2. relaxed R1CS
releaxed RlCS定义: ( A , B , C , m , n , l ) (A,B,C,m,n,l) (A,B,C,m,n,l),其中 m 、 n 、 l m、n、l m、n、l为正整数,且 m > l m>l m>l, A , B , C ∈ F m × m A,B,C \in F^{m \times m} A,B,C∈Fm×m 且至多有n个non-zero entries,给定witness W ∈ F m − l − 1 W \in F^{m-l-1} W∈Fm−l−1 , relaxed R1CS满足
( A ⋅ Z ) ∘ ( B ⋅ Z ) = u ⋅ ( C ⋅ Z ) + E (A \cdot Z) \circ (B \cdot Z) = u \cdot (C \cdot Z) + E (A⋅Z)∘(B⋅Z)=u⋅(C⋅Z)+E
其中 Z = ( W , x , u ) , x ∈ F l , E ∈ F m , u ∈ F Z = (W,x,u), x\in F^l, E \in F^m , u \in F Z=(W,x,u),x∈Fl,E∈Fm,u∈F 。
*当 u = 1 、 E = 0 u=1、E=0 u=1、E=0时 relaxed R1CS就等于R1CS
我们继续进行首次尝试中的构造,对于 Z i = ( W i , x i , u i ) Z_i = (W_i,x_i,u_i) Zi=(Wi,xi,ui),prover和verifier 需要额外计算:
u = u 1 + r ⋅ u 2 E = E 1 + r ⋅ ( A Z 1 ∘ B Z 2 + A Z 2 ∘ B Z 1 − u 1 C Z 2 − u 2 C Z 1 ) + r 2 ⋅ E 2 u = u_1 + r \cdot u_2 \\ E = E_1 + r \cdot (AZ_1 \circ BZ_2 + AZ_2 \circ BZ_1 - u_1CZ_2-u_2CZ_1) + r^2 \cdot E_2 u=u1+r⋅u2E=E1+r⋅(AZ1∘BZ2+AZ2∘BZ1−u1CZ2−u2CZ1)+r2⋅E2
然后,设置新的instance-witness对为 ( ( E , u , X ) , W ) ((E,u,X),W) ((E,u,X),W)
对于 Z = ( W , x , u ) , r ∈ F Z = (W,x,u), r \in F Z=(W,x,u),r∈F ,有:
A Z ∘ B Z = A Z 1 ∘ B Z 1 + r ( A Z 1 ∘ B Z 2 + A Z 2 ∘ B Z 1 ) + r 2 ( A Z 2 ∘ B Z 2 ) = ( u 1 C Z 1 + E 1 ) + r ( A Z 1 ∘ B Z 2 + A Z 2 ∘ B Z 1 ) + r 2 ( u 2 C Z 2 + E 2 ) = ( u 1 + r u 2 ) ⋅ C ( Z 1 + r Z 2 ) + E = u C Z + E \begin{align} A Z \circ BZ & = AZ_1 \circ BZ_1 + r(AZ_1 \circ BZ_2+AZ_2 \circ BZ_1) + r^2(AZ_2 \circ BZ_2) \\ & = (u_1CZ_1 + E_1) + r(AZ_1 \circ BZ_2+AZ_2 \circ BZ_1) + r^2(u_2CZ_2 + E_2) \\ & = (u_1 + ru_2)\cdot C(Z_1 + rZ_2) +E \\ & = uCZ +E \end{align} AZ∘BZ=AZ1∘BZ1+r(AZ1∘BZ2+AZ2∘BZ1)+r2(AZ2∘BZ2)=(u1CZ1+E1)+r(AZ1∘BZ2+AZ2∘BZ1)+r2(u2CZ2+E2)=(u1+ru2)⋅C(Z1+rZ2)+E=uCZ+E
搞定但不完美! 这里仍然存在一个问题:
- 上述方案中,prover是将witness ( W 1 , W 2 ) (W_1,W_2) (W1,W2)明文发送给verifier的,导致该方案既不是non-trivial的,也不是zero-knowledg的
所以接下来要解决零知识的问题
为解决上面零知识问题,将 W , E W,E W,E同视为witness,prover计算 W , E W,E W,E的承诺,并将承诺值而非明文发送给verifier,从而保护了隐私。
将这种变种的relaxed R1CS称为committed relaxed R1CS
3. committed relaxed R1CS
committed releaxed RlCS定义: ( A , B , C , m , n , l ) (A,B,C,m,n,l) (A,B,C,m,n,l),其中 m 、 n 、 l m、n、l m、n、l为正整数,且 m > l m>l m>l, A , B , C ∈ F m × m A,B,C \in F^{m \times m} A,B,C∈Fm×m 且至多有n个non-zero entries, ( E ‾ , u , w ‾ , x ) (\overline{E},u,\overline{w},x) (E,u,w,x)是committed releaxed RlCS的instance,其中 ( E ‾ , w ‾ ) (\overline{E},\overline{w}) (E,w) 是 ( E , w ) (E,w) (E,w)的承诺, x ∈ F l 是公共输入和输出 , u ∈ F x\in F^l是公共输入和输出, u \in F x∈Fl是公共输入和输出,u∈F
如果 ( E , r E , W , r W ) ∈ ( F m , F , F m − l − 1 , F ) (E,r_E,W,r_W) \in (F^m,F,F^{m-l-1,F}) (E,rE,W,rW)∈(Fm,F,Fm−l−1,F)满足
- E ‾ = C o m m ( E , r E ) \overline{E} = Comm(E,r_E) E=Comm(E,rE)
- W ‾ = C o m m ( W , r W ) \overline{W} = Comm(W,r_W) W=Comm(W,rW)
- ( A ⋅ Z ) ∘ ( B ⋅ Z ) = u ⋅ ( C ⋅ Z ) + E (A \cdot Z) \circ (B \cdot Z) = u \cdot (C \cdot Z) + E (A⋅Z)∘(B⋅Z)=u⋅(C⋅Z)+E
则称 ( E , r E , W , r W ) (E,r_E,W,r_W) (E,rE,W,rW) 是instance ( E ‾ , u , w ‾ , x ) (\overline{E},u,\overline{w},x) (E,u,w,x)对应的witness,其中 Z = ( W , x , u ) Z = (W,x,u) Z=(W,x,u)
3.1 Committed Relaxed R1CS 的Folding Scheme
prover和verifier共同拥有:
- instances ( E 1 ‾ , u 1 , w 1 ‾ , x 1 ) (\overline{E_1},u_1,\overline{w_1},x_1) (E1,u1,w1,x1)和 ( E 2 ‾ , u 2 , w 2 ‾ , x 2 ) (\overline{E_2},u_2,\overline{w_2},x_2) (E2,u2,w2,x2)
prover独自拥有:
- witnesses ( E 1 , r E 1 , W 1 , r W 1 ) (E_1,r_{E1},W_1,r_{W1}) (E1,rE1,W1,rW1)和 ( E 2 , r E 2 , W 2 , r W 2 ) (E_2,r_{E2},W_2,r_{W2}) (E2,rE2,W2,rW2)
令 Z 1 = ( W 1 , x 1 , u 1 ) Z_1 = (W_1,x_1,u_1) Z1=(W1,x1,u1)、 Z 2 = ( W 2 , x 2 , u 2 ) Z_2 = (W_2,x_2,u_2) Z2=(W2,x2,u2),prover和verifier交互如下:
-
Prover: 发送 T ‾ = C o m m ( T , r T ) \overline{T} = Comm(T,r_T) T=Comm(T,rT) ,其中 r T ∈ F r_T \in F rT∈F, T 为交叉项:
T = A Z 1 ∘ B Z 2 + A Z 2 ∘ B Z 1 − u 1 C Z 2 − u 2 C Z 1 T = AZ_1 \circ BZ_2 + AZ_2 \circ BZ_1 - u_1CZ_2-u_2CZ_1 T=AZ1∘BZ2+AZ2∘BZ1−u1CZ2−u2CZ1
-
verifier: 选择随机数 r ∈ F r \in F r∈F并发送
-
prover & verifier 计算folded instance ( E ‾ , u , w ‾ , x ) (\overline{E},u,\overline{w},x) (E,u,w,x) :
E ‾ = E 1 ‾ + r ⋅ T ‾ + r 2 ⋅ E 2 ‾ u = u 1 + r ⋅ u 2 W ‾ = W 1 ‾ + r ⋅ W 2 ‾ x = x 1 + r ⋅ x 2 \overline{E} = \overline{E_1} + r \cdot \overline{T} + r^2 \cdot \overline{E_2} \\ u = u_1 + r \cdot u_2\\ \overline{W} = \overline{W_1} + r \cdot \overline{W_2} \\ x = x_1 + r \cdot x_2\\ E=E1+r⋅T+r2⋅E2u=u1+r⋅u2W=W1+r⋅W2x=x1+r⋅x2 -
prover: 计算 folded witness ( E , r E , W , r W ) (E,r_E,W,r_W) (E,rE,W,rW)
E = E 1 + r ⋅ T + r 2 ⋅ E 2 r E = r E 1 + r ⋅ r T + r 2 ⋅ r E 2 W = W 1 + r ⋅ W 2 r W = r W 1 + r ⋅ r W 2 E = E_1 + r \cdot T + r^2 \cdot E_2 \\ r_E = r_{E1} + r \cdot r_T + r^2 \cdot r_{E2}\\ W = W_1 + r \cdot W_2 \\ r_W = r_{W_1} + r \cdot r_{W_2} E=E1+r⋅T+r2⋅E2rE=rE1+r⋅rT+r2⋅rE2W=W1+r⋅W2rW=rW1+r⋅rW2
参考资料
Nova: Recursive Zero-Knowledge Arguments from Folding Schemes