The stream link is here for all lectures. Please reach out to **zk-iap-2023@0xparc.org **with any questions!

# What is this course?

The Modern Zero Knowledge Cryptography IAP program surveys recent advancements in zero-knowledge cryptography over the last ten years, with a strong emphasis on their practical and user-facing applications.

Topics covered range from the mathematical foundations of modern zero-knowledge protocols (interactive protocols, elliptic curve cryptography, pairing-based cryptography, polynomial commitment schemes, zkSNARKs, and more) to practical constructions of digital systems enabled by ZK primitives (privacy-preserving identity and reputation systems, anonymous digital transaction systems, verifiable computation, and more). Towards the end of the course, students will implement their own “zero-knowledge circuits” that can be integrated into practical applications.

The focus of this course will be on developing a *conceptual understanding* of modern zero-knowledge. As this four-week course is intended to be a survey of the “full-stack” landscape, from theory to application, less emphasis is placed on precise mathematical rigor, and more emphasis is placed on conveying the big picture ideas and methods that commonly appear in modern ZK applications.

The Modern ZK Crypto program has three components: lectures and workshops, optional (ungraded) problem sets and exercises, and an optional project component which interested students are highly encouraged to participate in.

- What is this course?
- Lecture schedule & materials
- Student Notes
- Course Staff
- Prerequisites
- Logistics
- Class components
- Recommended Project
- Optional Exercises and Problem Sets

# Lecture schedule & materials

**Recordings, slides, notes, and exercises **are included in the dropdowns, updated after each session. Sessions are 90m each, held on **MWF from 2-3:30pm in 4-237** (with the exception of MLK day, when lecture is held on Tuesday instead).

**(Brian Gu)**

**Session 1 (Monday 1/9) Introduction to ZK****(Brian Gu)**

**Session 2 (Wednesday 1/11) Circom 1****(Yufei Zhao)**

**Session 3 (Friday 1/13) Mathematical building blocks****(Vivek Bhupatiraju)**

**Session 4 (Tuesday 1/17) Circom 2****Session 5 (Wednesday 1/18) Commitment Schemes**(Ying Tong Lai)

**(Jason Morton)**

**Session 6 (Friday 1/20) Algorithms for Efficient Cryptographic Operations****(Ying Tong Lai)**

**Session 7 (Monday 1/23) Arithmetizations****(Jason Morton)**

**Session 8 (Wednesday 1/25) PLONK and polynomial identities.****(Ying Tong Lai)**

**Session 9 (Friday 1/27) Proving systems stack; recursion and composition.****(Aayush Gupta)**

**Session 10 (Monday 1/30) Applied ZK Constructions 1****(Brian Gu)**

**Session 11 (Wednesday 2/1) Applied ZK Constructions 2**

**Session 12 (Friday 2/3) Student and Staff Demos**# Student Notes

- This excellent set of notes by ZKIAP participant Fareed Sheriff goes through a lot of the prerequisite material found at learn.0xparc.org
- Currently goes up to Lecture 9 - Proof Systems

# Course Staff

This course is designed and taught by a team of researchers and developers, with experience across the applied zero-knowledge cryptography “stack.”

**Ying Tong Lai** is a researcher at Geometry and 0xPARC. Previously, she was a senior engineer at Electric Coin Company, and a core developer of the Halo2 zkSNARK protocol and library.

**Yufei Zhao **is an Associate Professor of Mathematics at MIT.

**Brian Gu** is co-founder of 0xPARC Foundation, an R&D organization developing open-source infrastructure for applications of zero-knowledge cryptography.

**Jason Morton** is an Associate Professor of Mathematics at Penn State and the CEO of ZKonduit, where he is building tools for zero-knowledge machine learning inference.

**Aayush Gupta** is a research steward at ZK Email, a research group focused on building zero-knowledge primitives based on emails.

**Vivek Bhupatiraju** is building useful applications using cryptography.

# Prerequisites

You should have familiarity with:

- Elementary number theory and group theory. You should be comfortable working through the material in this handout from MIT’s 6.875 (Foundations of Cryptography) course.
- Basic cryptographic primitives. You should be comfortable with the idea of hash functions, encryption and signature schemes, and cryptographic accumulators (i.e. Merkle Trees); ideally, you’ve had some experience using and manipulating these primitives in practical settings (for example, perhaps you’ve implemented or used a signature verification API in an application).
- Basic algebraic concepts. You should be comfortable with basic manipulation of polynomials, perhaps with a bit of reading: polynomial multiplication and division, Lagrange interpolation, probabilistic polynomial identity testing, fast Fourier transform, and working in field extensions.

Some engineering or software development experience will also be beneficial, as we’ll be discussing the practical use of modern cryptographic primitives for real applications.

# Logistics

This program will take place during MIT’s Independent Activities Period (1/9 - 2/3). This is a not-for-credit program. Communication will take place on a class Discord server. We expect the time commitment for this program to range from 10 to 20 hours per week, depending on whether you opt to join the optional project component, and whether you opt to complete the optional and ungraded problem sets.

**Lectures and workshops**

**When:**Mondays, Wednesdays, and Fridays, from 2:00 - 3:30PM (with the exception of 1/16, which is MLK day—that session will instead take place on 1/17).Classroom 4-237**Where:**

Anyone is welcome to attend any lectures, regardless of whether or you are working on a project, or whether you’ve attended previous lectures. Lectures will be recorded and made publicly available.

**Office hours**

: Tuesdays 10AM - 12PM and Thursdays 5PM - 7PM.**When**: 2-136**Where**

On Tuesdays and Thursdays, we’ll run smaller office hours / co-working sessions, for students interested in building a ZK project, receiving guidance on the optional problem sets, or learning about supplementary topics.

# Class components

## Recommended P**roject**

**We highly encourage interested to participate in the optional project component, to solidify their understanding of the material. **Course staff will provide mentorship for students interested in building a ZK project over the course of the month. Projects may include:

- A full-stack application of ZK crypto, such as an anonymous voting app, a p2p/decentralized game, a cryptocurrency mixer, etc.
- A library of useful ZK primitives, such as ZK circuits for a ZK-friendly encryption scheme.
- An implementation of a zero-knowledge proof system or some key component parts, along with a series of tutorials or writeups.
- Documentation or educational material, such as a series of blog posts or tutorials explaining a ZK proof system.

Projects from teams that have participated in past 0xPARC educational programs have included:

**zkREPL**, an in-browser collaborative development environment for writing ZK circuits.**circom-ecdsa**, an implementation of Ethereum’s signature algorithms in zkSNARK circuits.**zkmessage.xyz**, a demonstration of how zkSNARKs can be used to emulate and extend other cryptographic primitives, such as ring signatures.**Zordle**, a webapp that allows you to generate zero-knowledge proofs that your Wordle guess diagram is legitimate. A subproject of Zordle involved porting the Halo2 ZK proving system to WASM.

Certain Tuesday and Thursday office hour sessions will be set aside for project brainstorming, team-matching, and mentorship and co-working sessions.

Interested students should submit a project proposal during the second week of the program. A final demos session will be scheduled in the last week of the program.

## Optional Exercises and Problem Sets

Most lectures will be accompanied by problems sets or sets of “conceptual exercises.” These sets may include math problems; understanding questions which ask you to sketch out a protocol at a high level; coding tasks; and more. **Problem sets are ungraded, though we highly recommend that you complete them for your own understanding**; you’re also welcome to come in on Tuesdays and Thursdays to ask course staff to review your solutions, or to check your understanding.