Documentation ¶
Index ¶
- func BuildTrace(spr *cs.SparseR1CS, pt *Trace)
- func Setup(spr *cs.SparseR1CS, kzgSrs kzg.SRS) (*ProvingKey, *VerifyingKey, error)
- func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector) error
- type Proof
- type ProvingKey
- func (pk *ProvingKey) ReadFrom(r io.Reader) (int64, error)
- func (pk *ProvingKey) UnsafeReadFrom(r io.Reader) (int64, error)
- func (pk *ProvingKey) VerifyingKey() interface{}
- func (pk *ProvingKey) WriteRawTo(w io.Writer) (n int64, err error)
- func (pk *ProvingKey) WriteTo(w io.Writer) (n int64, err error)
- type Trace
- type VerifyingKey
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func BuildTrace ¶
func BuildTrace(spr *cs.SparseR1CS, pt *Trace)
BuildTrace fills the constant columns ql, qr, qm, qo, qk from the sparser1cs. Size is the size of the system that is nb_constraints+nb_public_variables
func Setup ¶
func Setup(spr *cs.SparseR1CS, kzgSrs kzg.SRS) (*ProvingKey, *VerifyingKey, error)
Types ¶
type Proof ¶
type Proof struct { // Commitments to the solution vectors LRO [3]kzg.Digest // Commitment to Z, the permutation polynomial Z kzg.Digest // Commitments to h1, h2, h3 such that h = h1 + Xh2 + X**2h3 is the quotient polynomial H [3]kzg.Digest Bsb22Commitments []kzg.Digest // Batch opening proof of h1 + zeta*h2 + zeta**2h3, linearizedPolynomial, l, r, o, s1, s2, qCPrime BatchedProof kzg.BatchOpeningProof // Opening proof of Z at zeta*mu ZShiftedOpening kzg.OpeningProof }
func Prove ¶
func Prove(spr *cs.SparseR1CS, pk *ProvingKey, fullWitness witness.Witness, opts ...backend.ProverOption) (*Proof, error)
func (*Proof) WriteRawTo ¶
WriteRawTo writes binary encoding of Proof to w without point compression
type ProvingKey ¶
type ProvingKey struct { Kzg kzg.ProvingKey // Verifying Key is embedded into the proving key (needed by Prove) Vk *VerifyingKey // Domains used for the FFTs. // Domain[0] = small Domain // Domain[1] = big Domain Domain [2]fft.Domain // contains filtered or unexported fields }
ProvingKey stores the data needed to generate a proof: * the commitment scheme * ql, prepended with as many ones as they are public inputs * qr, qm, qo prepended with as many zeroes as there are public inputs. * qk, prepended with as many zeroes as public inputs, to be completed by the prover with the list of public inputs. * sigma_1, sigma_2, sigma_3 in both basis * the copy constraint permutation
func (*ProvingKey) ReadFrom ¶
func (pk *ProvingKey) ReadFrom(r io.Reader) (int64, error)
ReadFrom reads from binary representation in r into ProvingKey
func (*ProvingKey) UnsafeReadFrom ¶
func (pk *ProvingKey) UnsafeReadFrom(r io.Reader) (int64, error)
UnsafeReadFrom reads from binary representation in r into ProvingKey without subgroup checks
func (*ProvingKey) VerifyingKey ¶
func (pk *ProvingKey) VerifyingKey() interface{}
VerifyingKey returns pk.Vk
func (*ProvingKey) WriteRawTo ¶
func (pk *ProvingKey) WriteRawTo(w io.Writer) (n int64, err error)
WriteRawTo writes binary encoding of ProvingKey to w without point compression
type Trace ¶
type Trace struct { // Constants describing a plonk circuit. The first entries // of LQk (whose index correspond to the public inputs) are set to 0, and are to be // completed by the prover. At those indices i (so from 0 to nb_public_variables), LQl[i]=-1 // so the first nb_public_variables constraints look like this: // -1*Wire[i] + 0* + 0 . It is zero when the constant coefficient is replaced by Wire[i]. Ql, Qr, Qm, Qo, Qk *iop.Polynomial Qcp []*iop.Polynomial // Polynomials representing the splitted permutation. The full permutation's support is 3*N where N=nb wires. // The set of interpolation is <g> of size N, so to represent the permutation S we let S acts on the // set A=(<g>, u*<g>, u^{2}*<g>) of size 3*N, where u is outside <g> (its use is to shift the set <g>). // We obtain a permutation of A, A'. We split A' in 3 (A'_{1}, A'_{2}, A'_{3}), and S1, S2, S3 are // respectively the interpolation of A'_{1}, A'_{2}, A'_{3} on <g>. S1, S2, S3 *iop.Polynomial // S full permutation, i -> S[i] S []int64 }
Trace stores a plonk trace as columns
type VerifyingKey ¶
type VerifyingKey struct { // Size circuit Size uint64 SizeInv fr.Element Generator fr.Element NbPublicVariables uint64 // Commitment scheme that is used for an instantiation of PLONK Kzg kzg.VerifyingKey // cosetShift generator of the coset on the small domain CosetShift fr.Element // S commitments to S1, S2, S3 S [3]kzg.Digest // Commitments to ql, qr, qm, qo, qcp prepended with as many zeroes (ones for l) as there are public inputs. // In particular Qk is not complete. Ql, Qr, Qm, Qo, Qk kzg.Digest Qcp []kzg.Digest CommitmentConstraintIndexes []uint64 }
VerifyingKey stores the data needed to verify a proof: * The commitment scheme * Commitments of ql prepended with as many ones as there are public inputs * Commitments of qr, qm, qo, qk prepended with as many zeroes as there are public inputs * Commitments to S1, S2, S3
func (*VerifyingKey) ExportSolidity ¶
func (vk *VerifyingKey) ExportSolidity(w io.Writer) error
ExportSolidity not implemented for BLS12-377
func (*VerifyingKey) NbPublicWitness ¶
func (vk *VerifyingKey) NbPublicWitness() int
NbPublicWitness returns the expected public witness size (number of field elements)
func (*VerifyingKey) ReadFrom ¶
func (vk *VerifyingKey) ReadFrom(r io.Reader) (int64, error)
ReadFrom reads from binary representation in r into VerifyingKey
func (*VerifyingKey) WriteRawTo ¶
func (vk *VerifyingKey) WriteRawTo(w io.Writer) (int64, error)
WriteRawTo writes binary encoding of VerifyingKey to w without point compression