1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
use super::{G1Affine, G2Affine, PublicParameters, GT};
use crate::{base::impl_serde_for_ark_serde_unchecked, utils::log};
use alloc::vec::Vec;
use ark_ec::pairing::{Pairing, PairingOutput};
use ark_serialize::{CanonicalDeserialize, CanonicalSerialize, Compress, Validate};
use itertools::MultiUnzip;
use num_traits::One;
#[cfg(feature = "std")]
use std::{
fs::File,
io::{BufReader, BufWriter, Error, Read, Write},
path::Path,
};
/// The transparent setup information that the prover must know to create a proof.
/// This is public knowledge and must match with the verifier's setup information.
/// See Section 3.3 of <https://eprint.iacr.org/2020/1274.pdf> for details.
///
///
/// Note:
/// We use nu = m and k = m-i or m-j.
/// This indexing is more convenient for coding because lengths of the arrays used are typically 2^k rather than 2^i or 2^j.
pub struct ProverSetup<'a> {
/// `Gamma_1[k]` = Γ_1,(m-k) in the Dory paper.
pub(super) Gamma_1: Vec<&'a [G1Affine]>,
/// `Gamma_2[k]` = Γ_2,(m-k) in the Dory paper.
pub(super) Gamma_2: Vec<&'a [G2Affine]>,
/// `H_1` = `H_1` in the Dory paper. This could be used for blinding, but is currently only used in the Fold-Scalars algorithm.
pub(super) H_1: G1Affine,
/// `H_2` = `H_2` in the Dory paper. This could be used for blinding, but is currently only used in the Fold-Scalars algorithm.
pub(super) H_2: G2Affine,
/// `Gamma_2_fin` = `Gamma_2,fin` in the Dory paper.
pub(super) Gamma_2_fin: G2Affine,
/// `max_nu` is the maximum nu that this setup will work for
pub(super) max_nu: usize,
/// The handle to the `blitzar` `Gamma_1` instances.
#[cfg(feature = "blitzar")]
blitzar_handle:
blitzar::compute::MsmHandle<blitzar::compute::ElementP2<ark_bls12_381::g1::Config>>,
}
impl<'a> ProverSetup<'a> {
/// Create a new `ProverSetup` from the public parameters.
/// # Panics
/// Panics if the length of `Gamma_1` or `Gamma_2` is not equal to `2^max_nu`.
pub(super) fn new(
Gamma_1: &'a [G1Affine],
Gamma_2: &'a [G2Affine],
H_1: G1Affine,
H_2: G2Affine,
Gamma_2_fin: G2Affine,
max_nu: usize,
) -> Self {
assert_eq!(Gamma_1.len(), 1 << max_nu);
assert_eq!(Gamma_2.len(), 1 << max_nu);
#[cfg(feature = "blitzar")]
let blitzar_handle = blitzar::compute::MsmHandle::new(
&Gamma_1.iter().copied().map(Into::into).collect::<Vec<_>>(),
);
let (Gamma_1, Gamma_2): (Vec<_>, Vec<_>) = (0..=max_nu)
.map(|k| (&Gamma_1[..1 << k], &Gamma_2[..1 << k]))
.unzip();
ProverSetup {
Gamma_1,
Gamma_2,
H_1,
H_2,
Gamma_2_fin,
max_nu,
#[cfg(feature = "blitzar")]
blitzar_handle,
}
}
/// Create a new `ProverSetup` from the public parameters and blitzar handle
/// # Panics
/// Panics if the length of `Gamma_1` or `Gamma_2` is not equal to `2^max_nu`.
#[must_use]
#[cfg(feature = "blitzar")]
pub fn from_public_parameters_and_blitzar_handle(
public_parameters: &'a PublicParameters,
blitzar_handle: blitzar::compute::MsmHandle<
blitzar::compute::ElementP2<ark_bls12_381::g1::Config>,
>,
) -> Self {
let Gamma_1: &'a [G1Affine] = &public_parameters.Gamma_1;
let Gamma_2: &'a [G2Affine] = &public_parameters.Gamma_2;
let H_1 = public_parameters.H_1;
let H_2 = public_parameters.H_2;
let Gamma_2_fin = public_parameters.Gamma_2_fin;
let max_nu = public_parameters.max_nu;
assert_eq!(Gamma_1.len(), 1 << max_nu);
assert_eq!(Gamma_2.len(), 1 << max_nu);
let (Gamma_1, Gamma_2): (Vec<_>, Vec<_>) = (0..=max_nu)
.map(|k| (&Gamma_1[..1 << k], &Gamma_2[..1 << k]))
.unzip();
ProverSetup {
Gamma_1,
Gamma_2,
H_1,
H_2,
Gamma_2_fin,
max_nu,
#[cfg(feature = "blitzar")]
blitzar_handle,
}
}
/// Gets the `MSMHandle` for this setup
#[must_use]
#[cfg(feature = "blitzar")]
pub fn blitzar_handle(
self,
) -> blitzar::compute::MsmHandle<blitzar::compute::ElementP2<ark_bls12_381::g1::Config>> {
self.blitzar_handle
}
#[cfg(feature = "blitzar")]
#[tracing::instrument(name = "ProverSetup::blitzar_msm", level = "debug", skip_all)]
pub(super) fn blitzar_msm(
&self,
res: &mut [blitzar::compute::ElementP2<ark_bls12_381::g1::Config>],
element_num_bytes: u32,
scalars: &[u8],
) {
log::log_memory_usage("Start");
self.blitzar_handle.msm(res, element_num_bytes, scalars);
}
#[cfg(feature = "blitzar")]
#[tracing::instrument(name = "ProverSetup::blitzar_packed_msm", level = "debug", skip_all)]
pub(super) fn blitzar_packed_msm(
&self,
res: &mut [blitzar::compute::ElementP2<ark_bls12_381::g1::Config>],
output_bit_table: &[u32],
scalars: &[u8],
) {
log::log_memory_usage("Start");
self.blitzar_handle
.packed_msm(res, output_bit_table, scalars);
}
#[cfg(feature = "blitzar")]
#[tracing::instrument(name = "ProverSetup::blitzar_vlen_msm", level = "debug", skip_all)]
pub(super) fn blitzar_vlen_msm(
&self,
res: &mut [blitzar::compute::ElementP2<ark_bls12_381::g1::Config>],
output_bit_table: &[u32],
output_lengths: &[u32],
scalars: &[u8],
) {
log::log_memory_usage("Start");
self.blitzar_handle
.vlen_msm(res, output_bit_table, output_lengths, scalars);
}
}
impl<'a> From<&'a PublicParameters> for ProverSetup<'a> {
fn from(value: &'a PublicParameters) -> Self {
Self::new(
&value.Gamma_1,
&value.Gamma_2,
value.H_1,
value.H_2,
value.Gamma_2_fin,
value.max_nu,
)
}
}
/// The transparent setup information that the verifier must know to verify a proof.
/// This is public knowledge and must match with the prover's setup information.
/// See Section 3.3 of <https://eprint.iacr.org/2020/1274.pdf> for details.
///
///
/// Note:
/// We use nu = m and k = m-i or m-j.
/// This indexing is more convenient for coding because lengths of the arrays used are typically 2^k rather than 2^i or 2^j.
#[derive(CanonicalSerialize, CanonicalDeserialize, PartialEq, Eq, Debug, Clone)]
pub struct VerifierSetup {
/// `Delta_1L[k]` = Δ_1L,(m-k) in the Dory paper, so `Delta_1L[0]` is unused. Note, this is the same as `Delta_2L`.
pub(super) Delta_1L: Vec<GT>,
/// `Delta_1R[k]` = Δ_1R,(m-k) in the Dory paper, so `Delta_1R[0]` is unused.
pub(super) Delta_1R: Vec<GT>,
/// `Delta_2L[k]` = Δ_2L,(m-k) in the Dory paper, so `Delta_2L[0]` is unused. Note, this is the same as `Delta_1L`.
pub(super) Delta_2L: Vec<GT>,
/// `Delta_2R[k]` = Δ_2R,(m-k) in the Dory paper, so `Delta_2R[0]` is unused.
pub(super) Delta_2R: Vec<GT>,
/// `chi[k]` = χ,(m-k) in the Dory paper.
pub(super) chi: Vec<GT>,
/// `Gamma_1_0` is the `Γ_1` used in Scalar-Product algorithm in the Dory paper.
pub(super) Gamma_1_0: G1Affine,
/// `Gamma_2_0` is the `Γ_2` used in Scalar-Product algorithm in the Dory paper.
pub(super) Gamma_2_0: G2Affine,
/// `H_1` = `H_1` in the Dory paper. This could be used for blinding, but is currently only used in the Fold-Scalars algorithm.
pub(super) H_1: G1Affine,
/// `H_2` = `H_2` in the Dory paper. This could be used for blinding, but is currently only used in the Fold-Scalars algorithm.
pub(super) H_2: G2Affine,
/// `H_T` = `H_T` in the Dory paper.
pub(super) H_T: GT,
/// `Gamma_2_fin` = `Gamma_2,fin` in the Dory paper.
pub(super) Gamma_2_fin: G2Affine,
/// `max_nu` is the maximum nu that this setup will work for
pub(super) max_nu: usize,
}
impl_serde_for_ark_serde_unchecked!(VerifierSetup);
impl VerifierSetup {
/// Create a new `VerifierSetup` from the public parameters.
/// # Panics
/// Panics if the length of `Gamma_1_nu` is not equal to `2^max_nu`.
/// Panics if the length of `Gamma_2_nu` is not equal to `2^max_nu`.
pub(super) fn new(
Gamma_1_nu: &[G1Affine],
Gamma_2_nu: &[G2Affine],
H_1: G1Affine,
H_2: G2Affine,
Gamma_2_fin: G2Affine,
max_nu: usize,
) -> Self {
assert_eq!(Gamma_1_nu.len(), 1 << max_nu);
assert_eq!(Gamma_2_nu.len(), 1 << max_nu);
let (Delta_1L_2L, Delta_1R, Delta_2R, chi): (Vec<_>, Vec<_>, Vec<_>, Vec<_>) = (0..=max_nu)
.map(|k| {
if k == 0 {
(
PairingOutput(One::one()),
PairingOutput(One::one()),
PairingOutput(One::one()),
Pairing::pairing(Gamma_1_nu[0], Gamma_2_nu[0]),
)
} else {
(
Pairing::multi_pairing(
&Gamma_1_nu[..1 << (k - 1)],
&Gamma_2_nu[..1 << (k - 1)],
),
Pairing::multi_pairing(
&Gamma_1_nu[1 << (k - 1)..1 << k],
&Gamma_2_nu[..1 << (k - 1)],
),
Pairing::multi_pairing(
&Gamma_1_nu[..1 << (k - 1)],
&Gamma_2_nu[1 << (k - 1)..1 << k],
),
Pairing::multi_pairing(&Gamma_1_nu[..1 << k], &Gamma_2_nu[..1 << k]),
)
}
})
.multiunzip();
Self {
Delta_1L: Delta_1L_2L.clone(),
Delta_1R,
Delta_2L: Delta_1L_2L,
Delta_2R,
chi,
Gamma_1_0: Gamma_1_nu[0],
Gamma_2_0: Gamma_2_nu[0],
H_1,
H_2,
H_T: Pairing::pairing(H_1, H_2),
Gamma_2_fin,
max_nu,
}
}
#[cfg(feature = "std")]
/// Function to save `VerifierSetup` to a file in binary form
pub fn save_to_file(&self, path: &Path) -> std::io::Result<()> {
// Create or open the file at the specified path
let file = File::create(path)?;
let mut writer = BufWriter::new(file);
// Serialize the PublicParameters struct into the file
let mut serialized_data = Vec::new();
self.serialize_with_mode(&mut serialized_data, Compress::No)
.map_err(|e| Error::other(format!("{e}")))?;
// Write serialized bytes to the file
writer.write_all(&serialized_data)?;
writer.flush()?;
Ok(())
}
#[cfg(feature = "std")]
/// Function to load `VerifierSetup` from a file in binary form
pub fn load_from_file(path: &Path) -> std::io::Result<Self> {
// Open the file at the specified path
let file = File::open(path)?;
let mut reader = BufReader::new(file);
// Read the serialized data from the file
let mut serialized_data = Vec::new();
reader.read_to_end(&mut serialized_data)?;
// Deserialize the data into a PublicParameters instance
Self::deserialize_with_mode(&mut &serialized_data[..], Compress::No, Validate::No)
.map_err(|e| Error::other(format!("{e}")))
}
}
impl From<&PublicParameters> for VerifierSetup {
fn from(value: &PublicParameters) -> Self {
Self::new(
&value.Gamma_1,
&value.Gamma_2,
value.H_1,
value.H_2,
value.Gamma_2_fin,
value.max_nu,
)
}
}