\documentclass{article} \usepackage[utf8]{inputenc} \usepackage{amsfonts} \usepackage{amsthm} \usepackage{amsmath} \usepackage{mathtools} \usepackage{enumerate} \usepackage{hyperref} \usepackage{xcolor} \usepackage{pgf-umlsd} % diagrams \usepackage{centernot} \usepackage{algorithm} \usepackage{algpseudocode} % prevent warnings of underfull \hbox: \usepackage{etoolbox} \apptocmd{\sloppy}{\hbadness 4000\relax}{}{} \theoremstyle{definition} \newtheorem{definition}{Def}[section] \newtheorem{theorem}[definition]{Thm} % custom lemma environment to set custom numbers \newtheorem{innerlemma}{Lemma} \newenvironment{lemma}[1] {\renewcommand\theinnerlemma{#1}\innerlemma} {\endinnerlemma} \title{Notes on HyperNova} \author{arnaucube} \date{May 2023} \begin{document} \maketitle \begin{abstract} Notes taken while reading about HyperNova \cite{cryptoeprint:2023/573} and CCS\cite{cryptoeprint:2023/552}. Usually while reading papers I take handwritten notes, this document contains some of them re-written to $LaTeX$. The notes are not complete, don't include all the steps neither all the proofs. \end{abstract} \tableofcontents \section{CCS} \subsection{R1CS to CCS overview} \begin{description} \item[R1CS instance] $S_{R1CS} = (m, n, N, l, A, B, C)$\\ where $m, n$ are such that $A \in \mathbb{F}^{m \times n}$, and $l$ such that the public inputs $x \in \mathbb{F}^l$. Also $z=(w, 1, x) \in \mathbb{F}^n$, thus $w \in \mathbb{F}^{n-l-1}$. \item[CCS instance] $S_{CCS} = (m, n, N, l, t, q, d, M, S, c)$\\ where we have the same parameters than in $S_{R1CS}$, but additionally:\\ $t=|M|$, $q = |c| = |S|$, $d$= max degree in each variable. \item[R1CS-to-CCS parameters] $n=n,~ m=m,~ N=N,~ l=l,~ t=3,~ q=2,~ d=2$, $M=\{A,B,C\}$, $S=\{\{0,~1\},~ \{2\}\}$, $c=\{1,-1\}$ \end{description} The CCS relation check: $$\sum_{i=0}^{q-1} c_i \cdot \bigcirc_{j \in S_i} M_j \cdot z ==0$$ where $z=(w, 1, x) \in \mathbb{F}^n$. In our R1CS-to-CCS parameters is equivalent to \begin{align*} &c_0 \cdot ( (M_0 z) \circ (M_1 z) ) + c_1 \cdot (M_2 z) ==0\\ \Longrightarrow &1 \cdot ( (A z) \circ (B z) ) + (-1) \cdot (C z) ==0\\ \Longrightarrow &( (A z) \circ (B z) ) - (C z) ==0 \end{align*} which is equivalent to the R1CS relation: $Az \circ Bz == Cz$ An example of the conversion from R1CS to CCS implemented in SageMath can be found at\\ \href{https://github.com/arnaucube/math/blob/master/r1cs-ccs.sage}{https://github.com/arnaucube/math/blob/master/r1cs-ccs.sage}. Similar relations between Plonkish and AIR arithmetizations to CCS are shown in the CCS paper \cite{cryptoeprint:2023/552}, but for now with the R1CS we have enough to see the CCS generalization idea and to use it for the HyperNova scheme. \subsection{Committed CCS} $R_{CCCS}$ instance: $(C, \mathsf{x})$, where $C$ is a commitment to a multilinear polynomial in $s'-1$ variables. Sat if: \begin{enumerate}[i.] \item $\text{Commit}(pp, \widetilde{w}) = C$ \item $\sum_{i=1}^q c_i \cdot \left( \prod_{j \in S_i} \left( \sum_{y \in \{0,1\}^{\log m}} \widetilde{M}_j(x, y) \cdot \widetilde{z}(y) \right) \right)$\\ where $\widetilde{z}(y) = \widetilde{(w, 1, \mathsf{x})}(x) ~\forall x \in \{0, 1\}^{s'}$ \end{enumerate} \subsection{Linearized Committed CCS} $R_{LCCCS}$ instance: $(C, u, \mathsf{x}, r, v_1, \ldots, v_t)$, where $C$ is a commitment to a multilinear polynomial in $s'-1$ variables, and $u \in \mathbb{F},~ \mathsf{x} \in \mathbb{F}^l,~ r \in \mathbb{F}^s,~ v_i \in \mathbb{F} ~\forall i \in [t]$. Sat if: \begin{enumerate}[i.] \item $\text{Commit}(pp, \widetilde{w}) = C$ \item $\forall i \in [t],~ v_i = \sum_{y \in \{0,1\}^{s'}} \widetilde{M}_i(r, y) \cdot \widetilde{z}(y)$\\ where $\widetilde{z}(y) = \widetilde{(w, u, \mathsf{x})}(x) ~\forall x \in \{0, 1\}^{s'}$ \end{enumerate} \section{Multifolding Scheme for CCS} Recall sum-check protocol notation: \underline{$C \leftarrow \langle P, V(r) \rangle (g, l, d, T)$} means $$T=\sum_{x_1 \in \{0,1\}} \sum_{x_2 \in \{0,1\}} \cdots \sum_{x_l \in \{0,1\}} g(x_1, x_2, \ldots, x_l)$$ where $g$ is a $l$-variate polynomial, with degree at most $d$ in each variable, and $T$ is the claimed value. \vspace{1cm} Let $s= \log m,~ s'= \log n$. \begin{enumerate} \item $V \rightarrow P: \gamma \in^R \mathbb{F},~ \beta \in^R \mathbb{F}^s$ \item $V: r_x' \in^R \mathbb{F}^s$ \item $V \leftrightarrow P$: sum-check protocol: $$c \leftarrow \langle P, V(r_x') \rangle (g, s, d+1, \underbrace{\sum_{j \in [t]} \gamma^j \cdot v_j}_\text{T})$$ (in fact, $T=(\sum_{j \in [t]} \gamma^j \cdot v_j) \underbrace{+ \gamma^{t+1} \cdot Q(x)}_{=0}) = \sum_{j \in [t]} \gamma^j \cdot v_j$)\\ where: \begin{align*} g(x) &:= \underbrace{\left( \sum_{j \in [t]} \gamma^j \cdot L_j(x) \right)}_\text{LCCCS check} + \underbrace{\gamma^{t+1} \cdot Q(x)}_\text{CCCS check}\\ \text{for LCCCS:}~ L_j(x) &:= \widetilde{eq}(r_x, x) \cdot \left( \underbrace{\sum_{y \in \{0,1\}^{s'}} \widetilde{M}_j(x, y) \cdot \widetilde{z}_1(y)}_\text{this is the check from LCCCS} \right)\\ \text{for CCCS:}~ Q(x) := &\widetilde{eq}(\beta, x) \cdot \left( \underbrace{ \sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \left( \sum_{y \in \{0, 1\}^{s'}} \widetilde{M}_j(x, y) \cdot \widetilde{z}_2(y) \right) }_\text{this is the check from CCCS} \right) \end{align*} Notice that $$v_j= \sum_{y\in \{0,1\}^{s'}} \widetilde{M}_j(r, y) \cdot \widetilde{z}(y) = \sum_{x\in \{0,1\}^s} L_j(x)$$ \item $P \rightarrow V$: $\left( (\sigma_1, \ldots, \sigma_t), (\theta_1, \ldots, \theta_t) \right)$, where $\forall j \in [t]$, $$\sigma_j = \sum_{y \in \{0,1\}^{s'}} \widetilde{M}_j(r_x', y) \cdot \widetilde{z}_1(y)$$ $$\theta_j = \sum_{y \in \{0, 1\}^{s'}} \widetilde{M}_j(r_x', y) \cdot \widetilde{z}_2(y)$$ where $\sigma_j,~\theta_j$ are the checks from LCCCS and CCCS respectively with $x=r_x'$. \item V: $e_1 \leftarrow \widetilde{eq}(r_x, r_x')$, $e_2 \leftarrow \widetilde{eq}(\beta, r_x')$\\ check: $$c = \left( \sum_{j \in [t]} \gamma^j e_1 \sigma_j + \gamma^{t+1} e_2 \left( \sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \sigma \right) \right)$$ which should be equivalent to the $g(x)$ computed by $V,P$ in the sum-check protocol. \item $V \rightarrow P: \rho \in^R \mathbb{F}$ \item $V, P$: output the folded LCCCS instance $(C', u', \mathsf{x}', r_x', v_1', \ldots, v_t')$, where $\forall i \in [t]$: \begin{align*} C' &\leftarrow C_1 + \rho \cdot C_2\\ u' &\leftarrow u + \rho \cdot 1\\ \mathsf{x}' &\leftarrow \mathsf{x}_1 + \rho \cdot \mathsf{x}_2\\ v_i' &\leftarrow \sigma_i + \rho \cdot \theta_i \end{align*} \item $P$: output folded witness: $\widetilde{w}' \leftarrow \widetilde{w}_1 + \rho \cdot \widetilde{w}_2$. \end{enumerate} \vspace{1cm} Now, to see the verifier check from step 5, observe that in LCCCS, since $\widetilde{w}$ satisfies, \begin{align*} v_j &= \sum_{y \in \{0,1\}^{s'}} \widetilde{M}_j(r_x, y) \cdot \widetilde{z}_1(y)\\ &= \sum_{x \in \{0,1\}^s} \underbrace{ \widetilde{eq}(r_x, x) \cdot \left( \sum_{y \in \{0,1\}^{s'}} \widetilde{M}_j(x, y) \cdot \widetilde{z}_1(y) \right) }_{L_j(x)}\\ &= \sum_{x \in \{0,1\}^s} L_j(x) \end{align*} Observe also that in CCCS, since $\widetilde{w}$ satisfies, $$ 0=\sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \left( \sum_{y \in \{0, 1\}^{s'}} \widetilde{M}_j(x, y) \cdot \widetilde{z}_2(y) \right) $$ for $\beta$, \begin{align*} 0&=\sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \left( \sum_{y \in \{0, 1\}^{s'}} \widetilde{M}_j(\beta, y) \cdot \widetilde{z}_2(y) \right)\\ &= \sum_{x \in \{0,1\}^s} \underbrace{\widetilde{eq}(\beta , x) \cdot \sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \left( \sum_{y \in \{0, 1\}^{s'}} \widetilde{M}_j(x, y) \cdot \widetilde{z}_2(y) \right) }_{Q(x)}\\ &= \sum_{x \in \{0,1\}^s} Q(x) \end{align*} Then we can see that \begin{align*} c &= g(r_x')\\ &= \left( \sum_{j \in [t]} \gamma^j \cdot L_j(r_x') \right) + \gamma^{t+1} \cdot Q(r_x')\\ &= \left( \sum_{j \in [t]} \gamma^j \cdot e_q \cdot \sigma_j \right) + \gamma^{t+1} \cdot e_2 \cdot \sum_{i \in [q]} c_i \prod_{j \in S_i} \theta_j \end{align*} where $e_1 = \widetilde{eq}(r_x, r_x')$ and $e_2=\widetilde{eq}(\beta, r_x')$. Which is the check that $V$ performs at step $5$. %%%%%% APPENDIX \appendix \section{Appendix: Some details} This appendix contains some notes on things that don't specifically appear in the paper, but that would be needed in a practical implementation of the scheme. \subsection{Matrix and Vector to Sparse Multilinear Extension} Let $M \in \mathbb{F}^{m \times n}$ be a matrix. We want to compute its MLE $$\widetilde{M}(x_1, \ldots, x_l) = \sum_{e \in \{0, 1 \}^l} M(e) \cdot \widetilde{eq}(x, e)$$ We can view the matrix $M \in \mathbb{F}^{m \times n}$ as a function with the following signature: $$M(\cdot): \{0,1\}^s \times \{0,1\}^{s'} \rightarrow \mathbb{F}$$ where $s = \lceil \log m \rceil,~ s' = \lceil \log n \rceil$. An entry in $M$ can be accessed with a $(s+s')$-bit identifier. eg.: $$ M = \begin{pmatrix} 1 & 2 & 3\\ 4 & 5 & 6\\ \end{pmatrix} \in \mathbb{F}^{3 \times 2} $$ $m = 3,~ n = 2,~~~ s = \lceil \log 3 \rceil = 2,~ s' = \lceil \log 2 \rceil = 1$ So, $M(x, y) = x$, where $x \in \{0,1\}^s,~ y \in \{0,1\}^{s'},~ x \in \mathbb{F}$ $$ M = \begin{pmatrix} M(00,0) & M(01,0) & M(10,0)\\ M(00,1) & M(01,1) & M(10,1)\\ \end{pmatrix} \in \mathbb{F}^{3 \times 2} $$ This logic can be defined as follows: \begin{algorithm}[H] \caption{Generating a Sparse Multilinear Polynomial from a matrix} \begin{algorithmic} \State set empty vector $v \in (\text{index:}~ \mathbb{Z}, x: \mathbb{F})^{s \times s'}$ \For {$i$ to $m$} \For {$j$ to $n$} \If {$M_{i,j} \neq 0$} \State $v.\text{append}( \{ \text{index}: i \cdot n + j,~ x: M_{i,j} \} )$ \EndIf \EndFor \EndFor \State return $v$ \Comment {$v$ represents the evaluations of the polynomial} \end{algorithmic} \end{algorithm} Once we have the polynomial, its MLE comes from $$\widetilde{M}(x_1, \ldots, x_{s+s'}) = \sum_{e \in \{0,1\}^{s+s'}} M(e) \cdot \widetilde{eq}(x, e)$$ $$M(X) \in \mathbb{F}[X_1, \ldots, X_s]$$ \paragraph{Multilinear extensions of vectors} Given a vector $u \in \mathbb{F}^m$, the polynomial $\widetilde{u}$ is the MLE of $u$, and is obtained by viewing $u$ as a function mapping ($s=\log m$) $$u(x): \{0,1\}^s \rightarrow \mathbb{F}$$ $\widetilde{u}(x, e)$ is the multilinear extension of the function $u(x)$ $$\widetilde{u}(x_1, \ldots, x_s) = \sum_{e \in \{0,1\}^s} u(e) \cdot \widetilde{eq}(x, e)$$ \bibliography{paper-notes.bib} \bibliographystyle{unsrt} \end{document}