snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp
Go to the documentation of this file.
1 //---------------------------------------------------------------------------//
2 // Copyright (c) 2018-2021 Mikhail Komarov <nemo@nil.foundation>
3 // Copyright (c) 2020-2021 Nikita Kaskov <nbering@nil.foundation>
4 // Copyright (c) 2020-2021 Ilias Khairullin <ilias@nil.foundation>
5 //
6 // MIT License
7 //
8 // Permission is hereby granted, free of charge, to any person obtaining a copy
9 // of this software and associated documentation files (the "Software"), to deal
10 // in the Software without restriction, including without limitation the rights
11 // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12 // copies of the Software, and to permit persons to whom the Software is
13 // furnished to do so, subject to the following conditions:
14 //
15 // The above copyright notice and this permission notice shall be included in all
16 // copies or substantial portions of the Software.
17 //
18 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19 // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20 // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
21 // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22 // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
24 // SOFTWARE.
25 //---------------------------------------------------------------------------//
26 
27 #ifndef CRYPTO3_R1CS_GG_PPZKSNARK_IPP2_AGGREGATE_PROOF_HPP
28 #define CRYPTO3_R1CS_GG_PPZKSNARK_IPP2_AGGREGATE_PROOF_HPP
29 
30 #include <vector>
31 #include <tuple>
32 #include <cmath>
33 
34 #include <nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/proof.hpp>
35 #include <nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/commitment.hpp>
36 #include <nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/srs.hpp>
37 
38 namespace nil {
39  namespace crypto3 {
40  namespace zk {
41  namespace snark {
44  template<typename GroupType>
45  using kzg_opening = std::pair<typename GroupType::value_type, typename GroupType::value_type>;
46 
49  template<typename CurveType>
50  struct gipa_proof {
51  typedef CurveType curve_type;
52 
53  std::size_t nproofs;
54  std::vector<std::pair<r1cs_gg_ppzksnark_ipp2_commitment_output<curve_type>,
55  r1cs_gg_ppzksnark_ipp2_commitment_output<curve_type>>>
56  comms_ab;
57  std::vector<std::pair<r1cs_gg_ppzksnark_ipp2_commitment_output<curve_type>,
58  r1cs_gg_ppzksnark_ipp2_commitment_output<curve_type>>>
59  comms_c;
60  std::vector<
61  std::pair<typename curve_type::gt_type::value_type, typename curve_type::gt_type::value_type>>
62  z_ab;
63  std::vector<std::pair<typename curve_type::template g1_type<>::value_type,
64  typename curve_type::template g1_type<>::value_type>>
65  z_c;
66  typename curve_type::template g1_type<>::value_type final_a;
67  typename curve_type::template g2_type<>::value_type final_b;
68  typename curve_type::template g1_type<>::value_type final_c;
69 
72  std::pair<typename curve_type::template g2_type<>::value_type,
73  typename curve_type::template g2_type<>::value_type>
74  final_vkey;
75  std::pair<typename curve_type::template g1_type<>::value_type,
76  typename curve_type::template g1_type<>::value_type>
77  final_wkey;
78 
79  static std::size_t log_proofs(std::size_t nproofs) {
80  return std::ceil(std::log2(nproofs));
81  }
82  };
83 
84  template<typename CurveType>
85  struct tipp_mipp_proof {
86  typedef CurveType curve_type;
87 
88  gipa_proof<curve_type> gipa;
89  kzg_opening<typename curve_type::template g2_type<>> vkey_opening;
90  kzg_opening<typename curve_type::template g1_type<>> wkey_opening;
91  };
95  template<typename CurveType>
96  struct r1cs_gg_ppzksnark_aggregate_proof {
97  typedef CurveType curve_type;
100  r1cs_gg_ppzksnark_ipp2_commitment_output<curve_type> com_ab;
102  r1cs_gg_ppzksnark_ipp2_commitment_output<curve_type> com_c;
104  typename curve_type::gt_type::value_type ip_ab;
106  typename curve_type::template g1_type<>::value_type agg_c;
107  tipp_mipp_proof<curve_type> tmipp;
108 
111  bool is_valid() const {
112  // 1. Check length of the proofs
113  if (tmipp.gipa.nproofs < 2 ||
114  tmipp.gipa.nproofs >
115  r1cs_gg_ppzksnark_aggregate_srs<curve_type>::MAX_SRS_SIZE) {
116  return false;
117  }
118  // 2. Check if it's a power of two
119  if ((tmipp.gipa.nproofs & (tmipp.gipa.nproofs - 1)) != 0) {
120  return false;
121  }
122  // 3. Check all vectors are of the same length and of the correct length
123  if (tmipp.gipa.comms_ab.size() != std::ceil(std::log2(tmipp.gipa.nproofs))) {
124  return false;
125  }
126  if (!(tmipp.gipa.comms_ab.size() == tmipp.gipa.comms_c &&
127  tmipp.gipa.comms_ab == tmipp.gipa.z_ab && tmipp.gipa.comms_ab == tmipp.gipa.z_c)) {
128  return false;
129  }
130 
131  return true;
132  }
133  };
134  } // namespace snark
135  } // namespace zk
136  } // namespace crypto3
137 } // namespace nil
138 
139 #endif // CRYPTO3_R1CS_GG_PPZKSNARK_TYPES_POLICY_HPP
nil::crypto3::algebra::vector
vector(T, U...) -> vector< std::enable_if_t<(std::is_same_v< T, U > &&...), T >, 1+sizeof...(U)>
deduction guide for uniform initialization
nil::crypto3::zk::snark::kzg_opening
std::pair< typename GroupType::value_type, typename GroupType::value_type > kzg_opening
Definition: snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp:45
nil::crypto3::zk::snark::r1cs_gg_ppzksnark_ipp2_commitment_output
std::pair< typename CurveType::gt_type::value_type, typename CurveType::gt_type::value_type > r1cs_gg_ppzksnark_ipp2_commitment_output
Both commitment outputs a pair of $F_q^k$ element.
Definition: commitment.hpp:76
nil
Definition: pair.hpp:31
proof.hpp
nil::crypto3::zk::snark::gipa_proof
Definition: snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp:50
nil::crypto3::zk::snark::gipa_proof::final_a
curve_type::template g1_type ::value_type final_a
Definition: snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp:66
nil::crypto3::zk::snark::gipa_proof::comms_ab
std::vector< std::pair< r1cs_gg_ppzksnark_ipp2_commitment_output< curve_type >, r1cs_gg_ppzksnark_ipp2_commitment_output< curve_type > > > comms_ab
Definition: snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp:56
nil::crypto3::zk::snark::gipa_proof::nproofs
std::size_t nproofs
Definition: snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp:53
nil::crypto3::zk::snark::gipa_proof::final_b
curve_type::template g2_type ::value_type final_b
Definition: snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp:67
nil::crypto3::zk::snark::gipa_proof::z_c
std::vector< std::pair< typename curve_type::template g1_type<>::value_type, typename curve_type::template g1_type<>::value_type > > z_c
Definition: snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp:65
nil::crypto3::zk::snark::gipa_proof::final_wkey
std::pair< typename curve_type::template g1_type<>::value_type, typename curve_type::template g1_type<>::value_type > final_wkey
Definition: snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp:77
nil::crypto3::zk::snark::gipa_proof::log_proofs
static std::size_t log_proofs(std::size_t nproofs)
Definition: snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp:79
nil::crypto3::zk::snark::gipa_proof::z_ab
std::vector< std::pair< typename curve_type::gt_type::value_type, typename curve_type::gt_type::value_type > > z_ab
Definition: snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp:62
nil::crypto3::zk::snark::gipa_proof::final_vkey
std::pair< typename curve_type::template g2_type<>::value_type, typename curve_type::template g2_type<>::value_type > final_vkey
Definition: snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp:74
nil::crypto3::zk::snark::gipa_proof::curve_type
CurveType curve_type
Definition: snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp:51
nil::crypto3::zk::snark::gipa_proof::comms_c
std::vector< std::pair< r1cs_gg_ppzksnark_ipp2_commitment_output< curve_type >, r1cs_gg_ppzksnark_ipp2_commitment_output< curve_type > > > comms_c
Definition: snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp:59
nil::crypto3::zk::snark::gipa_proof::final_c
curve_type::template g1_type ::value_type final_c
Definition: snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp:68
nil::crypto3::zk::snark::r1cs_gg_ppzksnark_aggregate_proof
Definition: snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp:96
nil::crypto3::zk::snark::r1cs_gg_ppzksnark_aggregate_proof::com_ab
r1cs_gg_ppzksnark_ipp2_commitment_output< curve_type > com_ab
Definition: snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp:100
nil::crypto3::zk::snark::r1cs_gg_ppzksnark_aggregate_proof::com_c
r1cs_gg_ppzksnark_ipp2_commitment_output< curve_type > com_c
commit to C separate since we use it only in MIPP
Definition: snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp:102
nil::crypto3::zk::snark::r1cs_gg_ppzksnark_aggregate_proof::ip_ab
curve_type::gt_type::value_type ip_ab
$A^r * B = Z$ is the left value on the aggregated Groth16 equation
Definition: snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp:104
nil::crypto3::zk::snark::r1cs_gg_ppzksnark_aggregate_proof::curve_type
CurveType curve_type
Definition: snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp:97
nil::crypto3::zk::snark::r1cs_gg_ppzksnark_aggregate_proof::is_valid
bool is_valid() const
Definition: snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp:111
nil::crypto3::zk::snark::r1cs_gg_ppzksnark_aggregate_proof::agg_c
curve_type::template g1_type ::value_type agg_c
$C^r$ is used on the right side of the aggregated Groth16 equation
Definition: snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp:106
nil::crypto3::zk::snark::r1cs_gg_ppzksnark_aggregate_proof::tmipp
tipp_mipp_proof< curve_type > tmipp
Definition: snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp:107
nil::crypto3::zk::snark::r1cs_gg_ppzksnark_aggregate_srs
Definition: srs.hpp:121
nil::crypto3::zk::snark::tipp_mipp_proof
Definition: snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp:85
nil::crypto3::zk::snark::tipp_mipp_proof::gipa
gipa_proof< curve_type > gipa
Definition: snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp:88
nil::crypto3::zk::snark::tipp_mipp_proof::vkey_opening
kzg_opening< typename curve_type::template g2_type<> > vkey_opening
Definition: snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp:89
nil::crypto3::zk::snark::tipp_mipp_proof::wkey_opening
kzg_opening< typename curve_type::template g1_type<> > wkey_opening
Definition: snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp:90
nil::crypto3::zk::snark::tipp_mipp_proof::curve_type
CurveType curve_type
Definition: snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp:86