🐬Recipe: ETA Academy ZKmeme
💓Ingredients: Each ZK terms is explained in a short, easy-to-understand article, 75 ZK terms covered, with 25 articles already written. How many left to code💓
🥰Tips: More terms and articles will be added. Dive in with us 🚀
ETA Academy is a research community dedicated to zero-knowledge proofs (zk). Fueled by a daily Twitter check-in summarizing one zk learning point, the ETAcademy-ZK-Meme series was born. With the initial 50 entries, we aim for this meme collection to become everyone's go-to pocket guide for understanding zk quickly. Join the movement and help us make zk accessible! [twitter](https://twitter.com/pwhattie/status/1744001346314134003)
Here are some ways to participate in the ETAAcademy-ZK-Meme series:
- Create your own memes and share them on Twitter with the hashtag #ETAcademyZKMeme.
- Translate the memes into other languages.
- Use the memes to teach others about zk.
By participating in the series, you can help to make zk more accessible to everyone.
Authors: Evta, looking forward to your joining
Account Abstract: EIP4337 contracts with EOAs: UserOperation(Calls)→Bundler(Miner, Relayer)→EntryPoint→Wallet(Validate, Paymaster, execute) EIP3074 EOAs with contracts:AUTH&AUTHCALL for(v, r, s), commit & call EIP2938:rlp([nonce, target, data]), PAYGAS, NONCE.
Arithmetic circuits, using ➕ and ✖️ gates, asserts inputs instance(x) and witness(w) from a finite field F, C(x, w) = y. R1CS constraint system, a circuit-based interactive proof, states multiplication or gates for left input ⊗ right input = output, L × C ⊗ R×C = O ×C.🦕
Bilinear pairing e:G1×G2→Gt for mult
if elliptic curves
Block ciphers merge the plaintext and ciphertext spaces into a block space. They serve not only for encryption but also as fundamental components in constructing various cryptographic tools like stream ciphers, hash functions, message authentication codes (MACs), and others.
CBC mode utilizes a PRP to achieve CPA security by XORing each plaintext block with the previous ciphertext block before encryption, employing an initialization vector (IV) to ensure security, and allowing parallel decryption.
Chinese Remainder states that coprime integers
CPA security, akin to semantic security, addresses chosen plaintext attacks, but in CPA, attackers can query the challenger many times, where each query involves encrypting either m_0 or m_1, maintaining equal-length plaintexts but allowing variation across queries.
CTR employs a pseudo-random function, achieves CPA security by XOR the key stream generated from an IV with plaintext during encryption and decryption.
Cyclic Group or Monogenous Group is a group generated by a single element🐬,
Direct Product, 🍬×🍤 <=> 🍱, is an operation that takes two groups G 🍬 and H 🍤and constructs a new group 🍱, usually denoted G × H, in turn, which looks like a group 🍱 has many 🍬sub.groups 🍤.
Elliptic Curve :
Elliptic curve addition: For
Fflonk & Dan: Fflonk changes single-point polynomials into a polynomial multi-point calculation, where k= 1, Dan verifies pairings on polynomials, not points, by three double-point operations.
Fiat-Shamir: Non-interactive Fiat, compared to interactive zk proof, hash c to for randomization, i.e. A:
Fields(F) extend the concepts of Groups (add, sub) and Rings (add, sub, mult) by introducing division,i.e., non-zero element has a mult inverse
Finite Fields & Point Compress (PC): 1) Elliptic curves
F/K, like F and F[x], means F is the field extension of K, if K is a subfield of F, with f(x) whose coefficients from K, if a ∈ F. All such f(x) forms an ideal J generated by the minimal polynomial f(x), or the monic, irreducible g(x) with its root "a".
Finite Field
The finite field GF(p), or
Goldwasser-Micali(GM): Legendre
Groth16: upgrades Pinocchio, also verifies bilinearpairing e( [A]1 , [B]2 ) = e(α
Halo2 like UltralPlonk, creates final-poly by Plookup, vanishing, multipoint opening argument, p(X) = q'(X) + [x_4]
Halo2 Fibonacci API utilizes a constraint system with columns for advice, instance, fixed, and selector. It's optimized by regions to implement the Fibonacci trait through configuration, chip, and circuit, e.g. f(n) = f(n-1) + f(n-2).
Homo and Iso: Similar to group homomorphisms (addition) but with multiplication, ring homomorphisms has a kernel, the inverse image of 0. The Isomorphism asserts that two rings share identical structures with different element names, e.g. the quotient ring R/Ker(f) ≅ Im(f).
Ideals (I) and Quotient Rings (R/I) are like normal subgroups with Absorption Law and quotient groups. 🐣(I) include {0}, R itself, and principal ideals (a) = {ab | b ∈ R}, while 🐥R/I has add (a+I)+(b+I)=a+b+I, mult (a+I)(b+I)=ab+I, with a congruence relation a≡b(mod I).
Infinite & Singular: 1. Elliptic curve is an affine equation,
IPAs, using elliptic curve add and mult to verify and not to reveal the polynomial
Modified IPAs have generators on elliptic curves by hashing system parameters(SP) ,
Isogeny, a group surjective homomorphism of elliptic curves, Φ: E(K) → E'(K), maps the infinite point of E(K) to that of E'(K), Φ(O) = O'. Endomorphism is an isogeny of an elliptic curve to itself, while automorphism is isogeny, endomorphism and isomorphism.
KZG obtains f(x):
Merkle commitment: By computing the Merkle root' := Merkle(c, path(c)) based on the node and its verification path (c, path(c)), where root' = root, it ensures that c exists in the Merkle tree.
Modular blockchains organize tasks into separate layers or modules, like consensus, execution, data availability, and settlement, offering enhanced flexibility and scalability compared to monolithic blockchains.
Pinocchio: 1) create elliptic curve generator for all operand to simplify constraints,
PLONK: It creates polynomials by Gate & Linear Constraints(➕, ✖️, &), not R1CS,
Plookup coordinate accumulators prove polynomial ⊂ and/or table for gate constraints; i.e., given
PRF resembles a block cipher PRP, where distinguishing between randomly chosen and key-based functions is central, with PRP serving as a pseudo-random permutation akin to PRF's deterministic function aiming for randomness with a randomly generated key.
Primitive f(x) over F_q is the minimal polynomial of a primitive element in the field
Primitive Root & Discrete Logarithm: An integer g 🐳 is a primitive root (mod n) that generates every element for a group
Polynomial P(x) =
Polynomial Constraints, to increase randomness and prevent proving forgery, use v, α,β, γ to constrain p(x)=L(x) ⋅ R(x) - O(x) in terms of value (0, 1), transforming e.g. O ⋅R = L, consistency
Polynomial ring R[x] has a and x from its base ring R, i.e., if R is a commutative or integral ring, the R[x] inherits these properties. But a field F[x] is different, e.g.
Pseudo-random sequences come in various forms, but in cryptography, a pseudo-random sequence is one that cannot be distinguished from a genuinely random sequence, Adv := | Pr[W_0] - Pr[W_1]|.
QAP, the polynomial form of R1CS, relies on li (x) and ci, public instance and private witness to produces:
Quadratic Residues:
Euler's Criterion asserts that for an odd prime p and gcd(a, p) = 1, it holds that
Ring simply seen as a group has two binary operations, ➕ and ✖️, e.g. the rings of integers Z and integers modulo n Zn are also groups. Now for a ring's interesting feature: based on Distributive Law, (-🍬)🐶 = -(🍬🐶) = 🍬(-🐶) = -(-🍬)(-🐶), if 🍬, 🐶 ∈ R 🪐.
SHA256 table generates 256-bit random zk proof by 8+64 constants, padding Delta+1+k+64 mod 512 = 0, expansion & compression
SHA256 constraints have expansion of
Simple extension K(a) is the smallest extension field of subfield K and “a”, the homomorphic image to be an isomorphism with the quotient ring ofits irreducible polynomial g(x),
Splitting field L,as simple extensions added by elements, is the minimal extension of field K and the roots of polynomial factors
Stream Ciphers use a PRG to generate a longer key from a shorter one. This extended key is then XORed with the plaintext to produce ciphertext, or with ciphertext to retrieve the original plaintext,
Trace (Tr) and Norm (N) are ➕ and ✖️ mappings from extension field to its base,a ∈ F =
Tweedledum & Amortization take parallel computation on polynomial commitments and value, add random and secret a for Sigma zk proof, C':=A' +z'U+r'H = U+r'H =
UltraPlonk: PK of Plonk KZG (or Dan + Fflonk) PK, Plookup table T*{1,i}, T*{2,i},T*{3,i},i=1,..,n, circuit to create quotient polynomial, verify bilinear pairing by VK on ETH, e(Wη(x)1 + u· W{ωη}(x) · 1, χ2) = e(η· W * η(x)1+uηω·W{ωη}x1 + F1-E1,l2).
ZK-EVMs scale ETH by improving verification or EVM compatibility from ETH-equiv(PSE, Taiko), EVM-equiv(Scroll, Polygon), Almost EVM-equiv(Gas adjust), to language-equiv(Starkware, zkSync), e.g. Geth→Trace→Roller(zkEVM Aggr. circuit →Aggr. proof) → L1 contract.
zk Homomorphism in projective coordinates: For Φ: E(K) → E'(K), E(k) be
ZK Proof: For m = 0 <=> z = r, m = 1 <=> z = rx, validators verifie the quadratic residue directly by
zkStark: RS Codes improves 2^n Trace poly on AIR, not circuit PK & VK, immune to for loops. Unchanged order blowup root
zkStark AIR & ALI convert arithmetic & boundary constraints into divisibility over a finite field that AIR use quotient polynomials verify trace
zkStark Fibonacci: F(X,Y)=Z, like zkSnark's Sigma H=wG, trace T to satisfy transition and boundary constraints by quotient polynomials
zkStark FRI reduces a polynomial of degree d to two merged into one by random weights of Fait-Shamir for Merkle commitment, after log d steps, to create a constant