def batch_verify_eval(self, commits, i, shares, auxes, witnesses):
assert (len(commits) == len(shares) and len(commits) == len(witnesses)
and len(commits) == len(auxes))
commitprod = G1.one()
witnessprod = G1.one()
sharesum = ZR(0)
auxsum = ZR(0)
for j in range(len(commits)):
commitprod *= commits[j]
witnessprod *= witnesses[j]
sharesum += shares[j]
auxsum += auxes[j]
lhs = pair(commitprod, self.ghats[0])
rhs = (pair(witnessprod, self.ghats[1] * self.ghats[0]**(-i)) *
(self.gg**sharesum) * (self.gh**auxsum))
return lhs == rhs
def commit(self, phi):
c = G1.one()
phi_hat = polynomials_over(self.field).random(self.t)
i = 0
for item in self.gs:
c *= item**phi.coeffs[i]
i += 1
i = 0
for item in self.hs:
c *= item**phi_hat.coeffs[i]
i += 1
# c should equal g **(phi(alpha)) h **(phi_hat(alpha))
return c, phi_hat
def create_witness(self, phi, phi_hat, i):
poly = polynomials_over(self.field)
div = poly([-1 * i, 1])
psi = (phi - poly([phi(i)])) / div
psi_hat = (phi_hat - poly([phi_hat(i)])) / div
witness = G1.one()
j = 0
for item in self.gs[:-1]:
witness *= item**psi.coeffs[j]
j += 1
j = 0
for item in self.hs[:-1]:
witness *= item**psi_hat.coeffs[j]
j += 1
return witness
def verify_eval(self, cs, i, phi_at_i, witness):
lhs = G1.one()
for j in range(len(cs)):
lhs *= pow(cs[j], pow(i, j))
rhs = pow(self.g, phi_at_i) * pow(self.h, witness)
return lhs == rhs
