w3f_pcs/pcs/kzg/
params.rs

1use ark_ec::pairing::Pairing;
2use ark_ec::AffineRepr;
3use ark_poly::{EvaluationDomain, GeneralEvaluationDomain};
4use ark_serialize::*;
5use ark_std::{vec, vec::Vec};
6
7use crate::pcs::kzg::lagrange::LagrangianCK;
8use crate::pcs::kzg::urs::URS;
9use crate::pcs::{CommitterKey, PcsParams, RawVerifierKey, VerifierKey};
10
11impl<E: Pairing> PcsParams for URS<E> {
12    type CK = KzgCommitterKey<E::G1Affine>;
13    type VK = KzgVerifierKey<E>;
14    type RVK = RawKzgVerifierKey<E>;
15
16    fn ck(&self) -> Self::CK {
17        let monomial = MonomialCK {
18            powers_in_g1: self.powers_in_g1.clone(),
19        };
20        KzgCommitterKey {
21            monomial,
22            lagrangian: None,
23        }
24    }
25
26    fn ck_with_lagrangian(&self, domain_size: usize) -> Self::CK {
27        let domain = GeneralEvaluationDomain::new(domain_size).unwrap();
28        assert_eq!(
29            domain.size(),
30            domain_size,
31            "domains of size {} are not supported",
32            domain_size
33        );
34        assert!(domain_size <= self.powers_in_g1.len());
35        let monomial = MonomialCK {
36            powers_in_g1: self.powers_in_g1[0..domain_size].to_vec(),
37        };
38        let lagrangian = Some(monomial.to_lagrangian(domain));
39        KzgCommitterKey {
40            monomial,
41            lagrangian,
42        }
43    }
44
45    fn vk(&self) -> Self::VK {
46        self.raw_vk().prepare()
47    }
48
49    /// Non-prepared verifier key. Can be used for serialization.
50    fn raw_vk(&self) -> Self::RVK {
51        assert!(self.powers_in_g1.len() > 0, "no G1 generator");
52        assert!(
53            self.powers_in_g2.len() > 1,
54            "{} powers in G2",
55            self.powers_in_g2.len()
56        );
57
58        RawKzgVerifierKey {
59            g1: self.powers_in_g1[0],
60            g2: self.powers_in_g2[0],
61            tau_in_g2: self.powers_in_g2[1],
62        }
63    }
64}
65
66#[derive(Clone, Debug, CanonicalSerialize, CanonicalDeserialize)]
67pub struct KzgCommitterKey<G: AffineRepr> {
68    pub monomial: MonomialCK<G>,
69    pub lagrangian: Option<LagrangianCK<G>>,
70}
71
72/// Used to commit to and to open univariate polynomials of degree up to self.max_degree().
73#[derive(Clone, Debug, CanonicalSerialize, CanonicalDeserialize)]
74pub struct MonomialCK<G: AffineRepr> {
75    // G1, tau.G1, tau^2.G1, ..., tau^n1.G1
76    pub(crate) powers_in_g1: Vec<G>,
77}
78
79impl<G: AffineRepr> CommitterKey for MonomialCK<G> {
80    fn max_degree(&self) -> usize {
81        self.powers_in_g1.len() - 1
82    }
83}
84
85impl<G: AffineRepr> CommitterKey for KzgCommitterKey<G> {
86    fn max_degree(&self) -> usize {
87        self.monomial.max_degree()
88    }
89}
90
91/// Verifier key with G2 elements not "prepared". Exists only to be serializable.
92/// KzgVerifierKey is used for verification.
93#[derive(Clone, Debug, Eq, PartialEq, CanonicalSerialize, CanonicalDeserialize)]
94pub struct RawKzgVerifierKey<E: Pairing> {
95    pub g1: E::G1Affine,
96    // generator of G1
97    pub g2: E::G2Affine,
98    // generator of G2
99    pub tau_in_g2: E::G2Affine, // tau.g2
100}
101
102impl<E: Pairing> RawVerifierKey for RawKzgVerifierKey<E> {
103    type VK = KzgVerifierKey<E>;
104
105    /// Returns the key that is used to verify openings in a single point. It has points in G2 "prepared".
106    /// "Preparation" is a pre-computation that makes pairing computation with these points more efficient.
107    /// At the same time usual arithmetic operations are not implemented for "prepared" points.
108    fn prepare(&self) -> KzgVerifierKey<E> {
109        KzgVerifierKey {
110            g1: self.g1,
111            g2: self.g2.into(),
112            tau_in_g2: self.tau_in_g2.into(),
113        }
114    }
115}
116
117/// "Prepared" verifier key capable of verifying opening in a single point, given the commitment is in G1.
118/// Use RawKzgVerifierKey for serialization.
119#[derive(Clone, Debug)]
120pub struct KzgVerifierKey<E: Pairing> {
121    // generator of G1
122    pub(crate) g1: E::G1Affine,
123    // G1Prepared is just a wrapper around G1Affine // TODO: fixed-base precomputations
124    // generator of G2, prepared
125    pub(crate) g2: E::G2Prepared,
126    // G2Prepared can be used as a pairing RHS only
127    // tau.g2, prepared
128    pub(crate) tau_in_g2: E::G2Prepared, // G2Prepared can be used as a pairing RHS only
129}
130
131impl<E: Pairing> VerifierKey for KzgVerifierKey<E> {}
132
133impl<E: Pairing> From<KzgVerifierKey<E>> for KzgCommitterKey<E::G1Affine> {
134    fn from(vk: KzgVerifierKey<E>) -> Self {
135        let monomial = MonomialCK {
136            powers_in_g1: vec![vk.g1],
137        };
138        Self {
139            monomial,
140            lagrangian: None,
141        }
142    }
143}
w3f_pcs/pcs/kzg/params.rs

w3f_pcs/pcs/kzg/
params.rs
