def run_one_test(nInBits, nCopies, nLayers, qStat):
nOutBits = nInBits
in0vv = []
in1vv = []
typvv = []
for _ in xrange(0, nLayers):
(in0v, in1v, typv) = randutil.rand_ckt(nOutBits, nInBits)
in0vv.append(in0v)
in1vv.append(in1v)
typvv.append(typv)
prv = CircuitProverNIZK(nCopies, 2**nInBits, in0vv, in1vv, typvv)
# blind some of the inputs to the verifier
nondet_bits = random.randint(0, nInBits - 1)
prv.set_nondet_range(nondet_bits)
inputs = randutil.rand_inputs(nInBits, nCopies)
pf = prv.run(inputs)
ver = CircuitVerifierNIZK(nCopies, 2**nInBits, in0vv, in1vv, typvv)
ver.run(pf)
if not qStat:
print "nInBits: %d, nCopies: %d, nLayers: %d" % (nInBits, nCopies,
nLayers)
print " %d group elems, %d bytes in proof" % FiatShamir.proof_size(
pf)
for fArith in [ver.in_a, ver.out_a, ver.sc_a, ver.tV_a, ver.nlay_a]:
if fArith is not None:
print " %s: %s" % (fArith.cat, str(fArith))
def run_rdl_test(nInBits, nCopies, nLayers, qStat):
(in0vv, in1vv, typvv) = rand_ckt(nInBits, nLayers)
nRDLBits = nInBits - random.randint(0, 2)
nRDLInputs = 2**nRDLBits
nInputs = 2**nInBits
rdl = [[random.randint(0, nRDLInputs - 1) for _ in xrange(0, nInputs)]
for _ in xrange(0, nCopies)]
prv = CircuitProverVecWitNIZK(nCopies, 2**nInBits, in0vv, in1vv, typvv)
prv.set_rdl(rdl, nRDLInputs)
inputs = randutil.rand_inputs(nRDLBits, 1)
pf = prv.run(inputs)
ver = CircuitVerifierVecWitNIZK(nCopies, 2**nInBits, in0vv, in1vv, typvv)
ver.set_rdl(rdl, nRDLInputs)
ver.run(pf)
if not qStat:
print "nInBits: %d, nCopies: %d, nLayers: %d" % (nInBits, nCopies,
nLayers)
print " %d group elems, %d bytes in proof" % FiatShamir.proof_size(
pf)
for fArith in [ver.in_a, ver.out_a, ver.sc_a, ver.tV_a, ver.nlay_a]:
if fArith is not None:
print " %s: %s" % (fArith.cat, str(fArith))
def run(self, pf):
self.fs = FiatShamir.from_string(pf)
assert Defs.prime == self.fs.q
# handle inputs and outputs
inputs = self.fs.take(True)
outputs = self.fs.take(True)
self.set_io(inputs, outputs)
# get the witness
wcom = self.fs.take()[0]
self.witness_commit(wcom)
# get the polycommit
chal_y = self.fs.rand_scalar()
chal_z = self.fs.rand_scalar()
self.set_y_z(chal_y, chal_z)
pcom = self.fs.take()
self.poly_commit(pcom)
# get the polyeval
chal = self.fs.rand_scalar()
self.set_x(chal)
peval = self.fs.take()[0]
# run the recursive argument
chal = self.fs.rand_scalar()
self.poly_verify_init(peval, chal)
cont = True
while cont:
lrval = self.fs.take()[0]
chal = self.fs.rand_scalar()
cont = self.iparg_cont(chal, lrval)
# finally, check the result of the recursive argument
abvals = self.fs.take()[0]
self.iparg_fin(abvals)
def run(self, pf):
self.fs = FiatShamir.from_string(pf)
assert Defs.prime == self.fs.q
# handle inputs and outputs
inputs = self.fs.take(True)
outputs = self.fs.take(True)
self.set_io(inputs, outputs)
# handle witness commit
wcom = self.fs.take()[0]
self.witness_commit(wcom)
# first challenge and polycommit
chal = self.fs.rand_scalar()
pcom = self.fs.take()[0]
self.set_y(chal)
self.poly_commit(pcom)
# poly verification
chal = self.fs.rand_scalar()
peval = self.fs.take()[0]
self.set_x(chal)
self.poly_verify(peval)
def __init__(self, ckt, curve=None):
super(BulletProverNI, self).__init__(ckt, curve)
self.fs = FiatShamir(Defs.prime)
class BulletProverNI(BulletProver):
def __init__(self, ckt, curve=None):
super(BulletProverNI, self).__init__(ckt, curve)
self.fs = FiatShamir(Defs.prime)
def run(self, inputs):
# solve the AC
(inputs, outputs, ai, bi, ci) = ACSolver(self.ckt).solve(inputs)
# put inputs and outputs into the transcript
self.fs.put(inputs, True)
self.fs.put(outputs, True)
# commit to the witness
wcom = self.witness_commit(ai, bi, ci)
self.fs.put(wcom)
# commit to the resulting polynomial
chal_y = self.fs.rand_scalar()
chal_z = self.fs.rand_scalar()
pcom = self.poly_commit(chal_y, chal_z)
self.fs.put(pcom)
# evaluate the polynomial at the challenge point
chal = self.fs.rand_scalar()
peval = self.poly_eval(chal)
self.fs.put(peval)
# now run recursive argument until we bottom out
chal = self.fs.rand_scalar()
lrval = self.iparg_init(chal)
self.fs.put(lrval)
while self.iparg_cont(self.fs.rand_scalar()):
lrval = self.iparg_init(None)
self.fs.put(lrval)
# finally, the last value
abvals = self.iparg_fin()
self.fs.put(abvals)
# done!
return self.fs.to_string()
class BCCGPSqrtProverNI(BCCGPSqrtProver):
def __init__(self, ckt, curve=None):
super(BCCGPSqrtProverNI, self).__init__(ckt, curve)
self.fs = FiatShamir(Defs.prime)
def run(self, inputs):
# solve the AC
(inputs, outputs, ai, bi, ci) = ACSolver(self.ckt).solve(inputs)
# put the inputs and outputs into the transcript
self.fs.put(inputs, True)
self.fs.put(outputs, True)
# commit to the witness
wcom = self.witness_commit(ai, bi, ci)
self.fs.put(wcom)
# commit to the resulting polynomial
chal = self.fs.rand_scalar()
pcom = self.poly_commit(chal)
self.fs.put(pcom)
# evaluate the polynomial at the challenge point
chal = self.fs.rand_scalar()
peval = self.poly_eval(chal)
self.fs.put(peval)
# done!
return self.fs.to_string()
def run_fennel(verifier_info):
# set curve and prime
Defs.curve = verifier_info.curve
util.set_prime(libfennel.commit.MiraclEC.get_order(Defs.curve))
# pylint doesn't seed to understand how classmethods are inherited from metclasses
p_from_pws = verifier_info.proofType.ProverClass.from_pws # pylint: disable=no-member
v_from_pws = verifier_info.proofType.VerifierClass.from_pws # pylint: disable=no-member
pFile = pypws.parse_pws(verifier_info.pwsFile, str(Defs.prime))
# handle RDL
if verifier_info.rdlFile is not None:
rFile = pypws.parse_pws_unopt(verifier_info.rdlFile, str(Defs.prime))
(r_input_layer,
rdl_map) = libfennel.parse_pws.parse_rdl(rFile, verifier_info.nCopies,
pFile[0])
# either generate or read in proof
if verifier_info.vProofFile is None:
(input_layer, prv) = p_from_pws(pFile, verifier_info.nCopies)
prv.build_prover()
# set up RDL
if verifier_info.rdlFile is not None:
inputs = get_inputs(verifier_info, r_input_layer)
prv.set_rdl(rdl_map, len(r_input_layer))
else:
inputs = get_inputs(verifier_info, input_layer)
# handle nondeterminism options
if verifier_info.ndBits is not None:
prv.set_nondet_range(verifier_info.ndBits)
if verifier_info.ndGen is not None:
prv.set_nondet_gen(verifier_info.ndGen)
if verifier_info.rvStart is not None and verifier_info.rvEnd is not None:
prv.set_rval_range(verifier_info.rvStart, verifier_info.rvEnd)
if verifier_info.witnessDiv is not None:
prv.set_wdiv(verifier_info.witnessDiv)
verifier_info.pStartTime = time.time()
proof = prv.run(inputs)
verifier_info.pEndTime = time.time()
else:
with open(verifier_info.vProofFile, 'r') as fh:
proof = bz2.decompress(fh.read())
verifier_info.Log.log(
"Proof size: %d elems, %d bytes" % FiatShamir.proof_size(proof), True)
# either verify or write out proof
if verifier_info.pProofFile is None:
(_, ver) = v_from_pws(pFile, verifier_info.nCopies)
# set up RDL
if verifier_info.rdlFile is not None:
ver.set_rdl(rdl_map, len(r_input_layer))
verifier_info.vStartTime = time.time()
try:
ver.run(proof)
except Exception as e: # pylint: disable=broad-except
verifier_info.Log.log("Verification failed: %s" % e, True)
verifier_info.Log.log(traceback.format_exc(), True)
else:
verifier_info.Log.log("Verification succeeded.", True)
verifier_info.vEndTime = time.time()
else:
with open(verifier_info.pProofFile, 'w') as fh:
fh.write(bz2.compress(proof))
nInBits = util.clog2(len(input_layer))
if verifier_info.rdlFile is not None:
nInBits = util.clog2(len(r_input_layer))
nCopies = verifier_info.nCopies
nLayers = len(ver.in0vv) + 1 if verifier_info.rdlFile is not None else 0
verifier_info.Log.log(
"nInBits: %d, nCopies: %d, nLayers: %d" % (nInBits, nCopies, nLayers),
verifier_info.showPerf)
if Defs.track_fArith:
verifier_info.Log.log(str(Defs.fArith()), verifier_info.showPerf)