Module bellperson::groth16::aggregate [−][src]
Structs
AggregateProof | AggregateProof contains all elements to verify n aggregated Groth16 proofs using inner pairing product arguments. This proof can be created by any party in possession of valid Groth16 proofs. |
GenericSRS | It contains the maximum number of raw elements of the SRS needed to aggregate and verify
Groth16 proofs. One can derive specialized prover and verifier key for specific size of
aggregations by calling |
GipaProof | It contains all elements derived in the GIPA loop for both TIPP and MIPP at the same time. |
Key | Key is a generic commitment key that is instanciated with g and h as basis, and a and b as powers. |
ProverSRS | ProverSRS is the specialized SRS version for the prover for a specific number of proofs to aggregate. It contains as well the commitment keys for this specific size. Note the size must be a power of two for the moment - if it is not, padding must be applied. |
TippMippProof | It contains the GIPA recursive elements as well as the KZG openings for v and w |
VerifierSRS | Contains the necessary elements to verify an aggregated Groth16 proof; it is of fixed size regardless of the number of proofs aggregated. However, a verifier SRS will be determined by the number of proofs being aggregated. |
Constants
MAX_SRS_SIZE | Maximum size of the generic SRS constructed from Filecoin and Zcash power of taus. |
Functions
aggregate_proofs | Aggregate |
pair | Commits to a tuple of G1 vector and G2 vector in the following way: $T = \prod_{i=0}^n e(A_i, v_{1,i})e(B_i,w_{1,i})$ $U = \prod_{i=0}^n e(A_i, v_{2,i})e(B_i,w_{2,i})$ Output is $(T,U)$ |
setup_fake_srs | |
single_g1 | Commits to a single vector of G1 elements in the following way: $T = \prod_{i=0}^n e(A_i, v_{1,i})$ $U = \prod_{i=0}^n e(A_i, v_{2,i})$ Output is $(T,U)$ |
verify_aggregate_proof | Verifies the aggregated proofs thanks to the Groth16 verifying key, the verifier SRS from the aggregation scheme, all the public inputs of the proofs and the aggregated proof. |
verify_kzg_v | verify_kzg_opening_g2 takes a KZG opening, the final commitment key, SRS and any shift (in TIPP we shift the v commitment by r^-1) and returns a pairing tuple to check if the opening is correct or not. |
verify_kzg_w | Similar to verify_kzg_opening_g2 but for g1. |
Type Definitions
KZGOpening | KZGOpening represents the KZG opening of a commitment key (which is a tuple given commitment keys are a tuple). |
Output | Both commitment outputs a pair of $F_q^k$ element. |
VKey | Commitment key used by the “single” commitment on G1 values as well as in the “pair” commtitment. It contains ${h^a^i}{i=1}^n$ and ${h^b^i}{i=1}^n$ |
WKey | Commitment key used by the “pair” commitment. Note the sequence of powers starts at $n$ already. It contains ${g^{a^{n+i}}}{i=1}^n$ and ${g^{b^{n+i}}}{i=1}^n$ |