Proving Properties of Committed Polynomials

Date: 2024-08-28 21:10:30

Reviewed:

Topic / Chapter: Proving Properties of Committed Polynomials

summary

❓Questions

Notes

Topic 1

Proving Properties of Committed Polynomials
- Meaning of proof
  - $P (f, g)$ and $V (co m_{f}, co m_{g})$
  - goal: convince $V$ that $f, g \in F_{p}^{(\leq d)} [X]$ satisfy some properties
  - proof system (IOP)
    - $V \to P$ : $r$
    - $P \to V$ : $q$
    - $V \to P$ : query: $f (x), g (x), q (x)$ for $x \in F_{p}$
    - $P \to V$ : $f (x), π$
- Example: polynomial equality testing
  - $p \approx 2^{256}$ , $d \leq 2^{40}$ (i.e. $d / p$ is negl.)
  - let $f, g \in F_{p}^{(\leq d)} [X]$
    - for $r \leftarrow r F_{p}$ , $f (r) = g (r)$ then $f = g$ w.h.p.
    - simple equality test
  - proof as IOP: ↔ query $f (X)$ and $g (X)$ at $r$
  - procedure (after compile)
    - $P$ w/ $f, g \in F_{p}^{\leq d} [X]$
    - $V$ query $f (r), g (r)$
      - learns them
    - $P$ sends $y \leftarrow f (r), π_{f}$ and $y^{'} \leftarrow g (r), π_{g}$
    - $V$ : accepts if valid $π$ s and $y = y^{'}$
- Example: polynomial equality testing w/ KZG
  - $f = g \Leftrightarrow co m_{f} = co m_{g}$
    - ⇒ $V$ can tell if $f = g$ on its own (no need extra computation)
  - however: $P$ needed to test equality of “computed polynomials”
    - e.g. $V$ w/ $co m_{f}, co m_{g 1}, co m_{g 2}, co m_{g 3}$
    - and testing $f = g_{1} g_{2} g_{3}$
    - required prover to give values at $r$
    - in this case: complete and sound if $3 d / p$ is negl
      - $de g (g_{1} g_{2} g_{3}) \leq 3 d$
- Important proof gadgets for univariates
  - let $Ω \subseteq F_{p}$ and $∣Ω∣ = k$
  - let $f \in F_{p}^{(\leq d)} [X]$ , $(d \geq k)$
    - $V$ with $co m_{f}$
  - goal for eff. Poly-IOP: following
    - task 1: ZeroTest
      - prove that $f$ is identically zero on $Ω$
    - task 2: SumCheck
      - prove that $\sum_{a \in Ω} (a) = 0$
    - task 3: ProdCheck
      - prove that $\prod_{a \in Ω} f (a) = 1$
- Vanishing polynomial
  - let $Ω \subseteq F_{p}$ and $∣Ω∣ = k$
  - vanishing polynomial of $Ω$ :
    - $Z_{Ω} (X) := \prod_{a \in Ω} (X - a)$
      - i.e. 0 for everywhere in $Ω$
    - $de g (Z_{Ω}) = k$
  - $Ω$ being multiplicative subgroup of $F_{p}$ : important
  - let $ω \in F_{p}$ primitive $k$ th root of unity
    - i.e. $ω^{k} = 1$
    - if $Ω = {1, ω, ω^{2}, \dots, ω^{k - 1}} \subseteq F_{p}$
      - then $Z_{Ω} (X) = X^{k} - 1$
    - for $r \in F_{p}$ , evaluating $Z_{Ω} (r)$ takes $\leq 2 lo g_{2} k$ field operations
- ZeroTest on ( $Ω = {1, ω, ω^{2}, \dots, ω^{k - 1}} \subseteq F_{p}$ )
  - lemma: $f (a) = 0\forall a \in Ω ⟺ Z_{Ω} (X) ∣ f (X)$
  - ⭐ $P (f)$ : $q (X) \leftarrow f (X) / Z_{Ω} (X)$
    - if $f (a) = 0\forall a \in Ω$ , then leads to “clean” polynomial
    - $co m_{q} = q \in F_{p}^{\leq d} [X]$
      - it not polynomial: cannot commit
  - $V$ : $r \leftarrow s F_{p}$
    - query $q (X), f (X)$ at $r$
    - accept if $f (r) = ? q (r) \cdot Z_{Ω} (r)$
    - 👨‍🏫 $Z_{Ω} (r)$ to be computed by $V$ !
  - complete & sound assuming $d / p$ is negl.
  - $V$ time: $O (lo g k)$ and 2 (or: one) poly queries
  - $P$ time: computing and committing $q (X)$
    - $O (k)$ or $O (k lo g k)$
- ProductTest on ( $Ω = {1, ω, ω^{2}, \dots, ω^{k - 1}} \subseteq F_{p}$ )
  - set $t \in F_{p}^{(\leq k)} [X]$ be degree- $k$ polynomial:
    - $t (1) = f (1)$ , $t (ω^{s}) = \prod_{i = 0}^{s} f (ω^{i})$
      - for $s = 1, \dots, k - 1$
    - example
      - $t (ω) = f (1) \cdot f (ω)$
      - $t (ω^{2}) = f (1) \cdot f (ω) \cdot f (ω^{2})$
      - $t (ω^{k - 1}) = \prod_{a \in Ω} f (a) = 1$
        
        (supposedly)
      - and $t (ω \cdot x) = t (x) \cdot f (ω \cdot x)$
        
        $\forall x \in Ω$ , including $x = ω^{k - 1}$
  - lemma: if $t (ω^{k - 1}) = 1$ and
    - $t (ω \cdot x) - t (x) \cdot f (ω \cdot x) = 0$ $\forall x \in Ω$
    - ⇒ $\prod_{a \in Ω} f (a) = 1$
  - (unoptimized) procedure
    - $t (X) \in F_{p}^{(\leq k)}$
    - $t_{1} (X) = t (ω \cdot X) - t (X) \cdot f (ω \cdot X)$
      - should be 0 on $Ω$
    - set $q (X) = t_{1} (X) / (X^{k} - 1) \in F_{p}^{(\leq d)}$
      - leads to clean polynomial if $t_{1} (a) = 0\forall a \in Ω$
    - $P$ : sends $co m_{t}, co m_{q}$
    - $V$ : query $t (X)$ at $ω^{k - 1}, r, ω r$
      - also $q (X)$ at $r$ , and $f (X)$ at $ω r$
      - learns $t (ω^{k - 1}), t (r), t (ω r), q (r), f (ω r)$
    - $V$ : accepts if $t (ω^{k - 1}) = 1$ and $t (ω r) - t (r) f (ω r) = q (r) \cdot (r^{k} - 1)$
    - proof size: 2 commits, 5 eval. = 3 groups
    - $V$ time: $O (lo g k)$ (for $r^{k} - 1, ω^{k} - 1$ )
    - $P$ time: $O (k lo g k)$ (for quotient)
- Approach on rational functions

Zero Knowledge Proof MOOC

Proving Properties of Committed Polynomials

Date: 2024-08-28 21:10:30

Reviewed:

Topic / Chapter: Proving Properties of Committed Polynomials

Notes