Additive/Multiplicative Homomorphic Encryption and Its Application in zk-SNARKs

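At present, fully homomorphic encryption (FHE) is still some way from practical use because of the complexity of current algorithms.
Partially homomorphic encryption generally refers to additive homomorphism and multiplicative homomorphism.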

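  • Additive homomorphism: satisfies $E(X)E(Y)=E(X+Y)$. A typical example: in elliptic-curve cryptography, $E(x)=g^x$ (where $g$ is the generator of the elliptic curve), so $E(x)E(y)=g^x g^y=g^{x+y}=E(x+y)$, which is additively homomorphic. Pedersen commitments are also additively homomorphic.
  • Multiplicative homomorphism: satisfies $E(X)E(Y)=E(XY)$. A typical example: in RSA encryption, $E(x)=x^e$ (where $e$ is the public key), so $E(x)E(y)=x^e y^e=(xy)^e=E(xy)$, which is multiplicatively homomorphic.
  1. Addition in zk-SNARKs can be implemented with the additive homomorphism of elliptic-curve encryption itself, i.e. $E(X+Y)=E(X)E(Y)$;
  2. Multiplication in zk-SNARKs can instead be implemented with the characteristic property of elliptic-curve pairings, $e(g^x,g^y)=e(g,g)^{xy}$, i.e. $e(E(x),E(y))=e(g,g)^{xy}$. For example, with $W := E(w(s))$ and $W' := E(\alpha w(s))$: $e(W', E(1)) = e(E(\alpha w(s)), E(1)) = e(g,g)^{\alpha w(s)} = e(g^{w(s)}, g^{\alpha}) = e(E(w(s)), E(\alpha)) = e(W, E(\alpha))$. The zk-SNARK verifier can use this property to check that the equation holds, i.e. that the polynomial condition holds.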

The pairing Zcash actually uses is the optimal Ate pairing, which is based on the Tate reduced pairing, and can be computed more efficiently than Tate.

Quoted from https://blog.ethereum.org/2016/12/05/zksnarks-in-a-nutshell/ :
The addition comes from the fact that the encryption itself is already additively homomorphic and the single multiplication is realized by the two arguments the pairing function has. So e(W’, E(1)) = e(W, E(α)) basically multiplies W’ by 1 in the encrypted space and compares that to W multiplied by α in the encrypted space. If you look up the value W and W’ are supposed to have - E(w(s)) and E(α w(s)) - this checks out if the prover supplied a correct proof.

Quoted from: https://electriccoin.co/blog/snark-explain
HH is ultimately used in snarks to conceal verifier challenges rather than prover secrets. That is, in zk-SNARKs homomorphic encryption is used for the verifier, not the prover.

[2] Bob does learn some information about x and y. For example, he can choose a random x’, and check whether x=x’ by computing E(x’). For this reason the above protocol is not really a Zero-Knowledge protocol, and is only used here for explanatory purposes. In fact, as we shall see in later posts, HH is ultimately used in snarks to conceal verifier challenges rather than prover secrets.