mpcsetup

package, version v0.13.0

Warning: This package is not in the latest version of its module.

Published: Jun 12, 2025 | License: Apache-2.0 | Imports: 23 | Imported by: 0

Documentation

Constants

const (
	DST_TAU = iota
	DST_ALPHA
	DST_BETA
)

const (
	DST_DELTA = iota
	DST_SIGMA
)

Variables

This section is empty.

Functions

func VerifyPhase2

func VerifyPhase2(r1cs *cs.R1CS, commons *SrsCommons, beaconChallenge []byte, c ...*Phase2) (groth16.ProvingKey, groth16.VerifyingKey, error)

VerifyPhase2 verifies the contributions c for the circuit described by r1cs, using the parameters from commons.

beaconChallenge is a random beacon of moderate entropy evaluated at a time later than the latest contribution. It seeds a final "contribution" to the protocol, reproducible by any verifier. For more information on random beacons, refer to https://a16zcrypto.com/posts/article/public-randomness-and-randomness-beacons/. Organizations such as the League of Entropy (https://leagueofentropy.com/) provide such beacons. THIS IS NOT A RECOMMENDATION OR ENDORSEMENT.

c are the outputs from the contributors, and are assumed to be well-formed, as guaranteed by the ReadFrom function.

WARNING: the last contribution object will be modified.

Types

type Phase1

type Phase1 struct {
	Challenge []byte // Hash of the transcript PRIOR to this participant
	// contains filtered or unexported fields
}

Phase1 is in line with Phase1 of the MPC described in https://eprint.iacr.org/2017/1050.pdf

Also known as "Powers of Tau"

func NewPhase1 added in v0.13.0

func NewPhase1(N uint64) *Phase1

NewPhase1 creates an empty Phase1 contribution object to be used by the first contributor or the verifier. N is the FFT domain size.

func (*Phase1) Contribute

func (p *Phase1) Contribute()

Contribute contributes randomness to the Phase1 object. This mutates Phase1. p is trusted to be well-formed. The ReadFrom function performs such basic sanity checks.

func (*Phase1) Initialize added in v0.13.0

func (p *Phase1) Initialize(N uint64)

Initialize an empty Phase1 contribution object to be used by the first contributor or the verifier. N is the FFT domain size.

func (*Phase1) ReadFrom

func (p *Phase1) ReadFrom(reader io.Reader) (n int64, err error)

ReadFrom implements io.ReaderFrom

func (*Phase1) Seal added in v0.13.0

func (p *Phase1) Seal(beaconChallenge []byte) SrsCommons

Seal performs the final contribution and outputs the final parameters. No randomization is performed at this step. A verifier should simply re-run this and check that it produces the same values.

beaconChallenge is a random beacon of moderate entropy evaluated at a time later than the latest contribution. It seeds a final "contribution" to the protocol, reproducible by any verifier. For more information on random beacons, refer to https://a16zcrypto.com/posts/article/public-randomness-and-randomness-beacons/. Organizations such as the League of Entropy (https://leagueofentropy.com/) provide such beacons. THIS IS NOT A RECOMMENDATION OR ENDORSEMENT.

WARNING: Seal modifies p, just as Contribute does. The result will be an INVALID Phase1 object, since no proof of correctness is produced.

func (*Phase1) Verify added in v0.13.0

func (p *Phase1) Verify(next *Phase1) error

Verify assumes that the previous contribution (the receiver p) is correct. It also assumes that next is well-formed, i.e. it has been read using the ReadFrom function.

func (*Phase1) WriteTo

func (p *Phase1) WriteTo(writer io.Writer) (n int64, err error)

WriteTo implements io.WriterTo

type Phase2

type Phase2 struct {
	Parameters struct {
		G1 struct {
			Delta    curve.G1Affine
			Z        []curve.G1Affine   // Z[i] = xⁱt(x)/δ where t is the domain vanishing polynomial 0 ≤ i ≤ N-2
			PKK      []curve.G1Affine   // PKK are the coefficients of the private witness, needed for the proving key. They have a denominator of δ
			SigmaCKK [][]curve.G1Affine // Commitment proof bases: SigmaCKK[i][j] = σᵢCᵢⱼ where Cᵢⱼ is the commitment basis for the jᵗʰ committed element from the iᵗʰ commitment
		}
		G2 struct {
			Delta curve.G2Affine
			Sigma []curve.G2Affine // the secret σ value for each commitment
		}
	}

	// Proofs of update correctness
	Sigmas []mpcsetup.UpdateProof
	Delta  mpcsetup.UpdateProof

	// Challenge is the hash of the PREVIOUS contribution
	Challenge []byte
}

func (*Phase2) Contribute

func (p *Phase2) Contribute()

func (*Phase2) Initialize added in v0.13.0

func (p *Phase2) Initialize(r1cs *cs.R1CS, commons *SrsCommons) Phase2Evaluations

Initialize is to be run by the coordinator. It involves no coin tosses. A verifier should simply rerun all the steps.

func (*Phase2) ReadFrom

func (p *Phase2) ReadFrom(reader io.Reader) (n int64, err error)

ReadFrom implements io.ReaderFrom

func (*Phase2) Seal added in v0.13.0

func (p *Phase2) Seal(commons *SrsCommons, evals *Phase2Evaluations, beaconChallenge []byte) (groth16.ProvingKey, groth16.VerifyingKey)

Seal performs the final contribution and outputs the proving and verifying keys. No randomization is performed at this step. A verifier should simply re-run this and check that it produces the same values.

beaconChallenge is a random beacon of moderate entropy evaluated at a time later than the latest contribution. It seeds a final "contribution" to the protocol, reproducible by any verifier. For more information on random beacons, refer to https://a16zcrypto.com/posts/article/public-randomness-and-randomness-beacons/. Organizations such as the League of Entropy (https://leagueofentropy.com/) provide such beacons. THIS IS NOT A RECOMMENDATION OR ENDORSEMENT.

WARNING: Seal modifies p, just as Contribute does. The result will be an INVALID Phase1 object, since no proof of correctness is produced.

func (*Phase2) Verify added in v0.13.0

func (p *Phase2) Verify(next *Phase2) error

Verify assumes that the previous contribution (the receiver p) is correct. It also assumes that next is well-formed, i.e. it has been read using the ReadFrom function.

func (*Phase2) WriteTo

func (p *Phase2) WriteTo(writer io.Writer) (n int64, err error)

WriteTo implements io.WriterTo

type Phase2Evaluations

type Phase2Evaluations struct {
	G1 struct {
		A   []curve.G1Affine   // A are the left coefficient polynomials for each witness element, evaluated at τ
		B   []curve.G1Affine   // B are the right coefficient polynomials for each witness element, evaluated at τ
		VKK []curve.G1Affine   // VKK are the coefficients of the public witness and commitments
		CKK [][]curve.G1Affine // CKK are the coefficients of the committed values
	}
	G2 struct {
		B []curve.G2Affine // B are the right coefficient polynomials for each witness element, evaluated at τ
	}
	PublicAndCommitmentCommitted [][]int
}

Phase2Evaluations holds the components of the circuit keys that do not depend on Phase2 randomisations.

type SrsCommons added in v0.13.0

type SrsCommons struct {
	G1 struct {
		Tau      []curve.G1Affine // {[τ⁰]₁, [τ¹]₁, [τ²]₁, …, [τ²ᴺ⁻²]₁}
		AlphaTau []curve.G1Affine // {α[τ⁰]₁, α[τ¹]₁, α[τ²]₁, …, α[τᴺ⁻¹]₁}
		BetaTau  []curve.G1Affine // {β[τ⁰]₁, β[τ¹]₁, β[τ²]₁, …, β[τᴺ⁻¹]₁}
	}
	G2 struct {
		Tau  []curve.G2Affine // {[τ⁰]₂, [τ¹]₂, [τ²]₂, …, [τᴺ⁻¹]₂}
		Beta curve.G2Affine   // [β]₂
	}
}

SrsCommons are the circuit-independent components of the Groth16 SRS, computed by the first phase. In all that follows, N is the domain size.

func VerifyPhase1

func VerifyPhase1(N uint64, beaconChallenge []byte, c ...*Phase1) (SrsCommons, error)

VerifyPhase1 verifies the contributions c and returns the SRS parameters usable for any circuit of domain size N.

beaconChallenge is a random beacon of moderate entropy evaluated at a time later than the latest contribution. It seeds a final "contribution" to the protocol, reproducible by any verifier. For more information on random beacons, refer to https://a16zcrypto.com/posts/article/public-randomness-and-randomness-beacons/. Organizations such as the League of Entropy (https://leagueofentropy.com/) provide such beacons. THIS IS NOT A RECOMMENDATION OR ENDORSEMENT.

c are the outputs from the contributors and are assumed to be well-formed, as guaranteed by the ReadFrom function.

WARNING: the last contribution object will be modified.
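The beacon-seeded final contribution described for Seal and VerifyPhase1, as an added toy model (not gnark code): it shows why a verifier who re-runs the step on the same last contribution gets identical parameters, and why a different beacon or tag does not. Assumptions: P-256 from the Go standard library stands in for the pairing curve, only the Tau vector is modelled, the scalar is derived as SHA-256(dst || beacon) with dst assumed to play the role of the DST_* constants, and `srs`, `newSRS`, `update` and `seal` are names made up here.

```go
package main

import (
	"crypto/elliptic"
	"crypto/sha256"
	"fmt"
	"math/big"
)

const n = 4 // toy length; the real Tau vector has 2N-1 elements

var curve = elliptic.P256()

// srs models SrsCommons.G1.Tau as compressed P-256 points: srs[i] = [τⁱ]G.
// P-256 has no pairing, so only Seal is modelled here, not Verify.
type srs [n][33]byte

// newSRS is the τ = 1 starting state: every element is the generator.
func newSRS() (s srs) {
	for i := range s {
		copy(s[i][:], elliptic.MarshalCompressed(curve, curve.Params().Gx, curve.Params().Gy))
	}
	return s
}

// update maps s[i] to [kⁱ]s[i], which replaces τ by k·τ.
func update(s srs, k *big.Int) (out srs) {
	pow := big.NewInt(1)
	for i := range s {
		x, y := elliptic.UnmarshalCompressed(curve, s[i][:])
		x, y = curve.ScalarMult(x, y, pow.Bytes())
		copy(out[i][:], elliptic.MarshalCompressed(curve, x, y))
		pow.Mod(pow.Mul(pow, k), curve.Params().N)
	}
	return out
}

// seal takes its scalar from public inputs only, so any verifier can re-run it.
// SHA-256(dst || beacon) is an assumption of this example, not gnark's derivation.
func seal(s srs, dst byte, beacon []byte) srs {
	h := sha256.Sum256(append([]byte{dst}, beacon...))
	return update(s, new(big.Int).Mod(new(big.Int).SetBytes(h[:]), curve.Params().N))
}

func main() {
	last := update(newSRS(), big.NewInt(12345)) // constructed last contribution
	out := seal(last, 0, []byte("constructed beacon"))
	fmt.Println("verifier re-run matches:", out == seal(last, 0, []byte("constructed beacon")))
	fmt.Println("different beacon matches:", out == seal(last, 0, []byte("other beacon")))
}
```

Unlike the package's Seal, this toy `seal` returns a new value and leaves its input untouched; with the real API, Seal modifies p, so a verifier re-running it needs an unmodified copy of the last contribution, for example one re-read with ReadFrom.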

func (*SrsCommons) ReadFrom added in v0.13.0

func (c *SrsCommons) ReadFrom(reader io.Reader) (n int64, err error)

ReadFrom implements io.ReaderFrom

func (*SrsCommons) WriteTo added in v0.13.0

func (c *SrsCommons) WriteTo(writer io.Writer) (int64, error)
