mirror of https://github.com/zcash/halo2.git
Update lookup argument for zero knowledge changes in #316.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent 66e4b0ee7f
commit 55c48007c9
@ -12,6 +12,9 @@ In addition to the [general notes on language](../design.md#note-on-language):

## Technique Description
## Technique Description

For ease of explanation, we'll first describe a simplified version of the argument that
ignores zero knowledge.

We express lookups in terms of a "subset argument" over a table with $2^k$ rows (numbered
We express lookups in terms of a "subset argument" over a table with $2^k$ rows (numbered
from 0), and columns $A$ and $S$.
from 0), and columns $A$ and $S$.

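Review bot: the new opening sentence in this hunk says the simplified version "ignores zero knowledge" but gives no pointer to where the full argument is stated; since the same change adds a "Zero-knowledge adjustment" section further down the file, add a short forward reference here (e.g. "see the zero-knowledge adjustment below") so a reader does not take the simplified constraints as the final ones.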
@ -36,9 +39,17 @@ these $A'$ and $S'$, respectively. We can enforce that they are permutations usi
permutation argument with product column $Z$ with the rules:
permutation argument with product column $Z$ with the rules:

$$
$$
Z(X) (A(X) + \beta) (S(X) + \gamma) - Z(\omega^{-1} X) (A'(X) + \beta) (S'(X) + \gamma) = 0
Z(\omega X) \cdot (A'(X) + \beta) \cdot (S'(X) + \gamma) - Z(X) \cdot (A(X) + \beta) \cdot (S(X) + \gamma) = 0
$$$$
$$$$
\ell_0(X) (Z(X) - 1) = 0
\ell_0(X) \cdot (Z(X) - 1) = 0
$$

i.e. provided that division by zero does not occur, we have for all $i \in [0, 2^k)$:

$$
Z_{i+1} = Z_i \cdot \frac{(A_i + \beta) \cdot (S_i + \gamma)}{(A'_i + \beta) \cdot (S'_i + \gamma)}
$$$$
Z_{2^k} = Z_0 = 1.
$$
$$

This is a version of the permutation argument which allows $A'$ and $S'$ to be
This is a version of the permutation argument which allows $A'$ and $S'$ to be
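Review bot: the recurrence added after the rules only holds "provided that division by zero does not occur", but the hunk does not say what the argument does when $(A'_i + \beta) \cdot (S'_i + \gamma) = 0$; the zero-knowledge section added later in this change treats exactly that case, so either point to it here or state explicitly that the simplified argument assumes the denominators are nonzero. The rewritten product rule $Z(\omega X) \cdot (A'(X) + \beta) \cdot (S'(X) + \gamma) - Z(X) \cdot (A(X) + \beta) \cdot (S(X) + \gamma) = 0$ is consistent with the new recurrence $Z_{i+1} = Z_i \cdot \frac{(A_i + \beta) \cdot (S_i + \gamma)}{(A'_i + \beta) \cdot (S'_i + \gamma)}$ and with $Z_{2^k} = Z_0 = 1$, so that part checks out.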
@ -69,9 +80,64 @@ $$
\ell_0(X) \cdot (A'(X) - S'(X)) = 0
\ell_0(X) \cdot (A'(X) - S'(X)) = 0
$$
$$

(The $A'(X) - A'(\omega^{-1} X)$ term of the first rule here has no effect at row $0,$ even
though $\omega^{-1} X$ "wraps", because of the second rule.)

Together these constraints effectively force every element in $A'$ (and thus $A$) to equal
Together these constraints effectively force every element in $A'$ (and thus $A$) to equal
at least one element in $S'$ (and thus $S$). Proof: by induction on prefixes of the rows.
at least one element in $S'$ (and thus $S$). Proof: by induction on prefixes of the rows.

## Zero-knowledge adjustment

In order to achieve zero knowledge for the PLONK-based proof system, we will need the last
$t$ rows of each column to be filled with random values. This requires an adjustment to the
lookup argument, because these random values would not satisfy the constraints described
above.

We limit the number of usable rows to $u = 2^k - t - 1.$ We add two selectors:

* $q_\mathit{blind}$ is set to $1$ on the last $t$ rows, and $0$ elsewhere;
* $q_\mathit{last}$ is set to $1$ only on row $u,$ and $0$ elsewhere (i.e. it is set on the
row in between the usable rows and the blinding rows).

We enable the constraints from above only for the usable rows:

$$
\big(1 - (q_\mathit{blind}(X) + q_\mathit{last}(X))\big) \cdot \big(Z(\omega X) \cdot (A'(X) + \beta) \cdot (S'(X) + \gamma) - Z(X) \cdot (A(X) + \beta) \cdot (S(X) + \gamma)\big) = 0
$$$$
\big(1 - (q_\mathit{blind}(X) + q_\mathit{last}(X))\big) \cdot (A'(X) - S'(X)) \cdot (A'(X) - A'(\omega^{-1} X)) = 0
$$

The rules that are enabled on row $0$ remain the same:

$$
\ell_0(X) \cdot (A'(X) - S'(X)) = 0
$$$$
\ell_0(X) \cdot (Z(X) - 1) = 0
$$

Since we can no longer rely on the wraparound to ensure that the product $Z$ becomes $1$
again at $\omega^{2^k},$ we would instead need to constrain $Z(\omega^u)$ to $1.$ However,
there is a potential difficulty: if any of the values $A_i + \beta$ or $S_i + \gamma$ are
zero for $i \in [0, u),$ then it might not be possible to satisfy the permutation argument.
This occurs with negligble probability over choices of $\beta$ and $\gamma,$ but is an
obstacle to achieving *perfect* zero knowledge (because an adversary can rule out witnesses
that would cause this situation), as well as perfect completeness.

To ensure both perfect completeness and perfect zero knowledge, we allow $Z(\omega^u)$
to be either zero or one:

$$
q_\mathit{last}(X) \cdot (Z(X)^2 - Z(X)) = 0
$$

Now if $A_i + \beta$ or $S_i + \gamma$ are zero for some $i,$ we can set $Z_j = 0$ for
$i < j \leq u,$ satisfying the constraint system.

Note that the challenges $\beta$ and $\gamma$ are chosen after committing to $A$ and $S$
(and to $A'$ and $S'$), so the prover cannot force the case where some $A_i + \beta$ or
$S_i + \gamma$ is zero to occur. Since this case occurs with negligible probability,
soundness is not affected.

## Cost
## Cost

* There is the original column $A$ and the fixed column $S$.
* There is the original column $A$ and the fixed column $S$.
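Review bot: the completeness argument in the new "Zero-knowledge adjustment" section only considers zeros among the numerator factors $A_i + \beta$ and $S_i + \gamma$, but the enabled product rule also contains the denominator factors $A'_i + \beta$ and $S'_i + \gamma$. Since $A'$ and $S'$ are permutations of $A$ and $S$, the same value lands on some row $i'$ of $A'$ or $S'$, and if $i'$ comes before the first row $i$ with $A_i + \beta = 0$ or $S_i + \gamma = 0$, then at row $i'$ the rule reads $Z(\omega X) \cdot 0 - Z(X) \cdot (\text{nonzero}) = 0$, which forces $Z_{i'} = 0$, while the rows before it force $Z_{i'} \neq 0$ starting from $Z_0 = 1$. Please either explain why this case cannot arise or extend the sentence "we can set $Z_j = 0$ for $i < j \leq u$" so that it also covers a zero in $A'_i + \beta$ or $S'_i + \gamma$. Also, "negligble" in "This occurs with negligble probability" should be "negligible" (the later paragraph spells it correctly).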