Pinocchio Protocol


Multiplication homomorphism

In the last step of the Pinocchio protocol, B needs to check E(L(s)R(s)-O(s))=E(H(s)T(s)). So far, however, we have only said that E(x) satisfies the additive homomorphism, and with that alone B cannot calculate E(H(s)*T(s)) from E(H(s)).

For the solution we return to our mathematical tools and use the properties of elliptic curve pairings. That is a long story, so this article only gives the conclusion: through an elliptic curve pairing we can get a weakened version of the multiplicative homomorphism.

Define E1(x):=x⋅g, E2(x):=x⋅h, E(x):=x⋅g. Because all three functions are built from elliptic curve group operations, they naturally satisfy the additive homomorphism, and the elliptic curve pairing ensures that we can calculate E(xy) from E1(x) and E2(y).
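An added example (not from the original post) of B's final check, using a toy stand-in for the pairing: elements keep their scalar in the clear, so it shows only which operations a pairing permits, not any hiding. The names `Elem`, `pair`, `combine`, `prove`, `verify`, `run` and the sample polynomials are assumptions made for illustration; O(s) is hidden with E1 and moved to the target group by pairing it with E2(1).

```python
# Toy stand-in for a pairing group. Each element carries its scalar in the
# clear, so nothing is hidden and nothing here is secure; the class only
# enforces which operations a real pairing allows. All names are hypothetical.
Q = 2**61 - 1  # prime group order (constructed)

class Elem:
    def __init__(self, group, x):
        self.group, self._x = group, x % Q
    def __add__(self, other):   # additive homomorphism: E(a) + E(b) = E(a + b)
        if self.group != other.group:
            raise TypeError("cannot add elements of different groups")
        return Elem(self.group, self._x + other._x)
    def __rmul__(self, k):      # public scalar: k * E(a) = E(k * a)
        return Elem(self.group, k * self._x)
    def __eq__(self, other):
        return (self.group, self._x) == (other.group, other._x)

def E1(x): return Elem("G1", x)
def E2(x): return Elem("G2", x)

def pair(a, b):
    """E1(x), E2(y) -> E(xy). The result lives in GT and cannot be paired again."""
    if (a.group, b.group) != ("G1", "G2"):
        raise TypeError("pair() takes one G1 and one G2 element")
    return Elem("GT", a._x * b._x)

def combine(coeffs, hidden_powers):
    """Evaluate a polynomial on hidden values E(1), E(s), E(s^2), ..."""
    acc = 0 * hidden_powers[0]
    for c, p in zip(coeffs, hidden_powers):
        acc = acc + c * p
    return acc

# Constructed instance, coefficients lowest degree first: L*R - O = H*T.
L, R, O, H, T = (1, 2), (3, 1), (-1, 13), (2,), (2, -3, 1)

def prove(g1_powers, g2_powers, h=H):
    # A never sees s, only its hidden powers.
    return (combine(L, g1_powers), combine(R, g2_powers),
            combine(O, g1_powers), combine(h, g1_powers))

def verify(proof, s):
    eL, eR, eO, eH = proof
    eT = E2(sum(c * pow(s, i, Q) for i, c in enumerate(T)))
    lhs = pair(eL, eR) + (-1) * pair(eO, E2(1))   # E(L(s)R(s) - O(s))
    return lhs == pair(eH, eT)                    # E(H(s)T(s))

def run(s, h=H):
    g1 = [E1(pow(s, i, Q)) for i in range(3)]
    g2 = [E2(pow(s, i, Q)) for i in range(3)]
    return verify(prove(g1, g2, h), s)
```

Because `pair` only accepts one G1 and one G2 element and returns a GT element, exactly one multiplication of hidden values is possible, which is the sense in which the homomorphism is "weakened".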

Reduce interaction

The last and most critical issue is that the Pinocchio protocol requires a lot of message interaction between A and B, whereas on a blockchain what we want to achieve is "public authentication". The ideal situation is that as long as A puts the evidence on the chain as a string, anyone can verify the conclusion.

Unfortunately, this kind of zero-interaction proof in the strict sense has been proved to be unable to satisfy all proof scenarios. We settle for the second-best option and adopt a method called CRS (Common Reference String). The principle is very simple: the random numbers α and s are built into the "system".
