Git-Mirrors/decentralized-cryptography-toolkit
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

move old resources from protocol toolkit

Browse source
This commit is contained in:
bt3gl 2024-11-04 17:30:01 +07:00
parent 88a381fd34
commit 632be7cbf5
31 changed files with 357 additions and 466 deletions
Download patch file Download diff file Expand all files Collapse all files

71
zero_knowledge/proofs/README.md Normal file
View file

@ -0,0 +1,71 @@
## zero-knowledge proofs
<br>
### tl; dr
<br>
* suppose that you have a (public) function `f`, a (private) input `x`, and a (public) output `y`.
* you want to prove that you know an `x` such that `f(x) = y`, without revealing what `x` is.
* for the proof to be succinct, you want it to be verifiable much more quickly than computing itself.
* a **trusted setup ceremony** is a procedure that is done to generate a piece of data that must be used every time some cryptographic protocol is run.
* for some proofs to work, such as zk-snarks, it's necessary to create a **common reference string (CRS)**, which provides public parameters for proving and verifying validity proofs.
* the security of the proving system depends on the csr setup and some zk-rollups attempt to solve this problem by using a **multi-party computation ceremony (mpc)** with trusted individuals.
* modern protocols use the **power-of-tau** setup, which has 1-of-N trust model, with N around hundreds.
<br>
<p align="center">
<img width="300" src="https://user-images.githubusercontent.com/1130416/234407214-ed3974fd-85cc-471b-a08b-e2edf0efd1a2.png">
</p>
<br>
#### comparison of proof systems
<p align="center">
<img width="300" src="https://user-images.githubusercontent.com/1130416/234476377-f7c88f31-919f-4503-8b60-203ca9b0c06d.png">
<img width="300" src="https://user-images.githubusercontent.com/1130416/234476566-df847c7f-b1ad-42cf-b5dd-85ba2cf7a997.png">
</p>
<br>
#### common reference strings, structured reference strings, trusted setup, multi-party computation ceremony
<br>
<p align="center">
<img width="250" src="https://user-images.githubusercontent.com/1130416/235269418-3cb7b4ca-83b7-4930-a367-586cb8be4fc7.png">
</p>
<br>
<br>
----
### chapters
<br>
* **[zk-snarks](zk-snarks)**
* **[zk-starks](zk-starks)**
* **[plonk](plonk)**
* **[halo2](halo2)**
* **[nova](nova)**
* **[bulletproofs](bulletproofs)**
* **[kate](kate)**
<br>
---
### cool resources
<br>
* **[how do trusted setups work, by vub](https://vitalik.ca/general/2022/03/14/trustedsetup.html)**
* **[the original paper for sonic, by m. maller et al](https://eprint.iacr.org/2019/099)**
* **[a python script for trusted setup](https://github.com/ethereum/research/blob/master/trusted_setup/trusted_setup.py)**

7
zero_knowledge/proofs/bulletproofs/README.md Normal file
View file

@ -0,0 +1,7 @@
## bulletproofs
<br>
<p align="center">
<img width="600" src="https://user-images.githubusercontent.com/1130416/234164194-032fe86c-c0c6-4479-ac14-859759356641.png">
</p>

22
zero_knowledge/proofs/halo2/README.md Normal file
View file

@ -0,0 +1,22 @@
## halo2
<br>
### tl; dr
<br>
* halo2 us based on ultraplonk and uses several plonkish functions.
* it replaces the kzg polynomial commitment with inner-product argument, which has weaker security assumptions than plonk.
* halo2 does not need setup and implement a powerful recusive proof function. therefore, zkevm can improve the time and efficiency of generating block proof.
<br>
----
### cool resources
<br>
* **[0xparc on halo2](https://learn.0xparc.org/halo2/)**
* **[intro to PLONKish/halo2, by y. tong](https://docs.google.com/presentation/d/1UpMo2Ze5iwzpwICPoKkeT04-xGFRp7ZzVPhgnidr-vs/edit#slide=id.g133c45f1bcd_3_36)**

31
zero_knowledge/proofs/kate/README.md Normal file
View file

@ -0,0 +1,31 @@
## kate polynomial commitment scheme (pronounced kah-tay)
<br>
### tl; dr
<br>
* it allows a prover to compute a commitment to a polynomial, with the properties that this commitment can later be opened at any position.
* the prover shows that the value of the polynomial at a certan position is equal to a claimed value.
* once a **commitment** (an elliptic curve point) is sent to the verifier, the prover cannot change the polynomial they are working with.
* a merkle tree is a "vector commitment": using a merkle tree of depth, you can compute a commitment to a list of elements of fixed length. using merkle proofs, you can provide a proof that an element is a member of this vector at position using hashes.
* in the kate commitment scheme, the element is the commitment to the polynomial: could the prover (without knowing) find another polynomial that has the same commitment.x
<br>
<p align="center">
<img width="586" src="https://user-images.githubusercontent.com/1130416/234472661-000ccabb-2bce-4e16-8a51-f599c04b643d.png">
</p>
<br>
----
### cool resources
<br>
* **[the original kate paper](https://www.iacr.org/archive/asiacrypt2010/6477178/6477178.pdf)**
* **[kzg polynomial commitments, by d. feist](https://dankradfeist.de/ethereum/2020/06/16/kate-polynomial-commitments.html)**
* **[the kzg ceremony, by c. beekhuizen](https://archive.devcon.org/archive/watch/6/the-kzg-ceremony-or-how-i-learnt-to-stop-worrying-and-love-trusted-setups/?tab=YouTube)**

20
zero_knowledge/proofs/nova/README.md Normal file
View file

@ -0,0 +1,20 @@
## nova
<br>
### tl; dr
<br>
* nova is the state of the art and high-speed for recursive snarks, using R1CS arithmetization, it can be thought of as a preprocessor for zksnarks.
* nova can shrink the cost (in number of r1cs constraints) of checking N instances of a problem to one instance of the same problem.
<br>
---
### cool resources
<br>
* **[nova: recursive snarks without trusted setup, by microsoft](https://github.com/microsoft/Nova)**

36
zero_knowledge/proofs/plonk/README.md Normal file
View file

@ -0,0 +1,36 @@
## plonk
<br>
### tl; dr
<br>
* **[introduced in 2019](https://eprint.iacr.org/2019/953.pdf)**, plonk stands for **"permutations over lagrange-bases for ecumenical noninteractive arguments of knowledge"**, brining enhancements to the usability of zkps by giving a **universal fully-succinct zk-SNARK with significantly improved prover run time compared to fully-succinct sonic**.
* while plonk still requires a trusted setup procedure similar to snarks, but it's **universal and updateable trusted setup**, meaning:
- instead of there being one separate trusted setup for every program to be proved, there is one single trusted setup for the whole scheme.
- there is a way for multiple parties to participate in the trsuted setup such that it's secure as long as any one of them is honest, and this multi-party procedure is fully sequential (polynomial commitment, in this case, kate).
* there are two types of constraints:
- gate constraints (equations between wires attached to the same gate, e.g., `a1 * b1 = c1`).
- copy constraints (claims about equality of different wires anywhere in the circuit, e.g., `ao = a1`)
* **polynomial commitments** is a short object that represents a polynomial, allowing evaluations verification without needing all the data in the polynomial.
* if someone gives you a commitment representing `c` they can give you a proof that can convince you, for some specific `z`, what the value of `P(z)`.
* a commitment to a degree-d polynomial is made by multiplying each of the first d+1 points in the proving key by the corresponding coefficient in the polynomial, and adding the results together, providing an evaluation of that polynomial at `s` without knowing `s`.
<br>
<p align="center">
<img width="593" src="https://user-images.githubusercontent.com/1130416/234398674-d7af7145-e9c8-4dc6-b13a-003745765600.png">
</p>
<br>
---
### cool resources
<br>
* **[understanding plonk, by vub](https://vitalik.ca/general/2019/09/22/plonk.html)**
* **[plonk original paper, by a. gabizon et al.](https://eprint.iacr.org/2019/953.pdf)**
* **[plookup original paper, by a. gabizon et al.](https://eprint.iacr.org/2020/315)**

61
zero_knowledge/proofs/zk-snarks/README.md Normal file
View file

@ -0,0 +1,61 @@
## zk-snarks
<br>
### tl; dr
<br>
* introduced in 2011, **zk-snarks stands for "zero-knowledge succint non-interactive argument of knowledge"**, and refers to a proof construction where one can prove possession of certain information, without revealing the information nor any interaction between the prover and verifier.
* it made it possible to efficiently scale the nuber of polynomials that can be gated, improving speed and potential complex applications.
* a **"succinct" proof is one where both the size of the proof and the time required to verify it grow much more slowly than the computation to be verified**".
* succint zk proofs can be verified within a few milliseconds, with a proof length of only a few hundred bytes even for large statements.
* this entails enconding the computation into polynomials.
* **a polynomial commitment** is way to hash a polynomial, and the equations between polynomials can be checked by checking equations between hashes.
* **zcash was the first widespread application of zk-snarks** by encoding some of the networks consensus rules into it.
* in may '22, zcash introduced the orchard shielded payment protocol, which utilizes the halo2 zk proving system (and replace trusted ceremonies).
<br>
#### implementation
* **encoding a polynomial problem**: the program that is to be checked is compiled into a quadractic equation of polynomials, where the equality holds if and only if the program is computed correctly - the prover wants to convince the verifier that this equality holds.
* **succinctness by random sampling**: the verifier chooses a secret evaluation point to reduce the problem from multiplying polynomials and verifying polynomial function equality to simple multiplication and equality check on numbers. - this reduces both the proof size and the verification time.
* **homomorphic enconding/encryption**: an encoding/encryption function E is used that has some homomorphic properties (two operations are homomorphic if you can exchange their order without affecting the resul).
* **zero-knowledge**; verifier can check correct structure without knowing the actual encoded values.
<br>
#### building circuits
1. the first step in turning a tx validity function into a mathematical representation is to break down the logical steps into the smallest possible operations, creating an "arithmetic circuit". this is similar to a boolean circuit where a program is compiled down to discrete AND, OR, NOT.
2. next is to build a **rank 1 constraint system (r1cs)**, to check the values. it's only needed to check that 2 polynomials match at one randoly chosen point in order to verify the proof with high probability. with zk-snarks, techniques such as **homomorphic encryption** and **pairings of elliptic curves** are used to evaluate polynomials blindly.
3. the zero-knowledge part comes from having the prover using "random shifts" of the original polynomials that still satisfy the identity.
<br>
#### zk-snarks applied to create a shielded tx (zcash)
* the sender of a shielded tx constructs a proof to show that, with high probability:
1. the input values sum to the output values for each shielded transfer.
2. the sender proves that they have the private spending keys of the input notes, giving them the authority to spend.
3. the private spending keys of the input notes are linked to a signature over the whole tx, in such a way that the tx cannot be modified by a party that doesn't not have the priv keys.
<br>
---
### cool resources
<br>
* **[what are zk-snarks, by z-cash](https://z.cash/technology/zksnarks/)**
* **[libsnark, C++ lib for zkSNARKS](https://github.com/scipr-lab/libsnark)**
* **[zk-snarks in a nutshell, by ef](https://blog.ethereum.org/2016/12/05/zksnarks-in-a-nutshell)**
* **[bellman, a crate for building zk-SNARK circuits](https://github.com/zkcrypto/bellman)**
* **[an approximate introduction to how zk-snarks are possible, by vub](https://vitalik.ca/general/2021/01/26/snarks.html)**
* **[the crazy security behind the birth of zcash](https://spectrum.ieee.org/the-crazy-security-behind-the-birth-of-zcash)**
* **[bitcoin-monero cross-chain atomic swap](https://eprint.iacr.org/2020/1126.pdf)**
* **[atomic swaps between bitcoin and monero](https://arxiv.org/pdf/2101.12332.pdf)**

26
zero_knowledge/proofs/zk-starks/README.md Normal file
View file

@ -0,0 +1,26 @@
## zk-starks
<br>
### tl; dr
<br>
* the T stands for "transparent", resolving one of the primary weakness of zk-snarks, its reliance on a trusted setup (they can work without the trusted setup of common reference string (crs)). instead, they rely on publicly verifiable randomness to setup parameters for generating and verifying proofs.
* thye also come with much simpler cryptographic assumptions, avoiding the need for elliptic curves, pairings, and knowledge of expoent assumptions - instead relying on hashes and information theory (secure on the quantum standard).
* the size of a proof goes up from 288 bytes to a few hundred kilobytes (making it more expensive to verify on ethereum).
* it provides more scalability because the time needed to prove and verify validity proofs increases quasilinearly in relation to the complexity of the underlying computation.
<br>
---
### cool resources
<br>
* **[risc0, zk platform based on zk-starks and risc-v microarchtecture](https://github.com/risc0/risc0)**
* **[starks, part I: proof with polynomials, by vub](https://vitalik.ca/general/2017/11/09/starks_part_1.html)**
* **[starks, part II: thank you goodness it's fri-day, by vub ](https://vitalik.ca/general/2017/11/22/starks_part_2.html)**
* **[starks, part III: into the weeds, by vub](https://vitalik.ca/general/2018/07/21/starks_part_3.html)**
* **[stark 101 videos, by starkware](https://www.youtube.com/watch?v=iuNbrTkH2ik)**