sketch defintion of zero knowledge

content/docs/background/poly-iop.md

@@ -4,22 +4,25 @@
 
 **Definition 1 (Polynomial Commitment Scheme).** A polynomial commitment scheme (PCS) is an interactive proof system that enables $\mathcal{P}$ to convince $\mathcal{V}$ that he knows a polynomial, without revealing the polynomial directly. $\mathcal{P}$ and $\mathcal{V}$ run the protocol in three moves: **gen**, **com**, and **open**. [Plonk]
 
-**Definition 2 (Polynomial IOP).** Let $\mathcal{R}$ be a set of the relations among polynomials $\{P_i\}$. Let $\mathcal{C}_{P_i}$ is the commitment to $P_i$. Given common inputs $\mathcal{R}(\{P_i\})$, $\{\mathcal{C}_{P_i}\}$ to $\mathcal{P}$ and $\mathcal{V}$, and private input $\{P_i\}$ to $\mathcal{P}$, they run the following protocol:
-1. $\mathcal{P}$ converts the relations into polynomials $\{Q_j\}$, commits to them, and sends to $\mathcal{V}$
-2. $\mathcal{V}$ sends a random challenge $\xi$
-3. $\mathcal{P}$ runs **open** for $\{P_i(\xi)\}$ and $\{Q_j(\xi)\}$ and outputs the result
-4. $\mathcal{V}$ checks:
+**Definition 2 (Polynomial IOP).** Let $\mathcal{R}$ be a set of the relations among polynomials $\{P_i\}$. Let $\mathcal{C}_f$ is the commitment to $f$. Given common input $\mathcal{R}(\{P_i\})$ to $\mathcal{P}$ and $\mathcal{V}$, and private input $\{P_i\}$ to $\mathcal{P}$, they run the following protocol:
+1. $\mathcal{P}$ converts the relations into polynomials $\{Q_j\}$
+2. $\mathcal{P}$ commits to $\{P_i\}$ and $\{Q_j\}$, and sends the commitments to $\mathcal{V}$
+3. $\mathcal{V}$ sends a random challenge $\xi$
+4. $\mathcal{P}$ runs **open** for $\{P_i(\xi)\}$ and $\{Q_j(\xi)\}$ and outputs the result
+5. $\mathcal{V}$ checks:
     - the evaluations of $P_i(\xi)$ and $Q_j(\xi)$ are correct
     - $\{Q_j\}$ satisfy $\mathcal{R}(\{P_i\})$
 
-At the end of the protocol, $\mathcal{V}$ outputs **acc** if and only if the two conditions hold, otherwise **rej**.
+At the end of the protocol, $\mathcal{V}$ outputs $\textbf{acc}$ if and only if the two conditions hold, otherwise $\textbf{rej}$.
 
 Moreover, a Poly-IOP has to satisfy the following properties.
 
 **Definition 3 (Completeness).** If each pair of $(\mathcal{C}_{P_i},P_i)$ and $(\mathcal{C}_{Q_j},Q_j)$ is valid and $\{Q_j\}$ satisfy $\mathcal{R}(\{P_i\})$, $\text{Pr}[out_{\mathcal{V}}=\textbf{acc}]=1$.
 
 **Definition 4 (Soundness).** If $(\mathcal{C}_{P_i},P_i)$ or $(\mathcal{C}_{Q_j},Q_j)$ are not a valid pair, or $\{Q_j\}$ does not satisfy $\mathcal{R}(\{P_i\})$, $\text{Pr}[out_{\mathcal{V}}=\textbf{rej}]\ge{1-\text{negl}(k)}$.
 
+**Definition 5 (Zero Knowledge).** For every possible set of relations $\mathcal{R}$, there exists a probabilistic polynomial time simulator $\mathcal{S}$ that can produce $\{\mathcal{C}_{P_i}^*\},\{\mathcal{C}_{Q_i}^*\}$ and the corresponding proofs making $\mathcal{V}$ output $\textbf{acc}$; the proofs generated by $\mathcal{S}$ are computationally indistinguishable from those produced by $\mathcal{P}$.
+
 ## Encoding Arrays of Data into Polynomials
 
 Data starts as a array of integers where integers in each slot are between 0 and $q-1$, where $q$ is a large (generally 256 bit) prime number. Recall that we call this set of integers $\mathbb{Z}_q$.