co-learn-notes

Plonk/co-learn notes/Eta/01_R1CS_Plonklish.md

@@ -0,0 +1,154 @@
+# 01. R1CS V.S. Plonkish
+
+<table>
+  <tr>
+    <th>title</th>
+    <th>tags</th>
+  </tr>
+  <tr>
+    <td>01. R1CS_Plonkish</td>
+    <td>
+      <table>
+        <tr>
+          <th>zk-meme</th>
+          <th>basic</th>
+          <th>quick_read</th>
+          <td>R1CS_Plonkish</td>
+        </tr>
+      </table>
+    </td>
+  </tr>
+</table>
+
+[Github](https://github.com/ETAAcademy)｜[Twitter](https://twitter.com/ETAAcademy)｜[ETA-ZK-Meme](https://github.com/ETAAcademy/ETAAcademy-ZK-Meme)
+
+Authors: [Eta](https://twitter.com/pwhattie), looking forward to your joining
+
+## Plonkish Arithmetization
+
+Plonkish Arithmetization represents a significant advancement in Zero-knowledge proofs (ZKPs) that allow one party, the Prover, to prove to another party, the Verifier, that a statement is true without revealing any additional information. Let's delve into the intricacies of Plonkish Arithmetization and its comparison with the well-established R1CS framework.
+
+### 1. R1CS: A Foundation in Multiplication Gates
+
+R1CS, or Rank-1 Constraint Systems, **revolves around multiplication gates**, where three "selector" matrices - U, V, and W - designate the "left input", "right input", and "output" of each multiplication gate, respectively, 1 of which indicates involvement in computations and 0 non-involvement. The selector matrix usually has a number of columns equivalent to the number of variables, with the number of rows matching the count of multiplication gates. Additionally, R1CS accommodates constant multiplication gates, a special case treated as addition gates.
+
+<div  align="center"> 
+<img src="images/29_plonkish.png" width="50%" />
+</div>
+
+Consider a scenario where we have four input variables labeled $(x_1, x_2, x_3, x_4).$ In this scenario, $x_5$ acts as the output of the second multiplication gate and also functions as the right input of the first multiplication gate, while \(out\) represents the output of the first multiplication gate.
+
+$$\vec{a} = (x_1, x_2, x_3,x_4,x_5,out)$$
+
+Imagine a circuit with multiplication gates. Three matrices \(U\), \(V\), and \(W \in \mathbb{F}^{n\times m}\) describe how the gates are connected (circuit's setup). W is a table with rows matching the number of gates (n) and columns hinting at the number of wires (m). Each row in W tells how the corresponding gate connects its inputs and output.
+
+Left input matrix \(U\):
+
+$$
+\begin{array}{|c|c|c|c|c|}
+\hline
+x_1 & x_2 & x_3 & x_4 & x_5 & out & \texttt{i} \\
+\hline
+1 & 1 & 0 & 0 & 0 & 0 & \texttt{1}\\
+\hline
+0 & 0 & 1 & 0 & 0 & 0 & \texttt{2}\\
+\hline
+\end{array}
+$$
+
+Right input matrix \(V\):
+
+$$
+\begin{array}{|c|c|c|c|c|}
+\hline
+x_1 & x_2 & x_3 & x_4 & x_5 & out &\texttt{i}\\
+\hline
+0 & 0 & 0 & 0 & 1 & 0 & \texttt{1}\\
+\hline
+0 & 0 & 0 & 1 & 0 & 0 & \texttt{2}\\
+\hline
+\end{array}
+$$
+
+Output matrix \(W\):
+
+$$
+\begin{array}{|c|c|c|c|c|}
+\hline
+x_1 & x_2 & x_3 & x_4 & x_5 & out & \texttt{i}\\
+\hline
+0 & 0 & 0 & 0 & 0 & 1 & \texttt{1}\\
+\hline
+0 & 0 & 0 & 0 & 1 & 0 & \texttt{2}\\
+\hline
+\end{array}
+$$
+
+We can easily verify the following equation:
+$$(U \cdot \vec{a}) \circ (V \cdot \vec{a}) = (W \cdot\vec{a})$$
+
+## 2. Plonkish Arithmetization: A Leap Forward
+
+Plonkish arithmetization is a more efficient way to express circuits for zero-knowledge proofs:
+
+**Circuit Setup:**
+
+Instead of three tables (U,V,W) with potentially many columns, Plonk uses a single W table with just 3 columns to reduces complexity.
+
+Plonk can handle more than just addition and multiplication gates, such as comparisons, lookups, and even memory access (RAM).
+
+**Key Tables: $\mathsf{Plonkish}_0 \triangleq (Q, \sigma;$ W)**
+
+- W table: Stores assignments (secret).
+- Q table (Selector): Defines operation for each row (addition or multiplication).
+- Permutation table: Ensures consistency when values are moved around in W.
+
+We define a matrix $W\in\mathbb{F}^{n\times 3}$ to represent constraints where n is the number of arithmetic gates):
+
+$$
+\begin{array}{c|c|c|c|}
+i & w_a & w_b & w_c  \\
+\hline
+1 & \boxed{x_6} & \underline{x_5} & [out] \\
+2 & x_1 & x_2 & \boxed{x_6} \\
+3 & x_3 & x_4 & \underline{x_5} \\
+4 & 0 & 0 & [out] \\
+\end{array}
+$$
+
+To distinguish addition and multiplication, we define a vector $Q\in\mathbb{F}^{n\times 5}$ to represent operators:
+
+$$
+\begin{array}{c|c|c|c|}
+i & q_L & q_R & q_M & q_C & q_O  \\
+\hline
+1 & 0 & 0 & 1 & 0& 1 \\
+2 & 1 & 1 & 0 & 0& 1 \\
+3 & 0 & 0 & 1 & 0& 1 \\
+4 & 0 & 0 & 0 & out& 1 \\
+\end{array}
+$$
+
+Permutation proofs confirm this consistency post rearrangement, verified by Prover.
+
+$$
+\begin{array}{c|c|c|c|}
+i & w_a & w_b & w_c  \\
+\hline
+1 & \boxed{x_6} & \underline{x_5} & out \\
+2 & x_1 & x_2 & \boxed{x_6} \\
+3 & x_3 & x_4 & \underline{x_5} \\
+\end{array}
+$$
+
+If three or more vector positions must share a value, Prover cyclically shifts them, ensuring equality with the original.
+
+$$
+  A = (b_1, b_2, \underline{a_1}, b_3, \underline{a_2}, b_4, \underline{a_3}) =  (b_1, b_2, \underline{a_3}, b_3, \underline{a_1}, b_2, \underline{a_2}) = A'
+$$
+
+To ensure that $w_c$ in the first row equal to the out variable, an additional copy constraint is added to the $\sigma$ matrix. In short, if the Prover is honest, then for $i \in (1,2,3,4),$ the following arithmetic constraint equation holds:
+
+$$
+q_{L,i} \circ w_{a,i} + q_{R,i} \circ w_{b,i} + q_{M,i}\circ(w_{a,i}\cdot w_{b,i}) + q_{C,i} -  q_{O,i}\circ w_{c,i} = 0
+$$

Plonk/co-learn notes/Eta/02_Lagrange.md

@@ -0,0 +1,88 @@
+# 02. Lagrange Interpolation
+
+<table>
+  <tr>
+    <th>title</th>
+    <th>tags</th>
+  </tr>
+  <tr>
+    <td>02. Lagrange Interpolation</td>
+    <td>
+      <table>
+        <tr>
+          <th>zk-meme</th>
+          <th>basic</th>
+          <th>quick_read</th>
+          <td>Lagrange_Interpolation</td>
+        </tr>
+      </table>
+    </td>
+  </tr>
+</table>
+
+[Github](https://github.com/ETAAcademy)｜[Twitter](https://twitter.com/ETAAcademy)｜[ETA-ZK-Meme](https://github.com/ETAAcademy/ETAAcademy-ZK-Meme)
+
+Authors: [Eta](https://twitter.com/pwhattie), looking forward to your joining
+
+## Lagrange Interpolation
+
+Provers can combine multiple constraints into a single polynomial, which reduces communication and simplifies verification for Verifiers.
+
+### Probabilistic Check of Polynomials
+
+1. **Schwartz-Zippel Theorem**: The Verifier provides a random challenge $\zeta \in \mathbb{F}$ for two polynomials $f(\zeta) = g(\zeta)$. If the degree of the polynomials is small compared to the size of the field they're working in (like the number of elements in a set), the chance of $f(X) = g(X)$ getting a wrong answer is less than $\leq \frac{d}{|\mathbb{F}|}$(since a polynomial of degree d is determined by \(d+1\) points).
+
+2. **Vector Verification**: Similar to above, vectors (lists of numbers) can be encoded as polynomials. To verify that three vectors $\vec{a} + \vec{b} = \vec{c}$, the direct method is to encode the vectors into polynomials (using the vector as polynomial coefficients), such as $a(X) = a_0 + a_1X + a_2X^2 + \cdots + a_{n-1}X^{n-1}$. We can create polynomials a(X), b(X), and c(X) from the lists a, b, and c, respectively. If the property $a_i + b_i = c_i$ holds true, then interestingly, adding the polynomials a(X) + b(X) will result in the polynomial c(X), a(X) + b(X) = c(X). By challenging with a random number $\zeta$, If we evaluate both sides of the equation a(ζ) + b(ζ) = c(ζ), then $\vec{a} + \vec{b} = \vec{c}$.
+
+### Lagrange Interpolation and Evaluation Form
+
+Multiplying polynomials can get messy. So, for checking if the element-wise product (think multiplication of corresponding entries) of two vectors equals a third vector, a special kind of polynomial encoding is used called Lagrange interpolation.
+
+- Using Lagrange Interpolation to validate $\vec{a} \circ \vec{b} \overset{?}{=} \vec{c}$, where terms $a_i \cdot b_i$ and $c_i$ do not correspond to the coefficients of $X^i$.
+- Instead, we use Lagrange interpolation polynomials Interpolation: $\{L_i(X)\}_{i\in[0,N-1]}$, where $L_i(w_i)=1$, and $L_i(w_j)=0 (j\neq i)$. Then $\vec{a}$ can be encoded as follows:
+
+$$
+a(X)=a_0\cdot L_0(X) + a_1\cdot L_1(X)+ a_2\cdot L_2(X) + \cdots + a_{N-1}\cdot L_{N-1}(X)
+$$
+
+- The element-wise product of vectors $a_i \cdot b_i = c_i$ resulting in $a(w_i) \cdot b(w_i) = c(w_i)$. Similarly, $\vec{a} \circ \vec{b} = \vec{c}$ translates to functions $a(X) \cdot b(X) = c(X)$ for all $X \in H$.
+
+### Single Challenge Verification
+
+To detect Prover’s cheating with a single challenge, transform the above equality by removing the specific X values (since X should cover a large range like $\mathbb{F}:$
+
+$$
+a(X) \cdot b(X) - c(X) = q(X) \cdot z_H(X), \quad \forall X \in \mathbb{F}
+$$
+
+Since $f(X) = 0$ for all $X \in H$ and $f(X) = a(X) \cdot b(X) - c(X)$,H is the root set of f(X):
+
+$$
+f(X)=(X-w_0)(X-w_1)(X-w_2)\cdots(X-w_{N-1})\cdot q(X)
+$$
+
+Thus, f(X) is divisible by the vanishing polynomial $z_H(X) = (X - w_0)(X - w_1) \cdots (X - w_{N-1})$. The Prover computes q(X) and sends it to the Verifier. Since H is a known system parameter, the Verifier can compute $z_H(X)$ and check:
+
+$$a(\zeta) \cdot b(\zeta) - c(\zeta) \overset{?}{=} q(\zeta) \cdot z_H(\zeta)$$
+
+### Optimization: Roots of Unity
+
+There's a clever way to choose the roots of unity to simplify calculations. The subgroup H is formed by the powers of $\omega$:
+
+$$
+H = (1, \omega, \omega^2, \ldots, \omega^{N-1})
+$$
+
+These elements satisfy certain symmetries, e.g., $\omega = -\omega^{\frac{N}{2} + 1}$ and $\omega^i = -\omega^{\frac{N}{2} + i}$. Summing all roots of unity yields zero:
+
+$$
+\sum\_{i=0}^{N-1} \omega^i = 0
+$$
+
+In practical, we choose a large finite field with a large powers-of-2 multiplicative subgroup. Due to the symmetry of $\omega^i$, on the subgroup H, we have:
+
+$$
+z_H(X) = \prod*{i=0}^{N-1} (X - \omega^i) = X^N - 1
+$$
+
+In essence, polynomial encoding and Lagrange interpolation provide a powerful way to compress and verify complex relationships between data, simplifies many calculations and enhances efficiency in verification.

Plonk/co-learn notes/Eta/03_Permutation.md

@@ -0,0 +1,121 @@
+# 03. Permutation
+
+<table>
+  <tr>
+    <th>title</th>
+    <th>tags</th>
+  </tr>
+  <tr>
+    <td>03. Permutation</td>
+    <td>
+      <table>
+        <tr>
+          <th>zk-meme</th>
+          <th>basic</th>
+          <th>quick_read</th>
+          <td>Permutation</td>
+        </tr>
+      </table>
+    </td>
+  </tr>
+</table>
+
+[Github](https://github.com/ETAAcademy)｜[Twitter](https://twitter.com/ETAAcademy)｜[ETA-ZK-Meme](https://github.com/ETAAcademy/ETAAcademy-ZK-Meme)
+
+Authors: [Eta](https://twitter.com/pwhattie), looking forward to your joining
+
+## Permutation
+
+A verifier can verify multiple copy constraints within a table $\omega$ using just one random challenge, without even seeing the table itself. For $\omega$, cyclic permutations are performed for the positions that need to be equal, and then the prover demonstrates that the original $\omega$ table is equal to the cyclically permuted $\omega'$ table. **Verifying table equality can be achieved through polynomial encoding and probabilistic checking**
+
+### Cold Start: Grand Product
+
+1. **Product Relation:**
+   The product $p = q_0 \cdot q_1 \cdot q_2 \cdot \cdots \cdot q_{n-2}$ is proved by converting a cumulative product calculation into multiple single multiplication. An auxiliary vector $\vec{r}$, acting as an accumulator, is introduced to represent the "intermediate values" after each multiplication, essentially capturing the entire calculation trace of the product process. The leftmost column represents the original vector to be multiplied { $q_i$ }, the middle column { $r_i$ } is the auxiliary variable that stores the intermediate value "before each single multiplication," and the rightmost column shows the value after each multiplication.
+
+   Interestingly, when we shift the "middle column" vector, r , up one row, it becomes almost identical to the "rightmost column," except for the last element.
+
+2. **Polynomial Constraints:**
+   When we encode the three columns of the table as polynomials, they satisfy three specific constraints based on Lagrange Basis polynomials:
+
+   - Initial value: $r_0 = 1, r_{n-1} = p$:
+     $L_0(X) \cdot (r(X) - 1) = 0,$
+     $L_{n-1}(X) \cdot (r(X) - p) = 0, \quad \forall X \in H.$
+   - Recursive multiplication relation (removing $\omega^{-1}$ from the set):
+     $q(X) \cdot r(X) = r(\omega \cdot X), \quad \forall X \in H \setminus \{\omega^{-1}\}.$
+
+   Simplifying the Constraints:
+
+   - We add a row to the product table, setting $q_{n-1} = 1/p$ (note: p is the product of vector $\vec{q}$. Thus, $r_n = r_0 = 1$. The rightmost column is exactly a cyclic shift of $vec{r}$.
+   - The verifier can challenge the following polynomial equation:
+     $L_0(X) \cdot (r(X) - 1) + \alpha \cdot (q(X) \cdot r(X) - r(\omega \cdot X)) = h(X) \cdot z_H(X).$
+     Here, $\alpha$ is a random challenge number used to combine multiple polynomial constraints, and $h(X)$ represents the quotient polynomial, with $z_H(X) = (X-1)(X-\omega) \cdots (X-\omega^{n-1})$.
+
+$$
+\begin{array}{c|c|c}
+q_i & r_i & q_i\cdot r_i \\
+\hline
+q_0 & 1  & r_0\\
+q_1 & r_0 & r_1\\
+q_2 & r_1 & r_2\\
+\vdots & \vdots & \vdots\\
+q_{n-2} & r_{n-2} & r_{n-1}\\
+q_{n-1}=\frac{1}{p} & r_{n-1} & 1 \\
+\end{array}
+$$
+
+### Using Grand Product to Prove Multiset Equality:
+
+1. If two polynomials p(X) and q(X) are equal, they must share the same set of roots { $q_i$ }.
+   For example: $\prod_{i}(X - q_i) = q(X) = p(X) = \prod_{i}(X - p_i),$ $\\{q_i\\}=_{multiset}\\{p_i\\}$.
+
+   By requesting a random number $\gamma$ from the verifier, the prover can prove that the vectors { $p_i$ } and { $q_i$} are equal in the multiset sense through the following equation:
+   $\prod_{i \in [n]}(\gamma - p_i) = \prod_{i \in [n]}(\gamma - q_i)$
+
+2. **Product Proof:**
+   As mentioned earlier, the multiplication process is converted into a series of single multiplications using auxiliary vectors. Interestingly, two multiplications can be merged into one, as shown here:
+   $\prod_{i \in [n]} \frac{(\gamma - p_i)}{(\gamma - q_i)} = 1.$
+
+### From Multiset Equality to Permutation Proof:
+
+If two vectors $\vec{a}$ and $\vec{b}$ satisfy a permutation $\sigma$, the combined vectors $\vec{a}'$ and $\vec{b}'$ will satisfy the multiset equality relationship. By combining vectors and position values, treating $(a_i, i)$ as one element and $(b_i, \sigma(i))$ as another element, a "permutation proof" can be converted into a "multiset equality." By requesting a random number $\beta$ from the verifier, the tuples can be "folded" into a single value.
+
+$$
+\begin{array}{|c|c | c|c|}
+a_i & {i} & b_i & \sigma({i}) \\
+\hline
+a_0 & 0 & b_0=a_1 & 1 \\
+a_1 & 1 & b_1=a_0 & 0 \\
+a_2 & 2 & b_2=a_3 & 3 \\
+a_3 & 3 & b_3=a_2 & 2 \\
+\vdots & \vdots & \vdots & \vdots \\
+a_{n-1} & n-1 & b_{n-1}=a_n & n \\
+a_n & n & b_n=a_{n-1} & n-1 \\
+\end{array}
+$$
+
+$$
+\begin{array}{|c|c|}
+a'_i=(a_i, i) & b'_i=({b}_i, \sigma(i)) \\
+\hline
+(a_0, 0) & (b_0=a_1, 1) \\
+(a_1, 1) & (b_1=a_0, 0) \\
+\vdots & \vdots \\
+(a\_{n-1}, n-1) & (b\_{n-1}=a\_{n}, n) \\
+(a\_n, n) & (b\_n=a\_{n-1}, n-1) \\
+\end{array}
+$$
+
+$$
+\begin{array}{|c|c|}
+a'_i=(a_i+\beta\cdot i) & b_i'=(b + \beta\cdot \sigma(i)) \\
+\hline
+(a_0 + \beta\cdot 0) & (b_0 + \beta\cdot 1) \\
+(a_1 + \beta\cdot 1) & (b_1 + \beta\cdot 0) \\
+\vdots & \vdots \\
+(a\_{n-1} + \beta\cdot n-1) & (b\_{n-1} + \beta\cdot n) \\
+(a\_n + \beta\cdot n) & (b\_n + \beta\cdot (n-1))\\
+\end{array}
+$$
+
+The verification process leverages multiset equivalence as a stepping stone to prove the existence of a permutation between two vectors, which relies on random challenges and polynomial encoding to ensure the validity of the proof.