ZKP5.2 PLONK IOP

编程入门行业动态更新时间:2024-10-12 01:24:59

ZKP5.2 <a href=https://www.elefans.com/category/jswz/34/1673870.html style= PLONK IOP"/>

ZKP学习笔记

ZK-Learning MOOC课程笔记

overview
Polynomial equality testing with KZG
- KZG: determined commitment (if the function is equal, then the commitment is equal too)
  - If the c o m f = c o m g com_f = com_g comf=comg, the verifier can tell if f = g f=g f=g on its own???
  - but
    - The verifier does not have the commitment of g 1 g 2 g 3 g_1g_2g_3 g1g2g3
Important proof gadgets for univariates
- The size k is much smaller than d
The vanishing polynomial
- Outside the Ω \Omega Ω, the polynomial could evaluate an arbitrary value
- Verifiers can evaluate the vanishing polynomial very fast.
ZeroTest
- F is zero on Ω \Omega Ω: All the elements of Ω \Omega Ω are the root of the polynomial.
- Verifier time: O(log k) and two poly queries (but can be done in one batch)
- Prover time: dominated by the time to compute q(X) and then commit to q(X)
Product check
- Polynomial t: auxiliary polynomial

- Use the ZeroTest
- Proof size: two commits, five evals (can be batched). 
- Verifier time: O(logk) 
- Prover time:O(klogk)

f ^ \hat{f} f^ and g ^ \hat{g} g^ is identical
Embellished permutation check
- The two vectors are permutations to each other
- They also satisfy a prediscribed pumutation

Step 2: proving validity of T
- (4): the output of the last gate is what the verifier is expecting
- Proving (1): T encodes the correct inputs

- Proving (2): every gate is evaluated correctly

  - S(X) is a selector- Pre-processing: create the commitment of S(X), it is independent to any input.

- Proving (3): the wiring is correct

  - The W is independent of the inputs- Prescribed pumutation check