Recall: How to build an Efficient SNARK?
What is a Polynomial Commitment?
- A bit more formality
Group Theory
KZG Poly-Commit Scheme with Pairings
Bulletproofs
- The Magic Trick
More Poly-Commit Schemes
- Hyrax
- Dory
- Dark
Summary

Recall: How to build an Efficient SNARK?

There are various paradigms on building SNARKs, but the general paradigm is made up of two steps:

A functional commitment scheme, which is a cryptographic object
A suitable interactive oracle proof (IOP), which is an information theoretic object

In Lecture 5, we have seen PLONK, which operated with:

A univariate polynomial commitment scheme
PLONK polynomial IOP

In Lecture 4, we have seen another method using the sum-check protocol:

A multivariate polynomial commitment scheme
Sum-check protocol for IOP

In this lecture, we will dive deeper into polynomial commitment schemes, in particular those that are based on bilinear pairings and discrete logarithm.

What is a Polynomial Commitment?

Consider a family of polynomials $F$ . The prover has some polynomial $f \in F$ that is a function $f : X \to Y$ . The interactions of a polynomial commitment scheme look like the following:

sequenceDiagram
	actor P as Prover
	actor V as Verifier

	note over P: f ∈ F

	P ->> V: (1) com_f := commit(f)
	V ->> P: (2) u ∈ X
	P ->> V: (3) v ∈ Y, proof π
	note over V: (4) Accept or Reject

Let us explain each numbered step in this sequence diagram:

Prover commits to the polynomial, and sends the commitment $co m_{f}$ , also shown as $f$ .
The verifier would like to query this polynomial at some value $u$ , so it sends this to the prover.
Prover evaluates $v := f (u)$ and sends this to verifier, along with a proof $π$ that indeed $v = f (u)$ and $f \in F$ .
The verifier will verify this proof, and accept if it is valid.

A bit more formality

Let's make a more formal definition of polynomial commitments now. They are made of 4 algorithms:

$k ey g e n (λ, F) \to g p$ generate public parameters given the polynomial family and security parameter $λ$ . Note the $g p$ is also known as "common reference string", or "public key" too.
$co mmi t (g p, f) \to co m_{f}$ computes the commitment to the given polynomial.
$e v a l (g p, f, u) \to v, π$ is the evaluation method that the prover uses to compute $v := f (u)$ and generate a proof that $v = f (u)$ this is true and $f \in F$ .
$v er i f y (g p, co m_{f}, u, v, π) \to {0, 1}$ verifies an evaluation, and it will either accept or reject (which is why I used a bit to represent output).

Polynomial commitment has the following properties:

Correctness: if the prover is honest, and follows the given algorithms above, then $v er i f y$ should always accept. We won't go too much into this one yet.

Knowledge Soundness: for every polynomial time adversary $A = (A_{0}, A_{1})$ such that:

$g p \leftarrow k ey g e n (λ, F)$
$co m_{f} \leftarrow A_{0} (g p)$
$v, π \leftarrow A_{1} (g p, u)$

where $Pr [V (v p, x, π) = accept] = 1$ , then there is an efficient extractor $E$ that uses $A_{1}$ as a black box (oracle) such that:

$g p \leftarrow k ey g e n (λ, F)$
$co m_{f} \leftarrow A_{0} (g p)$
$f \leftarrow E (g p, co m_{f})$

where $Pr [f (u) = v and f \in F] > 1 - ϵ$ . Meaning that if the prover can convince the verifier about some committed polynomial $f$ , then an efficient extractor can "extract" that $f$ from the prover via some algorithm, and then find out that indeed the evaluations are correct, with at most some negligible probability of failure.

Group Theory

It will be good to refresh our memory on some of the preliminary concepts, starting with group theory!

A group is a set $G$ and an operation $*$ . It satisfies the following properties:

Closure: $\forall a, b \in G$ it holds that $a * b \in G$ . In other words, the result of this operation is still an element of this group, it is closed in this group!
Associativity: $\forall a, b, c \in G$ it holds that $(a * b) * c = a * (b * c)$ . The order of execution should not matter.
Identity: $\exists e \in G$ such that $\forall a \in G$ it holds that $e * a = a * e = a$ . We call $e$ the identity element, because the result of operating on it is identical to the operand.
Inverse: $\forall a \in G, \exists b \in G$ such that $a * b = b * a = e$ . This is very important to keep in mind.

For example, the set of integers $Z = {\dots, - 1, 0, 1, \dots}$ under addition operation $+$ satisfies all these properties. You might also be familiar with rational numbers, real numbers, complex numbers and such.

In cryptography, here are some commonly used groups:

Positive integers $mod$ some prime number $p$ , which is the set ${1, 2, \dots, p - 1}$ under the multiplication operation $\times$ . This is denoted as $Z_{p}^{*}$ .
Elliptic curves, we will not go into this yet though.

Generator of a Group

An element $g \in G$ that generates all the other elements in the group by taking its powers is called the generator of that group. For example, consider the multiplicative group $Z_{7}^{*} = {1, 2, 3, 4, 5, 6}$ . See what happens if we take powers of 3 in this group.

$1$	$2$	$3$	$4$	$5$	$6$
$3^{6}$	$3^{2}$	$3^{1}$	$3^{4}$	$3^{5}$	$3^{3}$

Notice that $3^{6} = 1$ , so you can continue to powering $3^{7} = 3$ , $3^{8} = 2$ and so on but you will keep getting the same values. Furthermore, there can be multiple generators within a group!

Discrete Logarithm Assumption

So think of a some group $G$ with $p$ elements. You could represent the group by literally writing out all its $p$ elements. Alternatively, you could just note down the generator $g$ and find its $p$ powers to obtain the group elements; keep in mind that there may be different generators too. With that in mind, let us look at the discrete logarithm problem:

given $y \in G$ find $x$ such that $g^{x} = y$

It turns out that this is very hard to do, you basically have to try your luck with $x$ . There are some clever methods too, but it is the general consensus that this problem is computationally hard, meaning that you can't solve it in polynomial time.

Quantum computers can actually solve this in polynomial time, and any scheme that uses discrete log is therefore not post-quantum secure.

Diffie-Hellman Assumption

You might remember this duo from the Diffie-Hellman Key-Exchange [Diffie-Hellamn'76]. The paper is based on the Diffie-Hellman Assumption, which is very similar to the discrete logarithm assumption.

given $G, g, g^{x}, g^{y}$ compute $g^{x y}$

This is a stronger assumption that the discrete logarithm assumption, meaning that it "assumes more stuff". In other words, if discrete logarithm assumption breaks, you can break this one too. What you could do it, simply find $x$ from $g^{x}$ and $y$ from $g^{y}$ and just compute $g^{x y}$ .

To our best knowledge, this is also a hard problem and there is no efficient solution yet.

Bilinear Pairing

Bilinear pairings are an awesome building block that we will make use of. You have the following:

$G$ : the base group, a multiplicative cyclic group
$G_{T}$ : the target group, yet another multiplicative cyclic group
$p$ : the order of both $G$ and $G_{T}$
$g$ : the generator of base group $G$
$e$ : a pairing operation $e : G \times G \to G_{T}$

The pairing must have the following bilinearity property:

$\forall P, Q, \in G : e (P^{x}, Q^{y}) = e (P, Q)^{x y}$

Note that computing $e$ itself may be efficient or not, that depends on the groups that are being used. Also note that you could have two different base groups, unlike our example above which just uses on base group for both $P$ and $Q$ .

Example: Diffie-Hellman

Consider $e (g, g)^{x y}$ , what can this be equal to?

$e (g, g)^{x y} = e (g^{x}, g^{y})$
$e (g, g)^{x y} = e (g^{x y}, g)$

That means $e (g^{x}, g^{y}) = e (g^{x y}, g)$ . We know that given $g^{x}, g^{y}$ we can't compute $g^{x y}$ that is the Diffie-Hellman assumption. However, what if someone claims that they have computed $g^{x y}$ ? Well, we can check this without learning what $x, y$ is simply with the aforementioned equality.

Example: BLS Signature

BLS signature [Boneh-Lynn-Shacham'01] is an example usage of bilinear pairings. It is a signature scheme with the following functions:

$k ey g e n (p, G, g, G_{T}, e) \to (s k = x, p k = g^{x})$ that is the secret (private) key and public key respectively
$s i g n (s k, m) \to σ = H (m)^{x}$ where $H$ is a cryptographic hash function that maps the message space to $G$
$v er i f y (p k, σ, m) \to {0, 1}$ will verify if $e (H (m), g^{x}) = e (σ, g)$ . Notice that $g^{x}$ comes from $p k$ , and $H$ is a known public hash function

KZG Poly-Commit Scheme with Pairings

Remember we had went over KZG in the previous lecture, but there at some point we had to mention "pairings". Now, we will look at KZG again but with pairings included.

Suppose you have a univariate polynomial function family $F = F_{p}^{(\leq d)} [X]$ and some polynomial that you would like to commit $f \in F$ . You also have a bilinear pairing $p, G, q, G_{T}, e$ . Let's see how KZG works with these.

$k ey g e n (λ, F) \to g p$
- Sample a random $τ \in F_{P}$
- Set $g p = (g, g^{τ}, g^{τ^{2}}, \dots, g^{τ^{d}})$
- Delete $τ$ , its toxic waste at this point and you should make sure no one gets it. If they do, they can generate fake proofs. This is why a trusted setup is required for KZG.
$co mmi t (g p, f) \to co m_{f}$
- The polynomial is represented with its coefficients $f (x) = f_{0} + f_{1} x . + f_{2} x^{2} + \dots + f_{d} x^{d}$ .
- The commitment is $co m_{f} = g^{f (τ)}$ . How can this be done without knowing $τ$ ? Well, that is where $g p$ comes into play.
- Notice that $g^{f (τ)} = g^{f_{0} = f_{1} τ + f^{2} τ^{2} + \dots + f_{d} τ^{d}}$
- Its equal to $(g)^{f_{0}} + (g^{τ})^{f_{1}} + (g^{τ^{2}})^{f_{2}} + \dots (g^{τ^{d}})^{f_{d}}$ which can be done using just the elements in the public parameters $g p$ and the coefficients of $f$ .
$e v a l (g p, f, u) \to v, π$
- A verifier wants to query this polynomial at point $u$ , and you would like to show that $f (u) = v$ along with a proof $π$ that this is indeed true.
- To do this, first you find a quotient polynomial $q (x)$ such that $f (x) - f (u) = (x - u) q (x)$ . Note that $u$ is a a root of $f (x) - f (u)$ .
- Then, your proof is $π = g^{q (τ)}$ which you can do without knowing $τ$ but instead using $g p$ , as shown in the last bullet under $co mmi t$ .
$v er i f y (g p, co m_{f}, u, v, π) \to {0, 1}$
- The idea is to check the equation at point $τ$ as $g^{f (τ) - f (u)} = g^{(τ - u) q (τ)}$ .
- The verifier knows $g^{(τ - u)}$ as $g^{τ}$ is in $g p$ and $g^{u}$ the verifier can calculate, and it also knows $g^{q (τ)}$ because that is the proof $π$ sent by the prover. However, Diffie-Hellman assumption tells us that just by knowing these two, the verifier can't compute $g^{(τ - u) q (τ)}$ . So what do we do?
- We can use a bilinear pairing! We will make use of the pairing $e (co m_{f} / g^{v}, g) = e (g^{(τ - u)}, π)$ . Notice that this pairing translates to $e (g, g)^{f (τ) - f (u)} = e (g, g)^{(τ - u) q (τ)}$ . The verifier can simply check this equality, and accepts if it is correct.

sequenceDiagram
  actor P as Prover
  actor V as Verifier

  %% keygen
  note over P, V: gp = (g, g^t, g^(t^2), ..., g^(t^d))

  %% comittment
  note over P: f ∈ F
  P ->> V: com_f := g^f(t)

  %% eval
  V ->> P: u
  note over P: v = f(u)
  note over P: f(x)-f(u) = (x-u)q(x)

  %% verify
  P ->> V: v, proof π = g^q(t)
  note over V: g^(t-u) = g^t / g^u
  note over V: e(com_f / g^v, g) ?= e(g^(t-u), π)
  note over V: if true, Accept, otherwise Reject

q-Strong Bilinear Diffie-Hellman

What about the properties of KZG?

Correctness: if the prover is honest, then the verifier will always accept.
Soundness: how likely is a fake proof to be verified?

The answer to this comes from something called "q-Strong Bilinear Diffie-Hellman" (short for q-SBDH) assumption. That is, given $(p, G, g, G_{T}, e)$ and $(g, g^{τ}, g^{τ^{2}}, \dots, g^{τ^{d}})$ it is hard to compute $e (g, g)^{\frac{1}{τ - u}}$ for any $u$ . This is a stronger assumption that computational Diffie-Hellman.

Let us prove the soundness then! We will do a Proof by Contradiction. Suppose $v^{*} \neq = f (u)$ yet a fake proof $π^{*}$ passes the verification. We begin the proof by writing the bilinear pairing equivalence that the verifier checks for:

$e (co m_{f} / g^{v^{*}}, g) = e (g^{τ - u}, π^{*})$

We will assume that the prover knows $f$ , which is a strong assumption but we will explain it later (see Knowledge of Exponent). Therefore, we have the following equivalence:

$e (g^{f (τ) - v^{*}}, g) = e (g^{τ - u}, π^{*})$

Now the trick of the proof: we add $f (u) - f (u)$ to the leftmost exponent, which is effectively adding 0 so it does not change anything.

$e (g^{f (τ) - f (u) + f (u) - v^{*}}, g) = e (g^{τ - u}, π^{*})$

Now define $δ = f (u) - v^{*}$ , which is non-zero because we have said above that $v^{*} \neq = f (u)$ . We rewrite the left hand-side:

$e (g^{(τ - u) q (τ) + δ}, g) = e (g^{τ - u}, π^{*})$

As a result of pairing, we can move the exponents outside $e$ as:

$e (g, g)^{(τ - u) q (τ) + δ} = e (g, π^{*})^{τ - u}$

Dividing both sides by $e (g, g)^{τ - u}$ we get:

$e (g, g)^{δ} = (e (g, π^{*}) / e (g, g)^{q (τ)})^{τ - u}$

Finally, taking both sides to power $- 1/ (τ - u)$ leads to a contradiction!

$e (g, g)^{\frac{δ}{τ - u}} = e (g, π^{*}) / e (g, g)^{q (τ)}$

Notice the left side that is $e (g, g)^{\frac{δ}{τ - u}}$ , which is what q-SBDH was about! Even more, the right side of the equation only has globally available variables, so this means that the prover can break q-SBDH assumption.

Knowledge of Exponent (KoE)

We have said that we assume the prover knows $f$ such that $co m_{f} = g^{f (τ)}$ . How can we make sure of this? Here is how:

Again you have $g p = (g, g^{τ}, g^{τ^{2}}, \dots, g^{τ^{d}})$
Sample some random $α$ compute $g p^{α} = (g^{α}, g^{ατ}, g^{α τ^{2}}, \dots, g^{α τ^{d}})$
Now compute two commitments instead of one, $co m_{f} = g^{f (τ)}$ and $co m_{f}^{'} = g^{α f (τ)}$

Now we can make use of bilinear pairings: if $e (co m_{f}, g^{α}) = e (co m_{f}^{'}, g)$ there exists an extractor $E$ that extracts $f$ such that $co m_{f} = g^{f (τ)}$ . This extractor will extract $f$ in our proof above, where we assumed the prover knows $f$ .

Let us then describe the KZG with knowledge soundness:

Keygen generates both $g p$ and $g p^{α}$
Commit computes both $co m_{f}$ and $co m_{f}^{'}$
Verify additionally checks $e (co m_{f}, g^{α}) = e (co m_{f}^{'}, g)$

Note that this doubles the cost of key generation and commitments, as well as the verifier time.

Generic Group Model (GGM)

GGM [Shoup'97], [Maurer'05] can replace the KoE assumption and reduce commitment size in KZG. The informal definition is that the adversary is only given an oracle to compute the group operation, that is: given $(g, g^{τ}, g^{τ^{2}}, \dots, g^{τ^{d}})$ the adversary can only compute their linear combinations.

Properties of KZG

So let us write down the properties of KZG.

Keygen requires trusted setup
Commit requires $O (d)$ group exponentiations and $O (1)$ commitment size
Eval requires $O (d)$ group exponentiations, and $q (x)$ can be computed efficiently in linear time
Proof size is $O (1)$ for the single group element
Verifier time is $O (1)$ for the pairing check

Powers of Tau Ceremony

Okay, trusted setup sucks but we can make it a bit nicer: instead of letting one party come up with the global parameters, we will distribute this process to multiple parties. In doing so, even if only one party is honest and gets rid of the "toxic waste", then that is enough for us so that no one will be able to reconstruct the trapdoor. Here is how:

Suppose your global parameters are $g p$ right now:

$g p = (g^{τ}, g^{τ^{2}}, \dots, g^{τ^{d}}) = (g_{1}, g_{2}, \dots, g_{d})$

As a participant in this ceremony, you sample some random $s$ , and obtain new $g p^{'}$ as:

$g p^{'} = (g_{1}^{s}, g_{2}^{s^{2}}, \dots, g_{d}^{s^{d}}) = (g^{s τ}, g^{(s τ)^{2}}, \dots, g^{(s τ)^{d}})$

This can go on for many participants, see for example Perpetual Powers of Tau.

A new method [Nikolaenko-Ragsdale-Bonneau-Boneh'22] provides a way to check the correctness of $g p^{'}$ too. The idea is:

the contributor knows $s$ such that $g_{1}^{'} = (g_{1})^{s}$
and $g p^{'}$ consists of consecutive powers $e (g_{i}^{'}, g_{1}^{'}) = e (g_{i + 1}^{'}, g)$ where $g_{1}^{'} \neq = 1$

Variants of KZG

We will look at several extensions of KZG univariate polynomial commitment scheme.

Multivariate KZG

[Papamanthou-Shi-Tamassia'13] describes a way to use KZG for multivariate polynomials. The idea is:

$f (x_{1}, x_{2}, \dots, x_{k}) - f (u_{1}, u_{2}, \dots, u_{k}) = i = 1 \sum k (x_{i} - u_{i}) q_{i} (x)$

Keygen will sample $τ = τ_{1}, τ_{2}, \dots, τ_{k}$ to compute $g p$ as $g$ raised to all possible monomials of $τ$
Commit will compute $co m_{f} = g^{f (τ_{1}, τ_{2}, \dots, τ_{k})}$
Eval will compute a group element for each polynomial $π_{i} = g^{q_{i} (τ)}$
Verify will check $e (co m_{f} / g^{v}, g) = \prod_{i = 1}^{k} e (g^{τ_{i} - u_{i}}, π_{i})$

Notice that the proof size and verifier time is greater here.

You can find in practice vSQL [ZGKPP'17] and Libra [XZZPS'19] that makes use of multivariate KZG as the commitment scheme and Sum-check protocol or GKR protocol as the IOP to obtain a SNARK.

Achieving Zero-Knowledge

Plain KZG is not zero-knowledge, e.g. $co m_{f} = g^{f (τ)}$ is deterministic. Also remember that to formally show zero-knowledgeness, we need a simulator construction that can simulate the view of the commitment scheme.

[ZGKPP'18] shows a method to do this by masking with randomizers.

Commit will compute the masked $co m_{f} = g^{f (τ) + rη}$
Eval will also be masked as follows:

$f (x) + ry - f (u) = (x - u) (q (x) + r^{'} y) + y (r - r^{'} (x - u))$

The proof will therefore be $π = g^{q (τ) + r^{'} η}, g^{r - r^{'} (τ - u)}$ . Note that this looks much like the bivariate extension of KZG, but the other polynomial is like some added randomness to provide zero-knowledge property.

Batch Proofs on a Single Polynomial

Prover wants to prove $f$ at multiple points $u_{1}, u_{2}, \dots, u_{m}$ for $m < d$ . The key idea is to extrapolate $f (u_{1}), f (u_{2}), \dots, f (u_{m})$ to obtain $h (x)$ . Then,

we find a quotient polynomial from $f (x) - h (x) = \prod_{i = 1}^{m} (x - u_{i}) q (x)$
the proof then becomes $π = g^{q (τ)}$
verifier will check $e (co m_{f} / g^{h (τ)}, g) = e (g^{\prod_{i = 1}^{m} (τ - u_{i})}, π)$

Batch Proofs on Multiple Polynomials

Prover wants to prove $f$ at multiple points and polynomials $f_{i} (u_{i, j}) = v_{i, j}$ for $i \in [n], j \in [m]$ . The key idea is to extrapolate $f_{i} (u_{i, 1}), f_{i} (u_{i, 2}), \dots, f_{i} (u_{i, m})$ to obtain $h_{i} (x)$ . Then,

we find quotient polynomials from $f_{i} (x) - h_{i} (x) = \prod_{j = 1}^{m} (x - u_{i, j}) q_{i} (x)$
the proof will have all $q_{i} (x)$ in a random linear combination

Bulletproofs

Although the powers-of-tau ceremony helps on the "trusted setup" problem, Bulletproofs [BCCGP'16], [BBBPWM'18] completely remove the "trusted setup" problem of KZG!

$k ey g e n$
- Bulletproofs have a "transparent setup" phase, which is to simply $d + 1$ randomly sampled elements from a group $G$ , resulting in $g p = (g_{0}, g_{1}, \dots, g_{d})$
$co mmi t (g p, f) \to co m_{f}$
- suppose you have a polynomial $f (x) = f_{0} + f_{1} x + f_{2} x^{2} + \dots f_{d} x^{d}$
- commitment is $co m_{f} = g_{0}^{f_{0}} g_{1}^{f_{1}} \dots g_{d}^{f_{d}}$
- notice that this is a "vector commitment" version of a Pedersen Commitment

Then, do $e v a l$ and $v er i f y$ recursively around $lo g d$ times:

$e v a l (g p, f, u)$
- find $v = f (u)$
- compute $L, R, v_{l}, v_{r}$
- receive a random $r$ from verifier and reduce $f$ to $f^{'}$ of degree $d /2$
- update the global parameter to be $g p^{'}$
$v er i f y (g p, co m_{f}, u, v, π)$
- check $v = v_{L} + v_{R} \times u^{d /2}$
- generate $r$ randomly
- update $co m^{'} = L^{r} \times co m_{f} \times R^{r^{- 1}}$ (this is the magic trick)
- update the global parameter to be $g p^{'}$
- set $v^{'} = r v_{L} + r_{R}$

The idea of Bulletproofs is to recursively divide a polynomial in two polynomials, and commit to those smaller polynomials, eventually reducing whatever degree you have started with to 1.

The Magic Trick

So let's go over what happens in that magical line where we obtain the new commitment given $L, R$ (left & right respectively). Suppose we have a polynomial of degree 3

$f (x) = f_{0} + f_{1} x + f_{2} x^{2} + f_{3} x^{3}$

and our commitment is:

$co m_{f} = g_{0}^{f_{0}} g_{1}^{f_{1}} g_{2}^{f_{2}} g_{3}^{f_{3}}$

The prover splits the polynomial into two polynomials of half the degree:

left half: $f_{L} (x) = f_{0} + f_{1} x$
right half: $f_{R} (x) = f_{2} + f_{3} x$

It will also commit the each half:

left half: $L = g_{2}^{f_{0}} g_{3}^{f_{1}}$
right half: $R = g_{0}^{f_{2}} g_{1}^{f_{3}}$

Did you notice the criss-cross between the group elements and their exponents? The $g$ terms are fitting nicely with the coefficients, but the exponents are actually belonging to the other polynomial! This is a way of "relating" both halves together, so to restrain the prover to some extent and keep the computations sound.

The magical line is the following:

$co m^{'} = L^{r} \times co m_{f} \times R^{r^{- 1}}$

$co m^{'} = (g_{0}^{f_{0} + r^{- 1} f_{2}} g_{2}^{r f_{0} + f_{2}}) (g_{1}^{f_{1} + r^{- 1} f_{3}} g_{3}^{r f_{1} + f_{3}})$

$co m^{'} = (g_{0}^{r^{- 1}} g_{2})^{r f_{0} + f_{2}} \times (g_{1}^{r^{- 1}} g_{3})^{r f_{1} + f_{3}}$

Now notice that this commitment is what you would have gotten if you had:

a polynomial $f^{'} (x) = (r f_{0} + f_{2}) + (r f_{1} + f_{3}) x$
and $g p^{'} = (g_{0}^{r^{- 1}} g_{2}, g_{1}^{r^{- 1}} g_{3})$

Both are half the size of what we had started with! If you keep doing this recursively, you will end up with a degree-1 polynomial in around $lo g d$ steps. Without caring about zero-knowledge property, the prover could simply send the constant sized polynomial for the last step to prove the evaluation.

Also to mention, you could take "odd-elements & even-elements" instead of "left-half & right-half" for this process, which is similar to what is done in FFT, and it would still work!

sequenceDiagram
	actor P as Prover
	actor V as Verifier

  %% keygen
	note over P, V: gp = (g_0, g_1, g_2, ..., g_d)

	%% comittment
	note over P: f ∈ F
	P ->> V: com_f := g_0f^0 * g_1f^1 * ... * g_df^d

  %% eval
	V ->> P: u
  note over P: v = f(u)
	P ->> V: v

	loop while deg(f) > 1
	note over V: sample random r
	V ->> P: r

  note over P: L, R := split(f)
	P ->> V: v_L = L(u), com_L, v_R = R(u), com_R
	note over P: f' := reduce(L, R, r)

  %% verify
  note over V: assert: v == v_L + v_R * u^2
	note over V: com' = L^r * com_f * R^{r^-1}
	note over V: update gp as gp'
	note over V: v' = r * v_L + v_R
	note over V, P: recurse with f', com', v', gp'
	end

	note over V, P: prove eval of a const-sized polynomial
	note over V: accept or reject

More Poly-Commit Schemes

More advanced schemes based on d-log with transparent setup are out there, and we will go over them quickly.

Hyrax

Hyrax [Wahby-Tzialla-Shelat-Thaler-Walfish'18] improves the verifier time to $O (d)$ by representing the coefficients as a 2D matrix. This way, it commits to the matrix row-wise, and does reduction column-wise. Proof size also becomes $O (d)$ .

Dory

Dory [Lee'21] delegates the structured computation to the prover using inner pairing product arguments [BMMTV'21]. This way, verifier time becomes $O (lo g d)$ and prover time becomes $O (d)$ exponentiations plus $O (d)$ field operations, so prover time is still linear but in practice it is a bit more efficient.

Dark

Dark [Bünz-Fisch-Szepieniec'20] achieves $O (lo g d)$ proof size and verifier time! The trick here is to use group of an unknown order.

Summary

Here is a quick summary of all the methods covered in this lecture.

Scheme	Prover Time	Proof Size	Verifier Time	Setup Phase	Cryptographic primitive
KZG	$O (d)$	$O (1)$	$O (1)$	Trusted	Pairing
Bulletproofs	$O (d)$	$O (lo g d)$	$O (d)$	Transparent	Discrete-log
Hyrax	$O (d)$	$O (d)$	$O (d)$	Transparent	Discrete-log
Dory	$O (d)$	$O (lo g d)$	$O (lo g d)$	Transparent	Pairing
Dark	$O (d)$	$O (lo g d)$	$O (lo g d)$	Transparent	Unknown order Group

Cryptonotes