Documentation ¶
Overview ¶
Package kzg provides a KZG commitment scheme.
Index ¶
- Variables
- func BatchVerifyMultiPoints(digests []Digest, proofs []OpeningProof, points []fr.Element, vk VerifyingKey) error
- func BatchVerifySinglePoint(digests []Digest, batchOpeningProof *BatchOpeningProof, point fr.Element, ...) error
- func FoldProof(digests []Digest, batchOpeningProof *BatchOpeningProof, point fr.Element, ...) (OpeningProof, Digest, error)
- func ToLagrangeG1(coeffs []curve.G1Affine) ([]curve.G1Affine, error)
- func Verify(commitment *Digest, proof *OpeningProof, point fr.Element, vk VerifyingKey) error
- type BatchOpeningProof
- type Digest
- type MpcSetup
- type OpeningProof
- type ProvingKey
- type SRS
- func (srs *SRS) ReadDump(r io.Reader, maxPkPoints ...int) error
- func (srs *SRS) ReadFrom(r io.Reader) (int64, error)
- func (srs *SRS) UnsafeReadFrom(r io.Reader) (int64, error)
- func (srs *SRS) WriteDump(w io.Writer, maxPkPoints ...int) error
- func (srs *SRS) WriteRawTo(w io.Writer) (int64, error)
- func (srs *SRS) WriteTo(w io.Writer) (int64, error)
- type VerifyingKey
Constants ¶
This section is empty.
Variables ¶
var ( ErrInvalidNbDigests = errors.New("number of digests is not the same as the number of polynomials") ErrZeroNbDigests = errors.New("number of digests is zero") ErrInvalidPolynomialSize = errors.New("invalid polynomial size (larger than SRS or == 0)") ErrVerifyOpeningProof = errors.New("can't verify opening proof") ErrVerifyBatchOpeningSinglePoint = errors.New("can't verify batch opening proof at single point") ErrMinSRSSize = errors.New("minimum srs size is 2") )
Functions ¶
func BatchVerifyMultiPoints ¶
func BatchVerifyMultiPoints(digests []Digest, proofs []OpeningProof, points []fr.Element, vk VerifyingKey) error
BatchVerifyMultiPoints batch verifies a list of opening proofs at different points. The purpose of the batching is to have only one pairing for verifying several proofs.
* digests list of committed polynomials * proofs list of opening proofs, one for each digest * points the list of points at which the opening are done
func BatchVerifySinglePoint ¶
func BatchVerifySinglePoint(digests []Digest, batchOpeningProof *BatchOpeningProof, point fr.Element, hf hash.Hash, vk VerifyingKey, dataTranscript ...[]byte) error
BatchVerifySinglePoint verifies a batched opening proof at a single point of a list of polynomials.
* digests list of digests on which opening proof is done * batchOpeningProof proof of correct opening on the digests * dataTranscript extra data that might be needed to derive the challenge used for the folding
func FoldProof ¶
func FoldProof(digests []Digest, batchOpeningProof *BatchOpeningProof, point fr.Element, hf hash.Hash, dataTranscript ...[]byte) (OpeningProof, Digest, error)
FoldProof fold the digests and the proofs in batchOpeningProof using Fiat Shamir to obtain an opening proof at a single point.
* digests list of digests on which batchOpeningProof is based * batchOpeningProof opening proof of digests * transcript extra data needed to derive the challenge used for folding. * returns the folded version of batchOpeningProof, Digest, the folded version of digests
func ToLagrangeG1 ¶
ToLagrangeG1 in place transform of coeffs canonical form into Lagrange form. From the formula Lᵢ(τ) = 1/n∑_{j<n}(τ/ωⁱ)ʲ we see that [L₁(τ),..,Lₙ(τ)] = FFT_inv(∑_{j<n}τʲXʲ), so it suffices to apply the inverse fft on the vector consisting of the original SRS. Size of coeffs must be a power of 2.
func Verify ¶
func Verify(commitment *Digest, proof *OpeningProof, point fr.Element, vk VerifyingKey) error
Verify verifies a KZG opening proof at a single point
Types ¶
type BatchOpeningProof ¶
type BatchOpeningProof struct { // H quotient polynomial Sum_i gamma**i*(f - f(z))/(x-z) H bn254.G1Affine // ClaimedValues purported values ClaimedValues []fr.Element }
BatchOpeningProof opening proof for many polynomials at the same point
implements io.ReaderFrom and io.WriterTo
func BatchOpenSinglePoint ¶
func BatchOpenSinglePoint(polynomials [][]fr.Element, digests []Digest, point fr.Element, hf hash.Hash, pk ProvingKey, dataTranscript ...[]byte) (BatchOpeningProof, error)
BatchOpenSinglePoint creates a batch opening proof at point of a list of polynomials. It's an interactive protocol, made non-interactive using Fiat Shamir.
* point is the point at which the polynomials are opened. * digests is the list of committed polynomials to open, need to derive the challenge using Fiat Shamir. * polynomials is the list of polynomials to open, they are supposed to be of the same size. * dataTranscript extra data that might be needed to derive the challenge used for folding
type MpcSetup ¶ added in v0.15.0
type MpcSetup struct {
// contains filtered or unexported fields
}
func InitializeSetup ¶ added in v0.15.0
func (*MpcSetup) Contribute ¶ added in v0.15.0
func (s *MpcSetup) Contribute()
type OpeningProof ¶
type OpeningProof struct { // H quotient polynomial (f - f(z))/(x-z) H bn254.G1Affine // ClaimedValue purported value ClaimedValue fr.Element }
OpeningProof KZG proof for opening at a single point.
implements io.ReaderFrom and io.WriterTo
func Open ¶
func Open(p []fr.Element, point fr.Element, pk ProvingKey) (OpeningProof, error)
Open computes an opening proof of polynomial p at given point. fft.Domain Cardinality must be larger than p.Degree()
type ProvingKey ¶
ProvingKey used to create or open commitments
func (*ProvingKey) ReadFrom ¶
func (pk *ProvingKey) ReadFrom(r io.Reader) (int64, error)
ReadFrom decodes ProvingKey data from reader.
func (*ProvingKey) UnsafeReadFrom ¶
func (pk *ProvingKey) UnsafeReadFrom(r io.Reader) (int64, error)
UnsafeReadFrom decodes ProvingKey data from reader without checking that point are in the correct subgroup.
func (*ProvingKey) WriteRawTo ¶
func (pk *ProvingKey) WriteRawTo(w io.Writer) (int64, error)
WriteRawTo writes binary encoding of ProvingKey to w without point compression
type SRS ¶
type SRS struct { Pk ProvingKey Vk VerifyingKey }
SRS must be computed through MPC and comprises the ProvingKey and the VerifyingKey
func NewSRS ¶
NewSRS returns a new SRS using alpha as randomness source
In production, a SRS generated through MPC should be used.
Set Alpha = -1 to generate quickly a balanced, valid SRS (useful for benchmarking).
implements io.ReaderFrom and io.WriterTo
func (*SRS) UnsafeReadFrom ¶
UnsafeReadFrom decodes SRS data from reader without sub group checks
func (*SRS) WriteDump ¶
WriteDump writes the binary encoding of the entire SRS memory representation It is meant to be use to achieve fast serialization/deserialization and is not compatible with WriteTo / ReadFrom. It does not do any validation and doesn't encode points in a canonical form. @unsafe: this is platform dependent and may not be compatible with other platforms @unstable: the format may change in the future If maxPkPoints is provided, the number of points in the ProvingKey will be limited to maxPkPoints
func (*SRS) WriteRawTo ¶
WriteRawTo writes binary encoding of the entire SRS without point compression
type VerifyingKey ¶
type VerifyingKey struct { G2 [2]bn254.G2Affine // [G₂, [α]G₂ ] G1 bn254.G1Affine Lines [2][2][len(bn254.LoopCounter)]bn254.LineEvaluationAff // precomputed pairing lines corresponding to G₂, [α]G₂ }
VerifyingKey used to verify opening proofs
func (*VerifyingKey) ReadFrom ¶
func (vk *VerifyingKey) ReadFrom(r io.Reader) (int64, error)
ReadFrom decodes VerifyingKey data from reader.
func (*VerifyingKey) WriteRawTo ¶
func (vk *VerifyingKey) WriteRawTo(w io.Writer) (int64, error)
WriteRawTo writes binary encoding of VerifyingKey to w without point compression