dory-pcs 0.3.0

A high performance and modular implementation of the Dory polynomial commitment scheme.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103

//! Protocol messages exchanged between prover and verifier
//!
//! These messages correspond to the Extended Dory Reduce protocol from Section 3.2
//! and the VMV transformation for polynomial commitments.

/// First prover message in the Dory-Reduce protocol (Section 3.2)
///
/// Contains D₁L, D₁R, D₂L, D₂R, E₁β, E₂β
#[derive(Clone, Debug, PartialEq)]
pub struct FirstReduceMessage<G1, G2, GT> {
    /// D₁L - left pairing for first set
    pub d1_left: GT,
    /// D₁R - right pairing for first set
    pub d1_right: GT,
    /// D₂L - left pairing for second set
    pub d2_left: GT,
    /// D₂R - right pairing for second set
    pub d2_right: GT,
    /// E₁β - extension element in G1 (Section 4.2)
    pub e1_beta: G1,
    /// E₂β - extension element in G2 (Section 4.2)
    pub e2_beta: G2,
}

/// Second prover message in the Dory-Reduce protocol (Section 3.2)
///
/// Contains C₊, C₋, E₁₊, E₁₋, E₂₊, E₂₋
#[derive(Clone, Debug, PartialEq)]
pub struct SecondReduceMessage<G1, G2, GT> {
    /// C₊ - plus combination
    pub c_plus: GT,
    /// C₋ - minus combination
    pub c_minus: GT,
    /// E₁₊ - extension element plus in G1
    pub e1_plus: G1,
    /// E₁₋ - extension element minus in G1
    pub e1_minus: G1,
    /// E₂₊ - extension element plus in G2
    pub e2_plus: G2,
    /// E₂₋ - extension element minus in G2
    pub e2_minus: G2,
}

/// Vector-Matrix-Vector message for polynomial commitment transformation
///
/// Contains C, D₂, E₁. Note: E₂ can be computed by verifier as y·Γ₂,fin
#[derive(Clone, Debug, PartialEq)]
pub struct VMVMessage<G1, GT> {
    /// C = e(MSM(T_vec', v_vec), Γ₂,fin)
    pub c: GT,
    /// D₂ = e(MSM(Γ₁\[nu\], v_vec), Γ₂,fin)
    pub d2: GT,
    /// E₁ = MSM(T_vec', L_vec)
    pub e1: G1,
}

/// Final scalar product message (Section 3.1)
///
/// Contains E₁, E₂ for the final pairing verification
#[derive(Clone, Debug, PartialEq)]
pub struct ScalarProductMessage<G1, G2> {
    /// E₁ - final G1 element
    pub e1: G1,
    /// E₂ - final G2 element
    pub e2: G2,
}

/// Σ-protocol 1: proves E2 and y_com commit to the same y.
#[cfg(feature = "zk")]
#[derive(Clone, Debug, PartialEq)]
#[allow(missing_docs)]
pub struct Sigma1Proof<G1, G2, F> {
    pub a1: G2,
    pub a2: G1,
    pub z1: F,
    pub z2: F,
    pub z3: F,
}

/// Σ-protocol 2: proves e(E1, Γ2,fin) - D2 = e(H1, t1·Γ2,fin + t2·H2).
#[cfg(feature = "zk")]
#[derive(Clone, Debug, PartialEq)]
#[allow(missing_docs)]
pub struct Sigma2Proof<F, GT> {
    pub a: GT,
    pub z1: F,
    pub z2: F,
}

/// ZK scalar product proof: proves (C, D1, D2) are consistent with blinded v1, v2.
#[derive(Clone, Debug, PartialEq)]
#[allow(missing_docs)]
pub struct ScalarProductProof<G1, G2, F, GT> {
    pub p1: GT,
    pub p2: GT,
    pub q: GT,
    pub r: GT,
    pub e1: G1,
    pub e2: G2,
    pub r1: F,
    pub r2: F,
    pub r3: F,
}