Open lopeetall opened 2 years ago
It would be nice to have a function that applies n-levels of blinding so that we can just figure out the correct n for the PolynomialCommitment scheme we're using and call this function.
Also would be good to have a test for each kind of PolynomialCommitment that attempts to break ZK. A comprehensive test that catches any ZK bug may not be possible (?) but it should be possible to write a naive test that can catch insufficient blinding levels at least.
In this PR we used the method from this post from Daniel Lubarov https://mirprotocol.org/blog/Adding-zero-knowledge-to-Plonk-Halo to update our blinding method to one that does not increase the degree of polynomials.
This method is sound, but the post was written for Halo2-style polynomial commitments which are hiding by nature, meaning they need one less blinding factor than commitments which are not hiding, like KZG. I checked with Daniel Lubarov who confirmed this.
Blinders for KZG commitments need to be incremented by 1. This amounts to adding 1 more row of blinding factors to the wire polynomials, and 1 more pair of rows of blinding factors to the permutation polynomial.
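
A naive blinding-level test of the kind asked for above, as an added example rather than code from this repository. It uses a toy field F_17 with a 4-row column and models a non-hiding (KZG-style) commitment as one extra leaked evaluation, which is an assumption of this model; the names `eval`, `leak_distribution`, `is_blinded` and the points 2, 3, 5 are hypothetical.

```rust
const P: u64 = 17; // toy prime field, constructed for this example
const H: [u64; 4] = [1, 4, 16, 13]; // order-4 subgroup of F_17^*, one row each
fn pow(mut b: u64, mut e: u64) -> u64 {
    let mut r = 1;
    while e > 0 {
        if e & 1 == 1 { r = r * b % P; }
        b = b * b % P;
        e >>= 1;
    }
    r
}

/// Evaluate at x the degree-<4 polynomial whose values on H are `rows` (Lagrange).
fn eval(rows: &[u64; 4], x: u64) -> u64 {
    let mut acc = 0;
    for i in 0..4 {
        let (mut num, mut den) = (1, 1);
        for j in 0..4 {
            if j != i {
                num = num * ((x + P - H[j]) % P) % P;
                den = den * ((H[i] + P - H[j]) % P) % P;
            }
        }
        acc = (acc + rows[i] * num % P * pow(den, P - 2)) % P; // den^-1 by Fermat
    }
    acc
}

/// Histogram of the leaked evaluations over every choice of the last `n` blinding rows.
fn leak_distribution(witness: &[u64], n: usize, leaks: &[u64]) -> Vec<u64> {
    let mut hist = vec![0u64; P.pow(leaks.len() as u32) as usize];
    for mut code in 0..P.pow(n as u32) {
        let mut rows = [0u64; 4];
        rows[..4 - n].copy_from_slice(witness);
        for r in rows[4 - n..].iter_mut() { *r = code % P; code /= P; }
        let idx = leaks.iter().fold(0, |a, &z| a * P + eval(&rows, z));
        hist[idx as usize] += 1;
    }
    hist
}

/// Naive ZK check: the leak distribution must be identical for two different witnesses.
/// Assumption: a non-hiding commitment is passed in as one extra point in `leaks`.
fn is_blinded(n: usize, leaks: &[u64]) -> bool {
    let (w0, w1) = (vec![0u64; 4 - n], vec![1u64; 4 - n]);
    leak_distribution(&w0, n, leaks) == leak_distribution(&w1, n, leaks)
}
fn main() {
    println!("n=1: hiding {}, non-hiding {}", is_blinded(1, &[2]), is_blinded(1, &[2, 3]));
}
```

With one opening, one blinding row passes for the hiding model and fails once the commitment itself counts as a leak; raising `n` by 1 makes it pass again.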