Add paper-notes backup

.gitignore

@@ -6,3 +6,5 @@
 *.out
 *.synctex.gz
 *.toc
+*.bbl
+*.blg

paper-notes.bib

@@ -0,0 +1,25 @@
+@misc{cryptoeprint:2021/529,
+      author = {Nicolas Gailly and Mary Maller and Anca Nitulescu},
+      title = {SnarkPack: Practical SNARK Aggregation},
+      howpublished = {Cryptology ePrint Archive, Paper 2021/529},
+      year = {2021},
+      note = {\url{https://eprint.iacr.org/2021/529}},
+      url = {https://eprint.iacr.org/2021/529}
+}
+
+@misc{cryptoeprint:2019/099,
+      author = {Mary Maller and Sean Bowe and Markulf Kohlweiss and Sarah Meiklejohn},
+      title = {Sonic: Zero-Knowledge SNARKs from Linear-Size Universal and Updateable Structured Reference Strings},
+      howpublished = {Cryptology ePrint Archive, Paper 2019/099},
+      year = {2019},
+      note = {\url{https://eprint.iacr.org/2019/099}},
+      url = {https://eprint.iacr.org/2019/099}
+}
+
+@misc{kzg-tmp,
+      author = {A. Kate and G. M. Zaverucha and and I. Goldberg},
+      title = {Constant-size commitments to polynomials and their application},
+      year = {2010},
+      note = {\url{https://www.iacr.org/archive/asiacrypt2010/6477178/6477178.pdf}},
+      url = {https://www.iacr.org/archive/asiacrypt2010/6477178/6477178.pdf}
+}

paper-notes.tex

@@ -0,0 +1,200 @@
+\documentclass{article}
+\usepackage[utf8]{inputenc}
+\usepackage{amsfonts}
+\usepackage{amsthm}
+\usepackage{amsmath}
+\usepackage{enumerate}
+\usepackage{hyperref}
+\hypersetup{
+    colorlinks,
+    citecolor=black,
+    filecolor=black,
+    linkcolor=black,
+    urlcolor=blue
+}
+
+% prevent warnings of underfull \hbox:
+\usepackage{etoolbox}
+\apptocmd{\sloppy}{\hbadness 4000\relax}{}{}
+
+\theoremstyle{definition}
+\newtheorem{definition}{Def}[section]
+\newtheorem{theorem}[definition]{Thm}
+
+
+\title{Paper notes}
+\author{arnaucube}
+\date{}
+
+\begin{document}
+
+\maketitle
+
+\begin{abstract}
+	Notes taken while reading papers. Usually while reading papers I take handwritten notes, this document contains some of them re-written to $LaTeX$.
+
+	The notes are not complete, don't include all the steps neither all the proofs.
+\end{abstract}
+
+\tableofcontents
+
+\section{SnarkPack}
+Notes taken while reading SnarkPack paper \cite{cryptoeprint:2021/529}.
+
+Groth16 proof aggregation.
+
+\begin{enumerate}[i.]
+    \item Simple verification:\\
+	Proof: $\pi_i = (A_i, B_i, C_i)$\\
+	Verifier checks: $e(A_i, B_i) == e(C_i, D)$\\
+	Where $D$ is the $CRS$.
+    \item Batch verification:
+	$r \in^\$ F_q$\\
+	$r^i \cdot e(A_i, B_i) == e(C_i, D)$\\
+	$\Longrightarrow \prod e(A_i, B_i)^{r^i} == \prod e(C_i, D)^{r^i}$\\
+	$\Longrightarrow \prod e(A_i, B_i^{r^i}) == \prod e(C_i^{r^i}, D)$
+    \item Snark Aggregation verification:\\
+	$z_{AB} = \prod e(A_i, B_i^{r^i})$\\
+	$z_C = \prod C_i^{r^i}$\\
+	Verification: $z_{AB} == e(z_C, D)$
+\end{enumerate}
+
+\section{Sonic}
+Notes taken while reading Sonic paper \cite{cryptoeprint:2019/099}. Does not include all the steps, neither the proofs.
+
+\subsection{Structured Reference String}
+$\{ \{g^{x^i}\}_{i=-d}^d, \{ g^{\alpha x^i} \}_{i=-d, i \neq 0}^d, \{ h^{x^i}, h^{\alpha x^i} \}_{i=-d}^d, e(g, h^\alpha) \}$
+
+\subsection{System of constraints}
+Multiplication constraint: $a \cdot b = c$
+
+$Q$ linear constraints:
+$$
+a \cdot u_q + b \cdot v_q + c \cdot w_q = k_q
+$$
+
+with $u_q, v_q, w_q \in \mathbb{F}^n$, and $k_q \in \mathbb{F}_p$.
+
+\vspace{0.5cm}
+Example: $x^2 + y^2 = z$
+
+$$a = (x, y), \qquad b = (x, y), \qquad c = (x^2, y^2)$$
+\begin{enumerate}[i.]
+    \item $(x, y) \cdot (1, 0) + (x, y) \cdot (-1, 0) + (x^2, y^2) \cdot (0, 0) = 0 \longrightarrow x - x = 0$
+    \item $(x, y) \cdot (0, 1) + (x, y) \cdot (0, -1) + (x^2, y^2) \cdot (0, 0) = 0 \longrightarrow y - y = 0$
+    \item $(x, y) \cdot (0, 0) + (x, y) \cdot (0, 0) + (x^2, y^2) \cdot (1, 1) = z \longrightarrow x^2 + y^2 = z$
+\end{enumerate}
+
+So,
+$$u_1 = (1, 0) \quad v_1=(-1, 0) \quad w_1=(0, 0) \quad k_1=0$$
+$$u_2 = (0, 1) \quad v_2=(0, -1) \quad w_2=(0, 0) \quad k_2=0$$
+$$u_3 = (0, 0) \quad v_3=(0, 0) \quad w_3=(1, 1) \quad k_2=z$$
+
+\vspace{1cm}
+
+Compress n multiplication constraints into an equation in formal indeterminate $Y$:
+$$\sum_{i=1}^n (a_i b_i - c_i) \cdot Y^i = 0$$
+encode into negative exponents of $Y$:
+$$\sum_{i=1}^n (a_i b_i - c_i) \cdot Y^-i = 0$$
+
+Also, compress the $Q$ linear constraints, scaling by $Y^n$ to preserve linear independence:
+$$
+\sum_{q=1}^Q (a \cdot u_q + b \cdot v_q + c \cdot w_q - k_q) \cdot Y^{q+n} = 0
+$$
+
+Polys:
+
+\begin{align}
+\nonumber & u_i(Y) = \sum_{q=1}^Q Y^{q+n} \cdot u_{q, i}\\
+\nonumber & v_i(Y) = \sum_{q=1}^Q Y^{q+n} \cdot v_{q, i}\\
+\nonumber & w_i(Y) = -Y^i - Y^{-1} + \sum_{q=1}^Q Y^{q+n} \cdot w_{q, i}\\
+\nonumber & k(Y) = \sum_{q=1}^Q Y^{q+n} \cdot k_q
+\end{align}
+
+Combine the multiplicative and linear constraints to:
+
+\begin{align}
+\nonumber & a \cdot u(Y) + b \cdot v(Y) + c \cdot w(Y)
++ \sum_{i=1}^n a_i b_i (Y^i + Y^{-i}) - k(Y) = 0
+\end{align}
+
+where $a \cdot u(Y) + b \cdot v(Y) + c \cdot w(Y)$ is embeded into the constant term of the polynomial $t(X, Y)$.
+
+
+Define $r(X, Y)$ s.t. $r(X, Y) = r(XY, 1)$.
+
+$$\Longrightarrow r(X, Y) = \sum_{i=1}^n (a_i X^i Y^i + b_i X^{-i} Y^{-i} + c_i X^{-i-n} Y^{-i-n})$$
+
+$$s(X, Y) = \sum_{i=1}^n (u_i(Y) X^{-i} + v_i(Y) X^i + w_i(Y) X^{i+n})$$
+
+$$r'(X, Y) = r(X, Y) + s(X, Y)$$
+$$t(X, Y) = r(X, Y) + r'(X, Y) - k(Y)$$
+
+The coefficient of $X^0$ in $t(X, Y)$ is the left-hand side of the equation.
+
+Sonic demonstrates that the constant term of $t(X, Y)$ is zero, thus demonstrating that our constraint system is satisfied.
+
+
+\subsubsection{The basic Sonic protocol}
+
+\begin{enumerate}[1.]
+    \item Prover constructs $r(X, Y)$ using their hidden witness
+    \item Prover commits to $r(X, 1)$, setting the maximum degree to n
+    \item Verifier sends random challenge $y$
+    \item Prover commits to $t(X, y)$. The commitment scheme ensures that $t(X, y)$ has no constant term.
+    \item Verifier sends random challenge $z$
+    \item Prover opens commitments to $r(z, 1), r(z, y), t(z, y)$
+    \item Verifier calculates $r'(z, y)$, and checks that
+	$$r(z, y) \cdot r'(z, y) - k(y) == t(z, y)$$
+\end{enumerate}
+
+Steps $3$ and $5$ can be made non-interactive by the Fiat-Shamir transformation.
+
+\subsubsection{Polynomial Commitment Scheme}
+Sonic uses an adaptation of KZG \cite{kzg-tmp}, want:
+
+\begin{enumerate}[i.]
+    \item \emph{evaluation binding}, i.e. given a commitment $F$, an adversary cannot open F to two different evaluations $v_1$ and $v_2$
+    \item \emph{bounded polynomial extractable}, i.e. any algebraic adversary that opens a commitment $F$ knows an opening $f(X)$ with powers $-d \leq i \leq max, i \neq 0$.
+\end{enumerate}
+
+\vspace{0.5cm}
+PC scheme (adaptation of KZG):
+
+\begin{enumerate}[i.]
+    \item Commit(info, $f(X)$) $\longrightarrow F$:
+	$$F = g^{\alpha \cdot x^{d-max}} \cdot f(x)$$
+    \item Open(info, $F$, $z$, $f(x)$) $\longrightarrow (f(z), W)$:
+	$$w(X) = \frac{f(X) - f(z)}{X-z}$$
+	$$W = g^{w(x)}$$
+    \item Verify(info, $F$, $z$, $(v, W)$) $\longrightarrow 0/1$:\\
+	Check:
+	$$e(W, h^{\alpha \cdot x}) \cdot
+	e(g^v W^{-z}, h^{\alpha})
+	== e(F, h^{x^{-d+max}})$$
+\end{enumerate}
+
+\subsection{Succint signatures of correct computation}
+Signature of correct computation to ensure that an element $s=s(z, y)$ for a known polynomial
+$$s(X, Y) = \sum_{i, j = -d}^d s_{i, j} \cdot X^i \cdot Y^i$$
+
+Use the structure of $s(X, Y)$ to prove its correct calculation using a \emph{permutation argument} $\longrightarrow$ \emph{grand-product argument} inspired by Bayer and Groth, and Bootle et al.
+
+Restrict to constraint systems where $s(X, Y)$ can be expressed as the sum of $M$ polynomials. Where $j-th$ poly is of the form:
+$$
+\Psi_j(X, Y) =
+    \sum_{i=1}^n \psi_{j, \sigma_{j, i}}
+    \cdot X^i \cdot Y^{\sigma_{j, i}}
+$$
+
+where $\sigma_j$ is the fixed polynomial permutation, and $\phi_{j, i} \in \mathbb{F}$ are the coefficients.
+
+\vspace{1cm}
+\framebox{WIP}
+\vspace{1cm}
+
+
+\bibliography{paper-notes.bib}
+\bibliographystyle{unsrt}
+
+\end{document}

ring-signatures.sage

@@ -2,6 +2,8 @@ from hashlib import sha256
 
 # Ring Signatures
 # bLSAG: Back’s Linkable Spontaneous Anonymous Group signatures
+# A Rust implementation of this scheme can be found at:
+# https://github.com/arnaucube/ring-signatures-rs
 
 def hashToPoint(a):
     # TODO use a proper hash-to-point
@@ -54,12 +56,11 @@ class Prover(object):
         c = [None] * len(R)
         # c_{pi+1}
         pi1 = mod(pi + 1, len(R))
-        c[pi1] = hash(R, m, a * self.g, a * hashToPoint(R[pi]), self.q)
+        c[pi1] = hash(R, m, a * self.g, hashToPoint(R[pi]) * a, self.q)
 
         key_image = self.w * hashToPoint(self.K)
 
         # do c_{i+1} from i=pi+1 to pi-1:
-        #  for j in range(0, len(R)-1):
         for j in range(0, len(R)-1):
             i = mod(pi1+j, len(R))
             i1 = mod(pi1+j +1, len(R))

ring-signatures_test.sage

@@ -1,6 +1,9 @@
 import unittest, operator
 load("ring-signatures.sage")
 
+# A Rust implementation of this scheme can be found at:
+# https://github.com/arnaucube/ring-signatures-rs
+
 # ethereum elliptic curve
 p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
 a = 0
@@ -19,13 +22,13 @@ assert g * q == 0
 
 
 class TestRingSignatures(unittest.TestCase):
-        def test_blSAG_ring_of_5(self):
-                test_blSAG(5, 3)
-        def test_blSAG_ring_of_20(self):
-                test_blSAG(20, 14)
+        def test_bLSAG_ring_of_5(self):
+                test_bLSAG(5, 3)
+        def test_bLSAG_ring_of_20(self):
+                test_bLSAG(20, 14)
 
-def test_blSAG(ring_size, pi):
-        print(f"[blSAG] Testing with a ring of {ring_size} keys")
+def test_bLSAG(ring_size, pi):
+        print(f"[bLSAG] Testing with a ring of {ring_size} keys")
         prover = Prover(F, g)
         n = ring_size
         R = [None] * n