<buttonid="sidebar-toggle"class="icon-button"type="button"title="Toggle Table of Contents"aria-label="Toggle Table of Contents"aria-controls="sidebar">
<ahref="../print.html"title="Print this book"aria-label="Print this book">
<iid="print-button"class="fa fa-print"></i>
</a>
</div>
</div>
<divid="search-wrapper"class="hidden">
<formid="searchbar-outer"class="searchbar-outer">
<inputtype="search"name="search"id="searchbar"name="searchbar"placeholder="Search this book ..."aria-controls="searchresults-outer"aria-describedby="searchresults-header">
<p>However, the computation of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal">G</span></span></span></span> requires a length-<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.849108em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord">2</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.849108em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.03148em;">k</span></span></span></span></span></span></span></span></span></span></span> multiexponentiation
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mopen">⟨</span><spanclass="mord mathbf">G</span><spanclass="mpunct">,</span><spanclass="mspace"style="margin-right:0.16666666666666666em;"></span><spanclass="mord mathbf">s</span><spanclass="mclose">⟩</span><spanclass="mpunct">,</span></span></span></span> where <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.44444em;vertical-align:0em;"></span><spanclass="mord mathbf">s</span></span></span></span> is composed of the round
challenges <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.625em;vertical-align:-0.19444em;"></span><spanclass="mord"><spanclass="mord mathnormal">u</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.30110799999999993em;"><spanstyle="top:-2.5500000000000003em;margin-left:0em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight">1</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span><spanclass="mpunct">,</span><spanclass="mspace"style="margin-right:0.16666666666666666em;"></span><spanclass="minner">⋯</span><spanclass="mspace"style="margin-right:0.16666666666666666em;"></span><spanclass="mspace"style="margin-right:0.16666666666666666em;"></span><spanclass="mpunct">,</span><spanclass="mspace"style="margin-right:0.16666666666666666em;"></span><spanclass="mord"><spanclass="mord mathnormal">u</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.33610799999999996em;"><spanstyle="top:-2.5500000000000003em;margin-left:0em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.03148em;">k</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span> arranged in a binary counting structure. This is the
linear-time computation that we want to amortise across a batch of proof instances.
Instead of computing <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8777699999999999em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">G</span><spanclass="mpunct">,</span></span></span></span> notice that we can express <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal">G</span></span></span></span> as a commitment to a polynomial</p>
<tr><td><imgsrc="https://i.imgur.com/vMXKFDV.png"width=1900></td><td>Since <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal">G</span></span></span></span> is a commitment, it can be checked in an inner product argument. The verifier circuit witnesses <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal">G</span></span></span></span> and brings <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8777699999999999em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">G</span><spanclass="mpunct">,</span><spanclass="mspace"style="margin-right:0.16666666666666666em;"></span><spanclass="mord"><spanclass="mord mathnormal">u</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.30110799999999993em;"><spanstyle="top:-2.5500000000000003em;margin-left:0em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight">1</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span><spanclass="mpunct">,</span><spanclass="mspace"style="margin-right:0.16666666666666666em;"></span><spanclass="minner">⋯</span><spanclass="mspace"style="margin-right:0.16666666666666666em;"></span><spanclass="mspace"style="margin-right:0.16666666666666666em;"></span><spanclass="mpunct">,</span><spanclass="mspace"style="margin-right:0.16666666666666666em;"></span><spanclass="mord"><spanclass="mord mathnormal">u</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.33610799999999996em;"><spanstyle="top:-2.5500000000000003em;margin-left:0em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.03148em;">k</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span> out as public inputs to the proof <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.43056em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.03588em;">π</span><spanclass="mord">.</span></span></span></span> The next verifier instance checks <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.43056em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.03588em;">π</span></span></span></span> using the inner product argument; this includes checking that <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal">G</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mord text"><spanclass="mord">Commit</span></span><spanclass="mopen">(</span><spanclass="mord mathnormal"style="margin-right:0.03588em;">g</span><spanclass="mopen">(</span><spanclass="mord mathnormal"style="margin-right:0.07847em;">X</span><spanclass="mpunct">,</span><spanclass="mspace"style="margin-right:0.16666666666666666em;"></span><spanclass="mord"><spanclass="mord mathnormal">u</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><span