文章用戶圈子话题

ZKSwap團隊深入解讀零知識證明算法之Zk-stark(四)——FRI協議

??:????”???????? Zk-stark”?????,?????????,???????zk-stark ???????????????:Arithmetization????????:Low Degree Testing???????????,???? zk-stark ????????????;???????,?????????????????????????(?????????????????,???????),??????????

??????,??????,????????????????????????????????????,?????????? LDT ??;????????????????,????????????,???,?????????????????????,????????,????????????????,????? FRI ???????,??,???????? FRI ?????,

FRI??

??,???????? FRI ??????FRI,? Fast RS IOPP,?? Fast Reed-Solomen Interactive Oracle Proofs of Proximity,??????? proximiary ????,??????????????????????????,??????????????????????,???????FRI????,???????????,

  • ???? F ?,??????? L0,???? 2^n;
  • ??,??????? f0:L0–>F ??? RS[F,L0,?] ?????????,? f0 ????????? d

??,? f0=P ?,?? IFFT ??,?? P1?P2 ? deg(P1?P2) < 1/2?2^n,??:

f0(x) = P(x) = P1(x^2) + x * P2(x^2) (1)

? Q(x, y) = P1(y) + x * P2(y),???? Q(x, y)?? x ?? d < 2;?? y ?? d < 1/2?2^n;??,?????????? x0 ??????,???

f1(y) = Q(x0, y) = P1(y) + x0 * P2(y) (2)

?? f1(y),y=x^2,?? x ??????1????,?? x^(2^n) = 1 ==> (x^2)(2^(n-1)) = 1 ==> y(2^(n-1)) = 1,?y?????? L1,? L1 ?????:

  • ???? 2^(n-1);
  • ? L1 ???????? L0 ?????,?? L1 ??? y,? L0 ???? x ?(-x)mod F,?? x^2 mod F = y && (-x)^2mod F = y;

??,????????? f1(y) ?? d < 1/2?2^n,???????? f1 ? f0 ????,???????????:

  • ??????? L1 ?? L0 ????? y,s0,s1?? s0!=s1 && s0^2 = s1^2 = y
  • ????? f0(s0),f0(s1),f1(y)???
  • ????? f0(s0),f0(s1) ??????? x ? d<2 ???? g(x)
  • ????? g(s0) = f1(y),???,???

?????:???? f1 ????? f0 ????,???? (1) ???? P1(x^2) ?P2(x^2)??? (2) ???? P1(y) ? P2(y) ????,???????? d < 1/2?2^n,???????? 2^(n-1),???????????????,????????? 1/2?2^n / 2^(n-1) = ??? ? coderates,?? ? = 2^(-8),?????????????? 1/256,????????,??????????????? 0?

????,??? f1 ???????,??fr????????????,????????????,

??,?????FRI???????,?? 1 ??:

FRI ????????:Commit ??? Query ??,????????????,???????,??:

  1. ???????? x0
  2. ????????? f1
  3. ???????

FRI ???????? 2 ???? Commit ??,??3????? Query ??,?? Commit ??,??????? f0~fr,r ??????,??? Query ??,????,

??,????? Commit ? Query ??????????????,???????????,

Commit:

  • Common input
  • R RS ????
  • i ??????,?? {0~r}
  • r ???? ?? k0-R/?
  • ? ?????? x–>x^(2^?)
  • L0 ??? 2^k0
  • RS[F,Li,?] ????[ ???,???,???? ]
  • q0(x) = x^(2^?)(???????,??????),L(i+1) = q0(Li),??? Li ?? L(i+1) ? 2^? –> 1 ??
  • Prover input
  • fi ? i ????????
  • Li ? i ?????,?? 2^(n-i)
  • RSi fi ???????
  • LOOP i <= r
  • 1
  • xi ?????????
  • 2
  • Sy ? L(i+1)?????????? Li ??????
  • f(i+1)(y) ?? f(i+1)?? L(i+1)??????
  • 3 i==r
  • ?? fr ? 2 ????
  • ??? P(x)
  • d ???? P(x) ??
  • ?? d+1 ???? P(x) ??? a0~ad
  • Commit ????
  • 4 i < r
  • ?? f(i+1) ??? 2 ??????
  • ?? f(i+1)??,?? L(i+1)
  • ???????

Query

  • verifier input
  • R /? /Li /RSi /xi /fi /P(x) ?Commit
  • l query??
  • ?? fr
  • ?? a0~ad,??P`(x)
  • ?? P`(x)?? Lr ??????,???? fr,? fr ?? RSr
  • repeat l times
  • i = {0~r-1}
  • Si ?? s(i+1) = q0(x)? x ???
  • i = {0~r-1}
  • ? Si ?,??? Pi(x)
  • round consistency check i = {0~r-1}
  • f(i+1)(s(i+1)) = Pi(xi)
  • ???,?????

??,? ? = 1(?,q0(x) = x^2)??,FRI ???????????? 2 ??:

?????????:

  • ????????????,???????? f0 ???? d < ?*2^n
  • ?????? l ?,??????????????

??

???? FRI ???????,????,??????????? r = Log2(?2^n),?????,????????? f0 ??? ?2^n ?,??? round consistency ??????????????????,??????? DEEP-FRI ??,??? FRI,DEEP-FRI ?????????????????,?????????? ????????????,?? ZK-STARK ?????:

  1. ???????:???? LDT
  2. ???????????????????? LDT ??
  3. LDT ???? FRI ??,?????????????????????
  4. ??????????????????????,????????????
  5. ???????????,???????????????,????????????
  6. ????,??????? CRS
  7. ????,?????????

??

??FRI????? https://medium.com/starkware/low-degree-testing-f7614f5172db

FRI paper https://eccc.weizmann.ac.il/report/2017/134/

DEEP-FRI paper https://arxiv.org/abs/1903.12243https://en.wikipedia.org/wiki/Reed–Solomon_error_correction

ZKSwap算法零知識證明
0 条回复 A文章作者 M管理員
    暫無討論,說說你的看法吧