@ -37,7 +37,7 @@
\maketitle
\begin { abstract}
Notes taken while reading about Spartan \cite { cryptoeprint:2023/573} , \cite { cryptoeprint:2023/552} .
Notes taken while reading about HyperNova \cite { cryptoeprint:2023/573} and CCS \cite { cryptoeprint:2023/552} .
Usually while reading papers I take handwritten notes, this document contains some of them re-written to $ LaTeX $ .
@ -77,6 +77,8 @@ which is equivalent to the R1CS relation: $Az \circ Bz == Cz$
An example of the conversion from R1CS to CCS implemented in SageMath can be found at\\
\href { https://github.com/arnaucube/math/blob/master/r1cs-ccs.sage} { https://github.com/arnaucube/math/blob/master/r1cs-ccs.sage} .
Similar relations between Plonkish and AIR arithmetizations to CCS are shown in the CCS paper \cite { cryptoeprint:2023/552} , but for now with the R1CS we have enough to see the CCS generalization idea and to use it for the HyperNova scheme.
\subsection { Committed CCS}
$ R _ { CCCS } $ instance: $ ( C, \mathsf { x } ) $ , where $ C $ is a commitment to a multilinear polynomial in $ s' - 1 $ variables.
@ -100,7 +102,7 @@ Sat if:
\section { Multifolding Scheme for CCS}
Recall sum-check protocol notation: \underline { $ C \leftarrow \langle P, V ( r ) \rangle ( g, l, d, T ) $ } :
Recall sum-check protocol notation: \underline { $ C \leftarrow \langle P, V ( r ) \rangle ( g, l, d, T ) $ } means
$$ T = \sum _ { x _ 1 \in \{ 0 , 1 \} } \sum _ { x _ 2 \in \{ 0 , 1 \} } \cdots \sum _ { x _ l \in \{ 0 , 1 \} } g ( x _ 1 , x _ 2 , \ldots , x _ l ) $$
where $ g $ is a $ l $ -variate polynomial, with degree at most $ d $ in each variable, and $ T $ is the claimed value.
@ -112,18 +114,20 @@ Let $s= \log m,~ s'= \log n$.
\item $ V \rightarrow P: \gamma \in ^ R \mathbb { F } ,~ \beta \in ^ R \mathbb { F } ^ s $
\item $ V: r _ x' \in ^ R \mathbb { F } ^ s $
\item $ V \leftrightarrow P $ : sum-check protocol:
$$ c \leftarrow \langle P, V ( r _ x' ) \rangle ( g, s, d + 1 , \overbrace { \sum _ { j \in [ t ] } \gamma ^ j \cdot v _ j } ^ \text { T } ) $$
$$ c \leftarrow \langle P, V ( r _ x' ) \rangle ( g, s, d + 1 , \underbrace { \sum _ { j \in [ t ] } \gamma ^ j \cdot v _ j } _ \text { T } ) $$
(in fact, $ T = ( \sum _ { j \in [ t ] } \gamma ^ j \cdot v _ j ) \underbrace { + \gamma ^ { t + 1 } \cdot Q ( x ) } _ { = 0 } ) = \sum _ { j \in [ t ] } \gamma ^ j \cdot v _ j $ )\\
where:
\begin { align*}
g(x) & := \left ( \sum _ { j \in [t]} \gamma ^ j \cdot L_ j(x) \right ) + \gamma ^ { t+1} \cdot Q(x)\\
g(x) & := \underbrace { \ left ( \sum _ { j \in [t]} \gamma ^ j \cdot L_ j(x) \right )} _ \text { LCCCS check} \underbrace { \ gamma ^ { t+1} \cdot Q(x)} _ \text { CCCS check} \\
\text { for LCCCS:} ~ L_ j(x) & := \widetilde { eq} (r_ x, x) \cdot \left (
\underbrace { \sum _ { y \in \{ 0,1\} ^ { s'} } \widetilde { M} _ j(x, y) \cdot \widetilde { z} _ 1(y)} _ \text { this is the check from LCCCS}
\right )\\
\text { for CCCS:} ~ Q(x) := & \widetilde { eq} (\beta , x) \cdot \left (
\underbrace { \sum _ { i=1} ^ q c_ i \cdot \prod _ { j \in S_ i} \left ( \sum _ { y \in \{ 0, 1\} ^ { s'} } \widetilde { M} _ j(x, y) \cdot \widetilde { z} _ 2(y) \right ) } _ \text { this is the check from Committed CCS}
\underbrace { \sum _ { i=1} ^ q c_ i \cdot \prod _ { j \in S_ i} \left ( \sum _ { y \in \{ 0, 1\} ^ { s'} } \widetilde { M} _ j(x, y) \cdot \widetilde { z} _ 2(y) \right ) } _ \text { this is the check from CCCS}
\right )
\end { align*}
Notice that $ v _ j = \sum _ { y \in \{ 0 , 1 \} ^ { s' } } \widetilde { M } _ j ( r, y ) \cdot \widetilde { z } ( y ) = \sum _ { x \in \{ 0 , 1 \} ^ s } L _ j ( x ) $ .
Notice that
$$ v _ j = \sum _ { y \in \{ 0 , 1 \} ^ { s' } } \widetilde { M } _ j ( r, y ) \cdot \widetilde { z } ( y ) = \sum _ { x \in \{ 0 , 1 \} ^ s } L _ j ( x ) $$
\item $ P \rightarrow V $ : $ \left ( ( \sigma _ 1 , \ldots , \sigma _ t ) , ( \theta _ 1 , \ldots , \theta _ t ) \right ) $ , where $ \forall j \in [ t ] $ ,
$$ \sigma _ j = \sum _ { y \in \{ 0 , 1 \} ^ { s' } } \widetilde { M } _ j ( r _ x', y ) \cdot \widetilde { z } _ 1 ( y ) $$
$$ \theta _ j = \sum _ { y \in \{ 0 , 1 \} ^ { s' } } \widetilde { M } _ j ( r _ x', y ) \cdot \widetilde { z } _ 2 ( y ) $$
@ -143,6 +147,44 @@ Let $s= \log m,~ s'= \log n$.
\item $ P $ : output folded witness: $ \widetilde { w } ' \leftarrow \widetilde { w } _ 1 + \rho \cdot \widetilde { w } _ 2 $ .
\end { enumerate}
\vspace { 1cm}
Now, to see the verifier check from step 5, observe that in LCCCS, since $ \widetilde { w } $ satisfies,
\begin { align*}
v_ j & = \sum _ { y \in \{ 0,1\} ^ { s'} } \widetilde { M} _ j(r_ x, y) \cdot \widetilde { z} _ 1(y)\\
& = \sum _ { x \in \{ 0,1\} ^ s}
\underbrace {
\widetilde { eq} (r_ x, x) \cdot \left ( \sum _ { y \in \{ 0,1\} ^ { s'} } \widetilde { M} _ j(x, y) \cdot \widetilde { z} _ 1(y) \right )
} _ { L_ j(x)} \\
& = \sum _ { x \in \{ 0,1\} ^ s} L_ j(x)
\end { align*}
Observe also that in CCCS, since $ \widetilde { w } $ satisfies,
$$
0=\sum _ { i=1} ^ q c_ i \cdot \prod _ { j \in S_ i} \left ( \sum _ { y \in \{ 0, 1\} ^ { s'} } \widetilde { M} _ j(x, y) \cdot \widetilde { z} _ 2(y) \right )
$$
for $ \beta $ ,
\begin { align*}
0& =\sum _ { i=1} ^ q c_ i \cdot \prod _ { j \in S_ i} \left ( \sum _ { y \in \{ 0, 1\} ^ { s'} } \widetilde { M} _ j(\beta , y) \cdot \widetilde { z} _ 2(y) \right )\\
& = \sum _ { x \in \{ 0,1\} ^ s}
\underbrace { \widetilde { eq} (\beta , x) \cdot
\sum _ { i=1} ^ q c_ i \cdot \prod _ { j \in S_ i} \left ( \sum _ { y \in \{ 0, 1\} ^ { s'} } \widetilde { M} _ j(x, y) \cdot \widetilde { z} _ 2(y) \right )
} _ { Q(x)} \\
& = \sum _ { x \in \{ 0,1\} ^ s} Q(x)
\end { align*}
Then we can see that
\begin { align*}
c & = g(r_ x')\\
& = \left ( \sum _ { j \in [t]} \gamma ^ j \cdot L_ j(r_ x') \right ) + \gamma ^ { t+1} \cdot Q(r_ x')\\
& = \left ( \sum _ { j \in [t]} \gamma ^ j \cdot e_ q \cdot \sigma _ j \right ) + \gamma ^ { t+1} \cdot e_ 2 \cdot \sum _ { i \in [q]} c_ i \prod _ { j \in S_ i} \theta _ j
\end { align*}
where $ e _ 1 = \widetilde { eq } ( r _ x, r _ x' ) $ and $ e _ 2 = \widetilde { eq } ( \beta , r _ x' ) $ .
Which is the check that $ V $ performs at step $ 5 $ .
% % % % % % APPENDIX
@ -172,7 +214,7 @@ $$
$ m = 3 ,~ n = 2 ,~~~ s = \lceil \log 3 \rceil = 2 ,~ s' = \lceil \log 2 \rceil = 1 $
So, $ M ( s _ 0 , s _ 1 ) = x $ , where $ s _ 0 \in \{ 0 , 1 \} ^ s,~ s _ 1 \in \{ 0 , 1 \} ^ { s' } ,~ x \in \mathbb { F } $
So, $ M ( x, y ) = x $ , where $ x \in \{ 0 , 1 \} ^ s,~ y \in \{ 0 , 1 \} ^ { s' } ,~ x \in \mathbb { F } $
$$
M = \begin { pmatrix}
@ -188,10 +230,10 @@ This logic can be defined as follows:
\caption { Generating a Sparse Multilinear Polynomial from a matrix}
\begin { algorithmic}
\State set empty vector $ v \in ( \text { index: } ~ \mathbb { Z } , x: \mathbb { F } ) ^ { s \times s' } $
\For { $ i $ to $ n $ }
\For { $ j $ to $ m $ }
\For { $ i $ to $ m $ }
\For { $ j $ to $ n $ }
\If { $ M _ { i,j } \neq 0 $ }
\State $ v. \text { append } ( \{ \text { index } : i \cdot m + j,~ x: M _ { i,j } \} ) $
\State $ v. \text { append } ( \{ \text { index } : i \cdot n + j,~ x: M _ { i,j } \} ) $
\EndIf
\EndFor
\EndFor
