add discussion document
This commit is contained in:
parent
08cbd05a26
commit
3962151035
Binary file not shown.
40
src/sonic/discussion.html
Normal file
40
src/sonic/discussion.html
Normal file
@ -0,0 +1,40 @@
|
||||
<h1>S polynomial transformation for permutation argument</h1>
|
||||
<h2>Decomposition</h2>
|
||||
<p>Following the original suggestion
|
||||
<img src="https://tex.s2cms.ru/svg/%20s(X%2C%20Y)%20%3D%20X%5E%7B-N-1%7DY%5E%7BN%7D%20s_%7B1%7D(X%2C%20Y)%20-%20X%5E%7BN%7Ds2(X%2C%20Y)" alt=" s(X, Y) = X^{-N-1}Y^{N} s_{1}(X, Y) - X^{N}s2(X, Y)" /></p>
|
||||
<p align="center" style="text-align: center;"><img align="center" src="https://tex.s2cms.ru/svg/%20s_%7B1%7D(X%2CY)%20%3D%20%5Csum_%7Bi%3D1%7D%5E%7BN%7Du'_%7Bi%7D(Y)%20X%5E%7B-i%2BN%2B1%7D%20%2B%20%5Csum_%7Bi%3D1%7D%5E%7BN%7Dv'_%7Bi%7D(Y)%20X%5E%7Bi%2BN%2B1%7D%20%2B%20%5Csum_%7Bi%3D1%7D%5E%7BN%7Dw'_%7Bi%7D(Y)%20X%5E%7Bi%2B2N%2B1%7D" alt=" s_{1}(X,Y) = \sum_{i=1}^{N}u'_{i}(Y) X^{-i+N+1} + \sum_{i=1}^{N}v'_{i}(Y) X^{i+N+1} + \sum_{i=1}^{N}w'_{i}(Y) X^{i+2N+1}" /></p>
|
||||
<p><img src="https://tex.s2cms.ru/svg/%20s_2(X%2CY)%20" alt=" s_2(X,Y) " /> is not important for this discussion. <img src="https://tex.s2cms.ru/svg/%20s_1(X%2CY)%20" alt=" s_1(X,Y) " /> is in total a polynomial of degree <img src="https://tex.s2cms.ru/svg/3N%20%2B%201" alt="3N + 1" />.</p>
|
||||
<p align="center" style="text-align: center;"><img align="center" src="https://tex.s2cms.ru/svg/%20u'_%7Bi%7D(Y)%20%3D%20%5Csum_%7Bq%3D1%7D%5E%7BQ%7D%20Y%5E%7Bq%7D%20u(q%2C%20i)%20" alt=" u'_{i}(Y) = \sum_{q=1}^{Q} Y^{q} u(q, i) " /></p>
|
||||
<p>and with a similar form for <img src="https://tex.s2cms.ru/svg/%20v'(Y)%20" alt=" v'(Y) " /> and <img src="https://tex.s2cms.ru/svg/%20w'(Y)%20" alt=" w'(Y) " /></p>
|
||||
<p><img src="https://tex.s2cms.ru/svg/%20u(q%2C%20i)%20" alt=" u(q, i) " /> by itself is a constant in <img src="https://tex.s2cms.ru/svg/q" alt="q" />-th linear constraint in front of a variable <img src="https://tex.s2cms.ru/svg/a(i)" alt="a(i)" />. <img src="https://tex.s2cms.ru/svg/%20v(q%2C%20i)%20" alt=" v(q, i) " /> and <img src="https://tex.s2cms.ru/svg/%20w(q%2C%20i)%20" alt=" w(q, i) " /> have the same meaning for <img src="https://tex.s2cms.ru/svg/b(i)" alt="b(i)" /> and <img src="https://tex.s2cms.ru/svg/c(i)" alt="c(i)" />.</p>
|
||||
<p>In total <img src="https://tex.s2cms.ru/svg/%20s_1(X%2CY)%20" alt=" s_1(X,Y) " /> can be represented as a large convolution in a form <img src="https://tex.s2cms.ru/svg/%20M_%7Bq%2Ci%7D%20N%5E%7Bq%7D%20K%5E%7Bi%7D" alt=" M_{q,i} N^{q} K^{i}" /> where summing is over the same index that is placed up and down. Vectors are <img src="https://tex.s2cms.ru/svg/%20N%5E%7Bq%7D%20%3D%20%5BY%2C%20Y%5E%7B1%7D%2C%20...%2C%20Y%5E%7BQ%7D%5D" alt=" N^{q} = [Y, Y^{1}, ..., Y^{Q}]" /> and <img src="https://tex.s2cms.ru/svg/%20K%5E%7Bi%7D%20%3D%20%5BX%2C%20X%5E%7B2%7D%2C%20...%2C%20X%5E%7B3N%2B1%7D%5D" alt=" K^{i} = [X, X^{2}, ..., X^{3N+1}]" /> , so the matrix <img src="https://tex.s2cms.ru/svg/%20M_%7Bq%2Ci%7D%20" alt=" M_{q,i} " /> is sparse and <img src="https://tex.s2cms.ru/svg/q" alt="q" />-th row is formed by the concatenation of coefficients of <img src="https://tex.s2cms.ru/svg/%20u(q%2C%20i)%20" alt=" u(q, i) " />, <img src="https://tex.s2cms.ru/svg/%20v(q%2C%20i)%20" alt=" v(q, i) " /> and <img src="https://tex.s2cms.ru/svg/%20w(q%2C%20i)" alt=" w(q, i)" /> (<img src="https://tex.s2cms.ru/svg/i" alt="i" /> notation is abused). For two multiplication gates (giving variables <img src="https://tex.s2cms.ru/svg/a(1)%2C%20a(2)%2C...%2C%20c(2)" alt="a(1), a(2),..., c(2)" />) and a linear constraint <img src="https://tex.s2cms.ru/svg/10a(1)%20-%20b(1)%20-%20c(2)%20%3D%200" alt="10a(1) - b(1) - c(2) = 0" /> a first row would look like</p>
|
||||
<p align="center" style="text-align: center;"><img align="center" src="https://tex.s2cms.ru/svg/%20%5B10%2C%200%2C%20-1%2C%200%2C%200%2C%20-1%5D%20" alt=" [10, 0, -1, 0, 0, -1] " /></p>
|
||||
<p>There are three questions:</p>
|
||||
<ul>
|
||||
<li>Original paper states that <img src="https://tex.s2cms.ru/svg/%20s_1(X%2CY)%20" alt=" s_1(X,Y) " /> can be represented as a sum of three polynomials, each of those being a permutation by itself. Why three? One could try to transform a whole matrix <img src="https://tex.s2cms.ru/svg/%20M_%7Bq%2Ci%7D" alt=" M_{q,i}" /> to have one permutation argument.</li>
|
||||
<li>If <img src="https://tex.s2cms.ru/svg/s_%7B1%7D" alt="s_{1}" /> is split into sum of three polynomials, are those polynomials each form an individual permutation argument for components like <img src="https://tex.s2cms.ru/svg/%20%5Csum_%7Bi%3D1%7D%5E%7BN%7Du'_%7Bi%7D(Y)%20X%5E%7B-i%2BN%2B1%7D%20" alt=" \sum_{i=1}^{N}u'_{i}(Y) X^{-i+N+1} " /> ?</li>
|
||||
<li>What would be the most efficient procedure to do such a reduction? Just from an example above with a single constraint in a form <img src="https://tex.s2cms.ru/svg/%20%5B10%2C%200%2C%20-1%2C%200%2C%200%2C%20-1%5D%20" alt=" [10, 0, -1, 0, 0, -1] " /> a first element will contribute in a summand <img src="https://tex.s2cms.ru/svg/%2010X%5E%7B2%7DY%5E%7B1%7D" alt=" 10X^{2}Y^{1}" />, while to make a permutation argument one has to first create a term <img src="https://tex.s2cms.ru/svg/%2010X%5E%7B2%7DY%5E%7B2%7D" alt=" 10X^{2}Y^{2}" />.</li>
|
||||
</ul>
|
||||
<h2>Continuing discussion</h2>
|
||||
<p>Implementation of a permutation argument requires to have some diagonal matrix <img src="https://tex.s2cms.ru/svg/%20D_%7Bq%2Ci%7D" alt=" D_{q,i}" /> to first commit to the combination like <img src="https://tex.s2cms.ru/svg/%20%5Csum_%7Bi%3D1%7D%5E%7BN%7D%20d_%7Bi%7DX%5E%7Bi%7DY%5E%7Bi%7D%20" alt=" \sum_{i=1}^{N} d_{i}X^{i}Y^{i} " /> and later make a permutation argument to prove evaluation of <img src="https://tex.s2cms.ru/svg/%20%5Csum_%7Bi%3D1%7D%5E%7BN%7D%20d_%7B%5Csigma(i)%7DX%5E%7Bi%7DY%5E%7B%5Csigma(i)%7D%20" alt=" \sum_{i=1}^{N} d_{\sigma(i)}X^{i}Y^{\sigma(i)} " /> for a fixed permutation <img src="https://tex.s2cms.ru/svg/%20%5Csigma(i)%20" alt=" \sigma(i) " />.</p>
|
||||
<p>In principle such requirement means that decomposition of our <img src="https://tex.s2cms.ru/svg/%20M_%7Bq%2Ci%7D" alt=" M_{q,i}" /> matrix into the sum of <img src="https://tex.s2cms.ru/svg/%20j%20" alt=" j " /> matrixes (let’s call them <img src="https://tex.s2cms.ru/svg/%20J_%7Bq%2Ci%7D%5E%7Bj%7D%20" alt=" J_{q,i}^{j} " /> should have only a single coefficient in every row, so one can define a proper diagonal <img src="https://tex.s2cms.ru/svg/%20D_%7Bq%2Ci%7D%5E%7Bj%7D" alt=" D_{q,i}^{j}" />. Such decomposition and reduction needs to be done only once per circuit, cause <img src="https://tex.s2cms.ru/svg/%20D_%7Bq%2Ci%7D%5E%7Bj%7D" alt=" D_{q,i}^{j}" /> and corresponding <img src="https://tex.s2cms.ru/svg/%5Csigma%5E%7Bj%7D(i)" alt="\sigma^{j}(i)" /> will become fixed as a part of the specialized common reference.</p>
|
||||
<p>One can not directly guess how many linear constraints and multiplication gates will be in a system. For example, trivial (w/o optimizing run, as given in the original SONICs implementation) reduction of R1CS will have number of multiplication gates equal to the <img src="https://tex.s2cms.ru/svg/%20m%2F2%20%2B%20n" alt=" m/2 + n" /> where <img src="https://tex.s2cms.ru/svg/%20m%20" alt=" m " /> is a number of variables and <img src="https://tex.s2cms.ru/svg/n" alt="n" /> is a number of constraints in R1CS.</p>
|
||||
<p>Let’s take an assumption that <img src="https://tex.s2cms.ru/svg/%20N%20%3E%20Q%20" alt=" N > Q " />, so a final constraint system will have more multiplication gates that linear constraints. In this case one can propose the following reduction procedure:</p>
|
||||
<ul>
|
||||
<li>Forbid constraints that have a form <img src="https://tex.s2cms.ru/svg/%20A(1)%20%2B%20A(1)%20%2B%20...%20" alt=" A(1) + A(1) + ... " />, basically require a deduplication step.</li>
|
||||
<li>Each constraints may have one variable of flavors <img src="https://tex.s2cms.ru/svg/%20A%20" alt=" A " />, <img src="https://tex.s2cms.ru/svg/%20B%20" alt=" B " /> and <img src="https://tex.s2cms.ru/svg/%20C%20" alt=" C " /> to ensure that <img src="https://tex.s2cms.ru/svg/%20M_%7Bq%2Ci%7D%20" alt=" M_{q,i} " /> has only one coefficient for variable of each kind. In this case it can already be decomposed at three matrixes <img src="https://tex.s2cms.ru/svg/%20J_%7Bq%2Ci%7D%5E%7Bj%7D%20" alt=" J_{q,i}^{j} " />.</li>
|
||||
<li>Every constraint that breaks this rule will give raise to a new linear constraint(s) and new multiplication gate(s).</li>
|
||||
<li>Final constraints can NOT have zero coefficients in front of any flavor of variables, otherwise a permutation argument can not be made (it’s a necessary assumption for grand product argument).</li>
|
||||
<li>Reduction itself is not trivial! Let’s do it step by step.</li>
|
||||
<li>Constraint where <img src="https://tex.s2cms.ru/svg/%20NumVar(A)%20%3E%20NumVars(B)%20%3E%20NumVars(C)" alt=" NumVar(A) > NumVars(B) > NumVars(C)" />, so in a linear term number of contributions from variables of flavor <img src="https://tex.s2cms.ru/svg/A" alt="A" /> is greater than from flavor <img src="https://tex.s2cms.ru/svg/B" alt="B" />, that is in term is greater than for a flavor <img src="https://tex.s2cms.ru/svg/C" alt="C" />. In this case one can reduce <img src="https://tex.s2cms.ru/svg/%20NumVar(A)" alt=" NumVar(A)" /> and <img src="https://tex.s2cms.ru/svg/%20NumVars(B)" alt=" NumVars(B)" /> by one, and increase <img src="https://tex.s2cms.ru/svg/%20NumVar(C)" alt=" NumVar(C)" /> by one, through the introduction of a constraint <img src="https://tex.s2cms.ru/svg/%20A%20%2B%20B%20-%20C%20%3D%200" alt=" A + B - C = 0" />. This also gives one extra multiplication gate. One can continue this procedure until there is a linear constraint in one of the following forms:
|
||||
<ul>
|
||||
<li><img src="https://tex.s2cms.ru/svg/%20A%20%2B%20B%20%2B%20C%20%3D%200" alt=" A + B + C = 0" />, then reduction is over</li>
|
||||
<li><img src="https://tex.s2cms.ru/svg/%20A%20%2B%20B%20%3D%200" alt=" A + B = 0" />.</li>
|
||||
<li><img src="https://tex.s2cms.ru/svg/%20A%20%3D%200%20" alt=" A = 0 " /> (this in a case of public inputs also)</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li><img src="https://tex.s2cms.ru/svg/%20A%20%2B%20B%20%3D%200" alt=" A + B = 0" /> allows to try to make a constraint system in the form <img src="https://tex.s2cms.ru/svg/%20A(1)%20%2B%20B(1)%20-%20C(2)%20%3D%200" alt=" A(1) + B(1) - C(2) = 0" />, <img src="https://tex.s2cms.ru/svg/%20A(1)%20%2B%20B(1)%20%2B%20C(2)%20%3D%200" alt=" A(1) + B(1) + C(2) = 0" /> with those two constraints going into the different <img src="https://tex.s2cms.ru/svg/%20J_%7Bq%2Ci%7D%5E%7Bj%7D%20" alt=" J_{q,i}^{j} " />.</li>
|
||||
<li><img src="https://tex.s2cms.ru/svg/%20A%20%3D%200%20" alt=" A = 0 " /> if inflated into constraints <img src="https://tex.s2cms.ru/svg/A(1)%20%2B%20B(2)%20-%20C(2)%20%3D%200" alt="A(1) + B(2) - C(2) = 0" />, <img src="https://tex.s2cms.ru/svg/A(1)%20-%20B(2)%20%2B%20C(2)%20%3D%200" alt="A(1) - B(2) + C(2) = 0" /> (TODO: check the prefactors).</li>
|
||||
<li>To have <img src="https://tex.s2cms.ru/svg/j%20%3D%203" alt="j = 3" /> one can not allow any variable of any flavor to happen more than 3 times in all the linear constraints. Otherwise for any permutation <img src="https://tex.s2cms.ru/svg/%5Csigma%5E%7Bj%7D(i)" alt="\sigma^{j}(i)" /> one can not "choose" a corresponding linear constraint index.</li>
|
||||
</ul>
|
||||
<p>Now this "simple" list of rules can be implemented :)</p>
|
@ -214,6 +214,7 @@ pub fn create_aggregate_on_srs_using_information<E: Engine, C: Circuit<E>, S: Sy
|
||||
let mut poly_positive = vec![E::Fr::zero(); 2*n];
|
||||
let mut expected_value = E::Fr::zero();
|
||||
|
||||
// TODO: this part can be further parallelized due to synthesis of S(X, y) being singlethreaded
|
||||
for (y, c_opening) in y_values.iter().zip(c_openings.iter()) {
|
||||
// Compute s(X, y_i)
|
||||
let (s_poly_negative, s_poly_positive) = {
|
||||
|
Loading…
Reference in New Issue
Block a user