|
|
package prover
import ( "crypto/rand" "math" "math/big" "runtime" "sync"
bn256 "github.com/ethereum/go-ethereum/crypto/bn256/cloudflare" "github.com/iden3/go-circom-prover-verifier/types" "github.com/iden3/go-iden3-crypto/utils" //"fmt"
)
// Proof is the data structure of the Groth16 zkSNARK proof
type Proof struct { A *bn256.G1 B *bn256.G2 C *bn256.G1}
// Pk holds the data structure of the ProvingKey
type Pk struct { A []*bn256.G1 B2 []*bn256.G2 B1 []*bn256.G1 C []*bn256.G1 NVars int NPublic int VkAlpha1 *bn256.G1 VkDelta1 *bn256.G1 VkBeta1 *bn256.G1 VkBeta2 *bn256.G2 VkDelta2 *bn256.G2 HExps []*bn256.G1 DomainSize int PolsA []map[int]*big.Int PolsB []map[int]*big.Int PolsC []map[int]*big.Int}
// Witness contains the witness
type Witness []*big.Int
// Group Size
const ( GSIZE = 6)
func randBigInt() (*big.Int, error) { maxbits := types.R.BitLen() b := make([]byte, (maxbits/8)-1) _, err := rand.Read(b) if err != nil { return nil, err } r := new(big.Int).SetBytes(b) rq := new(big.Int).Mod(r, types.R)
return rq, nil}
// GenerateProof generates the Groth16 zkSNARK proof
func GenerateProof(pk *types.Pk, w types.Witness) (*types.Proof, []*big.Int, error) { var proof types.Proof
r, err := randBigInt() if err != nil { return nil, nil, err } s, err := randBigInt() if err != nil { return nil, nil, err }
// BEGIN PAR
numcpu := runtime.NumCPU()
proofA := arrayOfZeroesG1(numcpu) proofB := arrayOfZeroesG2(numcpu) proofC := arrayOfZeroesG1(numcpu) proofBG1 := arrayOfZeroesG1(numcpu) gsize := GSIZE var wg1 sync.WaitGroup wg1.Add(numcpu) for _cpu, _ranges := range ranges(pk.NVars, numcpu) { // split 1
go func(cpu int, ranges [2]int) { proofA[cpu] = scalarMultNoDoubleG1(pk.A[ranges[0]:ranges[1]], w[ranges[0]:ranges[1]], proofA[cpu], gsize) proofB[cpu] = scalarMultNoDoubleG2(pk.B2[ranges[0]:ranges[1]], w[ranges[0]:ranges[1]], proofB[cpu], gsize) proofBG1[cpu] = scalarMultNoDoubleG1(pk.B1[ranges[0]:ranges[1]], w[ranges[0]:ranges[1]], proofBG1[cpu], gsize) minLim := pk.NPublic + 1 if ranges[0] > pk.NPublic+1 { minLim = ranges[0] } if ranges[1] > pk.NPublic+1 { proofC[cpu] = scalarMultNoDoubleG1(pk.C[minLim:ranges[1]], w[minLim:ranges[1]], proofC[cpu], gsize) } wg1.Done() }(_cpu, _ranges) } wg1.Wait() // join 1
for cpu := 1; cpu < numcpu; cpu++ { proofA[0].Add(proofA[0], proofA[cpu]) proofB[0].Add(proofB[0], proofB[cpu]) proofC[0].Add(proofC[0], proofC[cpu]) proofBG1[0].Add(proofBG1[0], proofBG1[cpu]) } proof.A = proofA[0] proof.B = proofB[0] proof.C = proofC[0] // END PAR
h := calculateH(pk, w)
proof.A.Add(proof.A, pk.VkAlpha1) proof.A.Add(proof.A, new(bn256.G1).ScalarMult(pk.VkDelta1, r))
proof.B.Add(proof.B, pk.VkBeta2) proof.B.Add(proof.B, new(bn256.G2).ScalarMult(pk.VkDelta2, s))
proofBG1[0].Add(proofBG1[0], pk.VkBeta1) proofBG1[0].Add(proofBG1[0], new(bn256.G1).ScalarMult(pk.VkDelta1, s))
proofC = arrayOfZeroesG1(numcpu) var wg2 sync.WaitGroup wg2.Add(numcpu) for _cpu, _ranges := range ranges(len(h), numcpu) { // split 2
go func(cpu int, ranges [2]int) { proofC[cpu] = scalarMultNoDoubleG1(pk.HExps[ranges[0]:ranges[1]], h[ranges[0]:ranges[1]], proofC[cpu], gsize) wg2.Done() }(_cpu, _ranges) } wg2.Wait() // join 2
for cpu := 1; cpu < numcpu; cpu++ { proofC[0].Add(proofC[0], proofC[cpu]) } proof.C.Add(proof.C, proofC[0])
proof.C.Add(proof.C, new(bn256.G1).ScalarMult(proof.A, s)) proof.C.Add(proof.C, new(bn256.G1).ScalarMult(proofBG1[0], r)) rsneg := new(big.Int).Mod(new(big.Int).Neg(new(big.Int).Mul(r, s)), types.R) proof.C.Add(proof.C, new(bn256.G1).ScalarMult(pk.VkDelta1, rsneg))
pubSignals := w[1 : pk.NPublic+1]
return &proof, pubSignals, nil}
func calculateH(pk *types.Pk, w types.Witness) []*big.Int { m := pk.DomainSize polAT := arrayOfZeroes(m) polBT := arrayOfZeroes(m)
numcpu := runtime.NumCPU()
var wg1 sync.WaitGroup wg1.Add(2) go func() { for i := 0; i < pk.NVars; i++ { for j := range pk.PolsA[i] { polAT[j] = fAdd(polAT[j], fMul(w[i], pk.PolsA[i][j])) } } wg1.Done() }() go func() { for i := 0; i < pk.NVars; i++ { for j := range pk.PolsB[i] { polBT[j] = fAdd(polBT[j], fMul(w[i], pk.PolsB[i][j])) } } wg1.Done() }() wg1.Wait() polATe := utils.BigIntArrayToElementArray(polAT) polBTe := utils.BigIntArrayToElementArray(polBT)
polASe := ifft(polATe) polBSe := ifft(polBTe)
r := int(math.Log2(float64(m))) + 1 roots := newRootsT() roots.setRoots(r)
var wg2 sync.WaitGroup wg2.Add(numcpu) for _cpu, _ranges := range ranges(len(polASe), numcpu) { go func(cpu int, ranges [2]int) { for i := ranges[0]; i < ranges[1]; i++ { polASe[i].Mul(polASe[i], roots.roots[r][i]) polBSe[i].Mul(polBSe[i], roots.roots[r][i]) } wg2.Done() }(_cpu, _ranges) } wg2.Wait()
polATodd := fft(polASe) polBTodd := fft(polBSe)
polABT := arrayOfZeroesE(len(polASe) * 2) var wg3 sync.WaitGroup wg3.Add(numcpu) for _cpu, _ranges := range ranges(len(polASe), numcpu) { go func(cpu int, ranges [2]int) { for i := ranges[0]; i < ranges[1]; i++ { polABT[2*i].Mul(polATe[i], polBTe[i]) polABT[2*i+1].Mul(polATodd[i], polBTodd[i]) } wg3.Done() }(_cpu, _ranges) } wg3.Wait()
hSeFull := ifft(polABT)
hSe := hSeFull[m:] return utils.ElementArrayToBigIntArray(hSe)}
func ranges(n, parts int) [][2]int { s := make([][2]int, parts) p := float64(n) / float64(parts) for i := 0; i < parts; i++ { a, b := int(float64(i)*p), int(float64(i+1)*p) s[i] = [2]int{a, b} } return s}
|
