本·菲什谈蓄电池

欢迎收听《零知识》播客，我们将带您探索区块链技术和去中心化网络的最新动态。

Welcome to Zero Knowledge, a podcast where we explore the latest in blockchain technology and the decentralized web.

本节目由我安娜主持，

The show is hosted by me, Anna

以及我弗雷德里克。

and me, Frederic.

在本周的节目中，我们将与Ben Fish一起探讨他在RSA累加器方面的最新研究成果。

In this week's episode, episode we sit down with Ben Fish to talk about his recent work in RSA accumulators.

我们将深入探讨这些技术，包括默克尔树、向量承诺及其在无状态客户端中的应用。

We dig into those, Merkle trees, vector commitments and their applications to stateless clients.

在开始之前，我们要感谢本周的赞助商StarkWare。

Before we start, we want to say thank you to this week's sponsor, StarkWare.

StarkWare将于9月16日在特拉维夫举办StarkWare技术研讨会。

StarkWare will be putting on the StarkWare sessions in Tel Aviv on September 16.

本次活动将汇聚零知识证明领域最杰出的思想者，涵盖学术界和应用界的顶尖人才。

The event will be bringing together the brightest minds in the field of zero knowledge proofs from both academic and application arenas.

主题包括自托管交易、面向第一层的Stark技术、Stark友好型哈希函数，以及其他利用Stark证明可以实现的酷炫功能。

Topics include self custodial trading, Starks for Layer one, Stark friendly hash functions, and other cool things you can do with Stark proofs.

有趣的是：我本人将主持其中一个分会场。

Fun fact: I will actually be hosting one of the stages.

所以如果你对这项激动人心的尖端技术感兴趣，请务必参加Starkware会议。

So if you're interested in this exciting, cutting edge tech, do join the Starkware sessions.

或者提前一天来参加Stark入门工作坊，在那里你可以从零开始构建一个Stark证明器。

Or come a day early for the Stark one zero one workshop where you could actually build a Stark prover from scratch.

使用优惠码ZK PODCAST可享受任何门票八折优惠。

Use the code ZK PODCAST to get 20% off any ticket.

我们仅有约50个折扣名额，请尽快获取。

We have about 50 of these available, so get it fast.

一如既往，详细信息请查看节目备注。

As always, info will be in the show notes.

再次感谢Starkware对本播客的支持。

So again, thank you, Starkware, for supporting this podcast.

现在请听我们对本·菲什的采访。

And now here's our interview with Ben Fish.

今天我们邀请到了本·菲什，他是斯坦福大学的博士生，也是丹·博内特应用密码学小组的成员。

So today we're sitting with Ben Fish, who's a PhD student at Stanford and part of Dan Bonnet's Applied Cryptography Group.

你好，本。

Hi, Ben.

你好，安娜。

Hi, Anna.

和往常一样，弗雷德里克也在场。

And as always, we're with Fredrik.

大家好。

Hello.

今天我们将讨论累加器，并希望能有机会谈谈本在RSA累加器论文和项目中的工作。

Today, we're going to be talking about accumulators and hopefully get a chance to touch on Ben's work working on the RSA accumulator paper and project.

我们已经录制了几期节目，一期关于默克尔树，一期关于多方计算。

We have recorded a few episodes, one on Merkle trees, one on MPCs.

在收听本期节目前，或许值得先听听那些内容，因为我们会涉及相关话题。

Those might be worth listening before you listen to this episode just because we're gonna be touching on those topics.

但在开始之前，我想我们应该先对你做个简单介绍，了解最初是什么让你对密码学产生兴趣的。

But I think before we start in on that, we should probably have, you know, a bit of an intro to you and find out a little bit about what got you excited about cryptography in the first place.

当然。

Sure.

这要追溯到很久以前了。

That goes back quite a while.

那时我还在读大三，主修数学，同时也涉猎一些计算机科学。

I was a junior in college and I was studying math and dabbling a little bit in computer science as well.

我在以色列魏茨曼研究所实习时，跟着密码学家Mounin Ahrb做了些应用数学方面的暑期研究。

And I did an internship at the Weitzman Institute in Israel with this cryptographer, Mounin Ahrb, just to do some kind of applied math research over the summer.

他恰好是位密码学家，我们一起做了些密码学相关的工作，从此我就迷上了密码学这个研究领域。

He happened to be a cryptographer and we did some work in cryptography and I guess I was hooked on cryptography as a research topic ever since.

是啊，那已经是七年前的事了。

So yeah, that was already seven years ago.

你是如何从从事密码学工作并沉浸在这个领域，过渡到现在所处的区块链领域的？或者说你其实并没有完全转型？

How did you bridge from like working on cryptography and just being in this world to like being in the blockchain space which you kind of are, of not?

没错，可以说我现在确实深度涉足区块链领域，因为目前我所有的研究似乎都围绕着区块链应用展开，不过这个转型过程确实经历了一段时间的反复。

Right, so yeah I would say right now I'm very much in the blockchain space because even now all of my research seems to be centered around applications to blockchain, but it did take a while going in and out.

事实上，在我最初从事密码学研究的实习期间，我们就曾将比特币作为潜在研究课题进行探讨，那还是2012年，当时几乎没有研究人员真正关注比特币。

In fact, in that first internship I did doing research in cryptography, we were looking into Bitcoin as a potential research topic, this was back in 2012 when few researchers were actually looking at Bitcoin.

我们当时做了一些分析，研究了比特币网络的图谱结构，但最终我却把精力集中在了实习期间的其他问题上，直到后来开始研究比特币矿池才重新关注比特币。

We did some analysis there, we were looking at doing some graph analysis of the Bitcoin network, But I really ended up focusing on on on other problems in that internship and didn't really return, to ever looking at Bitcoin again until, I started doing work on Bitcoin mining pools.

那是我住在纽约的时候，与康奈尔理工学院的拉斐尔·帕斯和阿比·沙拉特合作期间。

That was when I was living in New York, was working with Rafael Pass from Cornell Tech and Abhi Shalat.

我们主要试图从理论上解释什么是最优的矿池策略。

And we were looking at basically trying to explain what is the optimal mining pool.

比特币中存在如此多不同的矿池策略。

There's so many different mining pool strategies in Bitcoin.

在给定矿工风险偏好的前提下，我们能对矿工应该采取何种矿池策略得出什么结论？

What can you say about what, you know, given some assumptions about the risk profile of a miner, what mining pool strategy should they take?

我想那是我重新进入区块链研究的契机，在斯坦福，Dan Bonnet的团队专门研究可应用于区块链领域的密码学工具，那时我开始研究可验证延迟函数，后来这成为了一个重要方向。

And I guess that was my gateway back into working on research on blockchains and here at Stanford, Dan Bonnet's group does a lot of work on specifically cryptography tools that can be applied in the blockchain space and that was when I started working on verifiable delay functions which became a big thing.

我参与Filecoin是因为在研究空间证明和复制证明，特别是能实际存储有用数据的实用空间证明，这构成了Filecoin的基础。之后我持续研究更多应用于区块链的密码学课题，现在更关注如何用零知识证明在区块链中平衡隐私与透明性。

I got involved with Filecoin because I was working on proofs of space and proofs of replication, useful proofs of space, proofs of space where that you can use to actually store useful data which is the basis of Filecoin and from there I just kept on working on more topics in cryptography as applied to blockchain and right now I'm more interested in using zero knowledge to balance privacy and transparency in blockchains.

在我们深入讨论这些项目之前，我还是想回到最初的问题：密码学中到底是什么让你感到兴奋？

Before we go more into these projects, I still wanna go back to that original question of, like, what is it about cryptography that got you excited?

因为虽然你进入这个领域的经历很精彩，但最初吸引你的是什么？

Because I think this is a great, like, bio of how you got into it, but what was it?

比如，是因为它很有挑战性吗？

Like, why was it just because it was, like, challenging?

是

Was it

这是个好问题。

It's a good question.

说实话，我认为最初进入密码学领域时，更多是出于对挑战的追求，研究人员往往都是这样。

I to be brutally honest, I think that when I first got into cryptography, it was more about the challenge and then that's often the case for researchers.

我当时是数学系学生，这看起来像是数学的一个很酷的应用，仅此而已。

I was a math student and this seemed like a cool application of math and it wasn't really anything more than that.

我认为我留在密码学领域的原因，是因为我享受并在我从事的项目中找到了更高层次的意义。同时我也被这样一个事实所吸引：我们在研究中开发的密码学技术与实际应用之间存在巨大差距。你知道，2012年我刚开始做研究时，那时区块链还没开始使用这么多花哨的密码学技术，零知识证明至少还没有什么知名应用案例。

I think the reason why I stayed in cryptography was because I enjoyed or found higher meaning in the projects that I was working on and I think I was also drawn to the fact that there seems to be such gap between how much of the cryptography that we have developed in research is actually used and you know, when I was working on research back in 2012, this was before blockchain started using a lot of fancy cryptography, and so there weren't really any, at least well known applications of zero knowledge.

然而，这看起来就是如此强大的概念——你能在不透露任何额外信息的情况下证明任何你想证明的事情。

And yet, it just seems like such a powerful concept, the idea that you can, you know, prove anything without revealing details beyond what exactly you want to prove.

所以这些非常优美且看似强大实用的概念当时却未被应用，这种反差本身就令人兴奋。我当时就预感到，在不久的将来（甚至就在我的职业生涯期间），密码学家们研究的许多东西会开始被越来越广泛地应用——这个预言后来确实成真了。

And so there are these really kind of beautiful concepts that seem to be very powerful and useful but weren't being used and there was something exciting about that being, I suspected that in short time, within, you know, my own career, a lot of the things that photographers were working on would start being used increasingly more and that actually came true.

酷。

Cool.

就像往常那些做很多酷炫项目的嘉宾一样，很难只聚焦一个话题来聊。

So as usual with guests that do a lot of cool stuff, it's hard to talk about one thing.

我们和Benedict合作时也遇到同样问题——我每周都想请他回来讨论不同的工作项目。但现实不允许，我们必须限定讨论主题。这次节目我想深入探讨累加器，这是Anna之前组织过学习小组的内容，也是我们在往期节目中浅尝辄止的话题。或许我们可以从最简单的问题开始：什么是累加器？

We have the same problem with Benedict where I want him back every week to talk about a different thing that he's working on But we can't really do that, we have to define something to talk about and in this episode, I wanted to dig into accumulators and this is something that Anna has done a study group on before and it's something that we've touched on just barely in various previous episodes, maybe we just start out with a simple question, what is an accumulator?

累加器其实就是集合的紧凑表示形式。

Well an accumulator is a compact representation of a set.

最简单的理解方式是，如果你知道哈希函数是什么，那么哈希函数就像是为一个更大的文件生成指纹，也是一种对文件的承诺。它具有约束性，意味着如果我先给你哈希值再给你文件，那么我能提供的唯一匹配该哈希指纹的文件就是那个特定文件。

The easiest way to think of it is if you know what a hash function is, right, then a hash function kind of gives a fingerprint for a much larger file and it's commitment, it's also called a commitment to the file, it's binding in the sense that if I give you the file after giving you the hash, there's only one unique file that I can give you that will match that hash, that fingerprint.

而累加器则更进一步，它能让你验证集合中的单个项目是否匹配你收到的小指纹。

An accumulator allows you to go further than that and be able to give you individual items in a set, and you would be able to verify that those items match that small fingerprint that you were given.

你不需要一次性获取集合中的所有项目就能进行验证。

You don't have to be given all the items in a set at once in order to verify that.

这大致就是累加器的定义，但它听起来很像我们许多听众熟悉的默克尔树的定义。

And that's the general sort of definition of accumulator, but it also sounds a lot like a definition that a lot of our listeners will know, which is that of a Merkle tree.

确实如此。

Absolutely.

那么默克尔树算是一种累加器吗？

So is a Merkle tree an accumulator?

默克尔树绝对是累加器的一个实例。

A Merkle tree is definitely an example of an accumulator.

不过有个吹毛求疵的定义细节：如果你与密码学家交流或查阅累加器相关文献，会发现累加器有时被定义为具有恒定大小的见证，而默克尔树的见证大小是对数级的。

There's one, you know, minor nitpicky definitional thing that if you talk to cryptographers or look at the literature on accumulators, accumulators are sometimes defined to have constant size witnesses, and Merkle trees have logarithmic size witnesses.

但我认为从更灵活的角度来看，默克尔树确实是一种累加器，只是其见证（witness）规模稍大——我们可以深入讨论这些术语的具体含义——相比其他类型的累加器（如RSA累加器），它们的见证规模确实更大些。

But I would say in more flexible view of accumulators, Merkle trees are definitely an accumulator, just with slightly larger and we can get into what these different terms are called, but those have slightly larger, what's called a witness than, say other types of accumulators like RSA accumulators.

所以它们属于同一家族，但当你使用'累加器'这个术语时，实际上指的是另一类东西吗？

So they're sort of like related in the same family, but when you use the term accumulators, are you actually kind of talking about something else?

就像你刚才提到的，累加器是否必须具有固定大小的见证？

Like, do accumulators also have their own, like you just said, it needs to have a constant size witness?

没错，回到我对累加器的基础解释：当我声称给出累加器状态承诺（对于默克尔树而言就是默克尔树根）后，我可以给你一个集合中的元素及其见证，这个见证能证明该元素与我给出的状态承诺一致。

Yeah, so the witness, going back to my very basic explanation of what an accumulator is, when I claim that after giving you what's called the accumulator state commitment, which in the case of Merkle trees is the Merkle tree root, okay, then I can give you an item which is in the set and a witness which is a proof that that item is actually consistent with the state commitment that I gave you.

默克尔树会给你一个默克尔分支（Merkle branch），作为树中叶节点的见证，你可以用默克尔根来验证它。

Merkle trees will be giving you a Merkle branch, which is the witness for a leaf of the Merkle tree, and you can verify that against the Merkle root.

默克尔树是累加器的实例，我们使用'累加器'这个术语是因为它能解释这类抽象概念更广泛的潜在构造空间。

Merkle trees are examples of accumulators, the only reason why we use the term accumulator is because it explains a more general potential space of constructions of this abstract concept.

因此存在见证更小的累加器（即固定大小的见证），而默克尔树的见证大小是对数级的。

And so there are accumulators that have smaller witnesses, namely constant size witnesses, whereas Merkle trees have logarithmic size witnesses.

默克尔树实际上不仅是累加器，还是向量承诺（vector commitments），这个我们也可以讨论。

Merkle trees are actually more than accumulators, they're vector commitments and we can talk about that too.

是的，我很好奇，我们应该回到这一点，讨论像见证大小、承诺大小、存储大小等不同属性，它们有何区别，为什么你会选择使用其中一种而非另一种，因为我认为这能更清楚地说明差异所在或何时需要哪种类型。

Yeah, I'm curious, we should get back to this point of the different like properties like witness size, commitment size, storage size, like how they differ, why you would want to use one or the other cause I think that sort of clarifies what the difference is or when you would want one or the other.

稍微回顾一下定义和文献，当你阅读这个话题时，会遇到动态累加器、通用累加器、批量处理、聚合证明和见证等概念。

Going back a little bit to definitions and literature, like when you read on this topic, you will come across things like dynamic accumulators, universal accumulators, batching, aggregating proofs, witnesses.

我们或许可以从这里开始，比如动态累加器和通用累加器有什么区别？

Let's maybe start, like what's the difference between a dynamic and universal accumulator?

嗯，动态累加器其实是通用累加器的一个子集。

Well dynamic, I mean a dynamic accumulator is subset of universal accumulators.

动态性指的是能够更新累加器所承诺的集合的能力。

So dynamic refers to the ability to update the set that the accumulator commits to.

这可以是向集合中添加元素，然后更新你已给出的状态承诺，对吧？

So this could be adding elements to that set and then updating the state commitment that you've given, right?

所以回到具体例子总是比较容易的。

So it's always easy to go back to a concrete example.

以Merkle树为例，如果你有一个Merkle树的根节点，而我向Merkle树中添加一个元素，有没有办法让你能自行更新Merkle树的根节点呢？

So in the Merkle tree example, if you have the root of a Merkle tree, and I add an element to the Merkle tree, is there a way for me to have you, you know, can I, for you to be able to update the root of the Merkle tree on your own?

使累加器动态化的一种简单方法是重新计算整个根节点。

A trivial way to make an accumulated dynamic would be to just redo the entire computation of the root.

这不会被视作动态累加器。

That would not be considered a dynamic accumulator.

动态累加器特指仅持有累加器根节点时，存在某种方式可以高效更新，而无需从头开始重新构建整个累加器。

A dynamic accumulator specifically means that there's some way that you holding only the root of the accumulator can perform an efficient update without having to redo all the work that you did in the first place, building the accumulator from scratch.

这种变更通常是修改某个叶节点的值，还是改变路径？

Is that usually, that change, is that usually like changing the value of one of the leafs or is it changing the path?

修改叶节点值可视为元素的添加与删除。

Changing the value of one of the leafs could be viewed as an addition and deletion of an element.

所以那

So that

会是，你需要

would be, you would

一个动态的，或者说它应该属于动态累加器范畴。

need a dynamic, or it would sort of fall under the dynamic accumulator.

没错，在动态累加器的具体实例中，顺便说一下，Merkle树可以被动态化。

Right, in any specific example of a dynamic accumulator, Merkle trees by the way can be made dynamic.

根据累加器的具体实现方式，可能存在比先添加再删除更高效的方式来更新集合中的特定元素。

Depending on your particular instantiation of the accumulator, there may be a much more efficient way to update a particular element in the set than performing an add and then a delete.

但是，动态累加器的定义只是说，我们可以执行添加和删除操作，这至少在理论上也涵盖了更新的情况。

But, the definition of a dynamic accumulator is just saying that, okay, we can form adds, can perform deletes, that handles the case of updates as well, at least in a theoretical sense.

那么通用累加器是什么？

And a universal one is what?

对，通用累加器是动态的，但它们还同时支持成员资格和非成员资格的见证。

Right, so universal accumulators are dynamic but they also support both membership and non membership witnesses.

这是另一个概念，我们一直在讨论成员资格见证，比如Merkle分支证明某个叶子元素在Merkle树中，但你可能还想证明某物不在你的集合中，不在你的Merkle树中，这就是所谓的非成员资格证明。

So this is another thing, we've been talking about membership witnesses, are like Merkel branches that prove that a leaf element is in the Merkle tree, you also might want to give a proof that something is not in your set, right, not in your Merkle tree, and that's called a non membership proof.

允许同时进行非成员资格和成员资格证明且具有动态性的累加器基本上是通用的，它们无所不能，因此被称为通用累加器。

Accumulators which allow for both non membership and membership proofs and are dynamic are basically universal, they do everything, that's why they're called universal.

是的。

Yeah.

我最初作为区块链软件开发者的背景，让我对Merkle树世界非常熟悉。当我开始阅读和研究累加器时，发现非成员证明这种东西存在时，我简直不敢相信。

Originally my background as a developer on like blockchain software, I come very much from like the Merkle Tree world and I knew Merkle Trees intimately and then when I started reading and studying accumulators and found out that like non membership proofs are a thing, I was like, wait, really?

你居然可以拥有这种东西，可以证明某物不存在，我觉得这真的很酷。

You can have that, you can have something that where you can prove like non existence and I think, I think that's pretty cool.

没错，实际上用Merkle树就能实现。，典型的做法是维护一个叶子节点有序排列的Merkle树，然后通过找到两个比待证明元素大和小的相邻元素，并证明它们都在树中且相邻，来证明某物不在集合中。

Yeah, you can even do it with, basically Merkle trees, the typical way of doing it with a Merkle tree is maintaining a Merkle tree of sorted elements at the leaves then being able you can prove that something is not in the set by basically showing that you find two elements which are both greater and lesser than the elements that you're trying to prove is not in the set and you prove that both of them are in the tree and adjacent.

因此只要保持叶子节点元素有序排列这个不变性，你就具备了提供非成员证明的能力。

And so that shows that as long as there's this invariant that all of the elements of the leaves are maintained in the right order, you do have the capability of giving non membership proofs.

这很酷。

That's cool.

你怎么证明它们是相邻的？

How do you prove that they're adjacent?

嗯，Merkle树的所有叶子都有索引。

Well, all the leaves of the Merkle tree have indices and so this is the other thing that Merkle trees are actually

所以你实际上是在布置路径，是的。

So you're actually laying out the paths, yeah.

没错，所以这就是为什么我说默克尔树实际上比普通的累加器更强大。

Yeah, so this is why Merkle trees I said are actually more powerful than your average accumulator.

它们是向量承诺，因为它们不仅绑定到集合，还绑定到集合中元素的位置。

They're vector commitments because they not only are binding to the set, they're binding to the position of elements within the set.

你可以证明这是集合中特定位置的元素。

You can show that this is an element in the set at this particular position.

换句话说，这是向量的第I个元素。

In other words, this is the I th element of this vector.

这实际上赋予了它们在某些情境下能够定义非成员见证的特性，或者说你确实能做到，是的，这很酷。

And this actually gives them the quality of, at least in certain contexts, being able to define a non member witness, or like you were able to actually, yes, that's cool.

没错，但支持非成员见证并不一定要成为向量承诺。

That's right, but it's not necessary to be a vector commitment in order to support non membership witnesses.

RSA累加器就不是向量承诺，所以它们不是位置绑定的累加器。

So RSA accumulators are not vector commitments, so they're not position binding accumulators.

然而，使用RSA累加器确实可以给出非成员证明和成员证明，是的。

However, it is possible to give non membership proofs and membership proofs with RSA accumulators, yeah.

所以这完全取决于具体的构造方式。

So it all depends on the particulars of the construction.

我们刚刚讨论了动态累加器是通用累加器的一个子集，但我猜也存在相反的情况，对吧？

So we've just talked about the dynamic accumulators being sort of like a subset of the universal, but I'm guessing there's also like the opposite, right?

或者说，什么是不通用的累加器？

Or like, what's an accumulator that isn't universal?

通用性应该是个包容性术语，对吧？

So universal is I guess an inclusive term, right?

非通用累加器可能在某一方面特别出色，比如特别擅长成员证明或非成员证明，但不能同时支持两者；或者它们在支持添加操作的意义上是动态的，但不支持删除操作。

So accumulators which are not universal might be really good at one of these things, like really good at membership proofs or non membership proofs but don't support both, or they are dynamic in the sense that they support ads but they don't support deletes.

可能有充分理由构建一个非通用累加器，它在某一方面特别出色，但不能同时完成所有功能。

There may be good reason to construct a non universal accumulator that's really good at one of these things but doesn't do all of them at once.

在深入讨论具体细节前，最后我想提两点：批处理和聚合的概念，因为这与你稍后我们将讨论的论文相关，也可能属于累加器工作原理研究中较为前沿的课题。

Last two things that I just wanna touch on before we talk a little bit more specifics is the concepts of batching and aggregating because that's sort of relevant to your paper that we will talk about later and it's also a little bit maybe on the more forefront of research y topics in how accumulators work.

那么什么是批处理和聚合证明呢？

So what is batching and aggregating proofs?

我认为最好的解释方式可能是再次回到默克尔树的具体例子。

I think the best way to explain this is maybe to go again back to the concrete example of a Merkle tree.

默克尔树既不进行批处理也不进行聚合。

So Merkle trees do not batch or aggregate.

当你证明某个元素被包含在默克尔树中时，你需要提供该元素的默克尔分支或默克尔证明。如果要证明两个不同元素都在树中，就需要提供两个不同的默克尔分支作为证明，以此类推。

When you prove that a particular element is committed in the Merkle tree, you give a Merkle branch for that element or a Merkle proof, and if you want to prove that two different elements are in the Merkle tree, then you'll have to give two different Merkle branches as proofs, and so on and so forth.

如果要证明100个元素都在树中，就需要提供100个不同的默克尔证明，这些证明的规模基本上是线性增长的。

If you're proving 100 elements are in the tree, then you have to give 100 different Merkle proofs, and the size of this proof, basically grows linearly.

你可能会注意到，如果默克尔树中的元素彼此非常接近，那么这些证明会有部分重叠，这样能获得一些微小的节省，对吧？

Now, you might observe that if the elements in the Merkle tree are very close to each other, then some of these proofs overlap, so you may get some minor savings, right?

假设要证明某个子树前100个叶节点元素的包含性，这时确实能获得某些平摊效应——最终的证明规模不会严格等于单个元素证明的100倍。

Let's say that they're proving inclusion of the elements at the leaves of some subtree, say like the first 100 elements, then you do get some amortization, effects where you're not giving a proof which is exactly 100 times the size of proving that one element is in there.

但总体来说，这些默克尔证明的聚合效果并不理想。

But in general, these marker proofs you can observe do not aggregate very well.

所谓聚合，本质上是指我们可以将多个特定规模的独立证明，合并成一个更紧凑的单一证明来覆盖所有原始证明。

So aggregation is basically saying that we can take a bunch of individual proofs of a given size and combine them together into a more compact single proof that covers all the original proofs.

那么批处理和聚合在这里是同一个术语吗？

Are batching and aggregating the same term here then?

准确来说，它们不是同一个概念。

So to be precise, they are not.

批处理和聚合有不同的用途，不同研究者对何时使用批处理术语、何时使用聚合术语有各自的强烈观点。但一般来说，聚合指的是将多个现有证明合并成一个更小的证明，而批处理可以指更高效地生成大量证明、验证大量证明，甚至创建——这里我可能与其他研究者的观点有所不同——但我认为批处理可以用来指代从头创建一个单一证明来验证大量小证明的行为，这种证明不仅在生成过程中更高效（计算效率），而且最终得到的证明体积可能也更小。

There's different uses of, you know, batching and aggregation and I guess different researchers have different strong opinions on when you should use the term batching and when you should use the term aggregation, But generally, like aggregation refers to taking a bunch of existing proofs and combining them into a smaller proof, whereas a batching could refer to the action of generating a large set of proofs more efficiently or verifying a large set of proofs more efficiently or even creating, and I would say this is maybe where I would defer from other researchers, but I think that batching can be used to refer to the action of creating from scratch a single proof for proving a whole bunch of smaller proofs that is more efficient not only in the action of generating it, so the computational efficiency but also perhaps in the size of the proof that you end up with at the end.

这也是我的理解，不过可能因为我主要阅读的是你的研究。

That was my understanding as well but maybe that's because I've read mostly your research.

不过没错，批处理就是我想要证明这100个项目的成员资格，然后提供一个证明，就像你为那100个项目生成一个证明那样，而聚合则是你先生成100个证明

But yeah, so batching being I want to prove membership of these 100 items and here's one proof like you generate that one proof for those 100 items whereas aggregating is you generate a 100 proofs

然后事后将它们合并起来。

and then after the fact you combine them.

虽然，是的，虽然有些研究者会说聚合应该，批处理应该只用于指代效率，即你最终创建了100个证明，但你只是在这个过程中更高效地创建了它们，对吧。

Although, yeah, although some researchers would say that aggregation should, batching should only be used for referring to efficiency, that you create 100 proofs in the end, but you just create them more efficiently in this Right.

批量生成过程。

Batch generation process.

对我来说直观上，我喜欢聚合是拿现有东西进行组合这个概念，而批处理则是从一开始就能说，我要证明这100件不同的事情。

Intuitively to me, I I like the idea that aggregation is taking existing things and combining them, and batching is saying that from scratch, being able to say, I wanna prove these a 100 different things.

我不需要给你100个不同的证明。

I don't need to give you a 100 different proofs.

我可以给你一个超级高效的证明，我可以说要么更高效地创建它，要么让它变得更小，但我从一开始就在这样做。

I can give you a super efficient proof that I can say either create more efficiently or make it smaller, but I'm doing it from scratch.

这个我会称之为批处理而非聚合。

And that I would call batching rather than aggregation.

我觉得你在描述默克尔树时，你提到一个术语和成员见证是同一个概念，但你在那里称它为默克尔分支。

I think you've like, in your description of Merkle trees, you just sort of mentioned you you basically used a term that is the same term as membership witness, but there you called it the Merkle branch.

我们是这样称呼它吗？

Is that what we call it?

默克尔分支就是成员见证吗？

Like the Merkle branch is a membership witness?

在默克尔树中？

Well In a Merkle tree?

有时候确实会这么称呼它，是的。

It's sometimes referred to as that, yeah.

基本上，通过追踪从根节点延伸到该叶节点的分支路径，就能构建出特定叶节点项目的实际证明。

And basically the actual proof of a given leaf at the item is constructed by following the branch that extends from the root to that leaf.

而且实际上，你提供的并不是从根节点到叶节点路径上的那些节点，而是这些节点各自的相邻节点，对吧？

And then also, actually you don't provide the nodes on that path from root to leaf, provide the adjacent nodes to each of those nodes, right?

你提供的这组项目就可以被称为默克尔分支。

That collection of items that you give could be referred to as a Merkle branch.

或者叫成员见证。

Or a membership witness.

或者叫成员见证，没错。

Or a membership witness, right.

在默克尔树中的。

Of a Merkle tree.

所以我想讨论的最后一个定义要点，因为当我们讨论累加器时，特别是RSA累加器，这个概念也经常出现，那就是未知阶群。

So the last point of definition that I wanna cover, because this also pops up kind of everywhere when we're talking about accumulators, particularly RSA accumulators and that is groups of unknown order.

什么是未知阶群？

What are groups of unknown order?

听起来像是个非常神秘的术语。

Sounds like a very mystical term.

它们就是阶数未知的群。

They're groups for which you do not know their order.

不。

No.

这里是非常字面的术语。

Very literal term here.

首先，你有一个有限群，基本上，群是有数学定义的。

So so first, you have a finite group and basically, I mean groups have a mathematical definition.

我们不需要深入讨论群的全部定义。

We don't need to get into the full definition of a group.

我认为讨论有限群的例子更有用，对吧？

I think it's more useful to talk about examples of finite groups, right?

群的一个关键性质是，你可以对群元素执行某种运算，且该运算在群内是封闭的。

So one of the key properties of a group is that you have some operation that you perform on the elements of the group and the group is closed under that operation.

还有其他性质，比如可逆性。

There's other properties as well such as inversion.

让我们以整数为例来具体说明。

So let's talk about a concrete example like integers.

整数在加法运算下构成一个群。

The integers are a group under addition.

任意两个整数相加，结果仍是整数。

You take any two integers, you can add them together, you get another integer.

与之对应的逆运算是减法，整数不是有限群，而是无限大的群。

There's an inverse operation to that, which is subtraction, and the integers are not a finite group, they're an infinitely large group.

整数有无限多个。

There's infinitely many integers.

如果不断将整数相加，你可以得到越来越大的整数。

If you keep adding integers to each other, you're you could get ever larger integers.

现在如果你观察整数模n的情况，讨论模n加法时，你就在处理一个有限群。

Now if you look at the integers modulo n, now you're talking and you talk about addition modulo n, now you're in a finite group.

选择一个数n，整数模n恰好有n个元素。

Pick a number n and there's exactly n elements in the integers modulo n.

我们通过构造方式大致知道这个群的阶数。

We know the order of that group kind of by construction.

你可以讨论稍有不同的群，比如模n乘法群。

You can talk about slightly different groups such as multiplication modulo n, okay.

现在我们不是把数字相加再取模n的余数，而是将整数相乘后再模n约简。

So now we're not looking at adding numbers together and finding the remainder mod n, we're talking about multiplying integers together and then reducing mod n.

这个群的大小很大程度上取决于你选择的n值。

And the size of that group depends very much on the n that you pick.

如果n是素数，那么这个群恰好有p减一个元素。

So if n is prime, then there's exactly p minus one elements, in this group.

但如果选择不同的n，通常群的大小会是欧拉函数φ(n)。

But if you choose n differently, then in general the size of the group will be phi.

φ（phi）是一个可以通过n的因数分解计算得出的值。

Phi is something that you can compute knowing the factorization of n.

例如，如果n等于两个质数的乘积，即n=p×q，那么φ(n)就等于(p-1)×(q-1)。

So if n is equal to, for example, if n is equal to a product of two primes, if n is equal to p times q, then phi of n will be p minus one times q minus one.

如果你不知道n的因数分解，计算φ(n)会非常困难，或者说至少与分解n的难度相当。

If you don't know the factorization of n it's very hard to compute phi of n, or at least it's as hard as computing the factorization of n.

RSA算法之所以能在阶数未知的群中运作，是因为它工作在整数乘法模n n 的, 其中n factorial 的群中，且n的因数分解是未知的。

RSA works in groups of unknown order because it works in a group of where, you know, you're doing integer multiplication mod n and the factorization of n is not known.

所以，群的阶数就是指这个群里有多少个元素，对吗？

So yeah, the order of the group is how many elements are in that group, is that right?

是的，没错。

Yes, that's right.

在乘法模n的情况下，这取决于这两个质数。

And in the case of multiplication modulo n, it depends on these two primes.

我想任何研究过RSA RSA加密的人都会熟悉这一点，因为这是他们所谓的陷门函数的一部分。

And I think anyone who's looked into RSA crypto and is familiar with this as it's part of their like trapdoor function stuff.

那么这就是为什么它们被称为RSA累加器吗？因为它们基于两个素数相乘的相同假设？

And so is this why they're called RSA accumulators because they are based on the same assumption of multiplication of two primes?

是的，之所以称为RSA累加器，是因为通常它们使用RSA群作为未知阶群来实例化。

Yes, they're called RSA accumulators because typically they're instantiated using the RSA group as the group of unknown order.

但我们在论文中讨论的一个观点是，你也可以使用其他未知阶群。

But one of the points that we discuss in our paper is that you could use other groups of unknown order as well.

你不需要局限于RSA群，事实上在其他未知阶群中还有优势，比如不需要进行可信设置，这个我们稍后再详细讨论。

You don't need to restrict yourself to the RSA group and in fact in other groups of unknown order there's benefits such as not having to do a trusted setup, but we can get into that a little bit later.

RSA代表什么？

What does RSA stand for?

RSA算法的发明者。

The authors of RSA.

好的。

Okay.

即Ron Vest（罗恩·李维斯特）、Adi Shamir（阿迪·萨莫尔）和Leonard Adelman（伦纳德·阿德曼）。

So Ron Vest, Adi Shamir, Leonard Adelman.

对。

Yeah.

明白了。

Got it.

这个冷知识我之前还真不知道。

This was a point of trivia that I didn't actually know.

有个叫RSA实验室的机构。

There is this thing called RSA Laboratories.

对吧。

Right.

我其实不太清楚RSA实验室是什么或者做什么的。

I don't actually know what RSA Laboratories is or does.

是他们创立的公司吗？

Is it a company that they started?

我想是的，没错，曾经有家叫RSA的公司，我想他们参与了这家公司的创立，也推动了RSA加密在业界的应用。

I think so, yeah, so there was a company RSA, you know, that was I think and they were involved in the founding of this company as well that pushed forward the industry adoption of RSA encryption.

RSA实验室和RSA公司是同一家机构吗？

Is RSA laboratories the same as the RSA company?

我不是

I'm not

确定。

sure.

我也不完全确定，我不能断言，但确实是你提到的发布这些RSA群组的公司。

I'm not entirely sure either, I couldn't say but it is this company that publishes these RSA groups that you mentioned.

所以，如果你在使用这些群组，某种程度上你需要信任这家公司，或者自己构建群组。

So, you kind of need to trust this company if you're using these groups or you construct your own.

没错，我的意思是，我们知道有办法解决这个问题，你可以通过多方计算构建一个RSA群组，就像Zcash在他们的可信设置中采用多方计算一样，你也可以用这种方式建立RSA群组。

Right, I mean, is we know ways around this, you can construct an RSA group where using multi party computation, right, the same way that Zcash computation for their trusted setup, you could use a multi party computation to establish the RSA group.

在我们深入探讨RSA累加器之前，或许我们应该先简单介绍下什么是向量承诺？

Before we dig too deep into RSA accumulators particularly, maybe we cover just slightly what are vector commitments?

我们之前提到过这些，它们在这个体系中扮演什么角色？

We've mentioned these already, how do they fit into this story?

向量承诺与累加器类似，但它们是位置性承诺，意味着我有一系列项目，然后可以证明该列表中的第i个项目已被向量承诺状态承诺所包含。

So vector commitments are similar to accumulators but they're positional commitments, meaning that I have list of items and then I can prove that the I th item of this list was committed to by the vector commitment state commitment.

因此它非常类似于累加器，你有一个状态承诺，但我可以提供向量承诺的开放证明，证明特定项目位于向量的特定位置。

So it's very similar to an accumulator where you have state commitment but the state commitment I can give you vector commitment opening proofs, and it proves that a particular item is at a particular position of the vector.

所以如果是有序的，默克尔树也可以作为向量承诺。但比如以太坊的默克尔树就仍然是累加器而非向量承诺，因为它没有排序。

So a Merkle tree could be a vector commitment as well if it's sorted, But, like, the Ethereum Merkle tree wouldn't be it would still be an accumulator, but not a vector commitment because it's not sorted.

不。

No.

实际上，默克尔树本身就是向量承诺，无需对叶子节点排序，因为我可以向你证明第i个叶子节点具有某个特定值。

Actually, the the Merkle tree is just, it's a vector commitment already without having the the the leaves sorted because I can prove to you that the I th leaf has this value.

所以叶子节点是否按某种排序标准排列并不重要，重要的是我能证明树中任意位置的叶子节点是什么。

So it doesn't matter that the leaves are sorted according to some ordering criteria, right, it just matters that I can prove to you what is the leaf at any given position of the tree.

这就使它成为向量承诺。

So that makes it a vector commitment.

我明白了。

I see.

其他向量承诺的例子有哪些？

What would be an example of other vector commitments?

实际上我们在论文中构建了一种不同类型的向量承诺。

So we actually construct a different kind of vector commitment in our paper.

其他向量承诺——我的意思是，虽然存在其他类型的向量承诺，但在播客中详细解释它们的工作原理可能有些挑战性。我认为最容易解释的可能是我们论文中实现的那种，因为它本质上是利用累加器来构建向量承诺。

There other vector I mean there's other vector commitments I think would be a little bit challenging to go into the details of how they work over the podcast but I think that actually maybe the easiest vector commitment to explain is the one that we do in our paper because it's basically using an accumulator to construct a vector command.

首先想象一个所有元素仅为0或1的向量，也就是比特向量，对吧？

Think first about just a vector where all the elements are just zero or one, so like a bit vector, right?

我需要能够向你证明这个比特向量的第I位是0，或者证明它是1，明白吗？

And I want to be able to prove to you that the I th bit of this bit vector is zero or I want to be able to prove to you that it's one, right?

你需要对分割因子有某种状态承诺。

And you have some kind of state commitment to the split factor.

我们的做法是：构建一个累加所有值为1的索引的累加器。如果能提供该累加器中的包含证明和非包含证明，那么本质上告诉你这个向量第I位是0还是1，就等同于告诉你第I个索引是否被包含在这个记录所有值为1的索引的累加器中。

So what we can do is we can say that well let's build an accumulator that accumulates all the indices that are one, then if we are able to give inclusion proofs and non inclusion proofs in that accumulator, then basically telling you whether the I th bit of this vector is either zero or one is the same as telling you whether the ith index is included in the accumulator that commits to all the indices which are one, or not included in the accumulator.

如果是1，则该索引应被包含在累加器中；如果是0，则第I个索引不应被包含在累加器中。

If it's a one, then it should be included in the accumulator, and if it's a zero, then that ith index should not be included in the accumulator.

如果要在每个索引值大于1的向量上构建向量承诺，这种方法实际上效率并不高。

That wouldn't really give you an efficient vector commitment if you wanted to build vector commitments on on, where the the the values at each index are larger than one.

对吧？

Right?

假设你需要构建一个向量承诺，其中每个索引可以存储256位的值，那么如果按位处理，我就需要为每个位单独提供256个包含性和非包含性证明。

So let's say you wanted to have, vector commitments where you could have, like, a 256 bit value at any given index, then I'd have to give you two fifty six individual inclusion and non inclusion proofs of each of those bits if I did it bitwise.

我们论文中批处理和聚合技术的精妙之处——实际上也是主要理论动机——就是能够构建这种向量承诺，让你可以通过一个紧凑证明来验证这256个不同的位。

The beautiful thing about the batching and aggregation techniques of our paper, in fact the main theoretical motivation, was to be able to build this vector commitment which allows you to prove those two fifty six different bits all in one compact proof.

因此我基本上会提供一个紧凑证明来展示这个256位值中所有置零的位，再提供一个紧凑证明展示所有置一的位，这样你就能通过一个恒定大小的证明来确认这是向量承诺中该索引的值。

So I give you basically a compact proof of all the bits that are set to zero in this two fifty six bit value and a compact proof of all these bits that are set to one in this two fifty six bit value and then you have a constant size proof that this is the value at this index of the vector commitment.

那么谈谈RSA累加器，虽然我们没有正式定义它，但我觉得不需要深入数学定义，一般来说RSA累加器如何工作？与Merkle树相比有何优劣？在什么情况下会选择使用其中一种？

So speaking a little bit about RSA accumulators, we haven't really defined them but I don't think we have to go into the mathematical definition of it but generally how do RSA accumulators work, how do they compare to Merkle trees, why would you use one or the other?

没错，RSA累加器在渐近意义上能比Merkle树生成更小的成员证明，但如果只是用RSA累加器来证明单个项目的包含性，其实并不比Merkle树累加器优越多少——除非Merkle树累加器积累的项目数量极其庞大。

Well, yes, so RSA accumulators are able to achieve smaller membership proofs asymptotically than Merkle trees can but really if you're just using an RSA accumulator for proving inclusion of a single item, it's not significantly better than the accumulator than a Merkle tree accumulator unless the Merkle tree accumulator is insanely like, the number of items that are being accumulated is insanely large.

我认为我们的工作重新激发了对RSA累加器的兴趣，正是因为我们实现了成员证明的聚合与批处理。

I think why our work gives renewed interest in RSA accumulators is because we were able to achieve aggregation and batching of membership proofs.

因此，能够为RSA累加器中任意数量的项目一次性提供单一固定大小的成员证明，这是Merkle树无法实现的。

So the ability to give us a single constant size membership proof for arbitrarily many items in the RSA accumulator at once, it's something that you can't do with a Merkle tree.

这真的很有趣。

That's really interesting.

我的意思是，以以太坊为例，它实际上同时面临这两个问题。如果我们想实现'每个人都有一个以太坊账户'的目标，那么这个Merkle树的成员数量将达到数十亿级别，这可能是难以承受的。

So I mean, if we take Ethereum as an example, it kind of suffers from both problems where on you know, if we wanna realize the goal of like every human has an Ethereum account, then there will be billions of members of this Merkle tree which is probably prohibitive.

比如当我们发起客户端请求，要求提供这些合约的状态或执行某个调用并返回正确执行的证明时，我们实际上是在生成大量Merkle证明并回传。

Like when we make a like client request and say please give me, you know, the state of these contracts or like execute this call for me and give me the proofs that all these things were done correctly, we are generating a ton of Merkle proofs and sending that back.

从这个角度看，使用累加器可能也会是个好方案。

So in that sense maybe accumulating them would also be good.

没错，因此RSA累加器可以用于最终在交易中或向轻客户端发送更紧凑的总结性消息。

Right and so the RSA accumulators could be used to end up sending in a transaction or in a message to a Lite client, write a smaller compact message that summarizes Yeah.

所证明的内容。

What is being proved.

但是，我的意思是，你真的能在以太坊的架构中使用RSA累加器吗？

But, I mean, could you could you actually use the RSA accumulator in an Ethereum, setup?

因为我一直是在UTXO模型的背景下理解它的。

Because I always understood it sort of in the context of, like, a UTXO model.

它实际上也能用于基于账户的系统吗？

Could it actually also be used in an account based system?

在基于账户的系统中，你基本上需要向量承诺。

So in an account based system, you need vector commitments, basically.

实际上，是的。

Actually Yeah.

实际上，你真正需要的是稀疏向量承诺或键值承诺。

Actually, what you really want is sparse vector commitment or a key value commitment.

这样我就能给你这个键对应的项。

So I can be able to give you the the item at this key.

对吧？

Right?

而账户本质上就是键值存储，稀疏向量承诺正好提供了这种功能。

And an account is basically a key value store, and sparse vector commitments give you that.

例如，稀疏Merkle树就是一种稀疏向量承诺。

So sparse Merkle trees, for example, are sparse vector commitments.

我们也可以基于RSA累加器来构建稀疏向量承诺。

We can also construct sparse vector commitments from RSA accumulators as well.

那么你的论文具体提出了什么创新？

So what exactly is it that your paper introduces?

是新型累加器、新型向量承诺，还是对RSA累加器的改进技术或新方法？

Is it a new type of accumulator, a new type of vector commitment or modifications or new techniques on RSA accumulators?

它对RSA累加器进行了改进，能够实现我之前提到的批处理和聚合功能，并直接基于RSA累加器技术构建了一种新型向量承诺，这种承诺同样具备批处理和聚合特性。

So it has improvements on the RSA accumulator to be able to achieve you know, the the batching and aggregation I was talking about, and it gives a new kind of vector commitment that's constructed directly from the RSA accumulator techniques and is is basically able to achieve the same batching and aggregation properties but for vector commitments.

这样我就能用一个恒定大小的证明，向你验证多个账户状态与以太坊区块链的状态承诺是一致的。

So I could open, you know, say many I could I could prove to you that many different accounts are consistent with the state commitment to, you know, the Ethereum blockchain with a single constant size proof.

使用我们的结构在计算效率方面需要权衡取舍。

There there are trade offs of using our constructions in terms of computational efficiency.

细节决定成败——目前还没有人实验过这些方法是否比Merkle树或Patricia树更适合以太坊、比特币等系统中现有的应用场景。

You know, the devil's in always in the details in terms of whether this is actually going to be appropriate for for any of the systems and and nobody's quite experimented to see if if they work better than Merkle trees or Patricia trees, you know, for for the task that those are used for in in systems like Ethereum and Bitcoin.

使用能够实现巨大效率提升的技术确实存在权衡，虽然能大幅减少通信数据量，但会显著增加证明生成方的计算负担。

There are trade offs with for using something which is able to achieve, you know, massive efficiency gains in terms of the size of information that's communicated, but then ends up putting much higher computational burdens on on the parties that are trying to generate the proofs in the first place.

说到实验验证，这篇论文有附带代码吗？

Speaking about experimenting with this stuff, is there any code accompanied with the paper?

你们团队已经实现了所有这些技术吗？代码是开源的么？

Like have you guys implemented all of this and is it you know, open source anywhere?

我们确实在论文发表时同步实现了，不过现在有一个开源库完整实现了论文中的所有方案。

So we did it, directly along with the paper, however, there now is an open source library, that implements all the things that we do in our paper.

这是由Cambrian Labs公司发布的，属于开源项目。他们在开发过程中，我们协助他们理解了论文的技术细节。

It was put out by this company Cambrian Labs, so it's an open source project and we did, help them understand the details of our paper when they were developing that.

不错。

Nice.

知道是用什么语言实现的吗？

Do you know what language it's written in?

Rust。

Rust.

太好了，我可以去试试看。

Nice and I can go play with it.

你可以去试试看。

You can go play with it.

关于RSA累加器的问题我们已经提到过，它们需要某种可信设置，如果我没理解错的话有办法解决这个问题，但我并不真正理解具体是什么或其中存在的问题。

A problem with RSA accumulators that we've already touched on, they need some sort of trusted setup and there's a way to solve this if I understand correctly but I don't really understand what it is or what the problem with it is.

所以有这些叫做类群的东西，你已经提到过，Chia举办了一个竞赛来高效构建这些，类群是不存在吗？还没构建出来吗？还是说只是如何快速构建的问题？类群到底是怎么回事？

So there are these things called class groups, you already mentioned them, there's a competition by Chia to be able to construct construct these efficiently, do class groups not exist, are they not constructed yet or is it just a matter of like constructing them quickly or like what's the deal with class groups?

没错，类群确实存在，一般来说它们是定义在任何代数数域上的群，人们认为如果按照特定参数化选择——基本上当它具有所谓的大判别式时，计算类群的阶（即类群中元素的数量）就非常困难。

Right, now class groups do exist, general they're these groups that are defined over any algebraic number field and it's believed that, you know, if chosen under some particular parameterization, basically if it has what's called a large discriminant then it's very difficult to compute the order, the number of elements in the class group.

我们只是没有计算这个的高效算法，而且你可以在不先确定其阶的情况下定义类群并对类群中的元素进行操作。

We just don't have efficient algorithms for doing that and you can define the class group and operate on elements in the class group without first specifying its order.

这与RSA群不同，RSA群通过构造就知道其阶，而类群则不是这样。

Unlike RSA groups which by construction know the order, that's not the case with class groups.

这些竞赛更多是为了看看人们能多高效地对类群中的元素进行操作，并且大家对提高类群运算效率很感兴趣。

The competitions are more about trying to see how efficiently people can try to operate on elements within the class group and there's an interest in making class group operations more efficient.

RSA群运算相当直观。

RSA group operations are like pretty straightforward.

就是模n的整数乘法。

It's integer multiplication mod n.

我们对这个非常熟悉，并且知道如何在硬件上优化它，相比之下对类群运算的优化了解较少。

We know that very well and if, know how to optimize it in hardware more so than we say know how to optimize class group operations.

还有一个围绕我们认为是难题的竞赛，即一旦指定了类群，你能多高效地计算出它的阶数。

There's also a competition surrounding the problem that we believe is hard which is how efficiently can you figure out the order of a class group once you specify it.

对，所以我们不是使用阶数未知的群，而是使用阶数极难计算的群。

Right, so instead of using a group of unknown order, we use a group where the order is extremely hard to compute.

哦抱歉，那其实就是阶数未知的群。

Oh, sorry, that is a group of unknown order.

我们知道这是个有限群，但很难计算它的阶数。

So we know that it's a finite group, it's hard to compute its order.

不过与RSA群不同的是，RSA群的构造者知道其阶数，而其他人不知道，因为这个秘密信息没有被分享给他们。

Though the difference with RSA groups is that whoever constructed the RSA group knows its order and presumably nobody else does because that secret information wasn't shared with them.

我明白了。

I see.

而对于类群来说，我们可以直接定义这个群

Whereas with class groups, it's like we can specify the group

而且那些秘密信息从未存在过。

and The secret stuff never existed.

你

You

不需要为了定义正确的群而计算其阶数，对吧。

don't need to compute the order of the group in order to specify Right, the right.

群

Groups

竞赛内容更多是关于群的运算，而不是群的构造。

the competition stuff is more around operations of that group, not the construction of the group.

没错。

Right.

我想我明白了。

I think I get it.

所以这也是类群的缺点，我想人们不怎么使用它们的原因就是效率不够高。

So that's also the downside then of class groups and why I suppose people aren't using it as much is because they're not as efficient.

目前还没有，是的。

Not yet, yes.

那我们接下来讨论无状态客户端的问题吧。

So let's move into these questions of stateless clients.

Frederick，我知道这是你非常感兴趣的一个问题。

Frederick, I know this was a question you were really excited about.

那么，无状态客户端和我们讨论的这些内容之间有什么关系呢？

How how what is the relationship here between stateless clients and all of this stuff that we're talking about?

嗯，我是说，我对无感觉很兴奋。

Well, I mean, I'm I'm excited about stateless clients in general.

这显然是论文中的一个主题，而且Ben，你在论文演讲中很好地阐述了为什么我们需要无状态客户端的动机以及它们是什么。

It's obviously a topic in the paper and I think Ben, you presented very well in your presentations of this paper of like the motivation behind why we want stateless clients and sort of what they are.

比特币的默克尔树存在这个问题，但影响范围相对局限。

We have this problem in Bitcoin's Merkle tree is pretty localized.

我们主要进行简单的支付验证这类基础操作。

We're just prove like we're doing simple payment verification stuff and just kind of simple stuff.

但在以太坊中，越来越多人尝试用默克尔树实现更复杂的功能。

But in Ethereum, a lot of people are trying to do more and more complex things with the Merkle tree.

特别是人们试图进行链下计算，然后提交默克尔证明到链上验证——但这些证明体积庞大，单个区块已无法容纳，由此引发各种问题。我认为累加器通过将证明体积从100MB或10MB压缩为恒定大小或线性大小来解决这个问题。

Particularly, people are trying to do off chain computation and then, like, prove like, submit the Merkle proof on chain so that it's verified on chain, but these proofs are massive and so you can't actually fit the proof in one block anymore and you run into all of these sorts of problems and I think accumulators solve that by saying our proof is no longer 100 megabytes or 10 megabytes or whatever it may be, it's constant size or it's linear in size or whatever it may be.

本，你能谈谈无状态客户端的定义以及累加器在其中扮演的角色吗？

So maybe Ben, can you talk a little bit about what stateless clients are and how accumulators play a role?

好的，无状态客户端的基本概念——其实'无状态'这个说法有点误导性，因为你并没有真正消除任何状态。

Yeah, so the basic idea of a stateless client and unfortunately stateless is at least to me sounds slightly misleading because you're not actually getting rid of any state.

只是由他人代为存储状态而已。

It's just someone else storing it.

更准确地说，让我们先明确无状态客户端具体指代什么。

Well, more specifically, so let's first say what stateless clients refer to.

无状态客户端本质上是指构建一种区块链节点，它只需要记住某个小型状态承诺，而无需存储全部状态——比如以太坊中所有账户的余额或所有智能合约的状态值。它们只需存储某种状态承诺，然后在收到针对该状态承诺的证明时，验证交易是否正确地引用了状态中的信息。

Stateless clients refer to basically making a a blockchain node, which is only needs to remember some small state commitment, it doesn't need to store all the, you know, the entire state which includes, say, Ethereum, the balances in all accounts or the state values in all smart contracts, right, they would just need to store some kind of state commitment and then verify transactions against that state commitment when presented with proofs against that state commitment that the transaction correctly references information in the states.

基本上每笔交易都包含可以本地验证的信息，并需要正确引用某些内容——比如相对于区块链当前状态的账户余额。

Like every transaction basically has information that can be locally verified and then references something and it needs to be referencing like account balances correctly with respect to the current state of the blockchain.

除此之外，这些无状态客户端还需要能在每笔交易后更新状态。

And on top of that, these stateless clients need to be able to update the state after each transaction as well.

因此在处理完交易后，它们需要能更新状态承诺以获取下一个状态承诺，从而能从此验证后续交易。

So after processing a transaction they need to be able to update the state commitment to get the next state commitment so they can verify transactions from there.

这并不是真正意义上的无状态系统，因为它们确实需要维护这个状态承诺。

It is not a stateless system because, you know, in the true sense of the word stateless because they do need to maintain this state commitment.

它们不可能在经历断电后完全丢失所有状态承诺的记忆，然后过段时间重新上线还能继续参与网络而无需了解期间发生了什么，对吧？

They can't basically experience a power outage and completely lose all memory of the state commitment and come online a while later and be able to continue participating without trying to figure out what happened in between, right?

那才是真正意义上的无状态。

That would be the true notion of stateless.

但它们确实具有极低的状态存储需求，对吧？

But they do have very minimal state storage requirements, right?

这基本上就归结为这种紧凑的状态承诺，而不是需要存储千兆字节或兆兆字节的数据。

It's basically down to this compact state commitment rather than, you know, gigabytes or terabytes of storage.

它们与轻客户端有什么关系？

How do they relate to light clients then?

轻客户端是无状态客户端吗？

Are light clients stateless clients?

这两者之间有什么联系吗？

Is there any connection here?

是的。

Yeah.

所以，再次强调，这些术语只是被使用的词汇，有些人在区块链领域使用时可能会对这些术语产生混淆。

So, again, these I guess these are just terms that are that are used, and also some people might confuse the terms a bit when using them within the within the blockchain space.

这些术语并没有学术上严格的定义。

These don't have, like, academically defined, you know, definitions.

但根据我的理解，轻客户端通常指的是试图同步而非参与区块链交易验证的客户端，它们要与区块链当前状态同步，能够高效下载和同步数据，并能以可信方式查询区块链。

But from my understanding, light clients generally refer to a client that is trying to synchronize, not participate in validation of blockchain transactions but synchronize with the current state of the blockchain and be able to again download and sync efficiently and then be able to, you know, query the blockchain in authentic ways.