Documentation
Overview
Package kzg provides a KZG commitment scheme.
Index
- Variables
- func BatchVerifyMultiPoints(digests []Digest, proofs []OpeningProof, points []fr.Element, vk VerifyingKey) error
- func BatchVerifySinglePoint(digests []Digest, batchOpeningProof *BatchOpeningProof, point fr.Element, ...) error
- func FoldProof(digests []Digest, batchOpeningProof *BatchOpeningProof, point fr.Element, ...) (OpeningProof, Digest, error)
- func Verify(commitment *Digest, proof *OpeningProof, point fr.Element, vk VerifyingKey) error
- type BatchOpeningProof
- type Digest
- type OpeningProof
- type ProvingKey
- type SRS
- type VerifyingKey
Constants
This section is empty.
Variables
var (
	ErrInvalidNbDigests              = errors.New("number of digests is not the same as the number of polynomials")
	ErrZeroNbDigests                 = errors.New("number of digests is zero")
	ErrInvalidPolynomialSize         = errors.New("invalid polynomial size (larger than SRS or == 0)")
	ErrVerifyOpeningProof            = errors.New("can't verify opening proof")
	ErrVerifyBatchOpeningSinglePoint = errors.New("can't verify batch opening proof at single point")
	ErrMinSRSSize                    = errors.New("minimum srs size is 2")
)
Functions
func BatchVerifyMultiPoints
func BatchVerifyMultiPoints(digests []Digest, proofs []OpeningProof, points []fr.Element, vk VerifyingKey) error
BatchVerifyMultiPoints batch verifies a list of opening proofs at different points. The purpose of the batching is to have only one pairing for verifying several proofs.
* digests: list of committed polynomials
* proofs: list of opening proofs, one for each digest
* points: the list of points at which the openings are done
func BatchVerifySinglePoint
func BatchVerifySinglePoint(digests []Digest, batchOpeningProof *BatchOpeningProof, point fr.Element, hf hash.Hash, vk VerifyingKey) error
BatchVerifySinglePoint verifies a batched opening proof at a single point of a list of polynomials.
* digests: list of digests on which the opening proof is done
* batchOpeningProof: proof of correct opening on the digests
func FoldProof
func FoldProof(digests []Digest, batchOpeningProof *BatchOpeningProof, point fr.Element, hf hash.Hash) (OpeningProof, Digest, error)
FoldProof folds the digests and the proofs in batchOpeningProof using Fiat Shamir to obtain an opening proof at a single point.
* digests: list of digests on which batchOpeningProof is based
* batchOpeningProof: opening proof of digests
* returns an OpeningProof, the folded version of batchOpeningProof, and a Digest, the folded version of digests
func Verify
func Verify(commitment *Digest, proof *OpeningProof, point fr.Element, vk VerifyingKey) error
Verify verifies a KZG opening proof at a single point.
Types
type BatchOpeningProof
type BatchOpeningProof struct {
	// H quotient polynomial Sum_i gamma**i*(f - f(z))/(x-z)
	H bls12381.G1Affine

	// ClaimedValues purported values
	ClaimedValues []fr.Element
}
BatchOpeningProof opening proof for many polynomials at the same point
implements io.ReaderFrom and io.WriterTo
func BatchOpenSinglePoint
func BatchOpenSinglePoint(polynomials [][]fr.Element, digests []Digest, point fr.Element, hf hash.Hash, pk ProvingKey) (BatchOpeningProof, error)
BatchOpenSinglePoint creates a batch opening proof at point of a list of polynomials. It's an interactive protocol, made non-interactive using Fiat Shamir.
* point is the point at which the polynomials are opened.
* digests is the list of committed polynomials to open, needed to derive the challenge using Fiat Shamir.
* polynomials is the list of polynomials to open; they are supposed to be of the same size.
type OpeningProof
type OpeningProof struct {
	// H quotient polynomial (f - f(z))/(x-z)
	H bls12381.G1Affine

	// ClaimedValue purported value
	ClaimedValue fr.Element
}
OpeningProof KZG proof for opening at a single point.
implements io.ReaderFrom and io.WriterTo
func Open
func Open(p []fr.Element, point fr.Element, pk ProvingKey) (OpeningProof, error)
Open computes an opening proof of polynomial p at given point. fft.Domain Cardinality must be larger than p.Degree()
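The quotient named in the H comments of OpeningProof and BatchOpeningProof, and the gamma-weighted sum that FoldProof relies on, worked in the scalar field only. This is an added example, not gnark-crypto code: `Quotient`, `Fold` and `Demo` are hypothetical helpers, the polynomials and gamma = 11 are constructed values, and no curve points or pairings are involved.

```go
package main

import (
	"fmt"
	"math/big"
)

// R is the BLS12-381 scalar field modulus, the field fr.Element lives in.
var R, _ = new(big.Int).SetString("73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001", 16)

// Quotient divides p(x) - y by (x - z); p[i] is the coefficient of x^i.
// The remainder is p(z) - y, so it is zero only when the claim y is correct.
func Quotient(p []*big.Int, z, y *big.Int) ([]*big.Int, *big.Int) {
	out, acc := make([]*big.Int, len(p)), new(big.Int)
	for i := len(p) - 1; i >= 0; i-- { // synthetic division, top coefficient first
		acc = new(big.Int).Mul(acc, z)
		out[i] = acc.Mod(acc.Add(acc, p[i]), R)
	}
	return out[1:], new(big.Int).Mod(new(big.Int).Sub(out[0], y), R)
}

// Fold returns sum_i gamma^i*polys[i] and sum_i gamma^i*claims[i] (same-size polys).
func Fold(polys [][]*big.Int, claims []*big.Int, gamma *big.Int) ([]*big.Int, *big.Int) {
	fp, fv, g := make([]*big.Int, len(polys[0])), new(big.Int), big.NewInt(1)
	for i, p := range polys {
		for j, c := range p {
			if fp[j] == nil {
				fp[j] = new(big.Int)
			}
			fp[j].Mod(fp[j].Add(fp[j], new(big.Int).Mul(g, c)), R)
		}
		fv.Mod(fv.Add(fv, new(big.Int).Mul(g, claims[i])), R)
		g = new(big.Int).Mod(new(big.Int).Mul(g, gamma), R)
	}
	return fp, fv
}

// Demo folds two constructed polynomials with claims y0, y1 and divides at z = 7.
func Demo(y0, y1 int64) ([]*big.Int, *big.Int) {
	n := big.NewInt
	polys := [][]*big.Int{{n(3), n(2), n(1)}, {n(5), n(0), n(4)}} // 3+2x+x², 5+4x²
	fp, fv := Fold(polys, []*big.Int{n(y0), n(y1)}, n(11))        // 11 stands in for the Fiat-Shamir gamma
	return Quotient(fp, n(7), fv)
}

func main() {
	fmt.Println(Demo(66, 201)) // correct claims f0(7) = 66, f1(7) = 201
	fmt.Println(Demo(67, 201)) // first claim off by one
}
```

With a wrong claimed value the division leaves a non-zero remainder, so no polynomial quotient exists for the prover to commit to as H.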
type ProvingKey (added in v0.11.0)
type ProvingKey struct {
	G1 []bls12381.G1Affine // [G₁, [α]G₁, [α²]G₁, ... ]
}
ProvingKey used to create or open commitments
func (*ProvingKey) ReadFrom (added in v0.11.0)
func (pk *ProvingKey) ReadFrom(r io.Reader) (int64, error)
ReadFrom decodes ProvingKey data from reader.
func (*ProvingKey) UnsafeReadFrom (added in v0.11.2)
func (pk *ProvingKey) UnsafeReadFrom(r io.Reader) (int64, error)
UnsafeReadFrom decodes ProvingKey data from reader without checking that points are in the correct subgroup. Because that check is skipped, it is only appropriate for data from a trusted source.
func (*ProvingKey) WriteRawTo (added in v0.11.2)
func (pk *ProvingKey) WriteRawTo(w io.Writer) (int64, error)
WriteRawTo writes binary encoding of ProvingKey to w without point compression.
type SRS
type SRS struct {
	Pk ProvingKey
	Vk VerifyingKey
}
SRS must be computed through MPC and comprises the ProvingKey and the VerifyingKey
func NewSRS
NewSRS returns a new SRS using alpha as randomness source
In production, a SRS generated through MPC should be used.
implements io.ReaderFrom and io.WriterTo
type VerifyingKey (added in v0.11.0)
type VerifyingKey struct {
	G2 [2]bls12381.G2Affine // [G₂, [α]G₂ ]
	G1 bls12381.G1Affine
}
VerifyingKey used to verify opening proofs
func (*VerifyingKey) ReadFrom (added in v0.11.0)
func (vk *VerifyingKey) ReadFrom(r io.Reader) (int64, error)
ReadFrom decodes VerifyingKey data from reader.
func (*VerifyingKey) WriteRawTo (added in v0.11.0)
func (vk *VerifyingKey) WriteRawTo(w io.Writer) (int64, error)
WriteRawTo writes binary encoding of VerifyingKey to w without point compression