Changes from September 20 meeting #35
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Collaborator
daira
commented
Sep 20, 2024
daira
commented
- Define shortcut
$[i, j]$ notation and use it consistently. - Clarifications to the definition of a correctness-preserving translation.
- Make notation in the definition of
$\mathcal{R}_{\mathsf{concrete}}$ more consistent. - Move explanations of the FIND_ROW_MAPPING algorithm to its definition.
- Complete the (informal) proof for FIND_ROW_MAPPING.
Signed-off-by: Daira-Emma Hopwood <[email protected]>
…ion. Signed-off-by: Daira-Emma Hopwood <[email protected]>
…more consistent. Co-authored-by: Mary Maller <[email protected]> Co-authored-by: Jack Grigg <[email protected]> Signed-off-by: Daira-Emma Hopwood <[email protected]>
Co-authored-by: Mary Maller <[email protected]> Co-authored-by: Jack Grigg <[email protected]> Signed-off-by: Daira-Emma Hopwood <[email protected]>
daira
commented
Sep 20, 2024
| * Completeness is preserved: given a satisfying instance $x$ and witness $w$ for the abstract circuit, $w' = \mathcal{F}(w)$ is a satisfying witness for the concrete circuit with instance $\mathcal{I}(x)$. | ||
| * Knowledge soundness is preserved: given a satisfying instance $x'$ and witness $w'$ for the concrete circuit, we can efficiently compute some satisfying witness $w$ for the abstract circuit with instance $\mathcal{I}^{-1}(x')$. | ||
|
|
||
| We also claim that a correctness-preserving translation in this sense, when used with a concrete proof system that is zero-knowledge, necessarily yields an overall proof system for the abstract relation that is zero-knowledge. That is, informally, no additional information about the abstract witness is revealed beyond the fact that the prover knows such a witness. | ||
|
|
||
| > Aside: we could have required there to be an efficient reverse witness translation function $\mathcal{F}' \mathrel{⦂} \mathbb{F}^{m' \times n'} \rightarrow \mathbb{F}^{m \times n}$ from concrete witnesses to abstract witnesses, and then used $w = \mathcal{F}'(w')$ in the definition of knowledge soundness preservation. We do not take that approach because strictly speaking it would be an overspecification: we do not need the satisfying abstract witness to be *deterministically* and efficiently computable from the concrete witness; we only need it to be efficiently computable. Also, in general $w$ could also depend on the instance $x'$, not just $w'$. In practice, specifying such a function $\mathcal{F}'$ is likely to be the easiest way to prove knowledge soundness preservation. |
There was a problem hiding this comment.
I'm open to just requiring this to be a deterministic function
Co-authored-by: Mary Maller <[email protected]> Co-authored-by: Jack Grigg <[email protected]> Signed-off-by: Daira-Emma Hopwood <[email protected]>
daira
force-pushed
the
meeting-september-20
branch
from
60f11a6
to
e82162f
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.