1 | 1 | ## 0. setup
|
2 | 2 | - relation R
|
| 3 | + - In DPCS(dot product constraint system), there are k constraints, each constraint has a, phi and b |
3 | 4 | - constraints
|
4 |
| - - $f^{(k)}(\vec{s_1}, ..., \vec{s_{r}})$ $=\sum_{i,j=1}^{r'} a_{i,j}^{(k)}<\vec{s}_i, \vec{s}_j> + \sum_{i=1}^{r} <\varphi_{i}^{(k)}, \vec{s}_i> - b^{(k)} = 0$ |
| 5 | + - $f^{(k)}(\vec{s_1}, ..., \vec{s_{r}})$ $=\sum_{i,j=1}^{r} a_{i,j}^{(k)}<\vec{s}_i, \vec{s}_j> + \sum_{i=1}^{r} <\varphi_{i}^{(k)}, \vec{s}_i> - b^{(k)} = 0$ |
5 | 6 | - $ct(f'^{(l)}(\vec{s_1}, ..., \vec{s_{l}}))$ $=ct(\sum_{i,j=1}^{L} a_{i,j}^{(k)}<\vec{s}_i, \vec{s}_j> + \sum_{i=1}^{L} <\varphi_{i}^{(l)}, \vec{s}_i> - b^{(l)}) \mod q'$
|
6 | 7 | - norm check
|
7 | 8 | - $\vec{s}$ is witness
|
8 | 9 | - $\sum_{i=1}^r||\vec{s_i}||_2^2 \le \beta^2$
|
9 |
| - - data structure |
10 |
| - - $\vec{s_i}$, $\vec{s_j}$ $\in R_q^{n}$ |
| 10 | + - data structure (page 10) |
| 11 | + - $\vec{s_i}$, $\vec{s_j}$ $\in R_q^{n}$ |
11 | 12 | - $\vec{\varphi}_i^{(k)}$ $\in R_q^{n}$
|
12 | 13 | - $a_{ij}^{(k)}$ $\in R_q$
|
13 | 14 | - $b^{(k)}$ $\in R_q$
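Review bot: the index fix on the $f^{(k)}$ line (summing to $r$ instead of $r'$) should be carried to the $ct(f'^{(l)})$ line directly below it, which still mixes superscripts ($a_{i,j}^{(k)}$ inside an $(l)$-indexed constraint), sums to $L$ and takes arguments $(\vec{s_1}, ..., \vec{s_{l}})$ although the witness has $r$ vectors; suggest `$ct(f'^{(l)}(\vec{s_1}, ..., \vec{s_{r}})) = ct(\sum_{i,j=1}^{r} a_{i,j}^{'(l)}<\vec{s}_i, \vec{s}_j> + \sum_{i=1}^{r} <\varphi_{i}^{'(l)}, \vec{s}_i> - b^{'(l)}) \mod q'$`, matching the primed $a_{i,j}^{'(l)}$, $\varphi_i^{'(l)}$, $b_0'^{(l)}$ used in the aggregation section. The new DPCS line also wants a space and a tighter wording: "DPCS (dot product constraint system): $k$ constraints, each given by $a$, $\varphi$ and $b$".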
|
|
45 | 46 | - $1 \le i \le j \le r$
|
46 | 47 | - $0 \le k \le t_2 - 1$
|
47 | 48 | - $t_2$ see below decomposition section
|
48 |
| - - $\kappa_2$ ?? |
| 49 | + - $\kappa_2$?? |
49 | 50 | - $D_{ijk} \in R_q^{\kappa_2 \times 1}$
|
50 | 51 | - $1 \le i \le j \le r$
|
51 | 52 | - $0 \le k \le t_1 - 1$
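Review bot: the change only drops a space before "??" and leaves the $\kappa_2$ question open, yet the next line, $D_{ijk} \in R_q^{\kappa_2 \times 1}$, already fixes $\kappa_2$ as the row dimension of $D$, that is, the length of the commitment $D$ produces (the same $\kappa_2$ that enters the $\kappa + \kappa_1 + \kappa_2 + 3$ constraint count in section 5); replacing the question with that statement would close it.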
|
|
58 | 59 | - $\vec{t_i} = A\vec{s_i} \in R_q^{\kappa}$, this is Ajtai commitment
|
59 | 60 | - decompose and combine
|
60 | 61 | - problems
|
61 |
| - - problem 1: |
| 62 | + - problem 1: |
62 | 63 | - costly to send $t_i$ directly to verifier
|
63 | 64 | - solution: combine all inner commitments $\vec{t_i}$ into a shorter outer commitment
|
64 |
| - - problem 2: |
| 65 | + - problem 2: |
65 | 66 | - ring elements $\vec{t}_{i, j}, g_{i, j} \in R_q$ have arbitrary length of coefficients, not good for commitment
|
66 | 67 | - solution: decompose and concatenate
|
67 | 68 | - each coefficient of ring element need to be decomposed to same length with a proper basis, then concatenate them together
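Review bot: the problem-2 line says the ring elements have "arbitrary length of coefficients"; the number of coefficients of an $R_q$ element is fixed, what varies is the size of each $Z_q$ coefficient, and that size is what the decomposition reduces, so suggest "have coefficients of arbitrary size in $Z_q$, which is bad for commitment". On the same line $\vec{t}_{i,j}$ carries a vector arrow while being declared an element of $R_q$ next to $g_{i,j}$; drop the arrow. Last line: "need" → "needs".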
|
|
78 | 79 | - in total there are $(r^2+r)/2$ $R_q$ in $\vec{g}$ , means $\vec{g} \in R_q^{(r^2+r)/2}$
|
79 | 80 | - choose length $t_2$, basis $b_2$
|
80 | 81 | - decompose $\vec{g}_{k}$, which $k \in [(r^2+r)/2]$, output decomposed $\vec{g}_{k} = \vec{g}_{k}^{(0)} + ... + \vec{g}_{g}^{(t_2 - 1)}b_2^{t_2 - 1} \in R_q^{t_2}$
|
81 |
| - - concatenate all decomposed $\vec{g}_{k}$, get decomposed $\vec{g} \in R_q^{t_2 (r^2+r)/2}$ |
| 82 | + - concatenate all decomposed $\vec{g}_{k}$, get decomposed $\vec{g} \in R_q^{t_2 (r^2+r)/2}$ |
82 | 83 | - decomposition params(page 16, 19)
|
83 | 84 | - $\tau$: variance for the sum of the coefficients of a challenge polynomial
|
84 |
| - - $\mathfrak{s} = \beta / \sqrt{r n d}$ : standard deviation for the $Z_q$ coefficients of the vectors $\vec{s}_i$ |
| 85 | + - $\mathfrak{s} = \beta / \sqrt{r n d}$ : standard deviation for the $Z_q$ coefficients of the vectors $\vec{s}_i$ |
85 | 86 | - $b \approx b_1 \approx b_2 = \sqrt{\sqrt{12 r \tau \mathfrak{s}}}$ , b is used in recurse section
|
86 |
| - - $t_1 = \lfloor \frac{\log q}{\log b} \rceil$ |
87 |
| - - $t_2 = \lfloor \frac{\log{(\sqrt{24 n d \mathfrak{s^2}})}}{\log b} \rceil$ |
| 87 | + - $t_1 = \lfloor \frac{\log q}{\log b} \rceil$ |
| 88 | + - $t_2 = \lfloor \frac{\log{(\sqrt{24 n d \mathfrak{s^2}})}}{\log b} \rceil$ |
88 | 89 | - combine
|
89 | 90 | - combine all inner commitments $\vec{t_i}$ with random matrix B to get a shooter outer commitment $\vec{u_1} = B\vec{t} \in R_q^{\kappa_1}$
|
90 | 91 | - also put $g_{ij} \in R_q$ combination here, because $g_{ij}$ is dependent of all the challenges, so compute it in the very beginning of the protocol
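Review bot: the decomposition line has a subscript typo, $\vec{g}_{g}^{(t_2 - 1)}$ should be $\vec{g}_{k}^{(t_2 - 1)}$, and what lies in $R_q^{t_2}$ is the tuple $(\vec{g}_k^{(0)}, \dots, \vec{g}_k^{(t_2 - 1)})$, not the sum, which equals $\vec{g}_k$ itself. In the combine lines, "shooter" → "shorter", and "is dependent of all the challenges, so compute it in the very beginning" is inverted: $g_{ij}$ can go into $\vec{u_1}$ before any challenge is sent precisely because it does not depend on the challenges (section 5 has $<\vec{z},\vec{z}> = \sum g_{i,j} c_i c_j$ with $\vec{z} = \sum c_i \vec{s}_i$, so $g_{i,j} = <\vec{s}_i, \vec{s}_j>$); suggest "is independent of all the challenges, so it can be computed at the very beginning of the protocol".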
|
|
103 | 104 | - $\vec{u_1} = B\vec{t} + C\vec{g} \in R_q^{\kappa_1}$
|
104 | 105 |
|
105 | 106 | ## 2. project
|
106 |
| -- goal: norm check can be replaced by Johnson-Lindenstrauss projection. |
| 107 | +- goal: norm check can be replaced by Johnson-Lindenstrauss projection. |
107 | 108 | - why: because the JL proof is more compact than check the long vector $\vec{s}$
|
108 | 109 | - need to reach a security level $\lambda(\lambda = 128)$
|
109 | 110 | - steps
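Review bot: grammar in the "why" line: "more compact than check the long vector" → "more compact than checking the long vector $\vec{s}$"; and "$\lambda(\lambda = 128)$" reads better as "$\lambda$ ($\lambda = 128$)".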
|
|
117 | 118 | - 1: 1/4
|
118 | 119 | - prover calculate $p_j$
|
119 | 120 | - $p_j =\sum_{i=1}^r<\pi_i^{(j)}, \vec{s_i}>$ $\in Z_q$, $j = 1, . . . , 2λ$
|
| 121 | + - $\vec{\pi}_i^{(j)}$ is the j-th row of $\prod_i$ |
120 | 122 | - prover sends $\vec{p} \in Z_q^{2\lambda}$
|
121 | 123 | - verifier check $||\vec{p}||_2 \le \sqrt{\lambda}\beta$ instead of $\sum_{i=1}^r||\vec{s_i}||_2^2 \le \beta^2$
|
122 | 124 | - notes: greyhound only use {1, -1} to do the sample
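Review bot: the added line uses $\prod_i$, the product operator, for the projection matrix; it should be $\Pi_i$, and its row should use the same notation as the $p_j$ line directly above ($\pi_i^{(j)}$ there, $\vec{\pi}_i^{(j)}$ here; pick one). Also "greyhound only use" → "Greyhound only uses".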
|
|
132 | 134 | - d: $Z_q$, degree of $\vec{s_i}$
|
133 | 135 | - $1 \le i \le r$
|
134 | 136 | - $j = 1, . . . , 2λ$
|
135 |
| - - $\prod_i \in \{-1, 0, 1\}^{2\lambda \times nd}$ |
| 137 | + - $\prod_i \in \{-1, 0, 1\}^{2\lambda \times nd}$ |
136 | 138 | - $\pi_i^{(j)}$: $\in \{-1, 0, 1\}^{nd}$
|
137 | 139 | - $p_j \in Z_q$
|
138 | 140 | - $\vec{p} \in Z_q^{2\lambda}$
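Review bot: the "d" line reads "d: $Z_q$, degree of $\vec{s_i}$", which is unclear; with $\vec{s_i} \in R_q^n$ and the matrix in $\{-1, 0, 1\}^{2\lambda \times nd}$, $d$ is the number of $Z_q$ coefficients of one $R_q$ element, so suggest "d: degree of the ring $R_q$, so $\vec{s_i}$ has $nd$ coefficients in $Z_q$". The $\prod_i$ → $\Pi_i$ point from the previous hunk applies to the matrix line here as well.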
|
|
153 | 155 | - $+ \sum_{j=1}^{2\lambda}\vec{\omega}_j^{(k)}(\sum_{i=1}^r<\sigma_{-1}(\vec{\pi_i}^{(j)}), \vec{s}_i> - p_j)$
|
154 | 156 | - $=\sum_{i,j=1}^r a_{i,j}^{''(k)}<\vec{s}_i, \vec{s}_j> + \sum_{i=1}^r <\varphi_{i}^{''(k)}, \vec{s}_i> - b_0^{''(k)}$
|
155 | 157 | - so prover gets:
|
156 |
| - - $a_{i,j}^{''(k)} = \sum_{l=1}^{|L|}\vec{\psi}_l^{(k)}a_{i,j}^{'(l)}$ |
157 |
| - - $\varphi_{i}^{''(k)} = \sum_{l=1}^{|L|}\vec{\psi}_l^{(k)}\varphi_{i}^{'(l)} + \sum_{j=1}^{2\lambda}\vec{\omega}_j^{(k)}\sigma_{-1}(\vec{\pi_i}^{(j)})$ |
158 |
| - - $b^{''(k)} = \sum_{i,j=1}^r a_{i,j}^{''(k)}<\vec{s}_i, \vec{s}_j> + \sum_{i=1}^r <\varphi_{i}^{''(k)}, \vec{s}_i>$ |
| 158 | + - $a_{i,j}^{''(k)} = \sum_{l=1}^{|L|}\vec{\psi}_l^{(k)}a_{i,j}^{'(l)}$ $\in R_q$ |
| 159 | + - $\varphi_{i}^{''(k)} = \sum_{l=1}^{|L|}\vec{\psi}_l^{(k)}\varphi_{i}^{'(l)} + \sum_{j=1}^{2\lambda}\vec{\omega}_j^{(k)}\sigma_{-1}(\vec{\pi_i}^{(j)})$ $\in R_q^n$ |
| 160 | + - $b_0^{''(k)} = \sum_{l=1}^{|L|}\vec{\psi}_l^{(k)}b_0'^{(l)} + <\vec{\omega}^{(k)}, \vec{p}>$ |
159 | 161 | - extends integers $b_0^{''(k)}$ to full polynomials such that $f^{''(k)}(\vec{s_1}, ..., \vec{s_r}) = 0$
|
160 |
| - - prover sends $b_0^{''(k)}$ to verifier |
161 |
| - - verifier checks the constant term |
162 |
| - - $b_0^{''(k)} = \sum_{l=1}^{|L|}\vec{\psi}_l^{(k)}b_0^{(l)} + <\vec{\omega}^{(k)}, \vec{p}>$ |
| 162 | + - $b^{''(k)} = \sum_{i,j=1}^r a_{i,j}^{''(k)}<\vec{s}_i, \vec{s}_j> + \sum_{i=1}^r <\varphi_{i}^{''(k)}, \vec{s}_i>$ |
| 163 | + - prover sends $b^{''(k)}$ to verifier |
| 164 | + - verifier checks the constant term of $b^{''(k)}$ |
| 165 | + - $b_0^{''(k)} = \sum_{l=1}^{|L|}\vec{\psi}_l^{(k)}b_0'^{(l)} + <\vec{\omega}^{(k)}, \vec{p}>$ |
163 | 166 | - 2. aggregate linear constraints $f^{(k)}(k = 1,..., |F|)$ and $f^{''(k)}(k = 1,..., \lceil \lambda/log_2(q) \rceil)$
|
164 | 167 | - verifier sends random samples from challenge space: $\vec{\alpha} \xleftarrow{\$} R_q^{|F|}$, $\vec{\beta} \xleftarrow{\$} R_q^{\lceil \lambda/log_2(q) \rceil}, K = |F|$
|
165 |
| - - $F = <\vec{\alpha}, f> + <\vec{\beta}, f''>$ |
166 |
| - - $F(\vec{s_1}, ..., \vec{s_r})$ |
167 |
| - - $= \sum_{k=1}^K \vec{\alpha}_k f^{(k)} + \sum_{k=1}^{\lceil \lambda/log_2(q) \rceil} \vec{\beta}_k f^{''(k)}$ |
| 168 | + - $F = <\vec{\alpha}, f> + <\vec{\beta}, f''>$ |
| 169 | + - $F(\vec{s_1}, ..., \vec{s_r})$ |
| 170 | + - $= \sum_{k=1}^K \vec{\alpha}_k f^{(k)} + \sum_{k=1}^{\lceil \lambda/log_2(q) \rceil} \vec{\beta}_k f^{''(k)}$ |
168 | 171 | - $=\sum_{i,j=1}^r a_{i,j}<\vec{s}_i, \vec{s}_j> + \sum_{i=1}^r <\varphi_{i}, \vec{s}_i> - b$
|
169 | 172 | - compute outer commitment $\vec{u}_2$
|
170 | 173 | - $\vec{\varphi}_i = \sum_{k=1}^K \vec{\alpha}_k \varphi_{i}^{(k)} + \sum_{k=1}^{\lceil \lambda/log_2(q) \rceil} \vec{\beta}_k \varphi_{i}^{''(k)}$
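Review bot: $b_0^{''(k)}$ is now defined twice with the identical formula, once just before the "extends integers" line and again as the last item under "verifier checks the constant term"; keep the first as the definition and phrase the check as "constant term of the received $b^{''(k)}$ equals $b_0^{''(k)}$", or drop one copy. Consistency: the sibling lines gained type tags ($\in R_q$, $\in R_q^n$) but $b_0^{''(k)} \in Z_q$ and $b^{''(k)} \in R_q$ did not. Also "extends integers" → "extend the integers", `log_2` → `\log_2` so it typesets as an operator, and $\vec{\beta}$ for the second challenge vector collides with the norm bound $\beta$ used in setup and in the $\sqrt{\lambda}\beta$ check; a different letter avoids the clash.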
|
|
193 | 196 | - verifier sends challenge $c_i$ $\in R_q$ from challenge space
|
194 | 197 | - prover calculates $\vec{z}, \vec{h}$
|
195 | 198 | - $\vec{z} = \sum_{i=1}^{r} c_i \vec{s}_i$
|
| 199 | + - $c_i \vec{s}_i$: multiply $c_i$ by each element of $\vec{s}_i$ then get a new vector |
196 | 200 | - provers sends $\vec{z}, \vec{t}, \vec{g}, \vec{h}$
|
197 | 201 | - data structure
|
198 | 202 | - $c_i$ $\in R_q$
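Review bot: "provers sends" → "prover sends". The added explanation of $c_i \vec{s}_i$ is correct but reads more precisely as "multiply each $R_q$ coordinate of $\vec{s}_i$ by $c_i$ in $R_q$, giving a new vector in $R_q^n$".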
|
|
201 | 205 | ## 5. verifier checks(without recursion)
|
202 | 206 | - $\kappa + \kappa_1 + \kappa_2 + 3$ dot product constraints
|
203 | 207 | - 3 dot product constraints check
|
204 |
| - - (1) $<\vec{z}, \vec{z}> = \sum_{i,j=1}^{r} g_{i,j} c_i c_j$ |
| 208 | + - (1) $<\vec{z}, \vec{z}> = \sum_{i,j=1}^{r} g_{i,j} c_i c_j$ |
205 | 209 | - (2) $\sum_{i=1}^r <\vec{\varphi}_i, \vec{z}> c_i =\sum_{i,j=1}^{r} h_{i,j} c_i c_j$
|
206 | 210 | - (3) $\sum_{i,j=1}^{r} a_{i,j} g_{i,j} + \sum_{i=1}^{r} h_{i,i} - b = 0$
|
207 | 211 | - $\kappa + \kappa_1 + \kappa_2$ dot product constraints check
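Review bot: check (1) sums $g_{i,j} c_i c_j$ over all $i, j = 1..r$, but $\vec{g}$ is defined above only for $1 \le i \le j \le r$ (it has $(r^2+r)/2$ entries); state the convention $g_{j,i} = g_{i,j}$, and likewise for $h_{i,j}$ in (2), so the double sums are well defined. Style: "verifier checks(without recursion)" → "verifier checks (without recursion)".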
|
|
216 | 220 | - $\gamma, \gamma_1, \gamma_2, \beta'$ see page 19
|
217 | 221 |
|
218 | 222 | ## 6. recurse
|
219 |
| -- goal: prove the last message ($\vec{z}, \vec{t}, \vec{g}, \vec{h}$) of each iteration with base protocol recursively until get shooter witness and proof, then output the last message ($\vec{z}, \vec{t}, \vec{g}, \vec{h}$) |
220 |
| -- steps: |
221 |
| - - 1. convert last message to new witness vector $\vec{s}_i^\prime$ , $i \in [r']$ |
| 223 | +- goal: prove the last message ($\vec{z}, \vec{t}, \vec{g}, \vec{h}$) of each iteration with base protocol recursively until get shooter witness and proof, then output the last message ($\vec{z}, \vec{t}, \vec{g}, \vec{h}$) |
| 224 | +- steps: |
| 225 | + - 1. convert last message to new witness vector $\vec{s}_i^\prime$ , $i \in [r']$ |
222 | 226 | - decompose $\vec{z}$
|
223 | 227 | - $\vec{z} = \vec{z}^{(0)} + b\vec{z}^{(1)}$ , $\vec{z}^{(0)}, \vec{z}^{(1)} \in R_q^n$
|
224 | 228 | - combine $\vec{t}, \vec{g}, \vec{h}$
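Review bot: "shooter witness" → "shorter witness" in the goal line, and "until get shorter witness and proof" → "until the witness and proof are short enough". The "how to choose??" question on $\nu, \mu$ is answered by the params listed further down in this section ($n/\nu \approx m/\mu$, $r' = 2\nu + \mu = O(r^{1/3})$); a pointer to them here would close it.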
|
|
227 | 231 | - compose $\vec{s}_i^\prime$
|
228 | 232 | - choose $\nu, \mu$ how to choose??
|
229 | 233 | - $\vec{s}_i^\prime$ part 1:
|
230 |
| - - $\vec{z}^{(0)} = \vec{s}_1^\prime ||... || \vec{s}_{\nu}^\prime$ |
231 |
| - - $\vec{s}_i^\prime$ $\in R_q^{\lceil n/\nu \rceil}$ |
| 234 | + - $\vec{z}^{(0)} = \vec{s}_1^\prime ||... || \vec{s}_{\nu}^\prime$ |
| 235 | + - $\vec{s}_i^\prime$ $\in R_q^{\lceil n/\nu \rceil}$ |
232 | 236 | - $\vec{s}_i^\prime$ part 2:
|
233 | 237 | - $\vec{z}^{(1)} = \vec{s}_{\nu+1}^\prime ||... || \vec{s}_{2\nu}^\prime$
|
234 |
| - - $\vec{s}_i^\prime$ $\in R_q^{\lceil n/\nu \rceil}$ |
| 238 | + - $\vec{s}_i^\prime$ $\in R_q^{\lceil n/\nu \rceil}$ |
235 | 239 | - $\vec{s}_i^\prime$ part 3:
|
236 |
| - - $\vec{v} = \vec{s}_{2\nu+1}^\prime ||... || \vec{s}_{2\nu + \mu}^\prime$ |
237 |
| - - $\vec{s}_i^\prime$ $\in R_q^{\lceil m/\mu \rceil}$ |
| 240 | + - $\vec{v} = \vec{s}_{2\nu+1}^\prime ||... || \vec{s}_{2\nu + \mu}^\prime$ |
| 241 | + - $\vec{s}_i^\prime$ $\in R_q^{\lceil m/\mu \rceil}$ |
238 | 242 | - 2. use base protocol to prove the new witness
|
239 | 243 | - get new relation $g^{(k)}(\vec{s_1}, ..., \vec{s_{r'}})$ $=\sum_{i,j=1}^{r'} a_{i,j}^{(k)}<\vec{s}_i, \vec{s}_j> + \sum_{i=1}^{r'} <\varphi_{i}^{(k)}, \vec{s}_i> - b^{(k)} = 0$
|
240 |
| - - $k = 1, ..., \kappa + \kappa_1 + \kappa_2 + 3$ |
| 244 | + - $k = 1, ..., \kappa + \kappa_1 + \kappa_2 + 3$ |
241 | 245 | - $a_{ij}$ value refer page 15
|
242 | 246 | - 3. keep recursing, until proof is small enough
|
243 | 247 | - need O(log log n) iterations
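Review bot: the new relation is named $g^{(k)}$, which collides with the inner products $g_{i,j}$ / $\vec{g}$ used throughout the notes, and its arguments are written $(\vec{s_1}, ..., \vec{s_{r'}})$ although the new witness was just defined as $\vec{s}_i^\prime$; use a letter not already taken for the relation and write the arguments as $(\vec{s}_1^\prime, ..., \vec{s}_{r'}^\prime)$ with correspondingly primed $a$, $\varphi$, $b$. Also "$a_{ij}$ value refer page 15" → "for the $a_{ij}$ values see page 15".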
|
|
247 | 251 | - verifier checks(without recursion)
|
248 | 252 | - data structure
|
249 | 253 | - $\vec{z}^{(0)}, \vec{z}^{(1)} \in R_q^n$
|
250 |
| - - $\vec{z}^{(0)} || \vec{z}^{(1)} \in R_q^{2n}$ |
| 254 | + - $\vec{z}^{(0)} || \vec{z}^{(1)} \in R_q^{2n}$ |
251 | 255 | - $\vec{v}$ $\in R_q^m$
|
252 | 256 | - params
|
253 |
| - - $2n \approx m$ |
| 257 | + - $2n \approx m$ |
254 | 258 | - $\gamma, \gamma_1, \gamma_2, \beta'$ (page 19)
|
255 |
| - - $\frac{n}{\nu} \approx \frac{m}{\mu}$ |
| 259 | + - $\frac{n}{\nu} \approx \frac{m}{\mu}$ |
256 | 260 | - $r' = 2\nu + \mu = O(r^{1/3})$ is optimal(page 5)
|
257 | 261 |
|
258 |
| - |
259 |
| - |
260 |
| - |
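Review bot: $m$ in $\vec{v} \in R_q^m$, $2n \approx m$ and $n/\nu \approx m/\mu$ is never defined; introduce it as the length of $\vec{v}$, the vector obtained by combining $\vec{t}, \vec{g}, \vec{h}$ in step 1 of this section. The removal of the trailing blank lines is fine.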
|