Sign in

This is a series of articles. Part 7,​ ​ PDF version

Since the introduction of the general-purpose computation protocol (Proof of Operation section) we had to let go of the zero-knowledge property, to make the transition simpler. Until this point, we have constructed a verifiable computation protocol.

Previously to make a proof of polynomial zero-knowledge we have used the random δ-shift, which makes the proof indistinguishable from random (Zero-Knowldge section):

With the computation we are proving instead that:

This is a series of articles. Part 6,​ ​ PDF version


Our analysis has been primarily focusing on the notion of operation. However, the protocol is not actually “computing” but rather is checking that the output value is the correct result of an operation for the operand’s values. That is why it is called a constraint, i.e., a verifier is constraining a prover to provide valid values for the predefined “program” no matter what are they. A multitude of constraints is called a constraint system (in our case it is a rank 1 constraint system or R1CS).

Note: This implies…

This is a series of articles. Part 5,​ ​ PDF version

We went through many important modifications of the knowledge of polynomial protocol to make it general-purpose, so let us see how it is defined now. Assuming agreed upon function ​ f(*) the result of computation of which is the subject of the proof, with the number of operations d, the number of variables n and corresponding to them coefficients

This is a series of articles. Part 4, ​ ​PDF version

With the multi-operation polynomials approach introduced in part 4, we can prove many operations at once (e.g., millions and more), but there is a critical downside to it.

If the “program,” execution for which is being proved, uses the same variable, either as an operand or as output, in different operations, for example:

The a will have to be represented in the left operand polynomial for both operations as:

This is a series of articles. Part 3, ​ PDF version.

We have paved our way with a simple yet sufficient example involving most of the zk-SNARK machinery, and it is now possible to advance the scheme to execute zero-knowledge programs.


Let us consider a simple program in pseudocode:

Algorithm 1: Operation depends on an input
function calc(w, a, b)
if w then
return a × b
return a + b
end if
end function

From a high-level view, it is quite unrelated to polynomials, which we have the protocol for. Therefore we need to find a way…

This is a series of articles. Part 2,​ ​ PDF version


Till this point, we had an interactive zero-knowledge scheme. Why is that the case? Because the proof is only valid for the original verifier, nobody else (other verifiers) can trust the same proof since:

  • the verifier could collude with the prover and disclose those secret parameters s,α which allows to fake the proof, as mentioned in remark 3.1
  • the verifier can generate fake proofs himself for the same reason
  • verifier have to store α and t(s) until all relevant proofs are verified, which allows an extra attack surface with…

This is a series of articles. Part 1,​ ​ PDF version.

We start with a problem of proving the knowledge of a polynomial and make our way to a generic approach. We will discover many other properties of polynomials along the way.

The discussion so far has focused on a weak notion of a proof, where parties have to trust each other because there are no measures yet to enforce the rules of the protocol. For example, the prover is not required to know a polynomial, and he can use any other means available to him to come up with…

The article is an adaptation of the PDF version.

Despite the existence of multiple great resources on zk-SNARK construction, from original papers [Bit+11; Par+13] to explainers [Rei16; But16; But17; Gab17], due to the sheer number of moving parts the subject remains a black box for many. While some pieces of the puzzle are given one can not see the full picture without the missing ones.

The first time author discovered how things fit nicely together, one was astounded by the beauty of math, and the more dimensions were uncovered, the more it kept the spirit of wonderment. Hence the focus…

A private blockchain is a great way to achieve consensus between independent companies on transactions they do between each other. It brings decentralization into the equation, where no single party is responsible for maintaining master records and running business logic, and therefore has to be trusted.

While usually, parties are cooperating, they live in an open market’s competing environment, hence no chance they will open up all business activities to each-other, therefore giving up competitive advantage. This single fact has proven consortium chains to be useless if there’s no confidentiality. …

It was a great and surprisingly very welcoming experience to demo first ever Title Deed registration on the Quorum blockchain. Other physical objects such as a bar of gold and a package for shipment was demoed at Enterprise Ethereum Alliance launch event.

Discover how can you give cryptographic identity to any physical object and connect the dots between real world and the blockchain world.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store