Introduction

Welcome to this book dedicated to Zero-Knowledge Proofs (ZK) and their applications in modern cryptography. Zero-Knowledge Proofs are magical, inspiring, and, more importantly, breathtaking. This book compiles documentation and specifications on ZK algorithms, aiming to provide researchers, developers, and cryptography enthusiasts with in-depth insights and guidance.

As this is a work in progress, we are continually learning and evolving our understanding of the subject. If you find any errors or areas for improvement, please feel free to provide feedback.

Please note that, as a work in progress, this book does not necessarily reflect the latest developments in the ZK field.

Terminology

This document establishes a consistent terminology and notation for the concepts commonly used in the context of zero-knowledge proofs (ZKPs). It aims to make the presentation clear and concise, particularly for readers with a background in cryptography or mathematics. The following conventions will be used throughout the book:

Fields and Curves

Finite Fields:

$F_{p}$ : Denotes a general finite field of prime order $p$ .

Elliptic Curves:

$F_{r}$ : Scalar field
$F_{q}$ : Base field

Algebra

In zero-knowledge proofs, algebra plays a crucial role as it provides the foundational framework for constructing complex mathematical structures and algorithms. These structures ensure the security and privacy of information, allowing verifiers to confirm the truth of a statement without revealing specific details. We will provide an introductory overview of groups, rings, fields, Number Theoretic Transform (NTT), and Multi-Scalar Multiplication (MSM).

Groups

Introduction

This document provides a simple introduction to group theory and its key role in cryptography. Group theory is essential for building many cryptographic systems, including encryption, digital signatures, and zero-knowledge proofs (ZKPs). These mathematical structures ensure that operations like encryption and authentication are secure and reliable.

We’ll start by defining groups, abelian groups, and cyclic groups, which are the backbone of many cryptographic algorithms. For example, the security of RSA encryption relies on group properties, and protocols like ECDSA use elliptic curves, which are based on group theory. Cyclic groups are crucial for creating secure ZKP systems like the Schnorr protocol, which is widely used for authentication.

Throughout the article, we’ll highlight how these abstract mathematical concepts directly contribute to secure communication in cryptography.

Groups And Abelian Groups

In cryptography, group theory plays a fundamental role, especially in modern public-key cryptography and protocol design. A group is an algebraic structure consisting of a set of elements and a binary operation that satisfies closure, associativity, identity element, and invertibility. Below are some key applications of group theory in cryptography:

Group theory underpins many widely used signature schemes, such as RSA and ECDSA.
Many ZKP protocols use group operations, particularly cyclic groups, to construct secure proof systems. For instance, the Schnorr protocol is a zero-knowledge proof system based on cyclic groups and the discrete logarithm problem, widely used for authentication and privacy-preserving systems.

Let's begin with a definition and then some examples.

Basic Definitions

Binary operation: Let $G$ be a set. A binary operation is a map of sets: $\circ : G \times G \to G .$ For ease of notation we write $\circ (a, b) = a \circ b$ , for all $a, b$ in $G$ . Any binary operation on $G$ gives a way of combining elements. If $G = Z$ (the set of integers $Z$ , so denoted because the German word for numbers is Zahlen) then $+$ and $\times$ are natural examples of binary operations.

Group: A group is a set $G$ , together with a binary operation $\circ$ , such that the following hold:

(Associativity): The operation is associative; that is, $(a \circ b) \circ c = a \circ (b \circ c)$ for all $a, b, c$ in $G$ .
(Existence of identity): There is an element $e$ (called the identity) in $G$ such that $a \circ e = e \circ a = a$ for all $a$ in $G$ .
(Existence of inverses): For each element $a$ in $G$ , there is an element $b$ in $G$ (called an inverse of $a$ and denoted by $a^{- 1}$ ) such that $a \circ b = b \circ a = e$ .

Note

If $a$ is the inverse of $b$ , then $b$ is the inverse of $a$ .
The group we have just defined may be represented by the symbol $(G, \circ)$ . This notation makes it explicit that the group consists of the set $G$ and the binary operation $\circ$ . (Remember that, in general, there are other possible operations on $G$ , so it may not always be clear which is the group's operation unless we indicate it.) If there is no danger of confusion, we shall denote the group simply with the letter $G$ .

Abelian group: If the operation is commutative, that is, the group has the property that $a \circ b = b \circ a$ for every pair of elements $a$ and $b$ , we say the group is Abelian.

Note

When cryptographers refer to "groups", they typically mean "Abelian groups" (a.k.a. commutative groups). From now on, when we mention groups, we will assume they are Abelian groups by default.

Example of Groups

The integers $Z = \{\dots, -1, 0, 1, 2, \dots\}$ form a group under the operation of addition. The binary operation on two integers $m, n$ in $Z$ is just their sum. Since the integers under addition already have a well-established notation, we will use the operator $+$ instead of $\circ$ ; that is, we shall write $m + n$ instead of $m \circ n$ . The identity is 0, and the inverse of $n$ in $Z$ is written as $-n$ instead of $n^{-1}$ .
The integers mod $n$ form a group under addition modulo $n$ . Consider $Z_{5}$ , consisting of the equivalence classes of the integers 0, 1, 2, 3, and 4. We define the group operation on $Z_{5}$ by modular addition. We write the binary operation on the group additively; that is, we write $m + n$ . The element 0 is the identity of the group and each element in $Z_{5}$ has an inverse. For instance, $3 + 2 = 2 + 3 = 0$ .
Not every set with a binary operation is a group. For example, if we let modular multiplication be the binary operation on $Z_{n}$ , then $Z_{n}$ fails to be a group. The element 1 acts as a group identity since $1 \cdot k = k \cdot 1 = k$ for all $k$ in $Z_{n}$ ; however, 0 has no multiplicative inverse, since $0 \cdot k = k \cdot 0 = 0$ for every $k$ in $Z_{n}$ . Even if we consider the set $Z_{n} \setminus \{0\} = \{1, 2, 3, \dots, n - 1\}$ , we still may not have a group. For instance, take 2 in $Z_{6}$ . Then 2 has no multiplicative inverse, since no product with 2 equals 1 modulo 6: $0 \cdot 2 = 0$ , $1 \cdot 2 = 2$ , $2 \cdot 2 = 4$ , $3 \cdot 2 = 6 \equiv 0$ , $4 \cdot 2 = 8 \equiv 2$ , $5 \cdot 2 = 10 \equiv 4$ .
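The examples above can be checked mechanically on small sets. The following is a minimal sketch, not part of the original text: the helper name `is_group` is hypothetical and simply brute-forces closure, associativity, identity, and inverses for a finite set with a given operation.

```python
from itertools import product

def is_group(elements, op):
    """Brute-force check of closure, associativity, identity and inverses."""
    elements = list(elements)
    # closure: the operation must stay inside the set
    if any(op(a, b) not in elements for a, b in product(elements, repeat=2)):
        return False
    # associativity: (a∘b)∘c == a∘(b∘c) for every triple
    if any(op(op(a, b), c) != op(a, op(b, c))
           for a, b, c in product(elements, repeat=3)):
        return False
    # identity: some e with e∘a == a∘e == a for all a
    identities = [e for e in elements
                  if all(op(e, a) == a and op(a, e) == a for a in elements)]
    if not identities:
        return False
    e = identities[0]
    # inverses: every a needs some b with a∘b == b∘a == e
    return all(any(op(a, b) == e and op(b, a) == e for b in elements)
               for a in elements)

z5_add = is_group(range(5), lambda a, b: (a + b) % 5)      # Z_5 under addition
z6_mul = is_group(range(1, 6), lambda a, b: (a * b) % 6)   # Z_6 \ {0} under multiplication
z5_mul = is_group(range(1, 5), lambda a, b: (a * b) % 5)   # Z_5 \ {0} under multiplication
print(z5_add, z6_mul, z5_mul)  # True False True
```

The second case fails already at closure ( $2 \cdot 3 = 0$ in $Z_{6}$ ), while the nonzero elements modulo the prime 5 do form a group, which anticipates the definition of a field.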

Note

We can use exponential notation for groups just as we do in ordinary algebra. If $G$ is a group and $g \in G$ , then we define $g^{0} = e$ . For $n \in N$ , we define $g^{n} = \underbrace{g \circ g \circ \dots \circ g}_{n \text{ times}}$ and $g^{-n} = \underbrace{g^{-1} \circ g^{-1} \circ \dots \circ g^{-1}}_{n \text{ times}}$ .

When dealing with additive abelian groups, we use additive notation for group operations and denote the identity element by $o$ instead of $e$ . We define: $[0] g = o$ , $[n] g = \underbrace{g + g + \dots + g}_{n \text{ times}}$ and $[-n] g = \underbrace{(-g) + (-g) + \dots + (-g)}_{n \text{ times}}$ .

Cyclic groups

A group $G$ is called cyclic if there exists an element $g \in G$ such that every element $a \in G$ can be written as $g^{n}$ for some integer $n$ . In other words, $G = \{g^{n} : n \in Z\}$ , where $g^{n}$ means applying the group operation to $g$ $n$ times. In this case $g$ is a generator of $G$ .
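As a small illustration of the definition, the sketch below lists the generators of the additive group $Z_{n}$ by repeatedly adding a candidate $g$ to itself. The function names are hypothetical and chosen only for this example.

```python
def generated_subgroup(g, n):
    """Return the set {[k]g : k in Z} inside the additive group Z_n."""
    seen, x = set(), 0
    while x not in seen:
        seen.add(x)
        x = (x + g) % n
    return seen

def generators(n):
    """All g in Z_n whose multiples cover the whole group."""
    return [g for g in range(n) if len(generated_subgroup(g, n)) == n]

print(generators(5))  # [1, 2, 3, 4]
print(generators(6))  # [1, 5]
```

In $Z_{5}$ every nonzero element is a generator, whereas in $Z_{6}$ only the elements coprime to 6 are.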

Rings

A group is a set equipped with only one binary operation. But many sets are naturally endowed with two binary operations, addition and multiplication, denoted as usual by "+" and $\cdot$ , respectively. Examples that quickly come to mind are the integers, the integers modulo $n$ , the real numbers, matrices, and polynomials. When considering these sets as groups, we simply used addition and ignored multiplication. In many instances, however, one wishes to take into account both addition and multiplication. One abstract concept that does this is the concept of a ring.

Definitions

Rings

By a ring we mean a set $A$ with operations called addition and multiplication which satisfy the following axioms:

$A$ with addition alone is an abelian group.
Multiplication is associative. That is, for all $a$ , $b$ , and $c$ in $A$ , $(a \cdot b) \cdot c = a \cdot (b \cdot c)$
Multiplication is distributive over addition. That is, for all $a$ , $b$ , and $c$ in $A$ , $a \cdot (b + c) = a \cdot b + a \cdot c$ and $(b + c) \cdot a = b \cdot a + c \cdot a$

Since $A$ with addition alone is an abelian group, there is in $A$ a neutral element for addition: it is called the zero element and is written 0. Also, every element has an additive inverse called its negative; the negative of $a$ is denoted by $-a$ . Subtraction is defined by $a - b = a + (-b)$ .

unity or identity

If there is an element $1 \in A$ such that $1 \neq 0$ and $1 \cdot a = a \cdot 1 = a$ for each element $a \in A$ , we say that $A$ is a ring with unity or identity.

commutative rings

A ring $A$ for which $a \cdot b = b \cdot a$ for all $a, b$ in $A$ is called a commutative ring.

division rings

A division ring is a ring $A$ , with an identity, in which every nonzero element in $A$ is a unit; that is, for each $a \in A$ with $a \neq 0$ , there exists a unique element $a^{-1}$ such that $a^{-1} \cdot a = a \cdot a^{-1} = 1$ .

Examples

The easiest examples of rings are the traditional number systems. The set $Z$ of the integers, with conventional addition and multiplication, is a ring called the ring of the integers. We designate this ring simply with the letter $Z$ . Similarly, $Q$ is the ring of the rational numbers, $R$ is the ring of the real numbers, and $C$ is the ring of the complex numbers. In each case, the operations are conventional addition and multiplication.

We must remember that the elements of a ring are not necessarily numbers (for example, there are rings of polynomials, rings of functions, rings of switching circuits, and so on); therefore "addition" does not necessarily refer to the conventional addition of numbers, nor does "multiplication" necessarily refer to the conventional operation of multiplying numbers. In fact, $+$ and $\cdot$ are nothing more than symbols denoting the two operations of a ring.

For instance, $F (R)$ represents the set of all the functions from $R$ to $R$ ; that is, the set of all real-valued functions of a real variable. If $f$ and $g$ are any two functions from $R$ to $R$ , their sum $f + g$ and their product $f \cdot g$ are defined as follows: $[f + g] (x) = f (x) + g (x)$ for every real number $x$ , and $[f \cdot g] (x) = f (x) \cdot g (x)$ for every real number $x$ . $F (R)$ with these operations for adding and multiplying functions is a ring called the ring of real functions. It is written simply as $F (R)$ .

The rings $Z, Q, R, C$ and $F (R)$ are all infinite rings, that is, rings with infinitely many elements. There are also finite rings: rings with a finite number of elements. As an important example, consider the group $Z_{n}$ , and define an operation of multiplication on $Z_{n}$ by allowing the product $a \cdot b$ to be the remainder of the usual product of integers $a$ and $b$ after division by $n$ . (For example, in $Z_{5}$ , $2 \cdot 4 = 3$ , $3 \cdot 3 = 4$ , and $4 \cdot 3 = 2$ .) This operation is called multiplication modulo $n$ . $Z_{n}$ with addition and multiplication modulo $n$ is a ring.

Fields

In many applications, a particular kind of integral domain called a field is necessary.

Definition Field

Field. A commutative division ring is called a field. That is, a field is a set $A$ with operations called addition "+" and multiplication " $\cdot$ " which satisfy the following axioms:

$(A, +)$ is an abelian group.
$(A \setminus \{0\}, \cdot)$ is an abelian group.
Multiplication is distributive over addition.

Example

$Q, R, C$ are all fields;
if $p$ is a prime number, $Z_{p}$ is a field, usually denoted by $F_{p}$ ;
- $F_{p}$ is a finite field. The elements of $F_{p}$ are the natural numbers $\{0, 1, 2, 3, 4, \dots, p - 1\}$ . The order of the field is $p$ ; that is, the number of elements in this set is $p$ .
- The identity for addition "+" is 0
- The identity for multiplication " $\cdot$ " is 1
- Add $(x, y)$ = $(x + y) \bmod p$
- Sub $(x, y)$ = $(x - y) \bmod p$
- Mul $(x, y)$ = $(x \cdot y) \bmod p$
- Div $(x, y)$ = $(x \cdot y^{-1}) \bmod p = (x \cdot y^{p - 2}) \bmod p$ for $y \neq 0$ , since $y^{p - 1} = 1$ in $F_{p}$ by Fermat's little theorem
2 is a prime number, so $F_{2}$ is a field whose elements are $\{0, 1\}$ .
- $0 + 0 = 0$
- $0 + 1 = 1 + 0 = 1$
- $1 + 1 = 0$
- $0 * 0 = 0$
- $0 * 1 = 1 * 0 = 0$
- $1 * 1 = 1$
- You'll find that addition is equivalent to XOR, and multiplication is equivalent to AND.
7 is a prime number, so there is a field $F_{7}$ whose elements are $\{0, 1, 2, 3, 4, 5, 6\}$ .
- $\frac{1}{2} = 1 \cdot 2^{7 - 2} \bmod 7 = 2^{5} \bmod 7 = 32 \bmod 7 = 4$
Let $q = 21888242871839275222246405745257275088696311157297823662689037894645226208583$ . $q$ is a prime number, so there is a field whose elements are $\{0, 1, 2, \dots, 21888242871839275222246405745257275088696311157297823662689037894645226208582\}$ .
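The four field operations listed above translate almost directly into code. The sketch below is a minimal illustration with hypothetical function names; division uses the exponent $p - 2$ exactly as in the Div rule, which relies on $p$ being prime.

```python
def add(x, y, p):
    return (x + y) % p

def sub(x, y, p):
    return (x - y) % p

def mul(x, y, p):
    return (x * y) % p

def div(x, y, p):
    # y^(p-2) is the inverse of y in F_p (Fermat's little theorem), valid for y != 0
    if y % p == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    return x * pow(y, p - 2, p) % p

print(div(1, 2, 7))  # 4, matching the F_7 example above

# In F_2, addition behaves like XOR and multiplication like AND.
f2_matches = all(add(a, b, 2) == a ^ b and mul(a, b, 2) == a & b
                 for a in (0, 1) for b in (0, 1))

# The same functions work unchanged for the large prime q from the text.
q = 21888242871839275222246405745257275088696311157297823662689037894645226208583
x = 123456789
inverse_ok = mul(div(1, x, q), x, q) == 1
print(f2_matches, inverse_ok)
```

Python's arbitrary-precision integers make this convenient for illustration; production implementations use fixed-width limbs and techniques such as Montgomery multiplication instead.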

Finite Fields and Their Efficient Implementations

The efficient implementation of finite fields can be referenced at: http://cacr.uwaterloo.ca/hac/about/chap14.pdf.

Number Theoretic Transform

The Number Theoretic Transform (NTT) is the analogue of the Fast Fourier Transform (FFT) over finite fields and gives an efficient algorithm for polynomial multiplication. Because it operates in finite fields, it is particularly valuable in cryptography and coding theory, where it enables rapid computations on large numbers and polynomials. For the purposes of this document, polynomials are assumed to be defined over finite fields by default.

Polynomial Multiplication

Let's consider two polynomials: $A (x) = x^{2} + 3 x + 2$ $B (x) = 2 x^{2} + 1$
The product $C (x) = A (x) \cdot B (x)$ can be expressed as:
$C (x) = (x^{2} + 3 x + 2) (2 x^{2} + 1)$
By expanding, we find: $C (x) = x^{2} (2 x^{2} + 1) + 3 x (2 x^{2} + 1) + 2 (2 x^{2} + 1)$
$C (x) = 2 x^{4} + x^{2} + 6 x^{3} + 3 x + 4 x^{2} + 2$
$C (x) = 2 x^{4} + 6 x^{3} + 5 x^{2} + 3 x + 2$

In a programming context, we can represent polynomials as follows:
$A (x) = 2 + 3 x + x^{2} \to A = [2, 3, 1]$
$B (x) = 1 + 2 x^{2} \to B = [1, 0, 2]$
$C (x) = 2 + 3 x + 5 x^{2} + 6 x^{3} + 2 x^{4} \to C = [2, 3, 5, 6, 2]$
$C [k]$ = coefficient of the $k^{\text{th}}$ degree term of polynomial $C (x)$

$A (x) = a_{0} + a_{1} x + a_{2} x^{2} + ... + a_{d} x^{d}$
$B (x) = b_{0} + b_{1} x + b_{2} x^{2} + ... + b_{d} x^{d}$
$C (x) = c_{0} + c_{1} x + c_{2} x^{2} + ... + c_{2 d} x^{2 d}$
Using the distributive property, the runtime for multiplying two polynomials of degree $d$ is $O (d^{2})$ . However, is there a more efficient method?
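The quadratic cost is easy to see in code: every coefficient of one polynomial meets every coefficient of the other. A minimal sketch using the list representation introduced above (the function name `poly_mul_naive` is an illustrative choice):

```python
def poly_mul_naive(A, B):
    """Multiply two polynomials given as coefficient lists, lowest degree first."""
    C = [0] * (len(A) + len(B) - 1)
    for i, a in enumerate(A):          # d + 1 iterations
        for j, b in enumerate(B):      # d + 1 iterations each, hence O(d^2) overall
            C[i + j] += a * b          # x^i * x^j contributes to the x^(i+j) term
    return C

print(poly_mul_naive([2, 3, 1], [1, 0, 2]))  # [2, 3, 5, 6, 2]
```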

Polynomial Representation

Coefficient Representation

$P (x) = p_{0} + p_{1} x \to [p_{0}, p_{1}]$
To illustrate this representation visually, we can use an interactive graph in which the coefficients $p_{0}$ and $p_{1}$ can be adjusted.

Value Representation

$P (x) = p_{0} + p_{1} x \to [(x_{0}, P (x_{0})), (x_{1}, P (x_{1}))]$ A polynomial can also be uniquely defined by its values at some specific points. For example, two points define a unique line:

For points $(- 2, 0)$ and $(2, 2)$ , we have $P (x) = 1 + 0.5 x$ .
For points $(3, 0)$ and $(- 1, 4)$ , we have $P (x) = 3 - x$ .

[Figure: Figure_1.png]

Three points define a quadratic polynomial, and four points define a cubic:

$\{(- 3, 1), (- 1, - 1), (1, 3)\} \to P (x) = \frac{3}{4} x^{2} + 2 x + \frac{1}{4}$
$\{(- 1, 0), (0, 1), (1, 0), (2, 1)\} \to P (x) = \frac{2}{3} x^{3} - x^{2} - \frac{2}{3} x + 1$

[Figure: Figure_3.png]

More generally, $(d + 1)$ points with distinct $x$-coordinates uniquely define a polynomial of degree at most $d$ : $\{(x_{0}, P (x_{0})), (x_{1}, P (x_{1})), \dots, (x_{d}, P (x_{d}))\}$

$P (x) = p_{0} + p_{1} x + p_{2} x^{2} + \dots + p_{d} x^{d}$

$\begin{aligned} P (x_{0}) &= p_{0} + p_{1} x_{0} + p_{2} x_{0}^{2} + \dots + p_{d} x_{0}^{d} \\ P (x_{1}) &= p_{0} + p_{1} x_{1} + p_{2} x_{1}^{2} + \dots + p_{d} x_{1}^{d} \\ &\;\;\vdots \\ P (x_{d}) &= p_{0} + p_{1} x_{d} + p_{2} x_{d}^{2} + \dots + p_{d} x_{d}^{d} \end{aligned}$

That is:

$\begin{bmatrix} P (x_{0}) \\ P (x_{1}) \\ \vdots \\ P (x_{d}) \end{bmatrix} = \underbrace{\begin{bmatrix} 1 & x_{0} & x_{0}^{2} & \dots & x_{0}^{d} \\ 1 & x_{1} & x_{1}^{2} & \dots & x_{1}^{d} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ 1 & x_{d} & x_{d}^{2} & \dots & x_{d}^{d} \end{bmatrix}}_{M} \begin{bmatrix} p_{0} \\ p_{1} \\ \vdots \\ p_{d} \end{bmatrix}$

$M$ is invertible for distinct $x_{0}, x_{1}, \dots, x_{d}$ $\Rightarrow$ unique $p_{0}, p_{1}, \dots, p_{d}$ exist $\Rightarrow$ a unique polynomial $P (x)$ exists.
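Recovering the coefficients from $d + 1$ points can be sketched as follows. Note the swap: instead of inverting $M$ explicitly, this sketch uses Lagrange interpolation, which yields the same unique polynomial. Exact rational arithmetic via `fractions.Fraction` is an assumption made here so that the fractional coefficients of the examples above come out exactly; the function name `interpolate` is hypothetical.

```python
from fractions import Fraction

def interpolate(points):
    """Coefficients [p0, p1, ..., pd] of the unique polynomial of degree <= d
    through d + 1 points with distinct x-coordinates (Lagrange interpolation)."""
    n = len(points)
    coeffs = [Fraction(0)] * n
    for i, (xi, yi) in enumerate(points):
        # Build the numerator of the basis polynomial: prod_{j != i} (x - xj)
        basis = [Fraction(1)]
        denom = Fraction(1)
        for j, (xj, _) in enumerate(points):
            if j == i:
                continue
            basis = [Fraction(0)] + basis          # multiply by x (shift up)
            for k in range(len(basis) - 1):        # then subtract xj * old polynomial
                basis[k] -= xj * basis[k + 1]
            denom *= (xi - xj)
        # Add yi * L_i(x) to the result
        for k in range(n):
            coeffs[k] += yi * basis[k] / denom
    return coeffs

quadratic = interpolate([(-3, 1), (-1, -1), (1, 3)])
cubic = interpolate([(-1, 0), (0, 1), (1, 0), (2, 1)])
print(quadratic)  # coefficients 1/4, 2, 3/4
print(cubic)      # coefficients 1, -2/3, -1, 2/3
```

This direct approach costs $O(d^{2})$ operations; the inverse NTT discussed later brings interpolation at roots of unity down to $O(d \log d)$ .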

Punchline: Two Unique Representations for Polynomials
$P (x) = p_{0} + p_{1} x + p_{2} x^{2} + \dots + p_{d} x^{d}$
1. Coefficient Representation: $[p_{0}, p_{1}, \dots, p_{d}]$
2. Value Representation: $[(x_{0}, P (x_{0})), (x_{1}, P (x_{1})), \dots, (x_{d}, P (x_{d}))]$

Value Representation Advantages

$A (x) = x^{2} + 2 x + 1$ : $[(- 2, 1), (- 1, 0), (0, 1), (1, 4), (2, 9)]$
$B (x) = x^{2} - 2 x + 1$ : $[(- 2, 9), (- 1, 4), (0, 1), (1, 0), (2, 1)]$
$C (x) = A (x) \cdot B (x)$ has degree 4, so 5 points are needed.

Multiplying the values point by point gives
$[(- 2, 1), (- 1, 0), (0, 1), (1, 4), (2, 9)] \times [(- 2, 9), (- 1, 4), (0, 1), (1, 0), (2, 1)] = [(- 2, 9), (- 1, 0), (0, 1), (1, 0), (2, 9)]$
$\Rightarrow$ $C (x) = A (x) \cdot B (x)$ : $[(- 2, 9), (- 1, 0), (0, 1), (1, 0), (2, 9)]$
$\Rightarrow$ $C (x) = x^{4} - 2 x^{2} + 1$

In value representation, multiplication can be performed in linear time $O (d)$ rather than quadratic $O (d^{2})$ . This is especially advantageous when working with large polynomials.
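The pointwise product from the example can be reproduced in a few lines. This is a small sketch with a hypothetical Horner-style `evaluate` helper; once both polynomials are in value representation, the multiplication itself is a single pass over the points.

```python
def evaluate(coeffs, x):
    """Evaluate p0 + p1*x + ... + pd*x^d using Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = acc * x + c
    return acc

A = [1, 2, 1]     # x^2 + 2x + 1
B = [1, -2, 1]    # x^2 - 2x + 1
xs = [-2, -1, 0, 1, 2]                    # degree-4 product needs 5 points

A_vals = [evaluate(A, x) for x in xs]     # [1, 0, 1, 4, 9]
B_vals = [evaluate(B, x) for x in xs]     # [9, 4, 1, 0, 1]
C_vals = [a * b for a, b in zip(A_vals, B_vals)]   # O(d) pointwise products
print(C_vals)  # [9, 0, 1, 0, 9]

C = [1, 0, -2, 0, 1]                      # x^4 - 2x^2 + 1
matches = C_vals == [evaluate(C, x) for x in xs]
print(matches)  # True
```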

Polynomial Multiplication Flowchart

[Figure: Polynomial Multiplication Flowchart]

Polynomial Evaluation

Evaluation from Coefficients to Values

To evaluate a polynomial $P (x) = p_{0} + p_{1} x + p_{2} x^{2} + \dots + p_{d} x^{d}$ at $n \geq d + 1$ points, we can compute as follows:

$\begin{aligned} (1, P (1)) &= (1,\; p_{0} + p_{1} \cdot 1 + p_{2} \cdot 1^{2} + \dots + p_{d} \cdot 1^{d}) \\ (2, P (2)) &= (2,\; p_{0} + p_{1} \cdot 2 + p_{2} \cdot 2^{2} + \dots + p_{d} \cdot 2^{d}) \\ &\;\;\vdots \\ (n, P (n)) &= (n,\; p_{0} + p_{1} \cdot n + p_{2} \cdot n^{2} + \dots + p_{d} \cdot n^{d}) \end{aligned}$

However, each evaluation costs $O (d)$ , so this operation has a complexity of $O (n d)$ , which is $O (d^{2})$ when $n$ is close to $d$ .

More Efficient Strategies

For example, when evaluating $P (x) = x^{2}$ at 8 points, we can select symmetric points such as
$(1, 1), (- 1, 1), (2, 4), (- 2, 4), (3, 9), (- 3, 9), (4, 16), (- 4, 16)$ .
We have $P (- x) = P (x)$ .

For $P (x) = x^{3}$ we can select:
$(1, 1), (- 1, - 1), (2, 8), (- 2, - 8), (3, 27), (- 3, - 27), (4, 64), (- 4, - 64)$ .
We have $P (- x) = - P (x)$ .

So we only need 4 points!

Consider $P (x) = 3 x^{5} + 2 x^{4} + x^{3} + 7 x^{2} + 5 x + 1$ , to be evaluated at $n$ points $\pm x_{1}, \pm x_{2}, \dots, \pm x_{\frac{n}{2}}$ . Split it into even-degree and odd-degree terms:
$P (x) = \underbrace{(2 x^{4} + 7 x^{2} + 1)}_{P_{e} (x^{2})} + \underbrace{(3 x^{5} + x^{3} + 5 x)}_{x P_{o} (x^{2})} = (2 x^{4} + 7 x^{2} + 1) + x (3 x^{4} + x^{2} + 5)$
$P (x) = P_{e} (x^{2}) + x P_{o} (x^{2})$
$P (x_{i}) = P_{e} (x_{i}^{2}) + x_{i} P_{o} (x_{i}^{2})$
$P (- x_{i}) = P_{e} (x_{i}^{2}) - x_{i} P_{o} (x_{i}^{2})$
Lot of overlap! Here $P_{e} (x) = 2 x^{2} + 7 x + 1$ and $P_{o} (x) = 3 x^{2} + x + 5$ , so $P_{e}$ and $P_{o}$ have degree 2.

In general, for $P (x) = p_{0} + p_{1} x + p_{2} x^{2} + \dots + p_{n - 1} x^{n - 1}$ evaluated at $n$ points $\pm x_{1}, \pm x_{2}, \dots, \pm x_{\frac{n}{2}}$ :
$P (x) = P_{e} (x^{2}) + x P_{o} (x^{2})$
$P (x_{i}) = P_{e} (x_{i}^{2}) + x_{i} P_{o} (x_{i}^{2})$
$P (- x_{i}) = P_{e} (x_{i}^{2}) - x_{i} P_{o} (x_{i}^{2})$
$P_{e}$ and $P_{o}$ each have $\frac{n}{2}$ coefficients, that is, degree at most $\frac{n}{2} - 1$ .

This is the same process on a simpler problem: evaluate $P_{e}$ and $P_{o}$ each at the $\frac{n}{2}$ points $x_{1}^{2}, x_{2}^{2}, \dots, x_{\frac{n}{2}}^{2}$ .

[Figure: NTT]

But there is one major problem.

[Figure: problem]

The points $[\pm x_{1}, \pm x_{2}, \dots, \pm x_{\frac{n}{2}}]$ are $\pm$ paired, but the points $[x_{1}^{2}, x_{2}^{2}, \dots, x_{\frac{n}{2}}^{2}]$ are not $\pm$ paired, so the recursion breaks. Is it possible to make $[x_{1}^{2}, x_{2}^{2}, \dots, x_{\frac{n}{2}}^{2}]$ $\pm$ paired? Yes: we can choose the roots of unity in the finite field.

Which Evaluation Points to Use?

To evaluate $P (x) = p_{0} + p_{1} x + p_{2} x^{2} + \dots + p_{d} x^{d}$ , we need $n \geq d + 1$ points, ideally $n = 2^{k}$ for some non-negative integer $k$ . The points chosen should be the $n^{\text{th}}$ roots of unity:

Evaluate $P (x)$ at $[1, ω^{1}, ω^{2}, \dots, ω^{n - 1}]$ , where $ω$ is a primitive $n^{\text{th}}$ root of unity, that is, a root of $z^{n} = 1$ whose powers $ω^{0}, ω^{1}, \dots, ω^{n - 1}$ are all distinct.
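A toy example shows why roots of unity repair the recursion. The parameters below (the prime 17, the generator 3, and $n = 8$ ) are illustrative assumptions, picked only because $17 - 1$ is divisible by 8; they do not come from the text.

```python
p = 17      # small example prime; p - 1 = 16 is divisible by n
n = 8
g = 3       # 3 generates the multiplicative group of F_17

w = pow(g, (p - 1) // n, p)                 # primitive n-th root of unity
points = [pow(w, k, p) for k in range(n)]
print(w, points)  # 9 [1, 9, 13, 15, 16, 8, 4, 2]

# The points are +/- paired: w^(k + n/2) = -w^k in F_p.
paired = all(points[k + n // 2] == (-points[k]) % p for k in range(n // 2))

# Their squares are the (n/2)-th roots of unity, which are +/- paired again.
squares = sorted({x * x % p for x in points})
print(paired, squares)  # True [1, 4, 13, 16]
```

Since $16 = -1$ and $13 = -4$ in $F_{17}$ , the squared points split into pairs once more, so the halving step can be repeated down to a single point.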

NTT Implementation

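MOD = 998244353  # example NTT-friendly prime (119 * 2^23 + 1); an illustrative choice
GEN = 3          # a generator of the multiplicative group modulo MOD

def get_root_of_unity(n):
    # primitive n-th root of unity modulo MOD; n must be a power of 2 dividing MOD - 1
    return pow(GEN, (MOD - 1) // n, MOD)

def FFT(P, w=None):
    # P = [p0, p1, ..., p_{n-1}] in coefficient representation
    n = len(P)  # n is a power of 2
    if n == 1:
        return P
    if w is None:
        w = get_root_of_unity(n)
    P_e, P_o = P[0::2], P[1::2]  # even- and odd-indexed coefficients
    # w^2 is a primitive (n/2)-th root of unity for the two half-size problems
    y_e, y_o = FFT(P_e, w * w % MOD), FFT(P_o, w * w % MOD)
    y = [0] * n
    for j in range(n // 2):
        t = pow(w, j, MOD) * y_o[j] % MOD
        y[j] = (y_e[j] + t) % MOD
        y[j + n // 2] = (y_e[j] - t) % MOD
    return y

Interpolation and Inverse NTT

Alternative Perspective on Evaluation/NTT

$P (x) = p_{0} + p_{1} x + p_{2} x^{2} + \dots + p_{n - 1} x^{n - 1}$

$\begin{bmatrix} P (x_{0}) \\ P (x_{1}) \\ \vdots \\ P (x_{n - 1}) \end{bmatrix} = \begin{bmatrix} 1 & x_{0} & x_{0}^{2} & \dots & x_{0}^{n - 1} \\ 1 & x_{1} & x_{1}^{2} & \dots & x_{1}^{n - 1} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ 1 & x_{n - 1} & x_{n - 1}^{2} & \dots & x_{n - 1}^{n - 1} \end{bmatrix} \begin{bmatrix} p_{0} \\ p_{1} \\ \vdots \\ p_{n - 1} \end{bmatrix}$

With $x_{k} = ω^{k}$ , where $ω$ is a root of unity in the finite field, this becomes

$\begin{bmatrix} P (x_{0}) \\ P (x_{1}) \\ \vdots \\ P (x_{n - 1}) \end{bmatrix} = \underbrace{\begin{bmatrix} 1 & 1 & 1 & \dots & 1 \\ 1 & ω & ω^{2} & \dots & ω^{n - 1} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ 1 & ω^{n - 1} & ω^{2 (n - 1)} & \dots & ω^{(n - 1) (n - 1)} \end{bmatrix}}_{\text{Discrete Fourier Transform (DFT) matrix}} \begin{bmatrix} p_{0} \\ p_{1} \\ \vdots \\ p_{n - 1} \end{bmatrix}$

Interpolation involves inverting the DFT matrix

$P (x) = p_{0} + p_{1} x + p_{2} x^{2} + \dots + p_{n - 1} x^{n - 1}$

$\begin{bmatrix} p_{0} \\ p_{1} \\ \vdots \\ p_{n - 1} \end{bmatrix} = \begin{bmatrix} 1 & 1 & 1 & \dots & 1 \\ 1 & ω & ω^{2} & \dots & ω^{n - 1} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ 1 & ω^{n - 1} & ω^{2 (n - 1)} & \dots & ω^{(n - 1) (n - 1)} \end{bmatrix}^{- 1} \begin{bmatrix} P (x_{0}) \\ P (x_{1}) \\ \vdots \\ P (x_{n - 1}) \end{bmatrix}$

$\Downarrow$

$\begin{bmatrix} p_{0} \\ p_{1} \\ \vdots \\ p_{n - 1} \end{bmatrix} = \frac{1}{n} \begin{bmatrix} 1 & 1 & 1 & \dots & 1 \\ 1 & ω^{- 1} & ω^{- 2} & \dots & ω^{- (n - 1)} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ 1 & ω^{- (n - 1)} & ω^{- 2 (n - 1)} & \dots & ω^{- (n - 1) (n - 1)} \end{bmatrix} \begin{bmatrix} P (x_{0}) \\ P (x_{1}) \\ \vdots \\ P (x_{n - 1}) \end{bmatrix}$

The inverse matrix and the original matrix look quite similar! Every $ω$ in the original matrix is replaced by $ω^{- 1}$ , and the whole matrix is scaled by $\frac{1}{n}$ .

$INTT (\langle values \rangle) = \frac{1}{n} \cdot NTT (\langle values \rangle)$ computed with $ω^{'} = ω^{- 1}$

So the inverse NTT can be implemented as follows. Note that the factor $\frac{1}{n}$ is applied once at the end rather than folded into $ω$ at every recursion level:

def IFFT(P):
    # P = [P(w^0), P(w^1), ..., P(w^{n-1})] in value representation
    n = len(P)  # n is a power of 2
    w_inv = pow(get_root_of_unity(n), -1, MOD)  # w^{-1}; pow with exponent -1 needs Python 3.8+
    n_inv = pow(n, -1, MOD)                     # 1/n in the field
    # same butterfly recursion as FFT, run with w^{-1}, then one final scaling by 1/n
    return [v * n_inv % MOD for v in FFT(P, w_inv)]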
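Putting the pieces together, the whole multiplication pipeline (evaluate, multiply pointwise, interpolate) can be sketched in one self-contained block. The prime 998244353 with generator 3 is a common NTT-friendly choice and is an assumption of this example rather than something fixed by the text; the names `ntt` and `poly_mul` are likewise illustrative. Results are coefficients modulo that prime.

```python
MOD = 998244353   # example NTT-friendly prime: MOD - 1 = 119 * 2^23
GEN = 3           # a generator of the multiplicative group modulo MOD

def ntt(P, w):
    """Evaluate P (coefficient list, length a power of 2) at w^0, ..., w^(n-1)."""
    n = len(P)
    if n == 1:
        return P[:]
    y_e = ntt(P[0::2], w * w % MOD)    # P_e at the (n/2)-th roots of unity
    y_o = ntt(P[1::2], w * w % MOD)    # P_o at the (n/2)-th roots of unity
    y = [0] * n
    wj = 1                             # running power w^j
    for j in range(n // 2):
        t = wj * y_o[j] % MOD
        y[j] = (y_e[j] + t) % MOD            # P(w^j)
        y[j + n // 2] = (y_e[j] - t) % MOD   # P(-w^j)
        wj = wj * w % MOD
    return y

def poly_mul(A, B):
    """Multiply coefficient lists A and B modulo MOD via NTT."""
    size = len(A) + len(B) - 1
    n = 1
    while n < size:                    # round up to a power of 2
        n *= 2
    w = pow(GEN, (MOD - 1) // n, MOD)  # primitive n-th root of unity
    a_vals = ntt(A + [0] * (n - len(A)), w)
    b_vals = ntt(B + [0] * (n - len(B)), w)
    c_vals = [x * y % MOD for x, y in zip(a_vals, b_vals)]   # pointwise product
    w_inv = pow(w, MOD - 2, MOD)       # inverse root for interpolation
    n_inv = pow(n, MOD - 2, MOD)       # scaling factor 1/n
    coeffs = [v * n_inv % MOD for v in ntt(c_vals, w_inv)]
    return coeffs[:size]

print(poly_mul([2, 3, 1], [1, 0, 2]))  # [2, 3, 5, 6, 2]
```

The output agrees with the product $C (x) = 2 + 3 x + 5 x^{2} + 6 x^{3} + 2 x^{4}$ computed by hand in the Polynomial Multiplication section.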

Multi-Scalar Multiplication

Bucket method

The Multi-Scalar Multiplication (MSM) problem involves calculating a sum of scalar multiples of elliptic curve points, represented as:
$P = \sum_{i = 1}^{n} k_{i} G_{i}$
Here, $k_{i}$ are scalars (integers modulo a prime) and $G_{i} = (x_{i}, y_{i})$ are elliptic curve points. $k_{i} G_{i}$ indicates that $G_{i}$ is added to itself $k_{i}$ times.
Given that about 75% of the time spent producing a zk-SNARK proof is dedicated to $MSM$ , optimizing this operation is essential for enhancing overall performance.

Bucket method

We can break down the Multi-Scalar Multiplication problem into smaller sums and reduce the number of operations by applying the windowing technique. Before we compute $k_{i} G_{i}$ , it's important to note that each scalar $k_{i}$ can be represented in binary. This representation allows us to express $k_{i} G_{i}$ in a more efficient manner.

For each $k_{i}$ , we can segment its binary representation into $m$ windows of size $c$ :
$k_{i} = k_{i, 0} + k_{i, 1} 2^{c} + k_{i, 2} 2^{2 c} + \dots + k_{i, m - 1} 2^{c (m - 1)} .$
Using this approach, we can express the scalar multiplication $k_{i} G_{i}$ as:
$k_{i} G_{i} = k_{i, 0} G_{i} + k_{i, 1} 2^{c} G_{i} + k_{i, 2} 2^{2 c} G_{i} + \dots + k_{i, m - 1} 2^{c (m - 1)} G_{i} .$
This allows us to rewrite the MSM problem as:
$P = \sum_{i = 1}^{n} k_{i} G_{i} = \sum_{i = 1}^{n} \sum_{j = 0}^{m - 1} k_{i, j} 2^{c j} G_{i}$
By changing the order of summation, we have:
$P = \sum_{j = 0}^{m - 1} 2^{c j} \left( \sum_{i = 1}^{n} k_{i, j} G_{i} \right)$

where we first break the scalars into windows and then aggregate the points in each window. Now we can focus on efficiently calculating each $B_{j}$ :
$B_{j} = \sum_{i = 1}^{n} k_{i, j} G_{i} = \sum_{λ = 0}^{2^{c} - 1} λ \sum_{u (λ)} G_{u}$
with the inner summation over $u (λ)$ considering only points with the coefficient $λ$ . This leads us to organize points into the corresponding lambda buckets $S_{j, λ}$ , where $S_{j, λ}$ is the sum of the points whose coefficient in window $j$ is $λ$ (if $c = 3$ ):
$B_{j} = \sum_{λ = 1}^{2^{c} - 1} λ S_{j, λ} = S_{j, 1} + 2 S_{j, 2} + 3 S_{j, 3} + 4 S_{j, 4} + 5 S_{j, 5} + 6 S_{j, 6} + 7 S_{j, 7} .$
We can compute this with minimal point additions using partial sums:
$T_{j, 1} = S_{j, 7}, \quad T_{j, 2} = T_{j, 1} + S_{j, 6}, \quad T_{j, 3} = T_{j, 2} + S_{j, 5}, \quad T_{j, 4} = T_{j, 3} + S_{j, 4}, \quad T_{j, 5} = T_{j, 4} + S_{j, 3}, \quad T_{j, 6} = T_{j, 5} + S_{j, 2}, \quad T_{j, 7} = T_{j, 6} + S_{j, 1} .$
Each of these operations involves just one elliptic point addition. We can obtain the final result by summing these partial sums, since $S_{j, λ}$ appears in exactly $λ$ of them:
$B_{j} = \sum_{k = 1}^{2^{c} - 1} T_{j, k} .$
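The windowing and bucket steps above can be sketched compactly. To stay self-contained, this example uses the additive group of integers modulo `N` as a stand-in for elliptic curve points (so "point addition" is just modular addition); that substitution, the modulus, and all function names are assumptions made for illustration. The control flow is what carries over to a real curve.

```python
N = 1_000_003   # modulus of the stand-in group (Z_N, +); NOT an elliptic curve

def add(P, Q):
    """Group operation of the stand-in group; 0 is the identity."""
    return (P + Q) % N

def msm_naive(scalars, points):
    """Reference result: sum of k_i * G_i computed directly."""
    return sum(k * G for k, G in zip(scalars, points)) % N

def msm_bucket(scalars, points, c=3, bits=16):
    """Bucket method with window size c for scalars below 2^bits."""
    m = (bits + c - 1) // c               # number of windows
    mask = (1 << c) - 1
    result = 0
    for j in reversed(range(m)):          # process the highest window first
        for _ in range(c):                # result <- 2^c * result via c doublings
            result = add(result, result)
        # S[lam] accumulates the points whose j-th window digit equals lam
        S = [0] * (1 << c)
        for k, G in zip(scalars, points):
            lam = (k >> (c * j)) & mask
            if lam:
                S[lam] = add(S[lam], G)
        # B_j = sum(lam * S[lam]) using running partial sums T, one addition each
        T, B = 0, 0
        for lam in range(mask, 0, -1):
            T = add(T, S[lam])
            B = add(B, T)
        result = add(result, B)
    return result

scalars = [5, 1234, 65535, 0, 77]
points = [11, 222, 3333, 44444, 555555]
print(msm_bucket(scalars, points) == msm_naive(scalars, points))  # True
```

Processing the windows from the top and doubling $c$ times between them evaluates $\sum_{j} 2^{c j} B_{j}$ without computing the powers $2^{c j}$ separately.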

Elliptic Curves and Their Applications

Introduction

Elliptic curves are a fascinating area of mathematics with profound implications in number theory and cryptography. They provide a rich structure that can be utilized in various applications, particularly in secure communication protocols. In this article, we will explore the fundamental properties of elliptic curves, their group law, and how these mathematical concepts form the basis for several cryptographic algorithms. By understanding elliptic curves, we can gain insight into the underlying principles that ensure the security and efficiency of modern cryptographic systems.

What Is an Elliptic Curve

An elliptic curve is the graph of a short Weierstrass equation
$y^{2} = x^{3} + A x + B$
where $A$ and $B$ are constants. Below is an example of such a curve.

The Group Law

[Figure: GroupLaw]

Adding Points on an Elliptic Curve
Start with two points
$P_{1} = (x_{1}, y_{1}), P_{2} = (x_{2}, y_{2})$
on an elliptic curve $E$ given by the equation $y^{2} = x^{3} + A x + B$ . Define a new point $P_{3}$ as follows. Draw the line $L$ through $P_{1}$ and $P_{2}$ . We'll see below that $L$ intersects $E$ in a third point $P_{3}^{'}$ . Reflect $P_{3}^{'}$ across the $x$-axis (i.e., change the sign of the $y$-coordinate) to obtain $P_{3}$ . We define
$P_{1} + P_{2} = P_{3}$
Examples below will show that this is not the same as adding coordinates of the points. It might be better to denote this operation by $P_{1} +_{E} P_{2}$ , but we opt for the simpler notation since we will never be adding points by adding coordinates.
Assume first that $P_{1} \neq P_{2}$ and that neither point is $\infty$ . Draw the line $L$ through $P_{1}$ and $P_{2}$ . Its slope is
$m = \frac{y_{2} - y_{1}}{x_{2} - x_{1}} .$
If $x_{1} = x_{2}$ , then $L$ is vertical. We'll treat this case later, so let's assume that $x_{1} \neq x_{2}$ . The equation of $L$ is then
$y = m (x - x_{1}) + y_{1} .$
To find the intersection with $E$ , substitute to get
$(m (x - x_{1}) + y_{1})^{2} = x^{3} + A x + B .$
This can be rearranged to the form
$0 = x^{3} - m^{2} x^{2} + \dots .$
The three roots of this cubic correspond to the three points of intersection of $L$ with $E$ . Generally, solving a cubic is not easy, but in the present case we already know two of the roots, namely $x_{1}$ and $x_{2}$ , since $P_{1}$ and $P_{2}$ are points on both $L$ and $E$ . Therefore, we could factor the cubic to obtain the third value of x. But there is an easier way. If we have a cubic polynomial $x^{3} + a x^{2} + b x + c$ with roots $r, s, t$ , then
$x^{3} + a x^{2} + b x + c = (x - r) (x - s) (x - t) = x^{3} - (r + s + t) x^{2} + \dots .$ Therefore,
$r + s + t = - a .$
If we know two roots $r, s$ , then we can recover the third as $t = - a - r - s$ .
In our case, we obtain
$x = m^{2} - x_{1} - x_{2}$
and
$y = m (x - x_{1}) + y_{1} .$
Now, reflect across the $x$-axis to obtain the point $P_{3} = (x_{3}, y_{3})$ :
$x_{3} = m^{2} - x_{1} - x_{2}, \quad y_{3} = m (x_{1} - x_{3}) - y_{1} .$
In the case that $x_{1} = x_{2}$ but $y_{1} \neq y_{2}$ , the line through $P_{1}$ and $P_{2}$ is a vertical line, which therefore intersects $E$ in $\infty$ . Reflecting $\infty$ across the $x$-axis yields the same point $\infty$ (this is why we put $\infty$ at both the top and the bottom of the $y$-axis). Therefore, in this case $P_{1} + P_{2} = \infty$ .
Now consider the case where $P_{1} = P_{2} = (x_{1}, y_{1})$ . When two points on a curve are very close to each other, the line through them approximates a tangent line. Therefore, when the two points coincide, we take the line $L$ through them to be the tangent line. Implicit differentiation allows us to find the slope $m$ of $L$ :
$2 y \frac{d y}{d x} = 3 x^{2} + A, \quad \text{so} \quad m = \frac{d y}{d x} = \frac{3 x_{1}^{2} + A}{2 y_{1}} .$
If $y_{1} = 0$ then the line is vertical and we set $P_{1} + P_{2} = \infty$ , as before. Therefore, assume that $y_{1} \neq 0$ . The equation of $L$ is
$y = m (x - x_{1}) + y_{1},$
as before. We obtain the cubic equation
$0 = x^{3} - m^{2} x^{2} + \dots .$ This time, we know only one root, namely $x_{1}$ , but it is a double root since $L$ is tangent to $E$ at $P_{1}$ . Therefore, proceeding as before, we obtain
$x_{3} = m^{2} - 2 x_{1}, y_{3} = m (x_{1} - x_{3}) - y_{1} .$
Finally, suppose $P_{2} = \infty$ . The line through $P_{1}$ and $\infty$ is a vertical line that intersects $E$ in the point $P_{1}^{'}$ that is the reflection of $P_{1}$ across the $x$-axis. When we reflect $P_{1}^{'}$ across the $x$-axis to get $P_{3} = P_{1} + P_{2}$ , we are back at $P_{1}$ . Therefore
$P_{1} + \infty = P_{1}$
for all points $P_{1}$ on $E$ . Of course, we extend this to include $\infty + \infty = \infty$ .
Let's summarize the above discussion:

Let $E$ be an elliptic curve defined by $y^{2} = x^{3} + A x + B$ . Let $P_{1} = (x_{1}, y_{1})$ and $P_{2} = (x_{2}, y_{2})$ be points on $E$ with $P_{1}, P_{2} \neq \infty$ . Define $P_{1} + P_{2} = P_{3} = (x_{3}, y_{3})$ as follows:

If $x_{1} \neq x_{2}$ , then $x_{3} = m^{2} - x_{1} - x_{2}, \; y_{3} = m (x_{1} - x_{3}) - y_{1},$ where $m = \frac{y_{2} - y_{1}}{x_{2} - x_{1}}$ .
If $x_{1} = x_{2}$ but $y_{1} \neq y_{2}$ , then $P_{1} + P_{2} = \infty$ .
If $P_{1} = P_{2}$ and $y_{1} \neq 0$ , then $x_{3} = m^{2} - 2 x_{1}, \; y_{3} = m (x_{1} - x_{3}) - y_{1}$ , where $m = \frac{3 x_{1}^{2} + A}{2 y_{1}}$ .
If $P_{1} = P_{2}$ and $y_{1} = 0$ , then $P_{1} + P_{2} = \infty$ .
Moreover, define
$P + \infty = P$
for all points $P$ on $E$ .
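The case analysis above maps directly onto code once the arithmetic is done in a finite field, where division becomes multiplication by a modular inverse. The sketch below uses the small textbook-sized curve $y^{2} = x^{3} + 2 x + 2$ over $F_{17}$ with the point $(5, 1)$ ; the curve, the point, and the names `ec_add` and `INF` are choices made for this example, not taken from the text.

```python
p, A, B = 17, 2, 2      # curve y^2 = x^3 + 2x + 2 over F_17 (toy example)
INF = None              # the point at infinity

def ec_add(P1, P2):
    """Add two points following the four cases of the group law."""
    if P1 is INF:
        return P2                          # infinity + P = P
    if P2 is INF:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                         # vertical line: P2 = -P1, or doubling with y1 = 0
    if P1 == P2:
        m = (3 * x1 * x1 + A) * pow(2 * y1, p - 2, p) % p   # tangent slope
    else:
        m = (y2 - y1) * pow(x2 - x1, p - 2, p) % p          # chord slope
    x3 = (m * m - x1 - x2) % p
    y3 = (m * (x1 - x3) - y1) % p
    return (x3, y3)

G = (5, 1)
G2 = ec_add(G, G)
G3 = ec_add(G2, G)
print(G2, G3)                    # (6, 3) (10, 6)
print(ec_add(G, (5, 16)))        # None, since (5, 16) = -G
```

Over $F_{p}$ two distinct points with the same $x$-coordinate are always negatives of each other, which is why the single test `(y1 + y2) % p == 0` covers both vertical-line cases.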

The addition of points on an elliptic curve $E$ satisfies the following properties:

(commutativity) $P_{1} + P_{2} = P_{2} + P_{1}$ for all $P_{1}, P_{2}$ on $E$ .
(existence of identity) $P + \infty = P$ for all points $P$ on $E$ .
(existence of inverses) Given $P$ on $E$ , there exists $P^{'}$ on $E$ with $P + P^{'} = \infty$ . This point $P^{'}$ will usually be denoted $- P$ .
(associativity) $(P_{1} + P_{2}) + P_{3} = P_{1} + (P_{2} + P_{3})$ for all $P_{1}, P_{2}, P_{3}$ on $E$ .

In other words, the points on $E$ form an additive abelian group with $\infty$ as the identity element.

In cryptography, we work over $F_{p}$ instead of $R$ . We write the group operation additively, $(\mathbb{G}, +)$ . Fix a generator $G \in \mathbb{G}$ of prime order $q$ . In practice, $(\mathbb{G}, G)$ is chosen from some standard (e.g. NIST).

Applications of Elliptic Curves

What is the discrete logarithm problem

Given a secret $x$ sampled uniformly at random from $F_{q}$ and the public point $x G$ in the group $\mathbb{G}$ , recovering $x$ from $x G$ is hard.

ECDSA

Elliptic Curve Digital Signature Algorithm

Diffie-Hellman Key Exchange

Schnorr protocol

$P$ wants to convince $V$ that $P$ knows a secret $s \in F_{q}$ s.t. $X = s G$ , where $X$ is a public element of the group $\mathbb{G}$ .

[Figure: Schnorr protocol]
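The text states only the goal of the protocol. As a hedged illustration, the sketch below runs the standard three-move form (commit, challenge, response) of Schnorr identification. To stay self-contained it replaces the elliptic curve group with a tiny multiplicative group, so $s G$ becomes `pow(g, s, p)` and point addition becomes multiplication modulo `p`. The parameters `p = 23`, `q = 11`, `g = 2` are toy values assumed for this example and offer no security.

```python
import secrets

# Toy parameters (illustration only): g = 2 has prime order q = 11 modulo p = 23.
p, q, g = 23, 11, 2

# Prover's key pair: secret s, public X (the analogue of X = sG).
s = secrets.randbelow(q - 1) + 1
X = pow(g, s, p)

# 1. Commit: the prover picks a random nonce r and sends R (the analogue of rG).
r = secrets.randbelow(q)
R = pow(g, r, p)

# 2. Challenge: the verifier sends a random c.
c = secrets.randbelow(q)

# 3. Response: the prover sends z = r + c*s mod q.
z = (r + c * s) % q

# Verification: g^z == R * X^c (the analogue of zG = R + cX).
accepted = pow(g, z, p) == (R * pow(X, c, p)) % p
print(accepted)  # True

# A response that is off by one is rejected.
rejected = pow(g, (z + 1) % q, p) == (R * pow(X, c, p)) % p
print(rejected)  # False
```

The check passes because $g^{z} = g^{r + c s} = g^{r} \cdot (g^{s})^{c} = R \cdot X^{c}$ ; the response $z$ is masked by the fresh random $r$ , which is what keeps $s$ hidden.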

Short Weierstrass curves and their representations for fast computations

http://www.hyperelliptic.org/EFD/g1p/auto-shortw.html

Pairing based cryptography

Definition of Pairing

Given cyclic groups $\mathbb{G}_{1}, \mathbb{G}_{2}, \mathbb{G}_{T}$, all of the same prime order $q$, a pairing is a non-degenerate bilinear map $e : \mathbb{G}_{1} \times \mathbb{G}_{2} \to \mathbb{G}_{T}$. Here $G_{1}$ and $G_{2}$ denote generators of $\mathbb{G}_{1}$ and $\mathbb{G}_{2}$, respectively.

Bilinearity: $e (X_{1} + X_{2}, Y) = e (X_{1}, Y) \cdot e (X_{2}, Y)$ and $e (X, Y_{1} + Y_{2}) = e (X, Y_{1}) \cdot e (X, Y_{2})$
Non-degeneracy: $G_{T} := e (G_{1}, G_{2}) \in \mathbb{G}_{T}$ is a generator.
Computability: There exists an efficient algorithm to compute $e$ .

An application: BLS signature scheme

Keygen: public parameters $p, \mathbb{G}_{1}, \mathbb{G}_{2}, \mathbb{G}_{T}, G_{1}, G_{2}, e$
- Private key: $x$; public key: $P = [x] G_{1}$
Sign( $x, m$ ): $σ := [x] H (m) \in \mathbb{G}_{2}$, where $H$ is a cryptographic hash function that maps the message space to $\mathbb{G}_{2}$.
Verify( $P, m, σ$ ): check $e (P, H (m)) \stackrel{?}{=} e (G_{1}, σ)$

BLS signature scheme can be extended to allow signature aggregation.
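For an honestly generated signature, the verification equation follows directly from bilinearity. The short derivation below uses only the symbols defined in the scheme ($P = [x] G_{1}$ and $σ = [x] H (m)$):

```latex
\begin{aligned}
e(P, H(m)) &= e([x]G_1, H(m)) \\
           &= e(G_1, H(m))^{x} \\
           &= e(G_1, [x]H(m)) \\
           &= e(G_1, \sigma).
\end{aligned}
```

The same linearity in the exponent is what makes aggregation possible: sums of signatures pair like products of the individual pairings.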

Commitment Schemes in Cryptography

Commitment schemes are fundamental cryptographic protocols that allow one party (the committer) to commit to a value while keeping it hidden from another party (the receiver) until the commitment is revealed. The committer cannot alter the value after committing to it, so the scheme provides both secrecy and integrity.

Key properties

Hiding: The commitment should not reveal any information about the committed value. This means that the receiver cannot determine the value until the committer decides to reveal it.
Binding: Once the committer has made a commitment, they cannot change the committed value. This ensures that the committer cannot later claim to have committed to a different value.

These properties make commitment schemes useful in various cryptographic applications, including secure voting, digital signatures, and zero-knowledge proofs.
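As a rough illustration of the two properties, the sketch below uses a hash-based commitment. This construction is an assumption made for the example and is not the polynomial commitment scheme discussed later: binding rests on the collision resistance of SHA-256, and hiding relies on the fresh random nonce together with heuristic assumptions about the hash. The names `commit` and `verify` are illustrative.

```python
import hashlib
import secrets


def commit(value: bytes):
    """Return (commitment, nonce); the nonce is kept secret until opening."""
    nonce = secrets.token_bytes(32)  # fresh randomness, needed for hiding
    digest = hashlib.sha256(nonce + value).hexdigest()
    return digest, nonce


def verify(commitment: str, value: bytes, nonce: bytes) -> bool:
    """Check that (value, nonce) opens the commitment."""
    return hashlib.sha256(nonce + value).hexdigest() == commitment


c, r = commit(b"vote: alice")
print(verify(c, b"vote: alice", r))  # honest opening
print(verify(c, b"vote: bob", r))    # attempt to open to a different value
```

The committer publishes `c` first and reveals the value and nonce later; the receiver recomputes the hash to check the opening.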

Applications

Secure Voting: Voters can commit to their votes and later reveal them, ensuring privacy and preventing vote manipulation.
Digital Signatures: Commitment schemes are often used in the generation of digital signatures, where a message is committed to before being signed.
Zero-Knowledge Proofs: They play a critical role in zero-knowledge proofs, where one party can prove knowledge of a value without revealing the value itself.

Polynomial commitment scheme

Polynomial commitment schemes [KZG10]

Bilinear group: $p, \mathbb{G}_{1}, \mathbb{G}_{2}, \mathbb{G}_{T}, G_{1}, G_{2}, e$
Univariate polynomials: $\mathcal{F} = F_{p}^{(\leq d)} [X]$

$\mathrm{keygen} (λ, \mathcal{F}) \to gp$ :

Sample random $τ \in F_{p}$
$gp = ((G_{1}, [τ] G_{1}, [τ^{2}] G_{1}, \dots, [τ^{d}] G_{1}), (G_{2}, [τ] G_{2}))$
Delete $τ$ (trusted setup)!

$\mathrm{commit} (gp, f) \to C_{f}$ :

$f (x) = f_{0} + f_{1} x + f_{2} x^{2} + \dots + f_{d} x^{d}$
$C_{f} = [f (τ)] G_{1} = [f_{0} + f_{1} τ + f_{2} τ^{2} + \dots + f_{d} τ^{d}] G_{1} = [f_{0}] G_{1} + [f_{1}] [τ] G_{1} + [f_{2}] [τ^{2}] G_{1} + \dots + [f_{d}] [τ^{d}] G_{1}$

Honest prover: $C_{f} = [f (τ)] G_{1}$, $π = [q (τ)] G_{1}$, $v = f (u)$

$\mathrm{eval} (gp, f, u) \to (v, π)$ :

$f (x) - f (u) = (x - u) q (x)$, since $u$ is a root of $f (x) - f (u)$
Compute $q (x)$ and $π = [q (τ)] G_{1}$ using $gp$

$\mathrm{verify} (gp, C_{f}, u, v, π)$ :

Check $e (C_{f} - [v] G_{1}, G_{2}) \stackrel{?}{=} e (π, [τ] G_{2} - [u] G_{2})$
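The algebra behind the opening can be checked without any pairing. The sketch below is a simplified model, not a KZG implementation: it works over the toy prime field $F_{97}$ (an assumption), computes $q$ by synthetic division, and verifies $f (τ) - v = (τ - u) q (τ)$ directly at a known $τ$, which is the relation the pairing check tests "in the exponent". The helper names are illustrative.

```python
P = 97  # toy prime field, assumed for illustration


def evaluate(coeffs, x):
    """Evaluate a polynomial via Horner's rule; coeffs[i] multiplies X^i."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def quotient(coeffs, u):
    """Return q with f(X) - f(u) = (X - u) * q(X), using synthetic division."""
    q = [0] * (len(coeffs) - 1)
    carry = 0
    for i in range(len(coeffs) - 1, 0, -1):
        carry = (coeffs[i] + carry * u) % P
        q[i - 1] = carry
    return q


f = [3, 2, 1]        # f(X) = 3 + 2X + X^2
u = 5                # evaluation point
v = evaluate(f, u)   # claimed value f(u)
q = quotient(f, u)   # witness polynomial

tau = 11             # in the real scheme tau is secret and deleted after setup
lhs = (evaluate(f, tau) - v) % P
rhs = (tau - u) * evaluate(q, tau) % P
print(q, lhs == rhs)
```

In the actual scheme neither party knows $τ$; the prover evaluates $q$ at $τ$ using the group elements in $gp$, and the verifier compares both sides through the pairing.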

Opening many polynomials at $s$

Input: $f_{0}, f_{1}, \dots, f_{k - 1}$ and $z_{0} = f_{0} (s), z_{1} = f_{1} (s), \dots, z_{k - 1} = f_{k - 1} (s)$.
The verifier has commitments $C_{f_{i}}$ to the $f_{i}$'s and wants to verify the correctness of the $z_{i}$'s.

Naive solution

Run KZG for each $f_{i}$. Cost: $k$ group elements in the proof and $O (k)$ pairings for the verifier.

Batched opening

Verifier sends random $γ \in F_{p}$
Prover computes combination $f (X) := \sum_{i < k} γ^{i} f_{i} (X)$
Verifier computes commitment to $f$ as $C_{f} := \sum_{i < k} γ^{i} C_{f_{i}}$
Prover and verifier use KZG to verify $f (s) = z$ for $z = \sum_{i < k} γ^{i} z_{i}$
Cost: $k - 1$ verifier scalar muls to compute $C_{f}$
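The batching step relies on linearity: evaluating the random combination at $s$ gives the same combination of the individual values. The sketch below checks this on coefficient lists over the toy field $F_{97}$; the field, the sample polynomials, and the fixed value of $γ$ are assumptions for illustration, and the matching combination of commitments is not modelled.

```python
P = 97  # toy prime field, assumed for illustration


def evaluate(coeffs, x):
    """Evaluate a polynomial via Horner's rule; coeffs[i] multiplies X^i."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def combine(polys, gamma):
    """Return sum_i gamma^i * f_i as a coefficient list."""
    out = [0] * max(len(f) for f in polys)
    power = 1
    for f in polys:
        for j, c in enumerate(f):
            out[j] = (out[j] + power * c) % P
        power = power * gamma % P
    return out


polys = [[1, 2, 3], [4, 0, 5], [7, 1]]   # f_0, f_1, f_2
s, gamma = 10, 13                        # opening point and verifier challenge
zs = [evaluate(f, s) for f in polys]     # claimed values z_i = f_i(s)

f = combine(polys, gamma)
z = sum(pow(gamma, i, P) * zi for i, zi in enumerate(zs)) % P
print(evaluate(f, s) == z)
```

Because KZG commitments are linear in the polynomial, the verifier can form $C_{f}$ from the $C_{f_{i}}$ with the same coefficients $γ^{i}$ and then run a single opening check.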

Opening a polynomial $f$ at points $s_{0}, \dots, s_{k - 1}$

Theorem [BDFG]: We can open a polynomial $f$ at points $s_{0}, s_{1}, \dots, s_{k - 1}$ with 2 verifier scalar multiplications, no matter how large $k$ is.

KZG Ceremony

A distributed generation of $g p$ s.t. no one can reconstruct the trapdoor if at least one of the participants is honest and discards their secrets.

$g p = (G, τ G, τ^{2} G, \dots, τ^{d} G) = (G_{0}, G_{1}, G_{2}, \dots, G_{d})$
Sample random $s$ , update $g p^{'} = (G_{0}, G_{1}^{'}, G_{2}^{'}, \dots, G_{d}^{'}) = (G_{0}, s G_{1}, s^{2} G_{2}, \dots, s^{d} G_{d})$ with secret $τ \cdot s$ !
Check the correctness of $g p^{'}$
- The contributor knows $s$ s.t. $G_{1}^{'} = s G_{1}$
- $g p^{'}$ consists of consecutive powers: $e (G_{i}^{'}, G_{1}^{'}) = e (G_{i + 1}^{'}, G)$ and $G_{1}^{'} \neq O$

Introduction to ZKP

What is a Zero-Knowledge Proof?

Zero-knowledge proofs (ZKPs) allow me to prove that I know a fact without revealing the fact itself. For example:

I know the private key corresponding to an Ethereum account, but I won't disclose what that key is!
I know a number $x$ such that SHA256(x) = 0xa4865c2cae9713e9bcea7810ae83b14d18cfc259926cac793bf0ac7752851e8c, but I won't reveal $x$!

In Ethereum, all transactions are secured using digital signatures based on public-key cryptography. Each public account is linked to a secret private key, and you cannot send funds from an account unless you possess that private key. A signature attached to every transaction essentially acts as a zero-knowledge proof that you know the corresponding private key. Although ZKPs might seem new, digital signature schemes have existed for decades.

Three properties of ZK Protocols

[Zero Knowledge] The Prover's responses do not disclose the underlying information.
[Completeness] If the Prover knows the underlying information, they can always respond satisfactorily.
[Soundness] If the Prover doesn't know the underlying information, they'll eventually get caught.

What are zkSNARKs?

zkSNARKs are a modern cryptographic tool that enables the efficient generation of a zero-knowledge protocol for any problem or function. Their properties include:

zk: Hides inputs
Succinct: Generates short proofs that can be verified quickly
Non-interactive: does not require back-and-forth communication
ARgument of Knowledge: proves that you know the input

Overview of ZKP Generation

Transform your problem (e.g., graph isomorphism, discrete logarithm) into a function whose inputs you wish to conceal.
Convert that function into an equivalent set of "R1CS" (Rank-1 Constraint System, or other) equations:
- This is essentially an arithmetic circuit composed of "+" and "*" operations on prime field elements.
- Simplified, the equations take the form $x_{i} + x_{j} = x_{k}$ , or $x_{i} * x_{j} = x_{k}$ .
Generate a ZKP for satisfiability of the R1CS.
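To make the simplified constraint form concrete, the sketch below checks a witness against a list of addition and multiplication constraints. The circuit $(x_{1} + x_{2}) \cdot (x_{2} + w)$, the wire names, and the toy field $F_{97}$ are assumptions for illustration; real R1CS encodes constraints as matrices rather than tuples.

```python
P = 97  # toy prime field, assumed for illustration

# Witness: the inputs x1, x2, w plus one value per gate output.
wires = {"x1": 5, "x2": 6, "w": 1, "g0": 11, "g1": 7, "g2": 77}

# Each constraint (op, a, b, c) means: wires[a] op wires[b] = wires[c].
constraints = [
    ("+", "x1", "x2", "g0"),
    ("+", "x2", "w", "g1"),
    ("*", "g0", "g1", "g2"),
]


def satisfied(wires, constraints):
    """Return True when every constraint holds modulo P."""
    for op, a, b, c in constraints:
        lhs = wires[a] + wires[b] if op == "+" else wires[a] * wires[b]
        if (lhs - wires[c]) % P != 0:
            return False
    return True


print(satisfied(wires, constraints))
```

A proof system then convinces the verifier that such a satisfying assignment exists without revealing the hidden wire values.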

Types of SNARKs

There are two main types of SNARKs:

Short proofs with higher proving time complexity: These SNARKs offer compact proofs but have a prover time complexity of $O (n \log n)$. Examples include Groth16 and Plonk-KZG.
Longer proofs with faster proving times: These SNARKs prioritize faster proving times, resulting in longer proofs. Examples include FRI-based proofs, also known as STARKs (e.g., Plonky2).

The PLONK IOP for general circuits

PLONK: a poly-IOP for a general circuit $C (x, w)$

Step 1: compile circuit to a computation trace (gate fan-in=2)

Example circuit: $(x_{1} + x_{2}) \cdot (x_{2} + w)$, evaluated at $x_{1} = 5$, $x_{2} = 6$, $w = 1$.
The computation trace (arithmetization):

	left input	right input	output
inputs ( $x_{1}, x_{2}, w$ ):	5	6	1
Gate 0:	5	6	11
Gate 1:	6	1	7
Gate 2:	11	7	77

Encoding the trace as a polynomial

Notation:
$|C|$ := total number of gates in $C$, $|I| := |I_{x}| + |I_{w}|$ = number of inputs to $C$
Let $d := 3 |C| + |I|$ (in the example, $d = 12$) and $Ω := \{1, ω, ω^{2}, \dots, ω^{d - 1}\}$, where $ω$ is a primitive $d$-th root of unity in $F_{p}$

The plan:
prover interpolates a polynomial $T \in F_{p}^{(\leq d)} [X]$ that encodes the entire trace.

Prover interpolates $T \in F_{p}^{(\leq d)} [X]$ such that
(1) $T$ encodes all inputs: $T (ω^{- j}) =$ input # $j$ for $j = 1, \dots, |I|$
(2) $T$ encodes all wires: $\forall l = 0, \dots, ∣ C ∣ - 1$ :

$T (ω^{3 l}) :$ left input to gate # $l$
$T (ω^{3 l + 1}) :$ right input to gate # $l$
$T (ω^{3 l + 2}) :$ output of gate # $l$

In the example, Prover interpolates $T (X)$ such that:

inputs:	$T (ω^{- 1}) = 5$	$T (ω^{- 2}) = 6$	$T (ω^{- 3}) = 1$
Gate 0:	$T (ω^{0}) = 5$	$T (ω^{1}) = 6$	$T (ω^{2}) = 11$
Gate 1:	$T (ω^{3}) = 6$	$T (ω^{4}) = 1$	$T (ω^{5}) = 7$
Gate 2:	$T (ω^{6}) = 11$	$T (ω^{7}) = 7$	$T (ω^{8}) = 77$

degree( $T$ ) = 11
Prover can use IFFT to compute the coefficients of $T$ in time $O (d \log d)$
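The encoding of the example trace can be reproduced over a small field. In the sketch below the prime $p = 97$ and the root $ω = 6$ (an element of order 12 modulo 97) are assumptions picked so that $d = 12$ divides $p - 1$. Plain Lagrange interpolation is used in place of the IFFT mentioned above; it is slower, $O (d^{2})$, but yields the same polynomial.

```python
P = 97      # toy prime with 12 | (P - 1); assumed for illustration
D = 12      # d = 3|C| + |I| = 3*3 + 3 in the example
OMEGA = 6   # an element of multiplicative order 12 modulo 97


def evaluate(coeffs, x):
    """Evaluate a polynomial via Horner's rule; coeffs[i] multiplies X^i."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def interpolate(points):
    """Lagrange interpolation over F_P; returns coefficients, lowest degree first."""
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j == i:
                continue
            shifted = [0] + basis                        # X * basis
            scaled = [xj * b % P for b in basis] + [0]   # xj * basis
            basis = [(a - b) % P for a, b in zip(shifted, scaled)]
            denom = denom * (xi - xj) % P
        scale = yi * pow(denom, -1, P) % P
        for k, b in enumerate(basis):
            coeffs[k] = (coeffs[k] + scale * b) % P
    return coeffs


# Exponent e maps to the value T(omega^e); negative exponents hold the inputs.
trace = {-1: 5, -2: 6, -3: 1, 0: 5, 1: 6, 2: 11, 3: 6, 4: 1, 5: 7, 6: 11, 7: 7, 8: 77}
points = [(pow(OMEGA, e % D, P), value) for e, value in trace.items()]
T = interpolate(points)

print(len(T) - 1)                      # upper bound on the degree of T
print(evaluate(T, pow(OMEGA, 8, P)))   # value stored for the output of gate 2
```

Negative exponents are reduced modulo $d$, so $ω^{- 1} = ω^{11}$ and the twelve trace cells occupy all twelve points of $Ω$.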

Step 2: proving validity of $T$

Prover needs to prove that $T$ is a correct computation trace:
(1) $T$ encodes the correct inputs,
(2) every gate is evaluated correctly,
(3) the wiring is implemented correctly (wiring constraints),
(4) the output of last gate is 0.
Proving (4) is easy: prove $T (ω^{3 |C| - 1}) = 0$

Proving (1): T encodes the correct inputs

Both prover and verifier interpolate a polynomial $v (X) \in F_{p}^{(\leq |I_{x}|)} [X]$ that encodes the $x$-inputs to the circuit:
for $j = 1, \dots, |I_{x}|$ : $v (ω^{- j}) =$ input # $j$

In the example: $v (ω^{- 1}) = 5$, $v (ω^{- 2}) = 6$ ( $v$ is linear).
Constructing $v (X)$ takes time proportional to the size of the input $x$ $\Rightarrow$ the verifier has time to do this.

Let $Ω_{inp} := \{ω^{- 1}, ω^{- 2}, \dots, ω^{- |I_{x}|}\} \subseteq Ω$ (points encoding the input).
Prover proves (1) by using a ZeroTest on $Ω_{inp}$ to prove that
$T (y) - v (y) = 0 \quad \forall y \in Ω_{inp}$

Lemma: $f$ is zero on $Ω$ if and only if $f (X)$ is divisible by $Z_{Ω} (X)$, where $Z_{Ω} (X) := \prod_{a \in Ω} (X - a)$ is the vanishing polynomial of $Ω$.

Proving (2): every gate is evaluated correctly

Idea: encode gate types using a selector polynomial $S (X)$
Define $S (X) \in F_{p}^{(\leq d)} [X]$ such that $\forall l = 0, \dots, |C| - 1$ :

$S (ω^{3 l}) = 1$ if gate #l is an addition gate
$S (ω^{3 l}) = 0$ if gate #l is a multiplication gate

	left input	right input	output	$S (X)$
inputs:	5	6	1	
Gate 0:	5	6	11	1 (+)
Gate 1:	6	1	7	1 (+)
Gate 2:	11	7	77	0 ( $\times$ )

Then $\forall y \in Ω_{gates} := \{1, ω^{3}, ω^{6}, ω^{9}, \dots, ω^{3 (|C| - 1)}\}$ :
$S (y) \cdot [T (y) + T (ω y)] + (1 - S (y)) \cdot T (y) \cdot T (ω y) = T (ω^{2} y)$
Prover uses ZeroTest to prove that for all $y \in Ω_{gates}$ : $S (y) \cdot [T (y) + T (ω y)] + (1 - S (y)) \cdot T (y) \cdot T (ω y) - T (ω^{2} y) = 0$
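The gate identity can be checked row by row on the example trace. The sketch below works directly with the evaluations rather than with the interpolated polynomials, so `T[e]` stands for $T (ω^{e})$ and `S[l]` for $S (ω^{3 l})$; the list layout and the toy field $F_{97}$ are assumptions for illustration.

```python
P = 97  # toy prime field, assumed for illustration

# T[e] stands for T(omega^e) on the gate rows of the example trace.
T = [5, 6, 11, 6, 1, 7, 11, 7, 77]
# S[l] stands for S(omega^{3l}): 1 for an addition gate, 0 for multiplication.
S = [1, 1, 0]


def gate_residual(l):
    """Evaluate S*(left + right) + (1 - S)*left*right - out at y = omega^{3l}."""
    left, right, out = T[3 * l], T[3 * l + 1], T[3 * l + 2]
    s = S[l]
    return (s * (left + right) + (1 - s) * left * right - out) % P


print([gate_residual(l) for l in range(len(S))])
```

Every residual is zero exactly when each gate output matches its inputs, which is the statement the ZeroTest establishes for the polynomial version on $Ω_{gates}$.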

Proving (3): the wiring is correct

Encode the wires of $C$ :
$$\begin{cases} T (ω^{- 2}) = T (ω^{1}) = T (ω^{3}) \\ T (ω^{- 1}) = T (ω^{0}) \\ T (ω^{2}) = T (ω^{6}) \\ T (ω^{- 3}) = T (ω^{4}) \\ T (ω^{5}) = T (ω^{7}) \end{cases}$$
Define a polynomial $W : Ω \to Ω$ that implements a rotation on each group of equal wires: $W (ω^{- 2}, ω^{1}, ω^{3}) = (ω^{1}, ω^{3}, ω^{- 2})$, $W (ω^{- 1}, ω^{0}) = (ω^{0}, ω^{- 1})$, $\dots$
Lemma: $\forall y \in Ω : T (y) = T (W (y)) \Rightarrow$ wire constraints are satisfied
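The rotation $W$ and the wiring check can be sketched on exponents instead of field elements. In the code below, position `e` stands for the point $ω^{e}$; the dictionary representation and the helper name `build_rotation` are assumptions for illustration.

```python
# Trace values keyed by exponent e, meaning T(omega^e); negative e are inputs.
T = {-1: 5, -2: 6, -3: 1, 0: 5, 1: 6, 2: 11, 3: 6, 4: 1, 5: 7, 6: 11, 7: 7, 8: 77}

# Each cycle lists positions that must carry the same value.
cycles = [(-2, 1, 3), (-1, 0), (2, 6), (-3, 4), (5, 7)]


def build_rotation(cycles, positions):
    """Map each position to the next one in its cycle; others are fixed points."""
    W = {e: e for e in positions}
    for cyc in cycles:
        for i, e in enumerate(cyc):
            W[e] = cyc[(i + 1) % len(cyc)]
    return W


W = build_rotation(cycles, T.keys())
print(all(T[e] == T[W[e]] for e in T))
```

If $T (y) = T (W (y))$ holds at every position, the values are constant along each cycle, which is exactly the set of wiring equalities listed above.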

The complete Plonk Poly-IOP (and SNARK)

Prover proves:
gates: (1) $S (y) \cdot [T (y) + T (ω y)] + (1 - S (y)) \cdot T (y) \cdot T (ω y) - T (ω^{2} y) = 0 \quad \forall y \in Ω_{gates}$
inputs: (2) $T (y) - v (y) = 0 \quad \forall y \in Ω_{inp}$
wires: (3) $T (y) - T (W (y)) = 0 \quad \forall y \in Ω$ (using the prescribed permutation check)
output: (4) $T (ω^{3 |C| - 1}) = 0$ (output of last gate = 0)

The eSTARK protocol is a new probabilistic proof that generalizes the STARK family through the introduction of a more generic intermediate representation called eAIR. The details can be found in the eSTARK protocol reference, and the arguments used in the proof are described below:

1. Notation

We denote by $F$ a finite field of prime order $p$ and by $F^{\times}$ its multiplicative group, and define $k$ to be the largest non-negative integer such that $2^{k} \mid (p - 1)$. We also write $K$ to denote a finite field extension of $F$ of size $p^{e}$, $e \geq 2$. Furthermore, we write $F [X]$ (resp. $K [X]$) for the ring of polynomials with coefficients over $F$ (resp. $K$) and $F_{< d} [X]$ (resp. $K_{< d} [X]$) for the set of polynomials of degree lower than $d$.

2. Multiset Equality

The details and examples can be found in Permutation argument.

Grand Product

Let $G = ⟨ g ⟩$ be a cyclic subgroup of $F^{\times}$ of order $n$.

Given two vectors $f = (f_{1}, \dots, f_{n})$ and $t = (t_{1}, \dots, t_{n})$ in $F^{n}$, a multiset equality argument, denoted $f ≐ t$, is used for checking that $f$ is equal to $t$ as multisets (or equivalently, that $f$ and $t$ are a permutation of each other). The protocol that instantiates the multiset equality argument works by computing the following grand product polynomial $Z \in K_{< n} [X]$ :

$$Z (g^{i}) = \begin{cases} 1, & \text{if } i = 1 \\ \prod_{j = 1}^{i - 1} \frac{f_{j} + γ}{t_{j} + γ}, & \text{if } i = 2, \dots, n \end{cases} \tag{1}$$

where $γ \in K$ is the value sent from the verifier.

Soundness of Multiset Equality

Lemma 1: Fix two vectors $f = (f_{1}, \dots, f_{n})$ and $t = (t_{1}, \dots, t_{n})$ in $F^{n}$. If the following holds with probability larger than $ε_{MulEq} (n) := n / |K|$ over a random $γ \in K$ :

$$\prod_{i = 1}^{n} (f_{i} + γ) = \prod_{i = 1}^{n} (t_{i} + γ) \tag{2}$$

then $f ≐ t$.

As a consequence of Lemma 1, the identities that must be checked by the verifier for $x \in G$ are the following:

$$L_{1} (x) \cdot (Z (x) - 1) = 0, \qquad Z (x \cdot g) \cdot (t (x) + γ) = Z (x) \cdot (f (x) + γ) \tag{3}$$

where $f, t \in F_{< n} [X]$ are the polynomials resulting from the interpolation of $\{f_{i}\}_{i \in [n]}$ and $\{t_{i}\}_{i \in [n]}$ over $G$, respectively, and $L_{1}$ denotes the Lagrange polynomial that equals 1 at $g$ and 0 on the rest of $G$.

The committed polynomial is the grand product polynomial $Z \in K_{< n} [X]$, and the two constraints are expressed in Eq. $(3)$.
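The grand product and the two identities of Eq. (3) can be traced on a small example. The sketch below stores the values $Z (g^{1}), \dots, Z (g^{n})$ in a list and uses the fact that $G$ is cyclic, so $Z (g^{n} \cdot g) = Z (g)$. For simplicity it draws the challenge from the toy field $F_{97}$ instead of an extension $K$, and fixes $γ$; both are assumptions for illustration.

```python
P = 97  # toy prime field standing in for K; assumed for illustration


def grand_product(f, t, gamma):
    """Return [Z(g^1), ..., Z(g^n)] as in Eq. (1) and the full product ratio."""
    z = [1]
    for fj, tj in zip(f, t):
        ratio = (fj + gamma) * pow((tj + gamma) % P, -1, P) % P
        z.append(z[-1] * ratio % P)
    return z[:-1], z[-1]


def check_identities(f, t, gamma):
    """Check both identities of Eq. (3) at every point of G."""
    z, _ = grand_product(f, t, gamma)
    n = len(f)
    if z[0] != 1:                  # L_1(x) * (Z(x) - 1) = 0
        return False
    for i in range(n):
        nxt = z[(i + 1) % n]       # Z(x * g), wrapping around the cyclic group
        if (nxt * (t[i] + gamma) - z[i] * (f[i] + gamma)) % P != 0:
            return False
    return True


f = [3, 1, 4, 1, 5]
t = [1, 1, 3, 4, 5]   # a permutation of f
gamma = 29            # verifier challenge, fixed here for reproducibility

print(check_identities(f, t, gamma))
print(check_identities(f, [1, 1, 3, 4, 6], gamma))
```

The wrap-around step at $x = g^{n}$ is what forces the full product of ratios to equal 1, that is, Eq. (2).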

3. Connection

The protocol for a connection argument and the definitions and results we provide next are adapted from GWC19. The details and examples can be found in Connection argument.

Given some vectors $f_{1}, \dots, f_{k} \in F^{n}$ and a partition $T = \{T_{1}, \dots, T_{s}\}$ of the set $[kn]$, a connection argument, denoted $(f_{1}, \dots, f_{k}) \propto \{T_{1}, \dots, T_{s}\}$, is used to check that the partition $T$ divides the field elements $\{f_{i, j}\}_{i \in [k], j \in [n]}$ into sets with the same value. More specifically, if we define the sequence $f_{(1)}, \dots, f_{(kn)} \in F$ by:

$$f_{((i - 1) n + j)} := f_{i, j} \tag{4}$$

for each $i \in [k], j \in [n]$, then we have $f_{(l_{1})} = f_{(l_{2})}$ if and only if $l_{1}, l_{2}$ belong to the same block of $T$.

In order to express the partition $T$ within a grand product polynomial, we define a permutation $σ : [kn] \to [kn]$ as follows: $σ$ is such that, for each block $T_{i}$ of $T$, $σ$ contains a cycle going over all elements of $T_{i}$. Then, the protocol that instantiates the connection argument works by computing the following grand product polynomial $Z \in K_{< n} [X]$ :

$$Z (g^{i}) = \begin{cases} 1, & \text{if } i = 1 \\ \prod_{l = 1}^{k} \prod_{j = 1}^{i - 1} \frac{f_{l, j} + γ \cdot ((l - 1) \cdot n + j) + δ}{f_{l, j} + γ \cdot σ ((l - 1) \cdot n + j) + δ}, & \text{if } i = 2, \dots, n \end{cases} \tag{5}$$

where $γ, δ \in K$ are the values sent from the verifier.

The definition of the previous polynomial is based on the following lemma, a proof of which can be found in Claim A.1. of GWC19.

Lemma 2. Fix $f_{1}, \dots, f_{k} \in F^{n}$ and a partition $T = \{T_{1}, \dots, T_{s}\}$ of the set $[kn]$. If the following holds with probability larger than $ε_{Con} (n) := kn / |K|$ over random $γ, δ \in K$ :

$$\prod_{l = 1}^{k} \prod_{j = 1}^{n} (f_{l, j} + γ \cdot ((l - 1) \cdot n + j) + δ) = \prod_{l = 1}^{k} \prod_{j = 1}^{n} (f_{l, j} + γ \cdot σ ((l - 1) \cdot n + j) + δ) \tag{6}$$

then $(f_{1}, \dots, f_{k}) \propto \{T_{1}, \dots, T_{s}\}$.

As a consequence of Lemma 2, the identities that must be checked by the verifier for $x \in G$ are the following:

$$L_{1} (x) \cdot (Z (x) - 1) = 0, \qquad Z (x \cdot g) \cdot \prod_{l = 1}^{k} (f_{l} (x) + γ \cdot S_{σ_{l}} (x) + δ) = Z (x) \cdot \prod_{l = 1}^{k} (f_{l} (x) + γ \cdot S_{ID_{l}} (x) + δ) \tag{7}$$

where $S_{ID_{i}} (g^{j}) = (i - 1) \cdot n + j$ is the polynomial mapping $G$-elements to indexes in $[kn]$ and $S_{σ_{i}} (g^{j}) = σ ((i - 1) \cdot n + j)$ is the polynomial defined by $σ$. For more details see GWC19.

The committed polynomial is the grand product polynomial $Z \in K_{< n} [X]$, and the two constraints are expressed in Eq. $(7)$.
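The product identity of Eq. (6) can be tried on a tiny instance. In the sketch below, $k = 2$ columns of length $n = 3$ are flattened according to Eq. (4), and $σ$ is built with one cycle per block of the partition. The toy field $F_{97}$ in place of $K$, the fixed challenges, and the sample values are assumptions for illustration.

```python
P = 97                 # toy prime field standing in for K; assumed for illustration
gamma, delta = 3, 10   # stand-ins for the verifier's challenges


def products(values, sigma):
    """Return both sides of Eq. (6) for the flattened sequence f_(1), ..., f_(kn)."""
    lhs = rhs = 1
    for idx, v in enumerate(values, start=1):
        lhs = lhs * (v + gamma * idx + delta) % P
        rhs = rhs * (v + gamma * sigma[idx] + delta) % P
    return lhs, rhs


# Flattening as in Eq. (4): f_((i-1)n + j) = f_{i,j}.
columns = [[5, 6, 5], [6, 7, 7]]
flat = [v for col in columns for v in col]

# Partition of [kn] into blocks of equal value, and sigma with one cycle per block.
blocks = [(1, 3), (2, 4), (5, 6)]
sigma = {}
for block in blocks:
    for pos, idx in enumerate(block):
        sigma[idx] = block[(pos + 1) % len(block)]

lhs, rhs = products(flat, sigma)
print(lhs == rhs)
```

When all values inside a block agree, applying $σ$ only reorders the factors, so both products coincide; a value that breaks a block changes the two sides differently, except with small probability over the challenges.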

4. Inclusion

The protocol for an inclusion argument and the definitions and results we provide next are adapted from the well-known Plookup protocol GW20, with the “alternating method” provided in [PFM+22](https://eprint.iacr.org/2022/086). The details and examples can be found in Inclusion argument.

Given two vectors $f = (f_{1}, \dots, f_{n})$ and $t = (t_{1}, \dots, t_{n})$ in $F^{n}$, an inclusion argument, denoted $f \in t$, is used for checking that the set $A$ formed with the values $\{f_{i}\}_{i \in [n]}$ is contained in the set $B$ formed with the values $\{t_{i}\}_{i \in [n]}$. Notice that $|A|, |B| \leq n$.

In the protocol, the prover has to construct an auxiliary vector $s = (s_{1}, \dots, s_{2 n})$ containing every element of $f$ and $t$, where the order of appearance is the same as in $t$. The main idea behind the protocol is that if $f \in t$, then $f$ contributes to $s$ with repeated elements. To check this fact, a vector $Δ s$ is defined as follows:

$$Δ s = (s_{1} + γ s_{2}, s_{2} + γ s_{3}, \dots, s_{2 n} + γ s_{1}) \tag{8}$$

Then, the protocol essentially checks that $Δ s$ is consistent with the elements of $f$, $t$ and $s$. To do so, the vector $s$ is split into two vectors $h_{1}, h_{2} \in F^{n}$. In the protocol described in GW20, $h_{1}$ and $h_{2}$ contain the lower and upper halves of $s$, while in our protocol in [PFM+22](https://eprint.iacr.org/2022/086), we use $h_{1}$ to store elements with odd indexes and $h_{2}$ for even indexes, that is:

$$h_{1} = (s_{1}, s_{3}, s_{5}, \dots, s_{2 n - 1}) \quad \text{and} \quad h_{2} = (s_{2}, s_{4}, s_{6}, \dots, s_{2 n}) \tag{9}$$

With this setting in mind, the grand product polynomial is defined as:

$$Z (g^{i}) = \begin{cases} 1, & \text{if } i = 1 \\ (1 + γ)^{i - 1} \prod_{j = 1}^{i - 1} \frac{(δ + f_{j}) (δ (1 + γ) + t_{j} + γ t_{j + 1})}{(δ (1 + γ) + s_{2 j - 1} + γ s_{2 j}) (δ (1 + γ) + s_{2 j} + γ s_{2 j + 1})}, & \text{if } i = 2, \dots, n \end{cases} \tag{10}$$

where $γ, δ \in K$ are the values sent from the verifier.

The definition of the previous polynomial is based on the following lemma, which is a slight modification of Claim 3.1. of GW20.

Lemma 3 (Soundness of Inclusion). Fix three vectors $f = (f_{1}, \dots, f_{n})$, $t = (t_{1}, \dots, t_{n})$ and $s = (s_{1}, \dots, s_{2 n})$ with elements in $F$. If the following holds with probability larger than $ε_{Inc} (n) := \frac{4 n - 2}{|K|}$ over random $γ, δ \in K$ :

$$(1 + γ)^{n} \prod_{i = 1}^{n} (δ + f_{i}) \prod_{i = 1}^{n - 1} (δ (1 + γ) + t_{i} + γ t_{i + 1}) = \prod_{i = 1}^{2 n - 1} (δ (1 + γ) + s_{i} + γ s_{i + 1}) \tag{11}$$

then $f \in t$ and $s$ is the concatenation of $f$ and $t$ sorted by $t$.

As a consequence of Lemma 3, the identities that must be checked by the verifier for $x \in G$ are the following:

$$L_{1} (x) (Z (x) - 1) = 0, \qquad Z (x \cdot g) = Z (x) \frac{(1 + γ) (δ + f (x)) (δ (1 + γ) + t (x) + γ t (gx))}{(δ (1 + γ) + h_{1} (x) + γ h_{2} (x)) (δ (1 + γ) + h_{2} (x) + γ h_{1} (x \cdot g))} \tag{12}$$

where $f, t \in F_{< n} [X]$ are the polynomials resulting from the interpolation of $\{f_{i}\}_{i \in [n]}$ and $\{t_{i}\}_{i \in [n]}$ over $G$, respectively; $h_{1}, h_{2} \in F_{< n} [X]$ are the polynomials resulting from the interpolation of the values defined in Eq. $(9)$ over $G$.

The committed polynomials are the grand product polynomial $Z \in K_{< n} [X]$ together with $h_{1}, h_{2} \in F_{< n} [X]$, and the two constraints are expressed in Eq. $(12)$.
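The construction of $s$ and the identity of Eq. (11) can be checked numerically. The sketch below assumes that $t$ has distinct entries and that every $f_{i}$ occurs in $t$; the toy field $F_{97}$ in place of $K$, the fixed challenges, and the helper names are also assumptions for illustration.

```python
P = 97  # toy prime field standing in for K; assumed for illustration


def sorted_by(f, t):
    """Concatenate f and t, ordered by position in t (assumes f is included in t)."""
    rank = {}
    for i, v in enumerate(t):
        rank.setdefault(v, i)
    return sorted(f + t, key=lambda v: rank[v])


def lhs(f, t, gamma, delta):
    """Left-hand side of Eq. (11)."""
    acc = pow(1 + gamma, len(f), P)
    for fi in f:
        acc = acc * (delta + fi) % P
    for a, b in zip(t, t[1:]):
        acc = acc * (delta * (1 + gamma) + a + gamma * b) % P
    return acc


def rhs(s, gamma, delta):
    """Right-hand side of Eq. (11)."""
    acc = 1
    for a, b in zip(s, s[1:]):
        acc = acc * (delta * (1 + gamma) + a + gamma * b) % P
    return acc


f = [2, 2, 5, 7]
t = [2, 5, 7, 9]
gamma, delta = 3, 10

s = sorted_by(f, t)
h1, h2 = s[0::2], s[1::2]   # odd and even positions, as in Eq. (9)
print(s, h1, h2)
print(lhs(f, t, gamma, delta) == rhs(s, gamma, delta))
```

Each repeated neighbour pair in $s$ contributes a factor $(1 + γ) (δ + f_{i})$, and each pair of distinct neighbours matches a consecutive pair of $t$, which is why the two sides agree.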

5. From Vector Arguments to Simple Arguments

Let’s explain first how we reduce vector inclusions or multiset equalities to simple (i.e., involving only one polynomial on each side) inclusions or multiset equalities.

Definition 1 (Vector Arguments). Given polynomials $f_{i}, t_{i} \in K_{< n} [X]$ for $i \in [N]$, a vector inclusion, denoted $(f_{1}, \dots, f_{N}) \in (t_{1}, \dots, t_{N})$, is the argument in which for all $x \in G$ there exists some $y \in G$ such that:

$$(f_{1} (x), \dots, f_{N} (x)) = (t_{1} (y), \dots, t_{N} (y)) \tag{13}$$

A vector multiset equality, denoted $(f_{1}, \dots, f_{N}) ≐ (t_{1}, \dots, t_{N})$, is the argument in which for all $y \in G$ there exists exactly one $x \in G$ for which Eq. $(13)$ holds. That is, (vector) multiset equalities define a bijective mapping.

To reduce the previous vector arguments to simple ones, we make use of a uniformly sampled element $α \in K$. Namely, instead of trying to generate an argument for the vector relation, we define the following polynomials:

$$F^{'} (X) := \sum_{i = 1}^{N} α^{i - 1} f_{i} (X), \qquad T^{'} (X) := \sum_{i = 1}^{N} α^{i - 1} t_{i} (X) \tag{14}$$

and proceed to prove the relation $F^{'} \in T^{'}$ or $F^{'} ≐ T^{'}$. Notice that both $F^{'}$ and $T^{'}$ are in general polynomials with coefficients over the field extension $K$, even if every coefficient of $f_{i}$, $t_{i}$ lies in the base field $F$.

The previous reduction leads to the following result.

Lemma 4. Given polynomials $f_{i}, t_{i} \in K_{< n} [X]$ for $i \in [N]$ and $F^{'}, T^{'} \in K_{< n} [X]$ as defined by Eq. $(14)$ , if $F^{'} \in T^{'}$ (resp. $F^{'} ≐ T^{'}$ ), then $(f_{1}, \dots, f_{N}) \in (t_{1}, \dots, t_{N})$ (resp. $(f_{1}, \dots, f_{N}) ≐ (t_{1}, \dots, t_{N})$ ) except with probability $n \cdot (N - 1) /∣ K ∣$ over the random choice of $α$ .

6. From Selected Vector Arguments to Simple Arguments

Now, let’s go one step further by the introduction of selectors. Informally speaking, a selected inclusion (multiset equality) is an inclusion (multiset equality) not between the specified two polynomials $f$ , $t$ , but between the polynomials generated by the multiplication of $f$ and $t$ with (generally speaking) independently generated selectors. We generalize to the vector setting.

Definition 2 (Selected Vector Arguments). We are given polynomials $f_{i}, t_{i} \in K_{< n} [X]$ for $i \in [N]$. Furthermore, we are also given two polynomials $f^{sel}, t^{sel} \in K_{< n} [X]$ whose range over the domain $G$ is $\{0, 1\}$. That is, $f^{sel}$ and $t^{sel}$ are selectors. A selected vector inclusion, denoted $f^{sel} \cdot (f_{1}, \dots, f_{N}) \in t^{sel} \cdot (t_{1}, \dots, t_{N})$, is the argument in which for all $x \in G$ there exists some $y \in G$ such that:

$$f^{sel} (x) \cdot (f_{1} (x), \dots, f_{N} (x)) = t^{sel} (y) \cdot (t_{1} (y), \dots, t_{N} (y)) \tag{15}$$

where $f^{sel} (x) \cdot (f_{1} (x), \dots, f_{N} (x))$ denotes the component-wise scalar multiplication between the field element $f^{sel} (x)$ and the vector $(f_{1} (x), \dots, f_{N} (x))$.

A selected vector multiset equality, denoted $f^{sel} \cdot (f_{1}, \dots, f_{N}) ≐ t^{sel} \cdot (t_{1}, \dots, t_{N})$, is the argument in which for all $y \in G$ there exists exactly one $x \in G$ for which Eq. (15) holds.

Remark 1. Note that if $f^{se l} = t^{se l} = 1$ , then Eq. (15) is reduced to (13); if $f^{se l} = t^{se l} = 0$ then the argument is trivial; and if either $f^{se l}$ or $t^{se l}$ is equal to the constant 1, then we remove the need for $f^{se l}$ or $t^{se l}$ respectively.

To reduce selected vector inclusions to simple ones, we proceed in two steps. First, we use the reduction shown in Eq. $(14)$ to reduce the inner vector of polynomials to a single one. This process outputs polynomials $F^{'}, T^{'} \in K_{< n} [X]$. Second, we make use of another uniformly sampled $β \in K$ and define the following polynomials:

$$T (X) := t^{sel} (X) (T^{'} (X) - β) + β, \qquad F (X) := f^{sel} (X) (F^{'} (X) - T^{'} (X)) + T^{'} (X) \tag{16}$$

and proceed to prove the relation $F \in T$.

Importantly, the presentation “re-ordering” in Eq. $(16)$ is relevant: if $β$ had been introduced in the definition of $F$ instead, then there would be situations in which we would end up having $β$ as an inclusion value and therefore the inclusion argument not being satisfied even if the selectors are correct. See Example 1 to see why this is relevant.

Example 1. Choose $N = 1, n = 2^{3}$ . We compute the following values:

$x$	$f_{1} (x)$	$F^{'} (x)$	$f^{se l} (x)$	$F (x)$	$t_{1} (x)$	$T^{'} (x)$	$t^{se l} (x)$	$T (x)$
$g$	3	3	0	1	$1$	$1$	$1$	$1$
$g^{2}$	$7$	$7$	$1$	$7$	1	1	0	$β$
$g^{3}$	4	4	0	7	$7$	$7$	$1$	$7$
$g^{4}$	$1$	$1$	$1$	$1$	6	6	0	$β$
$g^{5}$	$5$	$5$	$1$	$5$	$5$	$5$	$1$	$5$
$g^{6}$	1	1	0	5	$5$	$5$	$1$	$5$
$g^{7}$	$2$	$2$	$1$	$2$	5	5	0	$β$
$g^{8}$	$5$	$5$	$1$	$5$	$2$	$2$	$1$	$2$

Notice how $F \in T$. However, if we had instead defined $F$, $T$ as $F (X) = f^{sel} (X) [F^{'} (X) - β] + β$ and $T (X) = t^{sel} (X) [T^{'} (X) - F (X)] + F (X)$, then we would end up having $β$ as an inclusion value, which implies that $F \notin T$ even though $f_{1}$, $t_{1}$ and $f^{sel}$, $t^{sel}$ are correct.

To reduce selected vector multiset equalities to simple ones, we follow a similar process as with selected vector inclusions. We also first use the reduction in Eq. $(14)$ to reduce the inner vector argument to a simple one, but then we define the following polynomials:

$$T (X) := t^{sel} (X) (T^{'} (X) - β) + β, \qquad F (X) := f^{sel} (X) (F^{'} (X) - β) + β \tag{17}$$

and proceed to prove the relation $F ≐ T$. Here, we have been able to first define $F$ since we are dealing with multiset equalities instead of inclusions.

Similarly to Lemma 4, we obtain the following result by observing that $β$ does not increase the total degree of the polynomials $F, T$ (either from Eq. $(16)$ or Eq. $(17)$) over the variables $α, β$.

We generalize to selected vector arguments the protocols for (simple) inclusion arguments and multiset equality arguments explained in Sections 2 and 4 by incorporating the reduction strategies explained in this section. Therefore, we give next the soundness bounds for these protocols.
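The table of Example 1 and the effect of the ordering can be reproduced with a few list comprehensions. In the sketch below, $N = 1$, so $F^{'} = f_{1}$ and $T^{'} = t_{1}$; the toy field $F_{97}$ and the concrete value chosen for $β$ are assumptions standing in for a random challenge.

```python
P = 97      # toy prime field, assumed for illustration
beta = 42   # stand-in for the verifier's random challenge

# Columns of Example 1, listed for x = g, g^2, ..., g^8.
f1    = [3, 7, 4, 1, 5, 1, 2, 5]
f_sel = [0, 1, 0, 1, 1, 0, 1, 1]
t1    = [1, 1, 7, 6, 5, 5, 5, 2]
t_sel = [1, 0, 1, 0, 1, 1, 0, 1]

# Eq. (16): T = t_sel * (T' - beta) + beta and F = f_sel * (F' - T') + T'.
T = [(ts * (t - beta) + beta) % P for t, ts in zip(t1, t_sel)]
F = [(fs * (f - t) + t) % P for f, fs, t in zip(f1, f_sel, t1)]
print(set(F) <= set(T))

# Alternative ordering discussed in the text: beta enters through F instead.
F_alt = [(fs * (f - beta) + beta) % P for f, fs in zip(f1, f_sel)]
T_alt = [(ts * (t - fa) + fa) % P for t, ts, fa in zip(t1, t_sel, F_alt)]
print(set(F_alt) <= set(T_alt))
```

With the ordering of Eq. (16), unselected rows of $F$ fall back to values already in $T$, whereas the alternative ordering places $β$ into $F$ on rows where $T$ does not contain it.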

Lemma 5. Given polynomials $f_{i}, t_{i} \in K_{< n} [X]$ for $i \in [N]$ and selectors $f^{se l}, t^{se l} \in K_{< n} [X]$ , we obtain:

Inclusion Protocol. Let $T \in K_{< 2 n - 1} [X]$ and $F \in K_{< 3 n - 1} [X]$ be as defined by Eq. $(16)$. The prover sends oracle functions $[f_{i}], [t_{i}], [f^{sel}], [t^{sel}]$ for $i \in [N]$ to the verifier in the first round, who responds with uniformly sampled $α, β \in K$. Enlarge the set of identities that must be checked by the verifier in the inclusion protocol of Section 4 with:

$$f^{sel} (x) (f^{sel} (x) - 1) = 0, \qquad t^{sel} (x) (t^{sel} (x) - 1) = 0 \tag{18}$$

for all $x \in G$, i.e., the verifier checks that the polynomials $f^{sel}, t^{sel}$ are valid selectors.

Multiset Equality Protocol. Let $F, T \in K_{< 2 n - 1} [X]$ be as defined by Eq. $(17)$. The prover sends oracle functions $[f_{i}], [t_{i}], [f^{sel}], [t^{sel}]$ for $i \in [N]$ to the verifier in the first round, who responds with uniformly sampled $α, β \in K$. Enlarge the set of identities that must be checked by the verifier in the multiset equality protocol of Section 2 with:

$$f^{sel} (x) (f^{sel} (x) - 1) = 0, \qquad t^{sel} (x) (t^{sel} (x) - 1) = 0 \tag{19}$$

for all $x \in G$.

Example 2. Say that for all $x \in G$ the prover wants to prove that he knows some polynomials $tr_{1}, tr_{2}, tr_{3}, tr_{4}, tr_{5} \in F_{< n - 1} [X]$ such that:

$$tr_{1} \in tr_{3}, \qquad tr_{3} ≐ tr_{4}, \qquad (tr_{2}, tr_{1}, tr_{5}) \propto (S_{σ_{1}}, S_{σ_{2}}, S_{σ_{3}}) \tag{20}$$

Following the previous section and this section, the polynomial constraint system $(20)$ gets transformed to the following one, so that for all $x \in G$ :

$$\begin{aligned}
& L_{1} (x) (Z_{1} (x) - 1) = 0, \\
& Z_{1} (gx) = Z_{1} (x) \frac{(1 + β) (γ + tr_{1} (x)) (γ (1 + β) + tr_{3} (x) + β tr_{3} (gx))}{(γ (1 + β) + h_{1, 1} (x) + β h_{1, 2} (x)) (γ (1 + β) + h_{1, 2} (x) + β h_{1, 1} (gx))}, \\
& L_{1} (x) (Z_{2} (x) - 1) = 0, \\
& Z_{2} (gx) = Z_{2} (x) \frac{γ + tr_{3} (x)}{γ + tr_{4} (x)}, \\
& L_{1} (x) (Z_{3} (x) - 1) = 0, \\
& im_{1} (x) = (tr_{1} (x) + β k_{1} x + γ) (tr_{5} (x) + β k_{2} x + γ), \\
& im_{2} (x) = (tr_{1} (x) + S_{σ_{2}} (x) + γ) (tr_{5} (x) + S_{σ_{3}} (x) + γ), \\
& Z_{3} (gx) = Z_{3} (x) \frac{(tr_{2} (x) + β x + γ) \, im_{1} (x)}{(tr_{2} (x) + S_{σ_{1}} (x) + γ) \, im_{2} (x)},
\end{aligned} \tag{21}$$

where we notice that the only type of argument that sometimes needs to be adjusted is the connection argument.

7. On the Quotient Polynomial

We obtain a single random value $α \in K$ and define the quotient polynomial as a random linear combination of the rational functions $q_{i}$ as follows:

$$Q (X) = \sum_{i = 1}^{ℓ} α^{i - 1} q_{i} (X) \tag{22}$$

Note that we use powers of a uniformly sampled value $α$ instead of sampling one value per constraint. Importantly, the soundness bound of this alternative version is linearly increased by the number of constraints $ℓ$, so we might assume from now on that $ℓ$ is sublinear in $|K|$ to ensure the security of protocols.

8. Controlling the Constraint Degree with Intermediate Polynomials

In the vanilla STARK protocol, the initial set of constraints that one attempts to compute the proof over is of unbounded degree. However, after computing the quotient polynomial $Q$, it should be split into polynomials of degree lower than $n$ to ensure the same redundancy is added as with the trace column polynomials $tr_{i}$ for a sound application of the FRI protocol. In this section, we explain an alternative for this process and propose the split to happen “at the beginning” and not “at the end” of the proof computation.

Therefore, we will proceed with this approach assuming that the arguments in Sections 2-4 are included among the initial set of constraints. The constraints imposed by the grand product polynomials $Z_{i}$ of multiset equalities and inclusions are of known degree: degree 2 for the former and degree 3 for the latter. Based on this information, we will propose a splitting procedure that allows for polynomial constraints up to degree 3 but will split any exceeding it.

Say the initial set of polynomial constraints $C = \{C_{1}, \dots, C_{ℓ}\}$ contains a constraint of total degree greater than or equal to 4. For instance, say that we have $C = \{C_{1}, C_{2}\}$ with:

$$\begin{aligned}
C_{1} (X_{1}, X_{2}, X_{3}, X_{1}^{'}, X_{2}^{'}, X_{3}^{'}) &= X_{1} \cdot X_{2} \cdot X_{2}^{'} \cdot X_{3}^{'} - X_{3}^{3}, \\
C_{2} (X_{1}, X_{2}, X_{3}, X_{1}^{'}, X_{2}^{'}, X_{3}^{'}) &= X_{2} - 7 \cdot X_{1}^{'} + X_{3}^{'}
\end{aligned} \tag{23}$$

Now, instead of directly computing the (unbounded) quotient polynomial $Q$ and then doing the split, we will follow the following process:

Split the constraints of degree $t \geq 4$ into $⌈ t / 3 ⌉$ constraints of degree lower than or equal to 3 through the introduction of one formal variable and one constraint per split.
Compute the rational functions $q_{i}$. Notice that the previous step restricts the degree of the $q_{i}$'s to be lower than $2 n$.
Compute the quotient polynomial $Q \in F_{< 2 n} [X]$ and then split it into (at most) two polynomials $Q_{1}$ and $Q_{2}$ of degree lower than $n$ as follows: $Q (X) = Q_{1} (X) + X^{n} \cdot Q_{2} (X) \quad (24)$, where $Q_{1}$ is obtained by taking the first $n$ coefficients of $Q$ and $Q_{2}$ is obtained by taking the last $n$ coefficients (filling with zeros if necessary).
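The split of Eq. (24) amounts to slicing the coefficient list of $Q$. The sketch below pads with zeros when $Q$ has fewer than $2 n$ coefficients and checks the identity at one point; the toy field $F_{97}$, the sample coefficients, and the helper names are assumptions for illustration.

```python
P = 97  # toy prime field, assumed for illustration


def evaluate(coeffs, x):
    """Evaluate a polynomial via Horner's rule; coeffs[i] multiplies X^i."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split(q_coeffs, n):
    """Split Q of degree < 2n into Q1, Q2 of degree < n with Q = Q1 + X^n * Q2."""
    padded = q_coeffs + [0] * (2 * n - len(q_coeffs))
    return padded[:n], padded[n:]


n = 4
Q = [3, 1, 4, 1, 5, 9]   # degree 5 < 2n
Q1, Q2 = split(Q, n)

x = 10
recombined = (evaluate(Q1, x) + pow(x, n, P) * evaluate(Q2, x)) % P
print(Q1, Q2, evaluate(Q, x) == recombined)
```

If $Q$ already has degree lower than $n$, the second list is all zeros, which matches the case where $Q_{2}$ is identically 0.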

Remark 2*.* Here, we might have that $Q_{2}$ is identically equal to 0. This is in contrast with the technique used for the split in Vanilla STARK, where the quotient polynomial $Q$ is distributed uniformly across each of the trace quotient polynomials $Q_{i}$ .

This process will “control” the degree of $Q$ so that it will be always of a degree lower than 2 $n$ .

Following with the example in Eq. $(23)$ , we rename $C_{2}$ to $C_{3}$ and introduce the formal variable $Y_{1}$ and the constraint: $C_{2} (X_{1}, X_{2}, X_{3}, X_{1}^{'}, X_{2}^{'}, X_{3}^{'}) = X_{1} \cdot X_{2} - Y_{1} (25)$ Now, to compute the rational functions $q_{i}$ , we have to compose $C_{2}$ not only with the trace column polynomials $tr_{i}$ but also with additional polynomials corresponding with the introduced variables $Y_{i}$ . We will denote these polynomials as $im_{i}$ and refer to them as intermediate polynomials.

Hence, the set of constraints in $(23)$ gets augmented to the following set:

$C_{1} (X_{1}, X_{2}, X_{3}, X_{1}^{'}, X_{2}^{'}, X_{3}^{'}, Y_{1}) = Y_{1} \cdot X_{2}^{'} \cdot X_{3}^{'} - X_{3}^{3},$

$C_{2} (X_{1}, X_{2}, X_{3}, X_{1}^{'}, X_{2}^{'}, X_{3}^{'}, Y_{1}) = X_{1} \cdot X_{2} - Y_{1},$

$C_{3} (X_{1}, X_{2}, X_{3}, X_{1}^{'}, X_{2}^{'}, X_{3}^{'}, Y_{1}) = X_{2} - 7 \cdot X_{1}^{'} + X_{3}^{'}, \qquad (26)$

where we include the variable $Y_{1}$ in $C_{3}$ for notational simplicity. Note that every constraint now has degree at most 3, at the cost of one extra variable and one extra constraint.

Discussing the tradeoff between the two approaches in more depth, we have on one side that $deg (Q) = \max_{i} \{deg (q_{i})\} = \max_{i} \{deg (C_{i}) (n - 1) - ∣ G ∣\}$ . Denote by $i_{max}$ the index of the $q_{i}$ where the maximum is attained. Then, the number of polynomials $S$ in the split of $Q$ is equal to:

$S = ⌈ \frac{deg (Q)}{n} ⌉ = ⌈ \frac{deg (C_{i_{max}}) (n - 1) - ∣ G ∣}{n} ⌉ = deg (C_{i_{max}}) + ⌈ - \frac{deg (C_{i_{max}}) + ∣ G ∣}{n} ⌉$

which is equal to either $deg (C_{i_{max}}) - 1$ or $deg (C_{i_{max}})$ .

We must compare this number with the number of additional constraints (or polynomials) added in our proposal. On the other side, the overall number of constraints $ℓ^{'}$ after the split is:

$ℓ^{'} = \sum_{i = 1}^{ℓ} ⌈ \frac{deg (C_{i})}{3} ⌉$

with $ℓ^{'} \geq ℓ$ .

We conclude that the appropriate approach should be chosen based on the minimum value between $ℓ^{'}$ and $S$ .

Example 3. To give some concrete numbers, let us compare both approaches using the following set of constraints:

$C_{1} (X_{1}, X_{2}, X_{3}, X_{4}, X_{1}^{'}) = X_{1} \cdot X_{2}^{2} \cdot X_{3}^{4} \cdot X_{4} - X_{1}^{'},$

$C_{2} (X_{1}, X_{2}, X_{3}) = X_{1} \cdot X_{2}^{3} + X_{3}^{3},$

$C_{3} (X_{2}, X_{3}, X_{4}, X_{2}^{'}) = X_{2}^{3} \cdot X_{3} \cdot X_{4} + X_{2}^{'}. \qquad (27)$

In the vanilla STARK approach, we obtain $S = 8$ . On the other side, using the early splitting technique explained before, by substituting $X_{1} \cdot X_{2}^{2}$ by $Y_{1}$ and $X_{2} \cdot X_{3} \cdot X_{4}$ by $Y_{2}$ we transform the previous set of constraints into an equivalent one in which all constraints have degree at most 3. This reduction only introduces 2 additional constraints:

$C_{1} (X_{1}^{'}, Y_{1}, Y_{2}) = Y_{1}^{2} \cdot Y_{2} - X_{1}^{'},$

$C_{2} (X_{2}, X_{3}, Y_{1}) = Y_{1} \cdot X_{2} + X_{3}^{3},$

$C_{3} (X_{2}, X_{2}^{'}, Y_{2}) = Y_{2} \cdot X_{2}^{2} + X_{2}^{'},$

$C_{4} (X_{1}, X_{2}, Y_{1}) = Y_{1} - X_{1} \cdot X_{2}^{2},$

$C_{5} (X_{2}, X_{3}, X_{4}, Y_{2}) = Y_{2} - X_{2} \cdot X_{3} \cdot X_{4}. \qquad (28)$

Hence, the early splitting technique is convenient in this case, introducing 3 new polynomials instead of the 7 that the vanilla STARK approach requires.

Plookup

Definition

Plookup was described by the original authors in [GW20] as a protocol for checking whether values of a committed polynomial, over a multiplicative subgroup $H$ of a finite field $F$ , are contained in a vector $t \in F^{d}$ that represents values of a table $T$ . More precisely, Plookup is used to check if certain evaluations of some committed polynomial are part of some row $t$ of a lookup table $T$ .

One particular use case of this primitive is checking whether all evaluations of a polynomial $f (x)$ , restricted to a multiplicative subgroup $H \subset F$ , fall in a given range $\{0, 1, \dots, M\}$ , i.e., proving that, for every $z \in H$ , we have $f (z) \in \{0, 1, \dots, M\}$ .

Plookup’s strategy for soundness depends on a few basic mathematical concepts described below.

Notations and preliminaries

Sets and multisets

Recall that a set is a collection of distinct objects, called elements, where repetitions and order of elements are disregarded. That is, the set $\{1, 3, 7\}$ is the same set as $\{3, 7, 1, 7, 1, 1\}$ .

Yet, as multisets, $\{1, 3, 7\}$ is not the same as $\{3, 7, 1, 7, 1, 1\}$ , because multisets take into consideration all instances of an element.

Given a multiset $s$ , we define the multiplicity of an element to be the number of its instances in $s$ .

So, in the multiset $\{3, 7, 1, 7, 1, 1\}$ , the element 3 has multiplicity 1, while 7 has multiplicity 2, and lastly, 1 has multiplicity 3.

A set can therefore be described as a collection of distinct objects where multiplicity and ordering of objects have no significance.

Multisets are similar to sets in that they also do not respect the ordering of elements. That is, $\{1, 3, 1, 7\}$ and $\{1, 7, 1, 3\}$ represent the same multiset, because they both contain the same elements, each with the same multiplicity.

Given multisets $t = \{1, 3, 7\}$ and $s = \{3, 7, 1, 7, 1, 1\}$ , $s$ can be sorted by $t$ as follows: $s = \{1, 1, 1, 3, 7, 7\}$ . That is, “ $s$ sorted by $t$ ” means the elements of $s$ are ordered according to the order they appear in $t$ , without losing their multiplicity.
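The distinction between sets and multisets, and the notion of sorting $s$ by $t$ , can be tried out with Python's standard library. This is a minimal sketch: the helper name `sort_by` is introduced only for illustration, and it assumes every element of $s$ appears in $t$ .

```python
from collections import Counter

s = [3, 7, 1, 7, 1, 1]
t = [1, 3, 7]

same_as_sets = set(s) == set(t)               # repetitions are ignored
same_as_multisets = Counter(s) == Counter(t)  # multiplicities are compared
multiplicity = Counter(s)                     # element -> number of instances

def sort_by(s, t):
    """Order the elements of s according to their first position in t.
    Assumes every element of s occurs in t (hypothetical helper)."""
    position = {value: index for index, value in enumerate(t)}
    return sorted(s, key=position.__getitem__)

s_sorted = sort_by(s, t)
```

Here `Counter` plays the role of a multiset: two lists describe the same multiset exactly when their counters are equal, regardless of order.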

Sorted multisets and set differences

Unless otherwise stated, all sorted multisets are henceforth sorted by $N$ , where $N$ is the set of natural numbers $\{1, 2, 3, \dots\}$ .

For any given sorted multiset $s = \{s_{1}, s_{2}, \dots, s_{n}\}$ , define the set of differences of $s$ as the set of non-zero differences $\{s_{2} - s_{1}, s_{3} - s_{2}, \dots, s_{n} - s_{n - 1}\}$ . That is, zero-differences, $s_{i} - s_{i - 1} = 0$ , are discarded.

Take as examples the following sorted multisets: $t = \{1, 3, 7\}$ , $s = \{1, 1, 1, 3, 7, 7\}$ and $r = \{2, 6, 6, 6, 8\}$ . These three multisets have the same set of differences, which is $\{2, 4\}$ .

Although $r$ has the same set of differences as $s$ and $t$ , note that the differences appear in a different order; 4 appeared first then 2.
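The following Python sketch computes the non-zero differences of the three example multisets while keeping their order of appearance, so that both the set of differences and the ordering remark can be checked. The function name `differences` is an illustrative choice.

```python
def differences(sorted_multiset):
    """Non-zero consecutive differences, listed in order of appearance."""
    pairs = zip(sorted_multiset, sorted_multiset[1:])
    return [b - a for a, b in pairs if b != a]

t = [1, 3, 7]
s = [1, 1, 1, 3, 7, 7]
r = [2, 6, 6, 6, 8]

diff_t = differences(t)
diff_s = differences(s)
diff_r = differences(r)

# As sets, all three agree; as ordered lists, r differs from s and t.
same_sets = set(diff_t) == set(diff_s) == set(diff_r)
same_order = diff_r == diff_t
```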

Testing for containment

Let $s$ and $t$ be ordered multisets, $s = \{s_{1}, s_{2}, \dots, s_{d}\}$ and $t = \{t_{1}, t_{2}, \dots, t_{n}\}$ , where none of the elements of $t$ are repeated.

It can be observed that:

If $s \subset t$ and $s_{d} = t_{n}$ , then $s$ and $t$ have the same set of differences and the differences appear in the same order.
If $s$ and $t$ have the same set of differences except for the differences’ order of appearance, then $s \not\subset t$ .
If $s$ and $t$ have the same set of differences and the differences appear in the same order, then $s \subset t$ .

It follows from these three observations that the criterion for testing containment $s \subset t$ boils down to checking that:

The sets of differences are equal, and
The order in which the differences $(a_{j} - a_{j - 1})$ appear is the same in both multisets.

Testing for repeated elements

Consider again the ordered multisets: $s = \{s_{1}, s_{2}, \dots, s_{d}\}$ and $t = \{t_{1}, t_{2}, \dots, t_{n}\}$ .

If $s$ has some repeated elements, that is, $s_{i} - s_{i - 1} = 0$ for some $2 \leq i \leq d$ , then these can be tested by comparing randomized sets of differences.

A randomized set of differences related to $s$ is created by selecting a random field element $β \in F$ and is defined as the set $\{s_{i} + β \cdot s_{i + 1} ∣ 1 \leq i < d\}$ .

So, instead of a pair $(s_{i}, s_{i + 1})$ of repeated elements yielding a difference of zero because $s_{i} = s_{i + 1}$ , they yield $s_{i} + β \cdot s_{i + 1} = (1 + β) \cdot s_{i}$ in the setting of randomized sets of differences.

This property of repeated elements yielding a multiple of $(1 + β)$ characterizes repeated elements in ordered multisets. Consequently, when computing randomized sets of differences, repeated elements can be identified by these multiples of $(1 + β)$ .
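As a small illustration, the Python sketch below computes a randomized set of differences over a toy prime field and locates the repeated pairs by comparing against $(1 + β) \cdot s_{i}$ . The modulus `P`, the fixed value of `beta`, and the function names are assumptions made for the example; in the protocol $β$ is a random challenge. Positions are 0-based.

```python
P = 101  # toy prime modulus (assumption)

def randomized_differences(s, beta, p=P):
    """The values s_i + beta * s_{i+1} for consecutive pairs of s."""
    return [(a + beta * b) % p for a, b in zip(s, s[1:])]

def repeated_pairs(s, beta, p=P):
    """0-based positions i where s_i + beta * s_{i+1} equals (1 + beta) * s_i.
    For beta != 0 this happens exactly when s_i == s_{i+1} modulo p."""
    rd = randomized_differences(s, beta, p)
    return [i for i, v in enumerate(rd) if v == (1 + beta) * s[i] % p]

s = [1, 1, 1, 3, 7, 7]
beta = 5  # fixed here for reproducibility only
rd = randomized_differences(s, beta)
positions = repeated_pairs(s, beta)
```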

A test can therefore be constructed using a grand product argument akin to the one used in PLONK’s permutation argument [GWC19].

Vectors

The above concepts defined for multisets apply similarly to vectors, and the Plookup protocol also extends readily to vectors.

A vector is a collection of ordered field elements, for some finite field $F$ , and it is denoted by $a = (a_{1}, a_{2}, \dots, a_{n})$ .

A vector $a = (a_{1}, a_{2}, \dots, a_{n})$ is contained in a vector $b = (b_{1}, b_{2}, \dots, b_{d})$ , denoted by $a \subset b$ , if each $a_{i} \in \{b_{1}, b_{2}, \dots, b_{d}\}$ for $i \in \{1, 2, \dots, n\}$ .

The vector of differences of a given vector $a = (a_{1}, a_{2}, \dots, a_{n})$ is defined as the vector $a^{'} = (a_{2} - a_{1}, a_{3} - a_{2}, \dots, a_{n} - a_{n - 1})$ , which has one less component (or element) than $a$ . That is, $∣ a^{'} ∣ = n - 1$ because $∣ a ∣ = n$ .

Given a random scalar $β$ in a field $F$ and a vector $a = (a_{1}, a_{2}, \dots, a_{n})$ , a randomized vector of differences of $a$ is defined as $a^{'} = (a_{1} + β \cdot a_{2}, a_{2} + β \cdot a_{3}, \dots, a_{n - 1} + β \cdot a_{n})$ .

The concatenation of vectors $a = (a_{1}, a_{2}, \dots, a_{n})$ and $b = (b_{1}, b_{2}, \dots, b_{d})$ is the vector $(a, b) = (a_{1}, a_{2}, \dots, a_{n}, b_{1}, b_{2}, \dots, b_{d})$ , and it has n+d components.

Plookup protocol

The context of Plookup is within a polynomial commitment scheme, where a party $P$ , called the prover, seeks to convince the second party $V$ , called the verifier, that it knows a certain polynomial.

The protocol, as described in the Plookup paper, mentions a third party called the Ideal party, denoted by $I$ , which is also called the trusted party.

It is this trusted party who is responsible for generating all the proof-verification system parameters. Among these parameters are the so-called preprocessed polynomials.

In the case of a non-interactive proof-verification system, the trusted party is equipped so as to act as an intermediary between the prover and the verifier.

The protocol starts with the generation of preprocessed polynomials { $t$ }, which describe a lookup table.
The prover submits messages in the form of polynomials { $f$ } expressed either as multisets or vectors.
The verifier sends randomly selected field elements $α_{i} \in F$ , called challenges.
The prover then evaluates a special polynomial $Z [X]$ on the $α_{i}$ ’s and sends the evaluations to $I$ .
The verifier subsequently requests $I$ to check whether certain polynomial identities $F \equiv G$ hold true.
The verifier accepts the prover’s submissions as true if all identities hold true; otherwise it rejects.

The polynomials $F$ and $G$ in the polynomial identities { $F \equiv G$ } are bivariate polynomials in $β$ and $γ$ , related to randomized sets of differences associated with { $f$ } and { $t$ }. They are defined in terms of the grand product expressions below:

$F (β, γ) = (1 + β)^{n} \cdot \prod_{i \in [n]} (γ + f_{i}) \cdot \prod_{i \in [d - 1]} (γ (1 + β) + t_{i} + β \cdot t_{i + 1})$

$G (β, γ) = \prod_{i \in [n + d - 1]} (γ (1 + β) + s_{i} + β \cdot s_{i + 1})$

where $β$ and $γ$ are the randomly selected field elements.

The Plookup protocol boils down to proving that the two polynomials $F$ and $G$ are the same by comparing vectors of their evaluations and multiplicities of elements in those vectors. Simply put, it checks if two polynomials are the same up to multiplicities of elements in their witness vectors.
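To make the two grand products concrete, here is a minimal Python sketch that evaluates $F$ and $G$ at fixed values of $β$ and $γ$ over a prime field. Everything around the formulas is an assumption for illustration: the modulus `P`, the function names, the fixed challenges (which are random in the protocol), and the simplification that $t$ is sorted in increasing order with distinct entries, so that sorting $s = (f, t)$ numerically coincides with sorting it by $t$ . No commitments are modeled.

```python
P = 2**31 - 1  # illustrative prime modulus (assumption)

def grand_products(f, t, s, beta, gamma, p=P):
    """Evaluate F(beta, gamma) and G(beta, gamma) for vectors f, t and s."""
    n, d = len(f), len(t)
    if len(s) != n + d:
        raise ValueError("s must have n + d components")
    F = pow(1 + beta, n, p)
    for f_i in f:
        F = F * (gamma + f_i) % p
    for t_i, t_next in zip(t, t[1:]):          # d - 1 factors
        F = F * (gamma * (1 + beta) + t_i + beta * t_next) % p
    G = 1
    for s_i, s_next in zip(s, s[1:]):          # n + d - 1 factors
        G = G * (gamma * (1 + beta) + s_i + beta * s_next) % p
    return F, G

def lookup_identity_holds(f, t, beta, gamma):
    """Build s = (f, t) sorted by t and compare F with G.
    Assumes t is increasing with distinct values (see lead-in)."""
    s = sorted(f + t)
    F, G = grand_products(f, t, s, beta, gamma)
    return F == G

ok = lookup_identity_holds([1, 1, 3], [1, 3, 7], beta=5, gamma=11)
bad = lookup_identity_holds([2], [1, 3], beta=1, gamma=0)
```

When $f \subset t$ the two products agree for every choice of $β$ and $γ$ . When $f \not\subset t$ they agree only for an unlucky choice of challenges, which is why the verifier samples them at random.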

Plookup in PIL

The test for whether the polynomial identities $F \equiv G$ hold true, is based on the following lemma (viz. Claim 3.1 as stated and proved in pages 4 and 5 of the Plookup paper).

A Plookup applies to Polynomial Commitment Scheme settings, where the polynomials are expressed as vectors; $t$ , $f$ and $s = (f, t)$ . It is therefore a test of inclusion, denoted by $f \subset t$ .

In the zkEVM setting, Plookup typically appears in PIL code as: { $f_{1}, \dots, f_{m}$ } in { $t_{1}, \dots, t_{m}$ }, where in is a PIL keyword for set inclusion, $f \subset t$ .

Plookup in zkProver

The commitment of the Plookup protocol is implemented in round 2 of eSTARK. The prover computes the reducing challenges $α, β \in F$ .

Using $α$ and $β$ , the prover computes the inclusion polynomials $h_{i, 1}, h_{i, 2} \in F_{< n} [X]$ for each inclusion argument, with $i \in [M]$ , and commits to them.

Connection arguments

The connection argument is called copy-satisfy in [GWC19]. As its name suggests, the argument is used to partition the cells of the committed matrix and to enforce that all cells in the same partition contain the same value.

The Polynomial Identity Language (PIL) uses the connect keyword to express connection arguments.

Definition

Given a vector $a = (a_{1}, \dots, a_{n}) \in F^{n}$ and a partition $§ = \{S_{1}, \dots, S_{t}\}$ of $[n]$ , we say that $a$ copy-satisfies $§$ if, for each $S_{k} \in §$ with $k \in [t]$ , we have $a_{i} = a_{j}$ whenever $i, j \in S_{k}$ . In that case, the elements whose indices lie in the same $S_{k}$ are said to be connected.

Example

Let $§ = \{\{2\}, \{1, 3, 5\}, \{4, 6\}\}$ be a specified partition of the indices of a column with 6 elements. Observe the two columns depicted below:

a	b
3	3
9	9
3	7
1	1
3	3
1	1

The column a is copy-satisfy because the indices in $S_{2} \in §$ are 1, 3, 5 and $a_{1} = a_{3} = a_{5} = 3$ ; the indices in $S_{3} \in §$ are 4, 6 and $a_{4} = a_{6} = 1$ .

The column b is not copy-satisfy because the indices in $S_{2} \in §$ are 1, 3, 5 but $b_{1} = 3 \neq b_{3} = 7$ .

Given the column a as above, we can construct a permutation map $σ : [n] \to [n]$ such that, for each $S_{k} \in §$ , $σ$ arranges the indices in $S_{k}$ into a cycle: 1 -> 3, 3 -> 5, 5 -> 1; 4 -> 6, 6 -> 4; 2 -> 2.

In a zero-knowledge proof (ZKP), the map $σ$ is encoded in a column SA using powers of a multiplicative generator $g$ : $SA_{i} = g^{σ (i)}$ . In this example, the columns a and SA are shown in the table below:

a	SA
3	$g^{3}$
9	$g^{2}$
3	$g^{5}$
1	$g^{6}$
3	$g$
1	$g^{4}$
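The construction of $σ$ from the partition, and the copy-satisfy check itself, can be sketched in Python as follows. The function names are illustrative, indices are 1-based to match the text, and the cycle order inside each block (increasing index) is one possible choice that happens to reproduce the cycles listed above.

```python
def cycle_permutation(partition):
    """Map every index to the next index of its block, cyclically (1-based)."""
    sigma = {}
    for block in partition:
        ordered = sorted(block)
        for k, i in enumerate(ordered):
            sigma[i] = ordered[(k + 1) % len(ordered)]
    return sigma

def copy_satisfies(column, partition):
    """True when column[i] == column[sigma(i)] for every index i."""
    sigma = cycle_permutation(partition)
    return all(column[i - 1] == column[sigma[i] - 1] for i in sigma)

partition = [{2}, {1, 3, 5}, {4, 6}]
a = [3, 9, 3, 1, 3, 1]
b = [3, 9, 7, 1, 3, 1]

sigma = cycle_permutation(partition)
# Exponents of g stored in column SA, row by row: SA_i = g^sigma(i).
sa_exponents = [sigma[i] for i in range(1, len(a) + 1)]
```

Checking equality only along the cycles is enough, because equality propagates around each cycle to every pair of indices in the same block.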

PIL

In the PIL context, the previous connection argument between a column a and a column SA, which encodes the permutation $σ$ as described above, can be declared with the keyword connect using the syntax {a} connect {SA}, as in the snippet below:

include "config.pil";

namespace Connection(%N); 
pol commit a; 
pol constant SA; 

{a} connect {SA};

Inclusion arguments

For most of the programs used in the zkEVM’s Prover, the values recorded in the columns of execution traces are field elements. In many cases, these values need to be restricted to a certain number of bits. For example, a variable of type uint32 must be restricted to the range from 0 to $2^{32} - 1$ . It is therefore necessary to devise a good control strategy for handling both underflows and overflows. This section uses the addition of 2-byte numbers as a running example for inclusion arguments.

Verify addition of 2-byte numbers

Addition of uint16 values is a common operation in programming. It can be constrained byte by byte, as in the trace table below:

Row	a	b	prevCarry	Carry	Add	Reset
1	0x11	0x22	0x01	0x00	0x33	1
2	0x30	0x40	0x00	0x00	0x70	0
3	0xff	0xee	0x00	0x01	0xed	1
4	0x00	0xff	0x01	0x01	0x00	0

The constraint is: $a + b + (1 - RESET) \cdot prevCarry = carry \cdot 2^{8} + add \qquad (1)$ We use $prevCarry$ as the carry-in and $carry$ as the carry-out. Because the least significant byte of a uint16 has no carry-in, we use $RESET$ as the flag marking the least significant byte.

The corresponding PIL code is as follows:

namespace TwoByteAdd(%N);

pol constant RESET;
pol commit a, b;
pol commit carry, prevCarry, add;

prevCarry' = carry;
a + b + (1-RESET)*prevCarry = carry*2**8 + add;

The above constraint (1) only enforces the correctness of the addition. It does not constrain the columns $a$ and $b$ to be 8-bit integers in the range from 0 to 255, nor does it constrain the columns $prevCarry$ , $carry$ and $RESET$ to be 1-bit boolean values.
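The gap left by constraint (1) can be seen with a short Python sketch that checks the trace table row by row. It uses plain integers instead of field elements, the function names are illustrative, and the `malicious` row is a made-up example that is not taken from the trace.

```python
def addition_holds(row):
    """Constraint (1) for one row (a, b, prevCarry, carry, add, reset)."""
    a, b, prev_carry, carry, add, reset = row
    return a + b + (1 - reset) * prev_carry == carry * 2**8 + add

def carry_chain_holds(trace):
    """prevCarry' = carry, with the last row wrapping around to the first."""
    n = len(trace)
    return all(trace[(i + 1) % n][2] == trace[i][3] for i in range(n))

trace = [
    (0x11, 0x22, 0x01, 0x00, 0x33, 1),
    (0x30, 0x40, 0x00, 0x00, 0x70, 0),
    (0xFF, 0xEE, 0x00, 0x01, 0xED, 1),
    (0x00, 0xFF, 0x01, 0x01, 0x00, 0),
]

trace_is_valid = all(addition_holds(r) for r in trace) and carry_chain_holds(trace)

# Hypothetical bad row: a = 0x133 is not a byte, yet the equation still holds.
malicious = (0x133, 0x00, 0x00, 0x01, 0x33, 1)
malicious_passes = addition_holds(malicious)
```

The honest trace passes, but so does the out-of-range row, which is exactly what the range restriction has to rule out.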

An inclusion argument is used for this purpose.

Inclusion argument

Given two vectors, $a = (a_{1}, \dots, a_{n}) \in F_{p}^{n}$ and $b = (b_{1}, \dots, b_{m}) \in F_{p}^{m}$ , it is said that:

$a$ is contained in $b$ if $\forall i \in [n], \exists j \in [m]$ such that $a_{i} = b_{j}$ .

In other words, if one thinks of $a$ and $b$ as multisets and reduces them to sets (by removing the multiplicity), then $a$ is contained in $b$ if $a$ is a subset of $b$ .

A protocol ( $P$ , $V$ ) is an inclusion argument if the protocol can be used by $P$ to prove to $V$ that one vector is contained in another vector.

In the PIL context, the implemented inclusion argument is the same as the Plookup method provided in [GW20], which is also discussed in the Plookup section of this book.

An inclusion argument is invoked in PIL with the in keyword.

Specifically, given two columns $a$ and $b$ , we can declare an inclusion argument between them using the syntax: { $a$ } in { $b$ }.

Generalized inclusion arguments

In PIL, inclusion arguments can be written not only over single columns but also over multiple columns. That is, given two subsets of committed columns $a_{1}, \dots, a_{m}$ and $b_{1}, \dots, b_{m}$ of some program(s), we can write:

{ $a_{1}, \dots, a_{m}$ } in { $b_{1}, \dots, b_{m}$ }

A natural application of this generalization is showing that a set of columns correctly records an operation that a program computes repeatedly, possibly with the same inputs and outputs. Following on with the previous “2-byte addition” program example, one can construct five new constant polynomials, BYTE_A, BYTE_B, BIT_PRECARRY, BIT_CARRY and BYTE_ADD, containing all possible byte additions.

The execution trace of these polynomials can be constructed as follows; the total number of rows is $2^{8} \cdot 2^{8} \cdot 2 = 131072$ :

row	BYTE_A	BYTE_B	BIT_PRECARRY	BIT_CARRY	BYTE_ADD
1	0x00	0x00	0x0	0x0	0x00
2	0x00	0x01	0x0	0x0	0x01
$⋮$	$⋮$	$⋮$	$⋮$	$⋮$	$⋮$
256	0x00	0xff	0x0	0x0	0xff
257	0x01	0x00	0x0	0x0	0x01
258	0x01	0x01	0x0	0x0	0x02
$⋮$	$⋮$	$⋮$	$⋮$	$⋮$	$⋮$
65535	0xff	0xfe	0x0	0x1	0xfd
65536	0xff	0xff	0x0	0x1	0xfe
65537	0x00	0x00	0x1	0x0	0x01
65538	0x00	0x01	0x1	0x0	0x02
$⋮$	$⋮$	$⋮$	$⋮$	$⋮$	$⋮$
65792	0x00	0xff	0x1	0x1	0x00
65793	0x01	0x00	0x1	0x0	0x02
65794	0x01	0x01	0x1	0x0	0x03
$⋮$	$⋮$	$⋮$	$⋮$	$⋮$	$⋮$
131071	0xff	0xfe	0x1	0x1	0xfe
131072	0xff	0xff	0x1	0x1	0xff

Recall that there is no need to enforce constraints between these polynomials since they are constant and, therefore, publicly known. An inclusion argument can be used to ensure a sound description of the “2-byte addition” program. The inclusion constraint ensures not only that all the values are single bytes, but also that the addition is correctly computed. Each queried tuple consists of five values, matched against the columns BYTE_A, BYTE_B, BIT_PRECARRY, BIT_CARRY and BYTE_ADD, and it must appear as a row of the lookup table.

In addition, recall that we only have to take into account prevCarry whenever Reset is 0. PIL is flexible enough to consider this kind of situation involving Plookups. To introduce this requirement, the inclusion check can be implemented as follows:

include "config.pil"; 

namespace TwoByteAdd(%N);

pol constant BYTE_A, BYTE_B, BYTE_PREVCARRY, BYTE_CARRY , BYTE_ADD; 
pol constant RESET;
pol commit a, b;
pol commit carry, prevCarry, add;

prevCarry' = carry;

{a, b, (1 - RESET)*prevCarry, carry, add} in {BYTE_A, BYTE_B, BYTE_PREVCARRY, BYTE_CARRY, BYTE_ADD};
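The effect of this inclusion check can be mimicked in Python by generating the full table of byte additions and testing membership of each trace tuple. This is only a sketch with plain integers: the function names are illustrative, a Python `set` stands in for the five constant columns, and the `malicious` row is a made-up example.

```python
from itertools import product

def build_table():
    """All rows (a, b, carry_in, carry_out, add) of the byte-addition table."""
    table = set()
    for carry_in, a, b in product(range(2), range(256), range(256)):
        total = a + b + carry_in
        table.add((a, b, carry_in, total >> 8, total & 0xFF))
    return table

def lookup_tuple(row):
    """Left-hand side of the inclusion: {a, b, (1 - RESET)*prevCarry, carry, add}."""
    a, b, prev_carry, carry, add, reset = row
    return (a, b, (1 - reset) * prev_carry, carry, add)

table = build_table()

trace = [
    (0x11, 0x22, 0x01, 0x00, 0x33, 1),
    (0x30, 0x40, 0x00, 0x00, 0x70, 0),
    (0xFF, 0xEE, 0x00, 0x01, 0xED, 1),
    (0x00, 0xFF, 0x01, 0x01, 0x00, 0),
]
trace_included = all(lookup_tuple(r) in table for r in trace)

# Hypothetical out-of-range row that satisfies the arithmetic equation alone.
malicious = (0x133, 0x00, 0x00, 0x01, 0x33, 1)
malicious_included = lookup_tuple(malicious) in table
```

Because the table only contains rows whose entries are bytes and bits, membership enforces the range restrictions and the arithmetic at the same time.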

Permutation arguments

Definition

Given two vectors, $a = (a_{1}, \dots, a_{n})$ and $b = (b_{1}, \dots, b_{n})$ in $F_{p}^{n}$ , the vectors $a$ and $b$ are permutations of each other if there exists a bijective mapping $σ : [n] \to [n]$ such that $a = σ (b)$ , where $σ (b)$ is defined by: $σ (b) := (b_{σ (1)}, \dots, b_{σ (n)})$ .

A protocol ( $P$ , $V$ ) is a permutation argument if the protocol can be used by $P$ to prove to $V$ that two vectors in $F_{p}^{n}$ are permutations of each other. Unlike inclusion arguments, the two vectors subject to a permutation argument must have the same length.

In the PIL context, the permutation argument between two columns $a$ and $b$ can be declared using the keyword is, with the syntax { $a$ } is { $b$ }, where $a$ and $b$ do not necessarily need to be defined in the same program, as in the snippet below:

include "config.pil"; 

namespace A(%N);
pol commit a, b;

{a} is {b};

namespace B(%N);
pol commit a, b;

{a} is {A.b};

A valid execution trace with the number of rows N=4, for the above example, is shown in the below table. A.a, A.b and B.a are permutations of each other.

a	b
8	2
1	3
2	8
3	1

namespace A

a	b
3	6
8	7
1	8
2	9

namespace B
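The claims about the two tables can be checked with a few lines of Python. The sketch below compares columns as multisets and also evaluates a randomized product check of the kind used in grand product arguments. The modulus `P`, the fixed challenge values, and the function names are assumptions for illustration; a real argument samples the challenge at random and works over committed polynomials.

```python
from collections import Counter

P = 2**31 - 1  # illustrative prime modulus (assumption)

def is_permutation(a, b):
    """Two vectors are permutations of each other iff they agree as multisets."""
    return Counter(a) == Counter(b)

def product_check(a, b, gamma, p=P):
    """Compare prod(gamma + a_i) with prod(gamma + b_i) modulo p."""
    if len(a) != len(b):
        return False
    lhs = rhs = 1
    for x, y in zip(a, b):
        lhs = lhs * (gamma + x) % p
        rhs = rhs * (gamma + y) % p
    return lhs == rhs

A_a, A_b = [8, 1, 2, 3], [2, 3, 8, 1]
B_a, B_b = [3, 8, 1, 2], [6, 7, 8, 9]

a_is_b = is_permutation(A_a, A_b)           # {a} is {b} in namespace A
b_a_is_a_b = is_permutation(B_a, A_b)       # {a} is {A.b} in namespace B
products_agree = product_check(A_a, A_b, gamma=12345)
unrelated = product_check(A_a, B_b, gamma=0)
```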

Permutation arguments over multiple columns

Permutation arguments in PIL can be written not only over single columns but over multiple columns as well.

That is, given two subsets of committed columns $a_{1}, \dots, a_{m}$ and $b_{1}, \dots, b_{m}$ of some program(s), we can write { $a_{1}, \dots, a_{m}$ } is { $b_{1}, \dots, b_{m}$ } to denote that the rows generated by columns { $b_{1}, \dots, b_{m}$ } are a permutation of the rows generated by columns { $a_{1}, \dots, a_{m}$ }.

A natural application for this generalization is showing that a set of columns in a program is precisely a commonly known operation such as XOR, where the correct XOR operation is carried out in a distinct program (see the following example).

include "config.pil"; 

namespace Main(%N);
pol commit a, b, c;

{a, b, c} is {XOR.in1, XOR.in2, XOR.xor};

namespace XOR(%N);
pol constant in1, in2, xor;

However, the functionality is further extended by the introduction of selectors in the sense that one can still write a permutation argument even though it is not satisfied over the entire trace of a set of columns, but only over a subset.

Suppose that we are given the following execution traces:

Two Tables with Execution traces for programs A and B

Notice that columns { $a$ , $b$ , $c$ } of the program A and columns { $d$ , $e$ , $f$ } of the program B are permutations of each other only over a subset of the trace.

To still achieve a valid permutation argument over such columns, we introduce a committed column $sel$ that is set to 1 in rows where the permutation argument is enforced and to 0 elsewhere.

Therefore, the permutation argument is valid only if,

$sel$ is correctly computed, and
the subset of rows chosen by $sel$ in both programs shows a permutation.

The corresponding PIL code of the previous programs can now be written as follows:

namespace A(4);
pol commit a, b, c;
pol commit sel;

sel {a, b, c} is B.sel {B.e, B.d, B.f};

namespace B(6);
pol commit d, e, f; 
pol commit sel;

The $sel$ column should be turned on (i.e., $sel$ set to 1) the same number of times in both programs. Otherwise, a permutation cannot exist between any of the columns, since the resulting vectors would be of different lengths. This allows the use of this kind of argument even if both execution traces do not contain the same amount of rows.
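A selected permutation argument can be sketched in Python by filtering the rows with the selector before comparing them as multisets. All trace values below are hypothetical, since the original tables are not reproduced here, and the function names are illustrative. The column order for program B follows the PIL snippet above.

```python
from collections import Counter

def selected_rows(sel, columns):
    """Rows (as tuples across the given columns) where the selector is 1."""
    return [row for flag, row in zip(sel, zip(*columns)) if flag == 1]

def selected_permutation_holds(sel_a, cols_a, sel_b, cols_b):
    rows_a = selected_rows(sel_a, cols_a)
    rows_b = selected_rows(sel_b, cols_b)
    return Counter(rows_a) == Counter(rows_b)

# Hypothetical program A with 4 rows.
a, b, c = [1, 2, 3, 4], [5, 6, 7, 8], [9, 10, 11, 12]
sel_A = [1, 0, 1, 1]

# Hypothetical program B with 6 rows, columns listed as (e, d, f).
e, d, f = [4, 0, 1, 7, 3, 2], [8, 0, 5, 7, 7, 6], [12, 0, 9, 7, 11, 10]
sel_B = [1, 0, 1, 0, 1, 0]

holds = selected_permutation_holds(sel_A, (a, b, c), sel_B, (e, d, f))

# Turning the selector on a different number of times breaks the argument.
sel_B_short = [1, 0, 1, 0, 0, 0]
broken = selected_permutation_holds(sel_A, (a, b, c), sel_B_short, (e, d, f))
```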

fflonk

Reduce opening many polys at $s$ to opening one poly at many points; then BDFG can be used.

fflonk central idea: reduce opening many polys to one using the FFT identity

Given polys $f_{0}, f_{1}$ , let $a = f_{0} (s)$ and $b = f_{1} (s)$ .
First attempt: Only open the sum $F (X) := f_{0} (X) + f_{1} (X)$ . Prove that $F (s) = c = a + b$ .
Problem: Doesn't constrain $a, b$ individually. For any $a^{'}$ , the pair $(a^{'}, c - a^{'})$ will also verify.
Solution: Use "FFT equation in reverse direction": $F (X) = f_{0} (X^{2}) + X f_{1} (X^{2})$
To commit to $f_{0}, f_{1}$ send $C_{F}$

Assume $s = t^{2}$ . To open $f_{0} (s), f_{1} (s)$ open $F$ at $\{t, - t\}$ :
$b_{0} := F (t) = f_{0} (s) + t f_{1} (s) = a + tb$
$b_{1} := F (- t) = f_{0} (s) - t f_{1} (s) = a - tb$
i.e. $(b_{0}, b_{1})$ give two independent constraints on $(a, b)$ !
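The two equations above can be solved for $(a, b)$ , which the Python sketch below does over a toy prime field. It only illustrates the algebra of the combination $F (X) = f_{0} (X^{2}) + X f_{1} (X^{2})$ : the modulus `P`, the sample polynomials, and the function names are assumptions, commitments are not modeled, and $t$ must be non-zero. Modular inverses via `pow(x, -1, p)` need Python 3.8 or later.

```python
P = 101  # toy prime modulus (assumption)

def evaluate(coeffs, x, p=P):
    """Horner evaluation, coefficients in increasing degree."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc

def combine(f0, f1):
    """Coefficients of F(X) = f0(X^2) + X * f1(X^2)."""
    F = [0] * (2 * max(len(f0), len(f1)))
    for i, c in enumerate(f0):
        F[2 * i] = c        # even powers come from f0
    for i, c in enumerate(f1):
        F[2 * i + 1] = c    # odd powers come from f1
    return F

def open_pair(F, t, p=P):
    """Recover (a, b) = (f0(t^2), f1(t^2)) from F(t) and F(-t)."""
    b0 = evaluate(F, t, p)
    b1 = evaluate(F, (-t) % p, p)
    inv2 = pow(2, -1, p)
    a = (b0 + b1) * inv2 % p                  # a = (b0 + b1) / 2
    b = (b0 - b1) * inv2 * pow(t, -1, p) % p  # b = (b0 - b1) / (2t)
    return a, b

f0, f1 = [3, 1, 4], [2, 7]   # hypothetical polynomials
t = 5
s = t * t % P
F = combine(f0, f1)
a, b = open_pair(F, t)
```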

A similar construction can open $k$ polys at any $s = t^{k}$
Important: poly-IOP based SNARKs work fine with a PCS that only opens at $k$-th powers.

Cheaply opening a poly at $k$ points

Notation: $[x]_{1} = x \cdot G_{1}$
Given poly $f$ with commitment $C$ and points $s_{0}, \dots, s_{k - 1} \in F$ , suppose $z_{i} = f (s_{i})$ for $i < k$ .

Define poly $r$ of degree $< k$ with $r (s_{i}) = z_{i}$ for $i < k$ .
Define $Z (X) = \prod_{i < k} (X - s_{i})$ . Then we have $Z \mid (f - r)$
Let $h (X) := \frac{f (X) - r (X)}{Z (X)}$ . Prover sends $π = [h (x)]_{1}$ .
From [KZG]: Verifier can now check
$e (C - [r (x)]_{1}, G_{2}) \stackrel{?}{=} e (π, [Z (x)]_{2})$
This requires $k$ verifier scalar muls in both $G_{1}$ and $G_{2}$ !

In [BDFG] we trade these scalar muls for an extra group element in the proof:

Verifier chooses random $α \in F$ and sends to prover.
Define the polynomial $L (X) := f (X) - r (α) - Z (α) h (X)$
If evals are correct, $L (X)$ should be zero at $α$
Verifier can compute $C_{L}$ with only two scalar muls: $C_{L} = C - [r (α)]_{1} - Z (α) π$
Prover and verifier can now use KZG to check $L (α) = 0$
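The polynomial side of this check can be sketched in Python with plain coefficient lists over a toy prime field. The sketch verifies that $Z \mid (f - r)$ for honest evaluations and that $L (α) = 0$ . Pairings and commitments are not modeled, and the modulus `P`, the sample polynomial, the points, the fixed $α$ , and all function names are assumptions for illustration.

```python
P = 101  # toy prime; real systems use a large pairing-friendly field

def poly_eval(coeffs, x):
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def poly_add(a, b):
    size = max(len(a), len(b))
    a = a + [0] * (size - len(a))
    b = b + [0] * (size - len(b))
    return [(x + y) % P for x, y in zip(a, b)]

def poly_scale(a, k):
    return [(k * c) % P for c in a]

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return out

def poly_divmod(num, den):
    """Long division modulo P; returns (quotient, remainder coefficients)."""
    num = list(num)
    quot = [0] * max(len(num) - len(den) + 1, 1)
    inv_lead = pow(den[-1], -1, P)
    for shift in range(len(num) - len(den), -1, -1):
        factor = num[shift + len(den) - 1] * inv_lead % P
        quot[shift] = factor
        for j, d in enumerate(den):
            num[shift + j] = (num[shift + j] - factor * d) % P
    return quot, num

def interpolate(points, values):
    """Lagrange interpolation: r of degree < k with r(s_i) = z_i."""
    result = [0]
    for i, x_i in enumerate(points):
        basis, denom = [1], 1
        for j, x_j in enumerate(points):
            if i != j:
                basis = poly_mul(basis, [(-x_j) % P, 1])
                denom = denom * (x_i - x_j) % P
        result = poly_add(result, poly_scale(basis, values[i] * pow(denom, -1, P)))
    return result

def opening_quotient(f, points, values):
    r = interpolate(points, values)
    Z = [1]
    for s in points:
        Z = poly_mul(Z, [(-s) % P, 1])
    h, remainder = poly_divmod(poly_add(f, poly_scale(r, -1)), Z)
    return r, Z, h, remainder

def L_at(f, r, Z, h, alpha):
    """L(alpha) = f(alpha) - r(alpha) - Z(alpha) * h(alpha)."""
    return (poly_eval(f, alpha) - poly_eval(r, alpha)
            - poly_eval(Z, alpha) * poly_eval(h, alpha)) % P

f = [7, 0, 3, 1, 5]      # hypothetical polynomial of degree 4
points = [2, 3, 10]      # k = 3 opening points
values = [poly_eval(f, s) for s in points]
r, Z, h, remainder = opening_quotient(f, points, values)
```

With a wrong claimed value the division leaves a non-zero remainder, so no polynomial $h$ exists and the prover cannot produce a valid $π$ .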
