def redc_init(self):
assert self.rA1vals is None
assert self.rZ1vals is None
assert len(self.avals) == len(self.bvals)
nprime = len(self.avals) // 2
self.rA1vals = (self.gops.rand_scalar(), self.gops.rand_scalar())
self.rZ1vals = (self.gops.rand_scalar(), self.gops.rand_scalar())
# g2^a1, g1^a2
if self.gvals is None:
cAm1 = self.gops.pow_gih(self.avals[:nprime], self.rA1vals[0],
nprime)
cAp1 = self.gops.pow_gih(self.avals[nprime:], self.rA1vals[1], 0)
else:
cAm1 = self.gops.multiexp(self.gvals[nprime:] + [self.gops.h],
self.avals[:nprime] + [self.rA1vals[0]])
cAp1 = self.gops.multiexp(self.gvals[:nprime] + [self.gops.h],
self.avals[nprime:] + [self.rA1vals[1]])
# a1*b2, a2*b1
zm1 = sum(
util.mul_vecs(self.avals[nprime:], self.bvals[:nprime],
self.com.rec_q)) % self.gops.q
zp1 = sum(
util.mul_vecs(self.avals[:nprime], self.bvals[nprime:],
self.com.rec_q)) % self.gops.q
cZm1 = self.gops.pow_gh(zm1, self.rZ1vals[0])
cZp1 = self.gops.pow_gh(zp1, self.rZ1vals[1])
if self.com.rec:
self.com.rec_q.did_rng(4)
self.com.rec_p.did_mexps([2, 1 + nprime] * 2)
return (cAm1, cAp1, cZm1, cZp1)
def run_one_test(nInBits, nCopies):
nOutBits = nInBits
(in0v, in1v, typv) = randutil.rand_ckt(nOutBits, nInBits)
inputs = randutil.rand_inputs(nInBits, nCopies)
circuit = CircuitProver(nCopies, 2**nInBits, [in0v], [in1v], [typv])
circuit.set_inputs(inputs)
z1 = [Defs.gen_random() for _ in xrange(0, nOutBits)]
z2 = [Defs.gen_random() for _ in xrange(0, circuit.nCopyBits)]
circuit.set_z(z1, z2, None, None, True)
# mlExt of outputs
outflat = util.flatten(circuit.ckt_outputs)
inLayer_mults = LayerComputeBeta(nOutBits + circuit.nCopyBits, z1 + z2)
assert len(outflat) == len(inLayer_mults.outputs)
inLayermul = util.mul_vecs(inLayer_mults.outputs, outflat)
inLayerExt = sum(inLayermul) % Defs.prime
w1 = [Defs.gen_random() for _ in xrange(0, nInBits)]
w2 = [Defs.gen_random() for _ in xrange(0, nInBits)]
w3 = [Defs.gen_random() for _ in xrange(0, circuit.nCopyBits)]
initOutputs = circuit.get_outputs()
assert inLayerExt == (initOutputs[0] + sum(initOutputs)) % Defs.prime
for i in xrange(0, len(w3)):
circuit.next_round(w3[i])
circuit.get_outputs()
for i in xrange(0, len(w1)):
circuit.next_round(w1[i])
circuit.get_outputs()
for i in xrange(0, len(w2)):
circuit.next_round(w2[i])
finalOutputs = circuit.get_outputs()
# check the outputs by computing mlext of layer input directly
inflat = util.flatten(inputs)
v1_mults = LayerComputeBeta(circuit.layer_inbits[0] + circuit.nCopyBits,
w1 + w3)
assert len(inflat) == len(v1_mults.outputs)
v1inmul = util.mul_vecs(v1_mults.outputs, inflat)
v1 = sum(v1inmul) % Defs.prime
v2_mults = LayerComputeBeta(circuit.layer_inbits[0] + circuit.nCopyBits,
w2 + w3)
assert len(inflat) == len(v2_mults.outputs)
v2inmul = util.mul_vecs(v2_mults.outputs, inflat)
v2 = sum(v2inmul) % Defs.prime
assert v1 == finalOutputs[0]
assert v2 == sum(finalOutputs) % Defs.prime
def redc_init(self):
assert self.rLval is None
assert self.rRval is None
assert len(self.avals) == len(self.bvals)
nprime = len(self.avals) // 2
self.rLval = self.gops.rand_scalar()
self.rRval = self.gops.rand_scalar()
cL = sum(
util.mul_vecs(self.avals[:nprime], self.bvals[nprime:],
self.com.rec_q)) % self.gops.q
cR = sum(
util.mul_vecs(self.avals[nprime:], self.bvals[:nprime],
self.com.rec_q)) % self.gops.q
# g2^a1, g1^a2
if self.gvals is None:
Lval = self.gops.maul(
self.gops.pow_gih(self.avals[:nprime], self.rLval, nprime),
self.gops.q - cL)
Rval = self.gops.maul(
self.gops.pow_gih(self.avals[nprime:], self.rRval, 0),
self.gops.q - cR)
else:
Lval = self.gops.multiexp(
self.gvals[nprime:] + [self.gops.g, self.gops.h],
self.avals[:nprime] + [cL, self.rLval])
Rval = self.gops.multiexp(
self.gvals[:nprime] + [self.gops.g, self.gops.h],
self.avals[nprime:] + [cR, self.rRval])
if self.com.rec:
self.com.rec_q.did_rng(2)
self.com.rec_p.did_mexps([2 + nprime] * 2)
return (Lval, Rval)
def fin_init(self):
assert len(self.gvals) == self.stoplen
assert len(self.bvals) == self.stoplen
assert len(self.avals) == self.stoplen
self.dvals = [self.gops.rand_scalar() for _ in xrange(0, self.stoplen)]
self.rbeta = self.gops.rand_scalar()
self.rdelta = self.gops.rand_scalar()
# delta is a vec commit over self.gvals
delta = self.gops.multiexp(self.gvals + [self.gops.h],
self.dvals + [self.rdelta])
# compute <b, d> and commit to it
prod_bd = sum(util.mul_vecs(self.bvals, self.dvals,
self.com.rec_q)) % self.gops.q
beta = self.gops.pow_gh(prod_bd, self.rbeta)
if self.com.rec:
self.com.rec_q.did_rng(2 + self.stoplen)
self.com.rec_p.did_mexps([2, 1 + self.stoplen])
return (delta, beta)
def run_one_test(nbits, squawk, nbins, pattern):
z = [Defs.gen_random() for _ in xrange(0, nbits)]
inv = [Defs.gen_random() for _ in xrange(0, (2**nbits) - nbins)]
if pattern is 0:
inv += [0 for _ in xrange(0, nbins)]
elif pattern is 1:
inv += [1 for _ in xrange(0, nbins)]
elif pattern == 2:
inv += [(i % 2) for i in xrange(0, nbins)]
elif pattern == 3:
inv += [((i + 1) % 2) for i in xrange(0, nbins)]
else:
inv += [random.randint(0, 1) for _ in xrange(0, nbins)]
assert len(inv) == (2**nbits)
Defs.track_fArith = True
fa = Defs.fArith()
oldrec = fa.new_cat("old")
newrec = fa.new_cat("new")
nw2rec = fa.new_cat("nw2")
oldbeta = LayerComputeBeta(nbits, z, oldrec)
oldval = sum(util.mul_vecs(oldbeta.outputs, inv)) % Defs.prime
oldrec.did_mul(len(inv))
oldrec.did_add(len(inv) - 1)
newcomp = VerifierIOMLExt(z, newrec)
newval = newcomp.compute(inv)
nw2comp = LayerComputeV(nbits, nw2rec)
nw2comp.other_factors = []
nw2comp.set_inputs(inv)
for zz in z:
nw2comp.next_round(zz)
nw2val = nw2comp.prevPassValue
assert oldval == newval, "error for inputs (new) %s : %s" % (str(z),
str(inv))
assert oldval == nw2val, "error for inputs (nw2) %s : %s" % (str(z),
str(inv))
if squawk:
print
print "nbits: %d" % nbits
print "OLD: %s" % str(oldrec)
print "NEW: %s" % str(newrec)
print "NW2: %s" % str(nw2rec)
betacomp = VerifierIOMLExt.compute_beta(z)
beta_lo = random.randint(0, 2**nbits - 1)
beta_hi = random.randint(beta_lo, 2**nbits - 1)
betacomp2 = VerifierIOMLExt.compute_beta(z, None, 1, beta_lo, beta_hi)
# make sure that the right range was generated, and correctly
assert len(betacomp) == len(betacomp2)
assert all([b is None for b in betacomp2[:beta_lo]])
assert all([b is not None for b in betacomp2[beta_lo:beta_hi + 1]])
assert all([b is None for b in betacomp2[beta_hi + 1:]])
assert all([
b2 == b if b2 is not None else True
for (b, b2) in zip(betacomp, betacomp2)
])
return newrec.get_counts()
stopbits = util.clog2(self.stoplen)
bvinit = (VerifierIOMLExt(self.rvals[stopbits:],
self.com.rec_q).compute(gpows) *
self.r0val) % self.gops.q
bvals = VerifierIOMLExt.compute_beta(self.rvals[:stopbits],
self.com.rec_q, bvinit)
# now compute the check values themselves
gvals = [
self.gops.pow_gi(gpows, idx, self.stoplen)
for idx in xrange(0, self.stoplen)
]
lhs1 = self.gops.multiexp(self.Avals + [delta], azpows + [1])
rhs1 = self.gops.multiexp(gvals + [self.gops.h], zvals + [zdelta])
prod_bz = sum(util.mul_vecs(bvals, zvals,
self.com.rec_q)) % self.gops.q
lhs2 = self.gops.multiexp(self.Zvals + [beta], azpows + [1])
rhs2 = self.gops.pow_gh(prod_bz, zbeta)
if self.com.rec:
clen = len(self.cvals)
self.com.rec_p.did_mexps(
[1 + len(gvals), 2, 1 + len(self.Avals), 1 + len(self.Zvals)] +
[len(gpows)] * self.stoplen)
self.com.rec_q.did_mul(
len(gpows) + (clen + 1) * (clen - 1) + 2 * clen + 1)
return lhs1 == rhs1 and lhs2 == rhs2
class WitnessLogCommitShort(_WCBase):
def run_one_test(nInBits, nCopies):
nOutBits = nInBits
circuit = _DummyCircuitProver(nCopies)
(in0v, in1v, typv) = randutil.rand_ckt(nOutBits, nInBits)
typc = [tc.cgate for tc in typv]
inputs = randutil.rand_inputs(nInBits, nCopies)
# compute outputs
ckt = ArithCircuit()
inCktLayer = ArithCircuitInputLayer(ckt, nOutBits)
outCktLayer = ArithCircuitLayer(ckt, inCktLayer, in0v, in1v, typc)
ckt.layers = [inCktLayer, outCktLayer]
outputs = []
for inp in inputs:
ckt.run(inp)
outputs.append(ckt.outputs)
z1 = [Defs.gen_random() for _ in xrange(0, nOutBits)]
z2 = [Defs.gen_random() for _ in xrange(0, circuit.nCopyBits)]
outLayer = LayerProver(nInBits, circuit, in0v, in1v, typv)
outLayer.set_inputs(inputs)
outLayer.set_z(z1, z2, None, None, True)
# mlExt of outputs
outflat = util.flatten(outputs)
inLayer_mults = LayerComputeBeta(nOutBits + outLayer.circuit.nCopyBits,
z1 + z2)
assert len(outflat) == len(inLayer_mults.outputs)
inLayermul = util.mul_vecs(inLayer_mults.outputs, outflat)
inLayerExt = sum(inLayermul) % Defs.prime
w3 = [Defs.gen_random() for _ in xrange(0, circuit.nCopyBits)]
w1 = [Defs.gen_random() for _ in xrange(0, nInBits)]
w2 = [Defs.gen_random() for _ in xrange(0, nInBits)]
outLayer.compute_outputs()
initOutputs = outLayer.output
assert inLayerExt == (initOutputs[0] + sum(initOutputs)) % Defs.prime
for i in xrange(0, len(w3)):
outLayer.next_round(w3[i])
outLayer.compute_outputs()
for i in xrange(0, len(w1)):
outLayer.next_round(w1[i])
outLayer.compute_outputs()
for i in xrange(0, len(w2)):
outLayer.next_round(w2[i])
outLayer.compute_outputs()
finalOutputs = outLayer.output
# check the outputs by computing mlext of layer input directly
inflat = util.flatten(inputs)
v1_mults = LayerComputeBeta(outLayer.nInBits + outLayer.circuit.nCopyBits,
w1 + w3)
assert len(inflat) == len(v1_mults.outputs)
v1inmul = util.mul_vecs(v1_mults.outputs, inflat)
v1 = sum(v1inmul) % Defs.prime
v2_mults = LayerComputeBeta(outLayer.nInBits + outLayer.circuit.nCopyBits,
w2 + w3)
assert len(inflat) == len(v2_mults.outputs)
v2inmul = util.mul_vecs(v2_mults.outputs, inflat)
v2 = sum(v2inmul) % Defs.prime
assert v1 == finalOutputs[0]
assert v2 == sum(finalOutputs) % Defs.prime