Document Setup Ceremony Math #2855
Conversation
cronokirby
changed the title
The intro page should be complete, and I don't expect to need more sections, at least for the current documentation push.
docs/protocol/src/setup.md
Outdated
| We take the convention that lowercase letters (e.g. $x, a$) | ||
| are taken to be scalars in $\mathbb{F}$, | ||
| and uppercase letters (e.g. $X, A$) are taken to be elements | ||
| of $\mathbb{G}_1$, $\mathbb{G}_2$, or $\mathbb{G}_2$. |
There was a problem hiding this comment.
last one should be target group, i.e. $\mathbb{G}_2$ -> $\mathbb{G}_T$
| - $\displaystyle B := [\beta]_2 + \sum_i z_i \cdot v_i([x]_2) + s \cdot [\delta]_2$ | ||
| - $\displaystyle \hat{B} := [\beta]_1 + \sum_i z_i \cdot v_i([x]_1) + s \cdot [\delta]_1$ | ||
|
|
||
| - $\displaystyle C := \sum_{i \geq s} z_i \cdot \left[\frac{1}{\delta} p_i^{\alpha, \beta}(x)\right]_1 + \frac{t(x)}{\delta}h([x]_1) + s \cdot A + r \cdot \hat{B} - rs\delta$ |
There was a problem hiding this comment.
In the term involving
There was a problem hiding this comment.
No, it should be the way it is now: I'm stretching the notation here a bit, but the idea is that here "rho" would be t(x)/delta, seen as a constant.
| **Verification** | ||
|
|
||
| $$ | ||
| V_{\text{DL}}(\text{ctx}, X, Y, \pi = (K, s)) := s \cdot G \overset{?}{=} K + H(\text{ctx}, (X, Y, K)) \cdot X |
There was a problem hiding this comment.
Is it a correct understanding that G = Y here?
| &\quad k \xleftarrow{\$} \mathbb{F}\cr | ||
| &\quad K \gets k \cdot Y\cr | ||
| &\quad e \gets H(\text{ctx}, (X, Y, K))\cr | ||
| &\quad (K, k + e \cdot x)\cr |
There was a problem hiding this comment.
Should there be a step in the proving stage where we generate x and then compute X?
There was a problem hiding this comment.
I don't think this is necessary. What you care about is the link between these two specific elements, and the proof here is sufficient to get knowledge extraction for x, which is the other property you want out of this for the security proof of the ceremony; if my understanding of snarky ceremonies is accurate.
| - $\hat{x}^i \cdot [x^i]_1\quad (i \in [0, \ldots, 2d - 2])$ | ||
| - $\hat{x}^i \cdot [x^i]_2\quad (i \in [0, \ldots, 2d - 2])$ | ||
| - $\hat{\alpha}\hat{x}^i \cdot [\alpha x^i]_1\quad (i \in [0, \ldots, d - 1])$ | ||
| - $\hat{\beta}\hat{x}^i \cdot [\beta x^i]_1\quad (i \in [0, \ldots, d - 1])$ |
There was a problem hiding this comment.
Doesn't need to be in this PR but at some point we should document where we deviate from KMSV21 (e.g. when I was looking at this I was comparing with Fig. 6 in the paper)
Fixes #2854.
This documents the mathy parts of the ceremony, in enough detail for us to get started on implementation.
Some undocumented aspects are touching on the coordination side of things, like how the transaction log should be organized. I think those might be better documented in situ (i.e. in the code), but we might want to backfill docs for that later.
Anyhow, I think this chunk is self-contained and worth getting out there.