You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

83 lines
5.6 KiB

  1. ## Notes on KZG polynomial commitments
  2. *2021-08-05*
  3. > **Warning**: I want to state clearly that I'm not a mathematician, I'm just an amateur on math studying in my free time, and this article is just an attempt to try to sort the notes that I took while reading about the KZG Commitments.
  4. Few weeks ago I started reading about [KZG Commitments](https://www.iacr.org/archive/asiacrypt2010/6477178/6477178.pdf) from the articles written by [Dankrad Feist](https://dankradfeist.de/ethereum/2020/06/16/kate-polynomial-commitments.html), by [Tom Walton-Pocock](https://hackmd.io/@tompocock/Hk2A7BD6U) and by [Alin Tomescu](https://alinush.github.io/2020/05/06/kzg-polynomial-commitments.html). I want to thank them, because their articles helped me to understand a bit the concepts. I recommend spending the time reading their articles instead of this current notes.
  5. <div class="row">
  6. <div class="col-md-7">
  7. <br>
  8. In the following notes I've tried to summarize the KZG Commitments scheme with the concepts that helped me to follow the reasoning.
  9. </div>
  10. <div class="col-md-5" style="font-size:90%; padding:10px;border:1px solid #cfcfcf;">
  11. <b>Notation:</b><br>
  12. $[x]_1 = x G \in \mathbb{G}_1\newline
  13. [x]_2 = x H \in \mathbb{G}_2$
  14. <br>Where $\mathbb{G}_1 = \langle G \rangle$ and $\mathbb{G}_2 = \langle H \rangle$.
  15. <br>In other words: $G$ is the generator of $\mathbb{G}_1$, and $H$ is the generator of $\mathbb{G}_2$
  16. </div>
  17. </div>
  18. #### Trusted setup
  19. First of all, we need to generate a *Trusted Setup* that will be used later in the rest of steps. Here, the concept of *Trusted Setup* is quite similar to what we are familiar when dealing with other zk protocols such zkSNARKs, but with the advantage that for the *KZG Commitments* the nature of its *Trusted Setup* allows to have some kind of 'global' *Trusted Setup* that can be used for different polynomials.
  20. It should be computed in a *Multi-Party Computation* (*MPC*) fashion, and ensuring that at least one of the participants is honest, in order to ensure that the original parameter $\tau$ can not be restored.
  21. The parameters of the *Trusted Setup* are generated by generating a random $\tau \in \mathbb{F}_p$, and from this parameter we can compute $[\tau^i]_1$ and $[\tau^i]_2$ for $i=0,...,n-1$:
  22. $$
  23. [\tau^i]_1 = ([\tau^0]_1, [\tau^1]_1, [\tau^2]_1, ..., [\tau^{n-1}]_1)\newline
  24. [\tau^i]_2 = ([\tau^0]_2, [\tau^1]_2, [\tau^2]_2, ..., [\tau^{n-1}]_2)
  25. $$
  26. Which in additive representation is:
  27. $$
  28. (G, \tau G, \tau^2 G, ..., \tau^{n-1} G) \in \mathbb{G}_1\newline
  29. (H, \tau H, \tau^2 H, ..., \tau^{n-1} H) \in \mathbb{G}_2
  30. $$
  31. The 'intuition' about the *Trusted Setup* is that is like encrypting a secret value ($\tau$) that later will be used in the 'encrypted' form to evaluate the polynomials.
  32. #### Commitments
  33. A commitment to a polynomial $p(x) = \sum^n_{i=0} p_i x^i$ is done by computing
  34. $$c=[p(\tau)]_1$$
  35. which is computed by $c = \sum^{deg(p(x))}_{i=0} [\tau^i] \cdot p_i$.
  36. The prover would send the commitment to the polynomial $c$, and then the verifier would choose a value $z \in \mathbb{F}_p$, where $\mathbb{F}_p$ is the finite field of the polynomial.
  37. #### Evalutaion proofs
  38. To prove an evaluation of the polynomial at the choosen value $z$ such that $p(z)=y$, a quotient polynomial is computed: $q(x) = \frac{p(x)-y}{x-z}$. This polynomial is the proof that $p(z)=y$, as if $q$ exists it means that $p(x)-y$ is divisible by $x-z$, which means that it has a root at $z$, being $p(z)-y=0$.
  39. Then, the evaluation proof is
  40. $$\pi = [q(\tau)]_1$$
  41. which, as when computing $c$, is computed by $\pi=\sum^{deg(q(x))}_{i=0} [\tau^i] \cdot q_i$.
  42. Once computed, the prover would send this evaluation proof $\pi$ to the verifier.
  43. #### Verifying an evaluation proof
  44. In order to verify an evaluation proof, the verifier has the commitment $c=[p(\tau)]_1$, the evaluation $y=p(z)$, and the proof $\pi=[q(\tau)]_1$.
  45. So, the verifier can check the [pairing](https://en.wikipedia.org/wiki/Pairing-based_cryptography) evaluation:
  46. $$\hat{e}(\pi, [\tau]_2 - [z]_2) == \hat{e}(c - [y]_1, H)$$
  47. Where $[\tau]_2$ comes from the Trusted Setup, $[z]_2$ is point at which the polynomial is evaluated, and $[y]_1$ is the claimed value p(z). And $\pi$ and $c$ are given by the prover.
  48. We can unroll that last equivalence, and see that:
  49. $$
  50. \hat{e}(\pi, [\tau]_2 - [z]_2) == \hat{e}(c - [y]_1, H)\newline
  51. \Rightarrow \hat{e}([q(\tau)]_1, [\tau-z]_2) == \hat{e}([p(\tau)]_1 - [y]_1, H)\newline
  52. \Rightarrow [q(\tau) \cdot (\tau-z)]_T == [p(\tau) - y]_T
  53. $$
  54. We can see that is the equation $q(x)(x-z)=p(x)-y$, which can be expressed as $q(x) = \frac{p(x) - y}{x-z}$, evaluated at $\tau$ from the *trusted setup*, which is not known: $q(\tau) = \frac{p(\tau) - y}{\tau-z}$.
  55. ### Conclusions
  56. The content covered in this notes is just a quick overview, but allows us to see the potential of the scheme. One next iteration from what we've seen is the approach to do batch proofs, which allows us to evaluate at multiple points with a single evaluation proof. This scheme can be used as a *vector commitment*, using a polynomial where the $p(i) = x_i$ for all values of $x_i$ of the vector, which can be obtained from the $x_i$ values and computing the [Lagrange interpolation](https://en.wikipedia.org/wiki/Lagrange_polynomial). This is quite useful combined with the mentioned batch proofs. The *batch proofs* logic can be found at the [blog/kzg-batch-proof](https://arnaucube.com/blog/kzg-batch-proof.html) notes (kind of the continuation of the current notes).
  57. As a final note, in order to try to digest the notes, I've did a *toy implementation* of this scheme at https://github.com/arnaucube/kzg-commitments-study. It's quite simple, but contains the logic overviewed in this notes.