Maller optimization to reduce proof size
In the PLONK paper, they make use of an optimization from Mary Maller in order to reduce the proof size. This is a note explaining this optimization. If you have no idea what these words are, you might want to skip reading this post :)
Explanation
Maller’s optimization is used in the “polynomial dance” between the prover and the verifier to reduce the number of openings the prover send.
Recall that the polynomial dance is the process where the verifier and the prover form polynomials together so that:
the prover doesn’t leak anything important to the verifier the verifier doesn’t give the prover too much freedomIn the dance, the prover can additionally perform some steps that will keep the same properties but with reduced communication.
Let’s see the protocol where Prover wants to prove to Verifier that
given commitments of .
Note left of Prover: commits to h1, h2, h3 Prover->Verifier: com(h1), com(h2), com(h3) Note right of Verifier: generates random point s Verifier-->Prover: s Note left of Prover: evaluates at point s Prover->Verifier: h1(s), h2(s), h3(s) Prover->Verifier: 3 proofs of openings Note right of Verifier: verifies that n h1(s)h2(s) - h3(s) = 0
A shorter proof exists. Essentially, if the verifier already has the opening h1(s), they can reduce the problem to showing that
given commitments of and evaluation of at a point .
Note left of Prover: commits to h1, h2, h3 Prover->Verifier: com(h1), com(h2), com(h3) Note right of Verifier: generates random point s Verifier-->Prover: s Note left of Prover: evaluates at point s Prover->Verifier: h1(s), L(s) Prover->Verifier: 2 proofs of openings Note right of Verifier: forms polynomial com(L) = n h1(s)com(h2) - com(h3) Note right of Verifier: checks that L(s) = 0
Notes
Why couldn’t the prover open the polynomial directly?
By doing
Note left of Prover: commits to h1, h2, h3 Prover->Verifier: com(h1), com(h2), com(h3) Note right of Verifier: generates random point s Verifier-->Prover: s Note left of Prover: evaluates at point s Prover->Verifier: L'(s), 1 proof of opening Note right of Verifier: forms polynomial com(L') = n com(h1)com(h2) - com(h3) Note right of Verifier: verifies that n h1(s)h2(s) - h3(s) = 0
The problem here is that you can’t multiply the commitments together without using a pairing (if you’re using a pairing-based polynomial commitment scheme), and you can only use that pairing once in the protocol.
If you’re using an inner-product-based commitment, you can’t even multiply commitments anyway.
Appendix: Original explanation from the PLONK paper
https://eprint.iacr.org/2019/953.pdf
For completion, the lemma 4.7:
相关知识
Vegetable Container Size Standards (With Chart)
Container Size Chart: Plant Pot Sizing Guide
Vegetable Container Size Chart & Pot Size Calculator
Plant Container Size Chart
5 Gallon Pot Size for Gardening Enthusiasts
Pot size inches to gallon to liters conversion
220W Jebao super eco pond pump AMP18000
Jebao eco pond pump AMP
不同施肥方式对设施菜地氮、磷地下淋溶的影响研究.doc 免费在线阅读
best selling Jebao eco pond pump 35W FTP4600
网址: Maller optimization to reduce proof size https://m.huajiangbk.com/newsview2275649.html
| 上一篇: Knowledge Graph |
下一篇: 铁皮石斛最爱怎样的土壤?种植小白 |
