PLONK(零知识证明)最终版原文解读(四)--------多项式承诺
这是P的最后一步操作,首先介绍一下什么叫密码学中的承诺:
A commitment scheme is a cryptographic primitive that allows one to commit to a chosen value (or chosen statement) while keeping it hidden to others, with the ability to reveal the committed value later. Commitment schemes are designed so that a party cannot change the value or statement after they have committed to it: that is, commitment schemes are binding. Commitment schemes have important applications in a number of cryptographic protocols including secure coin flipping, zero-knowledge proofs, and secure computation.
A way to visualize a commitment scheme is to think of a sender as putting a message in a locked box, and giving the box to a receiver. The message in the box is hidden from the receiver, who cannot open the lock themselves. Since the receiver has the box, the message inside cannot be changed—merely revealed if the sender chooses to give them the key at some later time.
Interactions in a commitment scheme take place in two phases:
- the commit phase during which a value is chosen and specified the
- reveal phase during which the value is revealed and checked
In simple protocols, the commit phase consists of a single message from the sender to the receiver. This message is called the commitment. It is essential that the specific value chosen cannot be known by the receiver at that time (this is called the hiding property). A simple reveal phase would consist of a single message, the opening, from the sender to the receiver, followed by a check performed by the receiver. The value chosen during the commit phase must be the only one that the sender can compute and that validates during the reveal phase (this is called the binding property).
PLONK中介绍了一个叫做Kate Commitment,其表达形式其实是减除操作:
要证明P(z) = a,需要证明
我们看一下论文中的定义式:
我们看到有两个相同形式的表达式,第一个是Wz(X),其实际是多个承诺的集合,每一行都可以是一个单独的承诺,他们都是取的点z处的承诺。
第二个是在点zw处的承诺。
也就是说,其实最后验证者要验证这两个点处的承诺是否符合。
这样Prover的所有任务就完成了,最终发送:
我们注意这里发送t(x)的三部分并没有带它们的系数(X^n,
与X^2n)。
所以接下来就是V收到后如何进行验证,验证的话就比较简单,我们下一次再探讨。
总结起来,我们拿到一个方程:
- 首先转化为电路
- 将门分别转化为相应的式子
- 将所有门的式子转化为统一的多项式---->门的约束
- 保证线上的值相等,构造坐标对累加器
- 保证(a)(b)约束成立------>线的约束
- 取一个点值带入简化多项式
- 将范围取到合适范围内
- 多项式承诺将之前计算的多项式组合起来用来验证
P的工作大致就是这样子了!
Over~