1. 引言
由于Halo2 circuit中的gate是operate “locally”(on cells in the current row or defined relative rows),因此,通常需要从 任意cell中复制a value 到 gate所在当前行中。通常以equality argument的方式来实现,用于约束source cell和destination cell中的值相同。
Halo2中通过构建a permutation来实现equality constraints,并在proof中使用a permutation argument来完成相应约束。
所谓permutation:
为a one-to-one and onto mapping of a set onto itself。
可将a permutation唯一分解为cycles组合(up to ordering of cycles, and rotation of each cycle)。
有时,也会用cycle notation来表示permutation。令 ( a b c ) (a\ b\ c) (a b c)表示a cycle,其中 a a a maps to b b b, b b b maps to c c c, c c c maps to a a a,可将此扩展为任意size的cycle。
将两个或多个cycles写在一起,表示相应的permutation组合。如 ( a b ) ( c d ) (a\ b)\ (c\ d) (a b) (c d)表示a permutation:
a a a maps to b b b, b b b maps to a a a, c c c maps to d d d,以及 d d d maps to c c c。
2. 构建permutation
2.1 目标
想要构建a permutation,其中,a equality-constraint set中的每个subset of variables可形成a cycle。
如,假设具有定义了如下equality constraints的circuit:
- a ≡ b a \equiv b a≡b
- a ≡ c a \equiv c a≡c
- d ≡ e d \equiv e d≡e
从而具有equality-constraint sets { a , b , c } \{a,b,c\} {
a,b,c}和 { d , e } \{d,e\} {
d,e}。即想构建permutation:
( a b c ) ( d e ) (a\ b\ c)\ (d\ e) (a b c) (d e)
其中定义了mapping of [ a , b , c , d , e ] [a,b,c,d,e] [a,b,c,d,e] to [ b , c , a , e , d ] [b,c,a,e,d] [b,c,a,e,d]。
2.2 算法
为了跟踪the set of cycles,需使用 disjoint set data structure,这种方式比较简单也易于实现,尽管不是最优的方案。
将current state 表示为:
- 1)一个数组 m a p p i n g \mathsf{mapping} mapping 来表示permutation 本身。
- 2)一个辅助数组 a u x \mathsf{aux} aux 来跟踪每个cycle的distinguished element。
- 3)另一个数组 s i z e s \mathsf{sizes} sizes 来跟踪每个cycle的size。
对于cycle C C C中的每个元素 c c c,有 a u x ( x ) \mathsf{aux}(x) aux(x)指向该元素 c ∈ C c\in C c∈C。这可支持快速判断2个element x , y x,y x,y是否在同一cycle——check a u x ( x ) = a u x ( y ) \mathsf{aux}(x)=\mathsf{aux}(y) aux(x)=aux(y)是否成立。
同理, s i z e s ( a u x ( x ) ) \mathsf{sizes}(\mathsf{aux}(x)) sizes(aux(x)) 为包含 x x x的cycle size。(仅适于 s i z e s ( a u x ( x ) ) \mathsf{sizes}(\mathsf{aux}(x)) sizes(aux(x)),而不是 s i z e s ( x ) \mathsf{sizes}(x) sizes(x)。)
以identity permutation为例:
对于所有的 x x x,有 m a p p i n g ( x ) = x , a u x ( x ) = x , s i z e s ( x ) = 1 \mathsf{mapping}(x)=x,\mathsf{aux}(x)=x,\mathsf{sizes}(x)=1 mapping(x)=x,aux(x)=x,sizes(x)=1。
为了增加an equality constraint l e f t ≡ r i g h t \mathit{left} \equiv \mathit{right} left≡right:
- 1)check l e f t \mathit{left} left 和 r i g h t \mathit{right} right 是否在同一cycle,即判断 a u x ( l e f t ) = a u x ( r i g h t ) \mathsf{aux}(left)=\mathsf{aux}(right) aux(left)=aux(right)是否成立,若成立,则直接返回。
- 2)若不成立,则 l e f t \mathit{left} left 和 r i g h t \mathit{right} right分属不同的cycle。将 l e f t \mathit{left} left 标记为larger cycle, r i g h t \mathit{right} right 标记为smaller cycle。若 s i z e s ( a u x ( l e f t ) ) < s i z e s ( a u x ( r i g h t ) ) \mathsf{sizes}(\mathsf{aux}(\mathit{left})) < \mathsf{sizes}(\mathsf{aux}(\mathit{right})) sizes(aux(left))<sizes(aux(right)),则将 l e f t \mathit{left} left 和 r i g h t \mathit{right} right 两者交换。
- 3)设置 s i z e s ( a u x ( l e f t ) ) = s i z e s ( a u x ( l e f t ) ) + s i z e s ( a u x ( r i g h t ) ) \mathsf{sizes}(\mathsf{aux}(\mathit{left})) = \mathsf{sizes}(\mathsf{aux}(\mathit{left})) + \mathsf{sizes}(\mathsf{aux}(\mathit{right})) sizes(aux(left))=sizes(aux(left))+sizes(aux(right))。
- 4)跟随 r i g h t \mathit{right} right (smaller)cycle的mapping around步骤,对于每一个元素 x x x,设置 a u x ( x ) = a u x ( l e f t ) \mathsf{aux}(x)=\mathsf{aux}(\mathit{left}) aux(x)=aux(left)。
- 5)通过交换 m a p p i n g ( l e f t ) \mathsf{mapping}(\mathit{left}) mapping(left)和 m a p p i n g ( r i g h t ) \mathsf{mapping}(\mathit{right}) mapping(right),将smaller cycle 拼接成 larger cycle。
比如,已知2个disjoint cycles ( A B C D ) (A\ B\ C\ D) (A B C D) 和 ( E F G H ) (E\ F\ G\ H) (E F G H):
A +---> B
^ +
| |
+ v
D <---+ C E +---> F
^ +
| |
+ v
H <---+ G
在增加constraint B ≡ E B \equiv E B≡E 后,以上算法生成的cycle为:
A +---> B +-------------+
^ |
| |
+ v
D <---+ C <---+ E F
^ +
| |
+ v
H <---+ G
若不在第1)步中验证 l e f t \mathit{left} left和 r i g h t \mathit{right} right是否在同一cycle,则将end up undoing an equality constraint。以如下constraints为例:
- a ≡ b a \equiv b a≡b
- b ≡ c b \equiv c b≡c
- c ≡ d c \equiv d c≡d
- b ≡ d b \equiv d b≡d
若只使用上述算法中的步骤5)来add an equality constraint,则最终构造的cycle为 ( a b ) ( c d ) (a\ b)\ (c\ d) (a b) (c d),而不是正确的cycle ( a b c d ) (a\ b\ c\ d) (a b c d)。
3. Argument specification
如需check a permutation of cells in m m m columns,可使用Lagrange basis polynomial v 0 , … , v m − 1 v_0, \ldots, v_{m-1} v0,…,vm−1 来表示。
可将 m m m columns中的每个cell 以a unique element of F × \mathbb{F}^{\times} F×来标记。
假设有permutation:
σ ( c o l u m n : i , r o w : j ) = ( c o l u m n : i ′ , r o w : j ′ ) \sigma(\mathsf{column}: i, \mathsf{row}: j) = (\mathsf{column}: i', \mathsf{row}: j') σ(column:i,row:j)=(column:i′,row:j′)
其中cycles 对应为 equality-constraint sets。
若针对 { ( l a b e l , v a l u e ) } \{(\mathit{label}, \mathit{value})\} {
(label,value)} pairs set,则the values within each cycle are equal if and only if permuting the label in each pair by σ \sigma σ yields the same set:
由于 l a b e l label label是不同的,则set equality 等价为 multiset equality,可使用product argument来check。
令:
- ω \omega ω为 a 2 k 2^k 2k root of unity
- δ \delta δ为 a T T T root of unity
其中 T ⋅ 2 S + 1 = p T\cdot 2^S+1=p T⋅2S+1=p, T T T为奇数, k ≤ S k\leq S k≤S。
使用 δ i ⋅ ω j ∈ F × \delta^i\cdot \omega^j\in\mathbb{F}^{\times} δi⋅ωj∈F× 来表示 permutation argument中第 i i i列第 j j j行的cell。
将 σ \sigma σ 表示为 a vector of m m m polynomials s i ( X ) s_i(X) si(X) 使得 s i ( ω j ) = δ i ′ ⋅ ω j ′ s_i(\omega^j) = \delta^{i'} \cdot \omega^{j'} si(ωj)=δi′⋅ωj′。
identity permutation可表示为 a vector of m m m polynomials I D i ( ω j ) \mathsf{ID}_i(\omega^j) IDi(ωj) 使得 I D i ( ω j ) = δ i ⋅ ω j \mathsf{ID}_i(\omega^j) = \delta^i \cdot \omega^j IDi(ωj)=δi⋅ωj。
使用challenge β \beta β 将pair ( l a b e l , v a l u e ) (\mathit{label}, \mathit{value}) (label,value) 压缩为 l a b e l + β ⋅ v a l u e \mathit{label}+\beta \cdot \mathit{value} label+β⋅value。类似于lookup argument中的product argument,也引入challenge γ \gamma γ 来randomize each term of the product。
此时,已知a permutation represented by s 0 , ⋯ , s m − 1 s_0,\cdots, s_{m-1} s0,⋯,sm−1 over columns represented by v 0 , ⋯ , v m − 1 v_0,\cdots,v_{m-1} v0,⋯,vm−1,需保证:
∏ i = 0 m − 1 ∏ j = 0 n − 1 ( v i ( ω j ) + β ⋅ δ i ⋅ ω j + γ v i ( ω j ) + β ⋅ s i ( ω j ) + γ ) = 1 \prod\limits_{i=0}^{m-1} \prod\limits_{j=0}^{n-1} \left(\frac{v_i(\omega^j) + \beta \cdot \delta^i \cdot \omega^j + \gamma}{v_i(\omega^j) + \beta \cdot s_i(\omega^j) + \gamma}\right) = 1 i=0∏m−1j=0∏n−1(vi(ωj)+β⋅si(ωj)+γvi(ωj)+β⋅δi⋅ωj+γ)=1
【此时, v i ( ω j ) + β ⋅ δ i ⋅ ω j v_i(\omega^j) + \beta \cdot \delta^i \cdot \omega^j vi(ωj)+β⋅δi⋅ωj 表示的是 unpermuted pair ( l a b e l , v a l u e ) (\mathit{label}, \mathit{value}) (label,value), 而 v i ( ω j ) + β ⋅ s i ( ω j ) + γ v_i(\omega^j) + \beta \cdot s_i(\omega^j) + \gamma vi(ωj)+β⋅si(ωj)+γ 表示permuted pair ( σ ( l a b e l ) , v a l u e ) (\sigma(\mathit{label}), \mathit{value}) (σ(label),value)。 】
令 Z P Z_P ZP 满足 Z P ( ω 0 ) = Z P ( ω n ) = 1 Z_P(\omega^0) = Z_P(\omega^n) = 1 ZP(ω0)=ZP(ωn)=1 且对于 0 ≤ j < n 0 \leq j < n 0≤j<n有:
Z P ( ω j + 1 ) = ∏ h = 0 j ∏ i = 0 m − 1 v i ( ω h ) + β ⋅ δ i ⋅ ω h + γ v i ( ω h ) + β ⋅ s i ( ω h ) + γ = Z P ( ω j ) ∏ i = 0 m − 1 v i ( ω j ) + β ⋅ δ i ⋅ ω j + γ v i ( ω j ) + β ⋅ s i ( ω j ) + γ \begin{array}{rl} Z_P(\omega^{j+1}) &= \prod\limits_{h=0}^{j} \prod\limits_{i=0}^{m-1} \frac{v_i(\omega^h) + \beta \cdot \delta^i \cdot \omega^h + \gamma}{v_i(\omega^h) + \beta \cdot s_i(\omega^h) + \gamma} \\ &= Z_P(\omega^j) \prod\limits_{i=0}^{m-1} \frac{v_i(\omega^j) + \beta \cdot \delta^i \cdot \omega^j + \gamma}{v_i(\omega^j) + \beta \cdot s_i(\omega^j) + \gamma} \end{array} ZP(ωj+1)=h=0∏ji=0∏m−1vi(ωh)+β⋅si(ωh)+γvi(ωh)+β⋅δi⋅ωh+γ=ZP(ωj)i=0∏m−1vi(ωj)+β⋅si(ωj)+γvi(ωj)+β⋅δi⋅ωj+γ
然后足够enforce the rules:
Z P ( ω X ) ⋅ ∏ i = 0 m − 1 ( v i ( X ) + β ⋅ s i ( X ) + γ ) − Z P ( X ) ⋅ ∏ i = 0 m − 1 ( v i ( X ) + β ⋅ δ i ⋅ X + γ ) = 0 ℓ 0 ⋅ ( 1 − Z P ( X ) ) = 0 Z_P(\omega X) \cdot \prod\limits_{i=0}^{m-1} \left(v_i(X) + \beta \cdot s_i(X) + \gamma\right) - Z_P(X) \cdot \prod\limits_{i=0}^{m-1} \left(v_i(X) + \beta \cdot \delta^i \cdot X + \gamma\right) = 0 \\ \ell_0 \cdot (1 - Z_P(X)) = 0 ZP(ωX)⋅i=0∏m−1(vi(X)+β⋅si(X)+γ)−ZP(X)⋅i=0∏m−1(vi(X)+β⋅δi⋅X+γ)=0ℓ0⋅(1−ZP(X))=0
4. 调整为具有zero-knowledge属性
第3节中的证明不具有zero-knowledge 属性。类似于lookup argument,可将以上证明中每列的最后 t t t行都以随机值填充。
限制usable rows的数量为 u = 2 k − t − 1 u=2^k-t-1 u=2k−t−1,与lookup argument中类似,引入2个selector:
- 1) q b l i n d q_{blind} qblind is set to 1 1 1 on the last t t t rows, and 0 0 0 elsewhere;
- 2) q l a s t q_{last} qlast is set to 1 1 1 only on row u u u, and 0 0 0 elsewhere(即,设置usable rows和blinding rows之间的过渡row)。
对于usable rows的product rule为:
( 1 − ( q l a s t ( X ) + q b l i n d ( X ) ) ) ⋅ \big(1 - (q_\mathit{last}(X) + q_\mathit{blind}(X))\big) \cdot (1−(qlast(X)+qblind(X)))⋅
( Z P ( ω X ) ⋅ ∏ i = 0 m − 1 ( v i ( X ) + β ⋅ s i ( X ) + γ ) − Z P ( X ) ⋅ ∏ i = 0 m − 1 ( v i ( X ) + β ⋅ δ i ⋅ X + γ ) ) = 0 \hspace{1em}\left(Z_P(\omega X) \cdot \prod\limits_{i=0}^{m-1} \left(v_i(X) + \beta \cdot s_i(X) + \gamma\right) - Z_P(X) \cdot \prod\limits_{i=0}^{m-1} \left(v_i(X) + \beta \cdot \delta^i \cdot X + \gamma\right)\right) = 0 (ZP(ωX)⋅i=0∏m−1(vi(X)+β⋅si(X)+γ)−ZP(X)⋅i=0∏m−1(vi(X)+β⋅δi⋅X+γ))=0
同理,对于row 0 0 0的约束仍然为:
ℓ 0 ( X ) ⋅ ( 1 − Z P ( X ) ) = 0 \ell_0(X) \cdot (1 - Z_P(X)) = 0 ℓ0(X)⋅(1−ZP(X))=0
由于此处不再依赖wraparound来保证the product Z ( ω 2 k ) = 1 Z(\omega^{2^k})=1 Z(ω2k)=1,因此,可替换为constrain Z ( ω u ) = 1 Z(\omega^{u})=1 Z(ωu)=1,但是这存在潜在的难点:
若存在某 i ∈ [ 0 , u ) i\in[0,u) i∈[0,u)使得 A i + β A_i+\beta Ai+β或 S i + γ S_i+\gamma Si+γ为 0 0 0,则可能就没法满足permutation argument。
这种情况发生的概率相对于 β , γ \beta,\gamma β,γ可忽略,但是这将是实现 perfect zero knowledge 和 perfect completeness 的一个障碍——因为adversary可rule out witnesses that would cause this situation。
为了保证perfect completeness和perfect zero knowledge,可约束 Z ( ω u ) Z(\omega^u) Z(ωu)要么为 0 0 0要么为 1 1 1:
q l a s t ( X ) ⋅ ( Z ( X ) 2 − Z ( X ) ) = 0 q_\mathit{last}(X) \cdot (Z(X)^2 - Z(X)) = 0 qlast(X)⋅(Z(X)2−Z(X))=0
此时,若存在某个 i i i使得 A i + β = 0 A_i+\beta=0 Ai+β=0或者 S i + γ = 0 S_i+\gamma=0 Si+γ=0,则可设置 Z j = 0 Z_j=0 Zj=0 for i < j ≤ u i<j\leq u i<j≤u,从而满足constraint system。
注意,challenges β , γ \beta, \gamma β,γ是在 A , S , A ′ , S ′ A,S,A',S' A,S,A′,S′ commit之后才发送的,因此,Prover无法强制使 A i + β = 0 A_i+\beta=0 Ai+β=0或 S i + γ = 0 S_i+\gamma=0 Si+γ=0。由于这种情况发生的概率可忽略,不会影响soundness。
5. Spanning a large number of columns
第3节中的rules:
Z P ( ω X ) ⋅ ∏ i = 0 m − 1 ( v i ( X ) + β ⋅ s i ( X ) + γ ) − Z P ( X ) ⋅ ∏ i = 0 m − 1 ( v i ( X ) + β ⋅ δ i ⋅ X + γ ) = 0 ℓ 0 ⋅ ( 1 − Z P ( X ) ) = 0 Z_P(\omega X) \cdot \prod\limits_{i=0}^{m-1} \left(v_i(X) + \beta \cdot s_i(X) + \gamma\right) - Z_P(X) \cdot \prod\limits_{i=0}^{m-1} \left(v_i(X) + \beta \cdot \delta^i \cdot X + \gamma\right) = 0 \\ \ell_0 \cdot (1 - Z_P(X)) = 0 ZP(ωX)⋅i=0∏m−1(vi(X)+β⋅si(X)+γ)−ZP(X)⋅i=0∏m−1(vi(X)+β⋅δi⋅X+γ)=0ℓ0⋅(1−ZP(X))=0
可假设第一条rule中的column number m m m 会小于等于 PLONK中设置的maximum degree bound。若column number m m m 大于PLONK中设置的 maximum degree bound,则可做如下优化:
spanning a large number of columns。
Halo2实际实现时,并未限制equality constraints中columns的数量。但是,需要处理product rule中生成的多项式degree 大于 PLONK中配置的degree bound 的情况。可提升degree bound,但是若其它rule不需要a larger degree,这将使其它rule的效率降低。
可将product across b b b sets of m m m columns,切分为 product columns Z P , 0 , … Z P , b − 1 Z_{P,0}, \ldots Z_{P,b-1} ZP,0,…ZP,b−1,然后引入另一个rule来:
copy the product from the end of one column set to the beginning of the next。
对于 0 ≤ a < b 0\leq a < b 0≤a<b,有:
( 1 − ( q l a s t ( X ) + q b l i n d ( X ) ) ) ⋅ \big(1 - (q_\mathit{last}(X) + q_\mathit{blind}(X))\big) \cdot (1−(qlast(X)+qblind(X)))⋅
( Z P , a ( ω X ) ⋅ ∏ i = a m ( a + 1 ) m − 1 ( v i ( X ) + β ⋅ s i ( X ) + γ ) − Z P ( X ) ⋅ ∏ i = a m ( a + 1 ) m − 1 ( v i ( X ) + β ⋅ δ i ⋅ X + γ ) ) \hspace{1em}\left(Z_{P,a}(\omega X) \cdot \!\prod\limits_{i=am}^{(a+1)m-1}\! \left(v_i(X) + \beta \cdot s_i(X) + \gamma\right) - Z_P(X) \cdot \!\prod\limits_{i=am}^{(a+1)m-1}\! \left(v_i(X) + \beta \cdot \delta^i \cdot X + \gamma\right)\right) (ZP,a(ωX)⋅i=am∏(a+1)m−1(vi(X)+β⋅si(X)+γ)−ZP(X)⋅i=am∏(a+1)m−1(vi(X)+β⋅δi⋅X+γ))
= 0 \hspace{2em}= 0 =0
为了简单起见,可假设enabled for equality constraints的列数量为 m m m的倍数;如果不是整数倍,则最后一列的set具有少于 m m m个项。
- 对于第一列set,有:
ℓ 0 ⋅ ( 1 − Z P , 0 ( X ) ) = 0 \ell_0 \cdot (1 - Z_{P,0}(X)) = 0 ℓ0⋅(1−ZP,0(X))=0 - 对于subsequent column set 0 < a < b 0<a<b 0<a<b,可采用如下rule来copy Z P , a − 1 ( ω u ) Z_{P,a-1}(\omega^u) ZP,a−1(ωu) 到下一列set Z P , a ( ω 0 ) Z_{P,a}(\omega^0) ZP,a(ω0) 的起始位置:
ℓ 0 ⋅ ( Z P , a ( X ) − Z P , a − 1 ( ω u X ) ) = 0 \ell_0 \cdot \left(Z_{P,a}(X) - Z_{P,a-1}(\omega^u X)\right) = 0 ℓ0⋅(ZP,a(X)−ZP,a−1(ωuX))=0 - 对于最后一列set, 令 Z P , b − 1 ( ω u ) Z_{P,b-1}(\omega^u) ZP,b−1(ωu) 要么为 0 0 0要么为 1 1 1:
q l a s t ( X ) ⋅ ( Z P , b − 1 ( X ) 2 − Z P , b − 1 ( X ) ) = 0 q_\mathit{last}(X) \cdot \left(Z_{P,b-1}(X)^2 - Z_{P,b-1}(X)\right) = 0 qlast(X)⋅(ZP,b−1(X)2−ZP,b−1(X))=0
从而具有perfect completeness 和 zero knowledge。