πͺ Session chair: Akira (Duties: Read material above-average carefully π€; prepare fallback discussions/questions (worst-case: just prepare some quiz questions about the material) π. Prepare a few slides to guide the session through subtopics (this is not supposed to be a detailed summary of the material)
βοΈ Notetaker: ? (Duties: Take notes during the session, push them to the wiki afterwards π. Moderate to get input for the wiki pages π§ . Make people summarize / dumb down discussion results to keep things comprehensible for everyone π§ββοΈ.)
π― Goals
This session covers detailed syntax and security properties of discrete logarithm-based polynomial commitments. We will particularly focus on the following contents from Lecture 6 (see π Material).
-
Security of KZG
- Binding, evaluation binding, knowledge soundness, hiding
- Why KZG is evaluation binding under the -SDH assumption
- Why KZG is knowledge sound under the -KoE assumption
- How to make KZG hiding
- Ceremony for distributed generation of SRS
- Batch proof: (1) single polynomial, many evaluations, (2) many polynomials, many evaluations
-
Bulletproofs-style transparent polynomial commitments
- The split-and-fold paradigm
- Tree-based special soundness
- Hyrax, Dory, Dark
β Quiz Questions
- Why is the -power knowledge of exponent assumption true in GGM?
- Why can be dropped if we are to prove knowledge soundness of KZG directly in the GGM?
- If the KZG commitment is randomized i.e. , what does the verification operation look like? How many evaluations can be revealed to prove ZK?
- What does the complete protocol for batch opening look like?
- Does Bulletproofs-PCom satisfy evaluation binding?
- Whatβs the intuition of knowledge soundness of Bulletproofs-PCom?