Crate snarkvm_wasm

Modules

Data structures used by a polynomial commitment scheme.

This module contains an EvaluationDomain abstraction for performing various kinds of polynomial arithmetic on top of the scalar field.

Errors pertaining to query sets.

A polynomial represented in evaluations form.

An implementation of the Groth-Maller simulation extractable zkSNARK. GM17: https://eprint.iacr.org/2017/540

An implementation of the Groth16 zkSNARK.

The core [KZG10] construction.

Polynomial commitment scheme from [KZG10] that enforces strict degree bounds and (optionally) enables hiding commitments by following the approach outlined in [CHMMVW20, “Marlin”].

This module provides the non-native field gadget for the snarkVM constraint-writing platform. The non-native field gadget can be used as a standard FieldVar, given reasonable non-native gadget parameters.

A random number generator that bypasses some limitations of the Rust borrow checker.

Work with sparse and dense polynomials.

Polynomial commitment scheme based on the construction in [KZG10], modified to obtain batching and to enforce strict degree bounds by following the approach outlined in [MBKM19, “Sonic”] (more precisely, via the variant in [Gabizon19, “AuroraLight”] that avoids negative G1 powers).

Macros

Implements Add, Sub, AddAssign, and SubAssign on Self by deferring to an implementation on &Self

Helper macro to forward all derived implementations to the ToBytes and FromBytes traits

Implements Mul, Div, MulAssign, and DivAssign on Self by deferring to an implementation on &Self

Structs

Represents a variable in the constraint system which is guaranteed to be either zero or one.

Represents a variable in the constraint system whose value can be an arbitrary field element.

A proof of satisfaction of linear combinations.

Conversion of field elements by converting them to boolean sequences. Used by Groth16 and GM17.

Constraint counter for testing purposes.

Stores a polynomial in coefficient form.

Defines a domain over which finite field (I)FFTs can be performed. Works only for fields that have a large multiplicative subgroup of size that is a power-of-2.

Stores a polynomial in evaluation form.

An allocated version of Evaluations.

An element of Fp12, represented by c0 + c1 * v

A commitment along with information about its degree bound (if any).

A labeled point variable, for queries to a polynomial commitment.

A polynomial along with information about its degree bound (if any), and the maximum number of queries that will be made to it. This latter number determines the amount of protection that will be provided to a commitment for this polynomial.

A labeled linear combination of polynomials.

This represents a linear combination of some variables, with coefficients in the field F. The (coeff, var) pairs in a LinearCombination are kept sorted according to the index of the variable in its constraint system.

An allocated version of LinearCombination.

Stores the hashes of a particular path (in order) from leaf to root. Our path is_left_child() if the boolean in path is true.

This is a “namespaced” constraint system which borrows a constraint system (pushing a namespace context) and, when dropped, pops out of the namespace context.

A collection of random data used in the polynomial commitment checking.

Stores a polynomial in coefficient form.

An allocated version of QuerySet.

Stores a sparse polynomial in coefficient form.

Constraint system for testing purposes.

Represents a variable in a constraint system.

Enums

This is a boolean value which may be either a constant or an interpretation of an AllocatedBit.

Either a Variable or a LinearCombination.

Represents either a sparse polynomial or a dense one.

The error type for PolynomialCommitment.

Represent variables corresponding to a field element in F.

Represents the index of either a public variable (input) or a private variable (auxiliary).

A term in a linear combination.

A coefficient of LinearCombination.

This is an error that could occur during circuit synthesis contexts, such as CRS generation, proving or verification.

Constants

G1_GENERATOR_X = 81937999373150964239938255573465948239988671502647976594219695644855304257327692006745978603320413799295628339695

G1_GENERATOR_X = 6238772257594679368032145693622812838779005809760824733138787810501188623461307351759238099287535516224314149266511977132140828635950940021790489507611754366317801811090811367945064510304504157188661901055903167026722666149426237

G1_GENERATOR_Y = 241266749859715473739788878240585681733927191168601896383759122102112907357779751001206799952863815012735208165030

G1_GENERATOR_Y = 2101735126520897423911504562215834951148127555913367997162789335052900271653517958562461315794228241561913734371411178226936527683203879553093934185950470971848972085321797958124416462268292467002957525517188485984766314758624099

G2_GENERATOR_X = 6445332910596979336035888152774071626898886139774101364933948236926875073754470830732273879639675437155036544153105017729592600560631678554299562762294743927912429096636156401171909259073181112518725201388196280039960074422214428

G2_GENERATOR_X_C0 = 233578398248691099356572568220835526895379068987715365179118596935057653620464273615301663571204657964920925606294

G2_GENERATOR_X_C1 = 140913150380207355837477652521042157274541796891053068589147167627541651775299824604154852141315666357241556069118

G2_GENERATOR_Y = 562923658089539719386922163444547387757586534741080263946953401595155211934630598999300396317104182598044793758153214972605680357108252243146746187917218885078195819486220416605630144001533548163105316661692978285266378674355041

G2_GENERATOR_Y_C0 = 63160294768292073209381361943935198908131692476676907196754037919244929611450776219210369229519898517858833747423

G2_GENERATOR_Y_C1 = 149157405641012693445398062341192467754805999074082136895788947234480009303640899064710353187729182149407503257491

Traits

Returns addition of self + other in the constraint system.

If condition is true, return first; else, select second.

If condition == 1, then enforces that self and other are equal; otherwise, it doesn’t enforce anything.

Computations are expressed in terms of rank-1 constraint systems (R1CS). The generate_constraints method is called to generate constraints for both CRS generation and for proving.

Represents a constraint system which can have new variables allocated and constraints formed between them.

Returns division of self / other in the constraint system.

Types that can be FFT-ed must implement this trait.

The interface for fields that are able to be used in FFTs.

A trait that defines parameters for a field that can be used for FFTs.

The interface for a generic field.

A trait that defines parameters for a prime field.

Specifies how to convert variables of type FpGadget<F> to a variable of type Self

Single bit binary adder with carry bit (https://en.wikipedia.org/wiki/Adder_(electronics)#Full_adder). sum = (a XOR b) XOR carry; carry = (a AND b) OR (carry AND (a XOR b)). Returns (sum, carry).

The interface for a signed or unsigned integer gadget.

Returns multiplication of self * other in the constraint system.

Returns a negated representation of self in the constraint system.

Describes the interface for a gadget for a PolynomialCommitment verifier.

Defines the minimal interface of commitments for any polynomial commitment scheme.

Defines the minimal interface of committer keys for any polynomial commitment scheme.

Defines the minimal interface of prepared commitments for any polynomial commitment scheme.

Defines the minimal interface of prepared verifier keys for any polynomial commitment scheme.

Defines the minimal interface of evaluation proofs for any polynomial commitment scheme.

Defines the minimal interface of commitment randomness for any polynomial commitment scheme.

Defines the minimal interface for public params for any polynomial commitment scheme.

Defines the minimal interface of verifier keys for any polynomial commitment scheme.

Describes the interface for a polynomial commitment scheme that allows a sender to commit to multiple polynomials and later provide a succinct proof of evaluation for the corresponding commitments at a query set Q, while enforcing per-polynomial degree bounds.

The interface for a prime field with Poseidon MDS matrix.

The interface for MDS parameters

Returns exponentiation of self ** other in the constraint system.

Define the minimal interface of prepared allocated structures.

The interface for a prime field.

Returns the bitwise sum of an n-bit number with carry bit

This implements constraints for SNARK verifiers.

Sign extends an array of bits to the desired length. Expects least significant bit first

The interface for a field that supports an efficient square-root operation.

Uses three bits to perform a lookup into a table, where the last bit performs negation

Types that can be converted to a vector of F elements. Useful for specifying how public inputs to a constraint system should be represented inside that constraint system.

Specifies how to convert a variable of type Self to variables of type FpGadget<F>

Uses two bits to perform a lookup into a table

Performs a bitwise XOR operation between self and other in the constraint system.

Functions

Type Definitions

Evaluations is the result of querying a set of labeled polynomials or equations p at a QuerySet Q. It maps each element of Q to the resulting evaluation. That is, if (label, query) is an element of Q, then evaluation.get((label, query)) should equal p[label].evaluate(query).

BLS12-377 scalar field.

BLS12-377 scalar field.

This field is the scalar field (Fr) of BLS12-377.

Labels a LabeledPolynomial or a LabeledCommitment.

QuerySet is the set of queries that are to be made to a set of labeled polynomials/equations p that have previously been committed to. Each element of a QuerySet is a (label, query) pair, where label is the label of a polynomial in p, and query is the field element that p[label] is to be queried at.