Gen html, small md-LaTeX fixes

arnaucube
2022-05-15 22:00:06 +02:00
parent b5e52d04d2
commit e766aa9016
97 changed files with 46759 additions and 150 deletions

@@ -21,7 +21,7 @@
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href="https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-EVSTQN3/azprG1Anm3QDgpJLIm9Nao0Yz1ztcQTwFspd3yD65VohhpuuCOmLASjC" crossorigin="anonymous">
<link href="css/bootstrap.min.css" rel="stylesheet">
<link rel="stylesheet" href="css/style.css">
<!-- highlightjs -->
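Review bot: The local path css/bootstrap.min.css on the replacement stylesheet line no longer says which Bootstrap release it is, whereas the CDN URL it replaces named 5.0.2. Suggest keeping the version visible, either in the file name or in an HTML comment next to the link, so a later upgrade or audit of the vendored file has something to compare against.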
@@ -30,7 +30,7 @@
<script src="js/highlightjs/highlight.pack.js"></script>
<!-- katex -->
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/katex@0.13.11/dist/katex.min.css" integrity="sha384-Um5gpz1odJg5Z4HAmzPtgZKdTBHZdw8S29IecapCSB31ligYPhHQZMIlWLYQGVoc" crossorigin="anonymous">
<link rel="stylesheet" href="js/katex/katex.min.css">
</head>
<body>
@@ -83,67 +83,53 @@
<p>First of all, we need to generate a <em>Trusted Setup</em> that will be used later in the rest of steps. Here, the concept of <em>Trusted Setup</em> is quite similar to what we are familiar when dealing with other zk protocols such zkSNARKs, but with the advantage that for the <em>KZG Commitments</em> the nature of its <em>Trusted Setup</em> allows to have some kind of &lsquo;global&rsquo; <em>Trusted Setup</em> that can be used for different polynomials.</p>
<p>It should be computed in a <em>Multi-Party Computation</em> (<em>MPC</em>) fashion, and ensuring that at least one of the participants is honest, in order to ensure that the original parameter $\tau$ can not be restored.</p>
<p>It should be computed in a <em>Multi-Party Computation</em> (<em>MPC</em>) fashion, and ensuring that at least one of the participants is honest, in order to ensure that the original parameter <span class="math inline">\(\tau\)</span> can not be restored.</p>
<p>The parameters of the <em>Trusted Setup</em> are generated by generating a random $\tau \in \mathbb{F}_p$, and from this parameter we can compute $[\tau^i]_1$ and $[\tau^i]_2$ for $i=0,&hellip;,n-1$:</p>
<p>$$
[\tau^i]_1 = ([\tau^0]_1, [\tau^1]_1, [\tau^2]_1, &hellip;, [\tau^{n-1}]_1)\newline
[\tau^i]_2 = ([\tau^0]_2, [\tau^1]_2, [\tau^2]_2, &hellip;, [\tau^{n-1}]_2)
$$</p>
<p>Which in additive representation is:
$$
(G, \tau G, \tau^2 G, &hellip;, \tau^{n-1} G) \in \mathbb{G}_1\newline
(H, \tau H, \tau^2 H, &hellip;, \tau^{n-1} H) \in \mathbb{G}_2
$$</p>
<p>The &lsquo;intuition&rsquo; about the <em>Trusted Setup</em> is that is like encrypting a secret value ($\tau$) that later will be used in the &lsquo;encrypted&rsquo; form to evaluate the polynomials.</p>
<p>The parameters of the <em>Trusted Setup</em> are generated by generating a random <span class="math inline">\(\tau \in \mathbb{F}_p\)</span>, and from this parameter we can compute <span class="math inline">\([\tau^i]_1\)</span> and <span class="math inline">\([\tau^i]_2\)</span> for <span class="math inline">\(i=0,...,n-1\)</span>:</p>
<p><span class="math display">\[
[\tau^i]_1 = ([\tau^0]_1, [\tau^1]_1, [\tau^2]_1, ..., [\tau^{n-1}]_1)\newline
[\tau^i]_2 = ([\tau^0]_2, [\tau^1]_2, [\tau^2]_2, ..., [\tau^{n-1}]_2)
\]</span></p><p>Which in additive representation is:</p>
<p><span class="math display">\[
(G, \tau G, \tau^2 G, ..., \tau^{n-1} G) \in \mathbb{G}_1\newline
(H, \tau H, \tau^2 H, ..., \tau^{n-1} H) \in \mathbb{G}_2
\]</span></p><p>The &lsquo;intuition&rsquo; about the <em>Trusted Setup</em> is that is like encrypting a secret value (<span class="math inline">\(\tau\)</span>) that later will be used in the &lsquo;encrypted&rsquo; form to evaluate the polynomials.</p>
<h4>Commitments</h4>
<p>A commitment to a polynomial $p(x) = \sum^n_{i=0} p_i x^i$ is done by computing</p>
<p>A commitment to a polynomial <span class="math inline">\(p(x) = \sum^n_{i=0} p_i x^i\)</span> is done by computing</p>
<p><span class="math display">\[c=[p(\tau)]_1\]</span></p><p>which is computed by <span class="math inline">\(c = \sum^{deg(p(x))}_{i=0} [\tau^i] \cdot p_i\)</span>.</p>
<p>$$c=[p(\tau)]_1$$</p>
<p>which is computed by $c = \sum^{deg(p(x))}_{i=0} [\tau^i] \cdot p_i$.</p>
<p>The prover would send the commitment to the polynomial $c$, and then the verifier would choose a value $z \in \mathbb{F}_p$, where $\mathbb{F}_p$ is the finite field of the polynomial.</p>
<p>The prover would send the commitment to the polynomial <span class="math inline">\(c\)</span>, and then the verifier would choose a value <span class="math inline">\(z \in \mathbb{F}_p\)</span>, where <span class="math inline">\(\mathbb{F}_p\)</span> is the finite field of the polynomial.</p>
<h4>Evalutaion proofs</h4>
<p>To prove an evaluation of the polynomial at the choosen value $z$ such that $p(z)=y$, a quotient polynomial is computed: $q(x) = \frac{p(x)-y}{x-z}$. This polynomial is the proof that $p(z)=y$, as if $q$ exists it means that $p(x)-y$ is divisible by $x-z$, which means that it has a root at $z$, being $p(z)-y=0$.</p>
<p>To prove an evaluation of the polynomial at the choosen value <span class="math inline">\(z\)</span> such that <span class="math inline">\(p(z)=y\)</span>, a quotient polynomial is computed: <span class="math inline">\(q(x) = \frac{p(x)-y}{x-z}\)</span>. This polynomial is the proof that <span class="math inline">\(p(z)=y\)</span>, as if <span class="math inline">\(q\)</span> exists it means that <span class="math inline">\(p(x)-y\)</span> is divisible by <span class="math inline">\(x-z\)</span>, which means that it has a root at <span class="math inline">\(z\)</span>, being <span class="math inline">\(p(z)-y=0\)</span>.</p>
<p>Then, the evaluation proof is</p>
<p><span class="math display">\[\pi = [q(\tau)]_1\]</span></p><p>which, as when computing <span class="math inline">\(c\)</span>, is computed by <span class="math inline">\(\pi=\sum^{deg(q(x))}_{i=0} [\tau^i] \cdot q_i\)</span>.</p>
<p>$$\pi = [q(\tau)]_1$$</p>
<p>which, as when computing $c$, is computed by $\pi=\sum^{deg(q(x))}_{i=0} [\tau^i] \cdot q_i$.</p>
<p>Once computed, the prover would send this evaluation proof $\pi$ to the verifier.</p>
<p>Once computed, the prover would send this evaluation proof <span class="math inline">\(\pi\)</span> to the verifier.</p>
<h4>Verifying an evaluation proof</h4>
<p>In order to verify an evaluation proof, the verifier has the commitment $c=[p(\tau)]_1$, the evaluation $y=p(z)$, and the proof $\pi=[q(\tau)]_1$.</p>
<p>In order to verify an evaluation proof, the verifier has the commitment <span class="math inline">\(c=[p(\tau)]_1\)</span>, the evaluation <span class="math inline">\(y=p(z)\)</span>, and the proof <span class="math inline">\(\pi=[q(\tau)]_1\)</span>.</p>
<p>So, the verifier can check the <a href="https://en.wikipedia.org/wiki/Pairing-based_cryptography">pairing</a> evaluation:
$$\hat{e}(\pi, [\tau]_2 - [z]_2) == \hat{e}(c - [y]_1, H)$$</p>
$<span class="math inline">\(\hat{e}(\pi, [\tau]_2 - [z]_2) == \hat{e}(c - [y]_1, H)\)</span>$</p>
<p>Where $[\tau]_2$ comes from the Trusted Setup, $[z]_2$ is point at which the polynomial is evaluated, and $[y]_1$ is the claimed value p(z). And $\pi$ and $c$ are given by the prover.</p>
<p>Where <span class="math inline">\([\tau]_2\)</span> comes from the Trusted Setup, <span class="math inline">\([z]_2\)</span> is point at which the polynomial is evaluated, and <span class="math inline">\([y]_1\)</span> is the claimed value p(z). And <span class="math inline">\(\pi\)</span> and <span class="math inline">\(c\)</span> are given by the prover.</p>
<p>We can unroll that last equivalence, and see that:</p>
<p>$$
<p><span class="math display">\[
\hat{e}(\pi, [\tau]_2 - [z]_2) == \hat{e}(c - [y]_1, H)\newline
\Rightarrow \hat{e}([q(\tau)]_1, [\tau-z]_2) == \hat{e}([p(\tau)]_1 - [y]_1, H)\newline
\Rightarrow [q(\tau) \cdot (\tau-z)]_T == [p(\tau) - y]_T
$$</p>
<p>We can see that is the equation $q(x)(x-z)=p(x)-y$, which can be expressed as $q(x) = \frac{p(x) - y}{x-z}$, evaluated at $\tau$ from the <em>trusted setup</em>, which is not known: $q(\tau) = \frac{p(\tau) - y}{\tau-z}$.</p>
\]</span></p><p>We can see that is the equation <span class="math inline">\(q(x)(x-z)=p(x)-y\)</span>, which can be expressed as <span class="math inline">\(q(x) = \frac{p(x) - y}{x-z}\)</span>, evaluated at <span class="math inline">\(\tau\)</span> from the <em>trusted setup</em>, which is not known: <span class="math inline">\(q(\tau) = \frac{p(\tau) - y}{\tau-z}\)</span>.</p>
<h3>Conclusions</h3>
<p>The content covered in this notes is just a quick overview, but allows us to see the potential of the scheme. One next iteration from what we&rsquo;ve seen is the approach to do batch proofs, which allows us to evaluate at multiple points with a single evaluation proof. This scheme can be used as a <em>vector commitment</em>, using a polynomial where the $p(i) = x_i$ for all values of $x_i$ of the vector, which can be obtained from the $x_i$ values and computing the <a href="https://en.wikipedia.org/wiki/Lagrange_polynomial">Lagrange interpolation</a>. This is quite useful combined with the mentioned batch proofs. The <em>batch proofs</em> logic can be found at the <a href="https://arnaucube.com/blog/kzg-batch-proof.html">blog/kzg-batch-proof</a> notes (kind of the continuation of the current notes).</p>
<p>The content covered in this notes is just a quick overview, but allows us to see the potential of the scheme. One next iteration from what we&rsquo;ve seen is the approach to do batch proofs, which allows us to evaluate at multiple points with a single evaluation proof. This scheme can be used as a <em>vector commitment</em>, using a polynomial where the <span class="math inline">\(p(i) = x_i\)</span> for all values of <span class="math inline">\(x_i\)</span> of the vector, which can be obtained from the <span class="math inline">\(x_i\)</span> values and computing the <a href="https://en.wikipedia.org/wiki/Lagrange_polynomial">Lagrange interpolation</a>. This is quite useful combined with the mentioned batch proofs. The <em>batch proofs</em> logic can be found at the <a href="https://arnaucube.com/blog/kzg-batch-proof.html">blog/kzg-batch-proof</a> notes (kind of the continuation of the current notes).</p>
<p>As a final note, in order to try to digest the notes, I&rsquo;ve did a <em>toy implementation</em> of this scheme at <a href="https://github.com/arnaucube/kzg-commitments-study">https://github.com/arnaucube/kzg-commitments-study</a>. It&rsquo;s quite simple, but contains the logic overviewed in this notes.</p>
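Review bot: The converted pairing-check line under "Verifying an evaluation proof" comes out as `$<span class="math inline">\(\hat{e}(\pi, [\tau]_2 - [z]_2) == \hat{e}(c - [y]_1, H)\)</span>$`, so a literal `$` is left on each side of the span and an equation that was a `$$...$$` display block is now inline. Every other display equation in this hunk became `<span class="math display">\[...\]</span>`, so this one looks like a conversion miss; suggest fixing the markdown source so it is emitted as a display span without the dollar signs, then regenerating. While regenerating, the unchanged heading "Evalutaion proofs" could also be corrected in the source.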
@@ -177,8 +163,8 @@ $$</p>
</script>
<script src="js/external-links.js"></script>
<script>hljs.initHighlightingOnLoad();</script>
<script defer src="https://cdn.jsdelivr.net/npm/katex@0.13.11/dist/katex.min.js" integrity="sha384-YNHdsYkH6gMx9y3mRkmcJ2mFUjTd0qNQQvY9VYZgQd7DcN7env35GzlmFaZ23JGp" crossorigin="anonymous"></script>
<script defer src="https://cdn.jsdelivr.net/npm/katex@0.13.11/dist/contrib/auto-render.min.js" integrity="sha384-vZTG03m+2yp6N6BNi5iM4rW4oIwk5DfcNdFfxkk9ZWpDriOkXX8voJBFrAO7MpVl" crossorigin="anonymous"></script>
<script defer src="js/katex/katex.min.js"></script>
<script defer src="js/katex/auto-render.min.js"></script>
<script>
document.addEventListener("DOMContentLoaded", function() {
renderMathInElement(document.body, {
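Review bot: The two local script tags for js/katex/katex.min.js and js/katex/auto-render.min.js drop the integrity attributes that the CDN tags carried, so nothing in the page ties the committed files to katex 0.13.11 any more. Suggest checking that the vendored files hash to the sha384 values on the removed lines before merging, and noting that in the commit message, so the copy in the repository is known to be the same bytes the page loaded before.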
@@ -188,6 +174,8 @@ $$</p>
delimiters: [
{left: '$$', right: '$$', display: true},
{left: '$', right: '$', display: false},
{left: "\\[", right: "\\]", display: true},
{left: "\\(", right: "\\)", display: false},
],
// • rendering keys, e.g.:
throwOnError : true
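Review bot: The delimiters list keeps the `$$` and `$` entries alongside the new `\\[` and `\\(` ones, although the regenerated HTML in this commit emits its math as `\(...\)` and `\[...\]` spans. If all pages are now generated that way, suggest removing the two dollar entries so a literal dollar sign in prose cannot be picked up as a math delimiter; if some pages still rely on them, a short comment here saying which would help. The leftover `// • rendering keys, e.g.:` comment could be dropped at the same time.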
@@ -237,7 +225,7 @@ $$</p>
tagLinks("h4");
tagLinks("h5");
</script>
<script src="https://cdn.jsdelivr.net/npm/mermaid/dist/mermaid.min.js"></script>
<script src="js/mermaid.min.js"></script>
</body>
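Review bot: The local js/mermaid.min.js tag gives no indication of which mermaid release was vendored, and the CDN URL it replaces was unversioned, so the version cannot be recovered from the diff. Suggest recording the release in the file name or in a comment beside the script tag.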