kzg

package
v0.12.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 5, 2023 License: Apache-2.0 Imports: 10 Imported by: 0

Documentation

Overview

Package kzg provides a KZG commitment scheme.

Index

Constants

This section is empty.

Variables

View Source
var (
	ErrInvalidNbDigests              = errors.New("number of digests is not the same as the number of polynomials")
	ErrZeroNbDigests                 = errors.New("number of digests is zero")
	ErrInvalidPolynomialSize         = errors.New("invalid polynomial size (larger than SRS or == 0)")
	ErrVerifyOpeningProof            = errors.New("can't verify opening proof")
	ErrVerifyBatchOpeningSinglePoint = errors.New("can't verify batch opening proof at single point")
	ErrMinSRSSize                    = errors.New("minimum srs size is 2")
)

Functions

func BatchVerifyMultiPoints

func BatchVerifyMultiPoints(digests []Digest, proofs []OpeningProof, points []fr.Element, vk VerifyingKey) error

BatchVerifyMultiPoints batch verifies a list of opening proofs at different points. The purpose of the batching is to have only one pairing for verifying several proofs.

* digests list of committed polynomials * proofs list of opening proofs, one for each digest * points the list of points at which the opening are done

func BatchVerifySinglePoint

func BatchVerifySinglePoint(digests []Digest, batchOpeningProof *BatchOpeningProof, point fr.Element, hf hash.Hash, vk VerifyingKey, dataTranscript ...[]byte) error

BatchVerifySinglePoint verifies a batched opening proof at a single point of a list of polynomials.

* digests list of digests on which opening proof is done * batchOpeningProof proof of correct opening on the digests * dataTranscript extra data that might be needed to derive the challenge used for the folding

func FoldProof

func FoldProof(digests []Digest, batchOpeningProof *BatchOpeningProof, point fr.Element, hf hash.Hash, dataTranscript ...[]byte) (OpeningProof, Digest, error)

FoldProof fold the digests and the proofs in batchOpeningProof using Fiat Shamir to obtain an opening proof at a single point.

* digests list of digests on which batchOpeningProof is based * batchOpeningProof opening proof of digests * transcript extra data needed to derive the challenge used for folding. * returns the folded version of batchOpeningProof, Digest, the folded version of digests

func Verify

func Verify(commitment *Digest, proof *OpeningProof, point fr.Element, vk VerifyingKey) error

Verify verifies a KZG opening proof at a single point

Types

type BatchOpeningProof

type BatchOpeningProof struct {
	// H quotient polynomial Sum_i gamma**i*(f - f(z))/(x-z)
	H bls24317.G1Affine

	// ClaimedValues purported values
	ClaimedValues []fr.Element
}

BatchOpeningProof opening proof for many polynomials at the same point

implements io.ReaderFrom and io.WriterTo

func BatchOpenSinglePoint

func BatchOpenSinglePoint(polynomials [][]fr.Element, digests []Digest, point fr.Element, hf hash.Hash, pk ProvingKey, dataTranscript ...[]byte) (BatchOpeningProof, error)

BatchOpenSinglePoint creates a batch opening proof at point of a list of polynomials. It's an interactive protocol, made non-interactive using Fiat Shamir.

* point is the point at which the polynomials are opened. * digests is the list of committed polynomials to open, need to derive the challenge using Fiat Shamir. * polynomials is the list of polynomials to open, they are supposed to be of the same size. * dataTranscript extra data that might be needed to derive the challenge used for folding

func (*BatchOpeningProof) ReadFrom

func (proof *BatchOpeningProof) ReadFrom(r io.Reader) (int64, error)

ReadFrom decodes BatchOpeningProof data from reader.

func (*BatchOpeningProof) WriteTo

func (proof *BatchOpeningProof) WriteTo(w io.Writer) (int64, error)

WriteTo writes binary encoding of a BatchOpeningProof

type Digest

type Digest = bls24317.G1Affine

Digest commitment of a polynomial.

func Commit

func Commit(p []fr.Element, pk ProvingKey, nbTasks ...int) (Digest, error)

Commit commits to a polynomial using a multi exponentiation with the SRS. It is assumed that the polynomial is in canonical form, in Montgomery form.

type OpeningProof

type OpeningProof struct {
	// H quotient polynomial (f - f(z))/(x-z)
	H bls24317.G1Affine

	// ClaimedValue purported value
	ClaimedValue fr.Element
}

OpeningProof KZG proof for opening at a single point.

implements io.ReaderFrom and io.WriterTo

func Open

func Open(p []fr.Element, point fr.Element, pk ProvingKey) (OpeningProof, error)

Open computes an opening proof of polynomial p at given point. fft.Domain Cardinality must be larger than p.Degree()

func (*OpeningProof) ReadFrom

func (proof *OpeningProof) ReadFrom(r io.Reader) (int64, error)

ReadFrom decodes OpeningProof data from reader.

func (*OpeningProof) WriteTo

func (proof *OpeningProof) WriteTo(w io.Writer) (int64, error)

WriteTo writes binary encoding of a OpeningProof

type ProvingKey added in v0.11.0

type ProvingKey struct {
	G1 []bls24317.G1Affine // [G₁ [α]G₁ , [α²]G₁, ... ]
}

ProvingKey used to create or open commitments

func (*ProvingKey) ReadFrom added in v0.11.0

func (pk *ProvingKey) ReadFrom(r io.Reader) (int64, error)

ReadFrom decodes ProvingKey data from reader.

func (*ProvingKey) UnsafeReadFrom added in v0.11.2

func (pk *ProvingKey) UnsafeReadFrom(r io.Reader) (int64, error)

UnsafeReadFrom decodes ProvingKey data from reader without checking that point are in the correct subgroup.

func (*ProvingKey) WriteRawTo added in v0.11.2

func (pk *ProvingKey) WriteRawTo(w io.Writer) (int64, error)

WriteRawTo writes binary encoding of ProvingKey to w without point compression

func (*ProvingKey) WriteTo added in v0.11.0

func (pk *ProvingKey) WriteTo(w io.Writer) (int64, error)

WriteTo writes binary encoding of the ProvingKey

type SRS

type SRS struct {
	Pk ProvingKey
	Vk VerifyingKey
}

SRS must be computed through MPC and comprises the ProvingKey and the VerifyingKey

func NewSRS

func NewSRS(size uint64, bAlpha *big.Int) (*SRS, error)

NewSRS returns a new SRS using alpha as randomness source

In production, a SRS generated through MPC should be used.

implements io.ReaderFrom and io.WriterTo

func (*SRS) ReadFrom

func (srs *SRS) ReadFrom(r io.Reader) (int64, error)

ReadFrom decodes SRS data from reader.

func (*SRS) WriteTo

func (srs *SRS) WriteTo(w io.Writer) (int64, error)

WriteTo writes binary encoding of the entire SRS

type VerifyingKey added in v0.11.0

type VerifyingKey struct {
	G2 [2]bls24317.G2Affine // [G₂, [α]G₂ ]
	G1 bls24317.G1Affine
}

VerifyingKey used to verify opening proofs

func (*VerifyingKey) ReadFrom added in v0.11.0

func (vk *VerifyingKey) ReadFrom(r io.Reader) (int64, error)

ReadFrom decodes VerifyingKey data from reader.

func (*VerifyingKey) WriteRawTo added in v0.11.0

func (vk *VerifyingKey) WriteRawTo(w io.Writer) (int64, error)

WriteRawTo writes binary encoding of VerifyingKey to w without point compression

func (*VerifyingKey) WriteTo added in v0.11.0

func (vk *VerifyingKey) WriteTo(w io.Writer) (int64, error)

WriteTo writes binary encoding of the VerifyingKey

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL