docs/notes.md
17 additions & 8 deletions
@@ -270,30 +270,36 @@ we finally obtain
270
270
\\]
271
271
This is equivalent to the original inner-product equation, but has a single
272
272
inner product with \\({\mathbf{a}}\_{L}\\) on the left, \\({\mathbf{a}}\_{R}\\) on
273
-
the right, and non-secret terms factored out.
273
+
the right, and non-secret terms factored out. Let's call the left-hand side of the single inner product equation "unblinded" \\({\mathbf{l}(x)}\\) and the right-hand side "unblinded" \\({\mathbf{r}(x)}\\), such that
274
+
\\[
275
+
\begin{aligned}
276
+
\text{unblinded } \mathbf{l}(x) &= {\mathbf{a}}\_{L} - z {\mathbf{1}} \\\\
These are the left and right sides of the combined inner product with \\({\mathbf{a}}\_{L}\\), \\({\mathbf{a}}\_{R}\\)
295
-
replaced by blinded terms \\({\mathbf{a}}\_{L} + {\mathbf{s}}\_{L} x\\),
296
-
\\({\mathbf{a}}\_{R} + {\mathbf{s}}\_{R} x\\). Notice that since only the
301
+
The "blinded" \\({\mathbf{l}}(x)\\) and \\({\mathbf{r}}(x)\\) have \\({\mathbf{a}}\_{L}\\), \\({\mathbf{a}}\_{R}\\) replaced by blinded terms \\({\mathbf{a}}\_{L} + {\mathbf{s}}\_{L} x\\),
302
+
\\({\mathbf{a}}\_{R} + {\mathbf{s}}\_{R} x\\). The \\({\mathbf{l}}\_{0}\\) and \\({\mathbf{r}}\_{0}\\) terms represent the degree-zero terms of the polynomial with respect to \\(x\\), and the \\({\mathbf{l}}\_{1}\\) and \\({\mathbf{r}}\_{1}\\) terms represent the degree-one terms. Notice that since only the
297
303
blinding factors \\({\mathbf{s}}\_{L}\\), \\({\mathbf{s}}\_{R}\\) are multiplied
298
304
by \\(x\\), the vectors \\({\mathbf{l}}\_{0}\\) and \\({\mathbf{r}}\_{0}\\) are
299
305
exactly the left and right sides of the unblinded single inner-product:
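Review bot: the new lines 273-276 introduce "unblinded" \\({\mathbf{l}(x)}\\) and \\({\mathbf{r}(x)}\\) as functions of \\(x\\), but the first definition shown, \\({\mathbf{a}}\_{L} - z {\mathbf{1}}\\), has no \\(x\\) term at all, and the unchanged lines 303-305 then state that \\({\mathbf{l}}\_{0}\\) and \\({\mathbf{r}}\_{0}\\) are "exactly the left and right sides of the unblinded single inner-product". That is one object under two names. Suggest defining \\({\mathbf{l}}\_{0}\\) and \\({\mathbf{r}}\_{0}\\) directly at line 273 ("call the left-hand side \\({\mathbf{l}}\_{0}\\) and the right-hand side \\({\mathbf{r}}\_{0}\\)") and dropping the "unblinded \\({\mathbf{l}(x)}\\)" label, or else stating once that unblinded \\({\mathbf{l}(x)} = {\mathbf{l}}\_{0}\\) and unblinded \\({\mathbf{r}(x)} = {\mathbf{r}}\_{0}\\) so the reader is not left to infer it. Style: the added lines at 273 and 301-302 run far past the roughly 80-column wrap used by the surrounding lines (271-272, 303-305); wrapping them keeps later diffs of notes.md reviewable, and "Let's call" reads more informally than the rest of the derivation.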
@@ -519,7 +525,7 @@ check the final equality directly.
519
525
520
526
If the prover can demonstrate that the above \\(P'\\) has such structure
521
527
over generators \\({\mathbf{G}}\\), \\({\mathbf{H}}\\) and \\(Q\\) for all
522
-
\\(w \in {\mathbb Z\_{p}^{*}}\\), then the original \\(P\\) and \\(c\\) must satisfy
528
+
\\(w \in {\mathbb Z\_{p}^{\*}}\\), then the original \\(P\\) and \\(c\\) must satisfy
\wedge c = {\langle {\mathbf{a}}, {\mathbf{b}} \rangle})\\).
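Review bot: escaping the asterisk as `\*` in `\\({\mathbb Z\_{p}^{\*}}\\)` at line 528 is the right fix: an unescaped `*` in markdown source can open an emphasis span that swallows the rest of the paragraph, and `\*` matches the `\_` escaping already used for the subscript on the same line. Worth grepping notes.md for any other `^{*}` inside `\\( \\)` or `\\[ \\]` spans and escaping them in this same commit rather than one at a time as they are noticed.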
@@ -606,7 +612,10 @@ additional and final step involves sending a pair of scalars
606
612
Aggregated Range Proof
607
613
======================
608
614
609
-
We want to take advantage of the logarithmic size of the inner-product protocol, by creating an aggregated range proof for \\(m\\) values that is smaller than \\(m\\) individual range proofs.
615
+
The goal of an _aggregated range proof_ is to enable a group of parties to produce proofs of their individual statements
616
+
(individual range proofs for the corresponding value commitments), that can be aggregated in a more compact proof.
617
+
This is more efficient due to the logarithmic size of the inner-product protocol: an aggregated range proof for \\(m\\)
618
+
values is smaller than \\(m\\) individual range proofs.
610
619
611
620
The aggregation protocol is a multi-party computation protocol, involving \\(m\\) parties (one party per value) and one dealer, where the parties don't reveal their secrets to each other. The parties share their commitments with the dealer, and the dealer generates and returns challenge variables. The parties then share their proof shares with the dealer, and the dealer combines their shares to create an aggregated proof.
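Review bot: the new lines 615-616 say the parties "produce proofs of their individual statements (individual range proofs for the corresponding value commitments), that can be aggregated", but the unchanged paragraph at line 620 describes parties sending proof shares to a dealer who combines them, not finished individual range proofs being merged after the fact. Suggest wording that matches the protocol, e.g. "produce proof shares for their individual statements (that each committed value lies in range) which a dealer combines into a single, more compact proof". Minor: "aggregated in a more compact proof" should read "aggregated into a more compact proof", and the comma before "that" turns a restrictive clause into a non-restrictive one; drop it.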