Module bellperson::groth16::aggregate [−][src]
Structs
AggregateProof contains all elements to verify n aggregated Groth16 proofs using inner pairing product arguments. This proof can be created by any party in possession of valid Groth16 proofs.
It contains the maximum number of raw elements of the SRS needed to aggregate and verify
Groth16 proofs. One can derive specialized prover and verifier key for specific size of
aggregations by calling srs.specialize(n). The specialized prover key also contains
precomputed tables that drastically increase prover’s performance.
This GenericSRS is usually formed from the transcript of two distinct power of taus ceremony
,in other words from two distinct Groth16 CRS.
See there a way on how to generate this GenesisSRS.
It contains all elements derived in the GIPA loop for both TIPP and MIPP at the same time.
Key is a generic commitment key that is instanciated with g and h as basis, and a and b as powers.
ProverSRS is the specialized SRS version for the prover for a specific number of proofs to aggregate. It contains as well the commitment keys for this specific size. Note the size must be a power of two for the moment - if it is not, padding must be applied.
It contains the GIPA recursive elements as well as the KZG openings for v and w
Contains the necessary elements to verify an aggregated Groth16 proof; it is of fixed size regardless of the number of proofs aggregated. However, a verifier SRS will be determined by the number of proofs being aggregated.
Constants
Maximum size of the generic SRS constructed from Filecoin and Zcash power of taus.
Functions
Aggregate n zkSnark proofs, where n must be a power of two.
WARNING: transcript_include represents everything that should be included in
the transcript from outside the boundary of this function. This is especially
relevant for ALL public inputs of ALL individual proofs. In the regular case,
one should input ALL public inputs from ALL proofs aggregated. However, IF ALL the
public inputs are fixed, and public before the aggregation time, then there is
no need to hash those. The reason we specify this extra assumption is because hashing
the public inputs from the decoded form can take quite some time depending on the
number of proofs and public inputs (+100ms in our case). In the case of Filecoin, the only
non-fixed part of the public inputs are the challenges derived from a seed. Even though this
seed comes from a random beeacon, we are hashing this as a safety precaution.
Commits to a tuple of G1 vector and G2 vector in the following way: $T = \prod_{i=0}^n e(A_i, v_{1,i})e(B_i,w_{1,i})$ $U = \prod_{i=0}^n e(A_i, v_{2,i})e(B_i,w_{2,i})$ Output is $(T,U)$
Commits to a single vector of G1 elements in the following way: $T = \prod_{i=0}^n e(A_i, v_{1,i})$ $U = \prod_{i=0}^n e(A_i, v_{2,i})$ Output is $(T,U)$
Verifies the aggregated proofs thanks to the Groth16 verifying key, the verifier SRS from the aggregation scheme, all the public inputs of the proofs and the aggregated proof.
verify_kzg_opening_g2 takes a KZG opening, the final commitment key, SRS and any shift (in TIPP we shift the v commitment by r^-1) and returns a pairing tuple to check if the opening is correct or not.
Similar to verify_kzg_opening_g2 but for g1.
Type Definitions
KZGOpening represents the KZG opening of a commitment key (which is a tuple given commitment keys are a tuple).
Both commitment outputs a pair of $F_q^k$ element.
Commitment key used by the “single” commitment on G1 values as well as in the “pair” commtitment. It contains ${h^a^i}{i=1}^n$ and ${h^b^i}{i=1}^n$
Commitment key used by the “pair” commitment. Note the sequence of powers starts at $n$ already. It contains ${g^{a^{n+i}}}{i=1}^n$ and ${g^{b^{n+i}}}{i=1}^n$