Today, we focus on how to construct ZKPs. We will discuss the construction of general, succinct, non-interactive, publicly verifiable zero-knowledge proofs, abbreviated as zkSNARKs. This article will outline some basic principles for constructing zkSNARKs and some commonly used tools for their construction. Specific zkSNARK construction schemes will be introduced in subsequent articles.
According to the above definition, NP languages are determined by their standard verification process, which is a computation logic. Encoding NP languages essentially involves finding a way to describe "computation." A Turing machine is one way to describe computation, and another way is through circuits. Of course, higher-level programming languages can also be used.
Using high-level programming languages makes writing programs relatively easy, but handling them in ZKP construction is very complex. The execution process of a Turing machine is simple, making it easier to construct ZKPs for a Turing machine, but programming with a Turing machine is not user-friendly. Therefore, we need to choose a balance between "ease of programming" and "ease of constructing ZKPs."
One choice is circuits. Writing programs with circuits is already quite mature, for example, CPUs and various chips, embedded devices, ASIC miners, etc., are all designed with circuits. At the same time, the structure of circuits is simple enough not to bring too much trouble to ZKP construction.
Another option is a model slightly more complex than a Turing machine, called the Random Access Machine (RAM) model, which is also a good balance. The RAM model can be considered a simple modern computer, including a CPU and memory. The CPU supports a simple instruction set, and the memory can be randomly accessed.
In terms of expressiveness, the RAM is more advantageous than circuits because it is closer to modern computers. Describing the computation process using the RAM model is like programming in assembly language. Compiling high-level language into assembly is more convenient than compiling into circuits. However, possibly due to the complexity of handling the RAM model, most zkSNARKs are based on circuit models, with very few based on the RAM model. STARK is one such example, and its construction is extremely complex.
In zkSNARK construction, arithmetic circuits are commonly used rather than the boolean circuits seen in hardware. The main difference is that arithmetic circuits can be further converted into mathematical models. This process is called arithmetization. Below are some common mathematical models converted from circuits.
By taking different matrices, the R1CS problem can represent all NP problems. Encoding an NP problem into R1CS involves first representing its verification process with an arithmetic circuit C, then further converting it into the R1CS problem (A, B, C).
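To make the R1CS encoding concrete, here is an added example (not code from the article) that writes the small arithmetic circuit x^3 + x + 5 = out as three constraint matrices (A, B, C) and checks a witness vector z against the rule (A z) ∘ (B z) = C z. The circuit, the witness layout, the prime modulus and the function names are all constructed for illustration.

```python
# Added example (not from the article): encoding a tiny arithmetic circuit as R1CS
# and checking a witness against the constraint system (A z) o (B z) = C z.
# The circuit, witness layout, modulus and names below are constructed for
# illustration; they do not come from any library or from the article.

# zkSNARK backends work over a prime field; this small prime is a constructed
# stand-in chosen for readability, not a production field.
P = 1_000_003


def mat_vec(m, z):
    """Matrix-vector product modulo P."""
    return [sum(a * b for a, b in zip(row, z)) % P for row in m]


def r1cs_satisfied(A, B, C, z):
    """Return True iff (A z)_i * (B z)_i == (C z)_i mod P for every constraint i."""
    az, bz, cz = mat_vec(A, z), mat_vec(B, z), mat_vec(C, z)
    return all((a * b - c) % P == 0 for a, b, c in zip(az, bz, cz))


# Circuit: the prover knows x such that x^3 + x + 5 == out.
# Witness vector layout (constructed): z = [1, out, x, v1, v2] with
#   constraint 1:  x  * x  = v1
#   constraint 2:  v1 * x  = v2
#   constraint 3:  (v2 + x + 5) * 1 = out
# Each row below is a linear combination over the columns [1, out, x, v1, v2].
A = [
    [0, 0, 1, 0, 0],   # x
    [0, 0, 1, 0, 0],   # x
    [5, 0, 1, 0, 1],   # v2 + x + 5
]
B = [
    [0, 0, 1, 0, 0],   # x
    [0, 0, 0, 1, 0],   # v1
    [1, 0, 0, 0, 0],   # the constant 1
]
C = [
    [0, 0, 0, 1, 0],   # v1
    [0, 0, 0, 0, 1],   # v2
    [0, 1, 0, 0, 0],   # out
]


def witness(x, out):
    """Prover side: fill in the intermediate wires for a claimed (x, out) pair."""
    v1 = x * x % P
    v2 = v1 * x % P
    return [1, out % P, x % P, v1, v2]


if __name__ == "__main__":
    # x = 3 gives 27 + 3 + 5 = 35, so this witness satisfies the R1CS.
    print(r1cs_satisfied(A, B, C, witness(3, 35)))
    # A wrong public output fails the third constraint.
    print(r1cs_satisfied(A, B, C, witness(3, 36)))
```

Every multiplication gate in the circuit becomes one row of each matrix, and additions are folded into the linear combinations, which is why the R1CS has three constraints for a circuit with two multiplications and one final linear check. Changing any entry of z (the private x, the public out, or an intermediate wire) breaks at least one constraint, which is the property the prover later has to convince the verifier of without revealing z.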
Here are some existing models used by zkSNARKs.
We've discussed that NP problems have a standard verification process. Compared to this standard verification, zkSNARKs have two advantages.
These two advantages are meaningful on their own. The significance of ZK (zero-knowledge) is evident. Even if there is only succinctness, i.e., SNARK (without ZK), there are important applications, such as delegated computation. For example, a mobile phone can utilize cloud servers for heavy computation while performing minimal local computations to verify the results. In this scenario, the cloud server doesn't need privacy, only succinctness is required.
Note that for succinctness, "faster verification" faces a natural obstacle: in a general zkSNARK system, without any information about the NP language, the verifier needs to input the encoding of the NP language, denoted as C. C needs to include the entire computation process, and its scale is comparable to the computation itself. Therefore, the verifier simply reading C would be slower than the standard verification of the NP language.
This problem can be solved in two ways:
Essentially, these two methods compress C. If C represents uniform computation, it can be losslessly compressed; otherwise, cryptographic tools must be used for compression.
Our goal is to construct zkSNARK. In our target scenario, the prover only needs to send a short proof string to the verifier, and the verifier doesn't need to send any messages back to the prover.
Directly constructing a zkSNARK for this scenario might be difficult. A more flexible approach is to first construct a proof system in an ideal model and then use a general transformation to convert this ideal model system into a zkSNARK that works in a real-world scenario.
An ideal model uses functionalities that don't exist in the real scenario, called ideal functionalities. These ideal functionalities make constructing proofs more convenient. After construction, cryptographic tools are used to simulate these non-existent functionalities so that the ideal-model system can be realized. We will introduce these models and their transformations in detail next. From the perspective of zkSNARK, the interactive system is an ideal model because it provides an ideal functionality not present in the real scenario, i.e., the verifier can send messages to the prover.
The above method is called Fiat-Shamir transformation. Fiat-Shamir transformation can only convert public randomness interactive proofs into non-interactive proofs, so the next ideal model only considers constructing ZKPs with public randomness.
In 1991, Babai et al. proposed probabilistically checkable proofs (PCP). In the PCP model, the prover constructs a proof string called the PCP proof. The PCP proof can be very long, far exceeding the verifier's computational capacity. Therefore, the prover does not directly send the PCP proof to the verifier but sends an oracle called the PCP oracle. The verifier can query the PCP oracle at will to obtain any bit of the PCP string.
To understand the relationship between IP and PCP, let's take a real-world example. Suppose Alice is a graduate student about to defend her thesis, and Bob's task is to evaluate whether Alice's thesis is qualified. The IP model is akin to a defense: Alice and Bob directly converse, and if Alice can successfully answer all of Bob's questions, she passes. In the PCP model, there is no defense; Alice simply submits her thesis, which is extremely long. Bob cannot read it all and can only randomly select segments to read. If the selected segments are error-free and logically coherent, Bob believes Alice's thesis is qualified.
The PCP oracle provides this functionality: it is short and easy to transmit, yet it represents a large amount of information. Through it, one can randomly access a very long string. Clearly, a real PCP oracle doesn't exist; PCP is an idealized model.
In the above process, the Merkle-Tree can be replaced by a more general cryptographic component called Vector Commitment (VC). VC allows the prover to send a short string to the verifier, representing a commitment to a vector. The verifier can then request the prover to reveal any position within this vector and provide a validity proof, which is much shorter than the vector itself. In essence, a Merkle-Tree is a simple implementation of VC.
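The following added example (not code from the article) ties together two of the transformations discussed above: it simulates a PCP oracle with a Merkle-Tree used as a vector commitment, so the verifier can open any position of a long string against a short root, and it removes the verifier's random challenge by deriving the query positions from a hash of the commitment, which is the Fiat-Shamir transformation applied to this public-coin query step. The "PCP string" is a constructed vector of small integers, not a real PCP encoding, and all function names, the domain-separation bytes and the query count are assumptions made for this illustration.

```python
# Added example (not from the article): a Merkle-Tree as a vector commitment that
# stands in for a PCP oracle, plus Fiat-Shamir derivation of the query positions.
# The committed vector is a constructed toy; no real PCP encoding is implemented.
import hashlib


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def leaf_hash(value: int) -> bytes:
    # Domain-separate leaves from internal nodes so a leaf cannot be reinterpreted
    # as a node (a classic Merkle-tree pitfall).
    return _h(b"\x00", value.to_bytes(8, "big"))


def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01", left, right)


def build_tree(values):
    """Return all levels bottom-up: level 0 is the leaves, the last level is [root]."""
    assert len(values) & (len(values) - 1) == 0, "constructed example: power-of-two length"
    level = [leaf_hash(v) for v in values]
    levels = [level]
    while len(level) > 1:
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def commit(values) -> bytes:
    """The short string the prover sends instead of the whole PCP proof."""
    return build_tree(values)[-1][0]


def open_position(values, idx):
    """Prover side: reveal values[idx] together with its authentication path."""
    levels = build_tree(values)
    path, i = [], idx
    for level in levels[:-1]:
        path.append(level[i ^ 1])   # sibling at this level
        i >>= 1
    return values[idx], path


def verify_opening(root: bytes, idx: int, value: int, path) -> bool:
    """Verifier side: recompute the root from the revealed value and its path."""
    node, i = leaf_hash(value), idx
    for sibling in path:
        node = node_hash(sibling, node) if i & 1 else node_hash(node, sibling)
        i >>= 1
    return node == root


def fiat_shamir_queries(root: bytes, n: int, k: int):
    """Derive k query positions in [0, n) from the commitment rather than from the verifier."""
    out = []
    for ctr in range(k):
        digest = _h(b"query", root, ctr.to_bytes(4, "big"))
        out.append(int.from_bytes(digest[:8], "big") % n)
    return out


def prover_respond(values, k):
    """Non-interactive prover: commit, derive the queries, and open them all at once."""
    root = commit(values)
    openings = [(q, *open_position(values, q)) for q in fiat_shamir_queries(root, len(values), k)]
    return root, openings


def verifier_check(root: bytes, n: int, k: int, openings) -> bool:
    """Verifier re-derives the queries and checks every opening against the root."""
    if [q for q, _, _ in openings] != fiat_shamir_queries(root, n, k):
        return False   # the prover answered positions of its own choosing
    return all(verify_opening(root, q, v, p) for q, v, p in openings)


# Constructed toy "PCP string": 16 small integers standing in for a long proof.
PCP_STRING = [(i * i + 7) % 97 for i in range(16)]


def demo(k: int = 4):
    """Return (honest run accepted, tampered run accepted)."""
    n = len(PCP_STRING)
    root, openings = prover_respond(PCP_STRING, k)
    honest = verifier_check(root, n, k, openings)
    q, v, p = openings[0]
    tampered = [(q, (v + 1) % 97, p)] + openings[1:]   # alter one revealed symbol
    return honest, verifier_check(root, n, k, tampered)


if __name__ == "__main__":
    print(demo())
```

The commitment plays the role of the PCP oracle from the previous section: the verifier never sees the full string, only a root plus a handful of openings, each of size logarithmic in the string length. Because the query positions are a hash of the root, the prover must commit before it learns which positions will be checked, which is exactly what the verifier's randomness guaranteed in the interactive version.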
The IPCP (Interactive PCP) model can be seen as a combination of the IP and PCP models. In the IPCP model, after the prover sends the PCP oracle to the verifier, they continue interacting. During this interaction, the verifier can occasionally access the PCP oracle.
Continuing with the example of Alice and Bob: if the IP model is just a defense, and the PCP model is just the thesis, then the IPCP model is where Alice sends her thesis to Bob before the defense. During the defense, Bob can read the thesis while questioning Alice.
Proof systems based on the IPCP model can be transformed into proof systems in the IP model through Merkle-Tree or general VC schemes, in the same way as PCP model transformations. The difference is that in the IPCP model, the verifier's queries to the PCP proof might be mixed with ordinary interactions.
Both the IP and PCP models can be seen as special cases of the IPCP model. In the IP model, the prover sends an empty oracle to the verifier. In the PCP model, the prover-verifier interaction phase is omitted.
If the IPCP model combines the IP and PCP models additively, then the IOP (Interactive Oracle Proof) model multiplies them. In the IOP model, the verifier sends messages to the prover, and the prover responds with a PCP oracle. The verifier can query any PCP oracle sent by the prover.
Using the Alice and Bob example again: Alice sends her thesis to Bob, Bob responds with brief comments, Alice writes another thesis and sends it back, and this back-and-forth happens multiple times. During this process, Bob can read any of the theses sent by Alice, though his time is still limited, so he can only randomly read parts of them. Finally, Bob judges whether Alice's thesis is qualified.
Like PCP and IPCP, proof systems constructed in the IOP model can be transformed into IP model proof systems.
The IPCP model can be seen as a special case of the IOP model. In the IPCP model, viewing each message from the prover as a PCP oracle makes an IPCP protocol an IOP protocol.
The Polynomial IOP (PIOP) model further generalizes the IOP model. In the PIOP model, like in the IOP model, the verifier sends messages to the prover, and the prover responds with an oracle. However, this time, the prover sends a polynomial oracle.
Since a polynomial oracle can simulate a PCP oracle's functionality, the IOP model can be considered a special case of the PIOP model.
The basic idea of transforming proof systems constructed in the PIOP model into systems in the IP model is similar to that of PCP, IPCP, and IOP: the prover takes the role of the polynomial oracle. However, different cryptographic tools are required. Simple Merkle-Trees or VCs cannot simulate polynomial oracles. Instead, a more powerful cryptographic tool called Polynomial Commitment (PC) is needed.
Next, we introduce two other models, LIP and LPCP. The existing zkSNARKs with constant verifier complexity and proof size are based on these models.
In the Linear IP (LIP) model, the prover and verifier interact. However, compared to the IP model, there are additional constraints: the prover can only perform linear operations.
Thus, not only the prover but also the verifier can only perform linear operations. This limitation makes the system less meaningful. To allow the verifier to perform at least one nonlinear operation, a method is to introduce bilinear pairings. Bilinear pairings allow multiplication on ciphertexts, where the result remains in another ciphertext space, maintaining security.
This article introduces the basic principles and commonly used tools for constructing general succinct zero-knowledge proofs (zkSNARKs). We discussed characterizing NP, including Turing machines, circuits, and mathematical problems like R1CS. We then explored necessary methods to achieve succinctness: assuming uniform computation or using preprocessing. Finally, constructing zero-knowledge proofs in ideal models is more convenient than directly in non-interactive scenarios. Several ideal models and the transformation of zero-knowledge proofs into zkSNARKs were introduced.
References:
- S. Arora, B. Barak, "Computational Complexity: A Modern Approach"
- L. Babai, L. Fortnow, L. Levin, M. Szegedy, "Checking Computations in Polylogarithmic Time"