ZKP5.2 PLONK IOP

news2024/11/16 1:55:21

ZKP学习笔记

ZK-Learning MOOC课程笔记

overview
Polynomial equality testing with KZG
- KZG: determined commitment (if the function is equal, then the commitment is equal too)
  - If the $com_f = com_g$ , the verifier can tell if $f = g$ on its own???
  - but
    - The verifier does not have the commitment of $g_1g_2g_3$
Important proof gadgets for univariates
- The size k is much smaller than d
The vanishing polynomial
- Outside the $\Omega$ , the polynomial could evaluate an arbitrary value
- Verifiers can evaluate the vanishing polynomial very fast.
ZeroTest
- F is zero on $\Omega$ : All the elements of $\Omega$ are the root of the polynomial.
- Verifier time: O(log k) and two poly queries (but can be done in one batch)
- Prover time: dominated by the time to compute q(X) and then commit to q(X)
Product check
- Polynomial t: auxiliary polynomial

在这里插入图片描述

- Use the ZeroTest
- Proof size: two commits, five evals (can be batched). 
- Verifier time: O(logk) 
- Prover time:O(klogk)

在这里插入图片描述

$\hat{f}$ and $\hat{g}$ is identical
Embellished permutation check
- The two vectors are permutations to each other
- They also satisfy a prediscribed pumutation

在这里插入图片描述

在这里插入图片描述

Step 2: proving validity of T
- (4): the output of the last gate is what the verifier is expecting
- Proving (1): T encodes the correct inputs

在这里插入图片描述

- Proving (2): every gate is evaluated correctly

在这里插入图片描述

  - S(X) is a selector
  - Pre-processing: create the commitment of S(X), it is independent to any input.

在这里插入图片描述

- Proving (3): the wiring is correct

在这里插入图片描述

  - The W is independent of the inputs
  - Prescribed pumutation check

在这里插入图片描述