Fast amortized KZG proofs

Background

Multiple KZG Proofs Generation is different from Multiopening KZG Proof:

Multiple KZG Proofs Generation means generating
$n$ KZG proofs

$[π_{0}, π_{1}, . . ., π_{i}, . . ., π_{n}]$ for a
$n$ opening pairs
$[f (y_{0}) = z_{0}, f (y_{1}) = z_{1}, . . ., f (y_{i}) = z_{i}, . . ., f (y_{n}) = z_{n}]$
The requirement here is that the
$n$ opening proofs are generated from the same polynomial
$f$
Multiopening KZG Proof means generating a single proof
$π$ for two or more openings
$[f (y_{1}) = z_{1}, f (y_{2}) = z_{2}]$ .

In the case of Summa, we are interesting in the former when generating the user inclusion opening proofs. As of today, each proof is generated running the same routine via the create_proof function.

The goal is to explore optimization techniques that come when the multiple opening (KZG) proofs are generated starting from the same polynomial

f (x)

KZG Commitment

Setup

[s], [s^{2}], . . ., [s^{d}]

Commitment

Generating KZG commitment for polynomial

f

of degree

d

C_{f} = \sum_{0 \leq i \leq d} f_{i} [s^{i}]

Proof

Say we want to prove that

f (y) = z

. This is equivalent to prove the existance of the quotient polynomial

T_{y} (X) = \frac{f (X) - z}{X - y}

. Note that the quotient polynomial has degree

d - 1

given the division between two polynomials.

The (opening) proof

π

is therefore equal to generate a KZG commitment for the quotient polynomial

π [f (y) = z] = C_{T_{y}}

For the scope of Summa, we want to generate many of these proofs. As many as the number of users of the Custodian.

Generating the commitment

C_{T_{y}}

first requires to compute the coefficients

t_{i}

of the quotient polynomial

T_{y} (X)

. These can be computed using the following formula:

$t_{d - 1} = f_{d}$
$t_{j} = f_{j + 1} + y \cdot t_{j + 1}$

Let's understand why is that the case. The first expression states that the highest degree coefficient (leading term)

t_{d - 1}

of the quotient polynomial is equal to the highest degree coefficient (leading term) of the polynomial

f

, namely

f_{d}

. The reason of that is rooted in the nature of polynomial division. The leading term of the quotient polynomial is obtained by dividing the leading term of the dividend by the leading term of the divisor. In this case, the leading term of the dividend is

f_{d}

, while the leading term of the divisor is

1

. Therefore the leading term of the quotient is equal to

f_{d}

The second formula is a way to recursively calculate the next coefficient of the quotient polynomial starting from the new leading coefficient of the dividend. This is rooted in the nature of polynomial long division as you can see from the following example that considers a polynomial

f

of degree 3.

f (X) = 2 X^{3} - 3 X^{2} + X - 5

f (2) = 1

T_{y} (X) = \frac{f (X) - 1}{X - 2} = \frac{2 X^{3} - 3 X^{2} + X - 6}{X - 2}

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

You can see how the coefficients of the quotient polynomial match the definition above.

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

To generalize the definition of the quotient polynomial for a polynomial

f (X) = a_{3} X^{3} + a_{2} X^{2} + a_{1} X + a_{0}

and a pair

f (y) = z

T_{y} (X) = a_{3} X^{2} + (a_{2} + y \cdot a_{3}) X + a 1 + y \cdot a 2 + y^{2} \cdot a 3

Let's now consider the case in which we need to generate an opening proof for the same polynomial

f

but for a different pair of points.

π [f (b) = c]

The quotient polynomial will be

T_{b} (X) = a_{3} X^{2} + (a_{2} + b \cdot a_{3}) X + a 1 + b \cdot a 2 + b^{2} \cdot a 3

Using this expression, you can tell that, apart from the leading coefficient, all the other coefficients of the quotient polynomials are opening-proof dependent. Namely, the value

b

y

at which we are opening the proof appears inside the coefficient. Also you can note that the value of

z

(or

c

in the second polynomial) doesn't appear in the quotient polynomial

Now let's see how the actual KZG proof

π

would look like in the two different cases.

π [f (y) = z] = C_{T_{y}} = a_{3} [s^{2}] + (a_{2} + y \cdot a_{3}) [s^{1}] + a 1 + y \cdot a 2 + y^{2} \cdot a 3

π [f (b) = c] = C_{T_{y}} = a_{3} [s^{2}] + (a_{2} + b \cdot a_{3}) [s^{1}] + a 1 + b \cdot a 2 + b^{2} \cdot a 3

We can group the first proof by

y

and the second proof by

b

π [f (y) = z] = C_{T_{y}} = a_{3} \cdot y^{2} + (a_{3} \cdot [s^{1}] + a_{2}) \cdot y + a_{3} \cdot [s^{2}] + a^{2} \cdot [s^{1}] + a 1

π [f (b) = a] = C_{T_{b}} = a_{3} \cdot b^{2} + (a_{3} \cdot [s^{1}] + a_{2}) \cdot b + a_{3} \cdot [s^{2}] + a^{2} \cdot [s^{1}] + a 1

We can see this as a polynomial

h

X

h (X) = a_{3} \cdot X^{2} + (a_{3} \cdot [s^{1}] + a_{2}) \cdot X + a_{3} \cdot [s^{2}] + a^{2} \cdot [s^{1}] + a 1

Note that the coefficients of

h

are only dependent of the coefficients

a_{i}

of the initial polynomial

f

and on the values

[s_{i}]

of the trusted setup.

The opening proof for whatever point

y

b

can be seen as an evaluation of

h (X)

at that point:

π [f (y) = z] = C_{T_{y}} = h (y) = a_{3} \cdot y^{2} + (a_{3} \cdot [s^{1}] + a_{2}) \cdot y + a_{3} \cdot [s^{2}] + a^{2} \cdot [s^{1}] + a 1

π [f (b) = a] = C_{T_{y}} = h (y) = a_{3} \cdot b^{2} + (a_{3} \cdot [s^{1}] + a_{2}) \cdot b + a_{3} \cdot [s^{2}] + a^{2} \cdot [s^{1}] + a 1

So let's say that we have a polynomial

f

of degree

d

and we want to generate

n

KZG opening proofs out of it. The steps needed are:

Calculate the coefficients of
$h$ .
Perform
$n$ evaluations of
$h (X)$

The main takeaway here is that we remove the need to calculate a new quotient polynomial for each of the

n

opening proofs. Instead the coefficients of

h

needs to be calculated only once and then can be reused to generate the different proofs of inclusion.

FFT

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

Requires evaluations to be at the roots of unity
Direct FFT: go from coefficients to evaluations
$O (d \cdot l o g d)$ .
Inverse FFT (interpolation): go from evaluations to coefficients
$O (d \cdot l o g d)$

Application

Requires evaluations to be at the roots of unity for efficiency reasons.

In order to generate

n

KZG proofs, it is required to:

Calculate the coefficients of
$h$

Check paragraph 2.2 of the Paper. his operation is

O (d \cdot l o g d)

Calculate the
$n$ evaluations of the polynomial
$h$ at the roots of unity that corresponds to the KZG proofs.

It turns out that we can use FTT to efficiently calculate the evaluations of

h

at the roots of unity starting from its coefficients. This operation is

O (n \cdot l o g n)

TO DO

Comparative cost analysis

Fast amortized KZG proofs

Background

KZG Commitment

Setup

Commitment

Proof

FFT

Application

TO DO

Read more

Summa Report

Vulnerability Report: Binance PoR Dummy User Attack

Summa V2: Polynomial Interpolation Approach

Summa Starter Pack