KZG polynomial commitment scheme

Our goal is to leverage pairings to help provers to commit to a polynomial $f(x)$ before receiving the challenge $\gamma$ and for the verifier to have (cryptographic) certainty that the evaluation $f(\gamma )$ was done on this same commited polynomial, ruling out adaptive attacks. There are several answers in the literature to solve this exact problem, one prominent one is the KZG commitment scheme. We can illustrate the protocol with the following sequence diagram.

Exercise 7 For this protocol to work, we need a trusted setup based on a uniformly random (and secret) toxic waste τ. This is called toxic waste since it must be deleted after some setup values have been computed with it in order for the protocol to be secure. We also need to declare a public maximum polynomial degree $l$. Since we will later commit to multiplication of low degree polynomials, let us pick $l=10$.

With example $\tau =424242$, compute two public parameters: a vector

$$S_1=[P,\tau \cdot P,{\tau }^2\cdot P,\cdots ,{\tau }^l\cdot P]$$

where $P$ is the generator of ${\mathbb{G}}_1$ and a value

$$S_2=\tau \cdot Q$$

where $Q$ is the generator of the group ${\mathbb{G}}_2$.

#Solve here!
τ = 424242
l=10
S1=
S2=

If computed correctly you should get:

$$\begin{array}{rl}{S}_1=[& (1:2:1),\\ & (3388106087484702502772161951837520865682365219266094058038991331506090320735:10310862820936104897688292475187545406556140958479334534497508049176340462168:1),\\ & (5786299459695789788261684662131390109566181344091061986154006773045920884529:18198083969462810098554436542449595852850793038741994323649111219383738839374:1),\\ & (5932386722799341949736906223819928737327798404444018663115122905353930163217:17316789122660091087982740003020863959605853926224865905583913597777031548221:1),\\ & (14603143723753528702641274659350642057392810682423113693594196367092666272615:17734357240639322091230265203514580412414342326449923671483947891721675198742:1),\\ & (1485870938289488242176031429247482114928668541241910486620153058173498550422:8975504733770431670587733015492501696212039808343155103983507429794936273090:1),\\ & (35087711382470900519387874116184362249603265567233267930080986182721755391:9687295787051875541592859447450503637855174457649076441192556983747473888473:1),\\ & (21100087779353388367643433264506322944085867030119306347233967681812330825611:17068231115940713163151138839050846284784298672314356795840059410045954257490:1),\\ & (10641104735982477671491147382199353108251699282959504595440637553392719424596:3033897669229592557681916129851961240665115699542840722127903032620063452401:1),\\ & (12461517031230393262909098092888598630825065680164551109453025306556394017248:11406184524960241674372900569663181593279300027508257400554857135388045542548:1),\\ & (2310703006113265329769149621286389443406062880925858119855767049953176497692:20254007398902051444166009223523085479917136359422165955249757385592434525697:1)]\end{array}$$

and:

$$\begin{array}{rl}{S}_2=(& (18178798121214140434976027337622332703345638858169149597321922257824015358086\overline{u}+\\ & 17892288729126503148648989889095246645011224085306750203724686651395006961383){\overline{w}}^2:\\ & (15251007341879318938631029793693405432107362852215428951388705343135014132495\overline{u}+\\ & 11565079700697045165214936027269859661189920603201791930010463312628382919842){\overline{w}}^3:\\ & 1)\end{array}$$