本文主要是介绍ZKP7.2 Polynomial Commitments Based on Error-correcting Code,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
ZKP学习笔记
ZK-Learning MOOC课程笔记
Lecture 7: Polynomial Commitments Based on Error-correcting Codes (Yupeng Zhang)
7.2 Polyneomial commitment based on error-correcting codes
-
Recall: polynomial commitment
- Four algorithms
- Keygen, Commit, Eval, Verify
- Keygen, Commit, Eval, Verify
- Four algorithms
-
Polynomial coefficients in a matrix
-
The coefficients of the polynomial is a matrix
-
If the number of degrees of the polynomial is not the power of an integer, you can pad it.
-
Argument for Vec-Mat product
- Polynomial commitment with d \sqrt{d} d proof size
-
-
Encoding the polynomial
-
Design a scheme to test the Vec-Mat product without sending the matrix directly to the verifier
- Encode each row of the matrix to a linear code
-
-
Committing the polynomial: Merkle Hash Tree
- Commit to each column of the encoded matrix using Merkle tree (each column is a leaf, verifier can choose a column to ask prover to open)
-
Step 1: Proximity test
- Ligero [AHIV’2017] and [BCGGHJ’2017]
- [BCGGHJ’2017] : Ideal linear commitment model. Linear-time encodable code → first SNARK with linear prover time
- One optimization
- Prover decodes the proof to a message (size k), and sends k to the verifier
- Decrease the size of proof from n to k
- The Verifier does not take the first step of check
- Prover decodes the proof to a message (size k), and sends k to the verifier
- Ligero [AHIV’2017] and [BCGGHJ’2017]
-
Step 2: Consistency check
- The vector u is not random chosen, so the Proximity test is necessary.
- The vector u is not random chosen, so the Proximity test is necessary.
-
Summary: Poly-commit based on linear code
- Keygen: sample a hash function
- Commit: encode the coefficient matrix of f row-wise with a linear code, compute the Merkle tree commitment
- Eval and Verify:
- Proximity test: random linear combination of all rows, check its consistency with t random columns
- Consistency test: u × F = m u \times F = m u×F=m, encode m and check its consistency with t random columns
- f(u) = m × u ′ m \times u' m×u′
-
Properties of the polynomial commitment
- Keygen: O(1), transparent setup!
- Commit:
- Encoding: O(d logd) field multiplications using RS code, O(d) using linear-time encodable code
- Merkle tree: O(d) hashes, O(1) commitment size
- Eval: O(d) field multiplications (non-interactive via Fiat Shamir)
- Proof size: O( d \sqrt{d} d)
- Verifier time: O( d \sqrt{d} d)
这篇关于ZKP7.2 Polynomial Commitments Based on Error-correcting Code的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
