Soundness of music

This week's puzzle is all about soundness - the requirement of a proof system that it should not be possible to prove false statements.

Here, we use a toy proof system based on BCTV14 which is unsound.

The proof system

This proof system is intended to allow a prover to show that a certain set of arithmetic constraints is satisfiable. Each constraint is of the form:

[a_{1}, \dots, a_{m}] * [v_{1}, \dots, v_{m}]^{T} + [a_{1}, \dots, a_{m}] * [v_{1}, \dots, v_{m}]^{T} = [c_{1}, \dots, c_{m}] * [v_{1}, \dots, v_{m}]^{T}

If you're familiar with the concept of rank-1 constraint systems, the format of an R1CS constraint may look similar. However, our constraints are much more limited: our kind of constraint system can only describe a very specific kind of arithmetic relations. In particular, it is not universal, since multiplication of variables is not possible. However, we can still prove statements such as 1+1+1+1=4.

Constraints to polynomials

Each variable can be represented by a pair of polynomials, one which encodes every time that variable is an input in a constraint, and one polynomial which encodes every time that variable is an output in a constraint.

First, let's fix a domain

ω_{1}, \dots, ω_{m} \in F

, one field element for each constraint. (In general, these will be roots of unity; for our purposes, they only need to be distinct from each other)

Then the input polynomial

A_{i}

for

v_{i}

is defined as a polynomial of degree

n + 1

such that for all

j \in {1, \dots, n}

, if

A_{i} (ω_{j}) = a_{i}

where

a_{i}

comes from constraint

C_{j}

We can think of this polynomial as encoding the coefficients of the variable in each constraint.

Similarly, the output polynomial

C_{i}

for each variable is defined as a polynomial of degree

n + 1

such that for all

j \in {1, \dots, n}

C_{i} (ω_{j}) = c_{i}

where

c_{i}

comes from constraint

C_{j}

Together with the vanishing polynomial

Z = (x - ω_{1}) \dots (x - ω_{n})

, defined so

Z (ω_{j}) = 0

for all

j

, the polynomials

A_{1}, C_{1}, \dots, A_{m}, C_{m}, Z

define what we will call the "circuit" for our proving system.

Trusted setup

Our succinct proving system requires a trusted setup.

Suppose we have

n

constraints over

m

variables, with polynomials

A_{1}, C_{1}, \dots, A_{m}, C_{m}, Z

. We use the pairing-friendly BLS12-381 elliptic curve, with groups

G_{1}, G_{2}

Using the notation

[x]_{1} = [x] G

and

[x]_{2} = [x] H

, where

G

is a generator in

G_{1}

and

H

is a generator in

G_{2}

and

[x] G

refers to scalar multiplication by

x

Trusted setup elements
Powers of tau	$[1]_{1}, [τ]_{1}, [τ^{2}]_{1}, \dots, [τ^{m}]_{1}$
Input polynomial commitments	$[ρ A_{1} (τ)]_{1}, \dots, [ρ A_{m} (τ)]_{1}$
$α$ Input polynomial commitments	$[α_{I} ρ A_{1} (τ)]_{1}, \dots, [α_{I} ρ A_{m} (τ)]_{1}$
Output polynomial commitments	$[ρ C_{1} (τ)]_{1}, \dots, [ρ C_{m} (τ)]_{1}$
$α$ Output polynomial commitments	$[α_{O} ρ C_{j} (τ)]_{1}, \dots, [α_{O} ρ C_{m} (τ)]_{1}$
$K$	$β ρ (A_{1} (τ) + C_{1} (τ))]_{1}, \dots, [β ρ (A_{m} (τ) + C_{m} (τ))]_{1}$
$α_{I}$	$[α_{I}]_{2}$
$α_{O}$	$[α_{O}]_{2}$
$γ$	$[γ]_{2}$
$β γ$	$[β γ]_{2}$
Vanishing polynomial	$[ρ Z (τ)]_{2}$

This trusted setup mostly copies the BCTV14 trusted setup, with minor modifications to the constraint format. In theory, the elements of the trusted setup help the verifier check that a proof is properly constructed.

For the puzzle, there was no multi-party computation ceremony, or any other special measures taken; random values of

τ, ρ, α_{I}, α_{O}, β, γ

are taken and the trusted setup values computed directly and honestly.

Creating a proof

Suppose an assignment of values

x_{1}, \dots, x_{m}

to the variables

v_{1}, \dots, v_{m}

satisfies all constraints. Then equality:

(x_{1} A_{1} (ω_{1}) + \dots + x_{m} A_{m} (ω_{1})) + (x_{1} A_{1} (ω_{1}) + \dots + x_{m} A_{m} (ω_{1})) = x_{1} C_{1} (ω_{1}) + \dots + x_{m} C_{m} (ω_{1})

must hold, because it simplifies to:

[a_{1}, \dots, a_{m}] * [x_{1}, \dots, x_{m}]^{T} + [a_{1}, \dots, a_{m}] * [x_{1}, \dots, x_{m}]^{T} = [c_{1}, \dots, c_{m}] * [x_{1}, \dots, x_{m}]^{T}

which is simply constraint 1. Therefore, the polynomial equation:

(x_{1} A_{1} (x) + \dots + x_{m} A_{m} (x)) + (x_{1} A_{1} (x) + \dots + x_{m} A_{m} (x)) = x_{1} C_{1} (x) + \dots + x_{m} C_{m} (x)

must hold over the entire domain

ω_{1}, \dots, ω_{n}

. Further, this polynomial equation holds over the domain if and only if the assignment

x_{1}, \dots, x_{m}

actually satisfies every constraint; therefore, we can simply prove that this polynomial equation holds over this domain, and then conclude the constraint system is satisfied.

Rearranging everything to the left and denoting it as

P (x)

P (x) = (x_{1} A_{1} (x) + \dots + x_{m} A_{m} (x)) + (x_{1} A_{1} (x) + \dots + x_{m} A_{m} (x)) - (x_{1} C_{1} (x) + \dots + x_{m} C_{m} (x))

We get that

P (x) = 0

for all

x \in {ω_{1}, \dots, ω_{n}}

. Therefore,

P (x)

is divisible by the vanishing polynomial

Z (x)

; put another way, there exists a polynomial

H (x)

such that

P (x) = H (x) * Z (x)

Therefore, if we compute a polynomial commitment

π_{H} = [P (τ) / Z (τ)]_{1}

, a verifier should be able to confirm that

P (x) = 0

over the correct domain.

We also compute some additional proof elements, which encode the private inputs and also help the verifier verify this fact:

π_{I} = \sum_{x_{i} is private} x_{i} [ρ A_{i} (τ)]

π_{I}^{'} = \sum_{x_{i} is private} x_{i} [α_{I} ρ A_{i} (τ)]

π_{O} = \sum_{x_{i}} x_{i} [ρ C_{i} (τ)]

π_{O}^{'} = \sum_{x_{i}} x_{i} [α_{O} ρ O_{i} (τ)]

π_{K} = \sum_{x_{i}} [β ρ (A_{1} (τ) + C_{1} (τ))]_{1}, \dots, [β ρ (A_{m} (τ) + C_{m} (τ))]_{1}

The final proof is

(π_{I}, π_{I}^{'}, π_{O}, π_{O}^{'}, π_{K}, π_{H})

Verifier

The given verifier takes in the public inputs

x_{1}, \dots, x_{p}

. The public inputs get encoded into:

π_{P I} = \sum_{x_{i} is public} x_{i} [ρ A_{i} (τ)]

The verifier checks, where

e (\cdot, \cdot)

is the pairing operation:

e (π_{I}^{'}, H) = e (π_{I}, [α_{I}]_{2})

e (π_{O}^{'}, H) = e (π_{O}, [α_{O}]_{2})

e (π_{K}, [γ]_{2}) = e (π_{P I} + π_{I} + π_{O}, [β γ]_{2})

e (π_{P I} + π_{I} + π_{P I} + π_{I} - π_{O}) = e (π_{H}, [ρ Z (τ)]_{2})

The final pairing effectively checks the condition that

P (x) = H (x) Z (x)

as required.

Soundness Bugs

The proof system in this puzzle has two soundness bugs; the verifier accepts proofs even when the constraint system is unsatisfiable with given public inputs.

Bug 1

The first bug is an implementation bug. Recall that for variable

v_{i}

, the polynomials

A_{i}

and

C_{i}

were defined as a polynomial of degree

n + 1

with certain values on a domain. In the puzzle,

A_{i}

and

C_{i}

were interpolated without regard to the resulting degree, which meant that

A_{i}

sometimes was degenerate. When this happens for a public input variable, the verifier may ignore this public input.

The correct fix is to ensure that every polynomial is actually degree

n + 1

. This can be achieved by taking the polynomial mod

Z (x)

and adding

Z (x)

, since

Z (x)

is known to be exactly degree

n + 1

. Since zero-knowledge blinding wasn't necessary for this puzzle, this necessary step was omitted.

Bug 2

The second bug is a conceptual bug, based on the one that occurs in BCTV14. The trusted setup includes terms:

[α_{I} ρ A_{1} (τ)]_{1}, \dots, [α_{I} ρ A_{p} (τ)]_{1}

which are not used anywhere by the prover or verifier.

However, these elements can be used to alter any valid proof for public input

x_{1}, \dots, x_{p}

to work for an arbitrary public input:

η_{I} = π_{I} + \sum_{i = 0}^{p} (x_{i} - x_{i}^{'}) [ρ A_{i} (τ)]_{1}

η_{I}^{'} = π_{I}^{'} + \sum_{i = 0}^{p} (x_{i} - x_{i}^{'}) [α_{I} ρ A_{i} (τ)]_{1}

The proof

(η_{I}, η_{I}^{'}, π_{O}, π_{O}^{'}, π_{K}, π_{H})

will verify against the arbitrarily-chosen public input

x_{1}^{'}, \dots, x_{p}^{'}

The fix for this bug is to remove the unnecessary elements of the trusted setup.