KZG Commitment Scheme
Last updated
Last updated
We choose a KZG commitment scheme to commit to the user balance polynomials for the compatibility with Halo2 API (more on that later). In brief, a KZG commitment is a single finite field element that uniquely represents a polynomial .
It is impossible to reconstruct the polynomial from the commitment, so our requirement of user privacy is satisfied because it is impossible to infer any evaluations of the polynomial from the single-value commitment .
During the reveal (aka opening) phase, the committed value is used along with the claimed polynomial evaluation to provide a succinct proof verifying that the value is indeed an evaluation of a polynomial at point and corresponds to the original commitment . Therefore, KZG commitment allows the Custodian to individually provide the opening proofs to each user to prove that the polynomial indeed evaluates to the user balance at the point . Knowing , the user is able to verify the opening.
More broadly, the KZG commitment allows the prover to open the polynomial at any point, and we will later see how it benefits our case.
Using the described polynomial construction technique and the KZG commitment, it is sufficient for the Custodian to "open" the KZG commitment at :
The total liabilities can then be calculated by multiplying the value by the number of users:
As described in the KZG section, individual users would receive the KZG opening proofs at their specific point and they would be able to check that
the opening evaluation is equal to their balance: ;
the opening proof corresponds to the public KZG commitment .
The caveat is that if two or more users have the same cryptocurrency balance value, a malicious Custodian could give them the same KZG proof because the user index is defined by the Custodian. We will use the following technique to mitigate this:
the Custodian has to additionally commit to another polynomial that evaluates to the hashes of user IDs at the specific user points: ;
the user ID should be known to the user (e.g, the email address used to register with the Custodian), so the user can check that the value is indeed the hash of their ID;
the Custodian then gives two KZG commitments and two opening proofs to the user - proving the balance inclusion into the balances polynomial, and proving the user ID hash inclusion into the ID hash polynomial.