Advance ZK improvements (#1017)

* Changes for lectures 2,5,7,11

* run linter

* Advanced ZK-Proofs

* reveal lint

---------

Co-authored-by: Nikos Kontakis <[email protected]>

syllabus/1-Cryptography/10-Advanced_ZK_proofs-slides.md

@@ -25,19 +25,19 @@ duration: 2 hour
 
 <pba-flex center>
 
-1. [Under the hood of zk-SNARKs](#zk-practice) <!-- .element: class="fragment" data-fragment-index="4" -->
-1. [Introduction to Plonk](#plonk) <!-- .element: class="fragment" data-fragment-index="4" -->
-1. [Polynomial commitment](#polynomial-commitment) <!-- .element: class="fragment" data-fragment-index="4" -->
-1. [Generating ZK-proofs using Circom and snarkjs](#circom-snarkjs) <!-- .element: class="fragment" data-fragment-index="6" -->
+1. [Under the hood of zk-SNARKs](#zk-practice) <!-- .element: class="fragment" data-fragment-index="1" -->
+1. [Introduction to Plonk](#plonk) <!-- .element: class="fragment" data-fragment-index="2" -->
+1. [Polynomial commitment](#polynomial-commitment) <!-- .element: class="fragment" data-fragment-index="3" -->
+1. [Generating ZK-proofs using Circom and snarkjs](#circom-snarkjs) <!-- .element: class="fragment" data-fragment-index="4" -->
 
 </pba-flex>
 
 ---
 
 ## Circuit to SNARK Strategy
 
-- To represent the circuit as a univariate polynomial called the "Trace Polynomial".<!-- .element: class="fragment" data-fragment-index="1" -->
-- The trace polynomial is equal to zero at each "gate" of the circuit if the solution satisfies the gate relation.<!-- .element: class="fragment" data-fragment-index="2" -->
+- To represent the circuit as a univariate polynomial called the "All Gate Polynomial".<!-- .element: class="fragment" data-fragment-index="1" -->
+- The all-gate polynomial is equal to zero at each "gate" of the circuit if the solution satisfies the gate relation.<!-- .element: class="fragment" data-fragment-index="2" -->
 - Then the verifier should be able to test if the polynomial actually has a root for every gate.<!-- .element: class="fragment" data-fragment-index="3" -->
 - ... without knowing the polynomial: This is done using "polynomial commitment".<!-- .element: class="fragment" data-fragment-index="4" -->
 
@@ -51,7 +51,7 @@ duration: 2 hour
 - Then we could encode all of these operations as:<!-- .element: class="fragment" data-fragment-index="2" -->
   $Q_l\times a + Q_r \times b + Q_o \times c + Q_m \times a\times b + Q_c = 0$<!-- .element: class="fragment" data-fragment-index="3" -->
 - for some constant $Q_l$ $Q_r$ $Q_o$ $Q_m$ and $Q_c$<!-- .element: class="fragment" data-fragment-index="4" -->
-- in fact all the operation we discussed can be written using one of these gates.<!-- .element: class="fragment" data-fragment-index="5" -->
+- In fact all the operation we discussed can be written using one of these gates.<!-- .element: class="fragment" data-fragment-index="5" -->
 
 ---
 
@@ -88,27 +88,26 @@ $Q_l\times a + Q_r\times b + Q_o\times c + Q_m\times a\times b + Q_c = 0$
 
 ---
 
-## Encode the trace as a polynomial T
+## Encode all gate values as a polynomial G
 
 - You can always encode a column of a table into a polynomial.<!-- .element: class="fragment" data-fragment-index="1" -->
 - $Q_l(x)$ such that $Q_l(1) = 0, Q_l(2) = 1, Q_l(3) = 1, Q_l(4) = -1 ,...$<!-- .element: class="fragment" data-fragment-index="2" -->
-  <img style="height: 300px; padding-left:100px" src="./img/gate-table-left-input-less-than-8-and-not-1.png" /><!-- .element: class="fragment" data-fragment-index="2" --> sa
+  <img style="height: 300px; padding-left:100px" src="./img/gate-table-left-input-less-than-8-and-not-1.png" /><!-- .element: class="fragment" data-fragment-index="2" -->
 - When you have one polynomial for each column then you can turn the whole table into a polynomial:<!-- .element: class="fragment" data-fragment-index="3" -->
   $Q_l(x)\times a(x) + Q_r(x)\times b(x) + Q_o(x)\times  c(x) + Q_m(x)\times a(x)\times b(x) + Q_c(x)$<!-- .element: class="fragment" data-fragment-index="4" -->
   $= 0$<!-- .element: class="fragment" data-fragment-index="4" -->
 
 ---
 
-## Compute the trace polynomial from the gate table
+## Compute the all-gate polynomial from the gate table
 
 SAGE demo
 
 ---
 
-## Prove that Validity of T
+## Prove the Validity of G
 
-- T encode every gate is evaluated correctly: Zero test.
-- The wiring is correct: Permutation test.
+- G encode every gate is evaluated correctly: Zero test.
 
 ---
 
@@ -137,86 +136,107 @@ SAGE demo
 
 ---
 
-# The wiring in a glance
+# The Wiring in a Glance
 
-- TODO: wired table
+## <img style="height: 700px; padding-left:100px" src="./img/wiring-fans-with-constraints.png" />
+
+# The Trace polynomial
+
+<img style="height: 700px; padding-left:100px" src="./img/trace-polynomial-known-points.png" />
 
 ---
 
-# The Trace polynomial
+# The Trace poly with Wiring
+
+<img style="height: 700px; padding-left:100px" src="./img/trace-polynomial-known-points-with-wiring.png" />
 
 ---
 
-# The wiring permutation we want to prove
+# The wiring permutation: $T(i)=T(\psi(i))$
 
--- Define the permutation.
+<img style="height: 700px; padding-left:100px" src="./img/psi-with-wiring.png" />
 
 ---
 
 # Naive Permutation check wtih zero test
 
+- We could find polynomial $\psi$. <!-- .element: class="fragment" data-fragment-index="1" -->
+- Then compute $T(\psi(x))$. <!-- .element: class="fragment" data-fragment-index="2" -->
+- Then compute $T(\psi(x)) - T(x)$. <!-- .element: class="fragment" data-fragment-index="3" -->
+- Run Zero-test to erify that $T(\psi(x)) - T(x)/((x - 1)...(x - 39))$ is a polynomial. <!-- .element: class="fragment" data-fragment-index="4" -->
+- We will end up with a degree $38\times38 = 1444$ polynomial. <!-- .element: class="fragment" data-fragment-index="5" -->
+- It is impractical. <!-- .element: class="fragment" data-fragment-index="6" -->
+
+---
+
+# SAGE demo: Computing the trace and the wiring
+
+SAGE demo
+
 ---
 
 # Developing a wiring enforcement gadget/polynomial
 
-- We take a step back and develop some tool to tackle this. <!-- .element: class="fragment" data-fragment-index="1" -->
-- They sound random and irrelevant at first but it all make sense at the end. <!-- .element: class="fragment" data-fragment-index="2" -->
+- We take a step back and develop some tools to tackle this. <!-- .element: class="fragment" data-fragment-index="1" -->
+- They sound random and irrelevant at first but it all makes sense at the end. <!-- .element: class="fragment" data-fragment-index="2" -->
 
 ---
 
 # Product check
 
 - We have a polynomial $f(x)$ and we want to prove that:<!-- .element: class="fragment" data-fragment-index="1" -->
-- $\prod_{i in \{1..39\}}f(i) = 1$.<!-- .element: class="fragment" data-fragment-index="2" -->
-- We could perform a a zero test $\prod_{i in \{1..39\}}f(i)$ but the degree is huge. <!-- .element: class="fragment" data-fragment-index="3" -->
+- $\prod_{i \in \{1..39\}}f(i) = 1$.<!-- .element: class="fragment" data-fragment-index="2" -->
+- We could perform a a zero test $\prod_{i \in \{1..39\}}f(i)$ but the degree is huge. <!-- .element: class="fragment" data-fragment-index="3" -->
 - Instead we introduce a new polynomial: <!-- .element: class="fragment" data-fragment-index="4" -->
-- $t(x) = $\prod_{i in \{1..x+1}}f(i)$ <!-- .element: class="fragment" data-fragment-index="5" -->.
-- We have a nice recursion: $t(x + 1) = t(x)f(x+1)$ for $x \in \{1..39}$
+- $t(x) = \prod_{i \in \{1..x+1}}f(i)$ <!-- .element: class="fragment" data-fragment-index="5" -->.
+- We have a nice recursion: $t(x + 1) = t(x)f(x+1)$ for $x \in \{1..39}$ <!-- .element: class="fragment" data-fragment-index="6" -->
 
 ---
 
 # Product check
 
-- The observeration is that if you have the recursion:
-  $t(x + 1) = t(x)f(x+1)$ for $x \in \{1..39}$ <!-- .element: class="fragment" data-fragment-index="1" -->
-- And you know $ t(39) = 1 $ then you know that:
-- $\prod\_{i in \{1..39}}f(i).
-- We intepolate $t$ and it will have order 38 (vs 38 \* 13)$ <!-- .element: class="fragment" data-fragment-index="2" -->
-- We run a zero test on $t(x + 1) - t(x)f(x+1) = 0$ for $\{1,...,39\}$ <!-- .element: class="fragment" data-fragment-index="3" -->
+- The observeration is that if you have the recursion: <!-- .element: class="fragment" data-fragment-index="1" -->
+- $t(x + 1) = t(x)f(x+1)$ for $x \in \{1..39}$ <!-- .element: class="fragment" data-fragment-index="2" -->
+- And you know $ t(39) = 1 $ then you know that: <!-- .element: class="fragment" data-fragment-index="3" -->
+- $\prod\_{i \in \{1..39}}f(i) = 1$ . <!-- .element: class="fragment" data-fragment-index="4" -->
+- We intepolate $t$ and it will have degree 38 (vs $38 \times 38$) <!-- .element: class="fragment" data-fragment-index="5" -->
+- We run a zero test on $t(x + 1) - t(x)f(x+1) = 0$ for $\{1,...,39\}$. <!-- .element: class="fragment" data-fragment-index="6" -->
 
 ---
 
 # Ratio check
 
-- We can run the product check to prove $\prod_{i in \{1..39\}}f(i)/g(i) = 1$.<!-- .element: class="fragment" data-fragment-index="2" -->
+- We can run the product check to prove $\prod_{i \in \{1..39\}}f(i)/g(i) = 1$.<!-- .element: class="fragment" data-fragment-index="1" -->
 - $t(x + 1) = t(x)f(x+1)/g(x + 1)$ <!-- .element: class="fragment" data-fragment-index="2" -->
 - We can only run a zero test polynomials. <!-- .element: class="fragment" data-fragment-index="3" -->
-- Run zero test on $t(x + 1)g(x + 1) - t(x)f(x+1)$.
+- Run zero test on $t(x + 1)g(x + 1) - t(x)f(x+1)$. <!-- .element: class="fragment" data-fragment-index="4" -->
 
 ---
 
 # Permutation check
 
-- Now we want to use the ratio check to enforce the wiring we have.
-- note that let $\psi$ be a permutation which preserve $T$ i.e. we have $T(a) = T(\psi(a))$ then
-- ${(a, T(a))| for all a in \{1,..,39}} == {(\psi(a), T(a))| for all a \in \{1,...,39\}\}$
-- Then for any random $u_1, u_2$
-  $\prod\_{a\in\{1,..,39\}}\frac{u*1 - u_2 * a - T(a)}{u*1 - u_2 * \psi(a) - T(\psi(a))} = 1.
+- Now we want to use the ratio check to enforce our wiring. <!-- .element: class="fragment" data-fragment-index="1" -->
+- We have $T(a) = T(\psi(a))$ then <!-- .element: class="fragment" data-fragment-index="2" -->
+- $\{ (a, T(a))| \textrm{ for all } a \in \{1,..,39\}\} == {(\psi(a), T(a))| \textrm{ for all } a \in \{1,...,39\}\}$ <!-- .element: class="fragment" data-fragment-index="3" -->
+- Then for any random $u_1, u_2$ <!-- .element: class="fragment" data-fragment-index="4" -->
+- $\prod_{a\in\{1,..,39\}}\frac{u_1 - u_2 \times a - T(a)}{u_1 - u_2 \times \psi(a) - T(\psi(a))} = 1$. <!-- .element: class="fragment" data-fragment-index="5" -->
 
 ---
 
 # Proof of wiring being correct
 
 - The verifier runs a zero test on $T(x) - N$.
-- The verifier runs a zero test on $T(3x) - a(x)$, $T(3x+1) - b(x), $T(3x+2) - c(x)$
-- A Permutation check on $T(x)$ and $T(\psi(x))$ Which is a zero test on
-- $t(x + 1)(u_1 - u_2* (x+1) - T(x + 1)) - t(x)(u_1 - u_2 * (psi(x)+1) - T(psi(x)+1) = 0$
+- The verifier runs a zero test on $T(3x) - a(x)$, $T(3x+1) - b(x)$, $T(3x+2) - c(x)$
+- A Permutation check on $T(x)$ and $T(\psi(x))$
 
 ---
 
-# Proof of correctness of the wiring on the trace polynomial.
+# SAGE demo: Proof of correctness of the wiring on the trace polynomial.
 
-SAGE demo
+SAGE Demo
+
+Zero test on:
+$t(x + 1)(u_1 - u_2 \times (x+1) - T(x + 1)) - t(x)(u_1 - u_2 \times (\psi(x)+1) - T(\psi(x)+1) = 0$
 
 ---
 
@@ -234,20 +254,20 @@ SAGE demo
 
 - The prover claims it has $f(x)$ passing the zero test.<!-- .element: class="fragment" data-fragment-index="1" -->
 - The prover is also able to compute $q(x)$ such that <!-- .element: class="fragment" data-fragment-index="2" -->
-- $f(x) = q(x) \times  \prod(x-1)..(x-13)$<!-- .element: class="fragment" data-fragment-index="2" -->
-- The prover commit to $f$ and $q$.<!-- .element: class="fragment" data-fragment-index="3" -->
-- The verifier ask the prover to provide them with $f(u)$ and $q(u)$ for some random point $u$<!-- .element: class="fragment" data-fragment-index="4" -->
-- It is very unlikely that the prover is able to lie about $f(u)$ and $q(u)$ given he has commited to $f$ and $q$.
-- The verifier computes $\prod(u-1)...(u-13)$<!-- .element: class="fragment" data-fragment-index="5" -->
-- The verifier verifies that $f(u) = q(u)\times \prod(u-1)...(u-13)$ and if so believes that the prover has a solution.<!-- .element: class="fragment" data-fragment-index="6" -->
+- $f(x) = q(x) \times  \prod(x-1)..(x-13)$<!-- .element: class="fragment" data-fragment-index="3" -->
+- The prover commit to $f$ and $q$.<!-- .element: class="fragment" data-fragment-index="4" -->
+- The verifier ask the prover to provide them with $f(u)$ and $q(u)$ for some random point $u$<!-- .element: class="fragment" data-fragment-index="5" -->
+- It is very unlikely that the prover is able to lie about $f(u)$ and $q(u)$ given he has commited to $f$ and $q$. <!-- .element: class="fragment" data-fragment-index="6" -->
+- The verifier computes $\prod(u-1)...(u-13)$<!-- .element: class="fragment" data-fragment-index="7" -->
+- The verifier verifies that $f(u) = q(u)\times \prod(u-1)...(u-13)$ and if so believes that the prover has a solution.<!-- .element: class="fragment" data-fragment-index="8" -->
 
 ---
 
 # KZG Polynomial-commitment
 
-- Is the most space efficient polynomial commitment.<!-- .element: class="fragment" data-fragment-index="1" -->
+- Is one of the most space efficient polynomial commitment.<!-- .element: class="fragment" data-fragment-index="1" -->
 - Uses elliptic curve cryptography.<!-- .element: class="fragment" data-fragment-index="2" -->
-- It requires trusted setup: a pre-computation with toxic waste which needs to be discarded to keep the scheme secure.<!-- .element: class="fragment" data-fragment-index="2" -->
+- It requires trusted setup: a pre-computation with toxic waste which needs to be discarded to keep the scheme secure.<!-- .element: class="fragment" data-fragment-index="3" -->
 
 ---
 
@@ -276,3 +296,7 @@ Generate proof demo with snarkjs
 Verify the proof snarkjs
 
 ---
+
+<!-- .slide: data-background-color="#4A2439" -->
+
+# Questions