
Theory and Applications of Zero-Knowledge Proof - Part 1: Introduction

I introduced the concept of ZKP and explained its mathematical processes. By converting the problems handled by ZKP into circuits, constraints, and polynomials following the Plonk protocol, I showed that the problems turn into a more concise and provable form.


SoraSuegami

August 07, 2022

Transcript

  1. Theory and Applications of Zero-Knowledge Proof
    Part 1: Introduction
    Department of Information and Communication Engineering,
    The University of Tokyo
    Sora Suegami

  2. Introduce myself
    Name: Sora Suegami
    Twitter: @SoraSue77
    Affiliation: Department of Information and Communication Engineering,
    The University of Tokyo
    My favorites: Ethereum, Cryptography

  3. What is Zero-Knowledge Proof?
    1. A prover wants to prove that he knows a solution to a problem.
    2. The prover must not reveal the solution itself.
    3. A verifier wants to verify the solution with a small amount of
    computation and data.
    [Diagram] prover -> verifier: a proof of possession of the solution
    (not the solution itself); verifier -> prover: Accept / Reject

  4. Problem Conversion
    1. Arithmetic Circuit /
    RAM Program
    2. Constraints
    3. Polynomial /
    Inner Product


  5. Problem Conversion
    1. Arithmetic Circuit / RAM Program (manual)
    2. Constraints (semi-automatic)
    3. Polynomial / Inner Product (automatic)

  6. In Plonk [GWC19]…
    1. Arithmetic Circuit / RAM Program (manual)
    2. Constraints (semi-automatic)
    3. Polynomial / Inner Product (automatic)

  7. What is Arithmetic Circuit?
    [Diagram: a circuit with Input 1 … Input 6 feeding two layers of
    multiplication gates (×) and addition gates (+), ending in one Output]
    × Multiplication Gate
    + Addition Gate

  8. Arithmetic Circuit -> Constraint
    The output of a gate is the result of adding/
    multiplying two inputs.
    The correct input-output result for a gate should
    satisfy a particular equation.


  9. Gate Constraint
    Addition Gate (inputs $X_L$, $X_R$, output $X_O$):
    $X_L + X_R - X_O = 0$

  10. Gate Constraint
    Multiplication Gate (inputs $X_L$, $X_R$, output $X_O$):
    $X_L X_R - X_O = 0$

  11. Gate Constraint
    All kinds of gates are represented by one equation:
    $Q_L X_L + Q_R X_R + Q_M X_L X_R + Q_C + Q_O X_O = 0$
    Addition => $Q_L = 1,\ Q_R = 1,\ Q_M = 0,\ Q_C = 0,\ Q_O = -1$
    Multiplication => $Q_L = 0,\ Q_R = 0,\ Q_M = 1,\ Q_C = 0,\ Q_O = -1$
    Constant ($X_L = c$) => $Q_L = 1,\ Q_R = 0,\ Q_M = 0,\ Q_C = -c,\ Q_O = 0$

  12. Gate Constraint
    [Diagram: the circuit of slide 7 with each gate $i = 1, \dots, 5$
    labelled by its left input $X_{Li}$, right input $X_{Ri}$ and output $X_{Oi}$]
    × Multiplication Gate
    + Addition Gate

  13. Gate Constraint
    Gate 1 (×): $0 X_{L1} + 0 X_{R1} + 1 X_{L1} X_{R1} + 0 + (-1) X_{O1} = 0$
    Gate 2 (×): $0 X_{L2} + 0 X_{R2} + 1 X_{L2} X_{R2} + 0 + (-1) X_{O2} = 0$
    Gate 3 (+): $1 X_{L3} + 1 X_{R3} + 0 X_{L3} X_{R3} + 0 + (-1) X_{O3} = 0$
    Gate 4 (+): $1 X_{L4} + 1 X_{R4} + 0 X_{L4} X_{R4} + 0 + (-1) X_{O4} = 0$
    Gate 5 (×): $0 X_{L5} + 0 X_{R5} + 1 X_{L5} X_{R5} + 0 + (-1) X_{O5} = 0$

  14. Copy Constraint is also necessary!
    [Diagram: the wire-labelled circuit of slide 12]
    × Multiplication Gate
    + Addition Gate

  15. Copy Constraint is also necessary!
    ($x_{O1} = x_{L5}$, $x_{O2} = x_{R5}$, …)
    Prepare a constraint for each wire?
    <- However, we want to avoid increasing the number of constraint types!
    => We only need to know whether all the equations hold (we do not need
    the details of each one).
    => Compute one value that aggregates all variables (an accumulator)!

  16. Copy Constraint is also necessary!
    ($x_{O1} = x_{L5}$, $x_{O2} = x_{R5}$, …)
    What does it mean that two variables are equivalent?
    => Swapping the two variables does not change the result of the
    accumulator.
    => So we only verify
    "accumulator without variable swapping" =
    "accumulator with variable swapping".

  17. Example of Copy Constraint
    [Diagram: two multiplication gates (gates 1 and 2) whose outputs feed one
    addition gate (gate 3); gate $i$ has wires $X_{Li}$, $X_{Ri}$, $X_{Oi}$]
    $x_L = (x_{L1}, x_{L2}, x_{L3})$
    $x_R = (x_{R1}, x_{R2}, x_{R3})$
    $x_O = (x_{O1}, x_{O2}, x_{O3})$

  18. Example of Copy Constraint
    Index | Permuted index $\sigma(i)$ | Variable (wire)
    1 | 1 | $x_{L1} \to x_1$
    2 | 2 | $x_{L2} \to x_2$
    3 | 7 | $x_{L3} \to x_3$
    4 | 4 | $x_{R1} \to x_4$
    5 | 5 | $x_{R2} \to x_5$
    6 | 8 | $x_{R3} \to x_6$
    7 | 3 | $x_{O1} \to x_7$
    8 | 6 | $x_{O2} \to x_8$
    9 | 9 | $x_{O3} \to x_9$
    (The permutation $\sigma$ swaps 3 and 7 because $x_{L3} = x_{O1}$, and
    6 and 8 because $x_{R3} = x_{O2}$.)

  19. Example of Copy Constraint
    Index | Permuted index $\sigma(i)$ | Variable (wire) | $f(Y, Z) = x_i + iY + Z$ | $g(Y, Z) = x_i + \sigma(i)Y + Z$
    1 | 1 | $x_{L1} \to x_1$ | $x_1 + 1Y + Z$ | $x_1 + 1Y + Z$
    2 | 2 | $x_{L2} \to x_2$ | $x_2 + 2Y + Z$ | $x_2 + 2Y + Z$
    3 | 7 | $x_{L3} \to x_3$ | $x_3 + 3Y + Z$ | $x_3 + 7Y + Z$
    4 | 4 | $x_{R1} \to x_4$ | $x_4 + 4Y + Z$ | $x_4 + 4Y + Z$
    5 | 5 | $x_{R2} \to x_5$ | $x_5 + 5Y + Z$ | $x_5 + 5Y + Z$
    6 | 8 | $x_{R3} \to x_6$ | $x_6 + 6Y + Z$ | $x_6 + 8Y + Z$
    7 | 3 | $x_{O1} \to x_7$ | $x_7 + 7Y + Z$ | $x_7 + 3Y + Z$
    8 | 6 | $x_{O2} \to x_8$ | $x_8 + 8Y + Z$ | $x_8 + 6Y + Z$
    9 | 9 | $x_{O3} \to x_9$ | $x_9 + 9Y + Z$ | $x_9 + 9Y + Z$

  20. Example of Copy Constraint
    For all $Y, Z \in F_r$,
    $x_3 + 3Y + Z = x_7 + 3Y + Z \iff x_3 = x_7$
    $x_6 + 6Y + Z = x_8 + 6Y + Z \iff x_6 = x_8$
    $x_7 + 7Y + Z = x_3 + 7Y + Z \iff x_7 = x_3$
    $x_8 + 8Y + Z = x_6 + 8Y + Z \iff x_8 = x_6$

  21. Example of Copy Constraint
    For all $Y, Z \in F_r$, the four equalities of slide 20 hold if and only if
    $(x_3 + 3Y + Z)(x_6 + 6Y + Z)(x_7 + 7Y + Z)(x_8 + 8Y + Z)
    = (x_3 + 7Y + Z)(x_6 + 8Y + Z)(x_7 + 3Y + Z)(x_8 + 6Y + Z)$

  22. Example of Copy Constraint
    For all $Y, Z \in F_r$,
    $\prod_{i=1}^{9} (x_i + iY + Z) = \prod_{i=1}^{9} (x_i + \sigma(i)Y + Z)$

  23. Example of Copy Constraint
    Instead of requiring the identity for all $Y, Z \in F_r$, uniformly sample
    $\beta, \gamma \in F_r$ and check
    $\prod_{i=1}^{n} (x_i + i\beta + \gamma) = \prod_{i=1}^{n} (x_i + \sigma(i)\beta + \gamma)$
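The gate equation of slide 11 and the grand-product check of slide 23, applied to the three-gate circuit of slides 17 and 18, as an added Python example (not code from the slides or from any Plonk implementation). It works over the BN254 scalar field; the witness values, the cheating witness and the fixed challenges used for reproducibility are constructed for the example.

```python
import secrets

# Scalar field order r of BN254 (alt_bn128), the field used by Plonk on Ethereum.
R = 21888242871839275222246405745257275088548364400416034343698204186575808495617

# Selector rows (Q_L, Q_R, Q_M, Q_C, Q_O) for the 3-gate circuit of slides
# 17-18: gates 1 and 2 multiply, gate 3 adds their outputs.
SELECTORS = [
    (0, 0, 1, 0, -1),
    (0, 0, 1, 0, -1),
    (1, 1, 0, 0, -1),
]

# Permutation sigma of slide 18 (1-indexed). Wires are numbered
# x1..x3 = xL1..xL3, x4..x6 = xR1..xR3, x7..x9 = xO1..xO3, and sigma swaps
# 3 <-> 7 (xL3 = xO1) and 6 <-> 8 (xR3 = xO2).
SIGMA = [1, 2, 7, 4, 5, 8, 3, 6, 9]


def witness(a, b, c, d):
    """Wire assignment (xL, xR, xO) for y = a*b + c*d. An honest prover fills
    every output wire by evaluating its gate, so copies are consistent."""
    o1, o2 = a * b % R, c * d % R
    o3 = (o1 + o2) % R
    return [a, c, o1], [b, d, o2], [o1, o2, o3]


def gate_residuals(xl, xr, xo):
    """Q_L X_L + Q_R X_R + Q_M X_L X_R + Q_C + Q_O X_O per gate (slide 11);
    every residual is 0 iff every gate constraint holds."""
    return [(ql * l + qr * r + qm * l * r + qc + qo * o) % R
            for (ql, qr, qm, qc, qo), l, r, o in zip(SELECTORS, xl, xr, xo)]


def copy_constraints_hold(xl, xr, xo, beta, gamma):
    """Grand-product form of the copy constraints (slide 23):
    prod_i (x_i + i*beta + gamma) == prod_i (x_i + sigma(i)*beta + gamma).
    Factors at fixed points of sigma cancel; a mismatched copy survives."""
    x = xl + xr + xo                      # x1..x9 in the order of slide 18
    lhs = rhs = 1
    for i, (xi, si) in enumerate(zip(x, SIGMA), start=1):
        lhs = lhs * (xi + i * beta + gamma) % R
        rhs = rhs * (xi + si * beta + gamma) % R
    return lhs == rhs


def verify(xl, xr, xo, beta=None, gamma=None):
    """Both constraint families. beta and gamma are the verifier's random
    challenges; a fixed pair is accepted only to make runs reproducible."""
    if beta is None or gamma is None:
        beta, gamma = secrets.randbelow(R), secrets.randbelow(R)
    gates_ok = all(v == 0 for v in gate_residuals(xl, xr, xo))
    return gates_ok and copy_constraints_hold(xl, xr, xo, beta, gamma)


# Constructed cheating witness: every gate is locally consistent (13 + 30 = 43),
# but gate 3's left input 13 is not gate 1's output 12, so a copy is broken.
CHEAT = ([3, 5, 13], [4, 6, 30], [12, 30, 43])

if __name__ == "__main__":
    honest = witness(3, 4, 5, 6)              # 3*4 + 5*6 = 42
    print("honest witness accepted:", verify(*honest))
    print("cheating gate residuals:", gate_residuals(*CHEAT))
    print("cheating witness accepted:", verify(*CHEAT))
```

The cheating witness passes every gate equation on its own, which is exactly why the copy constraints are needed: only the permutation product notices that the value fed into gate 3 differs from the output of gate 1.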

  24. In Plonk [GWC19]…
    1. Arithmetic Circuit / RAM Program (manual)
    2. Constraints (semi-automatic)
    3. Polynomial / Inner Product (automatic)

  25. Polynomial Commitment
    A degree-$d$ polynomial:
    $f(x) = \sum_{i=0}^{d} a_i x^i = a_0 + a_1 x + a_2 x^2 + \dots + a_d x^d$

  26. Polynomial Commitment
    What is a cryptographic commitment?
    Suppose you want to play online rock-paper-scissors between two players.
    1. Neither player's hand should be revealed to the other until both have
    chosen their hands. (Hiding)
    2. When revealing his hand, a player must not be able to change the hand
    he committed to in step 1. (Binding)

  27. Polynomial Commitment
    Commitment [Oka19]:
    Alice -> Bob: $hash_A = Hash(x_{Rock}, r)$   [Commitment]
    Bob cannot tell Alice's hand because it is difficult to reverse the hash
    function. (Hiding) The random $r$ is essential here: with only three
    possible hands, Bob could otherwise hash each one and compare.

  28. Polynomial Commitment
    Commitment [Oka19]:
    Alice -> Bob: $x_{Rock}, r$   [Opening]
    Bob recomputes $Hash(x_{Rock}, r)$ and compares it with $hash_A$.
    Alice cannot change her hand because it is difficult to find a hash
    collision. (Binding)

  29. Polynomial Commitment
    What is Polynomial Commitment [KZG10] [Fei20]?
    1. Commit to the coefficients of a polynomial $f(x)$.
    2. Open an evaluation point $a$ and its evaluation result $z = f(a)$.
    3. As long as the verifier knows the commitment of the polynomial
    (without knowing its coefficients), he/she can verify whether a given
    evaluation point $a$ and evaluation result $z$ satisfy the relationship
    of the committed polynomial ($z = f(a)$).

  30. Polynomial Commitment
    The advantage of Kate Commitment [KZG10] [Fei20]
    • A commitment hides the coefficients of the polynomial.
    • The size of the commitment is constant regardless of the degree
    (e.g. 32 bytes, 48 bytes).
    • The size of the proof is also constant regardless of the degree.
    • The amount of computation for verification is also constant
    regardless of the degree.
    If we can convert a problem to prove into some polynomials…
    • A prover can prove correctness while keeping the solution confidential.
    • A verifier can verify the proof with a small amount of computation
    and data.

  31. Kate Commitment [KZG10]
    How to achieve Kate Commitment?
    Using a pairing on points of an elliptic curve, prove knowledge of the
    quotient polynomial
    $t(x) = \frac{f(x) - z}{x - a}$.

  32. Kate Commitment [KZG10]
    If we do not use an elliptic curve…
    Alice -> Bob: $f(x)$   [Commitment]
    Alice -> Bob: $a$, $z$, $t(x) = \frac{f(x) - z}{x - a}$   [Opening]

  33. Kate Commitment [KZG10]
    If we do not use an elliptic curve…
    Bob checks $f(x) - z \stackrel{?}{=} t(x)(x - a)$.

  34. Kate Commitment [KZG10]
    If we do not use an elliptic curve…
    Bob checks $f(x) - z \stackrel{?}{=} t(x)(x - a)$.
    The coefficients of $f(x)$ are not hidden!
    AND
    The computation and data volume for the verifier increase with the
    degree of the polynomial!

  35. Kate Commitment [KZG10]
    If we do not use an elliptic curve…
    Bob checks $f(x) - z \stackrel{?}{=} t(x)(x - a)$.
    The coefficients of $f(x)$ are not hidden!
    AND
    The computation and data volume for the verifier increase with the
    degree of the polynomial!
    => Evaluate the polynomial at a secret point $s$ (the SRS) generated by
    a trusted third party.

  36. What is pairing [ASTTM16]?
    Properties of a pairing $e$ (more generally, a bilinear map):
    1. Bilinear: for all $P_1, P_2 \in \mathbb{G}_1$ and $Q_1, Q_2 \in \mathbb{G}_2$,
    $e(P_1 + P_2, Q_1) = e(P_1, Q_1)\, e(P_2, Q_1)$,
    $e(P_1, Q_1 + Q_2) = e(P_1, Q_1)\, e(P_1, Q_2)$,
    and hence $e(xP, yQ) = e(P, Q)^{xy}$.
    2. Non-degenerate: if $Q \in \mathbb{G}_2$ satisfies $e(P, Q) = 1$ for all
    $P \in \mathbb{G}_1$, then $Q = O$.

  37. Kate Commitment [KZG10]
    Setup of the SRS by a trusted third party:
    Let $P \in \mathbb{G}_1$ and $Q \in \mathbb{G}_2$, let $r$ denote the order of
    $\mathbb{G}_1$, and let $d$ be the maximum degree of a supported $f(x)$.
    Uniformly sample $s \in F_r$; the SRS is defined as
    $srs := \{sP, s^2 P, \dots, s^d P, sQ\}$
    ($P$ and $Q$ themselves are public; $s$ must be discarded after the setup).

  38. Kate Commitment [KZG10]
    A commitment to the polynomial $f(x)$:
    When $f(x) = a_0 + a_1 x + \dots + a_d x^d$, its commitment is defined as
    $f(s)P = (a_0 + a_1 s + \dots + a_d s^d)P = a_0 P + a_1 (sP) + \dots + a_d (s^d P)$.
    The prover can compute $f(s)P$ from the SRS without knowing $s$!

  39. Kate Commitment [KZG10]
    An opening of the polynomial evaluation $f(a) = z$:
    When $t(x) = \frac{f(x) - z}{x - a} = t_0 + t_1 x + \dots + t_{d-1} x^{d-1}$
    (a polynomial of degree $d - 1$, since $x - a$ divides $f(x) - f(a)$ exactly),
    its opening is defined as
    $t(s)P = (t_0 + t_1 s + \dots + t_{d-1} s^{d-1})P = t_0 P + t_1 (sP) + \dots + t_{d-1} (s^{d-1} P)$.
    The prover can also compute $t(s)P$ from the SRS without knowing $s$!

  40. Kate Commitment [KZG10]
    Verification of the opening:
    $e(f(s)P - zP, Q) \stackrel{?}{=} e(t(s)P, sQ - aQ)$
    [Correctness]
    (LHS) $= e(P, Q)^{f(s) - z}$
    (RHS) $= e(P, Q)^{t(s)(s - a)} = e(P, Q)^{\frac{f(s) - z}{s - a}(s - a)} = e(P, Q)^{f(s) - z}$
    [Hiding]
    Because of the difficulty of the discrete logarithm problem, $f(s)P$ does
    not reveal the coefficients of $f$. (Note that this commitment is
    deterministic: a verifier who can guess $f$ can recompute $f(s)P$ and
    confirm the guess, so protocols that need hiding against such guesses,
    Plonk included, add random blinding terms to the committed polynomials.)

  41. Kate Commitment [KZG10]
    Verification of the opening:
    $e(f(s)P - zP, Q) \stackrel{?}{=} e(t(s)P, sQ - aQ)$
    [Binding]
    Why is it sufficiently secure to evaluate the equation at one random
    point? (An adversary might be able to forge an invalid polynomial for
    which the equation holds only at that random point.)

  42. Schwartz-Zippel Lemma [Har11]
    Let $f(x)$ be a degree-$d$ polynomial over a finite field $F_r$ that is not
    identically zero, and uniformly sample $u$ from a subset $S \subset F_r$. Then
    $\Pr[f(u) = 0] \le \frac{d}{|S|}$.

  43. Schwartz-Zippel Lemma [Har11]
    The number of points where $f(x) = 0$ is at most $d$ (a nonzero degree-$d$
    polynomial has at most $d$ roots). The number of candidates for $u$ is $|S|$.
    Hence $\Pr[f(u) = 0] \le \frac{d}{|S|}$.

  44. Kate Commitment [KZG10]
    [Binding]
    Why is it sufficiently secure to evaluate the equation at one random
    point?
    The secret point $s$ hidden in the SRS plays the role of the random
    point. Since $s$ is sampled from the sufficiently large finite field $F_r$,
    the probability $\frac{d}{|F_r|}$ that a forged polynomial satisfies the
    equation at $s$ is negligible.
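The opening relation of slides 31 to 33 and the random-point argument of slides 41 to 44, in the "no elliptic curve" scalar form, as an added Python example (not code from the slides or from [KZG10]). The polynomial f, the point a and the claimed values are constructed; the pairing check of slide 40 is replaced by its exponent equation f(s) − z = t(s)(s − a), and the secret s is simply a field element here. The forgery function shows both why one random point suffices and why the toxic waste s of slide 45 must never reach the prover.

```python
# Scalar field order r of BN254 (alt_bn128).
R = 21888242871839275222246405745257275088548364400416034343698204186575808495617

# Polynomials are coefficient lists, lowest degree first: [a0, a1, ..., ad].


def evaluate(f, x):
    """Horner evaluation of f at x in F_r."""
    acc = 0
    for coeff in reversed(f):
        acc = (acc * x + coeff) % R
    return acc


def divide_by_linear(f, a):
    """Synthetic division of f(x) by (x - a): returns (quotient, remainder).
    The remainder is f(a), so it is 0 exactly when (x - a) divides f(x)."""
    d = len(f) - 1
    q = [0] * d
    q[d - 1] = f[d] % R
    for i in range(d - 1, 0, -1):
        q[i - 1] = (f[i] + a * q[i]) % R
    return q, (f[0] + a * q[0]) % R


def open_at(f, a):
    """Prover: the evaluation z = f(a) and the quotient t(x) = (f(x) - z)/(x - a)
    of slide 31 (degree deg f - 1, remainder 0)."""
    z = evaluate(f, a)
    g = list(f)
    g[0] = (g[0] - z) % R
    t, rem = divide_by_linear(g, a)
    assert rem == 0
    return z, t


def check_opening(f_at_s, a, z, t_at_s, s):
    """Verifier: the scalar form of the pairing check of slide 40,
    e(f(s)P - zP, Q) = e(t(s)P, sQ - aQ)  <=>  f(s) - z = t(s) (s - a)."""
    return (f_at_s - z) % R == t_at_s * (s - a) % R


def honest_opening_passes(f, a, s):
    z, t = open_at(f, a)
    return check_opening(evaluate(f, s), a, z, evaluate(t, s), s)


def forge_for_guess(f, a, z_fake, s_guess):
    """The adversary of slide 41: claim z_fake != f(a) and build t'(x) so that
    f(x) - z_fake = t'(x)(x - a) holds at x = s_guess (and, the discrepancy
    being a degree-1 polynomial, nowhere else). Against an unknown uniform s
    this wins with probability 1/r (Schwartz-Zippel); if the toxic waste s
    has leaked, the adversary sets s_guess = s and wins every time."""
    g = list(f)
    g[0] = (g[0] - z_fake) % R
    t_prime, rem = divide_by_linear(g, a)         # rem = f(a) - z_fake != 0
    # f(x) - z_fake - t'(x)(x - a) = rem - c (x - a): pick c to zero it at s_guess
    c = rem * pow((s_guess - a) % R, R - 2, R) % R
    t_prime[0] = (t_prime[0] + c) % R
    return t_prime


def forgery_passes(f, a, z_fake, s_guess, s):
    t_prime = forge_for_guess(f, a, z_fake, s_guess)
    return check_opening(evaluate(f, s), a, z_fake, evaluate(t_prime, s), s)


if __name__ == "__main__":
    import secrets
    f = [1, 2, 3, 4]                 # f(x) = 1 + 2x + 3x^2 + 4x^3 (constructed)
    a, s = 5, secrets.randbelow(R)   # s: the secret point a trusted setup hides
    print("f(a) =", evaluate(f, a))
    print("honest opening:", honest_opening_passes(f, a, s))
    print("forgery, s unknown:", forgery_passes(f, a, 587, 42, s))
    print("forgery, s leaked:", forgery_passes(f, a, 587, s, s))
```

In the real scheme the verifier never sees f(s) or t(s) as field elements, only f(s)P and t(s)P, and the pairing computes the same product in the exponent; a prover who knows s can still produce the forged t'(s)P directly as a scalar multiple of P, which is why the setup secret is called toxic waste.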

  45. Supplement: Multi-Party Trusted Setup
    A random number generated in a trusted setup (toxic waste) must not be
    revealed either to a prover or to a verifier.
    The trusted setup is performed by multiple parties so that the toxic
    waste is never recovered unless all participants are compromised.

  46. Supplement: Multi-Party Trusted Setup
    [Diagram: four participants with secrets $s_1, s_2, s_3, s_4$ update the
    SRS in turn; the example SRS holds powers up to 2 in both groups, and
    participant $j$ multiplies the $k$-th power element by $s_j^k$]
    After participant 1: $\mathbb{G}_1$: $s_1 P,\ s_1^2 P$; $\mathbb{G}_2$: $s_1 Q,\ s_1^2 Q$
    After participant 2: $\mathbb{G}_1$: $s_2 s_1 P,\ s_2^2 s_1^2 P$; $\mathbb{G}_2$: $s_2 s_1 Q,\ s_2^2 s_1^2 Q$
    After participant 3: $\mathbb{G}_1$: $s_3 s_2 s_1 P,\ s_3^2 s_2^2 s_1^2 P$; $\mathbb{G}_2$: $s_3 s_2 s_1 Q,\ s_3^2 s_2^2 s_1^2 Q$
    After participant 4: $\mathbb{G}_1$: $s_4 s_3 s_2 s_1 P,\ s_4^2 s_3^2 s_2^2 s_1^2 P$; $\mathbb{G}_2$: $s_4 s_3 s_2 s_1 Q,\ s_4^2 s_3^2 s_2^2 s_1^2 Q$
    The final secret is $s = s_4 s_3 s_2 s_1$.
    If at least one participant destroys his random number, the toxic waste
    $s$ is never recovered.

    View Slide

  47. Supplement: Multi-Party Trusted Setup
    (The diagram of slide 46, repeated.)

    View Slide

  48. In Plonk [GWC19]…
    1. Arithmetic Circuit / RAM Program (manual)
    2. Constraints (semi-automatic)
    3. Polynomial / Inner Product (automatic)

  49. Gate Constraint
    (The five gate equations of slide 13, repeated.)

  50. index Q_L Q_R Q_M Q_C Q_O
    1 0 0 1 0 -1
    2 0 0 1 0 -1
    3 1 0 0 -5 0
    4 0 0 1 0 -1
    5 1 1 0 0 -1
    6 0 0 1 0 -1
    Gate Constraint
    The values of the parameters for each constraint are
    summarized in the below table.


  51. Gate Constraint -> Polynomial
    Read each parameter column of the table on slide 50 as a function of
    the index: $Q_L(i), Q_R(i), Q_M(i), Q_C(i), Q_O(i)$.


  53. Gate Constraint -> Polynomial
    N constraints
    -> N points through which the polynomial passes
    -> a polynomial of degree N-1 (the unique one through those N points)

  55. Gate Constraint -> Polynomial
    Let $\omega$ be a primitive $n$-th root of unity. For all $i \in \{0, \dots, n-1\}$,
    $Q_L(\omega^i) = Q_{Li}$, $Q_R(\omega^i) = Q_{Ri}$, $Q_M(\omega^i) = Q_{Mi}$,
    $Q_C(\omega^i) = Q_{Ci}$, $Q_O(\omega^i) = Q_{Oi}$.
    The above polynomials are built beforehand because they do not depend
    on the witness.

  56. Gate Constraint -> Polynomial
    Let $\omega$ be a primitive $n$-th root of unity. For all $i \in \{0, \dots, n-1\}$,
    $x_L(\omega^i) = x_{Li}$, $x_R(\omega^i) = x_{Ri}$, $x_O(\omega^i) = x_{Oi}$.
    The above polynomials are built for each proof.

  57. Gate Constraint -> Polynomial
    For all $i \in \{0, \dots, n-1\}$,
    $Q_L(\omega^i) x_L(\omega^i) + Q_R(\omega^i) x_R(\omega^i) + Q_M(\omega^i) x_L(\omega^i) x_R(\omega^i) + Q_C(\omega^i) + Q_O(\omega^i) x_O(\omega^i) = 0$
    $\iff$ $\{x_{Li}, x_{Ri}, x_{Oi}\}_{i \in \{0, \dots, n-1\}}$ satisfies all $n$ constraints.

  58. Copy Constraint
    For all $Y, Z \in F_r$,
    $\prod_{i=1}^{n} (x_i + iY + Z) = \prod_{i=1}^{n} (x_i + \sigma(i)Y + Z)$

  59. Copy Constraint
    Instead of requiring the identity for all $Y, Z \in F_r$, uniformly sample
    $\beta, \gamma \in F_r$ and check
    $\prod_{i=1}^{n} (x_i + i\beta + \gamma) = \prod_{i=1}^{n} (x_i + \sigma(i)\beta + \gamma)$
    The Schwartz-Zippel Lemma guarantees that it remains secure.

  60. Copy Constraint -> Polynomial
    Let $H = \{1, \omega, \omega^2, \dots, \omega^{n-1}\}$ and choose $k_1, k_2 \in F_r$
    such that $k_1 H \ne H$, $k_2 H \ne H$, $k_1 H \ne k_2 H$ [GWC19]
    (so that $H$, $k_1 H$ and $k_2 H$ are three disjoint cosets).
    Index corresponding to $x_L$ -> $\omega^i$
    Index corresponding to $x_R$ -> $k_1 \omega^i$
    Index corresponding to $x_O$ -> $k_2 \omega^i$

  61. Copy Constraint -> Polynomial
    Accumulator $Z(x)$ of copy constraints [GWC19]:
    $Z(1) = 1$
    $Z(\omega^{i+1}) = Z(\omega^i) \cdot \frac{(x_L(\omega^i) + \beta\omega^i + \gamma)(x_R(\omega^i) + \beta k_1 \omega^i + \gamma)(x_O(\omega^i) + \beta k_2 \omega^i + \gamma)}{(x_L(\omega^i) + \beta\sigma(i) + \gamma)(x_R(\omega^i) + \beta\sigma(n+i) + \gamma)(x_O(\omega^i) + \beta\sigma(2n+i) + \gamma)}$
    (Here $\sigma(j)$ denotes the coset element $\omega^{i'}$, $k_1 \omega^{i'}$ or
    $k_2 \omega^{i'}$ of the wire position that position $j$ is copied from.)

  62. Copy Constraint -> Polynomial
    Verification of the accumulator $Z(x)$ [GWC19]:
    $Z(1) \stackrel{?}{=} 1$
    $Z(\omega^{i+1})(x_L(\omega^i) + \beta\sigma(i) + \gamma)(x_R(\omega^i) + \beta\sigma(n+i) + \gamma)(x_O(\omega^i) + \beta\sigma(2n+i) + \gamma)
    \stackrel{?}{=} Z(\omega^i)(x_L(\omega^i) + \beta\omega^i + \gamma)(x_R(\omega^i) + \beta k_1 \omega^i + \gamma)(x_O(\omega^i) + \beta k_2 \omega^i + \gamma)$
    for all $i \in \{0, \dots, n-1\}$.

  63. Copy Constraint -> Polynomial
    Verification of the accumulator $Z(x)$ [GWC19], the case $i = n - 1$:
    since $\omega^{i+1} = \omega^n = 1$ and $Z(1) = 1$, the factor $Z(\omega^{i+1})$
    disappears and the step reads
    $(x_L(\omega^i) + \beta\sigma(i) + \gamma)(x_R(\omega^i) + \beta\sigma(n+i) + \gamma)(x_O(\omega^i) + \beta\sigma(2n+i) + \gamma)
    \stackrel{?}{=} Z(\omega^i)(x_L(\omega^i) + \beta\omega^i + \gamma)(x_R(\omega^i) + \beta k_1 \omega^i + \gamma)(x_O(\omega^i) + \beta k_2 \omega^i + \gamma)$

  64. Copy Constraint -> Polynomial
    Multiplying the $n$ step equations together, every $Z(\omega^i)$ cancels
    (the product telescopes, with $Z(\omega^n) = Z(1) = 1$), leaving
    $\prod_{i=0}^{n-1} (x_L(\omega^i) + \beta\sigma(i) + \gamma)(x_R(\omega^i) + \beta\sigma(n+i) + \gamma)(x_O(\omega^i) + \beta\sigma(2n+i) + \gamma)
    \stackrel{?}{=} \prod_{i=0}^{n-1} (x_L(\omega^i) + \beta\omega^i + \gamma)(x_R(\omega^i) + \beta k_1 \omega^i + \gamma)(x_O(\omega^i) + \beta k_2 \omega^i + \gamma)$

  65. Copy Constraint -> Polynomial
    $\prod_{i=0}^{n-1} (x_L(\omega^i) + \beta\sigma(i) + \gamma)(x_R(\omega^i) + \beta\sigma(n+i) + \gamma)(x_O(\omega^i) + \beta\sigma(2n+i) + \gamma)$
    (accumulator with variable swapping)
    $\stackrel{?}{=} \prod_{i=0}^{n-1} (x_L(\omega^i) + \beta\omega^i + \gamma)(x_R(\omega^i) + \beta k_1 \omega^i + \gamma)(x_O(\omega^i) + \beta k_2 \omega^i + \gamma)$
    (accumulator without variable swapping)
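The polynomial encoding of slides 55 to 65 for the same three-gate circuit of slides 17 and 18 (padded to n = 4 gates), as an added Python example (not code from the slides or from the PlonK paper). Interpolation over H and the cosets k1 H, k2 H follow slide 60; the gate identity is checked as divisibility by X^n − 1, which is the polynomial form of "vanishes at every ω^i", and the copy constraints through the accumulator of slide 61. The field, the witness, k1 = 2, k2 = 3 and the fixed challenges are constructed for the example.

```python
# Scalar field order r of BN254 (alt_bn128).
R = 21888242871839275222246405745257275088548364400416034343698204186575808495617
N = 4                       # 3 real gates + 1 padding gate: n must divide r - 1
K1, K2 = 2, 3               # coset representatives for x_R and x_O (slide 60)

# Selector rows (Q_L, Q_R, Q_M, Q_C, Q_O) per gate for y = a*b + c*d
# (slides 17-18): gates 1 and 2 multiply, gate 3 adds, gate 4 is padding.
SELECTORS = [(0, 0, 1, 0, -1), (0, 0, 1, 0, -1), (1, 1, 0, 0, -1), (0, 0, 0, 0, 0)]
# Wire positions 0..3 = x_L, 4..7 = x_R, 8..11 = x_O. sigma swaps
# xL3 <-> xO1 (positions 2, 8) and xR3 <-> xO2 (positions 6, 9).
SIGMA = [0, 1, 8, 3, 4, 5, 9, 7, 2, 6, 10, 11]


def root_of_unity(n):
    """A primitive n-th root of unity in F_r (n a power of two dividing r - 1)."""
    for g in range(2, 1000):
        w = pow(g, (R - 1) // n, R)
        if pow(w, n // 2, R) != 1:          # order is exactly n, not a divisor
            return w
    raise ValueError("no generator found")


def cosets_disjoint(k1, k2, n):
    """k H = H iff k^n = 1, and k1 H = k2 H iff (k2/k1)^n = 1 iff k1^n = k2^n."""
    p1, p2 = pow(k1, n, R), pow(k2, n, R)
    return p1 != 1 and p2 != 1 and p1 != p2


def interpolate(values, w):
    """Coefficients of the unique degree < n polynomial p with p(w^i) = values[i]
    (inverse DFT over H; slides 53-56)."""
    n, w_inv = len(values), pow(w, R - 2, R)
    n_inv = pow(n, R - 2, R)
    return [n_inv * sum(v * pow(w_inv, i * k, R) for i, v in enumerate(values)) % R
            for k in range(n)]


def evaluate(p, x):
    acc = 0
    for c in reversed(p):
        acc = (acc * x + c) % R
    return acc


def poly_mul(p, q):
    out = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] = (out[i + j] + a * b) % R
    return out


def poly_add(*ps):
    out = [0] * max(len(p) for p in ps)
    for p in ps:
        for i, c in enumerate(p):
            out[i] = (out[i] + c) % R
    return out


def vanishes_on_h(p, n):
    """p mod (X^n - 1), folding X^k onto X^(k mod n): zero iff p(w^i) = 0 for
    all i, i.e. iff Z_H(X) = X^n - 1 divides p."""
    folded = [0] * n
    for k, c in enumerate(p):
        folded[k % n] = (folded[k % n] + c) % R
    return all(c == 0 for c in folded)


def gate_identity_holds(xl, xr, xo, w):
    """Q_L x_L + Q_R x_R + Q_M x_L x_R + Q_C + Q_O x_O, as a polynomial,
    vanishes on H (slide 57)."""
    ql, qr, qm, qc, qo = (interpolate([row[j] % R for row in SELECTORS], w)
                          for j in range(5))
    pl, pr, po = (interpolate(v, w) for v in (xl, xr, xo))
    g = poly_add(poly_mul(ql, pl), poly_mul(qr, pr),
                 poly_mul(qm, poly_mul(pl, pr)), qc, poly_mul(qo, po))
    return vanishes_on_h(g, len(xl))


def accumulator(xl, xr, xo, w, beta, gamma):
    """Running product Z of slide 61. Returns (Z(w^0..w^n), prod num, prod den);
    Z(w^n) = 1, i.e. the two products agree, iff all copies hold (slide 65)."""
    n = len(xl)
    x = list(xl) + list(xr) + list(xo)
    ident = [pow(w, i, R) for i in range(n)]
    ident = ident + [K1 * v % R for v in ident] + [K2 * v % R for v in ident]
    num = den = 1
    z = [1]
    for i in range(n):
        for j in (i, n + i, 2 * n + i):
            num = num * (x[j] + beta * ident[j] + gamma) % R
            den = den * (x[j] + beta * ident[SIGMA[j]] + gamma) % R
        z.append(num * pow(den, R - 2, R) % R)
    return z, num, den


def copy_constraints_hold(xl, xr, xo, w, beta, gamma):
    _, num, den = accumulator(xl, xr, xo, w, beta, gamma)
    return num == den


if __name__ == "__main__":
    w = root_of_unity(N)
    assert cosets_disjoint(K1, K2, N)
    honest = ([3, 5, 12, 0], [4, 6, 30, 0], [12, 30, 42, 0])   # 3*4 + 5*6 = 42
    cheat = ([3, 5, 13, 0], [4, 6, 30, 0], [12, 30, 43, 0])    # gates ok, copy broken
    for name, wit in (("honest", honest), ("cheat", cheat)):
        print(name, "gates:", gate_identity_holds(*wit, w),
              "copies:", copy_constraints_hold(*wit, w, 7, 11))
```

The `cosets_disjoint` check is the practical form of the condition on slide 60: k lies in H exactly when k^n = 1, so a representative that fails this test would make two wire columns share index values and let a prover swap wires between columns undetected.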

  66. Problem Conversion in Plonk
    1. Arithmetic Circuit / RAM Program
    2. Constraints
    3. Polynomial / Inner Product

  67. Arithmetic Circuit
    [Diagram: the circuit of slide 7, with Input 1 … Input 6, multiplication
    gates (×), addition gates (+) and one Output]

  68. Constraints
    Gate Constraints:
    $Q_L X_L + Q_R X_R + Q_M X_L X_R + Q_C + Q_O X_O = 0$
    Copy Constraints:
    $\prod_{i=1}^{n} (x_i + i\beta + \gamma) = \prod_{i=1}^{n} (x_i + \sigma(i)\beta + \gamma)$

  69. Polynomial
    Gate Constraints: for all $i$,
    $Q_L(\omega^i) x_L(\omega^i) + Q_R(\omega^i) x_R(\omega^i) + Q_M(\omega^i) x_L(\omega^i) x_R(\omega^i) + Q_C(\omega^i) + Q_O(\omega^i) x_O(\omega^i) = 0$
    Copy Constraints: for all $i$,
    $Z(\omega^{i+1})(x_L(\omega^i) + \beta\sigma(i) + \gamma)(x_R(\omega^i) + \beta\sigma(n+i) + \gamma)(x_O(\omega^i) + \beta\sigma(2n+i) + \gamma)
    = Z(\omega^i)(x_L(\omega^i) + \beta\omega^i + \gamma)(x_R(\omega^i) + \beta k_1 \omega^i + \gamma)(x_O(\omega^i) + \beta k_2 \omega^i + \gamma)$

  70. Kate Commitment
    Alice -> Bob: $f(s)P$   [Commitment]
    Alice -> Bob: $a$, $z$, $t(s)P = \frac{f(s) - z}{s - a} P$   [Opening]

  71. Reference
    • [Oka19] Tatsuaki Okamoto (岡本 龍明). 現代暗号の誕生と発展: ポスト量子暗号・仮想通貨・新しい暗号 (The Birth and Development of Modern Cryptography: Post-Quantum Cryptography, Cryptocurrencies and New Ciphers). Kindai Kagaku Sha, 2019. (In Japanese.)
    • [GWC19] Ariel Gabizon, Zachary J. Williamson, and Oana Ciobotaru. PlonK: Permutations over Lagrange-bases for Oecumenical Noninteractive arguments of Knowledge. IACR Cryptology ePrint Archive, Report 2019/953, 2019.
    • [But19] Vitalik Buterin. Understanding PLONK. https://vitalik.ca/index.html, 2019 (accessed 09/03/2021).
    • [KZG10] Aniket Kate, Gregory M. Zaverucha, and Ian Goldberg. Constant-size commitments to polynomials and their applications. In International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT), pp. 177-194. Springer, Berlin, Heidelberg, 2010.
    • [Fei20] Dankrad Feist. KZG polynomial commitments. https://dankradfeist.de/ethereum/2020/06/16/kate-polynomial-commitments.html, 2020 (accessed 09/03/2021).
    • [Har11] Nick Harvey. CPSC 536N: Randomized Algorithms, Lecture 9. https://www.cs.ubc.ca/~nickhar/W12/Lecture9Notes.pdf, 2011 (accessed 09/04/2021).
    • [Ll21] Star Li. ZKP: PlonK Algorithm Introduction. https://starli.medium.com/zkp-plonk-algorithm-introduction-834556a32a, 2021 (accessed 09/03/2021).
    • [Fit20] Joshua Fitzgerald. PLONK by Hand (Part 1: Setup). Metastate. https://research.metastate.dev/plonk-by-hand-part-1/, 2020 (accessed 09/03/2021).
    • [ASTTM16] Seigo Arita, Ryuichi Sakai, Kohtaro Tadaki, Jinhui Chao, and Kazuto Matsuo (有田 正剛, 境 隆一, 只木 孝太郎, 趙 晋輝, 松尾 和人). 暗号理論と楕円曲線 (Cryptography Theory and Elliptic Curves). Morikita Publishing, 2016. (In Japanese.)
    • [Gro16] Jens Groth. On the Size of Pairing-based Non-interactive Arguments. In Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT), pp. 305-326. Springer, Berlin, Heidelberg, 2016.
    • [BBB18] Benedikt Bünz et al. Bulletproofs: Short Proofs for Confidential Transactions and More. In 2018 IEEE Symposium on Security and Privacy (SP), pp. 315-334. IEEE, 2018.
    • [BBH18] Eli Ben-Sasson et al. Scalable, transparent, and post-quantum secure computational integrity. Cryptology ePrint Archive, 2018.
    • [SP19] Kineret Segal and Shir Peled. Arithmetization I. StarkWare, Medium. https://medium.com/starkware/arithmetization-i-15c046390862, 2019 (accessed 05/25/2022).

  72. Reference
    • [CW18] Antonio Salazar Cardozo and Zachary Williamson. EIP-1108: Reduce alt_bn128 precompile gas costs. https://eips.ethereum.org/EIPS/eip-1108, 2018 (accessed 05/25/2022).
    • [Tor22] Tornado Cash. tornado-core. https://github.com/tornadocash/tornado-core, 2022 (accessed 04/25/2022).
    • [Azt22] Aztec. Aztec homepage. https://aztec.network/, 2022 (accessed 05/25/2022).
    • [Mor] Monero. Moneropedia: Bulletproofs. https://web.getmonero.org/resources/moneropedia/bulletproofs.html, n.d. (accessed 05/25/2022).
    • [Zca] Zcash. What are zk-SNARKs? https://z.cash/technology/zksnarks/, n.d. (accessed 05/25/2022).
    • [Pom19] poma. Benchmark: Circom vs Bellman (wasm) in Chrome on Mobile. Ethereum Research. https://ethresear.ch/t/benchmark-circom-vs-bellman-wasm-in-chrome-on-mobile/5261, 2019 (accessed 05/26/2022).
    • [PSS19] A. Pertsev, R. Semenov, and R. Storm. Tornado Cash Privacy Solution, Version 1.4. https://tornado.cash/audits/TornadoCash_whitepaper_v1.4.pdf, 2019 (accessed 05/26/2022).
    • [But22] Vitalik Buterin. How do trusted setups work? https://vitalik.ca/general/2022/03/14/trustedsetup.html, 2022 (accessed 06/01/2022).