Zeromorph

Presentation: https://www.youtube.com/watch?v=vFuqRHEjv5k

Introduction

Aztec uses Sumcheck to prove the proof of circuit satisfiability. In Sumcheck, a multilinear polynomial is used. Therefore, it is necessary to efficiently commit to and open this multilinear polynomial. Additionally, since Aztec is a privacy-focused Layer 2, an efficient way to achieve zero-knowledge (ZK) is also required. To address this, Aztec introduces a method called Zeromorph, which is currently implemented in Aztec Zeromorph.

Background

KZG

  1. KZG.Setup(1λ,Nmax)([1]1,[s]1,,[sNmax]1,[1]2,[s]2)\mathsf{KZG.Setup}(1^\lambda, N_{\mathsf{max}}) \rightarrow ([1]_1, [s]_1, \dots, [s^{N_{\mathsf{max}}}]_1, [1]_2, [s]_2)

  2. KZG.Commit(fF[X]Nmax)C=[f(s)]1\mathsf{KZG.Commit}(f \in F[X]^{N_{\mathsf{max}}}) \rightarrow C = [f(s)]_1

  3. KZG.ProveEval(f,z,v)W=[f(s)vsz]1\mathsf{KZG.ProveEval}(f, z, v) \rightarrow W = \left[\frac{f(s) - v}{s - z}\right]_1

  4. KZG.VerifyEval(C,W,z,v)b{0,1}\mathsf{KZG.VerifyEval}(C, W, z, v) \rightarrow b \in \{0, 1\}:

The verifier checks the following equation:

e(C[v]1,[1]2)=?e(W,[s]2[z]2)e(C - [v]_1, [1]_2) \stackrel{?}=e(W, [s]_2 - [z]_2)

Here, the verifier learns the information (C,W,v)(C, W, v), which presents two issues:

  1. Since KZG is a computationally hiding commitment, if quantum computing becomes feasible, revealing (C,W)(C, W) may no longer satisfy the ZK property.

  2. While it proves circuit satisfiability, it also reveals information of the polynomial with P(z)=vP(z) = v.

Hiding KZG

Instead of the naive KZG scheme outlined above, Zeromorph uses a more secure variant named "Hiding KZG."

HidingKZG.Setup(1λ,Nmax)([1]1,[s]1,,[sNmax]1,[ξ]1,[1]2,[s]2,[ξ]2)\mathsf{HidingKZG.Setup}(1^\lambda, N_{\mathsf{max}}) \rightarrow ([1]_1, [s]_1, \dots, [s^{N{\mathsf{max}}}]_1, [\xi]_1, [1]_2, [s]_2, [\xi]_2)

HidingKZG.Commit(fF[X]<Nmax)(C,r)\mathsf{HidingKZG.Commit}(f \in \mathsf{F}[X]^{<N_{\mathsf{max}}}) \rightarrow (C, r):

  1. The prover samples rFr \leftarrow \mathbb{F}.

  2. The prover constructs C=[f(s)]1+r[ξ]1C = [f(s)]_1 + r \cdot [\xi]_1.

  3. The prover can send only CC to the verifier.

HidingKZG.Open(C,f,r)b{0,1}\mathsf{HidingKZG.Open}(C, f, r) \rightarrow b \in \{0, 1\}:

This checks the following equation:

C=?[f(s)]1+r[ξ]1C \stackrel{?}= [f(s)]_1 + r \cdot [\xi]_1

HidingKZG.ProveEval(C,r,z,v)(W,δ)\mathsf{HidingKZG.ProveEval}(C, r, z, v) \rightarrow (W, \delta):

  1. The prover samples αF\alpha \leftarrow \mathbb{F}.

  2. The prover provides the verifier with WW and δ\delta:

W=[f(s)vsz]1+α[ξ]1,δ=[rα(sz)]1W = \left[\frac{f(s) - v}{s - z}\right]_1 + \alpha \cdot [\xi]_1, \quad \delta = [r - \alpha (s - z)]_1

HidingKZG.VerifyEval(C,W,δ,z,v)b{0,1}\mathsf{HidingKZG.VerifyEval}(C, W, \delta, z, v) \rightarrow b \in \{0, 1\}:

The verifier checks the following equation:

e(C[v]1,[1]2)=?e(W,[s]2[z]2)e(δ,[ξ]2)e(C - [v]_1, [1]_2) \stackrel{?}=e(W, [s]_2 - [z]_2) \cdot e(\delta, [\xi]_2)

Proof.

f(s)+rξv=f(s)v+αξ(sz)+(rα(sz))ξ=f(s)v+rξ\begin{align*} f(s) + r \xi - v&= f(s) -v + \alpha \xi(s-z) + (r- \alpha(s-z))\xi \\ &= f(s) - v + r\xi \end{align*}

This is only satisfied iff HidingKZG.Open(C,f,r)=1f(z)=v\mathsf{HidingKZG.Open}(C, f, r) = 1 \land f(z) = v.

In comparison to naive KZG, HidingKZG's verifier learns of an additional δ\delta that allows HidingKZG to stand up against the issues of naïve KZG in the following ways:

  1. Since HidingKZG is a perfectly hiding commitment, even if quantum computing becomes feasible, revealing (C,W,δ)(C, W, \delta) still satisfies the ZK property.

  2. However, it still reveals P(z)=vP(z) = v while proving circuit satisfiability.

Later in this document, we explain an additional trick that ensures that only information about circuit satisfiability is revealed.

During the presentation, 이태훈asked a great question: "Why isn't the blinding technique introduced in the Plonk paper sufficient for the ZK property?". After internal discussion, we concluded that it requires more randomness and does not provide protection against post-quantum threats.

Multilinear Polynomial Identity

Zeromorph requires the use of the Sumcheck protocol, which is reduced to an evaluation claim for a multilinear polynomial fF[X0,,Xn1]1f \in \mathbb{F}[X_0, \dots, X_{n-1}]^{\le1}:

b{0,1}nf(b)=0f(z)=v\sum_{\bm{b} \in \{0, 1\}^n} f(\bm{b}) = 0 \rightarrow f(\bm{z}) = v

where z=(z0,,zn1)Fn\bm{z} = (z_0, \dots, z_{n-1}) \in \mathbb{F}^n and vFv \in \mathbb{F}.

By Lemma 2.3.1, The multilinear polynomial identity is defined as follows:

fv=i=0n1(Xizi)qi(1)\begin{align*} f - v = \sum_{i=0}^{n-1}(X_i - z_i)q_i && (1) \end{align*}

If there exist qiq_i as defined below that satisfies the above, then f(z)=vf(\bm{z}) = v.

  • For i=0i = 0: qiFq_i \in \mathbb{F}

  • For 0<i<n0 < i < n: qiF[X0,,Xi1]1q_i \in \mathbb{F}[X_0, \dots, X_{i-1}]^{\le1}

Proof:

If n=1n = 1, equation (1)(1) reduces to the following univariate polynomial identity:

fv=(X0z0)q0f - v = (X_0 - z_0)q_0

Thus, if q0Fq_0 \in \mathbb{F}, then f(z0)=vf(z_0) = v.

If n>1n > 1, ff is divided by (Xn1zn1)(X_{n-1} - z_{n-1}) results in quotient qn1q_{n-1} with remainder f(X0,,Xn2,zn1)f(X_0, \dots, X_{n-2}, z_{n-1}) as follows:

f(X0,,Xn1)=(Xn1zn1)qn1+f(X0,,Xn2,zn1)f(X_0, \dots, X_{n-1}) = (X_{n-1} - z_{n-1})q_{n-1} + f(X_0, \dots, X_{n-2}, z_{n-1})

The polynomial f(X0,,Xn1)f(X0,,Xn2,zn1)f(X_0, \dots, X_{n-1}) - f(X_0, \dots, X_{n-2}, z_{n-1}) has a degree of at most 1 in all variables. Therefore, qn1q_{n-1} must have a degree of at most 1 in X0,,Xn2X_0, \dots, X_{n-2}, and a degree of at most 0 in Xn1X_{n-1}. This implies qn1F[X0,,Xn2]1q_{n-1} \in \mathbb{F}[X_0, \dots ,X_{n-2}]^{\le1}. Using this information and recursive decomposition, we derive the following:

f(X0,,Xn2,zn1)=(Xn2zn2)qn2+f(X0,,Xn3,zn2,zn1)f(X0,z1,zn1)=(X0z0)q0+f(z0,,zn1)f(X_0, \dots, X_{n-2}, z_{n-1}) = (X_{n-2} - z_{n-2})q_{n-2} + f(X_0, \dots, X_{n-3}, z_{n-2}, z_{n-1}) \\ \dots \\ f(X_0, z_1, \dots z_{n-1}) = (X_0 - z_0) q_0 + f(z_0, \dots, z_{n-1})

Iteratively substituting all the equations above yields:

f=i=0n1(Xizi)qi+f(z0,,zn1)f = \sum_{i=0}^{n-1}(X_i - z_i)q_i + f(z_0, \dots, z_{n-1})

Therefore, by equation (1)(1), we confirm f(z0,,zn1)=f(z)=vf(z_0, \dots, z_{n-1}) = f(\bm{z}) =v.

Computing qiq_i

According to Lemma 2.3.1 in the Zeromorph paper, qiq_i can be computed as:

qi=f(X0,,Xi1,zi+1,zi+1,,zn1)f(X0,,Xi1,zi,zi+1,,zn1)q_i = f(X_0, \dots, X_{i-1}, z_i + 1, z_{i+1}, \dots, z_{n-1}) - f(X_0, \dots, X_{i-1}, z_i, z_{i+1}, \dots, z_{n-1})

Example:

Let's calculate q1q_1, the quotient from dividing f(X0,X1,z2)f(X_0, X_1, z_2) by (X1z1)(X_1 - z_1):

q1=f(X0,z1+1,z2)f(X0,z1,z2)q_1 = f(X_0, z_1 + 1, z_2) - f(X_0, z_1, z_2)

f(X0,z1+1,z2)f(X_0, z_1 + 1, z_2) will be evaluated as follows:

f(X0,z1+1,z2)=c0X0(z1+1)z2+c1X0(z1+1)+c2X0z2+c3(z1+1)z2+c4X0+c5(z1+1)+c6z2+c7(a)\begin{align*}f(X_0, z_1 + 1, z_2) = c_0X_0(z_1 + 1)z_2 + c_1X_0(z_1 + 1) + c_2X_0z_2 + c_3(z_1 + 1)z_2 + c_4X_0 + c_5(z_1 + 1) + c_6z_2 + c_7 && (a)\end{align*}

f(X0,z1,z2)f(X_0, z_1, z_2) will be evaluated as follows:

f(X0,z1,z2)=c0X0z1z2+c1X0z1+c2X0z2+c3z1z2+c4X0+c5z1+c6z2+c7(b)\begin{align*}f(X_0, z_1, z_2) = c_0X_0z_1z_2 + c_1X_0z_1 + c_2X_0z_2 + c_3z_1z_2 + c_4X_0 + c_5z_1 + c_6z_2 + c_7 && (b)\end{align*}

Subtracting equation (b)(b) from equation (a)(a) allows us to compute q1q_1 as the following:

f(X0,z1+1,z2)f(X0,z1,z2)=c0X0(z1+1)z2+c1X0(z1+1)+c2X0z2+c3(z1+1)z2+c4X0+c5(z1+1)+c6z2+c7c0X0z1z2c1X0z1c2X0z2c3z1z2c4X0c5z1c6z2c7=c0X0z2+c1X0+c3z2+c5.\begin{aligned} f(X_0, z_1 + 1, z_2) - f(X_0, z_1, z_2) &= c_0X_0(z_1 + 1)z_2 + c_1X_0(z_1 + 1) + c_2X_0z_2 + c_3(z_1 + 1)z_2 \\ &\quad + c_4X_0 + c_5(z_1 + 1) + c_6z_2 + c_7 \\ &\quad - c_0X_0z_1z_2 - c_1X_0z_1 - c_2X_0z_2 - c_3z_1z_2 \\ &\quad - c_4X_0 - c_5z_1 - c_6z_2 - c_7 \\ &= c_0X_0z_2 + c_1X_0 + c_3z_2 + c_5. \end{aligned}

Now we can see that f(X0,X1,z2)f(X_0, X_1, z_2) can be decomposed as the following:

f(X0,X1,z2)=(X1z1)(c0X0z2+c1X0+c3z2+c5)q1+f(X0,z1,z2)\begin{align*} f(X_0, X_1, z_2) &= (X_1 - z_1) \underbrace{(c_0X_0z_2 + c_1X_0 + c_3z_2 + c_5)}_{q_1 } + f(X_0, z_1, z_2) \\ \end{align*}

The validity of this statement can be ensured by multiplying all terms out

f(X0,X1,z2)=c0X0X1z2+c1X0X1+c3X1z2+c5X1c0X0z1z2c1X0z1c3z1z2c5z1+c0X0z1z2+c1X0z1+c2X0z2+c3z1z2+c4X0+c5z1+c6z2+c7=c0X0X1z2+c1X0X1+c2X0z2+c3X1z2+c4X0+c5X1+c6z2+c7.\begin{align*} f(X_0, X_1, z_2) &= c_0X_0X_1z_2 + c_1X_0X_1 + c_3X_1z_2 + c_5X_1 \\ &\quad - c_0X_0z_1z_2 - c_1X_0z_1 - c_3z_1z_2 - c_5z_1 \\ &\quad + c_0X_0z_1z_2 + c_1X_0z_1 + c_2X_0z_2 + c_3z_1z_2 \\ &\quad + c_4X_0 + c_5z_1 + c_6z_2 + c_7 \\ &= c_0X_0X_1z_2 + c_1X_0X_1 + c_2X_0z_2 + c_3X_1z_2 \\ &\quad + c_4X_0 + c_5X_1 + c_6z_2 + c_7. \end{align*}

Verifying the Multilinear Polynomial Identity

Verifying equation (1)(1) requires nn pairing operations, which imposes a computational overhead on the verifier:

e([f(s0,,sn1)]1[v]1,[1]2)=?i=0n1e([qi(s0,,si1)]1,[si]2[zi]2)e([f(s_0, \dots, s_{n-1})]_1 - [v]_1,[1]_2) \stackrel{?}= \prod_{i = 0}^{n-1} e([q_i(s_0, \dots, s_{i-1})]_1, [s_i]_2 - [z_i]_2)

Additionally, qiF[X0,,Xi1]1q_i \in \mathbb{F}[X_0, \dots ,X_{i-1}]^{\le1} must be verified, which will be checked using the degree check protocol introduced later.

Protocol Explanation

Multilinear Polynomial Identity using Univariate PCS

To efficiently verify the multilinear polynomial identity, we first define the following mapping:

Un:F[X0,,Xn1]1F[X]<2n\mathcal{U}_n: \mathbb{F}[X_0, \dots, X_{n-1}]^{\le1} \rightarrow \mathbb{F}[X]^{<2^n}

Given f(X)f(\bm{X}) defined as:

f(X):=b{0,1}nvbeq~(X,b)f(\bm{X}) := \sum_{\bm{b} \in \{0, 1\}^n}v_{\bm{b}} \cdot \mathsf{\widetilde{eq}}(\bm{X}, \bm{b})

the function Un(f)\mathcal{U}_n(f) transforms the following expression:

eq~(X,b)=i=0n1(biXi+(1bi)(1Xi))i=0n1(X2i)bi\mathsf{\widetilde{eq}}(\bm{X}, \bm{b}) =\prod_{i = 0}^{n-1} (b_i X_i +(1-b_i)(1 - X_i)) \rightarrow \prod_{i=0}^{n-1} \left(X^{2^i}\right)^{b_i}

This seemingly expensive operation actually introduces no computational overhead. This is because the witness generation process for constructing a ZK proof already outputs polynomial evaluations, making this mapping essentially free.

If f=cFf = c \in \mathbb{F} is a constant function, we can compute:

Un(f)=cΦn(X)\mathcal{U}_n(f) = c \cdot \Phi_n(X)

where Φn(X)\Phi_n(X) is defined as:

Φn(X):=i=02n1Xi\Phi_n(X) :=\sum_{i = 0}^{2^n - 1}X^i

This satisfies the following equation, meaning that evaluating Φn(X)\Phi_n(X) at any point xx requires only n+1n + 1 multiplications and 22 additions:

Φn(X)=X2n1X1\Phi_n(X) = \frac{X^{2^n} - 1}{X - 1}

For example, if n=2n = 2, we can compute:

U2(f)=f(0,0)+f(1,0)X+f(0,1)X2+f(1,1)X3\mathcal{U}_2(f) = f(0, 0) + f(1, 0)X + f(0, 1)X^2 + f(1, 1)X^3

Applying this mapping to both sides of equation (1)(1), we transform it into:

Un(f)vUn(1)=i=0n1Un(Xiqi)ziUn(qi)(2)\begin{align*} \mathcal{U}_n(f) - v \cdot \mathcal{U}_n(1) = \sum_{i=0}^{n-1}\mathcal{U}_n(X_iq_i)- z_i \cdot \mathcal{U}_n(q_i) && (2) \end{align*}

Since Un(f)\mathcal{U}_n(f) is a linear isomorphism, satisfying equation (2)(2) implies equation (1)(1) is also satisfied. Instead of using a multilinear PCS to commit to ff, we can now use a univariate PCS via Un(f)\mathcal{U}_n(f).

Next, we analyze how the verifier can efficiently verify the claim. The prover will commit to Un(f)\mathcal{U}_n(f) and Un(qi)\mathcal{U}_n(q_i), while Un(1)=Φn(X)\mathcal{U}_n(1) = \Phi_n(X) can be easily computed. The key question now is: how can we efficiently compute Un(Xiqi)\mathcal{U}_n(X_iq_i)?

By Lemma 2.5.2, let f^F2n1\hat{f} \in \mathbb{F}^{\le2^n -1} and define f:=Un1(f^)f := \mathcal{U}_n^{-1}\left(\hat{f}\right). For 0i<n0 \le i < n, if fF[X0,,Xi1]1f \in \mathbb{F}[X_0, \dots, X_{i-1}]^{\le 1}, then f^(X)=Φni(X2i)f^<2i\hat{f}(X) = \Phi_{n-i}\left(X^{2^i} \right) \hat{f}^{<2^i}, where f^<2i=Ui(f)\hat{f}^{<2^i} =\mathcal{U}_i(f).

For example, if i=2,n=3i = 2, n = 3 and f=2X0+X1+0X2f = 2X_0 + X_1 + 0X_2​, then U3(f)\mathcal{U}_3(f) can be computed as:

U3(f)=f(0,0,0)+f(1,0,0)X+f(0,1,0)X2+f(1,1,0)X3+f(0,0,1)X4+f(1,0,1)X5+f(0,1,1)X6+f(1,1,1)X7=0+2X+1X2+3X3+0X4+2X5+1X6+3X7=(X4+1)Φ1(X4)(0+2X+1X2+3X3)U2(f)<4\begin{align*} \mathcal{U}_3(f) &= \textcolor{red}{f(0, 0, 0) + f(1, 0, 0) X + f(0,1,0)X^2 + f(1,1,0) X^3} + f(0, 0, 1)X^4 + f(1,0,1)X^5 + f(0,1,1)X^6 + f(1,1,1)X^7 \\ &= \textcolor{red}{0 + 2X + 1X^2 + 3X^3} + 0X^4 + 2X^5 + 1X^6 + 3X^7 \\ &= \underbrace{(X^4 + 1)}_{\Phi_1(X^4)}\underbrace{\textcolor{red}{(0 + 2X + 1X^2 + 3X^3)}}_{ \mathcal{U}_2(f)^{<4}} \end{align*}

By Lemma 2.5.3, if fF[X0,,Xi1]1f \in \mathbb{F}[X_0, \dots, X_{i-1} ]^{\le1}, we can compute:

Un(Xif)=X2iX2i+1Un(f)\mathcal{U}_n(X_if) = \frac{X^{2^i}}{X^{2^i} + 1}\mathcal{U}_n(f)

For example, if i=2,n=3i = 2, n = 3, and f=2X0+X1f = 2X_0 + X_1​, then multiplying by X2X_2​ gives f=X2f=2X0X2+X1X2f' = X_2f = 2X_0X_2 + X_1X_2.

Thus, when X2=0X_2 = 0, both ff and ff' evaluate to 0. When X2=1X_2 = 1, ff' takes the same value as ff.

U3(f)=f(0,0,0)+f(1,0,0)X+f(0,1,0)X2+f(1,1,0)X3+f(0,0,1)X4+f(1,0,1)X5+f(0,1,1)X6+f(1,1,1)X7=f(0,0,1)X4+f(1,0,1)X5+f(0,1,1)X6+f(1,1,1)X7=X4X4+1(f(0,0,0)+f(1,0,0)X+f(0,1,0)X2+f(1,1,0)X3+f(0,0,1)X4+f(1,0,1)X5+f(0,1,1)X6+f(1,1,1)X7)U3(f)\begin{align*} \mathcal{U}_3(f') &= f'(0, 0, 0) + f'(1, 0, 0) X + f'(0,1,0)X^2 + f'(1,1,0) X^3 + f'(0, 0, 1)X^4 + f'(1,0,1)X^5 + f'(0,1,1)X^6 + f'(1,1,1)X^7 \\ &= f(0, 0, 1)X^4 + f(1,0,1)X^5 + f(0,1,1)X^6 + f(1,1,1)X^7 \\ &= \frac{X^4}{X^4 + 1}\underbrace{\left({f(0, 0, 0) + f(1, 0, 0) X + f(0,1,0)X^2 + f(1,1,0) X^3} + f(0, 0, 1)X^4 + f(1,0,1)X^5 + f(0,1,1)X^6 + f(1,1,1)X^7\right)}_{\mathcal{U}_3(f)} \end{align*}

Applying Lemma 2.5.3 to equation (2)(2), we transform it into:

Un(f)vUn(1)=i=0n1(X2iX2i+1zi)Un(qi)(3)\begin{align*} \mathcal{U}_n(f) - v \cdot \mathcal{U}_n(1) = \sum_{i=0}^{n-1}\left(\frac{X^{2^i}}{X^{2^i} + 1}- z_i\right) \mathcal{U}_n(q_i) && (3) \end{align*}

At this stage, the verifier must check whether qiF[X0,,Xi1]1q_i \in \mathbb{F}[X_0, \dots, X_{i-1} ]^{\le1}. We can verify this using Un(qi)F[X]<2i\mathcal{U}_n(q_i) \in \mathbb{F}[X]^{<2^i} through a degree check protocol. by substituting Lemma 2.5.2 into equation (3)(3), which results in:

Un(f)vUn(1)=i=0n1(X2iX2i+1zi)Φni(X2i)Un(qi)<2i(4)\begin{align*} \mathcal{U}_n(f) - v \cdot \mathcal{U}_n(1) = \sum_{i=0}^{n-1}\left(\frac{X^{2^i}}{X^{2^i} + 1}- z_i\right) \Phi_{n-i}\left(X^{2^i}\right)\mathcal{U}_n(q_i)^{<2^i} && (4) \end{align*}

Since Φni(X2i)\Phi_{n-i}\left(X^{2^i}\right) is defined as:

Φni(X2i)=1+X2i+(X2i)2++(X2i)2ni1=X2n1X2i1\begin{align*} \Phi_{n-i}\left(X^{2^i}\right) &= 1 + X^{2^i} + \left(X^{2^i}\right)^2 + \dots + \left(X^{2^i}\right)^{2^{n-i} - 1} \\ &= \frac{X^{2^n} - 1}{X^{2^i} - 1} \end{align*}

we can simplify:

X2iX2i+1Φni(X2i)=X2iX2i+1X2n1X2i1=X2iX2n1X2i+11=X2iΦni1(X2i+1)\frac{X^{2^i}}{X^{2^i} + 1}\Phi_{n-i}\left(X^{2^i}\right) = \frac{X^{2^i}}{X^{2^i} + 1}\frac{X^{2^n} - 1}{X^{2^i} - 1} = X^{2^i}\frac{X^{2^n} - 1}{X^{2^{i + 1}} - 1} = X^{2^i}\Phi_{n-i-1}\left(X^{2^{i+1}}\right)

Applying this to equation (4)(4), we obtain:

Un(f)vUn(1)=i=0n1(X2iΦni1(X2i+1)ziΦni(X2i))Un(qi)<2i(5) \begin{align*} \mathcal{U}_n(f) - v \cdot \mathcal{U}_n(1) = \sum_{i=0}^{n-1}\left(X^{2^i}\Phi_{n-i-1}\left(X^{2^{i+1}}\right)- z_i \cdot \Phi_{n-i}\left(X^{2^i}\right)\right) \mathcal{U}_n(q_i)^{<2^i} && (5) \end{align*}

Now we can define ζx(X)\zeta_x(X) using equation (5), which is partially evaluated at xx on Φn(X)\Phi_n(X) as:

ζx(X):=Un(f)vΦn(x)i=0n1(x2iΦni1(x2k+1)ziΦni(x2i))Un(qi)<2i(X)\zeta_x(X) := \mathcal{U}_n(f) - v \cdot \Phi_n(x) - \sum_{i=0}^{n-1}\left(x^{2^i}\Phi_{n-i-1}\left(x^{2^{k+1}}\right)- z_i \cdot \Phi_{n-i} \left( x^{2^i} \right) \right)\mathcal{U}_n(q_i)^{<2^i}(X) \\

Then the prover needs to commit to this polynomial (Cζx,r)=HidingKZG.Commit(ζx)(C_{\zeta_x}, r) = \mathsf{HidingKZG.Commit}(\zeta_x). If the prover sends (W,δ)=HidingKZG.ProveEval(Cζx,r,x,0)(W, \delta) = \mathsf{HidingKZG.ProveEval}(C_{\zeta_x}, r, x, 0) to the verifier, then the verifier can verify using 3 pairing operations with HidingKZG.VerifyEval(Cζx,W,δ,x,0) \mathsf{HidingKZG.VerifyEval}(C_{\zeta_x}, W, \delta, x, 0).

Note that since only ζx(x)=0\zeta_x(x) = 0 is opened for ζx(X)\zeta_x(X), it is now possible to prove circuit satisfiability without revealing any additional information.

Degree Check Protocol

Single KZG Degree Check

Let's construct a protocol based on HidingKZG\mathsf{HidingKZG} that verifies whether a given polynomial fF[X]f \in \mathbb{F}[X] satisfies deg(f)d<Nmax\deg(f) \le d < N_{\mathsf{max}}.

HidingKZG.ProveOpenWithDegreeCheck(C,r,d)(W,δ)\mathsf{HidingKZG.ProveOpenWithDegreeCheck}(C, r, d) \rightarrow (W, \delta):

  1. The prover samples αF\alpha \leftarrow \mathbb{F}.

  2. The prover provides the verifier with W,δW, \delta:

W=[f(s)sNmax1d]1+α[ξ]1,δ=r[sNmax1d]1[α]1W = \left[f(s)s^{N_{\mathsf{max}} - 1 -d} \right]_1 + \alpha\cdot [\xi]_1, \quad \delta = r \cdot \left[s^{N_{\mathsf{max}}-1-d}\right]_1 - [\alpha]_1

HidingKZG.VerifyOpenWithDegreeCheck(C,W,δ,d)b{0,1}\mathsf{HidingKZG.VerifyOpenWithDegreeCheck}(C, W, \delta, d) \rightarrow b \in \{0, 1\}:

The verifier checks the following equation:

e(C,[sNmax1d]2)=?e(W,[1]2)e(δ,[ξ]2)e(C, \left[ s^{N_{\mathsf{max}}-1-d} \right]_2) \stackrel{?}= e(W, [1]_2) \cdot e(\delta, [\xi]_2)

This is satisfied iff HidingKZG.Open(C,f,r)=1fF[X]d\mathsf{HidingKZG.Open}(C, f, r) = 1 \land f \in \mathbb{F}[X]^{\le d}.

Soundness Proof:

Suppose deg(f)>d\deg(f) > d. Then, the degree of f(X)XNmax1df(X) \cdot X^{N_{\mathsf{max}}-1-d} is at least NmaxN_{\mathsf{max}}, making it impossible to commit to WW.

Completeness Proof:

CsNmax1d=(f(s)+rξ)sNmax1d=f(s)sNmax1d+αξ+(rsNmax1dα)ξ=f(s)sNmax1d+rξsNmax1d\begin{align*} C \cdot s^{N_{\mathsf{max} - 1 - d}} =(f(s) + r\xi) \cdot s^{N_{\mathsf{max} - 1 - d}} &= f(s)s^{N_{\mathsf{max}}-1-d} +\alpha\xi + (r\cdot s^{N_{\mathsf{max}} - 1 - d} - \alpha)\xi \\ &= f(s)s^{N_{\mathsf{max}}-1-d} + r \xi \cdot s^{N_{\mathsf{max}} - 1 - d} \end{align*}

HidingKZG.ProveEvalWithDegreeCheck(C,r,d,z,v)(W,δ)\mathsf{HidingKZG.ProveEvalWithDegreeCheck}(C, r, d, z, v) \rightarrow (W, \delta):

  1. The prover samples αF\alpha \leftarrow \mathbb{F}.

  2. The prover provides the verifier with W,δW, \delta:

W=[f(s)vszsNmaxd]1+α[ξ]1,δ=r[sNmaxd]1[α(sz)]1W = \left[\frac{f(s) - v}{s - z}s^{N_{\mathsf{max}}-d} \right]_1 + \alpha\cdot [\xi]_1, \quad \delta = r \cdot \left[s^{N_{\mathsf{max}}-d} \right]_1 - [\alpha(s - z)]_1

HidingKZG.VerifyEvalWithDegreeCheck(C,W,δ,d,z,v)b{0,1}\mathsf{HidingKZG.VerifyEvalWithDegreeCheck}(C, W, \delta, d, z, v) \rightarrow b \in \{0, 1\}:

The verifier checks the following equation:

e(C[v]1,[sNmaxd]2)=?e(W,[s]2[z]2)e(δ,[ξ]2)e(C - [v]_1, \left[ s^{N_{\mathsf{max}}-d} \right]_2) \stackrel{?}= e(W, [s]_2 - [z]_2) \cdot e(\delta, [\xi]_2)

This is satisfied iff HidingKZG.Open(C,f,r)=1fF[X]df(z)=v\mathsf{HidingKZG.Open}(C, f, r) = 1 \land f \in \mathbb{F}[X]^{\le d} \land f(z) = v.

Soundness Proof:

Suppose deg(f)>d\deg(f) > d. Then, the degree of f(X)vXzXNmaxd\frac{f(X) - v}{X - z}X^{N_{\mathsf{max}}-d} is at least NmaxN_{\mathsf{max}}, making it impossible to commit to WW.

Completeness Proof:

(Cv)sNmaxd=(f(s)+rξv)sNmaxd=(f(s)v)sNmaxd+αξ(sz)+(rsNmaxdα(sz))ξ=(f(s)v)sNmaxd+rξsNmaxd\begin{align*} (C -v ) \cdot s^{N_{\mathsf{max}} - d} =(f(s) + r\xi -v ) \cdot s^{N_{\mathsf{max}} - d} &= (f(s) - v)s^{N_{\mathsf{max}}-d} + \alpha\xi(s - z) + (r\cdot s^{N_{\mathsf{max}} - d} - \alpha(s - z))\xi \\ &= (f(s) - v)s^{N_{\mathsf{max}}-d} + r\xi \cdot s^{N_{\mathsf{max}}-d} \end{align*}

Batch Degree Check

Now, let’s consider a set of polynomials f={f0,,fk1}\bm{f} = \{f_0, \dots, f_{k-1}\} and their respective degree bounds d={d0,,dk1}\bm{d} = \{d_0, \dots, d_{k-1}\}. For 0i<k0 \le i < k, each fif_i belongs to F[X]\mathbb{F}[X], and we aim to construct a batch protocol to verify whether deg(fi)di<Nmax\deg(f_i) \le d_i < N_{\mathsf{max}}.

First, we choose maxdidNmax2\max d_i \le d^* \le N_{\mathsf{max}} - 2. Let C={C0,,Ck1}\bm{C} = \{C_0, \dots, C_{k-1}\} and r={r0,,rk1}\bm{r} =\{r_0, \dots, r_{k-1}\} be the set of commitments and randomness corresponding to f\bm{f}.

HidingKZG.ProveOpenWithBatchDegreeCheck(f,r,d)(Cf,W,δ)\mathsf{HidingKZG.ProveOpenWithBatchDegreeCheck}(\bm{f}, \bm{r}, \bm{d}) \rightarrow (C_f, W, \delta):

  1. The verifier samples yFy \leftarrow \mathbb{F} and sends it to the prover.

  2. The prover computes (Cf,r)=HidingKZG.Commit(f)(C_f, r) = \mathsf{HidingKZG.Commit}(f) and sends it to the verifier:

f:=i=0k1yiXddi+1fif := \sum_{i=0}^{k-1}y^iX^{d^*-d_i+1}f_i

  1. The verifier samples xFx \leftarrow \mathbb{F}^* (where x0x \ne 0) and sends it to the prover.

  2. The prover samples αF\alpha \leftarrow \mathbb{F}.

  3. The prover sends W,δW, \delta to the verifier:

W=[ζx(s)sxsNmaxd1]1+α[ξ]1δ=(ri=0k1yixddi+1ri)[sNmaxd1]1[α(sx)]1W = \left[\frac{\zeta_x(s)}{s - x} s^{N_{\mathsf{max}} - d^* - 1}\right]_1 + \alpha \cdot [\xi]_1 \\ \delta = \left(r - \sum_{i=0}^{k-1}y^ix^{d^*-d_i+1}r_i\right)\cdot\left[ s^{N_{\mathsf{max}}-d*-1}\right]_1 - [\alpha(s - x)]_1

Here, ζx(X)\zeta_x(X) is defined as:

ζx(X):=f(X)i=0k1yixddi+1fi(X)\zeta_x(X) := f(X) - \sum_{i = 0}^{k-1}y^ix^{d^*-d_i+1}f_i(X)

HidingKZG.VerifyOpenWithBatchDegreeCheck(C,Cf,W,δ,d)b{0,1}\mathsf{HidingKZG.VerifyOpenWithBatchDegreeCheck}(\bm{C}, C_f, W, \delta, \bm{d}) \rightarrow b \in \{0, 1\}

The verifier checks the following equation:

e(Cζx,[sNmaxd1]2)=?e(W,[s]2[x]2)e(δ,[ξ]2)e(C_{\zeta_x},\left[ s^{N_{\mathsf{max}} - d^* - 1} \right]_2) \stackrel{?}= e(W, [s]_2 - [x]_2) \cdot e(\delta, [\xi]_2)

The commitment CζxC_{\zeta_x} is defined as:

CζX:=Cfi=0k1yixddi+1CiC_{\zeta_X} := C_f - \sum_{i=0}^{k-1}y^ix^{d^*-d_i+1}C_i

This is satisfied iff HidingKZG.Open(Ci,fi,ri)=1fiF[X]di\mathsf{HidingKZG.Open}(C_i, f_i, r_i) = 1 \land f_i \in \mathbb{F}[X]^{\le d_i} for 0i<k0 \le i < k.

Soundness Proof:

Suppose that for some 0i<k0 \le i < k, we have deg(fi)>di\deg(f_i) > d_i. Then the degree of ff becomes:

deg(ζx(X))=deg(f)d+2\deg(\zeta_x(X)) = \deg (f) \ge d^* + 2

which leads to:

deg(ζx(X)XxXNmaxd1)Nmax\deg\left(\frac{\zeta_x(X)}{X - x}X^{N_{\mathsf{max}} - d^* -1}\right) \ge N_{\mathsf{max}}

making it impossible to commit to WW.

Completeness Proof:

(ζx(s)+(ri=0k1yixddi+1ri)ξ)sNmaxd1=ζx(s)sNmaxd1+αξ(sx)+((ri=0k1yixddi+1ri)sNmaxd1α(sx))ξ=ζx(s)sNmaxd1+(ri=0k1yixddi+1ri)ξsNmaxd1\begin{align*} \left(\zeta_x(s) + \left(r - \sum_{i=0}^{k-1}y_ix^{d^*-d_i+1}r_i\right)\xi\right)\cdot s^{N_{\mathsf{max}} - d^* - 1} &= \zeta_x(s) \cdot s^{N_{\mathsf{max}} - d^* - 1} + \alpha\xi(s - x) + \left(\left(r - \sum_{i=0}^{k-1}y_ix^{d^*-d_i+1}r_i\right) \cdot s^{N_{\mathsf{max}} - d^* - 1} - \alpha(s - x)\right)\xi \\ &= \zeta_x(s)\cdot s^{N_{\mathsf{max}} - d^* - 1} + \left(r - \sum_{i=0}^{k-1}y_ix^{d^*-d_i+1}r_i\right)\xi \cdot s^{N_{\mathsf{max}} - d^* - 1} \end{align*}

In the above protocol, we designed the batch degree check using the HidingKZG\mathsf{HidingKZG} protocol. However, as discussed in Section 5.4 of the paper, this method is applicable in a more general setting, provided that:

  • The commitment scheme satisfies additive homomorphism.

  • The evaluation protocol is knowledge-sound.

These conditions allow the batch degree check to be used in other polynomial commitment schemes as well.

Batch Evaluation with Degree Check

Now, let’s consider a set of polynomials f={f0,,fk1}\bm{f} = \{f_0, \dots, f_{k-1}\} and their respective evaluation values v={v0,,vk1}\bm{v} = \{v_0, \dots, v_{k-1}\}. For 0i<k0 \le i < k, each fif_i belongs to F[X]\mathbb{F}[X], and we aim to construct a batch protocol to verify whether deg(fi)d<Nmax\deg(f_i) \le d < N_{\mathsf{max}} and fi(z)=vif_i(z) = v_i.

Let C={C0,,Ck1}\bm{C} = \{C_0, \dots, C_{k-1}\} and r={r0,,rk1}\bm{r} =\{r_0, \dots, r_{k-1}\} be the set of commitments and randomness corresponding to f\bm{f}.

HidingKZG.ProveBatchEvalWithDegreeCheck(C,r,d,z,v)(W,δ)\mathsf{HidingKZG.ProveBatchEvalWithDegreeCheck}(\bm{C}, \bm{r}, d, z, \bm{v}) \rightarrow (W, \delta):

  1. The verifier samples yFy \leftarrow \mathbb{F} and sends it to the prover.

  2. The prover samples αF\alpha \leftarrow \mathbb{F}.

  3. The prover provides the verifier with W,δW, \delta:

W=[i=0k1yi(fi(s)vi)szsNmaxd]1+α[ξ]1δ=(i=0k1yiri)[sNmaxd]1[α(sz)]1W = \left[\frac{\sum_{i = 0}^{k-1}y^i(f_i(s) - v_i)}{s - z} s^{N_{\mathsf{max}} - d}\right]_1 + \alpha \cdot [\xi]_1 \\ \delta = \left(\sum_{i=0}^{k-1}y^ir_i\right)\cdot\left[ s^{N_{\mathsf{max}}-d}\right]_1 - [\alpha(s - z)]_1

HidingKZG.VerifyBatchEvalWithDegreeCheck(C,W,δ,d,z,v)b{0,1}\mathsf{HidingKZG.VerifyBatchEvalWithDegreeCheck}(\bm{C}, W, \delta, d, z, \bm{v}) \rightarrow b \in \{0, 1\}:

The verifier checks the following equation:

e(i=0k1yiCi[i=0k1yivi]1,[sNmaxd]2)=?e(W,[s]2[x]2)e(δ,[ξ]2)e(\sum_{i=0}^{k-1}y_iC_i - \left[\sum_{i=0}^{k-1}y^iv_i\right]_1,\left[ s^{N_{\mathsf{max}} - d} \right]_2) \stackrel{?}= e(W, [s]_2 - [x]_2) \cdot e(\delta, [\xi]_2)

This is satisfied iff HidingKZG.Open(Ci,fi,ri)=1fiF[X]dfi(z)=vi\mathsf{HidingKZG.Open}(C_i, f_i, r_i) = 1 \land f_i \in \mathbb{F}[X]^{\le d} \land f_i(z) = v_i for 0i<k0 \le i < k.

Soundness Proof:

Suppose that for some 0i<k0 \le i < k, we have deg(fi)>d\deg(f_i) > d. Then the degree of the expression:

deg(i=0k1yi(fi(X)v)XxXNmaxd)Nmax\deg\left(\frac{\sum_{i=0}^{k-1}y^i(f_i(X) - v)}{X - x}X^{N_{\mathsf{max}} - d}\right) \ge N_{\mathsf{max}}

making it impossible to commit to WW.

Completeness Proof:

i=0k1yi(fi(s)+riξvi)sNmaxd=i=0k1yi(fi(s)vi)sNmaxd+αξ(sz)+(i=0k1yirisNmaxdα(sz))ξ=i=0k1yi(fi(s)vi)sNmaxd+i=0k1yiriξsNmaxd\begin{align*} \sum_{i=0}^{k-1}y_i\left(f_i(s) + r_i\xi - v_i\right) \cdot s^{N_{\mathsf{max}} - d} &= \sum_{i=0}^{k-1}y_i(f_i(s) - v_i) \cdot s^{N_{\mathsf{max}} - d} + \alpha\xi(s - z) + \left(\sum_{i=0}^{k-1}y^ir_i \cdot s^{N_{\mathsf{max}} - d} - \alpha(s - z)\right)\xi \\ &=\sum_{i=0}^{k-1}y_i(f_i(s) - v_i) \cdot s^{N_{\mathsf{max}} - d} + \sum_{i=0}^{k-1}y^ir_i\xi \cdot s^{N_{\mathsf{max}} - d} \end{align*}

Put Together

To summarize, in order to prove f(z)=?vf(\bm{z}) \stackrel{?}= v, we transformed the problem as follows:

Un(f)vΦn(X)=i=0n1(X2iΦni1(X2i+1)ziΦni(X2i))Un(qi)<2i\mathcal{U}_n(f) - v \cdot \Phi_n(X) = \sum_{i=0}^{n-1}\left(X^{2^i}\Phi_{n-i-1}\left(X^{2^{i+1}}\right)- z_i \cdot \Phi_{n-i}\left(X^{2^i}\right)\right) \mathcal{U}_n(q_i)^{<2^i}

Now, let's prove the above equation using HidingKZG\mathsf{HidingKZG}.

  1. The prover computes commitments (Ci,ri):=HidingKZG.commit(Un(qi)<2i)(C_i, r_i) := \mathsf{HidingKZG.commit}\left(\mathcal{U}_n(q_i)^{<2^i}\right) for 0i<n0 \le i < n, and sends them to the verifier.

  2. The verifier randomly samples yFy \leftarrow \mathbb{F}.

  3. The prover computes (Cq^,r^):=HidingKZG.commit(q^)(C_{\hat{q}}, \hat{r}) := \mathsf{HidingKZG.commit}\left(\hat{q}\right) for 0i<n0 \le i < n and sends the commitments to the verifier, where:

q^(X):=i=0n1yiX2ndi1Un(qi)<2i\hat{q}(X) := \sum_{i=0}^{n-1}y^iX^{2^n-d_i-1}\mathcal{U}_n(q_i)^{<2^i}

  1. The verifier randomly samples xF,zFx \leftarrow \mathbb{F}^*, z\leftarrow \mathbb{F} (where x0x \neq 0).

  2. The prover samples αF\alpha \leftarrow \mathbb{F}.

  3. The prover provides the verifier with W,δW, \delta:

W=[(ζx(s)+zZx(s)sx)sNmax(2n1)]1+α[ξ]1δ=[(rζ+zrZ)sNmax(2n1)α(sx)]1W = \left[\left(\frac{\zeta_x(s) + z \cdot Z_x(s)}{s- x}\right)s^{N_{\mathsf{max}} - (2^n - 1)} \right]_1 + \alpha \cdot [\xi]_1 \\ \delta = \left[ (r_\zeta + z r_Z) s^{N_{\mathsf{max}} - (2^n - 1)} -\alpha (s - x)\right]_1

Where the values are defined as follows:

ζx(X):=q^(X)i=0n1yix2ndi1Un(qi)<2iZx(X):=Un(f)vΦn(x)i=0n1(x2iΦni1(x2k+1)ziΦni(x2i))Un(qi)<2irζ:=ri=0n1(x2iΦni1(x2i+1)ziΦni(x2i))rirZ:=r^i=0n1yix2ndi1ri\zeta_x(X) := \hat{q}(X) - \sum_{i=0}^{n-1}y^ix^{2^n-d_i-1}\mathcal{U}_n(q_i)^{<2^i}\\ Z_x(X) := \mathcal{U}_n(f) - v \cdot \Phi_n(x) - \sum_{i=0}^{n-1}\left(x^{2^i}\Phi_{n-i-1}\left(x^{2^{k+1}}\right)- z_i \cdot \Phi_{n-i} \left( x^{2^i} \right) \right)\mathcal{U}_n(q_i)^{<2^i} \\ r_\zeta := r - \sum_{i=0}^{n-1}\left(x^{2^i}\Phi_{n-i-1}\left(x^{2^{i+1}}\right)-z_i \cdot \Phi_{n-i}\left(x^{2^i}\right)\right) \cdot r_i \\ r_Z := \hat{r} - \sum_{i=0}^{n-1}y^ix^{2^n-d_i-1}r_i

  1. The verifier checks the following equation:

e(Cζx+zCZx,[sNmax(2n1)]2)=?e(W,[sx]2)e(δ,[ξ]2)e(C_{\zeta_x} + z \cdot C_{Z_x}, [s^{N_{\mathsf{max}}-(2^n-1)}]_2) \stackrel{?}= e(W, [s - x]_2) \cdot e(\delta, [\xi]_2)

Where the values are defined as follows:

Cζx:=Cq^i=0n1yix2ndi1CiCZx:=[Un(f)(s)]1[vΦn(x)]1i=0n1(x2iΦni1(x2i+1)ziΦni(x2i)))CiC_{\zeta_x} := C_{\hat{q}} - \sum_{i=0}^{n-1}y^ix^{2^n-d_i-1}C_i \\ C_{Z_x} := [\mathcal{U}_n(f)(s)]_1 - [v \cdot \Phi_n(x)]_1 - \sum_{i=0}^{n-1}\left(x^{2^i}\Phi_{n-i-1}\left(x^{2^{i+1}}\right) - z_i \cdot \Phi_{n-i}\left(x^{2^i})\right)\right)\cdot C_i

Completeness Proof:

(ζx(s)+rζ+z(Zx(s)+rZ))sNmax(2n1)=(ζx(s)+zZx(s))sNmax(2n1)+αξ(sx)+((rζ+zrZ)sNmax(2n1)α(sx))ξ=(ζx(s)+zZx(s))sNmax(2n1)+(rζ+zrZ)sNmax(2n1)\begin{align*} (\zeta_x(s) + r_{\zeta} + z \cdot (Z_x(s) + r_Z))s^{N_{\mathsf{max}} - (2^n - 1)} &= (\zeta_x(s) + z \cdot Z_x(s))s^{N_{\mathsf{max}} - (2^n - 1)} + \alpha\xi(s- x) + ((r_\zeta + z r_Z) s^{N_{\mathsf{max}} - (2^n - 1)} - \alpha(s - x))\xi \\ &= (\zeta_x(s) + z \cdot Z_x(s))s^{N_{\mathsf{max}} - (2^n - 1)} + (r_\zeta + z r_Z) s^{N_{\mathsf{max}} - (2^n - 1)} \end{align*}

Analysis:

  • srs\mathsf{srs}(structure reference string) size: Nmax+1G1,Nmax+1G2N^{\mathsf{max}}+1\mathbb{G}_1, N^{\mathsf{max}}+1\mathbb{G}_2

  • Prover work: O(n) MSMO(n)\ \mathsf{MSM}

    • To compute each CiC_i, it takes 2i+1 MSM2^i + 1 \ \mathsf{MSM} operations.

    • To compute Cq^C_{\hat{q}}, it takes at most 2n1 MSM2^{n-1}\ \mathsf{MSM} operations. This is because q^\hat{q} ​ has nonzero coefficients ranging from a maximum degree of 2n1=2ndn112^{n-1}=2^n- d_{n-1}-1 to 2n1=2nd012^{n}-1 = 2^n - d_0 - 1.

    • To compute WW, it takes at most 2n MSM2^n\ \mathsf{MSM} operations.

    • To compute δ\delta, it takes 3 MSM3\ \mathsf{MSM} operations: (rζ+zrZ)[sNmax(2n1)]1α[s]1+αx[1]1(r_\zeta + z r_Z) \cdot [ s^{N_{\mathsf{max}} - (2^n - 1)}]_1 -\alpha \cdot [s]_1 + \alpha x \cdot [1]_1.

  • Proof length: n+3G1,3Fn+3\mathbb{G}_1,3\mathbb{F}

    • n+3G1n + 3\mathbb{G}_1: (C0,,Cn1,Cq^,W,δ)(C_0, \dots, C_{n-1}, C_{\hat{q}}, W, \delta)

    • 3F3\mathbb{F}: (y,x,z)(y, x, z)

  • Verifier work: 2n+6MSM1,2G2,3P2n+6 \mathsf{MSM}_1, 2\mathbb{G}_2, 3\mathsf{P}

    • To compute [vΦn(x)]1[v \cdot \Phi_n(x)]_1, it takes 1 MSM1\ \mathsf{MSM} operation.

    • To compute CZxC_{Zx}, it takes n+2 MSMn + 2\ \mathsf{MSM} operations.

    • To compute CζxC_{\zeta_x}, it takes n+1 MSMn + 1\ \mathsf{MSM} operations.

    • To compute Cζx+zCZxC_{\zeta_x} + z \cdot C_{Z_x}, it takes 2 MSM2\ \mathsf{MSM} operations.

    • To compuete [s]2[x]2[s]_2 - [x]_2, it takes 2G22 \mathbb{G}_2 operations.

Here, MSM\mathsf{MSM} represents MSM operations in G1\mathbb{G}_1, F\mathbb{F} represents addition or multiplication in F\mathbb{F}, and P\mathsf{P} denotes a pairing operation.

Shift Evaluation

In permutation arguments or lookup arguments like Plookup, computing the evaluations of shifted polynomials is necessary. For example, if fF[X0,,Xn1]1f \in \mathbb{F}[X_0, \dots, X_{n-1}]^{\le 1} has the following evaluations:

v={v0,v1,,v2n2,v2n1}\bm{v} = \{ v_0, v_1, \dots, v_{2^n-2}, v_{2^n-1} \}

then the evaluations of shift(f)\mathsf{shift}(f) are:

v={v1,v2,,v2n1,v0}\bm{v'} = \{ v_1, v_2, \dots, v_{2^n-1}, v_0 \}

Applying the Un\mathcal{U}_n mapping results in:

Un(f)=v0+v1X+v2n2X2n2+v2n1X2n1Un(shift(f))=v1+v2X++v2n1X2n2+v0X2n1\mathcal{U}_n(f) = v_0 + v_1X \dots + v_{2^n-2}X^{2^n-2} + v_{2^n-1}X^{2^n-1} \\ \mathcal{U}_n(\mathsf{shift}(f) ) =v_1 + v_2X + \dots + v_{2^n-1}X^{2^n -2} + v_0X^{2^n -1}

To prove shift(f)(z)=v\mathsf{shift}(f)(\bm{z}) = v, we construct the following equation:

shift(f)v=i=0n1(Xizi)qi\mathsf{shift}(f) - v = \sum_{i=0}^{n-1}(X_i - z_i)q_i

and demonstrate the existence of a suitable qiq_i satisfying:

  • i=0q0Fi = 0 \Rightarrow q_0 \in \mathbb{F}

  • 0<i<nqiF[X0,,Xi1]10 < i < n \Rightarrow q_i \in \mathbb{F}[X_0, \dots, X_{i-1}]^{\le 1}

Applying the transformation from equation (1)(1) to (5)(5), we obtain:

Un(shift(f))vΦn(X)=i=0n1(X2iΦni1(X2i+1)ziΦni(X2i))Un(qi)<2i(6) \begin{align*} \mathcal{U}_n(\mathsf{shift}(f)) - v \cdot \Phi_n(X) = \sum_{i=0}^{n-1}\left(X^{2^i}\Phi_{n-i-1}\left(X^{2^{i+1}}\right)- z_i \cdot \Phi_{n-i}\left(X^{2^i}\right)\right) \mathcal{U}_n(q_i)^{<2^i} && (6) \end{align*}

Multiplying Un(shift(f))\mathcal{U}_n(\mathsf{shift}(f)) by XX, we get:

XUn(shift(f))=v1X+v2X2++v2n1X2n1+v0X2n=v0+v1X+v2X2++v2n1X2n1+v0X2nv0=Un(f)+v0(X2n1)\begin{align*} X\mathcal{U}_n(\mathsf{shift}(f)) &= v_1X + v_2X^2 + \dots +v_{2^n-1}X^{2^n-1} + v_0X^{2^n} \\ &= v_0 + v_1X + v_2X^2 + \dots +v_{2^n-1}X^{2^n-1} + v_0X^{2^n} - v_0 \\ &= \mathcal{U}_n(f) + v_0(X^{2^n} - 1) \end{align*}

Thus, multiplying both sides of equation (6)(6) by XX, we obtain:

Un(f)+v0(X2n1)vXΦn(X)=Xi=0n1(X2iΦni1(X2i+1)ziΦni(X2i))Un(qi)<2i(7) \begin{align*} \mathcal{U}_n(f) + v_0(X^{2^n} - 1) - v \cdot X \Phi_n(X) = X \cdot \sum_{i=0}^{n-1}\left(X^{2^i}\Phi_{n-i-1}\left(X^{2^{i+1}}\right)- z_i \cdot \Phi_{n-i}\left(X^{2^i}\right)\right) \mathcal{U}_n(q_i)^{<2^i} && (7) \end{align*}

Since equation (7)(7) holds, we can prove that shift(f)\mathsf{shift}(f) is indeed a shifted version of ff by committing only once to Un(f)\mathcal{U}_n(f) and then using it to verify the evaluation claim of shift(f)\mathsf{shift}(f).

If v0=0v_0 = 0, the protocol simplifies even further! While the referenced paper discusses high-degree shifts and batched verification methods, these are omitted here for brevity. Interested readers are encouraged to refer to Sections 7 and 8 for more details!

Conclusion

The multilinear polynomial identity originally required nn pairing operations. However, thanks to Un\mathcal{U}_n mapping, the verifier can now perform the expensive pairing computation in just three operations.

Meanwhile, to prove that qiq_i is bounded by a certain degree, the degree check protocol must be executed, which requires an srs\mathsf{srs} proportional to NmaxN_{\mathsf{max}} in G1\mathbb{G}_1 and G2\mathbb{G}_2. Fortunately, the verifier does not need to perform the costly G2\mathbb{G}_2 operations.

Additionally, an important point is that for hiding, only logN+5\log N + 5 elements in G1\mathbb{G}_1 are required.

References

Written by ryan Kim from A41

PreviousSHPlonkNextYao's Garbled Circuits

Last updated