## Evaluate

$ 5x^{3} - 4x^{2}y^{2} + 13xy^{2} + x^{2} -10y = out $

$ v_1 = xx $

$ v_2 = yy $

$ v_3 = 5xv_1 $

$ v_4 = 4v_1v_2 $

$ out -v_3 + v_4 - v_1 + 10y = 13xv_2 $

$ w = \begin{bmatrix}
1 & out & x & y & v_1 & v_2 & v_3 & v_4
\end{bmatrix} $



$ L = \begin{bmatrix}
1 & out & x & y & v_1 & v_2 & v_3 & v_4 \\
0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 \\
0 & 0 & 5 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 4 & 0 & 0 & 0 \\
0 & 0 & 13 & 0 & 0 & 0 & 0 & 0 \\
\end{bmatrix} $


$ R = \begin{bmatrix}
1 & out & x & y & v_1 & v_2 & v_3 & v_4 \\
0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 \\
\end{bmatrix} $


$ O = \begin{bmatrix}
1 & out & x & y & v_1 & v_2 & v_3 & v_4 \\
0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 \\
0 & 1 & 0 & 10 & -1 & 0 & -1 & 1 \\
\end{bmatrix} $


In [6]:
import galois
import numpy as np

p = 71
p = 21888242871839275222246405745257275088548364400416034343698204186575808495617
FP = galois.GF(p)

x = FP(2)
y = FP(3)

v1 = x * x
v2 = y * y
v3 = 5 * x * v1
v4 = 4 * v1 * v2
out = 5*x**3 - 4*x**2*y**2 + 13*x*y**2 + x**2 - 10*y

w = FP([1, out, x, y, v1, v2, v3, v4])

print("w =", w)

R = FP([[0, 0, 1, 0, 0, 0, 0, 0],
         [0, 0, 0, 1, 0, 0, 0, 0],
         [0, 0, 5, 0, 0, 0, 0, 0],
         [0, 0, 0, 0, 4, 0, 0, 0],
         [0, 0, 13, 0, 0, 0, 0, 0]])

L = FP([[0, 0, 1, 0, 0, 0, 0, 0],
         [0, 0, 0, 1, 0, 0, 0, 0],
         [0, 0, 0, 0, 1, 0, 0, 0],
         [0, 0, 0, 0, 0, 1, 0, 0],
         [0, 0, 0, 0, 0, 1, 0, 0]])

O = FP([[0, 0, 0, 0, 1, 0, 0, 0],
         [0, 0, 0, 0, 0, 1, 0, 0],
         [0, 0, 0, 0, 0, 0, 1, 0],
         [0, 0, 0, 0, 0, 0, 0, 1],
         [0, 1, 0, 10, FP(p - 1), 0, FP(p - 1), 1]])

Lw = np.dot(L, w)
Rw = np.dot(R, w)
Ow = np.dot(O, w)

print("Lw =", Lw)
print("Rw =", Rw)

LwRw = np.multiply(Lw, Rw)

print("Lw * Rw =", LwRw)

print("Ow =     ", Ow)

assert np.all(LwRw == Ow)


w = [  1 104   2   3   4   9  40 144]
Lw = [2 3 4 9 9]
Rw = [ 2  3 10 16 26]
Lw * Rw = [  4   9  40 144 234]
Ow =      [  4   9  40 144 234]


In [7]:
mtxs = [L, R, O]
poly_m = []

for m in mtxs:
    poly_list = []
    for i in range(0, m.shape[1]):
        points_x = FP(np.zeros(m.shape[0], dtype=int))
        points_y = FP(np.zeros(m.shape[0], dtype=int))
        for j in range(0, m.shape[0]):
            points_x[j] = FP(j+1)
            points_y[j] = m[j][i]

        poly = galois.lagrange_poly(points_x, points_y)
        coef = poly.coefficients()[::-1]
        if len(coef) < m.shape[0]:
            coef = np.append(coef, np.zeros(m.shape[0] - len(coef), dtype=int))
        poly_list.append(coef)
    
    poly_m.append(FP(poly_list))

Lp = poly_m[0]
Rp = poly_m[1]
Op = poly_m[2]

print(f'''L
{Lp}
''')

print(f'''R
{Rp}
''')

print(f'''O
{Op}
''')

L
[[                                                                            0
                                                                              0
                                                                              0
                                                                              0
                                                                              0]
 [                                                                            0
                                                                              0
                                                                              0
                                                                              0
                                                                              0]
 [                                                                            5
   9120101196599698009269335727190531286895151833506680976540918411073253539834
    91201011965996980092693357271905

In [8]:
alpha = FP(2)
beta = FP(3)
tau = FP(20)

Lp_beta = Lp * beta
Rp_alpha = Rp * alpha

print(f'''Lp * β
{Lp_beta}
''')

print(f'''Rp * α
{Rp_alpha}
''')

Lp * β
[[                                                                            0
                                                                              0
                                                                              0
                                                                              0
                                                                              0]
 [                                                                            0
                                                                              0
                                                                              0
                                                                              0
                                                                              0]
 [                                                                           15
   5472060717959818805561601436314318772137091100104008585924551046643952123885
   2736030358979909402780800718

In [9]:
U = galois.Poly((w @ Lp)[::-1])
V = galois.Poly((w @ Rp)[::-1])
W = galois.Poly((w @ Op)[::-1])

U_beta = galois.Poly((w @ Lp_beta)[::-1])
V_alpha = galois.Poly((w @ Rp_alpha)[::-1])

print("U = ", U)
print("V = ", V)
print("W = ", W)
print("βU = ", U_beta)
print("αV = ", V_alpha)

T = galois.Poly(FP([1, p-1]))
for i in range(2, L.shape[0] + 1):
    T *= galois.Poly(FP([1, p-i]))

print("T = ", T)
for i in range(1, L.shape[0] + 2):
    print(f"T({i}) = ", T(i))
    if i == L.shape[0]:
        print("-"*10)

H = (U * V - W) // T
rem = (U * V - W) % T

print("H = ", H)
print("rem = ", rem)

assert rem == 0

U =  11856131555579607412050136445347690672963697383558685269503193934395229601792x^4 + 20064222632519335620392538599819168831169334033714698148390020504361157787655x^3 + 20976232752179305421319472172538221959858849217065366246044112345468483141610x^2 + 12768141675239577212977070018066743801653212566909353367157285775502554955812x + 21888242871839275222246405745257275088548364400416034343698204186575808495601
V =  10944121435919637611123202872628637544274182200208017171849102093287904247809x^4 + 3648040478639879203707734290876212514758060733402672390616367364429301415930x^3 + 10944121435919637611123202872628637544274182200208017171849102093287904247836x^2 + 18240202393199396018538671454381062573790303667013361953081836822146507079635x + 26
W =  12768141675239577212977070018066743801653212566909353367157285775502554955771x^4 + 7296080957279758407415468581752425029516121466805344781232734728858602831936x^3 + 9120101196599698009269335727190531286895151833506680976540918411073253539611x^2 

In [10]:
u = U(tau)
v = V(tau)
w = W(tau)
t = T(tau)
h = H(tau)

print("u(tau) = ", u)
print("v(tau) = ", v)
print("w(tau) = ", w)
print("t(tau) = ", t)
print("h(tau) = ", h)

assert u * v - w == t * h

u(tau) =  21888242871839275222246405745257275088548364400416034343698204186575808449126
v(tau) =  40776
w(tau) =  21888242871839275222246405745257275088548364400416034343698204186575808026321
t(tau) =  1395360
h(tau) =  5472060717959818805561601436314318772137091100104008585924551046643952122546


In [25]:
from py_ecc.optimized_bn128 import multiply, G1, G2, add, pairing, neg, normalize

def evaluate(poly, tau, use_G1 = True, t = FP(1), verbose = False):
    G = G1 if use_G1 else G2

    raw_eval = poly(tau * t)
    if verbose:
        print("P = ", poly)
        if t != 1:
            print(f"P({tau} * {t}) = ", raw_eval)
        else:
            print(f"P({tau}) = ", raw_eval)

    coeficients = poly.coefficients()
    
    polys = []
    degree = poly.degree
    for c in coeficients:
        point = multiply(G, int(tau**degree * t))
        if verbose:
            print(normalize(point))
        polys.append(multiply(point, int(c)))
        degree -= 1

    res = polys[0]
    for i in range(1, len(polys)):
        res = add(res, polys[i])

    if verbose:
        print("-"*10)
    print(normalize(res))
    return res

print(f"""
tau = τ = {tau}""")

print("""
Evaluation of U(τ)""")
A = evaluate(U, tau, use_G1=True)
print("""
Evaluation of V(τ)""")
B = evaluate(V, tau, use_G1=False)
print("""
Evaluation of W(τ)""")
C1 = evaluate(W, tau, use_G1=True)
print("""
Evaluation of H(T(τ)*τ)""")
C2 = evaluate(H, tau, use_G1=True, t=t)

C = add(C1, C2)

print("""
pairing(B, A) == pairing(G2, C) # A * B == C""")
assert pairing(B, A) == pairing(G2, C)




tau = τ = 20

Evaluation of U(τ)
(19092006581455788758709004813424108450475230671546198110182704126760952021248, 18428185916649502171614192229986655674799279684527591370328182794110727996633)

Evaluation of V(τ)
((1110332524507442648511549408896049077062269578877062826069065960274388112308, 15815785354885964222010325771656100864105333417560377595802485750386873282739), (20784382045877636010618629654573620888044404319093695781168988411617616204166, 5234804291052944426941184034424257962428641145809086397589880058685491457835))

Evaluation of W(τ)
(4332211754712447830985995611850650187777429327166207444167442694016708164572, 18653944916512833915877880824670106612615930132754035460520595641342891193291)

Evaluation of H(T(τ)*τ)
(15551478468863407133082273596809708386636205061415073946863016340240446979938, 9243456354285016116901884822866590450090359728120624112265890427370343988287)

pairing(B, A) == pairing(G2, C) # A * B == C


In [12]:
u = U(tau) + alpha
v = V(tau) + beta
w = W(tau)
t = T(tau)
h = H(tau)

c1 = U_beta(tau)
c2 = V_alpha(tau)

print("u(τ) = ", u)
print("v(τ) = ", v)
print("w(τ) = ", w)
print("t(τ) = ", t)
print("h(τ) = ", h)

assert u * v == alpha * beta + (w + c1 + c2) + t * h

u(τ) =  21888242871839275222246405745257275088548364400416034343698204186575808449128
v(τ) =  40779
w(τ) =  21888242871839275222246405745257275088548364400416034343698204186575808026321
t(τ) =  1395360
h(τ) =  5472060717959818805561601436314318772137091100104008585924551046643952122546


In [13]:
from colorama import Fore, Back, Style

alphaG1 = multiply(G1, int(alpha))
betaG2 = multiply(G2, int(beta))

print("\nα * G1")
print("alphaG1 = ", normalize(alphaG1))

print("\nβ * G2")
print("betaG2 = ", normalize(betaG2), "\n")

print("\nEvaluation of \033[91m A \033[00m =  U(τ) + α")
A = evaluate(U, tau, use_G1=True)
A = add(A, alphaG1)
print("A = ", normalize(neg(A)))

print("\nEvaluation of \033[91m B \033[00m = V(τ) + β")
B = evaluate(V, tau, use_G1=False)
B = add(B, betaG2)
print("B = ", normalize(B))

print("--------------------")

print("\nC = U(τ) * β + V(τ) * α + \033[01m\033[91m W(τ) \033[00m + H(T(τ)*τ)")
print("Evaluation of W(τ)")
wC = evaluate(W, tau, use_G1=True)
print("wC = ", normalize(wC))

print("\nC = U(τ) * β + V(τ) * α + W(τ) + \033[01m\033[91m H(T(τ)*τ) \033[00m")
print("Evaluation of H(T(τ)*τ)")
hC = evaluate(H, tau, use_G1=True, t=t)
print("hC = ", normalize(hC))

print("\nC = \033[01m\033[91m U(τ) * β \033[00m + V(τ) * α + W(τ) +  H(T(τ)*τ)")
print("Evaluation of U(τ) * β")
uC = evaluate(U_beta, tau, use_G1=True)
print("uC = ", normalize(uC))

print("\nC = U(τ) * β + \033[01m\033[91m V(τ) * α \033[00m + W(τ) +  H(T(τ)*τ)")
print("Evaluation of V(τ) * α")
vC = evaluate(V_alpha, tau, use_G1=True)
print("vC = ", normalize(vC))

print("\nC = \033[01m\033[91m U(τ) * β + V(τ) * α \033[00m + W(τ) + H(T(τ)*τ)")
print("Evaluation of U(τ) * β + V(τ) * α")
uvC = add(uC, vC)
print("uvC = ", normalize(uvC))

print("\nC = \033[01m\033[91m U(τ) * β + V(τ) * α + W(τ) \033[00m + H(T(τ)*τ)")
print("Evaluation of U(τ) * β + V(τ) * α + W(τ)")
uvwC = add(uvC, wC)
print("uvwC = ", normalize(uvwC))

print("\nC = \033[01m\033[91m U(τ) * β + V(τ) * α + W(τ) + H(T(τ)*τ) \033[00m")
print("Evaluation of U(τ) * β + V(τ) * α + W(τ) + H(T(τ)*τ)")
C = add(uvwC, hC)
print("C = ", normalize(C))


α * G1
alphaG1 =  (1368015179489954701390400359078579693043519447331113978918064868415326638035, 9918110051302171585080402603319702774565515993150576347155970296011118125764)

β * G2
betaG2 =  ((2725019753478801796453339367788033689375851816420509565303521482350756874229, 7273165102799931111715871471550377909735733521218303035754523677688038059653), (2512659008974376214222774206987427162027254181373325676825515531566330959255, 957874124722006818841961785324909313781880061366718538693995380805373202866)) 


Evaluation of [91m A [00m =  U(τ) + α
P(20) =  21888242871839275222246405745257275088548364400416034343698204186575808449126
A =  (1386024683863798223806715768494499062004541323940181712423964207525793364711, 21888102028181201026520927748650667146060315771644791066010745818423154284449)

Evaluation of [91m B [00m = V(τ) + β
P(20) =  40776
B =  ((2268131489099612700799057509317325492629365410973939712610009952960246451283, 546020289861882444985100463520891516184525258789384254119

In [14]:
from string import Template

with open("Verifier.sol.template", "r") as f:
    template = Template(f.read())
    variables = {
        "aG1_x": normalize(neg(A))[0],
        "aG1_y": normalize(neg(A))[1],
        "bG2_x1": normalize(B)[0].coeffs[0],
        "bG2_x2": normalize(B)[0].coeffs[1],
        "bG2_y1": normalize(B)[1].coeffs[0],
        "bG2_y2": normalize(B)[1].coeffs[1],
        "cG1_x": normalize(C)[0],
        "cG1_y": normalize(C)[1],
        "alphaG1_x": normalize(alphaG1)[0],
        "alphaG1_y": normalize(alphaG1)[1],
        "betaG2_x1": normalize(betaG2)[0].coeffs[0],
        "betaG2_x2": normalize(betaG2)[0].coeffs[1],
        "betaG2_y1": normalize(betaG2)[1].coeffs[0],
        "betaG2_y2": normalize(betaG2)[1].coeffs[1],
    }
    output = template.substitute(variables)

with open("Verifier.sol", "w") as f:
    f.write(output)

In [15]:
def split_poly(poly):
    coef = [int(c) for c in poly.coefficients()]
    p1 = coef[:2] + [0] * (len(coef) - 2)
    p2 = [0] * 2 + coef[2:]

    return galois.Poly(FP(p1)), galois.Poly(FP(p2))

U1, U2 = split_poly(U_beta)
V1, V2 = split_poly(V_alpha)
W1, W2 = split_poly(W)

print("U1 = ", U1)
print("U2 = ", U2)
print("V1 = ", V1)
print("V2 = ", V2)
print("W1 = ", W1)
print("W2 = ", W2)

print("""
Evaluation of W1(τ)""")
wC1 = evaluate(W1, tau, use_G1=True)
print("wC = ", normalize(wC1))

print("""
Evaluation of W2(τ)""")
wC2 = evaluate(W2, tau, use_G1=True)
print("wC = ", normalize(wC2))

print("""
Evaluation of U1(τ) * β""")
uC1 = evaluate(U1, tau, use_G1=True)
print("uC1 = ", normalize(uC1))

print("""
Evaluation of U2(τ) * β""")
uC2 = evaluate(U2, tau, use_G1=True)
print("uC2 = ", normalize(uC2))

print("""
Evaluation of V1(τ) * α""")
vC1 = evaluate(V1, tau, use_G1=True)
print("vC1 = ", normalize(vC1))

print("""
Evaluation of V2(τ) * α""")
vC2 = evaluate(V2, tau, use_G1=True)
print("vC2 = ", normalize(vC2))

print("""
Evaluation of U2(τ) * β + V2(τ) * α""")
uvC2 = add(uC2, vC2)
print("uvC2 = ", normalize(uvC2))

print("""
Evaluation of U2(τ) * β + V2(τ) * α + W2(τ)""")
uvwC2 = add(uvC2, wC2)
print("uvwC2 = ", normalize(uvwC2))

print("""
Evaluation of U2(τ) * β + V2(τ) * α + W2(τ) + H(T(τ)*τ)""")
C = add(uvwC2, hC)
print("C = ", normalize(C))

print("""
Evaluation of U1(τ) * β""")
uC1 = evaluate(U1, tau, use_G1=True)
print("uC1 = ", normalize(uC1))

print("""
Evaluation of V1(τ) * α""")
vC1 = evaluate(V1, tau, use_G1=True)
print("vC1 = ", normalize(vC1))

print("""
Evaluation of U1(τ) * β + V1(τ) * α""")
uvC1 = add(uC1, vC1)
print("uvC1 = ", normalize(uvC1))

print("""
Evaluation of U1(τ) * β + V1(τ) * α + W1(τ)""")
C_verifier = add(uvC1, wC1)
print("C_verifier = ", normalize(C_verifier))

U1 =  13680151794899547013904003590785796930342727750260021464811377616609880309759x^4 + 16416182153879456416684804308942956316411273300312025757773653139931856371731x^3
U2 =  19152212512859365819465605027100115702479818850364030050735928663253832433596x^2 + 16416182153879456416684804308942956316411273300312025757773653139931856371819x + 21888242871839275222246405745257275088548364400416034343698204186575808495569
V1 =  x^4 + 7296080957279758407415468581752425029516121466805344781232734728858602831860x^3
V2 =  55x^2 + 14592161914559516814830937163504850059032242933610689562465469457717205663653x + 52
W1 =  12768141675239577212977070018066743801653212566909353367157285775502554955771x^4 + 7296080957279758407415468581752425029516121466805344781232734728858602831936x^3
W2 =  9120101196599698009269335727190531286895151833506680976540918411073253539611x^2 + 14592161914559516814830937163504850059032242933610689562465469457717205664076x + 218882428718392752222464057452572750885483644004160343

In [16]:
from string import Template

with open("VerifierPublicInput.sol.template", "r") as f:
    template = Template(f.read())
    variables = {
        "aG1_x": normalize(neg(A))[0],
        "aG1_y": normalize(neg(A))[1],
        "bG2_x1": normalize(B)[0].coeffs[0],
        "bG2_x2": normalize(B)[0].coeffs[1],
        "bG2_y1": normalize(B)[1].coeffs[0],
        "bG2_y2": normalize(B)[1].coeffs[1],
        "cG1_x": normalize(C)[0],
        "cG1_y": normalize(C)[1],
        "alphaG1_x": normalize(alphaG1)[0],
        "alphaG1_y": normalize(alphaG1)[1],
        "betaG2_x1": normalize(betaG2)[0].coeffs[0],
        "betaG2_x2": normalize(betaG2)[0].coeffs[1],
        "betaG2_y1": normalize(betaG2)[1].coeffs[0],
        "betaG2_y2": normalize(betaG2)[1].coeffs[1],
        "cG1_verifier_x": normalize(C_verifier)[0],
        "cG1_verifier_y": normalize(C_verifier)[1],
    }
    output = template.substitute(variables)

with open("VerifierPublicInput.sol", "w") as f:
    f.write(output)