Building a SNARK
Functional Commitment Scheme
- Committing to a function
  - Function Families
  - Polynomial Commitment Scheme (PCS)
KZG PCS
- Setup
- Commitment
- Evaluation
  - Remarks
Polynomial Interactive Oracle Proof
The Resulting SNARK
Key Observations
- Zero Test
- Equality Test
Useful Proof Gadgets
- Zero Test on $H$
PLONK

Building a SNARK

There are various paradigms on building SNARKs, but the general paradigm is two step:

A functional commitment scheme, where most of cryptography takes place
A suitable interactive oracle proof (IOP), where most of the information theory takes place

Functional Commitment Scheme

Well, first, what is a commitment scheme? A cryptographic commitment is like a physical-world envelope. For instance, Bob can put a data in an envelope, and when Alice receives this envelope she can be sure that Bob has committed to whatever value is in it. Alice can later reveal that value.

The commitment scheme has two algorithms:

$co mmi t (m, r) \to co m$ for some randomly chosen $r$
$v er i f y (m, co m, r) \to accept or reject$

The scheme must have the following properties:

Binding: cannot produce two valid openings for $co m$
Hiding: $co m$ reveals nothing about the committed data

There is a standard construction using hash functions. Fix a hash function $H : M \times R \to C$ where

$co mmi t (m, r) = H (m, r)$
$v er i f y (m, co m, r) = accept if co m = H (m, r)$

Committing to a function

Choose a family of functions $F = {f : X \to Y}$ . What does it really mean to commit to a function? Well, consider the following interaction:

sequenceDiagram
	actor P as Prover
	actor V as Verifier

	note over P: f ∈ F
	P ->> V: com_f := commit(f, r)
	V ->> P: x ∈ X
	P ->> V: y ∈ Y, proof π
	note over V: Accept or Reject

Here, the proof $π$ is to show that $f (x) = y$ and $f \in F$ .

More formally, a functional commitment scheme for $F$ :

$se t u p (λ) \to pp$ is public parameters $pp$
$co mmi t (pp, f, r) \to co m_{f}$ is commitment to $f \in F$ with $r \in R$
- this should be a binding scheme
- optionally, it can be hiding, which is good for zk-SNARK
$e v a l (P, V)$ with a prover $P$ and verifier $V$ , where for a given $co m_{f}$ and $x \in X, y \in Y$ :
- $P (pp, f, x, y, r) \to short proof π$ , which is a SNARK for the relation: $f (x) = y$ and $f \in F$ and $co mmi t (pp, f, r) = co m_{f}$ .
- $V (pp, co m_{f}, x, y, π) \to accept or reject$
- Basically, the $e v a l$ system is a SNARK

Function Families

There are 3 very important functional commitment types:

Polynomial Commitments: Committing to a univariate polynomial $f (X) \in F_{p}^{(\leq d)} [X]$ where that fancy notation stands for the set of all univariate polynomials of degree at most $d$ .
Multilinear Commitments: Committing to a multilinear polynomial in $F_{p}^{(\leq 1)} [X_{1}, \dots, X_{k}]$ which is the set of all the multilinear polynomials in at most $k$ variables.
- A multilinear polynomial is when all the variables have degree at most 1. Here is an example: $f (x_{1}, \dots, x_{7}) = x_{1} x_{3} + x_{1} x_{4} x_{5} + x_{7}$ .
Linear Commitments: Committing to a linear function $f_{v} (u) = ⟨ u, v ⟩ = \sum_{i = 1}^{n} u_{i} v_{i}$ which is just the dot product of two vectors.

Different SNARK systems may use different commitments. Note that linear commitments can be transformed into multilinear commitments, and those can be transformed into polynomial commitments. A good exercise!

From here on we will talk about Polynomial Commitments.

Polynomial Commitment Scheme (PCS)

A PCS is a functional commitment for the family $F = F_{p}^{(\leq d)} [X]$ . The prover commits to a univariate polynomial $f \in F_{p}^{(\leq d)} [X]$ , later, they can prove that $v = f (u)$ for some public $u, v \in F_{p}$ . As this is a SNARK, the proof size and verifier time should be $O_{λ} (lo g d)$ .

Using basic elliptic curves: Bulletproofs
Using bilinear groups: KZG (trusted setup) (2010), Dory (transparent) (2020)
Using groups of unknown order: Dark (20)
Using hash functions only: based on FRI

We will focus on KZG, as it is much simpler and commonly used.

KZG PCS

The name stands for Kate-Zaverucha-Goldberg. It operates on a cyclic group $G := {0, G, 2 G, 3 G, \dots, (p - 1) G}$ of order $p$ where $G$ is the generator. Note that in such a setting, $pG = 0$ .

Setup

The setup phase $se t u p (λ) \to pp$ works as follows:

Sample random $α \in F_{p}$
$pp = (H_{0} = G, H_{1} = α G, H_{2} = α^{2} G, \dots, H_{d} = α^{d} G) \in G^{d + 1}$
Delete $α$ or you get in trouble! (trusted setup)

Note that you can't do something like $H_{0} / H_{1} = α$ because division is not defined for these guys!

Commitment

The commitment phase $co mmi t (pp, f) \to co m_{f}$ is as follows:

Compute $co m_{f} := f (α) G \in G$ , but wait we don't have $α$ so what do we do?
We have a univariate polynomial $f (X) = f_{0} + f_{1} X + \dots + f_{d} X^{d}$
We use the public parameters $pp$ to compute $co m_{f} = f_{0} H_{0} + f_{1} H_{1} + \dots + f_{d} H_{d}$
If you expand $H$ in there, you will notice that the entire thing is equal to $f (α) G$ .
This is a binding commitment, but it is not hiding for now.

Evaluation

We have $co mmi t (pp, f) \to co m_{f}$ where $co m_{f} = f (α) G \in G$ at this point. The evaluation phase $e v a l (P, V)$ will work as follows:

Prover $P (pp, f, u, v)$ has the goal of proving $f (u) = v$ and generate some proof $π$ .
Verifier $V (pp, co m_{f}, u, v, π)$ will verify that proof.

The trick is to see that if $f (u) = v$ then $u$ is a root of $\hat{f} = f - v$ . It is because $\hat{f} (u) = f (u) - v = v - v = 0$ . There is a very well known result of this, that $(X - u)$ divides $\hat{f}$ . This also means that there is quotient polynomial $\exists q \in F_{p} [X]$ such that $q (x) (X - u) = f (X) - v$ .

With this, the Prover will calculate the quotient polynomial $q (X)$ and will commit to it to find $co m_{q}$ . This will be the proof $π = co m_{q} \in G$ . The verifier will accept the proof $π$ only if $(α - u) co m_{q} = co m_{f} - v G$ .

Note that verifier is using $α$ here, even though it was secret. The truth is, it is not actually using $α$ but instead uses a pairing, and the only thing verifier needs to know for that is $H_{0} = G$ and $H_{1} = α G$ , which are part of public parameters $pp$ .

Computing $q (x)$ is pretty expensive for large $d$ , and this part takes most of the computational time of the entire algorithm.

Remarks

KZG has been generalized for committing to $k$ -variate polynomials (PST 2013). There are many more generalizations of it. KZG also provides batch proofs, where a prover can prove a bunch of commitments in a single computation.

The difficulty with KZG is that it requires a trusted setup for $pp$ , and $pp$ size is linear in $d$ .

Polynomial Interactive Oracle Proof

Now we are at the second part of a SNARK. Let $C (x, w)$ be some arithmetic circuit. Let $x \in F_{p}^{n}$ . Poly-IOP is a proof system that proves $\exists w : C (x, w) = 0$ as follows:

We preprocess the circuit $C$ as similar to previous steps. $se t u p (C) \to (S_{p}, S_{v})$ where $S_{v} = (co m_{f_{0}}, co m_{f_{- 1}}, \dots, co m_{f_{- s}})$ .
An interactive proof is played as shown below:

sequenceDiagram
	actor P as Prover P(S_p, x, w)
	actor V as Verifier V(S_v, x)

	loop i = 1, 2, ..., (t-1)
	P ->> V: f_i ∈ F
	note over V: r_i ← F_p
	V ->> P: r_i
	end

	P ->> V: f_t ∈ F
	note over V: verify^(f_{-s}, ..., f_t)(x, r_1, ..., r_(t-1))

Here the $v er i f y$ in the end is just an efficient function that can evaluate $f_{i}$ at any point in $F_{p}$ . Also note that $r_{i}$ is randomly chosen only after the prover has committed to $f_{i}$ .

The Verifier here is just creating random numbers. Using Fiat-Shamir transform, such an interactive proof can be made non-interactive!

As usual, we expect the following properties:

Complete: if $\exists w : C (x, w) = 0$ then verifier always accepts.
Knowledge Sound: Let $x \in F_{p}^{n}$ . For every $P *$ that convinces the verifier with some non-negligible probability $β$ , there is an efficient extractor $E$ such that for some negligible $ϵ$ :

$Pr [E (x, f_{1}, r_{1}, \dots, f_{t - 1}, r_{t - 1}, f_{t}) \to w : C (x, w) = 0] \geq β - ϵ$

Zero-Knowledge: This is optional, but will be required for a zk-SNARK.

The Resulting SNARK

The resulting SNARK will look the following: there will be $t$ number of polynomials committed, and $q$ number of evaluation queries (points) for the verification. This is parameterized as $(t, q)$ POLY-IOP.

For the SNARK:

Prover send $t$ polynomial commitments
During Poly-IOP verify, the PCS $e v a l$ is run $q$ times.
Note that $e v a l$ is made non-interactive via Fiat-Shamir transform.

The length of the SNARK proof is $t$ polynomial commitments + $q$ evaluation proofs.

Prover Time: $t \times time (co mmi t) + q \times time (p ro v e) + time (I O P_{p ro v e})$
Verifier Time: $q \times time (e v a l_{v er i f y}) + time (I O P_{v er i f y})$

Usually, both $t, q \leq 3$ so these times are really short, in fact, in constant time w.r.t the polynomial count which is awesome.

We will build a Poly-IOP called Plonk. Plonk + PCS will make up a SNARK, and optionally can be extended to a zk-SNARK.

Key Observations

We can do zero test and equality test on committed polynomials, and these are used on almost all SNARK constructions.

Zero Test

A really key fact for $0 \neq = f \in F_{p}^{(\leq d)} [X]$ (for some random non-zero polynomial with degree at most $d$ ) is as follows:

for $r \leftarrow F_{p}$ it holds that $Pr [f (r) = 0] \leq d / p$

We know that $f$ has at most $d$ roots. $r$ is chosen at random from a size $p$ , do the probability that $r$ "hits" a root value is easy to see that $d / p$ .

Suppose that $p \approx 2^{256}$ and $d \leq 2^{40}$ . Then, $d / p$ is negligible! So it is really unlikely that a randomly chosen field element will be the root for $f$ .

With this in mind, if you do get $f (r) = 0$ for $r \leftarrow F_{p}$ then $f$ is identically zero with very high probability. This gives you a simple zero test for a committed polynomial!

This condition holds even for multi-variate polynomials!

Equality Test

Here is a related observation from the Zero Test.

Let $f, g \in F_{p}^{(\leq d)} [X]$ . For $r \leftarrow F_{p}$ , if $f (r) = g (r)$ then $f = g$ with very high probability! This comes from the observation above (think of $f - r = 0$ ).

Useful Proof Gadgets

Let $w \in F_{p}$ be a primitive $k$ -th root of unity (meaning that $w^{k} = 1)$ . Set $H := {1, ω, ω^{2}, \dots, ω^{k - 1}} \subseteq F_{p}$ . Let $f \in F_{p}^{(\leq d)} [X]$ and $b, c \in F_{p}$ where $d \geq k$ .

There are efficient poly-IOPs for the following tasks:

Zero Test: Prove that $f$ is identically zero on $H$
Sum Check: Prove that $\sum_{a \in H} f (a) = b$ where the verifier has $co m_{f}, b$ .
Product Check: Prove that $\prod_{a \in H} f (a) = c$ where the verifier has $co m_{f}, c$ .

We will only look at zero test.

Zero Test on $H$

There is a cute lemma that will be used here: $f$ is zero on $H$ if and only if $f (X)$ is divisible by $X^{k} - 1$ .

sequenceDiagram
	actor P as Prover
	actor V as Verifier

	note over P: q(X) ← f(X) / (X^k - 1)
  	P ->> V: q
	note over V: r ← F_p
	V ->> P: r
	note over P: evaluate q(r) and f(r)
	P ->> V: q(r), f(r)
	note over V: accept if f(r) = q(r) * (r^k - 1)

This protocol is complete and sound, assuming $d / p$ is negligible.

PLONK

PLONK is a Poly-IOP for a general circuit $C (x, w)$ .

Step 1: Compile Circuit to a Computation Circuit

Consider the following circuit (gate fan-in: 2, meaning that gates can take 2 inputs):

flowchart LR
	x1((x1)) --> +1[+ g0]
	x2((x2)) --> +1
	x2 --> +2[+ g1]
	w1((w1)) --> +2
	+1 --> x[x g2]
	+2 --> x
	x --> r(( ))

There are 3 gates here (namely $g_{0}, g_{1}, g_{2}$ ), 2 statement inputs $x_{1}, x_{2}$ and a witness input $w_{1}$ . The circuit outputs $(x_{1} + x_{2}) (x_{2} + w_{1})$ . Consider giving $x_{1} = 5, x_{2} = 6, w_{1} = 1$ . Here is what that computation would look like:

flowchart LR
	x1((x1)) -- 5 --> +1[+ g0]
	x2((x2)) -- 6 --> +1
	x2 -- 6 --> +2[+ g1]
	w1((w1)) -- 1 --> +2
	+1 -- 11 --> x[x g2]
	+2 -- 7 --> x
	x -- 77 --> r((77))

We would like to obtain a computation trace of this circuit evaluation. A computation trace is simply a table that shows the inputs, and the state of each gate (input1, input2, output). The output of the circuit is the output of the last gate in the circuit. Here is the computation trace for the circuit evaluation above:


Inputs	5	6	1
Gate 0	5	6	11
Gate 1	6	1	7
Gate 2	11	7	77

At this point, we can forget about the circuit and focus on proving that a computation trace is valid. Note that input count does not have to be equal to number of inputs & output of a gate.

Step 1.5: Encoding the Trace as a Polynomial

First, some notation:

$∣ C ∣$ is the total number of gates in circuit $C$
$∣ I ∣$ is equal to $∣ I_{x} ∣ + ∣ I_{w} ∣$ which is total number of inputs to $C$
Let $d = 3∣ C ∣ + ∣ I ∣$ which gives us the number of entries in the computation trace. In the example, that is $d = 12$ .
$H = {1, ω, ω^{2}, \dots, ω^{d - 1}}$

The plan: the prover will interpolate a polynomial $P \in F_{p}^{(\leq d)} [X]$ that encodes the entire trace, such that:

$P$ encodes all inputs: $P (ω^{- j}) = input #j$ for $j = 1, \dots, ∣ I ∣$ .
$P$ encodes all wires: $\forall l = 0, \dots, ∣ C ∣ - 1$ :
1. $P (ω^{3 l})$ gives the left input to gate # $l$
2. $P (ω^{3 l + 1})$ gives the right input to gate # $l$
3. $P (ω^{3 l + 2})$ gives the output of gate # $l$

Prover uses FFT (Fast Fourier Transform) to compute the coefficients of $P$ in time $d lo g_{2} d$ , almost in linear time!

Step 2: Proving validity of $P$

Prover needs to prove that $P$ is a correct computation trace, which means the following:

$P$ encodes the correct inputs
Every gate is evaluated correctly
The "wiring" is implemented correctly
The output of last gate is 0

(1) $P$ encodes the correct inputs

Remember both prover and verifier has the statement $x$ . They will interpolate a polynomial $v (X) \in F_{p}^{(\leq ∣ I_{x} ∣} [X]$ that encodes the $x$ -inputs to the circuit:

for $j = 1, \dots, ∣ I_{x} ∣ : v (ω^{- j}) = input #j$

Constructing $v (X)$ takes time proportional to the size of input $x$ .

In our example: $v (ω^{- 1}) = 5, v (ω^{- 2}) = 6, v (ω^{- 3}) = 1$ so $v$ is quadratic.

Next, they will agree on the points encoding the input:

$H_{in p} := {ω^{- 1}, ω^{- 2}, \dots, ω^{- ∣ I_{x} ∣}}$

Prover will prove (1) by using a zero-test on $H_{in p}$ to prove that:

$P (y) - v (y) = 0$ for all $y \in H_{in p}$

(2): Every gate is evaluated correctly

The idea here is to encode gate types using a selector polynomial $S (X)$ . Remember that in our example we encoded the two gate inputs and an output as $ω$ to the power $3 l, 3 l + 1, 3 l + 2$ for some gate $l$ . Now, we will encode the "types" of these gates.

Define $S (X) \in F_{p}^{(\leq d)} [X]$ such that $\forall l = 0, \dots, ∣ C ∣ - 1$ :

$S (ω^{3 l}) = 1$ if gate $# l$ is an addition gate +
$S (ω^{3 l}) = 0$ if gate $# l$ is a multiplication gate x

In our example, $S (ω^{0}) = 1, S (ω^{3}) = 1, S (ω^{6}) = 0$ , so $S$ is a quadratic polynomial.

Now, we make a really nice observation: $\forall y \in H_{g a t es} := {1, ω^{3}, ω^{6}, \dots, ω^{3 (∣ C ∣ - 1)}}$ it should hold that:

$S (y) \times (P (y) + P (ω y)) + (1 - S (y)) (P (y) \times P (ω y)) = P (ω^{2} y)$

Here, $P (y), P (ω y), P (ω^{2} y)$ are left input, right input and output respectively.

Prover will use a zero-test on the set $H_{g a t es}$ to prove that $\forall y \in H_{g a t es}$ :

$S (y) \times (P (y) + P (ω y)) + (1 - S (y)) (P (y) \times P (ω y)) - P (ω^{2} y) = 0$

(3) The wiring is correct

What do we mean by wiring? Well, if you look at the circuit (or the table) you will notice that some outputs become inputs on other gates. For example, the input 6 is a right input for gate 0, and a left input for gate 1 and such. Prover will have to prove that this wiring has been done correctly.

For that, the wires of $C$ are encoded with respect to their constraints. In our example:

$P (ω^{- 2}) = P (ω^{1}) = P (ω^{3})$
$P (ω^{- 1}) = P (ω^{0})$
$P (ω^{2}) = P (ω^{6})$
$P (ω^{- 3}) = P (ω^{4})$

Define a polynomial $W : H \to H$ that implements a rotation:

$W (ω^{- 2}, ω^{1}, ω^{3}) = (ω^{1}, ω^{3}, ω^{- 2})$
$W (ω^{0}) = (ω^{- 1})$
$W (ω^{6}) = (ω^{2})$
$W (ω^{4}) = (ω^{- 3})$

Why we do this fantastic thing is due to a lemma; if $\forall y \in H : P (y) = P (W (y))$ then the wire constraints are satisfied.

However, there is a problem: $P (W (y))$ has degree $d \times d = d^{2}$ but we want prover to work in linear time $d$ only! PLONK uses a very nice trick: use product check proof to reduce this to a constraint of linear degree. This trick is called the "PLONK Permutation" trick.

(4) Output of last gate is 0

Proving the last one is easy, just show $P (3^{3∣ C ∣ - 1}) = 0$ .

Final PLONK Poly-IOP

In the setup phase:

$S e t u p (C) \to (S_{p}, S_{v})$ where
- $S_{p} := (S, W)$
- $S_{v} := (co m_{S}, co m_{W})$

The prover has $(S_{p}, x, w)$ and the verifier has $(S_{v}, x)$ .

The prover will build $P (X) \in F_{p}^{(\leq d)} [X]$ and give the commitment $co m_{P}$ to the verifier.
The verifier will then build $v (X) \in F_{p}^{(\leq ∣ I_{x} ∣)} [X]$

Finally, the prover will prove the four things described before:

Inputs

$\forall y \in H_{in p} : P (y) - v (y) = 0$

Gates

$\forall y \in H_{g a t es} : S (y) \times (P (y) + P (ω y)) + (1 - S (y)) (P (y) \times P (ω y)) - P (ω^{2} y) = 0$

Wires

$\forall y \in H : P (y) - P (W (y)) = 0$

Output

$P (3^{3∣ C ∣ - 1}) = 0$

There is a theorem that shows this PLONK Poly-IOP is knowledge sound and complete! The resulting proof is around 400 bytes, and verification takes around 6ms. PLONK can actually handle circuits with more general gates than + and x, although we only used those operations in our gate constraints. The resulting SNARK can be made into a zk-SNARK, though it is not covered here.

There is also something called PLOOKUP: efficient Poly-IOP for circuits with lookup tables, which is very very useful.

Cryptonotes