Topics:
- Polynomial Introduction
- Polynomial Commitment Schemes
- Proving Systems in general
- zkSNARK process
- Plonkish protocols
Same as 3.7 to 3.11 from Lesson 1
A polynomial commitment is a short object that "represents" a polynomial and allows you to verify evaluations of that polynomial, without needing to actually contain all of the data in the polynomial.
That is, if someone gives you a commitment $c$ representing a polynomial $P(x)$, they can also give you a short proof that convinces you, for some specific $z$, of the value of $P(z)$.
For example, a general approach is to put the evaluations of the polynomial into a Merkle tree; the verifier selects leaves at random, and the prover supplies those evaluations along with Merkle proofs of their membership.
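To make the Merkle-tree approach concrete, here is a minimal Python sketch (the field size, polynomial and helper names are all illustrative, not part of any particular library): the prover commits to the evaluations of a polynomial with a Merkle root, and the verifier checks one randomly chosen evaluation against that root.

```python
import hashlib

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

P_MOD = 2**61 - 1                      # toy prime field, for illustration only

def evaluate(coeffs, x):
    """Evaluate a polynomial given as a list of coefficients (lowest degree first)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P_MOD
    return acc

def merkle_levels(leaves):
    """Build a Merkle tree (power-of-two number of leaves) and return every level."""
    level = [H(str(v).encode()) for v in leaves]
    levels = [level]
    while len(level) > 1:
        level = [H(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def merkle_proof(levels, index):
    """Sibling hashes needed to recompute the root for the leaf at `index`."""
    path = []
    for level in levels[:-1]:
        path.append((level[index ^ 1], index % 2))   # (sibling, am I the right child?)
        index //= 2
    return path

def merkle_verify(root, leaf_value, path):
    node = H(str(leaf_value).encode())
    for sibling, is_right in path:
        node = H(sibling + node) if is_right else H(node + sibling)
    return node == root

# Prover: commit to the evaluations of P(x) = 3x^2 + 2x + 1 on a small domain.
coeffs = [1, 2, 3]
evals = [evaluate(coeffs, x) for x in range(8)]
levels = merkle_levels(evals)
commitment = levels[-1][0]             # the Merkle root is the short commitment

# Verifier: pick a random leaf, receive the evaluation plus its Merkle path, check it.
i = 5
assert merkle_verify(commitment, evals[i], merkle_proof(levels, i))
```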
Commitment schemes generally provide two properties:
- Binding: given a commitment $c$, it is hard to compute a different pair of message and randomness whose commitment is $c$. This property guarantees that there is no ambiguity in the commitment scheme, and thus after $c$ is published it is hard to open it to a different value.
- Hiding: it is hard to compute any information about $m$ given $c$.
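As a small illustration of these two properties, here is a hash-based commitment sketch in Python (SHA-256 stands in for whatever commitment function a real scheme would use):

```python
import hashlib, secrets

def commit(message: bytes):
    """Commitment c = H(r || m); returns the commitment and the opening randomness."""
    r = secrets.token_bytes(32)                 # fresh randomness is what hides m
    return hashlib.sha256(r + message).digest(), r

def open_commitment(c: bytes, message: bytes, r: bytes) -> bool:
    """Anyone holding (m, r) can later check it against the published c."""
    return hashlib.sha256(r + message).digest() == c

c, r = commit(b"42")
# Hiding: without r, c reveals (computationally) nothing about the message.
# Binding: opening c to a different message would require a SHA-256 collision.
assert open_commitment(c, b"42", r)
assert not open_commitment(c, b"43", r)
```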
Given the size of the polynomials used in ZKPs, with say a million coefficients, a commitment is what lets the verifier check evaluations without ever receiving all of that data.
Much is missed out and assumed here; this is just to show the general process.
The prover uses randomness to achieve zero knowledge; the verifier uses randomness when generating queries to the prover, in order to detect cheating by the prover.
Steps:
- Prover claims statement $S$
- Verifier provides some constraints about the polynomials
- Prover provides (or commits to) polynomials $P_1, \dots, P_k$
- Verifier provides a random $z \in \{0, \dots, p-1\}$
- Prover provides evaluations of the polynomials: $P_1(z), \dots, P_k(z)$
- Verifier decides whether to accept $S$
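The following Python sketch walks through these steps for a toy statement (the polynomials, the claim $P_3 = P_1 \cdot P_2$ and the hash-based commitment are all illustrative; a real polynomial commitment scheme would also let the verifier check that the evaluations are consistent with the commitments):

```python
import hashlib, random

P_MOD = 2**255 - 19                 # illustrative prime, not a real SNARK field

def evaluate(coeffs, z):
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * z + c) % P_MOD
    return acc

def commit(coeffs):
    # Stand-in commitment: a hash of the coefficients.
    return hashlib.sha256(repr(coeffs).encode()).hexdigest()

# Statement S: P3 = P1 * P2 as polynomials (the "constraint" the verifier will check).
P1 = [1, 2]              # 1 + 2x
P2 = [3, 0, 1]           # 3 + x^2
P3 = [3, 6, 1, 2]        # (1 + 2x)(3 + x^2) = 3 + 6x + x^2 + 2x^3

# Prover commits to its polynomials.
commitments = [commit(P) for P in (P1, P2, P3)]

# Verifier samples a random point z in {0, ..., p-1}.
z = random.randrange(P_MOD)

# Prover sends the evaluations at z.
e1, e2, e3 = (evaluate(P, z) for P in (P1, P2, P3))

# Verifier checks the constraint at the single random point and accepts or rejects S.
assert (e1 * e2) % P_MOD == e3
```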
The degrees expected are typically around $10^6$.
Note that the probability of accepting a false proof is less than $10 \cdot d / p$, where $d$ is the degree and $p$ is the size of the field, so of the order of $2^{-230}$ if our finite field has $p \approx 2^{256}$.
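A quick back-of-the-envelope check of that bound, assuming a degree of around $10^6$ and a 256-bit field:

```python
from math import log2

d = 10**6                    # illustrative polynomial degree
p = 2**256                   # size of the finite field
print(f"false-accept bound 10*d/p ≈ 2^{log2(10 * d / p):.0f}")   # about 2^-233
```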
Typically the number of queries is 3 - 10, much less than the degree.
The only randomness we use here is the sampling of $z$.
Why doesn't the verifier evaluate the polynomials themselves?
- Because the prover doesn't actually send the polynomials to the verifier: if it did, we would lose succinctness, since the polynomials contain more information than our original statement. Instead, the prover just provides a commitment to the polynomials.
If we have polynomials of degree $d$ much smaller than the field size $p$, then two distinct polynomials can agree on at most $d$ points, so evaluating them at a single random point exposes a difference with overwhelming probability.
This goes back to the Schwartz–Zippel lemma: two different polynomials do not intersect at very many points.
This also helps with succinctness.
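A small experiment makes this tangible: two degree-3 polynomials that differ in a single coefficient essentially never agree at a random point of a large field. (The field and polynomials below are arbitrary choices for illustration.)

```python
import random

P_MOD = 2**61 - 1            # toy prime field

def evaluate(coeffs, x):
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P_MOD
    return acc

A = [5, 0, 2, 7]             # 5 + 2x^2 + 7x^3
B = [5, 1, 2, 7]             # differs from A only in the x coefficient

# A - B is a nonzero polynomial of degree <= 3, so it has at most 3 roots:
# a uniformly random z gives A(z) == B(z) with probability at most 3 / P_MOD.
trials = 100_000
collisions = sum(evaluate(A, z) == evaluate(B, z)
                 for z in (random.randrange(P_MOD) for _ in range(trials)))
print(collisions)            # almost certainly 0
```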
Imagine we want to prove that a large degree polynomial $P$ evaluates to zero at 1,000,000 given points.
Imagine that our statement is that $P$ vanishes on these points.
If the verifier just uses sampling, the prover could easily cheat: the sampled point might evaluate to zero while the other 999,999 points are non-zero. We solve this as follows:
Take the set $S$ of points on which $P$ is claimed to vanish.
Define the vanishing polynomial $V(x) = \prod_{s \in S}(x - s)$, which is zero exactly on $S$.
This is good because:
- $P$ vanishes on all of $S$ if and only if $V(x)$ divides $P(x)$, i.e. the prover can exhibit a quotient polynomial $P'$ with $P(x) = P'(x) \cdot V(x)$.
- The degree of $P'$ is the degree of $P$ minus the size of $S$.
It is the introduction of the quotient polynomial $P'$ that turns the claim "$P$ vanishes on $S$" into a single polynomial identity that can be checked at a random point.
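A small Python sketch of the divisibility argument, using a tiny field and domain purely for readability (a real system would use a huge field and a much larger domain):

```python
P_MOD = 97                             # small prime field, illustration only

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P_MOD
    return out

def poly_divmod(num, den):
    """Long division of polynomials over the field; returns (quotient, remainder)."""
    num = num[:]
    q = [0] * (len(num) - len(den) + 1)
    inv_lead = pow(den[-1], -1, P_MOD)
    for i in range(len(q) - 1, -1, -1):
        q[i] = (num[i + len(den) - 1] * inv_lead) % P_MOD
        for j, d in enumerate(den):
            num[i + j] = (num[i + j] - q[i] * d) % P_MOD
    return q, num[: len(den) - 1]

# Domain S on which P should vanish, and its vanishing polynomial V(x) = prod (x - s).
S = [1, 2, 3, 4]
V = [1]
for s in S:
    V = poly_mul(V, [(-s) % P_MOD, 1])

# Build a P that really does vanish on S: pick any P' and set P = P' * V.
P_prime = [7, 0, 3]                    # 7 + 3x^2, degree 2
P = poly_mul(P_prime, V)               # degree 6 = deg(P') + |S|

# The prover's claim "P vanishes on S" is equivalent to V dividing P:
# the quotient is exactly P' and the remainder is zero.
quotient, remainder = poly_divmod(P, V)
assert quotient == P_prime and all(c == 0 for c in remainder)
```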
We can 'wrap' a constraint around a polynomial.
For example, suppose we have the constraint $C(x) = x \cdot (x - 1)$, which equals zero exactly when $x$ is 0 or 1.
You could imagine this constraining an output to be a boolean, something that may be useful for computational integrity. But here, instead of applying the constraint to a single value, we apply it to a whole polynomial, forming $C(P(x)) = P(x) \cdot (P(x) - 1)$.
We can then make the claim that if $C(P(x))$ vanishes on every point of $S$, then $P$ takes only the values 0 or 1 on $S$.
If the prover can supply a quotient polynomial $D$ with $C(P(x)) = D(x) \cdot V(x)$, the verifier can check this identity at a random point, just as before.
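Continuing the sketch above (same toy field; the poly_mul and poly_divmod helpers are repeated so the snippet runs on its own), this shows the boolean constraint wrapped around a polynomial whose values on $S$ are 0 or 1:

```python
P_MOD = 97                             # same toy prime field as the previous sketch

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P_MOD
    return out

def poly_divmod(num, den):
    num = num[:]
    q = [0] * (len(num) - len(den) + 1)
    inv_lead = pow(den[-1], -1, P_MOD)
    for i in range(len(q) - 1, -1, -1):
        q[i] = (num[i + len(den) - 1] * inv_lead) % P_MOD
        for j, d in enumerate(den):
            num[i + j] = (num[i + j] - q[i] * d) % P_MOD
    return q, num[: len(den) - 1]

# Domain S and its vanishing polynomial V(x) = x(x-1)(x-2).
S = [0, 1, 2]
V = [1]
for s in S:
    V = poly_mul(V, [(-s) % P_MOD, 1])

# A polynomial whose values on S are boolean: P(0) = 0, P(1) = 0, P(2) = 1 over F_97.
P = [0, 48, 49]                        # (x^2 - x)/2 reduced mod 97

# Wrap the boolean constraint C(x) = x(x - 1) around P: Q(x) = P(x) * (P(x) - 1).
P_minus_one = [(P[0] - 1) % P_MOD] + P[1:]
Q = poly_mul(P, P_minus_one)

# Because P is 0 or 1 everywhere on S, Q vanishes on S, so the prover
# can exhibit a quotient D with Q(x) = D(x) * V(x) (remainder zero).
D, remainder = poly_divmod(Q, V)
assert all(c == 0 for c in remainder)
```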
In short, we do not want the prover to send the polynomial to the verifier since:
- That would give them all the information, which we don't want them to have.
- It wouldn't be succinct; it's too much data to send.
- A commitment even helps the verifier ensure that the prover is not lying: since the prover has already committed to its polynomials, it cannot change them midway through the protocol.
General Process:
- Arithmetisation
- Flatten code
- Arithmetic Circuit
- Polynomials
- Polynomial Commitment Scheme
- Cryptographic proving system
- Make non interactive
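As a tiny illustration of the first two steps, here is the flattening of a toy statement ("I know $x$ such that $x^3 + x + 5 = 35$", a standard textbook example, not one from these notes) into single-operation gates whose equations are what later get encoded as polynomials:

```python
# Toy statement: "I know x such that x**3 + x + 5 == 35" (here the witness is x = 3).
x = 3

# Flattened code: every line is a single multiplication or addition (a "gate").
v1 = x * x           # gate 1
v2 = v1 * x          # gate 2: x**3
v3 = v2 + x          # gate 3
out = v3 + 5         # gate 4

# The arithmetic circuit is satisfied if every gate equation holds for the witness;
# these per-gate equations are what the later steps turn into polynomial identities.
witness = {"x": x, "v1": v1, "v2": v2, "v3": v3, "out": out}
gates = [
    witness["v1"] == witness["x"] * witness["x"],
    witness["v2"] == witness["v1"] * witness["x"],
    witness["v3"] == witness["v2"] + witness["x"],
    witness["out"] == witness["v3"] + 5,
]
assert all(gates) and witness["out"] == 35
```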
zkSNARKs require a one-off setup step to produce prover and verifier keys. This step is generally seen as a drawback of zkSNARKs: it requires an amount of trust, and if details of the setup were later leaked it would be possible to create false proofs.
From ZCash explanation: "SNARKs require something called “the public parameters”. The SNARK public parameters are numbers with a specific cryptographic structure that are known to all of the participants in the system. They are baked into the protocol and the software from the beginning.
The obvious way to construct SNARK public parameters is just to have someone generate a public/private keypair, similar to an ECDSA keypair ([see the ZCash explanation](https://electriccoin.co/blog/snark-parameters/#id2)), and then destroy the private key.
The problem is that private key. Anybody who gets a copy of it can use it to counterfeit money. (However, it cannot violate any userʼs privacy — the privacy of transactions is not at risk from this.)"
ZCash used a secure multiparty computation in which multiple people each generate a "shard" of the public/private keypair, then they each destroy their shard of the toxic waste private key, and then they all bring together their shards of the public key to form the SNARK public parameters. If that process works — i.e. if at least one of the participants successfully destroys their private key shard — then the toxic waste byproduct never comes into existence at all.
Same as the zkSNARK Process from Lesson 2
For this we use the Common Reference String from the trusted setup.
In the CRS model, before any proofs are constructed, there is a setup phase where a string is constructed according to a certain randomised process and broadcast to all parties. This string is called the CRS and is then used to help construct and verify proofs. The assumption is that the randomness used in the creation of the CRS is not known to any party – as knowledge of this randomness might enable constructing proofs of false claims.
Victor is sending challenges to Peggy. If Peggy could know exactly what the challenge is going to be, she could choose her randomness in such a way that it satisfies the challenge, even if she did not know the correct solution for the instance (that is, faking the proof). So Victor must only issue the challenge after Peggy has already fixed her randomness. This is why Peggy first commits to her randomness, and implicitly reveals it only after the challenge, when she uses that value to compute the proof.
That ensures two things:
- Victor cannot guess what value Peggy committed to;
- Peggy cannot change the value she committed to.
This is a process (the Fiat–Shamir transform) by which we can make an interactive proof non-interactive. It works by providing commitments to the messages that would form the interaction; a hash function is used as the source of randomness in place of the verifier's challenges.
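Reusing the toy interactive protocol sketched earlier, the verifier's random challenge can be replaced by a hash of the prover's commitments (again, the claim $P_3 = P_1 \cdot P_2$ and the hash-based commitment are only illustrative):

```python
import hashlib

P_MOD = 2**255 - 19          # illustrative prime, as in the earlier sketch

def evaluate(coeffs, z):
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * z + c) % P_MOD
    return acc

def commit(coeffs):
    return hashlib.sha256(repr(coeffs).encode()).hexdigest()

def challenge(commitments):
    """Derive the 'verifier randomness' by hashing the prover's commitments."""
    digest = hashlib.sha256("".join(commitments).encode()).digest()
    return int.from_bytes(digest, "big") % P_MOD

# Same toy claim as before: P3 = P1 * P2.
P1, P2, P3 = [1, 2], [3, 0, 1], [3, 6, 1, 2]
commitments = [commit(P) for P in (P1, P2, P3)]

# Prover computes the challenge itself; it cannot choose the polynomials afterwards,
# because changing them would change the commitments and hence the challenge.
z = challenge(commitments)
proof = (commitments, [evaluate(P, z) for P in (P1, P2, P3)])

# Any verifier, with no interaction, recomputes z and checks the constraint.
comms, (e1, e2, e3) = proof
z_verifier = challenge(comms)          # same value the prover used
assert z_verifier == z and (e1 * e2) % P_MOD == e3
```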
Early SNARK implementations such as Groth16 depend on a common reference string: a large set of points on an elliptic curve. Whilst these numbers are created out of randomness, internally the numbers in this list have strong algebraic relationships to one another. These relationships are used as shortcuts for the complex mathematics required to create proofs.
Knowledge of the randomness could give an attacker the ability to create false proofs.
A trusted-setup procedure generates a set of elliptic curve points of the form $G, G \cdot s, G \cdot s^2, \dots$, where $s$ is a secret value (the "toxic waste") that must be destroyed once the points are published.
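A toy sketch of that structure, with modular exponentiation standing in for elliptic curve point multiplication (the group, generator and sizes are all illustrative; real ceremonies use pairing-friendly curves):

```python
import secrets

# Stand-in group: integers modulo a prime q with generator g. Real setups use
# elliptic curve points, but the idea of publishing powers of a secret is the same.
q = 2**127 - 1                       # a Mersenne prime, chosen only for the example
g = 3
n = 8                                # maximum polynomial degree the CRS will support

s = secrets.randbelow(q - 2) + 2     # the secret "toxic waste"
crs = [pow(g, pow(s, i, q - 1), q) for i in range(n + 1)]   # g, g^s, g^(s^2), ...
del s                                # the secret must be destroyed after the setup

# Anyone holding the CRS can "evaluate a polynomial in the exponent", i.e. compute
# g^(P(s)) without ever knowing s, by combining the published elements.
coeffs = [5, 0, 2, 7]                # P(x) = 5 + 2x^2 + 7x^3
g_P_of_s = 1
for c, element in zip(coeffs, crs):
    g_P_of_s = (g_P_of_s * pow(element, c, q)) % q
```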
A problem remains: if you change your program and so introduce a new circuit, you require a fresh trusted setup.
In January 2019 Mary Maller, Sean Bowe et al. released SONIC, which has a universal setup: with just one setup it can validate any conceivable circuit (up to a predefined level of complexity).
This was unfortunately not very efficient; PLONK managed to optimise the process enough to make proving feasible.
Trusted setup is still needed but it is a "universal and updateable" trusted setup.
- There is one single trusted setup for the whole scheme after which you can use the scheme with any program (up to some maximum size chosen when making the setup).
- There is a way for multiple parties to participate in the trusted setup such that it is secure as long as any one of them is honest, and this multi-party procedure is fully sequential: first one participant contributes, then the next, and so on, so the full set of participants does not even need to be fixed in advance.