Add ra, rb, d1, d2, d3 coefficients
This commit is contained in:
parent
16ff407765
commit
36c1e2098f
1
sha256_2_vk_proof.json
1
sha256_2_vk_verifier.json
@ -106,12 +106,12 @@ class PolField {
|
|||||||
return this.reduce(res);
|
return this.reduce(res);
|
||||||
}
|
}
|
||||||
|
|
||||||
mulScalar(a, b) {
|
mulScalar(p, b) {
|
||||||
if (this.F.isZero(b)) return [];
|
if (this.F.isZero(b)) return [];
|
||||||
if (this.F.equals(b, this.F.one)) return a;
|
if (this.F.equals(b, this.F.one)) return p;
|
||||||
const res = new Array(a.length);
|
const res = new Array(p.length);
|
||||||
for (let i=0; i<a.length; i++) {
|
for (let i=0; i<p.length; i++) {
|
||||||
res[i] = this.F.mul(a[i], b);
|
res[i] = this.F.mul(p[i], b);
|
||||||
}
|
}
|
||||||
return res;
|
return res;
|
||||||
}
|
}
|
||||||
|
@ -30,6 +30,11 @@ module.exports = function genProof(vk_proof, witness) {
|
|||||||
|
|
||||||
const proof = {};
|
const proof = {};
|
||||||
|
|
||||||
|
|
||||||
|
const d1 = PolF.F.random();
|
||||||
|
const d2 = PolF.F.random();
|
||||||
|
const d3 = PolF.F.random();
|
||||||
|
|
||||||
proof.pi_a = G1.zero;
|
proof.pi_a = G1.zero;
|
||||||
proof.pi_ap = G1.zero;
|
proof.pi_ap = G1.zero;
|
||||||
proof.pi_b = G2.zero;
|
proof.pi_b = G2.zero;
|
||||||
@ -67,6 +72,19 @@ module.exports = function genProof(vk_proof, witness) {
|
|||||||
proof.pi_kp = G1.add( proof.pi_kp, G1.mulScalar( vk_proof.Kp[s], witness[s]));
|
proof.pi_kp = G1.add( proof.pi_kp, G1.mulScalar( vk_proof.Kp[s], witness[s]));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
proof.pi_a = G1.add( proof.pi_a, G1.mulScalar( vk_proof.A[vk_proof.nVars], d1));
|
||||||
|
proof.pi_ap = G1.add( proof.pi_ap, G1.mulScalar( vk_proof.Ap[vk_proof.nVars], d1));
|
||||||
|
|
||||||
|
proof.pi_b = G2.add( proof.pi_b, G2.mulScalar( vk_proof.B[vk_proof.nVars], d2));
|
||||||
|
proof.pi_bp = G1.add( proof.pi_bp, G1.mulScalar( vk_proof.Bp[vk_proof.nVars], d2));
|
||||||
|
|
||||||
|
proof.pi_c = G1.add( proof.pi_c, G1.mulScalar( vk_proof.C[vk_proof.nVars], d3));
|
||||||
|
proof.pi_cp = G1.add( proof.pi_cp, G1.mulScalar( vk_proof.Cp[vk_proof.nVars], d3));
|
||||||
|
|
||||||
|
proof.pi_kp = G1.add( proof.pi_kp, G1.mulScalar( vk_proof.Kp[vk_proof.nVars ], d1));
|
||||||
|
proof.pi_kp = G1.add( proof.pi_kp, G1.mulScalar( vk_proof.Kp[vk_proof.nVars+1], d2));
|
||||||
|
proof.pi_kp = G1.add( proof.pi_kp, G1.mulScalar( vk_proof.Kp[vk_proof.nVars+2], d3));
|
||||||
|
|
||||||
/*
|
/*
|
||||||
let polA = [];
|
let polA = [];
|
||||||
let polB = [];
|
let polB = [];
|
||||||
@ -98,7 +116,7 @@ module.exports = function genProof(vk_proof, witness) {
|
|||||||
const h = PolF.div(polFull, vk_proof.polZ );
|
const h = PolF.div(polFull, vk_proof.polZ );
|
||||||
*/
|
*/
|
||||||
|
|
||||||
const h = calculateH(vk_proof, witness);
|
const h = calculateH(vk_proof, witness, d1, d2, d3);
|
||||||
|
|
||||||
console.log(h.length + "/" + vk_proof.hExps.length);
|
console.log(h.length + "/" + vk_proof.hExps.length);
|
||||||
|
|
||||||
@ -123,7 +141,7 @@ module.exports = function genProof(vk_proof, witness) {
|
|||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
function calculateH(vk_proof, witness) {
|
function calculateH(vk_proof, witness, d1, d2, d3) {
|
||||||
|
|
||||||
const F = PolF.F;
|
const F = PolF.F;
|
||||||
const m = vk_proof.domainSize;
|
const m = vk_proof.domainSize;
|
||||||
@ -156,7 +174,7 @@ function calculateH(vk_proof, witness) {
|
|||||||
polZ_S[m] = F.one;
|
polZ_S[m] = F.one;
|
||||||
polZ_S[0] = F.neg(F.one);
|
polZ_S[0] = F.neg(F.one);
|
||||||
|
|
||||||
const H_S = PolF.div(polABC_S, polZ_S);
|
let H_S = PolF.div(polABC_S, polZ_S);
|
||||||
/*
|
/*
|
||||||
const H2S = PolF.mul(H_S, polZ_S);
|
const H2S = PolF.mul(H_S, polZ_S);
|
||||||
|
|
||||||
@ -166,5 +184,25 @@ function calculateH(vk_proof, witness) {
|
|||||||
console.log("ERROR: Not divisible!");
|
console.log("ERROR: Not divisible!");
|
||||||
}
|
}
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
/* add coefficients of the polynomial (d2*A + d1*B - d3) + d1*d2*Z */
|
||||||
|
|
||||||
|
H_S = PolF.extend(H_S, m+1);
|
||||||
|
|
||||||
|
for (let i=0; i<m; i++) {
|
||||||
|
const d2A = PolF.F.mul(d2, polA_S[i]);
|
||||||
|
const d1B = PolF.F.mul(d1, polB_S[i]);
|
||||||
|
H_S[i] = PolF.F.add(H_S[i], PolF.F.add(d2A, d1B));
|
||||||
|
}
|
||||||
|
|
||||||
|
H_S[0] = PolF.F.sub(H_S[0], d3);
|
||||||
|
|
||||||
|
// Z = x^m -1
|
||||||
|
const d1d2 = PolF.F.mul(d1, d2);
|
||||||
|
H_S[m] = PolF.F.add(H_S[m], d1d2);
|
||||||
|
H_S[0] = PolF.F.sub(H_S[0], d1d2);
|
||||||
|
|
||||||
|
H_S = PolF.reduce(PolF.affine(H_S));
|
||||||
|
|
||||||
return H_S;
|
return H_S;
|
||||||
}
|
}
|
||||||
|
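Review bot: The zero-knowledge property of the proof now rests entirely on `d1`, `d2`, `d3` in genProof being unpredictable and uniform in F_r, but `PolF.F.random()` is defined in zqfield.js outside this diff, so nothing here shows whether it is backed by a CSPRNG (e.g. `crypto.randomBytes` with unbiased reduction) or by something like `Math.random()`; if it is biased or predictable, the blinding terms added to `pi_a`/`pi_b`/`pi_c`/`pi_kp` leak information about the witness. I would state the contract at the sampling site, `// d1..d3 blind the proof (zero-knowledge): must be uniform in F_r from a CSPRNG and must never be logged or returned`, and confirm the generator before relying on this. Separately, the new loop in `calculateH`, `for (let i=0; i<m; i++)`, reads `polA_S[i]` and `polB_S[i]` up to the domain size with no length check; if those polynomials are ever held in reduced form (trailing zero coefficients dropped, which `PolF.reduce` on the returned `H_S` suggests is a representation this code uses), `F.mul(d2, undefined)` is reached, so a guard such as `const ai = i < polA_S.length ? polA_S[i] : F.zero;` (and likewise for `polB_S`) would make the blinding independent of the representation. Both `genProof` and `calculateH` begin outside the visible hunks.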
63
src/setup.js
63
src/setup.js
@ -22,13 +22,11 @@ const bigInt = require("./bigint.js");
|
|||||||
const BN128 = require("./bn128.js");
|
const BN128 = require("./bn128.js");
|
||||||
const PolField = require("./polfield.js");
|
const PolField = require("./polfield.js");
|
||||||
const ZqField = require("./zqfield.js");
|
const ZqField = require("./zqfield.js");
|
||||||
const RatField = require("./ratfield.js");
|
|
||||||
|
|
||||||
const bn128 = new BN128();
|
const bn128 = new BN128();
|
||||||
const G1 = bn128.G1;
|
const G1 = bn128.G1;
|
||||||
const G2 = bn128.G2;
|
const G2 = bn128.G2;
|
||||||
const PolF = new PolField(new ZqField(bn128.r));
|
const PolF = new PolField(new ZqField(bn128.r));
|
||||||
const RatPolF = new PolField(new RatField(new ZqField(bn128.r)));
|
|
||||||
const F = new ZqField(bn128.r);
|
const F = new ZqField(bn128.r);
|
||||||
|
|
||||||
module.exports = function setup(circuit) {
|
module.exports = function setup(circuit) {
|
||||||
@ -121,18 +119,21 @@ function calculateValuesAtT(setup, circuit) {
|
|||||||
function calculateEncriptedValuesAtT(setup, circuit) {
|
function calculateEncriptedValuesAtT(setup, circuit) {
|
||||||
|
|
||||||
const v = calculateValuesAtT(setup, circuit);
|
const v = calculateValuesAtT(setup, circuit);
|
||||||
setup.vk_proof.A = new Array(circuit.nVars);
|
setup.vk_proof.A = new Array(circuit.nVars+1);
|
||||||
setup.vk_proof.B = new Array(circuit.nVars);
|
setup.vk_proof.B = new Array(circuit.nVars+1);
|
||||||
setup.vk_proof.C = new Array(circuit.nVars);
|
setup.vk_proof.C = new Array(circuit.nVars+1);
|
||||||
setup.vk_proof.Ap = new Array(circuit.nVars);
|
setup.vk_proof.Ap = new Array(circuit.nVars+1);
|
||||||
setup.vk_proof.Bp = new Array(circuit.nVars);
|
setup.vk_proof.Bp = new Array(circuit.nVars+1);
|
||||||
setup.vk_proof.Cp = new Array(circuit.nVars);
|
setup.vk_proof.Cp = new Array(circuit.nVars+1);
|
||||||
setup.vk_proof.Kp = new Array(circuit.nVars);
|
setup.vk_proof.Kp = new Array(circuit.nVars+3);
|
||||||
setup.vk_verifier.A = new Array(circuit.nVars);
|
setup.vk_verifier.A = new Array(circuit.nVars);
|
||||||
|
|
||||||
setup.toxic.ka = F.random();
|
setup.toxic.ka = F.random();
|
||||||
setup.toxic.kb = F.random();
|
setup.toxic.kb = F.random();
|
||||||
setup.toxic.kc = F.random();
|
setup.toxic.kc = F.random();
|
||||||
|
setup.toxic.ra = F.random();
|
||||||
|
setup.toxic.rb = F.random();
|
||||||
|
setup.toxic.rc = F.mul(setup.toxic.ra, setup.toxic.rb);
|
||||||
setup.toxic.kbeta = F.random();
|
setup.toxic.kbeta = F.random();
|
||||||
setup.toxic.kgamma = F.random();
|
setup.toxic.kgamma = F.random();
|
||||||
|
|
||||||
@ -148,7 +149,8 @@ function calculateEncriptedValuesAtT(setup, circuit) {
|
|||||||
for (let s=0; s<circuit.nVars; s++) {
|
for (let s=0; s<circuit.nVars; s++) {
|
||||||
|
|
||||||
// A[i] = G1 * polA(t)
|
// A[i] = G1 * polA(t)
|
||||||
const A = G1.affine(G1.mulScalar(G1.g, v.a_t[s]));
|
const raat = F.mul(setup.toxic.ra, v.a_t[s]);
|
||||||
|
const A = G1.affine(G1.mulScalar(G1.g, raat));
|
||||||
|
|
||||||
setup.vk_proof.A[s] = A;
|
setup.vk_proof.A[s] = A;
|
||||||
|
|
||||||
@ -158,30 +160,32 @@ function calculateEncriptedValuesAtT(setup, circuit) {
|
|||||||
|
|
||||||
|
|
||||||
// B1[i] = G1 * polB(t)
|
// B1[i] = G1 * polB(t)
|
||||||
const B1 = G1.affine(G1.mulScalar(G1.g, v.b_t[s]));
|
const rbbt = F.mul(setup.toxic.rb, v.b_t[s]);
|
||||||
|
const B1 = G1.affine(G1.mulScalar(G1.g, rbbt));
|
||||||
|
|
||||||
// B2[i] = G2 * polB(t)
|
// B2[i] = G2 * polB(t)
|
||||||
const B2 = G2.affine(G2.mulScalar(G2.g, v.b_t[s]));
|
const B2 = G2.affine(G2.mulScalar(G2.g, rbbt));
|
||||||
|
|
||||||
setup.vk_proof.B[s]=B2;
|
setup.vk_proof.B[s]=B2;
|
||||||
|
|
||||||
// C[i] = G1 * polC(t)
|
// C[i] = G1 * polC(t)
|
||||||
const C = G1.affine(G1.mulScalar( G1.g, v.c_t[s]));
|
const rcct = F.mul(setup.toxic.rc, v.c_t[s]);
|
||||||
|
const C = G1.affine(G1.mulScalar( G1.g, rcct));
|
||||||
setup.vk_proof.C[s] =C;
|
setup.vk_proof.C[s] =C;
|
||||||
|
|
||||||
// K = G1 * (A+B+C)
|
// K = G1 * (A+B+C)
|
||||||
|
|
||||||
const kt = F.affine(F.add(F.add(v.a_t[s], v.b_t[s]), v.c_t[s]));
|
const kt = F.affine(F.add(F.add(raat, rbbt), rcct));
|
||||||
const K = G1.affine(G1.mulScalar( G1.g, kt));
|
const K = G1.affine(G1.mulScalar( G1.g, kt));
|
||||||
|
|
||||||
|
/*
|
||||||
// Comment this lines to improve the process
|
// Comment this lines to improve the process
|
||||||
const Ktest = G1.affine(G1.add(G1.add(A, B1), C));
|
const Ktest = G1.affine(G1.add(G1.add(A, B1), C));
|
||||||
|
|
||||||
if (!G1.equals(K, Ktest)) {
|
if (!G1.equals(K, Ktest)) {
|
||||||
console.log ("=====FAIL======");
|
console.log ("=====FAIL======");
|
||||||
}
|
}
|
||||||
|
*/
|
||||||
|
|
||||||
|
|
||||||
setup.vk_proof.Ap[s] = G1.affine(G1.mulScalar(A, setup.toxic.ka));
|
setup.vk_proof.Ap[s] = G1.affine(G1.mulScalar(A, setup.toxic.ka));
|
||||||
@ -190,14 +194,35 @@ function calculateEncriptedValuesAtT(setup, circuit) {
|
|||||||
setup.vk_proof.Kp[s] = G1.affine(G1.mulScalar(K, setup.toxic.kbeta));
|
setup.vk_proof.Kp[s] = G1.affine(G1.mulScalar(K, setup.toxic.kbeta));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Extra coeficients
|
||||||
|
const A = G1.mulScalar( G1.g, F.mul(setup.toxic.ra, v.z_t));
|
||||||
|
setup.vk_proof.A[circuit.nVars] = G1.affine(A);
|
||||||
|
setup.vk_proof.Ap[circuit.nVars] = G1.affine(G1.mulScalar(A, setup.toxic.ka));
|
||||||
|
|
||||||
|
const B1 = G1.mulScalar( G1.g, F.mul(setup.toxic.rb, v.z_t));
|
||||||
|
const B2 = G2.mulScalar( G2.g, F.mul(setup.toxic.rb, v.z_t));
|
||||||
|
setup.vk_proof.B[circuit.nVars] = G2.affine(B2);
|
||||||
|
setup.vk_proof.Bp[circuit.nVars] = G1.affine(G1.mulScalar(B1, setup.toxic.kb));
|
||||||
|
|
||||||
|
const C = G1.mulScalar( G1.g, F.mul(setup.toxic.rc, v.z_t));
|
||||||
|
setup.vk_proof.C[circuit.nVars] = G1.affine(C);
|
||||||
|
setup.vk_proof.Cp[circuit.nVars] = G1.affine(G1.mulScalar(C, setup.toxic.kc));
|
||||||
|
|
||||||
|
setup.vk_proof.Kp[circuit.nVars ] = G1.affine(G1.mulScalar(A, setup.toxic.kbeta));
|
||||||
|
setup.vk_proof.Kp[circuit.nVars+1] = G1.affine(G1.mulScalar(B1, setup.toxic.kbeta));
|
||||||
|
setup.vk_proof.Kp[circuit.nVars+2] = G1.affine(G1.mulScalar(C, setup.toxic.kbeta));
|
||||||
|
|
||||||
|
// setup.vk_verifier.A[0] = G1.affine(G1.add(setup.vk_verifier.A[0], setup.vk_proof.A[circuit.nVars]));
|
||||||
|
|
||||||
|
// vk_z
|
||||||
setup.vk_verifier.vk_z = G2.affine(G2.mulScalar(
|
setup.vk_verifier.vk_z = G2.affine(G2.mulScalar(
|
||||||
G2.g,
|
G2.g,
|
||||||
v.z_t));
|
F.mul(setup.toxic.rc, v.z_t)));
|
||||||
}
|
}
|
||||||
|
|
||||||
function calculateHexps(setup, circuit) {
|
function calculateHexps(setup) {
|
||||||
|
|
||||||
const maxH = setup.vk_proof.domainSize;
|
const maxH = setup.vk_proof.domainSize+1;
|
||||||
|
|
||||||
setup.vk_proof.hExps = new Array(maxH);
|
setup.vk_proof.hExps = new Array(maxH);
|
||||||
setup.vk_proof.hExps[0] = G1.g;
|
setup.vk_proof.hExps[0] = G1.g;
|
||||||
|
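Review bot: The new `ra`, `rb` and derived `rc = ra*rb` in calculateEncriptedValuesAtT are written to `setup.toxic` alongside `ka`/`kb`/`kc`/`kbeta`/`kgamma`, i.e. they are trapdoor material, and every `A[s]`/`B[s]`/`C[s]`/`K` term plus `vk_verifier.vk_z` is now scaled by them — yet `setup.toxic` is part of the object `setup()` returns to the caller (the test later passes the whole object through `stringifyBigInts`), so the commit widens what a careless caller can persist without saying so. I would document that at the assignment, `// ra, rb, rc are trapdoor values: all A/B/C/K exponents and vk_z are scaled by them; destroy with the rest of setup.toxic`, and add a degeneracy check right after `rb` is drawn, `if (F.isZero(setup.toxic.ra) || F.isZero(setup.toxic.rb)) throw new Error("degenerate setup randomness");`, because a zero `ra` or `rb` would collapse every scaled element and `vk_z` to the identity and nothing downstream checks for that. Whether `F.random()` is a cryptographically secure source is not visible in this diff and needs confirming as well. The enclosing function starts before the first visible hunk.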
@ -65,8 +65,5 @@ module.exports = function isValid(vk_verifier, proof, publicSignals) {
|
|||||||
)))
|
)))
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
};
|
};
|
||||||
|
@ -203,14 +203,14 @@ describe("zkSnark", () => {
|
|||||||
console.log("Start setup: "+Date().toString());
|
console.log("Start setup: "+Date().toString());
|
||||||
const setup = zkSnark.setup(cir);
|
const setup = zkSnark.setup(cir);
|
||||||
const strSetup = stringifyBigInts(setup);
|
const strSetup = stringifyBigInts(setup);
|
||||||
fs.writeFileSync("vk_proof.json", JSON.stringify(strSetup.vk_proof), "utf-8");
|
fs.writeFileSync("sha256_2_vk_proof.json", JSON.stringify(strSetup.vk_proof), "utf-8");
|
||||||
fs.writeFileSync("vk_verifier.json", JSON.stringify(strSetup.vk_verifier), "utf-8");
|
fs.writeFileSync("sha256_2_vk_verifier.json", JSON.stringify(strSetup.vk_verifier), "utf-8");
|
||||||
|
|
||||||
|
|
||||||
|
// const setup = {};
|
||||||
|
// setup.vk_proof = unstringifyBigInts(JSON.parse(fs.readFileSync("vk_proof.json", "utf8")));
|
||||||
|
// setup.vk_verifier = unstringifyBigInts(JSON.parse(fs.readFileSync("vk_verifier.json", "utf8")));
|
||||||
|
|
||||||
/*
|
|
||||||
const setup = {};
|
|
||||||
setup.vk_proof = unstringifyBigInts(JSON.parse(fs.readFileSync("vk_proof.json", "utf8")));
|
|
||||||
setup.vk_verifier = unstringifyBigInts(JSON.parse(fs.readFileSync("vk_verifier.json", "utf8")));
|
|
||||||
*/
|
|
||||||
const witness = cir.calculateWitness({"a": "1", "b": "2"});
|
const witness = cir.calculateWitness({"a": "1", "b": "2"});
|
||||||
|
|
||||||
// assert.equal(witness[cir.getSignalIdx("main.out")].toString(), "67");
|
// assert.equal(witness[cir.getSignalIdx("main.out")].toString(), "67");
|
||||||
@ -221,4 +221,6 @@ describe("zkSnark", () => {
|
|||||||
console.log("Start verifiying: "+ Date().toString());
|
console.log("Start verifiying: "+ Date().toString());
|
||||||
assert( zkSnark.isValid(setup.vk_verifier, proof, publicSignals));
|
assert( zkSnark.isValid(setup.vk_verifier, proof, publicSignals));
|
||||||
}).timeout(10000000);
|
}).timeout(10000000);
|
||||||
|
|
||||||
|
|
||||||
});
|
});
|
||||||
|