halo2/src/plonk/vanishing/prover.rs

use std::iter;

use ff::Field;
use group::Curve;

use super::Argument;
use crate::{
    arithmetic::{eval_polynomial, CurveAffine, FieldExt},
    plonk::{ChallengeX, ChallengeY, Error},
    poly::{
        commitment::{Blind, Params},
        multiopen::ProverQuery,
        Coeff, EvaluationDomain, ExtendedLagrangeCoeff, Polynomial,
    },
    transcript::{EncodedChallenge, TranscriptWrite},
};

pub(in crate::plonk) struct Committed<C: CurveAffine> {
    random_poly: Polynomial<C::Scalar, Coeff>,
    random_blind: Blind<C::Scalar>,
}

pub(in crate::plonk) struct Constructed<C: CurveAffine> {
    h_pieces: Vec<Polynomial<C::Scalar, Coeff>>,
    h_blinds: Vec<Blind<C::Scalar>>,
    committed: Committed<C>,
}

pub(in crate::plonk) struct Evaluated<C: CurveAffine> {
    h_poly: Polynomial<C::Scalar, Coeff>,
    h_blind: Blind<C::Scalar>,
    committed: Committed<C>,
}

impl<C: CurveAffine> Argument<C> {
    pub(in crate::plonk) fn commit<E: EncodedChallenge<C>, T: TranscriptWrite<C, E>>(
        params: &Params<C>,
        domain: &EvaluationDomain<C::Scalar>,
        transcript: &mut T,
    ) -> Result<Committed<C>, Error> {
        // Sample a random polynomial of degree n - 1
        let mut random_poly = domain.empty_coeff();
        for coeff in random_poly.iter_mut() {
            *coeff = C::Scalar::rand();
        }
        // Sample a random blinding factor
        let random_blind = Blind(C::Scalar::rand());

        // Commit
        let c = params.commit(&random_poly, random_blind).to_affine();
        transcript
            .write_point(c)
            .map_err(|_| Error::TranscriptError)?;

        Ok(Committed {
            random_poly,
            random_blind,
        })
    }
}

impl<C: CurveAffine> Committed<C> {
    pub(in crate::plonk) fn construct<E: EncodedChallenge<C>, T: TranscriptWrite<C, E>>(
        self,
        params: &Params<C>,
        domain: &EvaluationDomain<C::Scalar>,
        expressions: impl Iterator<Item = Polynomial<C::Scalar, ExtendedLagrangeCoeff>>,
        y: ChallengeY<C>,
        transcript: &mut T,
    ) -> Result<Constructed<C>, Error> {
        // Evaluate the h(X) polynomial's constraint system expressions for the constraints provided
        let h_poly = expressions.fold(domain.empty_extended(), |h_poly, v| h_poly * *y + &v);

        // Divide by t(X) = X^{params.n} - 1.
        let h_poly = domain.divide_by_vanishing_poly(h_poly);

        // Obtain final h(X) polynomial
        let h_poly = domain.extended_to_coeff(h_poly);

        // Split h(X) up into pieces
        let h_pieces = h_poly
            .chunks_exact(params.n as usize)
            .map(|v| domain.coeff_from_vec(v.to_vec()))
            .collect::<Vec<_>>();
        drop(h_poly);
        let h_blinds: Vec<_> = h_pieces.iter().map(|_| Blind(C::Scalar::rand())).collect();

        // Compute commitments to each h(X) piece
        let h_commitments_projective: Vec<_> = h_pieces
            .iter()
            .zip(h_blinds.iter())
            .map(|(h_piece, blind)| params.commit(h_piece, *blind))
            .collect();
        let mut h_commitments = vec![C::identity(); h_commitments_projective.len()];
        C::Curve::batch_normalize(&h_commitments_projective, &mut h_commitments);
        let h_commitments = h_commitments;

        // Hash each h(X) piece
        for c in h_commitments.iter() {
            transcript
                .write_point(*c)
                .map_err(|_| Error::TranscriptError)?;
        }

        Ok(Constructed {
            h_pieces,
            h_blinds,
            committed: self,
        })
    }
}

impl<C: CurveAffine> Constructed<C> {
    pub(in crate::plonk) fn evaluate<E: EncodedChallenge<C>, T: TranscriptWrite<C, E>>(
        self,
        x: ChallengeX<C>,
        xn: C::Scalar,
        domain: &EvaluationDomain<C::Scalar>,
        transcript: &mut T,
    ) -> Result<Evaluated<C>, Error> {
        let h_poly = self
            .h_pieces
            .iter()
            .rev()
            .fold(domain.empty_coeff(), |acc, eval| acc * xn + eval);

        let h_blind = self
            .h_blinds
            .iter()
            .rev()
            .fold(Blind(C::Scalar::zero()), |acc, eval| {
                acc * Blind(xn) + *eval
            });

        let random_eval = eval_polynomial(&self.committed.random_poly, *x);
        transcript
            .write_scalar(random_eval)
            .map_err(|_| Error::TranscriptError)?;

        Ok(Evaluated {
            h_poly,
            h_blind,
            committed: self.committed,
        })
    }
}

impl<C: CurveAffine> Evaluated<C> {
    pub(in crate::plonk) fn open(
        &self,
        x: ChallengeX<C>,
    ) -> impl Iterator<Item = ProverQuery<'_, C>> + Clone {
        iter::empty()
            .chain(Some(ProverQuery {
                point: *x,
                poly: &self.h_poly,
                blind: self.h_blind,
            }))
            .chain(Some(ProverQuery {
                point: *x,
                poly: &self.committed.random_poly,
                blind: self.committed.random_blind,
            }))
    }
}
Always commit to a random polynomial that is evaluated at x in order to blind the multiopen evaluation of h(X). 2021-03-03 09:52:24 -08:00			`use std::iter;`

Linearize the h(X) check. 2021-02-26 16:12:38 -08:00			`use ff::Field;`
Migrate to group traits The `Curve` trait is now `CurveExt: group::prime::PrimeCurve`, and `CurveAffine` is now `CurveAffine: group::prime::PrimeCurveAffine`. There is no `CurveAffine` trait in `group`, and it's a widely-used trait in this crate, so we don't rename it to `CurveAffineExt`. 2021-02-22 11:02:53 -08:00			`use group::Curve;`

Update the PLONK implementation to adapt to the new transcript API. 2020-12-23 12:03:31 -08:00			`use super::Argument;`
Extract plonk::vanishing::{Argument, Proof} from prover and verifier Co-authored-by: Jack Grigg <jack@electriccoin.co> 2020-12-02 07:16:37 -08:00			`use crate::{`
Always commit to a random polynomial that is evaluated at x in order to blind the multiopen evaluation of h(X). 2021-03-03 09:52:24 -08:00			`arithmetic::{eval_polynomial, CurveAffine, FieldExt},`
Linearize the h(X) check. 2021-02-26 16:12:38 -08:00			`plonk::{ChallengeX, ChallengeY, Error},`
Extract plonk::vanishing::{Argument, Proof} from prover and verifier Co-authored-by: Jack Grigg <jack@electriccoin.co> 2020-12-02 07:16:37 -08:00			`poly::{`
			`commitment::{Blind, Params},`
			`multiopen::ProverQuery,`
			`Coeff, EvaluationDomain, ExtendedLagrangeCoeff, Polynomial,`
			`},`
Replace ChallengeSpace with EncodedChallenge API Co-authored-by: Sean Bowe <ewillbefull@gmail.com> 2021-04-30 18:28:50 -07:00			`transcript::{EncodedChallenge, TranscriptWrite},`
Extract plonk::vanishing::{Argument, Proof} from prover and verifier Co-authored-by: Jack Grigg <jack@electriccoin.co> 2020-12-02 07:16:37 -08:00			`};`

Always commit to a random polynomial that is evaluated at x in order to blind the multiopen evaluation of h(X). 2021-03-03 09:52:24 -08:00			`pub(in crate::plonk) struct Committed<C: CurveAffine> {`
			`random_poly: Polynomial<C::Scalar, Coeff>,`
			`random_blind: Blind<C::Scalar>,`
			`}`

Extract plonk::vanishing::{Argument, Proof} from prover and verifier Co-authored-by: Jack Grigg <jack@electriccoin.co> 2020-12-02 07:16:37 -08:00			`pub(in crate::plonk) struct Constructed<C: CurveAffine> {`
			`h_pieces: Vec<Polynomial<C::Scalar, Coeff>>,`
			`h_blinds: Vec<Blind<C::Scalar>>,`
Collapse random_{poly,blind} fields back into Committed in other structures. 2021-07-13 15:19:44 -07:00			`committed: Committed<C>,`
Extract plonk::vanishing::{Argument, Proof} from prover and verifier Co-authored-by: Jack Grigg <jack@electriccoin.co> 2020-12-02 07:16:37 -08:00			`}`

			`pub(in crate::plonk) struct Evaluated<C: CurveAffine> {`
Linearize the h(X) check. 2021-02-26 16:12:38 -08:00			`h_poly: Polynomial<C::Scalar, Coeff>,`
			`h_blind: Blind<C::Scalar>,`
Collapse random_{poly,blind} fields back into Committed in other structures. 2021-07-13 15:19:44 -07:00			`committed: Committed<C>,`
Extract plonk::vanishing::{Argument, Proof} from prover and verifier Co-authored-by: Jack Grigg <jack@electriccoin.co> 2020-12-02 07:16:37 -08:00			`}`

			`impl<C: CurveAffine> Argument<C> {`
Always commit to a random polynomial that is evaluated at x in order to blind the multiopen evaluation of h(X). 2021-03-03 09:52:24 -08:00			`pub(in crate::plonk) fn commit<E: EncodedChallenge<C>, T: TranscriptWrite<C, E>>(`
			`params: &Params<C>,`
			`domain: &EvaluationDomain<C::Scalar>,`
			`transcript: &mut T,`
			`) -> Result<Committed<C>, Error> {`
			`// Sample a random polynomial of degree n - 1`
			`let mut random_poly = domain.empty_coeff();`
			`for coeff in random_poly.iter_mut() {`
			`*coeff = C::Scalar::rand();`
			`}`
			`// Sample a random blinding factor`
			`let random_blind = Blind(C::Scalar::rand());`

			`// Commit`
			`let c = params.commit(&random_poly, random_blind).to_affine();`
			`transcript`
			`.write_point(c)`
			`.map_err(\|_\| Error::TranscriptError)?;`

			`Ok(Committed {`
			`random_poly,`
			`random_blind,`
			`})`
			`}`
			`}`

			`impl<C: CurveAffine> Committed<C> {`
Input as associated type on EncodedChallenge Use Input as an associated type instead of a type parameter, to reduce infection Co-authored-by: Sean Bowe <ewillbefull@gmail.com> 2021-05-07 07:21:54 -07:00			`pub(in crate::plonk) fn construct<E: EncodedChallenge<C>, T: TranscriptWrite<C, E>>(`
Always commit to a random polynomial that is evaluated at x in order to blind the multiopen evaluation of h(X). 2021-03-03 09:52:24 -08:00			`self,`
Extract plonk::vanishing::{Argument, Proof} from prover and verifier Co-authored-by: Jack Grigg <jack@electriccoin.co> 2020-12-02 07:16:37 -08:00			`params: &Params<C>,`
			`domain: &EvaluationDomain<C::Scalar>,`
			`expressions: impl Iterator<Item = Polynomial<C::Scalar, ExtendedLagrangeCoeff>>,`
Update the PLONK implementation to adapt to the new transcript API. 2020-12-23 12:03:31 -08:00			`y: ChallengeY<C>,`
			`transcript: &mut T,`
Extract plonk::vanishing::{Argument, Proof} from prover and verifier Co-authored-by: Jack Grigg <jack@electriccoin.co> 2020-12-02 07:16:37 -08:00			`) -> Result<Constructed<C>, Error> {`
			`// Evaluate the h(X) polynomial's constraint system expressions for the constraints provided`
			`let h_poly = expressions.fold(domain.empty_extended(), \|h_poly, v\| h_poly * *y + &v);`

			`// Divide by t(X) = X^{params.n} - 1.`
			`let h_poly = domain.divide_by_vanishing_poly(h_poly);`

			`// Obtain final h(X) polynomial`
			`let h_poly = domain.extended_to_coeff(h_poly);`

			`// Split h(X) up into pieces`
			`let h_pieces = h_poly`
			`.chunks_exact(params.n as usize)`
			`.map(\|v\| domain.coeff_from_vec(v.to_vec()))`
			`.collect::<Vec<_>>();`
			`drop(h_poly);`
			`let h_blinds: Vec<_> = h_pieces.iter().map(\|_\| Blind(C::Scalar::rand())).collect();`

			`// Compute commitments to each h(X) piece`
			`let h_commitments_projective: Vec<_> = h_pieces`
			`.iter()`
			`.zip(h_blinds.iter())`
Remove needless borrows that are immediately dereferenced: https://rust-lang.github.io/rust-clippy/master/index.html#needless_borrow Signed-off-by: Daira Hopwood <daira@jacaranda.org> 2021-06-21 10:19:15 -07:00			`.map(\|(h_piece, blind)\| params.commit(h_piece, *blind))`
Extract plonk::vanishing::{Argument, Proof} from prover and verifier Co-authored-by: Jack Grigg <jack@electriccoin.co> 2020-12-02 07:16:37 -08:00			`.collect();`
Rename Curve and CurveAffine properties to match group traits 2021-02-22 10:39:14 -08:00			`let mut h_commitments = vec![C::identity(); h_commitments_projective.len()];`
			`C::Curve::batch_normalize(&h_commitments_projective, &mut h_commitments);`
Extract plonk::vanishing::{Argument, Proof} from prover and verifier Co-authored-by: Jack Grigg <jack@electriccoin.co> 2020-12-02 07:16:37 -08:00			`let h_commitments = h_commitments;`

			`// Hash each h(X) piece`
			`for c in h_commitments.iter() {`
			`transcript`
Update the PLONK implementation to adapt to the new transcript API. 2020-12-23 12:03:31 -08:00			`.write_point(*c)`
Extract plonk::vanishing::{Argument, Proof} from prover and verifier Co-authored-by: Jack Grigg <jack@electriccoin.co> 2020-12-02 07:16:37 -08:00			`.map_err(\|_\| Error::TranscriptError)?;`
			`}`

Always commit to a random polynomial that is evaluated at x in order to blind the multiopen evaluation of h(X). 2021-03-03 09:52:24 -08:00			`Ok(Constructed {`
			`h_pieces,`
			`h_blinds,`
Collapse random_{poly,blind} fields back into Committed in other structures. 2021-07-13 15:19:44 -07:00			`committed: self,`
Always commit to a random polynomial that is evaluated at x in order to blind the multiopen evaluation of h(X). 2021-03-03 09:52:24 -08:00			`})`
Extract plonk::vanishing::{Argument, Proof} from prover and verifier Co-authored-by: Jack Grigg <jack@electriccoin.co> 2020-12-02 07:16:37 -08:00			`}`
			`}`

			`impl<C: CurveAffine> Constructed<C> {`
Always commit to a random polynomial that is evaluated at x in order to blind the multiopen evaluation of h(X). 2021-03-03 09:52:24 -08:00			`pub(in crate::plonk) fn evaluate<E: EncodedChallenge<C>, T: TranscriptWrite<C, E>>(`
Extract plonk::vanishing::{Argument, Proof} from prover and verifier Co-authored-by: Jack Grigg <jack@electriccoin.co> 2020-12-02 07:16:37 -08:00			`self,`
Always commit to a random polynomial that is evaluated at x in order to blind the multiopen evaluation of h(X). 2021-03-03 09:52:24 -08:00			`x: ChallengeX<C>,`
Linearize the h(X) check. 2021-02-26 16:12:38 -08:00			`xn: C::Scalar,`
			`domain: &EvaluationDomain<C::Scalar>,`
Always commit to a random polynomial that is evaluated at x in order to blind the multiopen evaluation of h(X). 2021-03-03 09:52:24 -08:00			`transcript: &mut T,`
			`) -> Result<Evaluated<C>, Error> {`
Linearize the h(X) check. 2021-02-26 16:12:38 -08:00			`let h_poly = self`
Extract plonk::vanishing::{Argument, Proof} from prover and verifier Co-authored-by: Jack Grigg <jack@electriccoin.co> 2020-12-02 07:16:37 -08:00			`.h_pieces`
			`.iter()`
Linearize the h(X) check. 2021-02-26 16:12:38 -08:00			`.rev()`
			`.fold(domain.empty_coeff(), \|acc, eval\| acc * xn + eval);`
Extract plonk::vanishing::{Argument, Proof} from prover and verifier Co-authored-by: Jack Grigg <jack@electriccoin.co> 2020-12-02 07:16:37 -08:00
Linearize the h(X) check. 2021-02-26 16:12:38 -08:00			`let h_blind = self`
			`.h_blinds`
			`.iter()`
			`.rev()`
			`.fold(Blind(C::Scalar::zero()), \|acc, eval\| {`
			`acc * Blind(xn) + *eval`
			`});`
Extract plonk::vanishing::{Argument, Proof} from prover and verifier Co-authored-by: Jack Grigg <jack@electriccoin.co> 2020-12-02 07:16:37 -08:00
Collapse random_{poly,blind} fields back into Committed in other structures. 2021-07-13 15:19:44 -07:00			`let random_eval = eval_polynomial(&self.committed.random_poly, *x);`
Always commit to a random polynomial that is evaluated at x in order to blind the multiopen evaluation of h(X). 2021-03-03 09:52:24 -08:00			`transcript`
			`.write_scalar(random_eval)`
			`.map_err(\|_\| Error::TranscriptError)?;`

			`Ok(Evaluated {`
			`h_poly,`
			`h_blind,`
Collapse random_{poly,blind} fields back into Committed in other structures. 2021-07-13 15:19:44 -07:00			`committed: self.committed,`
Always commit to a random polynomial that is evaluated at x in order to blind the multiopen evaluation of h(X). 2021-03-03 09:52:24 -08:00			`})`
Extract plonk::vanishing::{Argument, Proof} from prover and verifier Co-authored-by: Jack Grigg <jack@electriccoin.co> 2020-12-02 07:16:37 -08:00			`}`
			`}`

			`impl<C: CurveAffine> Evaluated<C> {`
clippy: Small cleanups 2021-01-14 05:16:56 -08:00			`pub(in crate::plonk) fn open(`
			`&self,`
Update the PLONK implementation to adapt to the new transcript API. 2020-12-23 12:03:31 -08:00			`x: ChallengeX<C>,`
clippy: Small cleanups 2021-01-14 05:16:56 -08:00			`) -> impl Iterator<Item = ProverQuery<'_, C>> + Clone {`
Always commit to a random polynomial that is evaluated at x in order to blind the multiopen evaluation of h(X). 2021-03-03 09:52:24 -08:00			`iter::empty()`
			`.chain(Some(ProverQuery {`
			`point: *x,`
			`poly: &self.h_poly,`
			`blind: self.h_blind,`
			`}))`
			`.chain(Some(ProverQuery {`
			`point: *x,`
Collapse random_{poly,blind} fields back into Committed in other structures. 2021-07-13 15:19:44 -07:00			`poly: &self.committed.random_poly,`
			`blind: self.committed.random_blind,`
Always commit to a random polynomial that is evaluated at x in order to blind the multiopen evaluation of h(X). 2021-03-03 09:52:24 -08:00			`}))`
Extract plonk::vanishing::{Argument, Proof} from prover and verifier Co-authored-by: Jack Grigg <jack@electriccoin.co> 2020-12-02 07:16:37 -08:00			`}`
			`}`