// Copyright 2020 ConsenSys Software Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// Code generated by gnark DO NOT EDIT
package groth16
import (
"github.com/consensys/gnark-crypto/ecc"
curve "github.com/consensys/gnark-crypto/ecc/bw6-761"
"errors"
"fmt"
bw6_761witness "github.com/nume-crypto/gnark/internal/backend/bw6-761/witness"
"io"
"time"
"github.com/nume-crypto/gnark/logger"
)
// errPairingCheckFailed is returned by Verify when the pairing product does
// not equal the precomputed vk.e.
var errPairingCheckFailed = errors.New("pairing doesn't match")

// errCorrectSubgroupCheckFailed is returned by Verify when proof.isValid()
// rejects the proof points.
var errCorrectSubgroupCheckFailed = errors.New("points in the proof are not in the correct subgroup")
// Verify checks a Groth16 proof against vk and the public inputs.
//
// It returns nil when the proof is accepted. Otherwise it returns a
// size-mismatch error when publicWitness does not hold len(vk.G1.K)-1
// elements, errCorrectSubgroupCheckFailed when proof.isValid() rejects the
// proof points, errPairingCheckFailed when the pairing product differs from
// vk.e, or any error surfaced by the multi-exponentiation or Miller loops.
//
// The precomputed verifying-key values read here (vk.e, vk.G2.deltaNeg,
// vk.G2.gammaNeg) are used as-is; this function does not validate them.
func Verify(proof *Proof, vk *VerifyingKey, publicWitness bw6_761witness.Witness) error {
	nbPublic := len(vk.G1.K) - 1
	if len(publicWitness) != nbPublic {
		return fmt.Errorf("invalid witness size, got %d, expected %d (public - ONE_WIRE)", len(publicWitness), nbPublic)
	}

	log := logger.Logger().With().Str("curve", vk.CurveID().String()).Str("backend", "groth16").Logger()
	start := time.Now()

	// The proof points must pass the subgroup check before any pairing
	// arithmetic is performed on them.
	if !proof.isValid() {
		return errCorrectSubgroupCheckFailed
	}

	// (eKrsδ, eArBs): run the proof-side Miller loop concurrently with the
	// public-input multi-exponentiation below. The channel is buffered so the
	// goroutine can complete even if this function returns early on error.
	var proofML curve.GT
	mlDone := make(chan error, 1)
	go func() {
		defer close(mlDone)
		var mlErr error
		proofML, mlErr = curve.MillerLoop(
			[]curve.G1Affine{proof.Krs, proof.Ar},
			[]curve.G2Affine{vk.G2.deltaNeg, proof.Bs},
		)
		mlDone <- mlErr
	}()

	// e(Σx.[Kvk(t)]1, -[γ]2): accumulate K[0] + Σ publicWitness[i]·K[i+1].
	var kAcc curve.G1Jac
	if _, err := kAcc.MultiExp(vk.G1.K[1:], publicWitness, ecc.MultiExpConfig{ScalarsMont: true}); err != nil {
		return err
	}
	kAcc.AddMixed(&vk.G1.K[0])
	var kAccAff curve.G1Affine
	kAccAff.FromJacobian(&kAcc)

	witnessML, err := curve.MillerLoop([]curve.G1Affine{kAccAff}, []curve.G2Affine{vk.G2.gammaNeg})
	if err != nil {
		return err
	}

	// Receiving from mlDone also establishes happens-before for the
	// goroutine's write to proofML.
	if mlErr := <-mlDone; mlErr != nil {
		return mlErr
	}

	// One final exponentiation over the product of the Miller loops; the
	// check passes iff the result equals the precomputed vk.e.
	pairingProduct := curve.FinalExponentiation(&witnessML, &proofML)
	if !vk.e.Equal(&pairingProduct) {
		return errPairingCheckFailed
	}

	log.Debug().Dur("took", time.Since(start)).Msg("verifier done")
	return nil
}
// ExportSolidity is not supported for BW6-761: it writes nothing to w and
// always returns a "not implemented" error.
func (vk *VerifyingKey) ExportSolidity(w io.Writer) error {
	const msg = "not implemented"
	return errors.New(msg)
}