Open oleganza opened 6 years ago
Is the above strategy for non-power of two secret vectors implemented anywhere? I am working on a bulletproofs-like protocol for a different problem. Seems like it is unavoidable to use non-power of two in my protocol. Any help is much appreciated.
I could be mistaken, but no, I don't think so.
Problem
Inner product proof requires inputs with power-of-two items. This could hurt performance of proving and verification up to 2x on input sizes that are just a bit larger than a power of two.
For example, a confidential assets scheme has 8+64 multipliers per transfer, where 8 are used for mixes and shuffles, and 64 are for the range proof. This means the closest power of two is exceeded by merely 11%, making the padding increase the cost almost two-fold.
Suggestion
We can modify the IPP in a compatible manner (that is, when the input length is a power of two, IPP remains exactly the same) by padding the inputs with zero scalars `0` and identity points `O`. This padding does not change the original relation and, due to the use of challenges when folding the lo/hi halves of the vectors, does not interfere with other scalars or generators. This way, the verifier does not have to include operations on the identity points in the megacheck, and therefore removes the overhead.
To make it similarly more efficient for the prover, we can rearrange the padding in the following manner:
Let `n` be the size of the inputs and `k = ceil(log_2(n))` the next power of two.
Let `n' = 2*ceil(n/2)`. In other words, add `0` and `O` to the scalars and generators accordingly, if the input size is odd. Otherwise, do nothing.
Let `n'' = 2*ceil(n'/2)` again (if needed).
We need 14 zeroes which we will arrange as `2*(4+2+1)`:
The result is equivalent to padding the input as:
The big downside of this approach is that indices of the points get shifted in a funny pattern that the megacheck has to be aware of. But hopefully there is a not very horrible formula to do that.
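The per-level padding and the index shift it produces, as an added example that is not part of the issue or of the project's code: a Python model of the fold over a toy additive group (an assumption made for illustration, not a real curve), run on constructed random inputs. `pad_layout` simulates the odd-length padding and gives each original element's position in the equivalent power-of-two layout (the formula for the shifted indices), `fold` folds either layout with the same challenges, and `verifier_coeffs` builds the verifier's coefficients over the original generators only, so the identity points never enter the sum. `n = 50` is assumed as the instance behind the 14 zeroes above.

```python
# Added example (not from the issue or the bulletproofs crate): a toy model of
# the inner-product-argument fold with per-level zero padding.
# Scalars live in F_P; "points" are modelled as the additive group Z_P, so a
# generator is an integer, scalar multiplication is multiplication mod P and the
# identity point O is 0. This is an assumption for illustration, not a curve.
import random

P = 2**61 - 1


def inv(x):
    return pow(x, P - 2, P)


def pad_layout(n):
    """Simulate the per-level padding (append one 0 / O whenever the current
    length is odd, then fold lo/hi) and return (k, orig_slots, pad_slots):
    2^k is the next power of two, orig_slots[i] is the position element i would
    occupy in the equivalent 2^k-length padded vector, pad_slots are the
    positions that equivalent vector fills with 0 / O."""
    if n < 1:
        raise ValueError("empty vector")
    k = (n - 1).bit_length()               # ceil(log2(n))
    pos = {i: i for i in range(n)}         # current position of every element
    path = {i: 0 for i in range(n)}        # lo/hi decisions so far, MSB first
    pad_level = {}
    length = n
    for level in range(k):
        if length % 2:                     # odd: pad with one 0 / O at the end
            t = ("pad", level)
            pos[t], path[t], pad_level[t] = length, 0, level
            length += 1
        half = length // 2
        for t in pos:
            hi = int(pos[t] >= half)
            path[t] = path[t] * 2 + hi
            pos[t] = pos[t] - half if hi else pos[t]
        length = half
    assert length == 1
    orig_slots = [path[i] for i in range(n)]
    # a zero inserted at level t stands in for 2^t zeros of the original layout:
    # its top t bits (the folds it did not take part in) are free
    pad_slots = sorted((top << (k - lv)) | path[t]
                       for t, lv in pad_level.items() for top in range(2 ** lv))
    return k, orig_slots, pad_slots


def fold(vec, challenges, coeffs):
    """Fold vec down to one element with one challenge per level.
    coeffs(x) -> (c_lo, c_hi); an odd-length level is padded with 0 first."""
    v = list(vec)
    for x in challenges:
        if len(v) % 2:
            v.append(0)
        half = len(v) // 2
        c_lo, c_hi = coeffs(x)
        v = [(c_lo * v[i] + c_hi * v[i + half]) % P for i in range(half)]
    assert len(v) == 1, "wrong number of challenges"
    return v[0]


def a_coeffs(x):   # a' = x*a_lo + x^-1*a_hi
    return x, inv(x)


def g_coeffs(x):   # G' = x^-1*G_lo + x*G_hi
    return inv(x), x


def verifier_coeffs(n, challenges):
    """Coefficient s_i of each original generator G_i in the folded G*, read
    off its lo/hi path; padding positions are never touched (they are O)."""
    k, slots, _ = pad_layout(n)
    s = []
    for j in slots:
        c = 1
        for level, x in enumerate(challenges):
            bit = (j >> (k - 1 - level)) & 1
            c = c * (x if bit else inv(x)) % P
        s.append(c)
    return s


def check_equivalence(n, seed=7):
    """Constructed data: random a and G of length n. Returns True when the
    per-level padding folds to the same result as the equivalent power-of-two
    layout, the layout is a bijection, and the verifier's n-term sum over the
    original generators reproduces the folded G*."""
    rng = random.Random(seed)
    k, slots, pads = pad_layout(n)
    challenges = [rng.randrange(1, P) for _ in range(k)]
    a = [rng.randrange(P) for _ in range(n)]
    G = [rng.randrange(P) for _ in range(n)]
    a_pad, G_pad = [0] * (1 << k), [0] * (1 << k)   # 0 / O everywhere else
    for i, j in enumerate(slots):
        a_pad[j], G_pad[j] = a[i], G[i]
    g_star = fold(G, challenges, g_coeffs)
    same_a = fold(a, challenges, a_coeffs) == fold(a_pad, challenges, a_coeffs)
    same_g = g_star == fold(G_pad, challenges, g_coeffs)
    s = verifier_coeffs(n, challenges)
    megacheck = sum(si * gi for si, gi in zip(s, G)) % P
    return (same_a and same_g and megacheck == g_star
            and sorted(slots + pads) == list(range(1 << k)))


if __name__ == "__main__":
    k, slots, pads = pad_layout(50)
    print(k, pads)
    print(check_equivalence(50), check_equivalence(72))
```

With `n = 50` the padding lands in slots 7, 14, 15, 23, 29, 30, 31, 39, 46, 47, 55, 61, 62, 63: the zero inserted after the first fold accounts for two slots, the second for four, the third for eight, which is the `2*(4+2+1)` arrangement. For a power-of-two `n` the layout is the identity and no zero is inserted, so the modified IPP coincides with the unmodified one.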