diff --git a/content/docs/background/poly-iop.md b/content/docs/background/poly-iop.md index cde4e8c..05f4016 100644 --- a/content/docs/background/poly-iop.md +++ b/content/docs/background/poly-iop.md 
@@ -4,15 +4,16 @@ **Definition 1 (Polynomial Commitment Scheme).** A polynomial commitment scheme (PCS) is an interactive proof system that enables $\mathcal{P}$ to convince $\mathcal{V}$ that he knows a polynomial, without revealing the polynomial directly. $\mathcal{P}$ and $\mathcal{V}$ run the protocol in three moves: **gen**, **com**, and **open**. [Plonk] -**Definition 2 (Polynomial IOP).** Let $\mathcal{R}$ be a set of the relations among polynomials $\{P_i\}$. Let $\mathcal{C}_{P_i}$ is the commitment to $P_i$. Given common inputs $\mathcal{R}(\{P_i\})$, $\{\mathcal{C}_{P_i}\}$ to $\mathcal{P}$ and $\mathcal{V}$, and private input $\{P_i\}$ to $\mathcal{P}$, they run the following protocol: -1. $\mathcal{P}$ converts the relations into polynomials $\{Q_j\}$, commits to them, and sends to $\mathcal{V}$ -2. $\mathcal{V}$ sends a random challenge $\xi$ -3. $\mathcal{P}$ runs **open** for $\{P_i(\xi)\}$ and $\{Q_j(\xi)\}$ and outputs the result -4. $\mathcal{V}$ checks: +**Definition 2 (Polynomial IOP).** Let $\mathcal{R}$ be a set of the relations among polynomials $\{P_i\}$. Let $\mathcal{C}_f$ is the commitment to $f$. Given common input $\mathcal{R}(\{P_i\})$ to $\mathcal{P}$ and $\mathcal{V}$, and private input $\{P_i\}$ to $\mathcal{P}$, they run the following protocol: +1. $\mathcal{P}$ converts the relations into polynomials $\{Q_j\}$ +2. $\mathcal{P}$ commits to $\{P_i\}$ and $\{Q_j\}$, and sends the commitments to $\mathcal{V}$ +3. $\mathcal{V}$ sends a random challenge $\xi$ +4. $\mathcal{P}$ runs **open** for $\{P_i(\xi)\}$ and $\{Q_j(\xi)\}$ and outputs the result +5. $\mathcal{V}$ checks: - the evaluations of $P_i(\xi)$ and $Q_j(\xi)$ are correct - $\{Q_j\}$ satisfy $\mathcal{R}(\{P_i\})$ -At the end of the protocol, $\mathcal{V}$ outputs **acc** if and only if the two conditions hold, otherwise **rej**. +At the end of the protocol, $\mathcal{V}$ outputs $\textbf{acc}$ if and only if the two conditions hold, otherwise $\textbf{rej}$. 
Moreover, a Poly-IOP has to satisfy the following properties. @@ -20,6 +21,8 @@ Moreover, a Poly-IOP has to satisfy the following properties. **Definition 4 (Soundness).** If $(\mathcal{C}_{P_i},P_i)$ or $(\mathcal{C}_{Q_j},Q_j)$ are not a valid pair, or $\{Q_j\}$ does not satisfy $\mathcal{R}(\{P_i\})$, $\text{Pr}[out_{\mathcal{V}}=\textbf{rej}]\ge{1-\text{negl}(k)}$. +**Definition 5 (Zero Knowledge).** For every possible set of relations $\mathcal{R}$, there exists a probabilistic polynomial time simulator $\mathcal{S}$ that can produce $\{\mathcal{C}_{P_i}^*\},\{\mathcal{C}_{Q_i}^*\}$ and the corresponding proofs making $\mathcal{V}$ output $\textbf{acc}$; the proofs generated by $\mathcal{S}$ are computationally indistinguishable from those produced by $\mathcal{P}$. + ## Encoding Arrays of Data into Polynomials Data starts as a array of integers where integers in each slot are between 0 and $q-1$, where $q$ is a large (generally 256 bit) prime number. Recall that we call this set of integers $\mathbb{Z}_q$.
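Review bot: in the first hunk, "Let $\mathcal{C}_f$ is the commitment to $f$" should read "Let $\mathcal{C}_f$ be the commitment to a polynomial $f$", since $f$ is no longer one of the named polynomials and the sentence is now the only place the generic notation is introduced; with that fix the later uses $\mathcal{C}_{P_i}$ and $\mathcal{C}_{Q_j}$ in Definition 4 follow naturally. The reordering itself is the right call: splitting the old step 1 into "convert" and "commit to $\{P_i\}$ and $\{Q_j\}$, then send" makes explicit that every commitment reaches $\mathcal{V}$ before the challenge $\xi$ is sampled in step 3, which is the ordering soundness relies on. Two smaller points: step 4 "outputs the result" is vague, and "outputs the opening proofs for $\{P_i(\xi)\}$ and $\{Q_j(\xi)\}$" would say what $\mathcal{V}$ actually receives; and the two "- the evaluations ..." / "- $\{Q_j\}$ satisfy ..." items belong indented under step 5 so they render as its sub-list rather than as a new top-level list.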
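Review bot: Definition 5 in the second hunk does not say what input the simulator $\mathcal{S}$ gets, which is the substance of a zero-knowledge definition; it should state that $\mathcal{S}$ receives only the common input $\mathcal{R}(\{P_i\})$ (and the verifier's challenges), not the private $\{P_i\}$, otherwise $\mathcal{S}$ could simply run $\mathcal{P}$. Since the simulated commitments $\{\mathcal{C}_{P_i}^*\}$ are part of what $\mathcal{S}$ outputs, the indistinguishability claim should be stated over the whole transcript (commitments plus opening proofs), not "the proofs" alone. Also an index typo: $\{\mathcal{C}_{Q_i}^*\}$ should be $\{\mathcal{C}_{Q_j}^*\}$ to match the $j$ index used for $\{Q_j\}$ in Definitions 2 and 4.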