PolyCommit DL polynomial commitments

Let_{p ∈ N}+ be aτ-bit prime and let_Zp[x]be the ring of polynomials over the finite fieldZp.25A

polynomial commitment scheme is a cryptographic commitment scheme with which a committer

A

can commit to a polynomial _{f ∈ Z}p[x]and later open the commitment either polynomial-wise

to f or point-wise to a point i, f (i)
on f, for an arbitrary inputi ∈ Zp. Kate et al.’s PolyCom-

mitDL scheme [KZG10a; §3.2] is a bilinear pairing-based construction (seeDefinition24below)

for polynomial commitments in which the size of a commitment does not depend on the degree of the committed polynomial. Using a long-lived reference string comprising n + 1 elements from an order-pbilinear groupGH,

A

can commit to any polynomial f ∈ Zp[x]of degree at most n <√pusing only a singleGHelement.

Definition24. A (symmetric) bilinear pairing on the pair of groups(HG, GT) of prime orderpis

an efficient algorithme: HG × HG → GTthat satisfies the following two conditions.

1. Bilinearity: For allg˜1, ˜g2 ∈ HGand for all x ∈ Zp,e( ˜g x 1, ˜g2) = e( ˜g1, ˜g x 2) = e( ˜g1, ˜g2) x . 2. Non-degeneracy: For allg ∈˜ HG

∗

, e( ˜g, ˜g) , 1.

Ife: G × HH G → GTis a bilinear pairing, then the pair of groups (HG, GT)is called a bilinear pair.

We use a symmetric pairing for ease of exposition; however, generalizing our constructions to use asymmetric (specifically, Type III) pairings is not difficult and is substantially more efficient in practice. For an overview of the available choices of cryptographic pairings, we refer the reader to Galbraith, Paterson, and Smart [GPS08].

A degree-nPolyCommitDLcommon reference string is a tuple of the form

Polyτ n
= (G, GH T, p, ˜g, e), ( ˜g αj



 j ∈ [1, n])
,

where (H_{G, G}T) is a bilinear pair in whichGH andGT haveτ-bit prime orderp,e: HG × HG → GT

is an efficient bilinear pairing on (H_{G, G}T), g ∈˜ GH ∗

is a generator of HG, and α ∈ Z ∗ p is a

random trapdoor exponent. On input the security parameter1τ, a trusted initializer generates (HG, GT, p, ˜g, e) ←

G

H(1

τ

) using a suitable bilinear group-generating algorithm

G

H (as defined

25We usepto denote our prime in this subsection in order to emphasize that we are not working in the fieldZq whose order matches our ubiquitous multiplicative groupG.

in Definition25 in Appendix A) with respect to which certain computational intractability as- sumptions hold. (We discuss the necessary assumptions below.) It then selects the trapdoor exponentα ∈RZ

∗

p, uses it to compute the power basis( ˜g

α_{, . . . , ˜g}αn

), and then securely discards it immediately thereafter.26 To commit to a polynomial f(x) =

P

d j=0ajx j ∈ Zp[x] of degree d ≤ n,

A

computes C =

Q

d j=0 g˜ αj
aj = ˜gf (α)

using the appropriate values from Polyτ n
.

A

can of course openC

to f by simply revealing f to

B

and having

B

redo the calculation. Alternatively,

A

can openC to a point i, f (i)
on f by appealing to the Polynomial Remainder Theorem [Gal12; Corollary2 to Theorem16.2] and the properties of the bilinear pairing, as outlined in Protocol4.10.

Protocol4.10 (Point-wise opening in PolyCommitDL[KZG10a; §3.2]).

Common input: (C,i) ∈ HG × Zp\ {α}and (HG, GT, p, ˜g, e), (g αj



 j ∈ [1, n])

A

A

’s private input: _{f ∈ Z}p[x]such thatdeg f = dandC = ˜g f (α)

A

1: Write f(x) = Q(x)(x − i) + f (i), whereQ(x) =

P

d−1 j=0bjx

j

is the polynomial quotient obtained upon dividing f(x) − f (i) by (x − i).

A

computes the evaluation witness element

w

i =

Q

d−1

j=0 g˜ αj
_b

j = ˜gQ(α)

and sends i, f (i),

w

i

to

B

.

B

2: Boutputs1ife C/g˜f (i), ˜g
= e

w

i,g˜

α_/

˜

gi
, and outputs0otherwise.

Note that the evaluation witness

w

i is itself a PolyCommitDLcommitment whose length, like

that ofC , is independent ofdeg f. The point-wise and polynomial-wise opening procedures are each complete by inspection. Moreover, one can show that if

A

selects f ∈ Zp[x]uniformly

at random (subject only todeg f ≤ d), then (i)C is unconditionally hiding when

B

knows at most d − 1 evaluations of f (and the associated witnesses), (ii) C is computationally hiding under the DL assumption when

B

knows exactly d evaluations of f (and the associated wit- nesses) and thatdeg f ≤ d, and (iii) C is trivially non-hiding when

B

knows d + 1 or more

26We can view PolyCommitDLas a trapdoor commitment scheme: given access to the trapdoor exponentα,Acan open a PolyCommitDLcommitment to an arbitrary point(i, yi) ∈ Zp\ {α}
× Zp. Note that although knowledge of the trapdoor exponent affects the binding property in PolyCommitDL, it does not affect the hiding property; thus, it is sometimes acceptable for the recipientBto also be the trusted initializer. Alternatively, the trusted initializer can be replaced by a secure multiparty computation between, say, all of the committers and recipients that intend to use Polyτ n
.

evaluations of f.27 Point-wise openings are computationally binding under a pair of DL-like assumptions — thestrong Diffie-Hellman (SDH) assumption [BB08; §2.3] and thepolynomial

Diffie-Hellman (polyDH) assumption[KZG10a; Definition2] — and polynomial-wise openings

are computationally binding under theDL assumption. See Appendix A for definitions of the

SDHandpolyDH assumptions. We refer the reader to Kate et al.’s paper [KZG10a] for further

details on PolyCommitDLcommitments, including proofs of the above security claims.

Change of basis in the PolyCommitDLcommon reference string

Given a polynomial f ∈ Zp[x]of degree n whose coefficients (a0, . . . , an) are each bounded

above by a small constant, say 2λ0_{, we can use Straus’ algorithm to compute a commitment}

C = ˜gf (α)

to f using fewer than λ0 + (n + 1)λ0/2 multiplications in GH, on average. In our construction below, it is not the coefficients (a0, . . . , an) of f that are each bounded above by 2λ0_{, but the evaluations f(0), . . . , f (n)
at x} = 1,. . . ,n_{. It is therefore advantageous for us to}

perform a “change of basis” from the power basis( ˜g, ˜gα, . . . , ˜gαn)in the PolyCommit_DLcommon reference string to the appropriate Lagrange basis. (In fact, we keep both bases around as we still find the power basis useful for efficiently committing to low-degree polynomials.) In particular, the trusted initializer precomputes the sequence of PolyCommitDLcommitments( ˜g0, ˜g1, . . . , ˜gn)

in which eachg˜j = ˜g ℓ ℓ_j(α)

for the Lagrange coefficient ℓℓj(x) = n Y i=0,i,j x − i j − i. (4.3)

The committer can then useStraus’ algorithmwith this basis to evaluateC =

Q

n i=0g˜

f (i) i using

fewer thanλ0+ (n + 1)λ0/2multiplications inHG, on average.

27More precisely, solving for f ∈RZp[x]given (i) a PolyCommitDLcommitmentg˜ f (α)_to

f, (ii) a set ofddistinct points on f (and the associated witnesses), and (iii) a promise thatdeg f = d, is equivalent to solving a random DL problem instance inHG(or inGT, ifB prefers). The correct interpretation for the above binding property is therefore: if the bilinear pairs(HG, GT)are output by a bilinear group-generating algorithmGHwith respect to which

theDL assumptionholds (seeDefinition25inAppendix A), then no PPT algorithm can solve for a randomly selected f fromg˜f (α) _{and a set ofdeg f distinct points on}

f, except with probability negligible inτ ≈ lg p. A similar interpretation holds for the computational binding properties.

Note that this optimization does not affect the security of the underlying PolyCommit_DLcon- struction, as

A

can easily compute the commitments( ˜g0, ˜g1, . . . , ˜gn)in polynomial time from the

power basis( ˜g, ˜gα, . . . , ˜gαn). Indeed, we only have the trusted initializer output ( ˜g0, . . . , ˜gn) as

part of the public parameters for convenience.

In document Efficient Zero-Knowledge Proofs and Applications (Page 119-122)