<buttonid="sidebar-toggle"class="icon-button"type="button"title="Toggle Table of Contents"aria-label="Toggle Table of Contents"aria-controls="sidebar">
<inputtype="search"id="searchbar"name="searchbar"placeholder="Search this book ..."aria-controls="searchresults-outer"aria-describedby="searchresults-header">
<p>Halo 2's polynomial commitment scheme differs from Appendix A.2 of BCMS20 in two ways:</p>
<ol>
<li>
<p>Step 8 of the <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8777699999999999em;vertical-align:-0.19444em;"></span><spanclass="mord text"><spanclass="mord">Open</span></span></span></span></span> algorithm computes a "non-hiding" commitment <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.751892em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.07153em;">C</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.751892em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mtight">′</span></span></span></span></span></span></span></span></span></span></span></span> prior to
the inner product argument, which opens to the same value as <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.07153em;">C</span></span></span></span> but is a commitment to
a randomly-drawn polynomial. The remainder of the protocol involves no blinding. By
and fixed polynomials, though using a blinding factor of 1 for the fixed polynomials);
this makes the protocol simpler to reason about. As a consequence of this, the verifier
needs to handle the cumulative blinding factor at the end of the protocol, and so there
is no need to derive an equivalent to <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.751892em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.07153em;">C</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.751892em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mtight">′</span></span></span></span></span></span></span></span></span></span></span></span> at the start of the protocol.</p>
<ul>
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.751892em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.07153em;">C</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.751892em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mtight">′</span></span></span></span></span></span></span></span></span></span></span></span> is also an input to the random oracle for <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.04601em;">ξ</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.30110799999999993em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.04601em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight">0</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span>; in Halo 2 we utilize a
transcript that has already committed to the equivalent components of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.751892em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.07153em;">C</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.751892em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mtight">′</span></span></span></span></span></span></span></span></span></span></span></span> prior to
<p>The <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.84444em;vertical-align:-0.15em;"></span><spanclass="mord"><spanclass="mord text"><spanclass="mord">PC</span></span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.32833099999999993em;"><spanstyle="top:-2.5500000000000003em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord text mtight"><spanclass="mord mtight">DL</span></span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span><spanclass="mord">.</span><spanclass="mord text"><spanclass="mord">SuccinctCheck</span></span></span></span></span> subroutine (Figure 2 of BCMS20) computes
the initial group element <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.83333em;vertical-align:-0.15em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.07153em;">C</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.30110799999999993em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.07153em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight">0</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span> by adding <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1.001892em;vertical-align:-0.25em;"></span><spanclass="mopen">[</span><spanclass="mord mathnormal"style="margin-right:0.03588em;">v</span><spanclass="mclose">]</span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.751892em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mtight">′</span></span></span></span></span></span></span></span></span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mopen">[</span><spanclass="mord mathnormal"style="margin-right:0.03588em;">v</span><spanclass="mord mathnormal">ϵ</span><spanclass="mclose">]</span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span></span></span></span>, which requires two
scalar multiplications. Instead, we subtract <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mopen">[</span><spanclass="mord mathnormal"style="margin-right:0.03588em;">v</span><spanclass="mclose">]</span><spanclass="mord"><spanclass="mord mathnormal">G</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.30110799999999993em;"><spanstyle="top:-2.5500000000000003em;margin-left:0em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight">0</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span> from the original commitment <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.13889em;">P</span></span></span></span>,
so that we're effectively opening the polynomial at the point to the value zero. The
computation <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mopen">[</span><spanclass="mord mathnormal"style="margin-right:0.03588em;">v</span><spanclass="mclose">]</span><spanclass="mord"><spanclass="mord mathnormal">G</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.30110799999999993em;"><spanstyle="top:-2.5500000000000003em;margin-left:0em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight">0</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span> is more efficient in the context of recursion because <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.83333em;vertical-align:-0.15em;"></span><spanclass="mord"><spanclass="mord mathnormal">G</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.30110799999999993em;"><spanstyle="top:-2.5500000000000003em;margin-left:0em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight">0</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span> is a