Documentation ¶
Index ¶
- func Setup(spr *cs.SparseR1CS, srs, srsLagrange kzg.SRS) (*ProvingKey, *VerifyingKey, error)
- func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector, ...) error
- type Proof
- type ProvingKey
- func (pk *ProvingKey) ReadFrom(r io.Reader) (int64, error)
- func (pk *ProvingKey) UnsafeReadFrom(r io.Reader) (int64, error)
- func (pk *ProvingKey) VerifyingKey() interface{}
- func (pk *ProvingKey) WriteRawTo(w io.Writer) (n int64, err error)
- func (pk *ProvingKey) WriteTo(w io.Writer) (n int64, err error)
- type Trace
- type VerifyingKey
- func (vk *VerifyingKey) ExportSolidity(w io.Writer) error
- func (vk *VerifyingKey) NbPublicWitness() int
- func (vk *VerifyingKey) ReadFrom(r io.Reader) (int64, error)
- func (vk *VerifyingKey) UnsafeReadFrom(r io.Reader) (int64, error)
- func (vk *VerifyingKey) WriteRawTo(w io.Writer) (int64, error)
- func (vk *VerifyingKey) WriteTo(w io.Writer) (n int64, err error)
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func Setup ¶
func Setup(spr *cs.SparseR1CS, srs, srsLagrange kzg.SRS) (*ProvingKey, *VerifyingKey, error)
func Verify ¶
func Verify(proof *Proof, vk *VerifyingKey, publicWitness fr.Vector, opts ...backend.VerifierOption) error
Types ¶
type Proof ¶
type Proof struct { // Commitments to the solution vectors LRO [3]kzg.Digest // Commitment to Z, the permutation polynomial Z kzg.Digest // Commitments to h1, h2, h3 such that h = h1 + Xⁿ⁺²*h2 + X²⁽ⁿ⁺²⁾*h3 is the quotient polynomial H [3]kzg.Digest Bsb22Commitments []kzg.Digest // Batch opening proof of linearizedPolynomial, l, r, o, s1, s2, qCPrime BatchedProof kzg.BatchOpeningProof // Opening proof of Z at zeta*mu ZShiftedOpening kzg.OpeningProof }
func Prove ¶
func Prove(spr *cs.SparseR1CS, pk *ProvingKey, fullWitness witness.Witness, opts ...backend.ProverOption) (*Proof, error)
func (*Proof) WriteRawTo ¶
WriteRawTo writes binary encoding of Proof to w without point compression
type ProvingKey ¶
type ProvingKey struct {
Kzg, KzgLagrange kzg.ProvingKey
// Verifying Key is embedded into the proving key (needed by Prove)
Vk *VerifyingKey
}
ProvingKey stores the data needed to generate a proof
func (*ProvingKey) ReadFrom ¶
func (pk *ProvingKey) ReadFrom(r io.Reader) (int64, error)
ReadFrom reads from binary representation in r into ProvingKey
func (*ProvingKey) UnsafeReadFrom ¶
func (pk *ProvingKey) UnsafeReadFrom(r io.Reader) (int64, error)
UnsafeReadFrom reads from binary representation in r into ProvingKey without subgroup checks
func (*ProvingKey) VerifyingKey ¶
func (pk *ProvingKey) VerifyingKey() interface{}
VerifyingKey returns pk.Vk
func (*ProvingKey) WriteRawTo ¶
func (pk *ProvingKey) WriteRawTo(w io.Writer) (n int64, err error)
WriteRawTo writes binary encoding of ProvingKey to w without point compression
type Trace ¶
type Trace struct { // Constants describing a plonk circuit. The first entries // of LQk (whose index correspond to the public inputs) are set to 0, and are to be // completed by the prover. At those indices i (so from 0 to nb_public_variables), LQl[i]=-1 // so the first nb_public_variables constraints look like this: // -1*Wire[i] + 0* + 0 . It is zero when the constant coefficient is replaced by Wire[i]. Ql, Qr, Qm, Qo, Qk *iop.Polynomial Qcp []*iop.Polynomial // Polynomials representing the splitted permutation. The full permutation's support is 3*N where N=nb wires. // The set of interpolation is <g> of size N, so to represent the permutation S we let S acts on the // set A=(<g>, u*<g>, u^{2}*<g>) of size 3*N, where u is outside <g> (its use is to shift the set <g>). // We obtain a permutation of A, A'. We split A' in 3 (A'_{1}, A'_{2}, A'_{3}), and S1, S2, S3 are // respectively the interpolation of A'_{1}, A'_{2}, A'_{3} on <g>. S1, S2, S3 *iop.Polynomial // S full permutation, i -> S[i] S []int64 }
Trace stores a plonk trace as columns
func NewTrace ¶
func NewTrace(spr *cs.SparseR1CS, domain *fft.Domain) *Trace
NewTrace returns a new Trace object from the constraint system. It fills the constant columns ql, qr, qm, qo, qk, and qcp with the coefficients of the constraints. Size is the size of the system that is next power of 2 (nb_constraints+nb_public_variables) The permutation is also computed and stored in the Trace.
type VerifyingKey ¶
type VerifyingKey struct { // Size circuit Size uint64 SizeInv fr.Element Generator fr.Element NbPublicVariables uint64 // Commitment scheme that is used for an instantiation of PLONK Kzg kzg.VerifyingKey // cosetShift generator of the coset on the small domain CosetShift fr.Element // S commitments to S1, S2, S3 S [3]kzg.Digest // Commitments to ql, qr, qm, qo, qcp prepended with as many zeroes (ones for l) as there are public inputs. // In particular Qk is not complete. Ql, Qr, Qm, Qo, Qk kzg.Digest Qcp []kzg.Digest CommitmentConstraintIndexes []uint64 }
VerifyingKey stores the data needed to verify a proof: * The commitment scheme * Commitments of ql prepended with as many ones as there are public inputs * Commitments of qr, qm, qo, qk prepended with as many zeroes as there are public inputs * Commitments to S1, S2, S3
func (*VerifyingKey) ExportSolidity ¶
func (vk *VerifyingKey) ExportSolidity(w io.Writer) error
ExportSolidity not implemented for BLS12-381
func (*VerifyingKey) NbPublicWitness ¶
func (vk *VerifyingKey) NbPublicWitness() int
NbPublicWitness returns the expected public witness size (number of field elements)
func (*VerifyingKey) ReadFrom ¶
func (vk *VerifyingKey) ReadFrom(r io.Reader) (int64, error)
ReadFrom reads from binary representation in r into VerifyingKey
func (*VerifyingKey) UnsafeReadFrom ¶
func (vk *VerifyingKey) UnsafeReadFrom(r io.Reader) (int64, error)
UnsafeReadFrom reads from binary representation in r into VerifyingKey. Current implementation is a passthrough to ReadFrom
func (*VerifyingKey) WriteRawTo ¶
func (vk *VerifyingKey) WriteRawTo(w io.Writer) (int64, error)
WriteRawTo writes binary encoding of VerifyingKey to w without point compression