diff --git a/gemini/Gemini-PCS-1.md b/gemini/Gemini-PCS-1.md index 8a3dc6f..a8c8b72 100644 --- a/gemini/Gemini-PCS-1.md +++ b/gemini/Gemini-PCS-1.md @@ -234,7 +234,7 @@ Therefore, to compile the IOP protocol, we only need to commit to the polynomial **Degree Bound Proof:** To prove $deg(f)\leq d$ - The prover provides $[f(\tau)]_1$ and additionally sends $[\tau^{D-d}\cdot f(\tau)]_1$ to the verifier -- The verifier checks the equation $e([f(\tau)]_1, [1]_2) = e([\tau^{D-d}\cdot f(\tau)]_1, [\tau^{D-d}]_2)$ +- The verifier checks the equation $e([f(\tau)]_1, [\tau^{D-d}]_2) = e([\tau^{D-d}\cdot f(\tau)]_1, [1]_2)$ **Multi-point Evaluation Proof:** To prove that $f(X)$ is opened as $u_1,u_2,u_3$ at $\beta_1, \beta_2, \beta_3$ @@ -266,7 +266,7 @@ Below we first give the Multi-to-Uni AoK scheme compiled based on KZG: 4. The prover calculates the evaluation proof for each polynomial, where - $[q^{(0)}(\tau)]_1 = \frac{f^{(0)}(\tau)-g^{(0)}(\tau)}{(\tau-\beta)(\tau+\beta)}$ % $f^{(0)}(\beta), f^{(0)}(-\beta)$ - $[q^{(j)}(\tau)]_1 = \frac{f^{(j)}(\tau)-g^{(j)}(\tau)}{(\tau-\beta)(\tau+\beta)(\tau-\beta^2)}$ % $f^{(j)}(\beta), f^{(j)}(-\beta), f^{(j)}(\beta^2), j=1,...,n-1$ -5. The verifier checks: +1. The verifier checks: - The correctness of degree bound proofs $[\tau^{D-N\cdot 2^{-j} + 1}\cdot f^{(j)}(\tau)]_1, j = 0,\ldots n-1$ for $f^{(0)},...,f^{(n-1)}$ - The correctness of multi-point evaluation proofs $[q^{(0)}(\tau)]_1,\ldots [q^{(n-1)}(\tau)]_1$ for $f^{(0)},...,f^{(n-1)}$ - The correctness of split-and-fold relations, i.e., for $j = 0,...,n-1$, whether the following equation holds: diff --git a/gemini/Gemini-PCS-1.zh.md b/gemini/Gemini-PCS-1.zh.md index a64c2d8..375bf86 100644 --- a/gemini/Gemini-PCS-1.zh.md +++ b/gemini/Gemini-PCS-1.zh.md @@ -166,7 +166,7 @@ $$ # 多元到一元转换 -在介绍多元到一元转换的协议的之前,我们再深入分析一下 tensor product 协议中隐藏的一些原理。虽然 tensor product 协议的目标时证明一个多元多项式的取值,但除了输入多元多项式的系数向量以外,协议中涉及的多项式均为一元的。 +在介绍多元到一元转换的协议的之前,我们再深入分析一下 tensor product 协议中隐藏的一些原理。虽然 tensor product 协议的目标是证明一个多元多项式的取值,但除了输入多元多项式的系数向量以外,协议中涉及的多项式均为一元的。 我们不妨将 Split-and-fold 过程用一元多项式写出来: @@ -234,7 +234,7 @@ $$ **Degree Bound 证明:** 为了证明 $deg(f)\leq d$ - 证明者提供 $[f(\tau)]_1$ 并附加上 $[\tau^{D-d}\cdot f(\tau)]_1$ 发送给验证者 -- 验证者检查等式 $e([f(\tau)]_1, [1]_2) = e([\tau^{D-d}\cdot f(\tau)]_1, [\tau^{D-d}]_2)$ +- 验证者检查等式 $e([f(\tau)]_1, [\tau^{D-d}]_2) = e([\tau^{D-d}\cdot f(\tau)]_1, [1]_2)$ **多点求值证明:**为了证明 $f(X)$ 在 $\beta_1, \beta_2, \beta_3$ 公开为 $u_1,u_2,u_3$ diff --git a/gemini/Gemini-PCS-2.md b/gemini/Gemini-PCS-2.md index a103f92..1bbbc42 100644 --- a/gemini/Gemini-PCS-2.md +++ b/gemini/Gemini-PCS-2.md @@ -136,7 +136,7 @@ Obviously, the messages in steps 1 and 3 are probabilistically indistinguishable Next, we only need to show that the tensor product check protocol run by $S$ and $V^*$ in step 4 also satisfies this property. Specifically, because the protocol satisfies soundness, for each oracle $h^{(j)}, j=0,...,n-1$, it satisfies $$ -h^{(j)}(X^2)=\frac{h^{(j-1)}(X)+f^{(j-1)}(-X)}{2} + \rho \cdot \frac{h^{(j-1)}(X)-h^{(j-1)}(-X)}{2X} +h^{(j)}(X^2)=\frac{h^{(j-1)}(X)+h^{(j-1)}(-X)}{2} + \rho \cdot \frac{h^{(j-1)}(X)-h^{(j-1)}(-X)}{2X} $$ Note that for $h^{(j-1)}(X)$ on the right side of the equation, its corresponding oracle also satisfies an equation related to $h^{(j-2)}(X)$. Therefore, we can always expand the right expression satisfied by any $h^{(j)}(X^2)$ into a form that only includes $h^{(0)}(X), h^{(0)}(-X), h^{(0)}(X^2)$. Thus, the response obtained by $V^*$ querying the oracle $h^{(j)}$ at any point $\beta$ must be a linearly independent constraint on $\vec{h}$. diff --git a/gemini/Gemini-PCS-2.zh.md b/gemini/Gemini-PCS-2.zh.md index b6aebcf..cbe1fd3 100644 --- a/gemini/Gemini-PCS-2.zh.md +++ b/gemini/Gemini-PCS-2.zh.md @@ -136,7 +136,7 @@ $$ 接下来,我们只需要说明第4步中运行的 $S$ 与 $V^*$ 运行 tensor product 检查协议同样满足这一性质即可。具体来说,因为协议满足 soundness,对于每一个 oracle $h^{(j)}, j=0,...,n-1$,其满足 $$ -h^{(j)}(X^2)=\frac{h^{(j-1)}(X)+f^{(j-1)}(-X)}{2} + \rho \cdot \frac{h^{(j-1)}(X)-h^{(j-1)}(-X)}{2X} +h^{(j)}(X^2)=\frac{h^{(j-1)}(X)+h^{(j-1)}(-X)}{2} + \rho \cdot \frac{h^{(j-1)}(X)-h^{(j-1)}(-X)}{2X} $$ 注意到,对于等式右边的 $h^{(j-1)}(X)$ 它对应的 oracle 同样满足一个与 $h^{(j-2)}(X)$ 相关的等式。因此我们总能够将任意 $h^{(j)}(X^2)$ 所满足的右式展开为一个只包含 $h^{(0)}(X), h^{(0)}(-X), h^{(0)}(X^2)$ 形式。因此 $V^*$ 对 oracle $h^{(j)}$ 在任意点 $\beta$ 上进行问询所得到的回复,一定是一个关于 $\vec{h}$ 的一个线性独立的约束。