issues with Gemini optimization

Notation:
The fold operation:
Given a polynomial

h

and

u \in F

we define

f o l d (h, u) = \bar{u} h_{e v e n} + u h_{o d d},

where

\bar{u} = 1 - u

.
Crucial relation:
Given

r, u \in F

and polynomial

h

, define

α = h (r), \bar{α} = h (- r)

and

β = f o l d (h, u) (r^{2})

. Then

β = \bar{u} \frac{α + \bar{α}}{2} + u \frac{α - \bar{α}}{2 r} .

In our version of Gemini, we mostly use this equality in the reverse direction deriving

h (r)

from

h (- r)

and

f o l d (h, u) (r^{2})

. Precisely, we see from the above equation that

α = \frac{(u - \bar{u} r) \bar{α} + 2 r β}{(\bar{u} r + u)}

For brevity, we denote below this RHS by

d e r i v e (u, \bar{α}, β)

Let

d = \log n

Given this notation, we can concisely describe our optimized Gemini protocol:
(Sidenote: I think there are some confusing typos in the version here)

Given polynomial

f

of degree

< n

and opening point

(u_{0} \dots, u_{d - 1})

and the purported value

v = m l (f) (u_{0}, \dots, u_{d - 1})

We define for each
$j \in [d]$
$g_{j} = f o l d (g_{j - 1}, u_{j - 1})$
$P$ sends commitments to
$g_{1}, \dots, g_{d - 1}$
$V$ chooses random
$r$
$P$ sends for
$i \in [d - 1]$ ,
${\bar{α}}_{i} = g_{i} (- r^{2^{i}})$ . And
${\bar{α}}_{0} = f (- r)$ .
$V$ sets
$α_{d} = v$
$V$ derives the values
$α_{0}, α_{1}, \dots, α_{d - 1}$ going "backwards" via

$α_{i} = d e r i v e (u_{i}, {\bar{α}}_{i}, α_{i + 1})$
Using shplonk
$P$ proves to
$V$ the correctness of
$f (r) = α_{0}, f (- r) = {\bar{α}}_{0}, g_{1} (- r^{2}) = {\bar{α}}_{1}, g_{2} (- r^{4}) = {\bar{α}}_{2}, \dots, g_{d - 1} (- r^{2^{d - 1}}) = {\bar{α}}_{d - 1}$

Soundness issue:

In the above we don't check

α_{1}, \dots, α_{d - 1}

using shplonk.

We give an example of why these checks should be added and how we can open to the wrong value.

We use

n = 8

d = 3

.
We fix any

u = (u_{0}, u_{1}, u_{2})

.
We take

f = 0

.
we show we can successfully open

m l (f) (u) = v

for any

v

.
It will be convenient to use the notations

g = g_{1}

h = g_{2}

. Also, to start use a challenge

r^{'}

and set

r = r^{' 2}

(so that

g

is evaluated at

r

rather than

r^{2}

)

We set

α_{0} = {\bar{α}}_{0} = α_{1} = 0

,
as an honest

P

would get when starting with

f = 0

we'll choose the coefficients of

g, h

via a system of linear equations so that,
when setting "honestly"

{\bar{α}}_{1} = g (r), α_{2} = h (r^{2}), {\bar{α}}_{2} = h (- r^{2})

we get

d e r i v e (u_{1}, {\bar{α}}_{1}, α_{2}) = 0 = α_{1}

We denote by

g_{0}, g_{1}, g_{2}, g_{3}

, and

h_{0}, h_{1}

the coefficients of

g, h

respectively.

Let's set

α = α_{1}, β = α_{2}, u = u_{1}

.
We have according to the derive formula:

(\bar{u} r + u) α = (u - \bar{u} r) \bar{α} + 2 r β

So it suffices for us that

(u - \bar{u} r) \bar{α} + 2 r β = 0

Equivalently

P (r) := (u - \bar{u} r) g (- r) + 2 r h (r^{2}) = 0

Since

r

is chosen after

g, h

are committed we want to make

P

identically zero.

P

has degree four, and its coefficients are linear combinations of

g_{0}, g_{1}, g_{2}, g_{3}, h_{0}, h_{1}

.
Explicitly, if

P (X) = P_{0} + P_{1} X + P_{2} X^{2} + P_{3} X^{3} + P_{4} X^{4}

then

calculation shows

P_{0} = u g_{0}, P_{1} = 2 h_{0} - \bar{u} g_{0} - u g_{1}

P_{2} = \bar{u} g_{1} + u g_{2}, P_{3} = 2 h_{1} - \bar{u} g_{2} - u g_{3}, P_{4} = \bar{u} g_{3}

To zero out all coefficients of

P

, we can thus set

g_{0} = 0, g_{1} = 2 h_{0} / u, g_{2} = - \bar{u} g_{1} / u = - \bar{u} 2 h_{0} / u^{2}

g_{3} = 0, h_{1} = \bar{u} g_{2} / 2 = - {\bar{u}}^{2} h_{0} / u^{2}

Note that

h_{0}

is still a free variable.

We choose

h_{0}

so that

{\bar{u}}_{2} h_{0} + u_{2} h_{1} = v

P

will send commitments to

g, h

, and the "honest" values

{\bar{α}}_{0} = 0, {\bar{α}}_{1} = g (- r) {\bar{α}}_{2} = h (- r^{2})

The application of

d e r i v e

V

will set

α_{0} = 0 = f (r^{'})

So all shplonk checks will pass. It follows that

V

will accept the proof for output

v

Converging to the implemented version (case d=2)

(Written by Sergei before massive edit of the above, so might be out of context)

Say

(u_{0}, u_{1})

is the evaluation point, and

v

the claimed evaluation

m l (f) (u_{0}, u_{1})

.
Then,

$P$ sends a commitment to
$g_{1}$ .
$V$ sends
$r$ .
$P$ sends the values
${\bar{α}}_{0} = f (- r), {\bar{α}}_{1} = g (- r^{2})$ .
$V$ computes

$α_{1} = g (r^{2}) = \frac{2 r^{2} \cdot v - {\bar{α}}_{1} (r^{2} (1 - u_{1}) - u_{1})}{r^{2} (1 - u_{1}) + u_{1}}$

$α_{0} = f (r) = \frac{2 r \cdot α_{1} - {\bar{α}}_{1} (r (1 - u_{0}) - u_{0})}{r (1 - u_{0}) + u_{0}}$
KZG check the values
$α_{0}$ ,
${\bar{α}}_{0}$ , and
${\bar{α}}_{1}$

Note that the honest prover sends a commitment to

g = f o l d (f, u_{0}) := (1 - u_{0}) f_{e v e n} + u_{0} f_{o d d}

Soundness issue:

Converging to the implemented version (case d=2)

Read more

Single Validator Metrics for Aztec Nodes

From AIRs to RAPs - how PLONK-style arithmetization works

Note Attestation Spec Implementation

Unit testing Aztec.nr Contracts