## Notes for Oscar:
we will start from here.
### Requirements of proof system:
$V$ --> verifier.
$P$ --> prover.
$C$ --> the circuit.
- Completeness: If i run a computation, I can compute a proof that the output is correct.
that is, if the prover is actually honest, and does have a statement $x$ and witness $w$ that evaluates to zero, then the verifier will accept the proof from the prover with probability 1.
$\forall\, x, w; C(x,w) = 0 \Rightarrow
\textrm{Proof}[V(\textrm{vkey}, x, P[\textrm{pkey}, x, w]) = accept] = 1$
- Soundness: I cannot convince you that the results is correct if it's not.
i.e., Adaptively knowledge sound:
$V$ accepts that $P$ "knows" $w$ such that $C(x,w) = 0$, and that an extractor $E
can extract a valid $w$ from the prover.
- Zero-Knowledge (Optional for ZK): If I want to, I can hide some or all of the inputs to the computation.
$(C, \textrm{pkey}, \textrm{vkey}, x, Proof)$ reveal nothing new about $w$. A witness exists that can simulate the proof.
### SNARKS, Plonk, PCS related:
In general building SNARKs can be done in two steps:
(1) a function commitment scheme.
(2) a suitable interactive oracle proof (IOP).
Within halo2 (an others) we use for:
(1) a polynomial commitment scheme (PCS) as the commitment scheme.
(2) a polynomial interactive oracle proof (poly-IOP) for the IOP.
Plonk + PCS $\rightarrow$ SNARK.
### Components of:
(1) Arithmetic Circuit $C$:
- Need to fix some finite filed $\mathbb{F} = \{0,...,p-1 \}$ for some $p>2$, where you can do addition and multpication $\textrm{mod } p$.
- Construct a arithmetic circuit $C$, where $C: \mathbb{F}^n \rightarrow \mathbb{F}$.
Which is a DAG with the nodes labeled $+, - \textrm{ or } \times$, i.e. these are the "Gates".
The circuit $C$ then defines a $n$-variant polynomial with an evaluation recipe.
(2) has an Argument System:
a public arithmetic circuit $C(x,w) \rightarrow \mathbb{F}$, takes a public statement $x$ in $\mathbb{F}$, and a secret witness $w$ in $\mathbb{F}^m$ and outputs a finite field element $\mathbb{F}$.
i.e.,
Public arithmetic circuit:
$C(x,w) = \mathbb{F}$
where:
$x$ is the public statement in $\mathbb{F}^n$ (known to Prover & Verifier).
$w$ is the secret witness in $\mathbb{F}^m$ (known to only Prover).
The Provers ($P$) goal is to convince the Verifier ($V$) that there exists some witness $w$ such that $C(x,w) = 0$
### Preprocessing/Setup of a NARK / SNARK:
As above the public arithmetic circuit: $C(x,w) \rightarrow \mathbb{F}$
A preprocessing circuit ("Setup") will take a public circuit (a Synthesized circuit) through a setup algorithm $S(c)$ which will output parameters for the prover and verifier, $\textrm{vkey}, \textrm{pkey}$.
In preprocessing/ssetup we fix the arithmetic circuit $C$ by taking $x$ a public statement in $\mathbb{F}^{n}$, and a secret witness $w$ in $\mathbb{F}^{m}$, and outputting the finite field element $\mathbb{F}$.
Preprocessing (Setup): $S(C) \rightarrow \textrm{public paramaters}(S\textrm{pkey}, S\textrm{vkey})$
where $\textrm{pkey}$ is the proving key, and $\textrm{vkey}$ is the verification key. i.e., the `.params` files.
The Prover $P$, takes $\textrm{pkey}, x,w$ and produces a Proof. The Prover proves that the circuit evaluates to zero at the point $(x,w)$. $\textrm{Proof that } C(x,w) = 0$. The Verifier either accepts or rejects the proof.
In the a (preprocessing/setup based) NARK/SNARK is three algorithms:
- $S(C) \rightarrow$ public parameters $(\textrm{vkey}, \textrm{pkey})$ for provers and verifier.
- $P(\textrm{pkey}, x,w) \rightarrow$ produces a proof
- $V(\textrm{vkey}, x) \rightarrow$ accepts or rejects the proof.
a SNARK is just a NARK, retians all the same properties of completeness, soundness, but prodcues succinct public parameters $S\textrm{vkey}, S\textrm{pkey}$.
------------------------------
## zkWasm related:
```console!
git clone https://github.com/DelphinusLab/zkWasm.git
cd zkWasm
git submodule init
git submodule update
cargo build --release
```
### wasm:
**Wasmi:**
outputs the two traces --> Web assembily bytecode and host API.
generates the execution trace and the host call trace.
records the order of the host api calls and their input and ooutput.
When combining the two traces we need to make sure the order of the host call trace, is the same as the order embedded in the ececution trace. Including the same arguements.
The execution trace is the input to the guestVM (which generates the proof). The proof is; the instance.data (Public input) and the proof (transcript.data).
The host call trance, is fed into the hostVM, which generates a proof (host-transcript.data).
```clike
#include "zkwasmsdk.h"
__attribute__((visibility("default")))
int zkmain() {
int sum = wasm_input(1);
return sum + 1;
}
```
**The setup phase generates the output:**
```
#!/bin/bash
RUST_LOG=info cargo run --release --features cuda -- -k 18 --function zkmain --output ./output --wasm ./crates/zkwasm/wasm/wasm_output.wasm setup
```
**no cuda**
End: create proof ..............................................................60.607s
**cuda:**
End: create proof ..............................................................6.157s
```
$ ls -la ./output/
K18.params
K22.params
zkwasm.0.vkey.data
```
Generates vkey.data for the image. The vkey is a circui that commits its constant column. That is, the program has been fixed. Whereas the next time the proof is submitted it will open and check the cimmitment of this vkey, to make sure the same program is being executed. This is the combination of the .param and vkey.data files.
For the zk host wasm. There will be a setup to get the host.vkey.
**Single-proof:**
```
#!/bin/bash
RUST_LOG=info cargo run --release --features cuda -- -k 18 --function zkmain --output ./output --wasm ./crates/zkwasm/wasm/wasm_output.wasm single-prove --public 133:i64 --public 2:i64
```
outputs files in ./output/:
additional files created:
```
zkwasm.0.transcript.data
zkwasm.0.instance.data
```
**Verification phase:**
verify.sh
```
#!/bin/bash
RUST_LOG=info cargo run --release --features cuda -- -k 18 --function zkmain --output ./output --wasm ./crates/zkwasm/wasm/wasm_output.wasm single-verify --proof output/zkwasm.0.transcript.data --instance output/zkwasm.0.instance.data
```
### Diagrams:
### Resources:
https://wasdk.github.io/WasmFiddle/
https://delphinuslab.github.io/Delphinus-Lab-Book/docs_pages/zkWASM_Playground/README.html
https://zkwasm-explorer.delphinuslab.com/
https://delphinuslab.github.io/Delphinus-Lab-Book/docs_pages/zkWASM/Setup_and_Proof.html
Sign in with Wallet
Connect another wallet