@ -0,0 +1,83 @@ |
|||||
|
## Notes on KZG polynomial commitments |
||||
|
*2021-08-05* |
||||
|
|
||||
|
> **Warning**: I want to state clearly that I'm not a mathematician, I'm just an amateur on math studying in my free time, and this article is just an attempt to try to sort the notes that I took while reading about the KZG Commitments. |
||||
|
|
||||
|
Few weeks ago I started reading about [KZG Commitments](https://www.iacr.org/archive/asiacrypt2010/6477178/6477178.pdf) from the articles written by [Dankrad Feist](https://dankradfeist.de/ethereum/2020/06/16/kate-polynomial-commitments.html), by [Tom Walton-Pocock](https://hackmd.io/@tompocock/Hk2A7BD6U) and by [Alin Tomescu](https://alinush.github.io/2020/05/06/kzg-polynomial-commitments.html). I want to thank them, because their articles helped me to understand a bit the concepts. I recommend spending the time reading their articles instead of this current notes. |
||||
|
|
||||
|
<div class="row"> |
||||
|
<div class="col-md-7"> |
||||
|
<br> |
||||
|
In the following notes I've tried to summarize the KZG Commitments scheme with the concepts that helped me to follow the reasoning. |
||||
|
</div> |
||||
|
<div class="col-md-5" style="font-size:90%; padding:10px;border:1px solid #cfcfcf;"> |
||||
|
<b>Notation:</b><br> |
||||
|
$[x]_1 = x G \in \mathbb{G}_1\newline |
||||
|
[x]_2 = x H \in \mathbb{G}_2$ |
||||
|
<br>Where $\mathbb{G}_1 = \langle G \rangle$ and $\mathbb{G}_2 = \langle H \rangle$. |
||||
|
<br>In other words: $G$ is the generator of $\mathbb{G}_1$, and $H$ is the generator of $\mathbb{G}_2$ |
||||
|
</div> |
||||
|
</div> |
||||
|
|
||||
|
#### Trusted setup |
||||
|
First of all, we need to generate a *Trusted Setup* that will be used later in the rest of steps. Here, the concept of *Trusted Setup* is quite similar to what we are familiar when dealing with other zk protocols such zkSNARKs, but with the advantage that for the *KZG Commitments* the nature of its *Trusted Setup* allows to have some kind of 'global' *Trusted Setup* that can be used for different polynomials. |
||||
|
|
||||
|
It should be computed in a *Multi-Party Computation* (*MPC*) fashion, and ensuring that at least one of the participants is honest, in order to ensure that the original parameter $\tau$ can not be restored. |
||||
|
|
||||
|
The parameters of the *Trusted Setup* are generated by generating a random $\tau \in \mathbb{F}_p$, and from this parameter we can compute $[\tau^i]_1$ and $[\tau^i]_2$ for $i=0,...,n-1$: |
||||
|
|
||||
|
$$ |
||||
|
[\tau^i]_1 = ([\tau^0]_1, [\tau^1]_1, [\tau^2]_1, ..., [\tau^{n-1}]_1)\newline |
||||
|
[\tau^i]_2 = ([\tau^0]_2, [\tau^1]_2, [\tau^2]_2, ..., [\tau^{n-1}]_2) |
||||
|
$$ |
||||
|
|
||||
|
Which in additive representation is: |
||||
|
$$ |
||||
|
(G, \tau G, \tau^2 G, ..., \tau^{n-1} G) \in \mathbb{G}_1\newline |
||||
|
(H, \tau H, \tau^2 H, ..., \tau^{n-1} H) \in \mathbb{G}_2 |
||||
|
$$ |
||||
|
|
||||
|
The 'intuition' about the *Trusted Setup* is that is like encrypting a secret value ($\tau$) that later will be used in the 'encrypted' form to evaluate the polynomials. |
||||
|
|
||||
|
#### Commitments |
||||
|
A commitment to a polynomial $p(x) = \sum^n_{i=0} p_i x^i$ is done by computing |
||||
|
|
||||
|
$$c=[p(\tau)]_1$$ |
||||
|
|
||||
|
which is computed by $c = \sum^{deg(p(x))}_{i=0} [\tau^i] \cdot p_i$. |
||||
|
|
||||
|
The prover would send the commitment to the polynomial $c$, and then the verifier would choose a value $z \in \mathbb{F}_p$, where $\mathbb{F}_p$ is the finite field of the polynomial. |
||||
|
|
||||
|
#### Evalutaion proofs |
||||
|
To prove an evaluation of the polynomial at the choosen value $z$ such that $p(z)=y$, a quotient polynomial is computed: $q(x) = \frac{p(x)-y}{x-z}$. This polynomial is the proof that $p(z)=y$, as if $q$ exists it means that $p(x)-y$ is divisible by $x-z$, which means that it has a root at $z$, being $p(z)-y=0$. |
||||
|
|
||||
|
Then, the evaluation proof is |
||||
|
|
||||
|
$$\pi = [q(\tau)]_1$$ |
||||
|
|
||||
|
which, as when computing $c$, is computed by $\pi=\sum^{deg(q(x))}_{i=0} [\tau^i] \cdot q_i$. |
||||
|
|
||||
|
Once computed, the prover would send this evaluation proof $\pi$ to the verifier. |
||||
|
|
||||
|
#### Verifying an evaluation proof |
||||
|
In order to verify an evaluation proof, the verifier has the commitment $c=[p(\tau)]_1$, the evaluation $y=p(z)$, and the proof $\pi=[q(\tau)]_1$. |
||||
|
|
||||
|
So, the verifier can check the [pairing](https://en.wikipedia.org/wiki/Pairing-based_cryptography) evaluation: |
||||
|
$$\hat{e}(\pi, [\tau]_2 - [z]_2) == \hat{e}(c - [y]_1, H)$$ |
||||
|
|
||||
|
Where $[\tau]_2$ comes from the Trusted Setup, $[z]_2$ is point at which the polynomial is evaluated, and $[y]_1$ is the claimed value p(z). And $\pi$ and $c$ are given by the prover. |
||||
|
|
||||
|
We can unroll that last equivalence, and see that: |
||||
|
|
||||
|
$$ |
||||
|
\hat{e}(\pi, [\tau]_2 - [z]_2) == \hat{e}(c - [y]_1, H)\newline |
||||
|
\Rightarrow \hat{e}([q(\tau)]_1, [\tau-z]_2) == \hat{e}([p(\tau)]_1 - [y]_1, H)\newline |
||||
|
\Rightarrow [q(\tau) \cdot (\tau-z)]_T == [p(\tau) - y]_T |
||||
|
$$ |
||||
|
|
||||
|
We can see that is the equation $q(x)(x-z)=p(x)-y$, which can be expressed as $q(x) = \frac{p(x) - y}{x-z}$, evaluated at $\tau$ from the *trusted setup*, which is not known: $q(\tau) = \frac{p(\tau) - y}{\tau-z}$. |
||||
|
|
||||
|
### Conclusions |
||||
|
The content covered in this notes is just a quick overview, but allows us to see the potential of the scheme. One next iteration from what we've seen is the approach to do batch proofs, which allows us to evaluate at multiple points with a single evaluation proof. This scheme can be used as a *vector commitment*, using a polynomial where the $p(i) = x_i$ for all values of $x_i$ of the vector, which can be obtained from the $x_i$ values and computing the [Lagrange interpolation](https://en.wikipedia.org/wiki/Lagrange_polynomial). This is quite useful combined with the mentioned batch proofs. |
||||
|
|
||||
|
As a final note, in order to try to digest the notes, I've did a *toy implementation* of this scheme at https://github.com/arnaucube/kzg-commitments-study. It's quite simple, but contains the logic overviewed in this notes. |
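Review bot: the sizes in the "Trusted setup" and "Commitments" parts of this file do not line up: the setup provides $[\tau^i]_1$ only for $i=0,...,n-1$ (n elements), but the committed polynomial is written $p(x) = \sum^n_{i=0} p_i x^i$, which has n+1 coefficients, so $[\tau^n]_1$ would be needed and is missing; either bound the polynomial as $\sum^{n-1}_{i=0} p_i x^i$ or extend the setup to $i=0,...,n$. In the same part, the sums `c = \sum^{deg(p(x))}_{i=0} [\tau^i] \cdot p_i` and `\pi=\sum^{deg(q(x))}_{i=0} [\tau^i] \cdot q_i` drop the group subscript; write `[\tau^i]_1` so they match $c=[p(\tau)]_1$ and $\pi=[q(\tau)]_1$ and the notation box. Spelling and grammar in the hunk: the heading "Evalutaion proofs" should be "Evaluation proofs", "choosen" should be "chosen", "is point at which" should be "is the point at which", "the claimed value p(z)" should put `p(z)` in math mode, "this notes" (used three times) should be "these notes", and "I've did" should be "I did".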
@ -0,0 +1,5 @@ |
|||||
|
### Notes on KZG polynomial commitments |
||||
|
In the following notes I've tried to summarize the KZG Commitments scheme with the concepts that helped me to follow the reasoning. |
||||
|
|
||||
|
*2021-08-05* |
||||
|
|
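Review bot: the `### Notes on KZG polynomial commitments` heading in this summary file uses a different level from the `##` heading the article file itself uses, and the intro sentence is a verbatim copy of the sentence in the article body; if this file is the index entry, consider having the generator take title, description and date from one place so the copies cannot drift. The drift is already visible in this commit: the HTML `<meta name="description">` reads "KZG Commitment scheme" while this file and the article read "KZG Commitments scheme".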
@ -0,0 +1,192 @@ |
|||||
|
<!DOCTYPE html> |
||||
|
<html lang="en"> |
||||
|
|
||||
|
<head> |
||||
|
<meta name="description" content="In the following notes I've tried to summarize the KZG Commitment scheme with the concepts that helped me to follow the reasoning." /> |
||||
|
<meta charset="utf-8"> |
||||
|
<title> Notes on KZG polynomial commitments - arnaucube</title> |
||||
|
<meta name="title" content=" Notes on KZG polynomial commitments - arnaucube"> |
||||
|
<meta name="description" content="In the following notes I've tried to summarize the KZG Commitment scheme with the concepts that helped me to follow the reasoning."> |
||||
|
|
||||
|
<meta property="og:title" content=" Notes on KZG polynomial commitments - arnaucube" /> |
||||
|
<meta property="og:description" content="In the following notes I've tried to summarize the KZG Commitment scheme with the concepts that helped me to follow the reasoning." /> |
||||
|
<meta property="og:url" content="https://arnaucube.com/blog/kzg-commitments.html" /> |
||||
|
<meta property="og:type" content="article" /> |
||||
|
<meta property="og:image" content="https://arnaucube.com/blog/" /> |
||||
|
<meta name="twitter:title" content=" Notes on KZG polynomial commitments - arnaucube"> |
||||
|
<meta name="twitter:description" content="In the following notes I've tried to summarize the KZG Commitment scheme with the concepts that helped me to follow the reasoning."> |
||||
|
<meta name="twitter:image" content="https://arnaucube.com/blog/"> |
||||
|
<meta name="twitter:card" content="summary_large_image"> |
||||
|
<meta name="author" content="arnaucube"> |
||||
|
|
||||
|
<meta name="viewport" content="width=device-width, initial-scale=1"> |
||||
|
|
||||
|
<link href="https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-EVSTQN3/azprG1Anm3QDgpJLIm9Nao0Yz1ztcQTwFspd3yD65VohhpuuCOmLASjC" crossorigin="anonymous"> |
||||
|
<link rel="stylesheet" href="css/style.css"> |
||||
|
|
||||
|
<!-- highlightjs --> |
||||
|
<!-- <link rel="stylesheet" href="js/highlightjs/atom-one-dark.css"> --> |
||||
|
<link rel="stylesheet" href="js/highlightjs/gruvbox-dark.css"> |
||||
|
<script src="js/highlightjs/highlight.pack.js"></script> |
||||
|
|
||||
|
<!-- katex --> |
||||
|
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/katex@0.13.11/dist/katex.min.css" integrity="sha384-Um5gpz1odJg5Z4HAmzPtgZKdTBHZdw8S29IecapCSB31ligYPhHQZMIlWLYQGVoc" crossorigin="anonymous"> |
||||
|
</head> |
||||
|
|
||||
|
<body> |
||||
|
|
||||
|
<!-- o_gradient_background" --> |
||||
|
<nav id="mainNav" class="navbar navbar-default navbar-fixed-top" |
||||
|
style="height:50px;font-size:130%;"> |
||||
|
<div class="container"> |
||||
|
<a href="/blog" style="color:#000;">Blog index</a> |
||||
|
<a href="/" style="color:#000;float:right;">arnaucube.com</a> |
||||
|
</div> |
||||
|
<img style="height:5px; width:100%; margin-top:8px;" src="img/gradient-line.jpg" /> |
||||
|
</nav> |
||||
|
|
||||
|
|
||||
|
|
||||
|
<div class="container" style="margin-top:40px;max-width:800px;"> |
||||
|
<h2>Notes on KZG polynomial commitments</h2> |
||||
|
|
||||
|
<p><em>2021-08-05</em></p> |
||||
|
|
||||
|
<blockquote> |
||||
|
<p><strong>Warning</strong>: I want to state clearly that I’m not a mathematician, I’m just an amateur on math studying in my free time, and this article is just an attempt to try to sort the notes that I took while reading about the KZG Commitments.</p> |
||||
|
</blockquote> |
||||
|
|
||||
|
<p>Few weeks ago I started reading about <a href="https://www.iacr.org/archive/asiacrypt2010/6477178/6477178.pdf">KZG Commitments</a> from the articles written by <a href="https://dankradfeist.de/ethereum/2020/06/16/kate-polynomial-commitments.html">Dankrad Feist</a>, by <a href="https://hackmd.io/@tompocock/Hk2A7BD6U">Tom Walton-Pocock</a> and by <a href="https://alinush.github.io/2020/05/06/kzg-polynomial-commitments.html">Alin Tomescu</a>. I want to thank them, because their articles helped me to understand a bit the concepts. I recommend spending the time reading their articles instead of this current notes.</p> |
||||
|
|
||||
|
<div class="row"> |
||||
|
<div class="col-md-7"> |
||||
|
<br> |
||||
|
In the following notes I've tried to summarize the KZG Commitments scheme with the concepts that helped me to follow the reasoning. |
||||
|
</div> |
||||
|
<div class="col-md-5" style="font-size:90%; padding:10px;border:1px solid #cfcfcf;"> |
||||
|
<b>Notation:</b><br> |
||||
|
$[x]_1 = x G \in \mathbb{G}_1\newline |
||||
|
[x]_2 = x H \in \mathbb{G}_2$ |
||||
|
<br>Where $\mathbb{G}_1 = \langle G \rangle$ and $\mathbb{G}_2 = \langle H \rangle$. |
||||
|
<br>In other words: $G$ is the generator of $\mathbb{G}_1$, and $H$ is the generator of $\mathbb{G}_2$ |
||||
|
</div> |
||||
|
</div> |
||||
|
|
||||
|
<h4>Trusted setup</h4> |
||||
|
|
||||
|
<p>First of all, we need to generate a <em>Trusted Setup</em> that will be used later in the rest of steps. Here, the concept of <em>Trusted Setup</em> is quite similar to what we are familiar when dealing with other zk protocols such zkSNARKs, but with the advantage that for the <em>KZG Commitments</em> the nature of its <em>Trusted Setup</em> allows to have some kind of ‘global’ <em>Trusted Setup</em> that can be used for different polynomials.</p> |
||||
|
|
||||
|
<p>It should be computed in a <em>Multi-Party Computation</em> (<em>MPC</em>) fashion, and ensuring that at least one of the participants is honest, in order to ensure that the original parameter $\tau$ can not be restored.</p> |
||||
|
|
||||
|
<p>The parameters of the <em>Trusted Setup</em> are generated by generating a random $\tau \in \mathbb{F}_p$, and from this parameter we can compute $[\tau^i]_1$ and $[\tau^i]_2$ for $i=0,…,n-1$:</p> |
||||
|
|
||||
|
<p>$$ |
||||
|
[\tau^i]_1 = ([\tau^0]_1, [\tau^1]_1, [\tau^2]_1, …, [\tau^{n-1}]_1)\newline |
||||
|
[\tau^i]_2 = ([\tau^0]_2, [\tau^1]_2, [\tau^2]_2, …, [\tau^{n-1}]_2) |
||||
|
$$</p> |
||||
|
|
||||
|
<p>Which in additive representation is: |
||||
|
$$ |
||||
|
(G, \tau G, \tau^2 G, …, \tau^{n-1} G) \in \mathbb{G}_1\newline |
||||
|
(H, \tau H, \tau^2 H, …, \tau^{n-1} H) \in \mathbb{G}_2 |
||||
|
$$</p> |
||||
|
|
||||
|
<p>The ‘intuition’ about the <em>Trusted Setup</em> is that is like encrypting a secret value ($\tau$) that later will be used in the ‘encrypted’ form to evaluate the polynomials.</p> |
||||
|
|
||||
|
<h4>Commitments</h4> |
||||
|
|
||||
|
<p>A commitment to a polynomial $p(x) = \sum^n_{i=0} p_i x^i$ is done by computing</p> |
||||
|
|
||||
|
<p>$$c=[p(\tau)]_1$$</p> |
||||
|
|
||||
|
<p>which is computed by $c = \sum^{deg(p(x))}_{i=0} [\tau^i] \cdot p_i$.</p> |
||||
|
|
||||
|
<p>The prover would send the commitment to the polynomial $c$, and then the verifier would choose a value $z \in \mathbb{F}_p$, where $\mathbb{F}_p$ is the finite field of the polynomial.</p> |
||||
|
|
||||
|
<h4>Evalutaion proofs</h4> |
||||
|
|
||||
|
<p>To prove an evaluation of the polynomial at the choosen value $z$ such that $p(z)=y$, a quotient polynomial is computed: $q(x) = \frac{p(x)-y}{x-z}$. This polynomial is the proof that $p(z)=y$, as if $q$ exists it means that $p(x)-y$ is divisible by $x-z$, which means that it has a root at $z$, being $p(z)-y=0$.</p> |
||||
|
|
||||
|
<p>Then, the evaluation proof is</p> |
||||
|
|
||||
|
<p>$$\pi = [q(\tau)]_1$$</p> |
||||
|
|
||||
|
<p>which, as when computing $c$, is computed by $\pi=\sum^{deg(q(x))}_{i=0} [\tau^i] \cdot q_i$.</p> |
||||
|
|
||||
|
<p>Once computed, the prover would send this evaluation proof $\pi$ to the verifier.</p> |
||||
|
|
||||
|
<h4>Verifying an evaluation proof</h4> |
||||
|
|
||||
|
<p>In order to verify an evaluation proof, the verifier has the commitment $c=[p(\tau)]_1$, the evaluation $y=p(z)$, and the proof $\pi=[q(\tau)]_1$.</p> |
||||
|
|
||||
|
<p>So, the verifier can check the <a href="https://en.wikipedia.org/wiki/Pairing-based_cryptography">pairing</a> evaluation: |
||||
|
$$\hat{e}(\pi, [\tau]_2 - [z]_2) == \hat{e}(c - [y]_1, H)$$</p> |
||||
|
|
||||
|
<p>Where $[\tau]_2$ comes from the Trusted Setup, $[z]_2$ is point at which the polynomial is evaluated, and $[y]_1$ is the claimed value p(z). And $\pi$ and $c$ are given by the prover.</p> |
||||
|
|
||||
|
<p>We can unroll that last equivalence, and see that:</p> |
||||
|
|
||||
|
<p>$$ |
||||
|
\hat{e}(\pi, [\tau]_2 - [z]_2) == \hat{e}(c - [y]_1, H)\newline |
||||
|
\Rightarrow \hat{e}([q(\tau)]_1, [\tau-z]_2) == \hat{e}([p(\tau)]_1 - [y]_1, H)\newline |
||||
|
\Rightarrow [q(\tau) \cdot (\tau-z)]_T == [p(\tau) - y]_T |
||||
|
$$</p> |
||||
|
|
||||
|
<p>We can see that is the equation $q(x)(x-z)=p(x)-y$, which can be expressed as $q(x) = \frac{p(x) - y}{x-z}$, evaluated at $\tau$ from the <em>trusted setup</em>, which is not known: $q(\tau) = \frac{p(\tau) - y}{\tau-z}$.</p> |
||||
|
|
||||
|
<h3>Conclusions</h3> |
||||
|
|
||||
|
<p>The content covered in this notes is just a quick overview, but allows us to see the potential of the scheme. One next iteration from what we’ve seen is the approach to do batch proofs, which allows us to evaluate at multiple points with a single evaluation proof. This scheme can be used as a <em>vector commitment</em>, using a polynomial where the $p(i) = x_i$ for all values of $x_i$ of the vector, which can be obtained from the $x_i$ values and computing the <a href="https://en.wikipedia.org/wiki/Lagrange_polynomial">Lagrange interpolation</a>. This is quite useful combined with the mentioned batch proofs.</p> |
||||
|
|
||||
|
<p>As a final note, in order to try to digest the notes, I’ve did a <em>toy implementation</em> of this scheme at <a href="https://github.com/arnaucube/kzg-commitments-study">https://github.com/arnaucube/kzg-commitments-study</a>. It’s quite simple, but contains the logic overviewed in this notes.</p> |
||||
|
|
||||
|
</div> |
||||
|
|
||||
|
<footer style="text-align:center; margin-top:100px;margin-bottom:50px;"> |
||||
|
<div class="container"> |
||||
|
<div class="row"> |
||||
|
<ul class="list-inline"> |
||||
|
<li><a href="https://twitter.com/arnaucube" |
||||
|
style="color:gray;text-decoration:none;" |
||||
|
target="_blank">twitter.com/arnaucube</a> |
||||
|
</li> |
||||
|
<li><a href="https://github.com/arnaucube" |
||||
|
style="color:gray;text-decoration:none;" |
||||
|
target="_blank">github.com/arnaucube</a> |
||||
|
</li> |
||||
|
</ul> |
||||
|
</div> |
||||
|
<div class="row" style="display:inline-block;"> |
||||
|
Blog made with <a href="http://github.com/arnaucube/blogo/" |
||||
|
target="_blank" style="color: gray;text-decoration:none;">Blogo</a> |
||||
|
</div> |
||||
|
</div> |
||||
|
</footer> |
||||
|
|
||||
|
<script> |
||||
|
</script> |
||||
|
<script src="js/external-links.js"></script> |
||||
|
<script>hljs.initHighlightingOnLoad();</script> |
||||
|
<script defer src="https://cdn.jsdelivr.net/npm/katex@0.13.11/dist/katex.min.js" integrity="sha384-YNHdsYkH6gMx9y3mRkmcJ2mFUjTd0qNQQvY9VYZgQd7DcN7env35GzlmFaZ23JGp" crossorigin="anonymous"></script> |
||||
|
<script defer src="https://cdn.jsdelivr.net/npm/katex@0.13.11/dist/contrib/auto-render.min.js" integrity="sha384-vZTG03m+2yp6N6BNi5iM4rW4oIwk5DfcNdFfxkk9ZWpDriOkXX8voJBFrAO7MpVl" crossorigin="anonymous"></script> |
||||
|
<script> |
||||
|
document.addEventListener("DOMContentLoaded", function() { |
||||
|
renderMathInElement(document.body, { |
||||
|
displayMode: false, |
||||
|
// customised options |
||||
|
// • auto-render specific keys, e.g.: |
||||
|
delimiters: [ |
||||
|
{left: '$$', right: '$$', display: true}, |
||||
|
{left: '$', right: '$', display: false}, |
||||
|
], |
||||
|
// • rendering keys, e.g.: |
||||
|
throwOnError : true |
||||
|
}); |
||||
|
}); |
||||
|
</script> |
||||
|
<script src="https://cdn.jsdelivr.net/npm/mermaid/dist/mermaid.min.js"></script> |
||||
|
|
||||
|
|
||||
|
</body> |
||||
|
</html> |
||||
|
|
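Review bot: the `<script src="https://cdn.jsdelivr.net/npm/mermaid/dist/mermaid.min.js"></script>` include near the end of `<body>` pulls an unpinned version from the CDN with no `integrity` attribute, unlike the bootstrap and KaTeX includes in the same file, so whatever jsDelivr serves as the latest mermaid build runs with full access to the page on every view; pin the version and add an SRI hash, or drop the include entirely since the page contains no mermaid diagram. Smaller points in the same hunk: the empty `<script>` `</script>` pair just before `js/external-links.js` is dead markup and can be removed; `og:image` and `twitter:image` both point at `https://arnaucube.com/blog/`, which is a directory rather than an image, while `twitter:card` is `summary_large_image`, so link previews will show a broken image; `<meta name="description">` appears twice in `<head>` (the first one before `<meta charset="utf-8">`, which should come first); and `throwOnError : true` in the `renderMathInElement` call means one malformed formula aborts rendering of all math on the page, where `throwOnError: false` would render only the bad formula as an error.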