//! This module provides an implementation of a variant of (Turbo)[PLONK][plonk]
//! that is designed specifically for the polynomial commitment scheme described
//! in the [Halo][halo] paper.
//!
//! [halo]: https://eprint.iacr.org/2019/1021
//! [plonk]: https://eprint.iacr.org/2019/953
use crate::arithmetic::CurveAffine;
use crate::poly::{
commitment::OpeningProof, Coeff, EvaluationDomain, ExtendedLagrangeCoeff, LagrangeCoeff,
Polynomial,
};
use crate::transcript::Hasher;
// Submodules: the circuit / constraint-system description, the prover, the
// structured reference string (SRS) and the verifier.
mod circuit;
mod prover;
mod srs;
mod verifier;

// Everything public in the submodules is re-exported at this level, so callers
// import from here rather than from the individual submodules.
pub use circuit::*;
pub use prover::*;
pub use srs::*;
pub use verifier::*;
/// This is a structured reference string (SRS) that is (deterministically)
/// computed from a specific circuit and parameters for the polynomial
/// commitment scheme.
///
/// Since it is a deterministic function of the circuit and the parameters
/// (see `SRS::generate`), a verifier can derive it itself instead of accepting
/// one handed over together with a proof.
#[derive(Debug)]
pub struct SRS<C: CurveAffine> {
    /// Evaluation domain over which the circuit's polynomials are defined.
    domain: EvaluationDomain<C::Scalar>,
    /// `l0` over the extended domain; presumably the first Lagrange basis
    /// polynomial — confirm against `srs.rs`.
    l0: Polynomial<C::Scalar, ExtendedLagrangeCoeff>,
    /// Commitments to the fixed-wire polynomials.
    fixed_commitments: Vec<C>,
    /// The fixed-wire polynomials in coefficient form ...
    fixed_polys: Vec<Polynomial<C::Scalar, Coeff>>,
    /// ... and the same polynomials evaluated over the extended domain.
    fixed_cosets: Vec<Polynomial<C::Scalar, ExtendedLagrangeCoeff>>,
    /// Outer index: permutation argument; inner: its permutation polynomials.
    permutation_commitments: Vec<Vec<C>>,
    /// Per permutation argument, the permutation polynomials in Lagrange form,
    permutations: Vec<Vec<Polynomial<C::Scalar, LagrangeCoeff>>>,
    /// in coefficient form,
    permutation_polys: Vec<Vec<Polynomial<C::Scalar, Coeff>>>,
    /// and evaluated over the extended domain.
    permutation_cosets: Vec<Vec<Polynomial<C::Scalar, ExtendedLagrangeCoeff>>>,
    /// The constraint system (wires, gates, permutations) this SRS was built
    /// for; e.g. `test_proving` reads `num_aux_wires` from it.
    cs: ConstraintSystem<C::Scalar>,
}
/// This is an object which represents a (Turbo)PLONK proof.
// This structure must never allow points at infinity.
// `hash_point` below is where this is checked when a point is absorbed into
// the transcript: a point whose `get_xy()` yields no coordinates is rejected
// with `Error::SynthesisError`.
#[derive(Debug, Clone)]
pub struct Proof<C: CurveAffine> {
    // Curve points: commitments produced by the prover.  Each must be a
    // non-identity point (see the note above).
    advice_commitments: Vec<C>,
    h_commitments: Vec<C>,
    /// Presumably one per permutation argument — compare the nested
    /// `SRS::permutation_commitments`.
    permutation_product_commitments: Vec<C>,
    // Field elements: evaluations claimed by the prover.  Nothing in this
    // struct ties them to the commitments above except `opening`, so a
    // verifier must treat them as untrusted until that proof has been checked.
    permutation_product_evals: Vec<C::Scalar>,
    /// `inv` presumably marks evaluation at a shifted point — confirm against
    /// `prover.rs` / `verifier.rs`.
    permutation_product_inv_evals: Vec<C::Scalar>,
    /// Nested per permutation argument, like `SRS::permutations`.
    permutation_evals: Vec<Vec<C::Scalar>>,
    advice_evals: Vec<C::Scalar>,
    aux_evals: Vec<C::Scalar>,
    fixed_evals: Vec<C::Scalar>,
    h_evals: Vec<C::Scalar>,
    // `f_commitment` / `q_evals` presumably belong to the multipoint opening
    // construction — confirm against `prover.rs`.
    f_commitment: C,
    q_evals: Vec<C::Scalar>,
    /// The polynomial commitment opening proof (`poly::commitment`).
    opening: OpeningProof<C>,
}
/// This is an error that could occur during proving or circuit synthesis.
// TODO: these errors need to be cleaned up
#[derive(Debug)]
pub enum Error {
    /// This is an error that can occur during synthesis of the circuit, for
    /// example, when the witness is not present.
    ///
    /// Also returned by `hash_point` in this module when a curve point has no
    /// affine coordinates to absorb into the transcript.
    SynthesisError,
    /// The structured reference string or the parameters are not compatible
    /// with the circuit being synthesized.
    IncompatibleParams,
    /// The constraint system is not satisfied.
    ConstraintSystemFailure,
    /// Out of bounds index passed to a backend
    BoundsFailure,
    /// Opening error
    // NOTE(review): presumably a failure of the polynomial commitment opening
    // proof — confirm against `verifier.rs`.
    OpeningError,
}
/// Absorbs the affine coordinates of `point` into `transcript`.
///
/// Fails with `Error::SynthesisError` when `point.get_xy()` yields no
/// coordinates (presumably the point at infinity, which a `Proof` must never
/// contain), so such a point is rejected before it can influence the
/// transcript.
fn hash_point<C: CurveAffine, H: Hasher<C::Base>>(
    transcript: &mut H,
    point: &C,
) -> Result<(), Error> {
    let coords = point.get_xy();
    // `is_none()` is not a plain `bool` here, hence the explicit conversion.
    if bool::from(coords.is_none()) {
        Err(Error::SynthesisError)
    } else {
        let xy = coords.unwrap();
        transcript.absorb(xy.0);
        transcript.absorb(xy.1);
        Ok(())
    }
}
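/// End-to-end check of the (Turbo)PLONK flow: describe a small circuit, derive
/// the SRS from a witness-less instance, then prove and verify repeatedly.
///
/// Only the honest path is exercised: every proof comes from the real prover
/// and every verification is expected to succeed.  There is no negative case
/// (tampered proof, wrong SRS, mismatched aux commitments) asserting that the
/// verifier rejects — worth adding alongside this test.
#[test]
fn test_proving() {
    use crate::arithmetic::{Curve, EqAffine, Field, Fp, Fq};
    use crate::poly::commitment::{Blind, Params};
    // `DummyHash` is, as its name suggests, presumably a test stand-in for the
    // transcript hasher rather than a production hash.
    use crate::transcript::DummyHash;
    use std::marker::PhantomData;
    // Size parameter handed to `Params::new`.
    const K: u32 = 5;

    /// This represents an advice wire at a certain row in the ConstraintSystem
    #[derive(Copy, Clone, Debug)]
    pub struct Variable(AdviceWire, usize);

    /// This represents an auxiliary wire at a certain row in the ConstraintSystem
    #[derive(Copy, Clone, Debug)]
    pub struct AuxVariable(AuxWire, usize);

    /// This represents a wire at a certain row in the ConstraintSystem
    #[derive(Copy, Clone, Debug)]
    pub struct PermVariable(Wire, usize);

    // Initialize the polynomial commitment parameters
    let params: Params<EqAffine> = Params::new::<DummyHash<Fq>>(K);

    /// Wires and permutation handles allocated by `MyCircuit::configure`.
    struct PLONKConfig {
        // Advice (witness) wires.
        a: AdviceWire,
        b: AdviceWire,
        c: AdviceWire,
        d: AdviceWire,
        e: AdviceWire,

        // Auxiliary wire; its values are committed separately from the proof
        // (see `aux_commitments` below).
        x: AuxWire,

        // Fixed selector wires.
        sa: FixedWire,
        sb: FixedWire,
        sc: FixedWire,
        sm: FixedWire,
        sx: FixedWire,

        // Indices of the two (identically wired) permutation arguments.
        perm: usize,
        perm2: usize,
    }

    /// The gadget-level interface the circuit is written against.
    trait StandardCS<FF: Field> {
        fn raw_multiply<F>(&mut self, f: F) -> Result<(Variable, Variable, Variable), Error>
        where
            F: FnOnce() -> Result<(FF, FF, FF), Error>;
        fn raw_add<F>(&mut self, f: F) -> Result<(Variable, Variable, Variable), Error>
        where
            F: FnOnce() -> Result<(FF, FF, FF), Error>;
        fn copy(&mut self, a: PermVariable, b: PermVariable) -> Result<(), Error>;
        fn raw_aux<F>(&mut self, f: F) -> Result<(Variable, AuxVariable), Error>
        where
            F: FnOnce() -> Result<(FF, FF), Error>;
    }

    /// Witness: `None` when synthesizing without a witness (SRS generation).
    struct MyCircuit<F: Field> {
        a: Option<F>,
        x: Option<F>,
    }

    /// Adapter that lays gates out row by row on an `Assignment` backend.
    struct StandardPLONK<'a, F: Field, CS: Assignment<F> + 'a> {
        cs: &'a mut CS,
        config: PLONKConfig,
        /// Next free row.
        current_gate: usize,
        _marker: PhantomData<F>,
    }

    impl<'a, FF: Field, CS: Assignment<FF>> StandardPLONK<'a, FF, CS> {
        fn new(cs: &'a mut CS, config: PLONKConfig) -> Self {
            StandardPLONK {
                cs,
                config,
                current_gate: 0,
                _marker: PhantomData,
            }
        }
    }

    impl<'a, FF: Field, CS: Assignment<FF>> StandardCS<FF> for StandardPLONK<'a, FF, CS> {
        /// Allocates one row with advice a, b, c from `f()`, d = a⁴ and e = b⁴,
        /// and selectors (sa, sb, sc, sm) = (0, 0, 1, 1) so the gate enforces
        /// a · b = c.  `f` is evaluated inside the first `assign_advice`
        /// closure; the later closures read the cached `value` and therefore
        /// presumably rely on the backend calling that closure first (or none
        /// of them, when it does not need witness values).
        fn raw_multiply<F>(&mut self, f: F) -> Result<(Variable, Variable, Variable), Error>
        where
            F: FnOnce() -> Result<(FF, FF, FF), Error>,
        {
            let index = self.current_gate;
            self.current_gate += 1;
            let mut value = None;
            self.cs.assign_advice(self.config.a, index, || {
                value = Some(f()?);
                Ok(value.ok_or(Error::SynthesisError)?.0)
            })?;
            self.cs.assign_advice(self.config.d, index, || {
                Ok(value.ok_or(Error::SynthesisError)?.0.square().square())
            })?;
            self.cs.assign_advice(self.config.b, index, || {
                Ok(value.ok_or(Error::SynthesisError)?.1)
            })?;
            self.cs.assign_advice(self.config.e, index, || {
                Ok(value.ok_or(Error::SynthesisError)?.1.square().square())
            })?;
            self.cs.assign_advice(self.config.c, index, || {
                Ok(value.ok_or(Error::SynthesisError)?.2)
            })?;

            self.cs
                .assign_fixed(self.config.sa, index, || Ok(FF::zero()))?;
            self.cs
                .assign_fixed(self.config.sb, index, || Ok(FF::zero()))?;
            self.cs
                .assign_fixed(self.config.sc, index, || Ok(FF::one()))?;
            self.cs
                .assign_fixed(self.config.sm, index, || Ok(FF::one()))?;
            Ok((
                Variable(self.config.a, index),
                Variable(self.config.b, index),
                Variable(self.config.c, index),
            ))
        }

        /// Same layout as `raw_multiply`, but selectors (sa, sb, sc, sm) =
        /// (1, 1, 1, 0) so the gate enforces a + b = c.
        fn raw_add<F>(&mut self, f: F) -> Result<(Variable, Variable, Variable), Error>
        where
            F: FnOnce() -> Result<(FF, FF, FF), Error>,
        {
            let index = self.current_gate;
            self.current_gate += 1;
            let mut value = None;
            self.cs.assign_advice(self.config.a, index, || {
                value = Some(f()?);
                Ok(value.ok_or(Error::SynthesisError)?.0)
            })?;
            self.cs.assign_advice(self.config.d, index, || {
                Ok(value.ok_or(Error::SynthesisError)?.0.square().square())
            })?;
            self.cs.assign_advice(self.config.b, index, || {
                Ok(value.ok_or(Error::SynthesisError)?.1)
            })?;
            self.cs.assign_advice(self.config.e, index, || {
                Ok(value.ok_or(Error::SynthesisError)?.1.square().square())
            })?;
            self.cs.assign_advice(self.config.c, index, || {
                Ok(value.ok_or(Error::SynthesisError)?.2)
            })?;

            self.cs
                .assign_fixed(self.config.sa, index, || Ok(FF::one()))?;
            self.cs
                .assign_fixed(self.config.sb, index, || Ok(FF::one()))?;
            self.cs
                .assign_fixed(self.config.sc, index, || Ok(FF::one()))?;
            self.cs
                .assign_fixed(self.config.sm, index, || Ok(FF::zero()))?;
            Ok((
                Variable(self.config.a, index),
                Variable(self.config.b, index),
                Variable(self.config.c, index),
            ))
        }

        /// Records an equality constraint between two cells in both
        /// permutation arguments.  A wire is mapped to its position in the
        /// wire list passed to `meta.permutation` in `configure`
        /// ([a, b, c, x] → 0..=3); any other wire is a bug in this test.
        fn copy(&mut self, left: PermVariable, right: PermVariable) -> Result<(), Error> {
            let left_wire = match left.0 {
                Wire::Advice(wire) => match wire {
                    x if x == self.config.a => 0,
                    x if x == self.config.b => 1,
                    x if x == self.config.c => 2,
                    _ => unreachable!(),
                },
                Wire::Aux(wire) => match wire {
                    x if x == self.config.x => 3,
                    _ => unreachable!(),
                },
                _ => unreachable!(),
            };
            let right_wire = match right.0 {
                Wire::Advice(wire) => match wire {
                    x if x == self.config.a => 0,
                    x if x == self.config.b => 1,
                    x if x == self.config.c => 2,
                    _ => unreachable!(),
                },
                Wire::Aux(wire) => match wire {
                    x if x == self.config.x => 3,
                    _ => unreachable!(),
                },
                _ => unreachable!(),
            };

            self.cs
                .copy(self.config.perm, left_wire, left.1, right_wire, right.1)?;
            self.cs
                .copy(self.config.perm2, left_wire, left.1, right_wire, right.1)
        }

        /// Allocates a row whose `a` cell holds `f().0`; `f().1` is requested
        /// but unused.  The aux cell itself is not assigned here (aux values
        /// presumably come from the `aux_lagrange_polys` handed to
        /// `Proof::create`), and `sx` is set to zero, so this row places no
        /// constraint between `a` and the aux value.
        fn raw_aux<F>(&mut self, f: F) -> Result<(Variable, AuxVariable), Error>
        where
            F: FnOnce() -> Result<(FF, FF), Error>,
        {
            let index = self.current_gate;
            self.current_gate += 1;
            let mut value = None;
            self.cs.assign_advice(self.config.a, index, || {
                value = Some(f()?);
                Ok(value.ok_or(Error::SynthesisError)?.0)
            })?;
            self.cs
                .assign_fixed(self.config.sx, index, || Ok(FF::zero()))?;
            Ok((
                Variable(self.config.a, index),
                AuxVariable(self.config.x, index),
            ))
        }
    }

    impl<F: Field> Circuit<F> for MyCircuit<F> {
        type Config = PLONKConfig;

        fn configure(meta: &mut ConstraintSystem<F>) -> PLONKConfig {
            let e = meta.advice_wire();
            let a = meta.advice_wire();
            let b = meta.advice_wire();
            // `sf` is queried by the gate but never stored in the config and
            // never assigned anywhere in this test.
            let sf = meta.fixed_wire();
            let c = meta.advice_wire();
            let d = meta.advice_wire();

            let x = meta.aux_wire();

            // Two permutation arguments over the same four wires; `copy`
            // registers every equality in both.
            let perm = meta.permutation(&[
                Wire::Advice(a),
                Wire::Advice(b),
                Wire::Advice(c),
                Wire::Aux(x),
            ]);
            let perm2 = meta.permutation(&[
                Wire::Advice(a),
                Wire::Advice(b),
                Wire::Advice(c),
                Wire::Aux(x),
            ]);

            let sm = meta.fixed_wire();
            let sa = meta.fixed_wire();
            let sb = meta.fixed_wire();
            let sc = meta.fixed_wire();
            let sx = meta.fixed_wire();

            // The single custom gate.  Per row it reads
            //   a·sa + b·sb + a·b·sm − c·sc + sf·(d[+1]·e[−1]) − x·sx = 0.
            // `raw_multiply` sets (sa, sb, sc, sm) = (0, 0, 1, 1) → a·b = c,
            // `raw_add`      sets (sa, sb, sc, sm) = (1, 1, 1, 0) → a + b = c.
            // `sf` is never assigned, so — assuming unassigned fixed cells are
            // zero — the cross-row d·e term is inert; `raw_aux` assigns sx = 0,
            // so the aux term is inert as well.
            meta.create_gate(|meta| {
                let d = meta.query_advice(d, 1);
                let a = meta.query_advice(a, 0);
                let sf = meta.query_fixed(sf, 0);
                let e = meta.query_advice(e, -1);
                let b = meta.query_advice(b, 0);
                let c = meta.query_advice(c, 0);

                let x = meta.query_aux(x, 0);

                let sa = meta.query_fixed(sa, 0);
                let sb = meta.query_fixed(sb, 0);
                let sc = meta.query_fixed(sc, 0);
                let sm = meta.query_fixed(sm, 0);
                let sx = meta.query_fixed(sx, 0);

                a.clone() * sa
                    + b.clone() * sb
                    + a * b * sm
                    + (c * sc * (-F::one()))
                    + sf * (d * e)
                    + (x * sx * (-F::one()))
            });

            PLONKConfig {
                a,
                b,
                c,
                d,
                e,
                x,
                sa,
                sb,
                sc,
                sm,
                sx,
                perm,
                perm2,
            }
        }

        fn synthesize(
            &self,
            cs: &mut impl Assignment<F>,
            config: PLONKConfig,
        ) -> Result<(), Error> {
            let mut cs = StandardPLONK::new(cs, config);

            for _ in 0..10 {
                // Row 0: a · a = a².  Row 1: a + a² = (a + a²).  The two copies
                // then tie row 1's `a` to row 0's `a` and row 1's `b` to row
                // 0's `c` (= a²), so the permutation argument is exercised on
                // real wiring rather than trivially.
                let mut a_squared = None;
                let (a0, _, c0) = cs.raw_multiply(|| {
                    a_squared = self.a.map(|a| a.square());
                    Ok((
                        self.a.ok_or(Error::SynthesisError)?,
                        self.a.ok_or(Error::SynthesisError)?,
                        a_squared.ok_or(Error::SynthesisError)?,
                    ))
                })?;
                let (a1, b1, _) = cs.raw_add(|| {
                    let fin = a_squared.and_then(|a2| self.a.map(|a| a + a2));
                    Ok((
                        self.a.ok_or(Error::SynthesisError)?,
                        a_squared.ok_or(Error::SynthesisError)?,
                        fin.ok_or(Error::SynthesisError)?,
                    ))
                })?;
                cs.copy(
                    PermVariable(Wire::Advice(a0.0), a0.1),
                    PermVariable(Wire::Advice(a1.0), a1.1),
                )?;
                cs.copy(
                    PermVariable(Wire::Advice(b1.0), b1.1),
                    PermVariable(Wire::Advice(c0.0), c0.1),
                )?;
            }
            let (_, x) = cs.raw_aux(|| {
                Ok((
                    self.x.ok_or(Error::SynthesisError)?,
                    self.x.ok_or(Error::SynthesisError)?,
                ))
            })?;
            // A self-copy: it only exercises the aux-wire path of the
            // permutation argument and constrains nothing.
            cs.copy(
                PermVariable(Wire::Aux(x.0), x.1),
                PermVariable(Wire::Aux(x.0), x.1),
            )?;

            Ok(())
        }
    }

    let circuit: MyCircuit<Fp> = MyCircuit {
        a: Some(Fp::random()),
        // TODO: use meaningful value from recursion
        x: Some(Fp::random()),
    };

    let empty_circuit: MyCircuit<Fp> = MyCircuit { a: None, x: None };

    // Initialize the SRS
    let srs = SRS::generate(&params, &empty_circuit).expect("SRS generation should not fail");

    // TODO: use meaningful value from recursion
    let aux_lagrange_polys = vec![srs.domain.empty_lagrange(); srs.cs.num_aux_wires];

    // TODO: use meaningful value from recursion
    // The verifier receives these commitments, not the polynomials; they are
    // computed here with a default blinding factor.
    let mut aux_commitments: Vec<EqAffine> = vec![];
    for poly in &aux_lagrange_polys {
        let commitment = params.commit_lagrange(poly, Blind::default());
        aux_commitments.push(commitment.to_affine());
    }

    for _ in 0..100 {
        // Create a proof
        let proof = Proof::create::<DummyHash<Fq>, DummyHash<Fp>, _>(
            &params,
            &srs,
            &circuit,
            aux_lagrange_polys.clone(),
        )
        .expect("proof generation should not fail");

        // Verification is deferred: `verify` returns a guard holding an MSM
        // that must evaluate to zero.  It is finished two independent ways
        // (`use_challenges`, and `compute_g` + `use_g`); both must be zero.
        let msm = params.empty_msm();
        let guard = proof
            .verify::<DummyHash<Fq>, DummyHash<Fp>>(&params, &srs, msm, aux_commitments.clone())
            .unwrap();
        {
            let msm = guard.clone().use_challenges();
            assert!(msm.is_zero());
        }
        {
            let g = guard.compute_g();
            let (msm, _) = guard.clone().use_g(g);
            assert!(msm.is_zero());
        }
        // The MSM left over from the first verification is fed in as the
        // starting MSM of a second one, so the second accumulates onto it.
        let msm = guard.clone().use_challenges();
        assert!(msm.clone().is_zero());
        let guard = proof
            .verify::<DummyHash<Fq>, DummyHash<Fp>>(&params, &srs, msm, aux_commitments.clone())
            .unwrap();
        {
            let msm = guard.clone().use_challenges();
            assert!(msm.is_zero());
        }
        {
            let g = guard.compute_g();
            let (msm, _) = guard.clone().use_g(g);
            assert!(msm.is_zero());
        }
    }
}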