Home

Aggregatable Subvector Commitments for Stateless Cryptocurrencies (from Lagrange polynomials)

tl;dr: We build a vector commitment (VC) scheme from KZG commitments to Lagrange polynomials that has (1) constant-sized, aggregatable proofs, which can all be precomputed in $O(n\log{n})$ time, and (2) linear public parameters, which can be derived from any “powers-of-tau” CRS in $O(n\log{n})$ time. Importantly, the auxiliary information needed...

Read more

Basics of Polynomials for Cryptography

A polynomial $\phi$ of degree $d$ is a vector of $d+1$ coefficients: \begin{align} \phi &= [\phi_0, \phi_1, \phi_2, \dots, \phi_d] \end{align} For example, $\phi = [1, 10, 9]$ is a degree 2 polynomial. Also, $\phi’ = [1, 10, 9, 0, 0, 0]$ is also a degree 2 polynomial, since the zero coefficients at the end do not count. But $\phi’’ = [...

Read more

Towards Scalable Verifiable Secret Sharing and Distributed Key Generation

tl;dr: We “authenticate” a polynomial multipoint evaluation using Kate-Zaverucha-Goldberg (KZG) commitments. This gives a new way to precompute $n$ proofs on a degree $t$ polynomial in $\Theta(n\log{t})$ time, rather than $\Theta(nt)$. \ The key trade-off is that our proofs are logarithmic-sized, rather than constant-sized. Nonetheless, we use o...

Read more

Fast and Scalable BLS Threshold Signatures

tl;dr: We use $O(t\log^2{t})$-time algorithms to interpolate secrets “in the exponent.” This makes aggregating $(t,n)$ BLS threshold signatures much faster, both at small and large scales. The question of scaling threshold signatures came to us at VMware Research after we finished working on SBFT1, a scalable Byzantine Fault Tolerance (BFT) pro...

Read more