diff --git a/src/bench.c b/src/bench.c
index b18756a..c6c0335 100644
--- a/src/bench.c
+++ b/src/bench.c
@@ -77,14 +77,14 @@ int main(int argc, char *argv[])
 else if (strcmp(argv[1], "-p") == 0)
 {
 setup_keys keys = read_setup(&bench_circuit);
- proof p = generate_proof(&bench_circuit, keys.pk);
+ proof p = generate_proof(&bench_circuit, &keys.pk);
 store_proof(&p);
 }
 else if (strcmp(argv[1], "-v") == 0)
 {
 setup_keys keys = read_setup(&bench_circuit);
 proof p = read_proof();
- verify_proof(&bench_circuit, p, keys.vk);
+ verify_proof(&bench_circuit, &p, &keys.vk);
 }
 return 0;
diff --git a/src/common/utils.c b/src/common/utils.c
index 69b05f6..f7ce452 100644
--- a/src/common/utils.c
+++ b/src/common/utils.c
@@ -54,7 +54,7 @@ void init_setup(void *circuit)
 }
 }
-void init_prover(void *circuit, proving_key pk)
+void init_prover(void *circuit, proving_key *pk)
 {
 init_setup(circuit);
@@ -62,7 +62,7 @@ void init_prover(void *circuit, proving_key pk)
 double elapsed;
 clock_gettime(CLOCK_MONOTONIC, &begin);
- int n = mpz_get_ui(pk.Ne);
+ int n = mpz_get_ui(pk->Ne);
 AsFr = (mclBnFr*) malloc((n) * sizeof(mclBnFr));
 BsFr = (mclBnFr*) malloc((n) * sizeof(mclBnFr));
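Review bot: The `-v` branch discards the result of `verify_proof(&bench_circuit, &p, &keys.vk);` and falls through to `return 0;`, so a proof that fails to verify still exits successfully and anything scripting the benchmark cannot tell the difference. verify_proof returns an int per the prototype changed in zpie.h in this same commit, so propagate it: `return verify_proof(&bench_circuit, &p, &keys.vk) ? 0 : 1;`. main's body starts before this hunk, so there may be other exit paths I cannot see.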
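Review bot: `int n = mpz_get_ui(pk->Ne);` takes a value that, via read_setup, comes from a key file and uses it unchecked as the element count for mallocs whose results are never tested for NULL. mpz_get_ui returns an unsigned long, so a value above INT_MAX lands in n as a negative number and `(n) * sizeof(mclBnFr)` then converts to an enormous size_t. I would reject the degenerate cases before allocating, `if (mpz_sgn(pk->Ne) <= 0 || !mpz_fits_sint_p(pk->Ne)) { /* fail: invalid Ne */ }`, and check each malloc result. init_prover continues beyond this hunk; the remaining allocations are in the next one.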
@@ -75,24 +75,23 @@ void init_prover(void *circuit, proving_key pk)
 rsigma = (mclBnFr*) malloc((n) * sizeof(mclBnFr));
 rsigmaInv = (mclBnFr*) malloc((n) * sizeof(mclBnFr));
- mpz_t shift_fft_mpz;
+ static mpz_t shift;
 mpz_init(shift);
- mpz_init(shift_fft_mpz);
 mclBnFr rand;
 generate_random_scalar(&rand);
 fr_to_mpz(&shift, &rand);
- mpz_powm(shift_fft_mpz, shift, pk.Ne, pPrime);
- mpz_sub_ui(shift_fft_mpz, shift_fft_mpz, 1);
- mpz_invert(shift_fft_mpz, shift_fft_mpz, pPrime);
+ mpz_powm(shift, shift, pk->Ne, pPrime);
+ mpz_sub_ui(shift, shift, 1);
+ mpz_invert(shift, shift, pPrime);
- mpz_to_fr(&shift_fft, &shift_fft_mpz);
+ mpz_to_fr(&shift_fft, &shift);
 mclBnFr_setInt(&rsigma[0], 1);
 mclBnFr_inv(&rsigmaInv[0], &rsigma[0]);
- mclBnG1_mul(&pk.xt1_rand[0], &pk.xt1[0], &rsigmaInv[0]);
+ mclBnG1_mul(&pk->xt1_rand[0], &pk->xt1[0], &rsigmaInv[0]);
 mclBnFr n_inverted;
 mclBnFr_setInt(&n_inverted, n);
@@ -100,16 +99,16 @@ void init_prover(void *circuit, proving_key pk)
 mclBnFr_mul(&rsigma[0], &rsigma[0], &n_inverted);
+ mclBnFr one;
+ mclBnFr_setInt(&one, 1);
+ mclBnFr_mul(&rsigma[1], &rand, &one);
+
 for (int i = 1; i < n; i++)
 {
- mpz_t factor;
- mpz_init(factor);
- mpz_powm_ui(factor, shift, i, pPrime);
-
- mpz_to_fr(&rsigma[i], &factor);
+ if (i < n - 1) mclBnFr_mul(&rsigma[i + 1], &rsigma[i], &rand);
 mclBnFr_inv(&rsigmaInv[i], &rsigma[i]);
- mclBnG1_mul(&pk.xt1_rand[i], &pk.xt1[i], &rsigmaInv[i]);
+ mclBnG1_mul(&pk->xt1_rand[i], &pk->xt1[i], &rsigmaInv[i]);
 mclBnFr_mul(&rsigma[i], &rsigma[i], &n_inverted);
 }
diff --git a/src/gro16/gro16.h b/src/gro16/gro16.h
index 42c76ce..4b4c0d2 100644
--- a/src/gro16/gro16.h
+++ b/src/gro16/gro16.h
@@ -47,8 +47,6 @@ static mclBnFr *CsFr;
 static mclBnFr *rsigma;
 static mclBnFr *rsigmaInv;
-
-static mpz_t shift;
 static mclBnFr shift_fft;
 static mpz_t *wM;
diff --git a/src/gro16/prover.c b/src/gro16/prover.c
index d678b44..7ed8874 100644
--- a/src/gro16/prover.c
+++ b/src/gro16/prover.c
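Review bot: The return value of `mpz_invert(shift, shift, pPrime);` is ignored; it returns 0 and leaves `shift` undefined when `rand^Ne - 1` is zero mod pPrime, i.e. when the random scalar happens to be an Ne-th root of unity (rand = 1 is the obvious case), and shift_fft then holds garbage. That is negligible for a uniform scalar, but tests.c drives generate_random_scalar with test_no_rand set, so a fixed value could hit it; check the result, `if (!mpz_invert(shift, shift, pPrime)) { /* draw a fresh rand or abort */ }`. Separately, `static mpz_t shift;` is mpz_init'd on every call while the matching mpz_clear in generate_proof is removed in this commit, so each proof leaks the previous limb buffer; since the loop in the next hunk works from rand rather than shift, a plain automatic `mpz_t shift;` cleared at the end of init_prover would do, unless something outside this diff still references it. The end of init_prover is outside this hunk.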
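Review bot: `mclBnFr_mul(&rsigma[1], &rand, &one);` runs unconditionally, but rsigma is allocated with n elements in the previous hunk, so if Ne can be 1 this is a write one past the end of the buffer; the old loop only touched rsigma[i] for i < n. Guard it and drop the multiply-by-one, which is just a copy: `if (n > 1) rsigma[1] = rand;` (the `one` temporary then goes away). Whether Ne = 1 is reachable depends on how the circuit's domain size is chosen, which this diff does not show.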
@@ -1,7 +1,7 @@
-void h_coefficients(proving_key pk)
+void h_coefficients(proving_key *pk)
 {
- int n = mpz_get_ui(pk.Ne);
+ int n = mpz_get_ui(pk->Ne);
 mclBnFr uwFr[M];
 #pragma omp parallel for
@@ -21,46 +21,46 @@ void h_coefficients(proving_key pk)
 int l_it = 0;
 int r_it = 1;
- for (int j = 0; j < pk.qap_size; j+=3)
+ for (int j = 0; j < pk->qap_size; j+=3)
 {
- switch (pk.LRO[j])
+ switch (pk->LRO[j])
 {
- case 1: mclBnFr_add(&AsFr[pk.LRO[j+1]], &AsFr[pk.LRO[j+1]], &uwFr[pk.LRO[j+2]]); break;
- case 2: mclBnFr_add(&BsFr[pk.LRO[j+1]], &BsFr[pk.LRO[j+1]], &uwFr[pk.LRO[j+2]]); break;
- case 3: mclBnFr_add(&CsFr[pk.LRO[j+1]], &CsFr[pk.LRO[j+1]], &uwFr[pk.LRO[j+2]]); break;
+ case 1: mclBnFr_add(&AsFr[pk->LRO[j+1]], &AsFr[pk->LRO[j+1]], &uwFr[pk->LRO[j+2]]); break;
+ case 2: mclBnFr_add(&BsFr[pk->LRO[j+1]], &BsFr[pk->LRO[j+1]], &uwFr[pk->LRO[j+2]]); break;
+ case 3: mclBnFr_add(&CsFr[pk->LRO[j+1]], &CsFr[pk->LRO[j+1]], &uwFr[pk->LRO[j+2]]); break;
 case 10:
 {
 mclBnFr factorFr;
- if (pk.LRO[j+3] != INT_MAX)
+ if (pk->LRO[j+3] != INT_MAX)
 {
- mclBnFr_setInt(&factorFr, pk.LRO[j+3]);
- mclBnFr_mul(&factorFr, &uwFr[pk.LRO[j+2]], &factorFr);
+ mclBnFr_setInt(&factorFr, pk->LRO[j+3]);
+ mclBnFr_mul(&factorFr, &uwFr[pk->LRO[j+2]], &factorFr);
 }
 else
 {
- mpz_to_fr(&factorFr, &pk.LRO_constants[l_it]);
- mclBnFr_mul(&factorFr, &uwFr[pk.LRO[j+2]], &factorFr);
+ mpz_to_fr(&factorFr, &pk->LRO_constants[l_it]);
+ mclBnFr_mul(&factorFr, &uwFr[pk->LRO[j+2]], &factorFr);
 l_it+=2;
 }
- mclBnFr_add(&AsFr[pk.LRO[j+1]], &AsFr[pk.LRO[j+1]], &factorFr);
+ mclBnFr_add(&AsFr[pk->LRO[j+1]], &AsFr[pk->LRO[j+1]], &factorFr);
 j+=1;
 break;
 }
 case 20:
 {
 mclBnFr factorFr;
- if (pk.LRO[j+3] != INT_MAX)
+ if (pk->LRO[j+3] != INT_MAX)
 {
- mclBnFr_setInt(&factorFr, pk.LRO[j+3]);
- mclBnFr_mul(&factorFr, &uwFr[pk.LRO[j+2]], &factorFr);
+ mclBnFr_setInt(&factorFr, pk->LRO[j+3]);
+ mclBnFr_mul(&factorFr, &uwFr[pk->LRO[j+2]], &factorFr);
 }
 else
 {
- mpz_to_fr(&factorFr, &pk.LRO_constants[r_it]);
- mclBnFr_mul(&factorFr, &uwFr[pk.LRO[j+2]], &factorFr);
+ mpz_to_fr(&factorFr, &pk->LRO_constants[r_it]);
+ mclBnFr_mul(&factorFr, &uwFr[pk->LRO[j+2]], &factorFr);
 r_it+=2;
 }
- mclBnFr_add(&BsFr[pk.LRO[j+1]], &BsFr[pk.LRO[j+1]], &factorFr);
+ mclBnFr_add(&BsFr[pk->LRO[j+1]], &BsFr[pk->LRO[j+1]], &factorFr);
 j+=1;
 break;
 }
@@ -71,13 +71,13 @@ void h_coefficients(proving_key pk)
 {
 switch (get_thread())
 {
- case 0: ifft_t(n, pk.wMFr, AsFr); break;
- case 1: ifft_t(n, pk.wMFr, BsFr); break;
- case 2: ifft_t(n, pk.wMFr, CsFr); break;
+ case 0: ifft_t(n, pk->wMFr, AsFr); break;
+ case 1: ifft_t(n, pk->wMFr, BsFr); break;
+ case 2: ifft_t(n, pk->wMFr, CsFr); break;
 case 99:
- ifft_t(n, pk.wMFr, AsFr);
- ifft_t(n, pk.wMFr, BsFr);
- ifft_t(n, pk.wMFr, CsFr);
+ ifft_t(n, pk->wMFr, AsFr);
+ ifft_t(n, pk->wMFr, BsFr);
+ ifft_t(n, pk->wMFr, CsFr);
 break;
 }
 }
@@ -89,12 +89,12 @@ void h_coefficients(proving_key pk)
 mclBnFr_sub(&AsFr[i], &AsFr[i], &CsFr[i]);
 }
- ifft(n, pk.wMFr, AsFr);
+ ifft(n, pk->wMFr, AsFr);
 }
-void mul_exp(struct mulExpResult *result, mpz_t *uwProof, proving_key pk)
+void mul_exp(struct mulExpResult *result, mpz_t *uwProof, proving_key *pk)
 {
- int n = mpz_get_ui(pk.Ne);
+ int n = mpz_get_ui(pk->Ne);
 mclBnFr uwFactor[M];
 mclBnFr uwFactorPublic[M-(nPublic + nConst)];
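Review bot: The `switch (pk->LRO[j])` has no `default:`, so an opcode other than 1, 2, 3, 10 or 20 in the proving key is silently skipped and the coefficient it was meant to contribute is dropped, which yields a wrong proof with no diagnostic. Add `default: log_message("h_coefficients: unknown LRO opcode"); abort();` or an equivalent error path (log_message is the helper verifier.c already uses). Note also that `pk->LRO[j+1]` and `pk->LRO[j+2]` index AsFr/BsFr/CsFr and uwFr without a range check while the key is read from disk by read_setup, so if that loader does not validate them the checks belong there; the loader is not in this diff. h_coefficients begins and ends outside this hunk.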
@@ -117,14 +117,14 @@ void mul_exp(struct mulExpResult *result, mpz_t *uwProof, proving_key pk)
 int num_threads = get_nprocs();
 #endif
- mclBnG1_mulVecMT(&result->uwA1, pk.A1, uwFactor, M, num_threads);
- mclBnG1_mulVecMT(&result->uwB1, pk.B1, uwFactor, M, num_threads);
- mclBnG2_mulVecMT(&result->uwB2, pk.B2, uwFactor, M, num_threads);
- mclBnG1_mulVecMT(&result->uwC1, pk.pk1, uwFactorPublic, M-(nPublic + nConst), num_threads);
- mclBnG1_mulVecMT(&result->htdelta, pk.xt1_rand, AsFr, n, num_threads);
+ mclBnG1_mulVecMT(&result->uwA1, pk->A1, uwFactor, M, num_threads);
+ mclBnG1_mulVecMT(&result->uwB1, pk->B1, uwFactor, M, num_threads);
+ mclBnG2_mulVecMT(&result->uwB2, pk->B2, uwFactor, M, num_threads);
+ mclBnG1_mulVecMT(&result->uwC1, pk->pk1, uwFactorPublic, M-(nPublic + nConst), num_threads);
+ mclBnG1_mulVecMT(&result->htdelta, pk->xt1_rand, AsFr, n, num_threads);
 }
-void prove(int *circuit, mclBnG1 *piA, mclBnG2 *piB2, mclBnG1 *piC, mpz_t *uwProof, proving_key pk)
+void prove(int *circuit, mclBnG1 *piA, mclBnG2 *piB2, mclBnG1 *piC, mpz_t *uwProof, proving_key *pk)
 {
 prover = 1;
@@ -169,22 +169,22 @@ void prove(int *circuit, mclBnG1 *piA, mclBnG2 *piB2, mclBnG1 *piC, mpz_t *uwPro
 generate_random_scalar(&s);
 // piA = s1.alpha + Auw + r * s1.delta;
- mclBnG1_mul(piA, &pk.delta1, &r);
+ mclBnG1_mul(piA, &pk->delta1, &r);
 mclBnG1_add(piA, piA, &result.uwA1);
- mclBnG1_add(piA, piA, &pk.alpha1);
+ mclBnG1_add(piA, piA, &pk->alpha1);
 // piB1 = s1.beta + B1uw + s * s1.delta;
- mclBnG1_mul(&piB1, &pk.delta1, &s);
+ mclBnG1_mul(&piB1, &pk->delta1, &s);
 mclBnG1_add(&piB1, &piB1, &result.uwB1);
- mclBnG1_add(&piB1, &piB1, &pk.beta1);
+ mclBnG1_add(&piB1, &piB1, &pk->beta1);
 // piB2 = s2.beta + B2uw + s * s2.delta;
- mclBnG2_mul(piB2, &pk.delta2, &s);
+ mclBnG2_mul(piB2, &pk->delta2, &s);
 mclBnG2_add(piB2, piB2, &result.uwB2);
- mclBnG2_add(piB2, piB2, &pk.beta2);
+ mclBnG2_add(piB2, piB2, &pk->beta2);
 mclBnG1 factorG1;
 // piC = Cw + htdelta + piA*s + piB*r - r*s*s1.delta
- mclBnG1_mul(&factorG1, &pk.delta1, &r);
+ mclBnG1_mul(&factorG1, &pk->delta1, &r);
 mclBnG1_mul(&factorG1, &factorG1, &s);
 mclBnG1_mul(piC, &piB1, &r);
 mclBnG1_sub(&factorG1, piC, &factorG1);
diff --git a/src/gro16/verifier.c b/src/gro16/verifier.c
index ae2e167..6f0acaf 100644
--- a/src/gro16/verifier.c
+++ b/src/gro16/verifier.c
@@ -1,5 +1,5 @@
-int verify(mclBnG1 *piA, mclBnG2 *piB2, mclBnG1 *piC, mpz_t u[(nPublic + nConst)], verifying_key vk)
+int verify(proof *p, verifying_key *vk)
 {
 mclBnG1 factorG1;
 mclBnFr frFactor;
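Review bot: `mclBnG1_mul(&factorG1, &pk->delta1, &r);` followed by `mclBnG1_mul(&factorG1, &factorG1, &s);` spends two G1 scalar multiplications to obtain r·s·delta1, where one field multiplication plus a single curve multiplication gives the same point: `mclBnFr rs; mclBnFr_mul(&rs, &r, &s); mclBnG1_mul(&factorG1, &pk->delta1, &rs);`. Scalar multiplications dominate prover time, so this is a free saving with no change to the resulting proof. The comment above it matches the Groth16 piC formula, so nothing else looks off here; prove starts before this hunk and the rest of the piC assembly continues after it.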
@@ -10,16 +10,16 @@ int verify(mclBnG1 *piA, mclBnG2 *piB2, mclBnG1 *piC, mpz_t u[(nPublic + nConst)
 for (int i = (nPublic); i--;)
 {
 // Vu = Vu + u[i] * s1.vk[i]
- mpz_to_fr(&frFactor, &u[i]);
- mclBnG1_mul(&factorG1, &vk.vk1[i+nConst], &frFactor);
+ mpz_to_fr(&frFactor, &p->uwProof[i]);
+ mclBnG1_mul(&factorG1, &vk->vk1[i+nConst], &frFactor);
 mclBnG1_add(&Vu, &Vu, &factorG1);
 }
 for (int i = (nConst); i--;)
 {
 // Vu = Vu + u[i] * s1.vk[i]
- mpz_to_fr(&frFactor, &vk.constants[i]);
- mclBnG1_mul(&factorG1, &vk.vk1[i], &frFactor);
+ mpz_to_fr(&frFactor, &vk->constants[i]);
+ mclBnG1_mul(&factorG1, &vk->vk1[i], &frFactor);
 mclBnG1_add(&Vu, &Vu, &factorG1);
 }
@@ -29,13 +29,13 @@ int verify(mclBnG1 *piA, mclBnG2 *piB2, mclBnG1 *piC, mpz_t u[(nPublic + nConst)
 {
 switch (get_thread())
 {
- case 0: mclBn_pairing(&pairing1, piA, piB2); break;
- case 1: mclBn_pairing(&pairing2, &Vu, &vk.gamma2); break;
- case 2: mclBn_pairing(&pairing3, piC, &vk.delta2); break;
+ case 0: mclBn_pairing(&pairing1, &p->piA, &p->piB2); break;
+ case 1: mclBn_pairing(&pairing2, &Vu, &vk->gamma2); break;
+ case 2: mclBn_pairing(&pairing3, &p->piC, &vk->delta2); break;
 case 99:
- mclBn_pairing(&pairing1, piA, piB2);
- mclBn_pairing(&pairing2, &Vu, &vk.gamma2);
- mclBn_pairing(&pairing3, piC, &vk.delta2);
+ mclBn_pairing(&pairing1, &p->piA, &p->piB2);
+ mclBn_pairing(&pairing2, &Vu, &vk->gamma2);
+ mclBn_pairing(&pairing3, &p->piC, &vk->delta2);
 break;
 }
 }
@@ -53,7 +53,7 @@ int verify(mclBnG1 *piA, mclBnG2 *piB2, mclBnG1 *piC, mpz_t u[(nPublic + nConst)
 }
 log_message("Computing e(alpha, beta) * e(Vu, gamma) * e(piC, delta)...");
- mclBnGT_mul(&factorGT, &vk.alphabetaT, &pairing2);
+ mclBnGT_mul(&factorGT, &vk->alphabetaT, &pairing2);
 mclBnGT_mul(&factorGT, &factorGT, &pairing3);
 log_state(1);
 if (logs)
diff --git a/src/tests.c b/src/tests.c
index a280ee2..ea0348f 100644
--- a/src/tests.c
+++ b/src/tests.c
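Review bot: With the new signature the statement being verified is taken from `p->uwProof[i]`, i.e. from the proof object the prover produced (bench.c loads it from a file via read_proof()), so whoever supplies the proof also chooses the public inputs it is checked against. The previous signature at least let the caller pass `u[]` independently; as written, a caller that wants to verify a specific statement must compare p->uwProof against its own expected values before calling verify, and nothing in this diff does so. I would either keep an explicit `const mpz_t *u` parameter or document on verify that this comparison is the caller's responsibility. verify's body continues outside this hunk, so I may be missing a check elsewhere.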
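Review bot: `&p->piA`, `&p->piB2` and `&p->piC` go straight into mclBn_pairing without a validity check, and these points come from an untrusted proof file via read_proof(). Unless the deserialization used there already rejects points off the curve and, for G2, outside the prime-order subgroup (in mcl the latter depends on whether mclBn_verifyOrderG2 was enabled, so confirm against your build), the verifier should do so here: `if (!mclBnG1_isValid(&p->piA) || !mclBnG2_isValid(&p->piB2) || !mclBnG1_isValid(&p->piC)) return 0;` before the pairings, plus `mclBnG2_isValidOrder(&p->piB2)` if the loader does not check order. read_proof is not in this diff, so this may already be covered.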
@@ -56,7 +56,7 @@ void test_prover(void)
 {
 test_no_rand = 1;
 setup_keys keys = perform_setup(&test_single_constraint);
- proof p = generate_proof(&test_single_constraint, keys.pk);
+ proof p = generate_proof(&test_single_constraint, &keys.pk);
 const char *piAstr = "1 13398732126763033363928255770670403609664455533535809960659793057603927642327 14567332642717250669329472598965177550050834309459245026995104363234319745805";
 const char *piB2str = "1 9513526328373247288214002967710658327692956864193416721895179753121227228903 17320346092699268035923233491595138958007151833266586455159840335219170425243 8079768110185479532548096263199181437927983909022782182442306192699700743609 19381997603489315175356927627025590277145986935796790438444340629346184509934";
@@ -82,13 +82,13 @@ void test_full_circuits(void)
 setup_keys keys_mh = perform_setup(&test_mimc_hash);
 setup_keys keys_ev = perform_setup(&test_eddsa_verification);
- proof p_sc = generate_proof(&test_single_constraint, keys_sc.pk);
- proof p_mh = generate_proof(&test_mimc_hash, keys_mh.pk);
- proof p_ev = generate_proof(&test_eddsa_verification, keys_ev.pk);
+ proof p_sc = generate_proof(&test_single_constraint, &keys_sc.pk);
+ proof p_mh = generate_proof(&test_mimc_hash, &keys_mh.pk);
+ proof p_ev = generate_proof(&test_eddsa_verification, &keys_ev.pk);
- CU_ASSERT(verify_proof(&test_single_constraint, p_sc, keys_sc.vk));
- CU_ASSERT(verify_proof(&test_mimc_hash, p_mh, keys_mh.vk));
- CU_ASSERT(verify_proof(&test_eddsa_verification, p_ev, keys_ev.vk));
+ CU_ASSERT(verify_proof(&test_single_constraint, &p_sc, &keys_sc.vk));
+ CU_ASSERT(verify_proof(&test_mimc_hash, &p_mh, &keys_mh.vk));
+ CU_ASSERT(verify_proof(&test_eddsa_verification, &p_ev, &keys_ev.vk));
 }
 //TODO: fix this
diff --git a/src/zpie.c b/src/zpie.c
index 51e24c1..c5dc287 100644
--- a/src/zpie.c
+++ b/src/zpie.c
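Review bot: test_full_circuits only asserts that freshly generated proofs verify; there is no case where verify_proof is expected to return 0, so a verifier that unconditionally returns 1, or one that ignores piC, passes this suite unchanged. Add at least one tampered-proof check next to the positive ones, e.g. `proof bad = p_sc; mclBnG1_add(&bad.piC, &bad.piC, &p_sc.piA); CU_ASSERT(!verify_proof(&test_single_constraint, &bad, &keys_sc.vk));`. That copy assumes the proof struct's fields are inline arrays or pointers that stay valid for p_sc's lifetime, which this diff does not show; if uwProof is heap-owned, tamper in place on a separately generated proof instead.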
@@ -365,7 +365,7 @@ setup_keys read_setup(void *circuit)
 return keys;
 }
-proof generate_proof(void *circuit, proving_key pk)
+proof generate_proof(void *circuit, proving_key *pk)
 {
 init_prover(circuit, pk);
@@ -377,7 +377,7 @@ proof generate_proof(void *circuit, proving_key pk)
 mpz_init(uw[i]);
 }
- int n = mpz_get_ui(pk.Ne);
+ int n = mpz_get_ui(pk->Ne);
 wM = (mpz_t*) malloc((n) * sizeof(mpz_t));
 proof p;
@@ -418,8 +418,6 @@ proof generate_proof(void *circuit, proving_key pk)
 mpz_clear(uw[i]);
 }
- mpz_clear(shift);
-
 return p;
 }
@@ -472,7 +470,7 @@ proof read_proof()
 return p;
 }
-int verify_proof(void *circuit, proof p, verifying_key vk)
+int verify_proof(void *circuit, proof *p, verifying_key *vk)
 {
 init_setup(circuit);
@@ -480,7 +478,7 @@ int verify_proof(void *circuit, proof p, verifying_key vk)
 double elapsed;
 clock_gettime(CLOCK_MONOTONIC, &begin);
- int verified = verify(&p.piA, &p.piB2, &p.piC, p.uwProof, vk);
+ int verified = verify(p, vk);
 if (verified)
 {
diff --git a/src/zpie.h b/src/zpie.h
index b3fd45a..aa5108b 100644
--- a/src/zpie.h
+++ b/src/zpie.h
@@ -85,9 +85,9 @@ static inline void bulletproof_get_context(context *ctx);
 static inline void bulletproof_user_gammas(int val);
 void init_setup(void *circuit);
 setup_keys perform_setup(void *circuit);
-void init_prover(void *circuit, proving_key pk);
-proof generate_proof(void *circuit, proving_key pk);
-int verify_proof(void *circuit, proof p, verifying_key vk);
+void init_prover(void *circuit, proving_key *pk);
+proof generate_proof(void *circuit, proving_key *pk);
+int verify_proof(void *circuit, proof *p, verifying_key *vk);
 #include "zpie.c"
 #include "bulletproofs/bulletproofs.c"
\ No newline at end of file
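Review bot: `wM = (mpz_t*) malloc((n) * sizeof(mpz_t));` is never checked for NULL, and n is the same file-supplied `mpz_get_ui(pk->Ne)` value, converted here a second time after init_prover already did so; a value that lands negative in the int makes the size wrap to an enormous size_t, malloc returns NULL, and the first write through wM faults. Check the result, `if (!wM) { /* clear uw[] and fail */ }`, or better have init_prover validate Ne once (positive, fits an int) and expose the checked count so generate_proof does not repeat the conversion. generate_proof's body continues outside this hunk, so the existing cleanup path for uw is not visible here.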