naive FRI #1
naive FRI #1
Conversation
|
|
||
| Simply put, it is a protocol for verifier to quickly check if a polynomial has a upper degree bound claimed by prover. | ||
|
|
||
| This post will explain the intuition of the math behind how polynomial folding works through some simple calculation examples end to end. These examples will demonstrate a naive version of FRI protocol without the the uses of commitment, which will explained in another post. |
There was a problem hiding this comment.
typo: "the the"
it'd be cool to incrementally build FRI here, so first fri is naive fri and doesn't use commitments, then get rid of g and h via the optimization, then add commitments, then add commitments that group some evaluations, then show how we can choose evaluations on each layer to reduce the number of queries, etc.
| ## How does FRI work? | ||
| FRI protocol relies on a fact that if a source polynomial $p_0$ can be recursively folded into a constant polynomial, then $p_0$ has an expected upper bound degree. By folding, we mean each round halves the degree of $p_0$. | ||
|
|
||
| Simply put, it is a protocol for verifier to quickly check if a polynomial has a upper degree bound claimed by prover. |
There was a problem hiding this comment.
for a verifier ... by a prover
| @@ -0,0 +1,157 @@ | |||
| ## How does FRI work? | |||
| FRI protocol relies on a fact that if a source polynomial $p_0$ can be recursively folded into a constant polynomial, then $p_0$ has an expected upper bound degree. By folding, we mean each round halves the degree of $p_0$. | |||
There was a problem hiding this comment.
if a source polynomial
$p_0$ can be recursively folded into a constant polynomial, then$p_0$ has an expected upper bound degree
I would remove the word "source" here because it's not clear what a "source polynomial" really is.
It's also not clear what that upper bound on the degree is. Perhaps rephrased like this:
The FRI protocol is an interactive protocol between a prover and a verifier in which the prover iteratively reduces the size of a (committed) polynomial via help from the verifier, until it reaches a constant degree. At the end of the protocol the verifier is convinced that the prover knows a polynomial of degree
$d$ proportional to the number of reductions in the protocol. Thus, by fixing the number of rounds/reductions, a prover can convince a verifier that the polynomial they know has a specific upper bound on its degree.
| p_1\text{ : } & 3 + 3y & \\ | ||
| p_2\text{ : } & 6 & | ||
| \end{align*} | ||
| $$ |
There was a problem hiding this comment.
maybe use a list instead of align?
|
|
||
| $p_0$ is the source polynomial. After a round of folding, it results in $p_1$. Then, the final round results in a constant polynomial $p_2$. | ||
|
|
||
| To see how this folding algorithm works, please refer to the [code](https://github.com/katat/fri/blob/ab5aad54b8fd1e37b881ed7558d6ad22b6911442/src/poly.rs#L77). |
There was a problem hiding this comment.
I think an english/math explanation would be better :p
There was a problem hiding this comment.
I think your explanation using the
|
|
||
| These folded polynomials have the following relationship with their source polynomials: | ||
|
|
||
| $$p_i\left(x^2\right)=\frac{p_{i-1}\left(x\right)+p_{i-1}\left(-x\right)}{2}+\beta_i \frac{p_{i-1}\left(x\right)-p_{i-1}\left(-x\right)}{2 x}$$ |
There was a problem hiding this comment.
this equation sorts of fall from the sky. I think it'd be better to explain the recipe of the reduction:
- if
$p_i$ is of degree$d$ , compute$g_i$ and$h_i$ as two degree$d/2$ polynomials, such that$p_i(x) = g_i(x^2) + x \cdot h_i(x^2)$ - get a random challenge
$\beta_i$ from the verifier - compute the next polynomial
$p_{i+1}(x) := g_i(x^2) + \beta_i \cdot h_i(x^2)$
There was a problem hiding this comment.
I agree. This is easier to explain on where the folded polynomial comes from.
The "fall from sky" equation is a step further and indeed difficult for others to reason where it is from without explaining the recipe of the reduction.
|
|
||
| *For simplicity, the random number $\beta$ will be assumed as 1 in this post. We would touch the implication behind this random number in another post that explains the commitment.* | ||
|
|
||
| $p_0$ is the original polynomial, and $p_2$ is a constant polynomial that can't be folded anymore. |
There was a problem hiding this comment.
I think I should be able to fold a constant polynomial without breaking the protocol (so FRI enforces an upper bound on the degree, but not a lower bound)
|
|
||
| $p_0$ is the original polynomial, and $p_2$ is a constant polynomial that can't be folded anymore. | ||
|
|
||
| These folded polynomials can be traced back to their source polynomials. Thus, the evaluations in a folded polynomial can be accumulated from the corresponding source polynomial. |
There was a problem hiding this comment.
not sure I understand this ^
|
|
||
| These folded polynomials can be traced back to their source polynomials. Thus, the evaluations in a folded polynomial can be accumulated from the corresponding source polynomial. | ||
|
|
||
| These relationships can serve as a proof for verifier to the consistency among the evaluations. The consistency check implies if there is a $p_0$ exists that the prover claimed. |
There was a problem hiding this comment.
not sure I get this one either ^
|
|
||
| These relationships can serve as a proof for verifier to the consistency among the evaluations. The consistency check implies if there is a $p_0$ exists that the prover claimed. | ||
|
|
||
| With the same folding setup, the final polynomial will be always the same value. Verifier can check against the same final value against the reduced values from different evaluation points. |
There was a problem hiding this comment.
what is a folding setup? you mean with the same polynomial and if the verifier sends the same randomness? I'm not sure I understand the paragraph here
|
|
||
| More formally, there are two properties: | ||
| - the number of rounds $k=log(d)$ to derive the final polynomial implies the expected upper bound degree $d$ | ||
| - the same final value can be re-used to check consistency of the evaluation claims across layers |
There was a problem hiding this comment.
(that second point is still not clear to me)
There was a problem hiding this comment.
Because the final layer is a constant polynomial, the verifier can expect the derived value from above layers to be always that same constant value, no matter which evaluation point is used.
Take the folding example above, the derived value should equal to 6, which is the constant polynomial
|
|
||
| for instance, $\left(a_1, w_1\right) \in \mathcal{R}$, where $a_1$ can represent a FRI query and constant value from $p_2$, while $w_1$ represents the corresponding evaluations across layers. | ||
|
|
||
| So the problem is to do the check to see if $a_1$ is in $\mathcal{L}$. In other words, the verifier checks if the prover can provide $w_1$ satisfying the query $a_1$. |
There was a problem hiding this comment.
^ not sure how useful this notation is here, and also what is exactly the relation
There was a problem hiding this comment.
I try to remark the problem that the FRI can help resolve in a compact way.
Obviously, it seems make it more confusing here :)
I think the relation
I was trying to emphasis consistent-layers, as the prover should provide corresponding evaluations for the verifier to derive the final constant value across layers. But as you pointed out in the other comments, some of the these evaluations can be deduced from evaluations at previous layers.
| p_2(x_2) &= 6 \\ | ||
| p_2((1^2)^2) &= 6 \\\\ | ||
| \end{align} | ||
| $$ |
There was a problem hiding this comment.
a think a list would render better here as well, doesn't render super well at least on github
There was a problem hiding this comment.
also I don't understand why you evaluate at 1 and -1 here? Aren't you just doing the reduction at this point? Why evaluate?
There was a problem hiding this comment.
My understanding is the prover need to evaluate the full domain and then commit the evaluations. Evaluating at 1 and -1 is an example of evaluating at point 1 and its symmetric point -1. Here I try to explain how these evaluations are done at the prover side.
There was a problem hiding this comment.
ah, I guess it is part of committing to the polynomial at each layer (but you were not talking about commitments so far). Grouping v and -v under the same leaf is an optimization :o
|
|
||
|
|
||
|
|
||
| In this manner, the prover can keep calculating for the whole domain. Then they would response the verifier query with the evaluations across layers for checking if an instance $a_i$ corresponding to the query is in the $\mathcal{L}\left(\mathcal{R}_{\text{consistent-layers }}\right)$ |
There was a problem hiding this comment.
keep calculating for the whole domain
what do you mean by that?
also it's the first time you talk about the verifier doing queries here. I think the typical explanations of FRI (ethstark, thaler, etc.) are usually clearer because they explain the commit phase and then the query phase, but here it's not clear what the protocol to follow is
There was a problem hiding this comment.
I was trying to focus on describing how the evaluations can be done using the polynomials in different layers at the prover side, with the intention to avoid touching the commitment part for now.
Then I plan to explain on why it is necessary to incorporate the challenge by verifier and commit to these evaluations in another post or later section. I guess this arrangement might help separate the concepts between the "basic core calculations" and the security component.
Maybe I should explain this intention in this section to give a better clue on the role of this part in the protocol.
|
|
||
| Based on the relationship implied from the equation of folding polynomial, the verifier can check the consistency among the evaluations between layers. Let's review and put this equation into use: | ||
|
|
||
| $$p_i\left(x^2\right)=\frac{p_{i-1}\left(x\right)+p_{i-1}\left(-x\right)}{2}+\beta_i \frac{p_{i-1}\left(x\right)-p_{i-1}\left(-x\right)}{2 x}$$ |
There was a problem hiding this comment.
here again the equation falls out of the sky. IMO a first naive FRI that doesn't do that, and use g and h would be easier. And then you can move to an optimized version of FRI that gets rid of g and h. For example:
Notice that if the verifier chooses the points they want to query carefully, for example
$p_0(v) = g_0(v^2) + v \cdot h_0(v^2)$ $p_0(-v) = g_0(v^2) - v \cdot h_0(v^2)$
which is possible as we have 2 linearly independent equations of 2 unknowns
then the next layer can be obtained locally without any further queries by the verifier:
There was a problem hiding this comment.
IIUC, the
Then, does it mean that, in the equation
Another question is, in this method, in order for the verifier to check
There was a problem hiding this comment.
Yeah, the ethstark paper says the prover will send the
There was a problem hiding this comment.
yeah at each layer you query both the evaluation at v and -v, BUT as an optimization the prover commits to both these optimization under the same leaf in the merkle tree
| $$p_i\left(x^2\right)=\frac{p_{i-1}\left(x\right)+p_{i-1}\left(-x\right)}{2}+\beta_i \frac{p_{i-1}\left(x\right)-p_{i-1}\left(-x\right)}{2 x}$$ | ||
|
|
||
|
|
||
| This equation is useful for the verifier to check the consistency of the evaluations across layers. That is, $p_i$ can be evaluated using two symmetric evaluations from its source polynomial $p_{i-1}$ by connecting the source domain $x$ and folded domain $x^2$. |
There was a problem hiding this comment.
what is a source domain and a folded domain? These seems like elements, not domains :o
|
Thanks a lot for the reviews @mimoo |
Please feel free to comment.