## Exercise 96.

Define a decision function such that the associated language $L_{Exercise1}$ consists of all solutions to the equation $5x + 4 = 28 + 2x$ over $\mathbb{F}_{13}$. Provide a constructive proof for the claim: “There exists a word in $L_{Exercise1}$, and verify the proof.

**Solution:**

$\Sigma = \mathbb{Z}_{13}$

$R_{Exercise1} : \Sigma^* \rightarrow \{\text{true}, \text{false}\} ; \langle x_1, \ldots, x_n \rangle \mapsto
\begin{cases}
    \text{true} & \text{if } n = 1 \text{ and } 3 \cdot x_1 + 2 = 0 \\
    \text{false} & \text{else}
\end{cases} $

## Exercise 97.

Consider modular $6$ arithmetic ($\mathbb{Z}_6$) from example $11$, the alphabet $\Sigma = \mathbb{Z}_6$, and the following decision function:

$R_{example\_11} : \Sigma^* \rightarrow \{\text{true}, \text{false}\} ; \langle x_1, \ldots, x_n \rangle \mapsto
\begin{cases}
    \text{true} & \text{if } n = 1 \text{ and } 3 \cdot x_1 + 3 = 0 \\
    \text{false} & \text{else}
\end{cases} $

Compute all words in the associated language $L_{example\_11}$, provide a constructive proof for the statement “There exists a word in $L_{example\_11}$” and verify the proof.

**Solution:**

$L_{example\_11} = \{ \langle x_1, ..., x_n \rangle \in \Sigma^* | R_{example\_11}(\langle x_1, ..., x_n \rangle) = \text{true} \}$

In [16]:
Z6 = Integers(6)
Z6x = Z6['x']
print(f"L_example11 = {[x for x in range(6) if 3 * Z6x(x) + 3 == 0]}")

L_example11 = [1, 3, 5]


## Exercise 98.

Consider the modular $6$ arithmetic $\mathbb{Z}_6$ from example $11$ as the alphabets $\Sigma_I$ and $\Sigma_W$, and the following decision function: 

$R_{linear} : \Sigma_I^* \times \Sigma_W^* \rightarrow \{ \text{true}, \text{false} \};
\begin{cases}
    \text{true} & |i| = 3 \text{ and } |w| = 1 \text{ and } i_1 \cdot w_1 + i_2 = i_3\\
    \text{false} & \text{else}
\end{cases}$

Which of the following instances $(i_1, i_2, i_3)$ has a proof of knowledge in $L_{linear}$? 

$(3, 3, 0)$, $(2, 1, 0)$, $(4, 4, 2)$

**Solution:**

In [15]:
points = [(3,3,0), (2,1,0), (4,4,2)]
print("The following points have a proof of knowledge in L_linear:")
for x,y,z in points:
    for w in range(6):
        if Z6x(x) * Z6x(w) + Z6x(y) == Z6x(z):
            print(f"({x}, {y}, {z})")
            break

The following points have a proof of knowledge in L_linear:
(3, 3, 0)
(4, 4, 2)


## Exercise 99 (Edwards Addition on Tiny-jubjub).

Consider the Tiny-jubjub curve together with its twisted Edwards addition law from example $71$. Define an instance alphabet $\Sigma_I$, a witness alphabet $\Sigma_W$, and a decision function $R_{add}$ with associated language $L_{add}$ such that a string $(i; w) \in \Sigma^*_I \times \Sigma_W^*$ is a word in $L_{add}$ if and only if $i$ is a pair of curve points on the Tiny-jubjub curve in Edwards form, and $w$ is the sum of those curve points.

Choose some instance $i \in \Sigma^*_I$, provide a constructive proof for the statement “There is a witness $w \in \Sigma_W^*$ such that $(i; w)$ is a word in $L_{add}$”, and verify that proof. Then find some instance $i \in \Sigma^*_I$ such that $i$ has no knowledge proof in $L_{add}$.

**solution:**

$\Sigma_W^* = \{ (x, y) | 3 \cdot x^2 + y^2 == 1 + 8 * x^2 * y^2 \} \cup \{ (0, 1) \}$

$\Sigma_I^* = \Sigma_W^* x \Sigma_W^*$

$R_{add} : \Sigma^*_I x \Sigma_W^* \rightarrow \{\text{true}, \text{false}\} ; \langle (x_1, y_1), \ldots, (x_n, y_n) \rangle \mapsto
\begin{cases}
    \text{true} & \text{if } n = 3 
        \text{ and } x_3 = \dfrac{x_1 \cdot y_2 + y_1 \cdot x_2}{1 \cdot 8 \cdot x_1 \cdot x_2 \cdot y_1 \cdot y_2}
        \text{ and } y_3 = \dfrac{y_1 \cdot y_2 - 3 \cdot x_1 \cdot x_2}{1 - 8 * x_1 \cdot x_2 \cdot y_1 \cdot y_2}\\
    \text{false} & \text{else}
\end{cases} $

$L_{add} = \{ \langle (x_1, y_1), \ldots, (x_n, y_n) \rangle \in \Sigma^*_I x \Sigma^*_W | R_{add}(I;W) = \text{true} \}$

In [18]:
def addition(P, Q) -> (GF, GF):
    x1, y1 = P
    x2, y2 = Q
    x3 =  (x1 * y2 + y1 * x2) / (1 + d * x1 * x2 * y1 * y2) 
    y3 =  (y1 * y2 - a * x1 * x2) / (1 - d * x1 * x2 * y1 * y2)
    return (x3, y3)

F13 = GF(13)
a, d = (3, 8)
TE_TJJ_13 = [(x, y) for x in F13 for y in F13 if a * x^2 + y^2 == 1+ d * x^2 * y^2]

print((TE_TJJ_13[2], TE_TJJ_13[5]))
addition(TE_TJJ_13[2], TE_TJJ_13[5])

((1, 2), (2, 7))


(6, 9)

## Exercise 100.

Consider the language $L_{add}$ from Exercise $99$. Define an R1CS such that words in $L_{add}$ are in 1:1 correspondence with solutions to this R1CS.

## Exercise 101.

Consider the circuit $C_{tiny-jj}(\mathbb{F}_{13})$ from example $125$, with its associated language $L_{tiny-jj}$. Construct a proof $\pi$ for the instance $\langle 11, 6 \rangle$ and verify the proof.

## Exercise 102.

Consider the Rank-1 Constraint System for points on the Tiny-jubjub curve from example $121$. Compute an associated QAP for this R1CS and double-check your computation using Sage.
