ZKP学习笔记

Lecture 5: The Plonk SNARK (Dan Boneh)

overview
Polynomial equality testing with KZG
- KZG: determined commitment (if the function is equal, then the commitment is equal too)
  - If the $com_f = com_g$, the verifier can tell if $f=g$ on its own???
  - but
    - The verifier does not have the commitment of $g_1g_2g_3$
Important proof gadgets for univariates
- The size k is much smaller than d
The vanishing polynomial
- Outside the $\Omega$, the polynomial could evaluate an arbitrary value
- Verifiers can evaluate the vanishing polynomial very fast.
ZeroTest
- F is zero on $\Omega$: All the elements of $\Omega$ are the root of the polynomial.
- Verifier time: O(log k) and two poly queries (but can be done in one batch)
- Prover time: dominated by the time to compute q(X) and then commit to q(X)
Product check
- Polynomial t: auxiliary polynomial
  - Use the ZeroTest
  - Proof size: two commits, five evals (can be batched).
  - Verifier time: O(logk)
  - Prover time:O(klogk)
- For rational functions
Permutation check
- $\hat{f}$ and $\hat{g}$ is identical
Embellished permutation check
- The two vectors are permutations to each other
- They also satisfy a prediscribed pumutation
Summary of proof gadgets

- Proving (3): the wiring is correct

- The W is independent of the inputs
- Prescribed pumutation check