[−][src]Module dusk_plonk::notes::kzg10_docs

In this module we show how, and why, the KZG10 polynomial commitment scheme has been implemented for this PLONK implementation.

KZG10 Commitments

PLONK can be constructed with different commitment schemes and does not requre solely homomorphic commitments. However, this library implements only homomorphic commitments for two reasons. One is their useful properties when given encrypted values, and the second is the requirements of the linearisation technique in PLONK.

PLONK makes use of the linearisation technique, originally conceived in the SONIC paper. This technique requires the the commitment scheme to be homomorphic. The use of this lineariser in the PLONK protocol prevents us from being able to use merkle tree like techniques, such as the FRI protocol.

We use 'KZG10 commitments', often called 'Kate' commitments refers to the commitments scheme created by Kate, Zaverucha and Goldberg. A deep explanation on how this particular commitment scheme operates can be found here in the original paper. Aside from the compatibility wiht the chosen linearisation technique, there are multiple benefits of using the KZG10 commitment scheme in the PLONK. The first is that it allow us to have constant size commitments; the witness of the evaluations is a single group element. The cost of these commitments is also constant irrespective of the number of evaluations, so we are able to employ them with a low overhead cost.

This commitment is used to commit to a polynomial, from a given structured reference string (SRS), \(\varPhi\), by means of a bilinear pairing group. Where \({\mathbb G_{1}}\) and \({\mathbb G_{2}}\) and groups two different pairing curves with generators \({\mathbf g_{1}} \in {\mathbb G_{1}}\) and \({\mathbf g_{2}} \in {\mathbb G_{2}}\).

These commitments are homomorphic, which enables us to perform operations on the already encrypted values and have the evaluation be indistinguishable from the evaluation of operations performed on the decrypted values. In terms of Kate commitments, we are able to take two commitment messages, \({\mathbf m_{1}}\) and \({\mathbf m_{2}}\), and know there is an efficient product operation for them both which equates to a commitment \({(\mathbf m_{1}}, {\mathbf m_{2}})\). For example: \[ \begin{aligned} \operatorname{Commitment}({\mathbf{m}}_{1}) \cdot \operatorname{Commitment}({\mathbf{m}}_{2}) \equiv {\mathbf{m}}_{1} \bigotimes {\mathbf{m}}_{2} \end{aligned} \]