\documentclass{article}
\usepackage[utf8]{inputenc}
\usepackage{amsfonts}
\usepackage{amsthm}
\usepackage{amsmath}
\usepackage{enumerate}
\usepackage{hyperref}
\hypersetup{
colorlinks,
citecolor=black,
filecolor=black,
linkcolor=black,
urlcolor=blue
}
\usepackage{xcolor}
\usepackage{pgf-umlsd} % diagrams
% message between threads
% Example:
% \bloodymess[delay]{sender}{message content}{receiver}{DIR}{start note}{end note}
\newcommand{\bloodymess}[7][0]{
\stepcounter{seqlevel}
\path
(#2)+(0,-\theseqlevel*\unitfactor-0.7*\unitfactor) node (mess from) {};
\addtocounter{seqlevel}{#1}
\path
(#4)+(0,-\theseqlevel*\unitfactor-0.7*\unitfactor) node (mess to) {};
\draw[->,>=angle 60] (mess from) -- (mess to) node[midway, above]
{#3};
\if R#5
\node (#3 from) at (mess from) {\llap{#6~}};
\node (#3 to) at (mess to) {\rlap{~#7}};
\else\if L#5
\node (#3 from) at (mess from) {\rlap{~#6}};
\node (#3 to) at (mess to) {\llap{#7~}};
\else
\node (#3 from) at (mess from) {#6};
\node (#3 to) at (mess to) {#7};
\fi
\fi
}
% prevent warnings of underfull \hbox:
\usepackage{etoolbox}
\apptocmd{\sloppy}{\hbadness 4000\relax}{}{}
\theoremstyle{definition}
\newtheorem{definition}{Def}[section]
\newtheorem{theorem}[definition]{Thm}
\title{Notes on Halo}
\author{arnaucube}
\date{July 2022}
\begin{document}
\maketitle
\begin{abstract}
Notes taken while reading the Halo paper \cite{cryptoeprint:2019/1021}. Usually while reading papers I take handwritten notes; this document contains some of them rewritten in \LaTeX.
The notes are not complete: they do not include all the steps nor all the proofs.
\end{abstract}
\tableofcontents
\section{Modified IPA (from the Halo paper)}
Notes taken while reading about the modified Inner Product Argument (IPA) from the Halo paper \cite{cryptoeprint:2019/1021}.
\paragraph{Objective:}
The prover wants to prove that the polynomial $p(X)$ committed in $P$ evaluates to $v$ at $x$, and that $\deg(p(X)) \leq d-1$.
\subsection{Notation}
\begin{description}
\item[Scalar mul] $[a]G$, where $a$ is a scalar and $G \in \mathbb{G}$
\item[Inner product] $<\overrightarrow{a}, \overrightarrow{b}> = a_0 b_0 + a_1 b_1 + \ldots + a_{n-1} b_{n-1}$
\item[Multiscalar mul] $<\overrightarrow{a}, \overrightarrow{G}> = [a_0] G_0 + [a_1] G_1 + \ldots + [a_{n-1}] G_{n-1}$
\end{description}
\subsection{Transparent setup}
$\overrightarrow{G} \in^r \mathbb{G}^d$, $H \in^r \mathbb{G}$
The prover wants to commit to $p(X) = a_0 + a_1 X + \ldots + a_{d-1} X^{d-1}$, i.e. to its coefficient vector $\overrightarrow{a}$.
\subsection{Protocol}
Prover:
$$P=<\overrightarrow{a}, \overrightarrow{G}> + [r]H$$
$$v=<\overrightarrow{a}, \{1, x, x^2, \ldots, x^{d-1} \} >$$
where $\{1, x, x^2, \ldots, x^{d-1} \} = \overrightarrow{b}$.
We can see that computing $v$ is equivalent to evaluating $p(X)$ at $x$ ($p(x)=v$).
We will prove:
\begin{enumerate}[i.]
\item the polynomial $p(X) = \sum a_i X^i$ satisfies\\
$p(x) = v$ (that is, $p(X)$ evaluates to $v$ at $x$).
\item $\deg(p(X)) \leq d-1$
\end{enumerate}
Both parties know $P$, the point $x$ and the claimed evaluation $v$. For a random $U \in^r \mathbb{G}$,
the prover computes $P'$:
$$P' = P + [v] U = <\overrightarrow{a}, \overrightarrow{G}> + [r]H + [v] U$$
Now, for $k$ rounds ($d=2^k$, from $j=k$ down to $j=1$):
\begin{itemize}
\item Prover samples random blinding factors $l_j, r_j \in \mathbb{F}_p$
\item Prover computes
$$L_j = < \overrightarrow{a}_{lo}, \overrightarrow{G}_{hi}> + [l_j] H + [< \overrightarrow{a}_{lo}, \overrightarrow{b}_{hi}>] U$$
$$R_j = < \overrightarrow{a}_{hi}, \overrightarrow{G}_{lo}> + [r_j] H + [< \overrightarrow{a}_{hi}, \overrightarrow{b}_{lo}>] U$$
\item Verifier sends a random challenge $u_j \in \mathbb{F}_p$
\item Prover computes the halved vectors for the next round:
$$\overrightarrow{a} \leftarrow \overrightarrow{a}_{hi} \cdot u_j^{-1} + \overrightarrow{a}_{lo} \cdot u_j$$
$$\overrightarrow{b} \leftarrow \overrightarrow{b}_{lo} \cdot u_j^{-1} + \overrightarrow{b}_{hi} \cdot u_j$$
$$\overrightarrow{G} \leftarrow \overrightarrow{G}_{lo} \cdot u_j^{-1} + \overrightarrow{G}_{hi} \cdot u_j$$
\end{itemize}
After the final round, $\overrightarrow{a}, \overrightarrow{b}, \overrightarrow{G}$ are each of length 1.
The verifier can compute
$$G = \overrightarrow{G}_0 = < \overrightarrow{s}, \overrightarrow{G} >$$
and $$b = \overrightarrow{b}_0 = < \overrightarrow{s}, \overrightarrow{b} >$$
where $\overrightarrow{s}$ is the binary counting structure:
\begin{align*}
&s = (u_1^{-1} ~ u_2^{-1} \cdots ~u_k^{-1},\\
&~~~~~~u_1 ~~~ u_2^{-1} ~\cdots ~u_k^{-1},\\
&~~~~~~u_1^{-1} ~~ u_2 ~~\cdots ~u_k^{-1},\\
&~~~~~~~~~~~~~~\vdots\\
&~~~~~~u_1 ~~~~ u_2 ~~\cdots ~u_k)
\end{align*}
And the verifier checks:
$$[a]G + [r'] H + [ab] U == P' + \sum_{j=1}^k ( [u_j^2] L_j + [u_j^{-2}] R_j)$$
where the synthetic blinding factor is $r' = r + \sum_{j=1}^k (l_j u_j^2 + r_j u_j^{-2})$.
\vspace{1cm}
Unfolding the check:
$$
\textcolor{brown}{[a]G} + \textcolor{cyan}{[r'] H} + \textcolor{magenta}{[ab] U}
==
\textcolor{blue}{P'} + \sum_{j=1}^k ( \textcolor{violet}{[u_j^2] L_j} + \textcolor{orange}{[u_j^{-2}] R_j})
$$
\begin{align*}
&\text{Left side} = \textcolor{brown}{[a]G} + \textcolor{cyan}{[r'] H} + \textcolor{magenta}{[ab] U}\\
& = \textcolor{brown}{< \overrightarrow{a}, \overrightarrow{G} >}\\
&+ \textcolor{cyan}{[r + \sum_{j=1}^k (l_j \cdot u_j^2 + r_j u_j^{-2})] \cdot H}\\
&+ \textcolor{magenta}{[< \overrightarrow{a}, \overrightarrow{b} >] U}
\end{align*}
\begin{align*}
&\text{Right side} = \textcolor{blue}{P'} + \sum_{j=1}^k ( \textcolor{violet}{[u_j^2] L_j} + \textcolor{orange}{[u_j^{-2}] R_j})\\
&= \textcolor{blue}{< \overrightarrow{a}, \overrightarrow{G}> + [r] H + [v] U}\\
&+ \sum_{j=1}^k \big(
\textcolor{violet}{[u_j^2] \cdot (<\overrightarrow{a}_{lo}, \overrightarrow{G}_{hi}> + [l_j] H + [<\overrightarrow{a}_{lo}, \overrightarrow{b}_{hi}>] U)}\\
&\textcolor{orange}{+ [u_j^{-2}] \cdot (<\overrightarrow{a}_{hi}, \overrightarrow{G}_{lo}> + [r_j] H + [<\overrightarrow{a}_{hi}, \overrightarrow{b}_{lo}>] U)}
\big)
\end{align*}
\vspace{1.5cm}
The following diagram illustrates the main steps in the scheme:
\begin{center}
\begin{sequencediagram}
\newinst[1]{p}{Prover}
\newinst[3]{v}{Verifier}
\bloodymess[1]{p}{P}{v}{R}{knows $p(X)\in \mathbb{F}[X]$, commits to $p(X)$, $P$}{rand $x \in \mathbb{F},~U\in \mathbb{G},~\overrightarrow{u} \in \mathbb{F}^d$}
\bloodymess[1]{v}{$x, U, u$}{p}{R}{}{}
\bloodymess[1]{p}{$proof, a, L_j, R_j, v$}{v}{R}{gen proof}{$verify(proof, P, a, x, L_j, R_j)$}
% \begin{callself}{p}{knows $p(X) \in \mathbb{F}[X]$}{}
% \end{callself}
% \begin{callself}{p}{commit to $p(X),~P$}{}
% \end{callself}
%
% \mess[0]{p}{$P$}{v}
% \begin{callself}{v}{rand $x \in \mathbb{F},~U\in \mathbb{G},~\overrightarrow{u} \in \mathbb{F}^d$}{}
% \end{callself}
%
% \mess[0]{v}{$x,U,u$}{p}
% \node[anchor=west] (p2) at (mess to) {gen proof2}
% \begin{callself}{p}{gen proof $\pi$}{}
% \end{callself}
%
% \mess[0]{p}{$a, L_j, R_j, v$}{v}
%
% \begin{callself}{v}{$verify(P, a, x, v, L_j, R_k$)}{}
% \end{callself}
\end{sequencediagram}
\end{center}
\section{Amortization Strategy}
TODO
\bibliography{paper-notes.bib}
\bibliographystyle{unsrt}
\end{document}