Skip to main content

IPA Multipoint

Introduction

This document explains how to open multiple polynomials at multiple different points. Ultimately, we use one IPA proof, 1 commitment and 1 scalar. This is the batched setting.

Statement

Given mm IPA commitments C0=[f0(X)]...Cm1=[fm1(X)]C_0 = [f_0(X)] ... C_{m-1} = [f_{m-1}(X)], prove evaluations:

f0(z0)=y0fm1(zm1)=ym1f_0(z_0) = y_0 \\\vdots \\f_{m-1}(z_{m-1}) = y_{m-1}

where zi{0,...,d1}z_i \in \{0,...,d-1\}

Proof

  1. Let rH(C0,...Cm1,z0,...,zm1,y0,...,ym1)r \leftarrow H(C_0,...C_{m-1}, z_0, ..., z_{m-1}, y_0, ..., y_{m-1})
g(X)=r0f0(X)y0Xz0+r1f1(X)y1Xz1++rm1fm1(X)ym1Xzm1g(X) = r^0 \frac{f_0(X) - y_0}{X-z_0} + r^1 \frac{f_1(X) - y_1}{X-z_1} + \ldots +r^{m-1} \frac{f_{m-1}(X) - y_{m-1}}{X-z_{m-1}}

The prover starts off by committing to g(X)g(X), we denote this by DD or [g(X)][g(X)].

The provers job is to now convince the verifier that DD is a commitment to g(X)g(X). We do this by evaluating g(X)g(X) at some random point tt

We split the evaluation into two parts g1(t)g_1(t) and g2(t)g_2(t), g2(t)g_2(t) can be computed by the verifier, while g1(t)g_1(t) cannot, because it involves random evaluations at the polynomials fi(X)f_i(X).

  • The verifier is able to compute the g2(t)g_2(t).
  • The prover will compute g1(t)g_1(t) and send a proof of it's correctness.
g1(t)=rifi(t)tzig_1(t) = r^i \frac{f_i(t)}{t-z_i}
g2(t)=riyitzig_2(t) = r^i \frac{y_i}{t-z_i}
  1. Let tH(r,D)t \leftarrow H(r,D)

We note that g1(X)=rifi(X)Xzig_1(X) = r^i \frac{f_i(X)}{X-z_i}, however, we specify it as rifi(X)tzir^i \frac{f_i(X)}{t-z_i} because the latter is also able to prove an opening for g1(t)g_1(t) and the verifier is able to compute the commitment for it.

Now we form two IPA proofs:

  • One for g1(X)g_1(X) at tt. We call this π\pi
  • One for g(X)g(X) at tt. We call this ρ\rho

The prover now computes y=g1(t)y = g_1(t)

The proof consists of D,(π,y),ρD, (\pi, y), \rho

In this non-aggregated variation, the prover does not need to add [g1(X)][g_1(X)] to the transcript.

Verification

The Verifier ultimately wants to verify that DD is the commitment to the polynomial g(x)g(x).

The verifier computes rr and tt.

The verifier also computes g2(t)g_2(t), we mentioned above that they can do this by themselves.

Computing g(t)g(t)

The verifier now needs to compute g(t)g(t):

g(t)=g1(t)g2(t)g(t) = g_1(t) - g_2(t)

  • We know that g1(t)g_1(t) was supplied in the proof as yy.
  • g2(t)g_2(t) can be computed by the verifier.

Hence the verifier can compute g(t)g(t).

Note however, that they cannot be sure that g1(t)g_1(t) is the correct computation by the prover. They need to build [g1(X)][g_1(X)] themselves and verify it against g1(t)g_1(t)

Computing [g1(X)][g_1(X)]

This is g1(X)g_1(X):

g1(X)=rifi(X)tzig_1(X) = r^i \frac{f_i(X)}{t-z_i}

Hence [g1(X)][g_1(X)] is:

[g1(X)]=ritziCi[g_1(X)] = \frac{r_i}{t-z_i}C_i

The verifier is able to compute this themselves, and so is able to verify that g1(t)g_1(t) was computed correctly using IPA_VERIFY.

We can now call IPA_VERIFY using

  • [g1(X)][g_1(X)]
  • g1(t)g_1(t)
  • π\pi

Is g(t)g(t) correct?

Note now that since g1(t)g_1(t) was verified to be correct and g2(t)g_2(t) was computed by the verifier, we can be sure that g(t)g(t) is correct.

Verify g(x)g(x) at tt

We now call IPA_VERIFY using:

  • D=[g(X)]D = [g(X)] *
  • g(t)g(t)
  • ρ\rho

*In actuality, it's not DD but an augmented DD, but this works at a higher level and does not ruin the explanation.

Complexity

The communication complexity of this protocol is two IPA proofs, 1 scalar and 1 commitment. We can get a better protocol by aggregating things together!

Aggregation

We now present a protocol to aggregate the two IPA proofs together, only requiring one IPA proof.

Prover

  1. Let qH(t,[g1(X)])q \leftarrow H(t, [g_1(X)])

The prover no longer computes an IPA proof for g1(X)g_1(X) and g(X)g(X) instead they combine them using qq.

g3(X)=g1(X)+qg(X)g_3(X) = g_1(X) + q \cdot g(X)

Now we form an IPA Proof for g3(X)g_3(X) at tt. Lets call this σ\sigma.

The prover still computes y=g1(t)y = g_1(t)

The proof consists of D,σ,yD, \sigma, y

Verifier

In the previous step, the verifier called [g1(X)][g_1(X)] ,g1(t)g_1(t) with π\pi, we delay this verification and instead compute:

  • [g3(X)]=[g1(X)]+q[g(X)][g_3(X)] = [g_1(X)] + q \cdot [g(X)]
  • g3(t)=g1(t)+qg(t)g_3(t) = g_1(t) + q \cdot g(t)

We now call IPA_VERIFY using:

  • [g3(X)][g_3(X)]
  • g3(t)g_3(t)
  • σ\sigma

With overwhelming probability over qq this will only return true iff [g1(X)][g_1(X)] and [g(X)][g(X)] opened at tt are g1(t)g_1(t) and g(t)g(t) respectively, from the equation.

Complexity

The communication complexity of the protocol is 1 IPA Proof, 1 commitment and 1 scalar.

Do we need to add [g1(X)][g_1(X)] to the transcript?

In the KZG document, this is h(X)h(X)

If we were able to avoid this, then we could save a lot on prover time, as they could evaluate each fif_i at tt, then do rifi(t)tzi\frac{r^i \cdot f_i(t)}{t - z_i} instead of needing to first compute rifi(X)tzi\frac{r^i \cdot f_i(X)}{t - z_i}. (In the non-batched version)

However, we do need to do this because the challenge qq is aggregating [g1(X)][g_1(X)] and [g(X)][g(X)], we need to bind [g1(X)][g_1(X)] to the challenge qq.

There may be an argument to say that since g1(X)g_1(X) uses tt and simply using q=H(t)q = H(t) is enough to bind g1(X)g_1(X) to qq. We can restate this problem as:

Given two polynomials : f(X,Y)f(X, Y) and g(X)g(X)

I generate a completely random variable tt.

If I want to add together f(X,t)f(X, t) and g(x)g(x)

Is it enough to generate randomness based on g(X)g(X) and tt alone?

The answer is no because the prover has free reign over XX and can change it without affecting qq