-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy path2021-10-11-basic-polynomial-commitment.html
444 lines (370 loc) · 23.4 KB
/
2021-10-11-basic-polynomial-commitment.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link rel="stylesheet" type="text/css" href="/theme/css/elegant.prod.9e9d5ce754.css" media="screen">
<link rel="stylesheet" type="text/css" href="/theme/css/custom.css" media="screen">
<link rel="dns-prefetch" href="//fonts.googleapis.com">
<link rel="preconnect" href="https://fonts.gstatic.com/" crossorigin>
<meta name="author" content="jin" />
<meta name="description" content="A vector commitment is scheme that allows one to commit to a sequence of values while keeping them hidden. The committer is also able to reveal the values later by providing a proof. Merkle tree is a form of vector commitment. The sequence of values are the leave nodes. The …
" />
<meta name="twitter:creator" content="@jinfwhuang">
<meta property="og:type" content="article" />
<meta name="twitter:card" content="summary">
<meta name="keywords" content="crytography, misc, " />
<meta property="og:title" content="An Example of Polynomial Commitment "/>
<meta property="og:url" content="/2021-10-11-basic-polynomial-commitment" />
<meta property="og:description" content="A vector commitment is scheme that allows one to commit to a sequence of values while keeping them hidden. The committer is also able to reveal the values later by providing a proof. Merkle tree is a form of vector commitment. The sequence of values are the leave nodes. The …" />
<meta property="og:site_name" content="Jin's Notes" />
<meta property="og:article:author" content="jin" />
<meta property="og:article:published_time" content="2021-10-11T00:00:00-07:00" />
<meta name="twitter:title" content="An Example of Polynomial Commitment ">
<meta name="twitter:description" content="A vector commitment is scheme that allows one to commit to a sequence of values while keeping them hidden. The committer is also able to reveal the values later by providing a proof. Merkle tree is a form of vector commitment. The sequence of values are the leave nodes. The …">
<meta property="og:image" content="/images/android-chrome-192x192.png" />
<meta name="twitter:image" content="/images/android-chrome-192x192.png" >
<title>An Example of Polynomial Commitment · Jin's Notes
</title>
<link rel="shortcut icon" href="/theme/images/favicon.ico" type="image/x-icon" />
<link rel="icon" href="/theme/images/apple-touch-icon-152x152.png" type="image/png" />
<link rel="apple-touch-icon" href="/theme/images/apple-touch-icon.png" type="image/png" />
<link rel="apple-touch-icon" sizes="57x57" href="/theme/images/apple-touch-icon-57x57.png" type="image/png" />
<link rel="apple-touch-icon" sizes="72x72" href="/theme/images/apple-touch-icon-72x72.png" type="image/png" />
<link rel="apple-touch-icon" sizes="76x76" href="/theme/images/apple-touch-icon-76x76.png" type="image/png" />
<link rel="apple-touch-icon" sizes="114x114" href="/theme/images/apple-touch-icon-114x114.png" type="image/png" />
<link rel="apple-touch-icon" sizes="120x120" href="/theme/images/apple-touch-icon-120x120.png" type="image/png" />
<link rel="apple-touch-icon" sizes="144x144" href="/theme/images/apple-touch-icon-144x144.png" type="image/png" />
<link rel="apple-touch-icon" sizes="152x152" href="/theme/images/apple-touch-icon-152x152.png" type="image/png" />
<link rel="apple-touch-icon" sizes="152x152" href="/theme/images/apple-touch-icon-180x180.png" type="image/png" />
<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','//www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-207279664-1', 'auto');
ga('send', 'pageview');
</script>
</head>
<body>
<div id="content">
<div class="navbar navbar-static-top">
<div class="navbar-inner">
<div class="container-fluid">
<a class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</a>
<a class="brand" href="/"><span class=site-name><span style="color:black;">Jin's Notes</span></span></a>
<div class="nav-collapse collapse">
<ul class="nav pull-right top-menu">
<li >
<a href=
"/"
>Home</a>
</li>
<!-- <li ><a href="/categories">Categories</a></li>-->
<li ><a href="/tags">Tags</a></li>
<li ><a href="/archives">Archives</a></li>
<li><form class="navbar-search" action="/search" onsubmit="return validateForm(this.elements['q'].value);"> <input type="text" class="search-query" placeholder="Search" name="q" id="tipue_search_input"></form></li>
</ul>
</div>
</div>
</div>
</div>
<div class="container-fluid">
<div class="row-fluid">
<div class="span1"></div>
<div class="span10">
<article itemscope>
<div class="row-fluid">
<header class="page-header span10 offset2">
<h1>
<a href="/2021-10-11-basic-polynomial-commitment">
An Example of Polynomial Commitment<br/>
</a>
</h1>
</header>
</div>
<div class="row-fluid">
<div class="span2 table-of-content">
<nav>
<h4>Contents</h4>
<div class="toc">
<ul>
<li><a href="#preliminary">Preliminary</a></li>
<li><a href="#commitment">Commitment</a></li>
<li><a href="#proof">Proof</a></li>
<li><a href="#verification">Verification</a></li>
<li><a href="#notes">Notes</a></li>
<li><a href="#references">References:</a></li>
</ul>
</div>
</nav>
</div>
<div class="span8 article-content">
<p>A vector commitment is scheme that allows one to commit to a sequence of values while keeping them hidden. The committer is also able to reveal the values later by providing a proof.</p>
<p>Merkle tree is a form of vector commitment. The sequence of values are the leave nodes. The commitment is the root hash. The revealing strategy is by way of a Merkle proof. One of the limitation of a Merkle proof is the proof size is <span class="math">\(O(k \log_k n)\)</span>.</p>
<p>A polynomial commitment is a strictly more expressive scheme than a vector commitment. A polynomial scheme could be used as a vector commitment.</p>
<p>Let’s make the setup more concrete. We have a sequence of values that we want to commit, <span class="math">\(\{x_i\}_{i=0}^n\)</span>. We want a construction where we have a constant size <span class="math">\(C\)</span> to represent these values, and we also want a constant size <span class="math">\(\pi\)</span> as a proof to the authenticity of a value <span class="math">\(y=x_i\)</span>. The following scheme is the <span class="caps">KZG</span> polynomial commitment.</p>
<h4 id="preliminary">Preliminary<a class="headerlink" href="#preliminary" title="Permanent link">¶</a></h4>
<p>The construction depends on pairing based cryptography primitives. I am not going into the technical details. You can find some a simple introduction to one such construction in my <a href="2021-09-25-bls-12-381-basics"><span class="caps">BLS</span> post</a>. The basics is that there are three groups, <span class="math">\(\mathbb{G}_1\)</span>, <span class="math">\(\mathbb{G}_2\)</span>, and <span class="math">\(\mathbb{G}_T\)</span> constructed on the prime field <span class="math">\(\mathcal{F}_r\)</span>. <span class="math">\(r\)</span> is the prime field order. Let <span class="math">\(G_1\)</span> and <span class="math">\(G_2\)</span> be the group generator of <span class="math">\(\mathbb{G}_1\)</span> and <span class="math">\(\mathbb{G}_2\)</span> respectively. There is a bilinear map <span class="math">\(e: \mathbb{G}_1 \times \mathbb{G}_2 \mapsto \mathbb{G}_T\)</span>. There are also arbitrary many of these values known by everyone, <span class="math">\(t^k G_1\)</span> and <span class="math">\(t^k G_2\)</span>, where <span class="math">\(k= 1, 2, ...\)</span> The trapdoor value <span class="math">\(t\in \mathcal{F}_r\)</span> is discarded and not known by anyone. We just need as many of these parameters as the size of the sequence we want to commit to.</p>
<h4 id="commitment">Commitment<a class="headerlink" href="#commitment" title="Permanent link">¶</a></h4>
<ol>
<li>Create a polynomial from the value sequence <span class="math">\(\{x_i\}\)</span>. This is straight forward, and could be accomplished by <a href="https://en.wikipedia.org/wiki/Lagrange_polynomial">lagrange polynomial</a>. The idea is simple. The polynomial could be just set to be as high degree as possible so all the values could be encoded in the polynomial. The polynomial <span class="math">\(p\)</span> is such that <span class="math">\(p(i) = x_i\)</span>. We write this polynomial in terms of its coefficients,</li>
</ol>
<div class="math">\begin{equation}
p(z) = \sum_{k=0}^{n-1} p_k z^k
\end{equation}</div>
<ol start="2">
<li>The commitment is
<div class="math">\begin{equation}
C = \sum_{i=0}^{n-1} p_i t^k G_1
\end{equation}</div>
</li>
</ol>
<p>Note that the commitment <span class="math">\(C\)</span> is a curve point in <span class="math">\(\mathbb{G}_1\)</span>. It is a curve point regardless of the size of the original sequence. </p>
<h4 id="proof">Proof<a class="headerlink" href="#proof" title="Permanent link">¶</a></h4>
<p>We want to construct a proof of a single value, <span class="math">\(y=x_i\)</span>. Because we convert the value sequence into a polynomial <span class="math">\(p\)</span>, we want to prove <span class="math">\(p(i) = y\)</span>. Let’s define another polynomial,
</p>
<div class="math">\begin{equation}
q(z) = \frac{p(z) - y}{z - i}
\end{equation}</div>
<p>
Again, we re-write this polynomial in its coefficient form, where
</p>
<div class="math">\begin{equation}
q(z) = \sum_{k=0}^{n-1} q_k z^k.
\end{equation}</div>
<p>The proof is
</p>
<div class="math">\begin{equation}
\pi = \sum_{i=0}^{n-1} q_i t^k G_1
\end{equation}</div>
<p>Note that the proof <span class="math">\(\pi\)</span> is a curve point in <span class="math">\(\mathbb{G}_1\)</span>.</p>
<h4 id="verification">Verification<a class="headerlink" href="#verification" title="Permanent link">¶</a></h4>
<p>We only need to verify the following relation.
</p>
<div class="math">\begin{equation}
e(\pi, tG_2 - iG_2) = e(C-yG_1, G_2)
\end{equation}</div>
<p>The commitment is <span class="math">\(C\)</span>. The claim is <span class="math">\(y = x_i\)</span>. The proof is <span class="math">\(\pi\)</span>. All of these are public information. <span class="math">\(tG_2\)</span> are public as well.</p>
<h4 id="notes">Notes<a class="headerlink" href="#notes" title="Permanent link">¶</a></h4>
<ul>
<li>The single point proof could be extended to a multiproof. The proof size remains to be a single curve point, hence constant size.</li>
<li>We could use the polynomial commitment scheme instead of the Merkle tree vector commitment scheme to represent a trie. The proof of a k-ary Merkle tree requires each path to contain <span class="math">\(k-1\)</span> many hash values, the number of hash values of the interested node’s siblings. The proof size is <span class="math">\(k \log_k n\)</span>. However, the polynomial commitment proof would allow us to use a single curve point to represent the proof at each level. It reduce the needs to list out sibling’s hash values. Hence the overall proof size is <span class="math">\( \log_k n\)</span>.</li>
<li>This could actually be one better. Because the revelation proofs are curve points, they are additive. We could use a single curve point to prove all parent-child relationship for each of the level. The overall proof size could be reduce to constant size.</li>
</ul>
<h2 id="references">References:<a class="headerlink" href="#references" title="Permanent link">¶</a></h2>
<ol>
<li>Vitalik’s description of <a href="https://vitalik.ca/general/2021/06/18/verkle.html">Verkle tree</a></li>
<li>Dankrad Feist’s description of <a href="https://www.youtube.com/watch?v=RGJOQHzg3UQ">Verkle trie</a></li>
<li><a href="https://ethresear.ch/t/using-polynomial-commitments-to-replace-state-roots/7095">Polynomial and Ethereum state root</a></li>
</ol>
<script type="text/javascript">if (!document.getElementById('mathjaxscript_pelican_#%@#$@#')) {
var align = "center",
indent = "0em",
linebreak = "false";
if (false) {
align = (screen.width < 768) ? "left" : align;
indent = (screen.width < 768) ? "0em" : indent;
linebreak = (screen.width < 768) ? 'true' : linebreak;
}
var mathjaxscript = document.createElement('script');
mathjaxscript.id = 'mathjaxscript_pelican_#%@#$@#';
mathjaxscript.type = 'text/javascript';
mathjaxscript.src = 'https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=default';
var configscript = document.createElement('script');
configscript.type = 'text/x-mathjax-config';
configscript[(window.opera ? "innerHTML" : "text")] =
"MathJax.Hub.Config({" +
// " config: ['MMLorHTML.js']," +
" TeX: { extensions: ['AMSmath.js','AMSsymbols.js','noErrors.js','noUndefined.js'], equationNumbers: { autoNumber: 'auto' } }," +
" jax: ['input/TeX','input/MathML','output/SVG']," +
" extensions: ['tex2jax.js','mml2jax.js','MathMenu.js','MathZoom.js']," +
" displayAlign: '"+ align +"'," +
" displayIndent: '"+ indent +"'," +
" showMathMenu: true," +
" messageStyle: 'normal'," +
" tex2jax: { " +
" inlineMath: [ ['\\\\(','\\\\)'] ], " +
" displayMath: [ ['$$','$$'] ]," +
" processEscapes: true," +
" preview: 'TeX'," +
" }, " +
" 'HTML-CSS': { " +
" availableFonts: ['TeX', 'STIX']," +
" preferredFont: 'STIX'," +
" styles: { '.MathJax_Display, .MathJax .mo, .MathJax .mi, .MathJax .mn': {color: 'inherit ! important'} }," +
" linebreaks: { automatic: "+ linebreak +", width: '90% container' }," +
" }, " +
"}); " +
"if ('default' !== 'default') {" +
"MathJax.Hub.Register.StartupHook('HTML-CSS Jax Ready',function () {" +
"var VARIANT = MathJax.OutputJax['HTML-CSS'].FONTDATA.VARIANT;" +
"VARIANT['normal'].fonts.unshift('MathJax_default');" +
"VARIANT['bold'].fonts.unshift('MathJax_default-bold');" +
"VARIANT['italic'].fonts.unshift('MathJax_default-italic');" +
"VARIANT['-tex-mathit'].fonts.unshift('MathJax_default-italic');" +
"});" +
"MathJax.Hub.Register.StartupHook('SVG Jax Ready',function () {" +
"var VARIANT = MathJax.OutputJax.SVG.FONTDATA.VARIANT;" +
"VARIANT['normal'].fonts.unshift('MathJax_default');" +
"VARIANT['bold'].fonts.unshift('MathJax_default-bold');" +
"VARIANT['italic'].fonts.unshift('MathJax_default-italic');" +
"VARIANT['-tex-mathit'].fonts.unshift('MathJax_default-italic');" +
"});" +
"}";
(document.body || document.getElementsByTagName('head')[0]).appendChild(configscript);
(document.body || document.getElementsByTagName('head')[0]).appendChild(mathjaxscript);
}
</script>
<hr/>
<script src="https://utteranc.es/client.js"
repo="jinfwhuang/jinfwhuang.github.io"
issue-term="pathname"
label="user-comments"
theme="github-light"
crossorigin="anonymous"
async>
</script>
<hr/>
<section>
<h2>Related Posts</h2>
<ul class="related-posts-list">
<li><a href="/2020-12-30-elliptical-curve-cryptography" title="Elliptical Curve Encryption and Signature - A practical introduction for programmers">Elliptical Curve Encryption and Signature <small>A practical introduction for programmers</small></a></li>
<li><a href="/2021-09-25-bls-12-381-basics" title="BLS-12-381 Basics">BLS-12-381 Basics</a></li>
</ul>
<hr />
</section>
<aside>
<nav>
<ul class="articles-timeline">
<li class="previous-article">« <a href="/2021-09-25-bls-12-381-basics" title="Previous: BLS-12-381 Basics">BLS-12-381 Basics</a></li>
<li class="next-article"><a href="/2022-03-15-stablecoins" title="Next: Notes on ERC20 Stablecoins">Notes on ERC20 Stablecoins</a> »</li>
</ul>
</nav>
</aside>
</div>
<section id="article-sidebar" class="span2">
<h4>Published</h4>
<time itemprop="dateCreated" datetime="2021-10-11T00:00:00-07:00">Mon 11 October 2021</time>
<!-- <h4>Category</h4>
<a class="category-link" href="/categories#misc-ref">misc</a>
-->
<h4>Tags</h4>
<ul class="list-of-tags tags-in-article">
<li><a href="/tags#crytography-ref">crytography
<span class="superscript">3</span>
</a></li>
</ul>
<h4>Contact</h4>
<div id="sidebar-social-link">
<a href="https://twitter.com/jinfwhuang" title="Twiiter" target="_blank" rel="nofollow noopener noreferrer">
<svg xmlns="http://www.w3.org/2000/svg" aria-label="Twitter" role="img" viewBox="0 0 512 512"><rect width="512" height="512" rx="15%" fill="#1da1f3"/><path fill="#fff" d="M437 152a72 72 0 0 1-40 12 72 72 0 0 0 32-40 72 72 0 0 1-45 17 72 72 0 0 0-122 65 200 200 0 0 1-145-74 72 72 0 0 0 22 94 72 72 0 0 1-32-7 72 72 0 0 0 56 69 72 72 0 0 1-32 1 72 72 0 0 0 67 50 200 200 0 0 1-105 29 200 200 0 0 0 309-179 200 200 0 0 0 35-37"/></svg>
</a>
<a href="https://www.linkedin.com/in/jinfwhuang" title="LinkedIn" target="_blank" rel="nofollow noopener noreferrer">
<svg xmlns="http://www.w3.org/2000/svg" aria-label="LinkedIn" role="img" viewBox="0 0 512 512" fill="#fff"><rect width="512" height="512" rx="15%" fill="#0077b5"/><circle cx="142" cy="138" r="37"/><path stroke="#fff" stroke-width="66" d="M244 194v198M142 194v198"/><path d="M276 282c0-20 13-40 36-40 24 0 33 18 33 45v105h66V279c0-61-32-89-76-89-34 0-51 19-59 32"/></svg>
</a>
</div>
</section>
</div>
</article>
<!-- Root element of PhotoSwipe. Must have class pswp. -->
<div class="pswp" tabindex="-1" role="dialog" aria-hidden="true">
<!-- Background of PhotoSwipe.
It's a separate element as animating opacity is faster than rgba(). -->
<div class="pswp__bg"></div>
<!-- Slides wrapper with overflow:hidden. -->
<div class="pswp__scroll-wrap">
<!-- Container that holds slides.
PhotoSwipe keeps only 3 of them in the DOM to save memory.
Don't modify these 3 pswp__item elements, data is added later on. -->
<div class="pswp__container">
<div class="pswp__item"></div>
<div class="pswp__item"></div>
<div class="pswp__item"></div>
</div>
<!-- Default (PhotoSwipeUI_Default) interface on top of sliding area. Can be changed. -->
<div class="pswp__ui pswp__ui--hidden">
<div class="pswp__top-bar">
<!-- Controls are self-explanatory. Order can be changed. -->
<div class="pswp__counter"></div>
<button class="pswp__button pswp__button--close" title="Close (Esc)"></button>
<button class="pswp__button pswp__button--share" title="Share"></button>
<button class="pswp__button pswp__button--fs" title="Toggle fullscreen"></button>
<button class="pswp__button pswp__button--zoom" title="Zoom in/out"></button>
<!-- Preloader demo https://codepen.io/dimsemenov/pen/yyBWoR -->
<!-- element will get class pswp__preloader--active when preloader is running -->
<div class="pswp__preloader">
<div class="pswp__preloader__icn">
<div class="pswp__preloader__cut">
<div class="pswp__preloader__donut"></div>
</div>
</div>
</div>
</div>
<div class="pswp__share-modal pswp__share-modal--hidden pswp__single-tap">
<div class="pswp__share-tooltip"></div>
</div>
<button class="pswp__button pswp__button--arrow--left" title="Previous (arrow left)">
</button>
<button class="pswp__button pswp__button--arrow--right" title="Next (arrow right)">
</button>
<div class="pswp__caption">
<div class="pswp__caption__center"></div>
</div>
</div>
</div>
</div> </div>
<div class="span1"></div>
</div>
</div>
</div>
<!-- <footer>
<div>
<span class="site-name"><span style="color:black;">Jin's Notes</span></span> - the hardest part is taking the first step
</div>
<div id="fpowered">
Powered by: <a href="http://getpelican.com/" title="Pelican Home Page" target="_blank" rel="nofollow noopener noreferrer">Pelican</a>
Theme: <a href="https://elegant.oncrashreboot.com/" title="Theme Elegant Home Page" target="_blank" rel="nofollow noopener noreferrer">Elegant</a>
</div>
</footer>-->
<script src="//code.jquery.com/jquery.min.js"></script>
<script src="//netdna.bootstrapcdn.com/twitter-bootstrap/2.3.2/js/bootstrap.min.js"></script>
<script src="/theme/js/elegant.prod.9e9d5ce754.js"></script>
<script>
function validateForm(query)
{
return (query.length > 0);
}
</script>
<script>
(function () {
if (window.location.hash.match(/^#comment-\d+$/)) {
$('#comment_thread').collapse('show');
}
})();
window.onhashchange=function(){
if (window.location.hash.match(/^#comment-\d+$/))
window.location.reload(true);
}
$('#comment_thread').on('shown', function () {
var link = document.getElementById('comment-accordion-toggle');
var old_innerHTML = link.innerHTML;
$(link).fadeOut(200, function() {
$(this).text('Click here to hide comments').fadeIn(200);
});
$('#comment_thread').on('hidden', function () {
$(link).fadeOut(200, function() {
$(this).text(old_innerHTML).fadeIn(200);
});
})
})
</script>
</body>
<!-- Theme: Elegant built for Pelican
License : MIT -->
</html>