gkr-protocol
is a Rust library that implements the GKR protocol
The GKR is an interactive proof protocol widely used in ZK/Validity proofs.
- Prover P and Verifier V both agree on input
x
(element of finite field F) and some fan-2 arithmetic circuitC
overF
, wherex
is an input, andy
is an output. - GKR is interactive proof protocol for claim
C(x) = y
- For instance, circuit input size is 4, circuit size is 11 gates.
- If circuit size is much bigger than input, V saves a bunch of time on it.
- GKR protocol has a layered structure :
- input layer
- intermediate layers
- output layer
- For every layer gate-value function
W
is computed - For every layer MLE(multilinear extension) of
W
id computed
- P sends a claimed output
y
. Lety_tilda
be an MLE ofy
. - V picks tandom
r
from fieldF
- By Schwarz-Zipper lemma it is "safe" for V to belive
C(x) = y
- V checks if
s_tilda(r) = y_tilda(r)
holds, wheres_tilda
MLE computed by V,y_tilda
is claimed output(MLE) by P. If it does hold,a_tilda
andy_tilda
are equal. Therefore, polynomials are equal with the high probability, according to Schwarz-Zippel lemma. - Apply sumcheck protocol (described below) to compute the sum for every layer
- For instance for protocol with 3 layers, it looks like that,
w_0_tilda(r)
(output layet ) ->w_1_tilda(r0)
(intemediate layer) ->w_2_tilda(r1)
(input layer )r
,r0
,r1
is random field elements for every layerw0_tilda
is lagrange interpolation of gate-value function for layer 0w1_tilda
is lagrange interpolation of gate-value function for layer 1w2_tilda
is lagrange interpolation of gate-value function for layer 2
The whole point of GKR protocol is to avoid committing to intermediate values of a circuit. Assumption: Without commitments, V knows an input and goes layer by layer.
Let g
be n-variate polynomial over finite field F
. Let g
have degree 3.
Compute sum of g(x)
over input x = {0,1}^n
Task: offload hard work of computing a sum to prover P.
This is public coin procool, so we can apply Fiat-Shamir to make it non-interactive.
Procotol has of n
rounds ( number of variables in polynomial g
).
Verifier V
time O(n) field ops
P
sends claimed answer C,S1(x)
claimed to be equalh(x) = sum of g(x) over input (x1...xn)
- V picks random
r
from finite fieldF
and sends it to P - V checks if
S(r) = h(r)
holds. Completeness: if prover P honest, this check will pass. - Repeat this process
n
rounds. Soundness error <= n/|F|. As long as field F is big enouph, we keep this probability negligible.
WARNING: This is an academic proof-of-concept prototype, and in particular has not received careful code review. This implementation is NOT ready for production use.
WARNING: This is an academic proof-of-concept prototype, and in particular has not received careful code review. This implementation is NOT ready for production use.
The library compiles on the stable
toolchain of the Rust compiler. To install the latest version of Rust, first install rustup
by following the instructions here, or via your platform's package manager. Once rustup
is installed, install the Rust toolchain by invoking:
rustup install stable
After that, use cargo
(the standard Rust build tool) to build the library:
git clone https://github.com/cyberbono3/gkr-protocol.git
cd gkr-protocol
cargo build --release
This library comes with some unit and integration tests. Run these tests with:
cargo test
Lastly, this library is instrumented with profiling infrastructure that prints detailed traces of execution time. To enable this, compile with cargo build --features print-trace
.
This library is licensed under either of the following licenses, at your discretion.
Unless you explicitly state otherwise, any contribution that you submit to this library shall be dual licensed as above (as defined in the Apache v2 License), without any additional terms or conditions.
Proofs, Arguments, and Zero-Knowledge
Justin Thaler