diff --git a/chapters/intro-moonmath.tex b/chapters/intro-moonmath.tex index 799b25f2..40969947 100644 --- a/chapters/intro-moonmath.tex +++ b/chapters/intro-moonmath.tex 
@@ -1,52 +1,57 @@ \chapter{Introduction} % Note: I want to avoid using links or \term{}'s or anything like this here. This is just an introduction. All the terms are defined later. Lets be as little formal as possible here -In cryptography so called \textit{zero-knowledge proofs} or \textit{zero-knowledge protocols} are a class of protocols by which one party called the prover can prove to other parties called the verifiers that a given statement is true without revealing any additional information apart from the fact that the statement is indeed true. It is the purpose of this book to introduce the mathematics behind those proving systems and their implementations to an audience with little to no knowledge in this field of research. +In the field of cryptography, \textit{zero-knowledge proofs} or \textit{zero-knowledge protocols} are a class of protocols that enable a party, known as the prover, to demonstrate the truth of a statement to other parties, referred to as verifiers, without revealing any information beyond the statement's veracity. This book is intended to provide a comprehensive introduction to the mathematical foundations and implementations of these proof systems, aimed at individuals with limited prior exposure to this area of research. -In this context, so called \textit{zero knowledge succinct, non interactive arguments of knowledge} (zk-SNARKs) are of particular interest, since the size of a zk-SNARK is much smaller than the size of the original data necessary to know that the statement is true and the prover can send a single message to the verifiers in order to convince them. +Of particular significance in this context are \textit{zero-knowledge succinct, non-interactive arguments of knowledge} (zk-SNARKs), which possess the advantage of being much smaller in size than the original data required to establish the truth of a statement, and verifiers can be conveyed through a single message from the prover. 
-From a practical point of view this is interesting, because zk-SNARKs are able to prove honest computation to the public without revealing the inputs to that computation, by sending a single short transaction to a verifier that is implemented as a smart contract on a public blockchain. In this case it is possible to outsource heavy computation off-chain and then to publically verify the correctness of that computation on-chain. This enables publicly verifiable computations, blockchain scaling and increases transaction privacy. +From a practical standpoint, zk-SNARKs are intriguing because they allow for the honest computation of data to be proven publicly without disclosing the inputs to the computation, through the transmission of a concise transaction to a verifier embodied as a smart contract on a public blockchain. This facilitates the public verification of computation, improves the scalability of blockchain technology, and enhances the privacy of transactions. -Because of this connection between blockchains and zk-SNARKs, increased interest in blockchain technology also increases the need for better and detailed understanding of zero knowledge protocols, their real world implementations and applications as well as their standards. Only then are developers able to implement secure and high quality code. +Based on this interconnection between blockchains and zk-SNARKs, growing interest in blockchain technology has elevated the need for a more nuanced and complete understanding of zero-knowledge protocols, their real-world applications and implementations, and the development of standards in this field. This is crucial for ensuring that developers can produce secure and high-quality code -However the details of zero knowledge proofs are complex and a deeper understanding requires insight into various mathematical and computer theoretical disciplines, including alternatives to well established computational models and programming paradigms. 
Unfortunately resources are often scattered across blog posts, github libraries and mathematical papers and as a result zk-SNARKs remain somewhat elusive or ''magical'' and are therefore sometimes coined as ''moon math''. This increases the barrier of entry and deters developers from exploring or utilizing them in projects, thereby slowing the widespread adoption of the technology and the transition into web3. +However, the intricacies of zero-knowledge proofs are complicated and require an in-depth comprehension of several mathematical and computer-theoretical disciplines, as well as familiarity with alternative computational models and programming paradigms. Unfortunately resources are often scattered across blog posts, github libraries and mathematical papers and as a result zk-SNARKs remain somewhat elusive or ''magical'' and are therefore sometimes coined as ''moon math''. This poses a barrier to entry and deters developers from exploring or incorporating them in their projects, hindering the widespread adoption of this technology and societies evolution towards web3. -The MoonMath Manual to zk-SNARKs is an attempt to change this as the book is specifically designed for an audience with only minimal experience in cryptography. The goal is to close knowledge gaps and to explain abstract concepts to developers in a hands-on way using simple pen-and-paper computations. As users go through the manual and calculate examples, they will grasp concepts necessary to understand the mathematics behind zk-SNARKs. +The 'MoonMath Manual to zk-SNARKs' aims to change this, designed specifically for individuals with limited prior exposure to cryptography. The manual aims to bridge knowledge gaps by providing a hands-on, practical approach to explaining abstract concepts using simple pen-and-paper calculations. 
As readers work through the manual, they will gain an understanding of the mathematics underlying zk-SNARKs, which will provide them with the necessary foundation for further exploration. \section{Target audience} -This book is targeted primarily to software and smart contract developers who want to understand the internals of zk-SNARKs in order to be able to develop high quality, high security code, or who want to close some knowledge gaps. It is accessible for both beginners and experienced readers alike as concepts are gradually introduced in a logical and steady pace. It is assumed though, that the reader has a basic understanding of programming and enthusiasm as well as affinity for logical thinking and strategic problem solving. +The primary focus of this book are software and smart contract developers who aim to acquire a thorough understanding of the workings of zk-SNARKs, in order to be able to develop high quality, high security code, or who want to close some knowledge gaps. The book is suitable for both novice and experienced readers, as concepts are gradually introduced in a structured and logical manner, ensuring that the information is easily comprehensible. + +While the book is accessible to a wide range of readers, it is expected that the reader has a basic knowledge of programming and an interest in logical thinking and strategic problem solving. An enthusiasm for the subject matter is also necessary, as the details of zero-knowledge proofs can be complex. \section{About the book} -How much mathematics do you need to understand and implement zero-knowledge proofs? The answer, of course, depends on the level of understanding you aim for and the level of security your application requires. 
It is possible to implement zero-knowledge proofs without any understanding of its underlying mathematics; however, to read a foundational paper, to understand the internals of a proof system, or to implement a secure and high quality zk-SNARK, some knowledge of mathematics is needed. +How much mathematics do you need to understand and implement zero-knowledge proofs? Of course, the answer is contingent upon the desired level of comprehension and the security demands of the application. It is possible to implement zero-knowledge proofs without any understanding of the underlying mathematics; however, to read a seminal paper, to grasp the intricacies of a proof system, or to develop secure and high-quality zk-SNARKs, some mathematical knowledge is indispensable. Without a solid grounding in mathematics, someone who is interested in learning the concepts of zero-knowledge proofs, but who has never seen or dealt with, say, a prime field, or an elliptic curve, may quickly become overwhelmed. This is not so much due to the complexity of the mathematics needed, but rather because of the vast amount of technical jargon, unknown terms, and obscure symbols that quickly makes a text unreadable, even though the concepts themselves are not actually that complicated. As a result, the reader might either lose interest, or pick up some incoherent bits and pieces of knowledge that, in the worst case scenario, result in immature and non-secure implementations. -This is why the book is dedicated large parts to explaining the mathematical foundations needed to understand the basic concepts underlying zk-SNARK development. We encourage the reader who is not familiar with basic number theory and elliptic curves to take the time and read the appropriate chapters in this book until they are able to solve at least a few exercises in each chapter. A great emphasis should be put on going through the examples in all details. 
+Absence of a robust mathematical background can pose significant challenges to individuals interested in learning the principles of zero-knowledge proofs, particularly if they have not encountered mathematical concepts such as prime fields or elliptic curves. This is not due to the inherent complexity of the mathematics involved, but rather the presence of a large amount of technical jargon, unfamiliar terms, and abstract symbols, which can make the text impenetrable even when the concepts themselves are not particularly challenging. As a result, the reader may become disinterested or assimilate a fragmented and inconsistent understanding, leading to insecure and immature implementations. + +Significant portions of this book are dedicated to providing a comprehensive explanation of the mathematical foundations necessary for comprehending the fundamental concepts underlying zk-SNARK development. For readers who lack familiarity with basic number theory and elliptic curves, we strongly encourage dedicated study of the relevant chapters until they are able to solve a minimum of several exercises in each chapter. A deliberate focus on working through examples in detail is encouraged. + +The book starts at a very basic level, and only assume preexisting knowledge of fundamental concepts like high school integer arithmetic. It then progresses to demonstrate that there are numbers and mathematical structures that, although initially appearing very different from what was learned in high school, are actually analogous at a deeper level. This is exemplified through a variety of examples throughout the book. -The book starts at a very basic level, and only assume pre-existing knowledge of fundamental concepts like high school integer arithmetic. Then it will show you that there are numbers and mathematical structures that appear at first to be very different from what you learned about in high school, but - on a deeper level - are actually quite similar. 
This will be illustrated in various examples throughout the book. +It is important to emphasize that the mathematics presented in this book is informal, incomplete, and optimized to facilitate efficient comprehension of zero-knowledge concepts. The design choice is to include only the minimum required theory, prioritizing a profusion of numerical examples. We believe that this informal, example-driven approach facilitates easier digestion of the material for beginners. -It is worth to stress though, that the mathematics in this book is informal, incomplete and optimized to enable the reader to understand zero-knowledge concepts as efficiently as possible. The design choice is to include as little theory as necessary, focusing on a wealth of numerical examples. We believe that such an informal, example-driven approach makes it easier for beginners to digest the material in the initial stages. +As a novice, it is suggested that one first computes a simple toy zk-SNARK using pen and paper, before venturing into the development of high-security real-world zk-SNARKs. However, to derive these toy examples, some mathematical preparation is necessary. This book therefore aims to guide the inexperienced reader towards the essential mathematical concepts, providing exercises that are intended to be worked through independently. Each section includes a list of progressively challenging exercises to aid in memorization and application of the concepts. -As a beginner, you would probably find it more beneficial to first compute a simple toy zk-SNARK with pen and paper all the way through, before you actually develop high security real-world zk-SNARKs. -However, in order to be able to derive these toy examples, some mathematical groundwork is needed. This book therefore will help the inexperienced reader to focus on what we believe is important, accompanied by exercises that you are encouraged to recompute yourself. 
Every section contains a list of exercises in increasing order of difficulty, to help you memorize and apply the concepts. +\section{Reading this Book} +The MoonMath Manual is intended to provide a comprehensive introduction to topics relevant to beginners in mathematics and cryptography. As such, there are multiple ways to read the book. The most straightforward approach is to follow the chapters in a linear order. This method is recommended for readers who have limited prior knowledge of mathematics and cryptography. The book begins with fundamental concepts such as natural numbers, prime numbers, and operations on these sets in various arithmetics. Subsequently, the book progresses to cover algebraic structures, including groups, rings, prime fields, and elliptic curves. +Throughout the book, examples are introduced and gradually expanded upon with the incorporation of new knowledge from subsequent chapters. This incremental approach allows for the development of simple, yet full-fledged cryptographic systems that can be computed by hand, in order to provide a detailed illustration of each step. -\section{How to read this book} -Since the MoonMath Manual aims to become a complete introduction to all topics relevant for beginners, there are ways of reading it. The first and most obvious one is linear, following the order of the chapters. We recommend this if you have little pre-existing knowledge of mathematics and cryptography. We start with basic concepts like natural numbers, prime numbers, and how we can perform operations on such sets in different kinds of arithmetic. Then we move on to algebraic constructs like groups, rings, prime fields and elliptic curves. +For readers interested in understanding elliptic curves as they pertain to zero-knowledge proving systems, a starting point could be the introduction to the $BLS6_6$ curve in \secname{} \ref{BLS6}. 
The $BLS6_6$ curve was specifically designed for the purpose of hand calculations, as the size of cryptographic elliptic curves often prohibits this type of computation. It is a pairing-friendly curve with all necessary properties to perform pairing-based computations without the aid of a computer, which can help to clarify the intricacies of the system. Additionally, the book includes a derivation of the \curvename{Tiny-jubjub} curve \ref{TJJ13-twisted-edwards}, which can be used for EdDSA calculations in circuits over $BLS6_6$. -Early in the book, we develop examples that we gradually extend with the things we learn in each chapter. This way, we incrementally build a few real-world SNARKs over full-fledged cryptographic systems that are nevertheless simple enough to be computed by pen and paper to illustrate all steps in great detail. +Readers interested in building a simple, pen-and-paper zk-SNARK from scratch may want to start with the examples related to the 3-factorization problem. In \examplename{} \ref{ex:3-factorization}, we introduce the 3-factorization problem as a statement in a formal language. If this is too abstract, the reader might start in \examplename{} \ref{ex:3-fac-zk-circuit}, where we describe the 3-factorization problem as an algebraic circuit. In \examplename{} \ref{ex:3-fac-zk-circuit_2} we execute the circuit. In \examplename{} \ref{ex:L-3fac-zk}, we introduce the concept of instance and witness into the problem in order to achieve various levels of zero knowledge later on. In \examplename{} \ref{ex:3-factorization-r1cs} we transform the circuit into an associated Rank-1 Constraint System and in \examplename{} \ref{ex:3-fac-R1CS-constr-proof} we compute a constructive proof for the problem. In \examplename{} \ref{ex:3-fac-QAP} we transform that constraint system into a Quadratic Arithmetic Program in and show how constructive proofs are transformed into polynomial divisibility problems. 
In \examplename{} \ref{ex:3-fac-groth-16-params}, we use the result of those examples to derive a Groth16 zk-SNARK for the 3-factorization problem. In \ref{def:groth16-crs}, we compute the prover and the verifier key. In \examplename{} \ref{3-fac-snark-compute}, we compute a zk-SNARK and in \examplename{} \ref{3-fac-snark-verifier}, we verify that zk-SNARK. In \examplename{}, \ref{3-fac-snark-simulator} we show how to simulate proofs. -Readers who mainly want to get a better understanding of elliptic curves as they arise in zero-knowledge proving systems might want to start with our introduction of the $BLS6\_6$ curve in \secname{} \ref{BLS6}, which is a pen-and-paper, pairing-friendly elliptic curve. All concepts needed to understand this curve are introduced in \chaptname{} \ref{chap:elliptic-curves}. Programmers who develop zk-SNARKs frequently face the situation where it would be useful do some pen-and-paper computations before implementing the real thing, however those calculations are often prohibited by the size of cryptographic elliptic curves. In this book, we specifically designed the $BLS6\_6$ curve for this purpose. It is a pairing friendly curve that has all the properties needed to do pairing-based computations without any computer assistance, which often helps to understand delicate details of your system. In addition we derive the \curvename{Tiny-jubjub} curve \ref{TJJ13-twisted-edwards}, which can be used for pen-and-paper EdDSA in circuits over $BLS6\_6$. +Readers desiring to implement a zk-SNARK in a practical programming language should begin with our Circom implementation of the 3-factorization problem, as described in \ref{ex:3-fac-circom}. The derivation of the corresponding Groth\_16 parameter set is outlined in \ref{ex:3-fac-groth-16-params-circom}, and the calculation of the associated Common Reference String is addressed in \ref{ex:3-fac-groth-16-setup-circom}. 
In \ref{ex:3-fac-groth-16-prover-circom}, we demonstrate the generation of a proof for randomly selected input values, which is then verified in \ref{ex:3-fac-groth-16-verifier-circom}. This illustration may serve as a starting point for a more in-depth understanding of the underlying mechanisms. +Individuals seeking to enhance their comprehension of the process by which high-level programs are compiled into representations that are amenable to analysis by zero-knowledge proof systems may benefit from a review of Chapter \ref{chap:circuit-compilers}, in which we develop a toy language equipped with a "brain-compiler" that converts high-level code into graphical circuit representations. The crucial representations, such as the R1CS, are detailed in Section \ref{sec:R1CS}, and the fundamental principles of constructive proofs, witnesses, and instances are elucidated in \ref{sec:formal-languages}. -Readers who are primarily interested in building a simple pen-and-paper zk-SNARK from scratch in order to close their knowledge gaps might want to go through all the examples regarding our 3-factorization problem. In \examplename{} \ref{ex:3-factorization}, we introduce the 3-factorization problem as a statement in a formal language. If this is too abstract, the reader might start in \examplename{} \ref{ex:3-fac-zk-circuit}, where we describe the 3-factorization problem as an algebraic circuit. In \examplename{} \ref{ex:3-fac-zk-circuit_2} we execute the circuit. In \examplename{} \ref{ex:L-3fac-zk}, we introduce the concept of instance and witness into the problem in order to achieve various levels of zero knowledge later on. In \examplename{} \ref{ex:3-factorization-r1cs} we transform the circuit into an associated Rank-1 Constraint System and in \examplename{} \ref{ex:3-fac-R1CS-constr-proof} we compute a constructive proof for the problem. 
In \examplename{} \ref{ex:3-fac-QAP} we transform that constraint system into a Quadratic Arithmetic Program in and show how constructive proofs are transformed into polynomial divisibility problems. In \examplename{} \ref{ex:3-fac-groth-16-params}, we use the result of those examples to derive a Groth16 zk-SNARK for the 3-factorization problem. In \ref{def:groth16-crs}, we compute the prover and the verifier key. In \examplename{} \ref{3-fac-snark-compute}, we compute a zk-SNARK and in \examplename{} \ref{3-fac-snark-verifier}, we verify that zk-SNARK. In \examplename{}, \ref{3-fac-snark-simulator} we show how to simulate proofs. -Reader who want to get a better understanding of how high level programs are compiled into representations which zero knowledge proof systems accept, might want to start in chapter \ref{chap:circuit-compilers}, where we derive a toy language with a ''brain-compiler'' that compiles high level code into graphical circuit representations. Important representations like the R1CS are explained in section \ref{sec:R1CS} and core concepts of constructive proofs, witness and instance are explained in \ref{sec:formal-languages}. -\section{Contributions} As zero knowledge proofing systems are a vital and fast developing field of research, getting the moonmath manual to a point where it includes most relevant topics is a huge task and hence community contributions are very welcome. +\section{Contributions}Due to the significance and rapid advancement of the field of zero knowledge proofing systems, providing comprehensive coverage of relevant topics within the moonmath manual represents a substantial challenge. Hence, the community's contributions are greatly appreciated. -If you wish to participate in the development of the moonmath manual, we encourage you to submit adapted material or material created independently to Least Authority. 
If you are interested in adding a major contribution to the moonmath manual, please contact Least Authority directly under mmm@leastauthority.com. See our license for more details on this. +If you would like to contribute to the development of the moonmath manual, we encourage you to submit your adapted material or original content to Least Authority. For those interested in making substantial contributions to the moonmath manual, we suggest reaching out directly to Least Authority at mmm@leastauthority.com. For further information, please refer to our license. %rest is commented out
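Review bot: The rewritten second paragraph of the introduction inverts the subject of the original sentence: "verifiers can be conveyed through a single message from the prover" does not parse, and it also drops the point the old line made, that the prover sends a single message to convince the verifiers; suggest "and a single message from the prover suffices to convince the verifiers." Similarly, the new "practical standpoint" paragraph loses the old sentence about outsourcing heavy computation off-chain and verifying it on-chain, which is the concrete reason for the scaling claim that follows, and "the honest computation of data to be proven publicly" should stay "honest computation to be proven publicly". The retained comment at the top of the hunk says "Lets be as little formal as possible here", yet the new text is markedly more formal ("Of particular significance", "elucidated", "profusion"); either the comment or the register should change. Notation and cross-reference consistency: the removed lines write the curve as `$BLS6\_6$` (literal underscore in math mode) while the added lines write `$BLS6_6$`, which TeX renders as a subscript, so confirm this matches the rest of the book; "Groth\_16" in the Circom paragraph should be "Groth16" as used two paragraphs earlier; the added text hard-codes "Chapter \ref{chap:circuit-compilers}" and "Section \ref{sec:R1CS}" where the same hunk uses the `\chaptname{}` and `\secname{}` macros; and the reference to `\chaptname{} \ref{chap:elliptic-curves}` for the curve prerequisites was dropped without replacement. Smaller fixes in the added lines: "This is crucial for ensuring that developers can produce secure and high-quality code" lacks a period; "societies evolution" should be "society's evolution"; "only assume preexisting knowledge" should be "only assumes"; `\section{Contributions}Due to` should have a line break after the section command like the other sections; and the carried-over "Quadratic Arithmetic Program in and show", "In \examplename{}, \ref{3-fac-snark-simulator}" and "zero knowledge proofing systems" (should be "proving") could be cleaned up while these lines are being touched.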