Computational Proof Systems
  • πŸ‘‹Cryptography and ZKP research note
  • Protocol and Primitives
    • Chapter One: ZK fundamentals
      • Overview of Computation in Zero-Knowledge Proofs
      • Arithemetic Circuit
      • Arithemetic Circuit (RUST)
      • Polynomial
      • R1CS to QAP
      • Univariate Polynomial Multiplication Using FFT
    • Chapter Two: Interative and non-interative proof
      • Interactive and Non-interactive Zero-Knowledge Proof Systems
    • Chapter Three: Ploynomial Commitment Schemes
      • KZG Polynomial Commitment Scheme
        • Univariate KZG Polynomial Commitment Scheme
        • Multilinear KZG Polynomial commitment scheme
        • Batch Univariate KZG Polynomial Commitment Scheme
      • FRI Polynomial commitment scheme
    • Chapter Four: Sum Check Protocol
    • Chapter Five: GRK Protocol
      • The Protocol
      • Succinct GKR Protocol
    • Chapter Six: Groth16 Protocol
    • Chapter Seven: PLONK Protocol
    • Chapter Eight: PLONK Protocol Extensions
      • TurboPLONK
      • Lookup Arguments and PLONKUP
        • PLOOKUP
        • Halo2 Lookup Protocol
      • HYPERPLONK
Powered by GitBook
On this page
  1. Protocol and Primitives

Chapter Six: Groth16 Protocol

Exploring the Groth16 protocol

PreviousSuccinct GKR ProtocolNextChapter Seven: PLONK Protocol

Last updated 16 days ago

Rust Implementation:

prerequisite for this study are;

  • Bilinear pairings and elliptic curves

  • Quadratic arithmetic programs (QAPs)

Bilinear pairings and elliptic curves are fundamental to the Groth16 proving system and many other advanced cryptographic protocols. Elliptic curves provide a secure and efficient foundation, while bilinear pairings enable the construction of succinct, non-interactive proofs that are both powerful and practical for real-world applications.

Elliptic Curves

Elliptic Curves Overview: An elliptic curve is a set of points that satisfy a specific mathematical equation. Over a finite field Fq​\mathbb{F}_q​Fq​​, an elliptic curve EEE is typically defined by an equation of the form: y2=x3+ax+by^2 = x^3 + ax + by2=x3+ax+b where aaa and bbb are coefficients in Fq\mathbb{F}_qFq​, and the curve is non-singular (i.e., it has no cusps or self-intersections), which requires the discriminant 4a3+27b2β‰ 04a^3 + 27b^2 \neq 04a3+27b2ξ€ =0.

Bilinear Pairings in Groth16

In the context of the Groth16 proving system, bilinear pairings are used to construct efficient proofs that are both small in size and quick to verify. The system relies on the properties of bilinear pairings to ensure that the proof verification can be performed using simple algebraic operations, making the process efficient even for complex statements.

Example Use in Groth16:

  • Setup Phase: During the setup phase, a trusted party generates public parameters that include elements in G1G_1G1​​, G2G_2G2​​, and GTG_TGT​​.

  • Proving Phase: The prover uses these parameters to create a proof that certain computations were performed correctly. This involves operations in G1G1G1​ and G2G2G2.

  • Verification Phase: The verifier checks the proof by performing pairing operations eee and ensures that certain equations hold in GTG_TGT​​. The bilinear nature of the pairing allows these checks to be performed efficiently.

The Protocol

The Groth16 protocol in most cases, starts with a Circuit. A Circuit in ZKP is a structured way to represent a computation. It is analogous to a digital logic circuit used in computer engineering.

Structure:

  • A circuit is composed of inputs, gates, and outputs.

  • Inputs: These are the values that the prover knows and wants to keep private (often called witnesses) along with the public inputs.

  • Gates: These perform basic operations (such as addition, multiplication, logical AND, OR) on the inputs.

  • Outputs: These are the results of the computations performed by the gates.

Types of Circuits:

  • Arithmetic Circuits: These circuits use arithmetic gates (addition, multiplication) over a finite field. They are often used in zk-SNARKs because they can efficiently represent the types of computations involved in many cryptographic applications.

  • Boolean Circuits: These circuits use logical gates (AND, OR, NOT) and are more common in classical computer science but can be transformed into arithmetic circuits for use in zk-SNARKs.

The next stage of the protocol is to convert this Circuit to a format called R1CS

After obtaining this R1CS representation, it needs to be transformed into its QAP representation to go further in this proof system.

Trusted Setup

This next stage of the groth16 protocol is the trusted setup stage, in this stage, something called the Common reference string or Public parameter is obtained. This Groth16 proof system has two phases;

  1. The Powers of Tau

  2. Circuit Specific Common reference string generation

Powers of Tau

This completes the phase one process of the trusted setup.

Circuit Specific Common reference string generation This phase involves doing some operations that are circuit-specific.

Verification key;

We would have to break this down;

Reference;

Remco Bloemen

https://www.rareskills.io/post/groth16

A rank-1 constraint system (R1CS) with n variables and m constraints and p public inputs has a witness vector w∈Fnw∈F^nw∈Fn. By convention, the first p elements of w are the public input and the first public input w0​w_0​w0​​ is fixed to 1. The m constraints in R1CS are a product equation between three inner products:

(wβ‹…ai​)β‹…(wβ‹…bi​)=wβ‹…ci​(wβ‹…ai​)β‹…(wβ‹…bi​)=wβ‹…ci​(wβ‹…ai​)β‹…(wβ‹…bi​)=wβ‹…ci​

where vectors (ai​,bi​,ci​)∈F3β‹…n(a_i​,b_i​,c_i​)∈F^3β‹…^n(ai​​,bi​​,ci​​)∈F3β‹…n specify the constraint. The constraint vectors are usually very sparse, typically only nonzero for a single or few values. These constraint vectors can be aggregated in nΓ—mnΓ—mnΓ—m matrices so that the whole constraint system can be concisely written using an element-wise product.

(wβ‹…A)∘(wβ‹…B)=wβ‹…C(wβ‹…A)∘(wβ‹…B)=wβ‹…C(wβ‹…A)∘(wβ‹…B)=wβ‹…C

During this process, we would be generating Ο„,Ξ±,Ξ²Ο„,Ξ±,Ξ²Ο„,Ξ±,Ξ² having in mind that the number of constraints in the Circuit is mmm, we would compute the following;

(Ο„0,Ο„1,Ο„2,…,Ο„2β‹…mβˆ’2)β‹…G1​(Ο„^0,Ο„^1,Ο„^2,…,Ο„^{2β‹…mβˆ’2})β‹…G_1​(Ο„0,Ο„1,Ο„2,…,Ο„2β‹…mβˆ’2)β‹…G1​​

(Ο„0,Ο„1,Ο„2,…,Ο„mβˆ’1)β‹…G2​(Ο„^0,Ο„^1,Ο„^2,…,Ο„^{mβˆ’1})β‹…G_2​(Ο„0,Ο„1,Ο„2,…,Ο„mβˆ’1)β‹…G2​​

Ξ±β‹…(Ο„0,Ο„1,Ο„2,…,Ο„mβˆ’1)β‹…G1​α⋅(Ο„^0,Ο„^1,Ο„^2,…,Ο„^{mβˆ’1})β‹…G_1​α⋅(Ο„0,Ο„1,Ο„2,…,Ο„mβˆ’1)β‹…G1​​

Ξ²β‹…(Ο„0,Ο„1,Ο„2,…,Ο„mβˆ’1)β‹…G1​β⋅(Ο„^0,Ο„^1,Ο„^2,…,Ο„^{mβˆ’1})β‹…G_1​β⋅(Ο„0,Ο„1,Ο„2,…,Ο„mβˆ’1)β‹…G1​​

Ξ²β‹…G2​β⋅G_2​β⋅G2​​

Given circuit polynomials Ai​,Bi​,CiA_i​,B_i​,C_iAi​​,Bi​​,Ci​​, generate random values Ξ³,δγ,δγ,Ξ΄ and define the polynomials LiL_iLi​​ by:

Li​(X)=Ξ²β‹…Ai​(X)+Ξ±β‹…Bi​(X)+Ci​(X)L_i​(X)=Ξ²β‹…A_i​(X)+Ξ±β‹…B_i​(X)+C_i​(X)Li​​(X)=Ξ²β‹…Ai​​(X)+Ξ±β‹…Bi​​(X)+Ci​​(X)

We can not compute the Li​(X)L_i​(X)Li​​(X) directly since we don't know Ξ±Ξ±Ξ± and Ξ²Ξ²Ξ², but we can still construct Li​(Ο„)β‹…G1​L_i​(Ο„)β‹…G_1​Li​​(Ο„)β‹…G1​​ using linear combinations of the values from the previous step. This way, we compute the proving key:

(Ξ±,Ξ²,Ξ΄)β‹…G1​(Ξ±,Ξ²,Ξ΄)β‹…G_1​(Ξ±,Ξ²,Ξ΄)β‹…G1​​

(Ο„0,Ο„1,Ο„2,Ο„3,…,Ο„mβˆ’1)β‹…G1​(Ο„^0,Ο„^1,Ο„^2,Ο„^3,…,Ο„^{mβˆ’1})β‹…G_1​(Ο„0,Ο„1,Ο„2,Ο„3,…,Ο„mβˆ’1)β‹…G1​​

Ξ΄βˆ’1β‹…(Lp​(Ο„),Lp+1​(Ο„),…,Lmβˆ’1​(Ο„))β‹…G1​,Ξ΄^{βˆ’1}β‹…(L_p​(Ο„),L_{p+1}​(Ο„),…,L_{mβˆ’1}​(Ο„))β‹…G_1​,Ξ΄βˆ’1β‹…(Lp​​(Ο„),Lp+1​​(Ο„),…,Lmβˆ’1​​(Ο„))β‹…G1​​,

Ξ΄βˆ’1β‹…(Ο„0,Ο„1,Ο„2,Ο„3,…,Ο„mβˆ’2)β‹…Zx​(Ο„)β‹…G1​δ^{βˆ’1}β‹…(Ο„^0,Ο„^1,Ο„^2,Ο„3,…,Ο„^{mβˆ’2})β‹…Z_x​(Ο„)β‹…G_1β€‹Ξ΄βˆ’1β‹…(Ο„0,Ο„1,Ο„2,Ο„3,…,Ο„mβˆ’2)β‹…Zx​​(Ο„)β‹…G1​​

(Ξ²,Ξ΄)β‹…G2​(Ξ²,Ξ΄)β‹…G_2​(Ξ²,Ξ΄)β‹…G2​​

(Ο„0,Ο„1,Ο„2,Ο„3,…,Ο„mβˆ’1)β‹…G2​(Ο„^0,Ο„^1,Ο„^2,Ο„^3,…,Ο„^{mβˆ’1})β‹…G_2​(Ο„0,Ο„1,Ο„2,Ο„3,…,Ο„mβˆ’1)β‹…G2​​

Ξ±β‹…G1​α⋅G_1​α⋅G1​​

Ξ³βˆ’1β‹…(L0​(Ο„),L1​(Ο„),L2​(Ο„),…,Lpβˆ’1​(Ο„))β‹…G)1​γ^{βˆ’1}β‹…(L_0​(Ο„),L_1​(Ο„),L_2​(Ο„),…,L_{pβˆ’1}​(Ο„))β‹…G)_1β€‹Ξ³βˆ’1β‹…(L0​​(Ο„),L1​​(Ο„),L2​​(Ο„),…,Lpβˆ’1​​(Ο„))β‹…G)1​​

(Ξ²,Ξ³,Ξ΄)β‹…G2​(Ξ²,Ξ³,Ξ΄)β‹…G_2​(Ξ²,Ξ³,Ξ΄)β‹…G2​​

Instead of providing Ξ±β‹…G1Ξ±β‹…G1Ξ±β‹…G1​ and Ξ²β‹…G2​β⋅G_2​β⋅G2​​ we could also provide Ξ±β‹…Ξ²β‹…G3​α⋅β⋅G_3​α⋅β⋅G3​​ in the verifying key, but G3G_3G3​​elements tend to be big and weird so we avoid them.

The Phase 2 ceremony is critical for soundness. If δδδ is known the prover can construct any Ξ΄βˆ’1β‹…P(Ο„)β‹…G1Ξ΄^{βˆ’1}β‹…P(Ο„)β‹…G_1Ξ΄βˆ’1β‹…P(Ο„)β‹…G1​​ of degree 2β‹…nβˆ’12β‹…nβˆ’12β‹…nβˆ’1 where otherwise it is constraint to the form Ξ΄βˆ’1β‹…H(Ο„)β‹…Zx​(Ο„)β‹…G1Ξ΄^{βˆ’1}β‹…H(Ο„)β‹…Z_x​(Ο„)β‹…G_1Ξ΄βˆ’1β‹…H(Ο„)β‹…Zx​​(Ο„)β‹…G1​​. The forced factorization into HHH and ZxZ_xZx​ is critical for soundness.

Linear combination if you are as smart as I am Phase two is very confusing, but before we can break this down, we need to look into linear combination; how we can construct information concerning from secret even though we have just the encrypted version of this secret (G.secretG.secretG.secret).

Keep your eyes on this ∏i=0l​(G.Ο„i)Ο•i​=G.Ο•(Ο„)∏_{i=0}^l​(G.{Ο„^i})^{Ο•_i}​=G.{Ο•(Ο„)}∏i=0l​​(G.Ο„i)Ο•i​​=G.Ο•(Ο„)

Having in mind that G.Ο„iG.{Ο„^i}G.Ο„i are the elements of the powers of tau.

To achieve this Li​(X).G1=Ξ²β‹…Ai​(X).G1+Ξ±β‹…Bi​(X).G1+Ci​(X).G1L_i​(X).G_1 =Ξ²β‹…A_i​(X).G_1 +Ξ±β‹…B_i​(X).G_1+C_i​(X).G_1Li​​(X).G1​=Ξ²β‹…Ai​​(X).G1​+Ξ±β‹…Bi​​(X).G1​+Ci​​(X).G1​,

Ξ²β‹…Ai​(Ο„).G1Ξ²β‹…A_i​(Ο„).G_1Ξ²β‹…Ai​​(Ο„).G1​

Ξ±β‹…Bi​(Ο„).G1Ξ±β‹…B_i​(Ο„).G_1Ξ±β‹…Bi​​(Ο„).G1​

Ci​(X).G1C_i​(X).G_1Ci​​(X).G1​

https://github.com/developeruche/cryptography-n-zk-research/tree/main/groth16