}(X)\cdot g(X)
ZT∖S(X)⋅g(X)可整除
Z
T
(
X
)
Z_T(X)
ZT(X)。
即: