Module bellperson::groth16::aggregate [−][src]
Structs
| AggregateProof | AggregateProof contains all elements to verify n aggregated Groth16 proofs using inner pairing product arguments. This proof can be created by any party in possession of valid Groth16 proofs. |
| GenericSRS | It contains the maximum number of raw elements of the SRS needed to aggregate and verify
Groth16 proofs. One can derive specialized prover and verifier key for specific size of
aggregations by calling |
| GipaProof | It contains all elements derived in the GIPA loop for both TIPP and MIPP at the same time. |
| Key | Key is a generic commitment key that is instanciated with g and h as basis, and a and b as powers. |
| ProverSRS | ProverSRS is the specialized SRS version for the prover for a specific number of proofs to aggregate. It contains as well the commitment keys for this specific size. Note the size must be a power of two for the moment - if it is not, padding must be applied. |
| TippMippProof | It contains the GIPA recursive elements as well as the KZG openings for v and w |
| VerifierSRS | Contains the necessary elements to verify an aggregated Groth16 proof; it is of fixed size regardless of the number of proofs aggregated. However, a verifier SRS will be determined by the number of proofs being aggregated. |
Constants
| MAX_SRS_SIZE | Maximum size of the generic SRS constructed from Filecoin and Zcash power of taus. |
Functions
| aggregate_proofs | Aggregate |
| pair | Commits to a tuple of G1 vector and G2 vector in the following way: $T = \prod_{i=0}^n e(A_i, v_{1,i})e(B_i,w_{1,i})$ $U = \prod_{i=0}^n e(A_i, v_{2,i})e(B_i,w_{2,i})$ Output is $(T,U)$ |
| setup_fake_srs | |
| single_g1 | Commits to a single vector of G1 elements in the following way: $T = \prod_{i=0}^n e(A_i, v_{1,i})$ $U = \prod_{i=0}^n e(A_i, v_{2,i})$ Output is $(T,U)$ |
| verify_aggregate_proof | Verifies the aggregated proofs thanks to the Groth16 verifying key, the verifier SRS from the aggregation scheme, all the public inputs of the proofs and the aggregated proof. WARNING: transcript_include represents everything that should be included in the transcript from outside the boundary of this function. This is especially relevant for ALL public inputs of ALL individual proofs. In the regular case, one should input ALL public inputs from ALL proofs aggregated. However, IF ALL the public inputs are fixed, and public before the aggregation time, then there is no need to hash those. The reason we specify this extra assumption is because hashing the public inputs from the decoded form can take quite some time depending on the number of proofs and public inputs (+100ms in our case). In the case of Filecoin, the only non-fixed part of the public inputs are the challenges derived from a seed. Even though this seed comes from a random beeacon, we are hashing this as a safety precaution. |
| verify_kzg_v | verify_kzg_opening_g2 takes a KZG opening, the final commitment key, SRS and any shift (in TIPP we shift the v commitment by r^-1) and returns a pairing tuple to check if the opening is correct or not. |
| verify_kzg_w | Similar to verify_kzg_opening_g2 but for g1. |
Type Definitions
| KZGOpening | KZGOpening represents the KZG opening of a commitment key (which is a tuple given commitment keys are a tuple). |
| Output | Both commitment outputs a pair of $F_q^k$ element. |
| VKey | Commitment key used by the “single” commitment on G1 values as well as in the “pair” commtitment. It contains ${h^a^i}{i=1}^n$ and ${h^b^i}{i=1}^n$ |
| WKey | Commitment key used by the “pair” commitment. Note the sequence of powers starts at $n$ already. It contains ${g^{a^{n+i}}}{i=1}^n$ and ${g^{b^{n+i}}}{i=1}^n$ |