🪄
SNARK Fundamentals
  • 🪄SNARK Fundamentals: A Complete Beginner's Introduction
  • Part 1. What are SNARKs?
    • Argument of Knowledge
    • zkSNARKs in Action
  • Part 2. Math (to get to PLONK)
    • Fundamental Objects
    • Schwartz-Zippel and Polynomials
    • Elliptic Curves and DLOG
    • Polynomial Commitment Schemes
  • Part 3. Proof systems in the wild
    • A Bird’s Eye View of PLONK
    • Comparing Proof Systems
  • 🧙Further exploration
Powered by GitBook
On this page
  • Polynomial degree
  • Schwartz-Zippel Lemma
  1. Part 2. Math (to get to PLONK)

Schwartz-Zippel and Polynomials

We now want to introduce an idea called the Schwartz-Zippel lemma. A lemma is a proven statement used for proving other statements or theorems. The names Schwartz and Zippel reflect the names of some of the discoverers of this lemma.

This idea is statistical and it is going to be pinnacle in allowing us to check that a prover's computation has been done correctly. By choosing a random number and evaluating a polynomial there, we will be able to see whether a prover did their work in a valid way. Since the prover doesn't know what this number will be, they cannot 'prepare' their polynomial for it.

Before we formally define it, we want to touch on polynomials a little bit more. Most of what happens in zkSNARKs is to do with polynomials so spending more time on them is always worthwhile.

Polynomial degree

To recap, a polynomial is a formula where the variables have powers with positive, whole numbers, like f(x)=3x2+4f(x)=3x^2+4f(x)=3x2+4 or g(x,y)=x3y7+6x3g(x,y)=x^3y^7+6x^3g(x,y)=x3y7+6x3.

We often work with certain types of polynomials where there is an additional restriction. In SNARKs, we are interested in polynomials where the coefficients are all elements of a field.

Coefficients are numbers in front of the variables. In f(x)=3x2−8x+4f(x)=3x^2-8x+4f(x)=3x2−8x+4 the coefficients are: 333 for x2x^2x2 and −8-8−8 for xxx.

Let's say our field is F11\mathbb{F}_{11}F11​, then f(x)=3x2−8x+4f(x)=3x^2-8x+4f(x)=3x2−8x+4 would be a relevant polynomial (remember that in F11\mathbb{F}_{11}F11​ we have that 8+3=11≡0 mod 118+3=11\equiv0\bmod118+3=11≡0mod11, and therefore −8≡3 mod 11-8\equiv3\bmod11−8≡3mod11), but f(x)=3.4x2−8x+4f(x)=3.4x^2-8x+4f(x)=3.4x2−8x+4 wouldn't because it contains a fraction.

In terms of notation, we usually use F11[X]\mathbb{F}_{11}[X]F11​[X] to indicate the polynomials that we are interested in. F11\mathbb{F}_{11}F11​ indicates that we want the coefficients to be in F11\mathbb{F}_{11}F11​, whilst [X][X][X] the says that this will be a polynomial with xxx as a variable. The polynomials can have powers of xxx that are arbitrarily high, there is no limit on that.

We refer to the highest power of xxx in a polynomial as the degree of the polynomial. For example the degree of f(x)=3x7+52+2f(x)=3x^7+5^2+2f(x)=3x7+52+2 is 777. The degree will play an important part in the Schwartz-Zippel lemma.

As will almost always be the case in cryptography, we are primarily interested in evaluating it on values from a field or a group. For example we might choose to evaluate these polynomials only at values within Fq\mathbb{F}_qFq​ where qqq is some huge prime.

Schwartz-Zippel Lemma

The Schwartz-Zippel lemma essentially tells us that if we have two polynomials that have the same degree (the highest power term), for example f(x)=3x7+5x2+2f(x)=3x^7+5x^2+2f(x)=3x7+5x2+2, and some g(x)g(x)g(x) whose highest power is 7 (so its degree is also 7), then if we evaluate them at some randomly chosen point, let's say a∈Fqa\in\mathbb{F}_qa∈Fq​ (the ∈\in∈ notation simply means the thing on the left is some element from the set on the right), and they have the same evaluation, so f(a)=bf(a)=bf(a)=b and g(a)=bg(a)=bg(a)=b, then it is safe to assume that the polynomials are actually the same, i.e. that f(x)=g(x)f(x)=g(x)f(x)=g(x).

But why is it safe to assume they are the same polynomial if they have the same evaluation? There are two primary things we need to think about.

Firstly, we need to consider the degree of our polynomials. If a polynomial fff has degree ddd, then fff can cross the x-axis (i.e. evaluate to 0) at at most ddd points. In fact, fff cannot evaluate to any value b∈Fqb\in\mathbb{F}_qb∈Fq​ more than ddd times. Let's explore that visually a bit.

If we have a constant polynomial, i.e. where there are no powers of xxx, for example f(x)=4f(x)=4f(x)=4, then the graph is just a horizontal line. Okay this actually breaks our rule since f(x)=0f(x)=0f(x)=0 crosses the x-axis everywhere. But the case of a constant polynomial (there are no powers of xxx, so the degree is 000) is a special case.

What about if the degree is 111, like f(x)=xf(x)=xf(x)=x? Well this curve will just be an upwards slope of 45∘45^\circ45∘. According to our rule, this line cannot cross any horizontal line more than once.

If we were to look at f(x)=x2f(x)=x^2f(x)=x2, we would have a more bendy curve. But let's try the same thing, draw horizontal lines and try to see if the curve crosses these lines at more than two points. Again, we won't find any.

These examples show that for a degree ddd polynomial, any horizontal line in the graph cannot be crossed by the polynomial’s curve more than ddd times. If aaa is genuinely chosen at random after the polynomials are created, then it is not feasible to engineer ggg to evaluate to the same value as fff at aaa. Since the only way to arrive at the same value is by guessing, all we are left with is probability.

You might think that we can engineer ggg so that its curve is the same as the curve of fff in most places, but make them differ in a few places.This is not possible - the curves of fff and ggg can only cross in at most ddd places. If they crossed at more places, then we could look at their difference f−gf-gf−g. Since fff and ggg are both degree ddd polynomials, f−gf-gf−g will also be of degree ddd. But if fff and ggg crossed each other more than ddd times, f−gf-gf−g will equal 000 more than ddd times, violating the rule we introduced above.

So if fff and ggg are different polynomials, meaning their curves cross each others in at most ddd places, how likely is it that they evaluate to the same value at aaa?

If ppp is some number on the order of 108010^{80}1080, and the degree ddd of our polynomials is on the order of 101010^{10}1010, then the chance of choosing something from the 101010^{10}1010 bucket within the 108010^{80}1080 bucket is roughly 10101080=11070\frac{10^{10}}{10^{80}}=\frac{1}{10^{70}}10801010​=10701​. How small is that? 107010^{70}1070 is roughly the number of atoms in our galaxy, the Milky Way. It is so unlikely that it is completely unreasonable to ever expect it to happen. The numbers we chose here reflect standard values we use in our zkSNARKs.

Putting that all together, we can conclude that:

  1. If f(x)=g(x)f(x)=g(x)f(x)=g(x), then f(a)=g(a)f(a)=g(a)f(a)=g(a) for all values of a∈Fqa\in\mathbb{F}_qa∈Fq​

  2. If f(x)≠g(x)f(x)\neq g(x)f(x)=g(x), then the probability that f(a)=g(a)f(a)=g(a)f(a)=g(a) for a randomly chosen aaa is vanishingly small

Because of the above two situations, the Schwartz-Zippel lemma follows that if two polynomials of the same degree evaluate to the same value on a randomly chosen point, then they are the same polynomial. Neat!

Note: We said that aaa would have to be chosen at random after the two polynomials fff and ggg were already chosen. There is another scenario where this also works. If there is a way to keep aaa invisible but still evaluate our polynomials there, then we can keep reusing this invisible value aaa. A trusted setup lets us create this invisible value aaa, which lets us create polynomial commitment schemes that allow us to check a prover’s proof, as we will see in a later section.

PreviousFundamental ObjectsNextElliptic Curves and DLOG

Last updated 1 year ago