Module `Main_protocol.Make`Source

Parameters

module PP : Polynomial_protocol.S

Signature

module PP = PP

include Plonk.Main_protocol.S
  with type public_inputs = Plonk.Bls.Scalar.t array list

Sourceexception Rest_not_null of string

Raised by the prover when the provided inputs are not a satisfying assignment of the circuit.

Sourceexception Entry_not_in_table of string

Raised by the prover when the provided inputs are not a satisfying assignment of the circuit when using Plookup.

Sourcemodule Input_commitment : Plonk.Input_commitment.S

Sourcetype scalar = Plonk.Bls.Scalar.t

Sourceval scalar_t : scalar Repr.t

Sourceval scalar_encoding : scalar Data_encoding.t

Sourcetype circuit_map = (Plonk.Circuit.t * int) Plonk.SMap.t

Before proving and verifying, circuits go through a pre-processing step called setup. The setup takes as input a circuit_map, which associates an identifier to a circuit and the number of statements that can be proved with that circuit. This produces a set of public_parameters which are bound to the circuits and can be reused.

Sourcetype prover_public_parameters

Set of public_parameters needed by the prover. Its size is linear in the size of the circuits.

Sourceval prover_public_parameters_t : prover_public_parameters Repr.t

Sourcetype verifier_public_parameters

Set of public_parameters needed by the verifier. Its size is constant w.r.t. the size of the circuits.

Sourceval verifier_public_parameters_t : verifier_public_parameters Repr.t

Source

val verifier_public_parameters_encoding : 
  verifier_public_parameters Data_encoding.t

Sourcetype proof

Succinct proof for a collection of statements.

Sourceval proof_t : proof Repr.t

Sourceval proof_encoding : proof Data_encoding.t

Sourcetype circuit_prover_input = {

witness : scalar array;
input_commitments : Input_commitment.t list;

}

Witness is the whole trace for the circuit, including input_commitment values first, followed by public input values and followed by the rest of the trace. This is the prover input for a single proof.

Sourceval circuit_prover_input_t : circuit_prover_input Repr.t

Sourcetype prover_inputs = circuit_prover_input list Plonk.SMap.t

Map where each circuit identifier is bound to a list of circuit_prover_input for a list of statements.

Sourceval prover_inputs_t : prover_inputs Repr.t

Sourcetype public_inputs = Plonk.Bls.Scalar.t array list

The public inputs for one circuit & several statements

Sourceval public_inputs_t : public_inputs Repr.t

Source

type verifier_inputs =
  (public_inputs * Input_commitment.public list list) Plonk.SMap.t

The verifier inputs, represented as a map where each circuit is binded to the verifier inputs for this circuit.

Sourceval verifier_inputs_t : verifier_inputs Repr.t

Source

val to_verifier_inputs : 
  prover_public_parameters ->
  prover_inputs ->
  verifier_inputs

Conversion from prover_inputs to verifier_inputs.

Source

val input_commit : 
  ?size:int ->
  ?shift:int ->
  prover_public_parameters ->
  scalar array ->
  Input_commitment.t

input_commit ~shift pp secret produces a commitment to the secret array and additional prover information. This commitment is designed to be easily involved in a PlonK proof. In particular, the values of secret will be added to the arithmetic identity in such a way that secret.(i) participates in constraint number shift + i, where equality will be asserted with respect to a PlonK variable in the same constraint. This allows us to "load" the value of secret.(i) into the variable, which may be reused across the circuit. The optional argument shift has a default value of 0. The commitment is relative to a certain domain size n, included in pp, the secret will remain information-theoretically hidden as long as the commitment is involved in at most n - |secret| different proofs. If the optionnal argument size is given, the secret will be padded with zeros to have the length size (note that an error will be risen if size is smaller than the secret length).

Source

val setup : 
  zero_knowledge:bool ->
  circuit_map ->
  srs:
    (Octez_bls12_381_polynomial.Bls12_381_polynomial.Srs.t
     * Octez_bls12_381_polynomial.Bls12_381_polynomial.Srs.t) ->
  prover_public_parameters * verifier_public_parameters

setup ~zero_knowledge circuit_map ~srs pre-processes the circuit_map producing the public parameters. The SRSs of ZCash and Filecoin can be loaded from file using the Bls12_381_polynomial library. Activating zero_knowledge adds an overhead in proving time.

Source

val update_prover_public_parameters : 
  Bytes.t ->
  prover_public_parameters ->
  prover_public_parameters

Enrich the prover_public_parameters with extra application data to prevent replay attacks. The same data must be used for updating the prover and verifier public parameters.

Source

val update_verifier_public_parameters : 
  Bytes.t ->
  verifier_public_parameters ->
  verifier_public_parameters

Enrich the verifier_public_parameters with extra application data to prevent replay attacks. The same data must be used for updating the prover and verifier public parameters.

Sourceval prove : prover_public_parameters -> inputs:prover_inputs -> proof

prove public_parameters ~inputs produces a proof for the collection of statements implied by inputs and the circuits used for generating public_parameters.

raises Rest_not_null

raises Entry_not_in_table

Source

val verify : 
  verifier_public_parameters ->
  inputs:verifier_inputs ->
  proof ->
  bool

verify public_parameters ~inputs proof checks the validity of the proof with regards to public_parameters and inputs.

Sourcemodule Internal_for_tests : sig ... end

Sourcemodule Gates : Plonk.Custom_gates.S

Sourcemodule Perm : Plonk.Permutation_gate.S with module PP := PP

Sourceval get_gen_n_prover : prover_public_parameters -> scalar * int

Returns (g, n), where n is the size of the circuit padded to the next power of two & g is a primitive n-th root of unity

Sourceval get_gen_n_verifier : verifier_public_parameters -> scalar * int

Returns (g, n), where n is the size of the circuit padded to the next power of two & g is a primitive n-th root of unity

Source

val filter_prv_pp_circuits : 
  prover_public_parameters ->
  'a SMap.t ->
  prover_public_parameters

Source

val filter_vrf_pp_circuits : 
  verifier_public_parameters ->
  'a SMap.t ->
  verifier_public_parameters

Sourcetype prover_aux = {

answers : scalar SMap.t SMap.t list;
batch : scalar SMap.t list;
alpha : scalar;
beta : scalar;
gamma : scalar;
delta : scalar;
x : scalar;
r : scalar;
cms_answers : PP.Answers_commitment.t SMap.t;
cms_pi : PP.Answers_commitment.t SMap.t;
ids_batch : (scalar * int) SMap.t;
t_answers : scalar list;

}

Auxiliary information needed by the prover for the meta-verification in aPlonK

Sourcetype verifier_aux = {

alpha : scalar;
beta : scalar;
gamma : scalar;
delta : scalar;
x : scalar;
r : scalar;

}

Auxiliary information needed by the verifier for the meta-verification in aPlonK

Sourcetype input_commit_info = {

nb_max_answers : int;
nb_max_pi : int;
func : ?size:int -> ?shift:int -> scalar array -> PP.Answers_commitment.t;

}

Source

val prove_list : 
  prover_public_parameters ->
  input_commit_infos:input_commit_info SMap.t ->
  inputs:prover_inputs ->
  proof * prover_aux

Source

val verify_list : 
  verifier_public_parameters ->
  (proof
   * scalar SMap.t list
   * PP.Answers_commitment.public SMap.t
   * PP.Answers_commitment.public SMap.t
   * scalar list
   * (scalar * int) SMap.t) ->
  bool * verifier_aux

package octez-plonk

Module Main_protocol.MakeSource

Parameters

Signature

Module `Main_protocol.Make`Source