Prove you know a preimage of a hash function output
Prove your account has enough money for a transaction
Prove you are part of a group without revealing your identity
Prove who won, without revealing any of the bids
For some cryptographic schemes this also works for encrypted values
A pairing: a map that takes 2 group elements and gives an output that has a fixed algebraic relation to the inputs
Verifier generates circuit representation and shares
Prover evaluates the constraints for the function homomorphically and obtains the output and witness
Verifier checks the witness by applying a pairing to the homomorphic output
Prove you evaluated $$ m^2 + 36 - n $$
correctly with $$ m = 2, n = 3 $$
Convert \( m^2 + 36 - n \) so it only contains commands in the form
And with the help of some pretty instances
We can represent each one of our constraints as a set of 3 polynomials
We are going to construct a clever polynomial that only is 0 on correct inputs
Each constraint can be represented as a relation between vectors.
The witness is the assignment to all variables.
Execute the flattened commands and set the values as you go
Initial state ( with our inputs )
```haskell
-- One rank-1 constraint: three vectors v, w, y over the variable ordering,
-- satisfied by an assignment s when (s·v) * (s·w) - (s·y) == 0
data R1C = R1C [Rational] [Rational] [Rational]

satisfy :: [Rational] -> R1C -> Bool
satisfy s (R1C v w y) = (sv * sw) - sy == 0
  where
    sv = dot s v
    sw = dot s w
    sy = dot s y
    dot a b = sum (zipWith (*) a b)
```
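The flattening, witness generation and R1CS check above, worked end to end in Python for the \( m^2 + 36 - n \) example with \( m = 2, n = 3 \). This is an added example, not code from the original slides; the variable ordering `[one, m, n, sym1, out]`, the intermediate name `sym1` and the exact two-gate flattening are assumptions made here, since the slides do not list them.

```python
from fractions import Fraction
from typing import List, Tuple

# Assumed variable ordering shared by every constraint vector: [one, m, n, sym1, out]
VARS = ["one", "m", "n", "sym1", "out"]

# One rank-1 constraint (v, w, y): <s,v> * <s,w> - <s,y> == 0
R1C = Tuple[List[int], List[int], List[int]]

# Assumed flattening of m^2 + 36 - n into gates of the form a * b = c:
#   sym1 = m * m
#   out  = (sym1 + 36 - n) * 1
CONSTRAINTS: List[R1C] = [
    ([0, 1, 0, 0, 0], [0, 1, 0, 0, 0], [0, 0, 0, 1, 0]),   # m * m = sym1
    ([36, 0, -1, 1, 0], [1, 0, 0, 0, 0], [0, 0, 0, 0, 1]),  # (36 - n + sym1) * 1 = out
]


def dot(a: List, b: List) -> Fraction:
    return sum((Fraction(x) * Fraction(y) for x, y in zip(a, b)), Fraction(0))


def satisfy(s: List, constraint: R1C) -> bool:
    """Direct port of the Haskell satisfy: (s.v) * (s.w) - (s.y) == 0."""
    v, w, y = constraint
    return dot(s, v) * dot(s, w) - dot(s, y) == 0


def witness(m: int, n: int) -> List[int]:
    """Execute the flattened commands in order, recording every variable as we go.

    The result is the assignment to all variables, i.e. the witness vector."""
    one = 1                 # initial state: the constant wire plus the inputs
    sym1 = m * m            # first flattened command
    out = sym1 + 36 - n     # second flattened command
    return [one, m, n, sym1, out]


def check_witness(s: List) -> bool:
    """A witness is valid only if every constraint is satisfied by it."""
    return all(satisfy(s, c) for c in CONSTRAINTS)


if __name__ == "__main__":
    s = witness(2, 3)
    print("witness:", dict(zip(VARS, s)))
    print("all constraints satisfied:", check_witness(s))
    # Tampering with any wire breaks at least one constraint
    forged = [1, 2, 3, 4, 38]
    print("forged witness accepted:", check_witness(forged))
```

Each constraint checks one gate of the flattened program; the same witness vector is dotted with all three vectors of every constraint, which is why the variable ordering has to be fixed up front.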
Given a set of points, give me a polynomial that passes through all of those points.
Thanks to this we can check the witness in a single step
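Lagrange interpolation and the single-step polynomial check, as an added example that is not part of the original slides. For each of the three constraint matrices, every column is interpolated into one polynomial through the points \( x = 1, \dots, k \) (one point per constraint); the witness then combines those column polynomials into \( A(x), B(x), C(x) \), and \( A(x) B(x) - C(x) \) must vanish at every constraint index, which is the same as being divisible by \( Z(x) = \prod_i (x - i) \). The constraint vectors and variable ordering for \( m^2 + 36 - n \) are the same assumed flattening as above; arithmetic is over the rationals here rather than a finite field, to keep the example self-contained.

```python
from fractions import Fraction
from typing import List, Tuple

# Assumed flattening of m^2 + 36 - n over [one, m, n, sym1, out]
CONSTRAINTS = [
    ([0, 1, 0, 0, 0], [0, 1, 0, 0, 0], [0, 0, 0, 1, 0]),   # m * m = sym1
    ([36, 0, -1, 1, 0], [1, 0, 0, 0, 0], [0, 0, 0, 0, 1]),  # (36 - n + sym1) * 1 = out
]

Poly = List[Fraction]  # coefficients, lowest degree first


def poly_add(a: Poly, b: Poly) -> Poly:
    n = max(len(a), len(b))
    return [(a[i] if i < len(a) else Fraction(0)) + (b[i] if i < len(b) else Fraction(0)) for i in range(n)]


def poly_scale(a: Poly, k) -> Poly:
    return [Fraction(k) * c for c in a]


def poly_mul(a: Poly, b: Poly) -> Poly:
    out = [Fraction(0)] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return out


def poly_eval(a: Poly, x) -> Fraction:
    return sum((c * Fraction(x) ** i for i, c in enumerate(a)), Fraction(0))


def poly_divmod(num: Poly, den: Poly) -> Tuple[Poly, Poly]:
    """Schoolbook long division; returns (quotient, remainder)."""
    num = [Fraction(c) for c in num]
    den = [Fraction(c) for c in den]
    q = [Fraction(0)] * max(len(num) - len(den) + 1, 1)
    for i in range(len(num) - len(den), -1, -1):
        coef = num[i + len(den) - 1] / den[-1]
        q[i] = coef
        for j, d in enumerate(den):
            num[i + j] -= coef * d
    return q, num[:len(den) - 1]


def lagrange(points: List[Tuple[int, int]]) -> Poly:
    """The unique polynomial of degree < len(points) passing through all the points."""
    result: Poly = [Fraction(0)]
    for i, (xi, yi) in enumerate(points):
        term: Poly = [Fraction(yi)]
        for j, (xj, _) in enumerate(points):
            if j != i:
                # multiply by (x - xj) / (xi - xj)
                term = poly_mul(term, [Fraction(-xj, xi - xj), Fraction(1, xi - xj)])
        result = poly_add(result, term)
    return result


def column_polys(constraints, n_vars: int):
    """For matrices A, B, C: interpolate column j through (i, value in constraint i)."""
    k = len(constraints)
    return [[lagrange([(i + 1, constraints[i][m][j]) for i in range(k)]) for j in range(n_vars)]
            for m in range(3)]


def combine(cols, s) -> Poly:
    acc: Poly = [Fraction(0)]
    for sj, pj in zip(s, cols):
        acc = poly_add(acc, poly_scale(pj, sj))
    return acc


def vanishing(k: int) -> Poly:
    z: Poly = [Fraction(1)]
    for i in range(1, k + 1):
        z = poly_mul(z, [Fraction(-i), Fraction(1)])
    return z


def qap_check(constraints, s) -> bool:
    """Single-step check: A(x)B(x) - C(x) is divisible by Z(x) iff s satisfies every constraint."""
    a_cols, b_cols, c_cols = column_polys(constraints, len(s))
    p = poly_add(poly_mul(combine(a_cols, s), combine(b_cols, s)), poly_scale(combine(c_cols, s), -1))
    _h, rem = poly_divmod(p, vanishing(len(constraints)))
    return all(r == 0 for r in rem)


if __name__ == "__main__":
    print("valid witness:", qap_check(CONSTRAINTS, [1, 2, 3, 4, 37]))
    print("forged witness:", qap_check(CONSTRAINTS, [1, 2, 3, 4, 38]))
```

Evaluating the combined polynomial at \( x = i \) reproduces exactly the residual of constraint \( i \), so the divisibility test replaces \( k \) separate dot-product checks with one polynomial identity; in the actual protocol that identity is checked at a single hidden point using pairings rather than in the clear as here.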
All our arithmetic operations would not be done with regular numbers. Instead they'd be done with elliptic curve elements over a finite field with a prime modulus.
An \( (x, y) \) coordinate on a curve that looks like
Instead of being a real curve, you have a set of discrete points.
( Barreto-Naehrig Curve: BN128 )
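Curve arithmetic over a prime field, as an added example that is not part of the original slides. It uses a constructed toy curve \( y^2 = x^3 + 3 \) over \( \mathrm{GF}(97) \) so that the "set of discrete points" can be enumerated, and then applies the same group law to the BN128 (alt_bn128) G1 curve, whose base-field prime, group order and generator are taken from EIP-196 as recalled here, not from the slides. The curve shape \( y^2 = x^3 + 3 \) for BN128 G1 is likewise the editor's assumption, since the slide's equation did not survive extraction.

```python
from typing import List, Optional, Tuple

Point = Optional[Tuple[int, int]]  # None is the point at infinity (group identity)
INF: Point = None

# Constructed toy parameters: y^2 = x^3 + 3 over GF(97)
TOY_P = 97
B = 3

# BN128 / alt_bn128 G1 parameters (EIP-196): base-field prime, group order, generator
BN128_P = 21888242871839275222246405745257275088696311157297823662689037894645226208583
BN128_R = 21888242871839275222246405745257275088548364400416034343698204186575808495617
BN128_G1: Point = (1, 2)


def on_curve(pt: Point, p: int, b: int = B) -> bool:
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + b)) % p == 0


def neg(pt: Point, p: int) -> Point:
    if pt is INF:
        return INF
    x, y = pt
    return (x, (-y) % p)


def add(p1: Point, p2: Point, p: int) -> Point:
    """Chord-and-tangent group law with all divisions done as modular inverses."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                      # P + (-P), including doubling a point with y == 0
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, p) % p        # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p           # chord slope
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def mul(k: int, pt: Point, p: int) -> Point:
    """Double-and-add scalar multiplication."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = add(result, addend, p)
        addend = add(addend, addend, p)
        k >>= 1
    return result


def enumerate_points(p: int, b: int = B) -> List[Point]:
    """Every (x, y) in GF(p)^2 on the curve, plus infinity: the discrete 'curve'."""
    pts: List[Point] = [INF]
    for x in range(p):
        for y in range(p):
            if (y * y - (x ** 3 + b)) % p == 0:
                pts.append((x, y))
    return pts


def bn128_generator_has_order_r() -> bool:
    """Sanity check on the BN128 constants: [r]G must be the identity."""
    return on_curve(BN128_G1, BN128_P) and mul(BN128_R, BN128_G1, BN128_P) is INF


if __name__ == "__main__":
    pts = enumerate_points(TOY_P)
    print(f"{len(pts)} points on y^2 = x^3 + 3 over GF({TOY_P}), first few: {pts[:5]}")
    g = (1, 2)
    print("2G =", mul(2, g, TOY_P), " 3G =", mul(3, g, TOY_P))
    print("BN128 generator has order r:", bn128_generator_has_order_r())
```

The only difference between the toy field and BN128 is the size of the prime; every operation is the same modular arithmetic, which is why implementations are checked against known multiples of the generator rather than by inspection.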
The final verification step relates the circuit output, the witness, and the circuit description, and is checked without having access to the private inputs.
It's computationally infeasible to construct a forged proof