Home

File download: Dark White Here I’m not going to describe the general definition of zk-SNARK or any related terms. Instead, I’ll try to help reader to understand the underling math of one of the first popular and novel zk-SNARK protocols called a Pinocchio protocol appeared in 2013. Special thanks to Anton Levochko and ZK-DL lectur...

Commitment Vortex has much in common with Ligero (frankly speaking, it has been built using Ligero idea). So, imagine we have a list of polynomials $f_0,\dots,f_{k-1}$. We want to commit them and evaluate at the same point at the same time. We describe each polynomial as vector $a_i$ where \[f_i(x) = \sum_{j=0}^{n-1} x^j\cdot a_{i,j}\] For si...

To commit to an $\ell$-variate multilinear polynomial $f(x)$ we assume it (as equivalent) to represent as a list of elements where each element at the position $i$ equals to $f(\tilde{i})$ where $\tilde{i}$ represents a bit string equivalent to the $i$ value. Then, we reorganize this list into the matrix $M$ of size $2^{\ell_0} \times 2^{\ell_1}...

Using KoalaBear field Linea and Gnark aim to operate over the koalabear field (over prime modulus 2^31 - 2^24 + 1). The usage of this field as the proving field (outer field) in modern proving backends may require implementing a field extension that increases the field size to ~128 bits. The goal they aim to achieve — enable the usage of fie...

Recently, I’ve realized that it is not so trivial to fund a precise but still quite understandable definition of RSA cipher and the underling math problem. So, here it is: The RSA problem Given $n = pq$, where $p$ and $q$ are large prime numbers, and an integer $e$ such that $e$ is coprime with $\phi(n) = (p-1)(q-1)$ (Euler’s totient function...

Twisted Edwards curves1 has a form of $ax^2 + y^2 = 1 + dx^2y^2$ (for fields with characteristic not 2) where the curve order 2 can be represented as $l \cdot 2^c$, where $c$ is a natural number, $l$ is a big prime number. So, it is obvious that our elliptic group has two subgroups and for the cryptography purposes wew always may select the grou...

Imagine Alice has $n$ values $m_i$, and she wants to share one of this value with Bob. Note that Bob does not want to reveal what exactly value he has selected. The solution to this problem is called “Oblivious transfer”. There exists a well known protocol that leverages an encryption scheme $E,D$ that owns a commutative property: \[\forall k_1...

The Weierstrass normal form of elliptic curves (in fields with characteristic != 2 and != 3) $y^2 = x^3 + ax + b$ over $Z_p$ field has found many applications in cryptography. But this curve form has also two types: non-singular ( that can be used in crypto) and singular (that can’t). Let’s take a look why singular curves causes problems in cryp...