Comparison to other work

BCMS20 Appendix A.2

Appendix A.2 of BCMS20 describes a polynomial commitment scheme that is similar to the one described in BGH19 (BCMS20 being a generalization of the original Halo paper). Halo 2 builds on both of these works, and thus itself uses a polynomial commitment scheme that is very similar to the one in BCMS20.

The following table provides a mapping between the variable names in BCMS20, and the equivalent objects in Halo 2 (which builds on the nomenclature from the Halo paper):

BCMS20	Halo 2
$S$	$H$
$H$	$U$
$C$	`msm` or $P$
$α$	$ι$
$ξ_{0}$	$z$
$ξ_{i}$	`challenge_i`
$H^{'}$	$[z] U$
$\overset{p}{ˉ}$	`s_poly`
$\overset{ω}{ˉ}$	`s_poly_blind`
$\overset{ˉ}{C}$	`s_poly_commitment`
$h (X)$	$g (X)$
$U$	$G$
$ω^{'}$	`blind` / $ξ$
$c$	$a$
$c$	$a = a_{0}$
$v^{'}$	$ab$

Halo 2's polynomial commitment scheme differs from Appendix A.2 of BCMS20 in two ways:

Step 8 of the $Open$ algorithm computes a "non-hiding" commitment $C^{'}$ prior to the inner product argument, which opens to the same value as $C$ but is a commitment to a randomly-drawn polynomial. The remainder of the protocol involves no blinding. By contrast, in Halo 2 we blind every single commitment that we make (even for instance and fixed polynomials, though using a blinding factor of 1 for the fixed polynomials); this makes the protocol simpler to reason about. As a consequence of this, the verifier needs to handle the cumulative blinding factor at the end of the protocol, and so there is no need to derive an equivalent to $C^{'}$ at the start of the protocol.
- $C^{'}$ is also an input to the random oracle for $ξ_{0}$ ; in Halo 2 we utilize a transcript that has already committed to the equivalent components of $C^{'}$ prior to sampling $z$ .
The $PC_{DL} . SuccinctCheck$ subroutine (Figure 2 of BCMS20) computes the initial group element $C_{0}$ by adding $[v] H^{'} = [v ξ_{0}] H$ , which requires two scalar multiplications. Instead, we subtract $[v] G_{0}$ from the original commitment $P$ , so that we're effectively opening the polynomial at the point to the value zero. The computation $[v] G_{0}$ is more efficient in the context of recursion because $G_{0}$ is a fixed base (so we can use lookup tables).

The halo2 Book

Comparison to other work

BCMS20 Appendix A.2