From 9e9a92a91214f7a53638a7e8be9d4963ffa9c568 Mon Sep 17 00:00:00 2001 From: Jack Grigg Date: Thu, 11 Feb 2021 03:08:54 +0000 Subject: [PATCH] book: Add section about circuit commitments --- book/src/SUMMARY.md | 1 + .../proving-system/circuit-commitments.md | 34 +++++++++++++++++++ 2 files changed, 35 insertions(+) create mode 100644 book/src/design/proving-system/circuit-commitments.md diff --git a/book/src/SUMMARY.md b/book/src/SUMMARY.md index ecfd6654..a9213463 100644 --- a/book/src/SUMMARY.md +++ b/book/src/SUMMARY.md @@ -16,6 +16,7 @@ - [Proving system](design/proving-system.md) - [Lookup argument](design/proving-system/lookup-argument.md) - [Permutation argument](design/proving-system/permutation.md) + - [Circuit commitments](design/proving-system/circuit-commitments.md) - [Multipoint opening argument](design/proving-system/multipoint-opening.md) - [Comparison to other work](design/proving-system/comparison.md) - [Implementation](design/implementation.md) diff --git a/book/src/design/proving-system/circuit-commitments.md b/book/src/design/proving-system/circuit-commitments.md new file mode 100644 index 00000000..2f354a86 --- /dev/null +++ b/book/src/design/proving-system/circuit-commitments.md 
@@ -0,0 +1,34 @@ +# Circuit commitments + +## Committing to the circuit assignments + +At the start of proof creation, the prover has a table of cell assignments that it claims +satisfy the constraint system. The table has $n = 2^k$ rows, and is broken into advice, +auxiliary, and fixed columns. We define $F_{i,j}$ as the assignment in the $j$th row of +the $i$th fixed column. Without loss of generality, we'll similarly define $A_{i,j}$ to +represent the advice and auxiliary assignments. + +> The only difference between advice and auxiliary columns, is that the commitments to +> auxiliary columns are not placed in the proof, and are instead computed by the verifier. + +To commit to these assignments, we construct Lagrange polynomials of degree $n - 1$ for +each column, over an evaluation domain of size $n$ (where $\omega$ is the $n$th primitive +root of unity): + +- $a_i(X)$ interpolates such that $a_i(\omega^j) = A_{i,j}$. +- $f_i(X)$ interpolates such that $f_i(\omega^j) = F_{i,j}$. + +We then create a blinding commitment to the polynomial for each column: + +$$\mathbf{A} = [\text{Commit}(a_0(X)), \dots, \text{Commit}(a_i(X))]$$ +$$\mathbf{F} = [\text{Commit}(f_0(X)), \dots, \text{Commit}(f_i(X))]$$ + +$\mathbf{F}$ is constructed as part of key generation (pre-computed by both the prover and +verifier, using a blinding factor of $1$). $\mathbf{A}$ is constructed by the prover and +sent to the verifier. + +## Committing to the lookup permutations and equality constraint permutations + +TBD. + +The prover ends up with vectors of commitments $\mathbf{L}$ and $\mathbf{P}$.
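Review bot: The closing paragraph of "Committing to the circuit assignments" says $\mathbf{A}$ is "constructed by the prover and sent to the verifier", but $A_{i,j}$ was defined to cover both advice and auxiliary assignments, and the blockquote says commitments to auxiliary columns are not placed in the proof and are instead computed by the verifier. Suggest splitting the vector into advice commitments (sent in the proof) and auxiliary commitments (recomputed by the verifier), and stating which blinding factor the auxiliary commitments use. The verifier can only recompute a commitment whose blinding factor it knows, and the text gives that factor for $\mathbf{F}$ only. Two smaller points in the same section: the definitions of $\mathbf{A}$ and $\mathbf{F}$ end at $a_i(X)$ and $f_i(X)$, reusing the running column index $i$ as the final index, so a column count should be introduced for the upper bound; and "the $n$th primitive root of unity" would read more precisely as "a primitive $n$th root of unity".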