diff --git a/README.md b/README.md index b029431..f12464b 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,7 @@ Documents used for this implementation: - [*Why and how zkSNARKs work*, by Maksym Petkus](https://arxiv.org/abs/1906.07221v1) -You can find more info on the logic behind the powers of tau computation & verification in these notes: http://arnaucube.com/blog/powersoftau.html +**You can find more info on the logic behind the powers of tau computation & verification in these notes: http://arnaucube.com/blog/powersoftau.html** ### Usage Get the binary from the [releases](https://github.com/arnaucube/eth-kzg-ceremony-alt/releases) (alternative you can compile it from source), and run: diff --git a/powersoftau.go b/powersoftau.go index b450cf4..e455904 100644 --- a/powersoftau.go +++ b/powersoftau.go @@ -231,9 +231,10 @@ func checkG2PointCorrectness(p *bls12381.PointG2) error { return nil } -// Verify checks the correct computation of the new SRS respectively from the -// previous SRS -func Verify(prevSRS, newSRS *SRS, proof *Proof) bool { +// VerifyNewSRSFromPrevSRS checks the correct computation of the new SRS +// respectively from the previous SRS. These are the checks that the Sequencer +// would do. +func VerifyNewSRSFromPrevSRS(prevSRS, newSRS *SRS, proof *Proof) bool { pairing := bls12381.NewEngine() // 1. check that elements of the newSRS are valid points @@ -282,3 +283,58 @@ func Verify(prevSRS, newSRS *SRS, proof *Proof) bool { return true } + +// VerifyState acts similarly to VerifyNewSRSFromPrevSRS, but verifying the +// given State (which can be obtained from the Sequencer) +func VerifyState(s *State) bool { + pairing := bls12381.NewEngine() + + for _, t := range s.Transcripts { + // 1. check that elements of the SRS are valid points + for i := 0; i < len(t.PowersOfTau.G1Powers); i++ { + if err := checkG1PointCorrectness(t.PowersOfTau.G1Powers[i]); err != nil { + return false + } + } + for i := 0; i < len(t.PowersOfTau.G2Powers); i++ { + if err := checkG2PointCorrectness(t.PowersOfTau.G2Powers[i]); err != nil { + return false + } + } + + // 2. check t.Witness.RunningProducts[last] == t.PowersOfTau.G1Powers[1] + if !g1.Equal(t.Witness.RunningProducts[len(t.Witness.RunningProducts)-1], + t.PowersOfTau.G1Powers[1]) { + return false + } + + // 3. check newSRS.G1s[1] (g₁^τ'), is correctly related to prevSRS.G1s[1] (g₁^τ) + // e([τ]₁, [p]₂) == e([τ']₁, [1]₂) + eL := pairing.AddPair(t.Witness.RunningProducts[len(t.Witness.RunningProducts)-2], t.Witness.PotPubKeys[len(t.Witness.PotPubKeys)-1]).Result() + eR := pairing.AddPair(t.Witness.RunningProducts[len(t.Witness.RunningProducts)-1], g2.One()).Result() + if !eL.Equal(eR) { + return false + } + + // 4. check newSRS following the powers of tau structure + for i := 0; i < len(t.PowersOfTau.G1Powers)-1; i++ { + // i) e([τ'ⁱ]₁, [τ']₂) == e([τ'ⁱ⁺¹]₁, [1]₂), for i ∈ [1, n−1] + eL := pairing.AddPair(t.PowersOfTau.G1Powers[i], t.PowersOfTau.G2Powers[1]).Result() + eR := pairing.AddPair(t.PowersOfTau.G1Powers[i+1], g2.One()).Result() + if !eL.Equal(eR) { + return false + } + } + + for i := 0; i < len(t.PowersOfTau.G2Powers)-1; i++ { + // ii) e([τ']₁, [τ'ʲ]₂) == e([1]₁, [τ'ʲ⁺¹]₂), for j ∈ [1, m−1] + eL := pairing.AddPair(t.PowersOfTau.G1Powers[1], t.PowersOfTau.G2Powers[i]).Result() + eR := pairing.AddPair(g1.One(), t.PowersOfTau.G2Powers[i+1]).Result() + if !eL.Equal(eR) { + return false + } + } + } + + return true +} diff --git a/powersoftau_test.go b/powersoftau_test.go index 1441cc5..b7ce803 100644 --- a/powersoftau_test.go +++ b/powersoftau_test.go @@ -17,12 +17,12 @@ func TestContribution(t *testing.T) { []byte("1111111111111111111111111111111111111111111111111111111111111111")) c.Assert(err, qt.IsNil) - c.Assert(Verify(srs_0, srs_1, proof_1), qt.IsTrue) + c.Assert(VerifyNewSRSFromPrevSRS(srs_0, srs_1, proof_1), qt.IsTrue) srs_2, proof_2, err := Contribute(srs_1, 0, []byte("2222222222222222222222222222222222222222222222222222222222222222")) c.Assert(err, qt.IsNil) - c.Assert(Verify(srs_1, srs_2, proof_2), qt.IsTrue) + c.Assert(VerifyNewSRSFromPrevSRS(srs_1, srs_2, proof_2), qt.IsTrue) } func TestComputeNewState(t *testing.T) {