Groth16Verifier
Supports verifying Groth16 proofs. Proofs can be in uncompressed
(256 bytes) or compressed (128 bytes) format. A view function is provided
to compress proofs.
See bn254 compression for further explanation.
error PublicInputNotInField()
One or more of the provided public input values is not smaller than the scalar field modulus r.
Public input elements are not automatically reduced, as silently reducing them
can be a dangerous source of bugs: the same proof would then be accepted for
more than one encoding of the same public input.
ProofInvalid
The proof is invalid.
This can mean that the provided Groth16 proof points are not on their
curves, that the pairing equation fails, or that the proof is not for the
provided public input.
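The pairing equation referred to above, written out here as an added note (this is the standard Groth16 verification equation, not text from the original page): with L the output of publicInputMSM, the verifier checks

$$
e(A, B)\cdot e(\alpha, -\beta)\cdot e(L, -\gamma)\cdot e(C, -\delta) = 1,
\qquad
L = \mathrm{CONSTANT} + \sum_i \mathrm{input}_i \cdot \mathrm{PUB}_i .
$$

This is why the verifying-key points β, γ and δ are stored with negated y coordinates (BETA_NEG_*, GAMMA_NEG_*, DELTA_NEG_*): the EIP-197 pairing precompile only reports whether a product of pairings equals one, so the equation has to be arranged in that form.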
PRECOMPILE_MODEXP
uint256 PRECOMPILE_MODEXP
Address of the EIP-198 modular exponentiation precompile (0x05), used by exp.
PRECOMPILE_ADD
uint256 PRECOMPILE_ADD
Address of the EIP-196 BN254 point addition precompile (0x06).
PRECOMPILE_MUL
uint256 PRECOMPILE_MUL
Address of the EIP-196 BN254 scalar multiplication precompile (0x07).
PRECOMPILE_VERIFY
uint256 PRECOMPILE_VERIFY
Address of the EIP-197 BN254 pairing check precompile (0x08).
FRACTION_1_2_FP
uint256 FRACTION_1_2_FP
The constant 1/2 in Fp.
FRACTION_27_82_FP
uint256 FRACTION_27_82_FP
The constant 27/82 in Fp, the real coefficient of the G2 twist constant 3/(9 + i) = 27/82 - (3/82) i.
FRACTION_3_82_FP
uint256 FRACTION_3_82_FP
The constant 3/82 in Fp, the (negated) imaginary coefficient of the G2 twist constant.
EXP_INVERSE_FP
uint256 EXP_INVERSE_FP
Exponent used for inversion in Fp (p - 2, by Fermat's little theorem).
EXP_SQRT_FP
uint256 EXP_SQRT_FP
Exponent used for square roots in Fp ((p + 1) / 4, valid because p = 3 mod 4).
ALPHA_X
ALPHA_Y
Verifying key point α in G1.
BETA_NEG_X_0
BETA_NEG_X_1
BETA_NEG_Y_0
BETA_NEG_Y_1
Verifying key point -β in G2 (β with its y coordinate negated, as required by the pairing check). The _0 and _1 suffixes are the real and imaginary Fp2 coefficients.
GAMMA_NEG_X_0
GAMMA_NEG_X_1
GAMMA_NEG_Y_0
GAMMA_NEG_Y_1
Verifying key point -γ in G2, stored negated for the pairing check.
DELTA_NEG_X_0
DELTA_NEG_X_1
DELTA_NEG_Y_0
DELTA_NEG_Y_1
Verifying key point -δ in G2, stored negated for the pairing check.
CONSTANT_X
CONSTANT_Y
Constant term of the public input linear combination, a G1 point.
PUB_0_X
PUB_0_Y
PUB_1_X
PUB_1_Y
G1 points multiplied by public inputs 0 and 1 in publicInputMSM.
negate
function negate(uint256 a) internal pure returns (uint256 x)
Negation in Fp.
Returns a number x such that a + x = 0 in Fp.
The input does not need to be reduced.
Parameters
| Name | Type | Description |
|---|---|---|
| a | uint256 | the value to negate |
Return Values
| Name | Type | Description |
|---|---|---|
| x | uint256 | the result |
exp
function exp(uint256 a, uint256 e) internal view returns (uint256 x)
Exponentiation in Fp.
Returns a number x such that a ^ e = x in Fp.
The input does not need to be reduced.
Parameters
| Name | Type | Description |
|---|---|---|
| a | uint256 | the base |
| e | uint256 | the exponent |
Return Values
| Name | Type | Description |
|---|---|---|
| x | uint256 | the result |
invert_Fp
function invert_Fp(uint256 a) internal view returns (uint256 x)
Inversion in Fp.
Returns a number x such that a * x = 1 in Fp.
The input does not need to be reduced.
Reverts with ProofInvalid() if the inverse does not exist (i.e. a = 0 mod p).
Parameters
| Name | Type | Description |
|---|---|---|
| a | uint256 | the input |
Return Values
| Name | Type | Description |
|---|---|---|
| x | uint256 | the solution |
sqrt_Fp
function sqrt_Fp(uint256 a) internal view returns (uint256 x)
Square root in Fp.
Returns a number x such that x * x = a in Fp.
Returns one of the two roots; the other is negate(x).
Will revert with ProofInvalid() if the input is not a square
or not reduced.
Parameters
| Name | Type | Description |
|---|---|---|
| a | uint256 | the square |
Return Values
| Name | Type | Description |
|---|---|---|
| x | uint256 | the solution |
isSquare_Fp
function isSquare_Fp(uint256 a) internal view returns (bool)
Square test in Fp.
Returns whether a number x exists such that x * x = a in Fp.
Does not revert: returns false if the input is not a square,
and a non-reduced input is never reported as a square.
Parameters
| Name | Type | Description |
|---|---|---|
| a | uint256 | the candidate square |
Return Values
| Name | Type | Description |
|---|---|---|
| [0] | bool | true if a square root of a exists in Fp |
sqrt_Fp2
function sqrt_Fp2(uint256 a0, uint256 a1, bool hint) internal view returns (uint256 x0, uint256 x1)
Square root in Fp2.
Fp2 is the complex extension Fp[i]/(i^2 + 1). The input is
a0 + a1 ⋅ i and the result is x0 + x1 ⋅ i.
Will revert with ProofInvalid() if
- the input is not a square,
- the hint is incorrect, or
- the input coefficients are not reduced.
Parameters
| Name | Type | Description |
|---|---|---|
| a0 | uint256 | The real part of the input. |
| a1 | uint256 | The imaginary part of the input. |
| hint | bool | Selects which of the two possible signs to pick in the equation; the wrong sign makes the function revert. |
Return Values
| Name | Type | Description |
|---|---|---|
| x0 | uint256 | The real part of the square root. |
| x1 | uint256 | The imaginary part of the square root. |
compress_g1
function compress_g1(uint256 x, uint256 y) internal view returns (uint256 c)
Compress a G1 point.
Reverts with ProofInvalid if the coordinates are not reduced
or if the point is not on the curve.
The point at infinity is encoded as (0,0) and compressed to 0.
Parameters
| Name | Type | Description |
|---|---|---|
| x | uint256 | The X coordinate in Fp. |
| y | uint256 | The Y coordinate in Fp. |
Return Values
| Name | Type | Description |
|---|---|---|
| c | uint256 | The compressed point (x with one sign bit selecting y or its negation). |
decompress_g1
function decompress_g1(uint256 c) internal view returns (uint256 x, uint256 y)
Decompress a G1 point.
Reverts with ProofInvalid if the input does not represent a valid point.
The point at infinity is encoded as (0,0) and compressed to 0.
Parameters
| Name | Type | Description |
|---|---|---|
| c | uint256 | The compressed point (x with one sign bit selecting y or its negation). |
Return Values
| Name | Type | Description |
|---|---|---|
| x | uint256 | The X coordinate in Fp. |
| y | uint256 | The Y coordinate in Fp. |
compress_g2
function compress_g2(uint256 x0, uint256 x1, uint256 y0, uint256 y1) internal view returns (uint256 c0, uint256 c1)
Compress a G2 point.
Reverts with ProofInvalid if the coefficients are not reduced
or if the point is not on the curve.
The G2 curve is defined over the complex extension Fp[i]/(i^2 + 1)
with coordinates (x0 + x1 ⋅ i, y0 + y1 ⋅ i).
The point at infinity is encoded as (0,0,0,0) and compressed to (0,0).
Parameters
| Name | Type | Description |
|---|---|---|
| x0 | uint256 | The real part of the X coordinate. |
| x1 | uint256 | The imaginary part of the X coordinate. |
| y0 | uint256 | The real part of the Y coordinate. |
| y1 | uint256 | The imaginary part of the Y coordinate. |
Return Values
| Name | Type | Description |
|---|---|---|
| c0 | uint256 | The first half of the compressed point (x0 with two signal bits: the sqrt_Fp2 hint and the sign of y). |
| c1 | uint256 | The second half of the compressed point (x1 unmodified). |
decompress_g2
function decompress_g2(uint256 c0, uint256 c1) internal view returns (uint256 x0, uint256 x1, uint256 y0, uint256 y1)
Decompress a G2 point.
Reverts with ProofInvalid if the input does not represent a valid point.
The G2 curve is defined over the complex extension Fp[i]/(i^2 + 1)
with coordinates (x0 + x1 ⋅ i, y0 + y1 ⋅ i).
The point at infinity is encoded as (0,0,0,0) and compressed to (0,0).
Parameters
| Name | Type | Description |
|---|---|---|
| c0 | uint256 | The first half of the compressed point (x0 with two signal bits: the sqrt_Fp2 hint and the sign of y). |
| c1 | uint256 | The second half of the compressed point (x1 unmodified). |
Return Values
| Name | Type | Description |
|---|---|---|
| x0 | uint256 | The real part of the X coordinate. |
| x1 | uint256 | The imaginary part of the X coordinate. |
| y0 | uint256 | The real part of the Y coordinate. |
| y1 | uint256 | The imaginary part of the Y coordinate. |
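The square root with hint (sqrt_Fp2 above) and the G1/G2 compression and decompression routines, as an added Python reference implementation. It is not the contract's code and is not taken from the project this page documents; it exists so the failure modes listed above (wrong hint, non-square, unreduced or off-curve input) can be exercised offline. Assumptions not stated on the page: P is the BN254 base field modulus; EXP_SQRT_FP = (p + 1) / 4 and EXP_INVERSE_FP = p - 2; the twist equation is y^2 = x^3 + 3/(9 + i), so FRACTION_27_82_FP and FRACTION_3_82_FP are its real and (negated) imaginary coefficients; the G1 encoding is (x << 1) | sign and the G2 encoding is ((x0 << 2) | (hint << 1) | sign, x1); the G2 test point is constructed by searching for a small x on the twist and is checked for being on the curve only, not for subgroup membership.

```python
P = 21888242871839275222246405745257275088696311157297823662689037894645226208583  # BN254 base field modulus
EXP_SQRT_FP = (P + 1) // 4          # square-root exponent; valid because P = 3 (mod 4)
EXP_INVERSE_FP = P - 2              # Fermat inverse exponent
FRACTION_1_2_FP = pow(2, EXP_INVERSE_FP, P)
FRACTION_27_82_FP = 27 * pow(82, EXP_INVERSE_FP, P) % P   # twist b' = 3/(9+i) = 27/82 - (3/82) i
FRACTION_3_82_FP = 3 * pow(82, EXP_INVERSE_FP, P) % P
class ProofInvalid(Exception): pass   # stands in for the contract's ProofInvalid() revert

def negate(a):
    return (P - a % P) % P

def invert_fp(a):
    x = pow(a, EXP_INVERSE_FP, P)
    if a * x % P != 1:              # zero has no inverse
        raise ProofInvalid
    return x

def sqrt_fp(a):
    x = pow(a, EXP_SQRT_FP, P)
    if x * x % P != a:              # non-residue, or a not reduced
        raise ProofInvalid
    return x

def is_square_fp(a):
    x = pow(a, EXP_SQRT_FP, P)
    return x * x % P == a           # never raises; an unreduced a is never a square

def sqrt_fp2(a0, a1, hint):
    # If a = (x0 + x1 i)^2 then a0^2 + a1^2 = (x0^2 + x1^2)^2, so d is +-(x0^2 + x1^2).
    # Right sign: (a0 + d)/2 = x0^2. Wrong sign: -x1^2, a non-residue, and sqrt_fp raises.
    d = sqrt_fp((a0 * a0 + a1 * a1) % P)
    if hint:
        d = negate(d)
    x0 = sqrt_fp((a0 + d) * FRACTION_1_2_FP % P)
    x1 = a1 * invert_fp(2 * x0 % P) % P
    if a0 != (x0 * x0 - x1 * x1) % P or a1 != 2 * x0 * x1 % P:
        raise ProofInvalid
    return x0, x1

def compress_g1(x, y):
    if x >= P or y >= P:
        raise ProofInvalid
    if x == 0 and y == 0:
        return 0                                  # point at infinity
    y_pos = sqrt_fp((x ** 3 + 3) % P)             # raises if x is not on y^2 = x^3 + 3
    if y == y_pos:
        return x << 1
    if y == negate(y_pos):
        return (x << 1) | 1
    raise ProofInvalid

def decompress_g1(c):
    if c == 0:
        return 0, 0
    x = c >> 1
    if x >= P:
        raise ProofInvalid
    y = sqrt_fp((x ** 3 + 3) % P)
    return x, (negate(y) if c & 1 else y)

def g2_rhs(x0, x1):
    # x^3 + b' over Fp2, with (x0 + x1 i)^3 = x0^3 - 3 x0 x1^2 + (3 x0^2 x1 - x1^3) i
    r0 = (x0 ** 3 - 3 * x0 * x1 ** 2 + FRACTION_27_82_FP) % P
    r1 = (3 * x0 ** 2 * x1 - x1 ** 3 - FRACTION_3_82_FP) % P
    return r0, r1

def compress_g2(x0, x1, y0, y1):
    if max(x0, x1, y0, y1) >= P:
        raise ProofInvalid
    if (x0 | x1 | y0 | y1) == 0:
        return 0, 0
    r0, r1 = g2_rhs(x0, x1)
    d = sqrt_fp((r0 * r0 + r1 * r1) % P)         # raises if x is not on the twist
    hint = not is_square_fp((r0 + d) * FRACTION_1_2_FP % P)
    y0_pos, y1_pos = sqrt_fp2(r0, r1, hint)
    if (y0, y1) == (y0_pos, y1_pos):
        return (x0 << 2) | (hint << 1), x1
    if (y0, y1) == (negate(y0_pos), negate(y1_pos)):
        return (x0 << 2) | (hint << 1) | 1, x1
    raise ProofInvalid

def decompress_g2(c0, c1):
    if c0 == 0 and c1 == 0:
        return 0, 0, 0, 0
    x0, hint, neg = c0 >> 2, bool(c0 & 2), bool(c0 & 1)
    if x0 >= P or c1 >= P:
        raise ProofInvalid
    y0, y1 = sqrt_fp2(*g2_rhs(x0, c1), hint)
    return (x0, c1, negate(y0), negate(y1)) if neg else (x0, c1, y0, y1)

def find_twist_point(x1=1, start=1):
    """Constructed test point: first x0 >= start with x0 + x1 i on the twist (no subgroup check)."""
    for x0 in range(start, start + 10_000):
        r0, r1 = g2_rhs(x0, x1)
        n = (r0 * r0 + r1 * r1) % P
        if is_square_fp(n):                       # for r1 != 0, x^3 + b' is a square iff its norm is
            hint = not is_square_fp((r0 + sqrt_fp(n)) * FRACTION_1_2_FP % P)
            return (x0, x1) + sqrt_fp2(r0, r1, hint)
    raise RuntimeError("no twist point found")
```

Round-tripping `compress_g2(*find_twist_point())` through `decompress_g2` returns the same point, flipping the low bit of `c0` yields the negated point, and flipping the hint bit makes `sqrt_fp2` raise, which is the behaviour the revert conditions above describe. The sign chosen by `sqrt_fp` for a given square is deterministic but not specified here, so tests should compare against both roots rather than assume one.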
publicInputMSM
function publicInputMSM(uint256[2] input) internal view returns (uint256 x, uint256 y)
Compute the public input linear combination.
Reverts with PublicInputNotInField if the input is not in the field.
Computes the multi-scalar-multiplication of the public input
elements and the verification key including the constant term.
Parameters
| Name | Type | Description |
|---|---|---|
| input | uint256[2] | The public inputs. These are elements of the scalar field Fr. |
Return Values
| Name | Type | Description |
|---|---|---|
| x | uint256 | The X coordinate of the resulting G1 point. |
| y | uint256 | The Y coordinate of the resulting G1 point. |
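The field check and the multi-scalar multiplication described above, as an added Python example (not the contract's code). The verifying-key points CONSTANT, PUB_0 and PUB_1 are circuit-specific and not given on this page, so small multiples of the G1 generator (1, 2) stand in for them; R is the BN254 scalar field order, and the affine curve arithmetic is written out so the example runs without the EIP-196 precompiles. It also shows the bug the PublicInputNotInField revert prevents: every G1 point has order R, so the scalars s and s + R produce the same point, and a verifier that reduced its inputs would accept one proof for two different public-input encodings.

```python
P = 21888242871839275222246405745257275088696311157297823662689037894645226208583  # BN254 base field
R = 21888242871839275222246405745257275088548364400416034343698204186575808495617  # BN254 scalar field (order of G1)

class PublicInputNotInField(Exception):
    """Stands in for the contract's PublicInputNotInField() revert."""

def on_curve(p):
    return p is None or (p[1] ** 2 - p[0] ** 3 - 3) % P == 0

def g1_add(p, q):
    """Affine addition on y^2 = x^3 + 3; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                               # p == -q
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P    # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def g1_mul(p, k):
    """Double-and-add scalar multiplication (a reference, not constant-time)."""
    acc = None
    while k:
        if k & 1:
            acc = g1_add(acc, p)
        p = g1_add(p, p)
        k >>= 1
    return acc

G1_GEN = (1, 2)
# Placeholder verifying-key points (assumption: the real CONSTANT and PUB_i are
# circuit-specific values baked into the contract and do not appear on this page).
CONSTANT = g1_mul(G1_GEN, 5)
PUB = [g1_mul(G1_GEN, 11), g1_mul(G1_GEN, 17)]

def public_input_msm(inputs):
    """CONSTANT + sum(input_i * PUB_i), rejecting any input that is not reduced mod R."""
    if len(inputs) != len(PUB):
        raise ValueError("expected %d public inputs" % len(PUB))
    for s in inputs:
        if s >= R:
            raise PublicInputNotInField
    acc = CONSTANT
    for s, pt in zip(inputs, PUB):
        acc = g1_add(acc, g1_mul(pt, s))
    return acc

def same_point_if_reduced(s):
    """Why the check matters: G1 has order R, so s and s + R give the same point.
    Without the revert, a proof for public input s would also verify for s + R."""
    return g1_mul(PUB[0], s) == g1_mul(PUB[0], s + R)
```

With the placeholder key, `public_input_msm([2, 3])` equals 78 times the generator (5 + 2·11 + 3·17), and `public_input_msm([R, 0])` raises where a reducing verifier would have returned the same point as `public_input_msm([0, 0])`.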
compressProof
function compressProof(uint256[8] proof) public view returns (uint256[4] compressed)
Compress a proof.
Will revert with ProofInvalid if the curve points are invalid,
but does not verify the proof itself.
Parameters
| Name | Type | Description |
|---|---|---|
| proof | uint256[8] | The uncompressed Groth16 proof. Elements are in the same order as for verifyProof. I.e. Groth16 points (A, B, C) encoded as in EIP-197. |
Return Values
| Name | Type | Description |
|---|---|---|
| compressed | uint256[4] | The compressed proof. Elements are in the same order as for verifyCompressedProof. I.e. points (A, B, C) in compressed format. |
verifyCompressedProof
function verifyCompressedProof(uint256[4] compressedProof, uint256[2] input) public view
Verify a Groth16 proof with compressed points.
Reverts with ProofInvalid if the proof is invalid or
with PublicInputNotInField if the public input is not reduced.
There is no return value. If the function does not revert, the
proof was successfully verified.
Parameters
| Name | Type | Description |
|---|---|---|
| compressedProof | uint256[4] | the points (A, B, C) in compressed format matching the output of compressProof. |
| input | uint256[2] | the public input field elements in the scalar field Fr. Elements must be reduced. |
Verify
function Verify(uint256[8] proof, uint256[2] input) public view
Verify an uncompressed Groth16 proof.
Reverts with ProofInvalid if the proof is invalid or
with PublicInputNotInField if the public input is not reduced.
There is no return value. If the function does not revert, the
proof was successfully verified.
Parameters
| Name | Type | Description |
|---|---|---|
| proof | uint256[8] | the points (A, B, C) in EIP-197 format, i.e. the uncompressed layout accepted as input by compressProof. |
| input | uint256[2] | the public input field elements in the scalar field Fr. Elements must be reduced. |