In [2]:
import numpy as np

In [12]:
# problem 2

def verify_r1cs(A : np.ndarray, B : np.ndarray, C : np.ndarray, w : np.ndarray):
    '''
    A, B, C are matrices with shape (n_equations, n_variables)
    w is a vector with shape (n_variables,)
    returns True if Aw * Bw = Cw, False otherwise
    '''
    left = np.dot(A, w) * np.dot(B, w)
    
    print("left", left)
    right = np.dot(C, w)
    print("right", right)
    return np.allclose(left, right)
    

import numpy as np

A = np.array([
    [0, 1, 0, 0, 0, 0, 0],
    [0, 1, 0, 0, 0, 0, 0],
    [0, 0, 1, 0, 0, 0, 0],
    [0, 0, 0, 1, 0, 0, 0],
    [0, 0, 0, 0, 1, 0, 0]
])

B = np.array([
    [0, 1, 0, 0, 0, 0, 0],
    [0, 0, 1, 0, 0, 0, 0],
    [0, 0, 1, 0, 0, 0, 0],
    [0, 0, 0, 0, 0, 1, 0],
    [0, 0, 0, 0, 0, 0, 1]
])

C = np.array([
    [0, 0, 0, 1, 0, 0, 0],
    [0, 0, 0, 0, 1, 0, 0],
    [0, 0, 0, 0, 0, 1, 0],
    [0, 0, 0, 0, 0, 0, 1],
    [36, 0, 0, 0, -36, 0, 11]
])


def parameterize_witness(x, y):
    a = x*x
    b = x*y
    c = y*y
    d = a*c
    
    return np.array([1, x, y, a, b, c, d])

# The witness vector W
W = parameterize_witness(3, 3)
print(W)

print("A.shape: ", A.shape)
print("B.shape: ", B.shape)
print("C.shape: ", C.shape)
print("W.shape: ", W.shape)

print(verify_r1cs(A, B, C, W))


[ 1  3  3  9  9  9 81]
A.shape:  (5, 7)
B.shape:  (5, 7)
C.shape:  (5, 7)
W.shape:  (7,)
left [  9   9   9  81 729]
right [  9   9   9  81 603]
False


In [None]:
# problem 3
from py_ecc.bn128 import pairing, multiply, G1, G2, curve_order, field_modulus, add, eq
from py_ecc.fields import bn128_FQ2, bn128_FQ
from typing import Any
import numpy as np

In [None]:


def is_2d_point(point: Any) -> bool:
    if point is None:
        return True  # Point at infinity is considered a valid 2D point
    if isinstance(point, tuple):
        if isinstance(point[0], bn128_FQ2):
            return True
    else:
        raise ValueError(f"Invalid point {point}")
    return False

def matrix_point_dot_prod(M : np.ndarray, s : np.ndarray) -> list[tuple]:
    '''
    M is a matrix with shape (n_equations, n_variables)
    s is a vector with shape (n_variables,)
    returns a vector with shape (n_equations,)
    '''
    assert M.shape[1] == s.shape[0]
    
    out = []
    for i in range(M.shape[0]):
        buf = None # this is the identity element of the group
        for j in range(M.shape[1]):
            elm = multiply(s[j], M[i, j])
            buf = add(buf, elm)
            
        out.append(tuple(buf))
    return out
            
def hadamard_prod(a : list, b : list) -> list:
    '''
    a, b are vectors with shape (n_variables,)
    returns a vector with shape (n_variables,)
    '''
    assert len(a) == len(b)
    prod = []
    for i in range(len(a)):
        # we need to ensure the G2 point is first
        if is_2d_point(tuple(a[i])):
            prod.append(pairing(a[i], b[i]))
        elif is_2d_point(tuple(b[i])):
            prod.append(pairing(b[i], a[i]))
        else:
            raise ValueError(f"Invalid point got two 1d points {a[i]} and {b[i]}")
    return prod
    
L = np.array([
    [1, 0, 0],
    [0, 1, 0],
    [0, 0, 1]
])

R = np.array([
    [1, 0, 0],
    [0, 1, 0],
    [0, 0, 1]
])

S = np.array([
    multiply(G1, 1),
    multiply(G2, 1),
    multiply(G1, 1),
])

S2 = np.array([
    multiply(G2, 1),
    multiply(G1, 1),
    multiply(G2, 1),
])
""" 
a = matrix_point_dot_prod(L, S2)
b = matrix_point_dot_prod(R, S)
c = hadamard_prod(a, b)
print(c) """

In [None]:

def verify_r1cs_with_points(
    L : np.ndarray, 
    R : np.ndarray, 
    O : np.ndarray, 
    S_1 : np.ndarray,
    S_2 : np.ndarray,
    G : np.ndarray
):
    '''
    L, R, O are matrices with shape (n_equations, n_variables)
    s is a vector with shape (n_variables,)
    returns True if L*s \odot R*s = O*s, False otherwise
    '''
    #check L, R, O are all the same shape and field elements
    assert L.shape == R.shape == O.shape 
    assert np.max(L) <= field_modulus
    assert np.max(R) <= field_modulus
    assert np.max(O) <= field_modulus
    
    #check s is a valid witness
    assert S_1.shape[0] == S_2.shape[0] == G.shape[0] == L.shape[1]
    
    left_a = matrix_point_dot_prod(L, S_1)
    left_b = matrix_point_dot_prod(R, S_2)
    left = hadamard_prod(left_a, left_b)
    right_a = matrix_point_dot_prod(O, S_1)
    right = hadamard_prod(right_a, G)
    
    for a, b in zip(left, right):
        if not eq(a, b):
            return False
    return True

O = np.array([
    [0,1, 0],
    [0,1, 0],
    [1, 0, 0]
])

L = np.array([
    [0, 1, 0],
    [0, 0, 1],
    [0, 1, 0]
])

R = np.array([
    [1, 0, 0],
    [0, 1, 0],
    [0, 0, 1]
])

S_1 = np.array([
    multiply(G1, 1),
    multiply(G1, 1),
    multiply(G1, 1),
])

S_2 = np.array([
    multiply(G2, 1),
    multiply(G2, 1),
    multiply(G2, 1),
])

G = np.array([
    multiply(G2, 1),
    multiply(G2, 1),
    multiply(G2, 1),
])

print(verify_r1cs_with_points(L, R, O, S_1, S_2, G))


In [None]:
G = np.array([
    multiply(G2, 1),
    multiply(G2, 1),
    multiply(G2, 1),
])


S_1 = np.array([
    multiply(G1, 1),
    multiply(G1, 1),
    multiply(G1, 1),
])





right_a = matrix_point_dot_prod(O, S_1)
right = hadamard_prod(right_a, G)
print(right)

In [None]:

def check_s_equality(sG1, sG2):
    '''
    sG1, sG2 are points on the curve
    returns True if sG1 == sG2, False otherwise
    '''
    G1_ = multiply(G1, 1)
    G2_ = multiply(G2, 1)   
    return eq(pairing(G2_, sG1), pairing(sG2, G1_))



Hint: When you get s encrypted with both G1 and G2 generators, you
don’t know whether or not they have the same discrete logarithm. However, it
is straightforward to check using another equation. Figure out how to discover
if sG1 == sG2 if you are given the elliptic curve points but not s.
Solidity cannot multiply G2 points, do this assignment in Python