open Bls
open Utils

(* Degree-bound check in which the proof is a G1 element.
   [check srs_n_d cm proof] hands the pairs (-cm, srs_n_d) and (proof, G2.one)
   to [Pairing.pairing_check]. Per the protocol description further down, this
   is meant to decide e(cm, srs_n_d) = e(proof, h).
   NOTE(review): [Pairing.pairing_check] comes from [Bls] and is not visible
   here - confirm it accepts exactly when the product of the pairings is the
   identity of G_T. *)
module Pairing_G1 = struct
  module Proof = G1

  let check srs_n_d cm proof =
    let commitment_side = (G1.negate cm, srs_n_d) in
    let proof_side = (proof, G2.one) in
    Pairing.pairing_check [commitment_side; proof_side]
end

(* Same check with the proof living in G2: the second pair is (G1.one, proof)
   instead of (proof, G2.one). The first pair is unchanged. *)
module Pairing_G2 = struct
  module Proof = G2

  let check srs_n_d cm proof =
    let commitment_side = (G1.negate cm, srs_n_d) in
    let proof_side = (G1.one, proof) in
    Pairing.pairing_check [commitment_side; proof_side]
end

(* What [Make] needs from a pairing backend: the group the proof lives in and
   the boolean pairing check over (G2 element, G1 commitment, proof).
   The name is spelled [Paring_G] in this file; it is left untouched because
   it is part of the module's visible interface. *)
module type Paring_G = sig
  module Proof : G_sig

  val check : G2.t -> G1.t -> Proof.t -> bool
end

module Make (Pairing : Paring_G) = struct
  (* Inside this functor [Pairing] is the functor argument, not the [Pairing]
     module that the two backends above reach through [open Bls]. *)
  module Cm = Commitment.Single (G1)
  module Proof = Commitment.Single (Pairing.Proof)

  type prover_public_parameters = Pairing.Proof.Srs.t

  type verifier_public_parameters = G2.t

  type secret = Poly.t

  (* Protocol.
     p(X) has degree n. The largest degree that can be committed is d, which
     is also the SRS's length - 1. d is taken to be
     t.max_polynomial_length - 1, since we don't want to commit polynomials
     whose degree exceeds that of the polynomials to be erasure-encoded.

     We consider the bilinear groups (G_1, G_2, G_T) with G_1=<g> and G_2=<h>.
     - Commit (p X^{d-n}) such that deg (p X^{d-n}) = d, the max degree that
       can be committed.
     - Verify: checks if e(commit(p), commit(X^{d-n})) = e(commit(p X^{d-n}), h)
       using the commitments for p and p X^{d-n}, and computing the commitment
       for X^{d-n} on G_2. *)

  (* Proves that degree(p) < t.max_polynomial_length by committing to [p]
     shifted by [max_commit - max_degree].

     FIXME https://gitlab.com/tezos/tezos/-/issues/4192
     Generalize this function to pass the slot_size in parameter.

     Note: this reallocates a buffer of size (Srs_g1.size t.srs.raw.srs_g1)
     (2^21 elements in practice), so roughly 100MB. The allocation could be
     avoided by giving an offset for the SRS in Pippenger.

     NOTE(review): the shift is handed to [Poly.mul_xn] without a sign check.
     How [Poly.mul_xn] treats a negative shift, and the role of its
     [Scalar.zero] argument, are not visible from this file - confirm callers
     keep max_degree <= max_commit. *)
  let prove ~max_commit ~max_degree srs p =
    let shift = max_commit - max_degree in
    let shifted = Poly.mul_xn p shift Scalar.zero in
    Proof.commit srs shifted

  (* Verifies that the degree of the committed polynomial is
     < t.max_polynomial_length, i.e. that cm * committed_offset_monomial = proof.

     [srs_n_d] is taken as given: the result only means something if it is the
     G2 commitment to the offset monomial X^{d-n} for the intended bound.
     NOTE(review): no subgroup or identity checks on [cm] or [proof] happen in
     this function - presumably they are enforced where the points are decoded;
     confirm. *)
  let verify srs_n_d cm proof = Pairing.check srs_n_d cm proof

  (* Order matters: [Commit] must be aliased before [Commitment] is rebound to
     the G1 instantiation on the next line. *)
  module Commit = Commitment.Commit
  module Commitment = Commitment.Make (G1)

  (* Batched version of [prove] for a map of polynomials.
     The commitments [cm] are absorbed into the transcript, one scalar is drawn
     from it, and a single proof is produced for the sum of the polynomials in
     [p], each scaled by the entry of [rs] at its position in [SMap.fold]
     order. Returns the proof together with the updated transcript.

     NOTE(review): [rs] is sized from [cm] (presumably [SMap.cardinal cm]
     entries) but indexed while folding over [p], and nothing here checks that
     the two maps carry the same keys. With more entries in [p] than in [cm]
     the array access goes out of bounds; with different key sets the weights
     no longer line up with the ones [verify_multi] applies to the
     commitments. Confirm callers guarantee matching key sets. *)
  let prove_multi ~max_commit ~max_degree srs transcript cm p =
    let transcript = Transcript.expand Commitment.t cm transcript in
    let challenge, transcript = Fr_generation.random_fr transcript in
    let rs = Fr_generation.powers (SMap.cardinal cm) challenge in
    (* The body of the step function is kept exactly as written: names inside
       the local open of [Poly] resolve against that module first. *)
    let accumulate _ p (acc, i) =
      (Poly.(acc + mul_by_scalar rs.(i) p), i + 1)
    in
    let combined, _ = SMap.fold accumulate p (Poly.zero, 0) in
    let proof = prove ~max_commit ~max_degree srs combined in
    (proof, transcript)

  (* Batched version of [verify]: verifies that the degree of the committed
     polynomials is < t.max_polynomial_length by checking
     cm * committed_offset_monomial = proof on the combined commitment.

     The scalar is re-derived from [cm] and the incoming transcript exactly as
     in [prove_multi], so both sides must start from the same transcript state
     and the same commitment map. The commitments are then combined with [rs]
     in [SMap.values] order.
     NOTE(review): this relies on [SMap.values] listing entries in the same
     order [SMap.fold] visits them in [prove_multi] - confirm in [Utils]. *)
  let verify_multi pp transcript (cm : Commitment.t) proof =
    let transcript = Transcript.expand Commitment.t cm transcript in
    let challenge, transcript = Fr_generation.random_fr transcript in
    let rs = Fr_generation.powers (SMap.cardinal cm) challenge in
    let points = Array.of_list (SMap.values cm) in
    let combined_cm = Commit.with_affine_array_1 points rs in
    let accepted = verify pp combined_cm proof in
    (accepted, transcript)
end

(* Default instantiation: proofs in G2. The G1-proof variant is exposed as
   [G1_proof]. *)
include Make (Pairing_G2)
module G1_proof = Make (Pairing_G1)