Struct InnerProductProof 

pub struct InnerProductProof { /* private fields */ }

InnerProductProof construct

Implementations

impl InnerProductProof

pub fn create( transcript: &mut Transcript, a: &[Scalar], b: &[Scalar], generators_offset: u64, ) -> InnerProductProof

Creates an inner product proof.

The proof is created with respect to the base G, provided by:

let np = 1ull << ceil(log2(n));
let G = vec![RISTRETTO_BASEPOINT_POINT; np + 1];
crate::compute::get_curve25519_generators(G, generators_offset)

The verifier transcript is passed in as a parameter so that the challenges depend on the entire transcript (including parent protocols).

Note that we don’t have any restriction to the n value, other than it has to be non-zero.

Algorithm description

Initially, we compute G and Q = G[np], where np = 1ull << ceil(log2(n)) and G is zero-indexed.

The protocol consists of k = ceil(lg_2(n)) rounds, indexed by j = k - 1 , ... , 0.

In the j-th round, the prover computes:

a_lo = {a[0], a[1], ..., a[n/2 - 1]}
a_hi = {a[n/2], a[n/2 + 1], ..., a[n - 1]}
b_lo = {b[0], b[1], ..., b[n/2 - 1]}
b_hi = {b[n/2], b[n/2 + 1], ..., b[n - 1]}
G_lo = {G[0], G[1], ..., G[n/2 - 1]}
G_hi = {G[n/2], G[n/2 + 1], ..., G[n-1]}

l_vector[j] = <a_lo, G_hi> + <a_lo, b_hi> * Q
r_vector[j] = <a_hi, G_lo> + <a_hi, b_lo> * Q

Note that if the a or b length is not a power of 2, then a or b is padded with zeros until it has a power of 2. G always has a power of 2 given how it is constructed.

Then the prover sends l_vector[j] and r_vector[j] to the verifier, and the verifier responds with a challenge value u[j] <- Z_p (finite field of order p), which is non-interactively simulated by the input strobe-based transcript.

transcript.append("L", l_vector[j]);
transcript.append("R", r_vector[j]);

u[j] = transcript.challenge_value("x");

Then the prover uses u[j] to compute

a = a_lo * u[j] + (u[j]^(-1)) * a_hi;
b = b_lo * (u[j]^(-1)) + u[j] * b_hi;

Then, the prover and verifier both compute

G = G_lo * (u[j]^(-1)) + u[j] * G_hi

n = n / 2;

and use these vectors (all of length 2^j) for the next round.

After the last (j = 0) round, the prover sends ap_value = a[0] to the verifier.

Arguments:

• transcript (in/out): a single strobe-based transcript
• a (in): array with non-zero length n
• b (in): array with non-zero length n
• generators_offset (in): offset used to fetch the bases

pub fn verify( &self, transcript: &mut Transcript, a_commit: &RistrettoPoint, product: &Scalar, b: &[Scalar], generators_offset: u64, ) -> Result<(), ProofError>

Verifies an inner product proof.

The proof is verified with respect to the base G, provided by:

let np = 1ull << ceil(log2(n));
let G = vec![RISTRETTO_BASEPOINT_POINT; np + 1];
crate::compute::get_curve25519_generators(G, generators_offset)`.

Note that we don’t have any restriction to the n value, other than it has to be non-zero.

Arguments:

• transcript (in/out): a single strobe-based transcript
• a_commit (in): a single Ristretto point, represented by <a, G> (the inner product of the two vectors)
• product (in): a single scalar, represented by <a, b>, the inner product of the two vectors a and b used by InnerProductProof::create(...)
• b (in): array with non-zero length n, the same one used by InnerProductProof::create(...)
• generators_offset (in): offset used to fetch the bases

Trait Implementations

impl Clone for InnerProductProof

fn clone(&self) -> InnerProductProof

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl CommitmentEvaluationProof for InnerProductProof

type Scalar = MontScalar<FrConfig>

The associated scalar that the commitment is for.

type Commitment = RistrettoPoint

The associated commitment type.

type Error = ProofError

The error type for the proof.

type ProverPublicSetup<'a> = ()

The public setup parameters required by the prover. This is simply precomputed data that is required by the prover to create a proof.

type VerifierPublicSetup<'a> = ()

The public setup parameters required by the verifier. This is simply precomputed data that is required by the verifier to verify a proof.

fn new( transcript: &mut impl Transcript, a: &[Self::Scalar], b_point: &[Self::Scalar], generators_offset: u64, _setup: &Self::ProverPublicSetup<'_>, ) -> Self

Create a new proof.

fn verify_batched_proof( &self, transcript: &mut impl Transcript, commit_batch: &[Self::Commitment], batching_factors: &[Self::Scalar], evaluations: &[Self::Scalar], b_point: &[Self::Scalar], generators_offset: u64, table_length: usize, _setup: &Self::VerifierPublicSetup<'_>, ) -> Result<(), Self::Error>

Verify a batch proof. This can be more efficient than verifying individual proofs for some schemes.

fn verify_proof( &self, transcript: &mut impl Transcript, a_commit: &Self::Commitment, product: &Self::Scalar, b_point: &[Self::Scalar], generators_offset: u64, table_length: usize, setup: &Self::VerifierPublicSetup<'_>, ) -> Result<(), Self::Error>

Verify a proof.

impl Debug for InnerProductProof

fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error>

Formats the value using the given formatter.

impl<'de> Deserialize<'de> for InnerProductProof

fn deserialize<__D>( __deserializer: __D, ) -> Result<InnerProductProof, <__D as Deserializer<'de>>::Error>

where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl Serialize for InnerProductProof

fn serialize<__S>( &self, __serializer: __S, ) -> Result<<__S as Serializer>::Ok, <__S as Serializer>::Error>

where __S: Serializer,

Serialize this value into the given Serde serializer.