# Cryptography used in Verkle Tries *Disclaimer: The graphics presented in this document may not be pleasing to the eye* ## Overview ![image alt](https://i.imgur.com/VIpKysK.png "title" =440x200) Conceptually we can split verkle tries into two layers, the cryptography layer and the trie logic which depends on the cryptographic layer. The cryptography layer exposes a small set of methods that the trie layer relies on, hiding all of the inherent complexity of the cryptography and allowing both layers to be implemented in parallel.  In this document we focus on the cryptographic layer. We will omit notes on the bottom two layers as they are quite common in cryptography and we do not diverge from the convention in any meaningful way with respects to these two layers. In closing, we note that for the big integer arithmetic layer, one needs a 256 bit integer and the base field needed will be the scalar field of the curve bls12-381. **Elliptic curve arithmetic** - We define a twisted edwards curve $E$, known as bandersnatch whose basefield $\mathbb{F}_p$ is equal to the scalar field $\mathbb{F}_r$ of bls12-381. - We define a prime group abstraction over bandersnatch known as banderwagon by using the fact that bandersnatch's small subgroup is isomorphic to $\mathbb{Z}_2 \times \mathbb{Z}_2$. This prime group abstraction also permits an injective map from its group to $\mathbb{F}_p$. **Single Point Polynomial commitment scheme** - First we note that one is able to use a vector commitment scheme or a polynomial commitment scheme. We use the terminology of polynomial commitment schemes but it is a trivial translation. - We choose any homomorphic polynomial commitment scheme to work with our multipoint commitment scheme. We have chosen the inner product argument that was first presented in the bulletproofs protocol, however we use the variant from [BCMS20](https://eprint.iacr.org/2020/499.pdf). Given that bandersnatch is not pairing friendly, we are able to choose any polynomial commitment scheme which does not use pairings. [Kate](https://www.iacr.org/archive/asiacrypt2010/6477178/6477178.pdf) commitments are therefore not usable. **Multipoint Polynomial commitment scheme** We define a multipoint commitment scheme which is configured to use a homomorphic single point polynomial commitment scheme that is able to create a proving procedure which is more efficient than calling the single point polynomial commitment scheme algorithm repeatedly. - We also show how to use the first form of the barycentric formula to efficiently divide by a linear polynomial which vanishes on the domain in lagrange basis. Since we are not able to efficiently interpolate many polynomials, this is a crucial component to having an efficient prover in practice. ## Table of Contents ### API [Exposed API to Verkle Layer](https://hackmd.io/@6iQDuIePQjyYBqDChYw_jg/H1xXvMatq) ### Elliptic curve arithmetic - [Understanding Banderwagon : Introduction](https://hackmd.io/4o5IPeQuSuiojg2Aux1IUw) - [Understanding Banderwagon: Twisted Edwards Curves](https://hackmd.io/mZUiHhIYS4ydP9KUaYJqfA) - [Understanding Banderwagon : Halving a Point](https://hackmd.io/gK13DW-6SYqqPTr7-aFkaw) ### Commitment scheme - [Vector commitment scheme: Introduction](https://hackmd.io/Ousa85hTQ7CdRxmlhROVbQ) - [Vector commitment scheme : Multipoint argument](https://hackmd.io/7vIMcrgtTOKyvvtziTf0HA) - [Dividing in Lagrange basis on the domain](https://hackmd.io/mJeCRcawTRqr9BooVpHv5g)