<a href="https://colab.research.google.com/github/YolaYing/zk-toolkit/blob/main/Plonk%2BKZG_Implementation(Python_Version).ipynb" target="_parent"><img src="https://colab.research.google.com/assets/colab-badge.svg" alt="Open In Colab"/></a>

# Develope Environment Preparation
Curve we used is BLS12-381
- Library we used: BLS21-381 curve implemented by Ethereum, using Python
- Lib link: https://github.com/ethereum/py_ecc/tree/main

You can use the following command to install all the packages we needed. Note that if you are using anaconda, package installation may be failed. Highly recommand using colab or some development friendly environment.

In [3]:
!pip3 install py_ecc

Collecting py_ecc
  Downloading py_ecc-7.0.0-py3-none-any.whl (43 kB)
[?25l     [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m0.0/43.6 kB[0m [31m?[0m eta [36m-:--:--[0m[2K     [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m43.6/43.6 kB[0m [31m1.2 MB/s[0m eta [36m0:00:00[0m
[?25hCollecting eth-typing>=3.0.0 (from py_ecc)
  Downloading eth_typing-3.5.2-py3-none-any.whl (14 kB)
Collecting eth-utils>=2.0.0 (from py_ecc)
  Downloading eth_utils-2.3.1-py3-none-any.whl (77 kB)
[2K     [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m77.8/77.8 kB[0m [31m4.8 MB/s[0m eta [36m0:00:00[0m
[?25hCollecting cached-property>=1.5.1 (from py_ecc)
  Downloading cached_property-1.5.2-py2.py3-none-any.whl (7.6 kB)
Collecting eth-hash>=0.3.1 (from eth-utils>=2.0.0->py_ecc)
  Downloading eth_hash-0.5.2-py3-none-any.whl (8.6 kB)
Collecting cytoolz>=0.10.1 (from eth-utils>=2.0.0->py_ecc)
  Downloading cytoolz-0.12.2-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_

# Preliminaries


## Form of Polynomial Representations(using baby parameters for demonstration)

A polynomial $\Phi(x) = \sum_{i = 0}^{n - 1} \phi_ix^i$ have two representation forms:
1. Coefficient Form
  - $\Phi(x)$ can be represeneted as a tuple of $n$ coefficients: $[\phi_0, \phi_1, ..., \phi_{n-1}]$
2. Evaluation Form
  - $\Phi(x)$ can be represeneted as a tuple of $n$ distinct evaluations: $[\Phi(x_0), \Phi(x_1), ..., \Phi(x_{n-1})]$
    - the set of values $\\{ x_0, x_1, ..., x_{n-1} \\}$ over which the polynomial is defined over is known as "evaluation domain"

In [4]:
# For example, assume we have a polynomial Φ(𝑥)=4x^3+5x^2+3x+2 and some points on the polynomials
poly_coefs = [2, 3, 5, 4]
evaluation_domain = [1, 4, 16, 13]
poly_evals = [14, 10, 0, 1]

print(f'coefficient form of phi(x) is {poly_coefs}')
print(f'evaluation form of phi(x) is {poly_evals}, defined over evaluation domain {evaluation_domain}')

coefficient form of phi(x) is [2, 3, 5, 4]
evaluation form of phi(x) is [14, 10, 0, 1], defined over evaluation domain [1, 4, 16, 13]


## Convert between Coefficient Form and Evaluation Form

### Defination
- **Fourier Transform**: convert from coefficient to evaluation
- **inverse Fourier Transform**: convert from evaluation to coefficient


### Naive Way
In naive way, each of those two transformation takes $O(n^2)$ computation
- **Fourier Transform**: evaluate $\Phi(x)$ at each $x_i$ in the evaluation domain
- **inverse Fourier Transform**: use *Lagrange Interpolation* to obtain unique degree $(n-1)$ polynomial passes through each of the $n$ points


### Optimized Way: Fast Fourier Transformation(FFT)
To improve the effectiveness of the transformation, we need to do the following steps:
- defined polynomials over finite field
  - restrict each coefficient $p_i \in F_q$ and each evaluation point $\Phi(x_i) \in F_q$
  - $q$ stands for curve order
- defined the evaluation domain as a multiplicative subgroup of $F_q$
  - evaluation domain is a set of "$n^{th}$ roots of unity", $\{ \omega_0, \omega_1, ..., \omega_{n-1} \}$ for some element $\omega \in F_q$ with order $n$(i.e. $\omega^n = 1$ mod $q$)
- implementation of FFT algorithm
  - if you are not familiar with FFT, highly recommend this video: https://www.youtube.com/watch?v=h7apO7q16V0

In [5]:
import random

def FFT(poly_coefs, q):
  '''
  Args:
  poly_coefs: coefficient representation of the polynomial

  Returns:
  y: evaluation form of the polynomial
  '''
  # get the degree of the polynomial
  n = len(poly_coefs)
  if n == 1:
    return poly_coefs

  # in theory, omega should be the nth root of unity, which is a complex number
  # to use it in finite field, we use a algorithm here
  omega = find_nth_root_of_unity(n, q)
  print(f'{n}^th of unity is {omega}')
  poly_coefs_e = poly_coefs[::2]
  poly_coefs_o = poly_coefs[1::2]
  y_e = FFT(poly_coefs_e, q)
  y_o = FFT(poly_coefs_o, q)
  y = [0] * n
  for j in range(int(n/2)):
    y[j] = int(y_e[j] + (omega**j)*y_o[j]) % q
    y[j + int(n/2)] = int(y_e[j] - (omega**j)*y_o[j]) % q
  return y


def find_nth_root_of_unity(n, q):
  '''
  Args:
  n: nth root of unity, which is the degree of polynomial
  q: finite field q

  Returns:
  omega: the nth root of unity, which is a element in finite field
  '''
  omega = 1
  while(omega**(n/2) == 1 and omega != 0):
    x = random.randint(0, q)
    omega = x**((q-1)/n) % q
  return omega

print(f'coefficient form of phi(x) is {poly_coefs}, after FFT, we can get the evaluation form of phi(x) is {FFT(poly_coefs, 17)}')


4^th of unity is 4.0
2^th of unity is 16.0
2^th of unity is 16.0
coefficient form of phi(x) is [2, 3, 5, 4], after FFT, we can get the evaluation form of phi(x) is [14, 10, 0, 1]


In [6]:
# verification of FFT result
omega = 13
q = 17
for i in range(len(poly_coefs)):
    x = omega**i % q
    print(f'x = {x}, poly(x) = {(4*(x**3)+5*(x**2)+3*x+2) % q}')

x = 1, poly(x) = 14
x = 13, poly(x) = 1
x = 16, poly(x) = 0
x = 4, poly(x) = 10


Because the calculation of finding evaluation domain is a repeated and computation intensive step, so usually we just build a lookup table to store the pre-calculated result. Here we just slightly revise FFT algorithm to meet the lookup needs.

In [7]:
# omega generation can be quite computational intensive, so we tend to pre-calculate the lookup table for omega
# we assume n = 8, and we have a multiplication cyclic group with ord = 8, which is [1,2,4,8,16,15,13,9] with 2 as its generator and 17 as module

# create a lookup table
n_max = 8
q = 17
omega_list = [1,2,4,8,16,15,13,9]

def build_lookup_table(n, omega_list):
  lookup = {}
  lookup[n] = omega_list
  while n > 2:
    n = int(n/2)
    omega_list = omega_list[::2]
    lookup[n] = omega_list
  return lookup

lookup  = build_lookup_table(n_max, omega_list)
print(f'lookup table of list of omega is {lookup}')

lookup table of list of omega is {8: [1, 2, 4, 8, 16, 15, 13, 9], 4: [1, 4, 16, 13], 2: [1, 16]}


In [8]:
# revise FFT using omega lookup table
def FFT_using_exist_omega(poly_coefs, q, lookup):
  '''
  Args:
  poly_coefs: coefficient representation of the polynomial
  lookup: pre-determined omega list

  Returns:
  y: evaluation form of the polynomial
  '''
  # get the degree of the polynomial
  n = len(poly_coefs)
  if n == 1:
    return poly_coefs

  # in theory, omega should be the nth root of unity, which is a complex number
  # to use it in finite field, we use a algorithm here
  omega = lookup[n][1]
  # print(f'n = {n}, omega = {omega}')
  poly_coefs_e = poly_coefs[::2]
  poly_coefs_o = poly_coefs[1::2]
  y_e = FFT_using_exist_omega(poly_coefs_e, q, lookup)
  y_o = FFT_using_exist_omega(poly_coefs_o, q, lookup)
  y = [0] * n
  for j in range(int(n/2)):
    y[j] = int(y_e[j] + (omega**j)*y_o[j]) % q
    y[j + int(n/2)] = int(y_e[j] - (omega**j)*y_o[j]) % q
  return y

print(f'coefficient form of phi(x) is {poly_coefs}, after FFT(use exist omega lookup table), we can get the evaluation form of phi(x) is {FFT_using_exist_omega(poly_coefs, q, lookup)}')

coefficient form of phi(x) is [2, 3, 5, 4], after FFT(use exist omega lookup table), we can get the evaluation form of phi(x) is [14, 10, 0, 1]


### Inverse Fast Fourier Transformation(IFFT)
We have used FFT to achieve fast transformation from coefficient to evaluation. Now we will implement the inverse transformation, which is from evaluation to coefficient with slightly changing in the algorithm: update $\omega$ to $\frac{1}{n}\omega^{-1}$

detailed info: https://decentralizedthoughts.github.io/2023-09-01-FFT/#mjx-eqn-%5Cstar

In [9]:
# inverse the lookup table
# the only thing we need to modify in FFT is to update its omega
omega_list = [1,2,4,8,16,15,13,9]

def inverse_element(omega_list, q):
  inverse_omega_list = []
  inverse_omega_dict = {}

  for i in omega_list:
    for candidate in omega_list:
      if i*candidate%q == 1:
        inverse_omega_list.append(candidate)
        inverse_omega_dict[i] = candidate
  return inverse_omega_list, inverse_omega_dict

inverse_omega_list, inverse_omega_dict= inverse_element(omega_list, q)
print(f'inverse omega list is {inverse_omega_list}, inverse omega dict is {inverse_omega_dict}')
inverse_lookup = build_lookup_table(n_max, inverse_omega_list)
print(f'lookup table of list of omega is {inverse_lookup}')

inverse omega list is [1, 9, 13, 15, 16, 8, 4, 2], inverse omega dict is {1: 1, 2: 9, 4: 13, 8: 15, 16: 16, 15: 8, 13: 4, 9: 2}
lookup table of list of omega is {8: [1, 9, 13, 15, 16, 8, 4, 2], 4: [1, 13, 16, 4], 2: [1, 16]}


In [10]:
# revise FFT using omega lookup table
def IFFT_using_exist_omega(poly_evals, q, inverse_lookup, inverse_omega_dict):
  recursion_result = IFFT_recursion_part(poly_evals, q, inverse_lookup)
  IFFT_final_result = [ x * inverse_omega_dict[len(poly_evals)] % q for x in recursion_result]
  return IFFT_final_result

def IFFT_recursion_part(poly_evals, q, inverse_lookup):
  '''
  Args:
  poly_coefs: coefficient representation of the polynomial
  lookup: pre-determined omega list

  Returns:
  y: evaluation form of the polynomial
  '''
  # get the degree of the polynomial
  n = len(poly_evals)
  if n == 1:
    return poly_evals

  # in theory, omega should be the nth root of unity, which is a complex number
  # to use it in finite field, we use a algorithm here
  omega = inverse_lookup[n][1]
  poly_evals_e = poly_evals[::2]
  poly_evals_o = poly_evals[1::2]
  y_e = IFFT_recursion_part(poly_evals_e, q, inverse_lookup)
  y_o = IFFT_recursion_part(poly_evals_o, q, inverse_lookup)
  y = [0] * n
  for j in range(int(n/2)):
    y[j] = int(y_e[j] + (omega**j)*y_o[j]) % q
    y[j + int(n/2)] = int(y_e[j] - (omega**j)*y_o[j]) % q
  return y

print(f'evaluation form of phi(x) is {poly_evals}, after IFFT(use exist omega lookup table), we can get the coefficient form of phi(x) is {IFFT_using_exist_omega(poly_evals, q, inverse_lookup, inverse_omega_dict)}')

evaluation form of phi(x) is [14, 10, 0, 1], after IFFT(use exist omega lookup table), we can get the coefficient form of phi(x) is [2, 3, 5, 4]


## Polynomial Representations, FFT and IFFT(using real numbers for KZG usage)

### Polynomial Representations

Real proving system only consider polynomials over a finite field, and so we will restrict：
- each coefficient $p_i$
- each evaluation point $\Phi(x_i)$ to be elements of a finite field $F_q$
- the evaluation domain(the $\omega_i$'s) to be a mulyiplicative subgroup of $F_q$

For BLS12-381:
- the finite field modulus $q$ is pre-determined, which is 'curve order'
- "$n^{th}$ roots of unity" are confirmed, can be get using the function 'find_nth_root_of_unity($n$, $q$)'

In [11]:
from py_ecc.bls12_381 import curve_order
from py_ecc.fields.field_elements import FQ as Field

# construct a data structure F_q
class FQ(Field):
    field_modulus = curve_order
q = curve_order

# For example, assume we have a polynomial Φ(𝑥)=4x^3+5x^2+3x+2 and some points on the polynomials
poly_coefs = [FQ(2), FQ(3), FQ(5), FQ(4)]
poly_evals = [FQ(14), FQ(52435875175126190475982595682112313518914282969839895044333406231173219221502), FQ(0), FQ(3465144826073652318776269530687742778270252468765361963005)]

def find_nth_root_of_unity_realnum(n, q):
  '''
  Args:
  n: nth root of unity, which is the degree of polynomial
  q: finite field q

  Returns:
  omega: the nth root of unity, which is a element in finite field
  '''
  omega = FQ(5) ** ((q - 1) // n)
  return omega

omega = find_nth_root_of_unity_realnum(len(poly_coefs), q)
evaluation_domain = [omega**0, omega**1, omega**2, omega**3]

print(f'coefficient form of phi(x) is {poly_coefs}')
print(f'evaluation form of phi(x) is {poly_evals}, defined over evaluation domain {evaluation_domain}')

coefficient form of phi(x) is [2, 3, 5, 4]
evaluation form of phi(x) is [14, 52435875175126190475982595682112313518914282969839895044333406231173219221502, 0, 3465144826073652318776269530687742778270252468765361963005], defined over evaluation domain [1, 3465144826073652318776269530687742778270252468765361963008, 52435875175126190479447740508185965837690552500527637822603658699938581184512, 52435875175126190475982595682112313518914282969839895044333406231173219221505]


### Fast Fourier Transformation(FFT)

In [134]:
import random

class FQ(Field):
    field_modulus = curve_order

q = curve_order
poly_coefs = [FQ(2), FQ(3), FQ(5), FQ(4)]

def FFT(poly_coefs, q):
  '''
  Args:
  poly_coefs: coefficient representation of the polynomial

  Returns:
  y: evaluation form of the polynomial
  '''
  # get the degree of the polynomial
  n = len(poly_coefs)
  if n == 1:
    return poly_coefs

  # in theory, omega should be the nth root of unity, which is a complex number
  # to use it in finite field, we use a algorithm here
  omega = find_nth_root_of_unity_realnum(n, q)
  # print(f'{n}^th of unity is {omega}')
  poly_coefs_e = poly_coefs[::2]
  poly_coefs_o = poly_coefs[1::2]
  y_e = FFT(poly_coefs_e, q)
  y_o = FFT(poly_coefs_o, q)
  y = [0] * n
  for j in range(int(n/2)):
    y[j] = y_e[j] + (omega**j)*y_o[j]
    y[j + int(n/2)] = y_e[j] - (omega**j)*y_o[j]
  return y

poly_evals = FFT(poly_coefs, q)
print(f'coefficient form of phi(x) is {poly_coefs}, after FFT, we can get the evaluation form of phi(x) is {poly_evals}')

coefficient form of phi(x) is [2, 3, 5, 4], after FFT, we can get the evaluation form of phi(x) is [14, 52435875175126190475982595682112313518914282969839895044333406231173219221502, 0, 3465144826073652318776269530687742778270252468765361963005]


### Inverse Fast Fourier Transformation(IFFT)

In [46]:
# revise FFT using omega lookup table
def IFFT(poly_evals, q):
  recursion_result = IFFT_recursion_part(poly_evals, q)
  # all elenent in result mutiply 1/n, which is inverse of n
  IFFT_final_result = [ x * (FQ(1)/FQ(len(poly_evals))) for x in recursion_result]
  return IFFT_final_result

def IFFT_recursion_part(poly_evals, q):
  '''
  Args:
  poly_coefs: coefficient representation of the polynomial
  lookup: pre-determined omega list

  Returns:
  y: evaluation form of the polynomial
  '''
  # get the degree of the polynomial
  n = len(poly_evals)
  if n == 1:
    return poly_evals

  # in theory, omega should be the nth root of unity, which is a complex number
  # to use it in finite field, we use a algorithm here
  omega = find_nth_root_of_unity_realnum(n, q)
  # inverse omega
  omega_inv = omega**(n-1)
  poly_evals_e = poly_evals[::2]
  poly_evals_o = poly_evals[1::2]
  y_e = IFFT_recursion_part(poly_evals_e, q)
  y_o = IFFT_recursion_part(poly_evals_o, q)
  y = [0] * n
  for j in range(int(n/2)):
    y[j] = int(y_e[j] + (omega_inv**j)*y_o[j])
    y[j + int(n/2)] = int(y_e[j] - (omega_inv**j)*y_o[j])
  return y

print(f'evaluation form of phi(x) is {poly_evals}, after IFFT(use exist omega lookup table), we can get the coefficient form of phi(x) is {IFFT(poly_evals, q)}')

evaluation form of phi(x) is [14, 52435875175126190475982595682112313518914282969839895044333406231173219221502, 0, 3465144826073652318776269530687742778270252468765361963005], after IFFT(use exist omega lookup table), we can get the coefficient form of phi(x) is [2, 3, 5, 4]


# KZG Implementation(Python Version)

The KZG Commitment Scheme is a commitment scheme that allows to commit to a polynomial $\Phi(x) = \phi_0 +\phi_1x+\phi_2x^2+...+\phi_lx^l$, where $\Phi(x) \in F_p[x]$ . 'to commit' means proving that you know the polynomial $\Phi(x)$ without revealing it.

The KZG commitment scheme consists of 4 steps:
1. Setup
2. Commit to Polynomials
3. Prove an Evaluation
4. Verify an Evaluation Proof

## Step 1: Setup

The first step is an one-time trusted setup and once it has done once, the following steps can be done repeatedly
1. Let $G_1$ and $G_2$ be pairing-friendly elliptic curve groups, determined by curve BLS12-381
2. Let $g_1$ be a generator of $G_1$ and $g_2$ be a generator of $G_2$
3. Let $l$ be the maximum degree of the polymonials we want to commit to ($l < p$)
4. Pick a random field element as secret parameter $\tau \in F_p$(usually done by MPC, to simplify, we just randomly choose one here)
5. Compute pp(public parameters, including proving key $pk$, and verifying key $vk$)$$pk = (g_1, g_1^\tau, g_1^{\tau^2},...,g_1^{\tau^l}), vk = g_2^\tau$$ and release it publicly
6. Discard secret parameter $\tau$ once the setup ceremony is done so that nobody can figure out its value

In [14]:
from py_ecc.bls12_381 import G1, G2, Z1, multiply, add

# 1. Let G1,G2 be pairing-friendly elliptic curve groups, which are determined by the curve

# 2. Let g be a generator of G
g1 = G1
g2 = G2

# 3. Let l be the maximum degree of the polymonials, which is 16
l = 16

# 4. Pick a random field element from field F_p and p = curve order as secret parameter t
p = q
# t = 0 will lose all the security, so t cannot be 0
t = FQ(random.randint(1, p-1))
print(f'secret parameter 𝜏 is {t}')

# 5. Compute pp(public parameters)
def compute_public_parameters(g1, g2, t, l):

    pk = []
    accumulated = 1
    t_scalar = t
    for i in range(l + 1):
        # calculate g1, g1^t, g1^{t^2}...
        pk.append(multiply(g1, int(accumulated)))
        # calculate the exponential t, t^2, t^3, ...
        accumulated = accumulated * t_scalar
    vk = multiply(g2, int(t))
    return pk, vk

pk, vk = compute_public_parameters(g1, g2, t, l)
print(f'proving key pk: {pk}')
print(f'verifying key vk: {vk}')

secret parameter 𝜏 is 46942211166835833991683064364326860739544285566615246342751875185128670898648
proving key pk: [(3685416753713387016781088315183077757961620795782546409894578378688607592378376318836054947676345821548104185464507, 1339506544944476473020471379941921221584933875938349620426543736416511423956333506472724655353366534992391756441569), (1795103602721386634937363161179568768307019266415250945809382725166576812669031579523368689255428135946934798328148, 3014891104350764861968495713382186266685767901309902093275917382931294710126949488477141959837455815812770802259472), (3217931901451400946143212119068165856090377619448170719687244831052153824312656166671426338089550832670520580126402, 1651515442625391667445734328117195907039897446140881559219045893363380495874382483933700347444265998250377706531356), (2733870609416011624467755838194404597743925245918362194499105190351331491264080814604594697524560481400774103096812, 652203280270163666412418640022161530522470239413868344069

## Step 2: Commit to Polynomials
In reality, we arithmetize circuits and use Plonkish to get polynomials in this step
1. Given a polynomial $\Phi(x) = \sum_{i=0}^l \phi_i x^i$
2. Compute and output commitment $c = g^{\Phi(\tau)}$
   - Wait! $\tau$ has already been discard right? How can committer compute $\tau$?
   - Although he cannot compute $\Phi(\tau)$ directly, he can use public parameters to help with it:
$$\prod_{i=0}^l(g^{\tau^i})^{\phi_i} = g^{\sum_{i=0}^l \phi_i \tau^i} = g^{\Phi(\tau)}$$

In [15]:
# assume we have a polynomial Φ(𝑥)=4x^3+5x^2+3x+2 or some points on the polynomials
# we can use FFT or IFFT to do the transformation between the two forms
poly_coefs = [FQ(2), FQ(3), FQ(5), FQ(4)]

In [16]:
# compute commitment of the polynomial
def poly_commitment(pk, g1, poly_coefs):

  com = Z1
  for i in range(len(poly_coefs)):
    com = add(multiply(pk[i], int(poly_coefs[i])), com)
  return com

com = poly_commitment(pk, g1, poly_coefs)
print(f'commitment of polynomial is {com}')

commitment of polynomial is (3794386381163135840839771574063933893220934881388293774895517444148210079055214593881616833855292359746771744128299, 2925274371990950592732967531230763732420574621742051773526932453746597484212541971947003007463545299840843447732561)


## Step 3: Prove an Evaluation
In this period, the Verifier will ask Prover to 'OPEN' the commitment $c$ to a random specific point $a \in F_p$, in other word, Prover have to evaluation $\Phi(x)$ and commit the result in the form of opening triplet $OT = (a, b, \pi)$
1. Given an evaluation $\Phi(a) = b$
2. Compute and output proof of the evaluation $\pi = g^{q(\tau)}$, where $q(x) := \frac{\Phi(x)-b}{x-a}$
    - $q(x)$ is quotient polynomial: if $\Phi(a) = b$, that means $a$ is a root of $\Phi(x) - b$
    - so $\Phi(x) - b$ can be expressed as $\Phi(x) - b = q(x)(x-a)$, $q(x)$ is a polynomial
    - on the other hand, $q(x)$ exists if and only if $\Phi(a) = b$, so the existence of this quotient polynomial therefore serves as a proof of the evaluation

In [17]:
# Verifier first choose the random point a
def evaluation_poly(a, poly_coefs):
  b = FQ(0)
  for i in range(len(poly_coefs)):
    b += (a**i)*(poly_coefs[i])
  return b

# according to defination
def random_generate_a(poly_coefs, p):
  # create a list of omega
  n = len(poly_coefs)
  omega = find_nth_root_of_unity_realnum(n, p)
  omega_list = []
  for i in range(n):
    omega_list.append(omega**i)

  # a cannot in omega list, otherwise x-a will be 0
  a = FQ(random.randint(0, p))
  while a in omega_list:
    a = FQ(random.randint(0, p))

  return a

a = random_generate_a(poly_coefs, p)
b = evaluation_poly(a, poly_coefs)
print(f'random element we chosen is {a}, the evaluation b is {b}')

random element we chosen is 12107572540821366498207314727511316122512528569372591180374236150875721988723, the evaluation b is 30674397879604745785130549996261545677174304146429618164391323134984419006411


In [19]:
# compute q(x)
# 1. if poly in coefficient form, convert poly_coefs to evals
# 2. calculate quotient polynomial in evaluation form
# 3. convert quotient poly evals to coefs if needed

def quotient_poly(a, b, poly_evals, p):
  '''Args:
  a: randomly sampled field element
  b: evaluation on a
  poly_evals: input of poly need to be in evaluation form

  Returns:
  q_poly_evals: q poly in evaluation form
  '''
  q_poly_evals = []
  n = len(poly_evals)
  omega = find_nth_root_of_unity_realnum(n, p)

  for i in range(len(poly_evals)):
    q_poly_evals.append((poly_evals[i]-b)/(omega**i-a))

  return q_poly_evals

q_poly_evals = quotient_poly(a, b, poly_evals, p)
print(f'quotient polynomial in evaluation form is {q_poly_evals}')

quotient polynomial in evaluation form is [26842127815094403715092454765955610704544244668315868571978075999656491037462, 46037274770395707132610273567492680803741801401361007930484239786957006665517, 34853297838775852688329417962237013399825121114390414774191504192527877496694, 15658150883474549270811599160699943300627564381345275415685340405227361868623]


In [20]:
# convert quotient polynomial from evaluation form to coefficient form
q_poly_coefs = IFFT(q_poly_evals, q)
print(f'quotient polynomial in coefficient form is {q_poly_coefs}')

quotient polynomial in coefficient form is [30847712826935128201710936364096312052184682891353141673084790096092184267074, 48430290163285465992829258910045264490050114277490364721496944603502887954897, 4, 0]


In [21]:
# compute proof of the evaluation pi
pi = poly_commitment(pk, g1,  q_poly_coefs)
print(f'proof of the evaluation pi is {pi}')

proof of the evaluation pi is (2977221597219854831046351341594561060394902694295869262429649987002354397699009825438399140826453541742850738083072, 2129875378888582557943188234217988506340627226565718318066554731769626151233311950086257762133896672262166585040778)


## Step 4: Verify an Evaluation Proof
1. Given a commitment $c = g^{\Phi(\tau)}$, and an evaluation $\Phi(a) = b$, and a proof $\pi = g^{q(\tau)}$
2. Verify that $e(\frac{c}{g^b}, g) = e(\pi,\frac{g^\tau}{g^a})$, where $e$ is a non-trivial bilinear mapping
    - the purpose of verification: $\Phi(x) - b = q(x)(x-a)$, checking this equality holds for $x = \tau$
    - according to the definition of bilinear mapping, it is equivalent to: $e(g_1, g_2)^{\Phi(\tau) - b} = e(g_1, g_2)^{q(\tau)(\tau-a)}$, that is $e(g_1^{\Phi(\tau) - b}, g_2) = e(g_1^{q(\tau)}, g_2^{\tau-a})$
    - that is $e(com-g_1^b, g_2) = e(\pi, vk - g_2^a)$

In [22]:
from py_ecc.bls12_381 import pairing, neg

# now it is time to do the varification
print(f'result of verification: {pairing(g2, add(com, neg(multiply(g1, int(b))))) == pairing(add(vk, neg(multiply(g2, int(a)))), pi)}')

result of verification: True


# Plonk Implementation(Python Version)

## Problem Definition

We take **Square-Fibonacci** as an example to demonstrate the process of proof generation

Defination of Square-Fibonacci Problem:
- Let $f_0 = 1, f_1 = 1$
- For $i \ge 2$, define $f_i:=(f_{i-2})^2+(f_{i-1})^2 \ mod \ q$
    - $q$ is a large prime integer, used to bound the size of each element, so that it can be represented by some predetermined number of bits.

Let $n$ be some very large integer. For convenience, we assume $n$ is a power of 2

Let $k$ be the $n^{th}$ Square-Fibonacci number

**Our goal**: generate an efficiently-verifiable proof $\pi$ showing that indeed $k$ is the $n^{th}$ Square-Fibonacci number(i.e. $f_n = k$)

## Phases of Proof Generation
The Plonk-based proof generation consists of 3 steps:
1. Filling in the trace table
2. Committing to the trace table
3. Proving the trace table's correctness

In [106]:
# some basic statement
# q here is equialent to the q above
q = curve_order

# assume we hope to prove '8th Square-Fibonacci number is k'
n = 8
k = FQ(317754178345286893212434)

# according to defination, f(0) = 1, f(1) = 1
f_0 = FQ(1)
f_1 = FQ(1)

## Step 1: Filling in the Trace Table
The trace table is a 2-dimensional matrix where 'witness' or 'trace' is written down, that is (n rows * 5 cols)
- 5 columns:
    - $A, B, C$: represent witness data / private input, each row lists 3 sequential Sequare-Fibonacci numbers
        - e.g. the $i^{th}$ row $(f_i, f_{i+1}, f_{i+2})$ is a witness for $(i+2)^{th}$ Sequare-Fibonacci number
    - $S$: represents selector column, indicating a certain mathmatical relation should hold over the element of the row.
        - $1$ represents the first 3 elements of the row $(a, b, c)$ must satisfy $c = a^2 + b^2 \ mod \ q$
        - $0$ represents the condition does not need to be satisfied.
    - $P$: represents public inputs, inputs to the circuit that are public known.
        - e.g. the first two values of the sequence $f_0, f_1$ and $k$ as the value to be proved
- n rows: left a blank row, so that the height of the table becomes $n$, an even power of 2
    - $1^{st}$ row: $f_0, f_1, f_2, 1, f_0$
    - $2^{nd}$ row: $f_1, f_2, f_3, 1, f_1$
    - $3^{rd}$ row: $f_2, f_3, f_4, 1, k$
    - ...
    - $(n-2)^{th}$ row: $f_{n-2}, f_{n-1}, f_n, 1, "" $
    - $(n-1)^{th}$ row: $"", "", "", 0, ""$

Next step is to fill in the trace table: either copy or compute over $F_q$

In [24]:
# generate witness/fill in the trace table
def witness_generation(f_0, f_1, k, n):

    trace_table = []

    # init col A, B, C, S
    f_a = f_0
    f_b = f_1
    f_c = f_b
    S = FQ(1)
    placeholder = FQ(0)

    for i in range(n-1):
        f_a = f_b
        f_b = f_c
        f_c = f_a**2 + f_b**2
        trace_table.append([f_a, f_b, f_c, S, placeholder])

    # add a blank row to get n row
    S = FQ(0)
    trace_table.append([placeholder, placeholder, placeholder, S, placeholder])

    # add public parameters
    trace_table[0][4] = f_0
    trace_table[1][4] = f_1
    trace_table[2][4] = k

    return trace_table

trace_table = witness_generation(f_0, f_1, k, n)

print(f"trace table is: {trace_table}")

trace table is: [[1, 1, 2, 1, 1], [1, 2, 5, 1, 1], [2, 5, 29, 1, 317754178345286893212434], [5, 29, 866, 1, 0], [29, 866, 750797, 1, 0], [866, 750797, 563696885165, 1, 0], [750797, 563696885165, 317754178345286893212434, 1, 0], [0, 0, 0, 0, 0]]


## Step 2: Commit to the Trace Table

### interpret the trace table columns as polynomials

Each column can be considered as a length-$n$ vector of finite field elements $\rightarrow$ this vector can be regarded as the evaluation form of a polynomial $A(x)$ with degree $(n-1)$: the $i^{th}$ element of $A$ corresponds to the evaluation $A(\omega^i)$, where $\omega \in F_q$ is **$n^{th}$ root of unity** and has order $n$

In [25]:
# inverse trace table and get the evaluation form of column polynomials
inverse_trace_table = list(zip(*trace_table))
inverse_trace_table

[(1, 1, 2, 5, 29, 866, 750797, 0),
 (1, 2, 5, 29, 866, 750797, 563696885165, 0),
 (2, 5, 29, 866, 750797, 563696885165, 317754178345286893212434, 0),
 (1, 1, 1, 1, 1, 1, 1, 0),
 (1, 1, 317754178345286893212434, 0, 0, 0, 0, 0)]

### Commit to column polynomials
Now that we have known how to interpret the columns as polynomials, we can commit to each of them using a polynomial commitment scheme.

In [26]:
com_list = []
for i in range(len(inverse_trace_table)):
    col_poly_coefs = IFFT(inverse_trace_table[i], p)
    com = poly_commitment(pk, g1, col_poly_coefs)
    com_list.append(com)
print(com_list)

[(1968158310118774215484859485398590964116607283622052674569848142432783170757536741038440888972056304886057528129797, 846042479001169439009335496235517321339541651735195861536293494681244715120629192029546100494892431962266159752419), (1171061799777620673867655424374715577582177306611001531210590865654381251970153513006028068940215634913847581031395, 2595215317901239985734659238207103927602892260523464320976166135808300856424043282727694396478686099172919425456118), (1042435896795603712299232635039217889721266410966803706066025611312710922478002808729556214636814454701004962830713, 632270327697579045951009473937327738530136306014483539591217468025113067034178196725302287074880654232255120701939), (840371205256064111691451747337257231534390898827973703407196447599864914958277242765167232326819752092704097297539, 1336274383085092942068272524763832707955227364154091401603261332352062484722318169564825566553088301123156091146175), (221224663386271979960777395509219716929202732051818920425

## Step 3: Proving the Trace Table's Correctness
### Define the constraints of the trace table
In order to ensure the original trace table to be valid, we should have the following constraints:
- Square-Fibonaci constraints:
    - each selected row $i$'s first three elements is $(a,b,c)$ must satisfy $c_i = a_i^2 + b_i^2 \ mod \ q$
- Wiring constraints:
    - for consecutive rows with value $[a_i, b_i, c_i]$ and $[a_{i+1}, b_{i+1}, c_{i+1}]$, we require $a_{i+1} = b_i$ and $b_{i+1} = c_i$
- Public input constraints:
    - the first row must start with the first two Square-Fibonacci numbers: $a_0 = p_0, b_0 = p_1$
    - the $n^{th}$ Square-Fibonacci must match the claimed result value: $c_{n-2} = p_2$

The above constraints can be represented by one or more relations between the column polynomials. For example, Square-Fibonaci constraints can be expressed as $S(x)·(A(x)^2 + B(x)^2 - C(x))=0, for\ all\ x\in \{w^0, w^1, ..., w^{n-1}\}$. For shorten, we will label left-hand side $\phi_0(x):=S(x)·(A(x)^2 + B(x)^2 - C(x))$  All our constraints can be expressed as $\phi_i(x) = 0,\ for\ all\ x\in \{w^0, w^1, ..., w^{n-1}\}$

In [170]:
from itertools import zip_longest

def square_fib_constraint_poly(inverse_trace_table, n, p):

  a_poly_coefs = IFFT(inverse_trace_table[0], p)
  b_poly_coefs = IFFT(inverse_trace_table[1], p)
  c_poly_coefs = IFFT(inverse_trace_table[2], p)
  s_poly_coefs = IFFT(inverse_trace_table[3], p)

  # construct a polynomial phi_0(x) = S(x)(A(x)^2+B(x)^2-C(x))
  phi_0_coefs = mul_poly(s_poly_coefs,sub_poly(add_poly(mul_poly(a_poly_coefs, a_poly_coefs), mul_poly(b_poly_coefs, b_poly_coefs)),c_poly_coefs))

  return phi_0_coefs


def mul_poly(poly1_coefs, poly2_coefs):
  multiply_poly = [0]*(len(poly1_coefs)+len(poly2_coefs)-1)
  for o1,i1 in enumerate(poly1_coefs):
    for o2,i2 in enumerate(poly2_coefs):
      multiply_poly[o1+o2] += i1*i2
  return multiply_poly

def add_poly(poly1_coefs, poly2_coefs):
  return [x+y for x, y in zip_longest(poly1_coefs, poly2_coefs, fillvalue=0)]

def sub_poly(poly1_coefs, poly2_coefs):
  return [x-y for x, y in zip_longest(poly1_coefs, poly2_coefs, fillvalue=0)]

square_fib_constraint_poly(inverse_trace_table, n, p)

[9217243683127650670215423136204564307406542431733373805594493117736508689447,
 6666845327329705532963430625265951311576613171241245242132100072955433688671,
 44267534341411372821110843579994475498172624576994019134899687329660324137538,
 27734915317295573979553823553557321860270268471208809659398702095994161952080,
 37702370013672502632704303140624342804248711303899845502198214997157027878207,
 11583562288821433247490937116774158461617493607772389006562557827980992423716,
 19431544404868491752428433057080910022889750308878986243969634670562912518450,
 12399440026714068747233115926566936096429177141939361413989904821957360748254,
 20041303549030907216090313199445756936739800542200228711060022339667450807871,
 1640433480202112741396001466119286110343076964539974284673711265395784145821,
 13311292830147122275312324513496984175656020478185536494792425391434485506145,
 41059692124944929433452274305014365636083572356756835655701111647528539392349,
 487287176898972862051909273570054856936489

In [114]:
# Square-Fibonaci constraints
def square_fib_constraint_poly(inverse_trace_table, n, p):
  # construct a polynomial phi_0(x) = S(x)(A(x)^2+B(x)^2-C(x))
  # S(x) & C(x)'s degree n, A(x)^2 & B(x)^2's degree n^2, so the overall degree is 3n-3
  # we need at least 3n-2 evaluation points to represent phi_0(x)

  # extend A,B,C,S evaluation form to 3n-2
  omega = find_nth_root_of_unity_realnum(3*n-2, p)

  a_ex_poly = poly_eval_extension(inverse_trace_table[0], p, omega, 3*n-2)
  b_ex_poly = poly_eval_extension(inverse_trace_table[1], p, omega, 3*n-2)
  c_ex_poly = poly_eval_extension(inverse_trace_table[2], p, omega, 3*n-2)
  s_ex_poly = poly_eval_extension(inverse_trace_table[3], p, omega, 3*n-2)

  square_fib_constraint_poly_evals = []

  for i in range(3*n-2):
    square_fib_constraint_poly_evals.append(s_ex_poly[i]*(a_ex_poly[i]**2 + b_ex_poly[i]**2 - c_ex_poly[i]))

  return square_fib_constraint_poly_evals


def poly_eval_extension(poly_evals, p, omega, extension):

  poly_coefs = IFFT(poly_evals,p)
  poly_evals_extension = []

  for i in range(extension):
    poly_evals_extension.append(evaluation_poly(omega**i, poly_coefs))

  return poly_evals_extension


phi_0_evals = square_fib_constraint_poly(inverse_trace_table, n, p)
phi_0_coefs = IFFT(phi_0_evals, p)
phi_0_coefs

[9217243683127650670215423136204564307406542431733373805594493117736508689447,
 10379985986062778082577661417203023547630980126845170375807436638472603969752,
 42850139717079355063891636149033819297086311226526078373140579167839440898000,
 41330376867899979502286498011913298469356633334316879100951931624945774925505,
 44835706239583131891015530795013508118108072075523931899721709291628663927334,
 35191195026347652344285995896956568606196585892028776014300851231888925506367,
 29910861316715482671464165321295958504920848136236554930106925821276970060201,
 44579222180158983534128629011991477848661538887895498126879799108602796333451,
 2641477070336103791853956304424529419267409503559042780502688355603803133997,
 49213376399468131133645091668983705402814179929401399596523065348757623191412,
 0,
 41059692124944929433452274305014365636083572356756835655701111647528539392349,
 8190586657991074232522172801822171432042455566569971383373299898496711480509,
 43302068254308088528420175568592773849

In [113]:
# wiring constraints
# using Fi_1 to represent a_i+1 = b_i
def wiring_constraint_poly(inverse_trace_table, n, p):
  # construct a polynomial phi_0(x) = S(x+1)(A(x+1)-B(x))
  omega = find_nth_root_of_unity_realnum(2*n, p)

  a_ex_poly = poly_eval_extension(inverse_trace_table[0], p, omega, 2*n-1)
  b_ex_poly = poly_eval_extension(inverse_trace_table[1], p, omega, 2*n-1)
  s_ex_poly = poly_eval_extension(inverse_trace_table[3], p, omega, 2*n-1)

  wiring_constraint_poly_evals = []

  for i in range(2*n - 1):
    wiring_constraint_poly_evals[i].append(s_ex_poly[i+1]*(a_ex_poly[i+1]- b_ex_poly[i]))

  return wiring_constraint_poly_evals

wiring_constraint_poly(inverse_trace_table[0], inverse_trace_table[1], n)

TypeError: ignored

In [90]:
constraints_poly = []

# Square-Fibonaci constraints
constraints_poly.append(square_fib_constraint_poly(inverse_trace_table[0], inverse_trace_table[1], inverse_trace_table[2], n))

# wiring constraints
# using Fi_1 to represent a_i+1 = b_i
constraints_poly.append(wiring_constraint_poly(inverse_trace_table[0], inverse_trace_table[1], n))

# using Fi_2 to represent b_i+1 = c_i
constraints_poly.append(wiring_constraint_poly(inverse_trace_table[1], inverse_trace_table[2], n))

constraints_poly

[[0, 0, 0, 0, 0, 0, 0, 0], [0, 0, 0, 0, 0, 0, 0, 0], [0, 0, 0, 0, 0, 0, 0, 0]]

### Combine constraints

- **Naive way to proof the contraints**

    In general, we have $m$ constraint polynomials $\phi_0(x), \phi_1(x), ..., \phi_{m-1}(x)$. Sample a random field element $\gamma \in F_q$, and then take a random linear combination of the individual constraints:$$\phi(x) := \gamma^0·\phi_0(x) + \gamma^1·\phi_1(x)+...+\gamma^{m-1}·\phi_{m-1}(x)$$
    and we need the constraints satisfied at every row, that is $\phi(\omega^i) = 0 \ for \ all\ 0\le i <n$, in this case we need $n$ evaluation proofs


- **Using quotient polynomial**

    we can prove such constraint $\phi(x)$ using only one evaluation proof:
    - quotient polynomial:
        \begin{aligned}
        \phi(\omega^i) = 0 \ for \ all\ 0\le i <n\ &{\Leftrightarrow}\ (x-\omega^i)|\phi(x)\ for \ all\ 0\le i<n\\
        &{\Leftrightarrow}\ \prod^{n-1}_{i=0}(x-\omega^i)|\phi(x)\ for \ all\ 0\le i <n\\
        &{\Leftrightarrow}\ (x^n-1)|\phi(x)\\
        &{\Leftrightarrow}\ \exists Q(x)\ s.t.\phi(x)=Q(x)·(x^n-1)
        \end{aligned}
      now we just need to prove there exists a polynomial $Q(x)$
    - compute the quotient polynomial:
        $$
        Q(x):= {\phi(x) \over {x^n-1}} = {{\gamma^0·\phi_0(x) + \gamma^1·\phi_1(x)+...+\gamma^{m-1}·\phi_{m-1}(x)} \over {x^n-1}}
        $$
      degree of $Q(x)$ is $2n-3$, so we need at least $2n-2$ evaluation points to represent it
      
      we make it a round number and use $2n$ evaluation points, our previous evaluation domain do not work anymore, because the order of $\omega$ is only $n$. We therefore need to pick some other element $\beta \in F_q$ with order $2n$. Then we evaluate $Q(x)$ over the evaluation domain $\{\beta^0, \beta^1,...,\beta^{2n-1}\}$

In [102]:
# define Phi(x)
def Phi(constraints_poly, n, p):
  # randomly gerenate gamma in F_p
  gamma_list = []
  Phi_poly = [0] * n

  for i in range(len(constraints_poly)):
      gamma = FQ(random.randint(0, p))
      gamma_list.append(gamma)
      phi_i = [gamma * constraints_poly[i][j] for j in range(n)]
      Phi_poly = [phi_i[j] + Phi_poly[j] for j in range(n)]

  return Phi_poly, gamma_list

Phi_poly, gamma_list = Phi(constraints_poly, n, p)
print(f'the combination of contraints is {Phi_poly}, and the ramdom generated list of gamma is {gamma_list}')

the combination of contraints is [0, 0, 0, 0, 0, 0, 0, 0], and the ramdom generated list of gamma is [18695682625519108157471983605394659832090688078928869562401742199514958518746, 50156698985080153854477879780975312017559457157741019734000403691121293590310, 41587535479776530447750180094211285845041450353237309821308359439951620143765]


In [105]:
def Quotient_poly(Phi_poly, n, p):
  '''Args:
  a: randomly sampled field element
  b: evaluation on a
  poly_evals: input of poly need to be in evaluation form

  Returns:
  Q_poly_evals: q poly in evaluation form
  '''
  Q_poly_evals = []
  omega = find_nth_root_of_unity_realnum(n, p)

  for i in range(n):
    Q_poly_evals.append(Phi_poly[i]/((omega**i)**n-FQ(1)))

  return Q_poly_evals

Q_poly_evals = Quotient_poly(Phi_poly, n, p)
print(f'quotient polynomial in evaluation form is {Q_poly_evals}')

quotient polynomial in evaluation form is [0, 0, 0, 0, 0, 0, 0, 0]


### Committing to the quotient polynomial
Now we have get the evaluation form of $Q(x)$, we can compute its commitment. Note, degree of $Q(x)$ is larger than the column polynomials, so it requires a larger KZG setup

(in practice, we can use a trick here: split $Q(x)$ into 2 smaller polynomials with each one's degree $<n$, and commit them seperately: $Q(x) = Q_{lo}(x) + x^n·Q_{hi}(x)$ )

In [107]:
Q_poly_coefs = IFFT(Q_poly_evals, p)
Q_com = poly_commitment(pk, g1, Q_poly_evals)
print(f'commitment of polynomial is {Q_com}')

commitment of polynomial is None


### Proving the quotient polynomial's existence
Now we have committed all column polynomials from the trace table and have also committed to the quotient polynomial. Now the prover needs to demonstrate the quotient polynimial really exist and it was computed correctly.

This can be achieve through the following steps:
1. sample a random point $\alpha \in F_q$
2. generate and output KZG proofs for all column polynimials and the quotient polynomials at point $\alpha$ $$ Q(\alpha):= {\phi(\alpha) \over {\alpha^n-1}} = {{\gamma^0·\phi_0(\alpha) + \gamma^1·\phi_1(\alpha)+...+\gamma^{m-1}·\phi_{m-1}(\alpha)} \over {\alpha^n-1}}$$
$\alpha$ is sampled at random, so the property holds at $\alpha$, then it holds everywhere

In [None]:
# Verifier first choose the random point a
# a = F_p.random_element()
a = 1

# calculate evaluation for all polynomials, and proof of the evaluation pi
## for column polynomials
col_evaluation = []
col_q_poly = []
col_pi = []
for poly in poly_list:
    # compute evaluation at a
    b = poly(a)
    col_evaluation.append(b)
    # compute q(x)
    q_poly = ((poly-b)/(x-a)).numerator()
    col_q_poly.append(q_poly)
    # compute proof of the evaluation pi
    pi = poly_commitment(pk, g1,  q_poly)
    col_pi.append(pi)
print(f'evalutions for column polynomials are {col_evaluation}, and proof of evaluations are {col_pi}')

## for quotient polynomials
# compute evaluation at a
Q_evaluation = Q_poly(a)
# compute q(x)
Q_q_poly = ((poly-Q_evaluation)/(x-a)).numerator()
# compute proof of the evaluation pi
Q_pi = poly_commitment(pk, g1,  Q_q_poly)
print(f'evaluation for quotient polynomial is {Q_evaluation},and proof of evaluations are {Q_pi}')

### Verifying the quotient polynomial
the verifier need to check two things:
1. each evaluation proof is correct
2. the quotient polynomial holds at point $\alpha$

In [None]:
# verify each evaluation proof is correct
for i in range(len(com_list)):
    print(f'verification result of column {i} : {evaluation_verification(com_list[i], col_evaluation[i], a, col_pi[i], g1, g2, vk)}')

# verify the quotient polynomial holds at point a
# assert GT.pairing(Q_com - g1*Scalar(Q_evaluation), g2) == GT.pairing(Q_pi, vk - g2*Scalar(a))

print(f'verification result:{evaluation_verification(Q_com, Q_evaluation, a, Q_pi, g1, g2, vk)}')