halo2/src/plonk/permutation/verifier.rs

use ff::Field;
use std::iter;

use super::{Argument, Proof, VerifyingKey};
use crate::{
    arithmetic::{CurveAffine, FieldExt},
    plonk::{self, ChallengeBeta, ChallengeGamma, ChallengeX, Error},
    poly::{multiopen::VerifierQuery, Rotation},
    transcript::{Hasher, Transcript},
};

impl<C: CurveAffine> Proof<C> {
    pub(crate) fn check_lengths(&self, p: &Argument) -> Result<(), Error> {
        if self.permutation_evals.len() != p.columns.len() {
            return Err(Error::IncompatibleParams);
        }

        Ok(())
    }

    pub(crate) fn absorb_commitments<HBase: Hasher<C::Base>, HScalar: Hasher<C::Scalar>>(
        &self,
        transcript: &mut Transcript<C, HBase, HScalar>,
    ) -> Result<(), Error> {
        transcript
            .absorb_point(&self.permutation_product_commitment)
            .map_err(|_| Error::TranscriptError)
    }

    pub(in crate::plonk) fn expressions<'a>(
        &'a self,
        vk: &'a plonk::VerifyingKey<C>,
        p: &'a Argument,
        advice_evals: &'a [C::Scalar],
        l_0: C::Scalar,
        beta: ChallengeBeta<C::Scalar>,
        gamma: ChallengeGamma<C::Scalar>,
        x: ChallengeX<C::Scalar>,
    ) -> impl Iterator<Item = C::Scalar> + 'a {
        iter::empty()
            // l_0(X) * (1 - z(X)) = 0
            .chain(Some(
                l_0 * &(C::Scalar::one() - &self.permutation_product_eval),
            ))
            // z(X) \prod (p(X) + \beta s_i(X) + \gamma)
            // - z(omega^{-1} X) \prod (p(X) + \delta^i \beta X + \gamma)
            .chain(Some({
                let mut left = self.permutation_product_eval;
                for (advice_eval, permutation_eval) in p
                    .columns
                    .iter()
                    .map(|&column| advice_evals[vk.cs.get_advice_query_index(column, 0)])
                    .zip(self.permutation_evals.iter())
                {
                    left *= &(advice_eval + &(*beta * permutation_eval) + &*gamma);
                }

                let mut right = self.permutation_product_inv_eval;
                let mut current_delta = *beta * &*x;
                for advice_eval in p
                    .columns
                    .iter()
                    .map(|&column| advice_evals[vk.cs.get_advice_query_index(column, 0)])
                {
                    right *= &(advice_eval + &current_delta + &*gamma);
                    current_delta *= &C::Scalar::DELTA;
                }

                left - &right
            }))
    }

    pub(crate) fn evals(&self) -> impl Iterator<Item = &C::Scalar> {
        iter::empty()
            .chain(Some(&self.permutation_product_eval))
            .chain(Some(&self.permutation_product_inv_eval))
            .chain(self.permutation_evals.iter())
    }

    pub(in crate::plonk) fn queries<'a>(
        &'a self,
        vk: &'a plonk::VerifyingKey<C>,
        vkey: &'a VerifyingKey<C>,
        x: ChallengeX<C::Scalar>,
    ) -> impl Iterator<Item = VerifierQuery<'a, C>> + Clone {
        let x_inv = vk.domain.rotate_omega(*x, Rotation(-1));

        iter::empty()
            // Open permutation product commitments at x and \omega^{-1} x
            .chain(Some(VerifierQuery {
                point: *x,
                commitment: &self.permutation_product_commitment,
                eval: self.permutation_product_eval,
            }))
            .chain(Some(VerifierQuery {
                point: x_inv,
                commitment: &self.permutation_product_commitment,
                eval: self.permutation_product_inv_eval,
            }))
            // Open permutation commitments for each permutation argument at x
            .chain(
                vkey.commitments
                    .iter()
                    .zip(self.permutation_evals.iter())
                    .map(move |(commitment, &eval)| VerifierQuery {
                        point: *x,
                        commitment,
                        eval,
                    }),
            )
    }
}
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00			`use ff::Field;`
			`use std::iter;`

Refactor permutation proofs to reflect the separate permutations 2020-12-22 15:51:32 -08:00			`use super::{Argument, Proof, VerifyingKey};`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00			`use crate::{`
			`arithmetic::{CurveAffine, FieldExt},`
Refactor permutation proofs to reflect the separate permutations 2020-12-22 15:51:32 -08:00			`plonk::{self, ChallengeBeta, ChallengeGamma, ChallengeX, Error},`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00			`poly::{multiopen::VerifierQuery, Rotation},`
			`transcript::{Hasher, Transcript},`
			`};`

			`impl<C: CurveAffine> Proof<C> {`
Refactor permutation proofs to reflect the separate permutations 2020-12-22 15:51:32 -08:00			`pub(crate) fn check_lengths(&self, p: &Argument) -> Result<(), Error> {`
			`if self.permutation_evals.len() != p.columns.len() {`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00			`return Err(Error::IncompatibleParams);`
			`}`

			`Ok(())`
			`}`

			`pub(crate) fn absorb_commitments<HBase: Hasher<C::Base>, HScalar: Hasher<C::Scalar>>(`
			`&self,`
			`transcript: &mut Transcript<C, HBase, HScalar>,`
			`) -> Result<(), Error> {`
Refactor permutation proofs to reflect the separate permutations 2020-12-22 15:51:32 -08:00			`transcript`
			`.absorb_point(&self.permutation_product_commitment)`
			`.map_err(\|_\| Error::TranscriptError)`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00			`}`

Restrict visibility of PLONK challenges to plonk module 2020-12-01 13:14:14 -08:00			`pub(in crate::plonk) fn expressions<'a>(`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00			`&'a self,`
Refactor permutation proofs to reflect the separate permutations 2020-12-22 15:51:32 -08:00			`vk: &'a plonk::VerifyingKey<C>,`
			`p: &'a Argument,`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00			`advice_evals: &'a [C::Scalar],`
			`l_0: C::Scalar,`
Introduce typed challenge scalars This also centralises the challenge generation logic in Challenge::get, ensuring it is consistent across the codebase. 2020-11-25 11:26:31 -08:00			`beta: ChallengeBeta<C::Scalar>,`
			`gamma: ChallengeGamma<C::Scalar>,`
			`x: ChallengeX<C::Scalar>,`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00			`) -> impl Iterator<Item = C::Scalar> + 'a {`
			`iter::empty()`
			`// l_0(X) * (1 - z(X)) = 0`
Refactor permutation proofs to reflect the separate permutations 2020-12-22 15:51:32 -08:00			`.chain(Some(`
			`l_0 * &(C::Scalar::one() - &self.permutation_product_eval),`
			`))`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00			`// z(X) \prod (p(X) + \beta s_i(X) + \gamma)`
			`// - z(omega^{-1} X) \prod (p(X) + \delta^i \beta X + \gamma)`
Refactor permutation proofs to reflect the separate permutations 2020-12-22 15:51:32 -08:00			`.chain(Some({`
			`let mut left = self.permutation_product_eval;`
			`for (advice_eval, permutation_eval) in p`
			`.columns`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00			`.iter()`
Refactor permutation proofs to reflect the separate permutations 2020-12-22 15:51:32 -08:00			`.map(\|&column\| advice_evals[vk.cs.get_advice_query_index(column, 0)])`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00			`.zip(self.permutation_evals.iter())`
Refactor permutation proofs to reflect the separate permutations 2020-12-22 15:51:32 -08:00			`{`
Fix breakage of trait resolution in Rust 1.49.0 Previously, `ChallengeScalar` could use the operator traits defined on the `F: Field` type it wrapped, due to its `impl Deref<Target = F>`. This was technically ambiguous, and Rust 1.49.0 makes that ambiguity an error. We could fix this by adding operator impls with `ChallengeScalar` on the RHS, but that would conflict with zcash/halo2#111. Instead we manually dereference every challenge scalar when used in an arithmetic operation. 2021-01-05 16:00:27 -08:00			`left = &(advice_eval + &(beta * permutation_eval) + &*gamma);`
Refactor permutation proofs to reflect the separate permutations 2020-12-22 15:51:32 -08:00			`}`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00
Refactor permutation proofs to reflect the separate permutations 2020-12-22 15:51:32 -08:00			`let mut right = self.permutation_product_inv_eval;`
Fix breakage of trait resolution in Rust 1.49.0 Previously, `ChallengeScalar` could use the operator traits defined on the `F: Field` type it wrapped, due to its `impl Deref<Target = F>`. This was technically ambiguous, and Rust 1.49.0 makes that ambiguity an error. We could fix this by adding operator impls with `ChallengeScalar` on the RHS, but that would conflict with zcash/halo2#111. Instead we manually dereference every challenge scalar when used in an arithmetic operation. 2021-01-05 16:00:27 -08:00			`let mut current_delta = beta &*x;`
Refactor permutation proofs to reflect the separate permutations 2020-12-22 15:51:32 -08:00			`for advice_eval in p`
			`.columns`
			`.iter()`
			`.map(\|&column\| advice_evals[vk.cs.get_advice_query_index(column, 0)])`
			`{`
Fix breakage of trait resolution in Rust 1.49.0 Previously, `ChallengeScalar` could use the operator traits defined on the `F: Field` type it wrapped, due to its `impl Deref<Target = F>`. This was technically ambiguous, and Rust 1.49.0 makes that ambiguity an error. We could fix this by adding operator impls with `ChallengeScalar` on the RHS, but that would conflict with zcash/halo2#111. Instead we manually dereference every challenge scalar when used in an arithmetic operation. 2021-01-05 16:00:27 -08:00			`right = &(advice_eval + &current_delta + &gamma);`
Refactor permutation proofs to reflect the separate permutations 2020-12-22 15:51:32 -08:00			`current_delta *= &C::Scalar::DELTA;`
			`}`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00
Refactor permutation proofs to reflect the separate permutations 2020-12-22 15:51:32 -08:00			`left - &right`
			`}))`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00			`}`

			`pub(crate) fn evals(&self) -> impl Iterator<Item = &C::Scalar> {`
Refactor permutation proofs to reflect the separate permutations 2020-12-22 15:51:32 -08:00			`iter::empty()`
			`.chain(Some(&self.permutation_product_eval))`
			`.chain(Some(&self.permutation_product_inv_eval))`
			`.chain(self.permutation_evals.iter())`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00			`}`

Restrict visibility of PLONK challenges to plonk module 2020-12-01 13:14:14 -08:00			`pub(in crate::plonk) fn queries<'a>(`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00			`&'a self,`
Refactor permutation proofs to reflect the separate permutations 2020-12-22 15:51:32 -08:00			`vk: &'a plonk::VerifyingKey<C>,`
			`vkey: &'a VerifyingKey<C>,`
Introduce typed challenge scalars This also centralises the challenge generation logic in Challenge::get, ensuring it is consistent across the codebase. 2020-11-25 11:26:31 -08:00			`x: ChallengeX<C::Scalar>,`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00			`) -> impl Iterator<Item = VerifierQuery<'a, C>> + Clone {`
Introduce typed challenge scalars This also centralises the challenge generation logic in Challenge::get, ensuring it is consistent across the codebase. 2020-11-25 11:26:31 -08:00			`let x_inv = vk.domain.rotate_omega(*x, Rotation(-1));`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00
			`iter::empty()`
permutation: Clean up opening chains 2020-12-01 14:09:50 -08:00			`// Open permutation product commitments at x and \omega^{-1} x`
Refactor permutation proofs to reflect the separate permutations 2020-12-22 15:51:32 -08:00			`.chain(Some(VerifierQuery {`
			`point: *x,`
			`commitment: &self.permutation_product_commitment,`
			`eval: self.permutation_product_eval,`
			`}))`
			`.chain(Some(VerifierQuery {`
			`point: x_inv,`
			`commitment: &self.permutation_product_commitment,`
			`eval: self.permutation_product_inv_eval,`
			`}))`
			`// Open permutation commitments for each permutation argument at x`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00			`.chain(`
Refactor permutation proofs to reflect the separate permutations 2020-12-22 15:51:32 -08:00			`vkey.commitments`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00			`.iter()`
Refactor permutation proofs to reflect the separate permutations 2020-12-22 15:51:32 -08:00			`.zip(self.permutation_evals.iter())`
			`.map(move \|(commitment, &eval)\| VerifierQuery {`
			`point: *x,`
			`commitment,`
			`eval,`
Extract permutation argument into a submodule 2020-11-24 16:49:52 -08:00			`}),`
			`)`
			`}`
			`}`