
Groth16 aggregation with public input trick

Regular Groth16

CRS

  • Random $\tau$ chosen during trusted setup as well as $\alpha$, $\beta$
  • $n$ is number of gates.
  • $u_i$, $v_i$ and $w_i$ are the QAP polynomials created from the R1CS circuit

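$$\mathrm{SRS} = \left\{ g_1^{\alpha}, g_1^{\beta}, g_1^{\delta}, \left\{ \{g_1^{\tau^i}\}, \{g_1^{\alpha\tau^i}\}, \{g_1^{\beta\tau^i}\} \right\}_{i=0}^{n-1}, \left\{ g_1^{\beta u_i(\tau) + \alpha v_i(\tau) + w_i(\tau)} \right\}_{i=0}^{n}, \left\{ g^{\frac{\tau^i t(x)}{\delta}} \right\}_{i=0}^{n-1}, g_2^{\beta}, g_2^{\delta}, \left\{ g_2^{\tau^i} \right\}_{i=0}^{n-1} \right\}$$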

Prover

Settings:

  • Regular proof is $\pi = (A, B, C)$.
  • $l + 1$ is number of public inputs (+1 as first public input is "1" in R1CS)
  • Vector of public inputs $\phi = (a_0, \dots, a_l)$

Extension:
The prover computes the regular proof and additionally computes the following:

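  • $S = g_1^{\sum_{i=0}^{l} a_i (\beta u_i(\tau) + \alpha v_i(\tau) + w_i(\tau))}$
  • Derive random challenge $z = H(\phi, \pi, S)$
  • Compute the three following elements.
    • $U = g_2^{\sum_{i=0}^{l} a_i \frac{u_i(\tau) - u_i(z)}{\tau - z}}$
    • $V = g_2^{\sum_{i=0}^{l} a_i \frac{v_i(\tau) - v_i(z)}{\tau - z}}$
    • $W = g_2^{\sum_{i=0}^{l} a_i \frac{w_i(\tau) - w_i(z)}{\tau - z}}$
  • Proof is $(\pi, S, U, V, W)$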

Verifier

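  • Compute the following three elements $u_z, v_z, w_z \in \mathbb{F}_r$:
    • $u_z = \sum_{i=0}^{l} u_i(z)$
    • $v_z = \sum_{i=0}^{l} v_i(z)$
    • $w_z = \sum_{i=0}^{l} w_i(z)$
  • Check as usual
    • $e(A, B) = e(g_1^{\alpha}, g_2^{\beta}) \cdot e(S, g_2) \cdot e(C, g_2^{\delta})$
  • Check public input construction
    • $e(S \cdot g_1^{-\beta u_z - \alpha v_z - w_z}, g_2) = e(g_1^{\beta\tau - \beta z}, U) \cdot e(g_1^{\alpha\tau - \alpha z}, V) \cdot e(g_1^{\tau - z}, W)$
    • These computations are done using the CRS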
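
The public input check, worked through in a toy model (an added example, not part of the original note): group elements are represented by their exponents and a pairing by the product of exponents, so only the algebra is exercised and nothing is hidden. It assumes $u_z, v_z, w_z$ are the $a_i$-weighted sums (for example $u_z = \sum_i a_i u_i(z)$), SHA-256 for $H$, a placeholder tuple for $\pi$, and random toy polynomials; all function names are hypothetical.

```python
import hashlib
import random

# Exponent-only model: g^x is stored as x mod R and e(g1^x, g2^y) as x*y mod R.
R = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001  # BLS12-381 scalar field

def evaluate(poly, x):
    """Horner evaluation; coefficients are stored lowest degree first."""
    acc = 0
    for c in reversed(poly):
        acc = (acc * x + c) % R
    return acc

def combine(polys, a):
    """Coefficients of sum_i a_i * p_i(X)."""
    return [sum(ai * p[k] for ai, p in zip(a, polys)) % R for k in range(len(polys[0]))]

def quotient(poly, z):
    """Synthetic division: coefficients of (p(X) - p(z)) / (X - z)."""
    q, carry = [0] * (len(poly) - 1), 0
    for k in range(len(poly) - 1, 0, -1):
        carry = (poly[k] + carry * z) % R
        q[k - 1] = carry
    return q

def challenge(a, pi, s):
    """z = H(phi, pi, S), with SHA-256 standing in for H (assumption)."""
    return int.from_bytes(hashlib.sha256(repr((a, pi, s)).encode()).digest(), "big") % R

def prove(setup, a, pi):
    tau, alpha, beta, u, v, w = setup
    pu, pv, pw = combine(u, a), combine(v, a), combine(w, a)
    s = (beta * evaluate(pu, tau) + alpha * evaluate(pv, tau) + evaluate(pw, tau)) % R
    z = challenge(a, pi, s)
    # The prover only needs quotient coefficients; tau enters via the g2^{tau^i} powers.
    return (s, *(evaluate(quotient(p, z), tau) for p in (pu, pv, pw)))

def verify(setup, a, pi, proof):
    tau, alpha, beta, u, v, w = setup
    s, U, V, W = proof
    z = challenge(a, pi, s)
    uz, vz, wz = (evaluate(combine(p, a), z) for p in (u, v, w))  # a_i-weighted sums
    lhs = (s - beta * uz - alpha * vz - wz) % R
    return lhs == (tau - z) * (beta * U + alpha * V + W) % R

def demo_setup(n_inputs=3, degree=4, seed=1):
    rng = random.Random(seed)  # constructed toy values, not a trusted setup
    polys = [[[rng.randrange(R) for _ in range(degree + 1)] for _ in range(n_inputs)] for _ in range(3)]
    return (rng.randrange(1, R), rng.randrange(1, R), rng.randrange(1, R), *polys)
```

With `setup = demo_setup()`, `verify(setup, phi, pi, prove(setup, phi, pi))` returns `True`, and changing any entry of `phi` after proving makes it return `False`.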