# What is the KZG PCS
$[\tau]_1$ stands for $\tau G_1$.
- Public Parameters: $\text{srs} = ([1]_1, [\tau]_1, [\tau^2]_1, [\tau^3]_1, \dots, [\tau^{n-1}]_1, [1]_2, [\tau]_2)$, where $\tau$ is a random value that is deleted after setup so that no one knows it.
- Prover knows: $f(X) = a_0 + a_1X + a_2 X^2 + \cdots + a_{n-1} X^{n-1}$
- For a polynomial $f(X)$, its KZG10 commitment is $C_{f(X)} = f(\tau)G = a_0G + a_1\tau G + a_2\tau^2 G + \cdots + a_{n-1} \tau^{n-1} G = a_0[1]_1 + a_1[\tau]_1 + a_2[\tau^2]_1 + \dots + a_{n-1}[\tau^{n-1}]_1$, so the prover can compute $C_{f(X)}$ from the srs alone and publishes $C_{f(X)}$ first.
1. The verifier sends the prover a challenge value $\zeta$, where $\zeta$ is a random value.
2. The prover calculates $f(\zeta) = y$.
3. The prover calculates $q(X)$ according to $f(X) - y = q(X)\cdot (X-\zeta) \quad X\in \mathbb{F}_n$
4. The prover calculates $C_{q(X)} = q(\tau)G$ according to the srs.
5. The prover sends the values $y, C_{q(X)}$ to the verifier.
6. The verifier checks $e(C_{f(X)} - y\cdot[1]_1, [1]_2) = e(C_{q(X)}, [\tau]_2-\zeta \cdot [1]_2)$. This holds because $(f(\tau) - y)\cdot 1 = q(\tau) \cdot (\tau -\zeta)$ and $e([a]_1, [b]_2) = e(G, H)^{ab}$, so $a_1b_1 =a_2b_2 \Rightarrow e([a_1]_1, [b_1]_2) = e([a_2]_1, [b_2]_2)$.
## Reference
- https://learn.z2o-k7e.world/plonk-intro-cn/plonk-polycom.html
- https://dankradfeist.de/ethereum/2020/06/16/kate-polynomial-commitments.html
$$f(x) = \sum_{i=1}^8 (f_i\cdot \prod_{1\leq j \leq 8}^{j\neq i} \frac{x-j}{i-j})$$
$$f_1 \cdot \frac{x-2}{1-2}\frac{x-3}{1-3}\frac{x-4}{1-4}\frac{x-5}{1-5}\frac{x-6}{1-6}\frac{x-7}{1-7}\frac{x-8}{1-8}$$
$$c = f(s)G_1$$
$$\pi_i = \frac{f(s) - f_i}{s - i}\cdot G_1$$