Update Caulk notes with minimal Caulk+ overview. Add initial notes on FRI & Nova.
@ -0,0 +1,186 @@
\documentclass{article}
\usepackage[utf8]{inputenc}
\usepackage{amsfonts}
\usepackage{amsthm}
\usepackage{amsmath}
\usepackage{mathtools}
\usepackage{enumerate}
\usepackage{hyperref}
\usepackage{xcolor}

% prevent warnings of underfull \hbox:
\usepackage{etoolbox}
\apptocmd{\sloppy}{\hbadness 4000\relax}{}{}

\theoremstyle{definition}
\newtheorem{definition}{Def}[section]
\newtheorem{theorem}[definition]{Thm}

% custom lemma environment to set custom numbers
\newtheorem{innerlemma}{Lemma}
\newenvironment{lemma}[1]
{\renewcommand\theinnerlemma{#1}\innerlemma}
{\endinnerlemma}


\title{Notes on FRI}
\author{arnaucube}
\date{February 2023}

\begin{document}

\maketitle

\begin{abstract}
Notes taken from \href{https://sites.google.com/site/vincenzoiovinoit/}{Vincenzo Iovino} explainations and while reading about FRI \cite{fri}, \cite{cryptoeprint:2022/1216}.

Usually while reading papers I take handwritten notes, this document contains some of them re-written to $LaTeX$.

The notes are not complete, don't include all the steps neither all the proofs.
\end{abstract}

\tableofcontents

\section{Preliminaries}
\subsection{Low degree testing}
V wants to ensure that $deg(f(x)) \leq d$.

We are in the IOP setting, V asks on a point, P sends back the opening at that point.

TODO

\subsubsection{General degree d test}

Query at points $\{ x_i \}_0^{d+1},~z$ (with rand $z \overset{R}{\in} \mathbb{F}$).
Interpolate $p(x)$ at $\{f(x_i)\}_0^{d+1}$ to reconstruct the unique polynomial $p$ of degree $d$ such that $p(x_i)=f(x_i)~\forall i=1, \ldots, d+1$.

V checks $p(z)=f(z)$, if the check passes, then V is convinced with high probability.

This needs $d+2$ queries, is linear, $\mathcal{O}(n)$. With FRI we will have the test in $\mathcal{O}(\log{}d)$.

\section{FRI protocol}
Allows to test if a function $f$ is a poly of degree $\leq d$ in $\mathcal{O}(\log{}d)$.

Note: "P \emph{sends} $f(x)$ to V", "\emph{sends}", in the ideal IOP model means that all the table of $f(x)$ is sent, in practice is sent a commitment to $f(x)$.

\subsection{Intuition}
V wants to check that two functions $g,~h$ are both polynomials of degree $\leq d$.

Consider the following protocol:

\begin{enumerate}
\item V sends $\alpha \in \mathbb{F}$ to P. P sends $f(x) = g(x) + \alpha h(x)$ to V.
\item P sends $f(x)=g(x) + \alpha h(x)$ to V.
\item V queries $f(r), ~g(r), ~h(r)$ for rand $r \in \mathbb{F}$.
\item V checks $f(r)=g(r) + \alpha h(r)$. (Schwartz-Zippel lema).
If holds, V can be certain that $f(x)=g(x)+ \alpha h(x)$.
\item P proves that $deg(f) \leq d$.
\item If V is convinced that $deg(f) \leq d$, V belives that both $g, h$ have $deg \leq d$.
\end{enumerate}

%/// TODO tabulate this next lines
With high probablility, $\alpha$ will not cancel the coeffs with $deg \geq d+1$. % TODO check which is the name of this theorem or why this is true

Let $g(x)=a \cdot x^{d+1}, ~~ h(x)=b \cdot x^{d+1}$, and set $f(x) = g(x) + \alpha h(x)$.
Imagine that P can chose $\alpha$ such that $a x^{d+1} + \alpha \cdot b x^{d+1} = 0$, then, in $f(x)$ the coefficients of degree $d+1$ would cancel.
%///

\quad

Here, P proves $g,~h$ both have $deg \leq d$, but instead of doing $2 \cdot (d+2)$ queries ($d+2$ for $g$, and $d+2$ for $h$), it is done in $d+2$ queries (for $f$).
So we halved the number of queries.


\subsection{FRI}
Both P and V have oracle access to function $f$.

V wants to test if $f$ is polynomial with $deg(f) \leq d$.

Let $f_0(x)=f(x)$.

Each polynomial $f(x)$ of degree that is a power of $2$, can be written as
$$f(x) = f^L(x^2) + x f^R(x^2)$$
for some polynomials $f^L,~f^R$ of degree $\frac{deg(f)}{2}$, each one containing the even and odd degree coefficients as follows:

% $f^L(x)$ is built from the even degree coefficients divided by $x$, and $f^R(x)$ from the odd degree coefficients divided by $x$.

$$f^L(x)= \sum_0^{\frac{d+1}{2}-1} c_{2i} x^i ,~~ f^R(x)= \sum_0^{\frac{d+1}{2}-1} c_{2i+1} x^i$$

eg. for $f(x)=x^4+x^3+x^2+x+1$,
\begin{align*}
\begin{rcases}
f^L(x)=x^2+x+1\\
f^R(x)=x+1
\end{rcases}
~f(x) = f^L(x^2) &+ x \cdot f^R(x^2)\\
= (x^2)^2 + (x^2) + 1 &+ x \cdot ((x^2) + 1)\\
= x^4 + x^2 + 1 &+ x^3 + x
\end{align*}

\begin{enumerate}
\item V sends to P some $\alpha_0 \in \mathbb{F}$.
Let
\begin{equation}\tag{$A_0$}
f_0(x) = f_0^L(x^2) + x f_0^R(x^2)
\end{equation}
\item P sends
\begin{equation}\tag{$B_0$}
f_1(x) = f_0^L(x) + \alpha_0 f_0^R(x)
\end{equation}
to V.

(remember that "sends" in IOP model is that P commits to it)
\item V sends to P some $\alpha_1 \in \mathbb{F}$.
Let
\begin{equation}\tag{$A_1$}
f_1(x) = f_1^L(x^2) + x f_1^R(x^2)
\end{equation}
\item P sends
\begin{equation}\tag{$B_1$}
f_2(x) = f_1^L(x) + \alpha_1 f_1^R(x)
\end{equation}
to V.
\item Keep repeating the process, eg. let
\begin{equation}\tag{$A_2$}
f_2(x) = f_2^L(x^2) + x f_2^R(x^2)
\end{equation}
until $f_i^L,~ f_i^R$ are constant (degree 0 polynomials).
\item Once $f_i^L,~ f_i^R$ are constant, P sends them to V.
\end{enumerate}

Notice that at each step, $deg(f_i)$ halves.

\paragraph{Query phase}

\begin{enumerate}
\item V sends rand $z \in \mathbb{F}$ to P
\item P sends $\{ f_i(z^{2^i}), f_i(- z^{2^i}) \}$ to V.\\
{\scriptsize eg. $f_0(z),~ f_0(-z),~ f_1(z^2),~ f_1(-z^2),~ f_2(z^4),~ f_2(-z^4),~ f_3(z^8),~ f_3(-z^8),~ \ldots$}
\item V checks $f_i(a)=f_i^L(a^2) + a f_i^R(a^2)$ for $a=\{z, -z\}$
$$
\begin{pmatrix}
1 & z\\
1 & -z
\end{pmatrix}
\begin{pmatrix}
f_i^L(z^2)\\
f_i^R(z^2)
\end{pmatrix}
=
\begin{pmatrix}
f_i(z)\\
f_i(-z)
\end{pmatrix}
$$
\end{enumerate}

The number of queries needed is $2 \cdot log(d)$.

\section{FRI as polynomial commitment}
\emph{[WIP. Unfinished document]}


\bibliography{paper-notes.bib}
\bibliographystyle{unsrt}

\end{document}
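Review bot: in the Intuition enumerate the prover's move is listed twice: item 1 already ends with "P sends $f(x) = g(x) + \alpha h(x)$ to V" and item 2 repeats "P sends $f(x)=g(x) + \alpha h(x)$ to V"; keep the exchange in one item so the step count matches the later "$d+2$ queries (for $f$)" remark. In the query phase, item 3 only states the split $f_i(a)=f_i^L(a^2) + a f_i^R(a^2)$; what ties one round to the next is the page's own $(B_i)$: after solving the $2 \times 2$ system for $f_i^L(z^{2^{i+1}})$ and $f_i^R(z^{2^{i+1}})$, V should also check them against the next opening, $f_{i+1}(z^{2^{i+1}}) = f_i^L(z^{2^{i+1}}) + \alpha_i f_i^R(z^{2^{i+1}})$, and at the last round against the two constants P sent; without that comparison the committed $f_1, f_2, \ldots$ are never linked to $f_0$, so the check as written does not establish $deg(f_0) \leq d$. The sums defining $f^L, f^R$ use the upper index $\frac{d+1}{2}-1$, which is not an integer for the worked example ($d=4$ gives $1.5$); writing the bounds as $\lfloor d/2 \rfloor$ for $f^L$ and $\lfloor (d-1)/2 \rfloor$ for $f^R$ reproduces $x^2+x+1$ and $x+1$ from the example. Minor: 'explainations' (abstract), 'probablility', 'lema' (Schwartz-Zippel lemma), 'belives', and the cost of the general degree-$d$ test is linear in $d$, so $\mathcal{O}(d)$ rather than $\mathcal{O}(n)$ with $n$ undefined.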
@ -0,0 +1,146 @@
\documentclass{article}
\usepackage[utf8]{inputenc}
\usepackage{amsfonts}
\usepackage{amsthm}
\usepackage{amsmath}
\usepackage{mathtools}
\usepackage{enumerate}
\usepackage{hyperref}
\usepackage{xcolor}

% prevent warnings of underfull \hbox:
\usepackage{etoolbox}
\apptocmd{\sloppy}{\hbadness 4000\relax}{}{}

\theoremstyle{definition}
\newtheorem{definition}{Def}[section]
\newtheorem{theorem}[definition]{Thm}

% custom lemma environment to set custom numbers
\newtheorem{innerlemma}{Lemma}
\newenvironment{lemma}[1]
{\renewcommand\theinnerlemma{#1}\innerlemma}
{\endinnerlemma}


\title{Notes on Nova}
\author{arnaucube}
\date{February 2023}

\begin{document}

\maketitle

\begin{abstract}
Notes taken while reading Nova \cite{cryptoeprint:2021/370} paper.

Usually while reading papers I take handwritten notes, this document contains some of them re-written to $LaTeX$.

The notes are not complete, don't include all the steps neither all the proofs.
\end{abstract}

\tableofcontents

\section{Folding Scheme for Committed Relaxed R1CS}

\subsection{R1CS modification}

Want: merge 2 instances of R1CS with the same matrices into a single one. Each instance has $z_i = (W_i,~ x_i)$ (public witness, private values resp.).

\paragraph{traditional R1CS}
Merged instance with $z=z_1 + r z_2$, for rand $r$. But, since R1CS is not linear $\longrightarrow$ can not apply.

eg.
\begin{align*}
Az \circ Bz &= A(z_1 + r z_2) \circ B (z_1 + r z_2)\\
&= A z_1 \circ B z_1 + r(A z_1 \circ B z_2 + A z_2 \circ B z_1) + r^2 (A z_2 \circ B z_2)\\
&\neq Cz
\end{align*}

$\longrightarrow$ introduce error vector $E \in \mathbb{F}^m$, which absorbs the cross-temrs generated by folding.

$\longrightarrow$ introduce scalar $u$, which absorbs an extra factor of $r$ in $C z_1 + r^2 C z_2$ and in $z=(W, x, 1+r\cdot 1)$.

\paragraph{Relaxed R1CS}
\begin{align*}
&u=u_1+r u_2\\
&E=E_1 + r (A z_1 \circ B z_2 + A z_2 \circ B z_1 - u_1 C z_2 - u_2 C z_1) + r^2 E_2\\
&Az \circ Bz = uCz + E,~~ with~ z=(W,~x,~u)
\end{align*}
where R1CS set $E=0,~u=1$.

\begin{align*}
Az \circ Bz &= A z_1 \circ B z_1 + r(A z_1 \circ B z_2 + A z_2 \circ B z_1) + r^2 (A z_2 \circ B z_2)\\
&= (u_1 C z_1 + E_1) + r (A z_1 \circ B z_2 + A z_2 \circ B z_1) + r^2 (u_2 C z_2 + E_2)\\
&= u_1 C z_1 + \underbrace{E_1 + r(A z_1 \circ B z_2 + A z_2 \circ B z_1) + r^2 E_2}_\text{E} + r^1 u_2 C z_2\\
&= u_1 C z_1 + r^2 u_2 C z_2 + E\\
&= (u_1 + r u_2) \cdot C \cdot (z_1 + r z_2) + E\\
&= uCz + E
\end{align*}

For R1CS matrices $(A,~B,~C)$, the folded witness $W$ is a satisfying witness for the folded instance $(E,~u,~x)$.



\vspace{20px}
Problem: not non-trivial, and not zero-knowledge. Solution: use polynomial commitment with hiding, binding, succintness and additively homomorphic properties.

\paragraph{Committed Relaxed R1CS}
Instance for a Committed Relaxed R1CS\\
$(\overline{E}, u, \overline{W}, x)$, satisfyied by a witness $(E, r_E, W, r_W)$ such that
\begin{align*}
&\overline{E} = Com(E, r_E)\\
&\overline{W} = Com(E, r_W)\\
&Az \circ Bz = uCz+E,~~ where~z=(W, x, u)
\end{align*}


\subsection{Folding protocol}

V and P take two \emph{committed relaxed R1CS} instances
\begin{align*}
\varphi_1&=(\overline{E}_1, u_1, \overline{W}_1, x_1)\\
\varphi_2&=(\overline{E}_2, u_2, \overline{W}_2, x_2)
\end{align*}

P additionally takes witnesses to both instances
\begin{align*}
(E_1, r_{E_1}, W_1, r_{W_1})\\
(E_2, r_{E_2}, W_2, r_{W_2})
\end{align*}

Let $Z_1 = (W_1, x_1, u_1)$ and $Z_2 = (W_2, x_2, u_2)$.

% \paragraph{Protocol}
\begin{enumerate}
\item P send $\overline{T} = Com(T, r_T)$,\\
where $T=A z_1 \circ B z_1 + A z_2 \circ B z_2 - u_1 C z_2 - u_2 C z_2$\\
and rand $r_T \in \mathbb{F}$
\item V sample random challenge $r \in \mathbb{F}$
\item V, P output the folded instance $(\overline{E}, u, \overline{W}, x)$
\begin{align*}
&\overline{E}=\overline{E}_1 + r \overline{T} + r^2 \overline{E}_2\\
&u = u_1 + r u_2\\
&\overline{W} = \overline{W}_1 + r \overline{W}_2\\
&x = x_1 + r x_2
\end{align*}
\item P outputs the folded witness $(E, r_E, W, r_W)$
\begin{align*}
&E = E_1 + r T + r^2 E_2\\
&r_E = r_{E_1} + r \cdot r_T + r^2 r_{E_2}\\
&W=W_1 + r W_2\\
&r_W = r_{W_1} + r \cdot r_{W_2}
\end{align*}
\end{enumerate}

P uses a zkSNARK showing that knows the valid witness $(E, r_E, W, r_W)$ for the committed relaxed R1CS without revealing its value.
Then, vie Fiat-Shamir transform we achieve non-interactivity.

\section{IVC proofs}
\textbf{WIP}


\bibliography{paper-notes.bib}
\bibliographystyle{unsrt}

\end{document}
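Review bot: the commitment line in the Committed Relaxed R1CS block, $\overline{W} = Com(E, r_W)$, commits to the wrong value; it should be $\overline{W} = Com(W, r_W)$, matching the witness $(E, r_E, W, r_W)$ and the folded $\overline{W} = \overline{W}_1 + r \overline{W}_2$ in step 3. Step 1 of the folding protocol defines $T=A z_1 \circ B z_1 + A z_2 \circ B z_2 - u_1 C z_2 - u_2 C z_2$, but the cross term the Relaxed R1CS block puts into $E$ is $A z_1 \circ B z_2 + A z_2 \circ B z_1 - u_1 C z_2 - u_2 C z_1$; with $T$ as written, $E = E_1 + r T + r^2 E_2$ in step 4 is not the $E$ defined earlier, and $\overline{E}=\overline{E}_1 + r \overline{T} + r^2 \overline{E}_2$ then does not commit to the folded error, so the folded witness would not satisfy the folded instance. In the derivation, the underbraced $E$ on the third line omits the $-r(u_1 C z_2 + u_2 C z_1)$ part, which is exactly what the step from $u_1 C z_1 + r^2 u_2 C z_2 + E$ to $(u_1 + r u_2) \cdot C \cdot (z_1 + r z_2) + E$ needs (the product expands with $r u_1 C z_2 + r u_2 C z_1$); on the same line $r^1 u_2 C z_2$ should read $r^2 u_2 C z_2$ as on the next. The opening sentence "$z_i = (W_i,~ x_i)$ (public witness, private values resp.)" has the roles swapped: $W$ is the private witness that the zkSNARK at the end keeps hidden, and $x$ is the public input that appears in the clear in the instance $(\overline{E}, u, \overline{W}, x)$. Also $Z_1, Z_2$ are defined with capitals but used as $z_1, z_2$ in $T$; typos: 'cross-temrs', 'satisfyied', 'succintness', 'vie Fiat-Shamir' (via), 'P send', 'V sample'.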