Circuit synthesis method, apparatus, medium, and data storage proving system

Document No. 782667, published 2021-04-09 (original language: Chinese)

Reading note: this technology, "电路合成方法、设备、介质和数据存储证明系统" (Circuit synthesis method, apparatus, medium, and data storage proving system), was created by Li Xing (李星), Xia Kunxian (夏坤贤) and Zhang Shouheng (张守恒) on 2020-08-18. Its main content: the invention provides a circuit synthesis method, apparatus, computer storage medium and data storage proof system for zero-knowledge proof. The method comprises, by a proof unit performing zero-knowledge proof: generating a parent constraint system for the data to be proved based on the logic circuit of the data to be proved; transmitting the parent constraint system to a plurality of processing units; receiving a plurality of different first-order constraint system components generated by the plurality of processing units in parallel, wherein each first-order constraint system component comprises the parent constraint system and a child constraint system, and the child constraint system is obtained based on the parent constraint system; combining the plurality of different first-order constraint system components to obtain the first-order constraint system; and constructing a zero-knowledge proof for the data to be proved based on the first-order constraint system.

1. A circuit synthesis method for zero knowledge proof, comprising, by a proof unit that performs zero knowledge proof:

generating a parent constraint system for the data to be proved based on the logic circuit of the data to be proved;

transmitting the parent constraint system to a plurality of processing units;

receiving a plurality of different first-order constraint system components generated by the plurality of processing units in parallel, wherein each first-order constraint system component comprises the parent constraint system and a child constraint system, and the child constraint system is obtained based on the parent constraint system;

combining the plurality of different first order constraint system components to obtain the first order constraint system; and

constructing a zero-knowledge proof for the data to be proved based on the first order constraint system.

2. The circuit synthesis method of claim 1, wherein generating a parent constraint system for the data to be proved based on the logic circuit of the data to be proved comprises:

determining a plurality of first type variables and a plurality of second type variables of the first order constraint system and the number of constraints of the first order constraint system based on the logic circuit of the data to be proved;

determining a plurality of constraint coefficient matrices of the first order constraint system based on the logic circuit of the data to be proved; and

determining the parent constraint system based on a common circuit portion of logic circuitry for data to be proven, wherein the parent constraint system corresponds to at least one parent constraint in the constraint coefficient matrix and a first number of variables under the at least one parent constraint, wherein the first number of variables is at least a portion of the plurality of first type variables and the plurality of second type variables.

3. The circuit synthesis method according to claim 2, wherein the plurality of constraint coefficient matrices include a first constraint coefficient matrix indicating a plurality of first constraints, a second constraint coefficient matrix indicating a plurality of second constraints, and a third constraint coefficient matrix indicating a plurality of third constraints, wherein for the plurality of constraint coefficient matrices the product of a first constraint and a second constraint equals a third constraint.

4. The circuit synthesis method of claim 2, further comprising, by each processing unit of the plurality of processing units:

receiving the parent constraint system from the proof unit;

selecting at least one child constraint different from the at least one parent constraint in the parent constraint system based on the constraint coefficient matrix, and assigning a value to the at least one child constraint based on the values taken by the first number of variables under the at least one child constraint to produce a first sub-matrix of a child constraint system;

selecting a second number of variables from the plurality of variables of the first type and the plurality of variables of the second type, the second number of variables being different from the first number of variables in the parent constraint system, and assigning values to the second number of variables based on the constraint coefficient matrix to generate a second sub-matrix of the child constraint system; and

forming a first-order constraint system component based on the parent constraint system and the first sub-matrix and the second sub-matrix of the child constraint system.

5. The circuit synthesis method of claim 4, wherein the processing unit constructing a first order constraint system component based on the parent constraint system, the first sub-matrix and the second sub-matrix of the child constraint system comprises:

the processing unit forms a lower triangular matrix from the parent constraint system, the first sub-matrix and the second sub-matrix of the child constraint system, and an all-zero matrix, to be used as the first-order constraint system component.

6. The circuit synthesis method of claim 3, wherein the proof unit combining the plurality of different first order constraint system components to obtain the first order constraint system comprises:

constructing the first-order constraint system by using the parent constraint system as the first sub-matrix element of the first-order constraint system, using the first sub-matrices of the plurality of child constraint systems as column elements of the first-order constraint system, using the second sub-matrices of the plurality of child constraint systems as diagonal elements of the first-order constraint system, and setting the other elements of the first-order constraint system to 0.

7. A circuit synthesis apparatus for zero knowledge proof, comprising:

a memory having computer program code stored thereon; and

a processor configured to execute the computer program code to perform the method of any of claims 1 to 6.

8. A computer readable storage medium having stored thereon computer program code which, when executed, performs the method of any of claims 1 to 6.

9. A data storage attestation system comprising an attestation unit and a plurality of processing units, wherein the attestation unit is configured to:

performing label calculation, hash calculation and coding calculation on the original data and constructing a Merkle tree for storage;

selecting a plurality of columns of data from the stored raw data, wherein each column of data comprises a plurality of data blocks;

constructing a generic circuit for the multi-column data, the generic circuit for generating a parent constraint system for the multi-column data based on a common circuit portion of the logic circuit for the multi-column data;

transmitting the parent constraint system to a plurality of processing units;

receiving a plurality of different first order constraint system components generated in parallel by the plurality of processing units, wherein each first order constraint system component comprises the parent constraint system and a child constraint system, and the child constraint system is obtained by the processing units based on the parent constraint system by utilizing one of a plurality of spot check sub-circuits;

combining the plurality of different first order constraint system components to obtain the first order constraint system; and

constructing a zero-knowledge proof for the columns of data based on the first order constraint system for proving that the proof unit stores the raw data.

10. The data storage attestation system of claim 9, wherein the attestation unit is further configured to:

determining a plurality of first type variables and a plurality of second type variables of the first order constraint system and the number of constraints of the first order constraint system based on the logic circuit of the multi-column data;

determining a plurality of constraint coefficient matrices of the first order constraint system based on the logic circuit of the plurality of columns of data; and

determining a parent constraint system based on a common circuit portion of the logic circuit for the plurality of columns of data, wherein the parent constraint system corresponds to at least one parent constraint in a constraint coefficient matrix and a first number of variables under the at least one parent constraint, wherein the first number of variables is at least a portion of the plurality of first type variables and the plurality of second type variables.

11. The data storage attestation system of claim 10, wherein each processing unit of the plurality of processing units is configured to:

receiving the parent constraint system from the attestation unit;

determining a plurality of constraint coefficient matrices of the first order constraint system based on the logic circuit of the plurality of columns of data;

constructing a spot check sub-circuit based on the constraint coefficient matrix, using the spot check sub-circuit to select at least one child constraint different from the at least one parent constraint in the parent constraint system, and assigning values to the at least one child constraint based on the values of the first number of variables under the at least one child constraint to generate a first sub-matrix of a child constraint system;

selecting a second number of variables from the plurality of variables of the first type and the plurality of variables of the second type that is different from the first number of variables in the parent constraint system, and assigning values to the second number of variables based on the constraint coefficient matrix to generate a second sub-matrix of the child constraint system; and

forming a first-order constraint system component based on the parent constraint system and the first sub-matrix and the second sub-matrix of the child constraint system.

Technical Field

The present invention relates to the field of zero knowledge proof, and more particularly, to a circuit synthesis method, apparatus, computer storage medium, and data storage proof system using the same for zero knowledge proof.

Background

A zero knowledge proof means that the prover can convince the verifier that some argument is correct without revealing any useful information. In a typical zero-knowledge proof process, a prover claims certain public parameters to meet certain assertions, and generates a zero-knowledge proof (ZKP) with some algorithm based on these public parameters and certain private parameters. The verifier can verify the zero-knowledge proof based on public parameters according to the corresponding algorithm, i.e. the proof is deemed to be true by verification.

Currently, zero-knowledge proof methods are widely applied in the fields of blockchain technology, digital currency, multi-party computation, secure computation, and the like. However, for many zero-knowledge proof methods, such as zk-SNARK (Zero-Knowledge Succinct Non-interactive Argument of Knowledge), the proof generation time is long in the case of large circuits, which seriously affects the implementation of applications that rely on zero-knowledge proof.

In particular, in the process of producing a zero-knowledge proof (e.g., zk-SNARK), the prover needs to convert the logic to be proved (also referred to as the proof logic) into a QAP (Quadratic Arithmetic Program). In this process, it is necessary to synthesize the logic circuit to generate a Constraint System (CS). Currently, the conventional circuit synthesis algorithm does not consider the specific structure of the logic circuit and directly performs circuit synthesis in a serial manner, so that the time required for circuit synthesis is too long, which hinders the generation of the zero-knowledge proof.

Disclosure of Invention

In view of the above problems, the inventors of the present invention have studied and demonstrated that, by elaborately designing a constraint system, it is possible to make at least a part of the constraint system perform circuit synthesis in parallel, thereby accelerating the generation of the entire constraint system. The present invention provides a circuit synthesis method for zero-knowledge proof and a data storage proof system using the method.

According to an aspect of the present invention, there is provided a circuit synthesis method for zero knowledge proof, including, by a proof unit that performs zero knowledge proof: generating a parent constraint system for the data to be proved based on the logic circuit of the data to be proved; transmitting the parent constraint system to a plurality of processing units; receiving a plurality of different first-order constraint system components generated by the plurality of processing units in parallel, wherein each first-order constraint system component comprises the parent constraint system and a child constraint system, and the child constraint system is obtained based on the parent constraint system; combining the plurality of different first order constraint system components to obtain the first order constraint system; and constructing a zero-knowledge proof for the data to be proved based on the first order constraint system.

According to another aspect of the invention, a circuit synthesis apparatus for zero knowledge proof is provided. The apparatus comprises: a memory having computer program code stored thereon; and a processor configured to execute the computer program code to perform the method as described above.

According to yet another aspect of the invention, a computer-readable storage medium is provided, having stored thereon computer program code, which when executed performs the method as described above.

According to yet another aspect of the present invention, a data storage attestation system is provided that includes an attestation unit and a plurality of processing units. The attestation unit is configured to: perform label calculation, hash calculation and coding calculation on the original data and construct a Merkle tree for storage; select a plurality of columns of data from the stored raw data, wherein each column of data comprises a plurality of data blocks; construct a general circuit for the multi-column data, wherein the general circuit is used for generating a parent constraint system for the multi-column data based on the logic circuit of the multi-column data; transmit the parent constraint system to a plurality of processing units; receive a plurality of different first-order constraint system components generated by the plurality of processing units in parallel, wherein each first-order constraint system component comprises the parent constraint system and a child constraint system, and the child constraint system is obtained based on the parent constraint system by utilizing one of a plurality of spot-check sub-circuits; combine the plurality of different first order constraint system components to obtain the first order constraint system; and construct a zero-knowledge proof for the columns of data based on the first order constraint system for proving that the proof unit stores the raw data.

By using the scheme of the invention, the generation of the zero knowledge proof is accelerated by executing circuit synthesis in parallel to generate a constraint system.

Drawings

FIG. 1 shows a flow diagram of a circuit synthesis method for zero knowledge proof according to an embodiment of the invention;

FIG. 2 illustrates an exemplary flow diagram of the steps in a circuit synthesis method to generate a parent constraint system in accordance with an embodiment of the present invention;

FIG. 3 illustrates an exemplary flow diagram of the steps in a circuit synthesis method to generate first order constraint system components according to an embodiment of the invention;

FIG. 4 shows a schematic diagram of an application system utilizing the circuit synthesis method for zero knowledge proof of knowledge of the present invention;

FIG. 5 shows a schematic diagram of a data processing procedure in the application system of FIG. 4;

FIG. 6 shows a schematic diagram of a logic circuit structure in the application system of FIG. 4; and

FIG. 7 shows a schematic block diagram of an example device that may be used to implement an embodiment of the invention.

Detailed Description

The embodiments of the present invention will be described in detail below with reference to the accompanying drawings in order to more clearly understand the objects, features and advantages of the present invention. It should be understood that the embodiments shown in the drawings are not intended to limit the scope of the present invention, but are merely intended to illustrate the spirit of the technical solution of the present invention.

In the following description, for the purposes of illustrating various inventive embodiments, certain specific details are set forth in order to provide a thorough understanding of the various inventive embodiments. One skilled in the relevant art will recognize, however, that the embodiments may be practiced without one or more of the specific details. In other instances, well-known devices, structures and techniques associated with this application may not be shown or described in detail to avoid unnecessarily obscuring the description of the embodiments.

Throughout the specification and claims, the word "comprise" and variations thereof, such as "comprises" and "comprising," are to be understood as an open, inclusive meaning, i.e., as being interpreted to mean "including, but not limited to," unless the context requires otherwise.

Reference throughout this specification to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment. Thus, the appearances of the phrases "in one embodiment" or "in an embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.

As used in the specification and the appended claims, the singular forms "a", "an", and "the" include plural referents unless the context clearly dictates otherwise. It should be noted that the term "or" is generally employed in its sense including "and/or" unless the context clearly dictates otherwise.

As previously mentioned, there are a wide variety of existing zero-knowledge proof methods, including interactive and non-interactive proof methods, where a non-interactive proof method does not require interaction between the prover and the verifier to generate the proof, a significant advantage over interactive methods. zk-SNARK is a common class of non-interactive zero-knowledge proof methods today, and the scheme of the present invention is described below by way of example using Groth16, a zk-SNARK method. However, those skilled in the art will appreciate that the concepts of the present invention can readily be extended to other zero-knowledge proof methods as long as the method involves the construction of a constraint system.

Groth16 is an efficient zk-SNARK designed by Jens Groth; it produces smaller proofs and verifies faster. The complete Groth16 proof system includes three processes, corresponding to three algorithms: setup, proving, and verification. The setup algorithm creates a proving key and a verification key, and the verification algorithm uses the verification key to check a proof and decide whether to accept or reject it. For one QAP instance the setup algorithm runs only once, the created proving and verification keys are public to the prover and the verifier, and the verification algorithm is very fast to compute. The key factor determining the speed of the overall Groth16 proof system is therefore the execution speed of the proving part (the proving algorithm). In performing this proof, an important process is the circuit synthesis of the logic circuit to generate a constraint system, such as a first order constraint system (Rank-1 Constraint System, R1CS). Thus, speeding up the generation of the constraint system speeds up the entire zero-knowledge proof process.

FIG. 1 shows a flow diagram of a circuit synthesis method 100 for zero knowledge proof in accordance with an embodiment of the invention.

In summary, unlike the conventional method of directly constructing a complete constraint system, the circuit synthesis method for zero knowledge proof shown in fig. 1 constructs a complete first-order constraint system by constructing a plurality of first-order constraint system components in parallel and combining the components, so as to accelerate the construction process of the constraint system, and thus accelerate the process of the whole zero knowledge proof.

As shown in FIG. 1, method 100 includes step 110, in which the attestation unit generates a parent constraint system (Parent CS, hereinafter abbreviated P) for the data to be attested based on the logic circuit of the data to be attested.

Here, as is well known to those skilled in the art, in zk-SNARK the logic to be proved (i.e., the proving logic) may be flattened into a circuit relationship (referred to herein as a logic circuit) consisting of a plurality of gates, e.g., addition gates (+) and multiplication gates (×); note that subtraction and division may also be represented by an addition gate or a multiplication gate.

FIG. 2 shows an exemplary flowchart of the step 110 of generating the parent constraint system P in the circuit synthesis method 100 according to an embodiment of the present invention.

As shown in FIG. 2, step 110 may include sub-step 111, where the attestation unit determines a number of variables of the first type and a number of variables of the second type for R1CS and a number of constraints for R1CS based on logic of the data to be attested.

In the Groth16 algorithm, R1CS is used to describe a constraint system in which each constraint is of rank 1 (first order). The variables of R1CS can be divided into two types, public variables (public input) and non-public or auxiliary variables (aux input), so the total number of variables of R1CS is the sum of the number of public variables and the number of non-public variables. Depending on the logic, each variable may be assigned differently, and each such assignment is referred to as a constraint. That is, variables and constraints (assignments) are the two determinants of building a constraint system.

Next, at sub-step 112, the attestation unit determines a plurality of constraint coefficient matrices for R1CS based on the logic of the data to be attested.

In one embodiment, the plurality of constraint coefficient matrices includes a first constraint coefficient matrix A indicating a plurality of first constraints a, a second constraint coefficient matrix B indicating a plurality of second constraints b, and a third constraint coefficient matrix C indicating a plurality of third constraints c, wherein for the plurality of constraint coefficient matrices the product of the first constraint and the second constraint equals the third constraint, i.e. A * B = C.

The constraint coefficient matrices may be stored in terms of variables, for example, each constraint coefficient matrix may be represented in the form of table 1 below, which may be sparsely represented in terms of variables to reduce memory consumption:

TABLE 1 constraint coefficient matrix (table not reproduced on this page)

Here c0, c1, ..., c4 indicate the constraints in the constraint coefficient matrix (e.g., a total of 5 constraints are assumed in table 1), i0, i1 indicate variables of the first type (e.g., a total of 2 variables of the first type are assumed in table 1), aux0 ... aux6 indicate variables of the second type (e.g., a total of 7 variables of the second type are assumed in table 1), and the values in the table indicate the values of the corresponding variables under the corresponding constraints, e.g., the value "-1" in the cell corresponding to i0 and c1 is the value of the variable i0 under the constraint c1. As mentioned above, the first type of variable may be a public variable, which may be known to multiple nodes or units in the system, and the second type of variable may be an auxiliary variable, which is known only to a certain node or unit itself.

Next, in sub-step 113, the proving unit determines a parent constraint system P based on the common circuit portion of the logic circuit of the data to be proved, wherein the parent constraint system P corresponds to at least one constraint (hereinafter also referred to as a parent constraint) in a constraint coefficient matrix (e.g., constraint coefficient matrix A shown in table 1 above) and a first number of variables under the at least one parent constraint, wherein the first number of variables is at least a part of the plurality of first type variables i0, i1 and the plurality of second type variables aux0 ... aux6.

For example, assuming that the parent constraint system P determined by the proving unit from the common circuit portion of the logic circuit of the data to be proved corresponds to the constraint c0 shown in table 1, the parent constraint system P contains four variables under this constraint c0, namely the two first type variables i0 and i1 and the two second type variables aux0 and aux1, whose values are the values of i0, i1, aux0 and aux1 under constraint c0, namely 0 (shown as an empty cell in the table), -1, 1 and 2.

Here, the parent constraint system P need not be unique and may be constructed based on all or part of the common circuit portion of the logic circuit of the data to be proved, as will be appreciated by those skilled in the art. In one embodiment, the size of the parent constraint system P affects the overall constraint system generation speed: if P is small enough, near-linear acceleration can be achieved, as described below.

Next, at step 120, the proving unit transmits the generated parent constraint system P to the plurality of processing units.

At step 130, the plurality of processing units generate a plurality of different R1CS components in parallel based on the received parent constraint system P and the constraint coefficient matrix shown in table 1, wherein each R1CS component includes the parent constraint system P and a child constraint system subCS obtained based on the parent constraint system P and the constraint coefficient matrix.

FIG. 3 shows an exemplary flow diagram of the step 130 of generating the R1CS component in the circuit synthesis method 100 according to an embodiment of the invention.

As shown in FIG. 3, step 130 includes sub-step 131, in which a processing unit receives the parent constraint system P from the proving unit. As described above, assume that the parent constraint system P corresponds to the four variables i0, i1, aux0 and aux1 under constraint c0, which take the values 0, -1, 1 and 2, respectively.

Next, in sub-step 132, the processing unit determines at least one child constraint that is different from the at least one parent constraint in the parent constraint system P based on a constraint coefficient matrix (e.g., constraint coefficient matrix A as shown in table 1 above), and assigns values to the at least one child constraint based on the values taken by the first number of variables under the at least one child constraint to generate a first sub-matrix P1 of a child constraint system subCS1.

As described above, assuming that the parent constraint system P corresponds to the four variables i0, i1, aux0 and aux1 under constraint c0, whose values are 0, -1, 1 and 2, respectively, constraints c1 and c2 may be selected as the child constraints of the first sub-matrix P1 and assigned based on the values of the four variables i0, i1, aux0 and aux1 under constraints c1 and c2, i.e., P1 contains the four variables i0, i1, aux0 and aux1 under the two constraints c1, c2, whose values are -1, 2, 0 and 28, 0, respectively.

In sub-step 133, the processing unit selects a second number of variables from the plurality of variables of the first type (i0, i1) and the plurality of variables of the second type (aux0 ... aux6), different from the first number of variables in the parent constraint system P, and assigns values to the second number of variables based on the constraint coefficient matrix (e.g., matrix A described above) to generate a second sub-matrix C1 of the child constraint system subCS1. Here, the second number may be the same as or different from the first number.

As described above, assuming that the first number of variables of the parent constraint system P includes the four variables i0, i1, aux0 and aux1 under constraint c0, whose values are 0, -1, 1 and 2, respectively, and the first sub-matrix P1 of the child constraint system subCS1 determined in sub-step 132 includes the four variables i0, i1, aux0 and aux1 under the two child constraints c1, c2, whose values are -1, 2, 0 and 28, 0 and 0, respectively, then in sub-step 133 the processing unit may select any of the variables other than i0, i1, aux0 and aux1 (e.g., aux2 and aux3) from all the variables and assign values to the selected variables aux2 and aux3 according to the constraint coefficient matrix; the two variables take the values 5, 3 and 3, 17, respectively.

Next, in sub-step 134, the processing unit constructs an R1CS component based on the parent constraint system P, the first sub-matrix P1 and the second sub-matrix C1 of the child constraint system subCS 1.

In one embodiment, the processing unit forms a lower triangular matrix from the parent constraint system P, the first and second sub-matrices P1 and C1 of the child constraint system subCS1, and the all-zero matrix 0 as the first order constraint system component. In this case, the R1CS component A1 may be represented as:

In the same manner, a plurality of processing units (such as the processing units 460_1, 460_2, 460_3 described below in connection with FIG. 4) may obtain a plurality of different R1CS components A1, A2, A3 in parallel, as shown below:

where P1, P2 and P3 indicate the first sub-matrices of the child constraint systems subCS1, subCS2 and subCS3 of the respective processing units, and C1, C2 and C3 indicate the second sub-matrices of the child constraint systems subCS1, subCS2 and subCS3 of the respective processing units; P1, P2 and P3 have different constraints from one another but the same variables, and C1, C2 and C3 have the same constraints as P1, P2 and P3 respectively but different variables.

Returning to FIG. 1, next, at step 140, the attestation unit receives the plurality of different R1CS components (e.g., R1CS components A1, A2, A3) from the plurality of processing units and merges them to obtain the complete R1CS.

In one embodiment, the proving unit constructs the R1CS by using the parent constraint system P as the first sub-matrix element of R1CS, using the first sub-matrices (e.g., first sub-matrices P1, P2, P3) of the plurality of child constraint systems subCS (e.g., child constraint systems subCS1, subCS2, subCS3) as column elements of R1CS, using the second sub-matrices (e.g., second sub-matrices C1, C2, C3) of the plurality of child constraint systems subCS as diagonal elements of R1CS, and setting the other elements of R1CS to 0. In this case, the constructed R1CS can be represented as:
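As an added illustration, not a display reproduced from the patent text, here is the block layout that the preceding paragraphs describe in words, written with the same symbols (P, P_k, C_k and 0 blocks):

$$
A_1=\begin{pmatrix} P & 0 \\ P_1 & C_1 \end{pmatrix},\qquad
\mathrm{R1CS}=\begin{pmatrix}
P   & 0   & 0   & 0   \\
P_1 & C_1 & 0   & 0   \\
P_2 & 0   & C_2 & 0   \\
P_3 & 0   & 0   & C_3
\end{pmatrix}
$$

The row blocks are the parent constraints followed by each processing unit's child constraints; the column blocks are the first number of variables followed by each unit's second number of variables. Multiplying by the stacked assignment $(v_0, v_1, v_2, v_3)$ gives $P v_0$ for the parent rows and $P_k v_0 + C_k v_k$ for unit $k$'s rows. The caveat a practitioner should check is that the off-block zeros are genuine zeros of the original coefficient matrix: a child constraint of unit $k$ must involve no variable that belongs to another unit $j$, and the parent constraints must involve none of the child variables, otherwise "setting other elements to 0" silently drops coefficients and the merged R1CS no longer describes the circuit.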

It can be seen that in the circuit synthesis method 100 described above, construction of the constraint system is accelerated by obtaining the individual R1CS components in parallel. In particular, if the parent constraint system P is kept small and the child constraint systems are of roughly equal size, the speed-up approaches linear in the number of processing units.

Next, at step 150, the proof unit performs a zero-knowledge proof for the data to be proved, which it stores, based on the R1CS obtained at step 140.

Specifically, when constructing the proof, the value of each constraint must be computed, i.e., the result obtained once every variable in the constraint has been assigned.

Taking the child constraint system subCS1 as an example: since it involves only the variables of the parent constraint system P and its own variables, its constraint values can be computed as

P1·v0 + C1·v1

where P1 is the first sub-matrix of subCS1, C1 is the second sub-matrix of subCS1 (as described above), v0 is the assignment to the variables of the parent constraint system P, and v1 is the assignment to the variables of the second sub-matrix C1 of subCS1. The constraint values of subCS1 are thus a function of v0 and v1 only.

After the child constraint systems subCS1, subCS2, subCS3 have all been evaluated, their results may be merged. Here P2 is the first sub-matrix of subCS2, C2 is the second sub-matrix of subCS2 (as described above), and v2 is the assignment to the variables of C2; P3 is the first sub-matrix of subCS3, C3 is the second sub-matrix of subCS3 (as described above), and v3 is the assignment to the variables of C3; v0 is, as before, the assignment to the parent constraint system P. Merging the R1CS components A1, A2, A3 into the R1CS and applying the stacked assignment (v0, v1, v2, v3) therefore yields the stacked constraint values

P·v0
P1·v0 + C1·v1
P2·v0 + C2·v2
P3·v0 + C3·v3

in which only v0 is shared across components, so each processing unit can evaluate its own block given v0 and its own vi.
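A compact, runnable sketch of steps 110 to 150 above, added here as an illustration; it is not code from the patent, nor from Bellman or rust-fil-proofs. Where the text speaks of a single constraint coefficient matrix, this sketch uses a genuine R1CS with three coefficient rows per constraint, (a·s)(b·s) = c·s, over the BLS12-381 scalar field. The parent circuit x·y = z and the child circuits (w_i is a bit, u_i = z·w_i) are hypothetical contents chosen only to exercise the parent/child split; threads stand in for the processing units 460.

```python
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, List, Tuple

# Scalar field of BLS12-381, the field Bellman's Groth16 backend works over.
R = 52435875175126190479447740508185965837690552500527637822603658699938581184513

Term = Dict[int, int]          # sparse row: variable index -> coefficient
Row = Tuple[Term, Term, Term]  # one R1CS constraint (a.s) * (b.s) = (c.s)
ONE = 0                        # variable 0 is the constant 1


class ConstraintSystem:
    def __init__(self, num_vars: int, rows: List[Row] = ()):
        self.num_vars = num_vars
        self.rows: List[Row] = list(rows)

    def alloc(self) -> int:
        self.num_vars += 1
        return self.num_vars - 1

    def enforce(self, a: Term, b: Term, c: Term) -> None:
        self.rows.append((dict(a), dict(b), dict(c)))


def build_parent() -> Tuple[ConstraintSystem, Dict[str, int]]:
    """Parent system P (sub-steps 111-113): the circuit part shared by all children.
    Hypothetical content: a single constraint x * y = z over shared x, y, z."""
    cs = ConstraintSystem(1)                          # variable 0 = ONE
    x, y, z = cs.alloc(), cs.alloc(), cs.alloc()
    cs.enforce({x: 1}, {y: 1}, {z: 1})
    return cs, {"x": x, "y": y, "z": z}


def build_child(n0: int, z: int) -> ConstraintSystem:
    """Child system subCS_i (sub-steps 131-134) as one processing unit builds it.
    Columns below n0 address parent variables (the P_i block); columns from n0 up
    are the child's own variables (the C_i block). Hypothetical content: w_i is a
    bit and u_i = z * w_i."""
    cs = ConstraintSystem(n0)
    w, u = cs.alloc(), cs.alloc()
    cs.enforce({w: 1}, {w: 1, ONE: R - 1}, {})       # w * (w - 1) = 0
    cs.enforce({z: 1}, {w: 1}, {u: 1})              # z * w = u
    return cs


def shift(term: Term, n0: int, offset: int) -> Term:
    """Keep P_i columns in place, move C_i columns to the child's private range."""
    return {(k if k < n0 else offset + k - n0): v for k, v in term.items()}


def merge(parent: ConstraintSystem, children: List[ConstraintSystem]) -> ConstraintSystem:
    """Step 140: stack P and the components into one block lower-triangular R1CS.
    Each C_i gets a fresh, disjoint column range, so children never share variables."""
    n0 = parent.num_vars
    merged = ConstraintSystem(n0, parent.rows)
    for child in children:
        offset = merged.num_vars
        for a, b, c in child.rows:
            merged.enforce(shift(a, n0, offset), shift(b, n0, offset), shift(c, n0, offset))
        merged.num_vars += child.num_vars - n0
    return merged


def dot(term: Term, s: List[int]) -> int:
    return sum(coef * s[k] for k, coef in term.items()) % R


def is_satisfied(cs: ConstraintSystem, s: List[int]) -> bool:
    """Step 150 precondition: the stacked assignment s = v0 || v1 || v2 || ... must
    satisfy every row before a proof is generated from it."""
    return len(s) == cs.num_vars and all(
        (dot(a, s) * dot(b, s) - dot(c, s)) % R == 0 for a, b, c in cs.rows)


def children_disjoint(parent: ConstraintSystem, children: List[ConstraintSystem],
                      merged: ConstraintSystem) -> bool:
    """The property stated in the text: the P_i share columns, the C_i never do."""
    n0 = parent.num_vars
    row, col = len(parent.rows), n0
    for child in children:
        own = set(range(col, col + child.num_vars - n0))
        for a, b, c in merged.rows[row:row + len(child.rows)]:
            if not {k for t in (a, b, c) for k in t if k >= n0} <= own:
                return False
        row, col = row + len(child.rows), col + child.num_vars - n0
    return True


def synthesize(num_children: int):
    """Steps 110-140 end to end. Threads stand in for the processing units 460; a real
    deployment would ship P to separate processes or machines."""
    parent, var = build_parent()
    n0 = parent.num_vars
    with ThreadPoolExecutor(max_workers=num_children) as pool:
        children = list(pool.map(lambda _: build_child(n0, var["z"]), range(num_children)))
    return parent, children, merge(parent, children), var


def example_witness(num_children: int) -> List[int]:
    """Constructed assignment: v0 = (1, x=3, y=5, z=15), then v_i = (w_i, u_i) per child."""
    s = [1, 3, 5, 15]
    for i in range(num_children):
        s += [i % 2, 15 * (i % 2)]
    return s
```

children_disjoint is the structural invariant a practitioner would verify after a merge: a bug in the column remapping that let one child's C_i overlap another's would silently couple constraints that were meant to be independent. is_satisfied over the stacked assignment is the precondition that must hold before the prover calls into the proof system at all, since proving with an unsatisfied witness wastes the work and yields a proof the verifier rejects.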

As described above, the circuit synthesis method 100 for zero-knowledge proof according to the present invention can be used in a variety of application fields and scenarios that require a zero-knowledge proof to be provided, such as blockchains, multi-party computation, secure computation, and the like. FIG. 4 shows a schematic diagram of an application system 400 for data storage proof in a blockchain using the circuit synthesis method 100 for zero knowledge proof of the present invention. FIG. 5 shows a schematic diagram of the data processing procedure in the application system 400 of FIG. 4. The application system 400 is, for example, the Filecoin blockchain, a storage mining project. FIG. 6 shows a schematic diagram of the logic circuit structure in the application system 400 of FIG. 4. The process of using the method 100 for data storage proof in the Filecoin blockchain is described below in conjunction with FIGS. 4 to 6.

Note that the circuit synthesis method 100 for zero knowledge proof is described here in the context of the system 400 for data storage proof in a blockchain shown in FIG. 4; however, those skilled in the art will appreciate that the method 100 shown in FIG. 1 can readily be applied in any scenario where a zero knowledge proof must be provided.

The Filecoin project adopts the PoRep and PoSt protocols to ensure that storage nodes correctly store user data. PoRep stands for Proof of Replication and PoSt for Proof of Spacetime. Both protocols require a proof to be generated by zero knowledge proof computation and submitted to the blockchain, so the parallel circuit synthesis method can be used to accelerate generation of the constraint system and thereby generation of the zero knowledge proof. The system 400 is described below in conjunction with FIGS. 4 and 5. For brevity, the description focuses on the zero-knowledge proof of data storage under the PoRep protocol; those skilled in the art will appreciate that it applies equally to the PoSt protocol.

As shown in FIG. 4, the system 400 includes a blockchain logic module 410, a storage processing and proof module 430, an interface module 420 between the blockchain logic module 410 and the storage processing and proof module 430, and a zero knowledge proof module 440. Physically, the system 400 further includes a plurality of blockchain nodes, such as the proof unit 450 and the verification unit 470 shown in FIG. 4. The blockchain logic module 410 is a code module or hardware module implementing the underlying logic of the blockchain. In one embodiment the blockchain logic module 410 is code and may be deployed on a plurality of blockchain nodes including the proof unit 450 and the verification unit 470; for the Filecoin blockchain, for example, module 410 may be the Filecoin blockchain code module implemented in the Go language. The storage processing and proof module 430 is a code module or hardware module for storing and managing the data and proofs of the blockchain; for the Filecoin blockchain, for example, it may be the rust-fil-proofs code module, implemented in the Rust language, which stores data as Merkle trees. The interface module 420 is the interface between modules 410 and 430; for the Filecoin blockchain, for example, it may be the Filecoin FFI code module implemented in the Go language. The zero knowledge proof module 440 is a code library for performing zero knowledge proofs, or a hardware module carrying that library, which can be called by the proof unit 450 and the verification unit 470; for the Filecoin blockchain, for example, it may be Bellman, a Rust implementation of the Groth16 proof system.

The system 400 further comprises a proof unit 450 and a verification unit 470. The proof unit 450 invokes the zero knowledge proof module 440 to provide a zero knowledge proof of the data it stores; the code on it may be implemented in the Rust language. The verification unit 470 invokes the zero knowledge proof module 440 to verify the zero knowledge proof provided by the proof unit 450. In some embodiments the plurality of processing units 460_1, 460_2, 460_3, ... (hereinafter collectively referred to as processing units 460) may also be blockchain nodes within the system 400; in other embodiments a processing unit 460 is an external processor that communicates only with the proof unit 450, or one of a plurality of processors contained within the proof unit 450. Similarly, the proof unit 450 and/or the verification unit 470 may be a blockchain node, or a proof processing unit and/or verification processing unit located at a blockchain node within the system 400.

Referring to FIG. 5, the storage processing and proof module 430 divides the data into multiple sectors (single storage units), each of which is processed and stored independently. For the Filecoin application the sector size defaults to 32 GiB. The following description takes a single sector as an example.

The data of one sector is referred to as the original data 500 and is divided into a plurality of data blocks, each of which may contain 32 bytes. The storage processing and proof module 430 performs a labeling calculation on the original data 500 to generate multiple layers of label data 51, 52, ..., 5L (collectively 5i, 1 <= i <= L), where each layer of label data 5i includes a plurality of data blocks 5i1, 5i2, ..., 5iN. Here L is a positive integer greater than 1; in a typical Filecoin application L = 11. When one sector holds 32 GiB and each data block holds 32 bytes, the number N of data blocks per layer is 32 GiB / 32 B = 2^30 (about one billion). The calculation of each data block in each layer of label data depends on the corresponding data block of the previous layer and on the two preceding data blocks of the current layer, as indicated by the dashed lines in the figure. The multi-layer label data 51, 52, ..., 5L are further processed by hash calculation, encoding calculation and construction of a Merkle tree to generate the final stored data, which is stored on each blockchain node. The specific methods of hash calculation, encoding calculation and Merkle tree construction can be found, for example, in the Filecoin white paper and are not described here.

After a blockchain node has stored the above information, it must submit a zero-knowledge proof that it does store the corresponding original data; at that point the node is called a proof unit (e.g., unit 450 in FIG. 4). However, since the amount of data processed is large (typically 32 GiB or more), generating a logic circuit covering all of the data processing is impractical. One solution currently adopted is to provide the zero knowledge proof by spot-checking several columns (e.g., 18 columns) of the original data 500.

Specifically, the proof unit 450 may randomly select a plurality of columns of the original data 500 it stores (such as the column formed by the data blocks 51i, 52i, ..., 5Li shown in the figure) and generate a zero-knowledge proof for those columns by parallel processing, so as to prove that it stores the original data 500 to be proved. The proof unit 450 may send the generated zero knowledge proof to the verification unit 470 for verification. In generating the zero knowledge proof, the proof unit 450 and the plurality of processing units 460 may perform the circuit synthesis in parallel using the method 100 described above.

As described above, the proof unit 450 performs the labeling calculation, hash calculation and encoding calculation on the original data 500 and constructs a Merkle tree for storage.

Then the proof unit 450 selects a plurality of columns of data from the stored original data 500, each column including a plurality of data blocks. For example, the selected columns may include the column composed of data blocks 511, 521, ..., 5L1, the column composed of data blocks 512, 522, ..., 5L2, ..., the column composed of data blocks 51i, 52i, ..., 5Li, and the column composed of data blocks 51N, 52N, ..., 5LN shown in FIG. 5; preferably 18 columns of data are selected.

The proof unit 450 constructs a generic circuit 610 for the selected columns of data; the generic circuit 610 generates the parent constraint system P for the columns of data from the common circuit portion of their logic circuit.

In one embodiment, the proof unit 450 may determine, based on the logic of the columns of data, the plurality of first type variables and second type variables of the first order constraint system R1CS and the number of its constraints, as described above in sub-step 111.

Based on the logic of the columns of data, the proof unit 450 determines a plurality of constraint coefficient matrices for the R1CS, as described above in sub-step 112.

The proof unit 450 determines the parent constraint system P based on the common circuit portion of the logic circuit of the columns of data; the parent constraint system P corresponds to at least one parent constraint in the constraint coefficient matrices and to a first number of variables under that parent constraint, the first number of variables being at least a portion of the plurality of first type variables and second type variables, as described in sub-step 113 above.

The proof unit 450 sends the parent constraint system P to the plurality of processing units 460.

Each processing unit 460 (e.g., processing unit 460_1) receives the parent constraint system P from the proof unit 450 and, based on the logic of the columns of data, determines the plurality of constraint coefficient matrices for the R1CS, as shown in Table 1 above and described above for sub-step 132.

In particular, processing unit 460_1 constructs a spot check sub-circuit 620 (e.g., spot check sub-circuit 620_1 shown in FIG. 6) based on the constraint coefficient matrices, uses the spot check sub-circuit 620_1 to select at least one child constraint different from the at least one parent constraint of the parent constraint system P, and assigns it based on the values taken by the first number of variables under that child constraint to generate the first sub-matrix P1 of the child constraint system subCS1, as described in sub-step 132 above. For example, as shown in FIG. 6, if M processing units 460 take part in the circuit synthesis, M spot check sub-circuits 620_1, 620_2, ..., 620_M may be constructed. In one example M = 18.

Processing unit 460_1 selects, from the plurality of first type variables and second type variables, a second number of variables different from the first number of variables of the parent constraint system P, and assigns them based on the constraint coefficient matrices to generate the second sub-matrix C1 of the child constraint system subCS1, as described in sub-step 133 above.

Processing unit 460_1 forms an R1CS component from the parent constraint system P and the first sub-matrix P1 and second sub-matrix C1 of the child constraint system subCS1.

The proof unit 450 receives a plurality of different R1CS components from the plurality of processing units 460, each R1CS component including the parent constraint system P and a child constraint system subCS. As described above, each child constraint system subCS is derived from the parent constraint system P using the spot check sub-circuit dedicated to its processing unit 460.

The proof unit 450 merges the multiple different R1CS components to obtain the R1CS and constructs, based on that R1CS, a zero-knowledge proof for the selected columns of data, proving that the proof unit 450 stores the original data 500.

FIG. 7 shows a schematic block diagram of an example device 700 that may be used to implement an embodiment of the invention. The device 700 may be, for example, the above-mentioned proving unit 450 or the verifying unit 470, which includes a plurality of processors 710, or the above-mentioned processing unit 460. As shown, device 700 may include one or more Central Processing Units (CPUs) 710 (only one shown schematically) that may perform various appropriate actions and processes according to computer program instructions stored in a Read Only Memory (ROM)720 or loaded from a storage unit 780 into a Random Access Memory (RAM) 730. The computer program instructions may also comprise program code for implementing the method 100 described above and/or program code for implementing the modules 410 to 440 in the system 400 described above, for example. In the RAM 730, various programs and data required for the operation of the device 700 can also be stored. The CPU 710, ROM 720, and RAM 730 are connected to each other via a bus 740. An input/output (I/O) interface 750 is also connected to bus 740.

Various components in device 700 are connected to I/O interface 750, including: an input unit 760 such as a keyboard, a mouse, and the like; an output unit 770 such as various types of displays, speakers, and the like; a storage unit 780 such as a magnetic disk, an optical disk, or the like; and a communication unit 790 such as a network card, modem, wireless communication transceiver, etc. The communication unit 790 allows the device 700 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.

The method 100 described above may be performed, for example, by the processor 710 of the device 700. For example, in some embodiments, the method 100 may be implemented as a computer software program tangibly embodied in a machine-readable medium, such as the storage unit 780. In some embodiments, some or all of the computer program may be loaded onto and/or installed onto device 700 via ROM 720 and/or communications unit 790. When the computer program is loaded into RAM 730 and executed by CPU 710, one or more operations of method 100 described above may be performed. Further, the communication unit 790 may support wired or wireless communication functions.

The circuit synthesis method 100 for zero knowledge proof and the data storage proof system 400 using the same according to the present invention are described above with reference to fig. 1 to 7. However, those skilled in the art will appreciate that the circuit synthesis method 100 for zero-knowledge proof described herein is not limited to the scenario shown in fig. 4, but may be used in various application fields and scenarios where zero-knowledge proof needs to be provided, such as multi-party computing, security computing, etc. Further, those skilled in the art will appreciate that the performance of the steps of method 100 is not limited to the order shown in the figures and described above, but may be performed in any other reasonable order. Device 700 also need not include all of the components shown in fig. 7, it may include only some of the components necessary to perform the functions described in the present invention, and the manner in which these components are connected is not limited to the form shown in the figures. For example, in the case where the device 700 is a portable device such as a cellular phone, the device 700 may have a different structure compared to that in fig. 7.

The present invention may be embodied as methods, apparatus, systems, and/or computer program products. The computer program product may include a computer-readable storage medium having computer-readable program instructions embodied therein for carrying out aspects of the present invention.

The computer readable storage medium may be a tangible device that can hold and store the instructions for use by the instruction execution device. The computer readable storage medium may be, for example, but not limited to, an electronic memory device, a magnetic memory device, an optical memory device, an electromagnetic memory device, a semiconductor memory device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a Static Random Access Memory (SRAM), a portable compact disc read-only memory (CD-ROM), a Digital Versatile Disc (DVD), a memory stick, a floppy disk, a mechanical coding device, such as punch cards or in-groove projection structures having instructions stored thereon, and any suitable combination of the foregoing. Computer-readable storage media as used herein is not to be construed as transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission medium (e.g., optical pulses through a fiber optic cable), or electrical signals transmitted through electrical wires.

The computer-readable program instructions described herein may be downloaded from a computer-readable storage medium to a respective computing/processing device, or to an external computer or external storage device via a network, such as the internet, a local area network, a wide area network, and/or a wireless network. The network may include copper transmission cables, fiber optic transmission, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. The network adapter card or network interface in each computing/processing device receives computer-readable program instructions from the network and forwards the computer-readable program instructions for storage in a computer-readable storage medium in the respective computing/processing device.

The computer program instructions for carrying out operations of the present invention may be assembler instructions, Instruction Set Architecture (ISA) instructions, machine-related instructions, microcode, firmware instructions, state setting data, or source or object code written in any combination of one or more programming languages, including an object oriented programming language such as Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The computer-readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider). In some embodiments, aspects of the present invention are implemented by personalizing an electronic circuit, such as a programmable logic circuit, a Field Programmable Gate Array (FPGA), or a Programmable Logic Array (PLA), with state information of computer-readable program instructions, which can execute the computer-readable program instructions.

Aspects of the present invention are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer-readable program instructions.

These computer-readable program instructions may be provided to a processing unit of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processing unit of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer-readable program instructions may also be stored in a computer-readable storage medium that can direct a computer, programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer-readable medium storing the instructions comprises an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.

The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer, other programmable apparatus or other devices implement the functions/acts specified in the flowchart and/or block diagram block or blocks.

The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

Having described embodiments of the present invention, the foregoing description is intended to be exemplary, not exhaustive, and not limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terms used herein were chosen in order to best explain the principles of the embodiments, the practical application, or technical improvements to the techniques in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.
