arnaucube
/
go-snark
mirror of https://github.com/arnaucube/go-snark.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
34 Commits
1 Branch
4 Tags
91 MiB
Tree: 0096fbcaff
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '0096fbcaff'
${ noResults }
go-snark/snark.go

376 lines
12 KiB
Raw Normal View History

key generation for proofs, snark files to the root directory
6 years ago
doing trusted setup
6 years ago
bn128.NewFqR with field over R. Setup.Pk & .Vk
6 years ago
Preparing Pull Request
5 years ago
doing trusted setup
6 years ago
snark trusted setup + generate proof + verify proof working. Added test to bn128 pairing
6 years ago
doing trusted setup
6 years ago
Preparing Pull Request
5 years ago
doing trusted setup
6 years ago
circuit CalculateWitness, added - & / in GenerateR1CS(), added doc
5 years ago
proofs
6 years ago
e(Vb, piB) == e(piB', g2) proof
6 years ago
key generation for proofs, snark files to the root directory
6 years ago
e(Vb, piB) == e(piB', g2) proof
6 years ago
proofs
6 years ago
fixing Z(x), VkIC, Vkz, piH calculations
5 years ago
bn128.NewFqR with field over R. Setup.Pk & .Vk
6 years ago
Preparing Pull Request
5 years ago
bn128.NewFqR with field over R. Setup.Pk & .Vk
6 years ago
fixing Z(x), VkIC, Vkz, piH calculations
5 years ago
bn128.NewFqR with field over R. Setup.Pk & .Vk
6 years ago
snark trusted setup + generate proof + verify proof working. Added test to bn128 pairing
6 years ago
add rho's for proof keys and verification keys calculation, Vk.IC, add alphas input soundness when generating trusted setup
5 years ago
bn128.NewFqR with field over R. Setup.Pk & .Vk
6 years ago
proofs
6 years ago
key generation for proofs, snark files to the root directory
6 years ago
circuit CalculateWitness, added - & / in GenerateR1CS(), added doc
5 years ago
proofs
6 years ago
add rho's for proof keys and verification keys calculation, Vk.IC, add alphas input soundness when generating trusted setup
5 years ago
proofs
6 years ago
snark.Utils packed
5 years ago
circuit CalculateWitness, added - & / in GenerateR1CS(), added doc
5 years ago
optimizing R1CS representation extending parser
5 years ago
proofs
6 years ago
add rho's for proof keys and verification keys calculation, Vk.IC, add alphas input soundness when generating trusted setup
5 years ago
fixed full flow, now works, need to update circuit parser&compiler, and clean the code
5 years ago
add rho's for proof keys and verification keys calculation, Vk.IC, add alphas input soundness when generating trusted setup
5 years ago
doing trusted setup
6 years ago
snark.Utils packed
5 years ago
doing trusted setup
6 years ago
proofs
6 years ago
doing trusted setup
6 years ago
key generation for proofs, snark files to the root directory
6 years ago
snark.Utils packed
5 years ago
key generation for proofs, snark files to the root directory
6 years ago
snark.Utils packed
5 years ago
key generation for proofs, snark files to the root directory
6 years ago
snark.Utils packed
5 years ago
key generation for proofs, snark files to the root directory
6 years ago
snark.Utils packed
5 years ago
key generation for proofs, snark files to the root directory
6 years ago
snark.Utils packed
5 years ago
key generation for proofs, snark files to the root directory
6 years ago
snark.Utils packed
5 years ago
key generation for proofs, snark files to the root directory
6 years ago
snark.Utils packed
5 years ago
key generation for proofs, snark files to the root directory
6 years ago
snark.Utils packed
5 years ago
doing trusted setup
6 years ago
fixing Z(x), VkIC, Vkz, piH calculations
5 years ago
add rho's for proof keys and verification keys calculation, Vk.IC, add alphas input soundness when generating trusted setup
5 years ago
doing trusted setup
6 years ago
proofs
6 years ago
snark.Utils packed
5 years ago
bn128.NewFqR with field over R. Setup.Pk & .Vk
6 years ago
key generation for proofs, snark files to the root directory
6 years ago
snark.Utils packed
5 years ago
bn128.NewFqR with field over R. Setup.Pk & .Vk
6 years ago
fixing Z(x), VkIC, Vkz, piH calculations
5 years ago
optimizing R1CS representation extending parser
5 years ago
snark.Utils packed
5 years ago
small update, fix trusted setup ops over Field R
5 years ago
add rho's for proof keys and verification keys calculation, Vk.IC, add alphas input soundness when generating trusted setup
5 years ago
bn128.NewFqR with field over R. Setup.Pk & .Vk
6 years ago
optimizing R1CS representation extending parser
5 years ago
add rho's for proof keys and verification keys calculation, Vk.IC, add alphas input soundness when generating trusted setup
5 years ago
snark trusted setup + generate proof + verify proof working. Added test to bn128 pairing
6 years ago
bn128.NewFqR with field over R. Setup.Pk & .Vk
6 years ago
snark.Utils packed
5 years ago
small update, fix trusted setup ops over Field R
5 years ago
add rho's for proof keys and verification keys calculation, Vk.IC, add alphas input soundness when generating trusted setup
5 years ago
bn128.NewFqR with field over R. Setup.Pk & .Vk
6 years ago
snark.Utils packed
5 years ago
small update, fix trusted setup ops over Field R
5 years ago
add rho's for proof keys and verification keys calculation, Vk.IC, add alphas input soundness when generating trusted setup
5 years ago
bn128.NewFqR with field over R. Setup.Pk & .Vk
6 years ago
add rho's for proof keys and verification keys calculation, Vk.IC, add alphas input soundness when generating trusted setup
5 years ago
snark.Utils packed
5 years ago
snark trusted setup + generate proof + verify proof working. Added test to bn128 pairing
6 years ago
snark.Utils packed
5 years ago
snark trusted setup + generate proof + verify proof working. Added test to bn128 pairing
6 years ago
bn128.NewFqR with field over R. Setup.Pk & .Vk
6 years ago
snark.Utils packed
5 years ago
bn128.NewFqR with field over R. Setup.Pk & .Vk
6 years ago
fixing Z(x), VkIC, Vkz, piH calculations
5 years ago
fixed full flow, now works, need to update circuit parser&compiler, and clean the code
5 years ago
fixing Z(x), VkIC, Vkz, piH calculations
5 years ago
small update, fix trusted setup ops over Field R
5 years ago
add rho's for proof keys and verification keys calculation, Vk.IC, add alphas input soundness when generating trusted setup
5 years ago
key generation for proofs, snark files to the root directory
6 years ago
fixing Z(x), VkIC, Vkz, piH calculations
5 years ago
small update, fix trusted setup ops over Field R
5 years ago
fixing Z(x), VkIC, Vkz, piH calculations
5 years ago
e(Vb, piB) == e(piB', g2) proof
6 years ago
circuit CalculateWitness, added - & / in GenerateR1CS(), added doc
5 years ago
multiplication gate reduction via reusing old gates with equivalent behaviour multiplication gate reduction via reusing old gates with equivalent behaviour
5 years ago
e(Vb, piB) == e(piB', g2) proof
6 years ago
snark.Utils packed
5 years ago
e(Vb, piB) == e(piB', g2) proof
6 years ago
multiplication gate reduction via reusing old gates with equivalent behaviour multiplication gate reduction via reusing old gates with equivalent behaviour
5 years ago
snark.Utils packed
5 years ago
doing trusted setup
6 years ago
key generation for proofs, snark files to the root directory
6 years ago
multiplication gate reduction via reusing old gates with equivalent behaviour multiplication gate reduction via reusing old gates with equivalent behaviour
5 years ago
snark.Utils packed
5 years ago
bn128.NewFqR with field over R. Setup.Pk & .Vk
6 years ago
snark.Utils packed
5 years ago
key generation for proofs, snark files to the root directory
6 years ago
snark.Utils packed
5 years ago
bn128.NewFqR with field over R. Setup.Pk & .Vk
6 years ago
snark trusted setup + generate proof + verify proof working. Added test to bn128 pairing
6 years ago
fixing Z(x), VkIC, Vkz, piH calculations
5 years ago
small update, fix trusted setup ops over Field R
5 years ago
snark.Utils packed
5 years ago
bn128.NewFqR with field over R. Setup.Pk & .Vk
6 years ago
proofs
6 years ago
e(Vb, piB) == e(piB', g2) proof
6 years ago
proofs
6 years ago
circuit CalculateWitness, added - & / in GenerateR1CS(), added doc
5 years ago
multiplication gate reduction via reusing old gates with equivalent behaviour multiplication gate reduction via reusing old gates with equivalent behaviour
5 years ago
proofs
6 years ago
snark.Utils packed
5 years ago
minimal clean & update tests
5 years ago
proofs
6 years ago
fixing Z(x), VkIC, Vkz, piH calculations
5 years ago
cli
5 years ago
proofs
6 years ago
e(Vb, piB) == e(piB', g2) proof
6 years ago
snark.Utils packed
5 years ago
minimal clean & update tests
5 years ago
e(Vb, piB) == e(piB', g2) proof
6 years ago
fixing Z(x), VkIC, Vkz, piH calculations
5 years ago
cli
5 years ago
proofs
6 years ago
snark.Utils packed
5 years ago
minimal clean & update tests
5 years ago
proofs
6 years ago
bn128.NewFqR with field over R. Setup.Pk & .Vk
6 years ago
fixing Z(x), VkIC, Vkz, piH calculations
5 years ago
cli
5 years ago
bn128.NewFqR with field over R. Setup.Pk & .Vk
6 years ago
add rho's for proof keys and verification keys calculation, Vk.IC, add alphas input soundness when generating trusted setup
5 years ago
snark trusted setup + generate proof + verify proof working. Added test to bn128 pairing
6 years ago
bn128.NewFqR with field over R. Setup.Pk & .Vk
6 years ago
snark.Utils packed
5 years ago
add rho's for proof keys and verification keys calculation, Vk.IC, add alphas input soundness when generating trusted setup
5 years ago
snark.Utils packed
5 years ago
minimal clean & update tests
5 years ago
bn128.NewFqR with field over R. Setup.Pk & .Vk
6 years ago
proofs
6 years ago
fixing Z(x), VkIC, Vkz, piH calculations
5 years ago
cli
5 years ago
proofs
6 years ago
snark trusted setup + generate proof + verify proof working. Added test to bn128 pairing
6 years ago
key generation for proofs, snark files to the root directory
6 years ago
snark.Utils packed
5 years ago
minimal clean & update tests
5 years ago
snark trusted setup + generate proof + verify proof working. Added test to bn128 pairing
6 years ago
fixing Z(x), VkIC, Vkz, piH calculations
5 years ago
cli
5 years ago
doing trusted setup
6 years ago
proofs
6 years ago
doing trusted setup
6 years ago
Preparing Pull Request
5 years ago
  1. package snark
  3. import (
  4. "fmt"
  5. "github.com/arnaucube/go-snark/circuitcompiler"
  6. "math/big"
  7. "os"
  9. "github.com/arnaucube/go-snark/bn128"
  10. "github.com/arnaucube/go-snark/fields"
  11. "github.com/arnaucube/go-snark/r1csqap"
  12. )
  14. // Setup is the data structure holding the Trusted Setup data. The Setup.Toxic sub struct must be destroyed after the GenerateTrustedSetup function is completed
  15. type Setup struct {
  16. Toxic struct {
  17. T *big.Int // trusted setup secret
  18. Ka *big.Int // prover
  19. Kb *big.Int // prover
  20. Kc *big.Int // prover
  21. Kbeta *big.Int
  22. Kgamma *big.Int
  23. RhoA *big.Int
  24. RhoB *big.Int
  25. RhoC *big.Int
  26. }
  28. // public
  29. G1T [][3]*big.Int // t encrypted in G1 curve, G1T == Pk.H
  30. G2T [][3][2]*big.Int // t encrypted in G2 curve
  31. Pk struct {
  32. // Proving Key pk:=(pkA, pkB, pkC, pkH)
  33. A [][3]*big.Int
  34. B [][3][2]*big.Int
  35. C [][3]*big.Int
  36. Kp [][3]*big.Int
  37. Ap [][3]*big.Int
  38. Bp [][3]*big.Int
  39. Cp [][3]*big.Int
  40. Z []*big.Int
  41. }
  42. Vk struct {
  43. Vka [3][2]*big.Int
  44. Vkb [3]*big.Int
  45. Vkc [3][2]*big.Int
  46. IC [][3]*big.Int
  47. G1Kbg [3]*big.Int // g1 * Kbeta * Kgamma
  48. G2Kbg [3][2]*big.Int // g2 * Kbeta * Kgamma
  49. G2Kg [3][2]*big.Int // g2 * Kgamma
  50. Vkz [3][2]*big.Int
  51. }
  52. }
  54. // Proof contains the parameters to proof the zkSNARK
  55. type Proof struct {
  56. PiA [3]*big.Int
  57. PiAp [3]*big.Int
  58. PiB [3][2]*big.Int
  59. PiBp [3]*big.Int
  60. PiC [3]*big.Int
  61. PiCp [3]*big.Int
  62. PiH [3]*big.Int
  63. PiKp [3]*big.Int
  64. // PublicSignals []*big.Int
  65. }
  67. type utils struct {
  68. Bn bn128.Bn128
  69. FqR fields.Fq
  70. PF r1csqap.PolynomialField
  71. }
  73. // Utils is the data structure holding the BN128, FqR Finite Field over R, PolynomialField, that will be used inside the snarks operations
  74. var Utils = prepareUtils()
  76. func prepareUtils() utils {
  77. bn, err := bn128.NewBn128()
  78. if err != nil {
  79. panic(err)
  80. }
  81. // new Finite Field
  82. fqR := fields.NewFq(bn.R)
  83. // new Polynomial Field
  84. pf := r1csqap.NewPolynomialField(fqR)
  86. return utils{
  87. Bn: bn,
  88. FqR: fqR,
  89. PF: pf,
  90. }
  91. }
  93. // GenerateTrustedSetup generates the Trusted Setup from a compiled Circuit. The Setup.Toxic sub data structure must be destroyed
  94. func GenerateTrustedSetup(witnessLength int, alphas, betas, gammas [][]*big.Int) (Setup, error) {
  95. var setup Setup
  96. var err error
  98. // input soundness
  99. // for i := 0; i < len(alphas); i++ {
  100. // for j := 0; j < len(alphas[i]); j++ {
  101. // if j <= circuit.NPublic {
  102. // if bytes.Equal(alphas[i][j].Bytes(), Utils.FqR.Zero().Bytes()) {
  103. // alphas[i][j] = Utils.FqR.One()
  104. // }
  105. // }
  106. // }
  107. // }
  109. // generate random t value
  110. setup.Toxic.T, err = Utils.FqR.Rand()
  111. if err != nil {
  112. return Setup{}, err
  113. }
  115. // k for calculating pi' and Vk
  116. setup.Toxic.Ka, err = Utils.FqR.Rand()
  117. if err != nil {
  118. return Setup{}, err
  119. }
  120. setup.Toxic.Kb, err = Utils.FqR.Rand()
  121. if err != nil {
  122. return Setup{}, err
  123. }
  124. setup.Toxic.Kc, err = Utils.FqR.Rand()
  125. if err != nil {
  126. return Setup{}, err
  127. }
  129. // generate Kβ (Kbeta) and Kγ (Kgamma)
  130. setup.Toxic.Kbeta, err = Utils.FqR.Rand()
  131. if err != nil {
  132. return Setup{}, err
  133. }
  134. setup.Toxic.Kgamma, err = Utils.FqR.Rand()
  135. if err != nil {
  136. return Setup{}, err
  137. }
  139. // generate ρ (Rho): ρA, ρB, ρC
  140. setup.Toxic.RhoA, err = Utils.FqR.Rand()
  141. if err != nil {
  142. return Setup{}, err
  143. }
  144. setup.Toxic.RhoB, err = Utils.FqR.Rand()
  145. if err != nil {
  146. return Setup{}, err
  147. }
  148. setup.Toxic.RhoC = Utils.FqR.Mul(setup.Toxic.RhoA, setup.Toxic.RhoB)
  150. // calculated more down
  151. // for i := 0; i < witnessLength; i++ {
  152. // tPow := Utils.FqR.Exp(setup.Toxic.T, big.NewInt(int64(i)))
  153. // tEncr1 := Utils.Bn.G1.MulScalar(Utils.Bn.G1.G, tPow)
  154. // gt1 = append(gt1, tEncr1)
  155. // tEncr2 := Utils.Bn.G2.MulScalar(Utils.Bn.G2.G, tPow)
  156. // gt2 = append(gt2, tEncr2)
  157. // }
  158. // gt1: g1, g1*t, g1*t^2, g1*t^3, ...
  159. // gt2: g2, g2*t, g2*t^2, ...
  161. setup.Vk.Vka = Utils.Bn.G2.MulScalar(Utils.Bn.G2.G, setup.Toxic.Ka)
  162. setup.Vk.Vkb = Utils.Bn.G1.MulScalar(Utils.Bn.G1.G, setup.Toxic.Kb)
  163. setup.Vk.Vkc = Utils.Bn.G2.MulScalar(Utils.Bn.G2.G, setup.Toxic.Kc)
  165. /*
  166. Verification keys:
  167. - Vk_betagamma1: setup.G1Kbg = g1 * Kbeta*Kgamma
  168. - Vk_betagamma2: setup.G2Kbg = g2 * Kbeta*Kgamma
  169. - Vk_gamma: setup.G2Kg = g2 * Kgamma
  170. */
  171. kbg := Utils.FqR.Mul(setup.Toxic.Kbeta, setup.Toxic.Kgamma)
  172. setup.Vk.G1Kbg = Utils.Bn.G1.MulScalar(Utils.Bn.G1.G, kbg)
  173. setup.Vk.G2Kbg = Utils.Bn.G2.MulScalar(Utils.Bn.G2.G, kbg)
  174. setup.Vk.G2Kg = Utils.Bn.G2.MulScalar(Utils.Bn.G2.G, setup.Toxic.Kgamma)
  176. // for i := 0; i < circuit.NVars; i++ {
  177. for i := 0; i < witnessLength; i++ {
  178. at := Utils.PF.Eval(alphas[i], setup.Toxic.T)
  179. // rhoAat := Utils.Bn.Fq1.Mul(setup.Toxic.RhoA, at)
  180. rhoAat := Utils.FqR.Mul(setup.Toxic.RhoA, at)
  181. a := Utils.Bn.G1.MulScalar(Utils.Bn.G1.G, rhoAat)
  182. setup.Pk.A = append(setup.Pk.A, a)
  183. if i <= 4 {
  184. setup.Vk.IC = append(setup.Vk.IC, a)
  185. }
  187. bt := Utils.PF.Eval(betas[i], setup.Toxic.T)
  188. // rhoBbt := Utils.Bn.Fq1.Mul(setup.Toxic.RhoB, bt)
  189. rhoBbt := Utils.FqR.Mul(setup.Toxic.RhoB, bt)
  190. bg1 := Utils.Bn.G1.MulScalar(Utils.Bn.G1.G, rhoBbt)
  191. bg2 := Utils.Bn.G2.MulScalar(Utils.Bn.G2.G, rhoBbt)
  192. setup.Pk.B = append(setup.Pk.B, bg2)
  194. ct := Utils.PF.Eval(gammas[i], setup.Toxic.T)
  195. // rhoCct := Utils.Bn.Fq1.Mul(setup.Toxic.RhoC, ct)
  196. rhoCct := Utils.FqR.Mul(setup.Toxic.RhoC, ct)
  197. c := Utils.Bn.G1.MulScalar(Utils.Bn.G1.G, rhoCct)
  198. setup.Pk.C = append(setup.Pk.C, c)
  200. kt := Utils.FqR.Add(Utils.FqR.Add(rhoAat, rhoBbt), rhoCct)
  201. k := Utils.Bn.G1.Affine(Utils.Bn.G1.MulScalar(Utils.Bn.G1.G, kt))
  203. ktest := Utils.Bn.G1.Affine(Utils.Bn.G1.Add(Utils.Bn.G1.Add(a, bg1), c))
  204. if !Utils.Bn.Fq2.Equal(k, ktest) {
  205. os.Exit(1)
  206. return setup, err
  207. }
  209. setup.Pk.Ap = append(setup.Pk.Ap, Utils.Bn.G1.MulScalar(a, setup.Toxic.Ka))
  210. setup.Pk.Bp = append(setup.Pk.Bp, Utils.Bn.G1.MulScalar(bg1, setup.Toxic.Kb))
  211. setup.Pk.Cp = append(setup.Pk.Cp, Utils.Bn.G1.MulScalar(c, setup.Toxic.Kc))
  212. k_ := Utils.Bn.G1.MulScalar(Utils.Bn.G1.G, kt)
  213. setup.Pk.Kp = append(setup.Pk.Kp, Utils.Bn.G1.MulScalar(k_, setup.Toxic.Kbeta))
  214. }
  216. // z pol
  217. zpol := []*big.Int{big.NewInt(int64(1))}
  218. // for i := 0; i < len(circuit.Constraints); i++ {
  219. for i := 1; i < len(alphas)-1; i++ {
  220. zpol = Utils.PF.Mul(
  221. zpol,
  222. []*big.Int{
  223. Utils.FqR.Neg( // neg over R
  224. big.NewInt(int64(i))),
  225. big.NewInt(int64(1)),
  226. })
  227. }
  228. setup.Pk.Z = zpol
  230. zt := Utils.PF.Eval(zpol, setup.Toxic.T)
  231. // rhoCzt := Utils.Bn.Fq1.Mul(setup.Toxic.RhoC, zt)
  232. rhoCzt := Utils.FqR.Mul(setup.Toxic.RhoC, zt)
  233. setup.Vk.Vkz = Utils.Bn.G2.MulScalar(Utils.Bn.G2.G, rhoCzt)
  235. // encrypt t values with curve generators
  236. var gt1 [][3]*big.Int
  237. gt1 = append(gt1, Utils.Bn.G1.G) // the first is t**0 * G1 = 1 * G1 = G1
  238. tEncr := setup.Toxic.T
  239. for i := 1; i < len(zpol); i++ { //should be G1T = pkH = (tau**i * G1) from i=0 to d, where d is degree of pol Z(x)
  240. gt1 = append(gt1, Utils.Bn.G1.MulScalar(Utils.Bn.G1.G, tEncr))
  241. // tEncr = Utils.Bn.Fq1.Mul(tEncr, setup.Toxic.T)
  242. tEncr = Utils.FqR.Mul(tEncr, setup.Toxic.T)
  243. }
  244. setup.G1T = gt1
  246. return setup, nil
  247. }
  249. // GenerateProofs generates all the parameters to proof the zkSNARK from the Circuit, Setup and the Witness
  250. func GenerateProofs(setup Setup, nInputs int, w []*big.Int, px []*big.Int) (Proof, error) {
  251. var proof Proof
  252. proof.PiA = [3]*big.Int{Utils.Bn.G1.F.Zero(), Utils.Bn.G1.F.Zero(), Utils.Bn.G1.F.Zero()}
  253. proof.PiAp = [3]*big.Int{Utils.Bn.G1.F.Zero(), Utils.Bn.G1.F.Zero(), Utils.Bn.G1.F.Zero()}
  254. proof.PiB = Utils.Bn.Fq6.Zero()
  255. proof.PiBp = [3]*big.Int{Utils.Bn.G1.F.Zero(), Utils.Bn.G1.F.Zero(), Utils.Bn.G1.F.Zero()}
  256. proof.PiC = [3]*big.Int{Utils.Bn.G1.F.Zero(), Utils.Bn.G1.F.Zero(), Utils.Bn.G1.F.Zero()}
  257. proof.PiCp = [3]*big.Int{Utils.Bn.G1.F.Zero(), Utils.Bn.G1.F.Zero(), Utils.Bn.G1.F.Zero()}
  258. proof.PiH = [3]*big.Int{Utils.Bn.G1.F.Zero(), Utils.Bn.G1.F.Zero(), Utils.Bn.G1.F.Zero()}
  259. proof.PiKp = [3]*big.Int{Utils.Bn.G1.F.Zero(), Utils.Bn.G1.F.Zero(), Utils.Bn.G1.F.Zero()}
  261. for i := nInputs; i < len(w)-1; i++ {
  262. proof.PiA = Utils.Bn.G1.Add(proof.PiA, Utils.Bn.G1.MulScalar(setup.Pk.A[i], w[i]))
  263. proof.PiAp = Utils.Bn.G1.Add(proof.PiAp, Utils.Bn.G1.MulScalar(setup.Pk.Ap[i], w[i]))
  264. }
  266. for i := 0; i < len(w); i++ {
  267. proof.PiB = Utils.Bn.G2.Add(proof.PiB, Utils.Bn.G2.MulScalar(setup.Pk.B[i], w[i]))
  268. proof.PiBp = Utils.Bn.G1.Add(proof.PiBp, Utils.Bn.G1.MulScalar(setup.Pk.Bp[i], w[i]))
  270. proof.PiC = Utils.Bn.G1.Add(proof.PiC, Utils.Bn.G1.MulScalar(setup.Pk.C[i], w[i]))
  271. proof.PiCp = Utils.Bn.G1.Add(proof.PiCp, Utils.Bn.G1.MulScalar(setup.Pk.Cp[i], w[i]))
  273. proof.PiKp = Utils.Bn.G1.Add(proof.PiKp, Utils.Bn.G1.MulScalar(setup.Pk.Kp[i], w[i]))
  274. }
  276. hx := Utils.PF.DivisorPolynomial(px, setup.Pk.Z) // maybe move this calculation to a previous step
  278. // piH = pkH,0 + sum ( hi * pk H,i ), where pkH = G1T, hi=hx
  279. // proof.PiH = Utils.Bn.G1.Add(proof.PiH, setup.G1T[0])
  280. for i := 0; i < len(hx); i++ {
  281. proof.PiH = Utils.Bn.G1.Add(proof.PiH, Utils.Bn.G1.MulScalar(setup.G1T[i], hx[i]))
  282. }
  284. return proof, nil
  285. }
  287. // VerifyProof verifies over the BN128 the Pairings of the Proof
  288. func VerifyProof(setup Setup, proof Proof, publicSignals []*big.Int, debug bool) bool {
  289. // e(piA, Va) == e(piA', g2)
  290. pairingPiaVa := Utils.Bn.Pairing(proof.PiA, setup.Vk.Vka)
  291. pairingPiapG2 := Utils.Bn.Pairing(proof.PiAp, Utils.Bn.G2.G)
  292. if !Utils.Bn.Fq12.Equal(pairingPiaVa, pairingPiapG2) {
  293. fmt.Println("❌ e(piA, Va) == e(piA', g2), valid knowledge commitment for A")
  294. return false
  295. }
  296. if debug {
  297. fmt.Println("✓ e(piA, Va) == e(piA', g2), valid knowledge commitment for A")
  298. }
  300. // e(Vb, piB) == e(piB', g2)
  301. pairingVbPib := Utils.Bn.Pairing(setup.Vk.Vkb, proof.PiB)
  302. pairingPibpG2 := Utils.Bn.Pairing(proof.PiBp, Utils.Bn.G2.G)
  303. if !Utils.Bn.Fq12.Equal(pairingVbPib, pairingPibpG2) {
  304. fmt.Println("❌ e(Vb, piB) == e(piB', g2), valid knowledge commitment for B")
  305. return false
  306. }
  307. if debug {
  308. fmt.Println("✓ e(Vb, piB) == e(piB', g2), valid knowledge commitment for B")
  309. }
  311. // e(piC, Vc) == e(piC', g2)
  312. pairingPicVc := Utils.Bn.Pairing(proof.PiC, setup.Vk.Vkc)
  313. pairingPicpG2 := Utils.Bn.Pairing(proof.PiCp, Utils.Bn.G2.G)
  314. if !Utils.Bn.Fq12.Equal(pairingPicVc, pairingPicpG2) {
  315. fmt.Println("❌ e(piC, Vc) == e(piC', g2), valid knowledge commitment for C")
  316. return false
  317. }
  318. if debug {
  319. fmt.Println("✓ e(piC, Vc) == e(piC', g2), valid knowledge commitment for C")
  320. }
  322. // Vkx, to then calculate Vkx+piA
  323. vkxpia := setup.Vk.IC[0]
  324. for i := 0; i < len(publicSignals); i++ {
  325. vkxpia = Utils.Bn.G1.Add(vkxpia, Utils.Bn.G1.MulScalar(setup.Vk.IC[i+1], publicSignals[i]))
  326. }
  328. // e(Vkx+piA, piB) == e(piH, Vkz) * e(piC, g2)
  329. if !Utils.Bn.Fq12.Equal(
  330. Utils.Bn.Pairing(Utils.Bn.G1.Add(vkxpia, proof.PiA), proof.PiB), // TODO Add(vkxpia, proof.PiA) can go outside in order to save computation, as is reused later
  331. Utils.Bn.Fq12.Mul(
  332. Utils.Bn.Pairing(proof.PiH, setup.Vk.Vkz),
  333. Utils.Bn.Pairing(proof.PiC, Utils.Bn.G2.G))) {
  334. fmt.Println("❌ e(Vkx+piA, piB) == e(piH, Vkz) * e(piC, g2), QAP disibility checked")
  335. return false
  336. }
  337. if debug {
  338. fmt.Println("✓ e(Vkx+piA, piB) == e(piH, Vkz) * e(piC, g2), QAP disibility checked")
  339. }
  341. // e(Vkx+piA+piC, g2KbetaKgamma) * e(g1KbetaKgamma, piB)
  342. // == e(piK, g2Kgamma)
  343. piApiC := Utils.Bn.G1.Add(Utils.Bn.G1.Add(vkxpia, proof.PiA), proof.PiC)
  344. pairingPiACG2Kbg := Utils.Bn.Pairing(piApiC, setup.Vk.G2Kbg)
  345. pairingG1KbgPiB := Utils.Bn.Pairing(setup.Vk.G1Kbg, proof.PiB)
  346. pairingL := Utils.Bn.Fq12.Mul(pairingPiACG2Kbg, pairingG1KbgPiB)
  347. pairingR := Utils.Bn.Pairing(proof.PiKp, setup.Vk.G2Kg)
  348. if !Utils.Bn.Fq12.Equal(pairingL, pairingR) {
  349. fmt.Println("❌ e(Vkx+piA+piC, g2KbetaKgamma) * e(g1KbetaKgamma, piB) == e(piK, g2Kgamma)")
  350. return false
  351. }
  352. if debug {
  353. fmt.Println("✓ e(Vkx+piA+piC, g2KbetaKgamma) * e(g1KbetaKgamma, piB) == e(piK, g2Kgamma)")
  354. }
  356. return true
  357. }
  359. //TODO this is just a workaround to place the output after the input signals. Will be removed once the handling of private variables is already considered in the lexer
  360. func RelocateOutput(numberOfInputs int, r1cs circuitcompiler.R1CS, witness []*big.Int) (r circuitcompiler.R1CS, w []*big.Int) {
  361. tmpA, tmpB, tmpC := [][]*big.Int{}, [][]*big.Int{}, [][]*big.Int{}
  363. tmpA = append(tmpA, r1cs.A[len(r1cs.A)-1])
  364. tmpA = append(tmpA, r1cs.A[:len(r1cs.A)-1]...)
  366. tmpB = append(tmpB, r1cs.B[len(r1cs.B)-1])
  367. tmpB = append(tmpB, r1cs.B[:len(r1cs.B)-1]...)
  369. tmpC = append(tmpC, r1cs.C[len(r1cs.C)-1])
  370. tmpC = append(tmpC, r1cs.C[:len(r1cs.C)-1]...)
  372. wtmp := append(witness[:numberOfInputs], witness[len(witness)-1])
  373. wtmp = append(wtmp, witness[numberOfInputs:len(witness)-2]...)
  375. return circuitcompiler.R1CS{A: tmpA, B: tmpB, C: tmpC}, wtmp
  376. }