From 3731e23c124c6b6958a5cea793a2c83d9565bc69 Mon Sep 17 00:00:00 2001 From: "keroroxx520@gmail.com" Date: Thu, 26 Sep 2024 14:41:59 +0800 Subject: [PATCH] fix the evaluation of constraint polynomial A --- posts/circlestarks.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/posts/circlestarks.md b/posts/circlestarks.md index 5120a070..7dabe1b8 100644 --- a/posts/circlestarks.md +++ b/posts/circlestarks.md 
@@ -13,7 +13,7 @@ This switch has already led to demonstrated massive improvements in proving spee One of the most important "tricks" when making hash-based proofs (or really, any kind of proof) is the idea of proving things about evaluations of a polynomial as a random point, as a substitute for proving things about the underlying polynomials. -For example, suppose that a proof system requires you to generate a commitment to a polynomial, $A$, which must satisfy $A^3(x) + x - A(\omega*x) = x^N$ (a pretty common type of claim to prove in ZK-SNARK protocols). The protocol can require you to pick a random coordinate $r$, and prove that $A(r) + r - A(\omega*r) = r^N$. And then in turn, to prove that $A(r) = c$, you prove that $Q = \frac{A - c}{X - r}$ is a polynomial (as opposed to a fractional expression). +For example, suppose that a proof system requires you to generate a commitment to a polynomial, $A$, which must satisfy $A^3(x) + x - A(\omega*x) = x^N$ (a pretty common type of claim to prove in ZK-SNARK protocols). The protocol can require you to pick a random coordinate $r$, and prove that $A^3(r) + r - A(\omega*r) = r^N$. And then in turn, to prove that $A(r) = c$, you prove that $Q = \frac{A - c}{X - r}$ is a polynomial (as opposed to a fractional expression). If you know $r$ _ahead of time_, you can always cheat these protocols. In this case, you could just set $A(r)$ to be zero, retrofit $A(\omega * r)$ to satisfy the equation, and then let $A$ be the line that passes through those two points. And similarly for the second step, if you know $r$ ahead of time, you can generate whatever $Q$ you want, and then retrofit $A$ to match it, even if $A$ is a fractional (or other non-polynomial) expression.
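Review bot: the corrected evaluation $A^3(r) + r - A(\omega*r) = r^N$ now matches the constraint $A^3(x) + x - A(\omega*x) = x^N$ stated in the preceding sentence, so the "evaluate at a random point" claim is finally the same identity as the one on the committed polynomial; the cheating argument in the following context paragraph still holds after the fix, since choosing $A(r) = 0$ also makes $A^3(r) = 0$ and $A(\omega*r) = r - r^N$ can be retrofitted as before. Two small inconsistencies remain in the touched sentence and its neighbours that are worth fixing in the same commit: the quotient $Q = \frac{A - c}{X - r}$ uses a capital $X$ for the indeterminate while every other formula in the hunk writes lowercase $x$, and the unchanged context line above reads "evaluations of a polynomial as a random point" where "at a random point" is meant. Neither affects the correctness of this change.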