diff --git a/zksnarks/README.md b/zksnarks/README.md index f782885..a314da2 100644 --- a/zksnarks/README.md +++ b/zksnarks/README.md 
@@ -1,12 +1,12 @@ # zk-SNARKs -[Zero-knowledge proofs](https://en.wikipedia.org/wiki/Zero-knowledge_proof) allow you to demonstrate that you performed a computation correctly without revealing all of the inputs to that computation. We can think of the computation as some $$f(x, w)$$, where the **statement** $$x$$ is known to both the verifier and the prover, but the **witness** $$w$$ is known only to the prover. +[Zero-knowledge proofs](https://en.wikipedia.org/wiki/Zero-knowledge_proof) allow you to demonstrate that you performed a computation correctly without revealing all of the inputs to that computation. We can think of the computation as some $$f(p, w)$$, where the **statement** $$p$$ is known to both the verifier and the prover, but the **witness** $$w$$ is known only to the prover. -The fundamental tool underlying Zcash is an advanced zero-knowledge proof called a **zk-SNARK**. These proofs are only hundreds of bytes long and are inexpensive to verify, even if the underlying computation $$f(x, w)$$ is large in complexity. These proofs are also **non-interactive**: the prover can publish a proof that anyone can verify without interacting with the prover, making them very useful for cryptocurrencies. +The fundamental tool underlying Zcash is an advanced zero-knowledge proof called a **zk-SNARK**. These proofs are only hundreds of bytes long and are inexpensive to verify, even if the underlying computation $$f(p, w)$$ is large in complexity. These proofs are also **non-interactive**: the prover can publish a proof that anyone can verify without interacting with the prover, making them very useful for cryptocurrencies. zk-SNARKs do come with some downsides, which are being addressed by the Sapling upgrade: -* zk-SNARKs require a setup phase where, for a given computation $$f(x, w)$$, some **public parameters** are constructed. 
These parameters are needed to create and verify proofs, but if the creator of the parameters "remembers" how they were constructed, they can create false proofs. +* zk-SNARKs require a setup phase where, for a given computation $$f(p, w)$$, some **public parameters** are constructed. These parameters are needed to create and verify proofs, but if the creator of the parameters "remembers" how they were constructed, they can create false proofs. * Sapling uses a gigantic and public [multi-party computation](https://en.wikipedia.org/wiki/Secure_multi-party_computation) (MPC) ceremony to construct the parameters. In order to corrupt the parameters, a large number of reputable individuals must *all* be colluding in secret or compromised. * [Pairing-friendly elliptic curves](https://en.wikipedia.org/wiki/Pairing-based_cryptography) are needed, and relatively strong cryptographic assumptions are made. * Sapling switches to a more secure and more rigid pairing-friendly elliptic curve. diff --git a/zksnarks/groth16.md b/zksnarks/groth16.md index ca99d14..25ed805 100644 --- a/zksnarks/groth16.md +++ b/zksnarks/groth16.md @@ -1 +1,9 @@ # Groth16 + +QAPs allow us to demonstrate that a statement is true with a single identity test: + +$$ +\langle \textbf{u(x)}, \textbf{z} \rangle \cdot \langle \textbf{v(x)}, \textbf{z} \rangle - \langle \textbf{w(x)}, \textbf{z} \rangle = \langle \textbf{x}^{k-1}, \textbf{h} \rangle \cdot t(x) +$$ + +In order to achieve zero-knowledge and short proofs, we need the prover to calculate the inner products and send the results to the verifier. However, the prover cannot know the point $$x$$ at which the QAP will be evaluated, or they will be able to find $$h(x)$$ for which the identity holds for any statement. diff --git a/zksnarks/r1cs.md b/zksnarks/r1cs.md index b26b7f0..679e257 100644 --- a/zksnarks/r1cs.md +++ b/zksnarks/r1cs.md 
@@ -11,7 +11,7 @@ In order to explain how zk-SNARKs work, we'll borrow notation common in the Bull ## R1CS -zk-SNARKs are zero-knowledge proofs which allow us to prove that we performed a computation $$f(x, w)$$ over some witness $$w$$ without revealing that witness. We express our computations in the form of arithmetic constraint systems. +zk-SNARKs are zero-knowledge proofs which allow us to prove that we performed a computation $$f(p, w)$$ over some witness $$w$$ without revealing that witness. We express our computations in the form of arithmetic constraint systems. Given an assignment $$\textbf{z}$$ of variables in $$\mathbb{F}_q$$, a **rank-1 constraint system** is a system of quadratic constraints of the form $$a \cdot b = c$$, where $$a, b, c$$ are linear combinations of our variable assignment. If we always set $$z_0 = 1$$, then these constraint systems can express any bounded computation. 
@@ -33,10 +33,10 @@ All of the terms of the constraint system are linear combinations of every varia * $$(\phantom{-}0z_1 + \phantom{-}1z_2 + \phantom{-}0z_3) \cdot (\phantom{-}0z_1 + \phantom{-}1z_2 + \phantom{-}0z_3) = (\phantom{-}0z_1 + \phantom{-}1z_2 + \phantom{-}0z_3)$$ * $$(\phantom{-}2z_1 + \phantom{-}0z_2 + \phantom{-}0z_3) \cdot (\phantom{-}0z_1 + \phantom{-}1z_2 + \phantom{-}0z_3) = (\phantom{-}1z_1 + \phantom{-}1z_2 + -1z_3)$$ -Let's begin to describe our constraint system generally, using inner product notation: +Let's begin to describe our constraint system using the inner product notation and coefficients represented by fixed vectors $$\textbf{a}, \textbf{b}, \textbf{c}$$: * $$\langle \textbf{a}_0, \textbf{z} \rangle \cdot \langle \textbf{b}_0, \textbf{z} \rangle = \langle \textbf{c}_0, \textbf{z} \rangle$$ * $$\langle \textbf{a}_1, \textbf{z} \rangle \cdot \langle \textbf{b}_1, \textbf{z} \rangle = \langle \textbf{c}_1, \textbf{z} \rangle$$ * $$\langle \textbf{a}_2, \textbf{z} \rangle \cdot \langle \textbf{b}_2, \textbf{z} \rangle = \langle \textbf{c}_2, \textbf{z} \rangle$$ -Generally, our goal is to demonstrate that we know a satisfying assignment $$\textbf{z} = (1, \textbf{x}, \textbf{w})$$ for which $$\langle \textbf{a}_i, \textbf{z} \rangle \cdot \langle \textbf{b}_i, \textbf{z} \rangle = \langle \textbf{c}_i, \textbf{z} \rangle$$ holds for all $$i$$ given fixed coefficients $$\textbf{a}, \textbf{b}, \textbf{c}$$. +More generally, our goal is to demonstrate that we know a satisfying assignment $$\textbf{z} = (1, \textbf{p}, \textbf{w})$$ for which $$\langle \textbf{a}_i, \textbf{z} \rangle \cdot \langle \textbf{b}_i, \textbf{z} \rangle = \langle \textbf{c}_i, \textbf{z} \rangle$$ holds for all $$i$$ given fixed coefficients $$\textbf{a}, \textbf{b}, \textbf{c}$$. If we can do this without revealing $$\textbf{w}$$, and non-interactively with succinct proofs, we'll have a zk-SNARK.
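Review bot: In the zksnarks/README.md hunk, the rename of the statement from $$x$$ to $$p$$ is applied consistently, but nothing in the README says why the letter changed; since the new zksnarks/groth16.md text in this same patch uses $$x$$ as the evaluation point of the QAP polynomials, add a short parenthetical at the first use, e.g. "the **statement** $$p$$ (we reserve $$x$$ for the polynomial indeterminate used later)", so readers who only see the README do not wonder whether $$p$$ carries some other meaning.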
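Review bot: In the zksnarks/groth16.md hunk, the bold $$\textbf{w(x)}$$ in the QAP identity collides with the witness $$w$$ (and $$\textbf{w}$$ in zksnarks/r1cs.md) that this very patch is renaming around, and $$\textbf{u(x)}$$, $$\textbf{v(x)}$$, $$t(x)$$ and $$k$$ are all used without being introduced; the page should say that $$\textbf{u(x)}, \textbf{v(x)}, \textbf{w(x)}$$ are the vectors of QAP polynomials interpolated from the R1CS coefficient vectors $$\textbf{a}, \textbf{b}, \textbf{c}$$, that $$t(x)$$ is the target polynomial vanishing on the constraint indices, and that $$\langle \textbf{x}^{k-1}, \textbf{h} \rangle$$ is shorthand for $$h(x)$$ with coefficient vector $$\textbf{h}$$ (the next paragraph refers to $$h(x)$$ directly). Also, the closing sentence "they will be able to find $$h(x)$$ for which the identity holds for any statement" is more precise as "for any assignment $$\textbf{z}$$": a prover who knows $$x$$ can just divide the left-hand side by $$t(x)$$ and present the quotient as $$h(x)$$, which is why the evaluation point must stay hidden.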
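Review bot: In the first zksnarks/r1cs.md hunk (@@ -11,7), $$f(p, w)$$ is written with roman $$p, w$$ while the later sentence in the same file writes the satisfying assignment as $$\textbf{z} = (1, \textbf{p}, \textbf{w})$$ with bold vectors; pick one convention (bold for the vector-valued statement and witness, matching $$\textbf{z}$$) and use it in the README hunk as well, otherwise a reader may take $$p$$ and $$\textbf{p}$$ for different objects.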
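Review bot: In the second zksnarks/r1cs.md hunk (@@ -33,10), the new sentence "coefficients represented by fixed vectors $$\textbf{a}, \textbf{b}, \textbf{c}$$" is immediately followed by $$\textbf{a}_0, \textbf{a}_1, \textbf{a}_2$$, so $$\textbf{a}$$ is really a list of one coefficient vector per constraint, not a single vector; say so explicitly, e.g. "where $$\textbf{a}_i, \textbf{b}_i, \textbf{c}_i$$ are the coefficient vectors of the $$i$$-th constraint", and drop "the" from "using the inner product notation". The closing sentence then correctly reads "given fixed coefficients $$\textbf{a}, \textbf{b}, \textbf{c}$$" once that indexing is stated.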