Commit
Showing 3 changed files with 90 additions and 60 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,46 @@ | ||
### Some notes on the KZG proof construction: | ||
Lets start simple with a finite field and work up to creating two elliptic curve *groups* that have a pairing or bilinear map (more on that later). | ||
First lets pick a finite field of prime order $p$, we pick $p=101$ since it is small and we are able to follow along plonk-by-hand. | ||
In general large primes are good but we will use a small one just for the sake of example. | ||
Next lets pick an elliptic curve $y^2=x^3+3$, there are some heuristics to curves that i encourage you to learn more about if you like but you can also black box and know that this is a good curve. | ||
So now we have two algebraic structures: | ||
- finite field $F_{101}$ | ||
- curve $y^2=x^3+3$ | ||
Initially this elliptic curve is just a continuous squiggle, which isn't the most useful. But we can make it discrete by constraining it's points to reside in the field. | ||
Now it doesn't look like the squiggle we know and love but instead a lattice (you can see [here](https://andrea.corbellini.name/ecc/interactive/modk-add.html) by switching from real numbers to finite fields ). | ||
|
||
Now we have a set of discrete points on the curve over the finite field that form a *[group](https://en.wikipedia.org/wiki/Group_(mathematics))*, a group has a single operation called the group operation, it is perhaps more abstract than a field. | ||
The group operation on this set of curve points is point addition which we all know and love with the squiggly lines, intersections and reflections. From this group operation we can create point doubling, and as a result, scalar multiplication (how many times do we double a point) as handy abstractions over the single group operation. | ||
|
||
To review we have a curve group call it $E1$ and the base field $F_{101}$ | ||
Elements in the curve group are points (pairs of integers) that lie in the field $F_{101}$. | ||
|
||
Now to create a pairing friendly curve we first must find the curve groups order. | ||
The order is how many times do we double the generator to get the generator again, the reason we can do this is because our group is cyclic. | ||
Now if our base field $F_{101}$ is of prime order, then any point in the curve group is a generator. | ||
So in practice you can pick a point and double it untill you get back to itself (remember to check the inverse!). | ||
This defines the scalar field $F_r$ where $r$ is the order. | ||
In our case this is $17$. | ||
Once we have have this we can computer the embedding degree. | ||
The embedding degree is the smallest number $k$ such that $r | p^k - 1$ where $r$ is the order of the curve: $17$ | ||
For us this is $2$, we can check that 17 divides $101^2 -1$ as $10200 / 17 = 600$ ✅. | ||
So now we have an embedding degree of our curve. | ||
|
||
The next step is to construct a field extension from the first field such that $f_{p^2}$ is a field extension of $f_p$, we extend with $x^2 + 2$ which is irreducible in $F_{101}$ | ||
The elements of the extension field are two degree polynomials where the coefficients are in $F_{101}$ | ||
Now we can construct pairing friendly curve over the field extension and get a generator point for the second curve: $g2 = (31, 36x)$ | ||
Our second curve group now E2, is over the same curve but now over the field extension. | ||
It's points are now represented by two degree polynomials (because our embedding degree is two), not integers. | ||
We now have two pairing friendly groups $E1$ and $E2$ and generators for both of them. | ||
|
||
The next step is to construct the structured refrence string SRS with g1 and g2. The structured refrence string is generated by multiplying the generator points by some randomness $\{S^i\}$, the SRS needs to be a vector of length $t$ where $t$ is the number of constraints in the proof. | ||
This is same as the degree of the polynomial which we would like to prove knowledge of. | ||
KZG Proves an arbitrary polynomial. Plonk can be used to represent some computation as a polynomial. | ||
|
||
Commit to a polynomial using the g1_SRS: This is done by multiplying the polynomial coefficients by the g1_SRS points (scalar multiplication in the curve group) and adding the resulting points to each other to get a single point that represents the commitment call it `p_commit`. | ||
|
||
Opening involves choosing a point to evauluate the polynomial at and dividing the polynomial by .... (need the notes for this). the resulting polynomial is also combined with the g1_SRS to get a new commitment curve point call it `q_commit`. | ||
|
||
Then we do the pairing check. | ||
|
||
$e(q_{commit}, g2srs[0] - g2* point) = e(p_{commit} - g1srs[0] * val, g2)$ |
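Review bot: the opening step, "Opening involves choosing a point to evauluate the polynomial at and dividing the polynomial by .... (need the notes for this)", leaves the core of the construction unstated while the pairing check two lines later depends on it: the evaluation point and claimed value that appear there as `point` and `val` are never introduced, and the quotient should be named as the polynomial obtained by dividing $p(x) - val$ by $(x - point)$ (exact division only when $val$ is the true evaluation), with `q_commit` being the g1_SRS combination of that quotient's coefficients, exactly as `p_commit` is for $p$. The index in the check itself, `$e(q_{commit}, g2srs[0] - g2* point) = e(p_{commit} - g1srs[0] * val, g2)$`, also looks inconsistent with the convention used on its right side: there `g1srs[0]` is the plain generator scaled by `val`, so `g2srs[0]` is the unscaled `g2` and the left argument `g2srs[0] - g2 * point` collapses to `g2` times $(1 - point)$, which no longer involves the secret $S$ at all and so does not tie `q_commit` to `p_commit`; the left pairing needs the g2 SRS element that carries $S$ (`g2srs[1]` under this indexing), or the text should state explicitly that the g2 SRS starts at $S^1$. Two earlier statements need correcting as well: "if our base field $F_{101}$ is of prime order, then any point in the curve group is a generator" attributes the property to the wrong object (every non-identity point generates because the group order $r = 17$ is prime; a prime base field does not give that), and "how many times do we double the generator to get the generator again" describes the order as doubling when it is the smallest $r$ with $r \cdot G$ equal to the identity under repeated addition. The SRS length is off by one for the stated use: a polynomial of degree $t$ has $t + 1$ coefficients, so the commitment needs $g1srs[0..t]$. Minor: elements of $F_{p^2}$ are polynomials of degree less than two (of the form $a + bx$), not "two degree polynomials", and typos "untill", "computer the embedding degree", "refrence", "evauluate".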
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
# Tiny RSA | ||
|
||
RSA was one of the firs assymetric cryptographic primitives in which the key used for encryption is different from the key used for decryption. | ||
The security of RSA is based on the difficulty of factoring large integers. | ||
|
||
## Key Generation | ||
|
||
1. Consider two large prime numbers $p$ and $q$. | ||
2. Calculate $n = p \times q$ | ||
3. Calculate $\phi(n) = (p-1) \times (q-1)$ | ||
4. Choose $e$ such that $1 < e < \phi(n)$ and $e$ is coprime to $\phi(n)$, or in other words $gcd(e, \phi(n)) = 1$ | ||
5. Calculate $d$ such that $d \times e \equiv 1 \mod \phi(n)$ | ||
|
||
## Keys | ||
Private Key = $(d, n)$ | ||
Public Key = $(e, n)$ | ||
|
||
## Encryption | ||
- $c = m^e \mod n$ | ||
|
||
## Decryption | ||
- $m = c^d \mod n$ | ||
|
||
See the examples in the tests.rs file | ||
|
||
## Security Assumptions | ||
The security of RSA relies on the assumption that it is computationally infeasible to factor large composite numbers into their prime factors, known as the factoring assumption. This difficulty underpins the RSA problem, which involves computing eth roots modulo n without the private key. |
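Review bot: step 1 of Key Generation, "Consider two large prime numbers $p$ and $q$", should require the two primes to be distinct; if $p = q$ the formula in step 3, $\phi(n) = (p-1) \times (q-1)$, is wrong (it would be $p(p-1)$) and $n$ is a perfect square, so the key is factored by a square root. The Encryption section is missing its precondition: $c = m^e \mod n$ only decrypts back to $m$ under $m = c^d \mod n$ when the message is an integer with $0 \le m < n$, so the README should say messages above $n$ are rejected (or split), and because no padding step appears anywhere the scheme as written is textbook RSA, which is deterministic (equal plaintexts give equal ciphertexts) and malleable (the product of two ciphertexts decrypts to the product of the plaintexts); the Security Assumptions section should state that the factoring and RSA assumptions are necessary but not sufficient for this unpadded form, which is for study only, and that deployed use relies on a padding scheme such as RSA-OAEP. Minor: "firs assymetric" for "first asymmetric", "eth roots" for "$e$-th roots", `$gcd(e, \phi(n))$` for `$\gcd(e, \phi(n))$`, and the pointer "See the examples in the tests.rs file" would be easier to follow as a relative link to that file.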