schwartz zippel: steps documentation

shramee · Jun 12, 2024 · 6c6f891 · 6c6f891
1 parent c89d875
commit 6c6f891
Showing 1 changed file with 20 additions and 18 deletions.
diff --git a/src/groth16/schzip.cairo b/src/groth16/schzip.cairo
@@ -44,26 +44,15 @@ pub struct SchZipCommitments {
 // For A and B element of Fq12 represented as direct extensions,
 // ```A(x) * B(x) = R(x) + Q(x) * P12(x)```
 // where `R(x)` is a polynomial of degree 11 or less.
-// ### Expanding this to include the whole bit operation inside the miller loop,
-// 1. For non-zero `P`/`N` bits,
-// * Commitment contains 42 coefficients
-// * F ∈ Fq12, miller loop aggregation
-// * L1, L2, L3 ∈ Sparse01234, Loop step lines
-// * Witness ∈ Fq12, Residue witness (or it's inverse based on the bit value)
-// * ```F(x) * F(x) * L1(x) * L2(x) * L3(x) * Witness(x) = R(x) + Q(x) * P12(x)```
-// 2. For zero `O` bits,
-// * Commitment contains 64 coefficients
-// * F ∈ Fq12, miller loop aggregation
-// * L1_L2 ∈ Sparse01234, Loop step lines L1 and L2 multiplied for lower degree
-// * L3 ∈ Sparse034, // Last L3 line
-// * ```F(x) * F(x) * L1_L2(x) * L3(x) = R(x) + Q(x) * P12(x)```
-// 3. Final step,
-// * Commitment contains 42 coefficients
-// * F ∈ Fq12, miller loop aggregation
-// * L1, L2, L3 ∈ Sparse01234, Correction step lines
-// * ```F(x) * L1(x) * L2(x) * L3(x) = R(x) + Q(x) * P12(x)```
+// Expanding this to include the whole bit operation inside the miller loop,
 #[generate_trait]
 impl SchZipPolyCommitHandler of SchZipPolyCommitHandlerTrait {
+ // Handles Schwartz Zippel verification for zero `O` bits,
+ // * Commitment contains 64 coefficients
+ // * F ∈ Fq12, miller loop aggregation
+ // * L1_L2 ∈ Sparse01234, Loop step lines L1 and L2 multiplied for lower degree
+ // * L3 ∈ Sparse034, // Last L3 line
+ // * ```F(x) * F(x) * L1_L2(x) * L3(x) = R(x) + Q(x) * P12(x)```
  fn zero_bit(
  self: @SchZipCommitments, ref f: Fq12, i: u32, l1_l2: FS01234, l3: FS034, f_nz: NZ256
  ) {
@@ -87,6 +76,13 @@ impl SchZipPolyCommitHandler of SchZipPolyCommitHandlerTrait {
  *c[i + 11],
  );
  }
+
+ // Handles Schwartz Zippel verification for non-zero `P`/`N` bits,
+ // * Commitment contains 42 coefficients
+ // * F ∈ Fq12, miller loop aggregation
+ // * L1, L2, L3 ∈ Sparse01234, Loop step lines
+ // * Witness ∈ Fq12, Residue witness (or it's inverse based on the bit value)
+ // * ```F(x) * F(x) * L1(x) * L2(x) * L3(x) * Witness(x) = R(x) + Q(x) * P12(x)```
  fn nz_bit(
  self: @SchZipCommitments,
  ref f: Fq12,
@@ -114,6 +110,12 @@ impl SchZipPolyCommitHandler of SchZipPolyCommitHandlerTrait {
  *c[i + 11],
  );
  }
+
+ // Handles Schwartz Zippel verification for miller loop correction step,
+ // * Commitment contains 42 coefficients
+ // * F ∈ Fq12, miller loop aggregation
+ // * L1, L2, L3 ∈ Sparse01234, Correction step lines
+ // * ```F(x) * L1(x) * L2(x) * L3(x) = R(x) + Q(x) * P12(x)```
  fn last_step(
  self: @SchZipCommitments,
  ref f: Fq12,