def test_bacs():
new_num_constraints = 101
pb = pyzpk.protoboard()
# Test for pb_variable
res = pyzpk.pb_variable(0)
res.allocate(pb, "res")
# Test for pb_variable_array
A = pyzpk.pb_variable_array()
B = pyzpk.pb_variable_array()
A.allocate(pb, new_num_constraints, "A")
B.allocate(pb, new_num_constraints, "B")
assert len(A.get_vals(pb)) == 101
assert len(B.get_vals(pb)) == 101
assert A != B
# Test for pb_linear_combination
lc = pyzpk.linear_combination()
pb_lc = pyzpk.pb_linear_combination()
pb_lc.assign(pb, lc)
pb_lc.evaluate(pb)
assert pb_lc.is_constant() == True
# Test for pb_linear_combination_array
pb_A = pyzpk.pb_linear_combination_array()
assert pb_A.evaluate(pb) == None
def test_sha256_gadgets():
pb = pyzpk.protoboard()
left = pyzpk.digest_variable(pb, pyzpk.SHA256_digest_size, "left")
right = pyzpk.digest_variable(pb, pyzpk.SHA256_digest_size, "right")
output = pyzpk.digest_variable(pb, pyzpk.SHA256_digest_size, "output")
f = pyzpk.sha256_two_to_one_hash_gadget(pb, left, right, output, "f")
f.generate_r1cs_constraints(True)
# Number of constraints for sha256_two_to_one_hash_gadget
assert pb.num_constraints() == 27280
left_bv = [
0x426bc2d8, 0x4dc86782, 0x81e8957a, 0x409ec148, 0xe6cffbe8, 0xafe6ba4f,
0x9c6f1978, 0xdd7af7e9
]
right_bv = [
0x038cce42, 0xabd366b8, 0x3ede7e00, 0x9130de53, 0x72cdf73d, 0xee825114,
0x8cb48d1b, 0x9af68ad0
]
hash_bv = [
0xeffd0b7f, 0x1ccba116, 0x2ee816f7, 0x31c62b48, 0x59305141, 0x990e5c0a,
0xce40d33d, 0x0b1167d1
]
left.generate_r1cs_witness(left_bv)
right.generate_r1cs_witness(right_bv)
f.generate_r1cs_witness()
output.generate_r1cs_witness(hash_bv)
assert pb.is_satisfied() == True
def test_set_commitment_gadgets():
pb = pyzpk.protoboard()
digest_len = pyzpk.knapsack_CRH_with_field_out_gadget.get_digest_len()
max_set_size = 16
value_size = pyzpk.knapsack_CRH_with_field_out_gadget.get_digest_len(
) if pyzpk.knapsack_CRH_with_field_out_gadget.get_block_len() > 0 else 10
accumulator = pyzpk.set_commitment_accumulator
set_elems = []
for i in range(max_set_size):
elem = []
for i in range(value_size):
elem.append(random.randint(0, RAND_MAX) % 2)
set_elems.append(elem)
element_bits = pyzpk.pb_variable_array()
element_bits.allocate(pb, value_size, "element_bits")
root_digest = pyzpk.digest_variable(pb, digest_len, "root_digest")
check_succesful = pyzpk.pb_variable(0)
check_succesful.allocate(pb, "check_succesful")
proof = pyzpk.set_membership_proof_variable(pb, max_set_size, "proof")
for i in range(max_set_size):
element_bits.fill_with_bits(pb, set_elems[i])
pb.set_val(check_succesful, pyzpk.Fp_model.one())
assert pb.is_satisfied() == True
pb.set_val(check_succesful, pyzpk.Fp_model.zero())
assert pb.is_satisfied() == True
def test_knapsack_gadgets():
dimension = 1
input_bits = [1, 1, 0, 0, 1, 0, 1, 0, 0, 1]
digest_bits = [
1, 1, 1, 1, 0, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 1, 0, 0, 0, 1, 0,
1, 1, 1, 0, 0, 1, 1, 1, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 1, 1, 1, 1, 1, 1,
1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1, 1, 0, 1, 0, 1, 1, 1, 1, 0, 1, 0, 0,
0, 0, 0, 1, 0, 1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1,
1, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 0, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0,
1, 0, 1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 1, 0, 1, 1,
0, 1, 1, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1,
1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 1, 0, 0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 0,
1, 0, 0, 1, 1, 0, 0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 1, 0, 1,
0, 0, 1, 0, 0, 1, 1, 0, 1, 1, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 1,
1, 0, 1, 1, 1, 0, 0, 1, 1, 1, 1, 1, 0, 1, 0, 0, 0, 1, 0, 0, 1, 1, 1, 0,
1, 1, 0, 1, 1, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 1, 1, 0, 0, 0, 0, 1, 1,
1, 1, 0, 1, 0, 0, 0, 0, 0, 0
]
assert pyzpk.knapsack_dimension.dimension == dimension
pb = pyzpk.protoboard()
input_block = pyzpk.block_variable(pb, len(input_bits), "input_block")
digest_len = pyzpk.knapsack_CRH_with_bit_out_gadget.get_digest_len()
output_digest = pyzpk.digest_variable(pb, digest_len, "output_digest")
input_block.generate_r1cs_witness(input_bits)
assert pb.is_satisfied() == True
def test_G1_variable_precomp():
pb = pyzpk.protoboard()
g_val = pyzpk.mnt4_G1.one()
g = pyzpk.G1_variable(pb, "g")
precomp = pyzpk.G1_precomputation()
do_precomp = pyzpk.precompute_G1_gadget(pb, g, precomp, "do_precomp")
do_precomp.generate_r1cs_constraints()
g.generate_r1cs_witness(g_val)
do_precomp.generate_r1cs_witness()
assert pb.is_satisfied() == True
def test_mnt_miller_loop():
pb = pyzpk.protoboard()
P_val = pyzpk.mnt4_G1.one()
Q_val = pyzpk.mnt4_G2.one()
P = pyzpk.G1_variable(pb, "P")
Q = pyzpk.G2_variable(pb, "Q")
prec_P = pyzpk.G1_precomputation()
prec_Q = pyzpk.G2_precomputation()
compute_prec_P = pyzpk.precompute_G1_gadget(pb, P, prec_P, "prec_P")
compute_prec_Q = pyzpk.precompute_G2_gadget(pb, Q, prec_Q, "prec_Q")
compute_prec_P.generate_r1cs_constraints()
compute_prec_Q.generate_r1cs_constraints()
P.generate_r1cs_witness(P_val)
compute_prec_P.generate_r1cs_witness()
Q.generate_r1cs_witness(Q_val)
compute_prec_Q.generate_r1cs_witness()
assert pb.is_satisfied() == True
def test_conjunction_gadget():
n = 10
pb = pyzpk.protoboard()
inputs = pyzpk.pb_variable_array()
inputs.allocate(pb, n, "inputs")
output = pyzpk.pb_variable(0)
output.allocate(pb, "output")
c = pyzpk.conjunction_gadget(pb, inputs, output, "c")
c.generate_r1cs_constraints()
for w in range(0, 1 << n):
for j in range(0, n):
inputs.get_vals(pb)[j] = pyzpk.Fp_model(
pyzpk.bigint(1) if w & (1 << j) else pyzpk.bigint(0))
assert c.generate_r1cs_witness() == None
assert pb.is_satisfied() == True
def test_verifiers_gadgets():
FieldT_A = pyzpk.Fp_model()
FieldT_B = pyzpk.Fp_model()
num_constraints = 50
primary_input_size = 3
elt_size = pyzpk.Fp_model.size_in_bits()
primary_input_size_in_bits = elt_size * primary_input_size
vk_size_in_bits = pyzpk.r1cs_ppzksnark_verification_key_variable.size_in_bits(
primary_input_size)
pb = pyzpk.protoboard()
vk_bits = pyzpk.pb_variable_array()
vk_bits.allocate(pb, vk_size_in_bits, "vk_bits")
primary_input_bits = pyzpk.pb_variable_array()
primary_input_bits.allocate(pb, primary_input_size_in_bits,
"primary_input_bits")
proof = pyzpk.r1cs_ppzksnark_proof_variable(pb, "proof")
assert pb.is_satisfied() == True
def test_mnt_e_over_e_miller_loop():
pb = pyzpk.protoboard()
P1_val = pyzpk.mnt4_G1.one()
Q1_val = pyzpk.mnt4_G2.one()
P2_val = pyzpk.mnt4_G1.one()
Q2_val = pyzpk.mnt4_G2.one()
P1 = pyzpk.G1_variable(pb, "P1")
Q1 = pyzpk.G2_variable(pb, "Q1")
P2 = pyzpk.G1_variable(pb, "P2")
Q2 = pyzpk.G2_variable(pb, "Q2")
prec_P1 = pyzpk.G1_precomputation()
prec_Q1 = pyzpk.G2_precomputation()
prec_P2 = pyzpk.G1_precomputation()
prec_Q2 = pyzpk.G2_precomputation()
compute_prec_P1 = pyzpk.precompute_G1_gadget(pb, P1, prec_P1, "prec_P1")
compute_prec_Q1 = pyzpk.precompute_G2_gadget(pb, Q1, prec_Q1, "prec_Q1")
compute_prec_P2 = pyzpk.precompute_G1_gadget(pb, P2, prec_P2, "prec_P2")
compute_prec_Q2 = pyzpk.precompute_G2_gadget(pb, Q2, prec_Q2, "prec_Q2")
compute_prec_P1.generate_r1cs_constraints()
compute_prec_Q1.generate_r1cs_constraints()
compute_prec_P2.generate_r1cs_constraints()
compute_prec_Q2.generate_r1cs_constraints()
P1.generate_r1cs_witness(P1_val)
compute_prec_P1.generate_r1cs_witness()
Q1.generate_r1cs_witness(Q1_val)
compute_prec_Q1.generate_r1cs_witness()
P2.generate_r1cs_witness(P2_val)
compute_prec_P2.generate_r1cs_witness()
Q2.generate_r1cs_witness(Q2_val)
compute_prec_Q2.generate_r1cs_witness()
assert pb.is_satisfied() == True
def test_comparison_gadget():
n = 10
pb = pyzpk.protoboard()
A = pyzpk.pb_linear_combination()
B = pyzpk.pb_linear_combination()
less = pyzpk.pb_variable(0)
less_or_eq = pyzpk.pb_variable(0)
lc = pyzpk.linear_combination()
A.assign(pb, lc)
B.assign(pb, lc)
assert A.evaluate(pb) == None
assert B.evaluate(pb) == None
less.allocate(pb, "less")
less_or_eq.allocate(pb, "less_or_eq")
cmp = pyzpk.comparison_gadget(pb, n, A, B, less, less_or_eq, "cmp")
cmp.generate_r1cs_constraints()
assert cmp.generate_r1cs_witness() == None
assert pb.is_satisfied() == True
0, 0, 1, 1, 1, 0, 0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1,
1, 1, 1, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 1, 0, 0, 1, 1, 0, 1,
1, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1, 1, 1, 0, 0, 1, 1, 1,
1, 1, 0, 1, 0, 0, 0, 1, 0, 0, 1, 1, 1, 0, 1, 1, 0, 1, 1, 0, 0, 1, 1, 0, 0,
0, 0, 0, 1, 0, 1, 1, 0, 0, 0, 0, 1, 1, 1, 1, 0, 1, 0, 0, 0, 0, 0, 0
])
# Tensor() ---> List()
input_bits = input_bits_tensor.tolist()
digest_bits = digest_bits_tensor.tolist()
dimension = 1
assert pyzpk.knapsack_dimension.dimension == dimension
# Create protoboard
pb = pyzpk.protoboard()
input_block = pyzpk.block_variable(pb, len(input_bits), "input_block")
digest_len = pyzpk.knapsack_CRH_with_bit_out_gadget.get_digest_len()
output_digest = pyzpk.digest_variable(pb, digest_len, "output_digest")
input_block.generate_r1cs_witness(input_bits)
# Validity of Protoboard
assert pb.is_satisfied() == True
output = input_block.get_block()
output_tensor = torch.Tensor(output)
# Given a R1CS (Rank-1 constraint system) aka example, it
# generates a keypair one for the prover and the other for the verifier.
num_constraints, input_size = 1000, 100
example = pyzpk.generate_r1cs_example_with_binary_input(
num_constraints, input_size)
def test_merkle_tree():
digest_len = 298
tree_depth = 16
prev_path = []
prev_load_hash = []
prev_store_hash = []
for i in range(digest_len):
prev_load_hash.append(random.randint(0, RAND_MAX) % 2)
prev_store_hash.append(random.randint(0, RAND_MAX) % 2)
for i in range(tree_depth):
prev_path.append(random.randint(0, RAND_MAX) % 2)
address = 0
address_bits = []
while tree_depth > 0:
level = tree_depth - 1
computed_is_right = random.randint(0, RAND_MAX) % 2
address |= 1 << (tree_depth - 1 -
level) if computed_is_right == 1 else 0
address_bits.append(computed_is_right)
other = []
for i in range(digest_len):
other.append(random.randint(0, RAND_MAX) % 2)
prev_path[level] = other
tree_depth -= 1
tree_depth = 16
pb = pyzpk.protoboard()
address_bits_va = pyzpk.pb_variable_array()
address_bits_va.allocate(pb, tree_depth, "address_bits")
prev_leaf_digest = pyzpk.digest_variable(pb, digest_len,
"prev_leaf_digest")
prev_root_digest = pyzpk.digest_variable(pb, digest_len,
"prev_root_digest")
prev_path_var = pyzpk.merkle_authentication_path_variable(
pb, tree_depth, "prev_path_var")
next_leaf_digest = pyzpk.digest_variable(pb, digest_len,
"next_leaf_digest")
next_root_digest = pyzpk.digest_variable(pb, digest_len,
"next_root_digest")
next_path_var = pyzpk.merkle_authentication_path_variable(
pb, tree_depth, "next_path_var")
prev_path_var.generate_r1cs_constraints()
address_bits_va.fill_with_bits(pb, address_bits)
assert address_bits_va.get_field_element_from_bits(pb).as_ulong() == 0
prev_leaf_digest.generate_r1cs_witness(prev_load_hash)
next_leaf_digest.generate_r1cs_witness(prev_store_hash)
address_bits_va.fill_with_bits(pb, address_bits)
prev_leaf_digest.generate_r1cs_witness(prev_load_hash)
next_leaf_digest.generate_r1cs_witness(prev_store_hash)
prev_root_digest.generate_r1cs_witness(prev_load_hash)
next_root_digest.generate_r1cs_witness(prev_store_hash)
address_bits_va.fill_with_bits(pb, address_bits)
assert pb.is_satisfied() == True
