|
1 | 1 | ## 0. setup
|
2 | 2 | - relation R
|
| 3 | + - In DPCS(dot product constraint system), there are k constraints, each constraint has a, phi and b |
3 | 4 | - constraints
|
4 |
| - - $f^{(k)}(\vec{s_1}, ..., \vec{s_{r}})$ $=\sum_{i,j=1}^{r'} a_{i,j}^{(k)}<\vec{s}_i, \vec{s}_j> + \sum_{i=1}^{r} <\varphi_{i}^{(k)}, \vec{s}_i> - b^{(k)} = 0$ |
| 5 | + - $f^{(k)}(\vec{s_1}, ..., \vec{s_{r}})$ $=\sum_{i,j=1}^{r} a_{i,j}^{(k)}<\vec{s}_i, \vec{s}_j> + \sum_{i=1}^{r} <\varphi_{i}^{(k)}, \vec{s}_i> - b^{(k)} = 0$ |
5 | 6 | - $ct(f'^{(l)}(\vec{s_1}, ..., \vec{s_{l}}))$ $=ct(\sum_{i,j=1}^{L} a_{i,j}^{(k)}<\vec{s}_i, \vec{s}_j> + \sum_{i=1}^{L} <\varphi_{i}^{(l)}, \vec{s}_i> - b^{(l)}) \mod q'$
|
6 | 7 | - norm check
|
7 | 8 | - $\vec{s}$ is witness
|
8 | 9 | - $\sum_{i=1}^r||\vec{s_i}||_2^2 \le \beta^2$
|
9 |
| - - data structure |
| 10 | + - data structure (page 10) |
10 | 11 | - $\vec{s_i}$, $\vec{s_j}$ $\in R_q^{n}$
|
11 | 12 | - $\vec{\varphi}_i^{(k)}$ $\in R_q^{n}$
|
12 | 13 | - $a_{ij}^{(k)}$ $\in R_q$
|
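Review bot: In the added line 3, "there are k constraints" uses k as a count, but every formula below it uses k as the index of one constraint ($f^{(k)}$, $a_{i,j}^{(k)}$, $b^{(k)}$), and the notes later write the count as $|F|$. Suggest naming the count separately and writing "each constraint $f^{(k)}$ has $a^{(k)}$, $\varphi^{(k)}$ and $b^{(k)}$". The $r'$ to $r$ fix on line 5 makes both sums agree with the argument list, but the unchanged line 6 still mixes $a_{i,j}^{(k)}$ with $\varphi_i^{(l)}$ and $b^{(l)}$ and sums to $L$ while the arguments run to $\vec{s_l}$, so it is worth fixing in the same commit.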
|
45 | 46 | - $1 \le i \le j \le r$
|
46 | 47 | - $0 \le k \le t_2 - 1$
|
47 | 48 | - $t_2$ see below decomposition section
|
48 |
| - - $\kappa_2$ ?? |
| 49 | + - $\kappa_2$?? |
49 | 50 | - $D_{ijk} \in R_q^{\kappa_2 \times 1}$
|
50 | 51 | - $1 \le i \le j \le r$
|
51 | 52 | - $0 \le k \le t_1 - 1$
|
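Review bot: Line 49 still leaves $\kappa_2$ as an open question; the change only removes the space before "??". Line 50 depends on it for the shape of $D_{ijk} \in R_q^{\kappa_2 \times 1}$, so either define $\kappa_2$ here or replace "??" with an explicit TODO that says what is missing, the way line 48 points to the decomposition section for $t_2$.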
|
117 | 118 | - 1: 1/4
|
118 | 119 | - prover calculate $p_j$
|
119 | 120 | - $p_j =\sum_{i=1}^r<\pi_i^{(j)}, \vec{s_i}>$ $\in Z_q$, $j = 1, . . . , 2λ$
|
| 121 | + - $\vec{\pi}_i^{(j)}$ is the j-th row of $\prod_i$ |
120 | 122 | - prover sends $\vec{p} \in Z_q^{2\lambda}$
|
121 | 123 | - verifier check $||\vec{p}||_2 \le \sqrt{\lambda}\beta$ instead of $\sum_{i=1}^r||\vec{s_i}||_2^2 \le \beta^2$
|
122 | 124 | - notes: greyhound only use {1, -1} to do the sample
|
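Review bot: In the added line 121, $\prod_i$ renders as the product operator rather than a matrix name; if the projection matrix is meant, write $\Pi_i$. The new line also writes $\vec{\pi}_i^{(j)}$ with an arrow while line 120 writes $\pi_i^{(j)}$ without one, so pick one form. The visible lines do not state the dimensions of the matrix; giving them next to this definition would make the inner product with $\vec{s_i}$ on line 120 checkable.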
|
153 | 155 | - $+ \sum_{j=1}^{2\lambda}\vec{\omega}_j^{(k)}(\sum_{i=1}^r<\sigma_{-1}(\vec{\pi_i}^{(j)}), \vec{s}_i> - p_j)$
|
154 | 156 | - $=\sum_{i,j=1}^r a_{i,j}^{''(k)}<\vec{s}_i, \vec{s}_j> + \sum_{i=1}^r <\varphi_{i}^{''(k)}, \vec{s}_i> - b_0^{''(k)}$
|
155 | 157 | - so prover gets:
|
156 |
| - - $a_{i,j}^{''(k)} = \sum_{l=1}^{|L|}\vec{\psi}_l^{(k)}a_{i,j}^{'(l)}$ |
157 |
| - - $\varphi_{i}^{''(k)} = \sum_{l=1}^{|L|}\vec{\psi}_l^{(k)}\varphi_{i}^{'(l)} + \sum_{j=1}^{2\lambda}\vec{\omega}_j^{(k)}\sigma_{-1}(\vec{\pi_i}^{(j)})$ |
158 |
| - - $b^{''(k)} = \sum_{i,j=1}^r a_{i,j}^{''(k)}<\vec{s}_i, \vec{s}_j> + \sum_{i=1}^r <\varphi_{i}^{''(k)}, \vec{s}_i>$ |
| 158 | + - $a_{i,j}^{''(k)} = \sum_{l=1}^{|L|}\vec{\psi}_l^{(k)}a_{i,j}^{'(l)}$ $\in R_q$ |
| 159 | + - $\varphi_{i}^{''(k)} = \sum_{l=1}^{|L|}\vec{\psi}_l^{(k)}\varphi_{i}^{'(l)} + \sum_{j=1}^{2\lambda}\vec{\omega}_j^{(k)}\sigma_{-1}(\vec{\pi_i}^{(j)})$ $\in R_q^n$ |
| 160 | + - $b_0^{''(k)} = \sum_{l=1}^{|L|}\vec{\psi}_l^{(k)}b_0'^{(l)} + <\vec{\omega}^{(k)}, \vec{p}>$ |
159 | 161 | - extends integers $b_0^{''(k)}$ to full polynomials such that $f^{''(k)}(\vec{s_1}, ..., \vec{s_r}) = 0$
|
160 |
| - - prover sends $b_0^{''(k)}$ to verifier |
161 |
| - - verifier checks the constant term |
162 |
| - - $b_0^{''(k)} = \sum_{l=1}^{|L|}\vec{\psi}_l^{(k)}b_0^{(l)} + <\vec{\omega}^{(k)}, \vec{p}>$ |
| 162 | + - $b^{''(k)} = \sum_{i,j=1}^r a_{i,j}^{''(k)}<\vec{s}_i, \vec{s}_j> + \sum_{i=1}^r <\varphi_{i}^{''(k)}, \vec{s}_i>$ |
| 163 | + - prover sends $b^{''(k)}$ to verifier |
| 164 | + - verifier checks the constant term of $b^{''(k)}$ |
| 165 | + - $b_0^{''(k)} = \sum_{l=1}^{|L|}\vec{\psi}_l^{(k)}b_0'^{(l)} + <\vec{\omega}^{(k)}, \vec{p}>$ |
163 | 166 | - 2. aggregate linear constraints $f^{(k)}(k = 1,..., |F|)$ and $f^{''(k)}(k = 1,..., \lceil \lambda/log_2(q) \rceil)$
|
164 | 167 | - verifier sends random samples from challenge space: $\vec{\alpha} \xleftarrow{\$} R_q^{|F|}$, $\vec{\beta} \xleftarrow{\$} R_q^{\lceil \lambda/log_2(q) \rceil}, K = |F|$
|
165 | 168 | - $F = <\vec{\alpha}, f> + <\vec{\beta}, f''>$
|
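Review bot: The formula for $b_0^{''(k)}$ now appears twice with identical text, on line 160 under "so prover gets" and on line 165 under the verifier check. Keep it once as the definition and phrase line 165 as the equality being tested: the constant term of the received $b^{''(k)}$ must equal $\sum_{l=1}^{|L|}\vec{\psi}_l^{(k)}b_0'^{(l)} + <\vec{\omega}^{(k)}, \vec{p}>$. It would also help to say on line 165 that the verifier recomputes the right-hand side itself from $\vec{\psi}$, $\vec{\omega}$ and $\vec{p}$, so the role of each party is unambiguous.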
|
193 | 196 | - verifier sends challenge $c_i$ $\in R_q$ from challenge space
|
194 | 197 | - prover calculates $\vec{z}, \vec{h}$
|
195 | 198 | - $\vec{z} = \sum_{i=1}^{r} c_i \vec{s}_i$
|
| 199 | + - $c_i \vec{s}_i$: multiply $c_i$ by each element of $\vec{s}_i$ then get a new vector |
196 | 200 | - provers sends $\vec{z}, \vec{t}, \vec{g}, \vec{h}$
|
197 | 201 | - data structure
|
198 | 202 | - $c_i$ $\in R_q$
|
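Review bot: The added line 199 says "multiply" without naming the ring. Since $c_i \in R_q$ (line 202) and the entries of $\vec{s}_i$ are in $R_q$, each product is a polynomial multiplication in $R_q$, not an integer scaling; suggest "multiply each entry of $\vec{s}_i$ by $c_i$ in $R_q$, giving a vector in $R_q^n$". Line 197 says the prover calculates $\vec{z}, \vec{h}$, but only $\vec{z}$ is defined before the send step on line 200, so a matching line for $\vec{h}$ belongs here too.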
|
255 | 259 | - $\frac{n}{\nu} \approx \frac{m}{\mu}$
|
256 | 260 | - $r' = 2\nu + \mu = O(r^{1/3})$ is optimal(page 5)
|
257 | 261 |
|
258 |
| - |
259 |
| - |
260 |
| - |
|