diff --git a/std/algebra/sw_bls12377/g1.go b/std/algebra/sw_bls12377/g1.go index 6ea3aa15d..303315a83 100644 --- a/std/algebra/sw_bls12377/g1.go +++ b/std/algebra/sw_bls12377/g1.go @@ -206,7 +206,7 @@ func (P *G1Affine) ScalarMul(api frontend.API, Q G1Affine, s interface{}) *G1Aff } } -var DecomposeScalar = func(scalarField *big.Int, inputs []*big.Int, res []*big.Int) error { +var DecomposeScalarG1 = func(scalarField *big.Int, inputs []*big.Int, res []*big.Int) error { cc := getInnerCurveConfig(scalarField) sp := ecc.SplitScalar(inputs[0], cc.glvBasis) res[0].Set(&(sp[0])) @@ -228,7 +228,7 @@ var DecomposeScalar = func(scalarField *big.Int, inputs []*big.Int, res []*big.I } func init() { - hint.Register(DecomposeScalar) + hint.Register(DecomposeScalarG1) } // varScalarMul sets P = [s] Q and returns P. @@ -254,7 +254,7 @@ func (P *G1Affine) varScalarMul(api frontend.API, Q G1Affine, s frontend.Variabl // the hints allow to decompose the scalar s into s1 and s2 such that // s1 + λ * s2 == s mod r, // where λ is third root of one in 𝔽_r. - sd, err := api.Compiler().NewHint(DecomposeScalar, 3, s) + sd, err := api.Compiler().NewHint(DecomposeScalarG1, 3, s) if err != nil { // err is non-nil only for invalid number of inputs panic(err) diff --git a/std/algebra/sw_bls12377/pairing_test.go b/std/algebra/sw_bls12377/pairing_test.go index 11edab03a..b16e3617b 100644 --- a/std/algebra/sw_bls12377/pairing_test.go +++ b/std/algebra/sw_bls12377/pairing_test.go @@ -23,7 +23,6 @@ import ( "github.com/consensys/gnark-crypto/ecc" bls12377 "github.com/consensys/gnark-crypto/ecc/bls12-377" "github.com/consensys/gnark-crypto/ecc/bls12-377/fr" - "github.com/consensys/gnark/backend" "github.com/consensys/gnark/frontend" "github.com/consensys/gnark/frontend/cs/r1cs" "github.com/consensys/gnark/std/algebra/fields_bls12377" @@ -54,7 +53,7 @@ func TestFinalExp(t *testing.T) { circuit.R = pairingRes assert := test.NewAssert(t) - assert.SolvingSucceeded(&circuit, &witness, test.WithBackends(backend.PLONK), test.WithCurves(ecc.BW6_761)) + assert.SolvingSucceeded(&circuit, &witness, test.WithCurves(ecc.BW6_761)) } type pairingBLS377 struct { diff --git a/std/algebra/sw_bls24315/g1.go b/std/algebra/sw_bls24315/g1.go index aae7b1905..1e8b12fd0 100644 --- a/std/algebra/sw_bls24315/g1.go +++ b/std/algebra/sw_bls24315/g1.go @@ -206,7 +206,7 @@ func (P *G1Affine) ScalarMul(api frontend.API, Q G1Affine, s interface{}) *G1Aff } } -var DecomposeScalar = func(scalarField *big.Int, inputs []*big.Int, res []*big.Int) error { +var DecomposeScalarG1 = func(scalarField *big.Int, inputs []*big.Int, res []*big.Int) error { cc := getInnerCurveConfig(scalarField) sp := ecc.SplitScalar(inputs[0], cc.glvBasis) res[0].Set(&(sp[0])) @@ -228,7 +228,7 @@ var DecomposeScalar = func(scalarField *big.Int, inputs []*big.Int, res []*big.I } func init() { - hint.Register(DecomposeScalar) + hint.Register(DecomposeScalarG1) } // varScalarMul sets P = [s] Q and returns P. @@ -254,7 +254,7 @@ func (P *G1Affine) varScalarMul(api frontend.API, Q G1Affine, s frontend.Variabl // the hints allow to decompose the scalar s into s1 and s2 such that // s1 + λ * s2 == s mod r, // where λ is third root of one in 𝔽_r. - sd, err := api.Compiler().NewHint(DecomposeScalar, 3, s) + sd, err := api.Compiler().NewHint(DecomposeScalarG1, 3, s) if err != nil { // err is non-nil only for invalid number of inputs panic(err) diff --git a/std/algebra/sw_bls24315/pairing_test.go b/std/algebra/sw_bls24315/pairing_test.go index 715f6a3cc..f8d78b238 100644 --- a/std/algebra/sw_bls24315/pairing_test.go +++ b/std/algebra/sw_bls24315/pairing_test.go @@ -23,7 +23,6 @@ import ( "github.com/consensys/gnark-crypto/ecc" bls24315 "github.com/consensys/gnark-crypto/ecc/bls24-315" "github.com/consensys/gnark-crypto/ecc/bls24-315/fr" - "github.com/consensys/gnark/backend" "github.com/consensys/gnark/frontend" "github.com/consensys/gnark/frontend/cs/r1cs" "github.com/consensys/gnark/std/algebra/fields_bls24315" @@ -87,7 +86,7 @@ func TestPairingBLS24315(t *testing.T) { witness.Q.Assign(&Q) assert := test.NewAssert(t) - assert.SolvingSucceeded(&circuit, &witness, test.WithCurves(ecc.BW6_633), test.WithBackends(backend.GROTH16)) + assert.SolvingSucceeded(&circuit, &witness, test.WithCurves(ecc.BW6_633)) } @@ -124,7 +123,7 @@ func TestTriplePairingBLS24315(t *testing.T) { witness.Q3.Assign(&Q[2]) assert := test.NewAssert(t) - assert.SolvingSucceeded(&circuit, &witness, test.WithCurves(ecc.BW6_633), test.WithBackends(backend.GROTH16)) + assert.SolvingSucceeded(&circuit, &witness, test.WithCurves(ecc.BW6_633)) } diff --git a/std/commitments/kzg_bls12377/verifier.go b/std/commitments/kzg_bls12377/verifier.go new file mode 100644 index 000000000..49f9ed5b1 --- /dev/null +++ b/std/commitments/kzg_bls12377/verifier.go @@ -0,0 +1,84 @@ +/* +Copyright © 2020 ConsenSys + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Package kzg_bls12377 provides a ZKP-circuit function to verify BLS12_377 KZG inside a BW6_761 circuit. +package kzg_bls12377 + +import ( + "github.com/consensys/gnark/frontend" + "github.com/consensys/gnark/std/algebra/fields_bls12377" + "github.com/consensys/gnark/std/algebra/sw_bls12377" +) + +// Digest commitment of a polynomial. +type Digest = sw_bls12377.G1Affine + +// VK verification key (G2 part of SRS) +type VK struct { + G1 sw_bls12377.G1Affine // G₁ + G2 [2]sw_bls12377.G2Affine // [G₂, [α]G₂] +} + +// OpeningProof KZG proof for opening at a single point. +type OpeningProof struct { + // H quotient polynomial (f - f(z))/(x-z) + H sw_bls12377.G1Affine + + // ClaimedValue purported value + ClaimedValue frontend.Variable +} + +// Verify verifies a KZG opening proof at a single point +func Verify(api frontend.API, commitment Digest, proof OpeningProof, point frontend.Variable, srs VK) { + // We take the ClaimedValue and point to be frontend.Variable wich + // are elements in 𝔽_p, i.e. the BW6-761 scalar field. + // This is different from 𝔽_r, i.e. the BLS12-377 scalar field + // but r << p (p-r ≈ 377-bit) so when adding two 𝔽_r elements + // as 𝔽_p there is no reduction mod p. + // However, we should be cautious about negative elements and take + // the negative of points instead (-[f(a)]G₁ and -[a]G₂). + + // [f(a)]G₁ + var claimedValueG1Aff sw_bls12377.G1Affine + claimedValueG1Aff.ScalarMul(api, srs.G1, proof.ClaimedValue) + + // [f(α) - f(a)]G₁ + var fminusfaG1 sw_bls12377.G1Affine + fminusfaG1.Neg(api, claimedValueG1Aff) + fminusfaG1.AddAssign(api, commitment) + + // [-H(α)]G₁ + var negH sw_bls12377.G1Affine + negH.Neg(api, proof.H) + + // [α-a]G₂ + var alphaMinusaG2 sw_bls12377.G2Affine + alphaMinusaG2.ScalarMul(api, srs.G2[0], point). + Neg(api, alphaMinusaG2). + AddAssign(api, srs.G2[1]) + + // e([f(α) - f(a)]G₁, G₂).e([-H(α)]G₁, [α-a]G₂) ==? 1 + resPairing, _ := sw_bls12377.Pair( + api, + []sw_bls12377.G1Affine{fminusfaG1, negH}, + []sw_bls12377.G2Affine{srs.G2[0], alphaMinusaG2}, + ) + + var one fields_bls12377.E12 + one.SetOne() + resPairing.AssertIsEqual(api, one) + +} diff --git a/std/commitments/kzg_bls12377/verifier_test.go b/std/commitments/kzg_bls12377/verifier_test.go new file mode 100644 index 000000000..c28eb5328 --- /dev/null +++ b/std/commitments/kzg_bls12377/verifier_test.go @@ -0,0 +1,169 @@ +/* +Copyright © 2020 ConsenSys + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package kzg_bls12377 + +import ( + "crypto/rand" + "testing" + + "github.com/consensys/gnark-crypto/ecc" + "github.com/consensys/gnark-crypto/ecc/bls12-377/fr" + "github.com/consensys/gnark-crypto/ecc/bls12-377/fr/kzg" + "github.com/consensys/gnark/frontend" + "github.com/consensys/gnark/frontend/cs/r1cs" + "github.com/consensys/gnark/frontend/cs/scs" + "github.com/consensys/gnark/test" +) + +type verifierCircuit struct { + VerifKey VK + Proof OpeningProof + Com Digest + S frontend.Variable +} + +func (circuit *verifierCircuit) Define(api frontend.API) error { + + // create the verifier cs + Verify(api, circuit.Com, circuit.Proof, circuit.S, circuit.VerifKey) + + return nil +} + +//------------------------------------------------------- +// proof generated using gnark-crypto + +func TestVerifierDynamic(t *testing.T) { + + assert := test.NewAssert(t) + + // sizes of polynomials, kzg + const kzgSize = 128 + const polynomialSize = 100 + + // trusted setup + alpha, err := rand.Int(rand.Reader, ecc.BLS12_377.ScalarField()) + assert.NoError(err) + srs, err := kzg.NewSRS(kzgSize, alpha) + assert.NoError(err) + + // random polynomial + f := make([]fr.Element, polynomialSize) + for i := 0; i < 60; i++ { + f[i].SetRandom() + } + + // commit to the polynomial + com, err := kzg.Commit(f, srs) + assert.NoError(err) + + // create opening proof + var point fr.Element + point.SetRandom() + proof, err := kzg.Open(f, point, srs) + assert.NoError(err) + + // check that the proof is correct + err = kzg.Verify(&com, &proof, point, srs) + if err != nil { + t.Fatal(err) + } + + // verify the proof in circuit + var witness verifierCircuit + + // populate the witness + witness.Com.X = com.X.String() + witness.Com.Y = com.Y.String() + + witness.Proof.H.X = proof.H.X.String() + witness.Proof.H.Y = proof.H.Y.String() + + witness.Proof.ClaimedValue = proof.ClaimedValue.String() + + witness.S = point.String() + + witness.VerifKey.G1.X = srs.G1[0].X.String() + witness.VerifKey.G1.Y = srs.G1[0].Y.String() + + witness.VerifKey.G2[0].X.A0 = srs.G2[0].X.A0.String() + witness.VerifKey.G2[0].X.A1 = srs.G2[0].X.A1.String() + witness.VerifKey.G2[0].Y.A0 = srs.G2[0].Y.A0.String() + witness.VerifKey.G2[0].Y.A1 = srs.G2[0].Y.A1.String() + witness.VerifKey.G2[1].X.A0 = srs.G2[1].X.A0.String() + witness.VerifKey.G2[1].X.A1 = srs.G2[1].X.A1.String() + witness.VerifKey.G2[1].Y.A0 = srs.G2[1].Y.A0.String() + witness.VerifKey.G2[1].Y.A1 = srs.G2[1].Y.A1.String() + + // check if the circuit is solved + var circuit verifierCircuit + assert.SolvingSucceeded(&circuit, &witness, test.WithCurves(ecc.BW6_761)) + +} + +//------------------------------------------------------- +// harcoded values + +func TestVerifier(t *testing.T) { + + var circuit, witness verifierCircuit + + // static witness + witness.Com.X = "145429059828629443506099208441019164249918805265766585069511130101715300037889375544644493566733059056337445574142" + witness.Com.Y = "7748648670212409231552941907406345586179813940682493172078407968203200311849395869785335293628955566021478572791" + + witness.Proof.H.X = "142546216630759857020142552653688574597188212934274836451979072858880695115513802425442488457664742720974070355453" + witness.Proof.H.Y = "51742728231756961100409716107519203689800988928890924645730616869717553365749083029986151526811552917856555146906" + + witness.Proof.ClaimedValue = "7211341386127354417397285211336133449231039596179023429378585109196698597268" + witness.S = "4321" + witness.VerifKey.G1.X = "81937999373150964239938255573465948239988671502647976594219695644855304257327692006745978603320413799295628339695" + witness.VerifKey.G1.Y = "241266749859715473739788878240585681733927191168601896383759122102112907357779751001206799952863815012735208165030" + witness.VerifKey.G2[0].X.A0 = "233578398248691099356572568220835526895379068987715365179118596935057653620464273615301663571204657964920925606294" + witness.VerifKey.G2[0].X.A1 = "140913150380207355837477652521042157274541796891053068589147167627541651775299824604154852141315666357241556069118" + witness.VerifKey.G2[0].Y.A0 = "63160294768292073209381361943935198908131692476676907196754037919244929611450776219210369229519898517858833747423" + witness.VerifKey.G2[0].Y.A1 = "149157405641012693445398062341192467754805999074082136895788947234480009303640899064710353187729182149407503257491" + witness.VerifKey.G2[1].X.A0 = "123747009012703414871739433259892117784672459657097139998749475279099125411579029748101735145753812822027512995199" + witness.VerifKey.G2[1].X.A1 = "62735868045337090199933301723513128455431585854943778977190757050206710789139082141526891028732261537358701287808" + witness.VerifKey.G2[1].Y.A0 = "212548833831227473592895134150456464278558858278752454560645447355770538424096804613692943525553353783189853308160" + witness.VerifKey.G2[1].Y.A1 = "123051654588413991319606911619099872563646143639520520553172600449178549047186983142138529976243874838154671706124" + + // cs values + assert := test.NewAssert(t) + assert.SolvingSucceeded(&circuit, &witness, test.WithCurves(ecc.BW6_761)) + +} + +// bench +var ccsBench frontend.CompiledConstraintSystem + +func BenchmarkVerifyKZG(b *testing.B) { + var c verifierCircuit + b.ResetTimer() + b.Run("groth16", func(b *testing.B) { + for i := 0; i < b.N; i++ { + ccsBench, _ = frontend.Compile(ecc.BW6_761.ScalarField(), r1cs.NewBuilder, &c) + } + }) + b.Log("groth16", ccsBench.GetNbConstraints()) + b.Run("plonk", func(b *testing.B) { + for i := 0; i < b.N; i++ { + ccsBench, _ = frontend.Compile(ecc.BW6_761.ScalarField(), scs.NewBuilder, &c) + } + }) + b.Log("plonk", ccsBench.GetNbConstraints()) +} diff --git a/std/commitments/kzg_bls24315/verifier.go b/std/commitments/kzg_bls24315/verifier.go new file mode 100644 index 000000000..4d7625e2e --- /dev/null +++ b/std/commitments/kzg_bls24315/verifier.go @@ -0,0 +1,84 @@ +/* +Copyright © 2020 ConsenSys + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Package kzg_bls24315 provides a ZKP-circuit function to verify BLS24_315 KZG inside a BW6_633 circuit. +package kzg_bls24315 + +import ( + "github.com/consensys/gnark/frontend" + "github.com/consensys/gnark/std/algebra/fields_bls24315" + "github.com/consensys/gnark/std/algebra/sw_bls24315" +) + +// Digest commitment of a polynomial. +type Digest = sw_bls24315.G1Affine + +// VK verification key (G2 part of SRS) +type VK struct { + G1 sw_bls24315.G1Affine // G₁ + G2 [2]sw_bls24315.G2Affine // [G₂, [α]G₂] +} + +// OpeningProof KZG proof for opening at a single point. +type OpeningProof struct { + // H quotient polynomial (f - f(z))/(x-z) + H sw_bls24315.G1Affine + + // ClaimedValue purported value + ClaimedValue frontend.Variable +} + +// Verify verifies a KZG opening proof at a single point +func Verify(api frontend.API, commitment Digest, proof OpeningProof, point frontend.Variable, srs VK) { + // We take the ClaimedValue and point to be frontend.Variable wich + // are elements in 𝔽_p, i.e. the BW6-633 scalar field. + // This is different from 𝔽_r, i.e. the BLS24-315 scalar field + // but r << p (p-r ≈ 315-bit) so when adding two 𝔽_r elements + // as 𝔽_p there is no reduction mod p. + // However, we should be cautious about negative elements and take + // the negative of points instead (-[f(a)]G₁ and -[a]G₂). + + // [f(a)]G₁ + var claimedValueG1Aff sw_bls24315.G1Affine + claimedValueG1Aff.ScalarMul(api, srs.G1, proof.ClaimedValue) + + // [f(α) - f(a)]G₁ + var fminusfaG1 sw_bls24315.G1Affine + fminusfaG1.Neg(api, claimedValueG1Aff) + fminusfaG1.AddAssign(api, commitment) + + // [-H(α)]G₁ + var negH sw_bls24315.G1Affine + negH.Neg(api, proof.H) + + // [α-a]G₂ + var alphaMinusaG2 sw_bls24315.G2Affine + alphaMinusaG2.ScalarMul(api, srs.G2[0], point). + Neg(api, alphaMinusaG2). + AddAssign(api, srs.G2[1]) + + // e([f(α) - f(a)]G₁, G₂).e([-H(α)]G₁, [α-a]G₂) ==? 1 + resPairing, _ := sw_bls24315.Pair( + api, + []sw_bls24315.G1Affine{fminusfaG1, negH}, + []sw_bls24315.G2Affine{srs.G2[0], alphaMinusaG2}, + ) + + var one fields_bls24315.E24 + one.SetOne() + resPairing.AssertIsEqual(api, one) + +} diff --git a/std/commitments/kzg_bls24315/verifier_test.go b/std/commitments/kzg_bls24315/verifier_test.go new file mode 100644 index 000000000..3855d1a99 --- /dev/null +++ b/std/commitments/kzg_bls24315/verifier_test.go @@ -0,0 +1,188 @@ +/* +Copyright © 2020 ConsenSys + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package kzg_bls24315 + +import ( + "crypto/rand" + "testing" + + "github.com/consensys/gnark-crypto/ecc" + "github.com/consensys/gnark-crypto/ecc/bls24-315/fr" + "github.com/consensys/gnark-crypto/ecc/bls24-315/fr/kzg" + "github.com/consensys/gnark/frontend" + "github.com/consensys/gnark/frontend/cs/r1cs" + "github.com/consensys/gnark/frontend/cs/scs" + "github.com/consensys/gnark/test" +) + +type verifierCircuit struct { + VerifKey VK + Proof OpeningProof + Com Digest + S frontend.Variable +} + +func (circuit *verifierCircuit) Define(api frontend.API) error { + + // create the verifier cs + Verify(api, circuit.Com, circuit.Proof, circuit.S, circuit.VerifKey) + + return nil +} + +//------------------------------------------------------- +// proof generated using gnark-crypto + +func TestVerifierDynamic(t *testing.T) { + + assert := test.NewAssert(t) + + // sizes of polynomials, kzg + const kzgSize = 128 + const polynomialSize = 100 + + // trusted setup + alpha, err := rand.Int(rand.Reader, ecc.BLS24_315.ScalarField()) + assert.NoError(err) + srs, err := kzg.NewSRS(kzgSize, alpha) + assert.NoError(err) + + // random polynomial + f := make([]fr.Element, polynomialSize) + for i := 0; i < 60; i++ { + f[i].SetRandom() + } + + // commit to the polynomial + com, err := kzg.Commit(f, srs) + assert.NoError(err) + + // create opening proof + var point fr.Element + point.SetRandom() + proof, err := kzg.Open(f, point, srs) + assert.NoError(err) + + // check that the proof is correct + err = kzg.Verify(&com, &proof, point, srs) + if err != nil { + t.Fatal(err) + } + + // verify the proof in circuit + var witness verifierCircuit + + // populate the witness + witness.Com.X = com.X.String() + witness.Com.Y = com.Y.String() + + witness.Proof.H.X = proof.H.X.String() + witness.Proof.H.Y = proof.H.Y.String() + + witness.Proof.ClaimedValue = proof.ClaimedValue.String() + + witness.S = point.String() + + witness.VerifKey.G1.X = srs.G1[0].X.String() + witness.VerifKey.G1.Y = srs.G1[0].Y.String() + + witness.VerifKey.G2[0].X.B0.A0 = srs.G2[0].X.B0.A0.String() + witness.VerifKey.G2[0].X.B0.A1 = srs.G2[0].X.B0.A1.String() + witness.VerifKey.G2[0].X.B1.A0 = srs.G2[0].X.B1.A0.String() + witness.VerifKey.G2[0].X.B1.A1 = srs.G2[0].X.B1.A1.String() + witness.VerifKey.G2[0].Y.B0.A0 = srs.G2[0].Y.B0.A0.String() + witness.VerifKey.G2[0].Y.B0.A1 = srs.G2[0].Y.B0.A1.String() + witness.VerifKey.G2[0].Y.B1.A0 = srs.G2[0].Y.B1.A0.String() + witness.VerifKey.G2[0].Y.B1.A1 = srs.G2[0].Y.B1.A1.String() + + witness.VerifKey.G2[1].X.B0.A0 = srs.G2[1].X.B0.A0.String() + witness.VerifKey.G2[1].X.B0.A1 = srs.G2[1].X.B0.A1.String() + witness.VerifKey.G2[1].X.B1.A0 = srs.G2[1].X.B1.A0.String() + witness.VerifKey.G2[1].X.B1.A1 = srs.G2[1].X.B1.A1.String() + witness.VerifKey.G2[1].Y.B0.A0 = srs.G2[1].Y.B0.A0.String() + witness.VerifKey.G2[1].Y.B0.A1 = srs.G2[1].Y.B0.A1.String() + witness.VerifKey.G2[1].Y.B1.A0 = srs.G2[1].Y.B1.A0.String() + witness.VerifKey.G2[1].Y.B1.A1 = srs.G2[1].Y.B1.A1.String() + + // check if the circuit is solved + var circuit verifierCircuit + assert.SolvingSucceeded(&circuit, &witness, test.WithCurves(ecc.BW6_633)) + +} + +//------------------------------------------------------- +// harcoded values + +func TestVerifier(t *testing.T) { + + var circuit, witness verifierCircuit + + // static witness + witness.Com.X = "35386189147256460787905142428026982693834102687669771641361389281756222188309133371287736011496" + witness.Com.Y = "27110917293370507654960132415484655252529074592699870521959828295621560278434020539890708345149" + + witness.Proof.H.X = "237024382315576057940476197527646514934539639879200035206834755549615436908306104502862432730" + witness.Proof.H.Y = "24965199876048664783103146001620612576865473814618781613850899751573655382828001319566087837055" + + witness.Proof.ClaimedValue = "10347231107172233075459792371577505115223937655290126532055162077965558980163" + witness.S = "4321" + witness.VerifKey.G1.X = "34223510504517033132712852754388476272837911830964394866541204856091481856889569724484362330263" + witness.VerifKey.G1.Y = "24215295174889464585413596429561903295150472552154479431771837786124301185073987899223459122783" + + witness.VerifKey.G2[0].X.B0.A0 = "24614737899199071964341749845083777103809664018538138889239909664991294445469052467064654073699" + witness.VerifKey.G2[0].X.B0.A1 = "17049297748993841127032249156255993089778266476087413538366212660716380683149731996715975282972" + witness.VerifKey.G2[0].X.B1.A0 = "11950668649125904104557740112865942804623051114821811669564995102755430514441092495782202668342" + witness.VerifKey.G2[0].X.B1.A1 = "3603055379462539802413979855826194299714805833759849528529386570240639115620788686893505938793" + witness.VerifKey.G2[0].Y.B0.A0 = "31740092748246070457677943092194030978994615503726570180895475408200863271773078192139722193079" + witness.VerifKey.G2[0].Y.B0.A1 = "30261413948955264769241509843031153941332801192447678605718183215275065425758214858190865971597" + witness.VerifKey.G2[0].Y.B1.A0 = "14195825602561496219090410113749222574308144851497375443809100117082380611212823440674391088885" + witness.VerifKey.G2[0].Y.B1.A1 = "2391152940984805871402135750194189812615420966694899795235607856168224901793030297133493038211" + + witness.VerifKey.G2[1].X.B0.A0 = "32770621494303675347306576037414743205466109457179006780112295339591667866879607994893522201077" + witness.VerifKey.G2[1].X.B0.A1 = "26234307989293079589757302086025391411007046129273969450459586440325937793578626756390716239607" + witness.VerifKey.G2[1].X.B1.A0 = "12885920290770633767625725164719407698814564441475093302178981579150678620682561869830892647708" + witness.VerifKey.G2[1].X.B1.A1 = "27040439362534196619980827988108357486576687369306457236523666215277529311368226649309430321857" + witness.VerifKey.G2[1].Y.B0.A0 = "37891043881493427277825396947634598161159358734636209357686614942355583145029806490020871408089" + witness.VerifKey.G2[1].Y.B0.A1 = "24578978782210992183339450660991675754164024355249488228592063724386132418314115963198249364981" + witness.VerifKey.G2[1].Y.B1.A0 = "2561567173101794713286533032340948733218695754942152779206184132595475750392464489574163449132" + witness.VerifKey.G2[1].Y.B1.A1 = "22410372563820522534342381636929948962663337994936763276489712608156477267640544532767398832260" + + // cs values + assert := test.NewAssert(t) + assert.SolvingSucceeded(&circuit, &witness, test.WithCurves(ecc.BW6_633)) + +} + +// bench +var ccsBench frontend.CompiledConstraintSystem + +func BenchmarkVerifyKZG(b *testing.B) { + var c verifierCircuit + b.ResetTimer() + b.Run("groth16", func(b *testing.B) { + for i := 0; i < b.N; i++ { + ccsBench, _ = frontend.Compile(ecc.BW6_633.ScalarField(), r1cs.NewBuilder, &c) + } + }) + b.Log("groth16", ccsBench.GetNbConstraints()) + b.Run("plonk", func(b *testing.B) { + for i := 0; i < b.N; i++ { + ccsBench, _ = frontend.Compile(ecc.BW6_633.ScalarField(), scs.NewBuilder, &c) + } + }) + b.Log("plonk", ccsBench.GetNbConstraints()) +} diff --git a/std/hints.go b/std/hints.go index c3a30ad3e..877f22cb9 100644 --- a/std/hints.go +++ b/std/hints.go @@ -22,8 +22,8 @@ func RegisterHints() { func registerHints() { // note that importing these packages may already triggers a call to hint.Register(...) - hint.Register(sw_bls24315.DecomposeScalar) - hint.Register(sw_bls12377.DecomposeScalar) + hint.Register(sw_bls24315.DecomposeScalarG1) + hint.Register(sw_bls12377.DecomposeScalarG1) hint.Register(sw_bls24315.DecomposeScalarG2) hint.Register(sw_bls12377.DecomposeScalarG2) hint.Register(bits.NTrits)