Kate commitments入门
1. 引言
Polynomial commitment schemes (PCSs):
可load a large amount of information (the ‘execution trace of a circuit’) into a single elliptic curve point —— a single ‘number’。
SNARKs需prove to a verifier that large computations have taken place without the verifier having to re run the whole computation (which would defeat the point)。
在Web3世界,Veriifer为a blockchain。对于区块链来说,proof应尽可能简短(即,keep the amount of data that needs to be sent to the verifier as small as possible),因为链上数据存储是非常昂贵的。
2. 何为“trace of a circuit”?
举例:
给定初始
x
x
x,进行100万次
x
→
x
3
+
5
x\rightarrow x^3+5
x→x3+5运算。
最终目的是:在Verifier无需重新运行整个运算过程的情况下,证明结果是正确的。
假设 x x x的初始值为2,即 x = 2 x=2 x=2。
第一次,Prover运算为:
- x 2 = 4 x^2=4 x2=4
- x 3 = x 2 × x = 4 × 2 = 8 x^3=x^2\times x=4\times 2=8 x3=x2×x=4×2=8
- x 3 + 5 = 13 x^3+5=13 x3+5=13
所以对应的trace为 { 2 , 4 , 8 , 13 , ⋯ } \{2,4,8,13,\cdots\} {2,4,8,13,⋯}。
即意味着,100万次运算,需产生3,000,001个trace数字——that’s a lot of data to send, especially given the vastness of the numbers later in the sequence。
如何在不通过网络给Verifier传输这300多万个数字的基础上,使Verifier信任计算结果呢?
—— 可 ‘commit’ to some piece of data that is a digest of all these 3,000,000 numbers,即借助commit-challenge-prove策略:
- 若使用 H ( a 0 ∣ ⋯ ∣ a d ) H(a_0|\cdots|a_d) H(a0∣⋯∣ad)来commit,则reveal时需传输公开所有 a i a_i ai值。
- polynomial commitment schemes使用类似vector space的polynomials,each ‘dimension’ is ‘loaded’ with one of the numbers in the ‘trace’ of computing a programme (by ‘trace’, we mean the sequence of all inputs, intermediary values and outputs computed/used in the course of running the algorithm concerned).
2020年,Kate scheme (又名Kate-Zaverucha-Goldberg scheme),允许a prover to create some data which binds them to an evaluation of a polynomial f ( X ) = ∑ i = 0 k a i X i f(X)=\sum_{i=0}^{k}a_iX^i f(X)=∑i=0kaiXi in a provable fashion。
3. Kate commitment中的reference string
Kate commitment中的reference string为:a list of successive powers of an unknown quantitiy,生成方式类似有 AZTEC Ignition Ceremony :
<
g
,
g
α
,
⋯
,
g
α
t
>
∈
G
t
+
1
<g,g^{\alpha},\cdots,g^{\alpha^t}>\in\mathbb{G}^{t+1}
<g,gα,⋯,gαt>∈Gt+1
其中
G
\mathbb{G}
G为某一elliptic curve group。
这些对应为多项式中的单项式 1 , X , X 2 , ⋯ , X t 1,X,X^2,\cdots,X^t 1,X,X2,⋯,Xt,evaluated at a number α \alpha α,然后表示为elliptic curve form而不是integer form。
4. Kate commitment的假设
Kate commitment的假设为:t-Strong Discrete Log Assumption,即:
已知
g
,
g
α
,
⋯
,
g
α
t
g,g^{\alpha},\cdots,g^{\alpha^t}
g,gα,⋯,gαt,无法计算出
α
\alpha
α值。
但是,当 t t t非常大时,如Aztec选择的BN254 curve,当 t t t接近 2 40 2^{40} 240时,以上安全将无法保证。
4.1 Commitment
C
=
g
f
(
α
)
=
g
a
0
+
a
1
⋅
α
+
a
2
⋅
α
2
+
⋯
a
d
⋅
α
d
=
(
g
)
a
0
⋅
(
g
α
1
)
a
1
⋯
(
g
α
d
)
a
d
C=g^{f(\alpha)}=g^{a_0+a_1\cdot\alpha+a_2\cdot \alpha^2+\cdots a_d\cdot \alpha^d}=(g)^{a_0}\cdot (g^{\alpha^1})^{a_1}\cdots (g^{\alpha^d})^{a_d}
C=gf(α)=ga0+a1⋅α+a2⋅α2+⋯ad⋅αd=(g)a0⋅(gα1)a1⋯(gαd)ad
为多项式
f
(
X
)
=
∑
i
=
1
n
a
i
⋅
X
i
f(X)=\sum_{i=1}^{n}a_i\cdot X^i
f(X)=∑i=1nai⋅Xi的commitment。
要求
d
e
g
(
f
)
≤
t
deg(f)\leq t
deg(f)≤t。
4.2 Opening
Verifier指定任意 opening point
β
≠
α
\beta\neq \alpha
β=α,有:
ψ
β
(
α
)
=
f
(
α
)
−
f
(
β
)
α
−
β
\psi_{\beta}(\alpha)=\frac{f(\alpha)-f(\beta)}{\alpha-\beta}
ψβ(α)=α−βf(α)−f(β)
Prover给Verifier发送的证明内容为:
<
f
(
β
)
,
g
ψ
β
(
α
)
>
<f(\beta), g^{\psi_{\beta}(\alpha)}>
<f(β),gψβ(α)>
4.3 Verify
验证过程为判断:
e
(
C
,
g
)
=
e
(
g
ψ
β
(
α
)
,
g
α
⋅
g
−
β
)
⋅
e
(
g
,
g
)
f
(
β
)
e(C,g)=e(g^{\psi_{\beta}(\alpha)}, g^{\alpha}\cdot g^{-\beta})\cdot e(g,g)^{f(\beta)}
e(C,g)=e(gψβ(α),gα⋅g−β)⋅e(g,g)f(β)
是否成立即可。