From 78645c2a5d53f7a7970ab808ca1f0014b25e2947 Mon Sep 17 00:00:00 2001 From: Polina Chernyshova Date: Fri, 10 Feb 2023 12:50:33 +0000 Subject: [PATCH] kzg updated structure #113 --- .../crypto3/zk/commitments/polynomial/kzg.hpp | 346 +++++++++--------- test/commitment/kzg.cpp | 169 +++++---- 2 files changed, 272 insertions(+), 243 deletions(-) diff --git a/include/nil/crypto3/zk/commitments/polynomial/kzg.hpp b/include/nil/crypto3/zk/commitments/polynomial/kzg.hpp index a1fcdf5f1..a202186f5 100644 --- a/include/nil/crypto3/zk/commitments/polynomial/kzg.hpp +++ b/include/nil/crypto3/zk/commitments/polynomial/kzg.hpp @@ -41,25 +41,29 @@ #include #include #include -#include #include using namespace nil::crypto3; -using namespace nil::crypto3::math; namespace nil { namespace crypto3 { namespace zk { namespace commitments { - template - struct kzg_commitment; + /** + * @brief The KZG Polynomial Commitment.. + * + * References: + * "Constant-Size Commitments to Polynomials and + * Their Applications", + * Aniket Kate, Gregory M. Zaverucha, and Ian Goldberg, + * + */ template - struct kzg_commitment { + struct kzg { typedef CurveType curve_type; - typedef algebra::pairing::pairing_policy pairing_policy; typedef typename curve_type::gt_type::value_type gt_value_type; using multiexp_method = typename algebra::policies::multiexp_method_BDLO12; @@ -69,92 +73,99 @@ namespace nil { using commitment_type = typename curve_type::template g1_type<>::value_type; using proof_type = commitment_type; - struct kzg_params_type { - std::size_t n; //max polynomial degree - scalar_value_type alpha; //secret key - kzg_params_type(std::size_t _n, scalar_value_type _alpha) : n(_n), alpha(_alpha) {} - kzg_params_type(std::size_t _n) { - alpha = algebra::random_element(); - n = _n; - } - }; - - struct srs_type { + struct params_type { commitment_key_type commitment_key; verification_key_type verification_key; - srs_type(commitment_key_type ck, verification_key_type vk) : + params_type(commitment_key_type ck, verification_key_type vk) : commitment_key(ck), verification_key(vk) {} }; - - static srs_type setup(kzg_params_type params) { - scalar_value_type alpha_scaled = params.alpha; - commitment_key_type commitment_key = {curve_type::template g1_type<>::value_type::one()}; - verification_key_type verification_key = - curve_type::template g2_type<>::value_type::one() * params.alpha; - - for (std::size_t i = 0; i < params.n; i++) { - commitment_key.push_back(alpha_scaled * (curve_type::template g1_type<>::value_type::one())); - alpha_scaled = alpha_scaled * params.alpha; - } - - return srs_type(commitment_key, verification_key); - } - - static commitment_type commit(const srs_type &srs, - const polynomial &f) { - BOOST_ASSERT(f.size() <= srs.commitment_key.size()); - return algebra::multiexp(srs.commitment_key.begin(), - srs.commitment_key.begin() + f.size(), f.begin(), f.end(), 1); + }; + } // namespace commitments + + namespace algorithms { + template + static typename KZG::params_type setup(std::size_t max_degree, typename KZG::scalar_value_type alpha) { + typename KZG::scalar_value_type alpha_scaled = alpha; + typename KZG::commitment_key_type commitment_key = {KZG::curve_type::template g1_type<>::value_type::one()}; + typename KZG::verification_key_type verification_key = + KZG::curve_type::template g2_type<>::value_type::one() * alpha; + + for (std::size_t i = 0; i < max_degree; i++) { + commitment_key.push_back(alpha_scaled * (KZG::curve_type::template g1_type<>::value_type::one())); + alpha_scaled = alpha_scaled * alpha; } - static bool verify_poly(const srs_type &srs, - const polynomial &f, - const commitment_type &C_f) { - return C_f == commit(srs, f); + return typename KZG::params_type(commitment_key, verification_key); + } + + template + static typename KZG::commitment_type commit(const typename KZG::params_type ¶ms, + const typename math::polynomial &f) { + BOOST_ASSERT(f.size() <= params.commitment_key.size()); + return algebra::multiexp(params.commitment_key.begin(), + params.commitment_key.begin() + f.size(), f.begin(), f.end(), 1); + } + + template + static typename KZG::proof_type proof_eval(typename KZG::params_type params, + const typename math::polynomial &f, + typename KZG::scalar_value_type i, + typename KZG::scalar_value_type eval) { + + const typename math::polynomial denominator_polynom = {-i, 1}; + + typename math::polynomial q = f; + q[0] -= eval; + auto r = q % denominator_polynom; + if (r != typename KZG::scalar_value_type(0)) { + throw std::runtime_error("incorrect eval or point i"); } + q = q / denominator_polynom; + + return commit(params, q); + } + + template + static bool verify_eval(typename KZG::params_type params, + typename KZG::proof_type p, + typename KZG::commitment_type C_f, + typename KZG::scalar_value_type i, + typename KZG::scalar_value_type eval) { + auto A_1 = algebra::precompute_g1(p); + auto A_2 = algebra::precompute_g2(params.verification_key - + i * KZG::curve_type::template g2_type<>::value_type::one()); + auto B_1 = algebra::precompute_g1(eval * KZG::curve_type::template g1_type<>::value_type::one() - + C_f); + auto B_2 = algebra::precompute_g2(KZG::curve_type::template g2_type<>::value_type::one()); + + typename KZG::gt_value_type gt3 = algebra::double_miller_loop(A_1, A_2, B_1, B_2); + typename KZG::gt_value_type gt_4 = algebra::final_exponentiation(gt3); + + return gt_4 == KZG::gt_value_type::one(); + } + } // namespace algorithms - static proof_type proof_eval(srs_type srs, - const polynomial &f, - scalar_value_type i, - scalar_value_type eval) { - - const polynomial denominator_polynom = {-i, 1}; - - polynomial q = f; - q[0] -= eval; - auto r = q % denominator_polynom; - if (r != scalar_value_type(0)) { - throw std::runtime_error("incorrect eval or point i"); - } - q = q / denominator_polynom; - - return commit(srs, q); - } + namespace commitments { - static bool verify_eval(srs_type srs, - proof_type p, - commitment_type C_f, - scalar_value_type i, - scalar_value_type eval) { - auto A_1 = algebra::precompute_g1(p); - auto A_2 = algebra::precompute_g2(srs.verification_key - - i * curve_type::template g2_type<>::value_type::one()); - auto B_1 = algebra::precompute_g1(eval * curve_type::template g1_type<>::value_type::one() - - C_f); - auto B_2 = algebra::precompute_g2(curve_type::template g2_type<>::value_type::one()); - - gt_value_type gt3 = algebra::double_miller_loop(A_1, A_2, B_1, B_2); - gt_value_type gt_4 = algebra::final_exponentiation(gt3); - - return gt_4 == gt_value_type::one(); - } + template + struct batched_kzg_params { + constexpr static const std::size_t batch_size = BatchSize; }; - template - struct kzg_batched_commitment : public kzg_commitment { + /** + * @brief Based on the KZG Commitment. + * + * References: + * "PlonK: Permutations over Lagrange-bases for + * Oecumenical Noninteractive arguments of Knowledge", + * Ariel Gabizon, Zachary J. Williamson, Oana Ciobotaru, + * + */ + template + struct batched_kzg : public kzg { typedef CurveType curve_type; - typedef algebra::pairing::pairing_policy pairing_policy; + constexpr static const std::size_t batch_size = KZGParams::batch_size; typedef typename curve_type::gt_type::value_type gt_value_type; using multiexp_method = typename algebra::policies::multiexp_method_BDLO12; @@ -164,107 +175,114 @@ namespace nil { using commitment_type = typename curve_type::template g1_type<>::value_type; using batched_proof_type = std::vector; using evals_type = std::vector>; - using batch_of_batches_of_polynomials_type = std::vector>>; + using batch_of_batches_of_polynomials_type = std::vector>>; + + using basic_kzg = kzg; + using params_type = typename basic_kzg::params_type; + }; + } // namespace commitments - using kzg = kzg_commitment; - using kzg_params_type = typename kzg::kzg_params_type; - using srs_type = typename kzg::srs_type; + namespace algorithms { - static polynomial accumulate(const std::vector> &polys, - const scalar_value_type &factor) { - std::size_t num = polys.size(); - if (num == 1) return polys[0]; + template + static typename math::polynomial accumulate(const std::vector> &polys, + const typename KZG::scalar_value_type &factor) { + std::size_t num = polys.size(); + if (num == 1) return polys[0]; - polynomial result = polys[num - 1]; - for (int i = num - 2; i >= 0; --i) { - result = result * factor + polys[i]; - } - return result; + typename math::polynomial result = polys[num - 1]; + for (int i = num - 2; i >= 0; --i) { + result = result * factor + polys[i]; } + return result; + } - static evals_type evaluate_polynomials(const batch_of_batches_of_polynomials_type &polys, - const std::vector zs) { + template + static typename KZG::evals_type evaluate_polynomials(const typename KZG::batch_of_batches_of_polynomials_type &polys, + const std::vector zs) { - BOOST_ASSERT(polys.size() == zs.size()); + BOOST_ASSERT(polys.size() == zs.size()); - std::vector> evals; - for (std::size_t i = 0; i < polys.size(); ++i) { - std::vector evals_at_z_i; - for (const auto &poly : polys[i]) { - evals_at_z_i.push_back(poly.evaluate(zs[i])); - } - evals.push_back(evals_at_z_i); + std::vector> evals; + for (std::size_t i = 0; i < polys.size(); ++i) { + std::vector evals_at_z_i; + for (const auto &poly : polys[i]) { + evals_at_z_i.push_back(poly.evaluate(zs[i])); } - - return evals; + evals.push_back(evals_at_z_i); } - static std::vector commit(const srs_type &srs, - const std::vector> &polys) { - std::vector commitments; - for (const auto &poly : polys) { - commitments.push_back(kzg::commit(srs, poly)); - } - return commitments; - } + return evals; + } - static batched_proof_type proof_eval(const srs_type &srs, - const batch_of_batches_of_polynomials_type &polys, - const evals_type &evals, - const std::vector zs, - const std::vector gammas) { - - BOOST_ASSERT(polys.size() == evals.size()); - BOOST_ASSERT(polys.size() == gammas.size()); - std::vector proofs; - - for (std::size_t i = 0; i < polys.size(); ++i) { - auto accum = accumulate(polys[i], gammas[i]); - auto accum_eval = polynomial{evals[i]}.evaluate(gammas[i]); - typename kzg::proof_type proof = kzg::proof_eval(srs, accum, zs[i], accum_eval); - proofs.push_back(proof); - } - - return proofs; + template + static std::vector commit(const typename KZG::params_type ¶ms, + const std::vector> &polys) { + std::vector commitments; + for (const auto &poly : polys) { + commitments.push_back(commit(params, poly)); } - - static bool verify_eval(srs_type srs, - const batched_proof_type &proof, - const evals_type &evals, - const std::vector> &commits, - std::vector zs, - std::vector gammas, - scalar_value_type r) { - - auto F = curve_type::template g1_type<>::value_type::zero(); - auto z_r_proofs = curve_type::template g1_type<>::value_type::zero(); - auto r_proofs = curve_type::template g1_type<>::value_type::zero(); - auto cur_r = scalar_value_type::one(); - for (std::size_t i = 0; i < proof.size(); ++i) { - auto eval_accum = evals[i].back(); - auto comm_accum = commits[i].back(); - for (int j = commits[i].size() - 2; j >= 0; --j) { - comm_accum = (gammas[i] * comm_accum) + commits[i][j]; - eval_accum = (eval_accum * gammas[i]) + evals[i][j]; - } - F = F + cur_r * (comm_accum - eval_accum * curve_type::template g1_type<>::value_type::one()); - z_r_proofs = z_r_proofs + cur_r * zs[i] * proof[i]; - r_proofs = r_proofs - cur_r * proof[i]; - cur_r = cur_r * r; + return commitments; + } + + template + static typename KZG::batched_proof_type proof_eval(const typename KZG::params_type ¶ms, + const typename KZG::batch_of_batches_of_polynomials_type &polys, + const typename KZG::evals_type &evals, + const std::vector zs, + const std::vector gammas) { + + BOOST_ASSERT(polys.size() == evals.size()); + BOOST_ASSERT(polys.size() == gammas.size()); + std::vector proofs; + + for (std::size_t i = 0; i < polys.size(); ++i) { + auto accum = accumulate(polys[i], gammas[i]); + auto accum_eval = typename math::polynomial{evals[i]}.evaluate(gammas[i]); + typename KZG::basic_kzg::proof_type proof = proof_eval(params, accum, zs[i], accum_eval); + proofs.push_back(proof); + } + + return proofs; + } + + template + static bool verify_eval(typename KZG::params_type params, + const typename KZG::batched_proof_type &proof, + const typename KZG::evals_type &evals, + const std::vector> &commits, + std::vector zs, + std::vector gammas, + typename KZG::scalar_value_type r) { + + auto F = KZG::curve_type::template g1_type<>::value_type::zero(); + auto z_r_proofs = KZG::curve_type::template g1_type<>::value_type::zero(); + auto r_proofs = KZG::curve_type::template g1_type<>::value_type::zero(); + auto cur_r = KZG::scalar_value_type::one(); + for (std::size_t i = 0; i < proof.size(); ++i) { + auto eval_accum = evals[i].back(); + auto comm_accum = commits[i].back(); + for (int j = commits[i].size() - 2; j >= 0; --j) { + comm_accum = (gammas[i] * comm_accum) + commits[i][j]; + eval_accum = (eval_accum * gammas[i]) + evals[i][j]; } + F = F + cur_r * (comm_accum - eval_accum * KZG::curve_type::template g1_type<>::value_type::one()); + z_r_proofs = z_r_proofs + cur_r * zs[i] * proof[i]; + r_proofs = r_proofs - cur_r * proof[i]; + cur_r = cur_r * r; + } - auto A_1 = algebra::precompute_g1(F + z_r_proofs); - auto A_2 = algebra::precompute_g2(curve_type::template g2_type<>::value_type::one()); - auto B_1 = algebra::precompute_g1(r_proofs); - auto B_2 = algebra::precompute_g2(srs.verification_key); + auto A_1 = algebra::precompute_g1(F + z_r_proofs); + auto A_2 = algebra::precompute_g2(KZG::curve_type::template g2_type<>::value_type::one()); + auto B_1 = algebra::precompute_g1(r_proofs); + auto B_2 = algebra::precompute_g2(params.verification_key); - gt_value_type gt3 = algebra::double_miller_loop(A_1, A_2, B_1, B_2); - gt_value_type gt_4 = algebra::final_exponentiation(gt3); + typename KZG::gt_value_type gt3 = algebra::double_miller_loop(A_1, A_2, B_1, B_2); + typename KZG::gt_value_type gt_4 = algebra::final_exponentiation(gt3); - return gt_4 == gt_value_type::one(); - } - }; - }; // namespace commitments + return gt_4 == KZG::gt_value_type::one(); + } + } // namespace algorithms } // namespace zk } // namespace crypto3 } // namespace nil diff --git a/test/commitment/kzg.cpp b/test/commitment/kzg.cpp index 7023c8231..c300223cd 100644 --- a/test/commitment/kzg.cpp +++ b/test/commitment/kzg.cpp @@ -63,29 +63,29 @@ BOOST_AUTO_TEST_CASE(kzg_basic_test) { typedef typename curve_type::base_field_type base_field_type; typedef typename curve_type::scalar_field_type scalar_field_type; typedef typename curve_type::scalar_field_type::value_type scalar_value_type; - typedef zk::commitments::kzg_commitment kzg_type; + typedef zk::commitments::kzg kzg_type; scalar_value_type alpha = 10; scalar_value_type i = 2; std::size_t n = 16; const polynomial f = {-1, 1, 2, 3}; - auto srs = kzg_type::setup({n, alpha}); - BOOST_CHECK(curve_type::template g1_type<>::value_type::one() == srs.commitment_key[0]); - BOOST_CHECK(10 * curve_type::template g1_type<>::value_type::one() == srs.commitment_key[1]); - BOOST_CHECK(100 * curve_type::template g1_type<>::value_type::one() == srs.commitment_key[2]); - BOOST_CHECK(1000 * curve_type::template g1_type<>::value_type::one() == srs.commitment_key[3]); - BOOST_CHECK(alpha * curve_type::template g2_type<>::value_type::one() == srs.verification_key); + auto params = zk::algorithms::setup(n, alpha); + BOOST_CHECK(curve_type::template g1_type<>::value_type::one() == params.commitment_key[0]); + BOOST_CHECK(10 * curve_type::template g1_type<>::value_type::one() == params.commitment_key[1]); + BOOST_CHECK(100 * curve_type::template g1_type<>::value_type::one() == params.commitment_key[2]); + BOOST_CHECK(1000 * curve_type::template g1_type<>::value_type::one() == params.commitment_key[3]); + BOOST_CHECK(alpha * curve_type::template g2_type<>::value_type::one() == params.verification_key); - auto commit = kzg_type::commit(srs, f); + auto commit = zk::algorithms::commit(params, f); BOOST_CHECK(3209 * curve_type::template g1_type<>::value_type::one() == commit); auto eval = f.evaluate(i); - auto proof = kzg_type::proof_eval(srs, f, i, eval); + auto proof = zk::algorithms::proof_eval(params, f, i, eval); BOOST_CHECK(33 * scalar_value_type::one() == eval); BOOST_CHECK(397 * curve_type::template g1_type<>::value_type::one() == proof); - BOOST_CHECK(kzg_type::verify_eval(srs, proof, commit, i, eval)); + BOOST_CHECK(zk::algorithms::verify_eval(params, proof, commit, i, eval)); } BOOST_AUTO_TEST_CASE(kzg_random_test) { @@ -95,19 +95,19 @@ BOOST_AUTO_TEST_CASE(kzg_random_test) { typedef typename curve_type::base_field_type base_field_type; typedef typename curve_type::scalar_field_type scalar_field_type; typedef typename curve_type::scalar_field_type::value_type scalar_value_type; - typedef zk::commitments::kzg_commitment kzg_type; + typedef zk::commitments::kzg kzg_type; scalar_value_type i = algebra::random_element(); + scalar_value_type alpha = algebra::random_element(); std::size_t n = 298; const polynomial f = {-1, 1, 2, 3, 5, -15}; - auto kzg_params = kzg_type::kzg_params_type(n); - auto srs = kzg_type::setup(kzg_params); - auto commit = kzg_type::commit(srs, f); + auto params = zk::algorithms::setup(n, alpha); + auto commit = zk::algorithms::commit(params, f); auto eval = f.evaluate(i); - auto proof = kzg_type::proof_eval(srs, f, i, eval); + auto proof = zk::algorithms::proof_eval(params, f, i, eval); - BOOST_CHECK(kzg_type::verify_eval(srs, proof, commit, i, eval)); + BOOST_CHECK(zk::algorithms::verify_eval(params, proof, commit, i, eval)); } BOOST_AUTO_TEST_CASE(kzg_false_test) { @@ -117,74 +117,78 @@ BOOST_AUTO_TEST_CASE(kzg_false_test) { typedef typename curve_type::base_field_type base_field_type; typedef typename curve_type::scalar_field_type scalar_field_type; typedef typename curve_type::scalar_field_type::value_type scalar_value_type; - typedef zk::commitments::kzg_commitment kzg_type; + typedef zk::commitments::kzg kzg_type; scalar_value_type alpha = 10; scalar_value_type i = 2; std::size_t n = 16; const polynomial f = {100, 1, 2, 3}; - auto srs = kzg_type::setup({n, alpha}); + auto params = zk::algorithms::setup(n, alpha); - auto commit = kzg_type::commit(srs, f); + auto commit = zk::algorithms::commit(params, f); auto eval = f.evaluate(i); - auto proof = kzg_type::proof_eval(srs, f, i, eval); + auto proof = zk::algorithms::proof_eval(params, f, i, eval); - BOOST_CHECK(kzg_type::verify_eval(srs, proof, commit, i, eval)); + BOOST_CHECK(zk::algorithms::verify_eval(params, proof, commit, i, eval)); - // wrong srs - auto ck2 = srs.commitment_key; + // wrong params + auto ck2 = params.commitment_key; ck2[0] = ck2[0] * 2; - auto srs2 = kzg_type::srs_type(ck2, srs.verification_key * 2); - BOOST_CHECK(!kzg_type::verify_eval(srs2, proof, commit, i, eval)); + auto params2 = kzg_type::params_type(ck2, params.verification_key * 2); + BOOST_CHECK(!zk::algorithms::verify_eval(params2, proof, commit, i, eval)); // wrong commit auto commit2 = commit * 2; - BOOST_CHECK(!kzg_type::verify_eval(srs, proof, commit2, i, eval)); + BOOST_CHECK(!zk::algorithms::verify_eval(params, proof, commit2, i, eval)); // wrong i auto i2 = i * 2; - BOOST_CHECK(!kzg_type::verify_eval(srs, proof, commit, i2, eval)); + BOOST_CHECK(!zk::algorithms::verify_eval(params, proof, commit, i2, eval)); // wrong eval auto eval2 = eval * 2; - BOOST_CHECK(!kzg_type::verify_eval(srs, proof, commit, i, eval2)); + BOOST_CHECK(!zk::algorithms::verify_eval(params, proof, commit, i, eval2)); // wrong proof { - // wrong srs + // wrong params typename kzg_type::proof_type proof2; bool exception = false; - try {proof2 = kzg_type::proof_eval(srs2, f, i, eval);} + try {proof2 = zk::algorithms::proof_eval(params2, f, i, eval);} catch (std::runtime_error& e) {exception = true;} if (!exception) { BOOST_CHECK(proof2 != proof); - BOOST_CHECK_MESSAGE(!kzg_type::verify_eval(srs, proof2, commit, i, eval), "wrong srs"); + BOOST_CHECK_MESSAGE(!zk::algorithms::verify_eval(params, proof2, commit, i, eval), "wrong params"); } // wrong i exception = false; - try {proof2 = kzg_type::proof_eval(srs, f, i2, eval);} + try {proof2 = zk::algorithms::proof_eval(params, f, i2, eval);} catch (std::runtime_error& e) {exception = true;} if (!exception) { BOOST_CHECK(proof2 != proof); - BOOST_CHECK_MESSAGE(!kzg_type::verify_eval(srs, proof2, commit, i, eval), "wrong i"); + BOOST_CHECK_MESSAGE(!zk::algorithms::verify_eval(params, proof2, commit, i, eval), "wrong i"); } // wrong eval exception = false; - try {proof2 = kzg_type::proof_eval(srs, f, i, eval2);} + try {proof2 = zk::algorithms::proof_eval(params, f, i, eval2);} catch (std::runtime_error& e) {exception = true;} if (!exception) { BOOST_CHECK(proof2 != proof); - BOOST_CHECK_MESSAGE(!kzg_type::verify_eval(srs, proof2, commit, i, eval), "wrong eval"); + BOOST_CHECK_MESSAGE(!zk::algorithms::verify_eval(params, proof2, commit, i, eval), "wrong eval"); } } auto proof2 = proof * 2; - BOOST_CHECK(!kzg_type::verify_eval(srs, proof2, commit, i, eval)); + BOOST_CHECK(!zk::algorithms::verify_eval(params, proof2, commit, i, eval)); } +BOOST_AUTO_TEST_SUITE_END() + +BOOST_AUTO_TEST_SUITE(batched_kzg_test_suite) + BOOST_AUTO_TEST_CASE(kzg_batched_accumulate_test) { typedef algebra::curves::mnt4<298> curve_type; @@ -192,7 +196,9 @@ BOOST_AUTO_TEST_CASE(kzg_batched_accumulate_test) { typedef typename curve_type::base_field_type base_field_type; typedef typename curve_type::scalar_field_type scalar_field_type; typedef typename curve_type::scalar_field_type::value_type scalar_value_type; - typedef zk::commitments::kzg_batched_commitment kzg_type; + + typedef zk::commitments::batched_kzg_params<2> batched_kzg_params_type; + typedef zk::commitments::batched_kzg kzg_type; { const std::vector> polynomials = {{ @@ -202,7 +208,7 @@ BOOST_AUTO_TEST_CASE(kzg_batched_accumulate_test) { const polynomial expect_result = {1, 2, 3, 4}; - BOOST_CHECK(expect_result == kzg_type::accumulate(polynomials, beta)); + BOOST_CHECK(expect_result == zk::algorithms::accumulate(polynomials, beta)); } { @@ -221,7 +227,7 @@ BOOST_AUTO_TEST_CASE(kzg_batched_accumulate_test) { 0 + beta * 0 + beta * beta * 12 }; - BOOST_CHECK(expect_result == kzg_type::accumulate(polynomials, beta)); + BOOST_CHECK(expect_result == zk::algorithms::accumulate(polynomials, beta)); } { @@ -242,7 +248,7 @@ BOOST_AUTO_TEST_CASE(kzg_batched_accumulate_test) { 8 + beta * 0}; const polynomial actual = - kzg_type::accumulate(f_set, beta); + zk::algorithms::accumulate(f_set, beta); BOOST_CHECK(expect == actual); } @@ -255,7 +261,9 @@ BOOST_AUTO_TEST_CASE(kzg_batched_basic_test) { typedef typename curve_type::base_field_type base_field_type; typedef typename curve_type::scalar_field_type scalar_field_type; typedef typename curve_type::scalar_field_type::value_type scalar_value_type; - typedef zk::commitments::kzg_batched_commitment kzg_type; + + typedef zk::commitments::batched_kzg_params<2> batched_kzg_params_type; + typedef zk::commitments::batched_kzg kzg_type; scalar_value_type alpha = 7; std::size_t n = 8; @@ -273,13 +281,13 @@ BOOST_AUTO_TEST_CASE(kzg_batched_basic_test) { typename kzg_type::batch_of_batches_of_polynomials_type polys = {fs, gs}; std::vector zs = {123, 456}; - auto evals = kzg_type::evaluate_polynomials(polys, zs); + auto evals = zk::algorithms::evaluate_polynomials(polys, zs); - auto srs = kzg_type::setup({n, alpha}); + auto params = zk::algorithms::setup(n, alpha); std::vector gammas = {54321, 98760}; - auto proof = kzg_type::proof_eval(srs, polys, evals, zs, gammas); + auto proof = zk::algorithms::proof_eval(params, polys, evals, zs, gammas); for (size_t j = 0; j < proof.size(); ++j) { scalar_value_type h0_x = scalar_value_type::zero(); @@ -293,9 +301,9 @@ BOOST_AUTO_TEST_CASE(kzg_batched_basic_test) { } scalar_value_type r = 23546; - auto c0 = kzg_type::commit(srs, fs); - auto c1 = kzg_type::commit(srs, gs); - BOOST_CHECK(kzg_type::verify_eval(srs, proof, evals, {c0, c1}, zs, gammas, r)); + auto c0 = zk::algorithms::commit(params, fs); + auto c1 = zk::algorithms::commit(params, gs); + BOOST_CHECK(zk::algorithms::verify_eval(params, proof, evals, {c0, c1}, zs, gammas, r)); } BOOST_AUTO_TEST_CASE(kzg_batched_random_test) { @@ -305,9 +313,12 @@ BOOST_AUTO_TEST_CASE(kzg_batched_random_test) { typedef typename curve_type::base_field_type base_field_type; typedef typename curve_type::scalar_field_type scalar_field_type; typedef typename curve_type::scalar_field_type::value_type scalar_value_type; - typedef zk::commitments::kzg_batched_commitment kzg_type; + + typedef zk::commitments::batched_kzg_params<2> batched_kzg_params_type; + typedef zk::commitments::batched_kzg kzg_type; std::size_t n = 298; + scalar_value_type alpha = algebra::random_element(); const std::vector> f0{{ {{1, 2, 3, 4, 5, 6, 7, 8}}, {{11, 12, 13, 14, 15, 16, 17}}, @@ -331,18 +342,16 @@ BOOST_AUTO_TEST_CASE(kzg_batched_random_test) { for (std::size_t i = 0; i < num_polys; ++i) { zs.push_back(algebra::random_element()); } - auto evals = kzg_type::evaluate_polynomials(polys, zs); + auto evals = zk::algorithms::evaluate_polynomials(polys, zs); - auto kzg_params = kzg_type::kzg_params_type(n); - auto alpha = kzg_params.alpha; - auto srs = kzg_type::setup(kzg_params); + auto params = zk::algorithms::setup(n, alpha); std::vector gammas; for (std::size_t i = 0; i < num_polys; ++i) { gammas.push_back(algebra::random_element()); } - auto proof = kzg_type::proof_eval(srs, polys, evals, zs, gammas); + auto proof = zk::algorithms::proof_eval(params, polys, evals, zs, gammas); for (std::size_t j = 0; j < proof.size(); ++j) { scalar_value_type h0_x = scalar_value_type::zero(); @@ -358,9 +367,9 @@ BOOST_AUTO_TEST_CASE(kzg_batched_random_test) { scalar_value_type r = algebra::random_element(); std::vector> cs; for (std::size_t j = 0; j < num_polys; ++j) { - cs.push_back(kzg_type::commit(srs, polys[j])); + cs.push_back(zk::algorithms::commit(params, polys[j])); } - BOOST_CHECK(kzg_type::verify_eval(srs, proof, evals, cs, zs, gammas, r)); + BOOST_CHECK(zk::algorithms::verify_eval(params, proof, evals, cs, zs, gammas, r)); } BOOST_AUTO_TEST_CASE(kzg_batched_false_test) { @@ -370,7 +379,9 @@ BOOST_AUTO_TEST_CASE(kzg_batched_false_test) { typedef typename curve_type::base_field_type base_field_type; typedef typename curve_type::scalar_field_type scalar_field_type; typedef typename curve_type::scalar_field_type::value_type scalar_value_type; - typedef zk::commitments::kzg_batched_commitment kzg_type; + + typedef zk::commitments::batched_kzg_params<2> batched_kzg_params_type; + typedef zk::commitments::batched_kzg kzg_type; scalar_value_type alpha = 7; std::size_t n = 298; @@ -392,92 +403,92 @@ BOOST_AUTO_TEST_CASE(kzg_batched_false_test) { std::size_t num_polys = polys.size(); std::vector zs = {123, 456, 789}; - auto evals = kzg_type::evaluate_polynomials(polys, zs); + auto evals = zk::algorithms::evaluate_polynomials(polys, zs); - auto srs = kzg_type::setup({n, alpha}); + auto params = zk::algorithms::setup(n, alpha); std::vector gammas = {54321, 98760, 12345}; - auto proof = kzg_type::proof_eval(srs, polys, evals, zs, gammas); + auto proof = zk::algorithms::proof_eval(params, polys, evals, zs, gammas); scalar_value_type r = 23546; std::vector> cs; for (std::size_t j = 0; j < num_polys; ++j) { - cs.push_back(kzg_type::commit(srs, polys[j])); + cs.push_back(zk::algorithms::commit(params, polys[j])); } - BOOST_CHECK(kzg_type::verify_eval(srs, proof, evals, cs, zs, gammas, r)); + BOOST_CHECK(zk::algorithms::verify_eval(params, proof, evals, cs, zs, gammas, r)); // wrong verification key - auto ck2 = srs.commitment_key; + auto ck2 = params.commitment_key; ck2[0] = ck2[0] * 2; - auto srs2 = kzg_type::srs_type(ck2, srs.verification_key * 2); - BOOST_CHECK(!kzg_type::verify_eval(srs2, proof, evals, cs, zs, gammas, r)); + auto params2 = kzg_type::params_type(ck2, params.verification_key * 2); + BOOST_CHECK(!zk::algorithms::verify_eval(params2, proof, evals, cs, zs, gammas, r)); // wrong evals auto evals2 = evals; evals2[evals.size() / 2][0] = evals2[evals.size() / 2][0] * 2; - BOOST_CHECK(!kzg_type::verify_eval(srs, proof, evals2, cs, zs, gammas, r)); + BOOST_CHECK(!zk::algorithms::verify_eval(params, proof, evals2, cs, zs, gammas, r)); // wrong commitments auto cs2 = cs; cs2[0].back() = cs2[0].back() * 2; - BOOST_CHECK(!kzg_type::verify_eval(srs, proof, evals, cs2, zs, gammas, r)); + BOOST_CHECK(!zk::algorithms::verify_eval(params, proof, evals, cs2, zs, gammas, r)); // wrong zs auto zs2 = zs; zs2[zs2.size() / 2] = zs2[zs2.size() / 2] * 2; - BOOST_CHECK(!kzg_type::verify_eval(srs, proof, evals, cs, zs2, gammas, r)); + BOOST_CHECK(!zk::algorithms::verify_eval(params, proof, evals, cs, zs2, gammas, r)); // wrong gammas auto gammas2 = gammas; gammas2[gammas2.size() / 2] = gammas2[gammas2.size() / 2] * 2; - BOOST_CHECK(!kzg_type::verify_eval(srs, proof, evals, cs, zs, gammas2, r)); + BOOST_CHECK(!zk::algorithms::verify_eval(params, proof, evals, cs, zs, gammas2, r)); // wrong proof { - // wrong srs + // wrong params typename kzg_type::batched_proof_type proof2; bool exception = false; - try {proof2 = kzg_type::proof_eval(srs2, polys, evals, zs, gammas);} + try {proof2 = zk::algorithms::proof_eval(params2, polys, evals, zs, gammas);} catch (std::runtime_error& e) {exception = true;} if (!exception) { BOOST_CHECK(proof2 != proof); - BOOST_CHECK_MESSAGE(!kzg_type::verify_eval(srs, proof2, evals, cs, zs, gammas, r), "wrong srs"); + BOOST_CHECK_MESSAGE(!zk::algorithms::verify_eval(params, proof2, evals, cs, zs, gammas, r), "wrong params"); } // wrong evals exception = false; - try {proof2 = kzg_type::proof_eval(srs, polys, evals2, zs, gammas);} + try {proof2 = zk::algorithms::proof_eval(params, polys, evals2, zs, gammas);} catch (std::runtime_error& e) {exception = true;} if (!exception) { BOOST_CHECK(proof2 != proof); - BOOST_CHECK_MESSAGE(!kzg_type::verify_eval(srs, proof2, evals, cs, zs, gammas, r), "wrong evals"); + BOOST_CHECK_MESSAGE(!zk::algorithms::verify_eval(params, proof2, evals, cs, zs, gammas, r), "wrong evals"); } // wrong zs exception = false; - try {proof2 = kzg_type::proof_eval(srs, polys, evals, zs2, gammas);} + try {proof2 = zk::algorithms::proof_eval(params, polys, evals, zs2, gammas);} catch (std::runtime_error& e) {exception = true;} if (!exception) { BOOST_CHECK(proof2 != proof); - BOOST_CHECK_MESSAGE(!kzg_type::verify_eval(srs, proof2, evals, cs, zs, gammas, r), "wrong zs"); + BOOST_CHECK_MESSAGE(!zk::algorithms::verify_eval(params, proof2, evals, cs, zs, gammas, r), "wrong zs"); } // wrong gammas exception = false; - try {proof2 = kzg_type::proof_eval(srs, polys, evals, zs, gammas2);} + try {proof2 = zk::algorithms::proof_eval(params, polys, evals, zs, gammas2);} catch (std::runtime_error& e) {exception = true;} if (!exception) { BOOST_CHECK(proof2 != proof); - BOOST_CHECK_MESSAGE(!kzg_type::verify_eval(srs, proof2, evals, cs, zs, gammas, r), "wrong gammas"); + BOOST_CHECK_MESSAGE(!zk::algorithms::verify_eval(params, proof2, evals, cs, zs, gammas, r), "wrong gammas"); } } auto proof2 = proof; proof2.back() = proof2.back() * 2; - BOOST_CHECK(!kzg_type::verify_eval(srs, proof2, evals, cs, zs, gammas, r)); + BOOST_CHECK(!zk::algorithms::verify_eval(params, proof2, evals, cs, zs, gammas, r)); // wrong combination of all - BOOST_CHECK(!kzg_type::verify_eval(srs2, proof2, evals2, cs2, zs2, gammas2, r)); + BOOST_CHECK(!zk::algorithms::verify_eval(params2, proof2, evals2, cs2, zs2, gammas2, r)); } BOOST_AUTO_TEST_SUITE_END() \ No newline at end of file