search

QAP

hashtag
Introduction

Given a R1CS instance A,B,CFm×n\bm{A},\bm{B},\bm{C}\in \mathbb{F}^{m\times n}, the verifier has to check if it holds:

AzBz=?Cz\bm{Az}\circ\bm{Bz}\stackrel{?}=\bm{Cz}

which is a O(m)O(m) complexity task so we want to somehow reduce this to O(1)O(1).

hashtag
Preliminaries

  1. Number Theoretic Transformarrow-up-right

  2. Schwartz-Zippel Lemmaarrow-up-right

hashtag
Protocol Explanation

Let's consider a simpler case where we want to check if Au=Bv\bm{Au}=\bm{Bv}. Denote iith column vectors of A\bm{A} and B\bm{B} as ai\bm{a}_i and bi\bm{b}_i respectively. Then, what we want to check becomes:

i=1naiui=?i=1nbivi\sum_{i=1}^n\bm{a}_iu_i\stackrel{?}=\sum_{i=1}^n\bm{b}_iv_i

So if we consider polynomials fi=INTT(ai)f_i=\mathsf{INTT}(\bm{a}_i) and gi=INTT(bi)g_i=\mathsf{INTT}(\bm{b}_i) then, it is equivalent of checking if this two are same:

i=1nfiui=?i=1ngivi\sum_{i=1}^nf_iu_i\stackrel{?}=\sum_{i=1}^n g_iv_i

Since the sum itself is another polynomial, if we denote them as ff and gg, we have simple equality check:

f=?gf\stackrel{?}=g

This check can be done using a single random challenge following the Schwartz-Zippel Lemma.

hashtag
Applying to R1CS

Similarly, let's denote the polynomial interpolation of iith column of A\bm{A}, B\bm{B}, C\bm{C} as fa,i,fb,i,fc,if_{a,i},f_{b,i}, f_{c,i}. Then, the R1CS check becomes:

i=1nfa,izii=1nfb,izi=?i=1nfc,izi\sum_{i=1}^nf_{a,i}z_i\sum_{i=1}^nf_{b,i}z_i\stackrel{?}=\sum_{i=1}^n f_{c,i}z_i

Since each sum results in a single polynomial, we can simplify this equation as:

fafb=?fcf_a\circ f_b\stackrel{?}=f_c

hashtag
Degree imbalance

The equality above is not as simple as it looks since the deg(fafb)=2m=2deg(fc)\deg (f_a\circ f_b)=2m =2\deg(f_c). Because of this imbalance, our polynomials are not necessarily equal but if we think about the INTT\mathsf{INTT}, they must be equal over the evaluation domain:

i=0,,m1:(fafb)(ωi)=fc(ωi)\forall i =0,\dots,m-1: (f_a\circ f_b)(\omega^i)= f_c(\omega^{i})

which is equivalent to checking:

i=0,,m1:(fafbfc)(ωi)=?0\forall i =0,\dots,m-1: (f_a\circ f_b-f_c)(\omega^i)\stackrel{?}=0

In other words, fafbfcf_a\circ f_b - f_c should be divisible by the degree mm zero polynomial:

t(X)=(Xw0)(Xω1)(Xwm1)=Xm1t(X)=(X-w^0)(X-\omega^1)\dots(X-w^{m-1})=X^m-1

Therefore, the quotient polynomial must be well defined:

h(X)=fafbfct(X)h(X)=\frac{f_a\circ f_b - f_c}{t}(X)

hashtag
Final formula for QAP

Prover commits to fa,fb,fc,hf_a,f_b,f_c,h polynomials and verifier checks with random challenge τRF\tau \in_R \mathbb{F}:

fa(τ)fb(τ)=fc(τ)+h(τ)t(τ)f_a(\tau)\cdot f_b(\tau)=f_c(\tau) + h(\tau)\cdot t(\tau)

hashtag
References

  1. https://rareskills.io/post/quadratic-arithmetic-program#qap-end-to-endarrow-up-right

PreviousR1CSNextPLONK

Last updated