Suyash Bagad
Cryptography Engineer
Polynomial Commitment and SRS
Aztec Study Club - Session 10
18th May 2022
\pi
Proof
Polynomial Commitments
p(X) = c_1 + c_2 X + c_3 X^2 + \dots + c_n X^{n-1}
\(\text{deg}(p) = n-1\)
Coefficients \((c_0, c_1, \dots, c_n)\)
Variable
- To commit to \(p(X)\), just compute \(p(\beta)\) for some universal secret \(\beta \in \mathbb{F}\)
p(\beta) = c_1 + c_2 \beta + c_3 \beta^2 + \dots + c_n \beta^{n-1}
- Wait but...
- What's commit? and why commit at all?
- What do you mean by a universal secret \(\beta\)?
- Does this even have any use?
Opening a Polynomial
I wish to convince Alice that I know \(p(X)\) without revealing it to her. Help!
Bob
Alice
Opening a Polynomial
First, let me commit to \(p(X)\),
i.e. evaluate \(p(\beta)\)
Bob
Alice
\(p(\beta)\)
How do I believe you?
Communication: \([p(\beta)]\)
Opening a Polynomial
Bob
Alice
Fair enough! Give me a challenge!
Okay, lets generate a challenge:
\(z = \textsf{hash}(p(\beta))\)
\(z\)
Communication: \([p(\beta), z]\)
Opening a Polynomial
Bob
Alice
Now let me compute a new polynomial:
w(X) = \frac{p(X)-p(z)}{X-z}
Opening a Polynomial
Bob
Alice
\(w(\beta)\)
Ok, thank you,
but how do I verify?
Communication: \([p(\beta), z, w(\beta)]\)
Lets commit to \(w(X)\) by evaluating \(w(\beta)\)
Opening a Polynomial
Bob
Alice
Communication: \([p(\beta), z, w(\beta)]\)
Use our past communication!
Opening a Polynomial
Bob
Alice
Communication: \([p(\beta), z, w(\beta)]\)
Use our past communication!
w(X)(\beta - z) \stackrel{?}{=} (p(\beta) - z)
Why did it work?
\begin{aligned}
p(X)-p(z) &= (c_0 + c_1X + \dots + c_{n-1}X^{n-1}) - (c_0 + c_1z + \dots + c_{n-1}z^{n-1}) \\[5pt]
&= c_1(X-z) + c_2(X^2-z^2) \dots + c_{n-1}(X^{n-1}-z^{n-1}) \\[5pt]
&= c_1\textcolor{orange}{(X-z)} + c_2\textcolor{orange}{(X-z)}(X+z) \dots + c_{n-1}\textcolor{orange}{(X-z)}(X^{n-2} + \dots + z^{n-2}) \\[5pt]
&= \textcolor{orange}{(X-z)}\Big\{c_1 + c_2(X+z) + \dots c_{n-1}(X^{n-2} + zX^{n-3} + \dots + z^{n-2})\Big\}
\end{aligned}
\begin{aligned}
w(X) &:= \frac{p(X)-p(z)}{X-z}
\end{aligned}
\begin{aligned}
\therefore \ \frac{p(X)-p(z)}{\textcolor{orange}{(X-z)}} = \big(c_1 + c_2(X+z) + \dots c_{n-1}(X^{n-2} + zX^{n-3} + \dots + z^{n-2})\big)
\end{aligned}
- The opening polynomial is enough!
Could Bob have cheated?
- Bob can cheat if he can find \(g(X)\neq p(X)\) s.t. \(g(s)=p(s)\)
- For the commitments to match: \(g(s)=p(s) \implies p(s)-g(s)=0\)
- So the polynomial \((p-g)(X)\) must be \(0\) at \(s\)
p(X) = c_0 + c_1X + c_2X^2 + \dots + c_{n-1}X^{n-1}
g(X) = b_0 + b_1X + b_2X^2 + \dots + b_{n-1}X^{n-1}
-
p(X)-g(X) = (c_0-b_0) + (c_1-b_1)X + \dots + (c_{n-1}-b_{n-1})X^{n-1}
\text{deg}((p-g)(X)) \le (n-1)
\implies \ \text{Roots: }\big|\{x \ | \ (p-g)(x)=0\}\big| \le n
\mathbb{P}\left((p-g)(s) = 0\right) = \frac{n}{q} \approx 0 \text{ since } q \gg n
- For largest possible \(n=2^{28}\) and \(q \approx 2^{254}\), its still very unlikely: \(2^{-226}\)
What's a universal secret?
- Recall we said \(\beta\) was a universal secret
- Instead of directly evaluating \(p(\beta)\), we do:
\begin{aligned}
\textsf{comm}(p) &= p(\beta)G \\
&= (c_1 + c_2\beta + c_3\beta^2 + \dots + c_n\beta^{n-1})G \\
&= c_1G + c_2\beta G + c_3\beta^2G + \dots + c_n\beta^{n-1}G \\
&= c_1\textcolor{orange}{G} + c_2\textcolor{orange}{\beta G} + c_3\textcolor{orange}{\beta^2G} + \dots + c_n\textcolor{orange}{\beta^{n-1}G}\\
&= \langle \vec{c}, \ \textcolor{orange}{\vec{G}} \rangle
\end{aligned}
\textsf{srs}_1 = \{\textcolor{orange}{G}, \textcolor{orange}{\beta G}, \textcolor{orange}{\beta^2G}, \textcolor{orange}{\beta^3G}, \dots, \textcolor{orange}{\beta^DG}\}
Group generator
- We pre-compute these elements and call it as SRS
- Its a one-time computation!
Ignition Ceremony
\textsf{srs} = \{\textcolor{orange}{G}, \textcolor{orange}{\beta G}, \textcolor{orange}{\beta^2G}, \textcolor{orange}{\beta^3G}, \dots, \textcolor{orange}{\beta^DG}\}
- First participant chooses a secret \(x_1 \in \mathbb{F}\) and computes:
\textsf{srs}_1 =
\{\textcolor{orange}{1}\textcolor{grey}{G},
\ \textcolor{orange}{x_1}\textcolor{grey}{G},
\ \textcolor{orange}{x_1^2}\textcolor{grey}{G},
\ \textcolor{orange}{x_1^3}\textcolor{grey}{G}, \dots,
\ \textcolor{orange}{x_1^D}\textcolor{grey}{G}\}
- Second participant chooses a secret \(x_2 \in \mathbb{F}\) and computes:
\textsf{srs}_1 =
\{\textcolor{orange}{1}\textcolor{grey}{\textsf{srs}_1[0]},
\ \textcolor{orange}{x_2}\textcolor{grey}{\textsf{srs}_1[1]},
\ \textcolor{orange}{x_2^2}\textcolor{grey}{\textsf{srs}_1[2]},
\ \textcolor{orange}{x_2^3}\textcolor{grey}{\textsf{srs}_1[3]}, \dots,
\ \textcolor{orange}{x_2^D}\textcolor{grey}{\textsf{srs}_1[D-1]}\}
=
\{\textcolor{orange}{1}\textcolor{grey}{G},
\ \textcolor{orange}{x_2}\textcolor{grey}{x_1G},
\ \textcolor{orange}{x_2^2}\textcolor{grey}{x_1^2G},
\ \textcolor{orange}{x_2^3}\textcolor{grey}{x_1^3G}, \dots,
\ \textcolor{orange}{x_2^D}\textcolor{grey}{x_1^{D-1}G]}\}
- If 100 participants participated:
\beta = (\textcolor{orange}{x_{100}x_{99} \dots x_2 x_1})
- Only one needs to be honest!
e(
\textcolor{orange}{1}\textcolor{grey}{\textsf{srs}_1[0]},
\textcolor{lightgreen}{x_2}\textcolor{grey}{\textsf{srs}_2[1]}
)
\stackrel{?}{=}
e(
\textcolor{orange}{x_2}\textcolor{grey}{\textsf{srs}_1[1]},
\textcolor{lightgreen}{1}\textcolor{grey}{\textsf{srs}_2[0]}
)
e(
\textcolor{orange}{x_2^i}\textcolor{grey}{\textsf{srs}_1[i]},
\textcolor{lightgreen}{x_2}\textcolor{grey}{\textsf{srs}_2[1]}
)
\stackrel{?}{=}
e(
\textcolor{orange}{x_2^{i+1}}\textcolor{grey}{\textsf{srs}_1[i+1]},
\textcolor{lightgreen}{1}\textcolor{grey}{\textsf{srs}_2[0]}
)
\textsf{srs}_1 =
\{\textcolor{orange}{1}\textcolor{grey}{\textsf{srs}_1[0]},
\ \textcolor{orange}{x_2}\textcolor{grey}{\textsf{srs}_1[1]},
\ \textcolor{orange}{x_2^2}\textcolor{grey}{\textsf{srs}_1[2]},
\ \textcolor{orange}{x_2^3}\textcolor{grey}{\textsf{srs}_1[3]}, \dots,
\ \textcolor{orange}{x_2^D}\textcolor{grey}{\textsf{srs}_1[D-1]}\}
\textsf{srs}_2 =
\{\textcolor{lightgreen}{1}\textcolor{grey}{\textsf{srs}_2[0]},
\ \textcolor{lightgreen}{x_2}\textcolor{grey}{\textsf{srs}_2[1]}\}
\textsf{srs}_1 =
\{\textcolor{orange}{1}\textcolor{grey}{G},
\ \textcolor{orange}{x}\textcolor{grey}{G},
\ \textcolor{orange}{x^2}\textcolor{grey}{G},
\ \textcolor{orange}{x^3}\textcolor{grey}{G}, \dots,
\ \textcolor{orange}{x^D}\textcolor{grey}{G}\}
\textsf{srs}_2 =
\{\textcolor{lightgreen}{1}\textcolor{grey}{H},
\ \textcolor{lightgreen}{x}\textcolor{grey}{H}\}
\textsf{srs}_1 =
\{\textcolor{orange}{1}\textcolor{grey}{G},
\ \textcolor{orange}{y}\textcolor{grey}{xG},
\ \textcolor{orange}{y^2}\textcolor{grey}{x^2G},
\ \textcolor{orange}{y^3}\textcolor{grey}{x^3G}, \dots,
\ \textcolor{orange}{y^D}\textcolor{grey}{x^4G}\}
\textsf{srs}_2 =
\{\textcolor{lightgreen}{1}\textcolor{grey}{H},
\ \textcolor{lightgreen}{y}\textcolor{grey}{xH}\}
e(\textcolor{orange}{y}\textcolor{grey}{xG}, \textcolor{lightgreen}{1}\textcolor{grey}{H}) =
e(\textcolor{blue}{y}\textcolor{grey}{G}, \textcolor{lightgreen}{x}\textcolor{grey}{H}) =
e(\textcolor{orange}{1}\textcolor{grey}{G}, \textcolor{lightgreen}{y}\textcolor{grey}{xH})
Polynomial Commitments and Ignition Ceremony
By Suyash Bagad
Polynomial Commitments and Ignition Ceremony
Aztec's ignition ceremony and the KZG polynomial commitment scheme.
