From 8add2bbab3606d15c48403fa6ba3a49339f4cece Mon Sep 17 00:00:00 2001 From: Harry Liu <2411mail@gmail.com> Date: Mon, 23 Dec 2024 19:06:13 +0800 Subject: [PATCH 1/2] Update dev_notes.md --- docs/src/dev_notes.md | 75 ++++++++++++++++++++++--------------------- 1 file changed, 38 insertions(+), 37 deletions(-) diff --git a/docs/src/dev_notes.md b/docs/src/dev_notes.md index 6884541..24aa1e9 100644 --- a/docs/src/dev_notes.md +++ b/docs/src/dev_notes.md @@ -1,13 +1,14 @@ ## 0. setup - relation R + - In DPCS(dot product constraint system), there are k constraints, each constraint has a, phi and b - constraints - - $f^{(k)}(\vec{s_1}, ..., \vec{s_{r}})$ $=\sum_{i,j=1}^{r'} a_{i,j}^{(k)}<\vec{s}_i, \vec{s}_j> + \sum_{i=1}^{r} <\varphi_{i}^{(k)}, \vec{s}_i> - b^{(k)} = 0$ + - $f^{(k)}(\vec{s_1}, ..., \vec{s_{r}})$ $=\sum_{i,j=1}^{r} a_{i,j}^{(k)}<\vec{s}_i, \vec{s}_j> + \sum_{i=1}^{r} <\varphi_{i}^{(k)}, \vec{s}_i> - b^{(k)} = 0$ - $ct(f'^{(l)}(\vec{s_1}, ..., \vec{s_{l}}))$ $=ct(\sum_{i,j=1}^{L} a_{i,j}^{(k)}<\vec{s}_i, \vec{s}_j> + \sum_{i=1}^{L} <\varphi_{i}^{(l)}, \vec{s}_i> - b^{(l)}) \mod q'$ - norm check - $\vec{s}$ is witness - $\sum_{i=1}^r||\vec{s_i}||_2^2 \le \beta^2$ - - data structure - - $\vec{s_i}$, $\vec{s_j}$ $\in R_q^{n}$ + - data structure (page 10) + - $\vec{s_i}$, $\vec{s_j}$ $\in R_q^{n}$ - $\vec{\varphi}_i^{(k)}$ $\in R_q^{n}$ - $a_{ij}^{(k)}$ $\in R_q$ - $b^{(k)}$ $\in R_q$ @@ -45,7 +46,7 @@ - $1 \le i \le j \le r$ - $0 \le k \le t_2 - 1$ - $t_2$ see below decomposition section - - $\kappa_2$ ?? + - $\kappa_2$?? - $D_{ijk} \in R_q^{\kappa_2 \times 1}$ - $1 \le i \le j \le r$ - $0 \le k \le t_1 - 1$ 
@@ -58,10 +59,10 @@ - $\vec{t_i} = A\vec{s_i} \in R_q^{\kappa}$, this is Ajtai commitment - decompose and combine - problems - - problem 1: + - problem 1: - costly to send $t_i$ directly to verifier - solution: combine all inner commitments $\vec{t_i}$ into a shorter outer commitment - - problem 2: + - problem 2: - ring elements $\vec{t}_{i, j}, g_{i, j} \in R_q$ have arbitrary length of coefficients, not good for commitment - solution: decompose and concatenate - each coefficient of ring element need to be decomposed to same length with a proper basis, then concatenate them together 
@@ -78,13 +79,13 @@ - in total there are $(r^2+r)/2$ $R_q$ in $\vec{g}$ , means $\vec{g} \in R_q^{(r^2+r)/2}$ - choose length $t_2$, basis $b_2$ - decompose $\vec{g}_{k}$, which $k \in [(r^2+r)/2]$, output decomposed $\vec{g}_{k} = \vec{g}_{k}^{(0)} + ... + \vec{g}_{g}^{(t_2 - 1)}b_2^{t_2 - 1} \in R_q^{t_2}$ - - concatenate all decomposed $\vec{g}_{k}$, get decomposed $\vec{g} \in R_q^{t_2 (r^2+r)/2}$ + - concatenate all decomposed $\vec{g}_{k}$, get decomposed $\vec{g} \in R_q^{t_2 (r^2+r)/2}$ - decomposition params(page 16, 19) - $\tau$: variance for the sum of the coefficients of a challenge polynomial - - $\mathfrak{s} = \beta / \sqrt{r n d}$ : standard deviation for the $Z_q$ coefficients of the vectors $\vec{s}_i$ + - $\mathfrak{s} = \beta / \sqrt{r n d}$ : standard deviation for the $Z_q$ coefficients of the vectors $\vec{s}_i$ - $b \approx b_1 \approx b_2 = \sqrt{\sqrt{12 r \tau \mathfrak{s}}}$ , b is used in recurse section - - $t_1 = \lfloor \frac{\log q}{\log b} \rceil$ - - $t_2 = \lfloor \frac{\log{(\sqrt{24 n d \mathfrak{s^2}})}}{\log b} \rceil$ + - $t_1 = \lfloor \frac{\log q}{\log b} \rceil$ + - $t_2 = \lfloor \frac{\log{(\sqrt{24 n d \mathfrak{s^2}})}}{\log b} \rceil$ - combine - combine all inner commitments $\vec{t_i}$ with random matrix B to get a shooter outer commitment $\vec{u_1} = B\vec{t} \in R_q^{\kappa_1}$ - also put $g_{ij} \in R_q$ combination here, because $g_{ij}$ is dependent of all the challenges, so compute it in the very beginning of the protocol @@ -103,7 +104,7 @@ - $\vec{u_1} = B\vec{t} + C\vec{g} \in R_q^{\kappa_1}$ ## 2. project -- goal: norm check can be replaced by Johnson-Lindenstrauss projection. +- goal: norm check can be replaced by Johnson-Lindenstrauss projection. - why: because the JL proof is more compact than check the long vector $\vec{s}$ - need to reach a security level $\lambda(\lambda = 128)$ - steps 
@@ -117,6 +118,7 @@ - 1: 1/4 - prover calculate $p_j$ - $p_j =\sum_{i=1}^r<\pi_i^{(j)}, \vec{s_i}>$ $\in Z_q$, $j = 1, . . . , 2λ$ + - $\vec{\pi}_i^{(j)}$ is the j-th row of $\prod_i$ - prover sends $\vec{p} \in Z_q^{2\lambda}$ - verifier check $||\vec{p}||_2 \le \sqrt{\lambda}\beta$ instead of $\sum_{i=1}^r||\vec{s_i}||_2^2 \le \beta^2$ - notes: greyhound only use {1, -1} to do the sample @@ -132,7 +134,7 @@ - d: $Z_q$, degree of $\vec{s_i}$ - $1 \le i \le r$ - $j = 1, . . . , 2λ$ - - $\prod_i \in \{-1, 0, 1\}^{2\lambda \times nd}$ + - $\prod_i \in \{-1, 0, 1\}^{2\lambda \times nd}$ - $\pi_i^{(j)}$: $\in \{-1, 0, 1\}^{nd}$ - $p_j \in Z_q$ - $\vec{p} \in Z_q^{2\lambda}$ 
@@ -153,18 +155,19 @@ - $+ \sum_{j=1}^{2\lambda}\vec{\omega}_j^{(k)}(\sum_{i=1}^r<\sigma_{-1}(\vec{\pi_i}^{(j)}), \vec{s}_i> - p_j)$ - $=\sum_{i,j=1}^r a_{i,j}^{''(k)}<\vec{s}_i, \vec{s}_j> + \sum_{i=1}^r <\varphi_{i}^{''(k)}, \vec{s}_i> - b_0^{''(k)}$ - so prover gets: - - $a_{i,j}^{''(k)} = \sum_{l=1}^{|L|}\vec{\psi}_l^{(k)}a_{i,j}^{'(l)}$ - - $\varphi_{i}^{''(k)} = \sum_{l=1}^{|L|}\vec{\psi}_l^{(k)}\varphi_{i}^{'(l)} + \sum_{j=1}^{2\lambda}\vec{\omega}_j^{(k)}\sigma_{-1}(\vec{\pi_i}^{(j)})$ - - $b^{''(k)} = \sum_{i,j=1}^r a_{i,j}^{''(k)}<\vec{s}_i, \vec{s}_j> + \sum_{i=1}^r <\varphi_{i}^{''(k)}, \vec{s}_i>$ + - $a_{i,j}^{''(k)} = \sum_{l=1}^{|L|}\vec{\psi}_l^{(k)}a_{i,j}^{'(l)}$ $\in R_q$ + - $\varphi_{i}^{''(k)} = \sum_{l=1}^{|L|}\vec{\psi}_l^{(k)}\varphi_{i}^{'(l)} + \sum_{j=1}^{2\lambda}\vec{\omega}_j^{(k)}\sigma_{-1}(\vec{\pi_i}^{(j)})$ $\in R_q^n$ + - $b_0^{''(k)} = \sum_{l=1}^{|L|}\vec{\psi}_l^{(k)}b_0'^{(l)} + <\vec{\omega}^{(k)}, \vec{p}>$ - extends integers $b_0^{''(k)}$ to full polynomials such that $f^{''(k)}(\vec{s_1}, ..., \vec{s_r}) = 0$ - - prover sends $b_0^{''(k)}$ to verifier - - verifier checks the constant term - - $b_0^{''(k)} = \sum_{l=1}^{|L|}\vec{\psi}_l^{(k)}b_0^{(l)} + <\vec{\omega}^{(k)}, \vec{p}>$ + - $b^{''(k)} = \sum_{i,j=1}^r a_{i,j}^{''(k)}<\vec{s}_i, \vec{s}_j> + \sum_{i=1}^r <\varphi_{i}^{''(k)}, \vec{s}_i>$ + - prover sends $b^{''(k)}$ to verifier + - verifier checks the constant term of $b^{''(k)}$ + - $b_0^{''(k)} = \sum_{l=1}^{|L|}\vec{\psi}_l^{(k)}b_0'^{(l)} + <\vec{\omega}^{(k)}, \vec{p}>$ - 2. 
aggregate linear constraints $f^{(k)}(k = 1,..., |F|)$ and $f^{''(k)}(k = 1,..., \lceil \lambda/log_2(q) \rceil)$ - verifier sends random samples from challenge space: $\vec{\alpha} \xleftarrow{\$} R_q^{|F|}$, $\vec{\beta} \xleftarrow{\$} R_q^{\lceil \lambda/log_2(q) \rceil}, K = |F|$ - - $F = <\vec{\alpha}, f> + <\vec{\beta}, f''>$ - - $F(\vec{s_1}, ..., \vec{s_r})$ - - $= \sum_{k=1}^K \vec{\alpha}_k f^{(k)} + \sum_{k=1}^{\lceil \lambda/log_2(q) \rceil} \vec{\beta}_k f^{''(k)}$ + - $F = <\vec{\alpha}, f> + <\vec{\beta}, f''>$ + - $F(\vec{s_1}, ..., \vec{s_r})$ + - $= \sum_{k=1}^K \vec{\alpha}_k f^{(k)} + \sum_{k=1}^{\lceil \lambda/log_2(q) \rceil} \vec{\beta}_k f^{''(k)}$ - $=\sum_{i,j=1}^r a_{i,j}<\vec{s}_i, \vec{s}_j> + \sum_{i=1}^r <\varphi_{i}, \vec{s}_i> - b$ - compute outer commitment $\vec{u}_2$ - $\vec{\varphi}_i = \sum_{k=1}^K \vec{\alpha}_k \varphi_{i}^{(k)} + \sum_{k=1}^{\lceil \lambda/log_2(q) \rceil} \vec{\beta}_k \varphi_{i}^{''(k)}$ @@ -193,6 +196,7 @@ - verifier sends challenge $c_i$ $\in R_q$ from challenge space - prover calculates $\vec{z}, \vec{h}$ - $\vec{z} = \sum_{i=1}^{r} c_i \vec{s}_i$ + - $c_i \vec{s}_i$: multiply $c_i$ by each element of $\vec{s}_i$ then get a new vector - provers sends $\vec{z}, \vec{t}, \vec{g}, \vec{h}$ - data structure - $c_i$ $\in R_q$ @@ -201,7 +205,7 @@ ## 5. verifier checks(without recursion) - $\kappa + \kappa_1 + \kappa_2 + 3$ dot product constraints - 3 dot product constraints check - - (1) $<\vec{z}, \vec{z}> = \sum_{i,j=1}^{r} g_{i,j} c_i c_j$ + - (1) $<\vec{z}, \vec{z}> = \sum_{i,j=1}^{r} g_{i,j} c_i c_j$ - (2) $\sum_{i=1}^r <\vec{\varphi}_i, \vec{z}> c_i =\sum_{i,j=1}^{r} h_{i,j} c_i c_j$ - (3) $\sum_{i,j=1}^{r} a_{i,j} g_{i,j} + \sum_{i=1}^{r} h_{i,i} - b = 0$ - $\kappa + \kappa_1 + \kappa_2$ dot product constraints check 
@@ -216,9 +220,9 @@ - $\gamma, \gamma_1, \gamma_2, \beta'$ see page 19 ## 6. recurse -- goal: prove the last message ($\vec{z}, \vec{t}, \vec{g}, \vec{h}$) of each iteration with base protocol recursively until get shooter witness and proof, then output the last message ($\vec{z}, \vec{t}, \vec{g}, \vec{h}$) -- steps: - - 1. convert last message to new witness vector $\vec{s}_i^\prime$ , $i \in [r']$ +- goal: prove the last message ($\vec{z}, \vec{t}, \vec{g}, \vec{h}$) of each iteration with base protocol recursively until get shooter witness and proof, then output the last message ($\vec{z}, \vec{t}, \vec{g}, \vec{h}$) +- steps: + - 1. convert last message to new witness vector $\vec{s}_i^\prime$ , $i \in [r']$ - decompose $\vec{z}$ - $\vec{z} = \vec{z}^{(0)} + b\vec{z}^{(1)}$ , $\vec{z}^{(0)}, \vec{z}^{(1)} \in R_q^n$ - combine $\vec{t}, \vec{g}, \vec{h}$ 
@@ -227,17 +231,17 @@ - compose $\vec{s}_i^\prime$ - choose $\nu, \mu$ how to choose?? - $\vec{s}_i^\prime$ part 1: - - $\vec{z}^{(0)} = \vec{s}_1^\prime ||... || \vec{s}_{\nu}^\prime$ - - $\vec{s}_i^\prime$ $\in R_q^{\lceil n/\nu \rceil}$ + - $\vec{z}^{(0)} = \vec{s}_1^\prime ||... || \vec{s}_{\nu}^\prime$ + - $\vec{s}_i^\prime$ $\in R_q^{\lceil n/\nu \rceil}$ - $\vec{s}_i^\prime$ part 2: - $\vec{z}^{(1)} = \vec{s}_{\nu+1}^\prime ||... || \vec{s}_{2\nu}^\prime$ - - $\vec{s}_i^\prime$ $\in R_q^{\lceil n/\nu \rceil}$ + - $\vec{s}_i^\prime$ $\in R_q^{\lceil n/\nu \rceil}$ - $\vec{s}_i^\prime$ part 3: - - $\vec{v} = \vec{s}_{2\nu+1}^\prime ||... || \vec{s}_{2\nu + \mu}^\prime$ - - $\vec{s}_i^\prime$ $\in R_q^{\lceil m/\mu \rceil}$ + - $\vec{v} = \vec{s}_{2\nu+1}^\prime ||... || \vec{s}_{2\nu + \mu}^\prime$ + - $\vec{s}_i^\prime$ $\in R_q^{\lceil m/\mu \rceil}$ - 2. use base protocol to prove the new witness - get new relation $g^{(k)}(\vec{s_1}, ..., \vec{s_{r'}})$ $=\sum_{i,j=1}^{r'} a_{i,j}^{(k)}<\vec{s}_i, \vec{s}_j> + \sum_{i=1}^{r'} <\varphi_{i}^{(k)}, \vec{s}_i> - b^{(k)} = 0$ - - $k = 1, ..., \kappa + \kappa_1 + \kappa_2 + 3$ + - $k = 1, ..., \kappa + \kappa_1 + \kappa_2 + 3$ - $a_{ij}$ value refer page 15 - 3. keep recursing, until proof is small enough - need O(log log n) iterations @@ -247,14 +251,11 @@ - verifier checks(without recursion) - data structure - $\vec{z}^{(0)}, \vec{z}^{(1)} \in R_q^n$ - - $\vec{z}^{(0)} || \vec{z}^{(1)} \in R_q^{2n}$ + - $\vec{z}^{(0)} || \vec{z}^{(1)} \in R_q^{2n}$ - $\vec{v}$ $\in R_q^m$ - params - - $2n \approx m$ + - $2n \approx m$ - $\gamma, \gamma_1, \gamma_2, \beta'$ (page 19) - - $\frac{n}{\nu} \approx \frac{m}{\mu}$ + - $\frac{n}{\nu} \approx \frac{m}{\mu}$ - $r' = 2\nu + \mu = O(r^{1/3})$ is optimal(page 5) - - - From 77cf35182049033cb57e83cc53892d68d48ee0a2 Mon Sep 17 00:00:00 2001 
From: Harry Liu <2411mail@gmail.com> Date: Mon, 23 Dec 2024 19:08:18 +0800 Subject: [PATCH 2/2] Update dev_notes.md update format --- docs/src/dev_notes.md | 50 +++++++++++++++++++++---------------------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/docs/src/dev_notes.md b/docs/src/dev_notes.md index 24aa1e9..14f023c 100644 --- a/docs/src/dev_notes.md +++ b/docs/src/dev_notes.md @@ -8,7 +8,7 @@ - $\vec{s}$ is witness - $\sum_{i=1}^r||\vec{s_i}||_2^2 \le \beta^2$ - data structure (page 10) - - $\vec{s_i}$, $\vec{s_j}$ $\in R_q^{n}$ + - $\vec{s_i}$, $\vec{s_j}$ $\in R_q^{n}$ - $\vec{\varphi}_i^{(k)}$ $\in R_q^{n}$ - $a_{ij}^{(k)}$ $\in R_q$ - $b^{(k)}$ $\in R_q$ @@ -59,10 +59,10 @@ - $\vec{t_i} = A\vec{s_i} \in R_q^{\kappa}$, this is Ajtai commitment - decompose and combine - problems - - problem 1: + - problem 1: - costly to send $t_i$ directly to verifier - solution: combine all inner commitments $\vec{t_i}$ into a shorter outer commitment - - problem 2: + - problem 2: - ring elements $\vec{t}_{i, j}, g_{i, j} \in R_q$ have arbitrary length of coefficients, not good for commitment - solution: decompose and concatenate - each coefficient of ring element need to be decomposed to same length with a proper basis, then concatenate them together 
@@ -79,13 +79,13 @@ - in total there are $(r^2+r)/2$ $R_q$ in $\vec{g}$ , means $\vec{g} \in R_q^{(r^2+r)/2}$ - choose length $t_2$, basis $b_2$ - decompose $\vec{g}_{k}$, which $k \in [(r^2+r)/2]$, output decomposed $\vec{g}_{k} = \vec{g}_{k}^{(0)} + ... + \vec{g}_{g}^{(t_2 - 1)}b_2^{t_2 - 1} \in R_q^{t_2}$ - - concatenate all decomposed $\vec{g}_{k}$, get decomposed $\vec{g} \in R_q^{t_2 (r^2+r)/2}$ + - concatenate all decomposed $\vec{g}_{k}$, get decomposed $\vec{g} \in R_q^{t_2 (r^2+r)/2}$ - decomposition params(page 16, 19) - $\tau$: variance for the sum of the coefficients of a challenge polynomial - - $\mathfrak{s} = \beta / \sqrt{r n d}$ : standard deviation for the $Z_q$ coefficients of the vectors $\vec{s}_i$ + - $\mathfrak{s} = \beta / \sqrt{r n d}$ : standard deviation for the $Z_q$ coefficients of the vectors $\vec{s}_i$ - $b \approx b_1 \approx b_2 = \sqrt{\sqrt{12 r \tau \mathfrak{s}}}$ , b is used in recurse section - - $t_1 = \lfloor \frac{\log q}{\log b} \rceil$ - - $t_2 = \lfloor \frac{\log{(\sqrt{24 n d \mathfrak{s^2}})}}{\log b} \rceil$ + - $t_1 = \lfloor \frac{\log q}{\log b} \rceil$ + - $t_2 = \lfloor \frac{\log{(\sqrt{24 n d \mathfrak{s^2}})}}{\log b} \rceil$ - combine - combine all inner commitments $\vec{t_i}$ with random matrix B to get a shooter outer commitment $\vec{u_1} = B\vec{t} \in R_q^{\kappa_1}$ - also put $g_{ij} \in R_q$ combination here, because $g_{ij}$ is dependent of all the challenges, so compute it in the very beginning of the protocol @@ -104,7 +104,7 @@ - $\vec{u_1} = B\vec{t} + C\vec{g} \in R_q^{\kappa_1}$ ## 2. project -- goal: norm check can be replaced by Johnson-Lindenstrauss projection. +- goal: norm check can be replaced by Johnson-Lindenstrauss projection. - why: because the JL proof is more compact than check the long vector $\vec{s}$ - need to reach a security level $\lambda(\lambda = 128)$ - steps 
@@ -134,7 +134,7 @@ - d: $Z_q$, degree of $\vec{s_i}$ - $1 \le i \le r$ - $j = 1, . . . , 2λ$ - - $\prod_i \in \{-1, 0, 1\}^{2\lambda \times nd}$ + - $\prod_i \in \{-1, 0, 1\}^{2\lambda \times nd}$ - $\pi_i^{(j)}$: $\in \{-1, 0, 1\}^{nd}$ - $p_j \in Z_q$ - $\vec{p} \in Z_q^{2\lambda}$ @@ -165,9 +165,9 @@ - $b_0^{''(k)} = \sum_{l=1}^{|L|}\vec{\psi}_l^{(k)}b_0'^{(l)} + <\vec{\omega}^{(k)}, \vec{p}>$ - 2. aggregate linear constraints $f^{(k)}(k = 1,..., |F|)$ and $f^{''(k)}(k = 1,..., \lceil \lambda/log_2(q) \rceil)$ - verifier sends random samples from challenge space: $\vec{\alpha} \xleftarrow{\$} R_q^{|F|}$, $\vec{\beta} \xleftarrow{\$} R_q^{\lceil \lambda/log_2(q) \rceil}, K = |F|$ - - $F = <\vec{\alpha}, f> + <\vec{\beta}, f''>$ - - $F(\vec{s_1}, ..., \vec{s_r})$ - - $= \sum_{k=1}^K \vec{\alpha}_k f^{(k)} + \sum_{k=1}^{\lceil \lambda/log_2(q) \rceil} \vec{\beta}_k f^{''(k)}$ + - $F = <\vec{\alpha}, f> + <\vec{\beta}, f''>$ + - $F(\vec{s_1}, ..., \vec{s_r})$ + - $= \sum_{k=1}^K \vec{\alpha}_k f^{(k)} + \sum_{k=1}^{\lceil \lambda/log_2(q) \rceil} \vec{\beta}_k f^{''(k)}$ - $=\sum_{i,j=1}^r a_{i,j}<\vec{s}_i, \vec{s}_j> + \sum_{i=1}^r <\varphi_{i}, \vec{s}_i> - b$ - compute outer commitment $\vec{u}_2$ - $\vec{\varphi}_i = \sum_{k=1}^K \vec{\alpha}_k \varphi_{i}^{(k)} + \sum_{k=1}^{\lceil \lambda/log_2(q) \rceil} \vec{\beta}_k \varphi_{i}^{''(k)}$ @@ -205,7 +205,7 @@ ## 5. verifier checks(without recursion) - $\kappa + \kappa_1 + \kappa_2 + 3$ dot product constraints - 3 dot product constraints check - - (1) $<\vec{z}, \vec{z}> = \sum_{i,j=1}^{r} g_{i,j} c_i c_j$ + - (1) $<\vec{z}, \vec{z}> = \sum_{i,j=1}^{r} g_{i,j} c_i c_j$ - (2) $\sum_{i=1}^r <\vec{\varphi}_i, \vec{z}> c_i =\sum_{i,j=1}^{r} h_{i,j} c_i c_j$ - (3) $\sum_{i,j=1}^{r} a_{i,j} g_{i,j} + \sum_{i=1}^{r} h_{i,i} - b = 0$ - $\kappa + \kappa_1 + \kappa_2$ dot product constraints check 
@@ -220,9 +220,9 @@ - $\gamma, \gamma_1, \gamma_2, \beta'$ see page 19 ## 6. recurse -- goal: prove the last message ($\vec{z}, \vec{t}, \vec{g}, \vec{h}$) of each iteration with base protocol recursively until get shooter witness and proof, then output the last message ($\vec{z}, \vec{t}, \vec{g}, \vec{h}$) -- steps: - - 1. convert last message to new witness vector $\vec{s}_i^\prime$ , $i \in [r']$ +- goal: prove the last message ($\vec{z}, \vec{t}, \vec{g}, \vec{h}$) of each iteration with base protocol recursively until get shooter witness and proof, then output the last message ($\vec{z}, \vec{t}, \vec{g}, \vec{h}$) +- steps: + - 1. convert last message to new witness vector $\vec{s}_i^\prime$ , $i \in [r']$ - decompose $\vec{z}$ - $\vec{z} = \vec{z}^{(0)} + b\vec{z}^{(1)}$ , $\vec{z}^{(0)}, \vec{z}^{(1)} \in R_q^n$ - combine $\vec{t}, \vec{g}, \vec{h}$ 
@@ -231,17 +231,17 @@ - compose $\vec{s}_i^\prime$ - choose $\nu, \mu$ how to choose?? - $\vec{s}_i^\prime$ part 1: - - $\vec{z}^{(0)} = \vec{s}_1^\prime ||... || \vec{s}_{\nu}^\prime$ - - $\vec{s}_i^\prime$ $\in R_q^{\lceil n/\nu \rceil}$ + - $\vec{z}^{(0)} = \vec{s}_1^\prime ||... || \vec{s}_{\nu}^\prime$ + - $\vec{s}_i^\prime$ $\in R_q^{\lceil n/\nu \rceil}$ - $\vec{s}_i^\prime$ part 2: - $\vec{z}^{(1)} = \vec{s}_{\nu+1}^\prime ||... || \vec{s}_{2\nu}^\prime$ - - $\vec{s}_i^\prime$ $\in R_q^{\lceil n/\nu \rceil}$ + - $\vec{s}_i^\prime$ $\in R_q^{\lceil n/\nu \rceil}$ - $\vec{s}_i^\prime$ part 3: - - $\vec{v} = \vec{s}_{2\nu+1}^\prime ||... || \vec{s}_{2\nu + \mu}^\prime$ - - $\vec{s}_i^\prime$ $\in R_q^{\lceil m/\mu \rceil}$ + - $\vec{v} = \vec{s}_{2\nu+1}^\prime ||... || \vec{s}_{2\nu + \mu}^\prime$ + - $\vec{s}_i^\prime$ $\in R_q^{\lceil m/\mu \rceil}$ - 2. use base protocol to prove the new witness - get new relation $g^{(k)}(\vec{s_1}, ..., \vec{s_{r'}})$ $=\sum_{i,j=1}^{r'} a_{i,j}^{(k)}<\vec{s}_i, \vec{s}_j> + \sum_{i=1}^{r'} <\varphi_{i}^{(k)}, \vec{s}_i> - b^{(k)} = 0$ - - $k = 1, ..., \kappa + \kappa_1 + \kappa_2 + 3$ + - $k = 1, ..., \kappa + \kappa_1 + \kappa_2 + 3$ - $a_{ij}$ value refer page 15 - 3. keep recursing, until proof is small enough - need O(log log n) iterations @@ -251,11 +251,11 @@ - verifier checks(without recursion) - data structure - $\vec{z}^{(0)}, \vec{z}^{(1)} \in R_q^n$ - - $\vec{z}^{(0)} || \vec{z}^{(1)} \in R_q^{2n}$ + - $\vec{z}^{(0)} || \vec{z}^{(1)} \in R_q^{2n}$ - $\vec{v}$ $\in R_q^m$ - params - - $2n \approx m$ + - $2n \approx m$ - $\gamma, \gamma_1, \gamma_2, \beta'$ (page 19) - - $\frac{n}{\nu} \approx \frac{m}{\mu}$ + - $\frac{n}{\nu} \approx \frac{m}{\mu}$ - $r' = 2\nu + \mu = O(r^{1/3})$ is optimal(page 5)
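
Review bot: In [PATCH 1/2], hunk `@@ -1,13 +1,14 @@`, the `ct(f'^{(l)}(...))` line directly below the corrected `f^{(k)}` line is still inconsistent. It takes arguments up to `\vec{s_{l}}`, sums `i,j` and `i` up to `L`, and uses `a_{i,j}^{(k)}` next to `\varphi_{i}^{(l)}` and `b^{(l)}`. The later aggregation hunk sums `l` up to `|L|` over `a_{i,j}^{'(l)}` and sums `i,j` up to `r`, so this line should use the same `r` bounds and the `(l)` superscript throughout. The added DPCS bullet also says "there are k constraints" although `k` is the running index and the count is written `K = |F|` further down; name the count there instead.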
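
Review bot: In [PATCH 1/2], hunk `@@ -78,13 +79,13 @@`, only whitespace is changed, while two defects on neighbouring lines are left in place. The decomposition line ends in `\vec{g}_{g}^{(t_2 - 1)}b_2^{t_2 - 1}` where the subscript should be `k` like the other terms, and the combine bullet says "a shooter outer commitment" where the `@@ -58,10 +59,10 @@` hunk says "shorter outer commitment". The same "shooter witness" wording is in the goal line of the `@@ -216,9 +220,9 @@` hunk. Since these lines are being touched anyway, fix them in this patch.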
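
Review bot: In [PATCH 1/2], hunk `@@ -117,6 +118,7 @@`, the added line writes the projection matrix as `\prod_i`, which is the product operator rather than the capital letter. Use `\Pi_i` here and on the `\prod_i \in \{-1, 0, 1\}^{2\lambda \times nd}` line in the `@@ -132,7 +134,7 @@` hunk. The added line also writes the row as `\vec{\pi}_i^{(j)}` while the `p_j` line just above it uses `\pi_i^{(j)}` without the arrow; pick one notation for the row.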
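
Review bot: In [PATCH 1/2], hunk `@@ -153,18 +155,19 @@`, the new `b_0^{''(k)} = \sum_l \psi_l^{(k)} b_0'^{(l)} + <\omega^{(k)}, p>` formula is added twice: once under "so prover gets" and again under "verifier checks the constant term of `b^{''(k)}`". The first placement reads as if `b_0^{''(k)}` were a value the prover supplies, yet the right-hand side depends only on the challenges, the public `b_0'^{(l)}` and the already-sent `\vec{p}`. Keep the formula once, under the verifier check, and state that the verifier recomputes the right-hand side itself and compares it with the constant term of the `b^{''(k)}` it received. The "extends integers `b_0^{''(k)}` to full polynomials" bullet then needs one sentence saying that the witness-dependent `b^{''(k)}` line below it is that extension.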
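
Review bot: In [PATCH 1/2], hunk `@@ -227,17 +231,17 @@`, the bullet "choose `\nu, \mu` how to choose??" is left as an open question, although the params list in the `@@ -247,14 +251,11 @@` hunk already gives the constraints `\frac{n}{\nu} \approx \frac{m}{\mu}` and `r' = 2\nu + \mu = O(r^{1/3})`. Replace the "??" with a pointer to those two lines. The `\kappa_2`?? bullet in the `@@ -45,7 +46,7 @@` hunk has the same problem: the patch only removes the space before "??" instead of resolving or tracking the question.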
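
Review bot: [PATCH 2/2] changes only whitespace, and it does so on lines that [PATCH 1/2] had already rewritten for whitespace. The `\vec{s_i}`, `\vec{s_j}` `\in R_q^{n}` data-structure line and the "problem 1:" / "problem 2:" bullets appear as `-`/`+` pairs in both patches. Squash the two whitespace passes into one commit, and keep that commit separate from the content changes in 1/2 (the DPCS bullet, the `\pi` row definition, the `b_0^{''(k)}` rework) so the substantive diff is reviewable on its own.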