arnaucube
/
math
mirror of https://github.com/arnaucube/math.git

\documentclass{article}
\usepackage[utf8]{inputenc}
\usepackage{amsfonts}
\usepackage{amsthm}
\usepackage{amsmath}
\usepackage{mathtools}
\usepackage{enumerate}
\usepackage{hyperref}
\usepackage{xcolor}
\usepackage{centernot}
\usepackage{algorithm}
\usepackage{algpseudocode}

\usepackage{pgf-umlsd} % diagrams

% message between threads. From https://tex.stackexchange.com/a/174765
% Example:
% \bloodymess[delay]{sender}{message content}{receiver}{DIR}{start note}{end note}
\newcommand{\bloodymess}[7][0]{
  \stepcounter{seqlevel}
  \path
  (#2)+(0,-\theseqlevel*\unitfactor-0.7*\unitfactor) node (mess from) {};
  \addtocounter{seqlevel}{#1}
  \path
  (#4)+(0,-\theseqlevel*\unitfactor-0.7*\unitfactor) node (mess to) {};
  \draw[->,>=angle 60] (mess from) -- (mess to) node[midway, above]
  {#3};

  \if R#5
  \node (\detokenize{#3} from) at (mess from) {\llap{#6~}};
  \node (\detokenize{#3} to) at (mess to) {\rlap{~#7}};
  \else\if L#5
  \node (\detokenize{#3} from) at (mess from) {\rlap{~#6}};
  \node (\detokenize{#3} to) at (mess to) {\llap{#7~}};
       \else
       \node (\detokenize{#3} from) at (mess from) {#6};
       \node (\detokenize{#3} to) at (mess to) {#7};
       \fi
  \fi
}


% prevent warnings of underfull \hbox:
\usepackage{etoolbox}
\apptocmd{\sloppy}{\hbadness 4000\relax}{}{}

\theoremstyle{definition}
\newtheorem{definition}{Def}[section]
\newtheorem{theorem}[definition]{Thm}

% custom lemma environment to set custom numbers
\newtheorem{innerlemma}{Lemma}
\newenvironment{lemma}[1]
{\renewcommand\theinnerlemma{#1}\innerlemma}
{\endinnerlemma}


\title{Notes on HyperNova}
\author{arnaucube}
\date{May 2023}

\begin{document}

\maketitle

\begin{abstract}
	Notes taken while reading about HyperNova \cite{cryptoeprint:2023/573} and CCS\cite{cryptoeprint:2023/552}.

	Usually while reading papers I take handwritten notes, this document contains some of them re-written to $LaTeX$.

	The notes are not complete, don't include all the steps neither all the proofs.

	Thanks to \href{https://twitter.com/asn_d6}{George Kadianakis} for clarifications, and the authors \href{https://twitter.com/srinathtv}{Srinath Setty} and \href{https://twitter.com/abhiramko}{Abhiram Kothapalli} for answers on chats and twitter.
\end{abstract}

\tableofcontents


\section{CCS}
\subsection{R1CS to CCS overview}

\begin{description}
	\item[R1CS instance] $S_{R1CS} = (m, n, N, l, A, B, C)$\\
		where $m, n$ are such that $A \in \mathbb{F}^{m \times n}$, and $l$ such that the public inputs $x \in \mathbb{F}^l$. Also $z=(w, 1, x) \in \mathbb{F}^n$, thus $w \in \mathbb{F}^{n-l-1}$.
	\item[CCS instance] $S_{CCS} = (m, n, N, l, t, q, d, M, S, c)$\\
		where we have the same parameters than in $S_{R1CS}$, but additionally:\\
		$t=|M|$, $q = |c| = |S|$, $d$= max degree in each variable.
	\item[R1CS-to-CCS parameters] $n=n,~ m=m,~ N=N,~ l=l,~ t=3,~ q=2,~ d=2$, $M=\{A,B,C\}$, $S=\{\{0,~1\},~ \{2\}\}$, $c=\{1,-1\}$
\end{description}

The CCS relation check:
$$\sum_{i=0}^{q-1} c_i \cdot \bigcirc_{j \in S_i} M_j \cdot z ==0$$

where $z=(w, 1, x) \in \mathbb{F}^n$.

In our R1CS-to-CCS parameters is equivalent to

\begin{align*}
	&c_0 \cdot ( (M_0 z) \circ (M_1 z) ) + c_1 \cdot (M_2 z) ==0\\
	\Longrightarrow &1 \cdot ( (A z) \circ (B z) ) + (-1) \cdot (C z) ==0\\
	\Longrightarrow &( (A z) \circ (B z) ) - (C z) ==0
\end{align*}

which is equivalent to the R1CS relation: $Az \circ Bz == Cz$

An example of the conversion from R1CS to CCS implemented in SageMath can be found at\\
\href{https://github.com/arnaucube/math/blob/master/r1cs-ccs.sage}{https://github.com/arnaucube/math/blob/master/r1cs-ccs.sage}.

Similar relations between Plonkish and AIR arithmetizations to CCS are shown in the CCS paper \cite{cryptoeprint:2023/552}, but for now with the R1CS we have enough to see the CCS generalization idea and to use it for the HyperNova scheme.

\subsection{Committed CCS}
$R_{CCCS}$ instance: $(C, \mathsf{x})$, where $C$ is a commitment to a multilinear polynomial in $s'-1$ variables.

Sat if:
\begin{enumerate}[i.]
	\item $\text{Commit}(pp, \widetilde{w}) = C$
	\item $\sum_{i=1}^q c_i \cdot \left( \prod_{j \in S_i} \left( \sum_{y \in \{0,1\}^{\log m}} \widetilde{M}_j(x, y) \cdot \widetilde{z}(y) \right) \right)$\\
		where $\widetilde{z}(y) = \widetilde{(w, 1, \mathsf{x})}(x) ~\forall x \in \{0, 1\}^{s'}$
\end{enumerate}


\subsection{Linearized Committed CCS}
$R_{LCCCS}$ instance: $(C, u, \mathsf{x}, r, v_1, \ldots, v_t)$, where $C$ is a commitment to a multilinear polynomial in $s'-1$ variables, and $u \in \mathbb{F},~ \mathsf{x} \in \mathbb{F}^l,~ r \in \mathbb{F}^s,~ v_i \in \mathbb{F} ~\forall i \in [t]$.

Sat if:
\begin{enumerate}[i.]
	\item $\text{Commit}(pp, \widetilde{w}) = C$
	\item $\forall i \in [t],~ v_i = \sum_{y \in \{0,1\}^{s'}} \widetilde{M}_i(r, y) \cdot \widetilde{z}(y)$\\
		where $\widetilde{z}(y) = \widetilde{(w, u, \mathsf{x})}(x) ~\forall x \in \{0, 1\}^{s'}$
\end{enumerate}


\section{Multifolding Scheme for CCS}
Recall sum-check protocol notation: \underline{$C \leftarrow \langle P, V(r) \rangle (g, l, d, T)$} means
$$T=\sum_{x_1 \in \{0,1\}} \sum_{x_2 \in \{0,1\}} \cdots \sum_{x_l \in \{0,1\}} g(x_1, x_2, \ldots, x_l)$$
where $g$ is a $l$-variate polynomial, with degree at most $d$ in each variable, and $T$ is the claimed value.

\vspace{1cm}

Let $s= \log m,~ s'= \log n$.

\begin{enumerate}
	\item $V \rightarrow P: \gamma \in^R \mathbb{F},~ \beta \in^R \mathbb{F}^s$
	\item $V: r_x' \in^R \mathbb{F}^s$
	\item $V \leftrightarrow P$: sum-check protocol:
		$$c \leftarrow \langle P, V(r_x') \rangle (g, s, d+1, \underbrace{\sum_{j \in [t]} \gamma^j \cdot v_j}_\text{T})$$
		(in fact, $T=(\sum_{j \in [t]} \gamma^j \cdot v_j) \underbrace{+ \gamma^{t+1} \cdot Q(x)}_{=0}) = \sum_{j \in [t]} \gamma^j \cdot v_j$)\\
		where:
		\begin{align*}
			g(x) &:= \underbrace{\left( \sum_{j \in [t]} \gamma^j \cdot L_j(x) \right)}_\text{LCCCS check} + \underbrace{\gamma^{t+1} \cdot Q(x)}_\text{CCCS check}\\
			\text{for LCCCS:}~ L_j(x) &:= \widetilde{eq}(r_x, x) \cdot \left(
				\underbrace{\sum_{y \in \{0,1\}^{s'}} \widetilde{M}_j(x, y) \cdot \widetilde{z}_1(y)}_\text{this is the check from LCCCS}
			\right)\\
				\text{for CCCS:}~ Q(x) := &\widetilde{eq}(\beta, x) \cdot \left(
				\underbrace{ \sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \left( \sum_{y \in \{0, 1\}^{s'}} \widetilde{M}_j(x, y) \cdot \widetilde{z}_2(y) \right) }_\text{this is the check from CCCS}
			\right)
		\end{align*}
		Notice that
		$$v_j= \sum_{y\in \{0,1\}^{s'}} \widetilde{M}_j(r, y) \cdot \widetilde{z}(y) = \sum_{x\in \{0,1\}^s} L_j(x)$$
	\item $P \rightarrow V$: $\left( (\sigma_1, \ldots, \sigma_t), (\theta_1, \ldots, \theta_t) \right)$, where $\forall j \in [t]$,
		$$\sigma_j = \sum_{y \in \{0,1\}^{s'}} \widetilde{M}_j(r_x', y) \cdot \widetilde{z}_1(y)$$
		$$\theta_j = \sum_{y \in \{0, 1\}^{s'}} \widetilde{M}_j(r_x', y) \cdot \widetilde{z}_2(y)$$
		where $\sigma_j,~\theta_j$ are the checks from LCCCS and CCCS respectively with $x=r_x'$.
	\item V: $e_1 \leftarrow \widetilde{eq}(r_x, r_x')$, $e_2 \leftarrow \widetilde{eq}(\beta, r_x')$\\
		check:
		$$c = \left( \sum_{j \in [t]} \gamma^j e_1 \sigma_j + \gamma^{t+1} e_2 \left( \sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \sigma \right) \right)$$
		which should be equivalent to the $g(x)$ computed by $V,P$ in the sum-check protocol.
	\item $V \rightarrow P: \rho \in^R \mathbb{F}$
	\item $V, P$: output the folded LCCCS instance $(C', u', \mathsf{x}', r_x', v_1', \ldots, v_t')$, where $\forall i \in [t]$:
		\begin{align*}
			C' &\leftarrow C_1 + \rho \cdot C_2\\
			u' &\leftarrow u + \rho \cdot 1\\
			\mathsf{x}' &\leftarrow \mathsf{x}_1 + \rho \cdot \mathsf{x}_2\\
			v_i' &\leftarrow \sigma_i + \rho \cdot \theta_i
		\end{align*}
	\item $P$: output folded witness: $\widetilde{w}' \leftarrow \widetilde{w}_1 + \rho \cdot \widetilde{w}_2$.
\end{enumerate}


\vspace{1cm}
Multifolding flow:
\begin{center}
	\begin{sequencediagram}
		\newinst[1]{p}{Prover}
		\newinst[3]{v}{Verifier}

		\bloodymess[1]{v}{$\gamma,~\beta,~r_x'$}{p}{L}{
			\shortstack{
				$\gamma \in \mathbb{F},~ \beta \in \mathbb{F}^s$\\
				$r_x' \in \mathbb{F}^s$
			}
		}{}
		\bloodymess[1]{p}{$c,~ \pi_{SC}$}{v}{R}{sum-check prove}{sum-check verify}
		\bloodymess[1]{p}{$\{\sigma_j\},~\{\theta_j\}$}{v}{R}{compute $\{\sigma_j\}, \{\theta_j\}~ \forall j \in [t]$}{verify $c$ with $\{\sigma_j\}, \{\theta_j\}$ relation}
		\bloodymess[1]{v}{$\rho$}{p}{L}{$\rho \in^R \mathbb{F}$}{}
		\callself[0]{p}{fold LCCCS instance}{p}
		\prelevel
		\callself[0]{v}{fold LCCCS instance}{v}
		\callself[0]{p}{fold $\widetilde{w}$}{p}
	\end{sequencediagram}
\end{center}

\vspace{1cm}

Now, to see the verifier check from step 5, observe that in LCCCS, since $\widetilde{w}$ satisfies,
\begin{align*}
	v_j &= \sum_{y \in \{0,1\}^{s'}} \widetilde{M}_j(r_x, y) \cdot \widetilde{z}_1(y)\\
	    &= \sum_{x \in \{0,1\}^s}
		\underbrace{
			\widetilde{eq}(r_x, x) \cdot \left( \sum_{y \in \{0,1\}^{s'}} \widetilde{M}_j(x, y) \cdot \widetilde{z}_1(y) \right)
		}_{L_j(x)}\\
	    &= \sum_{x \in \{0,1\}^s} L_j(x)
\end{align*}

Observe also that in CCCS, since $\widetilde{w}$ satisfies,
$$
0=\underbrace{\sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \left( \sum_{y \in \{0, 1\}^{s'}} \widetilde{M}_j(x, y) \cdot \widetilde{z}_2(y) \right)}_{q(x)}
$$

we have that
$$
G(X) = \sum_{x \in \{0,1\}^s} eq(X, x) \cdot q(x)
$$
is multilinear, and can be seen as a Lagrange polynomial where coefficients are evaluations of $q(x)$ on the hypercube.

For an honest prover, all these coefficients are zero, thus $G(X)$ must necessarily be the zero polynomial. Thus $G(\beta)=0$ for $\beta \in^R \mathbb{F}^s$.
\begin{align*}
	% 0&=\sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \left( \sum_{y \in \{0, 1\}^{s'}} \widetilde{M}_j(\beta, y) \cdot \widetilde{z}_2(y) \right)\\
	0&=G(\beta) = \sum_{x \in \{0,1\}^s} eq(\beta, x) \cdot q(x)\\
	 &= \sum_{x \in \{0,1\}^s}
	 \underbrace{\widetilde{eq}(\beta , x) \cdot
		 \overbrace{
			\sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \left( \sum_{y \in \{0, 1\}^{s'}} \widetilde{M}_j(x, y) \cdot \widetilde{z}_2(y) \right)
		}^{q(x)}
	}_{Q(x)}\\
	 &= \sum_{x \in \{0,1\}^s} Q(x)
\end{align*}

\framebox{\begin{minipage}{4.3 in}
\begin{footnotesize}

\textbf{Note}: notice that this past equation is related to Spartan paper \cite{cryptoeprint:2019/550}, lemmas 4.2 and 4.3, where instead of 

$$q(x) = \sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \left( \sum_{y \in \{0, 1\}^{s'}} \widetilde{M}_j(x, y) \cdot \widetilde{z}_2(y) \right)$$

for our R1CS example, we can restrict it to just $M_0,M_1,M_2$, which would be

$$=\left( \sum_{y \in \{0,1\}^s} \widetilde{M_0}(x, y) \cdot \widetilde{z}(y) \right) \cdot \left( \sum_{y \in \{0,1\}^s} \widetilde{M_1}(x, y) \cdot \widetilde{z}(y) \right) - \sum_{y \in \{0,1\}^s} \widetilde{M_2}(x, y) \cdot \widetilde{z}(y)$$

and we can see that $q(x)$ is the same equation $\widetilde{F}_{io}(x)$ that we had in Spartan:

$$
\widetilde{F}_{io}(x)=\left( \sum_{y \in \{0,1\}^s} \widetilde{A}(x, y) \cdot \widetilde{z}(y) \right) \cdot \left( \sum_{y \in \{0,1\}^s} \widetilde{B}(x, y) \cdot \widetilde{z}(y) \right) - \sum_{y \in \{0,1\}^s} \widetilde{C}(x, y) \cdot \widetilde{z}(y)
$$

where
$$Q_{io}(t) = \sum_{x \in \{0,1\}^s} \widetilde{F}_{io}(x) \cdot \widetilde{eq}(t,x)=0$$
and V checks $Q_{io}(\tau)=0$ for $\tau \in^R \mathbb{F}^s$, which in HyperNova is $G(\beta)=0$ for $\beta \in^R \mathbb{F}^s$.

$Q_{io}(\cdot)$ is a zero-polynomial ($G(\cdot)$ in HyperNova), it evaluates to zero for all points in its domain iff $\widetilde{F}_{io}(\cdot)$ evaluates to zero at all points in the $s$-dimensional boolean hypercube.
\begin{align*}
	\text{Spartan} &\longleftrightarrow \text{HyperNova}\\
	\tau &\longleftrightarrow \beta\\
	\widetilde{F}_{io}(x) &\longleftrightarrow q(x)\\
	Q_{io}(\tau) &\longleftrightarrow G(\beta)
\end{align*}

So, in HyperNova
$$0 = \sum_{x \in \{0,1\}^s} Q(x) = \sum_{x \in \{0,1\}^s} \widetilde{eq}(\beta,x) \cdot q(x)$$

\end{footnotesize}
\end{minipage}}

\vspace{1cm}

Comming back to HyperNova equations, we can now see that

\begin{align*}
	c &= g(r_x')\\
	  &= \left( \sum_{j \in [t]} \gamma^j \cdot L_j(r_x') \right) + \gamma^{t+1} \cdot Q(r_x')\\
	  &= \left( \sum_{j \in [t]} \gamma^j \cdot \overbrace{e_1 \cdot \sigma_j}^{L_j(r_x')} \right) + \gamma^{t+1} \cdot \overbrace{e_2 \cdot \sum_{i \in [q]} c_i \prod_{j \in S_i} \theta_j}^{Q(x)}
\end{align*}

where $e_1 = \widetilde{eq}(r_x, r_x')$ and $e_2=\widetilde{eq}(\beta, r_x')$.

Which is the check that $V$ performs at step $5$.


%%%%%% APPENDIX
\appendix
\section{Appendix: Some details}
This appendix contains some notes on things that don't specifically appear in the paper, but that would be needed in a practical implementation of the scheme.

\subsection{Matrix and Vector to Sparse Multilinear Extension}

Let $M \in \mathbb{F}^{m \times n}$ be a matrix. We want to compute its MLE
$$\widetilde{M}(x_1, \ldots, x_l) = \sum_{e \in \{0, 1 \}^l} M(e) \cdot \widetilde{eq}(x, e)$$

We can view the matrix $M \in \mathbb{F}^{m \times n}$ as a function with the following signature:
$$M(\cdot): \{0,1\}^s \times \{0,1\}^{s'} \rightarrow \mathbb{F}$$
where $s = \lceil \log m \rceil,~ s' = \lceil \log n \rceil$.

An entry in $M$ can be accessed with a $(s+s')$-bit identifier.

eg.:
$$
M = \begin{pmatrix}
1 & 2 & 3\\
4 & 5 & 6\\
\end{pmatrix}
\in \mathbb{F}^{3 \times 2}
$$

$m = 3,~ n = 2,~~~ s = \lceil \log 3 \rceil = 2,~ s' = \lceil \log 2 \rceil = 1$

So, $M(x, y) = x$, where $x \in \{0,1\}^s,~ y \in \{0,1\}^{s'},~ x \in \mathbb{F}$

$$
M = \begin{pmatrix}
M(00,0) & M(01,0) & M(10,0)\\
M(00,1) & M(01,1) & M(10,1)\\
\end{pmatrix}
\in \mathbb{F}^{3 \times 2}
$$

This logic can be defined as follows:

\begin{algorithm}[H]
\caption{Generating a Sparse Multilinear Polynomial from a matrix}
\begin{algorithmic}
	\State set empty vector $v \in (\text{index:}~ \mathbb{Z}, x: \mathbb{F}^{s \times s'})$
	\For {$i$ to $m$}
	\For {$j$ to $n$}
		\If {$M_{i,j} \neq 0$}
			\State $v.\text{append}( \{ \text{index}: i \cdot n + j,~ x: M_{i,j} \} )$
		\EndIf
	\EndFor
	\EndFor
	\State return $v$    \Comment {$v$ represents the evaluations of the polynomial}
\end{algorithmic}
\end{algorithm}

Once we have the polynomial, its MLE comes from
$$\widetilde{M}(x_1, \ldots, x_{s+s'}) = \sum_{e \in \{0,1\}^{s+s'}} M(e) \cdot \widetilde{eq}(x, e)$$

$$M(X) \in \mathbb{F}[X_1, \ldots, X_s]$$

\paragraph{Multilinear extensions of vectors}
Given a vector $u \in \mathbb{F}^m$, the polynomial $\widetilde{u}$ is the MLE of $u$, and is obtained by viewing $u$ as a function mapping ($s=\log m$)
$$u(x): \{0,1\}^s \rightarrow \mathbb{F}$$
$\widetilde{u}(x, e)$ is the multilinear extension of the function $u(x)$
$$\widetilde{u}(x_1, \ldots, x_s) = \sum_{e \in \{0,1\}^s} u(e) \cdot \widetilde{eq}(x, e)$$

\bibliography{paper-notes.bib}
\bibliographystyle{unsrt}

\end{document}