Skip to content
This repository was archived by the owner on Feb 17, 2025. It is now read-only.

Commit 91286e7

Browse files
tshchelovekmartun
tshchelovek
authored and
martun
committed
updated interfaces for arbitrary num of polynomial batched #113 
1 parent 3cc3e4c commit 91286e7

File tree

2 files changed

+94
-112
lines changed
  • include/nil/crypto3/zk/commitments/polynomial
  • test/commitment

2 files changed

+94
-112
lines changed

include/nil/crypto3/zk/commitments/polynomial/kzg.hpp

Lines changed: 49 additions & 59 deletions
Original file line numberDiff line numberDiff line change
@@ -92,7 +92,7 @@ namespace nil {
9292
curve_type::template g2_type<>::value_type::one() * params.alpha;
9393

9494
for (std::size_t i = 0; i < params.n; i++) {
95-
commitment_key.emplace_back(alpha_scaled * (curve_type::template g1_type<>::value_type::one()));
95+
commitment_key.push_back(alpha_scaled * (curve_type::template g1_type<>::value_type::one()));
9696
alpha_scaled = alpha_scaled * params.alpha;
9797
}
9898

@@ -156,24 +156,14 @@ namespace nil {
156156
using commitment_key_type = std::vector<typename curve_type::template g1_type<>::value_type>;
157157
using verification_key_type = typename curve_type::template g2_type<>::value_type;
158158
using commitment_type = typename curve_type::template g1_type<>::value_type;
159+
using batched_proof_type = std::vector<commitment_type>;
160+
using evals_type = std::vector<std::vector<scalar_value_type>>;
161+
using batch_of_batches_of_polynomials_type = std::vector<std::vector<polynomial<scalar_value_type>>>;
159162

160163
using kzg = kzg_commitment<CurveType>;
161164
using kzg_params_type = typename kzg::kzg_params_type;
162165
using srs_type = typename kzg::srs_type;
163166

164-
struct evals_type {
165-
std::vector<scalar_value_type> evals_at_z0;
166-
std::vector<scalar_value_type> evals_at_z1;
167-
evals_type(const std::vector<scalar_value_type> &e1, const std::vector<scalar_value_type> &e2)
168-
: evals_at_z0(e1), evals_at_z1(e2) {}
169-
};
170-
171-
struct batched_proof_type {
172-
commitment_type commit0;
173-
commitment_type commit1;
174-
batched_proof_type(commitment_type c0, commitment_type c1) : commit0(c0), commit1(c1) {}
175-
};
176-
177167
static polynomial<scalar_value_type> accumulate(const std::vector<polynomial<scalar_value_type>> &polys,
178168
const scalar_value_type &factor) {
179169
std::size_t num = polys.size();
@@ -186,78 +176,78 @@ namespace nil {
186176
return result;
187177
}
188178

189-
static evals_type evaluate_polynomials(const std::vector<polynomial<scalar_value_type>> &polys0,
190-
const std::vector<polynomial<scalar_value_type>> &polys1,
191-
scalar_value_type z0, scalar_value_type z1) {
192-
std::vector<scalar_value_type> evals_at_z0;
193-
for (const auto &poly : polys0) {
194-
evals_at_z0.emplace_back(poly.evaluate(z0));
195-
}
179+
static evals_type evaluate_polynomials(const batch_of_batches_of_polynomials_type &polys,
180+
const std::vector<scalar_value_type> zs) {
181+
182+
assert(polys.size() == zs.size());
196183

197-
std::vector<scalar_value_type> evals_at_z1;
198-
for (const auto &poly : polys1) {
199-
evals_at_z1.emplace_back(poly.evaluate(z1));
184+
std::vector<std::vector<scalar_value_type>> evals;
185+
for (std::size_t i = 0; i < polys.size(); ++i) {
186+
std::vector<scalar_value_type> evals_at_z_i;
187+
for (const auto &poly : polys[i]) {
188+
evals_at_z_i.push_back(poly.evaluate(zs[i]));
189+
}
190+
evals.push_back(evals_at_z_i);
200191
}
201192

202-
return evals_type(evals_at_z0, evals_at_z1);
193+
return evals;
203194
}
204195

205196
static std::vector<commitment_type> commit(const srs_type &srs,
206197
const std::vector<polynomial<scalar_value_type>> &polys) {
207198
std::vector<commitment_type> commitments;
208199
for (const auto &poly : polys) {
209-
commitments.emplace_back(kzg::commit(srs, poly));
200+
commitments.push_back(kzg::commit(srs, poly));
210201
}
211202
return commitments;
212203
}
213204

214205
static batched_proof_type proof_eval(const srs_type &srs,
215-
const std::vector<polynomial<scalar_value_type>> &polys0,
216-
const std::vector<polynomial<scalar_value_type>> &polys1,
206+
const batch_of_batches_of_polynomials_type &polys,
217207
const evals_type &evals,
218-
scalar_value_type z0, scalar_value_type z1,
219-
scalar_value_type gamma0, scalar_value_type gamma1) {
220-
221-
auto accum0 = accumulate(polys0, gamma0);
222-
auto accum_eval0 = polynomial<scalar_value_type>{evals.evals_at_z0}.evaluate(gamma0);
223-
typename kzg::proof_type proof0 = kzg::proof_eval(srs, accum0, z0, accum_eval0);
208+
const std::vector<scalar_value_type> zs,
209+
const std::vector<scalar_value_type> gammas) {
210+
211+
std::vector<commitment_type> proofs;
224212

225-
auto accum1 = accumulate(polys1, gamma1);
226-
auto accum_eval1 = polynomial<scalar_value_type>{evals.evals_at_z1}.evaluate(gamma1);
227-
typename kzg::proof_type proof1 = kzg::proof_eval(srs, accum1, z1, accum_eval1);
213+
for (std::size_t i = 0; i < polys.size(); ++i) {
214+
auto accum = accumulate(polys[i], gammas[i]);
215+
auto accum_eval = polynomial<scalar_value_type>{evals[i]}.evaluate(gammas[i]);
216+
typename kzg::proof_type proof = kzg::proof_eval(srs, accum, zs[i], accum_eval);
217+
proofs.push_back(proof);
218+
}
228219

229-
return batched_proof_type(proof0, proof1);
220+
return proofs;
230221
}
231222

232223
static bool verify_eval(srs_type srs,
233224
const batched_proof_type &proof,
234225
const evals_type &evals,
235-
const std::vector<commitment_type> &commits0,
236-
const std::vector<commitment_type> &commits1,
237-
scalar_value_type z0, scalar_value_type z1,
238-
scalar_value_type gamma0, scalar_value_type gamma1,
226+
const std::vector<std::vector<commitment_type>> &commits,
227+
std::vector<scalar_value_type> zs,
228+
std::vector<scalar_value_type> gammas,
239229
scalar_value_type r) {
240230

241-
auto eval0_accum = evals.evals_at_z0.back();
242-
auto comm0_accum = commits0.back();
243-
for (int i = commits0.size() - 2; i >= 0; --i) {
244-
comm0_accum = (gamma0 * comm0_accum) + commits0[i];
245-
eval0_accum = (eval0_accum * gamma0) + evals.evals_at_z0[i];
231+
auto F = curve_type::template g1_type<>::value_type::zero();
232+
auto z_r_proofs = curve_type::template g1_type<>::value_type::zero();
233+
auto r_proofs = curve_type::template g1_type<>::value_type::zero();
234+
auto cur_r = scalar_value_type::one();
235+
for (std::size_t i = 0; i < proof.size(); ++i) {
236+
auto eval_accum = evals[i].back();
237+
auto comm_accum = commits[i].back();
238+
for (int j = commits[i].size() - 2; j >= 0; --j) {
239+
comm_accum = (gammas[i] * comm_accum) + commits[i][j];
240+
eval_accum = (eval_accum * gammas[i]) + evals[i][j];
241+
}
242+
F = F + cur_r * (comm_accum - eval_accum * curve_type::template g1_type<>::value_type::one());
243+
z_r_proofs = z_r_proofs + cur_r * zs[i] * proof[i];
244+
r_proofs = r_proofs - cur_r * proof[i];
245+
cur_r = cur_r * r;
246246
}
247247

248-
auto eval1_accum = evals.evals_at_z1.back();
249-
auto comm1_accum = commits1.back();
250-
for (int i = commits1.size() - 2; i >= 0; --i) {
251-
comm1_accum = (gamma1 * comm1_accum) + commits1[i];
252-
eval1_accum = (eval1_accum * gamma1) + evals.evals_at_z1[i];
253-
}
254-
255-
auto F = (comm0_accum - eval0_accum * curve_type::template g1_type<>::value_type::one()) +
256-
r * (comm1_accum - eval1_accum * curve_type::template g1_type<>::value_type::one());
257-
258-
auto A_1 = algebra::precompute_g1<curve_type>(F + z0 * proof.commit0 + z1 * r * proof.commit1);
248+
auto A_1 = algebra::precompute_g1<curve_type>(F + z_r_proofs);
259249
auto A_2 = algebra::precompute_g2<curve_type>(curve_type::template g2_type<>::value_type::one());
260-
auto B_1 = algebra::precompute_g1<curve_type>(-proof.commit0 - r * proof.commit1);
250+
auto B_1 = algebra::precompute_g1<curve_type>(r_proofs);
261251
auto B_2 = algebra::precompute_g2<curve_type>(srs.verification_key);
262252

263253
gt_value_type gt3 = algebra::double_miller_loop<curve_type>(A_1, A_2, B_1, B_2);

test/commitment/kzg.cpp

Lines changed: 45 additions & 53 deletions
Original file line numberDiff line numberDiff line change
@@ -190,48 +190,37 @@ BOOST_AUTO_TEST_CASE(kzg_batched_basic_test) {
190190
{{21, 22, 23, 24, 25, 26, 27, 28}},
191191
{{31, 32, 33, 34, 35, 36, 37, 38}},
192192
}};
193-
194193
const std::vector<polynomial<scalar_value_type>> gs{{
195194
{{71, 72, 73, 74, 75, 76, 77, 78}},
196195
{{81, 82, 83, 84, 85, 86, 87, 88}},
197196
{{91, 92, 93, 94, 95, 96, 97, 98}},
198197
}};
198+
typename kzg_type::batch_of_batches_of_polynomials_type polys = {fs, gs};
199199

200-
scalar_value_type z0 = 123;
201-
scalar_value_type z1 = 456;
202-
auto evals = kzg_type::evaluate_polynomials(fs, gs, z0, z1);
200+
std::vector<scalar_value_type> zs = {123, 456};
201+
auto evals = kzg_type::evaluate_polynomials(polys, zs);
203202

204203
auto srs = kzg_type::setup({n, alpha});
205204

206-
scalar_value_type gamma0 = 54321;
207-
scalar_value_type gamma1 = 98760;
205+
std::vector<scalar_value_type> gammas = {54321, 98760};
208206

209-
auto proof = kzg_type::proof_eval(srs, fs, gs, evals, z0, z1, gamma0, gamma1);
207+
auto proof = kzg_type::proof_eval(srs, polys, evals, zs, gammas);
210208

211-
{
209+
for (size_t j = 0; j < proof.size(); ++j) {
212210
scalar_value_type h0_x = scalar_value_type::zero();
213-
for (size_t i = 0; i < fs.size(); ++i) {
214-
const polynomial<scalar_value_type> &f_i = fs[i];
215-
const scalar_value_type f_x_minus_f_z0 = f_i.evaluate(alpha) - f_i.evaluate(z0);
216-
const scalar_value_type gamma_power = gamma0.pow(i);
217-
h0_x += gamma_power * f_x_minus_f_z0 * ((alpha - z0).inversed());
211+
for (size_t i = 0; i < polys[j].size(); ++i) {
212+
const polynomial<scalar_value_type> &f_i = polys[j][i];
213+
const scalar_value_type f_x_minus_f_z0 = f_i.evaluate(alpha) - f_i.evaluate(zs[j]);
214+
const scalar_value_type gamma_power = gammas[j].pow(i);
215+
h0_x += gamma_power * f_x_minus_f_z0 * ((alpha - zs[j]).inversed());
218216
}
219-
BOOST_CHECK(h0_x * curve_type::template g1_type<>::value_type::one() == proof.commit0);
220-
221-
scalar_value_type h1_x = scalar_value_type::zero();
222-
for (size_t i = 0; i < gs.size(); ++i) {
223-
const polynomial<scalar_value_type> &g_i = gs[i];
224-
const scalar_value_type g_x_minus_g_z1 = g_i.evaluate(alpha) - g_i.evaluate(z1);
225-
const scalar_value_type gamma_power = gamma1.pow(i);
226-
h1_x += gamma_power * g_x_minus_g_z1 * ((alpha - z1).inversed());
227-
}
228-
BOOST_CHECK(h1_x * curve_type::template g1_type<>::value_type::one() == proof.commit1);
217+
BOOST_CHECK(h0_x * curve_type::template g1_type<>::value_type::one() == proof[j]);
229218
}
230219

231220
scalar_value_type r = 23546;
232221
auto c0 = kzg_type::commit(srs, fs);
233222
auto c1 = kzg_type::commit(srs, gs);
234-
BOOST_CHECK(kzg_type::verify_eval(srs, proof, evals, c0, c1, z0, z1, gamma0, gamma1, r));
223+
BOOST_CHECK(kzg_type::verify_eval(srs, proof, evals, {c0, c1}, zs, gammas, r));
235224
}
236225

237226
BOOST_AUTO_TEST_CASE(kzg_batched_random_test) {
@@ -245,54 +234,57 @@ BOOST_AUTO_TEST_CASE(kzg_batched_random_test) {
245234

246235
scalar_value_type alpha = algebra::random_element<scalar_field_type>();
247236
std::size_t n = 298;
248-
const std::vector<polynomial<scalar_value_type>> fs{{
237+
const std::vector<polynomial<scalar_value_type>> f0{{
249238
{{1, 2, 3, 4, 5, 6, 7, 8}},
250239
{{11, 12, 13, 14, 15, 16, 17}},
251240
{{21, 22, 23, 24, 25, 26, 27, 28}},
252241
{{31, 32, 33, 34, 35, 36, 37, 38, 39}},
253242
}};
254-
255-
const std::vector<polynomial<scalar_value_type>> gs{{
243+
const std::vector<polynomial<scalar_value_type>> f1{{
256244
{{71, 72}},
257245
{{81, 82, 83, 85, 86, 87, 88}},
258246
{{91, 92, 93, 94, 95, 96, 97, 98, 99, 100}},
259247
}};
260-
261-
scalar_value_type z0 = algebra::random_element<scalar_field_type>();
262-
scalar_value_type z1 = algebra::random_element<scalar_field_type>();
263-
auto evals = kzg_type::evaluate_polynomials(fs, gs, z0, z1);
248+
const std::vector<polynomial<scalar_value_type>> f2{{
249+
{{73, 74, 25}},
250+
{{87}},
251+
{{91, 92, 93, 94, 95, 96, 97, 100, 1, 2, 3}},
252+
}};
253+
const kzg_type::batch_of_batches_of_polynomials_type polys = {f0, f1, f2};
254+
std::size_t num_polys = polys.size();
255+
256+
std::vector<scalar_value_type> zs;
257+
for (std::size_t i = 0; i < num_polys; ++i) {
258+
zs.push_back(algebra::random_element<scalar_field_type>());
259+
}
260+
auto evals = kzg_type::evaluate_polynomials(polys, zs);
264261

265262
auto srs = kzg_type::setup({n, alpha});
266263

267-
scalar_value_type gamma0 = algebra::random_element<scalar_field_type>();
268-
scalar_value_type gamma1 = algebra::random_element<scalar_field_type>();
264+
std::vector<scalar_value_type> gammas;
265+
for (std::size_t i = 0; i < num_polys; ++i) {
266+
gammas.push_back(algebra::random_element<scalar_field_type>());
267+
}
269268

270-
auto proof = kzg_type::proof_eval(srs, fs, gs, evals, z0, z1, gamma0, gamma1);
269+
auto proof = kzg_type::proof_eval(srs, polys, evals, zs, gammas);
271270

272-
{
271+
for (std::size_t j = 0; j < proof.size(); ++j) {
273272
scalar_value_type h0_x = scalar_value_type::zero();
274-
for (size_t i = 0; i < fs.size(); ++i) {
275-
const polynomial<scalar_value_type> &f_i = fs[i];
276-
const scalar_value_type f_x_minus_f_z0 = f_i.evaluate(alpha) - f_i.evaluate(z0);
277-
const scalar_value_type gamma_power = gamma0.pow(i);
278-
h0_x += gamma_power * f_x_minus_f_z0 * ((alpha - z0).inversed());
273+
for (std::size_t i = 0; i < polys[j].size(); ++i) {
274+
const polynomial<scalar_value_type> &f_i = polys[j][i];
275+
const scalar_value_type f_x_minus_f_z0 = f_i.evaluate(alpha) - f_i.evaluate(zs[j]);
276+
const scalar_value_type gamma_power = gammas[j].pow(i);
277+
h0_x += gamma_power * f_x_minus_f_z0 * ((alpha - zs[j]).inversed());
279278
}
280-
BOOST_CHECK(h0_x * curve_type::template g1_type<>::value_type::one() == proof.commit0);
281-
282-
scalar_value_type h1_x = scalar_value_type::zero();
283-
for (size_t i = 0; i < gs.size(); ++i) {
284-
const polynomial<scalar_value_type> &g_i = gs[i];
285-
const scalar_value_type g_x_minus_g_z1 = g_i.evaluate(alpha) - g_i.evaluate(z1);
286-
const scalar_value_type gamma_power = gamma1.pow(i);
287-
h1_x += gamma_power * g_x_minus_g_z1 * ((alpha - z1).inversed());
288-
}
289-
BOOST_CHECK(h1_x * curve_type::template g1_type<>::value_type::one() == proof.commit1);
279+
BOOST_CHECK(h0_x * curve_type::template g1_type<>::value_type::one() == proof[j]);
290280
}
291281

292282
scalar_value_type r = algebra::random_element<scalar_field_type>();
293-
auto c0 = kzg_type::commit(srs, fs);
294-
auto c1 = kzg_type::commit(srs, gs);
295-
BOOST_CHECK(kzg_type::verify_eval(srs, proof, evals, c0, c1, z0, z1, gamma0, gamma1, r));
283+
std::vector<std::vector<kzg_type::commitment_type>> cs;
284+
for (std::size_t j = 0; j < num_polys; ++j) {
285+
cs.push_back(kzg_type::commit(srs, polys[j]));
286+
}
287+
BOOST_CHECK(kzg_type::verify_eval(srs, proof, evals, cs, zs, gammas, r));
296288
}
297289

298290
BOOST_AUTO_TEST_SUITE_END()

0 commit comments

Comments
 (0)