# Evaluate 
$ f(x, y) = 2x^2 - x^2y^2 + 3 $

$ g_0 = x ⋅ x $ 

$ g_1 = x ⋅ x $ 

$ g_2 = y ⋅ y $

$ g_3 = g_0 ⋅ 2 $

$ g_4 = g_1 ⋅ g_2 $

$ g_5 = g_2 - g_4 $

$ g_6 = g_5 + 3 $

---

$ c_0 = a_0 ⋅ b_0 $

$ c_1 = a_1 ⋅ b_1 $

$ c_2 = a_2 ⋅ b_2 $

$ c_3 = a_3 ⋅ 2 $

$ c_4 = a_4 ⋅ b_4 $

$ c_5 = a_5 - b_5 $

$ c_6 = a_6 + 3 $

---

$ x = a_0 = b_0 = a_1 = b_1 $

$ y = a_2 = b_2 $

$ g_0 = a_3 = c_0 $

$ g_1 = a_4 = c_1 $

$ g_2 = b_4 = c_2 $

$ g_3 = a_5 = c_3 $

$ g_4 = b_5 = c_4 $

$ g_5 = a_6 = c_5 $

$ g_6 = c_6 $

### Gate constrain equation

$ g_i = q_{Li}⋅a_i+q_{Ri}⋅b_i+q_{Mi}⋅(a_i⋅b_i)+q_{Ci}+q_{Oi}⋅c_i=0 $

$ g_0 = 0⋅a_0 + 0⋅b_0 + 1⋅(a_0⋅b_0) + 0 + (-1)⋅c_0 = 0 $

$ g_1 = 0⋅a_1 + 0⋅b_1 + 1⋅(a_1⋅b_1) + 0 + (-1)⋅c_1 = 0 $

$ g_2 = 0⋅a_2 + 0⋅b_2 + 1⋅(a_2⋅b_2) + 0 + (-1)⋅c_2 = 0 $

$ g_3 = 2⋅a_3 + 0⋅b_3 + 0⋅(a_3⋅b_3) + 0 + (-1)⋅c_3 = 0 $

$ g_4 = 0⋅a_4 + 0⋅b_4 + 1⋅(a_4⋅b_4) + 0 + (-1)⋅c_4 = 0 $

$ g_5 = 1⋅a_5 + (-1)⋅b_5 + 0⋅(a_5⋅b_5) + 0 + (-1)⋅c_5 = 0 $

$ g_6 = 1⋅a_6 + 0⋅b_6 + 0⋅(a_6⋅b_6) + 3 + (-1)⋅c_6 = 0 $

**selector vectors**

$ g_i = [q_{Li}, q_{Ri}, q_{Mi}, q_{Ci}, q_{Oi}] $

$ g_0 = [0, 0, 1, 0, -1] $

$ g_1 = [0, 0, 1, 0, -1] $

$ g_2 = [0, 0, 1, 0, -1] $

$ g_3 = [2, 0, 0, 0, -1] $

$ g_4 = [0, 0, 1, 0, -1] $

$ g_5 = [1, -1, 0, 0, -1] $

$ g_6 = [1, 0, 0, 3, 0] $

**let x = 2 y = 3**


| Vectors| a | b | c | qLi | qRi | qMi | qCi | qOi | PI |
| --- | --- | --- | --- |--- | --- | --- | --- | --- | --- |
| gate0 | 2 | 2 | 4 | 0 | 0 | 1 | 0 | -1 | 0 |
| gate1 | 2 | 2 | 4 | 0 | 0 | 1 | 0 | -1 | 0 |
| gate2 | 3 | 3 | 9 | 0 | 0 | 1 | 0 | -1 | 0 |
| gate3 | 4 | 0 | 8 | 2 | 0 | 0 | 0 | -1 | 0 |
| gate4 | 4 | 9 | 36 | 0 | 0 | 1 | 0 | -1 | 0 |
| gate5 | 8 | 36 | -28 | 1 | -1 | 0 | 0 | -1 | 0 |
| gate6 | -28 | 3 | -25 | 1 | 0 | 0 | 3 | 0 | 25 |

# Setup

In [1]:
import galois
import numpy as np
from utils import generator1, generator2, curve_order, normalize, validate_point, GPoint, SRS

G1 = generator1()
G2 = generator2()

def new_call(self, at, **kwargs):
    if isinstance(at, SRS):
        coeffs = self.coeffs[::-1]
        result = at.tau1[0] * coeffs[0]
        for i in range(1, len(coeffs)):
            result += at.tau1[i] * coeffs[i]
        return result

    return galois.Poly.original_call(self, at, **kwargs)

galois.Poly.original_call = galois.Poly.__call__
galois.Poly.__call__ = new_call

In [2]:
# initial values for x and y
x = 2
y = 3

# to switch between encrypted (ECC) and unencrypted mode (prime field p=241)
encrypted = True

# Prime field p
p = 241 if not encrypted else curve_order
# p = 241
Fp = galois.GF(p)

# 2x^2 - x^2y^2 + 3
out = 2*x**2 - x**2*y**2 + 3
print(f"out = {out}")

# We have 7 gates, next power of 2 is 8
n = 7
n = 2**int(np.ceil(np.log2(n)))
assert n & n - 1 == 0, "n must be a power of 2"

# Find primitive root of unity
omega = Fp.primitive_root_of_unity(n)
assert omega**(n) == 1, f"omega (ω) {omega} is not a root of unity"

roots = Fp([omega**i for i in range(n)])
print(f"roots = {roots}")

out = -25
roots = [                                                                            1
 19540430494807482326159819597004422086093766032135589407132600596362845576832
 21888242871839275217838484774961031246007050428528088939761107053157389710902
 13274704216607947843011480449124596415239537050559949017414504948711435969894
 21888242871839275222246405745257275088548364400416034343698204186575808495616
  2347812377031792896086586148252853002454598368280444936565603590212962918785
                    4407920970296243842541313971887945403937097133418418784715
  8613538655231327379234925296132678673308827349856085326283699237864372525723]


## Witness & Gates

In [3]:
def pad_array(a, n):
    return a + [0]*(n - len(a))

# witness vectors
a = [2, 2, 3, 4, 4, 8, -28]
b = [2, 2, 3, 0, 9, 36, 3]
c = [4, 4, 9, 8, 36, -28, -25]
pi = [0, 0, 0, 0, 0, 0, 25]

# gate vectors
ql = [0, 0, 0, 2, 0, 1, 1]
qr = [0, 0, 0, 0, 0, -1, 0]
qm = [1, 1, 1, 1, 1, 0, 0]
qc = [0, 0, 0, 0, 0, 0, 3]
qo = [-1, -1, -1, -1, -1, -1, 0]

# pad vectors to length n
a = pad_array(a, n)
b = pad_array(b, n)
c = pad_array(c, n)
pi = pad_array(pi, n)
ql = pad_array(ql, n)
qr = pad_array(qr, n)
qm = pad_array(qm, n)
qc = pad_array(qc, n)
qo = pad_array(qo, n)

print(f"a = {a}")
print(f"b = {b}")
print(f"c = {c}")
print(f"ql = {ql}")
print(f"qr = {qr}")
print(f"qm = {qm}")
print(f"qc = {qc}")
print(f"qo = {qo}")
print(f"pi = {pi}")

a = [2, 2, 3, 4, 4, 8, -28, 0]
b = [2, 2, 3, 0, 9, 36, 3, 0]
c = [4, 4, 9, 8, 36, -28, -25, 0]
ql = [0, 0, 0, 2, 0, 1, 1, 0]
qr = [0, 0, 0, 0, 0, -1, 0, 0]
qm = [1, 1, 1, 1, 1, 0, 0, 0]
qc = [0, 0, 0, 0, 0, 0, 3, 0]
qo = [-1, -1, -1, -1, -1, -1, 0, 0]
pi = [0, 0, 0, 0, 0, 0, 25, 0]


## Permutations

In [4]:
def print_sigma(sigma, a, b, c, r):
    group_size = len(sigma) // 3
    padding = 6

    print(f"{' w'} | {'value':{padding}} | {'i':{padding}} | {'sigma(i)':{padding}}")

    for i in range(0, group_size):
        print(f"a{i} | {a[i]:{padding}} | {r[i]:{padding}} | {r[sigma[i]]:{padding}}")

    print(f"-- | {'--':{padding}} | {'--':{padding}} | {'--':{padding}}")

    for i in range(group_size, 2 * group_size):
        print(f"b{i - group_size} | {b[i - group_size]:{padding}} | {r[i]:{padding}} | {r[sigma[i]]:{padding}}")

    print(f"-- | {'--':{padding}} | {'--':{padding}} | {'--':{padding}}")

    for i in range(2 * group_size, 3 * group_size):
        print(f"c{i - 2 * group_size} | {c[i - 2 * group_size]:{padding}} | {r[i]:{padding}} | {r[sigma[i]]:{padding}}")

ai = range(0, n)
bi = range(n, 2*n)
ci = range(2*n, 3*n)

sigma = {
    ai[0]: ai[0], ai[1]: ai[1], ai[2]: ai[2], ai[3]: ci[0], ai[4]: ci[1], ai[5]: ci[3], ai[6]: ci[5], ai[7]: ai[7],
    bi[0]: bi[0], bi[1]: bi[1], bi[2]: bi[2], bi[3]: bi[3], bi[4]: ci[2], bi[5]: ci[4], bi[6]: bi[6], bi[7]: bi[7],
    ci[0]: ai[3], ci[1]: ai[4], ci[2]: bi[4], ci[3]: ai[5], ci[4]: bi[5], ci[5]: ai[6], ci[6]: ci[6], ci[7]: ci[7],
}

k1 = 2
k2 = 4
c1_roots = roots
c2_roots = roots * k1
c3_roots = roots * k2

c_roots = np.concatenate((c1_roots, c2_roots, c3_roots))

check = set()
for r in c_roots:
    assert not int(r) in check, f"Duplicate root {r} in {c_roots}"
    check.add(int(r))

sigma1 = Fp([c_roots[sigma[i]] for i in range(0, n)])
sigma2 = Fp([c_roots[sigma[i + n]] for i in range(0, n)])
sigma3 = Fp([c_roots[sigma[i + 2 * n]] for i in range(0, n)])

print_sigma(sigma, a, b, c, c_roots)

print("\n\n--- Cosest ---")
print(f"c0 = {c1_roots}")
print(f"c1 = {c2_roots}")
print(f"c2 = {c3_roots}")

print("\n\n--- Sigma ---")
print(f"sigma1 = {sigma1}")
print(f"sigma2 = {sigma2}")
print(f"sigma3 = {sigma3}")

 w | value  | i      | sigma(i)
a0 |      2 |      1 |      1
a1 |      2 | 19540430494807482326159819597004422086093766032135589407132600596362845576832 | 19540430494807482326159819597004422086093766032135589407132600596362845576832
a2 |      3 | 21888242871839275217838484774961031246007050428528088939761107053157389710902 | 21888242871839275217838484774961031246007050428528088939761107053157389710902
a3 |      4 | 13274704216607947843011480449124596415239537050559949017414504948711435969894 |      4
a4 |      4 | 21888242871839275222246405745257275088548364400416034343698204186575808495616 | 12496993363712103637900061152245863078729970927294254597435789825723956820477
a5 |      8 | 2347812377031792896086586148252853002454598368280444936565603590212962918785 | 9322331122753240927553110305983835483861419401407727382261611421694126888342
a6 |    -28 | 4407920970296243842541313971887945403937097133418418784715 | 9391249508127171584346344593011412009818393473121779746262414360851851675140

## Gate Polynomials

In [5]:
def to_galois_array(vector, field):
    # normalize to positive values
    a = [x % field.order for x in vector]
    return field(a)

def to_poly(x, v, field):
    assert len(x) == len(v)
    y = to_galois_array(v, field) if type(v) == list else v
    return galois.lagrange_poly(x, y)

QL = to_poly(roots, ql, Fp)
QR = to_poly(roots, qr, Fp)
QM = to_poly(roots, qm, Fp)
QC = to_poly(roots, qc, Fp)
QO = to_poly(roots, qo, Fp)
PI = to_poly(roots, pi, Fp)

print("--- Gate Polynomials ---")
print(f"QL = {QL}")
print(f"QR = {QR}")
print(f"QM = {QM}")
print(f"QC = {QC}")
print(f"QO = {QO}")
print(f"PI = {PI}")

--- Gate Polynomials ---
QL = 3612152601280961073314683502099786209434373305161036046916463827631781705411x^7 + 16416182153879456417235794430229986796728937546798018933265790281609158719802x^6 + 5961799955605786503393330439980659875369380680279914842076475412146455611834x^5 + 5472060717959818805561601436314318772137091100104008585924551046643952123904x^4 + 1859908116678857733348898176788593523338046287914958889992361502366775114672x^3 + 10944121435919637610572212751341607063956517953722023996356964951610601899719x^2 + 10454382198273669912189493626388235480406564127060124564712903444430796063700x + 10944121435919637611123202872628637544274182200208017171849102093287904247809
QR = 2442553811850935290769977449625552760761720754016948675891575074545355697104x^7 + 13680151794899547014454993712072827410660391996746014640303514758287182657850x^6 + 7131398745035812285938036492454893324042033231424002213101364165232881620141x^5 + 19152212512859365819465605027100115702479818850364030050735928663

## Permutation Polynomials

In [6]:
S1 = to_poly(roots, sigma1, Fp)
S2 = to_poly(roots, sigma2, Fp)
S3 = to_poly(roots, sigma3, Fp)

I1 = to_poly(roots, c1_roots, Fp)
I2 = to_poly(roots, c2_roots, Fp)
I3 = to_poly(roots, c3_roots, Fp)

padding = 3
for i in range(0, len(roots)):
    s  = f"i = {i:{padding}} --> {roots[i]:{padding}} "
    s += f"  I1({roots[i]:{padding}}) = {I1(roots[i]):{padding}} "
    s += f"  I2({roots[i]:{padding}}) = {I2(roots[i]):{padding}} "
    s += f"  I3({roots[i]:{padding}}) = {I3(roots[i]):{padding}} "
    s += f"  S1({roots[i]:{padding}}) = {S1(roots[i]):{padding}} "
    s += f"  S2({roots[i]:{padding}}) = {S2(roots[i]):{padding}} "
    s += f"  S3({roots[i]:{padding}}) = {S3(roots[i]):{padding}} "
    print(s)

    assert I1(roots[i]) == roots[i], f"I1({roots[i]}) != {roots[i]}"
    assert I2(roots[i]) == k1 * roots[i], f"I2({roots[i]}) != {k1 * roots[i]}"
    assert I3(roots[i]) == k2 * roots[i], f"I3({roots[i]}) != {k2 * roots[i]}"

    assert S1(roots[i]) == sigma1[i], f"S1({roots[i]}) != {sigma1[i]}"
    assert S2(roots[i]) == sigma2[i], f"S2({roots[i]}) != {sigma2[i]}"
    assert S3(roots[i]) == sigma3[i], f"S3({roots[i]}) != {sigma3[i]}"

i =   0 -->   1   I1(  1) =   1   I2(  1) =   2   I3(  1) =   4   S1(  1) =   1   S2(  1) =   2   S3(  1) = 13274704216607947843011480449124596415239537050559949017414504948711435969894 
i =   1 --> 19540430494807482326159819597004422086093766032135589407132600596362845576832   I1(19540430494807482326159819597004422086093766032135589407132600596362845576832) = 19540430494807482326159819597004422086093766032135589407132600596362845576832   I2(19540430494807482326159819597004422086093766032135589407132600596362845576832) = 17192618117775689430073233448751569083639167663855144470566997006149882658047   I3(19540430494807482326159819597004422086093766032135589407132600596362845576832) = 12496993363712103637900061152245863078729970927294254597435789825723956820477   S1(19540430494807482326159819597004422086093766032135589407132600596362845576832) = 19540430494807482326159819597004422086093766032135589407132600596362845576832   S2(19540430494807482326159819597004422086093766032135589407132600

In [7]:
def to_vanishing_poly(roots, field):
    # Z^n - 1 = (Z - 1)(Z - w)(Z - w^2)...(Z - w^(n-1))
    return galois.Poly.Degrees([len(roots), 0], coeffs=[1, -1], field=field)

Zh = to_vanishing_poly(roots, Fp)
for x in roots:
    assert Zh(x) == 0

print("--- Vanishing Polynomial ---")
print(f"Zh = {Zh}")

--- Vanishing Polynomial ---
Zh = x^8 + 21888242871839275222246405745257275088548364400416034343698204186575808495616


## CRS Construction

In [8]:
def generate_tau(encrypted=False):
    return SRS(Fp.Random(), n) if encrypted else Fp.Random()

tau = generate_tau(encrypted=encrypted)
print(f"--- Tau ---")
print(tau)

--- Tau ---
tau: 10689791810148527086042099304582348348030345553637354502674269843384803529716
[tau^0]G1: (1, 2)
[tau^1]G1: (11618734792868787529571984229258372139910756676528652150123544507823270217567, 14318276661882519987674327744797376101022084826646962631385181470018535563357)
[tau^2]G1: (6999926305506011911666690103470468057054793656897433430854011057559830640821, 5971248688080976599326168584392328170892117406407459344055890672800800304973)
[tau^3]G1: (2666168629455261402195584690435505853542005566694477356924132221339380309077, 11465837524681661561279424295511390249299600288008223421483334412516434061043)
[tau^4]G1: (15858789209744697695548444102443788928542263098005289507360902173083824529518, 15411893526951280670789964846775701372369290464118315784056486268271729336724)
[tau^5]G1: (6009896056441314411199840378518011395567284017377804630557374912931937610377, 18461580675549435319112971442579813950786689953282505658283901784490958570165)
[tau^6]G1: (13257596245541310302089603474

# Prover

## Round 1

In [9]:
random_b = [Fp.Random() for i in range(0, 9)]

bA = galois.Poly(random_b[:2], field=Fp)
bB = galois.Poly(random_b[2:4], field=Fp)
bC = galois.Poly(random_b[4:6], field=Fp)

_A = to_poly(roots, a, Fp)
_B = to_poly(roots, b, Fp)
_C = to_poly(roots, c, Fp)

A = _A + bA*Zh
B = _B + bB*Zh
C = _C + bC*Zh

# gate constraints polynomial
# g(x) = a(x)*ql(x) + b(x)*qr(x) + a(x)*b(x)*qm(x) + c(x)*qo(x) + qpi(x) + qc(x)
G = A*QL + B*QR + A*B*QM + C*QO + QC + PI

print("--- Gate Constraints Polynomial ---")
print(f"G = {G}")
for i in range(0, len(roots)):
    print(f"gate #{i} G({roots[i]}) = {G(roots[i])} --> {'OK' if G(roots[i]) == 0 else 'FAIL'}")
    assert G(roots[i]) == 0, f"G({roots[i]}) != 0"

assert G % Zh == 0, f"G(x) % Zh(x) != 0"

padding = 3
for i in range(0, len(roots)):
    s = f"i = {i:{padding}} --> {roots[i]:{padding}} "
    s += f"   A({roots[i]:{padding}}) = {A(roots[i]):{padding}} "
    s += f"   B({roots[i]:{padding}}) = {B(roots[i]):{padding}} "
    s += f"   C({roots[i]:{padding}}) = {C(roots[i]):{padding}} "
    print(s)

round1 = [A(tau), B(tau), C(tau)]
print("\n\n--- Round 1 ---")
print(f"Round 1 = {round1}")

--- Gate Constraints Polynomial ---
G = 19176649019484919164471612756584251510894818624941333638132522924336331413800x^25 + 6484003728259500550915845264886437409332339335679426366152914273389560350826x^24 + 5260105457241922766316330488788328126133965075074367087989710771838843232156x^23 + 18742132118178670110019362158343435403760085167363786895269216065295753916047x^22 + 18404181887087326565543635951229675344166294731466106521953347751834991021691x^21 + 3859473418302001569787986324069496186857482387932071505419962464895631380923x^20 + 6298403093398667097955030090866122514961311878194376368151388937425279104666x^19 + 5083312696171343262702485578073153029580163834358386078470932419278437676119x^18 + 20597250795272615871151857969026106209679899588195172353232226184372875091282x^17 + 19192559046105985845362995666902508960049530283527556170979412471051581591532x^16 + 14531007530897024160028250523122150300344697253696869778303524387146712449639x^15 + 10204614820008983039395595281293256953397

## Round 2

In [10]:
import sha3

def numbers_to_hash(numbers, field) -> int:
    """Hash a number."""
    engine = sha3.keccak_256()
    for number in numbers:
        if isinstance(number, tuple):
            x, y, z = number
            engine.update(bytes(hex(int(x)), 'utf-8'))
            engine.update(bytes(hex(int(y)), 'utf-8'))
            engine.update(bytes(hex(int(z)), 'utf-8'))
        else:
            engine.update(bytes(hex(int(number)), 'utf-8'))
    return field(int(engine.hexdigest(), 16) % field.order)

beta = numbers_to_hash(round1 + [0], Fp)
gamma = numbers_to_hash(round1 + [1], Fp)

_F = (A + I1 * beta + gamma) * (B + I2 * beta + gamma) * (C + I3 * beta + gamma)
_G = (A + S1 * beta + gamma) * (B + S2 * beta + gamma) * (C + S3 * beta + gamma)

acc_eval = [Fp(1)]
for i in range(0, n):
    acc_eval.append(
        acc_eval[-1] * (_F(roots[i]) / _G(roots[i]))
    )
assert acc_eval.pop() == Fp(1)
ACC = galois.lagrange_poly(roots, Fp(acc_eval))
print("\n\n--- Accumulator Polynomial ---")
print(f"ACC(x) = {ACC}")

bZ = galois.Poly(random_b[6:9], field=Fp)
print(f"bZ = {bZ}")
Z = bZ * Zh + ACC

print("\n\n--- Z Polynomial ---")
print(f"Z(x) = {Z}")

for r in roots:
    print(f"Z({r}) = {Z(r)}")

assert Z(roots[0]) == 1
assert Z(roots[-1]) == 1

round2 = [Z(tau)]
print("\n\n--- Round 2 ---")
print(f"Round 2 = {round2}")



--- Accumulator Polynomial ---
ACC(x) = 10872963604518678668452365356620244579735145650470886291878837640605873657499x^7 + 20961461332563781619664575602516641557272236338059855635956048216984961554785x^6 + 1562214331700123941267753773330838706304040796196910942836421783358912942629x^5 + 21125051320683563868009501835807573143896974321319160899952175400799696428760x^4 + 6222469170765383468138958788100085517272248247825877511078103510798544068045x^3 + 20534868902201327804261637971819466903753771624655460493059285990538092275007x^2 + 19782936585065945170090016583124569651891508726725273148930755131130948997150x + 8379249111697571571347218814966955382615896296826746794799393258662012554211
bZ = 3900401743740267432153202210115737665618348291636398384882379031888175986804x^2 + 2700257576304433569262436725025091833314473918377838940427387847126196507478x + 2858074098384123676483575949196752207874676396745466621515882186517768937828


--- Z Polynomial ---
Z(x) = 390040174374026743215320221011

# Round 3

In [11]:
def shift_poly(poly: galois.Poly, omega: Fp):
    coeffs = poly.coeffs[::-1]
    coeffs = [c * omega**i for i, c in enumerate(coeffs)]
    return galois.Poly(coeffs[::-1], field=poly.field)

alpha = numbers_to_hash(round1 + round2, Fp)

Zomega = shift_poly(Z, omega=omega)
for r in roots:
    print(f"Z({r:3}) = {Z(r):3} -> Zω({r:3}) = {Zomega(r):3}")

print("\n\n--- Zω Polynomial ---")
print(f"Z(ωx) = {Zomega}")

L1 = galois.lagrange_poly(roots, Fp([1] + [Fp(0)] * (n - 1)))

print("\n\n--- L1 Polynomial ---")
print(f"L1(x) = {L1}")
for i, r in enumerate(roots):
    print(f"L1({r}) = {L1(r)}")
    assert L1(r) == (Fp(1) if i == 0 else Fp(0))

T0 = G
assert T0 % Zh == 0, f"T0(x) % Zh(x) != 0"

T1 = (_F * Z - _G * Zomega) * alpha
assert T1 % Zh == 0, f"T1(x) % Zh(x) != 0"

T2 = (Z - galois.Poly([1], field=Fp)) * L1 * alpha**2
assert T2 % Zh == 0, f"T2(x) % Zh(x) != 0"

T = (T0 + T1 + T2)
assert T % Zh == 0, f"T(x) % Zh(x) != 0"

for r in roots:
    assert T(r) == 0, f"T({r}) != 0"

T = T // Zh

print("\n\n--- T Polynomial ---")
print(f"T(x) = {T}")

t_coeffs = T.coeffs[::-1]

Tl = galois.Poly(t_coeffs[:n][::-1], field=Fp)
Tm = galois.Poly(t_coeffs[n:2*(n)][::-1], field=Fp)
Th = galois.Poly(t_coeffs[2*(n):][::-1], field=Fp)

X_n = galois.Poly.Degrees([n, 0], coeffs=[1, 0], field=Fp)
X_2n = galois.Poly.Degrees([2*(n), 0], coeffs=[1, 0], field=Fp)
# make sure that T was split correctly
# T = TL + X^n * TM + X^2n * TH
assert T == (Tl + X_n * Tm + X_2n * Th)
assert T.degree == 3 * n + 5

b10 = Fp.Random()
b11 = Fp.Random()

Tl = Tl + b10 * X_n
Tm = Tm - b10 + b11 * X_n
Th = Th - b11
assert T == (Tl + X_n * Tm + X_2n * Th)

print("\n\n--- T' ---")
print(f"Tl(x) = {Tl}")
print(f"Tm(x) = {Tm}")
print(f"Th(x) = {Th}")

round3 = [Tl(tau), Tm(tau), Th(tau)]
print("\n\n--- Round 3 ---")
print(f"Round 3 = {round3}")

Z(  1) =   1 -> Zω(  1) = 667784842827980092645780939720423727420751198326596319940402768677163964420
Z(19540430494807482326159819597004422086093766032135589407132600596362845576832) = 667784842827980092645780939720423727420751198326596319940402768677163964420 -> Zω(19540430494807482326159819597004422086093766032135589407132600596362845576832) = 11946655434771319638156551147885103721301545602112286341264684560426213687140
Z(21888242871839275217838484774961031246007050428528088939761107053157389710902) = 11946655434771319638156551147885103721301545602112286341264684560426213687140 -> Zω(21888242871839275217838484774961031246007050428528088939761107053157389710902) = 12118781512660482267600468239205011336400031827898629754440118702207416136955
Z(13274704216607947843011480449124596415239537050559949017414504948711435969894) = 12118781512660482267600468239205011336400031827898629754440118702207416136955 -> Zω(13274704216607947843011480449124596415239537050559949017414504948711435969894) = 

## Round 4

In [12]:
zeta = numbers_to_hash(round1 + round2 + round3, Fp)

a_zeta = A(zeta)
b_zeta = B(zeta)
c_zeta = C(zeta)
s1_zeta = S1(zeta)
s2_zeta = S2(zeta)
z_omega_zeta = Zomega(zeta)

round4 = [a_zeta, b_zeta, c_zeta, s1_zeta, s2_zeta, z_omega_zeta]
print("\n\n--- Round 4 ---")
print(f"Round 4 = {round4}")



--- Round 4 ---
Round 4 = [GF(14071788501497821158855146517256858921195834400000467211484625063692387943210,
   order=21888242871839275222246405745257275088548364400416034343698204186575808495617), GF(21720700666301009020723707469095289175912728107267020752578056304892523415839,
   order=21888242871839275222246405745257275088548364400416034343698204186575808495617), GF(18322086635659789493872060525867195897431504764889595840610591957844944053377,
   order=21888242871839275222246405745257275088548364400416034343698204186575808495617), GF(10882864065795290031754704830456702884318097933214574970233168239567055728974,
   order=21888242871839275222246405745257275088548364400416034343698204186575808495617), GF(18568044669091469164265000126455984494119591499934357220900770132109929883337,
   order=21888242871839275222246405745257275088548364400416034343698204186575808495617), GF(18142179723085891919857824620385436201439497410863672537569331433098974828483,
   order=2188824287183927522224640

# Round 5

In [13]:
v = numbers_to_hash(round1 + round2 + round3 + round4, Fp)

pi_zeta = PI(zeta)

R = (QM * a_zeta * b_zeta +
    QL * a_zeta +
    QR * b_zeta +
    QO * c_zeta +
    QC + pi_zeta)
R += (Z * 
    (a_zeta + beta * zeta + gamma) *
    (b_zeta + beta * zeta * k1 + gamma) *
    (c_zeta + beta * zeta * k2 + gamma) * alpha)
R -= (z_omega_zeta *
    (a_zeta + beta * s1_zeta + gamma) *
    (b_zeta + beta * s2_zeta + gamma) * 
    (c_zeta + beta * S3 + gamma) * alpha)
R += (Z - Fp(1)) * L1(zeta) * alpha**2
R -= Zh(zeta) * (Tl + zeta**n * Tm + zeta**(2*n) * Th)

print("\n\n--- R ---")
print(f"R(x) = {R}")

X_minus_zeta = galois.Poly([1, -zeta], field=Fp)
print(f"X - zeta = {X_minus_zeta}")

Wzeta = R + \
        (A - a_zeta) * v + \
        (B - b_zeta) * v**2 + \
        (C - c_zeta) * v**3 + \
        (S1 - s1_zeta) * v**4 + \
        (S2 - s2_zeta) * v**5

assert Wzeta % X_minus_zeta == 0, f"Wzeta(x) % X - zeta != 0"
Wzeta = Wzeta // X_minus_zeta

X_minus_omega_zeta = galois.Poly([1, -(omega*zeta)], field=Fp)
print(f"X - ω*zeta = {X_minus_omega_zeta}")

Womega_zeta = (Z - z_omega_zeta)
assert Womega_zeta % X_minus_omega_zeta == 0, f"Womega_zeta(x) % X - ω*zeta != 0"
Womega_zeta = Womega_zeta // X_minus_omega_zeta

round5 = [Wzeta(tau), Womega_zeta(tau)]
print("\n\n--- Round 5 ---")
print(f"Round 5 = {round5}")

u = numbers_to_hash(round1 + round2 + round3 + round4 + round5, Fp)



--- R ---
R(x) = 14423612765300646233875391573062198533957324612957379330795556887204482585368x^13 + 19846048615422743337035028476567270541432010545897166153667147494577199580602x^12 + 8436238838278580855328628364067579151341474193956765292427383553140195291749x^11 + 21784571824233386705264346873588868717302546117542146910566774899162545425907x^10 + 20875997233982663329276308616573149616026196713369429411703722559100156013621x^9 + 1650256580241699670121738762631642637993821114107481233273422146192577098734x^8 + 7353148849479480652094347754214246844921030516958000044538892888281561018326x^7 + 10081863180171889219993883756592602157284081115759117928509528298326684261072x^6 + 19029355527444086110064620945141859901340442695332007837515486832840122765462x^5 + 1972880812354084295076545871016032882812180793210891922831769505727640888383x^4 + 10118589411965903014629426995873585508780991123083443595826695197445661821309x^3 + 11209970088688291255554768311300818693997681612785706763866369500448

In [14]:
proof = {
    "A": round1[0],
    "B": round1[1],
    "C": round1[2],
    "Z": round2[0],
    "Tl": round3[0],
    "Tm": round3[1],
    "Th": round3[2],
    "Wzeta": round5[0],
    "Womega_zeta": round5[1],
    "a_zeta": round4[0],
    "b_zeta": round4[1],
    "c_zeta": round4[2],
    "s1_zeta": round4[3],
    "s2_zeta": round4[4],
    "z_omega_zeta": round4[5],
    "Fp": p,
}

for k, v in proof.items():
    if isinstance(v, GPoint) or isinstance(v, GPoint):
        proof[k] = str(v)
    else:
        proof[k] = int(v)

import json
open ("proof.json", "w").write(json.dumps(proof, indent=4))

circuit = {
    "QM": QM.coeffs,
    "QL": QL.coeffs,
    "QR": QR.coeffs,
    "QO": QO.coeffs,
    "QC": QC.coeffs,
    "PI": PI.coeffs,
    "Zh": Zh.coeffs,
    "L1": L1.coeffs,
    "S1": S1.coeffs,
    "S2": S2.coeffs,
    "S3": S3.coeffs,
    "k1": k1,
    "k2": k2,
    "tau": tau.tau if encrypted else tau,
    "Fp": p,
    "omega": omega,
    "n": n,
    "encrypted": encrypted,
}

for k, v in circuit.items():
    if k in ["tau", "k1", "k2", "Fp", "omega", "n"]:
        circuit[k] = int(v)
    elif isinstance(v, bool):
        continue
    else:
        circuit[k] = [int(x) for x in v]

open ("circuit.json", "w").write(json.dumps(circuit, indent=4))

7561

# Verifier

In [15]:
# These evaluations are calculated beforehand during the setup phase
qm_exp = QM(tau)
ql_exp = QL(tau)
qr_exp = QR(tau)
qo_exp = QO(tau)
qc_exp = QC(tau)
s1_exp = S1(tau)
s2_exp = S2(tau)
s3_exp = S3(tau)

# Values provided by the prover (round 1 to 5) is a proof.
a_exp = round1[0]
b_exp = round1[1]
c_exp = round1[2]

z_exp = round2[0]

tl_exp = round3[0]
tm_exp = round3[1]
th_exp = round3[2]

# Note: verifier has to verify that the following values are in the correct Fp field
a_zeta, b_zeta, c_zeta, s1_zeta, s2_zeta, z_omega_zeta = round4

w_zeta_exp = round5[0]
w_omega_zeta_exp = round5[1]

# Note: verifier has to verify that the following values are on the curve
if encrypted:
    validate_point(qm_exp)
    validate_point(ql_exp)
    validate_point(qr_exp)
    validate_point(qo_exp)
    validate_point(qc_exp)
    validate_point(z_exp)
    validate_point(s1_exp)
    validate_point(s2_exp)
    validate_point(s3_exp)
    validate_point(tl_exp)
    validate_point(tm_exp)
    validate_point(th_exp)
    validate_point(a_exp)
    validate_point(b_exp)
    validate_point(c_exp)
    validate_point(w_zeta_exp)
    validate_point(w_omega_zeta_exp)

beta = numbers_to_hash(round1 + [0], Fp)
gamma = numbers_to_hash(round1 + [1], Fp)
alpha = numbers_to_hash(round1 + round2, Fp)
zeta = numbers_to_hash(round1 + round2 + round3, Fp)
v = numbers_to_hash(round1 + round2 + round3 + round4, Fp)
u = numbers_to_hash(round1 + round2 + round3 + round4 + round5, Fp)

In [16]:
Zh_z = Zh(zeta)
L1_z = L1(zeta)
PI_z = PI(zeta)

r0 = (PI_z - L1_z * alpha**2 -
    (a_zeta + beta * s1_zeta + gamma) *
    (b_zeta + beta * s2_zeta + gamma) *
    (c_zeta + gamma) * z_omega_zeta * alpha)

In [17]:
D_exp = (qm_exp * a_zeta * b_zeta +
        ql_exp * a_zeta +
        qr_exp * b_zeta +
        qo_exp * c_zeta +
        qc_exp)

D_exp += (z_exp * (
        (a_zeta + beta * zeta + gamma) *
        (b_zeta + beta * zeta * k1 + gamma) *
        (c_zeta + beta * zeta * k2 + gamma) * alpha
        + L1_z * alpha**2 + u))

D_exp -= (s3_exp *
        (a_zeta + beta * s1_zeta + gamma) *
        (b_zeta + beta * s2_zeta + gamma) * 
        alpha * beta * z_omega_zeta)

D_exp -= ((tl_exp + 
        tm_exp * zeta**n  +
        th_exp * zeta**(2*n)) *
        Zh_z)

In [18]:
F_exp = (D_exp + 
        a_exp * v +
        b_exp * v**2 +
        c_exp * v**3 +
        s1_exp * v**4 +
        s2_exp * v**5)

print(f"F_exp = {F_exp}")

F_exp = (21657532057912584823646137870907508675278530212614641607595162151825597375368, 19543798916048237908748449407655822101386574292914020108748404837746222007343, 21445344355381160976137495432701574366375356479442092492047660418583174441572)


In [19]:
E_exp = (-r0 +
        v * a_zeta +
        v**2 * b_zeta +
        v**3 * c_zeta +
        v**4 * s1_zeta +
        v**5 * s2_zeta +
        u * z_omega_zeta)

if encrypted:
        E_exp = G1 * E_exp

print(f"E_exp = {E_exp}")

E_exp = (17459173416278814315753763562125347744266039940541381801726306915243484294997, 1307624642964067106841107479733080905212058915704695916522200128466010638763, 14305516036151272312492126809303825096099152061774973562069230877979496835992)


In [20]:
e1 = w_zeta_exp + w_omega_zeta_exp * u
e2 = (w_zeta_exp * zeta + w_omega_zeta_exp * (u * zeta * omega) +
    F_exp + (E_exp * Fp(p-1)))

if encrypted:
    pairing1 = tau.tau2.pair(e1)
    pairing2 = G2.pair(e2)

    print(f"pairing1 = {pairing1}")
    print(f"pairing2 = {pairing2}")

    assert pairing1 == pairing2, f"pairing1 != pairing2"
else:
    print("\n\n--- e1, e2 ---")
    print(f"e1 = {e1 * tau} = {e1} * tau")
    print(f"e2 = {e2}")
    assert e1 * tau == e2

pairing1 = (1995524244905634973051289338410047215939497810662085468048857028536236827485, 7387396249125994352231452489008895507424282268692284231480616357421276372009, 15980839134404896310461893125714008384730728107204167967568573327513965595322, 13403794397039826461380381384317254567755449884512264787211460655040373877204, 9682088073025662616013992059147658990785139150637334602832671584948870347999, 13878328290834720204712268808270529479160592520076597954814269036384099592167, 2868912482778317219476603830117389977599520723022394424834458120120508156279, 10362426014774102954381913156604555782316562211383026629166568025047376090021, 17980162332020806365668723229904072193728870974944251788323145130213624625951, 16559423327676627549564196964221226532959436263168667730480553316216437116883, 9755851071128066467510154810347311905641142318016715292805523665524304985451, 9547299747612497522533986006801129701873246236971751314135552554575950847582)
pairing2 = (1995524244905634973051289338410047