3.8 KiB
Vanishing argument
Having committed to the circuit assignments, the prover now needs to demonstrate that the various circuit relations are satisfied:
- The custom gates, represented by polynomials
\text{gate}_i(X)
. - The rules of the lookup arguments.
- The rules of the equality constraint permutations.
Each of these relations is represented as a polynomial of degree d
(the maximum degree
of any of the relations) with respect to the circuit columns. Given that the degree of the
assignment polynomials for each column is n - 1
, the relation polynomials have degree
d(n - 1)
with respect to X
.
In our example, these would be the gate polynomials, of degree
3n - 3
:
\text{gate}_0(X) = a_0(X) \cdot a_1(X) \cdot a_2(X \omega^{-1}) - a_3(X)
\text{gate}_1(X) = f_0(X \omega^{-1}) \cdot a_2(X)
\text{gate}_2(X) = f_0(X) \cdot a_3(X) \cdot a_0(X)
A relation is satisfied if its polynomial is equal to zero. One way to demonstrate this is
to divide each polynomial relation by the vanishing polynomial t(X) = (X^n - 1)
, which
is the lowest-degree polynomial that has roots at every \omega^i
. If relation's polynomial
is perfectly divisible by t(X)
, it is equal to zero over the domain (as desired).
This simple construction would require a polynomial commitment per relation. Instead, we
commit to all of the circuit relations simultaneously: the verifier samples y
, and then
the prover constructs the quotient polynomial
h(X) = \frac{\text{gate}_0(X) + y \cdot \text{gate}_1(X) + \dots + y^i \cdot \text{gate}_i(X) + \dots}{t(X)},
where the numerator is a random (the prover commits to the cell assignments before the
verifier samples y
) linear combination of the circuit relations.
- If the numerator polynomial (in formal indeterminate
X
) is perfectly divisible byt(X)
, then with high probability all relations are satisfied. - Conversely, if at least one relation is not satisfied, then with high probability
h(x) \cdot t(x)
will not equal the evaluation of the numerator atx
. In this case, the numerator polynomial would not be perfectly divisible byt(X)
.
Committing to h(X)
h(X)
has degree d(n - 1) - n
(because the divisor t(X)
has degree n
). However, the
polynomial commitment scheme we use for Halo 2 only supports committing to polynomials of
degree n - 1
(which is the maximum degree that the rest of the protocol needs to commit
to). Instead of increasing the cost of the polynomial commitment scheme, the prover split
h(X)
into pieces of degree n - 1
h_0(X) + X^n h_1(X) + \dots + X^{n(d-1)} h_{d-1}(X),
and produces blinding commitments to each piece
\mathbf{H} = [\text{Commit}(h_0(X)), \text{Commit}(h_1(X)), \dots, \text{Commit}(h_{d-1}(X))].
Evaluating the polynomials
At this point, we have committed to all properties of the circuit. The verifier now
wants to see if the prover committed to the correct h(X)
polynomial. The verifier
samples x
, and the prover produces the purported evaluations of the various polynomials
at x
, for all the relative offsets used in the circuit, as well as h(X)
.
In our example, this would be:
a_0(x)
a_1(x)
a_2(x)
,a_2(x \omega^{-1})
a_3(x)
f_0(x)
,f_0(x \omega^{-1})
h_0(x)
, ...,h_{d-1}(x)
The verifier checks that these evaluations satisfy the form of h(X)
:
\frac{\text{gate}_0(x) + \dots + y^i \cdot \text{gate}_i(x) + \dots}{t(x)} = h_0(x) + \dots + x^{n(d-1)} h_{d-1}(x)
Now content that the evaluations collectively satisfy the gate constraints, the verifier
needs to check that the evaluations themselves are consistent with the original
circuit commitments, as well as \mathbf{H}
. To implement this
efficiently, we use a multipoint opening argument.