UltraGroth

Challenge rounds in Groth16-like system

This is a continuation and clarification of my previous post which was a very rough description of a possible scheme of adding lookups (and any other challenge arguments) to Groth16.

It generated some traction and comments. Mainly, I would like to thank Weikeng Chen, who gave me some references on similar approaches (based on LegoSNARK), and confirmed that it should be possible to get rid of all interfacing between different argument systems (which loosely works similarly to Pinocchio), instead using a single Groth16-styled equation.

It seems that it is, indeed, possible. I describe the protocol here, and provide a sketch of proof.

Let's recall normal Groth16 protocol, first

This turned out to be quite long, tbh. It can be skipped, but it makes sense to look at the zero-knowledge / soundness proofs here to make sense of my arguments for UltraGroth.

R1CS

In normal Groth16, we start from a rank 1 constraint system, R1CS:

L w \circ R w = O w

Here, $L, R, O$ are matrices of size $n \times m$, where $m$ is the size of the witness vector $w$, $n$ is the number of constraints, and $\circ$ is the Hadamard product.

Individual constraints, thus, correspond to the rows of the matrix:

L^{i} w * R^{i} w = O^{i} w

(\sum_{j} L_{j}^{i} w^{j}) * (\sum_{j} R_{j}^{i} w^{j}) = \sum_{j} O_{j}^{i} w^{j}

Some subset of the witness indices is called "public inputs" and is exposed by the proof; all other indices are private.
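To make the row-by-row form concrete, here is a minimal sketch of an R1CS satisfiability check. The toy circuit (x * x = y, y * x = z), the witness layout `w = (1, x, y, z)` and the small prime `P` are assumptions of this example, not part of the protocol.

```python
# Toy R1CS over F_P for the statements x * x = y and y * x = z.
# Assumed witness layout for this sketch: w = (1, x, y, z).
P = 97  # small prime standing in for the scalar field

# One row per constraint, one column per witness index.
L = [[0, 1, 0, 0],   # constraint 0: left factor x
     [0, 0, 1, 0]]   # constraint 1: left factor y
R = [[0, 1, 0, 0],   # constraint 0: right factor x
     [0, 1, 0, 0]]   # constraint 1: right factor x
O = [[0, 0, 1, 0],   # constraint 0: output y
     [0, 0, 0, 1]]   # constraint 1: output z


def dot(row, w):
    """Inner product of a matrix row with the witness, mod P."""
    return sum(a * b for a, b in zip(row, w)) % P


def r1cs_satisfied(L, R, O, w):
    """Check (L^i w) * (R^i w) = O^i w for every constraint row i."""
    return all(dot(l, w) * dot(r, w) % P == dot(o, w)
               for l, r, o in zip(L, R, O))


x = 3
w_good = [1, x, x * x % P, x ** 3 % P]
w_bad = [1, x, x * x % P, 5]
```

With these values, `r1cs_satisfied(L, R, O, w_good)` holds and `r1cs_satisfied(L, R, O, w_bad)` does not.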

Now, we map the set of constraints to some set $S$ in the scalar field of a pairing-friendly curve. I will denote by $x_{i}$ the point corresponding to the constraint $i$.

Z (x) = \prod_{i} (x - x_{i})

denotes the vanishing polynomial of this set, and we also define $L_{j} (x), R_{j} (x), O_{j} (x)$ by Lagrange interpolation of their values over the set:

L_{j} (x_{i}) = L_{j}^{i}

(and the same for $R, O$).

Then, the R1CS problem can be reformulated as finding a witness vector $w$ such that

(\sum_{j} w_{j} L_{j} (x)) (\sum_{j} w_{j} R_{j} (x)) - (\sum_{j} w_{j} O_{j} (x))

vanishes on $S$, which is equivalent to being divisible by $Z (x)$, i.e. there exists $H (x)$ (of degree at most $n$) such that:

L (x) R (x) - O (x) = Z (x) H (x)

where

L = \sum_{j} w_{j} L_{j} (x)

R = \sum_{j} w_{j} R_{j} (x)

O = \sum_{j} w_{j} O_{j} (x)
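The divisibility condition can be checked directly on a toy instance. The sketch below is only an illustration: the prime `P`, the evaluation points `XS`, the toy matrices and all helper names are assumptions of this example. Polynomials are coefficient lists, lowest degree first.

```python
P = 97        # small prime standing in for the scalar field
XS = [1, 2]   # points x_i assigned to the two constraints

# Toy circuit x * x = y, y * x = z with witness layout w = (1, x, y, z).
L = [[0, 1, 0, 0], [0, 0, 1, 0]]
R = [[0, 1, 0, 0], [0, 1, 0, 0]]
O = [[0, 0, 1, 0], [0, 0, 0, 1]]


def poly_add(a, b):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return [(x + y) % P for x, y in zip(a, b)]


def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return out


def poly_scale(a, c):
    return [x * c % P for x in a]


def interpolate(ys):
    """Lagrange interpolation through the points (XS[i], ys[i])."""
    total = [0]
    for i, yi in enumerate(ys):
        basis, denom = [1], 1
        for k, xk in enumerate(XS):
            if k != i:
                basis = poly_mul(basis, [-xk % P, 1])
                denom = denom * (XS[i] - xk) % P
        total = poly_add(total, poly_scale(basis, yi * pow(denom, -1, P)))
    return total


def combine(M, w):
    """sum_j w_j M_j(x), where M_j interpolates column j of M."""
    total = [0]
    for j, wj in enumerate(w):
        total = poly_add(total, poly_scale(interpolate([row[j] for row in M]), wj))
    return total


def poly_divmod(num, den):
    """Long division; returns (quotient, remainder)."""
    num = num[:]
    quot = [0] * max(len(num) - len(den) + 1, 1)
    inv_lead = pow(den[-1], -1, P)
    for i in range(len(num) - len(den), -1, -1):
        q = num[i + len(den) - 1] * inv_lead % P
        quot[i] = q
        for j, d in enumerate(den):
            num[i + j] = (num[i + j] - q * d) % P
    return quot, num[:len(den) - 1]


def qap_quotient(w):
    """Divide L(x) R(x) - O(x) by Z(x); returns (H, remainder)."""
    Z = [1]
    for xi in XS:
        Z = poly_mul(Z, [-xi % P, 1])
    numerator = poly_add(poly_mul(combine(L, w), combine(R, w)),
                         poly_scale(combine(O, w), P - 1))
    return poly_divmod(numerator, Z)


H_good, rem_good = qap_quotient([1, 3, 9, 27])
H_bad, rem_bad = qap_quotient([1, 3, 9, 5])
```

A valid witness gives a zero remainder, so the quotient is the polynomial $H (x)$; an invalid witness leaves a nonzero remainder.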

Groth16 argument

Now, let's recall how this problem is turned into a zk-proof.

We have the following toxic waste elements: $(α, β, γ, δ, τ)$, and the reference string is computed as follows:

[α]_{1}, [β]_{1}, [β]_{2}, [γ]_{2}, [δ]_{1}, [δ]_{2},

for $0 \leq k \leq n$:

Z_{k} = [\frac{τ^{k} Z (τ)}{δ}]_{1}

(these will allow us to compute $[\frac{H (τ) Z (τ)}{δ}]_{1}$), and, for all $j$:

A_{j} = [L_{j} (τ)]_{1}, B_{j} = [R_{j} (τ)]_{2}

B_{j}^{'} = [R_{j} (τ)]_{1}

for $j \in priv$:

C_{j} = [\frac{O_{j} (τ) + β L_{j} (τ) + α R_{j} (τ)}{δ}]_{1}

for $j \in pub$:

C_{j} = [\frac{O_{j} (τ) + β L_{j} (τ) + α R_{j} (τ)}{γ}]_{1}

[…]

The Groth16 prover (given the solution to R1CS in the polynomial form described above) samples two random blinding scalars $r, s$ and computes the following:

A = [α]_{1} + \sum_{j} w_{j} A_{j} + r [δ]_{1}

B = [β]_{2} + \sum_{j} w_{j} B_{j} + s [δ]_{2}

B^{'} = [β]_{1} + \sum_{j} w_{j} B_{j}^{'} + s [δ]_{1}

C = \sum_{j \in priv} w_{j} C_{j} + \sum h_{k} Z_{k} + r B^{'} + s A - r s [δ]_{1}

where $h_{k}$ are the coefficients of $H (x)$, and $IC$ is computed from public inputs by both sides:

I C = \sum_{j \in pub} w_{j} C_{j}

And the verifier does the following check:

⟨ A, B ⟩ = ⟨ [α]_{1}, [β]_{2} ⟩ + ⟨ C, [δ]_{2} ⟩ + ⟨ I C, [γ]_{2} ⟩

Why this holds for a valid R1CS instance

Let's see why this works:

First, unwind this check to see that it passes. I will calculate LHS and RHS, abusing notation a bit by omitting the group brackets $[\cdot]_{m}$ everywhere. I will also use $A, B, C$ as shorthands for their discrete logs, as scalars.

LHS:

A B = (α + \sum_{j} w_{j} L_{j} (τ) + r δ) (β + \sum_{j} w_{j} R_{j} (τ) + s δ)

RHS:

α β + C δ + I C γ = α β + \sum_{j} w_{j} (O_{j} (τ) + β L_{j} (τ) + α R_{j} (τ)) + H (τ) Z (τ) + r δ B + s δ A - r s δ^{2}

Now, a small modification of LHS makes it clear that all terms with $δ$ will cancel out:

LHS:

A B = s A δ + r B δ - r s δ^{2} + (α + \sum_{j} w_{j} L_{j} (τ)) (β + \sum_{j} w_{j} R_{j} (τ))

The rest is direct inspection.

Zero-knowledge

Now, let's recall why this is perfectly zero-knowledge, and why this is computationally sound in algebraic group model.

Zero-knowledge: it is clear that $A, B$ are uniformly distributed (because the prover adds the uniformly random elements $r [δ]_{1}, s [δ]_{2}$). $C$ is uniquely determined once the other variables are fixed (because the verification equation is linear in $C$), and, therefore, the distribution of proofs on the space of solutions of this equation is uniform.

Note: even a stronger fascinating property, re-randomizability, holds. It means that having a correct proof triple (A, B, C) one can construct a new proof (A', B', C') uniformly randomly distributed in the space of all proofs, without knowing the original witness. This property will, sadly, be broken in my extended UltraGroth protocol.
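For concreteness, here is one way the re-randomization can be written down, as far as I know the standard one. The scalar names $ρ \neq 0$ and $σ$ are introduced only for this sketch, and the check is done in the scalar notation used above.

```latex
% Fresh random scalars: \rho \neq 0 and \sigma (names chosen for this sketch).
A' = \rho^{-1} A, \qquad
B' = \rho B + \rho \sigma [\delta]_{2}, \qquad
C' = C + \sigma A

% Check of the verification equation, with scalars in place of group elements:
A' B' = \rho^{-1} A \, (\rho B + \rho \sigma \delta)
      = A B + \sigma A \delta
      = \alpha \beta + (C + \sigma A) \delta + IC \, \gamma
      = \alpha \beta + C' \delta + IC \, \gamma
```

Only the proof elements and $[δ]_{2}$ from the reference string are used, so no knowledge of the witness is needed.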

Soundness in Algebraic Group Model

Soundness in AGM: I won't go into details of AGM, but this has the following intuition: imagine that $α, β, γ, δ, τ$ are variables (i.e. we now calculate in a ring of rational functions depending on these variables). The adversary then tries to construct a proof, with $A$ and $C$ being linear combinations of the expressions

α, β, δ, \frac{τ^{k} Z (τ)}{δ}, L_{j} (τ), R_{j} (τ),

for $j \in priv$:

\frac{O_{j} (τ) + β L_{j} (τ) + α R_{j} (τ)}{δ},

for $j \in pub$:

\frac{O_{j} (τ) + α R_{j} (τ) + β L_{j} (τ)}{γ},

and $B$ being a linear combination of

β, δ, γ, R_{j} (τ).

And let's assume they succeed, i.e. the expressions satisfy

A B = α β + C δ + I C γ

First, let's notice that $A$ must contain $α$ and $B$ must contain $β$. Moreover, let's wlog rescale them in such a way that both of these have coefficient $1$.

Occurrence of $β$ in $A$ is then prohibited due to the fact that $β^{2}$ cannot occur on RHS.

Now, let's see that in $A$ there should be no terms with $δ$ or $γ$ in the denominator. Indeed, if there were, their products by $β$ would not be cancelled by anything in LHS, and neither in RHS (because RHS doesn't have a pole at $δ = 0$).

Let us also notice that occurrence of $γ$ in $B$ is unwelcome because $γ α$ cannot occur in RHS.

Therefore, we are in a situation where

A = α + \sum a_{j} L_{j} (τ) + \sum q_{j} R_{j} (τ) + r δ

and

B = β + \sum b_{j} R_{j} (τ) + s δ

We have neither shown that $a_{j} = b_{j}$ yet, nor that $q_{j} = 0$, nor stated anything about $C$.

WLOG, let's modify $A$ and $B$ by removing $r δ$ and $s δ$, and $C$ by subtracting $s A + r B$ and adding $r s δ$. We have successfully exiled $δ$ from LHS; now it has the form:

A = α + \sum a_{j} L_{j} (τ) + \sum q_{j} R_{j} (τ)

B = β + \sum b_{j} R_{j} (τ)

In this form, appearance of any nonzero $L_{j} (τ)$, $R_{j} (τ)$, $α$, $β$ terms in $C$ is strictly prohibited - it would lead to an uncancelled term divisible by $δ$ in RHS.

The terms involving $γ$ are also banned in $C$ for trivial reasons.

Hence, $C$ has the following form:

C = \sum_{j \in priv} c_{j} \frac{O_{j} (τ) + β L_{j} (τ) + α R_{j} (τ)}{δ} + \sum h_{k} \frac{Z (τ) τ^{k}}{δ}

Wlog, assume that there are no linear dependencies among the nonzero $L_{j} (τ)$-s and among the nonzero $R_{j} (τ)$-s (separately). If there were, we could use them to make some of the coefficients vanish, and proceed under this assumption.

Assume also wlog that in this form no linear combination of the $R_{j} (τ)$-s occurring in $A$ can be expressed as a sum of $L_{j} (τ)$-s - if it could, make this substitution in $A$ to increase the number of vanishing coefficients, and proceed.

Now, we want to show that after such transformations $q_{j} = 0$ and $a_{j} = b_{j} = c_{j}$ (for public $j$, put $c_{j} = w_{j}$, the contribution of $IC \, γ$). Indeed, grabbing all terms with $β$, we see that RHS contains $\sum c_{j} β L_{j} (τ)$ and LHS contains $\sum a_{j} β L_{j} (τ) + \sum q_{j} β R_{j} (τ)$. Due to our assumptions on the absence of linear dependencies, all $q_{j}$ are forced to vanish, and $a_{j} = c_{j}$.

Similarly, collecting all terms with $α$, RHS contains $\sum c_{j} α R_{j} (τ)$ and LHS contains $\sum b_{j} α R_{j} (τ)$, which implies $b_{j} = c_{j}$.

UltraGroth argument

Assume that our R1CS circuit is endowed with additional structure. Namely, the private section of the set of witness indices $1 .. m$ is separated into $d + 1$ parts, ${round}_{0}$, …, ${round}_{d}$. Additionally, some public inputs are called "challenges", and the set of challenges is separated into $d$ parts. The vector space $C^{k}$ will denote the space of challenges in round $k$.

Let's define the space $V^{k}$ as the space of vectors whose nonzero coefficients have indices inside ${round}_{k}$. The "old" witness then lives in

⨁_{k} V^{k} \oplus public inputs

We define the $(k + 1)$-st round strategy as a function

F_{k} : C^{k} \times ⨁_{i \leq k} V^{i} \to V^{k + 1}

The strategy of the $0$-th round is just a vector in $V^{0}$.

We will call a full witness the set of such strategies, for each round, which, while being used successively, succeed with overwhelming probability for random challenges.

Definition: An algebraic witness is a solution of R1CS over the field of rational functions on the space of challenges $F_{q} (C)$, such that the round $k+1$ witness depends only on challenges from rounds up to $k$.

An algebraic witness trivially implies the aforementioned strategy.

It is useful to think about algebraic witnesses, but likely not so useful to work with them in practice - computations in the field of rational functions are not that friendly. I believe the general definition in terms of strategies given above is a more adequate abstraction; i.e. in practice the witness to the circuit will be a bunch of functions executing some computations on the already computed part of the witness vector.

Now, we will emulate the challenge responses of the verifier, using the Fiat-Shamir heuristic. Let's construct the following toxic waste:

α, β, γ, δ_{0}, \ldots, δ_{d}, τ

and obtain the following reference string: all as before, with all $δ_{k}$'s known in both G1 and G2, $Z_{k}$ computed using $δ_{d}$ (as needed for equation (*) below to hold), and $C_{j}$ for private indices being computed as follows: for $j \in {round}_{k}$:

C_{j} = [\frac{O_{j} (τ) + β L_{j} (τ) + α R_{j} (τ)}{δ_{k}}]_{1}

Now, for each round but the last, let's assume that the prover also exposes some point $C^{(k)}$ to the verifier, and the honest prover puts

C^{(k)} = \sum_{j \in {round}_{k}} w_{j} C_{j} + r_{k} [δ_{d}]_{1}

with $r_{k}$ being the blinding factor.

The verifier then sends the set of challenge inputs $\{ w_{j} | j \in {chall}_{k + 1} \}$ by setting

{acc}_{k + 1} = Hash ({acc}_{k}, C^{(k)})

and

w_{j} = Hash (j, {acc}_{k + 1})

!! Note: the chaining through ${acc}_{k}$ is important. We cannot just set the challenge to be the hash of $j$ and $C^{(k)}$ without running the risk of the prover retroactively changing previous rounds without changing $C^{(k)}$, which might be possible in some cases.
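The accumulator chain can be sketched as follows. The choice of SHA-256, the length-prefixed encoding, the all-zero initial accumulator, the toy modulus `P` and the byte-string commitments are all assumptions of this example; the post does not fix any of them.

```python
import hashlib

P = 2**61 - 1  # toy modulus standing in for the scalar field


def hash_bytes(*parts):
    """SHA-256 over length-prefixed parts, to keep the encoding unambiguous."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(8, "big"))
        h.update(part)
    return h.digest()


def next_acc(acc, commitment):
    """acc_{k+1} = Hash(acc_k, C^(k))."""
    return hash_bytes(acc, commitment)


def challenge(j, acc):
    """w_j = Hash(j, acc_{k+1}), reduced into the field."""
    digest = hash_bytes(j.to_bytes(8, "big"), acc)
    return int.from_bytes(digest, "big") % P


def derive_challenges(commitments, chall_indices, acc0=b"\x00" * 32):
    """commitments[k] is a serialized C^(k); chall_indices[k] lists chall_{k+1}."""
    acc = acc0
    out = {}
    for c_k, indices in zip(commitments, chall_indices):
        acc = next_acc(acc, c_k)
        for j in indices:
            out[j] = challenge(j, acc)
    return out


honest = derive_challenges([b"C0", b"C1"], [[5], [6, 7]])
rewound = derive_challenges([b"C0-changed", b"C1"], [[5], [6, 7]])
```

Because of the chaining, changing the round-0 commitment changes the round-2 challenges even though `C1` is unchanged, which is the point of the note above.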

After we have run this process non-interactively, we have obtained the full witness vector $w$. We then do the same computation as for normal R1CS to obtain $H (x)$.

The honest prover then picks two more random values $r, s$, and sets the following:

A = [α]_{1} + \sum_{j} w_{j} A_{j} + r [δ_{d}]_{1}

B = [β]_{2} + \sum_{j} w_{j} B_{j} + s [δ_{d}]_{2}

B^{'} = [β]_{1} + \sum_{j} w_{j} B_{j}^{'} + s [δ_{d}]_{1}

I C = \sum_{j \in pub} w_{j} C_{j}

(here, as everywhere, public inputs include challenges). For $k < d$, as before,

C^{(k)} = \sum_{j \in {round}_{k}} w_{j} C_{j} + r_{k} [δ_{d}]_{1}

and for the last round

C^{(d)} = \sum_{j \in {round}_{d}} w_{j} C_{j} + \sum_{i \leq n} h_{i} Z_{i} + s A + r B^{'} - \sum_{k < d} r_{k} [δ_{k}]_{1} - r s [δ_{d}]_{1}

where $h_{i}$ are the coefficients of $H (x)$.

Then, the following equation (*) holds:

⟨ A, B ⟩ = ⟨ [α]_{1}, [β]_{2} ⟩ + ⟨ I C, [γ]_{2} ⟩ + \sum_{k \leq d} ⟨ C^{(k)}, [δ_{k}]_{2} ⟩

Full verification algorithm checks this equation, correctness of public input and correctness of challenges.

Why this equation holds

It is, in fact, a direct inspection. The only thing that substantially differs from normal Groth16 is the blinding factors. Let's see how it works: the factor $r_{k} δ_{d}$ from $C^{(k)}$ is multiplied by $δ_{k}$, which is exactly cancelled by the term $- r_{k} δ_{k} δ_{d}$ coming from $C^{(d)}$. The remaining blinding factors look exactly as in Groth16.
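The same inspection can be run numerically with scalars in place of group elements. As before, this is only a sketch: $L_{j} (τ), R_{j} (τ), O_{j} (τ)$ are random stand-ins, $H (τ) Z (τ)$ is defined as the value that makes the QAP identity hold, and challenges are treated as ordinary public entries of `w` rather than hash outputs. The function name and its parameters are hypothetical.

```python
import random

P = 2**61 - 1  # a Mersenne prime used as a toy scalar field


def inv(x):
    return pow(x, -1, P)


def ultragroth_scalar_check(rounds, pub, w, seed=0, tamper=False):
    """rounds: d+1 lists of private indices; pub: public indices (incl. challenges)."""
    rng = random.Random(seed)
    rnd = lambda: rng.randrange(1, P)
    d = len(rounds) - 1
    alpha, beta, gamma = rnd(), rnd(), rnd()
    deltas = [rnd() for _ in rounds]  # delta_0, ..., delta_d
    n_vars = len(w)
    Lt = [rnd() for _ in range(n_vars)]  # stand-ins for L_j(tau)
    Rt = [rnd() for _ in range(n_vars)]  # stand-ins for R_j(tau)
    Ot = [rnd() for _ in range(n_vars)]  # stand-ins for O_j(tau)
    num = [(Ot[j] + beta * Lt[j] + alpha * Rt[j]) % P for j in range(n_vars)]

    Lw = sum(w[j] * Lt[j] for j in range(n_vars)) % P
    Rw = sum(w[j] * Rt[j] for j in range(n_vars)) % P
    Ow = sum(w[j] * Ot[j] for j in range(n_vars)) % P
    HZ = (Lw * Rw - Ow) % P  # assumption: forced by L R - O = H Z

    r, s = rnd(), rnd()
    rk = [rnd() for _ in range(d)]  # per-round blinding factors r_k
    A = (alpha + Lw + r * deltas[d]) % P
    B = (beta + Rw + s * deltas[d]) % P

    # C^(k) for k < d: round-k witness part plus blinding r_k * delta_d.
    C = [(sum(w[j] * num[j] for j in rounds[k]) * inv(deltas[k])
          + rk[k] * deltas[d]) % P for k in range(d)]
    # C^(d): last round, quotient term, Groth16 blinding, and the correction
    # -sum_k r_k * delta_k that cancels the earlier blinding factors.
    C.append(((sum(w[j] * num[j] for j in rounds[d]) + HZ) * inv(deltas[d])
              + s * A + r * B
              - sum(rk[k] * deltas[k] for k in range(d))
              - r * s * deltas[d]) % P)
    IC = sum(w[j] * num[j] for j in pub) * inv(gamma) % P

    if tamper:
        C[0] = (C[0] + 1) % P
    rhs = (alpha * beta + IC * gamma
           + sum(C[k] * deltas[k] for k in range(d + 1))) % P
    return A * B % P == rhs


holds = ultragroth_scalar_check([[1], [2, 3], [4]], [0, 5], [1, 7, 8, 9, 10, 11])
broken = ultragroth_scalar_check([[1], [2, 3], [4]], [0, 5], [1, 7, 8, 9, 10, 11],
                                 tamper=True)
```

Here `holds` is true, and `broken` is false because shifting $C^{(0)}$ changes the right-hand side by a nonzero multiple of $δ_{0}$.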

Zero knowledge

I claim that the honest prover produces a uniformly random proof. The reason for this is the fact that $A, B$ and $C^{(k)}$ for $k<d$ are all uniformly distributed, and $C^{(d)}$ is then uniquely determined.

Soundness?

I feel a bit shaky here. Anyways, let's proceed and work in AGM + ROM for the hash. Then, we first prove the following lemma:

Lemma: Any solution to equation (*) is a valid solution to R1CS, and $C^{(k)}$'s are binding commitments to the round witnesses.

The fact that a solution to this equation in AGM yields a solution of R1CS can be shown with the following trick. A solution in AGM is a solution in terms of some polynomials (i.e. treating toxic waste as variables). Let's substitute $δ_{k} = δ, \forall k$ in this solution. The result is a solution of the normal Groth16 equation with $C = \sum_{k} C^{(k)}$, so the soundness argument for normal Groth16 applies.

It is also easy to see that $C^{(k)}$ are not allowed to contain any $C_{j}$'s from different rounds, as this leads to an uncancellable $\frac{δ_{k}}{δ_{s}}$ factor (it cannot come from LHS because $A$ does not admit terms with nontrivial denominator, similarly to the proof for normal Groth16). They might also contain some other terms, but because we don't know any linear dependencies between them, it is still a binding commitment.

◻
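Written out in the scalar notation, the substitution step of the proof looks as follows (a sketch of the reduction only, not a full proof):

```latex
% Equation (*) as an identity of rational functions in the toxic waste:
A B = \alpha \beta + IC \, \gamma + \sum_{k \le d} C^{(k)} \delta_{k}

% Substitute \delta_{k} = \delta for all k:
A B = \alpha \beta + IC \, \gamma + \Big( \sum_{k \le d} C^{(k)} \Big) \delta

% Under the same substitution every reference string element
% \frac{O_{j} + \beta L_{j} + \alpha R_{j}}{\delta_{k}} becomes the Groth16 element
% \frac{O_{j} + \beta L_{j} + \alpha R_{j}}{\delta}, so (A, B, \sum_{k} C^{(k)})
% is an algebraic solution of the normal Groth16 equation.
```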

Therefore, interactive protocol of communication with verifier (which we emulate by Fiat-Shamir) can be represented as follows: prover is providing some sequence of commitments to parts of the witness, and then generates a valid zk-proof with witness it had committed to.

I am not sure if I messed up here somewhere, requires proofread / review.
