You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

399 lines
16 KiB

  1. \documentclass{article}
  2. \usepackage[utf8]{inputenc}
  3. \usepackage{amsfonts}
  4. \usepackage{amsthm}
  5. \usepackage{amsmath}
  6. \usepackage{enumerate}
  7. \usepackage{hyperref}
  8. % \hypersetup{
  9. % colorlinks,
  10. % citecolor=blue,
  11. % filecolor=blue,
  12. % linkcolor=black,
  13. % urlcolor=blue
  14. % }
  15. \usepackage{xcolor}
  16. % prevent warnings of underfull \hbox:
  17. \usepackage{etoolbox}
  18. \apptocmd{\sloppy}{\hbadness 4000\relax}{}{}
  19. \theoremstyle{definition}
  20. \newtheorem{definition}{Def}[section]
  21. \newtheorem{theorem}[definition]{Thm}
  22. % custom lemma environment to set custom numbers
  23. \newtheorem{innerlemma}{Lemma}
  24. \newenvironment{lemma}[1]
  25. {\renewcommand\theinnerlemma{#1}\innerlemma}
  26. {\endinnerlemma}
  27. \title{Notes on Caulk and Caulk+}
  28. \author{arnaucube}
  29. \date{February 2023}
  30. \begin{document}
  31. \maketitle
  32. \begin{abstract}
  33. Notes taken while reading about Caulk \cite{cryptoeprint:2022/621} and Caulk+ \cite{cryptoeprint:2022/957}.
  34. Usually while reading papers I take handwritten notes, this document contains some of them re-written to $LaTeX$.
  35. The notes are not complete, don't include all the steps neither all the proofs.
  36. \end{abstract}
  37. \tableofcontents
  38. \section{Preliminaries}
  39. \subsection{Lagrange Polynomials and Roots of Unity}
  40. Let $\omega$ denote a root of unity, such that $\omega^N=1$. Set $\mathbb{H}=\{1, \omega, \omega^2, \ldots, \omega^{N^{-1}}\}$.
  41. Let the $i^{th}$ Lagrange polynomial be $\lambda_i(X)=\prod_{s\neq i-1} \frac{X-\omega^s}{\omega^{i-1} -\omega}$.
  42. Notice that $\lambda_i(\omega^{i-1})=1$ and $\lambda_i(w^j)=0,~\forall j\neq i-1$.
  43. Let the vanishing polynomial of $\mathbb{H}$ be $z_H(X)=\prod_{i=0}^{N-1} (X - \omega^i) = X^N -1$.
  44. \subsection{KZG Commitments}
  45. KZG as a Vector Commitment.
  46. We have vector $\overrightarrow{c}=\{c_i\}_1^n$, which can be interpolated into $C(X)$ through Lagrange polynomials $\{ \lambda_i(X) \}$:
  47. $$C(X) = \sum^n_{i=1} c_i \cdot \lambda_i(X)$$
  48. so, $C(\omega^{i-1})=c_i$.
  49. Commitment:
  50. $$C = [C(X)]_1 = \sum^n_{i=1} c_i \cdot [\lambda_i(X)]_1$$
  51. Proof of \textbf{opening for single value} $v$ at position $i$:
  52. $$Q(X) = \frac{C(X) - v}{X-\omega^{i-1}}$$
  53. $$\pi_{KZG} = Q =[Q(X)]_1$$
  54. Verification:
  55. $$e(C - [v]_1, [1]_2) = e(\pi_{KZG},~[X-\omega^{i-1}]_2)$$
  56. unfold
  57. $$e([C(X)]_1 - [v]_1, [1]_2) = e([Q(X)]_1,~[X-\omega^{i-1}]_2)$$
  58. $$C(X) - v = Q(X) \cdot (X-\omega^{i-1}) \Longrightarrow Q(X) = \frac{C(X) - v}{X-\omega^{i-1}}$$
  59. Proof of \textbf{opening for a subset} of positions $I \subset [N]$:
  60. $[H_I]_1$ such that for
  61. $$C_I(X) = \sum_{i \in I} c_i \cdot \tau_i(X)$$
  62. $$z_I(X) = \prod_{i \in I} (X - \omega^{i-1})$$
  63. for $\{ \tau_i(X) \}_{i \in I}$ being the Lagrange interpolation polynomials over $\mathbb{H}_I = \{\omega^{i-1}\}_{i \in I}$.
  64. \emph{(recall, $z_H(X)=\prod_{i=0}^{N-1} (X - \omega^i) = X^N -1$))}
  65. $H_I(X)$ can be computed by
  66. $$H_I(X) = \frac{C(X) - C_I(X)}{z_I(X)}$$
  67. So, prover commits to $C_I(X)$ with $C_I = [C_I(X)]_1$, and computes $\pi_{KZG}$:
  68. $$\pi_{KZG} = H_I = [H_I(X)]_1$$
  69. Then, verification checks:
  70. $$e(C - C_I, [1]_2) = e(\pi_{KZG}, [z_I(X)]_2)$$
  71. unfold
  72. $$e([C(X)]_1 - [C_I(X)]_1, [1]_2) = e([H_I(X)]_1, [z_I(X)]_2)$$
  73. $$C(X) - C_I(X) = H_I(X) \cdot z_I(X)$$
  74. $$C(X) - C_I(X) = \frac{C(X)-C_I(X)}{z_I(X)} \cdot z_I(X)$$
  75. \subsection{Pedersen Commitments}\label{sec:pedersen}
  76. Commitment
  77. $$cm = v [1]_1 + r [h]_1 = [v + hr]_1$$
  78. Prove knowledge of $v,~r$, Verifier sends challenge $\{s_1, s_2\}$. Prover computes:
  79. $$R = s_1 [1]_1 + s_2 [h]_1 = [s_1 + h s_2]_1$$
  80. $$c= H(cm, R)$$
  81. $$t_1 = s_1 + v c, ~~ t_2=s_2 + r c$$
  82. Verification:
  83. $$R + c \cdot cm == t_1 [1]_1 + t_2 [h]_1$$
  84. unfold:
  85. $$R + c \cdot cm == t_1 [1]_1 + t_2 [h]_1 = [t_1 + h t_2]$$
  86. $$[s_1 + h s_2]_1 + c \cdot [v + hr]_1 == [s_1 + vc + h(s_2 + rc)]_1$$
  87. $$[s_1 + h s_2 + cv + rch]_1 == [s_1 + vc + h s_2 + rch]_1$$
  88. \section{Caulk}
  89. \subsection{Blinded Evaluation}
  90. Main idea: combine KZG commitments with Pedersen commitments to prove knowledge of a value $v$ which Pedersen commitment is committed in the KZG commitment.
  91. Let $C(X) = \sum^N_{i=1} c_i \lambda_i(X)$, where $\overrightarrow{c} = \{c_i\}_{i \in I}$. In normal KZG, prover would compute $Q(X)=\frac{C(X)-v}{X-\omega^{i-1}}$, and send $[Q(X)]_1$ as proof. We will obfuscate the commitment:
  92. rand $a \in \mathbb{F}$, blind commit to $z(X)=aX - b = a(X - \omega^{i-1})$, where $\omega^{i-1}=b/a$. Denote by $[z]_2$ the commitment to $[z(X)]_2$.
  93. Prover computes:
  94. \begin{enumerate}[i.]
  95. \item $\pi_{ped}$, Pedersen proof that $cm$ is from $v, r$ (section \ref{sec:pedersen})
  96. \item $\pi_{unity}$ (see \ref{sec:pi-unity})
  97. \item For random $s$ computes:
  98. $$T(X)=\frac{Q(X)}{a} + hs \longrightarrow [T]_1=[T(X)]_1$$
  99. $$S(X) = -r - s \cdot z(X) \longrightarrow [S]_2 = [S(X)]_2$$
  100. \end{enumerate}
  101. i, ii, iii defines the \emph{zk proof of membership}, which proves that $(v, r)$ is a opening of $cm$, and $v$ opens $C$ at $\omega^{i-1}$.
  102. Verifier checks proofs $\pi_{ped},~\pi_{unity}$ (i, ii), and checks
  103. $$e(C - cm, [1]_2) == e([T]_1, [z]_2) + e([h]_1, [S]_2)$$
  104. unfold:
  105. \begin{align*}
  106. C(X) - cm &== T(X) \cdot z(X) + h \cdot S(X) \\
  107. C(X) - v - hr &== (\frac{Q(X)}{a} + s h) \cdot z(X) + h (-r -s \cdot z(X)) \\
  108. C(X) - v &== hr + (\frac{Q(X)}{a}) z(X) + sh \cdot z(X) - hr - sh \cdot z(X) \\
  109. C(X) - v &== \frac{Q(X)}{a} \cdot z(X) \\
  110. C(X) - v &== \frac{Q(X)}{a} \cdot a(X-\omega^{i-1}) \\
  111. C(X) -v &== Q(X) \cdot (X - \omega^{i-1})
  112. \end{align*}
  113. Which matches with the definition of $Q(X) = \frac{C(X) - v}{X-\omega^{i-1}}$.
  114. \subsubsection{\texorpdfstring{Correct computation of $z(x)$, $\pi_{unity}$}%
  115. {Correct computation of proof unity}}\label{sec:pi-unity}
  116. Want to prove that prover knows $a, b$ such that $[z]_2 = [a X - b]_2$, and $a^N = b^N$.
  117. To prove $\frac{a}{b}$ is inside the evaluation domain (ie. $\frac{a}{b}$ is a N$^{th}$ root of unity), proves (in $log(N)$ time) that its N$^{th}$ is one ($\frac{a}{b} = 1$).
  118. Conditions:
  119. \begin{enumerate}[i.]
  120. \item $f_0=\frac{a}{b}$
  121. \item $f_i = f_{i-1}^2,~\forall~i=1, \ldots, log(N)$
  122. \item $f_{log(N)} = 1$
  123. \end{enumerate}
  124. Redefine i, and from there, redefine ii, iii:
  125. % \begin{minipage}[t]{0.45\textwidth}
  126. % \begin{enumerate}[i.]
  127. % \item \begin{align*}
  128. % f_0 &= z(1) = a - b\\
  129. % f_1 &= z(\sigma) a \sigma -b\\
  130. % f_2 &= \frac{f_0 - f_1}{1 - \sigma} = \frac{a(1-\sigma)}{1-\sigma} = a\\
  131. % f_3 &= \sigma f_2 - f_1 = \sigma a - a \sigma + b = b\\
  132. % f_4 &= \frac{f_2}{f_3} = \frac{a}{b}
  133. % \end{align*}
  134. % \end{enumerate}
  135. % \end{minipage}
  136. % \begin{enumerate}[i.]
  137. % \item $f_{5+i} = f_{4+i}^2,~~\forall i=0, \ldots, log(N)-1$
  138. % \item $f_{4+log(N)} = 1$
  139. % \end{enumerate}
  140. % \begin{minipage}[t]{0.45\textwidth}
  141. % \end{minipage}
  142. \begin{enumerate}[i.]
  143. \item \begin{align*}
  144. f_0 &= z(1) = a - b\\
  145. f_1 &= z(\sigma) a \sigma -b\\
  146. f_2 &= \frac{f_0 - f_1}{1 - \sigma} = \frac{a(1-\sigma)}{1-\sigma} = a\\
  147. f_3 &= \sigma f_2 - f_1 = \sigma a - a \sigma + b = b\\
  148. f_4 &= \frac{f_2}{f_3} = \frac{a}{b}
  149. \end{align*}
  150. \item $f_{5+i} = f_{4+i}^2,~~\forall i=0, \ldots, log(N)-1$
  151. \item $f_{4+log(N)} = 1$
  152. \end{enumerate}
  153. \begin{lemma}{1}
  154. Let $z(X)$ $deg=1$, $n=log(N)+6$, $\sigma$ such that $\sigma^n =1$.
  155. If $\exists$ $f(X) \in \mathbb{F}[X]$ such that
  156. \begin{enumerate}[1.]
  157. \item $f(X) = z(X)$, for $1, \sigma$
  158. \item $f(\sigma^2)(1-\sigma)=f(1)-f(\sigma)$
  159. \item $f(\sigma^3)=\sigma f(\sigma^2)-f(\sigma)$
  160. \item $f(\sigma^4)f(\sigma^3)=f(\sigma^2)$
  161. \item $f(\sigma^{4+i+1})=f(\sigma^{4+i})^2,~~\forall i= 0, \ldots, log(N)-1$
  162. \item $f(\sigma^{5+log(N)} \cdot \sigma^{-1})=1$
  163. \end{enumerate}
  164. then, $z(X)=aX-b$, where $\frac{b}{a}$ is a N$^{th}$ root of unity.
  165. \end{lemma}
  166. Let's see the relations between the conditions and the Lemma 1:
  167. \begin{scriptsize}
  168. \begin{align*}
  169. Conditions &\longrightarrow Lemma~1\\
  170. \begin{array}{l}
  171. f_0 = z(1) = a - b\\ f_1 = z(\sigma) a \sigma -b
  172. \end{array} &\longrightarrow 1.~f(X) = z(X), for 1, \sigma\\
  173. f_2 = \frac{f_0 - f_1}{1 - \sigma} = \frac{a(1-\sigma)}{1-\sigma} = a &\longrightarrow 2.~f(\sigma^2)(1-\sigma)=f(1)-f(\sigma)\\
  174. f_3 = \sigma f_2 - f_1 = \sigma a - a \sigma + b = b &\longrightarrow 3.~f(\sigma^3)=\sigma f(\sigma^2)-f(\sigma)\\
  175. f_4 = \frac{f_2}{f_3} = \frac{a}{b} &\longrightarrow 4.~f(\sigma^4)f(\sigma^3)=f(\sigma^2)\\
  176. f_{5+i} = f_{4+i}^2,~~\forall i=0, \ldots, log(N)-1 &\longrightarrow 5.~f(\sigma^{4+i+1})=f(\sigma^{4+i})^2,~\forall i= 0, \ldots, log(N)-1\\
  177. f_{4+log(N)} = 1 &\longrightarrow 6.~f(\sigma^{5+log(N)} \cdot \sigma^{-1})=1
  178. \end{align*}
  179. \end{scriptsize}
  180. For succintness: aggregate $\{f_i\}$ in a polynomial $f(X)$, whose coefficients in Lagrange basis associated to $\mathbb{V}_n$ are the $f_i$ (ie. s.t. $f(\omega^i)=f_i$).
  181. \begin{small}
  182. \begin{align*}
  183. f(X) &= (a-b) \rho_1(X) + (a \sigma - b) \rho_2(X) + a \rho_3(X) + b \rho_4(X) + \sum_{i=0}^{log(N)} (\frac{a}{b})^{2^i} \rho_{5+i}(X)\\
  184. &= f_0 \rho_1(X) + f_1 \rho_2(X) + f_2 \rho_3(X) + f_3 \rho_4(X) + \sum_{i=0}^{log(N)} (f_4)^{2^i} \rho_{5+i}(X)
  185. \end{align*}
  186. \end{small}
  187. Prover shows that $f(X)$ by comparing $f(\sigma^i)$ with the corresponding constraints from Lemma 1:
  188. For rand $\alpha$ (set by Verifier), set $\alpha_1 = \sigma^{-1} \alpha,~\alpha_2= \sigma^{-2} \alpha$, and send $v_1=f(\alpha_1),~v_2=f(\alpha_2)$ with corresponding proofs of opening.
  189. Given $v_1, v_2$, shows that $p_{\alpha}(X)$, which proves the constraints from Lemma 1, evaluates to $0$ at $\alpha$ (ie. $p_{\alpha}(\alpha)=0$).
  190. \begin{align*}
  191. p_{\alpha}(X) = &-h(X) z_{V_n}(\alpha) + [f(X)-z(X)]\cdot (\rho_1(\alpha) + \rho_2(\alpha))\\
  192. &+ [(1-\sigma) f(X) - f(\alpha_2) + f(\alpha_1)] \rho_3(\alpha)\\
  193. &+ [f(X) + f(\alpha_2) - \sigma f(\alpha_1)] \rho_4(\alpha)\\
  194. &+ [f(X) f(\alpha_1) - f(\alpha_2)] \rho_5(\alpha)\\
  195. &+ [f(X) - f(\alpha_1) f(\alpha_1)] \prod_{i \notin [5, \ldots, 4+log(N)]} (\alpha - \sigma^i)\\
  196. &+ [f(\alpha_1)-1] \rho_n(\alpha)
  197. \end{align*}
  198. \subsubsection{\texorpdfstring{NIZK argument of knowledge for $R_{unity}$ and $deg(z)\leq 1$}%
  199. {NIZK argument of knowledge for Runity and deg(z)<=1}}
  200. Prover:
  201. \begin{small}
  202. \begin{align*}
  203. &r_0, r_1, r_2, r_3 \leftarrow^\$ \mathbb{F},~~~ r(X)=r_1+r_2 X + r_3 X^2\\
  204. f(X) &= (a-b) \rho_1(X) + (a \sigma - b) \rho_2(X) + a \rho_3(X) + b \rho_4(X) + \sum_{i=0}^{log(N)} (\frac{a}{b})^{2^i} \rho_{5+i}(X)\\
  205. &+ r_0 \rho_{5+log(N)}(X) + r(X) z_{V_n}(X)\\
  206. \\
  207. p(X) &= [f(X) - (aX-b)](\rho_1(X) + \rho_2(X))\\
  208. &+[(1-\sigma)f(X) - f(\sigma^{-1}X) + f(\sigma^{-1}X)] \rho_3(X)\\
  209. &+ [f(X) + f(\sigma^{-2}X) - \sigma f(\sigma^{-1} X)] \rho_4(X)\\
  210. &+ [f(X)f(\sigma^{-1}X)-f(\sigma^{-2}X)] \rho_5(X)\\
  211. &+ [f(X)-f(\sigma^{-1}X)f(\sigma^{-1}X)] \prod_{i \notin [5, 4+log(N)]} (X-\sigma^i)\\
  212. &+ [f(\sigma^{-1}X)-1] \rho_n(X)
  213. \end{align*}
  214. \end{small}
  215. Set
  216. $$h'(X) = \frac{p(X)}{z_{V_n}(X)},~~h(X)=h'(X) + X^{d-1} z(X)$$
  217. output $([F]_1=[f(X)]_1, ~ [H]_1=[h(x)]_1)$.
  218. \begin{footnotesize}
  219. Note that
  220. \begin{align*}
  221. h(x)&=h'(X)+X^{d-1}z(X)\\
  222. &=\frac{p(X)}{z_{V_n}(X)} + X^{d-1} z(X) \longrightarrow p(X)+X^{d-1} z(X) = z_{V_n}(X) h(X)
  223. \end{align*}
  224. \end{footnotesize}
  225. Verifier sets challenge $\alpha \in^{\$} \mathbb{F}$ (hash of transcript by Fiat-Shamir).
  226. \begin{align*}
  227. p_{\alpha}(X) = &-h(X) z_{V_n}(\alpha)\\
  228. &+ [f(X)-z(X)]\cdot (\rho_1(\alpha) + \rho_2(\alpha))\\
  229. &+ [(1-\sigma) f(X) - f(\alpha_2) + f(\alpha_1)] \rho_3(\alpha)\\
  230. &+ [f(X) + f(\alpha_2) - \sigma f(\alpha_1)] \rho_4(\alpha)\\
  231. &+ [f(X) f(\alpha_1) - f(\alpha_2)] \rho_5(\alpha)\\
  232. &+ [f(X) - f(\alpha_1) f(\alpha_1)] \prod_{i \notin [5, \ldots, 4+log(N)]} (\alpha - \sigma^i)\\
  233. &+ [f(\alpha_1)-1] \rho_n(\alpha)
  234. \end{align*}
  235. \begin{footnotesize}
  236. Note: for the check that $[z]_1$ has degree 1, we add $-h(X) z_{V_n}(\alpha)$, to include the term $X^{d-1} z(X)$ in $h(X)$. Later the Verifier will compute $[P]_1$ without the terms including $z(X)$ (ie. without $-X^{d-1} z(X)z_{V_n}(\alpha)-z(X)[\rho_1(\alpha)+\rho_2(\alpha)]$), which the Verifier will add via the pairing:
  237. \begin{align*}
  238. -&X^{d-1} z(X)z_{V_n}(\alpha)-z(X)(\rho_1(\alpha)+\rho_2(\alpha))\\
  239. =~ &(-X^{d-1} z_{V_n}(\alpha) - (\rho_1(\alpha)+\rho_2(\alpha))) \cdot z(X)\\
  240. \longrightarrow~ &e(- (\rho_1(\alpha)+\rho_2(\alpha)) - z_{V_n}(\alpha) [X^{d-1}]_1, [z]_2)
  241. \end{align*}
  242. \end{footnotesize}
  243. Prover then generates KZG proofs
  244. \begin{align*}
  245. ((v_1, v_2), \pi_1) &\leftarrow KZG.Open(f(X), (\alpha_1, \alpha_2))\\
  246. (0, \pi_2) &\leftarrow KZG.Open(p_{\alpha}(X), \alpha)
  247. \end{align*}
  248. prover's output: $(v_1, v_2, \pi_1, \pi_2)$.
  249. Verify:
  250. set $\alpha_1=\sigma^{-1}\alpha, ~\alpha_2=\sigma^{-2}\alpha$,
  251. \begin{footnotesize}(notice that $f(X)\rightarrow [F]_1$, and $f(\alpha_1)=v_1,~f(\alpha_2)=v_2$)\end{footnotesize}
  252. \begin{align*}
  253. [P]_1 = &-z_{V_n}(\alpha)[H]_1 + [F]_1 (\rho_1(\alpha) + \rho_2(\alpha))\\
  254. &+ [(1-\sigma) [F]_1 - v_2 + v_1] \rho_3(\alpha)\\
  255. &+ [[F]_1 + v_2 - \sigma v_1] \rho_4(\alpha)\\
  256. &+ [[F]_1 v_1 - v_2] \rho_5(\alpha)\\
  257. &+ [[F]_1 - v_1^2] \prod_{i \notin [5, \ldots, 4+log(N)]} (\alpha - \sigma^i)\\
  258. &+ [v_1-1] \rho_n(\alpha)
  259. \end{align*}
  260. $$KZG.Verify((\alpha_1, \alpha_2), (v_1, v_2), \pi_1)$$
  261. $$e([P]_1, [1]_2) + e(-(\rho_1(\alpha) + \rho_2(\alpha)) - z_{V_n}(\alpha) [x^{d-1}]_1, [z]_2) = e(\pi_2, [x-\alpha]_2)$$
  262. \section{Caulk+}
  263. Main update from original Caulk: $R_{unity}$, $\pi_{unity}$ is replaced with a pairing check constraining the evaluation points to be roots of a polynomial dividing $X^n-1$.
  264. KZG commitment $c$ to $C(X)$, with evaluation points in $\mathbb{H}$.\\
  265. KZG commitment $a$ to $A(X)$, with evaluation points in $\mathbb{V}$.
  266. Witness:\\
  267. $I \subset [n], ~~ \{ c_i \}_{i \in I} ,~~ C(X), A(X) ,~~ u: [m] \rightarrow I$
  268. Precomputed:\\
  269. $[W_1^i(x)]_2 ~~\forall i \in I$, where $W_1^i(X) = \frac{C(X) - c_i)}{X-\omega^i}$\\
  270. $[W_2^i(x)]_2 ~~\forall i \in I$, where $W_2^i(X) = \frac{Z_{\mathbb{H}}(X)}{X-\omega^i}$
  271. \paragraph{Round 1}
  272. \begin{enumerate}[i.]
  273. \item rand blinding factors $r1, \ldots, r_6$
  274. \item Lagrange basis polynomials $\{ \tau_i(X) \}_{i \in [m]}$ over $\omega^j_{j \in I}$
  275. \item $Z_I'(X)= r_1 \prod_{i \in I} (X - \omega^i)$
  276. \item $C_I(X)=\sum_{i \in I} c_i \tau_i(X)$ (unblinded)
  277. \item blinded $C_I'(X)=C_I(X) + (r_2 + r_3 X + r_4 X^2) Z_I'(X)$
  278. \item set $U(x)$, being degree $m-1$ interploation over $\mathbb{V}$ with $U(v_i)=\omega^{u(i)},~ \forall i\in [m]$
  279. \item blinded $U'(X)= U(X) + (r_5 + r_6 X) Z_{\mathbb{V}}(X)$
  280. \item return $z_I=[Z_I'(x)]_1,~ c_I=[C_I'(x)]_1,~ u=[U'(X)]_1$
  281. \end{enumerate}
  282. Verifier sets random challenges $\chi_1, \chi_2$.
  283. \paragraph{Round 2}
  284. \begin{enumerate}[i.]
  285. \item $[W_1(x)+ \chi_2 W_2(x)]_2 = \sum_{i \in I} \frac{[W_1^i(x)]_2 + \chi_2 [W_2^i(x)]_2}{\prod_{j \in I,~i \neq j} \omega^i - \omega^j}$
  286. \item $H(X) = \frac{Z_I'(U'(X)) + \chi_1 (C_I'(U'(X)) - A(X))}{Z_{\mathbb{V}}(X)}$
  287. \item return $w=r_1^{-1} [W_1(x) + \chi_2 W_2(x)]_2 - [r_2 + r_3 x + r_4 x^2]_2,~ h=[H(x)]_1$
  288. \end{enumerate}
  289. Verifier sets random challenge $\alpha$.
  290. \paragraph{Round 3}
  291. Output $v_1, v_2, \pi_1, \pi_2, \pi_3$, where
  292. \begin{align*}
  293. P_1(X) &\leftarrow Z_I'(X) + \chi_1 C_I'(X)\\
  294. P_2(X) &\leftarrow Z_I'(U'(\alpha)) + \chi_1 (C_I'(U'(\alpha)) - A(X)) - Z_{\mathbb{V}}(\alpha) H(X)\\
  295. (v_1, \pi_1) &\leftarrow KZG.Open(U'(X), \alpha)\\
  296. (v_2, \pi_2) &\leftarrow KZG.Open(P_1(X), v_1)\\
  297. (0, \pi_3) &\leftarrow KZG.Open(P_2(X), \alpha)\\
  298. \end{align*}
  299. \paragraph{Verify}
  300. Compute $p_1 = z_I + \chi_1 c_I, ~~ p_2= [v_2]_1 - \chi_1 a - Z_{\mathbb{V}}(\alpha) h$, verify
  301. \begin{align*}
  302. 1 &\leftarrow KZG.Verify(u, \alpha, v_1, \pi_1)\\
  303. 1 &\leftarrow KZG.Verify(p_1, v_1, v_2, \pi_2)\\
  304. 1 &\leftarrow KZG.Verify(p_2, \alpha, 0, \pi_3)\\
  305. e((C-c_I) &+ \chi_2[x^n -1]_1, [1]_2) = e(z_I, w)
  306. \end{align*}
  307. \bibliography{paper-notes.bib}
  308. \bibliographystyle{unsrt}
  309. \end{document}