The mathematical foundations of zero-knowledge proofs: interactive proof systems, Sigma protocols, Fiat-Shamir, polynomial commitments, R1CS, QAPs, Groth16, PLONK, and STARKs.
Zero-knowledge proofs are the mathematical machinery behind privacy-preserving computation, zkRollups, and verifiable computation. This course builds the complete mathematical stack: interactive proof systems, Sigma protocols and special soundness, the Fiat-Shamir transform, polynomial commitments (KZG, FRI), R1CS constraint systems, Quadratic Arithmetic Programs, Groth16, PLONK, and STARKs with recursive composition. Every concept is illustrated with worked Python implementations.
Built by Lakshya Kumar
Paste this into any AI chat. Fill in the bracketed parts with your context — you'll get back a straight answer on whether this belongs on your plate.
We grant free access case-by-case — students, career-switchers, builders on a tight budget. Sign in to send us a note.
Sign in to applyComplete all modules, then submit the required number of capstone projects. Each must earn a passing rating from an admin reviewer.
Choose one: implement the Schnorr identification protocol and convert to a Fiat-Shamir NIZK with a special-soundness extractor; implement a Groth16 verifier in Python that checks the pairing equation for a given R1CS and proof; or implement PLONK gate satisfaction for a 3-gate circuit with permutation argument. Include a 6–8 page analysis of completeness, soundness, and zero-knowledge.
I'm studying ZKP Mathematics: interactive proof systems, Sigma protocols, special soundness, the Fiat-Shamir transform, Pedersen commitments, KZG polynomial commitments, R1CS, QAPs, Groth16, PLONK (permutation argument), and STARKs (FRI, AIR, recursive composition). Context: 1. My goal: [e.g. "understand zkRollups", "build circuits in Circom/Noir", "audit a ZK protocol"] 2. My background: [e.g. "completed Cryptography module", "blockchain engineer using ZK libraries"] 3. One thing I'm stuck on: [e.g. "how does the QAP satisfiability check prevent cheating?", "what does zero-knowledge formally mean?"] Answer: - For (3): give a precise definition then a counterexample showing what breaks without it. - What's the most important module for my goal? - What's the key mathematical insight separating Groth16 from PLONK from STARKs?
Implement KZG (or FRI) polynomial commitment from scratch. Commit to a degree-N polynomial; open at a point; verify the proof. Benchmark commitment, opening, and verification at N=128, 1024, 8192.
Translate a simple computation (Poseidon-style hash) into Plonk-style custom gates with copy constraints. Document the gate count, the witness layout, and the constraint system. Compare to an R1CS arithmetization of the same computation.
Run a 3-party trusted setup ceremony for a small Groth16 circuit: each party contributes randomness, verifies the previous transcript, and produces a new transcript. Generate proofs with the resulting CRS. Document the security properties.
Implement a small STARK proof for a Fibonacci sequence (10-step). Use FFT-based polynomial operations, FRI commitment, and Merkle verification. Verify the proof's soundness via tampered-witness experiments.
Excellent intuitive walkthrough from R1CS to Groth16. Read before Module 7.