PolygonPolygon Telegram
ToolszkEVMConceptsMfibonacci

Mfibonacci Example

Consider a proof-verification scheme, using an arbitrary Polynomial Commitment Scheme. In this scheme, users must prove knowledge of the $Nth$ member of a multi

Consider a proof-verification scheme, using an arbitrary Polynomial Commitment Scheme. In this scheme, users must prove knowledge of the NthNth member of a multiplicative Fibonacci series for specific initial conditions.

What is a multiplicative Fibonacci series?

The multiplicative Fibonacci series (or simply mFibonacci series), denoted by

a0,a1,a2,,an\mathbf{a_0, a_1, a_2, \dots , a_n}

has the property that the product of every two consecutive members ai1\mathbf{a_{i-1}} and ai\mathbf{a_i} gives the value of the next member ai+1\mathbf{a_{i+1}}. That is, ai+1=ai1ai\mathbf{ a_{i+1} = a_{i-1}\cdot a_i }.

Also, the initial values are specified as a0=2\mathbf{a_0} = 2 and a1=1\mathbf{a_1} = 1.

Here are the first ten terms of the mFibonacci series,

  2,  1,  2,  2,  4,  8,  32,  256,  8192,  2097152,  \mathbf{ \ \ 2,\ \ 1,\ \ 2,\ \ 2,\ \ 4,\ \ 8,\ \ 32,\ \ 256,\ \ 8192,\ \ 2097152,\ \ \dots }

As a trivial example, the challenge may be: Prove knowledge of the initial values that produced a10=17179869184\mathbf{a_{10} = 17179869184}, the eleventh member of the mFibonacci series, without revealing the initial values.

The task therefore, is to first build a state machine that would enable anyone to prove knowledge of the initial values a0\mathbf{a_0} and a1\mathbf{a_1} that yields a specific N-th member of the mFibonacci series.

Constructing mFibonacci state machine

Consider a state machine with two registries A\mathbf{A} and B\mathbf{B} where

A=[A0,A1,,AT],B=[B0,B1,,BT]\begin{aligned} &\mathbf{A} = [A_0, A_1, \dots , A_T ], \\ &\mathbf{B} = [B_0, B_ 1, \dots , B_T] \end{aligned}

such that the i-th state is the pair (Ai,Bi)\big( A_i , B_i \big).

Such a state machine is an mFibonacci state machine if indeed the registry values conform to the format of the mFibonnacci series. See Figure 4 below, for an mFibonacci state machine with the initial conditions, A0=2A_0 = 2 and B0=1B_0 = 1.

Figure 4: mFibonacci SM with two registries

The state transitions from S=(Ai,Bi)\mathtt{S} = \big( A_i , B_i \big) to S=(Ai+1,Bi+1)\mathtt{S}' = \big( A_{i+1} , B_{i+1} \big) conform to the following constraints;

Ai+1=Bi   Bi+1=AiBi\begin{aligned} { A_{i+1} = B_i \quad\text{ }\text{ }\text{ } } \\ { B_{i+1} = A_i \cdot B_i } \end{aligned}

The aim here is to; express the evolution of the execution trace in terms of polynomials, build corresponding polynomial identities, and ultimately construct a ZK proof/verification scheme for our mFibonacci state machine.

Building polynomial identities

The polynomials that represent the two registries are taken from the set of polynomials Fp[X]\mathbb{F}_p [X], where the coefficients are elements of a prime field Fp\mathbb{F}_p and p=264232+1p = 2^{64} - 2^{32} + 1.

The polynomials are evaluated over the subgroup

H={ω,ω2,ω3,,ω7,ω8=1=ω0}=ωFp{\mathcal{H}} = \{ \omega, \omega^2, \omega^3, \dots , \omega^7, \omega^8 = 1 = \omega^0 \} = \langle \omega \rangle \subseteq \mathbb{F}_p^*

of order 88.

Define two polynomials P(X)P(X) and Q(X)Q(X) such that:

P(ωi)=A[i]        A=[2,1,2,2,4,8,32,256]  Q(ωi)=B[i]        B=[1,2,2,4,8,32,256,8192]\begin{aligned} P(\omega^i) = A[i] \ \ \iff \ \ A = [2,1,2,2,4,8,32,256]\quad\text{ }\text{ } \\ Q(\omega^i) = B[i] \ \ \iff \ \ B = [1,2,2,4,8,32,256,8192] \end{aligned}

Since every XX in H{\mathcal{H}} is of the form X=ωiX = \omega^i for some ii, we have

P(Xω)=P(ωi+1)=Ai+1,Q(Xω)=Q(ωi+1)=Bi+1.\begin{aligned} P(X\cdot \omega) &= P(\omega^{i + 1}) = A_{i+1}, \\ Q(X\cdot \omega) &= Q(\omega^{i+1}) = B_{i+1}. \end{aligned}

The previously stated constraints, imposed on the state transitions SS\mathtt{S} \to \mathtt{S}' of the mFibonacci state machine, translate into the following polynomial identities;

P(Xω)=H Q(X),Q(Xω)=H P(X)Q(X)\begin{aligned} P(X\cdot \omega) &= \bigg\lvert_{\mathcal{H}}\ Q(X), \\ Q(X\cdot \omega) &= \bigg\lvert_{\mathcal{H}}\ P(X) \cdot Q(X) \end{aligned}

If these polynomial identities should accurately express the two registries, then every state transition of the mFibonacci SM must satisfy them.

Non-cyclicity of the mFibonacci state machine

Note that the definition of H{\mathcal{H}} does not restrict the values of ii to be less than 88.

Even if we set i=27i = 27, the element ω27\omega^{27} is in H{\mathcal{H}} because

ω27=w8ω8ω8ω3=111ω3=ω3\begin{aligned} \omega^{27} = w^8 \cdot \omega^8 \cdot \omega^8 \cdot \omega^3 = 1 \cdot 1 \cdot 1 \cdot \omega^3 = \omega^3 \end{aligned}

However, the unrestricted value of ii, which implies there is no bound on the number of state changes (i.e., on the clock), presents problems with the above polynomial identities.

Let us test if the polynomial identities hold true for all permissible values of ii. So let X=ω7X = \omega^7 and refer to the registry values given in Figure 4.

  • For the first identity we get,
P(Xω)=P(ω7ω)=P(ω8)=P(ω0)=A0=2   but  Q(X)=Q(ω7)=81922\begin{aligned} P(X\cdot \omega) = P(\omega^7 \cdot \omega) = P(\omega^8) = P(\omega^0) = A_0 = 2\ \ \\ \text{ but }\ Q(X) = Q(\omega^7) = 8192 \not= 2 \quad\qquad\qquad\qquad\quad \end{aligned}
  • Similarly, for the second identity, we get,
Q(Xω)=Q(ω7ω)=Q(ω8)=Q(ω0)=B0=1   but P(X)Q(X)=P(ω7)Q(ω7)=2568192=20971521\begin{aligned} Q(X\cdot \omega) = Q(\omega^7 \cdot \omega) = Q(\omega^8) = Q(\omega^0) = B_0 = 1\ \ \text{ but } \qquad \\ P(X)\cdot Q(X) = P(\omega^7)\cdot Q(\omega^7) = 256\cdot 8192 = 2097152 \not= 1 \quad \end{aligned}

Clearly, the polynomial identities are not aligned with the registry values of the mFibonacci SM. The reason for this disparity is that, whereas HH is cyclic, the polynomial identities are not.

Introducing cyclicity

In order to inject some cyclicity into the mFibonacci SM, we add a third registry C=[C1,C2,,CT]\mathbf{C} = [C_1, C_2, \dots , C_T] and set the registry values to C=[0,0,,0,1]\mathbf{C} = [0, 0, \dots , 0, 1].

Hence the mFibonacci SM is as depicted in Figure 5 below.

mFibonacci SM with three registries

The corresponding polynomial R(x)R(x) is defined as follows;

R(ωi)=C[i]R(\omega^i) = C[i]

That is;

R(ωi)=C[i]=1, if   (i+1)mod8=0R(ωi)=C[i]=0, otherwise\begin{aligned} R(\omega^i) &= C[i] = 1, \text{ if } \ \ (i+1)\mod 8 = 0 \\ R(\omega^i) &= C[i] = 0, \text{ otherwise} \end{aligned}

The polynomial R(x)R(x) is incorporated into the previous polynomial identities as follows;

P(Xω)=H  Q(X)(1R(X))+R(X)A0   Q(Xω)=H  (1R(X))P(X)Q(X)+R(X)B0\begin{aligned} P(X \cdot \omega) = \bigg\lvert_{\mathcal{H}}\ \ Q(X) \cdot \big( 1 - R(X) \big) + R(X)\cdot A_0 \quad\quad\text{ }\text{ }\text{ } \\ Q(X\cdot \omega) = \bigg\lvert_{\mathcal{H}}\ \ (1 - R(X)) \cdot P(X)\cdot Q(X) + R(X)\cdot B_0 \end{aligned}

Note that, for all the states where the new registry C[i]=0C[i] = 0, these new identities coincide with the previous ones (where only registries AA and BB were used).

These polynomial identities can be rewritten as;

(1R(X))[P(Xω)Q(X)]+R(X)[P(Xω)A0]=H 0   (1R(X))[Q(Xω)(P(X)Q(X))]+R(X)[Q(Xω)B0]=H 0\begin{aligned} \big( 1 - R(X) \big) \cdot \big[ P(X\cdot \omega) - Q(X) \big] + R(X)\cdot \big[ P(X \cdot \omega) - A_0 \big] = \bigg\lvert_{\mathcal{H}}\ 0\quad\text{ }\text{ }\text{ } \\ (1 - R(X)) · [Q(Xω) - (P(X) · Q(X))] + R(X)\cdot [Q(Xω) - B_0] = \bigg\lvert_{\mathcal{H}}\ 0 \end{aligned}

Let's check if these identities are cyclic. Again, let X=ω7X = \omega^7 and use the registry values given in the figure.

  • For the first identity, we observe that,
LHS=P(Xω)=P(ω7ω)=P(ω8)=P(ω0)=A0=2   and RHS=Q(X)(1R(X))+R(X)A0 = Q(ω7)(11)+12=2=LHS\begin{aligned} \text{LHS} &= P(X\cdot \omega) = P(\omega^7 \cdot \omega) = P(\omega^8) = P(\omega^0) = A_0 = 2\ \ \text{ and } \\ \text{RHS} &= Q(X)\cdot \big( 1 - R(X) \big) + R(X)\cdot A_0\ =\ Q(\omega^7)\cdot \big( 1 - 1 \big) + 1\cdot 2 = 2 = \text{LHS} \end{aligned}
  • Similarly, for the second identity, we observe that,
LHS=Q(Xω)=Q(ω7ω)=Q(ω8)=Q(ω0)=B0=1   and  and RHS=(1R(X))P(X)Q(X)+R(X)B0=(11)P(ω7)Q(ω7)+11=0+1=LHS\begin{aligned} \text{LHS} &= Q(X\cdot \omega) = Q(\omega^7 \cdot \omega) = Q(\omega^8) = Q(\omega^0) = B_0 = 1 \ \ \text{ and } \text{ and } \\ \text{RHS} &= (1 - R(X)) \cdot P(X)\cdot Q(X) + R(X)\cdot B_0 \\ &= (1 - 1) \cdot P(\omega^7)\cdot Q(\omega^7) + 1\cdot 1 = 0 + 1 = \text{LHS} \end{aligned}

These polynomial identities enforce correct state transitioning, and are therefore referred to as transition constraints. They apply to every pair of consecutive states. That is, every pair of consecutive rows in the execution trace of the SM.

Verifying computations

In addition to transition constraints, are boundary constraints. A boundary constraint is a constraint that enforces that a polynomial has a certain value at a particular root of unity.

Varied initial conditions

Note that instead of being restricted to the given initial conditions (A0,B0)=(2,1)\big(A_0, B_0\big) = \big(2, 1\big) the mFibonacci state machine together with its polynomial identities can be adjusted to any initial conditions (A0,B0)\big(A_0, B_0\big).

For example, for A0=23A_0 = 23 and B0=46B_0 = 46, the constraints should be;

(1R(X))[P(Xω)Q(X)]+R(X)[P(Xω)23]=H 0   (1R(X))[Q(Xω)(P(X)Q(X))]+R(X)[Q(Xω)46]=H 0\begin{aligned} \big( 1 - R(X) \big) \cdot \big[ P(X\cdot \omega) - Q(X) \big] + R(X)\cdot \big[ P(X \cdot \omega) - 23 \big] = \bigg\lvert_{\mathcal{H}}\ 0\quad\text{ }\text{ }\text{ } \\ (1 - R(X)) · [Q(Xω) - (P(X) · Q(X))] + R(X)\cdot [Q(Xω) - 46] = \bigg\lvert_{\mathcal{H}}\ 0 \end{aligned}

In the context of our mFibonacci SM, the verifier can set the initial conditions (A0,B0)\big( A_0 , B_0 \big) to values of his or her own choice, and generate the state machine while keeping A0A_0 and B0B_0 secret. The prover's task is therefore, to prove knowledge of A0A_0 and B0B_0 that led to a given N-th term of the mFibonacci series.

Boundary constraints

Boundary constraints apply to particular registry values, and are used to enforce that the correct initial state was applied.

The idea here is to set up a specific boundary constraint, which the verifier can use to check that correct initial conditions were applied, when the prover was computing a particular NthNth term of the mFibonacci series. Yet, the verifier must not disclose any information about the secret values A0A_0 and B0B_0.

Therefore, the first thing to do, is removing terms in the identities bearing the initial values A0A_0 and B0B_0. This means modifying our polynomial identities to the ones below;

(1R(X))[P(Xω)Q(X)]=H 0   (1R(X))[Q(Xω)(P(X)Q(X))]=H 0\begin{aligned} \big( 1 - R(X) \big) \cdot \big[ P(X\cdot \omega) - Q(X) \big] = \bigg\lvert_{\mathcal{H}}\ 0\qquad\text{ }\text{ }\text{ } \\ (1 - R(X)) · [Q(X\cdot \omega) - (P(X) · Q(X))] = \bigg\lvert_{\mathcal{H}}\ 0 \end{aligned}

Secondly, knowing that A0A_0 and B0B_0 yield the kk-th term Ak1=P(ωk1)=:KA_{k-1} = P(\omega^{k-1}) =: \mathcal{K}, the verifier adds the boundary constraint;

P(ωk1)=KP(\omega^{k-1}) = \mathcal{K}

In other words, the prover has to provide three polynomials P(X)P(X), Q(X)Q(X), P(Xω)P(X\omega) and Q(Xω)Q(X\omega) together with the correct kk-th term. The verifier then tests if these polynomials conform to the above constraints. If all three constraints are satisfied, then the prover knows the correct initial values A0A_0 and B0B_0.

This logic is valid simply because the computations carried out by the state machine are deterministic by nature.

Proof elements and verification

All computations are carried out in a field Fp\mathbb{F}_p , where p=264232+1p = \mathtt{2^{64}-2^{32}+1}, a Goldilocks-like prime number.

Suppose the verifier knows that an mFibonacci series starting with initial values, A0A_0 and B0B_0, yields A1023=14 823 897 298 192 278 947A_{\mathtt{1023}} = \mathtt{14\ 823\ 897\ 298\ 192\ 278\ 947} as the value of the 1024\mathtt{1024}-th term. The verifier can challenge anyone to prove knowledge of the initial condition of the mFibonacci SM to provide three polynomials and the correct 1024\mathtt{1024}-th term. That is, the verifier uses the following constraints to verify the prover's submissions:

(1R(X))[P(Xω)Q(X)]=H 0   (1R(X))[Q(Xω)(P(X)Q(X))]=H 0(P(ω1023)K)R(X)=0 \begin{aligned} \big( 1 - R(X) \big) \cdot \big[ P(X\cdot \omega) - Q(X) \big] = \bigg\lvert_H\ 0\qquad\quad\text{ }\text{ }\text{ } \\ \big(1 - R(X)\big) · [Q(X\cdot \omega) - (P(X) · Q(X))] = \bigg\lvert_H\ 0 \\ \big(P(\omega^{\mathtt{1023}}) - \mathcal{K} \big)\cdot R(X) = 0\qquad\qquad\qquad\qquad\quad\text{ } \end{aligned}

Anyone who knows the three polynomials and the correct initial conditions, say A0=234A_0 = 234 and B0=135B_0 = 135, can simply run the mFibonacci SM code to compute A1023=P(ω1023)A_{\mathtt{1023}} = P(\omega^{\mathtt{1023}}). See below figure for the JS code.

Code Example of the mFibonacci SM's Computation Trace

Edit on GitHub

Last updated on

Commitment Scheme

The framework for the proof-verification system of our mFibonacci state machine is that of a _polynomial commitment scheme_. The mechanism for proving correctne

Mfibonacci

## Introduction This document gives a short summary of the multiplicative Fibonacci state machine, presented as a simple model for the zkProver state machines.

On this page

What is a multiplicative Fibonacci series?Constructing mFibonacci state machineBuilding polynomial identitiesNon-cyclicity of the mFibonacci state machineIntroducing cyclicityVerifying computationsVaried initial conditionsBoundary constraintsProof elements and verification