IPA Multipoint

Introduction

This document explains how to open multiple polynomials at multiple different points. Ultimately, we use one IPA proof, 1 commitment and 1 scalar. This is the batched setting.

Statement

Given

m

IPA commitments

C_{0} = [f_{0} (X)] . . . C_{m - 1} = [f_{m - 1} (X)]

, prove evaluations:

f_{0} (z_{0}) = y_{0} ⋮ f_{m - 1} (z_{m - 1}) = y_{m - 1}

where

z_{i} \in {0, . . ., d - 1}

Proof

Let
$r \leftarrow H (C_{0}, . . . C_{m - 1}, z_{0}, . . ., z_{m - 1}, y_{0}, . . ., y_{m - 1})$

g (X) = r^{0} \frac{f_{0} (X) - y_{0}}{X - z_{0}} + r^{1} \frac{f_{1} (X) - y_{1}}{X - z_{1}} + \dots + r^{m - 1} \frac{f_{m - 1} (X) - y_{m - 1}}{X - z_{m - 1}}

The prover starts off by committing to

g (X)

, we denote this by

D

[g (X)]

The prover's job is to now convince the verifier that

D

is a commitment to

g (X)

. We do this by evaluating

g (X)

at some random point

t

We split the evaluation into two parts

g_{1} (t)

and

g_{2} (t)

g_{2} (t)

can be computed by the verifier, while

g_{1} (t)

cannot, because it involves random evaluations at the polynomials

f_{i} (X)

The verifier is able to compute the
$g_{2} (t)$ .

The prover will compute
$g_{1} (t)$ and send a proof of it's correctness.

g_{1} (t) = \sum_{i = 0}^{m - 1} r^{i} \frac{f_{i} (t)}{t - z_{i}}

g_{2} (t) = \sum_{i = 0}^{m - 1} r^{i} \frac{y_{i}}{t - z_{i}}

Let
$t \leftarrow H (r, D)$

We note that

g_{1} (X) = \sum_{i = 0}^{m - 1} r^{i} \frac{f_{i} (X)}{X - z_{i}}

. However, we specify it as

\sum_{i = 0}^{m - 1} r^{i} \frac{f_{i} (X)}{t - z_{i}}

because the latter is also able to prove an opening for

g_{1} (t)

and the verifier is able to compute the commitment for it.

Now we form two IPA proofs:

One for
$g_{1} (X)$ at
$t$ . We call this
$π$
One for
$g (X)$ at
$t$ . We call this
$ρ$

The prover now computes

y = g_{1} (t)

The proof consists of

D, (π, y), ρ

In this non-aggregated variation, the prover does not need to add
$[g_{1} (X)]$ to the transcript.

Verification

The Verifier ultimately wants to verify that

D

is the commitment to the polynomial

g (x)

The verifier computes

r

and

t

The verifier also computes

g_{2} (t)

, we mentioned above that they can do this by themselves.

Computing
$g (t)$

The verifier now needs to compute

g (t)

g (t) = g_{1} (t) - g_{2} (t)

We know that
$g_{1} (t)$ was supplied in the proof as
$y$ .
$g_{2} (t)$ can be computed by the verifier.

Hence the verifier can compute

g (t)

Note however, that they cannot be sure that

$g_{1} (t)$ is the correct computation by the prover. They need to build
$[g_{1} (X)]$ themselves and verify it against
$g_{1} (t)$

Computing
$[g_{1} (X)]$

This is

g_{1} (X)

g_{1} (X) = \sum_{i = 0}^{m - 1} r^{i} \frac{f_{i} (X)}{t - z_{i}}

Hence

[g_{1} (X)]

is:

[g_{1} (X)] = \sum_{i = 0}^{m - 1} \frac{r_{i}}{t - z_{i}} C_{i}

The verifier is able to compute this themselves, and so is able to verify that

g_{1} (t)

was computed correctly using IPA_VERIFY.

We can now call IPA_VERIFY using

$[g_{1} (X)]$
$g_{1} (t)$
$π$

Is
$g (t)$ correct?

Note now that since

g_{1} (t)

was verified to be correct and

g_{2} (t)

was computed by the verifier, we can be sure that

g (t)

is correct.

Verify
$g (x)$ at
$t$

We now call IPA_VERIFY using:

$D = [g (X)]$ *
$g (t)$
$ρ$

*In actuality, it's not

D

but an augmented

D

, but this works at a higher level and does not ruin the explanation.

Complexity

The communication complexity of this protocol is two IPA proofs, 1 scalar and 1 commitment. We can get a better protocol by aggregating things together!

Aggregation

We now present a protocol to aggregate the two IPA proofs together, only requiring one IPA proof.

Prover

Let
$q \leftarrow H (t, [g_{1} (X)])$

The prover no longer computes an IPA proof for

g_{1} (X)

and

g (X)

instead they combine them using

q

g_{3} (X) = g_{1} (X) + q \cdot g (X)

Now we form an IPA Proof for

g_{3} (X)

t

. Lets call this

σ

The prover still computes

y = g_{1} (t)

The proof consists of

D, σ, y

Verifier

In the previous step, the verifier called

[g_{1} (X)]

g_{1} (t)

with

π

, we delay this verification and instead compute:

$[g_{3} (X)] = [g_{1} (X)] + q \cdot [g (X)]$
$g_{3} (t) = g_{1} (t) + q \cdot g (t)$

We now call IPA_VERIFY using:

$[g_{3} (X)]$
$g_{3} (t)$
$σ$

With overwhelming probability over
$q$ this will only return true iff
$[g_{1} (X)]$ and
$[g (X)]$ opened at
$t$ are
$g_{1} (t)$ and
$g (t)$ respectively, from the equation.

Complexity

The communication complexity of the protocol is 1 IPA Proof, 1 commitment and 1 scalar.

Do we need to add
$[g_{1} (X)]$ to the transcript?

In the KZG document, this is
$h (X)$

If we were able to avoid this, then we could save a lot on prover time, as they could evaluate each

f_{i}

t

, then do

\frac{r^{i} \cdot f_{i} (t)}{t - z_{i}}

instead of needing to first compute

\frac{r^{i} \cdot f_{i} (X)}{t - z_{i}}

. (In the non-batched version)

However, we do need to do this because the challenge

q

is aggregating

[g_{1} (X)]

and

[g (X)]

, we need to bind

[g_{1} (X)]

to the challenge

q

There may be an argument to say that since

g_{1} (X)

uses

t

and simply using

q = H (t)

is enough to bind

g_{1} (X)

q

. We can restate this problem as:

Given two polynomials :
$f (X, Y)$ and
$g (X)$

I generate a completely random variable
$t$ .

If I want to add together
$f (X, t)$ and
$g (x)$

Is it enough to generate randomness based on
$g (X)$ and
$t$ alone?

The answer is no because the prover has free reign over
$X$ and can change it without affecting
$q$

IPA Multipoint

Introduction

Statement

Proof

Verification

Computing g(t)

Computing [g1(X)]

Is g(t) correct?

Verify g(x) at t

Complexity

Aggregation

Prover

Verifier

Complexity

Do we need to add [g1(X)] to the transcript?

Computing
$g (t)$

Computing
$[g_{1} (X)]$

Is
$g (t)$ correct?

Verify
$g (x)$ at
$t$

Do we need to add
$[g_{1} (X)]$ to the transcript?