You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Suppose now that Alice doesn’t have a satisfying assignment, but she still constructs as above from some unsatisfying assignment . Then we are guaranteed that does not divide . This means that for any polynomial of degree at most , and will be different polynomials. Note that here is of degree at most , here are of degree at most and here is degree at most .
Now we can use the famous Schwartz-Zippel Lemma that tells us that two different polynomials of degree at most can agree on at most points . Thus, if is much larger than the probability that for a randomly chosen is very small.
This suggests the following protocol sketch to test whether Alice has a satisfying assignment.
Alice chooses polynomials of degree at most .
Bob chooses a random point , and computes .
Alice sends Bob the hidings of all these polynomials evaluated at , i.e. .
Bob checks if the desired equation holds at . That is, he checks whether .
📖 建议的检查 Alice 是否有满足条件的赋值的协议:
Alice 选择最大 阶多项式 .
Bob 选择一个随机点 并且计算 .
Alice 发送给 Bob 在 隐藏的多项式, 例如 .
Bob 检查在 对应的多项式是否满足: .
Again, the point is that if Alice does not have a satisfying assignment, she will end up using polynomials where the equation does not hold identically, and thus does not hold at most choices of . Therefore, Bob will reject with high probability over his choice of in such a case.
📖 另外如果 Alice 没有满足的赋值, 那么她最终给出的等式最终无法相等, 而且是在大多数的 都不成立. 因此, Bob 会大概率拒绝 Alice 提供的多项式在他选择的 的情况下.
Making sure Alice chooses her polynomials according to an assignment
Here is an important point: If Alice doesn’t have a satisfying assignment, it doesn’t mean she can’t find any polynomials of degree at most with , it just means she can’t find such polynomials where and were “produced from an assignment”; namely, that for the same.
The protocol of Part IV just guarantees she is using some polynomials of the right degree, but not that they were produced from an assignment. This is a point where the formal proof gets a little subtle; here we sketch the solution imprecisely.
Let’s combine the polynomials into one polynomial as follows:
让我们组合多项式到同一个多项式如下所示:
Note that when we sum two of the ’s the , , and “sum separately”. For example,
现在但我们将两个所包含的, , 和 相加,举例来说:
More generally, suppose that we had for some . Then we’ll also have for the same coefficients . In other words, if is a linear combination of the ’s it means that were indeed produced from an assignment.
Therefore, Bob will ask Alice to prove to him that is a linear combination of the ’s. This is done in a similar way to the protocol for verifiable evaluation:
Bob chooses a random , and sends to Alice the hidings . He then asks Alice to send him the element . If she succeeds, an extended version of the Knowledge of Coefficient Assumption implies she knows how to write as a linear combination of the ’s.
Adding the zero-knowledge part – concealing the assignment
In a zk-SNARK Alice wants to conceal all information about her assignment. However the hidings do provide some information about the assignment.
在zk-SNARK中 Alice 想要隐瞒关于她的等式所有信息. 然而隐藏式已经确实提供了一些信息在等式中.
For example, given some other satisfying assignment Bob could compute the corresponding and hidings . If these come out different from Alice’s hidings, he could deduce that is not Alice’s assignment.
To avoid such information leakage about her assignment, Alice will conceal her assignment by adding a “random -shift” to each polynomial. That is, she chooses random , and defines .
为了避免关于她等式的这些信息的提供, Alice 会在每一个等式中增加一个“随机T”. 然后, 她就选择随机数, 并定义.
Assume were produced from a satisfying assignment; hence, for some polynomial . As we’ve just added a multiple of everywhere, also divides . Let’s do the calculation to see this:
Thus, defining , we have that . Therefore, if Alice uses the polynomials instead of , Bob will always accept.
那么, 定义, 我们有. 因此, 如果 Alice 使用多项式代替, Bob往往可以接受.
On the other hand, these polynomials evaluated at with (which is all but d s’s), reveal no information about the assignment. For example, as is non-zero and is random, is a random value, and therefore reveals no information about as it is masked by this random value.
We presented a sketch of the Pinocchio Protocol in which Alice can convince Bob she possesses a satisfying assignment for a QAP, without revealing information about that assignment. There are two main issues that still need to be resolved in order to obtain a zk-SNARK:
In the sketch, Bob needs an that "supports multiplication". For example, he needs to compute from and . However, we have not seen so far an example of an that enables this. We have only seen an that supports addition and linear combinations.
Throughout this series, we have discussed interactive protocols between Alice and Bob. Our final goal, though, is to enable Alice to send single-message non-interactive proofs, that are publicly verifiable – meaning that anybody seeing this single message proof will be convinced of its validity, not just Bob (who had prior communication with Alice).
Both these issues can be resolved by the use of pairings of elliptic curves, which we will discuss in the next and final part.
of degree at most
.
, and computes
.
, i.e.
.
.
that "supports multiplication". For example, he needs to compute
from
and