r1cs_se_ppzksnark/prover.hpp
Go to the documentation of this file.
1 //---------------------------------------------------------------------------//
2 // Copyright (c) 2018-2021 Mikhail Komarov <nemo@nil.foundation>
3 // Copyright (c) 2020-2021 Nikita Kaskov <nbering@nil.foundation>
4 //
5 // MIT License
6 //
7 // Permission is hereby granted, free of charge, to any person obtaining a copy
8 // of this software and associated documentation files (the "Software"), to deal
9 // in the Software without restriction, including without limitation the rights
10 // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 // copies of the Software, and to permit persons to whom the Software is
12 // furnished to do so, subject to the following conditions:
13 //
14 // The above copyright notice and this permission notice shall be included in all
15 // copies or substantial portions of the Software.
16 //
17 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 // SOFTWARE.
24 //---------------------------------------------------------------------------//
25 
26 #ifndef CRYPTO3_ZK_R1CS_SE_PPZKSNARK_BASIC_PROVER_HPP
27 #define CRYPTO3_ZK_R1CS_SE_PPZKSNARK_BASIC_PROVER_HPP
28 
29 #ifdef MULTICORE
30 #include <omp.h>
31 #endif
32 
33 #include <nil/crypto3/algebra/multiexp/multiexp.hpp>
34 #include <nil/crypto3/algebra/multiexp/policies.hpp>
35 #include <nil/crypto3/algebra/random_element.hpp>
36 
37 #include <nil/crypto3/zk/snark/reductions/r1cs_to_sap.hpp>
38 #include <nil/crypto3/zk/snark/relations/arithmetic_programs/sap.hpp>
39 #include <nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_se_ppzksnark/detail/basic_policy.hpp>
40 
41 namespace nil {
42  namespace crypto3 {
43  namespace zk {
44  namespace snark {
45 
54  template<typename CurveType>
55  class r1cs_se_ppzksnark_prover {
56  typedef detail::r1cs_se_ppzksnark_types_policy<CurveType> policy_type;
57 
58  public:
59  typedef typename policy_type::constraint_system_type constraint_system_type;
60  typedef typename policy_type::primary_input_type primary_input_type;
61  typedef typename policy_type::auxiliary_input_type auxiliary_input_type;
62 
63  typedef typename policy_type::proving_key_type proving_key_type;
64  typedef typename policy_type::verification_key_type verification_key_type;
65  typedef typename policy_type::processed_verification_key_type processed_verification_key_type;
66 
67  typedef typename policy_type::keypair_type keypair_type;
68  typedef typename policy_type::proof_type proof_type;
69 
70  static inline proof_type process(const proving_key_type &proving_key,
71  const primary_input_type &primary_input,
72  const auxiliary_input_type &auxiliary_input) {
73 
74  const typename CurveType::scalar_field_type::value_type
75  d1 = algebra::random_element<typename CurveType::scalar_field_type>(),
76  d2 = algebra::random_element<typename CurveType::scalar_field_type>();
77 
78  const sap_witness<typename CurveType::scalar_field_type> sap_wit =
79  reductions::r1cs_to_sap<typename CurveType::scalar_field_type>::witness_map(
80  proving_key.constraint_system, primary_input, auxiliary_input, d1, d2);
81 
82 #ifdef MULTICORE
83  const std::size_t chunks = omp_get_max_threads(); // to override, set OMP_NUM_THREADS env
84  // var or call omp_set_num_threads()
85 #else
86  const std::size_t chunks = 1;
87 #endif
88 
89  const typename CurveType::scalar_field_type::value_type r =
90  algebra::random_element<typename CurveType::scalar_field_type>();
91 
98  typename CurveType::template g1_type<>::value_type A =
99  r * proving_key.G_gamma_Z +
100  proving_key.A_query[0] + // i = 0 is a special case because input_i = 1
101  sap_wit.d1 * proving_key.G_gamma_Z + // ZK-patch
102  algebra::multiexp<algebra::policies::multiexp_method_BDLO12>(
103  proving_key.A_query.begin() + 1,
104  proving_key.A_query.end(),
105  sap_wit.coefficients_for_ACs.begin(),
106  sap_wit.coefficients_for_ACs.end(),
107  chunks);
108 
112  typename CurveType::template g2_type<>::value_type B =
113  r * proving_key.H_gamma_Z +
114  proving_key.B_query[0] + // i = 0 is a special case because input_i = 1
115  sap_wit.d1 * proving_key.H_gamma_Z + // ZK-patch
116  algebra::multiexp<algebra::policies::multiexp_method_BDLO12>(
117  proving_key.B_query.begin() + 1,
118  proving_key.B_query.end(),
119  sap_wit.coefficients_for_ACs.begin(),
120  sap_wit.coefficients_for_ACs.end(),
121  chunks);
132  typename CurveType::template g1_type<>::value_type C =
133  algebra::multiexp<algebra::policies::multiexp_method_BDLO12>(
134  proving_key.C_query_1.begin(),
135  proving_key.C_query_1.end(),
136  sap_wit.coefficients_for_ACs.begin() + sap_wit.num_inputs,
137  sap_wit.coefficients_for_ACs.end(),
138  chunks) +
139  (r * r) * proving_key.G_gamma2_Z2 + r * proving_key.G_ab_gamma_Z +
140  sap_wit.d1 * proving_key.G_ab_gamma_Z + // ZK-patch
141  r * proving_key.C_query_2[0] + // i = 0 is a special case for C_query_2
142  (r + r) * sap_wit.d1 * proving_key.G_gamma2_Z2 + // ZK-patch for C_query_2
143  r * algebra::multiexp<algebra::policies::multiexp_method_BDLO12>(
144  proving_key.C_query_2.begin() + 1,
145  proving_key.C_query_2.end(),
146  sap_wit.coefficients_for_ACs.begin(),
147  sap_wit.coefficients_for_ACs.end(),
148  chunks) +
149  sap_wit.d2 * proving_key.G_gamma2_Z_t[0] + // ZK-patch
150  algebra::multiexp<algebra::policies::multiexp_method_BDLO12>(
151  proving_key.G_gamma2_Z_t.begin(),
152  proving_key.G_gamma2_Z_t.end(),
153  sap_wit.coefficients_for_H.begin(),
154  sap_wit.coefficients_for_H.end(),
155  chunks);
156 
157  return {std::move(A), std::move(B), std::move(C)};
158  }
159  };
160  } // namespace snark
161  } // namespace zk
162  } // namespace crypto3
163 } // namespace nil
164 
165 #endif // CRYPTO3_ZK_R1CS_SE_PPZKSNARK_BASIC_PROVER_HPP
nil::crypto3::zk::snark::proving_key
Definition: proving_key.hpp:37
nil::crypto3::zk::snark::r1cs_se_ppzksnark_proof
Definition: snark/systems/ppzksnark/r1cs_se_ppzksnark/proof.hpp:41
nil::crypto3::zk::snark::r1cs_se_ppzksnark_prover
Definition: r1cs_se_ppzksnark/prover.hpp:55
nil::crypto3::zk::snark::r1cs_se_ppzksnark_prover::proving_key_type
policy_type::proving_key_type proving_key_type
Definition: r1cs_se_ppzksnark/prover.hpp:63
nil::crypto3::zk::snark::r1cs_se_ppzksnark_prover::auxiliary_input_type
policy_type::auxiliary_input_type auxiliary_input_type
Definition: r1cs_se_ppzksnark/prover.hpp:61
nil::crypto3::zk::snark::r1cs_se_ppzksnark_prover::verification_key_type
policy_type::verification_key_type verification_key_type
Definition: r1cs_se_ppzksnark/prover.hpp:64
nil::crypto3::zk::snark::r1cs_se_ppzksnark_prover::processed_verification_key_type
policy_type::processed_verification_key_type processed_verification_key_type
Definition: r1cs_se_ppzksnark/prover.hpp:65
nil::crypto3::zk::snark::r1cs_se_ppzksnark_prover::process
static proof_type process(const proving_key_type &proving_key, const primary_input_type &primary_input, const auxiliary_input_type &auxiliary_input)
Definition: r1cs_se_ppzksnark/prover.hpp:70
nil::crypto3::zk::snark::r1cs_se_ppzksnark_prover::keypair_type
policy_type::keypair_type keypair_type
Definition: r1cs_se_ppzksnark/prover.hpp:67
nil::crypto3::zk::snark::r1cs_se_ppzksnark_prover::primary_input_type
policy_type::primary_input_type primary_input_type
Definition: r1cs_se_ppzksnark/prover.hpp:60
nil::crypto3::zk::snark::r1cs_se_ppzksnark_prover::constraint_system_type
policy_type::constraint_system_type constraint_system_type
Definition: r1cs_se_ppzksnark/prover.hpp:59
nil::crypto3::zk::snark::r1cs_se_ppzksnark_prover::proof_type
policy_type::proof_type proof_type
Definition: r1cs_se_ppzksnark/prover.hpp:68
nil::crypto3::zk::snark::r1cs_se_ppzksnark_proving_key
Definition: systems/ppzksnark/r1cs_se_ppzksnark/proving_key.hpp:39
nil::crypto3::zk::snark::r1cs_se_ppzksnark_verification_key
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verification_key.hpp:40
nil::crypto3::zk::snark::reductions::r1cs_to_sap::witness_map
static sap_witness< FieldType > witness_map(const r1cs_constraint_system< FieldType > &cs, const r1cs_primary_input< FieldType > &primary_input, const r1cs_auxiliary_input< FieldType > &auxiliary_input, const typename FieldType::value_type &d1, const typename FieldType::value_type &d2)
Definition: r1cs_to_sap.hpp:313
nil::crypto3::block::move
OutputIterator move(const SinglePassRange &rng, OutputIterator result)
Definition: move.hpp:45
nil
Definition: pair.hpp:31
r1cs_to_sap.hpp
random_element.hpp
nil::crypto3::zk::snark::detail::r1cs_se_ppzksnark_types_policy
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/detail/basic_policy.hpp:82
nil::crypto3::zk::snark::detail::r1cs_se_ppzksnark_types_policy::auxiliary_input_type
r1cs_auxiliary_input< typename CurveType::scalar_field_type > auxiliary_input_type
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/detail/basic_policy.hpp:94
nil::crypto3::zk::snark::detail::r1cs_se_ppzksnark_types_policy::primary_input_type
r1cs_primary_input< typename CurveType::scalar_field_type > primary_input_type
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/detail/basic_policy.hpp:92
nil::crypto3::zk::snark::detail::r1cs_se_ppzksnark_types_policy::keypair_type
r1cs_se_ppzksnark_keypair< proving_key_type, verification_key_type > keypair_type
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/detail/basic_policy.hpp:126
nil::crypto3::zk::snark::r1cs_constraint_system< typename CurveType::scalar_field_type >
nil::crypto3::zk::snark::r1cs_se_ppzksnark_processed_verification_key
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verification_key.hpp:104
nil::crypto3::zk::snark::sap_witness
Definition: sap.hpp:286
nil::crypto3::zk::snark::sap_witness::d2
FieldType::value_type d2
Definition: sap.hpp:291
nil::crypto3::zk::snark::sap_witness::coefficients_for_ACs
std::vector< typename FieldType::value_type > coefficients_for_ACs
Definition: sap.hpp:293
nil::crypto3::zk::snark::sap_witness::num_inputs
std::size_t num_inputs
Definition: sap.hpp:289
nil::crypto3::zk::snark::sap_witness::d1
FieldType::value_type d1
Definition: sap.hpp:291
nil::crypto3::zk::snark::sap_witness::coefficients_for_H
std::vector< typename FieldType::value_type > coefficients_for_H
Definition: sap.hpp:294