diff --git a/README.md b/README.md
index 51951ee..7d74049 100644
--- a/README.md
+++ b/README.md
@@ -14,5 +14,6 @@ Notes, code and documents done while reading books and papers. - [Notes on FRI](notes_fri.pdf) - [Notes on Spartan](notes_spartan.pdf) - [Notes on Nova](notes_nova.pdf) +- [Notes on HyperNova](notes_hypernova.pdf) Also some Sage implementations can be found in the `*.sage` files of this repo.
diff --git a/notes_hypernova.pdf b/notes_hypernova.pdf
new file mode 100644
index 0000000..c558ff3
Binary files /dev/null and b/notes_hypernova.pdf differ
diff --git a/notes_hypernova.tex b/notes_hypernova.tex
new file mode 100644
index 0000000..87102c4
--- /dev/null
+++ b/notes_hypernova.tex
@@ -0,0 +1,140 @@
+\documentclass{article}
+\usepackage[utf8]{inputenc}
+\usepackage{amsfonts}
+\usepackage{amsthm}
+\usepackage{amsmath}
+\usepackage{mathtools}
+\usepackage{enumerate}
+\usepackage{hyperref}
+\usepackage{xcolor}
+\usepackage{pgf-umlsd} % diagrams
+\usepackage{centernot}
+
+
+% prevent warnings of underfull \hbox:
+\usepackage{etoolbox}
+\apptocmd{\sloppy}{\hbadness 4000\relax}{}{}
+
+\theoremstyle{definition}
+\newtheorem{definition}{Def}[section]
+\newtheorem{theorem}[definition]{Thm}
+
+% custom lemma environment to set custom numbers
+\newtheorem{innerlemma}{Lemma}
+\newenvironment{lemma}[1]
+{\renewcommand\theinnerlemma{#1}\innerlemma}
+{\endinnerlemma}
+
+
+\title{Notes on HyperNova}
+\author{arnaucube}
+\date{May 2023}
+
+\begin{document}
+
+\maketitle
+
+\begin{abstract}
+ Notes taken while reading about Spartan \cite{cryptoeprint:2023/573}, \cite{cryptoeprint:2023/552}.
+
+ Usually while reading papers I take handwritten notes, this document contains some of them re-written to $LaTeX$.
+
+ The notes are not complete, don't include all the steps neither all the proofs.
+\end{abstract}
+
+\tableofcontents
+
+
+\section{CCS}
+\subsection{R1CS to CCS overview}
+
+\begin{itemize}
+ \item[] R1CS instance: $S_{R1CS} = (m, n, N, l, A, B, C)$
+ \item[] CCS instance: $S_{CCS} = (m, n, N, l, t, q, d, M, S, c)$
+ \item[] R1CS-to-CCS parameters:\\
+ $n=n,~ m=m,~ N=N,~ l=l,~ t=3,~ q=2,~ d=2$\\
+ $M=\{A,B,C\}$, $S=\{\{0,~1\},~ \{2\}\}$, $c=\{1,-1\}$
+\end{itemize}
+
+Then, we can see that the CCS relation:
+$$\sum_{i=0}^{q-1} c_i \cdot \bigcirc_{j \in S_i} M_j \cdot z ==0$$
+
+where $z=(w, 1, x) \in \mathbb{F}^n$.
+
+In our R1CS-to-CCS parameters is equivalent to
+
+\begin{align*}
+ &c_0 \cdot ( (M_0 z) \circ (M_1 z) ) + c_1 \cdot (M_2 z) ==0\\
+ \Longrightarrow &1 \cdot ( (A z) \circ (B z) ) + (-1) \cdot (C z) ==0\\
+ \Longrightarrow &( (A z) \circ (B z) ) - (C z) ==0
+\end{align*}
+
+which is equivalent to the R1CS relation: $Az \circ Bz == Cz$
+
+An example of the conversion from R1CS to CCS implemented in SageMath can be found at\\
+\href{https://github.com/arnaucube/math/blob/master/r1cs-ccs.sage}{https://github.com/arnaucube/math/blob/master/r1cs-ccs.sage}.
+
+\subsection{Committed CCS}
+$R_{CCCS}$ instance: $(C, \mathsf{x})$, where $C$ is a commitment to a multilinear polynomial in $s'-1$ variables.
+
+Sat if:
+\begin{enumerate}[i.]
+ \item $\text{Commit}(pp, \widetilde{w}) = C$
+ \item $\sum_{i=1}^q c_i \cdot \left( \prod_{j \in S_i} \left( \sum_{y \in \{0,1\}^{\log m}} \widetilde{M}_j(x, y) \cdot \widetilde{z}(y) \right) \right)$\\
+ where $\widetilde{z}(y) = \widetilde{(w, 1, \mathsf{x})}(x) ~\forall x \in \{0, 1\}^{s'}$
+\end{enumerate}
+
+
+\subsection{Linearized Committed CCS}
+$R_{LCCCS}$ instance: $(C, u, \mathsf{x}, r, v_1, \ldots, v_t)$, where $C$ is a commitment to a multilinear polynomial in $s'-1$ variables, and $u \in \mathbb{F},~ \mathsf{x} \in \mathbb{F}^l,~ r \in \mathbb{F}^s,~ v_i \in \mathbb{F} ~\forall i \in [t]$.
+
+Sat if:
+\begin{enumerate}[i.]
+ \item $\text{Commit}(pp, \widetilde{w}) = C$
+ \item $\forall i \in [t],~ v_i = \sum_{y \in \{0,1\}^{s'}} \widetilde{M}_i(r, y) \cdot \widetilde{z}(y)$\\
+ where $\widetilde{z}(y) = \widetilde{(w, u, \mathsf{x})}(x) ~\forall x \in \{0, 1\}^{s'}$
+\end{enumerate}
+
+
+\section{Multifolding Scheme for CCS}
+Recall sum-check protocol:\\
+\underline{$C \leftarrow (g, l, d, T)$}:\\ % TODO use proper <, >
+$T=\sum_{x_1 \in \{0,1\}} \sum_{x_2 \in \{0,1\}} \cdots \sum_{x_l \in \{0,1\}} g(x_1, x_2, \ldots, x_l)$
+$l$-variate polynomial g, degree $\leq d$ in each variable.
+
+let $s= \log m,~ s'= \log n$.
+
+\begin{enumerate}
+ \item $V \rightarrow P: \gamma \in^R \mathbb{F},~ \beta \in^R \mathbb{F}^s$
+ \item $V: r_x' \in^R \mathbb{F}^s$
+ \item $V \leftrightarrow P$: sum-check protocol:\\
+ $$c \leftarrow (g, s, d+1, \sum_{j \in [t]} \gamma^j \cdot v_j)$$
+ where:\\
+ \begin{align*}
+ g(x) &:= \left( \sum_{j \in [t]} \gamma^j \cdot L_j(x) \right) + \gamma^{t+1} \cdot Q(x)\\
+ L_j(x) &:= \widetilde{eq}(r_x, x) \cdot \left( \sum_{y \in \{0,1\}^{s'}} \widetilde{M}_j(x, y) \cdot \widetilde{z}_1(y) \right)\\
+ Q(x) &:= \widetilde{eq}(\beta, x) \cdot \left( \sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \left( \sum_{y \in \{0, 1\}^{s'}} \widetilde{M}_j(x, y) \cdot \widetilde{z}_2(y) \right) \right)
+ \end{align*}
+ \item $P \rightarrow V$: $\left( (\sigma_1, \ldots, \sigma_t), (\theta_1, \ldots, \theta_t) \right)$
+ where
+ $$\sigma_j = \sum_{y \in \{0,1\}^{s'}} \widetilde{M}_j(x, y) \cdot \widetilde{z}_1(y)$$
+ $$\theta_j = \sum_{y \in \{0, 1\}^{s'}} \widetilde{M}_j(x, y) \cdot \widetilde{z}_2(y)$$
+ \item V: $e_1 \leftarrow \widetilde{eq}(r_x, r_x')$, $e_2 \leftarrow \widetilde{eq}(\beta, r_x')$\\
+ check:
+ $$c = \left( \sum_{j \in [t]} \gamma^j e_1 \sigma_j + \gamma^{t+1} e_2 \left( \sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \sigma \right) \right)$$
+ \item $V \rightarrow P: \rho \in^R \mathbb{F}$
+ \item $V, P$: output the folded LCCCS instance $(C', u', \mathsf{x}', r_x', v_1', \ldots, v_t')$, where $\forall i \in [t]$:
+ \begin{align*}
+ C' &\leftarrow C_1 + \rho \cdot C_2\\
+ u' &\leftarrow u + \rho \cdot 1\\
+ \mathsf{x}' &\leftarrow \mathsf{x}_1 + \rho \cdot \mathsf{x}_2\\
+ v_i' &\leftarrow \sigma_i + \rho \cdot \theta_i
+ \end{align*}
+ \item $P$: output folded witness: $\widetilde{w}' \leftarrow \widetilde{w}_1 + \rho \cdot \widetilde{w}_2$.
+\end{enumerate}
+
+
+\bibliography{paper-notes.bib}
+\bibliographystyle{unsrt}
+
+\end{document}
diff --git a/paper-notes.bib b/paper-notes.bib
index 0090122..91c271a 100644
--- a/paper-notes.bib
+++ b/paper-notes.bib
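Review bot: In notes_hypernova.tex, the verifier check in step 5 of the multifolding protocol writes the product term as `\prod_{j \in S_i} \sigma`, with no index, although `Q(x)` and `\theta_j` are the quantities built from `\widetilde{z}_2`; it should read `\prod_{j \in S_i} \theta_j`. In step 4, `\sigma_j` and `\theta_j` are defined with a free `x`, whereas the verifier's `e_1` and `e_2` are evaluated at `r_x'`, so both sums should use `\widetilde{M}_j(r_x', y)`. Someone implementing the verifier from these notes would otherwise check a different equation than the one the sum-check reduces to. Separately, condition ii of the Committed CCS definition has no right-hand side (presumably `= 0`), and the abstract still says the notes are about Spartan.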
@@ -109,3 +109,20 @@
 note = {\url{https://eprint.iacr.org/2019/550}},
 url = {https://eprint.iacr.org/2019/550}
 }
+
+@misc{cryptoeprint:2023/552,
+ author = {Srinath Setty and Justin Thaler and Riad Wahby},
+ title = {Customizable constraint systems for succinct arguments},
+ howpublished = {Cryptology ePrint Archive, Paper 2023/552},
+ year = {2023},
+ note = {\url{https://eprint.iacr.org/2023/552}},
+ url = {https://eprint.iacr.org/2023/552}
+}
+@misc{cryptoeprint:2023/573,
+ author = {Abhiram Kothapalli and Srinath Setty},
+ title = {HyperNova: Recursive arguments for customizable constraint systems},
+ howpublished = {Cryptology ePrint Archive, Paper 2023/573},
+ year = {2023},
+ note = {\url{https://eprint.iacr.org/2023/573}},
+ url = {https://eprint.iacr.org/2023/573}
+}