@@ -51,6 +51,9 @@ namespace nil {
5151 namespace crypto3 {
5252 namespace zk {
5353 namespace commitments {
54+ template <typename CurveType>
55+ struct kzg_commitment ;
56+
5457 template <typename CurveType>
5558 struct kzg_commitment {
5659
@@ -66,8 +69,13 @@ namespace nil {
6669 using proof_type = commitment_type;
6770
6871 struct kzg_params_type {
72+ std::size_t n; // max polynomial degree
6973 scalar_value_type alpha; // secret key
70- std::size_t n; // max polynomial degree
74+ kzg_params_type (std::size_t _n, scalar_value_type _alpha) : n(_n), alpha(_alpha) {}
75+ kzg_params_type (std::size_t _n) {
76+ alpha = scalar_value_type::random_element ();
77+ n = _n;
78+ }
7179 };
7280
7381 struct srs_type {
@@ -93,7 +101,7 @@ namespace nil {
93101
94102 static commitment_type commit (const srs_type &srs,
95103 const polynomial<scalar_value_type> &f) {
96- BOOST_ASSERT (f.size () <= srs.commitment_key .size ());
104+ // assert (f.size() <= srs.commitment_key.size());
97105 return algebra::multiexp<multiexp_method>(srs.commitment_key .begin (),
98106 srs.commitment_key .begin () + f.size (), f.begin (), f.end (), 1 );
99107 }
@@ -105,22 +113,22 @@ namespace nil {
105113 }
106114
107115 static proof_type proof_eval (srs_type srs,
116+ const polynomial<scalar_value_type> &f,
108117 scalar_value_type i,
109- const polynomial< scalar_value_type> &f ) {
118+ scalar_value_type eval ) {
110119
111120 const polynomial<scalar_value_type> denominator_polynom = {-i, 1 };
112121 const polynomial<scalar_value_type> q =
113- (f - polynomial<scalar_value_type>{f. evaluate (i) }) / denominator_polynom;
122+ (f - polynomial<scalar_value_type>{eval }) / denominator_polynom;
114123
115- proof_type p = commit (srs, q);
116- return p;
124+ return commit (srs, q);
117125 }
118126
119127 static bool verify_eval (srs_type srs,
128+ proof_type p,
120129 commitment_type C_f,
121130 scalar_value_type i,
122- scalar_value_type eval,
123- proof_type p) {
131+ scalar_value_type eval) {
124132
125133 auto A_1 = algebra::precompute_g1<curve_type>(p);
126134 auto A_2 = algebra::precompute_g2<curve_type>(srs.verification_key -
@@ -135,6 +143,129 @@ namespace nil {
135143 return gt_4 == gt_value_type::one ();
136144 }
137145 };
146+
147+ template <typename CurveType>
148+ struct kzg_batched_commitment : public kzg_commitment <CurveType> {
149+
150+ typedef CurveType curve_type;
151+ typedef algebra::pairing::pairing_policy<curve_type> pairing_policy;
152+ typedef typename curve_type::gt_type::value_type gt_value_type;
153+
154+ using multiexp_method = typename algebra::policies::multiexp_method_BDLO12;
155+ using scalar_value_type = typename curve_type::scalar_field_type::value_type;
156+ using commitment_key_type = std::vector<typename curve_type::template g1_type<>::value_type>;
157+ using verification_key_type = typename curve_type::template g2_type<>::value_type;
158+ using commitment_type = typename curve_type::template g1_type<>::value_type;
159+
160+ using kzg = kzg_commitment<CurveType>;
161+ using kzg_params_type = typename kzg::kzg_params_type;
162+ using srs_type = typename kzg::srs_type;
163+
164+ struct evals_type {
165+ std::vector<scalar_value_type> evals_at_z0;
166+ std::vector<scalar_value_type> evals_at_z1;
167+ evals_type (const std::vector<scalar_value_type> &e1 , const std::vector<scalar_value_type> &e2 )
168+ : evals_at_z0(e1 ), evals_at_z1(e2 ) {}
169+ };
170+
171+ struct batched_proof_type {
172+ commitment_type commit0;
173+ commitment_type commit1;
174+ batched_proof_type (commitment_type c0, commitment_type c1) : commit0(c0), commit1(c1) {}
175+ };
176+
177+ static polynomial<scalar_value_type>
accumulate (
const std::vector<polynomial<scalar_value_type>> &polys,
178+ const scalar_value_type &factor) {
179+ std::size_t num = polys.size ();
180+ if (num == 1 ) return polys[0 ];
181+
182+ polynomial<scalar_value_type> result = polys[num - 1 ];
183+ for (int i = num - 2 ; i >= 0 ; --i) {
184+ result = result * factor + polys[i];
185+ }
186+ return result;
187+ }
188+
189+ static evals_type
evaluate_polynomials (
const std::vector<polynomial<scalar_value_type>> &polys0,
190+ const std::vector<polynomial<scalar_value_type>> &polys1,
191+ scalar_value_type z0, scalar_value_type z1) {
192+ std::vector<scalar_value_type> evals_at_z0;
193+ for (const auto &poly : polys0) {
194+ evals_at_z0.emplace_back (poly.evaluate (z0));
195+ }
196+
197+ std::vector<scalar_value_type> evals_at_z1;
198+ for (const auto &poly : polys1) {
199+ evals_at_z1.emplace_back (poly.evaluate (z1));
200+ }
201+
202+ return evals_type (evals_at_z0, evals_at_z1);
203+ }
204+
205+ static std::vector<commitment_type> commit (const srs_type &srs,
206+ const std::vector<polynomial<scalar_value_type>> &polys) {
207+ std::vector<commitment_type> commitments;
208+ for (const auto &poly : polys) {
209+ commitments.emplace_back (kzg::commit (srs, poly));
210+ }
211+ return commitments;
212+ }
213+
214+ static batched_proof_type proof_eval (const srs_type &srs,
215+ const std::vector<polynomial<scalar_value_type>> &polys0,
216+ const std::vector<polynomial<scalar_value_type>> &polys1,
217+ const evals_type &evals,
218+ scalar_value_type z0, scalar_value_type z1,
219+ scalar_value_type gamma0, scalar_value_type gamma1) {
220+
221+ auto accum0 = accumulate (polys0, gamma0);
222+ auto accum_eval0 = polynomial<scalar_value_type>{evals.evals_at_z0 }.evaluate (gamma0);
223+ typename kzg::proof_type proof0 = kzg::proof_eval (srs, accum0, z0, accum_eval0);
224+
225+ auto accum1 = accumulate (polys1, gamma1);
226+ auto accum_eval1 = polynomial<scalar_value_type>{evals.evals_at_z1 }.evaluate (gamma1);
227+ typename kzg::proof_type proof1 = kzg::proof_eval (srs, accum1, z1, accum_eval1);
228+
229+ return batched_proof_type (proof0, proof1);
230+ }
231+
232+ static bool verify_eval (srs_type srs,
233+ const batched_proof_type &proof,
234+ const evals_type &evals,
235+ const std::vector<commitment_type> &commits0,
236+ const std::vector<commitment_type> &commits1,
237+ scalar_value_type z0, scalar_value_type z1,
238+ scalar_value_type gamma0, scalar_value_type gamma1,
239+ scalar_value_type r) {
240+
241+ auto eval0_accum = evals.evals_at_z0 .back ();
242+ auto comm0_accum = commits0.back ();
243+ for (int i = commits0.size () - 2 ; i >= 0 ; --i) {
244+ comm0_accum = (gamma0 * comm0_accum) + commits0[i];
245+ eval0_accum = (eval0_accum * gamma0) + evals.evals_at_z0 [i];
246+ }
247+
248+ auto eval1_accum = evals.evals_at_z1 .back ();
249+ auto comm1_accum = commits1.back ();
250+ for (int i = commits1.size () - 2 ; i >= 0 ; --i) {
251+ comm1_accum = (gamma1 * comm1_accum) + commits1[i];
252+ eval1_accum = (eval1_accum * gamma1) + evals.evals_at_z1 [i];
253+ }
254+
255+ auto F = (comm0_accum - eval0_accum * curve_type::template g1_type<>::value_type::one ()) +
256+ r * (comm1_accum - eval1_accum * curve_type::template g1_type<>::value_type::one ());
257+
258+ auto A_1 = algebra::precompute_g1<curve_type>(F + z0 * proof.commit0 + z1 * r * proof.commit1 );
259+ auto A_2 = algebra::precompute_g2<curve_type>(curve_type::template g2_type<>::value_type::one ());
260+ auto B_1 = algebra::precompute_g1<curve_type>(-proof.commit0 - r * proof.commit1 );
261+ auto B_2 = algebra::precompute_g2<curve_type>(srs.verification_key );
262+
263+ gt_value_type gt3 = algebra::double_miller_loop<curve_type>(A_1, A_2, B_1, B_2);
264+ gt_value_type gt_4 = algebra::final_exponentiation<curve_type>(gt3);
265+
266+ return gt_4 == gt_value_type::one ();
267+ }
268+ };
138269 }; // namespace commitments
139270 } // namespace zk
140271 } // namespace crypto3
0 commit comments