[−][src]Module threshold_crypto::poly
Utilities for distributed key generation: uni- and bivariate polynomials and commitments.
If G is a group of prime order r (written additively), and g is a generator, then
multiplication by integers factors through r, so the map x -> x * g (the sum of x
copies of g) is a homomorphism from the field Fr of integers modulo r to G. If the
discrete logarithm is hard, i.e. it is infeasible to reverse this map, then x * g can be
considered a commitment to x: By publishing it, you can guarantee to others that you won't
change your mind about the value x, without revealing it.
This concept extends to polynomials: If you have a polynomial f over Fr, defined as
a * X * X + b * X + c, you can publish a * g, b * g and c * g. Then others will be able
to verify any single value f(x) of the polynomial without learning the original polynomial,
because f(x) * g == x * x * (a * g) + x * (b * g) + (c * g). Only after learning three (in
general degree + 1) values, they can interpolate f itself.
This module defines univariate polynomials (in one variable) and symmetric bivariate
polynomials (in two variables) over a field Fr, as well as their commitments in G.
Structs
| BivarCommitment | A commitment to a symmetric bivariate polynomial. |
| BivarPoly | A symmetric bivariate polynomial in the prime field. |
| Commitment | A commitment to a univariate polynomial. |
| Poly | A univariate polynomial in the prime field. |