Update the circuit commitments section for the changes to the permutation argument.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2021-07-12 02:00:49 +01:00
parent 1b3241d757
commit 6a11c2b97e
1 changed files with 30 additions and 18 deletions

@ -44,32 +44,46 @@ follows:
- The prover then permutes $A_\text{compressed}(X)$ and $S_\text{compressed}(X)$ according - The prover then permutes $A_\text{compressed}(X)$ and $S_\text{compressed}(X)$ according
to the [rules of the lookup argument](lookup.md), obtaining $A'(X)$ and $S'(X)$. to the [rules of the lookup argument](lookup.md), obtaining $A'(X)$ and $S'(X)$.
Finally, the prover creates blinding commitments for all of the lookups The prover creates blinding commitments for all of the lookups
$$\mathbf{L} = \left[ (\text{Commit}(A'(X))), \text{Commit}(S'(X))), \dots \right]$$ $$\mathbf{L} = \left[ (\text{Commit}(A'(X))), \text{Commit}(S'(X))), \dots \right]$$
and sends them to the verifier. and sends them to the verifier.
## Committing to the equality constraint permutations After the verifier receives $\mathbf{A}$, $\mathbf{F}$, and $\mathbf{L}$, it samples
challenges $\beta$ and $\gamma$ that will be used in the permutation argument and the
remainder of the lookup argument below. (These challenges can be reused because the
arguments are independent.)
The verifier samples $\beta$ and $\gamma$. ## Committing to the equality constraint permutation
For each equality constraint argument: Let $c$ be the number of columns that are enabled for equality constraints.
- The prover constructs a vector $P$: Let $m$ be the maximum number of columns that can accomodated by a
[column set](permutation.md#spanning-a-large-number-of-columns) without exceeding
the PLONK configuration's polynomial degree bound.
Let $u$ be the number of “usable” rows as defined in the
[Permutation argument](permutation.md#zero-knowledge-adjustment) section.
Let $b = \mathsf{ceiling}(c/m).$
The prover constructs a vector $\mathbf{P}$ of length $bu$ such that for each
column set $0 \leq a < b$ and each row $0 \leq j < u,$
$$ $$
P_j = \prod\limits_{i=0}^{m-1} \frac{p_i(\omega^j) + \beta \cdot \delta^i \cdot \omega^j + \gamma}{p_i(\omega^j) + \beta \cdot s_i(\omega^j) + \gamma} \mathbf{P}_{au + j} = \prod\limits_{i=am}^{\min(c, (a+1)m)-1} \frac{v_i(\omega^j) + \beta \cdot \delta^i \cdot \omega^j + \gamma}{v_i(\omega^j) + \beta \cdot s_i(\omega^j) + \gamma}.
$$ $$
- The prover constructs a polynomial $Z_P$ which has a Lagrange basis representation The prover then computes a running product of $\mathbf{P}$, starting at $1$,
corresponding to a running product of $P$, starting at $Z_P(1) = 1$. and a vector of polynomials $Z_{P,0..b-1}$ that each have a Lagrange basis
representation corresponding to a $u$-sized slice of this running product, as
described in the [Permutation argument](permutation.md#argument-specification)
section.
See the [Permutation argument](permutation.md#argument-specification) section for more detail. The prover creates blinding commitments to each $Z_{P,a}$ polynomial:
The prover creates blinding commitments to each $Z_P$ polynomial: $$\mathbf{Z_P} = \left[\text{Commit}(Z_{P,0}(X)), \dots, \text{Commit}(Z_{P,b-1}(X))\right]$$
$$\mathbf{Z_P} = \left[\text{Commit}(Z_P(X)), \dots \right]$$
and sends them to the verifier. and sends them to the verifier.
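Review bot: the added definition of $m$ reads "the maximum number of columns that can accomodated by a [column set]"; it is missing "be" and misspells "accommodated", so it should read "that can be accommodated by a". The new product formula also replaces $p_i$ with $v_i$, but nothing in this hunk defines $v_i$; add a "Let $v_i$ be ..." line beside the definitions of $c$, $m$, $u$ and $b$, or link to where permutation.md defines it. It would also help to say in prose that the last column set may contain fewer than $m$ columns, since that is what the upper bound $\min(c, (a+1)m)-1$ encodes.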
@ -88,12 +102,10 @@ $$
corresponding to a running product of $P$, starting at $Z_L(1) = 1$. corresponding to a running product of $P$, starting at $Z_L(1) = 1$.
$\beta$ and $\gamma$ are used to combine the permutation arguments for $A'(X)$ and $S'(X)$ $\beta$ and $\gamma$ are used to combine the permutation arguments for $A'(X)$ and $S'(X)$
while keeping them independent. We can reuse $\beta$ and $\gamma$ from the equality while keeping them independent. The important thing here is that the verifier samples
constraint permutation here because they serve the same purpose in both places, and we $\beta$ and $\gamma$ after the prover has created $\mathbf{A}$, $\mathbf{F}$, and
aren't trying to combine the lookup and equality constraint permutation arguments. The $\mathbf{L}$ (and thus commited to all the cell values used in lookup columns, as well
important thing here is that the verifier samples $\beta$ and $\gamma$ after the prover as $A'(X)$ and $S'(X)$ for each lookup).
has created $\mathbf{A}$, $\mathbf{F}$, and $\mathbf{L}$ (and thus commited to all the
cell values used in lookup columns, as well as $A'(X)$ and $S'(X)$ for each lookup).
As before, the prover creates blinding commitments to each $Z_L$ polynomial: As before, the prover creates blinding commitments to each $Z_L$ polynomial:
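Review bot: the reflowed sentence in the lookup paragraph keeps the misspelling "commited" ("and thus commited to all the cell values used in lookup columns"); since these lines are being rewritten anyway, change it to "committed". Separately, the unchanged context line above still describes $Z_L$ as "a running product of $P$", while this commit introduces $\mathbf{P}$ as the permutation-argument vector; check that the lookup section's $P$ cannot be confused with it, and rename one of them if so.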