zkStudyClub - cqlin: Efficient linear operations on KZG commitments

cqlin
New Applications for Universal, Pairing Based SNARKs
with Preprocessing
Liam Eagen
Blockstream Research
June 2, 2023
Liam Eagen (Blockstream Research) cqlin June 2, 2023 1 / 17

Motivation
Lin-check problem is ubiquitous in SNARKs

Motivation
Many approaches linear in sparsity (number of non-zero entries) of
matrix

Motivation
matrix
This is O(n2) for dense matrices

Motivation
matrix
Dense matrix multiplication useful in zkML

Motivation
matrix
Dense matrix multiplication useful in zkML
Prior work [GKMMM] implies O(n) lin-check protocol
▶ Special SRS depends on the size of the matrix
▶ Has O(n3
) setup time

Why Pairings and Preprocessing?
Ariel’s SNARK trilogy (zkSummit 9/Zero Knowledge Podcast ep.
274)

274)
1 Pairings get succinctness without PCP, need per-circuit trusted setup

274)
2 Polynomial commitment schemes abstract pairing, universal trusted
setup

274)
setup
3 Pairing with preprocessing breaks PCS abstraction for more power in
particular applications, e.g. lookup arguments

274)
setup
What other applications benefit from pairings and preprocessing?

274)
setup
What other applications benefit from pairings and preprocessing?
cqlin!

Preliminaries
Fix a pairing friendly curve

Preliminaries
Commit to polynomials using KZG, write [F(x)] for commitment to
polynomial F(X)

Preliminaries
polynomial F(X)
Prove F(a) = b by proving Q(X) = (F(X) − b)/(X − a) is a
polynomial

Preliminaries
polynomial F(X)
polynomial
More generally for Z(X) =
Q
i (X − ai ), F(ai ) = G(ai ) iff
F(X) = G(X) mod Z(X)

Preliminaries
polynomial F(X)
polynomial
More generally for Z(X) =
Q
i (X − ai ), F(ai ) = G(ai ) iff
F(X) = G(X) mod Z(X)
Equivalently, if there exists a polynomial
Q(X) = (F(X) − G(X))/Z(X)

Preliminaries
Let ω be a root of unity or order N

Preliminaries
Lagrange polynomials Li (ωj ) = δi,j

Preliminaries
Encode vector ⃗
v ∈ FN as F(ωi ) = vi

Preliminaries
Encode vector ⃗
Equivalently F(X) =
P
i∈[n] vi Li (X)

Preliminaries
Encode vector ⃗
Equivalently F(X) =
P
i∈[n] vi Li (X)
If deg F(X) < N, then F(0) =
P
i∈[N] F(ωi ) [Aurora]

Sparse Commitments
What is a Sparse Commitment?

Sparse Commitments
Let P(X) be a degree d polynomial
In general, committing to [P(x)] requires d scalar multiplications

Sparse Commitments
Sometimes, P(X) is sparse with respect to some basis Bi (X) of
n ≤ d polynomials

Sparse Commitments
n ≤ d polynomials
That is P(X) =
P
i∈[n] fi Bi (X) where at most k values of fi are
non-zero and k << d

Sparse Commitments
n ≤ d polynomials
That is P(X) =
P
non-zero and k << d
When P(X) is k, Bi (X) sparse, we can compute a commitment to
P(X) in O(k) time given precomputed commitments to Bi (X)

Sparse Commitments
n ≤ d polynomials
That is P(X) =
P
non-zero and k << d
P(X) =
P
i∈[n] ki [Bi (x)]

Sparse Commitments
n ≤ d polynomials
That is P(X) =
P
non-zero and k << d
P(X) =
P
i∈[n] ki [Bi (x)]
Sparsity is linear: if P(X) is Bi (X) sparse, then P(X)F(X) is
Bi (X)F(X) sparse

Sparse Commitments: Simple Examples
Assume P(X) is Bi (X) sparse

1 Degree Checks

1 Degree Checks
1 Suppose want to show deg P(X) = d, but SRS has degree N

1 Degree Checks
2 Precompute Di = [xN−d
Bi (x)]

1 Degree Checks
Bi (x)]
3 Prover can compute D =
P
i∈[n] fi Di in O(k) time
4 Verifier checks e([P(x)], [xN−d
]) = e(D, [1])

1 Degree Checks
Bi (x)]
P
]) = e(D, [1])
2 Opening at fixed value

1 Degree Checks
Bi (x)]
P
]) = e(D, [1])
1 Suppose prover wants to open P(0) = c, for example as part of
sum-check

1 Degree Checks
Bi (x)]
P
]) = e(D, [1])
sum-check
2 Precompute Zi = [Bi (x) − Bi (0)/x]

1 Degree Checks
Bi (x)]
P
]) = e(D, [1])
sum-check
2 Precompute Zi = [Bi (x) − Bi (0)/x]
3 Prover can compute Z =
P
i∈[n] fi Zi in O(k) time
4 Verifier checks e([P(x)] − c[1], [1]) = e(Z, [x])

Sparse Commitments: cq and Lookup Arguments
Sparse commitments are a key part of lookup arguments [Caulk,etc.]
especially cq

especially cq
Given T(X) encoding a table ⃗
t ∈ FN, want to prove T(ωi ) = v for
some i

especially cq
some i
Let A(X) be n Lagrange sparse and B(X) and Q(X) satisfy
T(X)A(X) = B(X) + (XN − 1)Q(X)

especially cq
some i
T(X)A(X) = B(X) + (XN − 1)Q(X)
T(ωi )A(ωi ) = B(ωi ), so B(X) is also n Lagrange sparse

especially cq
some i
T(X)A(X) = B(X) + (XN − 1)Q(X)
Q(X) is n sparse wrt to the basis Qi (X) such that
T(X)Li (X) = ti Li (X) + (XN − 1)Qi (X)

especially cq
some i
T(X)A(X) = B(X) + (XN − 1)Q(X)
Can compute all [Qi (x)] in O(N log N) time using FK technique

especially cq
some i
T(X)A(X) = B(X) + (XN − 1)Q(X)
Can commit to [A(x)], [B(x)], and [Q(x)] in O(n) scalar
multiplications

especially cq
some i
T(X)A(X) = B(X) + (XN − 1)Q(X)
Can commit to [A(x)], [B(x)], and [Q(x)] in O(n) scalar
multiplications
cq defines A(X) and B(X) to encode log derivative lookup [BP++,
MVLookup]

Lin-Check
Fix n × n matrix M

Lin-Check
Fix n × n matrix M
Given commitments to vectors ⃗
a and ⃗
b show M⃗
a = ⃗
b

Lin-Check
Fix n × n matrix M
a and ⃗
b show M⃗
a = ⃗
b
Goal: do this in O(n) group and scalar operations

Lin-Check
Fix n × n matrix M
a and ⃗
b show M⃗
a = ⃗
b
How?

Lin-Check
Fix n × n matrix M
a and ⃗
b show M⃗
a = ⃗
b
How?
1 State M⃗
a = ⃗
b in terms of (bivariate) polynomials

Lin-Check
Fix n × n matrix M
a and ⃗
b show M⃗
a = ⃗
b
How?
1 State M⃗
a = ⃗
2 Use a pairing to perform M⃗
a as polynomial multiplication

Lin-Check
Fix n × n matrix M
a and ⃗
b show M⃗
a = ⃗
b
How?
1 State M⃗
a = ⃗
3 Exploit the fact M is fixed and precompute quotients

Lin-Check
Fix n × n matrix M
a and ⃗
b show M⃗
a = ⃗
b
How?
1 State M⃗
a = ⃗
4 Find a sparse basis for all commitments

Lin-Check
Fix n × n matrix M
a and ⃗
b show M⃗
a = ⃗
b
How?
1 State M⃗
a = ⃗
5 Commit to everything in O(n) group scalar multiplications

Lin-Check
Fix n × n matrix M
a and ⃗
b show M⃗
a = ⃗
b
How?
1 State M⃗
a = ⃗
5 Commit to everything in O(n) group scalar multiplications
6 Reduce bivariate form to univariate form

Encode into Polynomials
Recall: M⃗
a =
P
i∈[n] ai ⃗
ci where ⃗
ci the columns of M

Recall: M⃗
a =
P
i∈[n] ai ⃗
ci where ⃗
ci the columns of M
Encode ⃗
b and ⃗
ci pointwise as polynomials B(X) and Ci (X)

Recall: M⃗
a =
P
i∈[n] ai ⃗
ci where ⃗
ci the columns of M
Encode ⃗
b and ⃗
Now: M⃗
a = ⃗
b iff
P
i∈[n] ai Ci (X) = B(X)

Recall: M⃗
a =
P
i∈[n] ai ⃗
ci where ⃗
ci the columns of M
Encode ⃗
b and ⃗
Now: M⃗
a = ⃗
b iff
P
M is a vector of vectors, so we can encode into bivariate M(X, Y )
such that M(X, ωi ) = Ci (X)

Recall: M⃗
a =
P
i∈[n] ai ⃗
ci where ⃗
ci the columns of M
Encode ⃗
b and ⃗
Now: M⃗
a = ⃗
b iff
P
Encode ⃗
a as polynomial A(Y )

Recall: M⃗
a =
P
i∈[n] ai ⃗
ci where ⃗
ci the columns of M
Encode ⃗
b and ⃗
Now: M⃗
a = ⃗
b iff
P
Encode ⃗
a as polynomial A(Y )
Now: M⃗
a = ⃗
b iff
P
i∈[n] A(ωi )M(X, ωi ) = B(X)

Encode into Polynomials (cont.)
Let R(X, ωi ) = M(X, ωi )A(ωi ) = ai Ci (X)

Which means R(X, Y ) = M(X, Y )A(Y ) mod Y n − 1

Which means R(X, Y ) = M(X, Y )A(Y ) + (Y n − 1)Q(X, Y )

Now: M⃗
a = ⃗
b iff
1 R(X, Y ) = M(X, Y )A(Y ) + (Y n
− 1)Q(X, Y )
2
P
i∈[n] R(X, ωi
) = B(X)
3 degY R(X, Y ) < n, etc.

Now: M⃗
a = ⃗
b iff
1 R(X, Y ) = M(X, Y )A(Y ) + (Y n
− 1)Q(X, Y )
2
P
i∈[n] R(X, ωi
) = B(X)
3 degY R(X, Y ) < n, etc.
Sum-check equivalent to R(X, 0) = B(X)

Proving in Linear Time
Want to construct [A(y)], [B(x)], [R(x, y)], and [Q(x, y)] in O(n)
time

time
Need to find basis for each that is n sparse

time
Commitments to A(Y ) and B(X) are easy given [Li (x)] and [Li (y)]

time
Degree checks are also easy

time
Can compute [R(x, y)] =
P
i∈[n] ai [Li (y)Ci (x)] in O(n) scalar
multiplications given precomputed [Li (y)Ci (x)]

time
P
The sum check can be computed in O(n) time using KZG openings
of Li (Y )Ci (X) at Y = 0

time
P
How to compute Q(X, Y )? Use the cq technique

time
P
Define Qi (X, Y ) such that
Ci (X)Li (Y ) = M(X, Y )Li (Y ) + (Y n − 1)Qi (X, Y )

time
P
Define Qi (X, Y ) such that
Ci (X)Li (Y ) = M(X, Y )Li (Y ) + (Y n − 1)Qi (X, Y )
Now [Q(X, Y )] =
P
i∈[n] ai [Qi (x, y)] can be computed in O(n) time

Final touches
Prefer to use a univariate SRS

Final touches
Can make the substitution Y = Xn

Final touches
Prefer to accept the input vector via F(X) that pointwise encodes ⃗
a
rather than A(Y )

Final touches
a
rather than A(Y )
Can check A(α) = F(αn) at a random point in O(n) time

Final touches
a
rather than A(Y )
Can check A(α) = F(αn) at a random point in O(n) time
That’s it! Given O(n) precomputed commitments can prove lin-check
in O(n) time

Future Work
Improvements to cqlin

Future Work
▶ Generalize to other vanishing sets

Future Work
▶ Reduce prover work and/or proof size

Future Work
▶ Improve setup time and SRS size for sparse matrices

Future Work
▶ Improve setup time and SRS size for sparse matrices
Other applications of precomputation and pairings?

Thank You!

Precomputation
Most of the precomputation straightforward
1 Degree checks very simple
2 Openings at zero for Li (X) follow from symmetry
Complicated part: computing Qi (X, Y ) in O(n2) group operations
Solution: use the FK technique on the rows of M(X, Y ) and sum the
results
FK technique
1 Want to compute KZG openings at N roots of unity
2 Write vector of KZG openings as a 2N × 2N circulant matrix times
vector of [xi
]
3 Circulant matrix diagonalizes as FDF−1
where F is the DFT matrix
4 This product computable in
O(N log N) + O(N) + O(N log N) = O(N log N) time
Takes O(n log n) per row, for a total of O(n2 log n)

Precomputation (cont.)
Naive FK takes O(n2 log n) group and field operations
It is possible to exploit the structure of FK to avoid the extra log n
1 Precompute F−1
times vector of [xi
]
2 Compute D multiplication in O(n)
3 The final F multiplication is linear, so first add the results and then do
a single F multiplication
4 Takes O(n2
) + O(n log n) = O(n2
) time.

zkStudyClub - cqlin: Efficient linear operations on KZG commitments

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a zkStudyClub - cqlin: Efficient linear operations on KZG commitments

Similar a zkStudyClub - cqlin: Efficient linear operations on KZG commitments (20)

Más de Alex Pruden

Más de Alex Pruden (12)

Último

Último (20)

zkStudyClub - cqlin: Efficient linear operations on KZG commitments