zoukankan      html  css  js  c++  java
  • zksnarks笔记

    源自: https://medium.com/@VitalikButerin/quadratic-arithmetic-programs-from-zero-to-hero-f6d558cea649

    def qeval(x):
        y = x**3
        return x + y + 5
    

    1 Flattening program => gates

    只包含两种形式 x = yx = y (op) z (where op can be +, -, *, / and y and z can be variables, numbers or themselves sub-expressions)

    // 每一行可以理解为1个Gate
    sym_1 = x * x
    y = sym_1 * x
    sym_2 = y + x
    ~out = sym_2 + 5
    

    2 Gates to R1CS

    An R1CS is a sequence of groups of three vectors (a, b, c), and the solution to an R1CS is a vector s, where s must satisfy the equation s . a * s . b - s . c = 0

    The length of each vector is equal to the total number of variables in the system

    上面的例子中, 有6个变量 '~one', 'x', '~out', 'sym_1', 'y', 'sym_2'(~one~out是必须的), 因此向量的长度为6

    第一个gate对应的 (a,b,c)

    a = [0, 1, 0, 0, 0, 0] // x
    b = [0, 1, 0, 0, 0, 0] // x
    c = [0, 0, 0, 1, 0, 0] // sym_1
    

    第二个gate对应的 (a,b,c)

    a = [0, 0, 0, 1, 0, 0] // sym_1
    b = [0, 1, 0, 0, 0, 0] // x
    c = [0, 0, 0, 0, 1, 0] // y
    

    第三个gate对应的为

    a = [0, 1, 0, 0, 1, 0] // y + x
    b = [1, 0, 0, 0, 0, 0] // ~one
    c = [0, 0, 0, 0, 0, 1] // sym_2
    

    第四个gate对应的为

    a = [5, 0, 0, 0, 0, 1] // 5 * ~one + sym_2
    b = [1, 0, 0, 0, 0, 0] // ~one
    c = [0, 0, 1, 0, 0, 0] // ~out
    

    同时满足这四个gate的(a,b,c)s . a * s . b - s . c = 0的解 s

    [1, 3, 35, 9, 27, 30]
    

    将所有的a, b, c放到一起

    A
    [0, 1, 0, 0, 0, 0]
    [0, 0, 0, 1, 0, 0]
    [0, 1, 0, 0, 1, 0]
    [5, 0, 0, 0, 0, 1]
    B
    [0, 1, 0, 0, 0, 0]
    [0, 1, 0, 0, 0, 0]
    [1, 0, 0, 0, 0, 0]
    [1, 0, 0, 0, 0, 0]
    C
    [0, 0, 0, 1, 0, 0]
    [0, 0, 0, 0, 1, 0]
    [0, 0, 0, 0, 0, 1]
    [0, 0, 1, 0, 0, 0]
    

    3 R1CS to QAP

    QAP form: implements the exact same logic except using polynomials instead of dot products

    多项式的阶取决于有多少gate, 这里有4个gate, 所以为3阶

    A polynomials
    [-5.0, 9.166, -5.0, 0.833] // 0.833 * x**3 — 5*x**2 + 9.166*x - 5, 经过(1,0) (2,0) (3,0) (4,5)这几个点
    [8.0, -11.333, 5.0, -0.666] // 经过点 (1,1) (2,0) (3,1) (4,0)
    [0.0, 0.0, 0.0, 0.0] // 经过点(1,0) (2,0) (3,0) (4,0) , 上面A的第三列
    [-6.0, 9.5, -4.0, 0.5]
    [4.0, -7.0, 3.5, -0.5]
    [-1.0, 1.833, -1.0, 0.166] // 经过点 (1,0) (2,0) (3,0) (4,1), 上面A的第6列
    
    B polynomials
    [3.0, -5.166, 2.5, -0.333]
    [-2.0, 5.166, -2.5, 0.333]
    [0.0, 0.0, 0.0, 0.0]
    [0.0, 0.0, 0.0, 0.0]
    [0.0, 0.0, 0.0, 0.0]
    [0.0, 0.0, 0.0, 0.0]
    
    C polynomials
    [0.0, 0.0, 0.0, 0.0]
    [0.0, 0.0, 0.0, 0.0]
    [-1.0, 1.833, -1.0, 0.166]
    [4.0, -4.333, 1.5, -0.166]
    [-6.0, 9.5, -4.0, 0.5]
    [4.0, -7.0, 3.5, -0.5]
    

    为什么要转成QAP
    instead of checking the constraints in the R1CS individually, we can now check all of the constraints at the same time by doing the dot product check on the polynomials.

    A(x) = A . s = [43.0, -73.333, 38.5, -5.166]
    B(x) = B . s = [-3.0, 10.333, -5.0, 0.666]
    C(x) = C . s = [-41.0, 71.666, -24.5, 2.833]
    

    A . s * B . s — C . s:

    t = [-88.0, 592.666, -1063.777, 805.833, -294.777, 51.5, -3.444]
    

    Z = (x - 1) * (x - 2) * (x - 3) * (x - 4) (因为有4个gate)

    Z = [24, -50, 35, -10, 1]
    h = t / Z = [-3.666, 17.055, -3.444] // 因为t(1),t(2),t(3),t(4)都为0, 所以t(x)能够整除Z(x)
    

    我们现在不用分别计算t(1), t(2), t(3), t(4)是否为0, 转而判断t(x)能否整除Z(x)

    回顾:我们将R1CS的s . a * s . b - s . c = 0的验证 转化为 判断QAP的t(x)在对应取值处(这里为1,2,3,4)是否为0, 然后再转化为t(x)能否整除Z(x)

  • 相关阅读:
    使用代理加快SDK Manager的下载速度
    ADT-Bundle运行的错误的排错
    转:Android开发之JNI入门-NDK从入门到精通
    Android NDK的总总误解
    mysql 数据库 一些常用语句 查内存 索引内存
    递归方法 练习编写
    ES 搜索概述
    PHP 数字类型 加 减 乘 除运算 bc函数
    php 控制反转 和 依赖注入
    Thinkphp 3 和 Thinkphp5 区别
  • 原文地址:https://www.cnblogs.com/elimsc/p/14787898.html
Copyright © 2011-2022 走看看