You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

243 lines
14 KiB

3 years ago
3 years ago
3 years ago
3 years ago
3 years ago
  1. <!DOCTYPE html>
  2. <html lang="en">
  3. <head>
  4. <meta name="description" content="In the following notes I've tried to summarize the KZG Commitment scheme with the concepts that helped me to follow the reasoning." />
  5. <meta charset="utf-8">
  6. <title> Notes on KZG polynomial commitments - arnaucube - blog</title>
  7. <meta name="title" content=" Notes on KZG polynomial commitments - arnaucube - blog">
  8. <meta name="description" content="In the following notes I've tried to summarize the KZG Commitment scheme with the concepts that helped me to follow the reasoning.">
  9. <meta property="og:title" content=" Notes on KZG polynomial commitments - arnaucube - blog" />
  10. <meta property="og:description" content="In the following notes I've tried to summarize the KZG Commitment scheme with the concepts that helped me to follow the reasoning." />
  11. <meta property="og:url" content="https://arnaucube.com/blog/kzg-commitments.html" />
  12. <meta property="og:type" content="article" />
  13. <meta property="og:image" content="https://arnaucube.com/blog/" />
  14. <meta name="twitter:title" content=" Notes on KZG polynomial commitments - arnaucube - blog">
  15. <meta name="twitter:description" content="In the following notes I've tried to summarize the KZG Commitment scheme with the concepts that helped me to follow the reasoning.">
  16. <meta name="twitter:image" content="https://arnaucube.com/blog/">
  17. <meta name="twitter:card" content="summary_large_image">
  18. <meta name="author" content="arnaucube">
  19. <link rel="icon" type="image/png" href="img/logoArnauCubeFavicon.png">
  20. <meta name="viewport" content="width=device-width, initial-scale=1">
  21. <link href="css/bootstrap.min.css" rel="stylesheet">
  22. <link rel="stylesheet" href="css/style.css">
  23. <!-- highlightjs -->
  24. <!-- <link rel="stylesheet" href="js/highlightjs/atom-one-dark.css"> -->
  25. <link rel="stylesheet" href="js/highlightjs/atom-one-light.css">
  26. <!-- <link rel="stylesheet" href="js/highlightjs/gruvbox-dark.css"> -->
  27. <script src="js/highlightjs/highlight.pack.js"></script>
  28. <!-- katex -->
  29. <link rel="stylesheet" href="js/katex/katex.min.css">
  30. </head>
  31. <body>
  32. <!-- o_gradient_background" -->
  33. <nav id="mainNav" class="navbar navbar-default navbar-fixed-top"
  34. style="height:50px;font-size:130%;">
  35. <div class="container">
  36. <div style="float:left;">
  37. <a href="/blog" style="color:#000;display:inline-block;">Blog index</a>
  38. <span style="margin-right:20px; margin-left:20px;">|</span>
  39. <a href="/blog/notes.html" style="font-size:90%;color:#000;display:inline-block;">other-notes</a>
  40. </div>
  41. <div style="float:right;">
  42. <a href="/" style="color:#000;display:inline-block;">arnaucube.com</a>
  43. <div class="onoffswitch" style="margin:10px;display:inline-block;" title="change theme">
  44. <input onclick="switchTheme()" type="checkbox" name="onoffswitch" class="onoffswitch-checkbox"
  45. id="themeSwitcher">
  46. <label class="onoffswitch-label" for="themeSwitcher"></label>
  47. </div>
  48. </div>
  49. </div>
  50. <img style="height:5px; width:100%; margin-top:8px;" src="img/gradient-line.jpg" />
  51. </nav>
  52. <div class="container" style="margin-top:40px;max-width:800px;">
  53. <h2>Notes on KZG polynomial commitments</h2>
  54. <p><em>2021-08-05</em></p>
  55. <blockquote>
  56. <p><strong>Warning</strong>: I want to state clearly that I&rsquo;m not a mathematician, I&rsquo;m just an amateur on math studying in my free time, and this article is just an attempt to try to sort the notes that I took while reading about the KZG Commitments.</p>
  57. </blockquote>
  58. <p>Few weeks ago I started reading about <a href="https://www.iacr.org/archive/asiacrypt2010/6477178/6477178.pdf">KZG Commitments</a> from the articles written by <a href="https://dankradfeist.de/ethereum/2020/06/16/kate-polynomial-commitments.html">Dankrad Feist</a>, by <a href="https://hackmd.io/@tompocock/Hk2A7BD6U">Tom Walton-Pocock</a> and by <a href="https://alinush.github.io/2020/05/06/kzg-polynomial-commitments.html">Alin Tomescu</a>. I want to thank them, because their articles helped me to understand a bit the concepts. I recommend spending the time reading their articles (<a href="https://dankradfeist.de/ethereum/2020/06/16/kate-polynomial-commitments.html">1</a>, <a href="https://hackmd.io/@tompocock/Hk2A7BD6U">2</a>, <a href="https://alinush.github.io/2020/05/06/kzg-polynomial-commitments.html">3</a>) instead of this current notes.</p>
  59. <div class="row">
  60. <div class="col-md-7">
  61. <br>
  62. In the following notes I've tried to summarize the KZG Commitments scheme with the concepts that helped me to follow the reasoning.
  63. </div>
  64. <div class="col-md-5" style="font-size:90%; padding:10px;border:1px solid #cfcfcf;">
  65. <b>Notation:</b><br>
  66. $[x]_1 = x G \in \mathbb{G}_1\newline
  67. [x]_2 = x H \in \mathbb{G}_2$
  68. <br>Where $\mathbb{G}_1 = \langle G \rangle$ and $\mathbb{G}_2 = \langle H \rangle$.
  69. <br>In other words: $G$ is the generator of $\mathbb{G}_1$, and $H$ is the generator of $\mathbb{G}_2$
  70. </div>
  71. </div>
  72. <h4>Trusted setup</h4>
  73. <p>First of all, we need to generate a <em>Trusted Setup</em> that will be used later in the rest of steps. Here, the concept of <em>Trusted Setup</em> is quite similar to what we are familiar when dealing with other zk protocols such zkSNARKs, but with the advantage that for the <em>KZG Commitments</em> the nature of its <em>Trusted Setup</em> allows to have some kind of &lsquo;global&rsquo; <em>Trusted Setup</em> that can be used for different polynomials.</p>
  74. <p>It should be computed in a <em>Multi-Party Computation</em> (<em>MPC</em>) fashion, and ensuring that at least one of the participants is honest, in order to ensure that the original parameter <span class="math inline">\(\tau\)</span> can not be restored.</p>
  75. <p>The parameters of the <em>Trusted Setup</em> are generated by generating a random <span class="math inline">\(\tau \in \mathbb{F}_p\)</span>, and from this parameter we can compute <span class="math inline">\([\tau^i]_1\)</span> and <span class="math inline">\([\tau^i]_2\)</span> for <span class="math inline">\(i=0,...,n-1\)</span>:</p>
  76. <p><span class="math display">\[
  77. [\tau^i]_1 = ([\tau^0]_1, [\tau^1]_1, [\tau^2]_1, ..., [\tau^{n-1}]_1)\newline
  78. [\tau^i]_2 = ([\tau^0]_2, [\tau^1]_2, [\tau^2]_2, ..., [\tau^{n-1}]_2)
  79. \]</span></p><p>Which in additive representation is:</p>
  80. <p><span class="math display">\[
  81. (G, \tau G, \tau^2 G, ..., \tau^{n-1} G) \in \mathbb{G}_1\newline
  82. (H, \tau H, \tau^2 H, ..., \tau^{n-1} H) \in \mathbb{G}_2
  83. \]</span></p><p>The &lsquo;intuition&rsquo; about the <em>Trusted Setup</em> is that is like encrypting a secret value (<span class="math inline">\(\tau\)</span>) that later will be used in the &lsquo;encrypted&rsquo; form to evaluate the polynomials.</p>
  84. <h4>Commitments</h4>
  85. <p>A commitment to a polynomial <span class="math inline">\(p(x) = \sum^n_{i=0} p_i x^i\)</span> is done by computing</p>
  86. <p><span class="math display">\[c=[p(\tau)]_1\]</span></p><p>which is computed by <span class="math inline">\(c = \sum^{deg(p(x))}_{i=0} [\tau^i] \cdot p_i\)</span>.</p>
  87. <p>The prover would send the commitment to the polynomial <span class="math inline">\(c\)</span>, and then the verifier would choose a value <span class="math inline">\(z \in \mathbb{F}_p\)</span>, where <span class="math inline">\(\mathbb{F}_p\)</span> is the finite field of the polynomial.</p>
  88. <h4>Evalutaion proofs</h4>
  89. <p>To prove an evaluation of the polynomial at the choosen value <span class="math inline">\(z\)</span> such that <span class="math inline">\(p(z)=y\)</span>, a quotient polynomial is computed: <span class="math inline">\(q(x) = \frac{p(x)-y}{x-z}\)</span>. This polynomial is the proof that <span class="math inline">\(p(z)=y\)</span>, as if <span class="math inline">\(q\)</span> exists it means that <span class="math inline">\(p(x)-y\)</span> is divisible by <span class="math inline">\(x-z\)</span>, which means that it has a root at <span class="math inline">\(z\)</span>, being <span class="math inline">\(p(z)-y=0\)</span>.</p>
  90. <p>Then, the evaluation proof is</p>
  91. <p><span class="math display">\[\pi = [q(\tau)]_1\]</span></p><p>which, as when computing <span class="math inline">\(c\)</span>, is computed by <span class="math inline">\(\pi=\sum^{deg(q(x))}_{i=0} [\tau^i] \cdot q_i\)</span>.</p>
  92. <p>Once computed, the prover would send this evaluation proof <span class="math inline">\(\pi\)</span> to the verifier.</p>
  93. <h4>Verifying an evaluation proof</h4>
  94. <p>In order to verify an evaluation proof, the verifier has the commitment <span class="math inline">\(c=[p(\tau)]_1\)</span>, the evaluation <span class="math inline">\(y=p(z)\)</span>, and the proof <span class="math inline">\(\pi=[q(\tau)]_1\)</span>.</p>
  95. <p>So, the verifier can check the <a href="https://en.wikipedia.org/wiki/Pairing-based_cryptography">pairing</a> evaluation:
  96. $<span class="math inline">\(\hat{e}(\pi, [\tau]_2 - [z]_2) == \hat{e}(c - [y]_1, H)\)</span>$</p>
  97. <p>Where <span class="math inline">\([\tau]_2\)</span> comes from the Trusted Setup, <span class="math inline">\([z]_2\)</span> is point at which the polynomial is evaluated, and <span class="math inline">\([y]_1\)</span> is the claimed value p(z). And <span class="math inline">\(\pi\)</span> and <span class="math inline">\(c\)</span> are given by the prover.</p>
  98. <p>We can unroll that last equivalence, and see that:</p>
  99. <p><span class="math display">\[
  100. \hat{e}(\pi, [\tau]_2 - [z]_2) == \hat{e}(c - [y]_1, H)\newline
  101. \Rightarrow \hat{e}([q(\tau)]_1, [\tau-z]_2) == \hat{e}([p(\tau)]_1 - [y]_1, H)\newline
  102. \Rightarrow [q(\tau) \cdot (\tau-z)]_T == [p(\tau) - y]_T
  103. \]</span></p><p>We can see that is the equation <span class="math inline">\(q(x)(x-z)=p(x)-y\)</span>, which can be expressed as <span class="math inline">\(q(x) = \frac{p(x) - y}{x-z}\)</span>, evaluated at <span class="math inline">\(\tau\)</span> from the <em>trusted setup</em>, which is not known: <span class="math inline">\(q(\tau) = \frac{p(\tau) - y}{\tau-z}\)</span>.</p>
  104. <h3>Conclusions</h3>
  105. <p>The content covered in this notes is just a quick overview, but allows us to see the potential of the scheme. One next iteration from what we&rsquo;ve seen is the approach to do batch proofs, which allows us to evaluate at multiple points with a single evaluation proof. This scheme can be used as a <em>vector commitment</em>, using a polynomial where the <span class="math inline">\(p(i) = x_i\)</span> for all values of <span class="math inline">\(x_i\)</span> of the vector, which can be obtained from the <span class="math inline">\(x_i\)</span> values and computing the <a href="shamir-secret-sharing.html#lagrange-polynomial%20interpolation">Lagrange interpolation</a>. This is quite useful combined with the mentioned batch proofs. The <em>batch proofs</em> logic can be found at the <a href="https://arnaucube.com/blog/kzg-batch-proof.html">blog/kzg-batch-proof</a> notes (kind of the continuation of the current notes).</p>
  106. <p>As a final note, in order to try to digest the notes, I&rsquo;ve did a <em>toy implementation</em> of this scheme at <a href="https://github.com/arnaucube/kzg-commitments-study">https://github.com/arnaucube/kzg-commitments-study</a>. It&rsquo;s quite simple, but contains the logic overviewed in this notes.</p>
  107. <p><br>
  108. - <a href="https://arnaucube.com/blog/kzg-batch-proof.html">Part 2: Batch proof in KZG Commitments</a></p>
  109. </div>
  110. <footer style="text-align:center; margin-top:100px;margin-bottom:50px;">
  111. <div class="container">
  112. <br>
  113. <a href="/blog">Go to main</a>
  114. <br><br>
  115. <div class="row">
  116. <ul class="list-inline">
  117. <li><a href="https://twitter.com/arnaucube"
  118. style="color:gray;text-decoration:none;"
  119. target="_blank">twitter.com/arnaucube</a>
  120. </li>
  121. <li><a href="https://github.com/arnaucube"
  122. style="color:gray;text-decoration:none;"
  123. target="_blank">github.com/arnaucube</a>
  124. </li>
  125. </ul>
  126. </div>
  127. <div class="row" style="display:inline-block;">
  128. Blog made with <a href="http://github.com/arnaucube/blogo/"
  129. target="_blank" style="color: gray;text-decoration:none;">Blogo</a>
  130. </div>
  131. </div>
  132. </footer>
  133. <script>
  134. </script>
  135. <script src="js/external-links.js"></script>
  136. <script>hljs.initHighlightingOnLoad();</script>
  137. <script defer src="js/katex/katex.min.js"></script>
  138. <script defer src="js/katex/auto-render.min.js"></script>
  139. <script>
  140. document.addEventListener("DOMContentLoaded", function() {
  141. renderMathInElement(document.body, {
  142. displayMode: false,
  143. // customised options
  144. // • auto-render specific keys, e.g.:
  145. delimiters: [
  146. {left: '$$', right: '$$', display: true},
  147. {left: '$', right: '$', display: false},
  148. {left: "\\[", right: "\\]", display: true},
  149. {left: "\\(", right: "\\)", display: false},
  150. ],
  151. // • rendering keys, e.g.:
  152. throwOnError : true
  153. });
  154. });
  155. ///
  156. let theme = localStorage.getItem("theme");
  157. if ((theme === "light-theme")||(theme==null)) {
  158. theme = "light-theme";
  159. document.getElementById("themeSwitcher").checked = false;
  160. } else if (theme === "dark-theme") {
  161. theme = "dark-theme";
  162. document.getElementById("themeSwitcher").checked = true;
  163. }
  164. document.body.className = theme;
  165. localStorage.setItem("theme", theme);
  166. function switchTheme() {
  167. theme = localStorage.getItem("theme");
  168. if (theme === "light-theme") {
  169. theme = "dark-theme";
  170. document.getElementById("themeSwitcher").checked = true;
  171. } else {
  172. theme = "light-theme";
  173. document.getElementById("themeSwitcher").checked = false;
  174. }
  175. document.body.className = theme;
  176. localStorage.setItem("theme", theme);
  177. console.log(theme);
  178. }
  179. </script>
  180. <script>
  181. function tagLinks(tagName) {
  182. var tags = document.getElementsByTagName(tagName);
  183. for (var i=0, hElem; hElem = tags[i]; i++) {
  184. if (hElem.parentNode.className=="row postThumb") {
  185. continue;
  186. }
  187. hElem.id = hElem.innerHTML.toLowerCase().replace(" ", "-");
  188. hElem.innerHTML = "<a style='text-decoration:none;color:black;' href='#"+hElem.id+"'>"+hElem.innerHTML+"</a>";
  189. }
  190. }
  191. tagLinks("h2");
  192. tagLinks("h3");
  193. tagLinks("h4");
  194. tagLinks("h5");
  195. </script>
  196. <script src="js/mermaid.min.js"></script>
  197. </body>
  198. </html>