Jekyll2020-09-23T18:19:38+00:00https://alinush.github.io//feed.xmlAlin TomescuTBD
Alin TomescuKate-Zaverucha-Goldberg (KZG) Constant-Sized Polynomial Commitments2020-05-06T22:38:00+00:002020-05-06T22:38:00+00:00https://alinush.github.io//2020/05/06/kzg-polynomial-commitments<p>Kate, Zaverucha and Goldberg introduced a constant-sized polynomial commitment scheme in 2010<sup id="fnref:KZG10b" role="doc-noteref"><a href="#fn:KZG10b" class="footnote">1</a></sup>.
We refer to this scheme as <strong>KZG</strong> and quickly introduce it below.</p>
<p><strong>Prerequisites:</strong></p>
<ul>
<li>Pairings (or bilinear maps)</li>
<li><a href="/2020/03/16/polynomials-for-crypto.html">Polynomials</a></li>
</ul>
<h2 id="trusted-setup">Trusted setup</h2>
<p>To commit to degree $\le \ell$ polynomials, need $\ell$-SDH public parameters:
\((g,g^\tau,g^{\tau^2},\dots,g^{\tau^\ell}) = (g^{\tau^i})_{i\in[0,\ell]}\)</p>
<p>Here, $\tau$ is called the <strong>trapdoor</strong>.
These parameters should be generated via a distributed protocol that outputs just the $g^{\tau^i}$’s and <strong>forgets the trapdoor</strong> $\tau$.</p>
<p>The public parameters are <strong>updatable</strong>: given $g^{\tau^i}$’s, anyone can update them to $g^{\alpha^i}$’s where $\alpha = \tau + \Delta$ by picking a random $\Delta$ and computing:
\(g^{\alpha^i} = \left(g^{\tau^i}\right)^{\Delta^i}\)</p>
<p>This is useful when you want to safely re-use a pre-generated set of public parameters, without trusting that nobody knows the trapdoor.</p>
<h2 id="commitments">Commitments</h2>
<p>Commitment to $\phi(X)=\prod_{i\in[0,d]} \phi_i X^i$ is $c=g^{\phi(\tau)}$ computed as:</p>
\[c=\prod_{i\in[0,\deg{\phi}]} \left(g^{\tau^i}\right)^{\phi_i}\]
<p>Since it is just one group element, the commitment is <em>constant-sized</em>.</p>
<h2 id="evaluation-proofs">Evaluation proofs</h2>
<p>To prove an evaluation $\phi(a) = y$, a <em>quotient</em> is computed in $O(d)$ time:
\(q(X) = \frac{\phi(X) - y}{X - a}\)</p>
<p>Then, the <em>constant-sized</em> <strong>evaluation proof</strong> is:</p>
\[\pi = g^{q(\tau)}\]
<p>Note that this leverages the <a href="/2020/03/16/polynomials-for-crypto.html#the-polynomial-remainder-theorem">polynomial remainder theorem</a>.</p>
<h3 id="verifying-an-evaluation-proof">Verifying an evaluation proof</h3>
<p>A verifier who has the commitment $c=g^{\phi(\tau)}$ and the proof $\pi=g^{q(\tau)}$ can verify it in <em>constant-time</em> using two pairings:</p>
<p>\begin{align}
e(c / g^y, g) &= e(\pi, g^\tau / g^a) \Leftrightarrow\\<br />
e(g^{\phi(\tau)-y}, g) &= e(g^{q(\tau)}, g^{\tau-a}) \Leftrightarrow\\<br />
e(g,g)^{\phi(\tau)-y} &= e(g,g)^{q(\tau)(\tau-a)}\\<br />
\phi(\tau)-y &= q(\tau)(\tau-a)
\end{align}</p>
<p>This effectively checks that $q(X) = \frac{\phi(X) - y}{X-a}$ by checking this equality holds for $X=\tau$.
In other words, it checks that the <a href="/2020/03/16/polynomials-for-crypto.html#the-polynomial-remainder-theorem">polynomial remainder theorem</a> holds at $X=\tau$.</p>
<h2 id="batch-proofs">Batch proofs</h2>
<p>Can prove multiple evaluations $(\phi(a_i) = y_i)_{i\in I}$ using a constant-sized <strong>KZG batch proof</strong> $\pi_I = g^{q_I(\tau)}$, where:</p>
<p>\begin{align}
\label{eq:batch-proof-rel}
q_I(X) &=\frac{\phi(X)-R_I(X)}{A_I(X)}\\<br />
A_I(X) &=\prod_{i\in I} (X - a_i)\\<br />
R_I(a_i) &= y_i,\forall i\in I\\<br />
\end{align}</p>
<p>$R_I(X)$ can be interpolated via Lagrange interpolation as:
\(R_I(X)=\sum_{i\in I} y_i \prod_{j\in I,j\ne i}\frac{X - a_j}{a_i - a_j}\)
<!-- TODO: Lagrange interpolation background in cryptomat --></p>
<h3 id="verifying-a-batch-proof">Verifying a batch proof</h3>
<p>The verifier who has the commitment $c$, the evaluations $(a_i, y_i)_{i\in I}$ and a batch proof $\pi_I=g^{q_I(\tau)}$ can verify them as follows.</p>
<ol>
<li>First, he interpolates the <strong>accumulator polynomial</strong> \(A_I(X)=\prod_{i\in I} (X-a_i)\) via a subproduct tree in $O(\vert I\vert\log^2{\vert I\vert})$ time<sup id="fnref:vG13ModernCh10" role="doc-noteref"><a href="#fn:vG13ModernCh10" class="footnote">2</a></sup>.
Then, commits to it as $g^{A_I(\tau)}$ in $O(\vert I \vert)$ time.</li>
<li>Second, he interpolates $R_I(X)$ s.t. $R_I(a_i)=y_i,\forall i \in I$ via fast Lagrange interpolation in $O(\vert I\vert\log^2{\vert I\vert})$ time<sup id="fnref:vG13ModernCh10:1" role="doc-noteref"><a href="#fn:vG13ModernCh10" class="footnote">2</a></sup>.
Then, commits to it as $g^{R_I(\tau)}$ in $O(\vert I \vert)$ time.</li>
<li>Third, he checks Equation \ref{eq:batch-proof-rel} holds at $X=\tau$ using two pairings: $e(c / r, g) = e(\pi_I, a)$.</li>
</ol>
<p>Note that:</p>
<p>\begin{align}
e(g^{\phi(\tau) / g^R_I(\tau)}, g) &= e(g^{q_I(\tau)}, g^{A_I(\tau)})\Leftrightarrow\\<br />
e(g^{\phi(\tau) - R_I(\tau)}, g) &= e(g,g)^{q_I(\tau) A_I(\tau)}\Leftrightarrow\\<br />
\phi(\tau) - R_I(\tau) &= q_I(\tau) A_I(\tau)
\end{align}</p>
<!-- TODO: ## Commitment and proof homomorphism -->
<!-- TODO: ## Aggregation of proofs -->
<!-- TODO: ## Information-theoretic hiding -->
<h3 id="references">References</h3>
<div class="footnotes" role="doc-endnotes">
<ol>
<li id="fn:KZG10b" role="doc-endnote">
<p><strong>Polynomial commitments</strong>, by Kate, Aniket and Zaverucha, Gregory M and Goldberg, Ian, 2010, <a href="https://pdfs.semanticscholar.org/31eb/add7a0109a584cfbf94b3afaa3c117c78c91.pdf">[URL]</a> <a href="#fnref:KZG10b" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:vG13ModernCh10" role="doc-endnote">
<p><strong>Fast polynomial evaluation and interpolation</strong>, by von zur Gathen, Joachim and Gerhard, Jurgen, <em>in Modern Computer Algebra</em>, 2013 <a href="#fnref:vG13ModernCh10" class="reversefootnote" role="doc-backlink">↩</a> <a href="#fnref:vG13ModernCh10:1" class="reversefootnote" role="doc-backlink">↩<sup>2</sup></a></p>
</li>
</ol>
</div>Alin TomescuKate, Zaverucha and Goldberg introduced a constant-sized polynomial commitment scheme in 20101. We refer to this scheme as KZG and quickly introduce it below. Prerequisites: Pairings (or bilinear maps) Polynomials Trusted setup To commit to degree $\le \ell$ polynomials, need $\ell$-SDH public parameters: \((g,g^\tau,g^{\tau^2},\dots,g^{\tau^\ell}) = (g^{\tau^i})_{i\in[0,\ell]}\) Here, $\tau$ is called the trapdoor. These parameters should be generated via a distributed protocol that outputs just the $g^{\tau^i}$’s and forgets the trapdoor $\tau$. The public parameters are updatable: given $g^{\tau^i}$’s, anyone can update them to $g^{\alpha^i}$’s where $\alpha = \tau + \Delta$ by picking a random $\Delta$ and computing: \(g^{\alpha^i} = \left(g^{\tau^i}\right)^{\Delta^i}\) This is useful when you want to safely re-use a pre-generated set of public parameters, without trusting that nobody knows the trapdoor. Commitments Commitment to $\phi(X)=\prod_{i\in[0,d]} \phi_i X^i$ is $c=g^{\phi(\tau)}$ computed as: \[c=\prod_{i\in[0,\deg{\phi}]} \left(g^{\tau^i}\right)^{\phi_i}\] Since it is just one group element, the commitment is constant-sized. Evaluation proofs To prove an evaluation $\phi(a) = y$, a quotient is computed in $O(d)$ time: \(q(X) = \frac{\phi(X) - y}{X - a}\) Then, the constant-sized evaluation proof is: \[\pi = g^{q(\tau)}\] Note that this leverages the polynomial remainder theorem. Verifying an evaluation proof A verifier who has the commitment $c=g^{\phi(\tau)}$ and the proof $\pi=g^{q(\tau)}$ can verify it in constant-time using two pairings: \begin{align} e(c / g^y, g) &= e(\pi, g^\tau / g^a) \Leftrightarrow\\ e(g^{\phi(\tau)-y}, g) &= e(g^{q(\tau)}, g^{\tau-a}) \Leftrightarrow\\ e(g,g)^{\phi(\tau)-y} &= e(g,g)^{q(\tau)(\tau-a)}\\ \phi(\tau)-y &= q(\tau)(\tau-a) \end{align} This effectively checks that $q(X) = \frac{\phi(X) - y}{X-a}$ by checking this equality holds for $X=\tau$. In other words, it checks that the polynomial remainder theorem holds at $X=\tau$. Batch proofs Can prove multiple evaluations $(\phi(a_i) = y_i)_{i\in I}$ using a constant-sized KZG batch proof $\pi_I = g^{q_I(\tau)}$, where: \begin{align} \label{eq:batch-proof-rel} q_I(X) &=\frac{\phi(X)-R_I(X)}{A_I(X)}\\ A_I(X) &=\prod_{i\in I} (X - a_i)\\ R_I(a_i) &= y_i,\forall i\in I\\ \end{align} $R_I(X)$ can be interpolated via Lagrange interpolation as: \(R_I(X)=\sum_{i\in I} y_i \prod_{j\in I,j\ne i}\frac{X - a_j}{a_i - a_j}\) Verifying a batch proof The verifier who has the commitment $c$, the evaluations $(a_i, y_i)_{i\in I}$ and a batch proof $\pi_I=g^{q_I(\tau)}$ can verify them as follows. First, he interpolates the accumulator polynomial \(A_I(X)=\prod_{i\in I} (X-a_i)\) via a subproduct tree in $O(\vert I\vert\log^2{\vert I\vert})$ time2. Then, commits to it as $g^{A_I(\tau)}$ in $O(\vert I \vert)$ time. Second, he interpolates $R_I(X)$ s.t. $R_I(a_i)=y_i,\forall i \in I$ via fast Lagrange interpolation in $O(\vert I\vert\log^2{\vert I\vert})$ time2. Then, commits to it as $g^{R_I(\tau)}$ in $O(\vert I \vert)$ time. Third, he checks Equation \ref{eq:batch-proof-rel} holds at $X=\tau$ using two pairings: $e(c / r, g) = e(\pi_I, a)$. Note that: \begin{align} e(g^{\phi(\tau) / g^R_I(\tau)}, g) &= e(g^{q_I(\tau)}, g^{A_I(\tau)})\Leftrightarrow\\ e(g^{\phi(\tau) - R_I(\tau)}, g) &= e(g,g)^{q_I(\tau) A_I(\tau)}\Leftrightarrow\\ \phi(\tau) - R_I(\tau) &= q_I(\tau) A_I(\tau) \end{align} References Polynomial commitments, by Kate, Aniket and Zaverucha, Gregory M and Goldberg, Ian, 2010, [URL] ↩ Fast polynomial evaluation and interpolation, by von zur Gathen, Joachim and Gerhard, Jurgen, in Modern Computer Algebra, 2013 ↩ ↩2Aggregatable Subvector Commitments for Stateless Cryptocurrencies (from Lagrange polynomials)2020-05-06T14:00:00+00:002020-05-06T14:00:00+00:00https://alinush.github.io//2020/05/06/aggregatable-subvector-commitments-for-stateless-cryptocurrencies<p class="info"><strong>tl;dr:</strong> We build a vector commitment (VC) scheme from KZG commitments to Lagrange polynomials that has (1) constant-sized, aggregatable proofs, which can all be precomputed in $O(n\log{n})$ time, and (2) linear public parameters, which can be derived from any “powers-of-tau” CRS in $O(n\log{n})$ time.
Importantly, the auxiliary information needed to update proofs (a.k.a. the “update key”) is $O(1)$-sized.
Our scheme is compatible with recent techniques to aggregate subvector proofs across <em>different</em> commitments<sup id="fnref:GRWZ20" role="doc-noteref"><a href="#fn:GRWZ20" class="footnote">1</a></sup>.</p>
<!--more-->
<p>This is joint work with <a href="https://twitter.com/ittaia">Ittai Abraham</a>, <a href="https://twitter.com/VitalikButerin">Vitalik Buterin</a>, <a href="https://twitter.com/drakefjustin">Justin Drake</a>, <a href="https://twitter.com/dankrad">Dankrad Feist</a> and <a href="https://twitter.com/khovr">Dmitry Khovratovich</a>.
Our <strong>full paper</strong> is available online <a href="https://eprint.iacr.org/2020/527">here</a>, has been recently accepted to <a href="https://scn.unisa.it/">SCN’20</a>, and has been presented <a href="https://www.youtube.com/watch?v=Yzs6DEVFTLM">here</a> (25 minutes) and <a href="https://www.youtube.com/watch?v=KGRnpjPjduI&list=PLj80z0cJm8QHm_9BdZ1BqcGbgE-BEn-3Y&index=22&t=0s">here</a> (1 hour).
You can find the slides in <a href="https://github.com/alinush/asvc-talk">this GitHub repo</a>.</p>
<p><strong>A little backstory:</strong>
I’ve been interested in vector commitments (VCs) ever since <a href="https://madars.org/">Madars Virza</a> first showed me how KZG and roots of unity gives rise to a simple VC scheme.
In 2018, I was trying to figure out if VC proofs can be updated fast in such a construction.
I came up with a KZG-based scheme that could update a proof for $v_i$ given a change to any $v_j $.
Unfortunately, it required an $O(n)$-sized, <em>static</em>, <em>update key</em> to do the update.
Since each player $i$ in a stateless cryptocurrency has to update their proof for $v_i$, this $O(n)$-sized update key is an annoying storage burden for that user.</p>
<p>Then, I saw <a href="https://ethresear.ch/t/using-polynomial-commitments-to-replace-state-roots/7095">Vitalik Buterin’s post</a> on using <em>partial fraction decomposition</em> to aggregate KZG proofs.
This was great, since it immediately implied VC proofs can be aggregated.
However, after conversations with <a href="https://twitter.com/ittaia">Ittai Abraham</a> and the Ethereum Research team, it became clear this can also be used to reduce the update key size.
The key ingredient was turning two commitments to $A(X)/(X-i)$ and $A(X)/(X-j)$ into a commitment to $A(X)/\left((X-i)(X-j)\right)$ (see <a href="#updating-proofs">here</a>).
This post explains this technique and how to make it work by taking care of all details (e.g., making update keys verifiable, computing them from the KZG public params efficiently, etc.).</p>
<p hidden="">$$
\def\G{\mathbb{G}}
\def\Zp{\mathbb{Z}_p}
\newcommand{\bezout}{B\'ezout\xspace}
\newcommand{\G}{\mathbb{G}}
\newcommand{\Gho}{\mathbb{G}_{?}}
\newcommand{\Fp}{\mathbb{F}_p}
\newcommand{\GT}{\mathbb{G}_T}
\newcommand{\Zp}{\mathbb{Z}_p}
\newcommand{\poly}{\mathsf{poly}}
\newcommand{\lagr}{\mathcal{L}}
\newcommand{\vect}[1]{\boldsymbol{\mathrm{#1}}}
\newcommand{\prk}{\mathsf{prk}}
\newcommand{\vrk}{\mathsf{vrk}}
\newcommand{\upk}{\mathsf{upk}}
$$</p>
<!-- \overset{\mathrm{def}}{=} -->
<h1 id="preliminaries">Preliminaries</h1>
<p>Let $[i,j]=\{i,i+1,i+2,\dots,j-1,j\}$ and $[0, n) = [0,n-1]$.
Let $p$ be a sufficiently large prime that denotes the order of our groups.</p>
<p>In this post, beyond basic group theory for cryptographers<sup id="fnref:KL15" role="doc-noteref"><a href="#fn:KL15" class="footnote">2</a></sup> and basic polynomial arithmetic, I will assume you are familiar with a few concepts:</p>
<ul>
<li><strong>Bilinear maps</strong><sup id="fnref:GPS08" role="doc-noteref"><a href="#fn:GPS08" class="footnote">3</a></sup>. Specifically, $\exists$ a bilinear map $e : \G_1 \times \G_2 \rightarrow \G_T$ such that:
<ul>
<li>$\forall u\in \G_1,v\in \G_2, a\in \Zp, b\in \Zp, e(u^a, v^b) = e(u,v)^{ab}$</li>
<li>$e(g_1,g_2)\ne 1_T$ where $g_1,g_2$ are the generators of $\G_1$ and $\G_2$ respectively and $1_T$ is the identity of $\G_T$</li>
</ul>
</li>
<li><strong>KZG</strong><sup id="fnref:KZG10a" role="doc-noteref"><a href="#fn:KZG10a" class="footnote">4</a></sup> <strong>polynomial commitments</strong> (see <a href="/2020/05/06/kzg-polynomial-commitments.html">here</a>),</li>
<li>The <strong>Fast Fourier Transform (FFT)</strong><sup id="fnref:CLRS09" role="doc-noteref"><a href="#fn:CLRS09" class="footnote">5</a></sup> applied to polynomials. Specifically,
<ul>
<li>Suppose $\Zp$ admits a primitive <em>root of unity</em> $\omega$ of order $n$ (i.e., $n \mid p-1$)</li>
<li>Let \(H=\{1, \omega, \omega^2, \omega^3, \dots, \omega^{n-1}\}\) denote the set of all $n$ $n$th roots of unity</li>
<li>Then, FFT can be used to efficiently evaluate any polynomial $\phi(X)$ at all $X\in H$ in $\Theta(n\log{n})$ time
<ul>
<li>i.e., compute all \(\{\phi(\omega^{i-1})\}_{i\in[n]}\)</li>
</ul>
</li>
</ul>
</li>
</ul>
<h1 id="vcs-from-lagrange-polynomials">VCs from Lagrange polynomials</h1>
<p>We build upon a previous line of work on VCs from Lagrange polynomials<sup id="fnref:CDHK15" role="doc-noteref"><a href="#fn:CDHK15" class="footnote">6</a></sup><sup>,</sup><sup id="fnref:KZG10a:1" role="doc-noteref"><a href="#fn:KZG10a" class="footnote">4</a></sup><sup>,</sup><sup id="fnref:Tomescu20" role="doc-noteref"><a href="#fn:Tomescu20" class="footnote">7</a></sup>.</p>
<p>Recall that given a vector $\vect{v} = [v_0, v_1, \dots, v_{n-1}]$, we can interpolate a polynomial $\phi(X)$ such that $\phi(i)=v_i$ as follows:
\begin{align}
\phi(X)=\sum_{i=0}^{n-1} v_i \cdot \lagr_i(X),\ \text{where}\ \lagr_i(X) = \prod_{\substack{j\in [0,n)\\j\ne i}}\frac{X-j}{i-j}
\end{align}</p>
<!-- TODO: add this to polynomial basics -->
<p>It is well-known that this Lagrange representation of $\vect{v}$ naturally gives rise to a <strong>vector commitment (VC)</strong> scheme<sup id="fnref:CF13" role="doc-noteref"><a href="#fn:CF13" class="footnote">8</a></sup>.
The key idea is to commit to $\vect{v}$ by committing to $\phi(X)$ using KZG polynomial commitments (see <a href="/2020/05/06/kzg-polynomial-commitments.html">here</a>).
Then, proving $\phi(i) = v_i$ proves that $v_i$ is the $i$th element in the vector.
Next, we describe how this scheme works in more detail and what features it has.</p>
<h2 id="trusted-setup">Trusted setup</h2>
<p>To set up the VC scheme for committing to any vector of size $n$, use an MPC protocol<sup id="fnref:BGM17" role="doc-noteref"><a href="#fn:BGM17" class="footnote">9</a></sup> to generate public parameters $\left(g^{\tau^i}\right)_{i\in [0,n]}$.
<!-- Note: need to commit to A(X) which has roots at all n i's, so need g^{\tau^n} -->
Then, either:</p>
<ol>
<li>Spend $O(n^2)$ time to compute commitments $\ell_i = g^{\lagr_i(\tau)}$ to all $n$ Lagrange polynomials $\lagr_i(X)$.</li>
<li>Or, “shift” the computation of these commitments into the MPC protocol, losing some efficiency.</li>
</ol>
<p class="warning">We will fix this later by storing $v_i$ at $\phi(\omega_n^i)$, which will allow us to compute all $\ell_i$’s in $O(n\log{n})$ time.</p>
<p>Either way, the <strong>proving key</strong> is $\prk=\left(g^{\tau^i},\ell_i\right)_{i\in[0,n)}$ and will be used to commit to a vector and create proofs.
The <strong>verification key</strong> is $\vrk=(g,g^{\tau})$ and will be used to verify proofs.</p>
<h2 id="committing-to-a-vector">Committing to a vector</h2>
<p>The <strong>commitment</strong> to a vector $\vect{v}$ is just a KZG commitment $c=g^{\phi(\tau)}$ to its polynomial $\phi(X)$.
This can be computed very fast, in $O(n)$ time, given the proving key $\prk$:</p>
<p>\begin{align}
c &= \sum_{i=0}^{n-1} \ell_i^{v_i}\\<br />
&= \sum_{i=0}^{n-1} g^{v_i \cdot \lagr_i(\tau)}\\<br />
&= g^{\prod_{i=0}^{n-1} v_i \cdot \lagr_i(\tau)}\\<br />
&= g^{\phi(\tau)}
\end{align}</p>
<h3 id="updating-the-commitment">Updating the commitment</h3>
<p>KZG commitments and thus vector commitments are <em>homomorphic</em>: given commitments $c$ and $c’$ to $\vect{v}$ and $\vect{v’}$, we can get a commitment $C=c \cdot c’$ to $\vect{v} + \vect{v’}$.</p>
<p>A consequence of this is that we can easily update a commitment $c$ to $c’$, given a change $\delta$ to $v_i$ as:
\begin{align}
c’ = c \cdot \ell_i^{\delta}
\end{align}</p>
<h2 id="constant-sized-proofs">Constant-sized proofs</h2>
<p>To prove that $v_i$ is the $i$th element in $\vect{v}$, we have to prove that $\phi(i)=v_i$.
For this, we need to:</p>
<ol>
<li>Interpolate $\phi(X)$ in $O(n\log^2{n})$ field operations and get its coefficients.</li>
<li>Divide $\phi(X)$ by $X-i$ in $O(n)$ field operations and get a quotient $q_i(X)$ such that $\phi(X)=q_i(X)(X-i) + v_i$ (see the <a href="2020/03/16/polynomials-for-crypto.html#the-polynomial-remainder-theorem">polynomial remainder theorem</a>).</li>
<li>Compute a KZG commitment $\pi_i=g^{q_i(\tau)}$ to $q_i(X)$ using an $O(n)$ time multi-exponentiation</li>
</ol>
<p>The proof will be:
\begin{align}
\pi_i=g^{q_i(\tau)}=g^\frac{\phi(\tau)-v_i}{\tau-i}
\end{align}</p>
<p class="warning">In <em>Appendix D.7</em> in <a href="https://eprint.iacr.org/2020/527">our paper</a>, we show how to compute $\pi_i$ in $O(n)$ time, <em>without interpolating</em> $\phi(X)$ by carefully crafting our public parameters.</p>
<p>To verify the proof, we can check with a pairing that:
\begin{align}
e(c/g^{v_i}, g)=e(\pi_i, g^{\tau}/g^i)
\end{align}</p>
<p>This is equivalent to checking that the <a href="/2020/03/16/polynomials-for-crypto.html#the-polynomial-remainder-theorem">polynomial remainder theorem</a> holds for $\phi(i)$ at $X=\tau$.</p>
<h2 id="constant-sized-i-subvector-proofs">Constant-sized $I$-subvector proofs</h2>
<p>To prove multiple positions $(v_i)_{i\in I}$, an <strong>$I$-subvector proof</strong> $\pi_I$ can be computed using a <a href="/2020/05/06/kzg-polynomial-commitments.html#batch-proofs">KZG batch proof</a> as:</p>
<p>\begin{align}
\pi_I &= g^{q_I(\tau)}=g^\frac{\phi(\tau)-R_I(\tau)}{A_I(\tau)}
\end{align}</p>
<p>For this, the prover has to interpolate the following polynomials in $O(\vert I\vert \log^2{\vert I\vert})$ time:</p>
<p>\begin{align}
A_I(X) &=\prod_{i\in I} (X - i)\\<br />
R_I(X) &=\sum_{i\in I} v_i \prod_{j\in I,j\ne i}\frac{X - j}{i - j}\ \text{s.t.}\ R_I(i) = v_i,\forall i\in I
\end{align}</p>
<p>Verifying the proof can also be done with two pairings:
\begin{align}
e(c/g^{R_I(\tau)}, g)=e(\pi_I, g^{A_I(\tau)})
\end{align}</p>
<p>Note that the verifier has to spend $O(\vert I\vert \log^2{\vert I\vert})$ time to interpolate and commit to $A_I(X)$ and $R_I(X)$.</p>
<p class="warning">Later on, we show how to aggregate an $I$-subvector proof $\pi_I$ from all individual proofs $\pi_i, i\in I$ in $O(\vert I\vert \log^2{\vert I\vert})$ time.</p>
<h1 id="enhancing-lagrange-based-vcs">Enhancing Lagrange-based VCs</h1>
<p>The VC scheme presented so far has several nice features:</p>
<ul>
<li>$O(1)$-sized commitments</li>
<li>$O(n)$-sized proving key and $O(1)$-sized verification key</li>
<li>$O(1)$-sized proofs and $O(1)$-sized $I$-subvector proofs</li>
</ul>
<p>It also has additional features, which we didn’t explain:</p>
<ul>
<li><em>Homomorphic proofs:</em> Suppose we are given (1) a proof $\pi_i$ for $v_i$ w.r.t. a commitment $c$ for $\vect{v}$ and (2) a proof $\pi_i’$ for $v_i’$ w.r.t. to $c’$ for vector $\vect{v’}$. Then, can obtain a proof $\Lambda_i=\pi_i \cdot \pi_i’$ for $v_i + v_i’$ w.r.t. $C=c\cdot c’$, which is a commitment to $\vect{v}+\vect{v’}$.</li>
<li><em>Hiding:</em> can commit to a vector as $g^{\phi(\tau)} h^{r(\tau)}$ to get a commitment that hides all information about $\vect{v}$.
<ul>
<li>Here, will need extra $h^{\tau^i}$’s.</li>
<li>Also, $r(X)$ is a random, degree $n-1$ polynomial.
<!--
Note: degree higher than $n-1$ doesn't do anything extra, AFAICT: if you give $n$ evaluations of $\phi$, you reveal $\phi(X)$ anyway, so no sense in "protecting" r(X).
\
In other applications, it might make sense for r(X) to have degree higher than \phi(X), if you want to hide \phi's degree (I think).
--></li>
</ul>
</li>
</ul>
<p>Nonetheless, applications such as <em>stateless cryptocurrencies</em><sup id="fnref:CPZ18" role="doc-noteref"><a href="#fn:CPZ18" class="footnote">10</a></sup>, require extra features:</p>
<ol>
<li><strong>Aggregatable proofs:</strong> Blocks can be made smaller by aggregating all users’ proofs in a block into a single subvector proof.</li>
<li><strong>Updatable proofs:</strong> In a stateless cryptocurrency, each user $i$ has a proof of her balance stored at position $i$ in the vector. However, since the vector changes after each transaction in the currency, the user must be able to update her proof so it verifies w.r.t. the updated vector commitment.</li>
<li><strong>Precompute <em>all</em> proofs fast:</strong> Proof serving nodes in stateless cryptocurrencies can operate faster if they periodically precompute all proofs rather than updating all $O(n)$ proof after each new block.</li>
<li><strong>Updatable public parameters:</strong> Since many $g^{\tau^i}$’s are already publicly available from previous trusted setup ceremonies implemented via MPC, it would be nice to use them safely by “refreshing” them with additional trusted randomness.</li>
</ol>
<p><a href="https://eprint.iacr.org/2020/527">Our paper</a> adds all these features by carefully making use of roots of unity<sup id="fnref:vG13ModernCh8" role="doc-noteref"><a href="#fn:vG13ModernCh8" class="footnote">11</a></sup>, Fast Fourier Transforms (FFTs)<sup id="fnref:CLRS09:1" role="doc-noteref"><a href="#fn:CLRS09" class="footnote">5</a></sup> and partial fraction decomposition<sup id="fnref:Buterin20UsingPoly" role="doc-noteref"><a href="#fn:Buterin20UsingPoly" class="footnote">12</a></sup>.</p>
<h2 id="aggregating-proofs-into-subvector-profs">Aggregating proofs into subvector profs</h2>
<p>Drake and Buterin<sup id="fnref:Buterin20UsingPoly:1" role="doc-noteref"><a href="#fn:Buterin20UsingPoly" class="footnote">12</a></sup> observe that partial fraction decomposition can be used to aggregate KZG proofs.</p>
<p>Let’s first take a quick look at how partial fraction decomposition works.</p>
<h3 id="partial-fraction-decomposition">Partial fraction decomposition</h3>
<p>Any <em>accumulator polynomial fraction</em> can be decomposed as:
\begin{align}
\frac{1}{\prod_{i\in I} (X-i)} = \sum_{i\in I} c_i \cdot \frac{1}{X-i}
\end{align}</p>
<p>The key question is “What are the $c_i$’s?”
Surprisingly, the answer is given by a slightly tweaked Lagrange interpolation formula on a set of points $I$ <sup id="fnref:BT04" role="doc-noteref"><a href="#fn:BT04" class="footnote">13</a></sup>:</p>
<p>\begin{align}
\lagr_i(X)=\prod_{j\in I, j\ne i} \frac{X-j}{i - j}=\frac{A_I(X)}{A_I’(i) (X-i)},\ \text{where}\ A_I(X)=\prod_{i\in I} (X-i)
\end{align}</p>
<p>Here, $A_I’(X)$ is the derivative of $A_I(X)$ and has the (non-obvious) property that $A_I’(i)=\prod_{j\in I,j\ne i} (i-j)$.
(Check out <a href="/2020/03/12/scalable-bls-threshold-signatures.html#our-quasilinear-time-bls-threshold-signature-aggregation">this post</a> for some intuition on why this tweaked Lagrange formula works.)</p>
<p>Now, let us interpolate the polynomial $\phi(X)=1$ using this new Lagrange formula from a set of $|I|$ points $(v_i, \phi(v_i)=1)_{i\in I}$.
\begin{align}
\phi(X) &= \sum_{i\in I} v_i \lagr_i(X)\Leftrightarrow\\\
1 &= A_I(X)\sum_{i\in[0,n)} \frac{v_i}{A_I’(i)(X-i)}\Leftrightarrow\\<br />
\frac{1}{A_I(X)} &= \sum_{i\in I} \frac{1}{A_I’(i)(X-i)}\Leftrightarrow\\<br />
\frac{1}{A_I(X)} &= \sum_{i\in I} \frac{1}{A_I’(i)}\cdot\frac{1}{(X-i)}\Rightarrow\\<br />
c_i &= \frac{1}{A_I’(i)}
\end{align}</p>
<p>Thus, to compute all $c_i$’s needed to decompose, we need to evaluate $A’(X)$ at all $i\in I$.
Fortunately, this can be done in $O(\vert I\vert \log^2{\vert I\vert})$ field operations using a polynomial multipoint evaluation<sup id="fnref:vG13ModernCh10" role="doc-noteref"><a href="#fn:vG13ModernCh10" class="footnote">14</a></sup>.</p>
<h3 id="applying-partial-fraction-decomposition-to-vc-proofs">Applying partial fraction decomposition to VC proofs</h3>
<p>Recall that an $I$-subvector proof is just a commitment to the following quotient polynomial:</p>
<p>\begin{align}
q_I(X)
&= \phi(X)\frac{1}{A_I(X)}- R_I(X)\frac{1}{A_I(X)}\\<br />
\end{align}</p>
<p>Next, we replace $\frac{1}{A_I(X)}$ with its partial fraction decomposition $\sum_{i\in I} \frac{1}{A_I’(i)(X-i)}$.</p>
<p>\begin{align}
q_I(X)
&= \phi(X)\sum_{i\in I} \frac{1}{A_I’(i)(X-i)} - \left(A_I(X)\sum_{i\in I} \frac{v_i}{A_I’(i)(X-i)}\right)\cdot \frac{1}{A_I(X)} \\<br />
&= \sum_{i\in I} \frac{\phi(X)}{A_I’(i)(X-i)} - \sum_{i\in I} \frac{v_i}{A_I’(i)(X-i)}\\<br />
&= \sum_{i\in I} \frac{1}{A_I’(i)}\cdot \frac{\phi(X) - v_i}{X-i}\\<br />
&= \sum_{i\in I} \frac{1}{A_I’(i)}\cdot q_i(X)
\end{align}</p>
<p>So in the end, we were able to express $q_I(X)$ as a linear combination of $q_i(X)$’s, which are exactly the quotients committed to in the proofs of the $v_i$’s (see <a href="#constant-sized-proofs">here</a>).</p>
<p>Thus, given a set of proofs $(\pi_i)_{i\in I}$ for a bunch of $v_i$’s, we can aggregate them into an $I$-subvector proof $\pi_I$ as:
\begin{align}
\pi_I &= \prod_{i\in I} \pi_i^{\frac{1}{A_I’(i)}}
\end{align}</p>
<p>This takes $O(\vert I\vert \log^2{\vert I\vert})$ field operations to compute all the $c_i$’s, as explained in the previous subsection.</p>
<h2 id="updating-proofs">Updating proofs</h2>
<p>First, recall that a proof $\pi_i$ for $v_i$ is a KZG commitment to:
\begin{align}
q_i(X)=\frac{\phi(X)-v_i}{X-i}
\end{align}</p>
<p>Suppose that $v_j$ changes to $v_j+\delta$, thus changing the vector commitment and invalidating any proof $\pi_i$.
Thus, we want to be able to update any proof $\pi_i$ to a new proof $\pi_i’$ that verifies w.r.t. the updated commitment.
Note that we must consider two cases:</p>
<ol>
<li>$i=j$</li>
<li>$i\ne j$.</li>
</ol>
<p>We refer to the party updating their proof $\pi_i$ as the <strong>proof updater</strong>.</p>
<h3 id="the-ij-case">The $i=j$ case</h3>
<p>Let’s see how the quotient polynomial $q_i’(X)$ in the updated proof $\pi_i’$ relates to the original quotient $q_i(X)$:
\begin{align}
q_i’(X)
&=\frac{\phi’(X)-(v_i+\delta)}{X-i}\\<br />
& =\frac{\left(\phi(X) + \delta\lagr_i(X)\right) - v_i -\delta}{X-i}\\<br />
&=\frac{\phi(X) - v_i}{X-i}-\frac{\delta(\lagr_i(X)-1)}{X-i}\\<br />
&= q_i(X) + \delta\left(\frac{\lagr_i(X)-1}{X-i}\right)
\end{align}</p>
<p>Observe that if we include KZG commitments $u_i$ to $\frac{\lagr_i(X)-1}{X-i}$ in our public parameters, then we can update $\pi_i$ to $\pi_i’$ as:
\begin{align}
\pi_i’ = \pi_i \cdot \left(u_i\right)^{\delta}
\end{align}</p>
<p>We include a commitment $u_i$ as part of each user $i$’s update key $\upk_i = u_i = g^\frac{\lagr_i(\tau)-1}{\tau-i}$.
This way, each user $i$ can update her proof after a change to their own $v_i$.
This leaves us with handling updates to $v_j$ for $j\ne i$.
We handle this next by including additional information in $\upk_i$.</p>
<h3 id="the-ine-j-case">The $i\ne j$ case</h3>
<p>Again, let’s see how $q_i’(X)$ relates to the original $q_i(X)$, but after a change $\delta$ at position $j\ne i$:
\begin{align}
q_i’(X)
&=\frac{\phi’(X)-v_i}{X-i}\\<br />
&=\frac{\left(\phi(X) + \delta\lagr_j(X)\right) - v_i}{X-i}\\<br />
&=\frac{\phi(X) - v_i}{X-i}-\frac{\delta\lagr_j(X)}{X-i}\\<br />
&= q_i(X) + \delta\left(\frac{\lagr_j(X)}{X-i}\right)
\end{align}</p>
<p>This time we are in a bit of pickle because there are $O(n^2)$ possible polynomials $U_{i,j}(X) = \frac{\lagr_j(X)}{X-i}$
Let, $u_{i,j}=g^{U_{i,j}(\tau)}$ denote their commitments.
This would mean we’d need each user $i$ to have $n-1$ $u_{i,j}$’s: one for each $j\in[0,n),j\ne i$.
Then, for any change $\delta$ to $v_j$, user $i$ could update its $\pi_i$ to $\pi_i’$ as:
\begin{align}
\pi_i’ = \pi_i \cdot \left(u_{i,j}\right)^{\delta}
\end{align}</p>
<p>However, this would mean each user $i$’s update key is $\upk_i = (u_i, (u_{i,j})_{j\in [0,n),j\ne i})$ and is $O(n)$-sized.
This makes it impractical for use in applications such as stateless cryptocurrencies, where each user $i$ has to include their $\upk_i$ in every transaction they issue.</p>
<h4 id="re-constructing-u_ij-fast">Re-constructing $u_{i,j}$ fast</h4>
<p>Fortunately, by putting additional information in $\upk_i$ and $\upk_j$, we can help user $i$ reconstruct $u_{i,j}$ in $O(1)$ time.
Let $A(X)=\prod_{i\in [0,n)} (X-i)$ be the accumulator polynomial over all $i$’s.
Let $A’(X)$ be its derivative and store the evaluation $A’(i)$ in each user’s $\upk_i$.
Additionally, store $a_i = g^\frac{A(\tau)}{\tau-i}$ in each user’s $\upk_i$.
(Note that $a_i$ is just a KZG proof for $A(i) = 0$.)</p>
<p class="error">Computing all $a_i$’s takes $O(n^2)$ time, but we improve this to $O(n\log{n})$ time later using roots of unity.</p>
<p>Next, using the tweaked Lagrange formula from before, rewrite $U_{i,j}(X)$ as:
\begin{align}
U_{i,j}(X)
&=\frac{\lagr_j(X)}{X-i}\\<br />
&= \frac{A(X)}{A’(j)(X-j)(X-i)}\\<br />
&= \frac{1}{A’(j)}\cdot A(X) \cdot \frac{1}{(X-j)(X-i)}
\end{align}</p>
<p>Next, notice that we can decompose $\frac{1}{(X-j)(X-i)}$:
\begin{align}
U_{i,j}(X)
&= \frac{1}{A’(j)}\cdot A(X) \cdot \frac{1}{(X-j)(X-i)}\\<br />
&= \frac{1}{A’(j)}\cdot A(X) \cdot \left(c_j \frac{1}{X-j}+ c_i\frac{1}{X-i}\right)
&= \frac{1}{A’(j)}\cdot \left(c_j \frac{A(X)}{X-j}+ c_i\frac{A(X)}{X-i}\right)
\end{align}</p>
<p>Now, notice that this implies the commitment $u_{i,j}$ can be computed in $O(1)$ time as:
\begin{align}
u_{i,j}
&= \left(a_j^{c_j} \cdot a_i^{c_i}\right)^\frac{1}{A’(j)}
\end{align}</p>
<p>What are $c_i$ and $c_j$? Just define $A_{i,j}(X) = (X-i)(X-j)$, take its derivative $A_{i,j}’(X)=(X-i)+(X-j)$ and, <a href="#partial-fraction-decomposition">as mentioned before</a>, you have $c_i=1/A_{i,j}’(i)=1/(i-j)$ and $c_j=1/A_{i,j}’(j)=1/(j-i)$</p>
<p>Thus, it is sufficient to set each user’s $\upk_i=(u_i, a_i, A’(i))$.</p>
<p class="info">Note that for user $i$ to update their proof, they need not just their own $\upk_i$ but also the $\upk_j$ corresponding to the changed position $j$.
This is fine in settings such as stateless cryptocurrencies, where $\upk_j$ is part of the transaction that sends money from user $i$ to user $j$.</p>
<h2 id="verifiable-update-keys">Verifiable update keys</h2>
<p>In the stateless cryptocurrency setting, it is very important that user $i$ be able verify $\upk_j$ before using it to update her proof.
Similarly, miners should verify the update keys they use for updating the commitment $c$.
(We did not discuss it, but $\upk_i$ can also be used to derive a commitment to $\lagr_i(X)$ needed to update $c$ after a change to $v_i$.)</p>
<p>To verify $\upk_i$, we need to include a commitment $a=g^{A(\tau)}$ to $A(X)$ in the $\vrk$.
This way, each $a_i$ in $\upk_i$ can be verified as a normal KZG proof w.r.t. $a$.
Then, each $u_i$ can also be verified by noticing two things:</p>
<ol>
<li>$u_i$ is just a KZG proof that $\lagr_i(i) = 1$</li>
<li>$a_i$ can be transformed into $\ell_i=g^{\lagr_i(\tau)}$ in $O(1)$ time by exponentiating it with $1/A’(i)$, which is part of $\upk_i$</li>
</ol>
<p>As a result, $u_i$ can now be verified as a KZG proof that $\lagr_i(i) = 1$ against $\ell_i$.</p>
<h2 id="precomputing-all-proofs-fast">Precomputing all proofs fast</h2>
<p>Computing all $n$ constant-sized proofs for $v_i=\phi(i)$ in less than quadratic time seems very difficult.
Fortunately, Feist and Khovratovich<sup id="fnref:FK20" role="doc-noteref"><a href="#fn:FK20" class="footnote">15</a></sup> give a beautiful technique that can do this, subject to the restriction that the evaluation points are roots of unity, rather than $[0,1,\dots, n-1]$.
Thus, if we change our scheme to store $v_i$ at $\phi(\omega^i)$ where $\omega$ is an $n$th primitive root of unity, we can use this technique to compute all VC proofs $(\pi_i)_{i\in [0,n)}$ in $O(n\log{n})$ time.</p>
<p>Furthermore, we can use this same technique to compute all the $a_i$’s from each $\upk_i$ in $O(n\log{n})$ time.</p>
<h2 id="efficiently-computable-and-updatable-public-parameters">Efficiently-computable and updatable public parameters</h2>
<p>Our scheme’s public parameters, consisting of the proving key, verification key and update keys, need to be generated via an MPC protocol<sup id="fnref:BGM17:1" role="doc-noteref"><a href="#fn:BGM17" class="footnote">9</a></sup>, to guarantee nobody learns the trapdoor $\tau$.
Unfortunately, the most efficient MPC protocols only output $g^{\tau^i}$’s.
This means we should (ideally) find a way to derive the remaining public parameters from these $g^{\tau^i}$’s.</p>
<p>First, when using roots of unity, we have $A(X)=\prod_{i\in [0,n)} (X-\omega^i) = X^n - 1$.
Thus, the commitment $a=g^{A(\tau)}$ to $A(X)=X^{n} - 1$ can be computed in $O(1)$ time via an exponentiation.</p>
<p>Second, the commitments $\ell_i=g^{\lagr_i(\tau)}$ to Lagrange polynomials can be computed via a single DFT on the $(g^{\tau^i})$’s.
(See <em>Sec 3.12.3, pg. 97</em> in <a href="https://madars.org/">Madars Virza’s</a> PhD thesis<sup id="fnref:Virza17" role="doc-noteref"><a href="#fn:Virza17" class="footnote">16</a></sup>).
<!-- Also briefly mentioned in BCG+15: Oakland paper I-C-2, page 5 --></p>
<p>Third, each $a_i = g^{A(\tau)/(\tau -\omega^i)}$ is just a bilinear accumulator membership proof for $\omega^i$ w.r.t. $A(X)$.
Thus, all $a_i$’s can be computed in $O(n\log{n})$ time via the Feist-Khovratovich technique<sup id="fnref:FK20:1" role="doc-noteref"><a href="#fn:FK20" class="footnote">15</a></sup>.</p>
<p>Lastly, we need a way to compute all $u_i = g^{\frac{\lagr_i(\tau)-1}{X-\omega^i}}$.
It turns out this is also doable in $O(n\log{n})$ time using an FFT on a carefully-crafted input (see <em>Sec 3.4.5</em> in <a href="https://eprint.iacr.org/2020/527">our paper</a>).</p>
<p>As a last benefit, since our parameters can be derived from $g^{\tau^i}$’s which are <em>updatable</em>, our parameters are updatable.
This is very useful as it allows safe reuse of existing parameters generated for other schemes.</p>
<h1 id="parting-thoughts">Parting thoughts</h1>
<p>Please see <a href="https://eprint.iacr.org/2020/527">our paper</a> for more goodies, including:</p>
<ul>
<li>A formalization of our primitive (in Sec 3.1)</li>
<li>The full algorithms of our VC (in Sec 3.4.4)</li>
<li>A new security definition for KZG batch proofs with a reduction to $n$-SBDH (in Appendix C)</li>
<li>The efficient algorithm for computing the $u_i$’s (in Sec 3.4.5)</li>
<li>A comparison to other VCs (in Table 2)</li>
<li>An survey of existing VC schemes over prime-order groups, with a time complexity analysis (in Appendix D)</li>
<li>A smaller, incomplete survey of existing VC schemes over hidden-order groups (in Appendix D)</li>
</ul>
<h2 id="are-roots-of-unity-necessary">Are roots of unity necessary?</h2>
<p><a href="https://twitter.com/chbpap">Babis Papamanthou</a> asked me a very good question: <em>“What functionality requires the use of roots of unity?”</em>
I hope the last two sections answered that clearly:</p>
<ul>
<li>Can precompute all $n$ VC proofs in quasilinear time</li>
<li>Can derive our public parameters efficiently from the $g^{\tau^i}$’s
<ul>
<li>This includes all $u_i$’s and $a_i$’s needed to update proofs efficiently</li>
</ul>
</li>
<li>Can have (efficiently) updatable public parameters</li>
<li>Can remove $A’(i)$ from $\upk_i$, since $A’(i)=n\omega^{-i}$ (see <em>Appendix A</em> in <a href="https://eprint.iacr.org/2020/527">our paper</a>)</li>
</ul>
<h2 id="future-work">Future work</h2>
<p>It would be very exciting to see by how much this new VC scheme improves the performance of stateless cryptocurrencies such as Edrax<sup id="fnref:CPZ18:1" role="doc-noteref"><a href="#fn:CPZ18" class="footnote">10</a></sup>.</p>
<h1 id="acknowledgements">Acknowledgements</h1>
<p>Special thanks goes to <a href="https://madars.org/">Madars Virza</a> who first introduced me to Lagrange-based VCs in 2017 and helped me with some of the related work.</p>
<h3 id="references">References</h3>
<div class="footnotes" role="doc-endnotes">
<ol>
<li id="fn:GRWZ20" role="doc-endnote">
<p><strong>Pointproofs: Aggregating Proofs for Multiple Vector Commitments</strong>, by Sergey Gorbunov and Leonid Reyzin and Hoeteck Wee and Zhenfei Zhang, <em>in Cryptology ePrint Archive, Report 2020/419</em>, 2020, <a href="https://eprint.iacr.org/2020/419">[URL]</a> <a href="#fnref:GRWZ20" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:KL15" role="doc-endnote">
<p><strong>Introduction to Modern Cryptography</strong>, by Jonathan Katz and Yehuda Lindell, 2007 <a href="#fnref:KL15" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:GPS08" role="doc-endnote">
<p><strong>Pairings for cryptographers</strong>, by Steven D. Galbraith and Kenneth G. Paterson and Nigel P. Smart, <em>in Discrete Applied Mathematics</em>, 2008 <a href="#fnref:GPS08" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:KZG10a" role="doc-endnote">
<p><strong>Constant-Size Commitments to Polynomials and Their Applications</strong>, by Kate, Aniket and Zaverucha, Gregory M. and Goldberg, Ian, <em>in ASIACRYPT ‘10</em>, 2010 <a href="#fnref:KZG10a" class="reversefootnote" role="doc-backlink">↩</a> <a href="#fnref:KZG10a:1" class="reversefootnote" role="doc-backlink">↩<sup>2</sup></a></p>
</li>
<li id="fn:CLRS09" role="doc-endnote">
<p><strong>Introduction to Algorithms, Third Edition</strong>, by Cormen, Thomas H. and Leiserson, Charles E. and Rivest, Ronald L. and Stein, Clifford, 2009 <a href="#fnref:CLRS09" class="reversefootnote" role="doc-backlink">↩</a> <a href="#fnref:CLRS09:1" class="reversefootnote" role="doc-backlink">↩<sup>2</sup></a></p>
</li>
<li id="fn:CDHK15" role="doc-endnote">
<p><strong>Composable and Modular Anonymous Credentials: Definitions and Practical Constructions</strong>, by Camenisch, Jan and Dubovitskaya, Maria and Haralambiev, Kristiyan and Kohlweiss, Markulf, <em>in Advances in Cryptology – ASIACRYPT 2015</em>, 2015 <a href="#fnref:CDHK15" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:Tomescu20" role="doc-endnote">
<p><strong>How to Keep a Secret and Share a Public Key (Using Polynomial Commitments)</strong>, by Tomescu, Alin, 2020 <a href="#fnref:Tomescu20" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:CF13" role="doc-endnote">
<p><strong>Vector Commitments and Their Applications</strong>, by Catalano, Dario and Fiore, Dario, <em>in Public-Key Cryptography – PKC 2013</em>, 2013 <a href="#fnref:CF13" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:BGM17" role="doc-endnote">
<p><strong>Scalable Multi-party Computation for zk-SNARK Parameters in the Random Beacon Model</strong>, by Sean Bowe and Ariel Gabizon and Ian Miers, <em>in Cryptology ePrint Archive, Report 2017/1050</em>, 2017, <a href="https://eprint.iacr.org/2017/1050">[URL]</a> <a href="#fnref:BGM17" class="reversefootnote" role="doc-backlink">↩</a> <a href="#fnref:BGM17:1" class="reversefootnote" role="doc-backlink">↩<sup>2</sup></a></p>
</li>
<li id="fn:CPZ18" role="doc-endnote">
<p><strong>Edrax: A Cryptocurrency with Stateless Transaction Validation</strong>, by Alexander Chepurnoy and Charalampos Papamanthou and Yupeng Zhang, <em>in Cryptology ePrint Archive, Report 2018/968</em>, 2018 <a href="#fnref:CPZ18" class="reversefootnote" role="doc-backlink">↩</a> <a href="#fnref:CPZ18:1" class="reversefootnote" role="doc-backlink">↩<sup>2</sup></a></p>
</li>
<li id="fn:vG13ModernCh8" role="doc-endnote">
<p><strong>Fast Multiplication</strong>, by von zur Gathen, Joachim and Gerhard, Jurgen, <em>in Modern Computer Algebra</em>, 2013 <a href="#fnref:vG13ModernCh8" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:Buterin20UsingPoly" role="doc-endnote">
<p><strong>Using polynomial commitments to replace state roots</strong>, by Vitalik Buterin, <em>in \url{https://ethresear.ch/t/using-polynomial-commitments-to-replace-state-roots/7095}</em>, 2020, <a href="https://ethresear.ch/t/using-polynomial-commitments-to-replace-state-roots/7095">[URL]</a> <a href="#fnref:Buterin20UsingPoly" class="reversefootnote" role="doc-backlink">↩</a> <a href="#fnref:Buterin20UsingPoly:1" class="reversefootnote" role="doc-backlink">↩<sup>2</sup></a></p>
</li>
<li id="fn:BT04" role="doc-endnote">
<p><strong>Barycentric Lagrange Interpolation</strong>, by Berrut, J. and Trefethen, L., <em>in SIAM Review</em>, 2004 <a href="#fnref:BT04" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:vG13ModernCh10" role="doc-endnote">
<p><strong>Fast polynomial evaluation and interpolation</strong>, by von zur Gathen, Joachim and Gerhard, Jurgen, <em>in Modern Computer Algebra</em>, 2013 <a href="#fnref:vG13ModernCh10" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:FK20" role="doc-endnote">
<p><strong>Fast amortized Kate proofs</strong>, by Dankrad Feist and Dmitry Khovratovich, 2020, <a href="https://github.com/khovratovich/Kate/blob/master/Kate_amortized.pdf">[pdf]</a> <a href="#fnref:FK20" class="reversefootnote" role="doc-backlink">↩</a> <a href="#fnref:FK20:1" class="reversefootnote" role="doc-backlink">↩<sup>2</sup></a></p>
</li>
<li id="fn:Virza17" role="doc-endnote">
<p><strong>On Deploying Succinct Zero-Knowledge Proofs</strong>, by Virza, Madars, 2017 <a href="#fnref:Virza17" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
</ol>
</div>Alin Tomescutl;dr: We build a vector commitment (VC) scheme from KZG commitments to Lagrange polynomials that has (1) constant-sized, aggregatable proofs, which can all be precomputed in $O(n\log{n})$ time, and (2) linear public parameters, which can be derived from any “powers-of-tau” CRS in $O(n\log{n})$ time. Importantly, the auxiliary information needed to update proofs (a.k.a. the “update key”) is $O(1)$-sized. Our scheme is compatible with recent techniques to aggregate subvector proofs across different commitments1. Pointproofs: Aggregating Proofs for Multiple Vector Commitments, by Sergey Gorbunov and Leonid Reyzin and Hoeteck Wee and Zhenfei Zhang, in Cryptology ePrint Archive, Report 2020/419, 2020, [URL] ↩Bilinear Accumulators for Cryptocurrency Enthusiasts2020-04-02T08:10:00+00:002020-04-02T08:10:00+00:00https://alinush.github.io//2020/04/02/bilinear-accumulators-for-cryptocurrency<p class="info"><strong>tl;dr:</strong> We give on overview of <em>bilinear accumulators</em>, a more communication-efficient alternative to Merkle Hash Trees (MHTs) that comes at an increase in computation.
Put simply, bilinear accumulators are commitments to sets with constant-sized (non)membership proofs.</p>
<!-- more -->
<p>For more details, see this full post on <a href="https://decentralizedthoughts.github.io/2020-04-02-bilinear-accumulators-for-cryptocurrency/">Decentralized Thoughts</a>.</p>Alin Tomescutl;dr: We give on overview of bilinear accumulators, a more communication-efficient alternative to Merkle Hash Trees (MHTs) that comes at an increase in computation. Put simply, bilinear accumulators are commitments to sets with constant-sized (non)membership proofs. For more details, see this full post on Decentralized Thoughts.Multiplying a Toeplitz matrix by a vector2020-03-19T14:00:00+00:002020-03-19T14:00:00+00:00https://alinush.github.io//2020/03/19/multiplying-a-vector-by-a-toeplitz-matrix<p>These are some notes on how to efficiently multiply a <em>Toeplitz matrix</em> by a vector.
I was writing these for myself while implementing the <a href="https://github.com/khovratovich/Kate/blob/master/Kate_amortized.pdf">new amortized KZG proofs</a> by Feist and Khovratovich, but I thought they might be useful for you too.</p>
<!--more-->
<h2 id="preliminaries">Preliminaries</h2>
<p>We use column vector notation for all vectors.
If $[a, b, c]$ is a row vector, then $[a,b,c]^T$ denotes its transpose: i.e., the column vector \(\begin{bmatrix}a \\\\\ b \\\\\ c\end{bmatrix}\).</p>
<h2 id="whats-a-toeplitz-and-a-circulant-matrix">What’s a Toeplitz (and a circulant) matrix?</h2>
<p>A <em>Toeplitz matrix</em> (e.g. of size $4\times 4$) looks like this:</p>
<p>\begin{bmatrix}
a_0 & a_{-1} & a_{-2} & a_{-3}\\<br />
a_1 & a_0 & a_{-1} & a_{-2}\\<br />
a_2 & a_1 & a_0 & a_{-1}\\<br />
a_3 & a_2 & a_1 & a_0
\end{bmatrix}</p>
<p>Note the odd use of negative indices here, since typically we usually use positive numbers to index.
It’s just convenient for notation to use negative indices.</p>
<p>In other words, it’s a square matrix where the entries “repeat diagonally.”
A concrete example would be:</p>
<p>\begin{bmatrix}
7 & 11 & 5 & 6 \\<br />
3 & 7 & 11 & 5 \\<br />
8 & 3 & 7 & 11 \\<br />
1 & 8 & 3 & 7
\end{bmatrix}</p>
<p>A <em>circulant matrix</em> $C$ is a special form of Toeplitz matrix:</p>
<p>\begin{bmatrix}
a_0 & a_3 & a_2 & a_1\\<br />
a_1 & a_0 & a_3 & a_2\\<br />
a_2 & a_1 & a_0 & a_3\\<br />
a_3 & a_2 & a_1 & a_0
\end{bmatrix}</p>
<p>In other words, each row is shifted/rotated to the right by 1 entry.
(Or, alternatively, each column is shifted/rotated down by 1 entry.)</p>
<p>In general, note that any circulant matrix $C_n$ of size $n\times n$ has a <em>vector representation</em>:</p>
\[\vec{a_n}=[a_0, a_1, \dots, a_{n-1}]\]
<p>Also, note that a circulant matrix is a particular type of a Toeplitz matrix where $a_{-i} = a_{n-i}, \forall i \in[n-1]$.</p>
<p>Here are two examples of circulant matrices:</p>
\[C_4=\begin{bmatrix}
7 & 11 & 5 & 6 \\\\\
6 & 7 & 11 & 5 \\\\\
5 & 6 & 7 & 11 \\\\\
11 & 5 & 6 & 7
\end{bmatrix},
C_4'=\begin{bmatrix}
7 & 1 & 8 & 3 \\\\\
3 & 7 & 1 & 8 \\\\\
8 & 3 & 7 & 1 \\\\\
1 & 8 & 3 & 7
\end{bmatrix}\]
<p>Importantly, a circulant matrix is <em>diagonalizable</em> by the DFT matrix (although we won’t explain why).</p>
<p>First, recall an example of a DFT matrix (e.g., of size $4 \times 4$):</p>
\[F_4=\begin{bmatrix}
1 & 1 & 1 & 1 \\\\\
1 & (w)^1 & (w)^2 & (w)^3 \\\\\
1 & (w^2)^1 & (w^2)^2 & (w^2)^3 \\\\\
1 & (w^3)^1 & (w^3)^2 & (w^3)^3
\end{bmatrix}\]
<p>What we’re saying is that a circulant matrix $C_n$ of size $n\times n$ can be written as:</p>
\[C_n = (F_n)^{-1} \mathsf{diag}(F_n \vec{a_n}) F_n\]
<p>Here, \(\vec{a_n} = [a_0, \dots, a_{n-1}]\) is the vector representation of $C_n$ as discussed before (see above).
Also, $\mathsf{diag}(F_n \vec{a})$ is the $n\times n$ diagonal matrix whose diagonal entries are the entries from $F_n\vec{a_n}$ (i.e., the entry at position $(i,i)$ is the $i$th entry in $F_n\vec{a_n}$) and all other entries are 0.</p>
<h2 id="multiplying-a-circulant-matrix-by-a-vector">Multiplying a circulant matrix by a vector</h2>
<p>Let $y=\mathsf{DFT}(\vec{x}) = F_n \vec{x}$ denote the DFT of a vector $\vec{x}$ and let $\vec{x}=\mathsf{DFT}^{-1}(y)=F_n^{-1} \vec{y}$ denote the inverse DFT.</p>
<p>If $C_n$ is circulant with vector representation $\vec{a_n}$, then multiplying it by a size-$n$ vector $\vec{x}$ can be written as:</p>
<p>\begin{align}
C_n \vec{x} &= \left((F_n)^{-1} \mathsf{diag}(F_n\vec{a_n}) F_n\right)\vec{x}\\<br />
&= (F_n)^{-1} (\mathsf{diag}(F_n\vec{a_n}) (F_n \vec{x}))\\<br />
&= \mathsf{DFT}^{-1}(\mathsf{diag}(\mathsf{DFT}(\vec{a_n})) \mathsf{DFT}(\vec{x}))\\<br />
&= \mathsf{DFT}^{-1}(\mathsf{diag}(\vec{v}) \vec{y})\\<br />
&= \mathsf{DFT}^{-1}(\vec{v} \circ \vec{y})\\<br />
&= \mathsf{DFT}^{-1}(\vec{u})
\end{align}</p>
<p>In other words, what we must do is:</p>
<ul>
<li>Compute $\vec{y}$ by doing a DFT on $\vec{x}$ (in $\Theta(n\log{n})$ time)</li>
<li>Compute $\vec{v}$ by doing a DFT on $\vec{a_n}$ (in $\Theta(n\log{n})$ time)</li>
<li>Compute the Hadamard product $\vec{u}=\vec{v} \circ \vec{y}$,
<ul>
<li>(Since that’s what happens when you multiply a diagonal matrix by a vector.)</li>
</ul>
</li>
<li>Do an inverse DFT on $\vec{u}$ (in $\Theta(n\log{n})$ time).</li>
</ul>
<p>Thus, we can compute $C_n \vec{x}$ in $\Theta(n\log{n})$ time.</p>
<h2 id="multiplying-a-toeplitz-matrix-by-a-vector">Multiplying a Toeplitz matrix by a vector</h2>
<p>To multiply a Toeplitz matrix $T_n$ by a vector $\vec{x}$, we’ll embed the matrix in a circulant matrix $C_{2n}$ in such a manner that the first $n$ entries of $C_{2n}\vec{x}$ will equal exactly $T_n\vec{x}$.</p>
<p>We’ll use $T_4$ as an example:</p>
\[T_4 = \begin{bmatrix}
a_0 & a_{-1} & a_{-2} & a_{-3}\\\\\
a_1 & a_0 & a_{-1} & a_{-2}\\\\\
a_2 & a_1 & a_0 & a_{-1}\\\\\
a_3 & a_2 & a_1 & a_0
\end{bmatrix}\]
<p>We want to build a circulant matrix $C_8$ from $T_4$ such that:</p>
\[C_8 \begin{bmatrix} \vec{x} \\\\\ \vec{0} \end{bmatrix} = \begin{bmatrix} T_4 \vec{x} \\\\\ ? \end{bmatrix}\]
<p class="info">Note that we don’t care what we get in the last $n$ entries of the result, which we denote with a question mark.
Also, $\vec{0}$ denotes the vector of $n=4$ zeros.</p>
<p>If we had such a $C_8$, then we could multiply it with \(\begin{bmatrix}\vec{x}\\\\\ \vec{0}\end{bmatrix}\) using the $\Theta(n\log{n})$ multiplication algorithm from the previous section and efficiently compute $T_4\vec{x}$.</p>
<p>We’ll build $C_8$ from $T_4$ and some other, to be determined matrix which we denote using $B_4$.</p>
\[C_8 = \begin{bmatrix}
T_4 & B_4 \\\\\
B_4 & T_4
\end{bmatrix}\]
<p>Note that this gives us what we want:
\(C_8 \begin{bmatrix}\vec{x}\\\\\ \vec{0}\end{bmatrix} =
\begin{bmatrix}
T_4 & B_4 \\\\\
B_4 & T_4
\end{bmatrix}
\begin{bmatrix}\vec{x}\\\\\ \vec{0}\end{bmatrix}=
\begin{bmatrix}T_4\vec{x}\\\\\ B_4\vec{x}\end{bmatrix}\)</p>
<p>In other words, the first $n$ entries of the product are indeed equal to $T_4 \vec{x}$, independent of what we pick for $B_4$.</p>
<p>But for us to efficiently compute the product, we’ll need to pick a $B_4$ that makes $C_8$ circulant.
So let’s look at what $C_8$ looks like with just the two $T_4$’s in it:</p>
\[C_8 = \begin{bmatrix}
a_0 & a_{-1} & a_{-2} & a_{-3} & ? & ? & ? & ? \\\\\
a_1 & a_0 & a_{-1} & a_{-2} & ? & ? & ? & ? \\\\\
a_2 & a_1 & a_0 & a_{-1} & ? & ? & ? & ? \\\\\
a_3 & a_2 & a_1 & a_0 & ? & ? & ? & ? \\\\
? & ? & ? & ? & a_0 & a_{-1} & a_{-2} & a_{-3}\\\\\
? & ? & ? & ? & a_1 & a_0 & a_{-1} & a_{-2}\\\\\
? & ? & ? & ? & a_2 & a_1 & a_0 & a_{-1}\\\\\
? & ? & ? & ? & a_3 & a_2 & a_1 & a_0
\end{bmatrix}\]
<p>We can fill in part of the puzzle to keep $C_8$ circulant:</p>
\[C_8 = \begin{bmatrix}
a_0 & a_{-1} & a_{-2} & a_{-3} & ? & ? & ? & ? \\\\\
a_1 & a_0 & a_{-1} & a_{-2} & \mathbf{a_{-3}} & ? & ? & ? \\\\\
a_2 & a_1 & a_0 & a_{-1} & \mathbf{a_{-2}} & \mathbf{a_{-3}} & ? & ? \\\\\
a_3 & a_2 & a_1 & a_0 & \mathbf{a_{-1}} & \mathbf{a_{-2}} & \mathbf{a_{-3}} & ? \\\\
? & \mathbf{a_3} & \mathbf{a_2} & \mathbf{a_1} & a_0 & a_{-1} & a_{-2} & a_{-3}\\\\\
? & ? & \mathbf{a_3} & \mathbf{a_2} & a_1 & a_0 & a_{-1} & a_{-2}\\\\\
? & ? & ? & \mathbf{a_3} & a_2 & a_1 & a_0 & a_{-1}\\\\\
? & ? & ? & ? & a_3 & a_2 & a_1 & a_0
\end{bmatrix}\]
<p>By now, you can tell that $B_4$ can be set to:</p>
\[B_4 = \begin{bmatrix}
? & \mathbf{a_3} & \mathbf{a_2} & \mathbf{a_1} \\\\\
\mathbf{a_{-3}} & ? &\mathbf{a_3} & \mathbf{a_2} \\\\\
\mathbf{a_{-2}} &\mathbf{a_{-3}} & ? &\mathbf{a_3} \\\\\
\mathbf{a_{-1}} & \mathbf{a_{-2}} & \mathbf{a_{-3}} & ?
\end{bmatrix}\]
<p>Since the only constraint for the diagonal elements is to be the same, we’ll set them to $a_0$.
So, the final $C_8$ will be:</p>
\[C_8 = \begin{bmatrix}
a_0 & a_{-1} & a_{-2} & a_{-3} & \mathbf{a_0} & \mathbf{a_3} & \mathbf{a_2} & \mathbf{a_1} \\\\\
a_1 & a_0 & a_{-1} & a_{-2} & \mathbf{a_{-3}} & \mathbf{a_0} & \mathbf{a_3} & \mathbf{a_2} \\\\\
a_2 & a_1 & a_0 & a_{-1} & \mathbf{a_{-2}} & \mathbf{a_{-3}} & \mathbf{a_0} & \mathbf{a_3} \\\\\
a_3 & a_2 & a_1 & a_0 & \mathbf{a_{-1}} & \mathbf{a_{-2}} & \mathbf{a_{-3}} & \mathbf{a_0}\\\\
\mathbf{a_0} & \mathbf{a_3} & \mathbf{a_2} & \mathbf{a_1} & a_0 & a_{-1} & a_{-2} & a_{-3}\\\\\
\mathbf{a_{-3}} & \mathbf{a_0} & \mathbf{a_3} & \mathbf{a_2} & a_1 & a_0 & a_{-1} & a_{-2}\\\\\
\mathbf{a_{-2}} & \mathbf{a_{-3}} & \mathbf{a_0} & \mathbf{a_3} & a_2 & a_1 & a_0 & a_{-1}\\\\\
\mathbf{a_{-1}} & \mathbf{a_{-2}} & \mathbf{a_{-3}} & \mathbf{a_0} & a_3 & a_2 & a_1 & a_0
\end{bmatrix}\]
<p>The question that remains to be answered is what is the <em>vector representation</em> $\vec{a_8}$ of $C_8$, since that’s what we’ll need to efficiently evaluate $C_8\vec{x}$ and thus $T_4\vec{x}$.</p>
<p>The answer is, as before, the elements in the first columns of $C_8$, which are:</p>
\[\vec{a_8}=[ a_0, a_1, a_2, a_3, a_0, a_{-3}, a_{-2}, a_{-1} ]^T\]
<p>Thus, applying the algorithm for circulant matrices from before, what we must do is:</p>
<ul>
<li>Build $\vec{a_{2n}}$ from the entries \(\{a_{n-1}, a_{n-2}, \dots, a_1, a_0, a_{-1}, \dots, a_{-(n-1)}\}\) of the Toeplitz matrix $T_n$</li>
<li>Compute $\vec{y}$ by doing a DFT on $[\vec{x}, \vec{0}]^T$</li>
<li>Compute $\vec{v}$ by doing a DFT on $\vec{a_{2n}}$ (e.g., on $\vec{a_8}$ from above)</li>
<li>Compute the Hadamard product $\vec{u}=\vec{v} \circ \vec{y}$,</li>
<li>Do an inverse DFT on $\vec{u}$</li>
<li>The product $T_n \vec{x}$ consists of the first $n$ entries of the resulting vector</li>
</ul>Alin TomescuThese are some notes on how to efficiently multiply a Toeplitz matrix by a vector. I was writing these for myself while implementing the new amortized KZG proofs by Feist and Khovratovich, but I thought they might be useful for you too.Basics of Polynomials for Cryptography2020-03-16T10:38:00+00:002020-03-16T10:38:00+00:00https://alinush.github.io//2020/03/16/polynomials-for-crypto<p>A <strong>polynomial</strong> $\phi$ of <strong>degree</strong> $d$ is a vector of $d+1$ <strong>coefficients</strong>:</p>
<p>\begin{align}
\phi &= [\phi_0, \phi_1, \phi_2, \dots, \phi_d]
\end{align}</p>
<p>For example, $\phi = [1, 10, 9]$ is a degree 2 polynomial.
Also, $\phi’ = [1, 10, 9, 0, 0, 0]$ is also a degree 2 polynomial, since the zero coefficients at the end do not count.
But $\phi’’ = [1, 10, 9, 0, 0, 0, 1]$ is a degree 6 polynomial, since the last non-zero coefficient is $\phi_6 = 3$.</p>
<p><em>“A list of numbers? That makes no sense!”</em>
Don’t panic!
You are probably more familiar to polynomials expressed as function of a variable $X$:
\begin{align}
\phi(X) &= \phi_0 + \phi_1\cdot X + \phi_2\cdot X^2 + \cdots + \phi_d\cdot X^d]\\<br />
&= \sum_{i=0}^{d+1} \phi_i X^i
\end{align}</p>
<p>For example, $\phi = [1, 10, 9]$ and $\phi(X) = 9X^2 + 10X + 1$ are one and the same thing.</p>
<p><strong>Note:</strong> The degree is defined as the index $i$ of the last non-zero coefficient: $\deg(\phi)=i$ s.t. $\forall j > i, \phi_j = 0$.</p>
<h2 id="the-basics-of-polynomials">The basics of polynomials</h2>
<h3 id="roots-of-polynomials">Roots of polynomials</h3>
<p>We say $z$ is a <em>root</em> of $\phi(X)$ if $\phi(z) = 0$.
In this case, $\exists q(X)$ such that $\phi(X) = q(X)(X-z)$.</p>
<p>But what if $z$ is also a root $q(X)$?
We can capture this notion as follows: we say $z$ has a <em>multiplicity</em> $k$ if $\exists q’(X)$ such that $\phi(X) = q’(X) (X-z)^k$.</p>
<!-- TODO
### Evaluating polynomials
### Adding and subtracting polynomials
### Multiplying polynomials
-->
<h3 id="the-polynomial-remainder-theorem">The polynomial remainder theorem</h3>
<p>This theorem says that:</p>
<p>\begin{align}
\phi(a) = y\Leftrightarrow \exists q(X), \phi(X) &= q(X)(X-a) + \phi(a)
\end{align}</p>
<p>This property is leveraged by certain cryptosystems<sup id="fnref:kzg-eval-proofs" role="doc-noteref"><a href="#fn:kzg-eval-proofs" class="footnote">1</a></sup>.</p>
<h3 id="dividing-polynomials">Dividing polynomials</h3>
<p>Division of polynomials conceptually resembles division of integers.</p>
<p>Specifically, dividing a polynomial $a(X)$ by $b(X)$ gives a <strong>quotient</strong> $q(X)$ and a <strong>remainder</strong> $r(X)$ such that:</p>
\[a(X) = q(X) b(X) + r(X)\]
<p>Importantly, $\deg{q} = \deg{a} - \deg{b}$ and $\deg{r} < \deg{b}$.</p>
<h3 id="lagrange-interpolation">Lagrange interpolation</h3>
<p hidden="">
$\newcommand{\lagr}{\mathcal{L}}$
</p>
<p>Given $n$ pairs $(x_i, y_i)_{i\in[n]}$, one can compute or <em>interpolate</em> a degree $\le n-1$ polynomial $\phi(X)$ such that:
\(\phi(x_i)=y_i,\forall i\in[n]\)</p>
<p>Specifically, the <em>Lagrange interpolation</em> formula says that:
\begin{align}
\phi(X) &= \sum_{i\in[n]} y_i \cdot \lagr_i(X),\ \text{where}\ \lagr_i(X) = \prod_{j\in[n],j\ne i} \frac{X-x_j}{x_i-x_j}
\end{align}</p>
<p>This formula is intimidating at first, but there’s a very simple intuition behind it.
The key idea is that $\lagr_i(X)$ is defined so that it has two properties:</p>
<ol>
<li>$\lagr_i(x_i) = 1,\forall i\in[n]$</li>
<li>$\lagr_i(x_j) = 0,\forall j \in [n]\setminus{i}$</li>
</ol>
<p>You can actually convince yourself that $\lagr_i(X)$ has these properties by plugging in $x_i$ and $x_j$ to see what happens.</p>
<p class="warning"><strong>Important:</strong> The $\lagr_i(X)$ polynomials are dependent on the set of $x_i$’s only (and thus on $n$)! Specifically each $\lagr_i(X)$ has degree $n-1$ and has a root at each $x_j$ when $j\ne i$!
In this sense, a better notation for them would be $\lagr_i^{[x_i, n]}(X)$ or $\lagr_i^{[n]}(X)$ to indicate this dependence.</p>
<p>Furthermore, consider the following example with $n=3$ pairs.
Then, by the Lagrange formula, we have:</p>
\[\phi(X) = y_1 \lagr_1(X) + y_2 \lagr_2(X) + y_3 \lagr_3(X)\]
<p>Next, by applying the two key properties of $\lagr_i(X)$ from above, you can easily check that $\phi(x_i) = y_i,\forall i\in[3]$:
\begin{align}
\phi(x_1) &= y_1 \lagr_1(x_1) + y_2 \lagr_2(x_1) + y_3 \lagr_3(x_1) = y_1 \cdot 1 + y_2 \cdot 0 + y_3 \cdot 0 = y_1\\<br />
\phi(x_2) &= y_1 \lagr_1(x_2) + y_2 \lagr_2(x_2) + y_3 \lagr_3(x_2) = y_1 \cdot 0 + y_2 \cdot 1 + y_3 \cdot 0 = y_2\\<br />
\phi(x_3) &= y_1 \lagr_1(x_3) + y_2 \lagr_2(x_3) + y_3 \lagr_3(x_3) = y_1 \cdot 0 + y_2 \cdot 0 + y_3 \cdot 1 = y_3
\end{align}</p>
<p>An <strong>important detail</strong> is that the degree of the interpolated $\phi(X)$ is $\le n-1$ and not necessarily exactly equal to $n-1$.
To see this, consider interpolating the polynomial $\phi(X)$ such that $\phi(i) = i$ for all $i\in [n]$.
In other words, $x_i = y_i = i$.</p>
<p>The inspired reader might notice that the polynomial $\phi(X) = X$ could satisfy our constraints.
But is this what the Lagrange interpolation will return?
After all, the interpolated $\phi(X)$ is a sum of degree $n-1$ polynomials $\lagr_i(X)$, so could it have degree 1?
Well, it turns out, yes, because things cancel out.
To see, this take a simple example, with $n=3$:
\begin{align}
\phi(X) &=\sum_{i\in [3]} i \cdot \lagr_i(X) = \sum_{i\in [3]} i \cdot \prod_{j\in[3]\setminus{i}} \frac{X - j}{i - j}\\<br />
&= 1\cdot \frac{X-2}{1-2}\frac{X-3}{1-3} + 2\cdot \frac{X-1}{2-1}\frac{X-3}{2-3} + 3\cdot\frac{X-1}{3-1}\frac{X-2}{3-2}\\<br />
&= \frac{X-2}{-1}\frac{X-3}{-2} + 2\cdot \frac{X-1}{1}\frac{X-3}{-1} + 3\cdot \frac{X-1}{2}\frac{X-2}{1}\\<br />
&= \frac{1}{2}(X-2)(X-3) - 2(X-1)(X-3) + \frac{3}{2}(X-1)(X-2)\\<br />
&= \frac{1}{2}[(X-2)(X-3) + 3(X-1)(X-2)] - 2(X-1)(X-3)\\<br />
&= \frac{1}{2}[(X-2)(4X-6)] - 2(X-1)(X-3)\\<br />
&= (X-2)(2X-3) - 2(X-1)(X-3)\\<br />
&= (2X^2 - 4X - 3X + 6) - 2(X^2 - 4X +3)\\<br />
&= (2X^2 - 7X + 6) - 2X^2 + 8X - 6\\<br />
&= X
\end{align}</p>
<!-- TODO:
# The Discrete Fourier Transform (DFT)
Should have its own article.
# Multipoint evaluations
-->
<div class="footnotes" role="doc-endnotes">
<ol>
<li id="fn:kzg-eval-proofs" role="doc-endnote">
<p>Evaluation proofs in <a href="/2020/05/06/kzg-polynomial-commitments.html#evaluation-proofs">KZG polynomial commitments</a> leverage the polynomial remainder theorem. <a href="#fnref:kzg-eval-proofs" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
</ol>
</div>Alin TomescuA polynomial $\phi$ of degree $d$ is a vector of $d+1$ coefficients: \begin{align} \phi &= [\phi_0, \phi_1, \phi_2, \dots, \phi_d] \end{align} For example, $\phi = [1, 10, 9]$ is a degree 2 polynomial. Also, $\phi’ = [1, 10, 9, 0, 0, 0]$ is also a degree 2 polynomial, since the zero coefficients at the end do not count. But $\phi’’ = [1, 10, 9, 0, 0, 0, 1]$ is a degree 6 polynomial, since the last non-zero coefficient is $\phi_6 = 3$. “A list of numbers? That makes no sense!” Don’t panic! You are probably more familiar to polynomials expressed as function of a variable $X$: \begin{align} \phi(X) &= \phi_0 + \phi_1\cdot X + \phi_2\cdot X^2 + \cdots + \phi_d\cdot X^d]\\ &= \sum_{i=0}^{d+1} \phi_i X^i \end{align} For example, $\phi = [1, 10, 9]$ and $\phi(X) = 9X^2 + 10X + 1$ are one and the same thing. Note: The degree is defined as the index $i$ of the last non-zero coefficient: $\deg(\phi)=i$ s.t. $\forall j > i, \phi_j = 0$. The basics of polynomials Roots of polynomials We say $z$ is a root of $\phi(X)$ if $\phi(z) = 0$. In this case, $\exists q(X)$ such that $\phi(X) = q(X)(X-z)$. But what if $z$ is also a root $q(X)$? We can capture this notion as follows: we say $z$ has a multiplicity $k$ if $\exists q’(X)$ such that $\phi(X) = q’(X) (X-z)^k$. The polynomial remainder theorem This theorem says that: \begin{align} \phi(a) = y\Leftrightarrow \exists q(X), \phi(X) &= q(X)(X-a) + \phi(a) \end{align} This property is leveraged by certain cryptosystems1. Dividing polynomials Division of polynomials conceptually resembles division of integers. Specifically, dividing a polynomial $a(X)$ by $b(X)$ gives a quotient $q(X)$ and a remainder $r(X)$ such that: \[a(X) = q(X) b(X) + r(X)\] Importantly, $\deg{q} = \deg{a} - \deg{b}$ and $\deg{r} < \deg{b}$. Lagrange interpolation $\newcommand{\lagr}{\mathcal{L}}$ Given $n$ pairs $(x_i, y_i)_{i\in[n]}$, one can compute or interpolate a degree $\le n-1$ polynomial $\phi(X)$ such that: \(\phi(x_i)=y_i,\forall i\in[n]\) Specifically, the Lagrange interpolation formula says that: \begin{align} \phi(X) &= \sum_{i\in[n]} y_i \cdot \lagr_i(X),\ \text{where}\ \lagr_i(X) = \prod_{j\in[n],j\ne i} \frac{X-x_j}{x_i-x_j} \end{align} This formula is intimidating at first, but there’s a very simple intuition behind it. The key idea is that $\lagr_i(X)$ is defined so that it has two properties: $\lagr_i(x_i) = 1,\forall i\in[n]$ $\lagr_i(x_j) = 0,\forall j \in [n]\setminus{i}$ You can actually convince yourself that $\lagr_i(X)$ has these properties by plugging in $x_i$ and $x_j$ to see what happens. Important: The $\lagr_i(X)$ polynomials are dependent on the set of $x_i$’s only (and thus on $n$)! Specifically each $\lagr_i(X)$ has degree $n-1$ and has a root at each $x_j$ when $j\ne i$! In this sense, a better notation for them would be $\lagr_i^{[x_i, n]}(X)$ or $\lagr_i^{[n]}(X)$ to indicate this dependence. Furthermore, consider the following example with $n=3$ pairs. Then, by the Lagrange formula, we have: \[\phi(X) = y_1 \lagr_1(X) + y_2 \lagr_2(X) + y_3 \lagr_3(X)\] Next, by applying the two key properties of $\lagr_i(X)$ from above, you can easily check that $\phi(x_i) = y_i,\forall i\in[3]$: \begin{align} \phi(x_1) &= y_1 \lagr_1(x_1) + y_2 \lagr_2(x_1) + y_3 \lagr_3(x_1) = y_1 \cdot 1 + y_2 \cdot 0 + y_3 \cdot 0 = y_1\\ \phi(x_2) &= y_1 \lagr_1(x_2) + y_2 \lagr_2(x_2) + y_3 \lagr_3(x_2) = y_1 \cdot 0 + y_2 \cdot 1 + y_3 \cdot 0 = y_2\\ \phi(x_3) &= y_1 \lagr_1(x_3) + y_2 \lagr_2(x_3) + y_3 \lagr_3(x_3) = y_1 \cdot 0 + y_2 \cdot 0 + y_3 \cdot 1 = y_3 \end{align} An important detail is that the degree of the interpolated $\phi(X)$ is $\le n-1$ and not necessarily exactly equal to $n-1$. To see this, consider interpolating the polynomial $\phi(X)$ such that $\phi(i) = i$ for all $i\in [n]$. In other words, $x_i = y_i = i$. The inspired reader might notice that the polynomial $\phi(X) = X$ could satisfy our constraints. But is this what the Lagrange interpolation will return? After all, the interpolated $\phi(X)$ is a sum of degree $n-1$ polynomials $\lagr_i(X)$, so could it have degree 1? Well, it turns out, yes, because things cancel out. To see, this take a simple example, with $n=3$: \begin{align} \phi(X) &=\sum_{i\in [3]} i \cdot \lagr_i(X) = \sum_{i\in [3]} i \cdot \prod_{j\in[3]\setminus{i}} \frac{X - j}{i - j}\\ &= 1\cdot \frac{X-2}{1-2}\frac{X-3}{1-3} + 2\cdot \frac{X-1}{2-1}\frac{X-3}{2-3} + 3\cdot\frac{X-1}{3-1}\frac{X-2}{3-2}\\ &= \frac{X-2}{-1}\frac{X-3}{-2} + 2\cdot \frac{X-1}{1}\frac{X-3}{-1} + 3\cdot \frac{X-1}{2}\frac{X-2}{1}\\ &= \frac{1}{2}(X-2)(X-3) - 2(X-1)(X-3) + \frac{3}{2}(X-1)(X-2)\\ &= \frac{1}{2}[(X-2)(X-3) + 3(X-1)(X-2)] - 2(X-1)(X-3)\\ &= \frac{1}{2}[(X-2)(4X-6)] - 2(X-1)(X-3)\\ &= (X-2)(2X-3) - 2(X-1)(X-3)\\ &= (2X^2 - 4X - 3X + 6) - 2(X^2 - 4X +3)\\ &= (2X^2 - 7X + 6) - 2X^2 + 8X - 6\\ &= X \end{align} Evaluation proofs in KZG polynomial commitments leverage the polynomial remainder theorem. ↩Towards Scalable Verifiable Secret Sharing and Distributed Key Generation2020-03-12T14:00:00+00:002020-03-12T14:00:00+00:00https://alinush.github.io//2020/03/12/towards-scalable-vss-and-dkg<p class="info"><strong>tl;dr:</strong> We “authenticate” a polynomial multipoint evaluation using Kate-Zaverucha-Goldberg (KZG) commitments.
This gives a new way to precompute $n$ proofs on a degree $t$ polynomial in $\Theta(n\log{t})$ time, rather than $\Theta(nt)$.
<br />
The key trade-off is that our proofs are logarithmic-sized, rather than constant-sized.
Nonetheless, we use our faster proofs to scale <em>Verifiable Secret Sharing (VSS)</em> protocols and <em>distributed key generation (DKG)</em> protocols.
<br />
We also obtain a new <em>Vector Commitment (VC)</em> scheme, which can be used for stateless cryptocurrencies<sup id="fnref:CPZ18" role="doc-noteref"><a href="#fn:CPZ18" class="footnote">1</a></sup>.</p>
<p>In a <a href="/2020/03/12/scalable-bls-threshold-signatures.html">previous post</a>, I described our new techniques for scaling BLS threshold signatures to millions of signers.
However, as pointed out by my friend <a href="http://albertkwon.com">Albert Kwon</a>, once we have such a scalable threshold signature scheme (TSS), a new question arises:</p>
<p><em><center>"Can we efficiently bootstrap a $(t,n)$ threshold signature scheme when $t$ and $n$ are very large?"</center></em></p>
<p>The answer is: use a <em>distributed key generation (DKG)</em><sup id="fnref:GJKR07" role="doc-noteref"><a href="#fn:GJKR07" class="footnote">2</a></sup> protocol.
Unfortunately, DKGs do not scale well.
Their main bottleneck is efficiently computing <em>evaluation proofs</em> in a <em>polynomial commitment scheme</em> such as KZG<sup id="fnref:KZG10a" role="doc-noteref"><a href="#fn:KZG10a" class="footnote">3</a></sup>.
In this post, we’ll introduce new techniques for speeding this up.</p>
<!-- At a high level, a DKG operates as follows:
- All the $n$ _signers_ participate in the protocol,
- (Perform some computations, exchange some private/public information, etc.)
- At the end of the protocol, each signers $i$ obtains its own _secret share_ $s_i$ of the _secret key_ $s$ of the TSS,
- Importantly, the protocol guarantees $s$ is **not** known by any of the signers,
- Furthermore, each signer also obtains $g^s$, which will be the _public key_ of the TSS.
+ Note that all signers implicitly _agree_ on $g^s$ (and thus on $s$, even though they don't know $s$).
-->
<p>As mentioned before, our <strong>full paper</strong><sup id="fnref:TCZplus20" role="doc-noteref"><a href="#fn:TCZplus20" class="footnote">4</a></sup> can be found <a href="/papers/dkg-sp2020.pdf">here</a> and will appear in IEEE S&P’20.
A prototype implementation of our VSS and DKG benchmarks is available on GitHub <a href="https://github.com/alinush/libpolycrypto/">here</a>.</p>
<p hidden="">$$
\def\G{\mathbb{G}}
\def\Zp{\mathbb{Z}_p}
$$</p>
<!-- \overset{\mathrm{def}}{=} -->
<h2 id="preliminaries">Preliminaries</h2>
<p>Let $[n]=\{1,2,3,\dots,n\}$.
Let $p$ be a sufficiently large prime that denotes the order of our groups.</p>
<p>In this post, beyond basic group theory for cryptographers<sup id="fnref:KL15" role="doc-noteref"><a href="#fn:KL15" class="footnote">5</a></sup> and basic polynomial arithmetic, I will assume you are familiar with a few concepts:</p>
<ul>
<li><strong>Bilinear maps</strong><sup id="fnref:GPS08" role="doc-noteref"><a href="#fn:GPS08" class="footnote">6</a></sup>. Specifically, $\exists$ a bilinear map $e : \G_1 \times \G_2 \rightarrow \G_T$ such that:
<ul>
<li>$\forall u\in \G_1,v\in \G_2, a\in \Zp, b\in \Zp, e(u^a, v^b) = e(u,v)^{ab}$</li>
<li>$e(g_1,g_2)\ne 1_T$ where $g_1,g_2$ are the generators of $\G_1$ and $\G_2$ respectively and $1_T$ is the identity of $\G_T$</li>
</ul>
</li>
<li>The <strong>polynomial remainder theorem (PRT)</strong> which says that $\forall z$: $\phi(z) = \phi(X) \bmod (X-z)$,
<ul>
<li>Or, equivalently, $\exists q, \phi(X) = q(X)(X-z) + \phi(z)$.
<ul>
<li>We’ll refer to this as the <em>PRT equation</em></li>
</ul>
</li>
</ul>
</li>
<li><strong>KZG</strong><sup id="fnref:KZG10a:1" role="doc-noteref"><a href="#fn:KZG10a" class="footnote">3</a></sup> <strong>polynomial commitments</strong> (see <a href="/2020/05/06/kzg-polynomial-commitments.html">here</a>). Specifically,
<ul>
<li>To commit to degree $\le \ell$ polynomials, need $\ell$-SDH public parameters $(g,g^\tau,g^{\tau^2},\dots,g^{\tau^\ell}) = (g^{\tau^i})_{i\in[0,\ell]}$,</li>
<li>Commitment to $\phi(X)=\prod_{i\in[0,d]} \phi_i X^i$ is $c=g^{\phi(\tau)}$ computed as $c=\prod_{i\in[0,\deg{\phi}]} \left(g^{\tau^i}\right)^{\phi_i}$,</li>
<li>To prove an evaluation $\phi(a) = b$, a <em>quotient</em> $q(X) = \frac{\phi(X) - b}{X - a}$ is computed and the <em>evaluation proof</em> is $g^{q(\tau)}$.</li>
<li>A verifier who has the commitment $c=g^{\phi(\tau)}$ and the proof $\pi=g^{q(\tau)}$ can verify it using a bilinear map:
<ul>
<li>$e(c / g^b, g) = e(\pi, g^\tau / g^a) \Leftrightarrow$</li>
<li>$e(g^{\phi(\tau)-b}, g) = e(g^{q(\tau)}, g^{\tau-a}) \Leftrightarrow$</li>
<li>$e(g,g)^{\phi(\tau)-b} = e(g,g)^{q(\tau)(\tau-a)}$.</li>
<li>This effectively checks that $q(X) = \frac{\phi(X) - b}{X-a}$ by checking this equality holds for $X=\tau$.</li>
</ul>
</li>
</ul>
</li>
<li>The <strong>Fast Fourier Transform (FFT)</strong><sup id="fnref:CLRS09" role="doc-noteref"><a href="#fn:CLRS09" class="footnote">7</a></sup> applied to polynomials. Specifically,
<ul>
<li>Suppose $\Zp$ admits a primitive <em>root of unity</em> $\omega$ of order $n$ (i.e., $n \mid p-1$)</li>
<li>Let \(H=\{1, \omega, \omega^2, \omega^3, \dots, \omega^{n-1}\}\) denote the set of all $n$ $n$th roots of unity</li>
<li>Then, FFT can be used to efficiently evaluate any polynomial $\phi(X)$ at all $X\in H$ in $\Theta(n\log{n})$ time
<ul>
<li>i.e., compute all \(\{\phi(\omega^{i-1})\}_{i\in[n]}\)</li>
</ul>
</li>
</ul>
</li>
<li><strong>$(t,n)$ Verifiable Secret Sharing (VSS)</strong> via Shamir Secret Sharing. Specifically, we’ll focus on <em>eVSS</em><sup id="fnref:KZG10a:2" role="doc-noteref"><a href="#fn:KZG10a" class="footnote">3</a></sup>:
<ul>
<li>1 <em>dealer</em> with a secret $s$</li>
<li>$n$ <em>players</em></li>
<li>The goal is for dealer to give each player $i$ a <em>share</em> $s_i$ of the secret $s$ such that any subset of $t$ shares can be used to reconstruct $s$</li>
<li>To do this, the dealer:
<ul>
<li>Picks a random degree $t-1$ polynomial $\phi(X)$ such that $\phi(0)=s$</li>
<li>Commits to $\phi(X)$ using KZG and broadcasts commitment $c=g^{\phi(\tau)}$ to all players</li>
<li>Gives each player $i$ its share $s_i = \phi(i)$ together with a KZG proof $\pi_i$ that the share is correct</li>
<li>Each player verifies $\pi_i$ against $c$ and its share $s_i=\phi(i)$</li>
</ul>
</li>
<li>(Leaving out details about the complaint broadcasting round and the reconstruction phase of VSS.)</li>
</ul>
</li>
<li><strong>$(t,n)$ Distributed Key Generation (DKG)</strong> via VSS. Specifically,
<ul>
<li>Just that, at a high level, a DKG protocol involves each one of the $n$ players running a VSS protocol with all the other players.</li>
</ul>
</li>
</ul>
<h3 id="polynomial-multipoint-evaluations">Polynomial multipoint evaluations</h3>
<p>A key ingredient in our work, is a <em>polynomial multipoint evaluation</em><sup id="fnref:vG13ModernCh10" role="doc-noteref"><a href="#fn:vG13ModernCh10" class="footnote">8</a></sup>, or a <em>multipoint eval</em> for short.
This is just an algorithm for efficiently evaluating a degree $t$ polynomial at $n$ points in $\Theta(n\log^2{t})$ time.
In contrast, the naive approach would take $\Theta(nt)$ time.</p>
<p class="info">An FFT is an example of a multipoint eval, where the evaluation points are restricted to be all $n$ $n$th roots of unity.
However, the multipoint eval we’ll describe below works for any set of points.</p>
<p>First, recall that the naive way to evaluate $\phi$ at $n$ points \(\{1,2,\dots,n\}\) is to compute:</p>
\[\phi(i)=\sum_{j=0}^{t} \phi_j \cdot (i^j),\forall i\in[n]\]
<p>Here, $\phi_j$ denotes the $j$th coefficient of $\phi$.</p>
<p>In contrast, in a multipoint eval, we will compute $\phi(i)$ by indirectly (and efficiently) computing $\phi(X) \bmod (X-i)$ which exactly equals $\phi(i)$. (Recall the polynomial remainder theorem from above.)</p>
<p>For example, for $n=4$, we’ll first compute a <em>remainder polynomial</em>:
\begin{align}
\color{red}{r_{1,4}(X)} &= \phi(X) \bmod (X-1)(X-2)\cdots(X-4)
\end{align}</p>
<p>Then, we’ll “recurse”, splitting the $(X-1)(X-2)\cdots(X-4)$ <em>vanishing polynomial</em> into two halves, and dividing the $\color{red}{r_{1,4}}$ remainder by the two halves:
\begin{align}
\color{green}{r_{1,2}(X)} &= \color{red}{r_{1,4}(X)} \bmod (X-1)(X-2)\\<br />
\color{orange}{r_{3,4}(X)} &= \color{red}{r_{1,4}(X)} \bmod (X-3)(X-4)
\end{align}</p>
<p class="info">A key concept in a multipoint eval is that of a <em>vanishing polynomial</em> over a set of points.
This is just a polynomial that has roots at all those points.
For example, $(X-1)(X-2)\cdots(X-4)$ is a vanishing polynomial over \(\{1,2,3,4\}\).</p>
<p>Finally, we’ll compute, for all \(i\in\{1,2,3,4\}\), the actual evaluations $\phi(i)$ as:
\begin{align}
\color{blue}{r_{1,1}(X)} &= \color{green}{r_{1,2}(X)} \bmod (X-1) = \phi(1)\\<br />
\color{blue}{r_{2,2}(X)} &= \color{green}{r_{1,2}(X)} \bmod (X-2) = \phi(2)\\<br />
\color{blue}{r_{3,3}(X)} &= \color{orange}{r_{3,4}(X)} \bmod (X-3) = \phi(3)\\<br />
\color{blue}{r_{4,4}(X)} &= \color{orange}{r_{4,4}(X)} \bmod (X-4) = \phi(4)
\end{align}</p>
<p class="info">You might wonder how come $r_{1,1}(X)=\color{green}{r_{1,2}(X)} \bmod (X-1) = \phi(1)$?
If you expand $r_{1,2}(X)$ you get $r_{1,1}(X) = \left(\left(\phi(X) \bmod (X-1)(X-2)\cdots(X-4)\right) \bmod (X-1)(X-2)\right) \bmod (X-1)$ and this is exactly equal to $\phi(X) \bmod(X-1) = \phi(1)$.</p>
<p>Still, a picture is worth a thousand words, so let’s depict a larger example for evaluating at \(\{1,2,3,\dots,8\}\).
Importantly, we will depict divisions by the vanishing polynomials slightly differently.
Specifically, rather than just focusing on the remainder and write:</p>
\[r(X) = \phi(X) \bmod \prod_i (X-i)\]
<p>…we focus on both the remainder and the <em>quotient polynomial</em> and write:</p>
\[\phi(X) = q(X) \prod_i(X-i) + r(X)\]
<p class="info">Recall from your basic polynomial math that, when dividing a polynomial $a$ by another polynomial $b$, we get a <em>quotient polynomial</em> $q$ and a remainder polynomial $r$ of degree less than $b$ such that $a(X) = q(X) b(X) + r(X)$.</p>
<p>Here’s what a multipoint eval of $\phi(X)$ at \(\{1,\dots,8\}\) looks like:</p>
<!-- ![Multipoint evaluation at 1, 2, ..., 8](/pictures/multipoint-eval-quo-tree.png){: .align-center} -->
<p><a href="/pictures/multipoint-eval-quo-tree.png"><img alt="Multipoint evaluation at 1, 2, ..., 8" src="/pictures/multipoint-eval-quo-tree.png" class="align-center" /></a></p>
<p class="info"><em>You might want to zoom in on the image above, if it’s not sufficiently clear.</em>
Each node $w$ in the multipoint eval tree stores three polynomials: a <em>vanishing polynomial</em> $V_w$ of the form $\prod_i (X-i)$, a <em>quotient</em> $q_w$ and a <em>remainder</em> $r_w$.
If we let $u$ denote node $w$’s parent, then the multipoint evaluation operates very simply:
For every node $w$, divide the parent remainder $r_u$ by $V_w$, obtaining a new remainder $r_w$ and quotient $q_w$.
For the root node, the parent remainder is $\phi(X)$ itself and the vanishing polynomial is $(X-1)\cdots(X-8)$.
Finally, notice that the vanishing polynomials are “split” into left and right “halves” at every node in the tree.</p>
<p>The end result are the remainders $r_{i,i} = \phi(X) \bmod (X-i)$ which are exactly equal to the evaluations $\phi(i)$.</p>
<p class="info">It might might not be immediately obvious but, as $n$ and $t$ get large, this approach saves us a lot of work, taking only $\Theta(n\log^2{t})$ time.
(In contrast, the naive approach takes $\Theta(nt)$ time.)</p>
<p>Hopefully, it should be clear by now that:</p>
<ul>
<li>A multipoint eval is used to <em>efficiently</em> evaluate a polynomial $\phi(X)$ at $n$ points.</li>
<li>It takes $\Theta(n\log^2{t})$ time if $\phi(X)$ has degree $t$.</li>
<li>The key ingredient: repeated divisions by vanishing polynomials at the evaluation points.</li>
<li>These repeated divisions produce a remainder and a quotient polynomial at each node in the tree.</li>
</ul>
<h2 id="authenticated-multipoint-evaluation-trees-amts">Authenticated Multipoint Evaluation Trees (AMTs)</h2>
<p>In the KZG polynomial commitment scheme, computing $n$ evaluation proofs takes $\Theta(nt)$ time.
Here, we will speed this up to $\Theta(n\log{t})$ time <strong>at the cost of increasing proof size from constant to logarithmic</strong>.
Later on, we will use our faster proofs to help scale VSS and DKG protocols computationally, although at the cost of a small increase in communication.</p>
<p>The idea is very simple: we take a multipoint evaluation and <strong>“authenticate”</strong> it by committing (via KZG) to the <em>quotient polynomials</em> in the tree.
An evaluation proof now consists of all the quotient commitments along the path to the evaluation point.</p>
<p>For example, in the figure above, the evaluation proof for $\phi(3)$ would be:</p>
\[\pi_{\lvert X=3} = \left(g^{q_{1,8}(\tau)}, g^{q_{1,4}(\tau)}, g^{q_{3,4}(\tau)}, g^{q_{3,3}(\tau)}\right)\]
<p>We call this construction an <em>authenticated multipoint evaluation tree (AMT)</em>.</p>
<h3 id="verifying-amt-proofs">Verifying AMT proofs</h3>
<p>What about checking a proof?
Recall that, in KZG, the verifier uses the bilinear map to check that the polynomial remainder theorem (PRT) holds:</p>
\[\exists q(X), \phi(X) = q(X)(X-3) + \phi(3)\]
<p>Specifically, the verifier is given a commitment to $q(X)$ and checks that the property above holds at $X=\tau$ where $\tau$ is the $\ell$-SDH trapdoor.</p>
<p>In AMTs, the intuition remains the same, except the verifier will <strong>indirectly</strong> check the PRT holds.
Specifically, for the example above, the verifier will check that, $\exists q_{1,8}(X), q_{1,4}(X), q_{3,4}(X), q_{3,3}(X)$ such that:</p>
<p>\begin{align}
\phi(X) &=q_{1,8}(X)\cdot(X-1)\cdots(X-8) + {}\\<br />
&+ q_{1,4}(X)\cdot(X-1)\cdots(X-4) + {}\\<br />
&+ q_{3,4}(X)\cdot(X-3)(X-4) + {}\\<br />
&+ q_{3,3}(X)\cdot(X-3) + {}\\<br />
&+ \phi(3)
\end{align}</p>
<p>We’ll refer to this as the <em>AMT equation</em>.</p>
<p class="info">You can easily derive the AMT equation if you “expand” $\phi(X)$’s expression starting at the root and going all the way to $\phi(3)$’s leaf in the tree.
\begin{align*}
\phi(X) &= q_{1,8}(X)\cdot(X-1)\cdots(X-8) + r_{1,8}\\<br />
&= q_{1,8}(X)\cdot(X-1)\cdots(X-8) + q_{1,4}(X)\cdot(X-1)\cdots(X-4) + r_{1,4}\\<br />
&= q_{1,8}(X)\cdot(X-1)\cdots(X-8) + q_{1,4}(X)\cdot(X-1)\cdots(X-4) + q_{3,4}(X)\cdot(X-3)(X-4) + r_{3,4}\\<br />
&= \dots
%+ q_{3,3}(X)(X-3) + \phi(3)
\end{align*}</p>
<p>Note that by factoring out $(X-3)$ in the AMT equation, we can obtain the quotient $q(X)$ that satisfies the PRT equation:
\begin{align}
q(X) &=q_{1,8}(X)\cdot\frac{(X-1)\cdots(X-8)}{X-3} + {}\\<br />
&+ q_{1,4}(X)\cdot(X-1)(X-2)(X-4) + {}\\<br />
&+ q_{3,4}(X)\cdot(X-4) + {}\\<br />
&+ q_{3,3}(X)
\end{align}</p>
<p>In other words, the quotient $q(X)$ from the KZG proof is just a linear combination of the quotients from the AMT proof.
This is why checking the AMT equation is equivalent to checking the PRT equation.</p>
<p>In conclusion, to verify the AMT proof for $\phi(3)$, the verifier will use the bilinear map to ensure the AMT equation holds at $X=\tau$:
\begin{align}
e(g^{\phi(\tau)}, g) &= e(g^{q_{1,8}(\tau)}, g^{(\tau-1)\cdots(\tau-8)})\cdot {}\\<br />
&\cdot e(g^{q_{1,4}(\tau)}, g^{(\tau-1)\cdots(\tau-4)})\cdot {}\\<br />
&\cdot e(g^{q_{3,4}(\tau)}, g^{(\tau-3)(\tau-4)})\cdot {}\\<br />
&\cdot e(g^{q_{3,3}(\tau)}, g^{\tau-3})\cdot {}\\<br />
&\cdot e(g^{\phi(3)}, g)
\end{align}</p>
<p class="info">Note that for this, the verifier needs commitments to the vanishing polynomials along the path to $\phi(3)$.
This means the verifer would need $O(n)$ such commitments as part of its public parameters to verify all $n$ proofs.
In the paper<sup id="fnref:TCZplus20:1" role="doc-noteref"><a href="#fn:TCZplus20" class="footnote">4</a></sup>, we address this shortcoming by restricting the evaluation points to be roots of unity.
This makes all vanishing polynomials be of the form $\left(X^{n/{2^i}} + c\right)$ for some constant $c$ and only requires the verifiers to have $O(\log{n})$ public parameters to reconstruct any vanishing polynomial commitment.
It also has the advantage of reducing the multipoint eval time from $\Theta(n\log^2{t})$ to $\Theta(n\log{t})$.</p>
<p>In general, let $P$ denote the nodes along the path to an evaluation point $i$, let $w\in P$ be such a node, and $q_w, V_w$ denote the quotient and vanishing polynomials at node $w$.
Then, to verify an AMT proof for $i$, the verifier will check that:</p>
\[e(g^{\phi(\tau)}, g) = e(g^{\phi(i)}, g) \prod_{w\in P} e(g^{q_w(\tau)}, g^{V_w(\tau)})\]
<p>By now, you should understand that:</p>
<ul>
<li>We can precompute $n$ logarithmic-sized evaluation proofs for a degree $t$ polynomial
<ul>
<li>In $\Theta(n\log^2{t})$ time, for arbitrary evaluation points</li>
<li>In $\Theta(n\log{t})$ time, if the evaluation points are roots of unity</li>
</ul>
</li>
<li>Verifying a proof takes logarithmic time</li>
</ul>
<p class="info">To be precise, the proof size and verification time are both $\Theta(\log{t})$ when $t < n$, which is the case in the VSS/DKG setting.
You can see the paper<sup id="fnref:TCZplus20:2" role="doc-noteref"><a href="#fn:TCZplus20" class="footnote">4</a></sup> for details.</p>
<!--
We will _restrict_ the evaluation points to be the $n$ $n$th roots of unity where $n$ is a power of two, rather than $$\{1,2,\dots,n\}$$.
This will speed up divisions in the multipoint eval and reduce the complexity by a $\log{t}$ factor to $\Theta(n\log{t})$.
Nonetheless, our techniques generalize to $n\ne 2^k$ and to precomputing proofs for any set of $n$ points (although in $\Theta(n\log^2{t})$ time).
-->
<h2 id="applications-of-amts">Applications of AMTs</h2>
<h3 id="vector-commitments-vcs">Vector commitments (VCs)</h3>
<p>By representing a vector $v = [v_0, v_1, v_2, \dots, v_{n-1}]$ as a (univariate) polynomial $\phi(X)$ where $\phi(\omega^i) = v_i$, we can easily obtain a vector commitment scheme similar to the multivariate polynmomial-based one by Chepurnoy et al<sup id="fnref:CPZ18:1" role="doc-noteref"><a href="#fn:CPZ18" class="footnote">1</a></sup>.
Our scheme also supports updating proofs efficiently (see Chapter 9.2.2., pg. 120 in my thesis<sup id="fnref:Tomescu20" role="doc-noteref"><a href="#fn:Tomescu20" class="footnote">9</a></sup> for details).</p>
<h3 id="faster-vss">Faster VSS</h3>
<p>Recall from the preliminaries section that the key bottleneck in eVSS is the dealer having to precompute KZG proofs for all $n$ players.
This takes $\Theta(nt)$ time.
By using AMTs enhanced with roots of unity, we can reduce this time to $O(n\log{t})$.
This has a drastic effect on dealing time and helps scale eVSS to very large numbers of participants.</p>
<p><img src="/pictures/vss-deal-times.png" alt="eVSS versus AMT VSS in terms of dealing time" class="align-center" /></p>
<p class="info">The $x$-axis is $\log_2(t)$ where $t$ is the threshold, which doubles for every tick.
They $y$-axis is the dealing time in seconds.
The graph shows that our AMT-based VSS outscales eVSS for large $t$ and performs better even at the scale of hundreds of players.</p>
<h3 id="faster-dkg">Faster DKG</h3>
<p>Since in a DKG protocol, each player performs a VSS with all the other players, the results from above carry over to DKG protocols too.
In fact, the DKG dealing time (per-player) doesn’t differ much from the VSS dealing time, especially as $t$ gets large.
Thus, the improvement in DKG dealing times is perfectly illustrated by the graph above too.</p>
<p>An important thing to note here is that our AMT proofs have a <em>homomorphic property</em> which is necessary for using them in DKGs.
Specifically, an AMT proof for $\phi(i)$ and another proof for $\psi(i)$ can be combined into a proof for $\left(\phi+\psi\right)(i)$.</p>
<h2 id="caveats">Caveats</h2>
<p>We also want to emphasize several limitations of our work:</p>
<ul>
<li>VSS and DKG protocols seem to inherently require a <em>broadcast channel</em>, which is as hard to scale as any consensus algorithm. We do not address this.</li>
<li>Our results only apply to synchronous VSS and DKG protocols, which make strong assumptions about the broadcast channel.</li>
<li>Our VSS and DKG protocols are not proven to be adaptively secure.</li>
<li>We do not address the large communication overhead of VSS and DKG protocols deployed at large scales.</li>
</ul>
<h2 id="remaining-questions">Remaining questions</h2>
<p>Can we precompute constant-sized, rather than logarithmic-sized, KZG evaluation proofs in quasilinear time?
Recently, Feist and Khovratovich<sup id="fnref:FK20" role="doc-noteref"><a href="#fn:FK20" class="footnote">10</a></sup> showed this is possible if the set of evaluation points are all the $n$ $n$th roots of unity.
Thus, by applying their techniques, we can further speed up computation in VSS and DKG, while maintaining the same communication efficiency.
We hope to implement their techniques and see how much better than AMT VSS we can do.</p>
<p>Our $(t,n)$ VSS/DKG protocols require $t$-SDH public parameters.
Thus, the non-trivial problem of generating $t$-SDH public parameters remains.
In some sense, we make this problem worse because our scalable protocols require a large $t$.
We hope to address this in future work.</p>
<h3 id="references">References</h3>
<div class="footnotes" role="doc-endnotes">
<ol>
<li id="fn:CPZ18" role="doc-endnote">
<p><strong>Edrax: A Cryptocurrency with Stateless Transaction Validation</strong>, by Alexander Chepurnoy and Charalampos Papamanthou and Yupeng Zhang, <em>in Cryptology ePrint Archive, Report 2018/968</em>, 2018 <a href="#fnref:CPZ18" class="reversefootnote" role="doc-backlink">↩</a> <a href="#fnref:CPZ18:1" class="reversefootnote" role="doc-backlink">↩<sup>2</sup></a></p>
</li>
<li id="fn:GJKR07" role="doc-endnote">
<p><strong>Secure Distributed Key Generation for Discrete-Log Based Cryptosystems</strong>, by Gennaro, Rosario and Jarecki, Stanislaw and Krawczyk, Hugo and Rabin, Tal, <em>in Journal of Cryptology</em>, 2007 <a href="#fnref:GJKR07" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:KZG10a" role="doc-endnote">
<p><strong>Constant-Size Commitments to Polynomials and Their Applications</strong>, by Kate, Aniket and Zaverucha, Gregory M. and Goldberg, Ian, <em>in ASIACRYPT ‘10</em>, 2010 <a href="#fnref:KZG10a" class="reversefootnote" role="doc-backlink">↩</a> <a href="#fnref:KZG10a:1" class="reversefootnote" role="doc-backlink">↩<sup>2</sup></a> <a href="#fnref:KZG10a:2" class="reversefootnote" role="doc-backlink">↩<sup>3</sup></a></p>
</li>
<li id="fn:TCZplus20" role="doc-endnote">
<p><strong>Towards Scalable Threshold Cryptosystems</strong>, by Alin Tomescu and Robert Chen and Yiming Zheng and Ittai Abraham and Benny Pinkas and Guy Golan Gueta and Srinivas Devadas, <em>in 2020 IEEE Symposium on Security and Privacy (SP)</em>, 2020, <a href="/papers/dkg-sp2020.pdf">[PDF]</a>. <a href="#fnref:TCZplus20" class="reversefootnote" role="doc-backlink">↩</a> <a href="#fnref:TCZplus20:1" class="reversefootnote" role="doc-backlink">↩<sup>2</sup></a> <a href="#fnref:TCZplus20:2" class="reversefootnote" role="doc-backlink">↩<sup>3</sup></a></p>
</li>
<li id="fn:KL15" role="doc-endnote">
<p><strong>Introduction to Modern Cryptography</strong>, by Jonathan Katz and Yehuda Lindell, 2007 <a href="#fnref:KL15" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:GPS08" role="doc-endnote">
<p><strong>Pairings for cryptographers</strong>, by Steven D. Galbraith and Kenneth G. Paterson and Nigel P. Smart, <em>in Discrete Applied Mathematics</em>, 2008 <a href="#fnref:GPS08" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:CLRS09" role="doc-endnote">
<p><strong>Introduction to Algorithms, Third Edition</strong>, by Cormen, Thomas H. and Leiserson, Charles E. and Rivest, Ronald L. and Stein, Clifford, 2009 <a href="#fnref:CLRS09" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:vG13ModernCh10" role="doc-endnote">
<p><strong>Fast polynomial evaluation and interpolation</strong>, by von zur Gathen, Joachim and Gerhard, Jurgen, <em>in Modern Computer Algebra</em>, 2013 <a href="#fnref:vG13ModernCh10" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:Tomescu20" role="doc-endnote">
<p><strong>How to Keep a Secret and Share a Public Key (Using Polynomial Commitments)</strong>, by Tomescu, Alin, 2020 <a href="#fnref:Tomescu20" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:FK20" role="doc-endnote">
<p><strong>Fast amortized Kate proofs</strong>, by Dankrad Feist and Dmitry Khovratovich, 2020, <a href="https://github.com/khovratovich/Kate/blob/master/Kate_amortized.pdf">[pdf]</a> <a href="#fnref:FK20" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
</ol>
</div>Alin Tomescutl;dr: We “authenticate” a polynomial multipoint evaluation using Kate-Zaverucha-Goldberg (KZG) commitments. This gives a new way to precompute $n$ proofs on a degree $t$ polynomial in $\Theta(n\log{t})$ time, rather than $\Theta(nt)$. The key trade-off is that our proofs are logarithmic-sized, rather than constant-sized. Nonetheless, we use our faster proofs to scale Verifiable Secret Sharing (VSS) protocols and distributed key generation (DKG) protocols. We also obtain a new Vector Commitment (VC) scheme, which can be used for stateless cryptocurrencies1. In a previous post, I described our new techniques for scaling BLS threshold signatures to millions of signers. However, as pointed out by my friend Albert Kwon, once we have such a scalable threshold signature scheme (TSS), a new question arises: "Can we efficiently bootstrap a $(t,n)$ threshold signature scheme when $t$ and $n$ are very large?" The answer is: use a distributed key generation (DKG)2 protocol. Unfortunately, DKGs do not scale well. Their main bottleneck is efficiently computing evaluation proofs in a polynomial commitment scheme such as KZG3. In this post, we’ll introduce new techniques for speeding this up. As mentioned before, our full paper4 can be found here and will appear in IEEE S&P’20. A prototype implementation of our VSS and DKG benchmarks is available on GitHub here. $$ \def\G{\mathbb{G}} \def\Zp{\mathbb{Z}_p} $$ Preliminaries Let $[n]=\{1,2,3,\dots,n\}$. Let $p$ be a sufficiently large prime that denotes the order of our groups. In this post, beyond basic group theory for cryptographers5 and basic polynomial arithmetic, I will assume you are familiar with a few concepts: Bilinear maps6. Specifically, $\exists$ a bilinear map $e : \G_1 \times \G_2 \rightarrow \G_T$ such that: $\forall u\in \G_1,v\in \G_2, a\in \Zp, b\in \Zp, e(u^a, v^b) = e(u,v)^{ab}$ $e(g_1,g_2)\ne 1_T$ where $g_1,g_2$ are the generators of $\G_1$ and $\G_2$ respectively and $1_T$ is the identity of $\G_T$ The polynomial remainder theorem (PRT) which says that $\forall z$: $\phi(z) = \phi(X) \bmod (X-z)$, Or, equivalently, $\exists q, \phi(X) = q(X)(X-z) + \phi(z)$. We’ll refer to this as the PRT equation KZG3 polynomial commitments (see here). Specifically, To commit to degree $\le \ell$ polynomials, need $\ell$-SDH public parameters $(g,g^\tau,g^{\tau^2},\dots,g^{\tau^\ell}) = (g^{\tau^i})_{i\in[0,\ell]}$, Commitment to $\phi(X)=\prod_{i\in[0,d]} \phi_i X^i$ is $c=g^{\phi(\tau)}$ computed as $c=\prod_{i\in[0,\deg{\phi}]} \left(g^{\tau^i}\right)^{\phi_i}$, To prove an evaluation $\phi(a) = b$, a quotient $q(X) = \frac{\phi(X) - b}{X - a}$ is computed and the evaluation proof is $g^{q(\tau)}$. A verifier who has the commitment $c=g^{\phi(\tau)}$ and the proof $\pi=g^{q(\tau)}$ can verify it using a bilinear map: $e(c / g^b, g) = e(\pi, g^\tau / g^a) \Leftrightarrow$ $e(g^{\phi(\tau)-b}, g) = e(g^{q(\tau)}, g^{\tau-a}) \Leftrightarrow$ $e(g,g)^{\phi(\tau)-b} = e(g,g)^{q(\tau)(\tau-a)}$. This effectively checks that $q(X) = \frac{\phi(X) - b}{X-a}$ by checking this equality holds for $X=\tau$. The Fast Fourier Transform (FFT)7 applied to polynomials. Specifically, Suppose $\Zp$ admits a primitive root of unity $\omega$ of order $n$ (i.e., $n \mid p-1$) Let \(H=\{1, \omega, \omega^2, \omega^3, \dots, \omega^{n-1}\}\) denote the set of all $n$ $n$th roots of unity Then, FFT can be used to efficiently evaluate any polynomial $\phi(X)$ at all $X\in H$ in $\Theta(n\log{n})$ time i.e., compute all \(\{\phi(\omega^{i-1})\}_{i\in[n]}\) $(t,n)$ Verifiable Secret Sharing (VSS) via Shamir Secret Sharing. Specifically, we’ll focus on eVSS3: 1 dealer with a secret $s$ $n$ players The goal is for dealer to give each player $i$ a share $s_i$ of the secret $s$ such that any subset of $t$ shares can be used to reconstruct $s$ To do this, the dealer: Picks a random degree $t-1$ polynomial $\phi(X)$ such that $\phi(0)=s$ Commits to $\phi(X)$ using KZG and broadcasts commitment $c=g^{\phi(\tau)}$ to all players Gives each player $i$ its share $s_i = \phi(i)$ together with a KZG proof $\pi_i$ that the share is correct Each player verifies $\pi_i$ against $c$ and its share $s_i=\phi(i)$ (Leaving out details about the complaint broadcasting round and the reconstruction phase of VSS.) $(t,n)$ Distributed Key Generation (DKG) via VSS. Specifically, Just that, at a high level, a DKG protocol involves each one of the $n$ players running a VSS protocol with all the other players. Polynomial multipoint evaluations A key ingredient in our work, is a polynomial multipoint evaluation8, or a multipoint eval for short. This is just an algorithm for efficiently evaluating a degree $t$ polynomial at $n$ points in $\Theta(n\log^2{t})$ time. In contrast, the naive approach would take $\Theta(nt)$ time. An FFT is an example of a multipoint eval, where the evaluation points are restricted to be all $n$ $n$th roots of unity. However, the multipoint eval we’ll describe below works for any set of points. First, recall that the naive way to evaluate $\phi$ at $n$ points \(\{1,2,\dots,n\}\) is to compute: \[\phi(i)=\sum_{j=0}^{t} \phi_j \cdot (i^j),\forall i\in[n]\] Here, $\phi_j$ denotes the $j$th coefficient of $\phi$. In contrast, in a multipoint eval, we will compute $\phi(i)$ by indirectly (and efficiently) computing $\phi(X) \bmod (X-i)$ which exactly equals $\phi(i)$. (Recall the polynomial remainder theorem from above.) For example, for $n=4$, we’ll first compute a remainder polynomial: \begin{align} \color{red}{r_{1,4}(X)} &= \phi(X) \bmod (X-1)(X-2)\cdots(X-4) \end{align} Then, we’ll “recurse”, splitting the $(X-1)(X-2)\cdots(X-4)$ vanishing polynomial into two halves, and dividing the $\color{red}{r_{1,4}}$ remainder by the two halves: \begin{align} \color{green}{r_{1,2}(X)} &= \color{red}{r_{1,4}(X)} \bmod (X-1)(X-2)\\ \color{orange}{r_{3,4}(X)} &= \color{red}{r_{1,4}(X)} \bmod (X-3)(X-4) \end{align} A key concept in a multipoint eval is that of a vanishing polynomial over a set of points. This is just a polynomial that has roots at all those points. For example, $(X-1)(X-2)\cdots(X-4)$ is a vanishing polynomial over \(\{1,2,3,4\}\). Finally, we’ll compute, for all \(i\in\{1,2,3,4\}\), the actual evaluations $\phi(i)$ as: \begin{align} \color{blue}{r_{1,1}(X)} &= \color{green}{r_{1,2}(X)} \bmod (X-1) = \phi(1)\\ \color{blue}{r_{2,2}(X)} &= \color{green}{r_{1,2}(X)} \bmod (X-2) = \phi(2)\\ \color{blue}{r_{3,3}(X)} &= \color{orange}{r_{3,4}(X)} \bmod (X-3) = \phi(3)\\ \color{blue}{r_{4,4}(X)} &= \color{orange}{r_{4,4}(X)} \bmod (X-4) = \phi(4) \end{align} You might wonder how come $r_{1,1}(X)=\color{green}{r_{1,2}(X)} \bmod (X-1) = \phi(1)$? If you expand $r_{1,2}(X)$ you get $r_{1,1}(X) = \left(\left(\phi(X) \bmod (X-1)(X-2)\cdots(X-4)\right) \bmod (X-1)(X-2)\right) \bmod (X-1)$ and this is exactly equal to $\phi(X) \bmod(X-1) = \phi(1)$. Still, a picture is worth a thousand words, so let’s depict a larger example for evaluating at \(\{1,2,3,\dots,8\}\). Importantly, we will depict divisions by the vanishing polynomials slightly differently. Specifically, rather than just focusing on the remainder and write: \[r(X) = \phi(X) \bmod \prod_i (X-i)\] …we focus on both the remainder and the quotient polynomial and write: \[\phi(X) = q(X) \prod_i(X-i) + r(X)\] Recall from your basic polynomial math that, when dividing a polynomial $a$ by another polynomial $b$, we get a quotient polynomial $q$ and a remainder polynomial $r$ of degree less than $b$ such that $a(X) = q(X) b(X) + r(X)$. Here’s what a multipoint eval of $\phi(X)$ at \(\{1,\dots,8\}\) looks like: You might want to zoom in on the image above, if it’s not sufficiently clear. Each node $w$ in the multipoint eval tree stores three polynomials: a vanishing polynomial $V_w$ of the form $\prod_i (X-i)$, a quotient $q_w$ and a remainder $r_w$. If we let $u$ denote node $w$’s parent, then the multipoint evaluation operates very simply: For every node $w$, divide the parent remainder $r_u$ by $V_w$, obtaining a new remainder $r_w$ and quotient $q_w$. For the root node, the parent remainder is $\phi(X)$ itself and the vanishing polynomial is $(X-1)\cdots(X-8)$. Finally, notice that the vanishing polynomials are “split” into left and right “halves” at every node in the tree. The end result are the remainders $r_{i,i} = \phi(X) \bmod (X-i)$ which are exactly equal to the evaluations $\phi(i)$. It might might not be immediately obvious but, as $n$ and $t$ get large, this approach saves us a lot of work, taking only $\Theta(n\log^2{t})$ time. (In contrast, the naive approach takes $\Theta(nt)$ time.) Hopefully, it should be clear by now that: A multipoint eval is used to efficiently evaluate a polynomial $\phi(X)$ at $n$ points. It takes $\Theta(n\log^2{t})$ time if $\phi(X)$ has degree $t$. The key ingredient: repeated divisions by vanishing polynomials at the evaluation points. These repeated divisions produce a remainder and a quotient polynomial at each node in the tree. Authenticated Multipoint Evaluation Trees (AMTs) In the KZG polynomial commitment scheme, computing $n$ evaluation proofs takes $\Theta(nt)$ time. Here, we will speed this up to $\Theta(n\log{t})$ time at the cost of increasing proof size from constant to logarithmic. Later on, we will use our faster proofs to help scale VSS and DKG protocols computationally, although at the cost of a small increase in communication. The idea is very simple: we take a multipoint evaluation and “authenticate” it by committing (via KZG) to the quotient polynomials in the tree. An evaluation proof now consists of all the quotient commitments along the path to the evaluation point. For example, in the figure above, the evaluation proof for $\phi(3)$ would be: \[\pi_{\lvert X=3} = \left(g^{q_{1,8}(\tau)}, g^{q_{1,4}(\tau)}, g^{q_{3,4}(\tau)}, g^{q_{3,3}(\tau)}\right)\] We call this construction an authenticated multipoint evaluation tree (AMT). Verifying AMT proofs What about checking a proof? Recall that, in KZG, the verifier uses the bilinear map to check that the polynomial remainder theorem (PRT) holds: \[\exists q(X), \phi(X) = q(X)(X-3) + \phi(3)\] Specifically, the verifier is given a commitment to $q(X)$ and checks that the property above holds at $X=\tau$ where $\tau$ is the $\ell$-SDH trapdoor. In AMTs, the intuition remains the same, except the verifier will indirectly check the PRT holds. Specifically, for the example above, the verifier will check that, $\exists q_{1,8}(X), q_{1,4}(X), q_{3,4}(X), q_{3,3}(X)$ such that: \begin{align} \phi(X) &=q_{1,8}(X)\cdot(X-1)\cdots(X-8) + {}\\ &+ q_{1,4}(X)\cdot(X-1)\cdots(X-4) + {}\\ &+ q_{3,4}(X)\cdot(X-3)(X-4) + {}\\ &+ q_{3,3}(X)\cdot(X-3) + {}\\ &+ \phi(3) \end{align} We’ll refer to this as the AMT equation. You can easily derive the AMT equation if you “expand” $\phi(X)$’s expression starting at the root and going all the way to $\phi(3)$’s leaf in the tree. \begin{align*} \phi(X) &= q_{1,8}(X)\cdot(X-1)\cdots(X-8) + r_{1,8}\\ &= q_{1,8}(X)\cdot(X-1)\cdots(X-8) + q_{1,4}(X)\cdot(X-1)\cdots(X-4) + r_{1,4}\\ &= q_{1,8}(X)\cdot(X-1)\cdots(X-8) + q_{1,4}(X)\cdot(X-1)\cdots(X-4) + q_{3,4}(X)\cdot(X-3)(X-4) + r_{3,4}\\ &= \dots %+ q_{3,3}(X)(X-3) + \phi(3) \end{align*} Note that by factoring out $(X-3)$ in the AMT equation, we can obtain the quotient $q(X)$ that satisfies the PRT equation: \begin{align} q(X) &=q_{1,8}(X)\cdot\frac{(X-1)\cdots(X-8)}{X-3} + {}\\ &+ q_{1,4}(X)\cdot(X-1)(X-2)(X-4) + {}\\ &+ q_{3,4}(X)\cdot(X-4) + {}\\ &+ q_{3,3}(X) \end{align} In other words, the quotient $q(X)$ from the KZG proof is just a linear combination of the quotients from the AMT proof. This is why checking the AMT equation is equivalent to checking the PRT equation. In conclusion, to verify the AMT proof for $\phi(3)$, the verifier will use the bilinear map to ensure the AMT equation holds at $X=\tau$: \begin{align} e(g^{\phi(\tau)}, g) &= e(g^{q_{1,8}(\tau)}, g^{(\tau-1)\cdots(\tau-8)})\cdot {}\\ &\cdot e(g^{q_{1,4}(\tau)}, g^{(\tau-1)\cdots(\tau-4)})\cdot {}\\ &\cdot e(g^{q_{3,4}(\tau)}, g^{(\tau-3)(\tau-4)})\cdot {}\\ &\cdot e(g^{q_{3,3}(\tau)}, g^{\tau-3})\cdot {}\\ &\cdot e(g^{\phi(3)}, g) \end{align} Note that for this, the verifier needs commitments to the vanishing polynomials along the path to $\phi(3)$. This means the verifer would need $O(n)$ such commitments as part of its public parameters to verify all $n$ proofs. In the paper4, we address this shortcoming by restricting the evaluation points to be roots of unity. This makes all vanishing polynomials be of the form $\left(X^{n/{2^i}} + c\right)$ for some constant $c$ and only requires the verifiers to have $O(\log{n})$ public parameters to reconstruct any vanishing polynomial commitment. It also has the advantage of reducing the multipoint eval time from $\Theta(n\log^2{t})$ to $\Theta(n\log{t})$. In general, let $P$ denote the nodes along the path to an evaluation point $i$, let $w\in P$ be such a node, and $q_w, V_w$ denote the quotient and vanishing polynomials at node $w$. Then, to verify an AMT proof for $i$, the verifier will check that: \[e(g^{\phi(\tau)}, g) = e(g^{\phi(i)}, g) \prod_{w\in P} e(g^{q_w(\tau)}, g^{V_w(\tau)})\] By now, you should understand that: We can precompute $n$ logarithmic-sized evaluation proofs for a degree $t$ polynomial In $\Theta(n\log^2{t})$ time, for arbitrary evaluation points In $\Theta(n\log{t})$ time, if the evaluation points are roots of unity Verifying a proof takes logarithmic time To be precise, the proof size and verification time are both $\Theta(\log{t})$ when $t < n$, which is the case in the VSS/DKG setting. You can see the paper4 for details. Applications of AMTs Vector commitments (VCs) By representing a vector $v = [v_0, v_1, v_2, \dots, v_{n-1}]$ as a (univariate) polynomial $\phi(X)$ where $\phi(\omega^i) = v_i$, we can easily obtain a vector commitment scheme similar to the multivariate polynmomial-based one by Chepurnoy et al1. Our scheme also supports updating proofs efficiently (see Chapter 9.2.2., pg. 120 in my thesis9 for details). Faster VSS Recall from the preliminaries section that the key bottleneck in eVSS is the dealer having to precompute KZG proofs for all $n$ players. This takes $\Theta(nt)$ time. By using AMTs enhanced with roots of unity, we can reduce this time to $O(n\log{t})$. This has a drastic effect on dealing time and helps scale eVSS to very large numbers of participants. The $x$-axis is $\log_2(t)$ where $t$ is the threshold, which doubles for every tick. They $y$-axis is the dealing time in seconds. The graph shows that our AMT-based VSS outscales eVSS for large $t$ and performs better even at the scale of hundreds of players. Faster DKG Since in a DKG protocol, each player performs a VSS with all the other players, the results from above carry over to DKG protocols too. In fact, the DKG dealing time (per-player) doesn’t differ much from the VSS dealing time, especially as $t$ gets large. Thus, the improvement in DKG dealing times is perfectly illustrated by the graph above too. An important thing to note here is that our AMT proofs have a homomorphic property which is necessary for using them in DKGs. Specifically, an AMT proof for $\phi(i)$ and another proof for $\psi(i)$ can be combined into a proof for $\left(\phi+\psi\right)(i)$. Caveats We also want to emphasize several limitations of our work: VSS and DKG protocols seem to inherently require a broadcast channel, which is as hard to scale as any consensus algorithm. We do not address this. Our results only apply to synchronous VSS and DKG protocols, which make strong assumptions about the broadcast channel. Our VSS and DKG protocols are not proven to be adaptively secure. We do not address the large communication overhead of VSS and DKG protocols deployed at large scales. Remaining questions Can we precompute constant-sized, rather than logarithmic-sized, KZG evaluation proofs in quasilinear time? Recently, Feist and Khovratovich10 showed this is possible if the set of evaluation points are all the $n$ $n$th roots of unity. Thus, by applying their techniques, we can further speed up computation in VSS and DKG, while maintaining the same communication efficiency. We hope to implement their techniques and see how much better than AMT VSS we can do. Our $(t,n)$ VSS/DKG protocols require $t$-SDH public parameters. Thus, the non-trivial problem of generating $t$-SDH public parameters remains. In some sense, we make this problem worse because our scalable protocols require a large $t$. We hope to address this in future work. References Edrax: A Cryptocurrency with Stateless Transaction Validation, by Alexander Chepurnoy and Charalampos Papamanthou and Yupeng Zhang, in Cryptology ePrint Archive, Report 2018/968, 2018 ↩ ↩2 Secure Distributed Key Generation for Discrete-Log Based Cryptosystems, by Gennaro, Rosario and Jarecki, Stanislaw and Krawczyk, Hugo and Rabin, Tal, in Journal of Cryptology, 2007 ↩ Constant-Size Commitments to Polynomials and Their Applications, by Kate, Aniket and Zaverucha, Gregory M. and Goldberg, Ian, in ASIACRYPT ‘10, 2010 ↩ ↩2 ↩3 Towards Scalable Threshold Cryptosystems, by Alin Tomescu and Robert Chen and Yiming Zheng and Ittai Abraham and Benny Pinkas and Guy Golan Gueta and Srinivas Devadas, in 2020 IEEE Symposium on Security and Privacy (SP), 2020, [PDF]. ↩ ↩2 ↩3 Introduction to Modern Cryptography, by Jonathan Katz and Yehuda Lindell, 2007 ↩ Pairings for cryptographers, by Steven D. Galbraith and Kenneth G. Paterson and Nigel P. Smart, in Discrete Applied Mathematics, 2008 ↩ Introduction to Algorithms, Third Edition, by Cormen, Thomas H. and Leiserson, Charles E. and Rivest, Ronald L. and Stein, Clifford, 2009 ↩ Fast polynomial evaluation and interpolation, by von zur Gathen, Joachim and Gerhard, Jurgen, in Modern Computer Algebra, 2013 ↩ How to Keep a Secret and Share a Public Key (Using Polynomial Commitments), by Tomescu, Alin, 2020 ↩ Fast amortized Kate proofs, by Dankrad Feist and Dmitry Khovratovich, 2020, [pdf] ↩Fast and Scalable BLS Threshold Signatures2020-03-12T00:00:00+00:002020-03-12T00:00:00+00:00https://alinush.github.io//2020/03/12/scalable-bls-threshold-signatures<p class="info"><strong>tl;dr:</strong> We use $O(t\log^2{t})$-time algorithms to interpolate secrets “in the exponent.”
This makes aggregating $(t,n)$ BLS threshold signatures much faster, both at small and large scales.</p>
<p>The question of scaling threshold signatures came to us at <a href="https://research.vmware.com">VMware Research</a> after we finished working on SBFT<sup id="fnref:GAGplus19" role="doc-noteref"><a href="#fn:GAGplus19" class="footnote">1</a></sup>, a scalable Byzantine Fault Tolerance (BFT) protocol that uses BLS threshold signatures<sup id="fnref:BLS04" role="doc-noteref"><a href="#fn:BLS04" class="footnote">2</a></sup>.</p>
<p>We recently published our work<sup id="fnref:TCZplus20" role="doc-noteref"><a href="#fn:TCZplus20" class="footnote">3</a></sup> in <a href="https://www.ieee-security.org/TC/SP2020/">IEEE S&P’20</a>.
Our work also address how to scale the necessary <em>distributed key generation (DKG)</em> protocol needed to bootstrap a BLS threshold signature scheme.
We present these results in <a href="2020/03/12/towards-scalable-vss-and-dkg.html">another post</a>.</p>
<p>A <strong>prototype implementation</strong> is available on GitHub <a href="https://github.com/alinush/libpolycrypto/">here</a>.</p>
<p hidden="">$$
\def\G{\mathbb{G}}
\def\Zp{\mathbb{Z}_p}
\def\Ell{\mathcal{L}}
$$</p>
<h2 id="preliminaries">Preliminaries</h2>
<p>Let $[n]=\{1,2,3,\dots,n\}$.
Let $p$ be a sufficiently large prime that denotes the order of our groups.</p>
<p>In this post, beyond basic group theory for cryptographers<sup id="fnref:KL15" role="doc-noteref"><a href="#fn:KL15" class="footnote">4</a></sup>, I will assume you are familiar with a few concepts:</p>
<ul>
<li><strong>Bilinear maps</strong><sup id="fnref:GPS08" role="doc-noteref"><a href="#fn:GPS08" class="footnote">5</a></sup>. Specifically, $\exists$ a bilinear map $e : \G_1 \times \G_2 \rightarrow \G_T$ such that:
<ul>
<li>$\forall u\in \G_1,v\in \G_2, a\in \Zp, b\in \Zp, e(u^a, v^b) = e(u,v)^{ab}$</li>
<li>$e(g_1,g_2)\ne 1_T$ where $g_1,g_2$ are the generators of $\G_1$ and $\G_2$ respectively and $1_T$ is the identity of $\G_T$</li>
</ul>
</li>
<li><strong>BLS signatures</strong><sup id="fnref:BLS04:1" role="doc-noteref"><a href="#fn:BLS04" class="footnote">2</a></sup>. Specifically,
<ul>
<li>Let $H : \{0,1\}^* \rightarrow \G_1$ be a collision-resistant hash-function (CRHF)</li>
<li>The <em>secret key</em> is $s\in_R \Zp$ and the <em>public key</em> is $g_2^s\in \G_2$</li>
<li>$\sigma = H(m)^s \in \G_1$ is a signature on $m$ under secret key $s$</li>
<li>To verify a signature, one checks if $e(H(m), g_2^s) = e(\sigma, g_2)$</li>
</ul>
</li>
<li>$(t,n)$ <strong>BLS threshold signatures</strong><sup id="fnref:Boldyreva03" role="doc-noteref"><a href="#fn:Boldyreva03" class="footnote">6</a></sup>. Specifically,
<ul>
<li><em>Shamir secret sharing</em><sup id="fnref:Shamir79" role="doc-noteref"><a href="#fn:Shamir79" class="footnote">7</a></sup> of secret key $s$</li>
<li>i.e., $s = \phi(0)$ where $\phi(X)\in \Zp[X]$ is random, degree $t-1$ polynomial</li>
<li><em>Signer</em> $i\in\{1,2,\dots, n\}$ gets his <em>secret key share</em> $s_i = \phi(i)$ and <em>verification key</em> $g^{s_i}$</li>
<li>Nobody knows $s$, so cannot <em>directly</em> produce a signature $H(m)^s$ on $m$</li>
<li>Instead, $t$ or more signers have to co-operate to produce a signature</li>
<li>Each signer $i$ computes a <em>signature share</em> or <em>sigshare</em> $\sigma_i = H(m)^{s_i}$</li>
<li>Then, an <em>aggregator</em>:
<ul>
<li>Collects as many $\sigma_i$’s as possible</li>
<li>Verifies each $\sigma_i$ under its signer’s verification key: Is $e(H(m),g_2^{s_i}) = e(\sigma_i, g_2)$?</li>
<li>…and thus identifies $t$ valid sigshares</li>
<li>Aggregates the signature $\sigma = H(m)^s$ via “interpolation in the exponent” from the $t$ valid sigshares (see next section).</li>
</ul>
</li>
</ul>
</li>
</ul>
<h3 id="basics-of-polynomial-interpolation">Basics of polynomial interpolation</h3>
<p>A good source for this is Berrut and Trefethen<sup id="fnref:BT04" role="doc-noteref"><a href="#fn:BT04" class="footnote">8</a></sup>.</p>
<p>Let $\phi \in \Zp[X]$ be a polynomial of degree $t-1$.
Suppose there are $n$ evaluations $(i, \phi(i))_{i\in [n]}$ “out there” and we have $t$ out of these $n$ evaluations.
Specifically, let $(j, \phi(j))_{j \in T}$ denote this subset, where $T\subset [n]$ and $|T|=t$.</p>
<p>How can we recover or <em>interpolate</em> $\phi(X)$ from these $t$ evaluations?</p>
<p>We can use <em>Lagrange’s formula</em>, which says:</p>
<p>\begin{align}
\phi(X) &= \sum_{j\in T} \Ell_j^T(X) \phi(j)\label{eq:lagrange-sum}
\end{align}</p>
<p>The $\Ell_j^T(X)$’s are called <em>Lagrange polynomials</em> and are defined as:</p>
<p>\begin{align}
\Ell_j^T(X) &= \prod_{\substack{k\in T\\k\ne j}} \frac{X - k}{j - k}\label{eq:lagrange-poly}
\end{align}</p>
<p>The key property of these polynomials is that $\forall j\in T, \Ell_j^T(j) = 1$ and $\forall i\in T, i\ne j,\Ell_j^T(i) = 0$.</p>
<p class="info">We are artificially restricting ourselves to evaluations of $\phi$ at points $\{1,2,\dots,n\}$ since this is the setting that arises in BLS threshold signatures.
However, these protocols work for any set of points $(x_i, \phi(x_i))_{i\in [n]}$.
For example, as we’ll see later, it can be useful to replace the signer IDs $\{1,2,\dots,n\}$ with roots of unity $\{\omega^0, \omega^1, \dots, \omega^{n-1}\}$.</p>
<h2 id="faster-bls-threshold-signatures">Faster BLS threshold signatures</h2>
<p>As explained before, aggregating a $(t,n)$ threshold signature such as BLS, requires interpolating the secret key $s$ “in the exponent.”
This is typically done naively in $\Theta(t^2)$ time.</p>
<p>In our paper<sup id="fnref:TCZplus20:1" role="doc-noteref"><a href="#fn:TCZplus20" class="footnote">3</a></sup>, we adapt well-known, fast polynomial interpolation algorithms<sup id="fnref:vG13ModernCh10" role="doc-noteref"><a href="#fn:vG13ModernCh10" class="footnote">9</a></sup> to do this in $O(t\log^2{t})$ time.
This not only scales BLS threshold signature aggregation to millions of signers, but also speeds up aggregation at smaller scales of hundreds of signers.</p>
<p>First, I’ll describe the naive, quadratic-time algorithm for aggregation.
Then, I’ll introduce the quasilinear-time algorithm, adapted for the “in the exponent” setting.</p>
<h3 id="quadratic-time-bls-threshold-signature-aggregation">Quadratic-time BLS threshold signature aggregation</h3>
<p>Having identified $t$ valid signature shares $\sigma_j = H(m)^{s_j}, j\in T$, the aggregator will recover $s=\phi(0)$ but do so “in the exponent”, by recovering $H(m)^{\phi(0)}=H(m)^s$.</p>
<p>For this, the aggregator computes all the $\Ell_j^T(0)$’s by computing Equation $\ref{eq:lagrange-poly}$ at $X=0$:</p>
\[\Ell_j^T(0) = \prod_{\substack{k\in T\\\\k\ne j}} \frac{0 - k}{j - k} = \prod_{\substack{k\in T\\\\k\ne j}} \frac{k}{k - j}\]
<p class="error">Computing a single $\Ell_j^T(0)$ can be done in $\Theta(t)$ time by simply carrying out the operations above in the field $\Zp$.
<em>However</em>, we need to compute <em>all</em> of them: $\Ell_j^T(0), \forall j \in T$, which takes $\Theta(t^2)$ time.
We will describe how to reduce this time in the next subsection.</p>
<p>The final step consists of several exponentiations in $\G_1$, which actually computes the secret key $s$ in the exponent, as per Equation \ref{eq:lagrange-sum} at $X=0$:</p>
<p>\begin{align}
\prod_{j\in T} \sigma_j^{\Ell_j^T(0)} &= \prod_{j\in T} \left(H(m)^{s_j}\right)^{\Ell_j^T(0)}\\<br />
&= \prod_{j\in T} H(m)^{\Ell_j^T(0) s_j}\\<br />
&= H(m)^{\sum_{j\in T}{\Ell_j^T(0) s_j}}\\<br />
&= H(m)^{\sum_{j\in T}{\Ell_j^T(0) \phi(j)}}\\<br />
&= H(m)^{\phi(0)} = H(m)^s = \sigma
\end{align}</p>
<p>This last step takes $\Theta(t)$ time and is sped up in practice using multi-exponentiation techniques.</p>
<p>This naive algorithm works quite well, especially at small scales, but the performance deteriorates fast, as computing the $\Ell_j^T(0)$’s becomes very expensive.
The figure below depicts this trend.</p>
<p><img src="/pictures/bls-thresh-naive.png" alt="Naive aggregation time for BLS threshold signatures" class="align-center" /></p>
<p class="info">The $x$-axis is $\log_2(t)$ where $t$ is the threshold, which doubles for every tick.
The $y$-axis is the time to aggregate a $(t, 2t-1)$ BLS threshold signature in <em>seconds</em>.
This consists of (1) the time to compute the Lagrange coefficients and (2) the time to compute the multi-exponentiation.
As you can see, for $t=2^{11}=2048$, the time to aggregate is less than 1 second.</p>
<p>The BLS threshold signature aggregation code was implemented using <a href="https://github.com/scipr-lab/libff">libff</a> and <a href="https://github.com/scipr-lab/libfqfft">libfqfft</a> and is available on GitHub <a href="https://github.com/alinush/libpolycrypto/">here</a>.
We used various optimizations using roots-of-unity to speed up this naive implementation.</p>
<h3 id="our-quasilinear-time-bls-threshold-signature-aggregation">Our quasilinear-time BLS threshold signature aggregation</h3>
<p>This is going to get a bit mathematical, so hold on tight.
Everything explained here is just a slight modification of the fast polynomial interpolation techniques explained in “Modern Computer Algebra”<sup id="fnref:vG13ModernCh10:1" role="doc-noteref"><a href="#fn:vG13ModernCh10" class="footnote">9</a></sup>.</p>
<p>We’ll refer to $\Ell_j^T(0)$ as a <em>Lagrange coefficient</em>: this is just the Lagrange polynomial from Equation \ref{eq:lagrange-poly} evaluated at $X=0$.
Recall that the aggregator must compute all $t=|T|$ Lagrange coefficients.</p>
<h4 id="step-1-numerators-and-denominators-of-lagrange-coefficients">Step 1: Numerators and denominators of Lagrange coefficients</h4>
<p>Notice that each Lagrange coefficient can be rewritten as a <em>numerator</em> divided by a <em>denominator</em>.
All $t$ numerators can be computed very fast in $\Theta(t)$ time, but the denominators will be a bit more challenging.</p>
<p>First, we define a <em>vanishing polynomial</em> $V_T(X)$ that has roots at all $X\in T$:
\begin{align}
V_T(X) = \prod_{j\in T} (X - j)
\end{align}</p>
<p>Similarly, let $V_{T\setminus\{j\}}(X)$ have roots at all $X\in T\setminus\{j\}$:
\begin{align}
V_{T\setminus\{j\}}(X) =\prod_{\substack{k\in T\\k\ne j}} (X - k)=V_T(X)/(X - j)
\end{align}</p>
<p>Second, we rewrite the Lagrange polynomials using these vanishing polynomials.
\begin{align}
\Ell_j^T(X) &= \prod_{\substack{k\in T\\k\ne j}} \frac{X - k}{j - k}\\<br />
&= \frac{\prod_{\substack{k\in T\\k\ne j}}(X - k)}{\prod_{\substack{k\in T\\k\ne j}}(j - k)}\\<br />
&= \frac{V_{T\setminus\{j\}}(X)}{V_{T\setminus\{j\}}(j)}
\end{align}</p>
<p>As a result, we can rewrite the Lagrange <em>coefficients</em> as:
\begin{align}
\Ell_j^T(0) &= \frac{V_{T\setminus\{j\}}(0)}{V_{T\setminus\{j\}}(j)}
\end{align}</p>
<p>Finally, we note that computing <em>all</em> numerators $V_{T\setminus\{j\}}(0)=V_T(0)/(0-j)$ can be done in $\Theta(t)$ time by:</p>
<ol>
<li>
<p>Computing $V_T(0)$ in $\Theta(t)$ time</p>
</li>
<li>
<p>Dividing it by $-j$ for all $j\in T$, also in $\Theta(t)$ time</p>
</li>
</ol>
<h4 id="step-2-computing-all-denominators-leftrightarrow-evaluate-some-polynomial-at-t-points">Step 2: Computing all denominators $\Leftrightarrow$ evaluate some polynomial at $t$ points</h4>
<p>(It is a bit more difficult to) notice that the denominator $V_{T\setminus\{j\}}(j)$ equals exactly $V_T’(j)$, where $V_T’$ is the derivative of $V_T$.
This means that we can compute <em>all</em> denominators by evaluating $V_T’$ at all $j\in T$.
We will explain later how we can do this evaluation very efficiently.</p>
<p>First, let us see what $V_T’(X)$ looks like.
Here, it’s helpful to take an example.
Say $T = \{1,3,9\}$ (i.e., the aggregator identified 3 valid sigshares from players 1, 3 and 9), which means $V_T(X)=(X-1)(X-3)(x-9)$.</p>
<p>If we apply the product rule of differentiation, we get:
\begin{align}
V_T’(x) &= \big[(x-1)(x-3)\big]'(x-9) + \big[(x-1)(x-3)\big](x-9)’\\<br />
&= \big[(x-1)’(x-3) + (x-1)(x-3)’\big](x-9) + (x-1)(x-3)\\<br />
&= \big[(x-3)+(x-1)\big](x-9) + (x-1)(x-3)\\<br />
&= (x-3)(x-9) + (x-1)(x-9) + (x-1)(x-3)\\<br />
&= V_{T\setminus\{1\}}(x) + V_{T\setminus\{3\}}(x) + V_{T\setminus\{9\}}(x)
\end{align}</p>
<p>In general, for any set $T$ of signers, it is the case that:
\begin{align}
V_T’(X) = \sum_{k \in T} V_{T\setminus\{k\}}(X)
\end{align}</p>
<p class="info">We leave proving this as an exercise.
The example above should give you enough intuition for why this holds.</p>
<p>Second, notice that $V_T’(j) = V_{T\setminus\{j\}}(j)$ does appear to hold for this example where $T=\{1,3,9\}$:
\begin{align}
V_T’(1) &= (1-3)(1-9) + 0 + 0 = V_{T\setminus\{1\}}(1)\\<br />
V_T’(3) &= 0 + (3-1)(3-9) + 0 = V_{T\setminus\{3\}}(1)\\<br />
V_T’(9) &= 0 + 0 + (9-1)(9-3) + 0 = V_{T\setminus\{9\}}(1)
\end{align}</p>
<p>We can easily prove this holds for any set $T$ of signers:
\begin{align}
V_T’(j) &= \sum_{k \in T} V_{T\setminus\{k\}}(j)\\<br />
&= V_{T\setminus\{j\}}(j) + \sum_{k \in T\setminus\{j\}} V_{T\setminus\{k\}}(j)\label{eq:vtprimeofj}\\<br />
&= V_{T\setminus\{j\}}(j) + \sum_{k \in T\setminus\{j\}} 0\label{eq:vtprimeofj-zero}\\\
&= V_{T\setminus\{j\}}(j)
\end{align}</p>
<p>In other words, this means the denominator of the $j$th Lagrange coefficient $\Ell_j^T(0)$ exactly equals $V_T’(j)$, as we promised in the beginning.</p>
<p class="info">If you missed the transition from Equation \ref{eq:vtprimeofj} to Equation \ref{eq:vtprimeofj-zero} recall that $V_{T\setminus\{k\}}(X)$ is zero for all $X$ in $T$ <strong>except for</strong> $k$.
Thus, since $j \in T$ and $j\ne k$, we have $V_{T\setminus\{k\}}(j) = 0$.</p>
<h4 id="step-3-evaluating-v_tx-fast-at-all-xin-t">Step 3: Evaluating $V_T’(X)$ <em>fast</em> at all $X\in T$</h4>
<p>The road so far (to fast BLS threshold signature aggregation):</p>
<ul>
<li>Compute all numerators in $O(t)$ time</li>
<li>Compute the vanishing polynomial $V_T(X)$ in $O(t\log^2{t})$ time. How?
<ul>
<li>Build a tree!</li>
<li>Each leaf stores a <em>monomial</em> $(X-j)$, for all $j\in T$</li>
<li>The parent of two nodes stores the product of their children’s polynomials</li>
<li>As a result, the root will store $V_T(X)$</li>
<li>(See an example figure below for $T=\{2,4,5,8,9,13,16,20\}$.)</li>
</ul>
</li>
<li>Compute its derivative $V_T’(X)$ in $O(t)$ time. How?
<ul>
<li>Rewrite $V_T(X)$ in <em>coefficient form</em> as $V_T(X) = \sum_{i=0}^{|T|} c_i X^i$</li>
<li>Then, $V_T’(X) = \sum_{i=1}^{|T|} i \cdot c_i \cdot X^{i-1}$</li>
</ul>
</li>
<li>Evaluate $V_T’(X)$ at all points in $T$. <strong>Let’s see how!</strong></li>
</ul>
<p><img src="/pictures/vanishing-poly-tree.png" alt="Computing a vanishing polynomial recursively" class="align-center" /></p>
<p class="info">Here we are computing $V_T(X)$ when $T=\{2,4,5,8,9,13,16,20\}$.
At each node in the tree, the two children’s polynomials are being multiplied.
Multiplication can be done fast in $O(d\log{d})$ time using the Fast Fourier Transform (FFT)<sup id="fnref:CLRS09" role="doc-noteref"><a href="#fn:CLRS09" class="footnote">10</a></sup>, where $d$ is the degree of the children polynomials.</p>
<h5 id="evaluate-v_tx-using-a-polynomial-multipoint-evaluation">Evaluate $V_T’(X)$ using a polynomial multipoint evaluation</h5>
<p>We want to evaluate $V_T’(X)$ of degree $t-1$ at $t$ points: i.e., at all $j\in T$.
If we do this naively, one evaluation takes $\Theta(t)$ time and thus all evaluations take $\Theta(t^2)$ time.
Fortunately, a $\Theta(t\log^2{t})$ algorithm exists and is called a <em>polynomial multipoint evaluation</em><sup id="fnref:vG13ModernCh10:2" role="doc-noteref"><a href="#fn:vG13ModernCh10" class="footnote">9</a></sup>, or a <em>multipoint eval</em> for short.</p>
<p>To understand how a multipoint eval works, first you must understand two things:</p>
<ol>
<li>The <strong>polynomial remainder theorem</strong>, which says $\forall$ polynomials $\phi$ and $\forall j$, $\phi(j) = \phi(X) \bmod (X-j)$, where $\bmod$ is the remainder of the division $\phi(X) / (X-j)$.
<ul>
<li>We’ll refer to these operations as “modular reductions.”</li>
</ul>
</li>
<li>Recursion!</li>
</ol>
<p>A multipoint eval computes $\phi(j)$ by <em>recursively</em> computing $\phi(X) \bmod (X-j)$ in an efficient manner.
Since a picture is worth a thousands words, please take a look at the figure below, which depicts a multipoint eval of $\phi$ at $T=\{1,2,\dots,8\}$.</p>
<p><img src="/pictures/multipoint-eval-tree.png" alt="A multipoint evaluation at 1, 2, ..., 8" class="align-center" /></p>
<p class="info">Each node $w$ in the multipoint eval tree stores two polynomials: a vanishing polynomial $V_w$ and a remainder $r_w$.
If we let $u$ denote node $w$’s parent, then the multipoint evaluation operates as follows:
For every node $w$, compute $r_w = r_u \bmod V_w$.
(In the tree, this is depicted more simply using a “$\text{mod}\ V_w$” at each node $w$.)
To start the recursive computation, the root node $\varepsilon$ has $r_\varepsilon=\phi(X)\bmod (X-1)(X-2)\cdots(X-8)$.
The other important rule is for every node $w$, the children of node $w$ will store the “left” and “right” halves of $V_w$.
This helps split the problem into two halves and halves the degree of the remainders at each level.</p>
<p>Each path in the tree corresponds to a sequence of modular reductions applied to $\phi$, ultimately leading to an evaluation $\phi(j)$.
For example, the red path to $\bmod (X-3)$ gives the evaluation $\phi(3)$ and corresponds to the following sequence of modular reductions:</p>
\[\big(\left[\left(\phi(X) \bmod (X-1)\dots(X-8)\right)\bmod(X-1)\dots(X-4)\right]\bmod(X-3)(X-4)\big)\bmod(X-3)\]
<p class="info">My explanation here is in many ways inadequate.
Although the figure should be of some help, you should see “Modern Computer Algebra”, Chapter 10<sup id="fnref:vG13ModernCh10:3" role="doc-noteref"><a href="#fn:vG13ModernCh10" class="footnote">9</a></sup> and our paper<sup id="fnref:TCZplus20:2" role="doc-noteref"><a href="#fn:TCZplus20" class="footnote">3</a></sup> for more background on polynomial multipoint evaluations.</p>
<p>By reasoning about the degrees of the polynomials involved in the tree, one can show that at most $O(t\log{t})$ work is being done at each level in the multipoint eval tree.
Since there are roughly $\log{t}$ levels, this means the multipoint eval only takes $O(t\log^2{t})$ time.</p>
<p>In practice, a multipoint eval requires implementing fast polynomial division using FFT.
Next, we explain how to avoid this and get a considerable speed-up.</p>
<h5 id="evaluate-v_tx-using-the-fast-fourier-transform-fft">Evaluate $V_T’(X)$ using the Fast Fourier Transform (FFT)</h5>
<p>If we pick the signer IDs to be roots of unity rather than $\{1,2,\dots,n\}$, we can evaluate $V_T’(X)$ fast in $\Theta(n\log{n})$ time with a single <em>Fast Fourier Transform (FFT)</em>.
For example, let $\omega$ be a primitive $N$th root of unity (where $N$ is the smallest power of 2 that is $\ge n$).
Then, signer $i$ could have ID $\omega^{i-1}$ rather than $i$.
This would slightly change the definitions of the Lagrange polynomials and the vanishing polynomials too:
they would be of the form $\prod_{j\in T}(X-\omega_N^{j-1})$ rather than $\prod_{j\in T}(X - j)$.</p>
<p>This is actually the route we take in our paper<sup id="fnref:TCZplus20:3" role="doc-noteref"><a href="#fn:TCZplus20" class="footnote">3</a></sup>, since a single FFT will be much faster than a polynomial multipoint evaluation which requires multiple polynomial divisions, which in turn require multiple FFTs.
You can see the performance boost and scalability gained in the figure below.</p>
<p><img src="/pictures/bls-thresh-eff.png" alt="Fast aggregation time for BLS threshold signatures" class="align-center" /></p>
<p class="info">The $x$-axis is $\log_2(t)$ where $t$ is the threshold, which doubles for every tick.
The $y$-axis is the time to aggregate, <strong>using the quasilinear-time Lagrange algorithm</strong>, a $(t, 2t-1)$ BLS threshold signature in <em>seconds</em>.
As you can see, for $t=2^{11}=2048$, the time to aggregate decreases from 1 second to 0.1 seconds.
We also scale better: in 1 second we can aggregate a signature with $t=2^{14}\approx 16,000$.
Furthermore, we get a performance boost even at scales as small as $t=128$.</p>
<p>Again, the code is available on GitHub <a href="https://github.com/alinush/libpolycrypto/">here</a>.</p>
<h2 id="ending-notes">Ending notes</h2>
<p>We showed how existing algorithms for polynomial interpolation can (and should) be used to speed up and scale BLS threshold signatures.
In fact, these techniques can be applied to any threshold cryptosystem whose secret lies in a prime-order finite field with support for roots of unity.</p>
<h3 id="references">References</h3>
<div class="footnotes" role="doc-endnotes">
<ol>
<li id="fn:GAGplus19" role="doc-endnote">
<p><strong>SBFT: A Scalable and Decentralized Trust Infrastructure</strong>, by G. Golan Gueta and I. Abraham and S. Grossman and D. Malkhi and B. Pinkas and M. Reiter and D. Seredinschi and O. Tamir and A. Tomescu, <em>in 2019 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)</em>, 2019, <a href="https://arxiv.org/pdf/1804.01626.pdf">[PDF]</a>. <a href="#fnref:GAGplus19" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:BLS04" role="doc-endnote">
<p><strong>Short Signatures from the Weil Pairing</strong>, by Boneh, Dan and Lynn, Ben and Shacham, Hovav, <em>in Journal of Cryptology</em>, 2004 <a href="#fnref:BLS04" class="reversefootnote" role="doc-backlink">↩</a> <a href="#fnref:BLS04:1" class="reversefootnote" role="doc-backlink">↩<sup>2</sup></a></p>
</li>
<li id="fn:TCZplus20" role="doc-endnote">
<p><strong>Towards Scalable Threshold Cryptosystems</strong>, by Alin Tomescu and Robert Chen and Yiming Zheng and Ittai Abraham and Benny Pinkas and Guy Golan Gueta and Srinivas Devadas, <em>in 2020 IEEE Symposium on Security and Privacy (SP)</em>, 2020, <a href="/papers/dkg-sp2020.pdf">[PDF]</a>. <a href="#fnref:TCZplus20" class="reversefootnote" role="doc-backlink">↩</a> <a href="#fnref:TCZplus20:1" class="reversefootnote" role="doc-backlink">↩<sup>2</sup></a> <a href="#fnref:TCZplus20:2" class="reversefootnote" role="doc-backlink">↩<sup>3</sup></a> <a href="#fnref:TCZplus20:3" class="reversefootnote" role="doc-backlink">↩<sup>4</sup></a></p>
</li>
<li id="fn:KL15" role="doc-endnote">
<p><strong>Introduction to Modern Cryptography</strong>, by Jonathan Katz and Yehuda Lindell, 2007 <a href="#fnref:KL15" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:GPS08" role="doc-endnote">
<p><strong>Pairings for cryptographers</strong>, by Steven D. Galbraith and Kenneth G. Paterson and Nigel P. Smart, <em>in Discrete Applied Mathematics</em>, 2008 <a href="#fnref:GPS08" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:Boldyreva03" role="doc-endnote">
<p><strong>Threshold Signatures, Multisignatures and Blind Signatures Based on the Gap-Diffie-Hellman-Group Signature Scheme</strong>, by Boldyreva, Alexandra, <em>in PKC 2003</em>, 2002 <a href="#fnref:Boldyreva03" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:Shamir79" role="doc-endnote">
<p><strong>How to Share a Secret</strong>, by Shamir, Adi, <em>in Commun. ACM</em>, 1979 <a href="#fnref:Shamir79" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:BT04" role="doc-endnote">
<p><strong>Barycentric Lagrange Interpolation</strong>, by Berrut, J. and Trefethen, L., <em>in SIAM Review</em>, 2004 <a href="#fnref:BT04" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:vG13ModernCh10" role="doc-endnote">
<p><strong>Fast polynomial evaluation and interpolation</strong>, by von zur Gathen, Joachim and Gerhard, Jurgen, <em>in Modern Computer Algebra</em>, 2013 <a href="#fnref:vG13ModernCh10" class="reversefootnote" role="doc-backlink">↩</a> <a href="#fnref:vG13ModernCh10:1" class="reversefootnote" role="doc-backlink">↩<sup>2</sup></a> <a href="#fnref:vG13ModernCh10:2" class="reversefootnote" role="doc-backlink">↩<sup>3</sup></a> <a href="#fnref:vG13ModernCh10:3" class="reversefootnote" role="doc-backlink">↩<sup>4</sup></a></p>
</li>
<li id="fn:CLRS09" role="doc-endnote">
<p><strong>Introduction to Algorithms, Third Edition</strong>, by Cormen, Thomas H. and Leiserson, Charles E. and Rivest, Ronald L. and Stein, Clifford, 2009 <a href="#fnref:CLRS09" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
</ol>
</div>Alin Tomescutl;dr: We use $O(t\log^2{t})$-time algorithms to interpolate secrets “in the exponent.” This makes aggregating $(t,n)$ BLS threshold signatures much faster, both at small and large scales. The question of scaling threshold signatures came to us at VMware Research after we finished working on SBFT1, a scalable Byzantine Fault Tolerance (BFT) protocol that uses BLS threshold signatures2. We recently published our work3 in IEEE S&P’20. Our work also address how to scale the necessary distributed key generation (DKG) protocol needed to bootstrap a BLS threshold signature scheme. We present these results in another post. A prototype implementation is available on GitHub here. $$ \def\G{\mathbb{G}} \def\Zp{\mathbb{Z}_p} \def\Ell{\mathcal{L}} $$ Preliminaries Let $[n]=\{1,2,3,\dots,n\}$. Let $p$ be a sufficiently large prime that denotes the order of our groups. In this post, beyond basic group theory for cryptographers4, I will assume you are familiar with a few concepts: Bilinear maps5. Specifically, $\exists$ a bilinear map $e : \G_1 \times \G_2 \rightarrow \G_T$ such that: $\forall u\in \G_1,v\in \G_2, a\in \Zp, b\in \Zp, e(u^a, v^b) = e(u,v)^{ab}$ $e(g_1,g_2)\ne 1_T$ where $g_1,g_2$ are the generators of $\G_1$ and $\G_2$ respectively and $1_T$ is the identity of $\G_T$ BLS signatures2. Specifically, Let $H : \{0,1\}^* \rightarrow \G_1$ be a collision-resistant hash-function (CRHF) The secret key is $s\in_R \Zp$ and the public key is $g_2^s\in \G_2$ $\sigma = H(m)^s \in \G_1$ is a signature on $m$ under secret key $s$ To verify a signature, one checks if $e(H(m), g_2^s) = e(\sigma, g_2)$ $(t,n)$ BLS threshold signatures6. Specifically, Shamir secret sharing7 of secret key $s$ i.e., $s = \phi(0)$ where $\phi(X)\in \Zp[X]$ is random, degree $t-1$ polynomial Signer $i\in\{1,2,\dots, n\}$ gets his secret key share $s_i = \phi(i)$ and verification key $g^{s_i}$ Nobody knows $s$, so cannot directly produce a signature $H(m)^s$ on $m$ Instead, $t$ or more signers have to co-operate to produce a signature Each signer $i$ computes a signature share or sigshare $\sigma_i = H(m)^{s_i}$ Then, an aggregator: Collects as many $\sigma_i$’s as possible Verifies each $\sigma_i$ under its signer’s verification key: Is $e(H(m),g_2^{s_i}) = e(\sigma_i, g_2)$? …and thus identifies $t$ valid sigshares Aggregates the signature $\sigma = H(m)^s$ via “interpolation in the exponent” from the $t$ valid sigshares (see next section). Basics of polynomial interpolation A good source for this is Berrut and Trefethen8. Let $\phi \in \Zp[X]$ be a polynomial of degree $t-1$. Suppose there are $n$ evaluations $(i, \phi(i))_{i\in [n]}$ “out there” and we have $t$ out of these $n$ evaluations. Specifically, let $(j, \phi(j))_{j \in T}$ denote this subset, where $T\subset [n]$ and $|T|=t$. How can we recover or interpolate $\phi(X)$ from these $t$ evaluations? We can use Lagrange’s formula, which says: \begin{align} \phi(X) &= \sum_{j\in T} \Ell_j^T(X) \phi(j)\label{eq:lagrange-sum} \end{align} The $\Ell_j^T(X)$’s are called Lagrange polynomials and are defined as: \begin{align} \Ell_j^T(X) &= \prod_{\substack{k\in T\\k\ne j}} \frac{X - k}{j - k}\label{eq:lagrange-poly} \end{align} The key property of these polynomials is that $\forall j\in T, \Ell_j^T(j) = 1$ and $\forall i\in T, i\ne j,\Ell_j^T(i) = 0$. We are artificially restricting ourselves to evaluations of $\phi$ at points $\{1,2,\dots,n\}$ since this is the setting that arises in BLS threshold signatures. However, these protocols work for any set of points $(x_i, \phi(x_i))_{i\in [n]}$. For example, as we’ll see later, it can be useful to replace the signer IDs $\{1,2,\dots,n\}$ with roots of unity $\{\omega^0, \omega^1, \dots, \omega^{n-1}\}$. Faster BLS threshold signatures As explained before, aggregating a $(t,n)$ threshold signature such as BLS, requires interpolating the secret key $s$ “in the exponent.” This is typically done naively in $\Theta(t^2)$ time. In our paper3, we adapt well-known, fast polynomial interpolation algorithms9 to do this in $O(t\log^2{t})$ time. This not only scales BLS threshold signature aggregation to millions of signers, but also speeds up aggregation at smaller scales of hundreds of signers. First, I’ll describe the naive, quadratic-time algorithm for aggregation. Then, I’ll introduce the quasilinear-time algorithm, adapted for the “in the exponent” setting. Quadratic-time BLS threshold signature aggregation Having identified $t$ valid signature shares $\sigma_j = H(m)^{s_j}, j\in T$, the aggregator will recover $s=\phi(0)$ but do so “in the exponent”, by recovering $H(m)^{\phi(0)}=H(m)^s$. For this, the aggregator computes all the $\Ell_j^T(0)$’s by computing Equation $\ref{eq:lagrange-poly}$ at $X=0$: \[\Ell_j^T(0) = \prod_{\substack{k\in T\\\\k\ne j}} \frac{0 - k}{j - k} = \prod_{\substack{k\in T\\\\k\ne j}} \frac{k}{k - j}\] Computing a single $\Ell_j^T(0)$ can be done in $\Theta(t)$ time by simply carrying out the operations above in the field $\Zp$. However, we need to compute all of them: $\Ell_j^T(0), \forall j \in T$, which takes $\Theta(t^2)$ time. We will describe how to reduce this time in the next subsection. The final step consists of several exponentiations in $\G_1$, which actually computes the secret key $s$ in the exponent, as per Equation \ref{eq:lagrange-sum} at $X=0$: \begin{align} \prod_{j\in T} \sigma_j^{\Ell_j^T(0)} &= \prod_{j\in T} \left(H(m)^{s_j}\right)^{\Ell_j^T(0)}\\ &= \prod_{j\in T} H(m)^{\Ell_j^T(0) s_j}\\ &= H(m)^{\sum_{j\in T}{\Ell_j^T(0) s_j}}\\ &= H(m)^{\sum_{j\in T}{\Ell_j^T(0) \phi(j)}}\\ &= H(m)^{\phi(0)} = H(m)^s = \sigma \end{align} This last step takes $\Theta(t)$ time and is sped up in practice using multi-exponentiation techniques. This naive algorithm works quite well, especially at small scales, but the performance deteriorates fast, as computing the $\Ell_j^T(0)$’s becomes very expensive. The figure below depicts this trend. The $x$-axis is $\log_2(t)$ where $t$ is the threshold, which doubles for every tick. The $y$-axis is the time to aggregate a $(t, 2t-1)$ BLS threshold signature in seconds. This consists of (1) the time to compute the Lagrange coefficients and (2) the time to compute the multi-exponentiation. As you can see, for $t=2^{11}=2048$, the time to aggregate is less than 1 second. The BLS threshold signature aggregation code was implemented using libff and libfqfft and is available on GitHub here. We used various optimizations using roots-of-unity to speed up this naive implementation. Our quasilinear-time BLS threshold signature aggregation This is going to get a bit mathematical, so hold on tight. Everything explained here is just a slight modification of the fast polynomial interpolation techniques explained in “Modern Computer Algebra”9. We’ll refer to $\Ell_j^T(0)$ as a Lagrange coefficient: this is just the Lagrange polynomial from Equation \ref{eq:lagrange-poly} evaluated at $X=0$. Recall that the aggregator must compute all $t=|T|$ Lagrange coefficients. Step 1: Numerators and denominators of Lagrange coefficients Notice that each Lagrange coefficient can be rewritten as a numerator divided by a denominator. All $t$ numerators can be computed very fast in $\Theta(t)$ time, but the denominators will be a bit more challenging. First, we define a vanishing polynomial $V_T(X)$ that has roots at all $X\in T$: \begin{align} V_T(X) = \prod_{j\in T} (X - j) \end{align} Similarly, let $V_{T\setminus\{j\}}(X)$ have roots at all $X\in T\setminus\{j\}$: \begin{align} V_{T\setminus\{j\}}(X) =\prod_{\substack{k\in T\\k\ne j}} (X - k)=V_T(X)/(X - j) \end{align} Second, we rewrite the Lagrange polynomials using these vanishing polynomials. \begin{align} \Ell_j^T(X) &= \prod_{\substack{k\in T\\k\ne j}} \frac{X - k}{j - k}\\ &= \frac{\prod_{\substack{k\in T\\k\ne j}}(X - k)}{\prod_{\substack{k\in T\\k\ne j}}(j - k)}\\ &= \frac{V_{T\setminus\{j\}}(X)}{V_{T\setminus\{j\}}(j)} \end{align} As a result, we can rewrite the Lagrange coefficients as: \begin{align} \Ell_j^T(0) &= \frac{V_{T\setminus\{j\}}(0)}{V_{T\setminus\{j\}}(j)} \end{align} Finally, we note that computing all numerators $V_{T\setminus\{j\}}(0)=V_T(0)/(0-j)$ can be done in $\Theta(t)$ time by: Computing $V_T(0)$ in $\Theta(t)$ time Dividing it by $-j$ for all $j\in T$, also in $\Theta(t)$ time Step 2: Computing all denominators $\Leftrightarrow$ evaluate some polynomial at $t$ points (It is a bit more difficult to) notice that the denominator $V_{T\setminus\{j\}}(j)$ equals exactly $V_T’(j)$, where $V_T’$ is the derivative of $V_T$. This means that we can compute all denominators by evaluating $V_T’$ at all $j\in T$. We will explain later how we can do this evaluation very efficiently. First, let us see what $V_T’(X)$ looks like. Here, it’s helpful to take an example. Say $T = \{1,3,9\}$ (i.e., the aggregator identified 3 valid sigshares from players 1, 3 and 9), which means $V_T(X)=(X-1)(X-3)(x-9)$. If we apply the product rule of differentiation, we get: \begin{align} V_T’(x) &= \big[(x-1)(x-3)\big]'(x-9) + \big[(x-1)(x-3)\big](x-9)’\\ &= \big[(x-1)’(x-3) + (x-1)(x-3)’\big](x-9) + (x-1)(x-3)\\ &= \big[(x-3)+(x-1)\big](x-9) + (x-1)(x-3)\\ &= (x-3)(x-9) + (x-1)(x-9) + (x-1)(x-3)\\ &= V_{T\setminus\{1\}}(x) + V_{T\setminus\{3\}}(x) + V_{T\setminus\{9\}}(x) \end{align} In general, for any set $T$ of signers, it is the case that: \begin{align} V_T’(X) = \sum_{k \in T} V_{T\setminus\{k\}}(X) \end{align} We leave proving this as an exercise. The example above should give you enough intuition for why this holds. Second, notice that $V_T’(j) = V_{T\setminus\{j\}}(j)$ does appear to hold for this example where $T=\{1,3,9\}$: \begin{align} V_T’(1) &= (1-3)(1-9) + 0 + 0 = V_{T\setminus\{1\}}(1)\\ V_T’(3) &= 0 + (3-1)(3-9) + 0 = V_{T\setminus\{3\}}(1)\\ V_T’(9) &= 0 + 0 + (9-1)(9-3) + 0 = V_{T\setminus\{9\}}(1) \end{align} We can easily prove this holds for any set $T$ of signers: \begin{align} V_T’(j) &= \sum_{k \in T} V_{T\setminus\{k\}}(j)\\ &= V_{T\setminus\{j\}}(j) + \sum_{k \in T\setminus\{j\}} V_{T\setminus\{k\}}(j)\label{eq:vtprimeofj}\\ &= V_{T\setminus\{j\}}(j) + \sum_{k \in T\setminus\{j\}} 0\label{eq:vtprimeofj-zero}\\\ &= V_{T\setminus\{j\}}(j) \end{align} In other words, this means the denominator of the $j$th Lagrange coefficient $\Ell_j^T(0)$ exactly equals $V_T’(j)$, as we promised in the beginning. If you missed the transition from Equation \ref{eq:vtprimeofj} to Equation \ref{eq:vtprimeofj-zero} recall that $V_{T\setminus\{k\}}(X)$ is zero for all $X$ in $T$ except for $k$. Thus, since $j \in T$ and $j\ne k$, we have $V_{T\setminus\{k\}}(j) = 0$. Step 3: Evaluating $V_T’(X)$ fast at all $X\in T$ The road so far (to fast BLS threshold signature aggregation): Compute all numerators in $O(t)$ time Compute the vanishing polynomial $V_T(X)$ in $O(t\log^2{t})$ time. How? Build a tree! Each leaf stores a monomial $(X-j)$, for all $j\in T$ The parent of two nodes stores the product of their children’s polynomials As a result, the root will store $V_T(X)$ (See an example figure below for $T=\{2,4,5,8,9,13,16,20\}$.) Compute its derivative $V_T’(X)$ in $O(t)$ time. How? Rewrite $V_T(X)$ in coefficient form as $V_T(X) = \sum_{i=0}^{|T|} c_i X^i$ Then, $V_T’(X) = \sum_{i=1}^{|T|} i \cdot c_i \cdot X^{i-1}$ Evaluate $V_T’(X)$ at all points in $T$. Let’s see how! Here we are computing $V_T(X)$ when $T=\{2,4,5,8,9,13,16,20\}$. At each node in the tree, the two children’s polynomials are being multiplied. Multiplication can be done fast in $O(d\log{d})$ time using the Fast Fourier Transform (FFT)10, where $d$ is the degree of the children polynomials. Evaluate $V_T’(X)$ using a polynomial multipoint evaluation We want to evaluate $V_T’(X)$ of degree $t-1$ at $t$ points: i.e., at all $j\in T$. If we do this naively, one evaluation takes $\Theta(t)$ time and thus all evaluations take $\Theta(t^2)$ time. Fortunately, a $\Theta(t\log^2{t})$ algorithm exists and is called a polynomial multipoint evaluation9, or a multipoint eval for short. To understand how a multipoint eval works, first you must understand two things: The polynomial remainder theorem, which says $\forall$ polynomials $\phi$ and $\forall j$, $\phi(j) = \phi(X) \bmod (X-j)$, where $\bmod$ is the remainder of the division $\phi(X) / (X-j)$. We’ll refer to these operations as “modular reductions.” Recursion! A multipoint eval computes $\phi(j)$ by recursively computing $\phi(X) \bmod (X-j)$ in an efficient manner. Since a picture is worth a thousands words, please take a look at the figure below, which depicts a multipoint eval of $\phi$ at $T=\{1,2,\dots,8\}$. Each node $w$ in the multipoint eval tree stores two polynomials: a vanishing polynomial $V_w$ and a remainder $r_w$. If we let $u$ denote node $w$’s parent, then the multipoint evaluation operates as follows: For every node $w$, compute $r_w = r_u \bmod V_w$. (In the tree, this is depicted more simply using a “$\text{mod}\ V_w$” at each node $w$.) To start the recursive computation, the root node $\varepsilon$ has $r_\varepsilon=\phi(X)\bmod (X-1)(X-2)\cdots(X-8)$. The other important rule is for every node $w$, the children of node $w$ will store the “left” and “right” halves of $V_w$. This helps split the problem into two halves and halves the degree of the remainders at each level. Each path in the tree corresponds to a sequence of modular reductions applied to $\phi$, ultimately leading to an evaluation $\phi(j)$. For example, the red path to $\bmod (X-3)$ gives the evaluation $\phi(3)$ and corresponds to the following sequence of modular reductions: \[\big(\left[\left(\phi(X) \bmod (X-1)\dots(X-8)\right)\bmod(X-1)\dots(X-4)\right]\bmod(X-3)(X-4)\big)\bmod(X-3)\] My explanation here is in many ways inadequate. Although the figure should be of some help, you should see “Modern Computer Algebra”, Chapter 109 and our paper3 for more background on polynomial multipoint evaluations. By reasoning about the degrees of the polynomials involved in the tree, one can show that at most $O(t\log{t})$ work is being done at each level in the multipoint eval tree. Since there are roughly $\log{t}$ levels, this means the multipoint eval only takes $O(t\log^2{t})$ time. In practice, a multipoint eval requires implementing fast polynomial division using FFT. Next, we explain how to avoid this and get a considerable speed-up. Evaluate $V_T’(X)$ using the Fast Fourier Transform (FFT) If we pick the signer IDs to be roots of unity rather than $\{1,2,\dots,n\}$, we can evaluate $V_T’(X)$ fast in $\Theta(n\log{n})$ time with a single Fast Fourier Transform (FFT). For example, let $\omega$ be a primitive $N$th root of unity (where $N$ is the smallest power of 2 that is $\ge n$). Then, signer $i$ could have ID $\omega^{i-1}$ rather than $i$. This would slightly change the definitions of the Lagrange polynomials and the vanishing polynomials too: they would be of the form $\prod_{j\in T}(X-\omega_N^{j-1})$ rather than $\prod_{j\in T}(X - j)$. This is actually the route we take in our paper3, since a single FFT will be much faster than a polynomial multipoint evaluation which requires multiple polynomial divisions, which in turn require multiple FFTs. You can see the performance boost and scalability gained in the figure below. The $x$-axis is $\log_2(t)$ where $t$ is the threshold, which doubles for every tick. The $y$-axis is the time to aggregate, using the quasilinear-time Lagrange algorithm, a $(t, 2t-1)$ BLS threshold signature in seconds. As you can see, for $t=2^{11}=2048$, the time to aggregate decreases from 1 second to 0.1 seconds. We also scale better: in 1 second we can aggregate a signature with $t=2^{14}\approx 16,000$. Furthermore, we get a performance boost even at scales as small as $t=128$. Again, the code is available on GitHub here. Ending notes We showed how existing algorithms for polynomial interpolation can (and should) be used to speed up and scale BLS threshold signatures. In fact, these techniques can be applied to any threshold cryptosystem whose secret lies in a prime-order finite field with support for roots of unity. References SBFT: A Scalable and Decentralized Trust Infrastructure, by G. Golan Gueta and I. Abraham and S. Grossman and D. Malkhi and B. Pinkas and M. Reiter and D. Seredinschi and O. Tamir and A. Tomescu, in 2019 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 2019, [PDF]. ↩ Short Signatures from the Weil Pairing, by Boneh, Dan and Lynn, Ben and Shacham, Hovav, in Journal of Cryptology, 2004 ↩ ↩2 Towards Scalable Threshold Cryptosystems, by Alin Tomescu and Robert Chen and Yiming Zheng and Ittai Abraham and Benny Pinkas and Guy Golan Gueta and Srinivas Devadas, in 2020 IEEE Symposium on Security and Privacy (SP), 2020, [PDF]. ↩ ↩2 ↩3 ↩4 Introduction to Modern Cryptography, by Jonathan Katz and Yehuda Lindell, 2007 ↩ Pairings for cryptographers, by Steven D. Galbraith and Kenneth G. Paterson and Nigel P. Smart, in Discrete Applied Mathematics, 2008 ↩ Threshold Signatures, Multisignatures and Blind Signatures Based on the Gap-Diffie-Hellman-Group Signature Scheme, by Boldyreva, Alexandra, in PKC 2003, 2002 ↩ How to Share a Secret, by Shamir, Adi, in Commun. ACM, 1979 ↩ Barycentric Lagrange Interpolation, by Berrut, J. and Trefethen, L., in SIAM Review, 2004 ↩ Fast polynomial evaluation and interpolation, by von zur Gathen, Joachim and Gerhard, Jurgen, in Modern Computer Algebra, 2013 ↩ ↩2 ↩3 ↩4 Introduction to Algorithms, Third Edition, by Cormen, Thomas H. and Leiserson, Charles E. and Rivest, Ronald L. and Stein, Clifford, 2009 ↩Range Proofs from Polynomial Commitments, Re-explained2020-03-03T00:00:00+00:002020-03-03T00:00:00+00:00https://alinush.github.io//2020/03/03/range-proofs-from-polynomial-commitments-reexplained<p class="info">This is a re-exposition of a <a href="https://hackmd.io/@dabo/B1U4kx8XI">post</a> by Dan Boneh, Ben Fisch, Ariel Gabizon on how to obtain a constant-sized range proof from constant-sized polynomial commitments.</p>
<p>This post was moved to <a href="https://decentralizedthoughts.github.io/2020-03-03-range-proofs-from-polynomial-commitments-reexplained/">Decentralized Thoughts</a>.</p>Alin TomescuThis is a re-exposition of a post by Dan Boneh, Ben Fisch, Ariel Gabizon on how to obtain a constant-sized range proof from constant-sized polynomial commitments. This post was moved to Decentralized Thoughts.“Ego is the enemy”, by Ryan Holiday2020-01-23T09:37:00+00:002020-01-23T09:37:00+00:00https://alinush.github.io//2020/01/23/ego-is-the-enemy<p>This is <a href="https://www.amazon.com/gp/product/1591847818">Ryan Holiday’s “Ego is the enemy”</a> in bullet-point form.</p>
<p>These are the ideas I found interesting from the book, without the excellent stories used to back them.
For those, you’ll have to <a href="https://www.amazon.com/gp/product/1591847818">buy the book</a>.
I changed some of the excerpts from 2nd person to 1st person, so they resonate more.
I kept the same table of contents as in the book, except I changed some of the chapter titles.</p>
<blockquote>
<p>It’s in everyone’s head.<br />
And they trust him,<br />
Because they think they are him.</p>
<p>It’s beautiful man… <br />
You have to admire the opponent’s elegance.</p>
<p><em>(Revolver, 2005)</em></p>
</blockquote>
<h2 id="intro">Intro</h2>
<ul>
<li>A prescription: <em>humility</em>.</li>
<li>Return to the humility and work-ethic it took me to get here.</li>
<li>I might not ever be straight, but I can strive for <em>straighter</em>.</li>
<li>Think less of myself.
<ul>
<li>Be less invested in the story I tell myself (or others) about my own specialness.</li>
<li>Then, be liberated to do what I want to do.</li>
</ul>
</li>
<li><strong>Definition (Ego):</strong>
<ul>
<li>An excessive focus on glorious outcomes instead of the sweat-ridden work.</li>
<li>Being dangerously focused on myself:
<ul>
<li>How do I look?</li>
<li>How much money will I make?</li>
<li>How high do I stack up in the “intellectual hierarchy?”</li>
</ul>
</li>
<li>An unhealthy belief in my own importance.</li>
<li>Arrogance.</li>
<li>Self-centered ambition.</li>
<li>Need to be “better than”, “more than”, “recognized for,” beyond any reasonable utility.</li>
<li>Sense of superiority and certainty that exceeds the bounds of confidence and talent.</li>
<li>“I am God’s gift to humanity.”</li>
</ul>
</li>
</ul>
<p>Be humble in your aspirations, gracious in your success and resilient in your failures.</p>
<h2 id="aspire">Aspire</h2>
<h3 id="too-much-talk">Too much talk</h3>
<ul>
<li>My weak, egotistical side says <em>“I want to get as much public credit and attention as I can for doing the least possible.”</em></li>
<li>I seem to think being silent is a sign of weakness.
<ul>
<li>That being ignored is tantamount to death (and for the ego this is true).</li>
</ul>
</li>
<li>Talk depletes us.
<ul>
<li>Talking and doing fight for the same resources.</li>
<li>The only relation between work and chatter is that one kills the other.</li>
</ul>
</li>
<li>Goal visualisation is important, but our mind can start to confuse it with actual progress.</li>
<li>That feeling that others out there, in public, enjoying the limelight, are somehow getting the better end of the deal.
<ul>
<li>They are not.</li>
<li>They’re too busy working to do anything else.</li>
</ul>
</li>
</ul>
<h3 id="to-do-rather-than-to-be">“To do” rather than “to be”</h3>
<ul>
<li>Impressing people is utterly different from being impressive.</li>
<li><em>“A man is worked upon by what he works on”</em> said Frederik Douglass, who was a slave and saw the effect slavery had even on the slave owners themselves.
<ul>
<li>e.g., What you choose to do for money works on you.</li>
</ul>
</li>
<li><strong>“To be” \(<\) “to do”.</strong>
<ul>
<li>“To do” means your purpose has to be something larger than you (i.e., larger than just “to be”).
<ul>
<li>This could mean to accomplish something, or to prove something to yourself.</li>
</ul>
</li>
</ul>
</li>
<li>If you go with “to do”, things are suddenly simpler, but <em>harder</em>.
<ul>
<li>Simpler, because you can easily decide.
<ul>
<li>You know what you need to <em>do</em>, what is important to you.</li>
<li>The rest are distractions.</li>
<li>Or maybe they’re for recognition (i.e., “to be” rather than “to do”).</li>
<li>You do <em>not</em> need to compromise, since you’re always doing what you want and need to be doing.</li>
</ul>
</li>
<li>Harder, because you must harshly and strictly judge opportunities.
<ul>
<li>Do they help you do what you set out to do?</li>
<li>Are you being selfish (i.e., operating in “to be” mode) or selfless (in “to do” mode)?</li>
</ul>
</li>
</ul>
</li>
</ul>
<h3 id="become-a-student">Become a student</h3>
<ul>
<li>The pretense of knowledge is our most dangerous vice.
<ul>
<li>It prevents us from getting any better.</li>
</ul>
</li>
<li>Have a <em>mentor</em>, someone who is clearly better than you, to learn from.
<ul>
<li>Keeps your ego in check.</li>
</ul>
</li>
<li>Have an equal, to occasionally test yourself against.</li>
<li>Have someone lesser, to teach.</li>
</ul>
<h3 id="dont-be-passionate">Don’t be passionate</h3>
<ul>
<li><strong>Definition (Bad passion)</strong>:
<ul>
<li>Unbridled enthusiasm.</li>
<li>Burning, unquenchable desire to start or to achieve some <em>vague</em>, ambitious and distant goal.</li>
<li>Seemingly innocuous motivation.</li>
<li>Can tell you in great detail who they intend to become and what their success will be like.</li>
</ul>
</li>
<li>We only hear of the passion of successful people.</li>
<li>We forget that failures share the same trait.</li>
<li>Maybe passion is necessary but not sufficient.</li>
<li>Instead, <em>purpose</em>: passion with boundaries.
<ul>
<li>It de-emphasizes the “I.”</li>
<li>It’s pursuing something outside of yourself.
<!-- - _Realism:_ detachment and perspective. -->
<!-- TODO: what was this 'realism' about? --></li>
</ul>
</li>
</ul>
<!-- TODO: find better title -->
<h3 id="the-canvas-strategy">The canvas strategy</h3>
<ul>
<li>Say little, do much.</li>
<li>Be lesser, do more.</li>
<li><em>The canvas strategy:</em> Help yourself by helping others.</li>
<li>Working for others keeps your ego in check.</li>
</ul>
<h3 id="restrain-yourself">Restrain yourself</h3>
<ul>
<li>Put aside your ego and your basic sense of fairness and rights as a human being.</li>
<li>It doesn’t degrade you when others treat you poorly. It degrades them.</li>
<li>You’re not able to change the system until <em>after</em> you’ve made it.</li>
</ul>
<h3 id="get-out-of-your-own-head">Get out of your own head</h3>
<blockquote>
<p>A person who thinks all the time has nothing to think about except thoughts, <br />
So he loses touch with reality and lives in a world of illusions.</p>
<p><em>(Alan Watts)</em></p>
</blockquote>
<ul>
<li>Petrified of growing up.</li>
<li>Desperately wanting to get away.</li>
<li>Addicted to watching movies, preferring an idealized version of life on the screen.</li>
<li>Self-obsessed and immature, the world is too much to bear for you, driving you away from human contact.</li>
<li><strong>Thinking/fantasizing about doing something (and enjoying the imaginary aftermath) versus actually doing it.</strong></li>
<li>This could be the attitude I’ve (involuntarily) cultivated for the past 10 years.</li>
<li>If you are not careful, station <strong>KFKD</strong> (K fucked) will play in your head 24 hours per day:
<ul>
<li>Out of the right speaker:
<ul>
<li>Endless stream of self-aggrandizement,</li>
<li>Recitation of one’s specialness,</li>
<li>How much more open and brilliant and knowing and misunderstood and humble one is.</li>
</ul>
</li>
<li>Out of the left speaker:
<ul>
<li>Rap songs of self-loathing,</li>
<li>List of all things one doesn’t do well,</li>
<li>All the mistakes made today and over one’s lifetime,</li>
<li>The doubt,</li>
<li>The assertions…
<ul>
<li>That everything that one touches turns to shit,</li>
<li>That one doesn’t do relationships well,</li>
<li>That one is in every way a fraud, incapable of selfless love,</li>
<li>That one had no talent or insight.</li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
<li>Refuse to keep a diary because it might turn your quiet, reflective time into a sort of performance and self-deception for the sake of your (future) readers.</li>
<li>Engage with the world! (Do not fantasize too much about it.)</li>
</ul>
<blockquote>
<p>We flip up our jacket collar and consider briefly how cool we must look.<br />
We’re fearless warriors on our way to the top.<br />
It’s the opening credits montage.<br />
It’s a scene in a novel.<br />
It feels good […] and so we stay stuck inside our heads instead of participating in the world around us.</p>
<p><em>(Ryan Holiday)</em></p>
</blockquote>
<h3 id="the-danger-of-early-pride">The danger of early pride</h3>
<blockquote>
<p>Whom the gods wish to destroy they first call promising.</p>
<p><em>(Cyril Connolly)</em></p>
<p>Are you going to be a fool?<br />
Are you going to let this money puff you up?<br />
Keep your eyes open.<br />
Don’t lose your balance.</p>
<p><em>(John D. Rockefeller)</em></p>
</blockquote>
<ul>
<li>Don’t count your chickens before they hatch.</li>
<li>What things make me feel too good?</li>
<li>Don’t boast. There’s nothing in it for you.
<ul>
<li>…except inflating your own ego and later paying for it.</li>
</ul>
</li>
</ul>
<blockquote>
<p>What we cultivate less is how to protect ourselves against the validation and gratification that will quickly come our way if we show promise.<br />
What we don’t protect ourselves against are people and <em>things</em> that make us feel good – or rather, too good.</p>
<p><em>(Ryan Holiday)</em></p>
</blockquote>
<h3 id="work-work-work">Work, work, work</h3>
<ul>
<li>Ignore whatever plaudits others are getting.</li>
<li>Ignore whatever plaudits <em>you</em> are getting.</li>
<li>Work.</li>
</ul>
<h2 id="success">Success</h2>
<ul>
<li>Ego weakens the mind that helped you succeed in the first place.</li>
</ul>
<blockquote>
<p>Success is intoxicating.<br />
To sustain it requires sobriety.</p>
<p><em>(Ryan Holiday)</em></p>
</blockquote>
<h3 id="dont-tell-yourself-a-story">Don’t tell yourself a story</h3>
<blockquote>
<p>If the players take care of the details, the score takes care of itself.</p>
<p><em>(Bill Walsh)</em></p>
</blockquote>
<ul>
<li>Standards of performance (SoPs).
<ul>
<li>Not about control,</li>
<li>But about instilling excellence.</li>
<li>Seemingly trivial details:
<ul>
<li>Do not sit down on the practice field,</li>
<li>Do not browse the web for fun at work,</li>
<li>Maximum effort and commitment,</li>
<li>8 hours of work per day minimum,</li>
<li>Office and room must be clean.</li>
</ul>
</li>
</ul>
</li>
</ul>
<blockquote>
<p>We want so desperately to believe that those who have great empires <em>set out</em> to build one.<br />
Why?<br />
So we can indulge in the <em>pleasurable planning</em> of ours.</p>
<p><em>(Ryan Holiday)</em></p>
</blockquote>
<ul>
<li>Don’t be thinking what your achievements say about you, or your failures.
<ul>
<li>Or else, you’ll begin to slack off,</li>
<li>And to forget the SoPs that got you there.</li>
</ul>
</li>
</ul>
<blockquote>
<p>Keep your identity small:
the more labels you have for yourself, the dumber they make you.</p>
<p><em>(Paul Graham)</em></p>
<p>Make it about the work and the principles behind it.<br />
Not about a grand vision that makes a good headline.</p>
<p><em>(Ryan Holiday)</em></p>
</blockquote>
<ul>
<li>Don’t confuse titles and praise with the real work that got you there.</li>
<li>Don’t be thinking that success is now natural because your first big success kind of was.</li>
<li>Not everything is possible.
<ul>
<li>Just try doing something and you’ll see.</li>
</ul>
</li>
<li>Maybe the lesson you should have extracted here is that whether you succeed (or fail), this does not mean you are special (or worthless).</li>
<li>Success is rooted in work.
<ul>
<li>And luck or grace.</li>
<li>And God only knows what else.</li>
</ul>
</li>
<li>Don’t build a narrative around who you were/are/will be.</li>
<li>Focus on the execution.
<ul>
<li>Execution is sacred,</li>
<li>And primal.</li>
</ul>
</li>
</ul>
<h3 id="whats-important-to-you">What’s important to you?</h3>
<ul>
<li>You accomplished so much (more than you ever expected to).
<ul>
<li>But it’s not enough for you.</li>
</ul>
</li>
<li>You want more, but you can’t decide what’s important for you.</li>
<li>You’re never happy with what you have.
<ul>
<li>You want what others have too.</li>
</ul>
</li>
<li>Ultimately, at the end of the day, you want more than everyone else.
<ul>
<li>Maybe then you’ll feel satisfied.</li>
<li>But most likely, not.</li>
<li>What a chore.</li>
<li>How tiring.</li>
</ul>
</li>
<li>You started knowing what’s important to you:
<ul>
<li>Outdoing your previous self,</li>
<li>Contribution to others.</li>
</ul>
</li>
<li>Once you achieved it though, you lost sight of your priorities.</li>
</ul>
<blockquote>
<p>An honest man who just couldn’t help himself, who couldn’t manage to focus, and ended up far outside the bounds of his ample genius.</p>
<p><em>(Ryan Holiday)</em></p>
</blockquote>
<ul>
<li>Fear of missing out (FOMO).</li>
<li>We just can’t say “no.”
<ul>
<li>Out of vague attraction, greed or vanity.</li>
</ul>
</li>
</ul>
<blockquote>
<p>All of us waste precious life doing things we don’t like, to prove ourselves to people we don’t respect, and to get things we don’t want.</p>
<p><em>(Ryan Holiday)</em></p>
</blockquote>
<ul>
<li>You keep going down this road of success and you’ll keep meeting others more successful than you.
<ul>
<li>How will you react?</li>
<li>Will you feel insignificant?</li>
</ul>
</li>
<li>A prescription:
<ul>
<li>Choose a competition,</li>
<li>Set standards of performance,</li>
<li>Work hard to get closer and closer to your potential,</li>
<li>The results will come as a byproduct.
<ul>
<li>Or not \(\Rightarrow\) regroup!</li>
</ul>
</li>
<li>Please don’t choose <em>“I want to be better than, have more than, everyone, everywhere.”</em></li>
</ul>
</li>
<li>Do not look at other people and make their approval your goal, ignoring your true potential and purpose.</li>
<li><strong>Definition (Euthymia)</strong>: <em>A sense of your own path and how to stay on it without getting distracted by all the others that intersect it.</em></li>
<li>Think about what’s important to you and ignore the rest.
<ul>
<li>Why do you do what you do?</li>
<li>What are you after?</li>
</ul>
</li>
</ul>
<h3 id="beware-of-the-disease-of-me">Beware of the disease of me</h3>
<ul>
<li>Who has time to look at a picture of himself? What’s the point?</li>
</ul>
<h3 id="meditate-on-the-immensity">Meditate on the immensity</h3>
<blockquote>
<p>When we lack a connection to anything larger or bigger than us, it’s like a piece of our soul is gone.<br />
We just can’t forget which is bigger and which has been here longer.<br />
It’s hard to be self-absorbed and convinced of your own greatness inside the solitude and quiet of a sensory deprivation tank.<br />
It’s hard to be anything but humble walking alone along a beach late at night with an endless black ocean crashing loudly against the ground next to you.</p>
<p><em>(Ryan Holiday)</em></p>
</blockquote>
<ul>
<li>This is why you like nature: it reminds you of your place and how privileged you are to have it.
<ul>
<li>e.g., sitting in the grass at midnight starring at the Milky Way.</li>
</ul>
</li>
<li>Meditation helps repeal the ego.</li>
</ul>
<h2 id="failure">Failure</h2>
<blockquote>
<p>Ego adds self-injury to every injury you experience.<br />
A fragile sense of self is constantly under threat.</p>
<p><em>(Ryan Holiday)</em></p>
</blockquote>
<ul>
<li>When things get difficult, ego betrays you and gets in the way.</li>
</ul>
<blockquote>
<p>[The great failing is] to see yourself as more than you are and to value yourself at less than your true worth.</p>
<p><em>(Goethe)</em></p>
</blockquote>
<ul>
<li>Be humble and be strong.</li>
</ul>
<h3 id="the-effort-is-enough">The effort is enough</h3>
<ul>
<li>Do the right thing (e.g., work) and worry not about what comes to pass.</li>
<li>You might face abject failure or pure indifference.</li>
<li>That’s what happens when a project leaves your hand and goes in the hands of <em>other people.</em></li>
<li>How foolish to expect them to see things as you do.</li>
<li>How foolish to feel insulted or applauded by their reaction.</li>
<li>Doing good work is sufficient.</li>
<li>The effort is enough.</li>
</ul>
<blockquote>
<p>How do you take pride in yourself and your work?<br />
Change the definition of success.<br />
Success is peace of mind, which is a direct result of self-satisfaction in knowing you made the effort to do your best to become the best that you are capable of becoming.</p>
<p><em>(Ryan Holiday)</em></p>
</blockquote>
<ul>
<li>Like Richard Feynman said, <em>“doing the work is the prize.”</em></li>
</ul>
<blockquote>
<p>How arbitrary (many of) the breaks in life are…</p>
<p><em>(Ryan Holiday)</em></p>
</blockquote>
<ul>
<li>The world is indifferent to what you want or need.</li>
<li>If you persist in your desires, you are setting yourself up for resentment or worse.</li>
<li>Doing the work is enough.</li>
</ul>
<h3 id="draw-the-line">Draw the line</h3>
<ul>
<li>When you get your identity tied up in your work, you worry that any failure will say something bad about you as <em>a person</em>.</li>
<li>It’s almost like you’re afraid of admitting that you failed <em>as a normal fallible person</em>, not as the idealized grandiose personality your ego painted for you.</li>
<li>It’s a sunk cost fallacy: I’ve already invested so much in this grandiosity of mine, am I supposed to stop despite all of the evidence around me that I’m not as great as I paint myself to be?</li>
<li>We are fallible.
<ul>
<li>It is said so in the bible,</li>
<li>And for good reason.</li>
</ul>
</li>
</ul>
<blockquote>
<p>When a team looks like they’re going to lose a game, the coach doesn’t call them over and lie to them.
Instead, he or she reminds them who they are and what they’re capable of, and urges them to <em>go back out there and embody that</em>.</p>
<p>Only ego thinks embarrassment or failure are more than what they are.</p>
<p><em>(Ryan Holiday)</em></p>
</blockquote>
<ul>
<li>Is this going to be a “lose-lose” situation or a “lose… and then win?”</li>
<li>Circle of life: aspire and then succeed or fail.</li>
<li>Wisdom: success and failure are transitory and <em>not</em> a statement about your value as a human being.</li>
</ul>
<h3 id="maintain-your-own-scorecard">Maintain your own scorecard</h3>
<ul>
<li>Always hold yourself to a higher standard than what others might consider “good.”</li>
<li>Care little about what other people think and more about if you met your own standards.</li>
<li>In the face of success, be careful:
<ul>
<li>Celebrate and accept congratulations,</li>
<li>But keep your head down and focus on getting <em>even better</em>.</li>
</ul>
</li>
<li><strong>Measure yourself against your potential: the absolute best you are capable of.</strong>
<ul>
<li>First of all, are you even meeting your standards of performance?</li>
<li>This way you won’t seek the spotlight or other’s applause as much.</li>
<li>Make meeting, exceeding and redifining your standards trump all of that.</li>
</ul>
</li>
</ul>
<h3 id="always-love">Always love</h3>
<blockquote>
<p>Why should we feel anger at the world?<br />
As if the world would notice?</p>
<p><em>(Euripedes)</em></p>
</blockquote>
<ul>
<li>Take inventory:
<ul>
<li>What do you dislike?</li>
<li>Whose name fills you with revulsion and rage?</li>
</ul>
</li>
<li>Now ask:
<ul>
<li>Have these strong feelings really helped you accomplish anything?</li>
<li><strong>Where has hatred, anger or rage ever gotten anyone?</strong></li>
</ul>
</li>
<li>Obsession with the past is ego embodied:
<ul>
<li>You can’t conceive of accepting that someone could hurt you, deliberately or otherwise,</li>
<li>So you hate.</li>
</ul>
</li>
</ul>
<blockquote>
<p>It is the small things.<br />
Everyday deeds of ordinary folk that keeps the darkness at bay.<br />
Simple acts of kindness and love.</p>
<p><em>(<a href="https://www.youtube.com/watch?v=o-8dFg0OSdE">Mithrandir</a>)</em></p>
</blockquote>
<h3 id="for-everything-that-comes-next-ego-is-the-enemy">For everything that comes next, ego is the enemy…</h3>
<blockquote>
<p>I don’t like work – no man does – but I like what is in the work – the chance to find yourself.</p>
<p><em>(Joseph Conrad)</em></p>
</blockquote>
<ul>
<li>Keeping your ego at bay is like keeping your house clean: every day you must sweep the floor or else the dust settles and accumulates.</li>
<li>Sweep the damn floor every minute of every day.</li>
<li>And then again.</li>
</ul>Alin TomescuThis is Ryan Holiday’s “Ego is the enemy” in bullet-point form. These are the ideas I found interesting from the book, without the excellent stories used to back them. For those, you’ll have to buy the book. I changed some of the excerpts from 2nd person to 1st person, so they resonate more. I kept the same table of contents as in the book, except I changed some of the chapter titles. It’s in everyone’s head. And they trust him, Because they think they are him. It’s beautiful man… You have to admire the opponent’s elegance. (Revolver, 2005) Intro A prescription: humility. Return to the humility and work-ethic it took me to get here. I might not ever be straight, but I can strive for straighter. Think less of myself. Be less invested in the story I tell myself (or others) about my own specialness. Then, be liberated to do what I want to do. Definition (Ego): An excessive focus on glorious outcomes instead of the sweat-ridden work. Being dangerously focused on myself: How do I look? How much money will I make? How high do I stack up in the “intellectual hierarchy?” An unhealthy belief in my own importance. Arrogance. Self-centered ambition. Need to be “better than”, “more than”, “recognized for,” beyond any reasonable utility. Sense of superiority and certainty that exceeds the bounds of confidence and talent. “I am God’s gift to humanity.” Be humble in your aspirations, gracious in your success and resilient in your failures. Aspire Too much talk My weak, egotistical side says “I want to get as much public credit and attention as I can for doing the least possible.” I seem to think being silent is a sign of weakness. That being ignored is tantamount to death (and for the ego this is true). Talk depletes us. Talking and doing fight for the same resources. The only relation between work and chatter is that one kills the other. Goal visualisation is important, but our mind can start to confuse it with actual progress. That feeling that others out there, in public, enjoying the limelight, are somehow getting the better end of the deal. They are not. They’re too busy working to do anything else. “To do” rather than “to be” Impressing people is utterly different from being impressive. “A man is worked upon by what he works on” said Frederik Douglass, who was a slave and saw the effect slavery had even on the slave owners themselves. e.g., What you choose to do for money works on you. “To be” \(<\) “to do”. “To do” means your purpose has to be something larger than you (i.e., larger than just “to be”). This could mean to accomplish something, or to prove something to yourself. If you go with “to do”, things are suddenly simpler, but harder. Simpler, because you can easily decide. You know what you need to do, what is important to you. The rest are distractions. Or maybe they’re for recognition (i.e., “to be” rather than “to do”). You do not need to compromise, since you’re always doing what you want and need to be doing. Harder, because you must harshly and strictly judge opportunities. Do they help you do what you set out to do? Are you being selfish (i.e., operating in “to be” mode) or selfless (in “to do” mode)? Become a student The pretense of knowledge is our most dangerous vice. It prevents us from getting any better. Have a mentor, someone who is clearly better than you, to learn from. Keeps your ego in check. Have an equal, to occasionally test yourself against. Have someone lesser, to teach. Don’t be passionate Definition (Bad passion): Unbridled enthusiasm. Burning, unquenchable desire to start or to achieve some vague, ambitious and distant goal. Seemingly innocuous motivation. Can tell you in great detail who they intend to become and what their success will be like. We only hear of the passion of successful people. We forget that failures share the same trait. Maybe passion is necessary but not sufficient. Instead, purpose: passion with boundaries. It de-emphasizes the “I.” It’s pursuing something outside of yourself. The canvas strategy Say little, do much. Be lesser, do more. The canvas strategy: Help yourself by helping others. Working for others keeps your ego in check. Restrain yourself Put aside your ego and your basic sense of fairness and rights as a human being. It doesn’t degrade you when others treat you poorly. It degrades them. You’re not able to change the system until after you’ve made it. Get out of your own head A person who thinks all the time has nothing to think about except thoughts, So he loses touch with reality and lives in a world of illusions. (Alan Watts) Petrified of growing up. Desperately wanting to get away. Addicted to watching movies, preferring an idealized version of life on the screen. Self-obsessed and immature, the world is too much to bear for you, driving you away from human contact. Thinking/fantasizing about doing something (and enjoying the imaginary aftermath) versus actually doing it. This could be the attitude I’ve (involuntarily) cultivated for the past 10 years. If you are not careful, station KFKD (K fucked) will play in your head 24 hours per day: Out of the right speaker: Endless stream of self-aggrandizement, Recitation of one’s specialness, How much more open and brilliant and knowing and misunderstood and humble one is. Out of the left speaker: Rap songs of self-loathing, List of all things one doesn’t do well, All the mistakes made today and over one’s lifetime, The doubt, The assertions… That everything that one touches turns to shit, That one doesn’t do relationships well, That one is in every way a fraud, incapable of selfless love, That one had no talent or insight. Refuse to keep a diary because it might turn your quiet, reflective time into a sort of performance and self-deception for the sake of your (future) readers. Engage with the world! (Do not fantasize too much about it.) We flip up our jacket collar and consider briefly how cool we must look. We’re fearless warriors on our way to the top. It’s the opening credits montage. It’s a scene in a novel. It feels good […] and so we stay stuck inside our heads instead of participating in the world around us. (Ryan Holiday) The danger of early pride Whom the gods wish to destroy they first call promising. (Cyril Connolly) Are you going to be a fool? Are you going to let this money puff you up? Keep your eyes open. Don’t lose your balance. (John D. Rockefeller) Don’t count your chickens before they hatch. What things make me feel too good? Don’t boast. There’s nothing in it for you. …except inflating your own ego and later paying for it. What we cultivate less is how to protect ourselves against the validation and gratification that will quickly come our way if we show promise. What we don’t protect ourselves against are people and things that make us feel good – or rather, too good. (Ryan Holiday) Work, work, work Ignore whatever plaudits others are getting. Ignore whatever plaudits you are getting. Work. Success Ego weakens the mind that helped you succeed in the first place. Success is intoxicating. To sustain it requires sobriety. (Ryan Holiday) Don’t tell yourself a story If the players take care of the details, the score takes care of itself. (Bill Walsh) Standards of performance (SoPs). Not about control, But about instilling excellence. Seemingly trivial details: Do not sit down on the practice field, Do not browse the web for fun at work, Maximum effort and commitment, 8 hours of work per day minimum, Office and room must be clean. We want so desperately to believe that those who have great empires set out to build one. Why? So we can indulge in the pleasurable planning of ours. (Ryan Holiday) Don’t be thinking what your achievements say about you, or your failures. Or else, you’ll begin to slack off, And to forget the SoPs that got you there. Keep your identity small: the more labels you have for yourself, the dumber they make you. (Paul Graham) Make it about the work and the principles behind it. Not about a grand vision that makes a good headline. (Ryan Holiday) Don’t confuse titles and praise with the real work that got you there. Don’t be thinking that success is now natural because your first big success kind of was. Not everything is possible. Just try doing something and you’ll see. Maybe the lesson you should have extracted here is that whether you succeed (or fail), this does not mean you are special (or worthless). Success is rooted in work. And luck or grace. And God only knows what else. Don’t build a narrative around who you were/are/will be. Focus on the execution. Execution is sacred, And primal. What’s important to you? You accomplished so much (more than you ever expected to). But it’s not enough for you. You want more, but you can’t decide what’s important for you. You’re never happy with what you have. You want what others have too. Ultimately, at the end of the day, you want more than everyone else. Maybe then you’ll feel satisfied. But most likely, not. What a chore. How tiring. You started knowing what’s important to you: Outdoing your previous self, Contribution to others. Once you achieved it though, you lost sight of your priorities. An honest man who just couldn’t help himself, who couldn’t manage to focus, and ended up far outside the bounds of his ample genius. (Ryan Holiday) Fear of missing out (FOMO). We just can’t say “no.” Out of vague attraction, greed or vanity. All of us waste precious life doing things we don’t like, to prove ourselves to people we don’t respect, and to get things we don’t want. (Ryan Holiday) You keep going down this road of success and you’ll keep meeting others more successful than you. How will you react? Will you feel insignificant? A prescription: Choose a competition, Set standards of performance, Work hard to get closer and closer to your potential, The results will come as a byproduct. Or not \(\Rightarrow\) regroup! Please don’t choose “I want to be better than, have more than, everyone, everywhere.” Do not look at other people and make their approval your goal, ignoring your true potential and purpose. Definition (Euthymia): A sense of your own path and how to stay on it without getting distracted by all the others that intersect it. Think about what’s important to you and ignore the rest. Why do you do what you do? What are you after? Beware of the disease of me Who has time to look at a picture of himself? What’s the point? Meditate on the immensity When we lack a connection to anything larger or bigger than us, it’s like a piece of our soul is gone. We just can’t forget which is bigger and which has been here longer. It’s hard to be self-absorbed and convinced of your own greatness inside the solitude and quiet of a sensory deprivation tank. It’s hard to be anything but humble walking alone along a beach late at night with an endless black ocean crashing loudly against the ground next to you. (Ryan Holiday) This is why you like nature: it reminds you of your place and how privileged you are to have it. e.g., sitting in the grass at midnight starring at the Milky Way. Meditation helps repeal the ego. Failure Ego adds self-injury to every injury you experience. A fragile sense of self is constantly under threat. (Ryan Holiday) When things get difficult, ego betrays you and gets in the way. [The great failing is] to see yourself as more than you are and to value yourself at less than your true worth. (Goethe) Be humble and be strong. The effort is enough Do the right thing (e.g., work) and worry not about what comes to pass. You might face abject failure or pure indifference. That’s what happens when a project leaves your hand and goes in the hands of other people. How foolish to expect them to see things as you do. How foolish to feel insulted or applauded by their reaction. Doing good work is sufficient. The effort is enough. How do you take pride in yourself and your work? Change the definition of success. Success is peace of mind, which is a direct result of self-satisfaction in knowing you made the effort to do your best to become the best that you are capable of becoming. (Ryan Holiday) Like Richard Feynman said, “doing the work is the prize.” How arbitrary (many of) the breaks in life are… (Ryan Holiday) The world is indifferent to what you want or need. If you persist in your desires, you are setting yourself up for resentment or worse. Doing the work is enough. Draw the line When you get your identity tied up in your work, you worry that any failure will say something bad about you as a person. It’s almost like you’re afraid of admitting that you failed as a normal fallible person, not as the idealized grandiose personality your ego painted for you. It’s a sunk cost fallacy: I’ve already invested so much in this grandiosity of mine, am I supposed to stop despite all of the evidence around me that I’m not as great as I paint myself to be? We are fallible. It is said so in the bible, And for good reason. When a team looks like they’re going to lose a game, the coach doesn’t call them over and lie to them. Instead, he or she reminds them who they are and what they’re capable of, and urges them to go back out there and embody that. Only ego thinks embarrassment or failure are more than what they are. (Ryan Holiday) Is this going to be a “lose-lose” situation or a “lose… and then win?” Circle of life: aspire and then succeed or fail. Wisdom: success and failure are transitory and not a statement about your value as a human being. Maintain your own scorecard Always hold yourself to a higher standard than what others might consider “good.” Care little about what other people think and more about if you met your own standards. In the face of success, be careful: Celebrate and accept congratulations, But keep your head down and focus on getting even better. Measure yourself against your potential: the absolute best you are capable of. First of all, are you even meeting your standards of performance? This way you won’t seek the spotlight or other’s applause as much. Make meeting, exceeding and redifining your standards trump all of that. Always love Why should we feel anger at the world? As if the world would notice? (Euripedes) Take inventory: What do you dislike? Whose name fills you with revulsion and rage? Now ask: Have these strong feelings really helped you accomplish anything? Where has hatred, anger or rage ever gotten anyone? Obsession with the past is ego embodied: You can’t conceive of accepting that someone could hurt you, deliberately or otherwise, So you hate. It is the small things. Everyday deeds of ordinary folk that keeps the darkness at bay. Simple acts of kindness and love. (Mithrandir) For everything that comes next, ego is the enemy… I don’t like work – no man does – but I like what is in the work – the chance to find yourself. (Joseph Conrad) Keeping your ego at bay is like keeping your house clean: every day you must sweep the floor or else the dust settles and accumulates. Sweep the damn floor every minute of every day. And then again.How to give (and make) a presentation2015-09-14T00:00:00+00:002015-09-14T00:00:00+00:00https://alinush.github.io//2015/09/14/How-to-give-a-presentation<p>These are my notes from a quick workshop at Stony Brook University given by Professor
Michael Bender and Professor Rob Johnson in May 2012.</p>
<h2 id="how-to-make-the-presentation">How to <em>make</em> the presentation</h2>
<h3 id="prefix-competitive">Prefix competitive</h3>
<ul>
<li>If you had one slide, make your presentation.</li>
<li>If you had two slides, extend your 1 slide presentation.</li>
<li>1 slide -> 2 slides -> 3 slides.</li>
</ul>
<h3 id="quick-outline">Quick outline</h3>
<ul>
<li>Explain your problem (most likely to do bad on).</li>
<li>Explain why your problem is important.</li>
<li>Why do existing solutions not solve the problem?</li>
<li>Explain your contribution (most likely to do bad on).
<ul>
<li>Make clear what you did.</li>
<li>Make clear what other people did.</li>
</ul>
</li>
<li>Talk about your solution.</li>
<li>Put results pretty early on in the presentation.</li>
</ul>
<h3 id="tips">Tips</h3>
<p>If you have a title and you don’t know how to begin, begin by explaining your
title.</p>
<p>Put your work in context:</p>
<ul>
<li>Explain how you fit in and how you differentiate yourself from the other work.</li>
<li>Cite related work.</li>
</ul>
<p><strong>No more than 40 (or 20?) words per slide.</strong></p>
<p>Include pictures/examples.</p>
<p>If it’s a 10 minute talk, you don’t have time to explain how you solved the
problem, but more interesting than how you solved the problem:</p>
<ul>
<li>What the problem is.</li>
<li>What are difficult examples.</li>
<li>What were the difficulties.</li>
<li>What is the intuition behind the problem/solution.</li>
</ul>
<p><strong>Don’t take information away.</strong></p>
<h3 id="the-conclusion-slide">The conclusion slide</h3>
<ul>
<li>Philosophy, morals, summarize.</li>
<li>What does this mean?</li>
<li>What should people take out of this?</li>
</ul>
<h2 id="how-to-deliver-a-presentation">How to <em>deliver</em> a presentation</h2>
<p>Giving a good talk has a lot more to do with following rules than being
naturally gifted.</p>
<ul>
<li>First, slides have to be very fast.</li>
<li>Memorize your first sentence(s).
<ul>
<li>Say it confidently.</li>
<li>Likely to be nervous, so it’s good to be prepared in the beginning</li>
<li>Begin the talk quickly.</li>
<li>A student actually put the title slide about a third into the talk.</li>
</ul>
</li>
</ul>
<p>Hardest thing, most of you will fail on:</p>
<ul>
<li>Conclude your slides (individually).
<ul>
<li>Each slide must be introduced and concluded.</li>
<li>Concluding slides is really relaxing, everyone will feel great when you do
that.</li>
<li>Conclusion of your slide should be on the slide.</li>
<li>Know the conclusions for each slide.</li>
<li>Basically your “topic sentence” now becomes your ending concluding sentence
(opposite to normal writing).</li>
</ul>
</li>
<li>Pause after conclusions, let yourself and the audience breathe.
<ul>
<li>One reason you don’t do this is because you’re concerned about time, or
you can’t wait to move on to the next slide.</li>
<li>If you can’t say in a single sentence: “Why is this slide here?” then it’s
a bad slide.</li>
</ul>
</li>
</ul>
<p>Stand next to the screen, point with your fingers, the screen is not made of
sulfuric acid.</p>
<ul>
<li>Practice touching the screen, it’s a beautiful thing :)</li>
</ul>
<p>Refer to <strong>everything</strong> on the slides.</p>
<p><strong>Do not apologize, ever.</strong></p>
<p>Make jokes, smile.</p>
<ul>
<li>Follow with something self-referential.</li>
<li>Maybe add some silly pictures (strawberry, hamsters). Use this with caution.</li>
<li>Smile while giving talk.
<ul>
<li>If you’re not enjoying yourself, then everyone else will feel awkward.</li>
</ul>
</li>
</ul>
<p>Should you read your slide, or should you just summarize your slide?</p>
<ul>
<li>Do not read your slides in a monotone.</li>
<li>People can only focus on one thing at a time: don’t have a paragraph on the
slide and say something different.
<ul>
<li>People will have to choose between you and the paragraph.</li>
</ul>
</li>
</ul>
<p>Make your talk self-contained, that’s the easiest way to present.</p>
<ul>
<li>If you find you’re paraphrasing from the slides, then you have bad slides.</li>
</ul>
<p><strong>Practice your talk out loud.</strong></p>
<p><strong>Explain your talk to someone.</strong></p>
<ul>
<li>Goal is not to make a talk that makes you look smarter because it’s so
difficult to understand.</li>
<li>Make a talk that’s simple, elegant, and people can understand.</li>
<li>How can you make people both understand what you did and understand that it
was difficult?
<ul>
<li>Make it seem like what you really did was more complicated actually</li>
<li>How do you say something is complicated?
<ul>
<li>Personal stories.</li>
</ul>
</li>
</ul>
</li>
</ul>
<p><strong>Don’t:</strong></p>
<ul>
<li>Be nervous. Okay in the beginning, but shake it off.</li>
<li>Stare down at the floor.</li>
<li>Keep your hand in your pocket(s). My personal preference, at least.</li>
</ul>Alin TomescuThese are my notes from a quick workshop at Stony Brook University given by Professor Michael Bender and Professor Rob Johnson in May 2012. How to make the presentation Prefix competitive If you had one slide, make your presentation. If you had two slides, extend your 1 slide presentation. 1 slide -> 2 slides -> 3 slides. Quick outline Explain your problem (most likely to do bad on). Explain why your problem is important. Why do existing solutions not solve the problem? Explain your contribution (most likely to do bad on). Make clear what you did. Make clear what other people did. Talk about your solution. Put results pretty early on in the presentation. Tips If you have a title and you don’t know how to begin, begin by explaining your title. Put your work in context: Explain how you fit in and how you differentiate yourself from the other work. Cite related work. No more than 40 (or 20?) words per slide. Include pictures/examples. If it’s a 10 minute talk, you don’t have time to explain how you solved the problem, but more interesting than how you solved the problem: What the problem is. What are difficult examples. What were the difficulties. What is the intuition behind the problem/solution. Don’t take information away. The conclusion slide Philosophy, morals, summarize. What does this mean? What should people take out of this? How to deliver a presentation Giving a good talk has a lot more to do with following rules than being naturally gifted. First, slides have to be very fast. Memorize your first sentence(s). Say it confidently. Likely to be nervous, so it’s good to be prepared in the beginning Begin the talk quickly. A student actually put the title slide about a third into the talk. Hardest thing, most of you will fail on: Conclude your slides (individually). Each slide must be introduced and concluded. Concluding slides is really relaxing, everyone will feel great when you do that. Conclusion of your slide should be on the slide. Know the conclusions for each slide. Basically your “topic sentence” now becomes your ending concluding sentence (opposite to normal writing). Pause after conclusions, let yourself and the audience breathe. One reason you don’t do this is because you’re concerned about time, or you can’t wait to move on to the next slide. If you can’t say in a single sentence: “Why is this slide here?” then it’s a bad slide. Stand next to the screen, point with your fingers, the screen is not made of sulfuric acid. Practice touching the screen, it’s a beautiful thing :) Refer to everything on the slides. Do not apologize, ever. Make jokes, smile. Follow with something self-referential. Maybe add some silly pictures (strawberry, hamsters). Use this with caution. Smile while giving talk. If you’re not enjoying yourself, then everyone else will feel awkward. Should you read your slide, or should you just summarize your slide? Do not read your slides in a monotone. People can only focus on one thing at a time: don’t have a paragraph on the slide and say something different. People will have to choose between you and the paragraph. Make your talk self-contained, that’s the easiest way to present. If you find you’re paraphrasing from the slides, then you have bad slides. Practice your talk out loud. Explain your talk to someone. Goal is not to make a talk that makes you look smarter because it’s so difficult to understand. Make a talk that’s simple, elegant, and people can understand. How can you make people both understand what you did and understand that it was difficult? Make it seem like what you really did was more complicated actually How do you say something is complicated? Personal stories. Don’t: Be nervous. Okay in the beginning, but shake it off. Stare down at the floor. Keep your hand in your pocket(s). My personal preference, at least.