Skip to main content

Dory Polynomial Commitment Scheme

Dory is the multilinear polynomial commitment scheme used in Jolt to commit to witness polynomials and generate opening proofs. It provides succinct commitments with efficient proving and verification.

Overview

Dory is a polynomial commitment scheme (PCS) specifically designed for multilinear polynomials. In the Jolt architecture, it serves as the primary commitment mechanism for all witness data.

Key Properties

  • Multilinear polynomials: Dory commits to polynomials that are linear in each variable
  • Succinct commitments: Commitment size is independent of polynomial degree
  • Batch openings: Efficiently proves multiple polynomial evaluations simultaneously
  • Transparent setup: Does not require a trusted setup ceremony

Role in Jolt

Dory is used throughout the Jolt prover pipeline:

Committed Witness Polynomials

The following polynomials are committed using Dory:
  • RdInc: Register destination increment tracking
  • RamInc: RAM increment tracking
  • InstructionRa(d): Instruction lookup one-hot read-after polynomials
  • BytecodeRa(d): Bytecode one-hot read-after polynomials
  • RamRa(d): RAM one-hot read-after polynomials
  • TrustedAdvice: Trusted auxiliary witness data
  • UntrustedAdvice: Untrusted auxiliary witness data

Type Parameters

Dory appears throughout the Jolt codebase via the generic type parameter pattern: 
F: JoltField                          // BN254 scalar field
PCS: CommitmentScheme<Field = F>      // DoryCommitmentScheme
ProofTranscript: Transcript           // Fiat-Shamir transcript

Prover Pipeline Integration

Dory commitments are generated in stages during proving:

Stage 2: Streaming Commitment

  1. Tier-1 chunks: Large witness polynomials are split into chunks
  2. Tier-2 aggregation: Chunk commitments are aggregated hierarchically
  3. Final commitments: Root commitments are included in the proof
This streaming approach allows Jolt to handle large execution traces without loading entire polynomials into memory.

Stage 6: Opening Proofs

At the end of the sumcheck protocol, the prover must open committed polynomials at evaluation points determined by the verifier’s challenges. Dory provides:
  • Batched opening proofs: Multiple polynomial openings are aggregated into a single proof
  • Opening accumulator: ProverOpeningAccumulator collects all opening claims throughout the protocol
  • Opening proof generation: Batched Dory opening proof proves all evaluations simultaneously

Zero-Knowledge Mode

When Jolt is compiled with the zk feature flag, Dory supports zero-knowledge openings:
  • Standard mode: Opening proof reveals the evaluation y = P(r)
  • ZK mode: Opening proof includes a commitment y_com to the evaluation, and proves correctness of the committed value without revealing y itself
This is implemented in poly/commitment/dory/commitment_scheme.rs with the bind_opening_inputs_zk method.

Implementation Location

The Dory implementation is located in jolt-core/poly/commitment/dory/:
  • commitment_scheme.rs: Main DoryCommitmentScheme implementation
  • opening_proofs.rs: Batched opening proof generation and verification
  • structure.rs: Dory polynomial commitment structure and parameters

Performance Characteristics

Dory’s performance is crucial to Jolt’s overall efficiency:
  • Commitment time: Dominated by multi-scalar multiplications (MSMs)
  • Opening proof time: Proportional to the number of evaluation points
  • Memory usage: Streaming commitment reduces peak memory by avoiding full polynomial materialization

Multi-Scalar Multiplication

Dory relies heavily on efficient MSM implementations in jolt-core/msm/. The MSM performance directly impacts commitment generation time.

Comparison to Other PCS

Jolt also includes an implementation of HyperKZG for comparison, but Dory is the default choice due to:
  • Better asymptotic complexity for batch openings
  • No trusted setup requirement
  • Efficient handling of large multilinear polynomials via streaming

Academic References

Dory is based on the following research: Dory: Efficient, Transparent arguments for Generalised Inner Products and Polynomial Commitments
Jonathan Lee, et al. The Jolt paper also discusses how Dory integrates with the lookup singularity approach: Jolt: SNARKs for Virtual Machines via Lookups
Arasu Arun, Srinath Setty, Justin Thaler Unlocking the lookup singularity with Lasso
Srinath Setty, Justin Thaler, Riad Wahby

Build docs developers (and LLMs) love

Get started for freeTalk to us