Commitment Scheme

tags: `ingo`

What is a commitment?

A cryptographic commitment allows one to commit to a chosen value while keeping it hidden to others, with the ability to reveal the committed value later. It has two important properties:

Hiding: a commitment does not reveal anything about the original value
Binding: once you commit to a value, later you cannot change the committed value

We can think of a commitment scheme as a locker which has two phases:

Commit: lock a certain secret in the locker
Open: the secret is revealed by the sender, then the receiver verifies its authenticity

Kate Commitment Scheme

Lets say I know a polynomial

f (X)

of degree

d

. I wish to prove to you that I indeed know the coefficients of

f

without revealing them. Suppose

f (X) = c_{0} + c_{1} X + \dots + c_{d} X^{d}

and we have a secret scalar

β \in F_{p}

. The commit phase of KZG is simply computing the evaluation of

f

β

com (f) := f (β) = c_{0} + c_{1} β + \dots + c_{d} β^{d}

Now, the interesting thing about

β

is that it is assumed to be a universal secret, i.e. no one in the world knows what

β

is. Well, in that case, how can I compute the evaluation of

f

β

? We will answer this a bit later. For now, lets see what I do in the open phase of KZG. I compute a polynomial

w (X)

such that

w (X) := \frac{f (X) - f (z)}{X - z} = (f (X) - f (z)) (X - z)^{- 1}

where

z \in F_{p}

was sent by the verifier as a challenge. A natural question we can ask: is the polynomial

(f (X) - f (z))

even divisible by

(X - z)

? The answer is: yes, it is!

\begin{aligned} (f (X) - f (z)) & = (c_{0} + c_{1} X + \dots + c_{d} X^{d}) - (c_{0} + c_{1} z + \dots + c_{d} z^{d}) \\ = c_{1} (X - z) + c_{2} (X^{2} - z^{2}) + \dots + c_{d} (X^{d} - z^{d}) \\ = (X - z) [c_{1} + c_{2} (X + z) + \dots + c_{d} (X^{d - 1} + z X^{d - 2} + \dots + z^{d - 1})] \end{aligned}

Therefore,

w (X)

is a degree-

(d - 1)

polynomial with integer coefficients. Let

w (X) = w_{0} + w_{1} X + \dots + w_{d - 1} X^{d - 1}

. We commit to

w

as:

com (w) := w (β) = w_{0} + w_{1} β + \dots + w_{d - 1} β^{d - 1}

As a part of the open phase, I send the verifier a proof

π_{p c} = (com (f), com (w), v)

where

v := f (z)

The verifier will authenticate the proof by checking:

\begin{matrix} (1) & com (w) (β - z) = (com (f) - v) \end{matrix}

In other words, if the above equation holds true, it implies that the verifier checked if the expression of

w

holds at the secret point

β

. The verifier is convinced about my knowledge of

f

because otherwise, it would have been impossible for me to compute

w (X)

Structured Reference String (SRS)

In the above discussion, we assumed that the scalar

β

is not known to anybody in the world. But still the prover and verifier end up using it some way or other, how is that possible? This is made possible by elliptic curve cryptography! Suppose we have a group

G_{1}

with generator

g

. We embed the secret

β

using powers of the generator

g_{1} \in G_{1}

{srs}_{1} = {g_{1}, g_{1}^{β}, g_{1}^{β^{2}}, \dots, g_{1}^{β^{D}}} \in G_{1}^{D}

Given

{srs}_{1}

and the fact that the discrete log relation is unknown in

G_{1}

, there is no way any

^{†}

adversary could figure out what

β

is. Now, the commitment to

f

can be computed easily (of course only if

d < D

\begin{aligned} com (f) := g_{1}^{f (β)} & = g_{1}^{(c_{0} + c_{1} β + \dots c_{d} β^{d})} \\ = g_{1}^{c_{0}} \cdot (g_{1}^{β})^{c_{1}} \cdot (g_{1}^{β^{2}})^{c_{2}} \dots (g_{1}^{β^{d}})^{c_{d}} \end{aligned}

Given

(com (f), com (w))

and

{srs}_{1}

, how can we verify equation

(1)

? We essentially wish to check multiplication of evaluations of some polynomials on the secret

β

. Using

{srs}_{1}

, we can only add up terms in

β

in the exponent of

g_{1}

. To enable multiplication of terms in

β

, we need another fascinating cryptographic primitive: pairings.

A pairing is a map

e : G_{1} \times G_{2} \to G_{T}

where we have group generators

g_{1} \in G_{1}, g_{2} \in G_{2}

and

g_{t} \in G_{T}

in the target group

G_{T}

, such that

\forall a, b \in F_{p}

e (g_{1}^{a}, g_{2}^{b}) = g_{t}^{a b} .

Therefore, a pairing allows us to multiply scalars in the exponent of the generators

g_{1}

and

g_{2}

. For verification in

(1)

, we need a second part of our structured reference string:

{srs}_{2} = {g_{2}, g_{2}^{β}} \in G_{2}^{2} .

Now, the verification in equation

(1)

boils down to an equality of two pairing computations:

\begin{aligned} g_{t}^{w (β) (β - z)} & \overset{?}{=} g_{t}^{(f (β) - v) \cdot 1} \\ ⟹ e (g_{1}^{w (β)}, g_{2}^{(β - z)}) & \overset{?}{=} e (g_{1}^{(f (β) - v)}, g_{2}) \\ ⟹ e (com (w), g_{2}^{β} \cdot g_{2}^{- z}) & \overset{?}{=} e (com (f) \cdot g_{1}^{- v}, g_{2}) \end{aligned}

The set

srs = {srs}_{1} \cup {srs}_{2}

is called as the structured reference string. This SRS is computed using MPC among several participants of which only one party needs to be honest.

Notation: We will denote the commitment to a polynomial

f

[f (β)]_{1}

. Further, the SRS can be written as

\begin{aligned} {srs}_{1} & = {[1]_{1}, [β]_{1}, \dots, [β^{D}]_{1}} \\ {srs}_{2} & = {[1]_{2}, [β]_{2}} . \end{aligned}

Overview of Batched Kate PCS (Optional)

The Kate commitment scheme can be used prove the knowledge of a bunch of polynomials by "opening" all of them at a single scalar. Suppose we have the following polynomials to be opened at respective points (we're considering a fairly general case here):

Polynomials	Opening points
$f_{1, 1}, f_{1, 2}, \dots, f_{1, m}$	$z_{1}$
$f_{2, 1}, f_{2, 2}, \dots, f_{2, m}$	$z_{2}$
$⋮$	$⋮$
$f_{n, 1}, f_{n, 2}, \dots, f_{n, m}$	$z_{n}$

Here, we'll have to compute

n

opening polynomials

{W_{i} (X)}_{i \in [n]}

such that

W_{i} (X) = \frac{F_{i} (X) - F_{i} (z_{i})}{X - z_{i}}

where

F_{i} (X) = \sum_{j = 1}^{m} γ_{i}^{j - 1} f_{i, j}

. The opening proof would be

{[W_{1}]_{1}, [W_{2}]_{1}, \dots, [W_{n}]_{1}, {[f_{i, j}]_{1}, v_{i, j}}_{i \in [n], j \in [m]}}

where

v_{i, j} = f_{i, j} (z_{i}) \in F_{p}

. Clearly, the number of opening polynomial commitments needed to be computed by the prover is

n

(i.e. the number of opening points). Finally, the verification needs the pairing check:

e (W, Y) = e (F - Q, [1]_{2})

where

\begin{aligned} W & = \sum_{i \in [n]} u^{i - 1} [W_{i}]_{1} \\ F & = \sum_{i \in [n]} \sum_{j \in [m]} u^{i - 1} γ_{i}^{j - 1} [f_{i, j}]_{1} \\ Q & = {[\sum_{i \in [n]} \sum_{j \in [m]} u^{i - 1} γ_{i}^{j - 1} v_{i, j}]}_{1} \\ Y & = {[\sum_{i \in [n]} u^{i - 1} (X - z_{i})]}_{2} \end{aligned}

Marlin PCS

The structure of the SRS is slightly different for the KZG-style PCS used in Marlin.

srs = (\begin{matrix} G & β G & β^{2} G & \dots & β^{D} G \\ γ G & γ β G & γ β^{2} G & \dots & γ β^{D} G \end{matrix}) \in G_{1}^{2 D + 2}

The terms which include

γ

are necessary to commit to the hiding polynomials. Hiding polynomials are randomly generated polynomials that are added to the original polynomials to ensure that no information about the original polynomials is not revealed (i.e to make it zero-knowledge).

Commit Phase

Suppose we have polynomials

{p_{i} (X)}_{i \in [n]}

each with a degree bound^[1]

{d_{i}}_{i \in [n]}

. In this case, we also need to commit to the polynomial

p_{i}^{'} (X) = X^{D - d_{i}} p_{i} (X)

to prove the correct degree bound

deg (p_{i}) < d_{i}

holds. Define

d := max ({d_{i}}_{i \in [n]})

. To commit to these polynomial, we need to trim the SRS to get a committer's key:

{srs}_{c k} = (\begin{matrix} G & β G & β^{2} G & \dots & β^{d} G & β^{D - d} G & β^{D - d - 1} G & \dots & β^{D} G \\ γ G & γ β G & γ β^{2} G & \dots & γ β^{d} G \end{matrix}) \in G_{1}^{3 d + 3}

Hereafter, the commit phase proceeds as follows:

We are given randomness
${r_{i}, r_{i}^{'}}_{i \in [n]}$ which is to be added to the polynomials
$p_{i}, p_{i}^{'}$ respectively.
Compute polynomials
${\bar{p}}_{i} (X)$ and
${\bar{p}}_{i}^{'} (X)$ from the randomness
${r_{i}, r_{i}^{'}}_{i \in [n]}$ . Note the degrees of these polynomials should be equal to
$deg (p_{i})$ .
Compute the commitments as:

$\begin{aligned} [p_{i}] & := p_{i} (β) G + \color b l u e γ {\bar{p}}_{i} (β) G \\ [p_{i}^{'}] & := β^{D - d_{i}} p_{i} (β) G + \color b l u e γ {\bar{p}}_{i}^{'} (β) G \end{aligned}$

Open Phase

Given the evaluation point

z \in F_{p}

and the verifier challenge

ξ \in F_{p}

, the opening phase proceeds as:

We compute the opening polynomials as

$\begin{aligned} w (X) & = \sum_{i \in [n]} (ξ^{i} \frac{p_{i} (X) - p_{i} (z)}{X - z} + ξ^{n + i} X^{D - d_{i}} \frac{p_{i} (X) - p_{i} (z)}{X - z}) \\ = \sum_{i \in [n]} ξ^{i} (1 + ξ^{n} X^{D - d_{i}}) (\frac{p_{i} (X) - p_{i} (z)}{X - z}) \\ \bar{w} (X) & = \frac{\bar{p} (X) - \bar{p} (z) + {\bar{p}}^{'} (X) - {\bar{p}}^{'} (z)}{X - z} \end{aligned}$
where
$\bar{p} (X) = \sum_{i} ξ^{i} {\bar{p}}_{i} (X)$ and
${\bar{p}}^{'} (X) = \sum_{i} ξ^{n + i} {\bar{p}}_{i}^{'} (X)$ .
Compute commitment to the opening polynomials:

$w = [w (β)] + [γ \bar{w} (β)]$
Compute the randomness polynomials' evaluation:

$\bar{v} := \bar{p} (z) + {\bar{p}}^{'} (z) .$

Thus, the opening proof is

π = (w, \bar{v})

Verification

The verification involves checking the equality

e (C - v G - γ \bar{v} G, H) = e (w, β H - z H)

where

v = \sum_{i} ξ^{i} v_{i}

and

C = \sum_{i} ξ^{i} [p_{i}] + \sum_{i} ξ^{n + i} ([p_{i}^{'}] - v_{i} β^{D - d_{i}} G)

. Note that the verifier now requires the following SRS:

{srs}_{v k} = {H, β H, β^{D - d_{1}} G, β^{D - d_{2}} G, \dots, β^{D - d_{n}} G} \in G_{1}^{n} \times G_{2}^{2} .

Also note, the evaluations

v_{i} = p_{i} (z)

and the commitments

{[p_{i}], [p_{i}^{'}]}_{i \in [n]}

are sent to the verifier by the prover.

In the previous sections, we didn't need to prove any degree-bounds on a polynomial
$f (X)$ other than the obvious bound
$deg (f) < D$ . ↩︎

Commitment Scheme

tags: ingo

What is a commitment?

Kate Commitment Scheme

Structured Reference String (SRS)

Overview of Batched Kate PCS (Optional)

Marlin PCS

Commit Phase

Open Phase

Verification

tags: `ingo`