Adapt low degree proof on G2 for compatibility with perpetual power of tau #222
Conversation
bxue-l2
changed the title
| @@ -108,16 +108,19 @@ message Bundle { | |||
| message BlobHeader { | |||
| // The KZG commitment to the polynomial representing the blob. | |||
| bytes commitment = 1; | |||
There was a problem hiding this comment.
while we're making this breaking change, should we update the API so that it returns x and y coordinates of the commitment instead of the serialized bytes?
same as length_commitment and length_proof
There was a problem hiding this comment.
Or JSON, it's much more widely accepted than gob
There was a problem hiding this comment.
yup either one
@bxue-l2 if you want me to work on it let me know. I can work on a separate PR that this can rebase onto
| @@ -98,8 +99,8 @@ func (e *Encoder) Encode(data []byte, params core.EncodingParams) (core.BlobComm | |||
| } | |||
|
|
|||
| func (e *Encoder) VerifyBlobLength(commitments core.BlobCommitments) error { | |||
|
|
|||
| return e.EncoderGroup.VerifyCommit(commitments.Commitment.G1Point, commitments.LengthProof.G1Point, uint64(commitments.Length-1)) | |||
| //commitments.Commitment.G1Point, | |||
| } | ||
|
|
||
| // compute commit for the full poly | ||
| commit := g.Commit(poly.Coeffs) | ||
| lowDegreeCommitment := bls.LinCombG2(g.Srs.G2[:len(poly.Coeffs)], poly.Coeffs) |
There was a problem hiding this comment.
How does the verifier know this is committing to the same polynomial as the above commitment (just use a different group)?
There was a problem hiding this comment.
The file name convention has been using underscore to connect subparts
api/proto/node/node.proto
Outdated
| @@ -108,16 +108,19 @@ message Bundle { | |||
| message BlobHeader { | |||
| // The KZG commitment to the polynomial representing the blob. | |||
| bytes commitment = 1; | |||
| // The KZG commitment to the polynomial representing the blob on G2, it is uesd | |||
There was a problem hiding this comment.
uesd -> used.
The length_proof is used to prove the degree, not length_commitment?
| @@ -108,16 +108,19 @@ message Bundle { | |||
| message BlobHeader { | |||
| // The KZG commitment to the polynomial representing the blob. | |||
| bytes commitment = 1; | |||
There was a problem hiding this comment.
Or JSON, it's much more widely accepted than gob
| @@ -14,6 +14,16 @@ type Commitment struct { | |||
| *bn254.G1Point | |||
| } | |||
|
|
|||
There was a problem hiding this comment.
I think we should do away with all of these custom types. My suggestion:
We have
type G1Point struct {
*bn254.G1Point
}
type G2Point struct {
*bn254.G2Point
}
And create seralization/deserialization methods for these.
If we want to, we can also do some type aliasing, i.e.
type LengthProof = G2Point
type RevealProof = G1Point
I think it's probably okay to fully drop the Commitment and LengthCommitment tpyes/aliases and just use the G1Point and G2Point types directly.
There was a problem hiding this comment.
I like this suggestion.
What about creating a new type instead of type aliasing though (type LengthProof G2Point)? I think it's safer to use stronger types
There was a problem hiding this comment.
Doing the stronger typing here obviously has the disadvantage that you can't use any methods like serialization/deserialization of the G2Point directly on the LengthProof object. You'd have unwrap, call the method, or call the method and then wrap.
I don't have a strong sense of the advantages of the stronger typing in this case, but I'm happy to defer to you.
| Commitment *Commitment `json:"commitment"` | ||
| LengthProof *Commitment `json:"length_proof"` | ||
| Length uint `json:"length"` | ||
| Commitment *Commitment `json:"commitment"` |
There was a problem hiding this comment.
For the name of the type, yeah that sounds clearer
| "github.com/stretchr/testify/require" | ||
| ) | ||
|
|
||
| func TestBatchEquivalence(t *testing.T) { |
There was a problem hiding this comment.
Should we add a failing test case for difference commits?
|
Looks like this may need to be rebased to the current master. |
Co-authored-by: Robert Raynor <[email protected]> Co-authored-by: Jian Xiao <[email protected]> Co-authored-by: steven <[email protected]> Co-authored-by: steven <[email protected]> Co-authored-by: siddimore <[email protected]> Co-authored-by: Ian Shim <[email protected]> Co-authored-by: bolatfurkan <[email protected]> Co-authored-by: Peter Straus <[email protected]> Co-authored-by: WELLINGTON MIRANDA BARBOSA <[email protected]> Co-authored-by: Wellington Barbosa <[email protected]> Co-authored-by: Jian Xiao <[email protected]> Co-authored-by: buldazer <[email protected]> Co-authored-by: Madhur Shrimal <[email protected]> Co-authored-by: Daniel Mancia <[email protected]>
bxue-l2
force-pushed
the
adapt-low-degree-proof-to-g2
branch
from
2261b80 to
bd6f70d
Compare
rebased |
|
Will addressed in a PR for cleanup The file name convention has been using underscore to connect subparts from Jian uesd -> used. Nix from Jian Unwrap and string typing from Robert CommitmentType from Robert |
|
Also needs to address this one in the follow up PR: #222 (comment) |
Why are these changes needed?
We uses the SRS generated by perpetual power of tau
Although the perpetual power of tau is designed to have 2^28 points, in the setup, they actually generated 2^29-1 g1 points. https://github.com/dcbuild3r/ptau-deserializer/blob/main/deserialize/ptau.go#L25. Whereas there are only 2^28 G2 points. It is my miss that didn’t catch it .
Then the problem is the adversary can create a wrong degree proof. I.e the following equation
e( [poly(tau)] g1, tau^[max-claimedDegree] g2) = e( [poly(tau^(max-claimedDegree))] g1, [1] g2 )
left hand side g1 is the commitment, right hand side g1 is the degree proof.
Since adversray actually know [2max]g1 due to the artifact of the setup, the adversary can use a higher degree polynomial than claimed, and create a wrong proof by using the higher degree g1. Can you confirm?
Here is a fix, we swap g1 and g2 for the degree proof. Since adversary cannot find a higher g2, then we are safe.
Then we prove the equivalence of [poly(tau)] g1 used in universal verifier and [poly(tau)]_ g2 used in the new degree proof, by following equation
e([poly(tau)] g1, g2) = e(g1, poly(tau) g2)
Since all pairing have common g2 on the left hand side, we can batch all the pairing with 2 MSM. What do you think.
Checks