kzg commitment updated #113
tshchelovek authored and martun committed Aug 10, 2023
1 parent 33323c5 commit fb12230
Showing 3 changed files with 78 additions and 50 deletions.
94 changes: 54 additions & 40 deletions include/nil/crypto3/zk/commitments/polynomial/kzg.hpp
Expand Up @@ -39,6 +39,8 @@
#include <nil/crypto3/math/polynomial/polynomial.hpp>
#include <nil/crypto3/algebra/type_traits.hpp>
#include <nil/crypto3/algebra/algorithms/pair.hpp>
#include <nil/crypto3/algebra/multiexp/multiexp.hpp>
#include <nil/crypto3/algebra/multiexp/policies.hpp>
#include <nil/crypto3/algebra/pairing/pairing_policy.hpp>

using namespace nil::crypto3::math;
Expand All @@ -50,78 +52,90 @@ namespace nil {
namespace zk {
namespace commitments {
template<typename CurveType>
struct kzg {
struct kzg_commitment {

typedef CurveType curve_type;
typedef algebra::pairing::pairing_policy<curve_type> pairing;
typedef algebra::pairing::pairing_policy<curve_type> pairing_policy;
typedef typename curve_type::gt_type::value_type gt_value_type;

using base_field_value_type = typename curve_type::base_field_type::value_type;
using multiexp_method = typename algebra::policies::multiexp_method_BDLO12;
using scalar_value_type = typename curve_type::scalar_field_type::value_type;
using commitment_key_type = std::vector<typename curve_type::template g1_type<>::value_type>;
using verification_key_type = typename curve_type::template g2_type<>::value_type;
using commitment_type = typename curve_type::template g1_type<>::value_type;
using proof_type = commitment_type;

struct params_type {
std::size_t a;
struct kzg_params_type {
scalar_value_type alpha; //secret key
std::size_t n; //max polynomial degree
};

static std::pair<commitment_key_type, verification_key_type> setup(const std::size_t n,
params_type params) {
struct srs_type {
commitment_key_type commitment_key;
verification_key_type verification_key;
srs_type(commitment_key_type ck, verification_key_type vk) :
commitment_key(ck), verification_key(vk) {}
};

size_t a_scaled = params.a;
static srs_type setup(kzg_params_type params) {
scalar_value_type alpha_scaled = params.alpha;
commitment_key_type commitment_key = {curve_type::template g1_type<>::value_type::one()};
verification_key_type verification_key =
curve_type::template g2_type<>::value_type::one() * params.a;
curve_type::template g2_type<>::value_type::one() * params.alpha;

for (std::size_t i = 0; i < n; i++) {
commitment_key.emplace_back(a_scaled * (curve_type::template g1_type<>::value_type::one()));
a_scaled = a_scaled * params.a;
for (std::size_t i = 0; i < params.n; i++) {
commitment_key.emplace_back(alpha_scaled * (curve_type::template g1_type<>::value_type::one()));
alpha_scaled = alpha_scaled * params.alpha;
}

return std::make_pair(commitment_key, verification_key);
return srs_type(std::move(commitment_key), verification_key);
}

static commitment_type commit(const commitment_key_type &commitment_key,
const polynomial<base_field_value_type> &f) {

commitment_type commitment = f[0] * commitment_key[0];

for (std::size_t i = 0; i < f.size(); i++) {
commitment = commitment + commitment_key[i] * f[i];
}

return commitment;
static commitment_type commit(const srs_type &srs,
const polynomial<scalar_value_type> &f) {
BOOST_ASSERT(f.size() <= srs.commitment_key.size());
return algebra::multiexp<multiexp_method>(srs.commitment_key.begin(),
srs.commitment_key.begin() + f.size(), f.begin(), f.end(), 1);
}

static proof_type proof_eval(commitment_key_type commitment_key,
typename curve_type::base_field_type::value_type x,
typename curve_type::base_field_type::value_type y,
const polynomial<base_field_value_type> &f) {
static bool verify_poly(const srs_type &srs,
const polynomial<scalar_value_type> &f,
const commitment_type &C_f) {
return C_f == commit(srs, f);
}

const polynomial<base_field_value_type> denominator_polynom = {-x, 1};
static proof_type proof_eval(srs_type srs,
scalar_value_type i,
const polynomial<scalar_value_type> &f) {

const polynomial<base_field_value_type> q =
(f + polynomial<base_field_value_type> {-y}) / denominator_polynom;
const polynomial<scalar_value_type> denominator_polynom = {-i, 1};
const polynomial<scalar_value_type> q =
(f - polynomial<scalar_value_type>{f.evaluate(i)}) / denominator_polynom;

proof_type p = kzg_commitment::commit(commitment_key, q);
proof_type p = commit(srs, q);
return p;
}

static bool verify_eval(verification_key_type verification_key,
static bool verify_eval(srs_type srs,
commitment_type C_f,
base_field_value_type x,
base_field_value_type y,
scalar_value_type i,
scalar_value_type eval,
proof_type p) {

using g1_precomp_type = typename pairing_policy::g1_precomputed_type;
using g2_precomp_type = typename pairing_policy::g2_precomputed_type;

typename curve_type::gt_type::value_type gt1 =
algebra::pair<curve_type>(C_f - curve_type::template g1_type<>::value_type::one() * y,
curve_type::template g2_type<>::value_type::one());
g1_precomp_type A_1 = algebra::precompute_g1<curve_type>(p);
g2_precomp_type A_2 = algebra::precompute_g2<curve_type>(srs.verification_key -
i * curve_type::template g2_type<>::value_type::one());
g1_precomp_type B_1 = algebra::precompute_g1<curve_type>(eval * curve_type::template g1_type<>::value_type::one() -
C_f);
g2_precomp_type B_2 = algebra::precompute_g2<curve_type>(curve_type::template g2_type<>::value_type::one());

typename curve_type::gt_type::value_type gt2 = algebra::pair<curve_type>(
p, verification_key - curve_type::template g2_type<>::value_type::one() * x);
gt_value_type gt3 = algebra::double_miller_loop<curve_type>(A_1, A_2, B_1, B_2);
gt_value_type gt_4 = algebra::final_exponentiation<curve_type>(gt3);

return gt1 == gt2;
return gt_4 == gt_value_type::one();
}
};
}; // namespace commitments
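Review bot: In the new `commit`, the only guard against a polynomial with more coefficients than the SRS has points is `BOOST_ASSERT(f.size() <= srs.commitment_key.size())`, which by default expands to `assert` and is compiled out when `NDEBUG` is defined. In such a build `srs.commitment_key.begin() + f.size()` can step past the end of the vector and the multiexp would read out of bounds; `proof_eval` reaches the same path through `commit(srs, q)`. I would make the check unconditional, e.g. `if (f.size() > srs.commitment_key.size()) throw std::invalid_argument("kzg: polynomial exceeds SRS size");` (needs `<stdexcept>`, assuming the project allows exceptions here). Separately, `setup` builds the SRS from a caller-supplied `alpha`, and anyone who holds that value can forge openings, so a comment on `kzg_params_type` saying this path is for tests and that production keys must come from a trusted setup would help. `proof_eval` and `verify_eval` also take `srs_type srs` by value and copy the whole commitment key on each call; `const srs_type &srs` avoids that.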
1 change: 1 addition & 0 deletions test/CMakeLists.txt
Expand Up @@ -61,6 +61,7 @@ endmacro()
set(TESTS_NAMES
"commitment/lpc"
"commitment/fri"
"commitment/kzg"
"commitment/fold_polynomial"
"commitment/lpc_performance"
"commitment/pedersen"
33 changes: 23 additions & 10 deletions test/commitment/kzg.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -43,27 +43,40 @@
#include <nil/crypto3/zk/commitments/polynomial/kzg.hpp>

using namespace nil::crypto3;
using namespace nil::crypto3::zk::snark;
using namespace nil::crypto3::math;

BOOST_AUTO_TEST_SUITE(kzg_test_suite)

BOOST_AUTO_TEST_CASE(kzg_basic_test) {

typedef algebra::curves::mnt4<298> curve_type;
typedef typename curve_type::base_field_type::value_type base_field_value_type;
typedef zk::snark::kzg_commitment<curve_type> kzg_type;
typedef typename curve_type::base_field_type::value_type base_value_type;
typedef typename curve_type::base_field_type base_field_type;
typedef typename curve_type::scalar_field_type scalar_field_type;
typedef typename curve_type::scalar_field_type::value_type scalar_value_type;
typedef zk::commitments::kzg_commitment<curve_type> kzg_type;

typename kzg_type::params_type kzg_params;
kzg_params.a = 2;
scalar_value_type alpha = 10;
scalar_value_type i = 2;
std::size_t n = 16;
const polynomial<scalar_value_type> f = {-1, 1, 2, 3};

const polynomial<base_field_value_type> f = {1, 1};
auto srs = kzg_type::setup({alpha, n});
BOOST_CHECK(curve_type::template g1_type<>::value_type::one() == srs.commitment_key[0]);
BOOST_CHECK(10 * curve_type::template g1_type<>::value_type::one() == srs.commitment_key[1]);
BOOST_CHECK(100 * curve_type::template g1_type<>::value_type::one() == srs.commitment_key[2]);
BOOST_CHECK(1000 * curve_type::template g1_type<>::value_type::one() == srs.commitment_key[3]);
BOOST_CHECK(alpha * curve_type::template g2_type<>::value_type::one() == srs.verification_key);

auto kzg_keys = kzg_type::setup(298, kzg_params);
auto commit = kzg_type::commit(std::get<0>(kzg_keys), f);
auto proof = kzg_type::proof_eval(std::get<0>(kzg_keys), 1, 2, f);
auto commit = kzg_type::commit(srs, f);
BOOST_CHECK(3209 * curve_type::template g1_type<>::value_type::one() == commit);

BOOST_CHECK(kzg_type::verify_eval(std::get<1>(kzg_keys), commit, 1, 2, proof));
auto eval = f.evaluate(i);
auto proof = kzg_type::proof_eval(srs, i, f);
BOOST_CHECK(33 * scalar_value_type::one() == eval);
BOOST_CHECK(397 * curve_type::template g1_type<>::value_type::one() == proof);

BOOST_CHECK(kzg_type::verify_eval(srs, commit, i, eval, proof));
}

BOOST_AUTO_TEST_SUITE_END()
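Review bot: The rewritten `kzg_basic_test` only exercises the accepting path of `verify_eval`, so a verifier that returned `true` unconditionally would still pass. For a commitment scheme the rejecting cases are the ones that matter; I would add at least `BOOST_CHECK(!kzg_type::verify_eval(srs, commit, i, eval + scalar_value_type::one(), proof));` and a second check with a modified proof point. The new `verify_poly` has no coverage here, and the typedefs `base_value_type`, `base_field_type` and `scalar_field_type` appear unused in the visible lines.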
