|
|
\documentclass{article} \usepackage[utf8]{inputenc} \usepackage{amsfonts} \usepackage{amsthm} \usepackage{amsmath} \usepackage{mathtools} \usepackage{enumerate} \usepackage{hyperref} \usepackage{xcolor} \usepackage{centernot} \usepackage{algorithm} \usepackage{algpseudocode}
\usepackage{pgf-umlsd} % diagrams
% message between threads. From https://tex.stackexchange.com/a/174765
% Example:
% \bloodymess[delay]{sender}{message content}{receiver}{DIR}{start note}{end note}
\newcommand{\bloodymess}[7][0]{ \stepcounter{seqlevel} \path (#2)+(0,-\theseqlevel*\unitfactor-0.7*\unitfactor) node (mess from) {}; \addtocounter{seqlevel}{#1} \path (#4)+(0,-\theseqlevel*\unitfactor-0.7*\unitfactor) node (mess to) {}; \draw[->,>=angle 60] (mess from) -- (mess to) node[midway, above] {#3};
\if R#5 \node (\detokenize{#3} from) at (mess from) {\llap{#6~}}; \node (\detokenize{#3} to) at (mess to) {\rlap{~#7}}; \else\if L#5 \node (\detokenize{#3} from) at (mess from) {\rlap{~#6}}; \node (\detokenize{#3} to) at (mess to) {\llap{#7~}}; \else \node (\detokenize{#3} from) at (mess from) {#6}; \node (\detokenize{#3} to) at (mess to) {#7}; \fi \fi }
% prevent warnings of underfull \hbox:
\usepackage{etoolbox} \apptocmd{\sloppy}{\hbadness 4000\relax}{}{}
\theoremstyle{definition} \newtheorem{definition}{Def}[section] \newtheorem{theorem}[definition]{Thm}
% custom lemma environment to set custom numbers
\newtheorem{innerlemma}{Lemma} \newenvironment{lemma}[1] {\renewcommand\theinnerlemma{#1}\innerlemma} {\endinnerlemma}
\title{Notes on HyperNova} \author{arnaucube} \date{May 2023}
\begin{document}
\maketitle
\begin{abstract} Notes taken while reading about HyperNova \cite{cryptoeprint:2023/573} and CCS\cite{cryptoeprint:2023/552}.
Usually while reading papers I take handwritten notes, this document contains some of them re-written to $LaTeX$.
The notes are not complete, don't include all the steps neither all the proofs.
Thanks to \href{https://twitter.com/asn_d6}{George Kadianakis} for clarifications, and the authors \href{https://twitter.com/srinathtv}{Srinath Setty} and \href{https://twitter.com/abhiramko}{Abhiram Kothapalli} for answers on chats and twitter. \end{abstract}
\tableofcontents
\section{CCS} \subsection{R1CS to CCS overview}
\begin{description} \item[R1CS instance] $S_{R1CS} = (m, n, N, l, A, B, C)$\\ where $m, n$ are such that $A \in \mathbb{F}^{m \times n}$, and $l$ such that the public inputs $x \in \mathbb{F}^l$. Also $z=(w, 1, x) \in \mathbb{F}^n$, thus $w \in \mathbb{F}^{n-l-1}$. \item[CCS instance] $S_{CCS} = (m, n, N, l, t, q, d, M, S, c)$\\ where we have the same parameters than in $S_{R1CS}$, but additionally:\\ $t=|M|$, $q = |c| = |S|$, $d$= max degree in each variable. \item[R1CS-to-CCS parameters] $n=n,~ m=m,~ N=N,~ l=l,~ t=3,~ q=2,~ d=2$, $M=\{A,B,C\}$, $S=\{\{0,~1\},~ \{2\}\}$, $c=\{1,-1\}$ \end{description}
The CCS relation check: $$\sum_{i=0}^{q-1} c_i \cdot \bigcirc_{j \in S_i} M_j \cdot z ==0$$
where $z=(w, 1, x) \in \mathbb{F}^n$.
In our R1CS-to-CCS parameters is equivalent to
\begin{align*} &c_0 \cdot ( (M_0 z) \circ (M_1 z) ) + c_1 \cdot (M_2 z) ==0\\ \Longrightarrow &1 \cdot ( (A z) \circ (B z) ) + (-1) \cdot (C z) ==0\\ \Longrightarrow &( (A z) \circ (B z) ) - (C z) ==0 \end{align*}
which is equivalent to the R1CS relation: $Az \circ Bz == Cz$
An example of the conversion from R1CS to CCS implemented in SageMath can be found at\\ \href{https://github.com/arnaucube/math/blob/master/r1cs-ccs.sage}{https://github.com/arnaucube/math/blob/master/r1cs-ccs.sage}.
Similar relations between Plonkish and AIR arithmetizations to CCS are shown in the CCS paper \cite{cryptoeprint:2023/552}, but for now with the R1CS we have enough to see the CCS generalization idea and to use it for the HyperNova scheme.
\subsection{Committed CCS} $R_{CCCS}$ instance: $(C, \mathsf{x})$, where $C$ is a commitment to a multilinear polynomial in $s'-1$ variables.
Sat if: \begin{enumerate}[i.] \item $\text{Commit}(pp, \widetilde{w}) = C$ \item $\sum_{i=1}^q c_i \cdot \left( \prod_{j \in S_i} \left( \sum_{y \in \{0,1\}^{\log m}} \widetilde{M}_j(x, y) \cdot \widetilde{z}(y) \right) \right)$\\ where $\widetilde{z}(y) = \widetilde{(w, 1, \mathsf{x})}(x) ~\forall x \in \{0, 1\}^{s'}$ \end{enumerate}
\subsection{Linearized Committed CCS} $R_{LCCCS}$ instance: $(C, u, \mathsf{x}, r, v_1, \ldots, v_t)$, where $C$ is a commitment to a multilinear polynomial in $s'-1$ variables, and $u \in \mathbb{F},~ \mathsf{x} \in \mathbb{F}^l,~ r \in \mathbb{F}^s,~ v_i \in \mathbb{F} ~\forall i \in [t]$.
Sat if: \begin{enumerate}[i.] \item $\text{Commit}(pp, \widetilde{w}) = C$ \item $\forall i \in [t],~ v_i = \sum_{y \in \{0,1\}^{s'}} \widetilde{M}_i(r, y) \cdot \widetilde{z}(y)$\\ where $\widetilde{z}(y) = \widetilde{(w, u, \mathsf{x})}(x) ~\forall x \in \{0, 1\}^{s'}$ \end{enumerate}
\section{Multifolding Scheme for CCS} Recall sum-check protocol notation: \underline{$C \leftarrow \langle P, V(r) \rangle (g, l, d, T)$} means $$T=\sum_{x_1 \in \{0,1\}} \sum_{x_2 \in \{0,1\}} \cdots \sum_{x_l \in \{0,1\}} g(x_1, x_2, \ldots, x_l)$$ where $g$ is a $l$-variate polynomial, with degree at most $d$ in each variable, and $T$ is the claimed value.
\vspace{1cm}
Let $s= \log m,~ s'= \log n$.
\begin{enumerate} \item $V \rightarrow P: \gamma \in^R \mathbb{F},~ \beta \in^R \mathbb{F}^s$ \item $V: r_x' \in^R \mathbb{F}^s$ \item $V \leftrightarrow P$: sum-check protocol: $$c \leftarrow \langle P, V(r_x') \rangle (g, s, d+1, \underbrace{\sum_{j \in [t]} \gamma^j \cdot v_j}_\text{T})$$ (in fact, $T=(\sum_{j \in [t]} \gamma^j \cdot v_j) \underbrace{+ \gamma^{t+1} \cdot Q(x)}_{=0}) = \sum_{j \in [t]} \gamma^j \cdot v_j$)\\ where: \begin{align*} g(x) &:= \underbrace{\left( \sum_{j \in [t]} \gamma^j \cdot L_j(x) \right)}_\text{LCCCS check} + \underbrace{\gamma^{t+1} \cdot Q(x)}_\text{CCCS check}\\ \text{for LCCCS:}~ L_j(x) &:= \widetilde{eq}(r_x, x) \cdot \left( \underbrace{\sum_{y \in \{0,1\}^{s'}} \widetilde{M}_j(x, y) \cdot \widetilde{z}_1(y)}_\text{this is the check from LCCCS} \right)\\ \text{for CCCS:}~ Q(x) := &\widetilde{eq}(\beta, x) \cdot \left( \underbrace{ \sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \left( \sum_{y \in \{0, 1\}^{s'}} \widetilde{M}_j(x, y) \cdot \widetilde{z}_2(y) \right) }_\text{this is the check from CCCS} \right) \end{align*} Notice that $$v_j= \sum_{y\in \{0,1\}^{s'}} \widetilde{M}_j(r, y) \cdot \widetilde{z}(y) = \sum_{x\in \{0,1\}^s} L_j(x)$$ \item $P \rightarrow V$: $\left( (\sigma_1, \ldots, \sigma_t), (\theta_1, \ldots, \theta_t) \right)$, where $\forall j \in [t]$, $$\sigma_j = \sum_{y \in \{0,1\}^{s'}} \widetilde{M}_j(r_x', y) \cdot \widetilde{z}_1(y)$$ $$\theta_j = \sum_{y \in \{0, 1\}^{s'}} \widetilde{M}_j(r_x', y) \cdot \widetilde{z}_2(y)$$ where $\sigma_j,~\theta_j$ are the checks from LCCCS and CCCS respectively with $x=r_x'$. \item V: $e_1 \leftarrow \widetilde{eq}(r_x, r_x')$, $e_2 \leftarrow \widetilde{eq}(\beta, r_x')$\\ check: $$c = \left(\sum_{j \in [t]} \gamma^j \cdot e_1 \cdot \sigma_j \right) + \gamma^{t+1} \cdot e_2 \cdot \left( \sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \theta_j \right)$$ which should be equivalent to the $g(x)$ computed by $V,P$ in the sum-check protocol. \item $V \rightarrow P: \rho \in^R \mathbb{F}$ \item $V, P$: output the folded LCCCS instance $(C', u', \mathsf{x}', r_x', v_1', \ldots, v_t')$, where $\forall i \in [t]$: \begin{align*} C' &\leftarrow C_1 + \rho \cdot C_2\\ u' &\leftarrow u + \rho \cdot 1\\ \mathsf{x}' &\leftarrow \mathsf{x}_1 + \rho \cdot \mathsf{x}_2\\ v_i' &\leftarrow \sigma_i + \rho \cdot \theta_i \end{align*} \item $P$: output folded witness and the folded $r_w'$ (random value used for the witness commitment $C$): \begin{align*} \widetilde{w}' &\leftarrow \widetilde{w}_1 + \rho \cdot \widetilde{w}_2\\ r_w' &\leftarrow r_{w_1} + \rho \cdot r_{w_2} \end{align*} \end{enumerate}
\vspace{1cm} Multifolding flow: \begin{center} \begin{sequencediagram} \newinst[1]{p}{Prover} \newinst[3]{v}{Verifier}
\bloodymess[1]{v}{$\gamma,~\beta,~r_x'$}{p}{L}{ \shortstack{ $\gamma \in \mathbb{F},~ \beta \in \mathbb{F}^s$\\ $r_x' \in \mathbb{F}^s$ } }{} \bloodymess[1]{p}{$c,~ \pi_{SC}$}{v}{R}{sum-check prove}{sum-check verify} \bloodymess[1]{p}{$\{\sigma_j\},~\{\theta_j\}$}{v}{R}{compute $\{\sigma_j\}, \{\theta_j\}~ \forall j \in [t]$}{verify $c$ with $\{\sigma_j\}, \{\theta_j\}$ relation} \bloodymess[1]{v}{$\rho$}{p}{L}{$\rho \in^R \mathbb{F}$}{} \callself[0]{p}{fold LCCCS instance}{p} \prelevel \callself[0]{v}{fold LCCCS instance}{v} \callself[0]{p}{fold $\widetilde{w}$}{p} \end{sequencediagram} \end{center}
\vspace{1cm}
Recall that we are folding 2 instances: \begin{itemize} \item[] LCCCS: $(C, u, \textcolor{orange}{x_1}, \textcolor{magenta}{r_x}, \textcolor{orange}{v_1, \ldots, v_t})$ \item[] CCCS: $(C, \textcolor{cyan}{x_2})$ \end{itemize}
Now, to see the verifier check from step 5, observe that in LCCCS, since $\widetilde{w}$ satisfies, \begin{align*} \textcolor{orange}{L_j(x)} &:= \widetilde{eq}(\textcolor{magenta}{r_x}, x) \cdot \left( \sum_{y \in \{0,1\}^{s'}} \widetilde{M}_j(x, y) \cdot \textcolor{orange}{\widetilde{z}_1(y)} \right)\\ &\textcolor{orange}{v_j}= \sum_{y\in \{0,1\}^{s'}} \widetilde{M}_j(\textcolor{magenta}{r_x}, y) \cdot \textcolor{orange}{\widetilde{z}_1(y)})\\ &~~=\sum_{x \in \{0,1\}^s} \widetilde{eq}(\textcolor{magenta}{r_x},y) \cdot (\sum_{y\in \{0,1\}^{s'}} \widetilde{M}_j(x,y)\cdot \textcolor{orange}{\widetilde{z}_1(y)})\\ &~~=\sum_{x \in \{0,1\}^s} \textcolor{orange}{L_j(x)} \end{align*}
Observe also that in CCCS, since $\widetilde{w}$ satisfies,\\ we have that $$
G(X) = \sum_{x \in \{0,1\}^s} \widetilde{eq}(X, x) \cdot \textcolor{cyan}{q(x)} $$
is multilinear, and can be seen as a Lagrange polynomial where coefficients are evaluations of $q(x)$ on the hypercube.
\begin{align*} \textcolor{cyan}{Q(x)} := &\widetilde{eq}(\textcolor{magenta}{\beta}, x) \cdot \left( \overbrace{ \sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \left( \sum_{y \in \{0, 1\}^{s'}} \widetilde{M}_j(x, y) \cdot \textcolor{cyan}{\widetilde{z}_2(y)} \right) }^\textcolor{cyan}{q(x)} \right)\\ 0= &\sum_{i=1}^q c_i \prod_{j\in S_i} \left( \sum_{y\in \{0,1\}^{s'}} \widetilde{M}_j(\textcolor{magenta}{\beta}, y) \cdot \textcolor{cyan}{\widetilde{z}_2(y)}\right)\\ =&\sum_{x \in \{0,1\}^s} \widetilde{eq}(\textcolor{magenta}{\beta}, x) \cdot \left( \sum_{i=1}^q c_i \prod_{j\in S_i} ( \sum_{y\in \{0,1\}^{s'}} \widetilde{M}_j(x, y) \cdot \textcolor{cyan}{\widetilde{z}_2(y)}) \right) \\ =&\sum_{x \in \{0,1\}^s} \textcolor{cyan}{Q(x)} = G(\textcolor{magenta}{\beta}) \end{align*}
%
For an honest prover, all these coefficients are zero, thus $G(X)$ must necessarily be the zero polynomial. Thus $G(\beta)=0$ for $\beta \in^R \mathbb{F}^s$.
\vspace{1cm}
We can now see that
$$\textcolor{orange}{\sigma_j} = \sum_{y \in \{0,1\}^{s'}} \widetilde{M}_j(\textcolor{pink}{r_x'}, y) \cdot \textcolor{orange}{\widetilde{z}_1(y)},
~~~\textcolor{cyan}{\theta_j} = \sum_{y \in \{0, 1\}^{s'}} \widetilde{M}_j(\textcolor{pink}{r_x'}, y) \cdot \textcolor{cyan}{\widetilde{z}_2(y)}$$
$$e_1 \leftarrow \widetilde{eq}(\textcolor{magenta}{r_x}, \textcolor{pink}{r_x'}),~ e_2 \leftarrow \widetilde{eq}(\textcolor{magenta}{\beta}, \textcolor{pink}{r_x'})$$
so the Verifier's check: \begin{align*} c &= \left( \sum_{j \in [t]} \gamma^j \cdot \underbrace{e_1 \cdot \textcolor{orange}{\sigma_j} }_\textcolor{orange}{L_j}(\textcolor{pink}{r_x'}) \right) + \gamma^{t+1} \cdot \underbrace{e_2 \cdot \left( \sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \textcolor{cyan}{\theta_j} \right) }_\textcolor{cyan}{Q}(\textcolor{pink}{r_x'})\\ &= \left( \sum_{j\in [t]} \gamma^j \cdot \textcolor{orange}{L_j}(\textcolor{pink}{r_x'}) \right) + \gamma^{t+1} \cdot \textcolor{cyan}{Q}(\textcolor{pink}{r_x'})\\ &= g(\textcolor{pink}{r_x'}) \end{align} $$\textcolor{gray}{(Recall,~ g(x) := \left( \sum_{j \in [t]} \gamma^j \cdot L_j(x) \right) + \gamma^{t+1} \cdot Q(x))}$$
Outputed LCCCS: $(C', u', x', \textcolor{pink}{r_x'}, v_1', \ldots, v_t')$
\framebox{\begin{minipage}{4.3 in} \begin{footnotesize}
\textbf{Note}: notice that this past equation is related to Spartan paper \cite{cryptoeprint:2019/550}, lemmas 4.2 and 4.3, where instead of
$$q(x) = \sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \left( \sum_{y \in \{0, 1\}^{s'}} \widetilde{M}_j(x, y) \cdot \widetilde{z}_2(y) \right)$$
for our R1CS example, we can restrict it to just $M_0,M_1,M_2$, which would be
$$=\left( \sum_{y \in \{0,1\}^s} \widetilde{M_0}(x, y) \cdot \widetilde{z}(y) \right) \cdot \left( \sum_{y \in \{0,1\}^s} \widetilde{M_1}(x, y) \cdot \widetilde{z}(y) \right) - \sum_{y \in \{0,1\}^s} \widetilde{M_2}(x, y) \cdot \widetilde{z}(y)$$
and we can see that $q(x)$ is the same equation $\widetilde{F}_{io}(x)$ that we had in Spartan:
$$
\widetilde{F}_{io}(x)=\left( \sum_{y \in \{0,1\}^s} \widetilde{A}(x, y) \cdot \widetilde{z}(y) \right) \cdot \left( \sum_{y \in \{0,1\}^s} \widetilde{B}(x, y) \cdot \widetilde{z}(y) \right) - \sum_{y \in \{0,1\}^s} \widetilde{C}(x, y) \cdot \widetilde{z}(y) $$
where $$Q_{io}(t) = \sum_{x \in \{0,1\}^s} \widetilde{F}_{io}(x) \cdot \widetilde{eq}(t,x)=0$$ and V checks $Q_{io}(\tau)=0$ for $\tau \in^R \mathbb{F}^s$, which in HyperNova is $G(\beta)=0$ for $\beta \in^R \mathbb{F}^s$.
$Q_{io}(\cdot)$ is a zero-polynomial ($G(\cdot)$ in HyperNova), it evaluates to zero for all points in its domain iff $\widetilde{F}_{io}(\cdot)$ evaluates to zero at all points in the $s$-dimensional boolean hypercube. \begin{align*} \text{Spartan} &\longleftrightarrow \text{HyperNova}\\ \tau &\longleftrightarrow \beta\\ \widetilde{F}_{io}(x) &\longleftrightarrow q(x)\\ Q_{io}(\tau) &\longleftrightarrow G(\beta) \end{align*}
So, in HyperNova $$0 = \sum_{x \in \{0,1\}^s} Q(x) = \sum_{x \in \{0,1\}^s} \widetilde{eq}(\beta,x) \cdot q(x)$$
\end{footnotesize} \end{minipage}}
\vspace{1cm}
\subsection{Multifolding for multiple instances} The multifolding of multiple LCCCS \& CCCS instances is not shown in the HyperNova paper, but Srinath Setty gave an overview in the PSE HyperNova presentation. This section unfolds it.
We're going to do this example with parameters \textcolor{orange}{LCCCS: $\mu = 2$}, \textcolor{cyan}{CCCS: $\nu = 2$}, which means that we have 2 LCCCS instances and 2 CCCS instances.
Assume we have 4 $z$ vectors, $z_1,~ \textcolor{orange}{z_2}$ for the two LCCCS instances, and $z_3,~ \textcolor{cyan}{z_4}$ for the two CCCS instances, where $z_1,~z_3$ are the vectors that we already had in the example with $\mu=1,\nu=1$, and $z_2,~z_4$ are the extra ones that we're adding now.
In \emph{step 3} of the multifolding with more than one LCCCS and more than one CCCS instances, we have:
\begin{align*} g(x) &:= \left( \sum_{j \in [t]} \gamma^j \cdot L_{1,j}(x) + \textcolor{orange}{\gamma^{t+j} \cdot L_{2,j}(x)} \right) + \gamma^{2t+1} \cdot Q_1(x) + \textcolor{cyan}{\gamma^{2t+2} \cdot Q_2(x)} \\ &L_{1,j}(x) := \widetilde{eq}(r_{1,x}, x) \cdot \left( \sum_{y \in \{0,1\}^{s'}} \widetilde{M}_j(x, y) \cdot \widetilde{z}_1(y) \right)\\ &\textcolor{orange}{L_{2,j}(x)} := \widetilde{eq}(\textcolor{orange}{r_{2,x}}, x) \cdot \left( \sum_{y \in \{0,1\}^{s'}} \widetilde{M}_j(x, y) \cdot \textcolor{orange}{\widetilde{z}_2(y)} \right)\\ &Q_1(x) := \widetilde{eq}(\beta, x) \cdot \left( \sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \left( \sum_{y \in \{0, 1\}^{s'}} \widetilde{M}_j(x, y) \cdot \widetilde{z}_3(y) \right)\right)\\ &\textcolor{cyan}{Q_2(x)} := \widetilde{eq}(\textcolor{cyan}{\beta}, x) \cdot \left( \sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \left( \sum_{y \in \{0, 1\}^{s'}} \widetilde{M}_j(x, y) \cdot \textcolor{cyan}{\widetilde{z}_4(y)} \right)\right) \end{align*}
\framebox{\begin{minipage}{4.3 in} A generic definition of $g(x)$ for $\mu>1~\nu>1$, would be
$$
g(x) := \left( \sum_{i \in [\mu]} \left( \sum_{j \in [t]} \gamma^{i \cdot t+j} \cdot L_{i,j}(x) \right) \right) + \left( \sum_{i \in [\nu]} \gamma^{\mu \cdot t + i} \cdot Q_i(x) \right) $$
\end{minipage}}
Recall, the original $g(x)$ definition was $$\textcolor{gray}{g(x) := \left( \sum_{j \in [t]} \gamma^j \cdot L_j(x) \right) + \gamma^{t+1} \cdot Q(x)}$$
\vspace{0.5cm} In \emph{step 4}, $P \rightarrow V$: $(\{\sigma_{1,j}\}, \textcolor{orange}{\{\sigma_{2,j}\}}, \{\theta_{1,j}\}, \textcolor{cyan}{\{\theta_{2,j}\}}),~ \text{where} ~\forall j \in [t]$,
$$\sigma_{1,j} = \sum_{y \in \{0,1\}^{s'}} \widetilde{M}_j(r_x', y) \cdot \widetilde{z}_1(y)$$ $$\textcolor{orange}{\sigma_{2,j}} = \sum_{y \in \{0,1\}^{s'}} \widetilde{M}_j(r_x', y) \cdot \textcolor{orange}{\widetilde{z}_2(y)}$$ $$\theta_{1,j} = \sum_{y \in \{0, 1\}^{s'}} \widetilde{M}_j(r_x', y) \cdot \widetilde{z}_3(y)$$ $$\textcolor{cyan}{\theta_{2,j}} = \sum_{y \in \{0, 1\}^{s'}} \widetilde{M}_j(r_x', y) \cdot \textcolor{cyan}{\widetilde{z}_4(y)}$$
\framebox{\begin{minipage}{4.3 in} so in a generic way,\\ $P \rightarrow V$: $(\{\sigma_{i,j}\}, \{\theta_{k,j}\}),~ \text{where} ~\forall~ j \in [t],~ \forall~ i \in [\mu],~ \forall~ k \in [\nu]$ where $$\sigma_{i,j} = \sum_{y \in \{0,1\}^{s'}} \widetilde{M}_j(r_x', y) \cdot \widetilde{z}_i(y)$$ $$\theta_{k,j} = \sum_{y \in \{0, 1\}^{s'}} \widetilde{M}_j(r_x', y) \cdot \widetilde{z}_{\mu+k}(y)$$ \end{minipage}}
\vspace{1cm}
And in \emph{step 5}, $V$ checks
\begin{align*} c &= \left(\sum_{j \in [t]} \gamma^j \cdot e_1 \cdot \sigma_{1,j} ~\textcolor{orange}{+ \gamma^{t+j} \cdot e_2 \cdot \sigma_{2,j}}\right)\\ &+ \gamma^{2t+1} \cdot e_3 \cdot \left( \sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \theta_j \right) + \textcolor{cyan}{\gamma^{2t+2} \cdot e_4 \cdot \left( \sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \theta_j \right)} \end{align*}
where $e_1 \leftarrow \widetilde{eq}(r_{1,x}, r_x'),~ e_2 \leftarrow \widetilde{eq}(r_{2,x}, r_x')$, $e_3, e_4 \leftarrow \widetilde{eq}(\beta, r_x')$.
\vspace{0.5cm}
\framebox{\begin{minipage}{4.3 in} A generic definition of the check would be $$
c = \sum_{i \in [\mu]} \left(\sum_{j \in [t]} \gamma^{i \cdot t + j} \cdot e_i \cdot \sigma_{i,j} \right) \\ + \sum_{k \in [\nu]} \gamma^{\mu \cdot t+k} \cdot e_k \cdot \left( \sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \theta_{k,j} \right) $$
\end{minipage}}
where the original check was\\ $\textcolor{gray}{c = \left(\sum_{j \in [t]} \gamma^j \cdot e_1 \cdot \sigma_j \right) + \gamma^{t+1} \cdot e_2 \cdot \left( \sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \theta_j \right)}$
% TODO
% Pending questions:
% - \beta & \beta' can be the same? or related somehow like \beta'=\beta^2 ?
\vspace{0.5cm}
And for the \emph{step 7}, \begin{align*} C' &\leftarrow C_1 + \rho \cdot C_2 + \rho^2 C_3 + \rho^3 C_4 + \ldots = \sum_{i \in [\mu + \nu]} \rho^i \cdot C_i \\ u' &\leftarrow \sum_{i \in [\mu]} \rho^i \cdot u_i + \sum_{i \in [\nu]} \rho^{\mu + i-1} \cdot 1\\ \mathsf{x}' &\leftarrow \sum_{i \in [\mu+\nu]} \rho^i \cdot \mathsf{x}_i\\ v_i' &\leftarrow \sum_{i \in [\mu]} \rho^i \cdot \sigma_i + \sum_{i \in [\nu]} \rho^{\mu + i-1} \cdot \theta_i\\ \end{align*}
and \emph{step 8}, \begin{align*} \widetilde{w}' &\leftarrow \sum_{i \in [\mu+\nu]} \rho^i\cdot \widetilde{w}_i\\ r_w' &\leftarrow \sum_{i \in [\mu+\nu]} \rho^i \cdot r_{w_i}\\ \end{align*}
Note that over all the multifolding for $\mu >1$ and $\nu>1$, we can easily parallelize most of the computation.
\vspace{2cm}
%%%%%% APPENDIX
\appendix \section{Appendix: Some details} This appendix contains some notes on things that don't specifically appear in the paper, but that would be needed in a practical implementation of the scheme.
\subsection{Matrix and Vector to Sparse Multilinear Extension}
Let $M \in \mathbb{F}^{m \times n}$ be a matrix. We want to compute its MLE $$\widetilde{M}(x_1, \ldots, x_l) = \sum_{e \in \{0, 1 \}^l} M(e) \cdot \widetilde{eq}(x, e)$$
We can view the matrix $M \in \mathbb{F}^{m \times n}$ as a function with the following signature: $$M(\cdot): \{0,1\}^s \times \{0,1\}^{s'} \rightarrow \mathbb{F}$$ where $s = \lceil \log m \rceil,~ s' = \lceil \log n \rceil$.
An entry in $M$ can be accessed with a $(s+s')$-bit identifier.
eg.: $$
M = \begin{pmatrix} 1 & 2 & 3\\ 4 & 5 & 6\\ \end{pmatrix} \in \mathbb{F}^{3 \times 2} $$
$m = 3,~ n = 2,~~~ s = \lceil \log 3 \rceil = 2,~ s' = \lceil \log 2 \rceil = 1$
So, $M(x, y) = x$, where $x \in \{0,1\}^s,~ y \in \{0,1\}^{s'},~ x \in \mathbb{F}$
$$
M = \begin{pmatrix} M(00,0) & M(01,0) & M(10,0)\\ M(00,1) & M(01,1) & M(10,1)\\ \end{pmatrix} \in \mathbb{F}^{3 \times 2} $$
This logic can be defined as follows:
\begin{algorithm}[H] \caption{Generating a Sparse Multilinear Polynomial from a matrix} \begin{algorithmic} \State set empty vector $v \in (\text{index:}~ \mathbb{Z}, x: \mathbb{F}^{s \times s'})$ \For {$i$ to $m$} \For {$j$ to $n$} \If {$M_{i,j} \neq 0$} \State $v.\text{append}( \{ \text{index}: i \cdot n + j,~ x: M_{i,j} \} )$ \EndIf \EndFor \EndFor \State return $v$ \Comment {$v$ represents the evaluations of the polynomial} \end{algorithmic} \end{algorithm}
Once we have the polynomial, its MLE comes from $$\widetilde{M}(x_1, \ldots, x_{s+s'}) = \sum_{e \in \{0,1\}^{s+s'}} M(e) \cdot \widetilde{eq}(x, e)$$
$$M(X) \in \mathbb{F}[X_1, \ldots, X_s]$$
\paragraph{Multilinear extensions of vectors} Given a vector $u \in \mathbb{F}^m$, the polynomial $\widetilde{u}$ is the MLE of $u$, and is obtained by viewing $u$ as a function mapping ($s=\log m$) $$u(x): \{0,1\}^s \rightarrow \mathbb{F}$$ $\widetilde{u}(x, e)$ is the multilinear extension of the function $u(x)$ $$\widetilde{u}(x_1, \ldots, x_s) = \sum_{e \in \{0,1\}^s} u(e) \cdot \widetilde{eq}(x, e)$$
\bibliography{paper-notes.bib} \bibliographystyle{unsrt}
\end{document}
|