added multiple miller-loops, probabilistic and batch verification

Makefile

@@ -53,8 +53,8 @@ LIB_SRCS = \
 	src/algebra/curves/alt_bn128/alt_bn128_pp.cpp \
 	src/common/profiling.cpp \
 	src/common/utils.cpp \
-	src/gadgetlib1/constraint_profiling.cpp \
-
+	src/gadgetlib1/constraint_profiling.cpp  
+	
 ifeq ($(CURVE),BN128)
 	LIB_SRCS += \
 	        src/algebra/curves/bn128/bn128_g1.cpp \
@@ -70,7 +70,6 @@ endif
 
 # FIXME: most of these are broken due to removed code.
 DISABLED_EXECUTABLES = \
-	src/algebra/curves/tests/test_bilinearity \
 	src/algebra/curves/tests/test_groups \
 	src/algebra/fields/tests/test_fields \
 	src/common/routing_algorithms/profiling/profile_routing_algorithms \
@@ -94,7 +93,6 @@ DISABLED_EXECUTABLES = \
 	src/zk_proof_systems/ppzksnark/r1cs_gg_ppzksnark/profiling/profile_r1cs_gg_ppzksnark \
 	src/zk_proof_systems/ppzksnark/r1cs_gg_ppzksnark/tests/test_r1cs_gg_ppzksnark \
 	src/zk_proof_systems/ppzksnark/r1cs_ppzksnark/profiling/profile_r1cs_ppzksnark \
-	src/zk_proof_systems/ppzksnark/r1cs_ppzksnark/tests/test_r1cs_ppzksnark \
 	src/zk_proof_systems/ppzksnark/ram_ppzksnark/examples/demo_ram_ppzksnark \
 	src/zk_proof_systems/ppzksnark/ram_ppzksnark/examples/demo_ram_ppzksnark_generator \
 	src/zk_proof_systems/ppzksnark/ram_ppzksnark/examples/demo_ram_ppzksnark_prover \
@@ -109,14 +107,11 @@ DISABLED_EXECUTABLES = \
 	src/zk_proof_systems/zksnark/ram_zksnark/tests/test_ram_zksnark
 
 EXECUTABLES = \
-	src/algebra/fields/tests/test_bigint
+	src/algebra/curves/tests/test_bilinearity \
+	src/zk_proof_systems/ppzksnark/r1cs_ppzksnark/tests/test_r1cs_ppzksnark
+
 
-EXECUTABLES_WITH_GTEST = \
-	src/gadgetlib2/examples/tutorial \
-	src/gadgetlib2/tests/gadgetlib2_test
 
-EXECUTABLES_WITH_SUPERCOP = \
-	src/zk_proof_systems/ppzkadsnark/r1cs_ppzkadsnark/examples/demo_r1cs_ppzkadsnark
 
 DOCS = README.html
 
@@ -208,13 +203,6 @@ $(LIBSNARK_A): $(LIB_OBJS) $(AR_LIBS)
 libsnark.so: $(LIBSNARK_A) $(DEPINST_EXISTS)
 	$(CXX) -o $@   --shared -Wl,--whole-archive $(LIBSNARK_A) $(CXXFLAGS) $(LDFLAGS) -Wl,--no-whole-archive $(LDLIBS)
 
-src/gadgetlib2/tests/gadgetlib2_test: \
-	src/gadgetlib2/tests/adapters_UTEST.cpp \
-	src/gadgetlib2/tests/constraint_UTEST.cpp \
-	src/gadgetlib2/tests/gadget_UTEST.cpp \
-	src/gadgetlib2/tests/integration_UTEST.cpp \
-	src/gadgetlib2/tests/protoboard_UTEST.cpp \
-	src/gadgetlib2/tests/variable_UTEST.cpp
 
 $(EXECUTABLES): %: %.o $(LIBSNARK_A) $(DEPINST_EXISTS)
 	$(CXX) -o $@   $@.o $(LIBSNARK_A) $(CXXFLAGS) $(LDFLAGS) $(LDLIBS)

src/algebra/curves/alt_bn128/alt_bn128_pairing.cpp

@@ -419,18 +419,19 @@ alt_bn128_Fq12 alt_bn128_ate_miller_loop(const alt_bn128_ate_G1_precomp &prec_P,
     return f;
 }
 
-alt_bn128_Fq12 alt_bn128_ate_double_miller_loop(const alt_bn128_ate_G1_precomp &prec_P1,
-                                     const alt_bn128_ate_G2_precomp &prec_Q1,
-                                     const alt_bn128_ate_G1_precomp &prec_P2,
-                                     const alt_bn128_ate_G2_precomp &prec_Q2)
-{
-    enter_block("Call to alt_bn128_ate_double_miller_loop");
 
-    alt_bn128_Fq12 f = alt_bn128_Fq12::one();
+alt_bn128_Fq12 alt_bn128_ate_multiple_miller_loop(
+    const std::initializer_list<std::pair<
+        const alt_bn128_ate_G1_precomp&,
+        const alt_bn128_ate_G2_precomp&
+    > >& v
+)
+{
+    enter_block("Call to alt_bn128_ate_multiple_miller_loop");
+    auto f = alt_bn128_Fq12::one();
 
     bool found_one = false;
     size_t idx = 0;
-
     const bigint<alt_bn128_Fr::num_limbs> &loop_count = alt_bn128_ate_loop_count;
     for (long i = loop_count.max_bits(); i >= 0; --i)
     {
@@ -446,48 +447,65 @@ alt_bn128_Fq12 alt_bn128_ate_double_miller_loop(const alt_bn128_ate_G1_precomp &
            alt_bn128_param_p (skipping leading zeros) in MSB to LSB
            order */
 
-        alt_bn128_ate_ell_coeffs c1 = prec_Q1.coeffs[idx];
-        alt_bn128_ate_ell_coeffs c2 = prec_Q2.coeffs[idx];
-        ++idx;
-
         f = f.squared();
-
-        f = f.mul_by_024(c1.ell_0, prec_P1.PY * c1.ell_VW, prec_P1.PX * c1.ell_VV);
-        f = f.mul_by_024(c2.ell_0, prec_P2.PY * c2.ell_VW, prec_P2.PX * c2.ell_VV);
+        for(auto& p:v){
+            auto c = p.second.coeffs[idx];
+            f = f.mul_by_024(c.ell_0, p.first.PY * c.ell_VW, p.first.PX * c.ell_VV);
+        }
+        ++idx;       
 
         if (bit)
         {
-            alt_bn128_ate_ell_coeffs c1 = prec_Q1.coeffs[idx];
-            alt_bn128_ate_ell_coeffs c2 = prec_Q2.coeffs[idx];
+            for(auto& p:v){
+                auto c = p.second.coeffs[idx];
+                f = f.mul_by_024(c.ell_0, p.first.PY * c.ell_VW, p.first.PX * c.ell_VV);
+            }
             ++idx;
 
-            f = f.mul_by_024(c1.ell_0, prec_P1.PY * c1.ell_VW, prec_P1.PX * c1.ell_VV);
-            f = f.mul_by_024(c2.ell_0, prec_P2.PY * c2.ell_VW, prec_P2.PX * c2.ell_VV);
         }
     }
 
     if (alt_bn128_ate_is_loop_count_neg)
     {
-    	f = f.inverse();
+        f = f.inverse();
     }
 
-    alt_bn128_ate_ell_coeffs c1 = prec_Q1.coeffs[idx];
-    alt_bn128_ate_ell_coeffs c2 = prec_Q2.coeffs[idx];
-    ++idx;
-    f = f.mul_by_024(c1.ell_0, prec_P1.PY * c1.ell_VW, prec_P1.PX * c1.ell_VV);
-    f = f.mul_by_024(c2.ell_0, prec_P2.PY * c2.ell_VW, prec_P2.PX * c2.ell_VV);
+    for(auto& p:v){
+        auto c = p.second.coeffs[idx];
+        f = f.mul_by_024(c.ell_0, p.first.PY * c.ell_VW, p.first.PX * c.ell_VV);
+    }
+    ++idx;       
 
-    c1 = prec_Q1.coeffs[idx];
-    c2 = prec_Q2.coeffs[idx];
-    ++idx;
-    f = f.mul_by_024(c1.ell_0, prec_P1.PY * c1.ell_VW, prec_P1.PX * c1.ell_VV);
-    f = f.mul_by_024(c2.ell_0, prec_P2.PY * c2.ell_VW, prec_P2.PX * c2.ell_VV);
+    for(auto& p:v){
+        auto c = p.second.coeffs[idx];
+        f = f.mul_by_024(c.ell_0, p.first.PY * c.ell_VW, p.first.PX * c.ell_VV);
+    }
+    ++idx;       
 
+    leave_block("Call to alt_bn128_ate_multiple_miller_loop"); 
+    return f;
+}
+
+
+
+
+alt_bn128_Fq12 alt_bn128_ate_double_miller_loop(const alt_bn128_ate_G1_precomp &prec_P1,
+                                     const alt_bn128_ate_G2_precomp &prec_Q1,
+                                     const alt_bn128_ate_G1_precomp &prec_P2,
+                                     const alt_bn128_ate_G2_precomp &prec_Q2)
+{
+    enter_block("Call to alt_bn128_ate_double_miller_loop");
+
+    auto f = alt_bn128_ate_multiple_miller_loop({
+        std::make_pair(prec_P1,prec_Q1),
+        std::make_pair(prec_P2,prec_Q2)
+    });
     leave_block("Call to alt_bn128_ate_double_miller_loop");
 
     return f;
 }
 
+
 alt_bn128_Fq12 alt_bn128_ate_pairing(const alt_bn128_G1& P, const alt_bn128_G2 &Q)
 {
     enter_block("Call to alt_bn128_ate_pairing");

src/algebra/curves/alt_bn128/alt_bn128_pairing.hpp

@@ -57,6 +57,16 @@ alt_bn128_Fq12 alt_bn128_ate_double_miller_loop(const alt_bn128_ate_G1_precomp &
                                      const alt_bn128_ate_G1_precomp &prec_P2,
                                      const alt_bn128_ate_G2_precomp &prec_Q2);
 
+
+//compute the product of Miller Loops of all pairs
+alt_bn128_Fq12 alt_bn128_ate_multiple_miller_loop(
+    const std::initializer_list<std::pair<
+        const alt_bn128_ate_G1_precomp&,
+        const alt_bn128_ate_G2_precomp&
+    > >& v
+);
+
+
 alt_bn128_Fq12 alt_bn128_ate_pairing(const alt_bn128_G1& P,
                           const alt_bn128_G2 &Q);
 alt_bn128_GT alt_bn128_ate_reduced_pairing(const alt_bn128_G1 &P,

src/algebra/curves/alt_bn128/alt_bn128_pp.cpp

@@ -43,6 +43,16 @@ alt_bn128_Fq12 alt_bn128_pp::double_miller_loop(const alt_bn128_G1_precomp &prec
     return alt_bn128_double_miller_loop(prec_P1, prec_Q1, prec_P2, prec_Q2);
 }
 
+alt_bn128_Fq12 alt_bn128_pp::multiple_miller_loop(
+    const std::initializer_list<std::pair<
+        const alt_bn128_ate_G1_precomp&,
+        const alt_bn128_ate_G2_precomp&
+    > >& v
+)
+{
+   return alt_bn128_ate_multiple_miller_loop(v); 
+}
+
 alt_bn128_Fq12 alt_bn128_pp::pairing(const alt_bn128_G1 &P,
                                      const alt_bn128_G2 &Q)
 {

src/algebra/curves/alt_bn128/alt_bn128_pp.hpp

@@ -39,6 +39,12 @@ class alt_bn128_pp {
                                              const alt_bn128_G2_precomp &prec_Q1,
                                              const alt_bn128_G1_precomp &prec_P2,
                                              const alt_bn128_G2_precomp &prec_Q2);
+    static alt_bn128_Fq12 multiple_miller_loop(
+        const std::initializer_list<std::pair<
+            const alt_bn128_ate_G1_precomp&,
+            const alt_bn128_ate_G2_precomp&
+        > >& v
+    );   
     static alt_bn128_Fq12 pairing(const alt_bn128_G1 &P,
                                   const alt_bn128_G2 &Q);
     static alt_bn128_Fq12 reduced_pairing(const alt_bn128_G1 &P,

src/algebra/curves/tests/test_bilinearity.cpp

@@ -5,13 +5,13 @@
  * @copyright  MIT license (see LICENSE file)
  *****************************************************************************/
 #include "common/profiling.hpp"
-#include "algebra/curves/edwards/edwards_pp.hpp"
+//#include "algebra/curves/edwards/edwards_pp.hpp"
 #ifdef CURVE_BN128
-#include "algebra/curves/bn128/bn128_pp.hpp"
+//#include "algebra/curves/bn128/bn128_pp.hpp"
 #endif
 #include "algebra/curves/alt_bn128/alt_bn128_pp.hpp"
-#include "algebra/curves/mnt/mnt4/mnt4_pp.hpp"
-#include "algebra/curves/mnt/mnt6/mnt6_pp.hpp"
+//#include "algebra/curves/mnt/mnt4/mnt4_pp.hpp"
+//include "algebra/curves/mnt/mnt6/mnt6_pp.hpp"
 
 using namespace libsnark;
 
@@ -72,6 +72,56 @@ void double_miller_loop_test()
     const Fqk<ppT> ans_12 = ppT::double_miller_loop(prec_P1, prec_Q1, prec_P2, prec_Q2);
     assert(ans_1 * ans_2 == ans_12);
 }
+//checking multiple_miller_loop really computes the product of corresponding miller loops
+template<typename ppT>
+void multiple_miller_loop_test()
+{
+    const G1<ppT> P1 = (Fr<ppT>::random_element()) * G1<ppT>::one();
+    const G1<ppT> P2 = (Fr<ppT>::random_element()) * G1<ppT>::one();
+    const G1<ppT> P3 = (Fr<ppT>::random_element()) * G1<ppT>::one();
+    const G1<ppT> P4 = (Fr<ppT>::random_element()) * G1<ppT>::one();
+    const G1<ppT> P5 = (Fr<ppT>::random_element()) * G1<ppT>::one();
+
+    const G2<ppT> Q1 = (Fr<ppT>::random_element()) * G2<ppT>::one();
+    const G2<ppT> Q2 = (Fr<ppT>::random_element()) * G2<ppT>::one();
+    const G2<ppT> Q3 = (Fr<ppT>::random_element()) * G2<ppT>::one();
+    const G2<ppT> Q4 = (Fr<ppT>::random_element()) * G2<ppT>::one();
+    const G2<ppT> Q5 = (Fr<ppT>::random_element()) * G2<ppT>::one();
+
+
+    const G1_precomp<ppT> prec_P1 = ppT::precompute_G1(P1);
+    const G1_precomp<ppT> prec_P2 = ppT::precompute_G1(P2);
+    const G1_precomp<ppT> prec_P3 = ppT::precompute_G1(P3);
+    const G1_precomp<ppT> prec_P4 = ppT::precompute_G1(P4);
+    const G1_precomp<ppT> prec_P5 = ppT::precompute_G1(P5);
+    const G2_precomp<ppT> prec_Q1 = ppT::precompute_G2(Q1);
+    const G2_precomp<ppT> prec_Q2 = ppT::precompute_G2(Q2);
+    const G2_precomp<ppT> prec_Q3 = ppT::precompute_G2(Q3);
+    const G2_precomp<ppT> prec_Q4 = ppT::precompute_G2(Q4);
+    const G2_precomp<ppT> prec_Q5 = ppT::precompute_G2(Q5);
+    const Fqk<ppT> ans_1 = ppT::miller_loop(prec_P1, prec_Q1);
+    const Fqk<ppT> ans_2 = ppT::miller_loop(prec_P2, prec_Q2);
+    const Fqk<ppT> ans_3 = ppT::miller_loop(prec_P3, prec_Q3);
+    const Fqk<ppT> ans_4 = ppT::miller_loop(prec_P4, prec_Q4);
+    const Fqk<ppT> ans_5 = ppT::miller_loop(prec_P5, prec_Q5);
+    const Fqk<ppT> ans_1234 = ppT::multiple_miller_loop({
+        std::make_pair(prec_P1, prec_Q1),
+        std::make_pair(prec_P2, prec_Q2),
+        std::make_pair(prec_P3, prec_Q3),
+        std::make_pair(prec_P4, prec_Q4),
+       });
+    const Fqk<ppT> ans_12345 = ppT::multiple_miller_loop({
+        std::make_pair(prec_P1, prec_Q1),
+        std::make_pair(prec_P2, prec_Q2),
+        std::make_pair(prec_P3, prec_Q3),
+        std::make_pair(prec_P4, prec_Q4),
+        std::make_pair(prec_P5, prec_Q5)
+    });
+    assert(ans_1 * ans_2 * ans_3 * ans_4 * ans_5 == ans_12345);
+    assert(ans_1 * ans_2 * ans_3 * ans_4  == ans_1234);
+
+    assert(!(ans_1*ans_3*ans_4==ans_12345));
+}
 
 template<typename ppT>
 void affine_pairing_test()
@@ -110,27 +160,15 @@ void affine_pairing_test()
 int main(void)
 {
     start_profiling();
-    edwards_pp::init_public_params();
-    pairing_test<edwards_pp>();
-    double_miller_loop_test<edwards_pp>();
-
-    mnt6_pp::init_public_params();
-    pairing_test<mnt6_pp>();
-    double_miller_loop_test<mnt6_pp>();
-    affine_pairing_test<mnt6_pp>();
-
-    mnt4_pp::init_public_params();
-    pairing_test<mnt4_pp>();
-    double_miller_loop_test<mnt4_pp>();
-    affine_pairing_test<mnt4_pp>();
 
     alt_bn128_pp::init_public_params();
     pairing_test<alt_bn128_pp>();
     double_miller_loop_test<alt_bn128_pp>();
+    multiple_miller_loop_test<alt_bn128_pp>();
 
-#ifdef CURVE_BN128       // BN128 has fancy dependencies so it may be disabled
-    bn128_pp::init_public_params();
-    pairing_test<bn128_pp>();
-    double_miller_loop_test<bn128_pp>();
-#endif
+// #ifdef CURVE_BN128       // BN128 has fancy dependencies so it may be disabled
+//     bn128_pp::init_public_params();
+//     pairing_test<bn128_pp>();
+//     double_miller_loop_test<bn128_pp>();
+// #endif
 }

src/common/default_types/ec_pp.hpp

@@ -22,13 +22,13 @@ typedef alt_bn128_pp default_ec_pp;
 } // libsnark
 #endif
 
-#ifdef CURVE_BN128
-#include "algebra/curves/bn128/bn128_pp.hpp"
-namespace libsnark {
-typedef bn128_pp default_ec_pp;
-} // libsnark
-#endif
-
+// #ifdef CURVE_BN128
+// #include "algebra/curves/bn128/bn128_pp.hpp"
+// namespace libsnark {
+// typedef bn128_pp default_ec_pp;
+// } // libsnark
+// #endif
+ 	
 #ifdef CURVE_EDWARDS
 #include "algebra/curves/edwards/edwards_pp.hpp"
 namespace libsnark {

src/zk_proof_systems/ppzksnark/r1cs_ppzksnark/examples/run_r1cs_ppzksnark.tcc

@@ -83,7 +83,7 @@ bool run_r1cs_ppzksnark(const r1cs_example<Fr<ppT> > &example,
     }
 
     print_header("R1CS ppzkSNARK Prover");
-    r1cs_ppzksnark_proof<ppT> proof = r1cs_ppzksnark_prover<ppT>(keypair.pk, example.primary_input, example.auxiliary_input);
+    r1cs_ppzksnark_proof<ppT> proof = r1cs_ppzksnark_prover<ppT>(keypair.pk, example.primary_input, example.auxiliary_input, example.constraint_system);
     printf("\n"); print_indent(); print_mem("after prover");
 
     if (test_serialization)
@@ -109,6 +109,30 @@ bool run_r1cs_ppzksnark(const r1cs_example<Fr<ppT> > &example,
     return ans;
 }
 
+template<typename ppT>
+void add_proof_in_batch_verifier_test(batch_verification_accumulator<ppT> &acc,
+                                       const r1cs_ppzksnark_proof<ppT> &proof,
+                                       const r1cs_ppzksnark_verification_key<ppT> &vk,
+                                       const r1cs_primary_input<Fr<ppT> > &primary_input)
+{
+    enter_block("Call to add_proof_in_batch_verifier_test");
+
+    //r1cs_ppzksnark_keypair<ppT> keypair = r1cs_ppzksnark_generator<ppT>(example.constraint_system);
+
+
+
+    print_header("R1CS ppzkSNARK Prover");
+    //r1cs_ppzksnark_proof<ppT> proof = r1cs_ppzksnark_prover<ppT>(keypair.pk, example.primary_input, example.auxiliary_input);
+
+    r1cs_ppzksnark_batcher<ppT>(vk, acc, primary_input, proof);
+
+
+    leave_block("Call to add_proof_in_batch_verifier_test");
+
+
+}
+
+
 } // libsnark
 
 #endif // RUN_R1CS_PPZKSNARK_TCC_