<buttonid="sidebar-toggle"class="icon-button"type="button"title="Toggle Table of Contents"aria-label="Toggle Table of Contents"aria-controls="sidebar">
<inputtype="search"id="searchbar"name="searchbar"placeholder="Search this book ..."aria-controls="searchresults-outer"aria-describedby="searchresults-header">
<p>We want to commit to some polynomial <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mord mathnormal">p</span><spanclass="mopen">(</span><spanclass="mord mathnormal"style="margin-right:0.07847em;">X</span><spanclass="mclose">)</span><spanclass="mspace"style="margin-right:0.2778em;"></span><spanclass="mrel">∈</span><spanclass="mspace"style="margin-right:0.2778em;"></span></span><spanclass="base"><spanclass="strut"style="height:1.0361em;vertical-align:-0.2861em;"></span><spanclass="mord"><spanclass="mord mathbb">F</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.1514em;"><spanstyle="top:-2.55em;margin-left:0em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight">p</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.2861em;"><span></span></span></span></span></span></span><spanclass="mopen">[</span><spanclass="mord mathnormal"style="margin-right:0.07847em;">X</span><spanclass="mclose">]</span></span></span></span>, and be able to provably
<p>Given a parameter <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.6944em;"></span><spanclass="mord mathnormal">d</span><spanclass="mspace"style="margin-right:0.2778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:0.2778em;"></span></span><spanclass="base"><spanclass="strut"style="height:1.0435em;vertical-align:-0.1944em;"></span><spanclass="mord"><spanclass="mord">2</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.8491em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.03148em;">k</span></span></span></span></span></span></span></span><spanclass="mpunct">,</span></span></span></span> we generate the common reference string
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.4306em;"></span><spanclass="mord mathnormal"style="margin-right:0.03588em;">σ</span><spanclass="mspace"style="margin-right:0.2778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:0.2778em;"></span></span><spanclass="base"><spanclass="strut"style="height:1.0361em;vertical-align:-0.2861em;"></span><spanclass="mopen">(</span><spanclass="mord mathbb">G</span><spanclass="mpunct">,</span><spanclass="mspace"style="margin-right:0.1667em;"></span><spanclass="mord mathbf">G</span><spanclass="mpunct">,</span><spanclass="mspace"style="margin-right:0.1667em;"></span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span><spanclass="mpunct">,</span><spanclass="mspace"style="margin-right:0.1667em;"></span><spanclass="mord"><spanclass="mord mathbb">F</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.1514em;"><spanstyle="top:-2.55em;margin-left:0em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight">p</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.2861em;"><span></span></span></span></span></span></span><spanclass="mclose">)</span></span></span></span> defining certain constants for this
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.6889em;"></span><spanclass="mord mathbb">G</span></span></span></span> is a group of prime order <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.625em;vertical-align:-0.1944em;"></span><spanclass="mord mathnormal">p</span><spanclass="mpunct">;</span></span></span></span></li>
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.7252em;vertical-align:-0.0391em;"></span><spanclass="mord mathbf">G</span><spanclass="mspace"style="margin-right:0.2778em;"></span><spanclass="mrel">∈</span><spanclass="mspace"style="margin-right:0.2778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.8491em;"></span><spanclass="mord"><spanclass="mord mathbb">G</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.8491em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight">d</span></span></span></span></span></span></span></span></span></span></span> is a vector of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.6944em;"></span><spanclass="mord mathnormal">d</span></span></span></span> random group elements;</li>
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.7224em;vertical-align:-0.0391em;"></span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span><spanclass="mspace"style="margin-right:0.2778em;"></span><spanclass="mrel">∈</span><spanclass="mspace"style="margin-right:0.2778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.6889em;"></span><spanclass="mord mathbb">G</span></span></span></span> is a random group element; and</li>
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.975em;vertical-align:-0.2861em;"></span><spanclass="mord"><spanclass="mord mathbb">F</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.1514em;"><spanstyle="top:-2.55em;margin-left:0em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight">p</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.2861em;"><span></span></span></span></span></span></span></span></span></span> is the finite field of order <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.625em;vertical-align:-0.1944em;"></span><spanclass="mord mathnormal">p</span><spanclass="mord">.</span></span></span></span></li>
<p>The Pedersen vector commitment <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.6833em;"></span><spanclass="mord text"><spanclass="mord">Commit</span></span></span></span></span> is defined as</p>
<p>for some polynomial <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mord mathnormal">p</span><spanclass="mopen">(</span><spanclass="mord mathnormal"style="margin-right:0.07847em;">X</span><spanclass="mclose">)</span><spanclass="mspace"style="margin-right:0.2778em;"></span><spanclass="mrel">∈</span><spanclass="mspace"style="margin-right:0.2778em;"></span></span><spanclass="base"><spanclass="strut"style="height:1.0361em;vertical-align:-0.2861em;"></span><spanclass="mord"><spanclass="mord mathbb">F</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.1514em;"><spanstyle="top:-2.55em;margin-left:0em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight">p</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.2861em;"><span></span></span></span></span></span></span><spanclass="mopen">[</span><spanclass="mord mathnormal"style="margin-right:0.07847em;">X</span><spanclass="mclose">]</span></span></span></span> and some blinding factor
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.5782em;vertical-align:-0.0391em;"></span><spanclass="mord mathnormal"style="margin-right:0.02778em;">r</span><spanclass="mspace"style="margin-right:0.2778em;"></span><spanclass="mrel">∈</span><spanclass="mspace"style="margin-right:0.2778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.975em;vertical-align:-0.2861em;"></span><spanclass="mord"><spanclass="mord mathbb">F</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.1514em;"><spanstyle="top:-2.55em;margin-left:0em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight">p</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.2861em;"><span></span></span></span></span></span></span><spanclass="mord">.</span></span></span></span> Here, each element of the vector <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.6891em;vertical-align:-0.15em;"></span><spanclass="mord"><spanclass="mord mathbf">a</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.3117em;"><spanstyle="top:-2.55em;margin-left:0em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight">i</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span><spanclass="mspace"style="margin-right:0.2778em;"></span><spanclass="mrel">∈</span><spanclass="mspace"style="margin-right:0.2778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.975em;vertical-align:-0.2861em;"></span><spanclass="mord"><spanclass="mord mathbb">F</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.1514em;"><spanstyle="top:-2.55em;margin-left:0em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight">p</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.2861em;"><span></span></span></span></span></span></span></span></span></span> is
the coefficient for the <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.6595em;"></span><spanclass="mord mathnormal">i</span></span></span></span>th degree term of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mord mathnormal">p</span><spanclass="mopen">(</span><spanclass="mord mathnormal"style="margin-right:0.07847em;">X</span><spanclass="mclose">)</span><spanclass="mpunct">,</span></span></span></span> and <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mord mathnormal">p</span><spanclass="mopen">(</span><spanclass="mord mathnormal"style="margin-right:0.07847em;">X</span><spanclass="mclose">)</span></span></span></span> is of maximal degree
<h3id="open-prover-and-openverify-verifier"><aclass="header"href="#open-prover-and-openverify-verifier"><code>Open</code> (prover) and <code>OpenVerify</code> (verifier)</a></h3>
<p>where <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.6944em;"></span><spanclass="mord mathbf">b</span><spanclass="mspace"style="margin-right:0.2778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:0.2778em;"></span></span><spanclass="base"><spanclass="strut"style="height:1.0991em;vertical-align:-0.25em;"></span><spanclass="mopen">(</span><spanclass="mord">1</span><spanclass="mpunct">,</span><spanclass="mspace"style="margin-right:0.1667em;"></span><spanclass="mord mathnormal">x</span><spanclass="mpunct">,</span><spanclass="mspace"style="margin-right:0.1667em;"></span><spanclass="mord"><spanclass="mord mathnormal">x</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.8141em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight">2</span></span></span></span></span></span></span></span><spanclass="mpunct">,</span><spanclass="mspace"style="margin-right:0.1667em;"></span><spanclass="minner">⋯</span><spanclass="mspace"style="margin-right:0.1667em;"></span><spanclass="mspace"style="margin-right:0.1667em;"></span><spanclass="mpunct">,</span><spanclass="mspace"style="margin-right:0.1667em;"></span><spanclass="mord"><spanclass="mord mathnormal">x</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.8491em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mathnormal mtight">d</span><spanclass="mbin mtight">−</span><spanclass="mord mtight">1</span></span></span></span></span></span></span></span></span><spanclass="mclose">)</span></span></span></span> is composed of increasing powers of the
evaluation point <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.4306em;"></span><spanclass="mord mathnormal">x</span><spanclass="mord">.</span></span></span></span> This allows a prover to demonstrate to a verifier that the
polynomial contained “inside” the commitment <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.6833em;"></span><spanclass="mord mathnormal"style="margin-right:0.13889em;">P</span></span></span></span> evaluates to <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.4306em;"></span><spanclass="mord mathnormal"style="margin-right:0.03588em;">v</span></span></span></span> at <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.625em;vertical-align:-0.1944em;"></span><spanclass="mord mathnormal">x</span><spanclass="mpunct">,</span></span></span></span> and moreover,
that the committed polynomial has maximum degree <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.7778em;vertical-align:-0.0833em;"></span><spanclass="mord mathnormal">d</span><spanclass="mspace"style="margin-right:0.2222em;"></span><spanclass="mbin">−</span><spanclass="mspace"style="margin-right:0.2222em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.6444em;"></span><spanclass="mord">1.</span></span></span></span></p>
<p>The inner product argument proceeds in <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.6944em;"></span><spanclass="mord mathnormal"style="margin-right:0.03148em;">k</span><spanclass="mspace"style="margin-right:0.2778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:0.2778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.9386em;vertical-align:-0.2441em;"></span><spanclass="mop"><spanclass="mop">lo<spanstyle="margin-right:0.01389em;">g</span></span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.207em;"><spanstyle="top:-2.4559em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight">2</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.2441em;"><span></span></span></span></span></span></span><spanclass="mspace"style="margin-right:0.1667em;"></span><spanclass="mord mathnormal">d</span></span></span></span> rounds. For our purposes, it is
<p>Before beginning the argument, the verifier selects a random group element <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.6833em;"></span><spanclass="mord mathnormal"style="margin-right:0.10903em;">U</span></span></span></span> and sends it
to the prover. We initialize the argument at round <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8889em;vertical-align:-0.1944em;"></span><spanclass="mord mathnormal"style="margin-right:0.03148em;">k</span><spanclass="mpunct">,</span></span></span></span> with the vectors
<li>the prover computes two values <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.9694em;vertical-align:-0.2861em;"></span><spanclass="mord"><spanclass="mord mathnormal">L</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.3117em;"><spanstyle="top:-2.55em;margin-left:0em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.05724em;">j</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.2861em;"><span></span></span></span></span></span></span></span></span></span> and <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.9694em;vertical-align:-0.2861em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.00773em;">R</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.3117em;"><spanstyle="top:-2.55em;margin-left:-0.0077em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.05724em;">j</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.2861em;"><span></span></span></span></span></span></span></span></span></span> by taking some inner product of
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.888em;"></span><spanclass="mord"><spanclass="mord mathbf">a</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.888em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mopen mtight">(</span><spanclass="mord mathnormal mtight"style="margin-right:0.05724em;">j</span><spanclass="mclose mtight">)</span></span></span></span></span></span></span></span></span></span></span></span> with <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.888em;"></span><spanclass="mord"><spanclass="mord mathbf">G</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.888em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mopen mtight">(</span><spanclass="mord mathnormal mtight"style="margin-right:0.05724em;">j</span><spanclass="mclose mtight">)</span></span></span></span></span></span></span></span></span></span></span></span> and <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.888em;"></span><spanclass="mord"><spanclass="mord mathbf">b</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.888em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mopen mtight">(</span><spanclass="mord mathnormal mtight"style="margin-right:0.05724em;">j</span><spanclass="mclose mtight">)</span></span></span></span></span></span></span></span></span></span></span></span>. Note that are in some
sense "cross-terms": the lower half of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.4444em;"></span><spanclass="mord mathbf">a</span></span></span></span> is used with the higher half of
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.6861em;"></span><spanclass="mord mathbf">G</span></span></span></span> and <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.6944em;"></span><spanclass="mord mathbf">b</span></span></span></span>, and vice versa:</li>
next round <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.854em;vertical-align:-0.1944em;"></span><spanclass="mord mathnormal"style="margin-right:0.05724em;">j</span><spanclass="mspace"style="margin-right:0.2222em;"></span><spanclass="mbin">−</span><spanclass="mspace"style="margin-right:0.2222em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.6444em;"></span><spanclass="mord">1.</span></span></span></span></li>
<p>Note that at the end of the last round <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.854em;vertical-align:-0.1944em;"></span><spanclass="mord mathnormal"style="margin-right:0.05724em;">j</span><spanclass="mspace"style="margin-right:0.2778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:0.2778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.8389em;vertical-align:-0.1944em;"></span><spanclass="mord">1</span><spanclass="mpunct">,</span></span></span></span> we are left with <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.4306em;"></span><spanclass="mord mathnormal">a</span><spanclass="mspace"style="margin-right:0.2778em;"></span><spanclass="mrel">:=</span><spanclass="mspace"style="margin-right:0.2778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.888em;"></span><spanclass="mord"><spanclass="mord mathbf">a</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.888em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mopen mtight">(</span><spanclass="mord mtight">0</span><spanclass="mclose mtight">)</span></span></span></span></span></span></span></span></span></span></span></span>,
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.6833em;"></span><spanclass="mord mathnormal">G</span><spanclass="mspace"style="margin-right:0.2778em;"></span><spanclass="mrel">:=</span><spanclass="mspace"style="margin-right:0.2778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.888em;"></span><spanclass="mord"><spanclass="mord mathbf">G</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.888em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mopen mtight">(</span><spanclass="mord mtight">0</span><spanclass="mclose mtight">)</span></span></span></span></span></span></span></span></span></span></span></span>, <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.6944em;"></span><spanclass="mord mathnormal">b</span><spanclass="mspace"style="margin-right:0.2778em;"></span><spanclass="mrel">:=</span><spanclass="mspace"style="margin-right:0.2778em;"></span></span><spanclass="base"><spanclass="strut"style="height:1.0824em;vertical-align:-0.1944em;"></span><spanclass="mord"><spanclass="mord mathbf">b</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.888em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mopen mtight">(</span><spanclass="mord mtight">0</span><spanclass="mclose mtight">)</span></span></span></span></span></span></span></span></span><spanclass="mpunct">,</span></span></span></span> each of length 1. The intuition is that
these final scalars, together with the challenges <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1.0361em;vertical-align:-0.2861em;"></span><spanclass="mopen">{</span><spanclass="mord"><spanclass="mord mathnormal">u</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.3117em;"><spanstyle="top:-2.55em;margin-left:0em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.05724em;">j</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.2861em;"><span></span></span></span></span></span></span><spanclass="mclose">}</span></span></span></span> and "cross-terms"
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1.0361em;vertical-align:-0.2861em;"></span><spanclass="mopen">{</span><spanclass="mord"><spanclass="mord mathnormal">L</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.3117em;"><spanstyle="top:-2.55em;margin-left:0em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.05724em;">j</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.2861em;"><span></span></span></span></span></span></span><spanclass="mpunct">,</span><spanclass="mspace"style="margin-right:0.1667em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.00773em;">R</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.3117em;"><spanstyle="top:-2.55em;margin-left:-0.0077em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.05724em;">j</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.2861em;"><span></span></span></span></span></span></span><spanclass="mclose">}</span></span></span></span> from each round, encode the compression in each round. Since the prover did
not know the challenges <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1.0361em;vertical-align:-0.2861em;"></span><spanclass="mord mathnormal"style="margin-right:0.10903em;">U</span><spanclass="mpunct">,</span><spanclass="mspace"style="margin-right:0.1667em;"></span><spanclass="mopen">{</span><spanclass="mord"><spanclass="mord mathnormal">u</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.3117em;"><spanstyle="top:-2.55em;margin-left:0em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.05724em;">j</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.2861em;"><span></span></span></span></span></span></span><spanclass="mclose">}</span></span></span></span> in advance, they would have been unable to manipulate
that the compression had been performed correctly, and that the original <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.4444em;"></span><spanclass="mord mathbf">a</span></span></span></span>
<p>Note that <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8889em;vertical-align:-0.1944em;"></span><spanclass="mord mathnormal">G</span><spanclass="mpunct">,</span><spanclass="mspace"style="margin-right:0.1667em;"></span><spanclass="mord mathnormal">b</span></span></span></span> are simply rearrangements of the publicly known <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8889em;vertical-align:-0.1944em;"></span><spanclass="mord mathbf">G</span><spanclass="mpunct">,</span><spanclass="mspace"style="margin-right:0.1667em;"></span><spanclass="mord mathbf">b</span><spanclass="mpunct">,</span></span></span></span>
with the round challenges <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1.0361em;vertical-align:-0.2861em;"></span><spanclass="mopen">{</span><spanclass="mord"><spanclass="mord mathnormal">u</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.3117em;"><spanstyle="top:-2.55em;margin-left:0em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.05724em;">j</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.2861em;"><span></span></span></span></span></span></span><spanclass="mclose">}</span></span></span></span> mixed in: this means the verifier can compute <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8889em;vertical-align:-0.1944em;"></span><spanclass="mord mathnormal">G</span><spanclass="mpunct">,</span><spanclass="mspace"style="margin-right:0.1667em;"></span><spanclass="mord mathnormal">b</span></span></span></span>