Understanding of what QAP is and how to create one from R1CS.

Group theory understandings

What is a PCP:

Prover generates a PCP oracle, which can be thought of as a big message of polynomial size. Verifier queries PCP oracle at random points, and using these queries verifier can verify the computation of a polynomial.

In Linear PCP, the PCP generated by the Prover is a linear function. The Oracle responds to linear queries by doing an inner product.

Recall:

\(p(x) = (\sum_{i=1}^m c_i \times l_i(x)) \times (\sum_{i=1}^m c_i \times r_i(x)) \times (\sum_{i=1}^m c_i \times o_i(x)) = V(x).q(x)\)

To show the above can be done using a linear PCP model.

The verifier can submit only linear queries to the PCP:

\( \times - = V(\gamma)\)

**Some termonologies before we continue further:**

**Knowledge of exponentiation:**Sample random \(\alpha\), compute \(g^{\alpha .l_i(\tau)}\) for i = 1...m.

\(\pi_1 = g^{\sum_{i=1}^m c_i \times l_i (\tau)}\) and \(\pi_1^{'} = g^{\sum_{i=1}^m c_i \times l_i (\tau)}\)

\(e(\pi_1, g^\alpha) = e(\pi^{'}, g)\)

**Generic Group Model**The adversary is only given an oracle to compute the group operation.

eg. given \(g^{\alpha.l_i(\tau)}\)for i= 1,...,m. The adversary can only compute their linear combinations.

**Preprocessing ( Key Generation )**:Proving key: \(p, G, g, G_T, e\)

Compute Public Keys: \(g^{l_i(\tau)},g^{r_i(\tau)},g^{o_i(\tau)}\) for \(i=1, \ldots,m\) --- (1)

Evaluate: \(g^\tau , g^{\tau^2}, \ldots, g^{\tau^m}\) ( Public ). --- (2)

Also: \(g ^ {\beta(l_i(\tau) + r_i(\tau) + o_i(\tau))})\) for \(i \in [m]\) --- (3)

Verification Key: \(g^V(\tau) \) - this is known to the verifier

delete \(\tau\)

Prove Generation

\(\pi _1 = g^{\sum_{i=1}^m c_i \times l_i(\tau)}\) , where the term in power is the public key calculated in (1).

Similarly, calculate \(\pi _2\) and \(\pi _3\) using (1) above.

\(\pi _4 = g^{q(\tau)}\) calculated using (2) above.

\(\pi_5 = \prod _{i=1}^m (g ^ {\beta(l_i(\tau) + r_i(\tau) + o_i(\tau))})^{c_i}\)

Verification

The idea is to check the value of p(x) equation equality in the exponent.

Verify using: \(\frac{e(\pi_1, \pi_2)}{e(\pi_3, g)} = e(g^{V(\tau)}, \pi_4)\) bilinear relation.

\(e(\pi_1\pi_2\pi_3, g^\beta) = e(\pi_5, g)\): This check makes sure that the prover isn't cheating and not using the same vector \(c\) in the generation of \(\pi_1, \pi_2, \pi_3\).

The above protocol is not the real implementation. If you notice, while input in the above circuit is considered as a witness. But in practical application, a circuit has both, public and private inputs.

So to convert the above into a real protocol, notice the proof property that is generated above:

$$\pi_1 = g^{\sum_{i \in I_{mid}}c_i \times l_i(\tau)} * g^{\sum_{i \in I_{io}}c_i \times l_i(\tau)}$$

where \(I_{mid}\) is the witness, and \(I_{io}\) is the public Input/output. So now the proof becomes:

$$\pi_1 = g^{\sum_{i \in I_{mid}}c_i \times l_i(\tau)}$$

and the verifier can simply do:

$$\pi_1^* = \pi_1 . g^{\sum_{i \in I_{io}}c_i \times l_i(\tau)}$$

$$\frac{e(\pi_1*,\pi_2*)}{e(\pi_3^*, g)} = e(g^{V(\tau), \pi_4})$$

And that's Groth 16 protocol under the hood!!

$$p(x) = (\sum_{i=1}^m c_i \times l_i(x)) \times (\sum_{i=1}^m c_i \times r_i(x)) \times (\sum_{i=1}^m c_i \times o_i(x)) = V(x).q(x)$$

Proof:

\(\pi_1 = g^{\alpha + \sum_{i=1}^m c_i \times l_i (\tau)}\)

\(\pi_2 = g^{\beta + \sum_{i=1}^m c_i \times r_i (\tau)}\)

\(\pi_3 = \prod _{i=1}^m (g ^ {\sum c_i \times \beta(l_i(\tau) + r_i(\tau) + o_i(\tau)) + V(\tau)q(\tau)})\)

Verify:

- \(e(\pi_1, \pi_2) = e(\pi_3, g).e(g^\alpha, g^\beta)\)

To make the above systems Zero Knowlege, a randomizer is simply added to the proofs generated.

\(\pi _1 = g^{\sum_{i=1}^m c_i \times l_i(\tau) + \delta_1V(\tau)} \) and similarly for \(\pi_2\) and \(\pi_3\)

**Computation Cost**: The cost to generate a proof in Groth16 is relatively high compared to the verification cost. This is because the prover must perform a series of complex mathematical operations, which include polynomial evaluations and multi-exponentiations in elliptic curve groups.**Input Length Dependence**: The proving time is dependent on the length of the witness (the information that proves the statement). For more complex statements or larger datasets, the time required to generate a proof increases.**Memory Usage**: Groth16 proving can be memory-intensive. The prover needs to handle large polynomials and multiple group elements, which requires substantial computational resources, especially for complex statements.**Parallelizability**: The proving process in Groth16 can be parallelized to some extent. This means that with sufficient computational resources, the time taken to generate a proof can be reduced.**Efficient Verification**: Groth16 stands out for its extremely efficient verification process. Verifying a proof typically involves a few pairings and elliptic curve operations, which are computationally cheaper than the operations required for proof generation.**Constant Time Verification**: Regardless of the complexity of the original computation, the verification time remains constant. This is a significant advantage, especially in systems where quick verification is essential, like in blockchain transactions.**Low Resource Requirement**: The verifier does not need extensive computational resources. This asymmetry between proving and verification complexity makes Groth16 particularly suitable for systems where the verifier's resources are limited, such as in smart contracts on a blockchain.**Asymmetry Advantage**: The asymmetry in computational requirements between the prover and verifier in Groth16 is by design. While it demands more from the prover, it benefits systems where verification needs to be quick and inexpensive, a common scenario in decentralized systems like blockchains.**Scalability Impact**: This asymmetry affects scalability. The efficiency in verification means that more transactions (or other verifiable computations) can be processed in a shorter time, which is crucial for the scalability of blockchains.**Security and Trust**: The proving complexity also contributes to the security of the system, as it makes it computationally prohibitive to generate false proofs.In Groth16 variants:

Proof size: 3 group elements - 144 bytes

Verifier time: 1 pairing equation

Follow me on social media: Twitter, and LinkedIn for new updates in the cryptography space and any discussion related to computer science.

]]>R1CS

Transcript

Selector Polynomial

Vanishing Polynomial

Quadratic Arithmetic Program

The term "R1CS" stands for "Rank-1 Constraint System." It's a method used in computer science, particularly in the field of cryptography and zero-knowledge proofs. The Rank-1 Constraint System is a way to express a set of arithmetic constraints. It's commonly used in the construction of zero-knowledge proofs, particularly in systems like zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge).

An R1CS typically consists of three matrices: A, B, and C. Each row in these matrices represents a single constraint, and the system is satisfied if there exists a vector of variables \(\vec{x}\) such that for every row \( \vec{i}\), the following equation holds:

$$\vec{a}_i \cdot \vec{x} \times \vec{b}_i \cdot \vec{x} = \vec{c}_i \cdot \vec{x}$$

Trace just means Prover is just going to evaluate this entire circuit and take the values on all the wires. In Interactive proofs, the value of every gate is traced, in Plonk, the trace is defined as the left input, right input, and output of every gate.

QAP: input + output of every **multiplication gate.**

e.g.:

( image credits to Yupeng Zhang )

Let's assume a polynomial \(l_i(x)\) which means is \(c_i\) the left input of gate j, for j = 1,2,3, where \(c_i\) is the value in the i'th position in the transcript ( as in the above image ).

e.g.

\(l_1(x) : (1,0,0)\).

The polynomial interpolation at a known set \(\Omega\) : \(l_1(w) = 1, l_1(w^2) = 0, l_1(w^3) = 0\).\(l_x(x) : (0, 0 ,1)\)

Polynomial interpolation: \(l_3(w) = 0, l_3(w^2) = 0, l_w(w^3) = 0\) since value 1 is the input of the addition gate which in turn is the left input of the multiplication gate ( remember we are taking trace over multiplication gate in case of QAP )

**Properties**:

\(L(x) = \sum_{i=1}^9 c_i * l_i(x)\). If you write the trace for the entire transcript in the above example: \(L(w) = c_1 = 3\), \(L(w^3) = c_3 + c_4\). The values are the 1s that are present at the respective input column in the entire transpose.

Similarly, we calculate \(r(x)\) and create a transcript then using that a selector polynomial \(R(x)\).

Similarly, we have \(O(x)\) which represents the gate outputs.

Now we have:

$$p(x) = L(x)R(x) - O(x)$$

- Claim is \(p(w^j) = 0 , for \ j = 1,2,3..\)

- We define \(p(x) = V(x)q(x)\) , where \(V(x) = (x - w )(x-w^2)(x-w^3)\) is the vanishing polynomial of the set \(\Omega = \{ w, w^2, w^3 \}\)

Finally:

P claims to know a w such that \(C(x,w) = y\) \(<==>\)P claims to know that a vector c such that \(p(x) = V(x)q(x)\).

Where the table is a piece of public information, and generated during preprocessing phase.

Now, instead of checking the constraints in the R1CS individually, we can now check *all of the constraints at the same time* by doing the dot product check *on the polynomials*.

Lastly, follow me on social media: Twitter, and LinkedIn for new updates in the cryptography space.

References:

]]>**Want P time linear in degree, not field size**:Let's say we use a Merkle tree for commitment to values in a field f. But this is very inefficient since if field f is big, then the number of leaves, and consequently the proof length grows significantly. In FRI, rather than P merkle-commiting to all (p-1) evaluations of q, P merkle-commits to evaluations of q(x) for \(x \in \Omega\) of \(F_p\).

\(\Omega\) has size \(\rho ^ {-1} k\) where \(\rho < 1/2\) constant and k is the degree of q.

Proof length will be about \(\lambda / log(\rho ^ {-1}). log^2(k)\) hash values where \(\lambda\) is the security parameter, aka. " \(\lambda\) bits of security ".

Let \(\omega \in F_p\), n is the smallest integer such that \(\omega ^ n = 1\), then \(\Omega = \{ 1, \omega, \omega ^2, \ldots, \omega ^ {n-1} \}\)

From group theory, \(\Omega\) has size n if and only if n divides p-1.

- Hence, FRI based SNARKs work over fields like \(F_p\) with \(p = 2^{64} - 2^{32} + 1\) , p-1 is divisible by \(2^{32}\). Running FRI over the field can support any power of 2 value of n up to \(2^{32}\).

For eg. FRI commitment to univariate polynomial \(q(x)\) in \(F_{41}[X]\) when \(8 = \rho^{-1}.k\), where roots of unity = \(\{ 1, -1, 9, -9, 3, -3, 14, -14 \}\) becomes the root of the committed merkle tree.

To visualize roots of unity try this tool -> https://www.geogebra.org/m/sZFwAZfs

**V needs to know the committed vector at all evaluations over domain \(\Omega\) of some (k-1) degree polynomial.**V "inspects" a few entries of the vector to "get a sense" of whether its low-degree. This will add a Merkle authentication path ( log(n) hash values ) to the proof.

This is impractical. FRI's test will be interactive. We use a "folding phase" followed by a "query phase". The folding phase is log(k) rounds. The query phase is one round.

- The process begins with the prover having a high-degree polynomial. This polynomial is a representation of the computation or data they intend to prove something about.

- The polynomial is evaluated at various points. These points typically lie in a domain related to a specific subgroup of a finite field.

The prover reduces the degree of the polynomial. They select a subset of the evaluation points and merge the values of the polynomial at these points using a linear or affine transformation.

V picks up a random field element r, and r is used to "randomly combine" every two paired-up entries.

q(x) is split into "even and odd components" -> \(q(x) = q_e(X^2) + Xq_o(X^2)\)

The prescribed "folding" q is \(q_{fold}(Z) = q_e(Z) + rq_o(Z)\) where degree of \(q_{fold}\) is half of the degree of q.

**What Happens**: After folding, the polynomial's degree is lowered. The prover then commits to this new, reduced-degree polynomial. Folding is repeated until the degree falls to 0.**Why It Matters**: This recursive process is essential for gradually simplifying the polynomial.

**Step 5: End**

- The length of the folded vector after the degree has fallen to 0 is still \(\rho ^ {-1} >= 2\). Since the degree should be 0, P can specify the folder vector with a single field element.

( image credit: Justin Thaler lecture ( link in references ).

The calculation in the picture uses the fact that if x and -x are n'th roots of unity and z = \(x^2\). Then \(q_{fold}(z) = \frac{(r+x)}{2x} .q(x) + \frac{(r-x)}{-2x} .q(-x) \) ( derivation not covered in this post ).

FRI heavily uses the fact that the map \(x -> x^2\) is 2 to 1 on \(\Omega\), ensuring that the relevant domain halves in size with each fold.

P may have "lied":

sending a vector that is not the prescribed folding of the previous vector

To "artificially" reduce the degree of the claimed folded vector.

The Query phase is where the verifier tries to detect inconsistencies.

V picks about \(\lambda / log ( \rho ^ {-1}) \) entries of each folded vector and confirming each is the prescribed linear combination of the relevant two entries of the previous vector.

Proof length ( and V time ): roughly \((\lambda / log(\rho ^ {-1})_. log(k)^2\) hash evaluations. Each of the folded vectors ( log(k) ) is queried at \(\lambda / log ( \rho ^ {-1})\)

For security analysis, refer the links in references. This article focuses on the working only.

There is a known attack where prover folders a polynomial s rather than q, where s agrees on a set T = \(\rho n\) elements of \(\Omega\).

Problems with FRI

P has only the Merkle-committed to evaluations of q over domain \(\Omega\), not the whole field.

V only knows that q is "not too far" from low-degree, not exactly low-degree.

Solution

We know \(q(X) - v = w(X)(X-r)\) is equivalent to \(q(r) = v\) ( refer here). w is a polynomial of degree at most d.

So to confirm \(q(r) = v\) V applies FRI's fold + query procedure to the functions \((q(X) - v)(X-r)^{-1}\) using degree bound d-1. Whenever the FRI verifier queries this function at \(\Omega\), evaluation can be obtained with one query to q at the same point.

V doesn't know that q is exactly a low degree, but to pass V's check, \(v\) has to equal \(h(r)\) where h is the degree d polynomial that is closest to q.

Each FRI verifies query brings <1 bit of security to the commitment scheme. FRI today is used as a weaker primitive tha a polynomial commitment ( list polynomial commitment scheme ), which suffices for SNARK security. P is bound to a "small set" of low-degree polynomials rather than to a single one.

**Conclusion:** The FRI commitment scheme represents a significant advancement in the field of cryptographic proofs, enabling more secure and efficient verification of computations in various applications, including blockchain technology and privacy-preserving computations.

Lastly, follow me on social media: Twitter, and LinkedIn for new updates in the cryptography space.

**References**:

The integration of mathematics in cryptography has led to innovative solutions like bulletproof commitment schemes, which are essential in enhancing digital security and privacy. Bulletproofs are a form of non-interactive zero-knowledge proof system, that relies heavily on mathematical concepts to provide efficient and secure commitment schemes. In this post, we delve into the mathematical underpinnings of bulletproofs and how they revolutionize commitment schemes.

A bulletproof commitment scheme is a cryptographic protocol that allows a party to commit to a value, maintaining its confidentiality, and ensuring the integrity of the commitment. These schemes are known for their efficiency, non-reliance on a trusted setup, and their ability to produce short proofs.

**Pedersen Commitments**: The core of bulletproofs lies in Pedersen commitments, a cryptographic algorithm based on discrete logarithm problems. A Pedersen commitment to a value`v`

is of the form`C = vG + rH`

, where`G`

and`H`

are known generator points on an elliptic curve, and`r`

is a secret blinding factor.**Range Proofs**: Bulletproofs provide a way to prove that a committed number lies within a certain range without revealing the number itself. This is done through complex polynomial commitments and inner product arguments, leveraging mathematical constructs like Hadamard products and vector operations.**Inner Product Argument**: At the heart of a bulletproof range proof is an efficient protocol for proving the inner product between two vectors, which allows the verifier to check that the commitment represents a number in the desired range without learning anything more about the number.

**Transparent Setup:**

Sample random \(gp = (g_0, g_1, g_2, \ldots, g_d) \) in G.

Commit: \(f(x) = f_0 + f_1x + f_2x^2 + \ldots | f_dx^d\)

\(com_f = g_0^{f_0} + g_1^{f_1} + \ldots + g_d^{f_d}\)

**Steps in working of Poly-commitment based on BulletProofs:**

**Evaluate**\(v = f_0 + f_1u + f_2u^2 + f_3u^3\) and send to the verifier.

Compute \(L, R, v_L, v_R\)

where \(L = g_2^{f_0}.g_3^{f_1}\), \(R = g_0^{f_2}.g_1^{f_3}\) , \(v_L = f_0 + f_1u\), \(v_r = f_2 + f_3u\) and sent to verifier.

Receive \(r\) from the verifier, reduce \(f\) to \(f^{'}\) of degree \(d/2\) where new polynomials change from \(f_0, f_1, f_2, f_3\) to \(rf_0 + f2, rf_1 + f_3\)

Update the bases \(gp'\)

**Verify**Check \(v = v_L + v_R.u^{d/2}\)

Generate \(r\) randomly

Update:

\(com^{'} = L^r.com_f.R^{r^{-1}}\)

\(gp^{'}= (g_0^{r^{-1}}.g_2, g_1^{r^{-1}}.g_3)\)

\(v^{'} =r.v_L + v_R\)

Recurse log d times.

*(image credit: Yupeng Zhang lecture on ZKP MOOC)*

**Blockchain and Cryptocurrency**: In blockchain, bulletproofs enable confidential transactions by allowing the amounts to be hidden yet verifiable.**Voting Systems**: Secure voting mechanisms can utilize bulletproofs to count votes accurately while maintaining voter anonymity.**Privacy-Enhancing Technologies**: They are crucial in constructing zero-knowledge proofs, pivotal for privacy in various digital applications.

The mathematical complexity and cryptographic robustness of bulletproof commitment schemes mark a significant advancement in secure digital communications. By blending advanced mathematics with cryptographic techniques, bulletproofs offer a powerful tool for ensuring privacy and integrity in various digital applications, especially in the rapidly evolving field of blockchain technology. Understanding these schemes not only provides insight into modern cryptographic practices but also underscores the importance of mathematical principles in developing secure digital systems.

Lastly, follow me on social media: Twitter, and LinkedIn for new updates in the cryptography space.

]]>A KZG polynomial commitment scheme allows a prover to commit to a polynomial so that they can later reveal and prove properties about the polynomial (like its value at certain points) without revealing the entire polynomial. This is particularly useful in scenarios where the polynomial represents some private data or computation.

Prequistics:

How cyclic groups work in Numbers Theory

Discrete Log + Diffie-Hellman

Understanding of Bilinear Pairing

Before we start, lets see the elements we have:

Bilinear Group p, G, g, G, e.

Univariate polynomials: \(F = F_p^{<=d}[X]\)

**Step 1: Keygen**

Sample random Fp

\(gp = (g, g^{\tau}, g^{\tau^2}, \ldots, g^{\tau^d})\)

delete \(\tau\) ( trusted setup )

**Step 2: Commit**

commit (gp, f) -> \(com_f\)

\(f(x) = f_0 + f_1x + f_2x ^2 + \ldots + f_dx^d\)

\(com_f = g^{f(\tau)}\)

\(= g ^ {f_0 + f_1\tau + f_2\tau^2+ \ldots + f_d^{\tau ^ d}}\)\(= (g)^{f_0}. (g^\tau)^{f_1}. (g^{\tau^2})^{f_2}. \ldots (g^{\tau^d})^{f_d}\)

**Step 3: Proof**

\(eval(gp, f, u) -> v, \pi\): where \(u\) is a random point the verifier chooses.

\(f(x) - f(u) = (x - u)q(x)\) as u is a root of \(f(x) - f(u)\)

Compute \(q(x) \) and \(\pi = g^{q(\tau)}\) computed using gp elements.

**Step 4: Verify**

\(verify(gp, com_f, u, v, \pi )\):

where \(v = f(u)\)

The idea is to check the equation at point \(\tau\): \(g ^ {f(\tau) - f(u)} = g ^ {(\tau - u)q(\tau)}\)

Challenge: only know \(g ^ {\tau - u}\) and \(g ^ {q(\tau)}\)

Solution: pairings - \(e(com_f / g^v, g) = e(g^{\tau - u}, \pi)\)

\(=e(g,g)^{f(\tau) - f(u)} = e(g,g)^{({\tau - u}). q(\tau)}\)

The key features of KZG polynomial commitments include:

**Commitment**: The prover commits to a polynomial by computing a commitment, a concise representation of the polynomial. This commitment is computed using a bilinear pairing over elliptic curves, which forms the cryptographic backbone of the scheme.**Evaluation Proofs**: The prover can provide proofs that a committed polynomial evaluates to a certain value at a specific point. These proofs are small in size and can be verified quickly.**Hiding Property**: The commitment does not reveal the polynomial itself, preserving the privacy of the data.**Efficiency**: KZG commitments are highly efficient in terms of both computation and communication overhead, making them suitable for use in blockchain networks where resources are limited.**Applications**: They are widely used in the construction of zk-SNARKs (zero-knowledge Succinct Non-interactive ARguments of Knowledge) and other zero-knowledge proof systems. In blockchain, they enable scalable and private transactions.

The plain KZG is not ZK. Eg. \(com_f = g ^{f(\tau)}\) is deterministic.

To achieve Zero Knowledge, we mask the commitment with randomizers.

Commit: \(com_f = g^{f(\tau) + r\eta}\)

Evaluate: ( where \(r\) and \(r^{'}\) are both randomizers )

$$f(x) + ry - f(u) = (x - u)(q(x) + r^{'}y) + y(r - r^{'}(x - u))$$

$$\pi = g ^ {q(\tau) + r^{'}\eta} , g^{r-r^{'} (\tau - u)}$$

**Other Variants Of KZG**

**Batch opening: Single Polynomial:**

Prover wants to prove \(f\) at \(u_1,\ldots, u_m \) for m<d.

Steps:

Extrapolate \(f(u_1),\ldots,f(u_m)\) to get \(h(x)\)

\(f(x) - h(x) = \prod_{i=1}^m(x-u_i)q(x)\). Why? Check the roots of polynomials on LHS.

\(\pi = g ^ {q(\tau)}\)

\(e ( com_f / g^ {h(\tau)}, g) = e(g^{\prod_{i=1}^m(\tau - u_i)}, \pi)\) where \(g^{h(r)}\) verifier can calculate using the global params.

**Batch opening: Multiple Polynomials**Prover wants to prove \(f_i(u_{i,j}) = v_{i,j}\)

Steps:

Extrapolate \(f_i(u_1),\ldots,f(u_m)\) to get \(h_i(x)\) for \(i \in [n]\)

\(f_i(x) - h_i(x) = \prod_{i=1}^m(x - u_m)q_i(m)\)

Combine all \(q_i(x)\) via a random linear combination.

And that's it !!!

Lastly, follow me on social media: Twitter, and LinkedIn for new updates in the cryptography space.

]]>