From dfd8f704bf358ed085ead861a09d466a52819564 Mon Sep 17 00:00:00 2001 From: Justin Frevert Date: Sun, 17 Mar 2024 11:32:05 -0400 Subject: [PATCH 1/9] Correct typo --- chapters/elliptic-curves-moonmath.tex | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chapters/elliptic-curves-moonmath.tex b/chapters/elliptic-curves-moonmath.tex index 66e5fbaf..4abe4b8d 100644 --- a/chapters/elliptic-curves-moonmath.tex +++ b/chapters/elliptic-curves-moonmath.tex @@ -1522,7 +1522,7 @@ \subsection{Try-and-increment hash functions} % https://www.cs.umd.edu/users/gasarch/TOPICS/res/burgess.pdf on a prime field, only half of the field elements are quadratic residues. Hence, assuming an even distribution of the hash values in the field, this method would fail to generate a curve point in about half of the attempts. -One way to account for this problem is the following so-called \term{try-and-increment} method. Instead of simply hashing a binary string $s$ to the field, this method use a try-and-increment hash to the base field as described in \ref{def:try_and_increment_hash} in combination with a single auxiliary bit derived from the underlying cryptographic hash function. +One way to account for this problem is the following so-called \term{try-and-increment} method. Instead of simply hashing a binary string $s$ to the field, this method uses a try-and-increment hash to the base field as described in \ref{def:try_and_increment_hash} in combination with a single auxiliary bit derived from the underlying cryptographic hash function. If any try of hashing to the field does not result in a field element or a valid curve point, the counter is incremented, and the hashing is repeated. This is done until a valid curve point is found (see the algorithm below). From deedb52767d89fc9b783785ab6a8ad79f115ef57 Mon Sep 17 00:00:00 2001 From: Justin Frevert Date: Sun, 24 Mar 2024 13:51:33 -0400 Subject: [PATCH 2/9] Typos --- chapters/statements-moonmath.tex | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/chapters/statements-moonmath.tex b/chapters/statements-moonmath.tex index 443578a5..cc181578 100644 --- a/chapters/statements-moonmath.tex +++ b/chapters/statements-moonmath.tex @@ -917,7 +917,7 @@ \subsubsection{Circuit Satisfiability} \end{remark} \begin{example}[3-Factorization]Consider the circuit $C_{3.fac}$ from \examplename{} \ref{ex:3-fac-zk-circuit} again. We call the associated language $L_{3.fac\_circ}$. -To understand how a constructive proof of a statement in $L_{3.fac\_circ}$ looks like, consider the instance $I_1= 11$. To provide a proof for the statement ``There exist a witness $W$ such that $(I_1;W)$ is a word in $L_{3.fac\_circ}$'' a proof therefore has to consists of proper values for the variables $W_1$, $W_2$, $W_3$ and $W_4$. Any prover therefore has to find input values for $W_1$, $W_2$ and $W_3$ and then execute the circuit to compute $W_4$ under the assumption $I_1=11$. +To understand how a constructive proof of a statement in $L_{3.fac\_circ}$ looks like, consider the instance $I_1= 11$. To provide a proof for the statement ``There exists a witness $W$ such that $(I_1;W)$ is a word in $L_{3.fac\_circ}$'' a proof therefore has to consists of proper values for the variables $W_1$, $W_2$, $W_3$ and $W_4$. Any prover therefore has to find input values for $W_1$, $W_2$ and $W_3$ and then execute the circuit to compute $W_4$ under the assumption $I_1=11$. Example \ref{ex:3-fac-zk-circuit_2}implies that $<2,3,4,6>$ is a proper constructive proof and in order to verify the proof a verifier needs to execute the circuit with instance $I_1=11$ and inputs $W_1=2$, $W_2=3$ and $W_3=4$ to decide whether the proof is a valid assignment or not. \end{example} @@ -1045,7 +1045,7 @@ \subsubsection{Associated Constraint Systems} \end{center} To compute the number of constraints, observe that we have $3$ multiplication gates that have labels on their outgoing edges and $1$ addition gate that has a label on its outgoing edge. We therefore have to compute $4$ quadratic constraints. -In order to derive the associated R1CS, we have start with an empty R1CS and then iterate over the set $$ of all edge labels, in order to generate the constraints. +In order to derive the associated R1CS, we have to start with an empty R1CS and then iterate over the set $$ of all edge labels, in order to generate the constraints. Considering edge label $S_1$, we see that the associated edges are not outgoing edges of any algebraic gate, and we therefore have to add no new constraint to the system. The same holds true for edge label $S_2$. Looking at edge label $S_3$, we see that the associated edges are outgoing edges of a multiplication gate and that the associated subgraph is given by: \begin{center} From 2b0bc821e85637d9dd2231c7116b251f8f86c02a Mon Sep 17 00:00:00 2001 From: Justin Frevert Date: Sun, 31 Mar 2024 22:10:05 -0400 Subject: [PATCH 3/9] Typo --- chapters/statements-moonmath.tex | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chapters/statements-moonmath.tex b/chapters/statements-moonmath.tex index cc181578..3e144a51 100644 --- a/chapters/statements-moonmath.tex +++ b/chapters/statements-moonmath.tex @@ -1338,7 +1338,7 @@ \subsubsection{QAP representation} To understand what Quadratic Arithmetic Progr & = 7(x-5) = 7x + 4 & \text{\# } -5 = 8 \text{ and } 7\cdot 8 = 4 \end{align*} -Using Lagrange's interpolation, we can deduce that $A_2=B_3=C_5$ as well as $A_5=B_4=C_1$, since they are polynomials of degree $1$ that evaluate to same values on $2$ points. Using this, we get the following set of polynomials +Using Lagrange's interpolation, we can deduce that $A_2=B_3=C_5$ as well as $A_5=B_4=C_1$, since they are polynomials of degree $1$ that evaluate to the same values on $2$ points. Using this, we get the following set of polynomials \begin{center} \begin{tabular}{|l|l|l|}\hline $A_{0}(x)=0 $ &$ B_{0}(x)=0 $ & $C_{0}(x)=0$ \tabularnewline\hline From b940ffbfa7dc6f9386edcc4a7c335c252c1d1e11 Mon Sep 17 00:00:00 2001 From: Justin Frevert Date: Fri, 5 Apr 2024 21:16:34 -0400 Subject: [PATCH 4/9] Typo --- chapters/circuit-compilers-moonmath.tex | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chapters/circuit-compilers-moonmath.tex b/chapters/circuit-compilers-moonmath.tex index 13022782..f152e98c 100644 --- a/chapters/circuit-compilers-moonmath.tex +++ b/chapters/circuit-compilers-moonmath.tex @@ -1381,7 +1381,7 @@ \subsubsection{The Unsigned Integer Type} Unsigned integers of size \texttt{N}, \paragraph{The uN Constraint System} Many high-level circuit languages define the various \texttt{uN} types as arrays of size \texttt{N}, where each element is of boolean type. This parallels their representation on common computer hardware and allows for efficient and straightforward definition of common operators, like the various shift operators, or the logical operators. -Assuming that some unsigned integer \texttt{N} is known at compile time in \lgname{PAPER}, we define the following \texttt{uN} type\_function, which casts a an unsigned integer into an array of boolean variables: +Assuming that some unsigned integer \texttt{N} is known at compile time in \lgname{PAPER}, we define the following \texttt{uN} type\_function, which casts an unsigned integer into an array of boolean variables: \begin{lstlisting} type_function uN -> BOOL[N] { let base2 : BOOL[N] ; From e96f178a1316aea13054e98c14ac1ba1f113467b Mon Sep 17 00:00:00 2001 From: Justin Frevert Date: Fri, 5 Apr 2024 21:38:52 -0400 Subject: [PATCH 5/9] typo --- chapters/circuit-compilers-moonmath.tex | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chapters/circuit-compilers-moonmath.tex b/chapters/circuit-compilers-moonmath.tex index f152e98c..27c540dd 100644 --- a/chapters/circuit-compilers-moonmath.tex +++ b/chapters/circuit-compilers-moonmath.tex @@ -1700,7 +1700,7 @@ \subsubsection{The Unsigned Integer Type} Unsigned integers of size \texttt{N}, \end{comment} % ===================================== \begin{exercise} -Let \texttt{F}$=\F_{13}$ and \texttt{N=4} be fixed and let $x$ be of $uN$ type. Define circuits and associated R1CS for the left and right bit-shift operators $x<<2$ as well as $x>>2$. Execute the associated circuit for $x : u4 = 11$ and generate a constructive proof for $R1CS$ satisfyability. +Let \texttt{F}$=\F_{13}$ and \texttt{N=4} be fixed and let $x$ be of $uN$ type. Define circuits and associated R1CS for the left and right bit-shift operators $x<<2$ as well as $x>>2$. Execute the associated circuit for $x : u4 = 11$ and generate a constructive proof for $R1CS$ satisfiability. \end{exercise} \begin{exercise} Let \texttt{F}$=\F_{13}$ and \texttt{N=2} be fixed. Define a circuit and associated R1CS for the addition operator $\mathtt{ADD}: uN \times uN \to uN$. Execute the associated circuit to compute $\mathtt{ADD}(2,7)$ for $2,7\in uN$. From bc85e0291b4e670c07e0a26b0fc7d9b37f41c3c7 Mon Sep 17 00:00:00 2001 From: Justin Frevert Date: Fri, 5 Apr 2024 22:28:29 -0400 Subject: [PATCH 6/9] typo --- chapters/circuit-compilers-moonmath.tex | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chapters/circuit-compilers-moonmath.tex b/chapters/circuit-compilers-moonmath.tex index 27c540dd..b98ae158 100644 --- a/chapters/circuit-compilers-moonmath.tex +++ b/chapters/circuit-compilers-moonmath.tex @@ -2140,7 +2140,7 @@ \subsection{Cryptographic Primitives} In applications, it is often required to do cryptography in a circuit. To do this, basic cryptographic primitives like hash functions or elliptic curve cryptography needs to be implemented as circuits. In this section, we give a few basic examples of how to implement such primitives. \subsubsection{Twisted Edwards curves} Implementing elliptic curve cryptography in circuits means to implement the defining curve equations as well as the algebraic operations, like the group law or the scalar multiplication as circuits. To do this efficiently, the curve must be defined over the same base field as the field that is used in the circuit. -For efficiency reasons, it is advantageous to choose an elliptic curve such that that all required constraints and operations can be implement with as few gates as possible. Twisted Edwards curves are particularly useful for that matter, since their group law is particularly simple and the same calculation can be used for all curve points including the point at infinity. This simplifies the circuit a lot. +For efficiency reasons, it is advantageous to choose an elliptic curve such that that all required constraints and operations can be implemented with as few gates as possible. Twisted Edwards curves are particularly useful for that matter, since their group law is particularly simple and the same calculation can be used for all curve points including the point at infinity. This simplifies the circuit a lot. % implementations https://github.com/iden3/circomlib/blob/master/circuits/babyjub.circom \paragraph{Twisted Edwards curve constraints} As we have seen in \ref{sec:edwards}, a twisted Edwards curve over a finite field $F$ is defined as the set of all pairs of points $(x,y)\in \F\times \F$ such that $x$ and $y$ satisfy the equation $a\cdot x^2+y^2= 1+d\cdot x^2y^2$ and as we have seen in \examplename{} \ref{ex:TJJ-circuit_1}, we can transform this equation into the following circuit: \begin{center} From 44a606fd784c597159dcfc026c77bb2a3a1d971f Mon Sep 17 00:00:00 2001 From: Justin Frevert Date: Fri, 5 Apr 2024 22:46:56 -0400 Subject: [PATCH 7/9] typo --- chapters/zk-protocols-moonmath.tex | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chapters/zk-protocols-moonmath.tex b/chapters/zk-protocols-moonmath.tex index 4c347fe5..84eae85f 100644 --- a/chapters/zk-protocols-moonmath.tex +++ b/chapters/zk-protocols-moonmath.tex @@ -33,7 +33,7 @@ \section{Proof Systems} A proof system is usually called \term{succinct} if the size of the proof is shorter than the witness necessary to generate the proof. Moreover, a proof system is called \term{computationally sound} if soundness only holds under the assumption that the computational capabilities of the prover are polynomial bound. To distinguish general proofs from computationally sound proofs, the latter are often called \term{arguments}. Since the term \term{zk-SNARKs} is an abbreviation for "Zero-knowledge, succinct, non-interactive argument of knowledge", proof system able to generate zk-SNARKS therefore have the zero-knowledge property, are able to generate proofs that require less space then the original witness and require no interaction between prover and verifier, other then transmitting the zk-SNARK itself. However those systems are only sound under the assumption that the prover's computational capabilities are polynomial bound. -\begin{example}[Constructive Proofs for Algebraic Circuits] We have seen in \ref{circuit-satisfiability} how algebraic circuit give rise to formal languages and constructive proofs for knowledge claims. +\begin{example}[Constructive Proofs for Algebraic Circuits] We have seen in \ref{circuit-satisfiability} how algebraic circuits give rise to formal languages and constructive proofs for knowledge claims. To reformulate this notion of constructive proofs for algebraic circuits into a proof system, let $\F$ be a finite field, and let $C(\F)$ be an algebraic circuit over $\F$ with associated language $L_{C(\F)}$. A non-interactive proof system for $L_{C(\F)}$ is given by the following two algorithms: From 67aa5f46b0c752b43b8fa4823c2053df0f8de83b Mon Sep 17 00:00:00 2001 From: Justin Frevert Date: Fri, 5 Apr 2024 22:50:34 -0400 Subject: [PATCH 8/9] typo --- chapters/zk-protocols-moonmath.tex | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chapters/zk-protocols-moonmath.tex b/chapters/zk-protocols-moonmath.tex index 84eae85f..06d1b804 100644 --- a/chapters/zk-protocols-moonmath.tex +++ b/chapters/zk-protocols-moonmath.tex @@ -39,7 +39,7 @@ \section{Proof Systems} \term{Prover Algorithm}: The prover $P$ is defined by circuit execution. Given some instance $I$ the prover executes circuit $C(\F)$ to compute a witness $W$ such that the pair $(I;W)$ is a valid assignment to $C(\F)$ whenever the circuit is satisfiable for $I$. The prover then sends the constructive proof $(I;W)$ to the verifier. -\term{Verifier Algorithm}: On receiving a message $(I;W)$, the verifier algorithm $V$ inserts $(I;W)$ into the associated R1CS of the circuit. If $(I;W)$ is a solution to the $R1CS$, the verifier returns \texttt{accepts}, if not, it returns \texttt{reject}. +\term{Verifier Algorithm}: On receiving a message $(I;W)$, the verifier algorithm $V$ inserts $(I;W)$ into the associated R1CS of the circuit. If $(I;W)$ is a solution to the $R1CS$, the verifier returns \texttt{accept}, if not, it returns \texttt{reject}. To see that this proof system is complete and sound, let $C(\F)$ be a circuit of the field $\F$, and let $I$ be an instance. The circuit may or may not have a witness $W$ such that $(I;W)$ is a valid assignment to $C(\F)$. From d6a38aaa827ff061dbb025752c9962cf541a851e Mon Sep 17 00:00:00 2001 From: Justin Frevert Date: Sun, 7 Apr 2024 12:44:44 -0400 Subject: [PATCH 9/9] Sentence structure --- chapters/arithmetics-moonmath.tex | 2 +- chapters/zk-protocols-moonmath.tex | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/chapters/arithmetics-moonmath.tex b/chapters/arithmetics-moonmath.tex index a85b25de..c87c786f 100644 --- a/chapters/arithmetics-moonmath.tex +++ b/chapters/arithmetics-moonmath.tex @@ -1077,7 +1077,7 @@ \subsection{Prime Factors} Recall that the fundamental theorem of arithmetic \re \begin{example} \label{example:irreducible_integer_polynomial_1} - Consider the polynomial expression $P=x^2-3$. When we interpret $P$ as an integer polynomial $P\in\Z[x]$, we find that this polynomial is irreducible, since any factorization other then $1\cdot(x^2-3)$, must look like $(x-a)(x+a)$ for some integer $a$, but there is no integers $a$ with $a^2=3$. + Consider the polynomial expression $P=x^2-3$. When we interpret $P$ as an integer polynomial $P\in\Z[x]$, we find that this polynomial is irreducible, since any factorization other than $1\cdot(x^2-3)$, must look like $(x-a)(x+a)$ for some integer $a$, but there is no integers $a$ with $a^2=3$. \begin{sagecommandline} sage: Zx = ZZ['x'] sage: p = Zx(x^2-3) diff --git a/chapters/zk-protocols-moonmath.tex b/chapters/zk-protocols-moonmath.tex index 06d1b804..b42a1980 100644 --- a/chapters/zk-protocols-moonmath.tex +++ b/chapters/zk-protocols-moonmath.tex @@ -28,11 +28,11 @@ \section{Proof Systems} \end{itemize} In addition, a proof system is called \term{zero-knowledge} if the verifier learns nothing about $x$ other than $x\in L$. -The previous definition of proof systems is very general, and many subclasses of proof systems are known in the field. For example, some proof systems restrict the computational power of the prover, while some proof systems assume that the verifier has access to randomness. In addition, proof systems are classified by the number of messages that can be exchanged. If the system only requires to send a single message from the prover to the verifier, the proof system is called \term{non-interactive}, because no interaction other then sending the actual proof is required. In contrast, any other proof system is called \term{interactive}. +The previous definition of proof systems is very general, and many subclasses of proof systems are known in the field. For example, some proof systems restrict the computational power of the prover, while some proof systems assume that the verifier has access to randomness. In addition, proof systems are classified by the number of messages that can be exchanged. If the system only requires to send a single message from the prover to the verifier, the proof system is called \term{non-interactive}, because no interaction other than sending the actual proof is required. In contrast, any other proof system is called \term{interactive}. A proof system is usually called \term{succinct} if the size of the proof is shorter than the witness necessary to generate the proof. Moreover, a proof system is called \term{computationally sound} if soundness only holds under the assumption that the computational capabilities of the prover are polynomial bound. To distinguish general proofs from computationally sound proofs, the latter are often called \term{arguments}. -Since the term \term{zk-SNARKs} is an abbreviation for "Zero-knowledge, succinct, non-interactive argument of knowledge", proof system able to generate zk-SNARKS therefore have the zero-knowledge property, are able to generate proofs that require less space then the original witness and require no interaction between prover and verifier, other then transmitting the zk-SNARK itself. However those systems are only sound under the assumption that the prover's computational capabilities are polynomial bound. +Since the term \term{zk-SNARKs} is an abbreviation for "Zero-knowledge, succinct, non-interactive argument of knowledge". These proof systems are able to generate zk-SNARKS therefore have the zero-knowledge property, are able to generate proofs that require less space than the original witness and require no interaction between prover and verifier, other than transmitting the zk-SNARK itself. However those systems are only sound under the assumption that the prover's computational capabilities are polynomial bound. \begin{example}[Constructive Proofs for Algebraic Circuits] We have seen in \ref{circuit-satisfiability} how algebraic circuits give rise to formal languages and constructive proofs for knowledge claims. To reformulate this notion of constructive proofs for algebraic circuits into a proof system, let $\F$ be a finite field, and let $C(\F)$ be an algebraic circuit over $\F$ with associated language $L_{C(\F)}$. A non-interactive proof system for $L_{C(\F)}$ is given by the following two algorithms: