2- Commitment Phase

The commitment phase contains two parts; AHP commitment and PFR commitment. After reviewing the algorithm, we also provide an example to clarify the method.

Let $\textit{I}_f$ be a functional set that contains triple matrices $i_f=(A,B,C)\in (\mathbb{F}^{n\times n})^3$ so that for all input vector $X$, there exists a unique vector $Y$ and a witness (intermediate) $W$ such that $Az\hspace{1mm} o\hspace{1mm} Bz=Cz$ where $z=(1,X,W,Y)$. Note that a triple of matrices $(A,B,C)\in (\mathbb{F}^{n\times n})^3$ is a functional triple if and only if $A$ and $B$ are $t-$strictly lower triangular matrices $(t-SLT)$ and $C$ is $t$-diagonal matrix $(t-Diag)$. Here, $t=|X|+1$ . The Prover obtains $t-SLT$ matrices $A$, $B$ and $t-Diag$ matrix $C$ for the arithmetic circuit that is a directed acyclic graph of gates and wire inputs where wires carry values from $\mathbb{F}$ and each gate adds or multiplies. This work is done based on the following construction:

1- Initialize three zero square matrices $A, B, C$ over $\mathbb{F}$ of order $n_g +n_i + 1$ where $n_g$ is the number of gates and $n_i$ is the number of inputs. Here, rows and columns of matrices are indexed on $\{0,1,...,n_g+n_i\}$. Here, the gate $i$ is corresponding to tuple $(l_i, r_i, s_i)$ where $l_i$ and $r_i$ are left and right input indices in $z$, respectively where $z$ is indexed on $\{0,1,..,n_g+n_i\}$ and $s_i$ is gate selector, addition or multiplication. Note that if left input is a value $v$, then $l_i=0$ or right input is a value $v$, then $r_i=0$.

2- For $i=0.., n_g-1:$ $a)$ Set $C_{1+n_i+i, 1+n_i+i}=1$ $b)$ If $s_i$ is addition - $A_{1+n_i+i,0}=1$ - $B_{1+n_i+i,l_i}=\begin{cases}\text{left input}\hspace{1cm}l_i=0\\1\hspace{2.2cm}\text{otherwise}\end{cases}$ - $B_{1+n_i+i,r_i}=\begin{cases}\text{right input}\hspace{1cm}r_i=0\\1\hspace{2.2cm}\text{otherwise}\end{cases}$ $b)$ If $s_i$ is multiplication - $A_{1+n_i+i,l_i}=\begin{cases}\text{left input}\hspace{1cm}l_i=0\\1\hspace{2.2cm}\text{otherwise}\end{cases}$ - $B_{1+n_i+i,r_i}=\begin{cases}\text{right input}\hspace{1cm}r_i=0\\1\hspace{2.2cm}\text{otherwise}\end{cases}$

3- Outputs matrices $A, B$ and $C$.

Note 1: Here, input vector contains 32 registers. Therefore, $n_i=32$ and $X=(x_1,x_2,...,x_{32})$ where $x_i$ corresponds to $i^{th}$ register, $R_i$.

Note 2: For example, if $k+1^{th}$ gate is "add $R_1$ , $R_1$, 5", that means $R_1^{(k+1)}=5+R_1^{(k)}$ then since $z=(1,x_1,x_2,..x_{32},w_1,..,w_{n_g-n_e},y_1,..,y_{n_e})$, where $n_e$ is the number of registers that change in all program, "For" loop in $i=k$, obtains $C_{1+32+k,1+32+k}=1$ , $A_{1+32+k,0}=1$, $B_{1+32+k,l_{k}=0}=5$ and $B_{1+32+k,r_k=1}=1$.

2-1- PFR Commitment

$Commit(ck,i_f=(A,B,C)\in \textit{I}_f,r\in R)$: This function outputs

$Com_{PFR}=(Com_{row_A},Com_{col_A},Com_{val_A},Com_{row_B},Com_{col_B},Com_{val_B},Com_{row_C},Com_{col_C},Com_{val_C})$

as following: 1 - The Prover selects randomness $r=(r_1,...,r_{s_{AHP}(0)})$ of randomness space $R$ . 2- The Prover calculates $\overrightarrow{O}_{PFR}=Enc(i_f=(A,B,C))$ as encoded index as following:

The Prover encodes each matrix $A, B$ and $C$ by three polynomials. The matrix $M$, $M\in\{A, B, C\}$, is encoded by polynomials $row_{M}(x)$, $col_M(x)$ and $val_M(x)$ so that $row_M(\gamma^i)=\omega^{r_i}$, $col_M(\gamma^i)=\omega^{c_i}$ and $val_M(\gamma^i)=v_i$ for $i\in\{0,1,2,..,m-1\}$ where $m=2n_g$ is maximum of the number of nonzero entries in the matrix $M$, The value of $n=n_g+n_i+1$ is the order of the matrix. Also, $\gamma$ is a generator of multiplicative subgroup $\mathbb{K}$ of $\mathbb{F}$ of order $m$ ($\mathbb{K}=<\gamma>$ and $|\mathbb{K}|=m$) and $\omega$ is a generator of multiplicative subgroup $\mathbb{H}$ of $\mathbb{F}$ of order $n$ ($\mathbb{H}=<\omega>$ and $|\mathbb{H}|=n$). Also $r_i,c_i\in \{0,1,...,n-1\}$ and $v_i\in \mathbb{F}$ are row number, column number and value of $i^{th}$ nonzero entry, respectively. Then, lets $O_{PFR}=(row_{A_0},....,row_{A_{m-1}},col_{A_0},...,col_{A_{m-1}},val_{A_0},...,val_{A_{m-1}},row_{B_0},....,row_{B_{m-1}},col_{B_0},...,col_{B_{m-1}},$ $val_{B_0},...,val_{B_{m-1}},row_{C_0},....,row_{C_{m-1}},col_{C_0},...,col_{C_{m-1}},val_{C_0},...,val_{C_{m-1}})$

where $row_{M_i}$, $col_{M_i}$and $val_{M_i}$ are coefficient of $x^i$ of polynomials $row_{M}(x)$, $col_{M}(x)$and $val_{M}(x)$ , respectively. The vector $O_{PFR}$ is called as encoded index.

3- The Prover calculates $Com_{T}=PC.Commit(ck,T,d_{AHP}(N,0,i)=m,r_{T})$ for each polynomial $T(x)$. Note that $T\in\{Row_M,Col_M,val_M\hspace{2mm}|\hspace{2mm}M\in\{A,B,C\}\}$.

For example, if the polynomial commitment scheme $KZG$ is used, then $Com_{T}=\sum_{i=0}^{deg_T}a_ig\tau^i=\sum_{i=0}^{deg_T}a_ick(i)$ where $a_i$ is coefficient of $x^i$ in polynomial $T(x)$.

Size of Commitment: $|Com_{PFR}|=9$.

4- The Prover sends $Com_{PFR}$ to the Verifier.

CommitmentID= Lower4Bytes(SHA256(Manufacturer_Name, Device_Type, Device_Hardware_Version, Firmware_Version, Lines Vec<u64>))

2-2- AHP Commitment

$Commit(ck',i_f=(A,B,C)\in \textit{I}_f,r\in R)$: This function outputs $Com_{AHP}=(Com_{AHP}^{0},Com_{AHP}^1,Com_{AHP}^2,Com_{AHP}^3,Com_{AHP}^4,Com_{AHP}^5,Com_{AHP}^6,Com_{AHP}^7,Com_{AHP}^8)$

as following: 1 - The Prover selects randomness $r=(r_1,...,r_{s_{AHP}(0)})$ of random space $R$. 2- The Prover calculates $\overrightarrow{O}_{AHP}=Enc(i_f=(A,B,C))$ as encoded index as following:

For $M\in \{A,B,C\}$, the polynomial $row'_M:\mathbb{K}\to\mathbb{H}$ with $row'_M(k=\gamma^i)=\omega^{r_i}$ for $1\leq i\leq ||M||=m$ , $||M||$ is the number of nonzero entries in $M$, and $r_i\in \{0,1,...,n-1\}$ is row number of $i^{th}$ nonzero entry, $\gamma$ is a generator of multiplicative subgroup $\mathbb{K}$ of $\mathbb{F}$ of order $m$ ($\mathbb{K}=<\gamma>$ and $|\mathbb{K}|=m$) and $\omega$ is a generator of multiplicative subgroup $\mathbb{H}$ of $\mathbb{F}$ of order $n$ ($\mathbb{H}=<\omega>$ and $|\mathbb{H}|=n$). The value of $n$ is the order of the matrix and otherwise $row'_M(k)$ returns an arbitrary element in $\mathbb{H}$.

The polynomial $col'_M:\mathbb{K}\to\mathbb{H}$ with $col'_M(k=\gamma^i)=\omega^{c_i}$ for $1\leq i\leq ||M||$ and $c_i\in \{0,1,...,n-1\}$ is column number of $i^{th}$ nonzero entry and otherwise $col'_M(k)$ returns an arbitrary element in $\mathbb{H}$. And , the polynomial $val'_M:\mathbb{K}\to\mathbb{H}$ with $val'_M(k=\gamma^i)=\frac{v_i}{u_{\mathbb{H}}(row'_M(k),row'_M(k))u_{\mathbb{H}}(col'_M(k),col'_M(k))}$ for $1\leq i\leq ||M||$ where $v_i$ is value of $i^{th}$ nonzero entry and otherwise $val'_M(k)$ returns zero where for each $x \in \mathbb{H}$, $u_{\mathbb{H}}(x,x)=|\mathbb{H}|x^{|\mathbb{H}|-1}$. Now, $\hat{row'_M}$, $\hat{col'_M}$ and $\hat{val'_M}$ are extensions of $row'_M$, $col'_M$ and $val'_M$ so that are agree on $\mathbb{K}$.$\overrightarrow{O}_{AHP}=(\hat{row'}_{A_0},....,\hat{row'}_{A_{m-1}},\hat{col'}_{A_0},...,\hat{col'}_{A_{m-1}},\hat{val'}_{A_0},...,\hat{val'}_{A_{m-1}},\hat{row'}_{B_0},....,\hat{row'}_{B_{m-1}},\hat{col'}_{B_0},...,\hat{col'}_{B_{m-1}},$$\hat{val'}_{B_0},...,\hat{val'}_{B_{m-1}},\hat{row'}_{C_0},....,\hat{row'}_{C_{m-1}},\hat{col'}_{C_0},...,\hat{col'}_{C_{m-1}},\hat{val'}_{C_0},...,\hat{val'}_{C_{m-1}})$

where $\hat{row'}_{M_i}$, $\hat{col'}_{M_i}$and $\hat{val'}_{M_i}$ are coefficient of $x^i$ of polynomials $\hat{row'}_{M}(x)$, $\hat{col'}_{M}(x)$and $\hat{val'}_{M}(x)$ , respectively. The vector $\overrightarrow{O}_{AHP}$ is called as encoded index.

3- The Prover calculates commitment for $i^{th}$ polynomial $T(x)$ of encoded index as$Com_{T}=PC.Commit(ck',T,d_{AHP}(N,0,i)=m,r_{T})$ where $ck'(i)=ck(i )\hspace{1mm}r^i$ with random $r$. Note that $T\in\{\hat{Row'}_M,\hat{Col'}_M,\hat{val'}_M\hspace{2mm}|\hspace{2mm}M\in\{A,B,C\}\}$.

For example, if the polynomial commitment scheme $KZG$ is used, then $Com_{T}=\sum_{i=0}^{deg_T}a_ick'(i)$ where $a_i$ is coefficient of $x^i$ in polynomial $T(x)$.

4- The Prover sends $Com_{AHP}^0=\sum_{i=0}^{deg_{\hat{row'}_A(x)}}\hat{row'}_{A_i}\hspace{1.1mm}ck'(i)$, $Com_{AHP}^1=\sum_{i=0}^{deg_{\hat{col'}_A(x)}}\hat{col'}_{A_i}\hspace{1.1mm}ck'(i)$, $Com_{AHP}^2=\sum_{i=0}^{deg_{\hat{val'}_A(x)}}\hat{val'}_{A_i}\hspace{1.1mm}ck'(i)$, $Com_{AHP}^3=\sum_{i=0}^{deg_{\hat{row'}_B(x)}}\hat{row'}_{B_i}\hspace{1.1mm}ck'(i)$, $Com_{AHP}^4=\sum_{i=0}^{deg_{\hat{col'}_B(x)}}\hat{col'}_{B_i}\hspace{1.1mm}ck'(i)$, $Com_{AHP}^5=\sum_{i=0}^{deg_{\hat{val'}_B(x)}}\hat{val'}_{B_i}\hspace{1.1mm}ck'(i)$, $Com_{AHP}^6=\sum_{i=0}^{deg_{\hat{row'}_C(x)}}\hat{row'}_{C_i}\hspace{1.1mm}ck'(i)$, $Com_{AHP}^7=\sum_{i=0}^{deg_{\hat{col'}_C(x)}}\hat{col'}_{C_i}\hspace{1.1mm}ck'(i)$, $Com_{AHP}^8=\sum_{i=0}^{deg_{\hat{val'}_C(x)}}\hat{val'}_{C_i}\hspace{1.1mm}ck'(i)$.

2-3- PFR and AHP Commitment.json File Format

{
    "CommitmentID":  64-bit,
    "Class": 32-bit Integer,
    "IoT_Manufacturer_Name": String,
    "IoT_Device_Name": String,
    "Device_Hardware_Version": float,
    "Firmware_Version": float,
    "Lines": = 64-bit Array,
    "vk'":=
    
    // PFR Commitment   
    "ComRowA": 64-bit Integer,
    "ComColA": 64-bit Integer,
    "ComValA": 64-bit Integer,
    "ComRowB": 64-bit Integer,
    "ComColB": 64-bit Integer,
    "ComValB": 64-bit Integer,
    "ComRowC": 64-bit Integer,
    "ComColC": 64-bit Integer,
    "ComValC": 64-bit Integer,
    "RowA": 64-bit Integer,
    "ColA": 64-bit Integer,
    "ValA": 64-bit Integer,
    "RowB": 64-bit Integer,
    "ColB": 64-bit Integer,
    "ValB": 64-bit Integer,
    "RowC": 64-bit Integer,
    "ColC": 64-bit Integer,
    "ValC": 64-bit Integer,

    // AHP Commitment
    "ComRow'A": 64-bit Integer,
    "ComCol'A": 64-bit Integer,
    "ComVal'A": 64-bit Integer,
    "ComRow'B": 64-bit Integer,
    "ComCol'B": 64-bit Integer,
    "ComVal'B": 64-bit Integer,
    "ComRow'C": 64-bit Integer,
    "ComCol'C": 64-bit Integer,
    "ComVal'C": 64-bit Integer,
    "Row'A": 64-bit Integer,
    "Col'A": 64-bit Integer,
    "Val'A": 64-bit Integer,
    "Row'B": 64-bit Integer,
    "Col'B": 64-bit Integer,
    "Val'B": 64-bit Integer,
    "Row'C": 64-bit Integer,
    "Col'C": 64-bit Integer,
    "Val'C": 64-bit Integer,
    
    "Curve": String,
    "PolynomialCommitment": String
}

Param.json File Format