Notations & Definitions

This page is a glossary for notation and concepts present in the documentation.

Sets and Groups #

  • Z\mathbb{Z} is the set of integers, {,2,2,1,0,1,2,}\{\dots, -2, -2, -1, 0, 1, 2, \dots\}.

  • N\mathbb{N} is the set of integers greater than or equal to 0, {0,1,2,}\{0,1,2,\dots\}.

  • [n][n] is the finite set of integers {1,,n}\{1, \dots ,n\}.

  • Zn\mathbb{Z}_n are the integers modulo nn, a set associated with the equivalence classes of integers {0,1,,n1}\{0,1, \dots ,n−1\}.

  • Zn\mathbb{Z}_n^∗ is the multiplicative group of integers modulo nn: an element ee from Zn\mathbb{Z}_n is in Zn\mathbb{Z}_n^∗ iff gcd(e,n)=1\gcd(e,n)=1, that is Zn={eZn:gcd(e,n)=1}\mathbb{Z}_n^* = \{e \in \mathbb{Z}_n: \gcd(e, n) = 1 \}. When nn is prime, then Zn={1,,n1}\mathbb{Z}_n^* = \{1, \dots, n-1\}.

  • Fp\mathbb{F}_p is the finite field of order pp; when pp is a prime number, these are the integers modulo pp, Zp\mathbb{Z}_p; when pp is a prime power qkq^k, these are Galois fields.

  • S|S| is the order of a set SS, i.e., its number of elements. For example, Zn=Φ(n)|\mathbb{Z}_n^*| = \Phi(n), and for a prime nn, Zn=n1|\mathbb{Z}^*_n| = n - 1.

  • L\mathcal{L}: An evaluation domain, typically used in FFT-based polynomial commitment schemes (e.g., domains of size a power of two).

  • R\mathcal{R}: A relation or constraint system, such as an R1CS (Rank-1 Constraint System).

  • RS\mathsf{RS}: Reed-Solomon codes.

Vectors #

  • aZqn\bm{a} \in \mathbb{Z}_q^n is a vector (a1,,an)(a_1, \dots ,a_n) with aiZqa_i \in \mathbb{Z}_q for all ii.

  • cac \cdot \bm{a} denotes the scalar product (ca1,,can)(c \cdot a_1, \cdots ,c \cdot a_n).

  • a,b\lang \bm{a}, \bm{b} \rang denotes the inner product i=1n=aibi\sum_{i = 1}^n = a_i \cdot b_i

Sampling #

In protocol specifications, we will often need to uniformly sample elements from sets. We will use the following notation:

  • x$Xx \stackrel{\$}{\leftarrow} X, where xx is uniformly sampled from the set XX.

Assertions #

We will use assertions in protocol descriptions. When the assertions do not hold, the protocol must abort to avoid leaking secret information.

  • a=?ba\stackrel{?}=b, requires a=ba=b, and aborts otherwise

  • a>?ba \stackrel{?}> b, requires a>ba>b, and aborts otherwise

  • a?Sa \stackrel{?}\in S, requires that aa is in the set SS, and aborts otherwise.

Hash Functions #

  • Hash()\mathsf{Hash}(\cdot) is a cryptographically secure domain-separated hash function.

  • Hash()[0:k]\mathsf{Hash}(\cdot)[0:k] is a cryptographically secure domain-separated hash function with specific output-size of kk-bits.

Special Functions

  • deg(f)\deg(f): The degree of a polynomial ff, i.e., the highest exponent with non-zero coefficient in ff.

  • logx\log x: The logarithm of xx (base context-dependent, often base 2 in crypto).

  • max(x1,,xn)\max(x_1, \dots, x_n): The maximum of a set of values.

  • min(x1,,xn)\min(x_1, \dots, x_n): The minimum of a set of values.

  • gcd(n,m)\gcd(n,m) is the positive greatest common divisor of integers nn and mm; when gcd(n,m)=1\gcd(n,m)=1

    , nn and mm are said to be coprime.

  • φ(n)\varphi(n) is Euler’s totient function; for n1n \ge 1, it is the number of integers in {1,,n}\{1, \dots ,n\} coprime with nn.

Others

  • A Montgomery form of aZNa \in \mathbb{Z}_N is represented by aˉ=aRmodN\bar{a} = aR \mod N, given a modulus NN and a Montgomery radix RR such that gcd(N,R)=1\gcd (N, R) = 1.

References #

Last updated