Boogie Math

KZG commitments

Commitment schemes are used heavily in cryptography. In a nutshell, committing to some value means you cannot change this value later and this value is hidden to others. A Kate-Zaverucha-Goldberg commitment (opens new window) or simply Kate commitment allows commitment to a polynomial. And polynomial commitments are one of the building blocks of zk-rollups (opens new window).

So let us take the polynomial p(x)=a0+a1x+...+anxnp(x) = a_0 + a_1 x + ... + a_n x^n. As usually in cryptography, we live in some finite field FqF_q.

A Kate polynomial commitment is value [p(s)]1.[p(s)]_1.. We will see later what the notation []1[]_1 means. What is important is that nobody can extract pp or even p(s)p(s) from having just [p(s)]1[p(s)]_1.

Also, the committer (the party that computed [p(s)]1[p(s)]_1) cannot find another polynomial qq such that q(s)=p(s)q(s) = p(s). This property seems strange, but we will see later why this is so.

For a given χ\chi and p¯\bar p the committer can prove that it knows a polynomial that evaluates to p¯\bar p at χ\chi. This is more powerful than it might seem. I plan to write about it in a post about PLONK (opens new window).

Commitment

Let us say there is some secret value ss. And let us say [si]1[s^i]_1 and [si]2[s^i]_2 for i=0,...,n1i = 0, ..., n-1 are publicly known.

But what is this strange []1[]_1 and []2[]_2 notation?

[t]1[t]_1 just means tGtG where GG is a point on the elliptic curve. And [t]2[t]_2 means tHtH where HH is likewise a point on the elliptic curve.

So [p(s)]1[p(s)]_1 means p(s)Gp(s) G. And we cannot extract p(s)p(s) from knowing p(s)Gp(s) G, because that would mean breaking the elliptic curve discrete logarithm.

And then there is a pairing function:

A pairing is a map e:G1×G2GTe: G_1 \times G_2 \rightarrow G_T such that:

  • G1,G2,GTG_1, G_2, G_T are cyclic groups of prime order pp.
  • e:G1×G2GTe: G_1 \times G_2 \rightarrow G_T is bilinear, i.e. for all GG1,HG2,G \in G_1, H \in G_2, and a,bZa, b \in \mathbb{Z}, e(aG,bH)=e(G,H)abe(aG, bH) = e(G, H)^{ab}.
  • ee is an admissible bilinear map, i.e.
    • ee is efficiently computable
    • if GG and HH are generators of G1G_1 and G2G_2, then GTG_T is generated by e(G,H)e(G, H).
  • The discrete logarithm problem is hard to compute in G1,G2G_1, G_2, and GTG_T.

The math behind pairings is a complex topic and I plan to write a lot about it on these pages. But if you use a pairing function just as a black box and don’t mind what’s inside, then the polynomial commitments based on pairings are a surprisingly simple construct.

So, back to our polynomial pp.

We cannot compute p(s)=a0+a1s+...+ansnp(s) = a_0 + a_1 s + ... + a_n s^n because ss is a secret value that nobody knows, but we can compute [p(s)]1[p(s)]_1:

[p(s)]1=[(a0+a1s+...+ansn)G]1=a0[s0]1+a1[s1]1+...+an[sn]1[p(s)]_1 = [(a_0 + a_1 s + ... + a_n s^n) G]_1 = a_0 [s^0]_1 + a_1 [s^1]_1 + ... + a_n [s^n]_1

And this value is a KZG (or Kate) commitment to the polynomial pp.

Can the committer switch (cheat) to another polynomial?

Are there not many other polynomials that commit to the same value?

Yes, there are. But how likely is it that the polynomial rr of the same degree nn as the polynomial pp is to be found for which it holds that p(s)=r(s)p(s) = r(s)?

Let us denote h(x)=p(x)r(x)h(x) = p(x) - r(x). It holds: h(s)=0h(s) = 0.

But hh has at most nn zeros and nn (for example 2282^{28}) is tiny compared to qq (as in FqF_q, for example around 22562^{256}). The number of polynomials which evaluate to 00 at ss is tiny towards the number of all polynomials.

The probability of finding such a polynomial (remember, we do not know ss) is negligible.

Trusted setup

Where does ss come from?

Nobody is allowed to know ss, but everybody is allowed to know [si]1[s^i]_1 and [si]2[s^i]_2 for i=0,...,n1i = 0, ..., n-1.

So, how is this secret value ss generated? Well, it can be computed on some computer and this computer can be then thrown away after it spits out the [si]1[s^i]_1 and [si]2[s^i]_2 values. But a more secure way would be to use secure multi-party computation (opens new window), so that multiple subjects compute it, but none of them actually knows the value.

Opening

Having a commitment, how do we prove anything about the polynomial?

The verifier chooses a random χFq\chi \in F_q and the prover needs to provide p¯=p(χ)\bar p = p(\chi) and a proof that p¯\bar p really is the evaluation at χ\chi of the committed polynomial. This is called opening the polynomial at χ\chi.

By opening at one point the prover proves that it knows the polynomial that it has committed to.

The prover computes g(x)g(x) such that:

p(x)p¯=g(x)(xχ)p(x) - \bar{p} = g(x) (x - \chi)

Such g(x)g(x) exists because p¯=p(χ)\bar p = p(\chi).

The prover sends the value [g(s)]1[g(s)]_1 to the verifier.

The verifier checks whether:

e([p(s)p¯]1,[1]2)=e([g(s)]1,[(sχ)]2)e([p(s) - \bar p]_1, [1]_2) = e([g(s)]_1, [(s - \chi)]_2)

Note that the left side:

e([p(s)p¯]1,[1]2)=e((p(s)p¯)G),H)=e(G,H)p(s)p¯e([p(s) - \bar p]_1, [1]_2) = e((p(s) - \bar p) G), H) = e(G, H)^{p(s) - \bar p}

And the right side:

e([g(s)]1,[(sχ)]2)=e(g(s)G,(sχ)H)=e(G,H)g(s)(sχ)e([g(s)]_1, [(s - \chi)]_2) = e(g(s) G, (s - \chi) H) = e(G, H)^{g(s)(s-\chi)}

If the equality holds, the verifier knows that the prover knows a polynomial that evaluates to p¯\bar p at χ\chi.

But could the prover not find some values for p¯\bar p and g(s)g(s) such that p(s)p¯=g(s)(sχ)p(s) - \bar p = g(s) (s-\chi)?

Well, the prover doesn’t know ss, so it would need to guess the values. The probability of a correct guess is, again, negligible.

Some ideas behind PLONK