You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

177 lines
4.4 KiB

  1. package prover
  2. import (
  3. "crypto/rand"
  4. "math"
  5. "math/big"
  6. "sync"
  7. bn256 "github.com/ethereum/go-ethereum/crypto/bn256/cloudflare"
  8. "github.com/iden3/go-circom-prover-verifier/types"
  9. "github.com/iden3/go-iden3-crypto/ff"
  10. "github.com/iden3/go-iden3-crypto/utils"
  11. )
  12. // Proof is the data structure of the Groth16 zkSNARK proof
  13. type Proof struct {
  14. A *bn256.G1
  15. B *bn256.G2
  16. C *bn256.G1
  17. }
  18. // Pk holds the data structure of the ProvingKey
  19. type Pk struct {
  20. A []*bn256.G1
  21. B2 []*bn256.G2
  22. B1 []*bn256.G1
  23. C []*bn256.G1
  24. NVars int
  25. NPublic int
  26. VkAlpha1 *bn256.G1
  27. VkDelta1 *bn256.G1
  28. VkBeta1 *bn256.G1
  29. VkBeta2 *bn256.G2
  30. VkDelta2 *bn256.G2
  31. HExps []*bn256.G1
  32. DomainSize int
  33. PolsA []map[int]*big.Int
  34. PolsB []map[int]*big.Int
  35. PolsC []map[int]*big.Int
  36. }
  37. // Witness contains the witness
  38. type Witness []*big.Int
  39. func randBigInt() (*big.Int, error) {
  40. maxbits := types.R.BitLen()
  41. b := make([]byte, (maxbits/8)-1)
  42. _, err := rand.Read(b)
  43. if err != nil {
  44. return nil, err
  45. }
  46. r := new(big.Int).SetBytes(b)
  47. rq := new(big.Int).Mod(r, types.R)
  48. return rq, nil
  49. }
  50. // GenerateProof generates the Groth16 zkSNARK proof
  51. func GenerateProof(pk *types.Pk, w types.Witness) (*types.Proof, []*big.Int, error) {
  52. var proof types.Proof
  53. r, err := randBigInt()
  54. if err != nil {
  55. return nil, nil, err
  56. }
  57. s, err := randBigInt()
  58. if err != nil {
  59. return nil, nil, err
  60. }
  61. proof.A = new(bn256.G1).ScalarBaseMult(big.NewInt(0))
  62. proof.B = new(bn256.G2).ScalarBaseMult(big.NewInt(0))
  63. proof.C = new(bn256.G1).ScalarBaseMult(big.NewInt(0))
  64. proofBG1 := new(bn256.G1).ScalarBaseMult(big.NewInt(0))
  65. var wg sync.WaitGroup
  66. wg.Add(4)
  67. go func() {
  68. for i := 0; i < pk.NVars; i++ {
  69. proof.A = new(bn256.G1).Add(proof.A, new(bn256.G1).ScalarMult(pk.A[i], w[i]))
  70. }
  71. wg.Done()
  72. }()
  73. go func() {
  74. for i := 0; i < pk.NVars; i++ {
  75. proof.B = new(bn256.G2).Add(proof.B, new(bn256.G2).ScalarMult(pk.B2[i], w[i]))
  76. }
  77. wg.Done()
  78. }()
  79. go func() {
  80. for i := 0; i < pk.NVars; i++ {
  81. proofBG1 = new(bn256.G1).Add(proofBG1, new(bn256.G1).ScalarMult(pk.B1[i], w[i]))
  82. }
  83. wg.Done()
  84. }()
  85. go func() {
  86. for i := pk.NPublic + 1; i < pk.NVars; i++ {
  87. proof.C = new(bn256.G1).Add(proof.C, new(bn256.G1).ScalarMult(pk.C[i], w[i]))
  88. }
  89. wg.Done()
  90. }()
  91. wg.Wait()
  92. h := calculateH(pk, w)
  93. var wg2 sync.WaitGroup
  94. wg2.Add(2)
  95. go func() {
  96. proof.A = new(bn256.G1).Add(proof.A, pk.VkAlpha1)
  97. proof.A = new(bn256.G1).Add(proof.A, new(bn256.G1).ScalarMult(pk.VkDelta1, r))
  98. proof.B = new(bn256.G2).Add(proof.B, pk.VkBeta2)
  99. proof.B = new(bn256.G2).Add(proof.B, new(bn256.G2).ScalarMult(pk.VkDelta2, s))
  100. proofBG1 = new(bn256.G1).Add(proofBG1, pk.VkBeta1)
  101. proofBG1 = new(bn256.G1).Add(proofBG1, new(bn256.G1).ScalarMult(pk.VkDelta1, s))
  102. wg2.Done()
  103. }()
  104. go func() {
  105. for i := 0; i < len(h); i++ {
  106. proof.C = new(bn256.G1).Add(proof.C, new(bn256.G1).ScalarMult(pk.HExps[i], h[i]))
  107. }
  108. wg2.Done()
  109. }()
  110. wg2.Wait()
  111. proof.C = new(bn256.G1).Add(proof.C, new(bn256.G1).ScalarMult(proof.A, s))
  112. proof.C = new(bn256.G1).Add(proof.C, new(bn256.G1).ScalarMult(proofBG1, r))
  113. rsneg := new(big.Int).Mod(new(big.Int).Neg(new(big.Int).Mul(r, s)), types.R) // fAdd & fMul
  114. proof.C = new(bn256.G1).Add(proof.C, new(bn256.G1).ScalarMult(pk.VkDelta1, rsneg))
  115. pubSignals := w[1 : pk.NPublic+1]
  116. return &proof, pubSignals, nil
  117. }
  118. func calculateH(pk *types.Pk, w types.Witness) []*big.Int {
  119. m := pk.DomainSize
  120. polAT := arrayOfZeroes(m)
  121. polBT := arrayOfZeroes(m)
  122. for i := 0; i < pk.NVars; i++ {
  123. for j := range pk.PolsA[i] {
  124. polAT[j] = fAdd(polAT[j], fMul(w[i], pk.PolsA[i][j]))
  125. }
  126. for j := range pk.PolsB[i] {
  127. polBT[j] = fAdd(polBT[j], fMul(w[i], pk.PolsB[i][j]))
  128. }
  129. }
  130. polATe := utils.BigIntArrayToElementArray(polAT)
  131. polBTe := utils.BigIntArrayToElementArray(polBT)
  132. polASe := ifft(polATe)
  133. polBSe := ifft(polBTe)
  134. r := int(math.Log2(float64(m))) + 1
  135. roots := newRootsT()
  136. roots.setRoots(r)
  137. for i := 0; i < len(polASe); i++ {
  138. polASe[i] = ff.NewElement().Mul(polASe[i], roots.roots[r][i])
  139. polBSe[i] = ff.NewElement().Mul(polBSe[i], roots.roots[r][i])
  140. }
  141. polATodd := fft(polASe)
  142. polBTodd := fft(polBSe)
  143. polABT := arrayOfZeroesE(len(polASe) * 2)
  144. for i := 0; i < len(polASe); i++ {
  145. polABT[2*i] = ff.NewElement().Mul(polATe[i], polBTe[i])
  146. polABT[2*i+1] = ff.NewElement().Mul(polATodd[i], polBTodd[i])
  147. }
  148. hSeFull := ifft(polABT)
  149. hSe := hSeFull[m:]
  150. return utils.ElementArrayToBigIntArray(hSe)
  151. }