srs.hpp
Go to the documentation of this file.
1 //---------------------------------------------------------------------------//
2 // Copyright (c) 2018-2021 Mikhail Komarov <nemo@nil.foundation>
3 // Copyright (c) 2020-2021 Nikita Kaskov <nbering@nil.foundation>
4 // Copyright (c) 2020-2021 Ilias Khairullin <ilias@nil.foundation>
5 //
6 // MIT License
7 //
8 // Permission is hereby granted, free of charge, to any person obtaining a copy
9 // of this software and associated documentation files (the "Software"), to deal
10 // in the Software without restriction, including without limitation the rights
11 // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12 // copies of the Software, and to permit persons to whom the Software is
13 // furnished to do so, subject to the following conditions:
14 //
15 // The above copyright notice and this permission notice shall be included in all
16 // copies or substantial portions of the Software.
17 //
18 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19 // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20 // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
21 // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22 // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
24 // SOFTWARE.
25 //---------------------------------------------------------------------------//
26 
27 #ifndef CRYPTO3_R1CS_GG_PPZKSNARK_AGGREGATE_IPP2_SRS_HPP
28 #define CRYPTO3_R1CS_GG_PPZKSNARK_AGGREGATE_IPP2_SRS_HPP
29 
30 #include <vector>
31 #include <tuple>
32 
36 
37 namespace nil {
38  namespace crypto3 {
39  namespace zk {
40  namespace snark {
41  template<typename GroupType,
42  typename ScalarFieldType = typename GroupType::curve_type::scalar_field_type>
43  std::vector<typename GroupType::value_type>
44  structured_generators_scalar_power(std::size_t n, const typename ScalarFieldType::value_type &s) {
45  BOOST_ASSERT(n > 0);
46 
47  std::vector<typename GroupType::value_type> powers_of_g {GroupType::value_type::one()};
48 
49  for (std::size_t i = 1; i < n; i++) {
50  powers_of_g.emplace_back(powers_of_g.back() * s);
51  }
52 
53  return powers_of_g;
54  }
55 
60  template<typename CurveType>
62  typedef CurveType curve_type;
63 
64  typedef typename curve_type::template g1_type<> g1_type;
65  typedef typename curve_type::template g2_type<> g2_type;
66  typedef typename g1_type::value_type g1_value_type;
67  typedef typename g2_type::value_type g2_value_type;
68 
72 
77  bool has_correct_len(std::size_t n) const {
79  }
80 
82  std::size_t n;
84  std::vector<g1_value_type> g_alpha_powers;
86  std::vector<g2_value_type> h_alpha_powers;
88  std::vector<g1_value_type> g_beta_powers;
90  std::vector<g2_value_type> h_beta_powers;
95  };
96 
100  template<typename CurveType>
102  typedef CurveType curve_type;
103 
104  std::size_t n;
105  typename CurveType::template g1_type<>::value_type g;
106  typename CurveType::template g2_type<>::value_type h;
107  typename CurveType::template g1_type<>::value_type g_alpha;
108  typename CurveType::template g1_type<>::value_type g_beta;
109  typename CurveType::template g2_type<>::value_type h_alpha;
110  typename CurveType::template g2_type<>::value_type h_beta;
111  };
112 
120  template<typename CurveType>
122  typedef CurveType curve_type;
124  typedef typename curve_type::scalar_field_type scalar_field_type;
125  typedef typename curve_type::template g1_type<> g1_type;
126  typedef typename curve_type::template g2_type<> g2_type;
127  typedef typename g1_type::value_type g1_value_type;
128  typedef typename g2_type::value_type g2_value_type;
129  typedef typename scalar_field_type::value_type scalar_field_value_type;
130 
133  typedef std::pair<proving_srs_type, verification_srs_type> srs_pair_type;
134 
136  std::vector<g1_value_type> g_alpha_powers;
138  std::vector<g2_value_type> h_alpha_powers;
140  std::vector<g1_value_type> g_beta_powers;
142  std::vector<g2_value_type> h_beta_powers;
143 
145  r1cs_gg_ppzksnark_aggregate_srs(std::size_t num_proofs, const scalar_field_value_type &alpha,
146  const scalar_field_value_type &beta) :
151  }
152 
157  srs_pair_type specialize(std::size_t num_proofs) {
158  BOOST_ASSERT(num_proofs > 0 && (num_proofs & (num_proofs - 1)) == 0);
159 
160  std::size_t tn = 2 * num_proofs; // size of the CRS we need
161  BOOST_ASSERT(g_alpha_powers.size() >= tn);
162  BOOST_ASSERT(h_alpha_powers.size() >= tn);
163  BOOST_ASSERT(g_beta_powers.size() >= tn);
164  BOOST_ASSERT(h_beta_powers.size() >= tn);
165 
166  std::size_t n = num_proofs;
167  // when doing the KZG opening we need _all_ coefficients from 0
168  // to 2n-1 because the polynomial is of degree 2n-1.
169  std::size_t g_low = 0;
170  std::size_t g_up = tn;
171  std::size_t h_low = 0;
172  std::size_t h_up = h_low + n;
173  std::vector<typename CurveType::template g2_type<>::value_type> v1 = {
174  h_alpha_powers.begin() + h_low, h_alpha_powers.begin() + h_up};
175  std::vector<typename CurveType::template g2_type<>::value_type> v2 = {
176  h_beta_powers.begin() + h_low, h_beta_powers.begin() + h_up};
177  typename proving_srs_type::vkey_type vkey = {v1, v2};
178  BOOST_ASSERT(vkey.has_correct_len(n));
179  // however, here we only need the "right" shifted bases for the
180  // commitment scheme.
181  std::vector<typename CurveType::template g1_type<>::value_type> w1 = {
182  g_alpha_powers.begin() + n, g_alpha_powers.begin() + g_up};
183  std::vector<typename CurveType::template g1_type<>::value_type> w2 = {
184  g_beta_powers.begin() + n, g_beta_powers.begin() + g_up};
185  typename proving_srs_type::wkey_type wkey = {w1, w2};
186  BOOST_ASSERT(wkey.has_correct_len(n));
187 
188  proving_srs_type pk = {n,
189  {g_alpha_powers.begin() + g_low, g_alpha_powers.begin() + g_up},
190  {h_alpha_powers.begin() + h_low, h_alpha_powers.begin() + h_up},
191  {g_beta_powers.begin() + g_low, g_beta_powers.begin() + g_up},
192  {h_beta_powers.begin() + h_low, h_beta_powers.begin() + h_up},
193  vkey,
194  wkey};
195  verification_srs_type vk = {n,
196  g_alpha_powers[0],
197  h_alpha_powers[0],
198  g_alpha_powers[1],
199  g_beta_powers[1],
200  h_alpha_powers[1],
201  h_beta_powers[1]};
202  return std::make_pair(pk, vk);
203  }
204  };
205  } // namespace snark
206  } // namespace zk
207  } // namespace crypto3
208 } // namespace nil
209 
210 #endif // CRYPTO3_R1CS_GG_PPZKSNARK_AGGREGATE_IPP2_SRS_HPP
ProvingMode
Definition: modes.hpp:33
std::vector< typename GroupType::value_type > structured_generators_scalar_power(std::size_t n, const typename ScalarFieldType::value_type &s)
Definition: srs.hpp:44
Definition: pair.hpp:31
curve_type::template g2_type g2_type
Definition: srs.hpp:65
std::size_t n
number of proofs to aggregate
Definition: srs.hpp:82
std::vector< g1_value_type > g_beta_powers
_{i=n}^{N}$ where N is the smallest size of the two Groth16 CRS.
Definition: srs.hpp:88
std::vector< g2_value_type > h_beta_powers
_{i=0}^{N}$ where N is the smallest size of the two Groth16 CRS.
Definition: srs.hpp:90
commitment_type::vkey_type vkey_type
Definition: srs.hpp:70
commitment_type::wkey_type wkey_type
Definition: srs.hpp:71
std::vector< g1_value_type > g_alpha_powers
_{i=0}^{N}$ where N is the smallest size of the two Groth16 CRS.
Definition: srs.hpp:84
g1_type::value_type g1_value_type
Definition: srs.hpp:66
vkey_type vkey
commitment key using in MIPP and TIPP
Definition: srs.hpp:92
curve_type::template g1_type g1_type
Definition: srs.hpp:64
wkey_type wkey
commitment key using in TIPP
Definition: srs.hpp:94
bool has_correct_len(std::size_t n) const
Definition: srs.hpp:77
std::vector< g2_value_type > h_alpha_powers
_{i=0}^{N}$ where N is the smallest size of the two Groth16 CRS.
Definition: srs.hpp:86
g2_type::value_type g2_value_type
Definition: srs.hpp:67
r1cs_gg_ppzksnark_ipp2_commitment< CurveType > commitment_type
Definition: srs.hpp:69
curve_type::scalar_field_type scalar_field_type
Definition: srs.hpp:124
scalar_field_type::value_type scalar_field_value_type
Definition: srs.hpp:129
curve_type::template g2_type g2_type
Definition: srs.hpp:126
g1_type::value_type g1_value_type
Definition: srs.hpp:127
std::vector< g2_value_type > h_alpha_powers
_{i=0}^{N}$ where N is the smallest size of the two Groth16 CRS.
Definition: srs.hpp:138
std::vector< g1_value_type > g_alpha_powers
_{i=0}^{N}$ where N is the smallest size of the two Groth16 CRS.
Definition: srs.hpp:136
std::vector< g2_value_type > h_beta_powers
_{i=0}^{N}$ where N is the smallest size of the two Groth16 CRS.
Definition: srs.hpp:142
std::pair< proving_srs_type, verification_srs_type > srs_pair_type
Definition: srs.hpp:133
std::vector< g1_value_type > g_beta_powers
_{i=n}^{N}$ where N is the smallest size of the two Groth16 CRS.
Definition: srs.hpp:140
r1cs_gg_ppzksnark_aggregate_verification_srs< CurveType > verification_srs_type
Definition: srs.hpp:132
r1cs_gg_ppzksnark_aggregate_proving_srs< CurveType > proving_srs_type
Definition: srs.hpp:131
curve_type::template g1_type g1_type
Definition: srs.hpp:125
static constexpr ProvingMode mode
Definition: srs.hpp:123
srs_pair_type specialize(std::size_t num_proofs)
Definition: srs.hpp:157
r1cs_gg_ppzksnark_aggregate_srs(std::size_t num_proofs, const scalar_field_value_type &alpha, const scalar_field_value_type &beta)
Definition: srs.hpp:145
g2_type::value_type g2_value_type
Definition: srs.hpp:128
CurveType::template g1_type ::value_type g
Definition: srs.hpp:105
CurveType::template g2_type ::value_type h_beta
Definition: srs.hpp:110
CurveType::template g1_type ::value_type g_beta
Definition: srs.hpp:108
CurveType::template g2_type ::value_type h
Definition: srs.hpp:106
CurveType::template g2_type ::value_type h_alpha
Definition: srs.hpp:109
CurveType::template g1_type ::value_type g_alpha
Definition: srs.hpp:107
bool has_correct_len(std::size_t n) const
Definition: commitment.hpp:98