Polynomial commitment scheme

A polynomial commitment scheme (PCS) allows a prover to commit to a polynomial $f \in F_{p} [X]_{\leq d}$ (of degree at most $d$ ) and later prove evaluations $f (z) = y$ for any point $z$ queried by a verifier, without revealing $f$ itself. Polynomial commitments are the key bridge between arithmetization and proof systems: they allow a SNARK to efficiently check that a prover’s claimed polynomial satisfies the required constraints.

Syntax

A polynomial commitment scheme is a tuple of efficient algorithms $(Setup, Commit, Open, Vrfy)$ :

$Setup (1^{λ}, d) \to srs,$ produces a structured (or transparent) reference string for polynomials of degree $\leq d$ .
$Commit (srs, f) \to (C, aux),$ commits to a polynomial $f$ , producing commitment $C$ and auxiliary data $aux$ (kept by the prover).
$Open (srs, C, z, y, aux) \to π,$ produces an opening proof $π$ for the claim $f (z) = y$ .
$Vrfy (srs, C, z, y, π) \to {0, 1},$ verifies the claim $f (z) = y$ against commitment $C$ .

Properties

Correctness

For all polynomials $f$ , all $z \in F_{p}$ , and $(C, aux) \leftarrow Commit (srs, f)$ : $Pr [Vrfy (srs, C, z, f (z), Open (srs, C, z, f (z), aux)) = 1] = 1.$

Evaluation binding

For all efficient $A$ : it is infeasible to produce $C, z, y \neq = y^{'}, π, π^{'}$ such that both $Vrfy (srs, C, z, y, π) = 1$ and $Vrfy (srs, C, z, y^{'}, π^{'}) = 1$ .

Hiding (optional)

The commitment $C$ reveals no information about $f$ beyond its degree and any opened evaluations.

Variations

KZG (Kate-Zaverucha-Goldberg)

The KZG scheme commits to $f$ as $C = g^{f (τ)}$ in a bilinear group, where $τ$ is a secret known only during trusted setup. An opening proof for $f (z) = y$ is the single group element $π = g^{(f (τ) - y) / (τ - z)}$ (the “quotient polynomial” evaluated at $τ$ ). Verification checks $e (C / g^{y}, g) = e (π, g^{τ} / g^{z})$ using the pairing.

Proof size: $O (1)$ (one group element)
Verification time: $O (1)$ (two pairings)
Setup: Trusted; requires a structured reference string $(g, g^{τ}, \dots, g^{τ^{d}})$
Security: $q$ -Strong Diffie-Hellman assumption in a bilinear group
Reference: KZG10

Used in: Plonk, Marlin, KZG-based zkRollups, Ethereum EIP-4844.

FRI (Fast Reed-Solomon IOP of Proximity)

FRI is a transparent (no trusted setup) polynomial commitment that works by repeatedly halving the degree of a Reed-Solomon codeword via a random folding step. It is the core component of STARKs.

Proof size: $O (lo g^{2} d)$
Verification time: $O (lo g^{2} d)$
Setup: Transparent (public-coin; only a hash function needed)
Security: Collision-resistant hash functions; post-quantum secure
Reference: BBHR18

Inner Product Argument (IPA / Bulletproofs)

A transparent polynomial commitment based on Pedersen commitments and a recursive inner-product argument. No trusted setup; no pairings needed.

Proof size: $O (lo g d)$
Verification time: $O (d)$ (linear, but no pairing)
Setup: Transparent
Security: Discrete logarithm assumption

Other results

KZG is the polynomial commitment underlying most practical pairing-based SNARKs (Groth16, Plonk, Marlin) — KZG10, Gro16
FRI-based polynomial commitments give the only known transparent SNARKs with sublinear proof size — BBHR18
Any polynomial commitment with $O (1)$ proof size implies the existence of a succinct NIZK for NP — standard
Multi-point and batched opening protocols (e.g., FK20) allow proving many evaluations simultaneously with constant overhead — standard
Polynomial commitments are equivalent to vector commitments with position-binding under certain reductions — standard

Cryptology City

Explorer