owned this note
owned this note
Published
Linked with GitHub
**Notation:**
*The fold operation:*
Given a polynomial $h$ and $u\in F$ we define
$$fold(h,u)= \bar{u} h_{even}+ u h_{odd},$$
where $\bar{u}=1-u$.
**Crucial relation:**
Given $r,u\in F$ and polynomial $h$, define
$\alpha=h(r), \bar{\alpha}=h(-r)$ and
$\beta = fold(h,u)(r^2)$. Then
$$\beta = \bar{u}\frac{\alpha+\bar{\alpha}}{2} + u\frac{\alpha-\bar{\alpha}}{2r}. $$
In our version of Gemini, we mostly use this equality in the reverse direction deriving $h(r)$ from $h(-r)$ and $fold(h,u)(r^2)$. Precisely, we see from the above equation that
$$ \alpha = \frac{(u-\bar{u}r)\bar{\alpha}+ 2r \beta}{(\bar{u}r + u)} $$
For brevity, we denote below this RHS by
$derive(u,\bar{\alpha},\beta)$
Let $d=\log n$
Given this notation, we can concisely describe our optimized Gemini protocol:
(*Sidenote: I think there are some confusing typos in the version [here](https://hackmd.io/VpdZslmHRy-j11qnkebLnA?view#A-new-folding-argument)*)
Given polynomial $f$ of degree $<n$ and opening point $(u_0\ldots,u_{d-1})$ and the purported value $v=ml(f)(u_0,\ldots,u_{d-1})$
1. We define for each $j \in [d]$ $g_j=fold(g_{j-1},u_{j-1})$
2. $P$ sends commitments to $g_1,\ldots, g_{d-1}$
3. $V$ chooses random $r$
4. $P$ sends for $i\in [d-1]$, $\bar{\alpha}_i=g_i(-r^{2^i})$. And $\bar{\alpha}_0 = f(-r)$.
5. $V$ sets $\alpha_d=v$
6. $V$ derives the values $\alpha_0,\alpha_1,\ldots,\alpha_{d-1}$ going "backwards" via
$$\alpha_i = derive(u_i,\bar{\alpha}_i,\alpha_{i+1})$$
7. Using shplonk $P$ proves to $V$ the correctness of $$f(r)=\alpha_0,f(-r)=\bar{\alpha}_0,g_1(-r^2)=\bar{\alpha}_1,g_2(-r^4)=\bar{\alpha}_2,\ldots,g_{d-1}(-r^{2^{d-1}})=\bar{\alpha}_{d-1}$$
### Soundness issue:
In the above we don't check $\alpha_1,\ldots,\alpha_{d-1}$ using shplonk.
We give an example of why these checks should be added and how we can open to the wrong value.
We use $n=8$ so $d=3$.
We fix any $u=(u_0,u_1,u_2)$.
We take $f=0$.
we show we can successfully open $ml(f)(u)=v$ for any $v$.
It will be convenient to use the notations $g=g_1$, $h=g_2$. Also, to start use a challenge $r'$ and set $r=r'^2$ (so that $g$ is evaluated at $r$ rather than $r^2$)
We set $\alpha_0=\bar{\alpha}_0=\alpha_1=0$,
as an honest $P$ would get when starting with $f=0$.
we'll choose the coefficients of $g,h$ via a system of linear equations so that,
when setting "honestly" $\bar{\alpha}_1=g(r),\alpha_2=h(r^2),\bar{\alpha}_2=h(-r^2)$
we get
$$derive(u_1,\bar{\alpha}_1,\alpha_2)=0=\alpha_1$$
We denote by $g_0,g_1,g_2,g_3$, and $h_0,h_1$ the coefficients of $g,h$ respectively.
Let's set $\alpha=\alpha_1,\beta=\alpha_2,u=u_1$.
We have according to the derive formula:
$$ (\bar{u}r + u)\alpha = (u-\bar{u}r)\bar{\alpha}+ 2r \beta $$
So it suffices for us that
$$(u-\bar{u}r)\bar{\alpha}+ 2r \beta=0$$
Equivalently
$$P(r):=(u-\bar{u}r)g(-r)+ 2r h(r^2)=0$$
Since $r$ is chosen after $g,h$ are committed we want to make $P$ identically zero.
$P$ has degree four, and its coefficients are linear combinations of $g_0,g_1,g_2,g_3,h_0,h_1$.
Explicitly, if $P(X)=P_0 +P_1 X+ P_2 X^2 +P_3X^3 + P_4X^4$ then
calculation shows
$P_0= ug_0, P_1 = 2h_0 - \bar{u}g_0-ug_1$,
$P_2 = \bar{u}g_1+u g_2,P_3=2h_1-\bar{u}g_2-ug_3, P_4= \bar{u}g_3$
To zero out all coefficients of $P$, we can thus set
$g_0=0,g_1=2h_0/u,g_2=-\bar{u}g_1/u= -\bar{u}2h_0/u^2$
$g_3=0, h_1=\bar{u}g_2/2 = -\bar{u}^2 h_0/u^2$
Note that $h_0$ is still a free variable.
We choose $h_0$ so that
$$ \bar{u}_2 h_0 + u_2 h_1 = v$$
$P$ will send commitments to $g,h$, and the "honest" values $\bar{\alpha}_0=0, \bar{\alpha}_1=g(-r) \bar{\alpha}_2=h(-r^2)$
The application of $derive$ by $V$ will set
$\alpha_0=0=f(r')$.
So all shplonk checks will pass. It follows that $V$ will accept the proof for output $v$.
#### Converging to the implemented version (case d=2)
*(Written by Sergei before massive edit of the above, so might be out of context)*
Say $(u_0,u_1)$ is the evaluation point, and $v$ the claimed evaluation $ml(f)(u_0,u_1)$.
Then,
1. $P$ sends a commitment to $g_1$.
1. $V$ sends $r$.
2. $P$ sends the values $\bar{\alpha}_0=f(-r), \bar{\alpha}_1 = g(-r^2)$.
3. $V$ computes
$$\alpha_1 = g(r^2) = \frac{2 r^2 \cdot v - \bar{\alpha}_1 (r^2 (1-u_1) - u_1)}{r^2 ( 1- u_1) + u_1} $$
$$\alpha_0 = f(r) = \frac{2 r\cdot \alpha_1 - \bar{\alpha}_1(r (1 - u_0) - u_0)}{r(1-u_0) + u_0}$$
4. KZG check the values $\alpha_0$, $\bar{\alpha}_0$, and $\bar{\alpha}_1$
Note that the honest prover sends a commitment to
$g=fold(f,u_0):=(1-u_0) f_{even}+ u_0 f_{odd}$
Google Drive
Gist
Clipboard
Sign in with Wallet
