Pairing-based polynomial commitments and Kate polynomial commitments

There’s this thing called a Kate polynomial commitment, which is a polynomial commitment primitive that makes use of pairings. There’s an excellent post from Dankrad which I would recommend reading instead of this post. I wrote this as a shorter summary of how you can commit to a polynomial, and then prove any evaluation $f (x) = y$ .

Here’s how it works:

You have a polynomial $f (x) = x^{2} + 3 x$

and some public parameters:

S R S = {[1], [s], [s^{2}], [s^{3}]} = {G, s G, s^{2} G, s^{3} G}

where $[x] : = x G$ for some generator $G$ of an elliptic curve group.

and $s$ is a toxic waste (something that no one should know) hidden behind an elliptic curve point G (some people call that “hidden in the exponent”).

to commit to $f$

To commit to this polynomial, evaluate it at the unknown point $s$ . You can do that by playing with the $S R S$ :

[f (s)] : = [s^{2}] + 3 [s] = s^{2} G + 3 s G = (s^{2} + 3 s) G

to prove that $f (ζ) = a$

One day, the verifier asks “what’s the evaluation at $ζ$ ?” And the prover responds by sending the answer, $a$ , and a proof ( $h (s)$ , see below).

The idea behind the proof

Notice that because $ζ$ is a root of $f (x) - f (ζ)$ , then for some polynomial $h (x)$ :

f (x) - f (ζ) = (x - ζ) \cdot h (x)

Due to this, $h (x) = \frac{f (x) - f (ζ)}{x - ζ}$ must be a valid polynomial.

At a high-level:

the verifier will compute what they think $[h (x)]$ should be at some random point $s$
the prover will send the actual value $[h (s)]$
the verifier will check if they match

This works because the Schartz-Zippel lemma tells us that two polynomials that are different are different in most points.

The proof

Here’s the protocol:

the prover sends the verifier a commitment $[\frac{f (s) - f (ζ)}{s - ζ}] = [h (s)]$ evaluated at some random point $s$ (the toxic waste).
the verifier constructs a similar $h (s)$ but with the expected value of $f (ζ)$ instead: $[\frac{f (s) - a}{s - ζ}]$ . The verifier then checks if it’s equal to $[h (s)]$ .

Note:

The prover can compute $[h (s)]$ easily, because they can just compute the polynomial $h (x)$ first, and then reconstruct it at $s$ with the $S R S$ . $h (x) = \frac{f (x) - f (ζ)}{x - ζ} = a_{0} + a_{1} x + a_{2} x^{2} + \dots$ and then $[h (s)] : = a_{0} [1] + a_{1} [s] + a_{2} [s^{2}] + \dots$

for example with our previous $f (x)$ and $ζ = 3$
The verifier cannot compute their own $[h (s)]$ because they cannot divide by $s$ (remember, nobody knows $s$ ). They need a pairing. Remember, you want to check the following identity hidden in the exponent (using commitments): $\frac{[f (s) - a]}{[s - ζ]} = [h (s)]$ But since you can’t divide with commitments, you can’t compute what’s on the left-hand side. You can multiply thanks to pairings though. So instead, you could check the following equation: $[f (s) - a] = [(s - ζ) h (s)]$ and with pairings, you can multiply $[s - ζ]$ with the proof $[h (s)]$ : $e ([f (s)] - [a], [1]) = e ([s - ζ], [h (s)])$

PS: Thanks to h for pointing out a mistake

Pairing-based polynomial commitments and Kate polynomial commitments

to commit to f

to prove that f(ζ)=a

The idea behind the proof

The proof

to commit to $f$

to prove that $f (ζ) = a$