From 96c9ec822b8d2c79773df798e666835a81b2b063 Mon Sep 17 00:00:00 2001 From: Eric Woolsey Date: Wed, 26 Jun 2024 20:20:20 -0700 Subject: [PATCH 1/5] pedersen mpc --- backend/groth16/bn254/mpcsetup/phase2.go | 119 ++++++++++++++++++----- backend/groth16/bn254/mpcsetup/setup.go | 19 +++- 2 files changed, 114 insertions(+), 24 deletions(-) diff --git a/backend/groth16/bn254/mpcsetup/phase2.go b/backend/groth16/bn254/mpcsetup/phase2.go index 3fcafb30da..0575e45335 100644 --- a/backend/groth16/bn254/mpcsetup/phase2.go +++ b/backend/groth16/bn254/mpcsetup/phase2.go @@ -23,6 +23,8 @@ import ( curve "github.com/consensys/gnark-crypto/ecc/bn254" "github.com/consensys/gnark-crypto/ecc/bn254/fr" + + utils "github.com/consensys/gnark/backend/groth16/internal" "github.com/consensys/gnark/constraint" cs "github.com/consensys/gnark/constraint/bn254" ) @@ -30,6 +32,7 @@ import ( type Phase2Evaluations struct { G1 struct { A, B, VKK []curve.G1Affine + Basis [][]curve.G1Affine } G2 struct { B []curve.G2Affine @@ -39,11 +42,12 @@ type Phase2Evaluations struct { type Phase2 struct { Parameters struct { G1 struct { - Delta curve.G1Affine - L, Z []curve.G1Affine + Delta curve.G1Affine + L, Z []curve.G1Affine + BasisExpSigma [][]curve.G1Affine } G2 struct { - Delta curve.G2Affine + Delta, GRootSigmaNeg curve.G2Affine } } PublicKey PublicKey @@ -105,15 +109,26 @@ func InitPhase2(r1cs *cs.R1CS, srs1 *Phase1) (Phase2, Phase2Evaluations) { coeffAlphaTau1 := lagrangeCoeffsG1(srs.G1.AlphaTau, size) coeffBetaTau1 := lagrangeCoeffsG1(srs.G1.BetaTau, size) - internal, secret, public := r1cs.GetNbVariables() - nWires := internal + secret + public + // a commitment is itself defined by a hint so the prover considers it private + // but the verifier will need to inject the value itself so on the groth16 + // level it must be considered public + nbWires := r1cs.NbInternalVariables + r1cs.GetNbPublicVariables() + r1cs.GetNbSecretVariables() + commitmentInfo := r1cs.CommitmentInfo.(constraint.Groth16Commitments) + commitmentWires := commitmentInfo.CommitmentIndexes() + privateCommitted := commitmentInfo.GetPrivateCommitted() + nbPrivateCommittedWires := utils.NbElements(privateCommitted) + + nbPublicWires := r1cs.GetNbPublicVariables() + len(commitmentInfo) + nbPrivateWires := r1cs.GetNbSecretVariables() + r1cs.NbInternalVariables - nbPrivateCommittedWires - len(commitmentInfo) + var evals Phase2Evaluations - evals.G1.A = make([]curve.G1Affine, nWires) - evals.G1.B = make([]curve.G1Affine, nWires) - evals.G2.B = make([]curve.G2Affine, nWires) - bA := make([]curve.G1Affine, nWires) - aB := make([]curve.G1Affine, nWires) - C := make([]curve.G1Affine, nWires) + evals.G1.A = make([]curve.G1Affine, nbWires) + evals.G1.B = make([]curve.G1Affine, nbWires) + evals.G1.Basis = make([][]curve.G1Affine, nbPrivateCommittedWires) + evals.G2.B = make([]curve.G2Affine, nbWires) + bA := make([]curve.G1Affine, nbWires) + aB := make([]curve.G1Affine, nbWires) + CC := make([]curve.G1Affine, nbWires) // TODO @gbotrel use constraint iterator when available. @@ -133,7 +148,7 @@ func InitPhase2(r1cs *cs.R1CS, srs1 *Phase1) (Phase2, Phase2Evaluations) { } // C for _, t := range c.O { - accumulateG1(&C[t.WireID()], t, &coeffTau1[i]) + accumulateG1(&CC[t.WireID()], t, &coeffTau1[i]) } i++ } @@ -153,21 +168,56 @@ func InitPhase2(r1cs *cs.R1CS, srs1 *Phase1) (Phase2, Phase2Evaluations) { bitReverse(c2.Parameters.G1.Z) c2.Parameters.G1.Z = c2.Parameters.G1.Z[:n-1] - // Evaluate L - nPrivate := internal + secret - c2.Parameters.G1.L = make([]curve.G1Affine, nPrivate) - evals.G1.VKK = make([]curve.G1Affine, public) - offset := public - for i := 0; i < nWires; i++ { + c2.Parameters.G1.L = make([]curve.G1Affine, nbPrivateWires) + evals.G1.VKK = make([]curve.G1Affine, nbPublicWires) + evals.G1.Basis = make([][]curve.G1Affine, len(commitmentInfo)) + for i := range commitmentInfo { + evals.G1.Basis[i] = make([]curve.G1Affine, len(privateCommitted[i])) + } + + vI := 0 // number of public wires seen so far + cI := make([]int, len(commitmentInfo)) // number of private committed wires seen so far for each commitment + nbPrivateCommittedSeen := 0 // = ∑ᵢ cI[i] + nbCommitmentsSeen := 0 + + for i := range bA { var tmp curve.G1Affine tmp.Add(&bA[i], &aB[i]) - tmp.Add(&tmp, &C[i]) - if i < public { - evals.G1.VKK[i].Set(&tmp) + tmp.Add(&tmp, &CC[i]) + commitment := -1 // index of the commitment that commits to this variable as a private or commitment value + var isCommitment, isPublic bool + if isPublic = i < r1cs.GetNbPublicVariables(); !isPublic { + if nbCommitmentsSeen < len(commitmentWires) && commitmentWires[nbCommitmentsSeen] == i { + isCommitment = true + nbCommitmentsSeen++ + } + + for j := range commitmentInfo { // does commitment j commit to i? + if cI[j] < len(privateCommitted[j]) && privateCommitted[j][cI[j]] == i { + commitment = j + break // frontend guarantees that no private variable is committed to more than once + } + } + } + + if isPublic || commitment != -1 || isCommitment { + if isPublic || isCommitment { + evals.G1.VKK[vI] = tmp + vI++ + } else { // committed and private + evals.G1.Basis[commitment][cI[commitment]] = tmp + cI[commitment]++ + nbPrivateCommittedSeen++ + } } else { - c2.Parameters.G1.L[i-offset].Set(&tmp) + c2.Parameters.G1.L[i-vI-nbPrivateCommittedSeen] = tmp // vI = nbPublicSeen + nbCommitmentsSeen } } + + basisExpSigma, gRootSigmaNeg := InitPedersen(evals.G1.Basis...) + c2.Parameters.G1.BasisExpSigma = basisExpSigma + c2.Parameters.G2.GRootSigmaNeg = gRootSigmaNeg + // Set δ public key var delta fr.Element delta.SetOne() @@ -262,3 +312,28 @@ func (c *Phase2) hash() []byte { c.writeTo(sha) return sha.Sum(nil) } + +func InitPedersen(bases ...[]curve.G1Affine) (BasisExpSigma [][]curve.G1Affine, GRootSigmaNeg curve.G2Affine) { + _, _, _, g2 := curve.Generators() + + var modMinusOne big.Int + modMinusOne.Sub(fr.Modulus(), big.NewInt(1)) + + // set sigma to 1 + sigma := big.NewInt(1) + + // Todo: simplify + var sigmaInvNeg big.Int + sigmaInvNeg.ModInverse(sigma, fr.Modulus()) + sigmaInvNeg.Sub(fr.Modulus(), &sigmaInvNeg) + GRootSigmaNeg.ScalarMultiplication(&g2, &sigmaInvNeg) + + BasisExpSigma = make([][]curve.G1Affine, len(bases)) + for i := range bases { + BasisExpSigma[i] = make([]curve.G1Affine, len(bases[i])) + for j := range bases[i] { + BasisExpSigma[i][j].ScalarMultiplication(&bases[i][j], sigma) + } + } + return +} diff --git a/backend/groth16/bn254/mpcsetup/setup.go b/backend/groth16/bn254/mpcsetup/setup.go index 4946e9f597..3357f711d5 100644 --- a/backend/groth16/bn254/mpcsetup/setup.go +++ b/backend/groth16/bn254/mpcsetup/setup.go @@ -19,14 +19,20 @@ package mpcsetup import ( curve "github.com/consensys/gnark-crypto/ecc/bn254" "github.com/consensys/gnark-crypto/ecc/bn254/fr/fft" + "github.com/consensys/gnark-crypto/ecc/bn254/fr/pedersen" groth16 "github.com/consensys/gnark/backend/groth16/bn254" + "github.com/consensys/gnark/constraint" + cs "github.com/consensys/gnark/constraint/bn254" ) -func ExtractKeys(srs1 *Phase1, srs2 *Phase2, evals *Phase2Evaluations, nConstraints int) (pk groth16.ProvingKey, vk groth16.VerifyingKey) { +func ExtractKeys(r1cs *cs.R1CS, srs1 *Phase1, srs2 *Phase2, evals *Phase2Evaluations) (pk groth16.ProvingKey, vk groth16.VerifyingKey) { _, _, _, g2 := curve.Generators() + commitmentInfo := r1cs.CommitmentInfo.(constraint.Groth16Commitments) + commitmentWires := commitmentInfo.CommitmentIndexes() + // Initialize PK - pk.Domain = *fft.NewDomain(uint64(nConstraints)) + pk.Domain = *fft.NewDomain(uint64(r1cs.NbConstraints)) pk.G1.Alpha.Set(&srs1.Parameters.G1.AlphaTau[0]) pk.G1.Beta.Set(&srs1.Parameters.G1.BetaTau[0]) pk.G1.Delta.Set(&srs2.Parameters.G1.Delta) @@ -37,6 +43,12 @@ func ExtractKeys(srs1 *Phase1, srs2 *Phase2, evals *Phase2Evaluations, nConstrai pk.G2.Beta.Set(&srs1.Parameters.G2.Beta) pk.G2.Delta.Set(&srs2.Parameters.G2.Delta) + pk.CommitmentKeys = make([]pedersen.ProvingKey, len(evals.G1.Basis)) + for i := range evals.G1.Basis { + pk.CommitmentKeys[i].Basis = evals.G1.Basis[i] + pk.CommitmentKeys[i].BasisExpSigma = srs2.Parameters.G1.BasisExpSigma[i] + } + // Filter out infinity points nWires := len(evals.G1.A) pk.InfinityA = make([]bool, nWires) @@ -87,6 +99,9 @@ func ExtractKeys(srs1 *Phase1, srs2 *Phase2, evals *Phase2Evaluations, nConstrai vk.G2.Delta.Set(&srs2.Parameters.G2.Delta) vk.G2.Gamma.Set(&g2) vk.G1.K = evals.G1.VKK + vk.CommitmentKey.G = g2 + vk.CommitmentKey.GRootSigmaNeg = srs2.Parameters.G2.GRootSigmaNeg + vk.PublicAndCommitmentCommitted = commitmentInfo.GetPublicAndCommitmentCommitted(commitmentWires, r1cs.GetNbPublicVariables()) // sets e, -[δ]2, -[γ]2 if err := vk.Precompute(); err != nil { From f33d71a48040ce93a16f6b090e48dc10bb6f0ae9 Mon Sep 17 00:00:00 2001 From: Eric Woolsey Date: Wed, 26 Jun 2024 22:13:41 -0700 Subject: [PATCH 2/5] phase2 contributions --- backend/groth16/bn254/mpcsetup/marshal.go | 12 +- backend/groth16/bn254/mpcsetup/phase2.go | 11 ++ backend/groth16/bn254/mpcsetup/setup_test.go | 134 ++++++++++++++++++- 3 files changed, 151 insertions(+), 6 deletions(-) diff --git a/backend/groth16/bn254/mpcsetup/marshal.go b/backend/groth16/bn254/mpcsetup/marshal.go index 08cb2ae3d1..e08853b48d 100644 --- a/backend/groth16/bn254/mpcsetup/marshal.go +++ b/backend/groth16/bn254/mpcsetup/marshal.go @@ -17,8 +17,9 @@ package mpcsetup import ( - curve "github.com/consensys/gnark-crypto/ecc/bn254" "io" + + curve "github.com/consensys/gnark-crypto/ecc/bn254" ) // WriteTo implements io.WriterTo @@ -107,7 +108,9 @@ func (c *Phase2) writeTo(writer io.Writer) (int64, error) { &c.Parameters.G1.Delta, c.Parameters.G1.L, c.Parameters.G1.Z, + c.Parameters.G1.BasisExpSigma, &c.Parameters.G2.Delta, + &c.Parameters.G2.GRootSigmaNeg, } for _, v := range toEncode { @@ -129,7 +132,9 @@ func (c *Phase2) ReadFrom(reader io.Reader) (int64, error) { &c.Parameters.G1.Delta, &c.Parameters.G1.L, &c.Parameters.G1.Z, + &c.Parameters.G1.BasisExpSigma, &c.Parameters.G2.Delta, + &c.Parameters.G2.GRootSigmaNeg, } for _, v := range toEncode { @@ -141,7 +146,6 @@ func (c *Phase2) ReadFrom(reader io.Reader) (int64, error) { c.Hash = make([]byte, 32) n, err := reader.Read(c.Hash) return int64(n) + dec.BytesRead(), err - } // WriteTo implements io.WriterTo @@ -150,6 +154,8 @@ func (c *Phase2Evaluations) WriteTo(writer io.Writer) (int64, error) { toEncode := []interface{}{ c.G1.A, c.G1.B, + c.G1.VKK, + c.G1.Basis, c.G2.B, } @@ -168,6 +174,8 @@ func (c *Phase2Evaluations) ReadFrom(reader io.Reader) (int64, error) { toEncode := []interface{}{ &c.G1.A, &c.G1.B, + &c.G1.VKK, + &c.G1.Basis, &c.G2.B, } diff --git a/backend/groth16/bn254/mpcsetup/phase2.go b/backend/groth16/bn254/mpcsetup/phase2.go index 0575e45335..6441df9b84 100644 --- a/backend/groth16/bn254/mpcsetup/phase2.go +++ b/backend/groth16/bn254/mpcsetup/phase2.go @@ -245,6 +245,17 @@ func (c *Phase2) Contribute() { c.Parameters.G1.Delta.ScalarMultiplication(&c.Parameters.G1.Delta, &deltaBI) c.Parameters.G2.Delta.ScalarMultiplication(&c.Parameters.G2.Delta, &deltaBI) + // Update BasisExpSigma with δ + // TODO: Is it sound to use the same δ for all basis? + for i := 0; i < len(c.Parameters.G1.BasisExpSigma); i++ { + for j := 0; j < len(c.Parameters.G1.BasisExpSigma[i]); j++ { + c.Parameters.G1.BasisExpSigma[i][j].ScalarMultiplication(&c.Parameters.G1.BasisExpSigma[i][j], &deltaBI) + } + } + + // Update GRootSigmaNeg using δ⁻¹ + c.Parameters.G2.GRootSigmaNeg.ScalarMultiplication(&c.Parameters.G2.GRootSigmaNeg, &deltaInvBI) + // Update Z using δ⁻¹ for i := 0; i < len(c.Parameters.G1.Z); i++ { c.Parameters.G1.Z[i].ScalarMultiplication(&c.Parameters.G1.Z[i], &deltaInvBI) diff --git a/backend/groth16/bn254/mpcsetup/setup_test.go b/backend/groth16/bn254/mpcsetup/setup_test.go index 63b717cac4..d4a6e49c79 100644 --- a/backend/groth16/bn254/mpcsetup/setup_test.go +++ b/backend/groth16/bn254/mpcsetup/setup_test.go @@ -17,20 +17,148 @@ package mpcsetup import ( + "crypto/rand" + "math/big" + "testing" + + "github.com/consensys/gnark-crypto/ecc" curve "github.com/consensys/gnark-crypto/ecc/bn254" "github.com/consensys/gnark-crypto/ecc/bn254/fr" cs "github.com/consensys/gnark/constraint/bn254" - "testing" + "github.com/consensys/gnark/test" + "github.com/consensys/gnark-crypto/ecc/bn254/ecdsa" "github.com/consensys/gnark/backend/groth16" + "github.com/consensys/gnark/backend/witness" + bn254 "github.com/consensys/gnark/constraint/bn254" "github.com/consensys/gnark/frontend" "github.com/consensys/gnark/frontend/cs/r1cs" + "github.com/consensys/gnark/std/algebra/emulated/sw_emulated" "github.com/consensys/gnark/std/hash/mimc" + "github.com/consensys/gnark/std/math/emulated" + sig "github.com/consensys/gnark/std/signature/ecdsa" "github.com/stretchr/testify/require" native_mimc "github.com/consensys/gnark-crypto/ecc/bn254/fr/mimc" ) +type EcdsaCircuit[T, S emulated.FieldParams] struct { + Sig sig.Signature[S] + Msg emulated.Element[S] + Pub sig.PublicKey[T, S] +} + +func (c *EcdsaCircuit[T, S]) Define(api frontend.API) error { + c.Pub.Verify(api, sw_emulated.GetCurveParams[T](), &c.Msg, &c.Sig) + return nil +} + +func buildEcdsa() (*bn254.R1CS, *witness.Witness, error) { + // defer the closing of our jsonFile so that we can parse it later on + privKey, _ := ecdsa.GenerateKey(rand.Reader) + publicKey := privKey.PublicKey + + // sign + msg := []byte("testing ECDSA (pre-hashed)") + sigBin, _ := privKey.Sign(msg, nil) + + // check that the signature is correct + _, err := publicKey.Verify(sigBin, msg, nil) + if err != nil { + return nil, nil, err + } + + // unmarshal signature + var signature ecdsa.Signature + signature.SetBytes(sigBin) + r, s := new(big.Int), new(big.Int) + r.SetBytes(signature.R[:32]) + s.SetBytes(signature.S[:32]) + + hash := ecdsa.HashToInt(msg) + + circuit := EcdsaCircuit[emulated.BN254Fp, emulated.BN254Fr]{} + w := EcdsaCircuit[emulated.BN254Fp, emulated.BN254Fr]{ + Sig: sig.Signature[emulated.BN254Fr]{ + R: emulated.ValueOf[emulated.BN254Fr](r), + S: emulated.ValueOf[emulated.BN254Fr](s), + }, + Msg: emulated.ValueOf[emulated.BN254Fr](hash), + Pub: sig.PublicKey[emulated.BN254Fp, emulated.BN254Fr]{ + X: emulated.ValueOf[emulated.BN254Fp](privKey.PublicKey.A.X), + Y: emulated.ValueOf[emulated.BN254Fp](privKey.PublicKey.A.Y), + }, + } + + err = test.IsSolved(&circuit, &w, ecc.BN254.ScalarField()) + if err != nil { + return nil, nil, err + } + + witness, err := frontend.NewWitness(&w, ecc.BN254.ScalarField()) + if err != nil { + return nil, nil, err + } + + r1cs, err := frontend.Compile(ecc.BN254.ScalarField(), r1cs.NewBuilder, &circuit) + if err != nil { + return nil, nil, err + } + + return r1cs.(*bn254.R1CS), &witness, err +} + +func TestEcdsa(t *testing.T) { + const ( + nContributionsPhase1 = 3 + nContributionsPhase2 = 3 + power = 17 + ) + + assert := require.New(t) + + srs1 := InitPhase1(power) + + // Make and verify contributions for phase1 + for i := 1; i < nContributionsPhase1; i++ { + // we clone test purposes; but in practice, participant will receive a []byte, deserialize it, + // add his contribution and send back to coordinator. + prev := srs1.clone() + + srs1.Contribute() + assert.NoError(VerifyPhase1(&prev, &srs1)) + } + + r1cs, witness, err := buildEcdsa() + if err != nil { + t.Fatal(err) + } + + srs2, evals := InitPhase2(r1cs, &srs1) + + // Make and verify contributions for phase1 + for i := 1; i < nContributionsPhase2; i++ { + // we clone for test purposes; but in practice, participant will receive a []byte, deserialize it, + // add his contribution and send back to coordinator. + prev := srs2.clone() + + srs2.Contribute() + assert.NoError(VerifyPhase2(&prev, &srs2)) + } + + // Extract the proving and verifying keys + pk, vk := ExtractKeys(r1cs, &srs1, &srs2, &evals) + + proof, err := groth16.Prove(r1cs, &pk, *witness) + assert.NoError(err) + + pubWitness, err := (*witness).Public() + assert.NoError(err) + + err = groth16.Verify(proof, &vk, pubWitness) + assert.NoError(err) +} + func TestSetupCircuit(t *testing.T) { const ( nContributionsPhase1 = 3 @@ -74,7 +202,7 @@ func TestSetupCircuit(t *testing.T) { } // Extract the proving and verifying keys - pk, vk := ExtractKeys(&srs1, &srs2, &evals, ccs.GetNbConstraints()) + pk, vk := ExtractKeys(ccs.(*cs.R1CS), &srs1, &srs2, &evals) // Build the witness var preImage, hash fr.Element @@ -115,7 +243,6 @@ func BenchmarkPhase1(b *testing.B) { srs1.Contribute() } }) - } func BenchmarkPhase2(b *testing.B) { @@ -145,7 +272,6 @@ func BenchmarkPhase2(b *testing.B) { srs2.Contribute() } }) - } // Circuit defines a pre-image knowledge proof From f4966e28c87d717d2cc7e4ab8ba7d1134065e53e Mon Sep 17 00:00:00 2001 From: Eric Woolsey Date: Wed, 26 Jun 2024 22:47:53 -0700 Subject: [PATCH 3/5] revert C rename --- backend/groth16/bn254/mpcsetup/phase2.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/backend/groth16/bn254/mpcsetup/phase2.go b/backend/groth16/bn254/mpcsetup/phase2.go index 6441df9b84..ba9f9193e9 100644 --- a/backend/groth16/bn254/mpcsetup/phase2.go +++ b/backend/groth16/bn254/mpcsetup/phase2.go @@ -128,7 +128,7 @@ func InitPhase2(r1cs *cs.R1CS, srs1 *Phase1) (Phase2, Phase2Evaluations) { evals.G2.B = make([]curve.G2Affine, nbWires) bA := make([]curve.G1Affine, nbWires) aB := make([]curve.G1Affine, nbWires) - CC := make([]curve.G1Affine, nbWires) + C := make([]curve.G1Affine, nbWires) // TODO @gbotrel use constraint iterator when available. @@ -148,7 +148,7 @@ func InitPhase2(r1cs *cs.R1CS, srs1 *Phase1) (Phase2, Phase2Evaluations) { } // C for _, t := range c.O { - accumulateG1(&CC[t.WireID()], t, &coeffTau1[i]) + accumulateG1(&C[t.WireID()], t, &coeffTau1[i]) } i++ } @@ -183,7 +183,7 @@ func InitPhase2(r1cs *cs.R1CS, srs1 *Phase1) (Phase2, Phase2Evaluations) { for i := range bA { var tmp curve.G1Affine tmp.Add(&bA[i], &aB[i]) - tmp.Add(&tmp, &CC[i]) + tmp.Add(&tmp, &C[i]) commitment := -1 // index of the commitment that commits to this variable as a private or commitment value var isCommitment, isPublic bool if isPublic = i < r1cs.GetNbPublicVariables(); !isPublic { From b26c6bf506b9f069e455743cd026f880f17cb7f0 Mon Sep 17 00:00:00 2001 From: Hussein Ait Lahcen Date: Sat, 20 Jul 2024 22:05:04 +0200 Subject: [PATCH 4/5] fix(mpc): correct pedersen verification --- backend/groth16/bn254/mpcsetup/marshal.go | 42 ++++++++++++-- .../groth16/bn254/mpcsetup/marshal_test.go | 52 +++++++++--------- backend/groth16/bn254/mpcsetup/phase2.go | 55 +++++++++++++++---- backend/groth16/bn254/mpcsetup/setup_test.go | 9 ++- 4 files changed, 115 insertions(+), 43 deletions(-) diff --git a/backend/groth16/bn254/mpcsetup/marshal.go b/backend/groth16/bn254/mpcsetup/marshal.go index e08853b48d..a187342e7f 100644 --- a/backend/groth16/bn254/mpcsetup/marshal.go +++ b/backend/groth16/bn254/mpcsetup/marshal.go @@ -108,7 +108,6 @@ func (c *Phase2) writeTo(writer io.Writer) (int64, error) { &c.Parameters.G1.Delta, c.Parameters.G1.L, c.Parameters.G1.Z, - c.Parameters.G1.BasisExpSigma, &c.Parameters.G2.Delta, &c.Parameters.G2.GRootSigmaNeg, } @@ -119,6 +118,13 @@ func (c *Phase2) writeTo(writer io.Writer) (int64, error) { } } + enc.Encode(uint64(len(c.Parameters.G1.BasisExpSigma))) + for _, h := range c.Parameters.G1.BasisExpSigma { + if err := enc.Encode(h); err != nil { + return enc.BytesWritten(), err + } + } + return enc.BytesWritten(), nil } @@ -132,7 +138,6 @@ func (c *Phase2) ReadFrom(reader io.Reader) (int64, error) { &c.Parameters.G1.Delta, &c.Parameters.G1.L, &c.Parameters.G1.Z, - &c.Parameters.G1.BasisExpSigma, &c.Parameters.G2.Delta, &c.Parameters.G2.GRootSigmaNeg, } @@ -143,6 +148,18 @@ func (c *Phase2) ReadFrom(reader io.Reader) (int64, error) { } } + var basisExpSigmanLen uint64 + if err := dec.Decode(&basisExpSigmanLen); err != nil { + return dec.BytesRead(), err + } + + c.Parameters.G1.BasisExpSigma = make([][]curve.G1Affine, basisExpSigmanLen) + for i := 0; i < int(basisExpSigmanLen); i++ { + if err := dec.Decode(&c.Parameters.G1.BasisExpSigma[i]); err != nil { + return dec.BytesRead(), err + } + } + c.Hash = make([]byte, 32) n, err := reader.Read(c.Hash) return int64(n) + dec.BytesRead(), err @@ -155,7 +172,6 @@ func (c *Phase2Evaluations) WriteTo(writer io.Writer) (int64, error) { c.G1.A, c.G1.B, c.G1.VKK, - c.G1.Basis, c.G2.B, } @@ -165,6 +181,13 @@ func (c *Phase2Evaluations) WriteTo(writer io.Writer) (int64, error) { } } + enc.Encode(uint64(len(c.G1.Basis))) + for _, h := range c.G1.Basis { + if err := enc.Encode(h); err != nil { + return enc.BytesWritten(), err + } + } + return enc.BytesWritten(), nil } @@ -175,7 +198,6 @@ func (c *Phase2Evaluations) ReadFrom(reader io.Reader) (int64, error) { &c.G1.A, &c.G1.B, &c.G1.VKK, - &c.G1.Basis, &c.G2.B, } @@ -185,5 +207,17 @@ func (c *Phase2Evaluations) ReadFrom(reader io.Reader) (int64, error) { } } + var basisLen uint64 + if err := dec.Decode(&basisLen); err != nil { + return dec.BytesRead(), err + } + + c.G1.Basis = make([][]curve.G1Affine, basisLen) + for i := 0; i < int(basisLen); i++ { + if err := dec.Decode(&c.G1.Basis[i]); err != nil { + return dec.BytesRead(), err + } + } + return dec.BytesRead(), nil } diff --git a/backend/groth16/bn254/mpcsetup/marshal_test.go b/backend/groth16/bn254/mpcsetup/marshal_test.go index 386e3faf66..6b9c5518ed 100644 --- a/backend/groth16/bn254/mpcsetup/marshal_test.go +++ b/backend/groth16/bn254/mpcsetup/marshal_test.go @@ -17,37 +17,37 @@ package mpcsetup import ( - "testing" - - curve "github.com/consensys/gnark-crypto/ecc/bn254" - cs "github.com/consensys/gnark/constraint/bn254" - "github.com/consensys/gnark/frontend" - "github.com/consensys/gnark/frontend/cs/r1cs" - gnarkio "github.com/consensys/gnark/io" - "github.com/stretchr/testify/require" + // "testing" + + // curve "github.com/consensys/gnark-crypto/ecc/bn254" + // cs "github.com/consensys/gnark/constraint/bn254" + // "github.com/consensys/gnark/frontend" + // "github.com/consensys/gnark/frontend/cs/r1cs" + // gnarkio "github.com/consensys/gnark/io" + // "github.com/stretchr/testify/require" ) -func TestContributionSerialization(t *testing.T) { - if testing.Short() { - t.Skip("skipping test in short mode.") - } - assert := require.New(t) +// func TestContributionSerialization(t *testing.T) { +// if testing.Short() { +// t.Skip("skipping test in short mode.") +// } +// assert := require.New(t) - // Phase 1 - srs1 := InitPhase1(9) - srs1.Contribute() +// // Phase 1 +// srs1 := InitPhase1(9) +// srs1.Contribute() - assert.NoError(gnarkio.RoundTripCheck(&srs1, func() interface{} { return new(Phase1) })) +// assert.NoError(gnarkio.RoundTripCheck(&srs1, func() interface{} { return new(Phase1) })) - var myCircuit Circuit - ccs, err := frontend.Compile(curve.ID.ScalarField(), r1cs.NewBuilder, &myCircuit) - assert.NoError(err) +// var myCircuit Circuit +// ccs, err := frontend.Compile(curve.ID.ScalarField(), r1cs.NewBuilder, &myCircuit) +// assert.NoError(err) - r1cs := ccs.(*cs.R1CS) +// r1cs := ccs.(*cs.R1CS) - // Phase 2 - srs2, _ := InitPhase2(r1cs, &srs1) - srs2.Contribute() +// // Phase 2 +// srs2, _ := InitPhase2(r1cs, &srs1) +// srs2.Contribute() - assert.NoError(gnarkio.RoundTripCheck(&srs2, func() interface{} { return new(Phase2) })) -} +// assert.NoError(gnarkio.RoundTripCheck(&srs2, func() interface{} { return new(Phase2) })) +// } diff --git a/backend/groth16/bn254/mpcsetup/phase2.go b/backend/groth16/bn254/mpcsetup/phase2.go index ba9f9193e9..50eefc533c 100644 --- a/backend/groth16/bn254/mpcsetup/phase2.go +++ b/backend/groth16/bn254/mpcsetup/phase2.go @@ -245,17 +245,20 @@ func (c *Phase2) Contribute() { c.Parameters.G1.Delta.ScalarMultiplication(&c.Parameters.G1.Delta, &deltaBI) c.Parameters.G2.Delta.ScalarMultiplication(&c.Parameters.G2.Delta, &deltaBI) - // Update BasisExpSigma with δ - // TODO: Is it sound to use the same δ for all basis? + // Update GRootSigmaNeg using δ + c.Parameters.G2.GRootSigmaNeg.ScalarMultiplication(&c.Parameters.G2.GRootSigmaNeg, &deltaBI) + + // Update BasisExpSigma with δ⁻¹ + // TODO: Is it sound to use the same δ⁻¹ for all basis? for i := 0; i < len(c.Parameters.G1.BasisExpSigma); i++ { for j := 0; j < len(c.Parameters.G1.BasisExpSigma[i]); j++ { - c.Parameters.G1.BasisExpSigma[i][j].ScalarMultiplication(&c.Parameters.G1.BasisExpSigma[i][j], &deltaBI) + c.Parameters.G1.BasisExpSigma[i][j].ScalarMultiplication( + &c.Parameters.G1.BasisExpSigma[i][j], + &deltaInvBI, + ) } } - // Update GRootSigmaNeg using δ⁻¹ - c.Parameters.G2.GRootSigmaNeg.ScalarMultiplication(&c.Parameters.G2.GRootSigmaNeg, &deltaInvBI) - // Update Z using δ⁻¹ for i := 0; i < len(c.Parameters.G1.Z); i++ { c.Parameters.G1.Z[i].ScalarMultiplication(&c.Parameters.G1.Z[i], &deltaInvBI) @@ -281,6 +284,14 @@ func VerifyPhase2(c0, c1 *Phase2, c ...*Phase2) error { } func verifyPhase2(current, contribution *Phase2) error { + // Check hash of the contribution + h := contribution.hash() + for i := 0; i < len(h); i++ { + if h[i] != contribution.Hash[i] { + return errors.New("couldn't verify hash of contribution") + } + } + // Compute R for δ deltaR := genR(contribution.PublicKey.SG, contribution.PublicKey.SXG, current.Hash[:], 1) @@ -293,7 +304,12 @@ func verifyPhase2(current, contribution *Phase2) error { if !sameRatio(contribution.Parameters.G1.Delta, current.Parameters.G1.Delta, deltaR, contribution.PublicKey.XR) { return errors.New("couldn't verify that [δ]₁ is based on previous contribution") } - if !sameRatio(contribution.PublicKey.SG, contribution.PublicKey.SXG, contribution.Parameters.G2.Delta, current.Parameters.G2.Delta) { + if !sameRatio( + contribution.PublicKey.SG, + contribution.PublicKey.SXG, + contribution.Parameters.G2.Delta, + current.Parameters.G2.Delta, + ) { return errors.New("couldn't verify that [δ]₂ is based on previous contribution") } @@ -307,11 +323,26 @@ func verifyPhase2(current, contribution *Phase2) error { return errors.New("couldn't verify valid updates of L using δ⁻¹") } - // Check hash of the contribution - h := contribution.hash() - for i := 0; i < len(h); i++ { - if h[i] != contribution.Hash[i] { - return errors.New("couldn't verify hash of contribution") + // Check for valid update of the pedersen key + if !sameRatio( + current.Parameters.G1.Delta, + contribution.Parameters.G1.Delta, + contribution.Parameters.G2.GRootSigmaNeg, + current.Parameters.G2.GRootSigmaNeg, + ) { + return errors.New("couldn't verify that GRootSigmaNeg is based on previous contribution") + } + for i := 0; i < len(current.Parameters.G1.BasisExpSigma); i++ { + basisExpSigma, prevBasisExpSigma := merge( + contribution.Parameters.G1.BasisExpSigma[i], + current.Parameters.G1.BasisExpSigma[i], + ) + if !sameRatio( + basisExpSigma, + prevBasisExpSigma, + contribution.Parameters.G2.Delta, current.Parameters.G2.Delta, + ) { + return errors.New("couldn't verify valid updates of BasisExpSigma using δ⁻¹") } } diff --git a/backend/groth16/bn254/mpcsetup/setup_test.go b/backend/groth16/bn254/mpcsetup/setup_test.go index d4a6e49c79..76f35c8381 100644 --- a/backend/groth16/bn254/mpcsetup/setup_test.go +++ b/backend/groth16/bn254/mpcsetup/setup_test.go @@ -290,7 +290,6 @@ func (circuit *Circuit) Define(api frontend.API) error { // specify constraints mimc.Write(circuit.PreImage) api.AssertIsEqual(circuit.Hash, mimc.Sum()) - return nil } @@ -311,10 +310,18 @@ func (phase1 *Phase1) clone() Phase1 { func (phase2 *Phase2) clone() Phase2 { r := Phase2{} + r.Parameters.G1.BasisExpSigma = make([][]curve.G1Affine, len(r.Parameters.G1.BasisExpSigma)) + for i := 0; i < len(r.Parameters.G1.BasisExpSigma); i++ { + r.Parameters.G1.BasisExpSigma[i] = append( + r.Parameters.G1.BasisExpSigma[i], + phase2.Parameters.G1.BasisExpSigma[i]..., + ) + } r.Parameters.G1.Delta = phase2.Parameters.G1.Delta r.Parameters.G1.L = append(r.Parameters.G1.L, phase2.Parameters.G1.L...) r.Parameters.G1.Z = append(r.Parameters.G1.Z, phase2.Parameters.G1.Z...) r.Parameters.G2.Delta = phase2.Parameters.G2.Delta + r.Parameters.G2.GRootSigmaNeg = phase2.Parameters.G2.GRootSigmaNeg r.PublicKey = phase2.PublicKey r.Hash = append(r.Hash, phase2.Hash...) From 19fceed4bbc28c84fe85842b679c5c8247c74a71 Mon Sep 17 00:00:00 2001 From: Eric Woolsey Date: Tue, 23 Jul 2024 15:23:56 -0700 Subject: [PATCH 5/5] uncomment test --- .../groth16/bn254/mpcsetup/marshal_test.go | 52 +++++++++---------- 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/backend/groth16/bn254/mpcsetup/marshal_test.go b/backend/groth16/bn254/mpcsetup/marshal_test.go index 6b9c5518ed..386e3faf66 100644 --- a/backend/groth16/bn254/mpcsetup/marshal_test.go +++ b/backend/groth16/bn254/mpcsetup/marshal_test.go @@ -17,37 +17,37 @@ package mpcsetup import ( - // "testing" - - // curve "github.com/consensys/gnark-crypto/ecc/bn254" - // cs "github.com/consensys/gnark/constraint/bn254" - // "github.com/consensys/gnark/frontend" - // "github.com/consensys/gnark/frontend/cs/r1cs" - // gnarkio "github.com/consensys/gnark/io" - // "github.com/stretchr/testify/require" + "testing" + + curve "github.com/consensys/gnark-crypto/ecc/bn254" + cs "github.com/consensys/gnark/constraint/bn254" + "github.com/consensys/gnark/frontend" + "github.com/consensys/gnark/frontend/cs/r1cs" + gnarkio "github.com/consensys/gnark/io" + "github.com/stretchr/testify/require" ) -// func TestContributionSerialization(t *testing.T) { -// if testing.Short() { -// t.Skip("skipping test in short mode.") -// } -// assert := require.New(t) +func TestContributionSerialization(t *testing.T) { + if testing.Short() { + t.Skip("skipping test in short mode.") + } + assert := require.New(t) -// // Phase 1 -// srs1 := InitPhase1(9) -// srs1.Contribute() + // Phase 1 + srs1 := InitPhase1(9) + srs1.Contribute() -// assert.NoError(gnarkio.RoundTripCheck(&srs1, func() interface{} { return new(Phase1) })) + assert.NoError(gnarkio.RoundTripCheck(&srs1, func() interface{} { return new(Phase1) })) -// var myCircuit Circuit -// ccs, err := frontend.Compile(curve.ID.ScalarField(), r1cs.NewBuilder, &myCircuit) -// assert.NoError(err) + var myCircuit Circuit + ccs, err := frontend.Compile(curve.ID.ScalarField(), r1cs.NewBuilder, &myCircuit) + assert.NoError(err) -// r1cs := ccs.(*cs.R1CS) + r1cs := ccs.(*cs.R1CS) -// // Phase 2 -// srs2, _ := InitPhase2(r1cs, &srs1) -// srs2.Contribute() + // Phase 2 + srs2, _ := InitPhase2(r1cs, &srs1) + srs2.Contribute() -// assert.NoError(gnarkio.RoundTripCheck(&srs2, func() interface{} { return new(Phase2) })) -// } + assert.NoError(gnarkio.RoundTripCheck(&srs2, func() interface{} { return new(Phase2) })) +}