From a46c3290a47fe8d771f9dd4ae834912e2ff69b43 Mon Sep 17 00:00:00 2001 From: Vindaar Date: Wed, 26 Jun 2024 15:55:31 +0200 Subject: [PATCH 01/22] fix usage of `W_5` in ex. 132 (L_QAP(R3.fac_zk)) It should be W_4, same as in the previous (referenced) examples. --- chapters/statements-moonmath.tex | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/chapters/statements-moonmath.tex b/chapters/statements-moonmath.tex index 5f083674..d65b525e 100644 --- a/chapters/statements-moonmath.tex +++ b/chapters/statements-moonmath.tex 
@@ -1397,12 +1397,12 @@ \subsubsection{QAP Satisfiability} One of the major points of Quadratic Arithmet Verifying a constructive proof in the case of a circuit is achieved by executing the circuit and then by comparing the result against the given proof. Verifying the same proof in the R1CS picture means checking if the elements of the proof satisfy the R1CS equations. In contrast, verifying a proof in the QAP picture is done by polynomial division of the proof $P$ by the target polynomial $T$. The proof is verified if and only if $P$ is divisible by $T$. -\begin{example} Consider the Quadratic Arithmetic Program $QAP(R_{3.fac\_zk})$ from \examplename{} \ref{ex:3-fac-QAP} and its associated R1CS from equation \ref{ex:3-factorization-r1cs}. To give an intuition of how proofs in the language $L_{QAP(R_{3.fac\_zk})}$ look like, lets consider the instance $I_1=11$. As we know from \examplename{} \ref{ex:3-fac-zk-circuit_2}, $(W_1,W_2,W_3,W_5)=(2,3,4,6)$ is a proper witness, since -$(;)=(<11>;<2,3,4,6>)$ is a valid circuit assignment and hence, a solution to $R_{3.fac\_zk}$ and a constructive proof for language $L_{R_{3.fac\_zk}}$. +\begin{example} Consider the Quadratic Arithmetic Program $QAP(R_{3.fac\_zk})$ from \examplename{} \ref{ex:3-fac-QAP} and its associated R1CS from equation \ref{ex:3-factorization-r1cs}. To give an intuition of how proofs in the language $L_{QAP(R_{3.fac\_zk})}$ look like, lets consider the instance $I_1=11$. As we know from \examplename{} \ref{ex:3-fac-zk-circuit_2}, $(W_1,W_2,W_3,W_4)=(2,3,4,6)$ is a proper witness, since +$(;)=(<11>;<2,3,4,6>)$ is a valid circuit assignment and hence, a solution to $R_{3.fac\_zk}$ and a constructive proof for language $L_{R_{3.fac\_zk}}$. In order to transform this constructive proof into a knowledge proof in language $L_{QAP(R_{3.fac\_zk})}$, a prover has to use the elements of the constructive proof, to compute the polynomial $P_{(I;W)}$. 
-In the case of $(;)=(<11>;<2,3,4,6>)$, the associated proof is computed as follows: +In the case of $(;)=(<11>;<2,3,4,6>)$, the associated proof is computed as follows: \begin{align*} P_{(I;W)} = & \scriptstyle \left(A_0 + \sum_{j}^n I_j\cdot A_j + \sum_{j}^m W_j\cdot A_{n+j} \right) \cdot \left(B_0 + \sum_{j}^n I_j\cdot B_j + \sum_{j}^m W_j\cdot B_{n+j} \right) -\left(C_0 + \sum_{j}^n I_j\cdot C_j + \sum_{j}^m W_j\cdot C_{n+j} \right)\\ From c2bc7d17f4a02f2eff57b22114bf22cb413f4f93 Mon Sep 17 00:00:00 2001 From: Vindaar Date: Wed, 26 Jun 2024 16:04:24 +0200 Subject: [PATCH 02/22] use `\text{Malbolge}` for Malbolge 'language' --- chapters/statements-moonmath.tex | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chapters/statements-moonmath.tex b/chapters/statements-moonmath.tex index d65b525e..6462fd53 100644 --- a/chapters/statements-moonmath.tex +++ b/chapters/statements-moonmath.tex 
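Review bot: in PATCH 01/22's hunk at statements-moonmath.tex:1397, the second `-`/`+` pair (`$(;)=(<11>;<2,3,4,6>)$ is a valid circuit assignment ...`) and the `In the case of ...` pair show no visible difference, so they look like whitespace-only changes; either drop them so the diff carries only the `W_5` to `W_4` fix, or say in the commit message that trailing whitespace was cleaned up. While this paragraph is being touched, `lets consider` should read `let's consider`, and `how proofs ... look like` should read `what proofs ... look like`.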
@@ -79,7 +79,7 @@ \subsection{Decision Functions} To give an unusual example strange enough to highlight the point, consider the programming language \href{https://en.wikipedia.org/wiki/Malbolge}{Malbolge}. This language was specifically designed to be almost impossible to use, and writing programs in this language is a difficult task. An interesting claim is therefore the statement: ``There exists a computer program in Malbolge". As it turned out, proving this statement constructively, that is, providing an example instance of such a program, is not an easy task: it took two years after the introduction of Malbolge to write a program that its compiler accepts. So, for two years, no one was able to prove the statement constructively. -To look at the high-level description of Malbolge more formally, we write $L_{Malbolge}$ for the language that uses the ASCII table as its alphabet, and its words are strings of ASCII letters that the Malbolge compiler accepts. Proving the statement ``There exists a computer program in Malbolge'' is equivalent to the task of finding some word $x\in L_{Malbolge}$. The string in \eqref{malbolge-string} below is an example of such a proof, as it is excepted by the Malbolge compiler, which compiles it to an executable binary that displays ``Hello, World.'' \sme{add reference}. In this example, the Malbolge compiler therefore serves as the verification process. +To look at the high-level description of Malbolge more formally, we write $L_{\text{Malbolge}}$ for the language that uses the ASCII table as its alphabet, and its words are strings of ASCII letters that the Malbolge compiler accepts. Proving the statement ``There exists a computer program in Malbolge'' is equivalent to the task of finding some word $x\in L_{\text{Malbolge}}$. 
The string in \eqref{malbolge-string} below is an example of such a proof, as it is excepted by the Malbolge compiler, which compiles it to an executable binary that displays ``Hello, World.'' \sme{add reference}. In this example, the Malbolge compiler therefore serves as the verification process. \begin{multline}\label{malbolge-string} \scriptstyle (=<':9876Z4321UT.-Q+*)M'\&\%\$H"!~\}|Bzy?=|\{z]KwZY44Eq0/ From c040f5dcdd3bbb307821bec1875acdb8d61c873f Mon Sep 17 00:00:00 2001 From: Vindaar Date: Wed, 26 Jun 2024 16:19:21 +0200 Subject: [PATCH 03/22] wrap lagrange polynomial calc in \left( \right) parens --- chapters/statements-moonmath.tex | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/chapters/statements-moonmath.tex b/chapters/statements-moonmath.tex index 6462fd53..413fa4ce 100644 --- a/chapters/statements-moonmath.tex +++ b/chapters/statements-moonmath.tex @@ -1323,8 +1323,8 @@ \subsubsection{QAP representation} To understand what Quadratic Arithmetic Progr To compute $A_2$ we note that the set $S_{A_2}$ in our version of Lagrange's interpolation is given by $S_{A_2}=\{(m_1,a^1_2), (m_2,a_2^2)\} = \{(5,1), (7,0)\}$. Using this set we get: \begin{align*} -A_2(x) & = a^1_2\cdot(\frac{x-m_2}{m_1-m_2}) + a^2_2\cdot(\frac{x-m_1}{m_2-m_1}) - = 1\cdot(\frac{x-7}{5-7}) + 0\cdot(\frac{x-5}{7-5}) \\ +A_2(x) & = a^1_2\cdot \left(\frac{x-m_2}{m_1-m_2}\right) + a^2_2\cdot\left(\frac{x-m_1}{m_2-m_1}\right) + = 1\cdot\left(\frac{x-7}{5-7}\right) + 0\cdot\left(\frac{x-5}{7-5}\right) \\ & = \frac{x-7}{-2} = \frac{x-7}{11} & \text{\# } 11^{-1}=6 \\ & = 6(x-7) 
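Review bot: in PATCH 02/22's hunk at statements-moonmath.tex:79, the sentence right after the changed text still reads `as it is excepted by the Malbolge compiler`; that should be `accepted`, and the `\sme{add reference}` marker in the same sentence is still an open TODO. Since this patch already rewrites the paragraph, both could be fixed here, or tracked separately if the `\text{}` change is meant to stay minimal.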
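Review bot: in PATCH 03/22's hunk at statements-moonmath.tex:1323, spacing around `\cdot` is inconsistent within the new line itself: `a^1_2\cdot \left(` has a space before `\left(` while `a^2_2\cdot\left(` and `1\cdot\left(` do not. It does not change the rendered output, but pick one form (the $A_5$ hunk in the same patch uses `\cdot\left(` throughout) so later diffs stay clean.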
@@ -1332,8 +1332,8 @@ \subsubsection{QAP representation} To understand what Quadratic Arithmetic Progr \end{align*} To compute $A_5$, we note that the set $S_{A_5}$ in our version of Lagrange's method is given by $S_{A_5}=\{(m_1,a^1_5), (m_2,a^2_5)\} = \{(5,0), (7,1)\}$. Using this set we get: \begin{align*} -A_5(x) & = a^1_5\cdot(\frac{x-m_2}{m_1-m_2}) + a^2_5\cdot(\frac{x-m_1}{m_2-m_1}) - = 0\cdot(\frac{x-7}{5-7}) + 1\cdot(\frac{x-5}{7-5}) \\ +A_5(x) & = a^1_5\cdot\left(\frac{x-m_2}{m_1-m_2}\right) + a^2_5\cdot\left(\frac{x-m_1}{m_2-m_1}\right) + = 0\cdot\left(\frac{x-7}{5-7}\right) + 1\cdot\left(\frac{x-5}{7-5}\right) \\ & = \frac{x-5}{2} & \text{\# } 2^{-1}=7 \\ & = 7(x-5) = 7x + 4 & \text{\# } -5 = 8 \text{ and } 7\cdot 8 = 4 From 4ff96b21bca4c244a95453da538234c99c73d158 Mon Sep 17 00:00:00 2001 From: Vindaar Date: Wed, 26 Jun 2024 16:58:55 +0200 Subject: [PATCH 04/22] [circom] input signals are always private, cannot be marked as such As far as I understand in the JS 'Circom 1' this was supported. But at this point, I suppose it's more sensible to have code that is valid for Circom 2. --- chapters/circuit-compilers-moonmath.tex | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/chapters/circuit-compilers-moonmath.tex b/chapters/circuit-compilers-moonmath.tex index b98ae158..f074b15c 100644 --- a/chapters/circuit-compilers-moonmath.tex +++ b/chapters/circuit-compilers-moonmath.tex @@ -179,8 +179,8 @@ \subsection{Circom} \begin{lstlisting} template trivial_circuit() { - signal private input in1 ; - signal private input in2 ; + signal input in1 ; + signal input in2 ; var outc1 = 0 ; var inc1 = 7 ; From 187094384faa6d812cb7a7b00d3a019e6ab0e99a Mon Sep 17 00:00:00 2001 
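Review bot: for PATCH 04/22's hunk at circuit-compilers-moonmath.tex:179, dropping `private` is correct for Circom 2, but the commit message's phrasing that inputs "cannot be marked" deserves a note in the prose if the text around this listing discusses visibility: in Circom 2 template inputs are private by default and become public only by being listed in the main component declaration (`component main {public [in1]} = ...`), not through a keyword on the signal. Please check whether the surrounding text still calls `in1`, `in2` "private inputs" and, if so, state where that property is now decided.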
From: Vindaar Date: Wed, 26 Jun 2024 17:25:42 +0200 Subject: [PATCH 05/22] fix labels in example circuits Instance variables and witness variables in the previous part always individually start from index 1. This rule is broken in the first fixed circuit. In the second one this is also broken and in addition in the simplified circuit we should rename the witnesses to go from 1 to 3 instead of having {1, 3, 4}. --- chapters/circuit-compilers-moonmath.tex | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/chapters/circuit-compilers-moonmath.tex b/chapters/circuit-compilers-moonmath.tex index f074b15c..d0492c8e 100644 --- a/chapters/circuit-compilers-moonmath.tex +++ b/chapters/circuit-compilers-moonmath.tex @@ -370,7 +370,7 @@ \subsubsection{The base-field type} } // subgraph connectors nin1 -> {nmul1, nadd1} [xlabel="W_1", style=dashed, color=grey] ; - nin2 -> {nmul2, nadd2} [xlabel="I_2 ", style=dashed, color=grey] ; + nin2 -> {nmul2, nadd2} [xlabel="I_1 ", style=dashed, color=grey] ; nmul4 -> nout1 [headlabel="W_3 ", style=dashed, color=grey] ; nadd4 -> nout2 [headlabel="W_4 ", style=dashed, color=grey] ; } @@ -393,9 +393,9 @@ \subsubsection{The base-field type} n6 [label="+"] ; n1 -> {n5, n6} [xlabel="W_1"] ; - n2 -> {n5, n6} [xlabel="I_2 "] ; - n5 -> n3 [xlabel="W_3 "] ; - n6 -> n4 [label=" W_4"] ; + n2 -> {n5, n6} [xlabel="I_1 "] ; + n5 -> n3 [xlabel="W_2 "] ; + n6 -> n4 [label=" W_3"] ; } \end{center} \end{example} From 58cd170165b72c9c17bd109c0c629a6a3f483144 Mon Sep 17 00:00:00 2001 From: Vindaar Date: Thu, 27 Jun 2024 09:45:47 +0200 Subject: [PATCH 06/22] minor syntax fixes in PAPER fn AND, NOT --- chapters/circuit-compilers-moonmath.tex | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/chapters/circuit-compilers-moonmath.tex b/chapters/circuit-compilers-moonmath.tex index d0492c8e..3ee8ca8c 100644 --- a/chapters/circuit-compilers-moonmath.tex +++ b/chapters/circuit-compilers-moonmath.tex 
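Review bot: in PATCH 05/22's first hunk (circuit-compilers-moonmath.tex:370), the edge labels after the change are `W_1`, `I_1`, `W_3`, `W_4`, so `W_2` appears on no edge within this hunk. If `W_2` is on an edge outside the hunk that is fine; otherwise the rule stated in the commit message (witness indices start at 1 with no gaps) is still broken here, just as it was in the simplified graph. Please confirm.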
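Review bot: in PATCH 05/22's second hunk (circuit-compilers-moonmath.tex:393), `n6 -> n4 [label=" W_3"]` uses `label` with a leading space while the neighbouring edges use `xlabel` with a trailing space (`xlabel="W_2 "`). Since these lines are being rewritten anyway, make them consistent, and check that any prose or equations that refer to this simplified circuit's former `W_3`, `W_4` are updated to `W_2`, `W_3`.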
@@ -796,8 +796,8 @@ \subsubsection{The boolean Type} \end{equation} Common circuit languages typically provide a gadget or a function to abstract over this circuit such that programers can use the $\wedge$ operator without caring about the associated circuit. In \lgname{PAPER}, we define the following function that compiles to the $\wedge$-operator's circuit: \begin{lstlisting} -fn AND(b_1 : BOOL, b_2 : BOOL) -> BOOL{ - let AND : BOOL ; +fn AND(b_1 : BOOL, b_2 : BOOL) -> BOOL { + let AND : BOOL ; AND <== MUL( b_1 , b_2) ; return AND ; } @@ -939,7 +939,7 @@ \subsubsection{The boolean Type} \end{align*} Common circuit languages typically provide a gadget or a function to abstract over this circuit such that programers can use the $\lnot$ operator without caring about the associated circuit. In \lgname{PAPER}, we define the following function that compiles to the $\lnot$-operator's circuit: \begin{lstlisting} -fn NOT(b : BOOL -> BOOL{ +fn NOT(b : BOOL) -> BOOL{ let NOT : BOOL ; let const c1 = 1 ; let const c2 = -1 ; From ec4436f44f6f10ad7d9120b507cc83394cf20b84 Mon Sep 17 00:00:00 2001 From: Vindaar Date: Thu, 27 Jun 2024 09:53:16 +0200 Subject: [PATCH 07/22] fix I_5 -> I_1 for prover example --- chapters/circuit-compilers-moonmath.tex | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/chapters/circuit-compilers-moonmath.tex b/chapters/circuit-compilers-moonmath.tex index 3ee8ca8c..dc8dda8e 100644 --- a/chapters/circuit-compilers-moonmath.tex +++ b/chapters/circuit-compilers-moonmath.tex 
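Review bot: in PATCH 06/22's second hunk (circuit-compilers-moonmath.tex:939), the corrected signature `fn NOT(b : BOOL) -> BOOL{` still lacks the space before `{` that the first hunk introduces for `fn AND(b_1 : BOOL, b_2 : BOOL) -> BOOL {`. Both listings are in the same chapter, so apply the same formatting to `NOT`.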
@@ -1290,9 +1290,9 @@ \subsubsection{The boolean Type} \end{align*} The reason why this R1CS only contains a single constraint for the multiplication gate in the OR-circuit, while the general definition \ref{def:boolean-or} requires two constraints, is that the second constraint in \ref{def:boolean-or_constraints} only appears because the final addition gate is connected to an output node. In this case, however, the final addition gate from the OR-circuit is enforced in the left factor of the $I_{1}$ constraint. Something similar holds true for the negation circuit. -During a prover-phase, some public instance $I_5$ must be given. To compute a constructive proof for the statement of the associated languages with respect to instance $I_5$, a prover has to find four boolean values $W_1$, $W_2$, $W_3$ and $W_4$ such that +During a prover-phase, some public instance $I_1$ must be given. To compute a constructive proof for the statement of the associated languages with respect to instance $I_1$, a prover has to find four boolean values $W_1$, $W_2$, $W_3$ and $W_4$ such that $$ -\left( W_1 \vee W_2 \right) \wedge (W_3 \wedge \lnot W_4) = I_5 +\left( W_1 \vee W_2 \right) \wedge (W_3 \wedge \lnot W_4) = I_1 $$ holds true. In our case neither the circuit nor the \lgname{PAPER} statement specifies how to find those values, and it is a problem that any prover has to solve outside of the circuit. This might or might not be true for other problems, too. In any case, once the prover found those values, they can execute the circuit to find a valid assignment. From e67e7ca7e4245b99acd0753591cf0b1481fcdcc1 Mon Sep 17 00:00:00 2001 
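Review bot: in PATCH 07/22's hunk (circuit-compilers-moonmath.tex:1290), the corrected sentence still opens with `During a prover-phase`, while the section headings elsewhere in this series write `The Prover Phase`; suggest `During the prover phase`. In the same hunk's context, `once the prover found those values` should read `once the prover has found those values`.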
From: Vindaar Date: Thu, 27 Jun 2024 12:12:42 +0200 Subject: [PATCH 08/22] fix m -> m-1 indices in binary field reps Note: I also changed the 0 \leq j < m to 0 \leq j \leq m because I first didn't realize the second operator was not a less than equal, but a real less than. --- chapters/circuit-compilers-moonmath.tex | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/chapters/circuit-compilers-moonmath.tex b/chapters/circuit-compilers-moonmath.tex index dc8dda8e..20db6d46 100644 --- a/chapters/circuit-compilers-moonmath.tex +++ b/chapters/circuit-compilers-moonmath.tex 
@@ -2025,11 +2025,19 @@ \subsubsection{Loops} In many programming languages, various loop control struct \subsection{Binary Field Representations} In applications, it is often necessary to enforce a binary representation of elements from the \texttt{field} type. To derive an appropriate circuit over a prime field $\F_p$, let $m=|p|_2$ be the smallest number of bits necessary to represent the prime modulus $p$. Then a bitstring $\in \{0,1\}^m$ is a binary representation of a field element $x\in\F_p$, if and only if \begin{equation} \label{def:binary_field_rep} -x = b_0\cdot 2^0 + b_1\cdot 2^1 + \ldots + b_m\cdot 2^{m-1} +x = b_0\cdot 2^0 + b_1\cdot 2^1 + \ldots + b_{m-1}\cdot 2^{m-1} \end{equation} -In this expression, addition and exponentiation is considered to be executed in $\F_p$, which is well defined since all terms $2^j$ for $0\leq j < m$ are elements of $\F_p$. Note, however, that in contrast to the binary representation of unsigned integers $n\in\N$, this representation is not unique in general, since the modular $p$ equivalence class might contain more than one binary representative. - -Considering that the underlying prime field is fixed and the most significant bit of the prime modulus is $m$, the following circuit flattens equation \ref{def:binary_field_rep}, assuming all inputs $b_1$, $\ldots$, $b_m$ are of boolean type. +In this expression, addition and exponentiation is considered to be +executed in $\F_p$, which is well defined since all terms $2^j$ for +$0 \leq j \leq m$ are elements of $\F_p$. Note, however, that in +contrast to the binary representation of unsigned integers $n\in\N$, +this representation is not unique in general, since the modular $p$ +equivalence class might contain more than one binary representative. 
+ +Considering that the underlying prime field is fixed and the most +significant bit of the prime modulus is $m-1$, the following circuit +flattens equation \ref{def:binary_field_rep}, assuming all inputs +$b_0$, $\ldots$, $b_{m-1}$ are of boolean type. \begin{center} \digraph[scale=0.3]{BINARYREP}{ forcelabels=true; From 895f7a2ace7f0322934bcad6b5470c72da0ee5c5 Mon Sep 17 00:00:00 2001 From: Vindaar Date: Thu, 27 Jun 2024 13:04:57 +0200 Subject: [PATCH 09/22] [groth16] use curly braces for parameter sets --- chapters/zk-protocols-moonmath.tex | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/chapters/zk-protocols-moonmath.tex b/chapters/zk-protocols-moonmath.tex index 3d74cb41..6c280050 100644 --- a/chapters/zk-protocols-moonmath.tex +++ b/chapters/zk-protocols-moonmath.tex @@ -60,7 +60,7 @@ \section{The ``Groth16'' Protocol} To be more precise, let $R$ be a Rank-1 Constraint System defined over some finite field $\F_r$. Then \term{Groth\_16 parameters} for $R$ are given by the following set: \begin{equation} \label{groth16-parameters} -\mathtt{Groth\_16-Param}(R)=(r, \G_1, \G_2, e(\cdot,\cdot), g_1,g_2) +\mathtt{Groth\_16-Param}(R)= \{ r, \G_1, \G_2, e(\cdot,\cdot), g_1,g_2 \} \end{equation} Here, $\G_1$ and $\G_2$ are finite cyclic groups of order $r$, $g_1$ is a generator of $\G_1$, $g_2$ is a generator of $\G_2$ and $e: \G_1 \times \G_2 \to \G_T$ is an efficiently computable, non-degenerate, bilinear pairing for some target group $\G_T$. In real-world applications, the parameter set is usually agreed on in advance. 
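Review bot: in PATCH 08/22's hunk (circuit-compilers-moonmath.tex:2025), the change from `0\leq j < m` to `0 \leq j \leq m` should be reverted: after the fix the bits are `b_0, \ldots, b_{m-1}`, so the exponents used in \ref{def:binary_field_rep} are exactly `2^j` for `0 \leq j < m` (equivalently `0 \leq j \leq m-1`); `2^m` is not a term of the sum. The commit message itself says the `\leq` came from misreading `<`. Two further points on the same hunk: `addition and exponentiation is considered` should be `are considered`, and `the most significant bit of the prime modulus is $m-1$` reads better as `sits at index $m-1$`. Finally, re-wrapping the paragraph to about 70 columns turns a two-token fix into a twelve-line diff; keep the original line breaks so the substantive change stays visible in `git blame`.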
@@ -77,13 +77,13 @@ \section{The ``Groth16'' Protocol} Assuming a trusted third party or the presence of a corresponding multi-party computation for the setup, the protocol is capable of deriving a zk-SNARK from a constructive proof for $R$, provided that the group order $r$ is suitably large, with the requirement being particularly applicable to being larger than the number of constraints in the associated R1CS. \begin{example}[The 3-Factorization Problem] -\label{ex:3-fac-groth-16-params} Consider the $3$-factorization problem from \ref{ex:3-factorization} and its associated algebraic circuit \ref{ex:3-fac-zk-circuit} as well the Rank-1 Constraint System from \ref{ex:3-factorization-r1cs}. In this example, we want to agree on a parameter set $(r, \G_1, \G_2, e(\cdot,\cdot), g_1, g_2)$ in order to use the Groth\_16 protocol for our $3$-factorization problem. +\label{ex:3-fac-groth-16-params} Consider the $3$-factorization problem from \ref{ex:3-factorization} and its associated algebraic circuit \ref{ex:3-fac-zk-circuit} as well the Rank-1 Constraint System from \ref{ex:3-factorization-r1cs}. In this example, we want to agree on a parameter set $\{r, \G_1, \G_2, e(\cdot,\cdot), g_1, g_2\}$ in order to use the Groth\_16 protocol for our $3$-factorization problem. To find proper parameters, first observe that the circuit \ref{ex:3-fac-zk-circuit}, as well as its associated R1CS $R_{3.fac\_zk}$ \ref{ex:3-factorization-r1cs} and the derived QAP \ref{ex:3-fac-QAP}, are defined over the field $\F_{13}$. We therefore have to choose pairing groups $\G_1$ and $\G_2$ of order $13$. We know from \ref{BLS6} that the moon-math curve \texttt{BLS6\_6} has two subgroups $\G_1[13]$ and $\G_2[13]$, which are both of order $13$. The associated Weil pairing $e(\cdot,\cdot)$ \ref{BLS6-weil-pairing} is efficiently computable, bilinear as well as non-degenerate. 
We therefore choose those groups and the Weil pairing together with the generators $g_1 = (13,15) $ and $g_2=(7v^2,16v^3)$ of $\G_1[13]$ and $\G_2[13]$, as a parameter set: $$ -\mathtt{Groth\_16-Param}(R_{3.fac\_zk})=(13, \G_1[13], \G_2[13], e(\cdot,\cdot), (13,15),(7v^2,16v^3)) +\mathtt{Groth\_16-Param}(R_{3.fac\_zk})= \{ 13, \G_1[13], \G_2[13], e(\cdot,\cdot), (13,15),(7v^2,16v^3) \} $$ It should be noted that our choice is not unique. Every pair of finite cyclic groups of order $13$ that has an efficiently computable, non-degenerate, bilinear pairing qualifies as a Groth\_16 parameter set. The situation is similar to real-world applications, where SNARKs with equivalent behavior are defined over different curves, used in different applications. \end{example} From 79deb5ab9b497fc0351f62e5ef933ef2a0ce381c Mon Sep 17 00:00:00 2001 From: Vindaar Date: Thu, 27 Jun 2024 13:26:54 +0200 Subject: [PATCH 10/22] add missing space --- chapters/zk-protocols-moonmath.tex | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chapters/zk-protocols-moonmath.tex b/chapters/zk-protocols-moonmath.tex index 6c280050..0620fa2c 100644 --- a/chapters/zk-protocols-moonmath.tex +++ b/chapters/zk-protocols-moonmath.tex 
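Review bot: in PATCH 09/22's second hunk (zk-protocols-moonmath.tex:77), the changed sentence still contains `as well the Rank-1 Constraint System`, which should be `as well as the Rank-1 Constraint System`. The context line above it, `with the requirement being particularly applicable to being larger than the number of constraints`, is hard to parse; `in particular, $r$ must be larger than the number of constraints in the associated R1CS` says the same thing directly.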
@@ -151,7 +151,7 @@ \subsection{The Setup Phase} Generating zk-SNARKs from constructive proofs in th \Tau = (6,5,4,3,2) $$ -We keep this secret in order to simulate proofs later on, but we are careful to hide $\Tau$ from anyone who hasn't read this book. Then we instantiate the \concept{Common Reference String} \ref{def:groth16-crs}from those values. Since our groups are subgroups of the \texttt{BLS6\_6} elliptic curve, we use scalar product notation instead of exponentiation. +We keep this secret in order to simulate proofs later on, but we are careful to hide $\Tau$ from anyone who hasn't read this book. Then we instantiate the \concept{Common Reference String} \ref{def:groth16-crs} from those values. Since our groups are subgroups of the \texttt{BLS6\_6} elliptic curve, we use scalar product notation instead of exponentiation. To compute the $\G_1$ part of the \concept{Common Reference String}, we use the logarithmic order of the group $\G_1$ \ref{BLS6-G1-log}, the generator $g_1=(13,15)$, as well as the values from the simulation trapdoor. Since $deg(T)=2$, we get the following: \begin{align*} From 1e07645f32b6c0fc6ec68c6aa45a59d3e9aa47b4 Mon Sep 17 00:00:00 2001 From: Vindaar Date: Thu, 27 Jun 2024 18:23:51 +0200 Subject: [PATCH 11/22] add missing example label (3-fac CRS), fix reference to equation --- chapters/zk-protocols-moonmath.tex | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/chapters/zk-protocols-moonmath.tex b/chapters/zk-protocols-moonmath.tex index 0620fa2c..a7dd35ac 100644 --- a/chapters/zk-protocols-moonmath.tex +++ b/chapters/zk-protocols-moonmath.tex 
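Review bot: in PATCH 10/22's hunk (zk-protocols-moonmath.tex:151), the context line `Since $deg(T)=2$` sets `deg` in italics as if it were a product of variables; `$\deg(T)=2$` gives the upright operator. It is the same one-character class of fix as the patch itself, so it could ride along.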
@@ -140,6 +140,7 @@ \subsection{The Setup Phase} Generating zk-SNARKs from constructive proofs in th However, finding a trusted third party can be challenging, thus alternative methods have been developed in practical applications. These utilize multi-party computation in the setup phase, which can be publicly verified for proper execution, and the simulation trapdoor is not recoverable if at least one participant destroys their contribution. Each participant holds only a fraction of the trapdoor, making it recoverable only if all participants collaborate and share their parts. \begin{example}[The $3$-factorization Problem] +\label{ex:3-fac-groth-16-crs} To see how the setup phase of a Groth\_16 zk-SNARK can be computed, consider the $3$-factorization problem from \ref{ex:3-factorization} and the Groth\_16 parameters from \examplename{} \ref{ex:3-fac-groth-16-params}. As we have seen in \ref{ex:3-fac-QAP}, an associated Quadratic Arithmetic Program is given by the following set: \begin{multline*} QAP(R_{3.fac\_zk}) =\{x^{2}+x+9,\\ @@ -200,7 +201,7 @@ \subsection{The Setup Phase} Generating zk-SNARKs from constructive proofs in th \end{align*} Putting all those values together, we see that the $\mathbb{G}_1$ part of the \concept{Common Reference String} is given by the following set of $12$ points from the \texttt{BLS6\_6} $13$-torsion group $\G_1$: \begin{equation} -\label{ex:3-fac-groth-16-crs} +\label{eq:3-fac-groth-16-crs} CRS_{\mathbb{G}_{1}}=\left\{ \begin{array}{c} (27,34),(26,34),(38,15),\Big((13,15),(33,34)\Big), \Big(\mathcal{O}, (33,9)\Big)\\ 
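Review bot: in PATCH 11/22's hunks at zk-protocols-moonmath.tex:140 and :200, moving the label `ex:3-fac-groth-16-crs` from the `equation` to the `example` means every existing `\ref{ex:3-fac-groth-16-crs}` that meant the CRS equation now silently resolves to the example number, with no LaTeX warning. This patch updates two `\eqref` uses in the prover phase; please grep the chapter for the remaining `\ref{ex:3-fac-groth-16-crs}` occurrences (the prover-phase hunks in PATCH 12/22 show at least two) and switch those that mean the set of points to `\eqref{eq:3-fac-groth-16-crs}`.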
@@ -392,7 +393,7 @@ \subsection{The Prover Phase} Given some Rank-1 Constraint System $R$ and instan The witness in a zk-SNARK is encoded in the exponent of a generator of a secure elliptic curve, making it invisible to anyone except the prover. Additionally, the presence of random field elements $r$ and $t$ randomizes each proof, ensuring that no two proofs correspond to the same witness. \begin{example}[The $3$-factorization Problem]\label{3-fac-snark-compute} To see how a prover might compute -a zk-SNARK, consider the $3$-factorization problem from \examplename{} \ref{ex:3-factorization}, our protocol parameters from \examplename{} \ref{ex:3-fac-groth-16-params} as well as the \concept{Common Reference String} from \eqref{ex:3-fac-groth-16-crs}. +a zk-SNARK, consider the $3$-factorization problem from \examplename{} \ref{ex:3-factorization}, our protocol parameters from \examplename{} \ref{ex:3-fac-groth-16-params} as well as the \concept{Common Reference String} from \eqref{eq:3-fac-groth-16-crs}. Our task is to compute a zk-SNARK for the instance $I_1=<11>$ and its constructive proof $=<2,3,4,6>$ as computed in \examplename{} \ref{ex:3-fac-R1CS-constr-proof}. As we know from \examplename{} \ref{ex:3-fac-QAP}, the associated polynomial $P_{(I;W)}$ of the Quadratic Arithmetic Program from \examplename{} \ref{ex:3-fac-QAP} is given as follows: $$ 
@@ -402,7 +403,7 @@ \subsection{The Prover Phase} Given some Rank-1 Constraint System $R$ and instan $$ H(x)= H_0 \cdot x^0 = 1 \cdot x^0 $$ -We therefore use $[\frac{\tau^0\cdot T(\tau)}{\delta}]g_1=(26,34)$ from our \concept{Common Reference String} \eqref{ex:3-fac-groth-16-crs} of the $3$-factorization problem and compute as follows: +We therefore use $[\frac{\tau^0\cdot T(\tau)}{\delta}]g_1=(26,34)$ from our \concept{Common Reference String} \eqref{eq:3-fac-groth-16-crs} of the $3$-factorization problem and compute as follows: \begin{align*} [\frac{H(\tau)\cdot T(\tau)}{\delta}]g_1 &= [H_0](26,34)=[1](26,34)\\ &= (26,34) From b1108b7246cc16b82a4233bd6e3c2da6e0004942 Mon Sep 17 00:00:00 2001 From: Vindaar Date: Thu, 27 Jun 2024 18:24:19 +0200 Subject: [PATCH 12/22] add labels to [A2]g_1, [A5]g_1 3-fac example, reference for clarity --- chapters/zk-protocols-moonmath.tex | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/chapters/zk-protocols-moonmath.tex b/chapters/zk-protocols-moonmath.tex index a7dd35ac..6b245f84 100644 --- a/chapters/zk-protocols-moonmath.tex +++ b/chapters/zk-protocols-moonmath.tex 
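Review bot: in PATCH 11/22's hunk at zk-protocols-moonmath.tex:402, the bracket in `$[\frac{\tau^0\cdot T(\tau)}{\delta}]g_1=(26,34)$` and in the following `[\frac{H(\tau)\cdot T(\tau)}{\delta}]g_1` is a plain `[`, which does not scale to the fraction; `\left[ \ldots \right]g_1` would match the `\left( \right)` treatment PATCH 03/22 gives the Lagrange fractions.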
@@ -241,7 +241,7 @@ \subsection{The Setup Phase} Generating zk-SNARKs from constructive proofs in th To understand how this \concept{Common Reference String} can be used to evaluate polynomials at the secret evaluation point in the exponent of a generator, let's assume that we have deleted the simulation trapdoor. In that case, assuming that the discrete logarithm problem is hard in our groups, we have no way to know the secret evaluation point anymore, hence, we cannot evaluate polynomials at that point. However, we can evaluate polynomials of smaller degree than the degree of the target polynomial in the exponent of both generators at that point. To see that, consider e.g. the polynomials $A_2(x)= 6x +10$ and $A_5(x)=7x+4$ from the QAP of this problem. To evaluate these polynomials in the exponent of $g_1$ and $g_2$ at the secret point $\tau$ without knowing the value of $\tau$ (which is $2$ in our case), we can use the \concept{Common Reference String} and equation \ref{eq:exp_evaluation-poly}. Using the scalar product notation instead of exponentiation, we get the following: -\begin{align*} +\begin{align} \label{eq:3-fac-A2-A5-g1} [A_2(\tau)]g_1 & = [6\cdot \tau^1 + 10\cdot \tau^0] g_1 \\ & = [6](33,34) + [10](13,15) & \text{\# } [\tau^0]g_1 = (13,15), [\tau^1]g_1 = (33,34)\\ & = [6\cdot 2](13,15) + [10](13,15) = [9](13,15) & \text{\# logarithmic order on } \G_1 \\ 
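Review bot: in PATCH 12/22's hunk at zk-protocols-moonmath.tex:241, switching `align*` to `align` with a single `\label{eq:3-fac-A2-A5-g1}` numbers every row of the block (each `\\` in an unstarred `align` ends a numbered equation), and the label attaches to the first row only, so `\eqref{eq:3-fac-A2-A5-g1}` prints the number of the `[A_2(\tau)]g_1` line while the `[A_5(\tau)]g_1` rows get their own numbers. Either add `\nonumber` (or `\notag`) to all rows but one, or wrap the block as `\begin{equation}\label{...}\begin{aligned} ... \end{aligned}\end{equation}` so the whole derivation gets one number.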
@@ -250,10 +250,10 @@ \subsection{The Setup Phase} Generating zk-SNARKs from constructive proofs in th & = [7](33,34) + [4](13,15) \\ & = [7\cdot 2](13,15) + [4](13,15) = [5](13,15)\\ & = (26,34) -\end{align*} +\end{align} Indeed, we are able to evaluate the polynomials in the exponent at a secret evaluation point, because that point is encrypted in the curve point $(33,34)$ and its secrecy is protected by the discrete logarithm assumption. Of course, in our computation, we recovered the secret point $\tau=2$, but that was only possible because we know the logarithmic order of our groups with respect to the generators. Such an order is infeasible in cryptographically secure curves. We can do the same computation on $\G_2$ and get the following: -\begin{align*} +\begin{align} \label{eq:3-fac-A2-A5-g2} [A_2(\tau)]g_2 & = [6\cdot \tau^1 + 10\cdot \tau^0] g_2 \\ & = [6](10v^2,28v^3) + [10](7v^2,16v^3) \\ & = [6\cdot 2](7v^2,16v^3) + [10](7v^2,16v^3) = [9](7v^2,16v^3) \\ @@ -262,7 +262,7 @@ \subsection{The Setup Phase} Generating zk-SNARKs from constructive proofs in th & = [7](10v^2,28v^3) + [4](7v^2,16v^3) \\ & = [7\cdot 2](7v^2,16v^3) + [4](7v^2,16v^3) = [5](7v^2,16v^3)\\ & = (16v^2,28v^3) -\end{align*} +\end{align} Apart from the target polynomial $T$, all other polynomials of the Quadratic Arithmetic Program can be evaluated in the exponent this way. \end{example} 
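Review bot: in PATCH 12/22's hunks at zk-protocols-moonmath.tex:250 and :262, the $\G_2$ block has the same numbering problem as the $\G_1$ block: `\begin{align} \label{eq:3-fac-A2-A5-g2}` with `\\`-separated rows numbers every row and labels only the first. Use `\nonumber` on the other rows, or `equation` around `aligned`, so the label denotes the whole computation.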
@@ -433,7 +433,7 @@ \subsection{The Prover Phase} Given some Rank-1 Constraint System $R$ and instan & \oplus [W_3][A_4(\tau)]g_1\oplus [W_4][A_5(\tau)]g_1\oplus [r][\delta]g_1 \end{align*} -Since we don't know what $\alpha$, $\delta$ and $\tau$ are, we look up $[\alpha]g_1$ and $[\delta]g_1$ from the \concept{Common Reference String}. According to \examplename{} \ref{ex:3-fac-groth-16-crs}, we have $[A_2(\tau)]g_1=(35,15)$, $[A_5(\tau)]g_1=(26,34)$ and $[A_j(\tau)]g_1=\mathcal{O}$ for all other indices $0\leq j\leq 5$. Since $\mathcal{O}$ is the neutral element on $\G_1$, we get the following: +Since we don't know what $\alpha$, $\delta$ and $\tau$ are, we look up $[\alpha]g_1$ and $[\delta]g_1$ from the \concept{Common Reference String}. According to \examplename{} \ref{ex:3-fac-groth-16-crs}, equation \eqref{eq:3-fac-A2-A5-g1}, we have $[A_2(\tau)]g_1=(35,15)$, $[A_5(\tau)]g_1=(26,34)$ and $[A_j(\tau)]g_1=\mathcal{O}$ for all other indices $0\leq j\leq 5$. Since $\mathcal{O}$ is the neutral element on $\G_1$, we get the following: \begin{align*} [A]g_1 &= (27,34) \oplus \mathcal{O} \oplus [11]\mathcal{O}\oplus [2](35,15) \oplus [3]\mathcal{O} \oplus [4]\mathcal{O}\oplus [6](26,34)\oplus [11](38,15)\\ &= (27,34)\oplus [2](35,15)\oplus [6](26,34)\oplus [11](38,15)\\ 
@@ -451,7 +451,7 @@ \subsection{The Prover Phase} Given some Rank-1 Constraint System $R$ and instan & \oplus [W_3][B_4(\tau)]g_2\oplus [W_4][B_5(\tau)]g_2\oplus [t][\delta]g_2\\ \end{align*} -Since we don't know what $\beta$, $\delta$ and $\tau$ are, we look up the associated group elements from the \concept{Common Reference String}. Recall from \ref{ex:3-fac-groth-16-crs} that we can evaluate $[B_j(\tau)]g_1$ without knowing the secret evaluation point $\tau$. Since $B_3=A_2$ and $B_4=A_5$, we have $[B_3(\tau)]g_1=(35,15)$, $[B_4(\tau)]g_1=(26,34)$ according to the computation in \ref{ex:3-fac-groth-16-crs}, and $[B_j(\tau)]g_1=\mathcal{O}$ for all other indices $0\leq j\leq 5$. Since $\mathcal{O}$ is the neutral element on $\G_1$, we get the following: +Since we don't know what $\beta$, $\delta$ and $\tau$ are, we look up the associated group elements from the \concept{Common Reference String}. Recall from \examplename{} \ref{ex:3-fac-groth-16-crs} that we can evaluate $[B_j(\tau)]g_1$ without knowing the secret evaluation point $\tau$. Since $B_3=A_2$ and $B_4=A_5$, we have $[B_3(\tau)]g_1=(35,15)$, $[B_4(\tau)]g_1=(26,34)$ according to the computation in eq. \eqref{eq:3-fac-A2-A5-g1}, and $[B_j(\tau)]g_1=\mathcal{O}$ for all other indices $0\leq j\leq 5$. Since $\mathcal{O}$ is the neutral element on $\G_1$, we get the following: \begin{align*} [B]g_1 &= (26,34) \oplus \mathcal{O}\oplus [11]\mathcal{O}\oplus [2]\mathcal{O} \oplus [3](35,15) \oplus [4](26,34)\oplus [6]\mathcal{O}\oplus [4](38,15)\\ &= (26,34)\oplus [3](35,15) \oplus [4](26,34)\oplus [4](38,15)\\ From 9c0991fc74c8b943a1a11a0f07492822427e0199 Mon Sep 17 00:00:00 2001 From: Vindaar Date: Thu, 27 Jun 2024 19:34:50 +0200 Subject: [PATCH 13/22] [groth16] add labels to prover / verifier eqs, ref them --- chapters/zk-protocols-moonmath.tex | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) 
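Review bot: in PATCH 12/22's hunk at zk-protocols-moonmath.tex:451, `according to the computation in eq. \eqref{eq:3-fac-A2-A5-g1}` renders as `eq. (N)`, while the sibling hunk at :433 writes `equation \eqref{...}`. Use the same wording in both.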
diff --git a/chapters/zk-protocols-moonmath.tex b/chapters/zk-protocols-moonmath.tex index 6b245f84..792c0589 100644 --- a/chapters/zk-protocols-moonmath.tex +++ b/chapters/zk-protocols-moonmath.tex 
@@ -371,13 +371,13 @@ \subsection{The Prover Phase} Given some Rank-1 Constraint System $R$ and instan \end{align*} After this has been done, the prover samples two random field elements $r,t\in \F_r$, and uses the \concept{Common Reference String}, the instance variables $I_1$, $\ldots$, $I_n$ and the witness variables $W_1$, $\ldots$, $W_m$ to compute the following curve points: -\begin{align*} +\begin{align}\label{eq:groth16_prover} g_1^W & = \Big( g_1^{\frac{\beta\cdot A_{1+n}(\tau)+\alpha\cdot B_{1+n}(\tau)+C_{1+n}(\tau)}{\delta}}\Big)^{W_1}\cdots \Big(g_1^{\frac{\beta\cdot A_{m+n}(\tau)+\alpha\cdot B_{m+n}(\tau)+C_{m+n}(\tau)}{\delta}}\Big)^{W_m}\\ g_1^A & = g_1^\alpha \cdot g_1^{A_0(\tau)} \cdot \Big(g_1^{A_1(\tau)}\Big)^{I_1}\cdots \Big(g_1^{A_n(\tau)}\Big)^{I_n} \cdot \Big(g_1^{A_{n+1}(\tau)}\Big)^{W_1}\cdots \Big(g_1^{A_{n+m}(\tau)}\Big)^{W_m} \cdot \Big(g_1^\delta\Big)^r \\ g_1^B & = g_1^\beta \cdot g_1^{B_0(\tau)} \cdot \Big(g_1^{B_1(\tau)}\Big)^{I_1}\cdots \Big(g_1^{B_n(\tau)}\Big)^{I_n} \cdot \Big(g_1^{B_{n+1}(\tau)}\Big)^{W_1}\cdots \Big(g_1^{B_{n+m}(\tau)}\Big)^{W_m} \cdot \Big(g_1^\delta\Big)^t\\ g_2^B & = g_2^\beta \cdot g_2^{B_0(\tau)} \cdot \Big(g_2^{B_1(\tau)}\Big)^{I_1}\cdots \Big(g_2^{B_n(\tau)}\Big)^{I_n} \cdot \Big(g_2^{B_{n+1}(\tau)}\Big)^{W_1}\cdots \Big(g_2^{B_{n+m}(\tau)}\Big)^{W_m} \cdot \Big(g_2^\delta\Big)^t \\ g_1^C & = g_1^W\cdot g_1^{\frac{H(\tau)\cdot T(\tau)}{\delta}} \cdot \Big(g_1^A\Big)^t \cdot \Big(g_1^B\Big)^r \cdot \Big(g_1^\delta\Big)^{-r\cdot t} -\end{align*} +\end{align} During this calculation, the group elements $g_1^{A_j(\tau)}$, $g_1^{B_j(\tau)}$, and $g_2^{B_j(\tau)}$ can be obtained from the Common Reference String and the Quadratic Arithmetic Program associated with the problem, as demonstrated in \ref{eq:exp_evaluation-poly}. These points only need to be computed once, and can be made public and reused for multiple proof generations as they are consistent across all instances and witnesses. 
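Review bot: a single \label placed directly after \begin{align} attaches to the first row ($g_1^W$) only, while all five rows ($g_1^W$, $g_1^A$, $g_1^B$, $g_2^B$, $g_1^C$) are numbered, so every later \eqref{eq:groth16_prover} points at the $g_1^W$ row even where the text is discussing $g_1^A$ or $g_1^C$. Suggest one label per row, or wrapping the block in subequations if a collective number is wanted. While here, the context sentence's "as demonstrated in \ref{eq:exp_evaluation-poly}" should be \eqref for consistency with the references this patch introduces.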
The remaining group elements are part of the Common Reference String. @@ -409,7 +409,7 @@ \subsection{The Prover Phase} Given some Rank-1 Constraint System $R$ and instan &= (26,34) \end{align*} -In the next step, we have to compute all group elements required for a proper Groth16 zk-SNARK \eqref{def:groth16-snark}. We start with $g_1^W$. Using scalar products instead of the exponential notation, and $\oplus$ for the group law on the \curvename{BLS6\_6} curve, we have to compute the point $[W]g_1$: +In the next step, we have to compute all group elements required for a proper Groth16 zk-SNARK \eqref{def:groth16-snark}. We start with $g_1^W$ (see eq. \eqref{eq:groth16_prover}). Using scalar products instead of the exponential notation, and $\oplus$ for the group law on the \curvename{BLS6\_6} curve, we have to compute the point $[W]g_1$: \begin{align*} [W]g_1 = & \phantom{\oplus} [W_1] g_1^{\frac{\beta\cdot A_{2}(\tau)+\alpha\cdot B_{2}(\tau)+C_{2}(\tau)}{\delta}} \oplus [W_2] g_1^{\frac{\beta\cdot A_{3}(\tau)+\alpha\cdot B_{3}(\tau)+C_{3}(\tau)}{\delta}} @@ -426,7 +426,7 @@ \subsection{The Prover Phase} Given some Rank-1 Constraint System $R$ and instan & = (38,28) \end{align*} -In a next step, we compute $g_1^A$. We sample the random point $r=11$ from $\F_{13}$, using scalar products instead of the exponential notation, and $\oplus$ for the group law on the \texttt{BLS6\_6} curve. We then have to compute the following expression: +In a next step, we compute $g_1^A$ (see eq. \eqref{eq:groth16_prover}). We sample the random point $r=11$ from $\F_{13}$, using scalar products instead of the exponential notation, and $\oplus$ for the group law on the \texttt{BLS6\_6} curve. We then have to compute the following expression: \begin{align*} [A]g_1 = &\phantom{\oplus} [\alpha]g_1 \oplus [A_0(\tau)]g_1 \oplus [I_1][A_1(\tau)]g_1\oplus [W_1][A_2(\tau)]g_1 \oplus [W_2][A_3(\tau)]g_1\\ 
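Review bot: "(see eq. \eqref{eq:groth16_prover})" nests parentheses in both the -409 and -426 hunks, since \eqref already typesets its own, giving "(see eq. (n))"; "see eq.~\eqref{...}" without the outer parentheses reads cleaner and the tie stops the number wrapping onto the next line. In the -426 hunk "We sample the random point $r=11$ from $\F_{13}$" should read "random field element", matching "the prover samples two random field elements $r,t\in \F_r$" in the -371 hunk; $r$ is a scalar, not a curve point.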
@@ -442,7 +442,7 @@ \subsection{The Prover Phase} Given some Rank-1 Constraint System $R$ and instan &= (35,15) \end{align*} -In order to compute the two curve points $[B]g_1$ and $[B]g_2$, we sample another random element $t=4$ from $\F_{13}$. Using the scalar product instead of the exponential notation, and $\oplus$ for the group law on the \texttt{BLS6\_6} curve, we have to compute the following expressions: +In order to compute the two curve points $[B]g_1$ and $[B]g_2$ (see eq. \eqref{eq:groth16_prover}), we sample another random element $t=4$ from $\F_{13}$. Using the scalar product instead of the exponential notation, and $\oplus$ for the group law on the \texttt{BLS6\_6} curve, we have to compute the following expressions: \begin{align*} [B]g_1 = &\phantom{\oplus} [\beta]g_1 \oplus [B_0(\tau)]g_1 \oplus [I_1][B_1(\tau)]g_1\oplus [W_1][B_2(\tau)]g_1 \oplus [W_2][B_3(\tau)]g_1\\ @@ -468,7 +468,7 @@ \subsection{The Prover Phase} Given some Rank-1 Constraint System $R$ and instan &= (7v^2,27v^3) \end{align*} -In a last step, we combine the previous computations to compute the point $[C]g_1$ in the group $\G_1$ as follows: +In a last step, we combine the previous computations to compute the point $[C]g_1$ (see eq. \eqref{eq:groth16_prover}) in the group $\G_1$ as follows: \begin{align*} [C]g_1 & = [W]g_1\oplus [\frac{H(s)\cdot T(\tau)}{\delta}]g_1 \oplus [t][A]g_1 \oplus [r][B]g_1 \oplus [-r\cdot t][\delta]g_1\\ & = (38,28)\oplus (26,34) \oplus [4](35,15) \oplus [11](13,28) \oplus [-11\cdot 4](38,15)\\ 
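Review bot: the context row of the -468 hunk, "[C]g_1 & = [W]g_1\oplus [\frac{H(s)\cdot T(\tau)}{\delta}]g_1 ...", evaluates $H$ at $s$ while the general formula in the -371 hunk is $g_1^{\frac{H(\tau)\cdot T(\tau)}{\delta}}$; since this patch adds a reference from this sentence to that formula, the worked example should use $H(\tau)$ as well. Consider also \left[ ... \right] around the fraction so the brackets match its height.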
@@ -536,9 +536,9 @@ \subsection{The Verification Phase} The objective of the verification phase in a Groth\_16 zk-SNARK, given a Rank-1 Constraint System $R$, an instance $I = $, and a zk-SNARK $\pi$ (as defined in \ref{def:groth16-snark}), is to confirm that $\pi$ constitutes a valid proof. If the simulation trapdoor is no longer present and the proof passes the verification checks, the verifier can be convinced that there exists a witness $W = $ such that $(I;W)$ belongs to the language of $R$. To achieve this in the Groth\_16 protocol, we assume that any verifier is able to compute the pairing map $e(\cdot,\cdot)$ efficiently, and has access to the \concept{Common Reference String} used to produce the zk-SNARK $\pi$. In order to verify the zk-SNARK with respect to the instance $$, the verifier computes the following curve point: -\begin{align*} +\begin{align}\label{eq:groth16_verify} g_1^I & = \Big(g_1^{\frac{\beta\cdot A_{0}(\tau)+\alpha\cdot B_{0}(\tau)+C_{0}(\tau)}{\gamma}}\Big)\cdot \Big(g_1^{\frac{\beta\cdot A_{1}(\tau)+\alpha\cdot B_{1}(\tau)+C_{1}(\tau)}{\gamma}}\Big)^{I_1} \cdots \Big(g_1^{\frac{\beta\cdot A_{n}(\tau)+\alpha\cdot B_{n}(\tau)+C_{n}(\tau)}{\gamma}}\Big)^{I_n}\\ -\end{align*} +\end{align} With this group element, the verifier is able to verify the zk-SNARK $\pi=(g_1^A,g_1^C,g_2^B)$ by checking the following equation using the pairing map: \begin{equation} \label{def:groth16-verifier-equation} 
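Review bot: the $g_1^I$ row still ends in "\\" immediately before \end{align}, and in a numbered amsmath align a trailing \\ produces an extra empty row carrying its own equation number; drop the trailing \\ when switching from align* to align, otherwise eq:groth16_verify is followed by a blank numbered line.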
@@ -557,7 +557,7 @@ \subsection{The Verification Phase} \label{3-fac-snark-verifier} To see how a verifier might verify a zk-SNARK for some given instance $I$, consider the $3$-factorization problem from \examplename{} \ref{ex:3-factorization}, our protocol parameters from \examplename{} \ref{ex:3-fac-groth-16-params}, the \concept{Common Reference String} from \eqref{ex:3-fac-groth-16-crs} as well as the zk-SNARK $\pi=((35,15),(27,9),(7v^2,27v^3))$ from \examplename{} \eqref{ex:3-fac-groth-16-snark}, which claims to be an argument of knowledge for a witness for the instance $I_1=<11>$. -In order to verify the zk-SNARK for that instance, we first compute the curve point $g_1^I$. Using scalar products instead of the exponential notation, and $\oplus$ for the group law on the \texttt{BLS6\_6} curve, we have to compute the point $[I]g_1$ as follows: +In order to verify the zk-SNARK for that instance, we first compute the curve point $g_1^I$ (see eq. \eqref{eq:groth16_verify}). Using scalar products instead of the exponential notation, and $\oplus$ for the group law on the \texttt{BLS6\_6} curve, we have to compute the point $[I]g_1$ as follows: \begin{align*} [I]g_1 = & [\frac{\beta\cdot A_{0}(\tau)+\alpha\cdot B_{0}(\tau)+C_{0}(\tau)}{\gamma}]g_1 \oplus [I_1][\frac{\beta\cdot A_{1}(\tau)+\alpha\cdot B_{1}(\tau)+C_{1}(\tau)}{\gamma}]g_1 From 948f1bd8db7afafe7417e5efc9f422a181f78d2e Mon Sep 17 00:00:00 2001 From: Vindaar Date: Thu, 27 Jun 2024 19:35:28 +0200 Subject: [PATCH 14/22] [groth16] add missing reference to CRS for 3-fac example --- chapters/zk-protocols-moonmath.tex | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chapters/zk-protocols-moonmath.tex b/chapters/zk-protocols-moonmath.tex index 792c0589..5aa1f475 100644 --- a/chapters/zk-protocols-moonmath.tex +++ b/chapters/zk-protocols-moonmath.tex 
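Review bot: in the context sentence of this hunk, "\eqref{ex:3-fac-groth-16-crs}" and "\examplename{} \eqref{ex:3-fac-groth-16-snark}" apply \eqref to example labels, which typesets the example numbers in parentheses as if they were equations; these should be \ref, as already done for \examplename{} \ref{ex:3-factorization} and \ref{ex:3-fac-groth-16-params} in the same sentence.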
@@ -563,7 +563,7 @@ \subsection{The Verification Phase} [I]g_1 = & [\frac{\beta\cdot A_{0}(\tau)+\alpha\cdot B_{0}(\tau)+C_{0}(\tau)}{\gamma}]g_1 \oplus [I_1][\frac{\beta\cdot A_{1}(\tau)+\alpha\cdot B_{1}(\tau)+C_{1}(\tau)}{\gamma}]g_1 \end{align*} -To compute this point, we have to remember that a verifier should not be in possession of the simulation trapdoor, which means that they should not know what $\alpha$, $\beta$, $\gamma$ and $\tau$ are. In order to compute this group element, the verifier therefore needs the \concept{Common Reference String}. Using the logarithmic order from \eqref{BLS6-G1-log} and instance $I_1$, we get the following: +To compute this point, we have to remember that a verifier should not be in possession of the simulation trapdoor, which means that they should not know what $\alpha$, $\beta$, $\gamma$ and $\tau$ are. In order to compute this group element, the verifier therefore needs the \concept{Common Reference String} (\eqref{eq:3-fac-groth-16-crs}). Using the logarithmic order from \eqref{BLS6-G1-log} and instance $I_1$, we get the following: \begin{align*} [I]g_1 & = [\frac{\beta\cdot A_{0}(\tau)+\alpha\cdot B_{0}(\tau)+C_{0}(\tau)}{\gamma}]g_1 \oplus [I_1][\frac{\beta\cdot A_{1}(\tau)+\alpha\cdot B_{1}(\tau)+C_{1}(\tau)}{\gamma}]g_1\\ From a31e0ff00bf81c8860802b5cf9fafa564851d5d9 Mon Sep 17 00:00:00 2001 From: Vindaar Date: Thu, 27 Jun 2024 19:44:30 +0200 Subject: [PATCH 15/22] [groth16] explicitly state g_1^C in proof sim equation --- chapters/zk-protocols-moonmath.tex | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chapters/zk-protocols-moonmath.tex b/chapters/zk-protocols-moonmath.tex index 5aa1f475..2c1b52ed 100644 --- a/chapters/zk-protocols-moonmath.tex +++ b/chapters/zk-protocols-moonmath.tex 
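Review bot: the new reference uses the key eq:3-fac-groth-16-crs, whereas every other reference to the Common Reference String example on this page uses ex:3-fac-groth-16-crs (e.g. "\examplename{} \ref{ex:3-fac-groth-16-crs}" in the -433 and -451 hunks); unless a separate eq: label exists, this compiles to "??". Also "(\eqref{...})" doubles the parentheses; "(\examplename{} \ref{ex:3-fac-groth-16-crs})" would match the rest of the text.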
@@ -650,7 +650,7 @@ \subsection{Proof Simulation} \begin{align} \label{def:groth16-simulated-proof} -g_1^{\frac{A\cdot B}{\delta}}\cdot g_1^{-\frac{\alpha\cdot \beta}{\delta}}\cdot g_1^{-\frac{\beta A_0(\tau) + \alpha B_0(\tau)+ C_0(\tau)}{\delta}}\cdot \Big(g_1^{-\frac{\beta A_1(\tau) + \alpha B_1(\tau)+ C_1(\tau)}{\delta}}\Big)^{I_1}\cdots \Big(g_1^{-\frac{\beta A_n(\tau) + \alpha B_n(\tau)+ C_n(\tau)}{\delta}}\Big)^{I_n}\ +g_1^C = g_1^{\frac{A\cdot B}{\delta}}\cdot g_1^{-\frac{\alpha\cdot \beta}{\delta}}\cdot g_1^{-\frac{\beta A_0(\tau) + \alpha B_0(\tau)+ C_0(\tau)}{\delta}}\cdot \Big(g_1^{-\frac{\beta A_1(\tau) + \alpha B_1(\tau)+ C_1(\tau)}{\delta}}\Big)^{I_1}\cdots \Big(g_1^{-\frac{\beta A_n(\tau) + \alpha B_n(\tau)+ C_n(\tau)}{\delta}}\Big)^{I_n}\ \end{align} The forger then publishes the zk-SNARK $\pi_{forged} = (g_1^A, g_1^C, g_2^B)$, which will pass the verification process and is computable without the existence of a witness $$. From 6e501dcf7a7fb0147f19e2983369592c37a3a0ed Mon Sep 17 00:00:00 2001 From: Vindaar Date: Thu, 27 Jun 2024 20:12:02 +0200 Subject: [PATCH 16/22] fix labeling of [A2/5]g_1/2 eqs in align sections --- chapters/zk-protocols-moonmath.tex | 40 +++++++++++++++--------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/chapters/zk-protocols-moonmath.tex b/chapters/zk-protocols-moonmath.tex index 2c1b52ed..7e2781fd 100644 --- a/chapters/zk-protocols-moonmath.tex +++ b/chapters/zk-protocols-moonmath.tex 
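Review bot: the modified line keeps the stray "\ " (control space) before the line break ahead of \end{align}, which adds a spurious space at the end of the display, and with a single row align offers nothing over equation here. Naming the left-hand side $g_1^C$ does match the surrounding text, which says the forger computes $g_1^C$ and then publishes $\pi_{forged} = (g_1^A, g_1^C, g_2^B)$.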
@@ -241,27 +241,27 @@ \subsection{The Setup Phase} Generating zk-SNARKs from constructive proofs in th To understand how this \concept{Common Reference String} can be used to evaluate polynomials at the secret evaluation point in the exponent of a generator, let's assume that we have deleted the simulation trapdoor. In that case, assuming that the discrete logarithm problem is hard in our groups, we have no way to know the secret evaluation point anymore, hence, we cannot evaluate polynomials at that point. However, we can evaluate polynomials of smaller degree than the degree of the target polynomial in the exponent of both generators at that point. To see that, consider e.g. the polynomials $A_2(x)= 6x +10$ and $A_5(x)=7x+4$ from the QAP of this problem. To evaluate these polynomials in the exponent of $g_1$ and $g_2$ at the secret point $\tau$ without knowing the value of $\tau$ (which is $2$ in our case), we can use the \concept{Common Reference String} and equation \ref{eq:exp_evaluation-poly}. 
Using the scalar product notation instead of exponentiation, we get the following: -\begin{align} \label{eq:3-fac-A2-A5-g1} -[A_2(\tau)]g_1 & = [6\cdot \tau^1 + 10\cdot \tau^0] g_1 \\ - & = [6](33,34) + [10](13,15) & \text{\# } [\tau^0]g_1 = (13,15), [\tau^1]g_1 = (33,34)\\ - & = [6\cdot 2](13,15) + [10](13,15) = [9](13,15) & \text{\# logarithmic order on } \G_1 \\ - & = (35,15)\\ -[A_5(\tau)]g_1 & = [7\cdot \tau^1 + 4\cdot \tau^0] g_1 \\ - & = [7](33,34) + [4](13,15) \\ - & = [7\cdot 2](13,15) + [4](13,15) = [5](13,15)\\ - & = (26,34) +\begin{align} +[A_2(\tau)]g_1 & = [6\cdot \tau^1 + 10\cdot \tau^0] g_1 \nonumber \\ + & = [6](33,34) + [10](13,15) & \text{\# } [\tau^0]g_1 = (13,15), [\tau^1]g_1 = (33,34) \nonumber \\ + & = [6\cdot 2](13,15) + [10](13,15) = [9](13,15) & \text{\# logarithmic order on } \G_1 \nonumber \\ + & = (35,15) \label{eq:3-fac-A2-g1} \\ +[A_5(\tau)]g_1 & = [7\cdot \tau^1 + 4\cdot \tau^0] g_1 \nonumber \\ + & = [7](33,34) + [4](13,15) \nonumber \\ + & = [7\cdot 2](13,15) + [4](13,15) = [5](13,15) \nonumber \\ + & = (26,34) \label{eq:3-fac-A5-g1} \end{align} Indeed, we are able to evaluate the polynomials in the exponent at a secret evaluation point, because that point is encrypted in the curve point $(33,34)$ and its secrecy is protected by the discrete logarithm assumption. Of course, in our computation, we recovered the secret point $\tau=2$, but that was only possible because we know the logarithmic order of our groups with respect to the generators. Such an order is infeasible in cryptographically secure curves. 
We can do the same computation on $\G_2$ and get the following: -\begin{align} \label{eq:3-fac-A2-A5-g2} -[A_2(\tau)]g_2 & = [6\cdot \tau^1 + 10\cdot \tau^0] g_2 \\ - & = [6](10v^2,28v^3) + [10](7v^2,16v^3) \\ - & = [6\cdot 2](7v^2,16v^3) + [10](7v^2,16v^3) = [9](7v^2,16v^3) \\ - & = (37v^2,16v^3)\\ -[A_5(\tau)]g_2 & = [7\cdot \tau^1 + 4\cdot \tau^0] g_1 \\ - & = [7](10v^2,28v^3) + [4](7v^2,16v^3) \\ - & = [7\cdot 2](7v^2,16v^3) + [4](7v^2,16v^3) = [5](7v^2,16v^3)\\ - & = (16v^2,28v^3) +\begin{align} +[A_2(\tau)]g_2 & = [6\cdot \tau^1 + 10\cdot \tau^0] g_2 \nonumber \\ + & = [6](10v^2,28v^3) + [10](7v^2,16v^3) \nonumber \\ + & = [6\cdot 2](7v^2,16v^3) + [10](7v^2,16v^3) = [9](7v^2,16v^3) \nonumber \\ + & = (37v^2,16v^3) \label{eq:3-fac-A2-g2} \\ +[A_5(\tau)]g_2 & = [7\cdot \tau^1 + 4\cdot \tau^0] g_1 \nonumber \\ + & = [7](10v^2,28v^3) + [4](7v^2,16v^3) \nonumber \\ + & = [7\cdot 2](7v^2,16v^3) + [4](7v^2,16v^3) = [5](7v^2,16v^3) \nonumber \\ + & = (16v^2,28v^3) \label{eq:3-fac-A5-g2} \end{align} Apart from the target polynomial $T$, all other polynomials of the Quadratic Arithmetic Program can be evaluated in the exponent this way. 
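Review bot: the row "[A_5(\tau)]g_2 & = [7\cdot \tau^1 + 4\cdot \tau^0] g_1 \nonumber \\" in the $\G_2$ block has $g_1$ on the right-hand side where it must be $g_2$ (compare the $[A_2(\tau)]g_2$ row above it and the $\G_2$ points $(7v^2,16v^3)$ used on the next row); the typo is carried over from the removed line and should be fixed while relabelling. In both blocks the group operation is written with "+" ($[6](33,34) + [10](13,15)$) whereas the prover-phase displays use $\oplus$; consider using $\oplus$ consistently.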
@@ -433,7 +433,7 @@ \subsection{The Prover Phase} Given some Rank-1 Constraint System $R$ and instan & \oplus [W_3][A_4(\tau)]g_1\oplus [W_4][A_5(\tau)]g_1\oplus [r][\delta]g_1 \end{align*} -Since we don't know what $\alpha$, $\delta$ and $\tau$ are, we look up $[\alpha]g_1$ and $[\delta]g_1$ from the \concept{Common Reference String}. According to \examplename{} \ref{ex:3-fac-groth-16-crs}, equation \eqref{eq:3-fac-A2-A5-g1}, we have $[A_2(\tau)]g_1=(35,15)$, $[A_5(\tau)]g_1=(26,34)$ and $[A_j(\tau)]g_1=\mathcal{O}$ for all other indices $0\leq j\leq 5$. Since $\mathcal{O}$ is the neutral element on $\G_1$, we get the following: +Since we don't know what $\alpha$, $\delta$ and $\tau$ are, we look up $[\alpha]g_1$ and $[\delta]g_1$ from the \concept{Common Reference String}. According to \examplename{} \ref{ex:3-fac-groth-16-crs} we have $[A_2(\tau)]g_1=(35,15)$ \eqref{eq:3-fac-A2-g1}, $[A_5(\tau)]g_1=(26,34)$ \eqref{eq:3-fac-A5-g1} and $[A_j(\tau)]g_1=\mathcal{O}$ for all other indices $0\leq j\leq 5$. Since $\mathcal{O}$ is the neutral element on $\G_1$, we get the following: \begin{align*} [A]g_1 &= (27,34) \oplus \mathcal{O} \oplus [11]\mathcal{O}\oplus [2](35,15) \oplus [3]\mathcal{O} \oplus [4]\mathcal{O}\oplus [6](26,34)\oplus [11](38,15)\\ &= (27,34)\oplus [2](35,15)\oplus [6](26,34)\oplus [11](38,15)\\ 
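Review bot: "According to \examplename{} \ref{ex:3-fac-groth-16-crs} we have $[A_2(\tau)]g_1=(35,15)$ \eqref{eq:3-fac-A2-g1}" wants a comma after the example reference, and the two \eqref tags should be tied to the preceding value with "~" so an equation number cannot start a line.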
@@ -451,7 +451,7 @@ \subsection{The Prover Phase} Given some Rank-1 Constraint System $R$ and instan & \oplus [W_3][B_4(\tau)]g_2\oplus [W_4][B_5(\tau)]g_2\oplus [t][\delta]g_2\\ \end{align*} -Since we don't know what $\beta$, $\delta$ and $\tau$ are, we look up the associated group elements from the \concept{Common Reference String}. Recall from \examplename{} \ref{ex:3-fac-groth-16-crs} that we can evaluate $[B_j(\tau)]g_1$ without knowing the secret evaluation point $\tau$. Since $B_3=A_2$ and $B_4=A_5$, we have $[B_3(\tau)]g_1=(35,15)$, $[B_4(\tau)]g_1=(26,34)$ according to the computation in eq. \eqref{eq:3-fac-A2-A5-g1}, and $[B_j(\tau)]g_1=\mathcal{O}$ for all other indices $0\leq j\leq 5$. Since $\mathcal{O}$ is the neutral element on $\G_1$, we get the following: +Since we don't know what $\beta$, $\delta$ and $\tau$ are, we look up the associated group elements from the \concept{Common Reference String}. Recall from \examplename{} \ref{ex:3-fac-groth-16-crs} that we can evaluate $[B_j(\tau)]g_1$ without knowing the secret evaluation point $\tau$. Since $B_3=A_2$ and $B_4=A_5$, we have $[B_3(\tau)]g_1=(35,15)$, $[B_4(\tau)]g_1=(26,34)$ according to the computation in eq. \eqref{eq:3-fac-A2-g1} and \eqref{eq:3-fac-A5-g1}, and $[B_j(\tau)]g_1=\mathcal{O}$ for all other indices $0\leq j\leq 5$. Since $\mathcal{O}$ is the neutral element on $\G_1$, we get the following: \begin{align*} [B]g_1 &= (26,34) \oplus \mathcal{O}\oplus [11]\mathcal{O}\oplus [2]\mathcal{O} \oplus [3](35,15) \oplus [4](26,34)\oplus [6]\mathcal{O}\oplus [4](38,15)\\ &= (26,34)\oplus [3](35,15) \oplus [4](26,34)\oplus [4](38,15)\\ From 1d7bd386a423a32f2509bc014ffd3125c3e284da Mon Sep 17 00:00:00 2001 From: Vindaar Date: Thu, 27 Jun 2024 20:13:03 +0200 Subject: [PATCH 17/22] fix references to g_1^A, ... eqs in prover example --- chapters/zk-protocols-moonmath.tex | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) 
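Review bot: "according to the computation in eq. \eqref{eq:3-fac-A2-g1} and \eqref{eq:3-fac-A5-g1}" cites two displays, so "eqs." (or simply "in \eqref{...} and \eqref{...}", as the -433 hunk of this patch does) is the grammatical form.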
diff --git a/chapters/zk-protocols-moonmath.tex b/chapters/zk-protocols-moonmath.tex index 7e2781fd..d838470e 100644 --- a/chapters/zk-protocols-moonmath.tex +++ b/chapters/zk-protocols-moonmath.tex 
@@ -371,12 +371,12 @@ \subsection{The Prover Phase} Given some Rank-1 Constraint System $R$ and instan \end{align*} After this has been done, the prover samples two random field elements $r,t\in \F_r$, and uses the \concept{Common Reference String}, the instance variables $I_1$, $\ldots$, $I_n$ and the witness variables $W_1$, $\ldots$, $W_m$ to compute the following curve points: -\begin{align}\label{eq:groth16_prover} -g_1^W & = \Big( g_1^{\frac{\beta\cdot A_{1+n}(\tau)+\alpha\cdot B_{1+n}(\tau)+C_{1+n}(\tau)}{\delta}}\Big)^{W_1}\cdots \Big(g_1^{\frac{\beta\cdot A_{m+n}(\tau)+\alpha\cdot B_{m+n}(\tau)+C_{m+n}(\tau)}{\delta}}\Big)^{W_m}\\ -g_1^A & = g_1^\alpha \cdot g_1^{A_0(\tau)} \cdot \Big(g_1^{A_1(\tau)}\Big)^{I_1}\cdots \Big(g_1^{A_n(\tau)}\Big)^{I_n} \cdot \Big(g_1^{A_{n+1}(\tau)}\Big)^{W_1}\cdots \Big(g_1^{A_{n+m}(\tau)}\Big)^{W_m} \cdot \Big(g_1^\delta\Big)^r \\ -g_1^B & = g_1^\beta \cdot g_1^{B_0(\tau)} \cdot \Big(g_1^{B_1(\tau)}\Big)^{I_1}\cdots \Big(g_1^{B_n(\tau)}\Big)^{I_n} \cdot \Big(g_1^{B_{n+1}(\tau)}\Big)^{W_1}\cdots \Big(g_1^{B_{n+m}(\tau)}\Big)^{W_m} \cdot \Big(g_1^\delta\Big)^t\\ -g_2^B & = g_2^\beta \cdot g_2^{B_0(\tau)} \cdot \Big(g_2^{B_1(\tau)}\Big)^{I_1}\cdots \Big(g_2^{B_n(\tau)}\Big)^{I_n} \cdot \Big(g_2^{B_{n+1}(\tau)}\Big)^{W_1}\cdots \Big(g_2^{B_{n+m}(\tau)}\Big)^{W_m} \cdot \Big(g_2^\delta\Big)^t \\ -g_1^C & = g_1^W\cdot g_1^{\frac{H(\tau)\cdot T(\tau)}{\delta}} \cdot \Big(g_1^A\Big)^t \cdot \Big(g_1^B\Big)^r \cdot \Big(g_1^\delta\Big)^{-r\cdot t} +\begin{align} +g_1^W & = \Big( g_1^{\frac{\beta\cdot A_{1+n}(\tau)+\alpha\cdot B_{1+n}(\tau)+C_{1+n}(\tau)}{\delta}}\Big)^{W_1}\cdots \Big(g_1^{\frac{\beta\cdot A_{m+n}(\tau)+\alpha\cdot B_{m+n}(\tau)+C_{m+n}(\tau)}{\delta}}\Big)^{W_m} \label{eq:groth16_prover:g1W} \\ +g_1^A & = g_1^\alpha \cdot g_1^{A_0(\tau)} \cdot \Big(g_1^{A_1(\tau)}\Big)^{I_1}\cdots \Big(g_1^{A_n(\tau)}\Big)^{I_n} \cdot \Big(g_1^{A_{n+1}(\tau)}\Big)^{W_1}\cdots \Big(g_1^{A_{n+m}(\tau)}\Big)^{W_m} \cdot 
\Big(g_1^\delta\Big)^r \label{eq:groth16_prover:g1A} \\ +g_1^B & = g_1^\beta \cdot g_1^{B_0(\tau)} \cdot \Big(g_1^{B_1(\tau)}\Big)^{I_1}\cdots \Big(g_1^{B_n(\tau)}\Big)^{I_n} \cdot \Big(g_1^{B_{n+1}(\tau)}\Big)^{W_1}\cdots \Big(g_1^{B_{n+m}(\tau)}\Big)^{W_m} \cdot \Big(g_1^\delta\Big)^t \label{eq:groth16_prover:g1B} \\ +g_2^B & = g_2^\beta \cdot g_2^{B_0(\tau)} \cdot \Big(g_2^{B_1(\tau)}\Big)^{I_1}\cdots \Big(g_2^{B_n(\tau)}\Big)^{I_n} \cdot \Big(g_2^{B_{n+1}(\tau)}\Big)^{W_1}\cdots \Big(g_2^{B_{n+m}(\tau)}\Big)^{W_m} \cdot \Big(g_2^\delta\Big)^t \label{eq:groth16_prover:g2B}\\ +g_1^C & = g_1^W\cdot g_1^{\frac{H(\tau)\cdot T(\tau)}{\delta}} \cdot \Big(g_1^A\Big)^t \cdot \Big(g_1^B\Big)^r \cdot \Big(g_1^\delta\Big)^{-r\cdot t} \label{eq:groth16_prover:g1C} \end{align} During this calculation, the group elements $g_1^{A_j(\tau)}$, $g_1^{B_j(\tau)}$, and $g_2^{B_j(\tau)}$ can be obtained from the Common Reference String and the Quadratic Arithmetic Program associated with the problem, as demonstrated in \ref{eq:exp_evaluation-poly}. These points only need to be computed once, and can be made public and reused for multiple proof generations as they are consistent across all instances and witnesses. The remaining group elements are part of the Common Reference String. 
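Review bot: removing \label{eq:groth16_prover} leaves any remaining \eqref{eq:groth16_prover} undefined; the five references in this file are updated in the hunks that follow, but the label was introduced only a few patches earlier, so grep the other chapters before merging. If a collective reference to the whole prover block is still useful, wrapping the align in subequations with the old label keeps both the per-row labels added here and a group number.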
@@ -409,7 +409,7 @@ \subsection{The Prover Phase} Given some Rank-1 Constraint System $R$ and instan &= (26,34) \end{align*} -In the next step, we have to compute all group elements required for a proper Groth16 zk-SNARK \eqref{def:groth16-snark}. We start with $g_1^W$ (see eq. \eqref{eq:groth16_prover}). Using scalar products instead of the exponential notation, and $\oplus$ for the group law on the \curvename{BLS6\_6} curve, we have to compute the point $[W]g_1$: +In the next step, we have to compute all group elements required for a proper Groth16 zk-SNARK \eqref{def:groth16-snark}. We start with $g_1^W$ \eqref{eq:groth16_prover:g1W}. Using scalar products instead of the exponential notation, and $\oplus$ for the group law on the \curvename{BLS6\_6} curve, we have to compute the point $[W]g_1$: \begin{align*} [W]g_1 = & \phantom{\oplus} [W_1] g_1^{\frac{\beta\cdot A_{2}(\tau)+\alpha\cdot B_{2}(\tau)+C_{2}(\tau)}{\delta}} \oplus [W_2] g_1^{\frac{\beta\cdot A_{3}(\tau)+\alpha\cdot B_{3}(\tau)+C_{3}(\tau)}{\delta}} @@ -426,7 +426,7 @@ \subsection{The Prover Phase} Given some Rank-1 Constraint System $R$ and instan & = (38,28) \end{align*} -In a next step, we compute $g_1^A$ (see eq. \eqref{eq:groth16_prover}). We sample the random point $r=11$ from $\F_{13}$, using scalar products instead of the exponential notation, and $\oplus$ for the group law on the \texttt{BLS6\_6} curve. We then have to compute the following expression: +In a next step, we compute $g_1^A$ \eqref{eq:groth16_prover:g1A}. We sample the random point $r=11$ from $\F_{13}$, using scalar products instead of the exponential notation, and $\oplus$ for the group law on the \texttt{BLS6\_6} curve. We then have to compute the following expression: \begin{align*} [A]g_1 = &\phantom{\oplus} [\alpha]g_1 \oplus [A_0(\tau)]g_1 \oplus [I_1][A_1(\tau)]g_1\oplus [W_1][A_2(\tau)]g_1 \oplus [W_2][A_3(\tau)]g_1\\ 
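Review bot: "We start with $g_1^W$ \eqref{eq:groth16_prover:g1W}." and "we compute $g_1^A$ \eqref{eq:groth16_prover:g1A}." should tie the reference with "~" ($g_1^W$~\eqref{...}) so the number does not wrap onto its own line. The two paragraphs also still name the curve differently, \curvename{BLS6\_6} in the -409 hunk and \texttt{BLS6\_6} in the -426 hunk; use the semantic macro in both.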
@@ -442,7 +442,7 @@ \subsection{The Prover Phase} Given some Rank-1 Constraint System $R$ and instan &= (35,15) \end{align*} -In order to compute the two curve points $[B]g_1$ and $[B]g_2$ (see eq. \eqref{eq:groth16_prover}), we sample another random element $t=4$ from $\F_{13}$. Using the scalar product instead of the exponential notation, and $\oplus$ for the group law on the \texttt{BLS6\_6} curve, we have to compute the following expressions: +In order to compute the two curve points $[B]g_1$ \eqref{eq:groth16_prover:g1B} and $[B]g_2$ \eqref{eq:groth16_prover:g2B}, we sample another random element $t=4$ from $\F_{13}$. Using the scalar product instead of the exponential notation, and $\oplus$ for the group law on the \texttt{BLS6\_6} curve, we have to compute the following expressions: \begin{align*} [B]g_1 = &\phantom{\oplus} [\beta]g_1 \oplus [B_0(\tau)]g_1 \oplus [I_1][B_1(\tau)]g_1\oplus [W_1][B_2(\tau)]g_1 \oplus [W_2][B_3(\tau)]g_1\\ @@ -468,7 +468,7 @@ \subsection{The Prover Phase} Given some Rank-1 Constraint System $R$ and instan &= (7v^2,27v^3) \end{align*} -In a last step, we combine the previous computations to compute the point $[C]g_1$ (see eq. \eqref{eq:groth16_prover}) in the group $\G_1$ as follows: +In a last step, we combine the previous computations to compute the point $[C]g_1$ \eqref{eq:groth16_prover:g1C} in the group $\G_1$ as follows: \begin{align*} [C]g_1 & = [W]g_1\oplus [\frac{H(s)\cdot T(\tau)}{\delta}]g_1 \oplus [t][A]g_1 \oplus [r][B]g_1 \oplus [-r\cdot t][\delta]g_1\\ & = (38,28)\oplus (26,34) \oplus [4](35,15) \oplus [11](13,28) \oplus [-11\cdot 4](38,15)\\ From 238153b048d06be0e98a21802911383aa53f8d5d Mon Sep 17 00:00:00 2001 From: Vindaar Date: Thu, 27 Jun 2024 20:13:48 +0200 Subject: [PATCH 18/22] clean up equations for [B]g_1, [B]g_2, one align for better alignment --- chapters/zk-protocols-moonmath.tex | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) 
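Review bot: in the -468 hunk, "In a last step" should be "In the last step" (there is only one), and the bracket around the fraction in "[\frac{H(s)\cdot T(\tau)}{\delta}]g_1" should be \left[ ... \right] so it spans the fraction like the scalar brackets elsewhere in the display.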
diff --git a/chapters/zk-protocols-moonmath.tex b/chapters/zk-protocols-moonmath.tex index d838470e..5f018627 100644 --- a/chapters/zk-protocols-moonmath.tex +++ b/chapters/zk-protocols-moonmath.tex @@ -457,10 +457,7 @@ \subsection{The Prover Phase} Given some Rank-1 Constraint System $R$ and instan &= (26,34)\oplus [3](35,15) \oplus [4](26,34)\oplus [4](38,15)\\ &= [5](13,15)\oplus [3\cdot 9](13,15) \oplus [4\cdot 5](13,15)\oplus [4\cdot 3](13,15)\\ &= [5+3\cdot 9+4\cdot 5+4\cdot 3](13,15) = [12](13,15) \\ - &= (13,28) -\end{align*} - -\begin{align*} + &= (13,28) \\ \\ [B]g_2 &=(16v^2,28v^3) \oplus \mathcal{O} \oplus [11]\mathcal{O}\oplus [2]\mathcal{O} \oplus [3](37v^2,16v^3)\oplus [4](16v^2,28v^3)\oplus [6]\mathcal{O}\oplus [4](42v^2,16v^3)\\ &=(16v^2,28v^3)\oplus [3](37v^2,16v^3)\oplus [4](16v^2,28v^3)\oplus [4](42v^2,16v^3)\\ &=[5](7v^2,16v^3)\oplus [3\cdot 9](7v^2,16v^3)\oplus [4\cdot 5](7v^2,16v^3)\oplus [4\cdot 3](7v^2,16v^3)\\ From 5519c0e17006f20416b0b95c045031d03c91f2c0 Mon Sep 17 00:00:00 2001 From: Vindaar Date: Thu, 27 Jun 2024 20:14:19 +0200 Subject: [PATCH 19/22] remove trailing line break in g_1^I eq --- chapters/zk-protocols-moonmath.tex | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chapters/zk-protocols-moonmath.tex b/chapters/zk-protocols-moonmath.tex index 5f018627..cc859042 100644 --- a/chapters/zk-protocols-moonmath.tex +++ b/chapters/zk-protocols-moonmath.tex 
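Review bot: the join "&= (13,28) \\ \\" relies on an empty row to separate the $[B]g_1$ and $[B]g_2$ computations; amsmath accepts it in align*, but the gap is a full row and not adjustable, so "\\[1em]" (or "\\[\baselineskip]") gives the same visual break explicitly and will not be mistaken for a line that went missing.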
@@ -534,7 +534,7 @@ \subsection{The Verification Phase} To achieve this in the Groth\_16 protocol, we assume that any verifier is able to compute the pairing map $e(\cdot,\cdot)$ efficiently, and has access to the \concept{Common Reference String} used to produce the zk-SNARK $\pi$. In order to verify the zk-SNARK with respect to the instance $$, the verifier computes the following curve point: \begin{align}\label{eq:groth16_verify} -g_1^I & = \Big(g_1^{\frac{\beta\cdot A_{0}(\tau)+\alpha\cdot B_{0}(\tau)+C_{0}(\tau)}{\gamma}}\Big)\cdot \Big(g_1^{\frac{\beta\cdot A_{1}(\tau)+\alpha\cdot B_{1}(\tau)+C_{1}(\tau)}{\gamma}}\Big)^{I_1} \cdots \Big(g_1^{\frac{\beta\cdot A_{n}(\tau)+\alpha\cdot B_{n}(\tau)+C_{n}(\tau)}{\gamma}}\Big)^{I_n}\\ +g_1^I & = \Big(g_1^{\frac{\beta\cdot A_{0}(\tau)+\alpha\cdot B_{0}(\tau)+C_{0}(\tau)}{\gamma}}\Big)\cdot \Big(g_1^{\frac{\beta\cdot A_{1}(\tau)+\alpha\cdot B_{1}(\tau)+C_{1}(\tau)}{\gamma}}\Big)^{I_1} \cdots \Big(g_1^{\frac{\beta\cdot A_{n}(\tau)+\alpha\cdot B_{n}(\tau)+C_{n}(\tau)}{\gamma}}\Big)^{I_n} \end{align} With this group element, the verifier is able to verify the zk-SNARK $\pi=(g_1^A,g_1^C,g_2^B)$ by checking the following equation using the pairing map: \begin{equation} From 4d79f1d62114705ba28fad10561c669309b0a545 Mon Sep 17 00:00:00 2001 From: Vindaar Date: Thu, 27 Jun 2024 20:14:49 +0200 Subject: [PATCH 20/22] clean up eq ref, replace single eq in align -> equation --- chapters/zk-protocols-moonmath.tex | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/chapters/zk-protocols-moonmath.tex b/chapters/zk-protocols-moonmath.tex index cc859042..628181db 100644 --- a/chapters/zk-protocols-moonmath.tex +++ b/chapters/zk-protocols-moonmath.tex 
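Review bot: with the trailing \\ gone this align holds a single row and a single number, so \begin{equation}\label{eq:groth16_verify} ... \end{equation} expresses the same thing without the alignment point "& =", which has nothing to align against; patch 20 of this series already makes that change for def:groth16-simulated-proof, so applying it here keeps the two single-row displays consistent.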
@@ -554,7 +554,7 @@ \subsection{The Verification Phase} \label{3-fac-snark-verifier} To see how a verifier might verify a zk-SNARK for some given instance $I$, consider the $3$-factorization problem from \examplename{} \ref{ex:3-factorization}, our protocol parameters from \examplename{} \ref{ex:3-fac-groth-16-params}, the \concept{Common Reference String} from \eqref{ex:3-fac-groth-16-crs} as well as the zk-SNARK $\pi=((35,15),(27,9),(7v^2,27v^3))$ from \examplename{} \eqref{ex:3-fac-groth-16-snark}, which claims to be an argument of knowledge for a witness for the instance $I_1=<11>$. -In order to verify the zk-SNARK for that instance, we first compute the curve point $g_1^I$ (see eq. \eqref{eq:groth16_verify}). Using scalar products instead of the exponential notation, and $\oplus$ for the group law on the \texttt{BLS6\_6} curve, we have to compute the point $[I]g_1$ as follows: +In order to verify the zk-SNARK for that instance, we first compute the curve point $g_1^I$ \eqref{eq:groth16_verify}. Using scalar products instead of the exponential notation, and $\oplus$ for the group law on the \texttt{BLS6\_6} curve, we have to compute the point $[I]g_1$ as follows: \begin{align*} [I]g_1 = & [\frac{\beta\cdot A_{0}(\tau)+\alpha\cdot B_{0}(\tau)+C_{0}(\tau)}{\gamma}]g_1 \oplus [I_1][\frac{\beta\cdot A_{1}(\tau)+\alpha\cdot B_{1}(\tau)+C_{1}(\tau)}{\gamma}]g_1 
@@ -645,10 +645,10 @@ \subsection{Proof Simulation} To achieve this in the Groth\_16 protocol, the forger can use the simulation trapdoor in combination with the QAP and two arbitrary field elements $A$ and $B$ from the scalar field $\F_r$ of the pairing groups to compute $g_1^C$ for the instance $$ as follows: -\begin{align} +\begin{equation} \label{def:groth16-simulated-proof} -g_1^C = g_1^{\frac{A\cdot B}{\delta}}\cdot g_1^{-\frac{\alpha\cdot \beta}{\delta}}\cdot g_1^{-\frac{\beta A_0(\tau) + \alpha B_0(\tau)+ C_0(\tau)}{\delta}}\cdot \Big(g_1^{-\frac{\beta A_1(\tau) + \alpha B_1(\tau)+ C_1(\tau)}{\delta}}\Big)^{I_1}\cdots \Big(g_1^{-\frac{\beta A_n(\tau) + \alpha B_n(\tau)+ C_n(\tau)}{\delta}}\Big)^{I_n}\ -\end{align} +g_1^C = g_1^{\frac{A\cdot B}{\delta}}\cdot g_1^{-\frac{\alpha\cdot \beta}{\delta}}\cdot g_1^{-\frac{\beta A_0(\tau) + \alpha B_0(\tau)+ C_0(\tau)}{\delta}}\cdot \Big(g_1^{-\frac{\beta A_1(\tau) + \alpha B_1(\tau)+ C_1(\tau)}{\delta}}\Big)^{I_1}\cdots \Big(g_1^{-\frac{\beta A_n(\tau) + \alpha B_n(\tau)+ C_n(\tau)}{\delta}}\Big)^{I_n} +\end{equation} The forger then publishes the zk-SNARK $\pi_{forged} = (g_1^A, g_1^C, g_2^B)$, which will pass the verification process and is computable without the existence of a witness $$. From 9a01c170a2e0416888e6571e64515ed990e92e78 Mon Sep 17 00:00:00 2001 From: filip Date: Tue, 9 Jul 2024 21:01:00 +0200 Subject: [PATCH 21/22] fix the description --- chapters/algebra-moonmath.tex | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chapters/algebra-moonmath.tex b/chapters/algebra-moonmath.tex index 51cc315e..72259b60 100644 --- a/chapters/algebra-moonmath.tex +++ b/chapters/algebra-moonmath.tex 
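Review bot: the $g_1^C$ display now sits in an equation environment, which cannot break across lines, and the row runs from $g_1^{\frac{A\cdot B}{\delta}}$ through $\Big(g_1^{-\frac{\beta A_n(\tau) + \alpha B_n(\tau)+ C_n(\tau)}{\delta}}\Big)^{I_n}$ with five factors carrying stacked fractions; check the compiled output for an overfull hbox and, if it overflows, use multline (or split inside equation) so the label still applies once.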
@@ -1185,7 +1185,7 @@ \subsection{Prime Field Extensions}\label{field-extension} \begin{remark} Similarly to the way prime fields $\F_p$ are generated by starting with the ring of integers and then dividing by a prime number $p$ and keeping the remainder, prime field extensions $\F_{p^m}$ are generated by starting with the ring $\F_p[x]$ of polynomials and then dividing them by an irreducible polynomial of degree $m$ and keeping the remainder. -In fact, it can be shown that $\F_{p^m}$ is the set of all remainders when dividing any polynomial $Q\in \F_p[x]$ by an irreducible polynomial $P$ of degree $m$. This is analogous to how $\F_p$ is the set of all remainders when dividing integers by $p$. +In fact, it can be shown that $\F_{p^m}$ is the set of all remainders when dividing all of the polynomials $Q\in \F_p[x]$ by an irreducible polynomial $P$ of degree $m$. This is analogous to how $\F_p$ is the set of all remainders when dividing integers by $p$. \end{remark} Any field $\F_{p^m}$ constructed in the above manner is a field extension of $\F_p$. To be more general, a field $\F_{p^{m_2}}$ is a field extension of a field $\F_{p^{m_1}}$ if and only if $m_1$ divides $m_2$. From this, we can deduce that, for any given fixed prime number, there are nested sequences of subfields whenever the power $m_j$ divides the power $m_{j+1}$: From 47462150fac3393e9833f83dd8f58c9566593ef0 Mon Sep 17 00:00:00 2001 From: Kanguk Lee <68288688+p51lee@users.noreply.github.com> Date: Thu, 1 Aug 2024 15:16:23 +0900 Subject: [PATCH 22/22] Correct typos in Chapter 5 --- chapters/elliptic-curves-moonmath.tex | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/chapters/elliptic-curves-moonmath.tex b/chapters/elliptic-curves-moonmath.tex index 05baa6eb..0e98337f 100644 --- a/chapters/elliptic-curves-moonmath.tex +++ b/chapters/elliptic-curves-moonmath.tex 
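Review bot: The new wording `the set of all remainders when dividing all of the polynomials $Q\in \F_p[x]$ by an irreducible polynomial $P$` is grammatical but heavier than it needs to be (`all ... all`). The statement being made is that $\F_{p^m}$ is the set of remainders of polynomials in $\F_p[x]$ modulo $P$, so `the set of all remainders obtained when dividing polynomials $Q\in \F_p[x]$ by an irreducible polynomial $P$ of degree $m$` says the same thing and keeps the parallel with the following sentence, `the set of all remainders when dividing integers by $p$`.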
@@ -537,11 +537,11 @@ \subsection{Projective \concept{short Weierstrass} form} Recalling the definition of projective planes \ref{sec:planes},\sme{S: move that section here?} we know that points at infinity are handled as ordinary points in projective geometry. Therefore, it makes sense to look at the definition of a \concept{short Weierstrass} curve in projective geometry. -To see what a \concept{short Weierstrass} curve in projective coordinates is, let $\F$ be a finite field of order $q$ and characteristic $>3$, let $a,b\in \F$ be two field elements such that $\Zmod{4a^3+ 27b^2}{q}\neq 0$ and let $\F\mathrm{P}^2$ be the projective plane over $\F$ as introduced in \secname{} \ref{sec:planes}. Then a \term{projective \concept{short Weierstrass} elliptic curve} over $\F$ is the set of all points $[X:Y:Z]\in \F\mathrm{P}^2$ from the projective plane that satisfy the cubic equation $Y^2\cdot Z = X^3+a\cdot X\cdot Z^2 + b\cdot Z^3$: +To see what a \concept{short Weierstrass} curve in projective coordinates is, let $\F$ be a finite field of order $q$ and characteristic $>3$, let $a,b\in \F$ be two field elements such that $\Zmod{4a^3+ 27b^2}{q}\neq 0$ and let $\F\mathbb{P}^2$ be the projective plane over $\F$ as introduced in \secname{} \ref{sec:planes}. Then a \term{projective \concept{short Weierstrass} elliptic curve} over $\F$ is the set of all points $[X:Y:Z]\in \F\mathbb{P}^2$ from the projective plane that satisfy the cubic equation $Y^2\cdot Z = X^3+a\cdot X\cdot Z^2 + b\cdot Z^3$: \begin{equation} \label{def:projective_cubic_equation} -E(\F\mathrm{P}^2) = \{[X:Y:Z]\in \F\mathrm{P}^2\;|\; Y^2\cdot Z = X^3+a\cdot X\cdot Z^2 + b\cdot Z^3 \} +E(\F\mathbb{P}^2) = \{[X:Y:Z]\in \F\mathbb{P}^2\;|\; Y^2\cdot Z = X^3+a\cdot X\cdot Z^2 + b\cdot Z^3 \} \end{equation} To understand how the point at infinity is unified in this definition, recall from \secname{} \ref{sec:planes} that, in projective geometry, points at infinity are given by projective coordinates $[X:Y:0]$. 
Inserting representatives $(x_1,y_1,0)\in [X:Y:0]$ from those coordinates into the defining cubic equation \ref{def:projective_cubic_equation} results in the following identity: 
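Review bot: Replacing `\F\mathrm{P}^2` with `\F\mathbb{P}^2` is a notation change that has to be applied everywhere the symbol appears, including the section `\ref{sec:planes}` that introduces the projective plane; this patch only touches elliptic-curves-moonmath.tex, so grep the other chapters for `\mathrm{P}^2` before merging. Since `\F` is already a macro, defining the projective plane as one as well (for example `\newcommand{\FP}{\F\mathbb{P}^2}`) would make any future change a one-line edit. Two items in the surrounding context are worth fixing while here: `\ref{def:projective_cubic_equation}` in the last context line should be `\eqref{def:projective_cubic_equation}` to match how equations are referenced elsewhere, and the editorial marker `\sme{S: move that section here?}` is still in the text.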
@@ -688,10 +688,10 @@ \subsubsection{Projective Group law} \subsubsection{Coordinate Transformations} As we can see by comparing the examples \ref{ex:E1F5-projective} and \ref{ex:E1F5-projective},\sme{same example twice} there is a close relation between the affine and the projective representation of a \concept{short Weierstrass} curve. This is not a coincidence. In fact, from a mathematical point of view, projective and affine \concept{short Weierstrass} curves describe the same thing, as there is a one-to-one correspondence (an isomorphism) between both representations for any parameters $a$ and $b$. -To specify the correspondence, let $E(\F)$ and $E(\F\mathrm{P}^2)$ be an affine and a projective \concept{short Weierstrass} curve defined for the same parameters $a$ and $b$. Then, the function in \eqref{eq:weierstrass-isomorphism-map} maps points from the affine representation to points from the projective representation of a \concept{short Weierstrass} curve. In other words, if the pair of field elements $(x,y)$ satisfies the affine \concept{short Weierstrass} equation $y^2= x^3 + ax + b$, then all homogeneous coordinates $(x_1,y_1,z_1)\in [x:y:1]$ satisfy the projective \concept{short Weierstrass} equation $y_1^2\cdot z_1= x_1^3 + ay_1\cdot z_1^2 + b\cdot z_1^3$. +To specify the correspondence, let $E(\F)$ and $E(\F\mathbb{P}^2)$ be an affine and a projective \concept{short Weierstrass} curve defined for the same parameters $a$ and $b$. Then, the function in \eqref{eq:weierstrass-isomorphism-map} maps points from the affine representation to points from the projective representation of a \concept{short Weierstrass} curve. In other words, if the pair of field elements $(x,y)$ satisfies the affine \concept{short Weierstrass} equation $y^2= x^3 + ax + b$, then all homogeneous coordinates $(x_1,y_1,z_1)\in [x:y:1]$ satisfy the projective \concept{short Weierstrass} equation $y_1^2\cdot z_1= x_1^3 + ay_1\cdot z_1^2 + b\cdot z_1^3$. 
\begin{equation}\label{eq:weierstrass-isomorphism-map} -I : E(\F) \to E(\F\mathrm{P}^2)\;:\; +I : E(\F) \to E(\F\mathbb{P}^2)\;:\; \begin{array}{lcl} (x,y) &\mapsto & [x:y:1]\\ \mathcal{O} &\mapsto & [0:1:0] @@ -1002,7 +1002,7 @@ \subsection{Twisted Edwards group law} (x_1, y_1) \oplus (x_2, y_2) =\left(\frac{x_1y_2+y_1x_2}{1 +dx_1x_2y_1y_2},\frac{y_1y_2-ax_1x_2}{1-dx_1x_2y_1y_2}\right) \end{equation} -In order to see what the neutral element of the group law is, first observe that the point $(0,1)$ is a solution to the \concept{twisted Edwards} equation $a\cdot x^{2} + y^2 =1+ d\cdot x^{2}\cdot y^2$ for any parameters $a$ an $d$, and hence $(0,1)$ is a point on any \concept{twisted Edwards} curve. It can be shown that $(0,1)$ serves as the neutral element, and that the inverse of a point $(x_1, y_1)$ is given by the point $(-x_1, y1)$. +In order to see what the neutral element of the group law is, first observe that the point $(0,1)$ is a solution to the \concept{twisted Edwards} equation $a\cdot x^{2} + y^2 =1+ d\cdot x^{2}\cdot y^2$ for any parameters $a$ an $d$, and hence $(0,1)$ is a point on any \concept{twisted Edwards} curve. It can be shown that $(0,1)$ serves as the neutral element, and that the inverse of a point $(x_1, y_1)$ is given by the point $(-x_1, y_1)$. \begin{example} \label{example:TETJJ13} Let's look at the \curvename{Tiny-jubjub} curve in Edwards form from \eqref{TJJ13-twisted-edwards} again. As we have seen, this curve is given by as follows:
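Review bot: The rewritten line in the `@@ -688,10 +688,10 @@` hunk still carries a wrong term in the projective equation: `$y_1^2\cdot z_1= x_1^3 + ay_1\cdot z_1^2 + b\cdot z_1^3$` should be `a x_1\cdot z_1^2`, matching `Y^2\cdot Z = X^3+a\cdot X\cdot Z^2 + b\cdot Z^3` from the definition above (substituting $[x:y:1]$ turns $a\cdot X\cdot Z^2$ into $ax$, not $ay$). Since the line is being touched anyway, correct it in this commit. The context also still reads `comparing the examples \ref{ex:E1F5-projective} and \ref{ex:E1F5-projective}`, the same label twice, as the `\sme{same example twice}` marker already notes; the first reference is presumably meant to point at the affine example of the same curve.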
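Review bot: In the `@@ -1002,7 +1002,7 @@` hunk the `y1` to `y_1` correction is right, but the same changed line still contains the typo `for any parameters $a$ an $d$` (`an` for `and`); fix it in the same line rather than leaving it for another typo pass.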