zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verifier.hpp
Go to the documentation of this file.
1 //---------------------------------------------------------------------------//
2 // Copyright (c) 2018-2021 Mikhail Komarov <nemo@nil.foundation>
3 // Copyright (c) 2020-2021 Nikita Kaskov <nbering@nil.foundation>
4 //
5 // MIT License
6 //
7 // Permission is hereby granted, free of charge, to any person obtaining a copy
8 // of this software and associated documentation files (the "Software"), to deal
9 // in the Software without restriction, including without limitation the rights
10 // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 // copies of the Software, and to permit persons to whom the Software is
12 // furnished to do so, subject to the following conditions:
13 //
14 // The above copyright notice and this permission notice shall be included in all
15 // copies or substantial portions of the Software.
16 //
17 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 // SOFTWARE.
24 //---------------------------------------------------------------------------//
25 // @file Declaration of interfaces for a ppzkSNARK for BACS.
26 //
27 // This includes:
28 // - class for proving key
29 // - class for verification key
30 // - class for processed verification key
31 // - class for key pair (proving key & verification key)
32 // - class for proof
33 // - generator algorithm
34 // - prover algorithm
35 // - verifier algorithm (with strong or weak input consistency)
36 // - online verifier algorithm (with strong or weak input consistency)
37 //
38 // The implementation is a straightforward combination of:
39 // (1) a BACS-to-R1CS reduction, and
40 // (2) a ppzkSNARK for R1CS.
41 //
42 //
43 // Acronyms:
44 //
45 // - BACS = "Bilinear Arithmetic Circuit Satisfiability"
46 // - R1CS = "Rank-1 Constraint System"
47 // - ppzkSNARK = "PreProcessing Zero-Knowledge Succinct Non-interactive ARgument of Knowledge"
48 //---------------------------------------------------------------------------//
49 
50 #ifndef CRYPTO3_ZK_R1CS_GG_PPZKSNARK_BASIC_VERIFIER_HPP
51 #define CRYPTO3_ZK_R1CS_GG_PPZKSNARK_BASIC_VERIFIER_HPP
52 
53 #include <nil/crypto3/algebra/algorithms/pair.hpp>
54 
55 #include <nil/crypto3/zk/snark/accumulation_vector.hpp>
56 #include <nil/crypto3/zk/snark/commitments/knowledge_commitment.hpp>
57 #include <nil/crypto3/zk/snark/relations/constraint_satisfaction_problems/r1cs.hpp>
58 #include <nil/crypto3/zk/snark/reductions/r1cs_to_qap.hpp>
59 #include <nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/detail/basic_policy.hpp>
60 
61 namespace nil {
62  namespace crypto3 {
63  namespace zk {
64  namespace snark {
65 
66  using namespace algebra;
67 
68  template<typename CurveType, ProvingMode Mode = ProvingMode::Basic>
69  class r1cs_gg_ppzksnark_process_verification_key;
70 
71  template<typename CurveType, ProvingMode Mode = ProvingMode::Basic>
72  class r1cs_gg_ppzksnark_verifier_weak_input_consistency;
73 
74  template<typename CurveType, ProvingMode Mode = ProvingMode::Basic>
75  class r1cs_gg_ppzksnark_verifier_strong_input_consistency;
76 
80  template<typename CurveType>
81  class r1cs_gg_ppzksnark_process_verification_key<CurveType, ProvingMode::Basic> {
82  typedef detail::r1cs_gg_ppzksnark_basic_policy<CurveType, ProvingMode::Basic> policy_type;
83 
84  public:
85  typedef typename policy_type::verification_key_type verification_key_type;
86  typedef typename policy_type::processed_verification_key_type processed_verification_key_type;
87 
88  static inline processed_verification_key_type
89  process(const verification_key_type &verification_key) {
90 
91  processed_verification_key_type processed_verification_key;
92  processed_verification_key.vk_alpha_g1_beta_g2 = verification_key.alpha_g1_beta_g2;
93  processed_verification_key.vk_gamma_g2_precomp =
94  precompute_g2<CurveType>(verification_key.gamma_g2);
95  processed_verification_key.vk_delta_g2_precomp =
96  precompute_g2<CurveType>(verification_key.delta_g2);
97  processed_verification_key.gamma_ABC_g1 = verification_key.gamma_ABC_g1;
98 
99  return processed_verification_key;
100  }
101  };
102 
117  template<typename CurveType>
118  class r1cs_gg_ppzksnark_verifier_weak_input_consistency<CurveType, ProvingMode::Basic> {
119  typedef detail::r1cs_gg_ppzksnark_basic_policy<CurveType, ProvingMode::Basic> policy_type;
120 
121  typedef typename CurveType::scalar_field_type scalar_field_type;
122  typedef typename CurveType::template g1_type<> g1_type;
123  typedef typename CurveType::gt_type gt_type;
124  typedef typename pairing::pairing_policy<CurveType>::g1_precomputed_type g1_precomputed_type;
125  typedef typename pairing::pairing_policy<CurveType>::g2_precomputed_type g2_precomputed_type;
126 
127  public:
128  typedef typename policy_type::primary_input_type primary_input_type;
129  typedef typename policy_type::verification_key_type verification_key_type;
130  typedef typename policy_type::processed_verification_key_type processed_verification_key_type;
131  typedef typename policy_type::proof_type proof_type;
132 
138  static inline bool process(const verification_key_type &verification_key,
139  const primary_input_type &primary_input,
140  const proof_type &proof) {
141  return process(r1cs_gg_ppzksnark_process_verification_key<CurveType>::process(verification_key),
142  primary_input, proof);
143  }
144 
150  static inline bool process(const processed_verification_key_type &processed_verification_key,
151  const primary_input_type &primary_input,
152  const proof_type &proof) {
153 
154  assert(processed_verification_key.gamma_ABC_g1.domain_size() >= primary_input.size());
155 
156  const accumulation_vector<g1_type> accumulated_IC =
157  processed_verification_key.gamma_ABC_g1.accumulate_chunk(primary_input.begin(),
158  primary_input.end(), 0);
159 
160  const typename g1_type::value_type &acc = accumulated_IC.first;
161 
162  bool result = true;
163 
164  if (!proof.is_well_formed()) {
165  result = false;
166  }
167 
168  const g1_precomputed_type proof_g_A_precomp = precompute_g1<CurveType>(proof.g_A);
169  const g2_precomputed_type proof_g_B_precomp = precompute_g2<CurveType>(proof.g_B);
170  const g1_precomputed_type proof_g_C_precomp = precompute_g1<CurveType>(proof.g_C);
171  const g1_precomputed_type acc_precomp = precompute_g1<CurveType>(acc);
172 
173  const typename gt_type::value_type QAP1 =
174  miller_loop<CurveType>(proof_g_A_precomp, proof_g_B_precomp);
175  const typename gt_type::value_type QAP2 = double_miller_loop<CurveType>(
176  acc_precomp, processed_verification_key.vk_gamma_g2_precomp, proof_g_C_precomp,
177  processed_verification_key.vk_delta_g2_precomp);
178  const typename gt_type::value_type QAP =
179  final_exponentiation<CurveType>(QAP1 * QAP2.unitary_inversed());
180 
181  if (QAP != processed_verification_key.vk_alpha_g1_beta_g2) {
182  result = false;
183  }
184 
185  return result;
186  }
187  };
188 
189  template<typename CurveType>
190  class r1cs_gg_ppzksnark_verifier_strong_input_consistency<CurveType, ProvingMode::Basic> {
191  typedef detail::r1cs_gg_ppzksnark_basic_policy<CurveType, ProvingMode::Basic> policy_type;
192 
193  public:
194  typedef typename policy_type::primary_input_type primary_input_type;
195  typedef typename policy_type::verification_key_type verification_key_type;
196  typedef typename policy_type::processed_verification_key_type processed_verification_key_type;
197  typedef typename policy_type::proof_type proof_type;
198 
204  static inline bool process(const verification_key_type &verification_key,
205  const primary_input_type &primary_input,
206  const proof_type &proof) {
207 
208  return process(r1cs_gg_ppzksnark_process_verification_key<CurveType>::process(verification_key),
209  primary_input, proof);
210  }
211 
217  static inline bool process(const processed_verification_key_type &processed_verification_key,
218  const primary_input_type &primary_input,
219  const proof_type &proof) {
220  bool result = true;
221 
222  if (processed_verification_key.gamma_ABC_g1.domain_size() != primary_input.size()) {
223  result = false;
224  } else {
225  result = r1cs_gg_ppzksnark_verifier_weak_input_consistency<CurveType>::process(
226  processed_verification_key, primary_input, proof);
227  }
228 
229  return result;
230  }
231  };
232 
233  // /**
234  // *
235  // * A verifier algorithm for the R1CS GG-ppzkSNARK that:
236  // * (1) accepts a non-processed verification key,
237  // * (2) has weak input consistency, and
238  // * (3) uses affine coordinates for elliptic-curve computations.
239  // */
240  // template<typename CurveType>
241  // class r1cs_gg_ppzksnark_affine_verifier_weak_input_consistency {
242  // typedef detail::r1cs_gg_ppzksnark_basic_policy<CurveType, ProvingMode::Basic> policy_type;
243 
244  // typedef typename CurveType::scalar_field_type scalar_field_type;
245  // typedef typename CurveType::template g1_type<> g1_type;
246  // typedef typename CurveType::gt_type gt_type;
247  // typedef typename pairing::pairing_policy<CurveType>::affine_ate_g1_precomp affine_ate_g1_precomp;
248  // typedef typename pairing::pairing_policy<CurveType>::affine_ate_g2_precomp affine_ate_g2_precomp;
249 
250  // public:
251  // typedef typename policy_type::primary_input_type primary_input_type;
252 
253  // typedef typename policy_type::verification_key_type verification_key_type;
254  // typedef typename policy_type::processed_verification_key_type processed_verification_key_type;
255 
256  // typedef typename policy_type::proof_type proof_type;
257 
258  // static inline bool process(const verification_key_type &verification_key,
259  // const primary_input_type &primary_input,
260  // const proof_type &proof) {
261 
262  // BOOST_ASSERT(verification_key.gamma_ABC_g1.domain_size() >= primary_input.size());
263 
264  // affine_ate_g2_precomp pvk_vk_gamma_g2_precomp =
265  // affine_ate_precompute_g2<CurveType>(verification_key.gamma_g2);
266  // affine_ate_g2_precomp pvk_vk_delta_g2_precomp =
267  // affine_ate_precompute_g2<CurveType>(verification_key.delta_g2);
268 
269  // const accumulation_vector<g1_type> accumulated_IC =
270  // verification_key.gamma_ABC_g1.accumulate_chunk(primary_input.begin(),
271  // primary_input.end(),
272  // 0);
273  // const typename g1_type::value_type &acc = accumulated_IC.first;
274 
275  // bool result = true;
276 
277  // if (!proof.is_well_formed()) {
278  // result = false;
279  // }
280 
281  // const affine_ate_g1_precomp proof_g_A_precomp =
282  // affine_ate_precompute_g1<CurveType>(proof.g_A);
283  // const affine_ate_g2_precomp proof_g_B_precomp =
284  // affine_ate_precompute_g2<CurveType>(proof.g_B);
285  // const affine_ate_g1_precomp proof_g_C_precomp =
286  // affine_ate_precompute_g1<CurveType>(proof.g_C);
287  // const affine_ate_g1_precomp acc_precomp = affine_ate_precompute_g1<CurveType>(acc);
288 
289  // const typename fqk_type::value_type QAP_miller =
290  // affine_ate_e_times_e_over_e_miller_loop<CurveType>(
291  // acc_precomp, pvk_vk_gamma_g2_precomp, proof_g_C_precomp, pvk_vk_delta_g2_precomp,
292  // proof_g_A_precomp, proof_g_B_precomp);
293  // const typename gt_type::value_type QAP =
294  // final_exponentiation<CurveType>(QAP_miller.unitary_inversed());
295 
296  // if (QAP != verification_key.alpha_g1_beta_g2) {
297  // result = false;
298  // }
299  // return result;
300  // }
301  // };
302  } // namespace snark
303  } // namespace zk
304  } // namespace crypto3
305 } // namespace nil
306 
307 #endif // CRYPTO3_ZK_R1CS_GG_PPZKSNARK_BASIC_VERIFIER_HPP
accumulation_vector.hpp
nil::crypto3::zk::snark::accumulation_vector< g1_type >
nil::crypto3::zk::snark::accumulation_vector::domain_size
std::size_t domain_size() const
Definition: accumulation_vector.hpp:79
nil::crypto3::zk::snark::accumulation_vector::accumulate_chunk
accumulation_vector< Type > accumulate_chunk(InputIterator begin, InputIterator end, std::size_t offset) const
Definition: accumulation_vector.hpp:94
nil::crypto3::zk::snark::accumulation_vector::first
underlying_value_type first
Definition: accumulation_vector.hpp:52
nil::crypto3::zk::snark::proof
Definition: snark/proof.hpp:37
nil::crypto3::zk::snark::r1cs_gg_ppzksnark_process_verification_key< CurveType, ProvingMode::Basic >::verification_key_type
policy_type::verification_key_type verification_key_type
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verifier.hpp:85
nil::crypto3::zk::snark::r1cs_gg_ppzksnark_process_verification_key< CurveType, ProvingMode::Basic >::processed_verification_key_type
policy_type::processed_verification_key_type processed_verification_key_type
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verifier.hpp:86
nil::crypto3::zk::snark::r1cs_gg_ppzksnark_process_verification_key< CurveType, ProvingMode::Basic >::process
static processed_verification_key_type process(const verification_key_type &verification_key)
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verifier.hpp:89
nil::crypto3::zk::snark::r1cs_gg_ppzksnark_process_verification_key
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verifier.hpp:69
nil::crypto3::zk::snark::r1cs_gg_ppzksnark_verifier_strong_input_consistency< CurveType, ProvingMode::Basic >::proof_type
policy_type::proof_type proof_type
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verifier.hpp:197
nil::crypto3::zk::snark::r1cs_gg_ppzksnark_verifier_strong_input_consistency< CurveType, ProvingMode::Basic >::process
static bool process(const processed_verification_key_type &processed_verification_key, const primary_input_type &primary_input, const proof_type &proof)
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verifier.hpp:217
nil::crypto3::zk::snark::r1cs_gg_ppzksnark_verifier_strong_input_consistency< CurveType, ProvingMode::Basic >::primary_input_type
policy_type::primary_input_type primary_input_type
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verifier.hpp:194
nil::crypto3::zk::snark::r1cs_gg_ppzksnark_verifier_strong_input_consistency< CurveType, ProvingMode::Basic >::processed_verification_key_type
policy_type::processed_verification_key_type processed_verification_key_type
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verifier.hpp:196
nil::crypto3::zk::snark::r1cs_gg_ppzksnark_verifier_strong_input_consistency< CurveType, ProvingMode::Basic >::process
static bool process(const verification_key_type &verification_key, const primary_input_type &primary_input, const proof_type &proof)
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verifier.hpp:204
nil::crypto3::zk::snark::r1cs_gg_ppzksnark_verifier_strong_input_consistency< CurveType, ProvingMode::Basic >::verification_key_type
policy_type::verification_key_type verification_key_type
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verifier.hpp:195
nil::crypto3::zk::snark::r1cs_gg_ppzksnark_verifier_strong_input_consistency
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verifier.hpp:75
nil::crypto3::zk::snark::r1cs_gg_ppzksnark_verifier_weak_input_consistency< CurveType, ProvingMode::Basic >::processed_verification_key_type
policy_type::processed_verification_key_type processed_verification_key_type
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verifier.hpp:130
nil::crypto3::zk::snark::r1cs_gg_ppzksnark_verifier_weak_input_consistency< CurveType, ProvingMode::Basic >::primary_input_type
policy_type::primary_input_type primary_input_type
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verifier.hpp:128
nil::crypto3::zk::snark::r1cs_gg_ppzksnark_verifier_weak_input_consistency< CurveType, ProvingMode::Basic >::verification_key_type
policy_type::verification_key_type verification_key_type
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verifier.hpp:129
nil::crypto3::zk::snark::r1cs_gg_ppzksnark_verifier_weak_input_consistency< CurveType, ProvingMode::Basic >::proof_type
policy_type::proof_type proof_type
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verifier.hpp:131
nil::crypto3::zk::snark::r1cs_gg_ppzksnark_verifier_weak_input_consistency< CurveType, ProvingMode::Basic >::process
static bool process(const verification_key_type &verification_key, const primary_input_type &primary_input, const proof_type &proof)
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verifier.hpp:138
nil::crypto3::zk::snark::r1cs_gg_ppzksnark_verifier_weak_input_consistency< CurveType, ProvingMode::Basic >::process
static bool process(const processed_verification_key_type &processed_verification_key, const primary_input_type &primary_input, const proof_type &proof)
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verifier.hpp:150
nil::crypto3::zk::snark::r1cs_gg_ppzksnark_verifier_weak_input_consistency
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verifier.hpp:72
knowledge_commitment.hpp
nil::crypto3::zk::snark::ProvingMode
ProvingMode
Definition: modes.hpp:33
nil
Definition: pair.hpp:31
r1cs_to_qap.hpp
nil::crypto3::algebra::pairing::pairing_policy
Definition: pairing_policy.hpp:35
nil::crypto3::zk::snark::detail::r1cs_gg_ppzksnark_basic_policy< CurveType, ProvingMode::Basic >
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/detail/basic_policy.hpp:78
nil::crypto3::zk::snark::detail::r1cs_gg_ppzksnark_basic_policy< CurveType, ProvingMode::Basic >::primary_input_type
r1cs_primary_input< typename curve_type::scalar_field_type > primary_input_type
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/detail/basic_policy.hpp:90
nil::crypto3::zk::snark::r1cs_gg_ppzksnark_processed_verification_key
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verification_key.hpp:102
nil::crypto3::zk::snark::r1cs_gg_ppzksnark_processed_verification_key::vk_gamma_g2_precomp
pairing_policy::g2_precomputed_type vk_gamma_g2_precomp
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verification_key.hpp:107
nil::crypto3::zk::snark::r1cs_gg_ppzksnark_processed_verification_key::gamma_ABC_g1
accumulation_vector< typename CurveType::template g1_type<> > gamma_ABC_g1
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verification_key.hpp:110
nil::crypto3::zk::snark::r1cs_gg_ppzksnark_processed_verification_key::vk_alpha_g1_beta_g2
CurveType::gt_type::value_type vk_alpha_g1_beta_g2
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verification_key.hpp:106
nil::crypto3::zk::snark::r1cs_gg_ppzksnark_processed_verification_key::vk_delta_g2_precomp
pairing_policy::g2_precomputed_type vk_delta_g2_precomp
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verification_key.hpp:108
nil::crypto3::zk::snark::r1cs_gg_ppzksnark_proof
Definition: snark/systems/ppzksnark/r1cs_gg_ppzksnark/proof.hpp:40
nil::crypto3::zk::snark::r1cs_gg_ppzksnark_verification_key
Definition: zk/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verification_key.hpp:47
nil::crypto3::zk::snark::verification_key
Definition: zk/include/nil/crypto3/zk/snark/verification_key.hpp:35
basic_policy.hpp