
  1. #include <stdlib.h>
  2. #include <iostream>
  3. #include <fstream>
  4. #include "ecgadget.hpp"
  5. #include "scalarmul.hpp"
  6. using namespace libsnark;
  7. using namespace std;
  8. // A gadget for, given private input scalar r0,
  9. // computing private scalars r1, d0, d1 and public
  10. // EC points (D0x,D0y) and (D1x,D1y), such that:
  11. // r1 = h_2(r0)
  12. // d0 = h_1(r0)
  13. // d1 = h_1(r1)
  14. // D0 = d0 * G
  15. // D1 = d1 * G
  16. //
  17. // where h_1(r) is the x-coordinate of r*H1 and
  18. // h_2(r) is the x-coordinate of r*H2.
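template<typename FieldT>
class ratchet_commit_gadget : public gadget<FieldT> {
private:
    // Fixed curve points in affine (x, y) coordinates over FieldT.
    // G is the base point the public commitments D0, D1 are formed against;
    // H1 and H2 are the points whose x-coordinates define h_1 and h_2.
    // NOTE(review): the one-wayness of h_1/h_2 (and hence the hiding of r0
    // behind D0, D1) depends on nobody knowing a discrete-log relation among
    // G, H1 and H2. The tiny x-coordinates (0, 1, 3) look like a
    // "smallest valid x" derivation, which is fine only if that is really
    // how they were chosen — confirm against the curve parameter source.
    FieldT Gx, Gy, H1x, H1y, H2x, H2y;
    // y-coordinates of r0*H2, r0*H1 and r1*H1. The multiplications must
    // produce a full point, but only the x-coordinate is an output of this
    // gadget, so these stay private to it.
    pb_variable<FieldT> r1y, d0y, d1y;
    // The five constant-base scalar multiplications. Order is significant
    // for witness generation: d1 = [r1*H1]_x reads r1, which is produced by
    // the first multiplication, and D0/D1 read d0/d1 produced before them.
    vector<ec_constant_scalarmul_gadget<FieldT> > constmuls;
public:
    // Variables supplied by the caller. Which of them end up primary
    // (public) is the caller's decision via protoboard::set_input_sizes;
    // the gadget itself only wires constraints between them.
    //   r0       secret input scalar
    //   r1       h_2(r0) = [r0*H2]_x
    //   d0, d1   h_1(r0), h_1(r1)
    //   D0, D1   d0*G, d1*G (affine coordinates)
    const pb_variable<FieldT> r0, r1, d0, d1, D0x, D0y, D1x, D1y;

    ratchet_commit_gadget(protoboard<FieldT> &pb,
                          const pb_variable<FieldT> &r0,
                          const pb_variable<FieldT> &r1,
                          const pb_variable<FieldT> &d0,
                          const pb_variable<FieldT> &d1,
                          const pb_variable<FieldT> &D0x,
                          const pb_variable<FieldT> &D0y,
                          const pb_variable<FieldT> &D1x,
                          const pb_variable<FieldT> &D1y) :
        gadget<FieldT>(pb, "ratchet_commit_gadget"),
        // Curve parameters and generators
        Gx(0), Gy("11977228949870389393715360594190192321220966033310912010610740966317727761886"),
        H1x(1), H1y("21803877843449984883423225223478944275188924769286999517937427649571474907279"),
        H2x(3), H2y("5020743718369453748575779309408113228867962046286774659221819240049391841511"),
        r0(r0), r1(r1), d0(d0), d1(d1), D0x(D0x), D0y(D0y), D1x(D1x), D1y(D1y)
    {
        r1y.allocate(pb, "r1y");
        d0y.allocate(pb, "d0y");
        d1y.allocate(pb, "d1y");

        // Exactly five multiplications are added below. Reserving up front
        // guarantees that no gadget is relocated by a later emplace_back;
        // whether ec_constant_scalarmul_gadget tolerates relocation is not
        // visible from here, so do not rely on it.
        constmuls.reserve(5);

        // r1 = [r0*H2]_x
        constmuls.emplace_back(pb, r1, r1y, r0, H2x, H2y);
        // d0 = [r0*H1]_x
        constmuls.emplace_back(pb, d0, d0y, r0, H1x, H1y);
        // d1 = [r1*H1]_x  (depends on r1 from the first multiplication)
        constmuls.emplace_back(pb, d1, d1y, r1, H1x, H1y);
        // D0 = d0*G
        constmuls.emplace_back(pb, D0x, D0y, d0, Gx, Gy);
        // D1 = d1*G
        constmuls.emplace_back(pb, D1x, D1y, d1, Gx, Gy);
    }

    // Emits the R1CS constraints of every scalar multiplication. All the
    // gadget's constraints come from the sub-gadgets; nothing is added here,
    // so any range/validity check on the scalars is whatever
    // ec_constant_scalarmul_gadget enforces.
    void generate_r1cs_constraints()
    {
        for (auto &mul : constmuls) {
            mul.generate_r1cs_constraints();
        }
    }

    // Fills in the witness. Requires pb.val(r0) to be set by the caller;
    // the sub-gadgets run in insertion order so each one's scalar input
    // has already been computed.
    void generate_r1cs_witness()
    {
        for (auto &mul : constmuls) {
            mul.generate_r1cs_witness();
        }
    }
};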
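// Serialises `value` with operator<< into the file at `path`.
// Returns false (after reporting on stderr) if the file could not be opened
// or the write/close failed, so a truncated key or proof is never silently
// left on disk.
template<typename T>
static bool write_to_file(const string &path, const T &value)
{
    ofstream out(path);
    if (!out) {
        cerr << "Failed to open " << path << " for writing" << endl;
        return false;
    }
    out << value;
    out.close();
    if (!out) {
        cerr << "Failed to write " << path << endl;
        return false;
    }
    return true;
}

// Benchmark / demo driver: builds the ratchet-commit circuit, runs the
// Groth16 generator, prover and verifier on one random r0, prints timing
// and sizes, and writes pk/vk/proof to the working directory.
// Exit status: 0 on success, 1 if verification failed or a file could not
// be written. Command-line arguments are ignored.
int main(int argc, char **argv)
{
    (void)argc;
    (void)argv;

    // Initialize the pairing curve used by the SNARK and the parameters of
    // the embedded curve used by the EC gadgets.
    default_r1cs_gg_ppzksnark_pp::init_public_params();
    init_curveparams();
    typedef libff::Fr<default_r1cs_gg_ppzksnark_pp> FieldT;

    libff::start_profiling();

    // ---- Circuit construction and key generation ----
    cout << "Keypair" << endl;
    protoboard<FieldT> pb;
    pb_variable<FieldT> r0, r1, d0, d1, D0x, D0y, D1x, D1y;
    // Allocation order matters: set_input_sizes(n) below makes the first n
    // allocated variables the primary (public) input, so the four commitment
    // coordinates must be allocated before anything private.
    // Public outputs:
    D0x.allocate(pb, "D0x");
    D0y.allocate(pb, "D0y");
    D1x.allocate(pb, "D1x");
    D1y.allocate(pb, "D1y");
    // Private input:
    r0.allocate(pb, "r0");
    // Private outputs:
    r1.allocate(pb, "r1");
    d0.allocate(pb, "d0");
    d1.allocate(pb, "d1");
    pb.set_input_sizes(4);

    ratchet_commit_gadget<FieldT> rcom(pb, r0, r1, d0, d1, D0x, D0y, D1x, D1y);
    rcom.generate_r1cs_constraints();
    const r1cs_constraint_system<FieldT> constraint_system = pb.get_constraint_system();

    // NOTE(review): the Groth16 generator produces toxic waste. Running it in
    // the same process as the prover is acceptable only for a benchmark; a
    // deployed system must obtain pk/vk from a trusted setup ceremony.
    const r1cs_gg_ppzksnark_keypair<default_r1cs_gg_ppzksnark_pp> keypair =
        r1cs_gg_ppzksnark_generator<default_r1cs_gg_ppzksnark_pp>(constraint_system);

    // ---- Prover ----
    cout << "Prover" << endl;
    // r0 is the secret the proof is meant to hide, so it must come from a
    // cryptographic RNG. This assumes libff's random_element() is backed by
    // one in the build in use — confirm before reusing this code in a tool.
    pb.val(r0) = FieldT::random_element();
    libff::enter_block("PROVER TIME");
    rcom.generate_r1cs_witness();
    // WARNING: the next four lines print the private witness (r0, r1, d0, d1)
    // to stdout. That is fine for this demo and nowhere else.
    cout << "r0 = " << pb.val(r0) << endl;
    cout << "r1 = " << pb.val(r1) << endl;
    cout << "d0 = " << pb.val(d0) << endl;
    cout << "d1 = " << pb.val(d1) << endl;
    cout << "D0 = (" << pb.val(D0x) << ", " << pb.val(D0y) << ")" << endl;
    cout << "D1 = (" << pb.val(D1x) << ", " << pb.val(D1y) << ")" << endl;
    const r1cs_gg_ppzksnark_proof<default_r1cs_gg_ppzksnark_pp> proof =
        r1cs_gg_ppzksnark_prover<default_r1cs_gg_ppzksnark_pp>(keypair.pk, pb.primary_input(), pb.auxiliary_input());
    libff::leave_block("PROVER TIME");

    // ---- Verifier ----
    cout << "Verifier" << endl;
    libff::enter_block("VERIFIER TIME");
    // The strong_IC variant additionally rejects a primary input whose
    // length does not match the verification key, which is the variant a
    // verifier accepting inputs from the prover should use.
    const bool verified = r1cs_gg_ppzksnark_verifier_strong_IC<default_r1cs_gg_ppzksnark_pp>(keypair.vk, pb.primary_input(), proof);
    libff::leave_block("VERIFIER TIME");

    cout << "Number of R1CS constraints: " << constraint_system.num_constraints() << endl;
    cout << "Primary (public) input length: " << pb.primary_input().size() << endl;
    // cout << "Primary (public) input: " << pb.primary_input() << endl;
    cout << "Auxiliary (private) input length: " << pb.auxiliary_input().size() << endl;
    // cout << "Auxiliary (private) input: " << pb.auxiliary_input() << endl;
    cout << "Verification status: " << verified << endl;

    // Persist the artefacts. Proving key, verification key and proof are
    // all public, so default file permissions are adequate; what must not
    // happen is a silent partial write, hence the checks.
    bool all_written = true;
    all_written = write_to_file(string("pk_ratchetcom"), keypair.pk) && all_written;
    all_written = write_to_file(string("vk_ratchetcom"), keypair.vk) && all_written;
    all_written = write_to_file(string("proof_ratchetcom"), proof) && all_written;

    // A failed verification used to exit 0; surface it so scripts notice.
    return (verified && all_written) ? 0 : 1;
}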