|
| 1 | +--- |
| 2 | +title: Fast Fourier Inspired Folding for Sangria |
| 3 | +date: 2023-04-03 |
| 4 | +--- |
| 5 | + |
| 6 | +This is a crosspost with [zkresear.ch/t/fast-fourier-inspired-sangria](https://zkresear.ch/t/fast-fourier-inspired-sangria). |
| 7 | + |
| 8 | +## Introduction |
| 9 | + |
| 10 | +[Sangria](https://geometry.xyz/notebook/sangria-a-folding-scheme-for-plonk) is the folding protocol for Plonk prover. In the original model, the prover works iteratively and merges a new execution trace with an execution trace accumulator. |
| 11 | + |
| 12 | +Here we will show, how to build an optimized folding process, requiring only 2 or 1 scalar multiplications per folding on the verifier side. |
| 13 | + |
| 14 | +## Original Protocol |
| 15 | + |
| 16 | +Accumulated instance and witness: |
| 17 | + |
| 18 | +$U'_n := (\mathbf{X}'_n, u'_n, \overline{W}'_n, \overline{E}'_n),$ |
| 19 | +$W'_n := (\mathbf{W}'_n, \mathbf{e}'_n, r'_{Wn}, r'_{En})$ |
| 20 | + |
| 21 | +Iteration instance and witness: |
| 22 | + |
| 23 | +$U_n := (\mathbf{X}_n, u_n, \overline{W}_n, \overline{E}_n),$ |
| 24 | +$W_n := (\mathbf{W}_n, \mathbf{e}, r_{Wn}, r_{En})$ |
| 25 | + |
| 26 | +Where $\overline{W}=\text{Com}(\text{pp}_W, \mathbf{W}, r_W),\ \overline{E} = \text{Com}(\text{pp}_W, \mathbf{e}, r_E)$. |
| 27 | + |
| 28 | +We use a relaxed Plonk gate equation: |
| 29 | +$C(\mathbf{a}, {\mathbf{b}}, {\mathbf{c}}, u, {\mathbf{e}})={\mathbf{a}} {\mathbf{b}} {\mathbf{q_M}} + {\mathbf{q_C}} {u}^{2} + {\left({\mathbf{a}} {\mathbf{q_L}} + {\mathbf{c}} {\mathbf{q_O}} + {\mathbf{b}} {\mathbf{q_R}}\right)} {u} + {\mathbf{e}}$ |
| 30 | + |
| 31 | +1. Prover send to Verifier $\overline{T}_n = \text{Com}(\text{pp}_W, \mathbf{t}_n, r_{Tn})$, |
| 32 | +## Introduction |
| 33 | + |
| 34 | +[Sangria](https://geometry.xyz/notebook/sangria-a-folding-scheme-for-plonk) is the folding protocol for Plonk prover. In the original model, the prover works iteratively and merges a new execution trace with an execution trace accumulator. |
| 35 | + |
| 36 | +Here we will show, how to build an optimized folding process, requiring only 2 or 1 scalar multiplications per folding on the verifier side. |
| 37 | + |
| 38 | +## Original Protocol |
| 39 | + |
| 40 | +Accumulated instance and witness: |
| 41 | + |
| 42 | +$U'_n := (\mathbf{X}'_n, u'_n, \overline{W}'_n, \overline{E}'_n),$ |
| 43 | +$W'_n := (\mathbf{W}'_n, \mathbf{e}'_n, r'_{Wn}, r'_{En})$ |
| 44 | + |
| 45 | +Iteration instance and witness: |
| 46 | + |
| 47 | +$U_n := (\mathbf{X}_n, u_n, \overline{W}_n, \overline{E}_n),$ |
| 48 | +$W_n := (\mathbf{W}_n, \mathbf{e}, r_{Wn}, r_{En})$ |
| 49 | + |
| 50 | +Where $\overline{W}=\text{Com}(\text{pp}_W, \mathbf{W}, r_W),\ \overline{E} = \text{Com}(\text{pp}_W, \mathbf{e}, r_E)$. |
| 51 | + |
| 52 | +We use a relaxed Plonk gate equation: |
| 53 | +$C(\mathbf{a}, {\mathbf{b}}, {\mathbf{c}}, u, {\mathbf{e}})={\mathbf{a}} {\mathbf{b}} {\mathbf{q_M}} + {\mathbf{q_C}} {u}^{2} + {\left({\mathbf{a}} {\mathbf{q_L}} + {\mathbf{c}} {\mathbf{q_O}} + {\mathbf{b}} {\mathbf{q_R}}\right)} {u} + {\mathbf{e}}$ |
| 54 | + |
| 55 | +1. Prover send to Verifier $\overline{T}_n = \text{Com}(\text{pp}_W, \mathbf{t}_n, r_{Tn})$, |
| 56 | +where $t_n=2 \, {\mathbf{q_C}} {u'_n} {u_n} + {\left({\mathbf{a}_n} {\mathbf{b}'_n} + {\mathbf{a}'_n} {\mathbf{b}_n}\right)} {\mathbf{q_M}} + {\left({\mathbf{a}_n} {\mathbf{q_L}} + {\mathbf{c}_n} {\mathbf{q_O}} + {\mathbf{b}_n} {\mathbf{q_R}}\right)} {u'_n} + {\left({\mathbf{a}'_n} {\mathbf{q_L}} + {\mathbf{c}'_n} {\mathbf{q_O}} + {\mathbf{b}'_n} {\mathbf{q_R}}\right)} {u_n}$ |
| 57 | +where $t_n=2 \, {\mathbf{q_C}} {u'_n} {u_n} + {\left({\mathbf{a}_n} {\mathbf{b}'_n} + {\mathbf{a}'_n} {\mathbf{b}_n}\right)} {\mathbf{q_M}} + {\left({\mathbf{a}_n} {\mathbf{q_L}} + {\mathbf{c}_n} {\mathbf{q_O}} + {\mathbf{b}_n} {\mathbf{q_R}}\right)} {u'_n} +\\ {\left({\mathbf{a}'_n} {\mathbf{q_L}} + {\mathbf{c}'_n} {\mathbf{q_O}} + {\mathbf{b}'_n} {\mathbf{q_R}}\right)} {u_n}$ |
| 58 | +2. Verifier sends to prover random $r$ |
| 59 | +3. Prover and Verifier output the folded instance |
| 60 | +$U'_{n+1}=(\mathbf{X}'_{n+1}, u'_{n+1}, \overline{W}'_{n+1}, \overline{E}'_{n+1}),$ |
| 61 | +where |
| 62 | +$\mathbf{X}'_{n+1} = \mathbf{X}'_n + r \mathbf{X}_n,$ |
| 63 | +$u'_{n+1} = u'_n + r u_n,$ |
| 64 | +$\overline{W}'_{n+1} = \overline{W}'_n + r \overline{W}_n,$ |
| 65 | +$\overline{E}'_{n+1} = \overline{E}'_n + r^2 \overline{E}_n - r \overline{T}_n.$ |
| 66 | +4. Prover output the folded witness |
| 67 | +$W'_{n+1} = (\mathbf{W}'_{n+1}, \mathbf{e}'_{n+1}, r'_{W\ n+1}, r'_{E\ n+1}),$ |
| 68 | +where |
| 69 | +$\mathbf{W}'_{n+1} = \mathbf{W}'_n + r \mathbf{W}_n,$ |
| 70 | +$\mathbf{e}'_{n+1} = \mathbf{e}'_n + r^2 \mathbf{e}_n - r \mathbf{t}_n,$ |
| 71 | +$r'_{W\ n+1} = r'_{W\ n} + r r_{Wn},$ |
| 72 | +$r'_{E\ n+1} = r'_{E\ n} + r^2 r_{En} - r r_{Tn}.$ |
| 73 | + |
| 74 | +We can check, that $C(\mathbf{a}'_{n+1}, \mathbf{b}'_{n+1}, \mathbf{c}'_{n+1}, u'_{n+1}, \mathbf{e}'_{n+1}) = C(\mathbf{a}'_n, \mathbf{b}'_n, \mathbf{c}'_n, u'_n, \mathbf{e}'_n) + r^2 C(\mathbf{a}_n, \mathbf{b}_n, \mathbf{c}_n, u_n, \mathbf{e}_n)$. |
| 75 | + |
| 76 | +## Fast-Fourier Inspired Approach |
| 77 | + |
| 78 | +We see, that most operations on the verifier side are linear. So, we can use the approach from [GW21](https://eprint.iacr.org/2021/1167.pdf). |
| 79 | + |
| 80 | +Let's define the following functions: |
| 81 | + |
| 82 | +$f_L(X) = a(X^4) + X b(X^4) + X^2 c(X^4) + X^3 e(X^4),$ |
| 83 | +$f_R(X) = a(X^4) + X b(X^4) + X^2 c(X^4) - X^3 t(X^4),$ |
| 84 | +$\epsilon_R(X) = X^3 e(X^4)$ |
| 85 | + |
| 86 | +where $a, b, c, e, t$ are polynomials corresponding to vectors $\mathbf{a}, \mathbf{b}, \mathbf{c}, \mathbf{e}, \mathbf{t}$. It is important, that the field has a multiplicative subgroup of order $4$. If we need more columns, we can use the same approach with bigger subgroups. |
| 87 | + |
| 88 | +Then we can rewrite the witness part of the folding procedure as follows: |
| 89 | + |
| 90 | +1. Prover computes $\mathbf{t}$ and sends to verifier $[f_{R\ n}]$, $[\epsilon_{R\ n}]$ |
| 91 | +2. Verifier sends to prover random $r$ |
| 92 | +3. Prover and Verifier output the folded instance |
| 93 | + |
| 94 | +$[f'_{L\ n+1}] = [f'_{L\ n}] + r [f_{R\ n}] + r^2 [\epsilon_{R\ n}]$ |
| 95 | + |
| 96 | +4. Prover output the folded witness |
| 97 | + |
| 98 | +$f'_{L\ n+1} = f'_{L\ n} + r f_{R\ n} + r^2 \epsilon_{R\ n},$ |
| 99 | + |
| 100 | + |
| 101 | +For final check we should make openings of $f_L$ at points $x, x \sqrt{-1}, -x, -x \sqrt{-1}$, where $x$ is random, and recover $a(x^4), b(x^4), c(x^4), e(x^4)$. |
| 102 | + |
| 103 | +It is important to note that the folding process complexity is still linear. We don't need an explicit representation of f(x) in the prover-side folding process: |
| 104 | + |
| 105 | +$[f_L(x)] = [\sum_{i=0}^{n-1} (a_i + b_i x \lambda_i(x^4) + c_i x^2 \lambda_i(x^4) + e_i x^3 \lambda_i(x^4))] =\\ |
| 106 | + \sum_{i=0}^{n-1} ([a_i] + b_i [x \lambda_i(x^4)] + c_i [x^2 \lambda_i(x^4)] + e_i [x^3 \lambda_i(x^4)]).$ |
| 107 | + |
| 108 | + |
| 109 | +The proposed method provides only 2 scalar multiplications per folding instead of 5 or more. And it requires 4 times bigger CRS. |
| 110 | + |
| 111 | +UPD: |
| 112 | +In the case of IVC, when the 2nd instance is original Plonk, $\epsilon_R(X)=0$ and we need only one scalar multiplication per folding. |
| 113 | + |
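Review bot: Lines 32-55 of the new file repeat lines 8-31 verbatim (the Introduction and Original Protocol headings, the instance and witness definitions, the relaxed gate equation and step 1), and the "where $t_n=$" definition appears twice, at lines 56 and 57, differing only by a `\\` line break. Keep one copy of each so the post has a single Introduction and a single definition of the cross term. In the linearity expression at lines 105-106, the $a_i$ term carries no basis factor while the $b_i$, $c_i$ and $e_i$ terms each carry $\lambda_i(x^4)$, and the second line commits to $[a_i]$ instead of scaling a committed basis element. $\lambda_i$ is not defined in the post; if it is the Lagrange basis, the term should read $a_i \lambda_i(x^4)$ and $a_i [\lambda_i(x^4)]$ to agree with $f_L(X) = a(X^4) + \dots$ at line 82, and a one-line definition of $\lambda_i$ would help. Smaller points: $W_n$ at line 24 writes $\mathbf{e}$ without the subscript $n$ that line 70 uses, $t_n$ at lines 56-57 is not bold although line 31 commits to $\mathbf{t}_n$, step 4 at line 98 ends on a trailing comma, and the sum at line 105 uses $n$ as its upper bound while $n$ is the folding index everywhere else.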