diff --git a/HACKATHON_WEEK.md b/HACKATHON_WEEK.md new file mode 100644 index 0000000..082a2a3 --- /dev/null +++ b/HACKATHON_WEEK.md @@ -0,0 +1,43 @@ +# The Hacker Principle + +Your code doesn't have to be pretty or have many functions, but should be presentable and runnable. + +# Project Ideas + +The following are some project ideas to get you started. + +## 1. Token Mixer + +Reference the following starter code and instructions: +- https://securitylab.github.io/cs251-fall21/ +- https://securitylab.github.io/cs251-fall21/hw/proj4.pdf +- https://securitylab.github.io/cs251-fall21/lectures/lecture13.pdf +- https://learn.0xparc.org/materials/circom/learning-group-1/breaking-down-tornado + +## 2. ZK Calculator + +Prove your calculation is correct, you may want to reference this: https://github.com/jtriley-eth/zk-calculator + +## 3. ZK Battleship + +Read the following, understand how it works, and make your own ZK battleship game: https://github.com/darkforest-eth/circuits + +## 4. Very Simple Rollup + +This is a good example, but yours can be even simpler: https://github.com/rollupnc/RollupNC + +Reference this PDF: https://securitylab.github.io/cs251-fall21/lectures/lecture17.pdf + +## 5. Solve Some ZK Puzzles + +Some these problems and present to us how you did it: https://zkhack.dev/puzzles/ + +## 6. *OR YOUR OWN PROJECT* +!!!!!! UNVEIL YOUR POWER ANON !!!!! + +# Helpful Toolkits to Use + +- https://github.com/privacy-scaling-explorations/zkp-app-boilerplate +- https://battlezips.gitbook.io/battlezips/development/circom-tester +- https://battlezips.gitbook.io/battlezips/development/hardhat-circom +- https://battlezips.gitbook.io/battlezips/development/shield` diff --git a/MODULE_1.md b/MODULE_1.md index 353b81e..58d75b4 100644 --- a/MODULE_1.md +++ b/MODULE_1.md 
@@ -6,6 +6,12 @@ In this module, our primary goal is to introduce you to key concepts of ZKPs, su Let’s get started! +## Tips to Learn Zero Knowledge + +One really useful mental model to learn zero knowledge is to blackbox the concepts so that you don't get intimidated by the complexity of the topic. This doesn't mean you ignore the details, but rather, you focus on understanding the high-level concepts first and then dive into the details later. + +When you study the topic for the first time, only read the required reading. Skip the optional reading unless you are really curious of the details. This will help you to understand the topic without getting overwhelmed by the details. + ## A Primer for Zero Knowledge Proofs Before we delve into the core content of the module, consider acquainting yourself with some high-level concepts of Zero-Knowledge Proofs. The following introductory articles will help you build a robust foundational understanding: @@ -162,4 +168,4 @@ modularCalculator('*', 10, 15, 12); // Should return: 6 Feel free to use `console.log` statements in your code to verify that your function is working as expected. For convenience, consider using https://repljs.com/ and pasting in the above code snippet to get started. ## Conclusion -By the end of this module, you will have gained an understanding of the fundamental concepts in Zero-Knowledge Proofs (ZKPs). These principles will guide you in your journey towards mastering the advanced topics that will be covered in the following modules. \ No newline at end of file +By the end of this module, you will have gained an understanding of the fundamental concepts in Zero-Knowledge Proofs (ZKPs). These principles will guide you in your journey towards mastering the advanced topics that will be covered in the following modules. diff --git a/MODULE_2.md b/MODULE_2.md index 454d70d..7516934 100644 --- a/MODULE_2.md +++ b/MODULE_2.md 
@@ -99,7 +99,14 @@ Cryptographic commitments are essential in cryptography and blockchain technolog It helps achieve secure and efficient verification of transactions in blockchain protocols. In such contexts, sensitive information, such as transaction details or user identities, is hidden while revealing others for the verifier to authenticate the transactions. -### Pedersen Commitments +You can break down the concept of commitment into two parts: commit and open (reveal). + +![commitment scheme](./assets/commitment.png) +[Source](https://zecrey.medium.com/commmitment-schemes-in-zecrey-e6c446e2da97) + +There is always a commit phase and a reveal phase, in other words you first encrypt a secret and then reveal it later. + +### Pedersen Commitments (Optional) Pedersen Commitments are a type of cryptographic primitive that allows you to commit to a certain value while keeping it hidden, with the ability to disclose the committed value later. They're often used to achieve privacy-preserving properties in cryptographic protocols. For more on Pedersen Commitments, review these materials: - [Pedersen Commitments](https://asecuritysite.com/encryption/ped) @@ -300,4 +307,4 @@ Congrats on reaching the end of this module! ## Conclusion -In summary, we've ventured through some very important cryptographic primitives, gaining insights into encryption, hash functions, Merkle trees, and more. These components underpin blockchain technologies and zero-knowledge proofs. Moving forward, our next module will navigate the fascinating field of elliptic curve cryptography. \ No newline at end of file +In summary, we've ventured through some very important cryptographic primitives, gaining insights into encryption, hash functions, Merkle trees, and more. These components underpin blockchain technologies and zero-knowledge proofs. Moving forward, our next module will navigate the fascinating field of elliptic curve cryptography. 
diff --git a/MODULE_3.md b/MODULE_3.md index 5ec0705..4fa92e8 100644 --- a/MODULE_3.md +++ b/MODULE_3.md @@ -17,7 +17,7 @@ The following StackExchange answer goes over the differences between some of the - [What is the difference between the RSA, DSA, and ECDSA keys that ssh uses?](https://askubuntu.com/a/1000928/733503) -## Schnorr Signatures and EdDSA +## Schnorr Signatures and EdDSA (Optional) EdDSA modifies and extends the Schnorr signature scheme to provide additional benefits. So it is crucial to first get an understanding of Schnorr signatures. 
@@ -58,9 +58,17 @@ For more on EdDSA, check out the following links: ## Pairing-Based Cryptography (PBC) -Many of the following topics will depend upon what is called pairing-based cryptography. These two articles set the stage and foundation: +Many of the following topics will depend upon what is called pairing-based cryptography. +You can imagine pairing as the multiplication of elliptic curves. The original elliptic curve operation is homomorphically additive but not homomorphically multiplicative. Pairing is a way to mimic this "multiplication". + +This is largely used in zk, especially during the verification stage. + +![Pairing](./assets/elliptic-curve-pairings.jpeg) +[Source](https://www.inevitableeth.com/home/concepts/elliptic-curve-pairings) -- **[Exploring Elliptic Curve Pairings by Vitalik Buterin](https://medium.com/@VitalikButerin/exploring-elliptic-curve-pairings-c73c1864e627)** - This resource builds upon the knowledge you learned above regarding elliptic curves and sets the stage for the topics discussed below. It is an excellent introduction to the topic. +If you would like to know more about it, you can check out the following resources: + +- **[Exploring Elliptic Curve Pairings by Vitalik Buterin (optional)](https://medium.com/@VitalikButerin/exploring-elliptic-curve-pairings-c73c1864e627)** - This resource builds upon the knowledge you learned above regarding elliptic curves and sets the stage for the topics discussed below. It is an excellent introduction to the topic. - **[Pairings or Bilinear Maps by Alin Tomescu](https://alinush.github.io/2022/12/31/pairings-or-bilinear-maps.html)** - This resource begins with an introduction to the three fundamental properties of bilinear maps. Building on this foundation, it further explores applications such as the Tripartite Diffie-Hellman protocol, BLS signatures, and Identity-Based Encryption (IBE). Make sure you read these two articles in full before proceeding. 
@@ -78,6 +86,11 @@ For those who desire a deeper dive into bilinear maps and pairings, check out th BLS (Boneh-Lynn-Shacham) signatures are a type of cryptographic signature scheme that allows for efficient aggregation of individual signatures into a single signature. It also makes use of pairing-based cryptography. +The intuition of BLS is that it is an aggregation signature. The image below shows how the public key and signature are aggregated. The advantage is that all signatures can be verified at once. That's why it is commonly used in consensus protocols. +![BLS](./assets/bls-signatures.jpeg) + +### Optional Reading + The following articles offer a great introduction to BLS signatures and why they are important for the scaling of Ethereum (more specifically, the Beacon Chain): - [Upgrading Ethereum (chapter on BLS Signatures) by Ben Edgington](https://eth2book.info/capella/part2/building_blocks/signatures/) 
@@ -89,7 +102,15 @@ The following articles offer a great introduction to BLS signatures and why they ## KZG Polynomial Commitments -Polynomial Commitments are cryptographic tools that allow the hiding of some coefficients while revealing others. They're used in various cryptographic proofs and blockchain protocols. For a better understanding of Polynomial Commitments, consider these resources: +Polynomial Commitments are cryptographic tools that allow the hiding of some coefficients while revealing others. They're used in various cryptographic proofs and blockchain protocols. For a better understanding of Polynomial Commitments +The intuition of KZG is that it is a commitment scheme. It is used to commit to a polynomial and later reveal a certain point on that polynomial. All your input data "lock" a specific polynomial. + +![KZG](./assets/polynomial-commitments-1.jpeg) + +Read this article: +- [KZG commitment by Inevitable Ethereum](https://www.inevitableeth.com/home/concepts/kzg-commitment) + +### Optional Reading - [Polynomials](https://vitalik.eth.limo/general/2021/01/26/snarks.html#polynomials) section of Vitalik's article on zk-SNARKs. - [KZG in Practice: Polynomial Commitment Schemes and Their Usage in Scaling Ethereum](https://scroll.io/blog/kzg) 
@@ -106,6 +127,10 @@ Scroll's zk-rollup implementation makes use of this commitment scheme to commit The concept of a trusted setup is an important part of the KZG Polynomial commitment scheme, and indeed part of the wider culture of Ethereum. Here are a few resources to learn more about trusted setups. +The intuition of a trusted setup is that it is a process to generate a bunch of points on the elliptic curve, and the prover will input these points to the polynomial commitment. Therefore the output is a point on the curve as well. Specifically, the generation of these points require many people join and discard the secret value (which they used to create the point). It should not be possible to generate the points without this. That's why it is called a trusted setup. + +### Optional Reading + - [How do trusted setups work? by Vitalik Buterin](https://vitalik.eth.limo/general/2022/03/14/trustedsetup.html) - [On-Chain Trusted Setup Ceremony by a16zcrypto](https://a16zcrypto.com/posts/article/on-chain-trusted-setup-ceremony/) - [The KZG Ceremony - or How I Learnt to Stop Worrying and Love Trusted Setups by Carl Beekhuizen [27:27]](https://www.youtube.com/watch?v=dTBy661ubgg) diff --git a/MODULE_4.md b/MODULE_4.md index 27b107c..7ff1ce5 100644 --- a/MODULE_4.md +++ b/MODULE_4.md 
@@ -4,27 +4,13 @@ In this module, we will "look under the hood" of zkSNARKs and acquire an underst Then we will go through the process of converting a computation into a zkSNARK, starting from arithmetic circuits, to R1CS and QAP. Finally, we will explore some common proof systems like Groth16 and Plonk. -## 1. Homomorphic Hiding and Blind Evaluation - -Let's start by looking into the concepts of homomorphic hiding and blind evaluation. Although not directly related to zkSNARKs, it is one of the main ingredients or concepts that make zkSNARKs possible. - -This blog series from Electric Coin is a good start: - -- [Explaining SNARKs Part I: Homomorphic Hidings by Electric Coin Co.](https://electriccoin.co/blog/snark-explain/) -- [Explaining SNARKs Part II: Blind Evaluation of Polynomials](https://electriccoin.co/blog/snark-explain2/) - -ASecuritySite.com also has some helpful interactive examples that go along with these two blog posts: - -- [zkSNARK (Homomorphic Hiding)](https://asecuritysite.com/zero/zksnark01) -- [zkSNARK (Blind Evaluation Problem)](https://asecuritysite.com/zero/zksnark02) - -## 2. From Computation to QAP +## 1. From Computation to QAP Now that you have a general idea of the topics above, let's turn to the "pipeline" of a zkSNARK construction. The goal of our construction is to be able to create a proof that a particular computation was properly executed. In order to do that, we must first transform it into a special form. -### 2.1 Arithmetic Circuits +### 1.1 Arithmetic Circuits First, we need to convert our problem into something called an [arithmetic circuit](https://en.wikipedia.org/wiki/Arithmetic_circuit_complexity). This allows us to take an equation and "flatten" it into a series of simpler equations. Read the following: 
@@ -34,7 +20,7 @@ First, we need to convert our problem into something called an [arithmetic circu - [**From Theory to Practice**](https://www.zeroknowledgeblog.com/index.php/the-pinocchio-protocol/from-theory-to-practice) - [**One line, one operation**](https://www.zeroknowledgeblog.com/index.php/the-pinocchio-protocol/one-line-one-operation) -### 2.2 Rank-1 Constraint System (R1CS) +### 1.2 Rank-1 Constraint System (R1CS) Once we have this arithmetic circuit in the form as explained above, we can proceed to convert it into a representation of matrices and vertices known as the Rank-1 Constraint System (R1CS). @@ -43,7 +29,7 @@ To understand how it works, read the following resources: - [**R1CS: A Day in the Life of a few Equations**](https://learn.0xparc.org/materials/circom/additional-learning-resources/r1cs%20explainer/) - This 0xParc article was mentioned above, ensure you read this in full as it is a very friendly introduction to R1CS. - [**R1CS by Maurizio Binello**](https://www.zeroknowledgeblog.com/index.php/the-pinocchio-protocol/r1cs) - This is a continuation of Maurizio Binello's series of blog posts mentioned above. You might want to revisit the other pages in this series. -### 2.3 Quadratic Arithmetic Program (QAP) +### 1.3 Quadratic Arithmetic Program (QAP) R1CS helped to reduce our computation into a set of matrices and vertices. But now, we need to convert it into a format called QAP. 
@@ -53,35 +39,24 @@ For understanding this, we turn to the following resources: - [**QAP by Maurizio Binello**](https://www.zeroknowledgeblog.com/index.php/the-pinocchio-protocol/qap) - A continuation of Maurizio Binello's blog series. - [**Quadratic Arithmetic Programs: from Zero to Hero**](https://medium.com/@VitalikButerin/quadratic-arithmetic-programs-from-zero-to-hero-f6d558cea649) - Vitalik Buterin's article on getting to a QAP representation. Feel free to start from the "R1CS to QAP" section. -## 3. The Pinocchio Protocol - -The Pinocchio Protocol was first described in a paper in 2013, [**Pinocchio: Nearly Practical Verifiable Computation**](https://eprint.iacr.org/2013/279). As the name suggests, it was a big step towards the practical construction of zkSNARKs that we know today. It builds upon the QAP representations we described above and it is also here where elliptic curve pairings become relevant again. - -Admittedly, the details from here get even more technical than before. So it is important to start with a focused article before moving onwards. - -Therefore, read Vitalik's article, [**zk-SNARKs: Under the Hood**](https://medium.com/@VitalikButerin/zk-snarks-under-the-hood-b33151a013f6). This article was designed to follow his two other blog posts (on [QAP](https://medium.com/@VitalikButerin/quadratic-arithmetic-programs-from-zero-to-hero-f6d558cea649) and [Pairings](https://medium.com/@VitalikButerin/exploring-elliptic-curve-pairings-c73c1864e627)), so feel free to revisit those articles if you need to. - -Once you have done this, check out Maurizio Binello's page on the [**history of the Pinocchio paper**](https://www.zeroknowledgeblog.com/index.php/the-pinocchio-protocol). You can then jump back into the series by reading the page on [Hiding](https://www.zeroknowledgeblog.com/index.php/the-pinocchio-protocol/hiding) (which follows after the page on QAP) and continue by clicking "Next" at the bottom of each page. 
- -Finally, Part VI of the Electric Coin series provides a brief sketch of the protocol. While Part VII ties it all up with elliptic curve pairing concepts. Both of these are worth a read: - -- [**Explaining SNARKs Part VI: The Pinocchio Protocol**](https://electriccoin.co/blog/snark-explain6/) -- [**Explaining SNARKs Part VII: Pairings of Elliptic Curves**](https://electriccoin.co/blog/snark-explain7/) - -## 4. Proof Systems +## 2. Proof Systems Two common proof systems you should know about are Groth16 and PLONK. They are significant improvements over the Pinocchio proving system. Here is a very brief [overview](https://docs.gnark.consensys.net/Concepts/schemes_curves) of the two and their tradeoffs. -### 4.1 Groth16 +### 2.1 Groth16 The efficiency of Groth16 is very hard to beat, and as such it has become a de-facto standard in many blockchain technologies that require an efficient proof system. However, the requirement of a circuit-specific trusted setup is a significant downside for some use-cases. +We may skip the details of Groth16 but just keep in mind that the advantage is its small proof size. The disadvantage is that it requires a circuit specific trusted setup. These days, we have much more advanced proof systems that improve upon these trade-offs. Nevertheless, Groth16 continues to be used in a lot of existing projects. + +#### Optional Reading + Here are a couple articles to understand how Groth16 works: - [Groth16 by Remco Bloemen](https://xn--2-umb.com/22/groth16/) - A very light article that covers the full life cycle of the Groth16 proving system. - [Groth16 by Maurizio Binello](http://www.zeroknowledgeblog.com/index.php/groth16) - A continuation of the blog series above that you should be well acquainted with. -### 4.2 PLONK +### 2.2 PLONK PLONK has fast become one of the favourite proof systems because of its "universal and updateable" trusted setup, eliminating the need to have a new trusted setup for every circuit. 
@@ -92,7 +67,7 @@ Here are a couple resources to understand how PLONK works: - [How PLONK Works: Part 1 by CoinGeek](https://coingeek.com/how-plonk-works-part-1/) - [How PLONK Works: Part 2 by CoinGeek](https://coingeek.com/how-plonk-works-part-2/) -## 5. Additional Study +## 3. Additional Study In the above, we have drawn very heavily from blog posts written by Vitalik Buterin, Electric Coin, and Maurizio Binello. However, these are only some of the many pathways towards understanding zkSNARK construction. 
@@ -102,6 +77,35 @@ Since it is always helpful to take a look at the same problem from different ang - [**ZK Whiteboard Sessions**](https://zkhack.dev/whiteboard/) - There are three videos by Dan Boneh (he's the B in BLS Signatures) providing a very compelling introduction to zkSNARKs. I highly recommend at least watching ***What is a SNARK?*** and ***Building a SNARK (Part I)***. - [**The MoonMath Manual to zkSNARKs**](https://leastauthority.com/community-matters/moonmath-manual/) - This is a free online textbook PDF that explains many of the necessary concepts. It is an excellent reference guide whenever you need to dive into specific topics. +### 3.1 Homomorphic Hiding and Blind Evaluation + +Let's start by looking into the concepts of homomorphic hiding and blind evaluation. Although not directly related to zkSNARKs, it is one of the main ingredients or concepts that make zkSNARKs possible. + +This blog series from Electric Coin is a good start: + +- [Explaining SNARKs Part I: Homomorphic Hidings by Electric Coin Co.](https://electriccoin.co/blog/snark-explain/) +- [Explaining SNARKs Part II: Blind Evaluation of Polynomials](https://electriccoin.co/blog/snark-explain2/) + +ASecuritySite.com also has some helpful interactive examples that go along with these two blog posts: + +- [zkSNARK (Homomorphic Hiding)](https://asecuritysite.com/zero/zksnark01) +- [zkSNARK (Blind Evaluation Problem)](https://asecuritysite.com/zero/zksnark02) + +### 3.2 The Pinocchio Protocol + +The Pinocchio Protocol was first described in a paper in 2013, [**Pinocchio: Nearly Practical Verifiable Computation**](https://eprint.iacr.org/2013/279). As the name suggests, it was a big step towards the practical construction of zkSNARKs that we know today. It builds upon the QAP representations we described above and it is also here where elliptic curve pairings become relevant again. + +Admittedly, the details from here get even more technical than before. 
So it is important to start with a focused article before moving onwards. + +Therefore, read Vitalik's article, [**zk-SNARKs: Under the Hood**](https://medium.com/@VitalikButerin/zk-snarks-under-the-hood-b33151a013f6). This article was designed to follow his two other blog posts (on [QAP](https://medium.com/@VitalikButerin/quadratic-arithmetic-programs-from-zero-to-hero-f6d558cea649) and [Pairings](https://medium.com/@VitalikButerin/exploring-elliptic-curve-pairings-c73c1864e627)), so feel free to revisit those articles if you need to. + +Once you have done this, check out Maurizio Binello's page on the [**history of the Pinocchio paper**](https://www.zeroknowledgeblog.com/index.php/the-pinocchio-protocol). You can then jump back into the series by reading the page on [Hiding](https://www.zeroknowledgeblog.com/index.php/the-pinocchio-protocol/hiding) (which follows after the page on QAP) and continue by clicking "Next" at the bottom of each page. + +Finally, Part VI of the Electric Coin series provides a brief sketch of the protocol. While Part VII ties it all up with elliptic curve pairing concepts. Both of these are worth a read: + +- [**Explaining SNARKs Part VI: The Pinocchio Protocol**](https://electriccoin.co/blog/snark-explain6/) +- [**Explaining SNARKs Part VII: Pairings of Elliptic Curves**](https://electriccoin.co/blog/snark-explain7/) + # 💪 Exercises Answer the following questions (in as much detail as you like). diff --git a/MODULE_7.md b/MODULE_7.md index 5433ab1..104017b 100644 --- a/MODULE_7.md +++ b/MODULE_7.md 
@@ -34,6 +34,7 @@ To get you started, here are some of the resources we recommend you go through: 2. Read Axiom’s **[Getting Started with Halo2](https://docs.axiom.xyz/zero-knowledge-proofs/getting-started-with-halo2)**. 3. Read Axiom’s **[Halo2 Cheatsheet](https://hackmd.io/@axiom/HyoXzD7Zh)**. 4. Work through 0xParc’s **[Halo2 lecture series](https://learn.0xparc.org/materials/halo2/learning-group-1/introduction)**. +5. (Optional) [An encyclopedia of halo2](https://halo2.club/) **Reference Material** diff --git a/assets/bls-signatures.jpeg b/assets/bls-signatures.jpeg new file mode 100644 index 0000000..435a68b Binary files /dev/null and b/assets/bls-signatures.jpeg differ diff --git a/assets/commitment.png b/assets/commitment.png new file mode 100644 index 0000000..04ae0b4 Binary files /dev/null and b/assets/commitment.png differ diff --git a/assets/elliptic-curve-pairings.jpeg b/assets/elliptic-curve-pairings.jpeg new file mode 100644 index 0000000..a3acccd Binary files /dev/null and b/assets/elliptic-curve-pairings.jpeg differ diff --git a/assets/polynomial-commitments-1.jpeg b/assets/polynomial-commitments-1.jpeg new file mode 100644 index 0000000..640337c Binary files /dev/null and b/assets/polynomial-commitments-1.jpeg differ
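Review bot: In the new HACKATHON_WEEK.md, the last toolkit link (`.../development/shield`) ends with a stray backtick that will be rendered as part of the URL; remove it. In section 5, "Some these problems and present to us how you did it" is missing its verb and should read "Solve some of these problems and present to us how you did it". In section 2, "Prove your calculation is correct, you may want to reference this" is a comma splice and reads better as two sentences.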
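Review bot: In the MODULE_1.md "Tips to Learn Zero Knowledge" hunk, the advice "only read the required reading. Skip the optional reading" depends on a labelling the patch applies only one way: later hunks tag sections "(Optional)" or add "Optional Reading" headings, but nothing is ever tagged "required". Add a sentence here saying that anything not marked optional is required, so the tip is actionable. Also, "curious of the details" should be "curious about the details".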
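Review bot: In the MODULE_2.md commitment hunk, "in other words you first encrypt a secret and then reveal it later" describes a commitment as encryption, which will mislead readers who have just studied encryption earlier in the module: a commitment has no decryption key, and its point is that the committer is bound to the value as well as hiding it. Suggest "you first commit to a secret, which hides it and binds you to it, and then open (reveal) it later", matching the "commit and open (reveal)" wording two lines above.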
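Review bot: In the MODULE_3.md hunk that renames the heading to "Schnorr Signatures and EdDSA (Optional)", the unchanged sentence directly below still says "it is crucial to first get an understanding of Schnorr signatures", which contradicts the new label. Either soften that sentence or say what it is crucial for (understanding EdDSA, if the reader chooses to study it). Renaming the heading also changes its generated anchor, so check for links to the old section anchor; the same applies to "Pedersen Commitments (Optional)" in MODULE_2.md.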
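Review bot: In the MODULE_3.md "Pairing-Based Cryptography (PBC)" hunk, the Vitalik Buterin link is now marked "(optional)" but the unchanged closing line still says "Make sure you read these two articles in full before proceeding", so the section gives conflicting instructions; update that line to name only the required article. Separately, "the multiplication of elliptic curves" should be "the multiplication of elliptic curve points", and "This is largely used in zk" would be clearer as "Pairings are widely used in ZK proof systems".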
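Review bot: In the MODULE_3.md BLS hunk, the added image `./assets/bls-signatures.jpeg` has no "[Source](...)" line, unlike the commitment and pairing images added elsewhere in this patch; add the attribution for consistency (the same is missing for `polynomial-commitments-1.jpeg` in the KZG hunk). The image line also follows the paragraph without a blank line, so it will render inline with the text. "It is an aggregation signature" should be "it is an aggregate signature scheme".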
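Review bot: In the MODULE_3.md "KZG Polynomial Commitments" hunk, the rewritten first paragraph now ends in a fragment: "For a better understanding of Polynomial Commitments" lost its ", consider these resources:" ending and runs straight into "The intuition of KZG is that...". Either delete the fragment or finish the sentence, and put a blank line before the intuition paragraph. "All your input data "lock" a specific polynomial" would also benefit from one more sentence saying what "lock" means here, since it is the only explanation given before the required article.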
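Review bot: In the MODULE_3.md trusted setup hunk, the unchanged lead-in "Here are a few resources to learn more about trusted setups." is now separated from its list by the new intuition paragraph and the "### Optional Reading" heading; move it under the heading or drop it. In the added paragraph, "require many people join and discard the secret value" should be "requires many people to join and each discard their secret value", and "It should not be possible to generate the points without this" has no clear referent for "this". State the trust assumption directly (what participants are trusted to do with their secret) so that "That's why it is called a trusted setup" follows from the text.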
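Review bot: In the first MODULE_4.md hunk, removing "Homomorphic Hiding and Blind Evaluation" leaves the new section 1 opening with "Now that you have a general idea of the topics above", which no longer refers to anything in this module. Reword the opener, for example "Let's turn to the "pipeline" of a zkSNARK construction", or point back to MODULE_3 explicitly. The renumbered headings (1, 1.1, 1.2, 1.3) also change their anchors, so check for links to the old section numbers.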
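Review bot: In the MODULE_4.md hunk that removes "3. The Pinocchio Protocol" and renumbers "Proof Systems" to section 2, the unchanged sentence "They are significant improvements over the Pinocchio proving system" now refers to a protocol the reader has not met yet, since Pinocchio moves to 3.2; add a forward link or a one-line description. In the Groth16 addition, "We may skip the details of Groth16..." restates the circuit-specific trusted setup downside already given in the paragraph just above it, so keep only the new information (small proof size), and hyphenate "circuit-specific" to match that paragraph. Groth16 gets an "#### Optional Reading" split while PLONK does not; make the two subsections consistent.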
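Review bot: In the last MODULE_4.md hunk, the text moved into "3.1 Homomorphic Hiding and Blind Evaluation" still begins "Let's start by looking into", which reads oddly at the end of the module under "Additional Study"; rephrase it as background material, for example "For background, look into the concepts of...". Likewise, in 3.2, "Admittedly, the details from here get even more technical than before" assumed the old linear reading order and should be adjusted. Since both subsections are now supplementary, consider marking them "(Optional)" in the headings as done in MODULE_2.md and MODULE_3.md.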
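Review bot: In the MODULE_7.md hunk, the new list item "5. (Optional) [An encyclopedia of halo2](https://halo2.club/)" does not follow the pattern of items 2 to 4, which start with a verb, bold the link, and end with a period. Suggest "5. (Optional) Browse **[An encyclopedia of halo2](https://halo2.club/)**." Also note that the "optional" marker is placed three different ways across this patch (heading suffix, inside the link text in MODULE_3.md, and as a prefix here); pick one.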