Table of Contents

1. Source: Quadratic Arithmetic Programs: from Zero to Hero by Vitalik Buterin

A way of representing any computational problem with a polynomial equation that is much more amenable to various forms of mathematical trickery.

In zero-knowledge proofs, especially in zk-SNARKs, we often start with a statement of the form "I know a witness (\( s \)) such that a certain NP relation is satisfied." For arithmetic circuits, we represent this statement as a set of constraints (an R1CS). However, verifying the R1CS directly can be cumbersome. Therefore, we convert R1CS into a form called a Quadratic Arithmetic Program (QAP), which is a set of polynomials and more naturally lends itself to succinct and non-interactive proofs.

Please note that the "Quadratric" in QAP doesn't refer to the degree of polynomials being strictly 2, as in the mathematical definition of a quadratic function. The "quadratic" part refers to the structure of the equations that QAPs encode, which is a quadratic relationship, so-called pairwise multiplicative.

1.1. Problem Statement

  • We want to prove knowledge of a secret \( x \) such that: \[ x^3 + x + 5 = 35. \]
  • In this example, \( x = 3 \).

1.2. Flattening the Computation

The first step is to "flatten" the original expression into simple operations: 

sym_1 = x * x      ;; intermediate variable storing x^2
y     = sym_1 * x  ;; y = x^3
sym_2 = y + x      ;; sym_2 = x^3 + x
~out  = sym_2 + 5  ;; ~out = x^3 + x + 5

Here, we label new intermediate variables as `sym1`, `y`, and `sym2`.

1.3. Rank-1 Constraint System (R1CS)

We convert the above into a set of R1CS constraints of the form: \[ (s \cdot a) \times (s \cdot b) - (s \cdot c) = 0 \] where \( s \) is the full assignment vector (secrect witness).

1.3.1. Variables

We have 6 variables in total:

  1. \( ~one \) (a constant set to 1)
  2. \( x \)
  3. \( ~out \)
  4. \( sym_1 \)
  5. \( y \)
  6. \( sym_2 \)

The final solution vector is: 

s = [1, 3, 35, 9, 27, 30]

Explanation:

  • \( ~one = 1 \)
  • \( x = 3 \)
  • \( ~out = 35 \)
  • \( sym_1 = x^2 = 9 \)
  • \(y = x^3 = 27 \)
  • \(sym_2 = x^3 + x = 30 \)

1.3.2. R1CS Matrices

We form three matrices A, B, C such that each constraint is of the form \( (A_i ⋅ s) * (B_i ⋅ s) - (C_i ⋅ s) = 0 \).

  • Constraint 1 \( ( sym_1 = x * x) \):
    • \( a = [0, 1, 0, 0, 0, 0] \)
    • \( b = [0, 1, 0, 0, 0, 0] \)
    • \( c = [0, 0, 0, 1, 0, 0] \)
  • Constraint 2 \( (y = sym_1 * x) \):
    • \( a = [0, 0, 0, 1, 0, 0] \)
    • \( b = [0, 1, 0, 0, 0, 0] \)
    • \( c = [0, 0, 0, 0, 1, 0] \)
  • Constraint 3 \( (sym_2 = y + x) \):
    • \( a = [0, 1, 0, 0, 1, 0] \)
    • \( b = [1, 0, 0, 0, 0, 0] \)
    • \( c = [0, 0, 0, 0, 0, 1] \)
  • Constraint 4 \( (~out = sym_2 + 5) \):
    • \( a = [5, 0, 0, 0, 0, 1] \)
    • \( b = [1, 0, 0, 0, 0, 0] \)
    • \( c = [0, 0, 1, 0, 0, 0] \)

For example, for secrect witnes \(s = [1, 3, 35, 9, 27, 30] \), if we pick \(i = 1\):

  • \( a_1 = [0, 1, 0, 0, 0, 0] \)
  • \( b_1 = [0, 1, 0, 0, 0, 0] \)
  • \( c_1 = [0, 0, 0, 1, 0, 0] \)

We then have: (a1 ⋅ s) ⋅ (a2 ⋅ s) - (c1 ⋅ s) = 0

The secret witness \(s\) also represents the correct intermediate steps (value of inter-variables) during the entire computation.

1.3.3. Combined Matrices

Writing them out as full matrices:

A: 

[0 1 0 0 0 0]
[0 0 0 1 0 0]
[0 1 0 0 1 0]
[5 0 0 0 0 1]

B: 

[0 1 0 0 0 0]
[0 1 0 0 0 0]
[1 0 0 0 0 0]
[1 0 0 0 0 0]

C: 

[0 0 0 1 0 0]
[0 0 0 0 1 0]
[0 0 0 0 0 1]
[0 0 1 0 0 0]

1.4. From R1CS to QAP

The next step is transforming these matrices into polynomial form via Lagrange interpolation.

1.4.1. Interpolation of Each Column

  • For each column j of A, B, and C, we collect the values at rows x = 1..4, and use Lagrange interpolation to form the polynomial \( A_j(x) \), \( B_j(x) \), \( C_j(x) \).
  • Example: for the first column in A: \[ A_1(1) = 0,\ A_1(2) = 0,\ A_1(3) = 0,\ A_1(4) = 5. \] Interpolate these points to get a degree-3 polynomial.

1.4.2. Final Polynomials

After interpolation, we have sets of polynomials \( A_j(x) \), \( B_j(x) \), \( C_j(x) \). Each set has 6 polynomials (one for each variable in \( s \)). 

A polynomials
[-5.0, 9.166, -5.0, 0.833]
[8.0, -11.333, 5.0, -0.666]
[0.0, 0.0, 0.0, 0.0]
[-6.0, 9.5, -4.0, 0.5]
[4.0, -7.0, 3.5, -0.5]
[-1.0, 1.833, -1.0, 0.166]
B polynomials
[3.0, -5.166, 2.5, -0.333]
[-2.0, 5.166, -2.5, 0.333]
[0.0, 0.0, 0.0, 0.0]
[0.0, 0.0, 0.0, 0.0]
[0.0, 0.0, 0.0, 0.0]
[0.0, 0.0, 0.0, 0.0]
C polynomials
[0.0, 0.0, 0.0, 0.0]
[0.0, 0.0, 0.0, 0.0]
[-1.0, 1.833, -1.0, 0.166]
[4.0, -4.333, 1.5, -0.166]
[-6.0, 9.5, -4.0, 0.5]
[4.0, -7.0, 3.5, -0.5]

1.5. Constructing P(x)

Once we have: \[ A(s, x) = \sum_{j=1}^n s_j A_j(x),\quad B(s, x) = \sum_{j=1}^n s_j B_j(x),\quad C(s, x) = \sum_{j=1}^n s_j C_j(x), \] we define: \[ P(x) = A(s, x)\cdot B(s, x)\;-\;C(s, x). \] If all the R1CS constraints are satisfied at the points \(x = 1, 2, 3, 4 \), then \(P(x)\) has roots at those four points: \[ P(1) = 0, P(2) = 0, P(3) = 0, P(4) = 0 \] Having thsoe specific points be roots mean the vanishing polynomial: \[ Z(x) = (x - 1)(x - 2)(x - 3)(x - 4). \] must be a factor of \(P(x)\). Equivalently, \[ P(x) = H(x) \cdot Z(x) \] for some other quotent polynomial \(H(x)\), with no remainder (Factorization).

No remainder means there won't have expressions like \(\frac{3}{x^2}\), or formally if: \[ \frac{p(x)}{d(x)} = q(x) + \frac{r(x)}{d(x)} \] We say that the division yields a quotient \(q(x)\) with a remainder \(r(x)\)

Then the prover will send the constructed polynomial equation \(P(x) = H(x) \cdot Z(x) \) to the verifier for further validation.

1.6. Soundness

Once the verifer recieved the polynomial equation, there are two checks need to performed to ensure soundness:

  1. Check \(P(x)\) is correctly formed from the circuit QAP and the valid secrect witness \(s\)

  2. Perform random challenge \(r\) on the recieved polynomial equation:

    If a valid \(P(x)\) only pretents to factorize as \(H(x) Z(x)\) by the prover but really doesn't, the Schwartz-Zippel lemma tells us that for a random \(r \neq 1,2,3,4 \), the probability of: \[ P(r) = H(r) \cdot Z(r) \] accidentally holding is negligible unless \(P(x) - H(x) Z(x)\) is the zero polynomial (which means \( P(x) \) is genuinely divisible by \( Z(x)\)) Another nature conclusion is that: the witness \(s\) is actually the correct value of intermediate variables (or correct value after each constrains) So if prover knows the correct \(s\) that can pass the random challenge, it can also perfectly prove that the prover perfoms the correct computation that satisfy each constrains, This effectively prove the correctness of the entire circuit.

For 1, the verifier doesn't want to (or can't) reconstruct \(P(x)\) itself for large circuit (even if \(s\) is being revealed, that would be expensive), hence, pairings Elliptic Curves in zk-SNARKs brings cryptographic machinery ensure the verifier can be confident that \(P(x)\) is formed correctly from the circuit and check polynomial identity at a single random point r with much lower ovearhead.

2. Source: Exploring Elliptic Curve Pairings by Vitalik Buterin

2.2. Notion of Pairings and Trapdoor Fuction: RSA

Ron Rivest, Adi Shamir and Leonard Adleman developed the RSA encryption algorithm in 1977.

2.2.1. Generate Public & Private Keys:

  1. Choose two large, random secret prime numbers: \( p, q \).
  2. Compute \( n := p × q \).
  3. Choose \( e \): a relatively small (often fixed) integer that is coprime with \( (p-1)(q-1) \).
  4. Compute d such that:

\[ d \times e \equiv 1 \pmod{(p-1)(q-1)} \] After that, the Private Key is d and Public Key is \( (e, n) \).

2.2.2. Encrypt & Decrypt:

  1. Encryption

    When we encrypt a message m, we compute: \( c = m^e \pmod{n} \)

  2. Decryption

    To decrypt, we compute: \( D(c) = c^d \pmod{n} \)

2.2.3. Mathematical Backbone:

Basically, the mathmatical backbone of this encryption algorithm are follows:

  1. i. Euler's Theroem

    Euler's Theorem ensures that the encryption and decryption process is correct. It gives us a rigorous proof that decrypting after encrypting returns the original message without leaking the private key. Euler's Theorem says that if \( gcd(m, n) = 1 \) (m and n are co-prime) then: \( m^phi(n) == 1 (\pmod{n}) \). The \( \phi(n) \) here, which is called Euler's totient of n, counts how many integers from 1 up to n-1 are coprime to n. (The breakability of number n) Since here n can be factorized into \( p \times q \), the number of integers coprime to n ends up being \( (p-1)(q-1) \).

    The math of Euler's Theorem ensures that no matter what message m you start with, encrypting with e, n and then decrypting with d returns m. By choosing d and e so that: \[ d \times e \equiv 1 \pmod{\phi(n)} \]

    we have: \[ m^{e d} = m^{1 + k \phi(n)} = m \times m^{k \phi(n)} \equiv m \times 1 = m \pmod{n} \]

    This ensures that: Encrypting \(m^e \mod{n} \) and then decrypting \(c^d \mod{n}\) returns the original message m.

  2. ii. Large Number Cannot be Factorized Efficiently (Trapdoor Function)

    The trapdoor function ensures that even though every one knows n and e, they cannot comopute d (the "key" to decrypt) without factoring n. The difficulty in factoring large numbers makes RSA safe to use in practice.

2.2.4. Multiplicative Homomorphic Property of RSA

One of the remarkable features of RSA is that it is multiplicatively homomorphic. This property allows certain computations to be performed directly on encrypted data without needing to decrypt it first.

  1. Homomorphic Encryption Basics
    • Homomorphic Operations: Two operations are homomorphic if applying them in either order yields the same result.
    • Homomorphic Encryption: Enables computations on ciphertexts that correspond to meaningful operations on the plaintexts.
  2. Multiplicative Homomorphism in RSA

    For RSA, the homomorphic property specifically pertains to multiplication. Formally, this can be expressed as:

    \[ E(x) \times E(y) \equiv E(x \times y) \pmod{n} \]

    Where:

    • \( E(m) = m^e \mod n \) is the RSA encryption function.
    • \( x \) and \( y \) are plaintext messages.
    • \( n \) is the RSA modulus.
  3. Step-by-Step Explanation
    1. Encryption of Two Messages:
      • Encrypt message \( x \): \[ E(x) = x^e \mod n \]
      • Encrypt message \( y \): \[ E(y) = y^e \mod n \]
    2. Multiplying the Ciphertexts: \[ E(x) \times E(y) = (x^e \mod n) \times (y^e \mod n) \mod n \] Since multiplication is distributive over modular arithmetic: \[ E(x) \times E(y) \equiv x^e \times y^e \mod n \] \[ E(x) \times E(y) \equiv (x \times y)^e \mod n \]
    3. Encryption of the Product:
      • Encrypt the product \( x \times y \): \[ E(x \times y) = (x \times y)^e \mod n \]
    4. Equivalence: \[ E(x) \times E(y) \equiv E(x \times y) \mod n \] This shows that multiplying the ciphertexts \( E(x) \) and \( E(y) \) results in the ciphertext of the product \( E(x \times y) \).
  4. Implications for Zero-Knowledge Proofs

    This homomorphic property allows for zero-knowledge proofs of multiplication. Here's how it works:

    1. Prover's Knowledge:
      • The prover knows secret values \( x \) and \( y \).
      • The prover computes their product \( x \times y \).
    2. Prover Sends Encrypted Values:
      • \( a = E(x) \)
      • \( b = E(y) \)
      • \( c = E(x \times y) \)
    3. Verifier's Check:
      • The verifier checks if: \[ (a \times b) \mod n \equiv c \mod n \]
      • If the equality holds, the verifier is convinced that \( c \) is indeed the encryption of \( x \times y \).
    4. Privacy Preserved:
      • The verifier learns only the encrypted product \( c \).
      • The actual values of \( x \), \( y \), and \( x \times y \) remain hidden.

    To ensure robustness, the prover must also prove - without revealing \( x \) that \(a\) really is the encryption of some valid plaintext \(x \) and so on. To ensure that each ciphertext really corresponds to a well-defined plaintext Here is an example of a Zero-Knowledge Proof:

    Example for Robustness: Prover try to convinces Verifier that "I know a \( x \) for which \( a = x^e \mod{n} \)." without revealing \( x \).

    1. 1. Setting
      • RSA modulus: \( n \) (unknown factorization).
      • Public exponent: \( e \).
      • Ciphertext: \( a \equiv x^e \pmod{n} \).
      • Prover knows \( x \), wants to prove \( a = x^e \pmod{n} \) without revealing \( x \).
      • Verifier knows \(n \), \( e \), and \( a \).
    2. 2. Protocol Outline
      1. Prover picks a random \( r \) in \([1, n-1] \) and computes: \( T := r^e \mod{n} \), After that prover sends \( T \) to Verifier.
      2. Verifier chooses a random challenge \( c \) and sends it to Prover.
      3. Prover computes: \( z := r * (x^c) \mod{n} \), And then Prover sends \( z \) to Verifier.
      4. Verifier checks: \( z^e = T * a^c \pmod{n} \)
    3. 3. Why It Works
      • Expand the left side: \( z^e = (r * x^c)^e = r^e * x^{c e} \).
      • Expand the right side: \( T * a^c = (r^e) * (x^e)^c = r^e * x^{e c} \).
      • Since both expansions are \( r^e * x^{c e} \), equality holds exactly if \( a \equiv x^e \mod{n} \).
    4. 4. Zero-Knowledge Aspect
      • Prover never reveals \( x \); only sends random \( T \) and the response \( z \).
      • The random \( r \) hides \( x \) from the Verifier.
      • If Prover did not know \( x \), producing correct \( z \) for a random \( c \) would be infeasible.
      • Verifier gains no information about \( x \) itself - only the certainty that Prover knows it.
  5. Connection to zk-SNARKs and Elliptic Curves
    • Zero-Knowledge Proofs: The ability to prove computations on encrypted data without revealing the data itself is foundational for zero-knowledge proofs.
    • Elliptic Curves in zk-SNARKs: While RSA uses multiplicative groups, zk-SNARKs often leverage the algebraic structure of elliptic curves to achieve more efficient and versatile proofs.
    • Foundation for Advanced Cryptography: This property is an essential concept that leads to the development and understanding of more sophisticated systems like zk-SNARKs, which utilize different mathematical structures for enhanced functionality.

2.3. Core Security of Elliptic Curves: The Trapdoor Function

2.3.1. Forward Computation

  • Scalar Multiplication: Given a base point \( G \) on an elliptic curve and a scalar \( p \), computing \( P = pG \) is efficient.
    • Efficiency: This operation is performed in \( O(\log n) \) time, making it practical even for large \( p \) (e.g., a 256-bit number).
    • Methods Used: Techniques like double-and-add are employed to speed up computations.

2.3.2. Inverse Problem: Elliptic Curve Discrete Logarithm Problem (ECDLP)

  • Hardness: Given \( P \) and \( G \), finding the scalar \( p \) such that \( P = pG \) is computationally infeasible.
    • Brute-Force Infeasibility:
      • For a 256-bit key, there are \( 2^{256} \) possible values of \( p \).
      • Total computation time would be \( O(2^{256} \times 256) \), which is practically impossible to perform.
    • Security Basis: This hardness forms the "trapdoor" function that underpins the security of elliptic curve cryptography (ECC).

2.4. Elliptic Curves in zk-SNARKs

2.4.1. Zero-Knowledge Proofs of Calculations

  • Objective: Prove that a computation is correct (e.g., \( 5p + 7q = 11r \)) without revealing the actual values of \( p \), \( q \), or \( r \).
  • Importance in zk-SNARKs: These proofs allow for privacy-preserving verification of computations, which is essential in zero-knowledge protocols.

2.4.2. Properties Leveraged

  1. Linear Verification with Traditional ECC
    • Linear Relationships:
      • Given:
        • \( P = pG \)
        • \( Q = qG \)
        • \( R = rG \)
      • Verification:
        • Check if \( 5P + 7Q = 11R \).
        • This corresponds to verifying \( 5p + 7q = 11r \) without knowing \( p \), \( q \), or \( r \).
    • Why It Works:
      • Point Addition and Scalar Multiplication:
        • Elliptic curve operations preserve linear relationships.
      • Security Aspect:
        • Due to the ECDLP, knowing \( P \), \( Q \), \( R \), or \( G \) doesn't reveal \( p \), \( q \), or \( r \).
  2. Multiplicative Relations Verified with Pairings
    • Pairings on Elliptic Curves:
      • Definition: A pairing \( e \) is a function that maps two points on an elliptic curve to an element in a finite field.
      • Bilinearity Property:
        • \( e(aP, bQ) = e(P, Q)^{ab} \).
        • This property allows the pairing to convert point multiplications into exponentiations.
    • Verifying Multiplicative Relationships:
      • Objective: Verify \( p \times q = r \) without revealing \( p \), \( q \), or \( r \).
      • Given:
        • \( P = pG \)
        • \( Q = qG \)
        • \( R = rG \)
      • Verification Steps:
        1. Compute \( e(P, Q) \):
          • \( e(P, Q) = e(pG, qG) = e(G, G)^{pq} \).
        2. Compute \( e(G, R) \):
          • \( e(G, R) = e(G, rG) = e(G, G)^{r} \).
        3. Compare:
          • If \( e(P, Q) = e(G, R) \), then it follows that \( pq = r \).
      • Explanation:
        • The pairing function's bilinearity translates the multiplicative relationship into a form that can be compared in the finite field.

2.5. Achieving Key Features in zk-SNARKs

  • Zero-Knowledge Proofs:
    • By utilizing the above properties, zk-SNARKs enable one party to prove knowledge of a sotion to a computational problem without revealing any information about the solution itself.
  • Applications:
    • Privacy: Ensures that sensitive data remains confidential.
    • Efficiency: Proofs are succinct and can be verified quickly.
    • Security: Relies on the hardness of the ECDLP and properties of pairings.

Created: 2025-01-22 Wed 19:03

Validate