|
|
<!DOCTYPE html> <html lang="en">
<head> <meta name="description" content="In the following notes I've tried to summarize the KZG Commitment scheme with the concepts that helped me to follow the reasoning." /> <meta charset="utf-8"> <title> Notes on KZG polynomial commitments - arnaucube - blog</title> <meta name="title" content=" Notes on KZG polynomial commitments - arnaucube - blog"> <meta name="description" content="In the following notes I've tried to summarize the KZG Commitment scheme with the concepts that helped me to follow the reasoning.">
<meta property="og:title" content=" Notes on KZG polynomial commitments - arnaucube - blog" /> <meta property="og:description" content="In the following notes I've tried to summarize the KZG Commitment scheme with the concepts that helped me to follow the reasoning." /> <meta property="og:url" content="https://arnaucube.com/blog/kzg-commitments.html" /> <meta property="og:type" content="article" /> <meta property="og:image" content="https://arnaucube.com/blog/" /> <meta name="twitter:title" content=" Notes on KZG polynomial commitments - arnaucube - blog"> <meta name="twitter:description" content="In the following notes I've tried to summarize the KZG Commitment scheme with the concepts that helped me to follow the reasoning."> <meta name="twitter:image" content="https://arnaucube.com/blog/"> <meta name="twitter:card" content="summary_large_image"> <meta name="author" content="arnaucube">
<link rel="icon" type="image/png" href="img/logoArnauCubeFavicon.png">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href="css/bootstrap.min.css" rel="stylesheet"> <link rel="stylesheet" href="css/style.css">
<!-- highlightjs --> <!-- <link rel="stylesheet" href="js/highlightjs/atom-one-dark.css"> --> <link rel="stylesheet" href="js/highlightjs/atom-one-light.css"> <!-- <link rel="stylesheet" href="js/highlightjs/gruvbox-dark.css"> --> <script src="js/highlightjs/highlight.pack.js"></script>
<!-- katex --> <link rel="stylesheet" href="js/katex/katex.min.css"> </head>
<body>
<!-- o_gradient_background" --> <nav id="mainNav" class="navbar navbar-default navbar-fixed-top" style="height:50px;font-size:130%;"> <div class="container"> <div style="float:left;"> <a href="/blog" style="color:#000;display:inline-block;">Blog index</a> <span style="margin-right:20px; margin-left:20px;">|</span> <a href="/blog/notes.html" style="font-size:90%;color:#000;display:inline-block;">other-notes</a> </div> <div style="float:right;"> <a href="/" style="color:#000;display:inline-block;">arnaucube.com</a> <div class="onoffswitch" style="margin:10px;display:inline-block;" title="change theme"> <input onclick="switchTheme()" type="checkbox" name="onoffswitch" class="onoffswitch-checkbox" id="themeSwitcher"> <label class="onoffswitch-label" for="themeSwitcher"></label> </div> </div> </div> <img style="height:5px; width:100%; margin-top:8px;" src="img/gradient-line.jpg" /> </nav>
<div class="container" style="margin-top:40px;max-width:800px;"> <h2>Notes on KZG polynomial commitments</h2>
<p><em>2021-08-05</em></p>
<blockquote> <p><strong>Warning</strong>: I want to state clearly that I’m not a mathematician, I’m just an amateur on math studying in my free time, and this article is just an attempt to try to sort the notes that I took while reading about the KZG Commitments.</p> </blockquote>
<p>Few weeks ago I started reading about <a href="https://www.iacr.org/archive/asiacrypt2010/6477178/6477178.pdf">KZG Commitments</a> from the articles written by <a href="https://dankradfeist.de/ethereum/2020/06/16/kate-polynomial-commitments.html">Dankrad Feist</a>, by <a href="https://hackmd.io/@tompocock/Hk2A7BD6U">Tom Walton-Pocock</a> and by <a href="https://alinush.github.io/2020/05/06/kzg-polynomial-commitments.html">Alin Tomescu</a>. I want to thank them, because their articles helped me to understand a bit the concepts. I recommend spending the time reading their articles (<a href="https://dankradfeist.de/ethereum/2020/06/16/kate-polynomial-commitments.html">1</a>, <a href="https://hackmd.io/@tompocock/Hk2A7BD6U">2</a>, <a href="https://alinush.github.io/2020/05/06/kzg-polynomial-commitments.html">3</a>) instead of this current notes.</p>
<div class="row"> <div class="col-md-7"> <br> In the following notes I've tried to summarize the KZG Commitments scheme with the concepts that helped me to follow the reasoning. </div> <div class="col-md-5" style="font-size:90%; padding:10px;border:1px solid #cfcfcf;"> <b>Notation:</b><br> $[x]_1 = x G \in \mathbb{G}_1\newline [x]_2 = x H \in \mathbb{G}_2$ <br>Where $\mathbb{G}_1 = \langle G \rangle$ and $\mathbb{G}_2 = \langle H \rangle$. <br>In other words: $G$ is the generator of $\mathbb{G}_1$, and $H$ is the generator of $\mathbb{G}_2$ </div> </div>
<h4>Trusted setup</h4>
<p>First of all, we need to generate a <em>Trusted Setup</em> that will be used later in the rest of steps. Here, the concept of <em>Trusted Setup</em> is quite similar to what we are familiar when dealing with other zk protocols such zkSNARKs, but with the advantage that for the <em>KZG Commitments</em> the nature of its <em>Trusted Setup</em> allows to have some kind of ‘global’ <em>Trusted Setup</em> that can be used for different polynomials.</p>
<p>It should be computed in a <em>Multi-Party Computation</em> (<em>MPC</em>) fashion, and ensuring that at least one of the participants is honest, in order to ensure that the original parameter <span class="math inline">\(\tau\)</span> can not be restored.</p>
<p>The parameters of the <em>Trusted Setup</em> are generated by generating a random <span class="math inline">\(\tau \in \mathbb{F}_p\)</span>, and from this parameter we can compute <span class="math inline">\([\tau^i]_1\)</span> and <span class="math inline">\([\tau^i]_2\)</span> for <span class="math inline">\(i=0,...,n-1\)</span>:</p> <p><span class="math display">\[ [\tau^i]_1 = ([\tau^0]_1, [\tau^1]_1, [\tau^2]_1, ..., [\tau^{n-1}]_1)\newline [\tau^i]_2 = ([\tau^0]_2, [\tau^1]_2, [\tau^2]_2, ..., [\tau^{n-1}]_2) \]</span></p><p>Which in additive representation is:</p> <p><span class="math display">\[ (G, \tau G, \tau^2 G, ..., \tau^{n-1} G) \in \mathbb{G}_1\newline (H, \tau H, \tau^2 H, ..., \tau^{n-1} H) \in \mathbb{G}_2 \]</span></p><p>The ‘intuition’ about the <em>Trusted Setup</em> is that is like encrypting a secret value (<span class="math inline">\(\tau\)</span>) that later will be used in the ‘encrypted’ form to evaluate the polynomials.</p>
<h4>Commitments</h4>
<p>A commitment to a polynomial <span class="math inline">\(p(x) = \sum^n_{i=0} p_i x^i\)</span> is done by computing</p> <p><span class="math display">\[c=[p(\tau)]_1\]</span></p><p>which is computed by <span class="math inline">\(c = \sum^{deg(p(x))}_{i=0} [\tau^i] \cdot p_i\)</span>.</p>
<p>The prover would send the commitment to the polynomial <span class="math inline">\(c\)</span>, and then the verifier would choose a value <span class="math inline">\(z \in \mathbb{F}_p\)</span>, where <span class="math inline">\(\mathbb{F}_p\)</span> is the finite field of the polynomial.</p>
<h4>Evalutaion proofs</h4>
<p>To prove an evaluation of the polynomial at the choosen value <span class="math inline">\(z\)</span> such that <span class="math inline">\(p(z)=y\)</span>, a quotient polynomial is computed: <span class="math inline">\(q(x) = \frac{p(x)-y}{x-z}\)</span>. This polynomial is the proof that <span class="math inline">\(p(z)=y\)</span>, as if <span class="math inline">\(q\)</span> exists it means that <span class="math inline">\(p(x)-y\)</span> is divisible by <span class="math inline">\(x-z\)</span>, which means that it has a root at <span class="math inline">\(z\)</span>, being <span class="math inline">\(p(z)-y=0\)</span>.</p>
<p>Then, the evaluation proof is</p> <p><span class="math display">\[\pi = [q(\tau)]_1\]</span></p><p>which, as when computing <span class="math inline">\(c\)</span>, is computed by <span class="math inline">\(\pi=\sum^{deg(q(x))}_{i=0} [\tau^i] \cdot q_i\)</span>.</p>
<p>Once computed, the prover would send this evaluation proof <span class="math inline">\(\pi\)</span> to the verifier.</p>
<h4>Verifying an evaluation proof</h4>
<p>In order to verify an evaluation proof, the verifier has the commitment <span class="math inline">\(c=[p(\tau)]_1\)</span>, the evaluation <span class="math inline">\(y=p(z)\)</span>, and the proof <span class="math inline">\(\pi=[q(\tau)]_1\)</span>.</p>
<p>So, the verifier can check the <a href="https://en.wikipedia.org/wiki/Pairing-based_cryptography">pairing</a> evaluation: $<span class="math inline">\(\hat{e}(\pi, [\tau]_2 - [z]_2) == \hat{e}(c - [y]_1, H)\)</span>$</p>
<p>Where <span class="math inline">\([\tau]_2\)</span> comes from the Trusted Setup, <span class="math inline">\([z]_2\)</span> is point at which the polynomial is evaluated, and <span class="math inline">\([y]_1\)</span> is the claimed value p(z). And <span class="math inline">\(\pi\)</span> and <span class="math inline">\(c\)</span> are given by the prover.</p>
<p>We can unroll that last equivalence, and see that:</p> <p><span class="math display">\[ \hat{e}(\pi, [\tau]_2 - [z]_2) == \hat{e}(c - [y]_1, H)\newline \Rightarrow \hat{e}([q(\tau)]_1, [\tau-z]_2) == \hat{e}([p(\tau)]_1 - [y]_1, H)\newline \Rightarrow [q(\tau) \cdot (\tau-z)]_T == [p(\tau) - y]_T \]</span></p><p>We can see that is the equation <span class="math inline">\(q(x)(x-z)=p(x)-y\)</span>, which can be expressed as <span class="math inline">\(q(x) = \frac{p(x) - y}{x-z}\)</span>, evaluated at <span class="math inline">\(\tau\)</span> from the <em>trusted setup</em>, which is not known: <span class="math inline">\(q(\tau) = \frac{p(\tau) - y}{\tau-z}\)</span>.</p>
<h3>Conclusions</h3>
<p>The content covered in this notes is just a quick overview, but allows us to see the potential of the scheme. One next iteration from what we’ve seen is the approach to do batch proofs, which allows us to evaluate at multiple points with a single evaluation proof. This scheme can be used as a <em>vector commitment</em>, using a polynomial where the <span class="math inline">\(p(i) = x_i\)</span> for all values of <span class="math inline">\(x_i\)</span> of the vector, which can be obtained from the <span class="math inline">\(x_i\)</span> values and computing the <a href="shamir-secret-sharing.html#lagrange-polynomial%20interpolation">Lagrange interpolation</a>. This is quite useful combined with the mentioned batch proofs. The <em>batch proofs</em> logic can be found at the <a href="https://arnaucube.com/blog/kzg-batch-proof.html">blog/kzg-batch-proof</a> notes (kind of the continuation of the current notes).</p>
<p>As a final note, in order to try to digest the notes, I’ve did a <em>toy implementation</em> of this scheme at <a href="https://github.com/arnaucube/kzg-commitments-study">https://github.com/arnaucube/kzg-commitments-study</a>. It’s quite simple, but contains the logic overviewed in this notes.</p>
<p><br> - <a href="https://arnaucube.com/blog/kzg-batch-proof.html">Part 2: Batch proof in KZG Commitments</a></p>
</div>
<footer style="text-align:center; margin-top:100px;margin-bottom:50px;"> <div class="container"> <br> <a href="/blog">Go to main</a> <br><br> <div class="row"> <ul class="list-inline"> <li><a href="https://twitter.com/arnaucube" style="color:gray;text-decoration:none;" target="_blank">twitter.com/arnaucube</a> </li> <li><a href="https://github.com/arnaucube" style="color:gray;text-decoration:none;" target="_blank">github.com/arnaucube</a> </li> </ul> </div> <div class="row" style="display:inline-block;"> Blog made with <a href="http://github.com/arnaucube/blogo/" target="_blank" style="color: gray;text-decoration:none;">Blogo</a> </div> </div> </footer>
<script> </script> <script src="js/external-links.js"></script> <script>hljs.initHighlightingOnLoad();</script> <script defer src="js/katex/katex.min.js"></script> <script defer src="js/katex/auto-render.min.js"></script> <script> document.addEventListener("DOMContentLoaded", function() { renderMathInElement(document.body, { displayMode: false, // customised options // • auto-render specific keys, e.g.: delimiters: [ {left: '$$', right: '$$', display: true}, {left: '$', right: '$', display: false}, {left: "\\[", right: "\\]", display: true}, {left: "\\(", right: "\\)", display: false}, ], // • rendering keys, e.g.: throwOnError : true }); });
/// let theme = localStorage.getItem("theme"); if ((theme === "light-theme")||(theme==null)) { theme = "light-theme"; document.getElementById("themeSwitcher").checked = false; } else if (theme === "dark-theme") { theme = "dark-theme"; document.getElementById("themeSwitcher").checked = true; } document.body.className = theme; localStorage.setItem("theme", theme);
function switchTheme() { theme = localStorage.getItem("theme"); if (theme === "light-theme") { theme = "dark-theme"; document.getElementById("themeSwitcher").checked = true; } else { theme = "light-theme"; document.getElementById("themeSwitcher").checked = false; } document.body.className = theme; localStorage.setItem("theme", theme);
console.log(theme); } </script> <script> function tagLinks(tagName) { var tags = document.getElementsByTagName(tagName); for (var i=0, hElem; hElem = tags[i]; i++) { if (hElem.parentNode.className=="row postThumb") { continue; } hElem.id = hElem.innerHTML.toLowerCase().replace(" ", "-"); hElem.innerHTML = "<a style='text-decoration:none;color:black;' href='#"+hElem.id+"'>"+hElem.innerHTML+"</a>"; } } tagLinks("h2"); tagLinks("h3"); tagLinks("h4"); tagLinks("h5"); </script> <script src="js/mermaid.min.js"></script>
</body> </html>
|