Skip to content

Commit

Permalink
Slide corrections
Browse files Browse the repository at this point in the history
  • Loading branch information
@rasmus-kirk
rasmus-kirk committed Feb 3, 2025
1 parent 96959fe commit 9e1e031
Showing 1 changed file with 96 additions and 85 deletions.
181 changes: 96 additions & 85 deletions slides/slides.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ toc: true
\vspace{0.5em}
\end{block}

- _How can we verify $F^n(s_0)$ without re-executing the computation?_
- _How can we verify $s_n = F^n(s_0)$ without re-executing the computation?_

## IVC chain

Expand All @@ -66,10 +66,10 @@ toc: true
\end{block}

### $\Pc(s_i, \pi_i)$ represents:
- $s_i = F(s_{i-1})$
- $\pi_i = \SNARKProver(R, x = \{ s_0, s_i \}, w = \{ s_{i-1}, \pi_{i-1} \})$
- $R := \text{I.K.} \; w = \{ \pi_{i-1}, s_{i-1} \} \; \text{ s.t. }$
- $s_i \meq F(s_{i-1}) \; \land \; (s_{i-1} \meq s_0 \lor \Vc(R_F, x = \{ s_0, s_i \}, \pi_{i-1}))$
- $\pi_i = \SNARKProver(R_F, x = \{ s_0, s_i \}, w = \{ s_{i-1}, \pi_{i-1} \})$
- $s_i = F(s_{i-1})$

## Proof

Expand All @@ -93,7 +93,7 @@ $$
\end{alignedat}
$$

# PCS
# PCS based on DL

## Polynomial Commitment Scheme

Expand Down Expand Up @@ -124,17 +124,18 @@ $$q: \Instance = (C: \Eb(\Fb_q), d: \Nb, z: \Fb_q, v: \Fb_q, \pi: \EvalProof)$$
\begin{enumerate}
\item $\pi = \vec{L}, \vec{R}, U, c$
\item $C_{lg(n)} \meq cU + ch(z) H' = c^{(0)}G^{(0)} + c^{(0)}z^{(0)} H'$
\item $U \meq \CMCommit(\vec{G}, \vec{h}^{\text{(coeffs)}})$
\item $U \meq \CMCommit(\vec{G}, \vec{h}^{\text{(coeffs)}}) \meq \ip{G}{\vec{h}^{\text{(coeffs)}}}$
\end{enumerate}
\vspace{0.5em}
\end{block}

- $h(X) := \prod^{\lg(n)-1}_{i=0} (1 + \xi_{\lg(n) - i} X^{2^i})$:
- Degree-d, $\Oc(\lg(d))$ evaluation time.
- Compression polynomial for $\vec{G} \to G^{(0)}, z \to z^{(0)}$.
- $U$:
- Represents $G^{(0)}$.
- May be wrong!
- $\PCDLSuccinctCheck$ either rejects or accepts and returns:
- $U$:
- Represents $G^{(0)}$.
- May be wrong!
- $h(X) := \prod^{\lg(n)-1}_{i=0} (1 + \xi_{\lg(n) - i} X^{2^i})$:
- Compression polynomial for $\vec{G} \to G^{(0)}, z \to z^{(0)}$.
- Degree-d, $\Oc(\lg(d))$ evaluation time.

# $\AS$ based on DL

Expand Down Expand Up @@ -166,9 +167,9 @@ $$q: \Instance = (C: \Eb(\Fb_q), d: \Nb, z: \Fb_q, v: \Fb_q, \pi: \EvalProof)$$
\begin{algorithmic}[1]
\Require $\forall d_i \in \vec{q}, \forall d_j \in \vec{q} : d_i = d_j \land d_i \leq D$
\Require $(d_i+1) = 2^k$, where $k \in \Nb$
\State Compute the tuple $(\bar{C}, d, z, h(X)) := \ASDLCommonSubroutine(\vec{q})$.
\State Generate the evaluation proof $\pi := \PCDLOpen(h(X), \bar{C}, d, z)$.
\State Finally, output the accumulator $\acc_i = (\bar{C}, d, z, v := h(z), \pi)$.
\State Compute the tuple $(\bar{C}, d, z, \bar{h}(X)) := \ASDLCommonSubroutine(\vec{q})$.
\State Generate the evaluation proof $\pi := \PCDLOpen(\bar{h}(X), \bar{C}, d, z)$.
\State Finally, output the accumulator $\acc_i = (\bar{C}, d, z, v := \bar{h}(z), \pi)$.
\end{algorithmic}
\end{algorithm}

Expand All @@ -183,9 +184,9 @@ $$q: \Instance = (C: \Eb(\Fb_q), d: \Nb, z: \Fb_q, v: \Fb_q, \pi: \EvalProof)$$
\Desc{$\Result(\top, \bot)$}{}
\begin{algorithmic}[1]
\Require $(d+1) = 2^k$, where $k \in \Nb$
\State Parse $\acc_i$ as $(\bar{C}, d, z, v, \_)$
\State Compute $(\bar{C}', d', z', h(X)) := \ASDLCommonSubroutine(\vec{q})$
\State Then check that $\bar{C}' \meq \bar{C}, d' \meq d, z' \meq z$, and $h(z) \meq v$.
\State Parse $\acc_i$ as $(\bar{C}_\acc, d_\acc, z_\acc, v_\acc, \_)$
\State Compute $(\bar{C}, d, z, \bar{h}(X)) := \ASDLCommonSubroutine(\vec{q})$
\State Then check that $C_\acc \meq \bar{C}, d_\acc \meq d, z_\acc \meq z$, and $v_\acc \meq \bar{h}(z)$.
\end{algorithmic}
\end{algorithm}

Expand All @@ -200,8 +201,7 @@ $$q: \Instance = (C: \Eb(\Fb_q), d: \Nb, z: \Fb_q, v: \Fb_q, \pi: \EvalProof)$$
\begin{algorithmic}[1]
\Require $\acc_i.d \leq D$
\Require $(\acc_i.d+1) = 2^k$, where $k \in \Nb$
\State Parse $\acc_i$ as $(\bar{C}, d, z, v, \pi)$
\State Check $\top \meq \PCDLCheck(\bar{C}, d, z, v, \pi)$
\State Check $\top \meq \PCDLCheck(\acc_i)$
\end{algorithmic}
\end{algorithm}

Expand All @@ -216,70 +216,72 @@ $$q: \Instance = (C: \Eb(\Fb_q), d: \Nb, z: \Fb_q, v: \Fb_q, \pi: \EvalProof)$$
\begin{algorithmic}[1]
\Require $(d+1) = 2^k$, where $k \in \Nb$
\State Parse $d$ from $q_1$.
\For{$j \in [m]$}
\State Parse $q_j$ as a tuple $(C_j, d_j, z_j, v_j, \pi_j)$.
\State Compute $(h_j(X), U_j) := \PCDLSuccinctCheck^{\rho_0}(C_j, d_j, z_j, v_j, \pi_j)$.
\For{$q_j \in \vec{q}$}
\State Parse $d_j$ from $q_j$.
\State Compute $(h_j(X), U_j) := \PCDLSuccinctCheck^{\rho_0}(q_j)$.
\State Check that $d_j \meq d$
\EndFor
\State Compute the challenge $\a := \rho_1(\vec{h}, \vec{U})$
\State Let the polynomial $h(X) := \sum^m_{j=1} \a^j h_j(X)$
\State Compute: $\bar{C} := \sum^m_{j=1} \a^j U_j, \; z := \rho_1(C, h(X))$
\State Output $(\bar{C}, D, z, h(X))$.
\State Linearize $h_j, U_j$: $\bar{h}(X) := \sum^m_{j=1} \a^j h_j(X)$, $\bar{C} := \sum^m_{j=1} \a^j U_j$
\State Compute: $z := \rho_1(\bar{C}, \bar{h}(X))$
\State Output $(\bar{C}, d, z, \bar{h}(X))$.
\end{algorithmic}
\end{algorithm}

# $\AS$ Properties

## $\AS$ Completeness

Assuming that $\PCDL$ is complete.

- $\ASDLVerifier$:
- Runs the same algorithm ($\ASDLCommonSubroutine$) with the same inputs
- Given that $\ASDLProver$ is honest, $\ASDLVerifier$ will get the
same outputs, these outputs are checked to be equal to the ones received
from the prover.
- Since these were generated honestly by the prover, also using
$\ASDLCommonSubroutine$, the $\ASDLVerifier$ will accept with probability 1.
- Runs the same deterministic $\ASDLCommonSubroutine$ with the same inputs.
- Given that $\ASDLProver$ is honest, $\ASDLVerifier$ will get the same outputs.
- These are checked to be equal to the ones from $\acc_i$.
- Therefore $\ASDLVerifier$ accepts with probability 1.

- $\ASDLDecider$:
- Runs $\PCDLCheck$ on the provided accumulator, which represents a evaluation
proof i.e. an instance. This check will always pass, as the prover
constructed the accumulator honestly.
- Runs $\PCDLCheck$ on the $\acc_i$, representing an evaluation proof (instance).
- The prover constructed the $\acc_i$ honestly.
- Therefore this check will pass with probability 1.

## $\AS$ Soundness

- $\ASDLVerifier$ shows that $h(X), \bar{C}$ are linear combinations of $h_j(X), U_j$'s.
- $\ASDLDecider$ shows that $\bar{C} = \PCDLCommit(h(X), d)$, checks all $U_j$'s.
- $\PCDLCheck$ shows that $C_{\acc_i}$ is a commitment to $h'(X)$ and $h'(z) = v_{\acc_i}$.
- $\ASDLVerifier$ shows that $C_{\acc_i} = \sum_{j=1}^m \a^j U_j$, $h(z) = v_{\acc_i}$.
- Since $v_{\acc_i} = h(z) = h'(z)$ then $h(X) = h'(X)$ with $1 - \Pr[d/|\Fb_q|]$.
- $\ASDLVerifier$ shows that $\bar{h}(X), \bar{C}$ are linear combinations of $h_j(X), U_j$'s.
- $\ASDLDecider$ shows that $\bar{C} = \PCDLCommit(\bar{h}(X), d)$, checks all $U_j$'s.
- Let $\acc_i = (\bar{C}, d, z, v, \pi)$
- $\PCDLCheck$ shows that $\bar{C}$ is a commitment to $\bar{h}'(X)$ and $\bar{h}'(z) = v$.
- $\ASDLVerifier$ shows that $\bar{C} = \sum_{j=1}^m \a^j U_j$, $\bar{h}(z) = v$.
- Since $v = \bar{h}(z) = \bar{h}'(z)$ then $\bar{h}(X) = \bar{h}'(X)$ with $1 - \Pr[d/|\Fb_q|]$.
- Define $\forall j \in [m] : B_j = \ip{\vec{G}}{\vec{h_j}^{(\text{coeffs})}}$. If $\exists j \in [m]$ $B_j \neq U_j$ then:
- $U_j$ is not a valid commitment to $h_j(X)$ and,
- $\sum_{j=1}^m \a_j B_j \neq \sum_{j=1}^m \a_j U_j$
- $\sum_{j=1}^m \a^j B_j \neq \sum_{j=1}^m \a^j U_j$

As such $C_{\acc_i}$ will not be a valid commitment to $h_{\acc_i}(X)$. Unless,
- $\a := \rho_1(\vec{h}, \vec{U})$ or $z = \rho_1(C, h(X))$ is constructed maliciously.
As such $\bar{C}$ will not be a valid commitment to $\bar{h}(X)$. Unless,
- $\a := \rho_1(\vec{h}, \vec{U})$ or $z = \rho_1(\bar{C}, \bar{h}(X))$ is constructed maliciously.
- Previous accumulators are instances, as such, they will also be checked.
- More formal argument in the report
- More formal argument in the report.

## $\AS$ Efficiency

\begin{block}{Analysis}
\begin{itemize}
\item $\ASDLCommonSubroutine$:
\begin{itemize}
\item Step 6: $m$ calls to $\PCDLSuccinctCheck$, $\Oc(m\lg(d))$ scalar muls.
\item Step 11: $m$ scalar muls.
\item Step 4: $m$ calls to $\PCDLSuccinctCheck$, $\Oc(m\lg(d))$ scalar muls.
\item Step 8: $m\lg(d)$ scalar muls.
\item Step 8: $m$ scalar muls.
\end{itemize}
Step 6 dominates with $\Oc(m\lg(d))$ scalar muls.
Step 4 and 8 dominates with $\Oc(m\lg(d))$ scalar muls.
\end{itemize}
\begin{itemize}
\item $\ASDLProver$:
\begin{itemize}
\item Step 4: Call to $\ASDLCommonSubroutine$, $\Oc(m\lg(d))$ scalar muls.
\item Step 5: Evaluation of $h(X)$, $\Oc(\lg(d))$ scalar muls.
\item Step 6: Call to $\PCDLOpen$, $\Oc(d)$ scalar muls.
\item Step 1: Call to $\ASDLCommonSubroutine$, $\Oc(m\lg(d))$ scalar muls.
\item Step 2: Call to $\PCDLOpen$, $\Oc(d)$ scalar muls.
\item Step 3: Evaluation of $h(X)$, $\Oc(\lg(d))$ scalar muls.
\end{itemize}
Step 6 dominates with $\Oc(d)$ scalar muls.
Step 2 dominates with $\Oc(d)$ scalar muls.
\end{itemize}
\begin{itemize}
\item $\ASDLVerifier$:
Expand All @@ -290,18 +292,16 @@ $$q: \Instance = (C: \Eb(\Fb_q), d: \Nb, z: \Fb_q, v: \Fb_q, \pi: \EvalProof)$$
\begin{itemize}
\item $\ASDLDecider$:
\begin{itemize}
\item Step 2: Call to $\PCDLCheck$, with $\Oc(d)$ scalar muls.
\item Step 1: Call to $\PCDLCheck$, with $\Oc(d)$ scalar muls.
\end{itemize}
\end{itemize}
\end{block}

So $\ASDLProver, \ASDLDecider$ are linear and $\ASDLVerifier$ is sub-linear.

<!-- TODO: steps -->

# IVC based on $\AS$

## Prerequisites test
## Assuming a Nark

- We assume we have an underlying NARK which proof consists of only instances
$\pi \in \Proof = [\vec{q}]^m$. We assume this NARK has three algorithms:
Expand Down Expand Up @@ -402,10 +402,10 @@ So $\ASDLProver, \ASDLDecider$ are linear and $\ASDLVerifier$ is sub-linear.
\Desc{$(S, \Proof, \Acc)$}{The values for the next IVC iteration.}
\begin{algorithmic}[1]
\Require $x = \{ s_0 \}, \; \; w = \{ s_{i-1}, \pi_{i-1}, \acc_{i-1} \} \lor w = \bot$
\State \textbf{If} $w = \bot$ \textbf{Then} $w = \{ s_{i-1} = s_0 \}, x' = x \cup \{ R_{IVC} \}$ \textbf{Else}:
\State \algind Run the accumulation prover: $\acc_i = \ASProver(\pi_{i-1} = \vec{q}, \acc_{i-1})$.
\State \algind Compute the next value: $s_i = F(s_{i-1})$.
\State \algind Define $x' = x \cup \{ R_{IVC}, s_i, \acc_i \}$.
\State \textbf{If} (base-case) \textbf{Then} $\dots$ \textbf{Else}
\State Run the accumulation prover: $\acc_i = \ASProver(\pi_{i-1} = \vec{q}, \acc_{i-1})$.
\State Compute the next value: $s_i = F(s_{i-1})$.
\State Define $x' = x \cup \{ R_{IVC}, s_i, \acc_i \}$.
\State Generate a NARK proof using $R_{IVC}$: $\pi_i = \NARKProver(R_{IVC}, x', w)$.
\State Output $(s_i, \pi_i, \acc_i)$
\end{algorithmic}
Expand Down Expand Up @@ -436,42 +436,51 @@ $$
&\IVCVerifier(R_{IVC}, x_n = \{ s_0, s_n, \acc_i \}, \pi_n) = \top &&\then \\
&\forall i \in [n], \forall q_j \in \pi_i = \vec{q} : \PCDLCheck(q_j) = \top &&\;\; \land \\
&F(s_{n-1}) = s_n \land (s_{n-1} = s_0 \lor ( \Vc_1 \land \Vc_2 )) &&\then \\
&\ASVerifier(\pi_{n-1}, \acc_{n-1}, \acc_n) = \top &&\;\; \land \\
&\ASVerifier(\vec{q} = \pi_{n-1}, \acc_{n-1}, \acc_n) = \top &&\;\; \land \\
&\NARKVerifierFast(R_{IVC}, x_{n-1}, \pi_{n-1}) = \top &&\then \dots \\
&F(s_0) = s_1 \land (s_0 = s_0 \lor ( \Vc_1 \land \Vc_2 )) &&\then \\
&F(s_0) = s_1 &&\then \\
\end{alignedat}
$$

1. $\forall i \in [2, n] : \ASVerifier(\pi_{i-1}, \acc_{i-1}, \acc_i) = \top$, i.e, all accumulators are accumulated correctly.
1. $\forall i \in [2, n] : \ASVerifier(\pi_{i-1}, \acc_{i-1}, \acc_i) = \top$, i.e, all accumulators are valid.
2. $\forall i \in [2, n] : \NARKVerifierFast(R_{IVC}, x_{i-1}, \pi_{i-1})$, i.e, all the proofs are valid.

## Efficiency Analysis

- The $\NARKProver$ runtime scales linearly with the $d$ ($\Oc(d)$)
- The $\NARKVerifierFast$ runtime scales logarithmically with $d$ ($\Oc(\lg(d))$)
- The $\NARKVerifier$ runtime scales linearly with the degree-bound $d$ ($\Oc(d)$)
- The $F$ runtime is less than $\Oc(d)$, since $|R_F| \approx d$

Then we can conclude:

- The runtime of $\IVCProver$ is:
- Step 5: The cost of running $\ASDLProver$, $\Oc(d)$.
- Step 6: The cost of computing $F$, $\Oc(F(x))$.
- Step 7: The cost of running $\NARKProver$, $\Oc(d)$.

Totalling $\Oc(F(x) + d)$. So $\Oc(d)$.
- The runtime of $\IVCVerifier$ is:
- Step 2: The cost of running $\ASDLDecider$, $\Oc(d)$ scalar muls.
- Step 3: The cost of running $\NARKVerifier$, $\Oc(d)$ scalar muls.
\begin{block}{Assumptions}
\begin{itemize}
\item $\NARKProver$ runtime scales linearly with $d$ ($\Oc(d)$)
\item $\NARKVerifier$ runtime scales linearly with $d$ ($\Oc(d)$)
\item $\NARKVerifierFast$ runtime scales logarithmically with $d$ ($\Oc(\lg(d))$)
\item $F$ runtime is less than $\Oc(d)$, since $|R_F| \lessapprox d$
\end{itemize}
\end{block}

Totalling $\Oc(2d)$. So $\Oc(d)$
\begin{block}{Analysis}
\begin{itemize}
\item $\IVCProver$:
\begin{itemize}
\item Step 2: The cost of running $\ASDLProver$, $\Oc(d)$.
\item Step 3: The cost of computing $F$, $\Oc(F(x))$.
\item Step 5: The cost of running $\NARKProver$, $\Oc(d)$.
\end{itemize}
Totalling $\Oc(d)$.
\end{itemize}
\begin{itemize}
\item $\IVCVerifier$:
\begin{itemize}
\item Step 2: The cost of running $\ASDLDecider$, $\Oc(d)$ scalar muls.
\item Step 3: The cost of running $\NARKVerifier$, $\Oc(d)$ scalar muls.
\end{itemize}
Totalling $\Oc(d)$
\end{itemize}
\end{block}

Notice that although the runtime of $\IVCVerifier$ is linear, it scales
with $d$, _not_ $n$. So the cost of verifying does not scale with the number
of iterations.
Although the runtime of $\IVCVerifier$ is linear, it scales with $d$,
**not** $n$.

# Conclusion & Benchmarks
# Benchmarks & Conclusion

## Benchmarks

Expand All @@ -492,17 +501,19 @@ of iterations.
]
\addplot[color=GbBlueDk, mark=*] coordinates {(512, 0.941) (1024, 1.504) (2048, 2.558) (4096, 4.495) (8196, 8.372) (16384, 15.253)};
\addplot[color=GbRedDk, mark=square*] coordinates {(512, 0.607) (1024, 0.662) (2048, 0.798) (4096, 1.014) (8196, 1.161) (16384, 1.648)};
\legend {acc\_cmp\_s, acc\_cmp\_f}
\legend {$\PCDLCheck$, $\ASDLVerifier$}
\end{axis}
\end{tikzpicture}
\end{figure}

## Conclusion

### The project:
- Learned a lot...
- Implementing IVC is _hard_.
- Learned a lot of deep cryptographic theory.
- Learned a lot about implementating advanced cryptography
- Implementing full IVC is _hard_.
- Benchmarks looks good, excited to see degree bound increase.
- Future work.

# TO BE REMOVED

Expand Down Expand Up @@ -658,4 +669,4 @@ $$
- Because $\a$ is sampled using the RO, $\Bc_b$ wins against $CM_b$
$\Pr[\Bc_a \text{ wins} \lor \Bc_b \text{ wins}] = \delta - \negl(\l), \Pr[\Bc_a \text{ wins} \land \Bc_b \text{ wins}] = 0$.

<!-- TODO: this -->
<!-- TODO: step 2 -->

0 comments on commit 9e1e031

Please sign in to comment.