The Prover interpolates polynomial h such that seqK(h)=ωt,ωt+1,..,ωn−1,0,..,0. Here t=2 and n=5, therefore seqK(h)=ω2,ω3,ω4,0,..,0. This means that {h(k):k∈K={1,43,39,48,73,62,132,65,80}}={ω2,ω3,ω4,0,..,0}={42,125,135,0,0,0,0,0,0}Therefore h(1)=42, h(43)=125 , h(39)=135, h(48)=h(73)=h(62)=h(132)=h(65)=h(80)=0. So h(x)=42L1(x)+125L2(x)+135L3(x) where L1(x)=(−42)(−38)(−47)(−72)(−61)(−131)(−64)(−79)(x−43)(x−39)(x−48)(x−73)(x−62)(x−132)(x−65)(x−80)=161x8+161x7+161x6+161x5+161x4+161x3+161x2+161x+161,
Therefore h(x)=121x8+133x7+57x6+127x5+103x4+24x3+128x2+140x+114. The Prover sends π1=(h0,h1,...,h8) where hi is coefficients of polynomial h(x) to the Verifier.
3-5-1-2- Step 2
The Prover and the Verifier do GeometricSequenceTest on h (to verify correct construction of polynomial h). In GeometricSequenceTest want to prove that SeqK(h)=a1,a1r,..,a1rc1−1,a2,a2r,...,a2rc2−1,...,av,avr,...,avrcv−1.
3-5-1-2- Step 2-A- Geometric Sequence Test
Since h(γ0)=ω2, h(γ1)=ω3 ,h(γ2)=ω4 and h(γ3)=...=h(γ8)=0, then Geometric Sequence Test with a1=ω2, a2=0, r=ω, c1=n−t=3 and c2=m−(n−t)=9−3=6 run. Let pi=∑j<icj for i∈{1,2,..,v}. Here v is the number of ci that are non-zero. Therefore v=2 , p1=0 and p2=c1=3.
The Prover and the Verifier run ZeroOverK (see the next section) to check that for all k∈K, have (h(γk)−rh(k))∏i=1v(k−γpi+ci−1)=0. Here, ZeroOverK run to check that for all k∈K={1,γ,γ2,..,γ8}, have (h(γk)−ωh(k))(k−γ2)(k−ω8)=0.
Note: It is clear that if the construction of h is correct, it applies this equality, because if k=1, h(γk)=h(γ)=ωh(1) then h(γk)−ωh(k)=0. If k=γ, h(γk)=h(γ2)=ωh(γ), then h(γk)−ωh(k)=0. If k=γ2, then k−γ2=0. If k=ω3,...,ω7, then h(γk)=ωh(k)=0 and if k=γ8, then k−γ8=0.
3-5-1-2-Step 2-B- Zero over K
In ZeroOverK, want to prove that for all k∈K, F(k)=0 where F(x)=G(x,fj1(α1x),fj2(α2x),...,fjt(αtx)). Here F(x)=(h(γx)−ωh(x))(x−γ2)(x−γ8), therefore since t=2, F(x)=G(x,fj1(α1x),fj2(α2x))=(h(γx)−ωh(x))(x−γ2)(x−γ8), so h1=fj1=h, h2=fj2=h, α1=γ and α2=1.
2-2-1 The Prover selects polynomials ri∈F<2[x], i∈{1,2,..,t}. Then computes masks mi(x)=ri(αi−1x)ZK(αi−1x) and computes hi′(x)=hi(x)+mi(x) for i∈{1,2,..,t}.
Here, the Prover selects r1,r2. For example, let r1(x)=2+x and r2(x)=2x. Therefore m1(x)=r1(α1−1x)ZK(α1−1x) where α1=γ=48 and ZK(x)=∏x∈K(x−k)=(x−1)(x−43)(x−39)(x−48)(x−73)(x−62)(x−132)(x−65)(x−80)=x9+180. Therefore m1(x)=r1(80x)ZK(80x)=80x10+2x9+101x+179m2(x)=r2(α2−1x)ZK(α2−1x)=r2(x)ZK(x)=2x(x9+180)=2x10+179x. Then computes h1′(x)=h1(x)+m1(x)=h(x)+m1(x)=80x10+2x9+121x8+133x7+57x6+127x5+103x4+24x3+128x2+60x+112 and h2′(x)=h2(x)+m2(x)=h(x)+m2(x)=2x10+121x8+133x7+57x6+127x5+103x4+24x3+128x2+138x+114.
2-2-2- The Prover computes F′(x)=G(x,h1′(α1x),h2′(α2x),...,ht′(αtx)) and q1(x)=ZK(x)F′(x) then the Prover sends πPFR1+i=(mi1,...,mideg(mi)) where mijs are coefficients of polynomial mi(x), πPFR1+t+i=(ri1,...,rideg(ri)) where rijs are coefficients of polynomial ri(x) and πPFR2t+2=(q11,...,q1deg(q1)) where q1js are coefficients of polynomial q1(x)
Here F′(x)=G(x,h1′(43x),h2′(x))=(h1′(43x)−ωh2′(x))(x−γ2)(x−γ8)=64x12+169x11+168x10+51x9+117x3+12x2+13x+130
and then q1(x)=ZK(x)F′(x)=64x3+169x2+168x+51.
The Prover sends πPFR2=(179,101,0,0,0,0,0,0,0,2,80), πPFR3=(0,179,0,0,0,0,0,0,0,0,2) , πPFR4=(2,1), πPFR5=(0,2) and πPFR6=(51,168,169,64) to the Verifier.
2-2-3- The Verifier derives hi′=hi+mi through additive homomorphism. Then samples β1, β2 and c of F∗−K and sends c to the Prover. Suppose β1=65, β2=21 and c=171. The Verifier sends c=171 to the Prover.
2-2-4- The Prover computes q2=r1+cr2+...+ct−1rt and the Verifier derives concrete oracle q2 through additive homomorphism. Here, the Prover computes q2(x)=r1(x)+cr2(x)=2+x+171(2x)=162x+2.
2-2-5- Let M(x)=m1(α1x)+cm2(α2x)+...+ct−1mt(αtx). The Verifier computes ZK(β1), ZK(β2), queries q1(β1)and q2(β2) and for i∈{1,2,..,t}, queries hi′(αiβ1) and mi(αiβ2)to compute F′(β1) and M(β2). The Verifier asserts two identities M(β2)−q2(β2)ZK(β2)=0 and F′(β1)−q1(β1)ZK(β1)=0.
Here, M(x)=m1(α1x)+cm2(α2x)=m1(γx)+171m2(x)=162x10+2x9+19x+179. The Verifier computes ZK(β1)=ZK(65)=659+180=0 and ZK(β2)=ZK(21)=219+180=30 and queries q1(β1)=86 and q2(β2)=146. Also queries values h1′(α1β1)=h1′(γ×65)=h1′(80)=0 , h2′(α2β1)=h2′(65)=0, m1(α1β2)=m1(γ×21)=m1(179)=147 and m2(α2β2)=m2(21)=174. Then checksM(β2)−q2(β2)ZK(β2)=0 , that means 36−30×146=36−36≡0(mod181), and F′(β1)−q1(β1)ZK(β1)=0, that means 0−86×0≡0(mod181).
3- The Prover and the Verifier run SubsetoverK between rowA and h to prove that rowA(K)⊂h(K) where rowA(K)={rowA(k):k∈K}and h(K)={h(k):k∈K}.
3-5-1-2- Step 3- Subset over K
.................
4- The Prover and the Verifier run Discrete−logComparison between rowA and colA as following:
3-5-1-2- Step 4- Discrete-log Comparison
Let parameters (Δ∈F,n=∣H∣) such that ord(Δ)=2n and Δ2=ω.
Here, ω=59, Δ=56 and ord(Δ)=2n=10.
3-5-1-2- Step 4-Substep A- The Prover interpolates polynomial s so that agrees with colArowA on K. Then send them to the Verifier.
where L1(x), L2(x) and L3(x) are computed in step 1 and the rest of Li(x)s are
L4(x)=126x8+75x7+161x6+126x5+75x4+161x3+126x2+75x+161,
L5(x)=169x8+29x7+126x6+148x5+125x4+75x3+45x2+27x+161,
L6(x)=27x8+45x7+75x6+125x5+148x4+126x3+29x2+169x+161,
L7(x)=75x8+126x7+161x6+75x5+126x4+161x3+75x2+126x+161,
L8(x)=148x8+27x7+126x6+45x5+29x4+75x3+169x2+125x+161and
L9(x)=29x8+148x7+75x6+27x5+169x4+126x3+125x2+45x+161.
Therefore s(x)=41x8+101x7+34x6+38x5+x4+25x3+152x2+123x+87. The Prover sends s(x) to the Verifier.
3-5-1-2- Step 4-Substep B- For b∈{rowA,colA,s}, the Prover interpolates polynomial b′ so that for all k∈K, b′(k)=Δlogωb(k).
Here, if b=rowA, rowA′(k)=ΔlogωrowA(k)=56log59rowA(k)that means rowA′(1)=56log5942=562≡59(mod181), rowA′(43)=56log59125=563≡46(mod181),
rowA′(39)=56log59135=564≡42(mod181), rowA′(48)=56log5948≡49(mod181),
rowA′(73)=56log5936≡114(mod181), rowA′(62)=56log59151≡(mod181).\
if b=colA, colA′(k)=ΔlogωcolA(k)=56log59colA(k)that means colA′(1)=56log5959=561≡56(mod181), colA′(48)=56log591=565≡180(mod181) and colA′(132)=56log59125=563≡46(mod181). Therefore colA′(x)=56L1(x)+180L2(x)+46L3(x)=96x2+47x+94.
if b=s, s′(k)=Δlogωs(k)=56log59s(k)that means s′(1)=56log5959=561≡56(mod181), s′(48)=56log59125=563≡46(mod181) and s′(132)=56log5959=561≡56(mod181). Therefore s′(x)=56L1(x)+46L2(x)+56L3(x)=21x2+103x+113.
Then the Prover sends rowA′, colA′ and s′ to the Verifier.
3-5-1-2- Step 4-Substep C- The Prover interpolates polynomial h so that seqK(h)=1,Δ,Δ2,..,Δn−1,0,0,..,0.
Here seqK(h)=1,56,59,46,42.
AHP Proof
Since in this example ni=1, therefore input and output are not vector. So, we denote input by x and output by y instead of X and Y.
1- The Prover puts x=4 in ComAHPX1 . We consider z=(1,x,w1,w2,y) where w1=5x, w2=w1+11 and y=26w2. Therefore z=(1,x,W,y)=(1,4,20,31,82). The Prover calculates zA=Az=000100010000000000010000014203182=004131, zB=Bz=00511260000000010000000000014203182=0053126and zC=Cz=000000000000100000100000114203182=00203182
2- The Prover calculates the polynomial zA(x)using indexing zA by elements of H that mean zA(x) is the polynomial where zA(1)=0, zA(59)=0, zA(42)=4, zA(125)=1 and zA(135)=31.
Then calculates polynomial z^A(x) using the polynomial zA(x) such that z^A(x)∈F<∣H∣+b[x] that agree with zA(x) on H . Note that values of up to b locations in this polynomial reveals no information about the witness wprovided the locations are in F−H.
Here, for simplicity, let b=2. The Prover calculates z^A(x) such that agree with zA(x) on H and also z^A(150)=5, z^A(80)=47.
Therefore, we have z^A(x)=4L3(x)+L4(x)+31L5(x)+5L6(x)+47L7(x) where L3(x)=133x6+155x5+117x4+27x3+48x2+73x+171, L4(x)=4x6+123x5+25x4+48x3+27x2+113x+22, L5(x)=75x6+115x5+27x4+25x3+117x2+154x+30, L6(x)=132x6+119x5+49x+62 and L7(x)=97x6+111x5+84x+70.
So z^A(x)=116x6+165x5+63x4+26x3+45x2+141x+168.
Similarly, calculates polynomial z^B(x) so that z^B(x)∈F<∣H∣+b[x] that agree with zB(x) on H that mean z^B(1)=0, z^B(59)=0, z^B(42)=5, z^B(125)=31, z^B(135)=26 and also b=2 random locations z^B(150)=15 and z^B(80)=170. So, z^B(x)=5L3(x)+31L4(x)+26L5(x)+15L6(x)+170L7(x)=32x6+178x5+71x4+101x3+137x2+81x+124
Similarly, calculates polynomial z^C(x) such that z^C(x)∈F<∣H∣+b[x] that agree with zC(x) on H that mean z^C(1)=0, z^C(59)=0, z^C(42)=20, z^C(125)=31, z^C(135)=82 and also b=2 random locations z^C(150)=1 and z^C(80)=100. So z^C(x)=20L3(x)+31L4(x)+82L5(x)+L6(x)+100L7(x)=123x6+50x5+80x4+96x3+169x2+157x+49
The Prover calculates polynomial W^(x)∈F<ng+b[x] that agree with Wˉ(x) on H[>∣x∣+1] where
Wˉ:H[>∣x∣+1]={42,125,135}→F
Wˉ(h)=vH[≤∣x∣+1](h)W(h)−x^(h)
and vH[≤∣x∣+1](h) is vanishing polynomial on H[≤∣x∣+1]={1,59}, therefore vH[≤∣x∣+1](h)=(h−1)(h−59). Also x^(h) is the polynomial such that x^(1)=1 and x^(59)=4, therefore x^(h)=128h+54. Therefore,
Wˉ(42)=(42−1)(42−59)W(42)−x^(42)=(41)(−17)20−0≡108(mod181), Wˉ(125)=(125−1)(125−59)W(125)−x^(125)=(124)(66)31−126≡160(mod181) and Wˉ(135)=(135−1)(135−59)W(135)−x^(135)=(134)(76)82−139≡78(mod181).
Now, calculates W^(x)∈F<ng+b=3+2[x] so that W^(42)=108, W^(125)=160 , W^(135)=78 and also b=2 random locations W^(150)=42 and W^(80)=180. Therefore, W^(x)=108L1(x)+160L2(x)+78L3(x)+42L4(x)+180L5(x) where L1(x)=(−83)(−93)(−108)(−38)(x−125)(x−135)(x−150)(x−80)≡152x4+92x3+73x2+43x+112(mod181),
L2(x)=156x4+39x3+84x2+86x+171, L3(x)=161x4+157x3+131x2+159x+6,
L4(x)=60x4+67x3+118x2+50x+20 and L5(x)=14x4+7x3+137x2+24x+54. Therefore,
W^(x)=149x4+97x3+161x2+121x+166.
3- The Prover finds polynomial h0(x) so that z^A(x)z^B(x)−z^C(x)=h0(x)vH(x). Since z^A(x)z^B(x)−z^C(x)=92x12+45x11+164x10+x9+20x8+61x7+152x6+49x5+180x4+161x3+28x2+165x+149 and vH(x)=∏h∈H(x−h)=(x−1)(x−59)(x−42)(x−125)(x−135)=x5+180, The Prover finds
h0(x)=92x7+45x6+164x5+x4+20x3+153x2+16x+32.
4- The Prover samples a fully random s(x)∈F<2∣H∣+b−1=11[x]. Consider s(x)=5x10+101x8+17x7+x5+20x4+3x+115. Then, the Prover computes sum σ1=∑k∈Hs(k)=s(1)+s(59)+s(42)+s(125)+s(135)=81+47+141+46+109≡62(mod181).
5- The Prover sends ComAHPX2=∑i=0degw^(x)w^ick(i)=30,
ComAHPX3=∑i=0degz^A(x)z^Aick(i)=160, ComAHPX4=∑i=0degz^B(x)z^Bick(i)=69,
ComAHPX5=∑i=0degz^C(x)z^Cick(i)=11, ComAHPX6=∑i=0degh0(x)h0ick(i)=18 and
ComAHPX7=∑i=0degs(x)sick(i)=178.
6- The Verifier chooses random numbers α, ηA, ηB, ηC and sends them to the Prover. ( Note that the Prover can choose α=hash(s(0)), ηA=hash(s(1)), ηB=hash(s(2)), ηC=hash(s(3)). Let α=10, ηA=2, ηB=30 and ηC=100.
7- The Prover finds polynomials g1(x) and h1(x) such that
where r(x,y)=uH(x,y)=x−yvH(x)−vH(y) , vH(x)=∏h∈H(x−h)=x∣H∣−1. Therefore r(x,y)=x−yx5−y5 . Also rM(x,y)=∑k∈Hr(x,k)M^(k,y) for M∈{A,B,C}.
Now, since ∑MηMz^M(x)=ηAz^A(x)+ηBz^B(x)+ηCz^C(x)=98x6+172x5+120x4+12x3+104x2+131x+87and r(α,x)=r(10,x)=10−x105−x5, so the second term of the left of equation (1) is r(α,x)∑MηMz^M(x)=98x10+66x9+56x8+29x7+32x6+153x5+56x4+136x3+123x2+42x+114
Also, z^(x)=W^(x)vH[≤∣x∣+1](x)+x^(x)=(149x4+97x3+161x2+121x+166)(x−1)(x−59)+128x+54=149x6+26x5+55x4+166x3+52x2+22x+74 that agree with z on H. Also, rA(10,x)=∑k∈Hr(10,k)A^(k,x) where A^(x,y) is a polynomial such that A^(42,59)=1, A^(125,1)=1, A^(135,125)=1 and A^(x,y)=0 for the rest of points in H×H. So, A^(x,y) is a bivariate polynomial that passes from these 25 points. This polynomial can obtain as following:
A^(x,y)=∑k∈KuH(x,row^AHPA(k))uH(y,col^AHPA(k))val^AHPA(k)=∑k∈Kx−row^AHPA(k)x5−row^AHPA(k)5y−col^AHPA(k)y5−col^AHPA(k)5val^AHPA(k)
Therefore, A^(x,y)=5x−42x5−1y−59y5−1+5x−125x5−1y−1y5−1+132x−135x5−1y−125y5−1. So rA(10,x)=∑k∈Hr(10,k)A^(k,x)=70A^(1,x)+13A^(59,x)+150A^(42,x)+26A^(125,x)+147A^(135,x)where A^(1,x)=A^(59,x)=0, A^(42,x)=5×82×x−59x5−1=48(x4+59x3+42x2+125x+135)=48x4+117x3+25x2+27x+145, A^(125,x)=5×29×x−1x5−1=145(x4+x3+x2+x+1)=145x4+145x3+145x2+145x+145, A^(135,x)=132×114×x−125x5−1=25(x4+125x3+59x2+135x+42)=25x4+48x3+27x2+117x+145
Now, calculates B^(x,y) similarly as following:
B^(x,y)=∑k∈KuH(x,row^AHPB(k))uH(y,col^AHPB(k))val^AHPB(k)=∑k∈Kx−row^AHPB(k)x5−row^AHPB(k)5y−col^AHPB(k)y5−col^AHPB(k)5val^AHPB(k)
Therefore, B^(x,y)=117x−42x5−1y−1y5−1+55x−125x5−1y−1y5−1+29x−125x5−1y−42y5−1+68x−135x5−1y−1y5−1. So, rB(10,x)=∑k∈Hr(10,k)B^(k,x)=70B^(1,x)+13B^(59,x)+150B^(42,x)+26B^(125,x)+147B^(135,x)
where B^(1,x)=B^(59,x)=0, B^(42,x)=117×82×x−1x5−1=1×(x4+x3+x2+x+1)=x4+x3+x2+x+1, B^(125,x)=55×29×x−1x5−1+29×29×x−42x5−1=147(x4+x3+x2+x+1)+117(x4+42x3+135x2+59x+125)=83x4+174x3+14x2+172x+111and B^(135,x)=68×114×x−1x5−1=150(x4+x3+x2+x+1)=150x4+150x3+150x2+150x+150
Now, calculates C^(x,y) similarly as following:
C^(x,y)=∑k∈KuH(x,row^AHPC(k))uH(y,col^AHPC(k))val^AHPC(k)=∑k∈Kx−row^AHPC(k)x5−row^AHPC5(k)y−col^AHPC(k)y5−col^AHPC5(k)val^AHPC(k)
Therefore, C^(x,y)=114x−42x5−1y−42y5−1+82x−125x5−1y−125y5−1+5x−135x5−1y−135y5−1. So, rC(10,x)=70C^(1,x)+13C^(59,x)+150C^(42,x)+26C^(125,x)+147C^(135,x) where C^(1,x)=C^(59,x)=0, C^(42,x)=114×82×x−42x5−1=117(x4+42x3+135x2+59x+125)=117x4+27x3+48x2+25x+145, C^(125,x)=82×29×x−125x5−1=25(x4+125x3+59x2+135x+42)=25x4+48x3+27x2+117x+145and C^(135,x)=5×114×x−135x5−1=27(x4+135x3+125x2+42x+59)=27x4+25x3+117x2+48x+145
Therefore, the third term of the left of equation (1) is
Therefore, the left of equation (1) is s(x)+r(α,x)∑MηMz^M(x)−(∑MηMrM(α,x))z^(x)=115x10+143x9+180x8+66x7+127x6+97x5+172x4+93x3+24x2+154x+90
Now, the Prover finds polynomials g1(x) and h1(x) such that h1(x)vH(x)+xg1(x)+∣H∣σ1=115x10+143x9+180x8+66x7+127x6+97x5+172x4+93x3+24x2+154x+90
that means, the Prover finds polynomials g1(x) and h1(x) such that h1(x)(x5+180)+xg1(x)+121=115x10+143x9+180x8+66x7+127x6+97x5+172x4+93x3+24x2+154x+90
In this case, polynomials g1(x)=134x3+92x2+90x+100 and h1(x)=115x5+143x4+180x3+66x2+127x+31 are obtained. The Prover sends ,
ComAHPX8=∑i=0degg1(x)g1ick(i)=129 and ComAHPX9=∑i=0degh1(x)h1ick(i)=33 to the Verifier where g1i is coefficient of xi of polynomial g1(x) and h1i is coefficient of xi of polynomial h1(x).
8- The Verifier selects β1∈F−H and sends it to the Prover. (The Prover can selects β1=hash(s(8))). Let β1=22.
9- The Prover calculates σ2=∑k∈Hr(α,k)∑MηMM^(k,β1)=r(10,1)∑MηMM^(1,22)+r(10,59)∑MηMM^(59,22)+r(10,42)∑MηMM^(42,22)+r(10,125)∑MηMM^(125,22)+r(10,135)∑MηMM^(135,22)
that is σ2=70×0+13×0+150×135+26×88+147×22=70.
Then, the Prover finds g2(x) and h2(x) such that r(α,x)∑MηMM^(x,β1)=h2(x)vH(x)+xg2(x)+∣H∣σ2
where r(α,x)∑MηMM^(x,β1)=r(10,x)(2A^(x,22)+30B^(x,22)+100C^(x,22)) whereA^(x,22)=5x−42x5−122−59225−1+5x−125x5−122−1225−1+132x−135x5−122−125225−1=159x−42x5−1+56x−125x5−1+114x−135x5−1=159(x4+42x3+135x2+59x+125)+56(x4+125x3+59x2+135x+42)+114(x4+135x3+125x2+42x+59)=148x4+108x3+104x2+9x+174,B^(x,22)=117x−42x5−122−1225−1+55x−125x5−122−1225−1+29x−125x5−122−42225−1+68x−135x5−122−1225−1=146x4+37x3+95x2+100x+165and C^(x,22)=114x−42x5−122−42225−1+82x−125x5−122−125225−1+5x−135x5−122−135225−1=6(x4+42x3+135x2+59x+125)+5(x4+125x3+59x2+135x+42)+177(x4+135x3+125x2+42x+59)=7x4+156x3+62x2+137x
Hence, the Prover finds g2(x)=40x3+30x2+173x+105 and h2(x)=127x3+96x2+82x+162 such that h2(x)vH(x)+xg2(x)+∣H∣σ2=h2(x)(x5+180)+xg2(x)+570=127x8+96x7+82x6+162x5+40x4+84x3+77x2+23x+33
The Prover sends , ComAHPX10=∑i=0degg2(x)g2ick(i)=100 and
ComAHPX11=∑i=0degh2(x)h2ick(i)=179 where g2i is coefficient of xi of polynomial g2(x) and h2i is coefficient of xi of polynomial h2(x).
10- The Verifier selects β2∈F−H and sends it to the Prover. For example β2=80.
11- The Prover calculates σ3=∑k∈K(∑MηM(β2−rowM′^(k))(β1−colM′^(k))vH(β2)vH(β1)valM′^(k))=(238×14472×18×5+3038×2172×18×117+10038×16172×18×114)+(2136×2172×18×5+30136×2172×18×55+100136×7872×18×82)+(2126×7872×18×132+30136×16172×18×29+100126×6872×18×5)+(30126×2172×18×68)=84 Then, the Prover finds polynomials g3(x) and h3(x) such that h3(x)vK(x)=a(x)−b(x)(xg3(x)+∣K∣σ3) where a(x)=∑M∈{A,B,C}ηMvH(β2)vH(β1)val^AHPM(x)∏N∈{A,B,C}−{M}(β2−row^AHPN(x))(β1−col^AHPN(x))and b(x)=∏M∈{A,B,C}(β2−row^AHPM(x))(β1−col^AHPM(x)).
Therefore, since vH(β1)=225+180=18 and vH(β2)=805+180=72 ,
The Prover sends , ComAHPX12=∑i=0degg3(x)g3ick(i)=169 and ComAHPX13=∑i=0degh3(x)h3ick(i)=166
where g3i is coefficient of xi of polynomial g3(x) and h3i is coefficient of xi of polynomial h3(x).
12- The Prover sends πAHP1=62, πAHP2=(166,121,161,97,149), πAHP3=(168,141,45,26,63,165,116), πAHP4=(124,81,137,101,71,178,32), πAHP5=(49,157,169,96,80,50,123), πAHP6=(32,16,153,20,1,164,45,92) and πAHP7=(115,3,0,0,20,1,0,17,101,0,5)
to the Verifier that are value of σ1, coefficients of polynomials W^(x), z^A(x), z^B(x), z^C(x),h0(x) and s(x), respectively.
13- The Prover sends πAHP8=(100,90,92,134) and πAHP9=(31,127,66,180,143,115) to the Verifier that are coefficients of polynomials g1(x) and h1(x), respectively.
14-The Prover sends πAHP10=70, πAHP11=(105,173,30,40) and πAHP12=(162,82,96,127) that are value of σ2 and coefficients of polynomials g2(x) and h2(x), respectively.
15- The Prover sends πAHP13=84, πAHP14=(134,111,161,123,110) and
that are value of σ3 and coefficients of polynomials g3(x) and h3(x), respectively.
16- The Prover chooses random values ηw^, ηz^A, ηz^B, ηz^C, ηh0, ηs, ηg1, ηh1, ηg2, ηh2, ηg3 and ηh3 of F. For example, ηw^=1, ηz^A=4, ηz^B=10, ηz^C=8, ηh0=32, ηs=45, ηg1=92, ηh1=11, ηg2=1, ηh2=5, ηg3=25 and ηh3=63.
17- The Prover calculates the linear combinationp(x)=ηw^w^(x)+ηz^Az^A(x)+ηz^Bz^B(x)+ηz^Cz^C(x)+ηh0h0(x)+ηss(x)+ηg1g1(x)+ηh1h1(x)+ηg2g2(x)+ηh2h2(x)+ηg3g3(x)+ηh3h3(x).
18- The Prover calculates p(x) in x=x′ (value of x′ is received from the Verifier), then puts it in πAHP16 . Therefore πAHP16=p(x′)=y′. For example, if x′=2, then πAHP16=p(2)=119.
19- The Prover computes πAHP17=PC.Eval(ck,p(x),dp,rp,x′) where dp is degree bound of p(x) and rp is a random value.
For example, if the polynomial commitment scheme KZG is used, then the Prover builds polynomial
q(x)=x−x′p(x)−y′=x−2p(x)−119=71x28+98x27+128x26+178x25+63x24+124x23+71x22+30x21+39x20+97x19+32x18+147x17+133x16+33x15+106x14+112x13+49x12+17x11+82x10+57x9+48x8+94x7+144x6+14x5+154x4+135x3+32x2+101x+93
and calculates πAHP17=gq(τ) by using ck as following:
πAHP17=∑i=0degq(x)qick(i)=149 where qi is the coefficient of xi of q(x).