Definition
A polynomial commitment scheme lets a prover publish a short commitment to a polynomial, then later prove the polynomial's value at any requested point without revealing the polynomial itself. The verifier checks the evaluation proof against the commitment alone. This deceptively simple capability is the central building block of nearly every modern succinct zero-knowledge proof system, because most computations can be encoded as claims about polynomial evaluations.
The three core operations
Every such scheme provides a commit step that produces a binding, usually constant-size commitment; an open or prove step that generates an evaluation proof for a chosen point; and a verify step that confirms the claimed value is consistent with the commitment. Security rests on binding, meaning the prover cannot later equivocate about which polynomial was committed.
The major families
Schemes differ chiefly in their setup and cryptographic assumptions. Pairing-based commitments achieve tiny constant-size proofs but require a trusted setup. Hash-based and Reed-Solomon constructions need no trusted setup and resist quantum attack, at the cost of larger proofs. Inner-product constructions sit in between, offering logarithmic proofs without a setup. The choice of scheme largely determines a proof system's proof size, verification cost, and trust assumptions.
The dominant pairing-based instance is the KZG polynomial commitment, while the transparent, hash-based route is built on FRI.
In Simple Terms
A polynomial commitment scheme lets a prover publish a short commitment to a polynomial, then later prove the polynomial’s value at any requested point without…