Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
var ErrInvalidAlgebraicRelation = errors.New("algebraic relation does not hold")
Functions ¶
func Setup ¶
func Setup(spr *cs.SparseR1CS) (*ProvingKey, *VerifyingKey, error)
Setup sets proving and verifying keys
Types ¶
type Proof ¶
type Proof struct { // commitments to the solution vectors LROpp [3]fri.ProofOfProximity // commitment to Z (permutation polynomial) // Z Commitment Zpp fri.ProofOfProximity // commitment to h1,h2,h3 such that h = h1 + X**n*h2 + X**2nh3 the quotient polynomial Hpp [3]fri.ProofOfProximity // opening proofs for L, R, O OpeningsLROmp [3]fri.OpeningProof // opening proofs for Z, Zu OpeningsZmp [2]fri.OpeningProof // opening proof for H OpeningsHmp [3]fri.OpeningProof // opening proofs for ql, qr, qm, qo, qk OpeningsQlQrQmQoQkincompletemp [5]fri.OpeningProof // openings of S1, S2, S3 // OpeningsS1S2S3 [3]OpeningProof OpeningsS1S2S3mp [3]fri.OpeningProof // openings of Id1, Id2, Id3 OpeningsId1Id2Id3mp [3]fri.OpeningProof }
func Prove ¶
func Prove(spr *cs.SparseR1CS, pk *ProvingKey, fullWitness fr.Vector, opt backend.ProverConfig) (*Proof, error)
type ProvingKey ¶
type ProvingKey struct { // Verifying Key is embedded into the proving key (needed by Prove) Vk *VerifyingKey // qr,ql,qm,qo and Qk incomplete (Ls=Lagrange basis big domain, L=Lagrange basis small domain, C=canonical basis) EvaluationQlDomainBigBitReversed []fr.Element EvaluationQrDomainBigBitReversed []fr.Element EvaluationQmDomainBigBitReversed []fr.Element EvaluationQoDomainBigBitReversed []fr.Element LQkIncompleteDomainSmall []fr.Element CQl, CQr, CQm, CQo, CQkIncomplete []fr.Element // Domains used for the FFTs // 0 -> "small" domain, used for individual polynomials // 1 -> "big" domain, used for the computation of the quotient Domain [2]fft.Domain // s1, s2, s3 (L=Lagrange basis small domain, C=canonical basis, Ls=Lagrange Shifted big domain) LId []fr.Element EvaluationId1BigDomain, EvaluationId2BigDomain, EvaluationId3BigDomain []fr.Element EvaluationS1BigDomain, EvaluationS2BigDomain, EvaluationS3BigDomain []fr.Element // position -> permuted position (position in [0,3*sizeSystem-1]) Permutation []int64 }
ProvingKey stores the data needed to generate a proof: * the commitment scheme * ql, prepended with as many ones as they are public inputs * qr, qm, qo prepended with as many zeroes as there are public inputs. * qk, prepended with as many zeroes as public inputs, to be completed by the prover with the list of public inputs. * sigma_1, sigma_2, sigma_3 in both basis * the copy constraint permutation
func (*ProvingKey) VerifyingKey ¶
func (pk *ProvingKey) VerifyingKey() interface{}
VerifyingKey returns pk.Vk
type VerifyingKey ¶
type VerifyingKey struct { // Size circuit, that is the closest power of 2 bounding above // number of constraints+number of public inputs Size uint64 SizeInv fr.Element Generator fr.Element NbPublicVariables uint64 // cosetShift generator of the coset on the small domain CosetShift fr.Element // S commitments to S1, S2, S3 SCanonical [3][]fr.Element Spp [3]fri.ProofOfProximity // Id commitments to Id1, Id2, Id3 // Id [3]Commitment IdCanonical [3][]fr.Element Idpp [3]fri.ProofOfProximity // Commitments to ql, qr, qm, qo prepended with as many zeroes (ones for l) as there are public inputs. // In particular Qk is not complete. Qpp [5]fri.ProofOfProximity // Ql, Qr, Qm, Qo, Qk // Iopp scheme (currently one for each size of polynomial) Iopp fri.Iopp // generator of the group on which the Iopp works. If i is the opening position, // the polynomials will be opened at genOpening^{i}. GenOpening fr.Element }
VerifyingKey stores the data needed to verify a proof: * The commitment scheme * Commitments of ql prepended with as many ones as there are public inputs * Commitments of qr, qm, qo, qk prepended with as many zeroes as there are public inputs * Commitments to S1, S2, S3
func (*VerifyingKey) NbPublicWitness ¶
func (vk *VerifyingKey) NbPublicWitness() int
NbPublicWitness returns the expected public witness size (number of field elements)