A Simple Range Proof From Polynomial Commitments

Dan Boneh, Ben Fisch, Ariel Gabizon, and Zac Williamson

Let's construct a simple zero knowledge range proof from a hiding polynomial commitment scheme (PCS).

The setup

Let

p

be a prime, where

p > 2^{n}

for some

n

. We want a commitment scheme for elements in

F_{p}

that allows a prover to efficiently convince a verifier that a committed quantity

z \in F_{p}

is in the range

0 \leq z < 2^{n}

We show that for a committed

z \in F_{p}

, the prover can provide an HVZK proof to convince the verifier that

0 \leq z < 2^{n}

by committing to two polynomials of degree

(n + 1)

, and running the polynomial evaluation protocol three times. Therefore:

For the pairing-based polynomial commitment scheme of Kate, Zaverucha and Goldberg, this gives a range proof of length
$O_{λ} (1)$ that can be verified in time
$O_{λ} (1)$ , with a trusted setup and an updatable SRS of size
$O_{λ} (n)$ .
For the DARK polynomial commitment scheme of Bünz, Fisch, and Szepieniec, this gives a range proof of length
$O_{λ} (\log n)$ that can be verified in time
$O_{λ} (\log n)$ , with no trusted setup.
For comparison, recall that Bulletproofs give a range proof with no trusted setup of length
$O_{λ} (\log n)$ that can be verified in time
$O_{λ} (n)$ .

In what follows we use

F_{p}^{(< n)} [X]

to denote polynomials in

F_{p} [X]

of degree less than

n

. We assume that

n

divides

p - 1

so that there is an element

ω \in F_{p}

of order

n

. Let

H = {1, ω, ω^{2}, \dots, ω^{n - 1}}

The commitment scheme

Suppose that we have available a hiding and binding PCS for polynomials in

F_{p}^{(< n)} [X]

. Moreover, we assume that the polynomial evaluation protocol is HVZK.

To commit to an element

z \in F_{p}

, choose an arbitrary polynomial

f \in F_{p}^{(< n)} [X]

such that

f (1) = z

. Taking

f

as the constant polynomial

f (X) = z

is sufficient. The commitment to

z

is the polynomial commitment

{com}_{f}

f

If the PCS is additive, then the commitment scheme is additively homomorphic: given commitments to

z_{1}

and

z_{2}

F_{p}

, anyone can construct a commitment to

z_{1} + z_{2}

Range proof for the range
$[0, 2^{n})$

Let

{com}_{f}

be a commitment to

z \in F_{p}

so that

f (1) = z

, as above. Let

z_{0}, \dots, z_{n - 1} \in {0, 1}

be the binary digits of

z

, so that

z = \sum_{i = 0}^{n - 1} 2^{i} \cdot z_{i}

Now, given

{com}_{f}

, the prover proves that

0 \leq z < 2^{n}

, by constructing a degree-

(n - 1)

polynomial

g \in F_{p}^{(< n)} [X]

such that

g (ω^{n - 1}) = z_{n - 1} and g (ω^{i}) = 2 g (ω^{i + 1}) + z_{i} for all i = n - 2, \dots, 0 .

Observe that

g (1) = g (ω^{0}) = \sum_{i = 0}^{n - 1} 2^{i} \cdot z_{i} = z

. Now the prover needs to prove three things:

$g (1) = f (1)$ ,
$g (ω^{n - 1}) \in {0, 1}$ , and
$g (X) - 2 g (X ω) \in {0, 1}$ for all
$x \in H ∖ {ω^{n - 1}}$ .

Condition (1) proves that

g (1) = z

; Conditions (2) and (3) prove that

z_{0}, \dots, z_{n - 1}

are all in

{0, 1}

and are the binary digital of

z

. Together, these conditions prove that

0 \leq z < 2^{n}

, as required.

To prove Conditions (1)-(3), the prover sends to the verifier a polynomial commitment to

g

. It then proves to the verifier that the following polynomials evaluate to zero for all

x \in H

\begin{aligned} w_{1} (X) & = (g - f) \cdot (\frac{X^{n} - 1}{X - 1}), \\ w_{2} (X) & = g \cdot (1 - g) \cdot (\frac{X^{n} - 1}{X - ω^{n - 1}}), and \\ w_{3} (X) & = [g (X) - 2 g (X ω)] \cdot [1 - g (X) + 2 g (X ω)] \cdot (X - ω^{n - 1}) . \end{aligned}

This can be done efficiently using a batch opening technique described in this paper. The verifier sends a radom

τ \in F_{p}

to the prover, and the prover computes the quotient polynomial

q (X) = (w_{1} + τ w_{2} + τ^{2} w_{3}) / (X^{n} - 1) .

The prover sends a polynomial commitment to

q

to the verifier, and then proves that the polynomial

w (X) = w_{1} + τ w_{2} + τ^{2} w_{3} - q \cdot (X^{n} - 1)

is the zero polynomial. To do so, the verifier sends a random

ρ \in F_{p}

to the prover, and together they run the evaluation protocol three times: once for

g (ρ)

, once for

g (ρ ω)

, and once for evaluating

\hat{w} (ρ)

, where

\hat{w} (X) = f (X) \cdot (\frac{ρ^{n} - 1}{ρ - 1}) + q (X) \cdot (ρ^{n} - 1)

. This

\hat{w}

is a linear combination of

f

and

q

, and therefore the verifier can construct a commitment to

\hat{w}

using the additiving property of the PCS. The three evaluations,

g (ρ)

\hat{w} (ρ)

, and

g (ρ ω)

, along with

ρ

and

τ

, are sufficient to evaluate

w (ρ)

and confirm that the result is zero. This proves, with high probability, that

w

is the zero polynomial.

There is one remaining issue, which is that revealing

g (ρ)

\hat{w} (ρ)

, and

g (ρ ω)

is not zero-knowledge. The fix is simple: the prover constructs

g

as a degree

n + 1

polynomial by interpolating

g

to a random value at two more points

ω^{'}, ω^{″}

outside

H

. That is,

g

is defined in exactly the same way on all points in

H

, but

g (ω^{'}) = α

and

g (ω^{″}) = β

for random

α, β \in F_{p}

and

ω, ω^{'} \notin H

. Since

g

has the same values over all points in

H

, this has no effect on the relations checked above. This is zero-knowledge because

g (ρ)

and

g (ρ ω)

can now be simulated as independent random values in

F_{p}

. Moreover, the value of

\hat{w} (ρ)

is completely determined by the fact that

w (ρ) = 0

, and can therefore also be simulated. Note that we need to restrict the choice of

ρ

(F_{p} ∖ H)

to ensure that the simulation is valid.

This entire process makes two polynomial commitments, to

g

and

q

, and uses the polynomial evaluation protocol three times to evaluate

g (ρ)

\hat{w} (ρ)

, and

g (ρ ω)

. We note that, if needed, it is possible to reduce the degree of

g

by writing

z

in a base greater than 2.

Other constructions

The Bulletproofs paper (Section 4.1) shows how to implement a range proof using an inner-product argument. The DARK paper shows how to implemement an inner-product argument using a polynomial commitment scheme. Combining the two gives another way to construct a range proof from a polynomial commitment scheme with similar properties as the range proof described above. Interestingly, the resulting protocol is quite different.

Implementation/related work

This scheme initially appeared as a component of Turbo Plonk by Ariel Gabizon and Zac Williamson

A Simple Range Proof From Polynomial Commitments

Dan Boneh, Ben Fisch, Ariel Gabizon, and Zac Williamson

The setup

The commitment scheme

Range proof for the range [0,2n)

Other constructions

Implementation/related work

Read more

How to Store a Permutation Compactly

How to Build a Private DAO on Ethereum

Range proof for the range
$[0, 2^{n})$