Aleo的PoSW共识

1. 引言

Aleo系列，前序博客有：

• 欢迎关注Aleo
• 使用Zexe构建Aleo隐私应用——How Zero Knowledge is Rebalancing the Scales of the Internet
• Aleo系列博客——透明的代价
• Aleo系列博客——零知识密码学技术的未来
• Aleo 提供的zero knowledge primitives

Aleo采用Proof of Succinct Work共识。

Proof of Succinct Work为SNARK-based Proof of Work算法，旨在激励对SNARKs的硬件加速。

具体为： Miner将pending交易打包，并计算a valid nonce来解决a Proof of Succinct Work puzzle。

puzzle的difficulty rate会动态调整，以反映Aleo上的miners在每秒贡献的proof数量。

• block time：是指网络生成有效区块所用的时间。基于网络的hashrate会变化。但是由blcok difficulty控制。
• block difficulty：根据最近的block times来调整，以维护整个网络的平均block time的稳定性。

解决该puzzle的miner address将的激励为：base block reward + 该区块所包含的交易的手续费。

2. Aleo中所用的曲线

Aleo中使用pairing-friendly 曲线来生成和验证proof：

*Edwards BLS12BLS12-377Edwards BW6BW6-761Curve TypeTwisted EdwardsBarreto-Lynn-ScottTwisted EdwardsBrezing–WengScalar Field Size251 bits253 bits374 bits377 bitsBase Field Size253 bits377 bits377 bits761 bitsG1 Compressed Size*32 bytes48 bytes48 bytes96 bytesG2 Compressed Size*N/A96 bytesN/A96 bytes

相关参数为：

• Edwards BLS12：

  • scalar field： 0 x 04 a a d 957 a 68 b 2955982 d 1347970 d e c 005293 a 3 a f c 43 c 8 a f e b 95 a e e 9 a c 33 f d 9 f f 0x04aad957a68b2955982d1347970dec005293a3afc43c8afeb95aee9ac33fd9ff 0x04aad957a68b2955982d1347970dec005293a3afc43c8afeb95aee9ac33fd9ff
  • scalar field root of unity： 0 x 00 b 4 b 1 d 4 c 7 e 5 e 163 b 1 a f 246173 f d b 411 b d b 82 a c 32901 d c b 9 d 289433 f f 2 b 7 d 5 c 9 0x00b4b1d4c7e5e163b1af246173fdb411bdb82ac32901dcb9d289433ff2b7d5c9 0x00b4b1d4c7e5e163b1af246173fdb411bdb82ac32901dcb9d289433ff2b7d5c9
  • base field： 0 x 12 a b 655 e 9 a 2 c a 55660 b 44 d 1 e 5 c 37 b 00159 a a 76 f e d 00000010 a 11800000000001 0x12ab655e9a2ca55660b44d1e5c37b00159aa76fed00000010a11800000000001 0x12ab655e9a2ca55660b44d1e5c37b00159aa76fed00000010a11800000000001
  • base field root of unity： 0 x 0 d 1 b a 211 c 5 c c 349 c d 7 a a c c 7 c 597248269 a 14 c d a 3 e c 99772 b 3 c 3 d 3 c a 739381 f b 2 0x0d1ba211c5cc349cd7aacc7c597248269a14cda3ec99772b3c3d3ca739381fb2 0x0d1ba211c5cc349cd7aacc7c597248269a14cda3ec99772b3c3d3ca739381fb2

• BLS12-377：

  • scalar field： 0 x 12 a b 655 e 9 a 2 c a 55660 b 44 d 1 e 5 c 37 b 00159 a a 76 f e d 00000010 a 11800000000001 0x12ab655e9a2ca55660b44d1e5c37b00159aa76fed00000010a11800000000001 0x12ab655e9a2ca55660b44d1e5c37b00159aa76fed00000010a11800000000001
  • scalar field root of unity： 0 x 0 d 1 b a 211 c 5 c c 349 c d 7 a a c c 7 c 597248269 a 14 c d a 3 e c 99772 b 3 c 3 d 3 c a 739381 f b 2 0x0d1ba211c5cc349cd7aacc7c597248269a14cda3ec99772b3c3d3ca739381fb2 0x0d1ba211c5cc349cd7aacc7c597248269a14cda3ec99772b3c3d3ca739381fb2
  • base field： 0 x 01 a e 3 a 4617 c 510 e a c 63 b 05 c 06 c a 1493 b 1 a 22 d 9 f 300 f 5138 f 1 e f 3622 f b a 094800170 b 5 d 44300000008508 c 00000000001 0x01ae3a4617c510eac63b05c06ca1493b1a22d9f300f5138f1ef3622fba094800170b5d44300000008508c00000000001 0x01ae3a4617c510eac63b05c06ca1493b1a22d9f300f5138f1ef3622fba094800170b5d44300000008508c00000000001
  • base field root of unity： 0 x 00 f 3 c 1414 e f 58 c 54 f 95564 f 4 c b c 1 b 61 f e e 086 c 1 f e 367 c 33776 d a 78169 a 7 f 3950 f 1 b d 15 c 3898 d d 1 a f 1 c 104955744 e 6 e 0 f 0x00f3c1414ef58c54f95564f4cbc1b61fee086c1fe367c33776da78169a7f3950f1bd15c3898dd1af1c104955744e6e0f 0x00f3c1414ef58c54f95564f4cbc1b61fee086c1fe367c33776da78169a7f3950f1bd15c3898dd1af1c104955744e6e0f

• Edwards BW6：

  • scalar field： 0 x 0035 c 748 c 2 f 8 a 21 d 58 c 760 b 80 d 94292763445 b 3 e 601 e a 271 e 1 d 75 f e 7 d 6 e e b 84234066 d 10 f 5 d 893814103486497 d 95295 0x0035c748c2f8a21d58c760b80d94292763445b3e601ea271e1d75fe7d6eeb84234066d10f5d893814103486497d95295 0x0035c748c2f8a21d58c760b80d94292763445b3e601ea271e1d75fe7d6eeb84234066d10f5d893814103486497d95295
  • scalar field root of unity： 0 x 0006 b a 8 c 867 e a c c f 5 f 7 e 46 b c d b 07 d 0 f 4 b 2595092 e e d f f 5 c 5603102866827125373710874 d 7416 d 75 a 832273177 b 0 e 245 0x0006ba8c867eaccf5f7e46bcdb07d0f4b2595092eedff5c5603102866827125373710874d7416d75a832273177b0e245 0x0006ba8c867eaccf5f7e46bcdb07d0f4b2595092eedff5c5603102866827125373710874d7416d75a832273177b0e245
  • base field： 0 x 01 a e 3 a 4617 c 510 e a c 63 b 05 c 06 c a 1493 b 1 a 22 d 9 f 300 f 5138 f 1 e f 3622 f b a 094800170 b 5 d 44300000008508 c 00000000001 0x01ae3a4617c510eac63b05c06ca1493b1a22d9f300f5138f1ef3622fba094800170b5d44300000008508c00000000001 0x01ae3a4617c510eac63b05c06ca1493b1a22d9f300f5138f1ef3622fba094800170b5d44300000008508c00000000001
  • base field root of unity： 0 x 00 f 3 c 1414 e f 58 c 54 f 95564 f 4 c b c 1 b 61 f e e 086 c 1 f e 367 c 33776 d a 78169 a 7 f 3950 f 1 b d 15 c 3898 d d 1 a f 1 c 104955744 e 6 e 0 f 0x00f3c1414ef58c54f95564f4cbc1b61fee086c1fe367c33776da78169a7f3950f1bd15c3898dd1af1c104955744e6e0f 0x00f3c1414ef58c54f95564f4cbc1b61fee086c1fe367c33776da78169a7f3950f1bd15c3898dd1af1c104955744e6e0f

• BW6-761：

  • scalar field： 0 x 01 a e 3 a 4617 c 510 e a c 63 b 05 c 06 c a 1493 b 1 a 22 d 9 f 300 f 5138 f 1 e f 3622 f b a 094800170 b 5 d 44300000008508 c 00000000001 0x01ae3a4617c510eac63b05c06ca1493b1a22d9f300f5138f1ef3622fba094800170b5d44300000008508c00000000001 0x01ae3a4617c510eac63b05c06ca1493b1a22d9f300f5138f1ef3622fba094800170b5d44300000008508c00000000001
  • scalar field root of unity： 0 x 00 f 3 c 1414 e f 58 c 54 f 95564 f 4 c b c 1 b 61 f e e 086 c 1 f e 367 c 33776 d a 78169 a 7 f 3950 f 1 b d 15 c 3898 d d 1 a f 1 c 104955744 e 6 e 0 f 0x00f3c1414ef58c54f95564f4cbc1b61fee086c1fe367c33776da78169a7f3950f1bd15c3898dd1af1c104955744e6e0f 0x00f3c1414ef58c54f95564f4cbc1b61fee086c1fe367c33776da78169a7f3950f1bd15c3898dd1af1c104955744e6e0f
  • base field： 0 x 0122 e 824 f b 83 c e 0 a d 187 c 94004 f a f f 3 e b 926186 a 81 d 14688528275 e f 8087 b e 41707 b a 638 e 584 e 91903 c e b a f f 25 b 423048689 c 8 e d 12 f 9 f d 9071 d c d 3 d c 73 e b f f 2 e 98 a 116 c 25667 a 8 f 8160 c f 8 a e e a f 0 a 437 e 6913 e 6870000082 f 49 d 00000000008 b 0x0122e824fb83ce0ad187c94004faff3eb926186a81d14688528275ef8087be41707ba638e584e91903cebaff25b423048689c8ed12f9fd9071dcd3dc73ebff2e98a116c25667a8f8160cf8aeeaf0a437e6913e6870000082f49d00000000008b 0x0122e824fb83ce0ad187c94004faff3eb926186a81d14688528275ef8087be41707ba638e584e91903cebaff25b423048689c8ed12f9fd9071dcd3dc73ebff2e98a116c25667a8f8160cf8aeeaf0a437e6913e6870000082f49d00000000008b
  • base field root of unity： 0 x 00 d 0 f 0 a 60 a 5 b e 58 c f 9 d f a a 846595555 f 73 a 18 e 069 a c 04458 d 72 c 1 d 6 f 77 d 5 f 5 c 54 d 28 b e 3 a 9 f 55 c 8155 c 81153 f 4906 e 9 f e c 5 a 3614 a c 0 b 1 d 98484 f 3089 e 56574722 b e 36179047832 b 0377738 a 6 b 6870 f 9598 c 391832 e 000739 b f 29 a 000000007 a b 6 0x00d0f0a60a5be58cf9dfaa846595555f73a18e069ac04458d72c1d6f77d5f5c54d28be3a9f55c8155c81153f4906e9fec5a3614ac0b1d98484f3089e56574722be36179047832b0377738a6b6870f9598c391832e000739bf29a000000007ab6 0x00d0f0a60a5be58cf9dfaa846595555f73a18e069ac04458d72c1d6f77d5f5c54d28be3a9f55c8155c81153f4906e9fec5a3614ac0b1d98484f3089e56574722be36179047832b0377738a6b6870f9598c391832e000739bf29a000000007ab6

3. Proof of Succinct Work (PoSW)

PoSW为比特币SHA-based difficulty adjusting算法的变种，最关键的不同之处在于：

• 底层计算不是hash运算，而是proof of knowledge计算。

使得PoSW：

• 作为PoW来保证系统共识
• 提供verification of transaction inclusion in a given block

PoSW采用异步模式，假设大多数miners（Provers）是诚实的。

PoSW中对于relation R \mathcal{R} R 的SNARK ( G , P , V ) (G,P,V) (G,P,V) 流程为：

• 1）已知a set of (valid) transactions T i = t 1 , . . . , t n T_i = { t_1, ..., t_n } Ti​=t1​,...,tn​ 和 当前state state i \text{state}_i statei​： NewState ( state i , T i ) ← ( state i + 1 , w i + 1 ) \text{NewState}(\text{state}_i, T_i) \leftarrow (\text{state}_{i+1}, w_{i+1}) NewState(statei​,Ti​)←(statei+1​,wi+1​) 其中：

  • state i \text{state}_i statei​：为第 i i i个block的state
  • w i + 1 w_{i+1} wi+1​：为auxiliary information attesting to the validity of state i + 1 \text{state}_{i+1} statei+1​

• 2）Sample a random nonce n n n 并计算：【 C R S CRS CRS为 G G G的public output】 P ( C R S , [ n , state i + 1 ] , w i + 1 ) ← π n P(CRS, [n, \text{state}_{i+1}], w_{i+1}) \leftarrow \pi_n P(CRS,[n,statei+1​],wi+1​)←πn​

• 3）若 P R F ( π n ) < = d PRF(\pi_n)