Kate, Zaverucha and Goldberg introduced a constant-sized polynomial commitment scheme in 20101. We refer to this scheme as KZG and quickly introduce it below.
Prerequisites:
- Cyclic groups of prime order and finite fields
- Pairings (or bilinear maps)
- Polynomials
Trusted setup
To commit to degree
Here,
The public parameters are updatable: given
This is useful when you want to safely re-use a pre-generated set of public parameters, without trusting that nobody knows the trapdoor.
Commitments
Commitment to
Since it is just one group element, the commitment is constant-sized.
Evaluation proofs
To prove an evaluation
Then, the constant-sized evaluation proof is:
Note that this leverages the polynomial remainder theorem.
Verifying an evaluation proof
A verifier who has the commitment
This effectively checks that
Batch proofs
One can prove multiple evaluations
Each node in the subproduct tree multiplies the polynomials stored in its two children nodes.
This way, the root polynomial will be exactly
Observation 1: I believe computing
Observation 2: In practice, the algorithms for computing
Verifying a batch proof
The verifier who has the commitment
- First, he interpolates the accumulator polynomial
as discussed above. Then, commits to in time: - Second, he interpolates
s.t. as discussed above. Then, commits to in time: - Third, he checks Equation
holds at using two pairings: .
Note that:
Aggregation of proofs
For now, we discuss proof aggregation in a different blog post on building vector commitments (VCs) from KZG.
Applications
There are many cryptographic tools one can build using polynomial commitment schemes such as KZG.
Here’s a few we’ve blogged about in the past:
- Cryptographic accumulators
- Vector Commitments (VC) schemes with
-sized proofs or with -sized proofs - Range proofs
Appendix
Recently, Cohen et al.6 showed that an MPC ceremony for generating
Acknowledgements
Many thanks to Shravan Srinivasan and Philipp Jovanovic for really helping improve this post.
-
Polynomial commitments, by Kate, Aniket and Zaverucha, Gregory M and Goldberg, Ian, 2010, [URL] ↩
-
Secure Sampling of Public Parameters for Succinct Zero Knowledge Proofs, by E. Ben-Sasson and A. Chiesa and M. Green and E. Tromer and M. Virza, in 2015 IEEE Symposium on Security and Privacy, 2015 ↩
-
A Multi-party Protocol for Constructing the Public Parameters of the Pinocchio zk-SNARK, by Bowe, Sean and Gabizon, Ariel and Green, Matthew D., in Financial Cryptography and Data Security, 2019 ↩
-
Scalable Multi-party Computation for zk-SNARK Parameters in the Random Beacon Model, by Sean Bowe and Ariel Gabizon and Ian Miers, 2017, [URL] ↩
-
Fast polynomial evaluation and interpolation, by von zur Gathen, Joachim and Gerhard, Jurgen, in Modern Computer Algebra, 2013 ↩ ↩2
-
Guaranteed Output in
Rounds for Round-Robin Sampling Protocols, by Ran Cohen and Jack Doerner and Yashvanth Kondi and abhi shelat, in Cryptology {ePrint} Archive, Paper 2022/257, 2022, [URL] ↩