Trustless (S)NARKs
Inner Product with KZG
[Figure: the vectors $\vec{a} = (a_1, \dots, a_8)$ and $\vec{b} = (b_1, \dots, b_8)$, indexed by the domain $\mathbb{H} = \{\omega^0, \dots, \omega^7\}$.]
- We know $\vec{a}$ and $\vec{b}$ such that $c = \langle \vec{a}, \vec{b} \rangle$
- To prove this using KZG, convert $\vec{a}, \vec{b}$ to polynomials

$$
a(X) = \sum_{i=1}^{8} a_i \cdot L_{\mathbb{H},i}(X), \qquad
b(X) = \sum_{i=1}^{8} b_i \cdot L_{\mathbb{H},i}(X)
$$

- Define a polynomial $m(X) := \sum_{i=1}^{8} a_i b_i \cdot L_{\mathbb{H},i}(X)$
- Define $r(X) = m(X) - a(z)b(X)$ for some $z \in \mathbb{F}$
- Finally, just open the polynomials $a, b, m, r$:

$$
\textsf{KZG.open}\left(m(X), \omega^0, c\right)
$$

$$
\textsf{KZG.open}\Big(\big\{a(X), b(X), r(X)\big\}, z, \big\{\bar{a}, \bar{b}, 0\big\}\Big)
$$

- Drawback: the trusted setup!
Inner Product: Main Idea
[Figure: the vectors $\vec{a} = (a_1, \dots, a_8)$ and $\vec{b} = (b_1, \dots, b_8)$ with the generator vectors $\vec{G} = (G_1, \dots, G_8)$ and $\vec{H} = (H_1, \dots, H_8)$; each half of every vector is scaled by $x$ or $x^{-1}$. In the equations, red marks the first half of a vector and cyan the second half.]
- Naive way: just send $\vec{a}, \vec{b}$ to the verifier
- Randomly sample generators $\vec{G}, \vec{H} \in \mathbb{G}^8$ and $Q \in \mathbb{G}$
- Pedersen commitment to the vectors $\vec{a}, \vec{b}$ as:

$$
P := \langle \vec{a}, \vec{G} \rangle + \langle \vec{b}, \vec{H} \rangle + \langle \vec{a}, \vec{b} \rangle Q
$$
$$
\begin{aligned}
={}& \langle x \textcolor{red}{\vec{a}}, x^{-1} \textcolor{red}{\vec{G}} \rangle
 + \langle x^{-1} \textcolor{cyan}{\vec{a}}, x \textcolor{cyan}{\vec{G}} \rangle \\
&+ \langle x^{-1} \textcolor{red}{\vec{b}}, x \textcolor{red}{\vec{H}} \rangle
 + \langle x \textcolor{cyan}{\vec{b}}, x^{-1} \textcolor{cyan}{\vec{H}} \rangle \\
&+ \big( \langle x \textcolor{red}{\vec{a}}, x^{-1} \textcolor{red}{\vec{b}} \rangle
 + \langle x^{-1} \textcolor{cyan}{\vec{a}}, x \textcolor{cyan}{\vec{b}} \rangle \big) Q \\
={}& \Big\langle \big(x \textcolor{red}{\vec{a}} + x^{-1} \textcolor{cyan}{\vec{a}}\big),
 \big(x^{-1} \textcolor{red}{\vec{G}} + x \textcolor{cyan}{\vec{G}}\big) \Big\rangle
 - x^{2} \langle \textcolor{red}{\vec{a}}, \textcolor{cyan}{\vec{G}} \rangle
 - x^{-2} \langle \textcolor{cyan}{\vec{a}}, \textcolor{red}{\vec{G}} \rangle \\
&+ \Big\langle \big(x^{-1} \textcolor{red}{\vec{b}} + x \textcolor{cyan}{\vec{b}}\big),
 \big(x \textcolor{red}{\vec{H}} + x^{-1} \textcolor{cyan}{\vec{H}}\big) \Big\rangle
 - x^{2} \langle \textcolor{cyan}{\vec{b}}, \textcolor{red}{\vec{H}} \rangle
 - x^{-2} \langle \textcolor{red}{\vec{b}}, \textcolor{cyan}{\vec{H}} \rangle \\
&+ \Big\langle \big(x \textcolor{red}{\vec{a}} + x^{-1} \textcolor{cyan}{\vec{a}}\big),
 \big(x^{-1} \textcolor{red}{\vec{b}} + x \textcolor{cyan}{\vec{b}}\big) \Big\rangle Q
 - x^{2} \langle \textcolor{red}{\vec{a}}, \textcolor{cyan}{\vec{b}} \rangle Q
 - x^{-2} \langle \textcolor{cyan}{\vec{a}}, \textcolor{red}{\vec{b}} \rangle Q
\end{aligned}
$$
$$
= \textsf{PED.commit}\big(\vec{a}_{\textsf{half}}, \vec{G}_{\textsf{half}}, \vec{b}_{\textsf{half}}, \vec{H}_{\textsf{half}}\big) - x^{2} L_1 - x^{-2} R_1
$$

- Now we only need to send $(\vec{a}_{\textsf{half}}, \vec{b}_{\textsf{half}}, L_1, R_1)$
- Recursion leads to $(L_1, R_1, L_2, R_2, L_3, R_3, a_{\textsf{last}}, b_{\textsf{last}})$
IPA Prover
- For $j \in \lceil \log_2(N) \rceil$, the prover starts by setting $n = N/2$:

$$
\begin{aligned}
&\circ\ (\textcolor{red}{\vec{a}} \ \| \ \textcolor{cyan}{\vec{a}}) \leftarrow \vec{a}, \quad
 (\textcolor{red}{\vec{b}} \ \| \ \textcolor{cyan}{\vec{b}}) \leftarrow \vec{b} \\
&\circ\ (\textcolor{red}{\vec{G}} \ \| \ \textcolor{cyan}{\vec{G}}) \leftarrow \vec{G}, \quad
 (\textcolor{red}{\vec{H}} \ \| \ \textcolor{cyan}{\vec{H}}) \leftarrow \vec{H} \\
&\circ\ L_j = \langle \textcolor{red}{\vec{a}}, \textcolor{cyan}{\vec{G}} \rangle
 + \langle \textcolor{cyan}{\vec{b}}, \textcolor{red}{\vec{H}} \rangle
 + \langle \textcolor{red}{\vec{a}}, \textcolor{cyan}{\vec{b}} \rangle Q
 && \textsf{MSM}: (2n+1) \\
&\circ\ R_j = \langle \textcolor{cyan}{\vec{a}}, \textcolor{red}{\vec{G}} \rangle
 + \langle \textcolor{red}{\vec{b}}, \textcolor{cyan}{\vec{H}} \rangle
 + \langle \textcolor{cyan}{\vec{a}}, \textcolor{red}{\vec{b}} \rangle Q
 && \textsf{MSM}: (2n+1) \\
&\circ\ \vec{a}_{\textsf{next}} = \big(x \textcolor{red}{\vec{a}} + x^{-1} \textcolor{cyan}{\vec{a}}\big), \quad
 \vec{G}_{\textsf{next}} = \big(x^{-1} \textcolor{red}{\vec{G}} + x \textcolor{cyan}{\vec{G}}\big)
 && \textsf{MSM}: (2n) \\
&\circ\ \vec{b}_{\textsf{next}} = \big(x^{-1} \textcolor{red}{\vec{b}} + x \textcolor{cyan}{\vec{b}}\big), \quad
 \vec{H}_{\textsf{next}} = \big(x \textcolor{red}{\vec{H}} + x^{-1} \textcolor{cyan}{\vec{H}}\big)
 && \textsf{MSM}: (2n)
\end{aligned}
$$

- Prover work: $O(N) \equiv \sum_{j \in \lceil \log_2(N) \rceil} 4n_j$
- Proof size: $\mathbb{G} \to 2\lceil \log_2(N) \rceil$, $\mathbb{F} \to 2$
IPA Verifier
- Given a proof $\big(\{L_j, R_j\}_{j \in \lceil \log_2(N) \rceil}, a, b\big)$, verifier starts by setting: $P_{\textsf{acc}} = P$

$$
\begin{aligned}
&\circ\ \vec{G}_{\textsf{next}} = \big(x^{-1} \textcolor{red}{\vec{G}} + x \textcolor{cyan}{\vec{G}}\big)
 && \textsf{MSM}: (2n) \\
&\circ\ \vec{H}_{\textsf{next}} = \big(x \textcolor{red}{\vec{H}} + x^{-1} \textcolor{cyan}{\vec{H}}\big)
 && \textsf{MSM}: (2n) \\
&\circ\ P_{\textsf{next}} = x^2 L_j + P_{\textsf{acc}} + x^{-2} R_j \\
&\circ\ P_{\textsf{acc}} \leftarrow P_{\textsf{next}}
\end{aligned}
$$

- After $\lceil \log_2(N) \rceil$ rounds, final verification check:

$$
\circ\ P_{\textsf{acc}} \stackrel{?}{=} a G_{\textsf{last}} + b H_{\textsf{last}} + \langle a, b \rangle Q
$$

- Verifier work: $O(N) \equiv \sum_{j \in \lceil \log_2(N) \rceil} 2n_j$
- Verifier in KZG was $O(1)$ 😳
IPA Efficient Verifier
- After $\lceil \log_2(N) \rceil$ rounds, final verification check:

$$
a G_{\textsf{last}} + b H_{\textsf{last}} + \langle a, b \rangle Q \stackrel{?}{=} P_{\textsf{acc}}
$$

- Verifier needs MSM: $2\lceil \log_2(N) \rceil + 1$ to compute $P_{\textsf{acc}}$

$$
\underbrace{
x_m^2 L_m + \dots +
\underbrace{
x_2^2 L_2 +
\underbrace{\big(x_1^2 L_1 + P + x_1^{-2} R_1\big)}_{P_1}
+ x_2^{-2} R_2
}_{P_2}
+ \dots + x_m^{-2} R_m
}_{P_m}
$$

- Note that $G_{\textsf{last}}$ and $H_{\textsf{last}}$ only depend on $\vec{G}, \vec{H}$ and challenges

$$
\begin{aligned}
G_{\textsf{last}} ={}& x_1^{-1}x_2^{-1}x_3^{-1} G_1 + x_1^{-1}x_2^{-1}x_3^{1} G_2 + x_1^{-1}x_2^{1}x_3^{-1} G_3 + x_1^{-1}x_2^{1}x_3^{1} G_4 \\
&+ x_1^{1}x_2^{-1}x_3^{-1} G_5 + x_1^{1}x_2^{-1}x_3^{1} G_6 + x_1^{1}x_2^{1}x_3^{-1} G_7 + x_1^{1}x_2^{1}x_3^{1} G_8.
\end{aligned}
$$

- Total verifier work MSM: $2N + 2\lceil \log_2(N) \rceil + 1$
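The prover and efficient-verifier slides above, run end to end as an added example (not code from the talk or from any IPA library). Assumptions: a toy group of order 1019 inside $\mathbb{Z}_{2039}^*$ written multiplicatively, hypothetical helper names (`msm`, `commit`, `fold`, `fold_pts`, `s_vector`, `demo`), and challenges drawn from a seeded RNG standing in for the interactive verifier's coins.

```python
import math, random

# Toy group (assumption of this example): the order-Q_ORD subgroup of Z_p^*, P_MOD = 2*Q_ORD + 1.
# The slides' additive notation maps to: x*G -> pow(G, x, P_MOD) and A + B -> A * B % P_MOD.
P_MOD, Q_ORD = 2039, 1019

def msm(scalars, points):  # <scalars, points>: multi-scalar multiplication
    return math.prod(pow(g, s % Q_ORD, P_MOD) for s, g in zip(scalars, points)) % P_MOD

def commit(a, b, G, H, Qg):  # PED.commit = <a,G> + <b,H> + <a,b>Q
    c = sum(x * y for x, y in zip(a, b)) % Q_ORD
    return msm(a, G) * msm(b, H) * pow(Qg, c, P_MOD) % P_MOD

def fold(lo, hi, x, y):  # scalars: x*lo + y*hi
    return [(x * l + y * h) % Q_ORD for l, h in zip(lo, hi)]

def fold_pts(lo, hi, x, y):  # generators: x*lo + y*hi
    return [pow(l, x, P_MOD) * pow(h, y, P_MOD) % P_MOD for l, h in zip(lo, hi)]

def prove(a, b, G, H, Qg, rng):  # rng stands in for the verifier's random challenges
    Ls, Rs, xs = [], [], []
    while len(a) > 1:
        n = len(a) // 2
        Ls.append(commit(a[:n], b[n:], G[n:], H[:n], Qg))  # L_j
        Rs.append(commit(a[n:], b[:n], G[:n], H[n:], Qg))  # R_j
        xs.append(rng.randrange(1, Q_ORD))                 # challenge x_j, nonzero
        x, xi = xs[-1], pow(xs[-1], -1, Q_ORD)
        a, b = fold(a[:n], a[n:], x, xi), fold(b[:n], b[n:], xi, x)
        G, H = fold_pts(G[:n], G[n:], xi, x), fold_pts(H[:n], H[n:], x, xi)
    return (Ls, Rs, a[0], b[0]), xs

def s_vector(xs):  # G_last = <s, G>; entry i is a product of x_j^{+1} / x_j^{-1}
    s = [1]
    for x in reversed(xs):  # x_1 selects the top-level half, so apply it last
        xi = pow(x, -1, Q_ORD)
        s = [v * xi % Q_ORD for v in s] + [v * x % Q_ORD for v in s]
    return s

def verify(P, proof, xs, G, H, Qg):  # efficient verifier: MSMs only, no per-round folding
    Ls, Rs, a, b = proof
    p_acc = P * msm([x * x for x in xs], Ls) * msm([pow(x, -2, Q_ORD) for x in xs], Rs) % P_MOD
    s = s_vector(xs)
    s_inv = [pow(v, -1, Q_ORD) for v in s]  # H folds with the inverse exponents
    return p_acc == commit([a], [b], [msm(s, G)], [msm(s_inv, H)], Qg)

def demo(n=8, seed=7):  # constructed sample input; n must be a power of two
    rng = random.Random(seed)
    gens = [pow(rng.randrange(2, P_MOD - 1), 2, P_MOD) for _ in range(2 * n + 1)]
    G, H, Qg = gens[:n], gens[n:2 * n], gens[-1]
    a, b = [rng.randrange(Q_ORD) for _ in range(n)], [rng.randrange(Q_ORD) for _ in range(n)]
    P = commit(a, b, G, H, Qg)
    proof, xs = prove(a, b, G, H, Qg, rng)
    return verify(P, proof, xs, G, H, Qg), verify(P * Qg % P_MOD, proof, xs, G, H, Qg), proof
```

`demo()` returns the result for the honest commitment, the result for a commitment shifted by $Q$ (a claimed inner product off by one), and the proof. A non-interactive deployment would derive each $x_j$ by hashing the full transcript, including $P$, rather than sampling it.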
Impact of IPA
[Figure labels: Trustless; Trusted Setup]
IPA to PCS
- With the Inner-product argument, we can derive a PCS:

$$
\begin{aligned}
f(X) &= a_1 + a_2X + a_3X^2 + \dots + a_{d-1}X^{d-1} \\
v := f(z) &= a_1 + a_2z + a_3z^2 + \dots + a_{d-1}z^{d-1} \\
&= \langle \vec{a}, \vec{z} \rangle
\end{aligned}
$$

$$
\textsf{IPApoly.commit}\left(f(X)\right) \equiv \quad P := \langle \vec{a}, \vec{G} \rangle
$$

$$
\textsf{IPApoly.open}\left(f(X), z, v\right) \equiv \ \pi_{\textsf{IPA}} = \textsf{IPA}(\mathcal{R})
$$

$$
\mathcal{R} = \left\{ ((P, z, v); \ \vec{a}) \ | \ P = \langle \vec{a}, \vec{G} \rangle \ \wedge \ v = \langle \vec{a}, \vec{z} \rangle \right\}
$$

$$
\textsf{IPApoly.verify}\left(\pi_{\textsf{IPA}}, z, v\right) \equiv \ \{0,1\} \leftarrow \textsf{IPA.verify}(\mathcal{R})
$$

- Here, we just need one generator vector $\vec{G}$ (read: smaller overall MSM)
Halo2 Recursion
- The IPA PCS verification equation:

$$
a \textcolor{red}{G_{\textsf{last}}} + a\textcolor{red}{b}Q
\stackrel{?}{=}
P + vQ + \sum_{j \in \lceil \log(d) \rceil} \left(x_j^2 L_j + x_j^{-2} R_j\right)
$$

- RHS is $O(\log(d))$ but LHS is still $O(d)$ as $G_{\textsf{last}} = \langle \vec{s}, \vec{G} \rangle$, $b = \langle \vec{s}, \vec{z} \rangle$

$$
G_{\textsf{last}}
=
\Big\langle
\overbrace{
\begin{pmatrix}
x_m^{-1} x_{m-1}^{-1} \dots x_3^{-1} x_2^{-1} x_1^{-1} \\[5pt]
x_m^{-1} x_{m-1}^{-1} \dots x_3^{-1} x_2^{-1} x_1^{1} \\[5pt]
x_m^{-1} x_{m-1}^{-1} \dots x_3^{-1} x_2^{1} x_1^{1} \\[5pt]
x_m^{-1} x_{m-1}^{-1} \dots x_3^{1} x_2^{-1} x_1^{-1} \\
\vdots \\
x_m^{1} x_{m-1}^{1} \dots x_3^{1} x_2^{1} x_1^{-1} \\[5pt]
x_m^{1} x_{m-1}^{1} \dots x_3^{1} x_2^{1} x_1^{1}
\end{pmatrix}
}^{\vec{s}},
\vec{G}
\Big\rangle
$$

- We can write $\vec{s}$ as the polynomial:

$$
s(X) = \prod_{j \in [k]} \left(x_j^{1} + x_j^{-1} X^{2^{j-1}}\right)
$$

- Thus, the verifier can compute $b$ in $O(\log(d))$
- What about $G_{\textsf{last}}$? It cannot!
- But the prover can send $G_{\textsf{last}}$ with a proof that it was correctly computed!
Halo2 Recursion
$$
\pi_1 = \left\{ \left\{ L_j^{(1)}, R_j^{(1)} \right\}_{j \in [m]}, a^{(1)}, \textcolor{orange}{G_{\textsf{last}}^{(1)}} \right\}
$$

$$
a^{(1)} \textcolor{orange}{G_{\textsf{last}}^{(1)}} + a^{(1)}\textcolor{red}{b^{(1)}}Q
\stackrel{?}{=}
P^{(1)} + v^{(1)}Q + \sum_{j \in [m]} \left( \big(x_j^{(1)}\big)^2 L_j^{(1)} + \big(x_j^{(1)}\big)^{-2} R_j^{(1)} \right)
$$

$$
\pi_2 = \left\{ \left\{ L_j^{(2)}, R_j^{(2)} \right\}_{j \in [m]}, a^{(2)}, \textcolor{lightgreen}{G_{\textsf{last}}^{(2)}}, \ \pi_{\textcolor{orange}{G_{\textsf{last}}^{(1)}}} \right\}
$$

$$
a^{(2)} \textcolor{lightgreen}{G_{\textsf{last}}^{(2)}} + a^{(2)}\textcolor{red}{b^{(2)}}Q
\stackrel{?}{=}
P^{(2)} + v^{(2)}Q + \sum_{j \in [m]} \left( \big(x_j^{(2)}\big)^2 L_j^{(2)} + \big(x_j^{(2)}\big)^{-2} R_j^{(2)} \right)
$$

$$
\pi_3 = \left\{ \left\{ L_j^{(3)}, R_j^{(3)} \right\}_{j \in [m]}, a^{(3)}, \textcolor{yellow}{G_{\textsf{last}}^{(3)}}, \ \pi_{\textcolor{lightgreen}{G_{\textsf{last}}^{(2)}}} \right\}
$$

$$
a^{(3)} \textcolor{yellow}{G_{\textsf{last}}^{(3)}} + a^{(3)}\textcolor{red}{b^{(3)}}Q
\stackrel{?}{=}
P^{(3)} + v^{(3)}Q + \sum_{j \in [m]} \left( \big(x_j^{(3)}\big)^2 L_j^{(3)} + \big(x_j^{(3)}\big)^{-2} R_j^{(3)} \right)
$$

$$
\pi_4 = \left\{ \left\{ L_j^{(4)}, R_j^{(4)} \right\}_{j \in [m]}, a^{(4)}, \textcolor{violet}{G_{\textsf{last}}^{(4)}}, \ \pi_{\textcolor{yellow}{G_{\textsf{last}}^{(3)}}} \right\}
$$

$$
a^{(4)} \textcolor{violet}{G_{\textsf{last}}^{(4)}} + a^{(4)}\textcolor{red}{b^{(4)}}Q
\stackrel{?}{=}
P^{(4)} + v^{(4)}Q + \sum_{j \in [m]} \left( \big(x_j^{(4)}\big)^2 L_j^{(4)} + \big(x_j^{(4)}\big)^{-2} R_j^{(4)} \right)
$$

$$
\vdots
$$

$$
\pi_M = \left\{ \left\{ L_j^{(M)}, R_j^{(M)} \right\}_{j \in [m]}, a^{(M)}, \textcolor{blue}{G_{\textsf{last}}^{(M)}} \right\}
$$

$$
a^{(M)} \textcolor{blue}{G_{\textsf{last}}^{(M)}} + a^{(M)}\textcolor{red}{b^{(M)}}Q
\stackrel{?}{=}
P^{(M)} + v^{(M)}Q + \sum_{j \in [m]} \left( \big(x_j^{(M)}\big)^2 L_j^{(M)} + \big(x_j^{(M)}\big)^{-2} R_j^{(M)} \right)
$$

$$
\textcolor{red}{G_{\textsf{last}}^{(M)}} \stackrel{?}{=} \textcolor{blue}{G_{\textsf{last}}^{(M)}}
$$
By Suyash Bagad