You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
469 lines
20 KiB
469 lines
20 KiB
\documentclass{article}
|
|
\usepackage[utf8]{inputenc}
|
|
\usepackage{amsfonts}
|
|
\usepackage{amsthm}
|
|
\usepackage{amsmath}
|
|
\usepackage{mathtools}
|
|
\usepackage{enumerate}
|
|
\usepackage{hyperref}
|
|
\usepackage{xcolor}
|
|
\usepackage{centernot}
|
|
\usepackage{algorithm}
|
|
\usepackage{algpseudocode}
|
|
|
|
\usepackage{pgf-umlsd} % diagrams
|
|
|
|
% message between threads. From https://tex.stackexchange.com/a/174765
|
|
% Example:
|
|
% \bloodymess[delay]{sender}{message content}{receiver}{DIR}{start note}{end note}
|
|
\newcommand{\bloodymess}[7][0]{
|
|
\stepcounter{seqlevel}
|
|
\path
|
|
(#2)+(0,-\theseqlevel*\unitfactor-0.7*\unitfactor) node (mess from) {};
|
|
\addtocounter{seqlevel}{#1}
|
|
\path
|
|
(#4)+(0,-\theseqlevel*\unitfactor-0.7*\unitfactor) node (mess to) {};
|
|
\draw[->,>=angle 60] (mess from) -- (mess to) node[midway, above]
|
|
{#3};
|
|
|
|
\if R#5
|
|
\node (\detokenize{#3} from) at (mess from) {\llap{#6~}};
|
|
\node (\detokenize{#3} to) at (mess to) {\rlap{~#7}};
|
|
\else\if L#5
|
|
\node (\detokenize{#3} from) at (mess from) {\rlap{~#6}};
|
|
\node (\detokenize{#3} to) at (mess to) {\llap{#7~}};
|
|
\else
|
|
\node (\detokenize{#3} from) at (mess from) {#6};
|
|
\node (\detokenize{#3} to) at (mess to) {#7};
|
|
\fi
|
|
\fi
|
|
}
|
|
|
|
|
|
% prevent warnings of underfull \hbox:
|
|
\usepackage{etoolbox}
|
|
\apptocmd{\sloppy}{\hbadness 4000\relax}{}{}
|
|
|
|
\theoremstyle{definition}
|
|
\newtheorem{definition}{Def}[section]
|
|
\newtheorem{theorem}[definition]{Thm}
|
|
|
|
% custom lemma environment to set custom numbers
|
|
\newtheorem{innerlemma}{Lemma}
|
|
\newenvironment{lemma}[1]
|
|
{\renewcommand\theinnerlemma{#1}\innerlemma}
|
|
{\endinnerlemma}
|
|
|
|
|
|
\title{Notes on HyperNova}
|
|
\author{arnaucube}
|
|
\date{May 2023}
|
|
|
|
\begin{document}
|
|
|
|
\maketitle
|
|
|
|
\begin{abstract}
|
|
Notes taken while reading about HyperNova \cite{cryptoeprint:2023/573} and CCS\cite{cryptoeprint:2023/552}.
|
|
|
|
Usually while reading papers I take handwritten notes, this document contains some of them re-written to $LaTeX$.
|
|
|
|
The notes are not complete, don't include all the steps neither all the proofs.
|
|
|
|
Thanks to \href{https://twitter.com/asn_d6}{George Kadianakis} for clarifications, and the authors \href{https://twitter.com/srinathtv}{Srinath Setty} and \href{https://twitter.com/abhiramko}{Abhiram Kothapalli} for answers on chats and twitter.
|
|
\end{abstract}
|
|
|
|
\tableofcontents
|
|
|
|
|
|
\section{CCS}
|
|
\subsection{R1CS to CCS overview}
|
|
|
|
\begin{description}
|
|
\item[R1CS instance] $S_{R1CS} = (m, n, N, l, A, B, C)$\\
|
|
where $m, n$ are such that $A \in \mathbb{F}^{m \times n}$, and $l$ such that the public inputs $x \in \mathbb{F}^l$. Also $z=(w, 1, x) \in \mathbb{F}^n$, thus $w \in \mathbb{F}^{n-l-1}$.
|
|
\item[CCS instance] $S_{CCS} = (m, n, N, l, t, q, d, M, S, c)$\\
|
|
where we have the same parameters than in $S_{R1CS}$, but additionally:\\
|
|
$t=|M|$, $q = |c| = |S|$, $d$= max degree in each variable.
|
|
\item[R1CS-to-CCS parameters] $n=n,~ m=m,~ N=N,~ l=l,~ t=3,~ q=2,~ d=2$, $M=\{A,B,C\}$, $S=\{\{0,~1\},~ \{2\}\}$, $c=\{1,-1\}$
|
|
\end{description}
|
|
|
|
The CCS relation check:
|
|
$$\sum_{i=0}^{q-1} c_i \cdot \bigcirc_{j \in S_i} M_j \cdot z ==0$$
|
|
|
|
where $z=(w, 1, x) \in \mathbb{F}^n$.
|
|
|
|
In our R1CS-to-CCS parameters is equivalent to
|
|
|
|
\begin{align*}
|
|
&c_0 \cdot ( (M_0 z) \circ (M_1 z) ) + c_1 \cdot (M_2 z) ==0\\
|
|
\Longrightarrow &1 \cdot ( (A z) \circ (B z) ) + (-1) \cdot (C z) ==0\\
|
|
\Longrightarrow &( (A z) \circ (B z) ) - (C z) ==0
|
|
\end{align*}
|
|
|
|
which is equivalent to the R1CS relation: $Az \circ Bz == Cz$
|
|
|
|
An example of the conversion from R1CS to CCS implemented in SageMath can be found at\\
|
|
\href{https://github.com/arnaucube/math/blob/master/r1cs-ccs.sage}{https://github.com/arnaucube/math/blob/master/r1cs-ccs.sage}.
|
|
|
|
Similar relations between Plonkish and AIR arithmetizations to CCS are shown in the CCS paper \cite{cryptoeprint:2023/552}, but for now with the R1CS we have enough to see the CCS generalization idea and to use it for the HyperNova scheme.
|
|
|
|
\subsection{Committed CCS}
|
|
$R_{CCCS}$ instance: $(C, \mathsf{x})$, where $C$ is a commitment to a multilinear polynomial in $s'-1$ variables.
|
|
|
|
Sat if:
|
|
\begin{enumerate}[i.]
|
|
\item $\text{Commit}(pp, \widetilde{w}) = C$
|
|
\item $\sum_{i=1}^q c_i \cdot \left( \prod_{j \in S_i} \left( \sum_{y \in \{0,1\}^{\log m}} \widetilde{M}_j(x, y) \cdot \widetilde{z}(y) \right) \right)$\\
|
|
where $\widetilde{z}(y) = \widetilde{(w, 1, \mathsf{x})}(x) ~\forall x \in \{0, 1\}^{s'}$
|
|
\end{enumerate}
|
|
|
|
|
|
\subsection{Linearized Committed CCS}
|
|
$R_{LCCCS}$ instance: $(C, u, \mathsf{x}, r, v_1, \ldots, v_t)$, where $C$ is a commitment to a multilinear polynomial in $s'-1$ variables, and $u \in \mathbb{F},~ \mathsf{x} \in \mathbb{F}^l,~ r \in \mathbb{F}^s,~ v_i \in \mathbb{F} ~\forall i \in [t]$.
|
|
|
|
Sat if:
|
|
\begin{enumerate}[i.]
|
|
\item $\text{Commit}(pp, \widetilde{w}) = C$
|
|
\item $\forall i \in [t],~ v_i = \sum_{y \in \{0,1\}^{s'}} \widetilde{M}_i(r, y) \cdot \widetilde{z}(y)$\\
|
|
where $\widetilde{z}(y) = \widetilde{(w, u, \mathsf{x})}(x) ~\forall x \in \{0, 1\}^{s'}$
|
|
\end{enumerate}
|
|
|
|
|
|
\section{Multifolding Scheme for CCS}
|
|
Recall sum-check protocol notation: \underline{$C \leftarrow \langle P, V(r) \rangle (g, l, d, T)$} means
|
|
$$T=\sum_{x_1 \in \{0,1\}} \sum_{x_2 \in \{0,1\}} \cdots \sum_{x_l \in \{0,1\}} g(x_1, x_2, \ldots, x_l)$$
|
|
where $g$ is a $l$-variate polynomial, with degree at most $d$ in each variable, and $T$ is the claimed value.
|
|
|
|
\vspace{1cm}
|
|
|
|
Let $s= \log m,~ s'= \log n$.
|
|
|
|
\begin{enumerate}
|
|
\item $V \rightarrow P: \gamma \in^R \mathbb{F},~ \beta \in^R \mathbb{F}^s$
|
|
\item $V: r_x' \in^R \mathbb{F}^s$
|
|
\item $V \leftrightarrow P$: sum-check protocol:
|
|
$$c \leftarrow \langle P, V(r_x') \rangle (g, s, d+1, \underbrace{\sum_{j \in [t]} \gamma^j \cdot v_j}_\text{T})$$
|
|
(in fact, $T=(\sum_{j \in [t]} \gamma^j \cdot v_j) \underbrace{+ \gamma^{t+1} \cdot Q(x)}_{=0}) = \sum_{j \in [t]} \gamma^j \cdot v_j$)\\
|
|
where:
|
|
\begin{align*}
|
|
g(x) &:= \underbrace{\left( \sum_{j \in [t]} \gamma^j \cdot L_j(x) \right)}_\text{LCCCS check} + \underbrace{\gamma^{t+1} \cdot Q(x)}_\text{CCCS check}\\
|
|
\text{for LCCCS:}~ L_j(x) &:= \widetilde{eq}(r_x, x) \cdot \left(
|
|
\underbrace{\sum_{y \in \{0,1\}^{s'}} \widetilde{M}_j(x, y) \cdot \widetilde{z}_1(y)}_\text{this is the check from LCCCS}
|
|
\right)\\
|
|
\text{for CCCS:}~ Q(x) := &\widetilde{eq}(\beta, x) \cdot \left(
|
|
\underbrace{ \sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \left( \sum_{y \in \{0, 1\}^{s'}} \widetilde{M}_j(x, y) \cdot \widetilde{z}_2(y) \right) }_\text{this is the check from CCCS}
|
|
\right)
|
|
\end{align*}
|
|
Notice that
|
|
$$v_j= \sum_{y\in \{0,1\}^{s'}} \widetilde{M}_j(r, y) \cdot \widetilde{z}(y) = \sum_{x\in \{0,1\}^s} L_j(x)$$
|
|
\item $P \rightarrow V$: $\left( (\sigma_1, \ldots, \sigma_t), (\theta_1, \ldots, \theta_t) \right)$, where $\forall j \in [t]$,
|
|
$$\sigma_j = \sum_{y \in \{0,1\}^{s'}} \widetilde{M}_j(r_x', y) \cdot \widetilde{z}_1(y)$$
|
|
$$\theta_j = \sum_{y \in \{0, 1\}^{s'}} \widetilde{M}_j(r_x', y) \cdot \widetilde{z}_2(y)$$
|
|
where $\sigma_j,~\theta_j$ are the checks from LCCCS and CCCS respectively with $x=r_x'$.
|
|
\item V: $e_1 \leftarrow \widetilde{eq}(r_x, r_x')$, $e_2 \leftarrow \widetilde{eq}(\beta, r_x')$\\
|
|
check:
|
|
$$c = \left(\sum_{j \in [t]} \gamma^j \cdot e_1 \cdot \sigma_j \right) + \gamma^{t+1} \cdot e_2 \cdot \left( \sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \theta_j \right)$$
|
|
which should be equivalent to the $g(x)$ computed by $V,P$ in the sum-check protocol.
|
|
\item $V \rightarrow P: \rho \in^R \mathbb{F}$
|
|
\item $V, P$: output the folded LCCCS instance $(C', u', \mathsf{x}', r_x', v_1', \ldots, v_t')$, where $\forall i \in [t]$:
|
|
\begin{align*}
|
|
C' &\leftarrow C_1 + \rho \cdot C_2\\
|
|
u' &\leftarrow u + \rho \cdot 1\\
|
|
\mathsf{x}' &\leftarrow \mathsf{x}_1 + \rho \cdot \mathsf{x}_2\\
|
|
v_i' &\leftarrow \sigma_i + \rho \cdot \theta_i
|
|
\end{align*}
|
|
\item $P$: output folded witness and the folded $r_w'$ (random value used for the witness commitment $C$):
|
|
\begin{align*}
|
|
\widetilde{w}' &\leftarrow \widetilde{w}_1 + \rho \cdot \widetilde{w}_2\\
|
|
r_w' &\leftarrow r_{w_1} + \rho \cdot r_{w_2}
|
|
\end{align*}
|
|
\end{enumerate}
|
|
|
|
|
|
\vspace{1cm}
|
|
Multifolding flow:
|
|
\begin{center}
|
|
\begin{sequencediagram}
|
|
\newinst[1]{p}{Prover}
|
|
\newinst[3]{v}{Verifier}
|
|
|
|
\bloodymess[1]{v}{$\gamma,~\beta,~r_x'$}{p}{L}{
|
|
\shortstack{
|
|
$\gamma \in \mathbb{F},~ \beta \in \mathbb{F}^s$\\
|
|
$r_x' \in \mathbb{F}^s$
|
|
}
|
|
}{}
|
|
\bloodymess[1]{p}{$c,~ \pi_{SC}$}{v}{R}{sum-check prove}{sum-check verify}
|
|
\bloodymess[1]{p}{$\{\sigma_j\},~\{\theta_j\}$}{v}{R}{compute $\{\sigma_j\}, \{\theta_j\}~ \forall j \in [t]$}{verify $c$ with $\{\sigma_j\}, \{\theta_j\}$ relation}
|
|
\bloodymess[1]{v}{$\rho$}{p}{L}{$\rho \in^R \mathbb{F}$}{}
|
|
\callself[0]{p}{fold LCCCS instance}{p}
|
|
\prelevel
|
|
\callself[0]{v}{fold LCCCS instance}{v}
|
|
\callself[0]{p}{fold $\widetilde{w}$}{p}
|
|
\end{sequencediagram}
|
|
\end{center}
|
|
|
|
\vspace{1cm}
|
|
|
|
Now, to see the verifier check from step 5, observe that in LCCCS, since $\widetilde{w}$ satisfies,
|
|
\begin{align*}
|
|
v_j &= \sum_{y \in \{0,1\}^{s'}} \widetilde{M}_j(r_x, y) \cdot \widetilde{z}_1(y)\\
|
|
&= \sum_{x \in \{0,1\}^s}
|
|
\underbrace{
|
|
\widetilde{eq}(r_x, x) \cdot \left( \sum_{y \in \{0,1\}^{s'}} \widetilde{M}_j(x, y) \cdot \widetilde{z}_1(y) \right)
|
|
}_{L_j(x)}\\
|
|
&= \sum_{x \in \{0,1\}^s} L_j(x)
|
|
\end{align*}
|
|
|
|
Observe also that in CCCS, since $\widetilde{w}$ satisfies,
|
|
$$
|
|
0=\underbrace{\sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \left( \sum_{y \in \{0, 1\}^{s'}} \widetilde{M}_j(x, y) \cdot \widetilde{z}_2(y) \right)}_{q(x)}
|
|
$$
|
|
|
|
we have that
|
|
$$
|
|
G(X) = \sum_{x \in \{0,1\}^s} eq(X, x) \cdot q(x)
|
|
$$
|
|
is multilinear, and can be seen as a Lagrange polynomial where coefficients are evaluations of $q(x)$ on the hypercube.
|
|
|
|
For an honest prover, all these coefficients are zero, thus $G(X)$ must necessarily be the zero polynomial. Thus $G(\beta)=0$ for $\beta \in^R \mathbb{F}^s$.
|
|
\begin{align*}
|
|
% 0&=\sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \left( \sum_{y \in \{0, 1\}^{s'}} \widetilde{M}_j(\beta, y) \cdot \widetilde{z}_2(y) \right)\\
|
|
0&=G(\beta) = \sum_{x \in \{0,1\}^s} eq(\beta, x) \cdot q(x)\\
|
|
&= \sum_{x \in \{0,1\}^s}
|
|
\underbrace{\widetilde{eq}(\beta , x) \cdot
|
|
\overbrace{
|
|
\sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \left( \sum_{y \in \{0, 1\}^{s'}} \widetilde{M}_j(x, y) \cdot \widetilde{z}_2(y) \right)
|
|
}^{q(x)}
|
|
}_{Q(x)}\\
|
|
&= \sum_{x \in \{0,1\}^s} Q(x)
|
|
\end{align*}
|
|
|
|
\framebox{\begin{minipage}{4.3 in}
|
|
\begin{footnotesize}
|
|
|
|
\textbf{Note}: notice that this past equation is related to Spartan paper \cite{cryptoeprint:2019/550}, lemmas 4.2 and 4.3, where instead of
|
|
|
|
$$q(x) = \sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \left( \sum_{y \in \{0, 1\}^{s'}} \widetilde{M}_j(x, y) \cdot \widetilde{z}_2(y) \right)$$
|
|
|
|
for our R1CS example, we can restrict it to just $M_0,M_1,M_2$, which would be
|
|
|
|
$$=\left( \sum_{y \in \{0,1\}^s} \widetilde{M_0}(x, y) \cdot \widetilde{z}(y) \right) \cdot \left( \sum_{y \in \{0,1\}^s} \widetilde{M_1}(x, y) \cdot \widetilde{z}(y) \right) - \sum_{y \in \{0,1\}^s} \widetilde{M_2}(x, y) \cdot \widetilde{z}(y)$$
|
|
|
|
and we can see that $q(x)$ is the same equation $\widetilde{F}_{io}(x)$ that we had in Spartan:
|
|
|
|
$$
|
|
\widetilde{F}_{io}(x)=\left( \sum_{y \in \{0,1\}^s} \widetilde{A}(x, y) \cdot \widetilde{z}(y) \right) \cdot \left( \sum_{y \in \{0,1\}^s} \widetilde{B}(x, y) \cdot \widetilde{z}(y) \right) - \sum_{y \in \{0,1\}^s} \widetilde{C}(x, y) \cdot \widetilde{z}(y)
|
|
$$
|
|
|
|
where
|
|
$$Q_{io}(t) = \sum_{x \in \{0,1\}^s} \widetilde{F}_{io}(x) \cdot \widetilde{eq}(t,x)=0$$
|
|
and V checks $Q_{io}(\tau)=0$ for $\tau \in^R \mathbb{F}^s$, which in HyperNova is $G(\beta)=0$ for $\beta \in^R \mathbb{F}^s$.
|
|
|
|
$Q_{io}(\cdot)$ is a zero-polynomial ($G(\cdot)$ in HyperNova), it evaluates to zero for all points in its domain iff $\widetilde{F}_{io}(\cdot)$ evaluates to zero at all points in the $s$-dimensional boolean hypercube.
|
|
\begin{align*}
|
|
\text{Spartan} &\longleftrightarrow \text{HyperNova}\\
|
|
\tau &\longleftrightarrow \beta\\
|
|
\widetilde{F}_{io}(x) &\longleftrightarrow q(x)\\
|
|
Q_{io}(\tau) &\longleftrightarrow G(\beta)
|
|
\end{align*}
|
|
|
|
So, in HyperNova
|
|
$$0 = \sum_{x \in \{0,1\}^s} Q(x) = \sum_{x \in \{0,1\}^s} \widetilde{eq}(\beta,x) \cdot q(x)$$
|
|
|
|
\end{footnotesize}
|
|
\end{minipage}}
|
|
|
|
\vspace{1cm}
|
|
|
|
Comming back to HyperNova equations, we can now see that
|
|
|
|
\begin{align*}
|
|
c &= g(r_x')\\
|
|
&= \left( \sum_{j \in [t]} \gamma^j \cdot L_j(r_x') \right) + \gamma^{t+1} \cdot Q(r_x')\\
|
|
&= \left( \sum_{j \in [t]} \gamma^j \cdot \overbrace{e_1 \cdot \sigma_j}^{L_j(r_x')} \right) + \gamma^{t+1} \cdot \overbrace{e_2 \cdot \sum_{i \in [q]} c_i \prod_{j \in S_i} \theta_j}^{Q(x)}
|
|
\end{align*}
|
|
|
|
where $e_1 = \widetilde{eq}(r_x, r_x')$ and $e_2=\widetilde{eq}(\beta, r_x')$.
|
|
|
|
Which is the check that $V$ performs at step $5$.
|
|
|
|
\subsection{Multifolding for multiple instances}
|
|
The multifolding of multiple LCCCS \& CCCS instances is not shown in the HyperNova paper, but Srinath Setty gave an overview in the PSE HyperNova presentation. This section unfolds it.
|
|
|
|
We're going to do this example with parameters \textcolor{orange}{LCCCS: $\mu = 2$}, \textcolor{cyan}{CCCS: $\nu = 2$}, which means that we have 2 LCCCS instances and 2 CCCS instances.
|
|
|
|
Assume we have 4 $z$ vectors, $z_1,~ \textcolor{orange}{z_2}$ for the two LCCCS instances, and $z_3,~ \textcolor{cyan}{z_4}$ for the two CCCS instances, where $z_1,~z_3$ are the vectors that we already had in the example with $\mu=1,\nu=1$, and $z_2,~z_4$ are the extra ones that we're adding now.
|
|
|
|
In \emph{step 3} of the multifolding with more than one LCCCS and more than one CCCS instances, we have:
|
|
|
|
\begin{align*}
|
|
g(x) &:= \left( \sum_{j \in [t]} \gamma^j \cdot L_{1,j}(x) + \textcolor{orange}{\gamma^{t+j} \cdot L_{2,j}(x)} \right)
|
|
+ \gamma^{2t+1} \cdot Q_1(x) + \textcolor{cyan}{\gamma^{2t+2} \cdot Q_2(x)} \\
|
|
&L_{1,j}(x) := \widetilde{eq}(r_{1,x}, x) \cdot \left(
|
|
\sum_{y \in \{0,1\}^{s'}} \widetilde{M}_j(x, y) \cdot \widetilde{z}_1(y)
|
|
\right)\\
|
|
&\textcolor{orange}{L_{2,j}(x)} := \widetilde{eq}(\textcolor{orange}{r_{2,x}}, x) \cdot \left(
|
|
\sum_{y \in \{0,1\}^{s'}} \widetilde{M}_j(x, y) \cdot \textcolor{orange}{\widetilde{z}_2(y)}
|
|
\right)\\
|
|
&Q_1(x) := \widetilde{eq}(\beta, x) \cdot \left(
|
|
\sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \left( \sum_{y \in \{0, 1\}^{s'}} \widetilde{M}_j(x, y) \cdot \widetilde{z}_3(y) \right)\right)\\
|
|
&\textcolor{cyan}{Q_2(x)} := \widetilde{eq}(\textcolor{cyan}{\beta'}, x) \cdot \left(
|
|
\sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \left( \sum_{y \in \{0, 1\}^{s'}} \widetilde{M}_j(x, y) \cdot \textcolor{cyan}{\widetilde{z}_4(y)} \right)\right)
|
|
\end{align*}
|
|
|
|
\framebox{\begin{minipage}{4.3 in}
|
|
A generic definition of $g(x)$ for $\mu>1~\nu>1$, would be
|
|
|
|
$$
|
|
g(x) := \left( \sum_{i \in [\mu]} \left( \sum_{j \in [t]} \gamma^{i \cdot t+j} \cdot L_{i,j}(x) \right) \right)
|
|
+ \left( \sum_{i \in [\nu]} \gamma^{\mu \cdot t + i} \cdot Q_i(x) \right)
|
|
$$
|
|
\end{minipage}}
|
|
|
|
Recall, the original $g(x)$ definition was
|
|
$$\textcolor{gray}{g(x) := \left( \sum_{j \in [t]} \gamma^j \cdot L_j(x) \right) + \gamma^{t+1} \cdot Q(x)}$$
|
|
|
|
|
|
|
|
\vspace{0.5cm}
|
|
In \emph{step 4}, $P \rightarrow V$:
|
|
$(\{\sigma_{1,j}\}, \textcolor{orange}{\{\sigma_{2,j}\}}, \{\theta_{1,j}\}, \textcolor{cyan}{\{\theta_{2,j}\}}),~ \text{where} ~\forall j \in [t]$,
|
|
|
|
$$\sigma_{1,j} = \sum_{y \in \{0,1\}^{s'}} \widetilde{M}_j(r_x', y) \cdot \widetilde{z}_1(y)$$
|
|
$$\textcolor{orange}{\sigma_{2,j}} = \sum_{y \in \{0,1\}^{s'}} \widetilde{M}_j(r_x', y) \cdot \textcolor{orange}{\widetilde{z}_2(y)}$$
|
|
$$\theta_{1,j} = \sum_{y \in \{0, 1\}^{s'}} \widetilde{M}_j(r_x', y) \cdot \widetilde{z}_3(y)$$
|
|
$$\textcolor{cyan}{\theta_{2,j}} = \sum_{y \in \{0, 1\}^{s'}} \widetilde{M}_j(r_x', y) \cdot \textcolor{cyan}{\widetilde{z}_4(y)}$$
|
|
|
|
\framebox{\begin{minipage}{4.3 in}
|
|
so in a generic way,\\
|
|
$P \rightarrow V$:
|
|
$(\{\sigma_{i,j}\}, \{\theta_{k,j}\}),~ \text{where} ~\forall~ j \in [t],~ \forall~ i \in [\mu],~ \forall~ k \in [\nu]$
|
|
where
|
|
$$\sigma_{i,j} = \sum_{y \in \{0,1\}^{s'}} \widetilde{M}_j(r_x', y) \cdot \widetilde{z}_i(y)$$
|
|
$$\theta_{k,j} = \sum_{y \in \{0, 1\}^{s'}} \widetilde{M}_j(r_x', y) \cdot \widetilde{z}_{\mu+k}(y)$$
|
|
\end{minipage}}
|
|
|
|
\vspace{1cm}
|
|
|
|
And in \emph{step 5}, $V$ checks
|
|
|
|
\begin{align*}
|
|
c &= \left(\sum_{j \in [t]} \gamma^j \cdot e_1 \cdot \sigma_{1,j}
|
|
~\textcolor{orange}{+ \gamma^{t+j} \cdot e_2 \cdot \sigma_{2,j}}\right)\\
|
|
&+ \gamma^{2t+1} \cdot e_3 \cdot \left( \sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \theta_j \right)
|
|
+ \textcolor{cyan}{\gamma^{2t+2} \cdot e_4 \cdot \left( \sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \theta_j \right)}
|
|
\end{align*}
|
|
|
|
where
|
|
$e_1 \leftarrow \widetilde{eq}(r_{1,x}, r_x'),~ e_2 \leftarrow \widetilde{eq}(r_{2,x}, r_x')$, $e_3, e_4 \leftarrow \widetilde{eq}(\beta, r_x')$.
|
|
|
|
\vspace{0.5cm}
|
|
|
|
\framebox{\begin{minipage}{4.3 in}
|
|
A generic definition of the check would be
|
|
$$
|
|
c = \sum_{i \in [\mu]} \left(\sum_{j \in [t]} \gamma^{i \cdot t + j} \cdot e_i \cdot \sigma_{i,j} \right) \\
|
|
+ \sum_{k \in [\nu]} \gamma^{\mu \cdot t+k} \cdot e_k \cdot \left( \sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \theta_{k,j} \right)
|
|
$$
|
|
\end{minipage}}
|
|
|
|
where the original check was\\
|
|
$\textcolor{gray}{c = \left(\sum_{j \in [t]} \gamma^j \cdot e_1 \cdot \sigma_j \right) + \gamma^{t+1} \cdot e_2 \cdot \left( \sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \theta_j \right)}$
|
|
|
|
% TODO
|
|
% Pending questions:
|
|
% - \beta & \beta' can be the same? or related somehow like \beta'=\beta^2 ?
|
|
|
|
\vspace{0.5cm}
|
|
|
|
And for the \emph{step 7},
|
|
\begin{align*}
|
|
C' &\leftarrow C_1 + \rho \cdot C_2 + \rho^2 C_3 + \rho^3 C_4 + \ldots = \sum_{i \in [\mu + \nu]} \rho^i \cdot C_i \\
|
|
u' &\leftarrow \sum_{i \in [\mu]} \rho^i \cdot u_i + \sum_{i \in [\nu]} \rho^{\mu + i-1} \cdot 1\\
|
|
\mathsf{x}' &\leftarrow \sum_{i \in [\mu+\nu]} \rho^i \cdot \mathsf{x}_i\\
|
|
v_i' &\leftarrow \sum_{i \in [\mu]} \rho^i \cdot \sigma_i + \sum_{i \in [\nu]} \rho^{\mu + i-1} \cdot \theta_i\\
|
|
\end{align*}
|
|
|
|
and \emph{step 8},
|
|
\begin{align*}
|
|
\widetilde{w}' &\leftarrow \sum_{i \in [\mu+\nu]} \rho^i\cdot \widetilde{w}_i\\
|
|
r_w' &\leftarrow \sum_{i \in [\mu+\nu]} \rho^i \cdot r_{w_i}\\
|
|
\end{align*}
|
|
|
|
|
|
Note that over all the multifolding for $\mu >1$ and $\nu>1$, we can easily parallelize most of the computation.
|
|
|
|
|
|
\vspace{2cm}
|
|
|
|
%%%%%% APPENDIX
|
|
\appendix
|
|
\section{Appendix: Some details}
|
|
This appendix contains some notes on things that don't specifically appear in the paper, but that would be needed in a practical implementation of the scheme.
|
|
|
|
\subsection{Matrix and Vector to Sparse Multilinear Extension}
|
|
|
|
Let $M \in \mathbb{F}^{m \times n}$ be a matrix. We want to compute its MLE
|
|
$$\widetilde{M}(x_1, \ldots, x_l) = \sum_{e \in \{0, 1 \}^l} M(e) \cdot \widetilde{eq}(x, e)$$
|
|
|
|
We can view the matrix $M \in \mathbb{F}^{m \times n}$ as a function with the following signature:
|
|
$$M(\cdot): \{0,1\}^s \times \{0,1\}^{s'} \rightarrow \mathbb{F}$$
|
|
where $s = \lceil \log m \rceil,~ s' = \lceil \log n \rceil$.
|
|
|
|
An entry in $M$ can be accessed with a $(s+s')$-bit identifier.
|
|
|
|
eg.:
|
|
$$
|
|
M = \begin{pmatrix}
|
|
1 & 2 & 3\\
|
|
4 & 5 & 6\\
|
|
\end{pmatrix}
|
|
\in \mathbb{F}^{3 \times 2}
|
|
$$
|
|
|
|
$m = 3,~ n = 2,~~~ s = \lceil \log 3 \rceil = 2,~ s' = \lceil \log 2 \rceil = 1$
|
|
|
|
So, $M(x, y) = x$, where $x \in \{0,1\}^s,~ y \in \{0,1\}^{s'},~ x \in \mathbb{F}$
|
|
|
|
$$
|
|
M = \begin{pmatrix}
|
|
M(00,0) & M(01,0) & M(10,0)\\
|
|
M(00,1) & M(01,1) & M(10,1)\\
|
|
\end{pmatrix}
|
|
\in \mathbb{F}^{3 \times 2}
|
|
$$
|
|
|
|
This logic can be defined as follows:
|
|
|
|
\begin{algorithm}[H]
|
|
\caption{Generating a Sparse Multilinear Polynomial from a matrix}
|
|
\begin{algorithmic}
|
|
\State set empty vector $v \in (\text{index:}~ \mathbb{Z}, x: \mathbb{F}^{s \times s'})$
|
|
\For {$i$ to $m$}
|
|
\For {$j$ to $n$}
|
|
\If {$M_{i,j} \neq 0$}
|
|
\State $v.\text{append}( \{ \text{index}: i \cdot n + j,~ x: M_{i,j} \} )$
|
|
\EndIf
|
|
\EndFor
|
|
\EndFor
|
|
\State return $v$ \Comment {$v$ represents the evaluations of the polynomial}
|
|
\end{algorithmic}
|
|
\end{algorithm}
|
|
|
|
Once we have the polynomial, its MLE comes from
|
|
$$\widetilde{M}(x_1, \ldots, x_{s+s'}) = \sum_{e \in \{0,1\}^{s+s'}} M(e) \cdot \widetilde{eq}(x, e)$$
|
|
|
|
$$M(X) \in \mathbb{F}[X_1, \ldots, X_s]$$
|
|
|
|
\paragraph{Multilinear extensions of vectors}
|
|
Given a vector $u \in \mathbb{F}^m$, the polynomial $\widetilde{u}$ is the MLE of $u$, and is obtained by viewing $u$ as a function mapping ($s=\log m$)
|
|
$$u(x): \{0,1\}^s \rightarrow \mathbb{F}$$
|
|
$\widetilde{u}(x, e)$ is the multilinear extension of the function $u(x)$
|
|
$$\widetilde{u}(x_1, \ldots, x_s) = \sum_{e \in \{0,1\}^s} u(e) \cdot \widetilde{eq}(x, e)$$
|
|
|
|
\bibliography{paper-notes.bib}
|
|
\bibliographystyle{unsrt}
|
|
|
|
\end{document}
|