123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169(*****************************************************************************)(* *)(* MIT License *)(* Copyright (c) 2022 Nomadic Labs <contact@nomadic-labs.com> *)(* *)(* Permission is hereby granted, free of charge, to any person obtaining a *)(* copy of this software and associated documentation files (the "Software"),*)(* to deal in the Software without restriction, including without limitation *)(* the rights to use, copy, modify, merge, publish, distribute, sublicense, *)(* and/or sell copies of the Software, and to permit persons to whom the *)(* Software is furnished to do so, subject to the following conditions: *)(* *)(* The above copyright notice and this permission notice shall be included *)(* in all copies or substantial portions of the Software. *)(* *)(* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR*)(* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, *)(* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL *)(* THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER*)(* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING *)(* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER *)(* DEALINGS IN THE SOFTWARE. *)(* *)(*****************************************************************************)openBlsmoduletypeS=sig(** Raised by the prover when the provided inputs are not a satisfying
assignment of the circuit. *)exceptionRest_not_nullofstring(** Raised by the prover when the provided inputs are not a satisfying
assignment of the circuit when using Plookup. *)exceptionEntry_not_in_tableofstringmoduleInput_commitment:Input_commitment.Stypescalar=Scalar.t[@@derivingrepr](** *)valscalar_encoding:scalarData_encoding.t(** Before proving and verifying, circuits go through a pre-processing
step called [setup].
The [setup] takes as input a [circuit_map], which associates
an identifier to a circuit and the number of statements that can be
proved with that circuit.
This produces a set of [public_parameters] which are bound to the
circuits and can be reused.
*)typecircuit_map=(Circuit.t*int)SMap.t(** Set of [public_parameters] needed by the prover.
Its size is linear in the size of the circuits.
*)typeprover_public_parameters[@@derivingrepr](** Set of [public_parameters] needed by the verifier.
Its size is constant w.r.t. the size of the circuits.
*)typeverifier_public_parameters[@@derivingrepr]valverifier_public_parameters_encoding:verifier_public_parametersData_encoding.t(** Succinct proof for a collection of statements. *)typeproof[@@derivingrepr]valproof_encoding:proofData_encoding.t(** Witness is the whole trace for the circuit, including
input_commitment values first, followed by public input
values and followed by the rest of the trace.
This is the prover input for a single proof. *)typecircuit_prover_input={witness:scalararray;input_commitments:Input_commitment.tlist;}[@@derivingrepr](** Map where each circuit identifier is bound to
a list of [circuit_prover_input] for a list of statements. *)typeprover_inputs=circuit_prover_inputlistSMap.t[@@derivingrepr](** The public inputs for one circuit & several statements *)typepublic_inputs[@@derivingrepr](** The verifier inputs, represented as a map where each circuit is binded to
the verifier inputs for this circuit. *)typeverifier_inputs=(public_inputs*Input_commitment.publiclistlist)SMap.t[@@derivingrepr](** Conversion from [prover_inputs] to [verifier_inputs]. *)valto_verifier_inputs:prover_public_parameters->prover_inputs->verifier_inputs(** [input_commit ~shift pp secret] produces a commitment to the [secret]
array and additional prover information. This commitment is designed to be
easily involved in a PlonK proof. In particular, the values of [secret]
will be added to the arithmetic identity in such a way that [secret.(i)]
participates in constraint number [shift + i], where equality will be
asserted with respect to a PlonK variable in the same constraint.
This allows us to "load" the value of [secret.(i)] into the variable, which
may be reused across the circuit.
The optional argument [shift] has a default value of 0.
The commitment is relative to a certain domain size [n], included in [pp],
the secret will remain information-theoretically hidden as long as the
commitment is involved in at most [n - |secret|] different proofs.
If the optionnal argument [size] is given, the secret will be padded with
zeros to have the length [size] (note that an error will be risen if size
is smaller than the secret length).
*)valinput_commit:?size:int->?shift:int->prover_public_parameters->scalararray->Input_commitment.t(** [setup ~zero_knowledge circuit_map ~srs] pre-processes the [circuit_map]
producing the public parameters.
The SRSs of ZCash and Filecoin can be loaded from file using the
{!Bls12_381_polynomial} library.
Activating [zero_knowledge] adds an overhead in proving time.
*)valsetup:zero_knowledge:bool->circuit_map->srs:Srs.t*Srs.t->prover_public_parameters*verifier_public_parameters(** Enrich the [prover_public_parameters] with extra application data to
prevent replay attacks.
The same data must be used for updating the prover and verifier
public parameters.
*)valupdate_prover_public_parameters:Bytes.t->prover_public_parameters->prover_public_parameters(** Enrich the [verifier_public_parameters] with extra application data to
prevent replay attacks.
The same data must be used for updating the prover and verifier
public parameters.
*)valupdate_verifier_public_parameters:Bytes.t->verifier_public_parameters->verifier_public_parameters(** [prove public_parameters ~inputs] produces a proof for the collection
of statements implied by [inputs] and the circuits used for generating
[public_parameters].
@raises Rest_not_null
@raises Entry_not_in_table
*)valprove:prover_public_parameters->inputs:prover_inputs->proof(** [verify public_parameters ~inputs proof] checks the validity of the
[proof] with regards to [public_parameters] and [inputs].
*)valverify:verifier_public_parameters->inputs:verifier_inputs->proof->boolmoduleInternal_for_tests:sig(** [mutate_vi vi] returns None if vi is empty and Some vi' else.
vi' is slightly different from vi *)valmutate_vi:verifier_inputs->verifier_inputsoptionendend