Module fedimint_threshold_crypto::poly
source · Expand description
Utilities for distributed key generation: uni- and bivariate polynomials and commitments.
If G
is a group of prime order r
(written additively), and g
is a generator, then
multiplication by integers factors through r
, so the map x -> x * g
(the sum of x
copies of g
) is a homomorphism from the field Scalar
of integers modulo r
to G
. If the
discrete logarithm is hard, i.e. it is infeasible to reverse this map, then x * g
can be
considered a commitment to x
: By publishing it, you can guarantee to others that you won’t
change your mind about the value x
, without revealing it.
This concept extends to polynomials: If you have a polynomial f
over Scalar
, defined as
a * X * X + b * X + c
, you can publish a * g
, b * g
and c * g
. Then others will be able
to verify any single value f(x)
of the polynomial without learning the original polynomial,
because f(x) * g == x * x * (a * g) + x * (b * g) + (c * g)
. Only after learning three (in
general degree + 1
) values, they can interpolate f
itself.
This module defines univariate polynomials (in one variable) and symmetric bivariate
polynomials (in two variables) over a field Scalar
, as well as their commitments in G
.
Structs
- A commitment to a symmetric bivariate polynomial.
- A symmetric bivariate polynomial in the prime field.
- A commitment to a univariate polynomial.
- A univariate polynomial in the prime field.