diff --git a/notes_halo.pdf b/notes_halo.pdf index 3ff155a..3f8f19d 100644 Binary files a/notes_halo.pdf and b/notes_halo.pdf differ diff --git a/notes_halo.tex b/notes_halo.tex index b250de7..682f1b6 100644 --- a/notes_halo.tex +++ b/notes_halo.tex @@ -112,7 +112,7 @@ Now, for $k$ rounds ($d=2^k$, from $j=k$ to $j=1$): \item Prover sets random blinding factors: $l_j, r_j \in \mathbb{F}_p$ \item Prover computes $$L_j = < \overrightarrow{a}_{lo}, \overrightarrow{G}_{hi}> + [l_j] H + [< \overrightarrow{a}_{lo}, \overrightarrow{b}_{hi}>] U$$ - $$R_j = < \overrightarrow{a}_{lo}, \overrightarrow{G}_{hi}> + [l_j] H + [< \overrightarrow{a}_{lo}, \overrightarrow{b}_{hi}>] U$$ + $$R_j = < \overrightarrow{a}_{hi}, \overrightarrow{G}_{lo}> + [r_j] H + [< \overrightarrow{a}_{hi}, \overrightarrow{b}_{lo}>] U$$ \item Verifier sends random challenge $u_j \in \mathbb{I}$ \item Prover computes the halved vectors for next round: $$\overrightarrow{a} \leftarrow \overrightarrow{a}_{hi} \cdot u_j^{-1} + \overrightarrow{a}_{lo} \cdot u_j$$ diff --git a/notes_nova.pdf b/notes_nova.pdf index 889dd70..dca53e4 100644 Binary files a/notes_nova.pdf and b/notes_nova.pdf differ diff --git a/notes_nova.tex b/notes_nova.tex index 0bd9b54..41fa589 100644 --- a/notes_nova.tex +++ b/notes_nova.tex @@ -64,6 +64,8 @@ Usually while reading papers I take handwritten notes, this document contains some of them re-written to $LaTeX$. The notes are not complete, don't include all the steps neither all the proofs. + + Thanks to \href{https://twitter.com/levs57}{Levs57}, \href{https://twitter.com/nibnalin}{Nalin Bhardwaj} and \href{https://twitter.com/cperezz19}{Carlos PĂ©rez} for clarifications on the Nova paper. \end{abstract} \tableofcontents 
@@ -72,7 +74,15 @@ \subsection{R1CS modification} -Want: merge 2 instances of R1CS with the same matrices into a single one. Each instance has $z_i = (W_i,~ x_i)$ (public witness, private values resp.). +\paragraph{R1CS} +R1CS instance: $(A, B, C, io, m, n)$, where $io$ denotes the public input and output, $A, B, C \in \mathbb{F}^{m \times n}$, with $m \geq |io|+1$. +R1CS is satisfied by a witness $w \in \mathbb{F}^{m-|io|-1}$ such that +$$Az \circ Bz = Cz$$ +where $z=(io, 1, w)$. + +\vspace{0.5cm} + +\textbf{Want}: merge 2 instances of R1CS with the same matrices into a single one. Each instance has $z_i = (W_i,~ x_i)$ (public witness, private values resp.). \paragraph{traditional R1CS} Merged instance with $z=z_1 + r z_2$, for rand $r$. But, since R1CS is not linear $\longrightarrow$ can not apply.
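Review bot: In the `notes_halo.tex` hunk at line 112, the corrected `R_j` line (like the unchanged `L_j` line above it) writes the inner products with bare `<` and `>`, which TeX typesets as relation symbols with relation spacing. Suggest `\langle \overrightarrow{a}_{hi}, \overrightarrow{G}_{lo} \rangle` in both lines while this formula is being touched. The substance of the fix reads correctly: `R_j` now swaps the `hi`/`lo` halves relative to `L_j` and uses the blinding factor `r_j` that the preceding item declares, where the old line duplicated `L_j` and reused `l_j`. Separately, the context line `u_j \in \mathbb{I}` uses a set `\mathbb{I}` that is not defined anywhere in the visible lines; worth a definition or a pointer to where it is introduced.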
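Review bot: In the `notes_nova.tex` hunk at line 64, the surname in the added acknowledgement line shows up as `PĂ©rez`, which points to an encoding mismatch between the file and how it is read. Suggest writing it as `P\'erez`, or confirming the file is saved as UTF-8 with a matching input encoding, so the name survives in both the source and the compiled PDF. The unchanged context line in the same abstract also has `$LaTeX$`, which sets the word as a product of math italics; `\LaTeX` is the intended macro.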
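Review bot: In the `notes_nova.tex` hunk at line 72, the dimensions in the new R1CS paragraph do not line up: with `A, B, C \in \mathbb{F}^{m \times n}` the product `Az` needs `z` to have `n` entries, but `z=(io, 1, w)` with `w \in \mathbb{F}^{m-|io|-1}` has `|io| + 1 + (m-|io|-1) = m` entries. Either the matrices should be `m \times m` or the witness length should be stated in terms of `n`; also say what `n` stands for, since it appears in the tuple `(A, B, C, io, m, n)` but is otherwise unused. Second, the re-added "Want" line keeps `z_i = (W_i,~ x_i)` with "(public witness, private values resp.)", which clashes with the paragraph just introduced: there the public part is `io`, the witness is `w`, and the order is `(io, 1, w)`. Suggest aligning the notation and the public/private labels with the new definition so the two consecutive paragraphs describe the same `z`.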