From 581a5439b7461831d08f38ecf8ce6188cf3de04b Mon Sep 17 00:00:00 2001 From: alvaro-alonso Date: Thu, 18 Jul 2024 16:22:57 +0200 Subject: [PATCH 1/2] chapter 6, example 119. correction decision function tiny_jj definition --- chapters/statements-moonmath.tex | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chapters/statements-moonmath.tex b/chapters/statements-moonmath.tex index 5f083674..799407f4 100644 --- a/chapters/statements-moonmath.tex +++ b/chapters/statements-moonmath.tex @@ -238,7 +238,7 @@ \subsection{Instance and Witness} R_{tiny.jj\_zk} : (\F_{13})^*\times (\F_{13})^* \to \{true, false\}\;;\;\\ (;) \mapsto \begin{cases} -true & n=0,\;m=m \text{ and } 3\cdot W_1^2 + W_2^2 = 1+ 8\cdot W_1^2\cdot W_2^2\\ +true & n=0,\;m=2 \text{ and } 3\cdot W_1^2 + W_2^2 = 1+ 8\cdot W_1^2\cdot W_2^2\\ false & else \end{cases} \end{multline*} From fbbda632c5b6abff37c42c9eca1a782bdbe55418 Mon Sep 17 00:00:00 2001 From: alvaro-alonso Date: Mon, 22 Jul 2024 17:22:26 +0200 Subject: [PATCH 2/2] chapter 6, example 132. fix wrong index for Witness in R_{3.fac_zk} --- chapters/statements-moonmath.tex | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/chapters/statements-moonmath.tex b/chapters/statements-moonmath.tex index 799407f4..7567342d 100644 --- a/chapters/statements-moonmath.tex +++ b/chapters/statements-moonmath.tex @@ -132,7 +132,7 @@ \subsection{Decision Functions} $$ The associated language $L_{tiny.jj}$ is then given as the set of all strings from $(\F_{13})^*$ that are mapped onto $true$ by $R_{tiny.jj}$: $$ -L_{tiny.jj} = \{\in (\F_{13})^*\;|\; R_{tiny.jj()=true}\} +L_{tiny.jj} = \{\in (\F_{13})^*\;|\; R_{tiny.jj}()=true \} $$ We can claim the statement ``There is a word in $L_{tiny.jj}$''. Because $L_{tiny.jj}$ is defined by $R_{tiny.jj}$, this statement is equivalent to the statement ``The \curvename{Tiny-jubjub} curve in its twisted Edwards form has a curve point.'' 
@@ -1397,12 +1397,12 @@ \subsubsection{QAP Satisfiability} One of the major points of Quadratic Arithmet Verifying a constructive proof in the case of a circuit is achieved by executing the circuit and then by comparing the result against the given proof. Verifying the same proof in the R1CS picture means checking if the elements of the proof satisfy the R1CS equations. In contrast, verifying a proof in the QAP picture is done by polynomial division of the proof $P$ by the target polynomial $T$. The proof is verified if and only if $P$ is divisible by $T$. -\begin{example} Consider the Quadratic Arithmetic Program $QAP(R_{3.fac\_zk})$ from \examplename{} \ref{ex:3-fac-QAP} and its associated R1CS from equation \ref{ex:3-factorization-r1cs}. To give an intuition of how proofs in the language $L_{QAP(R_{3.fac\_zk})}$ look like, lets consider the instance $I_1=11$. As we know from \examplename{} \ref{ex:3-fac-zk-circuit_2}, $(W_1,W_2,W_3,W_5)=(2,3,4,6)$ is a proper witness, since -$(;)=(<11>;<2,3,4,6>)$ is a valid circuit assignment and hence, a solution to $R_{3.fac\_zk}$ and a constructive proof for language $L_{R_{3.fac\_zk}}$. +\begin{example} Consider the Quadratic Arithmetic Program $QAP(R_{3.fac\_zk})$ from \examplename{} \ref{ex:3-fac-QAP} and its associated R1CS from equation \ref{ex:3-factorization-r1cs}. To give an intuition of how proofs in the language $L_{QAP(R_{3.fac\_zk})}$ look like, lets consider the instance $I_1=11$. As we know from \examplename{} \ref{ex:3-fac-zk-circuit_2}, $(W_1,W_2,W_3,W_4)=(2,3,4,6)$ is a proper witness, since +$(;)=(<11>;<2,3,4,6>)$ is a valid circuit assignment and hence, a solution to $R_{3.fac\_zk}$ and a constructive proof for language $L_{R_{3.fac\_zk}}$. In order to transform this constructive proof into a knowledge proof in language $L_{QAP(R_{3.fac\_zk})}$, a prover has to use the elements of the constructive proof, to compute the polynomial $P_{(I;W)}$. 
-In the case of $(;)=(<11>;<2,3,4,6>)$, the associated proof is computed as follows: +In the case of $(;)=(<11>;<2,3,4,6>)$, the associated proof is computed as follows: \begin{align*} P_{(I;W)} = & \scriptstyle \left(A_0 + \sum_{j}^n I_j\cdot A_j + \sum_{j}^m W_j\cdot A_{n+j} \right) \cdot \left(B_0 + \sum_{j}^n I_j\cdot B_j + \sum_{j}^m W_j\cdot B_{n+j} \right) -\left(C_0 + \sum_{j}^n I_j\cdot C_j + \sum_{j}^m W_j\cdot C_{n+j} \right)\\
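Review bot: In the first patch, hunk @@ -238,7 (subsection "Instance and Witness"), the subject line says the fix is to the "decision function tiny_jj", but the edited case belongs to R_{tiny.jj\_zk}, not R_{tiny.jj}. Name the relation exactly in the commit message so the change can be traced to the right definition. The replacement m=2 is consistent with the equation on the same line, which uses exactly W_1 and W_2, whereas the old m=m constrained nothing. Since the line already uses \text{ and }, the neighbouring true, false and else could also be wrapped in \text{} so they are not typeset as products of italic variables.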
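Review bot: In the second patch, hunk @@ -132,7 (subsection "Decision Functions"), the change to L_{tiny.jj} is not covered by the commit subject, which only mentions example 132 and the witness index in R_{3.fac_zk}. Either move the subscript-brace fix (R_{tiny.jj()=true} becoming R_{tiny.jj}()=true) into its own commit or mention it in the message. The added line also puts a space before the closing \} ("=true \}") that the removed line did not have; drop it unless it is intended.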
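Review bot: In the second patch, hunk @@ -1397,12 (QAP Satisfiability), only the first removed/added pair carries a visible change, the index W_5 becoming W_4, which matches the four values (2,3,4,6). The other two pairs, "$(;)=(<11>;<2,3,4,6>)$ is a valid circuit assignment ..." and "In the case of $(;)=(<11>;<2,3,4,6>)$ ...", read the same before and after as shown here. If those are whitespace-only edits, leave them out so the diff shows just the index fix, or state in the commit message what changed on them. Because the first line is rewritten anyway, "how proofs ... look like, lets consider" could be corrected to "what proofs ... look like, let's consider" in the same pass.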