ZKDL
Camp

About

ZKDL Camp is a series of lectures on zero-knowledge (ZK) proofs, conducted at Distributed Lab, in which we explore "from scratch" how modern zk-SNARKs such as Groth16, PlonK, GKR work, including all the mathematical components they rely on.

Note that this course is designed for a full low-level understanding of these protocols and, accordingly, all the mathematics on which they are based. That is why the course covers not only ZK theory itself and its applications, but also the basic mathematics level needed to understand ZK and cryptography in general.

Book

Based on the lecture material, we composed a book, which is available by the link below. Note that the book is still in active development, and we are looking forward to your feedback on it. If you want to contribute, visit our GitHub Repository and leave your comments or pull requests.

Book Cover
Open Book

Lectures

Lecture 18: UltraGroth

Speaker: Dmytro Zakharov

Content. Embedding lookup checks into Groth16 is unfortunately currently impossible. UltraGroth is a protocol designed to insignificantly modify Groth16 to introduce lookup checks that optimize arithmetical circuits written over R1CS. In this lecture, we consider the construction of UltraGroth, how to build interactive protocol over multi-round QAP, and efficiency of such construction.

Lecture 17: Lookup Tables

Speaker: Dmytro Zakharov

Content. This lecture introduces a powerful tool to reduce the number of constraints in the arithmetical circuits representing complex non-native logic in the given zero-knowledge protocol. We consider two widely used lookup protocols: plookup and logup.

Lecture 16: GKR and Offline Memory Checking

Speakers: Dmytro Zakharov and Anton Levochko

Content. This lecture introduces the first application of Sum-Check protocol for building SNARK over Circuit Satisfiability problem. Additionally, we specify how Sum-Check is used for Offline Memory Checking problem.

Lecture 15: Sum-Check Protocol

Speaker: Dmytro Zakharov

Content. This lecture introduces Sum-Check protocol which is a cornerstone of many modern zk-SNARKs. Additionally, we introduce the notion of multilinear polynomials and how to encode certain problems into the multilinear form.

Lecture 14: Bulletproofs

Speaker: Yevhen Hrubian

Content. In this lecture, we consider Bulletproofs. This zero-knowledge proof system has logarithmic proof size, requires no trusted setup, and requires minimal cryptographic assumptions: only the discrete log assumption. In this lecture, we introduce inner-product argument and corresponding polynomial commitment scheme, and explain how to use it for range proofs and arithmetic circuits satisfiability.

Lecture 13: Number Theoretic Transform (NTT/FFT)

Speaker: Dmytro Zakharov

Content. All previous lectures required (a) interpolation and (b) fast operations over polynomials. In this lecture, we consider the widely used technique to reduce the complexity of such tasks from quadratic to quasilinear. Namely, we consider:

  • Barycentric Interpolation.
  • Finite Field roots of unity.
  • What are NTT and Inverse NTT problems.
  • NTT algorithm derivation and implementation.

Lecture 12: PlonK Arithmetization

Speaker: Nikita Masych

Content. Groth16 is not the only zk-SNARK protocol used in practice! In this lecture, we will consider the PlonK protocol, which is frequently used in various zkEVM implementations. Here, we cover:

  • PlonK Arithmetization
  • How gates work in PlonK. Custom Gates.
  • Gate and Wiring Satisfiability Checks.
  • Permutation Check over Polynomials.

Lecture 11: Programming ZKPs in Circom

Speaker: Kyrylo Riabov

Content. After covering the Groth16 zk-SNARK theory, we will move to the practical part of the course. Here, we will learn how to use Circom to create circuits and generate proofs. Here, we cover:

  • Basic Circom syntax.
  • Creating circuits.
  • Generating proofs.
  • Interpreting all the generated data such as .r1cs, .sym, proof.json, and how they relate to the previously covered theory.

Lecture 10: Pairing-based zk-SNARKs

Speakers: Anton Levochko and Dmytro Zakharov

Content. Finally, we consider one of the most advanced zk-SNARKs: Pinocchio and Groth16. Here, we cover:

  • Turning QAP into succint verification over encrypted space.
  • Making SNARK sound.
  • Turning SNARK into zk-SNARK.
  • Pinocchio Protocol.
  • Groth16 Protocol.

Lecture 9: Quadratic Arithmetic Program. Probabilistically Checkable Proofs

Speaker: Anton Levochko

Content. With R1CS in our hands, we are now ready to succintly represent it as a Quadratic Arithmetic Program (QAP). Additionally, we consider other basic theory before specifying the Groth16 protocol. Here, we cover:

  • Turning R1CS into QAP.
  • What is PCP, IPCP, IOP.
  • Proof of Exponent.

Lecture 8: SNARKs. Arithmetical Circuits

Speaker: Anton Levochko

Content. This is an opening lecture on SNARKs: technology we are using daily in our projects. Here, we cover:

  • The definition of zk-SNARK.
  • Arithmetic Circuits. Circuit Satisfability Problem.
  • Rank-1 Constraint System (R1CS) in vector and matrix forms.

Lecture 7: Sigma Protocols

Speaker: Dmytro Zakharov

Content. Here, we will consider the most basic form of interactive proofs - Sigma Protocols. We will understand how to turn them into non-interactive proofs and how to use them in practice. Here, we cover:

  • Schnorr Signature Scheme.
  • Sigma Protocols.
  • Examples of Sigma Protocols: Okamoto's and Chaum-Pedersen Protocols
  • Combining Sigma Protocols.

Lecture 6: Introduction to Zero-Knowledge Proofs

Speaker: Dmytro Zakharov

Content. This lecture finally introduces the concept of Zero-Knowledge Proofs and their applications. Here, we cover:

  • What is a cryptographic proof exactly?
  • Interactive Proofs.
  • Soundness and Zero-Knowledge definitions.
  • Proof vs Proof of Knowledge.
  • Fiat-Shamir Heuristic.

Lecture 5: Cryptographic commitment schemes

Speaker: Denis Riabtsev

Content. In this lecture we will dive into the design and application of various cryptographic commit schemes that are often used in zero knowledge proof systems. All in all, here we cover:

  • Hash-based commitments.
  • Vector commitments.
  • Polynomial commitments.

Lecture 4: Projective Coordinates and Pairing

Speaker: Dmytro Zakharov

Content. This lecture will touch the central part of SNARKs: elliptic curve pairing, its properties and applications. But first, we will cover projective coordinates and how they can be used to optimize elliptic curve operations. All in all, here we cover:

  • Relations and equivalence classes.
  • Projective Coordinates.
  • Adding points in projective coordinates. Scalar multiplication using double-and-add algorithm.
  • Elliptic Curve Pairing.
  • Pairing applications.

Lecture 3: Finite Field Extensions and Elliptic Curves

Speaker: Dmytro Zakharov

Content. Our primary focus will be on Finite Field Extensions, while also covering basics of Elliptic Curves. Here, we cover:

  • Finite Field Extensions
  • Algebraic Closure
  • Elliptic Curve Definition
  • Discere Logarithm on Elliptic Curves

Lecture 2: Security, Polynomials, Lagrange Interpolation

Speakers: Dmytro Zakharov and Denis Riabtsev

Content. In this lecture, we will continue covering the basic mathematics used in cryptography. Here, we cover:

  • Basic Security Definitions
  • Polynomials
  • Lagrange Interpolation: Shamir's Secret Sharing and Reed-Solomon Codes
  • Schwarz-Zippel Lemma
  • Number Theory

Lecture 1: Algebra Basics

Speaker: Dmytro Zakharov

Content. In this lecture, we will cover the basic mathematics required for understanding Zero-Knowledge Proving Systems. Here, we cover:

  • Basic Set Theory and Logic
  • Basic Group Theory
  • Fields. Finite Field Arithmetic.