small update to IPA notes
5
ipa.sage
5
ipa.sage
@@ -186,6 +186,9 @@ class IPA_halo:
|
||||
def verify(self, P, a, v, x_powers, r, u, U, lj, rj, L, R):
|
||||
print("methid verify()")
|
||||
|
||||
# compute P' = P + [v] U
|
||||
P = P + int(v) * U
|
||||
|
||||
s = build_s_from_us(u, self.d)
|
||||
b = inner_product_field(s, x_powers)
|
||||
G = inner_product_point(s, self.gs)
|
||||
@@ -445,8 +448,6 @@ class TestIPA_halo(unittest.TestCase):
|
||||
while (u[j] == 0): # prevent u[j] from being 0
|
||||
u[j] = ipa.F.random_element()
|
||||
|
||||
P = P + int(v) * U
|
||||
|
||||
# prover
|
||||
a_ipa, lj, rj, L, R = ipa.ipa(a, x_powers, u, U)
|
||||
|
||||
|
||||
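Review bot: The challenges `u` that both `verify()` and `ipa.ipa()` take as parameters are sampled up front in the test (the `while (u[j] == 0)` loop) before `ipa.ipa(a, x_powers, u, U)` is called, so the prover holds every round's challenge before it has produced any L_j, R_j; in the protocol the verifier must choose u_j only after receiving that round's L_j, R_j (or derive it from the transcript via Fiat-Shamir), so this test cannot catch a prover that adapts L_j, R_j to a known challenge. I would add a comment above the prover call: `# NOTE: u is fixed before the prover runs; a real verifier samples u_j (or derives it via Fiat-Shamir) only after receiving L_j, R_j`. The non-zero guard on `u[j]` exists because the folding step uses u_j^{-1}, which is worth stating in the existing comment: `# prevent u[j] from being 0: the folding uses u_j^{-1}`. Both the test method and `verify()` continue outside their hunks.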
BIN
notes_halo.pdf
BIN
notes_halo.pdf
Binary file not shown.
@@ -14,6 +14,33 @@
|
||||
}
|
||||
\usepackage{xcolor}
|
||||
|
||||
\usepackage{pgf-umlsd} % diagrams
|
||||
% message between threads
|
||||
% Example:
|
||||
% \bloodymess[delay]{sender}{message content}{receiver}{DIR}{start note}{end note}
|
||||
\newcommand{\bloodymess}[7][0]{
|
||||
\stepcounter{seqlevel}
|
||||
\path
|
||||
(#2)+(0,-\theseqlevel*\unitfactor-0.7*\unitfactor) node (mess from) {};
|
||||
\addtocounter{seqlevel}{#1}
|
||||
\path
|
||||
(#4)+(0,-\theseqlevel*\unitfactor-0.7*\unitfactor) node (mess to) {};
|
||||
\draw[->,>=angle 60] (mess from) -- (mess to) node[midway, above]
|
||||
{#3};
|
||||
|
||||
\if R#5
|
||||
\node (#3 from) at (mess from) {\llap{#6~}};
|
||||
\node (#3 to) at (mess to) {\rlap{~#7}};
|
||||
\else\if L#5
|
||||
\node (#3 from) at (mess from) {\rlap{~#6}};
|
||||
\node (#3 to) at (mess to) {\llap{#7~}};
|
||||
\else
|
||||
\node (#3 from) at (mess from) {#6};
|
||||
\node (#3 to) at (mess to) {#7};
|
||||
\fi
|
||||
\fi
|
||||
}
|
||||
|
||||
% prevent warnings of underfull \hbox:
|
||||
\usepackage{etoolbox}
|
||||
\apptocmd{\sloppy}{\hbadness 4000\relax}{}{}
|
||||
@@ -42,11 +69,14 @@
|
||||
\section{modified IPA (from Halo paper)}
|
||||
Notes taken while reading about the modified Inner Product Argument (IPA) from the Halo paper \cite{cryptoeprint:2019/1021}.
|
||||
|
||||
\paragraph{Objective:}
|
||||
Prover wants to prove that the polynomial $p(X)$ from the commitment $P$ evaluates to $v$ at $x$, and that $deg(p(X)) \leq d-1$.
|
||||
|
||||
\subsection{Notation}
|
||||
\begin{description}
|
||||
\item[Scalar mul] $[a]G$, where $a$ is a scalar and $G \in \mathbb{G}$
|
||||
\item[Inner product] $<\overrightarrow{a}, \overrightarrow{b}> = a_0 b_0 + a_1 b_1 + \ldots + a_{n-1} b_{n-1}$
|
||||
\item[Multiscalar mul] $<\overrightarrow{a}, \overrightarrow{b}> = [a_0] G_0 + [a_1] G_1 + \ldots [a_{n-1}] G_{n-1}$
|
||||
\item[Multiscalar mul] $<\overrightarrow{a}, \overrightarrow{G}> = [a_0] G_0 + [a_1] G_1 + \ldots + [a_{n-1}] G_{n-1}$
|
||||
\end{description}
|
||||
|
||||
|
||||
@@ -61,7 +91,7 @@ $$v=<\overrightarrow{a}, \{1, x, x^2, \ldots, x^{d-1} \} >$$
|
||||
|
||||
where $\{1, x, x^2, \ldots, x^{d-1} \} = \overrightarrow{b}$.
|
||||
|
||||
We can see that computing $v$ is the equivalent to evaluating $p(x)$ at $x$ ($p(x)=v$).
|
||||
We can see that computing $v$ is the equivalent to evaluating $p(X)$ at $x$ ($p(x)=v$).
|
||||
|
||||
We will prove:
|
||||
\begin{enumerate}[i.]
|
||||
@@ -71,16 +101,18 @@ We will prove:
|
||||
\end{enumerate}
|
||||
|
||||
|
||||
Both parties know $P$, point $x$ and claimed evaluation $v$. For $U \in^r \mathbb{G}$,
|
||||
Both parties know $P$, point $x$ and claimed evaluation $v$. For $U \in^r \mathbb{G}$.
|
||||
|
||||
Prover computes $P'$:
|
||||
|
||||
$$P' = P + [v] U = <\overrightarrow{a}, G> + [r]H + [v] U$$
|
||||
|
||||
Now, for $k$ rounds ($d=2^k$, from $j=k$ to $j=1$):
|
||||
\begin{itemize}
|
||||
\item random blinding factors: $l_j, r_j \in \mathbb{F}_p$
|
||||
\item
|
||||
$$L_j = < \overrightarrow{a}_{lo}, \overrightarrow{G}_{hi}> + [l_j] H + [< \overrightarrow{a}_{lo}, \overrightarrow{b}_{hi}>] U$$
|
||||
\item Prover sets random blinding factors: $l_j, r_j \in \mathbb{F}_p$
|
||||
\item Prover computes
|
||||
$$L_j = < \overrightarrow{a}_{lo}, \overrightarrow{G}_{hi}> + [l_j] H + [< \overrightarrow{a}_{lo}, \overrightarrow{b}_{hi}>] U$$
|
||||
$$R_j = < \overrightarrow{a}_{lo}, \overrightarrow{G}_{hi}> + [l_j] H + [< \overrightarrow{a}_{lo}, \overrightarrow{b}_{hi}>] U$$
|
||||
\item Verifier sends random challenge $u_j \in \mathbb{I}$
|
||||
\item Prover computes the halved vectors for next round:
|
||||
$$\overrightarrow{a} \leftarrow \overrightarrow{a}_{hi} \cdot u_j^{-1} + \overrightarrow{a}_{lo} \cdot u_j$$
|
||||
@@ -119,15 +151,6 @@ $$
|
||||
\textcolor{blue}{P'} + \sum_{j=1}^k ( \textcolor{violet}{[u_j^2] L_j} + \textcolor{orange}{[u_j^{-2}] R_j})
|
||||
$$
|
||||
|
||||
\begin{align*}
|
||||
&Right~side = \textcolor{blue}{P'} + \sum_{j=1}^k ( \textcolor{violet}{[u_j^2] L_j} + \textcolor{orange}{[u_j^{-2}] R_j})\\
|
||||
&= \textcolor{blue}{< \overrightarrow{a}, \overrightarrow{G}> + [r] H + [v] U}\\
|
||||
&+ \sum_{j=1}^k (\\
|
||||
&\textcolor{violet}{[u_j^2] \cdot <\overrightarrow{a}_{lo}, \overrightarrow{G}_{hi}> + [l_j] H + [<\overrightarrow{a}_{lo}, \overrightarrow{b}_{hi}>] U}\\
|
||||
&\textcolor{orange}{+ [u_j^{-2}] \cdot <\overrightarrow{a}_{hi}, \overrightarrow{G}_{lo}> + [r_j] H + [<\overrightarrow{a}_{hi}, \overrightarrow{b}_{lo}>] U}
|
||||
)
|
||||
\end{align*}
|
||||
|
||||
\begin{align*}
|
||||
&Left~side = \textcolor{brown}{[a]G} + \textcolor{cyan}{[r'] H} + \textcolor{magenta}{[ab] U}\\
|
||||
& = \textcolor{brown}{< \overrightarrow{a}, \overrightarrow{G} >}\\
|
||||
@@ -136,6 +159,51 @@ $$
|
||||
\end{align*}
|
||||
|
||||
|
||||
\begin{align*}
|
||||
&Right~side = \textcolor{blue}{P'} + \sum_{j=1}^k ( \textcolor{violet}{[u_j^2] L_j} + \textcolor{orange}{[u_j^{-2}] R_j})\\
|
||||
&= \textcolor{blue}{< \overrightarrow{a}, \overrightarrow{G}> + [r] H + [v] U}\\
|
||||
&+ \sum_{j=1}^k (
|
||||
\textcolor{violet}{[u_j^2] \cdot <\overrightarrow{a}_{lo}, \overrightarrow{G}_{hi}> + [l_j] H + [<\overrightarrow{a}_{lo}, \overrightarrow{b}_{hi}>] U}\\
|
||||
&\textcolor{orange}{+ [u_j^{-2}] \cdot <\overrightarrow{a}_{hi}, \overrightarrow{G}_{lo}> + [r_j] H + [<\overrightarrow{a}_{hi}, \overrightarrow{b}_{lo}>] U}
|
||||
)
|
||||
\end{align*}
|
||||
|
||||
|
||||
\vspace{1.5cm}
|
||||
The following diagram ilustrates the main steps in the scheme:
|
||||
|
||||
\begin{center}
|
||||
\begin{sequencediagram}
|
||||
\newinst[1]{p}{Prover}
|
||||
\newinst[3]{v}{Verifier}
|
||||
|
||||
\bloodymess[1]{p}{P}{v}{R}{knows $p(X)\in \mathbb{F[X]}$, commits to $p(X)$, $P$}{rand $x \in \mathbb{F},~U\in \mathbb{G},~\overrightarrow{u} \in \mathbb{F}^d$}
|
||||
\bloodymess[1]{v}{$x, U, u$}{p}{R}{}{}
|
||||
\bloodymess[1]{p}{$proof, a, L_j, R_j, v$}{v}{R}{gen proof}{$verify(proof, P, a, x, L_j, R_j)$}
|
||||
|
||||
% \begin{callself}{p}{knows $p(X) \in \mathbb{F}[X]$}{}
|
||||
% \end{callself}
|
||||
% \begin{callself}{p}{commit to $p(X),~P$}{}
|
||||
% \end{callself}
|
||||
%
|
||||
% \mess[0]{p}{$P$}{v}
|
||||
% \begin{callself}{v}{rand $x \in \mathbb{F},~U\in \mathbb{G},~\overrightarrow{u} \in \mathbb{F}^d$}{}
|
||||
% \end{callself}
|
||||
%
|
||||
% \mess[0]{v}{$x,U,u$}{p}
|
||||
|
||||
% \node[anchor=west] (p2) at (mess to) {gen proof2}
|
||||
|
||||
% \begin{callself}{p}{gen proof $\pi$}{}
|
||||
% \end{callself}
|
||||
%
|
||||
% \mess[0]{p}{$a, L_j, R_j, v$}{v}
|
||||
%
|
||||
% \begin{callself}{v}{$verify(P, a, x, v, L_j, R_k$)}{}
|
||||
% \end{callself}
|
||||
\end{sequencediagram}
|
||||
\end{center}
|
||||
|
||||
\section{Amortization Strategy}
|
||||
TODO
|
||||
|
||||
|
||||
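Review bot: The new `R_j` display duplicates the `L_j` line verbatim (it uses `a_lo`, `G_hi`, `l_j` and `b_hi`), which contradicts the expansion later in the same file, where the `[u_j^{-2}] R_j` term is `<a_hi, G_lo> + [r_j] H + [<a_hi, b_lo>] U`. It should read `$$R_j = < \overrightarrow{a}_{hi}, \overrightarrow{G}_{lo}> + [r_j] H + [< \overrightarrow{a}_{hi}, \overrightarrow{b}_{lo}>] U$$`. The challenge domain `u_j \in \mathbb{I}` in the following item is not defined anywhere in the visible text; the blinding factors and the diagram use `\mathbb{F}_p` / `\mathbb{F}`, so this presumably should be `u_j \in \mathbb{F}_p` together with a non-zero requirement, since `u_j^{-1}` is used in the folding step. In the sequence diagram, `\mathbb{F[X]}` should be `\mathbb{F}[X]`, as the commented-out `callself` lines below already have it.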