Schwartz-Zippel and Polynomials
Last updated
Last updated
We now want to introduce an idea called the Schwartz-Zippel lemma. A lemma is a proven statement used for proving other statements or theorems. The names Schwartz and Zippel reflect the names of some of the discoverers of this lemma.
This idea is statistical and it is going to be pinnacle in allowing us to check that a prover's computation has been done correctly. By choosing a random number and evaluating a polynomial there, we will be able to see whether a prover did their work in a valid way. Since the prover doesn't know what this number will be, they cannot 'prepare' their polynomial for it.
Before we formally define it, we want to touch on polynomials a little bit more. Most of what happens in zkSNARKs is to do with polynomials so spending more time on them is always worthwhile.
To recap, a polynomial is a formula where the variables have powers with positive, whole numbers, like or .
We often work with certain types of polynomials where there is an additional restriction. In SNARKs, we are interested in polynomials where the coefficients are all elements of a field.
Coefficients are numbers in front of the variables. In the coefficients are: for and for .
Let's say our field is , then would be a relevant polynomial (remember that in we have that , and therefore ), but wouldn't because it contains a fraction.
In terms of notation, we usually use to indicate the polynomials that we are interested in. indicates that we want the coefficients to be in , whilst the says that this will be a polynomial with as a variable. The polynomials can have powers of that are arbitrarily high, there is no limit on that.
We refer to the highest power of in a polynomial as the degree of the polynomial. For example the degree of is . The degree will play an important part in the Schwartz-Zippel lemma.
As will almost always be the case in cryptography, we are primarily interested in evaluating it on values from a field or a group. For example we might choose to evaluate these polynomials only at values within where is some huge prime.
The Schwartz-Zippel lemma essentially tells us that if we have two polynomials that have the same degree (the highest power term), for example , and some whose highest power is 7 (so its degree is also 7), then if we evaluate them at some randomly chosen point, let's say (the notation simply means the thing on the left is some element from the set on the right), and they have the same evaluation, so and , then it is safe to assume that the polynomials are actually the same, i.e. that .
But why is it safe to assume they are the same polynomial if they have the same evaluation? There are two primary things we need to think about.
Firstly, we need to consider the degree of our polynomials. If a polynomial has degree , then can cross the x-axis (i.e. evaluate to 0) at at most points. In fact, cannot evaluate to any value more than times. Let's explore that visually a bit.
Putting that all together, we can conclude that:
Because of the above two situations, the Schwartz-Zippel lemma follows that if two polynomials of the same degree evaluate to the same value on a randomly chosen point, then they are the same polynomial. Neat!
If we have a constant polynomial, i.e. where there are no powers of , for example , then the graph is just a horizontal line. Okay this actually breaks our rule since crosses the x-axis everywhere. But the case of a constant polynomial (there are no powers of , so the degree is ) is a special case.
What about if the degree is , like ? Well this curve will just be an upwards slope of . According to our rule, this line cannot cross any horizontal line more than once.
If we were to look at , we would have a more bendy curve. But let's try the same thing, draw horizontal lines and try to see if the curve crosses these lines at more than two points. Again, we won't find any.
These examples show that for a degree polynomial, any horizontal line in the graph cannot be crossed by the polynomial’s curve more than times. If is genuinely chosen at random after the polynomials are created, then it is not feasible to engineer to evaluate to the same value as at . Since the only way to arrive at the same value is by guessing, all we are left with is probability.
You might think that we can engineer so that its curve is the same as the curve of in most places, but make them differ in a few places.This is not possible - the curves of and can only cross in at most places. If they crossed at more places, then we could look at their difference . Since and are both degree polynomials, will also be of degree . But if and crossed each other more than times, will equal more than times, violating the rule we introduced above.
So if and are different polynomials, meaning their curves cross each others in at most places, how likely is it that they evaluate to the same value at ?
If is some number on the order of , and the degree of our polynomials is on the order of , then the chance of choosing something from the bucket within the bucket is roughly . How small is that? is roughly the number of atoms in our galaxy, the Milky Way. It is so unlikely that it is completely unreasonable to ever expect it to happen. The numbers we chose here reflect standard values we use in our zkSNARKs.
If , then for all values of
If , then the probability that for a randomly chosen is vanishingly small
Note: We said that would have to be chosen at random after the two polynomials and were already chosen. There is another scenario where this also works. If there is a way to keep invisible but still evaluate our polynomials there, then we can keep reusing this invisible value . A trusted setup lets us create this invisible value , which lets us create polynomial commitment schemes that allow us to check a prover’s proof, as we will see in a later section.