Arkworks for Marlin
Marlin
Fractal
Zero-knowledge proof algorithm Marlin is a R1CS based proof system, that, given a coefficient matrix parameter and a set of valid assignments ,among which x is public information, namely Instance and is private information, namely, witness if is established, R1CS is established.
If we let the above formula can be transformed into 。
Therefore, if we can prove that there are four vectors that satisfy
R1CS is established.
It’s a non-zero value if and only if
Then the polynomial is
Define:
Where is the row index of the kth non-zero value of the matrix,maps the index to the computational domain,and is the kth non-zero value of the matrix,which can be divisible by
Therefore, a polynomial can be expressed as
In order to prove ,define the polynomial
Which should satisfy
The relationship among in the group H is as shown in the following figure
Now, we multiply a factor for each element of on group ,then in order to ensure balance, we should multiply a factor for the which is as shown in the following figure
It can be seen that when the polynomial traverses the value of group , the following is satisfied
Likewise, we can also derive it from the formula
That is, if it can be proved that the accumulation of polynomials on group is 0, the linear relationship among is established.
Given a polynomial
Compute polynomial satisfying
Generate random polynomials
=> Prover
a. Commit to
b. Transcript.write
=> Oracle
Generate random numbers
=> Prover - sumcheck-1
Sumcheck for
c. Compute polynomials and such that
d. Commit to
e. Transcript.write
=> Oracle
Generate random number
=> Prover - sumcheck-1
a. Compute
b. If we send these numbers to the verifier, the verifier needs to compute
i.
ii.
iii.
Its computational complexity is ,therefore,this part of the calculation needs to be executed by the Prover as a proxy.
=> Prover -sumcheck-2
Sumcheck for
a. Compute polynomials and such that
b. Commit to
c. Transcript.write
=> Oracle
Generate random number
=> Prover - sumcheck-2
a. Compute
b. If we send these numbers to the verifier, the verifier needs to compute
i.
ii.
Its computational complexity is ,therefore,this part of the calculation needs to be executed by Prover as a proxy.
=> Prover - sumcheck-3
Sumcheck for
Define the polynomial
a. Compute polynomials and such that
which can be combined as:
where
b. Commit to
c. Transcript.write
=> Oracle
Generate random number
=> Prover - sumcheck-3
a. Compute
b. Send to the verifier
=> Verifier-sumcheck-3
a. Compute
i.
ii.
b. Verify
If it passes the verification, it means that the value computed by the Prover
is valid, then go to the previous level for verification.
=> Verifier-sumcheck-2
Recall the equality
a. Compute
i.
b. Verify
If it passes the verification, it means that the value computed by the Prover
is valid, then go to the previous level for verification.
=> Verifier-sumcheck-1
Recall the equality
a. Compute
i.
ii.
iii.
iv.
b. Verify
If it passes the verification,it means that the polynomials and satisfy a linear relationship.
=> Verifier
Verify
The protocol has carried out three rounds of interaction in total. The polynomials of each round of interaction commitment and the query points are as follows:
Generate random polynomials
Then, forsumcheck - 1
According to the optimization mentioned in the paper COS20. Claim6.7(Fractal)we make
For matrices ,the transformed matrices are
Define polynomial
Then, for sumcheck - 1,the formula becomes
Given the polynomial
Compute polynomial satisfying
Generate random polynomials
=> Prover
a. Commit to
b. Transcript.write
=> Oracle
Generate random number
=> Prover-sumcheck - 1
Sumcheck for
a. Compute polynomials and such that:
b. Commit to
c. Transcript.write
=> Oracle
Generate random number
=> Prover-sumcheck - 1
a. Compute
b. i. If we send these numbers to the verifier, the verifier needs to compute
i.
ii.
iii.
Its computational complexity is ,Therefore, this part of the calculation needs to be executed by Prover as a proxy.
=> Prover - sumcheck-2
Sumcheck for
Define the polynomial
a. Compute polynomials and such that
which can be combined as
where
b. Commit to
c. Transcript.write
=> Oracle
Generate random number
=> Prover - sumcheck-2
=> Verifier sumcheck - 2
If it passes the verification, it means that the calculation calculated by the Prover is valid, then it goes up to the previous verification.
=> Verifier sumcheck - 1
Recall the equality
a. Compute
i.
ii.
iii.
iv.
=> Verifier
Verify
Compress the current verification of the three matrices into the verification of one matrix, namely
Represent this polynomial as a sparse matrix.
Matrix polynomials are reduced from 9 to 3.
Set b = 1