PrivacyIN Week2 | Doctoral supervisor Zhang Yupeng gave a lecture on the design principle of the classic zero-knowledge proof protocol

foreword

Privacy Research Institute [PrivacyIN] The first phase of the ZK training camp course is online. In this class, Zhang Yupeng, an assistant professor from the School of Computer Science and Engineering at Texas A&M University (Texas A&M University), is invited to introduce the classic zero-knowledge proof protocol design. Principles, the class theme is "Basic Principles of the Classic ZK Protocols (Groth16 Plonk Stark)".

Course Intensive Lecture Full Text

Since Zero-Knowledge-Proofs was first proposed by Goldwasser, Micali and Rackof in 1985, with the advancement of zero-knowledge proof theory and technology, many classic zero-knowledge proof systems have emerged, such as: Groth16, Pinocchio, Plonk , Marlin, Stark, Halo2, etc. These zero-knowledge proof systems have promoted zero-knowledge proofs from theory to practical applications. At the same time, understanding the working mechanism and construction principles of these protocols is of great significance for designing ZKP application systems.

In this class, Mr. Zhang Yupeng analyzed the design principles of these three typical protocols (non-universal) SNARK, PLONK and STARK. The main contents include: polynomial commitment, introduction to cryptography number theory, PlONK protocol, SNARK protocol, STARK protocol, etc.

At the beginning of the class, Mr. Zhang Yupeng first briefly reviewed the zero-knowledge proof system in the previous class to help students deepen their understanding of the ZKP concept and computing model.

polynomial commitment

Polynomial commitment (polynomial commitment) is a common cryptographic tool for constructing zero-knowledge proof systems. In its construction model, prover/verifer is the main participant, and it is constructed in an interactive proof method (it can be converted to a non-interactive method using Fiat–Shamir-heuristic). In fact, polynomial commitment can be considered as a special kind of zero-knowledge proof, which also satisfies the characteristics of Correctness, Soundness, and Zero-knowledge of zero-knowledge proof.

The rationale for polynomial commitments is:

• The prover has a polynomial, and it constructs a commitment to this polynomial $d_f$, then will commit to $d_f$send to verifier

• Commitment received by verifier $d_f$, take a point arbitrarily, send this point to the prover, and request to calculate the result on this point

• The prover receives the calculation request and uses the polynomial to calculate $f\left(a\right)$ , and generate a proof proof, then$Both\; f\left(a\right)$ and proof proof are sent to verifer for verification

Many classic zero-knowledge proof protocols are constructed based on polynomial commitments, such as Plonk, Dark, Stark, Supersonic, etc.

KZG polynomial commitment is a very classic and efficient implementation of a polynomial commitment construction, especially in the Plonk protocol is a very basic component. KGZ polynomial commitment is based on Bilinear-Pairing and generating group (note: the following content will be introduced in detail), where generating group is generally generated in a finite field based on elliptic curve (for example, g is determined after selecting elliptic curve), the main steps of KGZ commitment:

1. trust setup generation parameters

Generally, the public parameter primes p and g (associated with an elliptic curve) are selected and generated using the MPC ritual:

$$\left\{\begin{array}{c}g,g^s,g^{s^2},g^{s^3},\cdots ,g^{s^d}\end{array}\right\}$$

where s is a random number and will be discarded during generation (s is kept secret)

2. Create promises and proofs

The generating group has additive homomorphism and scale multiplicative properties, and the commitment is expressed as:

$$g^{f(s)}=g^{\sum c_i{s}^i}=Pi{\left(g^{s^i}\right)}^{c_i}$$

Based on Schwartz-Zippel Lemma, that is, for any random number $s$ , take a point$a$ opens to evaluate$f\left(a\right)$ , then:$f\left(s\right)-f(a)=(s-a)q\left(s\right)$ , so$f(s)-f(a)$、$s-a$、$q\left(s\right)$ is expressed using generators as,$g^{f(s)}/g^{f(a)}$、$g^{s-a}$、$g^{q\left(s\right)}$ (can be understood as an encrypted value with additive homomorphic properties).

3. Commitment + proof verification

Verify using Bilinear-Pairing:

$$e(g^f(s)/g^f(a),g)=e(g^{s-a},g^{q(s)}$$

Is it true, that is, it is verified that $f(s)-f(a)=(s-a)q\left(s\right)$ holds.

Fundamentals of Cryptography Number Theory

Zero-knowledge proof has very heavy number theory requirements. In order to overcome serious mathematical problems and help everyone understand the mathematical principles behind the construction of classic protocols, Mr. Zhang Yupeng led everyone to start learning number theory from the most basic definition of prime numbers and modulo operations.

A prime number p is an integer whose number p is greater than or equal to 2 and can only be divisible by itself p and 1;

Modal arithmetic means that any number or its arithmetic operation value (including intermediate operations) requires a positive integer (such as p) specified on the modulus, which can ensure that the number after the modal operation falls between (0,p) , such as the modulo 13 operation:

-1mod13=-1 +1x13=12;
-1+2mod13, namely: (-1mod13)+(2mod13)=(12+2)mod13=1.

A group Group is defined on a set of numbers and satisfies an operator:

• Closure closure (the elements in the group are still in the defined group after performing the operator operation)

• Associative law associativity (the elements in the group satisfy the commutative law for the definition operator operation, such as: (a+b)+c=a+(b+c))

• Zero-element identity element (there is an element e in the group, any element in the group and e performing the definition operation is the element itself)

• Inverse element (any element a in the group, there is an element b in the group, satisfying a+b=e)

For example, the group of integers for addition +, and the group of integers modulo addition.

The domain Field is a group Group, which satisfies the operation (+, x):

• Field Field is an additive group

• The field Field is a group on the "x" operation that removes additive zeros

Rational numbers, real numbers, complex numbers, and integer modulo prime p (finite fields) are all fields, and finite fields are very commonly used in cryptography.

A finite field has a characteristic that it can always find a generator (Generator), and the cyclic multiplication operation of the generator on itself can get all the elements of the finite field, that is, a cyclic group, so the exponential form elements generated by the generator can be used As a representation of finite fields, there are fast algorithms that can find generators of finite fields.

Bilinear pairing Bilinear-Pairing is a very efficient cryptographic tool that maps two element pairs in a base multiplication cyclic group to a target target group, namely:

$$e(p^a,Q^b)=e(P,Q{)}^{a}b:G\times G\to G_T$$

Bilinear-Pairing can be used to verify the multiplicative relationship between the elements of the multiplicative cyclic group (whether they are equal), but it cannot be used for calculation, and its implementation is more complicated. The course mainly introduces the operational characteristics of Bilinear-Pairing, and provides examples of use, such as:

$$e(g^a,G^b)=e{(g,g)}^{a}b=e(g^{a}b,g)$$

PLONK protocol

In order to better explain the construction principle of Plonk, Mr. Zhang Yupeng gave a general ZKP construction model, in which the prover has the secret data secret data, and the calculation problem is converted into a general circuit C calculation problem. The prover proves to the verifier that he uses the secret data as input and Execute the circuit to get the output, and the verifier verifies whether the proof of the prover is correct.

The Plonk protocol is a universal-trusted-setup zero-knowledge proof protocol, which uses SRC (Structure-Reference-String) in the form of:

$$\left\{\begin{array}{c}g,g^s,g^{s^2},g^{s^3},\cdots ，g^{s^d}\end{array}\right\}$$
's structural parameters, which have generic and updatable characteristics. Plonk is mainly realized by designing a unique circuit representation, based on KZG commitment and permutation. Plonk circuit gates use the Plonkish format (different from R1CS) to uniformly represent the constraints of circuit gates, namely:

$$q_{L_i}{a}_i+q_{R_i}{b}_i+q_{M_i}{a}_i\times b_i+q_{O_i}{c}_i+q_{c_i}=0$$

In this way, addition, multiplication, public input, and output can all be expressed by this formula.

For example, an addition gate can be expressed as:

$$q_{L_1}=1,q_{R_1}=1，q_{M_1}=0，q_{O_1}=-1，q_{c_1}=0$$

For example a multiplication gate can be expressed as:

$$q_{L_2}=0,q_{R_2}=0，q_{M_2}=1，q_{O_2}=-1，q_{c_1}=0$$

The Plonk protocol construction is mainly divided into two parts: circuit gate constraint processing and copy (line) constraint processing.

The main steps of circuit gate constraint processing:

prover, verifier preprocessing, using polynomial interpolation to solve the coefficient polynomial $qL(x)$、$qR(x)$、$qM\left(x\right)$、$qO\left(x\right)$、$qC\left(x\right)$ ; prover gets the circuit gate line input polynomial$a(x)$、$b(x)$、$c\left(x\right)$ , which solves for interpolated roots:

$$x=w^i,i=0,\dots ,n-1$$

prover These polynomials are compressed into a polynomial, and then a target polynomial $t(x)$：

$$q_L(x)a(x)+q_R(x)b(x)+q_M(x)a(x)b(x)+q_o(x)c(x)+q_c(x)=V_H(x)t(x)$$

$V_H\left(x\right)={\prod }_i(x-w^i)$vanishing polynomial

(Note: $The\; realization\; of\; t\left(x\right)$ in the original paper is composed of two parts of polynomials constructed by circuit gate constraints and copy constraints)

The prover uses the KZG commitment to create $a(x)$、$b(x)$、$c(x)$、$t\left(x\right)$ is used as a proof, which is provided to the verifier for the commitment to open and verify the correctness.

The main idea of ​​Plonk's copy constraint is that by replacing (rearranging) equal circuit lines, the elements after replacement are equal to the elements, introducing a permutation polynomial, and then further converting it into an equivalent constraint polynomial:

and finally converted to a special polynomial Z ( X ) Z(X) based on Lagrangian polynomials$Z\left(X\right)$ , and then use this polynomial and the gate constraint polynomial to form a compressed new polynomial for proof and verification.

The main steps in the processing of copy (line) constraints:

• Prover and verifier preprocessing, polynomial interpolation to solve permutation polynomial:

$S_{ID}(x),S_{}(x)$

(Note: The original paper of Plonk uses similar multiple permutation functions, and the principle is similar)

• prover against Z ( x ) Z(x)Polynomials such as$Z$$($$x$$)\; carry\; out\; KZG\; commitment\; and\; output\; proof.$

• The verifier performs KZG commitment opening and polynomial relationship correctness verification.

The overall execution of the Plonk protocol:

The overall implementation of the Plonk protocol is actually the processing of gate constraints and replication constraints, and then construct a large polynomial constraint associated with large gate constraints and replication constraints, mainly based on KZG polynomial commitment and Lagrange interpolation to build a complete protocol, and finally use Bilinear- Pairing for verification.

SNARK protocol

The traditional SNARK protocol mainly refers to the public parameters and public keys (certification key and verification key) required to generate zero-knowledge proofs using non-universal trusted-setup. It is generally a concise non-interactive zero-knowledge proof protocol based on Billlinear-Pairing. Here The more classic constructions include Pinocchio and Groth16 protocols, which mainly use R1CS to construct circuit constraints, then convert them to QAP to construct polynomial proofs, and use Billlinear-Pairing to verify polynomials.

The general workflow of traditional SNARK computing problems is as follows:

• Transform a computational problem into a circuit problem (represented as a circuit)

• Represent the circuit as R1CS constraints (multiplicative gate constraints)

• The R1CS constraint is solved by polynomial interpolation to obtain QAP, and the QAP polynomial and the target polynomial t(x) are converted to the group G in encrypted form as the proof part
  

• Use Billlinear-Pairing for QAP polynomial and target polynomial t ( x ) t(x)Definition of$t$$($$x$$)$
  $$\text{ Verification: }e\left(p_1,{Pi}_2\right)/e\left(p_3,g\right)=e\left(g^{t(s)},{Pi}_4\right)$$

STARK agreement

STARK is a simple non-interactive zero-knowledge proof protocol that does not require trusted-setup. The front-end of STARK mainly adopts RAM (Random-Access-Memory) Program for co-construction. A typical RAM-program is composed of CPU (including many registers, etc.) , Memory Memory, program execution instruction program, etc.

STARK transforms the proof problem into proving whether the RAM Program is executed correctly, which is very different from the traditional zkSNARK protocol verification circuit execution. STARK uses RAM Program for front-end program construction, so that the design program can run a large number of times and cyclic instruction steps with very few instruction codes, without being limited to the circuit size; Random Access operation has advantages such as constant complexity.

STARK uses RAM-to-cuirt-Reduction technology for proof, which records all interactions with RAM and CPU State changes during the entire calculation process, and then connects or aggregates them, and converts them into similar circuit constraints to prove and Verify that the RAW Program is executed correctly.

The arithmetic operation of STARK is expressed by a series of polynomials, such as the state of program execution step 1 is $P1(X,\cdots ,Y)$ , the state of executing step 2 is$P2(X,\cdots ,Y)$ , each step can construct a polynomial.

The back-end implementation of STARK can convert the execution step polynomial into a polynomial constraint similar to SNARK or Plonk, and then perform Random linear combination on a certain degree to build a large verification polynomial to prove and verify the correctness of program execution.

In fact, STARK uses the FRI protocol (low degree test) based on the Merkle tree to realize the back-end construction. In addition, additional Permutation tests and public constraints are required in STARK. The theory of the FRI part is relatively complicated, and it was not discussed in depth in the classroom.

In the free discussion session, Zhang Yupeng patiently answered a series of related questions about the principle of protocol design for the students.

ClosePrivacyIN

PrivacyIN Privacy Institute (Privacy Institution) is initiated by the LatticeX Foundation and is committed to building an open cryptographic and privacy technology evangelism and research community. Join the world's top scholars and privacy technology developers to promote the innovation and implementation of ZK (Zero-Knowledge Proof), MPC (Secure Multi-Party Computation), and FHE (Fully Homomorphic Encryption).

About the LatticeX Foundation

The LatticeX Foundation (LatticeX Foundation) is a global open source technology community, with the vision of returning user data sovereignty, protecting data privacy, and realizing data value exchange by building complex calculations, aiming to build a completely decentralized computing interoperability network , promote the transaction of data usage rights under the premise of protecting data sovereignty and privacy, and fund various academic research and scientific research projects to realize the vision of LatticeX.