Zcash中的zk-SNARK statements
1. 引言
zero-knowledge proving system为a cryptographic protocol,用于证明:
- a particular statement,dependent on primary and auxiliary inputs, in zero knowledge —— 即,不需要reveal auxiliary inputs信息的情况下,可证明该statement。
Zcash中使用的zero-knowledge proving system类型为:
- preprocessing zk-SNARK [BCCGLRT2014-Zerocash: Decentralized Anonymous Payments from Bitcoin (extended vesion)]
preprocessing zk-SNARK instance中定义了如下类型:
- ZK.ProvingKeyZK.ProvingKeyZK.ProvingKey
- ZK.VerifyingKeyZK.VerifyingKeyZK.VerifyingKey
- ZK.PrimaryInputZK.PrimaryInputZK.PrimaryInput
- ZK.AuxiliaryInputZK.AuxiliaryInputZK.AuxiliaryInput
- ZK.ProofZK.ProofZK.Proof
- ZK.Satisfyinginputs⊆ZK.PrimaryInput×ZK.AuxiliaryInputZK.Satisfyinginputs\subseteq ZK.PrimaryInput \times ZK.AuxiliaryInputZK.Satisfyinginputs⊆ZK.PrimaryInput×ZK.AuxiliaryInput
- ZK.Gen:()→RZK.ProvingKey×ZK.VerifyingKeyZK.Gen:()\rightarrow_R ZK.ProvingKey\times ZK.VerifyingKeyZK.Gen:()→RZK.ProvingKey×ZK.VerifyingKey
- ZK.Prove:ZK.ProvingKey×ZK.SatisfyingInputs→ZK.ProofZK.Prove: ZK.ProvingKey\times ZK.SatisfyingInputs\rightarrow ZK.ProofZK.Prove:ZK.ProvingKey×ZK.SatisfyingInputs→ZK.Proof
- ZK.Verify:ZK.VerifyingKey×ZK.PrimaryInput×ZK.Proof→BZK.Verify: ZK.VerifyingKey\times ZK.PrimaryInput\times ZK.Proof\rightarrow \mathbb{B}ZK.Verify:ZK.VerifyingKey×ZK.PrimaryInput×ZK.Proof→B
zk-SNARK应满足如下安全属性:
- completeness
- knowledge soundness
- statistical zero knowledge
Zcash中采用了2种proving system:
- BCTV14,采用BN-254 pairing来prove and verify Sprout JoinSplit statement。
- Groth16,采用BLS12-381 pairing来prove and verify Sapling Spend Statement和Output Statement。
Zcash中涉及的zk-SNARK statements主要有:
- JoinSplit Statement (Sprout)——ZKJoinSplit
- Spend Statement (Sapling)——ZKSpend
- Output Statement (Sapling)——ZKOutput
2. Spend Statement (Sapling)
Spend Statement πZKSpend\pi_{ZKSpend}πZKSpend 中的primary input 有:【即public input】
- rtSapling:B[lMerkleSapling]rt^{Sapling}:\mathbb{B}^{[l_{Merkle}^{Sapling}]}rtSapling:B[lMerkleSapling]:为anchor。
- cvoldcv^{old}cvold:为ValueCommitSapling.OutputValueCommit^{Sapling}.OutputValueCommitSapling.Output,为J\mathbb{J}J类型。
- nfoldnf^{old}nfold:为BY[lPRFnfSapling/8]\mathbb{B}^{\mathbb{Y}^{[l_{PRFnfSapling}/8]}}BY[lPRFnfSapling/8]。
- rkrkrk:为SpendAuthSigSapling.PublicSpendAuthSig^{Sapling}.PublicSpendAuthSigSapling.Public,为J\mathbb{J}J类型。
仅Prover知道的auxiliary input有:【即witness】
- pathpathpath:为B[lMerkleSapling][MerkleDepthSapling]\mathbb{B}^{[l_{Merkle}^{Sapling}][MerkleDepth^{Sapling}]}B[lMerkleSapling][MerkleDepthSapling]
- pospospos:取值范围为 {0..2MerkleDepthSapling−1}\{0..2^{MerkleDepth^{Sapling}}-1\}{0..2MerkleDepthSapling−1}
- gdg_dgd:J\mathbb{J}J
- pkdpk_dpkd:J\mathbb{J}J
- voldv^{old}vold:取值范围为 {0..2lvalue−1}\{0..2^{l_{value}}-1\}{0..2lvalue−1}
- rcvoldrcv^{old}rcvold:取值范围为 {0..2lscalarSapling−1}\{0..2^{l_{scalar}^{Sapling}}-1\}{0..2lscalarSapling−1}
- cmoldcm^{old}cmold:J\mathbb{J}J
- rcmoldrcm^{old}rcmold:取值范围为 {0..2lscalarSapling−1}\{0..2^{l_{scalar}^{Sapling}}-1\}{0..2lscalarSapling−1}
- α\alphaα:取值范围为 {0..2lscalarSapling−1}\{0..2^{l_{scalar}^{Sapling}}-1\}{0..2lscalarSapling−1}
- akakak:为SpendAuthSigSapling.PublicSpendAuthSig^{Sapling}.PublicSpendAuthSigSapling.Public,为J\mathbb{J}J类型。
- nsknsknsk:取值范围为 {0..2lscalarSapling−1}\{0..2^{l_{scalar}^{Sapling}}-1\}{0..2lscalarSapling−1}
πZKSpend\pi_{ZKSpend}πZKSpend 需证明以下关系:
- 1)Note commitment integrity,即:cmold=NoteCommitrcmoldSapling(reprJ(gd),reprJ(pkd),vold)cm^{old}=NoteCommit_{rcm^{old}}^{Sapling}(repr_{\mathbb{J}}(g_d),repr_{\mathbb{J}}(pk_d),v^{old})cmold=NoteCommitrcmoldSapling(reprJ(gd),reprJ(pkd),vold)。【注意,不会check that rcmold<rJrcm^{old}<r_{\mathbb{J}}rcmold<rJ。】
- 2)Merkle path validity,即:要么vold=0v^{old}=0vold=0;要么,(pos,path)(pos,path)(pos,path)为 由 cmu=ExtractJ(r)(cmold)cm_u=Extract_{\mathbb{J}^{(r)}}(cm^{old})cmu=ExtractJ(r)(cmold) 到 anchor(即merkle root)rtSaplingrt^{Sapling}rtSapling 的valid Merkle path of depth MerkleDepthSaplingMerkleDepth^{Sapling}MerkleDepthSapling。【在Merkle path vvalidity check中,每一层都不会check that its input bit sequence is a cannonical encoding (in {0..qJ−1}\{0..q_{\mathbb{J}}-1\}{0..qJ−1}) of the integer from the previous layer。】
- 3)Value commitment integerity,即:cvold=ValueCommitrcvoldSapling(vold)cv^{old}=ValueCommit_{rcv^{old}}^{Sapling}(v^{old})cvold=ValueCommitrcvoldSapling(vold)。【注意,不会check that rcvold<rJrcv^{old}<r_{\mathbb{J}}rcvold<rJ。】
- 4)Small order checks,即:gd和akg_d和akgd和ak 不是small order的,即 [hJ]gd≠OJ[h_{\mathbb{J}}]g_d\neq \mathcal{O}_{\mathbb{J}}[hJ]gd=OJ 且 [hJ]ak≠OJ[h_{\mathbb{J}}]ak\neq \mathcal{O}_{\mathbb{J}}[hJ]ak=OJ。
- 5)Nullifier integrity,即:nfold=PRFnk⋆nfSapling(ρ⋆)nf^{old}=PRF_{nk\star}^{nfSapling}(\rho\star)nfold=PRFnk⋆nfSapling(ρ⋆),其中nk⋆=reprJ([nsk]HSapling),ρ⋆=reprJ(MixingPedersenHash(cmold,pos))nk\star=repr_{\mathbb{J}}([nsk]\mathcal{H}^{Sapling}),\rho\star=repr_{\mathbb{J}}(MixingPedersenHash(cm^{old},pos))nk⋆=reprJ([nsk]HSapling),ρ⋆=reprJ(MixingPedersenHash(cmold,pos))。
- 6)Spend authority,即:rk=SpendAuthSigSapling.RandomizePublic(α,ak)=ak+[α]GSaplingrk=SpendAuthSig^{Sapling}.RandomizePublic(\alpha,ak)=ak+[\alpha]\mathcal{G}^{Sapling}rk=SpendAuthSigSapling.RandomizePublic(α,ak)=ak+[α]GSapling。【注意,在Spend statement中不会check that rkrkrk is not of small order,但是在Spend statement之外会check。】
- 7)Diversified address integrity,即:pkd=[ivk]gdpk_d=[ivk]g_dpkd=[ivk]gd,其中ivk=CRHivk(ak⋆,nk⋆),ak⋆=reprJ(ak)ivk=CRH^{ivk}(ak\star,nk\star),ak\star=repr_{\mathbb{J}}(ak)ivk=CRHivk(ak⋆,nk⋆),ak⋆=reprJ(ak)。
3. Output Statement (Sapling)
相关参数有:
- lMerkleSaplingl_{Merkle}^{Sapling}lMerkleSapling:255
- lscalarSaplingl_{scalar}^{Sapling}lscalarSapling:252
Output Statement πZKOutput\pi_{ZKOutput}πZKOutput 中的primary input 有:【即public input】
- cvnewcv^{new}cvnew:ValueCommitSapling.OutputValueCommit^{Sapling}.OutputValueCommitSapling.Output,为J\mathbb{J}J类型。
- cmucm_{u}cmu:B[lMerkleSapling]\mathbb{B}^{[l_{Merkle}^{Sapling}]}B[lMerkleSapling]。
- epkepkepk:为J\mathbb{J}J类型。
仅Prover知道的auxiliary input有:【即witness】
- gdg_dgd:J\mathbb{J}J
- pk⋆dpk\star_dpk⋆d:J\mathbb{J}J
- vnewv^{new}vnew:取值范围为 {0..2lvalue−1}\{0..2^{l_{value}}-1\}{0..2lvalue−1}
- rcvnewrcv^{new}rcvnew:取值范围为 {0..2lscalarSapling−1}\{0..2^{l_{scalar}^{Sapling}}-1\}{0..2lscalarSapling−1}
- rcmnewrcm^{new}rcmnew:取值范围为 {0..2lscalarSapling−1}\{0..2^{l_{scalar}^{Sapling}}-1\}{0..2lscalarSapling−1}
- eskeskesk:取值范围为 {0..2lscalarSapling−1}\{0..2^{l_{scalar}^{Sapling}}-1\}{0..2lscalarSapling−1}
πZKOutput\pi_{ZKOutput}πZKOutput 需证明以下关系:
- 1)Note commitment integrity,即:cmu=ExtractJ(r)(NoteCommitrcmnewSapling(g⋆d,pk⋆d,vnew))cm_{u}=Extract_{\mathbb{J}^{(r)}}(NoteCommit_{rcm^{new}}^{Sapling}(g\star_d,pk\star_d,v^{new}))cmu=ExtractJ(r)(NoteCommitrcmnewSapling(g⋆d,pk⋆d,vnew)),其中g⋆d=reprJ(gd)g\star_d=repr_{\mathbb{J}}(g_d)g⋆d=reprJ(gd)。【注意,不会check that rcmnew<rJrcm^{new}<r_{\mathbb{J}}rcmnew<rJ。】【注意,the validity of pk⋆dpk\star_dpk⋆d is not checked in this circuit。】
- 2)Value commitment integerity,即:cvnew=ValueCommitrcvnewSapling(vnew)cv^{new}=ValueCommit_{rcv^{new}}^{Sapling}(v^{new})cvnew=ValueCommitrcvnewSapling(vnew)。【注意,不会check that rcvnew<rJrcv^{new}<r_{\mathbb{J}}rcvnew<rJ。】
- 3)Small order checks,即:gdg_dgd 不是small order的,即 [hJ]gd≠OJ[h_{\mathbb{J}}]g_d\neq \mathcal{O}_{\mathbb{J}}[hJ]gd=OJ。
- 4)Ephemeral public key integrity,即:epk=[esk]gdepk=[esk]g_depk=[esk]gd。
4. Zcash中的Groth16 zk-SNARKs proving system
Zcash在Sapling中使用的zk-SNARKs proving system 为Groth16,对应的论文为:
- BGM2017-Scalable Multi-party Computation for zk-SNARK Parameters in the Random Beacon Model
该论文在 Groth16-On the Size of Pairing-based Non-interactive Arguments 的基础上进行了改进。
对应的独立的security proof和setup见 Maller2018-A Proof of Security for the Sapling Generation of zk-SNARK Parameters in the Generic Group Model。
Groth16 zk-SNARK proof 支持的是 version 4 transaction,可用于:
- Sprout JoinSplit descriptions
- Sapling Spend descriptions
- Sapling Output descriptions
Groth16 proof组成为:(πA:S1(r)∗,πB:S2(r)∗,πC:S1(r)∗)(\pi_A:\mathbb{S}_1^{(r)*}, \pi_B:\mathbb{S}_2^{(r)*}, \pi_C:\mathbb{S}_1^{(r)*})(πA:S1(r)∗,πB:S2(r)∗,πC:S1(r)∗)
当采用BLS12-381 pairing时,整个proof可encode为:【共 192 bytes。】
除了采用Groth16方案验证以上proof是否正确之外,Verifier 还需额外做如下验证:
- encoding proof中的每个元素的leading bitfield为符合要求的form;
- encoding proof中每个元素 除leading bitfield之外的 remaining bits 以big-endian的形式表示了an integer,该integer的取值范围为{0,qs−1}\{0,q_{\mathbb{s}}-1\}{0,qs−1}。对于πB\pi_BπB,则表示的是two integers,者两个integer的取值范围为{0,qs−1}\{0,q_{\mathbb{s}}-1\}{0,qs−1}。
- encoding proof中的每个元素表示的是point in S1(r)∗\mathbb{S}_1^{(r)*}S1(r)∗ 或者 S2(r)∗\mathbb{S}_2^{(r)*}S2(r)∗(πB\pi_BπB),需验证该point的order为rSr_{\mathbb{S}}rS。
参考资料
[1] Zcash Protocol Specification
Zcash中的zk-SNARK statements相关推荐
- Mina中的Kimchi SNARK
1. 引言 Mina系列博客有: Mina概览 Mina的支付流程 Mina的zkApp Mina中的Pasta(Pallas和Vesta)曲线 Mina中的Schnorr signature Min ...
- Zcash中的signatures
1. 引言 在 Zcash Protocol Specification 中,约定对signature是"validate",对zk-SNARK proof是"verif ...
- Zcash中的加解密机制
1. 引言 接前序博客 Zcash中的Notes. Sapling note的组成为tuple n=(d,pkd,v,rcm)\mathbf{n}=(d, pk_d, v, rcm)n=(d,pkd ...
- Zcash中的Notes
1. 引言 本文主要关注Sapling note. Zcash中Sapling note以n\mathbf{n}n表示,其代表a value vvv is spendable by the recip ...
- Zcash中的description
1. 引言 Zcash 中支持的description类型有: JoinSplit description Spend description Output description JoinSplit ...
- Zcash中的keys和addresses
1. 引言 [还有个ockockock:outgoing cipher key,用于encrypt an outgoing ciphertext.] 在Zcash协议中,用户若想接收shielded ...
- Zcash中的hash函数
1. 引言 Zcash中的hash函数主要有: BLAKE2 Hash Function Group Hash into Jubjub Pedersen Hash Function Mixing Pe ...
- Mina中的wrap snark
1. 引言 前序博客有: Mina技术白皮书 所谓wrap snark,是将Tick snark(Mina代码中称为step proof)包裹为Tock snark(Mina代码中称为wrap pro ...
- Kubernetes通过一行shell命令给pod中的zk节点添加权限
问题 一个需求:需要写一个shell脚本部署Zookeeper,并且在脚本里需要去对zk的 /节点进行digest权限配置. 尝试了以下命令: kubectl exec -ti podName -n ...
最新文章
- 中国现代化进程专题讲座——有感
- 浅谈Android组件化
- POJ-1322 Chocolate 动态规划
- linux python默认安装目录_非root用户在linux服务器自己目录下安装需要的python版本及其模块...
- Qt CMake变量参考
- java解析xml实例_在java中使用dom解析xml的示例分析
- CAMoE——屠榜 video retrieval challenge
- 【4】基于深度神经网络的脑电睡眠分期方法研究(训练模型)
- python matplotlib 矢量图svg emf
- Excel如何判断数据是否重复
- 写代码有这16个好习惯,可以减少80%非业务的bug
- 通过JS代码动态生成HTML表格(Table),Input框,Button按钮.并且通过Input框的值进行查询动态生成数据填写在指定的表格里
- (详细)华为荣耀8X JSN-AL00的usb调试模式在哪里开启的教程
- C++设计模式概念与设计模式描述语言(UML)
- 米扑科技助力公益:寻找失踪儿童一起回家
- Virt-manager虚拟机键盘错乱
- SRM 615 D1L2: LongLongTripDiv1
- Android基于XMPP Smack openfire 开发的聊天室
- 微信公众平台推数据统计功能 商业价值可量化
- cocos2dx 3D游戏制作参考