Getting Started

⚡Lazarus⚡

A Framework of Lattice-based Zero-knowledge Arguments in Rust

0. setup

relation R
- constraints
  - $f^{(k)} (s_{1}, ..., s_{r})$ $= \sum_{i, j = 1}^{r^{'}} a_{i, j}^{(k)} < s_{i}, s_{j} > + \sum_{i = 1}^{r} < φ_{i}^{(k)}, s_{i} > - b^{(k)} = 0$
  - $c t (f^{' (l)} (s_{1}, ..., s_{l}))$ $= c t (\sum_{i, j = 1}^{L} a_{i, j}^{(k)} < s_{i}, s_{j} > + \sum_{i = 1}^{L} < φ_{i}^{(l)}, s_{i} > - b^{(l)}) mod q^{'}$
  - norm check
    - $s$ is witness
    - $\sum_{i = 1}^{r} ∣∣ s_{i} ∣ ∣_{2}^{2} \leq β^{2}$
- data structure
  - $s_{i}$ , $s_{j}$ $\in R_{q}^{n}$
  - $φ_{i}^{(k)}$ $\in R_{q}^{n}$
  - $a_{ij}^{(k)}$ $\in R_{q}$
  - $b^{(k)}$ $\in R_{q}$
  - $φ_{i}^{^{'} (l)}$ $\in R_{q}^{n}$
  - $a_{ij}^{^{'} (l)}$ $\in R_{q}$
  - $b^{^{'} (l)}$ $\in R_{q}$
  - $b_{0}^{^{'} (l)}$ is the constant term of $b^{^{'} (l)}$
  - $< s_{i}, s_{j} >$ $\in R_{q}$
  - $< φ_{i}, s_{i} >$ $\in R_{q}$
  - $k \in [K]$
  - $l \in [L]$
- params
  - $φ_{i}^{(k)}$ , $a_{ij}^{(k)}$ , $b^{(k)}$ , $φ_{i}^{^{'} (l)}$ , $a_{ij}^{^{'} (l)}$ , $b^{^{'} (l)}$ are public inputs of dot product constraint system(DPCS)
    - each iteration they are the same?
  - $d = 64$ (page 26)
  - $q \approx 2^{32}$ (page 26)
  - $β = 128/30 (n + (3 + l) k) d /2$ (page 26)
    - use K and L??
sample A, B, C, D in challenge space
- they are common reference string(CRS)
- challenge space
  - sample ring element from ring $R = Z_{q} [X] / (X^{64} + 1)$
  - sampled ring element should meet below requirements
    - 23 zero coefficients
    - 31 coefficient that are ±1
    - 10 coefficients that are ±2
  - coefficients are total 64
- data structure
  - $A \in R_{q}^{κ \times n}$
  - $B_{ik} \in R_{q}^{κ_{1} \times κ}$
    - $1 \leq i \leq r$
    - $0 \leq k \leq t_{1} - 1$
    - $t_{1}$ see below decomposition section
  - $C_{ijk} \in R_{q}^{κ_{2} \times 1}$
    - $1 \leq i \leq j \leq r$
    - $0 \leq k \leq t_{2} - 1$
    - $t_{2}$ see below decomposition section
    - $κ_{2}$ ??
  - $D_{ijk} \in R_{q}^{κ_{2} \times 1}$
    - $1 \leq i \leq j \leq r$
    - $0 \leq k \leq t_{1} - 1$
questions
- use K and L to compute $β$ ??
- how to get the values of $κ_{i}$ ??

1. commit

commit $s_{i}, i \in 1.. r$
- $t_{i} = A s_{i} \in R_{q}^{κ}$ , this is Ajtai commitment
decompose and combine
- problems
  - problem 1:
    - costly to send $t_{i}$ directly to verifier
    - solution: combine all inner commitments $t_{i}$ into a shorter outer commitment
  - problem 2:
    - ring elements $t_{i, j}, g_{i, j} \in R_{q}$ have arbitrary length of coefficients, not good for commitment
    - solution: decompose and concatenate
      - each coefficient of ring element need to be decomposed to same length with a proper basis, then concatenate them together
- decompose
  - decompose $t_{i, j}$
    - $t_{i, j} \in R_{q}, i \in [r], j \in [κ]$
    - in total there are $r \times κ$ $R_{q}$ in $t$ , means $t \in R_{q}^{r κ}$
    - choose length $t_{1}$ , basis $b_{1}$
    - decompose $t_{i, j}$ , output decomposed $t_{i, j} = t_{i, j}^{(0)} + ... + t_{i, j}^{(t_{1} - 1)} b_{1}^{t_{1} - 1} \in R_{q}^{t_{1}}$
    - concatenate all decomposed $t_{i, j}$ , get decomposed $t \in R_{q}^{t_{1} κ r}$
  - decompose $g_{i, j}$
    - $g_{i, j} =< s_{i}, s_{j} >$ $\in R_{q}, i \in [r], j \in [i, r]$
    - since $g_{i, j} =< s_{i}, s_{j} >$ , means choose any 2 items from r items, this a classical combination problem, the result is $r (r + 1) /2 = (r^{2} + r) /2$
    - in total there are $(r^{2} + r) /2$ $R_{q}$ in $g$ , means $g \in R_{q}^{(r^{2} + r) /2}$
    - choose length $t_{2}$ , basis $b_{2}$
    - decompose $g_{k}$ , which $k \in [(r^{2} + r) /2]$ , output decomposed $g_{k} = g_{k}^{(0)} + ... + g_{g}^{(t_{2} - 1)} b_{2}^{t_{2} - 1} \in R_{q}^{t_{2}}$
    - concatenate all decomposed $g_{k}$ , get decomposed $g \in R_{q}^{t_{2} (r^{2} + r) /2}$
  - decomposition params(page 16, 19)
    - $τ$ : variance for the sum of the coefficients of a challenge polynomial
    - $s = β / r n d$ : standard deviation for the $Z_{q}$ coefficients of the vectors $s_{i}$
    - $b \approx b_{1} \approx b_{2} = 12 r τ s$ , b is used in recurse section
    - $t_{1} = ⌊ \frac{l o g q}{l o g b} ⌉$
    - $t_{2} = ⌊ \frac{l o g ( 24 n d s ^{2} )}{l o g b} ⌉$
- combine
  - combine all inner commitments $t_{i}$ with random matrix B to get a shooter outer commitment $u_{1} = B t \in R_{q}^{κ_{1}}$
  - also put $g_{ij} \in R_{q}$ combination here, because $g_{ij}$ is dependent of all the challenges, so compute it in the very beginning of the protocol
  - finally get: $u_{1} = B t + C g \in R_{q}^{κ_{1}}$
- prover sends $u_{1}$ to verifier
data structure
- $s_{i} \in R_{q}^{n}$
- $A \in R_{q}^{κ \times n}$
- $t_{i} = A s_{i} \in R_{q}^{κ}$ , $1 \leq i \leq r$
- $g_{i, j} =< s_{i}, s_{j} >\in R_{q}$ , $1 \leq i \leq j \leq r$
- after decompose
  - $t_{i} \in R_{q}^{t_{1} κ}, i \in [r]$
  - $t \in R_{q}^{t_{1} κ r}$
  - $g_{i, j} \in R_{q}^{t_{2}}$ , $1 \leq i \leq j \leq r$
  - $g \in R_{q}^{t_{2} (r^{2} + r) /2}$
  - $u_{1} = B t + C g \in R_{q}^{κ_{1}}$

2. project

goal: norm check can be replaced by Johnson-Lindenstrauss projection.
why: because the JL proof is more compact than check the long vector $s$
need to reach a security level $λ (λ = 128)$
steps
- verifier do a random sample get $\prod_{i} \in {- 1, 0, 1}^{2 λ \times n d}$ then send to prover
  - $s_{i} \in R_{q}^{n}$
  - n: length of $s_{i}$
  - d: degree of each element( $R_{q}$ ) in $s_{i}$
  - sample probability
    - -1: 1/4
    - 0: 1/2
    - 1: 1/4
- prover calculate $p_{j}$
  - $p_{j} = \sum_{i = 1}^{r} < π_{i}^{(j)}, s_{i} >$ $\in Z_{q}$ , $j = 1, ..., 2 λ$
- prover sends $p \in Z_{q}^{2 λ}$
- verifier check $∣∣ p ∣ ∣_{2} \leq λ β$ instead of $\sum_{i = 1}^{r} ∣∣ s_{i} ∣ ∣_{2}^{2} \leq β^{2}$
- notes: greyhound only use {1, -1} to do the sample
new constraint added to: (1) make sure final projection is correct, (2) aggregate
- $\sum_{i = 1}^{r} < τ (π_{i}^{(j)}), τ (s_{i}) > - p_{j} = 0$
- => $c t (\sum_{i = 1}^{r} < σ_{- 1} (π_{i}^{(j)}), s_{i} >) - p_{j} = 0$
- => $c t (\sum_{i = 1}^{r} < σ_{- 1} (π_{i}^{(j)}), s_{i} > - p_{j}) = 0$
- $π_{i}^{(j)}$ is the j-th row of $\prod_{i}$
- $σ_{- 1} (f (x)) = f (x^{- 1})$ , just replace $x$ with $x^{- 1}$
- this defines a LaBRADOR compatible constant-term constraint( $F^{'}$ ) that can be aggregated
data structure
- n: $Z_{q}$ , length of $s_{i}$
- d: $Z_{q}$ , degree of $s_{i}$
- $1 \leq i \leq r$
- $j = 1, ..., 2 λ$
- $\prod_{i} \in {- 1, 0, 1}^{2 λ \times n d}$
- $π_{i}^{(j)}$ : $\in {- 1, 0, 1}^{n d}$
- $p_{j} \in Z_{q}$
- $p \in Z_{q}^{2 λ}$

3. aggregate

goal: aggregate all dot product constraints
- aggregate $(F, F^{'}) = F$ $\in R_{q}$
steps
- 1. aggregate $F^{'}$
  - for security $λ$ , F' is aggregated to $⌈ λ / l o g_{2} (q)⌉$ constant-term constraints(why??)
  - F' includes constant-term constraints related to $f^{'}$ and $p_{j}$
  - steps
    - verifier sends random samples: $ψ^{(k)} $ Z_{q}^{∣ L ∣}$ , $ω^{(k)} $ Z_{q}^{2 λ}$
    - aggregate:
      - $k = 1, ..., ⌈ λ / l o g_{2} (q)⌉$ , $j = 1, ..., 2 λ$
      - $f^{^{''} (k)} (s_{1}, ..., s_{r})$
        
        $= \sum_{l = 1}^{∣ L ∣} ψ_{l}^{(k)} f^{^{'} (l)} (s_{1}, ..., s_{r})$
        
        $+ \sum_{j = 1}^{2 λ} ω_{j}^{(k)} (\sum_{i = 1}^{r} < σ_{- 1} (π_{i}^{(j)}), s_{i} > - p_{j})$
        
        $= \sum_{i, j = 1}^{r} a_{i, j}^{^{''} (k)} < s_{i}, s_{j} > + \sum_{i = 1}^{r} < φ_{i}^{^{''} (k)}, s_{i} > - b_{0}^{^{''} (k)}$
      - so prover gets:
        
        $a_{i, j}^{^{''} (k)} = \sum_{l = 1}^{∣ L ∣} ψ_{l}^{(k)} a_{i, j}^{^{'} (l)}$
        
        $φ_{i}^{^{''} (k)} = \sum_{l = 1}^{∣ L ∣} ψ_{l}^{(k)} φ_{i}^{^{'} (l)} + \sum_{j = 1}^{2 λ} ω_{j}^{(k)} σ_{- 1} (π_{i}^{(j)})$
        
        $b^{^{''} (k)} = \sum_{i, j = 1}^{r} a_{i, j}^{^{''} (k)} < s_{i}, s_{j} > + \sum_{i = 1}^{r} < φ_{i}^{^{''} (k)}, s_{i} >$
    - extends integers $b_{0}^{^{''} (k)}$ to full polynomials such that $f^{^{''} (k)} (s_{1}, ..., s_{r}) = 0$
    - prover sends $b_{0}^{^{''} (k)}$ to verifier
    - verifier checks the constant term
      - $b_{0}^{^{''} (k)} = \sum_{l = 1}^{∣ L ∣} ψ_{l}^{(k)} b_{0}^{(l)} + < ω^{(k)}, p >$
- 1. aggregate linear constraints $f^{(k)} (k = 1, ..., ∣ F ∣)$ and $f^{^{''} (k)} (k = 1, ..., ⌈ λ / l o g_{2} (q)⌉)$
  - verifier sends random samples from challenge space: $α $ R_{q}^{∣ F ∣}$ , $β $ R_{q}^{⌈ λ / l o g_{2} (q)⌉}, K = ∣ F ∣$
  - $F =< α, f > + < β, f^{''} >$
  - $F (s_{1}, ..., s_{r})$
    - $= \sum_{k = 1}^{K} α_{k} f^{(k)} + \sum_{k = 1}^{⌈ λ / l o g_{2} (q)⌉} β_{k} f^{^{''} (k)}$
    - $= \sum_{i, j = 1}^{r} a_{i, j} < s_{i}, s_{j} > + \sum_{i = 1}^{r} < φ_{i}, s_{i} > - b$
  - compute outer commitment $u_{2}$
    - $φ_{i} = \sum_{k = 1}^{K} α_{k} φ_{i}^{(k)} + \sum_{k = 1}^{⌈ λ / l o g_{2} (q)⌉} β_{k} φ_{i}^{^{''} (k)}$
    - $h_{ij} = \frac{1}{2} (< φ_{i}, s_{j} > + < φ_{j}, s_{i} >)$
    - decompose $h_{i, j}$
      - $h_{i, j} \in R_{q}, i \in [r], j \in [r]$
      - in total there are $(r^{2} + r) /2$ $R_{q}$ in $h$ , means $h \in R_{q}^{(r^{2} + r) /2}$
      - choose length $t_{1}$ , basis $b_{1}$
      - decompose $h_{i, j}$ , output decomposed $h_{i, j} = h_{i, j}^{(0)} + ... + h_{i, j}^{(t_{1} - 1)} b_{1}^{t_{1} - 1} \in R_{q}^{t_{1}}$
      - concatenate all decomposed $h_{i, j}$ , get decomposed $h \in R_{q}^{t_{1} (r^{2} + r) /2}$
    - $u_{2} = D h$ $\in R_{q}^{κ_{2}}$
data structure
- $1 \leq i, j \leq r$
- $φ_{i}$ $\in R_{q}^{n}$
- $h_{ij} = \frac{1}{2} (< φ_{i}, s_{j} > + < φ_{j}, s_{i} >) \in R_{q}$
- after decompose
  - $h_{i, j} \in R_{q}^{t_{1}}$
  - $h \in R_{q}^{t_{1} (r^{2} + r) /2}$
  - $u_{2} = D h$ $\in R_{q}^{κ_{2}}$
questions

4. amortize

purpose: achieve small proof size
method: instead of checking $F$ is satisfied by the witness, verifier will check 3 dot product constraints hold
steps
- verifier sends challenge $c_{i}$ $\in R_{q}$ from challenge space
- prover calculates $z, h$
  - $z = \sum_{i = 1}^{r} c_{i} s_{i}$
- provers sends $z, t, g, h$
data structure
- $c_{i}$ $\in R_{q}$
- $z$ $\in R_{q}^{n}$

5. verifier checks(without recursion)

$κ + κ_{1} + κ_{2} + 3$ dot product constraints
- 3 dot product constraints check
  - (1) $< z, z >= \sum_{i, j = 1}^{r} g_{i, j} c_{i} c_{j}$
  - (2) $\sum_{i = 1}^{r} < φ_{i}, z > c_{i} = \sum_{i, j = 1}^{r} h_{i, j} c_{i} c_{j}$
  - (3) $\sum_{i, j = 1}^{r} a_{i, j} g_{i, j} + \sum_{i = 1}^{r} h_{i, i} - b = 0$
- $κ + κ_{1} + κ_{2}$ dot product constraints check
  - $A z = \sum_{i = 1}^{r} c_{i} t_{i}$ $\in R_{q}^{κ}$
  - $u_{1} = B t + C g$ $\in R_{q}^{κ_{1}}$
  - $u_{2} = D h$ $\in R_{q}^{κ_{2}}$
norm check for $z, t, g, h$
- $∣∣ z ∣∣ \leq γ$
- $∣∣ t ∣∣ \leq γ_{1}$
- $∣∣ g ∣ ∣^{2} + ∣∣ h ∣ ∣^{2} \leq γ_{2}$
params
- $γ, γ_{1}, γ_{2}, β^{'}$ see page 19

6. recurse

goal: prove the last message ( $z, t, g, h$ ) of each iteration with base protocol recursively until get shooter witness and proof, then output the last message ( $z, t, g, h$ )
steps:
- 1. convert last message to new witness vector $s_{i}^{'}$ , $i \in [r^{'}]$
  - decompose $z$
    - $z = z^{(0)} + b z^{(1)}$ , $z^{(0)}, z^{(1)} \in R_{q}^{n}$
  - combine $t, g, h$
    - $v = t ∣∣ g ∣∣ h$ $\in R_{q}^{m}$
    - $m = r t_{1} κ + (t_{1} + t_{2}) (r^{2} + r) /2$
  - compose $s_{i}^{'}$
    - choose $ν, μ$ how to choose??
    - $s_{i}^{'}$ part 1:
      - $z^{(0)} = s_{1}^{'} ∣∣...∣∣ s_{ν}^{'}$
      - $s_{i}^{'}$ $\in R_{q}^{⌈ n / ν ⌉}$
    - $s_{i}^{'}$ part 2:
      - $z^{(1)} = s_{ν + 1}^{'} ∣∣...∣∣ s_{2 ν}^{'}$
      - $s_{i}^{'}$ $\in R_{q}^{⌈ n / ν ⌉}$
    - $s_{i}^{'}$ part 3:
      - $v = s_{2 ν + 1}^{'} ∣∣...∣∣ s_{2 ν + μ}^{'}$
      - $s_{i}^{'}$ $\in R_{q}^{⌈ m / μ ⌉}$
- 1. use base protocol to prove the new witness
  - get new relation $g^{(k)} (s_{1}, ..., s_{r^{'}})$ $= \sum_{i, j = 1}^{r^{'}} a_{i, j}^{(k)} < s_{i}, s_{j} > + \sum_{i = 1}^{r^{'}} < φ_{i}^{(k)}, s_{i} > - b^{(k)} = 0$
  - $k = 1, ..., κ + κ_{1} + κ_{2} + 3$
  - $a_{ij}$ value refer page 15
- 1. keep recursing, until proof is small enough
  - need O(log log n) iterations
  - in practice , 6-7 iterations gives the best results
- 1. norm check
  - $∣∣ z^{(0)} ∣ ∣^{2} + ∣∣ z^{(1)} ∣ ∣^{2} + ∣∣ v ∣ ∣^{2} \leq \frac{2}{b ^{2}} γ^{2} + γ_{1}^{2} + γ_{2}^{2}$
  - verifier checks(without recursion)
data structure
- $z^{(0)}, z^{(1)} \in R_{q}^{n}$
- $z^{(0)} ∣∣ z^{(1)} \in R_{q}^{2 n}$
- $v$ $\in R_{q}^{m}$
params
- $2 n \approx m$
- $γ, γ_{1}, γ_{2}, β^{'}$ (page 19)
- $\frac{n}{ν} \approx \frac{m}{μ}$
- $r^{'} = 2 ν + μ = O (r^{1/3})$ is optimal(page 5)