# Groth09

In [1]:
%load_ext autoreload
%autoreload 2 

In [2]:
from zkp_playground.types.algebra.concrete import (
    EllipticCurveGroupSecp256k1 as ECG,
    EllipticCurveCyclicSubgroupSecp256k1 as CG,
    FiniteFieldSecp256k1 as F,
    FiniteFieldCyclicSecp256k1 as CF
)

from operator import add
G = CG.G

import random

N = 0xFFFFF
random_f = lambda: CF(random.randint(1, N) % CF.P)

q = random_f()
H = G @ q
    
Gs = [G @ random_f() for _ in range(0, 256)]

In [3]:
rand = lambda: random.randint(1, 100)

In [4]:
import numpy as np

Mat = np.matrix
Hada = lambda x, y: Mat(np.array(x) * np.array(y))

## 3 The Schwartz-Zippel Lemma



* Lemma 1 (Schwartz-Zippel). Let poly be a non-zero multivariate polynomial of degree $d$ over $\mathbb{Z}_p$ , then the probability of $poly(x_1 ; \cdots ; x_m ) = 0$ for randomly chosen $x_1 ; \cdots ; x_m) \leftarrow \mathbb{Z}_p$ is at most $d/p$.

The Schwartz-Zippel lemma is frequently used in polynomial identity testing. Given two multi-variate poly- nomials $poly_1$ and $poly_2$ we can test whether $poly_1 (x_1 ; \cdots ,x_m )-poly_2 (x_1,\cdots,x_ m ) = 0$ for random $x_1,\cdots ,x_m \leftarrow \mathbb{Z}_p$ . If the two polynomials are identical this will always be true, whereas if the two polyno- mials are different then there is only probability $max(d_1,d_2 )=p$ for the equality to hold.

## 4 Equations with Matrices and Vectors

We wish to commit to matrices and vectors of elements from $\mathbb{Z}_p$ and make SHVZK arguments for them satisfying equations commonly arising in linear algebra. We ﬁrst consider the following 6 types of equations over committed matrices $X_i ; Y_i ; Z \in Mat_{nxn} (\mathbb{Z}_p )$, committed row vectors $x_i,  y_i ,z \in \mathbb{Z}_p^n$ and committed elements $z\in \mathbb{Z}_p$ , with public $a^i \in \mathbb{Z}_p$ .

In [5]:
n = 5
m = 10
X = [[[random_f() for i in range(n)] for i in range(n)] for _ in range(m)]
Y = [[[random_f() for i in range(n)] for i in range(n)] for _ in range(m)]
a = [random_f() for _ in range(n*m)]
x = lambda e: [i[e] for i in X]
y = lambda e: [i[e] for i in Y]

In [6]:
from zkp_playground.zkp.pedersen import com
from operator import add
from functools import reduce

$$
\mathbf{z}^\top = \sum_{i=1}^m a_iX_i\mathbf{y}_i^\top
$$

$$
z=\sum_{i=1}^m a_i \mathbf{x}_i \mathbf{y}_i^\top
$$

In [7]:
zs_T = reduce(add, [(Mat(_X) * _a) * Mat(_y).T
                    for (_X, _y, _a) in zip(X, y(0), a)])

In [8]:
z = lambda e: reduce(add, [(Mat(_x) * _a) * Mat(_y).T 
                 for (_x, _y, _a) in zip(x(e), y(e), a)]).item()

In [9]:
z(0) in zs_T

True

In [10]:
zs_T.T.tolist()[0]

[FiniteFieldCyclicSecp256k1::8396719290579805322,
 FiniteFieldCyclicSecp256k1::9140068675564411316,
 FiniteFieldCyclicSecp256k1::8453501877681981600,
 FiniteFieldCyclicSecp256k1::8246393476562849390,
 FiniteFieldCyclicSecp256k1::9504037737346406753]

In [11]:
reduce(add,
    [[reduce(add,
            [(Mat(_x) * _a) * Mat(_y).T 
                for (_x, _y, _a) in zip(x(e), y(e), a)]).item()
        for e in range(n)]])

[FiniteFieldCyclicSecp256k1::8396719290579805322,
 FiniteFieldCyclicSecp256k1::8106423552603352952,
 FiniteFieldCyclicSecp256k1::7959130832723529775,
 FiniteFieldCyclicSecp256k1::8722310850715446423,
 FiniteFieldCyclicSecp256k1::8806579858388111076]

$$
Z=\sum_{i=1}^m a_i X_iY_i \\
\mathbf{z}=\sum_{i=1}^m a_i \mathbf{x}_i Y_i \\
$$

In [12]:
Z = reduce(add, [Mat(_X) * _a * Mat(_Y)
                 for (_X, _Y, _a) in zip(X, Y, a)])

In [13]:
zs = reduce(add, [Mat(_x) * _a * Mat(_Y)
                  for (_x, _Y, _a) in zip(x(0), Y, a)])

In [14]:
zs in Z

True

$$
Z=\sum_{i=1}^m a_i X_i \circ Y_i \\
\mathbf{z}=\sum_{i=1}^m a_i \mathbf{x}_i \circ Y_i \\
$$

In [15]:
Z_h = reduce(add, [Hada(Mat(_X), Mat(_Y)) * _a
                 for (_X, _Y, _a) in zip(X, Y, a)])

In [17]:
zs_h = reduce(add, [Hada(Mat(_x), Mat(_Y)) * _a 
                  for (_x, _Y, _a) in zip(x(0), Y, a)])

In [18]:
zs_h in Z_h

True

### 4.1 Reducing Many Equations of the Form $z=\sum_{i=1}^m a_i \mathbf{x}_i \mathbf{y}_i^\top
$ to a Single Equation

Randomization can be used to reduce $Q$ equations of the form $z=\sum_{i=1}^{m_q} a_i \mathbf{x}_{qi} \mathbf{y}_{qi}^\top$ to one single equation of the form $z=\sum_{i=1}^m \mathbf{x}_i \mathbf{y}_i^\top$, where $m=\sum_{q=1}^Qmq$

The $Verifier$ selects $(r_1,\cdots,r_Q)\leftarrow Van_Q(\mathbb{Z}_p)$, 

In [19]:
q = n
r0 = random_f()
r = [r0 ** i for i in range(1, q+1)]

and ask the $Prover$ to demonstrate:

$$
\sum_{q=1}^Q r_q z_q = \sum_{q=1}^Q\sum_{i=1}^{m_q}(r_q a_{qi}\mathbf{x}_{qi})\mathbf{y}^\top_{qi}
$$

This is a comparison of two degree $Q-1$ polynomials in the challenge consisting of a ﬁeld element.By the Schwartz-Zippel lemma, there is probability at most $\frac{Q-1}{p}$ for the test to pass unless indeed all the equations hold.

The probability of $\sum_{q=1}^Q r_q = 0$ is $\frac{Q-1}{p}$

By set $z=\sum_{q=1}^{Q}r_q z_q$, $x'=r_{q}a_{qi}\mathbf{x}_{qi}$, we get:

$$
z=\sum_{q=1}^Q\sum_{i=1}^{m_q} \mathbf{x}'_{qi} \mathbf{y}^\top_{qi}
$$

In [20]:
# z
z_ = reduce(add, [r[i] * z(i) for i in range(q)])

In [21]:
reduce(add, [reduce(add, [Mat(x(j)[i]) * r[j] * a[i] * Mat(y(j)[i]).T for i in range(m)])
 for j in range(q)]).tolist()[0][0]

FiniteFieldCyclicSecp256k1::984759594918231744822428911890227587993916582930

In [22]:
x_ = lambda q, i: Mat(x(q)[i]) * r[q] * a[i]

In [23]:
assert z_ == reduce(add, [reduce(add, [x_(i, j) * Mat(y(i)[j]).T 
       for j in range(m)])
       for i in range(q)]).item()

### 4.2 Reducing $\mathbf{z}=\sum_{i=1}^m a_i \mathbf{x}_i Y_i $ to the form $\mathbf{z}=\sum_{i=1}^m a_i \mathbf{x}_i \mathbf{y}_i$


* Move 1:

The $verifier$ picks $\mathbf{t} \leftarrow Van_n(\mathbb{Z}_p)$, and asks the prover to demonstrate:

$$
zt^\top = \left(\sum_{i=1}^ma_i\mathbf{x}_iY_i\right)\mathbf{t}^\top=\sum_{i=1}^m a_i\mathbf{x}_i(Y_i\mathbf{t}^\top)
$$