🪄
SNARK Fundamentals
  • 🪄SNARK Fundamentals: A Complete Beginner's Introduction
  • Part 1. What are SNARKs?
    • Argument of Knowledge
    • zkSNARKs in Action
  • Part 2. Math (to get to PLONK)
    • Fundamental Objects
    • Schwartz-Zippel and Polynomials
    • Elliptic Curves and DLOG
    • Polynomial Commitment Schemes
  • Part 3. Proof systems in the wild
    • A Bird’s Eye View of PLONK
    • Comparing Proof Systems
  • 🧙Further exploration
Powered by GitBook
On this page
  1. Part 2. Math (to get to PLONK)

Polynomial Commitment Schemes

And now we arrive at a more complex object, one that is used all over cryptography due to its usefulness, an elliptic curve group. An elliptic curve group consists of all the points that satisfy some elliptic curve equation within some specified finite field.

That’s right, we can make a group using elliptic curves, but they look different to the groups we looked at before because, rather than normal numbers, our set consists of points on an elliptic curve. The binary operation is not multiplication or normal addition, but instead the elliptic curve addition we explored earlier. And the identity element is not 0, but the point at infinity that we refer to as OOO.

That is the final piece of the puzzle for the most important component of zkSNARKs, a polynomial commitment scheme!

Mixing Objects: Polynomials & Elliptic Curves

So far we have been evaluating our polynomials of interest at values from fields, such as Fq\mathbb{F}_qFq​, but that doesn't have to be the case. We could evaluate our polynomials at values from a group too, like an elliptic curve (EC) group.

If our polynomial is f(x)=x2+3x+5f(x)=x^2+3x+5f(x)=x2+3x+5, then instead of putting in numbers and getting out numbers, like f(2)=22+3∗2+5=4+6+5=15f(2)=2^2+3*2+5=4+6+5=15f(2)=22+3∗2+5=4+6+5=15, we will put in a number and get out an elliptic curve point. For example if GGG is our base point on the EC, we have that f(2)=22G+3∗2G+5G=15Gf(2)=2^2G+3*2G+5G=15Gf(2)=22G+3∗2G+5G=15G.

You may notice that the evaluation of the above 2 look identical, except that the second one has a GGG at the end. The GGG is very useful because it lets us evaluate polynomials at points of unknown order! What does that mean? Let’s explore.

A point of unknown order is TTT where T=nGT=nGT=nG (so the EC point GGG added to itself nnn times) and nobody knows what nnn is. And thanks to the DLOG assumption, nobody can work it out.

How do we get such a point? We use something called a trusted setup, but that takes some more time to explain, so for now, just imagine that somebody you really trust gave it to you, for example David Attenborough. He went on his computer, made TTT, and then deleted nnn from memory, so he can’t even recover it.

Not only did he make TTT, he also made T2=n2GT^2=n^2GT2=n2G, as well as T3=n3GT^3=n^3GT3=n3G, and many more of these, up to T1010=n1010GT^{10^{10}}=n^{10^{10}}GT1010=n1010G.

Now that we have TTT and its powers, we can create a polynomial such as f(x)=x2+3x+5f(x)=x^2+3x+5f(x)=x2+3x+5 like we had above and we can evaluate it at an unknown point!

f(T)=T2+3T+5G=n2G+3nG+5G=(n2+3n+5)G=Pf(T)=T^2+3T+5G=n^2G+3nG+5G=(n^2+3n+5)G=Pf(T)=T2+3T+5G=n2G+3nG+5G=(n2+3n+5)G=P

We have the result PPP, meaning we know that the polynomial evaluates to PPP somewhere. But where does it evaluate to PPP? We don’t know. Well, we know that it is nnn, where T=nGT=nGT=nG, but nobody knows what nnn is – so it is unknown. Thus we can now evaluate polynomials at points of unknown order.

And that allows us to commit to polynomials and later reveal them. For example, let’s say you and I want to guess the price of three objects, but none of us wants to reveal our guesses before the other. If our three guesses are $37, $65, $134, then we can make a polynomial f(x)=37x2+65x+134f(x)=37x^2+65x+134f(x)=37x2+65x+134.

Now, instead of telling me your guesses, you can commit to your polynomial by determining f(T)=37T2+65T+134=Pf(T)=37T^2+65T+134=Pf(T)=37T2+65T+134=P and send me PPP. When I receive PPP, I have no way of determining what your polynomial was and therefore what your guesses are. Similarly I can send you my version of PPP, call my version P’P’P’, which would be the evaluation of my polynomial at TTT.

Now that we have both sent each other our commitments, we can reveal what our guesses were. We refer to this process of revealing our polynomials as an opening.

Once you commit to a polynomial you cannot change it since the commitment can be used to identify that you are lying. All I would need to do is make the polynomial with your guesses (so this happens after you open your commitment), let's call the polynomial I make from the opening you gave me g(x)g(x)g(x), then evaluate it at TTT and find that g(T)g(T)g(T) does not equal the f(T)f(T)f(T) commitment value that you sent me.

And finally, the Schwartz-Zippel lemma tells us that the chance of guessing the correct PPP is absolutely miniscule. Our polynomials have degree ddd and evaluate to a point in Fp\mathbb{F}_pFp​ where ppp is absolutely huge. Thus any polynomial we make can evaluate to PPP at at most ddd points. If we want to change our polynomial f(x)f(x)f(x), we have to make sure that the new polynomial g(x)g(x)g(x) evaluates to PPP at nnn. But we don’t know what nnn is, so we just have to randomly guess. And since ddd is so small compared to ppp, the chances of us guessing correctly are essentially impossible.

To summarize, a Polynomial Commitment Scheme (PCS) is a process that involves:

  1. Creating a point of unknown order such as T=nGT=nGT=nG where GGG and TTT are known but nnn isn’t (nnn is kept hidden thanks to the DLOG assumption) via a process known as a trusted setup ceremony (David Attenborough in our example).

  2. Creating powers of that point of unknown order, T2T^2T2, T3T^3T3, up to TmT^mTm for some number mmm

  3. Choosing a polynomial, any we wish

  4. Committing to that polynomial by evaluating it at the point of unknown order

  5. Opening that commitment by revealing our polynomial

  6. Revealing a polynomial that is different to the one we committed to is impossible, because if we did then the Schwartz-Zippel lemma tells us that when the verifier checks it, they will see that it does not match the commitment we sent them earlier

We only need to do the trusted setup ceremony once, and then we can reuse the result from it again and again every time we want to use the PCS.

PreviousElliptic Curves and DLOGNextPart 3. Proof systems in the wild

Last updated 1 year ago