<p>To do this we write down a <em><strong>relation</strong></em>, <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.68333em;vertical-align:0em;"></span><span class="mord mathcal">R</span></span></span></span>, that specifies which
<p>To be precise, we should distinguish between the relation <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.68333em;vertical-align:0em;"></span><span class="mord mathcal">R</span></span></span></span>, and its
implementation to be used in a proof system. We call the latter a <em><strong>circuit</strong></em>.</p>
<p>The language that we use to express circuits for a particular proof system is called an
<em><strong>arithmetization</strong></em>. Usually, an arithmetization will define circuits in terms of
polynomial constraints on variables over a field.</p>
<blockquote>
<p>The <em>process</em> of expressing a particular relation as a circuit is also sometimes called
"arithmetization", but we'll avoid that usage.</p>
</blockquote>
<p>To create a proof of a statement, the prover will need to know the private inputs,
and also intermediate values, called <em><strong>advice</strong></em> values, that are used by the circuit.</p>
<p>We assume that we can compute advice values efficiently from the private and public inputs.
The particular advice values will depend on how we write the circuit, not only on the
high-level statement.</p>
<p>The private inputs and advice values are collectively called a <em><strong>witness</strong></em>.</p>
<blockquote>
<p>Some authors use "witness" as just a synonym for private inputs. But in our usage,
a witness includes advice, i.e. it includes all values that the prover supplies to
the circuit.</p>
</blockquote>
<p>For example, suppose that we want to prove knowledge of a preimage <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.43056em;vertical-align:0em;"></span><span class="mord mathnormal">x</span></span></span></span> of a
hash function <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.68333em;vertical-align:0em;"></span><span class="mord mathnormal" style="margin-right:0.08125em;">H</span></span></span></span> for a digest <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.625em;vertical-align:-0.19444em;"></span><span class="mord mathnormal" style="margin-right:0.03588em;">y</span></span></span></span>:</p>
<ul>
<li>
<p>The private input would be the preimage <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.43056em;vertical-align:0em;"></span><span class="mord mathnormal">x</span></span></span></span>.</p>
</li>
<li>
<p>The public input would be the digest <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.625em;vertical-align:-0.19444em;"></span><span class="mord mathnormal" style="margin-right:0.03588em;">y</span></span></span></span>.</p>
</li>
<li>
<p>The relation would be <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:1em;vertical-align:-0.25em;"></span><span class="mopen">{(</span><span class="mord mathnormal">x</span><span class="mpunct">,</span><span class="mspace" style="margin-right:0.16666666666666666em;"></span><span class="mord mathnormal" style="margin-right:0.03588em;">y</span><span class="mclose">)</span><span class="mspace" style="margin-right:0.2777777777777778em;"></span><span class="mrel">:</span><span class="mspace" style="margin-right:0.2777777777777778em;"></span></span><span class="base"><span class="strut" style="height:1em;vertical-align:-0.25em;"></span><span class="mord mathnormal" style="margin-right:0.08125em;">H</span><span class="mopen">(</span><span class="mord mathnormal">x</span><span class="mclose">)</span><span class="mspace" style="margin-right:0.2777777777777778em;"></span><span class="mrel">=</span><span class="mspace" style="margin-right:0.2777777777777778em;"></span></span><span class="base"><span class="strut" style="height:1em;vertical-align:-0.25em;"></span><span class="mord mathnormal" style="margin-right:0.03588em;">y</span><span class="mclose">}</span></span></span></span>.</p>
</li>
<li>
<p>For a particular public input <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.68333em;vertical-align:0em;"></span><span class="mord mathnormal" style="margin-right:0.22222em;">Y</span></span></span></span>, the statement would be: <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:1em;vertical-align:-0.25em;"></span><span class="mopen">{(</span><span class="mord mathnormal">x</span><span class="mclose">)</span><span class="mspace" style="margin-right:0.2777777777777778em;"></span><span class="mrel">:</span><span class="mspace" style="margin-right:0.2777777777777778em;"></span></span><span class="base"><span class="strut" style="height:1em;vertical-align:-0.25em;"></span><span class="mord mathnormal" style="margin-right:0.08125em;">H</span><span class="mopen">(</span><span class="mord mathnormal">x</span><span class="mclose">)</span><span class="mspace" style="margin-right:0.2777777777777778em;"></span><span class="mrel">=</span><span class="mspace" style="margin-right:0.2777777777777778em;"></span></span><span class="base"><span class="strut" style="height:1em;vertical-align:-0.25em;"></span><span class="mord mathnormal" style="margin-right:0.22222em;">Y</span><span class="mclose">}</span></span></span></span>.</p>
</li>
<li>
<p>The advice would be all of the intermediate values in the circuit implementing the
hash function. The witness would be <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.43056em;vertical-align:0em;"></span><span class="mord mathnormal">x</span></span></span></span> and the advice.</p>
</li>
</ul>
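<p>The preimage example above, worked through in Rust as an added illustration (not code from this book or from any proof system library). It only computes advice and checks constraints, it does not produce a proof. The hash, the modulus <code>P</code>, the constants <code>RC</code> and the names <code>Round</code>, <code>synthesize</code> and <code>satisfied</code> are all assumptions made for the example.</p>

```rust
// Toy instance (constructed) of R = {(x, y) : H(x) = y} over the field F_P.
// H is a made-up 3-round x^5 map, NOT a secure hash; P and RC are assumptions.
const P: u64 = 2_147_483_647; // prime modulus 2^31 - 1
const RC: [u64; 3] = [7, 11, 13]; // round constants

fn mul(a: u64, b: u64) -> u64 { (a % P) * (b % P) % P }
fn add(a: u64, b: u64) -> u64 { (a % P + b % P) % P }

/// The relation as a plain function: no advice is involved at this level.
fn hash(x: u64) -> u64 {
    RC.iter().fold(x % P, |s, &c| {
        let t = add(s, c);
        mul(mul(mul(t, t), mul(t, t)), t) // t^5
    })
}

/// Advice for one round when the circuit only allows degree-2 constraints.
/// A circuit with a degree-5 gate would need only `out`: same relation, less advice.
#[derive(Clone, Copy, Debug)]
struct Round { sq: u64, quad: u64, out: u64 }

/// Prover side: compute the advice from the private input x.
fn synthesize(x: u64) -> Vec<Round> {
    let mut s = x % P;
    RC.iter().map(|&c| {
        let t = add(s, c);
        let (sq, quad) = (mul(t, t), mul(mul(t, t), mul(t, t)));
        s = mul(quad, t);
        Round { sq, quad, out: s }
    }).collect()
}

/// The circuit: per round, with t = s + c, the degree-2 constraints
/// sq = t^2, quad = sq^2, out = quad * t on the witness (x, advice).
fn satisfied(x: u64, advice: &[Round], y: u64) -> bool {
    if x >= P || advice.len() != RC.len() { return false; }
    let mut s = x;
    for (r, &c) in advice.iter().zip(RC.iter()) {
        let t = add(s, c);
        if r.sq != mul(t, t) || r.quad != mul(r.sq, r.sq) || r.out != mul(r.quad, t) {
            return false;
        }
        s = r.out;
    }
    s == y // the final round output must equal the public input
}

fn main() {
    let (x, y) = (42, hash(42));
    println!("witness ok: {}", satisfied(x, &synthesize(x), y));
}
```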
<p>A <em><strong>Non-interactive Argument</strong></em> allows a <em><strong>prover</strong></em> to create a <em><strong>proof</strong></em> for a
given statement and witness. The proof is data that can be used to convince a <em><strong>verifier</strong></em>
that <em>there exists</em> a witness for which the statement holds. The security property that
such proofs cannot falsely convince a verifier is called <em><strong>soundness</strong></em>.</p>
<p>A <em><strong>Non-interactive Argument of Knowledge</strong></em> (<em><strong>NARK</strong></em>) further convinces the verifier
that the prover <em>knew</em> a witness for which the statement holds. This security property is
called <em><strong>knowledge soundness</strong></em>, and it implies soundness.</p>
<p>In practice knowledge soundness is more useful for cryptographic protocols than soundness:
if we are interested in whether Alice holds a secret key in some protocol, say, we need
Alice to prove that <em>she knows</em> the key, not just that it exists.</p>
<p>Knowledge soundness is formalized by saying that an <em><strong>extractor</strong></em>, which can observe
precisely how the proof is generated, must be able to compute the witness.</p>