diff --git a/chapters/arithmetics-moonmath.tex b/chapters/arithmetics-moonmath.tex index a85b25de..c87c786f 100644 --- a/chapters/arithmetics-moonmath.tex +++ b/chapters/arithmetics-moonmath.tex @@ -1077,7 +1077,7 @@ \subsection{Prime Factors} Recall that the fundamental theorem of arithmetic \re \begin{example} \label{example:irreducible_integer_polynomial_1} - Consider the polynomial expression $P=x^2-3$. When we interpret $P$ as an integer polynomial $P\in\Z[x]$, we find that this polynomial is irreducible, since any factorization other then $1\cdot(x^2-3)$, must look like $(x-a)(x+a)$ for some integer $a$, but there is no integers $a$ with $a^2=3$. + Consider the polynomial expression $P=x^2-3$. When we interpret $P$ as an integer polynomial $P\in\Z[x]$, we find that this polynomial is irreducible, since any factorization other than $1\cdot(x^2-3)$, must look like $(x-a)(x+a)$ for some integer $a$, but there is no integers $a$ with $a^2=3$. \begin{sagecommandline} sage: Zx = ZZ['x'] sage: p = Zx(x^2-3) diff --git a/chapters/circuit-compilers-moonmath.tex b/chapters/circuit-compilers-moonmath.tex index 13022782..b98ae158 100644 --- a/chapters/circuit-compilers-moonmath.tex +++ b/chapters/circuit-compilers-moonmath.tex @@ -1381,7 +1381,7 @@ \subsubsection{The Unsigned Integer Type} Unsigned integers of size \texttt{N}, \paragraph{The uN Constraint System} Many high-level circuit languages define the various \texttt{uN} types as arrays of size \texttt{N}, where each element is of boolean type. This parallels their representation on common computer hardware and allows for efficient and straightforward definition of common operators, like the various shift operators, or the logical operators. -Assuming that some unsigned integer \texttt{N} is known at compile time in \lgname{PAPER}, we define the following \texttt{uN} type\_function, which casts a an unsigned integer into an array of boolean variables: +Assuming that some unsigned integer \texttt{N} is known at compile time in \lgname{PAPER}, we define the following \texttt{uN} type\_function, which casts an unsigned integer into an array of boolean variables: \begin{lstlisting} type_function uN -> BOOL[N] { let base2 : BOOL[N] ; @@ -1700,7 +1700,7 @@ \subsubsection{The Unsigned Integer Type} Unsigned integers of size \texttt{N}, \end{comment} % ===================================== \begin{exercise} -Let \texttt{F}$=\F_{13}$ and \texttt{N=4} be fixed and let $x$ be of $uN$ type. Define circuits and associated R1CS for the left and right bit-shift operators $x<<2$ as well as $x>>2$. Execute the associated circuit for $x : u4 = 11$ and generate a constructive proof for $R1CS$ satisfyability. +Let \texttt{F}$=\F_{13}$ and \texttt{N=4} be fixed and let $x$ be of $uN$ type. Define circuits and associated R1CS for the left and right bit-shift operators $x<<2$ as well as $x>>2$. Execute the associated circuit for $x : u4 = 11$ and generate a constructive proof for $R1CS$ satisfiability. \end{exercise} \begin{exercise} Let \texttt{F}$=\F_{13}$ and \texttt{N=2} be fixed. Define a circuit and associated R1CS for the addition operator $\mathtt{ADD}: uN \times uN \to uN$. Execute the associated circuit to compute $\mathtt{ADD}(2,7)$ for $2,7\in uN$. @@ -2140,7 +2140,7 @@ \subsection{Cryptographic Primitives} In applications, it is often required to do cryptography in a circuit. To do this, basic cryptographic primitives like hash functions or elliptic curve cryptography needs to be implemented as circuits. In this section, we give a few basic examples of how to implement such primitives. \subsubsection{Twisted Edwards curves} Implementing elliptic curve cryptography in circuits means to implement the defining curve equations as well as the algebraic operations, like the group law or the scalar multiplication as circuits. To do this efficiently, the curve must be defined over the same base field as the field that is used in the circuit. -For efficiency reasons, it is advantageous to choose an elliptic curve such that that all required constraints and operations can be implement with as few gates as possible. Twisted Edwards curves are particularly useful for that matter, since their group law is particularly simple and the same calculation can be used for all curve points including the point at infinity. This simplifies the circuit a lot. +For efficiency reasons, it is advantageous to choose an elliptic curve such that that all required constraints and operations can be implemented with as few gates as possible. Twisted Edwards curves are particularly useful for that matter, since their group law is particularly simple and the same calculation can be used for all curve points including the point at infinity. This simplifies the circuit a lot. % implementations https://github.com/iden3/circomlib/blob/master/circuits/babyjub.circom \paragraph{Twisted Edwards curve constraints} As we have seen in \ref{sec:edwards}, a twisted Edwards curve over a finite field $F$ is defined as the set of all pairs of points $(x,y)\in \F\times \F$ such that $x$ and $y$ satisfy the equation $a\cdot x^2+y^2= 1+d\cdot x^2y^2$ and as we have seen in \examplename{} \ref{ex:TJJ-circuit_1}, we can transform this equation into the following circuit: \begin{center} diff --git a/chapters/elliptic-curves-moonmath.tex b/chapters/elliptic-curves-moonmath.tex index 66e5fbaf..4abe4b8d 100644 --- a/chapters/elliptic-curves-moonmath.tex +++ b/chapters/elliptic-curves-moonmath.tex @@ -1522,7 +1522,7 @@ \subsection{Try-and-increment hash functions} % https://www.cs.umd.edu/users/gasarch/TOPICS/res/burgess.pdf on a prime field, only half of the field elements are quadratic residues. Hence, assuming an even distribution of the hash values in the field, this method would fail to generate a curve point in about half of the attempts. -One way to account for this problem is the following so-called \term{try-and-increment} method. Instead of simply hashing a binary string $s$ to the field, this method use a try-and-increment hash to the base field as described in \ref{def:try_and_increment_hash} in combination with a single auxiliary bit derived from the underlying cryptographic hash function. +One way to account for this problem is the following so-called \term{try-and-increment} method. Instead of simply hashing a binary string $s$ to the field, this method uses a try-and-increment hash to the base field as described in \ref{def:try_and_increment_hash} in combination with a single auxiliary bit derived from the underlying cryptographic hash function. If any try of hashing to the field does not result in a field element or a valid curve point, the counter is incremented, and the hashing is repeated. This is done until a valid curve point is found (see the algorithm below). diff --git a/chapters/statements-moonmath.tex b/chapters/statements-moonmath.tex index 34d23ac0..5f083674 100644 --- a/chapters/statements-moonmath.tex +++ b/chapters/statements-moonmath.tex @@ -917,7 +917,7 @@ \subsubsection{Circuit Satisfiability} \end{remark} \begin{example}[3-Factorization]Consider the circuit $C_{3.fac}$ from \examplename{} \ref{ex:3-fac-zk-circuit} again. We call the associated language $L_{3.fac\_circ}$. -To understand how a constructive proof of a statement in $L_{3.fac\_circ}$ looks like, consider the instance $I_1= 11$. To provide a proof for the statement ``There exist a witness $W$ such that $(I_1;W)$ is a word in $L_{3.fac\_circ}$'' a proof therefore has to consists of proper values for the variables $W_1$, $W_2$, $W_3$ and $W_4$. Any prover therefore has to find input values for $W_1$, $W_2$ and $W_3$ and then execute the circuit to compute $W_4$ under the assumption $I_1=11$. +To understand how a constructive proof of a statement in $L_{3.fac\_circ}$ looks like, consider the instance $I_1= 11$. To provide a proof for the statement ``There exists a witness $W$ such that $(I_1;W)$ is a word in $L_{3.fac\_circ}$'' a proof therefore has to consists of proper values for the variables $W_1$, $W_2$, $W_3$ and $W_4$. Any prover therefore has to find input values for $W_1$, $W_2$ and $W_3$ and then execute the circuit to compute $W_4$ under the assumption $I_1=11$. Example \ref{ex:3-fac-zk-circuit_2}implies that $<2,3,4,6>$ is a proper constructive proof and in order to verify the proof a verifier needs to execute the circuit with instance $I_1=11$ and inputs $W_1=2$, $W_2=3$ and $W_3=4$ to decide whether the proof is a valid assignment or not. \end{example} @@ -1045,7 +1045,7 @@ \subsubsection{Associated Constraint Systems} \end{center} To compute the number of constraints, observe that we have $3$ multiplication gates that have labels on their outgoing edges and $1$ addition gate that has a label on its outgoing edge. We therefore have to compute $4$ quadratic constraints. -In order to derive the associated R1CS, we have start with an empty R1CS and then iterate over the set $$ of all edge labels, in order to generate the constraints. +In order to derive the associated R1CS, we have to start with an empty R1CS and then iterate over the set $$ of all edge labels, in order to generate the constraints. Considering edge label $S_1$, we see that the associated edges are not outgoing edges of any algebraic gate, and we therefore have to add no new constraint to the system. The same holds true for edge label $S_2$. Looking at edge label $S_3$, we see that the associated edges are outgoing edges of a multiplication gate and that the associated subgraph is given by: \begin{center} @@ -1338,7 +1338,7 @@ \subsubsection{QAP representation} To understand what Quadratic Arithmetic Progr & = 7(x-5) = 7x + 4 & \text{\# } -5 = 8 \text{ and } 7\cdot 8 = 4 \end{align*} -Using Lagrange's interpolation, we can deduce that $A_2=B_3=C_5$ as well as $A_5=B_4=C_1$, since they are polynomials of degree $1$ that evaluate to same values on $2$ points. Using this, we get the following set of polynomials +Using Lagrange's interpolation, we can deduce that $A_2=B_3=C_5$ as well as $A_5=B_4=C_1$, since they are polynomials of degree $1$ that evaluate to the same values on $2$ points. Using this, we get the following set of polynomials \begin{center} \begin{tabular}{|l|l|l|}\hline $A_{0}(x)=0 $ &$ B_{0}(x)=0 $ & $C_{0}(x)=0$ \tabularnewline\hline diff --git a/chapters/zk-protocols-moonmath.tex b/chapters/zk-protocols-moonmath.tex index 4c347fe5..b42a1980 100644 --- a/chapters/zk-protocols-moonmath.tex +++ b/chapters/zk-protocols-moonmath.tex @@ -28,18 +28,18 @@ \section{Proof Systems} \end{itemize} In addition, a proof system is called \term{zero-knowledge} if the verifier learns nothing about $x$ other than $x\in L$. -The previous definition of proof systems is very general, and many subclasses of proof systems are known in the field. For example, some proof systems restrict the computational power of the prover, while some proof systems assume that the verifier has access to randomness. In addition, proof systems are classified by the number of messages that can be exchanged. If the system only requires to send a single message from the prover to the verifier, the proof system is called \term{non-interactive}, because no interaction other then sending the actual proof is required. In contrast, any other proof system is called \term{interactive}. +The previous definition of proof systems is very general, and many subclasses of proof systems are known in the field. For example, some proof systems restrict the computational power of the prover, while some proof systems assume that the verifier has access to randomness. In addition, proof systems are classified by the number of messages that can be exchanged. If the system only requires to send a single message from the prover to the verifier, the proof system is called \term{non-interactive}, because no interaction other than sending the actual proof is required. In contrast, any other proof system is called \term{interactive}. A proof system is usually called \term{succinct} if the size of the proof is shorter than the witness necessary to generate the proof. Moreover, a proof system is called \term{computationally sound} if soundness only holds under the assumption that the computational capabilities of the prover are polynomial bound. To distinguish general proofs from computationally sound proofs, the latter are often called \term{arguments}. -Since the term \term{zk-SNARKs} is an abbreviation for "Zero-knowledge, succinct, non-interactive argument of knowledge", proof system able to generate zk-SNARKS therefore have the zero-knowledge property, are able to generate proofs that require less space then the original witness and require no interaction between prover and verifier, other then transmitting the zk-SNARK itself. However those systems are only sound under the assumption that the prover's computational capabilities are polynomial bound. -\begin{example}[Constructive Proofs for Algebraic Circuits] We have seen in \ref{circuit-satisfiability} how algebraic circuit give rise to formal languages and constructive proofs for knowledge claims. +Since the term \term{zk-SNARKs} is an abbreviation for "Zero-knowledge, succinct, non-interactive argument of knowledge". These proof systems are able to generate zk-SNARKS therefore have the zero-knowledge property, are able to generate proofs that require less space than the original witness and require no interaction between prover and verifier, other than transmitting the zk-SNARK itself. However those systems are only sound under the assumption that the prover's computational capabilities are polynomial bound. +\begin{example}[Constructive Proofs for Algebraic Circuits] We have seen in \ref{circuit-satisfiability} how algebraic circuits give rise to formal languages and constructive proofs for knowledge claims. To reformulate this notion of constructive proofs for algebraic circuits into a proof system, let $\F$ be a finite field, and let $C(\F)$ be an algebraic circuit over $\F$ with associated language $L_{C(\F)}$. A non-interactive proof system for $L_{C(\F)}$ is given by the following two algorithms: \term{Prover Algorithm}: The prover $P$ is defined by circuit execution. Given some instance $I$ the prover executes circuit $C(\F)$ to compute a witness $W$ such that the pair $(I;W)$ is a valid assignment to $C(\F)$ whenever the circuit is satisfiable for $I$. The prover then sends the constructive proof $(I;W)$ to the verifier. -\term{Verifier Algorithm}: On receiving a message $(I;W)$, the verifier algorithm $V$ inserts $(I;W)$ into the associated R1CS of the circuit. If $(I;W)$ is a solution to the $R1CS$, the verifier returns \texttt{accepts}, if not, it returns \texttt{reject}. +\term{Verifier Algorithm}: On receiving a message $(I;W)$, the verifier algorithm $V$ inserts $(I;W)$ into the associated R1CS of the circuit. If $(I;W)$ is a solution to the $R1CS$, the verifier returns \texttt{accept}, if not, it returns \texttt{reject}. To see that this proof system is complete and sound, let $C(\F)$ be a circuit of the field $\F$, and let $I$ be an instance. The circuit may or may not have a witness $W$ such that $(I;W)$ is a valid assignment to $C(\F)$.