After understanding of the folding scheme of relaxed R1CS, of which the key idea is you can “fold” two proofs to be one, with this ability of relaxed R1CS in mind, how can one build a recursive proof from scratch? in this note I will describe several attempts to build …
Category: Uncategorized
The Short NIZK Argument in Pribank
We give a commit-and-prove zero-knowledge argument Protocol for the satisfiability of a QAP for an arithmetic circuit \(C\). For wires in the circuit \(\{a_i\}_{i=0}^n\), we denote the input witnesses are \(\{a_i\}_{i=0}^k\), the inner circuit witnesses are \(\{a_{i}\}_{i=k+1}^l\) and the statements wires are \(\{a_{i}\}_{i=l+1}^n\). The quadratic arithmetic program, Pedersen commitment and …
KZG Commitment
Properties of KZG:
- Trusted setup 🙁
- Pairings
- constant sized Polynomial 🙂
Trusted Setup
To commit to degree \(\leq l\) polynomials, we need to construct Structured Reference Strings: \( (g, g^\tau, g^{\tau^2} , …, g^{\tau^l})=(g^{\tau^i})_{i\in [0,l]}\)
Note 1: The trapdoor \(\tau\) is generated by distributed protocols, for instance, ….
Note 2: …