SNARKs

Properties that any zero knowledge based proving system needs to entertain:

Completeness: Any honest prover can convince verifier of the statement and witness.
Soundness: Any malicious prover can never convince a verifier of the statement that it’s trying to prove. In other words, if a prover doesn’t know witness, it can never convince the verifier.

Any proving system defines an n-variate polynomial with an evaluation recipe. Two parties involved in the process are Prover and Verifier.

What is the difference between proof and argument of knowledge?

SNARKS are succinct argument of knowledge: Mostly used interchangeably but in proofs the soundness holds against a computationally unbounded adversary while in argument of knowledge soundness only holds against polynomially unbounded adversary. Arguments are thus called computationally sound proofs.

SNARK

snark

Argument system that generate succinct and fast proofs for public statement $x$ in $F^{n}$ and secret witness $w$ in $F^{m}$ . The statement and witness need to be encoded in an arithmetic circuit $C$ .

Arithmetic circuits: $C (x, w) \to F$

Requirements:

Completeness: $\forall x, w : C (x, w) = 0 \to P r [V (S_{v}, x, P (S_{p}, x, w))] = 1$
Knowledge Sound: P doesn’t know $w \to P r [V (S_{v}, x, π)] =$ negligible

why are finite fields important for SNARKs?

Because of hard DLP, group operations, roots of unity.

More formal definition:

Soundness

For dummies like me: for every polynomial time adversary, there exists an extractor that uses adversary to find out about $w$ , even though adversary doesn't know about $w$ , because if it would, then adversary can generate arbitrary proofs.

(S,P,V) is knowledge sound for a circuit if for every poly. time adversary A = (A_0, A_1) such that:

S (C) (x, s t a t e) w \to (S_{p}, S_{v}) \leftarrow A_{0} (S_{p}) \leftarrow A_{1} (x, S_{p}, s t a t e)

there is an efficient extractor $E$ , that uses $A_{1}$ s.t.

S (C) (x, s t a t e) w \to (S_{p}, S_{v}) \leftarrow A_{0} (S_{p}) \leftarrow E^{A_{1} (x, S_{p}, s t a t e)} (S_{p}, x)

Zero Knowledge

For any normal proof, there exists a simulator which can generate proofs without knowledge of $w$ .

(S,P,V) is zero knowledge for circuit C if there is an efficient Sim s.t. $\forall x \in F^{n} \to \exists w : C (x, w) = 0$ , the distribution:

$(C, S_{p}, S_{v}, x, π) : where (S_{p}, S_{v}) : S (C), π : P (S_{p}, x, w)$

is indistinguishable from the distribution:

$(C, S_{p}, S_{v}, x, π) : where (S_{p}, S_{v}, π) \leftarrow S im (C, x)$

Proofs

Two ways to prove statement:

Interactive: prover and verifier goes back and forth to agree on some random values and parameters which verifier can then verify.
Non-interactive: Pre-processing done to generate a proof $π$ that allows verifier to verify circuit.

Preprocess argument system: prover preprocesses $C$ to generate public parameters $S_{p}, S_{v}$ .

Consists of $(S, P, V)$ :

$S (C)$ : generate $S_{p}, S_{v}$
$P (S_{p}, x, w)$ : generate proof $π$
$V (S_{v}, x, π)$ : verify proof

How does $S_{p}, S_{v}$ gets generated? Is it done for every circuit or some other method? Wouldn't it be very bad UX if we have to run $S$ every time?: Each circuit needs some summary that can be used to verify the proof as no verifier will run the whole computation again, otherwise there's no benefits of these systems.

There has to be some randomisation involved that prover can’t forge by itself to generate these parameters.

First method is to generate random $r$ for every circuit outside prover.
Second is to generate a random value once $S_{ini t} (λ, r) \to pp$ , create some public parameters based on that, use those parameters to generate $S_{in d e x} (pp, C) \to S_{p}, S_{v}$
Totally transparent: no random secrets needed to generate circuit parameters.

Pipeline followed by any ZKP system:

flowchart LR
A["computation"]
B["circuit"]
C["prover"]
D["IOP"]
E["verifier"]
A-- arithmetisation --> B
B-->C
C-->D
D-->E

Any circuit need to be proven to verifier, so we need to encode and evaluate our polynomial. Thus, most SNARK system consist of two components:

Functional commitment scheme (FCS)
Interactive oracle proofs (IOP)

PLONK: poly-IOP for General Circuit

Plonk IOP can be used with different PCS to generate different proving systems. For example:

Aztec’s proving system: KZG+Plonk
Halo2: Bulletproofs + Plonk, used by zcash
Plonky2: FRI + Plonk, used by polygon zkevm
Scroll: (halo2) plonk + kzg

Step 1: Compile Circuit for a Computation Trace

Suppose you have a circuit with inputs $I : I_{x}, I_{w}$ , and gates C where $x$ is the statement inputs and $w$ is the witness input. Our goal is to prove to verifier that $C (w) = 0$ .

circuit

We put inputs $x_{1} = 5, x_{2} = 6, w_{1} = 1$ , and compute the computation trace through the circuit. The computation trace comes out to be:

inputs:	5	6	1
Gate 0:	5	6	11
Gate 1:	6	1	7
Gate 2:	11	7	77 ← Output

Step 2: Encode Trace in Polynomial $P$

Calculate $d$ of $P$ = $3∣ C ∣ + ∣ I ∣$ where |C|: no. of gates and |I|: no. of inputs
Aim: encode in a polynomial of form: $F_{p}^{(<= d)} (X)$
Encode inputs: $P (w^{- i}) = I_{i} \forall i \in I$
Encode gate $l \in C$ wirings:
- $P (w^{3 l}) =$ left input to gate l
- $P (w^{3 l + 1}) =$ right input to gate l
- $P (w^{3 l + 2}) =$ output of gate l
Prover has $d$ evaluations of $P$ , can use FFT to interpolate coefficients in $O (l o g_{2} d)$

Step 3: Prove Validity of P

What does prover needs to prove to verifier in order to convince it?

correct output: to prove that output of computation was according to the statements and witness committed.
correct inputs: proves
correct intermediate gate evaluations:
wiring between gates is according to the statement specified by prover

Proof Gadgets for IOP

equality test → to test if polynomial $f$ and $g$ are equal and note that verifier only has the commitment, verifier queries the polynomial at point $r$ or opens the commitment and test if values providied by prover are equal. But this generates soundness error.
soundness error → two polynomials in $F_{p}$ can be zero at at most d roots, if $f (r) - g (r) = 0 => f - g = 0 => f = g v.h.p$
- this assumption has error d/p such that if suppose g is not same as f, then g can have at most d different roots. thus, error → $d / p$
- this is derived from Schwartz-Zippel Lemma

let $\Upomega$ be some subset of $F_{p}$ of size $k$ . Let $f \in F_{p}^{<= d} [X]$ be the polynomial that prover wants to prove. Verifier has commitment to this polynomial $C o m (f)$ .

We can construct efficient poly-IOPs for the following tasks:

Zero Test: Prove that $f$ is identically zero on $\Upomega$
Sumcheck: Prove that $\sum_{a \in \Upomega} f (a) = 0$
Product check: Prove that $\prod_{a \in \Upomega} f (a) = 1$
Permutation check: Prove that $f (a) = g (W (a))$ where $W$ is a permutation polynomial.

Question

Why do we do these checks only? What is the significance of these checks? What other checks can be done? Can we remove some checks or combine some checks?

How does the permutation polynomial is calculated?

Find the reasons behind these checks? Could you have come up with these yourselves?

Vanishing Polynomial of $\Upomega$ is $Z_{\Upomega} (X) := \prod_{a \in \Upomega} (X - a)$ . $De g (Z_{\Upomega}) = k$ If $\Upomega$ becomes the multiplicative subgroup formed using primitive $k^{t h}$ root of unity, then VP becomes $X^{k} - 1$ . Thus, VP can be calculated in logarithmic time.

Zero Check

Let $\Upomega = 1, ω, \dots, ω^{k - 1}$ . Calculate $q (X) = f (X) / X^{k} - 1$ .

Send $C o m_{q}$ to verifier, and verifier opens commitment at point $r$ , and check $f (r) = q (r) (r^{k} - 1)$ . This proves that f(x) is divisible by X^k-1, hence, f has roots in $\Upomega$ .

Sum Check

Read Sumcheck

Product Check on $\Upomega$

We want to prove $\prod_{a \in \Upomega} f (a) = 1$ . Naively, we can send all evaluations of $f$ in $\Upomega$ but that will be quadratic in degree d. Instead, we can create a polynomial $t \in F_{p}^{<= k} (X)$ that evaluates to 1 at $ω^{k} - 1$ .

Let’s try a toy example in sage taken from here:

// verifying that f(x)=c in GF(17) for w = 4
F17 = GF(17)
R17.<x> = PolynomialRing(F17)
w = F17(4)
c0 = F17(2)
c1 = F17(3)
c2 = F17(4)
c3 = F17(5)
c = c0*c1*c2*c3
points = [(w^0, c0), (w, c1), (w^2, c2), (w^3, c3)]
R17.lagrange_polynomial(points)

So, we can define polynomial $t$ s.t. $t (1) = 1, t (ω^{s}) = \prod_{i = 0}^{s} f (ω^{i})$ for s=1,…,k-1. Now in order to prove product check, we’ll prove:

$t (ω^{k - 1}) = 1$
$t (ω . x) = t (x) . f (ω . x)$ for all $x \in \Upomega$ . This will be used to a zero test on t(X) so that verifier can get convinced that prover actually computed $t (x)$ . This is proven using: $t (ω r) - t (ω) f (ω r) = q (r) (r^{k} - 1)$ .

The same product check holds for rational function as well, i.e. $f / g$ . Prove this using: $t (ω x) g (ω x) = t (x) f (ω x)$

Permutation Check

It is used to check that two polynomials $f, g$ are permutation of each other. Mainly, prover wants to prove that: $(f (1), f (ω), \dots, f (ω^{k - 1})) \in F_{p}^{k}$ is a permutation of $(g (1), g (ω), \dots, g (ω^{k - 1})) \in F_{p}^{k}$ .

permutation

Can be done by creating two polynomials $\hat{F} = \prod_{a \in \Upomega} (X - f (a))$ and $\hat{G} = \prod_{a \in \Upomega} (X - g (a))$ and doing product check on these two polynomials. How will the product check work? It’s simply testing that $\frac{f ^ ( r )}{g ^ ( r )} = \prod_{a \in \Upomega} (\frac{r - f ( a )}{r - g ( a )}) = 1$ .

Why can't we do zero test to check that these polynomials are equal? ::

Prescribed Permutation Check

Instead of just proving the permutation, prover wants to prove that $f (x) = g (σ (x))$ , where $σ : \Upomega \to \Upomega$ is a permutation if $\forall i \in [k] : W (ω^{i}) = ω^{j}$ is a bijection.

Why can't you use zero check here to check the two polynomials are equal? :: because g(W(y)) where y in $\Upomega$ will become O(d^2) in prover time. We don't want quadratic time prover.

Observation: If $(σ (a), f (a))_{a \in \Upomega}$ is a permutation of $(a, g (a))$ then $f (y) = g (σ (y))$ . We prove this by defining bivariate polynomial:

\hat{f} (X, Y) \overset{g}{^} (X, Y) = a \in \Upomega \prod (X - Y . σ (a) - f (a)) = a \in \Upomega \prod (X - Y . a - g (a))

We do product check on these two polynomials such that $\prod_{a \in \Upomega} (\frac{r - s . σ ( a ) - f ( a )}{r - s . a - g ( a )}) = 1$ , where $r, s$ is the input queried by verifier.

Proving Validity of T(x).

T(x) is the polynomial that encodes the computation trace of the circuit.

Prove Inputs Were Correct.

Create polynomial v(y) on $\Upomega_{in p} := {ω^{- 1}, ω^{- 2}, \dots, ω^{- ∣ I x ∣}} \subseteq \Upomega$ and do zero test on:

T (y) - v (y) = 0 \forall y \in \Upomega_{in p}

Prove Gate Evaluations Are Correct

Define a selector polynomial S(X) which is:

$S (ω^{3 l}) = 1$ if gatel is an addition gate.
$S (ω^{3 l}) = 0$ if gatel is a multiplication gate.

Then, you define the polynomial:

$S (y) [T (y) + T (w y)] + (1 - S (y)) [T (y) . T (w y)] = T (w^{2} y)$

then it’s just the zero check.

Combining Gate Constraints into One Equation

You can very easily combine gate constraints into one equation:

Q_{L} (x) a (x) + Q_{R} (x) b (x) + Q_{O} (x) c (x) + Q_{M} (x) (a (x) . b (x)) + Q_{C} (x) = 0 \label e q a (1)

where,

$Q_{L}, Q_{R}$ : selector polynomial created for evaluation for left, right of a gate respectively.
$Q_{O}$ : selector polynomial for addition gate.
$Q_{M}$ : selector polynomial for multiplication gate.
$Q_{C}$ : polynomial for constant in a gate, ex: public inputs of the circuit.
$a (x), b (x), c (x)$ : polynomial for left, input and output values of the gates.

We can rewrite $\eqref e q a$ in terms of linear factors in $ω^{i}$ ,

Q_{L} (x) a (x) + Q_{R} (x) b (x) + Q_{O} (x) c (x) + Q_{M} (x) (a (x) . b (x)) + Q_{C} (x) = (x - ω) \dots (x - ω^{n}) h (X)

Term $(x - ω) \dots (x - ω^{n})$ is Vanishing Polynomial: $H (X)$ . Since, $ω$ is a primitive nth root of unity, $ω^{i}$ forms a cyclic group, and $H (X) = X^{n} - 1$ . Plonk says that, constraint system is satisfied, when the constraint equation is completely divided by Vanishing polynomial.

H (X) ∣ Q_{L} (x) a (x) + Q_{R} (x) b (x) + Q_{O} (x) c (x) + Q_{M} (x) (a (x) . b (x)) + Q_{C} (x)

Prove Gate Wirings Are Correct.

encode the wires as permutation polynomial and prove through permutation check that wiring along the circuit is correct.

$T (y) = T (σ (y)) \forall y \in \Upomega$

But we have three different n-degree poly, namely $a (X), b (X), c (X)$ , thus we join these three polys into one polynomial of degree-3n:

u = x_{l} ∣∣ x_{r} ∣∣ x_{o} = (x_{l}^{1}, \dots, x_{l}^{n}, x_{r}^{1}, \dots, x_{r}^{n}, x_{o}^{1}, \dots, x_{o}^{n})

and create a permutation $σ \in S_{3 n}$ on $u$ which gives $v$ . $σ$ is chosen such that subset of array $u$ forms cycles.

Recap

plonk-iop

Formal Protocol

Prover’s Algorithm

Round 1:

Compute $a (x), b (x), c (x)$ and send commitments $[a]_{1}, [b]_{1}, [c]_{1}$ to verifier.

Round 2:

Compute permutation challenge $β, γ$ .
Compute permutation polynomial $z (x)$ and send commitment $[z]_{1}$ to verifier.

Round 3:

Compute quotient polynomial $t (x)$ and send commitment $[t_{l o w} (x)]_{1}, [t_{mi d} (x)]_{1}, [t_{hi} (x)]_{1}$ to verifier.
It uses quotient challenge: $α$ to distinguish the three conditions.

It contains all three conditions that is to be proven to the verifier, i.e.

equality constraint involving $a (x), b (x), c (x)$
permutation constraint:
- $z (x) f^{'} (x) = g^{'} (x) z (x ω)$
- $L_{1} (z (x) - 1) = 0 \forall x \in \Upomega$

Round 4:

Evaluation of $a, b, c, S_{σ 1}, S_{σ 2}, t$ at $z$ and evaluation challenge: $z$ at $z ω$ . Namely, $\overset{a}{ˉ}, \overset{ˉ}{b}, \overset{c}{ˉ}, \overset{s}{ˉ}_{σ 1}, \overset{s}{ˉ}_{σ 2}, \overset{z}{ˉ}$ .

Round 5:

Linearisation polynomial $r (x)$ can be interpreted as $t (x) = t_{l o w} (X) + X^{n} t_{mi d} (X) + X^{2 n} t_{hi} (X) = l (X) / Z_{H} (X)$ . Thus, prover proves $r (x) = l (X) - Z_{H} (z) (t_{l o w} (X) + z^{n} t_{mi d} (X) + z^{2 n} t_{hi} (X)) = 0$ , evaluated at $z$ .

Proof polynomial: $W_{z} (x) = \frac{M ( X )}{X - z}$ , and $W_{z ω} (x) = \frac{N ( X )}{X - z ω}$ . It contains separate terms for each polynomial, separated using opening challenge: $v^{i}$ . Send $[W_{z}]_{1}$ and $[W_{z ω}]_{1}$ .

Overall Proof:

Proof consists of:

9 $G_{1}$ points: $[a]_{1}, [b]_{1}, [c]_{1}, [t_{l o w}]_{1}, [t_{mi d}]_{1}, [t_{hi}]_{1}, [z]_{1}, [W_{z}]_{1}, [W_{z ω}]_{1}$
6 $F$ evaluations: $\overset{a}{ˉ}, \overset{ˉ}{b}, \overset{c}{ˉ}, \overset{s}{ˉ}_{σ 1}, \overset{s}{ˉ}_{σ 2}, \overset{z}{ˉ}$
multipoint evaluation challenge: $u$
$54 (n + a) lo g (n + a) F m u l$ operations

Verifier Algorithm

Explained intuition behind the steps really well here. Just reiterating those here:

$W_{z} (X)$ can be written as $M (X) / (X - z)$ , and $W_{z ω} (x) = N (x) / (X - z ω)$ . Combining these two identities with multipoint evaluation challenge $u$ , we get:

X (W (X) + u W_{z ω} (X)) = z W (X) + z ω u W_{z ω} (X) + M (X) + u N (X)

Plonk Extensions

Turboplonk: Custom gates
Ultraplonk: Turboplonk+ Plookup
Hyperplonk
UniPlonk
Fflonk
Goblinplonk

TurboPlonk

Plonk’s arithmetization allows to efficiently add gates other than addition/multiplication. These gates are necessary to reduce constraints in a repetitive computation like hash function computation which involves bitwise arithmetic like XOR.

This article from Kobi explains really well, the design considerations for a custom gate model of MiMc hash.

Plonkup

Explanation of prover and verifier’s algorithm with reasoning of each step can be found in a beautiful explanation in a blog post by Joshua and by Hector.

lonerapier.xyz

Explorer

SNARKs