Expand description
Utilities for distributed key generation: uni- and bivariate polynomials and commitments.
If G
is a group of prime order r
(written additively), and g
is a generator, then
multiplication by integers factors through r
, so the map x -> x * g
(the sum of x
copies of g
) is a homomorphism from the field Fr
of integers modulo r
to G
. If the
discrete logarithm is hard, i.e. it is infeasible to reverse this map, then x * g
can be
considered a commitment to x
: By publishing it, you can guarantee to others that you won’t
change your mind about the value x
, without revealing it.
This concept extends to polynomials: If you have a polynomial f
over Fr
, defined as
a * X * X + b * X + c
, you can publish a * g
, b * g
and c * g
. Then others will be able
to verify any single value f(x)
of the polynomial without learning the original polynomial,
because f(x) * g == x * x * (a * g) + x * (b * g) + (c * g)
. Only after learning three (in
general degree + 1
) values, they can interpolate f
itself.
This module defines univariate polynomials (in one variable) and symmetric bivariate
polynomials (in two variables) over a field Fr
, as well as their commitments in G
.
Structs
A commitment to a symmetric bivariate polynomial.
A symmetric bivariate polynomial in the prime field.
A commitment to a univariate polynomial.
A univariate polynomial in the prime field.