mirror of https://github.com/zcash/halo2.git
book: Fix notation for committing to lookup permutation product columns
This commit is contained in:
parent
f30cbcbfc9
commit
2c647009fc
|
@ -45,10 +45,10 @@ now serves as a summary of the following sub-sections.
|
|||
| | $\larr$ | $F = [F_0, F_1, \dots, F_{m - 1}]$ |
|
||||
| $\mathbf{A} = [A_0, A_1, \dots, A_{m - 1}]$ | $\rarr$ | |
|
||||
| | $\larr$ | $\theta$ |
|
||||
| $\mathbf{L}_p = [(A'_0, S'_0), \dots, (A'_{m - 1}, S'_{m - 1})]$ | $\rarr$ | |
|
||||
| $\mathbf{L} = [(A'_0, S'_0), \dots, (A'_{m - 1}, S'_{m - 1})]$ | $\rarr$ | |
|
||||
| | $\larr$ | $\beta, \gamma$ |
|
||||
| $\mathbf{P} = [P_0, P_1, \dots, P_{m - 1}]$ | $\rarr$ | |
|
||||
| $\mathbf{L}_c = [L_0, L_1, \dots, L_{m - 1}]$ | $\rarr$ | |
|
||||
| $\mathbf{Z} = [Z_0, Z_1, \dots, Z_{m - 1}]$ | $\rarr$ | |
|
||||
| | $\larr$ | $y$ |
|
||||
| $h(X) = \frac{\text{gate}_0(X) + \dots + y^i \cdot \text{gate}_i(X)}{t(X)}$ | | |
|
||||
| $h(X) = h_0(X) + \dots + X^{n(d-1)} h_{d-1}(X)$ | | |
|
||||
|
|
|
@ -45,7 +45,7 @@ follows:
|
|||
|
||||
Finally, the prover creates blinding commitments for all of the lookups
|
||||
|
||||
$$\mathbf{L}_p = \left[ (\text{Commit}(A'(X))), \text{Commit}(S'(X))), \dots \right]$$
|
||||
$$\mathbf{L} = \left[ (\text{Commit}(A'(X))), \text{Commit}(S'(X))), \dots \right]$$
|
||||
|
||||
and sends them to the verifier.
|
||||
|
||||
|
@ -60,21 +60,21 @@ and sends them to the verifier.
|
|||
|
||||
and sends them to the verifier.
|
||||
|
||||
## Committing to the lookup permutations
|
||||
## Committing to the lookup permutation product columns
|
||||
|
||||
In addition to committing to the individual permuted lookups, the prover needs to commit
|
||||
to constraint polynomials that enforce the correct relation between the permuted lookups
|
||||
and their un-permuted forms:
|
||||
to the permutation product column
|
||||
|
||||
$$L(X) = \frac{(A_\text{compressed}(X) + \beta)(S_\text{compressed}(X) + \gamma)}{(A'(X) + \beta)(S'(X) + \gamma)}$$
|
||||
$$Z(X) = \frac{(A_\text{compressed}(X) + \beta)(S_\text{compressed}(X) + \gamma)}{(A'(X) + \beta)(S'(X) + \gamma)}$$
|
||||
|
||||
$\beta$ and $\gamma$ are used to combine the permutation arguments for $A'(X)$ and $S'(X)$
|
||||
while keeping them independent. We can reuse $\beta$ and $\gamma$ from the equality
|
||||
constraint permutation here because they serve the same purpose in both places, and we
|
||||
aren't trying to combine the lookup and equality constraint permutation arguments.
|
||||
|
||||
As before, the prover creates blinding commitments for every constraint polynomial
|
||||
As before, the prover creates blinding commitments to the permutation product column for
|
||||
every lookup
|
||||
|
||||
$$\mathbf{L}_c = \left[\text{Commit}(L(X))), \dots \right]$$
|
||||
$$\mathbf{Z} = \left[\text{Commit}(Z(X))), \dots \right]$$
|
||||
|
||||
and sends them to the verifier.
|
||||
|
|
Loading…
Reference in New Issue