zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp
Go to the documentation of this file.
1 //---------------------------------------------------------------------------//
2 // Copyright (c) 2018-2021 Mikhail Komarov <nemo@nil.foundation>
3 // Copyright (c) 2020-2021 Nikita Kaskov <nbering@nil.foundation>
4 //
5 // MIT License
6 //
7 // Permission is hereby granted, free of charge, to any person obtaining a copy
8 // of this software and associated documentation files (the "Software"), to deal
9 // in the Software without restriction, including without limitation the rights
10 // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 // copies of the Software, and to permit persons to whom the Software is
12 // furnished to do so, subject to the following conditions:
13 //
14 // The above copyright notice and this permission notice shall be included in all
15 // copies or substantial portions of the Software.
16 //
17 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 // SOFTWARE.
24 //---------------------------------------------------------------------------//
25 // @file Declaration of interfaces for a ppzkADSNARK for R1CS.
26 //
27 // This includes:
28 // - class for authentication key (public and symmetric)
29 // - class for authentication verification key (public and symmetric)
30 // - class for proving key
31 // - class for verification key
32 // - class for processed verification key
33 // - class for key tuple (authentication key & proving key & verification key)
34 // - class for authenticated data
35 // - class for proof
36 // - generator algorithm
37 // - authentication key generator algorithm
38 // - prover algorithm
39 // - verifier algorithm (public and symmetric)
40 // - online verifier algorithm (public and symmetric)
41 //
42 // The implementation instantiates the construction in \[BBFR15], which in turn
43 // is based on the r1cs_ppzkadsnark proof system.
44 //
45 // Acronyms:
46 //
47 // - R1CS = "Rank-1 Constraint Systems"
48 // - ppzkADSNARK = "PreProcessing Zero-Knowledge Succinct Non-interactive ARgument of Knowledge Over Authenticated Data"
49 //
50 // References:
51 //
52 //\[BBFR15]
53 //"ADSNARK: Nearly Practical and Privacy-Preserving Proofs on Authenticated Data",
54 // Michael Backes, Manuel Barbosa, Dario Fiore, Raphael M. Reischuk,
55 // IEEE Symposium on Security and Privacy 2015,
56 // <http://eprint.iacr.org/2014/617>
57 //---------------------------------------------------------------------------//
58 
59 #ifndef CRYPTO3_R1CS_PPZKADSNARK_BASIC_POLICY_HPP
60 #define CRYPTO3_R1CS_PPZKADSNARK_BASIC_POLICY_HPP
61 
62 #include <memory>
63 
64 #include <nil/crypto3/zk/snark/commitments/knowledge_commitment.hpp>
65 #include <nil/crypto3/zk/snark/commitments/knowledge_commitment_multiexp.hpp>
66 
67 #include <nil/crypto3/zk/snark/relations/constraint_satisfaction_problems/r1cs.hpp>
68 
69 #include <nil/crypto3/zk/snark/schemes/ppzkadsnark/r1cs_ppzkadsnark/prf.hpp>
70 #include <nil/crypto3/zk/snark/schemes/ppzkadsnark/r1cs_ppzkadsnark/signature.hpp>
71 #include <nil/crypto3/zk/snark/reductions/r1cs_to_qap.hpp>
72 
73 #include <nil/crypto3/algebra/multiexp/multiexp.hpp>
74 #include <nil/crypto3/algebra/multiexp/policies.hpp>
75 #include <nil/crypto3/algebra/algorithms/pair.hpp>
76 
77 namespace nil {
78  namespace crypto3 {
79  namespace zk {
80  namespace snark {
81  namespace detail {
82 
83  template<typename CurveType>
84  struct r1cs_ppzkadsnark_basic_policy {
85 
86  /******************************** Params ********************************/
87 
88  struct label_type {
89  unsigned char label_bytes[16];
90  label_type() {};
91  };
92 
97  template<typename r1cs_ppzkadsnark_ppT>
98  using snark_pp = typename r1cs_ppzkadsnark_ppT::snark_pp;
99 
100  template<typename r1cs_ppzkadsnark_ppT>
101  using constraint_system = r1cs_constraint_system<algebra::Fr<snark_pp<r1cs_ppzkadsnark_ppT>>>;
102 
103  template<typename r1cs_ppzkadsnark_ppT>
104  using primary_input = r1cs_primary_input<algebra::Fr<snark_pp<r1cs_ppzkadsnark_ppT>>>;
105 
106  template<typename r1cs_ppzkadsnark_ppT>
107  using auxiliary_input = r1cs_auxiliary_input<algebra::Fr<snark_pp<r1cs_ppzkadsnark_ppT>>>;
108 
109  template<typename r1cs_ppzkadsnark_ppT>
110  using secret_key = typename r1cs_ppzkadsnark_ppT::skT;
111 
112  template<typename r1cs_ppzkadsnark_ppT>
113  using vkT = typename r1cs_ppzkadsnark_ppT::vkT;
114 
115  template<typename r1cs_ppzkadsnark_ppT>
116  using signature = typename r1cs_ppzkadsnark_ppT::sigT;
117 
118  template<typename r1cs_ppzkadsnark_ppT>
119  using prf_key = typename r1cs_ppzkadsnark_ppT::prfKeyT;
120 
121  /******************************** Public authentication parameters
122  * ********************************/
123 
127  struct pub_auth_prms {
128 
129  typename CurveType::template g1_type<>::value_type I1;
130 
131  pub_auth_prms() {};
132  pub_auth_prms<CurveType> &operator=(const pub_auth_prms<CurveType> &other) = default;
133  pub_auth_prms(const pub_auth_prms<CurveType> &other) = default;
134  pub_auth_prms(pub_auth_prms<CurveType> &&other) = default;
135  pub_auth_prms(typename CurveType::template g1_type<>::value_type &&I1) : I1(std::move(I1)) {};
136 
137  bool operator==(const pub_auth_prms<CurveType> &other) const {
138  return (this->I1 == other.I1);
139  }
140  };
141 
142  /******************************** Secret authentication key ********************************/
143 
147  struct sec_auth_key {
148 
149  typename CurveType::scalar_field_type::value_type i;
150 
151  secret_key<CurveType> skp;
152  prf_key<CurveType> S;
153 
154  sec_auth_key() {};
155  sec_auth_key<CurveType> &operator=(const sec_auth_key<CurveType> &other) = default;
156  sec_auth_key(const sec_auth_key<CurveType> &other) = default;
157  sec_auth_key(sec_auth_key<CurveType> &&other) = default;
158  sec_auth_key(typename CurveType::scalar_field_type::value_type &&i,
159  secret_key<CurveType> &&skp,
160  prf_key<CurveType> &&S) :
161  i(std::move(i)),
162  skp(std::move(skp)), S(std::move(S)) {};
163 
164  bool operator==(const sec_auth_key<CurveType> &other) const {
165  return (this->i == other.i) && (this->skp == other.skp) && (this->S == other.S);
166  }
167  };
168 
169  /******************************** Public authentication key ********************************/
170 
174  struct pub_auth_key {
175 
176  typename CurveType::template g2_type<>::value_type minusI2;
177  vkT<CurveType> vkp;
178 
179  pub_auth_key() {};
180  pub_auth_key<CurveType> &operator=(const pub_auth_key<CurveType> &other) = default;
181  pub_auth_key(const pub_auth_key<CurveType> &other) = default;
182  pub_auth_key(pub_auth_key<CurveType> &&other) = default;
183  pub_auth_key(typename CurveType::template g2_type<>::value_type &&minusI2, vkT<CurveType> &&vkp) :
184  minusI2(std::move(minusI2)), vkp(std::move(vkp)) {};
185 
186  bool operator==(const pub_auth_key<CurveType> &other) const {
187  return (this->minusI2 == other.minusI2) && (this->vkp == other.vkp);
188  }
189  };
190 
191  /******************************** Authentication key material ********************************/
192  struct auth_keys {
193 
194  pub_auth_prms<CurveType> pap;
195  pub_auth_key<CurveType> pak;
196  sec_auth_key<CurveType> sak;
197 
198  auth_keys() {};
199  auth_keys(auth_keys<CurveType> &&other) = default;
200  auth_keys(pub_auth_prms<CurveType> &&pap,
201  pub_auth_key<CurveType> &&pak,
202  sec_auth_key<CurveType> &&sak) :
203  pap(std::move(pap)),
204  pak(std::move(pak)), sak(std::move(sak)) {
205  }
206  };
207 
208  /******************************** Authenticated data ********************************/
209 
213  struct auth_data {
214 
215  typename CurveType::scalar_field_type::value_type mu;
216  typename CurveType::template g2_type<>::value_type Lambda;
217 
218  signature<CurveType> sigma;
219 
220  auth_data() {};
221  auth_data<CurveType> &operator=(const auth_data<CurveType> &other) = default;
222  auth_data(const auth_data<CurveType> &other) = default;
223  auth_data(auth_data<CurveType> &&other) = default;
224 
225  auth_data(typename CurveType::scalar_field_type::value_type &&mu,
226  typename CurveType::template g2_type<>::value_type &&Lambda,
227 
228  signature<CurveType> &&sigma) :
229  mu(std::move(mu)),
230  Lambda(std::move(Lambda)), sigma(std::move(sigma)) {};
231 
232  bool operator==(const auth_data<CurveType> &other) const {
233  return (this->mu == other.mu) && (this->Lambda == other.Lambda) &&
234  (this->sigma == other.sigma);
235  }
236  };
237 
238  /******************************** Proving key ********************************/
239 
243  class proving_key {
244  using g1_type = typename CurveType::template g1_type<>;
245  using g2_type = typename CurveType::template g2_type<>;
246  using g1_value_type = typename g1_type::value_type;
247  using g2_value_type = typename g2_type::value_type;
248 
249  public:
250  knowledge_commitment_vector<g1_type, g1_type> A_query;
251  knowledge_commitment_vector<g2_type, g1_type> B_query;
252  knowledge_commitment_vector<g1_type, g1_type> C_query;
253 
254  typename std::vector<g1_value_type> H_query; // t powers
255  typename std::vector<g1_value_type> K_query;
256  /* Now come the additional elements for ad */
257  typename g1_value_type rA_i_Z_g1;
258 
259  constraint_system<CurveType> constraint_system;
260 
261  proving_key() {};
262  proving_key &operator=(const proving_key &other) = default;
263  proving_key(const proving_key &other) = default;
264  proving_key(proving_key &&other) = default;
265  proving_key(knowledge_commitment_vector<g1_type, g1_type> &&A_query,
266  knowledge_commitment_vector<g2_type, g1_type> &&B_query,
267  knowledge_commitment_vector<g1_type, g1_type> &&C_query,
268  typename std::vector<g1_value_type> &&H_query,
269  typename std::vector<g1_value_type> &&K_query,
270  g1_value_type &&rA_i_Z_g1,
271  constraint_system<CurveType> &&constraint_system) :
272  A_query(std::move(A_query)),
273  B_query(std::move(B_query)), C_query(std::move(C_query)), H_query(std::move(H_query)),
274  K_query(std::move(K_query)), rA_i_Z_g1(std::move(rA_i_Z_g1)),
275  constraint_system(std::move(constraint_system)) {};
276 
277  std::size_t G1_size() const {
278  return 2 * (A_query.domain_size() + C_query.domain_size()) + B_query.domain_size() +
279  H_query.size() + K_query.size() + 1;
280  }
281 
282  std::size_t G2_size() const {
283  return B_query.domain_size();
284  }
285 
286  std::size_t G1_sparse_size() const {
287  return 2 * (A_query.size() + C_query.size()) + B_query.size() + H_query.size() +
288  K_query.size() + 1;
289  }
290 
291  std::size_t G2_sparse_size() const {
292  return B_query.size();
293  }
294 
295  std::size_t size_in_bits() const {
296  return A_query.size_in_bits() + B_query.size_in_bits() + C_query.size_in_bits() +
297  H_query.size() * g1_type::value_bits + K_query.size() * g1_type::value_bits +
298  g1_type::value_bits;
299  }
300 
301  bool operator==(const proving_key<CurveType> &other) const {
302  return (this->A_query == other.A_query && this->B_query == other.B_query &&
303  this->C_query == other.C_query && this->H_query == other.H_query &&
304  this->K_query == other.K_query && this->rA_i_Z_g1 == other.rA_i_Z_g1 &&
305  this->constraint_system == other.constraint_system);
306  }
307  };
308 
309  /******************************* Verification key ****************************/
310 
314  struct verification_key {
315 
316  typename CurveType::template g2_type<>::value_type alphaA_g2;
317  typename CurveType::template g1_type<>::value_type alphaB_g1;
318  typename CurveType::template g2_type<>::value_type alphaC_g2;
319  typename CurveType::template g2_type<>::value_type gamma_g2;
320  typename CurveType::template g1_type<>::value_type gamma_beta_g1;
321  typename CurveType::template g2_type<>::value_type gamma_beta_g2;
322  typename CurveType::template g2_type<>::value_type rC_Z_g2;
323 
324  typename CurveType::template g1_type<>::value_type A0;
325  typename std::vector<typename CurveType::template g1_type<>::value_type> Ain;
326 
327  verification_key() = default;
328  verification_key(const typename CurveType::template g2_type<>::value_type &alphaA_g2,
329  const typename CurveType::template g1_type<>::value_type &alphaB_g1,
330  const typename CurveType::template g2_type<>::value_type &alphaC_g2,
331  const typename CurveType::template g2_type<>::value_type &gamma_g2,
332  const typename CurveType::template g1_type<>::value_type &gamma_beta_g1,
333  const typename CurveType::template g2_type<>::value_type &gamma_beta_g2,
334  const typename CurveType::template g2_type<>::value_type &rC_Z_g2,
335  const typename CurveType::template g1_type<>::value_type A0,
336  const typename std::vector<typename CurveType::template g1_type<>::value_type>
337  Ain) :
338  alphaA_g2(alphaA_g2),
339  alphaB_g1(alphaB_g1), alphaC_g2(alphaC_g2), gamma_g2(gamma_g2),
340  gamma_beta_g1(gamma_beta_g1), gamma_beta_g2(gamma_beta_g2), rC_Z_g2(rC_Z_g2), A0(A0),
341  Ain(Ain) {};
342 
343  std::size_t G1_size() const {
344  return 3 + Ain.size();
345  }
346 
347  std::size_t G2_size() const {
348  return 5;
349  }
350 
351  std::size_t size_in_bits() const {
352  return G1_size() * CurveType::template g1_type<>::value_type::value_bits +
353  G2_size() *
354  CurveType::template g2_type<>::value_type::value_bits; // possible zksnark bug
355  }
356 
357  bool operator==(const verification_key<CurveType> &other) const {
358  return (this->alphaA_g2 == other.alphaA_g2 && this->alphaB_g1 == other.alphaB_g1 &&
359  this->alphaC_g2 == other.alphaC_g2 && this->gamma_g2 == other.gamma_g2 &&
360  this->gamma_beta_g1 == other.gamma_beta_g1 &&
361  this->gamma_beta_g2 == other.gamma_beta_g2 && this->rC_Z_g2 == other.rC_Z_g2 &&
362  this->A0 == other.A0 && this->Ain == other.Ain);
363  }
364  };
365 
366  /************************ Processed verification key *************************/
367 
375  class processed_verification_key {
376  using pairing_policy = typename pairing::pairing_policy<CurveType>;
377 
378  public:
379  typename pairing_policy::g2_precomputed_type pp_G2_one_precomp;
380  typename pairing_policy::g2_precomputed_type vk_alphaA_g2_precomp;
381  typename pairing_policy::g1_precomputed_type vk_alphaB_g1_precomp;
382  typename pairing_policy::g2_precomputed_type vk_alphaC_g2_precomp;
383  typename pairing_policy::g2_precomputed_type vk_rC_Z_g2_precomp;
384  typename pairing_policy::g2_precomputed_type vk_gamma_g2_precomp;
385  typename pairing_policy::g1_precomputed_type vk_gamma_beta_g1_precomp;
386  typename pairing_policy::g2_precomputed_type vk_gamma_beta_g2_precomp;
387  typename pairing_policy::g2_precomputed_type vk_rC_i_g2_precomp;
388 
389  typename CurveType::template g1_type<>::value_type A0;
390  typename std::vector<typename CurveType::template g1_type<>::value_type> Ain;
391 
392  std::vector<pairing_policy::g1_precomputed_type> proof_g_vki_precomp;
393 
394  bool operator==(const processed_verification_key &other) const {
395  bool result = (this->pp_G2_one_precomp == other.pp_G2_one_precomp &&
396  this->vk_alphaA_g2_precomp == other.vk_alphaA_g2_precomp &&
397  this->vk_alphaB_g1_precomp == other.vk_alphaB_g1_precomp &&
398  this->vk_alphaC_g2_precomp == other.vk_alphaC_g2_precomp &&
399  this->vk_rC_Z_g2_precomp == other.vk_rC_Z_g2_precomp &&
400  this->vk_gamma_g2_precomp == other.vk_gamma_g2_precomp &&
401  this->vk_gamma_beta_g1_precomp == other.vk_gamma_beta_g1_precomp &&
402  this->vk_gamma_beta_g2_precomp == other.vk_gamma_beta_g2_precomp &&
403  this->vk_rC_i_g2_precomp == other.vk_rC_i_g2_precomp &&
404  this->A0 == other.A0 && this->Ain == other.Ain &&
405  this->proof_g_vki_precomp.size() == other.proof_g_vki_precomp.size());
406  if (result) {
407  for (std::size_t i = 0; i < this->proof_g_vki_precomp.size(); i++)
408  result &= this->proof_g_vki_precomp[i] == other.proof_g_vki_precomp[i];
409  }
410  return result;
411  }
412  };
413 
414  /********************************** Key pair *********************************/
415 
419  struct keypair {
420 
421  proving_key<CurveType> pk;
422  verification_key<CurveType> vk;
423 
424  keypair() = default;
425  keypair(const keypair<CurveType> &other) = default;
426  keypair(proving_key<CurveType> &&pk, verification_key<CurveType> &&vk) :
427  pk(std::move(pk)), vk(std::move(vk)) {
428  }
429 
430  keypair(keypair<CurveType> &&other) = default;
431  };
432 
433  /*********************************** Proof ***********************************/
434 
442  class proof {
443  using g1_type = typename CurveType::template g1_type<>;
444  using g2_type = typename CurveType::template g2_type<>;
445  using g1_value_type = typename g1_type::value_type;
446  using g2_value_type = typename g2_type::value_type;
447 
448  public:
449  typename knowledge_commitment<g1_value_type, g1_value_type>::value_type g_A;
450  typename knowledge_commitment<g2_value_type, g1_value_type>::value_type g_B;
451  typename knowledge_commitment<g1_value_type, g1_value_type>::value_type g_C;
452  g1_value_type g_H;
453  g1_value_type g_K;
454  typename knowledge_commitment<g1_value_type, g1_value_type>::value_type g_Aau;
455  g1_value_type muA;
456 
457  proof() {
458  // invalid proof with valid curve points
459  this->g_A.g = g1_value_type::one();
460  this->g_A.h = g1_value_type::one();
461  this->g_B.g = g2_value_type::one();
462  this->g_B.h = g1_value_type::one();
463  this->g_C.g = g1_value_type::one();
464  this->g_C.h = g1_value_type::one();
465  this->g_H = g1_value_type::one();
466  this->g_K = g1_value_type::one();
467  g_Aau = typename knowledge_commitment<g1_type, g1_type>::value_type(
468  g1_value_type::one(), g1_value_type::one());
469 
470  this->muA = g1_value_type::one();
471  }
472  proof(typename knowledge_commitment<g1_type, g1_type>::value_type &&g_A,
473  typename knowledge_commitment<g2_type, g1_type>::value_type &&g_B,
474  typename knowledge_commitment<g1_type, g1_type>::value_type &&g_C,
475  g1_value_type &&g_H,
476  g1_value_type &&g_K,
477  typename knowledge_commitment<g1_type, g1_type>::value_type &&g_Aau,
478  g1_value_type &&muA) :
479  g_A(std::move(g_A)),
480  g_B(std::move(g_B)), g_C(std::move(g_C)), g_H(std::move(g_H)), g_K(std::move(g_K)),
481  g_Aau(std::move(g_Aau)), muA(std::move(muA)) {};
482 
483  std::size_t G1_size() const {
484  return 10;
485  }
486 
487  std::size_t G2_size() const {
488  return 1;
489  }
490 
491  std::size_t size_in_bits() const {
492  return G1_size() * g1_value_type::value_bits + G2_size() * g2_value_type::value_bits;
493  }
494 
495  bool is_well_formed() const {
496  return (g_A.g.is_well_formed() && g_A.h.is_well_formed() && g_B.g.is_well_formed() &&
497  g_B.h.is_well_formed() && g_C.g.is_well_formed() && g_C.h.is_well_formed() &&
498  g_H.is_well_formed() && g_K.is_well_formed() && g_Aau.g.is_well_formed() &&
499  g_Aau.h.is_well_formed() && muA.is_well_formed());
500  }
501 
502  bool operator==(const proof<CurveType> &other) const {
503  return (this->g_A == other.g_A && this->g_B == other.g_B && this->g_C == other.g_C &&
504  this->g_H == other.g_H && this->g_K == other.g_K &&
505  this->g_Aau == other.g_Aau && this->muA == other.muA);
506  }
507  };
508 
509  /***************************** Main algorithms *******************************/
510 
514  static auth_keys<CurveType> auth_generator(void) {
515  kpT<CurveType> sigkp = sigGen<CurveType>();
516  prf_key<CurveType> prfseed = prfGen<CurveType>();
517  CurveType i = algebra::random_element<typename CurveType::scalar_field_type>();
518  typename CurveType::template g1_type<>::value_type I1 =
519  i * CurveType::template g1_type<>::value_type::one();
520  typename CurveType::template g2_type<>::value_type minusI2 =
521  CurveType::template g2_type<>::value_type::zero() -
522  i * CurveType::template g2_type<>::value_type::one();
523  return auth_keys<CurveType>(
524  pub_auth_prms<CurveType>(std::move(I1)),
525  pub_auth_key<CurveType>(std::move(minusI2), std::move(sigkp.vk)),
526  sec_auth_key<CurveType>(std::move(i), std::move(sigkp.sk), std::move(prfseed)));
527  }
528 
532  static std::vector<auth_data<CurveType>>
533  auth_sign(const std::vector<typename CurveType::scalar_field_type::value_type> &ins,
534  const sec_auth_key<CurveType> &sk,
535  const std::vector<label_type>
536  labels) {
537  assert(labels.size() == ins.size());
538  std::vector<auth_data<CurveType>> res;
539  res.reserve(ins.size());
540  for (std::size_t i = 0; i < ins.size(); i++) {
541  typename CurveType::scalar_field_type::value_type lambda =
542  prfCompute<CurveType>(sk.S, labels[i]);
543  typename CurveType::template g2_type<>::value_type Lambda =
544  lambda * CurveType::template g2_type<>::value_type::one();
545  signature<CurveType> sig = sigSign<CurveType>(sk.skp, labels[i], Lambda);
546  auth_data<CurveType> val(std::move(lambda + sk.i * ins[i]), std::move(Lambda),
547  std::move(sig));
548  res.emplace_back(val);
549  }
550  return std::move(res);
551  }
552 
556  // symmetric
557  static bool
558  auth_verify(const std::vector<typename CurveType::scalar_field_type::value_type> &data,
559  const std::vector<auth_data<CurveType>> &auth_data,
560  const sec_auth_key<CurveType> &sak,
561  const std::vector<label_type> &labels) {
562  assert((data.size() == labels.size()) && (auth_data.size() == labels.size()));
563  bool res = true;
564  for (std::size_t i = 0; i < data.size(); i++) {
565  typename CurveType::scalar_field_type::value_type lambda =
566  prfCompute<CurveType>(sak.S, labels[i]);
567  typename CurveType::scalar_field_type::value_type mup = lambda + sak.i * data[i];
568  res = res && (auth_data[i].mu == mup);
569  }
570  return res;
571  }
572 
573  // public
574  static bool
575  auth_verify(const std::vector<typename CurveType::scalar_field_type::value_type> &data,
576  const std::vector<auth_data<CurveType>> &auth_data,
577  const pub_auth_key<CurveType> &pak,
578  const std::vector<label_type> &labels) {
579  assert((data.size() == labels.size()) && (data.size() == auth_data.size()));
580  bool res = true;
581  for (std::size_t i = 0; i < auth_data.size(); i++) {
582  typename CurveType::template g2_type<>::value_type Mup =
583  auth_data[i].Lambda - data[i] * pak.minusI2;
584  res = res && (auth_data[i].mu * CurveType::template g2_type<>::value_type::one() == Mup);
585  res = res &&
586  sigVerif<CurveType>(pak.vkp, labels[i], auth_data[i].Lambda, auth_data[i].sigma);
587  }
588  return res;
589  }
590 
597  static keypair<CurveType> generator(const constraint_system<CurveType> &cs,
598  const pub_auth_prms<CurveType> &prms) {
599 
600  /* make the B_query "lighter" if possible */
601  constraint_system<CurveType> cs_copy(cs);
602  cs_copy.swap_AB_if_beneficial();
603 
604  /* draw random element at which the QAP is evaluated */
605  const typename CurveType::scalar_field_type::value_type t =
606  algebra::random_element<typename CurveType::scalar_field_type>();
607 
608  qap_instance_evaluation<typename CurveType::scalar_field_type::value_type> qap_inst =
609  r1cs_to_qap::instance_map_with_evaluation(cs_copy, t);
610 
611  printf("* QAP number of variables: %zu\n", qap_inst.num_variables());
612  printf("* QAP pre degree: %zu\n", cs_copy.constraints.size());
613  printf("* QAP degree: %zu\n", qap_inst.degree());
614  printf("* QAP number of input variables: %zu\n", qap_inst.num_inputs());
615 
616  std::size_t non_zero_At = 0, non_zero_Bt = 0, non_zero_Ct = 0, non_zero_Ht = 0;
617  for (std::size_t i = 0; i < qap_inst.num_variables() + 1; ++i) {
618  if (!qap_inst.At[i].is_zero()) {
619  ++non_zero_At;
620  }
621  if (!qap_inst.Bt[i].is_zero()) {
622  ++non_zero_Bt;
623  }
624  if (!qap_inst.Ct[i].is_zero()) {
625  ++non_zero_Ct;
626  }
627  }
628  for (std::size_t i = 0; i < qap_inst.degree() + 1; ++i) {
629  if (!qap_inst.Ht[i].is_zero()) {
630  ++non_zero_Ht;
631  }
632  }
633 
634  algebra::Fr_vector<snark_pp<CurveType>> At = std::move(
635  qap_inst.At); // qap_inst.At is now in unspecified state, but we do not use it later
636  algebra::Fr_vector<snark_pp<CurveType>> Bt = std::move(
637  qap_inst.Bt); // qap_inst.Bt is now in unspecified state, but we do not use it later
638  algebra::Fr_vector<snark_pp<CurveType>> Ct = std::move(
639  qap_inst.Ct); // qap_inst.Ct is now in unspecified state, but we do not use it later
640  algebra::Fr_vector<snark_pp<CurveType>> Ht = std::move(
641  qap_inst.Ht); // qap_inst.Ht is now in unspecified state, but we do not use it later
642 
643  /* append Zt to At,Bt,Ct with */
644  At.emplace_back(qap_inst.Zt);
645  Bt.emplace_back(qap_inst.Zt);
646  Ct.emplace_back(qap_inst.Zt);
647 
648  const typename CurveType::scalar_field_type::value_type
649  alphaA = algebra::random_element<typename CurveType::scalar_field_type>(),
650  alphaB = algebra::random_element<typename CurveType::scalar_field_type>(),
651  alphaC = algebra::random_element<typename CurveType::scalar_field_type>(),
652  rA = algebra::random_element<typename CurveType::scalar_field_type>(),
653  rB = algebra::random_element<typename CurveType::scalar_field_type>(),
654  beta = algebra::random_element<typename CurveType::scalar_field_type>(),
655  gamma = algebra::random_element<typename CurveType::scalar_field_type>();
656  const typename CurveType::scalar_field_type::value_type rC = rA * rB;
657 
658  // construct the same-coefficient-check query (must happen before zeroing out the prefix of
659  // At)
660  algebra::Fr_vector<snark_pp<CurveType>> Kt;
661  Kt.reserve(qap_inst.num_variables() + 4);
662  for (std::size_t i = 0; i < qap_inst.num_variables() + 1; ++i) {
663  Kt.emplace_back(beta * (rA * At[i] + rB * Bt[i] + rC * Ct[i]));
664  }
665  Kt.emplace_back(beta * rA * qap_inst.Zt);
666  Kt.emplace_back(beta * rB * qap_inst.Zt);
667  Kt.emplace_back(beta * rC * qap_inst.Zt);
668 
669  const std::size_t g1_exp_count = 2 * (non_zero_At - qap_inst.num_inputs() + non_zero_Ct) +
670  non_zero_Bt + non_zero_Ht + Kt.size();
671  const std::size_t g2_exp_count = non_zero_Bt;
672 
673  std::size_t g1_window =
674  algebra::get_exp_window_size<typename CurveType::template g1_type<>::value_type>(g1_exp_count);
675  std::size_t g2_window =
676  algebra::get_exp_window_size<typename CurveType::template g2_type<>::value_type>(g2_exp_count);
677  printf("* G1 window: %zu\n", g1_window);
678  printf("* G2 window: %zu\n", g2_window);
679 
680 #ifdef MULTICORE
681  const std::size_t chunks = omp_get_max_threads(); // to override, set OMP_NUM_THREADS env
682  // var or call omp_set_num_threads()
683 #else
684  const std::size_t chunks = 1;
685 #endif
686 
687  algebra::window_table<typename CurveType::g1_type> g1_table =
688  algebra::get_window_table<typename CurveType::g1_type>(CurveType::scalar_field_type::value_bits, g1_window,
689  CurveType::template g1_type<>::value_type::one());
690 
691  algebra::window_table<typename algebra::CurveType::g2_type> g2_table =
692  algebra::get_window_table<typename CurveType::g2_type>(CurveType::scalar_field_type::value_bits, g2_window,
693  CurveType::template g2_type<>::value_type::one());
694 
695  knowledge_commitment_vector<typename CurveType::g1_type, typename CurveType::g1_type>
696  A_query = kc_batch_exp(CurveType::scalar_field_type::value_bits, g1_window, g1_window,
697  g1_table, g1_table, rA, rA * alphaA, At, chunks);
698 
699  knowledge_commitment_vector<typename CurveType::g2_type, typename CurveType::g1_type>
700  B_query = kc_batch_exp(CurveType::scalar_field_type::value_bits, g2_window, g1_window,
701  g2_table, g1_table, rB, rB * alphaB, Bt, chunks);
702 
703  knowledge_commitment_vector<typename CurveType::g1_type, typename CurveType::g1_type>
704  C_query = kc_batch_exp(CurveType::scalar_field_type::value_bits, g1_window, g1_window,
705  g1_table, g1_table, rC, rC * alphaC, Ct, chunks);
706 
707  typename std::vector<typename CurveType::template g1_type<>::value_type> H_query =
708  batch_exp(CurveType::scalar_field_type::value_bits, g1_window, g1_table, Ht);
709 #ifdef USE_MIXED_ADDITION
710  algebra::batch_to_special<typename CurveType::g1_type>(H_query);
711 #endif
712 
713  typename std::vector<typename CurveType::template g1_type<>::value_type> K_query =
714  batch_exp(CurveType::scalar_field_type::value_bits, g1_window, g1_table, Kt);
715 #ifdef USE_MIXED_ADDITION
716  algebra::batch_to_special<typename CurveType::g1_type>(K_query);
717 #endif
718 
719  typename CurveType::template g2_type<>::value_type alphaA_g2 =
720  alphaA * CurveType::template g2_type<>::value_type::one();
721  typename CurveType::template g1_type<>::value_type alphaB_g1 =
722  alphaB * CurveType::template g1_type<>::value_type::one();
723  typename CurveType::template g2_type<>::value_type alphaC_g2 =
724  alphaC * CurveType::template g2_type<>::value_type::one();
725  typename CurveType::template g2_type<>::value_type gamma_g2 =
726  gamma * CurveType::template g2_type<>::value_type::one();
727  typename CurveType::template g1_type<>::value_type gamma_beta_g1 =
728  (gamma * beta) * CurveType::template g1_type<>::value_type::one();
729  typename CurveType::template g2_type<>::value_type gamma_beta_g2 =
730  (gamma * beta) * CurveType::template g2_type<>::value_type::one();
731  typename CurveType::template g2_type<>::value_type rC_Z_g2 =
732  (rC * qap_inst.Zt) * CurveType::template g2_type<>::value_type::one();
733 
734  typename CurveType::template g1_type<>::value_type rA_i_Z_g1 = (rA * qap_inst.Zt) * prms.I1;
735 
736  typename CurveType::template g1_type<>::value_type A0 = A_query[0].g;
737  typename std::vector<typename CurveType::template g1_type<>::value_type> Ain;
738  Ain.reserve(qap_inst.num_inputs());
739  for (std::size_t i = 0; i < qap_inst.num_inputs(); ++i) {
740  Ain.emplace_back(A_query[1 + i].g);
741  }
742 
743  verification_key<CurveType> vk =
744  verification_key<CurveType>(alphaA_g2, alphaB_g1, alphaC_g2, gamma_g2, gamma_beta_g1,
745  gamma_beta_g2, rC_Z_g2, A0, Ain);
746  proving_key<CurveType> pk = proving_key<CurveType>(std::move(A_query),
747  std::move(B_query),
748  std::move(C_query),
749  std::move(H_query),
750  std::move(K_query),
751  std::move(rA_i_Z_g1),
752  std::move(cs_copy));
753 
754  return keypair<CurveType>(std::move(pk), std::move(vk));
755  }
756 
765  static proof<CurveType> prover(const proving_key<CurveType> &pk,
766  const primary_input<CurveType> &primary_input,
767  const auxiliary_input<CurveType> &auxiliary_input,
768  const std::vector<auth_data<CurveType>> &auth_data) {
769 
770  const typename CurveType::scalar_field_type::value_type
771  d1 = algebra::random_element<typename CurveType::scalar_field_type>(),
772  d2 = algebra::random_element<typename CurveType::scalar_field_type>(),
773  d3 = algebra::random_element<typename CurveType::scalar_field_type>(),
774  dauth = algebra::random_element<typename CurveType::scalar_field_type>();
775 
776  const qap_witness<typename CurveType::scalar_field_type> qap_wit = reductions::r1cs_to_qap<typename CurveType::scalar_field_type>::witness_map(
777  pk.constraint_system, primary_input, auxiliary_input, d1 + dauth, d2, d3);
778 
779  typename knowledge_commitment<typename CurveType::g1_type,
780  typename CurveType::g1_type>::value_type g_A =
781  /* pk.A_query[0] + */ d1 * pk.A_query[qap_wit.num_variables + 1];
782  typename knowledge_commitment<typename CurveType::g2_type,
783  typename CurveType::g1_type>::value_type g_B =
784  pk.B_query[0] + qap_wit.d2 * pk.B_query[qap_wit.num_variables + 1];
785  typename knowledge_commitment<typename CurveType::g1_type,
786  typename CurveType::g1_type>::value_type g_C =
787  pk.C_query[0] + qap_wit.d3 * pk.C_query[qap_wit.num_variables + 1];
788 
789  typename knowledge_commitment<typename CurveType::g1_type,
790  typename CurveType::g1_type>::value_type g_Ain =
791  dauth * pk.A_query[qap_wit.num_variables + 1];
792 
793  typename CurveType::template g1_type<>::value_type g_H =
794  CurveType::template g1_type<>::value_type::zero();
795  typename CurveType::template g1_type<>::value_type g_K =
796  (pk.K_query[0] + qap_wit.d1 * pk.K_query[qap_wit.num_variables + 1] +
797  qap_wit.d2 * pk.K_query[qap_wit.num_variables + 2] +
798  qap_wit.d3 * pk.K_query[qap_wit.num_variables + 3]);
799 
800 #ifdef MULTICORE
801  const std::size_t chunks = omp_get_max_threads(); // to override, set OMP_NUM_THREADS env
802  // var or call omp_set_num_threads()
803 #else
804  const std::size_t chunks = 1;
805 #endif
806 
807  g_A = g_A + kc_multiexp_with_mixed_addition<
808  typename CurveType::g1_type, typename CurveType::g1_type,
809  typename CurveType::scalar_field_type,
810  algebra::policies::multiexp_method_bos_coster<
811  typename knowledge_commitment<typename CurveType::g1_type,
812  typename CurveType::g1_type>::value_type,
813  typename CurveType::scalar_field_type>>(
814  pk.A_query, 1 + qap_wit.num_inputs, 1 + qap_wit.num_variables,
815  qap_wit.coefficients_for_ABCs.begin() + qap_wit.num_inputs,
816  qap_wit.coefficients_for_ABCs.begin() + qap_wit.num_variables, chunks);
817 
818  g_Ain = g_Ain +
819  kc_multiexp_with_mixed_addition<
820  typename CurveType::g1_type, typename CurveType::g1_type,
821  typename CurveType::scalar_field_type,
822  algebra::policies::multiexp_method_bos_coster<
823  typename knowledge_commitment<typename CurveType::g1_type,
824  typename CurveType::g1_type>::value_type,
825  typename CurveType::scalar_field_type>>(
826  pk.A_query, 1, 1 + qap_wit.num_inputs, qap_wit.coefficients_for_ABCs.begin(),
827  qap_wit.coefficients_for_ABCs.begin() + qap_wit.num_inputs, chunks);
828  // std :: cout << "The input proof term: " << g_Ain << "\n";
829 
830  g_B = g_B + kc_multiexp_with_mixed_addition<
831  typename CurveType::g2_type, typename CurveType::g1_type,
832  typename CurveType::scalar_field_type,
833  algebra::policies::multiexp_method_bos_coster<
834  typename knowledge_commitment<typename CurveType::g1_type,
835  typename CurveType::g1_type>::value_type,
836  typename CurveType::scalar_field_type>>(
837  pk.B_query, 1, 1 + qap_wit.num_variables,
838  qap_wit.coefficients_for_ABCs.begin(),
839  qap_wit.coefficients_for_ABCs.begin() + qap_wit.num_variables, chunks);
840 
841  g_C = g_C + kc_multiexp_with_mixed_addition<
842  typename CurveType::g1_type, typename CurveType::g1_type,
843  typename CurveType::scalar_field_type,
844  algebra::policies::multiexp_method_bos_coster<
845  typename knowledge_commitment<typename CurveType::g1_type,
846  typename CurveType::g1_type>::value_type,
847  typename CurveType::scalar_field_type>>(
848  pk.C_query, 1, 1 + qap_wit.num_variables,
849  qap_wit.coefficients_for_ABCs.begin(),
850  qap_wit.coefficients_for_ABCs.begin() + qap_wit.num_variables, chunks);
851 
852  g_H = g_H +
853  algebra::multiexp<
854  typename CurveType::g1_type, typename CurveType::scalar_field_type,
855  algebra::policies::multiexp_method_BDLO12<typename CurveType::g1_type,
856  typename CurveType::scalar_field_type>>(
857  pk.H_query.begin(),
858  pk.H_query.begin() + qap_wit.degree + 1,
859  qap_wit.coefficients_for_H.begin(),
860  qap_wit.coefficients_for_H.begin() + qap_wit.degree + 1,
861  chunks);
862 
863  g_K = g_K + algebra::multiexp_with_mixed_addition<
864  typename CurveType::g1_type, typename CurveType::scalar_field_type,
865  algebra::policies::multiexp_method_bos_coster<
866  typename CurveType::g1_type, typename CurveType::scalar_field_type>>(
867  pk.K_query.begin() + 1,
868  pk.K_query.begin() + 1 + qap_wit.num_variables,
869  qap_wit.coefficients_for_ABCs.begin(),
870  qap_wit.coefficients_for_ABCs.begin() + qap_wit.num_variables,
871  chunks);
872 
873  std::vector<typename CurveType::scalar_field_type::value_type> mus;
874  std::vector<typename CurveType::template g1_type<>::value_type> Ains;
875  mus.reserve(qap_wit.num_inputs);
876  Ains.reserve(qap_wit.num_inputs);
877  for (std::size_t i = 0; i < qap_wit.num_inputs; i++) {
878  mus.emplace_back(auth_data[i].mu);
879  Ains.emplace_back(pk.A_query[i + 1].g);
880  }
881  typename CurveType::template g1_type<>::value_type muA = dauth * pk.rA_i_Z_g1;
882  muA = muA + algebra::multiexp<
883  typename CurveType::g1_type, typename CurveType::scalar_field_type,
884  algebra::policies::multiexp_method_bos_coster<
885  typename CurveType::g1_type, typename CurveType::scalar_field_type>>(
886  Ains.begin(), Ains.begin() + qap_wit.num_inputs, mus.begin(),
887  mus.begin() + qap_wit.num_inputs, chunks);
888 
889  // To Do: Decide whether to include relevant parts of auth_data in proof
890 
891  proof<CurveType> proof = proof<CurveType>(std::move(g_A),
892  std::move(g_B),
893  std::move(g_C),
894  std::move(g_H),
895  std::move(g_K),
896  std::move(g_Ain),
897  std::move(muA));
898 
899  return proof;
900  }
901 
902  /*
903  Below are two variants of verifier algorithm for the R1CS ppzkADSNARK.
904 
905  These are the four cases that arise from the following choices:
906 
907  1) The verifier accepts a (non-processed) verification key or, instead, a processed verification
908  key. In the latter case, we call the algorithm an "online verifier".
909 
910  2) The verifier uses the symmetric key or the public verification key.
911  In the former case we call the algorithm a "symmetric verifier".
912 
913  */
914 
918  static processed_verification_key<CurveType>
919  verifier_process_vk(const verification_key<CurveType> &vk) {
920 
921  using namespace algebra::pairing;
922 
923  using pairing_policy = pairing_policy<CurveType>;
924 
925  using g2_type = typename CurveType::template g2_type<>;
926 
927  processed_verification_key<CurveType> pvk;
928  pvk.pp_G2_one_precomp =
929  precompute_g2<CurveType>(g2_type::value_type::one());
930  pvk.vk_alphaA_g2_precomp = precompute_g2<CurveType>(vk.alphaA_g2);
931  pvk.vk_alphaB_g1_precomp = precompute_g1<CurveType>(vk.alphaB_g1);
932  pvk.vk_alphaC_g2_precomp = precompute_g2<CurveType>(vk.alphaC_g2);
933  pvk.vk_rC_Z_g2_precomp = precompute_g2<CurveType>(vk.rC_Z_g2);
934  pvk.vk_gamma_g2_precomp = precompute_g2<CurveType>(vk.gamma_g2);
935  pvk.vk_gamma_beta_g1_precomp = precompute_g1<CurveType>(vk.gamma_beta_g1);
936  pvk.vk_gamma_beta_g2_precomp = precompute_g2<CurveType>(vk.gamma_beta_g2);
937 
938  typename pairing_policy::g2_precomputed_type vk_rC_z_g2_precomp =
939  precompute_g2<CurveType>(vk.rC_Z_g2);
940 
941  pvk.A0 = typename CurveType::template g1_type<>::value_type(vk.A0);
942  pvk.Ain = typename std::vector<typename CurveType::template g1_type<>::value_type>(vk.Ain);
943 
944  pvk.proof_g_vki_precomp.reserve(pvk.Ain.size());
945  for (std::size_t i = 0; i < pvk.Ain.size(); i++) {
946  pvk.proof_g_vki_precomp.emplace_back(precompute_g1<CurveType>(pvk.Ain[i]));
947  }
948 
949  return pvk;
950  }
951 
956  // symmetric
957  static bool online_verifier(const processed_verification_key<CurveType> &pvk,
958  const proof<CurveType> &proof,
959  const sec_auth_key<CurveType> &sak,
960  const std::vector<label_type> &labels) {
961 
962  using namespace algebra::pairing;
963 
964  using pairing_policy = typename pairing_policy<CurveType>;
965 
966  bool result = true;
967 
968  if (!proof.is_well_formed()) {
969  result = false;
970  }
971 
972  std::vector<typename CurveType::scalar_field_type::value_type> lambdas;
973  lambdas.reserve(labels.size());
974  for (std::size_t i = 0; i < labels.size(); i++) {
975  lambdas.emplace_back(prfCompute<CurveType>(sak.S, labels[i]));
976  }
977  typename CurveType::template g1_type<>::value_type prodA = sak.i * proof.g_Aau.g;
978  prodA =
979  prodA + algebra::multiexp<
980  typename CurveType::g1_type, typename CurveType::scalar_field_type,
981  algebra::policies::multiexp_method_bos_coster<
982  typename CurveType::g1_type, typename CurveType::scalar_field_type>>(
983  pvk.Ain.begin(), pvk.Ain.begin() + labels.size(), lambdas.begin(),
984  lambdas.begin() + labels.size(), 1);
985 
986  bool result_auth = true;
987 
988  if (!(prodA == proof.muA)) {
989  result_auth = false;
990  }
991 
992  typename pairing_policy::g1_precomputed_type proof_g_Aau_g_precomp =
993  precompute_g1<CurveType>(proof.g_Aau.g);
994  typename pairing_policy::g1_precomputed_type proof_g_Aau_h_precomp =
995  precompute_g1<CurveType>(proof.g_Aau.h);
996 
997  typename gt_type::value_type kc_Aau_1 =
998  miller_loop<CurveType>(proof_g_Aau_g_precomp, pvk.vk_alphaA_g2_precomp);
999  typename gt_type::value_type kc_Aau_2 =
1000  miller_loop<CurveType>(proof_g_Aau_h_precomp, pvk.pp_G2_one_precomp);
1001  typename gt_type kc_Aau =
1002  final_exponentiation<CurveType>(kc_Aau_1 * kc_Aau_2.unitary_inversed());
1003  if (kc_Aau != gt_type::value_type::one()) {
1004  result_auth = false;
1005  }
1006 
1007  result &= result_auth;
1008 
1009  typename pairing_policy::g1_precomputed_type proof_g_A_g_precomp =
1010  precompute_g1<CurveType>(proof.g_A.g);
1011  typename pairing_policy::g1_precomputed_type proof_g_A_h_precomp =
1012  precompute_g1<CurveType>(proof.g_A.h);
1013  typename gt_type::value_type kc_A_1 =
1014  miller_loop<CurveType>(proof_g_A_g_precomp, pvk.vk_alphaA_g2_precomp);
1015  typename gt_type::value_type kc_A_2 =
1016  miller_loop<CurveType>(proof_g_A_h_precomp, pvk.pp_G2_one_precomp);
1017  typename gt_type kc_A =
1018  final_exponentiation<CurveType>(kc_A_1 * kc_A_2.unitary_inversed());
1019  if (kc_A != gt_type::value_type::one()) {
1020  result = false;
1021  }
1022 
1023  typename pairing_policy::g2_precomputed_type::value_type proof_g_B_g_precomp =
1024  precompute_g2<CurveType>(proof.g_B.g);
1025  typename pairing_policy::g1_precomputed_type proof_g_B_h_precomp =
1026  precompute_g1<CurveType>(proof.g_B.h);
1027  typename gt_type::value_type kc_B_1 =
1028  miller_loop<CurveType>(pvk.vk_alphaB_g1_precomp, proof_g_B_g_precomp);
1029  typename gt_type::value_type kc_B_2 =
1030  miller_loop<CurveType>(proof_g_B_h_precomp, pvk.pp_G2_one_precomp);
1031  typename gt_type kc_B =
1032  final_exponentiation<CurveType>(kc_B_1 * kc_B_2.unitary_inversed());
1033  if (kc_B != gt_type::value_type::one()) {
1034  result = false;
1035  }
1036 
1037  typename pairing_policy::g1_precomputed_type proof_g_C_g_precomp =
1038  precompute_g1<CurveType>(proof.g_C.g);
1039  typename pairing_policy::g1_precomputed_type proof_g_C_h_precomp =
1040  precompute_g1<CurveType>(proof.g_C.h);
1041  typename gt_type::value_type kc_C_1 =
1042  miller_loop<CurveType>(proof_g_C_g_precomp, pvk.vk_alphaC_g2_precomp);
1043  typename gt_type::value_type kc_C_2 =
1044  miller_loop<CurveType>(proof_g_C_h_precomp, pvk.pp_G2_one_precomp);
1045  typename gt_type kc_C =
1046  final_exponentiation<CurveType>(kc_C_1 * kc_C_2.unitary_inversed());
1047  if (kc_C != gt_type::value_type::one()) {
1048  result = false;
1049  }
1050 
1051  typename CurveType::template g1_type<>::value_type Aacc = pvk.A0 + proof.g_Aau.g + proof.g_A.g;
1052 
1053  typename pairing_policy::g1_precomputed_type proof_g_Aacc_precomp =
1054  precompute_g1<CurveType>(Aacc);
1055  typename pairing_policy::g1_precomputed_type proof_g_H_precomp =
1056  precompute_g1<CurveType>(proof.g_H);
1057  typename gt_type::value_type QAP_1 =
1058  miller_loop<CurveType>(proof_g_Aacc_precomp, proof_g_B_g_precomp);
1059  typename gt_type::value_type QAP_23 = pairing_policy::double_miller_loop(
1060  proof_g_H_precomp, pvk.vk_rC_Z_g2_precomp, proof_g_C_g_precomp, pvk.pp_G2_one_precomp);
1061  typename gt_type QAP =
1062  final_exponentiation<CurveType>(QAP_1 * QAP_23.unitary_inversed());
1063  if (QAP != gt_type::value_type::one()) {
1064  result = false;
1065  }
1066 
1067  typename pairing_policy::g1_precomputed_type proof_g_K_precomp =
1068  precompute_g1<CurveType>(proof.g_K);
1069  typename pairing_policy::g1_precomputed_type proof_g_Aacc_C_precomp =
1070  precompute_g1<CurveType>(Aacc + proof.g_C.g);
1071  typename gt_type::value_type K_1 =
1072  miller_loop<CurveType>(proof_g_K_precomp, pvk.vk_gamma_g2_precomp);
1073  typename gt_type::value_type K_23 =
1074  pairing_policy::double_miller_loop(proof_g_Aacc_C_precomp, pvk.vk_gamma_beta_g2_precomp,
1075  pvk.vk_gamma_beta_g1_precomp, proof_g_B_g_precomp);
1076  typename gt_type K =
1077  final_exponentiation<CurveType>(K_1 * K_23.unitary_inversed());
1078  if (K != gt_type::value_type::one()) {
1079  result = false;
1080  }
1081 
1082  return result;
1083  }
1084 
1089  static bool verifier(const verification_key<CurveType> &vk,
1090  const proof<CurveType> &proof,
1091  const sec_auth_key<CurveType> &sak,
1092  const std::vector<label_type> &labels) {
1093  processed_verification_key<CurveType> pvk = verifier_process_vk<CurveType>(vk);
1094  bool result = online_verifier<CurveType>(pvk, proof, sak, labels);
1095  return result;
1096  }
1097 
1102  // public
1103  static bool online_verifier(const processed_verification_key<CurveType> &pvk,
1104  const std::vector<auth_data<CurveType>> &auth_data,
1105  const proof<CurveType> &proof,
1106  const pub_auth_key<CurveType> &pak,
1107  const std::vector<label_type> &labels) {
1108 
1109  using pairing_policy = typename snark_pp<CurveType>::pairing;
1110 
1111  bool result = true;
1112 
1113  if (!proof.is_well_formed()) {
1114  result = false;
1115  }
1116 
1117  assert(labels.size() == auth_data.size());
1118 
1119  std::vector<typename CurveType::g2_type> Lambdas;
1120  std::vector<signature<CurveType>> sigs;
1121  Lambdas.reserve(labels.size());
1122  sigs.reserve(labels.size());
1123  for (std::size_t i = 0; i < labels.size(); i++) {
1124  Lambdas.emplace_back(auth_data[i].Lambda);
1125  sigs.emplace_back(auth_data[i].sigma);
1126  }
1127  bool result_auth = sigBatchVerif<CurveType>(pak.vkp, labels, Lambdas, sigs);
1128  if (!result_auth) {
1129  }
1130 
1131  // To Do: Decide whether to move pak and lambda preprocessing to offline
1132  std::vector<pairing_policy::g2_precomputed_type> g_Lambdas_precomp;
1133  g_Lambdas_precomp.reserve(auth_data.size());
1134  for (std::size_t i = 0; i < auth_data.size(); i++)
1135  g_Lambdas_precomp.emplace_back(precompute_g2<CurveType>(auth_data[i].Lambda));
1136  typename pairing_policy::g2_precomputed_type::value_type g_minusi_precomp =
1137  precompute_g2<CurveType>(pak.minusI2);
1138 
1139  typename gt_type::value_type accum;
1140  if (auth_data.size() % 2 == 1) {
1141  miller_loop<CurveType>(pvk.proof_g_vki_precomp[0], g_Lambdas_precomp[0]);
1142  } else {
1143  accum = gt_type::value_type::one();
1144  }
1145  for (std::size_t i = auth_data.size() % 2; i < labels.size(); i = i + 2) {
1146  accum = accum * pairing_policy::double_miller_loop(
1147  pvk.proof_g_vki_precomp[i], g_Lambdas_precomp[i],
1148  pvk.proof_g_vki_precomp[i + 1], g_Lambdas_precomp[i + 1]);
1149  }
1150 
1151  typename pairing_policy::g1_precomputed_type proof_g_muA_precomp =
1152  precompute_g1<CurveType>(proof.muA);
1153  typename pairing_policy::g1_precomputed_type proof_g_Aau_precomp =
1154  precompute_g1<CurveType>(proof.g_Aau.g);
1155  typename gt_type::value_type accum2 = pairing_policy::double_miller_loop(
1156  proof_g_muA_precomp, pvk.pp_G2_one_precomp, proof_g_Aau_precomp, g_minusi_precomp);
1157  typename gt_type authPair =
1158  final_exponentiation<CurveType>(accum * accum2.unitary_inversed());
1159  if (authPair != gt_type::value_type::one()) {
1160  result_auth = false;
1161  }
1162 
1163  if (!(result_auth)) {
1164  }
1165 
1166  typename pairing_policy::g1_precomputed_type proof_g_Aau_g_precomp =
1167  precompute_g1<CurveType>(proof.g_Aau.g);
1168  typename pairing_policy::g1_precomputed_type proof_g_Aau_h_precomp =
1169  precompute_g1<CurveType>(proof.g_Aau.h);
1170  typename gt_type::value_type kc_Aau_1 =
1171  miller_loop<CurveType>(proof_g_Aau_g_precomp, pvk.vk_alphaA_g2_precomp);
1172  typename gt_type::value_type kc_Aau_2 =
1173  miller_loop<CurveType>(proof_g_Aau_h_precomp, pvk.pp_G2_one_precomp);
1174  typename gt_type kc_Aau =
1175  typename ::final_exponentiation(kc_Aau_1 * kc_Aau_2.unitary_inversed());
1176  if (kc_Aau != gt_type::value_type::one()) {
1177  result_auth = false;
1178  }
1179 
1180  result &= result_auth;
1181 
1182  typename pairing_policy::g1_precomputed_type proof_g_A_g_precomp =
1183  precompute_g1<CurveType>(proof.g_A.g);
1184  typename pairing_policy::g1_precomputed_type proof_g_A_h_precomp =
1185  precompute_g1<CurveType>(proof.g_A.h);
1186  typename gt_type::value_type kc_A_1 =
1187  miller_loop<CurveType>(proof_g_A_g_precomp, pvk.vk_alphaA_g2_precomp);
1188  typename gt_type::value_type kc_A_2 =
1189  miller_loop<CurveType>(proof_g_A_h_precomp, pvk.pp_G2_one_precomp);
1190  typename gt_type kc_A =
1191  final_exponentiation<CurveType>(kc_A_1 * kc_A_2.unitary_inversed());
1192  if (kc_A != gt_type::value_type::one()) {
1193  result = false;
1194  }
1195 
1196  typename pairing_policy::g2_precomputed_type::value_type proof_g_B_g_precomp =
1197  precompute_g2<CurveType>(proof.g_B.g);
1198  typename pairing_policy::g1_precomputed_type proof_g_B_h_precomp =
1199  precompute_g1<CurveType>(proof.g_B.h);
1200  typename gt_type::value_type kc_B_1 =
1201  miller_loop<CurveType>(pvk.vk_alphaB_g1_precomp, proof_g_B_g_precomp);
1202  typename gt_type::value_type kc_B_2 =
1203  miller_loop<CurveType>(proof_g_B_h_precomp, pvk.pp_G2_one_precomp);
1204  typename gt_type kc_B =
1205  final_exponentiation<CurveType>(kc_B_1 * kc_B_2.unitary_inversed());
1206  if (kc_B != gt_type::value_type::one()) {
1207  result = false;
1208  }
1209 
1210  typename pairing_policy::g1_precomputed_type proof_g_C_g_precomp =
1211  precompute_g1<CurveType>(proof.g_C.g);
1212  typename pairing_policy::g1_precomputed_type proof_g_C_h_precomp =
1213  precompute_g1<CurveType>(proof.g_C.h);
1214  typename gt_type::value_type kc_C_1 =
1215  miller_loop<CurveType>(proof_g_C_g_precomp, pvk.vk_alphaC_g2_precomp);
1216  typename gt_type::value_type kc_C_2 =
1217  miller_loop<CurveType>(proof_g_C_h_precomp, pvk.pp_G2_one_precomp);
1218  typename gt_type kc_C =
1219  final_exponentiation<CurveType>(kc_C_1 * kc_C_2.unitary_inversed());
1220  if (kc_C != gt_type::value_type::one()) {
1221  result = false;
1222  }
1223 
1224  typename CurveType::template g1_type<>::value_type Aacc = pvk.A0 + proof.g_Aau.g + proof.g_A.g;
1225 
1226  typename pairing_policy::g1_precomputed_type proof_g_Aacc_precomp =
1227  precompute_g1<CurveType>(Aacc);
1228  typename pairing_policy::g1_precomputed_type proof_g_H_precomp =
1229  precompute_g1<CurveType>(proof.g_H);
1230  typename gt_type::value_type QAP_1 =
1231  miller_loop<CurveType>(proof_g_Aacc_precomp, proof_g_B_g_precomp);
1232  typename gt_type::value_type QAP_23 = pairing_policy::double_miller_loop(
1233  proof_g_H_precomp, pvk.vk_rC_Z_g2_precomp, proof_g_C_g_precomp, pvk.pp_G2_one_precomp);
1234  typename gt_type QAP =
1235  final_exponentiation<CurveType>(QAP_1 * QAP_23.unitary_inversed());
1236  if (QAP != gt_type::value_type::one()) {
1237  result = false;
1238  }
1239 
1240  typename pairing_policy::g1_precomputed_type proof_g_K_precomp =
1241  precompute_g1<CurveType>(proof.g_K);
1242  typename pairing_policy::g1_precomputed_type proof_g_Aacc_C_precomp =
1243  precompute_g1<CurveType>(Aacc + proof.g_C.g);
1244  typename gt_type::value_type K_1 =
1245  miller_loop<CurveType>(proof_g_K_precomp, pvk.vk_gamma_g2_precomp);
1246  typename gt_type::value_type K_23 =
1247  pairing_policy::double_miller_loop(proof_g_Aacc_C_precomp, pvk.vk_gamma_beta_g2_precomp,
1248  pvk.vk_gamma_beta_g1_precomp, proof_g_B_g_precomp);
1249  typename gt_type K =
1250  final_exponentiation<CurveType>(K_1 * K_23.unitary_inversed());
1251  if (K != gt_type::value_type::one()) {
1252  result = false;
1253  }
1254 
1255  return result;
1256  }
1257 
1262  // public
1263  static bool verifier(const verification_key<CurveType> &vk,
1264  const std::vector<auth_data<CurveType>> &auth_data,
1265  const proof<CurveType> &proof,
1266  const pub_auth_key<CurveType> &pak,
1267  const std::vector<label_type> &labels) {
1268  assert(labels.size() == auth_data.size());
1269  processed_verification_key<CurveType> pvk = verifier_process_vk<CurveType>(vk);
1270  bool result = online_verifier<CurveType>(pvk, auth_data, proof, pak, labels);
1271  return result;
1272  }
1273  };
1274  } // namespace detail
1275  } // namespace snark
1276  } // namespace zk
1277  } // namespace crypto3
1278 } // namespace nil
1279 
1280 #endif // CRYPTO3_R1CS_PPZKADSNARK_BASIC_POLICY_HPP
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::processed_verification_key
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:375
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::processed_verification_key::proof_g_vki_precomp
std::vector< pairing_policy::g1_precomputed_type > proof_g_vki_precomp
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:392
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::processed_verification_key::vk_alphaA_g2_precomp
pairing_policy::g2_precomputed_type vk_alphaA_g2_precomp
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:380
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::processed_verification_key::vk_alphaC_g2_precomp
pairing_policy::g2_precomputed_type vk_alphaC_g2_precomp
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:382
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::processed_verification_key::vk_gamma_beta_g2_precomp
pairing_policy::g2_precomputed_type vk_gamma_beta_g2_precomp
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:386
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::processed_verification_key::pp_G2_one_precomp
pairing_policy::g2_precomputed_type pp_G2_one_precomp
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:379
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::processed_verification_key::vk_rC_i_g2_precomp
pairing_policy::g2_precomputed_type vk_rC_i_g2_precomp
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:387
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::processed_verification_key::A0
CurveType::template g1_type ::value_type A0
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:389
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::processed_verification_key::vk_rC_Z_g2_precomp
pairing_policy::g2_precomputed_type vk_rC_Z_g2_precomp
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:383
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::processed_verification_key::vk_gamma_beta_g1_precomp
pairing_policy::g1_precomputed_type vk_gamma_beta_g1_precomp
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:385
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::processed_verification_key::operator==
bool operator==(const processed_verification_key &other) const
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:394
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::processed_verification_key::vk_gamma_g2_precomp
pairing_policy::g2_precomputed_type vk_gamma_g2_precomp
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:384
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::processed_verification_key::Ain
std::vector< typename CurveType::template g1_type<>::value_type > Ain
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:390
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::processed_verification_key::vk_alphaB_g1_precomp
pairing_policy::g1_precomputed_type vk_alphaB_g1_precomp
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:381
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::proof
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:442
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::proof::operator==
bool operator==(const proof< CurveType > &other) const
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:502
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::proof::g_H
g1_value_type g_H
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:452
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::proof::G1_size
std::size_t G1_size() const
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:483
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::proof::g_A
knowledge_commitment< g1_value_type, g1_value_type >::value_type g_A
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:449
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::proof::g_C
knowledge_commitment< g1_value_type, g1_value_type >::value_type g_C
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:451
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::proof::g_K
g1_value_type g_K
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:453
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::proof::g_B
knowledge_commitment< g2_value_type, g1_value_type >::value_type g_B
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:450
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::proof::is_well_formed
bool is_well_formed() const
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:495
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::proof::muA
g1_value_type muA
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:455
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::proof::proof
proof()
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:457
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::proof::size_in_bits
std::size_t size_in_bits() const
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:491
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::proof::G2_size
std::size_t G2_size() const
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:487
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::proof::proof
proof(typename knowledge_commitment< g1_type, g1_type >::value_type &&g_A, typename knowledge_commitment< g2_type, g1_type >::value_type &&g_B, typename knowledge_commitment< g1_type, g1_type >::value_type &&g_C, g1_value_type &&g_H, g1_value_type &&g_K, typename knowledge_commitment< g1_type, g1_type >::value_type &&g_Aau, g1_value_type &&muA)
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:472
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::proof::g_Aau
knowledge_commitment< g1_value_type, g1_value_type >::value_type g_Aau
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:454
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::proving_key
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:243
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::proving_key::G2_size
std::size_t G2_size() const
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:282
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::proving_key::proving_key
proving_key(knowledge_commitment_vector< g1_type, g1_type > &&A_query, knowledge_commitment_vector< g2_type, g1_type > &&B_query, knowledge_commitment_vector< g1_type, g1_type > &&C_query, typename std::vector< g1_value_type > &&H_query, typename std::vector< g1_value_type > &&K_query, g1_value_type &&rA_i_Z_g1, constraint_system< CurveType > &&constraint_system)
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:265
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::proving_key::A_query
knowledge_commitment_vector< g1_type, g1_type > A_query
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:250
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::proving_key::proving_key
proving_key(proving_key &&other)=default
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::proving_key::constraint_system
constraint_system< CurveType > constraint_system
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:259
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::proving_key::operator==
bool operator==(const proving_key< CurveType > &other) const
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:301
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::proving_key::G1_size
std::size_t G1_size() const
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:277
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::proving_key::proving_key
proving_key(const proving_key &other)=default
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::proving_key::B_query
knowledge_commitment_vector< g2_type, g1_type > B_query
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:251
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::proving_key::rA_i_Z_g1
g1_value_type rA_i_Z_g1
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:257
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::proving_key::K_query
std::vector< g1_value_type > K_query
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:255
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::proving_key::proving_key
proving_key()
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:261
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::proving_key::size_in_bits
std::size_t size_in_bits() const
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:295
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::proving_key::H_query
std::vector< g1_value_type > H_query
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:254
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::proving_key::operator=
proving_key & operator=(const proving_key &other)=default
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::proving_key::G2_sparse_size
std::size_t G2_sparse_size() const
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:291
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::proving_key::G1_sparse_size
std::size_t G1_sparse_size() const
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:286
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::proving_key::C_query
knowledge_commitment_vector< g1_type, g1_type > C_query
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:252
nil::crypto3::algebra::vector
vector(T, U...) -> vector< std::enable_if_t<(std::is_same_v< T, U > &&...), T >, 1+sizeof...(U)>
deduction guide for uniform initialization
knowledge_commitment.hpp
knowledge_commitment_multiexp.hpp
nil::crypto3::algebra::double_miller_loop
PairingCurveType::gt_type::value_type double_miller_loop(const typename PairingPolicy::g1_precomputed_type &prec_P1, const typename PairingPolicy::g2_precomputed_type &prec_Q1, const typename PairingPolicy::g1_precomputed_type &prec_P2, const typename PairingPolicy::g2_precomputed_type &prec_Q2)
Definition: pair.hpp:96
nil::crypto3::algebra::window_table
std::vector< std::vector< typename GroupType::value_type > > window_table
Definition: multiexp.hpp:116
nil::crypto3::algebra::multiexp_with_mixed_addition
std::iterator_traits< InputBaseIterator >::value_type multiexp_with_mixed_addition(InputBaseIterator vec_start, InputBaseIterator vec_end, InputFieldIterator scalar_start, InputFieldIterator scalar_end, const std::size_t chunks_count)
Definition: multiexp.hpp:74
nil::crypto3::algebra::multiexp
std::iterator_traits< InputBaseIterator >::value_type multiexp(InputBaseIterator vec_start, InputBaseIterator vec_end, InputFieldIterator scalar_start, InputFieldIterator scalar_end, const std::size_t chunks_count)
Definition: multiexp.hpp:43
nil::crypto3::algebra::batch_exp
std::vector< typename GroupType::value_type > batch_exp(const std::size_t scalar_size, const std::size_t window, const window_table< GroupType > &table, const InputRange &v)
Definition: multiexp.hpp:205
nil::crypto3::algebra::final_exponentiation
PairingCurveType::gt_type::value_type final_exponentiation(const typename PairingCurveType::gt_type::value_type &elt)
Definition: pair.hpp:106
nil::crypto3::block::move
OutputIterator move(const SinglePassRange &rng, OutputIterator result)
Definition: move.hpp:45
nil::crypto3::zk::snark::kc_multiexp_with_mixed_addition
knowledge_commitment< T1, T2 >::value_type kc_multiexp_with_mixed_addition(const knowledge_commitment_vector< T1, T2 > &vec, const std::size_t min_idx, const std::size_t max_idx, InputFieldIterator scalar_start, InputFieldIterator scalar_end, const std::size_t chunks)
Definition: knowledge_commitment_multiexp.hpp:59
nil::crypto3::zk::snark::r1cs_auxiliary_input
std::vector< typename FieldType::value_type > r1cs_auxiliary_input
Definition: r1cs.hpp:104
nil::crypto3::zk::snark::kc_batch_exp
knowledge_commitment_vector< T1, T2 > kc_batch_exp(const std::size_t scalar_size, const std::size_t T1_window, const std::size_t T2_window, const algebra::window_table< T1 > &T1_table, const algebra::window_table< T2 > &T2_table, const typename FieldType::value_type &T1_coeff, const typename FieldType::value_type &T2_coeff, const std::vector< typename FieldType::value_type > &v, const std::size_t suggested_num_chunks)
Definition: knowledge_commitment_multiexp.hpp:142
nil::crypto3::zk::snark::r1cs_primary_input
std::vector< typename FieldType::value_type > r1cs_primary_input
Definition: r1cs.hpp:101
nil
Definition: pair.hpp:31
r1cs_to_qap.hpp
nil::crypto3::algebra::pairing::pairing_policy< CurveType >
nil::crypto3::algebra::policies::multiexp_method_BDLO12
Definition: policies.hpp:100
nil::crypto3::algebra::policies::multiexp_method_bos_coster
Definition: policies.hpp:215
nil::crypto3::zk::snark::detail::knowledge_commitment
Definition: element_knowledge_commitment.hpp:40
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::auth_data
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:213
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::auth_data::operator=
auth_data< CurveType > & operator=(const auth_data< CurveType > &other)=default
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::auth_data::auth_data
auth_data(auth_data< CurveType > &&other)=default
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::auth_data::mu
CurveType::scalar_field_type::value_type mu
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:215
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::auth_data::auth_data
auth_data(typename CurveType::scalar_field_type::value_type &&mu, typename CurveType::template g2_type<>::value_type &&Lambda, signature< CurveType > &&sigma)
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:225
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::auth_data::sigma
signature< CurveType > sigma
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:218
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::auth_data::auth_data
auth_data(const auth_data< CurveType > &other)=default
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::auth_data::Lambda
CurveType::template g2_type ::value_type Lambda
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:216
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::auth_data::operator==
bool operator==(const auth_data< CurveType > &other) const
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:232
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::auth_data::auth_data
auth_data()
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:220
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::auth_keys
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:192
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::auth_keys::sak
sec_auth_key< CurveType > sak
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:196
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::auth_keys::pap
pub_auth_prms< CurveType > pap
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:194
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::auth_keys::auth_keys
auth_keys(auth_keys< CurveType > &&other)=default
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::auth_keys::auth_keys
auth_keys()
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:198
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::auth_keys::pak
pub_auth_key< CurveType > pak
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:195
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::auth_keys::auth_keys
auth_keys(pub_auth_prms< CurveType > &&pap, pub_auth_key< CurveType > &&pak, sec_auth_key< CurveType > &&sak)
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:200
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::keypair
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:419
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::keypair::keypair
keypair(const keypair< CurveType > &other)=default
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::keypair::keypair
keypair(proving_key< CurveType > &&pk, verification_key< CurveType > &&vk)
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:426
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::keypair::keypair
keypair(keypair< CurveType > &&other)=default
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::keypair::pk
proving_key< CurveType > pk
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:421
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::keypair::keypair
keypair()=default
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::keypair::vk
verification_key< CurveType > vk
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:422
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::label_type
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:88
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::label_type::label_bytes
unsigned char label_bytes[16]
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:89
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::label_type::label_type
label_type()
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:90
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::pub_auth_key
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:174
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::pub_auth_key::pub_auth_key
pub_auth_key(pub_auth_key< CurveType > &&other)=default
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::pub_auth_key::pub_auth_key
pub_auth_key(const pub_auth_key< CurveType > &other)=default
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::pub_auth_key::minusI2
CurveType::template g2_type ::value_type minusI2
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:176
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::pub_auth_key::vkp
vkT< CurveType > vkp
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:177
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::pub_auth_key::pub_auth_key
pub_auth_key(typename CurveType::template g2_type<>::value_type &&minusI2, vkT< CurveType > &&vkp)
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:183
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::pub_auth_key::operator==
bool operator==(const pub_auth_key< CurveType > &other) const
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:186
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::pub_auth_key::operator=
pub_auth_key< CurveType > & operator=(const pub_auth_key< CurveType > &other)=default
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::pub_auth_key::pub_auth_key
pub_auth_key()
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:179
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::pub_auth_prms
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:127
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::pub_auth_prms::pub_auth_prms
pub_auth_prms(typename CurveType::template g1_type<>::value_type &&I1)
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:135
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::pub_auth_prms::operator=
pub_auth_prms< CurveType > & operator=(const pub_auth_prms< CurveType > &other)=default
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::pub_auth_prms::pub_auth_prms
pub_auth_prms()
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:131
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::pub_auth_prms::pub_auth_prms
pub_auth_prms(pub_auth_prms< CurveType > &&other)=default
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::pub_auth_prms::operator==
bool operator==(const pub_auth_prms< CurveType > &other) const
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:137
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::pub_auth_prms::I1
CurveType::template g1_type ::value_type I1
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:129
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::pub_auth_prms::pub_auth_prms
pub_auth_prms(const pub_auth_prms< CurveType > &other)=default
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::sec_auth_key
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:147
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::sec_auth_key::sec_auth_key
sec_auth_key(typename CurveType::scalar_field_type::value_type &&i, secret_key< CurveType > &&skp, prf_key< CurveType > &&S)
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:158
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::sec_auth_key::operator=
sec_auth_key< CurveType > & operator=(const sec_auth_key< CurveType > &other)=default
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::sec_auth_key::sec_auth_key
sec_auth_key(const sec_auth_key< CurveType > &other)=default
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::sec_auth_key::sec_auth_key
sec_auth_key(sec_auth_key< CurveType > &&other)=default
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::sec_auth_key::skp
secret_key< CurveType > skp
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:151
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::sec_auth_key::sec_auth_key
sec_auth_key()
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:154
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::sec_auth_key::i
CurveType::scalar_field_type::value_type i
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:149
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::sec_auth_key::S
prf_key< CurveType > S
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:152
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::sec_auth_key::operator==
bool operator==(const sec_auth_key< CurveType > &other) const
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:164
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::verification_key
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:314
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::verification_key::gamma_g2
CurveType::template g2_type ::value_type gamma_g2
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:319
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::verification_key::verification_key
verification_key(const typename CurveType::template g2_type<>::value_type &alphaA_g2, const typename CurveType::template g1_type<>::value_type &alphaB_g1, const typename CurveType::template g2_type<>::value_type &alphaC_g2, const typename CurveType::template g2_type<>::value_type &gamma_g2, const typename CurveType::template g1_type<>::value_type &gamma_beta_g1, const typename CurveType::template g2_type<>::value_type &gamma_beta_g2, const typename CurveType::template g2_type<>::value_type &rC_Z_g2, const typename CurveType::template g1_type<>::value_type A0, const typename std::vector< typename CurveType::template g1_type<>::value_type > Ain)
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:328
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::verification_key::Ain
std::vector< typename CurveType::template g1_type<>::value_type > Ain
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:325
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::verification_key::rC_Z_g2
CurveType::template g2_type ::value_type rC_Z_g2
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:322
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::verification_key::size_in_bits
std::size_t size_in_bits() const
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:351
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::verification_key::gamma_beta_g2
CurveType::template g2_type ::value_type gamma_beta_g2
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:321
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::verification_key::G2_size
std::size_t G2_size() const
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:347
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::verification_key::G1_size
std::size_t G1_size() const
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:343
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::verification_key::operator==
bool operator==(const verification_key< CurveType > &other) const
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:357
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::verification_key::alphaC_g2
CurveType::template g2_type ::value_type alphaC_g2
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:318
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::verification_key::alphaA_g2
CurveType::template g2_type ::value_type alphaA_g2
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:316
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::verification_key::verification_key
verification_key()=default
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::verification_key::gamma_beta_g1
CurveType::template g1_type ::value_type gamma_beta_g1
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:320
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::verification_key::A0
CurveType::template g1_type ::value_type A0
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:324
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::verification_key::alphaB_g1
CurveType::template g1_type ::value_type alphaB_g1
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:317
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:84
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::generator
static keypair< CurveType > generator(const constraint_system< CurveType > &cs, const pub_auth_prms< CurveType > &prms)
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:597
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::verifier
static bool verifier(const verification_key< CurveType > &vk, const std::vector< auth_data< CurveType >> &auth_data, const proof< CurveType > &proof, const pub_auth_key< CurveType > &pak, const std::vector< label_type > &labels)
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:1263
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::vkT
typename r1cs_ppzkadsnark_ppT::vkT vkT
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:113
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::auth_sign
static std::vector< auth_data< CurveType > > auth_sign(const std::vector< typename CurveType::scalar_field_type::value_type > &ins, const sec_auth_key< CurveType > &sk, const std::vector< label_type > labels)
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:533
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::verifier
static bool verifier(const verification_key< CurveType > &vk, const proof< CurveType > &proof, const sec_auth_key< CurveType > &sak, const std::vector< label_type > &labels)
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:1089
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::prf_key
typename r1cs_ppzkadsnark_ppT::prfKeyT prf_key
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:119
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::verifier_process_vk
static processed_verification_key< CurveType > verifier_process_vk(const verification_key< CurveType > &vk)
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:919
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::signature
typename r1cs_ppzkadsnark_ppT::sigT signature
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:116
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::auth_verify
static bool auth_verify(const std::vector< typename CurveType::scalar_field_type::value_type > &data, const std::vector< auth_data< CurveType >> &auth_data, const pub_auth_key< CurveType > &pak, const std::vector< label_type > &labels)
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:575
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::online_verifier
static bool online_verifier(const processed_verification_key< CurveType > &pvk, const proof< CurveType > &proof, const sec_auth_key< CurveType > &sak, const std::vector< label_type > &labels)
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:957
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::secret_key
typename r1cs_ppzkadsnark_ppT::skT secret_key
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:110
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::primary_input
r1cs_primary_input< algebra::Fr< snark_pp< r1cs_ppzkadsnark_ppT > >> primary_input
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:104
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::auxiliary_input
r1cs_auxiliary_input< algebra::Fr< snark_pp< r1cs_ppzkadsnark_ppT > >> auxiliary_input
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:107
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::snark_pp
typename r1cs_ppzkadsnark_ppT::snark_pp snark_pp
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:98
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::auth_generator
static auth_keys< CurveType > auth_generator(void)
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:514
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::auth_verify
static bool auth_verify(const std::vector< typename CurveType::scalar_field_type::value_type > &data, const std::vector< auth_data< CurveType >> &auth_data, const sec_auth_key< CurveType > &sak, const std::vector< label_type > &labels)
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:558
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::online_verifier
static bool online_verifier(const processed_verification_key< CurveType > &pvk, const std::vector< auth_data< CurveType >> &auth_data, const proof< CurveType > &proof, const pub_auth_key< CurveType > &pak, const std::vector< label_type > &labels)
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:1103
nil::crypto3::zk::snark::detail::r1cs_ppzkadsnark_basic_policy::prover
static proof< CurveType > prover(const proving_key< CurveType > &pk, const primary_input< CurveType > &primary_input, const auxiliary_input< CurveType > &auxiliary_input, const std::vector< auth_data< CurveType >> &auth_data)
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp:765
nil::crypto3::zk::snark::knowledge_commitment::value_type
detail::element_kc< Type1, Type2 > value_type
Definition: knowledge_commitment.hpp:52
nil::crypto3::zk::snark::kpT
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/signature.hpp:39
nil::crypto3::zk::snark::kpT::sk
r1cs_ppzkadsnark_secret_key< CurveType > sk
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/signature.hpp:40
nil::crypto3::zk::snark::kpT::vk
r1cs_ppzkadsnark_vkT< CurveType > vk
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/signature.hpp:41
nil::crypto3::zk::snark::qap_instance_evaluation
Definition: qap.hpp:183
nil::crypto3::zk::snark::qap_instance_evaluation::Ct
std::vector< field_value_type > Ct
Definition: qap.hpp:196
nil::crypto3::zk::snark::qap_instance_evaluation::degree
std::size_t degree
Definition: qap.hpp:189
nil::crypto3::zk::snark::qap_instance_evaluation::num_inputs
std::size_t num_inputs
Definition: qap.hpp:190
nil::crypto3::zk::snark::qap_instance_evaluation::Bt
std::vector< field_value_type > Bt
Definition: qap.hpp:196
nil::crypto3::zk::snark::qap_instance_evaluation::At
std::vector< field_value_type > At
Definition: qap.hpp:196
nil::crypto3::zk::snark::qap_instance_evaluation::Zt
field_value_type Zt
Definition: qap.hpp:198
nil::crypto3::zk::snark::qap_instance_evaluation::num_variables
std::size_t num_variables
Definition: qap.hpp:188
nil::crypto3::zk::snark::qap_instance_evaluation::Ht
std::vector< field_value_type > Ht
Definition: qap.hpp:196
nil::crypto3::zk::snark::qap_witness
Definition: qap.hpp:310
nil::crypto3::zk::snark::qap_witness::d3
field_value_type d3
Definition: qap.hpp:319
nil::crypto3::zk::snark::qap_witness::num_inputs
std::size_t num_inputs
Definition: qap.hpp:317
nil::crypto3::zk::snark::qap_witness::num_variables
std::size_t num_variables
Definition: qap.hpp:315
nil::crypto3::zk::snark::qap_witness::coefficients_for_H
std::vector< field_value_type > coefficients_for_H
Definition: qap.hpp:322
nil::crypto3::zk::snark::qap_witness::coefficients_for_ABCs
std::vector< field_value_type > coefficients_for_ABCs
Definition: qap.hpp:321
nil::crypto3::zk::snark::qap_witness::d1
field_value_type d1
Definition: qap.hpp:319
nil::crypto3::zk::snark::qap_witness::d2
field_value_type d2
Definition: qap.hpp:319
nil::crypto3::zk::snark::qap_witness::degree
std::size_t degree
Definition: qap.hpp:316
nil::crypto3::zk::snark::r1cs_constraint_system
Definition: r1cs.hpp:124
nil::crypto3::zk::snark::r1cs_constraint_system::constraints
std::vector< r1cs_constraint< FieldType > > constraints
Definition: r1cs.hpp:130
nil::crypto3::zk::snark::r1cs_constraint_system::swap_AB_if_beneficial
void swap_AB_if_beneficial()
Definition: r1cs.hpp:191
nil::crypto3::zk::snark::reductions::r1cs_to_qap::witness_map
static qap_witness< FieldType > witness_map(const r1cs_constraint_system< FieldType > &cs, const r1cs_primary_input< FieldType > &primary_input, const r1cs_auxiliary_input< FieldType > &auxiliary_input, const typename FieldType::value_type &d1, const typename FieldType::value_type &d2, const typename FieldType::value_type &d3)
Definition: r1cs_to_qap.hpp:221
nil::crypto3::zk::snark::sparse_vector
Definition: sparse_vector.hpp:48