diff --git a/src/sonic/S_poly.pdf b/src/sonic/S_poly.pdf deleted file mode 100644 index a3d626e..0000000 Binary files a/src/sonic/S_poly.pdf and /dev/null differ diff --git a/src/sonic/discussion.html b/src/sonic/discussion.html new file mode 100644 index 0000000..abe1c98 --- /dev/null +++ b/src/sonic/discussion.html @@ -0,0 +1,40 @@ +

S polynomial transformation for permutation argument

+

Decomposition

+

Following the original suggestion + s(X, Y) = X^{-N-1}Y^{N} s_{1}(X, Y) - X^{N}s2(X, Y)

+

s_{1}(X,Y) = \sum_{i=1}^{N}u'_{i}(Y) X^{-i+N+1} + \sum_{i=1}^{N}v'_{i}(Y) X^{i+N+1} + \sum_{i=1}^{N}w'_{i}(Y) X^{i+2N+1}

+

s_2(X,Y) is not important for this discussion. s_1(X,Y) is in total a polynomial of degree 3N + 1.

+

u'_{i}(Y) = \sum_{q=1}^{Q} Y^{q} u(q, i)

+

and with a similar form for v'(Y) and w'(Y)

+

u(q, i) by itself is a constant in q-th linear constraint in front of a variable a(i). v(q, i) and w(q, i) have the same meaning for b(i) and c(i).

+

In total s_1(X,Y) can be represented as a large convolution in a form M_{q,i} N^{q} K^{i} where summing is over the same index that is placed up and down. Vectors are N^{q} = [Y, Y^{1}, ..., Y^{Q}] and K^{i} = [X, X^{2}, ..., X^{3N+1}] , so the matrix M_{q,i} is sparse and q-th row is formed by the concatenation of coefficients of u(q, i) , v(q, i) and w(q, i) (i notation is abused). For two multiplication gates (giving variables a(1), a(2),..., c(2)) and a linear constraint 10a(1) - b(1) - c(2) = 0 a first row would look like

+

[10, 0, -1, 0, 0, -1]

+

There are three questions:

+ +

Continuing discussion

+

Implementation of a permutation argument requires to have some diagonal matrix D_{q,i} to first commit to the combination like \sum_{i=1}^{N} d_{i}X^{i}Y^{i} and later make a permutation argument to prove evaluation of \sum_{i=1}^{N} d_{\sigma(i)}X^{i}Y^{\sigma(i)} for a fixed permutation \sigma(i) .

+

In principle such requirement means that decomposition of our M_{q,i} matrix into the sum of j matrixes (let’s call them J_{q,i}^{j} should have only a single coefficient in every row, so one can define a proper diagonal D_{q,i}^{j}. Such decomposition and reduction needs to be done only once per circuit, cause D_{q,i}^{j} and corresponding \sigma^{j}(i) will become fixed as a part of the specialized common reference.

+

One can not directly guess how many linear constraints and multiplication gates will be in a system. For example, trivial (w/o optimizing run, as given in the original SONICs implementation) reduction of R1CS will have number of multiplication gates equal to the m/2 + n where m is a number of variables and n is a number of constraints in R1CS.

+

Let’s take an assumption that N > Q , so a final constraint system will have more multiplication gates that linear constraints. In this case one can propose the following reduction procedure:

+ +

Now this "simple" list of rules can be implemented :)

diff --git a/src/sonic/helped/helper.rs b/src/sonic/helped/helper.rs index f8823e7..b755a36 100644 --- a/src/sonic/helped/helper.rs +++ b/src/sonic/helped/helper.rs @@ -214,6 +214,7 @@ pub fn create_aggregate_on_srs_using_information, S: Sy let mut poly_positive = vec![E::Fr::zero(); 2*n]; let mut expected_value = E::Fr::zero(); + // TODO: this part can be further parallelized due to synthesis of S(X, y) being singlethreaded for (y, c_opening) in y_values.iter().zip(c_openings.iter()) { // Compute s(X, y_i) let (s_poly_negative, s_poly_positive) = {