Crate hacspec_halo2
source ·Expand description
Protocol
Let $\omega \in \field$ be a $n = 2^k$ primitive root of unity forming the domain $D = (\omega^0, \omega^1, …, \omega^{n - 1})$ with $t(X) = X^n - 1$ the vanishing polynomial over this domain. Let $n_g, n_a, n_e$ be positive integers with $n_a, n_e \lt n$ and $n_g \geq 4$. We present an interactive argument $\halo = (\setup, \prover, \verifier)$ for the relation
$$ \relation = \left\{ \begin{array}{ll} &\left( \begin{array}{ll} \left( g(X, C_0, …, C_{n_a - 1}, a_0(X), …, a_{n_a - 1}\left(X, C_0, …, C_{n_a - 1}, a_0(X), …, a_{n_a - 2}(X) \right)) \right); \ \left( a_0(X), a_1(X, C_0, a_0(X)), …, a_{n_a - 1}\left(X, C_0, …, C_{n_a - 1}, a_0(X), …, a_{n_a - 2}(X) \right) \right) \end{array} \right) : \ \ & g(\omega^i, \cdots) = 0 , , , , \forall i \in [0, 2^k) \end{array} \right\} $$
where $a_0, a_1, …, a_{n_a - 1}$ are (multivariate) polynomials with degree $n - 1$ in $X$ and $g$ has degree $n_g(n - 1)$ at most in any indeterminates $X, C_0, C_1, …$.
$\setup(\sec)$ returns $\pp = (\group, \field, \mathbf{G} \in \group^n, U, W \in \group)$.
For all $i \in [0, n_a)$:
- Let $\mathbf{p_i}$ be the exhaustive set of integers $j$ (modulo $n$) such that $a_i(\omega^j X, \cdots)$ appears as a term in $g(X, \cdots)$.
- Let $\mathbf{q}$ be a list of distinct sets of integers containing $\mathbf{p_i}$ and the set $\mathbf{q_0} = {0}$.
- Let $\sigma(i) = \mathbf{q}_j$ when $\mathbf{q}_j = \mathbf{p_i}$.
Let $n_q \leq n_a$ denote the size of $\mathbf{q}$, and let $n_e$ denote the size of every $\mathbf{p_i}$ without loss of generality.
In the following protocol, we take it for granted that each polynomial $a_i(X, \cdots)$ is defined such that $n_e + 1$ blinding factors are freshly sampled by the prover and are each present as an evaluation of $a_i(X, \cdots)$ over the domain $D$. In all of the following, the verifier’s challenges cannot be zero or an element in $D$, and some additional limitations are placed on specific challenges as well.
| Step | Spec | Impl. | Protocol | Notes |
|---|---|---|---|---|
| 1 | NA | ? | $\prover$ and $\verifier$ proceed in the following $n_a$ rounds of interaction, where in round $j$ (starting at $0$) | |
| * $\prover$ sets $a^\prime_j(X) = a_j(X, c_0, c_1, …, c_{j - 1}, a_0(X, \cdots), …, a_{j - 1}(X, \cdots, c_{j - 1}))$ | ||||
| * $\prover$ sends a hiding commitment $A_j = \innerprod{\mathbf{a^\prime}}{\mathbf{G}} + [\cdot] W$ where $\mathbf{a^\prime}$ are the coefficients of the univariate polynomial $a^\prime_j(X)$ and $\cdot$ is some random, independently sampled blinding factor elided for exposition. (This elision notation is used throughout this protocol description to simplify exposition.) | We denote the blinding $\cdot$ used in round $j$ as $a^* _j$ | |||
| * $\verifier$ responds with a challenge $c_j$. | ||||
| 2 | NA | ? | $\prover$ sets $g^\prime(X) = g(X, c_0, c_1, …, c_{n_a - 1}, \cdots)$. | |
| 3 | NA | link | $\prover$ sends a commitment $R = \innerprod{\mathbf{r}}{\mathbf{G}} + [\cdot] W$ where $\mathbf{r} \in \field^n$ are the coefficients of a randomly sampled univariate polynomial $r(X)$ of degree $n - 1$. | We denote the blinding $\cdot$ used as $r^*$ |
| 4 | step_4 | link | $\prover$ computes univariate polynomial $h(X) = \frac{g^\prime(X)}{t(X)}$ of degree $n_g(n - 1) - n$. | |
| 5 | step_5 | link | $\prover$ computes at most $n - 1$ degree polynomials $h_0(X), h_1(X), …, h_{n_g - 2}(X)$ such that $h(X) = \sum\limits_{i=0}^{n_g - 2} X^{ni} h_i(X)$. | |
| 6 | step_6 | link | $\prover$ sends commitments $H_i = \innerprod{\mathbf{h_i}}{\mathbf{G}} + [\cdot] W$ for all $i$ where $\mathbf{h_i}$ denotes the vector of coefficients for $h_i(X)$. | We denote the blinding $\cdot$ used in round $j$ as $h^* _j$ |
| 7 | step_7 | link(?) | $\verifier$ responds with challenge $x$ and computes $H^\prime = \sum\limits_{i=0}^{n_g - 2} [x^{ni}] H_i$. | |
| 8 | step_8 | link | $\prover$ sets $h^\prime(X) = \sum\limits_{i=0}^{n_g - 2} x^{ni} h_i(X)$. | $\prover$ sets $h^{\prime *} = \sum\limits_{i=0}^{n_g - 2} x^{ni} h_i^*$. |
| 9 | step_9 | link | $\prover$ sends $r = r(x)$ and for all $i \in [0, n_a)$ sends $\mathbf{a_i}$ such that $(\mathbf{a_i})_j = a^\prime_i(\omega^{(\mathbf{p_i})_j} x)$ for all $j \in [0, n_e - 1]$. | |
| 10 | step_10 | link(?) | For all $i \in [0, n_a)$ $\prover$ and $\verifier$ set $s_i(X)$ to be the lowest degree univariate polynomial defined such that $s_i(\omega^{(\mathbf{p_i})_j} x) = (\mathbf{a_i})_j$ for all $j \in [0, n_e - 1)$. | |
| 11 | step_11 | link | $\verifier$ responds with challenges $x_1, x_2$ and initializes $Q_0, Q_1, …, Q_{n_q - 1} = \zero$. | |
| * Starting at $i=0$ and ending at $n_a - 1$ $\verifier$ sets $Q_{\sigma(i)} := [x_1] Q_{\sigma(i)} + A_i$. | ||||
| * $\verifier$ finally sets $Q_0 := [x_1^2] Q_0 + [x_1] H^\prime + R$. | ||||
| 12 | step_12 | link | $\prover$ initializes $q_0(X), q_1(X), …, q_{n_q - 1}(X) = 0$. | $\prover$ initializes $q^*_0, q^*_1, …, q^* _{n_q-1} = 0$. |
| * Starting at $i=0$ and ending at $n_a - 1$ $\prover$ sets $q_{\sigma(i)} := x_1 q_{\sigma(i)} + a^\prime(X)$. | Starting at $i=0$ and ending at $n_a - 1$ $\prover$ sets $q^* _{\sigma(i)} := x_1 q^* _{\sigma(i)} + a^*_i$. | |||
| * $\prover$ finally sets $q_0(X) := x_1^2 q_0(X) + x_1 h^\prime(X) + r(X)$. | $\prover$ finally sets $q^* _{0} := x_1^2 q^* _{0} + x_1 h^{\prime *} + r^*$ | |||
| 13 | step_13 | ? | $\prover$ and $\verifier$ initialize $r_0(X), r_1(X), …, r_{n_q - 1}(X) = 0$. | |
| * Starting at $i = 0$ and ending at $n_a - 1$ $\prover$ and $\verifier$ set $r_{\sigma(i)}(X) := x_1 r_{\sigma(i)}(X) + s_i(X)$. | ||||
| * Finally $\prover$ and $\verifier$ set $r_0 := x_1^2 r_0 + x_1 h + r$ and where $h$ is computed by $\verifier$ as $\frac{g^\prime(x)}{t(x)}$ using the values $r, \mathbf{a}$ provided by $\prover$. | ||||
| 14 | step_14 | link | $\prover$ sends $Q^\prime = \innerprod{\mathbf{q^\prime}}{\mathbf{G}} + [\cdot] W$ where $\mathbf{q^\prime}$ defines the coefficients of the polynomial $q^\prime(X) = \sum\limits_{i=0}^{n_q - 1} x_2^{n_q-1-i} \left( \frac {q_i(X) - r_i(X)} {\prod\limits_{j=0}^{n_e - 1} \left( X - \omega^{\left( \mathbf{q_i} \right)_j} x \right) } \right) $ | The blinding $\cdot$ used here is denoted as $q^{\prime *}$. |
| 15 | step_15 | link | $\verifier$ responds with challenge $x_3$. | |
| 16 | step_16 | link | $\prover$ sends $\mathbf{u} \in \field^{n_q}$ such that $\mathbf{u}_i = q_i(x_3)$ for all $i \in [0, n_q)$. | |
| 17 | step_17 | link | $\verifier$ responds with challenge $x_4$. | |
| 18 | step_18 | link | $\verifier$ sets $P = [x_4^{n_q}]Q’ + \sum\limits_{i=0}^{n_q - 1} [x_4^{n_q - 1 - i}] Q_i$ and $$v = x_4^{n_q} \cdot \sum_{i=0}^{n_q - 1} \left(x_2^{n_q - 1 - i} \left(\frac{\mathbf{u}_i - r_i(x_3)}{\prod\ _{j=0}^{n_e - 1}(x_3 - \omega^{(\mathbf{q}_i)_j}x)}\right)\right) + \sum\ _{i=0}^{n_q - 1} x_4^{n_q - 1 - i} \mathbf{u}_i$$ | |
| 19 | step_19 | link | $\prover$ sets $p(X) = x_4^{n_q} \cdot q’(X) + \sum\limits_{i=0}^{n_q - 1} x_4^{n_q - 1 - i} \cdot q_i(X)$. | $\prover$ sets $p^* = x_4^{n_q} \cdot q’^* + \sum\limits_{i=0}^{n_q - 1} x_4^{n_q - 1 - i} \cdot q^*_i$. |
| 20 | step_20 | link | $\prover$ samples a random polynomial $s(X)$ of degree $n - 1$ with a root at $x_3$ and sends a commitment $S = \innerprod{\mathbf{s}}{\mathbf{G}} + [\cdot] W$ where $\mathbf{s}$ defines the coefficients of $s(X)$. | The blinding $\cdot$ used here is denoted as $s^{*}$. |
| 21 | step_21 | link | $\verifier$ responds with challenges $\xi, z$. | |
| 22 | step_22 | link | $\verifier$ sets $P^\prime = P - [v] \mathbf{G}_0 + [\xi] S$. | |
| 23 | step_23 | link | $\prover$ sets $p^\prime(X) = p(X) - p(x_3) + \xi s(X)$ (where $p(x_3)$ should correspond with the verifier’s computed value $v$). | $\prover$ sets $p^{\prime *} = s^* \cdot \xi + p^*$ |
| 24 | step_24 | link | Initialize $\mathbf{p^\prime}$ as the coefficients of $p^\prime(X)$ and $\mathbf{G^\prime} = \mathbf{G}$ and $\mathbf{b} = (x_3^0, x_3^1, …, x_3^{n - 1})$. $\prover$ and $\verifier$ will interact in the following $k$ rounds, where in the $j$th round starting in round $j=0$ and ending in round $j=k-1$ : | |
| * $\prover$ sends $L_j = \innerprod{\mathbf{p^\prime}\hi}{\mathbf{G^\prime}\lo} + [z \innerprod{\mathbf{p^\prime}\hi}{\mathbf{b}\lo}] U + [\cdot] W$ and $R_j = \innerprod{\mathbf{p^\prime}\lo}{\mathbf{G^\prime}\hi} + [z \innerprod{\mathbf{p^\prime}\lo}{\mathbf{b}\hi}] U + [\cdot] W$. | The blinding $\cdot$ used for $L_j$ is denoted $L_j^*$ and the blinding used for $R_j$ is denoted $R_j^*$ | |||
| * $\verifier$ responds with challenge $u_j$ chosen such that $1 + u_{k-1-j} x_3^{2^j}$ is nonzero. | ||||
| * $\prover$ and $\verifier$ set $\mathbf{G^\prime} := \mathbf{G^\prime}\lo + u_j \mathbf{G^\prime}\hi$ and $\mathbf{b} := \mathbf{b}\lo + u_j \mathbf{b}\hi$. | ||||
| * $\prover$ sets $\mathbf{p^\prime} := \mathbf{p^\prime}\lo + u_j^{-1} \mathbf{p^\prime}\hi$. | ||||
| 25 | step_25 | link | $\prover$ sends $c = \mathbf{p^\prime}_0$ and synthetic blinding factor $f$ computed from the elided blinding factors. | $\prover$ sets $f = p^{\prime *} + \sum_{j=0}^{k - 1}L_j^* \cdot u_j^{-1}+r_j^* \cdot u_j$ |
| 26 | step_26 | link | $\verifier$ accepts only if $\sum_{j=0}^{k - 1} [u_j^{-1}] L_j + P^\prime + \sum_{j=0}^{k - 1} [u_j] R_j = [c] \mathbf{G^\prime}_0 + [c \mathbf{b}_0 z] U + [f] W$. |
Functions
Add two polynomials, return resulting polynomial
Add a scalar (constant) from a polynomial, return resulting polynomial
Auxilary function for computing L_j or R_j in step 24
Checks if all entries in a polynomial is 0
Pedersen vector commitment
Compute vanishing polynomial over n-order multiplicative subgroup H with root of unity omega
Get the degree of a polynomial
divide the leading terms of two polynomials, returning a single term (e.g. 5x^3) represented as a polynomial
(helper function for divide_poly)
Perform polynomial long division, returning the quotient and the remainder.
The algorithm is from https://en.wikipedia.org/wiki/Polynomial_long_division.
Evaluate a polynomial at point, return the evaluation
Inner product, between to equal length vectors of field elements
Finds the Lagrange basis for a set of
points and a single evaluation point x
This will produce a polynomial that evaluates to 1 at xand to 0 at all other x-values in the set points
No other guarentees are given about the resulting polynomialFind lowest degree polynomial passing through a set points using legrange interpolation
msm 🔒
Multiscalar multiplicatoin, auxiliary function for Pedersen vector commitment
Polynomial multiplication using sparse multiplication.
This can be more efficient than operand scanning but also prone to side-channel
attacks.
Mostly copied from hacspec’s poly_mul
Multiply a polynomial by a scalar, return resulting polynomial
Wrapper function for multiplying a polynomial with the indeterminate
Wrapper function for multiplying a polynomial with the indeterminate multiple times
Rotate a polynomial
sigma 🔒
Implementation of the σ mapping from the protocol
step_4 🔒
Step 4
Beginning of the vanishing argument
step_5 🔒
Step 5
split polynomial of degree n_g(n-1)-n up into n_(g-2) polynomials of degree at most n-1
step_6 🔒
Step 6
commit to each h_i polynomial keeping them in the seq to peserve the power (i)
step_7 🔒
Step 7
Computes the sum from step 7 in the protocol description
step_8 🔒
Step 8
This functions calculates h’(X) from the h_i parts created in step 5 and the challenge x
step_9 🔒
Step 9
This functions returns r(x) and creates a seq filled with a_i from the second part of step 9
step_10 🔒
Step 10
This function initializes the s sequence of length n_a and fills it with polynomials of degree n_e-1 made with legrange interpolation
step_11 🔒
Step 11
Get the list of Q’s (Q_0, …, Q_{n_q - 1})
step_12 🔒
Step 12
Get the list of q’s (q_0, …, q_{n_q - 1}) and q_blinds (accumulated blindness)
step_13 🔒
Step 13
Get the list of r’s (r_0, …, r_{n_q - 1})
step_14 🔒
Step 14
Get the commitment Q’, poly q’ and the blindness used
step_15 🔒
Step 15
This function emulates sending a challenge.
step_16 🔒
Step 16
Get the u ∈ F^{n_q} vector
step_17 🔒
Step 17
This function emulates sending a challenge.
step_18 🔒
Step 18
Get P and the v
step_19 🔒
Step 19
Get the p(X) polynomial
step_20 🔒
Step 20
Get the commitment S and the blindness used
step_21 🔒
Step 21
Get the xi and z challenges. They have to be fed into hacspec, since there is no randomness.
step_22 🔒
Step 22
Get the P’ curve-point/group-element
step_23 🔒
Step 23
Get the p’(X) polynomial and p’ blindness
step_24 🔒
Step 24
Get G‘, p’, b, L, R, and {L,R} blinds
step_25 🔒
Step 25
Get the zeroth entry in p and synthetic blinding factor f
step_26 🔒
Step 26
Verifiers final check of the protocol
Subtract two polynomials, return resulting polynomial
Subtract a scalar (constant) from a polynomial, return resulting polynomial
Trim a polynomial of trailing zeros (zero-terms) and return it