Suyash Bagad
Cryptography Engineer
Magic of Polynomials
Aztec Study Club - 5
9 March 2022
Recap
- Schnorr's identity protocol
- Proving that I own secret key \(\alpha\) given \(U=\alpha G\)
- Interactive sigma protocols:
Prover
Verifier
\(\textsf{commitment}\)
\(\textsf{challenge}\)
\(\textsf{response}\)
- Non-interactive digital signatures using Fiat-Shamir
\(\textsf{challenge} = H(\textsf{commitment})\)
\(\textsf{output} \in \{0,1\}\)
Vectors
\vec{a} = 3\hat{x} + 2\hat{y}
\vec{b} = 1\hat{x} + 4\hat{y}
\vec{c} = 4\hat{x} + 6\hat{y}
\(\vec{c}\)
Basis \(\hat{x}\)
Basis \(\hat{y}\)
\(y\)
\(x\)
\(\vec{b}\small{(1,4)}\)
\(\vec{a}\small{(3,2)}\)
+
Polynomials
Polynomials
- Represented in two forms
- \(\color{lightpink}{\text{Evaluation}}\) form: \(f(X) = \sum_{i \in [n]}f(i)L_i(X)\)
- \(\color{lightgreen}{\text{Monomial}}\) form: \(f(X) = c_0 + c_1X + c_2X^2 + \dots + c_{n-1}X^{n-1}\)
- If \(x\)-coordinates have nice structure, e.g. \(X = \{1, \omega, \omega^2, \dots, \omega^{n-1}\}\)
\Big\{\textcolor{lightpink}{f(1), f(\omega), f(\omega^2), \dots, f(\omega^{n-1})}\Big\}
\Big\{\underbrace{\textcolor{lightgreen}{c_0, c_1, c_2, \dots, c_{n-1}}}_{n=2^m}\Big\}
- Polynomial division and multiplication is cheaper in FFT form
- Addition and subtraction have similar costs
- Evaluation at \(x \in \mathbb{F}\)? Barycentric formula for FFT!
- Honk teaser: Plonk with everything in the FFT form 😲
\(\textsf{FFT}\)
\(\textsf{iFFT}\)
Kate Commitment Scheme
- For a visa application, we need to submit bank statements
| Month | Avg Balance |
|---|---|
| January | $1000 |
| February | $2500 |
| March | $1500 |
| April | $2000 |
| May | $3100 |
| June | $1800 |
| X |
|---|
\(1\)
\(\omega\)
\(\omega^2\)
\(\omega^3\)
\(\omega^4\)
\(\omega^5\)
| - | $0 | |
| - | $0 |
\(\omega^6\)
\(\omega^7\)
- How do I prove my balance without revealing the bank statment?
X
\begin{cases}
& \\
& \\
& \\
& \\
& \\
& \\
& \\
\end{cases}
\begin{cases}
& \\
& \\
& \\
& \\
& \\
& \\
& \\
\end{cases}
f(X)
\textcolor{lightpink}{f(X)} = 1000L_1^n(X) + \dots + 1800L_6^{n}(X)
\xrightarrow{\textsf{iFFT}} \textcolor{lightgreen}{f(X)} = c_0 + c_1X + \dots + c_{n-1}X^{n-1}
Kate Commitment Scheme
- The commit phase: for some secret scalar \(s \in \mathbb{F}_q\)
\textsf{commit}\left(\textcolor{lightgreen}{f}\right) \equiv f(s)= c_0 + c_1s + \dots + c_{n-1}s^{n-1}
- The open phase: given a challenge \(z\in \mathbb{F}_q,\) we compute:
\(\begin{aligned}\textsf{open}\left(f, z\right) \equiv w(s)= \frac{f(s)-f(z)}{s-z}\end{aligned}\)
opening polynomial
opening point
- The opening proof: \(\pi = \big\{\textcolor{lightgreen}{f(s), w(s), f(z)}\big\}\)
- The verification:
\textsf{verify}\left(\pi, z\right) \equiv \textcolor{lightgreen}{w(s)}\cdot (s-z) \stackrel{?}{=} (\textcolor{lightgreen}{f(s)}-\textcolor{lightgreen}{f(z)})
Kate Commitment Scheme
\(1.\) Is the opening polynomial enough?
\begin{aligned}
f(X)-f(z) &= (c_0 + c_1X + \dots + c_{n-1}X^{n-1}) - (c_0 + c_1z + \dots + c_{n-1}z^{n-1}) \\[5pt]
&= c_1(X-z) + c_2(X^2-z^2) \dots + c_{n-1}(X^{n-1}-z^{n-1}) \\[5pt]
&= c_1\textcolor{orange}{(X-z)} + c_2\textcolor{orange}{(X-z)}(X+z) \dots + c_{n-1}\textcolor{orange}{(X-z)}(X^{n-2} + \dots + z^{n-2}) \\[5pt]
&= \textcolor{orange}{(X-z)}\Big\{c_1 + c_2(X+z) + \dots c_{n-1}(X^{n-2} + zX^{n-3} + \dots + z^{n-2})\Big\}
\end{aligned}
\begin{aligned}
w(X) &:= \frac{f(X)-f(z)}{X-z}
\end{aligned}
- If the prover doesn't know the polynomial, its not possible to compute a correct \(w(X)\)
\begin{aligned}
\therefore \ \frac{f(X)-f(z)}{\textcolor{orange}{(X-z)}} = \big(c_1 + c_2(X+z) + \dots c_{n-1}(X^{n-2} + zX^{n-3} + \dots + z^{n-2})\big)
\end{aligned}
Kate Commitment Scheme
\(2.\) Could a malicious prover find \(g(X)\neq f(X)\) s.t. \(g(s)=f(s)\)?
- For the commitments to match: \(g(s)=f(s) \implies f(s)-g(s)=0\)
- So the polynomial \((f-g)(X)\) must be \(0\) at \(s\)
f(X) = c_0 + c_1X + c_2X^2 + \dots + c_{n-1}X^{n-1}
g(X) = b_0 + b_1X + b_2X^2 + \dots + b_{n-1}X^{n-1}
-
f(X)-g(X) = (c_0-b_0) + (c_1-b_1)X + \dots + (c_{n-1}-b_{n-1})X^{n-1}
\text{deg}((f-g)(X)) \le (n-1)
\implies \ \text{Roots: }\big|\{x \ | \ (f-g)(x)=0\}\big| \le n
\mathbb{P}\left((f-g)(s) = 0\right) = \frac{n}{q} \approx 0 \text{ since } q \gg n
- For largest possible \(n=2^{28}\) and \(q \approx 2^{254}\), its still very unlikely: \(2^{-226}\)
Kate Commitment Scheme
\(3.\) How can the secret \(s\) be universally accepted?
- Given \(\textsf{srs}_1\), its impossible to find \(s\). How do we commit then?
\textsf{srs}_1 = \{G_1, sG_1, s^2G_1, s^3G_1, \dots, s^DG_1\}
\textsf{com}(\textcolor{lightgreen}{f}) :=
\textcolor{lightgreen}{c_0}(G_1) +
\textcolor{lightgreen}{c_1}(sG_1) +
\textcolor{lightgreen}{c_2}(s^2G_1) + \dots +
\textcolor{lightgreen}{c_{n-1}}(s^{n-1}G_1)
= \textcolor{lightgreen}{f(s)}G_1
unknown
\(D \approx 100M\)
- Linear combination of coefficients and the SRS!
- How does verification work?
\textsf{verify}\left(\pi, z\right) \equiv \textcolor{pink}{w(s)}\cdot (s-z) \stackrel{?}{=} (\textcolor{pink}{f(s)}-\textcolor{pink}{f(z)})
- How do we handle multiplications?
Kate Commitment Scheme
- Elliptic curve pairings:
e(aG_1, bG_2) = (ab)G_T
Generator of \(\mathbb{G}_T\)
pairing
Generator of \(\mathbb{G}_2\)
- Verifier needs a different SRS: \(\textsf{srs}_2 = \{G_2, sG_2\}\)
\begin{aligned}
\textsf{LHS} \equiv \textcolor{pink}{w(s)}\cdot (s-z)G_T &= e(\textcolor{pink}{w(s)}G_1, (s-z)G_2) \\[5pt]
&= e(W, \ sG_2 - zG_2)
\end{aligned}
\begin{aligned}
\textsf{RHS} \equiv (\textcolor{pink}{f(s)} - f(z)) \cdot 1 G_T &= e((\textcolor{pink}{f(s)} - f(z))G_1, 1\cdot G_2) \\[5pt]
&= e(F - f(z)G_1, \ 1\cdot G_2)
\end{aligned}
\textsf{verify}\left(\pi, z\right) \equiv \textcolor{pink}{w(s)}\cdot (s-z) \stackrel{?}{=} (\textcolor{pink}{f(s)}-\textcolor{pink}{f(z)})
\underbrace{\hspace{1.2cm}}_{}
\((1)\)
\underbrace{\hspace{1.2cm}}_{}
\((2)\)
Generator of \(\mathbb{G}_1\)
Summary
- Recap of Schnorr signature
- Sigma protocol example
- Forms of polynomials
- Lagrange basis polynomials
- FFT vs monomial form
- Tradeoffs
- Kate commitment scheme
- How do you I prove the knowledge of a polynomial?
- Structured reference string
- Up next:
- Holographic proof systems (fancy word for SNARKs)
Magic of Polynomials
By Suyash Bagad
Magic of Polynomials
Aztec Study Club's fifth presentation on basics of polynomial commitment schemes.
- 71
