Proving multiple evaluations on multiple polynomials using IPAs

This is a slightly-rewritten version of the original post from here.

Introduction

This document explains how to open different polynomials at different points.
The opening proof consists of one inner-product argument (IPA) proof, one commitment and one scalar.

The key application here is computing a slim Verkle proof fast!

Notation

Let

G

be a group of order

p

whose group operation is denoted additively.

Let

c = [f (X)]

denote a polynomial commitment to

f (X)

, typically done as:

c = \prod_{i = 0}^{n} g_{i}^{f_{i}}

where

g_{i} \in G

are generators of

G

and

f = [f_{0}, \dots, f_{n}]

are the coefficients of the degree-

n

polynomial

f

Statement

Given

m

IPA commitments

C_{0} = [f_{0} (X)] . . . C_{m - 1} = [f_{m - 1} (X)]

, we want to prove evaluations:

f_{0} (z_{0}) = y_{0} ⋮ f_{m - 1} (z_{m - 1}) = y_{m - 1}

Batch proof using two IPA proofs

Let
$r \leftarrow H (C_{0}, . . . C_{m - 1}; z_{0}, . . ., z_{m - 1}; y_{0}, . . ., y_{m - 1})$

g (X) = r^{0} \frac{f_{0} (X) - y_{0}}{X - z_{0}} + r^{1} \frac{f_{1} (X) - y_{1}}{X - z_{1}} + \dots + r^{m - 1} \frac{f_{m - 1} (X) - y_{m - 1}}{X - z_{m - 1}}

The prover starts off by committing to

g (X)

, we denote this by

C = [g (X)]

The prover's job is to now convince the verifier that

C

is a commitment to

g (X)

. We do this by evaluating

g (X)

at some random point

t

We split the evaluation into two parts

g_{1} (t)

and

g_{2} (t)

g_{2} (t)

can be computed by the verifier.

However,

g_{1} (t)

cannot be computed by the verifier since it involves random evaluations of the polynomials

f_{i} (X)

. Instead, the prover will compute

g_{1} (t)

and send a proof of it's correctness.

g_{1} (t) = \sum_{i = 0}^{m - 1} r^{i} \frac{f_{i} (t)}{t - z_{i}}

g_{2} (t) = \sum_{i = 0}^{m - 1} r^{i} \frac{y_{i}}{t - z_{i}}

Let
$t \leftarrow H (r, C)$

We note that

g_{1} (X) = \sum_{i = 0}^{m - 1} r^{i} \frac{f_{i} (X)}{X - z_{i}}

.
However, the verifier will work with:

g_{1}^{'} (X) = \sum_{i = 0}^{m - 1} r^{i} \frac{f_{i} (X)}{t - z_{i}}

Note that

g_{1}^{'} (t) = g_{1} (t)

, so proving an evaluation proof for

g_{1}^{'} (t)

is equivalent to proving

g_{1} (t)

.
Crucially, the verifier is able to compute the commitment for

g_{1}^{'} (X)

, which it could not do for

g_{1} (X)

due to the

X - z_{i}

's in the denominator.

Now we form two IPA proofs:

One for
$g_{1} (X)$ at
$t$ . We call this
$π_{1}$
One for
$g (X)$ at
$t$ . We call this
$π$

The prover now computes

y = g_{1} (t)

The proof consists of

C, (π_{1}, y), π

In this non-aggregated variation, the prover does not need to add
$[g_{1} (X)]$ to the transcript.

Verification

The Verifier ultimately wants to verify that

C

is the commitment to the polynomial

g (x)

The verifier computes

r

and

t

The verifier also computes

g_{2} (t)

, we mentioned above that they can do this by themselves.

Computing
$g (t)$

The verifier now needs to compute

g (t)

g (t) = g_{1} (t) - g_{2} (t)

We know that
$g_{1} (t)$ was supplied in the proof as
$y$ .
$g_{2} (t)$ can be computed by the verifier.

Hence the verifier can compute

g (t)

Note, however, that they cannot be sure that

$g_{1} (t)$ is the correct computation by the prover. They need to build
$[g_{1} (X)]$ themselves and verify it against
$g_{1} (t)$

Computing
$[g_{1} (X)]$

This is

g_{1} (X)

g_{1} (X) = \sum_{i = 0}^{m - 1} r^{i} \frac{f_{i} (X)}{t - z_{i}}

Hence

[g_{1} (X)]

is:

[g_{1} (X)] = \sum_{i = 0}^{m - 1} \frac{r_{i}}{t - z_{i}} C_{i}

The verifier is able to compute this themselves, and so is able to verify the proof

π_{1}

for

g_{1} (t)

against

[g_{1} (X)]

Is
$g (t)$ correct?

Note now that since

g_{1} (t)

was verified to be correct and

g_{2} (t)

was computed by the verifier, we can be sure that

g (t)

is correct.

Verify
$g (x)$ at
$t$

We can now verify

g (t)

against

C = [g (X)]

using the proof

π

Complexity

The communication complexity of this protocol is two IPA proofs, 1 scalar and 1 commitment. We can get a better protocol by aggregating things together!

More efficient batch proof using one IPA proof

We now present a protocol to aggregate the two IPA proofs together, only requiring one IPA proof.

Prover

Let
$q \leftarrow H (t, [g_{1} (X)])$

The prover no longer computes an IPA proof for

g_{1} (X)

and

g (X)

.
Instead, the prover combines them using

q

Let:

g_{3} (X) = g_{1} (X) + q \cdot g (X)

Now, we form an IPA proof

π_{3}

for

g_{3} (X)

t

The prover still computes

y = g_{1} (t)

The smaller proof now consists of

(C = [g (X)], π_{3}, y)

Verifier

In the previous step, the verifier checked

g_{1} (t)

's proof

π_{1}

against

[g_{1} (X)]

.
We delay this verification and instead compute:

$[g_{3} (X)] = [g_{1} (X)] + q \cdot [g (X)]$
$g_{3} (t) = g_{1} (t) + q \cdot g (t)$

The verifier now checks

g_{3} (t)

's proof

π_{3}

against

[g_{3} (X)]

With overwhelming probability over
$q$ this will only return true iff
$[g_{1} (X)]$ and
$[g (X)]$ opened at
$t$ are
$g_{1} (t)$ and
$g (t)$ respectively, from the equation.

Complexity

The communication complexity of the protocol is one IPA Proof, one commitment and one scalar.

Do we need to add
$[g_{1} (X)]$ to the transcript?

In the KZG document, this is
$h (X)$

If we were able to avoid this, then we could save a lot on prover time, as they could evaluate each

f_{i}

t

, then do

\frac{r^{i} \cdot f_{i} (t)}{t - z_{i}}

instead of needing to first compute

\frac{r^{i} \cdot f_{i} (X)}{t - z_{i}}

. (In the non-batched version)

However, we do need to do this because the challenge

q

is aggregating

[g_{1} (X)]

and

[g (X)]

, we need to bind

[g_{1} (X)]

to the challenge

q

There may be an argument to say that since

g_{1} (X)

uses

t

and simply using

q = H (t)

is enough to bind

g_{1} (X)

q

. We can restate this problem as:

Given two polynomials :
$f (X, Y)$ and
$g (X)$

I generate a completely random variable
$t$ .

If I want to add together
$f (X, t)$ and
$g (x)$

Is it enough to generate randomness based on
$g (X)$ and
$t$ alone?

The answer is no because the prover has free reign over
$X$ and can change it without affecting
$q$

Proving multiple evaluations on multiple polynomials using IPAs

Introduction

Notation

Statement

Batch proof using two IPA proofs

Verification

Computing g(t)

Computing [g1(X)]

Is g(t) correct?

Verify g(x) at t

Complexity

More efficient batch proof using one IPA proof

Prover

Verifier

Complexity

Do we need to add [g1(X)] to the transcript?

Read more

Call for research: Fast, on-disk authenticated key-value stores for state management

$T(n) = 2T(n/2) + O(n\log^2{n}\log\log{n})$

Complete $k$-ary tree with exactly $n$ leaves

Computing
$g (t)$

Computing
$[g_{1} (X)]$

Is
$g (t)$ correct?

Verify
$g (x)$ at
$t$

Do we need to add
$[g_{1} (X)]$ to the transcript?