Introduction to Zero-Knowledge Proofs
Sarah Bordage, Ecole Polytechnique and Inria
Chaire Blockchain & B2B Platforms Working Group - May 20, 2021
How can you prove that something is true, without revealing why it is true?
TL;DR: use randomness in order to hide secrets.
Zero-Knowledge Interactive Proof Systems [GMR85]
- Prover P claims that some statement s is true, e.g. “the 5th transaction in block 42 is correct.”
- Verifier V asks questions to the prover P in order to challenge him.
- If the prover P gives correct answers to all the questions asked, then the verifier V gains confidence.
The resulting conversation is a zero-knowledge interactive proof if the following properties are satisfied:
Completeness: If s is true, there must exist a way to convince V.
Soundness: If s is false, there is no way P can convince V (except with small probability).
Zero-knowledge: If s is true, V learns nothing more than this fact.
On top of that: if P proves that he knows some piece of information, e.g. “I know the password associated with Jane_Doe.”, it is also a proof of knowledge.
Zero-knowledge proof: Sudoku
Initial puzzle
Prover P claims “I know a solution to this grid of Sudoku.”
1. P samples a random permutation 𝜎 : {1, …, 9} ↦ {1, …, 9}. For each cell with value x, P sends to V a commitment to the value 𝜎(x).
[Figure: Prover’s solution → Scrambled solution → Committed grid]
2. V samples a random challenge among 28 choices: a row, a column, a subgrid, or a “consistency check”.
3. P opens the corresponding commitments.
4. - If the challenge was a row/column/subgrid, V checks that all opened values are different.
   - If the challenge was the consistency check, V checks: a. if two initial values were different, then the opened values are different; b. if two initial values were the same, then the opened values are the same.
[Figure: Initial puzzle → Opened values]
Zero-knowledge proof: Sudoku
[Diagram: P → V: commitment; V → P: random challenge; P → V: response; V: accept / reject]
Proving zero-knowledgeness
V learns nothing more from the proof… What does it mean?
Perfect zero-knowledge. For every efficient verifier V*, there exists an efficient simulator S such that for every true statement s, {transcript((P, V*)(s))} ≡ {S^{V*}(s)}, i.e. the two distributions are the same.
[Diagram: on the left, P (holding the secret and the public statement s) interacts with V* (holding the public statement s) and produces a real transcript; on the right, S, given only the public statement s, outputs a simulated transcript; the two transcripts are indistinguishable. S can run V* and rewind it.]
Proving knowledge soundness
P knows a piece of information… What does it mean?
Proof of knowledge with knowledge error ε. There exists an efficient extractor E such that for every prover P*,
Pr[E^{P*}(s) outputs the secret w] > Pr[P* convinces V] - ε.
[Diagram: P* (holding the public statement s) interacts with V (holding the public statement s), who accepts; E, given only the public statement s, runs P* and rewinds it in order to output the secret w.]
ZKP for Sudoku: why it works
● Completeness is straightforward.
● Soundness: If the statement is false, then there is at least one question for which P cannot provide a correct answer. → V accepts with probability at most 1 - 1/28. […] times to get a 99% chance of rejecting a false claim.
● Zero-knowledge: If the challenge is a row, column or subgrid, the opened values are a random permutation of {1, …, 9}. If the challenge is the consistency check, the opened values are a random injection of the predetermined values into {1, …, 9}.
● Proof of knowledge: If P can convince a verifier with high probability, then P is able to answer all 28 possible questions.
Non-interactive ZKP using a cryptographic hash function
Public-coin ZK proof (P holds the secret w and the statement s; V holds the statement s):
P → V: commitment c
V → P: random challenge r
P → V: response a
V: accept / reject
Fiat-Shamir transform: replace V’s random challenge by r = H(s, c). The proof becomes the single message (c, a); V recomputes r = H(s, c) and accepts / rejects.
Random Oracle Model: assume the cryptographic hash function H ≈ random function.
[Diagram: public-coin ZK proof → (Fiat-Shamir transform) → non-interactive ZK proof]
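The Sudoku protocol of the previous slides (commit, 28 challenges, open, check; the "why it works" slide) together with the Fiat-Shamir transform just described, as an added Python example that is not part of the slides. It assumes a constructed instance (a shifted-pattern grid with a third of the cells revealed as the puzzle), SHA-256 commitments of the form H(nonce ‖ value) with 128-bit nonces (the slides do not fix a commitment scheme), and derives the non-interactive challenges as r = H(s, c) over the puzzle s and every round's commitments c, one challenge per round of parallel repetition. All function names are the example's own.

```python
import hashlib
import random

# Constructed instance: a full valid grid from a shifted pattern, and a puzzle revealing a third of it.
SOLUTION = [[(3 * (r % 3) + r // 3 + c) % 9 + 1 for c in range(9)] for r in range(9)]
PUZZLE = [[SOLUTION[r][c] if (r + c) % 3 == 0 else 0 for c in range(9)] for r in range(9)]
N_CHALLENGES = 28  # 9 rows + 9 columns + 9 subgrids + 1 consistency check

def cells_for_challenge(puzzle, ch):
    """Map a challenge index in [0, 28) to the cells P must open."""
    if ch < 9:
        return [(ch, c) for c in range(9)]                     # row ch
    if ch < 18:
        return [(r, ch - 9) for r in range(9)]                 # column ch - 9
    if ch < 27:
        b = ch - 18
        return [(3 * (b // 3) + i, 3 * (b % 3) + j) for i in range(3) for j in range(3)]  # subgrid b
    return [(r, c) for r in range(9) for c in range(9) if puzzle[r][c]]  # consistency check: the given cells

def commit(value, nonce):
    return hashlib.sha256(nonce + bytes([value])).digest()

def prover_commit(solution, rng):
    """Step 1: scramble with a random permutation sigma and commit to every scrambled cell."""
    perm = list(range(1, 10))
    rng.shuffle(perm)
    sigma = dict(zip(range(1, 10), perm))
    openings = {(r, c): (sigma[solution[r][c]], rng.getrandbits(128).to_bytes(16, "big"))
                for r in range(9) for c in range(9)}
    commitments = {cell: commit(v, n) for cell, (v, n) in openings.items()}
    return commitments, openings

def prover_respond(puzzle, openings, challenge):
    """Step 3: open exactly the commitments the challenge asks for."""
    return {cell: openings[cell] for cell in cells_for_challenge(puzzle, challenge)}

def verifier_check(puzzle, commitments, challenge, response):
    """Step 4: openings must match the commitments, then the challenge-specific rule must hold."""
    cells = cells_for_challenge(puzzle, challenge)
    if set(response) != set(cells) or any(commit(v, n) != commitments[c] for c, (v, n) in response.items()):
        return False
    if challenge < 27:                                         # row / column / subgrid: all different
        return sorted(response[c][0] for c in cells) == list(range(1, 10))
    seen = {}                                                  # consistency: sigma is an injection on the givens
    for r, c in cells:
        if seen.setdefault(puzzle[r][c], response[(r, c)][0]) != response[(r, c)][0]:
            return False
    return len(set(seen.values())) == len(seen)

def interactive_round(seed, solution=SOLUTION, challenge=None):
    """One round of the interactive protocol; V's challenge is random unless fixed for testing."""
    rng = random.Random(seed)
    commitments, openings = prover_commit(solution, rng)
    if challenge is None:
        challenge = rng.randrange(N_CHALLENGES)
    return verifier_check(PUZZLE, commitments, challenge, prover_respond(PUZZLE, openings, challenge))

def fs_challenges(puzzle, all_commitments):
    """Fiat-Shamir: r = H(s, c) with s the puzzle and c every round's commitments; one challenge per round."""
    h = hashlib.sha256(bytes(v for row in puzzle for v in row))
    for commitments in all_commitments:
        for cell in sorted(commitments):
            h.update(commitments[cell])
    digest = h.digest()
    return [int.from_bytes(hashlib.sha256(digest + i.to_bytes(4, "big")).digest(), "big") % N_CHALLENGES
            for i in range(len(all_commitments))]

def fs_prove(puzzle, solution, rounds, seed):
    """Non-interactive proof: all commitments first, then the hash fixes every round's challenge."""
    rng = random.Random(seed)
    per_round = [prover_commit(solution, rng) for _ in range(rounds)]
    challenges = fs_challenges(puzzle, [cm for cm, _ in per_round])
    return [(cm, prover_respond(puzzle, op, ch)) for (cm, op), ch in zip(per_round, challenges)]

def fs_verify(puzzle, proof):
    """V recomputes r = H(s, c) from the commitments and checks every round."""
    challenges = fs_challenges(puzzle, [cm for cm, _ in proof])
    return all(verifier_check(puzzle, cm, ch, resp) for (cm, resp), ch in zip(proof, challenges))

def cheating_accept_bound(rounds):
    """Soundness: a false claim survives each round with probability at most 1 - 1/28."""
    return (1 - 1 / N_CHALLENGES) ** rounds
```

A grid with one wrong cell passes any challenge that does not touch that cell (for instance another row, or the consistency check when the cell is not a given), which is exactly why the verifier only gains 1/28 of confidence per round and the rounds must be repeated; in the Fiat-Shamir version the prover cannot pick the challenge after seeing it, because changing a commitment changes the hash and therefore the challenge.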
ZK proofs of computational integrity
Let F be some program, x a public input, y a public output. Statement of the form “I know some secret input w such that F(x, w) = y.”
e.g. “I know w such that SHA256(w) = 0xdeadbeef...”
Enable verifiable computing while keeping secrets
→ Proof of computational integrity + zero-knowledge proof of knowledge.
Additionally, we would also like: a single message (no interaction) + a “short” proof + “fast” verification.
● Theoretically, constructions have been known for more than 30 years (Interactive Proofs, Zero-Knowledge Proofs, Probabilistically Checkable Proofs (PCPs), ...).
● The theory became truly practical ~5 years ago!
→ ZK-SNARK: Zero-Knowledge Succinct Non-interactive ARgument(1) of Knowledge
→ ZK-STARK: Zero-Knowledge Scalable Transparent ARgument of Knowledge. Based on a long line of research: PCP theorem (90’s), sublinear-size NIZK (late 90’s), quasi-linear PCPs (2005), interactive oracle proofs (2016), fast univariate low-degree test (2018), ZK-STARK preprint (2018).
(1) Argument = proof which is sound against computationally bounded provers.
A simplified ZK-STARK example
Public input: x ∊ 𝔽 and the number of steps T. Private input: an array K of T field elements.
Program F(x, T, K):
  for i = 0 to T - 1:
    x ← x*x + K[i]
  return x
[Diagram: input → (x ← x*x, + K[0]) → (x ← x*x, + K[1]) → … → (x ← x*x, + K[T-1]) → output]
Given public input (x, T) and public output y, P must show that he knows a secret array K such that F(x, T, K) = y.
ZK-STARK toy example
Given public input (x, T) and public output y, P must show that he knows secret K such that F(x, T, K) = y.
Execution trace:
  x        K
  x_0      K[0]
  x_1      K[1]
  x_2      K[2]
  ...      ...
  x_{T-2}  K[T-2]
  x_{T-1}  K[T-1]
Program F(x, T, K): for i = 0 to T - 1: x ← x*x + K[i]; return x.
P computes two polynomials f_0(X) and f_1(X) of degree T such that for all t ∊ {0, …, T-1}, f_0(t) = x_t and f_1(t) = K[t].
P and V define the “constraint” polynomial C(X_0, X_1, Y_0) = Y_0 - (X_0^2 + X_1) and the “locator” polynomial Z(X) = X(X-1)(X-2)⋅⋅⋅(X-(T-2)).
Each step of the trace satisfies C(x_t, K[t], x_{t+1}) = 0 (with X_0 = x_t, X_1 = K[t], Y_0 = x_{t+1}).
Observe that the execution trace is valid
  iff for all t ∊ {0, …, T-2}, C(f_0(t), f_1(t), f_0(t+1)) = 0 and f_0(T-1) = y,
  iff Z(X) divides C(f_0(X), f_1(X), f_0(X+1)) and (X - (T-1)) divides f_0(X) - y,
  iff g(X) = C(f_0(X), f_1(X), f_0(X+1)) / Z(X) is a polynomial of degree T+1 and h(X) = (f_0(X) - y) / (X - (T-1)) is a polynomial of degree T-1.
ZK-STARK toy example
Recall: C(X_0, X_1, Y_0) = Y_0 - (X_0^2 + X_1), Z(X) = X(X-1)(X-2)...(X-(T-2)),
g(X) = C(f_0(X), f_1(X), f_0(X+1)) / Z(X), h(X) = (f_0(X) - y) / (X - (T-1)).
P computes evaluation vectors (expected to be Reed-Solomon* codewords):
  w_0 := (f_0(x))_{T ≤ x < 9T}, w_1 := (f_1(x))_{T ≤ x < 9T}, w_g := (g(x))_{T ≤ x < 9T}, w_h := (h(x))_{T ≤ x < 9T}.
P computes Merkle trees for the vectors w_0, w_1, w_g and w_h and sends to V the Merkle roots
  H_0 = MerkleRoot(w_0), H_1 = MerkleRoot(w_1), H_2 = MerkleRoot(w_g), H_3 = MerkleRoot(w_h).
Consistency check: V samples s ∊ {T, …, 9T-1} and asks for w_0(s), w_1(s), w_0(s+1), w_g(s), w_h(s) (with Merkle proofs). V checks that w_h(s) = (w_0(s) - y) / (s - (T-1)) and w_g(s) = C(w_0(s), w_1(s), w_0(s+1)) / Z(s).
Low-degree test: P and V engage in a protocol LDT to show that w_0, w_1, w_g and w_h are evaluations of low-degree polynomials. In the LDT, V queries only a logarithmic number of symbols of w_0, w_1, w_g and w_h.
* Reed-Solomon code of length n and dimension d → evaluations of a univariate polynomial of degree < d on n points.
Achieving zero-knowledge
By querying a symbol of w_1, V learns a linear relation involving the coefficients of f_1(X). Each entry of w_0, w_1, w_g and w_h reveals some information about the secret input K.
ZK simulator? For any set of queried positions Q, we want the distribution of w_0|Q, w_1|Q, w_g|Q and w_h|Q to be the uniform distribution over field elements satisfying, for each s ∊ Q, w_h(s) = (w_0(s) - y) / (s - (T-1)) and w_g(s) = C(w_0(s), w_1(s), w_0(s+1)) / Z(s).
To achieve zero-knowledge against k-query bounded verifiers, instead of computing polynomials f_0(X) and f_1(X) of degree T such that for all t ∊ {0, …, T-1}, f_0(t) = x_t and f_1(t) = K[t],
P samples uniformly at random two polynomials f_0(X) and f_1(X) of degree T + k such that for all t ∊ {0, …, T-1}, f_0(t) = x_t and f_1(t) = K[t].
[Figure: the execution trace (x_t, K[t]) and the randomized interpolants f_0(X), f_1(X)]
ZK-STARK toy example: ZK against a k-query bounded verifier
Given public input (x, T) and public output y, P must show that he knows secret K such that F(x, T, K) = y.
P samples uniformly at random two polynomials f_0(X) and f_1(X) of degree T + k such that for all t ∊ {0, …, T-1}, f_0(t) = x_t and f_1(t) = K[t].
P and V define the “constraint” polynomial C(X_0, X_1, Y_0) = Y_0 - (X_0^2 + X_1) and the “locator” polynomial Z(X) = X(X-1)(X-2)⋅⋅⋅(X-(T-2)).
Observe that the execution trace is valid
  iff for all t ∊ {0, …, T-2}, C(f_0(t), f_1(t), f_0(t+1)) = 0 and f_0(T-1) = y,
  iff there exists D(X) such that C(f_0(X), f_1(X), f_0(X+1)) = Z(X)D(X) and f_0(T-1) = y,
  iff g(X) = C(f_0(X), f_1(X), f_0(X+1)) / Z(X) is a polynomial of degree T+1+2k and h(X) = (f_0(X) - y) / (X - (T-1)) is a polynomial of degree T-1+k.
ZK-STARK toy example: ZK against a k-query bounded verifier
Same as before!
Recall: C(X_0, X_1, Y_0) = Y_0 - (X_0^2 + X_1), Z(X) = X(X-1)(X-2)...(X-(T-2)),
g(X) = C(f_0(X), f_1(X), f_0(X+1)) / Z(X), h(X) = (f_0(X) - y) / (X - (T-1)).
P computes the evaluation vectors (expected to be Reed-Solomon codewords) w_0 := (f_0(x))_{T ≤ x < 9T}, w_1 := (f_1(x))_{T ≤ x < 9T}, w_g := (g(x))_{T ≤ x < 9T}, w_h := (h(x))_{T ≤ x < 9T}, computes Merkle trees for them and sends to V the Merkle roots H_0 = MerkleRoot(w_0), H_1 = MerkleRoot(w_1), H_2 = MerkleRoot(w_g), H_3 = MerkleRoot(w_h).
Consistency check: V samples s ∊ {T, …, 9T-1} and asks for w_0(s), w_1(s), w_0(s+1), w_g(s), w_h(s). V checks that w_h(s) = (w_0(s) - y) / (s - (T-1)) and w_g(s) = C(w_0(s), w_1(s), w_0(s+1)) / Z(s).
Low-degree test: P and V engage in a protocol LDT to show that w_0, w_1, w_g and w_h are evaluations of low-degree polynomials. In the LDT, V queries only a logarithmic number of symbols of w_0, w_1, w_g and w_h → set k accordingly.
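The toy ZK-STARK of the preceding slides (execution trace, interpolants f_0 and f_1, quotients g and h, evaluation vectors on {T, …, 9T-1}, Merkle roots, the consistency check with Merkle proofs, and the k-random-point variant for zero-knowledge) in Python, as an added example that is not part of the slides. Assumptions not fixed by the slides: the prime field 2^31 - 1; the k extra random interpolation points placed at positions P-1, P-2, … outside both the trace and evaluation domains; SHA-256 Merkle trees with the last node duplicated on odd layers; the output y = x_{T-1} exactly as in the slides' trace (so only K[0..T-2] enter the constraints); and the prover computing w_g and w_h pointwise on the domain, as a real prover would. The slides' LDT is not implemented; `is_low_degree` is a naive stand-in that reads the whole vector (the real LDT queries only logarithmically many symbols). All function names are the example's own.

```python
import hashlib
import math
import random

P = 2**31 - 1  # constructed prime field; the slides leave the field unspecified

def inv(a):
    return pow(a % P, P - 2, P)

def poly_eval(f, x):  # polynomials are coefficient lists over F_P, lowest degree first
    acc = 0
    for c in reversed(f):
        acc = (acc * x + c) % P
    return acc

def poly_add(a, b):
    return [((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % P for i in range(max(len(a), len(b)))]

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, u in enumerate(a):
        for j, v in enumerate(b):
            out[i + j] = (out[i + j] + u * v) % P
    return out

def interpolate(xs, ys):
    # Lagrange interpolation: the unique polynomial of degree < len(xs) through the points
    f = [0]
    for i, (xi, yi) in enumerate(zip(xs, ys)):
        term = [yi % P]
        for j, xj in enumerate(xs):
            if j != i:
                w = inv(xi - xj)
                term = poly_mul(term, [(-xj) * w % P, w])
        f = poly_add(f, term)
    return f

def is_low_degree(word, domain, bound):
    # Naive stand-in for the slides' LDT: interpolate bound+1 symbols and check that all the others agree
    f = interpolate(domain[:bound + 1], word[:bound + 1])
    return all(poly_eval(f, s) == v for s, v in zip(domain, word))

def merkle_layers(leaves):
    layers = [[hashlib.sha256(v.to_bytes(8, "big")).digest() for v in leaves]]
    while len(layers[-1]) > 1:
        cur = layers[-1] + layers[-1][-1:] * (len(layers[-1]) % 2)  # duplicate the last node on odd layers
        layers.append([hashlib.sha256(cur[i] + cur[i + 1]).digest() for i in range(0, len(cur), 2)])
    return layers

def merkle_path(layers, i):
    path = []
    for layer in layers[:-1]:
        path.append(layer[i ^ 1] if i ^ 1 < len(layer) else layer[-1])
        i //= 2
    return path

def merkle_verify(root, i, value, path):
    node = hashlib.sha256(value.to_bytes(8, "big")).digest()
    for sib in path:
        node = hashlib.sha256(node + sib if i % 2 == 0 else sib + node).digest()
        i //= 2
    return node == root

def execution_trace(x, T, K):  # rows x_0 .. x_{T-1}; as on the slides, the output is y = x_{T-1}
    xs = [x % P]
    for t in range(T - 1):
        xs.append((xs[-1] * xs[-1] + K[t]) % P)
    return xs

def Z_eval(T, s):  # locator Z(X) = X(X-1)...(X-(T-2)) evaluated at s
    return math.prod((s - t) % P for t in range(T - 1)) % P

def prove(x, T, K, y_claim, k, seed):  # P's side; k > 0 adds k random interpolation points (the ZK fix)
    rng = random.Random(seed)
    extra = [P - 1 - j for j in range(k)]  # constructed positions outside both domains
    f0 = interpolate(list(range(T)) + extra, execution_trace(x, T, K) + [rng.randrange(P) for _ in extra])
    f1 = interpolate(list(range(T)) + extra, list(K[:T]) + [rng.randrange(P) for _ in extra])
    domain = list(range(T, 9 * T))
    w0, w1 = [poly_eval(f0, s) for s in domain], [poly_eval(f1, s) for s in domain]
    # g = C(f0(X), f1(X), f0(X+1)) / Z(X) and h = (f0(X) - y) / (X - (T-1)), evaluated pointwise on the domain
    wg = [(poly_eval(f0, s + 1) - (w0[i] * w0[i] + w1[i])) * inv(Z_eval(T, s)) % P for i, s in enumerate(domain)]
    wh = [(w0[i] - y_claim) * inv(s - (T - 1)) % P for i, s in enumerate(domain)]
    words = {"w0": w0, "w1": w1, "wg": wg, "wh": wh}
    layers = {n: merkle_layers(w) for n, w in words.items()}
    return {n: ls[-1][0] for n, ls in layers.items()}, words, layers  # the roots are what V receives

def open_query(T, words, layers, s):  # P answers V's query: symbols at s (and s+1 for w0) with Merkle proofs
    i = s - T
    opening = {n: (words[n][i], merkle_path(layers[n], i)) for n in words}
    opening["w0next"] = (words["w0"][i + 1], merkle_path(layers["w0"], i + 1))
    return opening

def consistency_check(T, y, roots, s, opening):  # V's side: Merkle proofs, then the two relations at s
    i = s - T
    checks = [("w0", i), ("w1", i), ("wg", i), ("wh", i), ("w0next", i + 1)]
    if not all(merkle_verify(roots[n[:2]], pos, *opening[n]) for n, pos in checks):
        return False
    w0, w1, wg, wh, w0n = (opening[n][0] for n, _ in checks)
    ok_h = wh == (w0 - y) * inv(s - (T - 1)) % P
    ok_g = wg == (w0n - (w0 * w0 + w1)) * inv(Z_eval(T, s)) % P
    return ok_h and ok_g
```

Because the prover builds w_g and w_h pointwise, a prover claiming a wrong output y' still passes the consistency check at every s (the relation holds by construction); what fails is the degree bound on w_h, since (f_0(X) - y') / (X - (T-1)) is not a polynomial when f_0(T-1) ≠ y'. That is the division of labour the slides describe: the consistency check binds the committed vectors to each other and to y, and the low-degree test is what makes the binding meaningful. A tampered opening is caught earlier, by the Merkle proof.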
Conclusion
Zero-knowledge: scramble the solution with randomness + maintain an invariant for verification.
ZK-STARKs
● Exponentially small verification of correctness of a program execution
● Quasilinear prover (finite field arithmetic + hash functions)
● No trusted setup
● Post-quantum security
● Cairo: Turing-complete language to write programs directly verifiable with STARK proofs.
A story for another day: ZK-SNARKs
● Constant-size proof, constant-time verification (pre-processing with trusted setup)
● Heavy cryptography (pairings, strong assumptions)
Thank you!
StarkEx:
- Ethereum L2 scalability solution based on validity proofs (see ZK-Rollups)
- Self-custodial transactions (trading & payments) for applications such as DeFi
Cairo: a Turing-complete language to write programs directly verifiable with STARK proofs. Source: https://docs.starkware.co/starkex-docs-v2