MIT IAP 2023 Modern Zero Knowledge Cryptography课程笔记
Lecture 5: Commitment 2 (Ying Tong Lai)
- Polynomial Commitment
-
f(x) = a 0 a_0 a0 + a 1 x a_1x a1x + a 2 x 2 a_2x^2 a2x2 + … \dots … + a n x n a_nx^n anxn
-
a i a_i ai is secret
-
commit(f,z,y) = C
-
The commitment proved that
- f(z) = y
- C is the commitment of f
-
KZG commitment scheme. It is used in protocols like Sonic, Marlin, and PlonK. (Marlin and PlonK improve on Sonic by constructing a different polynomial IOP.)
-
How to generate τ \tau τ (trusted setup)
- Multiple-party computation
- Each party generate a random beacon
- Aggregate all beacons as τ \tau τ
- No one knows τ \tau τ exceplt compeletly collusion
- Multiple-party computation
-