kzg

package
v0.15.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 21, 2025 License: Apache-2.0 Imports: 18 Imported by: 37

Documentation

Overview

Package kzg provides a KZG commitment scheme.

Index

Constants

This section is empty.

Variables

View Source
var (
	ErrInvalidNbDigests              = errors.New("number of digests is not the same as the number of polynomials")
	ErrZeroNbDigests                 = errors.New("number of digests is zero")
	ErrInvalidPolynomialSize         = errors.New("invalid polynomial size (larger than SRS or == 0)")
	ErrVerifyOpeningProof            = errors.New("can't verify opening proof")
	ErrVerifyBatchOpeningSinglePoint = errors.New("can't verify batch opening proof at single point")
	ErrMinSRSSize                    = errors.New("minimum srs size is 2")
)

Functions

func BatchVerifyMultiPoints

func BatchVerifyMultiPoints(digests []Digest, proofs []OpeningProof, points []fr.Element, vk VerifyingKey) error

BatchVerifyMultiPoints batch verifies a list of opening proofs at different points. The purpose of the batching is to have only one pairing for verifying several proofs.

* digests list of committed polynomials * proofs list of opening proofs, one for each digest * points the list of points at which the opening are done

func BatchVerifySinglePoint

func BatchVerifySinglePoint(digests []Digest, batchOpeningProof *BatchOpeningProof, point fr.Element, hf hash.Hash, vk VerifyingKey, dataTranscript ...[]byte) error

BatchVerifySinglePoint verifies a batched opening proof at a single point of a list of polynomials.

* digests list of digests on which opening proof is done * batchOpeningProof proof of correct opening on the digests * dataTranscript extra data that might be needed to derive the challenge used for the folding

func FoldProof

func FoldProof(digests []Digest, batchOpeningProof *BatchOpeningProof, point fr.Element, hf hash.Hash, dataTranscript ...[]byte) (OpeningProof, Digest, error)

FoldProof fold the digests and the proofs in batchOpeningProof using Fiat Shamir to obtain an opening proof at a single point.

* digests list of digests on which batchOpeningProof is based * batchOpeningProof opening proof of digests * transcript extra data needed to derive the challenge used for folding. * returns the folded version of batchOpeningProof, Digest, the folded version of digests

func ToLagrangeG1

func ToLagrangeG1(coeffs []curve.G1Affine) ([]curve.G1Affine, error)

ToLagrangeG1 in place transform of coeffs canonical form into Lagrange form. From the formula Lᵢ(τ) = 1/n∑_{j<n}(τ/ωⁱ)ʲ we see that [L₁(τ),..,Lₙ(τ)] = FFT_inv(∑_{j<n}τʲXʲ), so it suffices to apply the inverse fft on the vector consisting of the original SRS. Size of coeffs must be a power of 2.

func Verify

func Verify(commitment *Digest, proof *OpeningProof, point fr.Element, vk VerifyingKey) error

Verify verifies a KZG opening proof at a single point

Types

type BatchOpeningProof

type BatchOpeningProof struct {
	// H quotient polynomial Sum_i gamma**i*(f - f(z))/(x-z)
	H bn254.G1Affine

	// ClaimedValues purported values
	ClaimedValues []fr.Element
}

BatchOpeningProof opening proof for many polynomials at the same point

implements io.ReaderFrom and io.WriterTo

func BatchOpenSinglePoint

func BatchOpenSinglePoint(polynomials [][]fr.Element, digests []Digest, point fr.Element, hf hash.Hash, pk ProvingKey, dataTranscript ...[]byte) (BatchOpeningProof, error)

BatchOpenSinglePoint creates a batch opening proof at point of a list of polynomials. It's an interactive protocol, made non-interactive using Fiat Shamir.

* point is the point at which the polynomials are opened. * digests is the list of committed polynomials to open, need to derive the challenge using Fiat Shamir. * polynomials is the list of polynomials to open, they are supposed to be of the same size. * dataTranscript extra data that might be needed to derive the challenge used for folding

func (*BatchOpeningProof) ReadFrom

func (proof *BatchOpeningProof) ReadFrom(r io.Reader) (int64, error)

ReadFrom decodes BatchOpeningProof data from reader.

func (*BatchOpeningProof) WriteTo

func (proof *BatchOpeningProof) WriteTo(w io.Writer) (int64, error)

WriteTo writes binary encoding of a BatchOpeningProof

type Digest

type Digest = bn254.G1Affine

Digest commitment of a polynomial.

func Commit

func Commit(p []fr.Element, pk ProvingKey, nbTasks ...int) (Digest, error)

Commit commits to a polynomial using a multi exponentiation with the SRS. It is assumed that the polynomial is in canonical form, in Montgomery form.

type MpcSetup added in v0.15.0

type MpcSetup struct {
	// contains filtered or unexported fields
}

func InitializeSetup added in v0.15.0

func InitializeSetup(N int) MpcSetup

func (*MpcSetup) Contribute added in v0.15.0

func (s *MpcSetup) Contribute()

func (*MpcSetup) ReadFrom added in v0.15.0

func (s *MpcSetup) ReadFrom(r io.Reader) (int64, error)

ReadFrom implements io.ReaderFrom

func (*MpcSetup) Seal added in v0.15.0

func (s *MpcSetup) Seal(beaconChallenge []byte) SRS

func (*MpcSetup) Verify added in v0.15.0

func (s *MpcSetup) Verify(next *MpcSetup) error

func (*MpcSetup) WriteTo added in v0.15.0

func (s *MpcSetup) WriteTo(w io.Writer) (int64, error)

WriteTo implements io.WriterTo

type OpeningProof

type OpeningProof struct {
	// H quotient polynomial (f - f(z))/(x-z)
	H bn254.G1Affine

	// ClaimedValue purported value
	ClaimedValue fr.Element
}

OpeningProof KZG proof for opening at a single point.

implements io.ReaderFrom and io.WriterTo

func Open

func Open(p []fr.Element, point fr.Element, pk ProvingKey) (OpeningProof, error)

Open computes an opening proof of polynomial p at given point. fft.Domain Cardinality must be larger than p.Degree()

func (*OpeningProof) ReadFrom

func (proof *OpeningProof) ReadFrom(r io.Reader) (int64, error)

ReadFrom decodes OpeningProof data from reader.

func (*OpeningProof) WriteTo

func (proof *OpeningProof) WriteTo(w io.Writer) (int64, error)

WriteTo writes binary encoding of a OpeningProof

type ProvingKey

type ProvingKey struct {
	G1 []bn254.G1Affine // [G₁ [α]G₁ , [α²]G₁, ... ]
}

ProvingKey used to create or open commitments

func (*ProvingKey) ReadFrom

func (pk *ProvingKey) ReadFrom(r io.Reader) (int64, error)

ReadFrom decodes ProvingKey data from reader.

func (*ProvingKey) UnsafeReadFrom

func (pk *ProvingKey) UnsafeReadFrom(r io.Reader) (int64, error)

UnsafeReadFrom decodes ProvingKey data from reader without checking that point are in the correct subgroup.

func (*ProvingKey) WriteRawTo

func (pk *ProvingKey) WriteRawTo(w io.Writer) (int64, error)

WriteRawTo writes binary encoding of ProvingKey to w without point compression

func (*ProvingKey) WriteTo

func (pk *ProvingKey) WriteTo(w io.Writer) (int64, error)

WriteTo writes binary encoding of the ProvingKey

type SRS

type SRS struct {
	Pk ProvingKey
	Vk VerifyingKey
}

SRS must be computed through MPC and comprises the ProvingKey and the VerifyingKey

func NewSRS

func NewSRS(size uint64, bAlpha *big.Int) (*SRS, error)

NewSRS returns a new SRS using alpha as randomness source

In production, a SRS generated through MPC should be used.

Set Alpha = -1 to generate quickly a balanced, valid SRS (useful for benchmarking).

implements io.ReaderFrom and io.WriterTo

func (*SRS) ReadDump

func (srs *SRS) ReadDump(r io.Reader, maxPkPoints ...int) error

ReadDump deserializes the SRS from a reader, as written by WriteDump

func (*SRS) ReadFrom

func (srs *SRS) ReadFrom(r io.Reader) (int64, error)

ReadFrom decodes SRS data from reader.

func (*SRS) UnsafeReadFrom

func (srs *SRS) UnsafeReadFrom(r io.Reader) (int64, error)

UnsafeReadFrom decodes SRS data from reader without sub group checks

func (*SRS) WriteDump

func (srs *SRS) WriteDump(w io.Writer, maxPkPoints ...int) error

WriteDump writes the binary encoding of the entire SRS memory representation It is meant to be use to achieve fast serialization/deserialization and is not compatible with WriteTo / ReadFrom. It does not do any validation and doesn't encode points in a canonical form. @unsafe: this is platform dependent and may not be compatible with other platforms @unstable: the format may change in the future If maxPkPoints is provided, the number of points in the ProvingKey will be limited to maxPkPoints

func (*SRS) WriteRawTo

func (srs *SRS) WriteRawTo(w io.Writer) (int64, error)

WriteRawTo writes binary encoding of the entire SRS without point compression

func (*SRS) WriteTo

func (srs *SRS) WriteTo(w io.Writer) (int64, error)

WriteTo writes binary encoding of the entire SRS

type VerifyingKey

type VerifyingKey struct {
	G2    [2]bn254.G2Affine // [G₂, [α]G₂ ]
	G1    bn254.G1Affine
	Lines [2][2][len(bn254.LoopCounter)]bn254.LineEvaluationAff // precomputed pairing lines corresponding to G₂, [α]G₂
}

VerifyingKey used to verify opening proofs

func (*VerifyingKey) ReadFrom

func (vk *VerifyingKey) ReadFrom(r io.Reader) (int64, error)

ReadFrom decodes VerifyingKey data from reader.

func (*VerifyingKey) WriteRawTo

func (vk *VerifyingKey) WriteRawTo(w io.Writer) (int64, error)

WriteRawTo writes binary encoding of VerifyingKey to w without point compression

func (*VerifyingKey) WriteTo

func (vk *VerifyingKey) WriteTo(w io.Writer) (int64, error)

WriteTo writes binary encoding of the VerifyingKey

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL