Skip to content

Commit

Permalink
Improved batch verification for Lelantus one-of-many proofs
Browse files Browse the repository at this point in the history
  • Loading branch information
AaronFeickert committed Jul 12, 2021
1 parent 8192c5f commit e21f215
Show file tree
Hide file tree
Showing 7 changed files with 393 additions and 267 deletions.
16 changes: 8 additions & 8 deletions src/liblelantus/lelantus_primitives.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -53,9 +53,9 @@ GroupElement LelantusPrimitives::double_commit(
}

void LelantusPrimitives::convert_to_sigma(
uint64_t num,
uint64_t n,
uint64_t m,
std::size_t num,
std::size_t n,
std::size_t m,
std::vector<Scalar>& out) {
out.reserve(n * m);
Scalar one(uint64_t(1));
Expand All @@ -74,11 +74,11 @@ void LelantusPrimitives::convert_to_sigma(
}
}

std::vector<uint64_t> LelantusPrimitives::convert_to_nal(
uint64_t num,
uint64_t n,
uint64_t m) {
std::vector<uint64_t> result;
std::vector<std::size_t> LelantusPrimitives::convert_to_nal(
std::size_t num,
std::size_t n,
std::size_t m) {
std::vector<std::size_t> result;
result.reserve(m);
while (num != 0)
{
Expand Down
4 changes: 2 additions & 2 deletions src/liblelantus/lelantus_primitives.h
Original file line number Diff line number Diff line change
Expand Up @@ -64,9 +64,9 @@ class LelantusPrimitives {
const Scalar& r,
GroupElement& result_out);

static void convert_to_sigma(uint64_t num, uint64_t n, uint64_t m, std::vector<Scalar>& out);
static void convert_to_sigma(std::size_t num, std::size_t n, std::size_t m, std::vector<Scalar>& out);

static std::vector<uint64_t> convert_to_nal(uint64_t num, uint64_t n, uint64_t m);
static std::vector<std::size_t> convert_to_nal(std::size_t num, std::size_t n, std::size_t m);

static void generate_Lelantus_challenge(
const std::vector<SigmaExtendedProof>& proofs,
Expand Down
49 changes: 34 additions & 15 deletions src/liblelantus/sigmaextended_prover.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -5,17 +5,19 @@ namespace lelantus {
SigmaExtendedProver::SigmaExtendedProver(
const GroupElement& g,
const std::vector<GroupElement>& h_gens,
uint64_t n,
uint64_t m)
std::size_t n,
std::size_t m)
: g_(g)
, h_(h_gens)
, n_(n)
, m_(m) {
}

// Generate the initial portion of a one-of-many proof
// Internal prover state is maintained separately, in order to facilitate the last part of the proof later
void SigmaExtendedProver::sigma_commit(
const std::vector<GroupElement>& commits,
int l,
std::size_t l,
const Scalar& rA,
const Scalar& rB,
const Scalar& rC,
Expand All @@ -26,8 +28,25 @@ void SigmaExtendedProver::sigma_commit(
std::vector<Scalar>& Yk,
std::vector<Scalar>& sigma,
SigmaExtendedProof& proof_out) {
// Sanity checks
if (n_ < 2 || m_ < 2) {
throw std::invalid_argument("Prover parameters are invalid");
}
std::size_t N = (std::size_t)pow(n_, m_);
std::size_t setSize = commits.size();
assert(setSize > 0);
if (setSize == 0) {
throw std::invalid_argument("Cannot have empty commitment set");
}
if (setSize > N) {
throw std::invalid_argument("Commitment set is too large");
}
if (l >= setSize) {
throw std::invalid_argument("Signing index is out of range");
}
if (h_.size() != n_ * m_) {
throw std::invalid_argument("Generator vector size is invalid");
}

LelantusPrimitives::convert_to_sigma(l, n_, m_, sigma);
for (std::size_t k = 0; k < m_; ++k)
{
Expand Down Expand Up @@ -70,13 +89,12 @@ void SigmaExtendedProver::sigma_commit(
}
LelantusPrimitives::commit(g_,h_, d, rD, proof_out.D_);

std::size_t N = setSize;
std::vector<std::vector<Scalar>> P_i_k;
P_i_k.resize(N);
for (std::size_t i = 0; i < N - 1; ++i)
P_i_k.resize(setSize);
for (std::size_t i = 0; i < setSize - 1; ++i)
{
std::vector<Scalar>& coefficients = P_i_k[i];
std::vector<uint64_t> I = LelantusPrimitives::convert_to_nal(i, n_, m_);
std::vector<std::size_t> I = LelantusPrimitives::convert_to_nal(i, n_, m_);
coefficients.push_back(a[I[0]]);
coefficients.push_back(sigma[I[0]]);
for (std::size_t j = 1; j < m_; ++j) {
Expand All @@ -102,17 +120,17 @@ void SigmaExtendedProver::sigma_commit(
* \right]
*/

std::vector<uint64_t> I = LelantusPrimitives::convert_to_nal(N-1, n_, m_);
std::vector<uint64_t> lj = LelantusPrimitives::convert_to_nal(l, n_, m_);
std::vector<std::size_t> I = LelantusPrimitives::convert_to_nal(setSize - 1, n_, m_);
std::vector<std::size_t> lj = LelantusPrimitives::convert_to_nal(l, n_, m_);

std::vector<Scalar> p_i_sum;
p_i_sum.emplace_back(one);
std::vector<std::vector<Scalar>> partial_p_s;

// Pre-calculate product parts and calculate p_s(x) at the same time, put the latter into p_i_sum
for (int j = m_ - 1; j >= 0; j--) {
for (std::size_t j = m_; j > 0; j--) {
partial_p_s.push_back(p_i_sum);
LelantusPrimitives::new_factor(sigma[j * n_ + I[j]], a[j * n_ + I[j]], p_i_sum);
LelantusPrimitives::new_factor(sigma[(j - 1) * n_ + I[j - 1]], a[(j - 1) * n_ + I[j - 1]], p_i_sum);
}

for (std::size_t j = 0; j < m_; j++) {
Expand All @@ -131,15 +149,15 @@ void SigmaExtendedProver::sigma_commit(
p_i_sum[j + k] += polynomial[k];
}

P_i_k[N-1] = p_i_sum;
P_i_k[setSize - 1] = p_i_sum;

proof_out.Gk_.reserve(m_);
proof_out.Qk.reserve(m_);
for (std::size_t k = 0; k < m_; ++k)
{
std::vector<Scalar> P_i;
P_i.reserve(N);
for (std::size_t i = 0; i < N; ++i){
P_i.reserve(setSize);
for (std::size_t i = 0; i < setSize; ++i){
P_i.emplace_back(P_i_k[i][k]);
}
secp_primitives::MultiExponent mult(commits, P_i);
Expand All @@ -150,6 +168,7 @@ void SigmaExtendedProver::sigma_commit(
}
}

// Generate the rest of the one-of-many proof
void SigmaExtendedProver::sigma_response(
const std::vector<Scalar>& sigma,
const std::vector<Scalar>& a,
Expand Down
8 changes: 4 additions & 4 deletions src/liblelantus/sigmaextended_prover.h
Original file line number Diff line number Diff line change
Expand Up @@ -9,11 +9,11 @@ class SigmaExtendedProver{

public:
SigmaExtendedProver(const GroupElement& g,
const std::vector<GroupElement>& h_gens, uint64_t n, uint64_t m);
const std::vector<GroupElement>& h_gens, std::size_t n, std::size_t m);

void sigma_commit(
const std::vector<GroupElement>& commits,
int l,
std::size_t l,
const Scalar& rA,
const Scalar& rB,
const Scalar& rC,
Expand Down Expand Up @@ -43,8 +43,8 @@ class SigmaExtendedProver{
private:
GroupElement g_;
std::vector<GroupElement> h_;
uint64_t n_;
uint64_t m_;
std::size_t n_;
std::size_t m_;
};

}//namespace lelantus
Expand Down
Loading

0 comments on commit e21f215

Please sign in to comment.