International Association for Cryptologic Research (IACR)
Abstract
We present a variant of the Kate, Zaverucha and Goldberg polynomial commitment scheme [KZG] where d polynomials can be opened at a point that is a d\u27th power, such that the amount of verifier group operations does not depend on d.
Our method works by reducing opening multiple polynomials at a single point x, to opening a single polynomial at many points via an ``FFT-like identity\u27\u27.
As an application we present a version of the PlonK zk-SNARK[GWC] with significantly improved verifier performance, at the cost roughly tripling the prover time. Specifically, in addition to the two pairings, the verifier only performs five scalar multiplications, rather than 16 or 18 as in the versions presented in [GWC]
