ZK-Snarks Trilogy

This is a rough list summarizing the key points discussed in the podcast episode titled "[SNARKs: A Trilogy with Ariel Gabizon](https://www.youtube.com/watch?v=ScqVUC4BhSo)" on the Zero Knowledge Podcast. In this episode, [Ariel Gabizon](https://twitter.com/rel_zeta_tech) and Anna Rose engage in a comprehensive discussion on the history of SNARKs: ## Chapter 1 Bilinear Pairings Jens groth 2010 - when pairing based snarks started - PCBs - Really cool things pairings - Crypto assumptions - this is hard no easy way to demonstrate - Knowledge assumptions- you can do this but only in this way - GGPR - QAP - R1CS - Groth 16 ## Chapter 2: Polynomial commitment gets back - Commitment when combined with pairinings are really powerful - Universal trusted setup - Custom gates - any circuit is basically + or - but the RICS is clunky - RICS is all about constants - Sonic was pivotal- single trusted setup - Large trusted setup - Relatively complicated - Plonkish arithmetisation - Snarktember - Part 1 ends after plonk - Arithmetisation in plonk is simpler than sonic - Its not original, its the selector based polynomial - In turbo plonk we get the custom gates - Now 2.2, subject of aggregation - Classic snark circuit is prover fast, verifier fast and proof small - Now we have a lot of proofs - So circuit is a verifier circuit - 10000 proofs for one circuit - Rollup also comes up - Recursion is the most straightforward - Halo: End goal is to verify 10000 proof but it involves 10000 times running verification circuit . Can we combine all this? - First generation of Plookup table - If table is 2^14 then circuit is same - Size of the table size is dependent on prover time ## Chapter 3: Return of pairings - Pairing in chapter 2 were only restricted for proving commitments - This chapter is mainly like coming on a middle groud for using pairings. Like pairing in groth removed the universal setup so that should not be the case. There are things apart from proving step that pairings can be leveraged for. - Caulk is introduced - Lookups are great - Table has size T then circuit grows by T - What we put in the circuit is the randomized combination of value in lookup table and the witness with the randomness put in by the verifier. - Caulk is start - table size is not dependent on prover time - Then we have Caulk+, flookup, CQ - CQ- allows you to use very large tables - CQ - is a lookup protocol and can be easily integrated with plonk or any other proving system - How does CQ able to use large lookup tables **Ans.** We use pairings. Three types of commeitment schemes. FRI is the least homomorphic - FRI(f) FRI(g) cannot get FRI(f+g), KZG(f) KZG(g) can get KZG(f+g) additive homo - Homomorphic means you can do operations in two diff orders and it will not change results - f+g => commit(f+g) = commit(f) + commit(g) in KZG and bulletproof - This is additive homomorphic - Used in chaulk and NOVA - KZG has special property “partial multiplicative property” - commit(f1) commit(f2) commit(g1) commit(g2) - In KZG we dont have commit(f1) * commit(f2) = commit(f1 *f2) but we can check that if - commit(f1) * commit(f2) = commit(g1) * commit(g2) - Its partial because we can check that $f1 * f2 = g1 * g2$ but we cannot compute $commit(f1*f2)$ - How does that relate to lookup table - This is extremely powerful in Snarks. When we want to prove $Q(x)*h(x) = p(x)$ then in chaulk in lookup tables we have huge tables for checking but using ***KZG*** we can check commit(q) as its easy to compute - Does FRI uses lookup arguments- yes at polygon hermezz - Lookup and aggregation is separate - Nova style needs addititive homomorphic - Snark non friendly function are improved by CQ - Nova was popping up - For standard plonk in folding 20% cost goes away - We always need to commit the witness polynomial and compute and commit to error terms in folding. The main thing we are saving is the computation and committment to quoatient polynomial. We are avoiding the FFTs so it saves about 50%. - In hyperplonk, we use sum-checks and that also removes ffts use. Also it supports high degree gates. R1CS uses 2 gates. - Sometimes we want to use high degree gates - Commiting to error terms is same as committing to quotient polynomial so nova just provides removal of ffts. But hyperplonk does both fft removal and providing high degree gates.