Skip to content

Commit bf30d8c

Browse files
dtebbsdtebbs
committed
use evaluations in witness construction in the kzg10_batched poly commit scheme
1 parent 34a2125 commit bf30d8c

File tree

1 file changed

+11
-6
lines changed

1 file changed

+11
-6
lines changed

libsnark/polynomial_commitments/kzg10_batched.tcc

Lines changed: 11 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -143,7 +143,6 @@ typename kzg10_batched_2_point<ppT>::evaluation_witness kzg10_batched_2_point<
143143
{
144144
assert(fs.size() == evaluations.s_1s.size());
145145
assert(gs.size() == evaluations.s_2s.size());
146-
libff::UNUSED(evaluations);
147146

148147
// For convenience of variable naming, let $f_i \in fs$ and $g_i in gs$ be
149148
// the two sets of polynomials. These are denoted $f_i$ and $f'_i$ in
@@ -166,21 +165,27 @@ typename kzg10_batched_2_point<ppT>::evaluation_witness kzg10_batched_2_point<
166165
// polynomial into the kzg10 create_witness function, to yield $W_1$ and
167166
// $sf_1$.
168167

169-
// TODO: Use the evaluations object to compute f_accum_eval and
170-
// g_accum_eval, instead of evaluating the accumulated polynomial.
168+
// The evaluation of the accumulated polynomials is computed as:
169+
//
170+
// s_1[0] + s_1[1] * gamma_1 + ... + s_i[t1 - 1] gamma_1^{t1 - 1}
171+
//
172+
// which can be views as a polynomial in gamma with coefficients s_1. Note
173+
// that this approach assumes that the highest degree of the polynomials
174+
// f_s and g_s is larger than the number of polynomials, and therefore it
175+
// is more efficient to reuse the existing evaluations instead of
176+
// evaluating the accumulated polynomials.
171177

172-
// Accumulate polynomials and get the witnesses
173178
const polynomial<Field> f_accum =
174179
internal::polynomial_accumulate_with_power_factors(fs, gamma_1);
175180
const libff::Fr<ppT> f_accum_eval =
176-
kzg10<ppT>::evaluate_polynomial(f_accum, z_1);
181+
kzg10<ppT>::evaluate_polynomial(evaluations.s_1s, gamma_1);
177182
const libff::G1<ppT> f_accum_witness =
178183
kzg10<ppT>::create_evaluation_witness(f_accum, z_1, f_accum_eval, srs);
179184

180185
const polynomial<Field> g_accum =
181186
internal::polynomial_accumulate_with_power_factors(gs, gamma_2);
182187
const libff::Fr<ppT> g_accum_eval =
183-
kzg10<ppT>::evaluate_polynomial(g_accum, z_2);
188+
kzg10<ppT>::evaluate_polynomial(evaluations.s_2s, gamma_2);
184189
const libff::G1<ppT> g_accum_witness =
185190
kzg10<ppT>::create_evaluation_witness(g_accum, z_2, g_accum_eval, srs);
186191

0 commit comments

Comments
 (0)