From 6c91082960b9277fd9c043ed98a875379708971a Mon Sep 17 00:00:00 2001 From: Sergey Kaunov Date: Sat, 4 Jan 2025 05:35:37 +0300 Subject: [PATCH] Update 2023-07-21-PLONKWHY.md typos in formula and some typesetting --- _posts/2023-07-21-PLONKWHY.md | 31 +++++++++---------------------- 1 file changed, 9 insertions(+), 22 deletions(-) diff --git a/_posts/2023-07-21-PLONKWHY.md b/_posts/2023-07-21-PLONKWHY.md index 111c9f5afaf72..92407aa352dbb 100644 --- a/_posts/2023-07-21-PLONKWHY.md +++ b/_posts/2023-07-21-PLONKWHY.md 
@@ -97,36 +97,23 @@ In Round 1, the left, right & output polynomials are evaluated only at one point We want to combine them into one polynomial $f$ such that if $f$ is 0 at some point, then all of $f_i$'s are also zero at the same point. -Consider the set ${1, z, z^2, z^3}$ +Consider the set ${1, z, z^2, z^3}$. \ This is a linearly independent set. -We can use this set to combine four variables $a_1, a_2, a_3$ & $a_4$ like this +We can use this set to combine four variables $a_1, a_2, a_3, a_4$ like this: $g(Z) = a_1 + a_2 \cdot Z + a_3 \cdot Z^2 + a_4 \cdot Z^3$. -$g(Z) = a1 + a2\cdot Z + a3\cdot Z^2 + a4\cdot Z^3$ +If $g(Z)=0$ at some $Z \ne 0$, then it means $a_1 = a_2 = a_3 = a_4 = 0$ (by the definition of linearly independent set). -If $g(Z)=0$ at some $Z \ne 0$, then it means $a_1 = a_2 = a_3 = a_4 = 0$ (by the definition of a linearly independent set) +So, we can combine the polynomials $f_i$ as $f(X,Z) = f_1(X) + Z \cdot f_2(X) + Z^2 \cdot f_3(X) + Z^3 \cdot f_4(X)$. -So, we can combine the polynomials $f_i$'s as +At some $X = r_1$, let $f_1(r_1) = a_1, f_2(r_1) = a_2, f_3(r_1) = a_3, f_4(r_1) = a_4$. -$f(X,Z) = f1(Z) + Z\cdot f2(x) + Z^2 \cdot f3(X) + Z^3\cdot f4(X)$ +So now $f(X=r_1, Z) = a_1 + a_2 \cdot Z + a_3 \cdot Z^2 + a_4 \cdot Z^3$. -At some $X = r_1$, let +At some random value $r_2$ chosen from $\mathbb F_p$, if $f(X=r_1, Z = r_2) = 0$ then it means $a_1 = a_2 = a_3 = a_4 = 0$; \ +i.e. $f_1(r_1, r_2) =f_2(r_1, r_2) = f_3(r_1, r_2) = f_4(r_1, r_2) = 0$. -$f_1(r_1) = a_1$, $f_2(r_1) = a_2$, $f_3(r_1) = a_3$, $f_4(r_1) = a_4$, - -So now - -$f(X=r_1, X) = a1 + a2\cdot Z + a3\cdot Z^2 + a4\cdot Z^3$ - -At some random value $r_2$ chosen from $\mathbb F_p$, if - -$f(X=r_1, Z = r_2) = 0$ - -then it means $a1 = a2 = a3 = a4 = 0$ - -i.e. 
$f_1(r_1, r_2) =f_2(r_1, r_2) = f_3(r_1, r_2) = f_4(r_1, r_2) = 0$ - -If $f_1$, $f_2$, $f_3$, $f_4$ are all $0$ at some random value $r_2$, then by the Schwartz-Zippel lemma, $f_1$, $f_2$, $f_3$, $f_4$ are all zero polynomials with very high probability because the maximum degree of these polynomials is very, very small as compared to $p$ +If $f_1$, $f_2$, $f_3$, $f_4$ are all $0$ at some random value $r_2$, then by the Schwartz-Zippel lemma, $f_1$, $f_2$, $f_3$, $f_4$ are all zero polynomials with very high probability because the maximum degree of these polynomials is very, very small as compared to $p$. So if we want to test if multiple polynomials are zero polynomials or not, we combine them using a lineraly independent set so we can test them with just one evaluation at a random point rather than testing them separately. Round 3 in the $\mathcal{P} \mathfrak{lon}\mathcal{K}$ paper creates the polynomial $t(X)$ with the linearly independent set $[1, \alpha, \alpha^2]$ to do this. In Round 5, the set $\lbrace 1, v, v^2, v^3, v^4, v^5 \rbrace$ is used to combine several polynomials to form a single opening proof polynomial $W_\zeta(X)$. It may be used at other places also.
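Review bot: The rewritten "i.e." line still gives each $f_i$ two arguments, `$f_1(r_1, r_2) =f_2(r_1, r_2) = ...`, although the lines just above define them as polynomials in $X$ only ($f_1(r_1) = a_1$ and so on). Since this patch already fixes the neighbouring `f1(Z)` and `f(X=r_1, X)` slips, I would change the line to $f_1(r_1) = f_2(r_1) = f_3(r_1) = f_4(r_1) = 0$ and add the missing space after the first `=`.

Three smaller points in the same hunk. The set in `${1, z, z^2, z^3}$` has bare braces, which math mode treats as grouping, so they will not render; the Round 5 sentence further down already uses `\lbrace ... \rbrace`. It also uses lowercase $z$ where $g$ is written in $Z$. Second, the reworded sentence "If $g(Z)=0$ at some $Z \ne 0$, then it means $a_1 = a_2 = a_3 = a_4 = 0$" is stronger than linear independence gives: independence says $g$ is the zero polynomial only when all $a_i$ are zero, while a nonzero $g$ of degree at most 3 can still vanish at up to three points (for example $a_1 = 1$, $a_2 = -1$, $a_3 = a_4 = 0$ gives $g(1) = 0$). Wording it as "at a random $Z$, with high probability" would match the $r_2$ and Schwartz-Zippel sentences that follow; the edit also dropped the article in "definition of a linearly independent set". Third, the context line at the end of the hunk still has "lineraly", which could be fixed in this typo pass.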