Halo2 Study Notes: Design of the Proving System

Posted mutourend

1. Introduction

Halo2 uses its own vocabulary to describe PLONK concepts:

  • 1) A PLONK-like argument is pictured as a table: each column corresponds to a "wire", and the entries of the table are called "cells".
  • 2) "Selector polynomials" are called "fixed columns". When a cell in a fixed column is used to control whether a particular constraint is enabled in that row, this is called a "selector constraint".
  • 3) The other polynomials, which only the Prover knows, are collectively called "advice columns".
  • 4) The term "gate" refers to a rule, for example:
    $A(X) \cdot q_A(X) + B(X) \cdot q_B(X) + A(X) \cdot B(X) \cdot q_M(X) + C(X) \cdot q_C(X) = 0$
  • 5) The polynomial $Z(X)$ (the grand product argument polynomial for the permutation argument) is called the "permutation product" column.

2. Proving system

The Halo2 proving system can be divided into the following 5 stages:

  1. Commit to polynomials encoding the main components of the circuit:
    • Cell assignments.
    • Permuted values and products for each lookup argument.
    • Equality constraint permutations.
  2. Construct the vanishing argument to constrain all circuit relations to zero:
    • Standard and custom gates.
    • Lookup argument rules.
    • Equality constraint permutation rules.
  3. Evaluate the above polynomials at all necessary points:
    • All relative rotations used by custom gates across all columns.
    • Vanishing argument pieces.
  4. Construct the multipoint opening argument to check that all evaluations are consistent
    with their respective commitments.
  5. Run the inner product argument to create a polynomial commitment opening proof for the multipoint opening argument polynomial.

For ease of explanation, the following constraint system is used as the running example:

  • 4 advice columns: $a, b, c, d$
  • 1 fixed column: $f$
  • 3 custom gates:
    • $a \cdot b \cdot c_{-1} - d = 0$
    • $f_{-1} \cdot c = 0$
    • $f \cdot d \cdot a = 0$
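
The vanishing argument of stage 2 applied to this example constraint system, as an added example (not code from Halo2 or from the original notes): it interpolates each column over the $n$-th roots of unity, combines the three gates with powers of a challenge $y$, and checks that the result divides exactly by $t(X) = X^n - 1$, giving the quotient that section 3 writes as $h(X)$. The toy field $\mathbb{F}_{17}$, $n = 4$, $\omega = 4$, the function names and both sample tables are assumptions made for illustration, and rotations wrap around from row 0 to row $n - 1$ here.

```python
# Added example. Toy parameters (assumptions): field F_17, n = 4 rows, omega = 4.
P, N, W = 17, 4, 4
W_INV = pow(W, -1, P)

def interpolate(vals):
    # Inverse DFT: coefficients of the degree < N polynomial with poly(W^i) = vals[i].
    n_inv = pow(N, -1, P)
    return [n_inv * sum(v * pow(W_INV, i * k, P) for i, v in enumerate(vals)) % P
            for k in range(N)]

def rotate_prev(coeffs):
    # Coefficients of p(W^-1 * X): the column read at relative rotation -1.
    return [c * pow(W_INV, k, P) % P for k, c in enumerate(coeffs)]

def mul(p, q):
    out = [0] * (len(p) + len(q) - 1)
    for i, x in enumerate(p):
        for j, z in enumerate(q):
            out[i + j] = (out[i + j] + x * z) % P
    return out

def add(p, q, scale=1):
    # p + scale * q, padding the shorter operand with zeros.
    m = max(len(p), len(q))
    p, q = p + [0] * (m - len(p)), q + [0] * (m - len(q))
    return [(x + scale * z) % P for x, z in zip(p, q)]

def divide_by_t(poly):
    # Long division by t(X) = X^N - 1; returns (quotient h, remainder).
    r = list(poly)
    h = [0] * max(len(r) - N, 0)
    for i in range(len(r) - 1, N - 1, -1):
        h[i - N], r[i - N] = r[i], (r[i - N] + r[i]) % P
    return h, r[:N]

def vanishing_check(table, y):
    a, b, c, d, f = (interpolate(table[k]) for k in "abcdf")
    g0 = add(mul(mul(a, b), rotate_prev(c)), d, scale=-1)  # a*b*c_{-1} - d
    g1 = mul(rotate_prev(f), c)                            # f_{-1}*c
    g2 = mul(mul(f, d), a)                                 # f*d*a
    combined = add(add(g0, g1, y), g2, y * y)              # g0 + y*g1 + y^2*g2
    h, rem = divide_by_t(combined)
    return h, not any(rem)

# Constructed sample tables; row 0 reads rotation -1 from row 3 (wrap-around).
GOOD = dict(a=[0, 3, 4, 2], b=[7, 5, 6, 1], c=[2, 0, 3, 5], d=[0, 13, 0, 6], f=[1, 0, 0, 0])
BAD = dict(GOOD, d=[0, 12, 0, 6])   # breaks a*b*c_{-1} - d = 0 on row 1

if __name__ == "__main__":
    for name, t in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, "h exists:", vanishing_check(t, y=5)[1])
```

The BAD table differs from GOOD in a single cell, and the division then leaves a non-zero remainder, so there is no polynomial $h(X)$ for the prover to commit to.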

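3. Simplified description of the Halo2 protocol

For details, see the Halo2 paper. The whole Halo2 protocol can be described in simplified form as follows. [Note: the protocol below does not have the zero-knowledge property.]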

| Prover | | Verifier |
|---|---|---|
| | $\leftarrow$ | $t(X) = (X^n - 1)$ |
| | $\leftarrow$ | $F = [F_0, F_1, \dots, F_{m - 1}]$ |
| $\mathbf{A} = [A_0, A_1, \dots, A_{m - 1}]$ | $\rightarrow$ | |
| | $\leftarrow$ | $\theta$ |
| $\mathbf{L} = [(A'_0, S'_0), \dots, (A'_{m - 1}, S'_{m - 1})]$ | $\rightarrow$ | |
| | $\leftarrow$ | $\beta, \gamma$ |
| $\mathbf{Z_P} = [Z_{P,0}, Z_{P,1}, \ldots]$ | $\rightarrow$ | |
| $\mathbf{Z_L} = [Z_{L,0}, Z_{L,1}, \ldots]$ | $\rightarrow$ | |
| | $\leftarrow$ | $y$ |
| $h(X) = \frac{\text{gate}_0(X) + \dots + y^i \cdot \text{gate}_i(X)}{t(X)}$ | | |
| $h(X) = h_0(X) + \dots + X^{n(d-1)} h_{d-1}(X)$ | | |
| $\mathbf{H} = [H_0, H_1, \dots, H_{d-1}]$ | $\rightarrow$ | |
| | $\leftarrow$ | $x$ |
| $evals = [A_0(x), \dots, H_{d - 1}(x)]$ | | |