\documentclass{article}
\usepackage[utf8]{inputenc}
\usepackage{amsfonts}
\usepackage{amsthm}
\usepackage{amsmath}
\usepackage{enumerate}
\usepackage{hyperref}
\hypersetup{
    colorlinks,
    citecolor=black,
    filecolor=black,
    linkcolor=black,
    urlcolor=blue
}
\usepackage{xcolor}

\usepackage{pgf-umlsd} % diagrams
% message between threads
% Example:
% \bloodymess[delay]{sender}{message content}{receiver}{DIR}{start note}{end note}
\newcommand{\bloodymess}[7][0]{
  \stepcounter{seqlevel}
  \path
  (#2)+(0,-\theseqlevel*\unitfactor-0.7*\unitfactor) node (mess from) {};
  \addtocounter{seqlevel}{#1}
  \path
  (#4)+(0,-\theseqlevel*\unitfactor-0.7*\unitfactor) node (mess to) {};
  \draw[->,>=angle 60] (mess from) -- (mess to) node[midway, above]
  {#3};

  \if R#5
    \node (#3 from) at (mess from) {\llap{#6~}};
    \node (#3 to) at (mess to) {\rlap{~#7}};
  \else\if L#5
         \node (#3 from) at (mess from) {\rlap{~#6}};
         \node (#3 to) at (mess to) {\llap{#7~}};
       \else
         \node (#3 from) at (mess from) {#6};
         \node (#3 to) at (mess to) {#7};
       \fi
  \fi
}

% prevent warnings of underfull \hbox:
\usepackage{etoolbox}
\apptocmd{\sloppy}{\hbadness 4000\relax}{}{}

\theoremstyle{definition}
\newtheorem{definition}{Def}[section]
\newtheorem{theorem}[definition]{Thm}


\title{Notes on Halo}
\author{arnaucube}
\date{July 2022}

\begin{document}

\maketitle

\begin{abstract}
	Notes taken while reading Halo paper \cite{cryptoeprint:2019/1021}. Usually while reading papers I take handwritten notes, this document contains some of them re-written to $LaTeX$.

	The notes are not complete, don't include all the steps neither all the proofs.
\end{abstract}

\tableofcontents

\section{modified IPA (from Halo paper)}
Notes taken while reading about the modified Inner Product Argument (IPA) from the Halo paper \cite{cryptoeprint:2019/1021}.

\paragraph{Objective:}
Prover wants to prove that the polynomial $p(X)$ from the commitment $P$ evaluates to $v$ at $x$, and that $deg(p(X)) \leq d-1$.

\subsection{Notation}
\begin{description}
    \item[Scalar mul] $[a]G$, where $a$ is a scalar and $G \in \mathbb{G}$
    \item[Inner product] $<\overrightarrow{a}, \overrightarrow{b}> = a_0 b_0 + a_1 b_1 + \ldots + a_{n-1} b_{n-1}$
    \item[Multiscalar mul] $<\overrightarrow{a}, \overrightarrow{G}> = [a_0] G_0 + [a_1] G_1 + \ldots + [a_{n-1}] G_{n-1}$
\end{description}


\subsection{Transparent setup}
$\overrightarrow{G} \in^r \mathbb{G}^d$, $H \in^r \mathbb{G}$

Prover wants to commit to $p(x)=a_0$
\subsection{Protocol}
Prover:
$$P=<\overrightarrow{a}, \overrightarrow{G}> + [r]H$$
$$v=<\overrightarrow{a}, \{1, x, x^2, \ldots, x^{d-1} \} >$$

where $\{1, x, x^2, \ldots, x^{d-1} \} = \overrightarrow{b}$.

We can see that computing $v$ is the equivalent to evaluating $p(X)$ at $x$ ($p(x)=v$).

We will prove:
\begin{enumerate}[i.]
    \item polynomial $p(X) = \sum a_i X^i$\\
	$p(x) = v$ (that $p(X)$ evaluates $x$ to $v$).
    \item $deg(p(X)) \leq d-1$
\end{enumerate}


Both parties know $P$, point $x$ and claimed evaluation $v$. For $U \in^r \mathbb{G}$.

Prover computes $P'$:

$$P' = P + [v] U = <\overrightarrow{a}, G> + [r]H + [v] U$$

Now, for $k$ rounds ($d=2^k$, from $j=k$ to $j=1$):
\begin{itemize}
    \item Prover sets random blinding factors: $l_j, r_j \in \mathbb{F}_p$
    \item Prover computes
	$$L_j = < \overrightarrow{a}_{lo}, \overrightarrow{G}_{hi}> + [l_j] H + [< \overrightarrow{a}_{lo}, \overrightarrow{b}_{hi}>] U$$
	$$R_j = < \overrightarrow{a}_{hi}, \overrightarrow{G}_{lo}> + [r_j] H + [< \overrightarrow{a}_{hi}, \overrightarrow{b}_{lo}>] U$$
    \item Verifier sends random challenge $u_j \in \mathbb{I}$
    \item Prover computes the halved vectors for next round:
	$$\overrightarrow{a} \leftarrow \overrightarrow{a}_{hi} \cdot u_j^{-1} + \overrightarrow{a}_{lo} \cdot u_j$$
	$$\overrightarrow{b} \leftarrow \overrightarrow{b}_{lo} \cdot u_j^{-1} + \overrightarrow{b}_{hi} \cdot u_j$$
	$$\overrightarrow{G} \leftarrow \overrightarrow{G}_{lo} \cdot u_j^{-1} + \overrightarrow{G}_{hi} \cdot u_j$$
\end{itemize}

After final round, $\overrightarrow{a}, \overrightarrow{b}, \overrightarrow{G}$ are each of length 1.

Verifier can compute
$$G = \overrightarrow{G}_0 = < \overrightarrow{s}, \overrightarrow{G} >$$
and $$b = \overrightarrow{b}_0 = < \overrightarrow{s}, \overrightarrow{b} >$$
where $\overrightarrow{s}$ is the binary counting structure:

\begin{align*}
    &s = (u_1^{-1} ~ u_2^{-1} \cdots ~u_k^{-1},\\
    &~~~~~~u_1 ~~~ u_2^{-1} ~\cdots ~u_k^{-1},\\
    &~~~~~~u_1^{-1} ~~ u_2 ~~\cdots ~u_k^{-1},\\
    &~~~~~~~~~~~~~~\vdots\\
    &~~~~~~u_1 ~~~~ u_2 ~~\cdots ~u_k)
\end{align*}


And verifier checks:
$$[a]G + [r'] H + [ab] U == P' + \sum_{j=1}^k ( [u_j^2] L_j + [u_j^{-2}] R_j)$$

where the synthetic blinding factor $r'$ is $r' = r + \sum_{j=1}^k (l_j u_j^2 + r_j u_j^{-2})$.

\vspace{1cm}

Unfold:

$$
\textcolor{brown}{[a]G} + \textcolor{cyan}{[r'] H} + \textcolor{magenta}{[ab] U}
==
\textcolor{blue}{P'} + \sum_{j=1}^k ( \textcolor{violet}{[u_j^2] L_j} + \textcolor{orange}{[u_j^{-2}] R_j})
$$

\begin{align*}
&Left~side = \textcolor{brown}{[a]G} + \textcolor{cyan}{[r'] H} + \textcolor{magenta}{[ab] U}\\
& = \textcolor{brown}{< \overrightarrow{a}, \overrightarrow{G} >}\\
&+ \textcolor{cyan}{[r + \sum_{j=1}^k (l_j \cdot u_j^2 + r_j u_j^{-2})] \cdot H}\\
&+ \textcolor{magenta}{< \overrightarrow{a}, \overrightarrow{b} > U}
\end{align*}


\begin{align*}
&Right~side = \textcolor{blue}{P'} + \sum_{j=1}^k ( \textcolor{violet}{[u_j^2] L_j} + \textcolor{orange}{[u_j^{-2}] R_j})\\
&= \textcolor{blue}{< \overrightarrow{a}, \overrightarrow{G}> + [r] H + [v] U}\\
&+ \sum_{j=1}^k (
\textcolor{violet}{[u_j^2] \cdot <\overrightarrow{a}_{lo}, \overrightarrow{G}_{hi}> + [l_j] H + [<\overrightarrow{a}_{lo}, \overrightarrow{b}_{hi}>] U}\\
&\textcolor{orange}{+ [u_j^{-2}] \cdot <\overrightarrow{a}_{hi}, \overrightarrow{G}_{lo}> + [r_j] H + [<\overrightarrow{a}_{hi}, \overrightarrow{b}_{lo}>] U}
)
\end{align*}


\vspace{1.5cm}
The following diagram ilustrates the main steps in the scheme:

\begin{center}
\begin{sequencediagram}
    \newinst[1]{p}{Prover}
    \newinst[3]{v}{Verifier}

    \bloodymess[1]{p}{P}{v}{R}{knows $p(X)\in \mathbb{F[X]}$, commits to $p(X)$, $P$}{rand $x \in \mathbb{F},~U\in \mathbb{G},~\overrightarrow{u} \in \mathbb{F}^d$}
    \bloodymess[1]{v}{$x, U, u$}{p}{R}{}{}
    \bloodymess[1]{p}{$proof, a, L_j, R_j, v$}{v}{R}{gen proof}{$verify(proof, P, a, x, L_j, R_j)$}

    % \begin{callself}{p}{knows $p(X) \in \mathbb{F}[X]$}{}
    % \end{callself}
    % \begin{callself}{p}{commit to $p(X),~P$}{}
    % \end{callself}
    % 
    % \mess[0]{p}{$P$}{v}
    % \begin{callself}{v}{rand $x \in \mathbb{F},~U\in \mathbb{G},~\overrightarrow{u} \in \mathbb{F}^d$}{}
    % \end{callself}
    % 
    % \mess[0]{v}{$x,U,u$}{p}

    % \node[anchor=west] (p2) at (mess to) {gen proof2}

    % \begin{callself}{p}{gen proof $\pi$}{}
    % \end{callself}
    % 
    % \mess[0]{p}{$a, L_j, R_j, v$}{v}
    % 
    % \begin{callself}{v}{$verify(P, a, x, v, L_j, R_k$)}{}
    % \end{callself}
\end{sequencediagram}
\end{center}

\section{Amortization Strategy}
TODO

\bibliography{paper-notes.bib}
\bibliographystyle{unsrt}

\end{document}