arnaucube/nova-study
1
0
Fork 0
mirror of https://github.com/arnaucube/nova-study.git synced 2026-01-09 23:51:29 +01:00
Code Issues Projects Releases Wiki Activity

change C from AffineRepr to CurveGroup, use MNT4,6 for tests, other minor changes

Browse Source
This commit is contained in:
arnaucube
2023-04-29 01:03:38 +02:00
parent 590512de0c
commit 5aef5239f4
4 changed files with 120 additions and 117 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
Cargo.toml
View File

@@ -15,7 +15,7 @@ ark-serialize = { version = "0.4.0", default-features = false, features = [ "der
rand = { version = "0.8", features = [ "std", "std_rng" ] } rand = { version = "0.8", features = [ "std", "std_rng" ] }
merlin = { version = "3.0.0" } merlin = { version = "3.0.0" }
ark-crypto-primitives = { version = "^0.4.0", default-features = true, features = [ "r1cs", "snark" ] } ark-crypto-primitives = { version = "^0.4.0", default-features = false, features = [ "r1cs", "snark"] }
ark-r1cs-std = { version = "^0.4.0", default-features = false } ark-r1cs-std = { version = "^0.4.0", default-features = false }
ark-relations = { version = "^0.4.0", default-features = false } ark-relations = { version = "^0.4.0", default-features = false }
ark-snark = { version = "^0.4.0", default-features = false } ark-snark = { version = "^0.4.0", default-features = false }
@@ -24,4 +24,6 @@ tracing-subscriber = { version = "0.2" }
derivative = { version = "2.0", features = ["use_core"] } derivative = { version = "2.0", features = ["use_core"] }
[dev-dependencies] [dev-dependencies]
ark-bn254 = { version = "0.4.0", default-features = false, features=["curve"] } ark-mnt4-298 = { version = "0.4.0", default-features = false, features=["curve", "r1cs"] }
ark-mnt6-298 = { version = "0.4.0", default-features = false, features=["r1cs"] }
ark-ed-on-mnt4-298 = { version = "0.4.0", default-features = false, features=["r1cs"] }

190
src/nifs.rs
View File

@@ -1,4 +1,5 @@
use ark_ec::AffineRepr; // use ark_ec::AffineRepr;
use ark_ec::CurveGroup;
use ark_ff::fields::PrimeField; use ark_ff::fields::PrimeField;
use ark_std::{ use ark_std::{
rand::{Rng, RngCore}, rand::{Rng, RngCore},
@@ -18,22 +19,23 @@ pub struct R1CS<F: PrimeField> {
} }
// Phi: φ in the paper (later 𝖴), a folded instance // Phi: φ in the paper (later 𝖴), a folded instance
pub struct Phi<C: AffineRepr> { #[derive(Clone, Debug)]
cmE: Commitment<C>, pub struct Phi<C: CurveGroup> {
u: C::ScalarField, pub cmE: Commitment<C>,
cmW: Commitment<C>, pub u: C::ScalarField,
x: Vec<C::ScalarField>, pub cmW: Commitment<C>,
pub x: C::ScalarField,
} }
// FWit: Folded Witness // FWit: Folded Witness
pub struct FWit<C: AffineRepr> { pub struct FWit<C: CurveGroup> {
E: Vec<C::ScalarField>, E: Vec<C::ScalarField>,
rE: C::ScalarField, rE: C::ScalarField,
W: Vec<C::ScalarField>, W: Vec<C::ScalarField>,
rW: C::ScalarField, rW: C::ScalarField,
} }
impl<C: AffineRepr> FWit<C> { impl<C: CurveGroup> FWit<C> {
pub fn new(z: Vec<C::ScalarField>, e_len: usize) -> Self { pub fn new(z: Vec<C::ScalarField>, e_len: usize) -> Self {
FWit::<C> { FWit::<C> {
E: vec![C::ScalarField::zero(); e_len], E: vec![C::ScalarField::zero(); e_len],
@@ -49,16 +51,16 @@ impl<C: AffineRepr> FWit<C> {
cmE, cmE,
u: C::ScalarField::one(), u: C::ScalarField::one(),
cmW, cmW,
x: self.W.clone(), x: self.W[0].clone(), // TODO WIP review
} }
} }
} }
pub struct NIFS<C: AffineRepr> { pub struct NIFS<C: CurveGroup> {
_phantom: PhantomData<C>, _phantom: PhantomData<C>,
} }
impl<C: AffineRepr> NIFS<C> { impl<C: CurveGroup> NIFS<C> {
// comp_T: compute cross-terms T // comp_T: compute cross-terms T
pub fn comp_T( pub fn comp_T(
r1cs: &R1CS<C::ScalarField>, r1cs: &R1CS<C::ScalarField>,
@@ -123,13 +125,13 @@ impl<C: AffineRepr> NIFS<C> {
let cmE = phi1.cmE.0 + cmT.0.mul(r) + phi2.cmE.0.mul(r2); let cmE = phi1.cmE.0 + cmT.0.mul(r) + phi2.cmE.0.mul(r2);
let u = phi1.u + r * phi2.u; let u = phi1.u + r * phi2.u;
let cmW = phi1.cmW.0 + phi2.cmW.0.mul(r); let cmW = phi1.cmW.0 + phi2.cmW.0.mul(r);
let x = vec_add(&phi1.x, &vector_elem_product(&phi2.x, &r)); // let x = vec_add(&phi1.x, &vector_elem_product(&phi2.x, &r));
// let x = rlin(phi1.x, phi2.x, r); let x = phi1.x + r * phi2.x;
Phi::<C> { Phi::<C> {
cmE: Commitment(cmE.into()), cmE: Commitment(cmE),
u, u,
cmW: Commitment(cmW.into()), cmW: Commitment(cmW),
x, x,
} }
} }
@@ -174,16 +176,17 @@ impl<C: AffineRepr> NIFS<C> {
cmT: &Commitment<C>, cmT: &Commitment<C>,
) -> bool { ) -> bool {
let r2 = r * r; let r2 = r * r;
if phi3.cmE.0 != (phi1.cmE.0 + cmT.0.mul(r) + phi2.cmE.0.mul(r2)).into() { if phi3.cmE.0 != (phi1.cmE.0 + cmT.0.mul(r) + phi2.cmE.0.mul(r2)) {
return false; return false;
} }
if phi3.u != phi1.u + r * phi2.u { if phi3.u != phi1.u + r * phi2.u {
return false; return false;
} }
if phi3.cmW.0 != (phi1.cmW.0 + phi2.cmW.0.mul(r)).into() { if phi3.cmW.0 != (phi1.cmW.0 + phi2.cmW.0.mul(r)) {
return false; return false;
} }
if phi3.x != vec_add(&phi1.x, &vector_elem_product(&phi2.x, &r)) { // if phi3.x != vec_add(&phi1.x, &vector_elem_product(&phi2.x, &r)) {
if phi3.x != phi1.x + r * phi2.x {
return false; return false;
} }
true true
@@ -225,12 +228,53 @@ impl<C: AffineRepr> NIFS<C> {
} }
} }
// only for tests across different files
pub fn gen_test_values<R: Rng, F: PrimeField>(
rng: &mut R,
) -> (R1CS<F>, Vec<F>, Vec<F>, Vec<F>, Vec<F>, Vec<F>, Vec<F>) {
// R1CS for: x^3 + x + 5 = y (example from article
// https://www.vitalik.ca/general/2016/12/10/qap.html )
let A = to_F_matrix::<F>(vec![
vec![0, 1, 0, 0, 0, 0],
vec![0, 0, 0, 1, 0, 0],
vec![0, 1, 0, 0, 1, 0],
vec![5, 0, 0, 0, 0, 1],
]);
let B = to_F_matrix::<F>(vec![
vec![0, 1, 0, 0, 0, 0],
vec![0, 1, 0, 0, 0, 0],
vec![1, 0, 0, 0, 0, 0],
vec![1, 0, 0, 0, 0, 0],
]);
let C = to_F_matrix::<F>(vec![
vec![0, 0, 0, 1, 0, 0],
vec![0, 0, 0, 0, 1, 0],
vec![0, 0, 0, 0, 0, 1],
vec![0, 0, 1, 0, 0, 0],
]);
// TODO in the future update this method to generate witness, and generate n witnesses
// instances, x: pub
let w1 = to_F_vec::<F>(vec![1, 3, 35, 9, 27, 30]);
let x1 = to_F_vec::<F>(vec![35]);
let w2 = to_F_vec::<F>(vec![1, 4, 73, 16, 64, 68]);
let x2 = to_F_vec::<F>(vec![73]);
let w3 = to_F_vec::<F>(vec![1, 5, 135, 25, 125, 130]);
let x3 = to_F_vec::<F>(vec![135]);
let r1cs = R1CS::<F> {
A: A.clone(),
B: B.clone(),
C: C.clone(),
};
(r1cs, w1, w2, w3, x1, x2, x3)
}
#[cfg(test)] #[cfg(test)]
mod tests { mod tests {
use super::*; use super::*;
use crate::pedersen::Pedersen; use crate::pedersen::Pedersen;
use ark_bn254::{g1::G1Affine, Fr};
use ark_ec::CurveGroup; use ark_ec::CurveGroup;
use ark_mnt4_298::{Fr, G1Projective};
use ark_std::{ use ark_std::{
rand::{Rng, RngCore}, rand::{Rng, RngCore},
UniformRand, UniformRand,
@@ -238,81 +282,33 @@ mod tests {
use ark_std::{One, Zero}; use ark_std::{One, Zero};
use std::ops::Mul; use std::ops::Mul;
fn gen_test_values<R: Rng>(
rng: &mut R,
) -> (
R1CS<Fr>,
Vec<Fr>,
Vec<Fr>,
Vec<Fr>,
Vec<Fr>,
Vec<Fr>,
Vec<Fr>,
) {
// R1CS for: x^3 + x + 5 = y (example from article
// https://www.vitalik.ca/general/2016/12/10/qap.html )
let A = to_F_matrix::<Fr>(vec![
vec![0, 1, 0, 0, 0, 0],
vec![0, 0, 0, 1, 0, 0],
vec![0, 1, 0, 0, 1, 0],
vec![5, 0, 0, 0, 0, 1],
]);
let B = to_F_matrix::<Fr>(vec![
vec![0, 1, 0, 0, 0, 0],
vec![0, 1, 0, 0, 0, 0],
vec![1, 0, 0, 0, 0, 0],
vec![1, 0, 0, 0, 0, 0],
]);
let C = to_F_matrix::<Fr>(vec![
vec![0, 0, 0, 1, 0, 0],
vec![0, 0, 0, 0, 1, 0],
vec![0, 0, 0, 0, 0, 1],
vec![0, 0, 1, 0, 0, 0],
]);
// TODO in the future update this method to generate witness, and generate n witnesses
// instances, x: pub
let w1 = to_F_vec::<Fr>(vec![1, 3, 35, 9, 27, 30]);
let x1 = to_F_vec::<Fr>(vec![35]);
let w2 = to_F_vec::<Fr>(vec![1, 4, 73, 16, 64, 68]);
let x2 = to_F_vec::<Fr>(vec![73]);
let w3 = to_F_vec::<Fr>(vec![1, 5, 135, 25, 125, 130]);
let x3 = to_F_vec::<Fr>(vec![135]);
let r1cs = R1CS::<Fr> {
A: A.clone(),
B: B.clone(),
C: C.clone(),
};
(r1cs, w1, w2, w3, x1, x2, x3)
}
// fold 2 instances into one // fold 2 instances into one
#[test] #[test]
fn test_one_fold() { fn test_one_fold() {
let mut rng = ark_std::test_rng(); let mut rng = ark_std::test_rng();
let pedersen_params = Pedersen::<G1Affine>::new_params(&mut rng, 100); // 100 is wip, will get it from actual vec let pedersen_params = Pedersen::<G1Projective>::new_params(&mut rng, 100); // 100 is wip, will get it from actual vec
let (r1cs, w1, w2, _, x1, x2, _) = gen_test_values(&mut rng); let (r1cs, w1, w2, _, x1, x2, _) = gen_test_values(&mut rng);
let (A, B, C) = (r1cs.A.clone(), r1cs.B.clone(), r1cs.C.clone()); let (A, B, C) = (r1cs.A.clone(), r1cs.B.clone(), r1cs.C.clone());
let r = Fr::rand(&mut rng); // this would come from the transcript let r = Fr::rand(&mut rng); // this would come from the transcript
let fw1 = FWit::<G1Affine>::new(w1.clone(), A.len()); let fw1 = FWit::<G1Projective>::new(w1.clone(), A.len());
let fw2 = FWit::<G1Affine>::new(w2.clone(), A.len()); let fw2 = FWit::<G1Projective>::new(w2.clone(), A.len());
// get committed instances // get committed instances
let phi1 = fw1.commit(&pedersen_params); // wip let phi1 = fw1.commit(&pedersen_params); // wip
let phi2 = fw2.commit(&pedersen_params); let phi2 = fw2.commit(&pedersen_params);
let T = NIFS::<G1Affine>::comp_T(&r1cs, phi1.u, phi2.u, &w1, &w2); let T = NIFS::<G1Projective>::comp_T(&r1cs, phi1.u, phi2.u, &w1, &w2);
let rT: Fr = Fr::rand(&mut rng); let rT: Fr = Fr::rand(&mut rng);
let cmT = Pedersen::commit(&pedersen_params, &T, &rT); let cmT = Pedersen::commit(&pedersen_params, &T, &rT);
// fold witness // fold witness
let fw3 = NIFS::<G1Affine>::fold_witness(r, &fw1, &fw2, &T, rT); let fw3 = NIFS::<G1Projective>::fold_witness(r, &fw1, &fw2, &T, rT);
// fold instance // fold instance
let phi3 = NIFS::<G1Affine>::fold_instance(r, &phi1, &phi2, &cmT); let phi3 = NIFS::<G1Projective>::fold_instance(r, &phi1, &phi2, &cmT);
// naive check that the folded witness satisfies the relaxed r1cs // naive check that the folded witness satisfies the relaxed r1cs
let Az = matrix_vector_product(&A, &fw3.W); let Az = matrix_vector_product(&A, &fw3.W);
@@ -330,7 +326,7 @@ mod tests {
assert_eq!(phi3_expected.cmW.0, phi3.cmW.0); assert_eq!(phi3_expected.cmW.0, phi3.cmW.0);
// NIFS.Verify: // NIFS.Verify:
assert!(NIFS::<G1Affine>::verify(r, &phi1, &phi2, &phi3, &cmT)); assert!(NIFS::<G1Projective>::verify(r, &phi1, &phi2, &phi3, &cmT));
// init Prover's transcript // init Prover's transcript
let mut transcript_p: Transcript<Fr> = Transcript::<Fr>::new(); let mut transcript_p: Transcript<Fr> = Transcript::<Fr>::new();
@@ -338,7 +334,7 @@ mod tests {
let mut transcript_v: Transcript<Fr> = Transcript::<Fr>::new(); let mut transcript_v: Transcript<Fr> = Transcript::<Fr>::new();
// check openings of phi3.cmE, phi3.cmW and cmT // check openings of phi3.cmE, phi3.cmW and cmT
let (cmE_proof, cmW_proof, cmT_proof) = NIFS::<G1Affine>::open_commitments( let (cmE_proof, cmW_proof, cmT_proof) = NIFS::<G1Projective>::open_commitments(
&mut transcript_p, &mut transcript_p,
&pedersen_params, &pedersen_params,
&fw3, &fw3,
@@ -347,7 +343,7 @@ mod tests {
rT, rT,
&cmT, &cmT,
); );
let v = NIFS::<G1Affine>::verify_commitments( let v = NIFS::<G1Projective>::verify_commitments(
&mut transcript_v, &mut transcript_v,
&pedersen_params, &pedersen_params,
phi3, phi3,
@@ -362,41 +358,43 @@ mod tests {
#[test] #[test]
fn test_two_fold() { fn test_two_fold() {
let mut rng = ark_std::test_rng(); let mut rng = ark_std::test_rng();
let pedersen_params = Pedersen::<G1Affine>::new_params(&mut rng, 6); let pedersen_params = Pedersen::<G1Projective>::new_params(&mut rng, 6);
let (r1cs, w1, w2, w3, x1, x2, x3) = gen_test_values(&mut rng); let (r1cs, w1, w2, w3, x1, x2, x3) = gen_test_values(&mut rng);
let u1: Fr = Fr::one(); let u1: Fr = Fr::one();
let u2: Fr = Fr::one(); let u2: Fr = Fr::one();
let T_12 = NIFS::<G1Affine>::comp_T(&r1cs, u1, u2, &w1, &w2); let T_12 = NIFS::<G1Projective>::comp_T(&r1cs, u1, u2, &w1, &w2);
let rT_12: Fr = Fr::rand(&mut rng); let rT_12: Fr = Fr::rand(&mut rng);
let cmT_12 = Pedersen::commit(&pedersen_params, &T_12, &rT_12); let cmT_12 = Pedersen::commit(&pedersen_params, &T_12, &rT_12);
let r = Fr::rand(&mut rng); // this would come from the transcript let r = Fr::rand(&mut rng); // this would come from the transcript
let fw1 = FWit::<G1Affine>::new(w1, T_12.len()); let fw1 = FWit::<G1Projective>::new(w1, T_12.len());
let fw2 = FWit::<G1Affine>::new(w2, T_12.len()); let fw2 = FWit::<G1Projective>::new(w2, T_12.len());
// fold witness // fold witness
let fw_12 = NIFS::<G1Affine>::fold_witness(r, &fw1, &fw2, &T_12, rT_12); let fw_12 = NIFS::<G1Projective>::fold_witness(r, &fw1, &fw2, &T_12, rT_12);
// get committed instances // get committed instances
let phi1 = fw1.commit(&pedersen_params); // wip let phi1 = fw1.commit(&pedersen_params); // wip
let phi2 = fw2.commit(&pedersen_params); let phi2 = fw2.commit(&pedersen_params);
// fold instance // fold instance
let phi_12 = NIFS::<G1Affine>::fold_instance(r, &phi1, &phi2, &cmT_12); let phi_12 = NIFS::<G1Projective>::fold_instance(r, &phi1, &phi2, &cmT_12);
// NIFS.Verify: // NIFS.Verify:
assert!(NIFS::<G1Affine>::verify(r, &phi1, &phi2, &phi_12, &cmT_12)); assert!(NIFS::<G1Projective>::verify(
r, &phi1, &phi2, &phi_12, &cmT_12
));
//---- //----
// 2nd fold // 2nd fold
let fw3 = FWit::<G1Affine>::new(w3, r1cs.A.len()); let fw3 = FWit::<G1Projective>::new(w3, r1cs.A.len());
// compute cross terms // compute cross terms
let T_123 = NIFS::<G1Affine>::comp_T(&r1cs, phi_12.u, Fr::one(), &fw_12.W, &fw3.W); let T_123 = NIFS::<G1Projective>::comp_T(&r1cs, phi_12.u, Fr::one(), &fw_12.W, &fw3.W);
let rT_123: Fr = Fr::rand(&mut rng); let rT_123: Fr = Fr::rand(&mut rng);
let cmT_123 = Pedersen::commit(&pedersen_params, &T_123, &rT_123); let cmT_123 = Pedersen::commit(&pedersen_params, &T_123, &rT_123);
@@ -404,7 +402,7 @@ mod tests {
let r = Fr::rand(&mut rng); // this would come from the transcript let r = Fr::rand(&mut rng); // this would come from the transcript
// fold witness // fold witness
let fw_123 = NIFS::<G1Affine>::fold_witness(r, &fw_12, &fw3, &T_123, rT_123); let fw_123 = NIFS::<G1Projective>::fold_witness(r, &fw_12, &fw3, &T_123, rT_123);
// get committed instances // get committed instances
// phi_12 is already known for Verifier from folding phi1, phi2 // phi_12 is already known for Verifier from folding phi1, phi2
@@ -412,10 +410,10 @@ mod tests {
let phi3 = fw3.commit(&pedersen_params); let phi3 = fw3.commit(&pedersen_params);
// fold instance // fold instance
let phi_123 = NIFS::<G1Affine>::fold_instance(r, &phi_12, &phi3, &cmT_123); let phi_123 = NIFS::<G1Projective>::fold_instance(r, &phi_12, &phi3, &cmT_123);
// NIFS.Verify: // NIFS.Verify:
assert!(NIFS::<G1Affine>::verify( assert!(NIFS::<G1Projective>::verify(
r, &phi_12, &phi3, &phi_123, &cmT_123 r, &phi_12, &phi3, &phi_123, &cmT_123
)); ));
@@ -440,7 +438,7 @@ mod tests {
let mut transcript_v: Transcript<Fr> = Transcript::<Fr>::new(); let mut transcript_v: Transcript<Fr> = Transcript::<Fr>::new();
// check openings of phi_123.cmE, phi_123.cmW and cmT_123 // check openings of phi_123.cmE, phi_123.cmW and cmT_123
let (cmE_proof, cmW_proof, cmT_proof) = NIFS::<G1Affine>::open_commitments( let (cmE_proof, cmW_proof, cmT_proof) = NIFS::<G1Projective>::open_commitments(
&mut transcript_p, &mut transcript_p,
&pedersen_params, &pedersen_params,
&fw_123, &fw_123,
@@ -449,7 +447,7 @@ mod tests {
rT_123, rT_123,
&cmT_123, &cmT_123,
); );
let v = NIFS::<G1Affine>::verify_commitments( let v = NIFS::<G1Projective>::verify_commitments(
&mut transcript_v, &mut transcript_v,
&pedersen_params, &pedersen_params,
phi_123, phi_123,
@@ -464,29 +462,29 @@ mod tests {
#[test] #[test]
fn test_nifs_interface() { fn test_nifs_interface() {
let mut rng = ark_std::test_rng(); let mut rng = ark_std::test_rng();
let pedersen_params = Pedersen::<G1Affine>::new_params(&mut rng, 100); // 100 is wip, will get it from actual vec let pedersen_params = Pedersen::<G1Projective>::new_params(&mut rng, 100); // 100 is wip, will get it from actual vec
let (r1cs, w1, w2, _, x1, x2, _) = gen_test_values(&mut rng); let (r1cs, w1, w2, _, x1, x2, _) = gen_test_values(&mut rng);
let (A, B, C) = (r1cs.A.clone(), r1cs.B.clone(), r1cs.C.clone()); let (A, B, C) = (r1cs.A.clone(), r1cs.B.clone(), r1cs.C.clone());
let r = Fr::rand(&mut rng); // this would come from the transcript let r = Fr::rand(&mut rng); // this would come from the transcript
let fw1 = FWit::<G1Affine>::new(w1.clone(), A.len()); let fw1 = FWit::<G1Projective>::new(w1.clone(), A.len());
let fw2 = FWit::<G1Affine>::new(w2.clone(), A.len()); let fw2 = FWit::<G1Projective>::new(w2.clone(), A.len());
// init Prover's transcript // init Prover's transcript
let mut transcript_p: Transcript<Fr> = Transcript::<Fr>::new(); let mut transcript_p: Transcript<Fr> = Transcript::<Fr>::new();
// NIFS.P // NIFS.P
let (fw3, phi1, phi2, T, cmT) = let (fw3, phi1, phi2, T, cmT) =
NIFS::<G1Affine>::P(&mut transcript_p, &pedersen_params, r, &r1cs, fw1, fw2); NIFS::<G1Projective>::P(&mut transcript_p, &pedersen_params, r, &r1cs, fw1, fw2);
// init Verifier's transcript // init Verifier's transcript
let mut transcript_v: Transcript<Fr> = Transcript::<Fr>::new(); let mut transcript_v: Transcript<Fr> = Transcript::<Fr>::new();
// NIFS.V // NIFS.V
let phi3 = NIFS::<G1Affine>::V(r, &phi1, &phi2, &cmT); let phi3 = NIFS::<G1Projective>::V(r, &phi1, &phi2, &cmT);
assert!(NIFS::<G1Affine>::verify(r, &phi1, &phi2, &phi3, &cmT)); assert!(NIFS::<G1Projective>::verify(r, &phi1, &phi2, &phi3, &cmT));
} }
} }

34
src/pedersen.rs
View File

@@ -1,4 +1,5 @@
use ark_ec::AffineRepr; use ark_ec::AffineRepr;
use ark_ec::CurveGroup;
use ark_std::{ use ark_std::{
rand::{Rng, RngCore}, rand::{Rng, RngCore},
UniformRand, UniformRand,
@@ -8,35 +9,35 @@ use std::marker::PhantomData;
use crate::transcript::Transcript; use crate::transcript::Transcript;
use crate::utils::{naive_msm, vec_add, vector_elem_product}; use crate::utils::{naive_msm, vec_add, vector_elem_product};
pub struct Proof_elem<C: AffineRepr> { pub struct Proof_elem<C: CurveGroup> {
R: C, R: C,
t1: C::ScalarField, t1: C::ScalarField,
t2: C::ScalarField, t2: C::ScalarField,
} }
pub struct Proof<C: AffineRepr> { pub struct Proof<C: CurveGroup> {
R: C, R: C,
u_: Vec<C::ScalarField>, u_: Vec<C::ScalarField>,
ru_: C::ScalarField, ru_: C::ScalarField,
} }
pub struct Params<C: AffineRepr> { pub struct Params<C: CurveGroup> {
g: C, g: C,
h: C, h: C,
pub generators: Vec<C>, pub generators: Vec<C>,
} }
pub struct Pedersen<C: AffineRepr> { pub struct Pedersen<C: CurveGroup> {
_phantom: PhantomData<C>, _phantom: PhantomData<C>,
} }
impl<C: AffineRepr> Pedersen<C> { impl<C: CurveGroup> Pedersen<C> {
pub fn new_params<R: Rng>(rng: &mut R, max: usize) -> Params<C> { pub fn new_params<R: Rng>(rng: &mut R, max: usize) -> Params<C> {
let h_scalar = C::ScalarField::rand(rng); let h_scalar = C::ScalarField::rand(rng);
let g: C = C::generator(); let g: C = C::generator();
let generators: Vec<C> = vec![C::rand(rng); max]; let generators: Vec<C> = vec![C::rand(rng); max];
let params: Params<C> = Params::<C> { let params: Params<C> = Params::<C> {
g, g,
h: g.mul(h_scalar).into(), h: g.mul(h_scalar),
generators, generators,
}; };
params params
@@ -48,7 +49,7 @@ impl<C: AffineRepr> Pedersen<C> {
v: &C::ScalarField, v: &C::ScalarField,
) -> CommitmentElem<C> { ) -> CommitmentElem<C> {
let r = C::ScalarField::rand(rng); let r = C::ScalarField::rand(rng);
let cm: C = (params.g.mul(v) + params.h.mul(r)).into(); let cm: C = (params.g.mul(v) + params.h.mul(r));
CommitmentElem::<C> { cm, r } CommitmentElem::<C> { cm, r }
} }
pub fn commit( pub fn commit(
@@ -57,7 +58,7 @@ impl<C: AffineRepr> Pedersen<C> {
r: &C::ScalarField, // random value is provided, in order to be choosen by other parts of the protocol r: &C::ScalarField, // random value is provided, in order to be choosen by other parts of the protocol
) -> Commitment<C> { ) -> Commitment<C> {
let cm = params.h.mul(r) + naive_msm(v, &params.generators); let cm = params.h.mul(r) + naive_msm(v, &params.generators);
Commitment::<C>(cm.into()) Commitment::<C>(cm)
} }
pub fn prove_elem( pub fn prove_elem(
@@ -70,7 +71,7 @@ impl<C: AffineRepr> Pedersen<C> {
let r1 = transcript.get_challenge(b"r_1"); let r1 = transcript.get_challenge(b"r_1");
let r2 = transcript.get_challenge(b"r_2"); let r2 = transcript.get_challenge(b"r_2");
let R: C = (params.g.mul(r1) + params.h.mul(r2)).into(); let R: C = (params.g.mul(r1) + params.h.mul(r2));
transcript.add(b"cm", &cm); transcript.add(b"cm", &cm);
transcript.add(b"R", &R); transcript.add(b"R", &R);
@@ -91,7 +92,7 @@ impl<C: AffineRepr> Pedersen<C> {
let r1 = transcript.get_challenge(b"r_1"); let r1 = transcript.get_challenge(b"r_1");
let d = transcript.get_challenge_vec(b"d", v.len()); let d = transcript.get_challenge_vec(b"d", v.len());
let R: C = (params.h.mul(r1) + naive_msm(&d, &params.generators)).into(); let R: C = params.h.mul(r1) + naive_msm(&d, &params.generators);
transcript.add(b"cm", &cm.0); transcript.add(b"cm", &cm.0);
transcript.add(b"R", &R); transcript.add(b"R", &R);
@@ -145,13 +146,14 @@ impl<C: AffineRepr> Pedersen<C> {
} }
} }
pub struct Commitment<C: AffineRepr>(pub C); #[derive(Clone, Debug)]
pub struct Commitment<C: CurveGroup>(pub C);
pub struct CommitmentElem<C: AffineRepr> { pub struct CommitmentElem<C: CurveGroup> {
pub cm: C, pub cm: C,
pub r: C::ScalarField, pub r: C::ScalarField,
} }
impl<C: AffineRepr> CommitmentElem<C> { impl<C: CurveGroup> CommitmentElem<C> {
pub fn prove( pub fn prove(
&self, &self,
params: &Params<C>, params: &Params<C>,
@@ -165,8 +167,8 @@ impl<C: AffineRepr> CommitmentElem<C> {
#[cfg(test)] #[cfg(test)]
mod tests { mod tests {
use super::*; use super::*;
use ark_bn254::{g1::G1Affine, Fr};
use ark_ec::CurveGroup; use ark_ec::CurveGroup;
use ark_mnt4_298::{Fr, G1Projective};
use std::ops::Mul; use std::ops::Mul;
#[test] #[test]
@@ -174,7 +176,7 @@ mod tests {
let mut rng = ark_std::test_rng(); let mut rng = ark_std::test_rng();
// setup params // setup params
let params = Pedersen::<G1Affine>::new_params( let params = Pedersen::<G1Projective>::new_params(
&mut rng, 0, /* 0, as here we don't use commit_vec */ &mut rng, 0, /* 0, as here we don't use commit_vec */
); );
@@ -198,7 +200,7 @@ mod tests {
const n: usize = 10; const n: usize = 10;
// setup params // setup params
let params = Pedersen::<G1Affine>::new_params(&mut rng, n); let params = Pedersen::<G1Projective>::new_params(&mut rng, n);
// init Prover's transcript // init Prover's transcript
let mut transcript_p: Transcript<Fr> = Transcript::<Fr>::new(); let mut transcript_p: Transcript<Fr> = Transcript::<Fr>::new();

7
src/utils.rs
View File

@@ -1,4 +1,5 @@
use ark_ec::AffineRepr; use ark_ec::AffineRepr;
use ark_ec::CurveGroup;
use ark_ff::fields::PrimeField; use ark_ff::fields::PrimeField;
use core::ops::{Add, Sub}; use core::ops::{Add, Sub};
use std::fmt; use std::fmt;
@@ -36,14 +37,14 @@ pub fn hadamard_product<F: PrimeField>(a: Vec<F>, b: Vec<F>) -> Vec<F> {
// vec_add(a, vector_elem_product(&b, &r)) // WIP probably group loops // vec_add(a, vector_elem_product(&b, &r)) // WIP probably group loops
// } // }
pub fn naive_msm<C: AffineRepr>(s: &Vec<C::ScalarField>, p: &Vec<C>) -> C { pub fn naive_msm<C: CurveGroup>(s: &Vec<C::ScalarField>, p: &Vec<C>) -> C {
// TODO check lengths, or at least check s.len()>= p.len() // TODO check lengths, or at least check s.len()>= p.len()
let mut r = p[0].mul(s[0]); let mut r = p[0].mul(s[0]);
for i in 1..s.len() { for i in 1..s.len() {
r = p[i].mul(s[i]); r = p[i].mul(s[i]);
} }
r.into() r
} }
pub fn vec_add<F: PrimeField>(a: &Vec<F>, b: &Vec<F>) -> Vec<F> { pub fn vec_add<F: PrimeField>(a: &Vec<F>, b: &Vec<F>) -> Vec<F> {
@@ -124,8 +125,8 @@ pub fn to_F_vec<F: PrimeField>(z: Vec<usize>) -> Vec<F> {
#[cfg(test)] #[cfg(test)]
mod tests { mod tests {
use super::*; use super::*;
use ark_bn254::{g1::G1Affine, Fr};
use ark_ec::CurveGroup; use ark_ec::CurveGroup;
use ark_mnt4_298::{g1::G1Affine, Fr};
use ark_std::{One, Zero}; use ark_std::{One, Zero};
use std::ops::Mul; use std::ops::Mul;