tornadocash
/
snarkjs
mirror of https://github.com/tornadocash/snarkjs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add ra, rb, d1, d2, d3 coefficients

This commit is contained in:
Jordi Baylina 2018-09-24 12:32:33 +02:00
parent 16ff407765
commit 36c1e2098f
No known key found for this signature in database
GPG Key ID: 7480C80C1BE43112
9 changed files with 108 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
sha256_2_vk_proof.json Normal file
View File

File diff suppressed because one or more lines are too long

1
sha256_2_vk_verifier.json Normal file
View File

File diff suppressed because one or more lines are too long

10
src/polfield.js
View File

@ -106,12 +106,12 @@ class PolField {
return this.reduce(res);
}
mulScalar(a, b) {
mulScalar(p, b) {
if (this.F.isZero(b)) return [];
if (this.F.equals(b, this.F.one)) return a;
const res = new Array(a.length);
for (let i=0; i<a.length; i++) {
res[i] = this.F.mul(a[i], b);
if (this.F.equals(b, this.F.one)) return p;
const res = new Array(p.length);
for (let i=0; i<p.length; i++) {
res[i] = this.F.mul(p[i], b);
}
return res;
}

44
src/prover.js
View File

@ -30,6 +30,11 @@ module.exports = function genProof(vk_proof, witness) {
const proof = {};
const d1 = PolF.F.random();
const d2 = PolF.F.random();
const d3 = PolF.F.random();
proof.pi_a = G1.zero;
proof.pi_ap = G1.zero;
proof.pi_b = G2.zero;
@ -67,6 +72,19 @@ module.exports = function genProof(vk_proof, witness) {
proof.pi_kp = G1.add( proof.pi_kp, G1.mulScalar( vk_proof.Kp[s], witness[s]));
}
proof.pi_a = G1.add( proof.pi_a, G1.mulScalar( vk_proof.A[vk_proof.nVars], d1));
proof.pi_ap = G1.add( proof.pi_ap, G1.mulScalar( vk_proof.Ap[vk_proof.nVars], d1));
proof.pi_b = G2.add( proof.pi_b, G2.mulScalar( vk_proof.B[vk_proof.nVars], d2));
proof.pi_bp = G1.add( proof.pi_bp, G1.mulScalar( vk_proof.Bp[vk_proof.nVars], d2));
proof.pi_c = G1.add( proof.pi_c, G1.mulScalar( vk_proof.C[vk_proof.nVars], d3));
proof.pi_cp = G1.add( proof.pi_cp, G1.mulScalar( vk_proof.Cp[vk_proof.nVars], d3));
proof.pi_kp = G1.add( proof.pi_kp, G1.mulScalar( vk_proof.Kp[vk_proof.nVars ], d1));
proof.pi_kp = G1.add( proof.pi_kp, G1.mulScalar( vk_proof.Kp[vk_proof.nVars+1], d2));
proof.pi_kp = G1.add( proof.pi_kp, G1.mulScalar( vk_proof.Kp[vk_proof.nVars+2], d3));
/*
let polA = [];
let polB = [];
@ -98,7 +116,7 @@ module.exports = function genProof(vk_proof, witness) {
const h = PolF.div(polFull, vk_proof.polZ );
*/
const h = calculateH(vk_proof, witness);
const h = calculateH(vk_proof, witness, d1, d2, d3);
console.log(h.length + "/" + vk_proof.hExps.length);
@ -123,7 +141,7 @@ module.exports = function genProof(vk_proof, witness) {
};
function calculateH(vk_proof, witness) {
function calculateH(vk_proof, witness, d1, d2, d3) {
const F = PolF.F;
const m = vk_proof.domainSize;
@ -156,7 +174,7 @@ function calculateH(vk_proof, witness) {
polZ_S[m] = F.one;
polZ_S[0] = F.neg(F.one);
const H_S = PolF.div(polABC_S, polZ_S);
let H_S = PolF.div(polABC_S, polZ_S);
/*
const H2S = PolF.mul(H_S, polZ_S);
@ -166,5 +184,25 @@ function calculateH(vk_proof, witness) {
console.log("ERROR: Not divisible!");
}
*/
/* add coefficients of the polynomial (d2*A + d1*B - d3) + d1*d2*Z */
H_S = PolF.extend(H_S, m+1);
for (let i=0; i<m; i++) {
const d2A = PolF.F.mul(d2, polA_S[i]);
const d1B = PolF.F.mul(d1, polB_S[i]);
H_S[i] = PolF.F.add(H_S[i], PolF.F.add(d2A, d1B));
}
H_S[0] = PolF.F.sub(H_S[0], d3);
// Z = x^m -1
const d1d2 = PolF.F.mul(d1, d2);
H_S[m] = PolF.F.add(H_S[m], d1d2);
H_S[0] = PolF.F.sub(H_S[0], d1d2);
H_S = PolF.reduce(PolF.affine(H_S));
return H_S;
}

73
src/setup.js
View File

@ -22,13 +22,11 @@ const bigInt = require("./bigint.js");
const BN128 = require("./bn128.js");
const PolField = require("./polfield.js");
const ZqField = require("./zqfield.js");
const RatField = require("./ratfield.js");
const bn128 = new BN128();
const G1 = bn128.G1;
const G2 = bn128.G2;
const PolF = new PolField(new ZqField(bn128.r));
const RatPolF = new PolField(new RatField(new ZqField(bn128.r)));
const F = new ZqField(bn128.r);
module.exports = function setup(circuit) {
@ -121,18 +119,21 @@ function calculateValuesAtT(setup, circuit) {
function calculateEncriptedValuesAtT(setup, circuit) {
const v = calculateValuesAtT(setup, circuit);
setup.vk_proof.A = new Array(circuit.nVars);
setup.vk_proof.B = new Array(circuit.nVars);
setup.vk_proof.C = new Array(circuit.nVars);
setup.vk_proof.Ap = new Array(circuit.nVars);
setup.vk_proof.Bp = new Array(circuit.nVars);
setup.vk_proof.Cp = new Array(circuit.nVars);
setup.vk_proof.Kp = new Array(circuit.nVars);
setup.vk_proof.A = new Array(circuit.nVars+1);
setup.vk_proof.B = new Array(circuit.nVars+1);
setup.vk_proof.C = new Array(circuit.nVars+1);
setup.vk_proof.Ap = new Array(circuit.nVars+1);
setup.vk_proof.Bp = new Array(circuit.nVars+1);
setup.vk_proof.Cp = new Array(circuit.nVars+1);
setup.vk_proof.Kp = new Array(circuit.nVars+3);
setup.vk_verifier.A = new Array(circuit.nVars);
setup.toxic.ka = F.random();
setup.toxic.kb = F.random();
setup.toxic.kc = F.random();
setup.toxic.ra = F.random();
setup.toxic.rb = F.random();
setup.toxic.rc = F.mul(setup.toxic.ra, setup.toxic.rb);
setup.toxic.kbeta = F.random();
setup.toxic.kgamma = F.random();
@ -148,7 +149,8 @@ function calculateEncriptedValuesAtT(setup, circuit) {
for (let s=0; s<circuit.nVars; s++) {
// A[i] = G1 * polA(t)
const A = G1.affine(G1.mulScalar(G1.g, v.a_t[s]));
const raat = F.mul(setup.toxic.ra, v.a_t[s]);
const A = G1.affine(G1.mulScalar(G1.g, raat));
setup.vk_proof.A[s] = A;
@ -158,30 +160,32 @@ function calculateEncriptedValuesAtT(setup, circuit) {
// B1[i] = G1 * polB(t)
const B1 = G1.affine(G1.mulScalar(G1.g, v.b_t[s]));
const rbbt = F.mul(setup.toxic.rb, v.b_t[s]);
const B1 = G1.affine(G1.mulScalar(G1.g, rbbt));
// B2[i] = G2 * polB(t)
const B2 = G2.affine(G2.mulScalar(G2.g, v.b_t[s]));
const B2 = G2.affine(G2.mulScalar(G2.g, rbbt));
setup.vk_proof.B[s]=B2;
// C[i] = G1 * polC(t)
const C = G1.affine(G1.mulScalar( G1.g, v.c_t[s]));
const rcct = F.mul(setup.toxic.rc, v.c_t[s]);
const C = G1.affine(G1.mulScalar( G1.g, rcct));
setup.vk_proof.C[s] =C;
// K = G1 * (A+B+C)
const kt = F.affine(F.add(F.add(v.a_t[s], v.b_t[s]), v.c_t[s]));
const kt = F.affine(F.add(F.add(raat, rbbt), rcct));
const K = G1.affine(G1.mulScalar( G1.g, kt));
/*
// Comment this lines to improve the process
const Ktest = G1.affine(G1.add(G1.add(A, B1), C));
// Comment this lines to improve the process
const Ktest = G1.affine(G1.add(G1.add(A, B1), C));
if (!G1.equals(K, Ktest)) {
console.log ("=====FAIL======");
}
if (!G1.equals(K, Ktest)) {
console.log ("=====FAIL======");
}
*/
setup.vk_proof.Ap[s] = G1.affine(G1.mulScalar(A, setup.toxic.ka));
@ -190,14 +194,35 @@ function calculateEncriptedValuesAtT(setup, circuit) {
setup.vk_proof.Kp[s] = G1.affine(G1.mulScalar(K, setup.toxic.kbeta));
}
// Extra coeficients
const A = G1.mulScalar( G1.g, F.mul(setup.toxic.ra, v.z_t));
setup.vk_proof.A[circuit.nVars] = G1.affine(A);
setup.vk_proof.Ap[circuit.nVars] = G1.affine(G1.mulScalar(A, setup.toxic.ka));
const B1 = G1.mulScalar( G1.g, F.mul(setup.toxic.rb, v.z_t));
const B2 = G2.mulScalar( G2.g, F.mul(setup.toxic.rb, v.z_t));
setup.vk_proof.B[circuit.nVars] = G2.affine(B2);
setup.vk_proof.Bp[circuit.nVars] = G1.affine(G1.mulScalar(B1, setup.toxic.kb));
const C = G1.mulScalar( G1.g, F.mul(setup.toxic.rc, v.z_t));
setup.vk_proof.C[circuit.nVars] = G1.affine(C);
setup.vk_proof.Cp[circuit.nVars] = G1.affine(G1.mulScalar(C, setup.toxic.kc));
setup.vk_proof.Kp[circuit.nVars ] = G1.affine(G1.mulScalar(A, setup.toxic.kbeta));
setup.vk_proof.Kp[circuit.nVars+1] = G1.affine(G1.mulScalar(B1, setup.toxic.kbeta));
setup.vk_proof.Kp[circuit.nVars+2] = G1.affine(G1.mulScalar(C, setup.toxic.kbeta));
// setup.vk_verifier.A[0] = G1.affine(G1.add(setup.vk_verifier.A[0], setup.vk_proof.A[circuit.nVars]));
// vk_z
setup.vk_verifier.vk_z = G2.affine(G2.mulScalar(
G2.g,
v.z_t));
F.mul(setup.toxic.rc, v.z_t)));
}
function calculateHexps(setup, circuit) {
function calculateHexps(setup) {
const maxH = setup.vk_proof.domainSize;
const maxH = setup.vk_proof.domainSize+1;
setup.vk_proof.hExps = new Array(maxH);
setup.vk_proof.hExps[0] = G1.g;

3
src/verifier.js
View File

@ -65,8 +65,5 @@ module.exports = function isValid(vk_verifier, proof, publicSignals) {
)))
return false;
return true;
};

16
test/zksnark.js
View File

@ -203,14 +203,14 @@ describe("zkSnark", () => {
console.log("Start setup: "+Date().toString());
const setup = zkSnark.setup(cir);
const strSetup = stringifyBigInts(setup);
fs.writeFileSync("vk_proof.json", JSON.stringify(strSetup.vk_proof), "utf-8");
fs.writeFileSync("vk_verifier.json", JSON.stringify(strSetup.vk_verifier), "utf-8");
fs.writeFileSync("sha256_2_vk_proof.json", JSON.stringify(strSetup.vk_proof), "utf-8");
fs.writeFileSync("sha256_2_vk_verifier.json", JSON.stringify(strSetup.vk_verifier), "utf-8");
// const setup = {};
// setup.vk_proof = unstringifyBigInts(JSON.parse(fs.readFileSync("vk_proof.json", "utf8")));
// setup.vk_verifier = unstringifyBigInts(JSON.parse(fs.readFileSync("vk_verifier.json", "utf8")));
/*
const setup = {};
setup.vk_proof = unstringifyBigInts(JSON.parse(fs.readFileSync("vk_proof.json", "utf8")));
setup.vk_verifier = unstringifyBigInts(JSON.parse(fs.readFileSync("vk_verifier.json", "utf8")));
*/
const witness = cir.calculateWitness({"a": "1", "b": "2"});
// assert.equal(witness[cir.getSignalIdx("main.out")].toString(), "67");
@ -221,4 +221,6 @@ describe("zkSnark", () => {
console.log("Start verifiying: "+ Date().toString());
assert( zkSnark.isValid(setup.vk_verifier, proof, publicSignals));
}).timeout(10000000);
});

2
vk_proof.json
View File

File diff suppressed because one or more lines are too long

2
vk_verifier.json
View File

File diff suppressed because one or more lines are too long