Introduction

information

This is a poorly written note of ZKP MOOC

Introduction

information

This is lecture 1: Introduction and History of ZKP

Introduction and History of ZKP

Date: 2024-08-25 03:05:06

Reviewed:

Topic / Chapter: Introduction and History of ZKP

summary

❓Questions

Notes

Introduction

classical proofs: Gauss, Euclid, Turing…
- e.g. Prime number proof
ours: interactive proof
- w/ prover & verifier, as “algorithms”
“efficiently” verifiable proofs
- aka “NP-proofs”
- msg {prover → verifier} is short
  - of polynomial size in length
    - time taken to proof: not considered
  - $∣ w ∣ = O (p (∣ x ∣))$
- and verifiable in a polynomial time
  - $O (p (∣ x ∣))$
  - i.e. time to compute $V (x, w) == 1$
example claim: $N = p * q$
- $p, q$ : large prime
- proof 1: provides value of $p, q$
  - after interaction, $V$ knows:
    - $N = p * q$
    - value of $p, q$ // revealed!
example claim 2: $\exists x \in Z_{N}^{*} s . t . y = x^{2} mod N$
- $y$ : quadratic residue $mod N$
- 👨‍🏫finding such number: hard
- proof 1: can simply provide $x$
  - verifier: compute $y == x^{2} mod N$
  - after interaction, $V$ knows:
    - $y == x^{2} mod N$
    - value of $y$
example claim 3: two graphs are isomorphic
- proof: $π : [N] \to [N]$
- verification 1: $\forall i, j : (π (i), π (j)) \in E_{1}$
  - iff $(i, j) \in E_{0}$
  - such verification: hard
  - after interaction, V knows:
    - $G_{0}$ being isomorphic to $G_{1}$
    - isomorphism $π$
general form
- language $L :=$ set of strings $x$
- NP language: $L$ s.t. in $p (∣ x ∣)$ time some verifier can show:
  - completeness: true claims have short proofs
    - if $x \in L$ : $\exists p (∣ x ∣)$ -long witness $w \in {0, 1}^{*} s . t . V (x, w) = 1$
    - allows “honest provers” to convince $V$
  - soundness: false theorems have no proofs
    - if $x \neq \in L$ : $\forall w \in {0, 1}^{*}, V (x, w) = 0$
    - unable to convince wrong claim
can we prove something without revealing information?
- yes!
- rather proves: “prove that I could prove it if I felt like it”
- and $V$ : knows nothing more than that claim is right

Paradigm shift

interactive and probabilistic proofs
- interaction: verifier engages in an interaction w/ the prover
  - 👨‍🏫could be mostly removed later
- randomness: verifier is randomized
  - and tolerant to accept potential error w/ small probability
  - e.g. smaller than Avogadro’s number
Again, the idea:
- only transfers the claim (as knowledge)
- e.g. page w/ 2 colors
  - flips the page “probabilistically” (e.g. flip if coin’s on head)
  - V: sends the page
  - P: interpret the event happened
    - e.g. the coin was on head
- accepts the proof if it is right repeatedly
  - $\forall$ provers $P (V = 1) \leq 1/2$
    - $P (V = 1)$ : probability of accepting wrongly
  - if repeat $k$ times:
    - $P (V = 1) \leq 1/ 2^{k}$
example: quadratic residue
- proof of existence of a pair
- prover: choose random $r$ s.t. $1 \leq r \leq N$
  - s.t. $g cd (r, N) = 1$
- sends $s := r^{2}$
- after, by providing $s$ and $sy mod N$ , claim can be proven
  - however: from $s$ and $sy$ , $y mod N$ can be computed
  - which are $r, r x, x$ respectively
  - but: reveal of both are undesirable
- to convince: must be able to answer ANY ONE of two (but not answering both)
  - verifier: chooses randomly
- verifier: accepts only when the prover’s submission $z$ is what he asked
  - technically: when submission’s “square” is what he asked for
  - if $z^{2} == s$ and he wanted that: yes
    - $z = r$
  - or: if $z^{2} == sy$ and he wanted that: yes
    - $z = r y mod N$
- all prover need to know: value of $x = y$
- repeat: 100 times
idea: many possible proofs are available
- prover: chooses one at random
proof: made up of 2 parts
- which, is only meaningful if both are available

More

formal definition
- $(P, V)$ is an interactive proof for $L$ , if $V$ is probabilistic $p (∣ x ∣)$ time &
- completeness: $x \in L$ : $V$ always accepts
  - notation:
  - $x \in L \Rightarrow P r [(P, V) (x) = accept] = 1$
- soundness: if $x \neq \in L$ , for all cheating prover strategy, $V$ will not accept except for negligible probability
  - $x \neq \in L \Rightarrow \forall P^{*}, P r [(P^{*}, V) (x) = accept] = n e g l (∣ x ∣)$
    - $P^{*}$ : cheating prober
  - $n e g l (λ) < \frac{1}{p ( λ )}$ for all polynomials
    - growing very slowly (exponentially)
for homework: just make sure:
- $x \in L \Rightarrow P r [(P, V) (x) = accept] \geq c$
- $x \neq \in L \Rightarrow \forall P^{,} P r [(P^{,} V) (x) = accept] \leq s$
- and show: $c - s \leq 1/ p (∣ x ∣)$
  - (actually equivalent)
Classes
- class of languages $I P$ : all $L$ w/ interactive proof
  - w/ verifier being in probabilistic polynomial time

what is zero knowledge?

true statement: verifier cannot compute anything new
- for even malicious verifier
after interaction, V learned:
- theorem $T$ being true, or $x \in L$
- a view of interaction
  - i.e. transcript & coins V tossed
- $view_{v} (P, V) [s] := {(q_{1}, a_{1}, \dots, coin_{V})}$
  - probability distribution over coins of V and P
the view gives V nothing new if:
- V could have simulated it its own
  - w/ probabilistic distribution
- and two views are “computationally-indistinguishable”
  - i.e. undistinguishable by external, poly-time distinguisher
  - or: can’t tell if V is lying
- (aka simulation paradigm)
computationally-indistinguishability
- if no distinguisher can tell apart two probability distributions
- or: $P [D = 1] < 1/2 + n e g l (k)$
zero knowledge definition:
- for IP $(P, V)$ for $L$ , exists a PPT algorithm simulator $S im$ s.t.
  - $S im$ : “may (very unluckily)” not run in polynomial time
    - “expected” polynomial time
- $\forall x \in L$ (when it’s true), following two are poly-time indistinguishable
  - $view_{V} (P, V) [x] = (q_{1}, a_{1}, \dots coin_{V})$
  - $S im (x, 1^{λ})$
    - $1^{λ}$ : technicality
    - only effective for small $x$
- $(P, V)$ : a ZK-IP if it is complete, sound, and zero-knowledge
  - for any $V$ , even dishonest ones
final def:
- IP is ZK for $L$ if $\forall$ PPT $V^{*}$ , $\exists$ PPT $S im$ s.t., $\forall x \in L$
  - $view_{V} (P, V) [x] ≃ S im (x, 1^{λ})$
Different types of ZK
- CZK: computationally indistinguishable distribution
- PZK: perfectly identical distributions
- SZK: statistically close distribution

example w/ QR

example w/ QR
- (honest verifier) PZK
- simulator: picks random bit $b$
- pick a random $z \in Z_{N}^{*}$
- compute $s = z^{2} / y^{b}$
- output (view): $(s, b, z)$
honest: checks $z^{2} = s y^{b} mod N$
- key: not releasing $s$ initially
dishonest verifier
- compute $b$ based on complex process $f (s)$
- yet: the view would be the same as simulator.
simulator for baddie
- pick a random bit $b$
- pick a random $z \in Z_{N}^{*}$
- compute $s = z^{2} / y^{b}$
- RUNS BAD Verifier (both are poly-time)
  - if $V^{*} (N, y, s) = b$
    - if $b$ was to be asked:
    - output (view): $(s, b, z)$
  - else: repeat the whole process (50/50)

POK

prover: actually also proved
- “I can solve it (but won’t do it for you)”
- “knowledge”: can also be defined
- consider $L_{R} = {x : \exists w s . t . R (x, w) = 1}$ for poly-time relation $R$
- if the knowledge can be gained by running program w/ multiple inputs:
  - the algorithm has “knowledge”
$(P, V) :=$ proof of knowledge (POK) for $L_{R}$
- if $\exists$ PPT extractor algorithm $E$ s.t. $\forall x \in L$ , PPT $E^{P} (x)$ outputs $w$ s.t. $V (x, w) = 1$
- $E^{P} (X)$ : may run $P$ repeatedly on the same randomness
  - but may also run different questions each executions
  - aka: rewinding technique
    - as: one can “rewind” the algorithm to start from the same point
ZKPOK on QR
- on input $(y, N)$
- run prover & receive $s$
- set verifier message to head (1), store $r$
- rewind (to $s$ value), and runs tail
  - gets $r x$
- output: $r x / r = x mod N$
ZKPOK on graph isomorphism
- produce random graph $H$ s.t. either one is available
  - isomorphism $γ_{0}$ from $G_{0}$ to $H$
  - isomorphism $γ_{1}$ from $G_{1}$ to $H$
- thus, $\exists$ isomorphism $σ$ from $G_{0} \to G_{1}$
- verifier: randomly choose between two isomorphism
- proof:
  - $H = γ_{0} (G_{0})$
  - $H = γ_{1} (G_{1})$
  - $G_{1} = γ_{1}^{- 1} (γ_{0} (G_{0}))$
  - set $σ = γ_{1}^{- 1} γ_{0}$
- claim:
  - statement true: can correctly answer for either
  - false: P(mistake)≥1/2
    - and make it 1-1/2^k by repetition
  - prove that it is a perfect ZK
- ZKPOK
  - store $γ_{0}$
  - rewind & get $γ_{1}$
  - then output: $γ_{1}^{- 1} (γ_{0})$
first application: identity theft
- Alice: wants to prove her identity over the net (insecure)
  - to Bob: or Amazon
- password shouldn’t be stored: even as a an encryption
solution: let’s say: password = hard theorem
- one who knows the answer: Alice
  - ~= one who can pick up Excalibur: the Brave
- but Alice’s proof: must be ZKP
do all NP languages have ZK-IP?
- Yes
- if one-way functions exist, every L in NP has computational ZK-IP
- idea:
  - show an NP-complete problem has a ZK-IP
    - if a language is NP-complete: every string s can be reduced to a graph
  - one way function → hiding & binding bit commitment protocol
Properties of bit commitment scheme
- hiding: the view (of $b, b^{'}$ ) is computationally indistinguishable
  - key: must be randomized in order to keep it secure
- binding: probability of accepting different values are negligible

G3-colorable theorem

common input graph: $G = (V, E)$
- prover input coloring $π : V \to {0, 1, 2}$
procedure
1. prover: pic random permutation $σ$ on colors and apply it on graph
  1. $ϕ (v) = σ (π (v))$
  2. and commit $ϕ (v)$ for each $v$
  3. permutation: prevents accumulation of knowledge
2. verifier: select a random edge $e = (a, b)$ , and send it to prover
3. prover: decommit colors $ϕ (a), ϕ (b)$
4. decision: rejects if $ϕ (a) = ϕ (b)$
  1. and accepts after $k$ iterations
ZK testing
- completeness
  - honest prover: can always prove it & accepted
- soundness
  - if $G$ is not 3-colorable, then $\forall P^{*}$ $P r [accept] < (1 - 1/∣ E ∣)^{k} < 1/ e^{∣ E ∣}$
  - for $k = ∣ E ∣^{2}$
- zk-ness
  - easy to see informally
  - messy to prove formally
honest verifier computational ZK
- choose challenge at random in advance
  - $(a, b)$ for honest $V$
- choose random edge $(a, b)$ in $G$
- choose colors $ϕ_{a}, ϕ_{b}$ in ${0, 1, 2}$ s.t. $ϕ_{a} \neq = ϕ_{b}$ at random
  - and for all other $v \neq = a, b$ , set $ϕ_{v} = 2$
- simulated-view: commitments to edges
  - and decommitting the challenge $ϕ_{a}, ϕ_{b}$
- however: all except the challenge: the same color
  - although computationally indistinguishable
simulation for any verifier
- simulator $S$ on input $G$ and verifier $V^{*}$ for $i = 1, \dots, ∣ E ∣^{2}$
- choose random edge $(a, b)$
- generate commitments $co m$ to colors as in honest simulation
- run $V^{*}$ on $co m$ to obtain challenge $(a^{*}, b^{*})$
- $(a^{*}, b^{*}) = (a, b)$ ⇒ then output simulation as honest case
- if “all” iterations fail: output $⊥$
now: we haze many CZK examples as NP-languages

Protocol design applications

can prover properties on $m$ without revealing $m$
- only $E (m)$ of $h (m)$
- as well as on relationship
generally: a tool to enforce honest behavior in protocols w/o revealing any information
idea: protocol players sends along w/ each next-msg, a ZK proof that *next-msg* = Protocol(history h, randomness r) on history h & c=commit(r)
- possible since $L = {\exists r$ s.t. *next-msg* = Protocol(h,r) & c=commit(r) $}$ in NP
used in
- preventing identity theft
- computation delegation
- ??? nuclear disarmament, forensics
- ⭐Zcash: Bit Coin w/ privacy and anonymity
- ZK and verification dilemmas in the law
interactive proof: also used in complexity theory
- can we do something in IP that traditional proof can’t?
  - 🧑‍🏫 yes
- classical verification on proving non-isomorphic
  - e.g. checking edge-by-edge
  - takes $n!$ time → efficient verification is impossible
in IP
- input: $G_{0}, G_{1}$
- V: flip coin $c \in {0, 1}$ , pick random $γ$
  - $H = γ (G_{c})$
- P: if $H$ is isomorphic to $G_{0}$ : then $b = 0$ , else 1
- V: reject if $b \neq = c$
  - accept after $k$ repetitions
  - $V$ : learns whether graph $H$ of his choice is isomorphic to $G_{0}$ or $G_{1}$
    - to fix: V must prove to P in ZK that he knows isomorphism $γ$
- however: it’s not zero-knowledge for any $V^{*}$ (unless it’s honest)
Fiat-Shamir: removal of interaction?
- given ideal hash $h$
- $a_{1}, r, a_{2} \to V (x, a_{1}, r, a_{2})$
- can be replaced by $V (x, a_{1}, h (a_{1}), a_{2})$

Highlights

before IP: notion of proof was NP
NP verification: sending solution ( $\exists$ solution)
Co-NP verification: impossible (0 solutions)
number of solutions for a statement
- cannot be verified
PSPACE: not known
- i.e. alternation of quantifier
w/ IP: all can be done!
- PSPACE = IP
arriver of the second prover: MIP (2020)
- can get unconditional ZK for all NP
- lead to PCP theorem
- and combined w/ quantum computing: and.. smth crazy

Introduction

information

This is lecture 2: Introduction and History of ZKP

Cornell Format

Date:

Reviewed:

Topic / Chapter:

summary

❓Questions

Notes

Topic 1

Date:

Reviewed:

Topic / Chapter:

❓Questions

Notes

Introduction to Modern SNARKs
- SNARKs
  - SNARK: a succinct proof that a certain statement is true
    - i.e. “short” and “fast” to verify
    - e.g. solution itself: might not be short nor fast to verify
  - zk-SNARK: revealing nothing about $m$
  - potentially: a single reliable PC can monitor supercomputers’ operation
    - or: slow computer monitoring GPUs
    - slow computer: like layer-1s
- Blockchain applications 1
  - outsourcing computation (not zk)
    - L1: quickly verifies work of off-chain service
  - e.g. scalability: proof-based rollups (zkRollup)
    - off-chain service processes a batch of Tx
    - L1 chain: verifies a succinct proof of correct processing
  - e.g. bridging blockchains: Po-Consensus (zkBridge)
    - enables transfer of assets from one chain to another
    - proving to target chain that asset was locked in source chain
- Blockchain applications 2
  - (requiring zk)
  - private Tx on a public blockchain
    - zk proof that a private Tx is valid
  - compliance
    - proof that a private Tx is compliant w/ banking laws
    - proof that an exchange is solvent in zk
  - also: non-blockchain applications exist
    - e.g. fighting disinformation: C2PA
    - camera: w/ embedded secret key
      - and signs picture w/ location & timestamp
      - metadata: can be confirmed
    - problem: image post-processing
      - disable further C2PA verification
    - zk-SNARK solution
      - laptop: w/ (Photo, Ops)
      - $π$ : proves that “I know a pair (Orig, Sig) s.t.”
        
        Sig a valid C2PA signature on Orig
        
        Photo is result of applying Ops to Orig
        
        metadata(Photo)==metadata(Orig)
      - laptop verifies $π$ and shows metadata
      - size: ≤ 1 KB, takes ≤ 10 ms in browser
        
        proof generation: takes a few minutes w/ sufficient HW
        
        parallelizable
      - proof: must be not interactable

What is SNARK

Arithmetic circuits
- computation model: must be fixed to build SNARK
- let $F = {0, \dots, p - 1}$ for $p > 2$
  - finite field
  - closed w/ addition & multiplication
- arithmetic circuits
  - $C : F^{n} \to F$ (n input w/ 1 output)
  - directed acyclic graph, where
    - internal nodes: $+, -, \times$
    - inputs: $1, x_{1}, \dots, x_{n}$
  - defines: n-variate polynomial w/ evaluation recipe
  - $∣ C ∣$ : no. of gates in $C$
- interesting cases
  - $C_{s ha} (h, m)$ : $(S H A 256 (m) == h)? 0 : 1$
  - $C_{h S H A} (h, m) = (h - S H A 256 (m))$
    - $∣ C_{S H A} ∣ \approx 20 K$ gates (”small”)
  - $C_{s i g} (p k, m, σ)$ : output 0 if $σ$ a valid ECDSA sig of $m, p k$
- structured vs. unstructured circuits
  - unstructured: w/ arbitrary wires
  - structured: build in layers, one circuit being repeated
    - layer: aka VM
NARK: Non-interactive ARgument of Knowledge
- applied arithmetic circuit
  - $C (x, w) \to F$
    - $x$ : oublic statement in $F^{n}$
    - $w$ : secret witness in $F^{m}$
  - preprocessing: $S (C) \to$ public params ( $pp, v p$ )
    - public param for prover / verifier
- prover: $pp, x, w$
  - generate proof $π$ that $C (x, w) = 0$
- verifier: $v p, x$
- preprocessing NARK: triple $(S, P, V)$
  - $S (C)$ : description of circuit $C$
  - $P (pp, x, w) \to π$
  - $V (v p, x, π)$ : accept / reject
  - all alg. and adversary: w/ access to random oracle
- informal requirements
  - complete: $\forall x, w, : C (x, w)$ ⇒ $P r [V (v p, x, P (pp, x, w)) = 1] = 1$
    - i.e. always accept if valid
  - or: “knowledge sound”
    - if $V$ accepts ⇒ $P$ “knows” $w$ s.t. $C (x, w) = 0$
    - and extractor $E$ can extract a valid $w$
  - optional: ZK: $(C, pp, v p, x, π)$ reveals “nothing new” about $w$
- trivial NARK: $π = w$
SNARK
- succinct preprocessing NARK
- same for $S (C)$
- $P (pp, x, w)$ : short $π$
  - len($\pi$) = sublinear($|w|$)
- $V (v p, x, π)$ : fast to verify
  - time(V)= $O_{\lambda}(|x|$, sublinear($|C|$))
- i.e. anything better than NARK: technically SNARK
- however, strongly succinct NARK is:
  - len($\pi$) = $O_{\lambda}(\log |C|)$
  - time(V)= $O_{\lambda}(|x|,\log(|C|))$
    - i.e. no time to even read circuit $C$
    - thus: preprocessing needed
      - $v p$ : summary of $C$
- most SNARKs to be discussed: in constant time
- trivial SNARK: not SNARK
  - long proof
  - $C (x, w)$ might be hard (and slow)
  - $w$ : might be secret

Preprocessing (setup)

$S (C; r) \to (pp, v p)$
setup types
- trusted setup per circuit
  - run fresh for each circuit
  - and $r$ must be kept secret
    - if $r$ is learned: false statements can be proven
    - generator: destroyed after task
- trusted but universal (updatable) setup
  - secret $r$ : independent of $C$
  - $S = (S_{ini t}, S_{in d e x})$
  - $S_{ini t} (λ; r) \to g p$ (global param)
    - one-time setup, secret $r$
  - $S_{in d e x} (g p, C) \to (pp, v p)$
    - deterministic
    - can be repeated
- transparent setup
  - $S (C)$ : doesn’t use secret data

significant progress

	size of $π$	verifier time	setup	post-quantum
Groth’16	$\approx$ 200 Bytes	$\approx$ 1.5 ms	trusted per circuit	no
Plonk / Marlin	$\approx$ 400 Bytes	$\approx$ 3 ms	universal trusted setup	no
Bulletproofs	$O_{λ} (lo g ∥ C ∥)$ $\approx$ 1.5 KB	$O_{λ} (∥ C ∥)$ $\approx$ 3 sec	transparent	no
STARK	$O_{λ} (lo g^{2} ∥ C ∥)$ $\approx$ 100 KB	$O_{λ} (lo g^{2} ∥ C ∥)$ $\approx$ 10 ms	transparent	yes

prover time: almost $O_{λ} (∥ C ∥)$

Knowledge
- if $V$ accepts ⇒ $P$ knows $w$ s.t. $C (x, w) = 0$
- if $P$ knows $w$ : we can “torture” $P$ to get $w$
- formal knowledge
  - $(S, P, V)$ is knowledge sound for $C$ if
  - $\forall$ eff. adversary $A = (A_{0}, A_{1})$ s.t.
  - $g p \leftarrow S_{ini t} ()$ , $(C, x, s t) \leftarrow A_{0} (g p)$
  - $(pp, v p) \leftarrow S_{in d e x} (C)$
  - $π \leftarrow A_{1} (pp, x, s t)$
  - $P r [V (v p, x, π) = 1] > 1/1 0^{6}$
    - i.e. non-negl
  - then $\exists$ eff. extractor $E$ s.t.
    - $g p \leftarrow S_{ini t} ()$
    - $(C, x, s t) \leftarrow A_{0} (g p)$
    - $w \leftarrow E (g p, C, x)$
    - $P r [C (x, w) = 0] > 1/1 0^{6} - ε$
- i.e. if there is an efficient prover, then we can extract the knowledge

Building an eff. SNARK
- Building SNARK
  - general paradigm: two steps
    - a functional commitment scheme
      - cryptographic obj
    - a compatible interactive oracle proof (IOP)
      - info. theoretic obj
    - result: SNARK for general circuits
  - commitments scheme
    - made of commit & verify
    - must satisfy: binding & hiding property
  - standard commitment
    - $H : M \times R \to T$
    - $co mmi t (m, r)$ : com:=H(m,r)
    - $v er i f y (m, co m, r)$ : accepts if com=H(m,r)
- Functional commitment scheme
  - given a family of functions $F = {f : X \to Y}$
  - $co m_{f} \leftarrow co mmi t (f, r)$
    - sent to verifier
  - verifier: sends $x \in X$
  - prover: sends $y \in Y$ and $π$
    - proving that $f (x) = y$ and $f \in F$
  - a functional commitment scheme for $F$
    - $se t u p (1^{λ}) \to g p$ : outputs public param
    - $co mmi t (g p, f, r) \to co m_{f}$
      - binding & optional hiding (for zk-SNARK)
    - $e v a l (P, V)$
      - $P (g p, f, x, y, r) \to π$
      - $V (g p, co m_{f}, x, y, π) \to$ accept / reject
      - a SNARK for relation
        
        $f (x) = y$ , $f \in F$ , and $co mmi t (g p, f, r) = co m_{f}$
  - four important functional commitments
    - polynomial commitments
      - commit to a univariate $f (X)$ in $F_{p}^{\leq d} [X]$
    - multilinear commitments
      - commit to multilinear $f$ in $F_{p}^{\leq 1} [X_{1}, \dots, X_{k}]$
      - e.g. $f (x_{1}, \dots, x_{k}) = x_{1} x_{3} + x_{1} x_{4} x_{5} + x_{7}$
    - vector commitments (e.g. Merkle tree)
      - commit to $u \to = (u_{1} \dots, u_{d}) \in F_{p}^{d}$
      - open cells: $f_{u \to} (i) = u_{i}$
        
        prove that $i$ th index is $u_{i}$
    - inner product commitments
      - aka inner product arguments (IPA)
      - commit to $u \to \in F_{p}^{d}$
      - open an inner product $f_{u \to} (v \to) = (u \to, v \to)$
- Polynomial commitments
  - commit to a univariate $f (X)$ in $F_{p}^{\leq d} [X]$
  - eval: for public $u, v \in F_{p}$ , prover can convince
    - $f (u) = v$ and $de g (f) \leq d$
    - for verifier w/ $(d, co m_{f}, u, v)$
  - eval proof size & verifier time: $O_{λ} (lo g d)$
  - few examples
    - w/ bilinear groups: KZG’10 (trusted setup), Dory’20
    - w/ hash functions only: based on FRI (long eval proofs)
    - w/ elliptic curves: Bulletproofs (short proof, but verifier time being $O (d)$ )
    - w/ groups of unknown order: Dark’20 (slow)
    - KZG’10: most widely used
  - trivial commitment scheme: not a polynomial commitment
    - let $co mmi t (f = \sum_{i = 0}^{d} a_{i} X^{i}, r)$
      - output $co m_{f} \leftarrow H ((a_{0}, \dots, a_{d}), r)$
    - eval: prover sends $π = ((a_{0}, \dots, a_{d}), r)$ to verifier
      - verifier accepts if $f (u) = v$ and $H ((a_{0}, \dots, a_{d}), r) = co m_{f}$
      - proof size & verification time: linear in $d$
- Useful observation
  - for a non-zero $f \in F_{p}^{\leq d} [X]$
    - for $r \leftarrow $ F_{p}$ : $P r [f (r) = 0] \leq d / p$
      - aka SZDL lemma
      - also holds for multivariate polynomials
        
        $d$ : total degree of $f$
    - has at most $d$ roots in finite field
      - and $p$ possibilities for $r$
  - thus, suppose $p \approx 2^{256}$ and $d \leq 2^{40}$
    - then $d / p$ is negligible
  - and if $f (r) = 0$ , $f = 0$ for high probability
  - suppose $p \approx 2^{256}$ and $2 \leq 2^{40}$
    - let $f, g \in F_{p}^{\leq d} [X]$
    - for $r \leftarrow $ F_{p}$ : if $f (r) = g (r)$
      - ⇒ $f = g$ w.h.p.
    - as $f (r) - g (r) = 0$
      - ⇒ $f - g = 0$ w.h.p.
    - $P r [f (r) = 0] \leq d / p$
  - ⇒ simple equality test for two committed polynomials
- Equality test protocol
  - interactive protocol
    - prover: $f, g \in F_{p}^{\leq d} [X]$
    - verifier: gives $r \leftarrow $ R$
    - prover: computes $y \leftarrow f (r)$ , $y^{'} \leftarrow g (r)$
      - and attaches proof for
        
        $y = f (r)$
        
        $y^{'} = g (r)$
      - along w/ $y, y^{'}$
    - verifier: accepts if
      - valid proof
      - $y = y^{'}$
  - can be made non-interactive (Fiat-Shamir)
    - for all public-coin IP
    - prover: generates $r$ by its own w/ $H$
    - $P (pp, x = (co m_{f}, co m_{g}), w = (f, g))$
      - $r \leftarrow H (x)$
      - $y \leftarrow f (r)$ , $y^{'} \leftarrow g (r)$
      - sends $y, y^{'}, π_{f}, π_{g}$
    - $V (v p, x = (co m_{f}, co m_{g}))$
      - compute $r = H (x)$ itself as well
    - not a zk-SNARK as $f (r)$ , $g (r)$ is revealed
- F-IOP
  - goal: boost functional commitment
    - ⇒ SNARK for general circuits
  - let $C (x, w)$ be arith. circuit and $x \in F_{p}^{n}$
  - F-IOP: proof system that proves $\exists w : C (x, w) = 0$ as follows
    - $se t u p (C) \to pp, v p$
      - $= (f_{0}, f_{- 1}, \dots f_{- s})$
      - oracles for functions in $F$
        
        can be replaced into commitments
    - proof
      - prover: sends $f_{1} \in F$
        
        verifier: sends $r_{1} \leftarrow $ F_{p}$
      - prover: sends $f_{2} \in F$
        
        verifier: sends $r_{2} \leftarrow $ F_{p}$
      - … repeated t times
        
        and verifier: runs $verify^{f_{- s}, \dots f_{t}} (x, r_{1}, \dots, r_{t - 1})$
  - properties
    - complete: $\exists w : C (x, w) = 0$ then $P r [V = 1] = 1$
    - knowledge sound: unable to fake knowledge
- Example poly-IOP
  - $C (X, W) = 0$ ↔ $X \subseteq W \subseteq F_{p}$
  - prover
    - $f (Z) := \prod_{w \in W} (Z - w)$
    - $g (Z) := \prod_{x \in X} (Z - x)$
    - $q (Z) := f / g \in F_{p}^{\leq d} [X]$
      - as $X \subseteq W$ , $f / g$ is a polynomial
    - sends: $f, q$
  - verifier
    - $g (X) := \prod_{x \in X} (Z - x)$
    - $r \leftarrow $ F_{p}$ (public)
    1. query $w \leftarrow f (r)$
    2. query $q^{'} \leftarrow q (r)$
    3. compute $x \leftarrow g (r)$
    4. accept if $x \cdot q^{'} = w$
  - V accepts ⇒ $f = g \cdot q$ w.h.p. ⇒ $X \subseteq W$
    - kind of reversed logic
  - Extractor: $E (X, f, q, r)$
    - output $W$ by computing all roots of $f (Z)$
- IOP Zoo
  - ⇒ SNARKs for general circuits
  - Poly-IOP (w/ Poly-Commit)
    - Sonic
    - Marlin
    - Plonk
  - Multilinear-IOP (w/ Multilinear-Commit)
    - Spartan
    - Clover
    - Hyperplonk
  - Vector-IOP (w/ Merkle)
    - STARK
    - Breakdown
    - Orion
  - ⇒ SNARK (non-interactive via Fiat-Shamir)
- SNARKs in practice
  - programs: written in Domain-Specific Language
    - Circom, ZoKrates, Leo, Cairo, Noir..
  - compiles to SNARK friendly format
    - circuit, R1CS, …, EVM byte code
  - → SNARK backend prover (heavy computation)
    - outputs $π$

Introduction

information

This is lecture 3: Introduction and History of ZKP

Cornell Format

Date:

Reviewed:

Topic / Chapter:

summary

❓Questions

Notes

Topic 1

Date: 2024년 7월 2일

Reviewed:

Topic / Chapter:

❓Questions

Notes

Programming ZKP
- Programming ZKP
  - converting idea into work
    - programmer: idea → high-level language
    - compiler: high-level language → R1CS
      - focus of today
    - setup: R1CS → param
    - prove: param → ZKP
    - verify: param * ZKP → {0,1}
- ZKP basics
  - ZKPs for a predicate $ϕ$
    - prover knows $ϕ, x, w$
    - verifier: knows $ϕ, x$
    - proof $π$ : shows $ϕ (x, w)$ holds
      - but not reveals $w$
    - what can be $ϕ$ ?
  - $ϕ$ in theory: any NP problem
    - e.g. $w$ : factorization of $x$
    - e.g. $w$ secret key for public key $x$
    - etc.
  - $ϕ$ in practice: arithmetic circuit over input $x, w$
- Arithmetic circuits (ACs)
  - domain: prime field
    - $p$ : a large (~255 bit) prime
    - $Z_{p}$ : integers $mod p$
      - (modular) operations: $+, \times, =$
  - approach 1: as a systems of field equations
    - e.g. $w_{0} \times w_{0} \times w_{0} = x$
      - $w_{1} \times w_{1} = x$
  - approach 2: as circuits
    - directed, acyclic graph
    - nodes: inputs, gates, constants
    - edges: wires / connections
    - (for the same eg)
```
graph LR
  w_0[w_0] --> OPtimes_0([x])
  w_0[w_0] --> OPtimes_0([x])
  w_0[w_0] --> OPtimes_0([x])
  OPtimes_0([x]) --> OPeq_0([=])
  w_1[w_1] --> OPtimes_1([x])
  w_1[w_1] --> OPtimes_1([x])
  OPtimes_1([x]) --> OPeq_1([=])
  
  x[x] --> OPeq_0([=])
  x[x] --> OPeq_1([=])
  
```
- Approach 3: Rank 1 Constraint Systems (R1CS)
  - R1CS: format for ZKP ACs
  - definition (linear combination)
    - $x$ : field elements $x_{1}, \dots, x_{l}$
    - $w$ : $w_{1}, \dots, w_{m - l - 1}$
    - $ϕ$ : $n$ equations of form
      - $α \times β = γ$
      - $α, β, γ$ : affine combination of variables / constants
    - examples
      - $w_{2} \times (w_{3} - w_{2} - 1) = x_{1}$
        
        $α = w_{2}$
        
        $β = w_{3} - w_{2} - 1$
        
        $γ = x_{1}$
      - $w_{2} \times w_{2} = w_{2}$
      - ❌ $w_{2} \times w_{2} \times w_{2} = x_{1}$
        
        $w_{2} \times w_{2} = w_{4}$
        
        $w_{4} \times w_{2} = x_{1}$
  - matrix definition
    - $x$ : vector of $l$ field elements
    - $w$ : vector of $m - l - 1$ field elements
    - $ϕ$ : matrices $A, B, C \in Z_{p}^{n \times m}$
      - $z = (1∣∣ x ∣∣ w) \in Z_{p}^{m}$
      - holds when $A z \circ B z = C z$
        
        i.e. element-wise product
    - each rows of $A, B, C$ : coefficients for each R1CS
      - width: 1 more than no. of variables to include constants
- Writing an AC as R1CS
  - example illustrated
```
graph LR
  w_0[w_0] --> OPtimes_0([x])
  w_1[w_1] --> OPtimes_0([x])
  w_1[w_1] --> OPtimes_1([x])
  OPtimes_0([x]) --w_2--> OPplus_0([+])
  OPplus_0([+]) --w_3--> OPeq_0([=])
  
  x_0[x_0] --> OPplus_0([+])
  x_0[x_0] --> OPtimes_1([x])
  OPtimes_1([x]) --w_4--> OPeq_0([=])

  
```
  - procedure
    1. write intermediate $w$ s
    2. write equations
      1. $w_{0} \times w_{1} = w_{2}$
      2. $w_{3} = w_{2} + x_{0}$
        
        $β = 1$ ; $γ = w_{2} + x_{0}$
      3. $w_{1} \times x_{0} = w_{4}$
      4. $w_{3} = w_{4}$
  - now: how to convert high-level $ϕ$ to R1CS?
    - R1CS: like assembly
    - conversion from $ϕ \to$ R1CS: w/ libraries, compilers, etc.
  - most zk products: built similarly
    - high-level code → compiler / library → R1CS → ZK proof system
  - example: Zcash
    - $ϕ$ : definition of “spending money anonymously”
    - circuit: involves
      - Merkle tree
      - Pedersen hash
      - signatures
      - spend logic
      - etc.
    - written in Bellman library ⇒ R1CS
      - three tool types:
        
        HDL
        
        Library
        
        PL + compiler
    - R1CS: fed into Groth16 (runs on user computer)
Using an HDL
- Circom basics
  - Circom: Hardware Description Language
    - ≠ programming languages
  PL HDL
  
  Objects variables
  
  operations
  
  programs / func wires
  
  gates
  
  circuit / sub-circ
  
  Actions mutate variables
  
  call functions connect wires
  
  create sub-circuits
  - HDLs for Digital Circuits
    - Verilog (dominate)
    - System Verilog
    - VHDL
    - Chisel
  - Circom: HDL for R1CS
    - wires: R1CS variables
    - gates: R1CS constraints
    - circuit: does 2 things
      - sets variable values
      - create R1CS constraints
- Circom: base language
  - example code
```
template Multiply() {
	signal input x;
	signal input y;
	signal output z;
	
	z <-- x * y;
	z === x * y;
	
}

component main {public [x]} =
	Multiply();
```
  - a template: is a (sub) circuit
  - a signal is a wire
    - input or output as property
  - <--: sets signal values
  - ===: creates constraints
    - must be rank-1
    - one side: linear; another: quadratic
  - <==: does both (shorthand)
  - specify that this template is the main
    - also which signals are public and which are not
    - input: implicitly private
    - output: implicitly public
- Circom: metaprogramming language
  - example
```
template RepeatedSquaring(n) {
	signal input x;
	signal output y;
	
	signal xs[n+1];
	xs[0] <== x;
	for (var i = 0; i < n; i++) {
		xs[i+1] <== xs[i] * xs[i];
	}
	y <== xs[n];
}

component main {public [x]} = 
	RepeatedSquaring(1000);
```
  - template arguments (fixed at compile time)
    - e.g. length for signal arrays
  - variables
    - mutable
    - not signals
    - evaluated at compile-time
  - loops
  - if statements
  - array accesses
- Circom: witness computation & sub-circuits
  - guaranteeing non-zero
```
template NonZero() {
	signal input in;
	signal inverse;
	inverse <-- 1 / in; // not R1CS
	1 === in * signal; // is R1CS
}

template Main() {
	signal input a; signal input b;
	component nz = NonZero();
	nz.in <== a; // quits if a == 0
	0 === a * b; // asking: is B zero?
}
```
  - idea: to ask whether there exists multiplicative inverse
  - <--: more general than ===
  - components hold sub-circuits
    - access inputs / outputs w/ dot-notation
Circom Tutorial
- Implementing sudoku
  - $x$ : puzzle
  - $w$ : solution
  - $ϕ$ : goal & rules
    - for simplification: forcing only no-duplicates-in-a-row rule
  - roadmap
    - implement notEqual (i.e. difference ≠ 0)
    - implement Distinct(n) from not Equal
    - implement Bits4 or in % 16 === in
    - implement OneToNice by computing
      - Bits4 on in-1
      - Bits4 on in+6
    - implement Sudoku by
      - check whether all numbers are in range
      - check whether solution matches the puzzle
      - check whether all numbers in the same row are distinct

	PL	HDL
Objects	variables
operations
programs / func	wires
gates
circuit / sub-circ
Actions	mutate variables
call functions	connect wires
create sub-circuits

Using a Library

Library for R1CS
- Circom key features
  - direct control over constraints
  - custom language
    - can be good / bad
- alternative: library in a host language
  - Rust, OCaml, C++, Go…
- key type: constraint system
  - maintains state about R1CS constraints & variable
    - i.e. value for variables & $A, B, C$
  - key operations
    - create variable
    - create linear combinations of variables
    - add constraint
Pseudo-rust example
- variable creation
  - cs.add_var(p, v) -> id
  - cs: constraint system
  - p: visibility of variable
  - v: assigned value
  - id: variable handle
- linear combination creation
  - cs.zero(): returns the empty LC
  - lc.add(c, id) -> lc'
  - id: variable (handle)
  - c: coefficient
  - lc' := lc + c * id
- adding constraints
  - cs.constrain(lc_a, lc_b, lc_c)
  - adds constraint lc_a * lc_b = lc_c

Example code: Boolean AND

#![allow(unused)]
fn main() {
fn and(cs: ConstraintSystem, a: Var, b: Var) -> Var {
	let result = cs.new_witness_var(|| a.value() & b.value());
	self.cs.enforce_constrant(
		lc!() + a,
		lc!() + b,
		lc!() + result,
	);
	result
}
}

Leverage language abstractions

e.g. using structs, operator overloading, etc.

#![allow(unused)]
fn main() {
struct Boolean {var: Var};

// i.e. & overloading
impl BitAnd for Boolean {
	fn and(self: Boolean, other: Boolean) -> Boolean {
		// same as before
		Boolean {var: result}
	}
}
}

example usage

#![allow(unused)]
fn main() {
let a = Boolean::new_witness(|| true);
let b = Boolean::new_witness(|| false);
(a & b).enforce_equal(Boolean::FALSE);
}

many different gadget libraries
- libsnark: gadgetlib (C++)
- arkworks: r1cs-srd + crypto-primitives (Rust)
- Snarky (Ocaml)
- Gnark (Go)

Witness computation

can perform arbitrary computations to generate witnesses
- more freedom as it’s general-purposed language!

#![allow(unused)]
fn main() {
let a = Boolean::new_witness(|| (4 == 5) & (x < y));
let b = Boolean::new_witness(|| false);
(a & b).enforce_equal(Boolean::FALSE);
}

closure / lambda ||: executed only during proving

Arkworks Tutorial (Rust)

Using a Compiler

HDL & circuit libraries comparison
- differences:
  - host language vs. custom language
- similarities
  - explicit wire creation
  - explicit constraint creation
  - 👨‍🏫is it necessary?
    - No! by creating a new language, we can avoid it!

ZoKrates syntax

#![allow(unused)]
fn main() {
type F = field;

def main(public F x, private F[2] ys) {
	field y0 = y[0];
	field y1 = y[1];
	assert(x = y0 * y1);
}
}

struct syntax for custom types
variables: contain values during execution / proving
can annotate privacy
“assert” creates constraints
main function exists
other language features
- integer generics
- arrays
- variables
  - mutable
- fixed-length loops
- if expressions
- array accesses

feature example

#![allow(unused)]
fn main() {
def repeated_squaring<N>(field x) -> field {
	field[N] mut xs;
	xs[0] = x;
	for u32 i in 0..N {
		xs[i + 1] = xs[i] * xs[i];
	}
	return xs[N];
}

def main (public field x) -> field {
	repeated_squaring::<1000>(x)
}
}

short: no way to compute witnesses

all witnesses: must be provided as input

#![allow(unused)]
fn main() {
def main(private field a, public field b) {
	assert(a * b == 1)
}
}

ZoKrates Tutorial (~= Rust)
- Compilation
  - compile: zokrates compile -i root.zok
  - setup: zokrates setup
  - witness computation: zokrates compute-witness -a 1 0 0 2 1 2 1 2
    - or: [[1,0], [0,2]] and [[1,2],[1,2]]
  - proof generation: zokrates generate-proof
  - verification: zokrates verify

Overview of Prominent ZKP Toolchains

A quick tour

toolchain type
- HDL: language for circuit synthesis description
- library: library for describing circuit synthesis
- PL + compiler: a language, compiled to a circuit
organized view

language type standalone?

no yes

circuit library (Arkworks) HDL (Circom)

program PR (ZoKrates)

language type	standalone?
	no	yes
circuit	library (Arkworks)	HDL (Circom)
program		PR (ZoKrates)

pros and cons

type	Circom	Arkworks	ZoKrates
pros	clear constraints
elegant syntax	clear constraints
as expressive as Rust	easiest to learn
elegant syntax
cons	hard to learn
limited abstraction (no types, etc.)	need to know Rust
few optimizations	limited witness computation

other toolchains

HDL Library PL + Compiler

Circom Arkworks (Rust) ZoKrates

Gadgetlib (C++) Noir

Bellman (Rust) Leo

Snarky (OCaml) Cairo

PLONKish (Rust)
timeline
shared compiler infrastructure?
- source: (many PLs)
- target: R1CS, Plonk, AIR
- common techniques
  - Boolean
  - fixed-width ints
  - variables
  - mutation
  - structures
  - control flow
  - optimization
  - arrays
- 👨‍🏫can we build a library to create a PL for ZKP with this common ground?
  - attempt: CirC

HDL	Library	PL + Compiler
Circom	Arkworks (Rust)	ZoKrates
	Gadgetlib (C++)	Noir
	Bellman (Rust)	Leo
	Snarky (OCaml)	Cairo
	PLONKish (Rust)

Introduction

information

This is lecture 4: Introduction and History of ZKP

Date:

Reviewed:

Topic / Chapter: SNARKs via Interactive Proofs

❓Questions

Notes

Interactive Proofs
- Motivation
  - computation-limited verifier
    - wants data analysis
  - verifier: holds data summary
    - queries to cloud provider w/ data
      - or: “challenges”
    - cloud provider: provides answer
  - interactive proofs (formally)
    - $P$ solves problem, tells $V$ the answer
      - then conversation goes
      - $P$ ’s goal: convince $V$ the answer is correct
    - requirements
      - completeness: an honest $P$ can convince $V$
      - (statistical) soundness: $V$ will catch $P$ ’s lie w.h.p.
      - if soundness holds only against “eff” provers: then it is argument not proof
- Interactive proofs vs. arguments
  - soundness vs. knowledge soundness
    - $C (x, w) \to F$
    - soundness: $V$ accepts → $\exists w$ s.t. $C (x, w) = 0$
    - knowledge soundness: $V$ accepts → $P$ “knows” $w$ s.t. $C (x, w) = 0$
      - 👨‍🏫stronger!
  - standard soundness: meaningful even when knowledge soundness isn’t
    - as there is no “natural witness”
    - e.g. $P$ claims that output of $V$ ’s program on $x$ is 42
  - reverse: prover claims he knows secret key for a certain BTC wallet
    - or: preimage of hash that gives 0
    - many “witnesses” exist
  - public verifiability
    - only convincing the party that is choosing random challenges
      - others: can’t trust the proposed verifier
    - if interactive: each run only convinces one party
    - for public coin protocols: Fiat-Shamir is used
      - to make it non-interactive
SNARKs from Interactive Proofs
- SNARK example
  - procedure
    - $P$ : commits cryptographically to $w$
    - reveals “just enough” info on commitment to allow $V$ to run checks
    - render non-interactive via Fiat-Shamir
Review of Functional Commitments
- Functional commitments
  - different types
    - polynomial commitments
      - to univariate $f (X) \in F_{p}^{\leq d} [X]$
    - multilinear commitments
      - to multilinear $f \in F_{p}^{\leq 1} [X_{1}, \dots X_{k}]$
    - vector commitments (e.g. Merkle trees)
      - to $u \to = (u_{1}, \dots, u_{d}) \in F_{p}^{d}$
      - open cells: $f_{u \to} (i) = u_{i}$
- Merkle trees: the commitment
  - uses: C.R. hash function
  - opening proof size: $O (lo g n)$
  - example: univariate $f (X) \in F_{7}^{(\leq d)} [X]$
    - $m_{1} = H (f (0), f (1))$
      - … $m_{4} = H (f (6), *)$
    - $h_{1} = H (m_{1}, m_{2})$
    - $k_{1} = H (h_{1}, h_{2})$
    - to prove value $f (4)$ , must provide
      - $k_{1}$ , $h_{1}$ , $m_{4}$ , $f (4), f (5)$
  - notation
    - $P$ Merkle-commits to all evaluations of $f$
    - upon request of $f (r)$ , $P$ reveals all associated leaf along w/ opening info
    - two problems
      - no. of leaves: $∣ F ∣$
        
        takes at least $∣ F ∣$ to compute commitment
        
        want time proportional to degree bound $d$
      - $V$ does not know $f$ has at most degree $d$
Interactive Proof Design: Technical Preliminaries
- SZDL lemma
  - FACT: let $p \neq = q$ be univariate polynomials of degree at most $d$
    - then $P r_{r \in F} [p (r) = q (r)] \leq \frac{d}{∣ F ∣}$
    - $p (r) - q (r)$ has at most $d$ zeros
  - SZDL lemma: multivariate generalization
    - let $p \neq = q$ be $l$ -variate polynomials of total degree at most $d$
    - then $P r_{r \in F^{l}} [p (r) = q (r)] \leq \frac{d}{∣ F ∣}$
    - using multivariate to lower the degree and make computation quicker
- Low-degree and multilinear extensions
  - extension: given $f : {0, 1}^{l} \to F$ , a $l$ -variate polynomial $g$ over $F$ : extend $f$
    - if $\forall x \in {0, 1}^{l} f (x) = g (x)$
  - multilinear extensions: any function $f : {0, 1}^{l} \to F$ has unique multilinear extension (MLE) $\tilde{f}$
    - multilinear: polynomial has degree at most 1 in each var
    - e.g. $(1 - x_{1}) (1 - x_{2})$ , but not in $x_{1}^{2} x_{2}$
- Example
  - let $f : {0, 1}^{2} - F$ s.t.
    
    1 2
    
    8 10
  - $\tilde{f} : F^{2} \to F$ (multilinear extension)
    - $\tilde{f} (x_{1}, x_{2}) = (1 - x_{1}) (1 - x_{2}) + 2 (1 - x_{1}) x_{2} + 8 x_{1} (1 - x_{2}) + 10 x_{1} x_{2}$
      - actually: quite similar to SoP approach!
    1 2 3 4 5 6
    
    8 10 12 14 16 18
    
    15 18 21 24 27 30
    
    22 26 30 34 38 52
    
    29 34 39 44 49 56
    - True as:
      - $\tilde{f} (0, 0) = 1$
      - $\tilde{f} (0, 1) = 2$
      - $\tilde{f} (1, 0) = 8$
      - $\tilde{f} (1, 1) = 10$
  - non-multilinear extension
    - $f : g (x_{1}, x_{2}) = - x_{1}^{2} + x_{1} x_{2} + 8 x_{1} + x_{2} + 1$
    1 2 3 4 5 6
    
    8 10 12 14 16 18
    
    13 16 19 22 25 28
    
    16 20 24 28 32 36
    
    17 22 27 32 37 42
    - True as:
      - $g (0, 0) = 1$
      - $g (0, 1) = 2$
      - $g (1, 0) = 8$
      - $g (1, 1) = 10$
- Evaluating multilinear extensions quickly
  - fact: given as input $2^{l}$ evaluations of a function $f$
    - $\forall r \in F^{l} \exists O (2^{l})$ -time algo to evaluate $\tilde{f} (r)$
    - i.e. by listing all its values with manually
  - sketch: using Lagrange interpolation
  - define $\tilde{δ}_{w} (r) = \prod_{i = 1}^{l} (r_{i} w_{i} + (1 - r_{1}) (1 - w_{i}))$
    - i.e. multilinear Lagrange basis polynomial corresponding to $w$
    - or: PoS, but from analog values of $r$
      - ( $w$ being digital)
  - fact: $f (r) = \sum_{w \in {0, 1}^{l}} f (w) \cdot δ_{w} (r)$
  - $\forall w \in {0, 1}^{l}$ , $\tilde{δ}_{w} (r)$ can be computed w/ $O (l)$ field operations
    - yields an $O (l 2^{l})$ -time also
    - can reduce to $O (2^{l})$ time via DP
Sum-Check Protocol
- Sum-check protocol
  - [LFKN90]
  - input: $V$ given oracle access to a $l$ -variate polynomial $g$ over field $F$
    - i.e. access to $g (i)$ where $i \in F$
  - goal: compute the quantity
    - $\sum_{b_{1} \in {0, 1}} \sum_{b_{2} \in {0, 1}} \dots \sum_{b_{l} \in {0, 1}} g (b_{1}, \dots, b_{l})$
    - idea: outsource the computation to prover so that it takes $O (n)$ time instead of $O (2^{n})$
  - 👟Start: $P$ sends claimed answer $C_{1}$
    - protocol checks that:
    - $C_{1} = \sum_{b_{1} \in {0, 1}} \sum_{b_{2} \in {0, 1}} \dots \sum_{b_{l} \in {0, 1}} g (b_{1}, \dots, b_{l})$
  - 👟Round 1: $P$ sends univariate polynomial $s_{1} (X_{1})$ claimed to equal
    
    $H_{1} (X_{1}) := \sum_{b_{2} \in {0, 1}} \dots \sum_{b_{l} \in {0, 1}} g (X_{1}, b_{2} \dots, b_{l})$
    - i.e. output if prover was honest
  - $V$ checks that $C_{1} = s_{1} (0) + s_{1} (1)$
    - or: $\sum_{b_{1} \in {0, 1}} s_{1} (b_{1})$
  - if check passes: safe to believe that $C_{1}$ is the correct answer
    - if $V$ believes $s_{1} = H_{1}$
    - i.e. check $s_{1} (r_{1}) = H_{1} (r_{1})$ where $r_{1} \leftarrow R$
    - $V$ can compute $s_{1} (r_{1})$ directly from $P$ ’s first message, not $H_{1} (r_{1})$ though
  - 👟Round 2: ( $P$ sends $s_{2} (X_{2})$ and) $P$ recursively check that $s_{1} (r_{1}) = H_{1} (r_{1})$
    - i.e. that $s_{1} (r_{1}) = \sum_{b_{2} \in {0, 1}} \dots \sum_{b_{l} \in {0, 1}} g (r_{1}, b_{2}, \dots, b_{l})$
  - 👟Round $l$ : ( $P$ sends $s_{l} (X_{l})$ and) $P$ check that $H_{l} := g (r_{1}, r_{2} \dots, X_{l})$
    - $V$ : checks that $s_{l - 1} (r_{l - 1}) = s_{l} (0) + s_{l} (1)$
    - by picking $s_{l} (r_{l}) = g (r_{1}, \dots r_{l})$
  - general idea: checking $s_{i}$ only on first occurrence, trusting it there after
Analysis of Sum-Check Protocol
- Completeness
  - holds by design
  - if $P$ sends the prescribed messages: all tests will pass
- Soundness
  - if some other message was sent: $V$ rejects w/ probability of at least $1 - \frac{l \cdot d}{∣ F ∣}$
  - e.g. $∣ F ∣ \approx 2^{128}$ , $d = 3$ , $l = 60$
    - then soundness error $\leq 3 \cdot 60/ 2^{128} = 2^{- 120}$
  - proof: by induction on no. of var $l$
    - base case: $l = 1$ ; $P$ sends $s_{1} (X_{1})$ claims to equal $g (X_{1})$
      - $V$ picks $r_{1}$ at random, checks that $s_{1} (r_{1}) = g (r_{1})$
      - if $s_{1} \neq = g$ , then $P r_{r_{1} \in F} [s_{1} (r_{1}) = g (r_{1})] \leq \frac{d}{∣ F ∣}$
    - inductive case $l > 1$
      - recall: $P$ ’s first message $s_{1} (X_{1})$ claimed to equal $H_{1} (X_{1}) := \sum_{b_{2} \in {0, 1}} \dots \sum_{b_{l} \in {0, 1}} g (X_{1}, b_{2}, \dots, b_{l})$
      - $V$ picks $r_{1}$ at random, (recursively) checks that $s_{1} (r_{1}) = H_{1} (r_{1})$
      - if $s_{1} \neq = H_{1}$ , then $P r_{r_{1} \in F} [s_{1} (r_{1}) = H (r_{1})] \leq \frac{d}{∣ F ∣}$
      - if $s_{1} (r_{1}) \neq = H (r_{1})$ , $P$ is left to prove a false claim in rec. call
        
        applies sum-check to $l - 1$ variate
        
        by induction: $P$ convinces $V$ w/ probability at most $\frac{d ( l - 1 )}{∣ F ∣}$
  - summary: if $s_{1} \neq = H_{1}$ , $V$ accepts at most
    - $P r_{r_{1} \in F} [s_{1} (r_{1}) = H (r_{1})] = P r_{r_{2}, \dots r_{l} \in F} [V accepts ∣ s_{1} (r_{1}) \neq = H (r_{1})] \leq \frac{d}{∣ F ∣} + \frac{d ( l - 1 )}{∣ F ∣} \leq \frac{d l}{∣ F ∣}$
- Cost of the protocol
  - total communication: $O (d l)$ field elements
    - $P$ sends $l$ messages, each at univariate degree $d$
    - $V$ sends $l - 1$ messages, each w/ 1 field element
  - $V$ ’s runtime: $O (d l + [time(g)])$
  - $P$ ’s runtime (at most)
    - $O (d \cdot 2^{l} \cdot [time(g)])$
Sum-Check Protocol Application
- Counting triangles
  - input: $A \in {0, 1}^{n \times n}$
    - representing adjacency matrix of a graph
  - desired output: $\sum_{(i, j, k) \in [n]^{3}} A_{ij} A_{jk} A_{ik}$
  - fastest known algorithm: runs in matrix-multiplication time
    - i.e. ~= $n^{2.37}$ (super linear time)
  - IP: let verifier run in $O (n^{2})$ time (minimum possible)
- Protocol
  - protocol: view $A : {0, 1}^{l o g n} \times {0, 1}^{l o g n} \to F$
  - $\tilde{A}$ : multilinear extension of $A$
  - define polynomial $g (X, Y, Z) = A (X, Y) A (Y, Z) \tilde{A} (X, Z)$
  - apply the sum-check protocol to compute
    - $\sum_{(a, b, c) \in {0, 1}^{3 l o g n}} g (a, b, c)$
- Costs
  - total communication: $O (lo g n)$
  - $V$ runtime: $O (n^{2})$
  - $P$ runtime: $O (n^{3})$
  - $V$ runtime: dominated by evaluating
    - $g (r_{1}, r_{2}, r_{3}) = A (r_{1}, r_{2}) A (r_{2}, r_{3}) \tilde{A} (r_{1}, r_{3})$
SNARK for Circuit-Satisfiability
- SNARK for circuit-satisfiability
  - $P, V$ : agreed on circuit $C$ over $F$ size $S$ and output $y$
    - $P$ claims to know $w$ s.t. $C (x, w) = y$
    - let $x$ be empty for simplicity
  - transcript $T$ for $C$ : assignment of a value to every gate
    - is correct if it assigns gate values upon evaluating $C$ on a valid $w$
- Transcript as a function
  - with domain ${0, 1}^{l o g S}$
  - assign each gate in $C$ a ( $lo g S$ )-bit label and view $T$ as a function
    - mapping gate labels to $F$
  - and final output: always $T (1, \dots, 1)$ (last gate to be computed)
Polynomial IOP Underlying the SNARK
- Polynomial IOP
  - $P$ ’s first message is a ( $lo g S$ )-variate polynomial $h$ claimed to extend a correct transcript $T$
    - i.e. $h (x) = T (x) \forall x \in {0, 1}^{l o g s}$
  - $V$ : needs to check this, but only able to learn few evaluation of $h$ (not $S$ )
- Intuition on $h$
  - $h$ : distance-amplified encoding of $T$
  - domain of $T$ : ${0, 1}^{l o g S}$
    - but domain of $h$ : much larger ( $F^{l o g S}$ )
    - 👨‍🏫small difference in $T$ → vast difference (almost all) in extension
      - due to distance-amplifying nature
      - by Schwartz-Zippel
- Two-step plan
  - step 1: given any ( $lo g S$ )-variate polynomial $h$ , identify a related ( $3 lo g S$ )-variate polynomial $g_{h}$ s.t.
    - $h$ extends a correct transcript $T$ ↔ $g_{h} (a, b, c) = 0\forall (a, b, c) \in {0, 1}^{3 l o g S}$
      - or: “vanishing” over Boolean hypercube
      - i.e. if $h$ is not a correct transcript: $\exists a, b, c s.t. g_{h} (a, b, c) \neq = 0$
      - ~= abstraction of messy structure?
    - also: to evaluate $g_{h} (r)$ at any input: evaluating $h$ at 3 inputs are enough
  - step 2: design an IP to check
    - $g_{h} (a, b, c) = 0\forall (a, b, c) \in {0, 1}^{3 l o g S}$
    - in which $V$ only needs to evaluate $g_{h} (r)$ at one point $r$
- Sketch
  - step 1 sketch: define $g_{h} (a, b, c)$ via:
    - $a dd (a, b, c) \cdot (h (a) - (h (b) + h (c))) + m u lt (a, b, c) \cdot (h (a) - (h (b) \cdot h (c)))$
    - $a dd (a, b, c)$ : gets 3 Boolean vectors in input
      - returns 1 iff $a$ is addition gate and 2 $n$ neighbors are $b, c$
      - else 0
    - $m u lt (a, b, c)$ : gets 3 Boolean vectors in input
      - returns 1 iff $a$ is multiplication gate and 2 $n$ neighbors are $b, c$
      - else 0
  - properties
    - $g_{h} (a, b, c) = h (a) - (h (b) + h (c))$
      - if $a$ is label computing sum of $b, c$
    - $g_{h} (a, b, c) = h (a) - (h (b) \cdot h (c))$
      - if $a$ is label computing multiplication of $b, c$
    - $g_{h} (a, b, c) = 0$ otherwise
    - $g_{h}$ computation: can be outsourced to $P$ as it only depends on wiring structure, and thus being able to be committed
  - step 2: how to check $g_{h} (a, b, c) = 0\forall (a, b, c) \in {0, 1}^{3 l o g S}$
    - by evaluating $g_{h}$ at a single point?
  - if $g_{h}$ were a univariate polynomial $g_{h} (X)$
    - and we need to check that $g_{h}$ vanishes over some set $H \subseteq F$ , not ${0, 1}^{3 l o g S}$
  - fact: $g_{h} (x) = 0\forall x \in H$ ↔ $g_{h}$ is divisible by $Z_{H} (x) := \prod_{a \in H} (x - a)$
    - $Z_{H}$ : vanishing polynomial for $H$
    - 🧑‍🎓kind of trivial
  - polynomial IOP
    - $P$ sends a polynomial $q$ s.t. $g_{h} (X) = q (X) \cdot Z_{H} (X)$
    - $V$ checks this by picking a random $r \in F$ and checking $g_{h} (r) = q (r) \cdot Z_{H} (r)$
- Actual protocol
  - above: not works as $g_{h}$ is not univariate
  - computing (finding $q$ ) is expensive
    - in final SNARK: it would be applying poly-commit to additional polynomials
    - Marlin, PlonK, Groth16 does this, though
  - solution: use the sum-check protocol
    - handles multivariate polynomials
    - doesn’t require $P$ to send additional large polynomials
Polynomial IOP for Circuit-Satisfiability
- Recall sum-check
  - goal: compute the quantity (all sum)
  - proof length: roughly total degree of $g$
  - no. of round: $l$
  - $V$ time: ~= time to evaluate $g (r)$
    - not necessarily revealing info on $g$ as long as it knows $g (r)$ for random $r$
- General idea
  - (works over integers, for ease of explanation)
    - $V$ : checks $\sum_{a, b, c \in {0, 1}^{l o g S}} g_{h} (a, b, c)^{2}$
    - if all terms are 0: sum is 0
      - any non-zero term: cause it to change
  - at the end of protocol: $V$ evaluates $g_{h} (r_{1}, r_{2}, r_{3})$
    - suffices to evaluate $h (r_{1}), h (r_{2}), h (r_{3})$
      - 👨‍🏫in practice, this dominates the runtime
    - outside of these: $V$ runs in time $O (lo g S)$
      - no. of variables
    - $P$ performs $O (S)$ field operations given $w$
      - even if there was no proof of correctness: same time

1	2
8	10

1	2	3	4	5	6
8	10	12	14	16	18
15	18	21	24	27	30
22	26	30	34	38	52
29	34	39	44	49	56

1	2	3	4	5	6
8	10	12	14	16	18
13	16	19	22	25	28
16	20	24	28	32	36
17	22	27	32	37	42

Introduction

information

This is lecture 5: The Plonk SNARK

Building Eff. SNARK

Date: 2024-08-28 21:09:49

Reviewed:

Topic / Chapter: Building Eff. SNARK

summary

❓Questions

Notes

Overview

General idea
- poly-commit + poly-IOP ⇒ SNARK for general circuits
Polynomial commitment review
- $P$ commits to $f (X) \in F_{p}^{(\leq d)} [X]$
- eval: for public $u, v \in F_{p}$ , prover can convince, for committed $f$ ,
  - ⭐ $f (u) = v$ and $de g (f) \leq d$
  - $V$ : with $(d, co m_{f}, u, v)$
- proof size & verif time: $O_{λ} (lo g d)$

KZG poly-commit scheme (2010)

⭐group: $G := {0, G, 2 \cdot G, \dots, (p - 1) \cdot G}$
- or order $p$ , and is cyclic
setup( $1^{λ}$ )→ $g p$
- $τ \leftarrow R F_{p}$
- $g p = (H_{i} = τ^{i} \cdot G \forall i \in {0, 1, \dots d}) \in G^{d + 1}$
- delete $τ$ (trusted setup)
⭐commit( $g p, f$ )→ $co m_{f}$ where $co m_{f} := f (τ) \cdot G \in G$
- use $g p$ to compute $f (τ)$
- 👨‍🏫is binds, but not hides!
$f (X) = \sum_{i = 0}^{d} f_{i} X^{i}$
- ⇒ $co m_{f} = \sum_{i = 0}^{d} f_{i} \cdot H_{i}$
- $= \sum_{i = 0}^{d} f_{i} G τ^{i} = f (X) \cdot G$

Evaluation

commit( $g p, f) \to co m_{f} = f (τ) \cdot G \in G$
$P (g p, g, u, v)$ and $V (g p, co m_{f}, u, v)$
$f (u) = v$ ↔ $u$ being root of $\hat{f} := f - v$
- ↔ $(X - u)$ divides $\hat{f}$
- ↔ $\exists q \in F_{p} [X]$ s.t. $q (X) \cdot (X - u) = f (X) - v$
  - i.e. divisible
⭐ $P$ : compute $q (X)$ , and $co m_{q} = q (τ) \cdot G$
- ⭐⭐ $π := co m_{q} \in G$
- proof size: $O (1)$
- 👨‍🏫computationally expensive!
accepts if $(τ - u) \cdot co m_{q} = co m_{f} - v \cdot G$
- i.e. $(τ - u) \cdot q (τ) \cdot G = f (τ) \cdot G - v \cdot G$
  - $(τ - u) \cdot q (τ) = f (τ) - v$
- if agrees: true w.h.p.
- $(τ - u)$ : computed using “pairing” from $H_{0}, H_{1}$ from $g p$

KZG poly-commit scheme

generalization
- can commit to $k$ -variate polynomials
batch proofs
- assume $V$ has $co m_{f 1}, \dots, co m_{f n}$
- $P$ proving $f_{i} (u_{i, j}) = v_{i, j}$ for $i \in [n]$ , $j \in [m]$
- batch proof $π$ : only one group element!
linear time commitment
- two ways to commit $f (X)$
- coefficient representation: $f (X) = \sum_{i = 0}^{d} f_{i} X^{i}$
  - ⇒computing $co m_{f} = \sum_{i = 0}^{d} f_{i} \cdot H_{i}$
    - takes $O (d)$ time
- point-value representation: $(a_{0}, f (a_{0})), \dots, (a_{d}, f (a_{d}))$
  - computing $co m_{f}$ naively: construct coeffs. $(f_{0}, \dots, f_{d})$
  - ⇒ time $O (d lo g d)$ w/ Num. Th. Transform
point-value representation: better
- Lagrange interpolation: $f (τ) = \sum_{i = 0}^{d} λ_{i} (τ) \cdot f (a_{i})$
- $λ_{i} (τ) = \frac{\prod _{j = 0, j \neq = i}^{d} ( τ - a _{j} )}{\prod _{j = 0, j \neq = i}^{d} ( a _{i} - a _{j} )} \in F_{p}$
  - =1 if $τ = a_{i}$ , 0 otherwise
idea: transform $g p$ into Lagrange (linear map)
- $g p = (\sum_{i = 0}^{d} \hat{H}_{i} = λ_{i} (τ) \cdot G) \in G^{d + 1}$
- now: $co m_{f} = f (τ) \cdot G = \sum_{i = 0}^{d} f (a_{i}) \cdot \hat{H}_{i}$
- ⇒ in $O (d)$ time, not $O (d lo g d)$
multi-point proof generation
- $P$ w/ $f (X) \in F_{p}^{(\leq d)} [X]$
- $Ω \subseteq F_{p}$ and $∣Ω∣ = d$
if $P$ needs $π_{a} \in G$ $\forall a \in Ω$
- naive: takes $O (d^{2})$ , $d$ proofs each taking $O (d)$
- Feist-Khovratovich (2020):
  - if $Ω$ a multiplicative subgroup: time $O (d lo g d)$
  - else: $O (d lo g^{2} d)$

Dory polynomial commitment

difficulties w/ KZG: trusted setup for $g p$ , $∣ g p ∣ = O (d)$
- Dory:
  - transparent setup: no secret randomness in setup
  - $co m_{f}$ : single group element (independent of $d$ )
  - eval proof size: $O (lo g d)$ group elements
    - verify time: constant in KZG
  - eval verify time: $O (lo g d)$ ; prover: $O (d)$
    - verify time: constant in KZG

PCS applications

e.g. vector commitment (replacing Merkle trees)
$P$ : vector $(u_{1}, \dots, u_{k}) \in F_{p}^{(\leq d)}$
- interpolate poly $f (i) := u_{i}$
- sends $co m_{f}$ to $V$
$V$ : asks to prove $u_{2} = a$ , $u_{4} = b$
$P$ : generate $π :=$ eval proof that $f (2) = a; f (4) = b$
- w/ KZG: a single group element
- shorter than Merkle proof
- sends $V$ $π \in G$
$V$ : accept / reject

Proving Properties of Committed Polynomials

Date: 2024-08-28 21:10:30

Reviewed:

Topic / Chapter: Proving Properties of Committed Polynomials

summary

❓Questions

Notes

Topic 1

Proving Properties of Committed Polynomials
- Meaning of proof
  - $P (f, g)$ and $V (co m_{f}, co m_{g})$
  - goal: convince $V$ that $f, g \in F_{p}^{(\leq d)} [X]$ satisfy some properties
  - proof system (IOP)
    - $V \to P$ : $r$
    - $P \to V$ : $q$
    - $V \to P$ : query: $f (x), g (x), q (x)$ for $x \in F_{p}$
    - $P \to V$ : $f (x), π$
- Example: polynomial equality testing
  - $p \approx 2^{256}$ , $d \leq 2^{40}$ (i.e. $d / p$ is negl.)
  - let $f, g \in F_{p}^{(\leq d)} [X]$
    - for $r \leftarrow r F_{p}$ , $f (r) = g (r)$ then $f = g$ w.h.p.
    - simple equality test
  - proof as IOP: ↔ query $f (X)$ and $g (X)$ at $r$
  - procedure (after compile)
    - $P$ w/ $f, g \in F_{p}^{\leq d} [X]$
    - $V$ query $f (r), g (r)$
      - learns them
    - $P$ sends $y \leftarrow f (r), π_{f}$ and $y^{'} \leftarrow g (r), π_{g}$
    - $V$ : accepts if valid $π$ s and $y = y^{'}$
- Example: polynomial equality testing w/ KZG
  - $f = g \Leftrightarrow co m_{f} = co m_{g}$
    - ⇒ $V$ can tell if $f = g$ on its own (no need extra computation)
  - however: $P$ needed to test equality of “computed polynomials”
    - e.g. $V$ w/ $co m_{f}, co m_{g 1}, co m_{g 2}, co m_{g 3}$
    - and testing $f = g_{1} g_{2} g_{3}$
    - required prover to give values at $r$
    - in this case: complete and sound if $3 d / p$ is negl
      - $de g (g_{1} g_{2} g_{3}) \leq 3 d$
- Important proof gadgets for univariates
  - let $Ω \subseteq F_{p}$ and $∣Ω∣ = k$
  - let $f \in F_{p}^{(\leq d)} [X]$ , $(d \geq k)$
    - $V$ with $co m_{f}$
  - goal for eff. Poly-IOP: following
    - task 1: ZeroTest
      - prove that $f$ is identically zero on $Ω$
    - task 2: SumCheck
      - prove that $\sum_{a \in Ω} (a) = 0$
    - task 3: ProdCheck
      - prove that $\prod_{a \in Ω} f (a) = 1$
- Vanishing polynomial
  - let $Ω \subseteq F_{p}$ and $∣Ω∣ = k$
  - vanishing polynomial of $Ω$ :
    - $Z_{Ω} (X) := \prod_{a \in Ω} (X - a)$
      - i.e. 0 for everywhere in $Ω$
    - $de g (Z_{Ω}) = k$
  - $Ω$ being multiplicative subgroup of $F_{p}$ : important
  - let $ω \in F_{p}$ primitive $k$ th root of unity
    - i.e. $ω^{k} = 1$
    - if $Ω = {1, ω, ω^{2}, \dots, ω^{k - 1}} \subseteq F_{p}$
      - then $Z_{Ω} (X) = X^{k} - 1$
    - for $r \in F_{p}$ , evaluating $Z_{Ω} (r)$ takes $\leq 2 lo g_{2} k$ field operations
- ZeroTest on ( $Ω = {1, ω, ω^{2}, \dots, ω^{k - 1}} \subseteq F_{p}$ )
  - lemma: $f (a) = 0\forall a \in Ω ⟺ Z_{Ω} (X) ∣ f (X)$
  - ⭐ $P (f)$ : $q (X) \leftarrow f (X) / Z_{Ω} (X)$
    - if $f (a) = 0\forall a \in Ω$ , then leads to “clean” polynomial
    - $co m_{q} = q \in F_{p}^{\leq d} [X]$
      - it not polynomial: cannot commit
  - $V$ : $r \leftarrow s F_{p}$
    - query $q (X), f (X)$ at $r$
    - accept if $f (r) = ? q (r) \cdot Z_{Ω} (r)$
    - 👨‍🏫 $Z_{Ω} (r)$ to be computed by $V$ !
  - complete & sound assuming $d / p$ is negl.
  - $V$ time: $O (lo g k)$ and 2 (or: one) poly queries
  - $P$ time: computing and committing $q (X)$
    - $O (k)$ or $O (k lo g k)$
- ProductTest on ( $Ω = {1, ω, ω^{2}, \dots, ω^{k - 1}} \subseteq F_{p}$ )
  - set $t \in F_{p}^{(\leq k)} [X]$ be degree- $k$ polynomial:
    - $t (1) = f (1)$ , $t (ω^{s}) = \prod_{i = 0}^{s} f (ω^{i})$
      - for $s = 1, \dots, k - 1$
    - example
      - $t (ω) = f (1) \cdot f (ω)$
      - $t (ω^{2}) = f (1) \cdot f (ω) \cdot f (ω^{2})$
      - $t (ω^{k - 1}) = \prod_{a \in Ω} f (a) = 1$
        
        (supposedly)
      - and $t (ω \cdot x) = t (x) \cdot f (ω \cdot x)$
        
        $\forall x \in Ω$ , including $x = ω^{k - 1}$
  - lemma: if $t (ω^{k - 1}) = 1$ and
    - $t (ω \cdot x) - t (x) \cdot f (ω \cdot x) = 0$ $\forall x \in Ω$
    - ⇒ $\prod_{a \in Ω} f (a) = 1$
  - (unoptimized) procedure
    - $t (X) \in F_{p}^{(\leq k)}$
    - $t_{1} (X) = t (ω \cdot X) - t (X) \cdot f (ω \cdot X)$
      - should be 0 on $Ω$
    - set $q (X) = t_{1} (X) / (X^{k} - 1) \in F_{p}^{(\leq d)}$
      - leads to clean polynomial if $t_{1} (a) = 0\forall a \in Ω$
    - $P$ : sends $co m_{t}, co m_{q}$
    - $V$ : query $t (X)$ at $ω^{k - 1}, r, ω r$
      - also $q (X)$ at $r$ , and $f (X)$ at $ω r$
      - learns $t (ω^{k - 1}), t (r), t (ω r), q (r), f (ω r)$
    - $V$ : accepts if $t (ω^{k - 1}) = 1$ and $t (ω r) - t (r) f (ω r) = q (r) \cdot (r^{k} - 1)$
    - proof size: 2 commits, 5 eval. = 3 groups
    - $V$ time: $O (lo g k)$ (for $r^{k} - 1, ω^{k} - 1$ )
    - $P$ time: $O (k lo g k)$ (for quotient)
- Approach on rational functions

The PLONK IOP for General Circuits

Date: 2024-08-28 21:10:53

Reviewed:

Topic / Chapter: The PLONK IOP for General Circuits

summary

❓Questions

Notes

The PLONK IOP for General Circuits

Zero Knowledge Proof MOOC