Merge pull request #499 from asn-d6/more_abstract_verification

`verify_cell_kzg_proof_batch()`: Split it up further
ethereum · Aug 23, 2024 · 7126419 · 7126419
2 parents f7b6b0c + e68de38
commit 7126419
Showing 1 changed file with 111 additions and 48 deletions.
diff --git a/src/eip7594/eip7594.c b/src/eip7594/eip7594.c
@@ -454,6 +454,63 @@ static C_KZG_RET compute_r_powers_for_verify_cell_kzg_proof_batch(
     return ret;
 }
 
+/**
+ * Compute the sum of the commitments weighted by the powers of r.
+ *
+ * @param[out] sum_of_commitments_out   The resulting G1 sum of the commitments
+ * @param[in]  unique_commitments       Array of unique commitments
+ * @param[in]  commitment_indices       Indices mapping to unique commitments
+ * @param[in]  r_powers                 Array of powers of r used for weighting
+ * @param[in]  num_commitments          The number of unique commitments
+ * @param[in]  num_cells                The number of cells
+ */
+static C_KZG_RET compute_weighted_sum_of_commitments(
+    g1_t *sum_of_commitments_out,
+    const Bytes48 *unique_commitments,
+    const uint64_t *commitment_indices,
+    const fr_t *r_powers,
+    size_t num_commitments,
+    uint64_t num_cells
+) {
+    C_KZG_RET ret;
+    g1_t *commitments_g1 = NULL;
+    fr_t *commitment_weights = NULL;
+
+    ret = new_fr_array(&commitment_weights, num_commitments);
+    if (ret != C_KZG_OK) goto out;
+    ret = new_g1_array(&commitments_g1, num_commitments);
+    if (ret != C_KZG_OK) goto out;
+
+    for (size_t i = 0; i < num_commitments; i++) {
+        /* Convert & validate commitment */
+        ret = bytes_to_kzg_commitment(&commitments_g1[i], &unique_commitments[i]);
+        if (ret != C_KZG_OK) goto out;
+
+        /* Initialize the weight to zero */
+        commitment_weights[i] = FR_ZERO;
+    }
+
+    /* Update commitment weights */
+    for (uint64_t i = 0; i < num_cells; i++) {
+        blst_fr_add(
+            &commitment_weights[commitment_indices[i]],
+            &commitment_weights[commitment_indices[i]],
+            &r_powers[i]
+        );
+    }
+
+    /* Compute commitment sum */
+    ret = g1_lincomb_fast(
+        sum_of_commitments_out, commitments_g1, commitment_weights, num_commitments
+    );
+    if (ret != C_KZG_OK) goto out;
+
+out:
+    c_kzg_free(commitment_weights);
+    c_kzg_free(commitments_g1);
+    return ret;
+}
+
 /**
  * Aggregate columns, compute the sum of interpolation polynomials, and commit to the result.
  *
@@ -612,6 +669,47 @@ static C_KZG_RET compute_commitment_to_aggregated_interpolation_poly(
     return ret;
 }
 
+/**
+ * Compute weighted sum of proofs.
+ *
+ * @param[out] weighted_proof_lincomb The resulting G1 sum of the proofs scaled by coset factors
+ * @param[in]  proofs_g1              Array of G1 elements representing the proofs
+ * @param[in]  r_powers               Array of powers of r used for weighting
+ * @param[in]  cell_indices           Array of cell indices
+ * @param[in]  num_cells              The number of cells
+ * @param[in]  s                      The trusted setup containing roots of unity
+ */
+static C_KZG_RET computed_weighted_sum_of_proofs(
+    g1_t *weighted_proof_sum_out,
+    const g1_t *proofs_g1,
+    const fr_t *r_powers,
+    const uint64_t *cell_indices,
+    uint64_t num_cells,
+    const KZGSettings *s
+) {
+    C_KZG_RET ret;
+    fr_t coset_factor_pow;
+    fr_t *weighted_powers_of_r = NULL;
+
+    ret = new_fr_array(&weighted_powers_of_r, num_cells);
+    if (ret != C_KZG_OK) goto out;
+
+    for (uint64_t i = 0; i < num_cells; i++) {
+        uint64_t pos = reverse_bits_limited(CELLS_PER_EXT_BLOB, cell_indices[i]);
+        fr_t coset_factor = s->roots_of_unity[pos];
+        // Compute h_k^n, with h_k and n as in the spec.
+        fr_pow(&coset_factor_pow, &coset_factor, FIELD_ELEMENTS_PER_CELL);
+        // Scale the power of r by h_k^n
+        blst_fr_mul(&weighted_powers_of_r[i], &r_powers[i], &coset_factor_pow);
+    }
+
+    ret = g1_lincomb_fast(weighted_proof_sum_out, proofs_g1, weighted_powers_of_r, num_cells);
+
+out:
+    c_kzg_free(weighted_powers_of_r);
+    return ret;
+}
+
 /**
  * Given some cells, verify that their proofs are valid.
  *
@@ -638,18 +736,14 @@ C_KZG_RET verify_cell_kzg_proof_batch(
     g1_t interpolation_poly_commit;
     g1_t final_g1_sum;
     g1_t proof_lincomb;
-    g1_t weighted_proof_lincomb;
+    g1_t weighted_sum_of_proofs;
     g2_t power_of_s = s->g2_values_monomial[FIELD_ELEMENTS_PER_CELL];
     size_t num_commitments;
 
     /* Arrays */
     Bytes48 *unique_commitments = NULL;
     uint64_t *commitment_indices = NULL;
-    fr_t *commitment_weights = NULL;
     fr_t *r_powers = NULL;
-    fr_t *weighted_powers_of_r = NULL;
-    fr_t *weights = NULL;
-    g1_t *commitments_g1 = NULL;
     g1_t *proofs_g1 = NULL;
 
     *ok = false;
@@ -691,21 +785,13 @@ C_KZG_RET verify_cell_kzg_proof_batch(
     // Array allocations
     ////////////////////////////////////////////////////////////////////////////////////////////////
 
-    ret = new_fr_array(&commitment_weights, num_commitments);
-    if (ret != C_KZG_OK) goto out;
     ret = new_fr_array(&r_powers, num_cells);
     if (ret != C_KZG_OK) goto out;
-    ret = new_fr_array(&weighted_powers_of_r, num_cells);
-    if (ret != C_KZG_OK) goto out;
-    ret = new_fr_array(&weights, num_cells);
-    if (ret != C_KZG_OK) goto out;
-    ret = new_g1_array(&commitments_g1, num_commitments);
-    if (ret != C_KZG_OK) goto out;
     ret = new_g1_array(&proofs_g1, num_cells);
     if (ret != C_KZG_OK) goto out;
 
     ////////////////////////////////////////////////////////////////////////////////////////////////
-    // Compute random linear combination of the proofs
+    // Compute powers of r, and extract KZG proofs out of input bytes
     ////////////////////////////////////////////////////////////////////////////////////////////////
 
     /*
@@ -730,34 +816,20 @@ C_KZG_RET verify_cell_kzg_proof_batch(
         if (ret != C_KZG_OK) goto out;
     }
 
-    /* Do the linear combination */
+    ////////////////////////////////////////////////////////////////////////////////////////////////
+    // Compute random linear combination of the proofs
+    ////////////////////////////////////////////////////////////////////////////////////////////////
+
     ret = g1_lincomb_fast(&proof_lincomb, proofs_g1, r_powers, num_cells);
     if (ret != C_KZG_OK) goto out;
 
     ////////////////////////////////////////////////////////////////////////////////////////////////
     // Compute sum of the commitments
     ////////////////////////////////////////////////////////////////////////////////////////////////
 
-    for (size_t i = 0; i < num_commitments; i++) {
-        /* Convert & validate commitment */
-        ret = bytes_to_kzg_commitment(&commitments_g1[i], &unique_commitments[i]);
-        if (ret != C_KZG_OK) goto out;
-
-        /* Initialize the weight to zero */
-        commitment_weights[i] = FR_ZERO;
-    }
-
-    /* Update commitment weights */
-    for (size_t i = 0; i < num_cells; i++) {
-        blst_fr_add(
-            &commitment_weights[commitment_indices[i]],
-            &commitment_weights[commitment_indices[i]],
-            &r_powers[i]
-        );
-    }
-
-    /* Compute commitment sum */
-    ret = g1_lincomb_fast(&final_g1_sum, commitments_g1, commitment_weights, num_commitments);
+    ret = compute_weighted_sum_of_commitments(
+        &final_g1_sum, unique_commitments, commitment_indices, r_powers, num_commitments, num_cells
+    );
     if (ret != C_KZG_OK) goto out;
 
     ////////////////////////////////////////////////////////////////////////////////////////////////
@@ -777,17 +849,12 @@ C_KZG_RET verify_cell_kzg_proof_batch(
     // Compute sum of the proofs scaled by the coset factors
     ////////////////////////////////////////////////////////////////////////////////////////////////
 
-    for (size_t i = 0; i < num_cells; i++) {
-        uint64_t pos = reverse_bits_limited(CELLS_PER_EXT_BLOB, cell_indices[i]);
-        fr_t coset_factor = s->roots_of_unity[pos];
-        fr_pow(&weights[i], &coset_factor, FIELD_ELEMENTS_PER_CELL);
-        blst_fr_mul(&weighted_powers_of_r[i], &r_powers[i], &weights[i]);
-    }
-
-    ret = g1_lincomb_fast(&weighted_proof_lincomb, proofs_g1, weighted_powers_of_r, num_cells);
+    ret = computed_weighted_sum_of_proofs(
+        &weighted_sum_of_proofs, proofs_g1, r_powers, cell_indices, num_cells, s
+    );
     if (ret != C_KZG_OK) goto out;
 
-    blst_p1_add(&final_g1_sum, &final_g1_sum, &weighted_proof_lincomb);
+    blst_p1_add(&final_g1_sum, &final_g1_sum, &weighted_sum_of_proofs);
 
     ////////////////////////////////////////////////////////////////////////////////////////////////
     // Do the final pairing check
@@ -798,11 +865,7 @@ C_KZG_RET verify_cell_kzg_proof_batch(
 out:
     c_kzg_free(unique_commitments);
     c_kzg_free(commitment_indices);
-    c_kzg_free(commitment_weights);
     c_kzg_free(r_powers);
-    c_kzg_free(weighted_powers_of_r);
-    c_kzg_free(weights);
-    c_kzg_free(commitments_g1);
     c_kzg_free(proofs_g1);
     return ret;
 }