KR102398543B1 - Verifiable block chain virtual machine with zero knowledge algorithm - Google Patents

Abstract

The present invention relates to a verification system and, more specifically, to a zero-knowledge proof-based blockchain virtual machine verification system which defines and verifies requirements necessary for developing a zero-knowledge proof-based blockchain virtual machine. According to an embodiment of the present invention, disclosed is a virtual machine which completes general verification procedures at high speed by replacing verification for all transactions in a blockchain network through zero-knowledge proof, wherein the verification can be performed through a plurality of verification means for the virtual machine.

Description

A verifiable blockchain virtual machine with zero-knowledge proof algorithm applied {VERIFIABLE BLOCK CHAIN VIRTUAL MACHINE WITH ZERO KNOWLEDGE ALGORITHM}

The present invention relates to a blockchain virtual machine, and in particular, a verifiable blockchain to which a zero-knowledge proof algorithm is applied that can quickly verify that the contents of the block have not been forged or altered even if the block chain participants do not know the contents of the block. It's about virtual machines.

Blockchain refers to a distributed digital ledger that secures the integrity of transaction details without the intervention of a trusted third party in a peer-to-peer (P2P) network and where participants share the details.

Representative examples of blockchain applications are cryptocurrencies such as Bitcoin and Ethereum. After Ethereum introduced the Ethereum Virtual Machine (EVM), the EVM allows users to program directly according to the way they want, rather than performing a set of predefined tasks.

This EVM provides an abstraction of computation and storage similar to the well-known Java Virtual Machine (JVM). As the JVM is designed to provide a runtime environment without being bound by the underlying host OS or hardware, it aims to make it compatible with various systems, and compiles high-level programming languages such as JAVA and Scala into the bytecode instruction set of the virtual machine. can do. EVM also allows advanced smart contract programs such as Solidity, Serpent, etc. to execute their own set of bytecode instructions generated by compiling the language.

However, the EVM has a problem in that efficiency is very low compared to a conventional virtual machine such as a Java Virtual Machine (JVM), and it is difficult to support a complex application environment.

Numerous blockchain implementations have appeared in the past 10 years, but there has been no innovation in terms of accumulating and storing transactions.

Accordingly, Zero Knowledge Proof, which is limitedly applied only to processing some transactions in a simple type of block chain made of UXTO like conventional Bitcoin, is a complex form of dealing with a state tree such as Ethereum. Research to be applied to the blockchain of

The aforementioned Zero Knowledge Proof refers to a method in cryptography that prevents exposure of anything except whether the statement is true or false when someone proves that a certain state is true. The biggest feature of the protocol using zero-knowledge proof is that it can prove the 'validity' of information without disclosing it to a third party.

In order to apply this zero-knowledge proof to the blockchain virtual machine, it is required to understand the operation of the Ethereum virtual machine as a representative blockchain-related virtual machine.

Ethereum's smart contract language, Solidity, is a language created to be understood by humans. Therefore, in order to operate in a virtual machine, it is necessary to change it to a machine language that the virtual machine can understand.

The code written in the above-mentioned Solidity is changed to Ethereum bytecode by the compiler (interpreter), and the bytecode is executed by 'EVM', the virtual machine of Ethereum.

And, when a specific bytecode is executed, all nodes in the Ethereum network execute the same bytecode to verify the transaction. At this time, if the zero-knowledge proof technology that can verify general operation is applied to the virtual machine, it can be determined whether the transaction is a valid transaction by performing verification of the zero-knowledge proof without executing the transaction in the virtual machine.

Laid-open Patent Publication No. 10-2021-0122211 (published date of publication: 2021.10.08.)

The present invention relates to a verification system, and in particular, has a similar architecture to the Ethereum virtual machine, applies zero-knowledge proof technology, and has a problem in providing a blockchain virtual machine capable of verifying performance.

In order to solve the above problems, a blockchain virtual machine capable of verifying a zero-knowledge proof algorithm according to an embodiment of the present invention is a block-chain virtual machine including an interpreter for compiling a smart contract and an operator for zero-knowledge proof. In this case, the transaction is verified using an interpreter that compiles an input transaction, converts it into bytecode, and executes a smart contract according to the bytecode, and evidence generated through a circuit for general operation verification when the smart contract is executed. , wherein the interpreter includes a transaction input unit that receives a transaction input from a transaction sender, an output unit that compiles a smart contract for the input transaction and outputs bytecode, information about the currently input transaction and verified A storage for storing zero-knowledge evidence, a data input unit for receiving one or more bytecodes for a compiled smart contract, a stack for sequentially storing opcodes separated in the process of executing the bytecodes, an address of an instruction stored in the stack It may include a program counter that provides , and a memory in which local variables and solidity assembly codes for executing a transaction are stored.

The calculator includes a code execution unit that receives the bytecode and performs an operation, calculates and deducts a fee according to the operation, checks the residual code and checks the residual gas when the operation is successful, and executes the smart contract; It may include a key generator including a circuit generator for verification, and a zero-knowledge proof unit that performs general operation verification on a transaction using the prover and the verifier.

The key generator includes a circuit generator that receives the size of a reference program, the input number of commands and steps, and time to generate circuit logic for general verification, and a verifier and verification key for zk-SNARK verification from the assigned circuit. It may include a Zk-SNARK key generator that generates

The prover may be provided with a proof key from the key generator, and may generate evidence using coefficients of polynomial functions obtained through the zk-SNARK algorithm, and information necessary for verification and proof in the general operation verification circuit.

The verifier may receive the verification key from the key generator and verify whether the evidence is valid using information necessary for verification and verification in the general operation verification circuit.

According to an embodiment of the present invention, by replacing the verification of all transactions in the blockchain network through zero-knowledge proof, it is possible to provide a virtual machine that completes the general verification procedure at a high speed, and performs verification of the virtual machine. There is an effect that can be done.

1 is a diagram showing the overall structure of a verifiable blockchain virtual machine to which a zero-knowledge proof algorithm is applied according to an embodiment of the present invention.
2 is a diagram illustrating a key generator for zero-knowledge proof applied to a blockchain virtual machine according to an embodiment of the present invention.
3 is a diagram illustrating zero-knowledge proof logic using a key generator for zero-knowledge proof applied to a blockchain virtual machine according to an embodiment of the present invention.
4 and 5 are diagrams illustrating circuits and opcodes implemented in a verifiable blockchain virtual machine to which a zero-knowledge proof algorithm is applied according to an embodiment of the present invention.
6 is a diagram illustrating a method of executing a verification method of a zero-knowledge proof algorithm of a blockchain virtual machine according to an embodiment of the present invention.

The present invention as described above will be described in detail with reference to the accompanying drawings and embodiments.

It should be noted that the technical terms used in the present invention are only used to describe specific embodiments, and are not intended to limit the present invention. In addition, the technical terms used in the present invention should be interpreted as meanings generally understood by those of ordinary skill in the art to which the present invention belongs, unless otherwise specifically defined in the present invention, and excessively comprehensive It should not be construed in the meaning of a human being or in an excessively reduced meaning. In addition, when the technical term used in the present invention is an incorrect technical term that does not accurately express the spirit of the present invention, it should be understood by being replaced with a technical term that can be correctly understood by those skilled in the art. In addition, the general terms used in the present invention should be interpreted according to the definition in the dictionary or according to the context before and after, and should not be interpreted in an excessively reduced meaning.

Also, the singular expression used in the present invention includes the plural expression unless the context clearly dictates otherwise. In the present invention, terms such as “consisting of” or “comprising” should not be construed as necessarily including all of the various components or various steps described in the invention, some of which components or some steps are included. It should be construed that it may not, or may further include additional components or steps.

In addition, terms including ordinal numbers such as first, second, etc. used in the present invention may be used to describe the components, but the components should not be limited by the terms. The terms are used only for the purpose of distinguishing one component from another. For example, without departing from the scope of the present invention, a first component may be referred to as a second component, and similarly, a second component may also be referred to as a first component.

Hereinafter, a preferred embodiment according to the present invention will be described in detail with reference to the accompanying drawings, but the same or similar components are given the same reference numerals regardless of reference numerals, and redundant description thereof will be omitted.

In addition, in the description of the present invention, if it is determined that a detailed description of a related known technology may obscure the gist of the present invention, the detailed description thereof will be omitted. In addition, it should be noted that the accompanying drawings are only for easy understanding of the spirit of the present invention, and should not be construed as limiting the spirit of the present invention by the accompanying drawings.

In the following description, a term indicating a 'zero-knowledge proof-based blockchain virtual machine' according to an embodiment of the present invention may be abbreviated as 'verification system' or 'system'.

In addition, in the following description, "zero knowledge proof (ZKP)" in cryptography, when a prover proves to the other party verifier that a certain proposition is true, any knowledge is exposed except whether the proposition is true or false. It means a procedure of interaction that does not let it happen.

Also, the party who wants to prove that a certain proposition is true is called a prover, and the party who participates in the proof process and exchanges information with the prover is called a verifier. If the parties participating in the zero-knowledge proof arbitrarily change the protocol for the purpose of deceiving the other party, the parties are said to be dishonest or dishonest. Otherwise, it is said to be honest.

Hereinafter, a zero-knowledge proof-based blockchain virtual machine verification system according to an embodiment of the present invention will be described with reference to the drawings.

Hereinafter, a zero-knowledge proof-based blockchain virtual machine and a verification system for verifying the same according to an embodiment of the present invention will be described with reference to the drawings.

1 is a diagram showing the overall structure of a blockchain virtual machine capable of verifying a zero-knowledge proof algorithm according to an embodiment of the present invention.

Referring to FIG. 1 , the blockchain virtual machine 100 capable of verifying the zero-knowledge proof algorithm according to the embodiment of the present invention compiles the input transaction into the bytecode of the smart contract, and an interpreter ( 110) and an operator 120 that verifies the bytecode according to a zero-knowledge algorithm.

In addition, the zero-knowledge proof-based block chain virtual machine according to the embodiment of the present invention is connected to a separate verification system to be verified whether the virtual machine 100 satisfies the requirements as a stack-based block chain virtual machine such as Ethereum. can

The above-mentioned virtual machine requirements include whether it is stack-based, zero-knowledge proof technology is applied, CLI operation is possible, and data can be stored and managed through a database.

In particular, the blockchain virtual machine 100 according to the embodiment of the present invention does not provide a scheduling function as the execution order is externally configured, and provides a code hash, a nonce, and a storage root hash from the blockchain 10 It can operate as a world computer like Ethereum.

And, as the program code is executed on the blockchain virtual machine 100, the smart contract code is executed on the lion's computer, and the result is stored and shared in the blockchain 10 again, so that other users can will continue to do so.

To this end, the blockchain virtual machine 100 may include an interpreter 110 and an operator 120 for executing program codes for smart contracts and performing calculations.

In detail, the interpreter 110 includes a transaction input unit 111 that receives a transaction input from a transaction sender, a bytecode output unit 112 that compiles a smart contract for the input transaction and outputs a bytecode, and a currently inputted transaction. The storage 113 for storing transaction information and proven zero-knowledge evidence, the data input unit 114 for receiving one or more bytecodes for the compiled smart contract, and the data separated during the bytecode execution are sequentially The stack 115 may include a stored stack 115 , a program counter 116 providing an address of an instruction stored in the stack, and a memory 117 storing an execution result calculated through the operator 120 .

The transaction input unit 111 may receive a transaction to be executed in the virtual machine 100 . The transaction sender may input nonce, gas limit (STARTGAS), gas price, destination (MSG.SENDER), value (MSG.VALUE), sender's signature and data bytecode, etc. into the transaction input unit 111 . The transaction input unit 111 may check whether the corresponding transaction is in the correct format using the above-described data, and if not, may return an error.

The bytecode output unit 112 may compile the code of the smart contract executed by the transaction and output the bytecode. These bytecodes are provided to the calculator 120 to which the zero-knowledge proof algorithm is applied and go through a verification process, thereby omitting the process of verifying that a conventional transaction is distributed to all blockchain networks.

The storage 113 may store various data related to the execution of a transaction, and may be a storage in which 256-bit characters are connected in the form of a key-value. Data stored in the storage 113 include the current state, residual gas, block header, transaction sender (MSG.SENDER), transaction value expressed in WEI (MSG.VALUE), the owner of the executed code, and a bytecode contract for execution, etc. There is this. In particular, according to an embodiment of the present invention, the storage 113 may store evidence proven by the operator 120 according to a zero-knowledge algorithm.

The data input unit 114 may store transaction-related data, in particular, opcodes constituting compiled bytecodes in the stack 115 . The data input unit 114 may copy one of the top 16 elements of the stack 115 to the top or replace the topmost element with one of the 16 bottom elements. The operations may fetch the top two or 2±1 of the stack 115 and push the result onto the stack.

Data input 114 may also move stack elements to storage 113 or memory 117 for access to a deeper stack. However, unless the upper element of the stack 115 is removed, it is impossible to arbitrarily access an element existing thereunder, and the characteristics of the stack 115 may be verified by a separate verification system.

The stack 115 may sequentially store data related to a transaction for executing a smart contract. The virtual machine 100 according to an embodiment of the present invention is a stack machine, and all operations are processed in the stack area, and may have a maximum of 1024 elements and may include 256-bit words.

The program counter 116 provides the address of the instruction stored in the stack 115 , and may indicate the position of the instruction to be executed next in the opcode stored in the stack 115 .

The memory 117 may store a newly initialized instance for the message call. Memory is linear and processed at the byte level, writes can be 8 or 256 bits, and reads can be limited to 256 bits. In addition, a local variable for executing a transaction, a solidity assembly code, and the like may be stored in some pre-allocated area of the memory 117 .

In addition, the virtual machine 100 according to an embodiment of the present invention may include an operator 120 that executes a bytecode, and the operator 120 has a code execution unit ( 121) and the zero-knowledge proofing unit 200 to which the zero-knowledge proof algorithm is applied may be mounted.

The operator 120 receives the bytecode and performs an operation, calculates and deducts a fee, and when the operation of the bytecode succeeds, checks the residual code and checks the residual gas to execute the smart contract. If the operation fails or there is no residual code and residual gas, the transaction can be reversed.

The above-described gas is a unit for measuring the calculation and storage resources required for the block chain virtual machine 100 according to an embodiment of the present invention to perform a task, and is used for executing transactions and smart contracts processed in the virtual machine. It can be taken into account in all calculations performed by

As an example, adding 2 numbers can cost 3 gas, and for each 256-bit data hashed when calculating a Keccak-256 hash it can cost 30 gas + 6 gas.

However, unlike tokens, this gas cannot be owned or consumed. It is a value that merely indicates how many calculations are being performed, and is a concept that exists inside a virtual machine. Accordingly, the code execution unit 121 according to an embodiment of the present invention may return the gas consumption and residual amount generated according to the request of the verification system as gas data, as well as operations such as gas cost confirmation, consumption and residual gas refund. there is. Here, the gas data may not be a value converted into a token, but a direct gas amount may be described as a numerical value.

The zero-knowledge proof unit 200 may include a key generator including a circuit generator for general operation verification, a prover, and a verifier, through which it is possible to perform general operation verification on a transaction.

In particular, the zero-knowledge proof unit 200 generates a general operation verification circuit having the number of reference instructions, the number of reference machine steps, and the size of the reference system, which will be described later, and generates key generator information, prover information, and verifier information. After receiving, a verification key (pk) and a verification key (vk) can be generated using the security parameter and the generated general operation verification circuit.

)를 생성하고, 검증자는 검증키(vk)를 비롯하여 증명에 필요한 정보를 이용하여 증거(

)가 유효한지 검증을 실행할 수 있다.In addition, the prover uses the proof key (pk), the obtained coefficients of the polynomial function, and the information necessary for verification and proof among the general operation verification circuits.

), and the verifier uses the information necessary for proof, including the verification key (vk), to

) can be verified to be valid.

A detailed description of a key generator included in the zero-knowledge proof unit 200 and a zero-knowledge proof-based transaction verification method using the same will be described later.

And, the blockchain virtual machine 100 according to an embodiment of the present invention can be connected to a verification system that verifies whether it conforms to the specifications of Ethereum, and through this, the blockchain virtual machine of the present invention is based on zero-knowledge proof technology. It can process the transaction and verify that the above-mentioned requirements are satisfied.

According to the above-described structure, the blockchain virtual machine capable of verifying the zero-knowledge proof algorithm according to the embodiment of the present invention can reduce the amount of verification and storage space through minimal transaction verification.

Hereinafter, a blockchain virtual machine capable of verifying a zero-knowledge proof algorithm according to an embodiment of the present invention will be described with reference to the drawings.

2 is a diagram illustrating a key generator for zero-knowledge proof applied to a blockchain virtual machine according to an embodiment of the present invention.

Referring to FIG. 2 , a key generator 10 for zero-knowledge proof applied to a zero-knowledge proof-based blockchain virtual machine according to an embodiment of the present invention is a reference program size, commands and steps. A circuit generator 11 that receives the input number and time to generate circuit logic for general verification, and a proving key and verification key for zk-SNARK verification from the allocated circuit It may include a zk-SNARK key generator that generates it.

In the above structure, the circuit generator 211 of the key generator 210 receives the standard program size, the input command size and time, etc., and generates a general operation verification circuit that operates in any program to generate zk- can be assigned to the SNARK key generator 212 .

)은 이하의 '

'개 명령어, 'T '개 이하의 머신 스텝, 'n' 이하의 크기를 갖는 어떤 프로그램에서도 동작하는 서킷을 생성할 수 있다.The circuit for verification generated by the circuit generator 211 must satisfy Equation 1 below. According to Equation 1, the general circuit (

) is the following '

You can create circuits that run on any program with 't' instructions, ' T ' or fewer machine steps, or 'n' or less in size.

'은 기준 명령어의 개수, 'T '는 기준 머신 스텝의 개수, 'n'은 기준 시스템의 크기를 가리킨다.Here, 'C' is the circuit, '

' is the number of reference instructions, ' T ' is the number of reference machine steps, and 'n' is the size of the reference system.

', 'n', 'T ' 값에만 의존함에 따라 일반적(universal)이라 할 수 있고, zk-SNARK 키 생성기(212)와 결합함에 따라 검증 시스템의 파라미터 또한 일반적이게 된다.Circuit 'C' satisfying Equation 1 above does not depend on a program or main input value, only '

It can be said to be universal as it depends only on the ', 'n', and ' T ' values, and in combination with the zk-SNARK key generator 212, the parameters of the verification system also become general.

By using such a key generator 210, all programs can be verified with one key generation, and after that, a key suitable for a given calculation range can be selected, thereby reducing the cost of generating a separate key for each program. can be reduced

) 및 서킷 생성기(211)에 의해 생성된 서킷(

)을 이용하여 증명키(proving key; pk) 및 검증키(verification key; vk)를 생성할 수 있다.In addition, the zk-SNARK key generator 212 receives the key generator information, prover information, and verifier information, and then receives the security parameter (

) and the circuit generated by the circuit generator 211 (

) can be used to generate a proving key (pk) and a verification key (vk).

First, the zk-SNARK key generator 212 uses a zk-SNARK (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge) algorithm to generate evidence that can prove ownership of specific information, such as a secret key, without disclosing the information. do.

That is, the zk-SNARK key generator 212 converts the verification rule into a mathematical form indicating a triple vector, and then converts the verification rule converted into the triple vector into a Lagrange polynomial or fast Fourier to generate a polynomial function.

Specifically, the zk-SNARK key generator 212 converts the verification rule into a rank-1 constraint system (R1CS) format, and then converts the R1CS into a quadratic arithmetic program (QAP). At this time, the verification rules relate to whether the input amount is greater than the output amount, whether the transaction has an appropriate signature, or whether the input belongs to UTXO.

The R1CS is a triple vector (A, B, C), which means a mathematical form of a verification rule, and QAP is a Lagrange polynomial or fast Fourier transform to transform R1CS into a polynomial form as shown in Equation 2 below. .

를 값을 산출할 수 있다. 여기서,

는 QAP 인스턴스인 '

'으로 표현할 수 있고, QAP의 증거(

)인 '

'을 이용하여 증명키(pk) 및 검증키(vk)를 생성할 수 있다.And, the zk-SNARK key generator 212 through the random element (Γ)

value can be calculated. here,

is the QAP instance '

', and the evidence of QAP (

)sign '

' can be used to generate a proof key (pk) and a verification key (vk).

At this time, the zk-SNARK key generator 212 generates a proof key (pk) and a verification key (vk) only once per circuit.

)를 생성할 수 있고, 어느 검증자라도 검증키(vk)를 이용하여 증거(

)를 검증할 수 있다.Therefore, once created, any prover can use the proof key (pk) to

), and any validator can use the verification key (vk) to

) can be verified.

The zero-knowledge proof method applied to the system of the present invention is to achieve additional efficiency in space rather than time, and uses the structural characteristics of QAP derived from an arithmetic circuit to reduce the size of the proof key pk.

Therefore, it is possible to verify all programs by generating a circuit once, and thereafter, it becomes possible to select a key suitable for a given calculation range, thereby reducing the cost of generating a key for each program.

3 is a diagram illustrating zero-knowledge proof logic using a key generator for zero-knowledge proof applied to a blockchain virtual machine according to an embodiment of the present invention.

)를 생성하는 증명자(220) 및, 전술한 키 생성기(210)로부터 검증키(vk)를 제공받고, 일반연산 검증용 서킷 중 검증과 증명에 필요한 정보를 이용하여 증거(

)가 유효한지 검증을 실행하는 검증자(230)를 포함할 수 있다.Referring to FIG. 3 , the zero-knowledge proof logic applied to the system according to the embodiment of the present invention is provided with a proof key pk from the above-described key generator 210, and is a polynomial function obtained through the zk-SNARK algorithm. Evidence (

), a verification key (vk) is provided from the above-described key generator 210 and the prover 220, and the proof (

) may include a verifier 230 that executes verification that is valid.

The prover 220 and the verifier 230 may be implemented as one or more terminals connected to the key generator 210 .

)를 생성할 수 있다. 이러한 증명자(220)는 증인 맵(witness map; 1) 및 제1 zk-SNARK 증명자(222)를 포함할 수 있고, 증인 맵(221)은 프로그램 및 입력값을 통해 서킷을 할당하고, 제1 zk-SNARK 증명자(222)는 할당된 서킷에 따라 증명키(pk)를 zk-SNARK 알고리즘을 통해 획득된 다항함수의 계수 및 검증과 증명에 필요한 정보(

)를 이용하여 상기의 수학식 2에 따라, 증거(

)를 생성할 수 있다.The prover 220 uses the proof key (pk) generated by the key generator 210 for general operation verification to provide evidence (

) can be created. Such prover 220 may include a witness map 1 and a first zk-SNARK prover 222, and the witness map 221 allocates circuits through programs and inputs, and 1 The zk-SNARK prover 222 sets the proof key (pk) according to the assigned circuit, the coefficients of the polynomial function obtained through the zk-SNARK algorithm, and information (

) according to Equation 2 above using the evidence (

) can be created.

), QAP의 증거(

) 및 증명키(pk) 를 이용해서 증거(

)를 생성할 수 있다.In detail, the prover 220 is a coefficient of 'H(z)'

), evidence of QAP (

) and proof key (pk)

) can be created.

) 및 증거(

)를 수신하면 증거(

)가 유효한지 검증하는 역할을 한다. 검증자(230)는 탑재된 제2 zk-SNARK 증명자(231)를 통해 검증키(vk)의 일부 및 검증과 증명에 필요한 정보(

)를 이용하여 이하의 수학식 3을 산출하고, 검증키(vk) 및 수학식 3의 결과 값을 이용하여 12개의 페어링을 계산하고 필요한 점검을 수행하여 승인(accept) 또는 거절(reject)을 출력할 수 있다.In addition, the verifier 230 includes a verification key (vk), information required for verification and proof (

) and evidence (

) upon receipt of evidence (

) to verify that it is valid. The verifier 230 provides a part of the verification key (vk) through the mounted second zk-SNARK prover 231 and information required for verification and proof

) to calculate the following Equation 3, calculate 12 pairings using the verification key vk and the result value of Equation 3, and perform necessary checks to output accept or reject can do.

Here, 'vk' is a verification key, 'n' is an input size, and 'C' is a circuit.

의 계산에 필요한 연산량을 줄일 수 있고, 페어링 평가에는 입력 크기(n)와 무관하게 일정한 시간이 걸리더라도, 이러한 평가는 매우 비싸고 작은 서킷에 대해 지배적이라 할 수 있다.In the calculation process of Equation 3, the calculation result of Equation 3 using a variable-based multiple scalar multiplication technique is

Although it is possible to reduce the amount of computation required for the calculation of , and the pairing evaluation takes a certain amount of time regardless of the input size (n), this evaluation is very expensive and is dominant for small circuits.

And, if the virtual machine verifies the evidence, it is checked whether the transaction is a valid transaction. At this time, since the zero-knowledge proof technology that enables general operation verification is applied to the zero-knowledge proof part of the virtual machine, even if the transaction is not executed, if the verification of the zero-knowledge proof is performed, it can be determined whether the transaction is a valid transaction. Zero-knowledge proof can be applied to blockchain virtual machines.

4 and 5 are diagrams illustrating opcodes and defined opcodes of a circuit defined in a blockchain virtual machine according to an embodiment of the present invention.

The blockchain virtual machine according to an embodiment of the present invention provides a general circuit, supports a 32 byte word size, has a variable memory size, has no limit on the size of the stack, and sets the number of repeated calls (call depth) to 1024 By limiting it, it prevents performance degradation or security problems caused by attacks through repeated function calls, and it is characterized in that it is stack-based.

Referring to FIG. 4, a simple circuit capable of processing a transaction mounted on a verifiable blockchain virtual machine to which a zero-knowledge proof algorithm according to an embodiment of the present invention is applied is exemplified. Defines code instructions.

According to the exemplified opcode instruction, when the opcode instruction is executed, the first operand (left_operand) and the second operand (right_operand) are input, and the product of the two operands (left_operand, right_operand) divided by the greatest common divisor (gcd) is returned. It shows the opcode instruction that calculates the greatest common divisor in the form

Referring to FIG. 5, opcode commands supported by the blockchain virtual machine according to an embodiment of the present invention are exemplified, and may be similar to or the same as opcodes supported by a known Ethereum virtual machine.

Specifically, as an opcode related to a stop operation or arithmetic operation, 'STOP' to stop execution, 'ADD', 'MUL' to perform addition, subtraction, multiplication and integer division operations, respectively, 'SUB' and 'DIV', signed integer division operation 'SDIV', 'MOD' yields remainder of division, 'SMOD' yields remainder of signed integer division, special function, arbitrary without 256-bit constraint 'ADDMOD' and 'MULMOD' for performing addition and subtraction with precision of , 'EXP' for exponentiation, and 'SIGNEXTEND', a sign extension instruction, may be included. These opcode instructions may be continuously added.

In addition, since the blockchain virtual machine according to an embodiment of the present invention is stack-based, it may further provide stack, memory, and storage management commands for stack control. Examples include 'POP', which removes the top item from the stack, 'MLOAD' to load a word from memory, 'MSTORE' to store a word in memory, and 'PUSHx' to put an x-byte item onto the stack.

In addition, these commands are notified to the administrator and can be utilized to check whether the stack is normally implemented during the verification process by the verification system connected to the virtual machine.

Hereinafter, a zero-knowledge proof method of a blockchain virtual machine according to an embodiment of the present invention will be described with reference to the drawings.

6 is a diagram illustrating a zero-knowledge proof method of a blockchain virtual machine according to an embodiment of the present invention. In the following description, even if there is no separate description, the execution subject of each step becomes the block chain virtual machine and calculator according to the embodiment of the present invention, and its constituent parts.

Referring to FIG. 6 , the blockchain virtual machine capable of verifying the zero-knowledge proof algorithm of the present invention is to verify general operations and reduce the amount of transaction verification and storage space, and the blockchain virtual machine of the present invention is verified It is equipped with a circuit generator for use, and through this, a circuit for general operation verification having the number of reference instructions, the number of reference machine steps, and the size of the reference system can be generated (step S100).

Next, the circuit generator of the present invention may receive the number of reference instructions, the number of reference machine steps, and the size of the reference system, and generate a circuit for general operation verification that operates in any program.

According to an embodiment of the present invention, a circuit generator mounted on a virtual machine may generate a circuit that operates in any program having a command according to Equation 1, a machine step of T or less, and a size of n or less.

', 'T ', 'n' 값에만 의존하기 때문에 일반적이라 할 수 있다. zk-SNARK 키 생성기와 결합한다면 검증 시스템의 파라미터 또한 일반 검증이 된다.As mentioned above, circuit C running on instructions, machine steps less than T , and any program with size n or less does not depend on the program or main input values, and '

', ' T ', 'n' only depend on the values, so it's general. When combined with the zk-SNARK key generator, the parameters of the verification system are also general verification.

In particular, according to the circuit described above, all programs can be verified with one key generation, and after that, a key suitable for a given calculation range can be selected, thereby reducing the cost of generating a key for each program. there is.

Next, the operator generates a proof key and a verification key by using the general operation verification circuit and zk-SNARK (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge) algorithm (step S110).

In an embodiment for step S110, the circuit generator for general operation verification receives the key generator information, prover information, and verifier information, and then uses the security parameter and circuit for general operation verification generated by the circuit generation module to Generate proof key and verification key.

In this case, the circuit generator may generate a polynomial function by converting the verification rule into a mathematical form indicating a triple vector, and then transforming the verification rule converted into the triple vector into a Lagrange polynomial or fast Fourier.

Next, the prover generates evidence using the proof key, the coefficients of the polynomial function obtained through the zk-SNARK algorithm, and the information required for verification and proof in the general operation verification circuit (step S120).

Then, the verifier verifies whether the evidence is valid by using the verification key, information necessary for verification and verification among the general operation verification circuit, and the evidence (step S130).

According to the procedure described above, a verification circuit is created in a verifiable blockchain virtual machine to which the zero-knowledge proof algorithm according to an embodiment of the present invention is applied, and the transaction is verified through this, thereby verifying all transactions in a general blockchain network. It can be replaced, so that the verification process can be completed quickly.

Although many matters are specifically described in the above description, these should be construed as examples of preferred embodiments rather than limiting the scope of the invention. Accordingly, the invention should not be defined by the described embodiments, but should be defined by the claims and equivalents to the claims.

100: virtual machine 110: interpreter
111: transaction input unit 112: bytecode output unit
113: storage 114: data input unit
115: stack 116: program counter
117: memory 120: operator
121: code execution unit 200: zero-knowledge proof unit
210: key generator 211: circuit generator
212, 213: zk-SNARK key generator 220: prover
221: witness map 222: zk-SNARK prover
230: validator

Claims (5)

In a blockchain virtual machine comprising an interpreter for compiling a smart contract and an operator for zero-knowledge proof,
an interpreter that compiles an input transaction, converts it into bytecode, and executes a smart contract according to the bytecode; and
When the smart contract is executed, it includes a calculator that verifies the transaction by using the evidence generated through the general operation verification circuit,
The interpreter is
a transaction input unit receiving a transaction input from a transaction sender;
an output unit that compiles the smart contract for the input transaction and outputs a bytecode;
a storage for storing information about a currently input transaction and proof of zero-knowledge evidence;
a data input unit for receiving one or more bytecodes for the compiled smart contract;
a stack in which opcodes separated while the bytecode is executed are sequentially stored;
a program counter providing an address of an instruction stored in the stack; and
a memory in which local variables and solidity assembly code for executing a transaction are stored;
The data input unit,
The opcode constituting the compiled bicode is stored in the stack, and one of the top 16 elements of the stack is copied to the top of the stack, or one of the top 16 elements of the stack is copied to the top 16 interchangeable with 16 elements below an element, and capable of moving elements of the stack into the storage or the memory;
The data stored in the storage is
The current execution status of the transaction, residual gas, block header, the sender of the transaction (MSG.SENDER), the transaction value expressed in WEI (MSG.VALUE), and the owner of the executed code and a bytecode contract for execution,
The calculator is
a code execution unit that receives the bytecode and performs an operation, calculates and deducts a fee according to the operation, checks the residual code and checks the residual gas when the operation is successful, and executes the smart contract; and
A key generator including a circuit generator for general operation verification, and a zero-knowledge proof unit that performs general operation verification on a transaction using a prover and a verifier,
The key generator is
a circuit generator for generating circuit logic for general verification by receiving the size of the reference program, the number of inputs of commands and steps, and time; and
a Zk-SNARK key generator for generating a prover and a verification key for zk-SNARK verification from the assigned circuit;
The prover is
A proof key is provided from the key generator, and the proof is generated using the coefficients of the polynomial function obtained through the zk-SNARK algorithm, and information necessary for verification and proof among the general operation verification circuits,
The verifier is
A blockchain virtual machine capable of verifying a zero-knowledge proof algorithm that receives a verification key from the key generator and verifies that the evidence is valid by using the information required for verification and proof in the general operation verification circuit.
delete delete delete delete

Images