# A quick insight on Algebra for KZG Commitment


## Basic Algebraic Structures

### Abelian Groups

Any algebraic structure is defined through a set and an operation. An Abelian Group (also known as commutative group) $\mathbb{G}$ is a tuple $(G,\oplus)$ where $G$ is a set and $\oplus$ is a binary operation (i.e. an operation that takes two elements of the set and returns another element) that satisfies the following properties:

- Closure: $\forall a,b\in G, a\oplus b\in G$ (the elements returned by the operation are elements of the set).
- Associativity: $\forall a,b,c\in G, (a\oplus b)\oplus c=a\oplus(b\oplus c)$
- Identity element: $\exists e\in G, \forall a\in G, a\oplus e=e\oplus a=a$. $e$ is called the identity element. Sometimes it is also denoted by a **bold** "one": $\boldsymbol{1}$
- Inverse element: $\forall a\in G, \exists a^{-1}\in G, a\oplus a^{-1}=a^{-1}\oplus a=e$. $a^{-1}$ is called the inverse element of $a$.
- Commutativity: $\forall a,b\in G, a\oplus b=b\oplus a$

_(Note that the symbol $\forall$ means "for all" and $\exists$ means "there exists")_


Examples of Abelian Groups:

- The set of integers $\mathbb{Z}$ with the binary operation $+$ (addition) is an Abelian Group. The identity element is $0$ and the inverse element of $a$ is $-a$.
- The set of integers $\mathbb{Z}$ with the binary operation $\cdot$ (product; multiplication) is **NOT** an Abelian Group. The identity element is $1$ but the inverse element of $a$ is $\frac{1}{a}$, which is NOT an element of $\mathbb{Z}$.
- The set of rational numbers $\mathbb{Q}$ with the binary operation $\cdot$ (product; multiplication) is an Abelian Group. The identity element is $1$ and the inverse element of $a$ is $\frac{1}{a}$.

If the commutativity property is not present in the Abelian Group, then it is just called a Group.

### Finite Groups, Group Order, Cyclic Groups and Generators

If the Abelian Groups $G$ is finite, then we call it a Finite Group. The number of elements in the group $\mathbb{G}$ is called the order of the group, and is usually denoted by $\left|\mathbb{G}\right|$.

Example: The set of integers $\{0,1,2,3,4\}$ (which is a finite set) and the binary operation $+$. This is not a Finite Group because we lack **closure**: if we perform $2 + 3 = 5$, and $5$ is not in the set. However, if we change $+$ for $+$ under modulo $5$, then we do get a Finite Group, because this time $2 + 3 = 5\equiv 0\quad\text{mod}~5$. Indeed, all groups $(\mathbb{Z}_n, +~\text{mod}~ n)$ are finite (abelian) groups, whose order is $n$.

A Cyclic Group is a group that can be generated by a single element, called **generator** by means of the binary operation. Example, $\mathbb{Z}$ with the binary operation addition $+$ is indeed an infinite cyclic group, which has two different generators: $1$ and $-1$, because every integer can be generated by adding $1$ or $-1$ to itself, or through their inverses.

The same happens with $\mathbb{Z}_n$ with the binary operation addition $+$ under modulo $n$. Example, $\mathbb{Z}_5$ has four generators: $1$, $2$, $3$ and $4$, because every element of $\mathbb{Z}_5$ can be generated by adding $1$ or $4$ to itself.

### The Exponential Map

Say we have a finite cyclic group $\mathbb{G}=(G,\oplus)$ of order $n$ ($\left|\mathbb{G}\right|=n$; it contains $n$ elements) whose generator is $g$. The exponential map is a function that takes an integer $a\in\mathbb{Z}_n$ and returns the element of the group that is generated by $g^a$. One can understand $g^a$ as applying $a$ times the $\oplus$ operation on $g$.

For example: take the finite cyclic abelian group $\mathbb{G}:=(\mathbb{Z}_5, +~\text{mod}~5)$ of order $5$, and let's choose the generator $2$. The exponential map, which we'll call $\xi$ is:

\begin{align*}
\xi : \mathbb{Z}_5 &\rightarrow \mathbb{G}\\
a &\mapsto 2\cdot a\quad\text{mod}~5
\end{align*}

To test if this is true:

<center>

|     $\mathbb{Z}_5$         |         $\mathbb{G}$    |
|:---:|:----------------------------------------------:|
| $a$ |       $\xi(a)=2\cdot a\quad\text{mod}~5$       |
| $0$ |             $\xi(0)=2\cdot 0 = 0$              |
| $1$ |             $\xi(1)=2\cdot 1 = 2$              |
| $2$ |             $\xi(2)=2\cdot 2 = 4$              |
| $3$ | $\xi(3)=2\cdot 3 = 6\equiv 1\quad\text{mod}~5$ |
| $4$ | $\xi(4)=2\cdot 4 = 8\equiv 3\quad\text{mod}~5$ |

</center>


Another example: take the finite cyclic abelian group $\mathbb{G}:=(\{1,2,3,4,5,6\}, \cdot~\text{mod}~7)$ of order $6$, and let's choose the generator $3$. The exponential map, which we'll call $\xi$ is:

\begin{align*}
\xi : \mathbb{Z}_6 &\rightarrow \mathbb{G}\\
a &\mapsto 3^a\quad\text{mod}~7
\end{align*}

To test if this is true:

<center>

|     $\mathbb{Z}_6$         |         $\mathbb{G}$     |
|:---:|:-----------------------------------------------:|
| $a$ |         $\xi(a) = 3^a\quad\text{mod}~7$         |
| $0$ |               $\xi(0)= 3^0 = 1$                 |
| $1$ |               $\xi(1)= 3^1 = 3$                 |
| $2$ |               $\xi(2)= 3^2 = 2$                 |
| $3$ |   $\xi(3)=3^3 = 27 \equiv 6\quad\text{mod}~7$   |
| $4$ |   $\xi(4)=3^4 = 81 \equiv 4\quad\text{mod}~7$   |
| $5$ | $\xi(5)=3^5 = 243 = 8\equiv 5\quad\text{mod}~7$ |

</center>

The exponential map allows to perform so-called _"calculations in the exponent"_. For the previous example,  that we want to compute $5\cdot 6\cdot 3\quad\text{mod}~7$. We can do it two ways:


### Pairings

A pairing map takes elements from a group $\mathbb{G}_1$ and elements from a group $\mathbb{G}_2$ and returns an element of a group $\mathbb{G}_T$. Let's define the pairing $e$, and a pair $(a,b)\mid a\in\mathbb{G_1}, b\in\mathbb{G}_2$:

\begin{align*}
e : \mathbb{G}_1\times\mathbb{G}_2 &\rightarrow \mathbb{G}_T\\
(a,b) &\mapsto e(a,b)
\end{align*}

A pairing is said to be **bilinear** if for all $g_1,g'_1\in\mathbb{G}_1$ and $g_2,g'_2\in\mathbb{G}_2$, it is satisfied that:

\begin{align*}
e(g_1\oplus g'_1,g_2) &= e(g_1,g_2)\oplus e(g'_1,g_2)\\
e(g_1,g_2\oplus g'_2) &= e(g_1,g_2)\oplus e(g_1,g'_2)
\end{align*}

A pairing is said to be **non-degenerate** if for all $g_1\in\mathbb{G}_1$ and $g_2\in\mathbb{G}_2$, it is satisfied that:

$$e(g_1,g_2)=\boldsymbol{1}_{\mathbb{G}_T}\Rightarrow \boldsymbol{1}_{\mathbb{G}_1}\quad\text{or}\quad\boldsymbol{1}_{\mathbb{G}_2}$$

In other words, if the pairing of two elements of $\mathbb{G}_1$ and $\mathbb{G}_2$ is the neutral element of $\mathbb{G}_T$, then at least one of the elements of $\mathbb{G}_1$ or $\mathbb{G}_2$ must be the neutral element of their respective group.

An example for a pairing is taking all the groups as the set of integers $\mathbb{Z}_p$ with the binary operation addition $+$ and the pairing $e$ as:

\begin{align*}
e : \mathbb{Z}\times\mathbb{Z} &\rightarrow \mathbb{Z}\\
(a,b) &\mapsto a\cdot b
\end{align*}

It is easy to see that:

\begin{align*}
e(a + b, c) &= (a + b)\cdot c = a\cdot c + b\cdot c = e(a, c) + e(b, c)\\
e(a,b) &= 0 \Rightarrow a = 0 \quad\text{or}\quad b = 0
\end{align*}

both hold.


### Rings

We will be focusing on something more specifically called commutative rings. A Ring $R$ is a tuple $(R,\oplus,\otimes)$ where $R$ is a set and $\oplus$ and $\otimes$ are binary operations that satisfy the following properties:

- $(R,\oplus)$ is an Abelian Group
- Commutativity: $\forall a,b\in R, a\otimes b=b\otimes a$
- Associativity: $\forall a,b,c\in R, (a\otimes b)\otimes c=a\otimes(b\otimes c)$
- Distributivity: $\forall a,b,c\in R, (a\oplus b)\otimes c=(a\otimes c)\oplus(b\otimes c)$
- Identity element: $\exists e\in R, \forall a\in R, a\otimes e=e\otimes a=a$. $e$ is called the identity element. Sometimes it is also denoted by a **bold** "one": $\boldsymbol{1}$. In this case, the identity element for $\oplus$ can be denoted by a **bold** "zero": $\boldsymbol{0}$.

Example, the set of integers $\mathbb{Z}$ with the binary operations $+$ (addition) and $\cdot$ (product; multiplication) is a Ring. The identity element for $+$ is $0$ and the identity element for $\cdot$ is $1$.

### Fields & Galois Fields

The final algebraic structure we'll see are Fields. A Field $\mathbb{F}$ is a tuple $(F,\oplus,\otimes)$ where $F$ is a set and $\oplus$ and $\otimes$ are binary operations that satisfy the following properties:

- $(F,\oplus,\otimes)$ is a Ring
- $\forall a\in F\setminus\{0\}, \exists a^{-1}\in F, a\otimes a^{-1}=a^{-1}\otimes a=e$. $a^{-1}$ is called the inverse element of $a$.

Galois Fields (also known as Finite Fields) are a special kind of Field, where the set $F$ is finite. The order of the field is the number of elements in the set $F$, and is usually denoted by $\left|\mathbb{F}\right|$. We are going to use what are known as Prime Fields, which are build by means of $\mathbb{Z}/p\mathbb{Z}$ with the binary operations $+$ (addition) and $\cdot$ (product; multiplication) under modulo $p$, where $p\in\mathbb{P}$. These special fields are denoted as $\mathbb{F}_p$.

What if $\mathbb{Z}/n\mathbb{Z}$, where $n\notin\mathbb{P}$?_

In that case, we would have a Ring, but not a Field, because not every arbitrary element of $a\in\mathbb{Z}/n\mathbb{Z}\setminus\{0\}$ has an inverse $a^{-1}$ in the set. For example, let's take $\mathbb{Z}/6\mathbb{Z}$ with the binary operation $\cdot$ (product; multiplication) under modulo $6$. Since $\mathbb{Z}/6\mathbb{Z}=\{0,1,2,3,4,5\}$, let's construct the multiplication table:

<center>

| $\cdot$ | $0$ | $1$ | $2$ | $3$ | $4$ | $5$ |
|:-------:|:---:|:---:|:---:|:---:|:---:|:---:|
|   $0$   | $0$ | $0$ | $0$ | $0$ | $0$ | $0$ |
|   $1$   | $0$ | $1$ | $2$ | $3$ | $4$ | $5$ |
|   $2$   | $0$ | $2$ | $4$ | $0$ | $2$ | $4$ |
|   $3$   | $0$ | $3$ | $0$ | $3$ | $0$ | $3$ |
|   $4$   | $0$ | $4$ | $2$ | $0$ | $4$ | $2$ |
|   $5$   | $0$ | $5$ | $4$ | $3$ | $2$ | $1$ |

</center>

Notice that there are rows/columns (besides $0$) that do not have a single entry that equals 1? For example, $2$, $3$ and $4$. This means that only $1$ and $5$ have a multiplicative inverse in $\mathbb{Z}/6\mathbb{Z}$, while the rest of the elements do not. Therefore, $\mathbb{Z}/6\mathbb{Z}$ is not a Field.

## Polynomials

A polynomial is an expression consisting of variables (also called indeterminates) and coefficients, that involves only the operations of addition, subtraction, multiplication, and non-negative integer exponents of variables. An example of a polynomial of a single indeterminate $x$ is $x^2 - 4x + 7$. When talking about polynomials, one refers to the set of polynomials with coefficients and values that "live" in the field of real numbers $\mathbb{R}$ (embeded with the binary operations $+$ (addition) and $\cdot$ (product; multiplication)). This set is denoted as $\mathbb{R}[x]$. For example, the polynomial $x^2 - 2$ is an element of $\mathbb{R}[x]$.

We can define polynomials over any field $\mathbb{F}$, and denote the set of polynomials with coefficients and values that "live" in $\mathbb{F}$ as $\mathbb{F}[x]$. For example, the polynomial $x^2 - 2$ is also an element of $\mathbb{F}_5[x]$.

The field over which we construct the polynomials greatly affects the properties of the polynomials. Example, let's take the polynomial $x^2 - 2$.
- If we are working with $\mathbb{R}[x]$, then this polynomial has two roots: $\sqrt{2}$ and $-\sqrt{2}$, because $x^2 - 2 = (x - \sqrt{2})(x + \sqrt{2})$.
- If we are working with $\mathbb{F}_5[x]$, then this polynomial has no roots, because $\pm\sqrt{2}$ are not elements of $\mathbb{F}_5$.

So, $x^2 - 2$ is an irreducible polynomial in $\mathbb{F}_5[x]$, but not in $\mathbb{R}[x]$.

Another example: the polynomial $x^2 + 1$.
- If we are working with $\mathbb{R}[x]$, then this polynomial has no roots, because $x^2 + 1 = (x + i)(x - i)$, where $i$ is the imaginary unit, and $i$ is not an element of $\mathbb{R}$.
- If we are working with $\mathbb{C}[x]$, then this polynomial has two roots: $\pm i$.
- If we are working with $\mathbb{F}_5[x]$, then this polynomial has two roots: $2$ and $3$, because $x^2 + 1 = (x - 2)(x - 3)$.

Remember that in $\mathbb{F}_5[x]$, all operations are done under modulo $5$. So, let's expand $(x - 2)(x - 3)$:

\begin{align*}
(x - 2)(x - 3) &= x^2 - 3x - 2x + 6\\
&= x^2 - 5x + 6\\
&\equiv x^2 + 1\quad\text{mod}~5
\end{align*}

# 2. KZG Commitments

The KZG Commitment scheme is a commitment scheme that allows to commit to a polynomial $\phi(x) = a_0 + a_1x + a_2x^2+\dots+a_tx^t$, where $\phi(x)\in\mathbb{F}_p[x]$. _"To commit"_ means proving that you know the polynomial $\phi(x)$ without revealing it, like a sealed envelope.

## 2.1 The Setup Phase

Start with defining a Galois Field $\mathbb{F}_p$ where $p$ is a prime number. Also let's define a maximum degree $t$ for the polynomials we'll be working with, so that $t < p$. _To do this properly, we must choose a prime so that it fulfills the $k$ bits of security that we want to establish for your commitment scheme. Example, if we want $128$ bits of security, you must choose a prime $p$ so that_ $2^{128} < p < 2^{129}$.

Now, we'll define a generator $g$ of $\mathbb{F}_p$, compute two groups $\mathbb{G}$ and $\mathbb{G}_T$ that have $g$ as their generator, define a pairing $e:\mathbb{G}\times\mathbb{G}\to\mathbb{G}_T$ that is bilinear and non-degenerate.

A trusted party then picks a random $\alpha\in\mathbb{F}_p^*$ and computes the public parameters $PP$:

$$
PP = \left\langle g, g^\alpha, g^{\alpha^2}, \dots, g^{\alpha^t}\right\rangle
$$

$PP$ will be publicly available **to everyone**. The trusted party will then **HAVE TO DELETE** $\alpha$.

## 2.2 The Commitment Phase

Now, say we want to commit to a polynomial $\phi(x) = a_0 + a_1x + a_2x^2+\dots+a_tx^t$, where $\phi(x)\in\mathbb{F}_p[x]$. Compute the commitment $\mathcal{C}\in\mathbb{F}_p$:

$$
\mathcal{C} = g^{\phi(\alpha)}
$$

without knowing $\alpha$ ? Remember that we have the public parameters $PP$, which contain $g^\alpha$, $g^{\alpha^2}$, $\dots$, $g^{\alpha^t}$. We can compute the commitment $\mathcal{C}$ by **evaluating on the exponent**:

\begin{align*}
\mathcal{C} &= g^{\phi(\alpha)}\\
&= g^{a_0 + a_1\alpha + a_2\alpha^2+\dots+a_t\alpha^t}\\
&= g^{a_0}\cdot g^{a_1\alpha}\cdot g^{a_2\alpha^2}\cdot\dots\cdot g^{a_t\alpha^t}\\
&= g^{a_0}\cdot (g^{\alpha})^{a_1}\cdot (g^{\alpha^2})^{a_2}\cdot\dots\cdot (g^{\alpha^t})^{a_t}\\
\end{align*}

We know $g^\alpha, g^{\alpha^2},\dots$ from the Public Parameters ($PP$). So, we can compute the commitment $\mathcal{C}$.

## 2.3 The Opening Phase

In this step, the Verifier will ask the Prover to "open" the commitment $\mathcal{C}$ to a random specific point $s\in\mathbb{F}_p$. In other words, the prover will have to evaluate $\phi(s)$ and commit the result in the form of the opening triplet $OT = \left(s,\phi(s),\mathcal{C}_{\psi_s}\right)$. Computing $\phi(s)$ is trivial, but how do we compute $\mathcal{C}_{\psi_s}$?

$\mathcal{C}_{\psi_s}$ is defined as $g^{\psi(\alpha)}$, where $\psi(\alpha)$ is the proof polynomial that is constructed from $\phi(x)$ and $s$. To contstruct this polynomial, let's imagine the polynomial $\rho(x)\in\mathbb{F}_p\mid \rho(x)=\phi(x)-\phi(s)$. Trivially, $\rho(x)$ has $s$ as one of its roots (because $\rho(s)=\phi(s)-\phi(s)=0$). That means it admits a factorization of the form $\rho(x)=\psi_s(x)\cdot(x-s)$, where $\psi_s(x)$ is a polynomial of degree $t - 1$.

Given that $\rho(s)=\phi(s)-\phi(s)=\psi_s(x)\cdot(x - s)$, we have $\psi_s(x)=\frac{\phi(x)-\phi(s)}{x - s}$. Now, we can compute the commitment $\mathcal{C}_{\psi_s}$ the same way as we computed the commitment $\mathcal{C}$, we just have to replace $\phi(x)$ with $\psi_s(x)$.

The opening triplet $OT$ is then sent to the Verifier.

## 2.4. The Verification Phase

The verifier has to check that the opening triplet $OT$ is valid. Other words, that $\phi(s)$ is indeed evaluating $\phi(x)$ (which is hidden in $\mathcal{C}$) on $s$.

The verifier knows $PP$ (public by default), $\mathcal{C}=g^{\phi(\alpha)}$, $s$, $\phi(s)$ and $\mathcal{C}_{\psi_s}=g^{\psi_s(\alpha)}$. Along with that, the verifier will make use of the pairing $e:\mathbb{G}\times\mathbb{G}\to\mathbb{G}_T$ that is bilinear and non-degenerate. Why? Imagine we had no pairing $e$, and the verifier attempted to verify the commitment $\mathcal{C}$:

\begin{align*}
\mathcal{C} &= g^{\phi(\alpha)}\\
&= g^{\psi_s(\alpha)\cdot(\alpha - s) + \phi(s)}\\
&= g^{\psi_s(\alpha)\cdot(\alpha - s)}\cdot g^{\phi(s)}\\
&= \mathcal{C}_{\psi_s}^{(\alpha - s)}\cdot g^{\phi(s)}
\end{align*}

This would precise the verifier knowing $\alpha$. But, since we have the pairing $e$, we can check if the following holds:

$$
e(\mathcal{C}, g) = e(\mathcal{C}_{\psi_s}, g^{\alpha - s})\cdot e(g^{\phi(s)}, g)
$$

Expanding on the above:

\begin{align*}
e(\mathcal{C}, g) &= e(g^{\phi(\alpha)}, g)\\
&= e(g, g)^{\phi(\alpha)}\\
&= e(g, g)^{\psi_s(\alpha)\cdot(\alpha - s) + \phi(s)}\\
&= e(g, g)^{\psi_s(\alpha)\cdot(\alpha - s)}\cdot e(g, g)^{\phi(s)}\\
&= e(g^{\psi_s(\alpha)}, g^{(\alpha - s)})\cdot e(g, g)^{\phi(s)}\\
&= e(\mathcal{C}_{\psi_s}, g^{\alpha - s})\cdot e(g, g)^{\phi(s)}\\
&= e(\mathcal{C}_{\psi_s}, g^{\alpha}\cdot g^{- s})\cdot e(g, g)^{\phi(s)}
\end{align*}

The nice property is that the verifier has all the information needed to compute this. In particular, $g^{\alpha}$ is given in the Public Parameters ($PP$) and $g^{- s}$ is easily computable.
