Feat/pedersen batch verify

[Tabaie]

Description

This PR implements a BatchVerify function that can verify $n$ proofs of knowledge from keys with the same base $G_2$ point but possibly different $\sigma$ parameters using $n+1$ pairings instead of $2n$.

The existing BatchProve method which folds both commitments and proofs remains valid by the following extractor construction, but is not suitable to some applications.

Let V be able to provide convincing folded proofs of knowledge for $C_i = x_i B$ for $i\in {1,2 }, B\in G_1$ with high probability. Then, an extractor is able, by rewinding, to obtain two correct folded proofs of knowledge $\Pi, \Pi' \in G_1$ corresponding to distinct challenges $r,r'\in \mathbb F_r$ respectively. Then we have $e(C_1 + rC_2,G^\sigma)=e(\Pi,G), e(C_1+r'C_2,G^\sigma)=e(\Pi',G).$ Then we get $e\big((r-r')C_2, G^\sigma\big)=e(\Pi-\Pi',G)\Rightarrow e(C_2,G^\sigma)=e\big(\frac 1 {r-r'}(\Pi-\Pi'), G\big)$, thus obtaining a proof in the original scheme of knowledge of $C_2$. A proof of knowledge of $C_1$ can similarly can be extracted.

The new scheme requires the prover to send the $n$ individual proofs to the verifier. The verifier randomizes $r$ without sending it as a challenge to the prover. It folds the commitments into $C = C_1 + rC_2+...+r^{n-1}C_n$ and checks that $e(C, G)=e(\Pi_1,G^{\frac 1 {\sigma_1}})...e(\Pi_n, G^{\frac 1{\sigma_n}})$. Then, from $1=e(C_1^{\sigma_1}-\Pi_1,G)e^r(C_2^{\sigma_2}-\Pi_2,G)...e^{r^{n-1}}(C_n^{\sigma_n}-\Pi_n,G)$ one can deduce with high probability that $e(C_i,G^{\sigma_i})=e(\Pi_i,G)$ for $i=1..n$.

Type of change

Please delete options that are not relevant.

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

Interface changes

• The Setup function no longer takes the bases in variadic form. This is to provide the option to the user to set the G2 point themselves instead of having it randomized.
• The prove and fold functions no longer take "Fiat-Shamir options". Instead, they take in a challenge field element, implementing an interactive version of the protocol. The user is now responsible for generating a suitable challenge should they choose to apply the Fiat-Shamir transformation.
• A BatchVerify function is added to verify many proofs of knowledge with the same G2 point efficiently. It may be confusing to users that BatchVerify and BatchProve do not correspond.

How has this been tested?

Please describe the tests that you ran or implemented to verify your changes. Provide instructions so we can reproduce.

• TestSemiFoldProofs

Checklist:

• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have added tests that prove my fix is effective or that my feature works
• I did not modify files generated from templates
• golangci-lint does not output errors locally
• New and existing unit tests pass locally with my changes
• Any dependent changes have been merged and published in downstream modules

[github-actions]

📦 github.com/consensys/gnark-crypto/ecc/bn254/fr/fri
❌ TestFRI 21.15s

! verifying wrong opening should fail: Falsified after 4 passed tests.
ARG_0: 0
+ verifying correct opening should succeed: OK, passed 10 tests.
+ The claimed value of a polynomial should match P(x): OK, passed 10 tests.
+ Derive queries position: points should belong the correct fiber: OK,
   passed 10 tests.
+ verifying a correctly formed proof should succeed: OK, passed 10 tests.
    properties.go:57: failed with initial seed: 1719877377657023392

[ivokub]

Looks good to me, but I have some ideas on making more cleaner and flexible to use.

I messed up the comments though - I added mostly to the generated code, but they go for the template.

[ivokub]

Looks good to me now. I paraphrased the method documentation so that it would look nicely on the documentation site. I also added package examples which should show on on the documentation site, so the users would know how to combine different methods (and for example how to generate bases for the setup etc.). Have a look at my changes and they seem good, then it is good to merge on my side 👍

[Tabaie]

Perfect thank you for the modifications!