diff --git a/notes_hypernova.pdf b/notes_hypernova.pdf index b9f7b44..e978acc 100644 Binary files a/notes_hypernova.pdf and b/notes_hypernova.pdf differ diff --git a/notes_hypernova.tex b/notes_hypernova.tex index e42c815..336efd9 100644 --- a/notes_hypernova.tex +++ b/notes_hypernova.tex @@ -7,11 +7,38 @@ \usepackage{enumerate} \usepackage{hyperref} \usepackage{xcolor} -\usepackage{pgf-umlsd} % diagrams \usepackage{centernot} \usepackage{algorithm} \usepackage{algpseudocode} +\usepackage{pgf-umlsd} % diagrams + +% message between threads. From https://tex.stackexchange.com/a/174765 +% Example: +% \bloodymess[delay]{sender}{message content}{receiver}{DIR}{start note}{end note} +\newcommand{\bloodymess}[7][0]{ + \stepcounter{seqlevel} + \path + (#2)+(0,-\theseqlevel*\unitfactor-0.7*\unitfactor) node (mess from) {}; + \addtocounter{seqlevel}{#1} + \path + (#4)+(0,-\theseqlevel*\unitfactor-0.7*\unitfactor) node (mess to) {}; + \draw[->,>=angle 60] (mess from) -- (mess to) node[midway, above] + {#3}; + + \if R#5 + \node (\detokenize{#3} from) at (mess from) {\llap{#6~}}; + \node (\detokenize{#3} to) at (mess to) {\rlap{~#7}}; + \else\if L#5 + \node (\detokenize{#3} from) at (mess from) {\rlap{~#6}}; + \node (\detokenize{#3} to) at (mess to) {\llap{#7~}}; + \else + \node (\detokenize{#3} from) at (mess from) {#6}; + \node (\detokenize{#3} to) at (mess to) {#7}; + \fi + \fi +} + % prevent warnings of underfull \hbox: \usepackage{etoolbox} 
@@ -147,6 +174,30 @@ Let $s= \log m,~ s'= \log n$. \item $P$: output folded witness: $\widetilde{w}' \leftarrow \widetilde{w}_1 + \rho \cdot \widetilde{w}_2$. \end{enumerate} + +\vspace{1cm} +Multifolding flow: +\begin{center} + \begin{sequencediagram} + \newinst[1]{p}{Prover} + \newinst[3]{v}{Verifier} + + \bloodymess[1]{v}{$\gamma,~\beta,~r_x'$}{p}{L}{ + \shortstack{ + $\gamma \in \mathbb{F},~ \beta \in \mathbb{F}^s$\\ + $r_x' \in \mathbb{F}^s$ + } + }{} + \bloodymess[1]{p}{$c,~ \pi_{SC}$}{v}{R}{sum-check prove}{sum-check verify} + \bloodymess[1]{p}{$\{\sigma_j\},~\{\theta_j\}$}{v}{R}{compute $\{\sigma_j\}, \{\theta_j\}~ \forall j \in [t]$}{verify $c$ with $\{\sigma_j\}, \{\theta_j\}$ relation} + \bloodymess[1]{v}{$\rho$}{p}{L}{$\rho \in^R \mathbb{F}$}{} + \callself[0]{p}{fold LCCCS instance}{p} + \prelevel + \callself[0]{v}{fold LCCCS instance}{v} + \callself[0]{p}{fold $\widetilde{w}$}{p} + \end{sequencediagram} +\end{center} + \vspace{1cm} Now, to see the verifier check from step 5, observe that in LCCCS, since $\widetilde{w}$ satisfies, @@ -178,7 +229,7 @@ Then we can see that \begin{align*} c &= g(r_x')\\ &= \left( \sum_{j \in [t]} \gamma^j \cdot L_j(r_x') \right) + \gamma^{t+1} \cdot Q(r_x')\\ - &= \left( \sum_{j \in [t]} \gamma^j \cdot e_q \cdot \sigma_j \right) + \gamma^{t+1} \cdot e_2 \cdot \sum_{i \in [q]} c_i \prod_{j \in S_i} \theta_j + &= \left( \sum_{j \in [t]} \gamma^j \cdot \overbrace{e_1 \cdot \sigma_j}^{L_j(r_x')} \right) + \gamma^{t+1} \cdot \overbrace{e_2 \cdot \sum_{i \in [q]} c_i \prod_{j \in S_i} \theta_j}^{Q(x)} \end{align*} where $e_1 = \widetilde{eq}(r_x, r_x')$ and $e_2=\widetilde{eq}(\beta, r_x')$. 
@@ -229,7 +280,7 @@ This logic can be defined as follows: \begin{algorithm}[H] \caption{Generating a Sparse Multilinear Polynomial from a matrix} \begin{algorithmic} - \State set empty vector $v \in (\text{index:}~ \mathbb{Z}, x: \mathbb{F})^{s \times s'}$ + \State set empty vector $v \in (\text{index:}~ \mathbb{Z}, x: \mathbb{F}^{s \times s'})$ \For {$i$ to $m$} \For {$j$ to $n$} \If {$M_{i,j} \neq 0$} diff --git a/notes_nova.pdf b/notes_nova.pdf index dca53e4..9dc4afe 100644 Binary files a/notes_nova.pdf and b/notes_nova.pdf differ diff --git a/notes_nova.tex b/notes_nova.tex index 41fa589..de93eac 100644 --- a/notes_nova.tex +++ b/notes_nova.tex @@ -170,7 +170,7 @@ Let $Z_1 = (W_1, x_1, u_1)$ and $Z_2 = (W_2, x_2, u_2)$. \end{align*} \end{enumerate} -P will proof that knows the valid witness $(E, r_E, W, r_W)$ for the committed relaxed R1CS without revealing its value. +P will prove that knows the valid witness $(E, r_E, W, r_W)$ for the committed relaxed R1CS without revealing its value. \begin{center} \begin{sequencediagram} diff --git a/notes_spartan.pdf b/notes_spartan.pdf index d7e50d6..92245c5 100644 Binary files a/notes_spartan.pdf and b/notes_spartan.pdf differ diff --git a/notes_spartan.tex b/notes_spartan.tex index ef71f50..ccff831 100644 --- a/notes_spartan.tex +++ b/notes_spartan.tex 
@@ -89,24 +89,33 @@ $$ \vspace{0.5cm} -$\widetilde{F}_{io}(\cdot)$: low-degree multivariate polynomial over $\mathbb{F}$ in $s$ variables. -Verifier can check if $\sum_{x \in \{0,1\}^s} \widetilde{F}_{io}(x)=0$ using the Sum-check protocol. +So, for this, V will need to check that $\widetilde{F}_{io}$ vanishes over the boolean hypercube ($\widetilde{F}_{io}(x)=0 ~\forall x \in \{0,1\}^s$). -But: $\sum_{x\in \{0,1\}^s} \widetilde{F}_{io}(x)=0 \centernot\Longleftrightarrow F_{io}(x)=0 \forall x \in \{0,1\}^s$. +Recall that $\widetilde{F}_{io}(\cdot)$ is a low-degree multivariate polynomial over $\mathbb{F}$ in $s$ variables. +Thus, checking that $\widetilde{F}_{io}$ vanishes over the boolean hypercube is equivalent to checking that $\widetilde{F}_io=0$. + +Thus, V can check $\sum_{x \in \{0,1\}^s} \widetilde{F}_{io}(x)=0$ using the Sum-check protocol (through SZ lemma, V can check if for a random value it equals to 0, and be convinced that applies to all the points whp.). + +But: as $\widetilde{F}_{io}(x)$ is not multilinear, so $\sum_{x\in \{0,1\}^s} \widetilde{F}_{io}(x)=0 \centernot\Longleftrightarrow F_{io}(x)=0 ~\forall x \in \{0,1\}^s$. Bcs: the $2^s$ terms in the sum might cancel each other even when the individual terms are not zero. -Solution: combine $\widetilde{F}_{io}(x)$ with $\widetilde{eq}(t, x)$ to get $Q_{io}(t, x)$ as a zero-polynomial +Solution: combine $\widetilde{F}_{io}(x)$ with $\widetilde{eq}(t, x)$ to get $Q_{io}(t, x)$ which will be the unique multilinear polynomial, and then check that it is a zero-polynomial $$Q_{io}(t)= \sum_{x \in \{0,1\}^s} \widetilde{F}_{io}(x) \cdot \widetilde{eq}(t, x)$$ where $\widetilde{eq}(t, x) = \prod_{i=1}^s (t_i \cdot x_i + (1- t_i) \cdot (1- x_i))$, which is the MLE of $eq(x,e)= \{ 1 ~\text{if}~ x=e,~ 0 ~\text{otherwise} \}$. 
-Basically $Q_{io}(\cdot)$ is a multivariate polynomial such that +Basically $Q_{io}(\cdot)$ is a multivariate (the unique multilinear) polynomial such that $$Q_{io}(t) = \widetilde{F}_{io}(t) ~\forall t \in \{0,1\}^s$$ thus, $Q_{io}(\cdot)$ is a zero-polynomial iff $\widetilde{F}_{io}(x)=0 ~\forall x\in \{0,1\}^s$. $\Longleftrightarrow$ iff $\widetilde{F}_{io}(\cdot)$ encodes a witness $w$ such that $Sat_{R1CS}(x, w)=1$. -To check that $Q_{io}(\cdot)$ is a zero-polynomial: check $Q_{io}(\tau)=0,~ \tau \in^R \mathbb{F}^s$ (Schwartz-Zippel-DeMillo–Lipton lemma). +$\widetilde{F}_{io}(x)$ has degree 2 in each variable, and $\widetilde{eq}(t, x)$ has degree 1 in each variable, so $Q_{io}(t)$ has degree 3 in each variable. + +To check that $Q_{io}(\cdot)$ is a zero-polynomial: check $Q_{io}(\tau)=0,~ \tau \in^R \mathbb{F}^s$ (Schwartz-Zippel-DeMillo–Lipton lemma) through the sum-check protocol. + +This would mean that the R1CS instance is satisfied. + \paragraph{Recap} \begin{itemize} @@ -125,7 +134,12 @@ Recall: $G_{io, \tau}(x) = \widetilde{F}_{io}(x) \cdot \widetilde{eq}(\tau, x)$. Evaluating $\widetilde{eq}(\tau, r_x)$ takes $O(log~m)$, but to evaluate $\widetilde{F}_{io}(r_x)$, V needs to evaluate $$\widetilde{A}(r_x, y), \widetilde{B}(r_x, y), \widetilde{C}(r_x, y), \widetilde{Z}(y),~ \forall y \in \{0,1\}^s$$ -But: evaluations of $\widetilde{Z}(y) ~\forall y \in \{0,1\}^s ~\Longleftrightarrow (io, 1, w)$. + +which requires 3 sum-check instances (\begin{scriptsize} +$\left( \sum_{y \in \{0,1\}^s} \widetilde{A}(x, y) \cdot \widetilde{Z}(y) \right)$,\\ $\left( \sum_{y \in \{0,1\}^s} \widetilde{B}(x, y) \cdot \widetilde{Z}(y) \right)$, $\left( \sum_{y \in \{0,1\}^s} \widetilde{C}(x, y) \cdot \widetilde{Z}(y) \right)$ +\end{scriptsize}), one for each summation in\\ $\widetilde{F}_{io}(x)$. + +But note that evaluations of $\widetilde{Z}(y) ~\forall y \in \{0,1\}^s$ are already known as $(io, 1, w)$. Solution: combination of 3 protocols: \begin{itemize} 
@@ -133,6 +147,7 @@ Solution: combination of 3 protocols: \item randomized mini protocol \item polynomial commitment scheme \end{itemize} +Basically to do a random linear combination of the 3 summations to end up doing just a single sum-check. Observation: let $\widetilde{F}_{io}(r_x) = \overline{A}(r_x) \cdot \overline{B}(r_x) - \overline{C}(r_x)$, where $$\overline{A}(r_x) = \sum_{y \in \{0,1\}} \widetilde{A}(r_x, y) \cdot \widetilde{Z}(y),~~\overline{B}(r_x) = \sum_{y \in \{0,1\}} \widetilde{B}(r_x, y) \cdot \widetilde{Z}(y)$$ @@ -242,6 +257,8 @@ Instead of evaluating $\widetilde{Z}(r_y)$ in $O(|w|)$ communications, P sends a Section 6 of the paper, describes how in step 16, instead of evaluating $\widetilde{A},~\widetilde{B},~\widetilde{C}$ at $r_x,~r_y$ with $O(n)$ costs, P commits to $\widetilde{A},~\widetilde{B},~\widetilde{C}$ and later provides proofs of openings. +In a practical implementation those commits to $\widetilde{A},~\widetilde{B},~\widetilde{C}$ could be done in a preprocessing step. + \vspace{1cm} \framebox{WIP: covered until sec.6} diff --git a/r1cs-ccs.sage b/r1cs-ccs.sage index bf60dec..06bfccc 100644 --- a/r1cs-ccs.sage +++ b/r1cs-ccs.sage @@ -98,7 +98,7 @@ print("z:", z) print("S:", S) print("c:", c) -# check CCS relation +# check CCS relation (this is agnostic to R1CS, for any CCS instance) r = [F(0)] * m for i in range(0, q): hadamard_output = [F(1)]*m
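Review bot: In the new \bloodymess macro added to the preamble of notes_hypernova.tex, the note nodes are named from the message text, (\detokenize{#3} from) and (\detokenize{#3} to), and the messages passed in by the diagram hunk contain commas and math such as $\gamma,~\beta,~r_x'$. The TikZ manual advises against punctuation such as commas, dots or colons in node names, and two messages with identical text would end up with the same name. Nothing in the added diagram refers to these names, so consider deriving them from the seqlevel counter, or leaving the note nodes unnamed.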
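Review bot: In the multifolding diagram added to notes_hypernova.tex, only the last challenge is marked as random ($\rho \in^R \mathbb{F}$), while the first message annotates $\gamma \in \mathbb{F}$, $\beta \in \mathbb{F}^s$ and $r_x' \in \mathbb{F}^s$ with a plain \in. If those values are also sampled at random by the verifier, use \in^R for them as well so the diagram is consistent about which values are challenges.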
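Review bot: In the corrected last line of the align* block in notes_hypernova.tex, the second overbrace is labelled Q(x), while the line above writes the same term as \gamma^{t+1} \cdot Q(r_x') and the first overbrace uses L_j(r_x'). Label it Q(r_x') so that both annotations name the evaluation point.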
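Review bot: In the algorithm hunk of notes_hypernova.tex, moving the exponent inside the tuple makes the type read as x being an element of \mathbb{F}^{s \times s'}, yet the loop below tests one entry M_{i,j} at a time. If each element of v pairs an index with a single field value, the exponent does not belong on \mathbb{F}; state the entry type and the length of v separately. Note also that the loops run to m and n, while s and s' are defined earlier as \log m and \log n.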
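Review bot: The corrected sentence in notes_nova.tex still has no subject after "that": "P will prove that knows the valid witness". Suggest "P will prove that it knows a valid witness $(E, r_E, W, r_W)$ for the committed relaxed R1CS without revealing it."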
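Review bot: In the first notes_spartan.tex hunk, the added sentence "checking that $\widetilde{F}_{io}$ vanishes over the boolean hypercube is equivalent to checking that $\widetilde{F}_io=0$" conflicts with the line added just below it, which says $\widetilde{F}_{io}(x)$ is not multilinear. A polynomial of degree above 1 in some variable can vanish on all of $\{0,1\}^s$ without being the zero polynomial, which is the reason the text then moves to $Q_{io}$, so that sentence should be dropped or reworded. In the same hunk: \widetilde{F}_io needs braces around the subscript; "But: as ... is not multilinear, so" should lose one of its two conjunctions; $Q_{io}(t, x)$ in the "Solution" line does not match the definition $Q_{io}(t)$ that follows; and "$Q_{io}(t)$ has degree 3 in each variable" contradicts "(the unique multilinear)" added a few lines above it, since the degree 3 is that of the summand $\widetilde{F}_{io}(x) \cdot \widetilde{eq}(t, x)$ in $x$, not of $Q_{io}$ in $t$.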
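Review bot: In the second notes_spartan.tex hunk (the one starting at "Recall: $G_{io, \tau}(x)$"), the three added sums are written at $(x, y)$, while the sentence they extend is about evaluating at $r_x$ ($\widetilde{A}(r_x, y)$ and so on). Use $r_x$ in the sums, or say explicitly that they are the terms of $\widetilde{F}_{io}(x)$ for a general $x$. The \begin{scriptsize}...\end{scriptsize} group with manual \\ breaks inside a parenthesis is also fragile; a small display equation or {\scriptsize ...} would typeset more predictably.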
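Review bot: The sentence added after the itemize in notes_spartan.tex, "Basically to do a random linear combination of the 3 summations to end up doing just a single sum-check.", is a fragment with no subject. Suggest "The idea is to take a random linear combination of the 3 summations so that a single sum-check suffices." While in this hunk, the context lines just below write the sums over $y \in \{0,1\}$ without the exponent $s$ that the sums in the previous hunk carry.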