From b5fc8948d07bbb92bacb3c2ca28061aed1ef636f Mon Sep 17 00:00:00 2001 From: Polina Chernyshova Date: Thu, 2 Feb 2023 22:07:01 +0000 Subject: [PATCH] kzg commitment updated #113 --- .../crypto3/zk/commitments/polynomial/kzg.hpp | 94 +++++++++++-------- test/CMakeLists.txt | 1 + test/commitment/kzg.cpp | 33 +++++-- 3 files changed, 78 insertions(+), 50 deletions(-) diff --git a/include/nil/crypto3/zk/commitments/polynomial/kzg.hpp b/include/nil/crypto3/zk/commitments/polynomial/kzg.hpp index 874ca687c..a2bda671c 100644 --- a/include/nil/crypto3/zk/commitments/polynomial/kzg.hpp +++ b/include/nil/crypto3/zk/commitments/polynomial/kzg.hpp @@ -39,6 +39,8 @@ #include #include #include +#include +#include #include using namespace nil::crypto3::math; @@ -50,78 +52,90 @@ namespace nil { namespace zk { namespace commitments { template - struct kzg { + struct kzg_commitment { typedef CurveType curve_type; - typedef algebra::pairing::pairing_policy pairing; + typedef algebra::pairing::pairing_policy pairing_policy; typedef typename curve_type::gt_type::value_type gt_value_type; - using base_field_value_type = typename curve_type::base_field_type::value_type; + using multiexp_method = typename algebra::policies::multiexp_method_BDLO12; + using scalar_value_type = typename curve_type::scalar_field_type::value_type; using commitment_key_type = std::vector::value_type>; using verification_key_type = typename curve_type::template g2_type<>::value_type; using commitment_type = typename curve_type::template g1_type<>::value_type; using proof_type = commitment_type; - struct params_type { - std::size_t a; + struct kzg_params_type { + scalar_value_type alpha; //secret key + std::size_t n; //max polynomial degree }; - static std::pair setup(const std::size_t n, - params_type params) { + struct srs_type { + commitment_key_type commitment_key; + verification_key_type verification_key; + srs_type(commitment_key_type ck, verification_key_type vk) : + commitment_key(ck), verification_key(vk) {} + }; - size_t a_scaled = params.a; + static srs_type setup(kzg_params_type params) { + scalar_value_type alpha_scaled = params.alpha; commitment_key_type commitment_key = {curve_type::template g1_type<>::value_type::one()}; verification_key_type verification_key = - curve_type::template g2_type<>::value_type::one() * params.a; + curve_type::template g2_type<>::value_type::one() * params.alpha; - for (std::size_t i = 0; i < n; i++) { - commitment_key.emplace_back(a_scaled * (curve_type::template g1_type<>::value_type::one())); - a_scaled = a_scaled * params.a; + for (std::size_t i = 0; i < params.n; i++) { + commitment_key.emplace_back(alpha_scaled * (curve_type::template g1_type<>::value_type::one())); + alpha_scaled = alpha_scaled * params.alpha; } - return std::make_pair(commitment_key, verification_key); + return srs_type(std::move(commitment_key), verification_key); } - static commitment_type commit(const commitment_key_type &commitment_key, - const polynomial &f) { - - commitment_type commitment = f[0] * commitment_key[0]; - - for (std::size_t i = 0; i < f.size(); i++) { - commitment = commitment + commitment_key[i] * f[i]; - } - - return commitment; + static commitment_type commit(const srs_type &srs, + const polynomial &f) { + BOOST_ASSERT(f.size() <= srs.commitment_key.size()); + return algebra::multiexp(srs.commitment_key.begin(), + srs.commitment_key.begin() + f.size(), f.begin(), f.end(), 1); } - static proof_type proof_eval(commitment_key_type commitment_key, - typename curve_type::base_field_type::value_type x, - typename curve_type::base_field_type::value_type y, - const polynomial &f) { + static bool verify_poly(const srs_type &srs, + const polynomial &f, + const commitment_type &C_f) { + return C_f == commit(srs, f); + } - const polynomial denominator_polynom = {-x, 1}; + static proof_type proof_eval(srs_type srs, + scalar_value_type i, + const polynomial &f) { - const polynomial q = - (f + polynomial {-y}) / denominator_polynom; + const polynomial denominator_polynom = {-i, 1}; + const polynomial q = + (f - polynomial{f.evaluate(i)}) / denominator_polynom; - proof_type p = kzg_commitment::commit(commitment_key, q); + proof_type p = commit(srs, q); return p; } - static bool verify_eval(verification_key_type verification_key, + static bool verify_eval(srs_type srs, commitment_type C_f, - base_field_value_type x, - base_field_value_type y, + scalar_value_type i, + scalar_value_type eval, proof_type p) { + + using g1_precomp_type = typename pairing_policy::g1_precomputed_type; + using g2_precomp_type = typename pairing_policy::g2_precomputed_type; - typename curve_type::gt_type::value_type gt1 = - algebra::pair(C_f - curve_type::template g1_type<>::value_type::one() * y, - curve_type::template g2_type<>::value_type::one()); + g1_precomp_type A_1 = algebra::precompute_g1(p); + g2_precomp_type A_2 = algebra::precompute_g2(srs.verification_key - + i * curve_type::template g2_type<>::value_type::one()); + g1_precomp_type B_1 = algebra::precompute_g1(eval * curve_type::template g1_type<>::value_type::one() - + C_f); + g2_precomp_type B_2 = algebra::precompute_g2(curve_type::template g2_type<>::value_type::one()); - typename curve_type::gt_type::value_type gt2 = algebra::pair( - p, verification_key - curve_type::template g2_type<>::value_type::one() * x); + gt_value_type gt3 = algebra::double_miller_loop(A_1, A_2, B_1, B_2); + gt_value_type gt_4 = algebra::final_exponentiation(gt3); - return gt1 == gt2; + return gt_4 == gt_value_type::one(); } }; }; // namespace commitments diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt index ebe6227bd..6c6b41959 100644 --- a/test/CMakeLists.txt +++ b/test/CMakeLists.txt @@ -61,6 +61,7 @@ endmacro() set(TESTS_NAMES "commitment/lpc" "commitment/fri" + "commitment/kzg" "commitment/fold_polynomial" "commitment/lpc_performance" "commitment/pedersen" diff --git a/test/commitment/kzg.cpp b/test/commitment/kzg.cpp index 7d519d025..412eb49ff 100644 --- a/test/commitment/kzg.cpp +++ b/test/commitment/kzg.cpp @@ -43,7 +43,6 @@ #include using namespace nil::crypto3; -using namespace nil::crypto3::zk::snark; using namespace nil::crypto3::math; BOOST_AUTO_TEST_SUITE(kzg_test_suite) @@ -51,19 +50,33 @@ BOOST_AUTO_TEST_SUITE(kzg_test_suite) BOOST_AUTO_TEST_CASE(kzg_basic_test) { typedef algebra::curves::mnt4<298> curve_type; - typedef typename curve_type::base_field_type::value_type base_field_value_type; - typedef zk::snark::kzg_commitment kzg_type; + typedef typename curve_type::base_field_type::value_type base_value_type; + typedef typename curve_type::base_field_type base_field_type; + typedef typename curve_type::scalar_field_type scalar_field_type; + typedef typename curve_type::scalar_field_type::value_type scalar_value_type; + typedef zk::commitments::kzg_commitment kzg_type; - typename kzg_type::params_type kzg_params; - kzg_params.a = 2; + scalar_value_type alpha = 10; + scalar_value_type i = 2; + std::size_t n = 16; + const polynomial f = {-1, 1, 2, 3}; - const polynomial f = {1, 1}; + auto srs = kzg_type::setup({alpha, n}); + BOOST_CHECK(curve_type::template g1_type<>::value_type::one() == srs.commitment_key[0]); + BOOST_CHECK(10 * curve_type::template g1_type<>::value_type::one() == srs.commitment_key[1]); + BOOST_CHECK(100 * curve_type::template g1_type<>::value_type::one() == srs.commitment_key[2]); + BOOST_CHECK(1000 * curve_type::template g1_type<>::value_type::one() == srs.commitment_key[3]); + BOOST_CHECK(alpha * curve_type::template g2_type<>::value_type::one() == srs.verification_key); - auto kzg_keys = kzg_type::setup(298, kzg_params); - auto commit = kzg_type::commit(std::get<0>(kzg_keys), f); - auto proof = kzg_type::proof_eval(std::get<0>(kzg_keys), 1, 2, f); + auto commit = kzg_type::commit(srs, f); + BOOST_CHECK(3209 * curve_type::template g1_type<>::value_type::one() == commit); - BOOST_CHECK(kzg_type::verify_eval(std::get<1>(kzg_keys), commit, 1, 2, proof)); + auto eval = f.evaluate(i); + auto proof = kzg_type::proof_eval(srs, i, f); + BOOST_CHECK(33 * scalar_value_type::one() == eval); + BOOST_CHECK(397 * curve_type::template g1_type<>::value_type::one() == proof); + + BOOST_CHECK(kzg_type::verify_eval(srs, commit, i, eval, proof)); } BOOST_AUTO_TEST_SUITE_END() \ No newline at end of file