From c0312e5d83502022572d88b5a087d5878a251a6b Mon Sep 17 00:00:00 2001 From: Jordi Baylina Date: Thu, 9 Aug 2018 15:31:16 +0200 Subject: [PATCH] snarks part done --- README | 107 ++++++++++++++++++++ README.md | 6 +- src/gt.js | 20 ++++ src/pairing.js | 2 + src/{polinomial.js => polfield.js} | 4 + src/prover.js | 83 ++++++++++++++- src/setup.js | 155 +++++++++++++++++++++++++++++ src/verifier.js | 50 +++++++++- src/znfield.js | 15 +++ 9 files changed, 437 insertions(+), 5 deletions(-) create mode 100644 README create mode 100644 src/gt.js rename src/{polinomial.js => polfield.js} (93%) diff --git a/README b/README new file mode 100644 index 0000000..dd185fb --- /dev/null +++ b/README @@ -0,0 +1,107 @@ +# javascript implementation of zkSnark + +This is a javascript implementation of zkSnarks. + +This library allows to do the trusted setup, generate proofs and verify the proofs. + +This library uses the compiled circuits generated by the jaz compiler. + +## Install + +``` +npm install zkSnark +``` + +## Usage + +### import + +``` +const zkSnark = require("zksnark"); +``` + +### Load a circuit. + +``` +// "myCircuit.cir" is the output of the jaz compiler + +const circuitDef = JSON.parse(fs.readFileSync("myCircuit.cir", "utf8")); +const circuit = new zkSnark.Circuit(circuitDef); +``` + +### Inspect the circuit. + +``` + // `signalId` can always be a number or an alias string + + circuit.m; // number of constrains + circuit.n; // number of signals + circuit.p; // number of public signals (nPublicInputs + nOutputs) + + // The array of signals is always sorted in this order: + // [ outputs, publicInputs, privedInputs, internalSignals, constants] + + // returns a,b and c coeficients of the `signalId` on a given `constrain` + circuit.a(constrain, signalId) + circuit.b(constrain, signalId) + circuit.c(constrain, signalId) + + circuit.nOutputs // number of public outputs + circuit.nPublicInputs // number of public inputs + circuit.nPrivateInputs // number of private inputs + circuit.nInputs // number of inputs ( nPublicInputs + nPrivateInputs) + + circuit.outputIdx(i) // returns the index of the i'th output + circuit.inputIdx(i) // returns the index of the i'th input + circuit.inputPublicIdx(i) // returns the index of the i'th public input + circuit.inputPrivateIdx(i) // returns the index of the i'th private input + + // returns signal Idx given a signalId + // if the idx >= n , it is a constant + // if the idx == -1, the signal does not exist + circuit.signalId2idx(signalId); + + // returns an array aliases names for a given signalId + circuit.signalNames(signalId) + + // input is a key value object where keys are the signal names + // of all the inputs (public and private) + // returns an array of values that represent the witness + circuit.generateWitness(input) +``` + +### Trusted setup + +``` +const setup = zkSnark.setup(circuit); +fs.writeFileSink("myCircuit.vk_proof", JSON.stringify(setup.vk_proof), "utf8"); +fs.writeFileSink("myCircuit.vk_verifier", JSON.stringify(setup.vk_verifier), "utf8"); +setup.toxic // Must be discarded. +``` + +### Generate proof + +``` +const circuitDef = JSON.parse(fs.readFileSync("myCircuit.cir", "utf8")); +const circuit = new zkSnark.Circuit(circuitDef); +const input = { + "main.pubIn1": "123", + "main.out1": "456" +} +const witness = circuit.generateWitness(input); +const vk_proof = JSON.parse(fs.readFileSync("myCircuit.vk_proof", "utf8")); + +const {proof, publicSignals} = zkSnark.genProof(vk_proof, witness); +``` + +### Verifier + +``` +const vk_verifier = JSON.parse(fs.readFileSync("myCircuit.vk_verifier", "utf8")); + +if (zkSnark.isValid(vk_verifier, proof, publicSignals)) { + console.log("The proof is valid"); +} else { + console.log("The proof is not valid"); +} +``` diff --git a/README.md b/README.md index dd185fb..b6dc4d4 100644 --- a/README.md +++ b/README.md @@ -34,9 +34,9 @@ const circuit = new zkSnark.Circuit(circuitDef); ``` // `signalId` can always be a number or an alias string - circuit.m; // number of constrains - circuit.n; // number of signals - circuit.p; // number of public signals (nPublicInputs + nOutputs) + circuit.nConstrains; // number of constrains + circuit.nSignals; // number of signals + circuit.nPublic; // number of public signals (nOutputs + nPublicInputs) // The array of signals is always sorted in this order: // [ outputs, publicInputs, privedInputs, internalSignals, constants] diff --git a/src/gt.js b/src/gt.js new file mode 100644 index 0000000..996ad77 --- /dev/null +++ b/src/gt.js @@ -0,0 +1,20 @@ +const bigInt = require("big-integer"); +const ZnField = require("./znfield.js"); + +module.eports = class Gt { + + constructor() { + // TODO + throw new Error("Not Implementted"); + } + + mul(p1, p2) { + // TODO + throw new Error("Not Implementted"); + } + + equal(p1, p2) { + // TODO + throw new Error("Not Implementted"); + } +}; diff --git a/src/pairing.js b/src/pairing.js index 484c5eb..e38397a 100644 --- a/src/pairing.js +++ b/src/pairing.js @@ -5,6 +5,8 @@ This module calculate the pairing of p1 and p2 where p1 in G1 and p2 in G2 const bigInt = require("big-integer"); module.exports = function pairing(p1, p2) { + + // TODO throw new Error("Not Implementted"); }; diff --git a/src/polinomial.js b/src/polfield.js similarity index 93% rename from src/polinomial.js rename to src/polfield.js index dde58ad..60e5b9e 100644 --- a/src/polinomial.js +++ b/src/polfield.js @@ -37,6 +37,10 @@ class PolField { throw new Error("Not Implementted"); } + eval(p, x) { + throw new Error("Not Implementted"); + } + lagrange(points) { throw new Error("Not Implementted"); } diff --git a/src/prover.js b/src/prover.js index a888851..5844680 100644 --- a/src/prover.js +++ b/src/prover.js @@ -1,5 +1,86 @@ +const bigInt = require("big-integer"); + +const ZnField = require("./znfield.js"); +const G1Curve = require("./g1curve"); +const G2Curve = require("./g2curve"); +const PolField = require("./polfield.js"); + +const F = new ZnField(bigInt("21888242871839275222246405745257275088548364400416034343698204186575808495617")); +const G1 = new G1Curve(); +const G2 = new G2Curve(); +const PolF = new PolField(F); module.exports = function genProof(vk_proof, witness) { -} + const proof = {}; + + proof.pi_a = G1.zero(); + proof.pi_ap = G1.zero(); + proof.pi_b = G2.zero(); + proof.pi_bp = G2.zero(); + proof.pi_c = G1.zero(); + proof.pi_cp = G1.zero(); + proof.pi_kp = G1.zero(); + proof.pi_h = G1.zero(); + + + for (let s= vk_proof.nPublic; s< vk_proof.nSignals; s++) { + + // pi_a = pi_a + A[s] * witness[s]; + proof.pi_a = G1.add( proof.pi_a, G1.mulEscalar( vk_proof.A[s], witness[s])); + + // pi_ap = pi_ap + Ap[s] * witness[s]; + proof.pi_ap = G1.add( proof.pi_ap, G1.mulEscalar( vk_proof.Ap[s], witness[s])); + } + + for (let s= 0; s< vk_proof.nSignals; s++) { + // pi_a = pi_a + A[s] * witness[s]; + proof.pi_b = G2.add( proof.pi_b, G1.mulEscalar( vk_proof.B[s], witness[s])); + + // pi_ap = pi_ap + Ap[s] * witness[s]; + proof.pi_bp = G1.add( proof.pi_bp, G1.mulEscalar( vk_proof.Bp[s], witness[s])); + + // pi_a = pi_a + A[s] * witness[s]; + proof.pi_c = G1.add( proof.pi_c, G1.mulEscalar( vk_proof.C[s], witness[s])); + + // pi_ap = pi_ap + Ap[s] * witness[s]; + proof.pi_cp = G1.add( proof.pi_cp, G1.mulEscalar( vk_proof.Cp[s], witness[s])); + + // pi_ap = pi_ap + Ap[s] * witness[s]; + proof.pi_kp = G1.add( proof.pi_kp, G1.mulEscalar( vk_proof.Kp[s], witness[s])); + } + + let polA = []; + let polB = []; + let polC = []; + + for (let s= 0; s< vk_proof.nSignals; s++) { + polA = PolF.add( + polA, + PolF.mul( + vk_proof.polsA[s], + [witness[s]] )); + + polB = PolF.add( + polB, + PolF.mul( + vk_proof.polsB[s], + [witness[s]] )); + + polC = PolF.add( + polC, + PolF.mul( + vk_proof.polsC[s], + [witness[s]] )); + } + + let polFull = PolF.sub(PolF.mul( polA, polB), polC); + + const h = PolF.div(polFull, vk_proof.polZ ); + + for (let i = 0; i < h.length; i++) { + proof.pi_h = G1.add( proof.pi_h, G1.mulEscalar( vk_proof.hExps[i], h[i])); + } + +}; diff --git a/src/setup.js b/src/setup.js index fbc94e4..76b6f0a 100644 --- a/src/setup.js +++ b/src/setup.js @@ -1,5 +1,160 @@ +const bigInt = require("big-integer"); +const ZnField = require("./znfield.js"); +const PolField = require("./polfield.js"); +const G1Curve = require("./g1curve"); +const G2Curve = require("./g2curve"); + +const F = new ZnField(bigInt("21888242871839275222246405745257275088548364400416034343698204186575808495617")); +const PolF = new PolField(F); +const G1 = new G1Curve(); +const G2 = new G2Curve(); module.exports = function setup(circuit) { + const setup = { + vk_proof : { + nSignals: circuit.nSignals, + nPublic: circuit.nPublic + }, + vk_verifier: { + nPublic: circuit.nPublic + }, + toxic: {} + }; + calculatePolinomials(setup, circuit); + setup.toxic.t = F.random(); + calculateEncriptedValuesAtT(setup, circuit); + calculateHexps(setup, circuit); +}; + +function calculatePolinomials(setup, circuit) { + // Calculate the points that must cross each polinomial + const aPoints = []; + const bPoints = []; + const cPoints = []; + for (let s = 0; circuit.nSignals; s++) { + aPoints[s] = []; + bPoints[s] = []; + cPoints[s] = []; + for (let c=0; c