Ligero for multilinear polynomials

 

To commit to an $\ell$-variate multilinear polynomial $f(x)$ we assume it (as equivalent) to represent as a list of elements where each element at the position $i$ equals to $f(\tilde{i})$ where $\tilde{i}$ represents a bit string equivalent to the $i$ value. Then, we reorganize this list into the matrix $M$ of size $2^{\ell_0} \times 2^{\ell_1}$ in such a way that:

\[f(\tilde{i}) = M[\tilde{i}_0][\tilde{i}_1]\]

where

\[\tilde{i} = \tilde{i}_0||\tilde{i}_1\]

Image

Then, for each row, we replace it with its error-correcting code representation, assuming that the matrix will become bigger — it will have size $2^{\ell_0} \times 2^{\ell_2}$ where $\ell_2 > \ell_1$

Image

The commitment to its matrix will be a Merkle tree, where each leaf will contain a corresponding column. For example:

Image

Openning

To open the polynomial value at a point $r$ the prover splits it into two parts $r_1$ and $r_2$ of sizes $\ell_1$ and $\ell_2$. Then, the prover opens the value $M[r_1][r_2]$.

Proving and Verification

To prove that the opening $M[r_1][r_2]$ corresponds to the commitment (Merkle tree hash), the prover goes through the following steps:

  • The prover selects a row $w = M[r_1]$ and shares it.
  • The verifier checks that the element on the position $r_2$ in the row $w$ equals $M[r_1][r_2]$.
  • The verifier evaluates an error correcting code of $w$.
  • The verifier selects several columns (in the encoded matrix) and asks the prover to open it with the corresponding Merkle proofs.
  • The verifier selects the corresponding elements from these columns (on the positions $r_1$) and checks the equality with the corresponding elements in the encoded row $w$.

Note, that this is a non-zero-knowledge version of the protocol. While sharing the opened row $w$ we share the additional private information besides the requested opening so the commitment protocol does not own a perfect hiding property.

In the section 4.6 of https://eprint.iacr.org/2022/1608.pdf the author describes how to make this protocol zero-knowledge.

To achieve this, we add an additional random row $u$ into the matrix (WLOG append it downside). The encoded version of this row will also be committed. Then, we suppose to share $w = M[r_1] + u$ with verifier. During the verification phase, the verifier becomes able to check that the encoded elements of $w$ are valid by adding last column element to the $r_1$ element.

To prove that the opening $M[r_1][r_2]$ corresponds to the commitment (Merkle tree hash), the prover goes through the following steps:

  • The prover shares the $u[r_2]$ value.
  • The prover selects a row $w = M[r_1]$ and shares it.
  • The verifier checks that the element on the position $r_2$ in the row $w$ equals $M[r_1][r_2] + u[r_2]$.
  • The verifier evaluates an error correcting code of $w$, namely $ECC(w)$.
  • The verifier selects several columns (in the encoded matrix) and asks the prover to open it with the corresponding Merkle proofs.
  • For the column $c$ with index $k$ the verifier checks that $c[r_1] = ECC(w)[k] + c.last()$.