Score:3

Use of the term "Commitment"


As an amateur, my first encounter with commitments was in the form of a hash of the committed value; then I learnt about seeding the hash as a blinding technique. Going on, I discovered how useful the structure induced by Pedersen or El-Gamal commitments is, and the binding/hiding flavours. All of this is to explain my current background.

Recently I have had a bird's-eye view of KZG commitments; I have read that Bulletproofs is an Inner-Product-Argument commitment, and that FRI-based commitments use hashes.

So I'm a bit confused by the usage of the term "commitments". The commit to secret data seems to be the recurring common step, but the revealing phase is, IMHO, really variegated:

  • in seeded hashes and Pedersen/El-Gamal it is a go/no-go choice (the prover can prove its honesty just by revealing the data);
  • a KZG verifier can discover whether the prover is honest just by challenging it with a single point (so at most marginally affecting the data secrecy);
  • Bulletproofs proves range membership of data without revealing it;
  • FRI: I don't know yet, but I guess it also has some "magic" beyond data revealing via opening.

So KZG, IPA and FRI as commitments seem very different from, and more powerful than, the previous ones (not to mention they seem to require an "active" verifier in the revealing step)... so why the same name? Is it really just because of the common initial commit to secret data, or is there something deeper?


FOLLOW UP

The comments by @knaccc have been illuminating, and I have got a later confirmation of our conclusion here: https://scroll.io/blog/kzg

[...] Now, with polynomial commitment schemes, the committer commits to a polynomial ϕ, rather than some arbitrary message m. Polynomial commitment schemes satisfy the above-mentioned properties of normal commitment schemes, and also achieve an additional property: the committer should be able to “open” certain evaluations of the committed polynomial without revealing the entire thing. [...]

knaccc:
My understanding is that IPAs are arguments about Pedersen Commitment Vectors, which are Pedersen Commitments which commit to multiple values in the same commitment via multiple generator points. Therefore, an IPA is not a commitment itself. Please let me know if you have a reference to a source that suggests otherwise.
baro77:
thanks @knaccc : https://twitter.com/benediktbuenz/status/1582510719341187072?s=61&t=x4HfIoIqM8lRlvn7gW0ldw ...anyway, if IPA as commitment is controversial, it seems to me that Kate Commitment is mainstream
knaccc:
I'm not an expert on Bulletproofs, and Bünz definitely is. But, I think he means the types of vector commitments that IPAs work on, rather than that he's inferring that an IPA itself is a commitment. I'd therefore describe a Bulletproof as an IPA on vector commitments. I could be wrong. I've been meaning to find a day or two to read through and understand this: https://github.com/AdamISZ/from0k2bp/blob/master/from0k2bp.pdf which explains how Bulletproofs work.
baro77:
@knaccc I have already begun to read the AdamISZ reference to make an infographic about Bulletproofs (but I'll definitely need more than 2 days :D ), and I confirm that his point of view is yours: beginning with Pedersen, generalizing to vectors, and going on from there playing with the inner product
knaccc:
Btw you might also find this useful: https://doc-internal.dalek.rs/bulletproofs/index.html
baro77:
thanks, once understood I'll try to distill concepts from formal algebra, something following this family-style: https://www.bybaro.it/tss. Apart from that, I'm going to wait some ideas about my question, net of IPAs
knaccc:
Another thought: I'm not sure why you consider KZG Commitments to be in a separate category from Pedersen Commitments. With PCs, you can prove something about the value committed to, such as whether it is a commitment to the same value as another PC (without revealing the value), or whether it's within a certain range (without revealing the value). With KZGCs, you can prove whether a certain point is on the polynomial curve that has been committed to (without revealing the curve). Either way, something is being committed to, and a certain property of the thing being committed to can be proven.
baro77:
maybe you are right, it was 'cause I felt KZG was so much more powerful in the opening phase, being capable of a sound opening of just a part (the point(s)) of the whole committed polynomial... but maybe it can be seen as a consequence of the technique's power and the polynomial's additional structure (like PC is more powerful than hashes thanks to its EC algebra)
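
The distinction the thread converges on, as an added example (not code from any of the posters or the linked references): a salted hash can only be opened by revealing the message, while a Pedersen commitment offers the same commit/open interface plus algebraic structure, shown here as an additive homomorphism and a Schnorr proof that two commitments hide the same value. The group parameters `P`, `Q`, `G`, `H` are constructed toy values, far too small to be hiding or binding in practice.

```python
import hashlib
import secrets

# Constructed toy Schnorr group, far too small for real use: P = 2Q + 1, and
# G, H are squares mod P, so each generates the subgroup of prime order Q.
P, Q, G, H = 2039, 1019, 4, 9

def hash_commit(msg: bytes):
    """Salted-hash commitment; the only way to open is to reveal (msg, salt)."""
    salt = secrets.token_bytes(32)
    return hashlib.sha256(salt + msg).digest(), salt

def hash_open(c: bytes, msg: bytes, salt: bytes) -> bool:
    return hashlib.sha256(salt + msg).digest() == c

def pedersen_commit(v: int):
    """Pedersen commitment C = G^v * H^r mod P with fresh blinding factor r."""
    r = secrets.randbelow(Q)
    return pow(G, v % Q, P) * pow(H, r, P) % P, r

def pedersen_open(c: int, v: int, r: int) -> bool:
    return c == pow(G, v % Q, P) * pow(H, r % Q, P) % P

def _challenge(*ints: int) -> int:
    # Fiat-Shamir challenge derived from the statement and the prover's nonce.
    data = "|".join(map(str, ints)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove_same_value(c1: int, r1: int, c2: int, r2: int):
    """Schnorr proof of knowing x = r1 - r2 such that c1/c2 = H^x."""
    k = secrets.randbelow(Q)
    t = pow(H, k, P)
    s = (k + _challenge(c1, c2, t) * (r1 - r2)) % Q
    return t, s

def verify_same_value(c1: int, c2: int, proof) -> bool:
    """Checks H^s == t * (c1/c2)^e; neither value nor blinding is revealed."""
    t, s = proof
    d = c1 * pow(c2, -1, P) % P
    return pow(H, s, P) == t * pow(d, _challenge(c1, c2, t), P) % P

if __name__ == "__main__":
    c, salt = hash_commit(b"42")
    print("hash opens:", hash_open(c, b"42", salt))
    (c1, r1), (c2, r2) = pedersen_commit(42), pedersen_commit(42)
    print("full opening:", pedersen_open(c1, 42, r1))
    print("product opens to the sum 84:", pedersen_open(c1 * c2 % P, 84, r1 + r2))
    print("same value, nothing revealed:",
          verify_same_value(c1, c2, prove_same_value(c1, r1, c2, r2)))
```

A polynomial commitment such as KZG keeps this interface and adds openings of single evaluations; it needs a pairing-friendly curve and is not shown here.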