CN113806059A - Proof method, system, electronic device and storage medium for zero-knowledge proof - Google Patents


Info

Publication number
CN113806059A
Authority
CN
China
Prior art keywords
r1cs
data
sub
subdata
cpu
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111375621.4A
Other languages
Chinese (zh)
Other versions
CN113806059B (en)
Inventor
李浩天
江寒
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Fangzhou Technology Co ltd
Original Assignee
Hangzhou Fangzhou Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Fangzhou Technology Co ltd
Priority to CN202111375621.4A
Publication of CN113806059A
Application granted
Publication of CN113806059B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/46 Multiprogramming arrangements
    • G06F 9/48 Program initiating; Program switching, e.g. by interrupt
    • G06F 9/4806 Task transfer initiation or dispatching
    • G06F 9/4843 Task transfer initiation or dispatching by program, e.g. task dispatcher, supervisor, operating system
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/46 Multiprogramming arrangements
    • G06F 9/50 Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F 9/5005 Allocation of resources, e.g. of the central processing unit [CPU] to service a request
    • G06F 9/5027 Allocation of resources, e.g. of the central processing unit [CPU] to service a request, the resource being a machine, e.g. CPUs, Servers, Terminals
    • G06F 9/5038 Allocation of resources, e.g. of the central processing unit [CPU] to service a request, the resource being a machine, e.g. CPUs, Servers, Terminals, considering the execution order of a plurality of tasks, e.g. taking priority or time dependency constraints into consideration
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06T IMAGE DATA PROCESSING OR GENERATION, IN GENERAL
    • G06T 1/00 General purpose image data processing
    • G06T 1/20 Processor architectures; Processor configuration, e.g. pipelining

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Design And Manufacture Of Integrated Circuits (AREA)
  • Power Sources (AREA)

Abstract

The present application relates to the field of zero-knowledge proof technology, and more particularly to a proof method, system, electronic device and computer-readable storage medium for zero-knowledge proof. According to the method, when R1CS sub-data that has not yet been processed by FFT calculation exists, a GPU is used to perform the FFT calculation processing on that R1CS sub-data to obtain the corresponding polynomial data, and a CPU is used to perform MultiExp calculation processing based on the R1CS sub-data and its corresponding polynomial data to obtain the proof component corresponding to that R1CS sub-data. When all the R1CS sub-data has been processed by FFT calculation, the CPU and the GPU perform MultiExp calculation processing in parallel, based on the R1CS sub-data and their corresponding polynomial data, to obtain the remaining proof components. Finally, a proof is generated from the proof components corresponding to all the R1CS sub-data in the R1CS data. The method and the device accelerate the generation of the zero-knowledge proof.

Description

Proof method, system, electronic device and storage medium for zero-knowledge proof
Technical Field
The present invention relates to the field of zero-knowledge proof technology, and in particular, to a proof method, system, electronic device, and computer-readable storage medium for zero-knowledge proof.
Background
A zero-knowledge proof means that a prover can convince a verifier that some statement is correct without revealing any other useful information. Zero-knowledge proof methods are widely applied in scenarios such as blockchains, secure multi-party computation (MPC) and privacy-preserving computation.
Existing zero-knowledge proof methods are diverse and include interactive proof methods and non-interactive methods such as Non-Interactive Linear Proofs (NILP); the latter do not require interaction between the prover and the verifier to generate a proof, which is a significant advantage over interactive methods. Among non-interactive proof methods, the Zero-Knowledge Succinct Non-interactive ARgument of Knowledge (zk-SNARK) is the type commonly used at present, and a representative one is the Groth16 proving algorithm.
Groth16 proves the satisfiability of an instance of a Rank-1 Constraint System (R1CS) by representing it as a Quadratic Arithmetic Program (QAP). A complete Groth16 proving system consists of three processes: a setup process, a proving process and a verification process. For each QAP instance the setup process is run only once; it creates a proving key and a verification key, both of which are public to the prover and the verifier. The verification process checks a proof with the verification key and decides whether to accept or reject it. The proving process generates a proof from the proving key, and it mainly consists of two computation parts, an FFT computation and a MultiExp computation, which involve a large amount of computation and take a long time.
Currently, the Groth16 proving method is implemented in bellperson, an open-source project in which the proving process is mainly computed on the GPU. With the implementation provided by this open-source project, even a computer system equipped with a 64-core AMD 7542 CPU and an Nvidia 2080Ti series GPU still takes tens of minutes to complete a zero-knowledge proof with on the order of a billion circuit constraints.
Disclosure of Invention
To speed up the generation of zero-knowledge proofs, embodiments of the present application provide a proof method, system, electronic device and computer-readable storage medium for zero-knowledge proofs.
In a first aspect, an embodiment of the present application provides a proof method for zero-knowledge proof, including:
obtaining proof parameters and data to be proved, and performing circuit synthesis processing on the proof parameters and the data to be proved to obtain R1CS data, wherein the circuit used for the circuit synthesis processing comprises at least one sub-circuit, the R1CS data comprises at least one R1CS sub-data, and each sub-circuit is used for constructing one R1CS sub-data;
when R1CS sub-data that has not been processed by FFT calculation exists, using a GPU to perform FFT calculation processing based on that R1CS sub-data to obtain polynomial data corresponding to the R1CS sub-data;
when R1CS sub-data that has not been processed by FFT calculation exists, using a CPU to perform MultiExp calculation processing based on the R1CS sub-data and the polynomial data corresponding to the R1CS sub-data to obtain a proof component corresponding to the R1CS sub-data;
when all the R1CS sub-data has been processed by FFT calculation, using the CPU and the GPU in parallel to perform MultiExp calculation processing based on the R1CS sub-data and the polynomial data corresponding to the R1CS sub-data to obtain the proof components corresponding to the R1CS sub-data;
and generating a proof based on the proof components corresponding to all the R1CS sub-data in the R1CS data.
In this way, the computing resources of the CPU and the GPU are utilized to the maximum extent, and the generation of the zero-knowledge proof is accelerated.
In some embodiments, the CPU is a multi-core, multi-threaded CPU that performs the MultiExp calculation processing using at least one thread, where each thread includes multiple coroutines, and the multiple coroutines are used to concurrently process the proof component corresponding to one R1CS sub-data.
In this way, multiple coroutines concurrently process one R1CS sub-data, which ensures that each R1CS sub-data is calculated in an orderly manner according to a certain sequence and helps accelerate the scheduling and recovery of CPU resources.
In some embodiments, the CPU is a multi-core, multi-threaded CPU that performs the MultiExp calculation processing using multiple threads, where the threads run in parallel and each thread processes the proof component corresponding to one R1CS sub-data.
In this way, the MultiExp calculation processes corresponding to different proof components are resource-isolated, and the speed of the whole proving process can be increased.
In some embodiments, performing FFT calculation processing using the GPU based on the R1CS sub-data to obtain the polynomial data corresponding to the R1CS sub-data includes:
sequentially performing FFT calculation processing on the at least one R1CS sub-data using the GPU to obtain the polynomial data corresponding to each R1CS sub-data.
In this way, resource competition and conflicts are reduced, and the resource recovery efficiency of the GPU is improved.
In some embodiments, performing MultiExp calculation processing using the CPU based on the R1CS sub-data and the polynomial data corresponding to the R1CS sub-data to obtain the proof component corresponding to the R1CS sub-data includes:
performing MultiExp calculation processing using the CPU based on the R1CS sub-data to obtain first component data of the proof component corresponding to the R1CS sub-data, wherein the first component data is unrelated to the polynomial data corresponding to the R1CS sub-data;
performing MultiExp calculation processing using the CPU based on the R1CS sub-data and the polynomial data corresponding to the R1CS sub-data to obtain second component data of the proof component corresponding to the R1CS sub-data, wherein the second component data is related to the polynomial data corresponding to the R1CS sub-data;
and obtaining the proof component corresponding to the R1CS sub-data based on the first component data and the second component data.
In this way, the MultiExp calculation processing can be further divided into the calculation of the first component data, which is unrelated to the polynomial data and can therefore be performed in parallel with the FFT calculation, and the calculation of the second component data, which is related to the polynomial data, thereby further increasing the calculation speed of each proof component.
In a second aspect, an embodiment of the present application provides a proof system for zero-knowledge proof, including an input device, a circuit, a GPU and a CPU, wherein the input device is connected to the circuit, the circuit is connected to the CPU, and the CPU is connected to the GPU;
the input device is used for acquiring the proof parameters and the data to be proved;
the circuit comprises at least one sub-circuit and is used for performing circuit synthesis processing on the proof parameters and the data to be proved to obtain R1CS data, wherein the R1CS data comprises at least one R1CS sub-data, and each sub-circuit is used for constructing one R1CS sub-data;
the GPU is used for performing FFT calculation processing based on the R1CS sub-data when R1CS sub-data that has not been processed by FFT calculation exists, so as to obtain polynomial data corresponding to the R1CS sub-data; and the GPU is used for performing MultiExp calculation processing in parallel with the CPU, based on the R1CS sub-data and their corresponding polynomial data, when all the R1CS sub-data has been processed by FFT calculation, so as to obtain the proof components corresponding to the R1CS sub-data;
the CPU is used for performing MultiExp calculation processing based on the R1CS sub-data and their corresponding polynomial data when R1CS sub-data that has not been processed by FFT calculation exists, so as to obtain the proof components corresponding to the R1CS sub-data; and the CPU is used for performing MultiExp calculation processing in parallel with the GPU, based on the R1CS sub-data and their corresponding polynomial data, when all the R1CS sub-data has been processed by FFT calculation, so as to obtain the proof components corresponding to the R1CS sub-data;
the CPU is further configured to generate a proof based on the proof components corresponding to all the R1CS sub-data in the R1CS data.
In some embodiments, the CPU is a multi-core, multi-threaded CPU that performs the MultiExp calculation processing using at least one thread, where each thread includes multiple coroutines, and the multiple coroutines are used to concurrently process the proof component corresponding to one R1CS sub-data.
In some embodiments, the CPU is a multi-core, multi-threaded CPU that performs the MultiExp calculation processing using multiple threads, where the threads run in parallel and each thread processes the proof component corresponding to one R1CS sub-data.
In a third aspect, an embodiment of the present application provides an electronic device including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the steps of the proof method for zero-knowledge proof according to the first aspect.
In a fourth aspect, the present application provides a computer-readable storage medium storing a computer program that, when executed by a processor, implements the steps of the proof method for zero-knowledge proof according to the first aspect.
In summary, with the proof method, system, electronic device and computer-readable storage medium for zero-knowledge proof provided in the embodiments of the present application, when R1CS sub-data that has not been processed by FFT calculation exists, a GPU performs the FFT calculation on that R1CS sub-data to obtain its corresponding polynomial data, and a CPU performs MultiExp calculation processing based on the R1CS sub-data and its corresponding polynomial data to obtain the proof component corresponding to the R1CS sub-data. When all the R1CS sub-data has been processed by FFT calculation, the CPU and the GPU perform MultiExp calculation processing in parallel, based on the R1CS sub-data and their corresponding polynomial data, to obtain the remaining proof components. Finally, a proof is generated from the proof components corresponding to all the R1CS sub-data in the R1CS data. Compared with the related art, in which the proving process is mainly computed on the GPU, the method and the device at least accelerate the generation of the zero-knowledge proof.
Drawings
Fig. 1 is a flowchart of the proof method for zero-knowledge proof provided by an embodiment of the present application.
Fig. 2 is a schematic diagram of the proof method for zero-knowledge proof provided by the related art.
Fig. 3 is a schematic diagram of the proof method for zero-knowledge proof provided by an embodiment of the present application.
Fig. 4 is a block diagram of the proof system for zero-knowledge proof provided by an embodiment of the present application.
Fig. 5 is a schematic diagram of an electronic device provided in an embodiment of the present application.
Detailed Description
For a clearer understanding of the objects, aspects and advantages of the present application, reference is made to the following description and accompanying drawings.
Unless defined otherwise, technical or scientific terms used herein shall have the same general meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The use of the terms "a" and "an" and "the" and similar referents in the context of this application do not denote a limitation of quantity, either in the singular or the plural. The terms "comprises," "comprising," "has," "having," and any variations thereof, as referred to in this application, are intended to cover non-exclusive inclusions; for example, a process, method, and system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or modules, but may include other steps or modules (elements) not listed or inherent to such process, method, article, or apparatus. Reference throughout this application to "connected," "coupled," and the like is not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. Reference to "a plurality" in this application means two or more. "and/or" describes an association relationship of associated objects, meaning that three relationships may exist, for example, "A and/or B" may mean: a exists alone, A and B exist simultaneously, and B exists alone. In general, the character "/" indicates a relationship in which the objects associated before and after are an "or". The terms "first," "second," "third," and the like in this application are used for distinguishing between similar items and not necessarily for describing a particular sequential or chronological order.
The Groth16 proving system includes three processes: a setup process, a proving process and a verification process. The embodiments of the present application provide a proof method for zero-knowledge proof that optimizes the proving process of Groth16 so as to accelerate the generation of zero-knowledge proofs.
An instance of a QAP can be represented by the following relation:
Figure 838669DEST_PATH_IMAGE001
(formula 1)
where
Figure 487956DEST_PATH_IMAGE002
denotes a finite field,
Figure 71253DEST_PATH_IMAGE003
denotes the number of elements in the public input
Figure 882214DEST_PATH_IMAGE004
,
Figure 918172DEST_PATH_IMAGE005
Figure 105571DEST_PATH_IMAGE006
Figure 543375DEST_PATH_IMAGE007
are polynomials, m of each, and
Figure 790816DEST_PATH_IMAGE008
is the polynomial having the specified roots.
Expressed as a QAP problem, the above relation defines public information
Figure 314071DEST_PATH_IMAGE004
and private information
Figure 836319DEST_PATH_IMAGE009
that satisfy the expression:
Figure 613782DEST_PATH_IMAGE010
From the above expression, given
Figure 287252DEST_PATH_IMAGE011
Figure 517376DEST_PATH_IMAGE012
Figure 92583DEST_PATH_IMAGE013
Figure 458973DEST_PATH_IMAGE014
and
Figure 579376DEST_PATH_IMAGE015
one can compute
Figure 77222DEST_PATH_IMAGE016
where
Figure 410115DEST_PATH_IMAGE017
= 1, and the degree of
Figure 411437DEST_PATH_IMAGE016
is smaller than the degree of
Figure 437162DEST_PATH_IMAGE015
by 2.
The computation of the proof process of the Groth16 algorithm can be divided into two parts, an FFT computation part and a MultiExp computation part.
The purpose of the FFT computation is to convert the R1CS data produced by circuit synthesis into a description of the QAP problem. For one QAP instance, on a selected domain S, according to formula (1), given the values of
Figure 891146DEST_PATH_IMAGE012
Figure 762150DEST_PATH_IMAGE013
Figure 883559DEST_PATH_IMAGE014
, the polynomials
Figure 611344DEST_PATH_IMAGE012
Figure 37777DEST_PATH_IMAGE013
Figure 492898DEST_PATH_IMAGE014
can be obtained by inverse Fourier transform (iFFT); and on another domain T, given the polynomials
Figure 219545DEST_PATH_IMAGE012
Figure 587073DEST_PATH_IMAGE013
Figure 750070DEST_PATH_IMAGE014
, the values of
Figure 494035DEST_PATH_IMAGE012
Figure 318597DEST_PATH_IMAGE013
Figure 857026DEST_PATH_IMAGE014
on T can be obtained by Fourier transform (FFT). On the domain T, the value of
Figure 38477DEST_PATH_IMAGE016
can then be calculated by the following formula:
Figure 586133DEST_PATH_IMAGE018
(formula 2).
Given the domain T and the corresponding values of
Figure 21794DEST_PATH_IMAGE016
, the polynomial
Figure 245971DEST_PATH_IMAGE016
can be calculated by inverse Fourier transform. That is, calculating the polynomial
Figure 134292DEST_PATH_IMAGE016
requires 4 inverse Fourier transforms (iFFT) and 3 Fourier transforms (FFT). In the embodiments of the present application, the whole process of the iFFT and FFT calculations described above is referred to as the FFT calculation.
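As an added example (not code from the patent or from bellperson), the following Python models the FFT calculation for one R1CS sub-data over a toy prime field and counts the transforms, reproducing the 4 iFFT + 3 FFT figure above. The field size, the generator, the R1CS rows, the witness and the coset shift are all constructed for illustration.

```python
"""FFT stage of a Groth16 prover on a toy field (added example, not bellperson code).

The per-constraint values a_i, b_i, c_i on the domain S become polynomials
(3 iFFT), are re-evaluated on a coset T (3 FFT), divided pointwise by
Z(x) = x^n - 1, and h is interpolated back (1 iFFT): 4 iFFT + 3 FFT in all.
"""

P = 97   # constructed toy prime; P - 1 = 96 = 2^5 * 3, so domains of size 2..32 exist
GEN = 5  # generator of the multiplicative group of F_97 (order 96)
assert pow(GEN, 48, P) != 1 and pow(GEN, 32, P) != 1  # order divides neither 48 nor 32
CALLS = {"fft": 0, "ifft": 0}  # transform counter for the "4 iFFT + 3 FFT" claim


def root_of_unity(n):
    """A primitive n-th root of unity in F_P (n a power of two dividing P - 1)."""
    assert (P - 1) % n == 0 and n & (n - 1) == 0
    return pow(GEN, (P - 1) // n, P)


def _ntt(vals, w):
    """Recursive Cooley-Tukey transform: out[k] = sum_j vals[j] * w^(j*k)."""
    n = len(vals)
    if n == 1:
        return vals[:]
    even = _ntt(vals[0::2], w * w % P)
    odd = _ntt(vals[1::2], w * w % P)
    out, wk = [0] * n, 1
    for k in range(n // 2):
        t = wk * odd[k] % P
        out[k] = (even[k] + t) % P
        out[k + n // 2] = (even[k] - t) % P
        wk = wk * w % P
    return out


def fft(coeffs, w, shift=1):
    """Coefficients -> evaluations on the coset shift * {w^k} (shift = 1 gives S)."""
    CALLS["fft"] += 1
    return _ntt([c * pow(shift, j, P) % P for j, c in enumerate(coeffs)], w)


def ifft(evals, w, shift=1):
    """Evaluations on shift * {w^k} -> coefficients (inverse of fft)."""
    CALLS["ifft"] += 1
    n_inv = pow(len(evals), P - 2, P)
    coeffs = [v * n_inv % P for v in _ntt(evals, pow(w, P - 2, P))]
    s_inv = pow(shift, P - 2, P)
    return [c * pow(s_inv, j, P) % P for j, c in enumerate(coeffs)]


# Constructed R1CS for "x^3 + x + 5 = 35" over z = (1, x, v1, v2, out): row i
# encodes (A_i . z) * (B_i . z) = C_i . z; a zero row pads the size to n = 4.
A = [[0, 1, 0, 0, 0], [0, 0, 1, 0, 0], [5, 1, 0, 1, 0], [0, 0, 0, 0, 0]]
B = [[0, 1, 0, 0, 0], [0, 1, 0, 0, 0], [1, 0, 0, 0, 0], [0, 0, 0, 0, 0]]
C = [[0, 0, 1, 0, 0], [0, 0, 0, 1, 0], [0, 0, 0, 0, 1], [0, 0, 0, 0, 0]]
WITNESS = [1, 3, 9, 27, 35]  # x = 3: v1 = x*x, v2 = v1*x, out = v2 + x + 5


def r1cs_evaluations(z):
    """The 'R1CS data' the FFT stage consumes: (a_i, b_i, c_i) per constraint."""
    dot = lambda row: sum(r * v for r, v in zip(row, z)) % P
    return [dot(r) for r in A], [dot(r) for r in B], [dot(r) for r in C]


def fft_stage(a_vals, b_vals, c_vals):
    """Return coefficient forms of a, b, c and the quotient h with a*b - c = h*Z."""
    CALLS["fft"] = CALLS["ifft"] = 0  # count only this stage
    n, w, g = len(a_vals), root_of_unity(len(a_vals)), GEN
    # Coset shift g: ord(g) = P - 1 does not divide n, so g*w^k is never in S
    # and Z(g*w^k) != 0; this avoids the 0/0 that dividing on S itself would give.
    a, b, c = (ifft(v, w) for v in (a_vals, b_vals, c_vals))  # 3 iFFT on S
    a_t, b_t, c_t = (fft(p, w, g) for p in (a, b, c))         # 3 FFT on T = g*S
    z_inv = pow((pow(g, n, P) - 1) % P, P - 2, P)  # Z(x) = x^n - 1 is constant on T
    h_t = [(x * y - u) * z_inv % P for x, y, u in zip(a_t, b_t, c_t)]
    h = ifft(h_t, w, g)                                        # 1 iFFT on T
    return a, b, c, h


def poly_mul(p, q):
    out = [0] * (len(p) + len(q) - 1)
    for i, x in enumerate(p):
        for j, y in enumerate(q):
            out[i + j] = (out[i + j] + x * y) % P
    return out


def qap_holds(a, b, c, h):
    """Check a(x)*b(x) - c(x) == h(x)*Z(x) as polynomials, with Z(x) = x^n - 1."""
    n = len(a)
    lhs = poly_mul(a, b) + [0]                        # degree < 2n, padded to 2n terms
    lhs = [(x - y) % P for x, y in zip(lhs, c + [0] * n)]
    rhs = poly_mul(h, [P - 1] + [0] * (n - 1) + [1])  # h * (x^n - 1), 2n terms
    return lhs == rhs


if __name__ == "__main__":
    a, b, c, h = fft_stage(*r1cs_evaluations(WITNESS))
    print("h(x):", h, "| transforms:", CALLS, "| QAP holds:", qap_holds(a, b, c, h))
```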
The purpose of the MultiExp computation is to generate the proof based on the description of the QAP problem. In the MultiExp calculation, the prover selects two random numbers r, s and calculates the proof
Figure 469327DEST_PATH_IMAGE019
where
Figure 25074DEST_PATH_IMAGE020
(formula 3);
Figure 905305DEST_PATH_IMAGE021
(formula 4);
Figure 795770DEST_PATH_IMAGE022
(formula 5).
Here,
Figure 419649DEST_PATH_IMAGE023
Figure 344748DEST_PATH_IMAGE024
Figure 130302DEST_PATH_IMAGE025
are random numbers, and
Figure 508062DEST_PATH_IMAGE026
and
Figure 935633DEST_PATH_IMAGE027
refer to points on the elliptic curve generated by different generators (the generators are selected during the setup process). As can be seen from formula (5), in the proof
Figure 465971DEST_PATH_IMAGE028
only the component
Figure 937273DEST_PATH_IMAGE029
is related to
Figure 287483DEST_PATH_IMAGE016
.
Fig. 1 is a flowchart of the proof method for zero-knowledge proof provided by an embodiment of the present application. As shown in Fig. 1, the flow includes the following steps:
Step S101: the CPU obtains proof parameters and data to be proved and transmits them to a circuit, so that circuit synthesis processing is performed on the proof parameters and the data to be proved by the circuit to obtain R1CS data, wherein the circuit used for the circuit synthesis processing comprises at least one sub-circuit, the R1CS data comprises at least one R1CS sub-data, and each sub-circuit is used for constructing one R1CS sub-data.
The proof parameters are generated in the setup process and may be Common Reference String (CRS) data generated in advance by secure multi-party computation (MPC). The proof parameters are synthesized by an R1CS circuit, which is a previously constructed circuit. In this embodiment the circuit used for circuit synthesis processing includes at least one sub-circuit, and each sub-circuit constructs one R1CS sub-data. Because the circuit is split into sub-circuits, the R1CS sub-data constructed by each sub-circuit can generate its proof component separately, so each calculation process that generates a proof component occupies fewer resources and the generation of the proof components is easily parallelized, which shortens the overall duration of proof generation.
Step S102: the CPU determines whether R1CS sub-data that has not been processed by FFT calculation exists in memory; if so, at least one such R1CS sub-data is copied to the GPU, so that the GPU performs FFT calculation processing on the R1CS sub-data to obtain the corresponding polynomial data.
Because the FFT calculation involves a large amount of parallel computation, using the GPU for the FFT calculation processing significantly shortens its time consumption.
Step S103: meanwhile, when the CPU determines that R1CS sub-data not yet processed by FFT calculation exists in memory, the CPU also performs MultiExp calculation processing based on the R1CS sub-data and its corresponding polynomial data to obtain the proof component corresponding to that R1CS sub-data.
Step S104: when the CPU determines that no R1CS sub-data that has not been processed by FFT calculation remains in memory, that is, all R1CS sub-data has been processed by FFT calculation, the CPU copies at least one R1CS sub-data and its corresponding polynomial data to the GPU, so that the GPU performs MultiExp calculation processing based on them. Meanwhile, the CPU also performs MultiExp calculation processing based on the remaining R1CS sub-data and their corresponding polynomial data. The CPU and the GPU thus perform MultiExp calculation processing in parallel to obtain the proof components corresponding to all the R1CS sub-data.
Step S105: after the proof components corresponding to all the R1CS sub-data have been obtained, a proof is generated based on these proof components. The final proof may be the set of these proof components, or a proof result obtained by further calculation over them.
Through the above steps, the circuit is divided into at least one sub-circuit, so that the generation of one proof becomes the generation of a plurality of proof components. In generating the proof components, the GPU is used preferentially for the FFT calculation, and the CPU performs the MultiExp calculation while the GPU performs the FFT calculation. Since the MultiExp calculation usually takes longer than the FFT calculation, when all FFT calculations are complete and the MultiExp calculation is not, the CPU assigns part of the remaining MultiExp work to the GPU, so that the CPU and the GPU perform the remaining MultiExp calculations in parallel. In this way the computing resources of the CPU and the GPU are utilized to the maximum extent, and the generation of the zero-knowledge proof is accelerated.
Fig. 2 is a schematic diagram of the zero-knowledge proof method provided by the related art. In the related art shown in Fig. 2, after the proof parameters and the data to be proved have been subjected to circuit synthesis processing, the FFT calculation is performed by the GPU while the CPU is idle; after the GPU finishes the FFT calculation, the MultiExp calculation is performed by the CPU and the GPU. With this proof method, a zero-knowledge proof task with on the order of a billion circuit constraints took approximately 40 minutes on a computer device configured with 8 Nvidia 2080Ti series GPUs.
Fig. 3 is a schematic diagram of the zero-knowledge proof method provided in this embodiment of the present application. As shown in Fig. 3, in this embodiment, after the circuit synthesis processing of the proof parameters and the data to be proved, the GPU performs the FFT calculation, and while the polynomial data corresponding to the first R1CS sub-data has not yet been computed, the CPU may be idle or may already perform part of the MultiExp calculation, for example the part of the MultiExp calculation that does not involve the polynomial data
Figure 773871DEST_PATH_IMAGE016
. After obtaining the polynomial data corresponding to at least one R1CS sub-data, the CPU performs all or the remaining part of the MultiExp calculation according to that polynomial data and the corresponding R1CS data. Since the MultiExp calculation usually takes longer than the FFT calculation, there are still unfinished MultiExp calculations after the FFT calculation of the whole proving task is complete, so the CPU and the GPU share the unfinished MultiExp calculations until all the proof components have been calculated and the proof is obtained. With this proof method, a zero-knowledge proof task with on the order of a billion circuit constraints requires only about 25 minutes on a computer device that is likewise configured with 8 Nvidia 2080Ti series GPUs.
As noted above, it follows from formulas (3), (4) and (5) that, in the proof
Figure 424295DEST_PATH_IMAGE028
only the component
Figure 817230DEST_PATH_IMAGE029
is related to
Figure 169583DEST_PATH_IMAGE016
. This means that the MultiExp calculation processing can be further divided into the calculation of first component data that is independent of the polynomial data and the calculation of second component data that depends on the polynomial data. Therefore, step S103 may include the following steps:
Step S103-1: the CPU performs MultiExp calculation processing based on the R1CS sub-data to obtain the first component data of the proof component corresponding to the R1CS sub-data, wherein the first component data is unrelated to the polynomial data corresponding to the R1CS sub-data.
Step S103-2: the CPU performs MultiExp calculation processing based on the R1CS sub-data and the polynomial data corresponding to the R1CS sub-data to obtain the second component data of the proof component corresponding to the R1CS sub-data, wherein the second component data is related to the polynomial data corresponding to the R1CS sub-data.
Step S103-3: the CPU obtains the proof component corresponding to the R1CS sub-data based on the first component data and the second component data.
Specifically, the first component data includes [term image not reproduced], [term image not reproduced] and [term image not reproduced]; the second component data includes [term image not reproduced]. Obviously, the first component data comprises a plurality of mutually independent parts, which can also be calculated in parallel.
In some embodiments, the CPU is a multi-core, multi-threaded CPU, and the CPU performs the MultiExp calculation process using at least one thread, where each thread includes multiple coroutines, and the multiple coroutines are used to concurrently process the proof component corresponding to one R1CS sub-data. When performing the MultiExp calculation in each thread, the coroutines in the thread concurrently perform the calculation of the first component data and/or the second component data. By processing one R1CS sub-data concurrently with multiple coroutines, the R1CS sub-data can be calculated in an orderly manner according to a certain sequence, and the resource scheduling and recovery of the CPU are accelerated.
In the embodiments of the application, one proof process is divided into a plurality of proof components, and the computation of the proof components can be regarded as parallel processing of a plurality of subtasks. Parallel processing of multiple subtasks causes a large amount of resource contention and conflict, which in turn increases the time consumption of the entire proof process. Therefore, resource contention and conflict can be relieved by isolating the resources used by the calculation processes of the respective proof components. In this embodiment, the speed of the whole proof process is increased by isolating the MultiExp calculation processes corresponding to different proof components from one another, where the isolation is achieved by using an independent thread for each MultiExp calculation. That is, in the present embodiment, a multi-core, multi-threaded CPU is adopted, and the CPU performs the MultiExp calculation process using a plurality of threads, where the plurality of threads are used to process in parallel the proof component corresponding to one R1CS sub-data.
Also in order to reduce resource contention and conflict and speed up the efficiency of resource recovery, in some embodiments, when performing FFT computation on at least one R1CS sub-data, the GPU is used to sequentially perform FFT computation on at least one R1CS sub-data, so as to obtain polynomial data corresponding to each R1CS sub-data.
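The scheduling rules stated above (the GPU runs the FFT of each R1CS sub-data in order, a CPU thread may begin the MultiExp of a sub-data as soon as its polynomial data exists, and once every FFT is finished the GPU shares the remaining MultiExp work with the CPU) can be checked with a small list-scheduling simulation. This is an added example and not code from the patent or its applicant; the time costs are constructed units, not measurements, and the names `Costs`, `simulate` and `overlap` are assumptions. The `overlap=False` case is a baseline of the author's own choosing in which no MultiExp starts before all FFTs are complete, so the two makespans show what the pipelining buys.

```python
"""List-scheduling simulation of the CPU/GPU pipeline described above
(added illustration, not the patent's code).  Costs are constructed time
units.  Rules modelled: the GPU runs the FFT of each R1CS sub-data in
order; a CPU thread may start the MultiExp of a sub-data as soon as its
FFT is done; once every FFT is done the GPU joins the CPU threads and
takes remaining MultiExp work.  Parameter names are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Costs:
    fft: float       # GPU time per sub-data FFT
    cpu_msm: float   # CPU thread time per sub-data MultiExp
    gpu_msm: float   # GPU time per sub-data MultiExp (after the FFTs finish)


def simulate(n_subdata: int, costs: Costs, cpu_threads: int,
             overlap: bool = True) -> Tuple[float, Dict[int, Tuple[str, float, float]]]:
    """Return (makespan, schedule) where schedule[i] = (worker, start, end).

    overlap=True is the pipelined method from the text; overlap=False is a
    baseline in which no MultiExp starts before all FFTs are complete."""
    # The GPU performs the FFTs sequentially, in sub-data order.
    fft_done: List[float] = [costs.fft * (i + 1) for i in range(n_subdata)]
    all_fft_done = fft_done[-1] if fft_done else 0.0
    if not overlap:
        fft_done = [all_fft_done] * n_subdata
    # Workers: CPU threads are free from time 0; the GPU becomes a MultiExp
    # worker only once its FFT duty is over.
    workers: List[Tuple[str, float]] = [(f"cpu{t}", 0.0) for t in range(cpu_threads)]
    workers.append(("gpu", all_fft_done))
    schedule: Dict[int, Tuple[str, float, float]] = {}
    for i in range(n_subdata):  # sub-data become ready in FFT order
        # The worker that frees up first takes the next sub-data, waiting
        # for that sub-data's polynomial data if it is not ready yet.
        k = min(range(len(workers)), key=lambda w: workers[w][1])
        name, free_at = workers[k]
        start = max(free_at, fft_done[i])
        cost = costs.gpu_msm if name == "gpu" else costs.cpu_msm
        end = start + cost
        workers[k] = (name, end)
        schedule[i] = (name, start, end)
    makespan = max((e for _, _, e in schedule.values()), default=0.0)
    return makespan, schedule


if __name__ == "__main__":
    c = Costs(fft=1.0, cpu_msm=3.0, gpu_msm=2.0)  # constructed costs
    for overlap in (True, False):
        span, sched = simulate(6, c, cpu_threads=2, overlap=overlap)
        print(f"overlap={overlap}: makespan={span}")
        for i, (worker, s, e) in sched.items():
            print(f"  sub-data {i}: {worker} [{s}, {e}]")
```

With the constructed costs above the pipelined schedule finishes at 10 time units and the non-overlapped baseline at 12, and the GPU picks up a MultiExp (sub-data 4) as soon as its last FFT ends, which is the sharing behaviour the text describes for the tail of the proof task.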
It should be understood that, the sequence numbers of the steps in the foregoing embodiments do not imply an execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present invention.
The embodiment of the present application further provides a proof system for zero-knowledge proof. The system may be used to implement the above-mentioned proof method for zero-knowledge proof, and the description given in the method embodiment above applies equally to the working process of the proof system in this embodiment, so it is not repeated here.
Referring to fig. 4, the certification system includes: an input device 41, a circuit 42, a GPU 44 and a CPU 43, wherein the input device is connected to the circuit, the circuit is connected to the CPU, and the CPU is connected to the GPU.
An input device 41 for acquiring certification parameters and data to be certified;
the circuit 42 comprises at least one sub-circuit, and the circuit 42 is configured to perform circuit synthesis processing on the certification parameters and the data to be certified to obtain R1CS data, where the R1CS data includes at least one R1CS sub-data, and each sub-circuit is configured to construct one R1CS sub-data;
the GPU 44 is configured to, when R1CS sub-data which has not been processed by FFT calculation exists, perform FFT calculation processing based on the R1CS sub-data to obtain polynomial data corresponding to the R1CS sub-data; the GPU 44 is configured to perform, when all the R1CS sub-data have been processed by FFT calculation, MultiExp calculation processing in parallel with the CPU 43 based on polynomial data corresponding to the R1CS sub-data and the R1CS sub-data, to obtain a certification component corresponding to the R1CS sub-data;
the CPU 43 is configured to, when R1CS sub-data which has not been subjected to FFT calculation processing exists, perform MultiExp calculation processing based on polynomial data corresponding to the R1CS sub-data and the R1CS sub-data to obtain a certification component corresponding to the R1CS sub-data; the CPU 43 is configured to perform, when all the R1CS sub-data has been processed by FFT calculation, MultiExp calculation processing in parallel with the GPU 44 based on polynomial data corresponding to the R1CS sub-data and the R1CS sub-data, so as to obtain a certification component corresponding to the R1CS sub-data;
the CPU 43 is further configured to generate a certification based on the certification components corresponding to all the R1CS sub-data in the R1CS data.
In some embodiments, the CPU 43 is a multi-core, multi-threaded CPU, and the CPU 43 performs a MultiExp calculation process using at least one thread, where each thread includes multiple coroutines for concurrently processing a proof component corresponding to one R1CS sub-data.
In some embodiments, the CPU 43 is a multi-core multi-threaded CPU, and the CPU 43 performs the MultiExp calculation processing using a plurality of threads, wherein the plurality of threads are used for processing the certification component corresponding to one R1CS subdata in parallel.
An embodiment of the present application further provides an electronic device, where the electronic device may be a server, and an internal structure diagram of the electronic device may be as shown in fig. 5. The electronic device includes a processor 51, a memory 52, and a network interface 53 connected by a system bus 54. The processor 51 of the electronic device provides computing and control capabilities. The memory 52 of the electronic device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage medium. The network interface 53 of the electronic device is used for communicating with an external terminal through a network connection. The computer program, when executed by a processor, performs the following steps:
s1, obtaining proving parameters and data to be proved, and performing circuit synthesis processing on the proving parameters and the data to be proved to obtain R1CS data, wherein a circuit used for the circuit synthesis processing comprises at least one sub-circuit, R1CS data comprises at least one R1CS sub-data, and each sub-circuit is used for constructing one R1CS sub-data;
s2, when R1CS sub-data which has not been processed by FFT calculation exists, using a GPU to perform FFT calculation processing based on the R1CS sub-data to obtain polynomial data corresponding to the R1CS sub-data;
s3, when R1CS sub-data which has not been processed by FFT calculation exists, performing MultiExp calculation processing by using a CPU (central processing unit) based on the R1CS sub-data and polynomial data corresponding to the R1CS sub-data to obtain a certification component corresponding to the R1CS sub-data;
s4, when all the R1CS sub-data has been processed by FFT calculation, using a CPU and a GPU to perform MultiExp calculation in parallel based on the R1CS sub-data and polynomial data corresponding to the R1CS sub-data to obtain a proving component corresponding to the R1CS sub-data;
s5, based on the certification component corresponding to all R1CS subdata in the R1CS data, generating the certification.
The computer program is capable of implementing any of the above-described method embodiments for proof of zero knowledge when executed by a processor.
Embodiments of the present application further provide a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the following steps:
s1, obtaining proving parameters and data to be proved, and performing circuit synthesis processing on the proving parameters and the data to be proved to obtain R1CS data, wherein a circuit used for the circuit synthesis processing comprises at least one sub-circuit, R1CS data comprises at least one R1CS sub-data, and each sub-circuit is used for constructing one R1CS sub-data;
s2, when R1CS sub-data which has not been processed by FFT calculation exists, using a GPU to perform FFT calculation processing based on the R1CS sub-data to obtain polynomial data corresponding to the R1CS sub-data;
s3, when R1CS sub-data which has not been processed by FFT calculation exists, performing MultiExp calculation processing by using a CPU (central processing unit) based on the R1CS sub-data and polynomial data corresponding to the R1CS sub-data to obtain a certification component corresponding to the R1CS sub-data;
s4, when all the R1CS sub-data has been processed by FFT calculation, using a CPU and a GPU to perform MultiExp calculation in parallel based on the R1CS sub-data and polynomial data corresponding to the R1CS sub-data to obtain a proving component corresponding to the R1CS sub-data;
s5, based on the certification component corresponding to all R1CS subdata in the R1CS data, generating the certification.
The computer program is capable of implementing any of the above-described method embodiments for proof of zero knowledge when executed by a processor.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by instructing the relevant hardware through a computer program, which can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, databases, or other media used in embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), Direct Rambus Dynamic RAM (DRDRAM), and Rambus Dynamic RAM (RDRAM).
It should be understood that the specific embodiments described herein are merely illustrative of this application and are not intended to be limiting. All other embodiments, which can be derived by a person skilled in the art from the examples provided herein without any inventive step, shall fall within the scope of protection of the present application.
It is obvious that the drawings are only examples or embodiments of the present application, and it is obvious to those skilled in the art that the present application can be applied to other similar cases according to the drawings without creative efforts. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
The term "embodiment" is used herein to mean that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the present application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is to be expressly or implicitly understood by one of ordinary skill in the art that the embodiments described in this application may be combined with other embodiments without conflict.
The above examples only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the patent protection. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present application shall be subject to the claims.

Claims (10)

1. An attestation method for zero knowledge attestation, comprising:
obtaining certification parameters and to-be-certified data, and performing circuit synthesis processing on the certification parameters and the to-be-certified data to obtain R1CS data, wherein a circuit for the circuit synthesis processing comprises at least one sub-circuit, the R1CS data comprises at least one R1CS sub-data, and each sub-circuit is used for constructing one R1CS sub-data;
when the R1CS sub-data which is not processed by FFT calculation exists, based on the R1CS sub-data, using a GPU to perform FFT calculation processing to obtain polynomial data corresponding to the R1CS sub-data;
when R1CS sub-data which has not been processed by FFT calculation exists, performing MultiExp calculation processing by using a CPU (central processing unit) based on the R1CS sub-data and polynomial data corresponding to the R1CS sub-data to obtain a proving component corresponding to the R1CS sub-data;
when all the R1CS sub-data has been subjected to FFT calculation processing, using the CPU and the GPU to carry out MultiExp calculation processing in parallel on the basis of polynomial data corresponding to the R1CS sub-data and the R1CS sub-data to obtain a proving component corresponding to the R1CS sub-data;
and generating a certificate based on the certificate components corresponding to all the R1CS subdata in the R1CS data.
2. The attestation method for zero-knowledge attestation of claim 1, wherein the CPU is a multi-core multi-threaded CPU, the CPU performs a MultiExp computing process using at least one thread, wherein each thread comprises a plurality of coroutines, and the plurality of coroutines are configured to concurrently process an attestation component corresponding to one of the R1CS sub-data.
3. The attestation method for zero-knowledge attestation of claim 1, wherein the CPU is a multi-core multi-threaded CPU, and the CPU performs a MultiExp computing process using multiple threads, wherein the multiple threads are configured to process in parallel an attestation component corresponding to one of the R1CS sub-data.
4. The proof method for zero knowledge proof of claim 1, wherein the obtaining of the polynomial data corresponding to the R1CS sub-data by performing FFT computation using a GPU based on the R1CS sub-data comprises:
and sequentially performing FFT (fast Fourier transform) calculation processing on the at least one R1CS sub-data by using a GPU (graphics processing unit) to obtain polynomial data corresponding to each R1CS sub-data.
5. The proof method for zero-knowledge proof of claim 1, wherein performing a MultiExp calculation process using a CPU based on the R1CS sub-data and polynomial data corresponding to the R1CS sub-data to obtain the proof component corresponding to the R1CS sub-data comprises:
based on the R1CS sub-data, performing MultiExp calculation processing by using a CPU (central processing unit) to obtain first component data of a proving component corresponding to the R1CS sub-data, wherein the first component data is unrelated to polynomial data corresponding to the R1CS sub-data;
performing MultiExp calculation processing by using a CPU based on the R1CS sub-data and polynomial data corresponding to the R1CS sub-data to obtain second component data of a proof component corresponding to the R1CS sub-data, wherein the second component data is related to the polynomial data corresponding to the R1CS sub-data;
and obtaining a certification component corresponding to the R1CS sub-data based on the first component data and the second component data.
6. An attestation system for zero knowledge attestation, comprising: an input device, a circuit, a GPU and a CPU, wherein the input device is connected with the circuit, the circuit is connected with the CPU, the CPU is connected with the GPU,
the input device is used for acquiring the certification parameters and the data to be certified;
the circuit comprises at least one sub-circuit, the circuit is used for carrying out circuit synthesis processing on the certification parameters and the data to be certified to obtain R1CS data, wherein the R1CS data comprises at least one R1CS sub-data, and each sub-circuit is used for constructing one R1CS sub-data;
the GPU is used for performing FFT calculation processing on the basis of the R1CS sub-data when R1CS sub-data which has not been processed by FFT calculation exists, so as to obtain polynomial data corresponding to the R1CS sub-data; the GPU is used for performing MultiExp calculation processing in parallel with the CPU based on polynomial data corresponding to the R1CS sub-data and the R1CS sub-data when all the R1CS sub-data has been subjected to FFT calculation processing, to obtain a proving component corresponding to the R1CS sub-data;
the CPU is used for performing MultiExp calculation processing on the basis of polynomial data corresponding to the R1CS sub-data and the R1CS sub-data when R1CS sub-data which has not been subjected to FFT calculation processing exists, so as to obtain a proving component corresponding to the R1CS sub-data; the CPU is used for performing MultiExp calculation processing in parallel with the GPU on the basis of polynomial data corresponding to the R1CS sub-data and the R1CS sub-data when all the R1CS sub-data has been subjected to FFT calculation processing, so as to obtain a proving component corresponding to the R1CS sub-data;
the CPU is further configured to generate a certification based on the certification components corresponding to all the R1CS sub-data in the R1CS data.
7. The attestation system for zero-knowledge attestation of claim 6, wherein the CPU is a multi-core, multi-threaded CPU, the CPU performing a MultiExp computing process using at least one thread, wherein each thread comprises a plurality of coroutines for concurrently processing an attestation component corresponding to one of the R1CS sub-data.
8. The attestation system for zero-knowledge attestation of claim 6, wherein the CPU is a multi-core multi-threaded CPU, the CPU performing a MultiExp computing process using multiple threads, wherein the multiple threads are configured to process in parallel an attestation component corresponding to one of the R1CS sub-data.
9. An electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the attestation method for zero knowledge attestation of any of claims 1 to 5 when executing the computer program.
10. A computer-readable storage medium, storing a computer program which, when being executed by a processor, carries out the steps of the attestation method for zero knowledge attestation of any one of claims 1 to 5.
CN202111375621.4A 2021-11-19 2021-11-19 Proof method, system, electronic device and storage medium for zero-knowledge proof Active CN113806059B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111375621.4A CN113806059B (en) 2021-11-19 2021-11-19 Proof method, system, electronic device and storage medium for zero-knowledge proof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111375621.4A CN113806059B (en) 2021-11-19 2021-11-19 Proof method, system, electronic device and storage medium for zero-knowledge proof

Publications (2)

Publication Number Publication Date
CN113806059A true CN113806059A (en) 2021-12-17
CN113806059B CN113806059B (en) 2022-06-03

Family

ID=78937489

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111375621.4A Active CN113806059B (en) 2021-11-19 2021-11-19 Proof method, system, electronic device and storage medium for zero-knowledge proof

Country Status (1)

Country Link
CN (1) CN113806059B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110113383A (en) * 2019-04-10 2019-08-09 广东工业大学 A consensus mechanism implementation method for alleviating bookkeeping power centralization under a PoS mechanism
CN111585770A (en) * 2020-01-21 2020-08-25 上海致居信息科技有限公司 Method, device, medium and system for distributed acquisition of zero-knowledge proof
US20210194861A1 (en) * 2019-12-20 2021-06-24 AT&T Global Network Services Hong Kong LTD Zero-Knowledge Proof Network Protocol for N-Party Verification of Shared Internet of Things Assets
CN113177225A (en) * 2021-03-16 2021-07-27 深圳市名竹科技有限公司 Block chain-based data storage certification method, device, equipment and storage medium
CN113569294A (en) * 2021-09-22 2021-10-29 浙江大学 Zero knowledge proving method and device, electronic equipment and storage medium


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
程豪 (Cheng Hao): "Implementation and performance analysis of CPU-GPU parallel matrix multiplication", Computer Engineering (《计算机工程》), no. 13, 31 July 2010 (2010-07-31), pages 1 - 4 *

Also Published As

Publication number Publication date
CN113806059B (en) 2022-06-03


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: Proof methods, systems, electronic devices, and storage media for zero knowledge proof

Granted publication date: 20220603

Pledgee: Bank of Beijing Co.,Ltd. Hangzhou Yuhang sub branch

Pledgor: Hangzhou Fangzhou Technology Co.,Ltd.

Registration number: Y2024980014378