mirror of https://github.com/zcash/halo2.git
Update lookup argument for zero knowledge changes in #316.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
66e4b0ee7f
commit
55c48007c9
|
@ -12,6 +12,9 @@ In addition to the [general notes on language](../design.md#note-on-language):
|
|||
|
||||
## Technique Description
|
||||
|
||||
For ease of explanation, we'll first describe a simplified version of the argument that
|
||||
ignores zero knowledge.
|
||||
|
||||
We express lookups in terms of a "subset argument" over a table with $2^k$ rows (numbered
|
||||
from 0), and columns $A$ and $S$.
|
||||
|
||||
|
@ -36,9 +39,17 @@ these $A'$ and $S'$, respectively. We can enforce that they are permutations usi
|
|||
permutation argument with product column $Z$ with the rules:
|
||||
|
||||
$$
|
||||
Z(X) (A(X) + \beta) (S(X) + \gamma) - Z(\omega^{-1} X) (A'(X) + \beta) (S'(X) + \gamma) = 0
|
||||
Z(\omega X) \cdot (A'(X) + \beta) \cdot (S'(X) + \gamma) - Z(X) \cdot (A(X) + \beta) \cdot (S(X) + \gamma) = 0
|
||||
$$$$
|
||||
\ell_0(X) (Z(X) - 1) = 0
|
||||
\ell_0(X) \cdot (Z(X) - 1) = 0
|
||||
$$
|
||||
|
||||
i.e. provided that division by zero does not occur, we have for all $i \in [0, 2^k)$:
|
||||
|
||||
$$
|
||||
Z_{i+1} = Z_i \cdot \frac{(A_i + \beta) \cdot (S_i + \gamma)}{(A'_i + \beta) \cdot (S'_i + \gamma)}
|
||||
$$$$
|
||||
Z_{2^k} = Z_0 = 1.
|
||||
$$
|
||||
|
||||
This is a version of the permutation argument which allows $A'$ and $S'$ to be
|
||||
|
@ -69,9 +80,64 @@ $$
|
|||
\ell_0(X) \cdot (A'(X) - S'(X)) = 0
|
||||
$$
|
||||
|
||||
(The $A'(X) - A'(\omega^{-1} X)$ term of the first rule here has no effect at row $0,$ even
|
||||
though $\omega^{-1} X$ "wraps", because of the second rule.)
|
||||
|
||||
Together these constraints effectively force every element in $A'$ (and thus $A$) to equal
|
||||
at least one element in $S'$ (and thus $S$). Proof: by induction on prefixes of the rows.
|
||||
|
||||
## Zero-knowledge adjustment
|
||||
|
||||
In order to achieve zero knowledge for the PLONK-based proof system, we will need the last
|
||||
$t$ rows of each column to be filled with random values. This requires an adjustment to the
|
||||
lookup argument, because these random values would not satisfy the constraints described
|
||||
above.
|
||||
|
||||
We limit the number of usable rows to $u = 2^k - t - 1.$ We add two selectors:
|
||||
|
||||
* $q_\mathit{blind}$ is set to $1$ on the last $t$ rows, and $0$ elsewhere;
|
||||
* $q_\mathit{last}$ is set to $1$ only on row $u,$ and $0$ elsewhere (i.e. it is set on the
|
||||
row in between the usable rows and the blinding rows).
|
||||
|
||||
We enable the constraints from above only for the usable rows:
|
||||
|
||||
$$
|
||||
\big(1 - (q_\mathit{blind}(X) + q_\mathit{last}(X))\big) \cdot \big(Z(\omega X) \cdot (A'(X) + \beta) \cdot (S'(X) + \gamma) - Z(X) \cdot (A(X) + \beta) \cdot (S(X) + \gamma)\big) = 0
|
||||
$$$$
|
||||
\big(1 - (q_\mathit{blind}(X) + q_\mathit{last}(X))\big) \cdot (A'(X) - S'(X)) \cdot (A'(X) - A'(\omega^{-1} X)) = 0
|
||||
$$
|
||||
|
||||
The rules that are enabled on row $0$ remain the same:
|
||||
|
||||
$$
|
||||
\ell_0(X) \cdot (A'(X) - S'(X)) = 0
|
||||
$$$$
|
||||
\ell_0(X) \cdot (Z(X) - 1) = 0
|
||||
$$
|
||||
|
||||
Since we can no longer rely on the wraparound to ensure that the product $Z$ becomes $1$
|
||||
again at $\omega^{2^k},$ we would instead need to constrain $Z(\omega^u)$ to $1.$ However,
|
||||
there is a potential difficulty: if any of the values $A_i + \beta$ or $S_i + \gamma$ are
|
||||
zero for $i \in [0, u),$ then it might not be possible to satisfy the permutation argument.
|
||||
This occurs with negligble probability over choices of $\beta$ and $\gamma,$ but is an
|
||||
obstacle to achieving *perfect* zero knowledge (because an adversary can rule out witnesses
|
||||
that would cause this situation), as well as perfect completeness.
|
||||
|
||||
To ensure both perfect completeness and perfect zero knowledge, we allow $Z(\omega^u)$
|
||||
to be either zero or one:
|
||||
|
||||
$$
|
||||
q_\mathit{last}(X) \cdot (Z(X)^2 - Z(X)) = 0
|
||||
$$
|
||||
|
||||
Now if $A_i + \beta$ or $S_i + \gamma$ are zero for some $i,$ we can set $Z_j = 0$ for
|
||||
$i < j \leq u,$ satisfying the constraint system.
|
||||
|
||||
Note that the challenges $\beta$ and $\gamma$ are chosen after committing to $A$ and $S$
|
||||
(and to $A'$ and $S'$), so the prover cannot force the case where some $A_i + \beta$ or
|
||||
$S_i + \gamma$ is zero to occur. Since this case occurs with negligible probability,
|
||||
soundness is not affected.
|
||||
|
||||
## Cost
|
||||
|
||||
* There is the original column $A$ and the fixed column $S$.
|
||||
|
|
Loading…
Reference in New Issue