In the halo2 protocol, we commit a polynomial and then evaluate, and later check whether the committed polynomial is the same as the evaluated one. To do this, the original halo2 by ZCash uses inner product argument. The main reference is [BCMS20] and [4.2] in halo2 book.
Assume that we have a polynomial $f(X) \in \mathbb{F}_p[X]$ of degree $d$, and $d+1$ is a power of 2. Let $\mathbb{G}$ be an additive group of prime order with DLP security. We randomly sampled nonzero $G_i \in \mathbb{G}$ for $0 \leq i \leq d$. We also choose a random nonzero hiding factor $W, H \in \mathbb{G}$. For convenience, every vector notation denotes its vector form, for example, $\vec{G} = (G_i)$ and $\vec{f} = (m_i)$ if $f(X) = \sum_{i=0}^d m_i X^d$. And, $l$ and $r$ function make a vector into a half-lengthed vector which output the left half and right half respectively.
Commitment
To commit the polynomial $f(X)$, let $m_i$ be a $i$-th coefficient of $f$. The prover chooses a random $\xi \in \mathbb{F}_p$, and commits
$$C = \text{Commit}(f, \xi) = \sum_{i=0}^d m_i G_i + \xi W.$$
Note that this commitment is linear in $m_i$ and $\xi$.
Open and Check
In this stage, the prover evaluates $f(x)$ for some $x \in \mathbb{F}_p$ and makes an evaluation proof so that the verifier can check the evaluation is valid.
Let $v = f(x)$. The prover samples a random polynomial $\bar{f}(X)$ of degree $d$ with zero at $x$. This can be done by choosing a random polynomial of degree $d-1$ and multiplying $X-x$. Now, for a random $\bar{\xi}$, commit $\bar{f}$.
$$\bar{C} = \text{Commit}(\bar{f}, \bar{\xi})$$
The verifier makes a random challenge $z, \bar{z} \in \mathbb{F}_p^\times$. Then, the prover sets
$$f'(X) = f(X) - v + \bar{z} \bar{f}(X).$$
and commits $f'$ by $C' = \langle \vec{f'}, \vec{G} \rangle$ without hiding factor. Now, we want to recursively reduce the size of the proof as in [BCCGP16]. Let $\vec{x} = (1, x, x^2, \ldots, x^{d-1})$. I'd like to emphasize that the prover wants to prove $\langle \vec{f'}, \vec{x} \rangle = 0$ and $\langle \vec{f'}, \vec{G} \rangle = C'$. For the first round, let $\vec{G}_0 = \vec{G}$, $\vec{x}_0 = \vec{x}$, and $\vec{f'}_0 = \vec{f'}$. The prover sends
$$L_0 = \langle r(\vec{f'}), l(\vec{G}) \rangle + (z \langle r(\vec{f'}), l(\vec{x}) \rangle) H + L_0^* W$$
$$R_0 = \langle l(\vec{f'}), r(\vec{G}) \rangle + (z \langle l(\vec{f'}), r(\vec{x}) \rangle) H + R_0^* W$$
with random $L_0^*$ and $R_0^*$. The verifier makes a random challenge $u_0$. To make a half-lengthed proof, let
$$\vec{G_1} = l(\vec{G}) + u_0 r(\vec{G})$$
$$\vec{x_1} = l(\vec{x}) + u_0 r(\vec{x})$$
and the prover calculates new witness
$$\vec{f'_1} = l(\vec{f'}) + u_0^{-1} r(\vec{f'})$$
Since $\langle l(\vec{f'}), l(\vec{x}) \rangle + \langle r(\vec{f'}), r(\vec{x}) \rangle = 0$ and $\langle l(\vec{f'}), l(\vec{G}) \rangle + \langle r(\vec{f'}), r(\vec{G}) \rangle = C'$, direct computation yields
$$\langle \vec{f'_1}, \vec{x}_1 \rangle = u_0 \langle r(\vec{f'}), l(\vec{x}) \rangle + u_0^{-1} \langle l(\vec{f'}), r(\vec{x}) \rangle,$$
$$\langle \vec{f'}_1, \vec{G_1} \rangle = C' + u_0 \langle r(\vec{f'}), l(\vec{G}) \rangle + u_0^{-1} \langle l(\vec{f'}), r(\vec{G}) \rangle,$$
and
$$z \langle \vec{f'_1}, \vec{x_1} \rangle H + \langle \vec{f'_1}, \vec{G_1} \rangle = C' + u_0 L_0 + u_0^{-1} R_0 - (u_0 L_0^* + u_0^{-1} R_0^*)W.$$
By applying this process for $m+1 = \log(d+1)$ rounds, the last $\vec{G_m}$, $\vec{x_m}$, and $\vec{f'_m}$ is just length-one vectors. By accumulating calculations,
$$z \vec{f'_m} \vec{x_m} H + \vec{f'_m} \vec{G_m} = C' + \sum_{j=0}^{m-1} (u_j L_j + u_j^{-1} R_j) - \sum_{j=0}^{m-1} (u_j L_j^* + u_j^{-1} R_j^*) W.$$
The prover sent each $L_j$ and $R_j$ for each round, and lastly send witness $\vec{f'_m}$ and blinding factors $L_j^*$ and $R_j^*$. Then, the verifier accepts only if the above equation holds.
Multipoint opening argument
We explained how to check evaluation for one polynomial $f(X)$. However, in the halo2 protocol, we use multiple polynomials corresponding to each column and multiple evaluations corresponding to each rotation. To check several evaluations work well with commitments efficiently, halo2 uses a multipoint opening argument.
Let's explain this using an example. What the prover committed is a set of polynomials and rotated polynomials. Say $a_i(X)$ for $0 \leq i \leq 8$, $a_i(\omega X)$ for $3 \leq i \leq 8$, and $a_i(\omega^2 X)$ for $6 \leq i \leq 8$ are committed. We can group $\{a_i\}$ by which rotations are used. That is, non-rotated $\{a_0(X), a_1(X), a_2(X)\}$ are group one, $\{a_3(X), a_4(X), a_5(X)\}$ are group two, and $\{a_6(X), a_7(X), a_8(X)\}$ are group three. For each group, let
$$q_1(X) = a_0(X) + x_1 a_1(X) + x_1^2 a_2(X)$$
$$q_2(X) = a_3(X) + x_1 a_4(X) + x_1^2 a_5(X)$$
$$q_3(X) = a_6(X) + x_1 a_7(X) + x_1^2 a_8(X)$$
where $x_1$ is a random challenge given by the verifier. Now, calculate an interpolation polynomial for each group. Recall that $x$ is a random challenge. $r_1(X)$ interpolates $(x, q_1(x))$. $r_2(X)$ interpolates $(x, q_2(x))$ and $(\omega x, q_2(\omega x))$, and $r_3(X)$ interpolates $(x, q_3(x)), (\omega x, q_3(\omega x)), (\omega^2 x, q_3(\omega^2 x))$.
Next, the prover computes
$$f_1(X) = \frac{q_1(X) - r_1(X)}{X-x}$$
$$f_2(X) = \frac{q_2(X) - r_2(X)}{(X-x)(X-\omega x)}$$
$$f_3(X) = \frac{q_3(X) - r_3(X)}{(X-x)(X-\omega x)(X-\omega^2 x)}$$
and for random $x_2$ given by the verifier, the prover computes
$$f(X) = f_1(X) + x_2 f_2(X) + x_2^2 f_3(X).$$
The verifier makes a random challenge $x_3$, then the prover sends evaluations $q_i(x_3)$. After receiving, the verifier sends a challenge $x_4$ again. Then, we use the inner product argument with
$$f_{\text{final}}(X) = f(X) + x_4 q_1(X) + x_4^2 q_2(X) + x_4^3 q_3(X).$$
You can find the full process of halo2 using IPA here. I tried to use consistent notation from there.
댓글
댓글 쓰기