Make.MP
module PP : Distribution.Polynomial_protocol.S
type proof = {
perm_and_plook : PP.PC.Commitment.t;
wires_cm : PP.PC.Commitment.t;
pp_proof : PP.proof;
}
include Plonk.Main_protocol_intf.S with type proof := proof
Raised by the prover when the provided inputs are not a satisfying assignment of the circuit.
Raised by the prover when the provided inputs are not a satisfying assignment of the circuit when using Plookup.
module Input_commitment : Plonk.Input_commitment.S
type scalar = Kzg.Bls.Scalar.t
val scalar_t : scalar Repr.t
val scalar_encoding : scalar Data_encoding.t
type circuit_map = (Plonk.Circuit.t * int) Plonk.Main_protocol_intf.SMap.t
Before proving and verifying, circuits go through a pre-processing step called setup
. The setup
takes as input a circuit_map
, which associates an identifier to a circuit and the number of statements that can be proved with that circuit. This produces a set of public_parameters
which are bound to the circuits and can be reused.
Set of public_parameters
needed by the prover. Its size is linear in the size of the circuits.
val prover_public_parameters_t : prover_public_parameters Repr.t
Set of public_parameters
needed by the verifier. Its size is constant w.r.t. the size of the circuits.
val verifier_public_parameters_t : verifier_public_parameters Repr.t
val verifier_public_parameters_encoding :
verifier_public_parameters Data_encoding.t
val proof_t : proof Repr.t
val proof_encoding : proof Data_encoding.t
Witness is the whole trace for the circuit, including input_commitment values first, followed by public input values and followed by the rest of the trace. This is the prover input for a single proof.
val circuit_prover_input_t : circuit_prover_input Repr.t
type prover_inputs = circuit_prover_input list Plonk.Main_protocol_intf.SMap.t
Map where each circuit identifier is bound to a list of circuit_prover_input
for a list of statements.
val prover_inputs_t : prover_inputs Repr.t
val public_inputs_t : public_inputs Repr.t
type circuit_verifier_input = {
nb_proofs : int;
public : public_inputs;
commitments : Input_commitment.public list list;
}
The verifier input for a circuit, represented as the actual number of proofs that have been proved by the prover, the public inputs & the input commitments
val circuit_verifier_input_t : circuit_verifier_input Repr.t
type verifier_inputs = circuit_verifier_input Plonk.Main_protocol_intf.SMap.t
The verifier inputs, represented as a map where each circuit is binded to the verifier inputs for this circuit.
val verifier_inputs_t : verifier_inputs Repr.t
val to_verifier_inputs :
prover_public_parameters ->
prover_inputs ->
verifier_inputs
Conversion from prover_inputs
to verifier_inputs
.
val input_commit :
?size:int ->
?shift:int ->
prover_public_parameters ->
scalar array ->
Input_commitment.t
input_commit ~shift pp secret
produces a commitment to the secret
array and additional prover information. This commitment is designed to be easily involved in a PlonK proof. In particular, the values of secret
will be added to the arithmetic identity in such a way that secret.(i)
participates in constraint number shift + i
, where equality will be asserted with respect to a PlonK variable in the same constraint. This allows us to "load" the value of secret.(i)
into the variable, which may be reused across the circuit. The optional argument shift
has a default value of 0. The commitment is relative to a certain domain size n
, included in pp
, the secret will remain information-theoretically hidden as long as the commitment is involved in at most n - |secret|
different proofs. If the optionnal argument size
is given, the secret will be padded with zeros to have the length size
(note that an error will be risen if size is smaller than the secret length).
val setup :
zero_knowledge:bool ->
circuit_map ->
srs:(Kzg.Bls.Srs.t * Kzg.Bls.Srs.t) ->
prover_public_parameters * verifier_public_parameters
setup ~zero_knowledge circuit_map ~srs
pre-processes the circuit_map
producing the public parameters. The SRSs of ZCash and Filecoin can be loaded from file using the Bls12_381_polynomial
library. Activating zero_knowledge
adds an overhead in proving time.
val update_prover_public_parameters :
'a Repr.ty ->
'a ->
prover_public_parameters ->
prover_public_parameters
Enrich the prover_public_parameters
with extra application data to prevent replay attacks. The same data must be used for updating the prover and verifier public parameters.
val update_verifier_public_parameters :
'a Repr.ty ->
'a ->
verifier_public_parameters ->
verifier_public_parameters
Enrich the verifier_public_parameters
with extra application data to prevent replay attacks. The same data must be used for updating the prover and verifier public parameters.
val prove : prover_public_parameters -> inputs:prover_inputs -> proof
prove public_parameters ~inputs
produces a proof for the collection of statements implied by inputs
and the circuits used for generating public_parameters
.
val verify :
verifier_public_parameters ->
inputs:verifier_inputs ->
proof ->
bool
verify public_parameters ~inputs proof
checks the validity of the proof
with regards to public_parameters
and inputs
.
module Internal_for_tests : sig ... end
val build_gates_randomness :
Kzg.Utils.Transcript.t ->
gate_randomness * Kzg.Utils.Transcript.t
val filter_prv_pp_circuits :
prover_public_parameters ->
'a Distribution.Main_protocol.SMap.t ->
prover_public_parameters
module Prover : sig ... end
val worker_inputs_t : worker_inputs Repr.t
val split_inputs_map :
nb_workers:int ->
circuit_prover_input list Distribution.Main_protocol.SMap.t ->
worker_inputs Distribution.Main_protocol.SMap.t list
type commit_to_wires_reply = PP.PC.Commitment.t
val commit_to_wires_reply_t : commit_to_wires_reply Repr.t
type commit_to_wires_remember = {
all_f_wires : Kzg.Bls.Poly.t Distribution.Main_protocol.SMap.t;
wires_list_map : Plonk.Identities.Evaluations.t
Distribution.Main_protocol.SMap.t
list
Distribution.Main_protocol.SMap.t;
inputs_map : circuit_prover_input list Distribution.Main_protocol.SMap.t;
shifts_map : (int * int) Distribution.Main_protocol.SMap.t;
f_wires : Kzg.Bls.Poly.t Distribution.Main_protocol.SMap.t list
Distribution.Main_protocol.SMap.t;
cm_aux_wires : PP.PC.Commitment.prover_aux;
}
val worker_commit_to_wires :
prover_public_parameters ->
worker_inputs Distribution.Main_protocol.SMap.t ->
commit_to_wires_reply * commit_to_wires_remember
type commit_to_plook_rc_reply = {
batched_wires_map : Plonk.Identities.Evaluations.t
Distribution.Main_protocol.SMap.t
Distribution.Main_protocol.SMap.t;
cmt : PP.PC.Commitment.t;
f_map : Kzg.Bls.Poly.t Distribution.Main_protocol.SMap.t;
prover_aux : PP.PC.Commitment.prover_aux;
}
val commit_to_plook_rc_reply_t : commit_to_plook_rc_reply Repr.t
val commit_to_plook_rc :
prover_public_parameters ->
(int * int) Distribution.Main_protocol.SMap.t ->
Kzg.Utils.Transcript.t ->
Plonk.Identities.Evaluations.t Distribution.Main_protocol.SMap.t list
Distribution.Main_protocol.SMap.t ->
commit_to_plook_rc_reply * commit_to_plook_rc_remember
val batch_evaluated_ids :
alpha:scalar ->
Plonk.Identities.Evaluations.t Distribution.Main_protocol.SMap.t ->
string list ->
Plonk.Identities.Evaluations.t
val kzg_eval_at_x :
prover_public_parameters ->
Kzg.Utils.Transcript.t ->
(PP.PC.secret * PP.PC.Commitment.prover_aux) list ->
scalar ->
PP.PC.answer list
val make_secret :
prover_public_parameters ->
(Kzg.Bls.Poly.t Distribution.Main_protocol.SMap.t
* PP.PC.Commitment.prover_aux) ->
(Kzg.Bls.Poly.t Distribution.Main_protocol.SMap.t
* PP.PC.Commitment.prover_aux)
list
val make_eval_points :
prover_public_parameters ->
Plonk.Identities.eval_point list list * Plonk.Identities.eval_point list list
val get_srs : prover_public_parameters -> PP.prover_public_parameters
val get_gen_n_nbt : prover_public_parameters -> scalar * int * int
Returns (g, n, nb_t), where n is the size of the circuit padded to the next power of two, g is a primitive n-th root of unity, & nb_t is the number of T polynomials in the answers
val get_transcript : prover_public_parameters -> Kzg.Utils.Transcript.t
val check_no_zk : prover_public_parameters -> unit