```# Fully non-deterministic Noir ## Afterthought After writing up this spec, I would also like to question/justify the idea as to whether we need this. My concerns are around file access for things like state management and if there are any cases where a user may, due to ignorance allow one to execute arbitrary code in a non-sandboxed way ## Problem statement **Introduction**

:::info Summary We recommend a total spend of approximately $1000 We recommend the NUC 14 Pro and the Minisforum UM790 Pro, however it can be any prebuilt setup that has:A modern CPU with:At least 8 cores and 16 threads Single thread rating of 3500 or more Multithreaded rating of 25000 or more 4TB NVMe M.2 storage

CGO_CFLAGS="-O2 -D__BLST_PORTABLE__" go test -bench=Benchmark kev@kev-Venus-series:~/Documents/c-kzg-4844/bindings/go$ go test -bench=Benchmark goos: linux goarch: amd64 pkg: github.com/ethereum/c-kzg-4844/v2/bindings/go cpu: AMD Ryzen 9 7940HS w/ Radeon 780M GraphicsBenchmark/LoadTrustedSetupFile(precompute=0)-16 1 1394717117 ns/op Benchmark/LoadTrustedSetupFile(precompute=1)-16 1 1408454235 ns/op Benchmark/LoadTrustedSetupFile(precompute=2)-16 1 1412673856 ns/op Benchmark/LoadTrustedSetupFile(precompute=3)-16 1 1419016199 ns/op

KZG - Is Zero Quotient Okay? Overview This is a note to show that the witness being zero is sound and is valid for some polynomials. This skims through the original KZG protocol as a refresher and then shows why the zero quotient/proof/witness is okay. Trusted setup In KZG, we commit to polynomials using a trusted setup of the form: $T = ({[s^0]_1, [s^1]_1, ..., [s^{n-1}]_1}, {[s^0]_2, [s^1]_2})$

Introduction In this document, we describe the API that the cryptography layer needs to expose to the verkle trie layer. If you are creating a verkle trie implementation without the cryptography fully being implemented, you can mock the following APIs. Elliptic Curve API We define a Elliptic curve $E$ over a base field $F_p$ with a scalar field $F_r$. The group exposed by $E(F_p)$ must have prime order. This is so that the verkle trie logic does not need to worry about subgroup attack vectors. The group exposes two algorithm:

Reference The formulas were derived by reading the following academic article here Problem In the multipoint protocol, we had a polynomial of the form: $$ g(X) = r^0 \frac{f_0(X) - y_0}{X-z_0} + r^1 \frac{f_1(X) - y_1}{X-z_1} + \ldots +r^{m-1} \frac{f_{m-1}(X) - y_{m-1}}{X-z_{m-1}} $$

Vector Commitment Scheme vs Polynomial Commitment Scheme We may use these two terms interchangeably however they are not the same, a vector commitment scheme is strictly more powerful than a polynomial commitment scheme. One can take the dot product between two vectors and if one vector is of the form $<1, t, t^2, t^3,..., t^n>$ then one can realise the dot product as the evaluation of a polynomial in monomial basis at the point $t$. Converting a vector to a polynomial can be done by either interpreting the elements in the vector as the coefficients for the polynomial or interpreting the elements as evaluations of the polynomial. Hence, we can state our schemes in terms of a polynomial commitment scheme and the translation would be done as mentioned above. Similarly, the term multipoint will be used when referring to a polynomial commitment scheme and multi-index when referring to a vector commitment scheme. they mean the same thing, but just in different contexts. Introduction A vector commitment scheme allows you to prove that an element $e$ in a vector $v$ is indeed at some specific index $i$, ie the fact that $v[i]=e$.

Familiarity with binary merkle trees is assumed. Commitment Scheme Commitment schemes in general are at the heart of every scenario where you want to prove something to another person. Lets list two examples from our daily lives. Lottery Before you are able to see the winning results of a lottery, you must first commit to your choice of numbers. This commitment will allow you to prove that you did indeed choose these numbers before seeing the results. This commitment is often referred to as a lottery ticket. We cannot trust people to be honest about their results, or more generously, we cannot trust people to attest to the truth; they could have bad memory.

Introduction This document explains the transformation from bandersnatch to banderwagon. The particular technique for doing this was independently found by Gottfried Herold. In short, he found that one can create a prime order subgroup by quotienting out the group of rational points in the bandersnatch group. The main purpose is to give one an intuition of why and how banderwagon works. For a concise handling of the topic, check out Gottfried's Implementation notes. Acknowledgments Thanks to Gottfried for reading, commenting and correcting both mathematical and grammar mistakes. In particular, Gottfried noted that the use of affine co-ordinates to speak about the points at infinity was imprecise. The section on special points has thus been reduced to only note that these four points exist and not on how to derive them using Bessalov's technique. Twisted Edwards Curve We define a Twisted Edwards curve over $F_p$ as:

Why are we using Banderwagon? Certainly one curve is less complex than two, and Ethereum already uses the bls12-381 curve, so why introduce another curve? Good question, I'm glad you have the mental fortitude to challenge me so early in the article. TLDR: It allows us to create efficient zero knowledge proofs in a snark. Proof of execution A proof of execution is an protocol that allows you to prove that some function $f$ executed correctly with some input $x$ and produced some output $y$. Upon receiving the proof, one can quickly verify the claim $y=f(x)$ quicker than it takes to execute $f(x)$. If one decides that they want to hide the value of $x$, then one usually calls this a zero knowledge proof. Embedded curves

Introduction Considering the case of when $(\frac{a}{p})=(\frac{d}{p})=-1$ and $p \equiv \text{1 mod 4}$. This document derives the halving formula and its necessary conditions. This is derived from Bessalov's work. Some of his work has been translated to English, however it is unfortunately behind a paywall, so we link his monograph. What does it mean to halve a point? For a twisted Edwards curve, the formula for doubling a point $(x, y)$ is: $$2(x,y) = (\frac{2xy}{1+dx^2y^2},\frac{y^2-ax^2}{1-dx^2y^2}) = (X, Y) \text{ (0)}$$

Introduction Cryptography Dividing In Lagrange basis when one of the points is zero - Generalised IPA Multipoint Ethereum specific Verkle Tree EIP