零知识证明:什么是zk-STARKs以及它们是如何工作的?(zk-STARK V2)

发布于 2024年10月21日更新于 2024年11月10日阅读时长 10 分钟32

一、什么是储备证明和零知识证明?

1、什么是储备证明(PoR)?

储备证明(PoR)是加密货币交易所展示其拥有足够资产来覆盖所有用户余额的过程。这通过证明交易所没有隐藏任何负债,以博取信任。展示这一点的最简单方法是发布交易所的资产金额和用户余额列表,以便每个人都可以确认:

  • 欧易持有的用户资产总量等于每个用户资产余额的总和。

  • 每个用户的总余额都大于零,并对其资产进行核算,覆盖其负债并确保每个用户拥有正的净资产。

  • 交易所公布的总价值包含每个用户,因此每个用户都应该能够验证他们的净值是否包含在总价值中。

然而,泄露这些余额可能会危及用户隐私。为了解决这个问题,我们使用了一种称为零知识证明(ZKP)的方法来保护用户的隐私

2、什么是零知识证明(ZKP)?

零知识证明(ZKP)是一种安全技术,允许加密货币交易所在不透露任何额外信息的情况下证明声明的真实性。在我们的情况下,我们希望证明我们有足够的资金,而不分享特定的用户详细信息。

大多数ZKP分为两类:

  • zk-snark

  • ZK-STARK

我们使用zk-STARK是因为它更安全并且具有最低安全假设。在本文中,我们将解释如何使用zk-STARK来保护用户隐私,同时证明我们的偿付能力。

在我们继续之前,了解一些基本的ZKP术语是有帮助的,比如电路、默克尔树和承诺。对于初学者,有许多资源可以帮助你入门。对于高级用户,你可以参考MOOC课程学术专著

二、zk-STARK是如何工作的?

我们使用每个用户账户的哈希作为叶子创建一个默克尔树。每个账户都显示各种代币(例如,BTC,ETH)的USD余额。为了处理这些余额,我们将其余额分成每个代币的非负股权和债务。这样,我们只使用正数,更容易处理计算和避免错误。

例如:

  • 如果用户的BTC代币余额为 A,则其BTC权益为 A,BTC债务为 0。

  • 如果一个用户的ETH代币余额是 - B,它对应的权益是 0,债务是 B。

接下来,我们将这些账户值作为叶子构建一个Merkle树。树的根充当代表所有用户余额的单个值。每个用户都可以通过使用显示他们的账户如何连接到根的Merkle路径来证明他们的账户是这棵树的一部分。

我们还发布所有用户所有代币的总资产和债务总和。然后,我们创建一个零知识证明(ZKP)来显示两件事情:

  • 求和证明:

    默克尔树中的资产和债务价值正确相加

  • 非负证明:

    每个用户的总资产大于他们的总债务

当我们试图验证大量账户的默克尔树时,有限的计算资源无法一次整理一整颗树。为了克服这一挑战,我们将账户分成称为批次的较小组。每个批次都使用批次电路单独处理,该电路检查默克尔树的底部。

批处理不仅使其易于管理,而且允许我们同时运行这些检查(并行处理)。一旦我们有了每个批次的结果,我们就使用另一层电路,称为递归电路,将所有批次组合在一起并验证,直到我们证明了整个默克尔树。

1、什么是批处理电路?

批处理电路接受1024个账户 (acc0, acc1,..., acc1023) 作为输入,并生成3个主要输出:一个哈希 (hbatch),一个总资产价值 (ebatch),和一个总债务价值 (dbatch)。它检查:

  • 每个账户的 USD 权益总额大于债务总额。

  • ebatch是这些账户中所有以 USD 计价的权益价值的总和。

  • dbatch是这些账户中所有以 USD 计价的债务价值的总和。

  • hbatch 是使用帐户哈希创建的 Merkle 树的根。

  • 在求和 ebatchdbatch期间没有溢出。

2、什么是递归电路?

递归电路从低层电路中获取64种不同的证明(π0, ..., π63)、哈希 (h0, ..., h63)、股票(e0, ..., e63), 和债务 (d0, ..., d63)作为输入。它组合这些输入并产生3个输出:新哈希 (hrecursive)、总资产(erecursive),和总债务(drecursive)。它检查:

  • 64个证明中的每一个都是有效的。

  • 每个证明 π0, ..., π63来自下层电路是有效的。

  • erecursivee0, ..., e63 的总和

  • drecursived0, ..., d63 的总和

  • hrecursive 是串联的 h0, ..., h63, i.e.

    • hrecursive = Hash (h0 || h1 || ... || h63

  • 在求和 erecursivedrecursive 期间没有溢出。

3、批处理电路和递归电路之间的关系是什么?

下图说明了批处理电路和递归电路如何相互连接和传递数据。请记住,在图中,我们出于说明目的复制了电路,但在我们的实现中,我们只为每一层使用一个电路。

CT-web-PoR-relationship

我们的 Merkle 树的结构有点不同。在底部 10 层,每个父节点有 2 个子节点,而在上层,每个父节点有 64 个子节点。这是因为批处理电路处理底部,而递归电路管理顶部。下图使用带有“Alice”的示例来显示 Merkle 树和她的 Merkle 证明(用绿色着色)。

CT-web-PoR-example

有关更多技术细节,例如我们如何调整帐号以适应批量大小或选择正确的哈希算法,请查看此页面

三、zk-PoR版本2的进展

我们的zk-PoR版本2比以前的版本有了几个进步。

  • 更高的效率:

    它现在比以前的版本快50倍。在单个10核机器上需要3小时,而以前的版本使用9台64核机器需要36小时。这种加速是由于使用了Plonky2框架,该框架将Rust编码的电路编译成高效的机器语言,而不是使用较慢的Python脚本。我们还增强了Plonky2在GPU上运行一些计算,将时间额外减少了30%。

  • 更好的可审计性:

    在版本2中,我们使用了一个高级框架,为我们处理复杂的加密细节。这使我们的代码更清晰,更易读,更不容易出错。

  • 简明证明:

    V2证明大小(~500KB)仅为V1(~1.2GB)的0.05%。由于递归方法,证明可以重复聚合并压缩成一个证明。

四、如何执行准备金证明(PoR)的自我验证?

这是如何检查您的资产余额是否包含在zk-STARK Merkle叶子中的方法:

1、登录您的OKX帐户,转到资产,并选择 PoR报告

2、选择详细信息 ,以查看审计数据

CT-web-PoR-step2

3、通过选择复制数据获取手动验证所需的数据

CT-web-PoR-step3

4、选择复制数据后,打开文本编辑器(例如使用笔记本),然后粘贴并将JSON字符串保存为文件。文件必须以名称“_inclusion_proof. json”结尾。JSON字符串包含您的帐户余额和Merkle路径的快照,然后将文件保存在新文件夹中。

5、打开文本编辑器(例如Notebook),然后粘贴JSON字符串并将其保存为文件。文件名必须以“_inclusion_proof. json”结尾。将文件保存在新文件夹中。

  • JSON字符串包含帐户余额和Merkle路径的快照。

  • JSON文本如下所示:

{"sum_tree_siblings":["9ffb169fecf075e203edca2af65e4c69fa4331d13ac75ccae4cd5b990c91b675","7149661a789763cb61293ebf5d8bdd5570e79ee203738f87a444c79642b89a79","788aac9e392fa62bc3f79c98c7afd7bb41ee7d5bd496876cd0580080f19e002f","e828a44d345e6799e232aabc57cb2b92986ee1c52b65344d83e79d84b4b571b7","6c0675de9cd6b2be1abd6a98260e7ea776492c4aa9aadf31086f23452cb7c48d","2dfe3aadb5ac00ee0b1110ee8c313afdee85d9f9c62904d6ee79c8f02354d80a","5068ae26192587432892a6de8b54ea25a8aafd1c010ab5e67b55b2c30c6257fa","a1bb026ec9f3d8a1fa1b6f498c40ed8b117a57e1af9816d08d9135ab4fe43a60","119dfcd214191405b7f7f7c7091b89196c0cae818bfcd8252a48f20d9cf3c378","4d9403482ca177c669df34a60bb2afab7a18097012d0b70703c8e59258cdfee6"],"recursive_tree_siblings":[{"right_hashes":["e041eaa366259f873e9e1477aac77362f4b1b460c2d5e1c14907fa9288d66cff","b45a8c503e649ff39543a918996b06fc65f4df9b61d071b22f7342f94862c9be","e00ec1225dfe6b7e950f6b9b8e9d1121bf17eb60c444fd7191b861a2ddddad23","c02c12beb73c03f996508cdce7bef927f0aa8b77ebd899f6a75df83de9d4022e","d36b95f14c5fd5bfaf1347e3177340e2fc9475a77b852321b80527132e7d539c","c0b9770178e70a7bba4ac8aeaadab2bcb2ae7f90d0f678bd463f2c42ff4f4a7b","fab5e7c6f7f8bc6d51f515c5db235cc1ebe987adee8c19c9bc7313e9e266d72c","b3884fb88fc95949c78ca8867cfa9e8a3c4c59fa1a48d8371f7fbfbebda0acfd","0c6da9bdbd40065f92ddaa45297670f2f0bffedb74020c5d5752e70d8b507b77","left_hashes":["1101beee3c6a36a168ceee9d43fcf6cb6de7e5c87ed4d22cd0308c9870d17839","d40a8e9eb4c873996ec515600def480eaa9378ca8481a7bcdf5f77725dbec4ae","63b12566ba8473f502386e92d500664cb63683dca6c26593378dcc9715257b77","166440a8ccbfbc1ce6ec5efaf8bc0b25e1bf692fa972e2729e45ce709d1d35a3","724451ad1d937fc47de5ede930d159dce78093d5e6a1f2e698452f8a29b4de3a","081a88f12d4e23173a1bf5038d4a9413cc92dd421c92261065de06492b5010ec","a76dbb1d4c393539b9546f4460d50ebc7582748d7de63c62c463b793c55bac7c","91e6c21de3f4060e1bd864131a570af42de31bbcd84a5afcbbc8fedcbf806002","fad08eca5bfdc5f37d39eabb44c2216afc6498afcb6b913d72586eaaf132a572","d39b06fe28387ba8045e2b2f95e90613916beef4f79df7961514e6e4cbfd07fa","81d07e300a116a0e4fcb56c39715c5fd5921abe8d10329b07c3f33d417b70ca8","7b72a7e62a45c9958a8a55eec2ba47352f2af701bacba098668589f6a3ce0423","8766bc64c38c2bb4188d89de0e732bca103daaed0c779cba9a8b191e24b51c9c","fa57ae4409e46c605f3cbfd01dfd9ccebc86cbd765cdc067206cb9367832442f"]}, ...... "index":9583119,"account":{"id":"50f5f08cc5036e15a541c64ac4ac6d2d9aa8ddab1ec32ed58b10e6ed3edfad59","debt":["0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0"],"equity":["8412384","9386185","45265193","0","0","8751","3824171","2716990","0","313671","28319","0","0","0","41261","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","142353","0","0","0","0","0","4435","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","662","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","993","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","25132","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","305","0","0","0","0","0","0","0","0","6141","0","0","0","0","0","0","0","0","0","0","0","5511","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0"]}}

6、下载OKX开源验证工具:zk-STARKValidator

7、将OKX开源验证工具zk-STARKValidator和JSON字符串文件一起保存在步骤5中创建的新文件夹中。在我们的例子中,我们将工具和数据文件放在名为“ por_inclusion_proof.json ”下载文件夹中,如下所示:

CT-web-PoR-json

8、打开 zk-STARKValidator;它将自动运行您保存在文件夹中的JSON文件。

9、检查结果:

  • 如果验证通过,将显示包含约束验证通过的结果:

    zero-knowledge-proofs-what-are-zk-starks-and-how-do-they-work image 21
  • 如果验证失败,将显示包含约束验证失败的结果:

    zero-knowledge-proofs-what-are-zk-starks-and-how-do-they-work image 22

五、如何验证zk-STARK总余额和非负约束?

以下是如何验证我们声称持有的资产是否属实以及没有用户持有负净资产的方法:

1、转到我们的储备证明页面并选择责任报告

2、下载 zk-STARK 文件并将其保存在新文件夹中

CT-web-PoR-self-verification-step2

3、解压文件以提取"sum_proof_data. json"文件

CT-web-PoR-json-sum

4、下载OKX开源验证工具:zk-STARKValidator

5、将OKX开源验证工具zk-STARKValidator"sum_proof_data. json"文件一起保存在步骤2中创建的新文件夹中。在我们的例子中,我们将工具和数据文件放在下载文件夹中,名为"储备证明",如下所示:

CT-web-PoR-json

6、打开zk-STARKValidator;它将自动运行您保存在文件夹中的求和证明数据文件

7、检查结果

如果验证通过,将显示结果Total sum和非负约束验证通过

zero-knowledge-proofs-what-are-zk-starks-and-how-do-they-work image 21

如果验证失败,将显示结果Total sum和非负约束验证失败

zero-knowledge-proofs-what-are-zk-starks-and-how-do-they-work image 22

为了探索更多技术细节,我们的储备证明系统是开源的,可在github上查看和使用。