arnaucube
/
go-snark
mirror of https://github.com/arnaucube/go-snark.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
38 Commits
1 Branch
4 Tags
91 MiB
Tree: 54a265e73b
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '54a265e73b'
${ noResults }
go-snark/proof/groth16.go

275 lines
8.4 KiB
Raw Normal View History

add Groth16 setup calculation
5 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
add Groth16 setup calculation
5 years ago
add Groth16 proof generation & verification
5 years ago
add Groth16 setup calculation
5 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
add Groth16 setup calculation
5 years ago
move pf to fields and qap conversion to proof module
5 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
add Groth16 setup calculation
5 years ago
move pf to fields and qap conversion to proof module
5 years ago
add Groth16 setup calculation
5 years ago
move pf to fields and qap conversion to proof module
5 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
add Groth16 setup calculation
5 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
add Groth16 setup calculation
5 years ago
move pf to fields and qap conversion to proof module
5 years ago
add Groth16 setup calculation
5 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
add Groth16 setup calculation
5 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
add Groth16 setup calculation
5 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
add Groth16 setup calculation
5 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
add Groth16 setup calculation
5 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
add Groth16 setup calculation
5 years ago
move pf to fields and qap conversion to proof module
5 years ago
add Groth16 setup calculation
5 years ago
move pf to fields and qap conversion to proof module
5 years ago
add Groth16 setup calculation
5 years ago
move pf to fields and qap conversion to proof module
5 years ago
add Groth16 setup calculation
5 years ago
move pf to fields and qap conversion to proof module
5 years ago
add Groth16 setup calculation
5 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
add Groth16 setup calculation
5 years ago
add Groth16 proof generation & verification
5 years ago
move pf to fields and qap conversion to proof module
5 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
add Groth16 proof generation & verification
5 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
add Groth16 proof generation & verification
5 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
add Groth16 proof generation & verification
5 years ago
move pf to fields and qap conversion to proof module
5 years ago
add Groth16 proof generation & verification
5 years ago
move pf to fields and qap conversion to proof module
5 years ago
add Groth16 proof generation & verification
5 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
move pf to fields and qap conversion to proof module
5 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
move pf to fields and qap conversion to proof module
5 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
add Groth16 proof generation & verification
5 years ago
refactoring: - avoid code duplication on cmd - interface for proof system
5 years ago
add Groth16 proof generation & verification
5 years ago
move pf to fields and qap conversion to proof module
5 years ago
add Groth16 proof generation & verification
5 years ago
move pf to fields and qap conversion to proof module
5 years ago
add Groth16 proof generation & verification
5 years ago
  1. // implementation of https://eprint.iacr.org/2016/260.pdf
  3. package proof
  5. import (
  6. "fmt"
  7. "math/big"
  9. "github.com/arnaucube/go-snark/circuit"
  10. )
  12. // Groth16Setup is Groth16 system setup structure
  13. type Groth16Setup struct {
  14. Toxic struct {
  15. T *big.Int // trusted setup secret
  16. Kalpha *big.Int
  17. Kbeta *big.Int
  18. Kgamma *big.Int
  19. Kdelta *big.Int
  20. } `json:"-"`
  22. // public
  23. Pk struct { // Proving Key
  24. BACDelta [][3]*big.Int // {( βui(x)+αvi(x)+wi(x) ) / γ } from 0 to l
  25. Z []*big.Int
  26. G1 struct {
  27. Alpha [3]*big.Int
  28. Beta [3]*big.Int
  29. Delta [3]*big.Int
  30. At [][3]*big.Int // {a(τ)} from 0 to m
  31. BACGamma [][3]*big.Int // {( βui(x)+αvi(x)+wi(x) ) / δ } from l+1 to m
  32. }
  33. G2 struct {
  34. Beta [3][2]*big.Int
  35. Gamma [3][2]*big.Int
  36. Delta [3][2]*big.Int
  37. BACGamma [][3][2]*big.Int // {( βui(x)+αvi(x)+wi(x) ) / δ } from l+1 to m
  38. }
  39. PowersTauDelta [][3]*big.Int // powers of τ encrypted in G1 curve, divided by δ
  40. }
  41. Vk struct {
  42. IC [][3]*big.Int
  43. G1 struct {
  44. Alpha [3]*big.Int
  45. }
  46. G2 struct {
  47. Beta [3][2]*big.Int
  48. Gamma [3][2]*big.Int
  49. Delta [3][2]*big.Int
  50. }
  51. }
  52. }
  54. // Groth16Proof is Groth16 proof structure
  55. type Groth16Proof struct {
  56. PiA [3]*big.Int
  57. PiB [3][2]*big.Int
  58. PiC [3]*big.Int
  59. }
  61. // Z is ...
  62. func (setup *Groth16Setup) Z() []*big.Int {
  63. return setup.Pk.Z
  64. }
  66. // Init setups the trusted setup from a compiled circuit
  67. func (setup *Groth16Setup) Init(cir *circuit.Circuit, alphas, betas, gammas [][]*big.Int) error {
  68. var err error
  70. setup.Toxic.T, err = Utils.FqR.Rand()
  71. if err != nil {
  72. return err
  73. }
  75. setup.Toxic.Kalpha, err = Utils.FqR.Rand()
  76. if err != nil {
  77. return err
  78. }
  79. setup.Toxic.Kbeta, err = Utils.FqR.Rand()
  80. if err != nil {
  81. return err
  82. }
  83. setup.Toxic.Kgamma, err = Utils.FqR.Rand()
  84. if err != nil {
  85. return err
  86. }
  87. setup.Toxic.Kdelta, err = Utils.FqR.Rand()
  88. if err != nil {
  89. return err
  90. }
  92. zpol := []*big.Int{big.NewInt(int64(1))}
  93. for i := 1; i < len(alphas)-1; i++ {
  94. zpol = Utils.PF.Mul(
  95. zpol,
  96. []*big.Int{
  97. Utils.FqR.Neg(
  98. big.NewInt(int64(i))),
  99. big.NewInt(int64(1)),
  100. })
  101. }
  102. setup.Pk.Z = zpol
  103. zt := Utils.PF.Eval(zpol, setup.Toxic.T)
  104. invDelta := Utils.FqR.Inverse(setup.Toxic.Kdelta)
  105. ztinvDelta := Utils.FqR.Mul(invDelta, zt)
  107. // encrypt t values with curve generators
  108. // powers of tau divided by delta
  109. var ptd [][3]*big.Int
  110. ini := Utils.Bn.G1.MulScalar(Utils.Bn.G1.G, ztinvDelta)
  111. ptd = append(ptd, ini)
  112. tEncr := setup.Toxic.T
  113. for i := 1; i < len(zpol); i++ {
  114. ptd = append(ptd, Utils.Bn.G1.MulScalar(Utils.Bn.G1.G, Utils.FqR.Mul(tEncr, ztinvDelta)))
  115. tEncr = Utils.FqR.Mul(tEncr, setup.Toxic.T)
  116. }
  117. // powers of τ encrypted in G1 curve, divided by δ
  118. // (G1 * τ) / δ
  119. setup.Pk.PowersTauDelta = ptd
  121. setup.Pk.G1.Alpha = Utils.Bn.G1.MulScalar(Utils.Bn.G1.G, setup.Toxic.Kalpha)
  122. setup.Pk.G1.Beta = Utils.Bn.G1.MulScalar(Utils.Bn.G1.G, setup.Toxic.Kbeta)
  123. setup.Pk.G1.Delta = Utils.Bn.G1.MulScalar(Utils.Bn.G1.G, setup.Toxic.Kdelta)
  124. setup.Pk.G2.Beta = Utils.Bn.G2.MulScalar(Utils.Bn.G2.G, setup.Toxic.Kbeta)
  125. setup.Pk.G2.Delta = Utils.Bn.G2.MulScalar(Utils.Bn.G2.G, setup.Toxic.Kdelta)
  127. setup.Vk.G1.Alpha = Utils.Bn.G1.MulScalar(Utils.Bn.G1.G, setup.Toxic.Kalpha)
  128. setup.Vk.G2.Beta = Utils.Bn.G2.MulScalar(Utils.Bn.G2.G, setup.Toxic.Kbeta)
  129. setup.Vk.G2.Gamma = Utils.Bn.G2.MulScalar(Utils.Bn.G2.G, setup.Toxic.Kgamma)
  130. setup.Vk.G2.Delta = Utils.Bn.G2.MulScalar(Utils.Bn.G2.G, setup.Toxic.Kdelta)
  132. for i := 0; i < len(cir.Signals); i++ {
  133. // Pk.G1.At: {a(τ)} from 0 to m
  134. at := Utils.PF.Eval(alphas[i], setup.Toxic.T)
  135. a := Utils.Bn.G1.MulScalar(Utils.Bn.G1.G, at)
  136. setup.Pk.G1.At = append(setup.Pk.G1.At, a)
  138. bt := Utils.PF.Eval(betas[i], setup.Toxic.T)
  139. g1bt := Utils.Bn.G1.MulScalar(Utils.Bn.G1.G, bt)
  140. g2bt := Utils.Bn.G2.MulScalar(Utils.Bn.G2.G, bt)
  141. // G1.BACGamma: {( βui(x)+αvi(x)+wi(x) ) / δ } from l+1 to m in G1
  142. setup.Pk.G1.BACGamma = append(setup.Pk.G1.BACGamma, g1bt)
  143. // G2.BACGamma: {( βui(x)+αvi(x)+wi(x) ) / δ } from l+1 to m in G2
  144. setup.Pk.G2.BACGamma = append(setup.Pk.G2.BACGamma, g2bt)
  145. }
  147. zero3 := [3]*big.Int{Utils.Bn.G1.F.Zero(), Utils.Bn.G1.F.Zero(), Utils.Bn.G1.F.Zero()}
  148. for i := 0; i < cir.NPublic+1; i++ {
  149. setup.Pk.BACDelta = append(setup.Pk.BACDelta, zero3)
  150. }
  151. for i := cir.NPublic + 1; i < cir.NVars; i++ {
  152. // TODO calculate all at, bt, ct outside, to avoid repeating calculations
  153. at := Utils.PF.Eval(alphas[i], setup.Toxic.T)
  154. bt := Utils.PF.Eval(betas[i], setup.Toxic.T)
  155. ct := Utils.PF.Eval(gammas[i], setup.Toxic.T)
  156. c := Utils.FqR.Mul(
  157. invDelta,
  158. Utils.FqR.Add(
  159. Utils.FqR.Add(
  160. Utils.FqR.Mul(at, setup.Toxic.Kbeta),
  161. Utils.FqR.Mul(bt, setup.Toxic.Kalpha),
  162. ),
  163. ct,
  164. ),
  165. )
  166. g1c := Utils.Bn.G1.MulScalar(Utils.Bn.G1.G, c)
  168. // Pk.BACDelta: {( βui(x)+αvi(x)+wi(x) ) / γ } from 0 to l
  169. setup.Pk.BACDelta = append(setup.Pk.BACDelta, g1c)
  170. }
  172. for i := 0; i <= cir.NPublic; i++ {
  173. at := Utils.PF.Eval(alphas[i], setup.Toxic.T)
  174. bt := Utils.PF.Eval(betas[i], setup.Toxic.T)
  175. ct := Utils.PF.Eval(gammas[i], setup.Toxic.T)
  176. ic := Utils.FqR.Mul(
  177. Utils.FqR.Inverse(setup.Toxic.Kgamma),
  178. Utils.FqR.Add(
  179. Utils.FqR.Add(
  180. Utils.FqR.Mul(at, setup.Toxic.Kbeta),
  181. Utils.FqR.Mul(bt, setup.Toxic.Kalpha),
  182. ),
  183. ct,
  184. ),
  185. )
  186. g1ic := Utils.Bn.G1.MulScalar(Utils.Bn.G1.G, ic)
  187. // used in verifier
  188. setup.Vk.IC = append(setup.Vk.IC, g1ic)
  189. }
  191. return nil
  192. }
  194. // Generate generates Pinocchio proof
  195. func (setup Groth16Setup) Generate(cir *circuit.Circuit, w []*big.Int, px []*big.Int) (Proof, error) {
  196. proof := &Groth16Proof{}
  197. proof.PiA = [3]*big.Int{Utils.Bn.G1.F.Zero(), Utils.Bn.G1.F.Zero(), Utils.Bn.G1.F.Zero()}
  198. proof.PiB = Utils.Bn.Fq6.Zero()
  199. proof.PiC = [3]*big.Int{Utils.Bn.G1.F.Zero(), Utils.Bn.G1.F.Zero(), Utils.Bn.G1.F.Zero()}
  201. r, err := Utils.FqR.Rand()
  202. if err != nil {
  203. return &Groth16Proof{}, err
  204. }
  205. s, err := Utils.FqR.Rand()
  206. if err != nil {
  207. return &Groth16Proof{}, err
  208. }
  210. // piBG1 will hold all the same than proof.PiB but in G1 curve
  211. piBG1 := [3]*big.Int{Utils.Bn.G1.F.Zero(), Utils.Bn.G1.F.Zero(), Utils.Bn.G1.F.Zero()}
  213. for i := 0; i < cir.NVars; i++ {
  214. proof.PiA = Utils.Bn.G1.Add(proof.PiA, Utils.Bn.G1.MulScalar(setup.Pk.G1.At[i], w[i]))
  215. piBG1 = Utils.Bn.G1.Add(piBG1, Utils.Bn.G1.MulScalar(setup.Pk.G1.BACGamma[i], w[i]))
  216. proof.PiB = Utils.Bn.G2.Add(proof.PiB, Utils.Bn.G2.MulScalar(setup.Pk.G2.BACGamma[i], w[i]))
  217. }
  218. for i := cir.NPublic + 1; i < cir.NVars; i++ {
  219. proof.PiC = Utils.Bn.G1.Add(proof.PiC, Utils.Bn.G1.MulScalar(setup.Pk.BACDelta[i], w[i]))
  220. }
  222. // piA = (Σ from 0 to m (pk.A * w[i])) + pk.Alpha1 + r * δ
  223. proof.PiA = Utils.Bn.G1.Add(proof.PiA, setup.Pk.G1.Alpha)
  224. deltaR := Utils.Bn.G1.MulScalar(setup.Pk.G1.Delta, r)
  225. proof.PiA = Utils.Bn.G1.Add(proof.PiA, deltaR)
  227. // piBG1 = (Σ from 0 to m (pk.B1 * w[i])) + pk.g1.Beta + s * δ
  228. // piB = piB2 = (Σ from 0 to m (pk.B2 * w[i])) + pk.g2.Beta + s * δ
  229. piBG1 = Utils.Bn.G1.Add(piBG1, setup.Pk.G1.Beta)
  230. proof.PiB = Utils.Bn.G2.Add(proof.PiB, setup.Pk.G2.Beta)
  231. deltaSG1 := Utils.Bn.G1.MulScalar(setup.Pk.G1.Delta, s)
  232. piBG1 = Utils.Bn.G1.Add(piBG1, deltaSG1)
  233. deltaSG2 := Utils.Bn.G2.MulScalar(setup.Pk.G2.Delta, s)
  234. proof.PiB = Utils.Bn.G2.Add(proof.PiB, deltaSG2)
  236. hx := Utils.PF.DivisorPolynomial(px, setup.Pk.Z) // maybe move this calculation to a previous step
  238. // piC = (Σ from l+1 to m (w[i] * (pk.g1.Beta + pk.g1.Alpha + pk.C)) + h(tau)) / δ) + piA*s + r*piB - r*s*δ
  239. for i := 0; i < len(hx); i++ {
  240. proof.PiC = Utils.Bn.G1.Add(proof.PiC, Utils.Bn.G1.MulScalar(setup.Pk.PowersTauDelta[i], hx[i]))
  241. }
  242. proof.PiC = Utils.Bn.G1.Add(proof.PiC, Utils.Bn.G1.MulScalar(proof.PiA, s))
  243. proof.PiC = Utils.Bn.G1.Add(proof.PiC, Utils.Bn.G1.MulScalar(piBG1, r))
  244. negRS := Utils.FqR.Neg(Utils.FqR.Mul(r, s))
  245. proof.PiC = Utils.Bn.G1.Add(proof.PiC, Utils.Bn.G1.MulScalar(setup.Pk.G1.Delta, negRS))
  247. return proof, nil
  248. }
  250. // Verify verifies over the BN128 the Pairings of the Proof
  251. func (setup Groth16Setup) Verify(proof Proof, publicSignals []*big.Int) (bool, error) {
  252. pproof, ok := proof.(*Groth16Proof)
  253. if !ok {
  254. return false, fmt.Errorf("bad proof type")
  255. }
  257. icPubl := setup.Vk.IC[0]
  258. for i := 0; i < len(publicSignals); i++ {
  259. icPubl = Utils.Bn.G1.Add(icPubl, Utils.Bn.G1.MulScalar(setup.Vk.IC[i+1], publicSignals[i]))
  260. }
  262. if !Utils.Bn.Fq12.Equal(
  263. Utils.Bn.Pairing(pproof.PiA, pproof.PiB),
  264. Utils.Bn.Fq12.Mul(
  265. Utils.Bn.Pairing(setup.Vk.G1.Alpha, setup.Vk.G2.Beta),
  266. Utils.Bn.Fq12.Mul(
  267. Utils.Bn.Pairing(icPubl, setup.Vk.G2.Gamma),
  268. Utils.Bn.Pairing(pproof.PiC, setup.Vk.G2.Delta),
  269. ),
  270. )) {
  271. return false, nil
  272. }
  274. return true, nil
  275. }