Evaldas Drąsutis
IOTA Foundation

Formulas for polynomial KZG commitments in Lagrange basis

Summary

This post describes an experimental implementation of polynomial KZG commitments, aka Kate commitments. The implementation uses the trusted setup completely in Lagrange basis calculated upon secret

s

, non-secret value

ω

and its powers. All computations are performed in the evaluation form. The powers of a secret on the curve

[s^{i}]_{1}

nor any FFT operations are not needed in any stage.

The math mostly follows articles on KZG by Dankrad Feist, specifically this and this. We assume the reader is familiar with the content of it.

The implemented experimental Go package is based on DEDIS Advanced Crypto Library for Go Kyber v3 and uses

b n 256

BLS suite. It can be found here: https://github.com/lunfardo314/verkle

General

Constant
$d$

d

is a global constant which defines maximum length of the vector we want to commit to. The shorter vectors can be commited by providing zeroes as values, however we can't commit vectors longer than

d

The
$ω$ value

The

ω

is a scalar in the underlying field with the property of

ω^{k} \neq 1, k = 1 \dots d - 1

We use values

ω^{0}, ω^{1}, \dots, ω^{d - 1}

to calculate the Lagrange basis. The Lagrange polynomial is defined the following way:

l_{i} (X) = \prod_{j = 0, j \neq i}^{d - 1} \frac{X - ω^{i}}{ω^{j} - ω^{i}}

Any vector

V = (v_{0}, v_{1}, \dots, v_{d - 1})

on the field corresponds to the polynomial

f (X) = \sum_{i = 0}^{d - 1} v_{i} l_{i} (X)

. It makes

f (ω^{i}) = v_{i}

for

i = 0 \dots d - 1

The auxiliarly polynomial

A (X) = \prod_{i = 0}^{d - 1} (X - ω^{i})

has its roots at

ω^{k}, k = 0 \dots d - 1

The formal derivate

A^{'} (X) = \sum_{j = 0}^{d - 1} \prod_{i \neq j} (X - ω^{i})

has the following values at these roots:

A^{'} (ω^{j}) = \prod_{i \neq j} (ω^{j} - ω^{i})

We could assume

ω^{d} = 1

, i.e

ω

to be a primitive root of unity Then we'll have

A (X) = X^{d} - 1

and

A^{'} (X) = d X^{d - 1}

A^{'} (ω^{i}) = d ω^{- i}

. It would make some calculation below more economic, however in this implementation we aim to avoid this assumption due to reasons explained below.

We can always assume

ω = r^{\frac{p - 1}{d}}

where

p

is the number of elements of the scalar field and

r

is a field element selected so that the

ω

is a primitive root of unity of degree

d

(any non-zero and non-one

r

would give a root of unity but not any would give a primitive root of unity, which is needed in our case, because we need

ω^{i} \neq 1, i = 1 \dots d - 1

. In practice we can keep trying random elements

r

until

ω

is a primitive. See code in the experimental implementation).

However, the above implies

d

is a divisor of

p - 1

. Since

d

is an essential constant of the setup, the assumption

ω^{d} = 1

significantly limits possible values of

d

and this, in turn, has consequences in performance. For example, in the BLS suite we use in this implementation, smallest divisor of

p - 1

after

2^{5}

5743

. If we want to create commitments of vectors of size

257

(

256

children plus terminal value in the node of a 257-ary verkle trie), we would still have to use

d = 5743

So, we want to provide setup for calculations for arbitrary

d

and therefore avoid assumption of

ω^{d} = 1

Trusted setup

The Lagrange basis for a secret

s

is a collection of

d

values on the curve:

T L_{i} = [l_{i} (s)]_{1} i = 0 \dots d - 1

Note that

T L_{i}

also depends on

ω

.
The trusted setup

T (d, ω, s)

is a collection of public values on

G_{1}

and

G_{2}

which includes:

$d$
$ω$
$[l_{i} (s)]_{1} i = 0 \dots d - 1$
$[s - ω^{i}]_{2} i = 0 \dots d - 1$ .

We assume

s

is a scalar value on the field not known to anyone, a secret. The secret value

s

and public values

d

and

ω

are used to compute all the values in the trusted setup

T (d, ω, s)

. The secret value

s

is destroyed immediately after the generation of

T

so that noone in the world should know it.

The trusted setup is public, i.e. it does not contain any secrets. It is computationally non-feasible neither to re-construct

s

from the given

T

nor to create another valid

T^{'} (d, ω, s^{'}) = T (d, ω, s)

for some other

s^{'} \neq s

What do we want to achieve?

We aim to commit to vectors of scalar values on the underlying field

V = (v_{0}, v_{1}, \dots, v_{d - 1})

and to prove inclusion of value

v_{i}

in a position

i

by providing the commitment to the whole vector (polynomial) and the proof (no need for the vector itself).

The commitment to the vector

V

is a commitment to the polynomial

f (X)

such that

f (ω^{i}) = v_{i}

. The KZG commitment to the polynomial is

C = [f (s)]_{1}

. It is calculated by the prover.

The proof

π_{i} = π_{i} (T, V, i)

is a value on

G_{1}

. It is calculated by the prover to prove the fact that vector

V

contains

v_{i}

at the index

i

The condition

v e r i f y (T, C, π_{i}, v_{i}, i) = t r u e

is practically impossible to satisfy when

f (ω^{i}) \neq v_{i}

. The

v e r i f y

function is calculated by verifier. It uses bilinear pairing

e : G_{1} \times G_{2} \to G_{T}

and the following equation to check the validity of the proof:

e (π_{i}, [s - ω^{i}]_{2}) = e (C - [v_{i}]_{1}, H)

where

H

is the generator of the group

G_{2}

Calculating commitment to the vector

KZG commitment to the vector is:

C (T, V) = [f (s)]_{1}

we calculate it from the trusted setup, i.e. not knowing the secret

s

C (T, V) = \sum_{i = 0}^{d - 1} v_{i} \times T L_{i}

Note that once we have

T L_{i}

constants precalculated, the

C

can be calulated in

O (d)

multiplications to scalar and additions on the curve. If the vector is sparse, i.e. with just few non-zero elements, the number of operations on curve is equal to the number of non-zero values.

Setting a new value at some position in the vector does not require complete re-calculation of

C

, two operations on the curve is enough to update

C

. Let's say the old value

v_{i}

is replaced with the new value

v_{i}^{'}

. The commitment to the updated vector

C^{'}

can be calculated as

C^{'} = C + T L_{i} \times (v_{i}^{'} - v_{i})

Calculating the proof

How do we calulate the proof

π_{i}

that value

v_{i}

is in the position

i

of the vector?

The simple but naive and wrong approach can be found below in the Annex. Calculating the proof. Naive approach (wrong).

To calculate

π_{i}

correctly we have to perform true division of polynomials.
The function

q_{i} (X) = \frac{f (X) - v_{i}}{X - ω^{i}}

is a polynomial because

X - ω^{i}

is a factor of

f (X) - v_{i}

. The latter is a polynomial which has root

ω^{i}

by the very construction of

f

The KZG proof of

f (ω^{i}) = v_{i}

π_{i} = [q_{i} (s)]_{1}

Just like we calculate

f

in Lagrange basis:

f (X) = \sum_{i = 0}^{d - 1} v_{i} l_{i} (X) f (ω^{j}) = \sum_{i = 0}^{d - 1} v_{i} l_{i} (ω^{j}) = \sum_{i = 0}^{d - 1} f (ω^{i}) l_{i} (ω^{j}) f (s) = \sum_{i = 0}^{d - 1} f (ω^{i}) l_{i} (s)

we aim to calculate

q_{i} (X)

in Lagrange basis too:

q_{i} (X) = \sum_{m = 0}^{d - 1} q_{i} (ω^{m}) l_{m} (X) q_{i} (s) = \sum_{m = 0}^{d - 1} q_{i} (ω^{m}) l_{m} (s)

So, we only need to calculate the

q_{i} (ω^{m})

for each

m

but how? The problem is, in the direct calculation it leads to zero denominator, even if we know it has value there because

q_{i} (X)

is a polynomial.

To calculate

q_{i} (ω^{m})

, we follow formulas in the article mentioned above, the chapter Dividing when one of the points is zero. We adjust formulas to our use of

{ω^{j}}

and to be more clear for our implementation.

Calculating
$q_{i} (ω^{m})$ with
$m \neq i$

q_{i} (X) = \frac{f (X) - v_{i}}{X - ω^{i}} = \frac{\sum_{j = 0}^{d - 1} v_{j} l_{j} (X) - v_{i}}{X - ω^{i}} q_{i} (ω^{m}) = \frac{\sum_{j = 0}^{d - 1} (v_{j} - v_{i}) l_{j} (ω^{m})}{ω^{m} - ω^{i}} = \frac{\sum_{j = 0, j \neq i}^{d - 1} (v_{j} - v_{i}) l_{j} (ω^{m})}{ω^{m} - ω^{i}} q_{i} (ω^{m}) = \frac{v_{m} - v_{i}}{ω^{m} - ω^{i}}, m \neq i

Almost there. Now we only have to figure out how to calculate

q_{m} (ω^{m})

Calculating
$q_{m} (ω^{m})$

We can rewrite formulas for the Lagrange polynomial:

l_{j} (X) = \frac{1}{A^{'} (ω^{j})} \frac{A (X)}{X - ω^{j}} \frac{l_{j} (X)}{X - ω^{i}} = \frac{1}{A^{'} (ω^{j})} \frac{A (X)}{(X - ω^{j}) (X - ω^{i})} \frac{A^{'} (ω^{i})}{A^{'} (ω^{i})} = \frac{A^{'} (ω^{i})}{A^{'} (ω^{j})} (\frac{1}{A^{'} (ω^{i})} \frac{A (X)}{X - ω^{i}}) \frac{1}{X - ω^{j}} = \frac{A^{'} (ω^{i})}{A^{'} (ω^{j})} \frac{l_{i} (X)}{X - ω^{j}}

Note that the formulas above are defined for any

i, j = 0 \dots d - 1

. Let's assume

X = ω^{m}

in the above:

\frac{l_{j} (ω^{m})}{ω^{m} - ω^{i}} = \frac{A^{'} (ω^{i})}{A^{'} (ω^{j})} \frac{l_{i} (ω^{m})}{ω^{m} - ω^{j}} q_{i} (ω^{m}) = \sum_{j = 0, j \neq i}^{d - 1} (v_{j} - v_{i}) \frac{l_{j} (ω^{m})}{ω^{m} - ω^{i}} = = \sum_{j = 0, j \neq i}^{d - 1} (v_{j} - v_{i}) \frac{A^{'} (ω^{i})}{A^{'} (ω^{j})} \frac{l_{i} (ω^{m})}{ω^{m} - ω^{j}} q_{m} (ω^{m}) = \sum_{j = 0, j \neq m}^{d - 1} (v_{j} - v_{m}) \frac{A^{'} (ω^{m})}{A^{'} (ω^{j})} \frac{l_{m} (ω^{m})}{ω^{m} - ω^{j}} = \sum_{j = 0, j \neq m}^{d - 1} (v_{j} - v_{m}) \frac{A^{'} (ω^{m})}{A^{'} (ω^{j})} \frac{1}{ω^{m} - ω^{j}} = = \sum_{j = 0, j \neq m}^{d - 1} v_{j} \times \frac{A^{'} (ω^{m})}{A^{'} (ω^{j})} \frac{1}{ω^{m} - ω^{j}} - v_{m} \times \sum_{j = 0, j \neq m}^{d - 1} \frac{A^{'} (ω^{m})}{A^{'} (ω^{j})} \frac{1}{ω^{m} - ω^{j}}

The following pre-calculated values would improve performace:

T A_{m j} = \frac{A^{'} (ω^{m})}{A^{'} (ω^{j})} \frac{1}{ω^{m} - ω^{j}} m \neq j T K_{m} = \sum_{j = 0, j \neq m}^{d - 1} \frac{A^{'} (ω^{m})}{A^{'} (ω^{j})} \frac{1}{ω^{m} - ω^{j}} q_{m} (ω^{m}) = \sum_{j = 0, j \neq m}^{d - 1} v_{j} \times T A_{m j} - v_{m} \times T K_{m}

Final formulas to calculate KZG proof
$π_{i}$

Note that we assume trusted setup is completely in Lagrange basis:

q_{i} (ω^{m}) = \frac{v_{m} - v_{i}}{ω^{m} - ω^{i}}, i \neq m q_{m} (ω^{m}) = \sum_{j = 0, j \neq m}^{d - 1} v_{j} \times T A_{m j} - v_{m} \times T K_{m} π_{i} = \sum_{j = 0}^{d - 1} q_{i} (ω^{j}) \times T L_{j}

where

T A_{m j} = \frac{A^{'} (ω^{m})}{A^{'} (ω^{j})} \frac{1}{ω^{m} - ω^{j}} m \neq j T K_{m} = \sum_{j = 0, j \neq m}^{d - 1} \frac{A^{'} (ω^{m})}{A^{'} (ω^{j})} \frac{1}{ω^{m} - ω^{j}} = \sum_{j = 0, j \neq m}^{d - 1} T A_{m j}

Precalculation of

T K_{m}

allows significantly speed up calculation of

q_{m} (ω^{m})

when

V

is sparse.

Precalculation of

T A_{m j}

could take a lot,

O (d^{2})

, of memory, so probably not worth it when

d

is large. Pre-calculation of

A^{'} (ω^{i})

would be enough.

Some observations

1. The formulas above are valid for arbitrary

d

, i.e. not constrained by the condition

ω^{d} = 1

. We chose to (pre)calculate values

A^{'} (ω^{i})

instead

2. Funny enough, it is not clear how, using the trusted setup, we could even calculate a fake proof

π_{i}^{f a k e}

which would state (wrongly)

f (ω^{i}) = y

for arbitrary

y \neq v_{i}

3. We can provide proof of the absense of a key in the verkle tree. For this we just need to provide proof of

v_{i} = 0

i.e.

f (ω^{i}) = 0

4. Since

q_{i} (ω^{m})

are all non-zero, calculation of

π_{i}

requires

d

operations on the curve. So, calculating the proof is an expensive operation and it does not look like it is possible to optimize it.

5. It turns out, we can update any trusted setup with the additional secret

t

by multiplying its public values without knowing the underlying secret. This property can be used to increase security of the trusted setup the following way:

let's say we have
$N$ unrelated parties
party
$0$ generates trusted setup
$T_{0}$ for its secret
$s_{0}$ , destroys it and passes
$T_{0}$ to the party
$T_{1}$ .
And so on: party
$j$ receives trusted setup
$T_{j - 1}$ from the previous party, generates it own secret
$s_{j}$ , multiplies previous trusted setup to get the next:
$T_{j} = s_{j} \times T_{j - 1}$ and destroys the secret
$s_{j}$ .
the last trusted setup
$T = T_{N - 1}$ is secure if any one of
$N$ parties were honest, i.e. it destroyed and forgot its secret.

Using other domain than
$ω^{i}$

Since we do not use the property of

ω

being a root of unity on the field, i.e.

ω^{d} = 1

, the domain where Lagrange polynomials are calculated can be almost any collection of different values on the field.

For example, in the above we could replace

ω^{i}

with

i

, i.e we'd be using

0, 1, 2, \dots d - 1

on the field as points to calculate the Lagrange basis. The pre-calculated values would become simpler and (pre) calculations faster:

T A_{m j} = \frac{A^{'} (m)}{A^{'} (j)} \frac{1}{m - j} m \neq j T K_{m} = \sum_{j = 0, j \neq m}^{d - 1} \frac{A^{'} (m)}{A^{'} (j)} \frac{1}{m - j} = \sum_{j = 0, j \neq m}^{d - 1} T A_{m j}

Annex. Calculating the proof. Naive approach (wrong)

The proof that vector (the committed polynomial) has value

v_{i}

in the i-th position is calculated the following way:

π_{i} = π_{i} (T, V, i) = [\frac{f (s) - v_{i}}{s - ω^{i}}]_{1}

π_{i}

is a point on

G_{1}

, just like

C

. How do we calculate it? Let's expand the formula.

π_{i} = [\frac{\sum_{j = 0}^{d - 1} v_{j} l_{j} (s)}{s - ω^{i}}]_{1} - [\frac{v_{i}}{s - ω^{i}}]_{1} = \sum_{j = 0}^{d - 1} v_{j} [\frac{l_{j} (s)}{s - ω^{i}}]_{1} - v_{i} [\frac{1}{s - ω^{i}}]_{1}

So, we only need to pracalculate values

[\frac{l_{j} (s)}{s - ω^{i}}]_{1}

and

[\frac{1}{s - ω^{i}}]_{1}

and make it a part of the trusted setup, after that we can calculate

π_{i}

for any

V

.Right? No!

As it was pointed out by Dankrad Feist in private email, after exposing value

[\frac{1}{s - ω^{i}}]_{1}

in public we make

π_{i}

fakeable:

π_{i}^{f a k e} = \sum_{j = 0}^{d - 1} r_{j} [\frac{l_{j} (s)}{s - ω^{i}}]_{1} - r_{i} [\frac{1}{s - ω^{i}}]_{1} = \frac{1}{s - ω_{i}} (C - r_{i} [1]_{1}) e (\frac{1}{s - ω^{i}} (C - r_{i} [1]_{1}), [s - ω^{i}]_{2}) = e (C - [r_{i}]_{1}, H)

for any

r_{i}

The above means pairing equation is always satisfied for any value we want. It does not make any sense, so, the approach is wrong.

Evaldas

2021/08/18 16:05:08

j} \\ \frac{l_j(X)}{X-\omega^i}=\frac{1}{A

Here I do not describe multi proofs, this is another thing. In this doc we only talk about vector commitments and proof for a value in the position. It corresponds to a node in the verkle trie (Edited)

2021/08/18 16:06:18

ng)*.

This document is just an expansion of the referenced docs. It uses same notation, no plan for separate section (Edited)

dankrad

2021/08/18 16:52:18

The $\omega$ is a scalar in the underlying field with the property of $\omega^k\not=1, k=1 \dots d-1$.

omega needs to be a root of unity, i.e. omega^d = 1 (Edited)

2021/08/18 16:52:36

The auxiliarly polynomial $A(X)=\prod_{i=0}^{d-1}(X-\omega^i)$ has its roots at $\omega^k, k=0 \dots d-1$

A(x) = \prod (not sum!!) (Edited)

2021/08/18 16:54:34

So, we want to provide setup for calculations for arbitrary $d$ and therefore avoid assumption of $\omega^d=1$.

If you do not want to use roots of unity, then you can simply use 0, 1, 2, 3, ... to simplify your calculations (Edited)

2021/08/18 17:01:23

The *trusted setup* is public, i.e. it does not contain any secrets. It is computationally non-feasible neither to re-construct $s$ from the given $T$ nor to create another valid $T'(d, \omega, s') = T(d, \omega, s)$ for some other $s'\not=s$.

That is not true, the trusted setup is updatable. You can take T(.,.,s), another secret t, and multiply all the monomials with it, so you get an updated trusted setup for s' = t*s (Edited)

2021/08/18 17:08:20

Just like we calculate $f$ in Lagrange basis: $$ \\f(X) = \sum_{i=0}^{d-1} v_il_i(X) \\f(\omega^j) = \sum_{i=0}^{d-1} v_il_i(\omega^j) = \sum_{i=0}^{d-1} f(\omega^i)l_i(\omega^j) \\f(s) = \sum_{i=0}^{d-1} f(\omega^i)l_i(s) $$ we aim to calculate $q_i(X)$ in Lagrange basis too: $$ q_i(X)=\sum_{m=0}^{d-1}q_i(\omega^m) l_m(X) \\ q_i(s)=\sum_{m=0}^{d-1}q_i(\omega^m) l_m(s)$$

Double use if index i (Edited)

2021/08/18 17:20:41

Precalculation of $TA_{mj}$ could take a lot, $O(d^2)$, of memory, so probably not worth it when $d$ is large. Pre-calculation of $A'(\omega^i)$ would be enough.

If you use 0,1,2,3,... as your domain instead of omega^i, then you can simplify this as the denominator simply becomes m-j, so you only need to invert 2n numbers in your precomputation instead of n^2. (Edited)

2021/08/18 17:20:42

I know, but see below pls. (Edited)

2021/08/18 17:22:14

This is true. It can be any (Edited)

2021/08/18 17:24:28

You are right. Does it change something security-wise? (Edited)

2021/08/18 17:28:13

Agreed. 1,2 etc can be used. Just wanted to stick to \omega thing, closer to the original. Why then we need powers and root of unity at all? (Edited)

2021/08/19 07:04:26

Btw, the updated trusted setup still will be another trusted setup T’ \not= T. So, the statements still holds (Edited)

Formulas for polynomial KZG commitments in Lagrange basis

Summary

General

Constant d

The ω value

Trusted setup

What do we want to achieve?

Calculating commitment to the vector

Calculating the proof

Calculating qi(ωm) with m≠i

Calculating qm(ωm)

Final formulas to calculate KZG proof πi

Some observations

Using other domain than ωi

Annex. Calculating the proof. Naive approach (wrong)

Read more

Proxima: ledger explorer

Constant
$d$

The
$ω$ value

Calculating
$q_{i} (ω^{m})$ with
$m \neq i$

Calculating
$q_{m} (ω^{m})$

Final formulas to calculate KZG proof
$π_{i}$

Using other domain than
$ω^{i}$