tl;dr: A list of (related) works on inner-product arguments.
Bootle et al.1
Bootle et al. 1 introduce a logarithmic-sized inner-product argument and use it to build a transparent, logarithmic-sized zero-knowledge argument for arithmetic circuit satisfiability in the discrete log setting. Both the prover and the verifier time are linear.
The first idea behind Bootle et al. is to evenly-split $\u$ and $\v$ into left and right halves:
\begin{align}
\u &= \u_L || \u_R \\
\v &= \v_L || \v_R\\
\end{align}
The second ideas is to pick a random challenge $x$ and fold $\u$ and $\v$ as:
\begin{align}
\u’ &= x\u_L +\u_R \\
\v’ &= x^{-1}\v_L + \v_R\\
\end{align}
This way:
\begin{align}
\langle \u’, \v’ \rangle
&= \langle x\cdot \u_L + \u_R,\ x^{-1}\v_L + \v_R \rangle\\
&= \langle x\cdot \u_L,\ x^{-1}\v_L + \v_R \rangle + \langle \u_R,\ x^{-1}\v_L + \v_R \rangle\\
&= \langle x\cdot \u_L,\ x^{-1}\v_L \rangle + \langle x\cdot \u_L,\ \v_R \rangle + \langle \u_R,\ x^{-1}\v_L \rangle + \langle \u_R,\ \v_R \rangle\\
&= x\cdot x^{-1}\langle \u_L,\ \v_L \rangle + x\langle \u_L,\ \v_R \rangle + x^{-1}\langle \u_R,\ \v_L \rangle + \langle \u_R,\ \v_R \rangle\\
&= \underbrace{\langle \u_L, \v_L \rangle + \langle \u_R, \v_R \rangle}_{\langle \u, \v \rangle} + x\langle \u_L, \v_R \rangle + x^{-1}\langle \u_R, \v_L \rangle\\
&= \langle \u, \v \rangle + x\langle \u_L, \v_R \rangle + x^{-1}\langle \u_R, \v_L \rangle
\end{align}
Note that there are these nasty cross terms next to the $\langle \u,\v\rangle$ inner product.
The third idea is to have the prover send (commitments to) $L = \langle \u_R, \v_L \rangle$ and $R = \langle \u_L, \v_R \rangle$ before the challenge $x$ is chosen, and the verifier updates the target to $\langle \u’, \v’ \rangle = x^{-1}L + \langle \u, \v \rangle + xR$.
Related work
- Bünz et al. 2 improve upon the concrete efficiency of Bootle et al.’s inner-product argument1 and use it to get a highly-efficient, transparent, zero-knowledge range proof, known as Bulletproofs.
- They reduce the proof size from $\approx 6\log{n}$ to $\approx 2\log{n}$
- They propose batching techniques for the IPA and thus the ZK range proof
- Linear-map Vector Commitments3 constructs vector commitments with linear-map openings (LVCs).
- They build two pairing-based LVC constructions for inner products (monomial and Lagrange basis), but these are vector commitment schemes that support inner-product openings, not inner-product arguments in the Bootle et al. sense.
- They use existing Inner Pairing Product (IPP) arguments as a building block.
- Lipmaa et al.4 propose a new univariate sumcheck argument called “Count” and use it to build an updatable zk-SNARK called “Vampire.”
- Count is built on top of the existing inner-product commitment scheme5
- The paper doesn’t propose a new IPA, but instead uses inner-product commitments as a tool for the sumcheck.
References
For cited works, see below 👇👇
-
Efficient Zero-Knowledge Arguments for Arithmetic Circuits in the Discrete Log Setting, by Jonathan Bootle and Andrea Cerulli and Pyrros Chaidos and Jens Groth and Christophe Petit, in Cryptology ePrint Archive, Report 2016/263, 2016, [URL] ↩ ↩2 ↩3
-
Bulletproofs: Short Proofs for Confidential Transactions and More, by Benedikt Bünz and Jonathan Bootle and Dan Boneh and Andrew Poelstra and Pieter Wuille and Greg Maxwell, in Cryptology ePrint Archive, Report 2017/1066, 2017, [URL] ↩
-
Linear-map Vector Commitments and their Practical Applications, by Matteo Campanelli and Anca Nitulescu and Carla Rafols and Alexandros Zacharakis and Arantxa Zapico, in Cryptology ePrint Archive, Paper 2022/705, 2022, [URL] ↩
-
Counting Vampires: From Univariate Sumcheck to Updatable ZK-SNARK, by Helger Lipmaa and Janno Siim and Michal Zajac, in Cryptology ePrint Archive, Report 2022/406, 2022, [URL] ↩
-
Block-Wise P-Signatures and Non-interactive Anonymous Credentials with Efficient Attributes, by Izabachène, Malika and Libert, Benoît and Vergnaud, Damien, in Cryptography and Coding, 2011 ↩