diff --git a/notes_bls-sig.pdf b/notes_bls-sig.pdf new file mode 100644 index 0000000..537b48f Binary files /dev/null and b/notes_bls-sig.pdf differ diff --git a/notes_bls-sig.tex b/notes_bls-sig.tex new file mode 100644 index 0000000..9b3b925 --- /dev/null +++ b/notes_bls-sig.tex 
@@ -0,0 +1,87 @@ +\documentclass{article} +\usepackage[utf8]{inputenc} +\usepackage{amsfonts} +\usepackage{amsthm} +\usepackage{amsmath} +\usepackage{enumerate} +\usepackage{hyperref} +\hypersetup{ + colorlinks, + citecolor=black, + filecolor=black, + linkcolor=black, + urlcolor=blue +} +\usepackage{xcolor} + +% prevent warnings of underfull \hbox: +\usepackage{etoolbox} +\apptocmd{\sloppy}{\hbadness 4000\relax}{}{} + +\theoremstyle{definition} +\newtheorem{definition}{Def}[section] +\newtheorem{theorem}[definition]{Thm} + + +\title{Notes on BLS Signatures} +\author{arnaucube} +\date{} + +\begin{document} + +\maketitle + +\begin{abstract} + Notes taken while reading about BLS signatures \cite{bls-sig-eth2}. Usually while reading papers I take handwritten notes, this document contains some of them re-written to $LaTeX$. + + The notes are not complete, don't include all the steps neither all the proofs. +\end{abstract} + +% \tableofcontents + +\section{BLS signatures} + +\paragraph{Key generation} +$sk \in \mathbb{Z}_q$, $pk = [sk] \cdot g_1$, where $g_1 \in G_1$, and is the generator. + +\paragraph{Signature} +$$\sigma = [sk] \cdot H(m)$$ +where $H$ is a function that maps to a point in $G_2$. So $H(m), \sigma \in G_2$. + +\paragraph{Verification} +$$e(g_1, \sigma) == e(pk, H(m))$$ + +Unfold: +$$e(pk, H(m)) = e([sk] \cdot g_1, H(m) = e(g_1, H(m))^{sk} = e(g_1, [sk] \cdot H(m)) = e(g_1, \sigma))$$ + +\paragraph{Aggregation} +Signatures aggregation: +$$\sigma_{aggr} = \sigma_1 + \sigma_2 + \ldots + \sigma_n$$ +where $\sigma_{aggr} \in G_2$, and an aggregated signatures is indistinguishible from a non-aggregated signature. + +\vspace{0.5cm} +Public keys aggregation: +$$pk_{aggr} = pk_1 + pk_2 + \ldots + pk_n$$ +where $pk_{aggr} \in G_1$, and an aggregated public keys is indistinguishible from a non-aggregated public key. 
+ + +\paragraph{Verification of aggregated signatures} +Identical to verification of a normal signature as long as we use the same corresponding aggregated public key: +$$e(g_1, \sigma_{aggr})==e(pk_{aggr}, H(m))$$ + +Unfold: +$$\fbox{e(pk_{aggr}, H(m))}= e(pk_1 + pk_2 + \ldots + pk_n, H(m)) =$$ +$$=e([sk_1] \cdot g_1 + [sk_2] \cdot g_1 + \ldots + [sk_n] \cdot g_1, H(m))=$$ +$$=e([sk_1 + sk_2 + \ldots + sk_n] \cdot g_1, H(m))=$$ +$$=e(g_1, H(m))^{(sk_1 + sk_2 + \ldots + sk_n)}=$$ +$$=e(g_1, [sk_1 + sk_2 + \ldots + sk_n] \cdot H(m))=$$ +$$=e(g_1, [sk_1] \cdot H(m) + [sk_2] \cdot H(m) + \ldots + [sk_n] \cdot H(m))=$$ +$$=e(g_1, \sigma_1 + \sigma_2 + \ldots + \sigma_n)= \fbox{e(g_1, \sigma_{aggr})}$$ + + +Note: in the current notes $pk \in G_1$ and $\sigma, H(m) \in G_2$, but we could use $\sigma, H(m) \in G_1$ and $pk \in G_2$. + +\bibliography{paper-notes.bib} +\bibliographystyle{unsrt} + +\end{document} diff --git a/notes_halo.pdf b/notes_halo.pdf new file mode 100644 index 0000000..a30b457 Binary files /dev/null and b/notes_halo.pdf differ diff --git a/notes_halo.tex b/notes_halo.tex new file mode 100644 index 0000000..698efa8 --- /dev/null +++ b/notes_halo.tex 
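Review bot: The unfolded verification identity in the "Verification" paragraph has unbalanced parentheses: `e([sk] \cdot g_1, H(m) = e(g_1, H(m))^{sk}` is missing the closing `)` after `H(m)`, and the chain ends in `e(g_1, \sigma))` with one `)` too many; the display should read `e(pk, H(m)) = e([sk] \cdot g_1, H(m)) = e(g_1, H(m))^{sk} = e(g_1, [sk] \cdot H(m)) = e(g_1, \sigma)`. The "Verification of aggregated signatures" paragraph presents `pk_{aggr}` as a drop-in replacement for a single key, but the identity derived there holds only when every `\sigma_i` signs the same `m` and each `pk_i` was registered with a proof of possession, so a one-line caveat such as "assumes all signers sign the same message and every key carries a proof of possession; without that, plain key aggregation is not safe against rogue-key attacks" would stop a reader from applying it where it does not hold. Minor: `$LaTeX$` in the abstract typesets as a product of italic letters and should be `\LaTeX{}`, `==` in math mode is two relation symbols rather than one, and "indistinguishible" / "an aggregated signatures is" appear in both aggregation paragraphs.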
@@ -0,0 +1,145 @@ +\documentclass{article} +\usepackage[utf8]{inputenc} +\usepackage{amsfonts} +\usepackage{amsthm} +\usepackage{amsmath} +\usepackage{enumerate} +\usepackage{hyperref} +\hypersetup{ + colorlinks, + citecolor=black, + filecolor=black, + linkcolor=black, + urlcolor=blue +} +\usepackage{xcolor} + +% prevent warnings of underfull \hbox: +\usepackage{etoolbox} +\apptocmd{\sloppy}{\hbadness 4000\relax}{}{} + +\theoremstyle{definition} +\newtheorem{definition}{Def}[section] +\newtheorem{theorem}[definition]{Thm} + + +\title{Notes on Halo} +\author{arnaucube} +\date{} + +\begin{document} + +\maketitle + +\begin{abstract} + Notes taken while reading Halo paper \cite{cryptoeprint:2019/1021}. Usually while reading papers I take handwritten notes, this document contains some of them re-written to $LaTeX$. + + The notes are not complete, don't include all the steps neither all the proofs. +\end{abstract} + +\tableofcontents + +\section{modified IPA (from Halo paper)} +Notes taken while reading about the modified Inner Product Argument (IPA) from the Halo paper \cite{cryptoeprint:2019/1021}. + +\subsection{Notation} +\begin{description} + \item[Scalar mul] $[a]G$, where $a$ is a scalar and $G \in \mathbb{G}$ + \item[Inner product] $<\overrightarrow{a}, \overrightarrow{b}> = a_0 b_0 + a_1 b_1 + \ldots + a_{n-1} b_{n-1}$ + \item[Multiscalar mul] $<\overrightarrow{a}, \overrightarrow{b}> = [a_0] G_0 + [a_1] G_1 + \ldots [a_{n-1}] G_{n-1}$ +\end{description} + + +\subsection{Transparent setup} +$\overrightarrow{G} \in^r \mathbb{G}^d$, $H \in^r \mathbb{G}$ + +Prover wants to commit to $p(x)=a_0$ +\subsection{Protocol} +Prover: +$$P=<\overrightarrow{a}, \overrightarrow{G}> + [r]H$$ +$$v=<\overrightarrow{a}, \{1, x, x^2, \ldots, x^{d-1} \} >$$ + +where $\{1, x, x^2, \ldots, x^{d-1} \} = \overrightarrow{b}$. + +We can see that computing $v$ is the equivalent to evaluating $p(x)$ at $x$ ($p(x)=v$). + +We will prove: +\begin{enumerate}[i.] 
+ \item polynomial $p(X) = \sum a_i X^i$\\ + $p(x) = v$ (that $p(X)$ evaluates $x$ to $v$). + \item $deg(p(X)) \leq d-1$ +\end{enumerate} + + +Both parties know $P$, point $x$ and claimed evaluation $v$. For $U \in^r \mathbb{G}$, + +$$P' = P + [v] U = <\overrightarrow{a}, G> + [r]H + [v] U$$ + +Now, for $k$ rounds ($d=2^k$, from $j=k$ to $j=1$): +\begin{itemize} + \item random blinding factors: $l_j, r_j \in \mathbb{F}_p$ + \item + $$L_j = < \overrightarrow{a}_{lo}, \overrightarrow{G}_{hi}> + [l_j] H + [< \overrightarrow{a}_{lo}, \overrightarrow{b}_{hi}>] U$$ + $$L_j = < \overrightarrow{a}_{lo}, \overrightarrow{G}_{hi}> + [l_j] H + [< \overrightarrow{a}_{lo}, \overrightarrow{b}_{hi}>] U$$ + \item Verifier sends random challenge $u_j \in \mathbb{I}$ + \item Prover computes the halved vectors for next round: + $$\overrightarrow{a} \leftarrow \overrightarrow{a}_{hi} \cdot u_j^{-1} + \overrightarrow{a}_{lo} \cdot u_j$$ + $$\overrightarrow{b} \leftarrow \overrightarrow{b}_{lo} \cdot u_j^{-1} + \overrightarrow{b}_{hi} \cdot u_j$$ + $$\overrightarrow{G} \leftarrow \overrightarrow{G}_{lo} \cdot u_j^{-1} + \overrightarrow{G}_{hi} \cdot u_j$$ +\end{itemize} + +After final round, $\overrightarrow{a}, \overrightarrow{b}, \overrightarrow{G}$ are each of length 1. + +Verifier can compute +$$G = \overrightarrow{G}_0 = < \overrightarrow{s}, \overrightarrow{G} >$$ +and $$b = \overrightarrow{b}_0 = < \overrightarrow{s}, \overrightarrow{b} >$$ +where $\overrightarrow{s}$ is the binary counting structure: + +\begin{align*} + &s = (u_1^{-1} ~ u_2^{-1} \cdots ~u_k^{-1},\\ + &~~~~~~u_1 ~~~ u_2^{-1} ~\cdots ~u_k^{-1},\\ + &~~~~~~u_1^{-1} ~~ u_2 ~~\cdots ~u_k^{-1},\\ + &~~~~~~~~~~~~~~\vdots\\ + &~~~~~~u_1 ~~~~ u_2 ~~\cdots ~u_k) +\end{align*} + + +And verifier checks: +$$[a]G + [r'] H + [ab] U == P' + \sum_{j=1}^k ( [u_j^2] L_j + [u_j^{-2}] R_j)$$ + +where the synthetic blinding factor $r'$ is $r' = r + \sum_{j=1}^k (l_j u_j^2 + r_j u_j^{-2})$. 
+ +\vspace{1cm} + +Unfold: + +$$ +\textcolor{brown}{[a]G} + \textcolor{cyan}{[r'] H} + \textcolor{magenta}{[ab] U} +== +\textcolor{blue}{P'} + \sum_{j=1}^k ( \textcolor{violet}{[u_j^2] L_j} + \textcolor{orange}{[u_j^{-2}] R_j}) +$$ + +\begin{align*} +&Right~side = \textcolor{blue}{P'} + \sum_{j=1}^k ( \textcolor{violet}{[u_j^2] L_j} + \textcolor{orange}{[u_j^{-2}] R_j})\\ +&= \textcolor{blue}{< \overrightarrow{a}, \overrightarrow{G}> + [r] H + [v] U}\\ +&+ \sum_{j=1}^k (\\ +&\textcolor{violet}{[u_j^2] \cdot <\overrightarrow{a}_{lo}, \overrightarrow{G}_{hi}> + [l_j] H + [<\overrightarrow{a}_{lo}, \overrightarrow{b}_{hi}>] U}\\ +&\textcolor{orange}{+ [u_j^{-2}] \cdot <\overrightarrow{a}_{hi}, \overrightarrow{G}_{lo}> + [r_j] H + [<\overrightarrow{a}_{hi}, \overrightarrow{b}_{lo}>] U} +) +\end{align*} + +\begin{align*} +&Left~side = \textcolor{brown}{[a]G} + \textcolor{cyan}{[r'] H} + \textcolor{magenta}{[ab] U}\\ +& = \textcolor{brown}{< \overrightarrow{a}, \overrightarrow{G} >}\\ +&+ \textcolor{cyan}{[r + \sum_{j=1}^k (l_j \cdot u_j^2 + r_j u_j^{-2})] \cdot H}\\ +&+ \textcolor{magenta}{< \overrightarrow{a}, \overrightarrow{b} > U} +\end{align*} + + +\section{Amortization Strategy} +TODO + +\bibliography{paper-notes.bib} +\bibliographystyle{unsrt} + +\end{document} diff --git a/notes_sonic.pdf b/notes_sonic.pdf new file mode 100644 index 0000000..194a304 Binary files /dev/null and b/notes_sonic.pdf differ diff --git a/notes_sonic.tex b/notes_sonic.tex new file mode 100644 index 0000000..03c0cf8 --- /dev/null +++ b/notes_sonic.tex 
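Review bot: The round loop defines `L_j` twice; the second display is the `R_j` that the verifier check and the orange term of the unfold rely on, and by those lines it should read `$$R_j = < \overrightarrow{a}_{hi}, \overrightarrow{G}_{lo}> + [r_j] H + [< \overrightarrow{a}_{hi}, \overrightarrow{b}_{lo}>] U$$`. In the "Right side" unfold, `[u_j^2] \cdot <\overrightarrow{a}_{lo}, \overrightarrow{G}_{hi}> + [l_j] H + \ldots` applies the scalar only to the first summand, whereas `[u_j^2] L_j` scales all of `L_j`; wrapping the three summands in parentheses (and likewise for the `[u_j^{-2}]` term) keeps the two sides consistent. The challenge domain `u_j \in \mathbb{I}` is not defined anywhere in the notes; it looks like it was meant to be the same scalar field as `l_j, r_j \in \mathbb{F}_p`, but that should be confirmed against the source. Minor: `$LaTeX$` in the abstract should be `\LaTeX{}`, and `==` in math mode typesets as two relation symbols.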
@@ -0,0 +1,181 @@ +\documentclass{article} +\usepackage[utf8]{inputenc} +\usepackage{amsfonts} +\usepackage{amsthm} +\usepackage{amsmath} +\usepackage{enumerate} +\usepackage{hyperref} +\hypersetup{ + colorlinks, + citecolor=black, + filecolor=black, + linkcolor=black, + urlcolor=blue +} +\usepackage{xcolor} + +% prevent warnings of underfull \hbox: +\usepackage{etoolbox} +\apptocmd{\sloppy}{\hbadness 4000\relax}{}{} + +\theoremstyle{definition} +\newtheorem{definition}{Def}[section] +\newtheorem{theorem}[definition]{Thm} + + +\title{Notes on Sonic} +\author{arnaucube} +\date{} + +\begin{document} + +\maketitle + +\begin{abstract} + Notes taken while reading Sonic paper \cite{cryptoeprint:2019/099}. Usually while reading papers I take handwritten notes, this document contains some of them re-written to $LaTeX$. + + The notes are not complete, don't include all the steps neither all the proofs. +\end{abstract} + +\tableofcontents + + +\section{Sonic} + +\subsection{Structured Reference String} +$\{ \{g^{x^i}\}_{i=-d}^d, \{ g^{\alpha x^i} \}_{i=-d, i \neq 0}^d, \{ h^{x^i}, h^{\alpha x^i} \}_{i=-d}^d, e(g, h^\alpha) \}$ + +\subsection{System of constraints} +Multiplication constraint: $a \cdot b = c$ + +$Q$ linear constraints: +$$ +a \cdot u_q + b \cdot v_q + c \cdot w_q = k_q +$$ + +with $u_q, v_q, w_q \in \mathbb{F}^n$, and $k_q \in \mathbb{F}_p$. + +\vspace{0.5cm} +Example: $x^2 + y^2 = z$ + +$$a = (x, y), \qquad b = (x, y), \qquad c = (x^2, y^2)$$ +\begin{enumerate}[i.] 
+ \item $(x, y) \cdot (1, 0) + (x, y) \cdot (-1, 0) + (x^2, y^2) \cdot (0, 0) = 0 \longrightarrow x - x = 0$ + \item $(x, y) \cdot (0, 1) + (x, y) \cdot (0, -1) + (x^2, y^2) \cdot (0, 0) = 0 \longrightarrow y - y = 0$ + \item $(x, y) \cdot (0, 0) + (x, y) \cdot (0, 0) + (x^2, y^2) \cdot (1, 1) = z \longrightarrow x^2 + y^2 = z$ +\end{enumerate} + +So, +$$u_1 = (1, 0) \quad v_1=(-1, 0) \quad w_1=(0, 0) \quad k_1=0$$ +$$u_2 = (0, 1) \quad v_2=(0, -1) \quad w_2=(0, 0) \quad k_2=0$$ +$$u_3 = (0, 0) \quad v_3=(0, 0) \quad w_3=(1, 1) \quad k_2=z$$ + +\vspace{1cm} + +Compress n multiplication constraints into an equation in formal indeterminate $Y$: +$$\sum_{i=1}^n (a_i b_i - c_i) \cdot Y^i = 0$$ +encode into negative exponents of $Y$: +$$\sum_{i=1}^n (a_i b_i - c_i) \cdot Y^-i = 0$$ + +Also, compress the $Q$ linear constraints, scaling by $Y^n$ to preserve linear independence: +$$ +\sum_{q=1}^Q (a \cdot u_q + b \cdot v_q + c \cdot w_q - k_q) \cdot Y^{q+n} = 0 +$$ + +Polys: + +\begin{align} +\nonumber & u_i(Y) = \sum_{q=1}^Q Y^{q+n} \cdot u_{q, i}\\ +\nonumber & v_i(Y) = \sum_{q=1}^Q Y^{q+n} \cdot v_{q, i}\\ +\nonumber & w_i(Y) = -Y^i - Y^{-1} + \sum_{q=1}^Q Y^{q+n} \cdot w_{q, i}\\ +\nonumber & k(Y) = \sum_{q=1}^Q Y^{q+n} \cdot k_q +\end{align} + +Combine the multiplicative and linear constraints to: + +\begin{align} +\nonumber & a \cdot u(Y) + b \cdot v(Y) + c \cdot w(Y) ++ \sum_{i=1}^n a_i b_i (Y^i + Y^{-i}) - k(Y) = 0 +\end{align} + +where $a \cdot u(Y) + b \cdot v(Y) + c \cdot w(Y)$ is embeded into the constant term of the polynomial $t(X, Y)$. + + +Define $r(X, Y)$ s.t. $r(X, Y) = r(XY, 1)$. + +$$\Longrightarrow r(X, Y) = \sum_{i=1}^n (a_i X^i Y^i + b_i X^{-i} Y^{-i} + c_i X^{-i-n} Y^{-i-n})$$ + +$$s(X, Y) = \sum_{i=1}^n (u_i(Y) X^{-i} + v_i(Y) X^i + w_i(Y) X^{i+n})$$ + +$$r'(X, Y) = r(X, Y) + s(X, Y)$$ +$$t(X, Y) = r(X, Y) + r'(X, Y) - k(Y)$$ + +The coefficient of $X^0$ in $t(X, Y)$ is the left-hand side of the equation. 
+ +Sonic demonstrates that the constant term of $t(X, Y)$ is zero, thus demonstrating that our constraint system is satisfied. + + +\subsubsection{The basic Sonic protocol} + +\begin{enumerate}[1.] + \item Prover constructs $r(X, Y)$ using their hidden witness + \item Prover commits to $r(X, 1)$, setting the maximum degree to n + \item Verifier sends random challenge $y$ + \item Prover commits to $t(X, y)$. The commitment scheme ensures that $t(X, y)$ has no constant term. + \item Verifier sends random challenge $z$ + \item Prover opens commitments to $r(z, 1), r(z, y), t(z, y)$ + \item Verifier calculates $r'(z, y)$, and checks that + $$r(z, y) \cdot r'(z, y) - k(y) == t(z, y)$$ +\end{enumerate} + +Steps $3$ and $5$ can be made non-interactive by the Fiat-Shamir transformation. + +\subsubsection{Polynomial Commitment Scheme} +Sonic uses an adaptation of KZG \cite{kzg-tmp}, want: + +\begin{enumerate}[i.] + \item \emph{evaluation binding}, i.e. given a commitment $F$, an adversary cannot open F to two different evaluations $v_1$ and $v_2$ + \item \emph{bounded polynomial extractable}, i.e. any algebraic adversary that opens a commitment $F$ knows an opening $f(X)$ with powers $-d \leq i \leq max, i \neq 0$. +\end{enumerate} + +\vspace{0.5cm} +PC scheme (adaptation of KZG): + +\begin{enumerate}[i.] 
+ \item Commit(info, $f(X)$) $\longrightarrow F$: + $$F = g^{\alpha \cdot x^{d-max}} \cdot f(x)$$ + \item Open(info, $F$, $z$, $f(x)$) $\longrightarrow (f(z), W)$: + $$w(X) = \frac{f(X) - f(z)}{X-z}$$ + $$W = g^{w(x)}$$ + \item Verify(info, $F$, $z$, $(v, W)$) $\longrightarrow 0/1$:\\ + Check: + $$e(W, h^{\alpha \cdot x}) \cdot + e(g^v W^{-z}, h^{\alpha}) + == e(F, h^{x^{-d+max}})$$ +\end{enumerate} + +\subsection{Succint signatures of correct computation} +Signature of correct computation to ensure that an element $s=s(z, y)$ for a known polynomial +$$s(X, Y) = \sum_{i, j = -d}^d s_{i, j} \cdot X^i \cdot Y^i$$ + +Use the structure of $s(X, Y)$ to prove its correct calculation using a \emph{permutation argument} $\longrightarrow$ \emph{grand-product argument} inspired by Bayer and Groth, and Bootle et al. + +Restrict to constraint systems where $s(X, Y)$ can be expressed as the sum of $M$ polynomials. Where $j-th$ poly is of the form: +$$ +\Psi_j(X, Y) = + \sum_{i=1}^n \psi_{j, \sigma_{j, i}} + \cdot X^i \cdot Y^{\sigma_{j, i}} +$$ + +where $\sigma_j$ is the fixed polynomial permutation, and $\phi_{j, i} \in \mathbb{F}$ are the coefficients. + +\vspace{1cm} +\framebox{WIP} +\vspace{1cm} + + + +\bibliography{paper-notes.bib} +\bibliographystyle{unsrt} + +\end{document} diff --git a/paper-notes.pdf b/paper-notes.pdf deleted file mode 100644 index 6bcc9cd..0000000 Binary files a/paper-notes.pdf and /dev/null differ diff --git a/paper-notes.tex b/paper-notes.tex deleted file mode 100644 index f47a2d7..0000000 --- a/paper-notes.tex +++ /dev/null 
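Review bot: In the "So," display after the worked example, the third constraint's constant is labelled `k_2=z` although the preceding lines already use `k_1`, `k_2`; it should be `k_3=z`. Two exponents are malformed: `Y^-i` in the negative-exponent display needs braces (`Y^{-i}`), and `w_i(Y) = -Y^i - Y^{-1} + \ldots` does not match the `(Y^i + Y^{-i})` pairing in the combined constraint two displays below, so `Y^{-1}` looks like a typo for `Y^{-i}`. The definition `t(X, Y) = r(X, Y) + r'(X, Y) - k(Y)` is inconsistent with step 7 of the basic protocol, which checks `r(z, y) \cdot r'(z, y) - k(y) == t(z, y)`; the product form is the one under which the constant term of `t` is the left-hand side of the combined constraint, as the paragraph below the definition claims, so the `+` should presumably be `\cdot`. In the signatures-of-correct-computation subsection, `s_{i, j} \cdot X^i \cdot Y^i` should presumably carry `Y^j`, and the coefficient is written `\psi_{j, \ldots}` in the display but `\phi_{j, i}` in the sentence after it. Minor: "Succint" → "Succinct", "embeded" → "embedded".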
@@ -1,340 +0,0 @@ -\documentclass{article} -\usepackage[utf8]{inputenc} -\usepackage{amsfonts} -\usepackage{amsthm} -\usepackage{amsmath} -\usepackage{enumerate} -\usepackage{hyperref} -\hypersetup{ - colorlinks, - citecolor=black, - filecolor=black, - linkcolor=black, - urlcolor=blue -} -\usepackage{xcolor} - -% prevent warnings of underfull \hbox: -\usepackage{etoolbox} -\apptocmd{\sloppy}{\hbadness 4000\relax}{}{} - -\theoremstyle{definition} -\newtheorem{definition}{Def}[section] -\newtheorem{theorem}[definition]{Thm} - - -\title{Paper notes} -\author{arnaucube} -\date{} - -\begin{document} - -\maketitle - -\begin{abstract} - Notes taken while reading papers. Usually while reading papers I take handwritten notes, this document contains some of them re-written to $LaTeX$. - - The notes are not complete, don't include all the steps neither all the proofs. -\end{abstract} - -\tableofcontents - -\section{SnarkPack} -Notes taken while reading SnarkPack paper \cite{cryptoeprint:2021/529}. - -Groth16 proof aggregation. - -\begin{enumerate}[i.] - \item Simple verification:\\ - Proof: $\pi_i = (A_i, B_i, C_i)$\\ - Verifier checks: $e(A_i, B_i) == e(C_i, D)$\\ - Where $D$ is the $CRS$. - \item Batch verification: - $r \in^\$ F_q$\\ - $r^i \cdot e(A_i, B_i) == e(C_i, D)$\\ - $\Longrightarrow \prod e(A_i, B_i)^{r^i} == \prod e(C_i, D)^{r^i}$\\ - $\Longrightarrow \prod e(A_i, B_i^{r^i}) == \prod e(C_i^{r^i}, D)$ - \item Snark Aggregation verification:\\ - $z_{AB} = \prod e(A_i, B_i^{r^i})$\\ - $z_C = \prod C_i^{r^i}$\\ - Verification: $z_{AB} == e(z_C, D)$ -\end{enumerate} - -\section{Sonic} -Notes taken while reading Sonic paper \cite{cryptoeprint:2019/099}. Does not include all the steps, neither the proofs. 
- -\subsection{Structured Reference String} -$\{ \{g^{x^i}\}_{i=-d}^d, \{ g^{\alpha x^i} \}_{i=-d, i \neq 0}^d, \{ h^{x^i}, h^{\alpha x^i} \}_{i=-d}^d, e(g, h^\alpha) \}$ - -\subsection{System of constraints} -Multiplication constraint: $a \cdot b = c$ - -$Q$ linear constraints: -$$ -a \cdot u_q + b \cdot v_q + c \cdot w_q = k_q -$$ - -with $u_q, v_q, w_q \in \mathbb{F}^n$, and $k_q \in \mathbb{F}_p$. - -\vspace{0.5cm} -Example: $x^2 + y^2 = z$ - -$$a = (x, y), \qquad b = (x, y), \qquad c = (x^2, y^2)$$ -\begin{enumerate}[i.] - \item $(x, y) \cdot (1, 0) + (x, y) \cdot (-1, 0) + (x^2, y^2) \cdot (0, 0) = 0 \longrightarrow x - x = 0$ - \item $(x, y) \cdot (0, 1) + (x, y) \cdot (0, -1) + (x^2, y^2) \cdot (0, 0) = 0 \longrightarrow y - y = 0$ - \item $(x, y) \cdot (0, 0) + (x, y) \cdot (0, 0) + (x^2, y^2) \cdot (1, 1) = z \longrightarrow x^2 + y^2 = z$ -\end{enumerate} - -So, -$$u_1 = (1, 0) \quad v_1=(-1, 0) \quad w_1=(0, 0) \quad k_1=0$$ -$$u_2 = (0, 1) \quad v_2=(0, -1) \quad w_2=(0, 0) \quad k_2=0$$ -$$u_3 = (0, 0) \quad v_3=(0, 0) \quad w_3=(1, 1) \quad k_2=z$$ - -\vspace{1cm} - -Compress n multiplication constraints into an equation in formal indeterminate $Y$: -$$\sum_{i=1}^n (a_i b_i - c_i) \cdot Y^i = 0$$ -encode into negative exponents of $Y$: -$$\sum_{i=1}^n (a_i b_i - c_i) \cdot Y^-i = 0$$ - -Also, compress the $Q$ linear constraints, scaling by $Y^n$ to preserve linear independence: -$$ -\sum_{q=1}^Q (a \cdot u_q + b \cdot v_q + c \cdot w_q - k_q) \cdot Y^{q+n} = 0 -$$ - -Polys: - -\begin{align} -\nonumber & u_i(Y) = \sum_{q=1}^Q Y^{q+n} \cdot u_{q, i}\\ -\nonumber & v_i(Y) = \sum_{q=1}^Q Y^{q+n} \cdot v_{q, i}\\ -\nonumber & w_i(Y) = -Y^i - Y^{-1} + \sum_{q=1}^Q Y^{q+n} \cdot w_{q, i}\\ -\nonumber & k(Y) = \sum_{q=1}^Q Y^{q+n} \cdot k_q -\end{align} - -Combine the multiplicative and linear constraints to: - -\begin{align} -\nonumber & a \cdot u(Y) + b \cdot v(Y) + c \cdot w(Y) -+ \sum_{i=1}^n a_i b_i (Y^i + Y^{-i}) - k(Y) = 0 -\end{align} - -where $a 
\cdot u(Y) + b \cdot v(Y) + c \cdot w(Y)$ is embeded into the constant term of the polynomial $t(X, Y)$. - - -Define $r(X, Y)$ s.t. $r(X, Y) = r(XY, 1)$. - -$$\Longrightarrow r(X, Y) = \sum_{i=1}^n (a_i X^i Y^i + b_i X^{-i} Y^{-i} + c_i X^{-i-n} Y^{-i-n})$$ - -$$s(X, Y) = \sum_{i=1}^n (u_i(Y) X^{-i} + v_i(Y) X^i + w_i(Y) X^{i+n})$$ - -$$r'(X, Y) = r(X, Y) + s(X, Y)$$ -$$t(X, Y) = r(X, Y) + r'(X, Y) - k(Y)$$ - -The coefficient of $X^0$ in $t(X, Y)$ is the left-hand side of the equation. - -Sonic demonstrates that the constant term of $t(X, Y)$ is zero, thus demonstrating that our constraint system is satisfied. - - -\subsubsection{The basic Sonic protocol} - -\begin{enumerate}[1.] - \item Prover constructs $r(X, Y)$ using their hidden witness - \item Prover commits to $r(X, 1)$, setting the maximum degree to n - \item Verifier sends random challenge $y$ - \item Prover commits to $t(X, y)$. The commitment scheme ensures that $t(X, y)$ has no constant term. - \item Verifier sends random challenge $z$ - \item Prover opens commitments to $r(z, 1), r(z, y), t(z, y)$ - \item Verifier calculates $r'(z, y)$, and checks that - $$r(z, y) \cdot r'(z, y) - k(y) == t(z, y)$$ -\end{enumerate} - -Steps $3$ and $5$ can be made non-interactive by the Fiat-Shamir transformation. - -\subsubsection{Polynomial Commitment Scheme} -Sonic uses an adaptation of KZG \cite{kzg-tmp}, want: - -\begin{enumerate}[i.] - \item \emph{evaluation binding}, i.e. given a commitment $F$, an adversary cannot open F to two different evaluations $v_1$ and $v_2$ - \item \emph{bounded polynomial extractable}, i.e. any algebraic adversary that opens a commitment $F$ knows an opening $f(X)$ with powers $-d \leq i \leq max, i \neq 0$. -\end{enumerate} - -\vspace{0.5cm} -PC scheme (adaptation of KZG): - -\begin{enumerate}[i.] 
- \item Commit(info, $f(X)$) $\longrightarrow F$: - $$F = g^{\alpha \cdot x^{d-max}} \cdot f(x)$$ - \item Open(info, $F$, $z$, $f(x)$) $\longrightarrow (f(z), W)$: - $$w(X) = \frac{f(X) - f(z)}{X-z}$$ - $$W = g^{w(x)}$$ - \item Verify(info, $F$, $z$, $(v, W)$) $\longrightarrow 0/1$:\\ - Check: - $$e(W, h^{\alpha \cdot x}) \cdot - e(g^v W^{-z}, h^{\alpha}) - == e(F, h^{x^{-d+max}})$$ -\end{enumerate} - -\subsection{Succint signatures of correct computation} -Signature of correct computation to ensure that an element $s=s(z, y)$ for a known polynomial -$$s(X, Y) = \sum_{i, j = -d}^d s_{i, j} \cdot X^i \cdot Y^i$$ - -Use the structure of $s(X, Y)$ to prove its correct calculation using a \emph{permutation argument} $\longrightarrow$ \emph{grand-product argument} inspired by Bayer and Groth, and Bootle et al. - -Restrict to constraint systems where $s(X, Y)$ can be expressed as the sum of $M$ polynomials. Where $j-th$ poly is of the form: -$$ -\Psi_j(X, Y) = - \sum_{i=1}^n \psi_{j, \sigma_{j, i}} - \cdot X^i \cdot Y^{\sigma_{j, i}} -$$ - -where $\sigma_j$ is the fixed polynomial permutation, and $\phi_{j, i} \in \mathbb{F}$ are the coefficients. - -\vspace{1cm} -\framebox{WIP} -\vspace{1cm} - -\section{BLS signatures} -Notes taken while reading about BLS signatures \cite{bls-sig-eth2}. - -\paragraph{Key generation} -$sk \in \mathbb{Z}_q$, $pk = [sk] \cdot g_1$, where $g_1 \in G_1$, and is the generator. - -\paragraph{Signature} -$$\sigma = [sk] \cdot H(m)$$ -where $H$ is a function that maps to a point in $G_2$. So $H(m), \sigma \in G_2$. - -\paragraph{Verification} -$$e(g_1, \sigma) == e(pk, H(m))$$ - -Unfold: -$$e(pk, H(m)) = e([sk] \cdot g_1, H(m) = e(g_1, H(m))^{sk} = e(g_1, [sk] \cdot H(m)) = e(g_1, \sigma))$$ - -\paragraph{Aggregation} -Signatures aggregation: -$$\sigma_{aggr} = \sigma_1 + \sigma_2 + \ldots + \sigma_n$$ -where $\sigma_{aggr} \in G_2$, and an aggregated signatures is indistinguishible from a non-aggregated signature. 
- -\paragraph{Public keys aggregation} -$$pk_{aggr} = pk_1 + pk_2 + \ldots + pk_n$$ -where $pk_{aggr} \in G_1$, and an aggregated public keys is indistinguishible from a non-aggregated public key. - - -\paragraph{Verification of aggregated signatures} -Identical to verification of a normal signature as long as we use the same corresponding aggregated public key: -$$e(g_1, \sigma_{aggr})==e(pk_{aggr}, H(m))$$ - -Unfold: -$$\fbox{e(pk_{aggr}, H(m))}= e(pk_1 + pk_2 + \ldots + pk_n, H(m)) =$$ -$$=e([sk_1] \cdot g_1 + [sk_2] \cdot g_1 + \ldots + [sk_n] \cdot g_1, H(m))=$$ -$$=e([sk_1 + sk_2 + \ldots + sk_n] \cdot g_1, H(m))=$$ -$$=e(g_1, H(m))^{(sk_1 + sk_2 + \ldots + sk_n)}=$$ -$$=e(g_1, [sk_1 + sk_2 + \ldots + sk_n] \cdot H(m))=$$ -$$=e(g_1, [sk_1] \cdot H(m) + [sk_2] \cdot H(m) + \ldots + [sk_n] \cdot H(m))=$$ -$$=e(g_1, \sigma_1 + \sigma_2 + \ldots + \sigma_n)= \fbox{e(g_1, \sigma_{aggr})}$$ - - - - - -\section{modified IPA (from Halo)} -Notes taken while reading about the modified Inner Product Argument (IPA) from the Halo paper \cite{cryptoeprint:2019/1021}. - -\subsection{Notation} -\begin{description} - \item[Scalar mul] $[a]G$, where $a$ is a scalar and $G \in \mathbb{G}$ - \item[Inner product] $<\overrightarrow{a}, \overrightarrow{b}> = a_0 b_0 + a_1 b_1 + \ldots + a_{n-1} b_{n-1}$ - \item[Multiscalar mul] $<\overrightarrow{a}, \overrightarrow{b}> = [a_0] G_0 + [a_1] G_1 + \ldots [a_{n-1}] G_{n-1}$ -\end{description} - - -\subsection{Transparent setup} -$\overrightarrow{G} \in^r \mathbb{G}^d$, $H \in^r \mathbb{G}$ - -Prover wants to commit to $p(x)=a_0$ -\subsection{Protocol} -Prover: -$$P=<\overrightarrow{a}, \overrightarrow{G}> + [r]H$$ -$$v=<\overrightarrow{a}, \{1, x, x^2, \ldots, x^{d-1} \} >$$ - -where $\{1, x, x^2, \ldots, x^{d-1} \} = \overrightarrow{b}$. - -We can see that computing $v$ is the equivalent to evaluating $p(x)$ at $x$ ($p(x)=v$). - -We will prove: -\begin{enumerate}[i.] 
- \item polynomial $p(X) = \sum a_i X^i$\\ - $p(x) = v$ (that $p(X)$ evaluates $x$ to $v$). - \item $deg(p(X)) \leq d-1$ -\end{enumerate} - - -Both parties know $P$, point $x$ and claimed evaluation $v$. For $U \in^r \mathbb{G}$, - -$$P' = P + [v] U = <\overrightarrow{a}, G> + [r]H + [v] U$$ - -Now, for $k$ rounds ($d=2^k$, from $j=k$ to $j=1$): -\begin{itemize} - \item random blinding factors: $l_j, r_j \in \mathbb{F}_p$ - \item - $$L_j = < \overrightarrow{a}_{lo}, \overrightarrow{G}_{hi}> + [l_j] H + [< \overrightarrow{a}_{lo}, \overrightarrow{b}_{hi}>] U$$ - $$L_j = < \overrightarrow{a}_{lo}, \overrightarrow{G}_{hi}> + [l_j] H + [< \overrightarrow{a}_{lo}, \overrightarrow{b}_{hi}>] U$$ - \item Verifier sends random challenge $u_j \in \mathbb{I}$ - \item Prover computes the halved vectors for next round: - $$\overrightarrow{a} \leftarrow \overrightarrow{a}_{hi} \cdot u_j^{-1} + \overrightarrow{a}_{lo} \cdot u_j$$ - $$\overrightarrow{b} \leftarrow \overrightarrow{b}_{lo} \cdot u_j^{-1} + \overrightarrow{b}_{hi} \cdot u_j$$ - $$\overrightarrow{G} \leftarrow \overrightarrow{G}_{lo} \cdot u_j^{-1} + \overrightarrow{G}_{hi} \cdot u_j$$ -\end{itemize} - -After final round, $\overrightarrow{a}, \overrightarrow{b}, \overrightarrow{G}$ are each of length 1. - -Verifier can compute -$$G = \overrightarrow{G}_0 = < \overrightarrow{s}, \overrightarrow{G} >$$ -and $$b = \overrightarrow{b}_0 = < \overrightarrow{s}, \overrightarrow{b} >$$ -where $\overrightarrow{s}$ is the binary counting structure: - -\begin{align*} - &s = (u_1^{-1} ~ u_2^{-1} \cdots ~u_k^{-1},\\ - &~~~~~~u_1 ~~~ u_2^{-1} ~\cdots ~u_k^{-1},\\ - &~~~~~~u_1^{-1} ~~ u_2 ~~\cdots ~u_k^{-1},\\ - &~~~~~~~~~~~~~~\vdots\\ - &~~~~~~u_1 ~~~~ u_2 ~~\cdots ~u_k) -\end{align*} - - -And verifier checks: -$$[a]G + [r'] H + [ab] U == P' + \sum_{j=1}^k ( [u_j^2] L_j + [u_j^{-2}] R_j)$$ - -where the synthetic blinding factor $r'$ is $r' = r + \sum_{j=1}^k (l_j u_j^2 + r_j u_j^{-2})$. 
- -\vspace{1cm} - -Unfold: - -$$ -\textcolor{brown}{[a]G} + \textcolor{cyan}{[r'] H} + \textcolor{magenta}{[ab] U} -== -\textcolor{blue}{P'} + \sum_{j=1}^k ( \textcolor{violet}{[u_j^2] L_j} + \textcolor{orange}{[u_j^{-2}] R_j}) -$$ - -\begin{align*} -&Right~side = \textcolor{blue}{P'} + \sum_{j=1}^k ( \textcolor{violet}{[u_j^2] L_j} + \textcolor{orange}{[u_j^{-2}] R_j})\\ -&= \textcolor{blue}{< \overrightarrow{a}, \overrightarrow{G}> + [r] H + [v] U}\\ -&+ \sum_{j=1}^k (\\ -&\textcolor{violet}{[u_j^2] \cdot <\overrightarrow{a}_{lo}, \overrightarrow{G}_{hi}> + [l_j] H + [<\overrightarrow{a}_{lo}, \overrightarrow{b}_{hi}>] U}\\ -&\textcolor{orange}{+ [u_j^{-2}] \cdot <\overrightarrow{a}_{hi}, \overrightarrow{G}_{lo}> + [r_j] H + [<\overrightarrow{a}_{hi}, \overrightarrow{b}_{lo}>] U} -) -\end{align*} - -\begin{align*} -&Left~side = \textcolor{brown}{[a]G} + \textcolor{cyan}{[r'] H} + \textcolor{magenta}{[ab] U}\\ -& = \textcolor{brown}{< \overrightarrow{a}, \overrightarrow{G} >}\\ -&+ \textcolor{cyan}{[r + \sum_{j=1}^k (l_j \cdot u_j^2 + r_j u_j^{-2})] \cdot H}\\ -&+ \textcolor{magenta}{< \overrightarrow{a}, \overrightarrow{b} > U} -\end{align*} - - -\bibliography{paper-notes.bib} -\bibliographystyle{unsrt} - -\end{document}