Efficient Transparent Polynomial Commitments for zk-SNARKs

Abstract

This paper proposes a new efficient transparent polynomial commitment scheme. In a polynomial commitment scheme, a prover commits a polynomial and a verifier sends a random point to the prover. The prover then evaluates the polynomial on the given point with generating a proof that the evaluated value is correctly computed according to the committed function. Our construction is based on the polynomial commitment scheme (the DARK compiler) proposed by Bünz, Fisch, and Szepieniec in EUROCRYPT 2020. The approach of DARK is that a prover recursively generates 2 group elements as the proof for a polynomial with a halved degree and a verifier indirectly verifies them at each recursion. In our construction, a prover commits all the reduced polynomials across recursions at once, and then generates a single aggregated proof for them. By aggregating commitments from recursive steps in DARK, the proposed scheme reduces the proof size by half, and provides better performance in the proof generation and the proof verification compared to DARK. By adopting the proposed scheme, the efficiency of transparent SNARKs from polynomial IOPs can be significantly improved.

Appendix

1.1 Proof of Theorem 2

Proof

We show that an honest commiter passes all check in \(\textsf{PC}.\textsf{Ver}\) of Algorithm 2. We first show that \(g_{\mu +1}=s_{\mu +1} \pmod \ell \). By construction, \(s_1=r=\hat{g}_1 \pmod \ell \) and \(s_{i,R}=\hat{g}_{i,R} \pmod \ell \) for \(i=1,...,\mu \). We then have that \(s_{i,L}=s_i-q^{2^{\mu -i}}s_{i,R} \pmod \ell =\hat{g}_i-q^{2^{\mu -i}}\hat{g}_{i,R} \pmod \ell =\hat{g}_{i,L} \pmod \ell \) and \(s_{i+1}=s_{i,L}+\alpha _{i}s_{i,R}\pmod \ell =\hat{g}_{i,L}+\alpha _{i} \hat{g}_{i,R}\pmod \ell =\hat{g}_{i+1} \pmod \ell \) for \(i=1,\dots ,\mu \). This proves \(g_{\mu +1}=s_{\mu +1} \pmod \ell \). With similar argument, it holds that \(g_{\mu +1}=y_{\mu +1} \pmod p\).

Next we show that \(|g_{\mu +1}|\le b=(p-1)p^\mu \). Note that \(f \in \mathbb Z(p-1)[\mu ]\). Let \(b_1=p-1\). Suppose, for each i, there exists a bound \(b_i\) such that \(\Vert g_{i}\Vert _\infty \le b_i\). Since \(\alpha _{i}\in [0,p-1]\), we have \(\Vert g_{i+1}\Vert _\infty =\Vert g_{i,L}+\alpha _i g_{i,R}\Vert _\infty \le b_ip=(p-1)p^i\) for \(i=1,\dots ,\mu \). Finally, \({\textsf{PoKRep}}.\textsf{Ver}\) returns 1 because

$$\begin{aligned} C\cdot \prod _{i=1}^\mu D_i =G^{\hat{f}}\cdot \prod _{i=1}^{\mu }R_i^{\hat{g}_{i,R}}=G^{\left\lfloor \frac{\hat{f}}{\ell } \right\rfloor \ell + \hat{f} \bmod \ell }\cdot \prod _{i=1}^{\mu }R_i^{\left\lfloor \frac{\hat{g}_{i,R}}{\ell }\right\rfloor \ell +\hat{g}_{i,R} \bmod \ell }=Q^\ell \cdot G^{r}\cdot \prod _{i=1}^\mu R_i^{s_{i,R}}. \end{aligned}$$

1.2 Sketch of Proof for Theorem 3

Lemma 2

([16, Lemma 6]). For any \(\mu \)-variate multilinear polynomial f over \(\mathbb Z\) and \(p\ge 2\), \(\Pr _{\vec \alpha \,{\mathop {\leftarrow }\limits ^{\$}}\,[0,p-1]^\mu }[|f(\vec \alpha )|\le \frac{1}{p^\mu }\cdot \Vert f\Vert _\infty ]\le \frac{3\mu }{p}\).

Proof Sketch

We prove that the proposed polynomial commitment scheme is knowledge sound, thus, has witness-extended emulation [30]. We first define the series of bounds \(B_{\mu +1}\le \cdots \le B_1\) by \(B_{i}:=(p-1)p^{2\mu -i+1}\) for \(i=\mu +1,\dots ,1\). Note that \(B_{\mu +1}\) is equal to the bound parameter b in the proposed polynomial commitment scheme. We describe the extractor \({\mathcal {E}}_{\textsf{PC}}\). The extractor \({\mathcal {E}}_{\textsf{PC}}\) employs a poly-time knowledge extractor \({\mathcal {E}}_{\textsf{PoKRep}}\) of the protocol \({\textsf{PoKRep}}\). The description of \({\mathcal {E}}_{\textsf{PoKRep}}\) is given in [7, proof of Theorem 7]. \({\mathcal {E}}_{\textsf{PoKRep}}\) receives a polynomial in \(\lambda \) (denoted as \(\textsf{poly}(\lambda )\)) number of accepting \({\textsf{PoKRep}}\)–transcripts and extracts an input integer vector. Let \(\textsf{tr}_{\textsf{PC}}=\{C,(D_i,y_{i,R},\alpha _i)_{i=1,\dots ,\mu },g_{\mu +1}\mathrel {,}Q,(\ell ,(r,\vec s))\}\) be an accepting transcript that \({\mathcal {P}}\) and \({\mathcal {V}}\) generate by executing \(\textsf{PC}.\textsf{Commit}\), \(\textsf{PC}.\textsf{Open}\), and \(\textsf{PC}.\textsf{Ver}\). Algorithm \({\mathcal {E}}_\textsf{PC}\) works as follows:

1. 1.

   on input \({U:=C\prod _{i=1}^\mu D_i}\), call \({\textsf{PoKRep}}\) \(\textsf{poly}(\lambda )\) times, sampling fresh randomness \(\ell \) for \({\mathcal {V}}\), and obtain \(\textsf{poly}(\lambda )\) number of accepting transcripts \(T:=\{(\ell _i,Q_i,(r_i,\vec s_i))\}_{i=1,\dots ,\textsf{poly}(\lambda )}\) of \({\textsf{PoKRep}}\).

2. 2.

   run \({\mathcal {E}}_{\textsf{PoKRep}}\) on input T and obtain a witness integer vector \((\hat{g}_1'', \hat{g}_{i,R}',\dots ,\hat{g}_{\mu ,R}')\) such that \(U=G^{\hat{g}_1'}\prod _{i=1}^\mu R_i^{\hat{g}_{i,R}'}\).

3. 3.

   set \(\hat{g}_{\mu +1}'\leftarrow g_{\mu +1}\) and compute \(\hat{g}_i' \leftarrow (\hat{g}_{i+1}'-\alpha _i\cdot \hat{g}_{i,R}')+q^{2^{\mu -i}}\hat{g}_{i,R}'\) from \(i=\mu \) to 1. If \(\Vert g_1''(X_1,\dots ,X_\mu ):=\rho _q^{-1}(\hat{g}_1'')\Vert _\infty > B_1\) or \(\Vert g_i'(X_1,\dots ,X_{\mu -i+1})\Vert _\infty > B_i\) for some \(i\in [1,\mu ]\), then return to Step 1.

4. 4.

   if \(\hat{g}_1'=\hat{g}_1''\) and \(g_1'(\vec z)=y\pmod {p}\), output \(g_1'\) and stop.

5. 5.

   return to Step 1.

We argue that \({\mathcal {E}}_\textsf{PC}\) succeeds with overwhelming probability in a \(\textsf{poly}(\lambda )\) number of rounds. We first claim that Step 3 of \({\mathcal {E}}_\textsf{PC}\) successfully outputs integers \(\hat{g}_1''\) and \(\hat{g}_i'\)’s for \(i=1,\dots ,\mu \) such that \(\Vert \rho _q^{-1}(\hat{g}_1'')\Vert _\infty \le B_1\) and \(\Vert \rho _q^{-1}(\hat{g}_{i}')\Vert _\infty \le B_i\) with overwhelming probability. Suppose we have \(\hat{g}_i'\) such that \(\Vert \rho _q^{-1}(\hat{g}_{i}')\Vert _\infty > B_i\) from an accepting transcript. Then, by Lemma 2, we have \(\Pr [|g_i'(\alpha _\mu ,\dots ,\alpha _{i})|\le B_{\mu +1}]=\Pr [|g_i'(\alpha _\mu ,\dots ,\alpha _{i})|\le B_i/{p^{\mu -i+1}}]\le \Pr [|g_i'(\alpha _\mu ,\dots ,\alpha _{i})|\le \Vert g_i'\Vert _\infty /{p^{\mu -i+1}}]\le \frac{3(\mu -i+1)}{p}\le \frac{3\mu }{p}\), where \({(\alpha _\mu ,\dots ,\alpha _{i})\,{\mathop {\leftarrow }\limits ^{\$}}\,[0,p-1]^{\mu -i+1}}\). Thus, the probability that Step 3 fails to output integers is less than or equal to \(\frac{3\mu ^2}{p}\approx \frac{3\mu ^2}{2^\lambda }\), which is negligible.

We now claim that Step 4 of \({\mathcal {E}}_\textsf{PC}\) successfully outputs a witness polynomial. We argue that \(\hat{g}_1'=\hat{g}_1''\) holds with overwhelming probability. From Step 3, we have \(\hat{g}_1'=\hat{g}_{\mu +1}'+\sum _{i=1}^{\mu }(q^{2^{\mu -i}}-\alpha _i){\hat{g}_{i,R}'}\). Then, by the \(\textsf{PC}.\textsf{Ver}\), it holds that \(\hat{g}_1' = s_{\mu +1}+\sum _{i=1}^{\mu }(q^{2^{\mu -i}}-\alpha _i){\hat{s}_{i,R}}=r=\hat{g}_1''\pmod {\ell }\). Because the verifier sends a randomly selected \(\lambda \)-bit prime \(\ell \) to the prover after the verifier receives all commitments made by the prover, the probability that \(\hat{g}_1'\ne \hat{g}_1''\) is negligible. Finally, we show that \(g_1'(\vec z)=y\). Note that \(g_{\mu +1}=y+\sum _{i=1}^\mu (\alpha _i-z_{\mu +1-i})y_{i,R} \pmod {p}\) from \(\textsf{PC}.\textsf{Ver}\). We also have that \(g_{\mu +1}=g_1'(z_1,\dots ,z_\mu )+\sum _{i=1}^\mu (\alpha _i-z_{\mu +1-i})g_{i,R}'(z_1,\dots ,z_{\mu -i}) \pmod {p}\) from \({\mathcal {E}}_\textsf{PC}\). Thus, \(y+\sum _{i=1}^\mu (\alpha _i-z_{\mu +1-i})y_{i,R}=g_1'(z_1,\dots ,z_\mu )+\sum _{i=1}^\mu (\alpha _i-z_{\mu +1-i})g_{i,R}'(z_1,\dots ,z_{\mu -i}) \pmod {p}\) for \(\vec z=(z_1,\dots ,z_{\mu -i})\) and randomly selected \((\alpha _1,\dots ,\alpha _\mu )\) in \(\textsf{PC}.\textsf{Open}\). This means that \(g_1'(\vec z)=y \pmod {p}\), \(g_{i,R}'=y_{i,r}\pmod {p}\) for \(i=1,\dots ,\mu \) with overwhelming probability.