Incidencias en el contexto y en las personas

We describe an RS-encoded IPCP protocol for the R1CS relation (see Definition 7.1). This can be viewed as an interleaved analogue of the RS-encoded IOP for R1CS in Section 7, and is a modification of the IPCP for arithmetic circuits in [AHIV17] to work for R1CS.

Let(F, k, n, m, A, B, C, v)be an R1CS instance andwa witness for it. The prover and verifier receive the instance as input, and the prover additionally receives the witness as input. Definez:= (1, v, w)∈Fn+1.

LetL, H be disjoint subsets ofFof sizesl, hrespectively (withl≥h) and letm2, m1be integers such

thatm1h=mandm2h= 1 +n. Letbbe the query bound for zero knowledge.

The protocol below is summarized in Fig. 14, and implicitly assumes an orderingγH:H → {1, . . . , h}

onH. The parameterλicontrols the number of repetitions of the sub-protocols, andλqcontrols the number

of query repetitions in the verifier.

• Oracle:The proverP sends an oracleF∈RS [L, ~ρ]m2+3m1+4λi that is computed as follows.

Extend the witness w ∈ _Fn−k _{to w := (0}1+k_{, w) ∈}

F1+n, and sample a random codeword Fw ∈

RS

L,h+_lbm2

such that the evaluation overHof the interpolation of thei-th row ofFw is thei-th block

ofhentries inw(note that1 +n=m2h). Compute vectorsa:=Az, b:=Bz, c:=Cz ∈Fm, and sample random codewordsFa, Fb, Fc∈RS

L,h+_lbm1

such that the evaluation overHof the interpolation of

everyι∈[λi], sample random codewordsqιa, qιb, qιc∈RS

L,2h+_lb−1

such that each ofqˆ_ιa,qˆ_ιb,qˆ_ιcsums

to zero onH, and random codewordqROW

ι ∈RS

L,2h+2_lb−1such thatqˆROW

ι vanishes everywhere on

H. The oracleFis the vertical juxtaposition ofFw, Fa, Fb, Fcas well asqιa, qbι, qιc, qROWι . Note that each

codeword inFw, Fa, Fb, Fcisb-wise independent (because of the way they are sampled), and thus any set

ofbevaluations are uniformly distributed (in particular, they reveal no information aboutw, a, b, c).

• The interactive protocol:

1. The proverP and verifierV extend the public inputvtov:= (1, v,0n−k), and compute the codeword

Fv ∈RS

L,h_lm2

such that the evaluation overHof the interpolation of thei-th row ofFvis thei-th

block ofhentries inv(note that1 +n=m2h). By linearity,Fv+Fwencodesz= (1, v, w)∈Fn+1. 2. For everyι∈[λi],V samples vectorsrι,1, . . . , rι,m1 ←F

h_{(for lincheck) andt}

ι ∈Fm1 (for rowcheck). 3. For everyι∈[λi], the proverP and verifierV compute several vectors:

(sa_ι,1, . . . , sa_ι,m2) := (rι,1, . . . , rι,m1) >_{A ,} (sb_ι,1, . . . , sb_ι,m2) := (rι,1, . . . , rι,m1) >_{B ,} (sc_ι,1, . . . , sc_ι,m2) := (rι,1, . . . , rι,m1) >_{C .}

They also find the polynomialˆrι,iof degree less thanhthat evaluates torι,i onH(fori∈[m1]), and

the polynomialssˆa_ι,i,sˆ_ι,ib ,sˆc_ι,iof degree less thanhthat evaluate tosa_ι,i, sb_ι,i, sc_ι,i onH(fori∈[m2]).

4. For everyι∈[λi],Presponds with (the coefficients of) several polynomials:

– For every ∈ {a, b, c}, a lincheck polynomialpˆ_ι of degree less than2h+b−1defined as ˆ p_ι := ˆq_ι+ m1 X i=1 ˆ rι,i·fˆ,i− m2 X i=1 ˆ

s_ι,i·( ˆfv,i+ ˆfw,i)

where

∗ fˆ,iis the polynomial of degree less thanh+bthat interpolate thei-th row ofF (fori∈[m1]);

∗ fˆv,iis the polynomial of degree less thanh+bthat interpolates thei-th row ofFv (fori∈[m2]);

∗ fˆw,iis the polynomial of degree less thanh+bthe interpolates thei-th row ofFw (fori∈[m2]).

– A rowcheck polynomialpˆROW

ι of degree less than2h+ 2b−1defined as

ˆ pROW ι := ˆqROWι + m1 X i=1

tι,i·( ˆfa,i·fˆb,i−fˆc,i)

where{fˆa,i,fˆb,i,fˆc,i}are the polynomials of degree less thanh+bthat interpolate thei-th row of {Fa, Fb, Fc}respectively.

5. The verifier V samples random indicesα1, . . . , αλq ← L and, for everyk ∈ [λq], queriesF atαk

thereby obtaining

F[αk] = (Fw[αk], Fa[αk], Fb[αk], Fc[αk], qιa[αk], qbι[αk], qιc[αk], qROWι [αk]) .

– Lincheck tests.For every ∈ {a, b, c},P

α∈Hpˆι(α) = 0and for everyk∈[λq]it holds that

ˆ p_ι(αk) =qι[αk] + m1 X i=1 ˆ rι,i(αk)·F[i, αk]− m2 X i=1 ˆ s_ι,i(αk)·(Fv[i, αk] +Fw[i, αk]) .

– Rowcheck test.pˆROW

ι (H) ={0}and for everyk∈[λq]it holds that

ˆ pROW ι (αk) =qROWι [αk] + m1 X i=1 tι,i·(Fa[i, αk]·Fb[i, αk]−Fc[i, αk]) .

Completeness. Ifwis in fact a satisfying witness for the R1CS instance, and the prover is honest, then the

rowcheck and lincheck correctness tests pass, by arguments analogous to those made for the previous two protocols. The masking codewords{q_ιa, qb_ι, q_ιc, qROW

ι }ι∈[λi]are chosen so that completeness is unaffected.

Soundness. Assume that the R1CS instance is not satisfiable. LetF˜be the codeword sent by the prover.

Letw˜be the candidate witness encoded inF˜; note thatAz˜◦Bz˜ 6= Cz˜wherez˜= (1, v,w˜). Let˜a,˜b,˜c

be the alleged linear transformations of z˜encoded inF˜. One of the following equations cannot hold:

˜

a = Az,˜ ˜b = Bz,˜ c˜= Cz,˜ a˜◦˜b = ˜c. If one of the first three equations fails to hold, the corresponding

lincheck sub-protocol will reject with high probability; if the last equation fails to hold, the rowcheck sub-protocol will reject with high probability. The interactive phase of each of these sub-protocols is repeated

λitimes, bringing the corresponding soundness error down from1/|F|to1/|F|λi; the subsequent query phase is repeatedλqtimes, bringing the corresponding soundness error down from 2h+2_lb−2 to(2h+2_lb−2)λq.

Note that the masking codewordsq_ιa, qb_ι, q_ιc, qROW

ι do not affect soundness, as we now explain. In the

“no” case for the lincheck protocol, the summationP

α∈Hpˆ(α)is uniform overF. In the “no” case for the

rowcheck protocol, there exists someα∈Hsuch thatpˆ(α)is uniform overF. Thus in both cases, regardless of the (possibly malicious) choice of mask the probability that the verifier accepts remains1/|F|.

Zero knowledge. We construct a probabilistic simulatorSthat, given as input a satisfiable R1CS instance

(F, k, n, m, A, B, C, v) and straightline access to a b-query malicious verifier V˜, outputs a view that is identically distributed as_V˜_{’s view when interacting with an honest prover.}

1. Use the public inputvto computeFv ∈RS

L,h_lm2

like the honest prover does. 2. SampleFw ∈ (FL)m2 and_F

a, Fb, Fc ∈ (FL)m1 uniformly at random. For every_{ι∈ [λ}

i], sample

q_ιa, q_ιb, q_ιc∈RSL,2h+_lb−1uniformly at random given that the interpolation ofq_ιa, q_ιb, q_ιcsums to

zero onH. For everyι ∈ [λi], sampleqιROW ∈ RS

L,2h+2_lb−1uniformly at random given that

its interpolation vanishes everywhere on H. SetF = (Fw, Fa, Fb, Fc, qιa, qbι, qιc, qιROW), and start

simulating_V˜_.

3. UseFto answer any queries byV˜. LetQ⊆Lbe the queries asked byV˜ until the next step.

4. Receive a challenge{rι,1, . . . , rι,m1, tι}ι∈[λi]fromV˜.

5. For everyι ∈ [λi], sample pˆaι,pˆbι,pˆcι ∈ RS

L,2h+_lb−1 uniformly at random such that each of

ˆ

pa_ι,pˆb_ι,pˆc_ι sums to 0 onHand, for everyα∈Q, the following hold:

• pˆa_ι(α) =Pm1 i=1rˆι,i(α)·Fa[i, α] +Pmi=12 sˆaι,i(α)·(Fv[i, α] +Fw[i, α])−qιa[α], • pˆb_ι(α) =Pm1 i=1rˆι,i(α)·Fb[i, α] + Pm2 i=1sˆbι,i(α)·(Fv[i, α] +Fw[i, α])−qbι[α], • pˆc_ι(α) =Pm1 i=1rˆι,i(α)·Fc[i, α] +Pmi=12 sˆcι,i(α)·(Fv[i, α] +Fw[i, α])−qcι[α].

6. For everyι∈[λi], samplepˆROWι ∈RS

L,2h+2_lb−1uniformly at random such thatpˆROW

ι evaluates

• pˆROW ι (α) = Pm1 i=1tι,i·(Fa[i, α]·Fb[i, α]−Fc[i, α])−qιROW[α]. 7. Send{pˆa_ι,pˆ_ιb,pˆc_ι,pˆROW ι }ι∈[λi]toV˜.

8. Answer any queryα∈LbyV˜ by usingFw, Fa, Fb, Fc(as before) but forqιa, qbι, qιc, qιROWuse: • qa_ι[α] = ˆpa_ι(α)−Pm1 i=1rˆι,i(α)·Fa[i, α] +Pmi=12 sˆaι,i(α)·(Fv[i, α] +Fw[i, α]), • qb_ι[α] = ˆpb_ι(α)−Pm1 i=1rˆι,i(α)·Fb[i, α] +Pmi=12 sˆbι,i(α)·(Fv[i, α] +Fw[i, α]), • qc_ι[α] = ˆpc_ι(α)−Pm1 i=1rˆι,i(α)·Fc[i, α] +Pmi=12 sˆcι,i(α)·(Fv[i, α] +Fw[i, α]), • qROW ι [α] = ˆpROWι (α)− Pm1 i=1tι,i·(Fa[i, α]·Fb[i, α]−Fc[i, α]).

To see that the view of_V˜ _{is perfectly simulated, we consider a hybrid experiment in which a “hybrid}

prover” sends actual codewords for the blinding vectors (like the honest prover in the real world) but can modify messages after they are sent (like the simulator in the ideal world).

1. Use the public inputvto computeFv ∈RS

L,h_lm2

like the honest prover does. 2. SampleFw ∈ (FL)m2 and_F

a, Fb, Fc ∈ (FL)m1 uniformly at random. For every_{ι∈ [λ}

i], sample

q_ιa, q_ιb, q_ιc∈RSL,2h+_lb−1uniformly at random given that the interpolation ofq_ιa, q_ιb, q_ιcsums to

zero onH. For everyι ∈ [λi], sampleqιROW ∈ RS

L,2h+2_lb−1uniformly at random given that

its interpolation vanishes everywhere on H. SetF = (Fw, Fa, Fb, Fc, qιa, qbι, qιc, qιROW), and start

simulating_V˜_.

3. UseFto answer any queries byV˜. LetQ⊆Lbe the queries asked byV˜ until the next step.

4. Receive a challenge{rι,1, . . . , rι,m1, tι}ι∈[λi]fromV˜.

5. For everyι ∈ [λi], sample pˆaι,pˆbι,pˆcι ∈ RS

L,2h+_lb−1 uniformly at random such that each of

ˆ

pa_ι,pˆb_ι,pˆc_ι sums to 0 onHand, for everyα∈Q, the following hold:

• pˆa_ι(α) =Pm1 i=1rˆι,i(α)·Fa[i, α] +Pmi=12 sˆaι,i(α)·(Fv[i, α] +Fw[i, α])−qιa[α], • pˆb_ι(α) =Pm1 i=1rˆι,i(α)·Fb[i, α] + Pm2 i=1sˆbι,i(α)·(Fv[i, α] +Fw[i, α])−qbι[α], • pˆc_ι(α) =Pm1 i=1rˆι,i(α)·Fc[i, α] +Pmi=12 sˆcι,i(α)·(Fv[i, α] +Fw[i, α])−qcι[α].

6. For everyι∈[λi], samplepˆROWι ∈RS

L,2h+2_lb−1

uniformly at random such thatpˆROW

ι evaluates

to 0 everywhere onH, and, for everyα∈Q, the following hold:

• pˆROW ι (α) = Pm1 i=1tι,i·(Fa[i, α]·Fb[i, α]−Fc[i, α])−qιROW[α]. 7. Send{pˆa_ι,pˆ_ιb,pˆc_ι,pˆROW ι }ι∈[λi]toV˜.

8. For everyι∈[λi], replaceqιa, qιb, qιc, qROWι with the following codewords respectively: • {pˆa_ι(α)−Pm1 i=1rˆι,i(α)·Fa[i, α] + Pm2 i=1sˆaι,i(α)·(Fv[i, α] +Fw[i, α])}α∈L; • {pˆb_ι(α)−Pm1 i=1ˆrι,i(α)·Fb[i, α] +Pmi=12 ˆsbι,i(α)·(Fv[i, α] +Fw[i, α])}α∈L; • {pˆc_ι(α)−Pm1 i=1ˆrι,i(α)·Fc[i, α] +Pmi=12 ˆscι,i(α)·(Fv[i, α] +Fw[i, α])}α∈L; • {pˆROW ι (α)− Pm1 i=1tι,i·(Fa[i, α]·Fb[i, α]−Fc[i, α])}α∈L.

9. Finish simulating the interaction with_V˜_.

The distribution of_V˜_{’s view in the real protocol is identical to the distribution ofV}˜_{’s view in the above}

experiment. In particular, since_V˜ _{makes at mostbqueries, the answers to its queries toFa, Fb, Fc, Fw are}

uniformly random in the real world, and hence are perfectly simulated, and it is easy to check that its queries toq_ιa, qb_ι, q_ιc, qROW

ι after their replacement by the new values have the correct distribution. Moreover, it is not

hard to see that_V˜_{’s view in the above experiment andS’s output are identically distributed.}

Efficiency. Both the prover and the verifier perform matrix multiplications, which take time proportional

over the systematic subspaceH (of sizeh ≤l) and the codeword subspaceL(of sizel) to construct the

codewords inFand, later, also to construct the response polynomials. The verifier performs FFTs to evaluate

the four response polynomials overH; then, after interpolating its challenges, the verifier also performs O((m2+m1)h)field operations for each interactive repetition and each query.

Summary. The aforementioned protocol is an RS-encoded IOP with the following parameters. One should

think ofm1, m2, has on the order of square root of the number of constraints/variables in the R1CS instance.

To achieve soundness2−λ, we can setλi:=bλ/log|F|c+ 1andλq:=bλ/log(_2h+2l_b−2)c+ 1for example. alphabet Σ = _F number of rounds k = 2 oracle length p = (m2+ 3m1+ 4λi)l communication c = 4λi(8h+ 5b−4) query complexity q = (m2+ 3m1+ 4λi)λq

randomness (ri,rq) = ((m1+ 1)hλilog|F|, λqlogl)

soundness error (εi, εq) = (_|1 F|) λi_,(2h+2b−2 l ) λq

prover time tP = O(kAk+kBk+kCk) +O(m2+m1+λi)FFT(F, l)

verifier time tV = O(kAk+kBk+kCk) +O(m2+m1+λi)FFT(F, l) +O(λiλq(m2+m1)h) .

In document La Educación Física constructora de significado en el ocio a través de la experiencia corporal (página 102-118)