CCS

Table of contents

CCS

Credits

CCS and R1CS (an intro)

CCS in general

R1CS -> CCS

CCS and Plonkish (intro)

Plonkish -> CCS

Matrix derivation

Obtaining c

Obtaining S

Code to verify the previous example

SuperSpartan

SuperSpartan - IOP for CCS to Snark for CCS

CCS+ & SuperSpartan+

CCS+

SuperSpartan+

Questions left:

Credits

This document has been possible thanks to the reviews of @asn-d6 and @oskarth as well as the immense help from @arnaucube and Edu(from PSE) who almost completely derived R1CS&Plonkish -> CCS.
Also thanks to Srinath Setty for his help on any question we've had while reading his paper as well as while elaborating this doc.

CCS and R1CS (an intro)

Due to NP-completeness equivalence, we can easily translate any R1CS statement and translate it into a CCS statement which is completelly equivalent.

To do so, it contais certain information as:

$m$ = Number of constraints.
$n$ = Number of columns of matrices.
$N$ = Number of non-zero entries on rows.
$l$ = Size of the public input vector.
$x$ = A vector containing public input instances.
$w$ = A vector containing the witness that satisfies the instance
$S$ .

An R1CS structure

S

is satisfied if:

(A \cdot z) \circ (B \cdot z) - (C \cdot z) = 0

where

z = (w, 1, x) \in F^{n}

CCS in general

In general, a CCS structure

S

consists of:

Size bounds {
$m, n, N, l, t, q, d \in N$ where
$n < l$ }
- $t$ => Maximum size of the domain of the multisets.
- $q$ => Number of multisets used within the CCS instance.
- $d$ => Represents the maximum cardinality of each multiset. Which translates to the amount of different elements contained inside each multiset.
A sequence of matrices
$M_{0} . . M_{t - 1}$ that define the fixed parts of our circuit.
A sequence of multisets
$S_{0}, . . ., S_{q - 1}$ where
$\forall s \in S_{i}$ ,
$d o m (s) = {0. . t - 1}$
A sequence of constants
$[c_{0}, . . ., c_{q - 1}]$

Some of thesedon't really translate to any property in particular. Indeed they're just parameters that are used to be able to adapt all the arithmetizations into CCS.

A CCS instance

(S, x)

is satisfied if only if:

\sum_{i = 0}^{q - 1} c_{i} \cdot ◯_{j \in S_{i}} (M_{j} \cdot \vec{z}) = \vec{0}

If we re-write this a bit, we get:

{c_{0} \cdot {(M_{S_{0} [0]} \cdot z) \circ (M_{S_{0} [1]} \cdot z) \circ . . . \circ (M_{S_{0} [t - 1]} \cdot z)}_{\forall M_{i} \in S_{0}} \cdot z} + . . . + {c_{q - 1} \cdot {(M_{S_{q - 1} [0]} \cdot z) \circ (M_{S_{q - 1} [1]} \cdot z) \circ . . . \circ (M_{S_{q - 1} [t - 1]} \cdot z)}_{\forall M_{i} \in S_{q - 1}} \cdot z} = 0

R1CS -> CCS

Let's actually see how we can translate R1CS into CCS:

To do so, we need to set some parameters:

$m$ =
$m$ in the R1CS instance.
$n$ =
$n$ in the R1CS instance.
$N$ =
$N$ in the R1CS instance.
$l$ =
$l$ in the R1CS instance.
$t$ = 3
$q$ = 2
$d$ = 2
$\vec{M}$ =
$[M_{A}, M_{B}, M_{C}]$ (R1CS matrices A, B and C)
$\vec{S}$ =
$[S_{0} = {0, 1}, S_{1} = {2}]$
$\vec{c}$ =
${c_{0} = 1, c_{1} = - 1}$

If we apply these constants to the aformentioned equation of a CCS instance:

1 \cdot {A \cdot z \circ B \cdot z} - 1 \cdot {C \cdot z} = 0

Let's actually see a sage example done by @arnaucube:

# R1CS-to-CCS (https://eprint.iacr.org/2023/552) Sage prototype

# utils
def matrix_vector_product(M, v):
    n = M.nrows()
    r = [F(0)] * n
    for i in range(0, n):
        for j in range(0, M.ncols()):
            r[i] += M[i][j] * v[j]
    return r
def hadamard_product(a, b):
    n = len(a)
    r = [None] * n
    for i in range(0, n):
        r[i] = a[i] * b[i]
    return r
def vec_add(a, b):
    n = len(a)
    r = [None] * n
    for i in range(0, n):
        r[i] = a[i] + b[i]
    return r
def vec_elem_mul(a, s):
    r = [None] * len(a)
    for i in range(0, len(a)):
        r[i] = a[i] * s
    return r
# end of utils


# can use any finite field, using a small one for the example
F = GF(101)

# R1CS matrices for: x^3 + x + 5 = y (example from article
# https://www.vitalik.ca/general/2016/12/10/qap.html )
A = matrix([
    [F(0), 1, 0, 0, 0, 0],
    [0, 0, 0, 1, 0, 0],
    [0, 1, 0, 0, 1, 0],
    [5, 0, 0, 0, 0, 1],
    ])
B = matrix([
    [F(0), 1, 0, 0, 0, 0],
    [0, 1, 0, 0, 0, 0],
    [1, 0, 0, 0, 0, 0],
    [1, 0, 0, 0, 0, 0],
    ])
C = matrix([
    [F(0), 0, 0, 1, 0, 0],
    [0, 0, 0, 0, 1, 0],
    [0, 0, 0, 0, 0, 1],
    [0, 0, 1, 0, 0, 0],
    ])

print("R1CS matrices:")
print("A:", A)
print("B:", B)
print("C:", C)


z = [F(1), 3, 35, 9, 27, 30]
print("z:", z)

assert len(z) == A.ncols()

n = A.ncols() # == len(z)
m = A.nrows()
#  l = len(io) # not used for now

# check R1CS relation
Az = matrix_vector_product(A, z)
Bz = matrix_vector_product(B, z)
Cz = matrix_vector_product(C, z)
print("\nR1CS relation check (Az ∘ Bz == Cz):", hadamard_product(Az, Bz) == Cz)
assert hadamard_product(Az, Bz) == Cz


# Translate R1CS into CCS:
print("\ntranslate R1CS into CCS:")

# fixed parameters (and n, m, l are direct from R1CS)
t=3
q=2
d=2
S1=[0,1]
S2=[2]
S = [S1, S2]
c0=1
c1=-1
c = [c0, c1]

M = [A, B, C]

print("CCS values:")
print("n: %s, m: %s, t: %s, q: %s, d: %s" % (n, m, t, q, d))
print("M:", M)
print("z:", z)
print("S:", S)
print("c:", c)

# check CCS relation (this is agnostic to R1CS, for any CCS instance)
r = [F(0)] * m
for i in range(0, q):
    hadamard_output = [F(1)]*m
    for j in S[i]:
        hadamard_output = hadamard_product(hadamard_output,
                matrix_vector_product(M[j], z))

    r = vec_add(r, vec_elem_mul(hadamard_output, c[i]))

print("\nCCS relation check (∑ cᵢ ⋅ ◯ Mⱼ z == 0):", r == [0]*m)
assert r == [0]*m

Output:

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

CCS and Plonkish (intro)

Before starting, there are a few new things to notice here:
We define a plonkish instance

S

to have the following:

$m$ = Number of constraints.
$n$ = Number of public and private witness.
$l$ = Size of the public input vector.
$e$ = Size of the selectors vector (amount of different selector values).
$t$ = Domain of the
$S$ instance. Translates to the length of a
$T_{i}$ instance. ie. Number of columns involved on a constraint inside
$T$ .
$g$ = A multivariate polynomial with
$t$ variables which is represented as a sum of
$q$ monomials of at most degree
$d$ .
$s$ = A vector of constants called selectors of size
$e$ .
$T$ = A matrix which contains the indexes of values at
$z$ which build up to
$g$ .

Plonkish -> CCS

Let's actually see how we can translate Plonkish into CCS:

Before starting, there are a few new things to notice here:
Differently from R1CS translation which is direct, we have some work to do which isn't simply set

\vec{S}

and

\vec{c}

Note that the vanilla plonk equation is:

q_{m} a b + q_{l} a + q_{r} b + q_{o} c + q_{c} = 0

P l o n k i s h = [\begin{matrix} q m & q l & q r & q o & q c & a & b & c \\ 1 & 0 & 0 & - 1 & 0 & x_{0} & x_{0} & x_{0} \\ 1 & 0 & 0 & - 1 & 0 & x_{1} & x_{1} & x_{1} \\ 0 & 2 & 2 & - 1 & 0 & x_{2} & x_{3} & x_{4} \\ 0 & 0 & 0 & 0 & 0 & x_{5} & x_{5} & x_{5} \end{matrix}]

Note that the Vanilla Plonk on the top is doing:

r_{0}

-> Bool check of

x_{0}

r_{1}

-> Bool check of

x_{1}

r_{2}

-> Addition check:

2 \cdot a + 2 \cdot b = c

r_{3}

-> Null constrait (this checks nothing)

After seeing the Plonkish we want to translate, we alreay can infer some things:

$m$ = 4 (4 rows in our plonkish = 4 constraints).
$n$ =
$F^{n}$ = 6 (We have 6 different witness variables
${x_{0} . . . x_{5}}$ .
We will go through each
$T_{i}$ and each value of the row
$i$ is the index of the vector
$s$ from which we will get a value from to set it in our matrix.
$t$ =
$8$ (Number of Plonkish instance columns).
$e$ =
$5$ (Number of different values ammong the selectors).
$d$ =
$3$ Note that
$q_{m} a b$ has degree 3.

To start, we need to define our selectors

s

instance and also, our witness instance

w

\vec{s} = [0, 1, - 1, 2] \vec{w} = [x_{0}, x_{1}, x_{2}, x_{3}, x_{4}, x_{5}]

With this, we can define our instance

z

.
Remember that in the paper, we have 2

z

instances defined. The plonkish one and the CCS one.
If we focus on the Plonkish one, we can see the definition:

z = (w, x, s) \in F^{n + e}

Hence, this means we can define

z

as the union of

w

and

s

(and also

x

but we don't have public witness in this scheme).

z_{P l o n k i s h} = [x_{0}, x_{1}, x_{2}, x_{3}, x_{4}, x_{5}, 0, 1, - 1, 2]

Note that we have also our

z

definition for CCS. Which will also be used here.

z_{C C S} = {w, 1, x} \in F^{n} z_{C C S} = [x_{0}, x_{1}, x_{2}, x_{3}, x_{4}, x_{5}, 1]

Remember that we can see

g

as a multivariate polynomial from it's definition if we consider each of the plonkish instance columns one variable:

g (q_{m}, q_{m}, q_{l}, q_{o}, q_{c}, a, b, c) = q_{m} a b + q_{l} a + q_{r} b + q_{o} c + q_{c}

The next step is to define

T

. Which remember, indexes into

g

elements of

z_{P l o n k i s h}

(which is collecting all the values that are used in the plonkish instance) and setting them into

g

With that, we define

T

for this example as:

T = [\begin{matrix} 0 & 0 & 0 & 7 & 6 & 6 & 8 & 6 \\ 1 & 1 & 1 & 7 & 6 & 6 & 8 & 6 \\ 2 & 3 & 4 & 6 & 9 & 9 & 7 & 6 \\ 5 & 5 & 5 & 6 & 6 & 6 & 6 & 6 \end{matrix}]

Matrix derivation

The following rust code summarizes the actual algorithm to derive the matrixes for the CCS instance

# The following CCS instance values have been provided by Carlos
# (https://github.com/CPerezz) and Edu (https://github.com/ed255),
# and this sage script was made to check the CCS relation.
T = [
    [0, 0, 0, 7, 6, 6, 8, 6],
    [1, 1, 1, 7, 6, 6, 8, 6],
    [2, 3, 4, 6, 9, 9, 7, 6],
    [5, 5, 5, 6, 6, 6, 6, 6]
]

# z_plonkish = [F(1), 0, 1, 2, 3, 10, 42, 0,1,-1,2]
# z_ccs = [F(1), 0, 1, 2, 3, 10, 42, 1]

z_plonkish = [x_0,x_1,x_2,x_3,x_4,x_5,0,1,-1,2,]
z_ccs = [1,x_0,x_1,x_2,x_3,x_4,x_5]
## Checks performed by this Plonk/CCS instance:
# - binary check for x0, x1
# - 2*x2 + 2*x3 == x4


# CCS parameters
q=5
d=3
S = [[3,0,1], [4,0], [5,1], [6,2], [7]]
c = [1, 1, 1, 1, 1]
t = 8
n = 6
l = 0
m=4

# Initialize the result matrixes
matrixes = [[[0 for _ in range(t-1)] for _ in range(m)] for _ in range(t)]

# Iterate over i and j
for i in range(m):
    for j in range(t):
        k_j = T[i][j]
        if k_j >= n:
            matrixes[j][i][n - l - 1] = z_plonkish[k_j - n]  
        elif k_j >= n - l - 1:
            matrixes[j][i][k_j + 1] = 1
        else:
            matrixes[j][i][k_j] = 1

Let's run the first iteration of this step explaining it here. Then the rest can be inferred.

Step i=0, j=0..t-1

Here, we select the row

i

from

T

and call it

T_{i}

T_{0} = [0, 0, 0, 7, 6, 6, 8, 6]

When
$j = 0$ ->
$k_{j} = 0$ .

Note that

z_{P l o n k i s h} [0] = 0

(which indexes to

x_{0}

z

So following the algorithm above, sice

k_{j} < n

we select

1

.
Then we can set the coeff of

M [0]_{0, 0} = 1

M [0]_{00} = 1

When
$j = 1$ ->
$k_{j} = 0$ -> We therefore select
$1$ .
Then we set
$M [1]_{0, 0} = 1$
When
$j = 2$ ->
$k_{j} = 0$ . -> We therefore select
$1$ .
Then we set
$M [2]_{0, 0} = 1$
When
$j = 3$ ->
$k_{j} = 7$ . Note now we fall into the
$k_{j} \geq n$ . Hence we take
$k_{j} - n$ as result.

z_{P l o n k i s h} [7 - 6] = 1

(Note here that this 1 points to the second position of
$s$ which actually corresponds to the value 1 of the selector).

Then we set

M [3]_{i_{0}} = s [k_{j} - n]

M [3]_{0, 0} = 1

When
$j = 4$ ->
$k_{j} = 6$ ->
$s [6 - 6] = s [0] = 0$
Then we set
$M [4]_{0, 0} = 0$
When
$j = 5$ -> Happens the same as above.
Then we set
$M [5]_{0, 0} = 0$
When
$j = 6$ ->
$k_{j} = 8$ ->
$s [8 - 6] = s [2] = - 1$ (Assume
$- 1$ in some
$G F$ is essentially a positive number (p-1)).
Then we set
$M [6]_{0, 0} = - 1$
When
$j = 7$ ->
$k_{j} = 6$ ->
$s [6 - 6] = s [0] = 0$
Then we set
$M [7]_{0, 0} = 0$

Up to this point, we should have the following matrixes:

M_{0} = [\begin{matrix} 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 \end{matrix}]

M_{1} = [\begin{matrix} 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 \end{matrix}]

M_{2} = [\begin{matrix} 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 \end{matrix}]

M_{3} = [\begin{matrix} 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 \end{matrix}]

M_{4} = [\begin{matrix} 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 \end{matrix}]

M_{5} = [\begin{matrix} 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 \end{matrix}]

M_{6} = [\begin{matrix} - 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 \end{matrix}]

M_{7} = [\begin{matrix} 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 \end{matrix}]

Note that in the paper is mentioned that any coefficient of the matrixes contained in

\vec{M}

that is not set is equal to 0!

Step i=3, j=7 (end of the algorithm)

After the 4th iteration (So

i = 3

j = 7

) the algorithm stops and we should obtain the following matrix vector

\vec{M}

as a result:

M_{0} = [\begin{matrix} 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 & 0 & 0 \\ 0 & 0 & 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 1 \end{matrix}]

M_{1} = [\begin{matrix} 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 1 \end{matrix}]

M_{2} = [\begin{matrix} 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 0 & 0 & 1 \end{matrix}]

M_{3} = [\begin{matrix} 1 & 0 & 0 & 0 & 0 & 0 \\ 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 \end{matrix}]

M_{4} = [\begin{matrix} 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 \\ 2 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 \end{matrix}]

M_{5} = [\begin{matrix} 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 \\ 2 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 \end{matrix}]

M_{6} = [\begin{matrix} - 1 & 0 & 0 & 0 & 0 & 0 \\ - 1 & 0 & 0 & 0 & 0 & 0 \\ - 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 \end{matrix}]

M_{7} = [\begin{matrix} 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 \end{matrix}]

Now that we have obtained

\vec{M}

it's time to get

\vec{c}

and

\vec{S}

. And it's also time to add the 1 fixed instance for which we have padded our matrixes to our vector

z

Leading on

z = [1, x_{0}, x_{1}, x_{2}, x_{3}, x_{4}, x_{5}, 0, 1, - 1, 2]

Obtaining c

c

is defined in a CCS instance as a vector of constants.
In the paper, we read:

For
$i \in {0, 1, . . ., q - 1}$ , set
$c_{i}$ to the coefficient of the
$i$ th monomial of
$g$ .

This is easy to see. If we represent the multivariate polynomial

g

understanding each column name as a variable:

g = q_{m} a b + q_{l} a + q_{r} b + q_{o} c + q_{c}

where the monomials that form it are:

{q_{m} a b, q_{l} a, q_{r} b, q_{o} c, q_{c}}

We can easily see that we don't have any constants/coefficients multiplying any of the monomials.
Hence, we conclude that they're all

$1$ .

\vec{c} = [1, 1, 1, 1, 1]

Obtaining S

\vec{S}

is defined as multisets of domain

t - 1

.
This has a really easy translation if we actually name things.

Let's name each variable of the

g

polynomial (same as naming each column of the plonkish instance).

In this case, if we recall, the plonkish instance was:

P l o n k i s h = [\begin{matrix} a & b & c & q m & q l & q r & q o & q c \\ x_{0} & x_{0} & x_{0} & 1 & 0 & 0 & - 1 & 0 \\ x_{1} & x_{1} & x_{1} & 1 & 0 & 0 & - 1 & 0 \\ 0 & 2 & 2 & - 1 & 0 & x_{2} & x_{3} & x_{4} \\ 0 & 0 & 0 & 0 & 0 & x_{5} & x_{5} & x_{5} \end{matrix}]

We will name/index all the columns in the

PLONKISH

matrix from

{0. .7}

Naming therefore ->

{q_{m} = 0, q_{l} = 1, q_{r} = 2, q_{o} = 3, q_{c} = 4, a = 5, b = 6, c = 7}

Then we read in the paper:

For
$i \in {0, 1, . . ., q - 1}$ , set if the
$i$ th monomial contains a variable
$j$ , where
$j \in {0, 1, . . ., t - 1}$ , add
$j$ to the multiset
$S_{i}$ with multiplicity equal to the degree of the variable.

Note that if we represent the multivariate polynomial

g

with the indexes instead of the string-based representation of them we obtain:

\vec{S} = [[3, 0, 1], [4, 0], [5, 1] [6, 2], [7]]

Code to verify the previous example

@arnaucube provided a modified version of the above code in which we can verify the instance used for the example on it.

# Plonk-CCS (https://eprint.iacr.org/2023/552) Sage prototype

# utils
def matrix_vector_product(M, v):
    n = M.nrows()
    r = [F(0)] * n
    for i in range(0, n):
        for j in range(0, M.ncols()):
            r[i] += M[i][j] * v[j]
    return r
def hadamard_product(a, b):
    n = len(a)
    r = [None] * n
    for i in range(0, n):
        r[i] = a[i] * b[i]
    return r
def vec_add(a, b):
    n = len(a)
    r = [None] * n
    for i in range(0, n):
        r[i] = a[i] + b[i]
    return r
def vec_elem_mul(a, s):
    r = [None] * len(a)
    for i in range(0, len(a)):
        r[i] = a[i] * s
    return r
# end of utils


# can use any finite field, using a small one for the example
F = GF(101)

# The following CCS instance values have been provided by Carlos
# (https://github.com/CPerezz) and Edu (https://github.com/ed255),
# and this sage script was made to check the CCS relation.

## Checks performed by this Plonk/CCS instance:
# - binary check for x0, x1
# - 2*x2 + 2*x3 == x4
M0 = matrix([
    [F(0),   1, 0, 0, 0, 0, 0],
    [0,   0, 1, 0, 0, 0, 0],
    [0,   0, 0, 1, 0, 0, 0],
    [0,   0, 0, 0, 0, 0, 1],
    ])
M1 = matrix([
    [F(0),   1, 0, 0, 0, 0, 0],
    [0,   0, 1, 0, 0, 0, 0],
    [0,   0, 0, 0, 1, 0, 0],
    [0,   0, 0, 0, 0, 0, 1],
    ])
M2 = matrix([
    [F(0),   1, 0, 0, 0, 0, 0],
    [0,   0, 1, 0, 0, 0, 0],
    [0,   0, 0, 0, 0, 1, 0],
    [0,   0, 0, 0, 0, 0, 1],
    ])
M3 = matrix([
    [F(1), 0, 0, 0, 0, 0,   0],
    [1, 0, 0, 0, 0, 0,   0],
    [0, 0, 0, 0, 0, 0,   0],
    [0, 0, 0, 0, 0, 0,   0],
    ])
M4 = matrix([
    [F(0), 0, 0, 0, 0, 0,   0],
    [0, 0, 0, 0, 0, 0,   0],
    [2, 0, 0, 0, 0, 0,   0],
    [0, 0, 0, 0, 0, 0,   0],
    ])
M5 = matrix([
    [F(0), 0, 0, 0, 0, 0,   0],
    [0, 0, 0, 0, 0, 0,   0],
    [2, 0, 0, 0, 0, 0,   0],
    [0, 0, 0, 0, 0, 0,   0],
    ])
M6 = matrix([
    [F(-1), 0, 0, 0, 0, 0,   0],
    [-1, 0, 0, 0, 0, 0,   0],
    [-1, 0, 0, 0, 0, 0,   0],
    [0, 0, 0, 0, 0, 0,    0],
    ])
M7 = matrix([
    [F(0), 0, 0, 0, 0, 0,   0],
    [0, 0, 0, 0, 0, 0,   0],
    [0, 0, 0, 0, 0, 0,   0],
    [0, 0, 0, 0, 0, 0,   0],
    ])

z = [F(1), 0, 1, 2, 3, 10, 42]

print("z:", z)

assert len(z) == M0.ncols()

# CCS parameters
n = M0.ncols() # == len(z)
m = M0.nrows()
t=8
q=5
d=3
S = [[3,0,1], [4,0], [5,1], [6,2], [7]]
c = [1, 1, 1, 1, 1]

M = [M0,M1,M2,M3,M4,M5,M6,M7]

print("CCS values:")
print("n: %s, m: %s, t: %s, q: %s, d: %s" % (n, m, t, q, d))
print("M:", M)
print("z:", z)
print("S:", S)
print("c:", c)

# check CCS relation (this is agnostic to Plonk, for any CCS instance)
r = [F(0)] * m
for i in range(0, q):
    hadamard_output = [F(1)]*m
    for j in S[i]:
        hadamard_output = hadamard_product(hadamard_output,
                matrix_vector_product(M[j], z))

    r = vec_add(r, vec_elem_mul(hadamard_output, c[i]))

print("\nCCS relation check (∑ cᵢ ⋅ ◯ Mⱼ z == 0):", r == [0]*m)
assert r == [0]*m

The most important thing for the code above is if we use the example with symbols rather than GF elements. If we do this symbolic analisis, we get the following r relation as a result of applying all the Haddamard products.

r = [x0^2 - x0, x1^2 - x1, 2*x2 + 2*x3 - x4, 0]

If we see the following r expresion that results from each of it's elements represent exactly the constraints our plonkish instance had.
If you recall, our plonkish instance was defined as:

r_{0}

-> Bool check of

x_{0}

r_{1}

-> Bool check of

x_{1}

r_{2}

-> Addition check:

2 \cdot a + 2 \cdot b = c

r_{3}

-> Null constrait (this checks nothing)

So as you see, each row of Plonkish has translated into an element of the vector r which represents the symbolic result of

S_{C C S}

The first and the second elements of
$r$ actually encode the same operation: x^2 - x Which is the boolean constraint!.
The third element of
$r$ actually contains the third constraint in the plonkish instance. Is obvious that 2*x2 + 2*x3 - x4 is doublings of two variables and equaling it to another one as a constraint.
Finally, the last is a null constraint, hence the last element of r equals 0.

SuperSpartan

SuperSpartan translates to simply to the classical Spartan protocol but using CCS as arithmetization system.

To check the correctness of

(I, W) \in R_{C C S}

(instance

(I, W)

actually satisfies the RCCS structure) is based on checking that the following identity holds:

0 \overset{?}{=} \sum_{a \in {0, 1}^{l o g_{m}}} \tilde{e q} (τ, a) \cdot \sum_{i = 0}^{q - 1} c_{i} \cdot \prod_{j \in S_{i}} (\sum_{y \in {0, 1}^{l o g_{m}}} \tilde{M_{j}} (a, y) \cdot \tilde{Z} (y)) (1)

What this is saying, is that if

(I, W) \in R_{C C S}

, then, we can apply the sumcheck protocol to the polynomial:

g (a) := \tilde{e q} (τ, a) \cdot \sum_{i = 0}^{q - 1} c_{i} \prod_{j \in S_{i}} (\sum_{y \in {0, 1}^{l o g_{m}}} \tilde{M_{j}} (a, y) \cdot \tilde{Z} (y)) (2)

This is esentially saving to the verifier the costs of computing the right hand side of the first equation of this section to actually evaluate

g

at a random input

r_{a}

So once we are here, we can see that the problem can actually be translated to compute

t

sumchecks in parallel for:

\forall j \in {0, . ., t - 1} \sum_{y \in {0, 1}^{l o g_{m}}} \tilde{M_{j}} (r_{a}, y) \cdot \tilde{Z} (y) (3)

Note that here

\tilde{Z}

is defined as:

\tilde{Z} (X_{0}, . ., X_{l o g n - 1}) = (1 - X_{0}) \cdot \tilde{W} (X_{1}, . ., X_{l o g n - 1}) + X_{0} \cdot \tilde{(1, x)} (X_{1}, . ., X_{l o g n - 1}) (4)

In Spartan we use a trick to actually move from N sumchecks to 2 using fiat shamir. But here we have

$t$ . But here there's no mention on how we do reduce the sumcheck number so that we can actually lower the work load

SuperSpartan - IOP for CCS to Snark for CCS

In this section we get a clear description of the protocol which I think is worth rephrasing here:

Prover's work

Commit to an
$O (l o g n)$ -variate polynomial
$\tilde{Z}$ .
Performs the sumcheck of equation:

$\tilde{Z} (X_{0}, . ., X_{l o g n - 1}) = (1 - X_{0}) \cdot \tilde{W} (X_{1}, . ., X_{l o g n - 1}) + X_{0} \cdot \tilde{(1, x)} (X_{1}, . ., X_{l o g n - 1})$
Proves the evaluations of
$\tilde{Z}$ at particular random points sampled by the Verifier.
If the CCS instance is not uniform (Different
$M_{i}$ 's within the same
$R_{C C S}$ ), prove one evaluation at a random point sampled by de Verifier (
$r_{y}, r_{a}$ ) of each of the
$[M_{0}, . ., M_{t - 1}]$ instances.
Note that it's possible depending on the proving system to actually batch together all the
$M$ instances so that a single evaluation can be performed instead of
$t - 1$

Verifier's work

Participates in the sumcheck protocol over:

$\tilde{Z} (X_{0}, . ., X_{l o g n - 1}) = (1 - X_{0}) \cdot \tilde{W} (X_{1}, . ., X_{l o g n - 1}) + X_{0} \cdot \tilde{(1, x)} (X_{1}, . ., X_{l o g n - 1})$
I should elaborate more on what that exactly means.
Verifies the proofs of the evaluations of
$\tilde{Z}$ .
If the CCS instance is not uniform (Different
$M_{i}$ 's within the same
$R_{C C S}$ ), verify the evaluation at a random point previously sampled (
$r_{y}, r_{a}$ ) for each of the
$[M_{0}, . ., M_{t - 1}]$ instances.
Note that it's possible depending on the proving system to actually batch together all the
$M$ instances so that a single evaluation can be performed instead of
$t - 1$

CCS+ & SuperSpartan+

The paper also mentions the existance of an extension over SuperSpartan called SuperSpartan+ and an extension over CCS called CCS+.

CCS+

The description for this is very brief. Indeed it only mentions that in addition to the terms we already know a CCS instance has, a CCS+ instance also contains:

A lookup table
$T$ which is a set of field elements.
A sequence of lookup operations
$L$ where each entry is in the range
$[n]$ .

Then, it's mentioned that in addition to all the previous requirements for a

R_{C} C S

instance to be correct, now, in addition,

\forall o \in L, z [o] \in T

(for each lookup operation

o

L

, the witness

z [o]

actually needs to be inside of the lookup table

T

for the

R_{C C S +}

instance to actually be valid).

SuperSpartan+

In order for this to work, the Verifier needs to have oracle access to the polynomials

T

and

a

where

T

is the table that encodes the range or set and

a

the values claimed to be inside of

T

In order to support lookups, SuperSpartan+ encodes all the lookup operations

L

in a sparse matrix

M_{L}

where

\forall i \in [L], M_{L} [i] [L [i]] = 1

and all other entries are set to 0.

Then the prover sets the polynomial

\tilde{a}

together with

\tilde{w}

and

a

is claimed to be the MLE of the vector

M_{L} \cdot z

As done in the original protocol, using the sum-check invocation the problem is reduced to check that the claimed relationship

M_{L} \cdot z = a

Questions left:

How do we go from
$t - 1$ sumchecks to just 1 for the
$M_{i}$ instances? I assume doing the same tricks as in Spartan. But it's not clear.
Is the mermaid diagram acurate? Is it missing anything? Does it relate/map 1:1 to this section?
How do lookups fit into this? CCS+ does not define any equation that considers it.

asn-d6

2023/05/23 08:54:14

In this section

Slightly confused. What is this section doing? Are we still at superspartan? Does it just put the protocol of the previous section in a more clear format? Or what? (Edited)

DoHoon Kim

2023/05/25 03:44:36

:::info A CCS instance $(\mathbb{S}, x)$ is satisfied if only if: $$\sum_{i=0}^{q-1} c_i \cdot \bigcirc_{j \in S_i} (M_j \cdot \vec{z}) = \vec{0}$$ If we re-write this a bit, we get: $$\{c_0 \cdot \{ (M_{S_{0}[0]}\cdot z) \circ (M_{S_{0}[1]} \cdot z) \circ ... \circ (M_{S_{0}[t-1]} \cdot z) \}_{\forall M_i\in \mathbb{S}_0} \cdot z\} \\ \texttt{+} ... \texttt{+} \\ \{c_{q-1} \cdot \{(M_{S_{q-1}[0]} \cdot z )\circ (M_{S_{q-1}[1]} \cdot z) \circ ... \circ (M_{S_{q-1}[t-1]} \cdot z) \}_{\forall M_i\in \mathbb{S}_{q-1}} \cdot z\} = 0$$

I think if we have parentheses around the product of $M_j$ matrix and $z$ vector, it would be more clear! (Edited)

Carlos Pérez

2023/05/25 07:56:13

Yes. We're still at SuperSpartan. We just give a different and more explainatory description of the protocol than the diagram above. Should I maybe change the title to make it clear that we're still in SuperSpartan? (Edited)

arnaucube

2023/06/08 14:48:53

After the 4th iteration (So $i=3$, $j=7$) the algorithm stops and we should obtain the following matrix vector $\vec{M}$ as a result:

Should those matrices contain the extra column that Edu suggested this morning to make the math work out? (which was also confirmed in the Sage checks https://github.com/arnaucube/math/blob/master/ccs-plonk.sage#L44 ) (Edited)

2023/06/08 15:44:51

Yes! I'll add them now! I just wanted to think on the best way to do so! I also do need to add the 1 to the Z instance (Edited)

2023/06/08 16:14:39

I see that now that a 0-column has been added to all the matrices at the beginning. Note that in the Sage example is not in that way, and only the first 3 matrices have the 0-column at the beginning, and from M_3 to M_7, they have the 0-column at the end and this was what Edu suggested and what made it work when running the code. (Edited)

2023/06/08 16:16:52

Hmmm right! We can discuss that with Srinath tomorrow and make sure on which is the exact rule for padding this. So that we can formalize it more! (Edited)

2023/06/08 16:17:41

_z ``` ## Supe

Ping @asn-d6 (Edited)

2023/06/08 16:24:03

Fine with asking Srinath, but just to put the info on the table, I've tested the Sage script with the all the 0-columns on the left, and the ccs-relation-check passes (wrongly) even for witnesses that should not pass (eg. a non-binary value in a position that should have a binary-check). With the 0-column distributed as in the original sage script, the tests work as expected. (Edited)

Guest Nelson2023/06/08 16:24:16

lgtm (Edited)

2023/06/08 16:26:38

(example of a z that should not pass the CCS relation check but that with the 0-col on the left for all the matrices passes: z=[1, 0, 3, 2, 3, 10, 42] (the '3' is in the element that should be binary-checked)) (Edited)

Guest Butler2023/08/16 12:51:23

So once we are here, we can see that the problem can actually be translated to compute $t$ sumchecks in parallel for: $$ \forall j \in \{0,..,t-1\} \ \ \ \sum_{y \in \{0,1\}^{log_m}} \widetilde{M_j}(r_a,y) \cdot \widetilde{Z}(y)\ \ (3) $$

NOT y \in {0, 1}^{\log m}, should be y \in {0, 1}^{\log n}. The number of witnesses (Edited)

Guest Keller2023/09/21 19:00:56

plonkish instance columns

according to the T correct order should be (a,b,c, q_m, q_r, q_l, q_o, q_c) ?

Guest Keller2023/09/21 19:02:15

Number of different

probably e = 4 if it is the size of the fixed value set

CCS

Credits

CCS and R1CS (an intro)

CCS in general

R1CS -> CCS

CCS and Plonkish (intro)

Plonkish -> CCS

Matrix derivation

Step i=0, j=0..t-1

Step i=3, j=7 (end of the algorithm)

Obtaining c

Obtaining S

Code to verify the previous example

SuperSpartan

SuperSpartan - IOP for CCS to Snark for CCS

Prover's work

Verifier's work

CCS+ & SuperSpartan+

CCS+

SuperSpartan+

Questions left:

Read more

Summary on A short note on PQ-Verkle

A short note on PQ-Verkle

Privacy-preserving & secure web-search

Privacy is power.