{"id":13566183,"url":"https://github.com/arkworks-rs/poly-commit","last_synced_at":"2025-04-03T23:31:19.283Z","repository":{"id":40479298,"uuid":"208185732","full_name":"arkworks-rs/poly-commit","owner":"arkworks-rs","description":"A Rust library for polynomial commitments","archived":false,"fork":false,"pushed_at":"2024-12-02T20:55:49.000Z","size":667,"stargazers_count":374,"open_issues_count":27,"forks_count":141,"subscribers_count":23,"default_branch":"master","last_synced_at":"2025-03-26T18:02:21.480Z","etag":null,"topics":["cryptography","marlin","pairings","polynomial-commitments","rust","sonic"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/arkworks-rs.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE-APACHE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":"AUTHORS","dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-09-13T03:01:25.000Z","updated_at":"2025-03-24T17:08:55.000Z","dependencies_parsed_at":"2024-04-24T08:59:56.935Z","dependency_job_id":"b622a616-45e0-43fa-9505-885c148362b3","html_url":"https://github.com/arkworks-rs/poly-commit","commit_stats":{"total_commits":113,"total_committers":25,"mean_commits":4.52,"dds":"0.47787610619469023","last_synced_commit":"32badb304b60be67df4cf2510af87d3f9083ace4"},"previous_names":["scipr-lab/poly-commit"],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arkworks-rs%2Fpoly-commit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arkworks-rs%2Fpoly-commit/tags","releases_url":"https://r
epos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arkworks-rs%2Fpoly-commit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arkworks-rs%2Fpoly-commit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/arkworks-rs","download_url":"https://codeload.github.com/arkworks-rs/poly-commit/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247097744,"owners_count":20883125,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cryptography","marlin","pairings","polynomial-commitments","rust","sonic"],"created_at":"2024-08-01T13:02:03.942Z","updated_at":"2025-04-03T23:31:19.276Z","avatar_url":"https://github.com/arkworks-rs.png","language":"Rust","readme":"\u003ch1 align=\"center\"\u003ePolynomial Commitments\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n   \u003ca href=\"https://github.com/arkworks-rs/poly-commit/blob/master/LICENSE-APACHE\"\u003e\u003cimg src=\"https://img.shields.io/badge/license-APACHE-blue.svg\"\u003e\u003c/a\u003e\n   \u003ca href=\"https://github.com/arkworks-rs/poly-commit/blob/master/LICENSE-MIT\"\u003e\u003cimg src=\"https://img.shields.io/badge/license-MIT-blue.svg\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n`poly-commit` is a Rust library that implements *polynomial commitment schemes*. 
This library was initially developed as part of the [Marlin paper][marlin], and is released under the MIT License and the Apache v2 License (see [License](#license)).\n\n**WARNING:** This is an academic prototype, and in particular has not received careful code review. This implementation is NOT ready for production use.\n\n## Overview\n\nA polynomial commitment scheme is a cryptographic primitive that enables a party to commit to a polynomial over a given finite field, and then, later on, to reveal desired evaluations of the polynomial along with cryptographic proofs attesting to their correctness.\n\nThis library provides various constructions of polynomial commitment schemes. These constructions support committing to multiple polynomials at a time with differing degree bounds, batching multiple evaluation proofs for the same evaluation point into a single one, and batch verification of proofs.\n\nThe key properties satisfied by the polynomial commitment schemes are **succinctness**, **extractability**, and **hiding**. See [the Marlin paper][marlin] for definitions of these properties.\n\n\n### Supported Polynomial Commitment Schemes\n\nThe library supports six polynomial commitment schemes.\n\n#### Inner-product-argument PC\n\nA polynomial commitment scheme based on the hardness of the discrete logarithm problem in prime-order groups. 
\nThe construction is described in the following paper.\n\n[pcd-acc]: https://ia.cr/2020/499\n\n[Proof-Carrying Data from Accumulation Schemes][pcd-acc]     \nBenedikt Bünz, Alessandro Chiesa, Pratyush Mishra, Nicholas Spooner     \nTCC 2020\n\n#### Marlin variant of the Kate-Zaverucha-Goldberg PC\n\nPolynomial commitment based on the Kate-Zaverucha-Goldberg construction, with degree enforcement, batching, and (optional) hiding property taken from Marlin.\nThe construction is described in the following papers.\n\n[Marlin: Preprocessing zkSNARKs with Universal and Updatable SRS][marlin]     \nAlessandro Chiesa, Yuncong Hu, Mary Maller, Pratyush Mishra, Noah Vesely, Nicholas Ward  \nEUROCRYPT 2020\n\n[Polynomial Commitments][kzg10]     \nAniket Kate, Gregory M. Zaverucha, Ian Goldberg     \nASIACRYPT 2010\n\n#### Sonic/AuroraLight variant of the Kate-Zaverucha-Goldberg PC\n\nPolynomial commitment based on the Kate-Zaverucha-Goldberg construction, with degree enforcement and batching taken from Sonic (more precisely, their counterparts in AuroraLight that avoid negative G1 powers). The (optional) hiding property of the commitment scheme follows the approach described in Marlin.\nThe construction is described in the following papers.\n\n[AuroraLight: Improved Prover Efficiency and SRS Size in a Sonic-Like System][aurora-light]     \nAriel Gabizon     \nePrint, 2019\n\n[Sonic: Zero-Knowledge SNARKs from Linear-Size Universal and Updateable Structured Reference Strings][sonic]     \nMary Maller, Sean Bowe, Markulf Kohlweiss, Sarah Meiklejohn     \nCCS 2019\n\n[Marlin: Preprocessing zkSNARKs with Universal and Updatable SRS][marlin]     \nAlessandro Chiesa, Yuncong Hu, Mary Maller, Pratyush Mishra, Noah Vesely, Nicholas Ward  \nEUROCRYPT 2020\n\n[Polynomial Commitments][kzg10]     \nAniket Kate, Gregory M. Zaverucha, Ian Goldberg     \nASIACRYPT 2010\n\n#### Hyrax multilinear PC\n\nMultilinear polynomial commitment, introduced with Hyrax zkSNARK. 
It relies on Pedersen commitments and the hardness of the discrete logarithm problem, and is hiding. Construction details in the following paper.\n\n[Doubly-efficient zkSNARKs without trusted setup][hyrax]     \nRiad S. Wahby, Ioanna Tzialla, abhi shelat, Justin Thaler, Michael Walfish     \n2018 IEEE Symposium on Security and Privacy\n\n#### Ligero and Brakedown\n\nPolynomial commitments based on linear codes and cryptographic hash functions. Construction details in the following papers.\n\n[Ligero: Lightweight Sublinear Arguments Without a Trusted Setup][ligero]    \nScott Ames, Carmit Hazay, Yuval Ishai, Muthuramakrishnan Venkitasubramaniam    \nCCS 2017\n\n[Brakedown: Linear-time and field-agnostic SNARKs for R1CS][brakedown]    \nAlexander Golovnev, Jonathan Lee, Srinath Setty, Justin Thaler, Riad S. Wahby    \nCRYPTO 2023\n\n#### Marlin variant of the Papamanthou-Shi-Tamassia multivariate PC\n\nMultivariate polynomial commitment based on the Papamanthou-Shi-Tamassia construction, with batching and (optional) hiding property inspired by the univariate scheme in Marlin.\nThe construction is described in the following papers.\n\n[Signatures of Correct Computation][pst]    \nCharalampos Papamanthou, Elaine Shi, Roberto Tamassia   \nTCC 2013\n\n[Marlin: Preprocessing zkSNARKs with Universal and Updatable SRS][marlin]     \nAlessandro Chiesa, Yuncong Hu, Mary Maller, Pratyush Mishra, Noah Vesely, Nicholas Ward  \nEUROCRYPT 2020\n\n### Comparison (WIP)\n\n#### Comparison of `MarlinKZG10` and `SonicKZG10`\n\n- High-level:\nThey handle degree bounds differently.\nMarlinPC uses shift powers only in G1 and requires two commitments to enforce degree bounds.\nSonicPC uses shift powers in G1 and G2 and requires only one commitment to enforce degree bounds.\n\n- Setup:\nSonicPC additionally computes some G2 elements for shift powers: `(1/\\beta)^i H`. 
This results in a longer verifying key, as shift powers in SonicPC are in G2, while shift powers in Marlin are in G1 and are shared with the \"non-shift\" powers.\n\n- Commit:\nWhen there is no degree bound, both are the same.\nWhen there is a degree bound, MarlinPC is more expensive: it needs an additional commitment to commit to the shifted polynomial.\n\n- Open:\nWhen there is no degree bound, both are the same.\nWhen there is a degree bound, MarlinPC is slightly more expensive: it requires more scalar field computations.\n\n- Check:\nMarlinPC simply adjusts the commitment of the shifted polynomial, so the overhead is small. It checks a pairing equation with two pairing operations.\nSonicPC is more expensive, as it checks a pairing equation with three pairing operations. This can be reduced to two if there is no degree bound.\n\n## Build guide\n\nThe library compiles on the `stable` toolchain of the Rust compiler. To install the latest version of Rust, first install `rustup` by following the instructions [here](https://rustup.rs/), or via your platform's package manager. Once `rustup` is installed, install the Rust toolchain by invoking:\n```bash\nrustup install stable\n```\n\nAfter that, use `cargo` (the standard Rust build tool) to build the library:\n```bash\ngit clone https://github.com/arkworks-rs/poly-commit.git\ncd poly-commit\ncargo build --release\n```\n\nThis library comes with some unit and integration tests. Run these tests with:\n```bash\ncargo test\n```\n\nA benchmarking module is also provided for the `commit`, `open` and `verify` methods, as well as for computing the commitment and proof size. You can add a new benchmark for your scheme following the examples in the `pcs/benches` directory, or run the existing benchmarks with:\n```bash\ncargo bench\n```\n\nLastly, this library is instrumented with profiling infrastructure that prints detailed traces of execution time. 
To enable this, compile with `cargo build --features print-trace`.\n\n## Usage\n\n### [`PolynomialCommitment`](https://github.com/arkworks-rs/poly-commit/blob/master/src/lib.rs#L145)\n\nThis trait defines the interface for a polynomial commitment scheme. It is recommended to use the schemes from this crate that implement the `PolynomialCommitment` trait\n(e.g. the [vanilla KZG scheme](./src/kzg10/mod.rs) does not implement this trait, but the [Marlin scheme](./src/marlin/mod.rs) which uses it under the hood, does).\n\n```rust\n// In this example, we will commit to a single polynomial, open it first at one point, and then batched at two points, and finally verify the proofs.\n// We will use the KZG10 polynomial commitment scheme, following the approach from Marlin.\n\nuse ark_poly_commit::{Polynomial, marlin_pc::MarlinKZG10, LabeledPolynomial, PolynomialCommitment, QuerySet, Evaluations};\nuse ark_bls12_377::Bls12_377;\nuse ark_crypto_primitives::sponge::poseidon::{PoseidonSponge, PoseidonConfig};\nuse ark_crypto_primitives::sponge::CryptographicSponge;\nuse ark_ec::pairing::Pairing;\nuse ark_ff::UniformRand;\nuse ark_std::test_rng;\nuse ark_poly::{univariate::DensePolynomial, DenseUVPolynomial};\nuse rand_chacha::ChaCha20Rng;\nuse ark_ff::PrimeField;\n\ntype UniPoly_377 = DensePolynomial\u003c\u003cBls12_377 as Pairing\u003e::ScalarField\u003e;\ntype PCS = MarlinKZG10\u003cBls12_377, UniPoly_377\u003e;\n\nlet rng = \u0026mut test_rng();\n\nlet max_degree = 16; // max degree supported by the scheme with the given public parameters generated by the setup here.\n\n// 1. 
PolynomialCommitment::setup\n// The setup procedure in this example is for demonstration purposes only - typically a setup ceremony would be run to generate the public parameters.\nlet pp = PCS::setup(max_degree, None, rng).unwrap();\n\nlet degree = 10; //degree of our polynomial\nlet secret_poly = UniPoly_377::rand(degree, rng);\n\nlet point_1 = \u003cBls12_377 as Pairing\u003e::ScalarField::rand(rng);\nlet point_2 = \u003cBls12_377 as Pairing\u003e::ScalarField::rand(rng);\n\nlet label = String::from(\"secret_poly\");\nlet labeled_poly = LabeledPolynomial::new(\n   label.clone(),\n   secret_poly.clone(),\n   Some(degree),\n   Some(2), // we will open a univariate poly at two points\n);\n\n// TODO: replace by https://github.com/arkworks-rs/crypto-primitives/issues/112.\nfn test_sponge\u003cF: PrimeField\u003e() -\u003e PoseidonSponge\u003cF\u003e {\n   let full_rounds = 8;\n   let partial_rounds = 31;\n   let alpha = 17;\n\n   let mds = vec![\n      vec![F::one(), F::zero(), F::one()],\n      vec![F::one(), F::one(), F::zero()],\n      vec![F::zero(), F::one(), F::one()],\n   ];\n\n   let mut v = Vec::new();\n   let mut ark_rng = test_rng();\n\n   for _ in 0..(full_rounds + partial_rounds) {\n      let mut res = Vec::new();\n\n      for _ in 0..3 {\n         res.push(F::rand(\u0026mut ark_rng));\n      }\n      v.push(res);\n   }\n   let config = PoseidonConfig::new(full_rounds, partial_rounds, alpha, mds, v, 2, 1);\n   PoseidonSponge::new(\u0026config)\n}\nlet mut test_sponge = test_sponge::\u003c\u003cBls12_377 as Pairing\u003e::ScalarField\u003e();\n\n// 2. PolynomialCommitment::trim\n// Since the setup produced pp with a max degree of 16, and our poly is of degree 10, we can trim the SRS to tailor it to this example.\nlet (ck, vk) = PCS::trim(\u0026pp, degree, 2, Some(\u0026[degree])).unwrap(); \n\n// 3. 
PolynomialCommitment::commit\n// The prover commits to the polynomial using their committer key `ck`.\nlet (comms, states) = PCS::commit(\u0026ck, [\u0026labeled_poly], Some(rng)).unwrap(); \n\n// 4a. PolynomialCommitment::open\n// Opening proof at a single point.\nlet proof_single = PCS::open(\u0026ck, [\u0026labeled_poly], \u0026comms, \u0026point_1, \u0026mut (test_sponge.clone()), \u0026states, None).unwrap(); \n\n// 5a. PolynomialCommitment::check\n// Verifying the proof at a single point, given the commitment, the point, the claimed evaluation, and the proof.\nassert!(PCS::check(\u0026vk, \u0026comms, \u0026point_1, [secret_poly.evaluate(\u0026point_1)], \u0026proof_single, \u0026mut (test_sponge.clone()), Some(rng)).unwrap()); \n\nlet mut query_set = QuerySet::new();\nlet mut values = Evaluations::new();\nfor (i, point) in [point_1, point_2].iter().enumerate() {\n   query_set.insert((label.clone(), (format!(\"{}\", i), point.clone())));\n   let value = secret_poly.evaluate(\u0026point);\n   values.insert((label.clone(), point.clone()), value);\n}\n\n// 4b. PolynomialCommitment::batch_open\n// Some schemes support batch opening proofs. Generate a single proof for opening the polynomial at multiple points.\nlet proof_batched = PCS::batch_open(\n   \u0026ck,\n   [\u0026labeled_poly],\n   \u0026comms,\n   \u0026query_set,\n   \u0026mut (test_sponge.clone()),\n   \u0026states,\n   Some(rng),\n).unwrap();\n\n// 5b. 
PolynomialCommitment::batch_check\nassert!(PCS::batch_check(\n   \u0026vk,\n   \u0026comms,\n   \u0026query_set,\n   \u0026values,\n   \u0026proof_batched,\n   \u0026mut (test_sponge.clone()),\n   rng,\n).unwrap());\n```\n\n## License\n\nThis library is licensed under either of the following licenses, at your discretion.\n\n * [Apache License Version 2.0](LICENSE-APACHE)\n * [MIT License](LICENSE-MIT)\n\nUnless you explicitly state otherwise, any contribution that you submit to this library shall be dual licensed as above (as defined in the Apache v2 License), without any additional terms or conditions.\n\n[kzg10]: http://cacr.uwaterloo.ca/techreports/2010/cacr2010-10.pdf\n[marlin]: https://ia.cr/2019/1047\n[sonic]: https://ia.cr/2019/099\n[aurora-light]: https://ia.cr/2019/601\n[pcd-acc]: https://ia.cr/2020/499\n[pst]: https://ia.cr/2011/587\n[brakedown]: https://ia.cr/2021/1043\n[ligero]: https://ia.cr/2022/1608\n[hyrax]: https://eprint.iacr.org/2017/1132\n\n## Reference papers\n\n[Polynomial Commitments][kzg10]     \nAniket Kate, Gregory M. 
Zaverucha, Ian Goldberg     \nASIACRYPT 2010\n\n[Sonic: Zero-Knowledge SNARKs from Linear-Size Universal and Updateable Structured Reference Strings][sonic]     \nMary Maller, Sean Bowe, Markulf Kohlweiss, Sarah Meiklejohn     \nCCS 2019\n\n[AuroraLight: Improved Prover Efficiency and SRS Size in a Sonic-Like System][aurora-light]     \nAriel Gabizon     \nePrint, 2019\n\n[Marlin: Preprocessing zkSNARKs with Universal and Updatable SRS][marlin]     \nAlessandro Chiesa, Yuncong Hu, Mary Maller, [Pratyush Mishra](https://www.github.com/pratyush), Noah Vesely, [Nicholas Ward](https://www.github.com/npwardberkeley)     \nEUROCRYPT 2020\n\n[Proof-Carrying Data from Accumulation Schemes][pcd-acc]     \nBenedikt Bünz, Alessandro Chiesa, [Pratyush Mishra](https://www.github.com/pratyush), Nicholas Spooner     \nTCC 2020\n\n[Signatures of Correct Computation][pst]    \nCharalampos Papamanthou, Elaine Shi, Roberto Tamassia   \nTCC 2013\n\n[Ligero: Lightweight Sublinear Arguments Without a Trusted Setup][ligero]    \nScott Ames, Carmit Hazay, Yuval Ishai, Muthuramakrishnan Venkitasubramaniam    \nCCS 2017\n\n[Doubly-efficient zkSNARKs without trusted setup][hyrax]\nRiad S. Wahby, Ioanna Tzialla, abhi shelat, Justin Thaler, Michael Walfish\n2018 IEEE Symposium on Security and Privacy\n\n[Brakedown: Linear-time and field-agnostic SNARKs for R1CS][brakedown]    \nAlexander Golovnev, Jonathan Lee, Srinath Setty, Justin Thaler, Riad S. 
Wahby    \nCRYPTO 2023\n\n## Acknowledgements\n\nThis work was supported by: an Engineering and Physical Sciences Research Council grant; a Google Faculty Award; the RISELab at UC Berkeley; and donations from the Ethereum Foundation and the Interchain Foundation.\n","funding_links":[],"categories":["Rust"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Farkworks-rs%2Fpoly-commit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Farkworks-rs%2Fpoly-commit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Farkworks-rs%2Fpoly-commit/lists"}
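The README's usage example depends on the arkworks crates and a pairing-friendly curve, so it cannot be run without them. The block below is an added, dependency-free Rust model (not the project's code) of the algebra behind `commit`, `open` and `check`, and of the MarlinKZG10 degree-bound shift discussed in the comparison section. Everything in it is an illustrative construction: the field is the Mersenne prime 2^61 - 1 rather than a curve's scalar field, the "commitment" is p(tau) computed with the trapdoor tau in the clear rather than [p(tau)]_1 in G1 (so it is neither hiding nor binding), and the names `Srs`, `witness_poly`, `commit_with_degree_bound` and friends belong to this example, not to `ark_poly_commit`.

```rust
// Added, stand-alone model of what `commit`/`open`/`check` compute and of the Marlin
// degree-bound shift. Constructed for illustration, not arkworks code: the "commitment"
// is p(tau) in a toy prime field instead of [p(tau)]_1 in G1, so it is neither hiding
// nor binding; it only exposes the polynomial identities the pairing check enforces.
const P: u64 = (1u64 << 61) - 1; // Mersenne prime 2^61 - 1, used as a toy scalar field

fn add(a: u64, b: u64) -> u64 { ((a as u128 + b as u128) % P as u128) as u64 }
fn sub(a: u64, b: u64) -> u64 { add(a, P - b % P) }
fn mul(a: u64, b: u64) -> u64 { ((a as u128 * b as u128) % P as u128) as u64 }
fn pow(mut b: u64, mut e: u64) -> u64 {
    let mut r = 1;
    while e > 0 { if e & 1 == 1 { r = mul(r, b); } b = mul(b, b); e >>= 1; }
    r
}

/// Evaluate p (coefficients low to high) at z by Horner's rule.
fn eval(p: &[u64], z: u64) -> u64 { p.iter().rev().fold(0, |acc, &c| add(mul(acc, z), c)) }

/// Synthetic division by (X - z): returns q with p(X) - p(z) = q(X) * (X - z).
fn witness_poly(p: &[u64], z: u64) -> Vec<u64> {
    let n = p.len();
    if n <= 1 { return vec![]; }
    let mut q = vec![0u64; n - 1];
    q[n - 2] = p[n - 1];
    for i in (1..n - 1).rev() { q[i - 1] = add(p[i], mul(z, q[i])); }
    q
}

/// The SRS: powers tau^0..tau^D. A real setup publishes [tau^i]_1 and discards tau;
/// here tau stays in the clear so the check below can be computed directly.
struct Srs { powers: Vec<u64> }

impl Srs {
    fn new(tau: u64, max_degree: usize) -> Self {
        Srs { powers: (0..=max_degree as u64).map(|i| pow(tau, i)).collect() }
    }
    fn max_degree(&self) -> usize { self.powers.len() - 1 }
    /// commit(p) = sum_i a_i * tau^i. Fails when deg p > D: the SRS simply has no
    /// element for tau^i beyond D, which is what makes the shift trick work.
    fn commit(&self, p: &[u64]) -> Result<u64, String> {
        if p.len() > self.powers.len() {
            return Err(format!("degree {} exceeds SRS max degree {}", p.len() - 1, self.max_degree()));
        }
        Ok(p.iter().zip(&self.powers).fold(0, |acc, (&a, &t)| add(acc, mul(a, t))))
    }
}

/// Opening at z: the claimed value y = p(z) and the witness w = q(tau).
fn open(srs: &Srs, p: &[u64], z: u64) -> (u64, u64) {
    let y = eval(p, z);
    let w = srs.commit(&witness_poly(p, z)).expect("deg q = deg p - 1 fits in the SRS");
    (y, w)
}

/// What the pairing equation e(C - [y]_1, [1]_2) = e(W, [tau - z]_2) checks, in the clear.
fn check(srs: &Srs, c: u64, z: u64, y: u64, w: u64) -> bool {
    sub(c, y) == mul(w, sub(srs.powers[1], z))
}

/// Multiply p by X^by, i.e. prepend `by` zero coefficients.
fn shift(p: &[u64], by: usize) -> Vec<u64> {
    let mut s = vec![0u64; by];
    s.extend_from_slice(p);
    s
}

/// Marlin-style degree bound d: commit to p and to X^(D-d) * p. If deg p > d, the shifted
/// polynomial has degree > D and cannot be committed at all, so the bound is enforced by
/// the SRS size on the prover side.
fn commit_with_degree_bound(srs: &Srs, p: &[u64], d: usize) -> Result<(u64, u64), String> {
    let shift_by = srs.max_degree().checked_sub(d).ok_or("degree bound exceeds SRS")?;
    Ok((srs.commit(p)?, srs.commit(&shift(p, shift_by))?))
}

/// Open both polynomials at z; the shifted one evaluates to z^(D-d) * y.
fn open_with_degree_bound(srs: &Srs, p: &[u64], d: usize, z: u64) -> (u64, u64, u64) {
    let (y, w) = open(srs, p, z);
    let (_, w_shift) = open(srs, &shift(p, srs.max_degree() - d), z);
    (y, w, w_shift)
}

/// Verifier: two plain KZG checks, the second against the shifted value z^(D-d) * y.
/// MarlinPC folds these into one pairing equation by adjusting the shifted commitment;
/// the identity being checked is the same.
fn check_with_degree_bound(srs: &Srs, comms: (u64, u64), d: usize, z: u64, y: u64, w: u64, w_shift: u64) -> bool {
    let shifted_y = mul(pow(z, (srs.max_degree() - d) as u64), y);
    check(srs, comms.0, z, y, w) && check(srs, comms.1, z, shifted_y, w_shift)
}

fn main() {
    let srs = Srs::new(0x1234_5678_9abc_def, 16); // toy trapdoor, max degree D = 16
    let p = [7u64, 3, 0, 5, 1];                   // 7 + 3X + 5X^3 + X^4, degree 4
    let z = 42;
    let comms = commit_with_degree_bound(&srs, &p, 4).unwrap();
    let (y, w, w_shift) = open_with_degree_bound(&srs, &p, 4, z);
    println!("honest opening accepted: {}", check_with_degree_bound(&srs, comms, 4, z, y, w, w_shift));
    println!("forged value rejected:   {}", !check(&srs, comms.0, z, add(y, 1), w));
    println!("bound 3 on a degree-4 poly: {:?}", commit_with_degree_bound(&srs, &p, 3).err());
}
```

The point to take away: with a Marlin-style bound d and an SRS of max degree D, the shifted polynomial X^(D-d) p(X) exceeds what the SRS can commit to exactly when deg p > d, so an honest prover hands over two commitments and the verifier checks the shifted one against z^(D-d) * y. The real scheme combines both checks into one pairing equation with two pairings, as the comparison section states, and its commitments live in G1 with hiding randomness; this model drops both to keep the polynomial identity visible.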