IPA Multipoint
Introduction
This document explains how to open multiple polynomials at multiple different points. Ultimately, we use one IPA proof, 1 commitment and 1 scalar. This is the batched setting.
Statement
Given IPA commitments , prove evaluations:
where
Proof
- Let
The prover starts off by committing to , we denote this by or .
The provers job is to now convince the verifier that is a commitment to . We do this by evaluating at some random point
We split the evaluation into two parts and , can be computed by the verifier, while cannot, because it involves random evaluations at the polynomials .
- The verifier is able to compute the .
- The prover will compute and send a proof of it's correctness.
- Let
We note that , however, we specify it as because the latter is also able to prove an opening for and the verifier is able to compute the commitment for it.
Now we form two IPA proofs:
- One for at . We call this
- One for at . We call this
The prover now computes
The proof consists of
In this non-aggregated variation, the prover does not need to add to the transcript.
Verification
The Verifier ultimately wants to verify that is the commitment to the polynomial .
The verifier computes and .
The verifier also computes , we mentioned above that they can do this by themselves.
Computing
The verifier now needs to compute :
- We know that was supplied in the proof as .
- can be computed by the verifier.
Hence the verifier can compute .
Note however, that they cannot be sure that is the correct computation by the prover. They need to build themselves and verify it against
Computing
This is :
Hence is:
The verifier is able to compute this themselves, and so is able to verify that was computed correctly using IPA_VERIFY.
We can now call IPA_VERIFY using
Is correct?
Note now that since was verified to be correct and was computed by the verifier, we can be sure that is correct.
Verify at
We now call IPA_VERIFY using:
- *
*In actuality, it's not but an augmented , but this works at a higher level and does not ruin the explanation.
Complexity
The communication complexity of this protocol is two IPA proofs, 1 scalar and 1 commitment. We can get a better protocol by aggregating things together!
Aggregation
We now present a protocol to aggregate the two IPA proofs together, only requiring one IPA proof.
Prover
- Let
The prover no longer computes an IPA proof for and instead they combine them using .
Now we form an IPA Proof for at . Lets call this .
The prover still computes
The proof consists of
Verifier
In the previous step, the verifier called , with , we delay this verification and instead compute:
We now call IPA_VERIFY using:
With overwhelming probability over this will only return true iff and opened at are and respectively, from the equation.
Complexity
The communication complexity of the protocol is 1 IPA Proof, 1 commitment and 1 scalar.
Do we need to add to the transcript?
In the KZG document, this is
If we were able to avoid this, then we could save a lot on prover time, as they could evaluate each at , then do instead of needing to first compute . (In the non-batched version)
However, we do need to do this because the challenge is aggregating and , we need to bind to the challenge .
There may be an argument to say that since uses and simply using is enough to bind to . We can restate this problem as:
Given two polynomials : and
I generate a completely random variable .
If I want to add together and
Is it enough to generate randomness based on and alone?
The answer is no because the prover has free reign over and can change it without affecting