mirror of https://github.com/zcash/halo2.git
book: Add section about circuit commitments
This commit is contained in:
parent
e666f8b966
commit
9e9a92a912
|
@ -16,6 +16,7 @@
|
||||||
- [Proving system](design/proving-system.md)
|
- [Proving system](design/proving-system.md)
|
||||||
- [Lookup argument](design/proving-system/lookup-argument.md)
|
- [Lookup argument](design/proving-system/lookup-argument.md)
|
||||||
- [Permutation argument](design/proving-system/permutation.md)
|
- [Permutation argument](design/proving-system/permutation.md)
|
||||||
|
- [Circuit commitments](design/proving-system/circuit-commitments.md)
|
||||||
- [Multipoint opening argument](design/proving-system/multipoint-opening.md)
|
- [Multipoint opening argument](design/proving-system/multipoint-opening.md)
|
||||||
- [Comparison to other work](design/proving-system/comparison.md)
|
- [Comparison to other work](design/proving-system/comparison.md)
|
||||||
- [Implementation](design/implementation.md)
|
- [Implementation](design/implementation.md)
|
||||||
|
|
|
@ -0,0 +1,34 @@
|
||||||
|
# Circuit commitments
|
||||||
|
|
||||||
|
## Committing to the circuit assignments
|
||||||
|
|
||||||
|
At the start of proof creation, the prover has a table of cell assignments that it claims
|
||||||
|
satisfy the constraint system. The table has $n = 2^k$ rows, and is broken into advice,
|
||||||
|
auxiliary, and fixed columns. We define $F_{i,j}$ as the assignment in the $j$th row of
|
||||||
|
the $i$th fixed column. Without loss of generality, we'll similarly define $A_{i,j}$ to
|
||||||
|
represent the advice and auxiliary assignments.
|
||||||
|
|
||||||
|
> The only difference between advice and auxiliary columns, is that the commitments to
|
||||||
|
> auxiliary columns are not placed in the proof, and are instead computed by the verifier.
|
||||||
|
|
||||||
|
To commit to these assignments, we construct Lagrange polynomials of degree $n - 1$ for
|
||||||
|
each column, over an evaluation domain of size $n$ (where $\omega$ is the $n$th primitive
|
||||||
|
root of unity):
|
||||||
|
|
||||||
|
- $a_i(X)$ interpolates such that $a_i(\omega^j) = A_{i,j}$.
|
||||||
|
- $f_i(X)$ interpolates such that $f_i(\omega^j) = F_{i,j}$.
|
||||||
|
|
||||||
|
We then create a blinding commitment to the polynomial for each column:
|
||||||
|
|
||||||
|
$$\mathbf{A} = [\text{Commit}(a_0(X)), \dots, \text{Commit}(a_i(X))]$$
|
||||||
|
$$\mathbf{F} = [\text{Commit}(f_0(X)), \dots, \text{Commit}(f_i(X))]$$
|
||||||
|
|
||||||
|
$\mathbf{F}$ is constructed as part of key generation (pre-computed by both the prover and
|
||||||
|
verifier, using a blinding factor of $1$). $\mathbf{A}$ is constructed by the prover and
|
||||||
|
sent to the verifier.
|
||||||
|
|
||||||
|
## Committing to the lookup permutations and equality constraint permutations
|
||||||
|
|
||||||
|
TBD.
|
||||||
|
|
||||||
|
The prover ends up with vectors of commitments $\mathbf{L}$ and $\mathbf{P}$.
|
Loading…
Reference in New Issue