 
 


\documentclass{article}
\usepackage[utf8]{inputenc}
\usepackage{amsfonts}
\usepackage{amsthm}
\usepackage{amsmath}
\usepackage{mathtools}
\usepackage{enumerate}
\usepackage{hyperref}
\usepackage{xcolor}
% prevent warnings of underfull \hbox:
\usepackage{etoolbox}
\apptocmd{\sloppy}{\hbadness 4000\relax}{}{}
\theoremstyle{definition}
\newtheorem{definition}{Def}[section]
\newtheorem{theorem}[definition]{Thm}
% custom lemma environment to set custom numbers
\newtheorem{innerlemma}{Lemma}
\newenvironment{lemma}[1]
{\renewcommand\theinnerlemma{#1}\innerlemma}
{\endinnerlemma}
\title{Notes on Nova}
\author{arnaucube}
\date{February 2023}
\begin{document}
\maketitle
\begin{abstract}
Notes taken while reading the Nova~\cite{cryptoeprint:2021/370} paper.
Usually while reading papers I take handwritten notes; this document contains some of them re-written in \LaTeX{}.
The notes are not complete: they do not include all the steps nor all the proofs.
\end{abstract}
\tableofcontents
\section{Folding Scheme for Committed Relaxed R1CS}
\subsection{R1CS modification}
Want: merge two R1CS instances that share the same matrices $(A,~B,~C)$ into a single one. Each instance has $z_i = (W_i,~ x_i)$, where $W_i$ is the private witness and $x_i$ the public inputs/outputs (the folded witness must stay hidden from the verifier, see below).
\paragraph{traditional R1CS}
Naive attempt: merge the instances as $z=z_1 + r z_2$, for a random $r$ chosen by the verifier. But since the R1CS relation is quadratic (not linear) in $z$, satisfiability is not preserved by the linear combination,
e.g.
\begin{align*}
Az \circ Bz &= A(z_1 + r z_2) \circ B (z_1 + r z_2)\\
&= A z_1 \circ B z_1 + r(A z_1 \circ B z_2 + A z_2 \circ B z_1) + r^2 (A z_2 \circ B z_2)\\
&\neq Cz
\end{align*}
$\longrightarrow$ introduce an error vector $E \in \mathbb{F}^m$, which absorbs the cross-terms generated by folding.
$\longrightarrow$ introduce a scalar $u$, which absorbs the extra factor of $r$ in $C z_1 + r^2 C z_2$ and in $z=(W, x, 1+r\cdot 1)$ (after folding, the constant-$1$ entry of $z$ is no longer $1$).
\paragraph{Relaxed R1CS}
\begin{align*}
&u=u_1+r u_2\\
&E=E_1 + r (A z_1 \circ B z_2 + A z_2 \circ B z_1 - u_1 C z_2 - u_2 C z_1) + r^2 E_2\\
&Az \circ Bz = uCz + E,~~ with~ z=(W,~x,~u)
\end{align*}
A plain R1CS instance is the special case $E=0,~u=1$.
\begin{align*}
Az \circ Bz &= A z_1 \circ B z_1 + r(A z_1 \circ B z_2 + A z_2 \circ B z_1) + r^2 (A z_2 \circ B z_2)\\
&= (u_1 C z_1 + E_1) + r (A z_1 \circ B z_2 + A z_2 \circ B z_1) + r^2 (u_2 C z_2 + E_2)\\
&= u_1 C z_1 + r (u_1 C z_2 + u_2 C z_1) + r^2 u_2 C z_2 \\
&\quad + \underbrace{E_1 + r(A z_1 \circ B z_2 + A z_2 \circ B z_1 - u_1 C z_2 - u_2 C z_1) + r^2 E_2}_{E}\\
&= (u_1 + r u_2) \cdot C \cdot (z_1 + r z_2) + E\\
&= uCz + E
\end{align*}
where in the third line we add and subtract $r(u_1 C z_2 + u_2 C z_1)$ so that the cross-terms end up inside $E$ (matching the definition of $E$ above).
For R1CS matrices $(A,~B,~C)$, the folded witness $W$ is a satisfying witness for the folded instance $(E,~u,~x)$.
\vspace{20px}
Problem: as described, the scheme is trivial (the verifier would need the full $W$ and $E$ to compute the folded instance, i.e. as much work as checking both instances directly) and not zero-knowledge (the witnesses are revealed). Solution: send commitments to $W$ and $E$ instead, using a commitment scheme that is hiding, binding, succinct and additively homomorphic (the paper uses an additively homomorphic vector commitment); the homomorphism is what lets the verifier fold the commitments without seeing the committed values.
\paragraph{Committed Relaxed R1CS}
Instance for a Committed Relaxed R1CS
$(\overline{E}, u, \overline{W}, x)$, satisfied by a witness $(E, r_E, W, r_W)$ such that
\begin{align*}
&\overline{E} = Com(E, r_E)\\
&\overline{W} = Com(W, r_W)\\
&Az \circ Bz = uCz+E,~~ where~z=(W, x, u)
\end{align*}
where $r_E, r_W \in \mathbb{F}$ are the commitment randomness (needed for hiding).
\subsection{Folding protocol}
V and P take two \emph{committed relaxed R1CS} instances
\begin{align*}
\varphi_1&=(\overline{E}_1, u_1, \overline{W}_1, x_1)\\
\varphi_2&=(\overline{E}_2, u_2, \overline{W}_2, x_2)
\end{align*}
P additionally takes witnesses to both instances
\begin{align*}
(E_1, r_{E_1}, W_1, r_{W_1})\\
(E_2, r_{E_2}, W_2, r_{W_2})
\end{align*}
Let $z_1 = (W_1, x_1, u_1)$ and $z_2 = (W_2, x_2, u_2)$.
% \paragraph{Protocol}
\begin{enumerate}
\item P sends $\overline{T} = Com(T, r_T)$,\\
where $T=A z_1 \circ B z_2 + A z_2 \circ B z_1 - u_1 C z_2 - u_2 C z_1$ (the cross-term, the same expression that appears inside $E$ above)\\
and random $r_T \in \mathbb{F}$
\item V samples a random challenge $r \in \mathbb{F}$ (it must be chosen after $\overline{T}$ is fixed, see the Fiat--Shamir note below)
\item V, P output the folded instance $\varphi = (\overline{E}, u, \overline{W}, x)$
\begin{align*}
&\overline{E}=\overline{E}_1 + r \overline{T} + r^2 \overline{E}_2\\
&u = u_1 + r u_2\\
&\overline{W} = \overline{W}_1 + r \overline{W}_2\\
&x = x_1 + r x_2
\end{align*}
\item P outputs the folded witness $(E, r_E, W, r_W)$
\begin{align*}
&E = E_1 + r T + r^2 E_2\\
&r_E = r_{E_1} + r \cdot r_T + r^2 r_{E_2}\\
&W=W_1 + r W_2\\
&r_W = r_{W_1} + r \cdot r_{W_2}
\end{align*}
\end{enumerate}
P uses a zkSNARK to show that it knows a valid witness $(E, r_E, W, r_W)$ for the folded committed relaxed R1CS instance, without revealing it.
Then, via the Fiat--Shamir transform, we achieve non-interactivity: the challenge is derived as $r = H(\varphi_1, \varphi_2, \overline{T})$ (together with the public parameters), so that $r$ is bound to $\overline{T}$ and a malicious prover cannot choose $T$ after learning $r$.
\section{IVC proofs}
\textbf{WIP}
\bibliography{paper-notes.bib}
\bibliographystyle{unsrt}
\end{document}