
dory_pcs/
proof.rs

//! Dory proof structure
//!
//! A Dory proof consists of:
//! - VMV (vector-matrix-vector) message (PCS transform)
//! - Multiple rounds of reduce messages (log n rounds)
//! - Final scalar product message
7
8use crate::messages::*;
9use crate::primitives::arithmetic::Group;
10
/// A complete Dory evaluation proof
///
/// The proof demonstrates that a committed polynomial evaluates to a specific value
/// at a given point. It consists of messages from the interactive protocol made
/// non-interactive via Fiat-Shamir.
///
/// The proof includes the matrix dimensions (nu, sigma) used during proof generation,
/// which the verifier uses to ensure consistency with the evaluation point.
///
/// Every field is public and is carried inside the proof itself, so a verifier
/// receives all of them from the party that produced the proof.
// NOTE(review): treat the whole struct as untrusted input on the verifier side.
// `nu`, `sigma` and the lengths of `first_messages` / `second_messages` are chosen
// by whoever built or deserialized the proof. The verifier is not visible from this
// file — confirm that it rejects a proof whose dimensions disagree with the
// evaluation point, or whose message vectors do not have the expected number of
// rounds, before those values drive loops, indexing or allocation.
// NOTE(review): confirm that `nu` and `sigma` are bound into the Fiat-Shamir
// transcript (or otherwise fixed by the verifier's own inputs), so that they
// cannot be varied independently of the challenges.
#[derive(Clone, Debug, PartialEq)]
// NOTE(review): every field below carries a doc comment, so this allow looks
// redundant from here — confirm before removing.
#[allow(missing_docs)]
pub struct DoryProof<G1: Group, G2, GT> {
    /// Vector-Matrix-Vector message for PCS transformation
    pub vmv_message: VMVMessage<G1, GT>,

    /// First reduce messages for each round (nu rounds total)
    // The type does not enforce the length; it is a plain `Vec`. Presumably the
    // verifier checks it against the round count — TODO confirm.
    pub first_messages: Vec<FirstReduceMessage<G1, G2, GT>>,

    /// Second reduce messages for each round (nu rounds total)
    // Same caveat as `first_messages`: nothing here ties this length to
    // `first_messages.len()` or to `nu`; verify against the verifier code.
    pub second_messages: Vec<SecondReduceMessage<G1, G2, GT>>,

    /// Final scalar product message
    pub final_message: ScalarProductMessage<G1, G2>,

    /// Log₂ of number of rows in the coefficient matrix
    // Stored as a bare `usize` with no range restriction at the type level; a
    // verifier that computes `1 << nu` should bound it first — TODO confirm.
    pub nu: usize,

    /// Log₂ of number of columns in the coefficient matrix
    // Same caveat as `nu`: unrestricted `usize` supplied with the proof.
    pub sigma: usize,

    // The five fields below exist only when the crate is built with the `zk`
    // feature, and each is independently optional.
    // NOTE(review): presumably they are either all `Some` or all `None`; confirm
    // that the verifier rejects a proof where only some of them are present.

    /// Blinded E₂ element for zero-knowledge proofs
    #[cfg(feature = "zk")]
    pub e2: Option<G2>,
    /// Pedersen commitment to the blinding vector y
    #[cfg(feature = "zk")]
    pub y_com: Option<G1>,
    /// Σ₁ proof: E₂ and y_com commit to the same y
    #[cfg(feature = "zk")]
    pub sigma1_proof: Option<Sigma1Proof<G1, G2, G1::Scalar>>,
    /// Σ₂ proof: consistency of E₁ with D₂
    #[cfg(feature = "zk")]
    pub sigma2_proof: Option<Sigma2Proof<G1::Scalar, GT>>,
    /// ZK scalar product proof: (C, D₁, D₂) consistency with blinded vectors
    #[cfg(feature = "zk")]
    pub scalar_product_proof: Option<ScalarProductProof<G1, G2, G1::Scalar, GT>>,
}