Try   HackMD

Degree-Bound Proof for KZG Polynomial Commitments

1. Why Degree-Bound?

Bounding the degree of polynomials is vital for two primary reasons:

  • Efficiency: Generating an SRS is computationally expensive and time-consuming. If a user wants to commit to a polynomial of a smaller degree, it's inefficient to generate a new SRS tailored to that degree.

  • Universality: Having a universal SRS that can be used for multiple polynomial commitments of varying degrees is extremely desirable. This eliminates the need for trust set up for every new application or every time the polynomial's degree changes.

Thus, by bounding the degree, we can utilize a pre-existing, trusted KZG SRS without going through the process of generating a new one.

2. Protocol Overview

The main crux of this protocol is to bridge the gap between the degree of the polynomial

f(x) and the degree of the SRS,
D. Here's how this protocol achieves this:

Protocol Steps:

  1. Polynomial Degree Shift: Given a polynomial

    f(x) of degree
    d    , we create a shifted polynomial
    fup(x)     by elevating the degrees of
    f(x)     such that it matches with the higher degrees of the SRS. Effectively,
    fup(x)=f(x)×x(Dd)    .

  2. Challenge Generation: The verifier, wanting to ensure the degree of the original polynomial, sends a random challenge number,

    r.

  3. Opening the Polynomial: The prover evaluates both the original polynomial and the shifted polynomial at the challenge point

    r, resulting in
    f(r)     and
    fup(r)    .

  4. Verification:

    • The verifier checks that:
      [f(r)×r(Dd)=fup(r)]
      If this equation holds, it confirms that the original polynomial's degree is as claimed.
    • Furthermore, the verifier also checks the KZG openings for both evaluations to ensure their correctness.

If all these checks pass, the degree-bound proof is considered successful, ensuring that the original polynomial is of degree

d or lower, and utilizing the larger SRS of degree
D was legitimate.

Last changed by 
n1trox
1
4
241

Read more

Untitled

Version A: The simplest approach with a non-anonymous setting User's public key: $g^{f(0)}$ User submits the commitment of the polynomial, its public key, and the opening proof: $g^{f(\alpha)}, g^{f(0)}, g^{\psi_{0}(\alpha)}$ The verifier checks if the user's public key is on the committed polynomial by verifying the opening of the KZG commitment: $$ e(g^{\psi_{0}(\alpha)},g^\alpha)\cdot e(g,g^{f(0)}) \stackrel{?}{=} e(g, g^{f(\alpha)}) $$ If this check passes, the verifier trusts the public key and the commitment. However, this trust may be misplaced due to a vulnerability in the setup phase. The prover can manipulate the public key by choosing a random number $\gamma$. The prover then multiplies $g^{\psi(\alpha)}$ and $g^{f(0)}$ with $g^\gamma$ to produce $g^{\psi(\alpha)}\cdot g^\gamma$ and $g^{f(0)}\cdot g^{\alpha}\cdot g^\gamma$. This results in a manipulated pairing check that still passes. If the verifier attempts to interpolate the polynomial by Lagrange interpolation, they will get a private key that does not correspond to the crafted public key. This highlights a significant vulnerability in the setup phase of Version A.

May 29, 2023
RLN on KZG Version A Vulnerabilities

问题描述 在 RLN on KZG协议中,证明者需要提交一个多项式 $f$ 的承诺以及公钥 $g^{f(0)}$。我们发现了一个漏洞,攻击者可以在不知道私钥的情况下伪造公钥。为了解决这个问题,我们提出了一个解决方案,使用 Schnorr 签名来验证公钥,可以有效地防止这种攻击。 漏洞详细信息 在原始的 RLN 协议中,证明者提交多项式承诺 $g^{f(\alpha)}$、公钥 $g^{f(0)}$ 和开放证明 $g^{\psi_{0}(\alpha)}$。验证者检查用户的公钥是否在提交的多项式上,通过验证开放证明 $g^{\psi_{0}(\alpha)}$: $$ e(g^{\psi_{0}(\alpha)},g^\alpha)\cdot e(g,g^{f(0)}) \stackrel{?}{=} e(g, g^{f(\alpha)}) $$

May 16, 2023
Read more from n1trox
Published on HackMD