qap explanation

SUMMARY.md

@@ -3,6 +3,7 @@
 * [Introduction](README.md)
 * [zk-SNARKs](zksnarks/README.md)
     * [BLS12-381](zksnarks/bls12_381.md)
+    * [Rank-1 Constraint Systems](zksnarks/r1cs.md)
     * [Quadratic Arithmetic Programs](zksnarks/qaps.md)
     * [Groth16](zksnarks/groth16.md)
     * [Parameter Generation](zksnarks/paramgen.md)

zksnarks/README.md

@@ -2,7 +2,7 @@
 
 [Zero-knowledge proofs](https://en.wikipedia.org/wiki/Zero-knowledge_proof) allow you to demonstrate that you performed a computation correctly without revealing all of the inputs to that computation. We can think of the computation as some $$f(x, w)$$, where the **statement** $$x$$ is known to both the verifier and the prover, but the **witness** $$w$$ is known only to the prover.
 
-The fundamental tool underlying Zcash is an advanced zero-knowledge proof called a **zk-SNARK**. These proofs are only hundreds of bytes long and are inexpensive to verify, even if the underlying computation $$f(x, w)$$ is large in complexity. These proofs are also **non-interactive**, so the prover can publish the proof and anyone can verify it without interacting with the prover, making them very useful for cryptocurrencies.
+The fundamental tool underlying Zcash is an advanced zero-knowledge proof called a **zk-SNARK**. These proofs are only hundreds of bytes long and are inexpensive to verify, even if the underlying computation $$f(x, w)$$ is large in complexity. These proofs are also **non-interactive**: the prover can publish a proof that anyone can verify without interacting with the prover, making them very useful for cryptocurrencies.
 
 zk-SNARKs do come with some downsides, which are being addressed by the Sapling upgrade:
 

zksnarks/bls12_381.md

@@ -50,7 +50,7 @@ Given primes $$p$$ and $$q$$ parameterized as above, we can construct an ellipti
 
 We can find an appropriate $$x$$ by applying some simple criteria:
 
-* We desire $$q < 2^{255}$$ both for cheap reductions and so that the scalar field of our elliptic curve can be used for keying material in our construction. This gives rise to curves that have approximately 120 bits of security under conservative assumptions.
+* We desire $$q < 2^{255}$$ both for cheap reductions and so that the "scalar field" $$\mathbb{F}_q$$ of our construction can be used for keying material. This gives rise to curves that have approximately 120 bits of security under conservative assumptions.
 * We desire an $$\mathbb{F}_q$$ with a large $$2^n$$ root of unity for performing efficient fast-Fourier transforms, which is very useful for the intense polynomial arithmetic needed in zk-SNARKs.
 * We desire an efficient extension field tower and twisting isomorphism. Subfamilies of BLS12 curves (where $$x \textrm{ mod } 72 = \{16, 64\}$$ for our purposes) have such properties, along with immediately determined curve parameters.
 * We desire an $$x$$ of low Hamming weight, to ensure the pairing function is efficient.

zksnarks/groth16.md

@@ -0,0 +1 @@
+# Groth16

zksnarks/qaps.md

@@ -0,0 +1,31 @@
+# Quadratic Arithmetic Programs (QAPs)
+
+## QAPs from R1CS
+
+One way to prove that we know a satisfying assignment to some rank-1 constraint system is to actually reveal our assignment $$\textbf{z}$$ to the verifier. The verifier can check that $$\langle \textbf{a}_i, \textbf{z} \rangle \cdot \langle \textbf{b}_i, \textbf{z} \rangle = \langle \textbf{c}_i, \textbf{z} \rangle$$ holds for all $$i$$. However, this isn't zero-knowledge, nor does it lead to short proofs.
+
+Our first goal is to compress the $$i$$ different inner product equations into a *single* equation. We do this through the use of [interpolation polynomials](https://en.wikipedia.org/wiki/Polynomial_interpolation). Let $$u_i(x)$$ be a polynomial that interpolates over all of the $$i$$th elements in $$\textbf{a}$$ at $$k$$ distinct points $$r_0, r_1, ..., r_{k-1}$$. Do the same for $$v_i(x)$$ with $$\textbf{b}$$ and $$w_i(x)$$ with $$\textbf{c}$$.
+
+We can now express our constraint system in a single equation:
+
+$$
+\langle \textbf{u(x)}, \textbf{z} \rangle \cdot \langle \textbf{v(x)}, \textbf{z} \rangle = \langle \textbf{w(x)}, \textbf{z} \rangle
+$$
+
+If we evaluate this equation at the point $$x = r_i$$, the vectors of interpolation polynomials will evaluate into vectors of coefficients that correspond to the $$i$$th constraint. This means that although we have simplified the condition into a single equation, we still have to check that the equation is satisfied at $$k$$ different points.
+
+Let's rearrange the equation slightly by setting the right hand side to zero:
+
+$$
+\langle \textbf{u(x)}, \textbf{z} \rangle \cdot \langle \textbf{v(x)}, \textbf{z} \rangle - \langle \textbf{w(x)}, \textbf{z} \rangle = 0
+$$
+
+It is possible for us to check that this equation holds at each of the points $$r_0, r_1, ..., r_{k-1}$$ by constructing a **target polynomial** $$t(x) = \prod_{i=0}^{k-1} (x - r_i)$$ which has roots at each point. It turns out that if $$\langle \textbf{u(x)}, \textbf{z} \rangle \cdot \langle \textbf{v(x)}, \textbf{z} \rangle - \langle \textbf{w(x)}, \textbf{z} \rangle$$ really is zero at each point, then $$t(x)$$ will divide it. Let's call the $$k - 2$$ degree quotient polynomial $$h(x)$$.
+
+The prover now gives the verifier the assignment $$\textbf{z}$$ and the coefficients $$\textbf{h}$$ of the $$h(x)$$ polynomial, and the verifier can [probabilistically check](https://en.wikipedia.org/wiki/Schwartz%E2%80%93Zippel_lemma) that the constraint system is satisfied by choosing a random $$x \in \mathbb{F}_q$$ and checking that the following equation holds:
+
+$$
+\langle \textbf{u(x)}, \textbf{z} \rangle \cdot \langle \textbf{v(x)}, \textbf{z} \rangle - \langle \textbf{w(x)}, \textbf{z} \rangle = \langle \textbf{x}^{k-1}, \textbf{h} \rangle \cdot t(x)
+$$
+
+We call this relation a quadratic arithmetic program or QAP for short.

zksnarks/r1cs.md

@@ -0,0 +1,42 @@
+# Rank-1 Constraint Systems
+
+## Notation
+
+In order to explain how zk-SNARKs work, we'll borrow notation common in the Bulletproofs literature, as it may be familiar with readers.
+
+* We use uppercase letters like $$A$$, $$B$$, and $$C$$ to describe elements of a group $$\mathbb{G}$$ which is of prime order $$q$$. In practice these will be elements of either $$\mathbb{G}_1$$ or $$\mathbb{G}_2$$.
+* We use lowercase letters like $$a$$, $$b$$ and $$c$$ to describe scalars — elements of $$\mathbb{F}_q$$.
+* We use boldface to describe vectors: $$\textbf{a}$$ is a vector of scalars and $$\textbf{A}$$ is a vector of group elements. We use $$\textbf{p(x)}$$ to describe vectors of polynomials with indeterminate $$x$$. We use $$\textbf{x}^n$$ to describe vectors of scalars that are sequences of powers of some $$x \in \mathbb{F}_q$$.
+* We use the notation $$\langle \textbf{a}, \textbf{b} \rangle$$ to describe the inner product of two vectors — in other words, the elements of each vector are multiplied pairwise, and the products are summed together. Note that $$\langle \textbf{a}, \textbf{b} \rangle$$ produces a scalar and $$\langle \textbf{a}, \textbf{B} \rangle$$ produces a group element.
+
+## R1CS
+
+zk-SNARKs are zero-knowledge proofs which allow us to prove that we performed a computation $$f(x, w)$$ over some witness $$w$$ without revealing that witness. We express our computations in the form of arithmetic constraint systems.
+
+Given an assignment $$\textbf{z}$$ of variables in $$\mathbb{F}_q$$, a **rank-1 constraint system** is a system of quadratic constraints of the form $$a \cdot b = c$$, where $$a, b, c$$ are linear combinations of our variable assignment. If we always set $$z_0 = 1$$, then these constraint systems can express any bounded computation.
+
+* We can **boolean constrain** a variable $$z_i$$ with the constraint $$(z_i) \cdot (z_i) = (z_i)$$, because squaring is the identity for only $$0$$ and $$1$$ in a field.
+* Given a boolean constrained variable $$z_i$$, we can express $$\neg z_i$$ as $$z_0 - z_i$$.
+* Given two boolean constrained variables $$z_i, z_j$$, we can express $$z_i \land z_j$$ as $$z_i \cdot z_j$$.
+
+As an example, consisider the constraint system:
+
+1. $$(z_1) \cdot (z_1) = (z_1)$$
+2. $$(z_2) \cdot (z_2) = (z_2)$$
+3. $$(2z_1) \cdot (z_2) = (z_1 + z_2 - z_3)$$
+
+The first two constraints are boolean constraints over $$z_1$$ and $$z_2$$, respectively. The third constraint is actually an XOR constraint: you'll see through substitution that $$z_3$$ *must* equal $$z_1 \oplus z_2$$.
+
+All of the terms of the constraint system are linear combinations of every variable; in other words, the above constraint system can be equivalently expressed with a zero coefficient for every omitted variable:
+
+* $$(\phantom{-}1z_1 + \phantom{-}0z_2 + \phantom{-}0z_3) \cdot (\phantom{-}1z_1 + \phantom{-}0z_2 + \phantom{-}0z_3) = (\phantom{-}1z_1 + \phantom{-}0z_2 + \phantom{-}0z_3)$$
+* $$(\phantom{-}0z_1 + \phantom{-}1z_2 + \phantom{-}0z_3) \cdot (\phantom{-}0z_1 + \phantom{-}1z_2 + \phantom{-}0z_3) = (\phantom{-}0z_1 + \phantom{-}1z_2 + \phantom{-}0z_3)$$
+* $$(\phantom{-}2z_1 + \phantom{-}0z_2 + \phantom{-}0z_3) \cdot (\phantom{-}0z_1 + \phantom{-}1z_2 + \phantom{-}0z_3) = (\phantom{-}1z_1 + \phantom{-}1z_2 + -1z_3)$$
+
+Let's begin to describe our constraint system generally, using inner product notation:
+
+* $$\langle \textbf{a}_0, \textbf{z} \rangle \cdot \langle \textbf{b}_0, \textbf{z} \rangle = \langle \textbf{c}_0, \textbf{z} \rangle$$
+* $$\langle \textbf{a}_1, \textbf{z} \rangle \cdot \langle \textbf{b}_1, \textbf{z} \rangle = \langle \textbf{c}_1, \textbf{z} \rangle$$
+* $$\langle \textbf{a}_2, \textbf{z} \rangle \cdot \langle \textbf{b}_2, \textbf{z} \rangle = \langle \textbf{c}_2, \textbf{z} \rangle$$
+
+Generally, our goal is to demonstrate that we know a satisfying assignment $$\textbf{z} = (1, \textbf{x}, \textbf{w})$$ for which $$\langle \textbf{a}_i, \textbf{z} \rangle \cdot \langle \textbf{b}_i, \textbf{z} \rangle = \langle \textbf{c}_i, \textbf{z} \rangle$$ holds for all $$i$$ given fixed coefficients $$\textbf{a}, \textbf{b}, \textbf{c}$$.