From 55d2bf6bb2e66e5c8799532092f299194c36fa1e Mon Sep 17 00:00:00 2001 From: weikeng Date: Wed, 28 Jul 2021 19:18:06 -0700 Subject: [PATCH 1/4] update README --- README.md | 4 +- src/README.md | 108 ++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 110 insertions(+), 2 deletions(-) create mode 100644 src/README.md diff --git a/README.md b/README.md index 6f5a3b9c..0aff38a7 100644 --- a/README.md +++ b/README.md @@ -78,8 +78,8 @@ EUROCRYPT 2020 Benedikt Bünz, Alessandro Chiesa, [Pratyush Mishra](https://www.github.com/pratyush), Nicholas Spooner TCC 2020 -[Signatures of Correct Computation][pst] -Charalampos Papamanthou, Elaine Shi, Roberto Tamassia +[Signatures of Correct Computation][pst] +Charalampos Papamanthou, Elaine Shi, Roberto Tamassia TCC 2013 ## Acknowledgements diff --git a/src/README.md b/src/README.md new file mode 100644 index 00000000..beb26814 --- /dev/null +++ b/src/README.md 
@@ -0,0 +1,108 @@ +## Supported Polynomial Commitment Schemes + +The library supports four polynomial commitment schemes. + +### Inner-product-argument PC + +A polynomial commitment scheme based on the hardness of the discrete logarithm problem in prime-order groups. + +The construction is described in the following paper. + +[pcd-acc]: https://ia.cr/2020/499 + +[Proof-Carrying Data from Accumulation Schemes][pcd-acc] +Benedikt Bünz, Alessandro Chiesa, Pratyush Mishra, Nicholas Spooner +TCC 2020 + +### Marlin variant of the Kate-Zaverucha-Goldberg PC + +[kzg10]: http://cacr.uwaterloo.ca/techreports/2010/cacr2010-10.pdf +[marlin]: https://ia.cr/2019/1047 + +Polynomial commitment based on the Kate-Zaverucha-Goldberg construction, with degree enforcement, batching, and (optional) hiding property taken from Marlin. + +The construction is described in the following paper. + +[Marlin: Preprocessing zkSNARKs with Universal and Updatable SRS][marlin] +Alessandro Chiesa, Yuncong Hu, Mary Maller, Pratyush Mishra, Noah Vesely, Nicholas Ward +EUROCRYPT 2020 + +[Polynomial Commitments][kzg10] +Aniket Kate, Gregory M. Zaverucha, Ian Goldberg +ASIACRYPT 2010 + +### Sonic/AuroraLight variant of the Kate-Zaverucha-Goldberg PC + +Polynomial commitment based on the Kate-Zaverucha-Goldberg construction, with degree enforcement and batching taken from Sonic (more precisely, their counterparts in AuroraLight that avoid negative G1 powers). The (optional) hiding property of the commitment scheme follows the approach described in Marlin. + +The construction is described in the following paper. 
+ +[sonic]: https://ia.cr/2019/099 +[aurora-light]: https://ia.cr/2019/601 + +[AuroraLight: Improved Prover Efficiency and SRS Size in a Sonic-Like System][aurora-light] +Ariel Gabizon +ePrint, 2019 + +[Sonic: Zero-Knowledge SNARKs from Linear-Size Universal and Updateable Structured Reference Strings][sonic] +Mary Maller, Sean Bowe, Markulf Kohlweiss, Sarah Meiklejohn +CCS 2019 + +[Marlin: Preprocessing zkSNARKs with Universal and Updatable SRS][marlin] +Alessandro Chiesa, Yuncong Hu, Mary Maller, Pratyush Mishra, Noah Vesely, Nicholas Ward +EUROCRYPT 2020 + +[Polynomial Commitments][kzg10] +Aniket Kate, Gregory M. Zaverucha, Ian Goldberg +ASIACRYPT 2010 + +### Marlin variant of the Papamanthou-Shi-Tamassia multivariate PC + +Multivariate polynomial commitment based on the construction in the Papamanthou-Shi-Tamassia construction with batching and (optional) hiding property inspired by the univariate scheme in Marlin. + +The construction is described in the following paper. + +[pst]: https://ia.cr.org/2011/587 + +[Signatures of Correct Computation][pst] +Charalampos Papamanthou, Elaine Shi, Roberto Tamassia +TCC 2013 + +[Marlin: Preprocessing zkSNARKs with Universal and Updatable SRS][marlin] +Alessandro Chiesa, Yuncong Hu, Mary Maller, Pratyush Mishra, Noah Vesely, Nicholas Ward +EUROCRYPT 2020 + +## Comparison + +### Marlin vs Sonic/AuroraLight variant of the Kate-Zaverucha-Goldberg PC + +We summarize the differences between the first one (MarlinPC) and the second one (SonicPC) as follows. + +#### High-level: +They handle degree bounds differently. + +MarlinPC uses shift powers only in G1 and requires two commitments to enforce degree bounds. + +SonicPC uses shift powers in G1 and G2 and requires only one commitment to enforce degree bounds. + +#### Setup: + +SonicPC additionally computes some G2 elements for shift powers: `(1/\beta)^i H`. This results in a longer verifying key, as shift powers in SonicPC are in G2, while shift powers in Marlin are in G1. 
+ +#### Commit: + +When there is no degree bound, both are the same. + +When there is a degree bound, MarlinPC is more expensive: it needs one more commitment. + +#### Open: + +When there is no degree bound, both are the same. + +When there is a degree bound, MarlinPC is slightly more expensive: it requires more computation on the scalar field. + +#### Check: + +MarlinPC simply adjusts the commitment of the shifted polynomial, so the overhead is small. It checks a pairing equation with two pairing operations. + +SonicPC is more expensive, as it checks a pairing equation of three pairing operations. It can be reduced into two if there is no degree bound. \ No newline at end of file From 715c9c4c379574267473b5210d9846c6644ed41e Mon Sep 17 00:00:00 2001 From: weikeng Date: Wed, 28 Jul 2021 19:21:57 -0700 Subject: [PATCH 2/4] consistency --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 0aff38a7..0bd9162b 100644 --- a/README.md +++ b/README.md @@ -78,8 +78,8 @@ EUROCRYPT 2020 Benedikt Bünz, Alessandro Chiesa, [Pratyush Mishra](https://www.github.com/pratyush), Nicholas Spooner TCC 2020 -[Signatures of Correct Computation][pst] -Charalampos Papamanthou, Elaine Shi, Roberto Tamassia +[Signatures of Correct Computation][pst] +Charalampos Papamanthou, Elaine Shi, Roberto Tamassia TCC 2013 ## Acknowledgements From 32a0f4ee9d1a00de8a4f1d86774410f7d7c2bc26 Mon Sep 17 00:00:00 2001 From: weikeng Date: Wed, 28 Jul 2021 19:22:20 -0700 Subject: [PATCH 3/4] consistency --- src/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/README.md b/src/README.md index beb26814..1388a790 100644 --- a/src/README.md +++ b/src/README.md 
@@ -64,8 +64,8 @@ The construction is described in the following paper. [pst]: https://ia.cr.org/2011/587 -[Signatures of Correct Computation][pst] -Charalampos Papamanthou, Elaine Shi, Roberto Tamassia +[Signatures of Correct Computation][pst] +Charalampos Papamanthou, Elaine Shi, Roberto Tamassia TCC 2013 [Marlin: Preprocessing zkSNARKs with Universal and Updatable SRS][marlin] From ce17514f46eb61d57b753a6216e57686c979b893 Mon Sep 17 00:00:00 2001 From: Pratyush Mishra Date: Wed, 4 Aug 2021 13:55:06 -0700 Subject: [PATCH 4/4] Small tweaks --- src/README.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/src/README.md b/src/README.md index 1388a790..2d6745aa 100644 --- a/src/README.md +++ b/src/README.md @@ -35,7 +35,7 @@ ASIACRYPT 2010 Polynomial commitment based on the Kate-Zaverucha-Goldberg construction, with degree enforcement and batching taken from Sonic (more precisely, their counterparts in AuroraLight that avoid negative G1 powers). The (optional) hiding property of the commitment scheme follows the approach described in Marlin. -The construction is described in the following paper. +The construction is described in the following papers. [sonic]: https://ia.cr/2019/099 [aurora-light]: https://ia.cr/2019/601 @@ -74,9 +74,8 @@ EUROCRYPT 2020 ## Comparison -### Marlin vs Sonic/AuroraLight variant of the Kate-Zaverucha-Goldberg PC +### Comparison of `MarlinKZG10` and `SonicKZG10` -We summarize the differences between the first one (MarlinPC) and the second one (SonicPC) as follows. #### High-level: They handle degree bounds differently. 
@@ -87,22 +86,22 @@ SonicPC uses shift powers in G1 and G2 and requires only one commitment to enfor #### Setup: -SonicPC additionally computes some G2 elements for shift powers: `(1/\beta)^i H`. This results in a longer verifying key, as shift powers in SonicPC are in G2, while shift powers in Marlin are in G1. +SonicPC additionally computes some G2 elements for shift powers: `(1/\beta)^i H`. This results in a longer verifying key, as shift powers in SonicPC are in G2, while shift powers in Marlin are in G1, and are shared with the "non-shift" powers. #### Commit: When there is no degree bound, both are the same. -When there is a degree bound, MarlinPC is more expensive: it needs one more commitment. +When there is a degree bound, MarlinPC is more expensive: it needs an additional commitment to commit to the shifted poynomial. #### Open: When there is no degree bound, both are the same. -When there is a degree bound, MarlinPC is slightly more expensive: it requires more computation on the scalar field. +When there is a degree bound, MarlinPC is slightly more expensive: it requires more scalar field computations. #### Check: MarlinPC simply adjusts the commitment of the shifted polynomial, so the overhead is small. It checks a pairing equation with two pairing operations. -SonicPC is more expensive, as it checks a pairing equation of three pairing operations. It can be reduced into two if there is no degree bound. \ No newline at end of file +SonicPC is more expensive, as it checks a pairing equation of three pairing operations. It can be reduced into two if there is no degree bound.
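Review bot: The `-`/`+` pairs for the "Signatures of Correct Computation" citation (`README.md` hunk `@@ -78,8 +78,8 @@` in PATCH 1/4 and again in PATCH 2/4, and `src/README.md` hunk `@@ -64,8 +64,8 @@` in PATCH 3/4) are textually identical as shown, so these are whitespace-only edits, and PATCH 2/4 rewrites the same two lines PATCH 1/4 just touched. Squash the three into one change and state in the commit message which whitespace convention is being applied, since "consistency" does not tell a later reader what was made consistent with what.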
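Review bot: In the new `src/README.md` (PATCH 1/4, hunk `@@ -0,0 +1,108 @@`), the `[pst]` reference is defined as `https://ia.cr.org/2011/587`, while every other ePrint reference in the file uses the `ia.cr` host (`https://ia.cr/2020/499`, `https://ia.cr/2019/1047`, `https://ia.cr/2019/099`, `https://ia.cr/2019/601`). This looks like a typo for `[pst]: https://ia.cr/2011/587`, and the line is still present unchanged as context in PATCH 3/4, so nothing later in the series fixes it. In the same hunk, the Marlin-KZG and Papamanthou-Shi-Tamassia sections say "described in the following paper." and then list two papers each; PATCH 4/4 corrects the wording to "papers" only for the Sonic/AuroraLight section.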
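Review bot: The new heading in PATCH 4/4 (hunk `@@ -74,9 +74,8 @@`) names the schemes `MarlinKZG10` and `SonicKZG10`, but the same hunk deletes the only sentence that introduced the short names MarlinPC and SonicPC, which the rest of the section keeps using ("MarlinPC uses shift powers only in G1", "SonicPC is more expensive"). Either keep a one-line mapping from the type names to the short names, or rename the body to match the heading. The result also puts `### Comparison of ...` directly under `## Comparison`, which repeats the parent heading.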
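Review bot: Typo in the added Commit line of PATCH 4/4 (hunk `@@ -87,22 +86,22 @@`): "the shifted poynomial" should read "the shifted polynomial". While that hunk is being touched, the reworded Setup line still says "shift powers in Marlin are in G1" where every other sentence in the comparison says MarlinPC; aligning the name there avoids confusing the commitment scheme with the Marlin paper cited above.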