arnaucube
/
go-snark-study
mirror of https://github.com/arnaucube/go-snark-study.git
1
1
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
37 Commits
1 Branch
4 Tags
109 MiB
Tree: 1bf5a75f01
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '1bf5a75f01'
${ noResults }
go-snark-study/proof/groth16.go

281 lines
8.8 KiB
Raw Normal View History

add Groth16 setup calculation
5 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
add Groth16 setup calculation
5 years ago
add Groth16 proof generation & verification
5 years ago
add Groth16 setup calculation
5 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
add Groth16 setup calculation
5 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
add Groth16 setup calculation
5 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
add Groth16 setup calculation
5 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
add Groth16 setup calculation
5 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
add Groth16 setup calculation
5 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
add Groth16 setup calculation
5 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
add Groth16 setup calculation
5 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
add Groth16 setup calculation
5 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
add Groth16 setup calculation
5 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
add Groth16 setup calculation
5 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
add Groth16 setup calculation
5 years ago
add Groth16 proof generation & verification
5 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
add Groth16 proof generation & verification
5 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
add Groth16 proof generation & verification
5 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
add Groth16 proof generation & verification
5 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
add Groth16 proof generation & verification
5 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
add Groth16 proof generation & verification
5 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
add Groth16 proof generation & verification
5 years ago
  1. // implementation of https://eprint.iacr.org/2016/260.pdf
  3. package proof
  5. import (
  6. "fmt"
  7. "math/big"
  9. "github.com/arnaucube/go-snark/circuit"
  10. )
  12. // Groth16Setup is the data structure holding the Trusted Groth16Setup data.
  13. type Groth16Setup struct {
  14. Toxic struct {
  15. T *big.Int // trusted setup secret
  16. Kalpha *big.Int
  17. Kbeta *big.Int
  18. Kgamma *big.Int
  19. Kdelta *big.Int
  20. }
  22. // public
  23. Pk struct { // Proving Key
  24. BACDelta [][3]*big.Int // {( βui(x)+αvi(x)+wi(x) ) / γ } from 0 to l
  25. Z []*big.Int
  26. G1 struct {
  27. Alpha [3]*big.Int
  28. Beta [3]*big.Int
  29. Delta [3]*big.Int
  30. At [][3]*big.Int // {a(τ)} from 0 to m
  31. BACGamma [][3]*big.Int // {( βui(x)+αvi(x)+wi(x) ) / δ } from l+1 to m
  32. }
  33. G2 struct {
  34. Beta [3][2]*big.Int
  35. Gamma [3][2]*big.Int
  36. Delta [3][2]*big.Int
  37. BACGamma [][3][2]*big.Int // {( βui(x)+αvi(x)+wi(x) ) / δ } from l+1 to m
  38. }
  39. PowersTauDelta [][3]*big.Int // powers of τ encrypted in G1 curve, divided by δ
  40. }
  41. Vk struct {
  42. IC [][3]*big.Int
  43. G1 struct {
  44. Alpha [3]*big.Int
  45. }
  46. G2 struct {
  47. Beta [3][2]*big.Int
  48. Gamma [3][2]*big.Int
  49. Delta [3][2]*big.Int
  50. }
  51. }
  52. }
  54. // Groth16Proof contains the parameters to proof the zkSNARK
  55. type Groth16Proof struct {
  56. PiA [3]*big.Int
  57. PiB [3][2]*big.Int
  58. PiC [3]*big.Int
  59. }
  61. // Z is ...
  62. func (setup *Groth16Setup) Z() []*big.Int {
  63. return setup.Pk.Z
  64. }
  66. // Init generates the Trusted Setup from a compiled Circuit. The Setup.Toxic sub data structure must be destroyed
  67. func (setup *Groth16Setup) Init(witnessLength int, circuit circuit.Circuit, alphas, betas, gammas [][]*big.Int) error {
  68. var err error
  70. // generate random t value
  71. setup.Toxic.T, err = Utils.FqR.Rand()
  72. if err != nil {
  73. return err
  74. }
  76. setup.Toxic.Kalpha, err = Utils.FqR.Rand()
  77. if err != nil {
  78. return err
  79. }
  80. setup.Toxic.Kbeta, err = Utils.FqR.Rand()
  81. if err != nil {
  82. return err
  83. }
  84. setup.Toxic.Kgamma, err = Utils.FqR.Rand()
  85. if err != nil {
  86. return err
  87. }
  88. setup.Toxic.Kdelta, err = Utils.FqR.Rand()
  89. if err != nil {
  90. return err
  91. }
  93. // z pol
  94. zpol := []*big.Int{big.NewInt(int64(1))}
  95. for i := 1; i < len(alphas)-1; i++ {
  96. zpol = Utils.PF.Mul(
  97. zpol,
  98. []*big.Int{
  99. Utils.FqR.Neg(
  100. big.NewInt(int64(i))),
  101. big.NewInt(int64(1)),
  102. })
  103. }
  104. setup.Pk.Z = zpol
  105. zt := Utils.PF.Eval(zpol, setup.Toxic.T)
  106. invDelta := Utils.FqR.Inverse(setup.Toxic.Kdelta)
  107. ztinvDelta := Utils.FqR.Mul(invDelta, zt)
  109. // encrypt t values with curve generators
  110. // powers of tau divided by delta
  111. var ptd [][3]*big.Int
  112. ini := Utils.Bn.G1.MulScalar(Utils.Bn.G1.G, ztinvDelta)
  113. ptd = append(ptd, ini)
  114. tEncr := setup.Toxic.T
  115. for i := 1; i < len(zpol); i++ {
  116. ptd = append(ptd, Utils.Bn.G1.MulScalar(Utils.Bn.G1.G, Utils.FqR.Mul(tEncr, ztinvDelta)))
  117. tEncr = Utils.FqR.Mul(tEncr, setup.Toxic.T)
  118. }
  119. // powers of τ encrypted in G1 curve, divided by δ
  120. // (G1 * τ) / δ
  121. setup.Pk.PowersTauDelta = ptd
  123. setup.Pk.G1.Alpha = Utils.Bn.G1.MulScalar(Utils.Bn.G1.G, setup.Toxic.Kalpha)
  124. setup.Pk.G1.Beta = Utils.Bn.G1.MulScalar(Utils.Bn.G1.G, setup.Toxic.Kbeta)
  125. setup.Pk.G1.Delta = Utils.Bn.G1.MulScalar(Utils.Bn.G1.G, setup.Toxic.Kdelta)
  126. setup.Pk.G2.Beta = Utils.Bn.G2.MulScalar(Utils.Bn.G2.G, setup.Toxic.Kbeta)
  127. setup.Pk.G2.Delta = Utils.Bn.G2.MulScalar(Utils.Bn.G2.G, setup.Toxic.Kdelta)
  129. setup.Vk.G1.Alpha = Utils.Bn.G1.MulScalar(Utils.Bn.G1.G, setup.Toxic.Kalpha)
  130. setup.Vk.G2.Beta = Utils.Bn.G2.MulScalar(Utils.Bn.G2.G, setup.Toxic.Kbeta)
  131. setup.Vk.G2.Gamma = Utils.Bn.G2.MulScalar(Utils.Bn.G2.G, setup.Toxic.Kgamma)
  132. setup.Vk.G2.Delta = Utils.Bn.G2.MulScalar(Utils.Bn.G2.G, setup.Toxic.Kdelta)
  134. for i := 0; i < len(circuit.Signals); i++ {
  135. // Pk.G1.At: {a(τ)} from 0 to m
  136. at := Utils.PF.Eval(alphas[i], setup.Toxic.T)
  137. a := Utils.Bn.G1.MulScalar(Utils.Bn.G1.G, at)
  138. setup.Pk.G1.At = append(setup.Pk.G1.At, a)
  140. bt := Utils.PF.Eval(betas[i], setup.Toxic.T)
  141. g1bt := Utils.Bn.G1.MulScalar(Utils.Bn.G1.G, bt)
  142. g2bt := Utils.Bn.G2.MulScalar(Utils.Bn.G2.G, bt)
  143. // G1.BACGamma: {( βui(x)+αvi(x)+wi(x) ) / δ } from l+1 to m in G1
  144. setup.Pk.G1.BACGamma = append(setup.Pk.G1.BACGamma, g1bt)
  145. // G2.BACGamma: {( βui(x)+αvi(x)+wi(x) ) / δ } from l+1 to m in G2
  146. setup.Pk.G2.BACGamma = append(setup.Pk.G2.BACGamma, g2bt)
  147. }
  149. zero3 := [3]*big.Int{Utils.Bn.G1.F.Zero(), Utils.Bn.G1.F.Zero(), Utils.Bn.G1.F.Zero()}
  150. for i := 0; i < circuit.NPublic+1; i++ {
  151. setup.Pk.BACDelta = append(setup.Pk.BACDelta, zero3)
  152. }
  153. for i := circuit.NPublic + 1; i < circuit.NVars; i++ {
  154. // TODO calculate all at, bt, ct outside, to avoid repeating calculations
  155. at := Utils.PF.Eval(alphas[i], setup.Toxic.T)
  156. bt := Utils.PF.Eval(betas[i], setup.Toxic.T)
  157. ct := Utils.PF.Eval(gammas[i], setup.Toxic.T)
  158. c := Utils.FqR.Mul(
  159. invDelta,
  160. Utils.FqR.Add(
  161. Utils.FqR.Add(
  162. Utils.FqR.Mul(at, setup.Toxic.Kbeta),
  163. Utils.FqR.Mul(bt, setup.Toxic.Kalpha),
  164. ),
  165. ct,
  166. ),
  167. )
  168. g1c := Utils.Bn.G1.MulScalar(Utils.Bn.G1.G, c)
  170. // Pk.BACDelta: {( βui(x)+αvi(x)+wi(x) ) / γ } from 0 to l
  171. setup.Pk.BACDelta = append(setup.Pk.BACDelta, g1c)
  172. }
  174. for i := 0; i <= circuit.NPublic; i++ {
  175. at := Utils.PF.Eval(alphas[i], setup.Toxic.T)
  176. bt := Utils.PF.Eval(betas[i], setup.Toxic.T)
  177. ct := Utils.PF.Eval(gammas[i], setup.Toxic.T)
  178. ic := Utils.FqR.Mul(
  179. Utils.FqR.Inverse(setup.Toxic.Kgamma),
  180. Utils.FqR.Add(
  181. Utils.FqR.Add(
  182. Utils.FqR.Mul(at, setup.Toxic.Kbeta),
  183. Utils.FqR.Mul(bt, setup.Toxic.Kalpha),
  184. ),
  185. ct,
  186. ),
  187. )
  188. g1ic := Utils.Bn.G1.MulScalar(Utils.Bn.G1.G, ic)
  189. // used in verifier
  190. setup.Vk.IC = append(setup.Vk.IC, g1ic)
  191. }
  193. return nil
  194. }
  196. // Generate generates all the parameters to proof the zkSNARK from the Circuit, Setup and the Witness
  197. func (setup Groth16Setup) Generate(circuit circuit.Circuit, w []*big.Int, px []*big.Int) (Proof, error) {
  198. proof := &Groth16Proof{}
  199. proof.PiA = [3]*big.Int{Utils.Bn.G1.F.Zero(), Utils.Bn.G1.F.Zero(), Utils.Bn.G1.F.Zero()}
  200. proof.PiB = Utils.Bn.Fq6.Zero()
  201. proof.PiC = [3]*big.Int{Utils.Bn.G1.F.Zero(), Utils.Bn.G1.F.Zero(), Utils.Bn.G1.F.Zero()}
  203. r, err := Utils.FqR.Rand()
  204. if err != nil {
  205. return &Groth16Proof{}, err
  206. }
  207. s, err := Utils.FqR.Rand()
  208. if err != nil {
  209. return &Groth16Proof{}, err
  210. }
  212. // piBG1 will hold all the same than proof.PiB but in G1 curve
  213. piBG1 := [3]*big.Int{Utils.Bn.G1.F.Zero(), Utils.Bn.G1.F.Zero(), Utils.Bn.G1.F.Zero()}
  215. for i := 0; i < circuit.NVars; i++ {
  216. proof.PiA = Utils.Bn.G1.Add(proof.PiA, Utils.Bn.G1.MulScalar(setup.Pk.G1.At[i], w[i]))
  217. piBG1 = Utils.Bn.G1.Add(piBG1, Utils.Bn.G1.MulScalar(setup.Pk.G1.BACGamma[i], w[i]))
  218. proof.PiB = Utils.Bn.G2.Add(proof.PiB, Utils.Bn.G2.MulScalar(setup.Pk.G2.BACGamma[i], w[i]))
  219. }
  220. for i := circuit.NPublic + 1; i < circuit.NVars; i++ {
  221. proof.PiC = Utils.Bn.G1.Add(proof.PiC, Utils.Bn.G1.MulScalar(setup.Pk.BACDelta[i], w[i]))
  222. }
  224. // piA = (Σ from 0 to m (pk.A * w[i])) + pk.Alpha1 + r * δ
  225. proof.PiA = Utils.Bn.G1.Add(proof.PiA, setup.Pk.G1.Alpha)
  226. deltaR := Utils.Bn.G1.MulScalar(setup.Pk.G1.Delta, r)
  227. proof.PiA = Utils.Bn.G1.Add(proof.PiA, deltaR)
  229. // piBG1 = (Σ from 0 to m (pk.B1 * w[i])) + pk.g1.Beta + s * δ
  230. // piB = piB2 = (Σ from 0 to m (pk.B2 * w[i])) + pk.g2.Beta + s * δ
  231. piBG1 = Utils.Bn.G1.Add(piBG1, setup.Pk.G1.Beta)
  232. proof.PiB = Utils.Bn.G2.Add(proof.PiB, setup.Pk.G2.Beta)
  233. deltaSG1 := Utils.Bn.G1.MulScalar(setup.Pk.G1.Delta, s)
  234. piBG1 = Utils.Bn.G1.Add(piBG1, deltaSG1)
  235. deltaSG2 := Utils.Bn.G2.MulScalar(setup.Pk.G2.Delta, s)
  236. proof.PiB = Utils.Bn.G2.Add(proof.PiB, deltaSG2)
  238. hx := Utils.PF.DivisorPolynomial(px, setup.Pk.Z) // maybe move this calculation to a previous step
  240. // piC = (Σ from l+1 to m (w[i] * (pk.g1.Beta + pk.g1.Alpha + pk.C)) + h(tau)) / δ) + piA*s + r*piB - r*s*δ
  241. for i := 0; i < len(hx); i++ {
  242. proof.PiC = Utils.Bn.G1.Add(proof.PiC, Utils.Bn.G1.MulScalar(setup.Pk.PowersTauDelta[i], hx[i]))
  243. }
  244. proof.PiC = Utils.Bn.G1.Add(proof.PiC, Utils.Bn.G1.MulScalar(proof.PiA, s))
  245. proof.PiC = Utils.Bn.G1.Add(proof.PiC, Utils.Bn.G1.MulScalar(piBG1, r))
  246. negRS := Utils.FqR.Neg(Utils.FqR.Mul(r, s))
  247. proof.PiC = Utils.Bn.G1.Add(proof.PiC, Utils.Bn.G1.MulScalar(setup.Pk.G1.Delta, negRS))
  249. return proof, nil
  250. }
  252. // Verify verifies over the BN128 the Pairings of the Proof
  253. func (setup Groth16Setup) Verify(circuit circuit.Circuit, proof Proof, publicSignals []*big.Int, debug bool) bool {
  254. pproof, ok := proof.(*Groth16Proof)
  255. if !ok {
  256. panic("bad proof")
  257. }
  259. icPubl := setup.Vk.IC[0]
  260. for i := 0; i < len(publicSignals); i++ {
  261. icPubl = Utils.Bn.G1.Add(icPubl, Utils.Bn.G1.MulScalar(setup.Vk.IC[i+1], publicSignals[i]))
  262. }
  264. if !Utils.Bn.Fq12.Equal(
  265. Utils.Bn.Pairing(pproof.PiA, pproof.PiB),
  266. Utils.Bn.Fq12.Mul(
  267. Utils.Bn.Pairing(setup.Vk.G1.Alpha, setup.Vk.G2.Beta),
  268. Utils.Bn.Fq12.Mul(
  269. Utils.Bn.Pairing(icPubl, setup.Vk.G2.Gamma),
  270. Utils.Bn.Pairing(pproof.PiC, setup.Vk.G2.Delta)))) {
  271. if debug {
  272. fmt.Println("❌ groth16 verification not passed")
  273. }
  274. return false
  275. }
  276. if debug {
  277. fmt.Println("✓ groth16 verification passed")
  278. }
  280. return true
  281. }