<!DOCTYPE html>
<html lang="en">

  <head>
    <meta name="description" content="In the following notes I've tried to summarize the KZG Commitment scheme with the concepts that helped me to follow the reasoning." />
    <meta charset="utf-8">
    <title> Notes on KZG polynomial commitments - arnaucube - blog</title>
    <meta name="title" content=" Notes on KZG polynomial commitments - arnaucube - blog">
    <meta name="description" content="In the following notes I've tried to summarize the KZG Commitment scheme with the concepts that helped me to follow the reasoning.">

    <meta property="og:title" content=" Notes on KZG polynomial commitments - arnaucube - blog" />
    <meta property="og:description" content="In the following notes I've tried to summarize the KZG Commitment scheme with the concepts that helped me to follow the reasoning." />
    <meta property="og:url" content="https://arnaucube.com/blog/kzg-commitments.html" />
    <meta property="og:type" content="article" />
    <meta property="og:image" content="https://arnaucube.com/blog/" />
    <meta name="twitter:title" content=" Notes on KZG polynomial commitments - arnaucube - blog">
    <meta name="twitter:description" content="In the following notes I've tried to summarize the KZG Commitment scheme with the concepts that helped me to follow the reasoning.">
    <meta name="twitter:image" content="https://arnaucube.com/blog/">
    <meta name="twitter:card" content="summary_large_image">
    <meta name="author" content="arnaucube">

    <link rel="icon" type="image/png" href="img/logoArnauCubeFavicon.png">

    <meta name="viewport" content="width=device-width, initial-scale=1">

    <link href="css/bootstrap.min.css" rel="stylesheet">
    <link rel="stylesheet" href="css/style.css">

    <!-- highlightjs -->
    <!-- <link rel="stylesheet" href="js/highlightjs/atom-one-dark.css"> -->
    <link rel="stylesheet" href="js/highlightjs/atom-one-light.css">
    <!-- <link rel="stylesheet" href="js/highlightjs/gruvbox-dark.css"> -->
    <script src="js/highlightjs/highlight.pack.js"></script>

    <!-- katex -->
    <link rel="stylesheet" href="js/katex/katex.min.css">
  </head>

  <body>

    <!-- o_gradient_background" -->
    <nav id="mainNav" class="navbar navbar-default navbar-fixed-top"
                      style="height:50px;font-size:130%;">
      <div class="container">
        <div style="float:left;">
        <a href="/blog" style="color:#000;display:inline-block;">Blog index</a>
        <span style="margin-right:20px; margin-left:20px;">|</span>
        <a href="/blog/notes.html" style="font-size:90%;color:#000;display:inline-block;">other-notes</a>
        </div>
        <div style="float:right;">
          <a href="/" style="color:#000;display:inline-block;">arnaucube.com</a>
          <div class="onoffswitch" style="margin:10px;display:inline-block;" title="change theme">
            <input onclick="switchTheme()" type="checkbox" name="onoffswitch" class="onoffswitch-checkbox"
              id="themeSwitcher">
            <label class="onoffswitch-label" for="themeSwitcher"></label>
          </div>
        </div>
      </div>
      <img style="height:5px; width:100%; margin-top:8px;" src="img/gradient-line.jpg" />
    </nav>



    <div class="container" style="margin-top:40px;max-width:800px;">
      <h2>Notes on KZG polynomial commitments</h2>

<p><em>2021-08-05</em></p>

<blockquote>
<p><strong>Warning</strong>: I want to state clearly that I&rsquo;m not a mathematician, I&rsquo;m just an amateur on math studying in my free time, and this article is just an attempt to try to sort the notes that I took while reading about the KZG Commitments.</p>
</blockquote>

<p>Few weeks ago I started reading about <a href="https://www.iacr.org/archive/asiacrypt2010/6477178/6477178.pdf">KZG Commitments</a> from the articles written by <a href="https://dankradfeist.de/ethereum/2020/06/16/kate-polynomial-commitments.html">Dankrad Feist</a>, by <a href="https://hackmd.io/@tompocock/Hk2A7BD6U">Tom Walton-Pocock</a> and by <a href="https://alinush.github.io/2020/05/06/kzg-polynomial-commitments.html">Alin Tomescu</a>. I want to thank them, because their articles helped me to understand a bit the concepts. I recommend spending the time reading their articles (<a href="https://dankradfeist.de/ethereum/2020/06/16/kate-polynomial-commitments.html">1</a>, <a href="https://hackmd.io/@tompocock/Hk2A7BD6U">2</a>, <a href="https://alinush.github.io/2020/05/06/kzg-polynomial-commitments.html">3</a>) instead of this current notes.</p>

<div class="row">
    <div class="col-md-7">
	<br>
	In the following notes I've tried to summarize the KZG Commitments scheme with the concepts that helped me to follow the reasoning.
    </div>
    <div class="col-md-5" style="font-size:90%; padding:10px;border:1px solid #cfcfcf;">
	<b>Notation:</b><br>
	$[x]_1 = x G \in \mathbb{G}_1\newline
	[x]_2 = x H \in \mathbb{G}_2$
	<br>Where $\mathbb{G}_1 = \langle G \rangle$ and $\mathbb{G}_2 = \langle H \rangle$.
	<br>In other words: $G$ is the generator of $\mathbb{G}_1$, and $H$ is the generator of $\mathbb{G}_2$
    </div>
</div>

<h4>Trusted setup</h4>

<p>First of all, we need to generate a <em>Trusted Setup</em> that will be used later in the rest of steps. Here, the concept of <em>Trusted Setup</em> is quite similar to what we are familiar when dealing with other zk protocols such zkSNARKs, but with the advantage that for the <em>KZG Commitments</em> the nature of its <em>Trusted Setup</em> allows to have some kind of &lsquo;global&rsquo; <em>Trusted Setup</em> that can be used for different polynomials.</p>

<p>It should be computed in a <em>Multi-Party Computation</em> (<em>MPC</em>) fashion, and ensuring that at least one of the participants is honest, in order to ensure that the original parameter <span class="math inline">\(\tau\)</span> can not be restored.</p>

<p>The parameters of the <em>Trusted Setup</em> are generated by generating a random <span class="math inline">\(\tau \in \mathbb{F}_p\)</span>, and from this parameter we can compute <span class="math inline">\([\tau^i]_1\)</span> and <span class="math inline">\([\tau^i]_2\)</span> for <span class="math inline">\(i=0,...,n-1\)</span>:</p>
<p><span class="math display">\[
[\tau^i]_1 = ([\tau^0]_1, [\tau^1]_1, [\tau^2]_1, ..., [\tau^{n-1}]_1)\newline
[\tau^i]_2 = ([\tau^0]_2, [\tau^1]_2, [\tau^2]_2, ..., [\tau^{n-1}]_2)
\]</span></p><p>Which in additive representation is:</p>
<p><span class="math display">\[
(G, \tau G, \tau^2 G, ..., \tau^{n-1} G) \in \mathbb{G}_1\newline
(H, \tau H, \tau^2 H, ..., \tau^{n-1} H) \in \mathbb{G}_2
\]</span></p><p>The &lsquo;intuition&rsquo; about the <em>Trusted Setup</em> is that is like encrypting a secret value (<span class="math inline">\(\tau\)</span>) that later will be used in the &lsquo;encrypted&rsquo; form to evaluate the polynomials.</p>

<h4>Commitments</h4>

<p>A commitment to a polynomial <span class="math inline">\(p(x) = \sum^n_{i=0} p_i x^i\)</span> is done by computing</p>
<p><span class="math display">\[c=[p(\tau)]_1\]</span></p><p>which is computed by <span class="math inline">\(c = \sum^{deg(p(x))}_{i=0} [\tau^i] \cdot p_i\)</span>.</p>

<p>The prover would send the commitment to the polynomial <span class="math inline">\(c\)</span>, and then the verifier would choose a value <span class="math inline">\(z \in \mathbb{F}_p\)</span>, where <span class="math inline">\(\mathbb{F}_p\)</span> is the finite field of the polynomial.</p>

<h4>Evalutaion proofs</h4>

<p>To prove an evaluation of the polynomial at the choosen value <span class="math inline">\(z\)</span> such that <span class="math inline">\(p(z)=y\)</span>, a quotient polynomial is computed: <span class="math inline">\(q(x) = \frac{p(x)-y}{x-z}\)</span>. This polynomial is the proof that <span class="math inline">\(p(z)=y\)</span>, as if <span class="math inline">\(q\)</span> exists it means that <span class="math inline">\(p(x)-y\)</span> is divisible by <span class="math inline">\(x-z\)</span>, which means that it has a root at <span class="math inline">\(z\)</span>, being <span class="math inline">\(p(z)-y=0\)</span>.</p>

<p>Then, the evaluation proof is</p>
<p><span class="math display">\[\pi = [q(\tau)]_1\]</span></p><p>which, as when computing <span class="math inline">\(c\)</span>, is computed by <span class="math inline">\(\pi=\sum^{deg(q(x))}_{i=0} [\tau^i] \cdot q_i\)</span>.</p>

<p>Once computed, the prover would send this evaluation proof <span class="math inline">\(\pi\)</span> to the verifier.</p>

<h4>Verifying an evaluation proof</h4>

<p>In order to verify an evaluation proof, the verifier has the commitment <span class="math inline">\(c=[p(\tau)]_1\)</span>, the evaluation <span class="math inline">\(y=p(z)\)</span>, and the proof <span class="math inline">\(\pi=[q(\tau)]_1\)</span>.</p>

<p>So, the verifier can check the <a href="https://en.wikipedia.org/wiki/Pairing-based_cryptography">pairing</a> evaluation:
$<span class="math inline">\(\hat{e}(\pi, [\tau]_2 - [z]_2) == \hat{e}(c - [y]_1, H)\)</span>$</p>

<p>Where <span class="math inline">\([\tau]_2\)</span> comes from the Trusted Setup, <span class="math inline">\([z]_2\)</span> is point at which the polynomial is evaluated, and <span class="math inline">\([y]_1\)</span> is the claimed value p(z). And <span class="math inline">\(\pi\)</span> and <span class="math inline">\(c\)</span> are given by the prover.</p>

<p>We can unroll that last equivalence, and see that:</p>
<p><span class="math display">\[
\hat{e}(\pi, [\tau]_2 - [z]_2) == \hat{e}(c - [y]_1, H)\newline
\Rightarrow \hat{e}([q(\tau)]_1, [\tau-z]_2) == \hat{e}([p(\tau)]_1 - [y]_1, H)\newline
\Rightarrow [q(\tau) \cdot (\tau-z)]_T == [p(\tau) - y]_T
\]</span></p><p>We can see that is the equation <span class="math inline">\(q(x)(x-z)=p(x)-y\)</span>, which can be expressed as <span class="math inline">\(q(x) = \frac{p(x) - y}{x-z}\)</span>, evaluated at <span class="math inline">\(\tau\)</span> from the <em>trusted setup</em>, which is not known: <span class="math inline">\(q(\tau) = \frac{p(\tau) - y}{\tau-z}\)</span>.</p>

<h3>Conclusions</h3>

<p>The content covered in this notes is just a quick overview, but allows us to see the potential of the scheme. One next iteration from what we&rsquo;ve seen is the approach to do batch proofs, which allows us to evaluate at multiple points with a single evaluation proof. This scheme can be used as a <em>vector commitment</em>, using a polynomial where the <span class="math inline">\(p(i) = x_i\)</span> for all values of <span class="math inline">\(x_i\)</span> of the vector, which can be obtained from the <span class="math inline">\(x_i\)</span> values and computing the <a href="shamir-secret-sharing.html#lagrange-polynomial%20interpolation">Lagrange interpolation</a>. This is quite useful combined with the mentioned batch proofs. The <em>batch proofs</em> logic can be found at the <a href="https://arnaucube.com/blog/kzg-batch-proof.html">blog/kzg-batch-proof</a> notes (kind of the continuation of the current notes).</p>

<p>As a final note, in order to try to digest the notes, I&rsquo;ve did a <em>toy implementation</em> of this scheme at <a href="https://github.com/arnaucube/kzg-commitments-study">https://github.com/arnaucube/kzg-commitments-study</a>. It&rsquo;s quite simple, but contains the logic overviewed in this notes.</p>

<p><br>
- <a href="https://arnaucube.com/blog/kzg-batch-proof.html">Part 2: Batch proof in KZG Commitments</a></p>

    </div>

    <footer style="text-align:center; margin-top:100px;margin-bottom:50px;">
      <div class="container">
        <br>
        <a href="/blog">Go to main</a>
        <br><br>
        <div class="row">
          <ul class="list-inline">
            <li><a href="https://twitter.com/arnaucube"
                   style="color:gray;text-decoration:none;"
                   target="_blank">twitter.com/arnaucube</a>
            </li>
            <li><a href="https://github.com/arnaucube"
                   style="color:gray;text-decoration:none;"
                   target="_blank">github.com/arnaucube</a>
            </li>
          </ul>
        </div>
        <div class="row" style="display:inline-block;">
          Blog made with <a href="http://github.com/arnaucube/blogo/"
                            target="_blank" style="color: gray;text-decoration:none;">Blogo</a>
        </div>
      </div>
    </footer>

    <script>
    </script>
    <script src="js/external-links.js"></script>
    <script>hljs.initHighlightingOnLoad();</script>
    <script defer src="js/katex/katex.min.js"></script>
    <script defer src="js/katex/auto-render.min.js"></script>
    <script>
      document.addEventListener("DOMContentLoaded", function() {
        renderMathInElement(document.body, {
          displayMode: false,
          // customised options
          // • auto-render specific keys, e.g.:
          delimiters: [
            {left: '$$', right: '$$', display: true},
            {left: '$', right: '$', display: false},
            {left: "\\[", right: "\\]", display: true},
            {left: "\\(", right: "\\)", display: false},
            {left: "\\begin{equation}", right: "\\end{equation}", display: true}
          ],
          // • rendering keys, e.g.:
          throwOnError : true
        });
      });

      ///
      let theme = localStorage.getItem("theme");
      if ((theme === "light-theme")||(theme==null)) {
          theme = "light-theme";
          document.getElementById("themeSwitcher").checked = false;
      } else if (theme === "dark-theme") {
          theme = "dark-theme";
          document.getElementById("themeSwitcher").checked = true;
      }
      document.body.className = theme;
      localStorage.setItem("theme", theme);

      function switchTheme() {
        theme = localStorage.getItem("theme");
        if (theme === "light-theme") {
          theme = "dark-theme";
          document.getElementById("themeSwitcher").checked = true;
        } else {
          theme = "light-theme";
          document.getElementById("themeSwitcher").checked = false;
        }
        document.body.className = theme;
        localStorage.setItem("theme", theme);

        console.log(theme);
      }
    </script>
    <script>
    function tagLinks(tagName) {
      var tags = document.getElementsByTagName(tagName);
      for (var i=0, hElem; hElem =  tags[i]; i++) {
        if (hElem.parentNode.className=="row postThumb") {
          continue;
        }
        hElem.id = hElem.innerHTML.toLowerCase().replace(" ", "-");
        hElem.innerHTML = "<a style='text-decoration:none;color:black;' href='#"+hElem.id+"'>"+hElem.innerHTML+"</a>";
      }
    }
    tagLinks("h2");
    tagLinks("h3");
    tagLinks("h4");
    tagLinks("h5");
    </script>
    <script src="js/mermaid.min.js"></script>


  </body>
</html>