From 3620b7c0cf54285ecc043ade36fdae160c9c17b4 Mon Sep 17 00:00:00 2001 From: Bowen Xue <93296844+bxue-l2@users.noreply.github.com> Date: Mon, 29 Apr 2024 16:00:03 -0700 Subject: [PATCH] add open commitment utils (#446) Co-authored-by: Bowen Xue --- .../utils/openCommitment/open_commitment.go | 134 ++++++++++++++++++ .../openCommitment/open_commitment_test.go | 105 ++++++++++++++ 2 files changed, 239 insertions(+) create mode 100644 encoding/utils/openCommitment/open_commitment.go create mode 100644 encoding/utils/openCommitment/open_commitment_test.go diff --git a/encoding/utils/openCommitment/open_commitment.go b/encoding/utils/openCommitment/open_commitment.go new file mode 100644 index 0000000000..2b45640845 --- /dev/null +++ b/encoding/utils/openCommitment/open_commitment.go @@ -0,0 +1,134 @@ +package openCommitment + +import ( + "errors" + "fmt" + "math/big" + + "github.com/consensys/gnark-crypto/ecc" + "github.com/consensys/gnark-crypto/ecc/bn254" + "github.com/consensys/gnark-crypto/ecc/bn254/fr" +) + +// Implement https://github.com/ethereum/consensus-specs/blob/017a8495f7671f5fff2075a9bfc9238c1a0982f8/specs/deneb/polynomial-commitments.md#compute_kzg_proof_impl +func ComputeKzgProof( + evalFr []fr.Element, + index int, + G1srsLagrange []bn254.G1Affine, + rootOfUnities []fr.Element, +) (*bn254.G1Affine, *fr.Element, error) { + if len(evalFr) != len(rootOfUnities) { + return nil, nil, fmt.Errorf("inconsistent length between blob and root of unities") + } + if index < 0 || index >= len(evalFr) { + return nil, nil, fmt.Errorf("the function only opens points within a blob") + } + + polyShift := make([]fr.Element, len(evalFr)) + + valueFr := evalFr[index] + + zFr := rootOfUnities[index] + + for i := 0; i < len(polyShift); i++ { + polyShift[i].Sub(&evalFr[i], &valueFr) + } + + denomPoly := make([]fr.Element, len(rootOfUnities)) + + for i := 0; i < len(evalFr); i++ { + denomPoly[i].Sub(&rootOfUnities[i], &zFr) + } + + quotientPoly := make([]fr.Element, len(rootOfUnities)) + for i := 0; i < len(quotientPoly); i++ { + if denomPoly[i].IsZero() { + quotientPoly[i] = computeQuotientEvalOnDomain(zFr, evalFr, valueFr, rootOfUnities) + } else { + quotientPoly[i].Div(&polyShift[i], &denomPoly[i]) + } + } + + config := ecc.MultiExpConfig{} + + var proof bn254.G1Affine + _, err := proof.MultiExp(G1srsLagrange, quotientPoly, config) + if err != nil { + return nil, nil, err + } + + return &proof, &valueFr, nil +} + +func VerifyKzgProof(G1Gen, commitment, proof bn254.G1Affine, G2Gen, G2tau bn254.G2Affine, valueFr, zFr fr.Element) error { + + var valueG1 bn254.G1Affine + var valueBig big.Int + valueG1.ScalarMultiplication(&G1Gen, valueFr.BigInt(&valueBig)) + + var commitMinusValue bn254.G1Affine + commitMinusValue.Sub(&commitment, &valueG1) + + var zG2 bn254.G2Affine + zG2.ScalarMultiplication(&G2Gen, zFr.BigInt(&valueBig)) + + var xMinusZ bn254.G2Affine + xMinusZ.Sub(&G2tau, &zG2) + + return PairingsVerify(&commitMinusValue, &G2Gen, &proof, &xMinusZ) +} + +func PairingsVerify(a1 *bn254.G1Affine, a2 *bn254.G2Affine, b1 *bn254.G1Affine, b2 *bn254.G2Affine) error { + var negB1 bn254.G1Affine + negB1.Neg(b1) + + P := [2]bn254.G1Affine{*a1, negB1} + Q := [2]bn254.G2Affine{*a2, *b2} + + ok, err := bn254.PairingCheck(P[:], Q[:]) + if err != nil { + return err + } + if !ok { + return errors.New("pairingCheck pairing not ok") + } + + return nil +} + +func CommitInLagrange(evalFr []fr.Element, G1srsLagrange []bn254.G1Affine) (*bn254.G1Affine, error) { + config := ecc.MultiExpConfig{} + + var proof bn254.G1Affine + _, err := proof.MultiExp(G1srsLagrange, evalFr, config) + if err != nil { + return nil, err + } + return &proof, nil +} + +// Implement https://github.com/ethereum/consensus-specs/blob/017a8495f7671f5fff2075a9bfc9238c1a0982f8/specs/deneb/polynomial-commitments.md#compute_quotient_eval_within_domain +func computeQuotientEvalOnDomain(zFr fr.Element, evalFr []fr.Element, valueFr fr.Element, rootOfunities []fr.Element) fr.Element { + var quotient fr.Element + var f_i, numerator, denominator, temp fr.Element + + for i := 0; i < len(rootOfunities); i++ { + omega_i := rootOfunities[i] + if omega_i.Equal(&zFr) { + continue + } + + f_i.Sub(&evalFr[i], &valueFr) + numerator.Mul(&f_i, &omega_i) + + denominator.Sub(&zFr, &omega_i) + denominator.Mul(&denominator, &zFr) + + numerator.Mul(&f_i, &omega_i) + temp.Div(&numerator, &denominator) + + quotient.Add("ient, &temp) + + } + return quotient +} diff --git a/encoding/utils/openCommitment/open_commitment_test.go b/encoding/utils/openCommitment/open_commitment_test.go new file mode 100644 index 0000000000..1430130b38 --- /dev/null +++ b/encoding/utils/openCommitment/open_commitment_test.go @@ -0,0 +1,105 @@ +package openCommitment_test + +import ( + "crypto/rand" + "log" + "math/big" + "runtime" + "testing" + + "github.com/Layr-Labs/eigenda/encoding" + "github.com/Layr-Labs/eigenda/encoding/kzg" + kzgProver "github.com/Layr-Labs/eigenda/encoding/kzg/prover" + "github.com/Layr-Labs/eigenda/encoding/rs" + "github.com/Layr-Labs/eigenda/encoding/utils/codec" + oc "github.com/Layr-Labs/eigenda/encoding/utils/openCommitment" + + "github.com/consensys/gnark-crypto/ecc/bn254" + "github.com/consensys/gnark-crypto/ecc/bn254/fr" + "github.com/stretchr/testify/require" +) + +var ( + gettysburgAddressBytes = []byte("Fourscore and seven years ago our fathers brought forth, on this continent, a new nation, conceived in liberty, and dedicated to the proposition that all men are created equal. Now we are engaged in a great civil war, testing whether that nation, or any nation so conceived, and so dedicated, can long endure. We are met on a great battle-field of that war. We have come to dedicate a portion of that field, as a final resting-place for those who here gave their lives, that that nation might live. It is altogether fitting and proper that we should do this. But, in a larger sense, we cannot dedicate, we cannot consecrate—we cannot hallow—this ground. The brave men, living and dead, who struggled here, have consecrated it far above our poor power to add or detract. The world will little note, nor long remember what we say here, but it can never forget what they did here. It is for us the living, rather, to be dedicated here to the unfinished work which they who fought here have thus far so nobly advanced. It is rather for us to be here dedicated to the great task remaining before us—that from these honored dead we take increased devotion to that cause for which they here gave the last full measure of devotion—that we here highly resolve that these dead shall not have died in vain—that this nation, under God, shall have a new birth of freedom, and that government of the people, by the people, for the people, shall not perish from the earth.") + kzgConfig *kzg.KzgConfig + numNode uint64 + numSys uint64 + numPar uint64 +) + +func TestOpenCommitment(t *testing.T) { + log.Println("Setting up suite") + + kzgConfig = &kzg.KzgConfig{ + G1Path: "../../../inabox/resources/kzg/g1.point", + G2Path: "../../../inabox/resources/kzg/g2.point", + G2PowerOf2Path: "../../../inabox/resources/kzg/g2.point.powerOf2", + CacheDir: "../../../inabox/resources/kzg/SRSTables", + SRSOrder: 3000, + SRSNumberToLoad: 3000, + NumWorker: uint64(runtime.GOMAXPROCS(0)), + } + + // input evaluation + validInput := codec.ConvertByPaddingEmptyByte(gettysburgAddressBytes) + inputFr, err := rs.ToFrArray(validInput) + require.Nil(t, err) + + frLen := uint64(len(inputFr)) + paddedInputFr := make([]fr.Element, encoding.NextPowerOf2(frLen)) + // pad input Fr to power of 2 for computing FFT + for i := 0; i < len(paddedInputFr); i++ { + if i < len(inputFr) { + paddedInputFr[i].Set(&inputFr[i]) + } else { + paddedInputFr[i].SetZero() + } + } + + // we need prover only to access kzg SRS, and get kzg commitment of encoding + group, err := kzgProver.NewProver(kzgConfig, true) + require.Nil(t, err) + + // get root of unit for blob + numNode = 4 + numSys = 4 + numPar = 0 + numOpenChallenge := 10 + + params := encoding.ParamsFromSysPar(numSys, numPar, uint64(len(validInput))) + enc, err := group.GetKzgEncoder(params) + require.Nil(t, err) + rootOfUnities := enc.Fs.ExpandedRootsOfUnity[:len(enc.Fs.ExpandedRootsOfUnity)-1] + + // Lagrange basis SRS in normal order, not butterfly + lagrangeG1SRS, err := enc.Fs.FFTG1(group.Srs.G1[:len(paddedInputFr)], true) + require.Nil(t, err) + + // commit in lagrange form + commitLagrange, err := oc.CommitInLagrange(paddedInputFr, lagrangeG1SRS) + require.Nil(t, err) + + modulo := big.NewInt(int64(len(inputFr))) + // pick a random place in the blob to open + for k := 0; k < numOpenChallenge; k++ { + + indexBig, err := rand.Int(rand.Reader, modulo) + require.Nil(t, err) + + index := int(indexBig.Int64()) + + // open at index on the kzg + proof, valueFr, err := oc.ComputeKzgProof(paddedInputFr, index, lagrangeG1SRS, rootOfUnities) + require.Nil(t, err) + + _, _, g1Gen, g2Gen := bn254.Generators() + + err = oc.VerifyKzgProof(g1Gen, *commitLagrange, *proof, g2Gen, group.Srs.G2[1], *valueFr, rootOfUnities[index]) + require.Nil(t, err) + + require.Equal(t, *valueFr, inputFr[index]) + + //valueBytse := valueFr.Bytes() + //fmt.Println("value Byte", string(valueBytse[1:])) + } +}