-
Notifications
You must be signed in to change notification settings - Fork 498
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[book] Fix p_poly
to match implementation; specify synthetic blinding factor f
construction
#777
base: main
Are you sure you want to change the base?
Conversation
p_poly is constructed as a linear combination of q_prime and the q_polys in steps 18 and 19 of the protocol description.
p_poly
in protocol to match implementationp_poly
in protocol to match implementation
p_poly
in protocol to match implementationp_poly
in protocol to match implementation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ACK with non-blocking suggestion; doc-only.
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Co-authored-by: Daira Hopwood <daira@jacaranda.org> Co-authored-by: str4d <jack@electriccoin.co>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ACK, this change looks correct. (I have not fully reviewed the protocol.) Doc-only.
p_poly
in protocol to match implementationp_poly
to match implementation; specify synthetic blinding factor f
construction
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ACK with nonblocking suggestions.
Co-authored-by: Lasse Bramer Schmidt <lasse@lasses-air.eduroam.net.au.dk>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ACK with suggestions.
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
book/src/design/protocol.md
Outdated
12. $\prover$ initializes $q_0(X), q_1(X), ..., q_{n_q - 1}(X) = 0$. | ||
* Starting at $i=0$ and ending at $n_a - 1$ $\prover$ sets $q_{\sigma(i)} := x_1 q_{\sigma(i)} + a'(X)$. | ||
12. $\prover$ initializes $q_0(X), q_1(X), ..., q_{n_q - 1}(X) = 0$ and blinding factors $q^*_0, q^*_1, ..., q^*_{n_q-1} = 0$. | ||
* Starting at $i=0$ and ending at $n_a - 1$ $\prover$ sets $q_{\sigma(i)} := x_1 q_{\sigma(i)} + a'(X)$ and $q^*_{\sigma(i)} := x_1 q^*_{\sigma(i)} + a^*_i$. | ||
* $\prover$ finally sets $q_0(X) := x_1^2 q_0(X) + x_1 h'(X) + r(X)$. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
* $\prover$ finally sets $q_0(X) := x_1^2 q_0(X) + x_1 h'(X) + r(X)$. | |
* $\prover$ finally sets $q_0(X) := x_1^2 q_0(X) + x_1 h'(X) + r(X)$ and $q^*_0 := x_1^2 q^*_0 + x_1 h'^* + r^*$. |
book/src/design/protocol.md
Outdated
@@ -330,7 +330,7 @@ In the following protocol, we take it for granted that each polynomial $a_i(X, \ | |||
|
|||
1. $\prover$ and $\verifier$ proceed in the following $n_a$ rounds of interaction, where in round $j$ (starting at $0$) | |||
* $\prover$ sets $a'_j(X) = a_j(X, c_0, c_1, ..., c_{j - 1}, a_0(X, \cdots), ..., a_{j - 1}(X, \cdots, c_{j - 1}))$ | |||
* $\prover$ sends a hiding commitment $A_j = \innerprod{\mathbf{a'}}{\mathbf{G}} + [\cdot] W$ where $\mathbf{a'}$ are the coefficients of the univariate polynomial $a'_j(X)$ and $\cdot$ is some random, independently sampled blinding factor elided for exposition. (This elision notation is used throughout this protocol description to simplify exposition.) | |||
* $\prover$ sends a hiding commitment $A_j = \innerprod{\mathbf{a'}}{\mathbf{G}} + [a^*_j] W$ where $\mathbf{a'}$ are the coefficients of the univariate polynomial $a'_j(X)$ and $a^*_j$ is some random, independently sampled blinding factor. (Similar notation is used throughout this protocol description, if the value is not reused we will use $\cdot$ to simplify exposition.) | |||
* $\verifier$ responds with a challenge $c_j$. | |||
2. $\prover$ sets $g'(X) = g(X, c_0, c_1, ..., c_{n_a - 1}, \cdots)$. | |||
3. $\prover$ sends a commitment $R = \innerprod{\mathbf{r}}{\mathbf{G}} + [\cdot] W$ where $\mathbf{r} \in \field^n$ are the coefficients of a randomly sampled univariate polynomial $r(X)$ of degree $n - 1$. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
3. $\prover$ sends a commitment $R = \innerprod{\mathbf{r}}{\mathbf{G}} + [\cdot] W$ where $\mathbf{r} \in \field^n$ are the coefficients of a randomly sampled univariate polynomial $r(X)$ of degree $n - 1$. | |
3. $\prover$ sends a commitment $R = \innerprod{\mathbf{r}}{\mathbf{G}} + [r^*] W$ where $\mathbf{r} \in \field^n$ are the coefficients of a randomly sampled univariate polynomial $r(X)$ of degree $n - 1$. |
p_poly
is constructed as a linear combination of q_prime and the q_polys in steps 18 and 19 of the protocol description. Previously, the expression used in the protocol description did not match the implementation:halo2/halo2_proofs/src/poly/multiopen/prover.rs
Lines 105 to 113 in 5678a50
halo2/halo2_proofs/src/poly/multiopen/verifier.rs
Lines 120 to 129 in 5678a50