package octez-libs
module PC : Kzg_pack.Super_PC_sig
include Aggregation.Polynomial_protocol.S with module PC := PC
include Plonk.Polynomial_protocol.S with module PC := PC
type prover_public_parameters = PC.Public_parameters.prover
The type of prover public parameters.
val prover_public_parameters_t : prover_public_parameters Repr.t
type verifier_public_parameters = PC.Public_parameters.verifier
The type of verifier public parameters.
val verifier_public_parameters_t : verifier_public_parameters Repr.t
The type for proofs, containing a commitment to the polynomial T that asserts the satisfiability of the identities over the subset of interest, as well as a PC
proof and a list of PC
answers.
val setup :
setup_params:PC.Public_parameters.setup_params ->
srs:(Kzg.Bls.Srs.t * Kzg.Bls.Srs.t) ->
prover_public_parameters
* verifier_public_parameters
* Kzg.Utils.Transcript.t
The polynomial commitment setup function, requires a labeled argument of setup parameters for the underlying PC
and a labeled argument containing the path location of a set of SRS files.
val prove :
prover_public_parameters ->
Kzg.Utils.Transcript.t ->
n:int ->
generator:Kzg.Bls.Scalar.t ->
secrets:
(Kzg.Bls.Poly.t Plonk.Identities.SMap.t * PC.Commitment.prover_aux) list ->
eval_points:Plonk.Identities.eval_point list list ->
evaluations:Plonk.Identities.Evaluations.t Plonk.Identities.SMap.t ->
identities:Plonk.Identities.prover_identities ->
nb_of_t_chunks:int ->
proof * Kzg.Utils.Transcript.t
The prover function. Takes as input the prover_public_parameters
, an initial transcript
(possibly including a context if this prove
is used as a building block of a bigger protocol), the size n
of subgroup H, the canonical generator
of subgroup H, a list of secrets
including polynomials that have supposedly been committed (and a verifier received such commitments) as well as prover auxiliary information generated during the committing process, a list of evaluation point lists specifying the evaluation points where each secret needs to be evaluated at, a map of the above-mentioned polynomials this time in FFT evaluations
form, for efficient polynomial multiplication, and some prover_identities
that are supposedly satisfied by the secret polynomials. Outputs a proof and an updated transcript.
val verify :
verifier_public_parameters ->
Kzg.Utils.Transcript.t ->
n:int ->
generator:Kzg.Bls.Scalar.t ->
commitments:PC.Commitment.t list ->
eval_points:Plonk.Identities.eval_point list list ->
identities:Plonk.Identities.verifier_identities ->
proof ->
bool * Kzg.Utils.Transcript.t
The verifier function. Takes as input the verifier_public_parameters
, an initial transcript
(that should coincide with the initial transcript used by prove
), the size n
of subgroup H, the canonical generator
of subgroup H, a list of commitments
to the secret polynomials by the prover, a list of evaluation points as in prove
, some verifier_identities
, and a proof
. Outputs a bool
value representing acceptance or rejection.
type prover_aux = {
answers : Kzg.Bls.Scalar.t Aggregation.Polynomial_protocol.SMap.t Aggregation.Polynomial_protocol.SMap.t list;
batch : Kzg.Bls.Scalar.t Aggregation.Polynomial_protocol.SMap.t list;
alpha : Kzg.Bls.Scalar.t;
x : Kzg.Bls.Scalar.t;
r : Kzg.Bls.Scalar.t;
cms_answers : Answers_commitment.t Aggregation.Polynomial_protocol.SMap.t;
t_answers : Kzg.Bls.Scalar.t list;
}
Auxiliary information needed by the prover for the meta-verification in aPlonK
Auxiliary information needed by the verifier for the meta-verification in aPlonK
val update_transcript_with_formatted_answers :
Kzg.Utils.Transcript.t ->
(Kzg.Bls.Scalar.t Aggregation.Polynomial_protocol.SMap.t
Aggregation.Polynomial_protocol.SMap.t
list ->
Answers_commitment.t)
Aggregation.Polynomial_protocol.SMap.t ->
Kzg.Bls.Scalar.t Aggregation.Polynomial_protocol.SMap.t
Aggregation.Polynomial_protocol.SMap.t
list ->
Kzg.Bls.Scalar.t list
* Answers_commitment.t Aggregation.Polynomial_protocol.SMap.t
* Kzg.Utils.Transcript.t
val prove_super_aggregation :
prover_public_parameters ->
Kzg.Utils.Transcript.t ->
commit_to_answers_map:
(Kzg.Bls.Scalar.t Aggregation.Polynomial_protocol.SMap.t
Aggregation.Polynomial_protocol.SMap.t
list ->
Answers_commitment.t)
Aggregation.Polynomial_protocol.SMap.t ->
n:int ->
generator:Kzg.Bls.Scalar.t ->
secrets:
(Kzg.Bls.Poly.t Aggregation.Polynomial_protocol.SMap.t
* PC.Commitment.prover_aux)
list ->
eval_points:Plonk.Identities.eval_point list list ->
evaluations:
Plonk.Identities.Evaluations.t Aggregation.Polynomial_protocol.SMap.t ->
identities:Plonk.Identities.prover_identities ->
nb_of_t_chunks:int ->
(proof * prover_aux) * Kzg.Utils.Transcript.t
val verify_super_aggregation :
verifier_public_parameters ->
Kzg.Utils.Transcript.t ->
n:int ->
generator:Kzg.Bls.Scalar.t ->
commitments:PC.Commitment.t list ->
eval_points:Plonk.Identities.eval_point list list ->
s_list:Kzg.Bls.Scalar.t Aggregation.Polynomial_protocol.SMap.t list ->
cms_answers:Answers_commitment.public Aggregation.Polynomial_protocol.SMap.t ->
t_answers:Kzg.Bls.Scalar.t list ->
ids_batch:(Kzg.Bls.Scalar.t * int) Aggregation.Polynomial_protocol.SMap.t ->
proof ->
(bool * verifier_aux) * Kzg.Utils.Transcript.t
val compute_t :
n:int ->
alpha:Kzg.Bls.Scalar.t ->
nb_of_t_chunks:int ->
Plonk.Identities.Evaluations.t Kzg.SMap.t ->
Plonk.Identities.Evaluations.polynomial Kzg.SMap.t
compute_t ~n ~alpha evaluations
returns a polynomial T splitted in chunks, where T(X) = (sum_i alpha^i evaluations[i]) / (X^n - 1)
and the returned chunks { 'T_0' -> T0; 'T_1' -> T1; 'T_2' -> T2 }
are such that T = T0 + X^n T1 + X^{2n} T2
.