Alin Tomescu

Papamanthou-Shi-Tamassia (PST) multivariate polynomial commitments

 
  • Oct 25, 2025

tl;dr: The 1st multivariate polynomial commitment scheme based on a non-trivial generalization of KZG.

$ % \def\one#1{\left[#1\right]_\textcolor{green}{1}} \def\two#1{\left[#1\right]_\textcolor{red}{2}} \def\three#1{\left[#1\right]_\textcolor{blue}{\top}} \def\pair#1#2{e\left(#1, #2\right)} \def\GGen{\mathsf{GGen}} $

$ \def\bin{\{0,1\}} \def\eq{\mathsf{eq}} \def\SC{\mathsf{SumCheck}} \def\MLE#1{\mathsf{MLE}(#1)} \def\i{\boldsymbol{i}} \def\j{\boldsymbol{j}} \def\x{\boldsymbol{x}} \def\X{\boldsymbol{X}} \def\y{\boldsymbol{y}} \def\Y{\boldsymbol{Y}} $

$ % % Field operations % % #1 is the number of field additions \def\Fadd#1{#1\ \green{\F^+}} % #1 is the number of field multiplications \def\Fmul#1{#1\ \red{\F}^\red{\times}} % % Abstract group % % #1 is the group % #2 is the # of group additions \def\Gadd#1#2{#2\ \green{#1}^\green{+}} % #2 is the # of scalar muls \def\Gmul#1#2{#2\ \orange{#1}^\orange{\times}} % #2 is the MSM size \def\msm#1#2{\red{#1}^{#2}} % do not use directly use either \fmsm or \vmsm \def\vmsm#1#2{\red{\mathsf{var}}\text{-}\msm{#1}{#2}} \def\fmsm#1#2{\msm{#1}{#2}} \def\fmsmSmall#1#2#3{\fmsm{#1}{#2}/{#3}} % ...#3 is the max scalar size \def\vmsmSmall#1#2#3{\vmsm{#1}{#2}/{#3}} % % \mathbb{G} group % \def\GaddG#1{\Gadd{\Gr}{#1}} \def\GmulG#1{\Gmul{\Gr}{#1}} \def\msmG#1{\msm{\Gr}{#1}} \def\vmsmG#1{\vmsm{\Gr}{#1}} \def\fmsmG#1{\fmsm{\Gr}{#1}} \def\fmsmGSmall#1#2{\fmsmSmall{\Gr}{#1}/{#2}} \def\vmsmGSmall#1#2{\vmsmSmall{\Gr}{#1}/{#2}} % % G_1 group % % Note: replicating the colors here because cannot get subscript to align with superscript (e.g., $\msmOne{n}$ would render akwardly) \def\GaddOne#1{\Gadd{\Gr}{#1}_\green{1}} \def\GmulOne#1{\Gmul{\Gr}{#1}_\orange{1}} \def\msmOne#1{\msm{\Gr}{#1}_\red{1}} \def\vmsmOne#1{\vmsm{\Gr}{#1}_\red{1}} \def\fmsmOne#1{\fmsm{\Gr}{#1}_\red{1}} \def\fmsmOneSmall#1#2{\fmsmSmall{\Gr}{#1}_\red{1}/{#2}} \def\vmsmOneSmall#1#2{\vmsmSmall{\Gr}{#1}_\red{1}/{#2}} % % G_2 group % % Note: same replication as for G_1 \def\GaddTwo#1{\Gadd{\Gr}{#1}_\green{2}} \def\GmulTwo#1{\Gmul{\Gr}{#1}_\orange{2}} \def\msmTwo#1{\msm{\Gr}{#1}_\red{2}} \def\vmsmTwo#1{\vmsm{\Gr}{#1}_\red{2}} \def\fmsmTwo#1{\fmsm{\Gr}{#1}_\red{2}} \def\fmsmTwoSmall#1#2{\fmsmSmall{\Gr}{#1}_\red{2}/{#2}} \def\vmsmTwoSmall#1#2{\vmsmSmall{\Gr}{#1}_\red{2}/{#2}} % % Target group % % Note: same replication as for G_1 \def\GaddTarget#1{\Gadd{\Gr}{#1}_\green{T}} \def\GmulTarget#1{\Gmul{\Gr}{#1}_\orange{T}} \def\msmTarget#1{\msm{\Gr}{#1}_\red{T}} \def\vmsmTarget#1{\vmsm{\Gr}{#1}_\red{T}} \def\fmsmTarget#1{\fmsm{\Gr}{#1}_\red{T}} \def\fmsmTargetSmall#1#2{\fmsmSmall{\Gr}{#1}_\red{T}/{#2}} \def\vmsmTargetSmall#1#2{\vmsmSmall{\Gr}{#1}_\red{T}/{#2}} % % A single pairing \def\pairing{\mathbb{P}} % #1 is the # of pairings \def\multipair#1{\mathbb{P}^{#1}} $

$ \def\crs#1{\textcolor{green}{#1}} $

Introduction

PST polynomial commitments1, originally published as an eprint in 20112, are a beautiful generalization of KZG univariate polynomial commitments to the multivariate setting.

Preliminaries

  • Let $\GGen(1^\lambda) \rightarrow \mathcal{G}$ denote a probabilistic polynomial-time algorithm that outputs bilinear groups $\mathcal{G} \bydef (\Gr_1, \Gr_2, \Gr_T)$ of prime order $p\approx 2^{2\lambda}$, denoted additively, such that:
    • $\one{1}$ generates $\Gr_1$
    • $\two{1}$ generates $\Gr_2$
    • $\three{1}$ generates $\Gr_T$
  • We use $\one{a}\bydef a\cdot \one{1}$ and $\two{b}\bydef b\cdot \two{1}$ and $\three{c}\bydef c\cdot \three{1}$ to denote multiplying a scalar by the group generator

  • Let $\F$ denote the scalar field of order $p$ associated with the bilinear groups

  • For time complexities, we use:
    • $\Fadd{n}$ for $n$ field additions in $\F$

    • $\Fmul{n}$ for $n$ field multiplications in $\F$

    • $\Gadd{\Gr}{n}$ for $n$ additions in $\Gr$
    • $\Gmul{\Gr}{n}$ for $n$ individual scalar multiplications in $\Gr$
    • $\fmsm{\Gr}{n}$ for a size-$n$ MSM in $\Gr$ where the group element bases are known ahead of time (i.e., fixed-base)
      • when the scalars are always from a set $S$, then we use $\fmsmSmall{\Gr}{n}{S}$
    • $\vmsm{\Gr}{n}$ for a size-$n$ MSM in $\Gr$ where the group element bases are not known ahead of time (i.e., variable-base)
      • when the scalars are always from a set $S$, then we use $\vmsmSmall{\Gr}{n}{S}$
    • $\pairing$ for one pairing
    • $\multipair{n}$ for a size-$n$ multipairing

Algorithms

$\mathsf{PST}.\mathsf{Setup}(\mathcal{G}, d_1,d_2,\ldots,d_\ell) \rightarrow (\ck, \prk,\vk)$

Return the public parameters: \begin{align} \ck &\gets \left(\crs{\one{\tau_1^{\alpha_1} \tau_2^{\alpha_2} \cdots \tau_\ell^{\alpha_\ell}}}\right)_{\alpha_1\in[0,d_1],\ldots,\alpha_\ell\in[0,d_\ell]} \\
\prk &\gets \left(\crs{\one{\tau_i^{\alpha_i} \tau_{i+1}^{\alpha_{i+1}} \cdots \tau_\ell^{\alpha_\ell}}}\right)_{i\in[\ell],\alpha_i\in[0,d_1),\alpha_{i+1}\in[0,d_{i+1}],\ldots,\alpha_\ell\in[0,d_\ell]} \\
\vk &\gets \left(\crs{\two{\tau_i}}\right)_{i\in[\ell]} \\
\end{align}

Double check this, but I think the max degrees in the $\prk$ are $d_i - 1$ instead of $d_i$ due to the division by $X_i$ when computing $q_i$.

$\mathsf{PST}.\mathsf{Commit}(\mathsf{ck}, f) \rightarrow C$

Parse the commitment key: \begin{align} \left(\crs{\one{\tau_1^{\alpha_1} \tau_2^{\alpha_2} \cdots \tau_\ell^{\alpha_\ell}}}\right)_{\alpha_1\in[0,d_1],\ldots,\alpha_\ell\in[0,d_\ell]} \parse \ck \end{align}

Assume that the polynomial $f$ looks like: \begin{align} f(X_1, X_2, \ldots, X_\ell) &= \sum_{\alpha_1\in[0,d_1]}\sum_{\alpha_2\in[0,d_2]}\ldots \sum_{\alpha_\ell\in[0,d_\ell]} f_{\alpha_1, \alpha_2, \ldots,\alpha_\ell} \cdot X_1^{\alpha_1} X_2^{\alpha_2} \cdots X_\ell^{\alpha_\ell}\\
% &\stackrel{\mathsf{def}}{=} \sum_{\boldsymbol{\alpha}\in[0,d]^\ell} f_{\boldsymbol{\alpha}} \cdot \boldsymbol{X}^{\boldsymbol{\alpha}},\ \text{where}\ \begin{cases} % \boldsymbol{\alpha} &\stackrel{\mathsf{def}}{=} [\alpha_1,\alpha_2,\ldots,\alpha_\ell]\\
% \boldsymbol{X}^{\boldsymbol{\alpha}} &\stackrel{\mathsf{def}}{=} X_1^{\alpha_1} X_2^{\alpha_2} \cdots X_\ell^{\alpha_\ell} %\end{cases} \end{align}

Commit to it as: \begin{align} C\gets \one{f(\tau_1, \tau_2,\ldots,\tau_\ell)} &= \sum_{\alpha_1\in[0,d_1]}\sum_{\alpha_2\in[0,d_2]}\ldots \sum_{\alpha_\ell\in[0,d_\ell]} f_{\alpha_1, \alpha_2, \ldots,\alpha_\ell} \cdot \crs{\one{\tau_1^{\alpha_1} \tau_2^{\alpha_2} \cdots \tau_\ell^{\alpha_\ell}}} \end{align}

$\mathsf{PST}.\mathsf{Open}(f, \boldsymbol{a}, z)\rightarrow \pi$

Compute quotient polynomials $q_1(X_1,\ldots,X_\ell), \ldots, q_\ell(X_\ell)$ such that: \begin{align} f(X_1,X_2,\ldots,X_\ell) = f(a_1,a_2, \ldots, a_\ell) + \sum_{i\in[\ell]} q_i(X_i,\ldots,X_\ell) (X_i - a_i) \end{align}

Give algorithm for computing $q_i$’s and mention that whether we start with $X_1$ or with $X_\ell$, has no bearing.

Return the proof: \begin{align} \pi \gets \left(\one{q_i(\tau_i,\ldots,\tau_\ell)}\right)_{i\in[\ell]} \end{align}

$\mathsf{PST}.\mathsf{Verify}(\vk, C, \boldsymbol{a}, z; \pi)\rightarrow \{0,1\}$

Parse the VK and the proof: \begin{align} \left(\crs{\two{\tau_i}}\right)_{i\in[\ell]} \parse \vk\\
(\pi_i)_{i\in[\ell]}\parse \pi\\
\end{align}

Check the proof: \begin{align} \textbf{assert}\ \pair{C - \one{z}}{\two{1}} \equals \sum_{i\in[\ell]} \pair{\pi_i}{\two{\tau_i} - \two{a_i}} \end{align}

Efficiency

TODOs

Is this knowledge-sound in the AGM?

References

For cited works, see below 👇👇

  1. Signatures of Correct Computation, by Papamanthou, Charalampos and Shi, Elaine and Tamassia, Roberto, in TCC’13, 2013 

  2. Signatures of Correct Computation, by Charalampos Papamanthou and Elaine Shi and Roberto Tamassia, in Cryptology ePrint Archive, Report 2011/587, 2011, [URL] 

Search