zeth/phase2_8hpp_source.html

// Copyright (c) 2015-2022 Clearmatics Technologies Ltd

//

// SPDX-License-Identifier: LGPL-3.0+


#ifndef __ZETH_MPC_GROTH16_PHASE2_HPP__

#define __ZETH_MPC_GROTH16_PHASE2_HPP__


#include "libzeth/mpc/groth16/mpc_hash.hpp"

#include "libzeth/snarks/groth16/groth16_snark.hpp"


// Structures and operations related to the "Phase 2" MPC described in

// [BoweGM17].  Parts of the implementation use techniques from the

// "Phase2" library from "zk-SNARK MPCs, made easy".

//

// References:

//

// \[BoweGM17]

//  "Scalable Multi-party Computation for zk-SNARK Parameters in the Random

//  Beacon Model"

//  Sean Bowe and Ariel Gabizon and Ian Miers,

//  IACR Cryptology ePrint Archive 2017,

//  <http://eprint.iacr.org/2017/1050>

//

// "Phase2" (From "zk-SNARK MPCs, made easy" library

//  https://github.com/ebfull/phase2)

//

// "Sapling MPC" ("Multi-party computation for Zcash's Sapling zk-SNARK public

//  parameters" https://github.com/zcash-hackworks/sapling-mpc)


namespace libzeth

{


template<typename ppT> class srs_powersoftau;

template<typename ppT> class srs_mpc_layer_L1;


template<typename ppT> class srs_mpc_phase2_accumulator

{

public:

    // Hash of the initial state before any contributions are made. Kept

    // constant over the MPC, and used to check that challenges and responses

    // are part of the same MPC.

    mpc_hash_t cs_hash;


    libff::G1<ppT> delta_g1;


    libff::G2<ppT> delta_g2;


    // { H_i } = { [ t(x) . x^i / delta ]_1 }  i \in [0..n-2] (n-1 entries)

    libff::G1_vector<ppT> H_g1;


    // { L_j } = { [ ABC_j / delta ]_1 } j \in [num_inputs + 1..num_variables]

    libff::G1_vector<ppT> L_g1;


    srs_mpc_phase2_accumulator(

        const mpc_hash_t cs_hash,

        const libff::G1<ppT> &delta_g1,

        const libff::G2<ppT> &delta_g2,

        libff::G1_vector<ppT> &&H_g1,

        libff::G1_vector<ppT> &&L_g1);


    bool operator==(const srs_mpc_phase2_accumulator<ppT> &other) const;

    bool is_well_formed() const;

    void write(std::ostream &out) const;

    void write_compressed(std::ostream &out) const;

    static srs_mpc_phase2_accumulator<ppT> read(std::istream &in);

    static srs_mpc_phase2_accumulator<ppT> read_compressed(std::istream &in);

};


template<typename ppT> class srs_mpc_phase2_publickey

{

public:

    mpc_hash_t transcript_digest;

    libff::G1<ppT> new_delta_g1;

    libff::G1<ppT> s_g1;

    libff::G1<ppT> s_delta_j_g1;

    libff::G2<ppT> r_delta_j_g2;


    srs_mpc_phase2_publickey(

        const mpc_hash_t transcript_digest,

        const libff::G1<ppT> &new_delta_g1,

        const libff::G1<ppT> &s_g1,

        const libff::G1<ppT> &s_delta_j_g1,

        const libff::G2<ppT> &r_delta_j_g2);


    bool operator==(const srs_mpc_phase2_publickey<ppT> &other) const;

    bool is_well_formed() const;

    void write(std::ostream &out) const;

    static srs_mpc_phase2_publickey<ppT> read(std::istream &in);

    void compute_digest(mpc_hash_t out_digest) const;

};


template<typename ppT> class srs_mpc_phase2_challenge

{

public:

    mpc_hash_t transcript_digest;

    srs_mpc_phase2_accumulator<ppT> accumulator;


    srs_mpc_phase2_challenge(

        const mpc_hash_t transcript_digest,

        srs_mpc_phase2_accumulator<ppT> &&accumulator);


    bool operator==(const srs_mpc_phase2_challenge<ppT> &other) const;

    bool is_well_formed() const;

    void write(std::ostream &out) const;

    static srs_mpc_phase2_challenge<ppT> read(std::istream &in);

};


template<typename ppT> class srs_mpc_phase2_response

{

public:

    srs_mpc_phase2_accumulator<ppT> new_accumulator;

    srs_mpc_phase2_publickey<ppT> publickey;


    srs_mpc_phase2_response(

        srs_mpc_phase2_accumulator<ppT> &&new_accumulator,

        srs_mpc_phase2_publickey<ppT> &&publickey);


    bool operator==(const srs_mpc_phase2_response<ppT> &other) const;

    bool is_well_formed() const;

    void write(std::ostream &out) const;

    static srs_mpc_phase2_response<ppT> read(std::istream &in);

};


// Phase2 functions


template<mp_size_t n, const libff::bigint<n> &modulus>

void srs_mpc_digest_to_fp(

    const mpc_hash_t transcript_digest, libff::Fp_model<n, modulus> &out_fr);


template<typename ppT>

libff::G2<ppT> srs_mpc_digest_to_g2(const mpc_hash_t digest);


template<typename ppT>

srs_mpc_phase2_accumulator<ppT> srs_mpc_phase2_begin(

    const mpc_hash_t cs_hash,

    const srs_mpc_layer_L1<ppT> &layer_L1,

    size_t num_inputs);


template<typename ppT>

srs_mpc_phase2_publickey<ppT> srs_mpc_phase2_compute_public_key(

    const mpc_hash_t transcript_digest,

    const libff::G1<ppT> &last_delta,

    const libff::Fr<ppT> &secret);


template<typename ppT>

bool srs_mpc_phase2_verify_publickey(

    const libff::G1<ppT> last_delta_g1,

    const srs_mpc_phase2_publickey<ppT> &publickey);


template<typename ppT>

srs_mpc_phase2_accumulator<ppT> srs_mpc_phase2_update_accumulator(

    const srs_mpc_phase2_accumulator<ppT> &last_accum,

    const libff::Fr<ppT> &delta_j);


template<typename ppT>

bool srs_mpc_phase2_update_is_consistent(

    const srs_mpc_phase2_accumulator<ppT> &last,

    const srs_mpc_phase2_accumulator<ppT> &updated);


template<typename ppT>

bool srs_mpc_phase2_verify_update(

    const srs_mpc_phase2_accumulator<ppT> &last,

    const srs_mpc_phase2_accumulator<ppT> &updated,

    const srs_mpc_phase2_publickey<ppT> &publickey);


template<typename ppT>

srs_mpc_phase2_challenge<ppT> srs_mpc_phase2_initial_challenge(

    srs_mpc_phase2_accumulator<ppT> &&initial_accumulator);


template<typename ppT>

srs_mpc_phase2_response<ppT> srs_mpc_phase2_compute_response(

    const srs_mpc_phase2_challenge<ppT> &challenge,

    const libff::Fr<ppT> &delta_j);


template<typename ppT>

bool srs_mpc_phase2_verify_response(

    const srs_mpc_phase2_challenge<ppT> &challenge,

    const srs_mpc_phase2_response<ppT> &response);


template<typename ppT>

srs_mpc_phase2_challenge<ppT> srs_mpc_phase2_compute_challenge(

    srs_mpc_phase2_response<ppT> &&response);


template<typename ppT, bool enable_contribution_check = true>

bool srs_mpc_phase2_verify_transcript(

    const mpc_hash_t initial_transcript_digest,

    const libff::G1<ppT> &initial_delta,

    const mpc_hash_t check_for_contribution,

    std::istream &transcript_stream,

    libff::G1<ppT> &out_final_delta,

    mpc_hash_t out_final_transcript_digest,

    bool &out_contribution_found);


template<typename ppT>

bool srs_mpc_phase2_verify_transcript(

    const mpc_hash_t initial_transcript_digest,

    const libff::G1<ppT> &initial_delta,

    std::istream &transcript_stream,

    libff::G1<ppT> &out_final_delta,

    mpc_hash_t out_final_transcript_digest);


template<typename ppT>

srs_mpc_phase2_challenge<ppT> srs_mpc_dummy_phase2(

    const srs_mpc_layer_L1<ppT> &layer1,

    const libff::Fr<ppT> &delta,

    size_t num_inputs);


template<

    typename ppT,

    libff::multi_exp_base_form BaseForm = libff::multi_exp_base_form_normal>

libsnark::r1cs_gg_ppzksnark_keypair<ppT> mpc_create_key_pair(

    srs_powersoftau<ppT> &&pot,

    srs_mpc_layer_L1<ppT> &&layer1,

    srs_mpc_phase2_accumulator<ppT> &&layer2,

    libsnark::r1cs_constraint_system<libff::Fr<ppT>> &&cs,

    const libsnark::qap_instance<libff::Fr<ppT>> &qap);


} // namespace libzeth


#include "libzeth/mpc/groth16/phase2.tcc"


#endif // __ZETH_MPC_GROTH16_PHASE2_HPP__