Learning new things!
Take example circuit in figure 1, following the Arithmetization described in post, a step by step description of GKR arithmetication of a concrete example.
\(q’\in \{0,1\}^{b_N}\): The index of one of the \(N\) identical copies of the base circuit \(C_0\) within \(C\).…
To understand the attack on Nova, I figure out I need to understand the role of the hash function and the validation check of hash function in Nova, from the first paper where the “cycle of curves” is not introduced, the circuit is illustrated as
to …
After understanding of the folding scheme of relaxed R1CS, of which the key idea is you can “fold” two proofs to be one, with this ability of relaxed R1CS in mind, how can one build a recursive proof from scratch? in this note I will describe several attempts to build …
explain the multipoints opening of Halo 2, I don’t think Halo2 book explain this part clearly, and perhaps, neither my note.
the key, is the homomorphism of the commitment scheme. and combine the evaluation at different points, and combine the different polynomial evaluated at the same points. Later if I …
Stark can be described in 5 steps in a high level:
$$f(X)=f_E(X^2)+X\cdot f_O(X^2)$$
if we take an intermediate variant \(Y\) to replace the \(X^2\)
With a fixed \(Y\), then \(f(x)\) can be considered as one degree polynomial for \(X\), as
$$f(X)=f_E(Y)+X\cdot f_O(Y)$$
and for a given \(y\), it determineds a unique line (one degree polynomial)
and the …
Vector Commitment on elliptic curve, useful for its additive homomorphic
$$\{(\textbf{g,h}\in \mathbb{G}^n, P \in \mathbb{G}, c \in \mathbb{Z}_p; \textbf{a,b}\in \mathbb{Z}_p^n): P=\textbf{g}^{\textbf{a}}\textbf{h}^{\textbf{b}} \wedge c=<\textbf{a},\textbf{b}>\}$$
the strategy is recursive proof. For every recursive step, keep the public statement in the same format, but the vector length, together with …
Plonk argument of knowledge can be described in 5 steps in a high level:
The constraint system in Plonk is
$$(\textbf{q}_{\textbf{L}_i} )\cdot …
There are two list \((a_1, a_2, a_3,…a_n)\) and \((b_1,b_2,b_3,…,b_n)\)
how can we prove they contain the same element? (now we only consider to have the same elements, permutation comes in next question) This question would help you to understand why the permutation construction in Plonk is constructed in …
Let \(C: \ \mathbb{F}^n \ \rightarrow \ \mathbb{F}^k\) be a map which takes \(n\) arguments from a finite field \(\mathbb{F}\) as inputs and compute \(k\) outputs in \(\mathbb{F}\). \(C\) is an arithmetic circuit if the outputs are determined by the operations \(+\) and \(\times\) to the