## Exercise 96.

Define a decision function such that the associated language $L_{Exercise1}$ consists of all solutions to the equation $5x + 4 = 28 + 2x$ over $\mathbb{F}_{13}$. Provide a constructive proof for the claim: “There exists a word in $L_{Exercise1}$, and verify the proof.

**Solution:**

$\Sigma = \mathbb{Z}_{13}$

$R_{Exercise1} : \Sigma^* \rightarrow \{\text{true}, \text{false}\} ; \langle x_1, \ldots, x_n \rangle \mapsto
\begin{cases}
    \text{true} & \text{if } n = 1 \text{ and } 3 \cdot x_1 + 2 = 0 \\
    \text{false} & \text{else}
\end{cases} $

## Exercise 97.

Consider modular $6$ arithmetic ($\mathbb{Z}_6$) from example $11$, the alphabet $\Sigma = \mathbb{Z}_6$, and the following decision function:

$R_{example\_11} : \Sigma^* \rightarrow \{\text{true}, \text{false}\} ; \langle x_1, \ldots, x_n \rangle \mapsto
\begin{cases}
    \text{true} & \text{if } n = 1 \text{ and } 3 \cdot x_1 + 3 = 0 \\
    \text{false} & \text{else}
\end{cases} $

Compute all words in the associated language $L_{example\_11}$, provide a constructive proof for the statement “There exists a word in $L_{example\_11}$” and verify the proof.

**Solution:**

$L_{example\_11} = \{ \langle x_1, ..., x_n \rangle \in \Sigma^* | R_{example\_11}(\langle x_1, ..., x_n \rangle) = \text{true} \}$

In [16]:
Z6 = Integers(6)
Z6x = Z6['x']
print(f"L_example11 = {[x for x in range(6) if 3 * Z6x(x) + 3 == 0]}")

L_example11 = [1, 3, 5]


## Exercise 98.

Consider the modular $6$ arithmetic $\mathbb{Z}_6$ from example $11$ as the alphabets $\Sigma_I$ and $\Sigma_W$, and the following decision function: 

$R_{linear} : \Sigma_I^* \times \Sigma_W^* \rightarrow \{ \text{true}, \text{false} \};
\begin{cases}
    \text{true} & |i| = 3 \text{ and } |w| = 1 \text{ and } i_1 \cdot w_1 + i_2 = i_3\\
    \text{false} & \text{else}
\end{cases}$

Which of the following instances $(i_1, i_2, i_3)$ has a proof of knowledge in $L_{linear}$? 

$(3, 3, 0)$, $(2, 1, 0)$, $(4, 4, 2)$

**Solution:**

In [15]:
points = [(3,3,0), (2,1,0), (4,4,2)]
print("The following points have a proof of knowledge in L_linear:")
for x,y,z in points:
    for w in range(6):
        if Z6x(x) * Z6x(w) + Z6x(y) == Z6x(z):
            print(f"({x}, {y}, {z})")
            break

The following points have a proof of knowledge in L_linear:
(3, 3, 0)
(4, 4, 2)


## Exercise 99 (Edwards Addition on Tiny-jubjub).

Consider the Tiny-jubjub curve together with its twisted Edwards addition law from example $71$. Define an instance alphabet $\Sigma_I$, a witness alphabet $\Sigma_W$, and a decision function $R_{add}$ with associated language $L_{add}$ such that a string $(i; w) \in \Sigma^*_I \times \Sigma_W^*$ is a word in $L_{add}$ if and only if $i$ is a pair of curve points on the Tiny-jubjub curve in Edwards form, and $w$ is the sum of those curve points.

Choose some instance $i \in \Sigma^*_I$, provide a constructive proof for the statement “There is a witness $w \in \Sigma_W^*$ such that $(i; w)$ is a word in $L_{add}$”, and verify that proof. Then find some instance $i \in \Sigma^*_I$ such that $i$ has no knowledge proof in $L_{add}$.

**solution:**

$\Sigma_W^* = \Sigma_I^* = \mathbb{F}_{13} x \mathbb{F}_{13}$ 

$R_{add} : \Sigma^*_I x \Sigma_W^* \rightarrow \{\text{true}, \text{false}\} ; \langle (x_1, y_1), \ldots, (x_n, y_n) \rangle \mapsto
\begin{cases}
    \text{true} & \text{if } n = 3 
        \text{ and } (x_1, y_1) \in L_{tiny_jj}
        \text{ and } (x_2, y_2) \in L_{tiny_jj}
        \text{ and } x_3 = \dfrac{x_1 \cdot y_2 + y_1 \cdot x_2}{1 \cdot 8 \cdot x_1 \cdot x_2 \cdot y_1 \cdot y_2}
        \text{ and } y_3 = \dfrac{y_1 \cdot y_2 - 3 \cdot x_1 \cdot x_2}{1 - 8 * x_1 \cdot x_2 \cdot y_1 \cdot y_2}\\
    \text{false} & \text{else}
\end{cases} $

$L_{add} = \{ \langle (x_1, y_1), \ldots, (x_n, y_n) \rangle \in \Sigma^*_I x \Sigma^*_W | R_{add}(I;W) = \text{true} \}$

## Exercise 100.

> Consider the language $L_{add}$ from Exercise $99$. Define an R1CS such that words in $L_{add}$ are in 1:1 correspondence with solutions to this R1CS.

**Solution taken from [erhant' moonmath](https://github.com/erhant/moonmath)**

Twisted Edwards addition law for TinyJubJub is the following $(a = 3, d = 8)$:

$$
(x_1, y_1) \oplus (x_2, y_2) =
\left(
\frac
{x_1y_2 + y_1x_2}
{1 + 8x_1x_2y_1y_2}
,
\frac
{y_1y_2 - 3x_1x_2}
{1 - 8x_1x_2y_1y_2}
\right)
$$

solving for x_3 and y_3, we get the following two equations:

$$
\begin{align*}
    (1 + 8 \cdot x_1 \cdot x_2 \cdot y_1 \cdot y_2) \cdot x_3 = x_1 \cdot y_2 + y_1 \cdot x_2 \\
    (1 + 8 \cdot x_1 \cdot x_2 \cdot y_1 \cdot y_2) \cdot y_3 = y_1 \cdot y_2 - 3 \cdot x_1 \cdot x_2
\end{align*}
$$

Transforminging it to I and W's:
$$
\begin{align*}
    (1 + 8 \cdot I_1 \cdot I_3 \cdot I_2 \cdot I_4) \cdot W_1 = I_1 \cdot I_4 + I_2 \cdot I_3 \\
    (1 + 8 \cdot I_1 \cdot I_3 \cdot I_2 \cdot I_4) \cdot W_2 = I_2 \cdot I_4 - 3 \cdot x_I \cdot x_3
\end{align*}
$$

As a R1CS we have:

$$
\begin{align*}
    I_1 \cdot I_3 = W_3 \\
    I_2 \cdot I_4 = W_4 \\
    I_1 \cdot I_4 = W_5 \\
    I_2 \cdot I_3 = W_6 \\
    W_3 \cdot W_4 = W_7 \\
    (1 + 8 \cdot W_7) \cdot W_1 = W_8 \\
    (1 + 8 \cdot W_7) \cdot W_2 = W_9 \\
    (W_5 + W_6) \cdot 1 = W_8 \\
    (W_9 +  3 \cdot W_3) \cdot 1 = W4 \\
\end{align*}
$$

The matrices:

$$
A= (9 \times 13) = 
  \begin{bmatrix}
    0 & \ldots & a_{13}^1 \\
    \ldots & & \\
    a_0^9 & \ldots & a_{13}^9 
  \end{bmatrix}
$$

B = .., C = ...


$^*$ the column 0 correspond to the constant 1

**Own Solution:**

Run:
```bash
$ circom ex100.circom --r1cs --wasm --sym --c
```

**helper code:**

In [18]:
def addition(P, Q) -> (GF, GF):
    x1, y1 = P
    x2, y2 = Q
    x3 =  (x1 * y2 + y1 * x2) / (1 + d * x1 * x2 * y1 * y2) 
    y3 =  (y1 * y2 - a * x1 * x2) / (1 - d * x1 * x2 * y1 * y2)
    return (x3, y3)

F13 = GF(13)
a, d = (3, 8)
TE_TJJ_13 = [(x, y) for x in F13 for y in F13 if a * x^2 + y^2 == 1+ d * x^2 * y^2]

print((TE_TJJ_13[2], TE_TJJ_13[5]))
addition(TE_TJJ_13[2], TE_TJJ_13[5])

((1, 2), (2, 7))


(6, 9)

## Exercise 101.

> Consider the circuit $C_{tiny-jj}(\mathbb{F}_{13})$ from example $125$, with its associated language $L_{tiny-jj}$. Construct a proof $\pi$ for the instance $\langle 11, 6 \rangle$ and verify the proof.

From example 122:


$$
\begin{align*}
    I_1 \cdot I_1 = W_1 \\
    I_2 \cdot I_2 = W_2 \\
    (8 \cdot W_1) \cdot W_2 = W_3 \\
    (12 \cdot W_2 + W_3 + 10 \cdot W_1 + 1) \cdot = 0
\end{align*}
$$


```mermaid
flowchart TD
  %% inputs & constants
  x
  y
  10
  12
  1
  8

  %% gates
  m1((*))
  m2((*))
  m3((*))
  m4((*))
  m5((*))
  m6((*))
  a1((+))
  a2((+))
  a3((+))

  %% wirings
  10 --> m1
  m2 --S_3--> m1
  x --S_1--> m2
  x --S_1--> m2
  y --S_2--> m3
  y --S_2--> m3
  12 --> m4
  m3 --S_4--> m4
  m2 --S_3--> m5
  m3 --S_4--> m5
  m1 --> a1
  1 --> a1
  8 --> m6
  m5 --S_5--> m6
  a1 --> a2
  m6 --> a2
  a2 --> a3
  m4 --> a3
  a3 --S6--> f_tiny-jj
```

## Exercise 102.

> Consider the Rank-1 Constraint System for points on the Tiny-jubjub curve from example $121$. Compute an associated QAP for this R1CS and double-check your computation using Sage.

Taking the proof $\pi = \langle 4, 10, 8 \rangle$ for the point $\langle 11, 6 \rangle$


In [49]:
# Define the matrices A, B, C
A = Matrix([[0,1,0,0,0,0], 
            [0,0,1,0,0,0], 
            [0,0,0,8,0,0], 
            [1,0,0,10,12,1]])

B = Matrix([[0,1,0,0,0,0], 
            [0,0,1,0,0,0], 
            [0,0,0,0,1,0], 
            [1,0,0,0,0,0]])

C = Matrix([[0,0,0,1,0,0], 
            [0,0,0,0,1,0], 
            [0,0,0,0,0,1], 
            [0,0,0,0,0,0]])

F13 = GF(13)
F13x.<x> = F13[]
pi = [11, 6, 4, 10, 8]
witness = [F13(x) for x in [1] + pi]

def calculate_target(matrix, F: GF):
    # Number of random values needed
    n = matrix.nrows()  # example value for n
    values = [F.random_element() for _ in range(n)]
    print(f"random values draw: {values}")
    
    # Compute the polynomial (x - k_1)(x - k_2)...(x - k_n)
    R = PolynomialRing(F, 'x')
    x = R.gen()
    target = prod(x - k for k in values)
    print(f"target polynomial: {target}")
    return (values, target)

def matrix_polynomials(values: [GF], matrix, F_poly):
    polynomials = []
    for i in matrix.columns():
        poly = F_poly.lagrange_polynomial(zip(values, i))
        polynomials.append(poly)
    return polynomials

def polynomials_mult(polys, witness):
    return sum([poly_i * w_i for poly_i, w_i in zip(polys, witness)])

points, target_poly = calculate_target(A, F13)
Ais = matrix_polynomials(points, A, F13x)
Bis = matrix_polynomials(points, B, F13x)
Cis = matrix_polynomials(points, C, F13x)


P = polynomials_mult(Ais, witness) * polynomials_mult(Bis, witness) -  polynomials_mult(Cis, witness)
print(f"P: {P}")
assert P % target_poly == 0

random values draw: [1, 2, 9, 12]
target polynomial: x^4 + 2*x^3 + 4*x^2 + 11*x + 8
P: 12*x^6 + 2*x^5 + 7*x^4 + 11*x^3 + 9*x^2 + 11
