|
<!DOCTYPE html>
|
|
<html lang="en">
|
|
|
|
<head>
|
|
<meta name="description" content="The benefit of batch proof is that allows us to proof multiple points while the proof size remains constant to one G1 point." />
|
|
<meta charset="utf-8">
|
|
<title> Batch proof in KZG Commitments - arnaucube - blog</title>
|
|
<meta name="title" content=" Batch proof in KZG Commitments - arnaucube - blog">
|
|
<meta name="description" content="The benefit of batch proof is that allows us to proof multiple points while the proof size remains constant to one G1 point.">
|
|
|
|
<meta property="og:title" content=" Batch proof in KZG Commitments - arnaucube - blog" />
|
|
<meta property="og:description" content="The benefit of batch proof is that allows us to proof multiple points while the proof size remains constant to one G1 point." />
|
|
<meta property="og:url" content="https://arnaucube.com/blog/kzg-batch-proof.html" />
|
|
<meta property="og:type" content="article" />
|
|
<meta property="og:image" content="https://arnaucube.com/blog/" />
|
|
<meta name="twitter:title" content=" Batch proof in KZG Commitments - arnaucube - blog">
|
|
<meta name="twitter:description" content="The benefit of batch proof is that allows us to proof multiple points while the proof size remains constant to one G1 point.">
|
|
<meta name="twitter:image" content="https://arnaucube.com/blog/">
|
|
<meta name="twitter:card" content="summary_large_image">
|
|
<meta name="author" content="arnaucube">
|
|
|
|
<meta name="viewport" content="width=device-width, initial-scale=1">
|
|
|
|
<link href="css/bootstrap.min.css" rel="stylesheet">
|
|
<link rel="stylesheet" href="css/style.css">
|
|
|
|
<!-- highlightjs -->
|
|
<!-- <link rel="stylesheet" href="js/highlightjs/atom-one-dark.css"> -->
|
|
<link rel="stylesheet" href="js/highlightjs/gruvbox-dark.css">
|
|
<script src="js/highlightjs/highlight.pack.js"></script>
|
|
|
|
<!-- katex -->
|
|
<link rel="stylesheet" href="js/katex/katex.min.css">
|
|
</head>
|
|
|
|
<body>
|
|
|
|
<!-- o_gradient_background" -->
|
|
<nav id="mainNav" class="navbar navbar-default navbar-fixed-top"
|
|
style="height:50px;font-size:130%;">
|
|
<div class="container">
|
|
<a href="/blog" style="color:#000;">Blog index</a>
|
|
<div style="float:right;">
|
|
<a href="/" style="color:#000;display:inline-block;">arnaucube.com</a>
|
|
<div class="onoffswitch" style="margin:10px;display:inline-block;" title="change theme">
|
|
<input onclick="switchTheme()" type="checkbox" name="onoffswitch" class="onoffswitch-checkbox"
|
|
id="themeSwitcher">
|
|
<label class="onoffswitch-label" for="themeSwitcher"></label>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<img style="height:5px; width:100%; margin-top:8px;" src="img/gradient-line.jpg" />
|
|
</nav>
|
|
|
|
|
|
|
|
<div class="container" style="margin-top:40px;max-width:800px;">
|
|
<h2>Batch proof in KZG Commitments</h2>
|
|
|
|
<p><em>2021-08-14</em></p>
|
|
|
|
<blockquote>
|
|
<p><strong>Warning</strong>: I want to state clearly that I’m not a mathematician, I’m just an amateur on math studying in my free time, and this article is just an attempt to try to sort the notes that I took while reading about the KZG Commitments.</p>
|
|
</blockquote>
|
|
|
|
<p>Last week I posted some <em><a href="https://arnaucube.com/blog/kzg-commitments.html">notes on KZG Commitmens</a></em>, which overviews the scheme for single proofs. The current notes, try to overview the <em>batch proof</em> iteraton on KZG Commitments, and the <em>vector commitment</em> usage of it. Again (as in the previous post), big thanks to <a href="https://dankradfeist.de/ethereum/2020/06/16/kate-polynomial-commitments.html">Dankrad Feist</a> and <a href="https://alinush.github.io/2020/05/06/kzg-polynomial-commitments.html">Alin Tomescu</a> for their articles which helped me to follow a bit the reasoing behind this, and again, I recommend spending the time reading their articles instead of this current notes.</p>
|
|
|
|
<h4>Batch proof</h4>
|
|
|
|
<p>The benefit of <em>batch proof</em> is that allows us to proof multiple points while the proof size remains constant to one <span class="math inline">\(\mathbb{G}_1\)</span> point.
|
|
Let <span class="math inline">\((z_0, y_0), (z_1, y_1), ..., (z_k, y_k)\)</span> be the points that we want to proof, and that we have a polynomial <span class="math inline">\(p(x)\)</span> that goes through the points.
|
|
The <em>commitment</em> to the polynomial stands the same than for single proofs: <span class="math inline">\(c=[p(\tau)]_1\)</span>.</p>
|
|
|
|
<p>For the evaluation proof, while in the single proofs we compute <span class="math inline">\(q(x) = \frac{p(x)-y}{x-z}\)</span>, we will replace <span class="math inline">\(y\)</span> and <span class="math inline">\(x-z\)</span> by the following two polynomials.
|
|
The constant <span class="math inline">\(y\)</span> is replaced by a polynomial that has roots at all the points that we want to prove. This is achieved by computing the <a href="/blog/shamir-secret-sharing.html#lagrange-polynomial%20interpolation">Lagrange interpolation</a> for the given set of points:</p>
|
|
<p><span class="math display">\[
|
|
I(x) = \sum_{j=0}^k y_j l_j(x)\newline
|
|
where \space\space\space l_j(x) = \prod\_{0\leq m \leq k} \frac{x-x_m}{x_j - x_m}
|
|
\]</span></p><p>And the <span class="math inline">\(x-z\)</span>, which was to ensure that <span class="math inline">\(q(x)\)</span> had a root at <span class="math inline">\(z\)</span>, now, as we want to ensure that <span class="math inline">\(q(x)\)</span> has roots at all the points of the commitment, we will use the <em>zero polynomial</em>:</p>
|
|
<p><span class="math display">\[
|
|
Z(x) = \prod_{i=0}^{k} x-z_i =\newline
|
|
=(x-z_0)(x-z_1)...(x-z_k)
|
|
\]</span></p><p>This polynomial ensures that when <span class="math inline">\(x=z_i\)</span> (<span class="math inline">\(z_i\)</span> being one of our points), the polynomial evaluation will be zero.</p>
|
|
|
|
<p>Now we can put <span class="math inline">\(I(x)\)</span> and <span class="math inline">\(Z(x)\)</span> in place, obtaining <span class="math inline">\(q(x)=\frac{p(x)-I(x)}{Z(x)}\)</span>. And the batch proof evaluation is obtained by <span class="math inline">\(\pi=[q(\tau)]_1\)</span>.</p>
|
|
|
|
<p>The verification is quite similar than what we did for single proofs, but using the mentioned <span class="math inline">\(z(x)\)</span> and <span class="math inline">\(I(x)\)</span>:</p>
|
|
<p><span class="math display">\[
|
|
\hat{e}(\pi, [Z(\tau)]_2) == \hat{e}(c - [I(\tau)]_1, H)
|
|
\]</span></p><p>Which, as we did with the single proofs in the previous post, we can unroll it and see that:</p>
|
|
<p><span class="math display">\[
|
|
\hat{e}(\pi, [Z(\tau)]_2) == \hat{e}(c - [I(\tau)]_1, H)\newline
|
|
\Rightarrow \hat{e}([q(\tau)]_1, [Z(\tau)]_2) == \hat{e}([p(\tau)]_1 - [I(\tau)]_1, H)\newline
|
|
\Rightarrow [q(\tau) \cdot Z(\tau)]_T == [p(\tau) - I(\tau)]_T
|
|
\]</span></p><p>From where we see that is the equation <span class="math inline">\(q(x)\cdot Z(x)=p(x)-I(x)\)</span>, which can be expressed as <span class="math inline">\(q(x) = \frac{p(x) - I(x)}{Z(x)}\)</span>, evaluated at <span class="math inline">\(\tau\)</span> from the trusted setup, which is not known: <span class="math inline">\(q(\tau) = \frac{p(\tau) - I(\tau)}{Z(\tau)}\)</span>.</p>
|
|
|
|
<h4>Vector commitments</h4>
|
|
|
|
<p>As mentioned earlier, this scheme can be used as a <em>vector commitment</em> scheme.</p>
|
|
|
|
<p>A vector commitment allows a prover to commit to a vector and later proof that a certain value belongs to that vector. As a traditional example, we can think of <em>Merkle Trees</em>, where we can commit to a vector of values, which are placed in the tree leafs. Then we compute the <em>root</em> which acts as the commitment. Then we can provide a proof that a certain leaf belongs to the vector for the commitment (<em>root</em>) that we showed earlier.
|
|
The problem with Merkle Trees is that the proof size grows linearly with the size of the tree, as it contains the siblings from the leaf to the root. Here is where <em>KZG Commitments</em> can be benefitial, as the proof always stands with the same size, one <span class="math inline">\(\mathbb{G}_1\)</span> point, no matter of how many points we are batching.</p>
|
|
|
|
<p>We can use KZG Commitments as a vector commitment scheme by mapping the <em>vector</em> as a batch of points that build the polynomial, so when commiting to the polynomial we are commiting to the vector. Then, it’s a matter of using the <em>batch proof</em> approach explained above in order to proof multiple elements of the vector in a single proof that can be verified later.</p>
|
|
|
|
<h4>Final note</h4>
|
|
|
|
<p>I’m fascinated by this scheme and its potential. One next rabbit hole (related to KZG Commitments) to look at, would be the <a href="https://vitalik.ca/general/2019/09/22/plonk.html">Plonk</a> and other similar constructions. Also, another use case that is getting attention in the Ethereum community is the <a href="https://vitalik.ca/general/2021/06/18/verkle.html"><em>Verkle Trees</em></a>.</p>
|
|
|
|
<p>As in the previous notes, in order to try to put in practice the concepts, I’ve added the <em>batch proof</em> logic at <a href="https://github.com/arnaucube/kzg-commitments-study">https://github.com/arnaucube/kzg-commitments-study</a>.</p>
|
|
|
|
</div>
|
|
|
|
<footer style="text-align:center; margin-top:100px;margin-bottom:50px;">
|
|
<div class="container">
|
|
<div class="row">
|
|
<ul class="list-inline">
|
|
<li><a href="https://twitter.com/arnaucube"
|
|
style="color:gray;text-decoration:none;"
|
|
target="_blank">twitter.com/arnaucube</a>
|
|
</li>
|
|
<li><a href="https://github.com/arnaucube"
|
|
style="color:gray;text-decoration:none;"
|
|
target="_blank">github.com/arnaucube</a>
|
|
</li>
|
|
</ul>
|
|
</div>
|
|
<div class="row" style="display:inline-block;">
|
|
Blog made with <a href="http://github.com/arnaucube/blogo/"
|
|
target="_blank" style="color: gray;text-decoration:none;">Blogo</a>
|
|
</div>
|
|
</div>
|
|
</footer>
|
|
|
|
<script>
|
|
</script>
|
|
<script src="js/external-links.js"></script>
|
|
<script>hljs.initHighlightingOnLoad();</script>
|
|
<script defer src="js/katex/katex.min.js"></script>
|
|
<script defer src="js/katex/auto-render.min.js"></script>
|
|
<script>
|
|
document.addEventListener("DOMContentLoaded", function() {
|
|
renderMathInElement(document.body, {
|
|
displayMode: false,
|
|
// customised options
|
|
// • auto-render specific keys, e.g.:
|
|
delimiters: [
|
|
{left: '$$', right: '$$', display: true},
|
|
{left: '$', right: '$', display: false},
|
|
{left: "\\[", right: "\\]", display: true},
|
|
{left: "\\(", right: "\\)", display: false},
|
|
],
|
|
// • rendering keys, e.g.:
|
|
throwOnError : true
|
|
});
|
|
});
|
|
|
|
///
|
|
let theme = localStorage.getItem("theme");
|
|
if ((theme === "light-theme")||(theme==null)) {
|
|
theme = "light-theme";
|
|
document.getElementById("themeSwitcher").checked = false;
|
|
} else if (theme === "dark-theme") {
|
|
theme = "dark-theme";
|
|
document.getElementById("themeSwitcher").checked = true;
|
|
}
|
|
document.body.className = theme;
|
|
localStorage.setItem("theme", theme);
|
|
|
|
function switchTheme() {
|
|
theme = localStorage.getItem("theme");
|
|
if (theme === "light-theme") {
|
|
theme = "dark-theme";
|
|
document.getElementById("themeSwitcher").checked = true;
|
|
} else {
|
|
theme = "light-theme";
|
|
document.getElementById("themeSwitcher").checked = false;
|
|
}
|
|
document.body.className = theme;
|
|
localStorage.setItem("theme", theme);
|
|
|
|
console.log(theme);
|
|
}
|
|
</script>
|
|
<script>
|
|
function tagLinks(tagName) {
|
|
var tags = document.getElementsByTagName(tagName);
|
|
for (var i=0, hElem; hElem = tags[i]; i++) {
|
|
if (hElem.parentNode.className=="row postThumb") {
|
|
continue;
|
|
}
|
|
hElem.id = hElem.innerHTML.toLowerCase().replace(" ", "-");
|
|
hElem.innerHTML = "<a style='text-decoration:none;color:black;' href='#"+hElem.id+"'>"+hElem.innerHTML+"</a>";
|
|
}
|
|
}
|
|
tagLinks("h2");
|
|
tagLinks("h3");
|
|
tagLinks("h4");
|
|
tagLinks("h5");
|
|
</script>
|
|
<script src="js/mermaid.min.js"></script>
|
|
|
|
|
|
</body>
|
|
</html>
|
|
|