Topic 1 - Zero Knowledge Proof MOOC

Date:

Reviewed:

Topic / Chapter: SNARKs via Interactive Proofs

❓Questions

Notes

Interactive Proofs
- Motivation
  - computation-limited verifier
    - wants data analysis
  - verifier: holds data summary
    - queries to cloud provider w/ data
      - or: “challenges”
    - cloud provider: provides answer
  - interactive proofs (formally)
    - $P$ solves problem, tells $V$ the answer
      - then conversation goes
      - $P$ ’s goal: convince $V$ the answer is correct
    - requirements
      - completeness: an honest $P$ can convince $V$
      - (statistical) soundness: $V$ will catch $P$ ’s lie w.h.p.
      - if soundness holds only against “eff” provers: then it is argument not proof
- Interactive proofs vs. arguments
  - soundness vs. knowledge soundness
    - $C (x, w) \to F$
    - soundness: $V$ accepts → $\exists w$ s.t. $C (x, w) = 0$
    - knowledge soundness: $V$ accepts → $P$ “knows” $w$ s.t. $C (x, w) = 0$
      - 👨‍🏫stronger!
  - standard soundness: meaningful even when knowledge soundness isn’t
    - as there is no “natural witness”
    - e.g. $P$ claims that output of $V$ ’s program on $x$ is 42
  - reverse: prover claims he knows secret key for a certain BTC wallet
    - or: preimage of hash that gives 0
    - many “witnesses” exist
  - public verifiability
    - only convincing the party that is choosing random challenges
      - others: can’t trust the proposed verifier
    - if interactive: each run only convinces one party
    - for public coin protocols: Fiat-Shamir is used
      - to make it non-interactive
SNARKs from Interactive Proofs
- SNARK example
  - procedure
    - $P$ : commits cryptographically to $w$
    - reveals “just enough” info on commitment to allow $V$ to run checks
    - render non-interactive via Fiat-Shamir
Review of Functional Commitments
- Functional commitments
  - different types
    - polynomial commitments
      - to univariate $f (X) \in F_{p}^{\leq d} [X]$
    - multilinear commitments
      - to multilinear $f \in F_{p}^{\leq 1} [X_{1}, \dots X_{k}]$
    - vector commitments (e.g. Merkle trees)
      - to $u \to = (u_{1}, \dots, u_{d}) \in F_{p}^{d}$
      - open cells: $f_{u \to} (i) = u_{i}$
- Merkle trees: the commitment
  - uses: C.R. hash function
  - opening proof size: $O (lo g n)$
  - example: univariate $f (X) \in F_{7}^{(\leq d)} [X]$
    - $m_{1} = H (f (0), f (1))$
      - … $m_{4} = H (f (6), *)$
    - $h_{1} = H (m_{1}, m_{2})$
    - $k_{1} = H (h_{1}, h_{2})$
    - to prove value $f (4)$ , must provide
      - $k_{1}$ , $h_{1}$ , $m_{4}$ , $f (4), f (5)$
  - notation
    - $P$ Merkle-commits to all evaluations of $f$
    - upon request of $f (r)$ , $P$ reveals all associated leaf along w/ opening info
    - two problems
      - no. of leaves: $∣ F ∣$
        
        takes at least $∣ F ∣$ to compute commitment
        
        want time proportional to degree bound $d$
      - $V$ does not know $f$ has at most degree $d$
Interactive Proof Design: Technical Preliminaries
- SZDL lemma
  - FACT: let $p \neq = q$ be univariate polynomials of degree at most $d$
    - then $P r_{r \in F} [p (r) = q (r)] \leq \frac{d}{∣ F ∣}$
    - $p (r) - q (r)$ has at most $d$ zeros
  - SZDL lemma: multivariate generalization
    - let $p \neq = q$ be $l$ -variate polynomials of total degree at most $d$
    - then $P r_{r \in F^{l}} [p (r) = q (r)] \leq \frac{d}{∣ F ∣}$
    - using multivariate to lower the degree and make computation quicker
- Low-degree and multilinear extensions
  - extension: given $f : {0, 1}^{l} \to F$ , a $l$ -variate polynomial $g$ over $F$ : extend $f$
    - if $\forall x \in {0, 1}^{l} f (x) = g (x)$
  - multilinear extensions: any function $f : {0, 1}^{l} \to F$ has unique multilinear extension (MLE) $\tilde{f}$
    - multilinear: polynomial has degree at most 1 in each var
    - e.g. $(1 - x_{1}) (1 - x_{2})$ , but not in $x_{1}^{2} x_{2}$
- Example
  - let $f : {0, 1}^{2} - F$ s.t.
    
    1 2
    
    8 10
  - $\tilde{f} : F^{2} \to F$ (multilinear extension)
    - $\tilde{f} (x_{1}, x_{2}) = (1 - x_{1}) (1 - x_{2}) + 2 (1 - x_{1}) x_{2} + 8 x_{1} (1 - x_{2}) + 10 x_{1} x_{2}$
      - actually: quite similar to SoP approach!
    1 2 3 4 5 6
    
    8 10 12 14 16 18
    
    15 18 21 24 27 30
    
    22 26 30 34 38 52
    
    29 34 39 44 49 56
    - True as:
      - $\tilde{f} (0, 0) = 1$
      - $\tilde{f} (0, 1) = 2$
      - $\tilde{f} (1, 0) = 8$
      - $\tilde{f} (1, 1) = 10$
  - non-multilinear extension
    - $f : g (x_{1}, x_{2}) = - x_{1}^{2} + x_{1} x_{2} + 8 x_{1} + x_{2} + 1$
    1 2 3 4 5 6
    
    8 10 12 14 16 18
    
    13 16 19 22 25 28
    
    16 20 24 28 32 36
    
    17 22 27 32 37 42
    - True as:
      - $g (0, 0) = 1$
      - $g (0, 1) = 2$
      - $g (1, 0) = 8$
      - $g (1, 1) = 10$
- Evaluating multilinear extensions quickly
  - fact: given as input $2^{l}$ evaluations of a function $f$
    - $\forall r \in F^{l} \exists O (2^{l})$ -time algo to evaluate $\tilde{f} (r)$
    - i.e. by listing all its values with manually
  - sketch: using Lagrange interpolation
  - define $\tilde{δ}_{w} (r) = \prod_{i = 1}^{l} (r_{i} w_{i} + (1 - r_{1}) (1 - w_{i}))$
    - i.e. multilinear Lagrange basis polynomial corresponding to $w$
    - or: PoS, but from analog values of $r$
      - ( $w$ being digital)
  - fact: $f (r) = \sum_{w \in {0, 1}^{l}} f (w) \cdot δ_{w} (r)$
  - $\forall w \in {0, 1}^{l}$ , $\tilde{δ}_{w} (r)$ can be computed w/ $O (l)$ field operations
    - yields an $O (l 2^{l})$ -time also
    - can reduce to $O (2^{l})$ time via DP
Sum-Check Protocol
- Sum-check protocol
  - [LFKN90]
  - input: $V$ given oracle access to a $l$ -variate polynomial $g$ over field $F$
    - i.e. access to $g (i)$ where $i \in F$
  - goal: compute the quantity
    - $\sum_{b_{1} \in {0, 1}} \sum_{b_{2} \in {0, 1}} \dots \sum_{b_{l} \in {0, 1}} g (b_{1}, \dots, b_{l})$
    - idea: outsource the computation to prover so that it takes $O (n)$ time instead of $O (2^{n})$
  - 👟Start: $P$ sends claimed answer $C_{1}$
    - protocol checks that:
    - $C_{1} = \sum_{b_{1} \in {0, 1}} \sum_{b_{2} \in {0, 1}} \dots \sum_{b_{l} \in {0, 1}} g (b_{1}, \dots, b_{l})$
  - 👟Round 1: $P$ sends univariate polynomial $s_{1} (X_{1})$ claimed to equal
    
    $H_{1} (X_{1}) := \sum_{b_{2} \in {0, 1}} \dots \sum_{b_{l} \in {0, 1}} g (X_{1}, b_{2} \dots, b_{l})$
    - i.e. output if prover was honest
  - $V$ checks that $C_{1} = s_{1} (0) + s_{1} (1)$
    - or: $\sum_{b_{1} \in {0, 1}} s_{1} (b_{1})$
  - if check passes: safe to believe that $C_{1}$ is the correct answer
    - if $V$ believes $s_{1} = H_{1}$
    - i.e. check $s_{1} (r_{1}) = H_{1} (r_{1})$ where $r_{1} \leftarrow R$
    - $V$ can compute $s_{1} (r_{1})$ directly from $P$ ’s first message, not $H_{1} (r_{1})$ though
  - 👟Round 2: ( $P$ sends $s_{2} (X_{2})$ and) $P$ recursively check that $s_{1} (r_{1}) = H_{1} (r_{1})$
    - i.e. that $s_{1} (r_{1}) = \sum_{b_{2} \in {0, 1}} \dots \sum_{b_{l} \in {0, 1}} g (r_{1}, b_{2}, \dots, b_{l})$
  - 👟Round $l$ : ( $P$ sends $s_{l} (X_{l})$ and) $P$ check that $H_{l} := g (r_{1}, r_{2} \dots, X_{l})$
    - $V$ : checks that $s_{l - 1} (r_{l - 1}) = s_{l} (0) + s_{l} (1)$
    - by picking $s_{l} (r_{l}) = g (r_{1}, \dots r_{l})$
  - general idea: checking $s_{i}$ only on first occurrence, trusting it there after
Analysis of Sum-Check Protocol
- Completeness
  - holds by design
  - if $P$ sends the prescribed messages: all tests will pass
- Soundness
  - if some other message was sent: $V$ rejects w/ probability of at least $1 - \frac{l \cdot d}{∣ F ∣}$
  - e.g. $∣ F ∣ \approx 2^{128}$ , $d = 3$ , $l = 60$
    - then soundness error $\leq 3 \cdot 60/ 2^{128} = 2^{- 120}$
  - proof: by induction on no. of var $l$
    - base case: $l = 1$ ; $P$ sends $s_{1} (X_{1})$ claims to equal $g (X_{1})$
      - $V$ picks $r_{1}$ at random, checks that $s_{1} (r_{1}) = g (r_{1})$
      - if $s_{1} \neq = g$ , then $P r_{r_{1} \in F} [s_{1} (r_{1}) = g (r_{1})] \leq \frac{d}{∣ F ∣}$
    - inductive case $l > 1$
      - recall: $P$ ’s first message $s_{1} (X_{1})$ claimed to equal $H_{1} (X_{1}) := \sum_{b_{2} \in {0, 1}} \dots \sum_{b_{l} \in {0, 1}} g (X_{1}, b_{2}, \dots, b_{l})$
      - $V$ picks $r_{1}$ at random, (recursively) checks that $s_{1} (r_{1}) = H_{1} (r_{1})$
      - if $s_{1} \neq = H_{1}$ , then $P r_{r_{1} \in F} [s_{1} (r_{1}) = H (r_{1})] \leq \frac{d}{∣ F ∣}$
      - if $s_{1} (r_{1}) \neq = H (r_{1})$ , $P$ is left to prove a false claim in rec. call
        
        applies sum-check to $l - 1$ variate
        
        by induction: $P$ convinces $V$ w/ probability at most $\frac{d ( l - 1 )}{∣ F ∣}$
  - summary: if $s_{1} \neq = H_{1}$ , $V$ accepts at most
    - $P r_{r_{1} \in F} [s_{1} (r_{1}) = H (r_{1})] = P r_{r_{2}, \dots r_{l} \in F} [V accepts ∣ s_{1} (r_{1}) \neq = H (r_{1})] \leq \frac{d}{∣ F ∣} + \frac{d ( l - 1 )}{∣ F ∣} \leq \frac{d l}{∣ F ∣}$
- Cost of the protocol
  - total communication: $O (d l)$ field elements
    - $P$ sends $l$ messages, each at univariate degree $d$
    - $V$ sends $l - 1$ messages, each w/ 1 field element
  - $V$ ’s runtime: $O (d l + [time(g)])$
  - $P$ ’s runtime (at most)
    - $O (d \cdot 2^{l} \cdot [time(g)])$
Sum-Check Protocol Application
- Counting triangles
  - input: $A \in {0, 1}^{n \times n}$
    - representing adjacency matrix of a graph
  - desired output: $\sum_{(i, j, k) \in [n]^{3}} A_{ij} A_{jk} A_{ik}$
  - fastest known algorithm: runs in matrix-multiplication time
    - i.e. ~= $n^{2.37}$ (super linear time)
  - IP: let verifier run in $O (n^{2})$ time (minimum possible)
- Protocol
  - protocol: view $A : {0, 1}^{l o g n} \times {0, 1}^{l o g n} \to F$
  - $\tilde{A}$ : multilinear extension of $A$
  - define polynomial $g (X, Y, Z) = A (X, Y) A (Y, Z) \tilde{A} (X, Z)$
  - apply the sum-check protocol to compute
    - $\sum_{(a, b, c) \in {0, 1}^{3 l o g n}} g (a, b, c)$
- Costs
  - total communication: $O (lo g n)$
  - $V$ runtime: $O (n^{2})$
  - $P$ runtime: $O (n^{3})$
  - $V$ runtime: dominated by evaluating
    - $g (r_{1}, r_{2}, r_{3}) = A (r_{1}, r_{2}) A (r_{2}, r_{3}) \tilde{A} (r_{1}, r_{3})$
SNARK for Circuit-Satisfiability
- SNARK for circuit-satisfiability
  - $P, V$ : agreed on circuit $C$ over $F$ size $S$ and output $y$
    - $P$ claims to know $w$ s.t. $C (x, w) = y$
    - let $x$ be empty for simplicity
  - transcript $T$ for $C$ : assignment of a value to every gate
    - is correct if it assigns gate values upon evaluating $C$ on a valid $w$
- Transcript as a function
  - with domain ${0, 1}^{l o g S}$
  - assign each gate in $C$ a ( $lo g S$ )-bit label and view $T$ as a function
    - mapping gate labels to $F$
  - and final output: always $T (1, \dots, 1)$ (last gate to be computed)
Polynomial IOP Underlying the SNARK
- Polynomial IOP
  - $P$ ’s first message is a ( $lo g S$ )-variate polynomial $h$ claimed to extend a correct transcript $T$
    - i.e. $h (x) = T (x) \forall x \in {0, 1}^{l o g s}$
  - $V$ : needs to check this, but only able to learn few evaluation of $h$ (not $S$ )
- Intuition on $h$
  - $h$ : distance-amplified encoding of $T$
  - domain of $T$ : ${0, 1}^{l o g S}$
    - but domain of $h$ : much larger ( $F^{l o g S}$ )
    - 👨‍🏫small difference in $T$ → vast difference (almost all) in extension
      - due to distance-amplifying nature
      - by Schwartz-Zippel
- Two-step plan
  - step 1: given any ( $lo g S$ )-variate polynomial $h$ , identify a related ( $3 lo g S$ )-variate polynomial $g_{h}$ s.t.
    - $h$ extends a correct transcript $T$ ↔ $g_{h} (a, b, c) = 0\forall (a, b, c) \in {0, 1}^{3 l o g S}$
      - or: “vanishing” over Boolean hypercube
      - i.e. if $h$ is not a correct transcript: $\exists a, b, c s.t. g_{h} (a, b, c) \neq = 0$
      - ~= abstraction of messy structure?
    - also: to evaluate $g_{h} (r)$ at any input: evaluating $h$ at 3 inputs are enough
  - step 2: design an IP to check
    - $g_{h} (a, b, c) = 0\forall (a, b, c) \in {0, 1}^{3 l o g S}$
    - in which $V$ only needs to evaluate $g_{h} (r)$ at one point $r$
- Sketch
  - step 1 sketch: define $g_{h} (a, b, c)$ via:
    - $a dd (a, b, c) \cdot (h (a) - (h (b) + h (c))) + m u lt (a, b, c) \cdot (h (a) - (h (b) \cdot h (c)))$
    - $a dd (a, b, c)$ : gets 3 Boolean vectors in input
      - returns 1 iff $a$ is addition gate and 2 $n$ neighbors are $b, c$
      - else 0
    - $m u lt (a, b, c)$ : gets 3 Boolean vectors in input
      - returns 1 iff $a$ is multiplication gate and 2 $n$ neighbors are $b, c$
      - else 0
  - properties
    - $g_{h} (a, b, c) = h (a) - (h (b) + h (c))$
      - if $a$ is label computing sum of $b, c$
    - $g_{h} (a, b, c) = h (a) - (h (b) \cdot h (c))$
      - if $a$ is label computing multiplication of $b, c$
    - $g_{h} (a, b, c) = 0$ otherwise
    - $g_{h}$ computation: can be outsourced to $P$ as it only depends on wiring structure, and thus being able to be committed
  - step 2: how to check $g_{h} (a, b, c) = 0\forall (a, b, c) \in {0, 1}^{3 l o g S}$
    - by evaluating $g_{h}$ at a single point?
  - if $g_{h}$ were a univariate polynomial $g_{h} (X)$
    - and we need to check that $g_{h}$ vanishes over some set $H \subseteq F$ , not ${0, 1}^{3 l o g S}$
  - fact: $g_{h} (x) = 0\forall x \in H$ ↔ $g_{h}$ is divisible by $Z_{H} (x) := \prod_{a \in H} (x - a)$
    - $Z_{H}$ : vanishing polynomial for $H$
    - 🧑‍🎓kind of trivial
  - polynomial IOP
    - $P$ sends a polynomial $q$ s.t. $g_{h} (X) = q (X) \cdot Z_{H} (X)$
    - $V$ checks this by picking a random $r \in F$ and checking $g_{h} (r) = q (r) \cdot Z_{H} (r)$
- Actual protocol
  - above: not works as $g_{h}$ is not univariate
  - computing (finding $q$ ) is expensive
    - in final SNARK: it would be applying poly-commit to additional polynomials
    - Marlin, PlonK, Groth16 does this, though
  - solution: use the sum-check protocol
    - handles multivariate polynomials
    - doesn’t require $P$ to send additional large polynomials
Polynomial IOP for Circuit-Satisfiability
- Recall sum-check
  - goal: compute the quantity (all sum)
  - proof length: roughly total degree of $g$
  - no. of round: $l$
  - $V$ time: ~= time to evaluate $g (r)$
    - not necessarily revealing info on $g$ as long as it knows $g (r)$ for random $r$
- General idea
  - (works over integers, for ease of explanation)
    - $V$ : checks $\sum_{a, b, c \in {0, 1}^{l o g S}} g_{h} (a, b, c)^{2}$
    - if all terms are 0: sum is 0
      - any non-zero term: cause it to change
  - at the end of protocol: $V$ evaluates $g_{h} (r_{1}, r_{2}, r_{3})$
    - suffices to evaluate $h (r_{1}), h (r_{2}), h (r_{3})$
      - 👨‍🏫in practice, this dominates the runtime
    - outside of these: $V$ runs in time $O (lo g S)$
      - no. of variables
    - $P$ performs $O (S)$ field operations given $w$
      - even if there was no proof of correctness: same time