diff --git a/syllabus/1-Cryptography/10-Advanced_ZK_proofs-slides.md b/syllabus/1-Cryptography/10-Advanced_ZK_proofs-slides.md
index 33df9572b..0b9311293 100644
--- a/syllabus/1-Cryptography/10-Advanced_ZK_proofs-slides.md
+++ b/syllabus/1-Cryptography/10-Advanced_ZK_proofs-slides.md
@@ -25,10 +25,10 @@ duration: 2 hour
-1. [Under the hood of zk-SNARKs](#zk-practice)
-1. [Introduction to Plonk](#plonk)
-1. [Polynomial commitment](#polynomial-commitment)
-1. [Generating ZK-proofs using Circom and snarkjs](#circom-snarkjs)
+1. [Under the hood of zk-SNARKs](#zk-practice)
+1. [Introduction to Plonk](#plonk)
+1. [Polynomial commitment](#polynomial-commitment)
+1. [Generating ZK-proofs using Circom and snarkjs](#circom-snarkjs)
@@ -36,8 +36,8 @@ duration: 2 hour
## Circuit to SNARK Strategy
-- To represent the circuit as a univariate polynomial called the "Trace Polynomial".
-- The trace polynomial is equal to zero at each "gate" of the circuit if the solution satisfies the gate relation.
+- To represent the circuit as a univariate polynomial called the "All Gate Polynomial".
+- The all-gate polynomial is equal to zero at each "gate" of the circuit if the solution satisfies the gate relation.
- Then the verifier should be able to test if the polynomial actually has a root for every gate.
- ... without knowing the polynomial: This is done using "polynomial commitment".
@@ -51,7 +51,7 @@ duration: 2 hour
- Then we could encode all of these operations as:
$Q_l\times a + Q_r \times b + Q_o \times c + Q_m \times a\times b + Q_c = 0$
- for some constant $Q_l$ $Q_r$ $Q_o$ $Q_m$ and $Q_c$
-- in fact all the operation we discussed can be written using one of these gates.
+- In fact all the operation we discussed can be written using one of these gates.
---
@@ -88,27 +88,26 @@ $Q_l\times a + Q_r\times b + Q_o\times c + Q_m\times a\times b + Q_c = 0$
---
-## Encode the trace as a polynomial T
+## Encode all gate values as a polynomial G
- You can always encode a column of a table into a polynomial.
- $Q_l(x)$ such that $Q_l(1) = 0, Q_l(2) = 1, Q_l(3) = 1, Q_l(4) = -1 ,...$
- 
sa
+
- When you have one polynomial for each column then you can turn the whole table into a polynomial:
$Q_l(x)\times a(x) + Q_r(x)\times b(x) + Q_o(x)\times c(x) + Q_m(x)\times a(x)\times b(x) + Q_c(x)$
$= 0$
---
-## Compute the trace polynomial from the gate table
+## Compute the all-gate polynomial from the gate table
SAGE demo
---
-## Prove that Validity of T
+## Prove the Validity of G
-- T encode every gate is evaluated correctly: Zero test.
-- The wiring is correct: Permutation test.
+- G encode every gate is evaluated correctly: Zero test.
---
@@ -137,86 +136,107 @@ SAGE demo
---
-# The wiring in a glance
+# The Wiring in a Glance
-- TODO: wired table
+## 
+
+# The Trace polynomial
+
+
---
-# The Trace polynomial
+# The Trace poly with Wiring
+
+
---
-# The wiring permutation we want to prove
+# The wiring permutation: $T(i)=T(\psi(i))$
--- Define the permutation.
+
---
# Naive Permutation check wtih zero test
+- We could find polynomial $\psi$.
+- Then compute $T(\psi(x))$.
+- Then compute $T(\psi(x)) - T(x)$.
+- Run Zero-test to erify that $T(\psi(x)) - T(x)/((x - 1)...(x - 39))$ is a polynomial.
+- We will end up with a degree $38\times38 = 1444$ polynomial.
+- It is impractical.
+
+---
+
+# SAGE demo: Computing the trace and the wiring
+
+SAGE demo
+
---
# Developing a wiring enforcement gadget/polynomial
-- We take a step back and develop some tool to tackle this.
-- They sound random and irrelevant at first but it all make sense at the end.
+- We take a step back and develop some tools to tackle this.
+- They sound random and irrelevant at first but it all makes sense at the end.
---
# Product check
- We have a polynomial $f(x)$ and we want to prove that:
-- $\prod_{i in \{1..39\}}f(i) = 1$.
-- We could perform a a zero test $\prod_{i in \{1..39\}}f(i)$ but the degree is huge.
+- $\prod_{i \in \{1..39\}}f(i) = 1$.
+- We could perform a a zero test $\prod_{i \in \{1..39\}}f(i)$ but the degree is huge.
- Instead we introduce a new polynomial:
-- $t(x) = $\prod_{i in \{1..x+1}}f(i)$ .
-- We have a nice recursion: $t(x + 1) = t(x)f(x+1)$ for $x \in \{1..39}$
+- $t(x) = \prod_{i \in \{1..x+1}}f(i)$ .
+- We have a nice recursion: $t(x + 1) = t(x)f(x+1)$ for $x \in \{1..39}$
---
# Product check
-- The observeration is that if you have the recursion:
- $t(x + 1) = t(x)f(x+1)$ for $x \in \{1..39}$
-- And you know $ t(39) = 1 $ then you know that:
-- $\prod\_{i in \{1..39}}f(i).
-- We intepolate $t$ and it will have order 38 (vs 38 \* 13)$
-- We run a zero test on $t(x + 1) - t(x)f(x+1) = 0$ for $\{1,...,39\}$
+- The observeration is that if you have the recursion:
+- $t(x + 1) = t(x)f(x+1)$ for $x \in \{1..39}$
+- And you know $ t(39) = 1 $ then you know that:
+- $\prod\_{i \in \{1..39}}f(i) = 1$ .
+- We intepolate $t$ and it will have degree 38 (vs $38 \times 38$)
+- We run a zero test on $t(x + 1) - t(x)f(x+1) = 0$ for $\{1,...,39\}$.
---
# Ratio check
-- We can run the product check to prove $\prod_{i in \{1..39\}}f(i)/g(i) = 1$.
+- We can run the product check to prove $\prod_{i \in \{1..39\}}f(i)/g(i) = 1$.
- $t(x + 1) = t(x)f(x+1)/g(x + 1)$
- We can only run a zero test polynomials.
-- Run zero test on $t(x + 1)g(x + 1) - t(x)f(x+1)$.
+- Run zero test on $t(x + 1)g(x + 1) - t(x)f(x+1)$.
---
# Permutation check
-- Now we want to use the ratio check to enforce the wiring we have.
-- note that let $\psi$ be a permutation which preserve $T$ i.e. we have $T(a) = T(\psi(a))$ then
-- ${(a, T(a))| for all a in \{1,..,39}} == {(\psi(a), T(a))| for all a \in \{1,...,39\}\}$
-- Then for any random $u_1, u_2$
- $\prod\_{a\in\{1,..,39\}}\frac{u*1 - u_2 * a - T(a)}{u*1 - u_2 * \psi(a) - T(\psi(a))} = 1.
+- Now we want to use the ratio check to enforce our wiring.
+- We have $T(a) = T(\psi(a))$ then
+- $\{ (a, T(a))| \textrm{ for all } a \in \{1,..,39\}\} == {(\psi(a), T(a))| \textrm{ for all } a \in \{1,...,39\}\}$
+- Then for any random $u_1, u_2$
+- $\prod_{a\in\{1,..,39\}}\frac{u_1 - u_2 \times a - T(a)}{u_1 - u_2 \times \psi(a) - T(\psi(a))} = 1$.
---
# Proof of wiring being correct
- The verifier runs a zero test on $T(x) - N$.
-- The verifier runs a zero test on $T(3x) - a(x)$, $T(3x+1) - b(x), $T(3x+2) - c(x)$
-- A Permutation check on $T(x)$ and $T(\psi(x))$ Which is a zero test on
-- $t(x + 1)(u_1 - u_2* (x+1) - T(x + 1)) - t(x)(u_1 - u_2 * (psi(x)+1) - T(psi(x)+1) = 0$
+- The verifier runs a zero test on $T(3x) - a(x)$, $T(3x+1) - b(x)$, $T(3x+2) - c(x)$
+- A Permutation check on $T(x)$ and $T(\psi(x))$
---
-# Proof of correctness of the wiring on the trace polynomial.
+# SAGE demo: Proof of correctness of the wiring on the trace polynomial.
-SAGE demo
+SAGE Demo
+
+Zero test on:
+$t(x + 1)(u_1 - u_2 \times (x+1) - T(x + 1)) - t(x)(u_1 - u_2 \times (\psi(x)+1) - T(\psi(x)+1) = 0$
---
@@ -234,20 +254,20 @@ SAGE demo
- The prover claims it has $f(x)$ passing the zero test.
- The prover is also able to compute $q(x)$ such that
-- $f(x) = q(x) \times \prod(x-1)..(x-13)$
-- The prover commit to $f$ and $q$.
-- The verifier ask the prover to provide them with $f(u)$ and $q(u)$ for some random point $u$
-- It is very unlikely that the prover is able to lie about $f(u)$ and $q(u)$ given he has commited to $f$ and $q$.
-- The verifier computes $\prod(u-1)...(u-13)$
-- The verifier verifies that $f(u) = q(u)\times \prod(u-1)...(u-13)$ and if so believes that the prover has a solution.
+- $f(x) = q(x) \times \prod(x-1)..(x-13)$
+- The prover commit to $f$ and $q$.
+- The verifier ask the prover to provide them with $f(u)$ and $q(u)$ for some random point $u$
+- It is very unlikely that the prover is able to lie about $f(u)$ and $q(u)$ given he has commited to $f$ and $q$.
+- The verifier computes $\prod(u-1)...(u-13)$
+- The verifier verifies that $f(u) = q(u)\times \prod(u-1)...(u-13)$ and if so believes that the prover has a solution.
---
# KZG Polynomial-commitment
-- Is the most space efficient polynomial commitment.
+- Is one of the most space efficient polynomial commitment.
- Uses elliptic curve cryptography.
-- It requires trusted setup: a pre-computation with toxic waste which needs to be discarded to keep the scheme secure.
+- It requires trusted setup: a pre-computation with toxic waste which needs to be discarded to keep the scheme secure.
---
@@ -276,3 +296,7 @@ Generate proof demo with snarkjs
Verify the proof snarkjs
---
+
+
+
+# Questions
diff --git a/syllabus/1-Cryptography/img/psi-with-wirings.png b/syllabus/1-Cryptography/img/psi-with-wirings.png
new file mode 100644
index 000000000..53bebe02d
Binary files /dev/null and b/syllabus/1-Cryptography/img/psi-with-wirings.png differ
diff --git a/syllabus/1-Cryptography/img/trace-polynomial-known-points-with-wiring.png b/syllabus/1-Cryptography/img/trace-polynomial-known-points-with-wiring.png
new file mode 100644
index 000000000..2cf1b388f
Binary files /dev/null and b/syllabus/1-Cryptography/img/trace-polynomial-known-points-with-wiring.png differ
diff --git a/syllabus/1-Cryptography/img/trace-polynomial-known-points.png b/syllabus/1-Cryptography/img/trace-polynomial-known-points.png
new file mode 100644
index 000000000..a140473ef
Binary files /dev/null and b/syllabus/1-Cryptography/img/trace-polynomial-known-points.png differ
diff --git a/syllabus/1-Cryptography/img/wiring-fans-with-constraints.png b/syllabus/1-Cryptography/img/wiring-fans-with-constraints.png
new file mode 100644
index 000000000..8a6705088
Binary files /dev/null and b/syllabus/1-Cryptography/img/wiring-fans-with-constraints.png differ
diff --git a/syllabus/1-Cryptography/materials/zk-factorization-example/all-constraints-for-wiring.png b/syllabus/1-Cryptography/materials/zk-factorization-example/all-constraints-for-wiring.png
new file mode 100644
index 000000000..971920b18
Binary files /dev/null and b/syllabus/1-Cryptography/materials/zk-factorization-example/all-constraints-for-wiring.png differ
diff --git a/syllabus/1-Cryptography/materials/zk-factorization-example/gate-constrains.org b/syllabus/1-Cryptography/materials/zk-factorization-example/gate-constrains.org
index 235153595..b4a8f838c 100644
--- a/syllabus/1-Cryptography/materials/zk-factorization-example/gate-constrains.org
+++ b/syllabus/1-Cryptography/materials/zk-factorization-example/gate-constrains.org
@@ -84,23 +84,78 @@
| 13 | 0 | -1 | 0 | 1 | -1 | s | (s-1)^-1 | 0 |
|---------+-----+-----+-----+-----+-----+-----+----------+-----|
+* Trace polynomial for wiring with omega
+ | Gate | a | b | c |
+ |------+-------------------------+------------------------------+-------------------------|
+ | 1 | $T(\omega^1) := r$ | $T(\omega^2):=s$ | $T(\omega^3) := 0$ |
+ | 2 | $T(\omega^4) := r0$ | $T(\omega^5):=r1$ | $T(\omega^6) := r01$ |
+ | 3 | $T(\omega^7) := r01$ | $T(\omega^8) := r2$ | $T(\omega^9) := r$ |
+ | 4 | $T(\omega^{10}) := r0$ | $T(\omega^{11}) := r0$ | $T(\omega^{12}) := 0$ |
+ | 5 | $T(\omega^{13}) := r1$ | $T(\omega^{14}) := r1$ | $T(\omega^{15}) := 0$ |
+ | 6 | $T(\omega^{16}) := r2$ | $T(\omega^{17}) := r2$ | $T(\omega^{18}) := 0$ |
+ | 7 | $T(\omega^{19}) := r$ | $T(\omega^{20}) := (r-1)^-1$ | $T(\omega^{21}) := 0$ |
+ | 8 | $T(\omega^{22}) := s0$ | $T(\omega^{23}) := s1$ | $T(\omega^{24}) := s01$ |
+ | 9 | $T(\omega^{25}) := s01$ | $T(\omega^{26}) := s2$ | $T(\omega^{27}) := s$ |
+ | 10 | $T(\omega^{28}) := s0$ | $T(\omega^{29}) := s0$ | $T(\omega^{30}) := 0$ |
+ | 11 | $T(\omega^{31}) := s1$ | $T(\omega^{32}) := s1$ | $T(\omega^{33}) := 0$ |
+ | 12 | $T(\omega^{34}) := s2$ | $T(\omega^{35}) := s2$ | $T(\omega^{36}) := 0$ |
+ | 13 | $T(\omega^{37}) := s$ | $T(\omega^{38}) := (s-1)^-1$ | $T(\omega^{39}) := 0$ |
+ |------+-------------------------+------------------------------+-------------------------|
+
+
+* Permutation Psi with omega
+ | Gate | a | b | c |
+ |------+------------------------------------+------------------------------------+------------------------------------|
+ | 1 | $\Psi(\omega^1) := \omega^9$ | $\Psi(\omega^2):=\omega^{27}$ | $\Psi(\omega^3) := \omega^3$ |
+ | 2 | $\Psi(\omega^4) := \omega^{10}$ | $\Psi(\omega^5):=\omega^{13}$ | $\Psi(\omega^6) := \omega^7$ |
+ | 3 | $\Psi(\omega^7) := \omega^6$ | $\Psi(\omega^8) := \omega^{16}$ | $\Psi(\omega^9) := \omega^{19}$ |
+ | 4 | $\Psi(\omega^{10}) := \omega^{11}$ | $\Psi(\omega^{11}) := \omega^4$ | $\Psi(\omega^{12}) := \omega^{12}$ |
+ | 5 | $\Psi(\omega^{13}) := \omega^{14}$ | $\Psi(\omega^{14}) := \omega^{5}$ | $\Psi(\omega^{15}) := \omega^{15}$ |
+ | 6 | $\Psi(\omega^{16}) := \omega^{17}$ | $\Psi(\omega^{17}) := \omega^{8}$ | $\Psi(\omega^{18}) := \omega^{18}$ |
+ | 7 | $\Psi(\omega^{19}) := \omega^{1}$ | $\Psi(\omega^{20}) := \omega^{20}$ | $\Psi(\omega^{21}) := \omega^{21}$ |
+ | 8 | $\Psi(\omega^{22}) := \omega^{28}$ | $\Psi(\omega^{23}) := \omega^{31}$ | $\Psi(\omega^{24}) := \omega^{25}$ |
+ | 9 | $\Psi(\omega^{25}) := \omega^{24}$ | $\Psi(\omega^{26}) := \omega^{34}$ | $\Psi(\omega^{27}) := \omega^{37}$ |
+ | 10 | $\Psi(\omega^{28}) := \omega^{29}$ | $\Psi(\omega^{29}) := \omega^{22}$ | $\Psi(\omega^{30}) := \omega^{30}$ |
+ | 11 | $\Psi(\omega^{31}) := \omega^{31}$ | $\Psi(\omega^{32}) := \omega^{31}$ | $\Psi(\omega^{33}) := \omega^{33}$ |
+ | 12 | $\Psi(\omega^{34}) := \omega^{35}$ | $\Psi(\omega^{35}) := \omega^{35}$ | $\Psi(\omega^{36}) := \omega^{36}$ |
+ | 13 | $\Psi(\omega^{37}) := \omega^{2}$ | $\Psi(\omega^{38}) := \omega^{38}$ | $\Psi(\omega^{39}) := \omega^{39}$ |
+ |------+------------------------------------+------------------------------------+------------------------------------|
+
* Trace polynomial for wiring
- | Gate No | a | b | c |
- |---------+--------------------+------------------+--------------------|
- | 1 | $T(\omega^0) := r$ | $T(\omega^1):=s$ | $T(\omega^3) = 0$ |
- | 2 | r0 | r1 | r01 |
- | 3 | r01 | r2 | r |
- | 4 | r0 | r0 | 0 |
- | 5 | r1 | r1 | 0 |
- | 6 | r2 | r2 | 0 |
- | 7 | r | (r-1)^-1 | 0 |
- | 8 | s0 | s1 | s01 |
- | 9 | s01 | s2 | s |
- | 10 | s0 | s0 | 0 |
- | 11 | s1 | s1 | 0 |
- | 12 | s2 | s2 | 0 |
- | 13 | s | (s-1)^-1 | 0 |
- |---------+--------------------+------------------+--------------------|
+ | Gate | a | b | c |
+ |------+------------------+-----------------------+------------------|
+ | 1 | $T(1) := r$ | $T(2):=s$ | $T(3) := 0$ |
+ | 2 | $T(4) := r0$ | $T(5):=r1$ | $T(6) := r01$ |
+ | 3 | $T(7) := r01$ | $T(8) := r2$ | $T(9) := r$ |
+ | 4 | $T({10}) := r0$ | $T({11}) := r0$ | $T({12}) := 0$ |
+ | 5 | $T({13}) := r1$ | $T({14}) := r1$ | $T({15}) := 0$ |
+ | 6 | $T({16}) := r2$ | $T({17}) := r2$ | $T({18}) := 0$ |
+ | 7 | $T({19}) := r$ | $T({20}) := (r-1)^-1$ | $T({21}) := 0$ |
+ | 8 | $T({22}) := s0$ | $T({23}) := s1$ | $T({24}) := s01$ |
+ | 9 | $T({25}) := s01$ | $T({26}) := s2$ | $T({27}) := s$ |
+ | 10 | $T({28}) := s0$ | $T({29}) := s0$ | $T({30}) := 0$ |
+ | 11 | $T({31}) := s1$ | $T({32}) := s1$ | $T({33}) := 0$ |
+ | 12 | $T({34}) := s2$ | $T({35}) := s2$ | $T({36}) := 0$ |
+ | 13 | $T({37}) := s$ | $T({38}) := (s-1)^-1$ | $T({39}) := 0$ |
+ |------+------------------+-----------------------+------------------|
+
+* Permutation Psi
+ | Gate | a | b | c |
+ |------+----------------------+----------------------+----------------------|
+ | 1 | $\Psi(1) := 9$ | $\Psi(2):={27}$ | $\Psi(3) := 3$ |
+ | 2 | $\Psi(4) := {10}$ | $\Psi(5):={13}$ | $\Psi(6) := 7$ |
+ | 3 | $\Psi(7) := 6$ | $\Psi(8) := {16}$ | $\Psi(9) := {19}$ |
+ | 4 | $\Psi({10}) := {11}$ | $\Psi({11}) := 4$ | $\Psi({12}) := {12}$ |
+ | 5 | $\Psi({13}) := {14}$ | $\Psi({14}) := {5}$ | $\Psi({15}) := {15}$ |
+ | 6 | $\Psi({16}) := {17}$ | $\Psi({17}) := {8}$ | $\Psi({18}) := {18}$ |
+ | 7 | $\Psi({19}) := {1}$ | $\Psi({20}) := {20}$ | $\Psi({21}) := {21}$ |
+ | 8 | $\Psi({22}) := {28}$ | $\Psi({23}) := {31}$ | $\Psi({24}) := {25}$ |
+ | 9 | $\Psi({25}) := {24}$ | $\Psi({26}) := {34}$ | $\Psi({27}) := {37}$ |
+ | 10 | $\Psi({28}) := {29}$ | $\Psi({29}) := {22}$ | $\Psi({30}) := {30}$ |
+ | 11 | $\Psi({31}) := {31}$ | $\Psi({32}) := {31}$ | $\Psi({33}) := {33}$ |
+ | 12 | $\Psi({34}) := {35}$ | $\Psi({35}) := {35}$ | $\Psi({36}) := {36}$ |
+ | 13 | $\Psi({37}) := {2}$ | $\Psi({38}) := {38}$ | $\Psi({39}) := {39}$ |
+ |------+----------------------+----------------------+----------------------|
* Gate Polynomial
Summerizing all of our constrains in one polynomial:
diff --git a/syllabus/1-Cryptography/materials/zk-factorization-example/gate-constrains.tex b/syllabus/1-Cryptography/materials/zk-factorization-example/gate-constrains.tex
index 7b400e743..0a9969b32 100644
--- a/syllabus/1-Cryptography/materials/zk-factorization-example/gate-constrains.tex
+++ b/syllabus/1-Cryptography/materials/zk-factorization-example/gate-constrains.tex
@@ -1,4 +1,4 @@
-% Created 2023-12-19 Tue 10:19
+% Created 2024-05-22 Wed 06:20
% Intended LaTeX compiler: pdflatex
\documentclass[11pt]{article}
\usepackage[utf8]{inputenc}
@@ -19,23 +19,23 @@
pdftitle={},
pdfkeywords={},
pdfsubject={},
- pdfcreator={Emacs 29.1 (Org mode 9.6.6)},
+ pdfcreator={Emacs 29.3 (Org mode 9.6.15)},
pdflang={English}}
\begin{document}
\section{Gate constrains:}
-\label{sec:org3f61f29}
+\label{sec:org949341d}
\subsection{Multiplication constrain:}
-\label{sec:orgf218bc2}
+\label{sec:org23a6312}
\begin{itemize}
\item \(r * s = n\)
\end{itemize}
\subsection{constraining \(r \neq 1\)}
-\label{sec:org6d50148}
+\label{sec:org60688ab}
\begin{itemize}
\item Making sure that the prover doesn't fool the verifier by using 1 as a factor.
\item We force them to use r-1's inverse.
@@ -43,7 +43,7 @@ \subsection{constraining \(r \neq 1\)}
\end{itemize}
\subsection{constraining \(0< r < 8\):}
-\label{sec:org5d55729}
+\label{sec:orgd3ea1d2}
We need to make sure r \% p = r
otherwise prover can cheat because everything has an inverse in \(FF_p\)
We use Binary decomposition:
@@ -56,7 +56,7 @@ \subsection{constraining \(0< r < 8\):}
\end{itemize}
\subsection{similarly constraining \(b\):}
-\label{sec:orga5c2f3e}
+\label{sec:org3a9fab7}
\begin{itemize}
\item \(s0 + 2 * s1 = s01\)
@@ -68,11 +68,11 @@ \subsection{similarly constraining \(b\):}
\end{itemize}
\section{Universal way of summerizing constrains:}
-\label{sec:orgef1d037}
+\label{sec:org9c3240b}
\(Q_l*a + Q_r*b + Q_o*c + Q_m*a*b + Q_c = 0\)
\section{Constrain for factorization:}
-\label{sec:orgdababe0}
+\label{sec:orgea626c6}
\(Q_l*a + Q_r*b + Q_o*c + Q_m*a*b + Q_c = 0\)
\begin{center}
@@ -84,7 +84,7 @@ \section{Constrain for factorization:}
\end{center}
\section{Constrain table \(a\)}
-\label{sec:orga0851f0}
+\label{sec:orgfa4de93}
\(Q_l*a + Q_r*b + Q_o*c + Q_m*a*b + Q_c = 0\)
\begin{center}
@@ -102,7 +102,7 @@ \section{Constrain table \(a\)}
\end{center}
\section{Constrain table \(b\)}
-\label{sec:orgbae5eb4}
+\label{sec:orgcce3822}
\(Q_l*a + Q_r*b + Q_o*c + Q_m*a*b + Q_c = 0\)
\begin{center}
@@ -119,9 +119,125 @@ \section{Constrain table \(b\)}
\end{tabular}
\end{center}
-\section{Trace Polynomial}
-\label{sec:orgf389178}
+\section{all constraints for wiring}
+\label{sec:org582ca25}
+\begin{center}
+\begin{tabular}{rrrrrrllr}
+Gate No & Q\textsubscript{l} & Q\textsubscript{r} & Q\textsubscript{o} & Q\textsubscript{m} & Q\textsubscript{c} & a & b & c\\[0pt]
+\hline
+1 & 0 & 0 & 0 & 1 & -n & r & s & 0\\[0pt]
+2 & 1 & 2 & -1 & 0 & 0 & r0 & r1 & r01\\[0pt]
+3 & 1 & 4 & -1 & 0 & 0 & r01 & r2 & r\\[0pt]
+4 & -1 & 0 & 0 & 1 & 0 & r0 & r0 & 0\\[0pt]
+5 & -1 & 0 & 0 & 1 & 0 & r1 & r1 & 0\\[0pt]
+6 & -1 & 0 & 0 & 1 & 0 & r2 & r2 & 0\\[0pt]
+7 & 0 & -1 & 0 & 1 & -1 & r & (r-1)\textsuperscript{-1} & 0\\[0pt]
+8 & 1 & 2 & -1 & 0 & 0 & s0 & s1 & s01\\[0pt]
+9 & 1 & 4 & -1 & 0 & 0 & s01 & s2 & s\\[0pt]
+10 & -1 & 0 & 0 & 1 & 0 & s0 & s0 & 0\\[0pt]
+11 & -1 & 0 & 0 & 1 & 0 & s1 & s1 & 0\\[0pt]
+12 & -1 & 0 & 0 & 1 & 0 & s2 & s2 & 0\\[0pt]
+13 & 0 & -1 & 0 & 1 & -1 & s & (s-1)\textsuperscript{-1} & 0\\[0pt]
+\hline
+\end{tabular}
+\end{center}
+
+\section{Trace polynomial for wiring with omega}
+\label{sec:org836884f}
+\begin{center}
+\begin{tabular}{rlll}
+Gate & a & b & c\\[0pt]
+\hline
+1 & \(T(\omega^1) := r\) & \(T(\omega^2):=s\) & \(T(\omega^3) := 0\)\\[0pt]
+2 & \(T(\omega^4) := r0\) & \(T(\omega^5):=r1\) & \(T(\omega^6) := r01\)\\[0pt]
+3 & \(T(\omega^7) := r01\) & \(T(\omega^8) := r2\) & \(T(\omega^9) := r\)\\[0pt]
+4 & \(T(\omega^{10}) := r0\) & \(T(\omega^{11}) := r0\) & \(T(\omega^{12}) := 0\)\\[0pt]
+5 & \(T(\omega^{13}) := r1\) & \(T(\omega^{14}) := r1\) & \(T(\omega^{15}) := 0\)\\[0pt]
+6 & \(T(\omega^{16}) := r2\) & \(T(\omega^{17}) := r2\) & \(T(\omega^{18}) := 0\)\\[0pt]
+7 & \(T(\omega^{19}) := r\) & \(T(\omega^{20}) := (r-1)^-1\) & \(T(\omega^{21}) := 0\)\\[0pt]
+8 & \(T(\omega^{22}) := s0\) & \(T(\omega^{23}) := s1\) & \(T(\omega^{24}) := s01\)\\[0pt]
+9 & \(T(\omega^{25}) := s01\) & \(T(\omega^{26}) := s2\) & \(T(\omega^{27}) := s\)\\[0pt]
+10 & \(T(\omega^{28}) := s0\) & \(T(\omega^{29}) := s0\) & \(T(\omega^{30}) := 0\)\\[0pt]
+11 & \(T(\omega^{31}) := s1\) & \(T(\omega^{32}) := s1\) & \(T(\omega^{33}) := 0\)\\[0pt]
+12 & \(T(\omega^{34}) := s2\) & \(T(\omega^{35}) := s2\) & \(T(\omega^{36}) := 0\)\\[0pt]
+13 & \(T(\omega^{37}) := s\) & \(T(\omega^{38}) := (s-1)^-1\) & \(T(\omega^{39}) := 0\)\\[0pt]
+\hline
+\end{tabular}
+\end{center}
+
+
+\section{Permutation Psi with omega}
+\label{sec:org35f2b9a}
+\begin{center}
+\begin{tabular}{rlll}
+Gate & a & b & c\\[0pt]
+\hline
+1 & \(\Psi(\omega^1) := \omega^9\) & \(\Psi(\omega^2):=\omega^{27}\) & \(\Psi(\omega^3) := \omega^3\)\\[0pt]
+2 & \(\Psi(\omega^4) := \omega^{10}\) & \(\Psi(\omega^5):=\omega^{13}\) & \(\Psi(\omega^6) := \omega^7\)\\[0pt]
+3 & \(\Psi(\omega^7) := \omega^6\) & \(\Psi(\omega^8) := \omega^{16}\) & \(\Psi(\omega^9) := \omega^{19}\)\\[0pt]
+4 & \(\Psi(\omega^{10}) := \omega^{11}\) & \(\Psi(\omega^{11}) := \omega^4\) & \(\Psi(\omega^{12}) := \omega^{12}\)\\[0pt]
+5 & \(\Psi(\omega^{13}) := \omega^{14}\) & \(\Psi(\omega^{14}) := \omega^{5}\) & \(\Psi(\omega^{15}) := \omega^{15}\)\\[0pt]
+6 & \(\Psi(\omega^{16}) := \omega^{17}\) & \(\Psi(\omega^{17}) := \omega^{8}\) & \(\Psi(\omega^{18}) := \omega^{18}\)\\[0pt]
+7 & \(\Psi(\omega^{19}) := \omega^{1}\) & \(\Psi(\omega^{20}) := \omega^{20}\) & \(\Psi(\omega^{21}) := \omega^{21}\)\\[0pt]
+8 & \(\Psi(\omega^{22}) := \omega^{28}\) & \(\Psi(\omega^{23}) := \omega^{31}\) & \(\Psi(\omega^{24}) := \omega^{25}\)\\[0pt]
+9 & \(\Psi(\omega^{25}) := \omega^{24}\) & \(\Psi(\omega^{26}) := \omega^{34}\) & \(\Psi(\omega^{27}) := \omega^{37}\)\\[0pt]
+10 & \(\Psi(\omega^{28}) := \omega^{29}\) & \(\Psi(\omega^{29}) := \omega^{22}\) & \(\Psi(\omega^{30}) := \omega^{30}\)\\[0pt]
+11 & \(\Psi(\omega^{31}) := \omega^{31}\) & \(\Psi(\omega^{32}) := \omega^{31}\) & \(\Psi(\omega^{33}) := \omega^{33}\)\\[0pt]
+12 & \(\Psi(\omega^{34}) := \omega^{35}\) & \(\Psi(\omega^{35}) := \omega^{35}\) & \(\Psi(\omega^{36}) := \omega^{36}\)\\[0pt]
+13 & \(\Psi(\omega^{37}) := \omega^{2}\) & \(\Psi(\omega^{38}) := \omega^{38}\) & \(\Psi(\omega^{39}) := \omega^{39}\)\\[0pt]
+\hline
+\end{tabular}
+\end{center}
+
+\section{Trace polynomial for wiring}
+\label{sec:org232436d}
+\begin{center}
+\begin{tabular}{rlll}
+Gate & a & b & c\\[0pt]
+\hline
+1 & \(T(1) := r\) & \(T(2):=s\) & \(T(3) := 0\)\\[0pt]
+2 & \(T(4) := r0\) & \(T(5):=r1\) & \(T(6) := r01\)\\[0pt]
+3 & \(T(7) := r01\) & \(T(8) := r2\) & \(T(9) := r\)\\[0pt]
+4 & \(T({10}) := r0\) & \(T({11}) := r0\) & \(T({12}) := 0\)\\[0pt]
+5 & \(T({13}) := r1\) & \(T({14}) := r1\) & \(T({15}) := 0\)\\[0pt]
+6 & \(T({16}) := r2\) & \(T({17}) := r2\) & \(T({18}) := 0\)\\[0pt]
+7 & \(T({19}) := r\) & \(T({20}) := (r-1)^-1\) & \(T({21}) := 0\)\\[0pt]
+8 & \(T({22}) := s0\) & \(T({23}) := s1\) & \(T({24}) := s01\)\\[0pt]
+9 & \(T({25}) := s01\) & \(T({26}) := s2\) & \(T({27}) := s\)\\[0pt]
+10 & \(T({28}) := s0\) & \(T({29}) := s0\) & \(T({30}) := 0\)\\[0pt]
+11 & \(T({31}) := s1\) & \(T({32}) := s1\) & \(T({33}) := 0\)\\[0pt]
+12 & \(T({34}) := s2\) & \(T({35}) := s2\) & \(T({36}) := 0\)\\[0pt]
+13 & \(T({37}) := s\) & \(T({38}) := (s-1)^-1\) & \(T({39}) := 0\)\\[0pt]
+\hline
+\end{tabular}
+\end{center}
+
+\section{Permutation Psi}
+\label{sec:org8d7dfb9}
+\begin{center}
+\begin{tabular}{rlll}
+Gate & a & b & c\\[0pt]
+\hline
+1 & \(\Psi(1) := 9\) & \(\Psi(2):={27}\) & \(\Psi(3) := 3\)\\[0pt]
+2 & \(\Psi(4) := {10}\) & \(\Psi(5):={13}\) & \(\Psi(6) := 7\)\\[0pt]
+3 & \(\Psi(7) := 6\) & \(\Psi(8) := {16}\) & \(\Psi(9) := {19}\)\\[0pt]
+4 & \(\Psi({10}) := {11}\) & \(\Psi({11}) := 4\) & \(\Psi({12}) := {12}\)\\[0pt]
+5 & \(\Psi({13}) := {14}\) & \(\Psi({14}) := {5}\) & \(\Psi({15}) := {15}\)\\[0pt]
+6 & \(\Psi({16}) := {17}\) & \(\Psi({17}) := {8}\) & \(\Psi({18}) := {18}\)\\[0pt]
+7 & \(\Psi({19}) := {1}\) & \(\Psi({20}) := {20}\) & \(\Psi({21}) := {21}\)\\[0pt]
+8 & \(\Psi({22}) := {28}\) & \(\Psi({23}) := {31}\) & \(\Psi({24}) := {25}\)\\[0pt]
+9 & \(\Psi({25}) := {24}\) & \(\Psi({26}) := {34}\) & \(\Psi({27}) := {37}\)\\[0pt]
+10 & \(\Psi({28}) := {29}\) & \(\Psi({29}) := {22}\) & \(\Psi({30}) := {30}\)\\[0pt]
+11 & \(\Psi({31}) := {31}\) & \(\Psi({32}) := {31}\) & \(\Psi({33}) := {33}\)\\[0pt]
+12 & \(\Psi({34}) := {35}\) & \(\Psi({35}) := {35}\) & \(\Psi({36}) := {36}\)\\[0pt]
+13 & \(\Psi({37}) := {2}\) & \(\Psi({38}) := {38}\) & \(\Psi({39}) := {39}\)\\[0pt]
+\hline
+\end{tabular}
+\end{center}
+
+\section{Gate Polynomial}
+\label{sec:org5caea92}
Summerizing all of our constrains in one polynomial:
\(Q_l(x)*a(x) + Q_r(x)*b(x) + Q_o(x)* c(x) + Q_m(x)*a(x)*b(x) + Q_c(x) = 0\)
-\end{document}
\ No newline at end of file
+\end{document}
diff --git a/syllabus/1-Cryptography/materials/zk-factorization-example/interpolation.sage b/syllabus/1-Cryptography/materials/zk-factorization-example/interpolation.sage
index 144a11c43..be6358815 100644
--- a/syllabus/1-Cryptography/materials/zk-factorization-example/interpolation.sage
+++ b/syllabus/1-Cryptography/materials/zk-factorization-example/interpolation.sage
@@ -1,3 +1,5 @@
+from hashlib import sha256
+
circom_p = 21888242871839275222246405745257275088548364400416034343698204186575808495617
our_p = 89
ZKField = FiniteField(our_p)
@@ -48,16 +50,101 @@ bx = PolysOnZKField.lagrange_polynomial(zip(x_values,right_input_values))
cx = PolysOnZKField.lagrange_polynomial(zip(x_values,c_output_values))
#Q_l(x)*a(x) + Q_r(x)*b(x) + Q_o(x)* c(x) + Q_m(x)*a(x)*b(x) + Q_c(x) = 0
-trace_poly = Qlx * ax + Qrx*bx+ Qox * cx + Qmx*ax*bx + Qcx
+gate_poly = Qlx * ax + Qrx*bx+ Qox * cx + Qmx*ax*bx + Qcx
+
+zero_test_poly = prod(list(map(lambda x_val: x - x_val,x_values)))
+
+print("All Gate polynomial: ", gate_poly)
+print("Zero test polynomial:", zero_test_poly)
+print("The remainder of gatepoly/zerotest: ",gate_poly % zero_test_poly)
+
+qx = gate_poly / zero_test_poly
+print("q(x):",qx)
+
+# bulid the trace polynomial T
+T = [0]*39
+for i in range(0,13):
+ T[i*3] = left_input_values[i]
+ T[i*3 + 1 ] = right_input_values[i]
+ T[i*3 + 2 ] = c_output_values[i]
+
+psi = [ 9, 27, 3,
+ 10, 13, 7,
+ 6, 16, 19,
+ 11, 4, 12,
+ 14, 5, 15,
+ 17,8,18,
+ 1,20, 21,
+ 28, 31, 25,
+ 24, 34, 37,
+ 29, 22, 30,
+ 32, 23, 33,
+ 35, 26, 36,
+ 2, 38, 39,
+ ]
+
+#check the permutation
+for i in range(0,39):
+ if (T[i] != T[psi[i]-1]):
+ print("T's wiring doesn't match at index ", i)
+
+#naive wire test
+x_values = range(1, 40)
+
+Tx = PolysOnZKField.lagrange_polynomial(zip(x_values, T))
+psix = PolysOnZKField.lagrange_polynomial(zip(x_values, psi))
zero_test_poly = prod(list(map(lambda x_val: x - x_val,x_values)))
-print("Trace polynomial: ", trace_poly)
+naive_wire_poly = Tx(psix(x)) - Tx(x)
+
+print("Naive wire polynomial: ", naive_wire_poly)
+print("Zero test polynomial:", zero_test_poly)
+print("The remainder of wirepoly/zerotest: ",naive_wire_poly % zero_test_poly)
+
+
+u1 = ZKField('0x'+hashlib.sha256("Hello, PBA! I'm u1".encode()).hexdigest())
+u2 = ZKField('0x'+hashlib.sha256("Hello, PBA! I'm u2".encode()).hexdigest())
+
+u1 = ZKField(-1)
+u2 = ZKField(1)
+#$\prod_{a\in\{1,..,39\}}\frac{u_1 - u_1 \times a - T(a)}{u_1 - u_2 \times \psi(a) - T(\psi(a))}
+f_numerator = [0]*39
+g_denominator = [0]*39
+for i in range(0, 39):
+ f_numerator[i] = u1 - u2 * psi[i] - T[psi[i]-1]
+ g_denominator[i] = u1 - u2 * (i + 1) - T[i]
+
+for i in range(0, 39):
+ if (f_numerator[i] != g_denominator[psi[i]-1]):
+ print("perm wiring doesn't match at index ", i)
+
+p_acc = ZKField(1)
+for i in range(0, 39):
+ p_acc *= f_numerator[i]/g_denominator[psi[i]-1]
+
+print(p_acc)
+
+t = [0]*39
+t[0] = f_numerator[0]/g_denominator[0]
+for i in range(1,39):
+ t[i] = t[i-1] * f_numerator[i]/g_denominator[i]
+
+fx = PolysOnZKField.lagrange_polynomial(zip(x_values,f_numerator))
+gx = PolysOnZKField.lagrange_polynomial(zip(x_values,g_denominator))
+tx = PolysOnZKField.lagrange_polynomial(zip(x_values,t))
+
+perm_poly = tx(x+1) * gx(x+1) - tx(x) * fx(x+1)
+for i in range(1,40):
+ print(perm_poly(i))
+
+print("Perm check polynomial: ", perm_poly)
print("Zero test polynomial:", zero_test_poly)
-print("The remainder of trace/zerotest: ",trace_poly % zero_test_poly)
+print("The remainder of permpoly/zerotest: ",perm_poly % zero_test_poly)
-qx = trace_poly / zero_test_poly
+qx = perm_poly / zero_test_poly
print("q(x):",qx)
# y^2 = x^3 + 8*x + 10 embeding degree 8 on 101 order 89
# (trace_poly(r) - trace_poly(tau)) / (r - tau)
+for i in range(0, 39):
diff --git a/syllabus/1-Cryptography/materials/zk-factorization-example/psi-with-wirings.xopp b/syllabus/1-Cryptography/materials/zk-factorization-example/psi-with-wirings.xopp
new file mode 100644
index 000000000..26c9c05cb
Binary files /dev/null and b/syllabus/1-Cryptography/materials/zk-factorization-example/psi-with-wirings.xopp differ
diff --git a/syllabus/1-Cryptography/materials/zk-factorization-example/psi.png b/syllabus/1-Cryptography/materials/zk-factorization-example/psi.png
new file mode 100644
index 000000000..620742a51
Binary files /dev/null and b/syllabus/1-Cryptography/materials/zk-factorization-example/psi.png differ
diff --git a/syllabus/1-Cryptography/materials/zk-factorization-example/trace-polynomial-known-points-with-wirings.xopp b/syllabus/1-Cryptography/materials/zk-factorization-example/trace-polynomial-known-points-with-wirings.xopp
new file mode 100644
index 000000000..9102ad5e6
Binary files /dev/null and b/syllabus/1-Cryptography/materials/zk-factorization-example/trace-polynomial-known-points-with-wirings.xopp differ
diff --git a/syllabus/1-Cryptography/materials/zk-factorization-example/trace-polynomial-known-points.png b/syllabus/1-Cryptography/materials/zk-factorization-example/trace-polynomial-known-points.png
new file mode 100644
index 000000000..a140473ef
Binary files /dev/null and b/syllabus/1-Cryptography/materials/zk-factorization-example/trace-polynomial-known-points.png differ
diff --git a/syllabus/1-Cryptography/materials/zk-factorization-example/wirings-on-gate-constrains.xopp b/syllabus/1-Cryptography/materials/zk-factorization-example/wirings-on-gate-constrains.xopp
new file mode 100644
index 000000000..4c9d798a2
Binary files /dev/null and b/syllabus/1-Cryptography/materials/zk-factorization-example/wirings-on-gate-constrains.xopp differ