本集简介
双语字幕
仅展示文本字幕,不包含中文音频;想边听边看,请使用 Bayt 播客 App。
欢迎来到零知识领域。
Welcome to Zero Knowledge.
我是主持人安娜·罗斯。
I'm your host, Anna Rose.
在本期播客中,我们将探索零知识研究和去中心化网络的最新进展,以及有望改变我们在线交互和交易方式的新范式。
In this podcast, we will be exploring the latest in Zero Knowledge research and the decentralized web, as well as new paradigms that promise to change the way we interact and transact online.
本周,我和尼科将与斯坦福大学博士后研究员陈斌毅进行对话。
This week, Nico and I speak with Bin Yi Chen, a postdoctoral researcher at Stanford University.
我们将讨论他的研究工作《格折叠》、《格折叠+》以及新作《交响曲》。
We discuss his work Lattice Fold, Lattice Fold Plus, and his new work Symphony.
在本期节目中,我们将向他提出一些关于格与折叠技术尚未解决的问题,并尝试探讨它们为何能如此完美结合。
In this episode, we get to ask him some of the questions we still had about lattices and folding, and try to tease out why they combine so well.
我们将回顾这项折叠技术如何始于2023年,以及当格结构被证实可以替代彼得森哈希时,这一突破带来的新机遇。
We discuss how the folding work began back in 2023, and the opportunity that the introduction of lattices created once it became clear they were a feasible replacement for Peterson hashes.
我们将探讨格基折叠技术中的一些核心概念,包括这种组合的优势与局限性。
We cover some of the key ideas in lattice based folding work, including the benefits and limitations of this combination.
接着我们转向他的新项目Symphony,探讨这项工作中描述的新技术。
We then move on to his new project, Symphony, and explore the new techniques described in this work.
本集内容研究性很强,是对最近发布的ZK白板会议模块的绝佳补充,该模块全部关于LatticeFold,同样由Binyi主持。
This episode is research heavy and serves as a great complement to the recently released ZK Whiteboard Sessions module, all about LatticeFold, which was also hosted by Binyi.
我强烈推荐将其作为补充资源观看。
I definitely recommend watching this as an additional resource.
我已将链接添加到节目说明中。
I've added the link in the show notes.
在正式开始前,我想先向大家推荐ZK招聘平台。
Before we kick off, I just want to point you towards the ZK jobs board.
在那里你可以找到来自顶尖ZK团队的工作机会。
There you can find job postings from top teams working in ZK.
如果你是招聘团队,今天就可以在上面发布职位信息。
And if you're a team looking to hire, you can also post your job there today.
我们已经收到很多团队通过这个平台找到理想人选的积极反馈,希望它也能帮到你。
We've heard great things from teams who found their perfect hire through this platform, and we hope it can help you as well.
了解更多信息,请访问jobsboard.zeronowledge.fm。
Find out more over at jobsboard.zeronowledge.fm.
你可以在我们的网站上找到这个,我也把它添加到了节目备注中。
You can find this on our website, and I've added it to the show notes.
现在,Tanya将简要介绍一下本周的赞助商。
Now Tanya will share a little bit about this week's sponsor.
Aztec发明了数学原理,编写了语言,并证明了隐私实际上是实现大规模采用所缺失的关键环节。
Aztec invented the math, wrote the language, and proved the concept that privacy is in fact the missing link to mass adoption.
现在,Aztec正在通往主网的道路上。
And now Aztec is on the road to main net.
Aztec是以隐私为先的以太坊二层解决方案,支持具有私密和公共状态以及私密和公共执行的智能合约。
Aztec is a privacy first layer two on Ethereum, supporting smart contracts with both private and public state and private and public execution.
这是目前最令人兴奋的ZK项目之一,我们期待看到它上线。
It is one of the most exciting ZK projects out there, and we are excited to see it go live.
参与的方式有很多种。
There are a ton of ways to get involved.
你可以加入测试网,探索Noir生态系统,成为社区一员,或寻找参与主网上线前最后阶段的机会。
You can join the test net, explore the Noir ecosystem, become part of the community, or look out for ways participate in the last steps before the upcoming main net launch.
关于Aztec的技术、研究和社区项目的详细信息,请访问aztec.network。
Details about Aztec's technology, research, and community programs are available at aztec.network.
现在请收听我们的节目。
And now here's our episode.
今天,我和Nico请到了斯坦福大学的博士后研究员Bin Yi Chen。
Today, Nico and I are here with Bin Yi Chen, a postdoc researcher at Stanford University.
他的顾问是Dan Bonnet,本节目听众对他应该非常熟悉。
He's been advised by Dan Bonnet, someone who listeners of this show will be very familiar with.
欢迎来到节目,Bin Yi。
Welcome to the show, Bin Yi.
谢谢你,Anna,也谢谢Nico。
Thank you, Anna, and thanks, Nico.
很高兴再次来到这里。
And nice to be for being here again.
是啊。
Yeah.
自从上次在Prostar节目里。
Since last time in the Prostar episode.
没错。
Exactly.
嘿,Nico。
Hey, Nico.
嘿,Anna。
Hey, Anna.
嘿,Binyi。
Hey, Binyi.
是的。
Yeah.
而且,Binyi,你之前上过这个节目。
And, Binyi, you have been on the show before.
上次你来的时候,是和Benedict Buntz一起,
Last time you were here, it was with Benedict Buntz, and
你们当时讨论的是Protostar项目,那是一个主要关注IVC和折叠技术的项目。
you were talking about Protostar, which was like a very, like, very focused on IVC and folding.
今天,我想我们会
Today, I think we're gonna
花更多时间讨论晶格折叠技术,算是之前工作的延续,并希望能听到一些新研究进展。
be spending more time talking about lattice fold, so kind of the continuation of that work, and hopefully get to hear about some new work.
是的。
Yeah.
不过在开始前,我想先回顾一下我们这些年的一些合作节点。
But before we do that, I just wanna highlight a few kind of connection points that we've had over the years.
其实为了准备这期节目,我特意去查了些资料。
I actually was looking, you know, just to to put together this episode.
你还主持过零知识证明学习小组呢。
But you've hosted a ZK study club.
你曾在ZK峰会上发表过演讲。
You've spoken at the ZK Summit.
我们刚刚发布了你的ZK白板课程,全是关于Lattice Fold和Lattice Fold Plus的内容。
We just released your ZK whiteboard session all about Lattice Fold and Lattice Fold Plus.
今天能邀请你上节目真的很棒。
It's just kinda cool to have you on the show today.
是啊。
Yeah.
我也是。
Me too.
非常荣幸,每次在这里主持活动或演讲时,都让我感到特别愉快。
It's a great pleasure, and it's always, like, very pleased to experience when I host anything here and, give a talk here.
没错。
Yeah.
太好了。
Cool.
我觉得如果能让我们了解一下你最新的研究和工作重点会很有意思。
I think it would be cool to bring us a little bit up to date on the research and the focus of your work.
就像上次你来时提到的,那时还是Protostar项目。
As we mentioned last time you were on, it was Protostar.
当时主要是关于折叠技术。
It was folding.
之后发生了什么让你更倾向于研究晶格方向的工作?
What what kinda happened since then that pushed you more towards the lattice work?
是的。
Yeah.
自上次之后发生了很多事,我一直在探索Snorax改进系统的多个方向,比如基于编码的Snorax,像基础折叠和emblaze方案。
Since the last time, a lot of thing has happened, and I've been exploring many directions of Snorax improved system, such as coding based Snorax, like base fold and emblaze.
不过我的主要研究方向仍然是折叠技术,尤其是最近的后量子折叠方向,比如基于晶格的折叠方案。
But still, my main focus is still in folding and especially recently on post quantum folding, like lattice based folding schemes.
我想提一下上次在Protostar节目里讨论过的一个重点。
I want to mention the one thing that I talked about in the last Protestar episodes.
我记得本和我提到过这个开放性问题
I think Ben and then I mentioned this open problem
嗯
Mhmm.
关于
On
我们是否能够实现后量子折叠方案,我们认为晶格结构正是其中一个有前景的方向。
whether we can have postcontin folding schemes, and we think that lattice is exactly one of the promising direction.
当时我们提到这相当困难,因为不会爆炸。
By that point, we mentioned this is pretty hard because non blow up.
但让我高兴的是,经过大概两年时间,我们在晶格领域取得了诸多新进展,这很酷。
But I'm pretty happy that after maybe two years, I guess, we have so many new works in the lattice setting that That's cool.
利用晶格结构进行折叠。
Do folding using lattices.
不过,那些早期的折叠工作有什么特点,使得它们无法实现后量子化?
What was it about those earlier folding works, though, that made them not post quantum or or impossible to make post quantum?
是的。
Yeah.
非常好的问题。
Very good question.
所以我会称它们为第一代折叠方案,比如从Nova和BCL MS 21开始,可能Halo也是其中之一。
So I would call them as the first generation of folding schemes, like starting from Nova and BCL MS 21, and probably Halo is also one of them.
我们还有一些后续方案,如ProtoStar、Proto Galaxy、Hypernova和Mova等等。
And we have also have some follow ups like ProtoStar, Proto Galaxy, Hypernova, and Mova, etcetera.
它们都遵循某种类似的框架,使用Patterson哈希来提交见证。
All of them are following some kind of similar framework for using Patterson hashes to, commit the witness.
而这些Peterson承诺方案,不幸的是它们容易受到量子攻击,因为基于所谓的离散对数假设。
And these Peterson commitments, they are unfortunately vulnerable to quantum attacks because they are based on these so called discrete log assumptions.
这些离散对数假设恰恰被著名的Schwarz算法所攻破。
And these discrete log assumptions are exactly broken by this very famous Schwarz algorithm.
这意味着如果你有一台强大的量子计算机,就能轻易破解这个假设,使得这类方案在量子世界中不再安全。
So that means if you have a very powerful quantum computer, you can easily break this assumption, and that makes these kind of schemes no longer secure in the quantum world.
我明白了。
I see.
这就是为什么我们需要一些新的方案。
That's why we need some new schemes.
不过它是否利用了彼得森哈希的这些特性呢?
Was it using this sort of the characteristics of the Peterson hashes, though?
比如,为什么不直接换成其他哈希函数呢?
Like, why not just switch it out with some of the other hashing functions anyway?
为什么要等到格密码出现才解决这个问题?
Like, why did you have to wait for lattices to come along?
是的。
Yes.
之前当我们进行折叠时,我们需要同态性质,这意味着你可以合并承诺,从而形成对底层公开值或见证的组合承诺。
So previously, when we did the folding, we need homomorphic property, meaning that you can combine commitments, which becomes commitments to the combination of the underlying opening or witness.
而最自然的方式就是使用彼得森哈希。
And the most natural way to do that is using Peterson hashes.
这就是人们开始使用它们的原因。
So that's why people are starting using them.
但为了使其具备可信的后量子安全性,必须改用其他承诺方案。
But in order to make it plausibly post quantum security, have to switch it into another commitments.
最自然的转换方式是使用特设承诺,这种承诺会占用大量空间。
And the most natural way to switch it is to using ad hoc commitments, which is a lot of space commitments.
最近我想提一下,Benedict和他的团队做了一些非常酷的工作,实现了无需同态承诺的折叠。
And recently, I want to mention there are also some really cool work by Benedict and his coercises that's achieved folding without homomorphic commitments.
他们基本上只用哈希或默克尔承诺就实现了,这种方式也非常优雅。
They basically just use hash or Merkel commitment to achieve it, which is also very elegant.
啊。
Ah.
顺便说一句,我当时也在研究这些线性同态承诺,突然意识到如果我们想要量子安全的方案,就不能有这种同态性。
By the way, I'll also add, at the time, we were looking at these, like, linearly homomorphic commitments, and we suddenly realized, well, if we want something quantum secure, we cannot have this homomorphism.
因为一旦具有同态性,就存在群结构,而一旦有群结构,就存在离散对数问题。
Because as soon as you have homomorphism, you have a group structure, and as soon as you have a group, you have discrete logs.
嗯。
Mhmm.
所以当时有种感觉,这到底可行还是不可行?
So there was this sort of feeling of, like, is this possible or not?
这就是为什么过去几年Biniyan和其他人解决的这个问题很酷且开放。
And that's why it was a cool open question that Biniyan and the others tackled over the past few years.
没错。
Exactly.
是的。
Yeah.
所以我想更准确地说,Niko是对的。
So I think I want to be more precise, and Niko is right.
这些AI承诺并非完全同态,在某种意义上只是微型同态,因为它们必须确保开放始终无规范。
Like, these AI commitments is not fully homomorphic and mini homomorphic in the sense that they have to make sure that the opening is always no norm.
所以,它们只是某种程度上线性同态的
So, yeah, they are only, like, somewhat linearly homomorphic
嗯
Mhmm.
与Pearson哈希相比,后者基本上在整个域上几乎是同态的。
Compared to Pearson hashes, which is basically nearly homophic over the entire field.
你描述的哈希类型是AiTai吗?
Is the type of hashes you're describing AiTai?
你是用这个词吗?
Is that the word you're using?
是AiTai。
It's AiTai.
拼写是a j t a I吗?
And this is spelled a j t a I?
嗯
Mhmm.
没错
Exactly.
好的。
Okay.
这其实是我稍后要问的问题之一。
So this is actually one of my questions that we're gonna get to later.
但那是什么工作?
But what is that work?
Itay是什么?
What is Itay?
Itay是一位非常著名的密码学家。
Itay is an a very famous cryptographer.
明白了。
Okay.
嗯。
Yeah.
这是个人名。
It's a person.
是的。
Yes.
没错。
Yes.
他是格密码学领域的先驱之一,提出了'最短整数解假设'这一密码学假设,该假设可归约为某些最坏情况下的格问题,这项工作非常了不起。
He's, like, one one of the pioneers in the lattice cryptography, and he invented this, shortest initial solution assumption, which is a cryptographic assumptions that can be reduced to some, worst case lattice problem, which is amazing work.
基于此,他利用SIS(最短整数解假设)为我们构建了非常优雅的抗碰撞哈希函数方案。
And from that, he gave us a this really elegant constructions for collision resistant hash function using SIS or shortest integer solution assumption.
在你的研究中,还有格密码学领域的其他学者工作中,经常会出现这类术语。
There's a bunch of these terms that come up in your work, but also in the work of other kind of lattice folks.
嗯。
Mhmm.
本季ZK白板课程中我们安排了两个关于格密码学的模块。
We had two modules within the ZK whiteboard sessions this season on Lattices.
一个是与Vadim Lubeshevsky合作的,另一个是与你合作的。
We had one with Vadim Lubeshevsky and one with you.
我是说,因为它们最近才发布,我真的很期待深入研究。
And I I mean, because they they've just recently come out, yeah, I'm I'm excited to kind of dig in.
对于这期节目,我们不想再重复讨论了。
I for this episode, we don't wanna go through it again.
我们会直接指向那些视频,那些是白板会议,内容非常详细。
Like, we're gonna point to those videos, like peep and and those are whiteboard sessions, so those are, like, really detailed.
我认为这是学习这些内容的绝佳方式。
I think a great way to learn about this stuff.
嗯。
Mhmm.
但我想问你一些观看时产生的问题,同时也想了解研究的背景来源。
But, yeah, I wanted to ask you sort of questions that came up as I was watching it and also to get some context around, like, you know, maybe where the research is coming from.
所以这个IT解释很有帮助。
So this, like, eye tie explanation is helpful.
不过我还有个问题:那项工作是什么时候完成的?
I one question another question I've had about that, though, is when was that work from?
这个比较旧吗?
Is this older?
非常古老。
It's very old.
好的。
Okay.
我想那大概是我出生的年份,比如1992年。
It's I think it's the year as when I was born, like, 1992.
哇。
Woah.
是的。
Yeah.
没错。
Yeah.
好的。
Okay.
所以,大约三十多年前。
So, like, thirty something years ago.
嗯。
Mhmm.
对。
Yeah.
如果我没记错的话,应该是1992年,但肯定是在那个时期。
I think it's 1992 if I didn't remember incorrectly, but definitely at that period.
是啊。
Yeah.
要知道,对人类来说不算很古老,但对密码学领域的论文来说,已经相当久远了。
Which, you know, for people is not very old, but for a paper in cryptography, surprisingly old.
是啊。
Yeah.
酷。
Cool.
在我们深入探讨Lattice Fold之前,我想先回到你提到过的另一个话题——你也研究过基于哈希的方案。
Before we actually dive into Lattice Fold, I sort of wanna bring it back to something you mentioned is you also worked on, like, hash based schemes.
是的。
Yes.
比如你提到的basefold,还有那些实现折叠功能的基于哈希的方案。
Like, basefold, you also mentioned that there are hash based schemes that do folding.
嗯。
Mhmm.
所以我很好奇,作为同时涉足当前后量子密码两大方向(哈希函数与格理论)的研究者,你如何比较这两种方案?
And so I was wondering, as someone who's worked sort of on both fronts of the current, like, post quantum ideas, how do you compare schemes that are based on hash functions and those based on lattices?
是否发现其中一类对研究者更友好,或是更有实现前景?
Do you find that some are, like, easier to work with as a researcher or more promising to implement?
你怎么看?
Like, what do you think?
没错。
Yeah.
这是个好问题。
That's a good question.
我认为这两个方向都非常有趣且前景广阔。
I think both direction are very interesting and promising.
我能做的就是对比一下它们各自的优缺点。
What I can do is just give some kind of comparison on their pros and cons.
我认为特别是基于哈希的方案,比如基于哈希的NARC,现在已经相当成熟了。
I think for hash based schemes, in particular, hash based NARC, they're pretty mature right now.
与格密码相比,它有许多工业实现案例,其底层假设也相当稳固。
There are many industrial implementation for it compared to the lattice word, and the assumption underlying it is also pretty solid.
它们仅依赖于这些对称哈希函数,我们相信只要将密钥大小或输出大小增加到足够大,就绝对具有后量子安全性。
They only rely on these symmetric hash functions, which, we believe is definitely postconsecure as long as we increase the key size or the output size large enough.
有时我们甚至不需要那么大的参数。
Sometimes we don't even need that.
因此在安全性方面,我认为它们对量子攻击更具抵抗力,而且在证明者效率方面也相当出色,因为它们基本上只是做一些纠错编码和Merkle承诺。
So in terms of security, I think they are more robust in terms of the quantum attacks, and they're also pretty efficient in terms of prover because what they do is basically just do some error correcting coding and doing Merkle commitments.
嗯。
Mhmm.
但我为什么要在意格密码呢?
But why I care about lattices?
对吧?
Right?
就像,我们已经有了非常优秀的基于哈希的解决方案。
Like, if we already have a really good hash based solutions.
我认为格密码相比哈希方案有两个非常显著的优势。
I think in terms of lattices, they have two really nice features compared to hash based schemes.
首先是它们更具代数特性。
The first one is they are more algebraic.
它们具有大量代数结构和性质,类似于基于椭圆曲线的方案,比如某些同态性之类的特性。
They have a lot of algebraic structure and a property which is similar to those ellipse curve based schemes, like some homomorphism, something.
这使得它们能够实现更强大的密码学原语。
This makes them more powerful to achieve more powerful primitives.
第二点是验证过程,当我们进行折叠时,验证器非常小,相比基于哈希的折叠方案效率要高得多。
And second is that the verification, when we do the folding, the verifier is really small, like, is much more efficient compared to hash based folding schemes.
在基于哈希的折叠方案中,验证器需要检查大量默克尔路径开放点。
In hash based folding schemes, the verifier have to check a lot of Merkel path openings.
这意味着当你想要证明这一点时,将其表示为电路时,电路规模会非常大。
And that means when you check when you want to prove this, like, when you represent it as a circuit, it's really large.
就基于格点的折叠方案而言,折叠验证器仅比那些基于椭圆曲线的方案略大,但比基于哈希的折叠方案要小得多。
In terms of lattice based folding schemes, folding verifier is only slightly larger than those leap curve based schemes but much smaller than the hash based folding scheme.
综上所述,就SNARC而言,目前基于哈希的方案更为成熟,尽管我们在格密码领域也看到了许多令人振奋的新成果。
So given that, I would say in terms of SNARC, currently, hash based schemes is a more mature even though we have seen a lot of new and very exciting result in the lattice world as well.
但在折叠技术方面,我认为基于格的折叠方案前景广阔——其证明者性能已与基于哈希的折叠方案相当,而验证者复杂度却低得多,这在需要验证折叠验证过程正确性时至关重要。
But in terms of folding, I think the glass based folding schemes is really promising in the sense that the prover is already competitive with hash based folding, but the verifier complexity is much smaller, which is very important when you do do need to prove that the folding verifier was done correctly.
嗯。
Mhmm.
因此必须确保折叠验证电路的规模足够小。
So you have to make sure the folding verifier circuit is small enough.
这是我个人的观点。
That's my personal perspective.
我不知道大家是否同意我的看法。
I don't know whether people agree with me or not.
在组合使用时,当你开始将折叠和格密码结合,是否需要重新思考整个体系?
In the combination, when you start putting folding and lattices together, do you have to rethink the entire thing?
就像你提到使用彼得森哈希时,我的思路是这样的——为什么不直接替换掉它呢?
Like, when you were talking about using the Peterson hashes, I mean, this is kinda where my mind went where it's like, well, why don't we just use why don't you just swap it out?
但如果使用格密码,你们是否以彼得森哈希相同的方式使用它们,还是在某种程度上重构了整个体系?
But if you're using lattices, you're not use like, are you using them in the same way that Peterson hashes were used, or are you, like, kinda reconstructing this entire thing?
是的。
Yeah.
我们实际上是在折中处理。
We are actually doing things in the middle.
好的。
Okay.
所以如果你能直接把皮尔逊哈希换成Ada哈希,然后其他一切照旧,那就太好了,对吧?
So it'll be nice if you can just switch Pearson hashes with that with Ada hashes, right, and then do everything the same way.
但如果这么简单的话,我们就不需要花这么多时间来研究这个了。
But then if that's so easy, then we don't need to spend so much time to come up with this.
我们早该在基于皮尔逊的投票方案中就已经实现了。
We would already have it when we have, Pearson based voting schemes.
所以最终实现这个的关键挑战在于,所谓的ITA承诺相比皮尔逊方案限制更多。
So the key challenge of achieving this in the last word is because the so called ITA commitments is kind of more restricted compared to Peterson.
因此我们对这些ITA承诺有一些额外的约束条件,即只有在开口是低范数时才是安全的。
So we have some extra constraints on these ITA commitments in the sense that it is secure only if the opening is low norm.
所谓无范数,我指的是这个向量或弱点的每个元素都是些小数值,而这在Peterson哈希中并不是一个约束条件。
By no norm, I mean that every elements of this vector or the weakness are some small values, and this is not a constraint in the Peterson hashes.
在Petersen哈希中,原像可以是任意的域元素。
In the Petersen hashes, the preimage can be arbitrary field elements.
这意味着如果你想进行折叠操作,当你将两个见证折叠在一起时,这个见证的范数会急剧增加。
So that means if you want to do folding, if you fold two witness together, this witness norm will blow up.
所以第一个问题是,如何在折叠后控制范数的膨胀?
So first question is how do you control the norm blow up after the folding?
这是第一个挑战。
This is the first challenge.
第二个挑战是证明者还需要证明这个见证开放是低范数的。
And the second challenge is that the prover also need to prove that this witness opening are no norm.
所以在页面和哈希中这不是问题。
So this is not the case in the pages and hashes.
所以这给证明者增加了更多开销和复杂性,他们还需要运行一些分支证明来论证承诺的开放是低范数的。
So you add more overhead and complexity for prover, which also needs to run some branch proof to argue that the opening of commitments is no norm.
这些是与基于Peterson的椭圆或基于椭圆的折叠方案相比的主要挑战。
So these are two main challenges compared to Peterson based Ellipse or Ellipse based folding schemes.
这就是为什么设计起来更难,但我认为它们仍然有很多相似之处。
And that's why it's harder to design, but I would say, still, they have some have many similarities.
这两种类型的折叠方案有很多相似之处,因为它们都是基于某种同态承诺的。
These two type of folding schemes, they have many similarities because they are all based on kind of homomorphic commitments.
是啊。
Yeah.
说到底,我们密码学家就掌握一个诀窍。
At the end of the day, you know, we cryptographers have one trick.
就是取两样东西和一个随机数,没错。
It's to take two things and a random number Yes.
然后把其中一样乘以随机数,再把所有东西相加。
And multiply one of the things with a random number and then add everything together.
对。
Yeah.
这是通用的技巧。
That's the universal trick.
不仅限于折叠。
Not only folding.
对吧?
Right?
也许我们确实应该讨论一下折叠技术实际提供了什么。
Maybe we should actually talk a little bit about what folding is actually offering.
比如,我们为什么要设计这样的系统?
Like, why are we designing systems like this?
我们想要实现什么目标?
Like, what are we trying to achieve?
它更快吗?
Is it faster?
它更便宜吗?
Is it cheaper?
是单方面更快吗?
Is is one site faster?
或者说,证明者速度提升但验证者变慢了?
The or, like, does the prover go faster, but the verifier slower?
我们是否面临权衡取舍?
Like, are we running into trade offs?
我只是好奇,要不我们就先从折叠开始讲起,然后再讨论格折叠部分。
I'm just curious, like, maybe let's start with just folding and then, like, the lattice folding part.
没错。
Exactly.
我认为这是个非常好的计划。
I think that's a very good plan.
首先,也许我们可以为不熟悉的观众回顾一下什么是折叠。
So first of all, maybe we can review what folding is for those audience who are not familiar with.
折叠本质上是一种机制或协议,它能让我们将多个NP语句的追踪简化为单个NP语句。
Folding is basically a mechanism or a protocol that allows us to reduce the tracking of multiple NP statements into a single NP statement.
例如,如果你想证明斐波那契数列的百万步计算,可以将其分割成许多小块语句,然后折叠成一个更小的折叠块语句。
For example, if you want to prove a million step of Fibonacci sequence, you can chunk it into many small chunk statements and fold them up into a folded chunk statement, which is much smaller.
这本质上是一种将大问题高效缩减为小问题,再解决这个小问题的方法。
So this basically is a way for us to efficiently reduce a large problem into a smaller problem and then solve this small problem.
这类似于并行化处理吗?
Is it similar to parallelization?
比如,你能用那个术语来描述它吗?还是说它有所不同?
Like, can you use that term to describe it, or is it different?
某种程度上是相似的,但它更像是数学上将一个大问题简化成一个问题。
It's kind of similar, but it's kind of more, like, mathematically reducing some large problem into one.
比如分治法、并行性,它们都是类似的概念,但这是另一种数学原语。
Like, divide, conquer, and and parallelism, they are all kind of similar notion, but this is another mathematic primitives
好的。
Okay.
来实现这一点。
To to do that.
而且我认为这也是我们为什么需要它的原因。
And I think also why we need it.
对吧?
Right?
为什么我们认为折叠是一个非常好的原语?
Why why we think folding is a really nice primitive?
为什么说折叠技术是处理可扩展计算的未来方向?
Why is the direction for the future for dealing with scalable computation?
我认为折叠技术有三个非常出色的特性。
I think there are three really nice feature about folding.
第一个特性正是其简洁性。
The first is exactly the simplicity.
通常来说,折叠协议的复杂度远低于多轮验证或完整的SNARK方案,因为它本质上只需承诺每个MP语句的弱点并进行随机组合。
So folding, typically, the protocol is much simpler than a molytic or full fledged SNARC because, basically, what it does is just to commit each MP statement's weakness and randomly combine.
验证者只需生成一些随机标量并组合承诺,证明者则相应随机组合见证,最终我们将多个输入语句编译为单个组合语句。
So the verifier just generates some random scalars and combine the commitments, and the prover just randomly combine the witness correspondingly, and then we just comp compile these many input statement into one combined statements.
因此首要优势是简洁性——这不仅更易于实现,执行速度也更快。
So first is simplicity that's much easier to implement and much faster as well.
嗯。
Mhmm.
第二个出色特性是,折叠技术还能让我们将其转换并改造为简洁的证明系统。
And the second nice feature is that folding also allows us to convert it and be transformed into a succinct proof system.
因此我要强调,折叠技术本身并不能给我们一个16进制证明系统,因为验证工作实际上是线性的。
So I would highlight that folding itself does not give us a 16 proof system because the verification work is actually linear.
但通过IVC和PCD中的编译器,利用递归方法,可以将折叠技术转化为16进制证明系统。
But it can be transformed into folding into a 16 proof system using this compiler in in IVC and the PCD, which is by recursion.
嗯。
Mhmm.
所以本质上,你是在折叠这些递归语句。
So, essentially, what you do is you fold these recursive statements.
这些递归语句不仅检查应用逻辑或计算,还要验证之前的折叠步骤是否正确执行。
These recursive statements not only check the application logic or computation, but also check that some previous folding step was done correctly.
这就是为什么我们需要将折叠验证电路嵌入这些待证明语句中并一起折叠的原因。
And this is the reason why we need to embed the folding verify circuits into these proven statements and fold them up.
我一直很好奇,当你说到递归部分时,这是在折叠之前还是之后发生的?
I always wonder when you say that, like, the recursion part, is this happening before the folding or post folding?
实际上远在折叠之前就发生了。
Long before the folding, actually.
远在折叠之前。
Long before the folding.
好的。
Okay.
是的。
Yes.
实际上,这个想法起源于递归SNARK时期,当时折叠技术还不存在。
Actually, this idea start from recursive SNARK when the folding doesn't exist.
嗯。
Mhmm.
哦,
Oh,
对。
yeah.
所以最初我们只有SNARK,人们就在思考能否递归地证明SNARK?
So initially, we'll have SNARK, and people were thinking, can we, like, re recursively prove SNARK?
比如,我们可以证明某些证明是正确的。
Like, we can prove some proof is correct.
对。
Yeah.
证明证明的过程本质上就是递归。
Proving proving proofs is recursion, basically.
是的。
It's Yes.
SNARK。
SNARK.
你看,用SNARK来证明SNARK。
You see using a SNARK to prove a SNARK.
没错。
Yes.
正是如此。
Exactly.
是的。
Yeah.
这个想法早在2008年就由Paul Valens提出了。
And this idea was already proposed in 2008 by Paul Valens.
那已经是相当久远的事了。
That's a long time ago already.
但当时他们只专注于这些SNARCs的递归研究。
But at that point, they are only focusing on recursion the these SNARCs.
我认为在当时这仅具有理论意义,因为SNARC验证器的递归电路实际上相当昂贵,没人会真正使用它。
I would say, at that point, it's only of theoretical interest because the recursive circuits for SNARC verifier is actually pretty expensive, so no one would actually use it.
但自从halo论文发表后,这种情况就改变了,随后NOVA和BCLMS 21的成果也相继问世。
But this has been changed since this halo paper has been introduced and also the follow-up of NOVA and the BCLMS 21 has been introduced.
而且它们的验证器比SNOC验证器要简单得多。
And their phoneme verifier is much simpler than SNOC verifier.
通过将递归思想结合起来,我们实际上能构建出高效得多的结构。
And by combining this idea of recursion together, we can actually obtain much more efficient constructions.
是的。
Yeah.
顺便说一句,这很有趣,因为Valiant曾提出用SNARK的SNARK来实现IVC的想法。
By the way, it's funny because Valiant had this snark of a snark idea to do IVC.
嗯。
Mhmm.
那时候我们甚至还不确定SNARK是否存在。
At a time where snarks, we weren't even sure if they existed.
对吧?
Right?
比如,哦,是的。
Like Oh, yes.
早在2008年,我们还不确定。
Back in 2008, we're still uncertain.
理论上我们能实现它们吗?
Can we do them in theory?
我们到底能在实践中实现它们吗?
Can we do them in practice at all?
就像是,这
Like, it's
当时snark这个术语还没被定义呢,我觉得。
The term snark had not been defined yet, I don't think.
那是2012年的事了。
That was 2012.
记得吗?
Remember?
至少我们在台上是这么说的,Nico,在ZK峰会上。
At least that's what we said on stage, Nico, at the ZK Summit.
我们确实是这么说的。
That is what we said on stage.
我可能会后悔这么说。
I might regret saying.
但我
But I
我认为这是首次出现在标题中,当时就像是'没错'这种感觉
think it's the first time it's written in a title, and it was like Yeah.
完全正确
Absolutely.
完全正确
Absolutely.
当时已有简洁证明和知识证明的概念,但将某物称为snark并使其成为专有名词,你知道,那是后来的事
There was the notion of succinct proofs and the notions of proofs of knowledge, but calling something a snark and making it a thing, you know, came later.
嗯
Mhmm.
是的
Yeah.
我还想提到折叠方案相比完整snark的第三个重要特性,这使得它在处理大规模流式计算时非常独特且重要——基本上就是其对流式计算的友好性,这点至关重要
I also do want to mention a third really important feature for folding compared to full fledged snarks, which makes this quite unique and quite important when we want to deal with large and streaming computation is the basically, the streaming friendliness, which is very important.
所以如果我们考虑像ZKVM这样的大型任务,或者需要验证某些机器学习过程的情况。
So if you think about we we have some really large task like ZKVM or prove some verifiable machine learning.
如果只有Spark,通常的做法是你启动计算,然后完成整个计算过程。
If you only have Spark, usually what you do is you start the computation, and you finish the entire computation.
接着生成整个计算的计算轨迹和弱点分析。
And then you generate some computational trace and the weakness for this entire computation.
只有到那时你才能开始进行证明。
And only then you can start doing the proving.
所以证明只能在这个阶段的最后才开始,这某种程度上浪费了时间。
So the the proving can only start at the very end of this stage, which is kind of wasted some time.
对吧?
Right?
但折叠方案让我们可以做得更好,因为你不需要等到计算完成才开始折叠过程。
But folding allows us to do better in the sense that you don't have to start doing folding while you finish computation.
你可以在进行计算的同时就开始折叠。
You can just start it while you're doing the computation.
你只需要获得部分结果,就可以开始进行折叠处理了。
You only need to get some partial results, then you can already start doing the folding.
这对于大规模计算来说非常重要。
And that's pretty important for this large scale computation.
就像看YouTube视频时,你不会想先缓冲完整个视频才开始观看
Like, I think analogy is that when you watch the video, like, YouTube video, you don't want to buffer the entire video first and through then watch through a video
这正是我们过去从Napster这类平台下载时的做法。
or Which is what we used to do when you download from, like, Napster or something.
没错。
Yes.
对我们这些老用户来说确实如此。
For us oldies out there.
是的。
Yes.
对。
Yeah.
展开剩余字幕(还有 480 条)
但现在我们已经习惯了YouTube。
But now we are get get used to YouTube.
对吧?
Right?
是啊。
Yeah.
所以这更像流水线作业,用户体验也好得多。
So it's it's more pipeline and it's much better experience.
有意思。
Interesting.
我认为我最初的问题其实是:递归和折叠对SNARC的哪部分功能有帮助?
I think in my initial question, it was sort of like, there's also this question of like, what part of the SNARC does recursion and folding help with?
那么是证明时间缩短了,还是验证时间受到了影响?
So does the proof time go down, or does the verifying time get affected?
没错。
Yeah.
我只是好奇是否存在某种权衡。
I'm just curious if there's like a trade off at all.
实际上,验证折叠方案会更困难吗?
Is it harder to verify a folded scheme, actually?
是的。
Yes.
我认为主要动机是缩短证明时间。
I think the main motivation is proof time.
好的。
Okay.
我想特别是为了节省内存。
And it's particular for and also memory, I guess.
既节省内存又缩短时间,但尤其适用于那些大规模问题。
Both memory and improved time, but particular for those large problem.
所以如果你的任务并不复杂,比如只是证明单笔交易或验证一个哈希值,就没必要使用折叠方案。
So if your task is not very complex, if you're just proving single transaction or just proving a hash, you don't bother to use folding.
你只需使用简单的sigma协议或SNARC即可。
You just do a simple sigma protocol or SNARC.
这样就足够了。
That's good enough.
只有当面对真正大规模的问题时才有意义,比如CK版本的机器
It makes sense only when it comes to a really large problem, like CK version machine
嗯。
Mhmm.
或者说,像可验证的机器学习这种情况。
Or, like, verifiable machine learning.
这种情况下,使用单一的整体SNARC来高效证明并不那么容易。
In this case, it's not that easy to use a monolithic SNARC to prove efficiently.
因此你必须先将这个大问题拆分成较小的问题,然后再使用SNARCs。
So you had to split this large problem into a smaller problem first and then use SNARCs.
而折叠恰恰是一种非常高效、可扩展且内存利用率高的方法,能将这个庞大的问题分解为较小的问题。
And folding is exactly a very efficient way and a scalable way and as well as memory efficient way to reduce this really large problem into smaller problem.
我记得最初分享时提到过,它特别适合处理某些重复性高的问题。
And I think I remember when it was first shared, it also is really good for certain types of problems which are, like, repetitive.
是的。
Yes.
比如你需要重复执行的步骤。
Like, you want repetitive steps.
你不想要动态电路或大量变化,而是需要相当一致的东西。
You don't want, like, dynamic circuits and lots of different like, you want something quite consistent.
没错。
Exactly.
举例来说,如果你需要一个CPU,你不会想要定制电路。
So for example, you if you want to have a CPU, right, you don't have, like, custom circuit.
你需要的就是CPU。
You want to have CPU.
每次只需运行单一指令,而折叠技术正是为此量身打造的。
Well, each time, just run a single instruction, and folding is perfect for this.
嗯,每个代码块语句只需一条指令。
Well, each chunk statement, just one single instruction.
我想提两点。
And I want to mention two things.
首先,我们选择折叠(folding)是因为它非常适合这种统一计算。
First is that, first, we do this for folding is because folding is perfect for this uniform computation.
如果这种计算具有迭代性质,就完全契合折叠框架。
So if this computation satisfies property, which is kind of iterative, it perfectly fits for the framework folding.
但我想提到最近有篇名为《Mangroove》的论文,它实际上能将任意计算
But I do want to mention that recently there's a paper called Mangroove, which actually can reduce some arbitrary computation
嗯哼。
Uh-huh.
分解为多个统一计算。
Into many uniform computation.
之后你同样可以开始进行折叠处理。
And after that, you can start doing the folding as well.
酷。
Cool.
所以它比那个更通用。
So it's more general than that.
好的。
Okay.
那么现在让我们进入第二部分,关于格点结构。
And then now let's go to that second part, which is like lattices.
所以你正在介绍格点结构。
So you're introducing lattices.
这样是否让审批时间变得更高效了?
Is approving time made even more efficient?
就像,是的。
Like, which yeah.
再问一次,哪些部分会受到影响,引入格点结构时有什么权衡吗?
Again, which part is affected, and is there any trade off when you introduce lattices?
流程中有任何部分会变慢吗?
Does any part of the process get slower?
是的。
Yeah.
非常好的问题。
Very good question.
最初,我们使用格密码的目标不仅是为了后验安全性。
So, initially, our goal for using Lattices is not only for postcon security.
实际上我们是想加速证明者的效率。
It's actually we want to accelerate the prover.
我们想让证明者比基于LipGER的流式方案更快。
We want to make prover even faster than LipGER based flowing schemes.
为什么?
Why?
因为我们在上一场战争中也获得了一些非常不错的承诺。
Because we have some really nice commitment in the last war as well.
我想澄清一下,1992年发明的原始ITI承诺方案其实效率并不高,因为它是基于某些整数格构建的。
I do want to clarify that the original ITI commitments that was invented in 1992 is actually not that efficient because it's based on some integer lattices.
但后来,在环环境下——比如多项式环环境下——它被Vadim、Chris Piker、Alan Rawson和Danielle Lee Michian Show等人进行了优化和改进,我想大概是在2006年左右。
But later, it has been adapted and optimized in the ring setting, like, polynomial ring setting by Vadim, Chris Piker, Alan Rawson, and Danielle Lee Michian Show around, I think, around 2006 or something.
是的。
Yeah.
可能是2006年。
Maybe 2006.
在那之后,这个方案变得更高效了。
So after that, the item becomes more efficient.
基本上,其复杂度从二次方降到了接近线性,速度大幅提升,而且具有高度可并行性。
They basically, the complexity goes from quadratic to cosine linear, and it's much faster than that and also highly paralyzable.
此外,你还可以用小域来实例化它。
And moreover, you can use some small fields to instantiate.
这使得它变得极其快速。
So that makes it extremely fast.
这就是我们采用这类承诺方案的动机之一。
So that's the one of the motivation for using that kind of commitments.
总结来说,我们具有可证后提交安全性,理论上还可能实现更快的证明者。
So in summary, we have plausibly post comm security, but and in theory, we might also guess even fast prover.
这确实很棒。
So that's really nice.
这就是我们研究它的动机所在。
That's why we have some motivation to study it.
是的。
Yeah.
我想补充另一个动机点。
I'll add another piece of motivation, actually.
使用Lipstick曲线承诺时,你的见证和电路都存在于某个域中
With the Lipstick curve commitments, you have your witness, your circuit lives in a field
嗯。
Mhmm.
当你进行承诺时,你需要将它们放在椭圆曲线上。
And then when you do commitments, you put them on an elliptic curve.
对。
Yes.
对吧?
Right?
然后当你想执行验证器的递归检查步骤时,现在你必须用你的域来编写关于椭圆曲线的陈述。
And then when you want to do this recursive step of checking your verifier, you now have to write statements about the elliptic curves with your field.
所以你会遇到这种奇怪的递归现象
So you have this weird recursive thing happening
是的。
Yeah.
这实际上相当麻烦。
And this is actually quite painful to do.
它会让你的电路变得非常大,这就是为什么我们处理这些曲线循环时非常痛苦,还导致了各种错误。
It makes your circuits very big, and that's why we had these cycles of curves that were very painful to deal with, that caused bugs.
所以早在Protosar和Nova问世时,我们就在想,如果能摆脱这些曲线循环该有多好?
And so even back when Protosar and Nova came out, we were all thinking, wouldn't it be nice if we could get rid of these cycles of curves?
我们能否用格密码之类的方法来实现呢?
And can we use things like lattices to do that?
是的。
Yeah.
这个观点非常到位。
That's a very good point.
引入格密码会有什么缺点吗?
Are there any downsides to introducing lattices?
有。
Yes.
确实存在。
Definitely.
有的。
Yes.
就像,每当你引入新事物时,总会有一些权衡。
Like, whenever you introduce something, there are some trade off.
好的。
Okay.
很高兴听到这个。
Good to hear.
天下没有免费的午餐。
No free lunches.
是啊。
Yeah.
完全没有免费的午餐。
No free lunches at all.
特别是在我们第一代晶格折叠简化方案中,虽然它们相当有竞争力,正在变得实用。
And especially in our first generation of lattice folding simps schemes, even though they are pretty competitive, they are becoming practical.
它们仍然没能超越椭圆曲线方案的最先进水平。
They still didn't beat the state of the art of elite of Elliptic curve schemes.
正如我之前提到的,原因在于我们实际上在处理一个更复杂的问题。
The reason is that, as I mentioned before, we actually are dealing with a harder problem.
对吧?
Right?
我们必须处理范数爆炸的问题。
We have to deal with norm blow up.
我们必须证明这些范数是低范数的。
We have to deal with proving that norm are low norm.
这些额外任务使得基于格的音位方案构建更加困难,同时也增加了音位方案的复杂度。
So these are extra tasks make the construction of lattice based phoneme schemes harder, and that also adds complexity of the phoneme schemes.
例如在第一代格折叠方案中,为了证明范数是低或小的,你必须先将原始弱点分解为多个范数更低的弱点向量。
For example, in the first generation of lattice fold, in order to prove that the norm are low or small, you have to first decompose the original weakness into multiple weakness vectors, which are even lower norms.
只有这样你才能运行所谓的拇指检查协议来证明它。
And only then you can run some so called thumb check protocol to prove it.
这意味着证明者的工作量更大,因为他们需要提交更多的向量。
And that means the provers work is more because they need to commit to more vectors.
假设最初你只需要提交一个向量,现在却需要提交比如10或16个向量,这显著增加了证明者的开销。
Suppose initially, you only need to commit to one vector, now you have to commit, say, like, 10 or 16 vectors, which is more prover expensive.
因此尽管基于RIM的临时承诺本身效率更高,但实际需要完成的工作量反而更大。
So even though ad hoc commitment itself or RIM based ad hoc commitment itself is more efficient, the work you have been done is actually more.
所以速度实际上并不比基于椭圆曲线的方案更快。
So the speed is actually not faster than ellipse based falling schemes.
为了真正提高效率,我们确实需要更高效的范围证明方案。
So in order to make it more efficient, we really need to have a more efficient range proofs.
这就是Lattice four和Lattice four plus的核心内容?
And that is the bulk of Lattice four, Lattice four plus?
是的。
Yeah.
我想这就是你在白板会议上讲解的内容。
And I think what you cover in the whiteboard sessions.
对吧?
Right?
是的。
Yes.
没错。
Exactly.
有趣的是,这个
It's funny when and this
这实际上让我想到了白板会议本身,因为在那次会议上,你提到了一些关于范围证明的查找工作,但我有点困惑,你好像说CQ在范围证明方面做了些事情,而我总觉得它们是相当独立的。
is actually bringing me to the whiteboard sessions themselves because in that, you mentioned a few, like, lookup works in that context of, like, range proofs, but I was confused what like, you sort of said, like, yeah, CQ does something with the range proofs, but I I always thought of them as being pretty separate.
查找表、查找参数的工作与范围证明之间是否存在某种联系?
Is there a connection there between, like, the lookup table, lookup argument work, and the range proofs?
如果存在的话,具体是什么联系呢?
And if so, like, what is it?
确实存在。
Definitely.
如果你仔细想想,范围证明实际上是查找参数的一种特例。
So if you think about this, range proof is actually a special case of lookup arguments.
对吧?
Right?
因为在范围证明中,你想要证明的是某个值处于特定范围内。
Because what you want to prove in a range proof is you want to prove that certain value is in certain range.
但这个范围本身也是一张表。
But this range itself is also a table.
只是张特殊的表。
It's just a special table.
哦。
Oh.
这张表包含了该范围内的所有数值。
The table includes the all the values of this range.
这意味着如果你有查找论证,那么你同时也就拥有了范围证明。
So that means if you have a lookup arguments, that you also have a range proof as well.
哦,哇。
Oh, wow.
是的。
Yeah.
不知为何,我感觉节目里从没真正提到过这一点。
For some reason, I feel like that never really came up on the show.
所以当我看着白板时,我就像这样——我举起了手,但你知道这只是视频,我人并不在场。
So that that was also like, as I was watching the whiteboard, I was like, you know, I was putting my hand up, but, you know, it's a video, and I wasn't actually there.
我没有参与录制。
I wasn't part of the recording.
不过,你知道,我
But, like, you know, I
就像那一刻,对,我当时就有这个疑问。
I it's like the moment where I, yeah, I had this question.
我当时有点困惑,但这个解释很有帮助。
I was kinda confused, but this is helpful.
实际上这很合理,你基本上只需要选择特定范围的查找。
And it makes sense, actually, that you just choose, like, the lookup of just a certain range, basically.
是的。
Yes.
对。
Yeah.
范围证明。
Range proof.
当你思考范围证明时,大家会认为它比查找问题更特殊甚至更简单。
When you think about range proof, you all think as a special or even simpler problem than lookup.
还有其他方法可以实现这个范围证明吗?
Are there any other ways to do this range proof?
我知道你们有两轮晶格折叠迭代。
I know that you have two iterations of lattice fold.
还有一篇名为NEO的论文我们应该提到——嗯。
There's also this paper called NEO that we should mention Mhmm.
那篇论文同样基于晶格进行折叠。
That also does folding based on lattices.
我在想,是的,所有这些技术,有的非常不同,有的非常相似,还有很多我想探索的吗?
I was wondering, yeah, all the techniques there, super different, super similar, and is there a lot more I'd like to explore?
是的。
Yes.
我认为基于格(lattice)的环境下,范围证明与其他基于椭圆曲线的环境略有不同。
So I think the lattice based setting, the range proof is slightly different from the other Ellipse curve based setting.
目前,我们主要有两个——或者说三个主要思路。
And currently, we have two main idea or three main ideas, I would say.
首先是做分解,其次是随机投影,这是使用Librato的思路。
First is doing decomposition, and second is to do random projection, which is the idea using Librato.
第三是LASSO plus中提出的单项式编码思路,通过重构PONOM环来证明某些查找关系。
And third is the idea in LASSO plus, which we call the monomial encoding, where you just use some kind of restructure of PONOM ring to prove some lookup relations.
这些方法各有优缺点。
All these are having their pros and cons.
我想特别提到,最近在这篇我想稍后讨论的新论文中,我们还提出了一种新的基于格的折叠方案,其中包含了一种结合投影和单项式编码的新型范围证明。
And I want I want to mention that recently in this new paper I'm I want to discuss later, we have also have a new lattice based following scheme, which has a new range proof, which is kind of combination of projection and nominal encoding.
这使得整个过程更快更简单。
That makes this much faster and much simpler.
所以Neo的主要贡献,我认为并不在于范围证明。
So Neo, I think the main contribution of Neo is, I guess, is not a range proof.
它同样采用了最后折叠分解的模式,但在支持小域和更自然地编码约束方面,具有其他非常出色的风险类特性和贡献。
It uses this paradigm of decomposition of last fold as well, But it has some other really nice, risk like, properties and contributions in terms of supporting small field and encoding the constraints in a more natural way.
嗯。
Mhmm.
所以我认为他们会用分解来做分支证明。
So I think they'll use decomposition to do the branch proof.
使用格结构或结合格结构中的折叠是否存在其他权衡或缺点?
Are there any other trade offs or downsides to using lattices or to combining folding in lattices?
是的。
Yes.
这一点我认为会与我稍后要讲的新工作有所关联。
And this is something that I think will have connection to what I said later in terms of the new work.
除了证明者的开销外,验证者的开销也是个问题。
So beyond this prover overhead, this verifier overhead is also an issue.
好的。
Okay.
尽管它比基于哈希的签名方案要好得多,但实际上仍不如基于椭圆曲线的签名方案。
Even though it's much better than hash based phoneme scheme, it's actually still worse than ELIP curve based phoneme schemes.
啊。
Ah.
原因是需要运行这个Fierce和Mir电路。
So the reason is that you have to run this Fierce and Mir circuit.
对于不熟悉的人来说,Fierce Amir是一种通过使用哈希函数在交互记录上生成这些非常远的挑战,将交互式协议转换为非交互式协议的方法。
For those who are not familiar, Fierce Amir is a way to convert an interactive protocol into a non interactive protocol by generating these very far challenges using a hash function on the transcript.
在最后的设置中,这个记录比椭圆曲线设置要大得多,因为这些ITEC承诺比片段和哈希值更大。
And in the last setting, this transcript is much larger than a ellipse curve setting because these ITEC commitments are larger compared to pieces and hashes.
每个ITEC承诺可能大到四甚至八 kilobytes。
Is each ITEC commitments can be as large as in as four kilobytes or even eight kilobytes.
如果你需要在这个记录中对许多承诺进行哈希处理,那么仅执行Fierce Amir哈希的复杂度就已经相当高了。
And you have if you have many commitments to hash inside this transcript, then this complexity of just doing the Fierce Amir hashing is already pretty expensive.
嗯。
Mhmm.
所以问题之一就是:能否在Variable中移除这个Fierce Amir电路,从而使递归电路变得更小?
So the one of the questions, can you remove this Fierce Amir circuit in the Variable to make the recursive circuit much smaller?
嗯。
Mhmm.
顺便说,作为对比,Pedersen承诺和Pedersen哈希只有几个字节大小。
By the way, for comparison, the Pedersen commitments, Pedersen hashes are, like, a few bytes.
对吧?
Right?
是的。
Yeah.
大概是32字节或48字节左右。
32 bytes or forty forty eight bytes, I guess.
是的。
Yeah.
第一个数量级的差异。
The first one magnitude difference.
对。
Yes.
嗯。
Yeah.
这算是另一个定义问题,但你在白板上提到过,实际上Vadim在他的讲解中也提到了SIS。
This is kind of another definitions question, but you mentioned it in your whiteboard, and actually Vadim mentioned it in his as well, the SIS.
嗯。
Mhmm.
你今天在采访中已经定义过了,但能谈谈它到底是什么吗?
And you you already have defined it today in in the interview, but can you talk about what that actually is?
因为它出现了。是的。
Because it comes up Yeah.
每次你们讨论格理论时都会提到。
Every time you're talking about lattices.
是的。
Yeah.
SIS(最短整数解假设)就像是连接基础格问题与密码学应用的桥梁。
So SIS or shortest integer solution assumption is kind of a bridge between this really fundamental lattice problem and the cryptographic applications.
好的。
Okay.
这是一个密码学假设,意思是给定一个随机生成的矩阵A,很难找到一个短向量X使得A乘以X等于零。
So this is a cryptographic assumptions, which is saying that given a randomly generated matrix a, it's hard to find a small vector x such that when a times x, you get zero.
如果不对这个向量X做任何限制,你其实很容易就能解出这个方程。
So if you don't have any constraints on this vector x, you can actually very easily solve this equation.
对吧?
Right?
本质上这就是一组线性方程组,可以直接求解。
Basically, there's just a bunch of linear equations and then can solve it.
这是个简单问题。
That is the easy problem.
但事实证明,当你添加这些微小约束条件——必须确保x的范数很小,或者说这个向量的每个元素都很小——这就变成了一个非常困难的问题。
But it turns out when you add these small constraints that you have to make sure this x is no norm or, like, every element of this vector is small, this turns out to be a really hard problem.
我们有一个归约证明:如果你能解决这个问题,就能解决高维格中的某些真正困难的格问题。
And we have a reduction that if you can solve this problem, you can solve some really hard lattice problems in the high dimensional lattices.
但在这个情况下,这是不是
But in this case, is this one
那种密码学时刻——你希望它很难?
of these, you know, cryptography moments where you want it to be hard?
确实如此。
We do.
是的。
Yeah.
对。
Yeah.
就是说,你希望它非常困难,因为你不希望它被破解。
Like, you want it to be very difficult because you don't want it to be breakable.
对吧?
Right?
是的。
Yes.
我们希望它真的非常难。
We want it to be really hard.
好的。
Okay.
只是每次提到SIS问题时都觉得有点好笑,听起来像是我们要解决的问题,但其实重点不在这。
It's just funny whenever like, the SIS problem, it sounds like something that we're trying to solve, but that's not the point.
不是。
No.
不是。
No.
不。
No.
我们喜欢这样。
We like it.
我们希望它很难。
We want it to be hard.
是的。
Yeah.
我们绝对希望它很难。
We definitely want it to be hard.
否则,大多数格密码学都会崩溃。
Otherwise, like, most of the lattice cryptography will collapse.
我明白了。
I got it.
嗯。
Mhmm.
是的。
Yeah.
但话说回来,这确实是个问题,我们确实希望人们尝试解决它,因为尝试的人越多,我们就越能确定它的难度。
But by the way, it is a problem, and we do want people to try to solve it because the more people try, the more we know it's hard.
对。
Yes.
所以这
So it's
就像如果SIS问题被解决了,对格密码来说会很糟糕,但也许对整体安全有好处,因为我们会知道
like if the SIS problem was solved, that would be bad for lattices, but maybe good for, like, you know, general safety and security because we would know
没错。
Yes.
这还不够
This wasn't hard
难。
enough.
是的。
Yeah.
那将是一个真正的突破,如果我们能取得这些成果,会是非常重要的。
And that would be a really breakthrough, like, very, very important results if we do have these Mhmm.
成果。
Results.
不过感觉上,量子计算机似乎无法破解它。
And the feeling, though, is that the quant like, quantum computers can't break it.
如果你觉得这不是我们要找的,那么假设就是量子计算机无法破解它。
If you're feeling it's not what we're looking for, the the assumption is that you can't break it with quantum computers.
我的意思是,目前这更多是一种普遍感觉或普遍看法。
I mean, it is, at this point, you know, a general feeling or a general sentiment.
是的。
Yeah.
这就是我们的工作方式。
Like, that that is just how we work.
是的。
Yes.
首先,我无法给出一个很好的解释说明为何它能抵御量子计算攻击。但关键在于,我们已经对这些算法进行了三十多年的密码分析,这是最成熟且经过时间检验的假设之一——至今仍未出现真正有效的攻击手段
First, I don't have a really good explanation on why it will be against quantum computing attacks, But the thing is that we have gone through thirty years or more of cryptanalysis of these words, and this is one of the most mature and time tested assumptions that no really good attacks on top of it
嗯。
Mhmm.
即便是量子计算机也无法破解。
Even for quantum computers.
而且有许多极具天赋的研究人员
And there are many really talented researchers.
他们基本上只专注于格密码分析工作
They are basically just working on cryptanalysis on lattices.
试图破解它们?
Trying to break them?
对。
Yeah.
试图破解它们,但我们目前还没有很好的解决方案。
Trying to break them, and we don't have a really good solution yet.
当你决定开始研究Lattice Fold时,在Protostar项目和我们那次访谈之间,再到Lattice Fold和Lattice Fold Plus期间,格密码领域发生了什么变化,使你们能够开始使用它们?
When you decided to start working on Lattice Fold, in that time between Protostar and that interview we did and Lattice Fold and Lattice Fold Plus, what happened in lattices that changed, that allowed you to start using them?
你在节目前面提到过,大概两年后,你们开始意识到'哦,我们其实可以做到这个'。
You sort of mentioned earlier on in the episode that, like, two years on, you started to see, oh, we can actually do this.
但具体是什么?
But what was it?
是像Labrador那样的工作吗?
Was it like the Labrador work?
是出现了什么新成果,还是发生了什么变化?
Was it something that came out, something that changed?
是的。
Yes.
我想主要是因为当时我们在这方面投入的时间还不够多。
So I think it's just we didn't spend too much time on it at that time.
然后你看了看,心想,嘿。
And then you looked, and you're like, hey.
我们可以做到。
We could do it.
是的。
Yeah.
我想可能这某种程度上是预先想好的。
I think maybe it's come kind of pre thought.
就像,当我们思考这个问题时,当我们思考折叠时,我们总是想着折叠。
Like, when we think about this problem, when we think about folding, we always think about folding.
我们从未考虑过分解。
We never think about decomposition.
这就是为什么我们认为折叠后无法控制规范。
So that's why we think there's no possibility of controlling the norm after folding.
但事实证明,如果你先分解再折叠,实际上就能控制这个规范,这是思维转变带来的第一步突破。
But it turns out if you fold if after folding, you decompose first and then you fold and you actually control this norm, and this is the first step that the change of man mindset makes it possible.
第二点是这个范围证明。
And the second is this range proof.
我认为这个范围证明某种程度上同时受到了Librato和Thumbcheck的启发。
I think that range proof is kind of inspired by both, inspired by Librato as well as Thumbcheck.
好的。
Okay.
因为我之前花了很多时间研究Thumbcheck,结果发现Thumbcheck确实是个很好的协议,能帮助你证明某些关系。
Because I'm previously, I was working a lot on Thumbcheck, and it turns out Thumbcheck is a really nice protocol to help you to prove some relations.
事实证明这种分支证明关系就是其中之一,可以被涵盖。
It turns out this branch proof relation is one of them, can be covered.
所以实际上你可以用SumCheck来为此提供分支证明。
And so you can actually use SumCheck to give a branch proof for that.
更重要的是,这个分支证明具有次线性验证复杂度,这在折叠案例中非常重要。
And moreover, this branch proof has sublinear verify complexity, which is very important in the folding case.
我们无法直接在Labrador中使用的原因,正是因为Labrador的验证复杂度实际上是线性的,这不足以支持折叠应用。
The reason we cannot directly use in Labrador is exactly because the verifier complexity of Labrador is actually linear, which is not enough for folding to be used.
这就像是几种不同研究线索的汇聚,意味着现在正是我们深入探索的好时机。
So it's like a it's sort of a convergence of a few different research threads that meant actually now is a good moment for us to really dive into this.
是的。
Yes.
没错。
Exactly.
这个领域需要来自折叠世界的人去审视所有这些格点工作,并将它们整合起来使其运作。
It's an area that needed someone who was from the folding world to go and look at all these lattice works and put things together and make it work.
而这正是Binya和Dan在Lattice Fold中所做的。
And that's exactly what Binya and Dan did with Lattice Fold.
我...我过去可能说过Lattice Fold像是Labrador之后的延续,但我觉得这个说法也需要修正。
I I I think I, in the past, have sort of talked about, like, Lattice Fold is like a continuation after Labrador, but I I feel like I've been corrected on that too.
我的意思是,它可能受到了一些影响,但本质上并不是同一种格点结构。
I mean, I'm guessing it's taking some influence from it, but it's not really the same kind of lattice.
能否请你描述一下这些研究线索是在哪里分叉的?
Like, maybe can you just describe, like, where those research threads diverge?
这是Labrador Greyhound项目,然后,是的,接着是Lattice Fold相关的工作。
This is Labrador Greyhound, and then, yeah, and then sort of the lattice fold work.
我认为Labrador项目主要是用于论证,比如简洁的论证。
I think the Labrador one is mainly for arguments, like, succinct arguments.
嗯。
Mhmm.
从某种意义上说,他们想要构建一个能直接证明这种关系的小型证明论证系统。
In a sense, they they want to prove argument system that has small proof directly proving this relation.
因此在密码学原语方面,它们与折叠方案略有不同。
So in terms of crypto primitive, they are slightly different from folding.
嗯。
Mhmm.
而后续的Greyhound项目是对Labrador的优化,它将方案的验证复杂度从线性提升到了平方根级别。
And, the follow-up, Greyhound, is kind of a optimization to Labrador, which improved the verified complexity of the scheme from linear to square root
嗯。
Mhmm.
不过它仍然比不上多对数复杂度。
Though it's still worse than polylogarithmic.
另一方面,我想提一下还有另外一些工作,比如'石头剪刀布',以及最近出现的'摇滚'。
On the other hand, I want to mention there are also some other work called the Rock and Paper and Scissors and also recently Rock and Roll.
哦,是的。
Oh, yeah.
这些是基于格论证的另一条研究路线,不仅证明规模小,验证复杂度也呈符号级缩小。
They are another line of work for lattice based arguments that not only have small proof sizes, but also a symtology small verify complexity.
我认为是多对数级别的验证复杂度。
I think it's polylogarithmic verify complexity.
但与Librato相比,它们的实际效率较低。
However, they are compared to Librato, they are less concretely efficient.
但我确实认为有许多新工作和后续研究正在尝试让它们变得更实用。
But I do think there are many new works, follow ups that try to make them more practical as well.
以上就是论证方向的第一条研究路线。
So that will be the first line in terms of arguments.
真有趣。
It's funny.
摇滚乐。
The rock and roll.
我在ZK Mesh上看到的。
I I saw that for ZK Mesh.
这是最近才发布的。
It came out really recently.
对吧?
Right?
是的。
Yes.
它始于这个石头剪刀布,而摇滚乐是对该工作的优化和后续研究。
So it starts with this rock paper scissors, and the rock and roll is kind of a optimization and a follow-up to that work.
好的。
Okay.
我得把它收录到新版里。
I'll have to include it in a in a new edition.
非常酷。
Very cool.
好的。
Okay.
那真是太棒了。
That was really great.
感谢分享这种区别。
Thanks for sharing that kind of distinction.
这一点我一直不太清楚。
This has been something I wasn't quite clear on.
我原本以为它更像是一种延续。
I really thought of it as, like, a continuation.
但你知道吗,就像晶格作为一个主题越来越受关注,然后我就明白了,哦,原来是这样。
But, you know, it's just like lattices as a theme were becoming more and then I was like, oh, this is why.
那么,宾妮,你之前提到即将开展的新工作涉及折叠技术,以及一种通过组合折叠场景来获取snorkeys的新方法。
So, Binnie, earlier you teased out that you had some new work coming up that also involves folding and a new way to combine folding scenes to get snorkeys.
能否详细谈谈这项工作的动机,以及其中的具体内容?
Can you tell us a bit more about the motivation for this work and, like, what's happening in there?
好的。
Yeah.
当然。
Definitely.
我想他们部分提到过,之前的falling方案,特别是基于last的falling方案,在证明Fierce和Mir电路时存在一些明显缺陷。
So I think they'll also partially mention this, that the previous falling schemes, especially last based falling schemes, they have some discount drawback of proving Fierce and Mir circuits.
从这个角度看,Fierce和Mir电路相当庞大,因为我们的art操作其实很简单,只是环元素的组合。
So Fierce and Mir circuit is pretty large in that sense because our art operation is pretty simple just in a combination of ring elements.
所以这是我想移除这个Fierce Schemer电路的首要原因。
So this is the first reason that I want to remove this Fierce Schemer circuit.
今年早些时候,我读到了Rong、Lev和Dimitri合著的这篇论文。
Early this year, I came across this paper by Rong and Lev and Dimitri.
他们针对基于GKR的证明系统提出了一个非常精妙的攻击方法。
They come up with this really elegant attack towards the GKR based proof system.
嗯。
Mhmm.
简单介绍一下背景,GKR 2008是一个非常优雅的交互式证明系统。
So to give a a little bit background, GKR 2,008 is a very elegant interactive proof system.
最初它们是交互式协议,意味着存在一个在线阶段。
So initially, they are interactive protocols, meaning that's an online phase.
证明者和验证者需要通过通信来确认某种算术电路计算是否正确完成。
The prover and the verifier needs to communicate to check certain kind of arithmetic circuit computation was done correctly.
但事实证明,我们也可以通过使用这种启发式方法使其非交互化,即通过对话记录的哈希计算来生成验证文件变更。
But it turns out we can also make it noninteractive by using this this heuristics that generates the very file changes using the hash computation of the transcript.
我们甚至在理想化模型中为此提供了某种安全性证明,将哈希函数视为随机预言机,即本质上是一个可以黑盒方式调用的随机函数。
And then we even have some kind of security proof for that in an idealized model, where we treat these hash functions as some random oracle, meaning that's that's basically just some random function that it can carry in a black box way.
但这个攻击表明,当你将这个哈希函数实例化为现实世界中的具体函数时,这个方案就不再安全了。
But it turns out what this attack is showing you is that whenever you instantiate this hash function into a real world concrete hash function, it turns out this scheme no longer is no longer secure.
具体而言,他们能够为某些错误陈述生成有效证明,从而破坏了系统的可靠性。
And particularly, they're able to generate a valid proof for some false statements, which break the soundness of the system.
嗯。
Mhmm.
实现这种攻击的核心思路是,它允许证明者为某些包含字段虚假启发式内容的陈述生成证明。
And the main idea of enabling this attack is because it allows the prover to generate a proof for certain statements where these statements is proving some field shammy heuristics inside the statements.
之所以这样做很重要,是因为它能让证明者在电路中预测这个极快的手势操作,凭借其能力,可被利用来为错误陈述生成虚假证明。
And the reason why why it is important to do that is because it allows the prover to generate, to predict this very fast hand inside circuit, which given its power, they can be exploited to generate a fake proof for some false statements.
这个结果其实我们早就知道了。
This is, you know, a result that we knew from back in the day.
就像那些在随机预言模型中安全的协议,当你用哈希函数替换随机预言后,在实际模型中并不总是安全的。
Like, protocols that are secure in the random Oracle model are not always secure in the real model when you change the random Oracle for a hash function.
但在当时,我们只有一些非常古怪协议的例子。
But at the time, we only had, you know, examples for very weird protocols.
是的。
Yes.
就像,你必须真正设计出一个故意要被破坏的协议。
Like, you have to really come up with a protocol that's really designed on purpose to break.
嗯。
Mhmm.
对吧?
Right?
而今年早些时候的这篇新论文,就像是首次出现了一个实际存在、被人们使用且自然产生的协议遭遇了这个问题。
And then this recent paper earlier this year was, like, the first time that there was a natural protocol that was out in the wild that people used that actually suffers this problem.
是的。
Yes.
就像Vinny说的,攻击的一部分是在电路内部进行fiat shimmer操作,我想这就是你要说的。
And like Vinny is saying, it's part of the attack was to do fiat shimmer inside the circuit, and that's, I think, where you're going.
Vinnie说的正是折叠过程中发生的情况。
Vinnie is like, exactly what's happening in folding.
我们在电路内部进行fiat shimmer操作。
We do fiat shimmer inside our circuit.
但这突然意味着所有作品都不够安全了吗?你觉得需要写篇新论文来研究如何增强安全性,还是说你们已经通过其他特性具备了更高的安全性?
But what's did that mean that all of a sudden the works were less secure, and you felt like you needed to do a new paper to, like, figure out how to make it more secure, or were you already more secure because of some other feature?
这确实是对现实世界系统的攻击,但并非对所有递归SNARK系统的中间攻击。
So this is indeed an attack to a real world system, but that's not a mid attack to all the recursive SNARK system.
好的。
Okay.
它仅适用于这种基于GKR的系统,但无法直接作用于其他证明系统如Fry、Stark、Planck、Spartan、Hyperplunk等。
It's only working for this GKR based system, but not immediately working for other poof system like Fry, Stark, Planck, Spartan, Hyperplunk, so on.
不过这仍然令人担忧。
However, it's still worrisome.
对吧?
Right?
是的。
Yeah.
它打开了这扇门。
It opens the door.
嗯
Mhmm.
这说明是有可能的。
It says it's possible.
是的。
Yeah.
这动摇了我们的信心。
It shakes our confidence.
没错。
Yeah.
它改变了人们对它的信心。
It change the confidence of it.
嗯哼。
Uh-huh.
特别是对于递归SNARK来说,因为递归SNARK在他们的攻击中做的正是同样的事情。
And especially for recursive SNARKs because recursive SNARK is exactly doing the same thing in their attack.
他们的攻击恰恰关键利用了这一点:你可以在电路内运行Firschemir验证或Firschemir哈希。
Their attack is exactly crucially exploits this fact that you can run this Firschemir verify or Firschemir hashes inside circuits.
嗯。
Mhmm.
这种能力为你提供了一种攻击该方案的方法。
And that power gives you a way to attack the scheme.
嗯。
Mhmm.
所以我认为这降低了人们对这种递归框架的信心,即通过递归将后续方案转换为IVC或PCD。
So that give I think give less confidence on this kind of framework of doing recursion and convert the following scheme into IVC or PCD using recursion.
那你们修复了吗?
So did you fix it?
我不认为这是修复。
I wouldn't say it's fixes.
我只是尝试消除这个攻击面。
I just, like, try to remove this attack surface.
比如,我们在声明中并不证明任何字段的shammer电路。
Like, we don't we don't prove any field shammer circuits in the in the statements.
如果是这种情况,处理这类攻击会容易得多,因为电路逻辑更容易审计。
If that's the case, it's much easier to handle this kind of attack because circuit logic is much easier to audit.
你只需要确保它永远不会在电路内运行这些Fierce Hammer哈希函数或实例化随机预言机。
You just make sure that it never runs these Fierce Hammer hash functions or run instantial random Oracle inside circuits.
但在之前的框架中,审计要困难得多,因为无论如何你都必须这么做。
But in the in the previous framework, it's much harder to audit because, anyway, you have to do this.
对吧?
Right?
所以你无法判断是否存在某些微小变化会导致其可被攻击。
So you don't know whether there are some kind of really tiny changes that make it techable or not.
嗯。
Mhmm.
这几乎就像是KRS攻击风格的后门,与电路应有的功能无法区分,所以是的。
It's almost like backdoor in the style of the KRS attack is indistinguishable from what the circuit is supposed to do, and so that's Yeah.
超级困难。
Super hard.
是的。
Yes.
好的。
Okay.
所以这项新工作摆脱了虚假镜像。
So this new work gets rid of fiatry mirroring.
你要怎么做呢?
How how do you do that?
是的。
Yeah.
这项新研究被称为Symphony。
So this new work is called Symphony.
在介绍它的成果之前,我想先说说为什么取这些名字?
So maybe before before what it is achieves, I want to mention this, why these names?
嗯。
Mhmm.
这个名字有两个原因。
There are two reasons for this name.
第一个原因是,如果你看Symphony,对吧,这篇论文其实受到了许多先前优秀论文的启发。
The first reason is that if you look at Symphony, right, like, this paper is actually inspired by many previous works, many elegant papers previously.
如果把每篇论文比作乐器,那么我们在这里所做的就是尝试和谐地将它们组合在一起,让所有这些乐器共同演奏出一首交响乐。
If you think about each paper as instruments, then what we do here is try to just harmoniously combine them together and play all this instrument together to get a symphony.
很美。
Beautiful.
是的。
Yeah.
这就是我称之为交响乐的一个原因。
That's one reason why I call it a symphony.
第二个原因是,我尝试倡导一种新的折叠方式,即只折叠一次或两次。
And the the second reason is that I try to advocate a new way to do the folding, which is just folding only once or twice.
所以你只需要单次折叠,就像单次折叠一样,这就是一种交响乐。
So you've you've only fold sing like, fold for single times, so it's a kind of symphony.
这是单次折叠
It's a single folding
嗯。
Mhmm.
时间。
Time.
不错。
Nice.
是的。
Yeah.
所以这篇论文的主要思想或贡献是尝试倡导一个新的框架来进行折叠,并通过两个步骤将折叠转化为证明系统。
So the main idea or main contribution of this paper is try to advocate a new framework to do the folding and convert a folding into a proof system by two steps.
第一步是进行高元折叠而非低元折叠。
The first step is to do high arity folding rather than low arity folding.
这意味着我们希望您只需运行这些折叠步骤一次,甚至两次,但在每一步中,我们都将大量陈述合并为一个。
What does it mean is that we want you just to run these folding steps once or even or just twice, but in each step, we all fold a lot of statements altogether into one.
嗯。
Mhmm.
如果您查看之前的方案,我们只折叠两个或三个输入。
If you look at the previous schemes, we only fold two inputs or three inputs.
我认为通常是将少于10个输入合并为一个输入。
I think usually less than 10 inputs into one input.
在之前的方案中我们只能这样做的原因是验证者复杂度极高。
The reason why we can only do that in the previous scheme is because the verifier complexity is extremely large.
我们不想给验证者电路复杂度增加太多开销。
We don't want to add a lot of overhead on the verifier circuit complexity.
验证者取决于我们正在一起折叠的项目数量吗?
And the verifier depends on the number of things we're folding together?
正是如此。
Exactly.
好的。
Okay.
所以这实际上是一个线性关系。
So it's actually a linear relation.
如果你折叠两个输入,那么复杂度就是两倍的x。
So if you fold two inputs, then the say the complexity is two times x.
嗯。
Mhmm.
那么如果你折叠10个输入,验证复杂度将大约增加10倍。
Then if you fold 10 inputs, then the complexity verify complexity will be approximately 10 x.
所以如果你折叠1000个输入,复杂度会变得极其庞大。
So if you fold 1,000 inputs, would be extremely large.
这就像验证复杂度会爆炸性增长1000倍。
It's like a 1,000 time blow up on the verify complexity.
这就是为什么这类方法之前被认为在实际应用中不切实际的原因。
So that's the reason this kind of approach was deemed impractical in practice before.
但事实证明,我们改变了这一现状,发现只要能将Fierce Chamire电路移出证明声明之外,这实际上是可行的。
But it turns out, we changed this status quo, and we found that, actually, it is possible to do that as long as you can remove the Fierce Chamire circuit outside the proven statements.
这就是第一个贡献。
So that's the first contribution.
我们提出了一种基于层次格的新音素方案,即使对于数千或数万的大规模输入,其验证复杂度(不包括Fierce Chamire电路)也极小。
We come up with a new hierarchy lattice based phonemes for which the verified complexity excluding the Fierce Chamire circuit is extremely small even for really large inputs, like thousands or tens of thousand inputs.
第二步是设计一种方法,将这种层次折叠整合到新的证明系统中,该系统确实不需要将FIAH CHAMMER电路嵌入证明声明。
And the second step is to come up with a way that compile this folding hierarchy folding into a new proof system, which indeed does not need to embed this FIAH CHAMMER circuit into the proven statements.
这解决了两个问题。
And that solves two issues.
对吧?
Right?
首先是效率问题。
The first, efficiency issue.
我们不再需要验证这个庞大的fear chamois电路了。
We don't need to prove this large fear chamois circuit anymore.
其次,是解决了这类安全问题。
And second is solve this kind of security issue.
我们不再拥有这种可被利用或发动类似KRS攻击的攻击面。
We no longer have this attacking surface for exploiting or conducting these KRS like attacks.
所以这基本上就是两个主要成果。
So that's basically the two main results.
那么秘诀是什么呢?
So what's the secret sauce?
你们是怎么做到的?
How do you do that?
如何实现一个基于折叠技术却无需证明递归语句的SNARK?
How do you have a a snark that from folding that doesn't need to prove recursive statements?
实际上,这是个非常简单的思路。
So, actually, this is a very simple idea.
它是基于这种名为'提交并证明SNARK'的技术构建的。
It is built from this commit so called commit and prove SNARK.
我在想是否听说过这个。
I wonder if I have heard about this.
这是一类特殊的SNARK,证明者可以预先提交部分见证数据,然后再在线证明某些内容。
It's a special class of SNARKs for which the prover can commit part of the witness beforehand, before you prove something online.
嗯。
Mhmm.
之后,你可以证明一个同时涉及这些已提交数据和某些在线数据的关系。
And then later, you can prove a relation that involves both this committed data and some online data.
我猜是不需要在电路内部进行承诺操作。
I guess without doing the commitment inside a circuit.
对吧?
Right?
因为这正是我们想要避免的。
Because that's kind of what we're trying to avoid.
完全正确。
Exactly.
不在电路内部进行承诺,这样效率也更高。
Without doing the commitment inside circuits, and that makes it much more efficient as well.
嗯。
Mhmm.
让我举个具体例子说明它在另一篇论文Veritas中的应用,那是我、Tricia和Dan合著的另一篇论文。
So let me give a concrete example on how it is used in another paper called Veritas, which is another paper of me, I, and Tricia, and Dan.
哦,其实我们在节目里经常提到这篇论文。
Oh, we've mentioned it a lot on the show, actually.
是关于证明图片编辑的。
It's about proving edits on pictures.
对吧?
Right?
没错。
Exactly.
噢,是的。
Oh, yeah.
没错。
Exactly.
在那个例子中,如果你通过拍照获得了某张高分辨率原图的数字签名。
So in that example, if you have a digital signature for some original high resolution image by taking a photo.
对吧?
Right?
你有一台带有特殊芯片的特殊相机。
You have some special camera which has a special chip.
每次拍照时,这个芯片会对照片进行标记,以确保之后可以验证这张照片是由人类而非AI拍摄的。
Whenever take a photo, the chip will assign this photo to make sure later you can verify this photo is taken by a human being rather than being by an AI.
但之后,如果你想发布一些编辑过的图片,比如想把图片裁剪得更小
But later, if you want to publish some edited images, like, if you want to crop the image into a smaller one
嗯。
Mhmm.
你如何证明这张裁剪后的照片是来自这张经过签名的原图呢?
How do you prove that this crop photo is coming from this signed original photo?
对吧?
Right?
嗯。
Mhmm.
在这种情况下,提交和ProofSnark就非常有用。
In this case, commit and ProofSnark is really useful to do that.
你只需要证明这个在线见证(即裁剪后的照片)是之前提交的见证(即签名的原始照片)的有效转换。
What you do is just to prove that this online witness, which is this cropped photo, is a valid transformation of the previously committed witness, which is designed original photo.
而且你只需要证明这个转换过程。
And you only need to prove this transformation.
你不需要证明这个承诺的开放关系,而且你还有之前生成的针对该承诺的签名。
You don't have to prove this commitment opening relation, and you also have this signature for the commitment that has been generated previously.
这就是承诺和证明snarks的一个应用案例,我们发现实际上在我们的场景中它还有更多应用。
So this is one application of commitment and prove snarks, and we found that it actually have more application for that in our scenarios.
所以我们提出了一种新方法,利用提交和证明snark将以下方案转化为非交互式论证,而无需嵌入恐惧的shammy启发式算法。
So we come up with a new way to make use of commit and prove snark to turn the following scheme into a non interactive argument without embedding fear shammy heuristics.
是的。
Yeah.
立即就冒出几个问题,你们用的是哪种提交改进的SNARK?
A few questions come up immediately, which is which commit improved snark do you use?
比如,它是否也是后量子安全的?
Like, is that also gonna be post quantum?
接下来的问题是,如果我打算用SNARK来构建论证,那我何不从一开始就直接用SNARK作为论证呢?
And then the next question is, if I'm gonna use a snark to make a argument, you know, can't I just use the snark as my argument from from the beginning?
引入折叠技术后,我是否能获得效率提升?
Like, do I gain deficiency by introducing folding in there?
CP SNARK其实非常通用。
So the CP SNARK is quite general.
你可以选用任何CP SNARK,但只有与后量子安全的提交证明SNARK配合才具有可信度。
You can use any CP SNARK you want, but it is only plausible with Postcon secure commit and proof SNARK.
嗯。
Mhmm.
如果提交和证明SNARK本身不具备后量子安全性,这个编译器也不会具备后量子安全性。
If commit and proof SNARK itself is not postcon secure, this compiler will also not be postcom secure.
但它对于选择何种类型的提交和证明SNARK具有很大的通用性和灵活性。
But it does have a lot of generality and flexibility on what kind of commit and proof SNARK you can choose.
例如,你可以选择基于哈希的方案。
For example, you can choose hash based.
你也可以选择基于KZG、多项式或IOP的SNARK方案。
You can also choose KZG based, polynomial, IOP based SNARKs.
嗯。
Mhmm.
我们能否继续留在格密码领域,使用基于格的方案?
Can we stay in Lattice land and have a Lattice based one?
是的。
Yeah.
这这正是我想问的问题。
That that was gonna be my question.
我其实想问的是,这里是否还涉及到格密码相关的工作?
This I was kind of like, is there still Lattice work involved here?
格密码的工作主要是在折叠这一侧。
So the Lattice work mostly are in the folding side.
这个CP-SNARK,我们基本上是把它当作黑箱处理。
This CP SNARK, we kind of take it as black box.
如果我们有一个非常好的基于格密码的承诺和证明SNARK,我们也可以使用它。
If we have a really nice Lattice based commit and proof SNARK, we can also use that as well.
但目前大多数基于格密码的SNARK,它们的验证复杂度相当高。
But, currently, most of the Lattice based SNARKs, they have pretty expensive verification complexity.
这就是为什么目前我们更倾向于使用基于哈希或KZG的方案。
So that's why for now, we prefer to use hash based or KZG based schemes.
但如果出现更好的基于LAS的SNARK,我们也可以使用。
But if there are even better LAS based SNARC coming up, we can also use that as well.
第二个问题是什么来着?
And the second what is the second question?
关于 Bayt 播客
Bayt 提供中文+原文双语音频和字幕,帮助你打破语言障碍,轻松听懂全球优质播客。