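var multiproof = (function(){
    // Multiproof verification for verkle proofs.
    // The helpers used below (nobleEd25519, fr, points, poly, ipa,
    // multi_exponent, precomputes, verkle_binary) are defined outside this
    // section of the file.
    //
    // NOTE(review): this copy of the file was collapsed onto two physical lines,
    // so every `//` comment swallowed the code that followed it. The line
    // structure is restored here. Two places are damaged beyond repair and are
    // marked below: the body of calc_R, and the end of test_verify.
    var Extended = nobleEd25519.ExtendedPoint;

    function calc_R(cs, zs, ys){
        //cs is a list of affine points.
        //zs is a list of fr encoded values.
        //ys is a list of fr encoded values.
        var b = [];
        // NOTE(review): the text is damaged at this point. Everything between the
        // loop header and the trailing comment text is missing. The remnant is
        // kept verbatim on the next line, commented out because it cannot parse:
        //   for(var i = 0; i> = hash:doit(B),
        // calc_T, which verify() and verify_unused() call, is not defined anywhere
        // in the visible text, so it was presumably lost in the same gap. As it
        // stands calc_R returns undefined. Restore the missing text from the
        // original source before relying on this copy for verification.
        //fr:encode(R2 rem fr:prime()).
    };

    /**
     * Multiplies each element of c by successive powers of r, starting at a:
     * [c[0]*a, c[1]*a*r, c[2]*a*r*r, ...], all products taken with fr.mul.
     *
     * Written as a loop. The earlier recursive slice/concat form was quadratic
     * and used one stack frame per element, so a long proof could exhaust the
     * call stack.
     *
     * @param r multiplier applied between consecutive elements.
     * @param a factor for the first element.
     * @param c list of values to scale.
     * @returns a new list with the same length as c.
     */
    function mul_r_powers(r, a, c){
        const out = [];
        let power = a;
        for (let i = 0; i < c.length; i++) {
            out.push(fr.mul(c[i], power));
            power = fr.mul(power, r);
        }
        return out;
    }

    /** Commits to the scalars rs over the points xs via multi_exponent.doit. */
    function commit(rs, xs){//xs is points.
        return multi_exponent.doit(rs, xs);
    }

    /**
     * Builds the per-opening coefficients and their combination with ys.
     *
     * @returns [rids, result], where rids = mul_r_powers(r, 1n, ids), ids is
     *   fr.batch_inverse of the list (t - zs[i]), and result is fr.add_all over
     *   ys[i] * rids[i].
     */
    function calc_G2_2(r, t, ys, zs){
        const divisors = zs.map(function(z){ return fr.sub(t, z); });
        const ids = fr.batch_inverse(divisors);
        const rids = mul_r_powers(r, 1n, ids);
        const l1 = [];
        for (let i = 0; i < ys.length; i++) {
            l1.push(fr.mul(ys[i], rids[i]));
        }
        const result = fr.add_all(l1);
        return [rids, result];
    }

    // commits, zs and ys are parallel lists with one entry per opening.
    // calc_G2_2 indexes rids (derived from zs) by positions of ys, and
    // multi_exponent.doit pairs rids with commits.
    function lengths_match(commits, zs, ys){
        return commits.length === zs.length && zs.length === ys.length;
    }

    /**
     * Verifies a multiproof.
     *
     * @param co pair [commitg, ng2] taken from the proof.
     * @param commits list of commitments being opened.
     * @param zs list of fr encoded evaluation points, parallel to commits.
     * @param ys list of fr encoded claimed values, parallel to commits.
     * @returns true on success, otherwise ["error", reason].
     *
     * The failure value is a non-empty array and is therefore truthy. Callers
     * must compare the result with `=== true`. A plain `if (verify(...))` would
     * accept a rejected proof.
     */
    function verify(co, commits, zs, ys){
        //for the fast version of verkle proofs, that include all 256 elements of the vector commitment, no bullet proof.
        // Reject mismatched inputs before doing any arithmetic on them.
        if (!lengths_match(commits, zs, ys)) {
            return ["error", "multiproof length mismatch"];
        }
        const commitg = co[0];
        const ng2 = co[1];
        const gs = precomputes.ghq()[0];
        const da = precomputes.da();
        const pa = precomputes.a();
        const domain = precomputes.domain();
        const affines = points.extended2affine_batch(
            [commitg].concat(commits));
        const acg = affines[0];
        const affine_commits = affines.slice(1);
        const r = calc_R(affine_commits, zs, ys);
        const t = calc_T(acg, r);
        const ev = poly.eval_outside_v(
            t, domain, pa, poly.c2e(da, domain));
        const ag = commit(ng2, gs);
        const [rids, g2] = calc_G2_2(r, t, ys, zs);
        const commit_e = multi_exponent.doit(rids, commits);
        const commit_g_sub_e = points.sub(commitg, commit_e);
        // First check: commitg - commit_e must equal the commitment to ng2.
        if (!points.eq(commit_g_sub_e, ag)) {
            return ["error", "multiproof error"];
        }
        // Second check: g2 + <ng2, ev> must be zero in fr.
        const ab = fr.dot(ng2, ev);
        if (0n !== fr.add(g2, ab)) {
            return ["error", "multiproof error2"];
        }
        return true;
    }

    /**
     * Variant of verify() that checks an inner-product argument (ipa.verify)
     * in place of the full vector co[1]. Named "unused" by the author.
     *
     * @returns true on success, otherwise ["error", reason]. The failure value
     *   is truthy, so compare the result with `=== true`.
     */
    function verify_unused(co, commits, zs, ys){
        if (!lengths_match(commits, zs, ys)) {
            return ["error", "multiproof length mismatch"];
        }
        const commitg = co[0];
        const open_g_e = co[1];
        const [gs, hs, q] = precomputes.ghq();
        const da = precomputes.da();
        const pa = precomputes.a();
        const domain = precomputes.domain();
        const affines = points.extended2affine_batch(
            [commitg].concat(commits));
        const acg = affines[0];
        const affine_commits = affines.slice(1);
        const r = calc_R(affine_commits, zs, ys);
        const t = calc_T(acg, r);
        const ev = poly.eval_outside_v(
            t, domain, pa, poly.c2e(da, domain));
        // Debug output left in by the author.
        console.log(ev[1]);
        console.log(open_g_e);
        console.log(open_g_e[2]);
        //ev[0] and ev[1] are correct.
        if (!ipa.verify(open_g_e, ev, gs, hs, q)) {
            return ["error", "ipa failure"];
        }
        const [rids, g2] = calc_G2_2(r, t, ys, zs);
        const commit_e = multi_exponent.doit(rids, commits);
        //var commit_neg_e = points.neg(commit_e);
        //var commit_g_sub_e = points.add(commitg, commit_neg_e);
        const commit_g_sub_e = points.sub(commitg, commit_e);
        if (!points.eq(commit_g_sub_e, open_g_e[0])) {
            return ["error", "multiproof error"];
        }
        if (0n !== fr.add(g2, open_g_e[1])) {
            return ["error", "multiproof error 2 "];
        }
        return true;
    }

    /**
     * Compares calc_R on a fixed input with an expected value stored as a
     * base64 string. Returns true when they match.
     */
    function test_r(){
        //looking at multiproof test(9).
        const p = points.gen_point(0);
        //console.log(p);
        const r = calc_R([p], [6n], [5n]);
        const expected = fr.decode(
            verkle_binary.array_to_int(
                verkle_binary.string_to_array(
                    atob("ZH19WZA9dBN/b0UWEjP1Ogiz/UlHXjkIBWvHNeDnVQ8=")).reverse(),
                32));
        return r === expected;
    }

    /** Returns [a, a+1, ..., b-1], or [] when a >= b. */
    function range(a, b){
        const out = [];
        for (let i = a; i < b; i++) {
            out.push(i);
        }
        return out;
    }

    function test_verify(){
        var many = 3;
        var domain = precomputes.domain();
        var a = domain.slice().reverse().map(
            function(x){return(fr.neg(x)); });
        var as = range(0, many).map(
            function(x){return(a);});
        var zs = range(0, many).map(
            function(x){return(domain[1]); });
        var ys = [];
        // NOTE(review): the visible text ends inside the loop header below. The
        // rest of test_verify and the close of the enclosing function are missing.
        for(var i = 0; i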