halo2/halo2_proofs/src/poly.rs

//! Contains utilities for performing arithmetic over univariate polynomials in
//! various forms, including computing commitments to them and provably opening
//! the committed polynomials at arbitrary points.

use crate::arithmetic::parallelize;
use crate::plonk::Assigned;

use group::ff::{BatchInvert, Field};
use pasta_curves::arithmetic::FieldExt;
use std::fmt::Debug;
use std::marker::PhantomData;
use std::ops::{Add, Deref, DerefMut, Index, IndexMut, Mul, RangeFrom, RangeFull};

pub mod commitment;
mod domain;
mod evaluator;
pub mod multiopen;

pub use domain::*;
pub use evaluator::*;

/// This is an error that could occur during proving or circuit synthesis.
// TODO: these errors need to be cleaned up
#[derive(Debug)]
pub enum Error {
    /// OpeningProof is not well-formed
    OpeningError,
    /// Caller needs to re-sample a point
    SamplingError,
}

/// The basis over which a polynomial is described.
pub trait Basis: Copy + Debug + Send + Sync {}

/// The polynomial is defined as coefficients
#[derive(Clone, Copy, Debug)]
pub struct Coeff;
impl Basis for Coeff {}

/// The polynomial is defined as coefficients of Lagrange basis polynomials
#[derive(Clone, Copy, Debug)]
pub struct LagrangeCoeff;
impl Basis for LagrangeCoeff {}

/// The polynomial is defined as coefficients of Lagrange basis polynomials in
/// an extended size domain which supports multiplication
#[derive(Clone, Copy, Debug)]
pub struct ExtendedLagrangeCoeff;
impl Basis for ExtendedLagrangeCoeff {}

/// Represents a univariate polynomial defined over a field and a particular
/// basis.
#[derive(Clone, Debug)]
pub struct Polynomial<F, B> {
    values: Vec<F>,
    _marker: PhantomData<B>,
}

impl<F, B> Index<usize> for Polynomial<F, B> {
    type Output = F;

    fn index(&self, index: usize) -> &F {
        self.values.index(index)
    }
}

impl<F, B> IndexMut<usize> for Polynomial<F, B> {
    fn index_mut(&mut self, index: usize) -> &mut F {
        self.values.index_mut(index)
    }
}

impl<F, B> Index<RangeFrom<usize>> for Polynomial<F, B> {
    type Output = [F];

    fn index(&self, index: RangeFrom<usize>) -> &[F] {
        self.values.index(index)
    }
}

impl<F, B> IndexMut<RangeFrom<usize>> for Polynomial<F, B> {
    fn index_mut(&mut self, index: RangeFrom<usize>) -> &mut [F] {
        self.values.index_mut(index)
    }
}

impl<F, B> Index<RangeFull> for Polynomial<F, B> {
    type Output = [F];

    fn index(&self, index: RangeFull) -> &[F] {
        self.values.index(index)
    }
}

impl<F, B> IndexMut<RangeFull> for Polynomial<F, B> {
    fn index_mut(&mut self, index: RangeFull) -> &mut [F] {
        self.values.index_mut(index)
    }
}

impl<F, B> Deref for Polynomial<F, B> {
    type Target = [F];

    fn deref(&self) -> &[F] {
        &self.values[..]
    }
}

impl<F, B> DerefMut for Polynomial<F, B> {
    fn deref_mut(&mut self) -> &mut [F] {
        &mut self.values[..]
    }
}

impl<F, B> Polynomial<F, B> {
    /// Iterate over the values, which are either in coefficient or evaluation
    /// form depending on the basis `B`.
    pub fn iter(&self) -> impl Iterator<Item = &F> {
        self.values.iter()
    }

    /// Iterate over the values mutably, which are either in coefficient or
    /// evaluation form depending on the basis `B`.
    pub fn iter_mut(&mut self) -> impl Iterator<Item = &mut F> {
        self.values.iter_mut()
    }

    /// Gets the size of this polynomial in terms of the number of
    /// coefficients used to describe it.
    pub fn num_coeffs(&self) -> usize {
        self.values.len()
    }
}

pub(crate) fn batch_invert_assigned<F: FieldExt>(
    assigned: Vec<Polynomial<Assigned<F>, LagrangeCoeff>>,
) -> Vec<Polynomial<F, LagrangeCoeff>> {
    let mut assigned_denominators: Vec<_> = assigned
        .iter()
        .map(|f| {
            f.iter()
                .map(|value| value.denominator())
                .collect::<Vec<_>>()
        })
        .collect();

    assigned_denominators
        .iter_mut()
        .flat_map(|f| {
            f.iter_mut()
                // If the denominator is trivial, we can skip it, reducing the
                // size of the batch inversion.
                .filter_map(|d| d.as_mut())
        })
        .batch_invert();

    assigned
        .iter()
        .zip(assigned_denominators.into_iter())
        .map(|(poly, inv_denoms)| {
            poly.invert(inv_denoms.into_iter().map(|d| d.unwrap_or_else(F::one)))
        })
        .collect()
}

impl<F: Field> Polynomial<Assigned<F>, LagrangeCoeff> {
    pub(crate) fn invert(
        &self,
        inv_denoms: impl Iterator<Item = F> + ExactSizeIterator,
    ) -> Polynomial<F, LagrangeCoeff> {
        assert_eq!(inv_denoms.len(), self.values.len());
        Polynomial {
            values: self
                .values
                .iter()
                .zip(inv_denoms.into_iter())
                .map(|(a, inv_den)| a.numerator() * inv_den)
                .collect(),
            _marker: self._marker,
        }
    }
}

impl<'a, F: Field, B: Basis> Add<&'a Polynomial<F, B>> for Polynomial<F, B> {
    type Output = Polynomial<F, B>;

    fn add(mut self, rhs: &'a Polynomial<F, B>) -> Polynomial<F, B> {
        parallelize(&mut self.values, |lhs, start| {
            for (lhs, rhs) in lhs.iter_mut().zip(rhs.values[start..].iter()) {
                *lhs += *rhs;
            }
        });

        self
    }
}

impl<F: Field> Polynomial<F, LagrangeCoeff> {
    /// Rotates the values in a Lagrange basis polynomial by `Rotation`
    pub fn rotate(&self, rotation: Rotation) -> Polynomial<F, LagrangeCoeff> {
        let mut values = self.values.clone();
        if rotation.0 < 0 {
            values.rotate_right((-rotation.0) as usize);
        } else {
            values.rotate_left(rotation.0 as usize);
        }
        Polynomial {
            values,
            _marker: PhantomData,
        }
    }
}

impl<F: Field, B: Basis> Mul<F> for Polynomial<F, B> {
    type Output = Polynomial<F, B>;

    fn mul(mut self, rhs: F) -> Polynomial<F, B> {
        parallelize(&mut self.values, |lhs, _| {
            for lhs in lhs.iter_mut() {
                *lhs *= rhs;
            }
        });

        self
    }
}

/// Describes the relative rotation of a vector. Negative numbers represent
/// reverse (leftmost) rotations and positive numbers represent forward (rightmost)
/// rotations. Zero represents no rotation.
#[derive(Copy, Clone, Debug, PartialEq)]
pub struct Rotation(pub i32);

impl Rotation {
    /// The current location in the evaluation domain
    pub fn cur() -> Rotation {
        Rotation(0)
    }

    /// The previous location in the evaluation domain
    pub fn prev() -> Rotation {
        Rotation(-1)
    }

    /// The next location in the evaluation domain
    pub fn next() -> Rotation {
        Rotation(1)
    }
}
Refactor module tree. 2020-09-07 09:22:25 -07:00			`//! Contains utilities for performing arithmetic over univariate polynomials in`
			`//! various forms, including computing commitments to them and provably opening`
			`//! the committed polynomials at arbitrary points.`

Migrate to ff traits The `Field` trait in this crate is now `FieldExt: ff::PrimeField`. 2020-11-12 16:08:08 -08:00			`use crate::arithmetic::parallelize;`
Batch invert cell assignments during keygen and proving 2021-06-11 09:34:25 -07:00			`use crate::plonk::Assigned;`
Refactor module tree. 2020-09-07 09:22:25 -07:00
Use `ff::BatchInvert` now that we have upstreamed it 2021-09-30 14:35:33 -07:00			`use group::ff::{BatchInvert, Field};`
Batch invert cell assignments during keygen and proving 2021-06-11 09:34:25 -07:00			`use pasta_curves::arithmetic::FieldExt;`
Refactor module tree. 2020-09-07 09:22:25 -07:00			`use std::fmt::Debug;`
			`use std::marker::PhantomData;`
Remove unused `Polynomial` operations with internal parallelism These have been replaced by operations on either `poly::Ast` nodes, or operations directly on chunks of polynomials within a higher-level parallelism context. Addition and scalar multiplication are (currently) still used in various areas of the prover, so those are left in place. 2022-01-19 13:53:17 -08:00			`use std::ops::{Add, Deref, DerefMut, Index, IndexMut, Mul, RangeFrom, RangeFull};`
Refactor module tree. 2020-09-07 09:22:25 -07:00
			`pub mod commitment;`
			`mod domain;`
Add `poly::Evaluator` for building polynomial operation ASTs Co-authored-by: Sean Bowe <sean@electriccoin.co> 2021-12-29 15:52:03 -08:00			`mod evaluator;`
Create multiopen abstraction 2020-09-29 00:23:41 -07:00			`pub mod multiopen;`
Refactor module tree. 2020-09-07 09:22:25 -07:00
			`pub use domain::*;`
Add `poly::Evaluator` for building polynomial operation ASTs Co-authored-by: Sean Bowe <sean@electriccoin.co> 2021-12-29 15:52:03 -08:00			`pub use evaluator::*;`
Refactor module tree. 2020-09-07 09:22:25 -07:00
Add MSM and Guard structs in polycommit scheme 2020-09-09 06:00:36 -07:00			`/// This is an error that could occur during proving or circuit synthesis.`
			`// TODO: these errors need to be cleaned up`
			`#[derive(Debug)]`
			`pub enum Error {`
			`/// OpeningProof is not well-formed`
			`OpeningError,`
Remove fork from OpeningProof prover; add loop in PLONK prover to try different f_blind values 2020-09-18 22:21:05 -07:00			`/// Caller needs to re-sample a point`
			`SamplingError,`
Add MSM and Guard structs in polycommit scheme 2020-09-09 06:00:36 -07:00			`}`

Refactor module tree. 2020-09-07 09:22:25 -07:00			`/// The basis over which a polynomial is described.`
Add `poly::Evaluator` for building polynomial operation ASTs Co-authored-by: Sean Bowe <sean@electriccoin.co> 2021-12-29 15:52:03 -08:00			`pub trait Basis: Copy + Debug + Send + Sync {}`
Refactor module tree. 2020-09-07 09:22:25 -07:00
			`/// The polynomial is defined as coefficients`
Add `poly::Evaluator` for building polynomial operation ASTs Co-authored-by: Sean Bowe <sean@electriccoin.co> 2021-12-29 15:52:03 -08:00			`#[derive(Clone, Copy, Debug)]`
Refactor module tree. 2020-09-07 09:22:25 -07:00			`pub struct Coeff;`
			`impl Basis for Coeff {}`

			`/// The polynomial is defined as coefficients of Lagrange basis polynomials`
Add `poly::Evaluator` for building polynomial operation ASTs Co-authored-by: Sean Bowe <sean@electriccoin.co> 2021-12-29 15:52:03 -08:00			`#[derive(Clone, Copy, Debug)]`
Refactor module tree. 2020-09-07 09:22:25 -07:00			`pub struct LagrangeCoeff;`
			`impl Basis for LagrangeCoeff {}`

			`/// The polynomial is defined as coefficients of Lagrange basis polynomials in`
			`/// an extended size domain which supports multiplication`
Add `poly::Evaluator` for building polynomial operation ASTs Co-authored-by: Sean Bowe <sean@electriccoin.co> 2021-12-29 15:52:03 -08:00			`#[derive(Clone, Copy, Debug)]`
Refactor module tree. 2020-09-07 09:22:25 -07:00			`pub struct ExtendedLagrangeCoeff;`
			`impl Basis for ExtendedLagrangeCoeff {}`

			`/// Represents a univariate polynomial defined over a field and a particular`
			`/// basis.`
			`#[derive(Clone, Debug)]`
			`pub struct Polynomial<F, B> {`
			`values: Vec<F>,`
			`_marker: PhantomData<B>,`
			`}`

			`impl<F, B> Index<usize> for Polynomial<F, B> {`
			`type Output = F;`

			`fn index(&self, index: usize) -> &F {`
			`self.values.index(index)`
			`}`
			`}`

			`impl<F, B> IndexMut<usize> for Polynomial<F, B> {`
			`fn index_mut(&mut self, index: usize) -> &mut F {`
			`self.values.index_mut(index)`
			`}`
			`}`

			`impl<F, B> Index<RangeFrom<usize>> for Polynomial<F, B> {`
			`type Output = [F];`

			`fn index(&self, index: RangeFrom<usize>) -> &[F] {`
			`self.values.index(index)`
			`}`
			`}`

			`impl<F, B> IndexMut<RangeFrom<usize>> for Polynomial<F, B> {`
			`fn index_mut(&mut self, index: RangeFrom<usize>) -> &mut [F] {`
			`self.values.index_mut(index)`
			`}`
			`}`

			`impl<F, B> Index<RangeFull> for Polynomial<F, B> {`
			`type Output = [F];`

			`fn index(&self, index: RangeFull) -> &[F] {`
			`self.values.index(index)`
			`}`
			`}`

			`impl<F, B> IndexMut<RangeFull> for Polynomial<F, B> {`
			`fn index_mut(&mut self, index: RangeFull) -> &mut [F] {`
			`self.values.index_mut(index)`
			`}`
			`}`

			`impl<F, B> Deref for Polynomial<F, B> {`
			`type Target = [F];`

			`fn deref(&self) -> &[F] {`
			`&self.values[..]`
			`}`
			`}`

			`impl<F, B> DerefMut for Polynomial<F, B> {`
			`fn deref_mut(&mut self) -> &mut [F] {`
			`&mut self.values[..]`
			`}`
			`}`

			`impl<F, B> Polynomial<F, B> {`
			`/// Iterate over the values, which are either in coefficient or evaluation`
			/// form depending on the basis `B`.
			`pub fn iter(&self) -> impl Iterator<Item = &F> {`
			`self.values.iter()`
			`}`

			`/// Iterate over the values mutably, which are either in coefficient or`
			/// evaluation form depending on the basis `B`.
			`pub fn iter_mut(&mut self) -> impl Iterator<Item = &mut F> {`
			`self.values.iter_mut()`
			`}`

Address clippy lints 2020-09-20 12:09:03 -07:00			`/// Gets the size of this polynomial in terms of the number of`
Refactor module tree. 2020-09-07 09:22:25 -07:00			`/// coefficients used to describe it.`
Address clippy lints 2020-09-20 12:09:03 -07:00			`pub fn num_coeffs(&self) -> usize {`
Refactor module tree. 2020-09-07 09:22:25 -07:00			`self.values.len()`
			`}`
			`}`

Batch invert cell assignments during keygen and proving 2021-06-11 09:34:25 -07:00			`pub(crate) fn batch_invert_assigned<F: FieldExt>(`
Make permutation argument perfectly complete and zero-knowledge. 2021-07-02 15:20:36 -07:00			`assigned: Vec<Polynomial<Assigned<F>, LagrangeCoeff>>,`
Batch invert cell assignments during keygen and proving 2021-06-11 09:34:25 -07:00			`) -> Vec<Polynomial<F, LagrangeCoeff>> {`
			`let mut assigned_denominators: Vec<_> = assigned`
			`.iter()`
			`.map(\|f\| {`
			`f.iter()`
			`.map(\|value\| value.denominator())`
			`.collect::<Vec<_>>()`
			`})`
			`.collect();`

			`assigned_denominators`
			`.iter_mut()`
			`.flat_map(\|f\| {`
			`f.iter_mut()`
Make Assigned an enum, to remove field comparisions from batch eval 2021-06-18 14:04:31 -07:00			`// If the denominator is trivial, we can skip it, reducing the`
Batch invert cell assignments during keygen and proving 2021-06-11 09:34:25 -07:00			`// size of the batch inversion.`
Make Assigned an enum, to remove field comparisions from batch eval 2021-06-18 14:04:31 -07:00			`.filter_map(\|d\| d.as_mut())`
Batch invert cell assignments during keygen and proving 2021-06-11 09:34:25 -07:00			`})`
			`.batch_invert();`

			`assigned`
			`.iter()`
			`.zip(assigned_denominators.into_iter())`
Make Assigned an enum, to remove field comparisions from batch eval 2021-06-18 14:04:31 -07:00			`.map(\|(poly, inv_denoms)\| {`
			`poly.invert(inv_denoms.into_iter().map(\|d\| d.unwrap_or_else(F::one)))`
			`})`
Batch invert cell assignments during keygen and proving 2021-06-11 09:34:25 -07:00			`.collect()`
			`}`

			`impl<F: Field> Polynomial<Assigned<F>, LagrangeCoeff> {`
Make Assigned an enum, to remove field comparisions from batch eval 2021-06-18 14:04:31 -07:00			`pub(crate) fn invert(`
			`&self,`
			`inv_denoms: impl Iterator<Item = F> + ExactSizeIterator,`
			`) -> Polynomial<F, LagrangeCoeff> {`
Batch invert cell assignments during keygen and proving 2021-06-11 09:34:25 -07:00			`assert_eq!(inv_denoms.len(), self.values.len());`
			`Polynomial {`
			`values: self`
			`.values`
			`.iter()`
			`.zip(inv_denoms.into_iter())`
			`.map(\|(a, inv_den)\| a.numerator() * inv_den)`
			`.collect(),`
			`_marker: self._marker,`
			`}`
			`}`
			`}`

Refactor module tree. 2020-09-07 09:22:25 -07:00			`impl<'a, F: Field, B: Basis> Add<&'a Polynomial<F, B>> for Polynomial<F, B> {`
			`type Output = Polynomial<F, B>;`

			`fn add(mut self, rhs: &'a Polynomial<F, B>) -> Polynomial<F, B> {`
			`parallelize(&mut self.values, \|lhs, start\| {`
			`for (lhs, rhs) in lhs.iter_mut().zip(rhs.values[start..].iter()) {`
			`lhs += rhs;`
			`}`
			`});`

			`self`
			`}`
			`}`

halo2_proofs: Fix clippy lints 2022-06-23 10:31:13 -07:00			`impl<F: Field> Polynomial<F, LagrangeCoeff> {`
Account for Rotations of LagrangeCoeff values 2021-02-14 07:17:54 -08:00			/// Rotates the values in a Lagrange basis polynomial by `Rotation`
			`pub fn rotate(&self, rotation: Rotation) -> Polynomial<F, LagrangeCoeff> {`
			`let mut values = self.values.clone();`
			`if rotation.0 < 0 {`
			`values.rotate_right((-rotation.0) as usize);`
			`} else {`
			`values.rotate_left(rotation.0 as usize);`
			`}`
			`Polynomial {`
			`values,`
			`_marker: PhantomData,`
			`}`
			`}`
			`}`

halo2_proofs: Fix clippy lints 2022-06-23 10:31:13 -07:00			`impl<F: Field, B: Basis> Mul<F> for Polynomial<F, B> {`
Refactor module tree. 2020-09-07 09:22:25 -07:00			`type Output = Polynomial<F, B>;`

			`fn mul(mut self, rhs: F) -> Polynomial<F, B> {`
			`parallelize(&mut self.values, \|lhs, _\| {`
			`for lhs in lhs.iter_mut() {`
			`lhs = rhs;`
			`}`
			`});`

			`self`
			`}`
			`}`
Require Rotation instead of i32 for relative rows in circuits. Co-authored-by: str4d <thestr4d@gmail.com> 2020-12-23 08:45:16 -08:00
			`/// Describes the relative rotation of a vector. Negative numbers represent`
			`/// reverse (leftmost) rotations and positive numbers represent forward (rightmost)`
			`/// rotations. Zero represents no rotation.`
			`#[derive(Copy, Clone, Debug, PartialEq)]`
			`pub struct Rotation(pub i32);`

			`impl Rotation {`
			`/// The current location in the evaluation domain`
			`pub fn cur() -> Rotation {`
			`Rotation(0)`
			`}`

			`/// The previous location in the evaluation domain`
			`pub fn prev() -> Rotation {`
			`Rotation(-1)`
			`}`

			`/// The next location in the evaluation domain`
			`pub fn next() -> Rotation {`
			`Rotation(1)`
			`}`
			`}`