Chapter status: ✅ in good shape ✅

Related puzzles: Puzzle 2 and Puzzle 4

TODO:

cover Kohrita-Towa variant

batch proofs for multiple polynomials [GWC19] [BDFG20]

multivariate polynomials [PST13]

degree-checks

Polynomial Commitment Schemes

Polynomial commitment schemes play a central role in the design of zk-SNARKs. In this section, we introduce them and present the two KZG schemes, DL-KZG and Ped-KZG.

Make sure to read the chapters about polynomials and standard commitments first.

We recall that given a field $F,$ we let $F_{(\leq d)} [X]$ denote the set of all univariate polynomials over $F$ of degree at most $d .$

Generalities
- Syntax
- Security
Informal Description of the KZG Schemes
The DL-KZG Scheme
The Ped-KZG Scheme
Discussion
Multi-evaluation Proofs
A Practical Use Case
Additional Resources

Generalities

As standard commitment schemes, a polynomial commitment scheme (PC scheme for short) involves two parties, a committer (or prover) and a verifier. It allows the committer to send to the verifier a commitment $C$ to some secret polynomial $p \in F_{(\leq d)} [X]$ and later on prove that $p$ evaluates to some specific value $v \in F$ at input $u \in F$ (usually of the verifier's choosing), potentially for multiple inputs.

Recall that a polynomial of degree at most $d$ is specified by the tuple $a = (a_{0}, \dots, a_{d}) \in F^{d + 1}$ of coefficients such that $p (X) = \sum_{i = 0}^{d} a_{i} X^{i} .$ From a broader perspective, a PC scheme can be seen as the combination of a standard commitment scheme over $F^{d + 1}$ together with various proof systems for proving assertions about the committed vector $a .$ In particular, proving that $p (u) = v$ is equivalent to proving that $i = 0 \sum d a_{i} u^{i} = v$ i.e., proving that the inner product of $a$ with the vector $(1, u, u^{2}, \dots, u^{d})$ is equal to $v .$ Other assertions one may want to prove when designing SNARKs are, for example, that $p$ has degree at most $d^{'} < d,$ which is equivalent to $a_{d^{'} + 1} = \dots = a_{d} = 0,$ or more complex relations about evaluations of $p$ such as $\sum_{u \in U} p (u) = 0$ for some subset $U \subset F .$

Syntax

More formally, a PC scheme is parameterized by a maximal degree $d \in N$ (one can think of $d$ as being given as input to all algorithms) and consists of the five following algorithms (the exact syntax can vary slightly in the literature, here we adhere to the syntax of standard commitment schemes):

a setup algorithm $Setup$ which on input the security parameter $1^{λ}$ returns public parameters¹ $p a r;$ these parameters implicitly specify some finite field $F;$
a commitment algorithm $Commit$ which on input parameters $p a r$ and a polynomial $p \in F_{(\leq d)} [X]$ returns a commitment $C$ and a decommitment $D;$
a "polynomial" verification algorithm $PolyVerif$ which on input parameters $p a r,$ a commitment $C,$ a polynomial $p \in F_{(\leq d)} [X],$ and a decommitment $D,$ returns 1 if $D$ is a valid decommitment for $(p a r, C, p)$ and 0 otherwise;
a proving algorithm $EvalProve$ which on input parameters $p a r,$ a polynomial $p \in F_{(\leq d)} [X],$ a decommitment $D,$ and a value $u \in F$ returns an evaluation $v \in F$ and a proof $Π;$
an "evaluation" verification algorithm $EvalVerif$ which on input parameters $p a r,$ a commitment $C,$ a pair $(u, v) \in F^{2},$ and a proof $Π,$ returns 1 if $Π$ is a valid proof that the polynomial committed to by $C$ evaluates to $v$ at input $u,$ and 0 otherwise.

In some cases (in particular for KZG), it might be possible to split the public parameters $p a r$ into a commitment key $c k$ and a verification key $v k,$ where typically only $c k$ is needed for algorithms $Commit,$ $PolyVerif,$ and $EvalProve$ and only $v k$ is needed for $EvalVerif .$

As already hinted, the three algorithms $Setup,$ $Commit,$ and $PolyVerif$ can be regarded together as a standard commitment scheme with message space $F_{(\leq d)} [X] ≅ F^{d + 1}$ (with $p$ specified by the tuple $(a_{0}, \dots, a_{d}) \in F^{d + 1}$ of its coefficients) while $EvalProve$ and $EvalVerif$ together form a proof system for statements of the form $p (u) = v .$

As for standard commitment schemes, what we just defined here is the syntax for a non-interactive PC scheme, where the $Setup$ algorithm is run once and for all and then committing and proving an evaluation of the committed polynomial is non-interactive. More generally, committing and evaluation proving could be interactive.

As always, the scheme must be correct, meaning two things: first, $(Setup, Commit, PolyVerif)$ must be correct as defined for a standard commitment scheme with message space $F^{d + 1};$ second, for every security parameter $λ,$ every $d \in N,$ every $p \in F_{(\leq d)} [X],$ and every $u \in F,$ the following game capturing the nominal execution of algorithms for evaluation proving must return true with probability 1:

$p a r \leftarrow Setup (1^{λ}) (C, D) \leftarrow Commit (p a r, p) (v, Π) \leftarrow EvalProve (p a r, p, D, u) b \leftarrow EvalVerif (p a r, C, (u, v), Π) assert (b = 1)$

Security

Defining security properties for PC schemes is rather subtle. Almost every paper about PC schemes define slightly different sets of security properties depending on the specific application being targeted. Here, we focus on the security properties proposed in the seminal paper about PC schemes [KZG10a], which are also the simplest ones.

First, a PC scheme should be hiding and binding in the standard sense when seen as a commitment to the tuple of coefficients $(a_{0}, \dots, a_{d}) \in F^{d + 1}$ defining the polynomial $p .$ Let us the recall the corresponding games, that we call POLY-HIDING and POLY-BINDING for clarity:

$\underline{Game POLY-HIDING:} b \leftarrow_{$} {0, 1} p a r \leftarrow Setup (1^{λ}) b^{'} \leftarrow A^{Commit} (p a r) assert (b = b^{'}) \underline{Oracle Commit (p_{0}, p_{1}) :} assert (deg (p_{0}) \leq d) assert (deg (p_{1}) \leq d) (C, D) \leftarrow Commit (p a r, p_{b}) return C$

$\underline{Game POLY-BINDING:} p a r \leftarrow Setup (1^{λ}) (C, p, D, p^{'}, D^{'}) \leftarrow A (p a r) assert (deg (p) \leq d) \land (deg (p^{'}) \leq d) b \leftarrow PolyVerif (p a r, C, p, D) b^{'} \leftarrow PolyVerif (p a r, C, p^{'}, D^{'}) assert (p \neq = p^{'}) assert (b = 1) assert (b^{'} = 1)$

It turns out that some PC schemes (such as the DL-KZG scheme) do not satisfy the poly-hiding notion (in general, when used to construct SNARKs, poly-hiding matters only if one cares about the SNARK being zero-knowledge). However, they satisfy what we call here evaluation hiding,² which informally means that for a random polynomial $p$ of degree at most $d,$ given a commitment to $p$ and at most $d$ evaluations of $p$ together with the corresponding proofs, no adversary should be able to guess the value of $p (u)$ for a new input $u .$ This is formalized by the following game:

$\underline{Game EVAL-HIDING:} p (X) \leftarrow_{$} F_{(\leq d)} [X] c t r \leftarrow 0 Q \leftarrow \emptyset p a r \leftarrow Setup (1^{λ}) (C, D) \leftarrow Commit (p a r, p) (u, v) \leftarrow A^{Prove} (p a r, C) assert (c t r \leq d) assert (u \in / Q) assert (p (u) = v) \underline{Oracle Prove (u) :} (v, Π) \leftarrow EvalProve (p a r, p, D, u) c t r \leftarrow c t r + 1 Q \leftarrow Q \cup {u} return (v, Π)$

To be completely explicit, the line $p (X) \leftarrow_{$} F_{(\leq d)} [X]$ means $a_{0}, \dots, a_{d} \leftarrow_{$} F p (X) : = i = 0 \sum d a_{i} X^{i} .$

The condition that the adversary makes at most $d$ queries to the $Prove$ oracle is of course necessary: once the commitment has been opened at $d + 1$ distinct points $u_{0},$ $\dots,$ $u_{d},$ the committed polynomial has been completely revealed by virtue of Lagrange interpolation.

Regarding the binding property of evaluation proving, a PC scheme should be evaluation binding, meaning no efficient adversary can produce a commitment and two valid proofs that the committed polynomial evaluates to two different values $v \neq = v^{'}$ at the same input $u .$ More formally, this is captured by the following game:

$\underline{Game EVAL-BINDING:} p a r \leftarrow Setup (1^{λ}) (C, u, (v, Π), (v^{'}, Π^{'})) \leftarrow A (p a r) b \leftarrow EvalVerif (p a r, C, (u, v), Π) b^{'} \leftarrow EvalVerif (p a r, C, (u, v^{'}), Π^{'}) assert (v \neq = v^{'}) assert (b = 1) assert (b^{'} = 1)$

As for standard commitments, all these properties can hold statistically or computationally, but poly-hiding and poly-binding cannot hold both statistically for a PC scheme.

Informal Description of the KZG Schemes

Two closely related and very efficient PC schemes based on pairings were proposed by Kate, Zaverucha, and Goldberg in 2010 [KZG10a] (see also [KZG10b] for the full paper with security proofs). We will call them (for reasons that will become clear soon) DL-KZG and Ped-KZG. What is usually simply called KZG corresponds to the DL-KZG scheme.

Let us start with a high-level view of DL-KZG. For a maximal degree $d,$ the commitment and opening part is very similar to the (non-hiding version of the) generalized Pedersen commitment scheme. The public parameters consist of $d + 1$ generators $(W_{0}, \dots, W_{d})$ of some group $G_{1}$ of prime order $r .$ A polynomial $p (X) = \sum_{i = 0}^{d} a_{i} X^{i}$ is seen as a vector $(a_{0}, \dots, a_{d}) \in (F_{r})^{d + 1}$ and the corresponding commitment is $C : = i = 0 \sum d a_{i} W_{i} .$ There is a big difference though with generalized Pedersen commitments: the generators $W_{0}, \dots, W_{d}$ are not independent. They are computed from a single generator $G_{1} \in G_{1}$ and a secret random scalar $τ \in F_{r}$ as $(W_{0}, W_{1}, \dots, W_{d}) = (G_{1}, τ G_{1}, \dots, τ^{d} G_{1}) .$ These parameters have a precise structure. For this reason, they are also called a structured reference string (SRS). This also implies that they cannot be sampled obliviously of $τ$ and require a trusted setup (more on this later).

As a result, the commitment $C$ is actually $p (τ)$ in disguise: $C = i = 0 \sum d a_{i} (τ^{i} G_{1}) = (i = 0 \sum d a_{i} τ^{i}) G_{1} = p (τ) G_{1} .$

Evaluation proving relies on the polynomial remainder theorem: a polynomial $p \in F [X]$ satisfies $p (u) = v$ if and only if $p (X) - v$ is divisible by $X - u,$ i.e., there exists a polynomial $q$ such that $p (X) - v = (X - u) q (X) .$ The proving algorithm therefore consists in computing the polynomial $q (X) = \sum_{i = 0}^{d} b_{i} X^{i}$ explicitly and the proof $Π,$ which consists in $q (τ)$ in disguise, as $Π : = i = 0 \sum d b_{i} (τ^{i} G_{1}) = q (τ) G_{1} .$

Evaluating this polynomial equality at $τ,$ we see that $p (τ) - v = (τ - u) q (τ) .$ The verification algorithm consists in checking this equality "in the exponent" (or rather "in the scalar multiplication" here as we use additive notation). This is where pairings comes in: $G_{1}$ is actually a pairing-friendly group coming with related groups $G_{2}$ and $G_{t}$ and a pairing $e : G_{1} \times G_{2} \to G_{t} .$ The public parameters include a generator $G_{2}$ of $G_{2}$ and the group element $H_{2} = τ G_{2} .$ The verifier can compute $(p (τ) - v) G_{1} = C - v G_{1}$ and $(τ - u) G_{2} = H_{2} - u G_{2}$ and also knows $Π = q (τ) G_{1} .$ Then $p (τ) - v = (τ - u) q (τ)$ holds iff the following pairing equality does: $e (C - v G_{1}, G_{2}) = e (Π, H_{2} - u G_{2}) .$

The DL-KZG commitment scheme is obviously not hiding because the commitment algorithm is deterministic. The Ped-KZG scheme remedies this problem by adding a commitment to a random polynomial $\overset{p}{^} = \sum_{i = 0}^{d} \overset{a}{^}_{i} X^{i}$ with respect to another tuple of points $(H_{1}, τ H_{1}, \dots, τ^{d} H_{1}) :$ $C = i = 0 \sum d a_{i} (τ^{i} G_{1}) + i = 0 \sum d \overset{a}{^}_{i} (τ^{i} H_{1}) = p (τ) G_{1} + \overset{p}{^} (τ) H_{1} .$ Evaluation proving is adapted accordingly. The form of the commitment $C$ is reminiscent of the (hiding version) of Pedersen commitments, explaining the naming convention.

We now give a detailed description and analysis of the properties of the DL-KZG and Ped-KZG schemes.

The DL-KZG Scheme

Description

Let $PairingSetup$ be an asymmetric pairing group setup algorithm.³ The DL-KZG scheme for a maximal degree $d$ is defined as follows:

The $Setup$ algorithm, on input the security parameter $1^{λ},$ runs $(G_{1}, G_{2}, G_{t}, r, e) \leftarrow PairingSetup (1^{λ}),$ draws random generators $G_{1}$ and $G_{2}$ of respectively $G_{1}$ and $G_{2},$ draws $τ \leftarrow_{$} F_{r},$ and returns public parameters $p a r : = (G_{1}, τ G_{1}, \dots, τ^{d} G_{1}, G_{2}, τ G_{2}) \in G_{1}^{d + 1} \times G_{2}^{2} .$ Here we assume that pairing parameters $(G_{1}, G_{2}, G_{t}, r, e)$ are implicitly specified in $p a r .$ ⁴ The field over which polynomials are defined is $F_{r} .$ The public parameters can be split into a commitment key $c k : = (G_{1}, τ G_{1}, \dots, τ^{d} G_{1}) \in G_{1}^{d + 1}$ and a verification key $v k : = (G_{1}, G_{2}, τ G_{2}) \in G_{1} \times G_{2}^{2} .$
The $Commit$ algorithm, on input a commitment key $c k = (G_{1}, τ G_{1}, \dots, τ^{d} G_{1})$ and a polynomial $p \in F_{r}^{(\leq d)} [X]$ where $p (X) = \sum_{i = 0}^{d} a_{i} X^{i},$ returns the commitment $C : = i = 0 \sum d a_{i} (τ^{i} G_{1}) = p (τ) G_{1}$ and an empty decommitment $D = ⊥.$
The $PolyVerif$ algorithm, on input a commitment key $c k = (G_{1}, τ G_{1}, \dots, τ^{d} G_{1}),$ a commitment $C \in G_{1},$ and a polynomial $p \in F_{r}^{(\leq d)} [X]$ where $p (X) = \sum_{i = 0}^{d} a_{i} X^{i},$ returns 1 if $C = \sum_{i = 0}^{d} a_{i} (τ^{i} G_{1})$ and 0 otherwise.
The $EvalProve$ algorithm, on input a commitment key $c k = (G_{1}, τ G_{1}, \dots, τ^{d} G_{1}),$ a polynomial $p \in F_{r}^{(\leq d)} [X],$ and $u \in F_{r},$ computes the polynomial⁵ $q (X) : = \frac{p ( X ) - p ( u )}{X - u} = i = 0 \sum d b_{i} X^{i},$ the group element $Π : = i = 0 \sum d b_{i} (τ^{i} G_{1}) = q (τ) G_{1},$ and returns $p (u)$ and the proof $Π.$
The $EvalVerif$ algorithm, on input a verification key $v k = (G_{1}, G_{2}, τ G_{2}),$ a commitment $C,$ a pair $(u, v) \in F_{r}^{2},$ and a proof $Π,$ returns 1 if $e (C - v G_{1}, G_{2}) = e (Π, τ G_{2} - u G_{2}) (19.1)$ and 0 otherwise.

It is straightforward to verify that $(Setup, Commit, PolyVerif)$ is correct as a standard commitment scheme. Let's check that the scheme is correct with respect to evaluation proving, i.e., if the commitment $C$ and the proof $Π$ have been honestly computed, then the verification passes. If $C = p (τ) G_{1}$ and $Π = q (τ) G_{1}$ where $p (X)$ and $q (X)$ are such that $p (X) - v = (X - u) q (X),$ then $e (C - v G_{1}, G_{2}) = e ((p (τ) - v) G_{1}, G_{2}) = e ((τ - u) q (τ) G_{1}, G_{2}) = e (q (τ) G_{1}, (τ - u) G_{2}) = e (Π, τ G_{2} - u G_{2}),$ hence Eq. (19.1) is satisfied and $EvalVerif$ returns 1.

Hiding Security

The DL-KZG scheme as described above is not poly-hiding: the commitment algorithm $Commit$ is deterministic, hence, given two polynomials $p_{0}$ and $p_{1}$ and a commitment $C,$ it is trivial to distinguish whether $C$ commits to $p_{0}$ and $p_{1}$ by computing the corresponding commitments and comparing with $C .$

Regarding the eval-hiding property, note that DL-KZG cannot be statistically eval-hiding. Indeed, an unbounded adversary can compute $τ$ from the parameters and $p (τ)$ from the commitment and return $(τ, p (τ))$ to win the EVAL-HIDING game without making any query to the $Prove$ oracle. However, it is eval-hiding under the discrete logarithm assumption (in group $G_{1}) .$

Let us give the intuition before the full-fledged proof. As the committed polynomial is uniformly random in $F_{r}^{(\leq d)} [X],$ Lagrange interpolation ensures that given at most $d$ evaluations of $p$ at $u_{1}, \dots, u_{d},$ the value of $p$ on any other point $u \in / {u_{1}, \dots, u_{d}}$ is uniformly random so that even an unbounded adversary can guess it with probability at most $1/ ∣ F_{r} ∣ .$ Hence, the only way an adversary can guess $p (u)$ with non-negligible probability is to compute $p (τ)$ from $C = p (τ) G_{1} .$ Together with $d$ queries to the $Prove$ oracle, this yields $d + 1$ evaluations of $p,$ allowing to compute $p$ with Lagrange interpolation. But computing $p (τ)$ requires to solve the discrete logarithm problem for challenge $C .$

Theorem 19.1. Assume that the DL problem is hard in $G_{1}$ for $PairingSetup .$ Then the DL-KZG scheme is (computationally) eval-hiding. More precisely, for every adversary $A$ against the EVAL-HIDING game, there exists an adversary $B$ for the DL problem running in time $t + O (λ d^{2}),$ where $t$ is the running time of $A,$ and such that $Adv_{A}^{eval-hiding} (λ) \leq Adv_{B}^{dl} (λ) + \frac{1}{2 ^{2 λ - 1}} .$

Proof

Let $A$ be an adversary against the eval-hiding property of DL-KZG. Without loss of generality, we assume that $A$ makes exactly $d$ queries to the $Prove$ oracle. We simply denote EH the EVAL-HIDING game. Let also $E$ denote the event that $A$ queries the $Prove$ oracle on $τ .$ By definition of the advantage, we have $Adv_{A}^{eval-hiding} (λ) = Pr [EH \to true] = Pr [EH \to true ∣ E] Pr [E] + Pr [EH \to true ∣ \neg E] Pr [\neg E] \leq Pr [EH \to true ∣ E] + Pr [EH \to true ∣ \neg E] Pr [\neg E] .$ Let us first show that the first term is negligible. Just before $A$ returns its answer, $p$ has been evaluated on at most $d + 1$ points: $τ$ (when computing the commitment) and the $d$ queries ${u_{1}, \dots, u_{d}}$ of $A$ to the $Prove$ oracle. Conditioned on $A$ querying $Prove$ on $τ$ (i.e., $τ \in {u_{1}, \dots, u_{d}}),$ $p$ has been in fact evaluated on $d$ points before $A$ returns its output $(u, v) .$ Since $p$ is a random polynomial of degree $d,$ the value of $p (u)$ conditioned on these at most $d$ evaluations (for any $u \neq = u_{1}, \dots, u_{d})$ is uniformly random. Hence, even a computationally unbounded adversary can guess $p (u)$ with probability at most $1/ ∣ F_{r} ∣,$ i.e., $Pr [EH \to true ∣ E] = \frac{1}{∣ F _{r} ∣} \leq \frac{1}{2 ^{2 λ - 1}} .$ Let us now upper bound the second term with a reduction. We construct an adversary $B$ that solves the DL problem by simulating game EH to $A$ as follows. Let $C = c G_{1} \in G_{1}$ be the DL instance that $B$ must solve. $B$ draws $τ \leftarrow_{$} F_{r},$ computes $p a r : = (G_{1}, τ G_{1}, \dots, τ^{d} G_{1}, G_{2}, τ G_{2}),$ and runs $A$ on input $(p a r, C) .$ Note that $C$ implicitly commits to a polynomial $p$ such that $p (τ) = c .$ $B$ simulates the $Prove$ oracle as follows: when $A$ queries the oracle on some field element $u \in F_{r} ∖ {τ},$ $B$ draws $v \leftarrow_{$} F_{r},$ computes a proof $Π : = \frac{1}{τ - u} (C - v G_{1})$ and returns $(v, Π) .$ The proof is valid because $e (Π, τ G_{2} - u G_{2}) = e ((τ - u)^{- 1} (C - v G_{1}), (τ - u) G_{2}) = e (C - v G_{1}, G_{2})$ and hence the verification equation (19.1) is satisfied. Note that $B$ cannot answer this way if $A$ queries $τ$ to $Prove$ since $p (τ)$ is exactly the solution to its DL challenge. In such a case (i.e., when $E$ happens), $B$ simply aborts. Conditioned on $E$ not happening, $p$ is sampled through the commitment evaluation $p (τ) = c$ and the $d$ evaluations ${(u_{1}, v_{1}), \dots, (u_{d}, v_{d})}$ corresponding to $Prove$ queries made by $A,$ with $c$ and $v_{1}, \dots, v_{d}$ uniformly random and independent. By Lagrange interpolation, this is equivalent to drawing the $d + 1$ coefficients of $p$ uniformly at random and hence the EVAL-HIDING game is perfectly simulated. If $A$ successfully returns a pair $(u, v)$ such that $p (u) = v,$ then $B$ can interpolate the $d$ evaluations corresponding to $Prove$ queries together with $(u, v)$ to recover polynomial $p$ and compute $p (τ) = c,$ which yields the solution to the DL challenge.

Let DL be the discrete logarithm game played with $B .$ Then $Adv_{B}^{dl} (λ) = Pr [DL \to true] = Pr [DL \to true ∣ E] Pr [E] + Pr [DL \to true ∣ \neg E] Pr [\neg E] = Pr [DL \to true ∣ \neg E] Pr [\neg E] = Pr [EH \to true ∣ \neg E] Pr [\neg E]$ where for the last equality we used that conditioned on $\neg E,$ games DL $^{B} (λ)$ and EH $^{A} (λ)$ are identical. Hence, $Adv_{A}^{eval-hiding} (λ) \leq Adv_{B}^{dl} (λ) + \frac{1}{2 ^{2 λ - 1}}$ $B$ runs in time $t$ (where $t$ is the running time of $A)$ plus the time to interpolate $p,$ which requires at most $O (d^{2} lo g_{2} (r)) = O (λ d^{2})$ operations.

Binding Security

The only thing that a commitment $C$ commits to, information-theoretically speaking, is the value $p (τ) .$ Hence, the DL-KZG scheme is certainly not statistically poly-binding: an adversary able to compute $τ$ from the public parameters can very easily decommit any commitment $C = c G_{1}$ to any polynomial $p$ such that $p (τ) = c .$ However, for an adversary unable to compute $τ$ from the public parameters, which is an instance of what we call the $(d, 1)$ -co-DL problem, there is only a negligible chance that it can find two polynomials $p$ and $q$ such that $p (τ) G_{1} = q (τ) G_{1} = C .$ More formally, we have the following result.

Theorem 19.2. Assume that the $(d, 1)$ -co-DL problem is hard for $PairingSetup .$ Then the DL-KZG scheme for maximal degree $d$ is poly-binding. More precisely, for any adversary $A$ against the poly-binding security of DL-KZG for maximal degree $d,$ there exists an adversary $B$ for the $(d, 1)$ -co-DL problem running in time $t + O (λ d^{3}),$ where $t$ is the running time of $A,$ and such that $Adv_{A}^{poly-binding} (λ) = Adv_{B}^{(d,1)-co-dl} (λ) .$

Proof

Let $A$ be an adversary against the poly-binding security of DL-KZG for maximal degree $d .$ We construct an algorithm $B$ for the $(d, 1)$ -co-DL problem as follows. $B$ gets pairing group parameters $(G_{1}, G_{2}, G_{t}, r, e)$ and an instance $(G_{1}, τ G_{1}, \dots, τ^{d} G_{1}, G_{2}, τ G_{2})$ of the $(d, 1)$ -co-DL problem. The goal of $B$ is to compute $τ .$ It runs $A$ on public parameters $p a r = (G_{1}, τ G_{1}, \dots, τ^{d} G_{1}, G_{2}, τ G_{2}) .$ Assume that $A$ is successful and returns a commitment $C$ and two distinct polynomials $p$ and $p^{'}$ of degree at most $d$ such that $PolyVerif (p a r, C, p) = PolyVerif (p a r, C, p^{'}) = 1.$ This implies that $C = p (τ) G_{1} = p^{'} (τ) G_{1},$ hence $p (τ) = p^{'} (τ)$ and $τ$ is a root of the non-zero polynomial $(p - p^{'}) (X) \in F_{r}^{(\leq d)} [X] .$ This polynomial can be factored in time $O (d^{3} lo g (r))$ with the Cantor–Zassenhaus algorithm, which allows $B$ to compute all its roots and find $τ .$ The success probability of $B$ is the same as the one of $A$ and the running time of $B$ is $t + O (λ d^{3}) .$

Eval-binding security relies on a stronger assumption, namely that the so-called $(q_{1}, q_{2})$ -strong Diffie-Hellman ( $(q_{1}, q_{2})$ -SDH) problem is hard. This problem is as follows: given $(G_{1}, x G_{1}, \dots x^{q_{1}} G_{1}, G_{2}, x G_{2}, \dots, x^{q_{2}} G_{2}) \in G_{1}^{q_{1} + 1} \times G_{2}^{q_{2} + 1},$ compute a pair $(a, Y) \in F_{r} \times G_{1}$ such that $Y = \frac{1}{x + a} G_{1} .$ The $(q, 1)$ -SDH problem is usually simply called the $q$ -SDH problem.

Theorem 19.3. Assume that the $d$ -SDH problem is hard for $PairingSetup .$ Then the DL-KZG scheme for maximal degree $d$ is eval-binding. More precisely, for any adversary $A$ against the eval-binding security of DL-KZG for maximal degree $d,$ there exists an adversary $B$ for the $d$ -SDH problem running in time similar to the time of $A$ and such that $Adv_{A}^{eval-binding} (λ) = Adv_{B}^{d -sdh} (λ) .$

Proof

Let $A$ be an adversary against the eval-binding security of the DL-KZG scheme for maximal degree $d .$ We construct an adversary $B$ for the $d$ -SDH problem. $B$ gets pairing group parameters $(G_{1}, G_{2}, G_{t}, r, e)$ and an instance $(G_{1}, τ G_{1}, \dots, τ^{d} G_{1}, G_{2}, τ G_{2})$ of the $d$ -SDH problem. The goal of $B$ is to return a pair $(a, Y)$ such that $Y = \frac{1}{τ + a} G_{1} .$ It runs $A$ on public parameters $p a r = (G_{1}, τ G_{1}, \dots, τ^{d} G_{1}, G_{2}, τ G_{2}) .$ Assume that $A$ is successful and returns a commitment $C,$ a field element $u \in F_{r},$ and two valid value/proof pairs $(v, Π)$ and $(v^{'}, Π^{'})$ with $v \neq = v^{'} .$ Then $B$ proceeds as follows. First, it checks whether $u = τ$ (e.g., by checking whether $u G_{1}$ is equal to the second group element of the parameters $p a r) .$ If this is the case, then $B$ simply picks an arbitrary element $a \in F_{r} ∖ {- τ}$ and returns $(a, \frac{1}{τ + a} G_{1}) .$ From now on, we assume $u \neq = τ .$ The validity of the two proofs imply that $e (C - v G_{1}, G_{2}) and e (C - v^{'} G_{1}, G_{2}) = e (Π, τ G_{2} - u G_{2}) = e (Π^{'}, τ G_{2} - u G_{2}) .$ Taking the inverse of the second equation and multiplying with the first equation, we get successively $e (C - v G_{1}, G_{2}) e (C - v^{'} G_{1}, G_{2})^{- 1} e (C - v G_{1}, G_{2}) e (- C + v^{'} G_{1}, G_{2}) e (C - v G_{1} - C + v^{'} G_{1}, G_{2}) e ((v^{'} - v) G_{1}, G_{2}) e (\frac{1}{τ - u} G_{1}, G_{2}) = e (Π, (τ - u) G_{2}) e (Π^{'}, (τ - u) G_{2})^{- 1} = e (Π, (τ - u) G_{2}) e (- Π^{'}, (τ - u) G_{2}) = e (Π - Π^{'}, (τ - u) G_{2}) = e (Π - Π^{'}, (τ - u) G_{2}) = e (\frac{1}{v ^{'} - v} (Π - Π^{'}), G_{2}),$ where for the last implication we used that $v^{'} - v \neq = 0$ and $τ - u \neq = 0,$ which allows us to multiply by $(v^{'} - v)^{- 1} (τ - u)^{- 1} mod r .$ The last equation implies that $Y : = \frac{1}{v ^{'} - v} (Π - Π^{'}) = \frac{1}{τ - u} G_{1} .$ Hence, $B$ returns $(- u, Y)$ which is a valid solution of the SDH instance. The success probability of $B$ is the same as the one of $A$ and the running time of $B$ is close to the one of $A .$

The Ped-KZG Scheme

Description

As discussed in the previous section, the DL-KZG scheme is not poly-hiding because the $Commit$ algorithm is deterministic. It is possible the make the scheme poly-hiding by randomizing the $Commit$ algorithm. Below we present the Ped-KZG scheme. The idea is to add to the basic DL-KZG commitment $C = p (τ) G_{1}$ a commitment to another random and independent polynomial $\overset{p}{^} (X)$ with respect to another generator $H_{1}$ of $G_{1} .$ The commitment becomes $p (τ) G_{1} + \overset{p}{^} (τ) H_{1},$ which is very similar to a Pedersen commitment, hence the name. This requires expanding the size of the public parameters and the evaluation proofs. The formal description follows.

The $Setup$ algorithm, on input the security parameter $1^{λ},$ runs $(G_{1}, G_{2}, G_{t}, r, e) \leftarrow PairingSetup (1^{λ}),$ draws random generators $G_{1}$ and $H_{1}$ of $G_{1}$ and $G_{2}$ of $G_{2},$ draws $τ \leftarrow_{$} F_{r},$ and returns public parameters $p a r : = (G_{1}, τ G_{1}, \dots, τ^{d} G_{1}, H_{1}, τ H_{1}, \dots, τ^{d} H_{1}, G_{2}, τ G_{2}) \in G_{1}^{2 d + 2} \times G_{2}^{2} .$ Here we assume that pairing parameters $(G_{1}, G_{2}, G_{t}, r, e)$ are implicitly specified in $p a r .$ The field over which polynomials are defined is $F_{r} .$ The public parameters can be split into a commitment key $c k : = (G_{1}, τ G_{1}, \dots, τ^{d} G_{1}, H_{1}, τ H_{1}, \dots, τ^{d} H_{1}) \in G_{1}^{2 d + 2}$ and a verification key $v k : = (G_{1}, H_{1}, G_{2}, τ G_{2}) \in G_{1}^{2} \times G_{2}^{2} .$
The $Commit$ algorithm, on input a commitment key $c k$ and a polynomial $p \in F_{r}^{(\leq d)} [X]$ where $p (X) = \sum_{i = 0}^{d} a_{i} X^{i},$ draws a random polynomial $\overset{p}{^} (X) = \sum_{i = 0}^{d} \overset{a}{^}_{i} X^{i}$ with $\overset{a}{^}_{0}, \dots, \overset{a}{^}_{d} \leftarrow_{$} F_{r}$ and returns the commitment $C : = i = 0 \sum d a_{i} (τ^{i} G_{1}) + i = 0 \sum d \overset{a}{^}_{i} (τ^{i} H_{1}) = p (τ) G_{1} + \overset{p}{^} (τ) H_{1}$ and the decommitment $D = \overset{p}{^} (X) .$
The $PolyVerif$ algorithm, on input a commitment key $c k,$ a commitment $C \in G_{1},$ a polynomial $p \in F_{r}^{(\leq d)} [X]$ where $p (X) = \sum_{i = 0}^{d} a_{i} X^{i},$ and a decommitment $\overset{p}{^} \in F_{r}^{(\leq d)} [X]$ where $\overset{p}{^} (X) = \sum_{i = 0}^{d} \overset{a}{^}_{i} X^{i},$ returns 1 if $C = \sum_{i = 0}^{d} a_{i} (τ^{i} G_{1}) + \sum_{i = 0}^{d} \overset{a}{^}_{i} (τ^{i} H_{1})$ and 0 otherwise.
The $EvalProve$ algorithm, on input a commitment key $c k,$ a polynomial $p \in F_{r}^{(\leq d)} [X],$ a decommitment $\overset{p}{^} \in F_{r}^{(\leq d)} [X],$ and $u \in F_{r},$ computes the polynomials $q (X) \overset{q}{^} (X) : = \frac{p ( X ) - p ( u )}{X - u} = i = 0 \sum d b_{i} X^{i}, : = \frac{p ^ ( X ) - p ^ ( u )}{X - u} = i = 0 \sum d \hat{b}_{i} X^{i},$ the group element $Π : = i = 0 \sum d b_{i} (τ^{i} G_{1}) + i = 0 \sum d \hat{b}_{i} (τ^{i} H_{1}) = q (τ) G_{1} + \overset{q}{^} (τ) H_{1},$ and returns $p (u)$ and the proof $(\overset{p}{^} (u), Π) .$
The $EvalVerif$ algorithm, on input a verification key $v k = (G_{1}, H_{1}, G_{2}, τ G_{2}),$ a commitment $C,$ a pair $(u, v) \in F_{r}^{2},$ and a proof $(\overset{v}{^}, Π),$ returns 1 if $e (C - v G_{1} - \overset{v}{^} H_{1}, G_{2}) = e (Π, τ G_{2} - u G_{2}) (19.2)$ and 0 otherwise.

Correctness can be verified in a similar way to DL-KZG.

Hiding Security

Thanks to the commitment randomization, poly-hiding and eval-hiding security both hold statistically for Ped-KZG.

Theorem 19.4. The Ped-KZG scheme is perfectly poly-hiding.

Proof

For any $τ \in F_{r}$ and any polynomial $p \in F_{r}^{(\leq d)} [X],$ the commitment $C$ returned by the $Commit$ algorithm is uniformly random in $G_{1}$ due to the addition of the term $\overset{p}{^} (τ) .$ Hence, the $Commit$ oracle in the POLY-HIDING game does not reveal any information about the hidden bit $b .$

Theorem 19.5. The Ped-KZG scheme is statistically eval-hiding. More precisely, for any adversary $A,$ one has $Adv_{A}^{eval-hiding} \leq \frac{1}{2 ^{2 λ - 1}} .$

Proof

Let $A$ by a (computationally unbounded) adversary against the eval-hiding property of Ped-KZG. We can assume without loss of generality that $A$ is given $τ,$ the discrete logarithm $h$ of $H_{1}$ in base $G_{1},$ and the discrete logarithm $c = p (τ) + h \overset{p}{^} (τ)$ of the challenge commitment $C .$ Let u_i_, $i \in {1, \dots, d}$ be the queries of $A$ to oracle $Prove$ and $(v_{i}, (\overset{v}{^}_{i}, Π_{i}))$ be the corresponding answers. Note that $Π_{i}$ does not bring any additional information to $A$ as it can be computed from the other quantities, namely $Π_{i} = \frac{1}{τ - u _{i}} (C - v_{i} G_{1} - \overset{v}{^}_{i} H_{1}) .$ Hence, all in all the adversary is given $d$ evaluations of $p$ and $\overset{p}{^}$ at the same points together with the value $c = p (τ) + h \overset{p}{^} (τ) .$ Note that $h \neq = 0$ since $H_{1}$ is a generator of $G_{1} .$ Hence, conditioned on $(u_{i}, v_{i}, \overset{v}{^}_{i})$ for $i \in {1, \dots, d}$ and $c,$ the value of $p (τ)$ is uniformly random and $A$ only has $d$ evaluations of $p .$ This implies that the probability that $A$ guesses $p (u)$ correctly for $u \in / {u_{1}, \dots, u_{d}}$ is $1/ ∣ F_{r} ∣ \leq 1/ 2^{2 λ - 1} .$

Binding Security

The poly-binding and eval-binding security properties hold under the same assumptions as for DL-KZG. The proofs are slightly more complex and must account for the possibility that the adversary solves the discrete logarithm problem for $H_{1}$ in base $G_{1} .$

Theorem 19.6. Assume that the $(d, 1)$ -co-DL problem is hard for $PairingSetup .$ Then the Ped-KZG scheme for maximal degree $d$ is poly-binding. More precisely, for any adversary $A$ against the poly-binding security of Ped-KZG for maximal degree $d,$ there exists an adversary $B$ for the $(d, 1)$ -co-DL problem running in time $t + O (λ d^{3}),$ where $t$ is the running time of $A,$ and such that $Adv_{A}^{poly-binding} (λ) = 2 \cdot Adv_{B}^{(d,1)-co-dl} (λ) .$

Proof

Let $A$ be an adversary against the poly-binding security of the Ped-KZG scheme for maximal degree $d .$ We construct an algorithm $B$ for the $(d, 1)$ -co-DL problem as follows. $B$ gets pairing group parameters $(G_{1}, G_{2}, G_{t}, r, e)$ and an instance $(G_{1}, x G_{1}, \dots, x^{d} G_{1}, G_{2}, x G_{2})$ of the $(d, 1)$ -co-DL problem. The goal of $B$ is to compute $x .$

Adversary $B$ randomly chooses between two indistinguishable ways to embed its instance into the parameters. Namely, it draws $b \leftarrow_{$} {0, 1}$ and proceeds as follows depending on $b :$

If $b = 0,$ then $B$ draws $h \leftarrow_{$} F_{r} ∖ {0}$ and runs $A$ on public parameters $p a r = (G_{1}, x G_{1}, \dots, x^{d} G_{1}, α G_{1}, h (x G_{1}), \dots, h (x^{d} G_{1}), G_{2}, x G_{2}) .$ This implicitly sets $τ = x$ and $H_{1} = h G_{1} .$
If $b = 1,$ then $B$ draws $τ \leftarrow_{$} F_{r}$ and runs $A$ on public parameters $p a r = (G_{1}, τ G_{1}, \dots, τ^{d} G_{1}, x G_{1}, τ (x G_{1}), \dots, τ^{d} (x G_{1}), G_{2}, τ G_{2}) .$ This implicitly sets $H_{1} = x G_{1} .$

Assume that $A$ is successful and returns a commitment $C$ and two distinct polynomials $p$ and $p^{'}$ of degree at most $d$ together with corresponding decommitments $\overset{p}{^}$ and $\overset{p}{^}^{'}$ such that $PolyVerif (p a r, C, p, \overset{p}{^}) = PolyVerif (p a r, C, p^{'}, \overset{p}{^}^{'}) = 1.$ This implies that $C = p (τ) G_{1} + \overset{p}{^} (τ) H_{1} = p^{'} (τ) G_{1} + \overset{p}{^}^{'} (τ) H_{1}$ and hence $(p (τ) - p^{'} (τ)) G_{1} + (\overset{p}{^} (τ) - \overset{p}{^}^{'} (τ)) H_{1} = 0.$ We can distinguish two cases:

case $p (τ) - p^{'} (τ) = 0 :$ If $b = 1$ then $B$ aborts. Otherwise, since $b = 0,$ we have $x = τ .$ Hence, $x$ is a root of the non-zero polynomial $(p - p^{'}) (X) \in F_{r}^{(\leq d)} [X] .$ This polynomial can be factored in time $O (d^{3} lo g (r))$ with the Cantor–Zassenhaus algorithm, which allows $B$ to compute all its roots and find $x .$
case $p (τ) - p^{'} (τ) \neq = 0 :$ If $b = 0$ then $B$ aborts. Otherwise, since $b = 1$ then $H_{1} = x G_{1} .$ This implies that $p (τ) - p^{'} (τ) + x (\overset{p}{^} (τ) - \overset{p}{^}^{'} (τ)) = 0.$ Then necessarily $\overset{p}{^} (τ) - \overset{p}{^}^{'} (τ) \neq = 0$ as otherwise this would contradict $p (τ) - p^{'} (τ) \neq = 0.$ Hence, $B$ can compute $x = \frac{p ( τ ) - p ^{'} ( τ )}{p ^ ^{'} ( τ ) - p ^ ( τ )} .$

The view of $A$ is independent from $b$ and hence $B$ aborts with probability $1/2,$ so that $Adv_{B}^{(d,1)-co-dl} (λ) = \frac{1}{2} Adv_{A}^{poly-binding} (λ) .$ The running time of $B$ is at most $t + O (λ d^{3}),$ which concludes the proof.

Theorem 19.7. Assume that the $d$ -SDH problem is hard for $PairingSetup .$ Then the Ped-KZG scheme for maximal degree $d$ is eval-binding. More precisely, for any adversary $A$ against the eval-binding security of Ped-KZG for maximal degree $d,$ there exists an adversary $B$ for the $d$ -SDH problem running in time similar to the time of $A$ and such that $Adv_{A}^{eval-binding} (λ) = 2 \cdot Adv_{B}^{d -sdh} (λ) .$

Proof

Let $A$ be an adversary against the eval-binding security of the Ped-KZG scheme for maximal degree $d .$ We construct an adversary $B$ for the $d$ -SDH problem. $B$ gets pairing group parameters $(G_{1}, G_{2}, G_{t}, r, e)$ and an instance $(G_{1}, x G_{1}, \dots, x^{d} G_{1}, G_{2}, x G_{2})$ of the $d$ -SDH problem. The goal of $B$ is to return a pair $(a, Y)$ such that $Y = \frac{1}{x + a} G_{1} .$

Adversary $B$ randomly chooses between two indistinguishable ways to embed its instance into the parameters. Namely, it draws $b \leftarrow_{$} {0, 1}$ and proceeds as follows depending on $b :$

If $b = 0,$ then $B$ draws $h \leftarrow_{$} F_{r} ∖ {0}$ and runs $A$ on public parameters $p a r = (G_{1}, x G_{1}, \dots, x^{d} G_{1}, α G_{1}, h (x G_{1}), \dots, h (x^{d} G_{1}), G_{2}, x G_{2}) .$ This implicitly sets $τ = x$ and $H_{1} = h G_{1} .$
If $b = 1,$ then $B$ draws $τ \leftarrow_{$} F_{r}$ and runs $A$ on public parameters $p a r = (G_{1}, τ G_{1}, \dots, τ^{d} G_{1}, x G_{1}, τ (x G_{1}), \dots, τ^{d} (x G_{1}), G_{2}, τ G_{2}) .$ This implicitly sets $H_{1} = x G_{1} .$

Assume that $A$ is successful and returns a commitment $C,$ a field element $u \in F_{r},$ and two valid value/proof pairs $(v, (w, Π))$ and $(v^{'}, (w^{'}, Π^{'}))$ with $v \neq = v^{'} .$ Then $B$ proceeds as follows. First, it checks whether $u = τ$ (e.g., by checking whether $u G_{1}$ is equal to the second group element of the parameters $p a r) .$ If this is the case, then $B$ simply picks an arbitrary element $a \in F_{r} ∖ {- τ}$ and returns $(a, \frac{1}{τ + a} G_{1}) .$ From now on, we assume $u \neq = τ .$ The validity of the two proofs imply that $e (C - v G_{1} - w H_{1}, G_{2}) and e (C - v^{'} G_{1} - w^{'} H_{1}, G_{2}) = e (Π, τ G_{2} - u G_{2}) = e (Π^{'}, τ G_{2} - u G_{2}) .$ Combining these two equations, we get $e ((v^{'} - v) G_{1} + (w^{'} - w) H_{1}, G_{2}) e (\frac{v ^{'} - v}{τ - u} G_{1} + \frac{w ^{'} - w}{τ - u} H_{1}, G_{2}) = e (Π - Π^{'}, (τ - u) G_{2}) = e (Π - Π^{'}, G_{2}),$ where we used that $u \neq = τ .$

We can now distinguish two cases:

case $Π \neq = Π^{'} :$ If $b = 1$ then $B$ aborts. Otherwise, since $b = 0,$ we have $τ = x$ and $B$ knows the value $h$ such that $H_{1} = h G_{1} .$ The equation above yields $e (\frac{v ^{'} - v + h ( w ^{'} - w )}{x - u} G_{1}, G_{2}) = e (Π - Π^{'}, G_{2}),$ This implies in particular that $v^{'} - v + h (w^{'} - w) \neq = 0$ as otherwise this would imply $Π = Π^{'} .$ Hence, $e (\frac{1}{x - u} G_{1}, G_{2}) = e (\frac{1}{v ^{'} - v + h ( w ^{'} - w )} (Π - Π^{'}), G_{2})$ which implies that $Y : = \frac{1}{v ^{'} - v + h ( w ^{'} - w )} (Π - Π^{'}) = \frac{1}{( x - u )} G_{1}$ Thus, $B$ can return $(- u, Y)$ as solution to the $d$ -SDH instance.
case $Π = Π^{'} :$ If $b = 0$ then $B$ aborts. Otherwise, since $b = 1;$ we have $H_{1} = x G_{1}$ and the equation above yields $e (\frac{v ^{'} - v + x ( w ^{'} - w )}{τ - u} G_{1}, G_{2}) = e (0, G_{2}),$ which implies $(v^{'} - v) + x (w^{'} - w) = 0.$ We cannot have $w = w^{'}$ as this would imply $v = v^{'}$ whereas $v \neq = v^{'}$ when $A$ is successful. Hence, $B$ can compute $x = (v^{'} - v) (w^{'} - w)^{- 1},$ choose an arbitrary $a \in F_{r} ∖ {- x},$ and return $(a, \frac{1}{x + a} G_{1})$ as solution to the SDH instance.

The view of $A$ is independent from $b$ and hence $B$ aborts with probability $1/2,$ so that $Adv_{B}^{d -sdh} (λ) = \frac{1}{2} Adv_{A}^{eval-binding} (λ) .$ The running time of $B$ is similar to the running time of $A,$ which concludes the proof.

Discussion

Efficiency

DL-KZG commitments are extremely succinct and rather cheap to verify: a commitment and a proof take one elliptic curve point each (e.g., 48 bytes when using BLS12-381) and verifying an opening essentially takes two pairings. In case one has to verify many openings for the same commitment, the verification equation (19.1) can be equivalently written $e (C, G_{2}) = e (G_{1}, G_{2})^{v} e (Π, τ G_{2} - u G_{2}),$ where $e (C, G_{2})$ and $e (G_{1}, G_{2})$ can be computed once and stored for verifying multiple openings, allowing to trade one pairing for one exponentiation in $G_{t} .$ On the other hand, the size of the commitment key and the complexity of algorithms $Commit$ and $EvalProve$ are linear in $d,$ the maximal degree of committed polynomials (which when building SNARKs can be quite large).

Trusted Setup

The secret value $τ$ drawn by the $Setup$ algorithm must be securely deleted once the commitment key has been set up as it allows to break the evaluation binding property of the scheme. Indeed, knowing $τ,$ given an arbitrary commitment $C \in G_{1},$ one can open this commitment at any point $u \neq = τ$ to any value $v$ by computing the proof as $Π = (τ - u)^{- 1} (C - v G_{1}) .$ Then the verification equation (19.1) is satisfied as $e (Π, τ G_{2} - u G_{2}) = e ((τ - u)^{- 1} (C - v G_{1}), (τ - u) G_{2}) = e (C - v G_{1}, G_{2}) .$

This is quite different from the $Setup$ procedure of the Pedersen commitment scheme, for which it is possible to proceed without ever generating any trapdoor explicitly. There is no (efficient) way known to implement the $Setup$ procedure for KZG without explicitly sampling $τ .$ To the best of my knowledge, there is also no proof that this is impossible. The assumption that this is impossible looks quite similar to many "knowledge of exponent" assumptions, hence the claim that running the KZG setup obliviously of $τ$ is impossible is presumably true but not provable with known techniques. It is, however, possible to run the setup in a decentralized fashion, ensuring that the process is secure as long as a single party behaves honestly (see for example [NRBB22]).

Note that it is possible to check that the trusted setup yielded public parameters having the correct form, namely that there indeed exists $τ \in F_{r}$ such that $p a r = (G_{1}, τ G_{1}, \dots, τ^{d} G_{1}, G_{2}, τ G_{2}) .$ Say we are given $p a r = (P_{0}, P_{1}, \dots, P_{d}, G_{2}, H_{2}) .$ Let $τ$ be defined as the discrete log of $H_{2}$ in base $G_{2},$ i.e., $H_{2} = τ G_{2},$ and set $G_{1} = P_{0} .$ Then $c k$ has the correct form if and only if for every $i \in {0, \dots, d - 1},$ $e (P_{i}, H_{2}) = e (P_{i + 1}, G_{2}) .$ Indeed, one has the following equivalences: $e (P_{i}, H_{2}) = e (P_{i + 1}, G_{2}) ⟺ e (P_{i}, τ G_{2}) = e (P_{i + 1}, G_{2}) ⟺ e (τ P_{i}, G_{2}) = e (P_{i + 1}, G_{2}) ⟺ P_{i + 1} = τ P_{i} .$

Summary of KZG Properties

	DL-KZG	Ped-KZG
param. size	$(d + 1)$ $∣ G_{1} ∣$ + $2$ $∣ G_{2} ∣$	$(2 d + 2)$ $∣ G_{1} ∣$ + $2$ $∣ G_{2} ∣$
comt. size	$1$ $∣ G_{1} ∣$	$1$ $∣ G_{1} ∣$
proof size	$1$ $∣ G_{1} ∣$	$1$ $∣ G_{1} ∣$ + $1$ $∣ F_{r} ∣$
poly-hiding	---	perfect
eval-hiding	DL in $G_{1}$	perfect
poly-binding	$(d, 1)$ -co-DL	$(d, 1)$ -co-DL
eval-binding	$d$ -SDH	$d$ -SDH

Multi-evaluation Proofs

We will see that the DL-KZG scheme can be generalized to allow proving multiple evaluations with one single proof consisting of a single $G_{1}$ element. This technique can also be applied to Ped-KZG but it is much less interesting since the size of the proof for $n$ evaluations is one $G_{1}$ element plus $n$ field elements, hence it grows linearly with $n .$

Recall that for a polynomial $p \in F_{(\leq d)} [X],$ $p (u) = v$ is equivalent to $p (X) - v$ being divisible by $X - u .$ How does this generalize to multiple evaluations?

First, let us recall some vocabulary from the section about Lagrange interpolation. An evaluation domain (or simply domain) of size $n$ is a subset $U \subset F$ of size $n .$ The vanishing polynomial over $U$ is the polynomial $z (X)$ defined as $z_{U} (X) : = i = 1 \prod n (X - u_{i}) .$ A multi-evaluation of size $n$ is a subset $E = {(u_{1}, v_{1}), \dots, (u_{n}, v_{n})} \subset F^{2}$ such that $u_{i} \neq = u_{j}$ for $i \neq = j .$ The evaluation domain associated with $E = {(u_{1}, v_{1}), \dots, (u_{n}, v_{n})}$ is $U : = {u_{1}, \dots, u_{n}} .$ We say that a polynomial $p \in F [X]$ satisfies a multi-evaluation $E = {(u_{1}, v_{1}), \dots, (u_{n}, v_{n})}$ if $p (u_{i}) = v_{i}$ for every $i \in {1, \dots, n} .$

The idea of multi-evaluation proofs relies on the generalized polynomial remainder theorem that we restate here. Let $p \in F [X],$ $E = {(u_{1}, v_{1}), \dots, (u_{n}, v_{n})}$ be a multi-evaluation of size $n \leq deg (p),$ and $U : = {u_{1}, \dots, u_{n}} .$ Let $z (X)$ be the vanishing polynomial for domain $U$ and $ℓ (X)$ be the Lagrange interpolation polynomial for $E,$ i.e., the unique polynomial of degree at most $n - 1$ such that $ℓ (u_{i}) = v_{i}$ for every $i \in {1, \dots, n} .$ Then $p$ satisfies $E$ if and only if $z (X)$ divides $p (X) - ℓ (X) .$

For $n = 1,$ one recovers the standard polynomial remainder theorem since for a single point $(u, v)$ the vanishing polynomial is $X - u$ and the Lagrange interpolation polynomial is the constant polynomial $ℓ (X) = v,$ hence $p$ satisfies $p (u) = v$ if and only if $X - u$ divides $p (X) - v .$

Syntax and Security Definition

Let us now see how to adapt the syntax of a PC scheme to accommodate multi-evaluation proofs. Concretely, a PC scheme with multi-evaluation proofs consists of five algorithms: $Setup,$ $Commit,$ and $PolyVerif$ have the same syntax as for a standard PC scheme, while $EvalProve$ and $EvalVerif$ are replaced respectively by the following two algorithms:

a $MultiProve$ algorithm which on input parameters $p a r,$ a polynomial $p \in F_{(\leq d)} [X],$ a decommitment $D,$ and a tuple $(u_{1}, \dots, u_{n}) \in F^{n}$ of $n$ distinct field elements, $n \leq d,$ returns a tuple $(v_{1}, \dots, v_{n}) \in F^{n}$ and a proof $Π;$
a $MultiVerif$ algorithm which on input parameters $p a r,$ a commitment $C,$ a multi-evaluation $E,$ and a proof $Π,$ returns 1 if $Π$ is a valid proof that the polynomial committed to by $C$ satisfies $E$ and 0 otherwise.

The correctness property can be straightforwardly adapted: for every security parameter $λ,$ every $d \in N,$ every $p \in F_{(\leq d)} [X],$ every $n \in {1, \dots, d},$ and every subset ${u_{1}, \dots, u_{n}} \subset F,$ the following game capturing the nominal execution of algorithms for multi-evaluation proving must return true with probability 1:

$p a r \leftarrow Setup (1^{λ}) (C, D) \leftarrow Commit (p a r, p) ((v_{1}, \dots, v_{n}), Π) \leftarrow MultiProve (p a r, p, D, (u_{1}, \dots, u_{n})) E : = {(u_{1}, v_{1}), \dots, (u_{n}, v_{n})} b \leftarrow MultiVerif (p a r, C, E, Π) assert (b = 1)$

We must modify the security definitions accordingly. The poly-hiding and poly-binding notion are identical to the ones defined for a standard PC scheme. The eval-hiding notion is very similar: one only needs to adapt the $Prove$ oracle so that it may be queried on domains of size larger than 1.

The eval-binding notion requires more care: we still want that no adversary can prove that a polynomial evaluates to two different values $v$ and $v^{'}$ at the same input point $u;$ however, now the adversary has the freedom to prove this for two different multi-evaluations $E$ and $E^{'}$ with the constraint that $(u, v) \in E$ and $(u, v^{'}) \in E^{'} .$ To emphasize the difference, we call this adapted security notion multi-binding. It is defined via the following game.

$\underline{Game MULTI-BINDING:} p a r \leftarrow Setup (1^{λ}) (C, (u, v, v^{'}), (E, Π), (E^{'}, Π^{'})) \leftarrow A (p a r) b \leftarrow EvalVerif (p a r, C, E, Π) b^{'} \leftarrow EvalVerif (p a r, C, E^{'}, Π^{'}) assert (u, v) \in E assert (u, v^{'}) \in E^{'} assert (v \neq = v^{'}) assert (b = 1) assert (b^{'} = 1)$

KZG with Multi-evaluation Proofs: Description

The DL-KZG multi-evaluation PC scheme works as follows:

The $Setup$ algorithm, on input the security parameter $1^{λ},$ runs $(G_{1}, G_{2}, G_{t}, r, e) \leftarrow PairingSetup (1^{λ}),$ draws random generators $G_{1}$ and $G_{2}$ of respectively $G_{1}$ and $G_{2},$ draws $τ \leftarrow_{$} F_{r},$ and returns public parameters $p a r : = (G_{1}, τ G_{1}, \dots, τ^{d} G_{1}, G_{2}, τ G_{2}, \dots, τ^{d} G_{2}) \in G_{1}^{d + 1} \times G_{2}^{d + 1} .$
The $Commit$ and $PolyVerif$ algorithms are defined exactly as for DL-KZG.
The $MultiProve$ algorithm, on input a commitment key $c k = (G_{1}, τ G_{1}, \dots, τ^{d} G_{1}),$ a polynomial $p \in F_{r}^{(\leq d)} [X],$ and a subset $U = {u_{1}, \dots, u_{n}} \subset F_{r}$ of size $n \in {1, \dots, d},$ computes the polynomials $z (X) ℓ (X) q (X) : = i = 1 \prod n (X - u_{i}), : = i = 1 \sum n p (u_{i}) 1 \leq j \leq n j \neq = i \prod \frac{X - u _{j}}{u _{i} - u _{j}}, : = \frac{p ( X ) - ℓ ( X )}{z ( X )} = i = 0 \sum d b_{i} X^{i},$ and the group element $Π : = \sum_{i = 0}^{d} b_{i} (τ^{i} G_{1}) = q (τ) G_{1}$ and returns $(p (u_{1}), \dots, p (u_{n}))$ and the proof $Π.$
The $MultiVerif$ algorithm, on input a verification key $v k = (G_{2}, τ G_{2}, \dots, τ^{d} G_{2}),$ a commitment $C,$ a multi-evaluation $E = {(u_{1}, v_{1}), \dots, (u_{n}, v_{n})}$ of size $n \in {1, \dots, d},$ and a proof $Π,$ computes the polynomials $z (X) ℓ (X) : = i = 1 \prod n (X - u_{i}), : = i = 1 \sum n v_{i} 1 \leq j \leq n j \neq = i \prod \frac{X - u _{j}}{u _{i} - u _{j}},$ and returns 1 if $e (C - ℓ (τ) G_{1}, G_{2}) = e (Π, z (τ) G_{2})$ and 0 otherwise.

Observe that the $MultiVerif$ algorithm must compute $ℓ (τ) G_{1}$ and $z (τ) G_{2} .$ For a multi-evaluation of size $n,$ $ℓ$ has degree at most $n - 1$ and $z$ has degree $n .$ Hence, if proofs for multi-evaluations of size at most $N$ are to be supported, one can restrict the public parameters to $p a r = (G_{1}, τ G_{1}, \dots, τ^{d} G_{1}, G_{2}, τ G_{2}, \dots, τ^{N} G_{2}) \in G_{1}^{d + 1} \times G_{2}^{N + 1}$ and derive a commitment key $c k = (G_{1}, τ G_{1}, \dots, τ^{d} G_{1}) \in G_{1}^{d + 1}$ and a verification key $v k = (G_{1}, τ G_{1}, \dots, τ^{N - 1} G_{1}, G_{2}, τ G_{2}, \dots, τ^{N} G_{2}) \in G_{1}^{N} \times G_{2}^{N + 1} .$

Security Proof

The proof of Theorem 19.3 can be adapted to show that DL-KZG is multi-binding under a slightly different assumption called $(q_{1}, q_{2})$ -bilinear strong Diffie-Hellman ( $(q_{1}, q_{2})$ -BSDH). This problem is as follows: given $(G_{1}, x G_{1}, \dots x^{q_{1}} G_{1}, G_{2}, x G_{2}, \dots, x^{q_{2}} G_{2}) \in G_{1}^{q_{1} + 1} \times G_{2}^{q_{2} + 1},$ compute a pair $(a, Y) \in F_{r} \times G_{t}$ such that $Y = e (G_{1}, G_{2})^{\frac{1}{x + a}} .$ Note that $(q_{1}, q_{2}) -BSDH ≦ (q_{1}, q_{2}) -SDH .$ Indeed, given a solution $(a, \frac{1}{x + a} G_{1})$ for some SDH instance, one can compute a solution $(a, e (\frac{1}{x + a} G_{1}, G_{2}))$ for the corresponding BSDH instance. The converse, though, is not known to hold, so that BSDH is presumably a stronger assumption than SDH.

Theorem 19.8. Assume that the $(d, N)$ -BSDH problem is hard for $PairingSetup .$ Then the DL-KZG multi-evaluation scheme for maximal degree $d$ and multi-evaluations of size at most $N$ is multi-binding. More precisely, for any adversary $A$ against the multi-binding security of DL-KZG, there exists an adversary $B$ for the $(d, N)$ -BSDH problem running in time similar to the time of $A$ and such that $Adv_{A}^{multi-binding} (λ) = Adv_{B}^{(d,N) -bsdh} (λ) .$

Proof

Let $A$ be an adversary against the multi-binding security of the DL-KZG scheme for maximal degree $d .$ We construct an adversary $B$ for the $(d, N)$ -BSDH problem. $B$ gets pairing group parameters $(G_{1}, G_{2}, G_{t}, r, e)$ and an instance $(G_{1}, τ G_{1}, \dots, τ^{d} G_{1}, G_{2}, τ G_{2}, \dots, τ^{N} G_{2})$ of the $(d, N)$ -BSDH problem. The goal of $B$ is to return a pair $(a, Y)$ such that $Y = e (G_{1}, G_{2})^{\frac{1}{τ + a}} .$ Adversary $B$ runs $A$ on input parameters $p a r = (G_{1}, τ G_{1}, \dots, τ^{d} G_{1}, G_{2}, τ G_{2}, \dots, τ^{N} G_{2}) .$ Assume that $A$ returns a commitment $C,$ a tuple $(u, v, v^{'}) \in F_{r}^{3},$ and two valid multi-evaluations/proof pairs $(E, Π)$ and $(E^{'}, Π^{'})$ such that $v \neq = v^{'},$ $(u, v) \in E,$ and $(u, v^{'}) \in E^{'} .$ If $u = τ$ (which $B$ can verify by checking whether $u G_{1}$ is equal to the second group element of the parameters $p a r),$ then $B$ simply picks an arbitrary element $a \in F_{r} ∖ {- τ}$ and returns $(a, e (G_{1}, G_{2})^{\frac{1}{τ + a}})$ as solution to the $d$ -BSDH instance. From now on, we assume that $u \neq = τ .$

Let $U,$ resp. $U^{'}$ be the evaluation domain corresponding to $E,$ resp. $E^{'} .$ Let also $z,$ resp. $z^{'}$ be the vanishing polynomial for $U,$ resp. $U^{'}$ and $ℓ,$ resp. $ℓ^{'}$ be the Lagrange interpolation polynomial for $E,$ resp. $E^{'} .$ Validity of the two proofs imply that $e (C - ℓ (τ) G_{1}, G_{2}) and e (C - ℓ^{'} (τ) G_{1}, G_{2}) = e (Π, z (τ) G_{2}) = e (Π^{'}, z^{'} (τ) G_{2}) .$ Combining these two equations, we obtain $e ((ℓ^{'} - ℓ) (τ) G_{1}, G_{2}) = e (Π, z (τ) G_{2}) e (Π^{'}, z^{'} (τ) G_{2})^{- 1} .$ We know that $u$ is a root of both $z (X)$ and $z^{'} (X) .$ Hence, there are polynomials $q$ and $q^{'}$ such that $z (X) = (X - u) q (X)$ and $z^{'} (X) = (X - u) q^{'} (X) .$ We also know that polynomial $(ℓ^{'} - ℓ) (X)$ evaluates to $v^{'} - v$ at $u .$ Hence, by the polynomial remainder theorem, there is a polynomial $q^{''}$ such that $(ℓ^{'} - ℓ) (X) = v^{'} - v + (X - u) q^{''} (X) .$ Note that $B$ can explicitly compute $q,$ $q^{'},$ and $q^{''} .$ Injecting this in the previous equation, we get $e ((v^{'} - v) G_{1}, G_{2}) e ((τ - u) q^{''} (τ) G_{1}, G_{2}) = e (Π, (τ - u) q (τ) G_{2}) e (Π^{'}, (τ - u) q^{'} (τ) G_{2})^{- 1} e ((v^{'} - v) G_{1}, G_{2}) = e (Π, (τ - u) q (τ) G_{2}) e (Π^{'}, (τ - u) q^{'} (τ) G_{2})^{- 1} e ((τ - u) q^{''} (τ) G_{1}, G_{2})^{- 1} e (G_{1}, G_{2})^{1/ (τ - u)} = (e (Π, q (τ) G_{2}) e (- Π^{'}, q^{'} (τ) G_{2}) e (- q^{''} (τ) G_{1}, G_{2}))^{1/ (v^{'} - v)},$ where for the last equality we used that $τ - u \neq = 0$ and $v^{'} - v \neq = 0.$ Hence, $B$ can return $(- u, Y),$ where $Y$ is the right-hand side of the last equation, as solution to the $(d, N)$ -BSDH instance.

As a sanity check, observe that for a single evaluation ( $n = 1),$ one has $q (X) = q^{'} (X) = 1$ and $q^{''} (X) = 0,$ in which case the last equation simplifies to $e (\frac{1}{τ - u} G_{1}, G_{2}) = e (\frac{1}{v ^{'} - v} (Π - Π^{'}), G_{2})$ which allows to solve the $d$ -SDH problem and recover Theorem 19.3.

A Practical Use Case

Ethereum is planning to use the KZG polynomial commitment scheme for proto-danksharding. Its properties make it a convenient solution to the data availability problem. A distributed trusted setup is being run at the time of writing.

Additional Resources

There are many resources explaining KZG out there, here are a few:

Section 15.2 of PAZK
this post by Andy Arditi
this other one by Dankrad Feist
yet another one by Alin Tomescu
or this video by Dan Boneh.

1: As for standard commitment schemes, the name can vary and this is sometimes called a common reference string (crs) or structured reference string (srs) when it does not consist of random bits and has a specific "shape", as it is the case for KZG.

2: In the seminal paper introducing polynomial commitment schemes [KZG10a], evaluation hiding is simply called hiding.

3: KZG polynomial commitments are often described with a symmetric pairing (i.e., $G_{1} = G_{2}),$ but we define them for an asymmetric pairing as this is the preferred option in practice.

4: Quite often, generators $G_{1}$ and $G_{2}$ are standard and specified in public parameters alongside $G_{1}$ and $G_{2} .$

5: The polynomial $q (X)$ is well-defined by the polynomial remainder theorem.

Crypto Book (Work in Progress)

Polynomial Commitment Schemes

Contents

Generalities

Syntax

Security

Informal Description of the KZG Schemes

The DL-KZG Scheme

Description

Hiding Security

Binding Security

The Ped-KZG Scheme

Description

Hiding Security

Binding Security

Discussion

Efficiency

Trusted Setup

Summary of KZG Properties

Multi-evaluation Proofs

Syntax and Security Definition

KZG with Multi-evaluation Proofs: Description

Security Proof

A Practical Use Case

Additional Resources