Addition of KZG commitment scheme (issue #38)

[ThomasPiellard]

This PR fixes #38 .

KZG

The KZG stucture stores the SRS (2 G2 points, and a slice of G1 points) and the fft domain needed for the polyomial division. Each field is serialised when the KZG structure is read from/written to a reader/writer.

API breaking changes

• The interface that an additively homomorphic commitment scheme should implement has been modified and consists of the following methods:

Commit(p Polynomial) Digest
Open(point interface{}, p Polynomial) OpeningProof
Verify(commitment Digest, proof OpeningProof) error
BatchOpenSinglePoint(point interface{}, digests []Digest, polynomials []Polynomial) BatchOpeningProofSinglePoint
BatchVerifySinglePoint(digests []Digest, batchOpeningProof BatchOpeningProofSinglePoint) error

• The claimed values are now in the proof structure instead of separate objects.
  Example for KZG:

type Proof struct {

	// Point at which the polynomial is evaluated
	Point fr.Element

	// ClaimedValue purported value
	ClaimedValue fr.Element

	// H quotient polynomial (f - f(z))/(x-z)
	H bn254.G1Affine
}

• The interface that a Polynomial should implement has been enhanced to fit the needs of KZG, but is still minimalist:

type Polynomial interface {
	Degree() uint64
	Eval(v interface{}) interface{}
	Clone() Polynomial
	Add(p1, p2 Polynomial) Polynomial
	AddConstantInPlace(c interface{})
	SubConstantInPlace(c interface{})
	ScaleInPlace(c interface{})
	Equal(p1 Polynomial) bool
}

Status

All tests pass.

[CLAassistant]

All committers have signed the CLA.