arnaucube/math
1
1
Fork 0
mirror of https://github.com/arnaucube/math.git synced 2026-01-10 16:01:31 +01:00
Code Issues Projects Releases Wiki Activity

Add first part Spartan notes, continue Nova notes

Browse Source
This commit is contained in:
arnaucube
2023-04-15 20:44:54 +02:00
parent d509900028
commit 5e138717c5
5 changed files with 357 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
notes_nova.pdf
View File

Binary file not shown.

148
notes_nova.tex
View File

@@ -8,6 +8,33 @@
\usepackage{hyperref}
\usepackage{xcolor}
\usepackage{pgf-umlsd} % diagrams
% message between threads
% Example:
% \bloodymess[delay]{sender}{message content}{receiver}{DIR}{start note}{end note}
\newcommand{\bloodymess}[7][0]{
\stepcounter{seqlevel}
\path
(#2)+(0,-\theseqlevel*\unitfactor-0.7*\unitfactor) node (mess from) {};
\addtocounter{seqlevel}{#1}
\path
(#4)+(0,-\theseqlevel*\unitfactor-0.7*\unitfactor) node (mess to) {};
\draw[->,>=angle 60] (mess from) -- (mess to) node[midway, above]
{#3};
\if R#5
\node (\detokenize{#3} from) at (mess from) {\llap{#6~}};
\node (\detokenize{#3} to) at (mess to) {\rlap{~#7}};
\else\if L#5
\node (\detokenize{#3} from) at (mess from) {\rlap{~#6}};
\node (\detokenize{#3} to) at (mess to) {\llap{#7~}};
\else
\node (\detokenize{#3} from) at (mess from) {#6};
\node (\detokenize{#3} to) at (mess to) {#7};
\fi
\fi
}
% prevent warnings of underfull \hbox:
\usepackage{etoolbox}
\apptocmd{\sloppy}{\hbadness 4000\relax}{}{}
@@ -41,7 +68,7 @@
\tableofcontents
\section{Folding Scheme for Committed Relaxed R1CS}
\section{NIFS}
\subsection{R1CS modification}
@@ -95,7 +122,7 @@ $(\overline{E}, u, \overline{W}, x)$, satisfyied by a witness $(E, r_E, W, r_W)$
\end{align*}
\subsection{Folding protocol}
\subsection{Folding scheme for committed relaxed R1CS}
V and P take two \emph{committed relaxed R1CS} instances
\begin{align*}
@@ -133,11 +160,120 @@ Let $Z_1 = (W_1, x_1, u_1)$ and $Z_2 = (W_2, x_2, u_2)$.
\end{align*}
\end{enumerate}
P uses a zkSNARK showing that knows the valid witness $(E, r_E, W, r_W)$ for the committed relaxed R1CS without revealing its value.
Then, via Fiat-Shamir transform we achieve non-interactivity.
P will proof that knows the valid witness $(E, r_E, W, r_W)$ for the committed relaxed R1CS without revealing its value.
\section{IVC proofs}
\textbf{WIP}
\begin{center}
\begin{sequencediagram}
\newinst[1]{p}{Prover}
\newinst[3]{v}{Verifier}
\bloodymess[1]{p}{$\overline{T}$}{v}{R}{
\shortstack{
$T=A z_1 \circ B z_1 + A z_2 \circ B z_2 - u_1 C z_2 - u_2 C z_2$\\
$\overline{T}=Commit(T, r_T)$
}
}{
\shortstack{
$r \in^R \mathbb{F}_p$\\
$\overline{E} = \overline{E}_1 + r \overline{T} + r^2 \overline{E}_2$\\
$u= u_1 + r u_2$\\
$\overline{W} = \overline{W}_1 + r \overline{W}_2$\\
$\overline{x} = \overline{x}_1 + r \overline{x}_2$\\
$\varphi=(\overline{E}, u, \overline{W}, x)$
}
}
\bloodymess[1]{v}{$r$}{p}{L}{}{
\shortstack{
$E = E_1 + r T + r^2 E_2$\\
$u= u_1 + r u_2$\\
$W = W_1 + r W_2$\\
$r_{W} = r_{W_1} + r r_{W_2}$\\
$(E, r_E, W, r_W)$
}
}
\end{sequencediagram}
\end{center}
The previous protocol achieves non-interactivity via Fiat-Shamir transform, obtaining a \emph{Non-Interactive Folding Scheme for Committed Relaxed R1CS}.
Note: the paper later uses $\mathsf{u}_i,~ \mathsf{U}_i$ for the two inputed $\varphi_1,~ \varphi_2$, and later $\mathsf{u}_{i+1}$ for the outputed $\varphi$. Also, the paper later uses $\mathsf{w},~ \mathsf{W}$ to refer to the witnesses of two folded instances (eg. $\mathsf{w}=(E, r_E, W, r_W)$).
\section{Nova}
IVC (Incremental Verifiable Computation) scheme for a non-interactive folding scheme.
\subsection{IVC proofs}
Allows prover to show $z_n = F^{(n)}(z_0)$, for some count $n$, initial input $z_0$, and output $z_n$.\\
$F$: program function (polynomial-time computable)\\
$F'$: augmented function, invokes $F$ and additionally performs fold-related stuff.
\vspace{0.5cm}
Two committed relaxed R1CS instances:\\
$\mathsf{U}_i$: represents the correct execution of invocations $1, \ldots, i-1$ of $F'$\\
$\mathsf{u}_i$: represents the correct execution of invocations $i$ of $F'$
\paragraph{Simplified version of $F'$ for intuition}
\vspace{0.5cm}
$F'$ performs two tasks:
\begin{enumerate}[i.]
\item execute a step of the incremental computation:
instance $\mathsf{u}_i$ contains $z_i$, used to output $z_{i+1}=F(z_i)$
\item invokes the verifier of the non-interactive folding scheme to fold the task of checking $\mathsf{u}_i$ and $\mathsf{U}_i$ into the task of checking a single instance $\mathsf{U}_{i+1}$
\end{enumerate}
\vspace{0.5cm}
$F'$ proves that:
\begin{enumerate}
\item $\exists ( (i, z_0, z_i, \mathsf{u}_i, \mathsf{U}_i), \mathsf{U}_{i+1}, \overline{T})$ such that
\begin{enumerate}[i.]
\item $\mathsf{u}_i.x = H(vk, i, z_0, z_i, \mathsf{U}_i)$
\item $h_{i+1} = H(vk, i+1, z_0, F(z_i), \mathsf{U}_{i+1})$
\item $\mathsf{U}_{i+1} = NIFS.V(vk, \mathsf{U}_i, \mathsf{u}_i, \overline{T})$
\end{enumerate}
\item $F'$ outputs $h_{i+1}$
\end{enumerate}
$F'$ is described as follows:\\
$F'(vk, \mathsf{U}_i, \mathsf{u}_i, (i, z_0, z_i), w_i, \overline{T}) \rightarrow x$:\\
if $i=0$, output $H(vk, 1, z_0, F(z_0, w_i), \mathsf{u}_{\bot})$\\
otherwise
\begin{enumerate}
\item check $\mathsf{u}_i.x = H(vk, i, z_0, z_i, \mathsf{U}_i)$
\item check $(\mathsf{u}_i.\overline{E}, \mathsf{u}_i.u) = (\mathsf{u}_{\bot}.\overline{E}, 1)$
\item compute $\mathsf{U}_{i+1} \leftarrow NIFS.V(vk, U, u, \overline{T})$
\item output $H(vk, i+1, z_0, F(z_i, w_i), \mathsf{U}_{i+1})$
\end{enumerate}
% TODO add diagram
\paragraph{IVC Proof}
iteration $i+1$: prover runs $F'$ and computes $\mathsf{u}_{i+1},~ \mathsf{U}_{i+1}$, with corresponding witnesses $\mathsf{w}_{i+1},~ \mathsf{W}_{i+1}$.
$(\mathsf{u}_{i+1},~ \mathsf{U}_{i+1})$ attest correctness of $i+1$ invocations of $F'$, the IVC proof is $\pi_{i+1} = ( (\mathsf{U}_{i+1}, \mathsf{W}_{i+1}), (\mathsf{u}_{i+1}, \mathsf{w}_{i+1}))$.
\vspace{0.5cm}
\underline{$P(pk, (i, z_0, z_i), \mathsf{w}_i, \pi_i) \rightarrow \pi_{i+1}$}:\\
Parse $\pi_i = ( (\mathsf{U}_i, \mathsf{W}_i), (\mathsf{u}_i, \mathsf{w}_i))$, then
\begin{enumerate}
\item if $i=0$: $(\mathsf{U}_{i+1}, \mathsf{W}_{i+1}, \overline{T}) \leftarrow (\mathsf{u}_{\perp}, \mathsf{w}_{\perp}, \mathsf{u}_{\perp}.{\overline{E}})$\\
otherwise: $(\mathsf{U}_{i+1}, \mathsf{W}_{i+1}, \overline{T}) \leftarrow NIFS.P(pk, (\mathsf{U}_i, \mathsf{W}_i), (\mathsf{u}_i, \mathsf{w}_i))$
\item compute $(\mathsf{u}_{i+1}, \mathsf{w}_{i+1}) \leftarrow trace(F', (vk, \mathsf{U}_i, \mathsf{u}_i, (i, z_0, z_i), \mathsf{w}_i, \overline{T}))$
\item output $\pi_{i+1} \leftarrow ((\mathsf{U}_{i+1}, \mathsf{W}_{i+1}), (\mathsf{u}_{i+1}, \mathsf{w}_{i+1}))$
\end{enumerate}
\underline{$V(vk, (i, z_0, z_i), \pi_i) \rightarrow \{0,1\}$}:
if $i=0$: check that $z_i=z_0$\\
otherwise, parse $\pi_i = ( (\mathsf{U}_i, \mathsf{W}_i), (\mathsf{u}_i, \mathsf{w}_i))$, then
\begin{enumerate}
\item check $\mathsf{u}_i.x = H(vk, i, z_0, z_i, \mathsf{U}_i)$
\item check $(\mathsf{u}_i.{\overline{E}}, \mathsf{u}_i.u) = (\mathsf{u}_{\perp}.{\overline{E}}, 1)$
\item check that $\mathsf{W}_i,~ \mathsf{w}_i$ are satisfying witnesses to $\mathsf{U}_i,~ \mathsf{u}_i$ respectively
\end{enumerate}
\paragraph{A zkSNARK of a Valid IVC Proof}
\bibliography{paper-notes.bib}

BIN
notes_spartan.pdf Normal file
View File

Binary file not shown.

206
notes_spartan.tex Normal file
View File

@@ -0,0 +1,206 @@
\documentclass{article}
\usepackage[utf8]{inputenc}
\usepackage{amsfonts}
\usepackage{amsthm}
\usepackage{amsmath}
\usepackage{mathtools}
\usepackage{enumerate}
\usepackage{hyperref}
\usepackage{xcolor}
\usepackage{pgf-umlsd} % diagrams
\usepackage{centernot}
% prevent warnings of underfull \hbox:
\usepackage{etoolbox}
\apptocmd{\sloppy}{\hbadness 4000\relax}{}{}
\theoremstyle{definition}
\newtheorem{definition}{Def}[section]
\newtheorem{theorem}[definition]{Thm}
% custom lemma environment to set custom numbers
\newtheorem{innerlemma}{Lemma}
\newenvironment{lemma}[1]
{\renewcommand\theinnerlemma{#1}\innerlemma}
{\endinnerlemma}
\title{Notes on Spartan}
\author{arnaucube}
\date{April 2023}
\begin{document}
\maketitle
\begin{abstract}
Notes taken while reading about Spartan \cite{cryptoeprint:2019/550}.
Usually while reading papers I take handwritten notes, this document contains some of them re-written to $LaTeX$.
The notes are not complete, don't include all the steps neither all the proofs.
\end{abstract}
\tableofcontents
\section{Encoding R1CS instances as low-degree polynomials}
\begin{definition}{R1CS}
$\exists w \in \mathbb{F}^{m - |io| - 1}$ such that $(A \cdot z) \circ (B \cdot z) = (C \cdot z)$, where $z=(io, 1, w)$.
\end{definition}
\textbf{Thm 4.1} $\forall$ R1CS instance $x = (\mathbb{F}, A, B, C, io, m, n)$, $\exists$ a degree-3 log m-variate polynomial $G$ such that $\sum_{x \in \{0,1\}^{log m}} G(x) = 0$.
% \begin{theorem}{4.1} // TODO use theorem gadget
% $\forall$
% \begin{end}
\vspace{0.5cm}
For a RCS instance $x$, let $s = \lceil log m \rceil$.
We can view matrices $A, B, C \in \mathbb{F}^{m \times m}$ as functions $\{0,1\}^s \times \{0,1\}^s \rightarrow \mathbb{F}$.
For a given witness $w$ to $x$, let $z=(io, 1, w)$.
View $z$ as a function $\{0,1\}^s \rightarrow \mathbb{F}$, so any entry in $z$ can be accessed with a $s$-bit identifier.
$$
F_{io}(x)=
$$
$$
\left( \sum_{y \in \{0,1\}^s} A(x, y) \cdot Z(y) \right) \cdot \left( \sum_{y \in \{0,1\}^s} B(x, y) \cdot Z(y) \right) - \left( \sum_{y \in \{0,1\}^s} C(x, y) \cdot Z(y) \right)
$$
\begin{lemma}{4.1}
$\forall x \in \{0,1\}^s,~ F_{io}(x)=0$ iff $Sat_{R1CS}(x,w)=1$.
\end{lemma}
$F_{io}(\cdot)$ is a function, not a polynomial, so it can not be used in the Sum-check protocol.
consider its polynomial extension $\widetilde{F}_{io}(x): \mathbb{F}^s \rightarrow \mathbb{F}$,
$$\widetilde{F}_{io}(x)=$$
$$
\left( \sum_{y \in \{0,1\}^s} \widetilde{A}(x, y) \cdot \widetilde{Z}(y) \right) \cdot \left( \sum_{y \in \{0,1\}^s} \widetilde{B}(x, y) \cdot \widetilde{Z}(y) \right) - \left( \sum_{y \in \{0,1\}^s} \widetilde{C}(x, y) \cdot \widetilde{Z}(y) \right)
$$
\begin{lemma}{4.2}
$\forall x \in \{0,1\}^s,~ \widetilde{F}_{io}(x)=0$ iff $Sat_{R1CS}(x, w)=1$.
\end{lemma}
(proof: $\forall x \in \{0,1\}^s,~ \widetilde{F}_{io}(x)=F_{io}(x)$, so, result follows from Lemma 4.1.) % TODO link to lemma
\vspace{0.5cm}
$\widetilde{F}_{io}(\cdot)$: low-degree multivariate polynomial over $\mathbb{F}$ in $s$ variables.
Verifier can check if $\sum_{x \in \{0,1\}^s} \widetilde{F}_{io}(x)=0$ using the Sum-check protocol.
But: $\sum_{x\in \{0,1\}^s} \widetilde{F}_{io}(x)=0 \centernot\Longleftrightarrow F_{io}(x)=0 \forall x \in \{0,1\}^s$.
Bcs: the $2^s$ terms in the sum might cancel each other even when the individual terms are not zero.
Solution: consider
$$Q_{io}(t)= \sum_{x \in \{0,1\}^s} \widetilde{F}_{io}(x) \cdot \widetilde{eq}(t, x)$$
where $\widetilde{eq}(t, x) = \prod_{i=1}^s (t_i \cdot x_i + (1- t_i) \cdot (1- x_i))$.
Basically $Q_{io}(\cdot)$ is a multivariate polynomial such that
$$Q_{io}(t) = \widetilde{F}_{io}(t) ~\forall t \in \{0,1\}^s$$
thus, $Q_{io}(\cdot)$ is a zero-polynomial iff $\widetilde{F}_{io}(x)=0 ~\forall x\in \{0,1\}^s$.
$\Longleftrightarrow$ iff $\widetilde{F}_{io}(\cdot)$ encodes a witness $w$ such that $Sat_{R1CS}(x, w)=1$.
To check that $Q_{io}(\cdot)$ is a zero-polynomial: check $Q_{io}(\tau)=0,~ \tau \in^R \mathbb{F}^s$ (Schwartz-Zippel-DeMilloLipton lemma).
\section{NIZKs with succint proofs for R1CS}
From Thm 4.1: to check R1CS instance $(\mathbb{F}, A, B, C, io, m, n)$ V can check if
$$\sum_{x \in \{0,1\}^s} G_{io, \tau} (r_x)$$
where $r_x \in \mathbb{F}^s$.
Recall: $G_{io, \tau}(x) = \widetilde{F}_{io}(x) \cdot \widetilde{eq}(\tau, x)$.
To evaluate $\widetilde{F}_{io}(r_x)$, V needs to evaluate
$$\forall y \in \{0,1\}^s: \widetilde{A}(r_x, y), \widetilde{B}(r_x, y), \widetilde{C}(r_x, y), \widetilde{Z}(y)$$
evaluations of $\widetilde{Z}(y) ~\forall y \in \{0,1\}^s ~\Longleftrightarrow (io, 1, w)$.
Solution: combination of 3 protocols:
\begin{itemize}
\item Sum-check protocol
\item randomized mini protocol
\item polynomial commitment scheme
\end{itemize}
Observation: let $\widetilde{F}_{io}(r_x) = \bar{A}(r_x) \cdot \bar{B}(r_x) - \bar{C}(r_x)$, where
$$\bar{A}(r_x) = \sum_{y \in \{0,1\}} \widetilde{A}(r_x, y) \cdot \widetilde{Z}(y)$$
$$\bar{B}(r_x) = \sum_{y \in \{0,1\}} \widetilde{B}(r_x, y) \cdot \widetilde{Z}(y)$$
$$\bar{C}(r_x) = \sum_{y \in \{0,1\}} \widetilde{C}(r_x, y) \cdot \widetilde{Z}(y)$$
Prover makes 3 separate claims: $\bar{A}(r_x)=v_A,~ \bar{B}(r_x)=v_B,~ \bar{C}(r_x)=v_C$,
then V evaluates:
$$G_{io, \tau}(r_x) = (v_A \cdot v_B - v_C) \cdot \widetilde{eq}(r_x, \tau)$$
which could be 3 sum-check protocol instances. Instead: combine 3 claims into a single claim:
V samples $r_A, r_B, r_C \in^R \mathbb{F}$, and computes $c= r_A v_A + r_B v_B + r_C v_C$.
V, P use sum-check protocol to check:
$$r_A \cdot \bar{A}(r_x) + r_B \cdot \bar{B}(r_x) + r_C \cdot \bar{C}(r_x) == c$$
Let $L(r_x) = r_A \cdot \bar{A}(r_x) +r_B \cdot \bar{B}(r_x) +r_C \cdot \bar{C}(r_x)$,
\begin{align*}
L(r_x) &= \sum_{y \in \{0,1\}^s}
r_A \cdot \widetilde{A}(r_x, y) \cdot \widetilde{Z}(y)
+ r_B \cdot \widetilde{B}(r_x, y) \cdot \widetilde{Z}(y)
+ r_C \cdot \widetilde{C}(r_x, y) \cdot \widetilde{Z}(y)\\
&= \sum_{y \in \{0,1\}^s} M_{r_x}(y)
\end{align*}
$M_{r_x}(y)$ is a s-variate polynomial with deg $\leq 2$ in each variable ($\Longleftrightarrow \mu = s,~ l=2,~ T=c$).
\begin{align*}
M_{r_x}(r_y) &=
r_A \cdot \widetilde{A}(r_x, r_y) \cdot \widetilde{Z}(r_y)
+ r_B \cdot \widetilde{B}(r_x, r_y) \cdot \widetilde{Z}(r_y)
+ r_C \cdot \widetilde{C}(r_x, r_y) \cdot \widetilde{Z}(r_y)\\
&=
(r_A \cdot \widetilde{A}(r_x, r_y)
+ r_B \cdot \widetilde{B}(r_x, r_y)
+ r_C \cdot \widetilde{C}(r_x, r_y)) \cdot \widetilde{Z}(r_y)\\
\end{align*}
only one term in $M_{r_x}(r_y)$ depends on prover's witness: $\widetilde{Z}(r_y)$
P sends a commitment to $\widetilde{w}(\cdot)$ (= MLE of the witness $w$) to V before the first instance of the sum-check protocol.
\subsection{Full protocol}
\begin{itemize}
\item $pp \leftarrow Setup(1^{\lambda})$: invoke $pp \leftarrow PC.Setup(1^{\lambda}, log m)$; output $pp$
\item $b \leftarrow <P(w), V(r)>(\mathbb{F}, A,B,C, io, m, n)$:
\begin{enumerate}
\item P: $(C, S) \leftarrow PC.Commit(pp, \widetilde{w})$ and send $C$ to V
\item V: send $\tau \in^R \mathbb{F}^{log~m}$ to P
\item let $T_1=0,~ \mu_1=log~m,~ l_1=3$
\item V: set $r_x \in^R \mathbb{F}^{\mu_1}$
\item Sum-check 1. $e_x \leftarrow <P_{SC}(G_{io,\tau}), V_{SC}(r_x)>(\mu_1, l_1, T_1)$
\item P: compute $v_A=\overline{A}(r_x),~ v_B=\overline{B}(r_x),~ v_C=\overline{C}(r_x)$, send $(v_A, v_B, v_C)$ to V
\item V: abort with $b=0$ if $e_x \neq (v_A \cdot v_B - v_C)\cdot \widetilde{eq}(r_x, \tau)$
\item V: send $r_A, r_B, r_C \in^R \mathbb{F}$ to P
\item let $T_2 = r_A \cdot v_A + r_B \cdot v_B + r_C \cdot v_C,~ \mu_2=log~m,~ l_2=2$
\item V: set $r_y \in^R \mathbb{F}^{\mu_2}$
\item Sum-check 2. $e_y \leftarrow <P_{SC}(M_{r_x}), V_{SC}(r_y)>(\mu_2, l_2, T_2)$
\item P: $v \leftarrow \widetilde{w}(r_y[1..])$, send $v$ to V
\item $b_e \leftarrow <P_{PC.Eval}(\widetilde{w}, S), V_{PC.Eval}(r)>(pp, C, r_y, v, \mu_2)$
\item V: abourt with $b=0$ if $b_e==0$
\item V: $v_z \leftarrow (1 - r_y[0]) \cdot \widetilde{w}(r_y [1..]) + r_y[0] \widetilde{(io, 1)} (r_y[1..])$
\item V: $v_1 \leftarrow \widetilde{A}(r_x, r_y),~ v_2 \leftarrow \widetilde{B}(r_x, r_y),~ v_3 \leftarrow \widetilde{C}(r_x, r_y)$
\item V: abort with $b=0$ if $e_y \neq (r_A v_1 + r_B v_2 + r_C v_3) \cdot v_z$
\item V: output $b=1$
\end{enumerate}
\end{itemize}
\vspace{2cm}
\framebox{WIP: covered until sec.6}
\bibliography{paper-notes.bib}
\bibliographystyle{unsrt}
\end{document}

9
paper-notes.bib
View File

@@ -100,3 +100,12 @@
note = {\url{https://github.com/arnaucube/fri-commitment}},
url = {https://github.com/arnaucube/fri-commitment}
}
@misc{cryptoeprint:2019/550,
author = {Srinath Setty},
title = {Spartan: Efficient and general-purpose zkSNARKs without trusted setup},
howpublished = {Cryptology ePrint Archive, Paper 2019/550},
year = {2019},
note = {\url{https://eprint.iacr.org/2019/550}},
url = {https://eprint.iacr.org/2019/550}
}