Add batch proof in kzg commitments post

master
arnaucube 3 years ago
parent
commit
e043736ee6
4 changed files with 66 additions and 1 deletions
  1. +5
    -0
      blogo-input/blogo.json
  2. +56
    -0
      blogo-input/posts/kzg-batch-proof.md
  3. +4
    -0
      blogo-input/posts/kzg-batch-proof_thumb.md
  4. +1
    -1
      blogo-input/posts/kzg-commitments.md

+ 5
- 0
blogo-input/blogo.json

@ -8,6 +8,11 @@
"metadescr": "arnaucube blog", "metadescr": "arnaucube blog",
"metaimg": "img/logoArnauCube.png", "metaimg": "img/logoArnauCube.png",
"posts": [ "posts": [
{
"thumb": "kzg-batch-proof_thumb.md",
"md": "kzg-batch-proof.md",
"metadescr": "The benefit of batch proof is that allows us to proof multiple points while the proof size remains constant to one G1 point."
},
{ {
"thumb": "kzg-commitments_thumb.md", "thumb": "kzg-commitments_thumb.md",
"md": "kzg-commitments.md", "md": "kzg-commitments.md",
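Review bot: The new `metadescr` string reads "is that allows us to proof multiple points", which drops the subject and uses the noun "proof" where the verb "prove" is meant. Going by the key name, this string is what ends up as the post's meta description, so it is worth getting right: suggest "The benefit of batch proofs is that they allow us to prove evaluations at multiple points while the proof size stays constant at one G1 point."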

+ 56
- 0
blogo-input/posts/kzg-batch-proof.md

@ -0,0 +1,56 @@
## Batch proof in KZG Commitments
*2021-08-14*
> **Warning**: I want to state clearly that I'm not a mathematician, I'm just an amateur on math studying in my free time, and this article is just an attempt to try to sort the notes that I took while reading about the KZG Commitments.
Last week I posted some *[notes on KZG Commitmens](https://arnaucube.com/blog/kzg-commitments.html)*, which overviews the scheme for single proofs. The current notes, try to overview the *batch proof* iteraton on KZG Commitments, and the *vector commitment* usage of it. Again (as in the previous post), big thanks to [Dankrad Feist](https://dankradfeist.de/ethereum/2020/06/16/kate-polynomial-commitments.html) and [Alin Tomescu](https://alinush.github.io/2020/05/06/kzg-polynomial-commitments.html) for their articles which helped me to follow a bit the reasoing behind this, and again, I recommend spending the time reading their articles instead of this current notes.
#### Batch proof
The benefit of *batch proof* is that allows us to proof multiple points while the proof size remains constant to one $\mathbb{G}_1$ point.
Let $(z_0, y_0), (z_1, y_1), ..., (z_k, y_k)$ be the points that we want to proof, and that we have a polynomial $p(x)$ that goes through the points.
The *commitment* to the polynomial stands the same than for single proofs: $c=[p(\tau)]_1$.
For the evaluation proof, while in the single proofs we compute $q(x) = \frac{p(x)-y}{x-z}$, we will replace $y$ and $x-z$ by the following two polynomials.
The constant $y$ is replaced by a polynomial that has roots at all the points that we want to prove. This is achieved by computing the [Lagrange interpolation](https://en.wikipedia.org/wiki/Lagrange_polynomial) for the given set of points:
$$
I(x) = \sum_{j=0}^k y_j l_j(x)\newline
where \space\space\space l_j(x) = \prod\_{0\leq m \leq k} \frac{x-x_m}{x_j - x_m}
$$
And the $x-z$, which was to ensure that $q(x)$ had a root at $z$, now, as we want to ensure that $q(x)$ has roots at all the points of the commitment, we will use the *zero polynomial*:
$$
Z(x) = \prod_{i=0}^{k} x-z_i =\newline
=(x-z_0)(x-z_1)...(x-z_k)
$$
This polynomial ensures that when $x=z_i$ ($z_i$ being one of our points), the polynomial evaluation will be zero.
Now we can put $I(x)$ and $Z(x)$ in place, obtaining $q(x)=\frac{p(x)-I(x)}{Z(x)}$. And the batch proof evaluation is obtained by $\pi=[q(\tau)]_1$.
The verification is quite similar than what we did for single proofs, but using the mentioned $z(x)$ and $I(x)$:
$$
\hat{e}(\pi, [Z(\tau)]_2) == \hat{e}(c - [I(\tau)]_1, H)
$$
Which, as we did with the single proofs in the previous post, we can unroll it and see that:
$$
\hat{e}(\pi, [Z(\tau)]_2) == \hat{e}(c - [I(\tau)]_1, H)\newline
\Rightarrow \hat{e}([q(\tau)]_1, [Z(\tau)]_2) == \hat{e}([p(\tau)]_1 - [I(\tau)]_1, H)\newline
\Rightarrow [q(\tau) \cdot Z(\tau)]_T == [p(\tau) - I(\tau)]_T
$$
From where we see that is the equation $q(x)\cdot Z(x)=p(x)-I(x)$, which can be expressed as $q(x) = \frac{p(x) - I(x)}{Z(x)}$, evaluated at $\tau$ from the trusted setup, which is not known: $q(\tau) = \frac{p(\tau) - I(\tau)}{Z(\tau)}$.
#### Vector commitments
As mentioned earlier, this scheme can be used as a *vector commitment* scheme.
A vector commitment allows a prover to commit to a vector and later proof that a certain value belongs to that vector. As a traditional example, we can think of *Merkle Trees*, where we can commit to a vector of values, which are placed in the tree leafs. Then we compute the *root* which acts as the commitment. Then we can provide a proof that a certain leaf belongs to the vector for the commitment (*root*) that we showed earlier.
The problem with Merkle Trees is that the proof size grows linearly with the size of the tree, as it contains the siblings from the leaf to the root. Here is where *KZG Commitments* can be benefitial, as the proof always stands with the same size, one $\mathbb{G}_1$ point, no matter of how many points we are batching.
We can use KZG Commitments as a vector commitment scheme by mapping the *vector* as a batch of points that build the polynomial, so when commiting to the polynomial we are commiting to the vector. Then, it's a matter of using the *batch proof* approach explained above in order to proof multiple elements of the vector in a single proof that can be verified later.
#### Final note
I'm fascinated by this scheme and its potential. One next rabbit hole (related to KZG Commitments) to look at, would be the [Plonk](https://vitalik.ca/general/2019/09/22/plonk.html) and other similar constructions. Also, another use case that is getting attention in the Ethereum community is the [*Verkle Trees*](https://vitalik.ca/general/2021/06/18/verkle.html).
As in the previous notes, in order to try to put in practice the concepts, I've added the *batch proof* logic at https://github.com/arnaucube/kzg-commitments-study.
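Review bot: The Lagrange basis in the $I(x)$ block is not well defined as written: the product `\prod\_{0\leq m \leq k} \frac{x-x_m}{x_j - x_m}` includes the term $m = j$, whose denominator is $x_j - x_j = 0$, and it names the evaluation points $x_m$, $x_j$ where the rest of the post calls them $z_i$. Suggest $l_j(x) = \prod_{0\leq m \leq k,\ m \neq j} \frac{x-z_m}{z_j - z_m}$, and dropping the backslash in `\prod\_`, which some renderers will show as a literal underscore. Related to this, the sentence introducing the block says the constant $y$ is replaced by a polynomial that "has roots at all the points that we want to prove", but $I(x)$ takes the value $y_i$ at each $z_i$; it is $p(x)-I(x)$ that vanishes at every $z_i$, which is what makes the division by $Z(x)$ exact. Smaller points: the verification paragraph writes $z(x)$ for $Z(x)$; $H$ appears in the pairing equation without being introduced in this post; a Merkle proof made of "the siblings from the leaf to the root" grows with the depth of the tree (logarithmic in the number of leaves), not linearly with its size; and there are typos in "Commitmens", "iteraton", "reasoing", "benefitial" and "commiting".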

+ 4
- 0
blogo-input/posts/kzg-batch-proof_thumb.md

@ -0,0 +1,4 @@
### Batch proof in KZG Commitments
The benefit of *batch proof* is that allows us to proof multiple points while the proof size remains constant to one $\mathbb{G}_1$ point.
*2021-08-14*
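Review bot: The teaser line "is that allows us to proof multiple points" is missing "it" and uses "proof" as a verb; suggest "is that it allows us to prove multiple points while the proof size remains constant at one $\mathbb{G}_1$ point". The sentence is copied verbatim from the post body and from the `metadescr` entry in blogo.json, so the three copies should be corrected together.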

+ 1
- 1
blogo-input/posts/kzg-commitments.md

@ -78,6 +78,6 @@ $$
We can see that is the equation $q(x)(x-z)=p(x)-y$, which can be expressed as $q(x) = \frac{p(x) - y}{x-z}$, evaluated at $\tau$ from the *trusted setup*, which is not known: $q(\tau) = \frac{p(\tau) - y}{\tau-z}$. We can see that is the equation $q(x)(x-z)=p(x)-y$, which can be expressed as $q(x) = \frac{p(x) - y}{x-z}$, evaluated at $\tau$ from the *trusted setup*, which is not known: $q(\tau) = \frac{p(\tau) - y}{\tau-z}$.
### Conclusions ### Conclusions
The content covered in this notes is just a quick overview, but allows us to see the potential of the scheme. One next iteration from what we've seen is the approach to do batch proofs, which allows us to evaluate at multiple points with a single evaluation proof. This scheme can be used as a *vector commitment*, using a polynomial where the $p(i) = x_i$ for all values of $x_i$ of the vector, which can be obtained from the $x_i$ values and computing the [Lagrange interpolation](https://en.wikipedia.org/wiki/Lagrange_polynomial). This is quite useful combined with the mentioned batch proofs.
The content covered in this notes is just a quick overview, but allows us to see the potential of the scheme. One next iteration from what we've seen is the approach to do batch proofs, which allows us to evaluate at multiple points with a single evaluation proof. This scheme can be used as a *vector commitment*, using a polynomial where the $p(i) = x_i$ for all values of $x_i$ of the vector, which can be obtained from the $x_i$ values and computing the [Lagrange interpolation](https://en.wikipedia.org/wiki/Lagrange_polynomial). This is quite useful combined with the mentioned batch proofs. The *batch proofs* logic can be found at the [blog/kzg-batch-proof](https://arnaucube.com/blog/kzg-batch-proof.html) notes (kind of the continuation of the current notes).
As a final note, in order to try to digest the notes, I've did a *toy implementation* of this scheme at https://github.com/arnaucube/kzg-commitments-study. It's quite simple, but contains the logic overviewed in this notes. As a final note, in order to try to digest the notes, I've did a *toy implementation* of this scheme at https://github.com/arnaucube/kzg-commitments-study. It's quite simple, but contains the logic overviewed in this notes.
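Review bot: The sentence added at the end of the Conclusions paragraph sends the reader to the batch-proof notes, but the paragraph it extends names the vector values $x_i$ with $p(i) = x_i$, while the linked post writes the points as $(z_i, y_i)$ and uses $x_m$ for evaluation points in its Lagrange formula, so a reader following the link meets $x$ with two different meanings. Suggest aligning the notation across the two posts, for example $p(i) = y_i$ here. The parenthetical "kind of the continuation of the current notes" could be tightened to "the continuation of these notes", and since the paragraph is being touched anyway, the context line below it still reads "I've did".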
