After understanding of the folding scheme of relaxed R1CS, of which the key idea is you can “fold” two proofs to be one, with this ability of relaxed R1CS in mind, how can one build a recursive proof from scratch? in this note I will describe several attempts to build …
Author: shuangcrypto.com
About Halo2 multipoints openning
explain the multipoints opening of Halo 2, I don’t think Halo2 book explain this part clearly, and perhaps, neither my note.
the key, is the homomorphism of the commitment scheme. and combine the evaluation at different points, and combine the different polynomial evaluated at the same points. Later if I …
Wormhole
A user want to send a message from one chain to another chain
- Emitter: a contract calls the publishMessage in the core contract
- the core contract publish the emitter address, sequencenumber and consistencyLevel (The number of blocks / slots which should pass before this message is considered confirmed.) into blockchain
STARK 101 coding note
Table of Contents
resource
https://starkware.co/stark-101
low degree polynomials extension
interpolate the trace points into a polynomial in …
zkVM
Table of Contents
how to build zkVM:
What is
…A rough description for STARK
Stark can be described in 5 steps in a high level:
- Computation program
- generate an execution trace and a set of polynomial constraints, AIR (Algebraic Intermediate Representation) (no circuit)
- Transfer the execution trace to be a polynomial, extend it to a larger domain
- compute the composition polynomial, which is the
The core of FRI IOP
- prover commit to \(f(x)\)
$$f(X)=f_E(X^2)+X\cdot f_O(X^2)$$
if we take an intermediate variant \(Y\) to replace the \(X^2\)
With a fixed \(Y\), then \(f(x)\) can be considered as one degree polynomial for \(X\), as
$$f(X)=f_E(Y)+X\cdot f_O(Y)$$
and for a given \(y\), it determineds a unique line (one degree polynomial)
and the …
IPA in Bulletproof, a rough description
Building blocks
Vector Commitment on elliptic curve, useful for its additive homomorphic
Statement
$$\{(\textbf{g,h}\in \mathbb{G}^n, P \in \mathbb{G}, c \in \mathbb{Z}_p; \textbf{a,b}\in \mathbb{Z}_p^n): P=\textbf{g}^{\textbf{a}}\textbf{h}^{\textbf{b}} \wedge c=<\textbf{a},\textbf{b}>\}$$
Proving
the strategy is recursive proof. For every recursive step, keep the public statement in the same format, but the vector length, together with …
Plonk in a short description
Plonk argument of knowledge can be described in 5 steps in a high level:
- Computation
- Arithmetic circuit
- Constrain System
- Transfer the constrain system to polynomial
- Prove gate constraints are satisfied.
- Prove permutation constraints are satisfied.
Constrain System in Plonk (Plonkish constrain system)
The constraint system in Plonk is
$$(\textbf{q}_{\textbf{L}_i} )\cdot …
On Understanding of the Permutation in Plonk
Question 1:
There are two list \((a_1, a_2, a_3,…a_n)\) and \((b_1,b_2,b_3,…,b_n)\)
how can we prove they contain the same element? (now we only consider to have the same elements, permutation comes in next question) This question would help you to understand why the permutation construction in Plonk is constructed in …