Cornell Format

Date:

Reviewed:

Topic / Chapter:

summary

❓Questions

Notes

Topic 1

Date:

Reviewed:

Topic / Chapter:

❓Questions

Notes

Introduction to Modern SNARKs
- SNARKs
  - SNARK: a succinct proof that a certain statement is true
    - i.e. “short” and “fast” to verify
    - e.g. solution itself: might not be short nor fast to verify
  - zk-SNARK: revealing nothing about $m$
  - potentially: a single reliable PC can monitor supercomputers’ operation
    - or: slow computer monitoring GPUs
    - slow computer: like layer-1s
- Blockchain applications 1
  - outsourcing computation (not zk)
    - L1: quickly verifies work of off-chain service
  - e.g. scalability: proof-based rollups (zkRollup)
    - off-chain service processes a batch of Tx
    - L1 chain: verifies a succinct proof of correct processing
  - e.g. bridging blockchains: Po-Consensus (zkBridge)
    - enables transfer of assets from one chain to another
    - proving to target chain that asset was locked in source chain
- Blockchain applications 2
  - (requiring zk)
  - private Tx on a public blockchain
    - zk proof that a private Tx is valid
  - compliance
    - proof that a private Tx is compliant w/ banking laws
    - proof that an exchange is solvent in zk
  - also: non-blockchain applications exist
    - e.g. fighting disinformation: C2PA
    - camera: w/ embedded secret key
      - and signs picture w/ location & timestamp
      - metadata: can be confirmed
    - problem: image post-processing
      - disable further C2PA verification
    - zk-SNARK solution
      - laptop: w/ (Photo, Ops)
      - $π$ : proves that “I know a pair (Orig, Sig) s.t.”
        
        Sig a valid C2PA signature on Orig
        
        Photo is result of applying Ops to Orig
        
        metadata(Photo)==metadata(Orig)
      - laptop verifies $π$ and shows metadata
      - size: ≤ 1 KB, takes ≤ 10 ms in browser
        
        proof generation: takes a few minutes w/ sufficient HW
        
        parallelizable
      - proof: must be not interactable

What is SNARK

Arithmetic circuits
- computation model: must be fixed to build SNARK
- let $F = {0, \dots, p - 1}$ for $p > 2$
  - finite field
  - closed w/ addition & multiplication
- arithmetic circuits
  - $C : F^{n} \to F$ (n input w/ 1 output)
  - directed acyclic graph, where
    - internal nodes: $+, -, \times$
    - inputs: $1, x_{1}, \dots, x_{n}$
  - defines: n-variate polynomial w/ evaluation recipe
  - $∣ C ∣$ : no. of gates in $C$
- interesting cases
  - $C_{s ha} (h, m)$ : $(S H A 256 (m) == h)? 0 : 1$
  - $C_{h S H A} (h, m) = (h - S H A 256 (m))$
    - $∣ C_{S H A} ∣ \approx 20 K$ gates (”small”)
  - $C_{s i g} (p k, m, σ)$ : output 0 if $σ$ a valid ECDSA sig of $m, p k$
- structured vs. unstructured circuits
  - unstructured: w/ arbitrary wires
  - structured: build in layers, one circuit being repeated
    - layer: aka VM
NARK: Non-interactive ARgument of Knowledge
- applied arithmetic circuit
  - $C (x, w) \to F$
    - $x$ : oublic statement in $F^{n}$
    - $w$ : secret witness in $F^{m}$
  - preprocessing: $S (C) \to$ public params ( $pp, v p$ )
    - public param for prover / verifier
- prover: $pp, x, w$
  - generate proof $π$ that $C (x, w) = 0$
- verifier: $v p, x$
- preprocessing NARK: triple $(S, P, V)$
  - $S (C)$ : description of circuit $C$
  - $P (pp, x, w) \to π$
  - $V (v p, x, π)$ : accept / reject
  - all alg. and adversary: w/ access to random oracle
- informal requirements
  - complete: $\forall x, w, : C (x, w)$ ⇒ $P r [V (v p, x, P (pp, x, w)) = 1] = 1$
    - i.e. always accept if valid
  - or: “knowledge sound”
    - if $V$ accepts ⇒ $P$ “knows” $w$ s.t. $C (x, w) = 0$
    - and extractor $E$ can extract a valid $w$
  - optional: ZK: $(C, pp, v p, x, π)$ reveals “nothing new” about $w$
- trivial NARK: $π = w$
SNARK
- succinct preprocessing NARK
- same for $S (C)$
- $P (pp, x, w)$ : short $π$
  - len($\pi$) = sublinear($|w|$)
- $V (v p, x, π)$ : fast to verify
  - time(V)= $O_{\lambda}(|x|$, sublinear($|C|$))
- i.e. anything better than NARK: technically SNARK
- however, strongly succinct NARK is:
  - len($\pi$) = $O_{\lambda}(\log |C|)$
  - time(V)= $O_{\lambda}(|x|,\log(|C|))$
    - i.e. no time to even read circuit $C$
    - thus: preprocessing needed
      - $v p$ : summary of $C$
- most SNARKs to be discussed: in constant time
- trivial SNARK: not SNARK
  - long proof
  - $C (x, w)$ might be hard (and slow)
  - $w$ : might be secret

Preprocessing (setup)

$S (C; r) \to (pp, v p)$
setup types
- trusted setup per circuit
  - run fresh for each circuit
  - and $r$ must be kept secret
    - if $r$ is learned: false statements can be proven
    - generator: destroyed after task
- trusted but universal (updatable) setup
  - secret $r$ : independent of $C$
  - $S = (S_{ini t}, S_{in d e x})$
  - $S_{ini t} (λ; r) \to g p$ (global param)
    - one-time setup, secret $r$
  - $S_{in d e x} (g p, C) \to (pp, v p)$
    - deterministic
    - can be repeated
- transparent setup
  - $S (C)$ : doesn’t use secret data

significant progress

	size of $π$	verifier time	setup	post-quantum
Groth’16	$\approx$ 200 Bytes	$\approx$ 1.5 ms	trusted per circuit	no
Plonk / Marlin	$\approx$ 400 Bytes	$\approx$ 3 ms	universal trusted setup	no
Bulletproofs	$O_{λ} (lo g ∥ C ∥)$ $\approx$ 1.5 KB	$O_{λ} (∥ C ∥)$ $\approx$ 3 sec	transparent	no
STARK	$O_{λ} (lo g^{2} ∥ C ∥)$ $\approx$ 100 KB	$O_{λ} (lo g^{2} ∥ C ∥)$ $\approx$ 10 ms	transparent	yes

prover time: almost $O_{λ} (∥ C ∥)$

Knowledge
- if $V$ accepts ⇒ $P$ knows $w$ s.t. $C (x, w) = 0$
- if $P$ knows $w$ : we can “torture” $P$ to get $w$
- formal knowledge
  - $(S, P, V)$ is knowledge sound for $C$ if
  - $\forall$ eff. adversary $A = (A_{0}, A_{1})$ s.t.
  - $g p \leftarrow S_{ini t} ()$ , $(C, x, s t) \leftarrow A_{0} (g p)$
  - $(pp, v p) \leftarrow S_{in d e x} (C)$
  - $π \leftarrow A_{1} (pp, x, s t)$
  - $P r [V (v p, x, π) = 1] > 1/1 0^{6}$
    - i.e. non-negl
  - then $\exists$ eff. extractor $E$ s.t.
    - $g p \leftarrow S_{ini t} ()$
    - $(C, x, s t) \leftarrow A_{0} (g p)$
    - $w \leftarrow E (g p, C, x)$
    - $P r [C (x, w) = 0] > 1/1 0^{6} - ε$
- i.e. if there is an efficient prover, then we can extract the knowledge

Building an eff. SNARK
- Building SNARK
  - general paradigm: two steps
    - a functional commitment scheme
      - cryptographic obj
    - a compatible interactive oracle proof (IOP)
      - info. theoretic obj
    - result: SNARK for general circuits
  - commitments scheme
    - made of commit & verify
    - must satisfy: binding & hiding property
  - standard commitment
    - $H : M \times R \to T$
    - $co mmi t (m, r)$ : com:=H(m,r)
    - $v er i f y (m, co m, r)$ : accepts if com=H(m,r)
- Functional commitment scheme
  - given a family of functions $F = {f : X \to Y}$
  - $co m_{f} \leftarrow co mmi t (f, r)$
    - sent to verifier
  - verifier: sends $x \in X$
  - prover: sends $y \in Y$ and $π$
    - proving that $f (x) = y$ and $f \in F$
  - a functional commitment scheme for $F$
    - $se t u p (1^{λ}) \to g p$ : outputs public param
    - $co mmi t (g p, f, r) \to co m_{f}$
      - binding & optional hiding (for zk-SNARK)
    - $e v a l (P, V)$
      - $P (g p, f, x, y, r) \to π$
      - $V (g p, co m_{f}, x, y, π) \to$ accept / reject
      - a SNARK for relation
        
        $f (x) = y$ , $f \in F$ , and $co mmi t (g p, f, r) = co m_{f}$
  - four important functional commitments
    - polynomial commitments
      - commit to a univariate $f (X)$ in $F_{p}^{\leq d} [X]$
    - multilinear commitments
      - commit to multilinear $f$ in $F_{p}^{\leq 1} [X_{1}, \dots, X_{k}]$
      - e.g. $f (x_{1}, \dots, x_{k}) = x_{1} x_{3} + x_{1} x_{4} x_{5} + x_{7}$
    - vector commitments (e.g. Merkle tree)
      - commit to $u \to = (u_{1} \dots, u_{d}) \in F_{p}^{d}$
      - open cells: $f_{u \to} (i) = u_{i}$
        
        prove that $i$ th index is $u_{i}$
    - inner product commitments
      - aka inner product arguments (IPA)
      - commit to $u \to \in F_{p}^{d}$
      - open an inner product $f_{u \to} (v \to) = (u \to, v \to)$
- Polynomial commitments
  - commit to a univariate $f (X)$ in $F_{p}^{\leq d} [X]$
  - eval: for public $u, v \in F_{p}$ , prover can convince
    - $f (u) = v$ and $de g (f) \leq d$
    - for verifier w/ $(d, co m_{f}, u, v)$
  - eval proof size & verifier time: $O_{λ} (lo g d)$
  - few examples
    - w/ bilinear groups: KZG’10 (trusted setup), Dory’20
    - w/ hash functions only: based on FRI (long eval proofs)
    - w/ elliptic curves: Bulletproofs (short proof, but verifier time being $O (d)$ )
    - w/ groups of unknown order: Dark’20 (slow)
    - KZG’10: most widely used
  - trivial commitment scheme: not a polynomial commitment
    - let $co mmi t (f = \sum_{i = 0}^{d} a_{i} X^{i}, r)$
      - output $co m_{f} \leftarrow H ((a_{0}, \dots, a_{d}), r)$
    - eval: prover sends $π = ((a_{0}, \dots, a_{d}), r)$ to verifier
      - verifier accepts if $f (u) = v$ and $H ((a_{0}, \dots, a_{d}), r) = co m_{f}$
      - proof size & verification time: linear in $d$
- Useful observation
  - for a non-zero $f \in F_{p}^{\leq d} [X]$
    - for $r \leftarrow $ F_{p}$ : $P r [f (r) = 0] \leq d / p$
      - aka SZDL lemma
      - also holds for multivariate polynomials
        
        $d$ : total degree of $f$
    - has at most $d$ roots in finite field
      - and $p$ possibilities for $r$
  - thus, suppose $p \approx 2^{256}$ and $d \leq 2^{40}$
    - then $d / p$ is negligible
  - and if $f (r) = 0$ , $f = 0$ for high probability
  - suppose $p \approx 2^{256}$ and $2 \leq 2^{40}$
    - let $f, g \in F_{p}^{\leq d} [X]$
    - for $r \leftarrow $ F_{p}$ : if $f (r) = g (r)$
      - ⇒ $f = g$ w.h.p.
    - as $f (r) - g (r) = 0$
      - ⇒ $f - g = 0$ w.h.p.
    - $P r [f (r) = 0] \leq d / p$
  - ⇒ simple equality test for two committed polynomials
- Equality test protocol
  - interactive protocol
    - prover: $f, g \in F_{p}^{\leq d} [X]$
    - verifier: gives $r \leftarrow $ R$
    - prover: computes $y \leftarrow f (r)$ , $y^{'} \leftarrow g (r)$
      - and attaches proof for
        
        $y = f (r)$
        
        $y^{'} = g (r)$
      - along w/ $y, y^{'}$
    - verifier: accepts if
      - valid proof
      - $y = y^{'}$
  - can be made non-interactive (Fiat-Shamir)
    - for all public-coin IP
    - prover: generates $r$ by its own w/ $H$
    - $P (pp, x = (co m_{f}, co m_{g}), w = (f, g))$
      - $r \leftarrow H (x)$
      - $y \leftarrow f (r)$ , $y^{'} \leftarrow g (r)$
      - sends $y, y^{'}, π_{f}, π_{g}$
    - $V (v p, x = (co m_{f}, co m_{g}))$
      - compute $r = H (x)$ itself as well
    - not a zk-SNARK as $f (r)$ , $g (r)$ is revealed
- F-IOP
  - goal: boost functional commitment
    - ⇒ SNARK for general circuits
  - let $C (x, w)$ be arith. circuit and $x \in F_{p}^{n}$
  - F-IOP: proof system that proves $\exists w : C (x, w) = 0$ as follows
    - $se t u p (C) \to pp, v p$
      - $= (f_{0}, f_{- 1}, \dots f_{- s})$
      - oracles for functions in $F$
        
        can be replaced into commitments
    - proof
      - prover: sends $f_{1} \in F$
        
        verifier: sends $r_{1} \leftarrow $ F_{p}$
      - prover: sends $f_{2} \in F$
        
        verifier: sends $r_{2} \leftarrow $ F_{p}$
      - … repeated t times
        
        and verifier: runs $verify^{f_{- s}, \dots f_{t}} (x, r_{1}, \dots, r_{t - 1})$
  - properties
    - complete: $\exists w : C (x, w) = 0$ then $P r [V = 1] = 1$
    - knowledge sound: unable to fake knowledge
- Example poly-IOP
  - $C (X, W) = 0$ ↔ $X \subseteq W \subseteq F_{p}$
  - prover
    - $f (Z) := \prod_{w \in W} (Z - w)$
    - $g (Z) := \prod_{x \in X} (Z - x)$
    - $q (Z) := f / g \in F_{p}^{\leq d} [X]$
      - as $X \subseteq W$ , $f / g$ is a polynomial
    - sends: $f, q$
  - verifier
    - $g (X) := \prod_{x \in X} (Z - x)$
    - $r \leftarrow $ F_{p}$ (public)
    1. query $w \leftarrow f (r)$
    2. query $q^{'} \leftarrow q (r)$
    3. compute $x \leftarrow g (r)$
    4. accept if $x \cdot q^{'} = w$
  - V accepts ⇒ $f = g \cdot q$ w.h.p. ⇒ $X \subseteq W$
    - kind of reversed logic
  - Extractor: $E (X, f, q, r)$
    - output $W$ by computing all roots of $f (Z)$
- IOP Zoo
  - ⇒ SNARKs for general circuits
  - Poly-IOP (w/ Poly-Commit)
    - Sonic
    - Marlin
    - Plonk
  - Multilinear-IOP (w/ Multilinear-Commit)
    - Spartan
    - Clover
    - Hyperplonk
  - Vector-IOP (w/ Merkle)
    - STARK
    - Breakdown
    - Orion
  - ⇒ SNARK (non-interactive via Fiat-Shamir)
- SNARKs in practice
  - programs: written in Domain-Specific Language
    - Circom, ZoKrates, Leo, Cairo, Noir..
  - compiles to SNARK friendly format
    - circuit, R1CS, …, EVM byte code
  - → SNARK backend prover (heavy computation)
    - outputs $π$

Zero Knowledge Proof MOOC