2020-11-12 16:08:08 -08:00
|
|
|
use ff::Field;
|
|
|
|
|
2020-09-29 07:25:04 -07:00
|
|
|
use super::{
|
2020-11-05 19:25:50 -08:00
|
|
|
circuit::{Advice, Assignment, Circuit, Column, ConstraintSystem, Fixed},
|
2020-11-30 18:09:03 -08:00
|
|
|
permutation, Error, ProvingKey, VerifyingKey,
|
2020-09-29 07:25:04 -07:00
|
|
|
};
|
2020-11-30 18:09:03 -08:00
|
|
|
use crate::arithmetic::{Curve, CurveAffine};
|
2020-09-29 07:25:04 -07:00
|
|
|
use crate::poly::{
|
|
|
|
commitment::{Blind, Params},
|
|
|
|
EvaluationDomain, LagrangeCoeff, Polynomial, Rotation,
|
|
|
|
};
|
|
|
|
|
2021-01-12 07:01:50 -08:00
|
|
|
pub(crate) fn create_domain<C, ConcreteCircuit>(
|
|
|
|
params: &Params<C>,
|
|
|
|
) -> (
|
|
|
|
EvaluationDomain<C::Scalar>,
|
|
|
|
ConstraintSystem<C::Scalar>,
|
|
|
|
ConcreteCircuit::Config,
|
|
|
|
)
|
|
|
|
where
|
|
|
|
C: CurveAffine,
|
|
|
|
ConcreteCircuit: Circuit<C::Scalar>,
|
|
|
|
{
|
|
|
|
let mut cs = ConstraintSystem::default();
|
|
|
|
let config = ConcreteCircuit::configure(&mut cs);
|
|
|
|
|
|
|
|
// The permutation argument will serve alongside the gates, so must be
|
|
|
|
// accounted for.
|
|
|
|
let mut degree = cs
|
|
|
|
.permutations
|
|
|
|
.iter()
|
|
|
|
.map(|p| p.required_degree())
|
|
|
|
.max()
|
|
|
|
.unwrap_or(1);
|
|
|
|
|
|
|
|
// The lookup argument also serves alongside the gates and must be accounted
|
|
|
|
// for.
|
|
|
|
degree = std::cmp::max(
|
|
|
|
degree,
|
|
|
|
cs.lookups
|
|
|
|
.iter()
|
|
|
|
.map(|l| l.required_degree())
|
|
|
|
.max()
|
|
|
|
.unwrap_or(1),
|
|
|
|
);
|
|
|
|
|
|
|
|
// Account for each gate to ensure our quotient polynomial is the
|
|
|
|
// correct degree and that our extended domain is the right size.
|
|
|
|
for poly in cs.gates.iter() {
|
|
|
|
degree = std::cmp::max(degree, poly.degree());
|
|
|
|
}
|
|
|
|
|
|
|
|
let domain = EvaluationDomain::new(degree as u32, params.k);
|
|
|
|
|
|
|
|
(domain, cs, config)
|
|
|
|
}
|
|
|
|
|
2020-09-29 07:25:04 -07:00
|
|
|
/// Generate a `ProvingKey` from an instance of `Circuit`.
|
|
|
|
pub fn keygen<C, ConcreteCircuit>(
|
|
|
|
params: &Params<C>,
|
|
|
|
circuit: &ConcreteCircuit,
|
|
|
|
) -> Result<ProvingKey<C>, Error>
|
|
|
|
where
|
|
|
|
C: CurveAffine,
|
|
|
|
ConcreteCircuit: Circuit<C::Scalar>,
|
|
|
|
{
|
|
|
|
struct Assembly<F: Field> {
|
|
|
|
fixed: Vec<Polynomial<F, LagrangeCoeff>>,
|
2020-12-22 10:11:42 -08:00
|
|
|
permutations: Vec<permutation::keygen::Assembly>,
|
2020-09-29 07:25:04 -07:00
|
|
|
_marker: std::marker::PhantomData<F>,
|
|
|
|
}
|
|
|
|
|
|
|
|
impl<F: Field> Assignment<F> for Assembly<F> {
|
|
|
|
fn assign_advice(
|
|
|
|
&mut self,
|
2020-11-05 19:25:50 -08:00
|
|
|
_: Column<Advice>,
|
2020-09-29 07:25:04 -07:00
|
|
|
_: usize,
|
|
|
|
_: impl FnOnce() -> Result<F, Error>,
|
|
|
|
) -> Result<(), Error> {
|
2020-11-05 19:13:54 -08:00
|
|
|
// We only care about fixed columns here
|
2020-09-29 07:25:04 -07:00
|
|
|
Ok(())
|
|
|
|
}
|
|
|
|
|
|
|
|
fn assign_fixed(
|
|
|
|
&mut self,
|
2020-11-05 19:25:50 -08:00
|
|
|
column: Column<Fixed>,
|
2020-09-29 07:25:04 -07:00
|
|
|
row: usize,
|
|
|
|
to: impl FnOnce() -> Result<F, Error>,
|
|
|
|
) -> Result<(), Error> {
|
|
|
|
*self
|
|
|
|
.fixed
|
2020-11-09 08:45:52 -08:00
|
|
|
.get_mut(column.index())
|
2020-09-29 07:25:04 -07:00
|
|
|
.and_then(|v| v.get_mut(row))
|
|
|
|
.ok_or(Error::BoundsFailure)? = to()?;
|
|
|
|
|
|
|
|
Ok(())
|
|
|
|
}
|
|
|
|
|
|
|
|
fn copy(
|
|
|
|
&mut self,
|
|
|
|
permutation: usize,
|
2020-11-05 19:13:54 -08:00
|
|
|
left_column: usize,
|
2020-09-29 07:25:04 -07:00
|
|
|
left_row: usize,
|
2020-11-05 19:13:54 -08:00
|
|
|
right_column: usize,
|
2020-09-29 07:25:04 -07:00
|
|
|
right_row: usize,
|
|
|
|
) -> Result<(), Error> {
|
2020-12-22 10:11:42 -08:00
|
|
|
// Check bounds first
|
|
|
|
if permutation >= self.permutations.len() {
|
|
|
|
return Err(Error::BoundsFailure);
|
|
|
|
}
|
|
|
|
|
|
|
|
self.permutations[permutation].copy(left_column, left_row, right_column, right_row)
|
2020-09-29 07:25:04 -07:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-01-12 07:01:50 -08:00
|
|
|
let (domain, cs, config) = create_domain::<C, ConcreteCircuit>(params);
|
2020-09-29 07:25:04 -07:00
|
|
|
|
|
|
|
let mut assembly: Assembly<C::Scalar> = Assembly {
|
2020-11-05 19:13:54 -08:00
|
|
|
fixed: vec![domain.empty_lagrange(); cs.num_fixed_columns],
|
2020-12-22 10:11:42 -08:00
|
|
|
permutations: cs
|
|
|
|
.permutations
|
|
|
|
.iter()
|
2020-12-21 21:56:30 -08:00
|
|
|
.map(|p| permutation::keygen::Assembly::new(params.n as usize, p))
|
2020-12-22 10:11:42 -08:00
|
|
|
.collect(),
|
2020-09-29 07:25:04 -07:00
|
|
|
_marker: std::marker::PhantomData,
|
|
|
|
};
|
|
|
|
|
|
|
|
// Synthesize the circuit to obtain SRS
|
|
|
|
circuit.synthesize(&mut assembly, config)?;
|
|
|
|
|
2020-12-22 10:11:42 -08:00
|
|
|
let permutation_helper = permutation::keygen::Assembly::build_helper(params, &cs, &domain);
|
|
|
|
|
|
|
|
let (permutation_pks, permutation_vks) = cs
|
|
|
|
.permutations
|
|
|
|
.iter()
|
|
|
|
.zip(assembly.permutations.into_iter())
|
|
|
|
.map(|(p, assembly)| assembly.build_keys(params, &domain, &permutation_helper, p))
|
|
|
|
.unzip();
|
2020-09-29 07:25:04 -07:00
|
|
|
|
|
|
|
let fixed_commitments = assembly
|
|
|
|
.fixed
|
|
|
|
.iter()
|
|
|
|
.map(|poly| params.commit_lagrange(poly, Blind::default()).to_affine())
|
|
|
|
.collect();
|
|
|
|
|
|
|
|
let fixed_polys: Vec<_> = assembly
|
|
|
|
.fixed
|
2020-11-30 22:35:56 -08:00
|
|
|
.iter()
|
|
|
|
.map(|poly| domain.lagrange_to_coeff(poly.clone()))
|
2020-09-29 07:25:04 -07:00
|
|
|
.collect();
|
|
|
|
|
|
|
|
let fixed_cosets = cs
|
|
|
|
.fixed_queries
|
|
|
|
.iter()
|
2020-11-05 19:13:54 -08:00
|
|
|
.map(|&(column, at)| {
|
2020-11-09 08:45:52 -08:00
|
|
|
let poly = fixed_polys[column.index()].clone();
|
2020-09-29 07:25:04 -07:00
|
|
|
domain.coeff_to_extended(poly, at)
|
|
|
|
})
|
|
|
|
.collect();
|
|
|
|
|
|
|
|
// Compute l_0(X)
|
|
|
|
// TODO: this can be done more efficiently
|
|
|
|
let mut l0 = domain.empty_lagrange();
|
|
|
|
l0[0] = C::Scalar::one();
|
|
|
|
let l0 = domain.lagrange_to_coeff(l0);
|
2020-12-23 08:45:16 -08:00
|
|
|
let l0 = domain.coeff_to_extended(l0, Rotation::cur());
|
2020-09-29 07:25:04 -07:00
|
|
|
|
|
|
|
Ok(ProvingKey {
|
|
|
|
vk: VerifyingKey {
|
|
|
|
domain,
|
|
|
|
fixed_commitments,
|
2020-11-30 18:09:03 -08:00
|
|
|
permutations: permutation_vks,
|
2020-09-29 07:25:04 -07:00
|
|
|
cs,
|
|
|
|
},
|
|
|
|
l0,
|
2020-11-30 22:35:56 -08:00
|
|
|
fixed_values: assembly.fixed,
|
2020-09-29 07:25:04 -07:00
|
|
|
fixed_polys,
|
|
|
|
fixed_cosets,
|
2020-11-30 18:09:03 -08:00
|
|
|
permutations: permutation_pks,
|
2020-09-29 07:25:04 -07:00
|
|
|
})
|
|
|
|
}
|