We present a protocol for sparse lineval. Based on Marlin/Fractal using Justin Drake's version of sumcheck.
Let \(H\) be a multiplicative subgroup of size \(n\). Let \(L_1,\ldots,L_n\in \mathbb{F}_{<n}[X]\) be a lagrange base of \(H\).
Here a verifier has a commitment to a polynomial \(f=\sum_{i\in H} f_i\cdot L_i(X)\) and wishes to compute the polynomial \(M\cdot f\) defined as follows. \(M\cdot f\) is the polynomial of degree \(<n\) with \((M\cdot f)(i) = \sum_{j\in H} M_{i,j}f_j\) for each \(i\in H\).
This suffices for an r1cs snark:
In R1CS the instance is defined by three matrices \(M_A,M_B,M_C\). Ignoring public inputs for simplicity, \(\mathscr{P}\) wishes to show knowledge of a vector \(f\in\mathbb{F}^n\) with
\((M_A\cdot f)\circ (M_B\cdot f) = (M_C\cdot f)\)
where \(\circ\) denotes coordinate-wise multiplication of vectors.
Thus, \(P\) can commit to the corresponding \(f=\sum_{j\in H}f_jL_j\), commit to the quotient polynomial \(T\triangleq (M_A f\cdot M_B f- M_C f)/Z_H\), and \(V\) can use the lineval protocol to check the equation at a random \(z\).
We use the \(H\)-ranged polynomials protocols from PLONK.
Which means we describe protocols by \(P\) sending polynomial commitments (or the polynomial themselves to an ideal party) and \(V\) checking in the end if certain identites hold between the polynomials on \(H\).
An important component in lineval is a subprotocol for computing the value \(\sum_{i\in H}f_i\) given \(com(f)\) (or oracle access to \(f\) via other means).
Marlin/Fractal use a protocol from Aurora for this, we instead use a suggestion of Justin Drake (with a further optimization of Dan Boneh and Ben Fisch).
Note that we can always reduce to the case of proving \(\sum_{i\in H}f_i =0\) , by subtracting \(c/|H|\) from \(f\), \(c\) being the original claimed sum.
Suppose \(g\) is a generator of \(H\). The prover will commit to the poly \(Z\in \mathbb{F}_{<n}[X]\) with \(Z(1)=0\),
and \(Z(g^i)=\sum_{j<i}f(g^j)\).
The verifier will check that the following equation holds on \(H\).
Let \[A(X,Y) \triangleq \sum_{i,j\in H} M_{i,j}L_i(X)L_j(Y)\]
The verifier precomputes polynomials to aid it in computing \(A\) taking advantage of the sparsity of \(M\).
We assume for simplicity the number \(k\) of non-zeroes entries in \(M\) is equal to \(n\) (otherwise the protocol requires an additional multiplicative subgroup of size \(k\)).
Now let \(col,row,val\) be polys of deg \(<n\) such that the \(i\)'th non-zero entry of \(M\) is at location \((row(i),col(i))\) and has value \(val(i)\).
Thus we have
\[A(X,Y)= \sum_{i\in H} L_{row(i)}(X)L_{col(i)}(Y) val(i)\]
We precompute commitments to \(row,col,val\).
Suppose now we wish to evaluate \((Mf)(x)\) for some \(x\in \mathbb{F}\).
We have
\[ (Mf)(x) = \sum_{i\in H} L_i(x)\cdot \left(\sum_{j\in H}M_{i,j}f_j\right)\]
reordering the sum we get
\[= \sum_{j\in H}f_j \cdot \left(\sum_{i\in H}M_{i,j}L_i(x)\right)= \sum_{j\in H}f(j)A(x,j)\]
Define \(A_x(X)\triangleq A(x,X)\)
Hence, it suffices to run the sumcheck subprotocol
on the polynomial \(f\cdot A_x\).
The subprotocol will require oracle access to \(A_x\)
Hence to reduce to sumcheck, it suffices to show how to compute \(A_x(y)\) for given \(y\in \mathbb{F}\).
We have \[A_x(y)= \sum_{i\in H} L_{row(i)}(x)L_{col(i)}(y) val(i)\]
Using \(L_i(X)= c_i Z_H(X)/(X-i)\) we can transform this to
\[=\sum_{i\in H}\frac{Z_H(x)}{x-row(i)}\frac{Z_H(y)}{y-col(i)}val(i)\]
(Note that we can modify dfn of \(val\) to "swallow" the constants c_i so the above equation is really accurate)
This is a sum of a rational function instead of polynomial, so we need to massage it a bit.
\(P\) sends a commitment to the polynomial \(g\in \mathbb{F}_{<n}[X]\) with
\[g(i)=\frac{Z_H(x)}{x-row(i)}\frac{Z_H(y)}{y-col(i)}val(i)\]
for each \(i\in H\).
We check \(g\)'s correctness by checking on \(H\) the identity
\[ g(X)\cdot (x-row(X))(y-col(X))-Z_H(x)Z_H(y)val(X)=0\]
Knowing that \(g\) is correct, we can run the sumcheck subprotocol on \(g\) to verify the value of \(A_x(y)=A(x,y)\) which was the last missing piece in the first sumcheck, and concludes the evaluation of \(Mf\) at \(x\).
or
or
By clicking below, you agree to our terms of service.
Sign in with Wallet
New to HackMD? Sign up
| Syntax | Example | Reference | |
|---|---|---|---|
| # Header | Header | 基本排版 | |
| - Unordered List |
|
||
| 1. Ordered List |
|
||
| - [ ] Todo List |
|
||
| > Blockquote | Blockquote |
||
| **Bold font** | Bold font | ||
| *Italics font* | Italics font | ||
| ~~Strikethrough~~ | |||
| 19^th^ | 19th | ||
| H~2~O | H2O | ||
| ++Inserted text++ | Inserted text | ||
| ==Marked text== | Marked text | ||
| [link text](https:// "title") | Link | ||
|  | Image | ||
| `Code` | Code |
在筆記中貼入程式碼 | |
| ```javascript var i = 0; ``` |
|
||
| :smile: |  |
Emoji list | |
| {%youtube youtube_id %} | Externals | ||
| $L^aT_eX$ | LaTeX | ||
| :::info This is a alert area. ::: |
This is a alert area. |
On a scale of 0-10, how likely is it that you would recommend HackMD to your friends, family or business associates?
Please give us some advice and help us improve HackMD.
Do you want to remove this version name and description?
Syncing
-
Any changes
Be notified of any changes
-
Mention me
Be notified of mention me
-
Unsubscribe
Subscribe