Powers of Tau Proofs

Here's a starting point for the proofs: https://github.com/a16z/evm-powers-of-tau/blob/master/techreport/main.pdf.

You have P1,j1,P2,j1,,Pn,j1;P+,j1P_{1, j - 1}, P_{2, j - 1}, \ldots, P_{n, j - 1}; P_{+, j - 1}.

Participant generates rRF_pr \xleftarrow{R} \mathbb{F}\_p^*, and publishes P1,j,P2,j,;P+,jP_{1, j}, P_{2, j}, \ldots; P_{+, j}. This should satisfy:

P1,j=rP1,j1P2,j=r2P2,j1 P+,j=rP+,j1\begin{aligned} P_{1, j} &= r \cdot P_{1, j - 1}\cr P_{2, j} &= r^2 \cdot P_{2, j - 1}\cr &\ \vdots\cr P_{+, j} &= r \cdot P_{+, j - 1}\cr \end{aligned}

The following properties need to be proved:

  1. The prover knows rr
  2. The prover correctly used rr, or at least, Pi,jP_{i, j} consist of a valid powers of tau setup, assuming the Pi,j1P_{i, j-1} did.
  3. r0r \neq 0

The protocol above does 2. with pairings.

Using Maurer Proofs

c.f. my blog post on Maurer proofs

As a starting point, consider the following toy relation:

{(A,B,G;a,b) craG=AbG=Bb=a2}\begin{aligned} &\{(A, B, G; a, b)\ |\\cr &\quad a \cdot G = A\cr &\quad b \cdot G = B\cr &\quad b = a^2\cr &\}\cr \end{aligned}

The tricky aspect is the b=a2b = a^2 part. The rest can be done with a Maurer proof.

One way around this is to tweak the relation slightly:

{(A,B,G;a,b) craG=AaA=BbG=B}\begin{aligned} &\{(A, B, G; a, b)\ |\\cr &\quad a \cdot G = A\cr &\quad a \cdot A = B\cr &\quad b \cdot G = B\cr &\}\cr \end{aligned}

Because b=a2b = a^2, we have aA=a2G=bG=Ba \cdot A = a^2 \cdot G = b \cdot G = B, so this relation is equivalent. Notice also that this relation is captured by the homomorphism:

φ(a,b):=(aG,aA,bG)\varphi(a, b) := (a \cdot G, a \cdot A, b \cdot G)

A Maurer proof will work, wherein you check that φ(a,b)=(A,B,B)\varphi(a, b) = (A, B, B)

We can extend this to the degree 33 case as well:

{(A,B,C,G;a,b,c) craG=AbG=BcG=Cb=a2c=a3}\begin{aligned} &\{(A, B, C, G; a, b, c)\ |\\cr &\quad a \cdot G = A\cr &\quad b \cdot G = B\cr &\quad c \cdot G = C\cr &\quad b = a^2\cr &\quad c = a^3\cr &\}\cr \end{aligned}

this time, we use the homomorphism:

φ(a,b,c):=(aG,aA,bG,aB,cG)\varphi(a, b, c) := (a \cdot G, a \cdot A, b \cdot G, a \cdot B, c \cdot G)

with expected output (A,B,B,C,C)(A, B, B, C, C).

Tau Proof

The relation you want to prove is:

{(Pi,j,Pi,j1;r)  riPi,j1=Pi,j}\{(P_{i, j}, P_{i, j - 1}; r)\ |\ r^i \cdot P_{i, j - 1} = P_{i, j}\}

(taking the convention τ+=τ\tau^+ = \tau)

If you had a vector r\bold{r} such that ri=ri\bold{r}_i = r^i, then you could just use a standard Maurer proof here. The issue with that is that you need to enforce a specific relation between the vector elements.

We can use the proof we developed in the previous section to get around this restriction though.

We publish R:=rG\bold{R} := \bold{r} \cdot G, and then create a proof for the following relation:

{(Pi,j,Pi,j1,R;r) cri[n1]. r1Ri=Ri+1i[n]. riG=Rii[n]. riPi,j1=Pi,j}\begin{aligned} &\{(P_{i, j}, P_{i, j - 1}, \bold{R}; \bold{r})\ |\\cr &\quad \forall i \in [n - 1].\ \bold{r}_1 \cdot \bold{R}_i = \bold{R}_{i + 1}\cr &\quad \forall i \in [n].\ \bold{r}_i \cdot G = \bold{R}_{i}\cr &\quad \forall i \in [n].\ \bold{r}_i \cdot P_{i, j - 1} = P_{i, j}\cr &\}\cr \end{aligned}

This can be done via a Maurer proof for the following homomorphism:

φ(r):=([r_iR_i],[r_iP_i,j1])\varphi(\bold{r}) := ([\bold{r}\_i \cdot \bold{R}\_i], [\bold{r}\_i \cdot P\_{i, j - 1}])

With the expected output being:

(R_i2,[P_i,j])(\bold{R}\_{i \geq 2}, [P\_{i, j}])

The vector r\bold{r} has to be initialized to the powers of rr.