# KZG Commitment Scheme We choose a KZG commitment scheme to commit to the user balance polynomials for the compatibility with Halo2 API (more on that later). In brief, a KZG commitment is a single finite field element $$C$$ that uniquely represents a polynomial $$B(X)$$. It is impossible to reconstruct the polynomial from the commitment, so our requirement of user privacy is satisfied because it is impossible to infer any evaluations of the polynomial from the single-value commitment $$C$$. During the reveal (aka opening) phase, the committed value $$C$$ is used along with the claimed polynomial evaluation $$B(x)$$ to provide a succinct proof $$\pi$$ verifying that the value $$B(x)$$ is indeed an evaluation of a polynomial $$B(X)$$ at point $$x$$ and corresponds to the original commitment $$C$$. Therefore, KZG commitment allows the Custodian to individually provide the opening proofs $$\pi\_i$$ to each user to prove that the polynomial $$B(X)$$ indeed evaluates to the user balance $$b\_i$$ at the point $$x\_i = \omega^i$$. Knowing $$\langle C, B(\omega^i),\pi\rangle$$, the user is able to verify the opening. More broadly, the KZG commitment allows the prover to open the polynomial at *any* point, and we will later see how it benefits our case. ## Proof Of Solvency Using the described polynomial construction technique and the KZG commitment, it is sufficient for the Custodian to "open" the KZG commitment at $$x = 0$$: $$ \langle C, B(0),\pi\_{x=0}\rangle: B(0) = a\_0 + a\_10 + a\_20^2 + ... + a\_{n-1} 0^{n-1} = a\_0 $$ The total liabilities can then be calculated by multiplying the $$a\_0$$ value by the number of users: $$ S = n a\_0 $$ ## Proof Of Inclusion As described in the KZG section, individual users would receive the KZG opening proofs $$\langle C, B(\omega^i),\pi\_i\rangle$$ at their specific point $$\omega^i$$ and they would be able to check that * the opening evaluation is equal to their balance: $$B(\omega^i) = b^i$$; * the opening proof $$\pi\_i$$ corresponds to the public KZG commitment $$C$$. The caveat is that if two or more users have the same cryptocurrency balance value, a malicious Custodian could give them the same KZG proof because the user index $$i$$ is defined by the Custodian. We will use the following technique to mitigate this: * the Custodian has to additionally commit to another polynomial that evaluates to the hashes of user IDs at the specific user points: $$H(\omega^i) = h\_i$$; * the user ID should be known to the user (e.g, the email address used to register with the Custodian), so the user can check that the value $$h\_i$$ is indeed the hash of their ID; * the Custodian then gives two KZG commitments and two opening proofs to the user - $$\langle C\_B, B(\omega^i),\pi\_B\rangle$$ proving the balance inclusion into the balances polynomial, and $$\langle C\_H, H(\omega^i),\pi\_H\rangle$$ proving the user ID hash inclusion into the ID hash polynomial. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://summa.gitbook.io/summa/cryptographic-primitives/kzg-commitment-scheme.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.