EPF Week 7 Update 8 & 9

After going through Dankrad's IPA note with Pedersen and then going through a few more resources on IPA. I finally realised how IPA multipoint really worked!

Intro

Here I'll talk about how we can open multiple polynomials at different points.
Finally aggregating to 1 proof, 1 commitment and 1 scalar.

Definition

Given

m

IPA commitments

C_{0} = [f_{0} (X)] . . . C_{m - 1} = [f_{m - 1} (X)]

, prove evaluations:

f_{0} (z_{0}) = y_{0} ⋮ f_{m - 1} (z_{m - 1}) = y_{m - 1}

where

z_{i} \in {0, . . ., d - 1}

Prover

Let
$r \leftarrow H (C_{0}, . . . C_{m - 1}, z_{0}, . . ., z_{m - 1}, y_{0}, . . ., y_{m - 1})$

g (X) = r^{0} \frac{f_{0} (X) - y_{0}}{X - z_{0}} + r^{1} \frac{f_{1} (X) - y_{1}}{X - z_{1}} + \dots + r^{m - 1} \frac{f_{m - 1} (X) - y_{m - 1}}{X - z_{m - 1}}

The prover initially commits to

g (X)

, we denote this by

D

[g (X)]

Now the prover has to convince the verifier that

D

is a commitment to

g (X)

. We do this by evaluating

g (X)

at some random point

t

We can split the evaluation into

g_{1} (t)

and

g_{2} (t)

g_{2} (t)

. These two can be computed by the verifier, while

g_{1} (t)

cannot, because it involves random evaluations at the polynomials

f_{i} (X)

Hence the verifier is able to compute

g_{2} (t)

, and the prover will compute

g_{1} (t)

and send a proof of it's correctness.

The expressions are as following:

g_{1} (t) = \sum_{i = 0}^{m - 1} r^{i} \frac{f_{i} (t)}{t - z_{i}}

g_{2} (t) = \sum_{i = 0}^{m - 1} r^{i} \frac{y_{i}}{t - z_{i}}

Let
$t \leftarrow H (r, D)$

We note that

g_{1} (X) = \sum_{i = 0}^{m - 1} r^{i} \frac{f_{i} (X)}{X - z_{i}}

. However, we specify it as

\sum_{i = 0}^{m - 1} r^{i} \frac{f_{i} (X)}{t - z_{i}}

because

g_{1} (t)

is also able to prove for an opening, hence the verifier is able to compute the commitment for it.

Thereby, we finally boil down to 2 IPA proofs. One for

g_{1} (X)

t

. We call this

π

. And the other one for

g (X)

t

. We call this

ρ

Hence, the prover now computes

y = g_{1} (t)

, and the proof consists of

D, (π, y), ρ

However, this is still the variant where we haven't yet aggregated the proofs.

Verifier

The Verifier ultimately wants to verify that

D

is the commitment to the polynomial

g (x)

, hence he computes

r

and

t

Then the verifier also computes

g_{2} (t)

, by themselves.

However, the verifier cannot assert to the fact that

g_{1} (t)

is the correct computation by the prover. The verifier has to separately build

[g_{1} (X)]

and then re-check it with

g_{1} (t)

The verifier proceeds with computing

[g_{1} (X)]

. The verifier as I said, is able to compute this by themselves, to cross check it with

g_{1} (t)

using the ipa_verify() function, the reference Go implementation, using (

[g_{1} (X)]

g_{1} (t)

π

) params.

g (t) = g_{1} (t) - g_{2} (t)

, now that since

g_{1} (t)

was verified to be correct and

g_{2} (t)

was computed by the verifier, we can be sure that

g (t)

is correct.

Verifying
$g (x)$ at
$t$

We now call ipa_verify() passing (

D = [g (X)] *

g (t)

ρ

) as params.

Now we have 2 IPA proofs, 1 commitment and 1 scalar.

Now we are left with aggregation to 1 final IPA proof.

Aggregating…

Prover's side

Let

q \leftarrow H (t, [g_{1} (X)])

The prover no longer computes an IPA proof for

g_{1} (X)

and

g (X)

instead they combine them using

q

g_{3} (X) = g_{1} (X) + q \cdot g (X)

Now we form an IPA Proof for

g_{3} (X)

t

. Lets call this

σ

The prover still computes

y = g_{1} (t)

The proof consists of

D, σ, y

Verifier's side

In the previous step, the verifier called

[g_{1} (X)]

g_{1} (t)

with

π

, we delay this verification and instead compute:

$[g_{3} (X)] = [g_{1} (X)] + q \cdot [g (X)]$
$g_{3} (t) = g_{1} (t) + q \cdot g (t)$

We now call ipa_verify() using (

[g_{3} (X)]

g_{3} (t)

σ

This strategy finally boils down the proof to 1 IPA proof, 1 commitment and 1 scalar.

EPF Week 7 Update 8 & 9

Intro

Definition

Prover

Verifier

Verifying g(x) at t

Aggregating…

Prover's side

Verifier's side

Read more

PeerDAS POC To-do list

A Path-based approach of Nimbus-Eth1 for Kaustinen

Post Quantum Crypto Notes

EPF Update 12 and 13

Verifying
$g (x)$ at
$t$