|
|
## Notes on KZG polynomial commitments
*2021-08-05*
> **Warning**: I want to state clearly that I'm not a mathematician, I'm just an amateur on math studying in my free time, and this article is just an attempt to try to sort the notes that I took while reading about the KZG Commitments.
Few weeks ago I started reading about [KZG Commitments](https://www.iacr.org/archive/asiacrypt2010/6477178/6477178.pdf) from the articles written by [Dankrad Feist](https://dankradfeist.de/ethereum/2020/06/16/kate-polynomial-commitments.html), by [Tom Walton-Pocock](https://hackmd.io/@tompocock/Hk2A7BD6U) and by [Alin Tomescu](https://alinush.github.io/2020/05/06/kzg-polynomial-commitments.html). I want to thank them, because their articles helped me to understand a bit the concepts. I recommend spending the time reading their articles ([1](https://dankradfeist.de/ethereum/2020/06/16/kate-polynomial-commitments.html), [2](https://hackmd.io/@tompocock/Hk2A7BD6U), [3](https://alinush.github.io/2020/05/06/kzg-polynomial-commitments.html)) instead of this current notes.
<div class="row"> <div class="col-md-7"> <br> In the following notes I've tried to summarize the KZG Commitments scheme with the concepts that helped me to follow the reasoning. </div> <div class="col-md-5" style="font-size:90%; padding:10px;border:1px solid #cfcfcf;"> <b>Notation:</b><br> $[x]_1 = x G \in \mathbb{G}_1\newline [x]_2 = x H \in \mathbb{G}_2$ <br>Where $\mathbb{G}_1 = \langle G \rangle$ and $\mathbb{G}_2 = \langle H \rangle$. <br>In other words: $G$ is the generator of $\mathbb{G}_1$, and $H$ is the generator of $\mathbb{G}_2$ </div> </div>
#### Trusted setup
First of all, we need to generate a *Trusted Setup* that will be used later in the rest of steps. Here, the concept of *Trusted Setup* is quite similar to what we are familiar when dealing with other zk protocols such zkSNARKs, but with the advantage that for the *KZG Commitments* the nature of its *Trusted Setup* allows to have some kind of 'global' *Trusted Setup* that can be used for different polynomials.
It should be computed in a *Multi-Party Computation* (*MPC*) fashion, and ensuring that at least one of the participants is honest, in order to ensure that the original parameter $\tau$ can not be restored.
The parameters of the *Trusted Setup* are generated by generating a random $\tau \in \mathbb{F}_p$, and from this parameter we can compute $[\tau^i]_1$ and $[\tau^i]_2$ for $i=0,...,n-1$:
$$ [\tau^i]_1 = ([\tau^0]_1, [\tau^1]_1, [\tau^2]_1, ..., [\tau^{n-1}]_1)\newline [\tau^i]_2 = ([\tau^0]_2, [\tau^1]_2, [\tau^2]_2, ..., [\tau^{n-1}]_2) $$
Which in additive representation is:
$$ (G, \tau G, \tau^2 G, ..., \tau^{n-1} G) \in \mathbb{G}_1\newline (H, \tau H, \tau^2 H, ..., \tau^{n-1} H) \in \mathbb{G}_2 $$
The 'intuition' about the *Trusted Setup* is that is like encrypting a secret value ($\tau$) that later will be used in the 'encrypted' form to evaluate the polynomials.
#### Commitments
A commitment to a polynomial $p(x) = \sum^n_{i=0} p_i x^i$ is done by computing
$$c=[p(\tau)]_1$$
which is computed by $c = \sum^{deg(p(x))}_{i=0} [\tau^i] \cdot p_i$.
The prover would send the commitment to the polynomial $c$, and then the verifier would choose a value $z \in \mathbb{F}_p$, where $\mathbb{F}_p$ is the finite field of the polynomial.
#### Evalutaion proofs
To prove an evaluation of the polynomial at the choosen value $z$ such that $p(z)=y$, a quotient polynomial is computed: $q(x) = \frac{p(x)-y}{x-z}$. This polynomial is the proof that $p(z)=y$, as if $q$ exists it means that $p(x)-y$ is divisible by $x-z$, which means that it has a root at $z$, being $p(z)-y=0$.
Then, the evaluation proof is
$$\pi = [q(\tau)]_1$$
which, as when computing $c$, is computed by $\pi=\sum^{deg(q(x))}_{i=0} [\tau^i] \cdot q_i$.
Once computed, the prover would send this evaluation proof $\pi$ to the verifier.
#### Verifying an evaluation proof
In order to verify an evaluation proof, the verifier has the commitment $c=[p(\tau)]_1$, the evaluation $y=p(z)$, and the proof $\pi=[q(\tau)]_1$.
So, the verifier can check the [pairing](https://en.wikipedia.org/wiki/Pairing-based_cryptography) evaluation: $$\hat{e}(\pi, [\tau]_2 - [z]_2) == \hat{e}(c - [y]_1, H)$$
Where $[\tau]_2$ comes from the Trusted Setup, $[z]_2$ is point at which the polynomial is evaluated, and $[y]_1$ is the claimed value p(z). And $\pi$ and $c$ are given by the prover.
We can unroll that last equivalence, and see that:
$$ \hat{e}(\pi, [\tau]_2 - [z]_2) == \hat{e}(c - [y]_1, H)\newline \Rightarrow \hat{e}([q(\tau)]_1, [\tau-z]_2) == \hat{e}([p(\tau)]_1 - [y]_1, H)\newline \Rightarrow [q(\tau) \cdot (\tau-z)]_T == [p(\tau) - y]_T $$
We can see that is the equation $q(x)(x-z)=p(x)-y$, which can be expressed as $q(x) = \frac{p(x) - y}{x-z}$, evaluated at $\tau$ from the *trusted setup*, which is not known: $q(\tau) = \frac{p(\tau) - y}{\tau-z}$.
### Conclusions
The content covered in this notes is just a quick overview, but allows us to see the potential of the scheme. One next iteration from what we've seen is the approach to do batch proofs, which allows us to evaluate at multiple points with a single evaluation proof. This scheme can be used as a *vector commitment*, using a polynomial where the $p(i) = x_i$ for all values of $x_i$ of the vector, which can be obtained from the $x_i$ values and computing the [Lagrange interpolation](shamir-secret-sharing.html#lagrange-polynomial%20interpolation). This is quite useful combined with the mentioned batch proofs. The *batch proofs* logic can be found at the [blog/kzg-batch-proof](https://arnaucube.com/blog/kzg-batch-proof.html) notes (kind of the continuation of the current notes).
As a final note, in order to try to digest the notes, I've did a *toy implementation* of this scheme at https://github.com/arnaucube/kzg-commitments-study. It's quite simple, but contains the logic overviewed in this notes.
<br> - [Part 2: Batch proof in KZG Commitments](https://arnaucube.com/blog/kzg-batch-proof.html)
|