snarkjs/src/prover_groth.js

/*
    Copyright 2018 0kims association.

    This file is part of snarkjs.

    snarkjs is a free software: you can redistribute it and/or
    modify it under the terms of the GNU General Public License as published by the
    Free Software Foundation, either version 3 of the License, or (at your option)
    any later version.

    snarkjs is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
    or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
    more details.

    You should have received a copy of the GNU General Public License along with
    snarkjs. If not, see <https://www.gnu.org/licenses/>.
*/

/* Implementation of this paper: https://eprint.iacr.org/2016/260.pdf */

const BN128 = require("./bn128.js");
const PolField = require("./polfield.js");
const ZqField = require("./zqfield.js");

const bn128 = new BN128();
const PolF = new PolField(new ZqField(bn128.r));
const G1 = bn128.G1;
const G2 = bn128.G2;

module.exports = function genProof(vk_proof, witness) {

    const proof = {};

    const r = PolF.F.random();
    const s = PolF.F.random();

/* Uncomment to generate a deterministic proof to debug
    const r = PolF.F.zero;
    const s = PolF.F.zero;
*/


    proof.pi_a = G1.zero;
    proof.pi_b = G2.zero;
    proof.pi_c = G1.zero;

    let pib1 = G1.zero;


    // Skip public entries and the "1" signal that are forced by the verifier

    for (let s= 0; s< vk_proof.nVars; s++) {
        // pi_a = pi_a + A[s] * witness[s];
        proof.pi_a = G1.add( proof.pi_a, G1.mulScalar( vk_proof.A[s], witness[s]));

        // pi_b = pi_b + B[s] * witness[s];
        proof.pi_b = G2.add( proof.pi_b, G2.mulScalar( vk_proof.B2[s], witness[s]));

        pib1 = G1.add( pib1, G1.mulScalar( vk_proof.B1[s], witness[s]));
    }

    for (let s= vk_proof.nPublic+1; s< vk_proof.nVars; s++) {

        // pi_a  = pi_a  + A[s]  * witness[s];
        proof.pi_c  = G1.add( proof.pi_c, G1.mulScalar( vk_proof.C[s], witness[s]));
    }

    proof.pi_a  = G1.add( proof.pi_a, vk_proof.vk_alfa_1 );
    proof.pi_a  = G1.add( proof.pi_a, G1.mulScalar( vk_proof.vk_delta_1, r ));

    proof.pi_b  = G2.add( proof.pi_b, vk_proof.vk_beta_2 );
    proof.pi_b  = G2.add( proof.pi_b, G2.mulScalar( vk_proof.vk_delta_2, s ));

    pib1 = G1.add( pib1, vk_proof.vk_beta_1 );
    pib1 = G1.add( pib1, G1.mulScalar( vk_proof.vk_delta_1, s ));

    const h = calculateH(vk_proof, witness);

    // proof.pi_c = G1.affine(proof.pi_c);
    // console.log("pi_onlyc", proof.pi_c);

    for (let i = 0; i < h.length; i++) {
        // console.log(i + "->" + h[i].toString());
        proof.pi_c = G1.add( proof.pi_c, G1.mulScalar( vk_proof.hExps[i], h[i]));
    }

    // proof.pi_c = G1.affine(proof.pi_c);
    // console.log("pi_candh", proof.pi_c);

    proof.pi_c  = G1.add( proof.pi_c, G1.mulScalar( proof.pi_a, s ));
    proof.pi_c  = G1.add( proof.pi_c, G1.mulScalar( pib1, r ));
    proof.pi_c  = G1.add( proof.pi_c, G1.mulScalar( vk_proof.vk_delta_1, PolF.F.affine(PolF.F.neg(PolF.F.mul(r,s) ))));


    const publicSignals = witness.slice(1, vk_proof.nPublic+1);

    proof.pi_a = G1.affine(proof.pi_a);
    proof.pi_b = G2.affine(proof.pi_b);
    proof.pi_c = G1.affine(proof.pi_c);

    proof.protocol = "groth";

    return {proof, publicSignals};

};


function calculateH(vk_proof, witness) {

    const F = PolF.F;
    const m = vk_proof.domainSize;
    const polA_T = new Array(m).fill(PolF.F.zero);
    const polB_T = new Array(m).fill(PolF.F.zero);
    const polC_T = new Array(m).fill(PolF.F.zero);

    for (let s=0; s<vk_proof.nVars; s++) {
        for (let c in vk_proof.polsA[s]) {
            polA_T[c] = F.add(polA_T[c], F.mul(witness[s], vk_proof.polsA[s][c]));
        }
        for (let c in vk_proof.polsB[s]) {
            polB_T[c] = F.add(polB_T[c], F.mul(witness[s], vk_proof.polsB[s][c]));
        }
        for (let c in vk_proof.polsC[s]) {
            polC_T[c] = F.add(polC_T[c], F.mul(witness[s], vk_proof.polsC[s][c]));
        }
    }

    const polA_S = PolF.ifft(polA_T);
    const polB_S = PolF.ifft(polB_T);

    const polAB_S = PolF.mul(polA_S, polB_S);

    const polC_S = PolF.ifft(polC_T);

    const polABC_S = PolF.sub(polAB_S, polC_S);

    const H_S = polABC_S.slice(m);

    return H_S;
}
Prepare license 2018-09-05 04:56:49 +02:00			`/*`
Changes README, copyright and typos 2018-09-10 11:53:09 +02:00			`Copyright 2018 0kims association.`
Prepare license 2018-09-05 04:56:49 +02:00
License fix and remove gig test 2018-10-21 19:41:44 +02:00			`This file is part of snarkjs.`
Prepare license 2018-09-05 04:56:49 +02:00
License fix and remove gig test 2018-10-21 19:41:44 +02:00			`snarkjs is a free software: you can redistribute it and/or`
Important optimization for the trusted setup 2018-09-23 09:20:01 +02:00			`modify it under the terms of the GNU General Public License as published by the`
			`Free Software Foundation, either version 3 of the License, or (at your option)`
Changes README, copyright and typos 2018-09-10 11:53:09 +02:00			`any later version.`
Prepare license 2018-09-05 04:56:49 +02:00
License fix and remove gig test 2018-10-21 19:41:44 +02:00			`snarkjs is distributed in the hope that it will be useful,`
Important optimization for the trusted setup 2018-09-23 09:20:01 +02:00			`but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY`
			`or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for`
Changes README, copyright and typos 2018-09-10 11:53:09 +02:00			`more details.`
Prepare license 2018-09-05 04:56:49 +02:00
Important optimization for the trusted setup 2018-09-23 09:20:01 +02:00			`You should have received a copy of the GNU General Public License along with`
License fix and remove gig test 2018-10-21 19:41:44 +02:00			`snarkjs. If not, see <https://www.gnu.org/licenses/>.`
Prepare license 2018-09-05 04:56:49 +02:00			`*/`

Groth protocol imlemented 2018-11-10 14:43:37 +01:00			`/* Implementation of this paper: https://eprint.iacr.org/2016/260.pdf */`

uppercase conflict 2018-09-09 14:07:28 +02:00			`const BN128 = require("./bn128.js");`
snarks part done 2018-08-09 15:31:16 +02:00			`const PolField = require("./polfield.js");`
zkSnarks working 2018-08-25 00:16:12 +02:00			`const ZqField = require("./zqfield.js");`
snarks part done 2018-08-09 15:31:16 +02:00
zkSnarks working 2018-08-25 00:16:12 +02:00			`const bn128 = new BN128();`
			`const PolF = new PolField(new ZqField(bn128.r));`
			`const G1 = bn128.G1;`
			`const G2 = bn128.G2;`
Skeleton 2018-08-09 08:16:34 +02:00
			`module.exports = function genProof(vk_proof, witness) {`

snarks part done 2018-08-09 15:31:16 +02:00			`const proof = {};`

Groth protocol imlemented 2018-11-10 14:43:37 +01:00			`const r = PolF.F.random();`
			`const s = PolF.F.random();`
Add ra, rb, d1, d2, d3 coefficients 2018-09-24 12:32:33 +02:00
log functions 2019-06-16 00:12:50 +02:00			`/* Uncomment to generate a deterministic proof to debug`
			`const r = PolF.F.zero;`
			`const s = PolF.F.zero;`
			`*/`


zkSnarks working 2018-08-25 00:16:12 +02:00			`proof.pi_a = G1.zero;`
			`proof.pi_b = G2.zero;`
			`proof.pi_c = G1.zero;`
Groth protocol imlemented 2018-11-10 14:43:37 +01:00
			`let pib1 = G1.zero;`
snarks part done 2018-08-09 15:31:16 +02:00

Force 1 in the verifier 2018-08-09 18:59:39 +02:00			`// Skip public entries and the "1" signal that are forced by the verifier`
snarks part done 2018-08-09 15:31:16 +02:00
Groth protocol imlemented 2018-11-10 14:43:37 +01:00			`for (let s= 0; s< vk_proof.nVars; s++) {`
			`// pi_a = pi_a + A[s] * witness[s];`
			`proof.pi_a = G1.add( proof.pi_a, G1.mulScalar( vk_proof.A[s], witness[s]));`
snarks part done 2018-08-09 15:31:16 +02:00
Groth protocol imlemented 2018-11-10 14:43:37 +01:00			`// pi_b = pi_b + B[s] * witness[s];`
			`proof.pi_b = G2.add( proof.pi_b, G2.mulScalar( vk_proof.B2[s], witness[s]));`
snarks part done 2018-08-09 15:31:16 +02:00
Groth protocol imlemented 2018-11-10 14:43:37 +01:00			`pib1 = G1.add( pib1, G1.mulScalar( vk_proof.B1[s], witness[s]));`
			`}`
snarks part done 2018-08-09 15:31:16 +02:00
Groth protocol imlemented 2018-11-10 14:43:37 +01:00			`for (let s= vk_proof.nPublic+1; s< vk_proof.nVars; s++) {`
snarks part done 2018-08-09 15:31:16 +02:00
			`// pi_a = pi_a + A[s] * witness[s];`
zkSnarks working 2018-08-25 00:16:12 +02:00			`proof.pi_c = G1.add( proof.pi_c, G1.mulScalar( vk_proof.C[s], witness[s]));`
snarks part done 2018-08-09 15:31:16 +02:00			`}`

Groth protocol imlemented 2018-11-10 14:43:37 +01:00			`proof.pi_a = G1.add( proof.pi_a, vk_proof.vk_alfa_1 );`
			`proof.pi_a = G1.add( proof.pi_a, G1.mulScalar( vk_proof.vk_delta_1, r ));`
Add ra, rb, d1, d2, d3 coefficients 2018-09-24 12:32:33 +02:00
Groth protocol imlemented 2018-11-10 14:43:37 +01:00			`proof.pi_b = G2.add( proof.pi_b, vk_proof.vk_beta_2 );`
			`proof.pi_b = G2.add( proof.pi_b, G2.mulScalar( vk_proof.vk_delta_2, s ));`
Add ra, rb, d1, d2, d3 coefficients 2018-09-24 12:32:33 +02:00
Groth protocol imlemented 2018-11-10 14:43:37 +01:00			`pib1 = G1.add( pib1, vk_proof.vk_beta_1 );`
			`pib1 = G1.add( pib1, G1.mulScalar( vk_proof.vk_delta_1, s ));`
Add ra, rb, d1, d2, d3 coefficients 2018-09-24 12:32:33 +02:00
Small fixes and optimizations 2019-04-09 14:55:59 +02:00			`const h = calculateH(vk_proof, witness);`
snarks part done 2018-08-09 15:31:16 +02:00
log functions 2019-06-16 00:12:50 +02:00			`// proof.pi_c = G1.affine(proof.pi_c);`
			`// console.log("pi_onlyc", proof.pi_c);`

Groth protocol imlemented 2018-11-10 14:43:37 +01:00			`for (let i = 0; i < h.length; i++) {`
log functions 2019-06-16 00:12:50 +02:00			`// console.log(i + "->" + h[i].toString());`
Groth protocol imlemented 2018-11-10 14:43:37 +01:00			`proof.pi_c = G1.add( proof.pi_c, G1.mulScalar( vk_proof.hExps[i], h[i]));`
snarks part done 2018-08-09 15:31:16 +02:00			`}`

log functions 2019-06-16 00:12:50 +02:00			`// proof.pi_c = G1.affine(proof.pi_c);`
			`// console.log("pi_candh", proof.pi_c);`
Important optimization for the trusted setup 2018-09-23 09:20:01 +02:00
Groth protocol imlemented 2018-11-10 14:43:37 +01:00			`proof.pi_c = G1.add( proof.pi_c, G1.mulScalar( proof.pi_a, s ));`
			`proof.pi_c = G1.add( proof.pi_c, G1.mulScalar( pib1, r ));`
			`proof.pi_c = G1.add( proof.pi_c, G1.mulScalar( vk_proof.vk_delta_1, PolF.F.affine(PolF.F.neg(PolF.F.mul(r,s) ))));`
snarks part done 2018-08-09 15:31:16 +02:00
Important optimization for the trusted setup 2018-09-23 09:20:01 +02:00
Groth protocol imlemented 2018-11-10 14:43:37 +01:00			`const publicSignals = witness.slice(1, vk_proof.nPublic+1);`
snarks part done 2018-08-09 15:31:16 +02:00
zkSnarks working 2018-08-25 00:16:12 +02:00			`proof.pi_a = G1.affine(proof.pi_a);`
			`proof.pi_b = G2.affine(proof.pi_b);`
			`proof.pi_c = G1.affine(proof.pi_c);`
Important optimization for the trusted setup 2018-09-23 09:20:01 +02:00
Groth protocol imlemented 2018-11-10 14:43:37 +01:00			`proof.protocol = "groth";`
zkSnarks working 2018-08-25 00:16:12 +02:00
			`return {proof, publicSignals};`
Small fixes and optimizations 2019-04-09 14:55:59 +02:00
snarks part done 2018-08-09 15:31:16 +02:00			`};`
Important optimization for the trusted setup 2018-09-23 09:20:01 +02:00

Small fixes and optimizations 2019-04-09 14:55:59 +02:00			`function calculateH(vk_proof, witness) {`
Important optimization for the trusted setup 2018-09-23 09:20:01 +02:00
			`const F = PolF.F;`
			`const m = vk_proof.domainSize;`
			`const polA_T = new Array(m).fill(PolF.F.zero);`
			`const polB_T = new Array(m).fill(PolF.F.zero);`
			`const polC_T = new Array(m).fill(PolF.F.zero);`

			`for (let s=0; s<vk_proof.nVars; s++) {`
			`for (let c in vk_proof.polsA[s]) {`
			`polA_T[c] = F.add(polA_T[c], F.mul(witness[s], vk_proof.polsA[s][c]));`
			`}`
			`for (let c in vk_proof.polsB[s]) {`
			`polB_T[c] = F.add(polB_T[c], F.mul(witness[s], vk_proof.polsB[s][c]));`
			`}`
			`for (let c in vk_proof.polsC[s]) {`
			`polC_T[c] = F.add(polC_T[c], F.mul(witness[s], vk_proof.polsC[s][c]));`
			`}`
			`}`

			`const polA_S = PolF.ifft(polA_T);`
			`const polB_S = PolF.ifft(polB_T);`

			`const polAB_S = PolF.mul(polA_S, polB_S);`

			`const polC_S = PolF.ifft(polC_T);`

			`const polABC_S = PolF.sub(polAB_S, polC_S);`

Small fixes and optimizations 2019-04-09 14:55:59 +02:00			`const H_S = polABC_S.slice(m);`
Add ra, rb, d1, d2, d3 coefficients 2018-09-24 12:32:33 +02:00
Important optimization for the trusted setup 2018-09-23 09:20:01 +02:00			`return H_S;`
			`}`