
The Theory of zk-SNARKs (zk-SNARKの理論)

tsubaki kyosuke
December 31, 2020


Transcript

  1. Table of Contents
     1 Introduction 1
     2 About zk-SNARKs 2
       2.1 What is a zero-knowledge proof 2
       2.2 Interactive and non-interactive zero-knowledge proofs 2
       2.3 What zk-SNARKs are 2
     3 Mathematical preliminaries 5
       3.1 The class NP 5
       3.2 Bilinear maps 5
       3.3 Encoding scheme 6
       3.4 Discrete logarithm problem 6
     4 Construction of zk-SNARKs 8
       4.1 Quadratic Arithmetic Programs for Arithmetic Circuits 9
       4.2 Probabilistically Checkable Proof 12
       4.3 Blind Evaluation of Polynomials 13
       4.4 Pinocchio Protocol 14
       4.5 Knowledge of Exponent Assumption 14
       4.6 From Quadratic Arithmetic Programs to zk-SNARK 15
       4.7 Zero-Knowledge SNARK 17
  2. 1 ংষ ϒϩοΫνΣʔϯ͸ɺ2008 ೥ʹατγɾφΧϞτͱ͍͏ਓ෺ʹΑͬͯൃද͞Εͨ࿦จʹج͖ͮग़ݱͨ͠ɻ ϒϩοΫνΣʔϯͱ͸ɺ෼ࢄܕωοτϫʔΫΛߏ੒͢Δෳ਺ͷίϯϐϡʔλʔʹɺ҉߸ٕज़Λ૊Έ߹Θͤɺ औҾ৘ใͳͲͷσʔλΛಉظͯ͠ه࿥͢Δख๏Ͱ͋Γɺ2009 ೥ʹϒϩοΫνΣʔϯΛ༻͍ͨϏοτίΠϯ ͷӡ༻͕։࢝͞ΕͨɻϏοτίΠϯ͸౰ࣄऀؒͷऔҾΛޮ཰త͔ͭݕূՄೳͰ߃ٱతͳํ๏Ͱه࿥͢Δ͜ ͱ͕Ͱ͖ΔΦʔϓϯͳ෼ࢄܕ୆ாͱͯ͠ͷ໾ׂΛ࣋ͭɻτϥϯβΫγϣϯͱݺ͹ΕΔϒϩοΫνΣʔϯ্ ʹอଘ͞ΕΔऔҾͷσʔλ͸શੈքʹެ։͞Ε͍ͯΔͨΊɺଟ͘ͷ৔߹ͰػີੑΛඞཁͱ͢Δۚ༥ͳͲͷ

    Ϣʔεέʔεʹ͓͚ΔτϥϯβΫγϣϯͷ಺༰Λඇެ։ʹͰ͖Δ͜ͱ͕๬·Ε͍ͯΔɻࠓ೔Ͱ͸͜ͷΑ͏ ͳϓϥΠόγʔڧԽΛՄೳʹ͢ΔςΫϊϩδʔͷؔ৺͕ߴ·͍ͬͯΔɻ͜ͷ෼໺Ͱ࠷΋ظ଴͞Ε͍ͯΔٕ ज़ͷҰͭ͸θϩ஌ࣝূ໌ɺಛʹ zk-SNARKʢZero Knowledge Succinct Non-interactive ARguments of KnowledgeʣͰ͋Δɻ͜ͷٕज़͸ɺূ໌ͷαΠζ͕খ͘͞ɺݕূ͕࣌ؒඇৗʹ୹͘ɺ؆ܿͰ͋Γͳ͕Βڧ ྗͳඇର࿩ܕͷθϩ஌ࣝূ໌ͷߏங͕͞Ε͍ͯΔɻτϥϯβΫγϣϯʹؚ·ΕΔશͯͷݸਓ৘ใΛඇެ։ ʹ͢Δͱಉ࣌ʹɺτϥϯβΫγϣϯͷ੔߹ੑͱਖ਼֬ੑΛอূ͠ɺεϚʔτίϯτϥΫτʹΑͬͯνΣʔϯ ্Ͱݕূ͞Ε͍ͯΔɻ͜ͷ࿦จͰ͸ zk-SNARK ͷ֓ཁͱɺ͜ͷٕज़͕ͲͷΑ͏ͳ਺ֶతख๏Λ༻͍ͯθϩ ஌ࣝূ໌Λ࣮ݱ͍ͯ͠Δ͔ʹ͍ͭͯઆ໌͢Δɻ 1
  3. 2 zk-SNARK ʹ͍ͭͯ 2.1 θϩ஌ࣝূ໌ͱ͸ θϩ஌ࣝূ໌ͱ͸ূ໌ऀ͕ݕূऀʹରͯ͠ɺ͋Δ৘ใ͕ਖ਼͍͜͠ͱΛɺͦΕ͕ਖ਼͍͜͠ͱҎ֎ͷ৘ใΛ ໌Β͔ʹͤͣʹূ໌Ͱ͖Δख๏ͷ͜ͱͰ͋Δɻྫ͑͹ɺӡస໔ڐূ΍อݥূΛఏࣔͯ͠૬खʹࣗ෼ͷ਎ݩ Λ໌Β͔ʹ͍ͨ͠ͱ͖ʹɺ໔ڐূʹؚ·ΕΔॅॴ΍ɺੜ೥݄೔౳ͷݸਓ৘ใΛӅṭͭͭ͠ɺ͍࣋ͬͯΔͦͷ ໔ڐূ͕ຊ౰ʹࣗ෼ͷ΋ͷͰ͋Γɺਖ਼͍͠৘ใؚ͕·Ε͍ͯΔ͜ͱΛূ໌͢ΔͨΊʹ͸θϩ஌ࣝূ໌͕ඞ ཁͰ͋Δɻ

    θϩ஌ࣝূ໌͸ҎԼͷ 3 ͭͷੑ࣭Λ࣋ͭɻ • ׬શੑʢCompletenessʣ ɿਅͰ͋Δ͜ͱΛ֬ೝ͢Δଆʢݕূऀʣ͸ɺূ໌͢Δଆʢূ໌ऀʣͷ࣋ͬͯ ͍Δ໋୊͕ਅͰ͋ΔͳΒ͹ɺਅͰ͋Δ͜ͱ͕ඞͣΘ͔Δ͜ͱɻ • ݈શੑʢSoundnessʣ ɿূ໌ऀͷ໋࣋ͭ୊ِ͕Ͱ͋ΔͳΒɺݕূऀ͸ߴ͍֬཰ͰͦΕِ͕Ͱ͋Δͱݟ ൈ͚Δ͜ͱɻ • θϩ஌ࣝʢZero Knowledgeʣ ɿূ໌ऀͷ໋࣋ͭ୊͕ਅͰ͋ΔͳΒɺݕূऀ͕ෆਖ਼ͯ͠ূ໌ऀ͔Β஌ࣝ Λ౪΋͏ͱͯ͠΋ʮ໋୊͕ਅͰ͋ΔʯҎ֎ͷԿͷ஌ࣝ΋ಘΒΕͳ͍͜ͱɻ 2.2 ର࿩ܕͱඇର࿩ܕͷθϩ஌ࣝূ໌ ର࿩ܕͷθϩ஌ࣝূ໌ͱ͸ɺূ໌ऀͱݕূऀ͕ϝοηʔδͷ΍ΓͱΓΛߦ͏ର࿩ূ໌Ͱ͋Δɻ͜ͷθϩ ஌ࣝͷඪ४తͳϞσϧͰ͋Δର࿩ܕͷθϩ஌ࣝূ໌͸ɺୈࡾऀͷΑ͏ͳ৴པͷԾఆΛҰ੾ߦΘͣʹڧྗͳ ηΩϡϦςΟอূΛ࣋ͭର࿩ܕϓϩτίϧʹґଘ͍ͯ͠Δɻ͜ͷܭࢉϞσϧͰ͸ɺ߈ܸऀ͸ར༻Մೳͳ࣌ ؒͱܭࢉೳྗʹΑͬͯͷΈ੍ݶ͞Ε͍ͯΔɻ͔͠͠ɺԿ΋৴པ͢Δଘࡏ͕͍ͳ͍৔߹ɺର࿩ܕͷθϩ஌ࣝ ূ໌ʹ͸҆શੑ΍ޮ཰ੑͷݶք͕͋Δɻର࿩ճ਺͕ଟ͍΄ͲͦΕʹ͔͔Δܭࢉྔ͕ଟ͘ɺݕূʹ͕͔࣌ؒ ͔Δ͜ͱ͕͋Δɻ Ұํɺ ඇର࿩ܕͷθϩ஌ࣝূ໌ͱ͸ূ໌ऀͱݕূऀ͕ର࿩Λͤͣʹূ໌͢Δख๏Ͱ͋ΔɻCRS ʢCommon Reference Stringʣ[14] ϞσϧΛԠ༻͢Δ͜ͱͰର࿩͕ෆཁͳθϩ஌ࣝূ໌͕࡞ΕΔ͜ͱ͕஌ΒΕ͓ͯΓɺ ඇର࿩θϩ஌ࣝূ໌ʢNon-Interactive Zero-Knowledge proof; NIZK) ͱݺ͹Ε͍ͯΔɻCRS Ϟσϧͱ͸ શͯͷؔ܎ऀ͕ɺҰ༷෼෍ͳͲͷ෼෍͔Βऔಘͨ͠จࣈྻʢCRSʣʹΞΫηε͢Δ͜ͱ͕Ͱ͖Δ৴པ͞Ε ͨηοτΞοϓ͕ଘࡏ͢Δͱ͍͏Ծఆʹج͍ͮͨϞσϧͰ͋Δɻ͜ͷ CRS Ϟσϧ͸ɺڧྗͳηΩϡϦςΟ Λ࣋ͪɺޮ཰తͳূ໌ϓϩηεΛߏங͢Δ͜ͱ͕Ͱ͖Δɻ৴པͷ͓͚ΔୈࡾऀʹΑͬͯੜ੒͞Εͨ CRS Λ ূ໌ऀͱݕূऀʹఏڙ͢Δ͜ͱͰɺূ໌ऀͱݕূऀ͸Ұ੾ର࿩ΛߦΘͣʹθϩ஌ࣝূ໌͕ՄೳʹͳΔɻ 2.3 zk-SNARK ͱ͸ zk-SNARK ͱ͸ඇର࿩ܕͷθϩ஌ࣝূ໌Λߏங͢Δख๏ͷҰͭͰ͋Γɺθϩ஌ࣝূ໌͕࣋ͭ 3 ͭͷੑ࣭ ʹՃ͑ͯ͞Βʹ SNARK Λࣔ͢ҎԼͷ 4 ͭͷੑ࣭Λ࣋ͭɻzk-SNARK ͸ϒϩοΫνΣʔϯͰͷτϥϯβ ΫγϣϯͷൿಗԽɺϒϩοΫνΣʔϯϓϥοτϑΥʔϜͰ͋ΔΠʔαϦΞϜͷεέʔϦϯά໰୊ͷιϦϡʔ γϣϯͱͯ͠Ԡ༻͞Ε͍ͯΔɻ • Succinctɿূ໌ͷαΠζ͕εςʔτϝϯτͷαΠζͱൺ΂ͯඇৗʹখ͍͞ɻ 2
  4. • Non-interactiveɿূ໌ऀͱݕূऀͷؒͰର࿩Λ͢Δඞཁ͕ͳ͍ɻηοτΞοϓϑΣʔζͰੜ੒͞Ε Δ CRS ͕ެ։͞ΕɺͦΕΛ༻͍ͯূ໌ऀ͔Βݕূऀ΁୯ҰͷϝοηʔδΛૹΔ͜ͱͰݕূϓϩηε ͕ߦ͑Δɻ • ARgumentɿূ໌ऀͷܭࢉೳྗʹ͸ݶΓ͕͋Δɻ • Knowledgeɿূ໌ऀ͸ɺ஌ࣝʢwitnessʣͳ͠Ͱ͸ূ໌Λੜ੒͢Δ͜ͱ͸೉͍͠ɻ

    zk-SNARK ͸؆ܿͳੑ࣭Λ࣋ͭͷͰɺθϩ஌ࣝূ໌͚ͩͰ͸ͳ͘ɺݕূϓϩηεʹ͓͚Δίετͷ࡟ݮ ʹ΋େ͖ͳར఺Λ࣋ͭɻྫ͑͹ɺෳ਺ͷτϥϯβΫγϣϯΛҰͭͷτϥϯβΫγϣϯͷதʹ·ͱΊɺҰͭ ͷτϥϯβγϣϯͷ༗ޮੑΛݕূ͢Δ͜ͱͰίετΛେ෯ʹ࡟ݮ͢Δ͜ͱ͕ՄೳͰ͋Δɻ Ұൠʹɺzk-SNARK ͸࣍ͷΑ͏ʹಈ࡞͢Δ 3 ͭͷΞϧΰϦζϜʢKey GeneratorɺProverɺVerifierʣʹ Αͬͯߏ੒͞Ε͍ͯΔɻ ҎԼͷਤ͸ࡾऀؒͷؔ܎Λදͨ͠΋ͷͰ͋Δɻ ਤ 1 zk-SNARK ʹ͓͚Δɺূ໌ऀɺݕূऀɺ伴ੜ੒ऀͷؔ܎ Key Generator Gen(1λ, R) • ηΩϡϦςΟύϥϝʔλ λ ∈ Nɺؔ܎ R Λೖྗͱ͢Δʢؔ܎ R ʹ͍ͭͯ͸ޙड़͢Δʣ ɻ৴པ͞ΕΔ ୈࡾऀʹΑͬͯূ໌ऀͱݕূऀʹࣄલʹ౉͞ΕΔ CRS Λੜ੒͢ΔηοτΞοϓΞϧΰϦζϜͰ͋ Δɻ͜ͷ CRS ʹ͸ূ໌ऀʹ౉͢ධՁ伴ͱݺ͹ΕΔ pkʢProving keyʣͱݕূऀʹ౉͢ݕূ伴ͱݺ͹ ΕΔ vkʢVerification keyʣؚ͕·Ε͍ͯΔɻ Prover P(pk, x, w) • ূ໌ऀ͸ pk ͱɺεςʔτϝϯτ xɺূڌ w Λೖྗͱͯ͠ड͚औΓɺূ໌ π Λग़ྗ͢Δূ໌Ξϧΰ ϦζϜɻ Verifier V (vk, π, x) 3
  5. 3 ਺ֶత४උ ”N”ɺ”R”ΛͦΕͧΕɺࣗવ਺શମͷू߹ɺ࣮਺શମͷू߹Λද͢ɻS ͕༗ݶू߹ͷ৔߹ɺ”x ← S”Ͱ S ͔ΒཁૉΛҰ༷ϥϯμϜʹબͼɺx ʹ୅ೖ͢Δૢ࡞Λද͢ɻ”ηΩϡϦςΟύϥϝʔλ”Λ”λ”Ͱද͢ɻؔ਺ f

    : N → [0, 1] ͕શͯਖ਼ͷଟ߲ࣜ p ͱे෼େ͖ͳશͯͷ k ∈ N ʹର͠ f(k) < 1/p(k) Λຬͨ͢৔߹ɺf Λ” ແࢹͰ͖Δ”ʢnegligibleʣͱ͍͏ɻ”negl”ͱॻ͍ͯɺඇಛఆͷແࢹͰ͖Δؔ਺Λද͢͜ͱʹ͢Δɻ 3.1 Ϋϥε NP Ϋϥε NP ͱ͸ 2 ͭͷ x, w Λೖྗͱ͠ɺଟ߲ࣜ࣌ؒʢx ͷେ͖͞ʣͰ w ͕ x ∈ L Ͱ͋Δ͜ͱͷ༗ޮͳূ ໌͔Ͳ͏͔ܾఆ͢ΔΞϧΰϦζϜ͕ଘࡏ͢Δݴޠ L ͷΫϥεͰ͋Δɻw ͕ਖ਼͍͔͠Ͳ͏͔ͷ൑ఆ͸ଟ߲ࣜ ࣌ؒͰղ͘͜ͱ͕Ͱ͖Δɻ Ұൠʹɺ ∑ ্ͷݴޠ L ʹରͯ࣍͠ͷ৚݅Λຬͨ͢ଟ߲ࣜ q ͱଟ߲ࣜ࣌ؒͰܭࢉՄೳͳؔ܎ R ͕ଘࡏ͠ ͨͱ͢Δɻ ∑ Λ༗ݶͷΞϧϑΝϕοτɺ ∑ ্ͷ༗ݶจࣈྻͷू߹Λ ∑ ∗ ͱ͢Δɻ ֤ x ∈ ∑ ∗ ͰҎԼΛຬͨ͢ͱ͖ݴޠ L ͕Ϋϥε NP ʹଐ͢Δͱ͍͏ɻ x ∈ L ⇐⇒ ∃w(|w| ≤ q(|x|) ∧ R(x, w)) ҎԼɺݴޠ L ͕Ϋϥε NP ଐ͢Δ͜ͱΛ NP ݴޠ L ͱ͢Δɻଟ߲ࣜ࣌ؒͰܭࢉՄೳͳؔ܎Λؔ܎ R ͱ ͢Δɻx ∈ L Λεςʔτϝϯτͱ͍͍ɺw Λ (x, w) ∈ R ͱͳΔ x ∈ L Λূ໌͢ΔͨΊͷূڌ (witness) ͱ ͍͏ɻ͜ͷΫϥεͰ͸ΞϧΰϦζϜͷ৚݅Λຬͨ͢ղ͕༩͑ΒΕΔͱɺଟ߲ࣜ࣌ؒͰͦͷղ͕ਖ਼͍͔֬͠ ͔ΊΔ͜ͱ͕Ͱ͖Δ͕ɺࣗ෼Ͱ৚݅Λຬͨ͢ղΛݟ͚ͭΔʹ͸ࢦ਺͔͔࣌ؒΔՄೳੑ͕͋Δͱ͍͏ੑ࣭Λ ࣋ͭɻ NP ׬શ໰୊ͱ͸Ϋϥε NP ʹଐ͢Δ໰୊ͷ͏ͪɺղ͘ͷ͕΋ͬͱ΋೉͍͠໰୊Λ NP ׬શ໰୊ͱݺͿɻ NP ׬શ໰୊ͷҰͭͱ໋ͯ͠୊࿦ཧࣜͷॆ଍Մೳੑ໰୊ʢSATʣͱ͍͏໰୊͕஌ΒΕ͍ͯΔɻ͜Ε͸ɺҰͭ ͷ໋୊࿦ཧ͕ࣜ༩͑ΒΕͨ࣌ɺͦΕʹؚ·ΕΔม਺ͷ஋Λِ·ͨ͸ਅʹ͏·͘ఆΊΔ͜ͱͰશମͷ஋Λਅ ʹͰ͖Δ͔ͱ͍͏໰୊Λ͍͏ɻ 3.2 ૒ઢܗࣸ૾ ੔਺ n ʹରͯ͠ɼ๏ n ʹؔ͢Δ͢΂ͯͷ৒༨ྨΛݩͱ͢Δू߹Λɼ๏ n ʹؔ͢Δ৒༨؀ͱ͍͍ɺZn Ͱ ද͢ɻ·ͨ n Λ 2 Ҏ্ͷ੔਺ͱͨ͠ͱ͖ɺ๏ n ʹؔ͢ΔٯݩΛ΋ͭ৒༨ྨΛɺ๏ n ʹؔ͢Δط໿৒༨ྨͱ ͍͏ɻ·ͨɺͦΕΒશମΛͳ͢ू߹Λɺ๏ n ʹؔ͢Δط໿৒༨ྨ܈ͱ͍͍ Z∗ n Ͱද͢ɻ p ͕ૉ਺ͳΒ͹৒༨؀ Zp ͸ɺp Λ๏ͱ͢Δ৒༨ମͱ΋ݺ͹ΕΔҐ਺ p ͷ༗ݶମΛ੒͠ɺFp ͱද͢ɻ· ͨɺ༗ݶମ F ͷ༗ݶ n ࣍ݩΛ Fn ͱද͢ɻ p Λେ͖ͳૉ਺ͱ͠ɺG1 ͱ G2 ΛҐ਺ p ͷՃ๏܈ͱ͠ɺGT ΛҐ਺ p ͷ৐๏܈ͱ͢Δɻͦͷͱ͖ɺࣸ૾ e ͕ҎԼͷΑ͏ʹఆٛ͞Εɺ e : G1 × G2 → GT (1) 5
  6. (i) bilinearity e(P, Q + R) = e(P, Q) ·

    e(P, R) ∀P ∈ G1 , ∀Q, R ∈ G2 e(P + Q, R) = e(P, R) · e(Q, R) ∀P, Q ∈ G1 , ∀R ∈ G2 (2) Λຬͨ͢ͱ͖ɺe ͸૒ઢܗϖΞϦϯάࣸ૾ͱ͍ΘΕΔɻ·ͨ (ii) non-degeneracy ∀P ∈ G1 , P ̸= 0, ∃Q ∈ G2 : e(P, Q) ̸= 1 ∀Q ∈ G2 , Q ̸= 0, ∃P ∈ G1 : e(P, Q) ̸= 1 (3) ͱ͍͏ੑ࣭Λ࣋ͭͱ͖ɺe ͸ඇୀԽͰ͋Δͱ͍͏ɻ༗ݶମ্ͷପԁۂઢΛར༻ͨ͠ Tate ϖΞϦϯά͸ɺඇ ୀԽͳ૒ઢܗϖΞϦϯάࣸ૾Ͱ͋Γɺଟ߲ࣜ࣌ؒΞϧΰϦζϜʹΑͬͯޮ཰తʹܭࢉՄೳͰ͋Δ͜ͱ͕஌ ΒΕ͍ͯΔɻ ηΩϡϦςΟʔύϥϝʔλ λ Ͱ༩͑ΒΕΔ८ճ܈Λ G, GT ͱ͠ɺඇୀԽͳ૒ઢܗࣸ૾ e : G × G → GT ͕ఆٛ͞Ε͍ͯΔΑ͏ͳ܈Λ૒ઢܗ܈ͱݺͼɺ(p, G, GT , e) ͱॻ͘ɻͨͩ͠ɺp ͸ λ Ϗοτͷૉ਺Ͱ͋Δͱ ͢Δɻ͜ΕΒΛ·ͱΊΔͱ, ૒ઢܗ܈ gk := (p, G, GT , e) ʹ͓͍ͯɺ • G, GT ͸Ґ਺ p ͷ८ճ܈ • e := G × G → GT ͸૒ઢܗࣸ૾ ∀a, b ∈ Zp : e(ga, gb) = e(g, g)ab • ⟨g⟩ = G ͳΒ͹ɺ⟨e(g, g)⟩ = GT Ͱ͋Δɻ 3.3 ූ߸ԽεΩʔϜ Ґ਺ p ͷ८ճ܈ G ͷݪ࢝ݩ g ʹର͠ɺූ߸ԽεΩʔϜ E(x) ΛҎԼͷΑ͏ʹఆٛ͢Δɻ E(x) = gx E(x) ͸Ұํ޲ੑؔ਺Ͱ͋ΓɺҎԼͷੑ࣭Λຬͨ͢ɻ (i) ΄ͱΜͲͷ x ʹؔͯ͠ɺE(x) ͔Β x Λಛఆ͢Δͷ͕೉͍͠ʢ཭ࢄର਺໰୊ʣ (ii) ೖྗ͕ҟͳΔͱग़ྗ΋ҟͳΔ (x ̸= y → E(x) ̸= E(y)) (iii) E(αx + βy) = αE(x) + βE(y) 3.4 ཭ࢄର਺໰୊ Pinocchio Protocol[9] ͕࣋ͭ࣍ͷ҉߸Ծఆʹ͍ͭͯड़΂Δɻ • q-PKE (The q-Power Knowledge of Exponent) • q-PDH (The q-Power Diffie-Hellman) • q-SDH (The q-strong Diffie-Hellman) Ծఆ 1 q-PKE (The q-Power Knowledge of Exponent) ૒ ઢ ܗ ܈ Λ ੜ ੒ ͢ Δ Ξ ϧ ΰ Ϧ ζ Ϝ Λ ੜ ੒ ث G ͱ ͢ Δ ɻG ͸ η Ω ϡ Ϧ ς Ο ʔ ύ ϥ ϝ ʔ λ λ ͔ Β ૒ ઢ ܗ ܈ (p, G, GT , e) ← G(1λ) Λ ग़ ྗ ͢ Δ ɻ· ͨ ɺg ← G \ {1}, α, s ← Z∗ p ͱ ͢ Δ ɻ 6
  7. g, gs, gs2 , . . . , gsq ,

    gα, gαs, . . . , gαsq ͕༩͑ΒΕͨͱ͖ɺc = ∏ q i=0 (gsi )ai Λຬͨ͢ a0 , a1 , . . . , aq Λ ஌Βͣʹ c, cα Λ࡞Δ͜ͱ͸ࠔ೉Ͱ͋Δɻ ඇҰ༷ͳ֬཰తଟ߲ࣜ࣌ؒΛ࣋ͭ߈ܸऀ A ʹରͯ͠ɺඇҰ༷ͳ֬཰తଟ߲ࣜ࣌ؒΛ࣋ͭநग़ث XA ͕ଘ ࡏ͢Δͱ͖ɺҎԼͷԾఆ͕੒Γཱͭɻ Pr [ (p, G, GT , e) ← G(1λ); g ← G \ {1}; α, s ← Z∗ p ; σ ← (p, G, GT , e, g, gs, . . . , gsq , gα, gαs . . . , gαsq ); (c, ˆ c; a0 , . . . , aq ) ← (A||XA )(σ, z) : ˆ c = cα ∧ c ̸= n ∏ i=0 gaisi ] ≤ negl(λ) (4) Ұൠʹ߈ܸऀ A ΛඇҰ༷ͳ֬཰తଟ߲ࣜ࣌ؒΞϧΰϦζϜͷ଒ͱΈͳ͢ɻҎԼɺ߈ܸऀɺநग़ثͳͲ͸ ಛʹஅΒͳͯ͘΋ඇҰ༷ͳΞϧΰϦζϜͱΈͳ͢ɻ Ծఆ 2 q-PDH (The q-Power Diffie-Hellman) ૒ઢܗ܈Λੜ੒͢ΔΞϧΰϦζϜΛੜ੒ث G ͱ͢ΔɻG ͸ηΩϡϦςΟʔύϥϝʔλ λ ͔Β૒ઢܗ܈ (p, G, GT , e) ← G(1λ) Λग़ྗ͢Δɻ·ͨɺg ← G \ {1}, s ← Z∗ p ͱ͢Δɻg, gs, . . . , gsq , gsq+2 , . . . , gs2q ͕ ༩͑ΒΕͨ࣌ɺy = gsq+1 ΛٻΊΔͷ͸ࠔ೉Ͱ͋Δɻ Pr [ (p, G, GT , e) ← G(1λ); g ← G \ {1}; s ← Z∗ p ; σ ← (p, G, GT , e, g, gs, . . . , gsq , gsq+2 , . . . , gs2q ); y ← A(σ) : y = gsq+1 ] ≤ negl(λ) (5) Ծఆ 3 q-SDH (The q-strong Diffie-Hellman) ૒ઢܗ܈Λੜ੒͢ΔΞϧΰϦζϜΛੜ੒ث G ͱ͢ΔɻG ͸ηΩϡϦςΟʔύϥϝʔλ λ ͔Β૒ઢܗ܈ (p, G, GT , e) ← G(1λ) Λग़ྗ͢Δɻ·ͨɺg ← G \ {1}, s ← Z∗ p ͱ͢Δɻg, gs, . . . , gsq ͕༩͑ΒΕͨ࣌ɺ ϥϯμϜͳ r ∈ Z∗ p ͔Β y = g 1 s+r Λ࡞Δ͜ͱ͸ࠔ೉Ͱ͋Δɻ Pr [ (p, G, GT , e) ← G(1λ); g ← G \ {1}; s ← Z∗ p ; σ ← (p, G, GT , e, g, gs, . . . , gsq ); y ← A(σ) : y = e(g, g) 1 s+r , r ∈ Z∗ p ] ≤ negl(λ) (6) 7
  8. 4 zk-SNARK ͷߏ੒ ਤ 2 zk-SNARK ʹ͓͚Δɺূ໌ऀɺݕূऀɺ伴ੜ੒ऀͷؔ܎ NP ݴޠ L

    Λ L := {x ∈ Fn|∃w ∈ Fh, (x, w) ∈ R}ɺଟ߲ࣜ࣌ؒͰܭࢉՄೳͳؔ܎ R Λ R := {(x, w) ∈ Fn ×Fh} ͱ͢Δɻ͜ͷ࣌ɺ x Λεςʔτϝϯτɺ w Λ x ∈ L Λূ໌͢Δূڌ (witness) ͱ͢Δɻ(x, w) ∈ R ͷ৔߹ͷΈɺf(x, w) = 1 ͱͳΔΑ͏ͳؔ਺ f ͕ଘࡏ͢Δɻূ໌ऀ͸ؔ਺ f ʹର͢Δ f(x, w) = 1 ͱͳΔ w Λ͍࣋ͬͯΔ͜ͱΛ w ࣗମΛ໌Β͔ʹͤͣʹݕূऀʹূ໌͢Δ͜ͱΛ໨తͱ͢ΔɻຊઅͰ͸ɺ࣍ͷॱͰ zk-SNARK ʹ͍ͭͯઆ໌͢Δ͕ɺ·ུͣ֓Λड़΂Δɻ (i) Quadratic Arithmetic Programs for Arithmetic Circuits ؔ਺ f Λճ࿏ͷॆ଍ੑܾఆ໰୊ʢCircuit-SATʣͱͯ͠ Arithmetic CircuitsʢҎԼɺԋࢉճ࿏ʣC Λఆٛ͢Δɻ͜ͷԋࢉճ࿏ͷग़ྗΛਅʹ͢ΔೖྗʢׂΓ౰ͯʣΛ஌͍ͬͯΔ͜ͱ͕ f(x, w) = 1 Λ ຬͨ͢Α͏ͳ x ʹର͢Δ w Λ஌͍ͬͯΔ͜ͱͱಉٛͰ͋Δɻ࣍ʹɺQAPʢQuadratic Arithmetic ProgramsʣΛߏங͠ɺճ࿏ʹର͢Δ༗ޮͳׂΓ౰ͯΛଟ߲ࣜͷ୅਺తੑ࣭ʹม׵Λ͢Δɻ͜Ε͸ x ∈ L ʹର͢Δূڌ w ͕ਖ਼͍͔͠Ͳ͏͔Λޮ཰తʹݕূΛՄೳʹ͢Δɻ (ii) Probabilistically Checkable Proof NP ׬શ໰୊ʹର͢Δ PCPʢProbabilistically Checkable ProofʣʹΑΓɺQAP ͰಘΒΕͨଟ߲ࣜ ʹ NP ׬શੑΛอ࣋ͨ͠··ɺ֬཰తख๏ΛదԠ͢Δɻ (iii) Blind Evaluation of Polynomials θϩ஌ࣝূ໌ԽΛ͢ΔͨΊʹ QAP ͰಘΒΕͨଟ߲ࣜ΍ଟ߲ࣜΛධՁ͢ΔධՁ఺ͳͲݕূऀ΍ূ໌ ऀ͕໌Β͔ʹͨ͘͠ͳ͍஋Λූ߸ԽεΩʔϜͰఆٛ͞ΕͨҰํ޲ੑؔ਺ E(x) ͰԠ༻͢Δɻ͜͜Ͱ ͸ݕূऀͱূ໌ऀͷ̎ऀؒʹΑΔର࿩ܕͷθϩ஌ࣝূ໌ͷߏஙΛྫͱͯ͠આ໌Λߦ͏ɻ (iv) Pinocchio Protocol ඇର࿩ܕθϩ஌ࣝূ໌ͷ݈શੑ͸ Pinocchio Protocol ͷ̏ͭͷԾఆ q-PKE, q-SDH, q-PDH ʹґ ڌ͢Δɻ͜ΕʹΑͬͯূ໌ऀͷܭࢉೳྗʹ੍ݶΛ͔͚ɺෆਖ਼ͳূ໌ͷ࡞੒ΛෆՄೳʹ͍ͯ͠Δɻ· ͨݕূऀ͸ূ໌ऀ͕࡞੒͢Δূ໌ π ͔Βূڌ w Λ஌Δ͜ͱ΋ෆՄೳͰ͋Γɺzk-SNARK ͷ࣋ͭ׬ શੑɺ݈શੑΛ࣮ݱ͍ͯ͠Δɻ (v) Knowledge of Exponent Assumption Pinocchio Protocol Ͱ঺հͨ͠ 3 ͭͷԾఆͷ͏ͪͷҰͭͰ͋Δ q-PKE ͕࣮ࡍʹͲͷΑ͏ʹ࢖ΘΕ ͍ͯΔ͔Λઆ໌͢Δɻ 8
  9. (vi) From Quadratic Arithmetic Programs to zk-SNARK ূ໌ऀͱݕূऀʹ CRS Λఏڙ͢Δ৴པ͞Εͨ伴ੜ੒ऀͱূ໌ऀɺݕূऀʹΑΔඇର࿩ͳθϩ஌ࣝূ

    ໌ͷߏஙΛߦ͏ɻ伴ੜ੒ऀ͸ධՁ伴 pk ͱݕূ伴 vk Λ࡞੒͠ɺpk Λূ໌ऀʹɺvk Λݕূऀʹ౉͢ɻ ূ໌ऀ͸ pk ͱεςʔτϝϯτ x ͱূڌ w ͔Βূ໌ π Λੜ੒͠ɺݕূऀʹૹΔɻݕূऀ͸ূ໌ π ʹ ରͯ͠ vk ͱ x Λ༻͍ͯϖΞϦϯάʹΑΔݕূΛߦ͏ɻͦͷݕূͰ͸ɺূ໌ऀ͕ੜ੒ͨ͠ূ໌͕ෆਖ਼ ͔Ͳ͏͔Λݕূ͠ɺਖ਼͍͠৔߹͸डཧ͠ɺਖ਼͘͠ͳ͍৔߹͸ڋ൱Λ͢Δɻ (vii) Zero-Knowledge SNARK ࠷ޙʹূ໌ π ʹཚ਺ΛՃ͑ɺূ໌ͷ࡞੒ΛϥϯμϜԽΛߦ͏ɻ͜ΕʹΑΓ׬શͳθϩ஌ࣝূ໌͕ߦ ΘΕΔɻ 4.1 Quadratic Arithmetic Programs for Arithmetic Circuits 2013 ೥ʹ Gennaro, Gentry, Parno, Raykova ͸ɺܭࢉΛೋ࣍ܭը๏ͱͯ͠ූ߸Խ͢Δํ๏ΛఏҊͨ͠ɻ ͜͜Ͱ͸ Quadratic Span Programs ͱ Quadratic Arithmetic ProgramsʢҎԼɺQSP ͱ QAP ͱݺͿʣ ͕ෳࡶੑΫϥε NP ͷ৽͍͠ಛ௃෇͚ͱͯ͠ఆٛ͞ΕͯΓɺϒʔϧճ࿏ʢBoolean CircuitʣΛ QSP ʹɺ ԋࢉճ࿏ʢArithmetic CircuitʣΛ QAP ʹม׵͢Δํ๏Λ͍ࣔͯ͠Δɻϒʔϧճ࿏͸֤ήʔτ͕ ANDɺ ORɺXOR ͳͲͷ࿦ཧԋࢉ͔Β੒Δճ࿏Ͱɺԋࢉճ࿏͸Ճࢉ΍৐ࢉήʔτ͔Β੒Δճ࿏Ͱܗ੒͞Ε͍ͯΔɻ ࠓճ͸ԋࢉճ࿏͔Β QAP ʹม׵͢ΔํࣜΛ༻͍ͯ zk-SNARK ͷߏஙΛߦ͏ɻ ਤ 3 ؔ਺ f(x1 , x2 ) = (2x1 × x2 ) × ((x1 + x2 ) × x2 ) Λද͢ԋࢉճ࿏ͷྫ ؔ਺ f(x1 , x2 ) = (2x1 × x2 ) × ((x1 + x2 ) × x2 ) Λද͢ԋࢉճ࿏ʢਤ 3ʣΛྫͱͯ͠ߟ͑Δɻؔ਺ f ͸ೖ ྗม਺Λ x1 , x2 ͱ͠ɺͦΕͧΕͷ৐ࢉήʔτͰํఔ͕ࣜఆٛ͞Εͨճ࿏΁ͱද͢͜ͱ͕Ͱ͖Δɻgate1 Ͱ ͸ࠨ͔ΒͷೖྗΛ 2x1 ɺӈ͔ΒͷೖྗΛ x2 ͱ͠ɺํఔࣜ 2x1 × x2 = z1 ͕ఆٛ͞ΕΔɻz1 Λ gate1 ͷग़ྗ ஋ͱ͢Δɻgate2 Ͱ͸ࠨ͔ΒͷೖྗΛ (x1 + x2 )ɺӈ͔ΒͷೖྗΛ x2 ͱ͠ɺํఔࣜ (x1 + x2 ) × x2 = z2 ͕ ఆٛ͞ΕΔɻಉ༷ʹ gate3 Ͱ͸ gate1 ͱ gate2 ͷग़ྗΛೖྗͱ͢Δํఔࣜ z1 × z2 = z3 ͕ఆٛ͞ΕΔɻ͜ ͷ̏ͭͷ৐ࢉήʔτ͸੍໿ήʔτͱݺ͹Εɺ̏ͭͷ੍໿ήʔτͰఆٛ͞ΕΔํఔ͕ࣜؔ਺ f ͱͯ͠දݱͰ ͖ΔɻՃࢉήʔτ͸੍໿ήʔτʹؚ·Εͳ͍ɻͦΕͧΕήʔτͷࠨೖྗɺӈೖྗɺग़ྗ͕̏ͭͷଟ߲ࣜͱ ͯ͠දݱ͞ΕΔɻ͜ͷ̏ͭͷଟ߲͔ࣜΒ QAP ͕ఆٛͰ͖ɺ ʮճ࿏Λຬ଍ͤ͞ΔೖྗͷଘࡏʯΛʮ͋Δଟ߲ ࣜͷଘࡏʯ΁ͱม׵Ͱ͖Δɻ͜ͷΑ͏ʹճ࿏ͷॆ଍ՄೳੑΛ୅਺ֶతੑ࣭ʹஔ͖׵͑Δ͜ͱͰɺ҉߸ཧ࿦ ΁ͱల։͕Ͱ͖ΔɻҎԼɺԋࢉճ࿏ͷྫΛՃ͑ɺԋࢉճ࿏ɺQAP ͷఆٛΛઆ໌͢Δɻ 9
  10. ԋࢉճ࿏Λ C : Fn × Fh → Fl ͱͯ͠ఆٛ͠ɺn +

    h Λೖྗɺl Λग़ྗͷେ͖͞ͱ͠ɺೖग़ྗͷ૯਺Λ N = n + h + l ͱ͢Δɻԋࢉճ࿏͸ C(c1 , . . . , cn+h ) = (cn+h+1 , . . . , cN ) Ͱද͢͜ͱ͕Ͱ͖Δɻ·ͨɺؔ ܎ R Λ R = {(x, w) ∈ Fn × Fh}ɺNP ݴޠ L Λ L = {x ∈ Fn|∃w ∈ Fh, (x, w) ∈ R} ͱͯ͠ఆٛ͢Δɻ͜ ͷ࣌ɺx Λεςʔτϝϯτɺw Λ x ∈ L Λূ໌͢Δূڌ (witness) ͱݺͿɻ ఆٛ 1 Quadratic Arithmetic Programs F ্ͷ 3 ͭͷ࣍਺ d − 1 ҎԼɺ m + 1 ݸͷଟ߲ࣜू߹Λ V = {vk (x) : k ∈ {0, . . . , m}}ɺW = {wk (x) : k ∈ {0, . . . , m}}ɺY = {yk (x) : k ∈ {0, . . . , m}} ͱఆٛ͢Δɻ࣍਺ d ͷ໨తଟ߲ࣜΛ t(x) ͱ͢Δɻਖ਼ͷ੔ ਺ m Λԋࢉճ࿏΁ͷೖྗ਺ͱ৐ࢉήʔτͷ਺ͷ૯਺ͱ͢ΔɻQAP Λ Q := (V, W, Y, t(t)) ͱఆٛ͠ɺQ Λ F ্ͷେ͖͞ mɺ࣍਺ d ͱ͢Δɻ (c1 , . . . , cN ) ∈ FN ͕ؔ਺ f ͷೖग़ྗม਺΁ͷ༗ޮͳׂΓ౰ͯͰ͋Δͱ͸ɺ࣍ͷΑ͏ʹఆٛ͞Εͨ p(x) ͕ t(x) ΛׂΓ੾ΔΑ͏ͳ (cN+1 , . . . , cm ) ͕ଘࡏ͢Δ͜ͱͰ͋Δɻ p(x) = ( v0 (x) + m ∑ k=1 ck · vk (x) ) · ( w0 (x) + m ∑ k=1 ck · wk (x) ) − ( y0 (x) + m ∑ k=1 ck · yk (x) ) ҎԼͷਤͷԋࢉճ࿏Λߟ͑Δɻ֤৐ࢉήʔτͷೖྗ͓Αͼग़ྗΛઢܗؔ਺ͱͯ͠දݱ͢Δɻ ਤ 4 ԋࢉճ࿏ͷྫ ৐ࢉήʔτ g ͷग़ྗ͓Αͼɺࠨೖྗɺӈೖྗ͸ҎԼͷΑ͏ʹද͢ɻ cg = ( ∑ k∈Lg,L ck · ag,L,k ) · ( ∑ k∈Lg,L ck · ag,R,k ) cg ͸৐ࢉήʔτ g ͷग़ྗ஋Λද͠ɺήʔτ g ΁ͷೖྗͱͳΔ ck ͸ήʔτ g ͷԼҐʹଘࡏ͢Δ৐ࢉήʔ 10
  11. τͷग़ྗɺ·ͨ͸୯ͳΔೖྗͰ͋ΔɻLg,L ͸ήʔτ g ΁ͷؒ઀తͳࠨೖྗͰ͋Δ৐ࢉήʔτͷग़ྗ΍ճ࿏ ΁ͷೖྗͷ෦෼ू߹Λද͢ɻLg,R ΋ಉ༷ʹήʔτ g ͷӈೖྗͱͳΔ෦෼ू߹ɻag,L,k , ag,R,k

    ͸ͦΕͧΕࠨ ͔Βήʔτ g ʹೖΔ ck ʹର͢ΔεΧϥʔͱӈ͔Βήʔτ g ʹೖΔ ck ʹର͢ΔεΧϥʔΛද͍ͯ͠Δɻྫ ͑͹ɺਤ 4 Ͱ͸ c5 = (c1 + 7c2 ) · (c2 − 2c3 ) ͱͳΔɻc1 ͱ c2 ͸ gate5 ΁ͷؒ઀తͳࠨೖྗͰ͋Γɺc2 ͱ c3 ͸ؒ઀తͳӈೖྗͰ͋Δɻ M ΛͦΕͧΕͷ৐ࢉήʔτʹؔ͢ΔΠϯσοΫεͱ͠ɺ֤৐ࢉήʔτ g ∈ M ʹ஋͢Δࠜ {ri ∈ F : i ∈ M} Λ rg ͱ͢Δͱɺ໨తଟ߲ࣜ t(x) ͕ҎԼͷΑ͏ʹఆٛ͞ΕΔɻ t(x) = ∏ g∈M (x − rg ) ਤ 4 ΑΓ gate5ɺ6 ͷग़ྗ஋Ͱ͋Δ஋ 5ɺ6 ʹؔ࿈͚ͮΒΕͨࠜ r5 , r6 ∈ F Λબ୒͢Δɻ͕ͨͬͯ͠ଟ߲ ࣜ t(x) ͸ t(x) = (x − r5 )(x − r6 ) ͱͳΔɻ ೖྗଟ߲ࣜ V = {vk (x) : k ∈ {0, . . . , m}}, W = {wk (x) : k ∈ {0, . . . , m}} ͓Αͼɺग़ྗଟ߲ࣜ Y = {yk (x) : k ∈ {0, . . . , m}} ͸ҎԼͷΑ͏ʹද͞ΕΔɻ vk (rg ) = { ag,L,k ∀k ∈ Lg,L 0 ∀k / ∈ Lg,L wk (rg ) = { ag,R,k ∀k ∈ Lg,R 0 ∀k / ∈ Lg,R yk (rg ) = { 1 ∀k ∈ M 0 ∀k / ∈ M ͕ͨͬͯ͠ v(rg ), w(rg ), y(rg ) ͸ҎԼͷΑ͏ʹͳΔɻ v(rg ) = v0 (rg ) + m ∑ k=1 ck · vk (rg ) = v0 (rg ) + ∑ k∈Lg,L ck · ag,L,k w(rg ) = w0 (rg ) + m ∑ k=1 ck · wk (rg ) = w0 (rg ) + ∑ k∈Lg,R ck · ag,R,k y(rg ) = y0 (rg ) + m ∑ k=1 ck · yk (rg ) = cg Αͬͯ t(x) ͱಉ༷ p(rg ) = 0 ͱͳΔࠜ rg Λ࣋ͭɻ ( m ∑ k=1 ck · vk (rg ) ) · ( m ∑ k=1 ck · wk (rg ) ) − ( m ∑ k=1 ck · yk (rg ) ) = 0 ਤ 4 ʹؔͯ͠ {vk (x)}k∈[6] , {wk (x)}k∈[6] {yk (x)}k∈[6] ͷଟ߲ࣜ͸͢΂ͯͷ࣍਺͕࠷େ 1 Ͱ͋Δɻy ͸ y5 (x) = (1, 0), y6 (x) = (0, 1) Λআ͍ͯ͢΂ͯ 0 Ͱ͋Δɻଟ߲ࣜ v5 (x), v6 (x), w5 (x), w6 (x) ͸Ͳͷήʔ τ΁ͷࠨӈͷೖྗͰ͸ͳ͍ͷͰ͢΂ͯ 0 Ͱ͋Δɻ࢒Γͷଟ߲ࣜ v1 (x) = (1, 0), w1 (x) = (0, 0), v2 (x) = (7, 1), w2 (1, 0), v3 (x) = (0, −2), w3 = (−2, 0), v4 (x) = (0, 0), w4 (x) = (0, 1) Ͱ͋Δɻc2 ͸ gate5 ΁ͷؒ 11
  12. ઀తͳࠨೖྗͰ͋Γɺgate6 ΁ͷؒ઀తͳࠨೖྗͱͳ͍ͬͯΔͨΊ v2 (x) = (7, 1) ͱͳΔɻ͕ͨͬͯ͠ɺਤ 4 ͷճ࿏΁ͷׂΓ౰ͯ

    (c1 , . . . , c6 ) Λ༻͍ͯҎԼͷΑ͏ʹදͤΔɻ 6 ∑ k=1 ck · vk (r5 ) = c1 + 7c2 , 6 ∑ k=1 ck · wk (r5 ) = c2 − 2c3 , 6 ∑ k=1 ck · yk (r5 ) = c5 6 ∑ k=1 ck · vk (r6 ) = c2 − 2c3 , 6 ∑ k=1 ck · wk (r6 ) = a4 , 6 ∑ k=1 ck · yk (r6 ) = c6 c5 = (c1 + 7c2 ) · (c2 − 2c3 ), c6 = (c2 − 2c3 ) · c4 Ͱ͋Γɺ(c1 , . . . , c6 ) ͕༗ޮͳೖग़ྗͰ͋Ε͹ɺ ( ∑ 6 k=1 ck · vk (x) · ∑ 6 k=1 ck · wk (x) ) − ( ∑ 6 k=1 ck · yk (x) ) ͕ t(x) ΛׂΓ੾Δ͜ͱ͕Ͱ͖Δɻ·ͨɺޓ ͍ʹࠜ r5 , r6 Λ࣋ͭ͜ͱ͔Β΋Θ͔Δɻ ͕ͨͬͯ͠ɺp(x) ͕ t(x) ΛׂΓ੾Δͱ͸ɺh(x) · t(x) = p(x) Λຬͨ͢Α͏ͳଟ߲ࣜ h(x) ͕ଘࡏ͢Δͱ ͍͑Δɻ h(x) := (v0 (x) + v(x))(w0 (x) + w(x)) − (y0 (x) + y(x)) t(x) ͭ·Γɺh(x) ͷଘࡏΛࣔ͢͜ͱͰೖग़ྗ (c1 , . . . , cN ) ͕ؔ਺ f ʹରͯ͠༗ޮͰ͋Δ͜ͱΛূ໌Ͱ͖Δɻ 4.2 Probabilistically Checkable Proof ূ໌ऀ͸ x, w ͔Βԋࢉճ࿏ΛධՁ͠ɺଟ߲ࣜ v(x), w(x), y(x), h(x), t(x) Λূ໌ π ͱͯ͠࡞੒ͨ͠ɻূ ໌ऀ͕࣋ͭ w ͕ x ∈ L ʹରͯ͠ਖ਼͍͠ͱ͖ɺҎԼͷଟ߲ࣜ P(x) ͕ৗʹ߃౳తʹ 0 ͱͳΔɻ P(x) = h(x)t(x) − p(x) ͜ͷଟ߲͕ࣜ߃౳తʹ 0 ͔Ͳ͏͔൑அ͢ΔͨΊʹɺ୯ʹࣜΛల։͠ɺશͯͷ܎਺͕ 0 Ͱ͋Δ͜ͱΛ͔֬ ΊΔʹ͸ܭࢉίετ͕͔͔Γɺࢦ਺ؔ਺తͳ͕࣌ؒඞཁʹͳΔɻ͜ΕΛղܾ͢Δܭࢉෳࡶੑཧ࿦ʹ͓͚Δ PCPʢ֬཰తݕࠪՄೳূ໌ɺProbabilistically Checkable Proofʣ[15] Λߟ͑Δɻ PCP ͱ͸ NP ݴޠ L ʹ͓͚Δɺূ໌ऀͷೖྗʹର͢Δ x ∈ L ͱ͍͏ओுʹରͯ͠ɺݕূऀ͸ূ໌͔Β Θ͔ͣ਺Ϗοτ͚ͩΛಡΈऔΔ͚ͩͰͦͷূ໌͕༗ޮ͔Ͳ͏͔Λߴ͍֬཰Ͱ൑அ͢Δ͜ͱ͕ՄೳͰ͋Δɻ x ̸∈ L Ͱ͋ͬͨ৔߹ɺݕূऀ͸গͳ͘ͱ΋ 1/2 ͷ֬཰Ͱڋઈ͢Δɻଟ߲͕ࣜ߃౳తʹ 0 Ͱͳ͍৔߹ɺϥϯ μϜʹબ୒͞Εͨ఺Ͱଟ߲ࣜΛධՁ͢Δͱɺߴ͍֬཰Ͱޡͬͨ౴͑Λग़͞ΕΔ͜ͱࣔͨ͠ Schwartz-Zippel ͷิ୊ [12][13] ͱ͍͏΋ͷ͕͋Δɻ ิ୊ 1 Schwartz-Zippel ͷิ୊ p(x1 , . . . , xn ) Λମ F ্ͷ࣍਺ d Λ΋ͭඇθϩଟ߲ࣜͱ͢ΔɻS Λ F ͷ༗ݶ෦෼ू߹ͱ͠ɺr1 , . . . , rn Λ S ͔ΒҰ༷ϥϯμϜಠཱʹબΜͩͱ͖ɺҎԼ͕੒Γཱͭɻ Pr[P(r1 , r2 , . . . , rn ) = 0] ≤ d |S| ଟ߲ࣜͷಉҰੑΛ͢΂ͯͷ఺Ͱ͸ͳ͘୯Ұͷ఺͚ͩͰνΣοΫ͢Δͱ҆શੑ͕௿Լ͢Δ͕ɺ͜ͷิ୊ʹ ΑΔͱɺ༗ݶମ F ্ͷ࣍਺ d ͷ 2 ͭͷҟͳΔଟ߲ࣜ h(x)t(x), p(x) ͸ɺF ্ͷ఺ͷ࠷େ d/|F| ͷ֬཰ͰҰ 12
  13. க͢Δ͜ͱ͕Ͱ͖Δɻ ͕ͨͬͯ͠ɺP(x) = h(x)t(x) − p(x) ͕߃౳తʹ 0 Ͱͳ͍৔߹ɺϥϯμϜʹબ͹Εͨ s

    ∈ F ʹରͯ͠Ҏ Լ͕੒Γཱͭ͜ͱ͕Θ͔Δɻଟ߲ࣜ P(x) ͕डཧ͞ΕΔ֬཰͸ແࢹͰ͖Δ΄Ͳখ͍͞ɻ Pr[P(s) = 0] ≤ d |F| ·ͨɺ͜ΕΒ͸ɺଟ߲͕ࣜ߃౳తʹ 0 Ͱ͋ͬͨ৔߹͸֬཰̍Ͱड͚ೖΕΔ׬શੑͱɺِͷূ໌Λߴ͍֬ ཰Ͱڋ൱͢Δ݈શੑΛ΋ͭ͜ͱ͕Θ͔Δɻ 4.3 Blind Evaluation of Polynomials ͜͜Ͱ͸ݕূऀͱূ໌ऀͷ 2 ऀؒͰූ߸ԽεΩʔϜͰఆٛͨ͠Ұํ޲ੑؔ਺ E(x) ΛదԠͨ͠ର࿩ܕͷθ ϩ஌ࣝূ໌Λߦ͏ɻNP ݴޠ L Λ L := {x ∈ Fn|∃w ∈ Fh, (x, w) ∈ R}ɺଟ߲ࣜ࣌ؒͰܭࢉՄೳͳؔ܎ R Λ R := {(x, w) ∈ Fn × Fh} ͱ͢Δɻ͜ͷ࣌ɺx Λεςʔτϝϯτɺw Λ x ∈ L Λূ໌͢Δূڌ (witness) ͱ͢Δɻ(x, w) ∈ R ͷ৔߹ͷΈɺf(x, w) = 1 ͱͳΔΑ͏ͳؔ਺ f ͕ଘࡏ͢Δɻূ໌ऀ͕ f(x, w) = 1 ͱ ͳΔΑ͏ͳ w Λ͍࣋ͬͯΔ͜ͱΛ w ࣗମΛ໌Β͔ʹͤͣʹݕূऀʹূ໌͢Δ͜ͱΛߟ͑Δɻ f(x, w) = { 1 ∀(x, w) ∈ R 0 ∀(x, w) / ∈ R ݕূऀ͸ԋࢉճ࿏ C : Fn × Fh → Fl ͔Β QAPQ := (V, W, Y, t(x)) Λߏங͢Δɻೖྗɺग़ྗΛද͢ 3 ͭͷଟ߲ࣜू߹ͷ૊͕ E(x) Ͱූ߸Խ͞Εͨ {gvk(x)}k∈[m] , {gwk(x)}k∈[m] , {gyk(x)}k∈[m] ͱͯ͠ಘΒΕΔɻ ݕূऀ͸ϥϯμϜͳ s ← F Λબͼɺ{gvk(s)}k∈[m] , {gwk(s)}k∈[m] , {gyk(s)}k∈[m] , {gsi }i∈[d] Λ࡞ΓɺͦΕΒ Λূ໌ऀʹૹΔɻE(x) ʹΑͬͯූ߸Խ͞Ε͍ͯΔͨΊɺ఺ s ʹ͍ͭͯ͸໌Β͔ʹ͞Ε͍ͯͳ͍ɻূ໌ऀ͸ ԋࢉճ࿏ C ͱ x, w Λ͔ΒҎԼͷࣜΛຬͨ͢Α͏ͳ {ci }i∈[m] ΛಘΔ͜ͱ͕Ͱ͖Δɻw ͸ x ∈ L Λূ໌͢Δ ূڌʹͳ͍ͬͯΔͨΊূ໌ऀͷΈ͕ {ci }i∈[m] Λ஌Δ͜ͱ͕Ͱ͖Δɻ p(x) = ( v0 (x) + m ∑ k=1 ck · vk (x) ) · ( w0 (x) + m ∑ k=1 ck · wk (x) ) − ( y0 (x) + m ∑ k=1 ck · yk (x) ) Αͬͯূ໌ऀ͸ݕূऀ͔Βड͚औͬͨ {gvk(s)}k∈[m] , {gwk(s)}k∈[m] , {gyk(s)}k∈[m] ͱ {ci }i∈[m] ͔Βූ߸ Խ͞Εͨ·· gv(s), gw(s), gy(s) ΛҎԼͷΑ͏ʹͦΕͧΕܭࢉ͢Δ͜ͱ͕Ͱ͖Δɻ gv(s) = gv0(s)+c1·v1(s)+c2·v2(s)+···+cm·vm(s) = gv0(s) · gc1·v1(s) · gc2·v2(s) · · · gcm·vm(s) = (gv0(s))1 · (gv1(s))c1 · (gv2(s))c2 · · · (gvm(s))cm gw(s) = gw0(s)+c1·w1(s)+c2·w2(s)+···+cm·wm(s) = gw0(s) · gc1·w1(s) · gc2·w2(s) · · · gcm·wm(s) = (gw0(s)) · (gw1(s))c1 · (gw2(s))c2 · · · (gwm(s))cm gy(s) = gy0(s)+c1·y1(s)+c2·y2(s)+···+cm·ym(s) = gy0(s) · gc1·y1(s) · gc2·y2(s) · · · gcm·ym(s) = (gy0(s))1 · (gy1(s))c1 · (gy2(s))c2 · · · (gym(s))cm 13
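As an added worked example (not part of the original deck), here is the QAP of the Figure 4 circuit from section 4.1 together with the one-point check of section 4.2, in Python over a constructed small prime field. The prime P and the roots r5, r6 are constructed values; the (value at r5, value at r6) pairs for v_k, w_k, y_k are the ones listed on slide 12, and v0, w0, y0 are zero for this circuit.

```python
# Added worked example (not the deck's code): the QAP of the Figure 4 circuit,
# c5 = (c1 + 7c2)(c2 - 2c3), c6 = (c2 - 2c3)c4, over a constructed small prime
# field F_P with constructed roots r5, r6.  v_k, w_k, y_k are the degree-<=1
# polynomials interpolated from the (value at r5, value at r6) pairs on slide 12.
import random

P = 7919            # constructed toy prime; real systems use a ~254-bit field
R5, R6 = 5, 6       # constructed roots attached to gate5 and gate6

# Polynomials are coefficient lists, lowest degree first, coefficients in F_P.
def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return out

def poly_add(a, b):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return [(x + y) % P for x, y in zip(a, b)]

def poly_scale(a, c):
    return [(c * x) % P for x in a]

def poly_divmod(a, b):
    """Long division in F_P[x]: returns (quotient, remainder)."""
    a, q = a[:], [0] * max(1, len(a) - len(b) + 1)
    inv = pow(b[-1], P - 2, P)
    for i in range(len(a) - len(b), -1, -1):
        q[i] = (a[i + len(b) - 1] * inv) % P
        for j, y in enumerate(b):
            a[i + j] = (a[i + j] - q[i] * y) % P
    return q, a[:len(b) - 1]

def poly_eval(a, x):
    return sum(c * pow(x, i, P) for i, c in enumerate(a)) % P

def interpolate(y5, y6):
    """The degree-<=1 polynomial taking value y5 at r5 and y6 at r6 (Lagrange)."""
    inv = pow(R5 - R6, P - 2, P)
    l5 = poly_scale([-R6, 1], inv)     # (x - r6)/(r5 - r6)
    l6 = poly_scale([-R5, 1], -inv)    # (x - r5)/(r6 - r5)
    return poly_add(poly_scale(l5, y5), poly_scale(l6, y6))

# (v_k(r5), v_k(r6)) etc. for k = 1..6 as on slide 12; v0, w0, y0 are zero here.
V = {1: (1, 0), 2: (7, 1), 3: (0, -2), 4: (0, 0), 5: (0, 0), 6: (0, 0)}
W = {1: (0, 0), 2: (1, 0), 3: (-2, 0), 4: (0, 1), 5: (0, 0), 6: (0, 0)}
Y = {1: (0, 0), 2: (0, 0), 3: (0, 0), 4: (0, 0), 5: (1, 0), 6: (0, 1)}
T = poly_mul([-R5, 1], [-R6, 1])       # target polynomial t(x) = (x - r5)(x - r6)

def combine(polys, c):
    """sum_k c_k * poly_k(x) for an assignment c = (c1, ..., c6)."""
    acc = [0]
    for k, (at_r5, at_r6) in polys.items():
        acc = poly_add(acc, poly_scale(interpolate(at_r5, at_r6), c[k - 1]))
    return acc

def qap_polynomial(c):
    """p(x) = v(x) * w(x) - y(x); it vanishes at r5 and r6 iff c satisfies both gates."""
    return poly_add(poly_mul(combine(V, c), combine(W, c)), poly_scale(combine(Y, c), -1))

def witness(c1, c2, c3, c4):
    """Honest circuit evaluation: the full assignment (c1, ..., c6)."""
    c5 = (c1 + 7 * c2) * (c2 - 2 * c3) % P
    c6 = (c2 - 2 * c3) * c4 % P
    return [c1, c2, c3, c4, c5, c6]

def t_divides_p(c):
    """Exact QAP check: t(x) | p(x), i.e. h(x) = p(x)/t(x) leaves no remainder."""
    _, rem = poly_divmod(qap_polynomial(c), T)
    return not any(rem)

def spot_check(c, s=None):
    """Schwartz-Zippel style check at a single point s: h(s) t(s) == p(s).
    A bad assignment slips through only if s is a root of the dropped remainder."""
    p = qap_polynomial(c)
    h, _ = poly_divmod(p, T)           # quotient only; a cheat's remainder is discarded
    s = random.randrange(P) if s is None else s
    return poly_eval(h, s) * poly_eval(T, s) % P == poly_eval(p, s)
```

Tampering with c5 leaves the remainder x − r6, so the one-point check is fooled only at s = 6, which is the d/|F| bound of the lemma made concrete.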
  14. ·ͨɺ(x, w) ∈ R Ͱ͋Δ࣌ɺh(x)t(x) = p(x) Λຬͨ͢Α͏ͳ h(x) ͕ଘࡏ͠ɺ{gsi

    }i∈[d] ͔Β gh(s) ΛҎ ԼͷΑ͏ʹܭࢉͰ͖Δɻ gh(s) = gh0+h1·s+h2·s2+···+hd·sd = gh0 · gh1·s · gh2·s2 · · · ghd·sd = (g)h0 · (gs)h1 · (gs2 )h2 · · · (gsd )hd ಘΒΕͨ gv(s), gw(s), gy(s), gh(s) ΛݕূʹૹΔɻݕূऀ͸ͦΕΒ͕ h(x)t(x) = p(x) Λຬ͔ͨ͢Ͳ͏͔Λ v(s), w(s), y(s), h(s) Λ஌Δ͜ͱͳ͘ޙड़͢ΔϖΞϦϯάʹΑΔݕূͰ֬ೝՄೳͰ͋Δɻ 4.4 Pinocchio Protocol Pinocchio Protocol[9] ͱ͸ʮ҉߸ͷԾఆ͚ͩʹཔΓͳ͕ΒҰൠతͳܭࢉΛޮ཰తʹݕূ͢ΔͨΊʹߏங ͞ΕͨγεςϜʯͰ͋Δɻθϩ஌ࣝͰݕূՄೳͳܭࢉͰ͋Γɺূ໌ऀͷೖྗʹؔ͢Δ৘ใΛҰ੾໌͔ͣ͞ ʹਖ਼͍͠ೖྗͰ͋Δͱ͜Λূ໌Ͱ͖Δɻࠓճ zk-SNARK ͸ Pinocchio Protocol ʹैͬͯߏஙΛߦ͏ɻ ͜ͷϓϩτίϧͰ͸ɺDHɺSDHɺKEA ԾఆΛͦΕͧΕҰൠԽͨ͠ q-PDHɺq-SDHɺq-PKE ͷ 3 ͭͷ ҉߸ֶతԾఆʹґڌͯ͠Δɻ͜ͷϓϩτίϧʹैͬͯ zk-SNARKs Λߏங͢Δ͜ͱͰɺ҆શ͔ͭޮ཰తͳ ূ໌ϓϩηεΛ࣮ݱ͢Δ͜ͱ͕Ͱ͖ΔɻPinocchio Protocol ͸ q ܕԾఆͷ҉߸ֶతԾఆΛ༻͍͍ͯΔɻै དྷͷඪ४తͳԾఆʢDDHɺCDH ͳͲʣ͸ύϥϝʔλʔԽ͞Ε͓ͯΒͣɺৗʹҰఆͷαΠζʢ੩తʣͰ͋ ΔɻҰํɺඇ੩తͳ q ܕԾఆ͸ q ʹΑͬͯύϥϝʔλʔԽ͞Ε͍ͯΔɻূ໌͕ඇ੩తͳ΋ͷʹґଘ͍ͯ͠ Δ৔߹ɺq ͸௨ৗɺ߈ܸऀ͕ߦ͏ΫΤϦͷ਺ɺೖྗαΠζɺ·ͨ͸ϓϩτίϧʹඞཁͳܭࢉεςοϓͷ਺ʹ ؔ࿈͢ΔɻΫΤϦͷ਺͕ଟ͚Ε͹ଟ͍΄ͲԾఆ͕ڧ͘ͳΓɺ߈ܸऀ͕ͦͷԾఆΛഁΔ͜ͱ͕ΑΓ೉͍͠ͱ ݴΘΕͯΔɻ 4.5 Knowledge of Exponent Assumption 4.3 Ͱূ໌ऀ͸ {gvk(x)}k∈[m] , {gwk(x)}k∈[m] , {gyk(x)}k∈[m] , {gsi }i∈[d] ͱ x, w ͔Β gv(s), gw(s), gy(s), gh(s) ΛܭࢉͰ͖Δ͜ͱΛࣔͨ͠ɻ͔͠͠ɺূ໌ऀ͕ gv(s), gw(s), gy(s), gh(s) ΛܭࢉͰ͖Δͱ͍͏͜ͱ͸ɺ࣮ࡍ ʹݕূऀʹͦͷ஋ΛૹΔ͜ͱΛอূͰ͖͍ͯͳ͍ɻ͜Ε͸ɺѱҙͷ͋Δূ໌ऀ͕ෆਖ਼ͳূ໌Λ࡞Δ͜ͱΛ Մೳʹ͍ͯ͠Δɻ͕ͨͬͯ͠ɺূ໌ऀʹ੍ݶΛ͔͚ɺਖ਼࣮͘͠ߦͤ͞Δඞཁ͕͋ΔɻPinocchio Protocol ͷ q-PKE ͱ͍͏҉߸ֶతԾఆʹґڌ͢Δ͜ͱͰূ໌ऀ͕ਖ਼࣮͘͠ߦ͢Δ͜ͱΛՄೳʹ͍ͯ͠Δɻྫ͑ ͹ɺݕূऀ͸Ұ༷ϥϯμϜʹ s, α ∈ F Λબͼ {gsd }i∈d ʹՃ͑ͯɺ{gαsd }i∈d ΋ূ໌ऀʹૹΔɻূ໌ऀ͕ gh(s)gαh(s) ͷΑ͏ͳ૊Λฦ͢͜ͱ͕Ͱ͖Ε͹ɺड͚औͬͨ஋ {gsd }i∈d Λ࢖ͬͯධՁͨ͜͠ͱΛอূ͍ͯ͠ ΔɻҎԼɺ͜ΕΒ͕ q-PKE ԾఆΛຬͨ͢͜ͱΛ֬ೝ͢Δɻ ༗ݶମ F ্ͷପԁۂઢ E ͷ֤఺ Pi , αPi Λ༩͑ͨͱ͖ɺα Λ஌Βͣʹ఺ Q, αQ Λ࡞Δ͜ͱߟ͑Δɻ΋ ͠ɺα ͷ஋Λ஌͍ͬͯͨͱ͢Δͱɺద౰ͳ఺ S ͔Β αS Λ࡞Δ͜ͱ͕ՄೳͰ͋Δ͕ɺূ໌ऀʹ͸ α ʹؔ ͯ͠ αPi ͔͠৘ใ͕༩͑ΒΕͯͳ͍ɻΑͬͯ༗ݶ८ճ܈্ͷ཭ࢄର਺໰୊ʹΑΓ఺ S, αS Λ࡞Δ͜ͱ͸ࠔ ೉Ͱ͋Δ͜ͱ͕Θ͔Δɻ఺ Q, αQ ΛಘΔʹ͸ Pi ͷઢܗ݁߹͔Β࡞Δඞཁ͕͋Δɻ܎਺ ai ∈ F Λ༻͍ͯ Q = a1 P1 + a2 P2 + · · · + aq Pq ͱͳΔઢܗ݁߹Λ࡞Γɺ͜ΕΑΓ ˆ Q = a1 (αP1 ) + a2 (αP2 ) + · · · + aq (αPq ) = α(a1 P1 + a2 P2 + · · · + aq Pq ) = αQ 14
  15. ͕ಘΒΕΔɻ͜Ε͸ α Λ஌Βͣʹ఺ Q, αQ ͕࡞Δ͜ͱ͕Ͱ͖Δɻͭ·Γɺ఺ Q, αQ Λ࡞Δʹ͸ɺ༩͑ ΒΕͨ఺

    Pi , αPi ͷઢܗ݁߹Ͱ࡞Δඞཁ͕͋Δɻ Ҏ্ΑΓɺ ূ໌ऀ͸ {gvk(s)}k∈[m] , {gαvk(s)}k∈[m] ,{gwk(s)}k∈[m] , {gαwk(s)}k∈[m] ,{gyk(s)}k∈[m] , {gαyk(s)}k∈[m] , {gsi }i∈[d] , {gαsi }i∈[d] ͔Β gv(s), gαv(s), gw(s), gαw(s), gy(s), gαy(s), gh(s), gαh(s) Λ࡞Δ͜ͱΛٻΊΒΕΔɻ 4.6 From Quadratic Arithmetic Programs to zk-SNRAK ͜Ε·Ͱূ໌ऀͱݕূऀͷ̎ऀؒʹΑΔର࿩ܕͷθϩ஌ࣝূ໌Λߦͬͨɻ͜͜Ͱ͸ূ໌ऀͱݕূऀͷؒ ʹ৴པͰ͖ΔୈࡾऀΛ͓͖ɺඇର࿩ܕͷθϩ஌ࣝূ໌ͷߏஙΛߦ͏ɻؔ܎ R := {(x, w) ∈ Fn × Fh} ͱ͠ɺ x Λεςʔτϝϯτɺw Λূڌͱ͢Δɻ͜ͷؔ܎ R ͸ԋࢉճ࿏ C ͰݕূͰ͖ΔͷͰɺ(x, w) ∈ R ͱͳΔ ৔߹ͷΈɺf(x, w) = 1 ͱͳΔؔ਺ f ͕͋Γɺೖྗ͕ f Λຬͨ͢৔߹ʹ͸ɺԋࢉճ࿏ͷग़ྗ͕ 1ɺͦ͏Ͱͳ ͍৔߹͸ग़ྗ͕ 0 ͱͳΔ͜ͱΛҙຯ͍ͯ͠Δɻ f(x, w) = { 1 ∀(x, w) ∈ R 0 ∀(x, w) / ∈ R ؔ܎ R ͱ F ্ͷؔ਺ f Λ༻͍ͯɺԋࢉճ࿏ C ͔Βେ͖͞ mɺ࣍਺ deg(t(x)) = d ͱͳΔ QAPQ := (V, W, Y, t(x)) Λߏங͢ΔɻN Λؔ਺ f ͷೖग़ྗ਺ͱ͠ɺΠϯσοΫε I = {1, . . . , m} Λ 2 ͭͷू߹ Ifree , Ilabeled ʹ෼ׂ͠ɺIlabeled = {1, . . . , N}, Ifree = {N + 1, . . . , m} ͱදͤΔɻ·ͨɺIlabeled ͷ෦෼ ू߹ Iin = ∪i∈[n] Ii = {1, . . . , n} ͱͨ͠ͱ͖ɺImid = I \ Iin ͱ͢Δɻ Gen(1λ, R) → CRS(pk, vk) ηΩϡϦςΟʔύϥϝʔλ λ ͱؔ܎ R ͔Β CRS ͱͳΔূ໌ऀʹ༩͑Δ pk ͱɺݕূऀʹ༩͑Δ vk Λੜ ੒͢ΔɻҰ༷ͳϥϯμϜͳ α, s ← F Λબ୒͠ɺҎԼΛߏங͢Δɻ {gsi }i∈[d] , {gαsi }i∈[d] ༩͑ΒΕͨଟ߲ࣜू߹ QAP Q := (V, W, Y, t(x)) ͔ΒɺҎԼΛߏங͢Δɻ {gvk(s)}k∈Lmid , {gαvk(s)}k∈Lmid , {gwk(s)}k∈[m] , {gαwk(s)}k∈[m] , {gyk(s)}k∈[m] , {gαyk(s)}k∈[m] ·ͨɺϥϯμϜͳ βv , βw , βy , γ ← F ΛબͼɺҎԼΛߏங͢Δɻ gβvt(s), gβwt(s), gβyt(s), {gβvvk(s)}k∈Imid , {gβwwk(s)}k∈[m] , {gβyyk(s)}k∈[m] , gβvγ, gβwγ, gβyγ, gγ ͜ΕΒ͕ηοτΞοϓͰੜ੒͞ΕΔ CRS Ͱ͋Δɻ࣍ʹ pk ͱ vk Λߏங͢Δɻ pk = ({gsi }i∈[d] , {gαsi }i∈[d] , {gvk(s)}k∈Lmid , {gαvk(s)}k∈Lmid , {gβvvk(s)}k∈Lmid , {gwk(s)}k∈[m] , {gαwk(s)}k∈[m] , {gβwwk(s)}k∈[m] , {gyk(s)}k∈[m] , {gαyk(s)}k∈[m] , {gβyyk(s)}k∈[m] ) vk = (g, gα, gγ, gβvγ, gβwγ, gβyγ, gt(s), {gvk(s)}k∈Iin , gv0(s), gw0(s), gy0(s)) 15
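The blind evaluation of sections 4.3 and 4.5 as an added example (not the deck's code): the verifier publishes the encodings {g^{s^i}} and {g^{α s^i}}, the prover computes g^{h(s)} and g^{α h(s)} from them alone, and the verifier applies the α-shift check. A prime-order subgroup of Z_P^* stands in for the pairing group, so only the interactive form in which the verifier knows α is shown; the primes P, Q, the generator G and the polynomial h(x) are constructed values.

```python
# Added worked example (not the deck's code): two-party blind evaluation of
# sections 4.3 and 4.5, with a prime-order subgroup of Z_P^* standing in for the
# pairing group G.  Constructed assumptions: the toy primes P, Q, the generator
# G, and a fixed polynomial h(x) playing the role of the prover's h(x).

Q = 1019                     # prime order of <G>; exponents live in F_Q
P = 2 * Q + 1                # 2039, also prime, so Z_P^* has a subgroup of order Q
G = 4                        # a quadratic residue mod P, hence of order Q

def E(x):
    """The encoding E(x) = g^x of section 3.3: one-way, additive in the exponent."""
    return pow(G, x % Q, P)

def poly_eval(h, x):
    return sum(c * pow(x, i, Q) for i, c in enumerate(h)) % Q

def verifier_setup(d, s, alpha):
    """Verifier keeps (s, alpha) secret and publishes {g^{s^i}} and {g^{alpha s^i}} for i <= d."""
    powers = [E(pow(s, i, Q)) for i in range(d + 1)]
    shifted = [E(alpha * pow(s, i, Q)) for i in range(d + 1)]
    return powers, shifted

def prover_blind_eval(h, powers, shifted):
    """g^{h(s)} = prod_i (g^{s^i})^{h_i}, and g^{alpha h(s)} likewise, knowing neither s nor alpha."""
    gh = gah = 1
    for h_i, g_si, g_asi in zip(h, powers, shifted):
        gh = gh * pow(g_si, h_i % Q, P) % P
        gah = gah * pow(g_asi, h_i % Q, P) % P
    return gh, gah

def verifier_check(alpha, gh, gah):
    """Alpha-shift check: the pair is consistent iff (g^{h(s)})^alpha == g^{alpha h(s)}."""
    return pow(gh, alpha, P) == gah

def honest_run(h, s, alpha):
    """Returns (check passed, blinded value equals E(h(s))); the prover never saw s."""
    powers, shifted = verifier_setup(len(h) - 1, s, alpha)
    gh, gah = prover_blind_eval(h, powers, shifted)
    return verifier_check(alpha, gh, gah), gh == E(poly_eval(h, s))

def forged_run(alpha, a, b):
    """A prover that ignores the published encodings and sends (g^a, g^b) of its own
    choosing passes only if b == a * alpha mod Q, i.e. only if it already knew alpha."""
    return verifier_check(alpha, E(a), E(b))
```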
  16. P(pk, x, w) → π : (x, w) ∈ R

    ূ໌ऀ͸ pk ͱεςʔτϝϯτ xɺূڌ w ͔Βݕূऀʹରͯ͠ (x, w) ∈ R Λূ໌͢Δɻ(x, w) ∈ R Ͱ͋ Δͱ͖ɺf(x, w) = 1 ͕੒Γཱͭɻ ূ໌ऀ͸ (x, w) ͔Β QAP Q ΛධՁͯ͠ɺ࣍ͷࣜΛຬͨ͢Α͏ͳ (c1 , . . . , cm ) ΛಘΔɻ h(x) · t(x) = ( v0 (x) + m ∑ k=1 ck · vk (x) ) · ( w0 (x) + m ∑ k=1 ck · wk (x) ) − ( y0 (x) + m ∑ k=1 ck · yk (x) ) ͕ͨͬͯ͠ɺp(x) ͕ t(x) ΛׂΓ੾ΔΑ͏ͳؔ܎ʹ͋Γɺ࣍ͷΑ͏ͳଟ߲ࣜ h(x) ͕ଘࡏ͢Δͱݴ͑Δɻ h(x) := (v0 (x) + v(x))(w0 (x) + w(x)) − (y0 (x) + y(x)) t(x) Imid Λߟྀ͠ɺଟ߲ࣜ vmid (x), w(x), y(x) Λੜ੒͢Δɻ vmid (x) = ∑ k∈Lmid ck · vk (x), w(x) = ∑ k∈[m] ck · wk (x), y(x) = ∑ k∈[m] ck · yk (x) Αͬͯɺvmid (x), w(x), y(x), h(x) ͱ༩͑ΒΕͨ pk ͔Βূ໌ π Λੜ੒͠ɺݕূऀʹૹΔɻ π = (gvmid(s), gw(s), gy(s), gh(s), gαvmid(s), gαw(s), gαy(s), gαh(s), gβvvmid(s)+βww(s)+βyy(s)) ͱͳΓɺͦΕΒΛҎԼͷΑ͏ද͢ɻ π = (πvmid , πw , πy , πh , πv′ mid , πw′ , πy′ , πh′ , πβ ) V (vk, x, π) → {0, 1} ݕূऀ͸ূ໌ π Λड͚औΓɺvk ͱεςʔτϝϯτ x ͔Βͦͷূ໌͕ਖ਼͍͔͠Ͳ͏͔Λݕূ͠·͢ɻx ͔ Β v(s) = vin (s) + vmid (s) Λຬͨ͢ v(s) ͷܽଛ෦෼ vin (s) Λܭࢉ͢Δ͜ͱ͕Ͱ͖Δɻ vin (s) = ∑ k∈Iin ck · vk (s) - நग़Մೳੑ ূ໌ऀ͕ pk ͔Βଟ߲ࣜ vmid (s), w(s), y(s), h(s) ΛධՁ͔ͨ͠Ͳ͏͔Λݕূ͢Δɻ e(πvmid , gα) = e(πv′ mid , g) e(πw , gα) = e(πw′ , g) e(πy , gα) = e(πy′ , g) e(πh , gα) = e(πh′ , g) - ઢܗแੑ vmid (s), w(s), y(s) ͷઢܗ݁߹ F(s) = βv vmid (s) + βw w(s) + βy y(s) ΛධՁ͢Δɻ͜Ε͸ɺূ໌ऀ͕೚ ҙͷଟ߲ࣜू߹Λ࢖༻͍ͯ͠ͳ͍͔Ͳ͏͔Λ֬ೝ͢Δɻ e(πβ , gγ) = e(gβvγ, πvmid ) · e(gβwγ, πw ) · e(gβyγ, πy ) ূ໌ 16
  17. e(πβ , gγ) = e(gβvvmid(s)+βww(s)+βyy(s), gγ) = e(g, g)γ(βvvmid(s)+βww(s)+βyy(s)) =

    e(g, g)βvγvmid(s) · e(g, g)βwγw(s) · e(g, g)βyγy(s) = e(gβvγ, gvmid(s)) · e(gβwγ, gw(s)) · e(gβyγ, gy(s)) = e(gβvγ, πvmid ) · e(gβwγ, πw ) · e(gβyγ, πy ) - ෼ׂՄೳੑ h(s)t(s) = p(s) ͕੒ཱ͢Δ͜ͱΛݕূ͢Δɻ͜Ε͸ߏஙͨ͠ QAP ͕ਖ਼͍͠ূ໌Λநग़͔ͨ͠Ͳ͏͔Λ ֬ೝ͢Δɻ e(πh , gt(s)) = e(gv0(s)gvin(s)πvmid , gw0(s)πw )/e(gy0(s)gy(s), g) ূ໌ e(πh , gt(s)) = e(gh(s), gt(s)) = e(g, g)h(s)t(s) = e(g, g)(v0(s)+vin(s)+vmid(s))(w0(s)+w(s))−(y0(s)+y(s)) = e(gv0(s)gvin(s)gvmid(s), gw0(s)gw(s))/e(gy0(s)gy(s), g) = e(gv0(s)gvin(s)πvmid , gw0(s)πw )/e(gy0(s)πy , g) ͜ΕΒશͯͷݕূ͕੒ޭ͢Ε͹ɺূ໌ π Λडཧ͠ɺͦ͏Ͱͳ͚Ε͹ڋ൱Λ͢Δɻ 4.7 Zero-Knowledge SNARK ࠷ޙʹɺ׬શͳθϩ஌ࣝূ໌Λߏங͢ΔͨΊʹ͸ vmid (x), w(x), y(x), h(x) ΛϥϯμϜԽ͢Δඞཁ͕ ͋Δɻྫ͑͹ɺѱҙͷ͋Δݕূऀ͕ূ໌ʹຬ଍͢Δ (c′ 1 , . . . , c′ m ) ͔Β v′ mid (s), w′(s), y′(s) Λܭࢉ͢Δ͜ ͱ͕Ͱ͖ͨͱ͢Δɻ͜ͷ࣌ɺূ໌ऀ͔ΒૹΒΕ͖ͯͨ vmid (s), w(s), y(s) ͱ஋͕ҟͳΔ৔߹ɺݕূऀ͸ (c′ 1 , . . . , c′ m ) ͕ূ໌ऀͷ΋ͭ৘ใͰ͸ͳ͍͜ͱΛਪଌ͢Δ͜ͱ͕ՄೳͰ͋Δɻ͕ͨͬͯ͠ɺ͜ΕΒͷূ໌Λ ౷ܭతʹθϩ஌ࣝʹ͢ΔͨΊʹɺvmid (x), w(x), y(x), h(x) ͷؒʹ͋Δ෼ׂՄೳੑͷؔ܎Λҡ࣋ͨ͠··ɺ Ұ༷ʹαϯϓϦϯά͞Εͨ஋Λଟ߲ࣜʹՃ͑Δ͜ͱͰϥϯμϜԽΛߦ͏ɻ ূ໌ऀ͸ཚ਺ δvmid , δw , δy ∈ F Λબͼɺ࣍਺ d ͷଟ߲ࣜ v′ mid (x), w′(x), y′(x) Λੜ੒͢Δɻ v′ mid (x) = vmid (x) + δvmid t(x) w′(x) = w(x) + δw t(x) y′(x) = y(x) + δy t(x) p′(x) = (v0 (x) + vin (x) + v′ mid (x))(w0 (x) + w′(x)) − (y0 (x) + y′(x)) ͜͜Ͱ vin (x) = ∑ k∈Iin ck · vk (x), vmid (x) = ∑ k∈Lmid ck · vk (x) ͱఆٛ͢Δɻ v(x) = ∑ k∈Iin ck · vk (x) + ∑ k∈Lmid ck · vk (x) Αͬͯ h′(x) · t(x) = p′(x) Λຬͨ͢Α͏ͳ h′(x) ͕ଘࡏ͢Δɻ 17
  18. h′(x) := (v0 (x) + vin (x) + v′ mid

    (x))(w0 (x) + w′(x)) − (y0 (x) + y′(x)) t(x) p′(x) = (v0 (x) + vin (x) + vmid (x) + δvmid t(x))(w0 (x) + w(x) + δw t(x)) − (y0 (x) + y(x) + δy t(x)) = (v0 (x) + vin (x) + vmid (x))(w0 (x) + w(x)) − (y0 (x) + y(x)) + t(x)D D = δw (v0 (x) + vin (x) + vmid (x)) + δvmid (w0 (x) + w(x)) − δy + δvmid δw t(x) ͱ͢Δɻ ͜ΕΑΓ t(x) ͸ p′(x) ΛׂΓ੾Δ͜ͱΛূ໌͢Δʹ͸े෼Ͱ͋Δɻ͕ͨͬͯ͠ɺh′(x) ͸ h(x) Λ༻͍ͯ ҎԼͷΑ͏ʹදͤΔɻ h′(x) = h(s) + D ͕ͨͬͯ͠ɺv′ mid (s), w′(s), y′(s), h′(s) ʹΑͬͯಘΒΕΔ৘ใ͸ t(x) ͱͷ෼ׂՄೳੑͷΈͰ͋ΓɺͦΕ Ҏ্ͷ৘ใ͸໌Β͔ʹͤͣʹূ໌͢Δ͜ͱ͕Ͱ͖Δɻূ໌ऀ͕ݕূऀʹૹΔূ໌ π ͸ π′ = (gv′ mid (s), gw′(s), gy′(s), gh′(s), gαv′ mid (s), gαw′(s), gαy′(s), gαh′(s), gβvv′ mid (s)+βww′(s)+βyy′(s)) ͱͳΓɺͦΕΒΛҎԼͷΑ͏ද͢ɻ π′ = (π′ vmid , π′ w , π′ y , π′ h , π′ v′ mid , π′ w′ , π′ y′ , π′ h′ , π′ β ) ͜ͷϥϯμϜԽ͞Εͨূ໌΋લड़ͨ͠ಉ༷ͷํ๏ͰݕূΛߦ͑ΔɻҎ্ΑΓɺඇର࿩ܕͷθϩ஌ࣝূ໌ Ͱ͋Δ zk-SNARK ͷߏஙΛऴ͑Δɻ 18
  19. References
    [1] Alberto Ballesteros Rodriguez, Jordi Herrera Joancomartí. zk-SNARKs Analysis and Implementation on Ethereum. Inter-university Master's Degree in Security of Information and Communication Technologies.
    [2] Mihir Bellare and Adriana Palacio. The knowledge-of-exponent assumptions and 3-round zero-knowledge protocols. In Proceedings of the 18th Annual International Cryptology Conference, CRYPTO '98, pages 408–423, 1998.
    [3] Eli Ben-Sasson, Alessandro Chiesa, Eran Tromer, Madars Virza. Succinct Non-Interactive Zero Knowledge for a von Neumann Architecture. In Proceedings of the 23rd USENIX Conference on Security Symposium, August 2014, pages 781–796.
    [4] Nir Bitansky, Alessandro Chiesa, Yuval Ishai, Omer Paneth, Rafail Ostrovsky. Succinct Non-interactive Arguments via Linear Interactive Proofs. In: Sahai A. (ed.) Theory of Cryptography, TCC 2013. Lecture Notes in Computer Science, vol. 7785. Springer, Berlin, Heidelberg, 2013. https://doi.org/10.1007/978-3-642-36594-2_18
    [5] Rosario Gennaro, Craig Gentry, Bryan Parno, and Mariana Raykova. Quadratic span programs and succinct NIZKs without PCPs. In Proceedings of the 32nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT '13, pages 626–645, 2013.
    [6] Jens Groth. Short pairing-based non-interactive zero-knowledge arguments. In Proceedings of the 16th International Conference on the Theory and Application of Cryptology and Information Security, ASIACRYPT '10, pages 321–340, 2010.
    [7] Yuval Ishai, Mohammad Mahmoody and Amit Sahai. On Efficient Zero-Knowledge PCPs. In: Cramer R. (ed.) Theory of Cryptography, TCC 2012. Lecture Notes in Computer Science, vol. 7194. Springer, Berlin, Heidelberg, 2012. https://doi.org/10.1007/978-3-642-28914-9_9
    [8] Anca Nitulescu. A Gentle Introduction to SNARKs. 2019.
    [9] Bryan Parno, Craig Gentry, Jon Howell, and Mariana Raykova. Pinocchio: Nearly practical verifiable computation. In Proceedings of the 34th IEEE Symposium on Security and Privacy, Oakland '13, pages 238–252, 2013.
    [10] http://www.math.sci.hiroshima-u.ac.jp/m-mat/TEACH/elliptic.pdf
    [11] https://blog.ethereum.org/2016/12/05/zksnarks-in-a-nutshell/
    [12] http://www.kurims.kyoto-u.ac.jp/coss/coss2011/okamoto-handout.pdf
    [13] https://en.wikipedia.org/wiki/Schwartz
    [14] https://en.wikipedia.org/wiki/Common_reference_string_model
    [15] https://en.wikipedia.org/wiki/Probabilistically_checkable_proof