# Polynomial commitments, KZG and the necessity of EIP4844 --- ## Agenda - ZkSnark = Commitment + IOP - But what are commitment schemes? - Various form of commitments imply costs on ZK - Polynomial "balance" - Constraints to polynomials - Why KZG became the hot thing? - KZG in etherum --- ## Zk ~= Commitment + IOP - ZK is a form of communication when you can't decide if Alice talked to herself or to Bob, no matter how long you investigate the dialoge. - The "snark" part also makes this fast, small and one-shot. - It's a trend in crypto engineering to create new ZKSnarks by combining commitments and IOPs - It's not the **only** way to do it, but it works all the time if you have both components ready, and it's easy to model --- ## Commitment schemes - Appeared first in a thought experiment "coin tossing over phone". - You need an encoding of your **secret** data in a way that you cannot **change your mind** when it's time to decide who won. - Formally these are the **binding** and **hiding** requirements --- ## Commitment hierarchy in ZK  --- ## Polynomial $94x_1^{4} + 16x_2^3 - 20x_3 + 3$ or $\sum_{i=0}^{4} c_ix_i^i$ or $(94, 16, 0, -20, 3)$ --- ## Polynomial - they can encode an enormous amount of data - they also encode enormous amount of RELATIONS between data $A(x) + B(x) = C(x)$ - they can express everything that is computable \o/ ---  $x_2*(x_1+x_2)*(x_2+1)$ --- ## Why KZG is special? - Fixed commitment size (48 bytes), regardless of how long is your "equation" - Fixed proof size too! - Fixed time verification, just 2 operations! - Multiple proofs can be squeezed into one -> sounds like a rollup! :rolled_up_newspaper: --- ## Ethereum and KZG - Storage is still the most expensive resource in web3 (contrary to IT in general) - Storing commitments, even if just 48 bytes, cost a lot of gas (2100 per byte) - But we nee lots of these if we were to create ZK layer2 dApps --- ## So we made a storage layer just for KZG :shrug: From EIP4844, a separate layer is introduced that ONLY stores KZG commitments, cheaply, and deletes them after 2 weeks... you gonna verify them by that time anyway. --- ## Rules of the new layer - New type of transaction, only to be used if you want blobs - Not really sharded, but only synced by consensus nodes (prism, not geth) - Contracts cannot read directly, only the commitment - On the long term, sharding will be limited per block, so it **has it's own fee market** - New precompile contracts to verify proofs --- ## Layer2 after EIP4844 (the scroll way) - You made $T$ transactions off-chain that you need to anchor back to L1 for the fraction of the gas - Make a KZG commitment you T (remember you cannot change this later) - Make another KZG commitment to the circuit that gets executed inside EVM when you feed it these transactions - Evaluate both equations at the same point and check if they equal all the time --- ## The Future - DankSharding is only the first, forward-compatible step for real sharding - You still store all the blob transactions, but prune them frequently - Fee market experiments can run ahead of time and toolchain can mature before the real thing --- ## Thanks for your attention! Questions? https://silur.me @silur@infosec.exchange https://t.me/huohuli