halo2/src/plonk/permutation/verifier.rs

use ff::Field;
use std::iter;

use super::super::{circuit::Any, ChallengeBeta, ChallengeGamma, ChallengeX};
use super::{Argument, VerifyingKey};
use crate::{
    arithmetic::{CurveAffine, FieldExt},
    plonk::{self, Error},
    poly::{multiopen::VerifierQuery, Rotation},
    transcript::{EncodedChallenge, TranscriptRead},
};

pub struct Committed<C: CurveAffine> {
    permutation_product_commitment: C,
}

pub struct Evaluated<C: CurveAffine> {
    permutation_product_commitment: C,
    permutation_product_eval: C::Scalar,
    permutation_product_next_eval: C::Scalar,
    permutation_evals: Vec<C::Scalar>,
}

impl Argument {
    pub(crate) fn read_product_commitment<
        C: CurveAffine,
        E: EncodedChallenge<C>,
        T: TranscriptRead<C, E>,
    >(
        &self,
        transcript: &mut T,
    ) -> Result<Committed<C>, Error> {
        let permutation_product_commitment = transcript
            .read_point()
            .map_err(|_| Error::TranscriptError)?;

        Ok(Committed {
            permutation_product_commitment,
        })
    }
}

impl<C: CurveAffine> Committed<C> {
    pub(crate) fn evaluate<E: EncodedChallenge<C>, T: TranscriptRead<C, E>>(
        self,
        vkey: &VerifyingKey<C>,
        transcript: &mut T,
    ) -> Result<Evaluated<C>, Error> {
        let permutation_product_eval = transcript
            .read_scalar()
            .map_err(|_| Error::TranscriptError)?;
        let permutation_product_next_eval = transcript
            .read_scalar()
            .map_err(|_| Error::TranscriptError)?;
        let mut permutation_evals = Vec::with_capacity(vkey.commitments.len());
        for _ in 0..vkey.commitments.len() {
            permutation_evals.push(
                transcript
                    .read_scalar()
                    .map_err(|_| Error::TranscriptError)?,
            );
        }

        Ok(Evaluated {
            permutation_product_commitment: self.permutation_product_commitment,
            permutation_product_eval,
            permutation_product_next_eval,
            permutation_evals,
        })
    }
}

impl<C: CurveAffine> Evaluated<C> {
    pub(in crate::plonk) fn expressions<'a>(
        &'a self,
        vk: &'a plonk::VerifyingKey<C>,
        p: &'a Argument,
        advice_evals: &'a [C::Scalar],
        fixed_evals: &[C::Scalar],
        instance_evals: &'a [C::Scalar],
        l_0: C::Scalar,
        beta: ChallengeBeta<C>,
        gamma: ChallengeGamma<C>,
        x: ChallengeX<C>,
    ) -> impl Iterator<Item = C::Scalar> + 'a {
        iter::empty()
            // l_0(X) * (1 - z(X)) = 0
            .chain(Some(
                l_0 * &(C::Scalar::one() - &self.permutation_product_eval),
            ))
            // z(omega X) \prod (p(X) + \beta s_i(X) + \gamma)
            // - z(X) \prod (p(X) + \delta^i \beta X + \gamma)
            .chain(Some({
                let mut left = self.permutation_product_next_eval;
                for (eval, permutation_eval) in p
                    .columns
                    .iter()
                    .map(|&column| match column.column_type() {
                        Any::Advice => {
                            advice_evals[vk.cs.get_any_query_index(column, Rotation::cur())]
                        }
                        Any::Fixed => {
                            fixed_evals[vk.cs.get_any_query_index(column, Rotation::cur())]
                        }
                        Any::Instance => {
                            instance_evals[vk.cs.get_any_query_index(column, Rotation::cur())]
                        }
                    })
                    .zip(self.permutation_evals.iter())
                {
                    left *= &(eval + &(*beta * permutation_eval) + &*gamma);
                }

                let mut right = self.permutation_product_eval;
                let mut current_delta = *beta * &*x;
                for eval in p.columns.iter().map(|&column| match column.column_type() {
                    Any::Advice => advice_evals[vk.cs.get_any_query_index(column, Rotation::cur())],
                    Any::Fixed => fixed_evals[vk.cs.get_any_query_index(column, Rotation::cur())],
                    Any::Instance => {
                        instance_evals[vk.cs.get_any_query_index(column, Rotation::cur())]
                    }
                }) {
                    right *= &(eval + &current_delta + &*gamma);
                    current_delta *= &C::Scalar::DELTA;
                }

                left - &right
            }))
    }

    pub(in crate::plonk) fn queries<'r, 'params: 'r>(
        &'r self,
        vk: &'r plonk::VerifyingKey<C>,
        vkey: &'r VerifyingKey<C>,
        x: ChallengeX<C>,
    ) -> impl Iterator<Item = VerifierQuery<'r, 'params, C>> + Clone {
        let x_next = vk.domain.rotate_omega(*x, Rotation::next());

        iter::empty()
            // Open permutation product commitments at x and \omega x
            .chain(Some(VerifierQuery::new_commitment(
                &self.permutation_product_commitment,
                *x,
                self.permutation_product_eval,
            )))
            .chain(Some(VerifierQuery::new_commitment(
                &self.permutation_product_commitment,
                x_next,
                self.permutation_product_next_eval,
            )))
            // Open permutation commitments for each permutation argument at x
            .chain(
                vkey.commitments
                    .iter()
                    .zip(self.permutation_evals.iter())
                    .map(move |(commitment, &eval)| {
                        VerifierQuery::new_commitment(commitment, *x, eval)
                    }),
            )
    }
}
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00			`use ff::Field;`
			`use std::iter;`

Propagate type changes 2021-04-12 23:47:25 -07:00			`use super::super::{circuit::Any, ChallengeBeta, ChallengeGamma, ChallengeX};`
Update the PLONK implementation to adapt to the new transcript API. 2020-12-23 12:03:31 -08:00			`use super::{Argument, VerifyingKey};`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00			`use crate::{`
			`arithmetic::{CurveAffine, FieldExt},`
Propagate type changes 2021-04-12 23:47:25 -07:00			`plonk::{self, Error},`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00			`poly::{multiopen::VerifierQuery, Rotation},`
Replace ChallengeSpace with EncodedChallenge API Co-authored-by: Sean Bowe <ewillbefull@gmail.com> 2021-04-30 18:28:50 -07:00			`transcript::{EncodedChallenge, TranscriptRead},`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00			`};`

Update the PLONK implementation to adapt to the new transcript API. 2020-12-23 12:03:31 -08:00			`pub struct Committed<C: CurveAffine> {`
			`permutation_product_commitment: C,`
			`}`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00
Update the PLONK implementation to adapt to the new transcript API. 2020-12-23 12:03:31 -08:00			`pub struct Evaluated<C: CurveAffine> {`
			`permutation_product_commitment: C,`
			`permutation_product_eval: C::Scalar,`
Switch directionality of the permutation argument's constraints. 2021-03-04 09:34:56 -08:00			`permutation_product_next_eval: C::Scalar,`
Update the PLONK implementation to adapt to the new transcript API. 2020-12-23 12:03:31 -08:00			`permutation_evals: Vec<C::Scalar>,`
			`}`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00
Update the PLONK implementation to adapt to the new transcript API. 2020-12-23 12:03:31 -08:00			`impl Argument {`
Propagate type changes 2021-04-12 23:47:25 -07:00			`pub(crate) fn read_product_commitment<`
			`C: CurveAffine,`
Input as associated type on EncodedChallenge Use Input as an associated type instead of a type parameter, to reduce infection Co-authored-by: Sean Bowe <ewillbefull@gmail.com> 2021-05-07 07:21:54 -07:00			`E: EncodedChallenge<C>,`
			`T: TranscriptRead<C, E>,`
Propagate type changes 2021-04-12 23:47:25 -07:00			`>(`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00			`&self,`
Update the PLONK implementation to adapt to the new transcript API. 2020-12-23 12:03:31 -08:00			`transcript: &mut T,`
			`) -> Result<Committed<C>, Error> {`
			`let permutation_product_commitment = transcript`
			`.read_point()`
			`.map_err(\|_\| Error::TranscriptError)?;`

			`Ok(Committed {`
			`permutation_product_commitment,`
			`})`
			`}`
			`}`

			`impl<C: CurveAffine> Committed<C> {`
Input as associated type on EncodedChallenge Use Input as an associated type instead of a type parameter, to reduce infection Co-authored-by: Sean Bowe <ewillbefull@gmail.com> 2021-05-07 07:21:54 -07:00			`pub(crate) fn evaluate<E: EncodedChallenge<C>, T: TranscriptRead<C, E>>(`
Update the PLONK implementation to adapt to the new transcript API. 2020-12-23 12:03:31 -08:00			`self,`
			`vkey: &VerifyingKey<C>,`
			`transcript: &mut T,`
			`) -> Result<Evaluated<C>, Error> {`
			`let permutation_product_eval = transcript`
			`.read_scalar()`
			`.map_err(\|_\| Error::TranscriptError)?;`
Switch directionality of the permutation argument's constraints. 2021-03-04 09:34:56 -08:00			`let permutation_product_next_eval = transcript`
Update the PLONK implementation to adapt to the new transcript API. 2020-12-23 12:03:31 -08:00			`.read_scalar()`
			`.map_err(\|_\| Error::TranscriptError)?;`
			`let mut permutation_evals = Vec::with_capacity(vkey.commitments.len());`
			`for _ in 0..vkey.commitments.len() {`
			`permutation_evals.push(`
			`transcript`
			`.read_scalar()`
			`.map_err(\|_\| Error::TranscriptError)?,`
			`);`
			`}`

			`Ok(Evaluated {`
			`permutation_product_commitment: self.permutation_product_commitment,`
			`permutation_product_eval,`
Switch directionality of the permutation argument's constraints. 2021-03-04 09:34:56 -08:00			`permutation_product_next_eval,`
Update the PLONK implementation to adapt to the new transcript API. 2020-12-23 12:03:31 -08:00			`permutation_evals,`
			`})`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00			`}`
Update the PLONK implementation to adapt to the new transcript API. 2020-12-23 12:03:31 -08:00			`}`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00
Update the PLONK implementation to adapt to the new transcript API. 2020-12-23 12:03:31 -08:00			`impl<C: CurveAffine> Evaluated<C> {`
Restrict visibility of PLONK challenges to plonk module 2020-12-01 13:14:14 -08:00			`pub(in crate::plonk) fn expressions<'a>(`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00			`&'a self,`
Refactor permutation proofs to reflect the separate permutations 2020-12-22 15:51:32 -08:00			`vk: &'a plonk::VerifyingKey<C>,`
			`p: &'a Argument,`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00			`advice_evals: &'a [C::Scalar],`
Use Column<Any> in Permutation::Argument 2021-02-17 05:13:25 -08:00			`fixed_evals: &[C::Scalar],`
			`instance_evals: &'a [C::Scalar],`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00			`l_0: C::Scalar,`
Update the PLONK implementation to adapt to the new transcript API. 2020-12-23 12:03:31 -08:00			`beta: ChallengeBeta<C>,`
			`gamma: ChallengeGamma<C>,`
			`x: ChallengeX<C>,`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00			`) -> impl Iterator<Item = C::Scalar> + 'a {`
			`iter::empty()`
			`// l_0(X) * (1 - z(X)) = 0`
Refactor permutation proofs to reflect the separate permutations 2020-12-22 15:51:32 -08:00			`.chain(Some(`
			`l_0 * &(C::Scalar::one() - &self.permutation_product_eval),`
			`))`
Switch directionality of the permutation argument's constraints. 2021-03-04 09:34:56 -08:00			`// z(omega X) \prod (p(X) + \beta s_i(X) + \gamma)`
			`// - z(X) \prod (p(X) + \delta^i \beta X + \gamma)`
Refactor permutation proofs to reflect the separate permutations 2020-12-22 15:51:32 -08:00			`.chain(Some({`
Switch directionality of the permutation argument's constraints. 2021-03-04 09:34:56 -08:00			`let mut left = self.permutation_product_next_eval;`
Use Column<Any> in Permutation::Argument 2021-02-17 05:13:25 -08:00			`for (eval, permutation_eval) in p`
Refactor permutation proofs to reflect the separate permutations 2020-12-22 15:51:32 -08:00			`.columns`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00			`.iter()`
Use Column<Any> in Permutation::Argument 2021-02-17 05:13:25 -08:00			`.map(\|&column\| match column.column_type() {`
			`Any::Advice => {`
			`advice_evals[vk.cs.get_any_query_index(column, Rotation::cur())]`
			`}`
			`Any::Fixed => {`
			`fixed_evals[vk.cs.get_any_query_index(column, Rotation::cur())]`
			`}`
			`Any::Instance => {`
			`instance_evals[vk.cs.get_any_query_index(column, Rotation::cur())]`
			`}`
Require Rotation instead of i32 for relative rows in circuits. Co-authored-by: str4d <thestr4d@gmail.com> 2020-12-23 08:45:16 -08:00			`})`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00			`.zip(self.permutation_evals.iter())`
Refactor permutation proofs to reflect the separate permutations 2020-12-22 15:51:32 -08:00			`{`
Use Column<Any> in Permutation::Argument 2021-02-17 05:13:25 -08:00			`left = &(eval + &(beta * permutation_eval) + &*gamma);`
Refactor permutation proofs to reflect the separate permutations 2020-12-22 15:51:32 -08:00			`}`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00
Switch directionality of the permutation argument's constraints. 2021-03-04 09:34:56 -08:00			`let mut right = self.permutation_product_eval;`
Fix breakage of trait resolution in Rust 1.49.0 Previously, `ChallengeScalar` could use the operator traits defined on the `F: Field` type it wrapped, due to its `impl Deref<Target = F>`. This was technically ambiguous, and Rust 1.49.0 makes that ambiguity an error. We could fix this by adding operator impls with `ChallengeScalar` on the RHS, but that would conflict with zcash/halo2#111. Instead we manually dereference every challenge scalar when used in an arithmetic operation. 2021-01-05 16:00:27 -08:00			`let mut current_delta = beta &*x;`
Use Column<Any> in Permutation::Argument 2021-02-17 05:13:25 -08:00			`for eval in p.columns.iter().map(\|&column\| match column.column_type() {`
			`Any::Advice => advice_evals[vk.cs.get_any_query_index(column, Rotation::cur())],`
			`Any::Fixed => fixed_evals[vk.cs.get_any_query_index(column, Rotation::cur())],`
			`Any::Instance => {`
			`instance_evals[vk.cs.get_any_query_index(column, Rotation::cur())]`
			`}`
Require Rotation instead of i32 for relative rows in circuits. Co-authored-by: str4d <thestr4d@gmail.com> 2020-12-23 08:45:16 -08:00			`}) {`
Use Column<Any> in Permutation::Argument 2021-02-17 05:13:25 -08:00			`right = &(eval + &current_delta + &gamma);`
Refactor permutation proofs to reflect the separate permutations 2020-12-22 15:51:32 -08:00			`current_delta *= &C::Scalar::DELTA;`
			`}`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00
Refactor permutation proofs to reflect the separate permutations 2020-12-22 15:51:32 -08:00			`left - &right`
			`}))`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00			`}`

Allow MSMs to be queried and not just raw commitments. This allows us to avoid some interstitial arithmetic in the vanishing argument. 2021-02-26 17:48:02 -08:00			`pub(in crate::plonk) fn queries<'r, 'params: 'r>(`
			`&'r self,`
			`vk: &'r plonk::VerifyingKey<C>,`
			`vkey: &'r VerifyingKey<C>,`
Update the PLONK implementation to adapt to the new transcript API. 2020-12-23 12:03:31 -08:00			`x: ChallengeX<C>,`
Allow MSMs to be queried and not just raw commitments. This allows us to avoid some interstitial arithmetic in the vanishing argument. 2021-02-26 17:48:02 -08:00			`) -> impl Iterator<Item = VerifierQuery<'r, 'params, C>> + Clone {`
Switch directionality of the permutation argument's constraints. 2021-03-04 09:34:56 -08:00			`let x_next = vk.domain.rotate_omega(*x, Rotation::next());`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00
			`iter::empty()`
Switch directionality of the permutation argument's constraints. 2021-03-04 09:34:56 -08:00			`// Open permutation product commitments at x and \omega x`
Allow MSMs to be queried and not just raw commitments. This allows us to avoid some interstitial arithmetic in the vanishing argument. 2021-02-26 17:48:02 -08:00			`.chain(Some(VerifierQuery::new_commitment(`
			`&self.permutation_product_commitment,`
			`*x,`
			`self.permutation_product_eval,`
			`)))`
			`.chain(Some(VerifierQuery::new_commitment(`
			`&self.permutation_product_commitment,`
Switch directionality of the permutation argument's constraints. 2021-03-04 09:34:56 -08:00			`x_next,`
			`self.permutation_product_next_eval,`
Allow MSMs to be queried and not just raw commitments. This allows us to avoid some interstitial arithmetic in the vanishing argument. 2021-02-26 17:48:02 -08:00			`)))`
Refactor permutation proofs to reflect the separate permutations 2020-12-22 15:51:32 -08:00			`// Open permutation commitments for each permutation argument at x`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00			`.chain(`
Refactor permutation proofs to reflect the separate permutations 2020-12-22 15:51:32 -08:00			`vkey.commitments`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00			`.iter()`
Refactor permutation proofs to reflect the separate permutations 2020-12-22 15:51:32 -08:00			`.zip(self.permutation_evals.iter())`
Allow MSMs to be queried and not just raw commitments. This allows us to avoid some interstitial arithmetic in the vanishing argument. 2021-02-26 17:48:02 -08:00			`.map(move \|(commitment, &eval)\| {`
			`VerifierQuery::new_commitment(commitment, *x, eval)`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00			`}),`
			`)`
			`}`
			`}`