r1cs_ppzksnark.hpp

Go to the documentation of this file.

 
#ifndef R1CS_PPZKSNARK_HPP_
#define R1CS_PPZKSNARK_HPP_
 
#include <libff/algebra/curves/public_params.hpp>
#include <libsnark/common/data_structures/accumulation_vector.hpp>
#include <libsnark/knowledge_commitment/knowledge_commitment.hpp>
#include <libsnark/relations/constraint_satisfaction_problems/r1cs/r1cs.hpp>
#include <libsnark/zk_proof_systems/ppzksnark/r1cs_ppzksnark/r1cs_ppzksnark_params.hpp>
#include <memory>
 
namespace libsnark
{
 
/******************************** Proving key ********************************/
 
template<typename ppT> class r1cs_ppzksnark_proving_key;
 
template<typename ppT>
std::ostream &operator<<(
    std::ostream &out, const r1cs_ppzksnark_proving_key<ppT> &pk);
 
template<typename ppT>
std::istream &operator>>(std::istream &in, r1cs_ppzksnark_proving_key<ppT> &pk);
 
template<typename ppT> class r1cs_ppzksnark_proving_key
{
public:
    knowledge_commitment_vector<libff::G1<ppT>, libff::G1<ppT>> A_query;
    knowledge_commitment_vector<libff::G2<ppT>, libff::G1<ppT>> B_query;
    knowledge_commitment_vector<libff::G1<ppT>, libff::G1<ppT>> C_query;
    libff::G1_vector<ppT> H_query;
    libff::G1_vector<ppT> K_query;
 
    r1cs_ppzksnark_constraint_system<ppT> constraint_system;
 
    r1cs_ppzksnark_proving_key(){};
    r1cs_ppzksnark_proving_key<ppT> &operator=(
        const r1cs_ppzksnark_proving_key<ppT> &other) = default;
    r1cs_ppzksnark_proving_key(const r1cs_ppzksnark_proving_key<ppT> &other) =
        default;
    r1cs_ppzksnark_proving_key(r1cs_ppzksnark_proving_key<ppT> &&other) =
        default;
    r1cs_ppzksnark_proving_key(
        knowledge_commitment_vector<libff::G1<ppT>, libff::G1<ppT>> &&A_query,
        knowledge_commitment_vector<libff::G2<ppT>, libff::G1<ppT>> &&B_query,
        knowledge_commitment_vector<libff::G1<ppT>, libff::G1<ppT>> &&C_query,
        libff::G1_vector<ppT> &&H_query,
        libff::G1_vector<ppT> &&K_query,
        r1cs_ppzksnark_constraint_system<ppT> &&constraint_system)
        : A_query(std::move(A_query))
        , B_query(std::move(B_query))
        , C_query(std::move(C_query))
        , H_query(std::move(H_query))
        , K_query(std::move(K_query))
        , constraint_system(std::move(constraint_system)){};
 
    size_t G1_size() const
    {
        return 2 * (A_query.domain_size() + C_query.domain_size()) +
               B_query.domain_size() + H_query.size() + K_query.size();
    }
 
    size_t G2_size() const { return B_query.domain_size(); }
 
    size_t G1_sparse_size() const
    {
        return 2 * (A_query.size() + C_query.size()) + B_query.size() +
               H_query.size() + K_query.size();
    }
 
    size_t G2_sparse_size() const { return B_query.size(); }
 
    size_t size_in_bits() const
    {
        return A_query.size_in_bits() + B_query.size_in_bits() +
               C_query.size_in_bits() + libff::size_in_bits(H_query) +
               libff::size_in_bits(K_query);
    }
 
    void print_size() const
    {
        libff::print_indent();
        printf("* G1 elements in PK: %zu\n", this->G1_size());
        libff::print_indent();
        printf("* Non-zero G1 elements in PK: %zu\n", this->G1_sparse_size());
        libff::print_indent();
        printf("* G2 elements in PK: %zu\n", this->G2_size());
        libff::print_indent();
        printf("* Non-zero G2 elements in PK: %zu\n", this->G2_sparse_size());
        libff::print_indent();
        printf("* PK size in bits: %zu\n", this->size_in_bits());
    }
 
    bool operator==(const r1cs_ppzksnark_proving_key<ppT> &other) const;
    friend std::ostream &operator<<<ppT>(
        std::ostream &out, const r1cs_ppzksnark_proving_key<ppT> &pk);
    friend std::istream &operator>>
        <ppT>(std::istream &in, r1cs_ppzksnark_proving_key<ppT> &pk);
};
 
/******************************* Verification key ****************************/
 
template<typename ppT> class r1cs_ppzksnark_verification_key;
 
template<typename ppT>
std::ostream &operator<<(
    std::ostream &out, const r1cs_ppzksnark_verification_key<ppT> &vk);
 
template<typename ppT>
std::istream &operator>>(
    std::istream &in, r1cs_ppzksnark_verification_key<ppT> &vk);
 
template<typename ppT> class r1cs_ppzksnark_verification_key
{
public:
    libff::G2<ppT> alphaA_g2;
    libff::G1<ppT> alphaB_g1;
    libff::G2<ppT> alphaC_g2;
    libff::G2<ppT> gamma_g2;
    libff::G1<ppT> gamma_beta_g1;
    libff::G2<ppT> gamma_beta_g2;
    libff::G2<ppT> rC_Z_g2;
 
    accumulation_vector<libff::G1<ppT>> encoded_IC_query;
 
    r1cs_ppzksnark_verification_key() = default;
    r1cs_ppzksnark_verification_key(
        const libff::G2<ppT> &alphaA_g2,
        const libff::G1<ppT> &alphaB_g1,
        const libff::G2<ppT> &alphaC_g2,
        const libff::G2<ppT> &gamma_g2,
        const libff::G1<ppT> &gamma_beta_g1,
        const libff::G2<ppT> &gamma_beta_g2,
        const libff::G2<ppT> &rC_Z_g2,
        const accumulation_vector<libff::G1<ppT>> &eIC)
        : alphaA_g2(alphaA_g2)
        , alphaB_g1(alphaB_g1)
        , alphaC_g2(alphaC_g2)
        , gamma_g2(gamma_g2)
        , gamma_beta_g1(gamma_beta_g1)
        , gamma_beta_g2(gamma_beta_g2)
        , rC_Z_g2(rC_Z_g2)
        , encoded_IC_query(eIC){};
 
    size_t G1_size() const { return 2 + encoded_IC_query.size(); }
 
    size_t G2_size() const { return 5; }
 
    size_t size_in_bits() const
    {
        return (
            2 * libff::G1<ppT>::size_in_bits() +
            encoded_IC_query.size_in_bits() +
            5 * libff::G2<ppT>::size_in_bits());
    }
 
    void print_size() const
    {
        libff::print_indent();
        printf("* G1 elements in VK: %zu\n", this->G1_size());
        libff::print_indent();
        printf("* G2 elements in VK: %zu\n", this->G2_size());
        libff::print_indent();
        printf("* VK size in bits: %zu\n", this->size_in_bits());
    }
 
    bool operator==(const r1cs_ppzksnark_verification_key<ppT> &other) const;
    friend std::ostream &operator<<<ppT>(
        std::ostream &out, const r1cs_ppzksnark_verification_key<ppT> &vk);
    friend std::istream &operator>>
        <ppT>(std::istream &in, r1cs_ppzksnark_verification_key<ppT> &vk);
 
    static r1cs_ppzksnark_verification_key<ppT> dummy_verification_key(
        const size_t input_size);
};
 
/************************ Processed verification key *************************/
 
template<typename ppT> class r1cs_ppzksnark_processed_verification_key;
 
template<typename ppT>
std::ostream &operator<<(
    std::ostream &out,
    const r1cs_ppzksnark_processed_verification_key<ppT> &pvk);
 
template<typename ppT>
std::istream &operator>>(
    std::istream &in, r1cs_ppzksnark_processed_verification_key<ppT> &pvk);
 
template<typename ppT> class r1cs_ppzksnark_processed_verification_key
{
public:
    libff::G2_precomp<ppT> pp_G2_one_precomp;
    libff::G2_precomp<ppT> vk_alphaA_g2_precomp;
    libff::G1_precomp<ppT> vk_alphaB_g1_precomp;
    libff::G2_precomp<ppT> vk_alphaC_g2_precomp;
    libff::G2_precomp<ppT> vk_rC_Z_g2_precomp;
    libff::G2_precomp<ppT> vk_gamma_g2_precomp;
    libff::G1_precomp<ppT> vk_gamma_beta_g1_precomp;
    libff::G2_precomp<ppT> vk_gamma_beta_g2_precomp;
 
    accumulation_vector<libff::G1<ppT>> encoded_IC_query;
 
    bool operator==(
        const r1cs_ppzksnark_processed_verification_key &other) const;
    friend std::ostream &operator<<<ppT>(
        std::ostream &out,
        const r1cs_ppzksnark_processed_verification_key<ppT> &pvk);
    friend std::istream &operator>><ppT>(
        std::istream &in, r1cs_ppzksnark_processed_verification_key<ppT> &pvk);
};
 
/********************************** Key pair *********************************/
 
template<typename ppT> class r1cs_ppzksnark_keypair
{
public:
    r1cs_ppzksnark_proving_key<ppT> pk;
    r1cs_ppzksnark_verification_key<ppT> vk;
 
    r1cs_ppzksnark_keypair() = default;
    r1cs_ppzksnark_keypair(const r1cs_ppzksnark_keypair<ppT> &other) = default;
    r1cs_ppzksnark_keypair(
        r1cs_ppzksnark_proving_key<ppT> &&pk,
        r1cs_ppzksnark_verification_key<ppT> &&vk)
        : pk(std::move(pk)), vk(std::move(vk))
    {
    }
 
    r1cs_ppzksnark_keypair(r1cs_ppzksnark_keypair<ppT> &&other) = default;
};
 
/*********************************** Proof ***********************************/
 
template<typename ppT> class r1cs_ppzksnark_proof;
 
template<typename ppT>
std::ostream &operator<<(
    std::ostream &out, const r1cs_ppzksnark_proof<ppT> &proof);
 
template<typename ppT>
std::istream &operator>>(std::istream &in, r1cs_ppzksnark_proof<ppT> &proof);
 
template<typename ppT> class r1cs_ppzksnark_proof
{
public:
    knowledge_commitment<libff::G1<ppT>, libff::G1<ppT>> g_A;
    knowledge_commitment<libff::G2<ppT>, libff::G1<ppT>> g_B;
    knowledge_commitment<libff::G1<ppT>, libff::G1<ppT>> g_C;
    libff::G1<ppT> g_H;
    libff::G1<ppT> g_K;
 
    r1cs_ppzksnark_proof()
    {
        // invalid proof with valid curve points
        this->g_A.g = libff::G1<ppT>::one();
        this->g_A.h = libff::G1<ppT>::one();
        this->g_B.g = libff::G2<ppT>::one();
        this->g_B.h = libff::G1<ppT>::one();
        this->g_C.g = libff::G1<ppT>::one();
        this->g_C.h = libff::G1<ppT>::one();
        this->g_H = libff::G1<ppT>::one();
        this->g_K = libff::G1<ppT>::one();
    }
    r1cs_ppzksnark_proof(
        knowledge_commitment<libff::G1<ppT>, libff::G1<ppT>> &&g_A,
        knowledge_commitment<libff::G2<ppT>, libff::G1<ppT>> &&g_B,
        knowledge_commitment<libff::G1<ppT>, libff::G1<ppT>> &&g_C,
        libff::G1<ppT> &&g_H,
        libff::G1<ppT> &&g_K)
        : g_A(std::move(g_A))
        , g_B(std::move(g_B))
        , g_C(std::move(g_C))
        , g_H(std::move(g_H))
        , g_K(std::move(g_K)){};
 
    size_t G1_size() const { return 7; }
 
    size_t G2_size() const { return 1; }
 
    size_t size_in_bits() const
    {
        return G1_size() * libff::G1<ppT>::size_in_bits() +
               G2_size() * libff::G2<ppT>::size_in_bits();
    }
 
    void print_size() const
    {
        libff::print_indent();
        printf("* G1 elements in proof: %zu\n", this->G1_size());
        libff::print_indent();
        printf("* G2 elements in proof: %zu\n", this->G2_size());
        libff::print_indent();
        printf("* Proof size in bits: %zu\n", this->size_in_bits());
    }
 
    bool is_well_formed() const
    {
        return (
            g_A.g.is_well_formed() && g_A.h.is_well_formed() &&
            g_B.g.is_well_formed() && g_B.h.is_well_formed() &&
            g_C.g.is_well_formed() && g_C.h.is_well_formed() &&
            g_H.is_well_formed() && g_K.is_well_formed());
    }
 
    bool operator==(const r1cs_ppzksnark_proof<ppT> &other) const;
    friend std::ostream &operator<<<ppT>(
        std::ostream &out, const r1cs_ppzksnark_proof<ppT> &proof);
    friend std::istream &operator>>
        <ppT>(std::istream &in, r1cs_ppzksnark_proof<ppT> &proof);
};
 
/***************************** Main algorithms *******************************/
 
template<
    typename ppT,
    libff::multi_exp_base_form BaseForm = libff::multi_exp_base_form_normal>
r1cs_ppzksnark_keypair<ppT> r1cs_ppzksnark_generator(
    const r1cs_ppzksnark_constraint_system<ppT> &cs);
 
template<
    typename ppT,
    libff::multi_exp_method Method = libff::multi_exp_method_bos_coster,
    libff::multi_exp_base_form BaseForm = libff::multi_exp_base_form_normal>
r1cs_ppzksnark_proof<ppT> r1cs_ppzksnark_prover(
    const r1cs_ppzksnark_proving_key<ppT> &pk,
    const r1cs_ppzksnark_primary_input<ppT> &primary_input,
    const r1cs_ppzksnark_auxiliary_input<ppT> &auxiliary_input);
 
/*
 Below are four variants of verifier algorithm for the R1CS ppzkSNARK.
 
 These are the four cases that arise from the following two choices:
 
 (1) The verifier accepts a (non-processed) verification key or, instead, a
 processed verification key. In the latter case, we call the algorithm an
 "online verifier".
 
 (2) The verifier checks for "weak" input consistency or, instead, "strong"
 input consistency. Strong input consistency requires that |primary_input| =
 CS.num_inputs, whereas weak input consistency requires that |primary_input| <=
 CS.num_inputs (and the primary input is implicitly padded with zeros up to
 length CS.num_inputs).
 */
 
template<typename ppT>
bool r1cs_ppzksnark_verifier_weak_IC(
    const r1cs_ppzksnark_verification_key<ppT> &vk,
    const r1cs_ppzksnark_primary_input<ppT> &primary_input,
    const r1cs_ppzksnark_proof<ppT> &proof);
 
template<typename ppT>
bool r1cs_ppzksnark_verifier_strong_IC(
    const r1cs_ppzksnark_verification_key<ppT> &vk,
    const r1cs_ppzksnark_primary_input<ppT> &primary_input,
    const r1cs_ppzksnark_proof<ppT> &proof);
 
template<typename ppT>
r1cs_ppzksnark_processed_verification_key<ppT> r1cs_ppzksnark_verifier_process_vk(
    const r1cs_ppzksnark_verification_key<ppT> &vk);
 
template<typename ppT>
bool r1cs_ppzksnark_online_verifier_weak_IC(
    const r1cs_ppzksnark_processed_verification_key<ppT> &pvk,
    const r1cs_ppzksnark_primary_input<ppT> &input,
    const r1cs_ppzksnark_proof<ppT> &proof);
 
template<typename ppT>
bool r1cs_ppzksnark_online_verifier_strong_IC(
    const r1cs_ppzksnark_processed_verification_key<ppT> &pvk,
    const r1cs_ppzksnark_primary_input<ppT> &primary_input,
    const r1cs_ppzksnark_proof<ppT> &proof);
 
/****************************** Miscellaneous ********************************/
 
template<typename ppT>
bool r1cs_ppzksnark_affine_verifier_weak_IC(
    const r1cs_ppzksnark_verification_key<ppT> &vk,
    const r1cs_ppzksnark_primary_input<ppT> &primary_input,
    const r1cs_ppzksnark_proof<ppT> &proof);
 
} // namespace libsnark
 
#include <libsnark/zk_proof_systems/ppzksnark/r1cs_ppzksnark/r1cs_ppzksnark.tcc>
 
#endif // R1CS_PPZKSNARK_HPP_