Conversation
| But for the case $600 = 10 \times 10 \times 6$ - we first ``chunk'' in 10s, then | ||
| again in 10s, leaving only 6 components for the final step. That | ||
| requires revealing $2\times 10-1 = 19$ commitments at each of the two reducing | ||
| requires revealing $2\times (10 - 2) = 18$ commitments at each of the two reducing |
There was a problem hiding this comment.
I guess we can clarify this and the next bit of arithmetic via #19 but also 2 x (10-2) is not 18 :)
There was a problem hiding this comment.
My true (in)ability is exposed!
| final step (each step a halving and a new $L, R$), and in the last step reveal | ||
| scalars for the now single values $a, b$, and the Verifier makes the final | ||
| check that $C^{*} = a^{*}b^{*}G + a^{*}G_1 + b^{*}H_1$, where * indicates the $\log_2n$-th transformed values. | ||
| check that $C^{*} = (a^{*} \cdot b^{*})G + a^{*}G_1 + b^{*}H_1$, where * indicates the $\log_2n$-th transformed values. |
There was a problem hiding this comment.
I believe these are now single values not vectors (as per previous line), so we don't want a dot product here. Admittedly it does look really crappy using a * superscript here, though.
There was a problem hiding this comment.
You're right. When I was first reading this, I thought the protocol could end on vectors of length 2, for which you would need the dot product. I think the number of messages stays the same, but I think I invented that out of thin air.
| \begin{align*} | ||
| & \textbf{H}' = \textbf{y}^{-n}\textbf{H} \\ | ||
| & P = A + xS -zG + \left(z\textbf{y}^n + z^2\textbf{2}^n\right)\textbf{H}' \\ | ||
| & P = A + xS -z\textbf{G} + \left(z\textbf{y}^n + z^2\textbf{2}^n\right)\textbf{H}' \\ |
There was a problem hiding this comment.
z is committed to via a single generator G. Whereas the vector (bolded)G is used as a shorthand. See eqns (2), (3), (4) earlier on.
There was a problem hiding this comment.
I think you might be confusing the inner product proof (which has zG) with the range proof (which has z\vec{G}). We need z\vec{G} to extract a_L and a_R (see "Then consider coefficients of G:").
|
Thanks for this review work :) It's been many years so forgive me if I struggle sometimes to answer/address points here and there :) |
2 participants
These are small errors / oddities that I noticed while going through the document. Great work, by the way.