【双语学习】What is a polynomial commitment scheme?什么是多项式承诺方案?

bogu
136 阅读11分钟

5 Jul 2024 2024 年 7 月 5 日

A polynomial commitment scheme is a cryptographic protocol that allows a party to commit to a polynomial while keeping it hidden and later reveal and prove evaluations of the polynomial at specific points without revealing the polynomial itself. This is particularly useful in various cryptographic applications, including zero-knowledge proofs, verifiable computation, and blockchain systems.

多项式承诺方案是一种加密协议,允许一方在隐藏多项式的同时承诺多项式,然后在特定点揭示和证明多项式的评估,而无需透露多项式本身。这在各种密码应用程序中特别有用,包括零知识证明、可验证计算和区块链系统。

Key Properties of Polynomial Commitment Schemes

多项式承诺方案的关键属性

  1. Commitment: A party can commit to a polynomial P(x)P(x)P(x) such that it generates a commitment CCC.
    承诺:一方可以承诺多项式 P(x)P(x)P(x),从而生成承诺 CCC。

  2. Evaluation: The committing party can later provide an evaluation P(x)=yP(x) = yP(x)=y at a specific point xxx and prove that this evaluation is consistent with the committed polynomial.
    评估:提交方稍后可以在特定点 xxx 处提供评估 P(x)=yP(x) = yP(x)=y 并证明该评估与提交的多项式一致。

  3. Verification: Any verifier can check the correctness of the evaluation and proof without learning anything about the polynomial itself.
    验证:任何验证者都可以检查评估和证明的正确性,而无需了解多项式本身的任何信息。

  4. Hiding: The committed polynomial remains hidden until the committing party chooses to reveal it.
    隐藏:提交的多项式保持隐藏状态,直到提交方选择公开它。

  5. Binding: The committing party cannot change the polynomial after committing to it.
    约束性:提交方在提交多项式后不能更改该多项式。

Components of a Polynomial Commitment Scheme

多项式承诺方案的组成部分

A polynomial commitment scheme typically involves the following components:
多项式承诺方案通常涉及以下组成部分:

  1. Setup: A setup algorithm that initializes the scheme and generates any necessary public parameters.
    设置:初始化方案并生成任何必要的公共参数的设置算法。

  2. Commit: A commitment algorithm that takes a polynomial and outputs a commitment.
    提交:采用多项式并输出承诺的提交算法。

  3. Open: An opening algorithm that reveals an evaluation at a specific point along with a proof.
    开放:一种开放算法,揭示特定点的评估以及证明。

  4. Verify: A verification algorithm that checks the validity of the revealed evaluation and proof.
    验证:一种验证算法,用于检查所揭示的评估和证明的有效性。

Formal Definition 正式定义

Let P(x)P(x)P(x) be a polynomial over a field F\mathbb{F}F.
设 P(x)P(x)P(x) 是域 F\mathbb{F}F 上的多项式。

  • Setup: The setup algorithm Setup(λ)→pp\text{Setup}(\lambda) \rightarrow \text{pp}Setup(λ)→pp takes a security parameter λ\lambdaλ and outputs the public parameters pp\text{pp}pp.
    设置:设置算法Setup(λ)→pp\text{Setup}(\lambda) \rightarrow \text{pp}Setup(λ)→pp 采用安全参数 λ\lambdaλ 并输出公共参数 pp\text{pp }页。

  • Commit: The commitment algorithm Commit(pp,P(x))→C\text{Commit}(\text{pp}, P(x)) \rightarrow CCommit(pp,P(x))→C takes the public parameters pp\text{pp}pp and the polynomial P(x)P(x)P(x), and outputs a commitment CCC.
    Commit:承诺算法 Commit(pp,P(x))→C\text{Commit}(\text{pp}, P(x)) \rightarrow CCommit(pp,P(x))→C 采用公共参数pp\text{pp}pp 和多项式 P(x)P(x)P(x),并输出承诺 CCC。

  • Open: The opening algorithm Open(pp,C,P(x),x0)→(ev,π)\text{Open}(\text{pp}, C, P(x), x_0) \rightarrow (\text{ev}, \pi)Open(pp,C,P(x),x0)→(ev,π) takes the public parameters pp\text{pp}pp, the commitment CCC, the polynomial P(x)P(x)P(x), and a point x0x_0x0, and outputs an evaluation ev=P(x0)\text{ev} = P(x_0)ev=P(x0) and a proof π\piπ.
    开:开局算法 Open(pp,C,P(x),x0)→(ev,π)\text{Open}(\text{pp}, C, P(x), x_0) \rightarrow (\text {ev}, \pi)Open(pp,C,P(x),x0)→(ev,π) 采用公共参数 pp\text{pp}pp、承诺 CCC、多项式 P(x)P (x)P(x) 和点 x0x_0x0,并输出评估 ev=P(x0)\text{ev} = P(x_0)ev=P(x0) 和证明 π\piπ。

  • Verify: The verification algorithm Verify(pp,C,x0,ev,π)→{0,1}\text{Verify}(\text{pp}, C, x_0, \text{ev}, \pi) \rightarrow \{0, 1\}Verify(pp,C,x0,ev,π)→{0,1} takes the public parameters pp\text{pp}pp, the commitment CCC, the point x0x_0x0, the evaluation ev\text{ev}ev, and the proof π\piπ, and outputs 111 if the proof is valid (i.e., the evaluation is correct) and 000 otherwise.
    验证:验证算法Verify(pp,C,x0,ev,π)→{0,1}\text{Verify}(\text{pp}, C, x_0, \text{ev}, \pi) \rightarrow \{0, 1\}Verify(pp,C,x0,ev,π)→{0,1} 取公共参数 pp\text{pp}pp,承诺 CCC,点 x0x_0x0,评估 ev \text{ev}ev 和证明 π\piπ,如果证明有效(即评估正确)则输出 111,否则输出 000。

Example Schemes 示例方案

Two prominent polynomial commitment schemes are:
两个著名的多项式承诺方案是:

  1. Kate-Zaverucha-Goldberg (KZG) Commitment:
    Kate-Zaverucha-Goldberg (KZG) 承诺:

  • Setup: Uses elliptic curve pairings and trusted setup.
    设置:使用椭圆曲线配对和可信设置。

  • Commit: Generates a commitment using polynomial evaluations on elliptic curve points.
    承诺:使用椭圆曲线点的多项式评估生成承诺。

  • Open: Provides a proof using elliptic curve pairings.
    开放:使用椭圆曲线配对提供证明。

  • Verify: Uses pairing-based cryptographic checks to verify the proof.
    验证:使用基于配对的加密检查来验证证明。

  1. Bulletproofs: 防弹:

  • Setup: Requires a trusted setup or can be based on discrete logarithm assumptions.
    设置:需要可信设置或可以基于离散对数假设。

  • Commit: Uses vector commitments and inner-product arguments.
    Commit:使用向量承诺和内积参数。

  • Open: Provides a succinct proof.
    开放:提供简洁的证明。

  • Verify: Verifies the proof using efficient cryptographic operations.
    验证:使用有效的加密操作验证证明。

Applications 应用领域

  1. Zero-Knowledge Proofs: Polynomial commitments are used in zk-SNARKs and zk-STARKs to efficiently prove statements about polynomials without revealing the polynomials themselves.
    零知识证明:zk-SNARK 和 zk-STARK 中使用多项式承诺来有效地证明有关多项式的陈述,而无需透露多项式本身。

  2. Verifiable Computation: Polynomial commitments enable clients to verify the correctness of computations performed by a server.
    可验证计算:多项式承诺使客户端能够验证服务器执行的计算的正确性。

  3. Blockchain: Used in various blockchain protocols to ensure the integrity and correctness of data without revealing sensitive information.
    区块链:用于各种区块链协议中,确保数据的完整性和正确性,而不泄露敏感信息。

Polynomial commitment schemes are essential cryptographic primitives that provide both privacy and integrity for polynomial evaluations. They enable efficient and secure verification of polynomial computations, making them crucial for advanced cryptographic protocols and applications in modern secure systems.
多项式承诺方案是重要的密码原语,为多项式评估提供隐私性和完整性。它们能够对多项式计算进行高效、安全的验证,这使得它们对于现代安全系统中的高级加密协议和应用程序至关重要。

Applications in Crypto 加密货币中的应用

polynomial commitment schemes have found several applications in the crypto market, particularly in enhancing the efficiency and security of blockchain protocols and privacy-preserving technologies. Here are a few prominent examples:
多项式承诺方案在加密市场中找到了多种应用,特别是在提高区块链协议和隐私保护技术的效率和安全性方面。以下是一些突出的例子:

1. zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge)

1. zk-SNARKs(零知识简洁非交互式知识论证)

Applications: 应用:

  • Zcash: Zcash is a cryptocurrency that uses zk-SNARKs to enable private transactions. Polynomial commitments are used in zk-SNARKs to commit to polynomials representing the inputs and constraints of computations, allowing the verification of transactions without revealing their details.
    Zcash:Zcash 是一种使用 zk-SNARK 来实现私密交易的加密货币。 zk-SNARK 中使用多项式承诺来承诺代表计算输入和约束的多项式,从而允许在不泄露交易细节的情况下验证交易。

2. zk-STARKs (Zero-Knowledge Scalable Transparent Arguments of Knowledge)

2. zk-STARKs(零知识可扩展透明知识论证)

Applications: 应用:

  • StarkWare: StarkWare leverages zk-STARKs for scalable and transparent zero-knowledge proofs. Polynomial commitments in zk-STARKs are used to commit to and verify large computations efficiently. StarkWare's technology is used in applications like scalability solutions for Ethereum (e.g., StarkEx).
    StarkWare:StarkWare 利用 zk-STARK 来实现可扩展且透明的零知识证明。 zk-STARK 中的多项式承诺用于有效地提交和验证大型计算。 StarkWare 的技术用于以太坊可扩展性解决方案等应用程序(例如 StarkEx)。

3. Verifiable Delay Functions (VDFs)

3. 可验证延迟函数(VDF)

Applications: 应用:

  • Filecoin: Filecoin uses VDFs for their proof-of-spacetime and proof-of-replication protocols. Polynomial commitments help in efficiently proving that a storage provider is continuously dedicating storage space to a specific piece of data over time.
    Filecoin:Filecoin 使用 VDF 来实现时空证明和复制证明协议。多项式承诺有助于有效地证明存储提供商随着时间的推移不断地将存储空间专用于特定的数据。

  • Ethereum 2.0: Ethereum 2.0 plans to use VDFs for their randomness beacon in the consensus protocol. Polynomial commitments ensure the randomness is unbiased and verifiable.
    以太坊 2.0:以太坊 2.0 计划在共识协议中使用 VDF 作为随机性信标。多项式承诺确保随机性是公正且可验证的。

4. Rollups and Layer 2 Solutions

4. Rollups 和 Layer 2 解决方案

Applications: 应用:

  • Optimistic Rollups and zk-Rollups: Layer 2 solutions like optimistic rollups and zk-rollups use polynomial commitments to ensure data availability and correctness of state transitions. For example, zk-rollups use zero-knowledge proofs to commit to a new state after processing a batch of transactions and provide a succinct proof that the state transition is valid.
    Optimistic Rollups 和 zk-Rollups:Optimistic Rollups 和 zk-rollups 等第 2 层解决方案使用多项式承诺来确保数据可用性和状态转换的正确性。例如,zk-rollups 使用零知识证明在处理一批交易后提交到新状态,并提供状态转换有效的简洁证明。

5. Verifiable Computation

5. 可验证的计算

Applications: 应用:

  • TrueBit: TrueBit is a protocol that enables scalable off-chain computation, ensuring correctness through verifiable computation. Polynomial commitments allow validators to commit to the results of computations and prove their correctness efficiently.
    TrueBit:TrueBit 是一种能够实现可扩展的链下计算的协议,通过可验证的计算确保正确性。多项式承诺允许验证者承诺计算结果并有效地证明其正确性。

  • Celer Network: Celer Network uses polynomial commitments to enable off-chain scaling solutions for smart contracts, ensuring that off-chain computations are verifiable on-chain.
    Celer Network:Celer Network 使用多项式承诺为智能合约启用链下扩展解决方案,确保链下计算可在链上验证。

6. Privacy-Preserving Smart Contracts

6. 保护隐私的智能合约

Applications: 应用:

  • Aztec Protocol: Aztec Protocol uses zero-knowledge proofs to enable private transactions on Ethereum. Polynomial commitments are part of the cryptographic constructions that allow the protocol to hide transaction values while ensuring their correctness.
    Aztec 协议:Aztec 协议使用零知识证明来实现以太坊上的私人交易。多项式承诺是加密结构的一部分,允许协议隐藏交易值,同时确保其正确性。

  • Secret Network: Secret Network is a blockchain that supports encrypted inputs, outputs, and state for smart contracts. Polynomial commitments can be used to ensure the integrity of computations without revealing the data involved.
    Secret Network:Secret Network 是一个支持智能合约加密输入、输出和状态的区块链。多项式承诺可用于确保计算的完整性,而无需泄露所涉及的数据。

Example: Detailed Look at zk-Rollups

示例:详细了解 zk-Rollups

How zk-Rollups Use Polynomial Commitments:

zk-Rollups 如何使用多项式承诺:

  1. Batching Transactions: zk-Rollups batch multiple transactions into a single rollup block.
    批处理交易:zk-Rollups 将多个交易批处理到单个汇总块中。

  2. Generating Proofs: A zero-knowledge proof is generated to prove that the new state root is correct after applying all transactions in the batch. Polynomial commitments are used to commit to the polynomial representing the state transition function.
    生成证明:在应用批次中的所有交易后,生成零知识证明以证明新的状态根是正确的。多项式承诺用于承诺代表状态转换函数的多项式。

  3. On-Chain Verification: The succinct proof is submitted on-chain, where validators can verify the correctness of the state transition using the committed polynomial without processing each transaction individually.
    链上验证:简洁的证明在链上提交,验证者可以使用提交的多项式验证状态转换的正确性,而无需单独处理每个交易。

Benefits: 好处:

  • Scalability: By verifying state transitions with succinct proofs, zk-rollups significantly reduce the computational and storage burden on the main blockchain.
    可扩展性:通过用简洁的证明来验证状态转换,zk-rollups 显着减少了主区块链的计算和存储负担。

  • Security: Polynomial commitments ensure that the proofs are correct, maintaining the security guarantees of the underlying blockchain.
    安全性:多项式承诺确保证明正确,维护底层区块链的安全保证。

  • Privacy: In certain implementations, zk-rollups can also provide transaction privacy by hiding the details of individual transactions while still proving their correctness.
    隐私:在某些实现中,zk-rollups 还可以通过隐藏单个交易的详细信息来提供交易隐私,同时仍然证明其正确性。

Conclusion 结论

Polynomial commitment schemes are integral to various cutting-edge applications in the crypto market. They enhance the efficiency, scalability, and privacy of blockchain protocols and cryptographic systems. As the field of cryptography continues to evolve, polynomial commitments are likely to play an increasingly vital role in developing secure and efficient decentralized applications.
多项式承诺方案是加密货币市场中各种尖端应用程序不可或缺的一部分。它们提高了区块链协议和加密系统的效率、可扩展性和隐私性。随着密码学领域的不断发展,多项式承诺可能在开发安全高效的去中心化应用程序中发挥越来越重要的作用。

本文使用 文章同步助手 同步

avatar
文章
阅读
粉丝