working on groth16

Sean Bowe 2018-06-21 17:46:30 -06:00
parent b84fcfdb72
commit 9f0912a304
3 changed files with 14 additions and 6 deletions

View File

@ -1,12 +1,12 @@
# zk-SNARKs
[Zero-knowledge proofs](https://en.wikipedia.org/wiki/Zero-knowledge_proof) allow you to demonstrate that you performed a computation correctly without revealing all of the inputs to that computation. We can think of the computation as some $$f(x, w)$$, where the **statement** $$x$$ is known to both the verifier and the prover, but the **witness** $$w$$ is known only to the prover.
[Zero-knowledge proofs](https://en.wikipedia.org/wiki/Zero-knowledge_proof) allow you to demonstrate that you performed a computation correctly without revealing all of the inputs to that computation. We can think of the computation as some $$f(p, w)$$, where the **statement** $$p$$ is known to both the verifier and the prover, but the **witness** $$w$$ is known only to the prover.
The fundamental tool underlying Zcash is an advanced zero-knowledge proof called a **zk-SNARK**. These proofs are only hundreds of bytes long and are inexpensive to verify, even if the underlying computation $$f(x, w)$$ is large in complexity. These proofs are also **non-interactive**: the prover can publish a proof that anyone can verify without interacting with the prover, making them very useful for cryptocurrencies.
The fundamental tool underlying Zcash is an advanced zero-knowledge proof called a **zk-SNARK**. These proofs are only hundreds of bytes long and are inexpensive to verify, even if the underlying computation $$f(p, w)$$ is large in complexity. These proofs are also **non-interactive**: the prover can publish a proof that anyone can verify without interacting with the prover, making them very useful for cryptocurrencies.
zk-SNARKs do come with some downsides, which are being addressed by the Sapling upgrade:
* zk-SNARKs require a setup phase where, for a given computation $$f(x, w)$$, some **public parameters** are constructed. These parameters are needed to create and verify proofs, but if the creator of the parameters "remembers" how they were constructed, they can create false proofs.
* zk-SNARKs require a setup phase where, for a given computation $$f(p, w)$$, some **public parameters** are constructed. These parameters are needed to create and verify proofs, but if the creator of the parameters "remembers" how they were constructed, they can create false proofs.
* Sapling uses a gigantic and public [multi-party computation](https://en.wikipedia.org/wiki/Secure_multi-party_computation) (MPC) ceremony to construct the parameters. In order to corrupt the parameters, a large number of reputable individuals must *all* be colluding in secret or compromised.
* [Pairing-friendly elliptic curves](https://en.wikipedia.org/wiki/Pairing-based_cryptography) are needed, and relatively strong cryptographic assumptions are made.
* Sapling switches to a more secure and more rigid pairing-friendly elliptic curve.
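Review bot: the rename of the statement from $$x$$ to $$p$$ is applied consistently in all three places in this file, but nothing in the text tells the reader why; since the Groth16 page added in this same commit uses $$x$$ for the point at which the QAP is evaluated, a short parenthetical at the first occurrence, e.g. "(we write the statement as $$p$$ so that $$x$$ is free to denote the polynomial variable later)", would keep the pages coherent for someone reading them in order.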

View File

@ -1 +1,9 @@
# Groth16
QAPs allow us to demonstrate that a statement is true with a single identity test:
$$
\langle \textbf{u(x)}, \textbf{z} \rangle \cdot \langle \textbf{v(x)}, \textbf{z} \rangle - \langle \textbf{w(x)}, \textbf{z} \rangle = \langle \textbf{x}^{k-1}, \textbf{h} \rangle \cdot t(x)
$$
In order to achieve zero-knowledge and short proofs, we need the prover to calculate the inner products and send the results to the verifier. However, the prover cannot know the point $$x$$ at which the QAP will be evaluated, or they will be able to find $$h(x)$$ for which the identity holds for any statement.
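Review bot: the bold $$\textbf{w(x)}$$ in the identity collides with the witness $$w$$ used in the sentence right after it and on the R1CS page; consider a different letter for the third QAP polynomial, and bold only the vector name, i.e. $$\textbf{u}(x)$$ rather than $$\textbf{u(x)}$$, so the argument and parentheses are not set in bold. $$\textbf{x}^{k-1}$$ is also used without a definition; if it means the vector of powers $$(1, x, \ldots, x^{k-1})$$ paired with the coefficients $$\textbf{h}$$, say so, and "QAP" has not been introduced anywhere on this page, so a one-line definition or a link to the page that defines it would help.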

View File

@ -11,7 +11,7 @@ In order to explain how zk-SNARKs work, we'll borrow notation common in the Bull
## R1CS
zk-SNARKs are zero-knowledge proofs which allow us to prove that we performed a computation $$f(x, w)$$ over some witness $$w$$ without revealing that witness. We express our computations in the form of arithmetic constraint systems.
zk-SNARKs are zero-knowledge proofs which allow us to prove that we performed a computation $$f(p, w)$$ over some witness $$w$$ without revealing that witness. We express our computations in the form of arithmetic constraint systems.
Given an assignment $$\textbf{z}$$ of variables in $$\mathbb{F}_q$$, a **rank-1 constraint system** is a system of quadratic constraints of the form $$a \cdot b = c$$, where $$a, b, c$$ are linear combinations of our variable assignment. If we always set $$z_0 = 1$$, then these constraint systems can express any bounded computation.
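Review bot: $$f(p, w)$$ writes the statement and witness in plain type, while the satisfying assignment later in this same file writes them as the bold vectors $$\textbf{p}, \textbf{w}$$; since they denote the same objects, pick one convention and use it in both places. The rename itself matches the zk-SNARKs page in this commit, so the three files stay consistent.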
@ -33,10 +33,10 @@ All of the terms of the constraint system are linear combinations of every varia
* $$(\phantom{-}0z_1 + \phantom{-}1z_2 + \phantom{-}0z_3) \cdot (\phantom{-}0z_1 + \phantom{-}1z_2 + \phantom{-}0z_3) = (\phantom{-}0z_1 + \phantom{-}1z_2 + \phantom{-}0z_3)$$
* $$(\phantom{-}2z_1 + \phantom{-}0z_2 + \phantom{-}0z_3) \cdot (\phantom{-}0z_1 + \phantom{-}1z_2 + \phantom{-}0z_3) = (\phantom{-}1z_1 + \phantom{-}1z_2 + -1z_3)$$
Let's begin to describe our constraint system generally, using inner product notation:
Let's begin to describe our constraint system using the inner product notation and coefficients represented by fixed vectors $$\textbf{a}, \textbf{b}, \textbf{c}$$:
* $$\langle \textbf{a}_0, \textbf{z} \rangle \cdot \langle \textbf{b}_0, \textbf{z} \rangle = \langle \textbf{c}_0, \textbf{z} \rangle$$
* $$\langle \textbf{a}_1, \textbf{z} \rangle \cdot \langle \textbf{b}_1, \textbf{z} \rangle = \langle \textbf{c}_1, \textbf{z} \rangle$$
* $$\langle \textbf{a}_2, \textbf{z} \rangle \cdot \langle \textbf{b}_2, \textbf{z} \rangle = \langle \textbf{c}_2, \textbf{z} \rangle$$
Generally, our goal is to demonstrate that we know a satisfying assignment $$\textbf{z} = (1, \textbf{x}, \textbf{w})$$ for which $$\langle \textbf{a}_i, \textbf{z} \rangle \cdot \langle \textbf{b}_i, \textbf{z} \rangle = \langle \textbf{c}_i, \textbf{z} \rangle$$ holds for all $$i$$ given fixed coefficients $$\textbf{a}, \textbf{b}, \textbf{c}$$.
More generally, our goal is to demonstrate that we know a satisfying assignment $$\textbf{z} = (1, \textbf{p}, \textbf{w})$$ for which $$\langle \textbf{a}_i, \textbf{z} \rangle \cdot \langle \textbf{b}_i, \textbf{z} \rangle = \langle \textbf{c}_i, \textbf{z} \rangle$$ holds for all $$i$$ given fixed coefficients $$\textbf{a}, \textbf{b}, \textbf{c}$$. If we can do this without revealing $$\textbf{w}$$, and non-interactively with succinct proofs, we'll have a zk-SNARK.
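Review bot: "coefficients represented by fixed vectors $$\textbf{a}, \textbf{b}, \textbf{c}$$" does not quite match the bullets that follow, where each constraint $$i$$ has its own vectors $$\textbf{a}_i, \textbf{b}_i, \textbf{c}_i$$; $$\textbf{a}$$, $$\textbf{b}$$, $$\textbf{c}$$ are therefore collections of vectors, one per constraint, and it would be clearer to say "fixed vectors $$\textbf{a}_i, \textbf{b}_i, \textbf{c}_i$$ for each constraint" both here and in the closing sentence. The sentence added at the end is a good bridge to the Groth16 page; the worked constraints above still list only $$z_1, z_2, z_3$$ without the $$z_0 = 1$$ slot introduced earlier in the file, which deserves a sentence explaining where it goes in $$\textbf{z} = (1, \textbf{p}, \textbf{w})$$.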