Building Eff. SNARK

Date: 2024-08-28 21:09:49

Reviewed:

Topic / Chapter: Building Eff. SNARK

summary

❓Questions

Notes

Overview

General idea
- poly-commit + poly-IOP ⇒ SNARK for general circuits
Polynomial commitment review
- $P$ commits to $f (X) \in F_{p}^{(\leq d)} [X]$
- eval: for public $u, v \in F_{p}$ , prover can convince, for committed $f$ ,
  - ⭐ $f (u) = v$ and $de g (f) \leq d$
  - $V$ : with $(d, co m_{f}, u, v)$
- proof size & verif time: $O_{λ} (lo g d)$

KZG poly-commit scheme (2010)

⭐group: $G := {0, G, 2 \cdot G, \dots, (p - 1) \cdot G}$
- or order $p$ , and is cyclic
setup( $1^{λ}$ )→ $g p$
- $τ \leftarrow R F_{p}$
- $g p = (H_{i} = τ^{i} \cdot G \forall i \in {0, 1, \dots d}) \in G^{d + 1}$
- delete $τ$ (trusted setup)
⭐commit( $g p, f$ )→ $co m_{f}$ where $co m_{f} := f (τ) \cdot G \in G$
- use $g p$ to compute $f (τ)$
- 👨‍🏫is binds, but not hides!
$f (X) = \sum_{i = 0}^{d} f_{i} X^{i}$
- ⇒ $co m_{f} = \sum_{i = 0}^{d} f_{i} \cdot H_{i}$
- $= \sum_{i = 0}^{d} f_{i} G τ^{i} = f (X) \cdot G$

Evaluation

commit( $g p, f) \to co m_{f} = f (τ) \cdot G \in G$
$P (g p, g, u, v)$ and $V (g p, co m_{f}, u, v)$
$f (u) = v$ ↔ $u$ being root of $\hat{f} := f - v$
- ↔ $(X - u)$ divides $\hat{f}$
- ↔ $\exists q \in F_{p} [X]$ s.t. $q (X) \cdot (X - u) = f (X) - v$
  - i.e. divisible
⭐ $P$ : compute $q (X)$ , and $co m_{q} = q (τ) \cdot G$
- ⭐⭐ $π := co m_{q} \in G$
- proof size: $O (1)$
- 👨‍🏫computationally expensive!
accepts if $(τ - u) \cdot co m_{q} = co m_{f} - v \cdot G$
- i.e. $(τ - u) \cdot q (τ) \cdot G = f (τ) \cdot G - v \cdot G$
  - $(τ - u) \cdot q (τ) = f (τ) - v$
- if agrees: true w.h.p.
- $(τ - u)$ : computed using “pairing” from $H_{0}, H_{1}$ from $g p$

KZG poly-commit scheme

generalization
- can commit to $k$ -variate polynomials
batch proofs
- assume $V$ has $co m_{f 1}, \dots, co m_{f n}$
- $P$ proving $f_{i} (u_{i, j}) = v_{i, j}$ for $i \in [n]$ , $j \in [m]$
- batch proof $π$ : only one group element!
linear time commitment
- two ways to commit $f (X)$
- coefficient representation: $f (X) = \sum_{i = 0}^{d} f_{i} X^{i}$
  - ⇒computing $co m_{f} = \sum_{i = 0}^{d} f_{i} \cdot H_{i}$
    - takes $O (d)$ time
- point-value representation: $(a_{0}, f (a_{0})), \dots, (a_{d}, f (a_{d}))$
  - computing $co m_{f}$ naively: construct coeffs. $(f_{0}, \dots, f_{d})$
  - ⇒ time $O (d lo g d)$ w/ Num. Th. Transform
point-value representation: better
- Lagrange interpolation: $f (τ) = \sum_{i = 0}^{d} λ_{i} (τ) \cdot f (a_{i})$
- $λ_{i} (τ) = \frac{\prod _{j = 0, j \neq = i}^{d} ( τ - a _{j} )}{\prod _{j = 0, j \neq = i}^{d} ( a _{i} - a _{j} )} \in F_{p}$
  - =1 if $τ = a_{i}$ , 0 otherwise
idea: transform $g p$ into Lagrange (linear map)
- $g p = (\sum_{i = 0}^{d} \hat{H}_{i} = λ_{i} (τ) \cdot G) \in G^{d + 1}$
- now: $co m_{f} = f (τ) \cdot G = \sum_{i = 0}^{d} f (a_{i}) \cdot \hat{H}_{i}$
- ⇒ in $O (d)$ time, not $O (d lo g d)$
multi-point proof generation
- $P$ w/ $f (X) \in F_{p}^{(\leq d)} [X]$
- $Ω \subseteq F_{p}$ and $∣Ω∣ = d$
if $P$ needs $π_{a} \in G$ $\forall a \in Ω$
- naive: takes $O (d^{2})$ , $d$ proofs each taking $O (d)$
- Feist-Khovratovich (2020):
  - if $Ω$ a multiplicative subgroup: time $O (d lo g d)$
  - else: $O (d lo g^{2} d)$

Dory polynomial commitment

difficulties w/ KZG: trusted setup for $g p$ , $∣ g p ∣ = O (d)$
- Dory:
  - transparent setup: no secret randomness in setup
  - $co m_{f}$ : single group element (independent of $d$ )
  - eval proof size: $O (lo g d)$ group elements
    - verify time: constant in KZG
  - eval verify time: $O (lo g d)$ ; prover: $O (d)$
    - verify time: constant in KZG

PCS applications

e.g. vector commitment (replacing Merkle trees)
$P$ : vector $(u_{1}, \dots, u_{k}) \in F_{p}^{(\leq d)}$
- interpolate poly $f (i) := u_{i}$
- sends $co m_{f}$ to $V$
$V$ : asks to prove $u_{2} = a$ , $u_{4} = b$
$P$ : generate $π :=$ eval proof that $f (2) = a; f (4) = b$
- w/ KZG: a single group element
- shorter than Merkle proof
- sends $V$ $π \in G$
$V$ : accept / reject

Zero Knowledge Proof MOOC

Building Eff. SNARK

Date: 2024-08-28 21:09:49

Reviewed:

Topic / Chapter: Building Eff. SNARK

Notes