Documentation
¶
Overview ¶
Package shplonk provides a SHPLONK commitment scheme, cf https://eprint.iacr.org/2020/081.pdf
Example (BatchOpen) ¶
This example shows how to batch open a list of polynomials on a set of points, where each polynomial is opened on its own set of point. That is the i-th polynomial f_i is opened on set of point S_i.
const nbPolynomials = 10
// sample a list of points and a list of polynomials. The i-th polynomial
// is opened on the i-th set of points, there might be several points per set.
points := make([][]fr.Element, nbPolynomials)
polynomials := make([][]fr.Element, nbPolynomials)
for i := 0; i < nbPolynomials; i++ {
polynomials[i] = make([]fr.Element, 20+2*i) // random size
for j := 0; j < 20+2*i; j++ {
polynomials[i][j].SetRandom()
}
points[i] = make([]fr.Element, i+1) // random number of point
for j := 0; j < i+1; j++ {
points[i][j].SetRandom()
}
}
// Create commitments for each polynomials
var err error
digests := make([]kzg.Digest, nbPolynomials)
for i := 0; i < nbPolynomials; i++ {
digests[i], err = kzg.Commit(polynomials[i], testSrs.Pk)
if err != nil {
panic(err)
}
}
// hash function that is used for the challenge derivation in Fiat Shamir
hf := sha256.New()
// ceate an opening proof of polynomials[i] on the set points[i]
openingProof, err := BatchOpen(polynomials, digests, points, hf, testSrs.Pk)
if err != nil {
panic(err)
}
// we verify the proof. If the proof is correct, then openingProof[i][j] contains
// the evaluation of the polynomials[i] on points[i][j]
err = BatchVerify(openingProof, digests, points, hf, testSrs.Vk)
if err != nil {
panic(err)
}
fmt.Println("verified")
Output: verified
Index ¶
Examples ¶
Constants ¶
This section is empty.
Variables ¶
var ( ErrInvalidNumberOfPoints = errors.New("number of digests should be equal to the number of points") ErrVerifyOpeningProof = errors.New("can't verify batch opening proof") ErrInvalidNumberOfDigests = errors.New("number of digests should be equal to the number of polynomials") ErrPairingCheck = errors.New("pairing product is not 1") )
Functions ¶
func BatchVerify ¶
func BatchVerify(proof OpeningProof, digests []kzg.Digest, points [][]fr.Element, hf hash.Hash, vk kzg.VerifyingKey, dataTranscript ...[]byte) error
BatchVerify uses proof to check that the commitments correctly open to proof.ClaimedValues at points. The order matters: the proof validates that the i-th commitment is correctly opened at the i-th point dataTranscript is some extra data that might be needed for Fiat Shamir, and is appended at the end of the original transcript.
Types ¶
type OpeningProof ¶
type OpeningProof struct {
// W = ∑ᵢ γⁱZ_{T\Sᵢ}(f_i(X)-r)/Z_{T} where Z_{T} is the vanishing polynomial on the (Sᵢ)_{i}
// and r interpolates fᵢ(Sᵢ) on (Sᵢ)
W bw6761.G1Affine
// L(X)/(X-z) where L(X)=∑ᵢγⁱZ_{T\xᵢ}(f_i(X)-rᵢ) - Z_{T}W(X)
WPrime bw6761.G1Affine
// ClaimedValues[i] are the values of fᵢ on Sᵢ
ClaimedValues [][]fr.Element
}
OpeningProof KZG proof for opening (fᵢ)_{i} at a different points (xᵢ)_{i}.
implements io.ReaderFrom and io.WriterTo
Source Files