|
|
package kzg
import ( "fmt" "math/big"
bn256 "github.com/ethereum/go-ethereum/crypto/bn256/cloudflare")
// TrustedSetup also named Reference String
type TrustedSetup struct { Tau1 []*bn256.G1 Tau2 []*bn256.G2}
// NewTrustedSetup returns a new trusted setup. This step should be done in a
// secure & distributed way
func NewTrustedSetup(l int) (*TrustedSetup, error) { // compute random s
s, err := randBigInt() if err != nil { return nil, err }
// Notation: [x]₁=xG ∈ 𝔾₁, [x]₂=xH ∈ 𝔾₂
// τ₁: [x₀]₁, [x₁]₁, [x₂]₁, ..., [x n₋₁]₁
// τ₂: [x₀]₂, [x₁]₂, [x₂]₂, ..., [x n₋₁]₂
// sPow := make([]*big.Int, l)
tauG1 := make([]*bn256.G1, l) tauG2 := make([]*bn256.G2, l) for i := 0; i < l; i++ { sPow := fExp(s, big.NewInt(int64(i))) tauG1[i] = new(bn256.G1).ScalarBaseMult(sPow) tauG2[i] = new(bn256.G2).ScalarBaseMult(sPow) }
return &TrustedSetup{tauG1, tauG2}, nil}
// Commit generates the commitment to the polynomial p(x)
func Commit(ts *TrustedSetup, p []*big.Int) *bn256.G1 { c := evaluateG1(ts, p) return c}
func evaluateG1(ts *TrustedSetup, p []*big.Int) *bn256.G1 { c := new(bn256.G1).ScalarMult(ts.Tau1[0], p[0]) for i := 1; i < len(p); i++ { sp := new(bn256.G1).ScalarMult(ts.Tau1[i], p[i]) c = new(bn256.G1).Add(c, sp) } return c}
//nolint:deadcode,unused
func evaluateG2(ts *TrustedSetup, p []*big.Int) *bn256.G2 { c := new(bn256.G2).ScalarMult(ts.Tau2[0], p[0]) for i := 1; i < len(p); i++ { sp := new(bn256.G2).ScalarMult(ts.Tau2[i], p[i]) c = new(bn256.G2).Add(c, sp) } return c}
// EvaluationProof generates the evaluation proof
func EvaluationProof(ts *TrustedSetup, p []*big.Int, z, y *big.Int) (*bn256.G1, error) { n := polynomialSub(p, []*big.Int{y}) // p-y
// n := p // we can omit y (p(z))
d := []*big.Int{fNeg(z), big.NewInt(1)} // x-z
q, rem := polynomialDiv(n, d) if compareBigIntArray(rem, arrayOfZeroes(len(rem))) { return nil, fmt.Errorf("remainder should be 0, instead is %d", rem) }
// proof: e = [q(t)]₁
e := evaluateG1(ts, q) return e, nil}
// Verify computes the KZG commitment verification
func Verify(ts *TrustedSetup, c, proof *bn256.G1, z, y *big.Int) bool { s2 := ts.Tau2[1] // [t]₂ = sG ∈ 𝔾₂ = Tau2[1]
zG2Neg := new(bn256.G2).Neg( new(bn256.G2).ScalarBaseMult(z)) // [z]₂ = zG ∈ 𝔾₂
// [t]₂ - [z]₂
sz := new(bn256.G2).Add(s2, zG2Neg)
yG1Neg := new(bn256.G1).Neg( new(bn256.G1).ScalarBaseMult(y)) // [y]₁ = yG ∈ 𝔾₁
// c - [y]₁
cy := new(bn256.G1).Add(c, yG1Neg)
h := new(bn256.G2).ScalarBaseMult(big.NewInt(1)) // H ∈ 𝔾₂
// e(proof, [t]₂ - [z]₂) == e(c - [y]₁, H)
e1 := bn256.Pair(proof, sz) e2 := bn256.Pair(cy, h) return e1.String() == e2.String()}
//
// Batch proofs
//
// EvaluationBatchProof generates the evalutation proof for the given list of points
func EvaluationBatchProof(ts *TrustedSetup, p []*big.Int, zs, ys []*big.Int) (*bn256.G1, error) { if len(zs) != len(ys) { return nil, fmt.Errorf("len(zs)!=len(ys), %d!=%d", len(zs), len(ys)) } if len(p) <= len(zs)+1 { return nil, fmt.Errorf("polynomial p(x) can not be of degree"+ " equal or smaller than the number of given points+1."+ " Polynomial p(x) degree: %d, number of points: %d", len(p), len(zs)) }
// z(x) = (x-z0)(x-z1)...(x-zn)
z := zeroPolynomial(zs)
// I(x) = Lagrange interpolation through (z0, y0), (z1, y1), ...
i, err := LagrangeInterpolation(zs, ys) if err != nil { return nil, err }
// q(x) = ( p(x) - I(x) ) / z(x)
pMinusI := polynomialSub(p, i) q, rem := polynomialDiv(pMinusI, z) if compareBigIntArray(rem, arrayOfZeroes(len(rem))) { return nil, fmt.Errorf("remainder should be 0, instead is %d", rem) }
// proof: e = [q(t)]₁
e := evaluateG1(ts, q) return e, nil}
// VerifyBatchProof computes the KZG batch proof commitment verification
func VerifyBatchProof(ts *TrustedSetup, c, proof *bn256.G1, zs, ys []*big.Int) bool { // [z(s)]₂
z := zeroPolynomial(zs) zG2 := evaluateG2(ts, z) // [z(t)]₂ = z(t) G ∈ 𝔾₂
// I(x) = Lagrange interpolation through (z0, y0), (z1, y1), ...
i, err := LagrangeInterpolation(zs, ys) if err != nil { return false } // [i(t)]₁
iG1 := evaluateG1(ts, i) // [i(t)]₁ = i(t) G ∈ 𝔾₁
// c - [i(t)]₁
iG1Neg := new(bn256.G1).Neg(iG1) ciG1 := new(bn256.G1).Add(c, iG1Neg)
h := new(bn256.G2).ScalarBaseMult(big.NewInt(1)) // H ∈ 𝔾₂
// e(proof, [z(t)]₂) == e(c - [I(t)]₁, H)
e1 := bn256.Pair(proof, zG2) e2 := bn256.Pair(ciG1, h) return e1.String() == e2.String()}
|
