Update 2023-07-21-PLONKWHY.md
RisenCrypto authored Aug 16, 2023
1 parent 12dfa2e commit f29d4b8
Showing 1 changed file with 55 additions and 54 deletions.
109 changes: 55 additions & 54 deletions _posts/2023-07-21-PLONKWHY.md
Expand Up @@ -31,27 +31,27 @@ Note that these $3n$ elements are used as the $y$-coordinate while doing Lagrang
#### Blinding
**Q:** In Round 1 (Page 28 of the PLONK paper), random blinding scalars are used to modify the 3 wire polynomials (the polynomials representing the left, right & output of the gates). What exactly is blinding?

**A:** Let's say you have a polynomial $f(x)$ of degree $d$ & it's commitment $C_f$. Let's say the verifier selects random value $r$ & the prover sends the evaluation of $f$ at $r$ i.e. $f(r) = z$
**A:** Let's say you have a polynomial $f(X)$ of degree $d$ & it's commitment $C_f$. Let's say the verifier selects random value $r$ & the prover sends the evaluation of $f$ at $r$ i.e. $f(r) = z$

A polynomial of degree $d$ can be recreated with $d+1$ evaluations by using Lagrange Interpolation. So, each opening of a Polynomial Commitment leaks some info about the polynomial.

Hence SNARKs use a trick called blinding to make it zero knowledge. Multiply the vanishing polynomial $Z_H$ by a random Polynomial $R(x)$ & add it to $f(x)$ to create a new polynomial $F(x)$
Hence SNARKs use a trick called blinding to make it zero knowledge. Multiply the vanishing polynomial $z_H$ by a random Polynomial $R(X)$ & add it to $f(X)$ to create a new polynomial $F(X)$

$F(x) = R(x)\star Z_H + f(x)$
$F(X) = RX)\cdot z_H + f(X)$

Instead of committing and opening $f(x)$, the prover commits & opens $F(x)$.
Instead of committing and opening $f(X)$, the prover commits & opens $F(X)$.

$Z_H$ is zero on the set the constraints are checked on - so on this set $F(x) = f(x)$. So other than in the commitment & opening, the SNARK can continue to use $f$ instead of $F$
$z_H$ is zero on the set the constraints are checked on - so on this set $F(X) = f(X)$. So other than in the commitment & opening, the SNARK can continue to use $f$ instead of $F$

The next question is what should be the degree of the random polynomial $R$. That depends on how many points you open $f$ at - if there is an opening at only one point, then $R$ needs to be of minimum degree $1$, if there are two openings, then there $R$ needs to be at least of degree $2$. The new polynomial $F(x)$ which is going to be opened instead of $f(x)$ has to be of degree of $f$ plus the number of points at which $f$ needs to be opened.
The next question is what should be the degree of the random polynomial $R$. That depends on how many points you open $f$ at - if there is an opening at only one point, then $R$ needs to be of minimum degree $1$, if there are two openings, then there $R$ needs to be at least of degree $2$. The new polynomial $F(X)$ which is going to be opened instead of $f(X)$ has to be of degree of $f$ plus the number of points at which $f$ needs to be opened.

In Round 1, the left, right & output polynomials are evaluated only at one point each & hence a random polynomial of degree $1$ is used for blinding - for e.g. for blinding the opening of $a(X)$, $R(x) = (b_1 X + b_2)$ is used as the random polynomial. The round 2 polynomial $z(X)$ is evaluated at 2 points & hence a degree 2 random polynomial $(b_7 X + b_8 X + b_9)$ is used.
In Round 1, the left, right & output polynomials are evaluated only at one point each & hence a random polynomial of degree $1$ is used for blinding - for e.g. for blinding the opening of $a(X)$, $R(X) = (b_1 X + b_2)$ is used as the random polynomial. The round 2 polynomial $z(X)$ is evaluated at 2 points & hence a degree 2 random polynomial $(b_7 X + b_8 X + b_9)$ is used.

----
#### Linear Independence
**Q:** In Round 3 (Page 29), when combining different polynomials to form $t(X)$, why are different powers of $\alpha$ i.e. $ \alpha^0, \alpha^1, \alpha^2$ used.

**A:** Let's say we have 4 polynomials - $f_1$, $f_2$, $f_3$ & $f_4 \in \mathbb F_p[x]$ where the max degree of these polynomials is $d$ which is very, very small as compared to $p$.
**A:** Let's say we have 4 polynomials - $f_1$, $f_2$, $f_3$ & $f_4 \in \mathbb F_p[X]$ where the max degree of these polynomials is $d$ which is very, very small as compared to $p$.

We want to combine them into one polynomial $f$ such that if $f$ is 0 at some point, then all of $f_i$'s are also zero at the same point.

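Review bot: The blinding formula in the new text drops the opening parenthesis of the random polynomial, `$F(X) = RX)\cdot z_H + f(X)$`; it should read `$F(X) = R(X)\cdot z_H + f(X)$` to match the `$R(X)$` introduced in the line just above it. The degree-2 blinder for `$z(X)$` is still written as `$(b_7 X + b_8 X + b_9)$`, which is a linear polynomial; the Round 2 blinder in the PLONK paper is `$(b_7 X^2 + b_8 X + b_9)$`, so the square is missing in both the old and the new line and this edit was a chance to fix it. Minor: "it's commitment" should be "its commitment", and the rename from `$Z_H$` to lowercase `$z_H$` departs from the paper's `$Z_H(X)$`; if lowercase is intended it needs to be applied consistently through the rest of the file.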
Expand All @@ -60,25 +60,25 @@ This is a linearly independent set.

We can use this set to combine four variables $a_1, a_2, a_3$ & $a_4$ like this

$g(z) = a1 + a2\cdot z + a3\cdot z^2 + a4\cdot z^3$
$g(Z) = a1 + a2\cdot Z + a3\cdot Z^2 + a4\cdot Z^3$

If $g(z)=0$ at some $z \ne 0$, then it means $a_1 = a_2 = a_3 = a_4 = 0$ (by the definition of a linearly independent set)
If $g(Z)=0$ at some $Z \ne 0$, then it means $a_1 = a_2 = a_3 = a_4 = 0$ (by the definition of a linearly independent set)

So, we can combine the polynomials $f_i$'s as

$f(x,z) = f1(x) + z.f2(x) + z^2.f3(x) + z^3.f4(x)$
$f(X,Z) = f1(Z) + Z\cdot f2(x) + Z^2 \cdot f3(X) + Z^3\cdot f4(X)$

At some $x = r_1$, let
At some $X = r_1$, let

$f_1(r_1) = a_1$, $f_2(r_1) = a_2$, $f_3(r_1) = a_3$, $f_4(r_1) = a_4$,

So now

$f(x=r_1, z) = a1 + a2\cdot z + a3\cdot z^2 + a4\cdot z^3$
$f(X=r_1, X) = a1 + a2\cdot Z + a3\cdot Z^2 + a4\cdot Z^3$

At some random value $r_2$ chosen from $\mathbb F_p$, if

$f(x=r_1, z = r_2) = 0$
$f(X=r_1, Z = r_2) = 0$

then it means $a1 = a2 = a3 = a4 = 0$

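Review bot: The combined polynomial is mis-typed in the new line `$f(X,Z) = f1(Z) + Z\cdot f2(x) + Z^2 \cdot f3(X) + Z^3\cdot f4(X)$`: the first term should be `f1(X)`, not `f1(Z)`, and the second `f2(X)`, not `f2(x)`, since the `$f_i$` are polynomials in `$X$` and `$Z$` is the separate combining variable (the old line had this right apart from case). Two lines later `$f(X=r_1, X) = a1 + a2\cdot Z + a3\cdot Z^2 + a4\cdot Z^3$` should be `$f(X=r_1, Z) = \dots$`. Separately, the unchanged claim that `$g(Z)=0$` at some `$Z \ne 0$` implies `$a_1 = a_2 = a_3 = a_4 = 0$` is too strong: `$g$` is a degree-3 polynomial in `$Z$`, so for example `$a_1 = 1, a_2 = -1, a_3 = a_4 = 0$` gives `$g(1) = 0$` with nonzero coefficients. What linear independence of `$1, Z, Z^2, Z^3$` gives is that a nonzero `$g$` has at most 3 roots, so when `$Z = r_2$` is sampled uniformly from `$\mathbb F_p$`, `$g(r_2) = 0$` implies all `$a_i = 0$` except with probability at most `$3/p$` (Schwartz-Zippel); the conclusion should be stated with that caveat, which is consistent with the "random value `$r_2$`" the text relies on a few lines later and is the reason `$\alpha$` has to be a random challenge rather than a fixed constant.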
Expand All @@ -100,116 +100,117 @@ $H = \lbrace 1, \omega, \omega^2, \omega^3, ..., \omega^{n-1} \rbrace$

In [Groth16](/R1CSQAP/) with $n$ gates, we compute the vanishing polynomial

$Z_H = (x-1)\star(x-2)\star(x-2)\star ...\star(x-n)$ (where 1, 2, 3 etc are the gate numbers)
$z_H(X) = (X-1)\cdot (X-2)\cdot(X-3) \dots \dots(X-n)$ (where 1, 2, 3 etc are the gate numbers)

The number of gates is usually very large (may be a million gates or more). So, computing the vanishing polynomial which has a million such terms is quite expensive.

PLONK numbers the gates using the elements of the multiplicative subgroup $H$. Now the vanishing polynomial becomes

$Z_H = (x-1) \star(x-\omega)\star (x-\omega^2)\star ...\star (x-\omega^{n-1})$
$z_H(X) = (X-1) \cdot(X-\omega)\cdot (X-\omega^2)\cdot ...\cdot (X-\omega^{n-1})$

Now,

Let's consider the polynomial $x^n - 1$
Let's consider the polynomial $X^n - 1$

- For $x = 1$,
- For $X = 1$,

$1^n = 1$, so $(x-1)$ is a root of $x^n - 1$
$1^n = 1$, so $(X-1)$ is a root of $X^n - 1$

- For $x = \omega$,
- For $X = \omega$,

Since $\omega$ is the $n$th root of unity, $x^n = 1$ & hence $\omega$ is a root of $x^n - 1$
Since $\omega$ is the $n$th root of unity, $X^n = 1$ & hence $\omega$ is a root of $X^n - 1$

- For $x = \omega^2$
- For $X = \omega^2$

${\omega^2}^n = {\omega^n}^2 = {1}^2 = 1$.

So $\omega^2$ is also a root of $x^n - 1$
So $\omega^2$ is also a root of $X^n - 1$

- Like this, we can prove that every element of $H$ is a root of $x^n - 1$ & since $x^n - 1$ is degree $n$, the maximum number of roots it can have is $n$.
- Like this, we can prove that every element of $H$ is a root of $X^n - 1$ & since $X^n - 1$ is degree $n$, the maximum number of roots it can have is $n$.

So $x^n - 1 = (x-1) \star(x-\omega)\star (x-\omega^2)\star ...\star (x-\omega^{n-1})$
So $X^n - 1 = (X-1) \cdot (X-\omega)\cdot (X-\omega^2) \dots \dots (X-\omega^{n-1})$

So $Z_H = x^n - 1$
So $z_H = X^n - 1$

So now the vanishing polynomial $Z_H$ is very easy to compute instead of having to multiply a million terms.


$(2)$ Using a multiplicative subgroup allows an efficient & elegant Product Check on the subgroup.

With a polynomial $M(x)$, the prover has to prove that
With a polynomial $m(X)$, the prover has to prove that

$\prod_{x\in H} M(x) = 1$
$\prod_{X\in H} m(X) = 1$


i.e. the Prover has to prove that


$M(1)\star M(\omega) \star M(\omega^2) \star \cdots \star M(\omega^{n-1}) = 1$
$m(1)\cdot m(\omega) \cdot m(\omega^2) \dots \dots m(\omega^{n-1}) = 1$

Let's define another polynomial $Z(x)$ such that
Let's define another polynomial $z(X)$ such that

- $Z(1) = 1$
- $z(1) = 1$

- $Z(x\omega) = Z(x) \star M(x)$
- $z(X\omega) = z(X) \cdot m(X)$

Considering the above definition of $R$,
Considering the above definition of $z$,

**For** $x=1$,
**For** $X=1$,

$Z(1\star \omega) = Z(1)\star M(1)$
$z(1\cdot \omega) = z(1)\cdot m(1)$

i.e. $Z(\omega) = M(1)$
i.e. $z(\omega) = m(1)$


**For** $x=\omega$,
**For** $X=\omega$,

$Z(\omega^2) = Z(\omega\star\omega) = Z(\omega)\star M(\omega) = M(1) \star M(\omega)$
$z(\omega^2) = z(\omega\cdot\omega) = z(\omega)\cdot m(\omega) = m(1) \cdot m(\omega)$

i.e. $Z(w^2) = M(1)\star M(w)$
i.e. $z(\omega^2) = m(1)\cdot m(\omega)$

**For** $x=\omega^2$,
**For** $X=\omega^2$,

$Z(\omega^3) = Z(\omega^2\star\omega) = Z(\omega^2)\star M(\omega^2) = M(1) \star M(\omega)\star M(\omega^2)$
$z(\omega^3) = z(\omega^2\cdot\omega) = z(\omega^2)\cdot m(\omega^2) = m(1) \cdot m(\omega)\cdot m(\omega^2)$

i.e. $Z(\omega^3) = M(1) \star M(\omega)\star M(\omega^2)$
i.e. $z(\omega^3) = m(1) \cdot m(\omega)\cdot m(\omega^2)$

Likewise,

$Z(\omega^4) = M(1)\star M(\omega)\star M(\omega^2)\star M(\omega^3)$
$z(\omega^4) = m(1)\cdot m(\omega)\cdot m(\omega^2)\cdot m(\omega^3)$

$\cdots$

$\cdots$

With $x = \omega^{n-1}$,
With $X = \omega^{n-1}$,

$Z(\omega^n) = M(1)\star M(\omega)\star M(\omega^2)\star \cdots \star M(\omega^{n-1})$
$z(\omega^n) = m(1)\cdot m(\omega)\cdot m(\omega^2)\dots \dots m(\omega^{n-1})$

But since $\omega^n = 1$ (because $\omega$ is the $n$th root of unity)

$Z(1) = M(1)\star M(\omega)\star M(\omega^2)\star \cdots \star M(\omega^{n-1})$
$z(1) = m(1)\cdot m(\omega)\cdot m(\omega^2) \dots \dots m(\omega^{n-1})$


So to prove $\prod_{x\in H} M(x) = 1$, the prover has to prove
So to prove $\prod_{X\in H} m(X) = 1$, the prover has to prove

$1)$ $Z(1) = 1$
$1)$ $z(1) = 1$

and that

$2)$ $Z(1)$ was built accumulatively from the earlier $R$'s
$2)$ $z(1)$ was built accumulatively from the earlier $z$'s

which can be done elegantly & efficiently as described in that section of the PLONK paper.

This proof is based on our definition of $R(x)$
This proof is based on our definition of $z(X)$

$R(x\omega) = R(x) \star M(x)$
$z(X\omega) = z(X) \cdot m(X)$

We can define $R$ so because we are operating in a multiplicative subgroup
$H = \lbrace 1,\omega, \omega^2, \omega^3, ..., \omega^{n-1} \rbrace$, where multiplying by each element $\omega$ gives us the next element & thus we get the "right shift" relation between $R$ at an element & $R$ at the next element.
We can define $z$ so because we are operating in a multiplicative subgroup
$H = \lbrace 1,\omega, \omega^2, \omega^3, ..., \omega^{n-1} \rbrace$, where multiplying by each element $\omega$ gives us the next element & thus we get the "right shift" relation between $z$ at an element & $z$ at the next element.

Section $5$ of the PLONK Paper describes "Polynomial protocols for identifying permutations" which uses the above product check to prove that $\prod_{x\in H} \frac{f'(x)}{g'(x)} = 1$ with $M(x)$ defined as $M(x) = \frac{f'(x)}{g'(x)}$
Section $5$ of the PLONK Paper describes "Polynomial protocols for identifying permutations" which uses the above product check to prove that $\prod_{X\in H} \frac{f'(X)}{g'(X)} = 1$ with $m(X)$ defined as $m(x) = \frac{f'(X)}{g'(X)}$

$(3)$ Using a multiplicative subgroup of a Finite Field is required for usage of [Fast Fourier Transform](https://vitalik.ca/general/2019/05/12/fft.html) to speed up some operations.


[![Hits](https://hits.seeyoufarm.com/api/count/incr/badge.svg?url=https%3A%2F%2Frisencrypto.github.io%2FPLONKWHY%2F&count_bg=%2379C83D&title_bg=%23555555&icon=&icon_color=%23E7E7E7&title=hits&edge_flat=false)](https://hits.seeyoufarm.com)

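Review bot: The last changed line of the hunk leaves one lowercase indeterminate in the renamed definition, `with $m(X)$ defined as $m(x) = \frac{f'(X)}{g'(X)}$`; it should be `$m(X) = \frac{f'(X)}{g'(X)}$`. The rename of `$Z_H$` to `$z_H$` is also incomplete: the unchanged context line "So now the vanishing polynomial $Z_H$ is very easy to compute" still uses the capital, so the section now mixes `$z_H$` (the vanishing polynomial) with `$z(X)$` (the accumulator polynomial), which is easy to confuse; the PLONK paper writes `$Z_H(X)$` for the vanishing polynomial and `$z(X)$` for the accumulator, so keeping the capital for `$Z_H$` would avoid the clash. Two smaller points in the unchanged context: `${\omega^2}^n = {\omega^n}^2 = {1}^2 = 1$` renders as stacked exponents and should be `$(\omega^2)^n = (\omega^n)^2 = 1^2 = 1$`; and "may be a million gates" should read "maybe a million gates".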