Add ra, rb, d1, d2, d3 coefficients

This commit is contained in:
Jordi Baylina 2018-09-24 12:32:33 +02:00
parent 16ff407765
commit 36c1e2098f
No known key found for this signature in database
GPG Key ID: 7480C80C1BE43112
9 changed files with 108 additions and 44 deletions

1
sha256_2_vk_proof.json Normal file

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long

View File

@ -106,12 +106,12 @@ class PolField {
return this.reduce(res); return this.reduce(res);
} }
mulScalar(a, b) { mulScalar(p, b) {
if (this.F.isZero(b)) return []; if (this.F.isZero(b)) return [];
if (this.F.equals(b, this.F.one)) return a; if (this.F.equals(b, this.F.one)) return p;
const res = new Array(a.length); const res = new Array(p.length);
for (let i=0; i<a.length; i++) { for (let i=0; i<p.length; i++) {
res[i] = this.F.mul(a[i], b); res[i] = this.F.mul(p[i], b);
} }
return res; return res;
} }

View File

@ -30,6 +30,11 @@ module.exports = function genProof(vk_proof, witness) {
const proof = {}; const proof = {};
const d1 = PolF.F.random();
const d2 = PolF.F.random();
const d3 = PolF.F.random();
proof.pi_a = G1.zero; proof.pi_a = G1.zero;
proof.pi_ap = G1.zero; proof.pi_ap = G1.zero;
proof.pi_b = G2.zero; proof.pi_b = G2.zero;
@ -67,6 +72,19 @@ module.exports = function genProof(vk_proof, witness) {
proof.pi_kp = G1.add( proof.pi_kp, G1.mulScalar( vk_proof.Kp[s], witness[s])); proof.pi_kp = G1.add( proof.pi_kp, G1.mulScalar( vk_proof.Kp[s], witness[s]));
} }
proof.pi_a = G1.add( proof.pi_a, G1.mulScalar( vk_proof.A[vk_proof.nVars], d1));
proof.pi_ap = G1.add( proof.pi_ap, G1.mulScalar( vk_proof.Ap[vk_proof.nVars], d1));
proof.pi_b = G2.add( proof.pi_b, G2.mulScalar( vk_proof.B[vk_proof.nVars], d2));
proof.pi_bp = G1.add( proof.pi_bp, G1.mulScalar( vk_proof.Bp[vk_proof.nVars], d2));
proof.pi_c = G1.add( proof.pi_c, G1.mulScalar( vk_proof.C[vk_proof.nVars], d3));
proof.pi_cp = G1.add( proof.pi_cp, G1.mulScalar( vk_proof.Cp[vk_proof.nVars], d3));
proof.pi_kp = G1.add( proof.pi_kp, G1.mulScalar( vk_proof.Kp[vk_proof.nVars ], d1));
proof.pi_kp = G1.add( proof.pi_kp, G1.mulScalar( vk_proof.Kp[vk_proof.nVars+1], d2));
proof.pi_kp = G1.add( proof.pi_kp, G1.mulScalar( vk_proof.Kp[vk_proof.nVars+2], d3));
/* /*
let polA = []; let polA = [];
let polB = []; let polB = [];
@ -98,7 +116,7 @@ module.exports = function genProof(vk_proof, witness) {
const h = PolF.div(polFull, vk_proof.polZ ); const h = PolF.div(polFull, vk_proof.polZ );
*/ */
const h = calculateH(vk_proof, witness); const h = calculateH(vk_proof, witness, d1, d2, d3);
console.log(h.length + "/" + vk_proof.hExps.length); console.log(h.length + "/" + vk_proof.hExps.length);
@ -123,7 +141,7 @@ module.exports = function genProof(vk_proof, witness) {
}; };
function calculateH(vk_proof, witness) { function calculateH(vk_proof, witness, d1, d2, d3) {
const F = PolF.F; const F = PolF.F;
const m = vk_proof.domainSize; const m = vk_proof.domainSize;
@ -156,7 +174,7 @@ function calculateH(vk_proof, witness) {
polZ_S[m] = F.one; polZ_S[m] = F.one;
polZ_S[0] = F.neg(F.one); polZ_S[0] = F.neg(F.one);
const H_S = PolF.div(polABC_S, polZ_S); let H_S = PolF.div(polABC_S, polZ_S);
/* /*
const H2S = PolF.mul(H_S, polZ_S); const H2S = PolF.mul(H_S, polZ_S);
@ -166,5 +184,25 @@ function calculateH(vk_proof, witness) {
console.log("ERROR: Not divisible!"); console.log("ERROR: Not divisible!");
} }
*/ */
/* add coefficients of the polynomial (d2*A + d1*B - d3) + d1*d2*Z */
H_S = PolF.extend(H_S, m+1);
for (let i=0; i<m; i++) {
const d2A = PolF.F.mul(d2, polA_S[i]);
const d1B = PolF.F.mul(d1, polB_S[i]);
H_S[i] = PolF.F.add(H_S[i], PolF.F.add(d2A, d1B));
}
H_S[0] = PolF.F.sub(H_S[0], d3);
// Z = x^m -1
const d1d2 = PolF.F.mul(d1, d2);
H_S[m] = PolF.F.add(H_S[m], d1d2);
H_S[0] = PolF.F.sub(H_S[0], d1d2);
H_S = PolF.reduce(PolF.affine(H_S));
return H_S; return H_S;
} }

View File

@ -22,13 +22,11 @@ const bigInt = require("./bigint.js");
const BN128 = require("./bn128.js"); const BN128 = require("./bn128.js");
const PolField = require("./polfield.js"); const PolField = require("./polfield.js");
const ZqField = require("./zqfield.js"); const ZqField = require("./zqfield.js");
const RatField = require("./ratfield.js");
const bn128 = new BN128(); const bn128 = new BN128();
const G1 = bn128.G1; const G1 = bn128.G1;
const G2 = bn128.G2; const G2 = bn128.G2;
const PolF = new PolField(new ZqField(bn128.r)); const PolF = new PolField(new ZqField(bn128.r));
const RatPolF = new PolField(new RatField(new ZqField(bn128.r)));
const F = new ZqField(bn128.r); const F = new ZqField(bn128.r);
module.exports = function setup(circuit) { module.exports = function setup(circuit) {
@ -121,18 +119,21 @@ function calculateValuesAtT(setup, circuit) {
function calculateEncriptedValuesAtT(setup, circuit) { function calculateEncriptedValuesAtT(setup, circuit) {
const v = calculateValuesAtT(setup, circuit); const v = calculateValuesAtT(setup, circuit);
setup.vk_proof.A = new Array(circuit.nVars); setup.vk_proof.A = new Array(circuit.nVars+1);
setup.vk_proof.B = new Array(circuit.nVars); setup.vk_proof.B = new Array(circuit.nVars+1);
setup.vk_proof.C = new Array(circuit.nVars); setup.vk_proof.C = new Array(circuit.nVars+1);
setup.vk_proof.Ap = new Array(circuit.nVars); setup.vk_proof.Ap = new Array(circuit.nVars+1);
setup.vk_proof.Bp = new Array(circuit.nVars); setup.vk_proof.Bp = new Array(circuit.nVars+1);
setup.vk_proof.Cp = new Array(circuit.nVars); setup.vk_proof.Cp = new Array(circuit.nVars+1);
setup.vk_proof.Kp = new Array(circuit.nVars); setup.vk_proof.Kp = new Array(circuit.nVars+3);
setup.vk_verifier.A = new Array(circuit.nVars); setup.vk_verifier.A = new Array(circuit.nVars);
setup.toxic.ka = F.random(); setup.toxic.ka = F.random();
setup.toxic.kb = F.random(); setup.toxic.kb = F.random();
setup.toxic.kc = F.random(); setup.toxic.kc = F.random();
setup.toxic.ra = F.random();
setup.toxic.rb = F.random();
setup.toxic.rc = F.mul(setup.toxic.ra, setup.toxic.rb);
setup.toxic.kbeta = F.random(); setup.toxic.kbeta = F.random();
setup.toxic.kgamma = F.random(); setup.toxic.kgamma = F.random();
@ -148,7 +149,8 @@ function calculateEncriptedValuesAtT(setup, circuit) {
for (let s=0; s<circuit.nVars; s++) { for (let s=0; s<circuit.nVars; s++) {
// A[i] = G1 * polA(t) // A[i] = G1 * polA(t)
const A = G1.affine(G1.mulScalar(G1.g, v.a_t[s])); const raat = F.mul(setup.toxic.ra, v.a_t[s]);
const A = G1.affine(G1.mulScalar(G1.g, raat));
setup.vk_proof.A[s] = A; setup.vk_proof.A[s] = A;
@ -158,30 +160,32 @@ function calculateEncriptedValuesAtT(setup, circuit) {
// B1[i] = G1 * polB(t) // B1[i] = G1 * polB(t)
const B1 = G1.affine(G1.mulScalar(G1.g, v.b_t[s])); const rbbt = F.mul(setup.toxic.rb, v.b_t[s]);
const B1 = G1.affine(G1.mulScalar(G1.g, rbbt));
// B2[i] = G2 * polB(t) // B2[i] = G2 * polB(t)
const B2 = G2.affine(G2.mulScalar(G2.g, v.b_t[s])); const B2 = G2.affine(G2.mulScalar(G2.g, rbbt));
setup.vk_proof.B[s]=B2; setup.vk_proof.B[s]=B2;
// C[i] = G1 * polC(t) // C[i] = G1 * polC(t)
const C = G1.affine(G1.mulScalar( G1.g, v.c_t[s])); const rcct = F.mul(setup.toxic.rc, v.c_t[s]);
const C = G1.affine(G1.mulScalar( G1.g, rcct));
setup.vk_proof.C[s] =C; setup.vk_proof.C[s] =C;
// K = G1 * (A+B+C) // K = G1 * (A+B+C)
const kt = F.affine(F.add(F.add(v.a_t[s], v.b_t[s]), v.c_t[s])); const kt = F.affine(F.add(F.add(raat, rbbt), rcct));
const K = G1.affine(G1.mulScalar( G1.g, kt)); const K = G1.affine(G1.mulScalar( G1.g, kt));
/*
// Comment this lines to improve the process // Comment this lines to improve the process
const Ktest = G1.affine(G1.add(G1.add(A, B1), C)); const Ktest = G1.affine(G1.add(G1.add(A, B1), C));
if (!G1.equals(K, Ktest)) { if (!G1.equals(K, Ktest)) {
console.log ("=====FAIL======"); console.log ("=====FAIL======");
} }
*/
setup.vk_proof.Ap[s] = G1.affine(G1.mulScalar(A, setup.toxic.ka)); setup.vk_proof.Ap[s] = G1.affine(G1.mulScalar(A, setup.toxic.ka));
@ -190,14 +194,35 @@ function calculateEncriptedValuesAtT(setup, circuit) {
setup.vk_proof.Kp[s] = G1.affine(G1.mulScalar(K, setup.toxic.kbeta)); setup.vk_proof.Kp[s] = G1.affine(G1.mulScalar(K, setup.toxic.kbeta));
} }
// Extra coeficients
const A = G1.mulScalar( G1.g, F.mul(setup.toxic.ra, v.z_t));
setup.vk_proof.A[circuit.nVars] = G1.affine(A);
setup.vk_proof.Ap[circuit.nVars] = G1.affine(G1.mulScalar(A, setup.toxic.ka));
const B1 = G1.mulScalar( G1.g, F.mul(setup.toxic.rb, v.z_t));
const B2 = G2.mulScalar( G2.g, F.mul(setup.toxic.rb, v.z_t));
setup.vk_proof.B[circuit.nVars] = G2.affine(B2);
setup.vk_proof.Bp[circuit.nVars] = G1.affine(G1.mulScalar(B1, setup.toxic.kb));
const C = G1.mulScalar( G1.g, F.mul(setup.toxic.rc, v.z_t));
setup.vk_proof.C[circuit.nVars] = G1.affine(C);
setup.vk_proof.Cp[circuit.nVars] = G1.affine(G1.mulScalar(C, setup.toxic.kc));
setup.vk_proof.Kp[circuit.nVars ] = G1.affine(G1.mulScalar(A, setup.toxic.kbeta));
setup.vk_proof.Kp[circuit.nVars+1] = G1.affine(G1.mulScalar(B1, setup.toxic.kbeta));
setup.vk_proof.Kp[circuit.nVars+2] = G1.affine(G1.mulScalar(C, setup.toxic.kbeta));
// setup.vk_verifier.A[0] = G1.affine(G1.add(setup.vk_verifier.A[0], setup.vk_proof.A[circuit.nVars]));
// vk_z
setup.vk_verifier.vk_z = G2.affine(G2.mulScalar( setup.vk_verifier.vk_z = G2.affine(G2.mulScalar(
G2.g, G2.g,
v.z_t)); F.mul(setup.toxic.rc, v.z_t)));
} }
function calculateHexps(setup, circuit) { function calculateHexps(setup) {
const maxH = setup.vk_proof.domainSize; const maxH = setup.vk_proof.domainSize+1;
setup.vk_proof.hExps = new Array(maxH); setup.vk_proof.hExps = new Array(maxH);
setup.vk_proof.hExps[0] = G1.g; setup.vk_proof.hExps[0] = G1.g;

View File

@ -65,8 +65,5 @@ module.exports = function isValid(vk_verifier, proof, publicSignals) {
))) )))
return false; return false;
return true; return true;
}; };

View File

@ -203,14 +203,14 @@ describe("zkSnark", () => {
console.log("Start setup: "+Date().toString()); console.log("Start setup: "+Date().toString());
const setup = zkSnark.setup(cir); const setup = zkSnark.setup(cir);
const strSetup = stringifyBigInts(setup); const strSetup = stringifyBigInts(setup);
fs.writeFileSync("vk_proof.json", JSON.stringify(strSetup.vk_proof), "utf-8"); fs.writeFileSync("sha256_2_vk_proof.json", JSON.stringify(strSetup.vk_proof), "utf-8");
fs.writeFileSync("vk_verifier.json", JSON.stringify(strSetup.vk_verifier), "utf-8"); fs.writeFileSync("sha256_2_vk_verifier.json", JSON.stringify(strSetup.vk_verifier), "utf-8");
// const setup = {};
// setup.vk_proof = unstringifyBigInts(JSON.parse(fs.readFileSync("vk_proof.json", "utf8")));
// setup.vk_verifier = unstringifyBigInts(JSON.parse(fs.readFileSync("vk_verifier.json", "utf8")));
/*
const setup = {};
setup.vk_proof = unstringifyBigInts(JSON.parse(fs.readFileSync("vk_proof.json", "utf8")));
setup.vk_verifier = unstringifyBigInts(JSON.parse(fs.readFileSync("vk_verifier.json", "utf8")));
*/
const witness = cir.calculateWitness({"a": "1", "b": "2"}); const witness = cir.calculateWitness({"a": "1", "b": "2"});
// assert.equal(witness[cir.getSignalIdx("main.out")].toString(), "67"); // assert.equal(witness[cir.getSignalIdx("main.out")].toString(), "67");
@ -221,4 +221,6 @@ describe("zkSnark", () => {
console.log("Start verifiying: "+ Date().toString()); console.log("Start verifiying: "+ Date().toString());
assert( zkSnark.isValid(setup.vk_verifier, proof, publicSignals)); assert( zkSnark.isValid(setup.vk_verifier, proof, publicSignals));
}).timeout(10000000); }).timeout(10000000);
}); });

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long