diff --git a/src/snark/src/zk_proof_systems/ppzksnark/r1cs_ppzksnark/r1cs_ppzksnark.tcc b/src/snark/src/zk_proof_systems/ppzksnark/r1cs_ppzksnark/r1cs_ppzksnark.tcc
index aeb2bbb85..697395931 100644
--- a/src/snark/src/zk_proof_systems/ppzksnark/r1cs_ppzksnark/r1cs_ppzksnark.tcc
+++ b/src/snark/src/zk_proof_systems/ppzksnark/r1cs_ppzksnark/r1cs_ppzksnark.tcc
@@ -431,6 +431,92 @@ r1cs_ppzksnark_keypair r1cs_ppzksnark_generator(
 return r1cs_ppzksnark_keypair(std::move(pk), std::move(vk));
 }
 
+template
+knowledge_commitment r1cs_compute_proof_kc(const qap_witness > &qap_wit,
+ const knowledge_commitment_vector &kcv,
+ const Fr &zk_shift)
+{
+ knowledge_commitment returnval = kcv[0] + (zk_shift * kcv[qap_wit.num_variables()+1]);
+
+#ifdef DEBUG
+ assert(kcv.domain_size() == qap_wit.num_variables()+2);
+#endif
+
+#ifdef MULTICORE
+ const size_t chunks = omp_get_max_threads(); // to override, set OMP_NUM_THREADS env var or call omp_set_num_threads()
+#else
+ const size_t chunks = 1;
+#endif
+
+ returnval = returnval + kc_multi_exp_with_mixed_addition >(
+ kcv,
+ 1,
+ 1 + qap_wit.num_variables(),
+ qap_wit.coefficients_for_ABCs.begin(),
+ qap_wit.coefficients_for_ABCs.begin()+qap_wit.num_variables(),
+ chunks,
+ true
+ );
+
+ return returnval;
+}
+
+
+
+template
+G1 r1cs_compute_proof_K(const qap_witness> &qap_wit, const G1_vector &K_query, const G1 &zk_shift)
+{
+#ifdef DEBUG
+ assert(K_query.size() == qap_wit.num_variables()+4);
+#endif
+
+#ifdef MULTICORE
+ const size_t chunks = omp_get_max_threads(); // to override, set OMP_NUM_THREADS env var or call omp_set_num_threads()
+#else
+ const size_t chunks = 1;
+#endif
+
+ G1 g_K = K_query[0] + zk_shift;
+ g_K = g_K + multi_exp_with_mixed_addition, Fr >(
+ K_query.begin()+1,
+ K_query.begin()+1+qap_wit.num_variables(),
+ qap_wit.coefficients_for_ABCs.begin(),
+ qap_wit.coefficients_for_ABCs.begin()+qap_wit.num_variables(),
+ chunks,
+ true
+ );
+
+ return g_K;
+}
+
+
+template
+G1 r1cs_compute_proof_H(const qap_witness > &qap_wit, const G1_vector &H_query)
+{
+ G1 g_H = G1::zero();
+
+#ifdef DEBUG
+ assert(H_query.size() == qap_wit.degree()+1);
+#endif
+
+#ifdef MULTICORE
+ const size_t chunks = omp_get_max_threads(); // to override, set OMP_NUM_THREADS env var or call omp_set_num_threads()
+#else
+ const size_t chunks = 1;
+#endif
+
+ g_H = g_H + multi_exp, Fr >(
H_query.begin(),
+ H_query.begin()+qap_wit.degree()+1,
+ qap_wit.coefficients_for_H.begin(),
+ qap_wit.coefficients_for_H.begin()+qap_wit.degree()+1,
+ chunks,
+ true
+ );
+
+ return g_H;
+}
+
 template
 r1cs_ppzksnark_proof r1cs_ppzksnark_prover(const r1cs_ppzksnark_proving_key &pk,
 const r1cs_ppzksnark_primary_input &primary_input,
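Review bot: In `r1cs_compute_proof_kc` the `#ifdef DEBUG` check on `kcv.domain_size()` runs only after the first statement has already read `kcv[0]` and `kcv[qap_wit.num_variables()+1]`, so a debug build dereferences a too-short vector before the assertion meant to reject it fires, whereas the sibling helpers `r1cs_compute_proof_K` and `r1cs_compute_proof_H` assert first. Moving the three lines `#ifdef DEBUG` / `assert(kcv.domain_size() == qap_wit.num_variables()+2);` / `#endif` above the `returnval` initializer restores check-before-use and makes the three helpers consistent. All three size checks are still compiled out unless `DEBUG` is defined, so a release-build prover given a proving key whose `H_query`/`K_query` lengths disagree with the witness advances `begin()+...` iterators past the end; whether such a key can ever be attacker-supplied is not visible here, but a header comment on each helper stating that the caller guarantees the sizes would make that contract explicit. The `chunks` selection is also repeated verbatim in all three helpers and could be one small helper.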
@@ -457,67 +543,36 @@ r1cs_ppzksnark_proof r1cs_ppzksnark_prover(const r1cs_ppzksnark_proving_key
 assert(qap_inst.is_satisfied(qap_wit));
 #endif
 
- knowledge_commitment, G1 > g_A = pk.A_query[0] + qap_wit.d1*pk.A_query[qap_wit.num_variables()+1];
- knowledge_commitment, G1 > g_B = pk.B_query[0] + qap_wit.d2*pk.B_query[qap_wit.num_variables()+1];
- knowledge_commitment, G1 > g_C = pk.C_query[0] + qap_wit.d3*pk.C_query[qap_wit.num_variables()+1];
-
- G1 g_H = G1::zero();
- G1 g_K = (pk.K_query[0] +
- qap_wit.d1*pk.K_query[qap_wit.num_variables()+1] +
- qap_wit.d2*pk.K_query[qap_wit.num_variables()+2] +
- qap_wit.d3*pk.K_query[qap_wit.num_variables()+3]);
-
 #ifdef DEBUG
 for (size_t i = 0; i < qap_wit.num_inputs() + 1; ++i)
 {
 assert(pk.A_query[i].g == G1::zero());
 }
- assert(pk.A_query.domain_size() == qap_wit.num_variables()+2);
- assert(pk.B_query.domain_size() == qap_wit.num_variables()+2);
- assert(pk.C_query.domain_size() == qap_wit.num_variables()+2);
- assert(pk.H_query.size() == qap_wit.degree()+1);
- assert(pk.K_query.size() == qap_wit.num_variables()+4);
-#endif
-
-#ifdef MULTICORE
- const size_t chunks = omp_get_max_threads(); // to override, set OMP_NUM_THREADS env var or call omp_set_num_threads()
+#else
- const size_t chunks = 1;
 #endif
 
 enter_block("Compute the proof");
 
 enter_block("Compute answer to A-query", false);
- g_A = g_A + kc_multi_exp_with_mixed_addition, G1, Fr >(pk.A_query,
- 1, 1+qap_wit.num_variables(),
- qap_wit.coefficients_for_ABCs.begin(), qap_wit.coefficients_for_ABCs.begin()+qap_wit.num_variables(),
- chunks, true);
+ auto g_A = r1cs_compute_proof_kc, G1 >(qap_wit, pk.A_query, qap_wit.d1);
 leave_block("Compute answer to A-query", false);
 
 enter_block("Compute answer to B-query", false);
- g_B = g_B + kc_multi_exp_with_mixed_addition, G1, Fr >(pk.B_query,
- 1, 1+qap_wit.num_variables(),
- qap_wit.coefficients_for_ABCs.begin(), qap_wit.coefficients_for_ABCs.begin()+qap_wit.num_variables(),
- chunks, true);
+ auto g_B =
r1cs_compute_proof_kc, G1 >(qap_wit, pk.B_query, qap_wit.d2);
 leave_block("Compute answer to B-query", false);
 
 enter_block("Compute answer to C-query", false);
- g_C = g_C + kc_multi_exp_with_mixed_addition, G1, Fr >(pk.C_query,
- 1, 1+qap_wit.num_variables(),
- qap_wit.coefficients_for_ABCs.begin(), qap_wit.coefficients_for_ABCs.begin()+qap_wit.num_variables(),
- chunks, true);
+ auto g_C = r1cs_compute_proof_kc, G1 >(qap_wit, pk.C_query, qap_wit.d3);
 leave_block("Compute answer to C-query", false);
 
 enter_block("Compute answer to H-query", false);
- g_H = g_H + multi_exp, Fr >(pk.H_query.begin(), pk.H_query.begin()+qap_wit.degree()+1,
- qap_wit.coefficients_for_H.begin(), qap_wit.coefficients_for_H.begin()+qap_wit.degree()+1,
- chunks, true);
+ auto g_H = r1cs_compute_proof_H(qap_wit, pk.H_query);
 leave_block("Compute answer to H-query", false);
 
 enter_block("Compute answer to K-query", false);
- g_K = g_K + multi_exp_with_mixed_addition, Fr >(pk.K_query.begin()+1, pk.K_query.begin()+1+qap_wit.num_variables(),
- qap_wit.coefficients_for_ABCs.begin(), qap_wit.coefficients_for_ABCs.begin()+qap_wit.num_variables(),
- chunks, true);
+ G1 zk_shift = qap_wit.d1*pk.K_query[qap_wit.num_variables()+1] +
+ qap_wit.d2*pk.K_query[qap_wit.num_variables()+2] +
+ qap_wit.d3*pk.K_query[qap_wit.num_variables()+3];
+ G1 g_K = r1cs_compute_proof_K(qap_wit, pk.K_query, zk_shift);
 leave_block("Compute answer to K-query", false);
 
 leave_block("Compute the proof");
@@ -525,7 +580,6 @@ r1cs_ppzksnark_proof r1cs_ppzksnark_prover(const r1cs_ppzksnark_proving_key
 leave_block("Call to r1cs_ppzksnark_prover");
 
 r1cs_ppzksnark_proof proof = r1cs_ppzksnark_proof(std::move(g_A), std::move(g_B), std::move(g_C), std::move(g_H), std::move(g_K));
- //proof.print_size();
 return proof;
 }
 
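Review bot: The new `zk_shift` lines read `pk.K_query[qap_wit.num_variables()+1]` through `+3` in the prover before `r1cs_compute_proof_K` is called, and that helper's `assert(K_query.size() == qap_wit.num_variables()+4)` is now the only place the K-query length is checked, so the check no longer guards those three reads (the removed code indexed first too, but kept its assert in the same function, where it could be moved ahead). Either pass `d1`, `d2`, `d3` into the helper so the shift is built after its assert, or keep `#ifdef DEBUG` / `assert(pk.K_query.size() == qap_wit.num_variables()+4);` / `#endif` in the prover immediately before `G1 zk_shift = ...`. The `auto g_A`/`g_B`/`g_C` bindings also hide that these are knowledge commitments rather than bare group elements; naming the type as the removed lines did keeps the proof's structure readable. `r1cs_ppzksnark_prover` starts before this hunk and its body continues past it.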