dusk-plonk 0.23.0

A pure-Rust implementation of the PLONK ZK-Proof algorithm
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159

// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
//
// Copyright (c) DUSK NETWORK. All rights reserved.

use dusk_curves::bls12_381::BlsScalar;

use super::Commitment;

/// Proof that a polynomial `p` was correctly evaluated at a point `z`
/// producing the evaluated point p(z).
#[derive(Copy, Clone, Debug)]
#[allow(dead_code)]
pub(crate) struct Proof {
    /// This is a commitment to the witness polynomial.
    pub(crate) commitment_to_witness: Commitment,
    /// This is the result of evaluating a polynomial at the point `z`.
    pub(crate) evaluated_point: BlsScalar,
    /// This is the commitment to the polynomial that you want to prove a
    /// statement about.
    pub(crate) commitment_to_polynomial: Commitment,
}

#[cfg(feature = "alloc")]
pub(crate) mod alloc {
    use super::*;
    use crate::util::powers_of;
    #[rustfmt::skip]
    use ::alloc::vec::Vec;
    use dusk_curves::bls12_381::G1Projective;
    #[cfg(feature = "std")]
    use rayon::prelude::*;

    /// Proof that multiple polynomials were correctly evaluated at a point `z`,
    /// each producing their respective evaluated points p_i(z).
    #[derive(Debug)]
    #[allow(dead_code)]
    pub(crate) struct AggregateProof {
        /// This is a commitment to the aggregated witness polynomial.
        pub(crate) commitment_to_witness: Commitment,
        /// These are the results of the evaluating each polynomial at the
        /// point `z`.
        pub(crate) evaluated_points: Vec<BlsScalar>,
        /// These are the commitments to the polynomials which you want to
        /// prove a statement about.
        pub(crate) commitments_to_polynomials: Vec<Commitment>,
    }

    #[allow(dead_code)]
    impl AggregateProof {
        /// Initializes an `AggregatedProof` with the commitment to the witness.
        pub(crate) fn with_witness(witness: Commitment) -> AggregateProof {
            AggregateProof {
                commitment_to_witness: witness,
                evaluated_points: Vec::new(),
                commitments_to_polynomials: Vec::new(),
            }
        }

        /// Adds an evaluated point with the commitment to the polynomial which
        /// produced it.
        pub(crate) fn add_part(&mut self, part: (BlsScalar, Commitment)) {
            self.evaluated_points.push(part.0);
            self.commitments_to_polynomials.push(part.1);
        }

        /// Flattens an `AggregateProof` into a `Proof`.
        pub(crate) fn flatten(&self, v_challenge: &BlsScalar) -> Proof {
            let powers = powers_of(
                v_challenge,
                self.commitments_to_polynomials.len() - 1,
            );

            #[cfg(not(feature = "std"))]
            let flattened_poly_commitments_iter =
                self.commitments_to_polynomials.iter().zip(powers.iter());
            #[cfg(not(feature = "std"))]
            let flattened_poly_evaluations_iter =
                self.evaluated_points.iter().zip(powers.iter());

            #[cfg(feature = "std")]
            let flattened_poly_commitments_iter = self
                .commitments_to_polynomials
                .par_iter()
                .zip(powers.par_iter());
            #[cfg(feature = "std")]
            let flattened_poly_evaluations_iter =
                self.evaluated_points.par_iter().zip(powers.par_iter());

            // Flattened polynomial commitments using challenge `v`
            let flattened_poly_commitments: G1Projective =
                flattened_poly_commitments_iter
                    .map(|(poly, v_challenge)| poly.0 * v_challenge)
                    .sum();
            // Flattened evaluation points
            let flattened_poly_evaluations: BlsScalar =
                flattened_poly_evaluations_iter
                    .map(|(eval, v_challenge)| eval * v_challenge)
                    .sum();

            Proof {
                commitment_to_witness: self.commitment_to_witness,
                evaluated_point: flattened_poly_evaluations,
                commitment_to_polynomial: Commitment::from(
                    flattened_poly_commitments,
                ),
            }
        }
    }
}

#[cfg(all(test, feature = "alloc"))]
mod tests {
    use dusk_curves::bls12_381::{G1Affine, G1Projective};

    use super::*;

    #[test]
    fn aggregate_proof_flatten_is_linear_combination() {
        // Build an aggregate proof with 3 parts.
        let witness_commitment: Commitment = G1Affine::generator().into();
        let mut agg = alloc::AggregateProof::with_witness(witness_commitment);

        let c0: Commitment =
            (G1Projective::generator() * BlsScalar::from(2u64)).into();
        let c1: Commitment =
            (G1Projective::generator() * BlsScalar::from(3u64)).into();
        let c2: Commitment =
            (G1Projective::generator() * BlsScalar::from(5u64)).into();

        let e0 = BlsScalar::from(11u64);
        let e1 = BlsScalar::from(13u64);
        let e2 = BlsScalar::from(17u64);

        agg.add_part((e0, c0));
        agg.add_part((e1, c1));
        agg.add_part((e2, c2));

        let v = BlsScalar::from(7u64);

        let proof = agg.flatten(&v);

        // commitment_to_witness is left unchanged.
        assert_eq!(proof.commitment_to_witness, witness_commitment);

        let powers = crate::util::powers_of(&v, 2);
        assert_eq!(powers.len(), 3);

        let expected_eval = e0 * powers[0] + e1 * powers[1] + e2 * powers[2];
        assert_eq!(proof.evaluated_point, expected_eval);

        let expected_commitment_proj: G1Projective =
            c0.0 * &powers[0] + c1.0 * &powers[1] + c2.0 * &powers[2];
        let expected_commitment: Commitment = expected_commitment_proj.into();

        assert_eq!(proof.commitment_to_polynomial, expected_commitment);
    }
}