Merge pull request #1292 from o1-labs/volhovm/rfc3-cosmetics

Cosmetics on the book/lookups

.gitignore

@@ -25,4 +25,6 @@ _build
 
 *.html
 # If symlink created for kimchi-visu
-tools/srs
+tools/srs
+
+.ignore

book/src/SUMMARY.md

@@ -9,15 +9,15 @@
 - [Rings](./fundamentals/zkbook_rings.md)
 - [Fields](./fundamentals/zkbook.md)
 - [Polynomials](./fundamentals/zkbook_polynomials.md)
-  - [Multiplying polynomials](./fundamentals/zkbook_multiplying_polynomials.md)
-  - [Fast Fourier transform](./fundamentals/zkbook_fft.md)
+  - [Multiplying Polynomials](./fundamentals/zkbook_multiplying_polynomials.md)
+  - [Fast Fourier Transform](./fundamentals/zkbook_fft.md)
 
 # Cryptographic tools
 
 - [Commitments](./fundamentals/zkbook_commitment.md)
-- [Polynomial commitments](./plonk/polynomial_commitments.md)
-  - [Inner product argument](./plonk/inner_product.md)
-  - [Different functionnalities](./plonk/inner_product_api.md)
+- [Polynomial Commitments](./plonk/polynomial_commitments.md)
+  - [Inner Product Argument](./plonk/inner_product.md)
+  - [Different Functionnalities](./plonk/inner_product_api.md)
 - [Two Party Computation](./fundamentals/zkbook_2pc/overview.md)
   - [Garbled Circuits](./fundamentals/zkbook_2pc/gc.md)
     - [Basics](./fundamentals/zkbook_2pc/basics.md)
@@ -45,16 +45,16 @@
 - [Overview](./plonk/overview.md)
 - [Glossary](./plonk/glossary.md)
 - [Domain](./plonk/domain.md)
-- [Lagrange basis in multiplicative subgroups](./plonk/lagrange.md)
-- [Non-interaction with fiat-shamir](./plonk/fiat_shamir.md)
+- [Lagrange Basis in Multiplicative Subgroups](./plonk/lagrange.md)
+- [Non-interaction with Fiat-Shamir](./plonk/fiat_shamir.md)
 - [Plookup](./plonk/plookup.md)
-- [Maller's optimization](./plonk/maller.md)
+- [Maller's Optimization](./plonk/maller.md)
 
 # Kimchi
 
 - [Overview](./kimchi/overview.md)
   - [Arguments](./kimchi/arguments.md)
-    - [Custom gates](./kimchi/gates.md)
+    - [Custom Gates](./kimchi/gates.md)
     - [Permutation](./kimchi/permut.md)
     - [Lookup](./kimchi/lookup.md)
 
@@ -67,20 +67,20 @@
 
 # RFCs
 
-- [RFC 0: Alternative zero-knowledge](./plonk/zkpm.md)
-- [RFC 1: Final check](./plonk/final_check.md)
-- [RFC 2: Maller's optimization for kimchi](./plonk/maller_15.md)
-- [RFC 3: Plookup integration in kimchi](./rfcs/3-lookup.md)
-- [RFC 4: Extended lookup tables](./rfcs/extended-lookup-tables.md)
+- [RFC 0: Alternative Zero-Knowledge](./plonk/zkpm.md)
+- [RFC 1: Final Check](./plonk/final_check.md)
+- [RFC 2: Maller's Optimization for Kimchi](./plonk/maller_15.md)
+- [RFC 3: Plookup Integration in Kimchi](./rfcs/3-lookup.md)
+- [RFC 4: Extended Lookup Tables](./rfcs/extended-lookup-tables.md)
 - [RFC 5: Foreign Field Addition](./rfcs/foreign_field_add.md)
 - [RFC 6: Foreign Field Multiplication](./rfcs/foreign_field_mul.md)
 - [RFC 7: Keccak](./rfcs/keccak.md)
-  
+
 # Specifications
 
 - [Poseidon hash](./specs/poseidon.md)
-- [Polynomial commitment](./specs/poly-commitment.md)
-- [Pasta curves](./specs/pasta.md)
+- [Polynomial Commitment](./specs/poly-commitment.md)
+- [Pasta Curves](./specs/pasta.md)
 - [Kimchi](./specs/kimchi.md)
 - [Universal Reference String (URS)](./specs/urs.md)
 - [Pickles](./specs/pickles.md)

book/src/kimchi/overview.md

@@ -1,11 +1,11 @@
 # Overview
 
-Here we explain how the Kimchi protocol design is translated into the `proof-systems` repository, from a high level perspective, touching briefly on all the involved aspects of cryptography. The concepts that we will be introducing can be studied more thoroughly by accessing the specific sections in the book. 
+Here we explain how the Kimchi protocol design is translated into the `proof-systems` repository, from a high level perspective, touching briefly on all the involved aspects of cryptography. The concepts that we will be introducing can be studied more thoroughly by accessing the specific sections in the book.
 
-In brief, the Kimchi protocol requires three different types of arguments `Argument`: 
-- **Custom gates:** they correspond to each of the specific functions performed by the circuit, which are represented by gate constraints. 
+In brief, the Kimchi protocol requires three different types of arguments `Argument`:
+- **Custom gates:** they correspond to each of the specific functions performed by the circuit, which are represented by gate constraints.
 - **Permutation:** the equality between different cells is constrained by copy constraints, which are represented by a permutation argument. It represents the wiring between gates, the connections from/to inputs and outputs.
-- **Lookup tables:** for efficiency reasons, some public information can be stored by both parties (prover and verifier) instead of wired in the circuit. Examples of these are boolean functions. 
+- **Lookup tables:** for efficiency reasons, some public information can be stored by both parties (prover and verifier) instead of wired in the circuit. Examples of these are boolean functions.
 
 All of these arguments are translated into equations that must hold for a correct witness for the full relation. Equivalently, this is to say that a number of expressions need to evaluate to zero on a certain set of numbers. So there are two problems to tackle here:
 
@@ -24,31 +24,31 @@ $$q(X) := \frac{p(X)}{v_S(X)}$$
 
 And still, where's the hype? If you can provide such a quotient polynomial, one could easily check that if $q(a) = p(a) / v_S(a)$ for a random number $a\in\mathbb{F}$ \ $S$ (recall you will check in a point out of the set, otherwise you would get a $0/0$), then with very high probability that would mean that actually $p(X) = q(X) \cdot v_S(X)$, meaning that $p(X)$ vanishes on the whole set $S$, with **just one point**!
 
-Let's take a deeper look into the _"magic"_ going on here. First, what do we mean by _high probability_? Is this even good enough? And the answer to this question is: as good as you want it to be. 
+Let's take a deeper look into the _"magic"_ going on here. First, what do we mean by _high probability_? Is this even good enough? And the answer to this question is: as good as you want it to be.
 
 **First** we analyse the math in this check. If the polynomial form of $p(X) = q(X) \cdot v_S(X)$ actually holds, then of course for any possible $a\in\mathbb{F}$ \ $S$ the check $p(a) =_? q(a) \cdot v_S(a)$ will hold. But is there any unlucky instantiation of the point $a$ such that $p(a) = q(a) \cdot v_S(a)$ but $p(X) \neq q(X) \cdot v_S(X)$? And the answer is, yes, there are, BUT not many. But how many? How unlikely this is? You already know the answer to this: **Schwartz-Zippel**. Recalling this lemma:
 
-> Given two different polynomials $f(X)$ and $g(X)$ of degree $d$, they can at most intersect (i.e. _coincide_) in $d$ points. Or what's equivalent, let $h(X) := f(X) - g(X)$, the polynomial $h(X)$ can only evaluate to $0$ in at most $d$ points (its roots). 
+> Given two different polynomials $f(X)$ and $g(X)$ of degree $d$, they can at most intersect (i.e. _coincide_) in $d$ points. Or what's equivalent, let $h(X) := f(X) - g(X)$, the polynomial $h(X)$ can only evaluate to $0$ in at most $d$ points (its roots).
 
 Thus, if we interchange $p(X) \rightarrow f(X)$ and $q(X)\cdot v_S(X) \rightarrow g(X)$, both of degree $d$, there are at most $\frac{d}{|\mathbb{F}- S|}$ unlucky points of $a$ that could trick you into thinking that $p(X)$ was a multiple of the vanishing polynomial (and thus being equal to zero on all of $S$). So, how can you make this error probability negligible? By having a field size that is big enough (the formal definition says that the inverse of its size should decrease faster than any polynomial expression). Since we are working with fields of size $2^{255}$, we are safe on this side!
 
 **Second**, is this really faster than checking that $p(x)=0$ for all $x\in S$ ? At the end of the day, it seems like we need to evaluate $v_S(a)$, and since this is a degree $|S|$ polynomial it looks like we are still performing about the same order of computations. But here comes math again. _In practice_, we want to define this set $S$ to have a _nice structure_ that allows us to perform some computations more efficiently than with arbitrary sets of numbers. Indeed, this set will normally be a **multiplicative group** (normally represented as $\mathbb{G}$ or $\mathbb{H}$), because in such groups the vanishing polynomial $v_\mathbb{G}(X):=\prod_{\omega\in\mathbb{G}}(X-\omega)$ has an efficient representation $v_\mathbb{G}(X)=X^{|\mathbb{G}|}-1$, which is much faster to evaluate than the above product.
 
-**Third**, we may want to understand what happens with the evaluation of $p(a)$ instead. Since this is a degree $d ≥ |\mathbb{G}|$, it may look like this will as well take a lot of effort. But here's where cryptography comes into play, since the verifier will _never_ get to evaluate the actual polynomial by themselves. Various reasons why. One, if the verifier had access to the full polynomial $p(X)$, then the prover should have sent it along with the proof, which would require $d+1$ coefficients to be represented (and this is no longer succinct for a SNARK). Two, this polynomial could carry some secret information, and if the verifier could recompute evaluations of it, they could learn some private data by evaluating on specific points. So instead, these evaluations will be a "mental game" thanks to **polynomial commitments** and **proofs of evaluation** sent by the prover (for whom a computation in the order of $d$ is not only acceptable, but necessary). The actual proof length will depend heavily on the type of polynomial commitments we are using. For example, in Kate-like commitments, committing to a polynomial takes a constant number of group elements (normally one), whereas in Bootleproof it is logarithmic. But in any case this will be shorter than sending $O(d)$ elements. 
+**Third**, we may want to understand what happens with the evaluation of $p(a)$ instead. Since this is a degree $d ≥ |\mathbb{G}|$, it may look like this will as well take a lot of effort. But here's where cryptography comes into play, since the verifier will _never_ get to evaluate the actual polynomial by themselves. Various reasons why. One, if the verifier had access to the full polynomial $p(X)$, then the prover should have sent it along with the proof, which would require $d+1$ coefficients to be represented (and this is no longer succinct for a SNARK). Two, this polynomial could carry some secret information, and if the verifier could recompute evaluations of it, they could learn some private data by evaluating on specific points. So instead, these evaluations will be a "mental game" thanks to **polynomial commitments** and **proofs of evaluation** sent by the prover (for whom a computation in the order of $d$ is not only acceptable, but necessary). The actual proof length will depend heavily on the type of polynomial commitments we are using. For example, in Kate-like commitments, committing to a polynomial takes a constant number of group elements (normally one), whereas in Bootleproof it is logarithmic. But in any case this will be shorter than sending $O(d)$ elements.
 
 
 ### Aggregation
 
-So far we have seen how to check that a polynomial equals zero on all of $\mathbb{G}$, with just a single point. This is somehow an aggregation _per se_. But we are left to analyse how we can prove such a thing, for many polynomials. Altogether, if they hold, this will mean that the polynomials encode a correct witness and the relation would be satisfied.  These checks can be performed one by one (checking that each of the quotients are indeed correct), or using an efficient aggregation mechanism and checking only **one longer equation at once**. 
+So far we have seen how to check that a polynomial equals zero on all of $\mathbb{G}$, with just a single point. This is somehow an aggregation _per se_. But we are left to analyse how we can prove such a thing, for many polynomials. Altogether, if they hold, this will mean that the polynomials encode a correct witness and the relation would be satisfied.  These checks can be performed one by one (checking that each of the quotients are indeed correct), or using an efficient aggregation mechanism and checking only **one longer equation at once**.
 
 So what is the simplest way one could think of to perform this one-time check? Perhaps one could come up with the idea of adding up all of the equations $p_0(X),...,p_n(X)$ into a longer one $\sum_{i=0}^{n} p_i(X)$. But by doing this, we may be cancelling out terms and we could get an incorrect statemement.
 
 So instead, we can multiply each term in the sum by a random number. The reason why this trick works is the independence between random numbers. That is, if two different polynomials $f(X)$ and $g(X)$ are both equal to zero on a given $X=x$, then with very high probability the same $x$ will be a root of the random combination $\alpha\cdot f(x) + \beta\cdot g(x) = 0$. If applied to the whole statement, we could transform the $n$ equations into a single equation,
 
-$$\bigwedge_{i_n} p_i(X) =_? 0 \iff_{w.h.p.} \sum_{i=0}^{n} \rho_i \cdot p_i(X) =_? 0 $$
+$$\bigwedge_{i_n} p_i(X) \stackrel{?}{=} 0 \text{\quad iff w.h.p. \quad} \sum_{i=0}^{n} \rho_i \cdot p_i(X) \stackrel{?}{=} 0$$
 
-This sounds great so far. But we are forgetting about an important part of proof systems which is proof length. For the above claim to be sound, the random values used for aggregation should be verifier-chosen, or at least prover-independent. So if the verifier had to communicate with the prover to inform about the random values being used, we would get an overhead of $n$ field elements. 
+This sounds great so far. But we are forgetting about an important part of proof systems which is proof length. For the above claim to be sound, the random values used for aggregation should be verifier-chosen, or at least prover-independent. So if the verifier had to communicate with the prover to inform about the random values being used, we would get an overhead of $n$ field elements.
 
 Instead, we take advantage of another technique that is called **powers-of-alpha**. Here, we make the assumption that powers of a random value $\alpha^i$ are indistinguishable from actual random values $\rho_i$. Then, we can twist the above claim to use only one random element $\alpha$ to be agreed with the prover as:
 
-$$\bigwedge_{i_n} p_i(X) =_? 0 \iff_{w.h.p.} \sum_{i=0}^{n} \alpha^i \cdot p_i(X) =_? 0 $$
+$$\bigwedge_{i_n} p_i(X) \stackrel{?}{=} 0 \text{\quad iff w.h.p. \quad} \sum_{i=0}^{n} \alpha^i \cdot p_i(X) \stackrel{?}{=} 0$$