Bounding the degree of polynomials is vital for two primary reasons:
Efficiency: Generating an SRS is computationally expensive and time-consuming. If a user wants to commit to a polynomial of a smaller degree, it's inefficient to generate a new SRS tailored to that degree.
Universality: Having a universal SRS that can be used for multiple polynomial commitments of varying degrees is extremely desirable. This eliminates the need for a trusted setup for every new application or every time the polynomial's degree changes.
Thus, by bounding the degree, we can utilize a pre-existing, trusted KZG SRS without going through the process of generating a new one.
The main crux of this protocol is to bridge the gap between the degree of the polynomial and the degree of the SRS, . Here's how this protocol achieves this:
Protocol Steps:
Polynomial Degree Shift: Given a polynomial of degree , we create a shifted polynomial by elevating the degrees of such that it matches with the higher degrees of the SRS. Effectively, .
Challenge Generation: The verifier, wanting to ensure the degree of the original polynomial, sends a random challenge number, .
Opening the Polynomial: The prover evaluates both the original polynomial and the shifted polynomial at the challenge point , resulting in and .
Verification:
If all these checks pass, the degree-bound proof is considered successful, ensuring that the original polynomial is of degree or lower, and utilizing the larger SRS of degree was legitimate.
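The degree-shift idea above, sketched as a toy model (an added example, not code from the original page). The names D (SRS degree), d (claimed bound) and z (challenge), the shifted polynomial X^(D-d) * f(X), and the relation the verifier checks are assumptions; a small constructed group stands in for the pairing group, so the pairing checks on the openings are omitted.

```python
# Toy model of the degree-shift check; all parameters are constructed.
# The order-Q subgroup of Z_P^* stands in for the pairing group of real KZG.
P, Q, G = 2039, 1019, 4          # P = 2Q + 1, G generates the order-Q subgroup
D = 8                            # maximum degree supported by the SRS (assumed)

def make_srs(tau, max_deg=D):
    """SRS = [G^(tau^i)] for i = 0..max_deg; tau is the setup trapdoor."""
    return [pow(G, pow(tau, i, Q), P) for i in range(max_deg + 1)]

def commit(srs, coeffs):
    """Commit to sum(coeffs[i] * X^i); fails if the SRS has too few powers."""
    if len(coeffs) > len(srs):
        raise ValueError("polynomial degree exceeds SRS degree")
    c = 1
    for base, a in zip(srs, coeffs):
        c = c * pow(base, a % Q, P) % P
    return c

def evaluate(coeffs, x):
    """Horner evaluation over F_Q."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % Q
    return acc

def shift(coeffs, d):
    """Coefficients of X^(D-d) * f(X) for a claimed degree bound d."""
    return [0] * (D - d) + list(coeffs)

def prove_degree_bound(srs, coeffs, d, z):
    """Prover: commit to f and its shift, then open both at the challenge z."""
    shifted = shift(coeffs, d)
    return {"c_f": commit(srs, coeffs), "c_shift": commit(srs, shifted),
            "f_z": evaluate(coeffs, z), "shift_z": evaluate(shifted, z)}

def check_shift_relation(proof, d, z):
    """Verifier: opened values must satisfy shift(z) = z^(D-d) * f(z)."""
    return proof["shift_z"] == pow(z, D - d, Q) * proof["f_z"] % Q
```

A polynomial whose degree exceeds the claimed d makes shift() return more than D + 1 coefficients, so commit() rejects it; that is what ties the degree bound to the size of the SRS.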