Greetings! New to Zcash?
The Zcash network is young, but evolving quickly! Sign up and we'll be in touch with monthly highlights on ecosystem growth, network development and how to get started with Zcash!

言語

Explaining SNARKs Part III: The Knowledge of Coefficient Test and Assumption

Ariel Gabizon | Mar 28, 2017

<< Part II

In Part II, we saw how Alice can blindly evaluate the hiding \(E(P(s))\) of her polynomial \(P\) of degree \(d\), at a point \(s\) belonging to Bob. We called this "blind" evaluation, because Alice did not learn \(s\) in the process.

However, there was something missing in that protocol - the fact that Alice is able to compute \(E(P(s))\) does not guarantee she will indeed send \(E(P(s))\) to Bob, rather than some completely unrelated value.

Thus, we need a way to "force" Alice to follow the protocol correctly. We will explain in part IV precisely how we achieve this. In this post, we focus on explaining the basic tool needed for that - which we call here the Knowledge of Coefficient (KC) Test.

As before, we denote by \(g\) a generator of a group \(G\) of order \(|G|=p\) where the discrete log is hard. It will be convenient from this post onwards to write our group additively rather than multiplicatively. That is, for \(\alpha\in\mathbb{F}_p\), \(\alpha\cdot g\) denotes the result of summing \(\alpha\) copies of \(g\).

The KC Test

For \(\alpha\in\mathbb{F}_p^*\) [1], let us call a pair of elements \((a,b)\) in \(G\) an \(\alpha\)-pair if \(a,b \neq 0\) and \(b=\alpha\cdot a.\)

The KC Test proceeds as follows.

  1. Bob chooses random \(\alpha\in\mathbb{F}_p^*\) and \(a\in G.\) He computes \(b=\alpha\cdot a.\)
  2. He sends to Alice the "challenge" pair \((a,b).\) Note that \((a,b)\) is an \(\alpha\)-pair.
  3. Alice must now respond with a different pair \((a',b')\) that is also an \(\alpha\)-pair.
  4. Bob accepts Alice's response only if \((a',b')\) is indeed an \(\alpha\)-pair. (As he knows \(\alpha\) he can check if \(b'=\alpha\cdot a'.)\)

Now, let's think how Alice could successfully respond to the challenge. Let's assume for a second that she knew \(\alpha.\) In that case, she could simply choose any \(a'\) in \(G,\) and compute \(b'=\alpha\cdot a';\) and return \((a',b')\) as her new \(\alpha\)-pair.

However, as the only information about \(\alpha\) she has is \(\alpha\cdot a\) and \(G\) has a hard discrete log problem, we expect that Alice cannot find \(\alpha.\)

So how can she successfully respond to the challenge without knowing \(\alpha?\)

Here's the natural way to do it: Alice simply chooses some \(\gamma\in\mathbb{F}_p^*,\) and responds with \((a',b')=(\gamma\cdot a,\gamma\cdot b).\)

In this case, we have:

\(b'=\gamma \cdot b = \gamma \alpha \cdot a = \alpha (\gamma\cdot a) =\alpha \cdot a',\)

so indeed \((a',b')\) is an \(\alpha\)-pair as required.

Note that if Alice responds using this strategy, she knows the ratio between \(a\) and \(a'\). That is, she knows the coefficient \(\gamma\) such that \(a'=\gamma\cdot a.\)

The Knowledge of Coefficient Assumption [2] (KCA) states that this is always the case, namely:

KCA: If Alice returns a valid response \((a',b')\) to Bob's challenge \((a,b)\) with non-negligible probability over Bob's choices of \(a,\alpha\), then she knows \(\gamma\) such that \(a'=\gamma\cdot a.\)

The KC Test and Assumption will be important tools in Part IV.

What does "Alice knows" mean exactly?

You may wonder how we can phrase the KCA in precise mathematical terms; specifically, how do we formalize the notion that "Alice knows \(\gamma\)" in a mathematical definition?

This is done roughly as follows: We say that, in addition to Alice, we have another party which we call Alice's Extractor. Alice's Extractor has access to Alice's inner state.

We then formulate the KCA as saying that: whenever Alice successfully responds with an \(\alpha\)-pair \((a',b'),\) Alice's Extractor outputs \(\gamma\) such that \(a'=\gamma\cdot a.\) [3]

[1]\(\mathbb{F}_p^*\) denotes the non-zero elements of \(\mathbb{F}_p\). It is the same as \(\mathbb{Z}_p^*\) described in Part I.
[2]This is typically called the Knowledge of Exponent Assumption in the literature, as traditionally it was used for groups written multiplicatively.
[3]The fully formal definition needs to give the Extractor "a little slack" and states instead that the probability that Alice responds successfully but the Extractor does not output such \(\gamma\) is negligible.

Part IV >>

cryptography, zkSNARKs, explainers | 全てのタグを見る