@ -37,7 +37,7 @@
\maketitle \maketitle
\begin { abstract} \begin { abstract}
Notes taken while reading about Spartan \cite { cryptoeprint:2023/573} , \cite { cryptoeprint:2023/552} .
Notes taken while reading about HyperNova \cite { cryptoeprint:2023/573} and CCS \cite { cryptoeprint:2023/552} .
Usually while reading papers I take handwritten notes, this document contains some of them re-written to $ LaTeX $ . Usually while reading papers I take handwritten notes, this document contains some of them re-written to $ LaTeX $ .
@ -77,6 +77,8 @@ which is equivalent to the R1CS relation: $Az \circ Bz == Cz$
An example of the conversion from R1CS to CCS implemented in SageMath can be found at\\ An example of the conversion from R1CS to CCS implemented in SageMath can be found at\\
\href { https://github.com/arnaucube/math/blob/master/r1cs-ccs.sage} { https://github.com/arnaucube/math/blob/master/r1cs-ccs.sage} .\href { https://github.com/arnaucube/math/blob/master/r1cs-ccs.sage} { https://github.com/arnaucube/math/blob/master/r1cs-ccs.sage} .
Similar relations between Plonkish and AIR arithmetizations to CCS are shown in the CCS paper \cite { cryptoeprint:2023/552} , but for now with the R1CS we have enough to see the CCS generalization idea and to use it for the HyperNova scheme.
\subsection { Committed CCS} \subsection { Committed CCS}
$ R _ { CCCS } $ instance: $ ( C, \mathsf { x } ) $ , where $ C $ is a commitment to a multilinear polynomial in $ s' - 1 $ variables.$ R _ { CCCS } $ instance: $ ( C, \mathsf { x } ) $ , where $ C $ is a commitment to a multilinear polynomial in $ s' - 1 $ variables.
@ -100,7 +102,7 @@ Sat if:
\section { Multifolding Scheme for CCS} \section { Multifolding Scheme for CCS}
Recall sum-check protocol notation: \underline { $ C \leftarrow \langle P, V ( r ) \rangle ( g, l, d, T ) $ } :
Recall sum-check protocol notation: \underline { $ C \leftarrow \langle P, V ( r ) \rangle ( g, l, d, T ) $ } means
$$ T = \sum _ { x _ 1 \in \{ 0 , 1 \} } \sum _ { x _ 2 \in \{ 0 , 1 \} } \cdots \sum _ { x _ l \in \{ 0 , 1 \} } g ( x _ 1 , x _ 2 , \ldots , x _ l ) $$ $$ T = \sum _ { x _ 1 \in \{ 0 , 1 \} } \sum _ { x _ 2 \in \{ 0 , 1 \} } \cdots \sum _ { x _ l \in \{ 0 , 1 \} } g ( x _ 1 , x _ 2 , \ldots , x _ l ) $$
where $ g $ is a $ l $ -variate polynomial, with degree at most $ d $ in each variable, and $ T $ is the claimed value.where $ g $ is a $ l $ -variate polynomial, with degree at most $ d $ in each variable, and $ T $ is the claimed value.
@ -112,18 +114,20 @@ Let $s= \log m,~ s'= \log n$.
\item $ V \rightarrow P: \gamma \in ^ R \mathbb { F } ,~ \beta \in ^ R \mathbb { F } ^ s $ \item $ V \rightarrow P: \gamma \in ^ R \mathbb { F } ,~ \beta \in ^ R \mathbb { F } ^ s $
\item $ V: r _ x' \in ^ R \mathbb { F } ^ s $ \item $ V: r _ x' \in ^ R \mathbb { F } ^ s $
\item $ V \leftrightarrow P $ : sum-check protocol: \item $ V \leftrightarrow P $ : sum-check protocol:
$$ c \leftarrow \langle P, V ( r _ x' ) \rangle ( g, s, d + 1 , \overbrace { \sum _ { j \in [ t ] } \gamma ^ j \cdot v _ j } ^ \text { T } ) $$
$$ c \leftarrow \langle P, V ( r _ x' ) \rangle ( g, s, d + 1 , \underbrace { \sum _ { j \in [ t ] } \gamma ^ j \cdot v _ j } _ \text { T } ) $$
(in fact, $ T = ( \sum _ { j \in [ t ] } \gamma ^ j \cdot v _ j ) \underbrace { + \gamma ^ { t + 1 } \cdot Q ( x ) } _ { = 0 } ) = \sum _ { j \in [ t ] } \gamma ^ j \cdot v _ j $ )\\
where: where:
\begin { align*} \begin { align*}
g(x) & := \left ( \sum _ { j \in [t]} \gamma ^ j \cdot L_ j(x) \right ) + \gamma ^ { t+1} \cdot Q(x)\\
g(x) & := \underbrace { \ left ( \sum _ { j \in [t]} \gamma ^ j \cdot L_ j(x) \right )} _ \text { LCCCS check} \underbrace { \ gamma ^ { t+1} \cdot Q(x)} _ \text { CCCS check} \\
\text { for LCCCS:} ~ L_ j(x) & := \widetilde { eq} (r_ x, x) \cdot \left ( \text { for LCCCS:} ~ L_ j(x) & := \widetilde { eq} (r_ x, x) \cdot \left (
\underbrace { \sum _ { y \in \{ 0,1\} ^ { s'} } \widetilde { M} _ j(x, y) \cdot \widetilde { z} _ 1(y)} _ \text { this is the check from LCCCS} \underbrace { \sum _ { y \in \{ 0,1\} ^ { s'} } \widetilde { M} _ j(x, y) \cdot \widetilde { z} _ 1(y)} _ \text { this is the check from LCCCS}
\right )\\ \right )\\
\text { for CCCS:} ~ Q(x) := & \widetilde { eq} (\beta , x) \cdot \left ( \text { for CCCS:} ~ Q(x) := & \widetilde { eq} (\beta , x) \cdot \left (
\underbrace { \sum _ { i=1} ^ q c_ i \cdot \prod _ { j \in S_ i} \left ( \sum _ { y \in \{ 0, 1\} ^ { s'} } \widetilde { M} _ j(x, y) \cdot \widetilde { z} _ 2(y) \right ) } _ \text { this is the check from Committed CCS}
\underbrace { \sum _ { i=1} ^ q c_ i \cdot \prod _ { j \in S_ i} \left ( \sum _ { y \in \{ 0, 1\} ^ { s'} } \widetilde { M} _ j(x, y) \cdot \widetilde { z} _ 2(y) \right ) } _ \text { this is the check from CCCS}
\right ) \right )
\end { align*} \end { align*}
Notice that $ v _ j = \sum _ { y \in \{ 0 , 1 \} ^ { s' } } \widetilde { M } _ j ( r, y ) \cdot \widetilde { z } ( y ) = \sum _ { x \in \{ 0 , 1 \} ^ s } L _ j ( x ) $ .
Notice that
$$ v _ j = \sum _ { y \in \{ 0 , 1 \} ^ { s' } } \widetilde { M } _ j ( r, y ) \cdot \widetilde { z } ( y ) = \sum _ { x \in \{ 0 , 1 \} ^ s } L _ j ( x ) $$
\item $ P \rightarrow V $ : $ \left ( ( \sigma _ 1 , \ldots , \sigma _ t ) , ( \theta _ 1 , \ldots , \theta _ t ) \right ) $ , where $ \forall j \in [ t ] $ , \item $ P \rightarrow V $ : $ \left ( ( \sigma _ 1 , \ldots , \sigma _ t ) , ( \theta _ 1 , \ldots , \theta _ t ) \right ) $ , where $ \forall j \in [ t ] $ ,
$$ \sigma _ j = \sum _ { y \in \{ 0 , 1 \} ^ { s' } } \widetilde { M } _ j ( r _ x', y ) \cdot \widetilde { z } _ 1 ( y ) $$ $$ \sigma _ j = \sum _ { y \in \{ 0 , 1 \} ^ { s' } } \widetilde { M } _ j ( r _ x', y ) \cdot \widetilde { z } _ 1 ( y ) $$
$$ \theta _ j = \sum _ { y \in \{ 0 , 1 \} ^ { s' } } \widetilde { M } _ j ( r _ x', y ) \cdot \widetilde { z } _ 2 ( y ) $$ $$ \theta _ j = \sum _ { y \in \{ 0 , 1 \} ^ { s' } } \widetilde { M } _ j ( r _ x', y ) \cdot \widetilde { z } _ 2 ( y ) $$
@ -143,6 +147,44 @@ Let $s= \log m,~ s'= \log n$.
\item $ P $ : output folded witness: $ \widetilde { w } ' \leftarrow \widetilde { w } _ 1 + \rho \cdot \widetilde { w } _ 2 $ . \item $ P $ : output folded witness: $ \widetilde { w } ' \leftarrow \widetilde { w } _ 1 + \rho \cdot \widetilde { w } _ 2 $ .
\end { enumerate} \end { enumerate}
\vspace { 1cm}
Now, to see the verifier check from step 5, observe that in LCCCS, since $ \widetilde { w } $ satisfies,
\begin { align*}
v_ j & = \sum _ { y \in \{ 0,1\} ^ { s'} } \widetilde { M} _ j(r_ x, y) \cdot \widetilde { z} _ 1(y)\\
& = \sum _ { x \in \{ 0,1\} ^ s}
\underbrace {
\widetilde { eq} (r_ x, x) \cdot \left ( \sum _ { y \in \{ 0,1\} ^ { s'} } \widetilde { M} _ j(x, y) \cdot \widetilde { z} _ 1(y) \right )
} _ { L_ j(x)} \\
& = \sum _ { x \in \{ 0,1\} ^ s} L_ j(x)
\end { align*}
Observe also that in CCCS, since $ \widetilde { w } $ satisfies,
$$
0=\sum _ { i=1} ^ q c_ i \cdot \prod _ { j \in S_ i} \left ( \sum _ { y \in \{ 0, 1\} ^ { s'} } \widetilde { M} _ j(x, y) \cdot \widetilde { z} _ 2(y) \right )
$$
for $ \beta $ ,
\begin { align*}
0& =\sum _ { i=1} ^ q c_ i \cdot \prod _ { j \in S_ i} \left ( \sum _ { y \in \{ 0, 1\} ^ { s'} } \widetilde { M} _ j(\beta , y) \cdot \widetilde { z} _ 2(y) \right )\\
& = \sum _ { x \in \{ 0,1\} ^ s}
\underbrace { \widetilde { eq} (\beta , x) \cdot
\sum _ { i=1} ^ q c_ i \cdot \prod _ { j \in S_ i} \left ( \sum _ { y \in \{ 0, 1\} ^ { s'} } \widetilde { M} _ j(x, y) \cdot \widetilde { z} _ 2(y) \right )
} _ { Q(x)} \\
& = \sum _ { x \in \{ 0,1\} ^ s} Q(x)
\end { align*}
Then we can see that
\begin { align*}
c & = g(r_ x')\\
& = \left ( \sum _ { j \in [t]} \gamma ^ j \cdot L_ j(r_ x') \right ) + \gamma ^ { t+1} \cdot Q(r_ x')\\
& = \left ( \sum _ { j \in [t]} \gamma ^ j \cdot e_ q \cdot \sigma _ j \right ) + \gamma ^ { t+1} \cdot e_ 2 \cdot \sum _ { i \in [q]} c_ i \prod _ { j \in S_ i} \theta _ j
\end { align*}
where $ e _ 1 = \widetilde { eq } ( r _ x, r _ x' ) $ and $ e _ 2 = \widetilde { eq } ( \beta , r _ x' ) $ .
Which is the check that $ V $ performs at step $ 5 $ .
% % % % % % APPENDIX% % % % % % APPENDIX
@ -172,7 +214,7 @@ $$
$ m = 3 ,~ n = 2 ,~~~ s = \lceil \log 3 \rceil = 2 ,~ s' = \lceil \log 2 \rceil = 1 $ $ m = 3 ,~ n = 2 ,~~~ s = \lceil \log 3 \rceil = 2 ,~ s' = \lceil \log 2 \rceil = 1 $
So, $ M ( s _ 0 , s _ 1 ) = x $ , where $ s _ 0 \in \{ 0 , 1 \} ^ s,~ s _ 1 \in \{ 0 , 1 \} ^ { s' } ,~ x \in \mathbb { F } $
So, $ M ( x, y ) = x $ , where $ x \in \{ 0 , 1 \} ^ s,~ y \in \{ 0 , 1 \} ^ { s' } ,~ x \in \mathbb { F } $
$$ $$
M = \begin { pmatrix} M = \begin { pmatrix}
@ -188,10 +230,10 @@ This logic can be defined as follows:
\caption { Generating a Sparse Multilinear Polynomial from a matrix} \caption { Generating a Sparse Multilinear Polynomial from a matrix}
\begin { algorithmic} \begin { algorithmic}
\State set empty vector $ v \in ( \text { index: } ~ \mathbb { Z } , x: \mathbb { F } ) ^ { s \times s' } $ \State set empty vector $ v \in ( \text { index: } ~ \mathbb { Z } , x: \mathbb { F } ) ^ { s \times s' } $
\For { $ i $ to $ n $ }
\For { $ j $ to $ m $ }
\For { $ i $ to $ m $ }
\For { $ j $ to $ n $ }
\If { $ M _ { i,j } \neq 0 $ } \If { $ M _ { i,j } \neq 0 $ }
\State $ v. \text { append } ( \{ \text { index } : i \cdot m + j,~ x: M _ { i,j } \} ) $
\State $ v. \text { append } ( \{ \text { index } : i \cdot n + j,~ x: M _ { i,j } \} ) $
\EndIf \EndIf
\EndFor \EndFor
\EndFor \EndFor
