JP2023110884A - Data processing device and data processing method - Google Patents

Abstract

To provide a data processing device for converting executable source code into zero-knowledge proof capable of verifying the correctness of the execution process of the source code, and a data processing method.SOLUTION: The data processing device includes: an arithmetic circuit constraint generation unit that is configured to automatically analyze source code and decompose the source code into code structure and to generate arithmetic circuit constraints that describe code structure; and a zero-knowledge proof generation unit that is configured to generate zero-knowledge proof by using the arithmetic circuit constraints. The zero-knowledge proof is constituted of polynomials that are formed based on the arithmetic circuit constraints.SELECTED DRAWING: Figure 1

Description

TECHNICAL FIELD The present invention relates to the technical field of data processing, and in particular, converts executable source code into zero-knowledge proof for verifying the correctness of the execution process of the source code. The present invention relates to a data processing apparatus and data processing method for conversion.

In various conventional data processing techniques, when the business (service) logic involved in data processing becomes relatively complex, the performance of data processing can be significantly degraded, and the associated costs of data processing can be increased accordingly.

In order to solve the above-mentioned problems existing in the prior art, the present invention provides a data processing technology for transforming executable source code into zero-knowledge proofs for verifying the correctness of the execution process of the source code. The task is to provide

According to one aspect of the present invention, there is provided a data processing apparatus used for converting executable source code into zero-knowledge proofs for verifying the correctness of the execution process of the source code, the data processing apparatus comprising: The device
an arithmetic circuit constraint generation unit configured to automatically analyze source code to decompose the source code into code structures and generate arithmetic circuit constraints that describe the code structures; and using the arithmetic circuit constraints. A zero-knowledge proof generation unit configured to generate a zero-knowledge proof, the zero-knowledge proof including a zero-knowledge proof generation unit constructed by polynomials formed based on arithmetic circuit constraints.

According to another aspect of the present invention, there is provided a data processing method for transforming executable source code into zero-knowledge proofs for verifying the correctness of an execution process of the source code, the data processing method comprising: teeth,
automatically analyzing source code to decompose the source code into code structures, generating arithmetic circuit constraints that describe the code structures; and generating zero-knowledge proofs using the arithmetic circuit constraints,
Zero-knowledge proofs are constructed by polynomials formed based on arithmetic circuit constraints.

According to another aspect of the present invention, there is provided a computer program capable of implementing the data processing method described above. Also provided is a computer program product in the form of at least a computer readable medium, in which is stored computer program code for implementing the data processing method described above.

According to the data processing technology for converting executable source code into zero-knowledge proof for verifying the correctness of the execution process of the source code in the present invention, complex on-chain business logic can be converted off-chain and automatically generate zero-knowledge proofs for off-chain computations and their associated data, ensuring the accuracy of off-chain computations. In particular, the data processing technique can automatically analyze the source code for off-chain computation to translate the computation process into circuit constraints, and generate proofs for it using an optimized zero-knowledge proof protocol. In this way, security can be ensured and the computational cost of the blockchain can also be reduced.

1 is a block diagram of a data processing device in an embodiment of the present invention; FIG. FIG. 2 illustrates exemplary processing performed by a data processing apparatus in an embodiment of the present invention; FIG. 4 is a block diagram of an arithmetic circuit constraint generation unit in an embodiment of the present invention; FIG. 4 illustrates exemplary processing performed by the static analysis subunit in an embodiment of the invention; FIG. 4 shows an exemplary process performed by a static analysis subunit on a first code structure in an embodiment of the present invention; FIG. 4 shows an exemplary process performed by the static analysis subunit on the second code structure in an embodiment of the present invention; FIG. 4 illustrates an exemplary process performed by the static analysis subunit on the third code structure in an embodiment of the present invention; FIG. 10 illustrates an exemplary process performed by the static analysis subunit on the fourth code structure in an embodiment of the present invention; FIG. 4 illustrates exemplary processing performed by the dynamic analysis subunit in an embodiment of the invention; FIG. 10 illustrates an exemplary process performed by the dynamic analysis subunit for fifth through eighth code structures in an embodiment of the present invention; Fig. 3 shows an exemplary process performed by a zero-knowledge proof generation unit in an embodiment of the present invention; FIG. 4 illustrates an exemplary cumulative proof generation process performed by a zero-knowledge proof generation unit in an embodiment of the present invention; FIG. 4 is a diagram showing an example of cumulative proof processing executed by a zero-knowledge proof generation unit in an embodiment of the present invention; 4 is a flow chart of a data processing method according to an embodiment of the present invention; 1 is a configuration diagram of a general-purpose machine that can implement a data processing method and a data processing device according to an embodiment of the present invention; FIG.

Preferred embodiments for carrying out the present invention will now be described in detail with reference to the accompanying drawings. It should be noted that these examples are merely illustrative and do not limit the present invention.

Zero-knowledge proofs can verify the correctness of general-purpose computations without exposing information about the computations. Zero-knowledge proof transforms general-purpose computations into arithmetic circuits according to the computation steps, constrains each circuit gate, formalizes and unifies the constraints of all circuit gates, and integrates them to form an arithmetic circuit constraint system. do. We translate the correctness of general-purpose computations into the satisfiability of arithmetic circuit constraint systems. We transform the arithmetic circuit constraint system into a polynomial representation, and transform the general computational accuracy back into polynomial accuracy. Verification of the correctness of general-purpose computations can be achieved by sampling and verifying values in the domain of the polynomial. In this process, cryptographic schemes allow verifiers to verify against the correctness of general-purpose computations without obtaining information about the general-purpose computations.

A blockchain can be viewed as a distributed database that operates in a manner of decentralization. By using means such as data encryption, timestamps, decentralized consensus, and economic incentives, blockchain technology enables decentralization-based points without the need for mutual trust of transaction nodes in decentralized systems. Because it can realize two-point transaction, coordination and collaboration, it can solve the problems such as high cost, low efficiency and data storage insecurity that are commonly present in centralization mechanisms.

In recent years, as a new form of universal distributed infrastructure architecture, blockchain has been widely applied in various fields such as finance, economy, technology, and even politics.

However, in current blockchain systems, on-chain business logic is realized by smart contracts. When the on-chain business logic becomes relatively complex, the performance of uploading transactions to the chain may be significantly degraded, and transaction processing fees may increase accordingly.

In addition, to ensure safety, blockchain application developers manually perform zero-knowledge proof for this part of the smart contract code when transferring the business logic in the on-chain smart contract to off-chain. It must be generated to ensure that the off-chain business logic execution process is accurate. As for developers, generating zero-knowledge proofs requires a grasp of the relevant knowledge of cryptography and mathematics. However, most blockchain application developers have no knowledge of cryptography. Also, manually writing the arithmetic circuit constraints for zero-knowledge proofs is very time-consuming. Even if developers can manually generate arithmetic circuit constraints, they still need to use traditional zero-knowledge proof protocols when generating zero-knowledge proofs. generation time cannot be shortened.

According to the data processing technology of the present invention, which will be described in detail below, based on static code analysis of program source code, circuit constraints are applied to sequential structures, all branches, loops, API (Application Program Interface) interface function calls, and the like. and based on dynamic code analysis of program source code, circuit constraints can be generated for dynamic arrays, dynamic loops, specifically executed branches, recursive functions, and the like. Also, the assignment of code variables can be stored in the computational process of dynamic execution of the source code. Also, in the zero-knowledge proof generation process, we optimize the conventional zero-knowledge proof generation method. Specifically, zero-knowledge proofs are generated concurrently for code structures with different (non-overlapping) structures, and zero-knowledge proofs are generated by accumulation for code structures with the same (overlapping) structure.

Note that the terms “arithmetic circuit constraint”, “circuit constraint”, “constraint” and “multiplication circuit constraint” have the same meaning and can be used together in the specification. Also, as used herein, the terms "zero-knowledge proof" and "proof" have the same meaning and may be used interchangeably in the specification.

Data for converting executable source code into zero-knowledge proof for verifying the correctness of the execution process of the source code in the present invention, based on the embodiment of the present invention, with reference to the drawings. Processing technology will be described in detail.

FIG. 1 is a block diagram of a data processing device 100 according to an embodiment of the invention. FIG. 2 is a diagram illustrating exemplary processing performed by data processing apparatus 100 in an embodiment of the present invention.

As shown in FIG. 1, a data processing apparatus 100 in an embodiment of the present invention may include an arithmetic circuit constraint generation unit 101 and a zero-knowledge proof generation unit 102. As shown in FIG.

As shown in FIG. 2, according to embodiments of the present invention, the input of the data processing device 100 may include program source code, e.g., source code written in C language, Java language, Golong language, etc. . Also, as shown in FIG. 2, the output of the data processing device 100 may be a zero-knowledge proof for verifying the correctness of the execution process of the source code.

Also, as indicated by the dashed box in FIG. 2, according to another embodiment of the present invention, the input of data processing apparatus 100 may further include parameters of functions in the program.

According to embodiments of the present invention, the source code is used to perform off-chain pre-processing of data for applications in a blockchain architecture. The applications referred to here may, for example, be on-chain transactions implemented in the form of smart contracts in a blockchain architecture. It should be understood by those skilled in the art that the data processing device and data processing method in the embodiments of the present invention have been described in detail by taking the source code for blockchain smart contract as an example. It is not limited to this. Without departing from the spirit and scope of the present invention, the concept of the present invention can be applied not only to blockchain, but also to source code in other technical fields of data processing. For example, in technical fields where the source code itself cannot be made public due to security reasons, the concept of the present invention can be used to convert the source code into a zero-knowledge proof, thereby verifying the correctness of the source code execution process.

As shown in FIGS. 1 and 2, according to the embodiment of the present invention, the arithmetic circuit constraint generation unit 101 automatically analyzes the source code to decompose the source code into code structures and describes the code structures. Arithmetic circuit constraints can be generated.

As shown in FIG. 2, according to an embodiment of the present invention, the arithmetic circuit constraint generation unit 101 analyzes the static code structure of the source code to generate arithmetic circuit constraints for the static code structure. The static code structure is unchanged during the execution period of the source code, and the dynamic code structure of the source code can be executed to generate arithmetic circuit constraints on the dynamic code structure. The static code structure can change dynamically according to variables during execution of the source code. Also, as indicated by the dashed frame in FIG. 2, according to another embodiment of the present invention, the arithmetic circuit constraint generation unit 101 can further perform variable assignment of the arithmetic circuit. As shown in FIG. 2, according to the embodiment of the present invention, the arithmetic circuit constraint generation unit 101, based on the analysis and execution of the code structure of the source code, the multiplication formula form of the variables contained in the source code. can generate an arithmetic circuit constraint with The configuration and functions of the arithmetic circuit constraint generation unit 101 will be described in more detail below with reference to FIGS. 3 to 10. FIG.

As shown in FIGS. 1 and 2, according to embodiments of the present invention, the zero-knowledge proof generation unit 102 can use the arithmetic circuit constraints generated by the arithmetic circuit constraint generation unit 101 to generate zero-knowledge proofs. Among them, zero-knowledge proofs can be constructed by polynomials formed based on arithmetic circuit constraints. As described above, according to another embodiment of the present invention, zero-knowledge proof generation unit 102 generates arithmetic circuit constraints generated by arithmetic circuit constraint generation unit 101 and circuit variables can be used to generate zero-knowledge proofs.

As shown in FIG. 2, according to an embodiment of the present invention, the zero-knowledge proof generation unit 102 can simultaneously generate zero-knowledge proofs for code structures with different (non-overlapping) structures and also for code structures with the same (overlapping) structures. ), we can generate zero-knowledge proofs by accumulation. The structure and function of the zero-knowledge proof generation unit 102 will be described in more detail below with reference to FIGS. 11 to 13. FIG.

FIG. 3 is a block diagram of the arithmetic circuit constraint generation unit 101 in the embodiment of the invention. As shown in FIG. 3, according to embodiments of the present invention, arithmetic circuit constraint generation unit 101 may include static analysis subunit 1011 and dynamic analysis subunit 1012 . The configurations and functions of the static analysis subunit 1011 and the dynamic analysis subunit 1012 will be described in detail below.

FIG. 4 is a diagram illustrating exemplary processing performed by static analysis subunit 1011 in an embodiment of the present invention.

According to an embodiment of the present invention, the static analysis subunit 1011 can analyze the static code structure of the source code to generate arithmetic circuit constraints for the static code structure, wherein the static code structure is It is immutable within the execution period of the source code.

As shown in FIG. 4, the static analysis subunit 1011 can generate an abstract syntax tree based on the code structure of the source code through static analysis, and analyze the dependencies between the code structures. An Abstract Syntax Tree (AST) is a kind of abstract representation of the source code syntactic structure, which expresses the syntactic structure of the source code in a tree-like form, and each node in the tree is one in the source code. represents a single code structure. Since the abstract syntax tree is known to those skilled in the art, detailed description thereof is omitted here for convenience of description.

As shown in FIG. 4, according to an embodiment of the present invention, static analysis subunit 1011 analyzes source code to find code structures with uncertainty, thereby identifying code structures with uncertainty. can be fixed. This is because, in the zero-knowledge proof arithmetic circuit constraint system, the number of constraints of the arithmetic circuit and the multiplication circuit gates are always fixed and cannot be changed. If an indeterminate code structure exists, the code structure will be different when different parameters are assigned to the function code of the program, and therefore the arithmetic circuits will also be different. Therefore, it is necessary to analyze the uncertain code structure of the program's source code.

As shown in FIG. 4, according to an embodiment of the present invention, a code structure with indeterminacy is a recursive call without a return result (recursively calling a function is called a recursive call). including at least one of a code construct, an infinite loop code construct, and an undetermined branching code construct. According to embodiments of the present invention, if there are structures with such ambiguities in the source code, the developer may be suggested to modify or remove such code structures.

As shown in FIG. 4, according to an embodiment of the present invention, the static analysis subunit 1011 performs an operation having the form of a multiplication formula of variables contained in the source code on the static code structure in a rule matching manner. Can generate circuit constraints. According to an embodiment of the present invention, the static code structure includes a first code structure of sequential execution, a second code structure of fixed oriented branch (oriented constant branch), and a fixed number of loops (number of loops). and at least one of a third code structure of a constant count loop) and a fourth code structure of an interface function.

FIG. 5 is a diagram illustrating exemplary processing performed by static analysis subunit 1011 on a first code structure in an embodiment of the present invention.

As shown in FIG. 5, according to an embodiment of the present invention, static analysis subunit 1011 first analyzes variables (var) for constants for the first code structure of sequential execution, and then You can compute all variable values in terms of constants. After that, the static analysis subunit 1011 can filter variables that are unrelated to the function params and do not generate arithmetic circuit constraints for this part of the code. Also, the static analysis subunit 1011 does not generate arithmetic circuit constraints for variables unrelated to function parameters and return values (Result). The static analysis subunit 1011 can then transform all algebraic computations into the form of multiplicative formulas, of which each multiplicative formula represents one arithmetic circuit constraint. The static analysis subunit 1011 can also, for the generated set of multiplication formulas, merge computations of multiplication of variables and constants to obtain arithmetic circuit constraints having the form of multiplication circuit constraints.

For example, as shown in FIG. 5, an exemplary first code structure has four variables (var) a, b, c, and d, of which variables a and b are associated with function parameters (param). and the variables c and d are associated with constants, ie given the values of 12 and 3 respectively. The first code structure also has intermediate variables (var) tmp1, tmp2, and can obtain the final return value Result.

As shown in FIG. 5, according to an embodiment of the present invention, static analysis subunit 1011 computes all variable values associated with constants and replaces intermediate variable tmp2 with 14, for example. As described above, static analysis subunit 1011 does not generate arithmetic circuit constraints for this portion of code. In FIG. 5, the portion of the source code related to the generation of the arithmetic circuit constraint is indicated by a gray frame, and the portion of the source code unrelated to the generation of the arithmetic circuit constraint is indicated by a white frame. Therefore, as shown in FIG. 5, the static analysis subunit 1011 obtains arithmetic circuit constraints for indicating the first code structure by merging the multiplication formulas obtained in the above manner, namely: Result=14*param1*param2.

FIG. 6 shows an exemplary process performed by static analysis subunit 1011 on the second code structure in an embodiment of the present invention.

As shown in FIG. 6, according to an embodiment of the present invention, if the source code's branch decision statements (statements) are definite, i.e., static code, the static analysis subunit 1011 specifically You can directly generate the multiplier circuit constraint by computing the branch taken to .

Also, according to an embodiment of the present invention, the static analysis subunit 1011 lists all branch structures when the branch decision statements in the source code are associated with parameters of functions, i.e. dynamic code. , and for each branch, a range proof multiplication circuit constraint and an internal code multiplication circuit constraint for that branch can be generated.

For example, as shown in FIG. 6, the branch decision statement directs two different branches based on whether the value of the function's parameter param1 is greater than ten. Therefore, as shown in FIG. 6, the static analysis subunit 1011 applies the range proof multiplication circuit constraints “param1>10” and “param1<=(≦)10” of the two branch structures, and the two Multiplication circuit constraints “Result=param1*param2” and “Result=param1*param3” of the branch structure internal code can be generated.

FIG. 7 shows an exemplary process performed by static analysis subunit 1011 on the third code structure in an embodiment of the present invention.

As shown in FIG. 7, according to an embodiment of the present invention, for a third code structure with a fixed number of loops, if the number of loops length in the source code is constant, the static analysis subunit 1011 performs the loop , and for each loop, the same circuit constraint can be generated repeatedly, the number of repetitions (duplicates) being the aforementioned constant. Also, if the number of loops length in the source code is a variable, the dynamic analysis subunit 1012 described below generates the associated multiplier circuit constraints.

FIG. 8 shows an exemplary process performed by static analysis subunit 1011 on the fourth code structure in an embodiment of the present invention.

As shown in FIG. 8, according to an embodiment of the present invention, if a source code has a fourth code structure of an interface function, such as an application program interface (API) function, the static analysis subunit 1011 directly: Circuit constraints for API functions can be obtained from the database. According to embodiments of the present invention, the arithmetic circuit constraints of the fourth code structure may be pre-determined. For example, according to an embodiment of the present invention, circuit constraints for each API function are pre-generated by the method static analysis subunit 1011 described above generates circuit constraints for the first through third code structures, and stored in a database. May be stored.

Returning now to FIG. 3, according to an embodiment of the present invention, the dynamic analysis subunit 1012 can execute the dynamic code structure of the source code to generate arithmetic circuit constraints for the dynamic code structure, among which: A dynamic code structure changes dynamically according to variables during the execution of the source code.

FIG. 9 illustrates exemplary processing performed by the dynamic analysis subunit 1012 in an embodiment of the invention.

As shown in FIG. 9, according to an embodiment of the present invention, the dynamic analysis subunit 1012 performs dynamic execution on the source code of a function to determine the size of dynamic structures in the code, such as dynamic arrays. You can record the length of the , the number of loops, the specific branch taken, the number of recursive calls, etc.

According to an embodiment of the present invention, the dynamic code structures analyzed by the dynamic analysis subunit 1012 are: a fifth code structure of arrays containing variables; a sixth code structure of non-constant number of loops; At least one of a seventh code structure of branching and an eighth code structure of recursive call may be included.

Also, according to embodiments of the present invention, the dynamic analysis subunit 1012 can store the assignment of each code variable in the source code, eg, by code instrumentation. Code instrumentation is a basic dynamic testing method, which adds some statements to the source code to check the execution of the program, the change of variables, etc. can be used to obtain program control flow and data flow information. It should be noted that code instrumentation is well known to those skilled in the art and will not be described in detail here for the sake of convenience.

Also, as shown in FIG. 9, according to another embodiment of the present invention, the dynamic analysis subunit 1012 uses values of variables in the dynamic code structure to assign values to circuit variables in arithmetic circuit constraints. ) can be given.

FIG. 10 is a diagram illustrating exemplary processing performed by the dynamic analysis subunit 1012 for fifth through eighth code structures in an embodiment of the present invention.

As shown in FIG. 10, according to an embodiment of the present invention, dynamic analysis subunit 1012 uses the static analysis results of static analysis subunit 1011 described above, for example, when executing dynamic code structures. can be used to generate arithmetic circuit constraints for dynamic code structures.

Specifically, a fifth code construct embodiment of an array containing variables may be a positive array. As shown in FIG. 10, according to an embodiment of the present invention, the dynamic analysis subunit 1012 determines the size of the array, the length of the array, and the code variables within the array based on the results of executing the dynamic code. can be determined. The dynamic analysis subunit 1012 can then select the multiplication circuit constraints associated with the array variables from among the circuit constraints (static analysis results) obtained by the static analysis subunit 1011 .

For example, according to an embodiment of the present invention, the dynamic analysis subunit 1012 fixes the variables of the dynamic array and associates the array variables from among the multiplier circuit constraints obtained by the static analysis subunit 1011. You can choose a multiplier circuit constraint that

Also, as shown in FIG. 10, according to an embodiment of the present invention, for a sixth code structure (ie, a dynamic loop structure) of a loop with a non-fixed number of times, the dynamic analysis subunit 1012 Based on the results of execution, the number of loops can be determined. The dynamic analysis subunit 1012 may then iterate the multiplier circuit constraint inside the loop obtained by the static analysis subunit 1011, the number of iterations being the same as the number of loops.

Also, as shown in FIG. 10, according to an embodiment of the present invention, for the seventh code structure of non-fixed oriented branching (i.e., dynamic branching structure), the dynamic analysis subunit 1012 performs dynamic code A particular branch of dynamic execution can be determined based on the results of the execution. Then, the dynamic analysis subunit 1012 selects the multiplication circuit constraint of the particular branch from among all the branch multiplication circuit constraints (static analysis results) obtained by the static analysis subunit 1011, and Similarly, one can add a range proof multiplication circuit constraint for that particular branch.

Also, as shown in FIG. 10, according to an embodiment of the present invention, for an eighth code structure of recursive calls, the dynamic analysis subunit 1012 calculates the number of recursive calls based on the results of executing the dynamic code. can be determined. Then the dynamic analysis subunit 1012 can obtain the internal multiplication circuit constraints of the function based on the static analysis results of the static analysis subunit 1011, and then iterate all the multiplication circuit constraints of the recursive function. , the number of iterations is the same as the number of recursive calls. Also, according to embodiments of the present invention, the dynamic analysis subunit 1012 also needs to add additional relevant constraints that can ensure that the recursive call parameters are the same as the recursive function's assignment parameters.

According to the configuration and function of the arithmetic circuit constraint generation unit 101 as described above, multiplication circuit constraints can be generated, for example, for sequential structures, all branches, loops, API function calls, based on static code analysis, Multiplier circuit constraints can also be generated for dynamic arrays, dynamic loops, specifically executed branches, recursive functions, for example, based on dynamic code execution. Also, the process of dynamic execution may record the allocation of code variables.

Returning now to FIG. 1, according to an embodiment of the present invention, the zero-knowledge proof generation unit 102 can use the arithmetic circuit constraints generated by the arithmetic circuit constraint generation unit 101 to generate zero-knowledge proofs, wherein: Zero-knowledge proofs are constructed by polynomials formed based on arithmetic circuit constraints.

FIG. 11 is a diagram illustrating exemplary processing performed by the zero-knowledge proof generation unit 102 in an embodiment of the present invention.

Specifically, as shown in FIG. 11, according to an embodiment of the present invention, for the fourth code structure of an interface function, if there are multiple different interface function calls, the zero-knowledge proof generation unit 102 generates a zero-knowledge proof Proofs can be generated at the same time.

Also, as shown in FIG. 11, according to an embodiment of the present invention, for the sixth code structure of loops with a non-fixed number of loops, the zero-knowledge proof generation unit 102 uses cumulative proofs for overlapping dynamic loop structures. to generate a zero-knowledge proof.

Similarly, as shown in FIG. 11, according to an embodiment of the present invention, for the eighth code structure of the recursive call, the zero-knowledge proof generation unit 102 uses cumulative proofs to zero Proof of knowledge can be generated.

Hereinafter, based on FIGS. 12 and 13, the process of generating zero-knowledge proof using cumulative proof by zero-knowledge proof generation unit 102 will be described in more detail.

Also shown in FIG. 11, according to an embodiment of the present invention, a first code structure for sequential execution, a second code structure for fixed-oriented branching, a third code structure for fixed-number of loops, an array containing variables , and the seventh code structure of non-fixed-oriented branches, the zero-knowledge proof generation unit 102 can generate zero-knowledge proofs using conventional zero-knowledge protocols.

After that, the zero-knowledge proof generation unit 102 can merge the zero-knowledge proofs of the above first to eighth code structures as one zero-knowledge proof.

As described above, according to embodiments of the present invention, zero-knowledge proof generation unit 102 uses a conventional zero-knowledge protocol when the code structures have different multiplier circuit constraints (e.g., a fourth code structure). Then, for each code structure, zero-knowledge proofs can be generated simultaneously, thereby reducing proof generation time. Also, if the circuit constraints of multiple code structures are the same (eg, the sixth code structure and the eighth code structure), the zero-knowledge proof generation unit 102 can use cumulative proofs to generate the zero-knowledge proof.

Specifically, according to an embodiment of the present invention, for the sixth code structure or the eighth code structure, the zero-knowledge proof generation unit 102 can use the accumulation of polynomials based on its arithmetic circuit constraints as its zero-knowledge proof. .

According to embodiments of the present invention, cumulative proofs generate one zero-knowledge proof for multiple duplicated code structures, thereby reducing the number of arithmetic circuit constraints and shortening the zero-knowledge proof generation time. . For the sixth code structure of a loop with a non-fixed number of times and the eighth code structure of a recursive call, the zero-knowledge proof generation unit 102 can use cumulative proofs to accelerate the generation of zero-knowledge proofs.

FIG. 12 illustrates an exemplary cumulative proof generation process performed by zero-knowledge proof generation unit 102 in an embodiment of the present invention.

According to an embodiment of the present invention, the cumulative proof algorithm is as follows.

As mentioned above, the code structure arithmetic circuit constraint can be expressed by three polynomials as L(x)*R(x)=O(x).

Thus, the generated zero-knowledge proof may contain three polynomials L(x), R(x), O(x). The polynomial L(x) is

と表すことができ、そのうち、ｖ_ｉは演算回路の変数の割り当てを示し、ｌ_ｉ（ｘ）は演算回路変数の係数を示し、ｎは演算回路の変数の数を示す。多項式Ｒ（ｘ）及びＯ（ｘ）は多項式Ｌ（ｘ）と同じ方式で表すことができ、即ち、

where v _i indicates the assignment of variables of the arithmetic circuit, l _i (x) indicates the coefficients of the variables of the arithmetic circuit, and n indicates the number of variables of the arithmetic circuit. Polynomials R(x) and O(x) can be expressed in the same way as polynomial L(x), i.e.

及び

as well as

である。

is.

As shown in FIG. 12, each of the polynomials L(x), R(x), O(x) represents the arithmetic circuit constraints of one code structure. For example, for the same code structure, the coefficients of the arithmetic circuit variables are the same, and the difference is the assignment (value) v _i of the arithmetic circuit variables. Therefore, according to an embodiment of the present invention, the zero-knowledge proof generation unit 102 combines two polynomials A( X), B(X) can be obtained as the final cumulative zero-knowledge proof.

FIG. 13 is a diagram showing an example of cumulative proof processing executed by the zero-knowledge proof generation unit 102 in the embodiment of the present invention.

As shown in FIG. 13, for two arithmetic circuit constraints (2a+b)*b=a and (4a−b)*b=a, there are arithmetic circuit variables a and b. The coefficients of the variable a can be represented by a first degree polynomial, and by solving the equation (i.e., finding the coefficients _c0 and _c1 for each term of the polynomial), the coefficient polynomials of the variable a can be expressed as l _a (x)= 2x can be determined. If there are two identical circuit constraint structures, their zero-knowledge proof information contains the same coefficient polynomial, but the values of the arithmetic circuit constraint variable a are different (i.e., a_value1 and a_value2 in FIG. 13), so the accumulation You can merge them in the form of

According to an embodiment of the present invention, the zero-knowledge proof generation unit 102 can simultaneously generate zero-knowledge proofs for multiplication circuit constraints without duplicate structures, and cumulative proofs for multiplication circuit constraints with duplicate structures. can be used to generate zero-knowledge proofs, which can reduce proof generation time.

The present invention further provides a data processing method for converting executable source code into zero-knowledge proofs for verifying the correctness of the execution process of the source code. FIG. 14 is a flowchart of a data processing method 1400 according to an embodiment of the invention.

The data processing method 1400 starts at step S1401.

Then, in step S1402, the source code is automatically analyzed to decompose the source code into code structures, and arithmetic circuit constraints describing the code structures are generated. The processing in step S1402 can be realized, for example, by the arithmetic circuit constraint generation unit 101 included in the data processing apparatus 100 described above with reference to FIGS. 1 to 13, so detailed description thereof will be omitted here.

Then, in step S1403, the arithmetic circuit constraints are used to generate a zero-knowledge proof, wherein the zero-knowledge proof is constructed by polynomials formed based on the arithmetic circuit constraints. The processing in step S1403 can be realized, for example, by the zero-knowledge proof generation unit 102 included in the data processing apparatus 100 described above with reference to FIGS. 1 to 13, so detailed description thereof will be omitted here.

Finally, the data processing method 1400 ends at step S1404.

According to the data processing technology for converting executable source code into zero-knowledge proof for verifying the correctness of the execution process of the source code in the present invention, for example, a blockchain architecture-based data processing process off-chain computation, as it can transfer complex on-chain business logic to off-chain computation and automatically generate zero-knowledge proofs for off-chain computation and its associated data when applied to can ensure the accuracy of In particular, the data processing technology can automatically analyze the source code for off-chain computations to translate the computational process into circuit constraints, and zero-knowledge optimization for generating concurrent proofs and cumulative proofs, as described above. Proof protocols can be used to generate proofs. In this way, the security can be ensured and at the same time the computational cost of the blockchain can be reduced.

FIG. 15 is a configuration diagram of a general-purpose machine 1500 that can implement the data processing method 1400 and data processing apparatus 100 in the embodiment of the present invention. General purpose machine 1500 may be, for example, a computer system. Note that the general-purpose machine 1500 is merely an example, and does not limit the scope of use or the functions of the data processing method and data processing apparatus of the present invention.

In FIG. 15, a central processing unit (CPU) 1501 performs various processes based on programs stored in a ROM 1502 or programs loaded from a storage unit 1508 to a RAM 1503 . The RAM 1503 can store data necessary for the CPU 1501 to perform various processes according to needs. The CPU 1501 , ROM 1502 and RAM 1503 are interconnected via a bus 1504 . Input/output interface 1505 is also connected to bus 1504 .

The input/output interface 1505 is further connected with the following components: an input unit 1506 including a keyboard, etc., an output unit 1507 including a display such as a liquid crystal display (LCD) and a speaker. , a storage unit 1508 including a hard disk, etc., and a communication unit 1509 including a network interface card such as a LAN card, a modem, and the like. A communication unit 1509 performs communication processing via a network such as the Internet or LAN, for example. Drives 1510 may be connected to input/output interface 1505 as desired. A removable medium 1511 , such as a semiconductor memory, can be set in the drive 1510 as necessary to install a computer program read therefrom into the storage unit 1508 .

Additionally, the present invention further provides a program product including machine-readable instruction code. Such instruction codes, when read and executed by a machine, are capable of performing the methods in the embodiments of the present invention described above. Correspondingly, for carrying such program products, for example magnetic disks (including floppy disks), optical disks (including CD-ROMs and DVDs), magneto-optical disks (MD®) ), and various storage media such as semiconductor storage devices are also included in the present invention.

The storage medium described above may include, for example, a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor storage device, etc., but is not limited to these.

Each operation (process) in the above-described method can also be implemented in the form of a computer-executable program stored on various machine-readable storage media.

In addition, the above examples and the like are further disclosed as supplementary notes as follows.

(Appendix 1)
A data processing apparatus for converting executable source code into zero-knowledge proofs for verifying the correctness of an execution process of said source code, comprising:
an arithmetic circuit constraint generation unit configured to automatically analyze the source code to decompose the source code into code structures and to generate arithmetic circuit constraints that describe the code structures; and a zero-knowledge proof generation unit configured to generate the zero-knowledge proof using
An apparatus, wherein said zero-knowledge proof is constructed by polynomials formed based on said arithmetic circuit constraints.

(Appendix 2)
The data processing device according to Appendix 1,
The apparatus, wherein the source code is used to perform off-chain pre-processing on data related to an application in a blockchain architecture.

(Appendix 3)
The data processing device according to Appendix 1,
The apparatus, wherein the arithmetic circuit constraint has the form of a multiplication formula for variables contained in the source code.

(Appendix 4)
The data processing device according to any one of Appendices 1 to 3,
The arithmetic circuit constraint generation unit includes:
a static analysis subunit configured to analyze a static code structure of the source code to generate operational circuit constraints for the static code structure, wherein the static code structure is the source code and a dynamic analysis subunit configured to execute dynamic code structures of said source code to generate arithmetic circuit constraints for said dynamic code structures. A unit comprising a dynamic analysis subunit, wherein said dynamic code structure dynamically changes according to a variable within execution of said source code.

(Appendix 5)
The data processing device according to appendix 4,
The apparatus, wherein the static analysis subunit analyzes the source code to find code structures with ambiguity and corrects the code structures with ambiguity.

(Appendix 6)
The data processing device according to appendix 5,
The apparatus, wherein the code structure with uncertainty includes at least one of a code structure of a recursive call with no return result, a code structure of an infinite loop, and a code structure of an uncertainly oriented branch.

(Appendix 7)
The data processing device according to appendix 4,
The static code structure is at least one of a first code structure for sequential execution, a second code structure for branch with fixed orientation, a third code structure for loop with fixed count, and a fourth code structure for interface function. equipment, including

(Appendix 8)
The data processing device according to appendix 7,
The apparatus, wherein arithmetic circuit constraints of the fourth code structure are predetermined.

(Appendix 9)
The data processing device according to appendix 4,
The dynamic code structure comprises a fifth code structure of an array containing variables, a sixth code structure of a loop with an unfixed count, a seventh code structure of an unfixed branch, and an eighth code structure of a recursive call. An apparatus comprising at least one.

(Appendix 10)
The data processing device according to appendix 4,
The apparatus, wherein the dynamic analysis subunit uses static analysis results of the static analysis subunit to generate arithmetic circuit constraints for the dynamic code structure when executing the dynamic code structure.

(Appendix 11)
The data processing device according to Appendix 9,
The apparatus, wherein for the sixth code structure or the eighth code structure, the zero-knowledge proof generation unit uses accumulation of polynomials based on the arithmetic circuit constraints to make the zero-knowledge proof.

(Appendix 12)
A data processing method for converting executable source code into zero-knowledge proofs for verifying the correctness of an execution process of said source code, comprising:
automatically analyzing the source code to decompose the source code into code structures, and generating arithmetic circuit constraints that describe the code structures; and generating the zero-knowledge proof using the arithmetic circuit constraints. including
A method wherein said zero-knowledge proof is constructed by a polynomial formed based on said arithmetic circuit constraint.

(Appendix 13)
The data processing method according to Appendix 12,
The method, wherein the source code is used for off-chain pre-processing of data for an application in a blockchain architecture.

(Appendix 14)
The data processing method according to Appendix 12,
The method, wherein the arithmetic circuit constraint has the form of a multiplicative formula for variables contained in the source code.

(Appendix 15)
15. The data processing method according to any one of Appendices 12 to 14,
automatically analyzing the source code to decompose the source code into code structures and generating arithmetic circuit constraints describing the code structures;
analyzing a static code structure of the source code to generate arithmetic circuit constraints for the static code structure, wherein the static code structure is unchanged during execution of the source code; and to generate arithmetic circuit constraints for the dynamic code structure, wherein the dynamic code structure dynamically changes according to variables during execution of the source code including, method.

(Appendix 16)
The data processing method according to appendix 15,
A method, wherein analyzing static code structures of the source code includes analyzing the source code to find code structures with ambiguity and modifying the code structures with ambiguity.

(Appendix 17)
The data processing method according to Appendix 16,
The method, wherein the code constructs with uncertainty include at least one of code constructs of recursive calls with no return results, code constructs of infinite loops, and code constructs of undetermined oriented branches.

(Appendix 18)
The data processing method according to appendix 15,
The static code structure is at least one of a first code structure for sequential execution, a second code structure for branch with fixed orientation, a third code structure for loop with fixed count, and a fourth code structure for interface function. A method, including

(Appendix 19)
The data processing method according to appendix 15,
The dynamic code structure comprises a fifth code structure of an array containing variables, a sixth code structure of a loop with an unfixed count, a seventh code structure of an unfixed branch, and an eighth code structure of a recursive call. A method comprising at least one.

(Appendix 20)
A computer readable storage medium,
the program is stored
the program, when executed by a computer, causes the computer to perform a data processing method;
The data processing method is used to convert executable source code into zero-knowledge proofs for verifying the correctness of an execution process of the source code, and
automatically analyzing the source code to decompose the source code into code structures, and generating arithmetic circuit constraints that describe the code structures; and generating the zero-knowledge proof using the arithmetic circuit constraints. including
A storage medium, wherein the zero-knowledge proof is constructed by a polynomial formed based on the arithmetic circuit constraint.

Although the preferred embodiment of the present invention has been described above, the present invention is not limited to this embodiment, and all modifications to the present invention fall within the technical scope of the present invention as long as they do not depart from the gist of the present invention.

Claims (10)

A data processing apparatus for converting executable source code into zero-knowledge proofs for verifying the correctness of an execution process of said source code, comprising:
an operational circuit constraint generation unit configured to automatically analyze the source code to decompose the source code into code structures and generate operational circuit constraints that describe the code structures; and using the operational circuit constraints. a zero-knowledge proof generation unit configured to generate the zero-knowledge proof in
The data processing device, wherein the zero-knowledge proof is constructed by polynomials formed based on the arithmetic circuit constraints. The data processing device according to claim 1,
A data processing apparatus, wherein the source code is used to perform off-chain pre-processing on data related to an application in a blockchain architecture. The data processing device according to claim 1,
The data processing apparatus, wherein the arithmetic circuit constraint has the form of a multiplication formula for variables contained in the source code. The data processing device according to any one of claims 1 to 3,
The arithmetic circuit constraint generation unit includes:
a static analysis subunit configured to analyze a static code structure of said source code to generate operational circuit constraints for said static code structure, said static code structure being an execution of said source code; a static analysis subunit that is invariant in time; and a dynamic analysis subunit that is configured to execute a dynamic code structure of said source code to generate arithmetic circuit constraints for said dynamic code structure. A data processing apparatus, comprising a dynamic analysis subunit, wherein said dynamic code structure dynamically changes according to variables during execution of said source code. The data processing device according to claim 4,
A data processing apparatus, wherein the static analysis subunit analyzes the source code to find code structures with ambiguity and corrects the code structures with ambiguity. The data processing device according to claim 4,
The static code structure is at least one of a first code structure for sequential execution, a second code structure for branch with fixed orientation, a third code structure for loop with fixed count, and a fourth code structure for interface function. data processing equipment, including The data processing device according to claim 4,
The dynamic code structure comprises a fifth code structure of an array containing variables, a sixth code structure of a loop with an unfixed count, a seventh code structure of an unfixed branch, and an eighth code structure of a recursive call. Data processing apparatus, including at least one. The data processing device according to claim 4,
data processing, wherein the dynamic analysis subunit uses static analysis results of a static analysis subunit to generate arithmetic circuit constraints for the dynamic code structure when executing the dynamic code structure; Device. The data processing device according to claim 7,
A data processing apparatus, wherein for the sixth code structure or the eighth code structure, the zero-knowledge proof generation unit uses the accumulation of polynomials based on its arithmetic circuit constraints as its zero-knowledge proof. A data processing method for converting executable source code into zero-knowledge proofs for verifying the correctness of an execution process of said source code, comprising:
automatically analyzing the source code to decompose the source code into code structures, generating arithmetic circuit constraints that describe the code structures; and generating the zero-knowledge proof using the arithmetic circuit constraints. including
A data processing method, wherein the zero-knowledge proof is constructed by a polynomial formed based on the arithmetic circuit constraint.

Images