Skip to main content

create_evaluation_proof

dory_pcs::evaluation_proof

Function create_evaluation_proof 

Source 
pub fn create_evaluation_proof<F, E, M1, M2, T, P, Mo>(
    polynomial: &P,
    point: &[F],
    row_commitments: Option<Vec<E::G1>>,
    commit_blind: F,
    nu: usize,
    sigma: usize,
    setup: &ProverSetup<E>,
    transcript: &mut T,
) -> Result<(DoryProof<E::G1, E::G2, E::GT>, Option<F>), DoryError>
where
    F: Field,
    E: PairingCurve,
    E::G1: Group<Scalar = F>,
    E::G2: Group<Scalar = F>,
    E::GT: Group<Scalar = F>,
    M1: DoryRoutines<E::G1>,
    M2: DoryRoutines<E::G2>,
    T: Transcript<Curve = E>,
    P: MultilinearLagrange<F>,
    Mo: Mode,
Expand description

Create evaluation proof for a polynomial at a point

Implements Eval-VMV-RE protocol from Dory Section 5. The protocol proves that polynomial(point) = evaluation via the VMV relation: evaluation = L^T × M × R

§Algorithm

  1. Compute or use provided row commitments (Tier 1 commitment)
  2. Split evaluation point into left and right vectors
  3. Compute v_vec (column evaluations)
  4. Create VMV message (C, D2, E1)
  5. Initialize prover state for inner product / reduce-and-fold protocol
  6. Run max(nu, sigma) rounds of reduce-and-fold (with automatic padding for non-square):
    • First reduce: compute message and apply beta challenge (reduce)
    • Second reduce: compute message and apply alpha challenge (fold)
  7. Compute final scalar product message

§Parameters

  • polynomial: Polynomial to prove evaluation for
  • point: Evaluation point (length nu + sigma)
  • row_commitments: Optional precomputed row commitments from polynomial.commit()
  • commit_blind: GT-level blinding scalar from commit(). Ignored when row_commitments is None (the blind is computed internally in that case).
  • nu: Log₂ of number of rows (constraint: nu ≤ sigma)
  • sigma: Log₂ of number of columns
  • setup: Prover setup
  • transcript: Fiat-Shamir transcript for challenge generation

§Returns

Complete Dory proof containing VMV message, reduce messages, and final message

§Errors

Returns error if dimensions are invalid (nu > sigma) or protocol fails

§Matrix Layout

Supports both square (nu = sigma) and non-square (nu < sigma) matrices. For non-square matrices, vectors are automatically padded to length 2^sigma.