Skip to main content

Running Sangria final proof in shielded mode on untrusted 3rd party prover

· 4 min read

This is a crosspost with


Sangria is a folding protocol for the Plonk prover. In the original model, the prover works iteratively and merges a new execution trace with an execution trace accumulator.

Here we will show, how to build a special high entropy execution trace. After merging with the accumulator, the resulting execution trace could be shown by an untrusted prover with zero data leaks.

This approach allows us to perform linear complexity execution on a thin client and do hard computations on the server without data leaks.

Original protocol

Accumulated instance and witness:

Un:=(Xn,un,Wn,En),U'_n := (\mathbf{X}'_n, u'_n, \overline{W}'_n, \overline{E}'_n),

Wn:=(Wn,en,rWn,rEn)W'_n := (\mathbf{W}'_n, \mathbf{e}'_n, r'_{Wn}, r'_{En})

Iteration instance and witness:

Un:=(Xn,un,Wn,En),U_n := (\mathbf{X}_n, u_n, \overline{W}_n, \overline{E}_n),

Wn:=(Wn,e,rWn,rEn)W_n := (\mathbf{W}_n, \mathbf{e}, r_{Wn}, r_{En})

Where W=Com(ppW,W,rW), E=Com(ppW,e,rE)\overline{W}=\text{Com}(\text{pp}_W, \mathbf{W}, r_W),\ \overline{E} = \text{Com}(\text{pp}_W, \mathbf{e}, r_E).

We use the relaxed Plonk gate equation:

C(a,b,c,u,e)=abqM+qCu2+(aqL+cqO+bqR)u+eC(\mathbf{a}, {\mathbf{b}}, {\mathbf{c}}, u, {\mathbf{e}})={\mathbf{a}} {\mathbf{b}} {\mathbf{q_M}} + {\mathbf{q_C}} {u}^{2} + {\left({\mathbf{a}} {\mathbf{q_L}} + {\mathbf{c}} {\mathbf{q_O}} + {\mathbf{b}} {\mathbf{q_R}}\right)} {u} + {\mathbf{e}}

  1. Prover send to Verifier Tn=Com(ppW,tn,rTn)\overline{T}_n = \text{Com}(\text{pp}_W, \mathbf{t}_n, r_{Tn}),

where tn=2qCunun+(anbn+anbn)qM+(anqL+cnqO+bnqR)un+(anqL+cnqO+bnqR)unt_n=2 \, {\mathbf{q_C}} {u'_n} {u_n} + {\left({\mathbf{a}_n} {\mathbf{b}'_n} + {\mathbf{a}'_n} {\mathbf{b}_n}\right)} {\mathbf{q_M}} + {\left({\mathbf{a}_n} {\mathbf{q_L}} + {\mathbf{c}_n} {\mathbf{q_O}} + {\mathbf{b}_n} {\mathbf{q_R}}\right)} {u'_n} + {\left({\mathbf{a}'_n} {\mathbf{q_L}} + {\mathbf{c}'_n} {\mathbf{q_O}} + {\mathbf{b}'_n} {\mathbf{q_R}}\right)} {u_n}

  1. Verifier sends to prover random rr

  2. Prover and Verifier output the folded instance

Un+1=(Xn+1,un+1,Wn+1,En+1),U'_{n+1}=(\mathbf{X}'_{n+1}, u'_{n+1}, \overline{W}'_{n+1}, \overline{E}'_{n+1}),


Xn+1=Xn+rXn,\mathbf{X}'_{n+1} = \mathbf{X}'_n + r \mathbf{X}_n,

un+1=un+run,u'_{n+1} = u'_n + r u_n,

Wn+1=Wn+rWn,\overline{W}'_{n+1} = \overline{W}'_n + r \overline{W}_n,

En+1=En+r2EnrTn.\overline{E}'_{n+1} = \overline{E}'_n + r^2 \overline{E}_n - r \overline{T}_n.

  1. Prover output the folded witness

Wn+1=(Wn+1,en+1,rW n+1,rE n+1),W'_{n+1} = (\mathbf{W}'_{n+1}, \mathbf{e}'_{n+1}, r'_{W\ n+1}, r'_{E\ n+1}),


Wn+1=Wn+rWn,\mathbf{W}'_{n+1} = \mathbf{W}'_n + r \mathbf{W}_n,

en+1=en+r2enrtn,\mathbf{e}'_{n+1} = \mathbf{e}'_n + r^2 \mathbf{e}_n - r \mathbf{t}_n,

rW n+1=rW n+rrWn,r'_{W\ n+1} = r'_{W\ n} + r r_{Wn},

rE n+1=rE n+r2rEnrrTn.r'_{E\ n+1} = r'_{E\ n} + r^2 r_{En} - r r_{Tn}.

We can check, that C(an+1,bn+1,cn+1,un+1,en+1)=C(an,bn,cn,un,en)+r2C(an,bn,cn,un,en)C(\mathbf{a}'_{n+1}, \mathbf{b}'_{n+1}, \mathbf{c}'_{n+1}, u'_{n+1}, \mathbf{e}'_{n+1}) = C(\mathbf{a}'_n, \mathbf{b}'_n, \mathbf{c}'_n, u'_n, \mathbf{e}'_n) + r^2 C(\mathbf{a}_n, \mathbf{b}_n, \mathbf{c}_n, u_n, \mathbf{e}_n).

Sangria zero-knowledge protocol for untrusted 3rd party prover

Instead of proving the execution trace after the last step, we can merge it with a random execution trace and send the result to 3rd party prover. Zero-knowledge property means, that 3rd party prover can't learn anything about the initial execution trace.

Let's replace the final proving protocol with an additional round, where the client mixes the state with a special generated random trace and send the result to the untrusted 3rd party prover.

We will prove, that the prover can not learn anything about the initial execution trace.

Let's consider (Un+1,Wn+1)(U'_{n+1}, W'_{n+1}) as the final state of the protocol, (Un,Wn)(U'_n, W'_n) as the initial state of the protocol (Un,Wn)(U_n, W_n) as the random state.

For any possible initial state (U,W)(U', W') we try to roll back the protocol on the 3rd party prover side and find the corresponding merged state (U,W)(U, W).

W=Wn+1Wr,\mathbf{W} = \frac{\mathbf{W}'_{n+1} - \mathbf{W}'}{r},

rW=rW n+1rWr,r_W = \frac{r'_{W\ n+1} - r'_{W}}{r},

t=t(W,W)\mathbf{t} = \mathbf{t}(W, W')

e=en+1e+rtr2\mathbf{e} = \frac{\mathbf{e}'_{n+1} - \mathbf{e}' + r \mathbf{t}}{r^2}

rE=rE n+1rE+rrTnr2r_E = \frac{r'_{E\ n+1} - r'_{E} + r r_{Tn}}{r^2}

u=un+1uru = \frac{u'_{n+1} - u'}{r}

Assuming, that

C(an+1,bn+1,cn+1,un+1,en+1)=0,C(\mathbf{a}'_{n+1}, \mathbf{b}'_{n+1}, \mathbf{c}'_{n+1}, u'_{n+1}, \mathbf{e}'_{n+1}) = 0,

C(a,b,c,u,e)=0,C(\mathbf{a}', \mathbf{b}', \mathbf{c}', u', \mathbf{e}') = 0,

and substituting the variables, we get

C(a,b,c,u,e)=0.C(\mathbf{a}, \mathbf{b}, \mathbf{c}, u, \mathbf{e}) = 0.

That means that for the given to 3rd party prover execution trace and any possible initial execution trace, there is an existing execution trace, that can be merged with the given trace and the result will be the given trace.

Considering an,bn,cna_n, b_n, c_n as independent random variables, we get, that all initial information is hidden.

UPD: all intermediate computations are available on sage math here: snjax/sangria-delegated-zk