docs
  • README
  • Browsing the Fides Innova ZKP Network
  • Connecting Your MetaMask to the Network
  • Full Node
  • Introduction
  • Mobile App
  • Publishing Service Contracts on the Fides Innova Blockchain
  • Web App (User Panel, Admin Panel)
  • Fides Zero-Knowledge Proof (ZKP) Algorithm
    • 1- Setup Phase
      • 1- Setup Phase
      • Example 1
      • Example 2
    • 2-commitment-phase
      • 2- Commitment Phase
      • Example 1
      • Example 2
    • 3- Proof Generation Phase
      • 3- Proof Generation Phase
      • Example 1
      • Example 2
    • 4- Proof Verification Phase
      • 4- Proof Verification Phase
      • Example 1
      • Example 2
    • 5-target-architecture
      • Target architecture - RISC-V RV32IM
      • Target architecture - ARMv6-M Cortex-M0 32-bit ARM - RaspberryPi Pico
      • Target architecture - Cortex-A53 - for Siemens SIMATIC IOT2050
  • Tech Stack
    • Message Queuing Telemetry Transport (MQTT) protocol
    • Service Contract
    • Service Market
    • ZKP-enabled JavaScript Execution
  • ZKP and IoT Device Firmware Integration (zk-Device Design)
    • E-Card; a sample zk-Device
      • Installation
      • Instruction Set Architecture (ISA)
      • Mesh IoT Network
      • Reset
Powered by GitBook
On this page
  • PFR Proof
  • AHP Proof
  • Proof JSON file Example 1
  1. Fides Zero-Knowledge Proof (ZKP) Algorithm
  2. 3- Proof Generation Phase

Example 1

Previous3- Proof Generation PhaseNextExample 2

Last updated 2 months ago

PFR Proof

The Prover interpolates polynomial hhh such that seqK(h)=ωt,ωt+1,..,ωn−1,0,..,0seq_{\mathbb{K}}(h)=\omega^t,\omega^{t+1},..,\omega^{n-1},0,..,0seqK​(h)=ωt,ωt+1,..,ωn−1,0,..,0. Here t=2t=2t=2 and n=5n=5n=5, therefore seqK(h)=ω2,ω3,ω4,0,..,0seq_{\mathbb{K}}(h)=\omega^2,\omega^3,\omega^4,0,..,0seqK​(h)=ω2,ω3,ω4,0,..,0. This means that {h(k):k∈K={1,43,39,48,73,62,132,65,80}}={ω2,ω3,ω4,0,..,0}={42,125,135,0,0,0,0,0,0}\{h(k):\hspace{1mm}k\in\mathbb{K}=\{1,43,39,48,73,62,132,65,80\}\}=\{\omega^2,\omega^3,\omega^4,0,..,0\}=\{42,125,135,0,0,0,0,0,0\}{h(k):k∈K={1,43,39,48,73,62,132,65,80}}={ω2,ω3,ω4,0,..,0}={42,125,135,0,0,0,0,0,0}Therefore h(1)=42h(1)=42h(1)=42, h(43)=125h(43)=125h(43)=125 , h(39)=135h(39)=135h(39)=135, h(48)=h(73)=h(62)=h(132)=h(65)=h(80)=0h(48)=h(73)=h(62)=h(132)=h(65)=h(80)=0h(48)=h(73)=h(62)=h(132)=h(65)=h(80)=0. So h(x)=42L1(x)+125L2(x)+135L3(x)h(x)=42L_1(x)+125L_2(x)+135L_3(x)h(x)=42L1​(x)+125L2​(x)+135L3​(x) where L1(x)=(x−43)(x−39)(x−48)(x−73)(x−62)(x−132)(x−65)(x−80)(−42)(−38)(−47)(−72)(−61)(−131)(−64)(−79)=161x8+161x7+161x6+161x5+161x4+161x3+161x2+161x+161L_1(x)=\frac{(x-43)(x-39)(x-48)(x-73)(x-62)(x-132)(x-65)(x-80)}{(-42)(-38)(-47)(-72)(-61)(-131)(-64)(-79)}=161x^8+161x^7+161x^6+161x^5+161x^4+161x^3+161x^2+161x+161L1​(x)=(−42)(−38)(−47)(−72)(−61)(−131)(−64)(−79)(x−43)(x−39)(x−48)(x−73)(x−62)(x−132)(x−65)(x−80)​=161x8+161x7+161x6+161x5+161x4+161x3+161x2+161x+161,

L2(x)=45x8+125x7+126x6+169x5+27x4+75x3+148x2+29x+161L_2(x)=45x^8+125x^7+126x^6+169x^5+27x^4+75x^3+148x^2+29x+161L2​(x)=45x8+125x7+126x6+169x5+27x4+75x3+148x2+29x+161,

L3(x)=125x8+169x7+75x6+29x5+45x4+126x3+27x2+148x+161L_3(x)=125x^8+169x^7+75x^6+29x^5+45x^4+126x^3+27x^2+148x+161L3​(x)=125x8+169x7+75x6+29x5+45x4+126x3+27x2+148x+161,

Therefore h(x)=121x8+133x7+57x6+127x5+103x4+24x3+128x2+140x+114h(x)=121x^8+133x^7+57x^6+127x^5+103x^4+24x^3+128x^2+140x+114h(x)=121x8+133x7+57x6+127x5+103x4+24x3+128x2+140x+114. The Prover sends π1=(h0,h1,...,h8)\pi_1=(h_0,h_1,...,h_8)π1​=(h0​,h1​,...,h8​) where hih_ihi​ is coefficients of polynomial h(x)h(x)h(x) to the Verifier.

3-5-1-2- Step 2

The Prover and the Verifier do GeometricSequenceTestGeometric\hspace{1mm}Sequence\hspace{1mm}TestGeometricSequenceTest on hhh (to verify correct construction of polynomial hhh). In GeometricSequenceTestGeometric\hspace{1mm} Sequence\hspace{1mm} TestGeometricSequenceTest want to prove that SeqK(h)=a1,a1r,..,a1rc1−1,a2,a2r,...,a2rc2−1,...,av,avr,...,avrcv−1Seq_{\mathbb{K}}(h)=a_1,a_1r,..,a_1r^{c_1-1},a_2, a_2r,..., a_2r^{c_2-1},...,a_v,a_vr,...,a_vr^{c_v-1}SeqK​(h)=a1​,a1​r,..,a1​rc1​−1,a2​,a2​r,...,a2​rc2​−1,...,av​,av​r,...,av​rcv​−1.

3-5-1-2- Step 2-A- Geometric Sequence Test

Since h(γ0)=ω2h(\gamma^0)=\omega^2h(γ0)=ω2, h(γ1)=ω3h(\gamma^1)=\omega^3h(γ1)=ω3 ,h(γ2)=ω4h(\gamma^2)=\omega^4h(γ2)=ω4 and h(γ3)=...=h(γ8)=0h(\gamma^3)=...=h(\gamma^8)=0h(γ3)=...=h(γ8)=0, then Geometric Sequence Test with a1=ω2a_1=\omega^2a1​=ω2, a2=0a_2=0a2​=0, r=ωr=\omegar=ω, c1=n−t=3c_1=n-t=3c1​=n−t=3 and c2=m−(n−t)=9−3=6c_2=m-(n-t)=9-3=6c2​=m−(n−t)=9−3=6 run. Let pi=∑j<icjp_i=\sum_{j<i}c_jpi​=∑j<i​cj​ for i∈{1,2,..,v}i\in \{1,2,..,v\}i∈{1,2,..,v}. Here vvv is the number of cic_ici​ that are non-zero. Therefore v=2v=2v=2 , p1=0p_1=0p1​=0 and p2=c1=3p_2=c_1=3p2​=c1​=3.

The Prover and the Verifier run ZeroOverKZero\hspace{1mm}Over\hspace{1mm}\mathbb{K}ZeroOverK (see the next section) to check that for all k∈Kk\in\mathbb{K}k∈K, have (h(γk)−rh(k))∏i=1v(k−γpi+ci−1)=0(h(\gamma k)-rh(k))\prod_{i=1}^{v}(k-\gamma^{p_i+c_i-1})=0(h(γk)−rh(k))∏i=1v​(k−γpi​+ci​−1)=0. Here, ZeroOverKZero\hspace{1mm}Over\hspace{1mm}\mathbb{K}ZeroOverK run to check that for all k∈K={1,γ,γ2,..,γ8}k\in\mathbb{K}=\{1,\gamma,\gamma^2,..,\gamma^8\}k∈K={1,γ,γ2,..,γ8}, have (h(γk)−ωh(k))(k−γ2)(k−ω8)=0(h(\gamma k)-\omega h(k))(k-\gamma^2)(k-\omega^8)=0(h(γk)−ωh(k))(k−γ2)(k−ω8)=0. NoteNoteNote: It is clear that if the construction of hhh is correct, it applies this equality, because if k=1k=1k=1, h(γk)=h(γ)=ωh(1)h(\gamma k)=h(\gamma)=\omega h(1)h(γk)=h(γ)=ωh(1) then h(γk)−ωh(k)=0h(\gamma k)-\omega h(k)=0h(γk)−ωh(k)=0. If k=γk=\gammak=γ, h(γk)=h(γ2)=ωh(γ)h(\gamma k)=h(\gamma^2)=\omega h(\gamma)h(γk)=h(γ2)=ωh(γ), then h(γk)−ωh(k)=0h(\gamma k)-\omega h(k)=0h(γk)−ωh(k)=0. If k=γ2k=\gamma^2k=γ2, then k−γ2=0k-\gamma^2=0k−γ2=0. If k=ω3,...,ω7k=\omega^3,...,\omega^7k=ω3,...,ω7, then h(γk)=ωh(k)=0h(\gamma k)=\omega h(k)=0h(γk)=ωh(k)=0 and if k=γ8k=\gamma^8k=γ8, then k−γ8=0k-\gamma^8=0k−γ8=0.

3-5-1-2-Step 2-B- Zero over K

In ZeroOverKZero\hspace{1mm}Over\hspace{1mm}\mathbb{K}ZeroOverK, want to prove that for all k∈Kk\in\mathbb{K}k∈K, F(k)=0F(k)=0F(k)=0 where F(x)=G(x,fj1(α1x),fj2(α2x),...,fjt(αtx))F(x)=G(x,f_{j_1}(\alpha_1x),f_{j_2}(\alpha_2x),...,f_{j_{t}}(\alpha_{t}x))F(x)=G(x,fj1​​(α1​x),fj2​​(α2​x),...,fjt​​(αt​x)). Here F(x)=(h(γx)−ωh(x))(x−γ2)(x−γ8)F(x)=(h(\gamma x)-\omega h(x))(x-\gamma^2)(x-\gamma^8)F(x)=(h(γx)−ωh(x))(x−γ2)(x−γ8), therefore since t=2t=2t=2, F(x)=G(x,fj1(α1x),fj2(α2x))=(h(γx)−ωh(x))(x−γ2)(x−γ8)F(x)=G(x,f_{j_1}(\alpha_1x),f_{j_2}(\alpha_2x))=(h(\gamma x)-\omega h(x))(x-\gamma^2)(x-\gamma^8)F(x)=G(x,fj1​​(α1​x),fj2​​(α2​x))=(h(γx)−ωh(x))(x−γ2)(x−γ8), so h1=fj1=hh_1=f_{j_1}=hh1​=fj1​​=h, h2=fj2=hh_2=f_{j_2}=hh2​=fj2​​=h, α1=γ\alpha_1=\gammaα1​=γ and α2=1\alpha_2=1α2​=1.

2-2-1 The Prover selects polynomials ri∈F<2[x]r_i\in \mathbb{F}^{<2}[x]ri​∈F<2[x], i∈{1,2,..,t}i\in \{1,2,..,t\}i∈{1,2,..,t}. Then computes masks mi(x)=ri(αi−1x)ZK(αi−1x)m_i(x)=r_i(\alpha_i^{-1}x)Z_{\mathbb{K}}(\alpha_i^{-1}x)mi​(x)=ri​(αi−1​x)ZK​(αi−1​x) and computes hi′(x)=hi(x)+mi(x)h'_i(x)=h_i(x)+m_i(x)hi′​(x)=hi​(x)+mi​(x) for i∈{1,2,..,t}i\in\{1,2,..,t\}i∈{1,2,..,t}.

Here, the Prover selects r1,r2r_1,r_2r1​,r2​. For example, let r1(x)=2+xr_1(x)=2+xr1​(x)=2+x and r2(x)=2xr_2(x)=2xr2​(x)=2x. Therefore m1(x)=r1(α1−1x)ZK(α1−1x)m_1(x)=r_1(\alpha_1^{-1}x)Z_{\mathbb{K}}(\alpha_1^{-1}x)m1​(x)=r1​(α1−1​x)ZK​(α1−1​x) where α1=γ=48\alpha_1=\gamma=48α1​=γ=48 and ZK(x)=∏x∈K(x−k)=(x−1)(x−43)(x−39)(x−48)(x−73)(x−62)(x−132)(x−65)(x−80)=x9+180Z_{\mathbb{K}}(x)=\prod_{x\in\mathbb{K}}(x-k)=(x-1)(x-43)(x-39)(x-48)(x-73)(x-62)(x-132)(x-65) (x-80)=x^9+180ZK​(x)=∏x∈K​(x−k)=(x−1)(x−43)(x−39)(x−48)(x−73)(x−62)(x−132)(x−65)(x−80)=x9+180. Therefore m1(x)=r1(80x)ZK(80x)=80x10+2x9+101x+179m_1(x)=r_1(80x)Z_{\mathbb{K}}(80x)=80x^{10}+2x^9+101x+179m1​(x)=r1​(80x)ZK​(80x)=80x10+2x9+101x+179 m2(x)=r2(α2−1x)ZK(α2−1x)=r2(x)ZK(x)=2x(x9+180)=2x10+179xm_2(x)=r_2(\alpha_2^{-1}x)Z_{\mathbb{K}}(\alpha_2^{-1}x)=r_2(x)Z_{\mathbb{K}}(x)=2x(x^9+180)=2x^{10}+179xm2​(x)=r2​(α2−1​x)ZK​(α2−1​x)=r2​(x)ZK​(x)=2x(x9+180)=2x10+179x. Then computes h1′(x)=h1(x)+m1(x)=h(x)+m1(x)=80x10+2x9+121x8+133x7+57x6+127x5+103x4+h'_1(x)=h_1(x)+m_1(x)=h(x)+m_1(x)=80x^{10}+2x^9+121x^8+133x^7+57x^6+127x^5+103x^4+h1′​(x)=h1​(x)+m1​(x)=h(x)+m1​(x)=80x10+2x9+121x8+133x7+57x6+127x5+103x4+ 24x3+128x2+60x+11224x^3+128x^2+60x+11224x3+128x2+60x+112 and h2′(x)=h2(x)+m2(x)=h(x)+m2(x)=2x10+121x8+133x7+h'_2(x)=h_2(x)+m_2(x)=h(x)+m_2(x)=2x^{10}+121x^8+133x^7+h2′​(x)=h2​(x)+m2​(x)=h(x)+m2​(x)=2x10+121x8+133x7+ 57x6+127x5+103x4+24x3+128x2+138x+11457x^6+127x^5+103x^4+24x^3+128x^2+138x+11457x6+127x5+103x4+24x3+128x2+138x+114.

2-2-2- The Prover computes F′(x)=G(x,h1′(α1x),h2′(α2x),...,ht′(αtx))F'(x)=G(x,h'_1(\alpha_1x),h'_2(\alpha_2x),...,h'_t(\alpha_tx))F′(x)=G(x,h1′​(α1​x),h2′​(α2​x),...,ht′​(αt​x)) and q1(x)=F′(x)ZK(x)q_1(x)=\frac{F'(x)}{Z_{\mathbb{K}}(x)}q1​(x)=ZK​(x)F′(x)​ then the Prover sends πPFR1+i=(mi1,...,mideg(mi))\pi_{PFR_{1+i}}=(m_{i1},...,m_{ideg(m_i)})πPFR1+i​​=(mi1​,...,mideg(mi​)​) where mijm_{ij}mij​s are coefficients of polynomial mi(x)m_i(x)mi​(x), πPFR1+t+i=(ri1,...,rideg(ri))\pi_{PFR_{1+t+i}}=(r_{i1},...,r_{ideg(r_i)})πPFR1+t+i​​=(ri1​,...,rideg(ri​)​) where rijr_{ij}rij​s are coefficients of polynomial ri(x)r_i(x)ri​(x) and πPFR2t+2=(q11,...,q1deg(q1))\pi_{PFR_{2t+2}}=(q_{11},...,q_{1deg(q_1)})πPFR2t+2​​=(q11​,...,q1deg(q1​)​) where q1jq_{1j}q1j​s are coefficients of polynomial q1(x)q_1(x)q1​(x)

Here F′(x)=G(x,h1′(43x),h2′(x))=(h1′(43x)−ωh2′(x))(x−γ2)(x−γ8)=64x12+169x11+168x10F'(x)=G(x,h'_1(43x),h'_2(x))=(h'_1(43x)-\omega h'_2(x))(x-\gamma^2)(x-\gamma^8)=64x^{12}+169x^{11}+168x^{10}F′(x)=G(x,h1′​(43x),h2′​(x))=(h1′​(43x)−ωh2′​(x))(x−γ2)(x−γ8)=64x12+169x11+168x10 +51x9+117x3+12x2+13x+130+51x^9+117x^3+12x^2+13x+130+51x9+117x3+12x2+13x+130 and then q1(x)=F′(x)ZK(x)=64x3+169x2+168x+51q_1(x)=\frac{F'(x)}{Z_{\mathbb{K}}(x)}=64x^3+169x^2+168x+51q1​(x)=ZK​(x)F′(x)​=64x3+169x2+168x+51.

.................

3-5-1-2- Step 4- Discrete-log Comparison

AHP Proof

and

Therefore,

and

The Prover obtains

Proof JSON file Example 1

IoT_Manufacturer_Name = "zkIoT" IoT_Device_Name = "MultiSensor" Device_Hardware_Version = "1.0" Firmware_Version = "1.0" Device Picture= <> Lines = [200, 350, 4000-4010]

    {
    "commitmentId": 64-bit,
    "class": 32-bit Integer,
    "input": 4
    "output": 82    
       
    "P_AHP1": 62
    "P_AHP2": [166,121,161,97,149],
    "P_AHP3": [168,141,45,26,63,165,116],
    "P_AHP4": [124,81,137,101,71,178,32],  
    "P_AHP5": [49,157,169,96,80,50,123], 
    "P_AHP6": [32,16,153,20,1,164,45,92],
    "P_AHP7": [115,3,0,0,20,1,0,17,101,0,5],
    "P_AHP8": [100,90,92,134],
    "P_AHP9": [31,127,66,180,143,115],
    "P_AHP10": 70
    "P_AHP11": [105,173,30,40],
    "P_AHP12": [162,82,96,127],
    "P_AHP13": 84
    "P_AHP14": [134,111,161,123,110],
    "P_AHP15": [99,177,50,53,136,143,97,18,37,111,147,18,128,138,53,15,71,98,99,75,75,60,139,92,135,139,16,65,74,4]
    "P_AHP16": 119
    "P_AHP17": 149
      
    "Com_AHP1_x": 4,
    "Com_AHP2_x": 30,
    "Com_AHP3_x": 160,
    "Com_AHP4_x": 69,
    "Com_AHP5_x": 11,
    "Com_AHP6_x": 18,  
    "Com_AHP7_x": 178,
    "Com_AHP8_x": 129,
    "Com_AHP9_x": 33,
    "Com_AHP10_x": 100,
    "Com_AHP11_x": 179,
    "Com_AHP12_x": 169,
    "Com_AHP13_x": 166
}

The Prover sends πPFR2=(179,101,0,0,0,0,0,0,0,2,80)\pi_{PFR_{2}}=(179,101,0,0,0,0,0,0,0,2,80)πPFR2​​=(179,101,0,0,0,0,0,0,0,2,80), πPFR3=(0,179,0,0,0,0,0,0,0,0,2)\pi_{PFR_{3}}=(0,179,0,0,0,0,0,0,0,0,2)πPFR3​​=(0,179,0,0,0,0,0,0,0,0,2) , πPFR4=(2,1)\pi_{PFR_4}=(2,1)πPFR4​​=(2,1), πPFR5=(0,2)\pi_{PFR_5}=(0,2)πPFR5​​=(0,2) and πPFR6=(51,168,169,64)\pi_{PFR_6}=(51,168,169,64)πPFR6​​=(51,168,169,64) to the Verifier.

2-2-3- The Verifier derives hi′=hi+mih'_i=h_i+m_ihi′​=hi​+mi​ through additive homomorphism. Then samples β1\beta_1β1​, β2\beta_2β2​ and ccc of F∗−K\mathbb{F}^{*}-\mathbb{K}F∗−K and sends ccc to the Prover. Suppose β1=65\beta_1=65β1​=65, β2=21\beta_2=21β2​=21 and c=171c=171c=171. The Verifier sends c=171c=171c=171 to the Prover.

2-2-4- The Prover computes q2=r1+cr2+...+ct−1rtq_2=r_1+cr_2+...+c^{t-1}r_tq2​=r1​+cr2​+...+ct−1rt​ and the Verifier derives concrete oracle q2q_2q2​ through additive homomorphism. Here, the Prover computes q2(x)=r1(x)+cr2(x)=2+x+171(2x)=162x+2q_2(x)=r_1(x)+cr_2(x)=2+x+171(2x)=162x+2q2​(x)=r1​(x)+cr2​(x)=2+x+171(2x)=162x+2.

2-2-5- Let M(x)=m1(α1x)+cm2(α2x)+...+ct−1mt(αtx)M(x)=m_1(\alpha_1 x)+cm_2(\alpha_2 x)+...+c^{t-1}m_t(\alpha_t x)M(x)=m1​(α1​x)+cm2​(α2​x)+...+ct−1mt​(αt​x). The Verifier computes ZK(β1)Z_{\mathbb{K}}(\beta_1)ZK​(β1​), ZK(β2)Z_{\mathbb{K}}(\beta_2)ZK​(β2​), queries q1(β1)q_1(\beta_1)q1​(β1​)and q2(β2)q_2(\beta_2)q2​(β2​) and for i∈{1,2,..,t}i\in \{1,2,..,t\}i∈{1,2,..,t}, queries hi′(αiβ1)h'_i(\alpha_i\beta_1)hi′​(αi​β1​) and mi(αiβ2)m_i(\alpha_i\beta_2)mi​(αi​β2​)to compute F′(β1)F'(\beta_1)F′(β1​) and M(β2)M(\beta_2)M(β2​). The Verifier asserts two identities M(β2)−q2(β2)ZK(β2)=0M(\beta_2)-q_2(\beta_2)Z_{\mathbb{K}}(\beta_2)=0M(β2​)−q2​(β2​)ZK​(β2​)=0 and F′(β1)−q1(β1)ZK(β1)=0F'(\beta_1)-q_1(\beta_1)Z_{\mathbb{K}}(\beta_1)=0F′(β1​)−q1​(β1​)ZK​(β1​)=0.

Here, M(x)=m1(α1x)+cm2(α2x)=m1(γx)+171m2(x)=162x10+2x9+19x+179M(x)=m_1(\alpha_1 x)+cm_2(\alpha_2 x)=m_1(\gamma x)+171m_2(x)=162x^{10}+2x^9+19x+179M(x)=m1​(α1​x)+cm2​(α2​x)=m1​(γx)+171m2​(x)=162x10+2x9+19x+179. The Verifier computes ZK(β1)=ZK(65)=659+180=0Z_{\mathbb{K}}(\beta_1)=Z_{\mathbb{K}}(65)=65^9+180=0ZK​(β1​)=ZK​(65)=659+180=0 and ZK(β2)=ZK(21)=219+180=30Z_{\mathbb{K}}(\beta_2)=Z_{\mathbb{K}}(21)=21^9+180=30ZK​(β2​)=ZK​(21)=219+180=30 and queries q1(β1)=86q_1(\beta_1)=86q1​(β1​)=86 and q2(β2)=146q_2(\beta_2)=146q2​(β2​)=146. Also queries values h1′(α1β1)=h1′(γ×65)=h1′(80)=0h'_1(\alpha_1\beta_1)=h'_1(\gamma\times 65)=h'_1(80)=0h1′​(α1​β1​)=h1′​(γ×65)=h1′​(80)=0 , h2′(α2β1)=h2′(65)=0h'_2(\alpha_2\beta_1)=h'_2(65)=0h2′​(α2​β1​)=h2′​(65)=0, m1(α1β2)=m1(γ×21)=m1(179)=147m_1(\alpha_1\beta_2)=m_1(\gamma\times 21)=m_1(179)=147m1​(α1​β2​)=m1​(γ×21)=m1​(179)=147 and m2(α2β2)=m2(21)=174m_2(\alpha_2\beta_2)=m_2(21)=174m2​(α2​β2​)=m2​(21)=174. Then checksM(β2)−q2(β2)ZK(β2)=0M(\beta_2)-q_2(\beta_2)Z_{\mathbb{K}}(\beta_2)=0M(β2​)−q2​(β2​)ZK​(β2​)=0 , that means 36−30×146=36−36≡0(mod181)36-30\times 146=36-36\equiv 0\hspace{1mm}(\textrm{mod}\hspace{1mm}181)36−30×146=36−36≡0(mod181), and F′(β1)−q1(β1)ZK(β1)=0F'(\beta_1)-q_1(\beta_1)Z_{\mathbb{K}}(\beta_1)=0F′(β1​)−q1​(β1​)ZK​(β1​)=0, that means 0−86×0≡0(mod181)0-86\times 0\equiv 0\hspace{1mm}(\textrm{mod}\hspace{1mm}181)0−86×0≡0(mod181).

3- The Prover and the Verifier run SubsetoverKSubset\hspace{1mm}over\hspace{1mm}\mathbb{K}SubsetoverK between rowArow_ArowA​ and hhh to prove that rowA(K)⊂h(K)row_A(\mathbb{K})\subset h(\mathbb{K})rowA​(K)⊂h(K) where rowA(K)={rowA(k):k∈K}row_A(\mathbb{K})=\{row_A(k):\hspace{1mm}k\in\mathbb{K}\}rowA​(K)={rowA​(k):k∈K}and h(K)={h(k):k∈K}h(\mathbb{K})=\{h(k)\hspace{1mm}:\hspace{1mm}k\in\mathbb{K}\}h(K)={h(k):k∈K}.

3-5-1-2- Step 3- Subset over K\mathbb{K}K

4- The Prover and the Verifier run Discrete−logComparisonDiscrete-log\hspace{1mm} ComparisonDiscrete−logComparison between rowArow_ArowA​ and colAcol_AcolA​ as following:

Let parameters (Δ∈F,n=∣H∣)(\Delta \in \mathbb{F}, n = |\mathbb{H}|)(Δ∈F,n=∣H∣) such that ord(Δ)=2nord(\Delta) = 2nord(Δ)=2n and Δ2=ω\Delta^2=\omegaΔ2=ω. Here, ω=59\omega=59ω=59, Δ=56\Delta=56Δ=56 and ord(Δ)=2n=10ord(\Delta)=2n=10ord(Δ)=2n=10.

3-5-1-2- Step 4-Substep A- The Prover interpolates polynomial sss so that agrees with rowAcolA\frac{row_A}{col_A}colA​rowA​​ on K\mathbb{K}K. Then send them to the Verifier.

Here, s(1)=rowA(1)colA(1)=4259≡59(mod181)s(1)=\frac{row_A(1)}{col_A(1)}=\frac{42}{59}\equiv 59\hspace{1mm}(\textrm{mod}\hspace{1mm}181)s(1)=colA​(1)rowA​(1)​=5942​≡59(mod181), s(43)=rowA(43)colA(43)≡125(mod181)s(43)=\frac{row_A(43)}{col_A(43)}\equiv125\hspace{1mm}(\textrm{mod}\hspace{1mm}181)s(43)=colA​(43)rowA​(43)​≡125(mod181), s(39)=rowA(39)colA(39)=135125≡59(mod181)s(39)=\frac{row_A(39)}{col_A(39)}=\frac{135}{125}\equiv59\hspace{1mm}(\textrm{mod}\hspace{1mm}181)s(39)=colA​(39)rowA​(39)​=125135​≡59(mod181), s(48)=rowA(48)colA(48)=4845≡170(mod181)s(48)=\frac{row_A(48)}{col_A(48)}=\frac{48}{45}\equiv 170\hspace{1mm}(\textrm{mod}\hspace{1mm}181)s(48)=colA​(48)rowA​(48)​=4548​≡170(mod181), s(73)=rowA(73)colA(73)=3622≡51(mod181)s(73)=\frac{row_A(73)}{col_A(73)}=\frac{36}{22}\equiv 51\hspace{1mm}(\textrm{mod}\hspace{1mm}181)s(73)=colA​(73)rowA​(73)​=2236​≡51(mod181), s(62)=rowA(62)colA(62)=151166≡2(mod181)s(62)=\frac{row_A(62)}{col_A(62)}=\frac{151}{166}\equiv 2\hspace{1mm}(\textrm{mod}\hspace{1mm}181)s(62)=colA​(62)rowA​(62)​=166151​≡2(mod181), s(132)=rowA(132)colA(132)=2146≡28(mod181)s(132)=\frac{row_A(132)}{col_A(132)}=\frac{21}{46}\equiv 28\hspace{1mm}(\textrm{mod}\hspace{1mm}181)s(132)=colA​(132)rowA​(132)​=4621​≡28(mod181), s(65)=rowA(65)colA(65)=131127≡135(mod181)s(65)=\frac{row_A(65)}{col_A(65)}=\frac{131}{127}\equiv 135\hspace{1mm}(\textrm{mod}\hspace{1mm}181)s(65)=colA​(65)rowA​(65)​=127131​≡135(mod181) and s(80)=rowA(80)colA(80)=640≡154(mod181)s(80)=\frac{row_A(80)}{col_A(80)}=\frac{6}{40}\equiv 154\hspace{1mm}(\textrm{mod}\hspace{1mm}181)s(80)=colA​(80)rowA​(80)​=406​≡154(mod181). Therefore, s(x)=59L1(x)+125L2(x)+59L3(x)+170L4(x)+51L5(x)+2L6(x)+28L7(x)+135L8(x)+s(x)=59L_1(x)+125L_2(x)+59L_3(x)+170L_4(x)+51L_5(x)+2L_6(x)+28L_7(x)+135L_8(x)+s(x)=59L1​(x)+125L2​(x)+59L3​(x)+170L4​(x)+51L5​(x)+2L6​(x)+28L7​(x)+135L8​(x)+ 154L9(x)154L_9(x)154L9​(x).

where L1(x)L_1(x)L1​(x), L2(x)L_2(x)L2​(x) and L3(x)L_3(x)L3​(x) are computed in step 111 and the rest of Li(x)sL_i(x)sLi​(x)s are L4(x)=126x8+75x7+161x6+126x5+75x4+161x3+126x2+75x+161L_4(x)=126x^8+75x^7+161x^6+126x^5+75x^4+161x^3+126x^2+75x+161L4​(x)=126x8+75x7+161x6+126x5+75x4+161x3+126x2+75x+161, L5(x)=169x8+29x7+126x6+148x5+125x4+75x3+45x2+27x+161L_5(x)=169x^8+29x^7+126x^6+148x^5+125x^4+75x^3+45x^2+27x+161L5​(x)=169x8+29x7+126x6+148x5+125x4+75x3+45x2+27x+161, L6(x)=27x8+45x7+75x6+125x5+148x4+126x3+29x2+169x+161L_6(x)=27x^8+45x^7+75x^6+125x^5+148x^4+126x^3+29x^2+169x+161L6​(x)=27x8+45x7+75x6+125x5+148x4+126x3+29x2+169x+161, L7(x)=75x8+126x7+161x6+75x5+126x4+161x3+75x2+126x+161L_7(x)=75x^8+126x^7+161x^6+75x^5+126x^4+161x^3+75x^2+126x+161L7​(x)=75x8+126x7+161x6+75x5+126x4+161x3+75x2+126x+161, L8(x)=148x8+27x7+126x6+45x5+29x4+75x3+169x2+125x+161L_8(x)=148x^8+27x^7+126x^6+45x^5+29x^4+75x^3+169x^2+125x+161L8​(x)=148x8+27x7+126x6+45x5+29x4+75x3+169x2+125x+161and L9(x)=29x8+148x7+75x6+27x5+169x4+126x3+125x2+45x+161L_9(x)=29x^8+148x^7+75x^6+27x^5+169x^4+126x^3+125x^2+45x+161L9​(x)=29x8+148x7+75x6+27x5+169x4+126x3+125x2+45x+161.

Therefore s(x)=41x8+101x7+34x6+38x5+x4+25x3+152x2+123x+87s(x)=41x^8+101x^7+34x^6+38x^5+x^4+25x^3+152x^2+123x+87s(x)=41x8+101x7+34x6+38x5+x4+25x3+152x2+123x+87. The Prover sends s(x)s(x)s(x) to the Verifier.

3-5-1-2- Step 4-Substep B- For b∈{rowA,colA,s}b\in\{row_A, col_A, s\}b∈{rowA​,colA​,s}, the Prover interpolates polynomial b′b'b′ so that for all k∈Kk\in \mathbb{K}k∈K, b′(k)=Δlog⁡ωb(k)b'(k)=\Delta^{\log_{\omega}^{b(k)}}b′(k)=Δlogωb(k)​.

Here, if b=rowAb=row_Ab=rowA​, rowA′(k)=Δlog⁡ωrowA(k)=56log⁡59rowA(k)row'_A(k)=\Delta^{\log_{\omega}^{row_A(k)}}=56^{\log_{59}^{row_A(k)}}rowA′​(k)=ΔlogωrowA​(k)​=56log59rowA​(k)​that means rowA′(1)=56log⁡5942=562≡59(mod181)row'_A(1)=56^{\log_{59}^{42}}=56^2\equiv 59\hspace{1mm}(\textrm{mod}\hspace{1mm}181)rowA′​(1)=56log5942​=562≡59(mod181), rowA′(43)=56log⁡59125=563≡46(mod181)row'_A(43)=56^{\log_{59}^{125}}=56^3\equiv 46\hspace{1mm}(\textrm{mod}\hspace{1mm}181)rowA′​(43)=56log59125​=563≡46(mod181), rowA′(39)=56log⁡59135=564≡42(mod181)row'_A(39)=56^{\log_{59}^{135}}=56^4\equiv 42\hspace{1mm}(\textrm{mod}\hspace{1mm}181)rowA′​(39)=56log59135​=564≡42(mod181), rowA′(48)=56log⁡5948≡49(mod181)row'_A(48)=56^{\log_{59}^{48}} \equiv 49\hspace{1mm}(\textrm{mod}\hspace{1mm}181)rowA′​(48)=56log5948​≡49(mod181), rowA′(73)=56log⁡5936≡114(mod181)row'_A(73)=56^{\log_{59}^{36}} \equiv 114\hspace{1mm}(\textrm{mod}\hspace{1mm}181)rowA′​(73)=56log5936​≡114(mod181), rowA′(62)=56log⁡59151≡(mod181)row'_A(62)=56^{\log_{59}^{151}} \equiv \hspace{1mm}(\textrm{mod}\hspace{1mm}181)rowA′​(62)=56log59151​≡(mod181).\

Therefore rowA′(x)=59L1(x)+46L2(x)+42L3(x)+49L4(x)+114L5(x)+...row'_A(x)=59L_1(x)+46L_2(x)+42L_3(x)+49L_4(x)+114L_5(x)+...rowA′​(x)=59L1​(x)+46L2​(x)+42L3​(x)+49L4​(x)+114L5​(x)+....

if b=colAb=col_Ab=colA​, colA′(k)=Δlog⁡ωcolA(k)=56log⁡59colA(k)col'_A(k)=\Delta^{\log_{\omega}^{col_A(k)}}=56^{\log_{59}^{col_A(k)}}colA′​(k)=ΔlogωcolA​(k)​=56log59colA​(k)​that means colA′(1)=56log⁡5959=561≡56(mod181)col'_A(1)=56^{\log_{59}^{59}}=56^1\equiv 56\hspace{1mm}(\textrm{mod}\hspace{1mm}181)colA′​(1)=56log5959​=561≡56(mod181), colA′(48)=56log⁡591=565≡180(mod181)col'_A(48)=56^{\log_{59}^{1}}=56^5\equiv 180\hspace{1mm}(\textrm{mod}\hspace{1mm}181)colA′​(48)=56log591​=565≡180(mod181) and colA′(132)=56log⁡59125=563≡46(mod181)col'_A(132)=56^{\log_{59}^{125}}=56^3\equiv 46\hspace{1mm}(\textrm{mod}\hspace{1mm}181)colA′​(132)=56log59125​=563≡46(mod181). Therefore colA′(x)=56L1(x)+180L2(x)+46L3(x)=96x2+47x+94col'_A(x)=56L_1(x)+180L_2(x)+46L_3(x)=96x^2+47x+94colA′​(x)=56L1​(x)+180L2​(x)+46L3​(x)=96x2+47x+94.

if b=sb=sb=s, s′(k)=Δlog⁡ωs(k)=56log⁡59s(k)s'(k)=\Delta^{\log_{\omega}^{s(k)}}=56^{\log_{59}^{s(k)}}s′(k)=Δlogωs(k)​=56log59s(k)​that means s′(1)=56log⁡5959=561≡56(mod181)s'(1)=56^{\log_{59}^{59}}=56^1\equiv 56\hspace{1mm}(\textrm{mod}\hspace{1mm}181)s′(1)=56log5959​=561≡56(mod181), s′(48)=56log⁡59125=563≡46(mod181)s'(48)=56^{\log_{59}^{125}}=56^3\equiv 46\hspace{1mm}(\textrm{mod}\hspace{1mm}181)s′(48)=56log59125​=563≡46(mod181) and s′(132)=56log⁡5959=561≡56(mod181)s'(132)=56^{\log_{59}^{59}}=56^1\equiv 56\hspace{1mm}(\textrm{mod}\hspace{1mm}181)s′(132)=56log5959​=561≡56(mod181). Therefore s′(x)=56L1(x)+46L2(x)+56L3(x)=21x2+103x+113s'(x)=56L_1(x)+46L_2(x)+56L_3(x)=21x^2+103x+113s′(x)=56L1​(x)+46L2​(x)+56L3​(x)=21x2+103x+113.

Then the Prover sends rowA′row'_ArowA′​, colA′col'_AcolA′​ and s′s's′ to the Verifier.

3-5-1-2- Step 4-Substep C- The Prover interpolates polynomial hhh so that seqK(h)=1,Δ,Δ2,..,Δn−1,0,0,..,0seq_{\mathbf{K}}(h)=1,\Delta,\Delta^2,..,\Delta^{n-1},0,0,..,0seqK​(h)=1,Δ,Δ2,..,Δn−1,0,0,..,0.

Here seqK(h)=1,56,59,46,42seq_{\mathbf{K}}(h)=1, 56, 59, 46, 42seqK​(h)=1,56,59,46,42.

Since in this example ni=1n_i=1ni​=1, therefore input and output are not vector. So, we denote input by xxx and output by yyy instead of XXX and YYY.

Proof(F181,H={1,59,42,125,135},K={1,49,48,180,132,133},A,B,C,x=4,W=(20,31),y=82)Proof (\mathbb{F}_{181}, \mathbb{H}=\{1,59,42,125,135\}, \mathbb{K}=\{1,49,48,180,132,133\}, A, B, C, x=4,W=(20,31),y=82)Proof(F181​,H={1,59,42,125,135},K={1,49,48,180,132,133},A,B,C,x=4,W=(20,31),y=82)

1- The Prover puts x=4x=4x=4 in ComAHPX1Com_{AHP_X}^1ComAHPX​1​ . We consider z=(1,x,w1,w2,y)z=(1,x,w_1,w_2,y)z=(1,x,w1​,w2​,y) where w1=5xw_1=5xw1​=5x, w2=w1+11w_2=w_1+11w2​=w1​+11 and y=26w2y=26w_2y=26w2​. Therefore z=(1,x,W,y)=(1,4,20,31,82)z=(1,x,W,y)=(1,4,20,31,82)z=(1,x,W,y)=(1,4,20,31,82). The Prover calculates zA=Az=[0000000000010001000000010][14203182]=[004131]z_A=Az=\begin{bmatrix}0&0&0&0&0\\0&0&0&0&0\\0&1&0&0&0\\1&0&0&0&0\\0&0&0&1&0\\ \end{bmatrix}\begin{bmatrix}1\\4\\20\\31\\82\\\end{bmatrix}=\begin{bmatrix}0\\0\\4\\1\\31\\\end{bmatrix}zA​=Az=​00010​00100​00000​00001​00000​​​14203182​​=​004131​​, zB=Bz=[000000000050000110100260000][14203182]=[0053126]z_B=Bz=\begin{bmatrix}0&0&0&0&0\\0&0&0&0&0\\5&0&0&0&0\\11&0&1&0&0\\26&0&0&0&0\\\end{bmatrix}\begin{bmatrix}1\\4\\20\\31\\82\end{bmatrix}=\begin{bmatrix}0\\0\\5\\31\\26\\\end{bmatrix}zB​=Bz=​0051126​00000​00010​00000​00000​​​14203182​​=​0053126​​and zC=Cz=[0000000000001000001000001][14203182]=[00203182]z_C=Cz=\begin{bmatrix}0&0&0&0&0\\0&0&0&0&0\\0&0&1&0&0\\0&0&0&1&0\\0&0&0&0&1\\\end{bmatrix}\begin{bmatrix}1\\4\\20\\31\\82\\\end{bmatrix}=\begin{bmatrix}0\\0\\20\\31\\82\\\end{bmatrix}zC​=Cz=​00000​00000​00100​00010​00001​​​14203182​​=​00203182​​

2- The Prover calculates the polynomial zA(x)z_A(x)zA​(x)using indexing zAz_AzA​ by elements of H\mathbb{H}H that mean zA(x)z_A(x)zA​(x) is the polynomial where zA(1)=0z_A(1)=0zA​(1)=0, zA(59)=0z_A(59)=0zA​(59)=0, zA(42)=4z_A(42)=4zA​(42)=4, zA(125)=1z_A(125)=1zA​(125)=1 and zA(135)=31z_A(135)=31zA​(135)=31.

Then calculates polynomial z^A(x)\hat{z}_A(x)z^A​(x) using the polynomial zA(x)z_A(x)zA​(x) such that z^A(x)∈F<∣H∣+b[x]\hat{z}_A(x)\in \mathbb{F}^{<|\mathbb{H}|+b}[x]z^A​(x)∈F<∣H∣+b[x] that agree with zA(x)z_A(x)zA​(x) on H\mathbb{H}H . Note that values of up to bbb locations in this polynomial reveals no information about the witness wwwprovided the locations are in F−H\mathbb{F}-\mathbb{H}F−H. Here, for simplicity, let b=2b=2b=2. The Prover calculates z^A(x)\hat{z}_A(x)z^A​(x) such that agree with zA(x)z_A(x)zA​(x) on H\mathbb{H}H and also z^A(150)=5\hat{z}_A(150)=5z^A​(150)=5, z^A(80)=47\hat{z}_A(80)=47z^A​(80)=47.

Therefore, we have z^A(x)=4L3(x)+L4(x)+31L5(x)+5L6(x)+47L7(x)\hat{z}_A(x)=4L_3(x)+L_4(x)+31L_5(x)+5L_6(x)+47L_7(x)z^A​(x)=4L3​(x)+L4​(x)+31L5​(x)+5L6​(x)+47L7​(x) where L3(x)=133x6+155x5+117x4+27x3+48x2+73x+171L_3(x)=133x^6+155x^5+117x^4+27x^3+48x^2+73x+171L3​(x)=133x6+155x5+117x4+27x3+48x2+73x+171, L4(x)=4x6+123x5+25x4+48x3+27x2+113x+22L_4(x)=4x^6+123x^5+25x^4+48x^3+27x^2+113x+22L4​(x)=4x6+123x5+25x4+48x3+27x2+113x+22, L5(x)=75x6+115x5+27x4+25x3+117x2+154x+30L_5(x)=75x^6+115x^5+27x^4+25x^3+117x^2+154x+30L5​(x)=75x6+115x5+27x4+25x3+117x2+154x+30, L6(x)=132x6+119x5+49x+62L_6(x)=132x^6+119x^5+49x+62L6​(x)=132x6+119x5+49x+62 and L7(x)=97x6+111x5+84x+70L_7(x)=97x^6+111x^5+84x+70L7​(x)=97x6+111x5+84x+70. So z^A(x)=116x6+165x5+63x4+26x3+45x2+141x+168\hat{z}_A(x)=116x^6+165x^5+63x^4+26x^3+45x^2+141x+168z^A​(x)=116x6+165x5+63x4+26x3+45x2+141x+168.

Similarly, calculates polynomial z^B(x)\hat{z}_B(x)z^B​(x) so that z^B(x)∈F<∣H∣+b[x]\hat{z}_B(x)\in \mathbb{F}^{<|\mathbb{H}|+b}[x]z^B​(x)∈F<∣H∣+b[x] that agree with zB(x)z_B(x)zB​(x) on H\mathbb{H}H that mean z^B(1)=0\hat{z}_B(1)=0z^B​(1)=0, z^B(59)=0\hat{z}_B(59)=0z^B​(59)=0, z^B(42)=5\hat{z}_B(42)=5z^B​(42)=5, z^B(125)=31\hat{z}_B(125)=31z^B​(125)=31, z^B(135)=26\hat{z}_B(135)=26z^B​(135)=26 and also b=2b=2b=2 random locations z^B(150)=15\hat{z}_B(150)=15z^B​(150)=15 and z^B(80)=170\hat{z}_B(80)=170z^B​(80)=170. So, z^B(x)=5L3(x)+31L4(x)+26L5(x)+15L6(x)+170L7(x)=32x6+178x5+71x4+101x3+137x2+81x+124\hat{z}_B(x)=5L_3(x)+31L_4(x)+26L_5(x)+15L_6(x)+170L_7(x)=32x^6+178x^5+71x^4+101x^3+137x^2+81x+124z^B​(x)=5L3​(x)+31L4​(x)+26L5​(x)+15L6​(x)+170L7​(x)=32x6+178x5+71x4+101x3+137x2+81x+124

Similarly, calculates polynomial z^C(x)\hat{z}_C(x)z^C​(x) such that z^C(x)∈F<∣H∣+b[x]\hat{z}_C(x)\in \mathbb{F}^{<|\mathbb{H}|+b}[x]z^C​(x)∈F<∣H∣+b[x] that agree with zC(x)z_C(x)zC​(x) on H\mathbb{H}H that mean z^C(1)=0\hat{z}_C(1)=0z^C​(1)=0, z^C(59)=0\hat{z}_C(59)=0z^C​(59)=0, z^C(42)=20\hat{z}_C(42)=20z^C​(42)=20, z^C(125)=31\hat{z}_C(125)=31z^C​(125)=31, z^C(135)=82\hat{z}_C(135)=82z^C​(135)=82 and also b=2b=2b=2 random locations z^C(150)=1\hat{z}_C(150)=1z^C​(150)=1 and z^C(80)=100\hat{z}_C(80)=100z^C​(80)=100. So z^C(x)=20L3(x)+31L4(x)+82L5(x)+L6(x)+100L7(x)=123x6+50x5+80x4+96x3+169x2+157x+49\hat{z}_C(x)=20L_3(x)+31L_4(x)+82L_5(x)+L_6(x)+100L_7(x)=123x^6+50x^5+80x^4+96x^3+169x^2+157x+49z^C​(x)=20L3​(x)+31L4​(x)+82L5​(x)+L6​(x)+100L7​(x)=123x6+50x5+80x4+96x3+169x2+157x+49

The Prover calculates polynomial W^(x)∈F<ng+b[x]\hat{W}(x)\in \mathbb{F}^{<n_g+b}[x]W^(x)∈F<ng​+b[x] that agree with Wˉ(x)\bar{W}(x)Wˉ(x) on H[>∣x∣+1]\mathbb{H}[>|x|+1]H[>∣x∣+1] where

Wˉ:H[>∣x∣+1]={42,125,135}→F\bar{W}:\mathbb{H}[>|x|+1]=\{42,125,135\}\to \mathbb{F}Wˉ:H[>∣x∣+1]={42,125,135}→F

Wˉ(h)=W(h)−x^(h)vH[≤∣x∣+1](h)\bar{W}(h)=\frac{W(h)-\hat{x}(h)}{v_{\mathbb{H}[\leq |x|+1]}(h)}Wˉ(h)=vH[≤∣x∣+1]​(h)W(h)−x^(h)​

and vH[≤∣x∣+1](h)v_{\mathbb{H}[\leq |x|+1]}(h)vH[≤∣x∣+1]​(h) is vanishing polynomial on H[≤∣x∣+1]={1,59}\mathbb{H}[\leq |x|+1]=\{1,59\}H[≤∣x∣+1]={1,59}, therefore vH[≤∣x∣+1](h)=(h−1)(h−59)v_{\mathbb{H}[\leq |x|+1]}(h)=(h-1)(h-59)vH[≤∣x∣+1]​(h)=(h−1)(h−59). Also x^(h)\hat{x}(h)x^(h) is the polynomial such that x^(1)=1\hat{x}(1)=1x^(1)=1 and x^(59)=4\hat{x}(59)=4x^(59)=4, therefore x^(h)=128h+54\hat{x}(h)=128h+54x^(h)=128h+54. Therefore,

Wˉ(42)=W(42)−x^(42)(42−1)(42−59)=20−0(41)(−17)≡108(mod181)\bar{W}(42)=\frac{W(42)-\hat{x}(42)}{(42-1)(42-59)}=\frac{20-0}{(41)(-17)}\equiv 108\hspace{1mm}(\textrm{mod}\hspace{1mm}181)Wˉ(42)=(42−1)(42−59)W(42)−x^(42)​=(41)(−17)20−0​≡108(mod181), Wˉ(125)=W(125)−x^(125)(125−1)(125−59)=31−126(124)(66)≡160(mod181)\bar{W}(125)=\frac{W(125)-\hat{x}(125)}{(125-1)(125-59)}=\frac{31-126}{(124)(66)}\equiv 160\hspace{1mm}(\textrm{mod}\hspace{1mm}181)Wˉ(125)=(125−1)(125−59)W(125)−x^(125)​=(124)(66)31−126​≡160(mod181) and Wˉ(135)=W(135)−x^(135)(135−1)(135−59)=82−139(134)(76)≡78(mod181)\bar{W}(135)=\frac{W(135)-\hat{x}(135)}{(135-1)(135-59)}=\frac{82-139}{(134)(76)}\equiv 78\hspace{1mm}(\textrm{mod}\hspace{1mm}181)Wˉ(135)=(135−1)(135−59)W(135)−x^(135)​=(134)(76)82−139​≡78(mod181).

Now, calculates W^(x)∈F<ng+b=3+2[x]\hat{W}(x)\in\mathbb{F}^{<n_g+b=3+2}[x]W^(x)∈F<ng​+b=3+2[x] so that W^(42)=108\hat{W}(42)=108W^(42)=108, W^(125)=160\hat{W}(125)=160W^(125)=160 , W^(135)=78\hat{W}(135)=78W^(135)=78 and also b=2b=2b=2 random locations W^(150)=42\hat{W}(150)=42W^(150)=42 and W^(80)=180\hat{W}(80)=180W^(80)=180. Therefore, W^(x)=108L1(x)+160L2(x)+78L3(x)+42L4(x)+180L5(x)\hat{W}(x)=108L_1(x)+160L_2(x)+78L_3(x)+42L_4(x)+180L_5(x)W^(x)=108L1​(x)+160L2​(x)+78L3​(x)+42L4​(x)+180L5​(x) where L1(x)=(x−125)(x−135)(x−150)(x−80)(−83)(−93)(−108)(−38)≡152x4+92x3+73x2+43x+112(mod181)L_1(x)=\frac{(x-125)(x-135)(x-150)(x-80)}{(-83)(-93)(-108)(-38)}\equiv 152x^4+92x^3+73x^2+43x+112\hspace{1mm}(\textrm{mod}\hspace{1mm}181)L1​(x)=(−83)(−93)(−108)(−38)(x−125)(x−135)(x−150)(x−80)​≡152x4+92x3+73x2+43x+112(mod181), L2(x)=156x4+39x3+84x2+86x+171L_2(x)=156x^4+39x^3+84x^2+86x+171L2​(x)=156x4+39x3+84x2+86x+171, L3(x)=161x4+157x3+131x2+159x+6L_3(x)=161x^4+157x^3+131x^2+159x+6L3​(x)=161x4+157x3+131x2+159x+6, L4(x)=60x4+67x3+118x2+50x+20L_4(x)=60x^4+67x^3+118x^2+50x+20L4​(x)=60x4+67x3+118x2+50x+20 and L5(x)=14x4+7x3+137x2+24x+54L_5(x)=14x^4+7x^3+137x^2+24x+54L5​(x)=14x4+7x3+137x2+24x+54. Therefore, W^(x)=149x4+97x3+161x2+121x+166\hat{W}(x)=149x^4+97x^3+161x^2+121x+166W^(x)=149x4+97x3+161x2+121x+166.

3- The Prover finds polynomial h0(x)h_0(x)h0​(x) so that z^A(x)z^B(x)−z^C(x)=h0(x)vH(x)\hat{z}_A(x)\hat{z}_B(x)-\hat{z}_C(x)=h_0(x)v_{\mathbb{H}}(x)z^A​(x)z^B​(x)−z^C​(x)=h0​(x)vH​(x). Since z^A(x)z^B(x)−z^C(x)=\hat{z}_A(x)\hat{z}_B(x)-\hat{z}_C(x)=z^A​(x)z^B​(x)−z^C​(x)= 92x12+45x11+164x10+x9+20x8+61x7+152x6+49x5+180x4+161x3+28x2+165x+14992x^{12}+45x^{11}+164x^{10}+x^9+20x^8+61x^7+152x^6+49x^5+180x^4+161x^3+28x^2+165x+14992x12+45x11+164x10+x9+20x8+61x7+152x6+49x5+180x4+161x3+28x2+165x+149 and vH(x)=∏h∈H(x−h)=(x−1)(x−59)(x−42)(x−125)(x−135)=x5+180v_{\mathbb{H}}(x)=\prod_{h\in\mathbb{H}}(x-h)=(x-1)(x-59)(x-42)(x-125)(x-135)=x^5+180vH​(x)=∏h∈H​(x−h)=(x−1)(x−59)(x−42)(x−125)(x−135)=x5+180, The Prover finds h0(x)=92x7+45x6+164x5+x4+20x3+153x2+16x+32h_0(x)=92x^7+45x^6+164x^5+x^4+20x^3+153x^2+16x+32h0​(x)=92x7+45x6+164x5+x4+20x3+153x2+16x+32.

4- The Prover samples a fully random s(x)∈F<2∣H∣+b−1=11[x]s(x)\in\mathbb{F}^{<2|\mathbb{H}|+b-1=11}[x]s(x)∈F<2∣H∣+b−1=11[x]. Consider s(x)=5x10+101x8+17x7+x5+20x4+3x+115s(x)=5x^{10}+101x^8+17x^7+x^5+20x^4+3x+115s(x)=5x10+101x8+17x7+x5+20x4+3x+115. Then, the Prover computes sum σ1=∑k∈Hs(k)=\sigma_1=\sum_{k\in \mathbb{H}}s(k)=σ1​=∑k∈H​s(k)= s(1)+s(59)+s(42)+s(125)+s(135)=81+47+141+46+109≡62(mod181)s(1)+s(59)+s(42)+s(125)+s(135)=81+47+141+46+109\equiv 62\hspace{1mm}(\hspace{1mm}\textrm{mod}\hspace{1mm}181)s(1)+s(59)+s(42)+s(125)+s(135)=81+47+141+46+109≡62(mod181).

5- The Prover sends ComAHPX2=∑i=0degw^(x)w^ick(i)=30Com_{AHP_X}^2=\sum_{i=0}^{deg_{\hat{w}(x)}}\hat{w}_i\hspace{1mm}ck(i)=30ComAHPX​2​=∑i=0degw^(x)​​w^i​ck(i)=30, ComAHPX3=∑i=0degz^A(x)z^Aick(i)=160Com_{AHP_X}^{3}=\sum_{i=0}^{deg_{\hat{z}_A(x)}}\hat{z}_{A_i}ck(i)=160ComAHPX​3​=∑i=0degz^A​(x)​​z^Ai​​ck(i)=160, ComAHPX4=∑i=0degz^B(x)z^Bick(i)=69Com_{AHP_X}^{4}=\sum_{i=0}^{deg_{\hat{z}_B(x)}}\hat{z}_{B_i}ck(i)=69ComAHPX​4​=∑i=0degz^B​(x)​​z^Bi​​ck(i)=69, ComAHPX5=∑i=0degz^C(x)z^Cick(i)=11Com_{AHP_X}^{5}=\sum_{i=0}^{deg_{\hat{z}_C(x)}}\hat{z}_{C_i}ck(i)=11ComAHPX​5​=∑i=0degz^C​(x)​​z^Ci​​ck(i)=11, ComAHPX6=∑i=0degh0(x)h0ick(i)=18Com_{AHP_X}^{6}=\sum_{i=0}^{deg_{h_0(x)}}h_{0_i}ck(i)=18ComAHPX​6​=∑i=0degh0​(x)​​h0i​​ck(i)=18 and ComAHPX7=∑i=0degs(x)sick(i)=178Com_{AHP_X}^{7}=\sum_{i=0}^{deg_{s(x)}}s_i\hspace{1mm}ck(i)=178ComAHPX​7​=∑i=0degs(x)​​si​ck(i)=178.

6- The Verifier chooses random numbers α\alphaα, ηA\eta_AηA​, ηB\eta_BηB​, ηC\eta_CηC​ and sends them to the Prover. ( Note that the Prover can choose α=hash(s(0))\alpha=hash(s(0))α=hash(s(0)), ηA=hash(s(1))\eta_A=hash(s(1))ηA​=hash(s(1)), ηB=hash(s(2))\eta_B=hash(s(2))ηB​=hash(s(2)), ηC=hash(s(3))\eta_C=hash(s(3))ηC​=hash(s(3)). Let α=10\alpha=10α=10, ηA=2\eta_A=2ηA​=2, ηB=30\eta_B=30ηB​=30 and ηC=100\eta_C=100ηC​=100.

7- The Prover finds polynomials g1(x)g_1(x)g1​(x) and h1(x)h_1(x)h1​(x) such that

s(x)+r(α,x)∑MηMz^M(x)−(∑MηMrM(α,x))z^(x)=h1(x)vH(x)+xg1(x)+σ1∣H∣s(x)+r(\alpha,x)\sum_{M}\eta_M\hat{z}_M(x)-(\sum_{M}\eta_Mr_M(\alpha,x))\hat{z}(x)=h_1(x)v_{\mathbb{H}}(x)+xg_1(x)+\frac{\sigma_1}{|\mathbb{H}|}s(x)+r(α,x)∑M​ηM​z^M​(x)−(∑M​ηM​rM​(α,x))z^(x)=h1​(x)vH​(x)+xg1​(x)+∣H∣σ1​​ (1)(1)(1)

where r(x,y)=uH(x,y)=vH(x)−vH(y)x−yr(x,y)=u_{\mathbb{H}}(x,y)=\frac{v_{\mathbb{H}}(x)-v_{\mathbb{H}}(y)}{x-y}r(x,y)=uH​(x,y)=x−yvH​(x)−vH​(y)​ , vH(x)=∏h∈H(x−h)=x∣H∣−1v_{\mathbb{H}}(x)=\prod_{h\in \mathbb{H}}(x-h)=x^{|\mathbb{H}|}-1vH​(x)=∏h∈H​(x−h)=x∣H∣−1. Therefore r(x,y)=x5−y5x−yr(x,y)=\frac{x^5-y^5}{x-y}r(x,y)=x−yx5−y5​ . Also rM(x,y)=∑k∈Hr(x,k)M^(k,y)r_M(x,y)=\sum_{k\in \mathbb{H}}r(x,k)\hat{M}(k,y)rM​(x,y)=∑k∈H​r(x,k)M^(k,y) for M∈{A,B,C}M\in \{A,B,C\}M∈{A,B,C}.

Now, since ∑MηMz^M(x)=ηAz^A(x)+ηBz^B(x)+ηCz^C(x)=98x6+172x5+120x4+12x3+104x2+131x+87\sum_M\eta_M\hat{z}_M(x)=\eta_A\hat{z}_A(x)+\eta_B\hat{z}_B(x)+\eta_C\hat{z} _C(x)=98x^6+172x^5+120x^4+12x^3+104x^2+131x+87∑M​ηM​z^M​(x)=ηA​z^A​(x)+ηB​z^B​(x)+ηC​z^C​(x)=98x6+172x5+120x4+12x3+104x2+131x+87and r(α,x)=r(10,x)=105−x510−xr(\alpha,x)=r(10,x)=\frac{10^5-x^5}{10-x}r(α,x)=r(10,x)=10−x105−x5​, so the second term of the left of equation (1)(1)(1) is r(α,x)∑MηMz^M(x)=98x10+66x9+56x8+29x7+32x6+153x5+56x4+136x3+123x2+42x+114r(\alpha,x)\sum_M\eta_M\hat{z}_M(x)=98x^{10}+66x^9+56x^8+29x^7+32x^6+153x^5+56x^4+136x^3+123x^2+42x+114r(α,x)∑M​ηM​z^M​(x)=98x10+66x9+56x8+29x7+32x6+153x5+56x4+136x3+123x2+42x+114

Also, z^(x)=W^(x)vH[≤∣x∣+1](x)+x^(x)=(149x4+97x3+161x2+121x+166)(x−1)(x−59)+128x+54=149x6+26x5+55x4+166x3+52x2+22x+74\hat{z}(x)=\hat{W}(x)v_{\mathbb{H}[\leq |x|+1]}(x)+\hat{x}(x)=(149x^4+97x^3+161x^2+121x+166)(x-1)(x-59)+128x+54=149x^6+26x^5+55x^4+166x^3+52x^2+22x+74z^(x)=W^(x)vH[≤∣x∣+1]​(x)+x^(x)=(149x4+97x3+161x2+121x+166)(x−1)(x−59)+128x+54=149x6+26x5+55x4+166x3+52x2+22x+74 that agree with zzz on H\mathbb{H}H. Also, rA(10,x)=∑k∈Hr(10,k)A^(k,x)r_A(10,x)=\sum_{k\in \mathbb{H}}r(10,k)\hat{A}(k,x)rA​(10,x)=∑k∈H​r(10,k)A^(k,x) where A^(x,y)\hat{A}(x,y)A^(x,y) is a polynomial such that A^(42,59)=1\hat{A}(42,59)=1A^(42,59)=1, A^(125,1)=1\hat{A}(125,1)=1A^(125,1)=1, A^(135,125)=1\hat{A}(135,125)=1A^(135,125)=1 and A^(x,y)=0\hat{A}(x,y)=0A^(x,y)=0 for the rest of points in H×H\mathbb{H}\times\mathbb{H}H×H. So, A^(x,y)\hat{A}(x,y)A^(x,y) is a bivariate polynomial that passes from these 25 points. This polynomial can obtain as following: A^(x,y)=∑k∈KuH(x,row^AHPA(k))uH(y,col^AHPA(k))val^AHPA(k)=∑k∈Kx5−row^AHPA(k)5x−row^AHPA(k)y5−col^AHPA(k)5y−col^AHPA(k)val^AHPA(k)\hat{A}(x,y)=\sum_{k\in \mathbb{K}}u_{\mathbb{H}}(x,\hat{row}_{AHP_A}(k))u_{\mathbb{H}}(y,\hat{col}_{AHP_A}(k))\hat{val}_{AHP_A}(k)=\sum_{k\in \mathbb{K}}\frac{x^5-\hat{row}_{AHP_A}(k)^5}{x-\hat{row}_{AHP_A}(k)}\frac{y^5-\hat{col}_{AHP_A}(k)^5}{y-\hat{col}_{AHP_A}(k)}\hat{val}_{AHP_A}(k)A^(x,y)=∑k∈K​uH​(x,row^AHPA​​(k))uH​(y,col^AHPA​​(k))val^AHPA​​(k)=∑k∈K​x−row^AHPA​​(k)x5−row^AHPA​​(k)5​y−col^AHPA​​(k)y5−col^AHPA​​(k)5​val^AHPA​​(k) Therefore, A^(x,y)=5x5−1x−42y5−1y−59+5x5−1x−125y5−1y−1+132x5−1x−135y5−1y−125\hat{A}(x,y)=5\frac{x^5-1}{x-42}\frac{y^5-1}{y-59}+5\frac{x^5-1}{x-125}\frac{y^5-1}{y-1}+132\frac{x^5-1}{x-135}\frac{y^5-1}{y-125}A^(x,y)=5x−42x5−1​y−59y5−1​+5x−125x5−1​y−1y5−1​+132x−135x5−1​y−125y5−1​. So rA(10,x)=∑k∈Hr(10,k)A^(k,x)=70A^(1,x)+13A^(59,x)+150A^(42,x)+26A^(125,x)+147A^(135,x)r_A(10,x)=\sum_{k\in\mathbb{H}}r(10,k)\hat{A}(k,x)=70\hat{A}(1,x)+13\hat{A}(59,x)+150\hat{A}(42,x)+26\hat{A}(125,x)+147\hat{A}(135,x)rA​(10,x)=∑k∈H​r(10,k)A^(k,x)=70A^(1,x)+13A^(59,x)+150A^(42,x)+26A^(125,x)+147A^(135,x)where A^(1,x)=A^(59,x)=0\hat{A}(1,x)=\hat{A}(59,x)=0A^(1,x)=A^(59,x)=0, A^(42,x)=5×82×x5−1x−59=48(x4+59x3+42x2+125x+135)=48x4+117x3+25x2+27x+145\hat{A}(42,x)=5\times82\times\frac{x^5-1}{x-59}=48(x^4+59x^3+42x^2+125x+135)=48x^4+117x^3+25x^2+27x+145A^(42,x)=5×82×x−59x5−1​=48(x4+59x3+42x2+125x+135)=48x4+117x3