(*****************************************************************************)
(* *)
(* MIT License *)
(* Copyright (c) 2022 Nomadic Labs <contact@nomadic-labs.com> *)
(* *)
(* Permission is hereby granted, free of charge, to any person obtaining a *)
(* copy of this software and associated documentation files (the "Software"),*)
(* to deal in the Software without restriction, including without limitation *)
(* the rights to use, copy, modify, merge, publish, distribute, sublicense, *)
(* and/or sell copies of the Software, and to permit persons to whom the *)
(* Software is furnished to do so, subject to the following conditions: *)
(* *)
(* The above copyright notice and this permission notice shall be included *)
(* in all copies or substantial portions of the Software. *)
(* *)
(* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR*)
(* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, *)
(* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL *)
(* THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER*)
(* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING *)
(* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER *)
(* DEALINGS IN THE SOFTWARE. *)
(* *)
(*****************************************************************************)
open Bls
module type S = sig
(** Raised by the prover when the provided inputs are not a satisfying
assignment of the circuit. *)
exception Rest_not_null of string
(** Raised by the prover when the provided inputs are not a satisfying
assignment of the circuit when using Plookup. *)
exception Entry_not_in_table of string
module Input_commitment : Input_commitment.S
type scalar = Scalar.t [@@deriving repr]
(** *)
val scalar_encoding : scalar Data_encoding.t
(** Before proving and verifying, circuits go through a pre-processing
step called [setup].
The [setup] takes as input a [circuit_map], which associates
an identifier to a circuit and the number of statements that can be
proved with that circuit.
This produces a set of [public_parameters] which are bound to the
circuits and can be reused.
*)
type circuit_map = (Circuit.t * int) SMap.t
(** Set of [public_parameters] needed by the prover.
Its size is linear in the size of the circuits.
*)
type prover_public_parameters [@@deriving repr]
(** Set of [public_parameters] needed by the verifier.
Its size is constant w.r.t. the size of the circuits.
*)
type verifier_public_parameters [@@deriving repr]
val verifier_public_parameters_encoding :
verifier_public_parameters Data_encoding.t
(** Succinct proof for a collection of statements. *)
type proof [@@deriving repr]
val proof_encoding : proof Data_encoding.t
(** Witness is the whole trace for the circuit, including
input_commitment values first, followed by public input
values and followed by the rest of the trace.
This is the prover input for a single proof. *)
type circuit_prover_input = {
witness : scalar array;
input_commitments : Input_commitment.t list;
}
[@@deriving repr]
(** Map where each circuit identifier is bound to
a list of [circuit_prover_input] for a list of statements. *)
type prover_inputs = circuit_prover_input list SMap.t [@@deriving repr]
(** The public inputs for one circuit & several statements *)
type public_inputs [@@deriving repr]
(** The verifier inputs, represented as a map where each circuit is binded to
the verifier inputs for this circuit. *)
type verifier_inputs =
(public_inputs * Input_commitment.public list list) SMap.t
[@@deriving repr]
(** Conversion from [prover_inputs] to [verifier_inputs]. *)
val to_verifier_inputs :
prover_public_parameters -> prover_inputs -> verifier_inputs
(** [input_commit ~shift pp secret] produces a commitment to the [secret]
array and additional prover information. This commitment is designed to be
easily involved in a PlonK proof. In particular, the values of [secret]
will be added to the arithmetic identity in such a way that [secret.(i)]
participates in constraint number [shift + i], where equality will be
asserted with respect to a PlonK variable in the same constraint.
This allows us to "load" the value of [secret.(i)] into the variable, which
may be reused across the circuit.
The optional argument [shift] has a default value of 0.
The commitment is relative to a certain domain size [n], included in [pp],
the secret will remain information-theoretically hidden as long as the
commitment is involved in at most [n - |secret|] different proofs.
If the optionnal argument [size] is given, the secret will be padded with
zeros to have the length [size] (note that an error will be risen if size
is smaller than the secret length).
*)
val input_commit :
?size:int ->
?shift:int ->
prover_public_parameters ->
scalar array ->
Input_commitment.t
(** [setup ~zero_knowledge circuit_map ~srs] pre-processes the [circuit_map]
producing the public parameters.
The SRSs of ZCash and Filecoin can be loaded from file using the
{!Bls12_381_polynomial} library.
Activating [zero_knowledge] adds an overhead in proving time.
*)
val setup :
zero_knowledge:bool ->
circuit_map ->
srs:Srs.t * Srs.t ->
prover_public_parameters * verifier_public_parameters
(** Enrich the [prover_public_parameters] with extra application data to
prevent replay attacks.
The same data must be used for updating the prover and verifier
public parameters.
*)
val update_prover_public_parameters :
Bytes.t -> prover_public_parameters -> prover_public_parameters
(** Enrich the [verifier_public_parameters] with extra application data to
prevent replay attacks.
The same data must be used for updating the prover and verifier
public parameters.
*)
val update_verifier_public_parameters :
Bytes.t -> verifier_public_parameters -> verifier_public_parameters
(** [prove public_parameters ~inputs] produces a proof for the collection
of statements implied by [inputs] and the circuits used for generating
[public_parameters].
@raises Rest_not_null
@raises Entry_not_in_table
*)
val prove : prover_public_parameters -> inputs:prover_inputs -> proof
(** [verify public_parameters ~inputs proof] checks the validity of the
[proof] with regards to [public_parameters] and [inputs].
*)
val verify :
verifier_public_parameters -> inputs:verifier_inputs -> proof -> bool
module Internal_for_tests : sig
(** [mutate_vi vi] returns None if vi is empty and Some vi' else.
vi' is slightly different from vi *)
val mutate_vi : verifier_inputs -> verifier_inputs option
end
end