Halo2 学习笔记——设计之Proving system之Multipoint opening argument
Posted mutourend
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Halo2 学习笔记——设计之Proving system之Multipoint opening argument相关的知识,希望对你有一定的参考价值。
1. 引言
假设
A
,
B
,
C
,
D
A,B,C,D
A,B,C,D分别对应多项式
a
(
X
)
,
b
(
X
)
,
c
(
X
)
,
d
(
X
)
a(X), b(X), c(X), d(X)
a(X),b(X),c(X),d(X)的commitment。
假设
a
(
X
)
,
b
(
X
)
a(X), b(X)
a(X),b(X) are queried at point
x
x
x,
c
(
X
)
,
d
(
X
)
c(X), d(X)
c(X),d(X) are queried at point
x
x
x和
ω
x
\\omega x
ωx。(此处,
ω
\\omega
ω为the primitive root of unity in the multiplicative subgroup over which we constructed the polynomials。)
为了open这些commitments,可构建多项式 Q Q Q for each point that queried at(对应为circuit中的每个relative rotation),但是这样的circuit效率并不开,如 c ( X ) c(X) c(X)将在多个多项式中出现。
相反,可将commitments和queried points 进行分组:
{
x
}
{
x
,
ω
x
}
A
C
B
D
\\begin{array}{cccc} &\\{x\\}& &\\{x, \\omega x\\}& \\\\ &A& &C& \\\\ &B& &D& \\end{array}
{x}AB{x,ωx}CD
对于每组,可combine为a polynomial set,然后create a single Q Q Q for that set,which we open at each rotation。
2. Optimization steps
multipoint opening optimization 的输入有:
- 由Verifier提供的随机值 x x x,基于该随机值来evaluate a ( X ) , b ( X ) , c ( X ) , d ( X ) a(X), b(X), c(X), d(X) a(X),b(X),c(X),d(X)。
- 在每个point每个多项式的evaluations值,由Prover提供:
a ( x ) , b ( x ) , c ( x ) , d ( x ) , c ( ω x ) , d ( ω x ) a(x), b(x), c(x), d(x), c(\\omega x), d(\\omega x) a(x),b(x),c(x),d(x),c(ωx),d(ωx)
这些都是vanishing argument的输出。
multipoint opening optimization的处理流程为:
- 1)引入随机值 x 1 x_1 x1,来keep a , b , c , d a,b,c,d a,b,c,d linearly independent。
- 2)Accumulate polynomials and their corresponding evaluations according to the point set at which they were queried:
q_polys:
q 1 ( X ) = a ( X ) + x 1 b ( X ) q 2 ( X ) = c ( X ) + x 1 d ( X ) \\begin{array}{rccl} q_1(X) &=& a(X) &+& x_1 b(X) \\\\ q_2(X) &=& c(X) &+& x_1 d(X) \\end{array} q1(X)q2(X)==a(X)c(X)++x1b(X)x1d(X)
q_eval_sets:【为a vector of sets of evaluations,其中最外层vector对应为polynomial sets,最里层vector对应为evaluation of point sets in each polynomial set。】[ [a(x) + x_1 b(x)], [ c(x) + x_1 d(x), c(\\omega x) + x_1 d(\\omega x) ] ] - 3) 对
q_eval_sets中每个set of values进行插值:
r_polys:
r 1 ( X ) s . t . r 1 ( x ) = a ( x ) + x 1 b ( x ) r 2 ( X ) s . t . r 2 ( x ) = c ( x ) + x 1 d ( x ) r 2 ( ω x ) = c ( ω x ) + x 1 d ( ω x ) \\begin{array}{cccc} r_1(X) s.t.&&& \\\\ &r_1(x) &=& a(x) + x_1 b(x) \\\\ r_2(X) s.t.&&& \\\\ &r_2(x) &=& c(x) + x_1 d(x) \\\\ &r_2(\\omega x) &=& c(\\omega x) + x_1 d(\\omega x) \\\\ \\end{array} r1(X)s.t.r2(X)s.t.r1(x)r2(x)r2(ωx)===a(x)+x1b(x)c(x)+x1d(x)c(ωx)+x1d(ωx) - 4)构建
f_polys来checkq_polys的正确性:
f_polys
f 1 ( X ) = q 1 ( X ) − r 1 ( X ) X − x f 2 ( X ) = q 2 ( X ) − r 2 ( X ) ( X − x ) ( X − ω x ) \\begin{array}{rcl} f_1(X) &=& \\frac{ q_1(X) - r_1(X)}{X - x} \\\\ f_2(X) &=& \\frac{ q_2(X) - r_2(X)}{(X - x)(X - \\omega x)} \\\\ \\end{array} f1(X)f2(X)==X−xq1(X)−r1(X)(X−x)(X−ωx)q2(X)−r2(X)
若 q 1 ( x ) = r 1 ( x ) q_1(x) = r_1(x) q1(x)=r1(x), 则 f 1 ( X ) f_1(X) f1(X)应为 a polynomial.
若 q以上是关于Halo2 学习笔记——设计之Proving system之Multipoint opening argument的主要内容,如果未能解决你的问题,请参考以下文章
Halo2 学习笔记——设计之Proving system之Permutation argument
Halo2 学习笔记——设计之Proving system之Lookup argument
Halo2 学习笔记——设计之Proving system之Circuit commitments
Halo2 学习笔记——设计之Proving system之Vanishing argument