Synthesis acceleration method and device of SHA256 Hash algorithm zero-knowledge proof circuit

Document No.: 1965860  Publication date: 2021-12-14

Reading note: this technology, "Synthesis acceleration method and device of SHA256 Hash algorithm zero-knowledge proof circuit", was designed by 李星 (Li Xing), 夏坤贤 (Xia Kunxian) and 张守恒 (Zhang Shouheng) on 2021-09-13. Main content: The embodiment of the invention discloses a synthesis acceleration method and device for a SHA256 hash algorithm zero knowledge proof circuit. A circuit variable constraint relation table is pre-generated, and, according to that table, the variable array and the constraint vector values are output using 32-bit unsigned integer arithmetic to complete the accelerated synthesis of the proof circuit. By utilizing the speed advantage of 32-bit unsigned integer arithmetic, the synthesis time of the SHA256 proof circuit can be reduced to about 1/3 of the original time, and accelerating the zero knowledge proof of hash calculation further enables effective verification of data security and data consistency.

1. A synthesis acceleration method for a SHA256 hash algorithm zero-knowledge proof circuit is characterized by comprising the following steps:

pre-generating a circuit variable constraint relation table;

and, according to the circuit variable constraint relation table, outputting the variable array and the constraint vector values using 32-bit unsigned integer arithmetic, thereby completing the accelerated synthesis of the proof circuit.

2. The method for accelerating synthesis of a SHA256 hash algorithm zero knowledge proof circuit according to claim 1, wherein the pre-generating of the circuit variable constraint relation table specifically includes:

the variable constraint relation table records the mapping relation between Boolean variables and SHA256 intermediate values in the SHA256 calculation process and the mapping relation between constraint vectors and variable arrays, and the types of the SHA256 intermediate values are 32-bit unsigned integers.

3. The method as claimed in claim 2, wherein completing the accelerated synthesis of the proof circuit by outputting the variable array and the constraint vector values using 32-bit unsigned integer arithmetic according to the circuit variable constraint relation table specifically comprises:

and outputting the variable array according to the mapping relation between the variable and the SHA256 intermediate value and the input SHA256 intermediate value.

4. The method as claimed in claim 3, wherein completing the accelerated synthesis of the proof circuit by outputting the variable array and the constraint vector values using 32-bit unsigned integer arithmetic according to the circuit variable constraint relation table specifically comprises:

and outputting the value of the constraint vector according to the mapping relation between the constraint vector and the variable array and the obtained variable array.

5. An apparatus for accelerating synthesis of a SHA256 hash algorithm zero knowledge proof circuit, the apparatus comprising:

the pre-operation module is used for pre-generating a circuit variable constraint relation table;

and the parameter operation module is used for outputting the variable array and the constraint vector values using 32-bit unsigned integer arithmetic according to the circuit variable constraint relation table, thereby completing the accelerated synthesis of the proof circuit.

6. The synthesis acceleration device for the SHA256 hash algorithm zero knowledge proof circuit of claim 5, wherein the pre-operation module is specifically configured to:

the variable constraint relation table records the mapping relation between Boolean variables and SHA256 intermediate values in the SHA256 calculation process and the mapping relation between constraint vectors and variable arrays, and the types of the SHA256 intermediate values are 32-bit unsigned integers.

7. The synthesis acceleration device for the SHA256 hash algorithm zero knowledge proof circuit of claim 5, wherein the parameter operation module is specifically configured to:

and outputting the variable array according to the mapping relation between the variable and the SHA256 intermediate value and the input SHA256 intermediate value.

8. The synthesis acceleration device for the SHA256 hash algorithm zero knowledge proof circuit of claim 5, wherein the parameter operation module is further configured to:

and outputting the value of the constraint vector according to the mapping relation between the constraint vector and the variable array and the obtained variable array.

9. A computer storage medium comprising one or more program instructions for executing the synthesis acceleration method of any one of claims 1 to 4 by a synthesis acceleration apparatus of a SHA256 hash algorithm zero knowledge proof circuit.

Technical Field

The embodiment of the invention relates to the technical field of data security, in particular to a synthesis acceleration method and device of a SHA256 Hash algorithm zero knowledge proof circuit.

Background

The SHA256 hash algorithm is a classical hash algorithm that can convert data of an arbitrary length into data of a fixed length. The SHA256 hash algorithm is very collision resistant and is not reversible. The SHA hash algorithm is widely applied in data signatures, data consistency, privacy protection, user password protection and the like. Zero knowledge proof is a cryptographic technique that proves that data satisfies certain properties without revealing the data itself. In some scenarios, in addition to the SHA256 hash computation result, a proof of the SHA256 hash computation may be generated by a zero knowledge proof. For example, in a privacy-preserving scenario, the result of a SHA256 hash calculation can be proved to be correct without revealing the original data. In addition, proofs of SHA256 hash calculation are well applied in the blockchain industry. For example, the firchoice project, by providing proofs of SHA256 calculations, proves the existence of data without providing the original data.

The calculation process of SHA256 can be divided into two parts: 1. input data expansion, and 2. 64 rounds of iterative calculation on the data. The output of each iteration is the input of the next iteration, and the iterative algorithm is fixed. The conventional SHA256 proof circuit construction generates the corresponding constraints step by step, following the calculation process of SHA256. The input expansion adds some variables whose constraint relations satisfy the input expansion algorithm; then, for the 64 rounds of iterative operation, the individual constraints of each iteration are constructed in sequence according to the iterative algorithm. This takes a long time and does not facilitate effective verification of data security and data consistency.

Disclosure of Invention

Therefore, the embodiment of the invention provides a synthesis acceleration method and a synthesis acceleration device for a SHA256 hash algorithm zero knowledge proof circuit, which can further realize effective verification on data safety and data consistency by accelerating zero knowledge proof of hash calculation.

In order to achieve the above object, the embodiments of the present invention provide the following technical solutions:

according to a first aspect of the embodiments of the present invention, a synthesis acceleration method for a SHA256 hash algorithm zero knowledge proof circuit is provided, where the method includes:

pre-generating a circuit variable constraint relation table;

and, according to the circuit variable constraint relation table, outputting the variable array and the constraint vector values using 32-bit unsigned integer arithmetic, thereby completing the accelerated synthesis of the proof circuit.

Further, the pre-generating of the circuit variable constraint relation table specifically includes:

the variable constraint relation table records the mapping relation between Boolean variables and SHA256 intermediate values in the SHA256 calculation process and the mapping relation between constraint vectors and variable arrays, and the types of the SHA256 intermediate values are 32-bit unsigned integers.

Further, completing the accelerated synthesis of the proof circuit by outputting the variable array and the constraint vector values using 32-bit unsigned integer arithmetic according to the circuit variable constraint relation table specifically comprises:

and outputting the variable array according to the mapping relation between the variable and the SHA256 intermediate value and the input SHA256 intermediate value.

Further, completing the accelerated synthesis of the proof circuit by outputting the variable array and the constraint vector values using 32-bit unsigned integer arithmetic according to the circuit variable constraint relation table specifically comprises:

and outputting the value of the constraint vector according to the mapping relation between the constraint vector and the variable array and the obtained variable array.

According to a second aspect of the embodiments of the present invention, there is provided a synthesis acceleration apparatus for a SHA256 hash algorithm zero-knowledge proof circuit, the apparatus including:

the pre-operation module is used for pre-generating a circuit variable constraint relation table;

and the parameter operation module is used for outputting the variable array and the constraint vector values using 32-bit unsigned integer arithmetic according to the circuit variable constraint relation table, thereby completing the accelerated synthesis of the proof circuit.

Further, the pre-operation module is specifically configured to:

the variable constraint relation table records the mapping relation between Boolean variables and SHA256 intermediate values in the SHA256 calculation process and the mapping relation between constraint vectors and variable arrays, and the types of the SHA256 intermediate values are 32-bit unsigned integers.

Further, the parameter operation module is specifically configured to:

and outputting the variable array according to the mapping relation between the variable and the SHA256 intermediate value and the input SHA256 intermediate value.

Further, the parameter operation module is specifically further configured to:

and outputting the value of the constraint vector according to the mapping relation between the constraint vector and the variable array and the obtained variable array.

According to a third aspect of embodiments of the present invention, there is provided a computer storage medium having one or more program instructions embodied therein, the one or more program instructions being configured to be executed by a synthesis acceleration apparatus of a SHA256 hash algorithm zero knowledge proof circuit to perform the synthesis acceleration method as described in any one of the above.

The embodiment of the invention has the following advantages:

The embodiment of the invention provides a synthesis acceleration method and a synthesis acceleration device for a SHA256 hash algorithm zero knowledge proof circuit. By utilizing the speed advantage of 32-bit unsigned integer arithmetic, the synthesis time of the SHA256 proof circuit can be reduced to about 1/3 of the original time, and accelerating the zero knowledge proof of hash calculation further enables effective verification of data security and data consistency.

Drawings

In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. It should be apparent that the drawings in the following description are merely exemplary, and that other embodiments can be derived from the drawings provided by those of ordinary skill in the art without inventive effort.

Fig. 1 is a schematic flowchart of a synthesis acceleration method for a SHA256 hash algorithm zero-knowledge proof circuit according to embodiment 1 of the present invention;

Fig. 2 is a schematic diagram of SHA256 hash algorithm zero knowledge proof;

Fig. 3 is the synthesis process of a conventional SHA256 hash zero knowledge proof circuit;

Fig. 4 is the synthesis process of a SHA256 hash algorithm zero knowledge proof circuit according to embodiment 1 of the present invention;

Fig. 5 is an operation flowchart of a synthesis acceleration method for a SHA256 hash algorithm zero knowledge proof circuit according to embodiment 1 of the present invention.

Detailed Description

The present invention is described in terms of particular embodiments, other advantages and features of the invention will become apparent to those skilled in the art from the following disclosure, and it is to be understood that the described embodiments are merely exemplary of the invention and that it is not intended to limit the invention to the particular embodiments disclosed. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

Example 1

As shown in fig. 1, this embodiment proposes a synthesis acceleration method for a SHA256 hash algorithm zero-knowledge proof circuit, where the method includes:

S100, pre-generating a circuit variable constraint relation table;

S200, according to the circuit variable constraint relation table, outputting the variable array and the constraint vector values using 32-bit unsigned integer arithmetic, thereby completing the accelerated synthesis of the proof circuit.

The calculation process of the SHA256 algorithm is composed of a series of simpler operations, and each intermediate operation has input and output. The inputs and outputs of these intermediate operations are numbered and are said to be "variables".

Further, the pre-generating of the circuit variable constraint relation table specifically includes:

the variable constraint relation table records the mapping relation between Boolean variables and SHA256 intermediate values in the SHA256 calculation process and the mapping relation between constraint vectors and variable arrays, and the types of the SHA256 intermediate values are 32-bit unsigned integers.

Further, completing the accelerated synthesis of the proof circuit by outputting the variable array and the constraint vector values using 32-bit unsigned integer arithmetic according to the circuit variable constraint relation table specifically comprises:

and outputting the variable array according to the mapping relation between the variable and the SHA256 intermediate value and the input SHA256 intermediate value.

Further, completing the accelerated synthesis of the proof circuit by outputting the variable array and the constraint vector values using 32-bit unsigned integer arithmetic according to the circuit variable constraint relation table specifically comprises:

and outputting the value of the constraint vector according to the mapping relation between the constraint vector and the variable array and the obtained variable array.

The conventional SHA256 circuit construction generates the corresponding constraints step by step according to the SHA256 calculation process. The input expansion adds variables whose constraint relationships satisfy the input expansion algorithm. Next, for the 64 rounds of iterative operations, the constraints of each iteration are constructed in sequence according to the iterative algorithm, as shown in Fig. 2 and Fig. 3. In fact, there is a fixed relationship (determined by the SHA256 algorithm) between the variables and the constraints of these circuits. If these relationships are known, the circuit constraints can be constructed from a relation table and no longer need to be generated step by step following the computation. The relation table of the circuit constraints can be generated in advance and then used directly when the specific circuit constraints are generated, as shown in Fig. 4.

In the method, SHA256 proof circuit synthesis is divided into two stages:

1. a pre-calculation stage;

2. calculating the variables vars and the constraint vectors.

In our scenario (zero knowledge proof technology), the function of the logic circuit is represented by a set of complex quadratic equations. For example, exclusive-or (XOR), x XOR y = z, is described by x + y - z = (2x) * y, where x, y, z are variables and the constraint values a, b, c are a = 2x, b = y, c = x + y - z.

Specifically, this set of information is obtained by pre-calculating over the SHA256 function. Using this information, as shown in Fig. 5, SHA256 circuit synthesis is divided into three steps:

1. calculating SHA256 words;

2. using var_map to assist in calculating the values of all the boolean variables vars in the SHA256 proof circuit;

3. calculating three sets of vectors using r1cs_a_map, r1cs_b_map, r1cs_c_map and the vars calculated in the first step.

Here, the intermediate results in the SHA256 calculation process are all 32-bit data, referred to as SHA256 words (1 word is 32 bits of data); var_map is a pre-calculated relation table that records the relation between variable values and the SHA256 intermediate results; r1cs_a_map is a pre-calculated relation table that records the linear combination relation a_i = \sum_j A_ij * x_j. Due to the particularities of the SHA256 circuit, A_ij and x_j are both Boolean values (0/1).

1. Precomputation phase

At this stage, we have to process the SHA256 function. The basic operation unit of the SHA256 function is 32bits, and the types of calculation performed can be classified into the following three types:

· Shift: move to the right and left cyclically

· Bit operations: not, and, xor

· Integer addition

The result of the pre-calculation is the association between the boolean variables and the SHA256 words, so that the values of the boolean variables can be calculated from the SHA256 words.

·VAR_MAP

The type is declared as int -> (int, int, bool).

If is_not = true, then vars[var_idx] = !words[word_idx][bit_idx];

if is_not = false, then vars[var_idx] = words[word_idx][bit_idx].

Specifically: traverse the var_map mapping table; for the quadruple (var_idx, word_idx, bit_idx, is_not) of each row in the table, set the element with subscript var_idx in the vars array to the bit_idx-th bit of the element with subscript word_idx in the words array, and if is_not is true, assign the inverse of that bit instead.

·R1CS_MAP

r1cs_a_map: cs_idx -> vector<(sign, w, var_idx)>, type declaration is int -> (int, int, int).

a = \sum (-1)^sign * 2^w * vars[var_idx]

r1cs_b_map is defined similarly to r1cs_a_map;

r1cs_c_map is defined similarly to r1cs_a_map.

Specifically: traverse the r1cs_a_map mapping table, each row of which consists of an integer cs_idx and an array of triples (sign, w, var_idx). First, calculate an array arr, each term of which is equal to (-1)^sign * 2^w * vars[var_idx]; then sum its terms; finally, set the element with index cs_idx in the a array to that sum.

The processing of these three basic calculations is different:

Shift: only one word is added; no variables and no constraint vectors are added;

Bit operation: a word is added and 32 boolean variables are added;

the specific process for obtaining the table r1cs_a_map by pre-calculation is as follows:

c = and(a, b)

r1cs_a_map adds (cs_idx, [(0, 0, idx_a)])

r1cs_b_map adds (cs_idx, [(0, 0, idx_b)])

r1cs_c_map adds (cs_idx, [(0, 0, idx_c)])

c = xor(a, b)

r1cs_a_map adds (cs_idx, [(0, 1, idx_a)])

r1cs_b_map adds (cs_idx, [(0, 0, idx_b)])

r1cs_c_map adds (cs_idx, [(0, 0, idx_a), (0, 0, idx_b), (1, 0, idx_c)])

Integer addition (ret = a1 + a2 + ... + an): two words are added, at least 32 boolean variables are added and at least 32 boolean constraints are added, with a constraint of the form (\sum a1_bits[i] * 2^i + a2_bits[i] * 2^i + ... + an_bits[i] * 2^i) * 1 = 2^j.

r1cs_a_map adds (cs_idx, [(0, 0, a1_bits[0]), ..., (0, 31, a1_bits[31]), ..., (0, 0, an_bits[0]), ..., (0, 31, an_bits[31])])

r1cs_b_map adds (cs_idx, [(0, 0, 0)])

r1cs_c_map adds (cs_idx, [(0, 0, res[0]), ..., (0, 31, res[31]), (0,31,) and

2. calculation phase

2.1 calculate vars

The algorithm inputs are

·var_map: int -> (int, int, bool), obtained from the pre-computation stage

·SHA256 words

The algorithm comprises the following steps:

1. initializing an array vars [ ];

2. traversing each key-value item (var_idx, (word_idx, bit_idx, is_not)) of var_map:

b = (words[word_idx] >> bit_idx) & 1;

if b is equal to 0, let bit = false; otherwise, let bit = true;

if is_not = true, let vars[var_idx] = !bit (the inverse, as defined for var_map in the pre-calculation stage);

otherwise let vars[var_idx] = bit.

3. Output array vars

2.2 calculation of a

The algorithm inputs are:

r1cs_a_map: int -> vector<(int, int, int)>, obtained by calculation in the pre-calculation stage

Array vars calculated in 2.1

The algorithm flow is as follows:

1. initializing an array a [ ];

2. traversing each key-value entry (cs_idx, vector<(sign, w, var_idx)>) of r1cs_a_map:

initialize a[cs_idx] = 0;

traverse each entry (sign, w, var_idx) in the array:

if sign is equal to 0, let coeff = (1 << w) * vars[var_idx];

otherwise let coeff = -(1 << w) * vars[var_idx] (so that coeff = (-1)^sign * 2^w * vars[var_idx]);

a[cs_idx] += coeff;

3. outputting the array a.

2.3 calculation of b

The algorithm inputs are:

r1cs_b_map: int -> vector<(int, int, int)>, obtained by calculation in the pre-calculation stage

Array vars calculated in 2.1

The calculation procedure is the same as in section 2.2.

2.4 calculation of c

The algorithm inputs are:

r1cs_c_map: int -> vector<(int, int, int)>, obtained by calculation in the pre-calculation stage

Array vars calculated in 2.1

The calculation procedure was the same as 2.2.

In prior-art implementations of SHA256 circuit synthesis, the values of the variables are computed by addition and multiplication over a finite field, and the constraint vectors are likewise computed by finite-field arithmetic operations.
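The pre-calculation and calculation stages above, carried through for SHA256's Ch(e, f, g) = (e AND f) XOR ((NOT e) AND g), as an added example that is not code from the patent. The variable numbering, the helper names and the use of is_not to represent NOT e without a new word are assumptions; the sign convention follows a = \sum (-1)^sign * 2^w * vars[var_idx].

```python
MASK = 0xFFFFFFFF             # SHA256 words are 32-bit unsigned integers
E, F, G, P, Q, R = range(6)   # word indices: e, f, g, p = e&f, q = ~e&g, r = p^q

def var(word, bit):
    """Variable numbering (assumed layout); slot 6 holds the NOT e bits."""
    return 32 * word + bit

def precompute():
    """Pre-calculation stage: the tables depend on circuit shape only, not on data."""
    var_map = {}                      # var_idx -> (word_idx, bit_idx, is_not)
    a_map, b_map, c_map = {}, {}, {}  # cs_idx  -> [(sign, w, var_idx), ...]
    for bit in range(32):
        for word in range(6):
            var_map[var(word, bit)] = (word, bit, False)
        not_e = var(6, bit)
        var_map[not_e] = (E, bit, True)       # read from word e, inverted
        cs = 3 * bit
        # p = and(e, f):      e * f = p
        a_map[cs] = [(0, 0, var(E, bit))]
        b_map[cs] = [(0, 0, var(F, bit))]
        c_map[cs] = [(0, 0, var(P, bit))]
        # q = and(not e, g):  (not e) * g = q
        a_map[cs + 1] = [(0, 0, not_e)]
        b_map[cs + 1] = [(0, 0, var(G, bit))]
        c_map[cs + 1] = [(0, 0, var(Q, bit))]
        # r = xor(p, q):      (2p) * q = p + q - r
        a_map[cs + 2] = [(0, 1, var(P, bit))]
        b_map[cs + 2] = [(0, 0, var(Q, bit))]
        c_map[cs + 2] = [(0, 0, var(P, bit)), (0, 0, var(Q, bit)),
                         (1, 0, var(R, bit))]
    return var_map, a_map, b_map, c_map

def sha_words(e, f, g):
    """Step 1: the SHA256 words, using plain 32-bit integer operations."""
    p = e & f
    q = (~e & MASK) & g
    return [e, f, g, p, q, p ^ q]

def calc_vars(var_map, words):
    """Step 2 (section 2.1): read every boolean variable out of the words."""
    vars_ = [0] * len(var_map)
    for var_idx, (word_idx, bit_idx, is_not) in var_map.items():
        bit = (words[word_idx] >> bit_idx) & 1
        vars_[var_idx] = bit ^ 1 if is_not else bit
    return vars_

def calc_vector(r1cs_map, vars_):
    """Step 3 (sections 2.2-2.4): one value per constraint. A negative result
    stands for the negated field element in a real proof system."""
    out = [0] * len(r1cs_map)
    for cs_idx, terms in r1cs_map.items():
        out[cs_idx] = sum((-1) ** sign * (1 << w) * vars_[v]
                          for sign, w, v in terms)
    return out

def synthesize(tables, words):
    var_map, a_map, b_map, c_map = tables
    vars_ = calc_vars(var_map, words)
    return tuple(calc_vector(m, vars_) for m in (a_map, b_map, c_map))

def failing(a, b, c):
    """Indices of constraints where a * b != c (empty list = satisfied)."""
    return [i for i, (x, y, z) in enumerate(zip(a, b, c)) if x * y != z]

if __name__ == "__main__":
    tables = precompute()
    words = sha_words(0x510E527F, 0x9B05688C, 0x1F83D9AB)  # constructed input
    print("honest words:", failing(*synthesize(tables, words)))
    words[R] ^= 1                                          # inconsistent word
    print("tampered word:", failing(*synthesize(tables, words)))
```

The tables only shortcut how the variable and vector values are filled in; a word that does not match the SHA256 computation still violates its constraint, which is what the tampered run shows.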

Example 2

Corresponding to the above embodiment 1, this embodiment proposes a synthesis acceleration apparatus for a SHA256 hash algorithm zero-knowledge proof circuit, the apparatus including:

the pre-operation module is used for pre-generating a circuit variable constraint relation table;

and the parameter operation module is used for outputting the variable array and the constraint vector values using 32-bit unsigned integer arithmetic according to the circuit variable constraint relation table, thereby completing the accelerated synthesis of the proof circuit.

Further, the pre-operation module is specifically configured to:

the variable constraint relation table records the mapping relation between Boolean variables and SHA256 intermediate values in the SHA256 calculation process and the mapping relation between constraint vectors and variable arrays, and the types of the SHA256 intermediate values are 32-bit unsigned integers.

Further, the parameter operation module is specifically configured to:

and outputting the variable array according to the mapping relation between the variable and the SHA256 intermediate value and the input SHA256 intermediate value.

Further, the parameter operation module is specifically further configured to:

and outputting the value of the constraint vector according to the mapping relation between the constraint vector and the variable array and the obtained variable array.

The functions executed by each component in the synthesis accelerator of the SHA256 hash algorithm zero knowledge proof circuit provided in the embodiment of the present invention are described in detail in the above embodiment 1, and therefore, redundant description is not repeated here.

Example 3

In correspondence with the above embodiments, the present embodiment proposes a computer storage medium containing one or more program instructions for executing the method of embodiment 1 by a synthesis acceleration apparatus of a SHA256 hash algorithm zero knowledge proof circuit.

Although the invention has been described in detail above with reference to a general description and specific examples, it will be apparent to one skilled in the art that modifications or improvements may be made thereto based on the invention. Accordingly, such modifications and improvements are intended to be within the scope of the invention as claimed.
