zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verifier.hpp
Go to the documentation of this file.
1 //---------------------------------------------------------------------------//
2 // Copyright (c) 2018-2021 Mikhail Komarov <nemo@nil.foundation>
3 // Copyright (c) 2020-2021 Nikita Kaskov <nbering@nil.foundation>
4 //
5 // MIT License
6 //
7 // Permission is hereby granted, free of charge, to any person obtaining a copy
8 // of this software and associated documentation files (the "Software"), to deal
9 // in the Software without restriction, including without limitation the rights
10 // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 // copies of the Software, and to permit persons to whom the Software is
12 // furnished to do so, subject to the following conditions:
13 //
14 // The above copyright notice and this permission notice shall be included in all
15 // copies or substantial portions of the Software.
16 //
17 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 // SOFTWARE.
24 //---------------------------------------------------------------------------//
25 
26 #ifndef CRYPTO3_ZK_R1CS_SE_PPZKSNARK_BASIC_VERIFIER_HPP
27 #define CRYPTO3_ZK_R1CS_SE_PPZKSNARK_BASIC_VERIFIER_HPP
28 
29 #ifdef MULTICORE
30 #include <omp.h>
31 #endif
32 
33 #include <nil/crypto3/algebra/multiexp/multiexp.hpp>
34 #include <nil/crypto3/algebra/multiexp/policies.hpp>
35 #include <nil/crypto3/algebra/algorithms/pair.hpp>
36 
37 #include <nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_se_ppzksnark/detail/basic_policy.hpp>
38 
39 namespace nil {
40  namespace crypto3 {
41  namespace zk {
42  namespace snark {
43 
47  template<typename CurveType>
48  class r1cs_se_ppzksnark_process_verification_key {
49  typedef detail::r1cs_se_ppzksnark_types_policy<CurveType> policy_type;
50 
51  public:
52  typedef typename policy_type::verification_key_type verification_key_type;
53  typedef typename policy_type::processed_verification_key_type processed_verification_key_type;
54 
55  static inline processed_verification_key_type
56  process(const verification_key_type &verification_key) {
57 
58  typename pairing::pairing_policy<CurveType>::g1_precomputed_type
59  G_alpha_pc = precompute_g1<CurveType>(verification_key.G_alpha);
60  typename pairing::pairing_policy<CurveType>::g2_precomputed_type
61  H_beta_pc = precompute_g2<CurveType>(verification_key.H_beta);
62 
63  processed_verification_key_type processed_verification_key;
64  processed_verification_key.G_alpha = verification_key.G_alpha;
65  processed_verification_key.H_beta = verification_key.H_beta;
66  processed_verification_key.G_alpha_H_beta_ml =
67  miller_loop<CurveType>(G_alpha_pc, H_beta_pc);
68  processed_verification_key.G_gamma_pc =
69  precompute_g1<CurveType>(verification_key.G_gamma);
70  processed_verification_key.H_gamma_pc =
71  precompute_g2<CurveType>(verification_key.H_gamma);
72  processed_verification_key.H_pc =
73  precompute_g2<CurveType>(verification_key.H);
74 
75  processed_verification_key.query = verification_key.query;
76 
77  return processed_verification_key;
78  }
79  };
80 
81  /*
82  Below are four variants of verifier algorithm for the R1CS SEppzkSNARK.
83 
84  These are the four cases that arise from the following two choices:
85 
86  (1) The verifier accepts a (non-processed) verification key or, instead, a processed
87  verification key. In the latter case, we call the algorithm an "online verifier".
88 
89  (2) The verifier checks for "weak" input consistency or, instead, "strong" input consistency.
90  Strong input consistency requires that |primary_input| = CS.num_inputs, whereas
91  weak input consistency requires that |primary_input| <= CS.num_inputs (and
92  the primary input is implicitly padded with zeros up to length CS.num_inputs).
93  */
94 
95  template<typename CurveType>
96  class r1cs_se_ppzksnark_verifier_weak_input_consistency {
97  typedef detail::r1cs_se_ppzksnark_types_policy<CurveType> policy_type;
98 
99  public:
100  typedef typename policy_type::primary_input_type primary_input_type;
101  typedef typename policy_type::verification_key_type verification_key_type;
102  typedef typename policy_type::processed_verification_key_type processed_verification_key_type;
103  typedef typename policy_type::proof_type proof_type;
104 
110  static inline bool process(const verification_key_type &vk,
111  const primary_input_type &primary_input,
112  const proof_type &proof) {
113  return process(
114  r1cs_se_ppzksnark_process_verification_key<CurveType>::process(vk), primary_input, proof);
115  }
116 
122  static inline bool process(const processed_verification_key_type &processed_verification_key,
123  const primary_input_type &primary_input,
124  const proof_type &proof) {
125 
126  bool result = true;
127 
128  if (!proof.is_well_formed()) {
129  result = false;
130  }
131 
132 #ifdef MULTICORE
133  const std::size_t chunks = omp_get_max_threads(); // to override, set OMP_NUM_THREADS env
134  // var or call omp_set_num_threads()
135 #else
136  const std::size_t chunks = 1;
137 #endif
138 
144  typename CurveType::template g1_type<>::value_type G_psi =
145  processed_verification_key.query[0] +
146  algebra::multiexp<algebra::policies::multiexp_method_bos_coster>(
147  processed_verification_key.query.begin() + 1, processed_verification_key.query.end(),
148  primary_input.begin(), primary_input.end(), chunks);
149 
150  typename CurveType::gt_type::value_type
151  test1_l = miller_loop<CurveType>(
152  precompute_g1<CurveType>(proof.A + processed_verification_key.G_alpha),
153  precompute_g2<CurveType>(proof.B + processed_verification_key.H_beta)),
154  test1_r1 = processed_verification_key.G_alpha_H_beta_ml,
155  test1_r2 = miller_loop<CurveType>(precompute_g1<CurveType>(G_psi),
156  processed_verification_key.H_gamma_pc),
157  test1_r3 = miller_loop<CurveType>(precompute_g1<CurveType>(proof.C),
158  processed_verification_key.H_pc);
159  typename CurveType::gt_type::value_type test1 = final_exponentiation<CurveType>(
160  test1_l.unitary_inversed() * test1_r1 * test1_r2 * test1_r3);
161 
162  if (test1 != CurveType::gt_type::value_type::one()) {
163  result = false;
164  }
165 
169  typename CurveType::gt_type::value_type test2_l = miller_loop<CurveType>(
170  precompute_g1<CurveType>(proof.A),
171  processed_verification_key.H_gamma_pc),
172  test2_r = miller_loop<CurveType>(
173  processed_verification_key.G_gamma_pc,
174  precompute_g2<CurveType>(proof.B));
175  typename CurveType::gt_type::value_type test2 =
176  final_exponentiation<CurveType>(test2_l * test2_r.unitary_inversed());
177 
178  if (test2 != CurveType::gt_type::value_type::one()) {
179  result = false;
180  }
181 
182  return result;
183  }
184  };
185 
186  template<typename CurveType>
187  class r1cs_se_ppzksnark_verifier_strong_input_consistency {
188  typedef detail::r1cs_se_ppzksnark_types_policy<CurveType> policy_type;
189 
190  public:
191  typedef typename policy_type::primary_input_type primary_input_type;
192  typedef typename policy_type::verification_key_type verification_key_type;
193  typedef typename policy_type::processed_verification_key_type processed_verification_key_type;
194  typedef typename policy_type::proof_type proof_type;
195 
201  static inline bool process(const verification_key_type &vk,
202  const primary_input_type &primary_input,
203  const proof_type &proof) {
204  return process(
205  r1cs_se_ppzksnark_process_verification_key<CurveType>::process(vk), primary_input, proof);
206  }
207 
213  static inline bool process(const processed_verification_key_type &pvk,
214  const primary_input_type &primary_input,
215  const proof_type &proof) {
216 
217  bool result = true;
218 
219  if (pvk.query.size() != primary_input.size() + 1) {
220  result = false;
221  } else {
222  result = r1cs_se_ppzksnark_verifier_weak_input_consistency<CurveType>::process(
223  pvk, primary_input, proof);
224  }
225 
226  return result;
227  }
228  };
229  } // namespace snark
230  } // namespace zk
231  } // namespace crypto3
232 } // namespace nil
233 
234 #endif // CRYPTO3_ZK_R1CS_SE_PPZKSNARK_BASIC_GENERATOR_HPP
nil::crypto3::zk::snark::proof
Definition: snark/proof.hpp:37
nil::crypto3::zk::snark::r1cs_se_ppzksnark_process_verification_key
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verifier.hpp:48
nil::crypto3::zk::snark::r1cs_se_ppzksnark_process_verification_key::verification_key_type
policy_type::verification_key_type verification_key_type
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verifier.hpp:52
nil::crypto3::zk::snark::r1cs_se_ppzksnark_process_verification_key::process
static processed_verification_key_type process(const verification_key_type &verification_key)
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verifier.hpp:56
nil::crypto3::zk::snark::r1cs_se_ppzksnark_process_verification_key::processed_verification_key_type
policy_type::processed_verification_key_type processed_verification_key_type
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verifier.hpp:53
nil::crypto3::zk::snark::r1cs_se_ppzksnark_proof
Definition: snark/systems/ppzksnark/r1cs_se_ppzksnark/proof.hpp:41
nil::crypto3::zk::snark::r1cs_se_ppzksnark_verification_key
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verification_key.hpp:40
nil::crypto3::zk::snark::r1cs_se_ppzksnark_verifier_strong_input_consistency
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verifier.hpp:187
nil::crypto3::zk::snark::r1cs_se_ppzksnark_verifier_strong_input_consistency::proof_type
policy_type::proof_type proof_type
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verifier.hpp:194
nil::crypto3::zk::snark::r1cs_se_ppzksnark_verifier_strong_input_consistency::process
static bool process(const processed_verification_key_type &pvk, const primary_input_type &primary_input, const proof_type &proof)
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verifier.hpp:213
nil::crypto3::zk::snark::r1cs_se_ppzksnark_verifier_strong_input_consistency::verification_key_type
policy_type::verification_key_type verification_key_type
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verifier.hpp:192
nil::crypto3::zk::snark::r1cs_se_ppzksnark_verifier_strong_input_consistency::primary_input_type
policy_type::primary_input_type primary_input_type
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verifier.hpp:191
nil::crypto3::zk::snark::r1cs_se_ppzksnark_verifier_strong_input_consistency::processed_verification_key_type
policy_type::processed_verification_key_type processed_verification_key_type
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verifier.hpp:193
nil::crypto3::zk::snark::r1cs_se_ppzksnark_verifier_strong_input_consistency::process
static bool process(const verification_key_type &vk, const primary_input_type &primary_input, const proof_type &proof)
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verifier.hpp:201
nil::crypto3::zk::snark::r1cs_se_ppzksnark_verifier_weak_input_consistency
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verifier.hpp:96
nil::crypto3::zk::snark::r1cs_se_ppzksnark_verifier_weak_input_consistency::process
static bool process(const processed_verification_key_type &processed_verification_key, const primary_input_type &primary_input, const proof_type &proof)
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verifier.hpp:122
nil::crypto3::zk::snark::r1cs_se_ppzksnark_verifier_weak_input_consistency::process
static bool process(const verification_key_type &vk, const primary_input_type &primary_input, const proof_type &proof)
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verifier.hpp:110
nil::crypto3::zk::snark::r1cs_se_ppzksnark_verifier_weak_input_consistency::processed_verification_key_type
policy_type::processed_verification_key_type processed_verification_key_type
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verifier.hpp:102
nil::crypto3::zk::snark::r1cs_se_ppzksnark_verifier_weak_input_consistency::primary_input_type
policy_type::primary_input_type primary_input_type
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verifier.hpp:100
nil::crypto3::zk::snark::r1cs_se_ppzksnark_verifier_weak_input_consistency::verification_key_type
policy_type::verification_key_type verification_key_type
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verifier.hpp:101
nil::crypto3::zk::snark::r1cs_se_ppzksnark_verifier_weak_input_consistency::proof_type
policy_type::proof_type proof_type
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verifier.hpp:103
nil
Definition: pair.hpp:31
nil::crypto3::algebra::pairing::pairing_policy
Definition: pairing_policy.hpp:35
nil::crypto3::zk::snark::detail::r1cs_se_ppzksnark_types_policy
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/detail/basic_policy.hpp:82
nil::crypto3::zk::snark::detail::r1cs_se_ppzksnark_types_policy::primary_input_type
r1cs_primary_input< typename CurveType::scalar_field_type > primary_input_type
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/detail/basic_policy.hpp:92
nil::crypto3::zk::snark::r1cs_se_ppzksnark_processed_verification_key
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verification_key.hpp:104
nil::crypto3::zk::snark::r1cs_se_ppzksnark_processed_verification_key::G_alpha_H_beta_ml
CurveType::gt_type::value_type G_alpha_H_beta_ml
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verification_key.hpp:108
nil::crypto3::zk::snark::r1cs_se_ppzksnark_processed_verification_key::H_gamma_pc
pairing::pairing_policy< CurveType >::g2_precomputed_type H_gamma_pc
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verification_key.hpp:110
nil::crypto3::zk::snark::r1cs_se_ppzksnark_processed_verification_key::G_gamma_pc
pairing::pairing_policy< CurveType >::g1_precomputed_type G_gamma_pc
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verification_key.hpp:109
nil::crypto3::zk::snark::r1cs_se_ppzksnark_processed_verification_key::H_beta
CurveType::template g2_type ::value_type H_beta
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verification_key.hpp:107
nil::crypto3::zk::snark::r1cs_se_ppzksnark_processed_verification_key::query
std::vector< typename CurveType::template g1_type<>::value_type > query
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verification_key.hpp:113
nil::crypto3::zk::snark::r1cs_se_ppzksnark_processed_verification_key::G_alpha
CurveType::template g1_type ::value_type G_alpha
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verification_key.hpp:106
nil::crypto3::zk::snark::r1cs_se_ppzksnark_processed_verification_key::H_pc
pairing::pairing_policy< CurveType >::g2_precomputed_type H_pc
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verification_key.hpp:111
nil::crypto3::zk::snark::verification_key
Definition: zk/include/nil/crypto3/zk/snark/verification_key.hpp:35