Implement zkSNARK compression.

src/zcash/JoinSplit.cpp

@@ -125,7 +125,7 @@ public:
     JoinSplitCircuit() {}
 
     bool verify(
-        const boost::array<unsigned char, ZKSNARK_PROOF_SIZE>& proof,
+        const ZCProof& proof,
         const uint256& pubKeyHash,
         const uint256& randomSeed,
         const boost::array<uint256, NumInputs>& macs,
@@ -140,11 +140,7 @@ public:
         }
 
         try {
-            r1cs_ppzksnark_proof<ppzksnark_ppT> r1cs_proof;
-            std::stringstream ss;
-            std::string proof_str(proof.begin(), proof.end());
-            ss.str(proof_str);
-            ss >> r1cs_proof;
+            auto r1cs_proof = proof.to_libsnark_proof<r1cs_ppzksnark_proof<ppzksnark_ppT>>();
 
             uint256 h_sig = this->h_sig(randomSeed, nullifiers, pubKeyHash);
 
@@ -164,7 +160,7 @@ public:
         }
     }
 
-    boost::array<unsigned char, ZKSNARK_PROOF_SIZE> prove(
+    ZCProof prove(
         const boost::array<JSInput, NumInputs>& inputs,
         const boost::array<JSOutput, NumOutputs>& outputs,
         boost::array<Note, NumOutputs>& out_notes,
@@ -264,23 +260,12 @@ public:
         // estimate that it doesn't matter if we check every time.
         pb.constraint_system.swap_AB_if_beneficial();
 
-        auto proof = r1cs_ppzksnark_prover<ppzksnark_ppT>(
+        return ZCProof(r1cs_ppzksnark_prover<ppzksnark_ppT>(
             *pk,
             primary_input,
             aux_input,
             pb.constraint_system
-        );
-
-        std::stringstream ss;
-        ss << proof;
-        std::string serialized_proof = ss.str();
-
-        boost::array<unsigned char, ZKSNARK_PROOF_SIZE> result_proof;
-        //std::cout << "proof size in bytes when serialized: " << serialized_proof.size() << std::endl;
-        assert(serialized_proof.size() == ZKSNARK_PROOF_SIZE);
-        memcpy(&result_proof[0], &serialized_proof[0], ZKSNARK_PROOF_SIZE);
-
-        return result_proof;
+        ));
     }
 };
 

src/zcash/JoinSplit.hpp

@@ -2,6 +2,7 @@
 #define _ZCJOINSPLIT_H_
 
 #include "Zcash.h"
+#include "Proof.hpp"
 #include "Address.hpp"
 #include "Note.hpp"
 #include "IncrementalMerkleTree.hpp"
@@ -59,7 +60,7 @@ public:
     virtual void loadVerifyingKey(std::string path) = 0;
     virtual void saveVerifyingKey(std::string path) = 0;
 
-    virtual boost::array<unsigned char, ZKSNARK_PROOF_SIZE> prove(
+    virtual ZCProof prove(
         const boost::array<JSInput, NumInputs>& inputs,
         const boost::array<JSOutput, NumOutputs>& outputs,
         boost::array<Note, NumOutputs>& out_notes,
@@ -76,7 +77,7 @@ public:
     ) = 0;
 
     virtual bool verify(
-        const boost::array<unsigned char, ZKSNARK_PROOF_SIZE>& proof,
+        const ZCProof& proof,
         const uint256& pubKeyHash,
         const uint256& randomSeed,
         const boost::array<uint256, NumInputs>& hmacs,
@@ -96,4 +97,4 @@ protected:
 typedef libzcash::JoinSplit<ZC_NUM_JS_INPUTS,
                             ZC_NUM_JS_OUTPUTS> ZCJoinSplit;
 
-#endif // _ZCJOINSPLIT_H_
+#endif // _ZCJOINSPLIT_H_

src/zcash/Proof.cpp

@@ -0,0 +1,258 @@
+#include "Proof.hpp"
+
+#include <boost/static_assert.hpp>
+
+#include "crypto/common.h"
+#include "libsnark/common/default_types/r1cs_ppzksnark_pp.hpp"
+#include "libsnark/zk_proof_systems/ppzksnark/r1cs_ppzksnark/r1cs_ppzksnark.hpp"
+
+using namespace libsnark;
+
+typedef alt_bn128_pp curve_pp;
+typedef alt_bn128_pp::G1_type curve_G1;
+typedef alt_bn128_pp::G2_type curve_G2;
+typedef alt_bn128_pp::GT_type curve_GT;
+typedef alt_bn128_pp::Fp_type curve_Fr;
+typedef alt_bn128_pp::Fq_type curve_Fq;
+typedef alt_bn128_pp::Fqe_type curve_Fq2;
+
+BOOST_STATIC_ASSERT(sizeof(mp_limb_t) == 8);
+
+namespace libzcash {
+
+bigint<8> fq2_to_bigint(const curve_Fq2 &e)
+{
+    auto modq = curve_Fq::field_char();
+    auto c0 = e.c0.as_bigint();
+    auto c1 = e.c1.as_bigint();
+
+    // TODO: It should be possible to use libsnark's bigint
+    // to do this stuff.
+
+    bigint<8> res;
+    // Multiply c1 by modq
+    mpn_mul(res.data, c1.data, 4, modq.data, 4);
+    // Add c0
+    mpn_add(res.data, res.data, 8, c0.data, 4);
+
+    return res;
+}
+
+// Compares two bigints, returning 0 if equal, 1 if a > b, and -1 if a < b
+template<mp_size_t LIMBS>
+int cmp_bigint(const bigint<LIMBS> &a, const bigint<LIMBS> &b)
+{
+    for (ssize_t i = LIMBS-1; i >= 0; i--) {
+        if (a.data[i] < b.data[i]) {
+            return -1;
+        } else if (a.data[i] > b.data[i]) {
+            return 1;
+        }
+    }
+
+    return 0;
+}
+
+// Returns whether a > b
+bool cmp_fq2(const curve_Fq2 &a, const curve_Fq2 &b)
+{
+    return cmp_bigint(fq2_to_bigint(a), fq2_to_bigint(b)) > 0;
+}
+
+// Writes a bigint in big endian
+template<mp_size_t LIMBS>
+void write_bigint(base_blob<8 * LIMBS * sizeof(mp_limb_t)> &blob, const bigint<LIMBS> &val)
+{
+    auto ptr = blob.begin();
+    for (ssize_t i = LIMBS-1; i >= 0; i--, ptr += 8) {
+        WriteBE64(ptr, val.data[i]);
+    }
+}
+
+// Reads a bigint from big endian
+template<mp_size_t LIMBS>
+bigint<LIMBS> read_bigint(const base_blob<8 * LIMBS * sizeof(mp_limb_t)> &blob)
+{
+    bigint<LIMBS> ret;
+
+    auto ptr = blob.begin();
+
+    for (ssize_t i = LIMBS-1; i >= 0; i--, ptr += 8) {
+        ret.data[i] = ReadBE64(ptr);
+    }
+
+    return ret;
+}
+
+template<>
+Fq::Fq(curve_Fq element) : data()
+{
+    write_bigint(data, element.as_bigint());
+}
+
+template<>
+curve_Fq Fq::to_libsnark_fq() const
+{
+    auto element_bigint = read_bigint<4>(data);
+
+    // Check that the integer is smaller than the modulus
+    auto modq = curve_Fq::field_char();
+    if (cmp_bigint(element_bigint, modq) != -1) {
+        throw std::logic_error("element is not in Fq");
+    }
+
+    return curve_Fq(element_bigint);
+}
+
+template<>
+Fq2::Fq2(curve_Fq2 element) : data()
+{
+    write_bigint(data, fq2_to_bigint(element));
+}
+
+template<>
+curve_Fq2 Fq2::to_libsnark_fq2() const
+{
+    auto modq = curve_Fq::field_char();
+    auto combined = read_bigint<8>(data);
+
+    // TODO: It should be possible to use libsnark's bigint
+    // to do this stuff.
+
+    bigint<5> res;
+    bigint<4> c0;
+
+    mpn_tdiv_qr(res.data, c0.data, 0, combined.data, 8, modq.data, 4);
+
+    if (res.data[4] != 0) {
+        throw std::logic_error("element is not in Fq2");
+    }
+
+    bigint<4> c1;
+    memcpy(c1.data, res.data, 4 * sizeof(mp_limb_t));
+
+    if (cmp_bigint(c1, modq) != -1) {
+        throw std::logic_error("element is not in Fq2");
+    }
+
+    return curve_Fq2(curve_Fq(c0), curve_Fq(c1));
+}
+
+template<>
+CompressedG1::CompressedG1(curve_G1 point)
+{
+    if (point.is_zero()) {
+        throw std::domain_error("curve point is zero");
+    }
+
+    point.to_affine_coordinates();
+
+    x = Fq(point.X);
+    y_lsb = point.Y.as_bigint().data[0] & 1;
+}
+
+template<>
+curve_G1 CompressedG1::to_libsnark_g1() const
+{
+    curve_Fq x_coordinate = x.to_libsnark_fq<curve_Fq>();
+
+    // y = +/- sqrt(x^3 + b)
+    auto y_coordinate = ((x_coordinate.squared() * x_coordinate) + alt_bn128_coeff_b).sqrt();
+
+    if ((y_coordinate.as_bigint().data[0] & 1) != y_lsb) {
+        y_coordinate = -y_coordinate;
+    }
+
+    curve_G1 r = curve_G1::one();
+    r.X = x_coordinate;
+    r.Y = y_coordinate;
+    r.Z = curve_Fq::one();
+
+    assert(r.is_well_formed());
+
+    return r;
+}
+
+template<>
+CompressedG2::CompressedG2(curve_G2 point)
+{
+    if (point.is_zero()) {
+        throw std::domain_error("curve point is zero");
+    }
+
+    point.to_affine_coordinates();
+
+    x = Fq2(point.X);
+    y_gt = cmp_fq2(point.Y, -(point.Y));
+}
+
+template<>
+curve_G2 CompressedG2::to_libsnark_g2() const
+{
+    auto x_coordinate = x.to_libsnark_fq2<curve_Fq2>();
+
+    // y = +/- sqrt(x^3 + b)
+    auto y_coordinate = ((x_coordinate.squared() * x_coordinate) + alt_bn128_twist_coeff_b).sqrt();
+    auto y_coordinate_neg = -y_coordinate;
+
+    if (cmp_fq2(y_coordinate, y_coordinate_neg) != y_gt) {
+        y_coordinate = y_coordinate_neg;
+    }
+
+    curve_G2 r = curve_G2::one();
+    r.X = x_coordinate;
+    r.Y = y_coordinate;
+    r.Z = curve_Fq2::one();
+
+    assert(r.is_well_formed());
+
+    return r;
+}
+
+template<>
+ZCProof::ZCProof(const r1cs_ppzksnark_proof<curve_pp> &proof)
+{
+    g_A = CompressedG1(proof.g_A.g);
+    g_A_prime = CompressedG1(proof.g_A.h);
+    g_B = CompressedG2(proof.g_B.g);
+    g_B_prime = CompressedG1(proof.g_B.h);
+    g_C = CompressedG1(proof.g_C.g);
+    g_C_prime = CompressedG1(proof.g_C.h);
+    g_K = CompressedG1(proof.g_K);
+    g_H = CompressedG1(proof.g_H);
+}
+
+template<>
+r1cs_ppzksnark_proof<curve_pp> ZCProof::to_libsnark_proof() const
+{
+    r1cs_ppzksnark_proof<curve_pp> proof;
+
+    proof.g_A.g = g_A.to_libsnark_g1<curve_G1>();
+    proof.g_A.h = g_A_prime.to_libsnark_g1<curve_G1>();
+    proof.g_B.g = g_B.to_libsnark_g2<curve_G2>();
+    proof.g_B.h = g_B_prime.to_libsnark_g1<curve_G1>();
+    proof.g_C.g = g_C.to_libsnark_g1<curve_G1>();
+    proof.g_C.h = g_C_prime.to_libsnark_g1<curve_G1>();
+    proof.g_K = g_K.to_libsnark_g1<curve_G1>();
+    proof.g_H = g_H.to_libsnark_g1<curve_G1>();
+
+    return proof;
+}
+
+ZCProof ZCProof::random_invalid()
+{
+    ZCProof p;
+    p.g_A = curve_G1::random_element();
+    p.g_A_prime = curve_G1::random_element();
+    p.g_B = curve_G2::random_element();
+    p.g_B_prime = curve_G1::random_element();
+    p.g_C = curve_G1::random_element();
+    p.g_C_prime = curve_G1::random_element();
+
+    p.g_K = curve_G1::random_element();
+    p.g_H = curve_G1::random_element();
+
+    return p;
+}
+
+}

src/zcash/Proof.hpp

@@ -0,0 +1,241 @@
+#ifndef _ZCPROOF_H_
+#define _ZCPROOF_H_
+
+#include "serialize.h"
+#include "uint256.h"
+
+namespace libzcash {
+
+const unsigned char G1_PREFIX_MASK = 0x02;
+const unsigned char G2_PREFIX_MASK = 0x0a;
+
+// Element in the base field
+class Fq {
+private:
+    base_blob<256> data;
+public:
+    Fq() : data() { }
+
+    template<typename libsnark_Fq>
+    Fq(libsnark_Fq element);
+
+    template<typename libsnark_Fq>
+    libsnark_Fq to_libsnark_fq() const;
+
+    ADD_SERIALIZE_METHODS;
+
+    template <typename Stream, typename Operation>
+    inline void SerializationOp(Stream& s, Operation ser_action, int nType, int nVersion) {
+        READWRITE(data);
+    }
+
+    friend bool operator==(const Fq& a, const Fq& b)
+    {
+        return (
+            a.data == b.data
+        );
+    }
+
+    friend bool operator!=(const Fq& a, const Fq& b)
+    {
+        return !(a == b);
+    }
+};
+
+// Element in the extension field
+class Fq2 {
+private:
+    base_blob<512> data;
+public:
+    Fq2() : data() { }
+
+    template<typename libsnark_Fq2>
+    Fq2(libsnark_Fq2 element);
+
+    template<typename libsnark_Fq2>
+    libsnark_Fq2 to_libsnark_fq2() const;
+
+    ADD_SERIALIZE_METHODS;
+
+    template <typename Stream, typename Operation>
+    inline void SerializationOp(Stream& s, Operation ser_action, int nType, int nVersion) {
+        READWRITE(data);
+    }
+
+    friend bool operator==(const Fq2& a, const Fq2& b)
+    {
+        return (
+            a.data == b.data
+        );
+    }
+
+    friend bool operator!=(const Fq2& a, const Fq2& b)
+    {
+        return !(a == b);
+    }
+};
+
+// Compressed point in G1
+class CompressedG1 {
+private:
+    bool y_lsb;
+    Fq x;
+
+public:
+    CompressedG1() : y_lsb(false), x() { }
+
+    template<typename libsnark_G1>
+    CompressedG1(libsnark_G1 point);
+
+    template<typename libsnark_G1>
+    libsnark_G1 to_libsnark_g1() const;
+
+    ADD_SERIALIZE_METHODS;
+
+    template <typename Stream, typename Operation>
+    inline void SerializationOp(Stream& s, Operation ser_action, int nType, int nVersion) {
+        unsigned char leadingByte = G1_PREFIX_MASK;
+
+        if (y_lsb) {
+            leadingByte |= 1;
+        }
+
+        READWRITE(leadingByte);
+
+        if ((leadingByte & (~1)) != G1_PREFIX_MASK) {
+            throw std::ios_base::failure("lead byte of G1 point not recognized");
+        }
+
+        y_lsb = leadingByte & 1;
+
+        READWRITE(x);
+    }
+
+    friend bool operator==(const CompressedG1& a, const CompressedG1& b)
+    {
+        return (
+            a.y_lsb == b.y_lsb &&
+            a.x == b.x
+        );
+    }
+
+    friend bool operator!=(const CompressedG1& a, const CompressedG1& b)
+    {
+        return !(a == b);
+    }
+};
+
+// Compressed point in G2
+class CompressedG2 {
+private:
+    bool y_gt;
+    Fq2 x;
+
+public:
+    CompressedG2() : y_gt(false), x() { }
+
+    template<typename libsnark_G2>
+    CompressedG2(libsnark_G2 point);
+
+    template<typename libsnark_G2>
+    libsnark_G2 to_libsnark_g2() const;
+
+    ADD_SERIALIZE_METHODS;
+
+    template <typename Stream, typename Operation>
+    inline void SerializationOp(Stream& s, Operation ser_action, int nType, int nVersion) {
+        unsigned char leadingByte = G2_PREFIX_MASK;
+
+        if (y_gt) {
+            leadingByte |= 1;
+        }
+
+        READWRITE(leadingByte);
+
+        if ((leadingByte & (~1)) != G2_PREFIX_MASK) {
+            throw std::ios_base::failure("lead byte of G2 point not recognized");
+        }
+
+        y_gt = leadingByte & 1;
+
+        READWRITE(x);
+    }
+
+    friend bool operator==(const CompressedG2& a, const CompressedG2& b)
+    {
+        return (
+            a.y_gt == b.y_gt &&
+            a.x == b.x
+        );
+    }
+
+    friend bool operator!=(const CompressedG2& a, const CompressedG2& b)
+    {
+        return !(a == b);
+    }
+};
+
+// Compressed zkSNARK proof
+class ZCProof {
+private:
+    CompressedG1 g_A;
+    CompressedG1 g_A_prime;
+    CompressedG2 g_B;
+    CompressedG1 g_B_prime;
+    CompressedG1 g_C;
+    CompressedG1 g_C_prime;
+    CompressedG1 g_K;
+    CompressedG1 g_H;
+
+public:
+    ZCProof() : g_A(), g_A_prime(), g_B(), g_B_prime(), g_C(), g_C_prime(), g_K(), g_H() { }
+
+    // Produces a compressed proof using a libsnark zkSNARK proof
+    template<typename libsnark_proof>
+    ZCProof(const libsnark_proof& proof);
+
+    // Produces a libsnark zkSNARK proof out of this proof,
+    // or throws an exception if it is invalid.
+    template<typename libsnark_proof>
+    libsnark_proof to_libsnark_proof() const;
+
+    static ZCProof random_invalid();
+
+    ADD_SERIALIZE_METHODS;
+
+    template <typename Stream, typename Operation>
+    inline void SerializationOp(Stream& s, Operation ser_action, int nType, int nVersion) {
+        READWRITE(g_A);
+        READWRITE(g_A_prime);
+        READWRITE(g_B);
+        READWRITE(g_B_prime);
+        READWRITE(g_C);
+        READWRITE(g_C_prime);
+        READWRITE(g_K);
+        READWRITE(g_H);
+    }
+
+    friend bool operator==(const ZCProof& a, const ZCProof& b)
+    {
+        return (
+            a.g_A == b.g_A &&
+            a.g_A_prime == b.g_A_prime &&
+            a.g_B == b.g_B &&
+            a.g_B_prime == b.g_B_prime &&
+            a.g_C == b.g_C &&
+            a.g_C_prime == b.g_C_prime &&
+            a.g_K == b.g_K &&
+            a.g_H == b.g_H
+        );
+    }
+
+    friend bool operator!=(const ZCProof& a, const ZCProof& b)
+    {
+        return !(a == b);
+    }
+};
+
+
+}
+
+#endif // _ZCPROOF_H_

src/zcash/Zcash.h

@@ -14,6 +14,4 @@
 
 #define ZC_NOTEPLAINTEXT_SIZE (ZC_NOTEPLAINTEXT_LEADING + ZC_V_SIZE + ZC_RHO_SIZE + ZC_R_SIZE + ZC_MEMO_SIZE)
 
-#define ZKSNARK_PROOF_SIZE 584
-
 #endif // _ZCCONSTANTS_H_