
[book] Fix p_poly to match implementation; specify synthetic blinding factor f construction #777

Open
wants to merge 8 commits into
base: main

Conversation

therealyingtong
Collaborator

p_poly is constructed as a linear combination of q_prime and the q_polys in steps 18 and 19 of the protocol description. Previously, the expression used in the protocol description did not match the implementation:

Prover side (multiopen): fold the q_polys into q_prime, Horner-style, and fold the blinding factors the same way.

```rust
let (p_poly, p_poly_blind) = q_polys.into_iter().zip(q_blinds.into_iter()).fold(
    (q_prime_poly, q_prime_blind),
    |(q_prime_poly, q_prime_blind), (poly, blind)| {
        (
            // acc := x_4 * acc + q_i
            q_prime_poly * *x_4 + &poly.unwrap(),
            // same combination for the synthetic blinding factor
            Blind((q_prime_blind.0 * &(*x_4)) + &blind.0),
        )
    },
);
```

Verifier side: the matching fold over the commitments (as an MSM) and the claimed evaluations.

```rust
// Compute the final commitment that has to be opened
msm.append_term(C::Scalar::ONE, q_prime_commitment);
let (msm, v) = q_commitments.into_iter().zip(u.iter()).fold(
    (msm, msm_eval),
    |(mut msm, msm_eval), ((q_commitment, _), q_eval)| {
        // msm := x_4 * msm + Q_i, and the evaluation folded identically
        msm.scale(*x_4);
        msm.add_msm(&q_commitment);
        (msm, msm_eval * &(*x_4) + q_eval)
    },
);
```

p_poly is constructed as a linear combination of q_prime and the
q_polys in steps 18 and 19 of the protocol description.
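Added illustration, not code from halo2 or from this PR: both folds described above on a toy prime field with a linear toy commitment. It shows that the prover's Horner fold over $q'$ and the $q_i$ (with their blinding factors) equals the closed form $x_4^{n_q} q' + \sum_i x_4^{n_q-1-i} q_i$, and that the verifier's fold over commitments and evaluations lands on the commitment and evaluation of the folded polynomial. The modulus, generators and all polynomial values are constructed samples.

```rust
// Toy field: integers mod a small prime so the arithmetic stays plain u128.
const P: u128 = 2_147_483_647; // 2^31 - 1; a constructed toy modulus, not a curve field
fn add(a: u128, b: u128) -> u128 { (a + b) % P }
fn mul(a: u128, b: u128) -> u128 { (a * b) % P }
fn pow(b: u128, e: usize) -> u128 { (0..e).fold(1, |acc, _| mul(acc, b)) }
// A polynomial is its coefficient vector, lowest degree first; all have equal length here.
type Poly = Vec<u128>;
fn poly_add(a: &Poly, b: &Poly) -> Poly { a.iter().zip(b).map(|(x, y)| add(*x, *y)).collect() }
fn poly_scale(a: &Poly, s: u128) -> Poly { a.iter().map(|x| mul(*x, s)).collect() }
fn poly_eval(a: &Poly, x: u128) -> u128 { a.iter().rev().fold(0, |acc, c| add(mul(acc, x), *c)) }
// Toy Pedersen-style commitment <coeffs, G> + [blind] W in the additive group Z_P.
// Only its linearity matters for the folding argument; it is neither hiding nor binding.
fn commit(gens: &[u128], w: u128, poly: &Poly, blind: u128) -> u128 {
    let inner = gens.iter().zip(poly).fold(0, |acc, (g, c)| add(acc, mul(*g, *c)));
    add(inner, mul(blind, w))
}

// Prover side, mirroring the fold in the PR: start from q' and its blind, then for each q_i
// set acc := x4 * acc + q_i, and the same for the synthetic blinding factor.
fn fold_prover(q_prime: (Poly, u128), qs: &[(Poly, u128)], x4: u128) -> (Poly, u128) {
    qs.iter().fold(q_prime, |(p, pb), (q, qb)| {
        (poly_add(&poly_scale(&p, x4), q), add(mul(pb, x4), *qb))
    })
}
// The same combination written out: x4^{n_q} q' + sum_i x4^{n_q-1-i} q_i.
fn closed_form(q_prime: &Poly, qs: &[Poly], x4: u128) -> Poly {
    let n = qs.len();
    qs.iter().enumerate().fold(poly_scale(q_prime, pow(x4, n)), |acc, (i, q)| {
        poly_add(&acc, &poly_scale(q, pow(x4, n - 1 - i)))
    })
}
// Verifier side, mirroring msm.scale(x4); msm.add_msm(q_commitment) and msm_eval * x4 + q_eval.
fn fold_verifier(qp: (u128, u128), qs: &[(u128, u128)], x4: u128) -> (u128, u128) {
    qs.iter().fold(qp, |(c, e), (qc, qe)| (add(mul(c, x4), *qc), add(mul(e, x4), *qe)))
}

// Commitment and evaluation of the folded polynomial equal the folds of the commitments and
// evaluations, and the Horner fold equals the closed form; all inputs are constructed samples.
pub fn folds_agree() -> bool {
    let (gens, w, x4, x) = (vec![11u128, 22, 33, 44], 55u128, 7u128, 13u128);
    let q_prime: (Poly, u128) = (vec![1, 2, 3, 4], 9);
    let qs: Vec<(Poly, u128)> = vec![(vec![5, 6, 7, 8], 10), (vec![9, 8, 7, 6], 11), (vec![0, 1, 0, 1], 12)];
    let (p, pb) = fold_prover(q_prime.clone(), &qs, x4);
    let qs_v: Vec<(u128, u128)> = qs.iter().map(|(q, b)| (commit(&gens, w, q, *b), poly_eval(q, x))).collect();
    let (c, e) = fold_verifier((commit(&gens, w, &q_prime.0, q_prime.1), poly_eval(&q_prime.0, x)), &qs_v, x4);
    let polys: Vec<Poly> = qs.iter().map(|(q, _)| q.clone()).collect();
    commit(&gens, w, &p, pb) == c && poly_eval(&p, x) == e && p == closed_form(&q_prime.0, &polys, x4)
}
```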
@therealyingtong therealyingtong changed the title Update p_poly in protocol to match implementation Fix p_poly in protocol to match implementation May 21, 2023
@therealyingtong therealyingtong changed the title Fix p_poly in protocol to match implementation [book] Fix p_poly in protocol to match implementation May 21, 2023
@therealyingtong therealyingtong added A-documentation Area: Improvements or additions to documentation A-book Area: The Halo 2 book labels May 21, 2023
book/src/design/protocol.md (outdated review thread, resolved)
Contributor

@daira daira left a comment


ACK with non-blocking suggestion; doc-only.

therealyingtong and others added 2 commits May 22, 2023 19:51
Co-authored-by: Daira Hopwood <[email protected]>
Co-authored-by: str4d <[email protected]>
Contributor

@daira daira left a comment


ACK, this change looks correct. (I have not fully reviewed the protocol.) Doc-only.

@therealyingtong therealyingtong changed the title [book] Fix p_poly in protocol to match implementation [book] Fix p_poly to match implementation; specify synthetic blinding factor f construction May 27, 2023
book/src/design/protocol.md (outdated review thread, resolved)
Contributor

@daira daira left a comment


ACK with nonblocking suggestions.

book/src/design/protocol.md (8 outdated review threads, all resolved)
Contributor

@daira daira left a comment


ACK with suggestions.

12. $\prover$ initializes $q_0(X), q_1(X), ..., q_{n_q - 1}(X) = 0$.
* Starting at $i=0$ and ending at $n_a - 1$ $\prover$ sets $q_{\sigma(i)} := x_1 q_{\sigma(i)} + a'(X)$.
12. $\prover$ initializes $q_0(X), q_1(X), ..., q_{n_q - 1}(X) = 0$ and blinding factors $q^*_0, q^*_1, ..., q^*_{n_q-1} = 0$.
* Starting at $i=0$ and ending at $n_a - 1$ $\prover$ sets $q_{\sigma(i)} := x_1 q_{\sigma(i)} + a'(X)$ and $q^*_{\sigma(i)} := x_1 q^*_{\sigma(i)} + a^*_i$.
* $\prover$ finally sets $q_0(X) := x_1^2 q_0(X) + x_1 h'(X) + r(X)$.
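Review bot: the new bullet for $q_0(X) := x_1^2 q_0(X) + x_1 h'(X) + r(X)$ carries no matching update of the blinding factor $q^*_0$, although the bullet just above it updates $q^*_{\sigma(i)}$ alongside $q_{\sigma(i)}$; without it $q^*_0$ stops tracking the blinding of $q_0$ once $h'(X)$ and $r(X)$ are folded in. Add a parallel assignment such as $q^*_0 := x_1^2 q^*_0 + x_1 h'^* + r^*$, using whatever names the description gives the blinding factors of $h'(X)$ and $r(X)$.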
Collaborator Author


Suggested change
* $\prover$ finally sets $q_0(X) := x_1^2 q_0(X) + x_1 h'(X) + r(X)$.
* $\prover$ finally sets $q_0(X) := x_1^2 q_0(X) + x_1 h'(X) + r(X)$ and $q^*_0 := x_1^2 q^*_0 + x_1 h'^* + r^*$.

@@ -330,7 +330,7 @@ In the following protocol, we take it for granted that each polynomial $a_i(X, \

1. $\prover$ and $\verifier$ proceed in the following $n_a$ rounds of interaction, where in round $j$ (starting at $0$)
* $\prover$ sets $a'_j(X) = a_j(X, c_0, c_1, ..., c_{j - 1}, a_0(X, \cdots), ..., a_{j - 1}(X, \cdots, c_{j - 1}))$
* $\prover$ sends a hiding commitment $A_j = \innerprod{\mathbf{a'}}{\mathbf{G}} + [\cdot] W$ where $\mathbf{a'}$ are the coefficients of the univariate polynomial $a'_j(X)$ and $\cdot$ is some random, independently sampled blinding factor elided for exposition. (This elision notation is used throughout this protocol description to simplify exposition.)
* $\prover$ sends a hiding commitment $A_j = \innerprod{\mathbf{a'}}{\mathbf{G}} + [a^*_j] W$ where $\mathbf{a'}$ are the coefficients of the univariate polynomial $a'_j(X)$ and $a^*_j$ is some random, independently sampled blinding factor. (Similar notation is used throughout this protocol description, if the value is not reused we will use $\cdot$ to simplify exposition.)
* $\verifier$ responds with a challenge $c_j$.
2. $\prover$ sets $g'(X) = g(X, c_0, c_1, ..., c_{n_a - 1}, \cdots)$.
3. $\prover$ sends a commitment $R = \innerprod{\mathbf{r}}{\mathbf{G}} + [\cdot] W$ where $\mathbf{r} \in \field^n$ are the coefficients of a randomly sampled univariate polynomial $r(X)$ of degree $n - 1$.
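Review bot: the hunk names the blinding factor of $A_j$ as $a^*_j$, but the unchanged context line for step 3 still writes $R$ with an anonymous $[\cdot] W$ term; since the blinding factor of $R$ is one of the values combined into the synthetic blinding factor, it is reused and by the hunk's own new convention should be named, e.g. $[r^*] W$. The added parenthetical is also a comma splice; suggest "(Similar notation is used throughout this protocol description; if a value is not reused we write $\cdot$ to simplify exposition.)".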
Collaborator Author


Suggested change
3. $\prover$ sends a commitment $R = \innerprod{\mathbf{r}}{\mathbf{G}} + [\cdot] W$ where $\mathbf{r} \in \field^n$ are the coefficients of a randomly sampled univariate polynomial $r(X)$ of degree $n - 1$.
3. $\prover$ sends a commitment $R = \innerprod{\mathbf{r}}{\mathbf{G}} + [r^*] W$ where $\mathbf{r} \in \field^n$ are the coefficients of a randomly sampled univariate polynomial $r(X)$ of degree $n - 1$.

Labels: A-book (Area: The Halo 2 book), A-documentation (Area: Improvements or additions to documentation)
3 participants