extern crate halo2;
use std::marker::PhantomData;
use halo2::{
arithmetic::FieldExt,
circuit::{layouter::SingleChipLayouter, Cell, Chip, Layouter, Region},
dev::VerifyFailure,
plonk::{
Advice, Assignment, Circuit, Column, ConstraintSystem, Error, Instance, Permutation,
Selector,
},
poly::Rotation,
};
// ANCHOR: instructions
/// The instructions this example's chip offers to the circuit.
///
/// Every instruction takes its own [`Layouter`] so the chip can allocate the
/// regions it needs; `MyCircuit::synthesize` hands each call a namespaced one.
trait NumericInstructions<F: FieldExt>: Chip<F> {
    /// Variable representing a number.
    type Num;

    /// Loads a number into the circuit as a private input.
    ///
    /// `a` is `None` when no witness is available, as during key generation
    /// (see the docs on `MyCircuit`).
    fn load_private(&self, layouter: impl Layouter<F>, a: Option<F>) -> Result<Self::Num, Error>;

    /// Returns `c = a * b`.
    ///
    /// The inputs may have been assigned anywhere in the circuit; the
    /// implementation is responsible for tying them to the cells it reads.
    fn mul(
        &self,
        layouter: impl Layouter<F>,
        a: Self::Num,
        b: Self::Num,
    ) -> Result<Self::Num, Error>;

    /// Exposes a number as a public input to the circuit.
    fn expose_public(&self, layouter: impl Layouter<F>, num: Self::Num) -> Result<(), Error>;
}
// ANCHOR_END: instructions
// ANCHOR: chip
/// The chip that will implement our instructions! Chips store their own
/// config, as well as type markers if necessary.
struct FieldChip<F: FieldExt> {
    // Columns, permutation and selectors produced by `FieldChip::configure`.
    config: FieldConfig,
    // The chip holds no `F` value itself; the marker only ties it to the field
    // its instructions operate over.
    _marker: PhantomData<F>,
}
// ANCHOR_END: chip
// ANCHOR: chip-config
/// Chip state is stored in a config struct. This is generated by the chip
/// during configuration, and then stored inside the chip.
#[derive(Clone, Debug)]
struct FieldConfig {
    /// For this chip, we will use two advice columns to implement our instructions.
    /// These are also the columns through which we communicate with other parts of
    /// the circuit.
    advice: [Column<Advice>; 2],

    // We need to create a permutation between our advice columns. This allows us to
    // copy numbers within these columns from arbitrary rows, which we can use to load
    // inputs into our instruction regions. Without these equality constraints, the
    // cells an instruction reads would not be bound to the values it was handed.
    perm: Permutation,

    // We need a selector to enable the multiplication gate, so that we aren't placing
    // any constraints on cells where `NumericInstructions::mul` is not being used.
    // This is important when building larger circuits, where columns are used by
    // multiple sets of instructions.
    s_mul: Selector,

    // The selector for the public-input gate, which uses one of the advice columns
    // (the second one, `advice[1]`, as queried in `FieldChip::configure`).
    s_pub: Selector,
}
impl<F: FieldExt> FieldChip<F> {
    /// Wraps an already-generated [`FieldConfig`] in a chip instance.
    fn construct(config: <Self as Chip<F>>::Config) -> Self {
        FieldChip {
            config,
            _marker: PhantomData,
        }
    }

    /// Registers the chip's permutation, selectors and gates with the
    /// constraint system and returns the config that `construct` consumes.
    ///
    /// `advice` are the two columns the chip works in; `instance` is the
    /// column that carries the public inputs.
    fn configure(
        meta: &mut ConstraintSystem<F>,
        advice: [Column<Advice>; 2],
        instance: Column<Instance>,
    ) -> <Self as Chip<F>>::Config {
        // Equality constraints across both advice columns: this is what lets an
        // instruction pull a value assigned in some other region into its own.
        let permuted_columns: Vec<_> = advice.iter().map(|column| (*column).into()).collect();
        let perm = Permutation::new(meta, &permuted_columns);

        let s_mul = meta.selector();
        let s_pub = meta.selector();

        // The multiplication gate. It touches three advice cells plus the
        // selector, laid out relative to the row the selector is enabled on:
        //
        //   | a0  | a1  | s_mul |
        //   |-----|-----|-------|
        //   | lhs | rhs | s_mul |
        //   | out |     |       |
        //
        // Any relative offset is allowed, but every distinct offset used by a
        // gate adds to the proof cost; 0 (this row), 1 (next row) and -1
        // (previous row) are the common ones and `Rotation` has constructors
        // for them.
        meta.create_gate("mul", |cells| {
            let lhs = cells.query_advice(advice[0], Rotation::cur());
            let rhs = cells.query_advice(advice[1], Rotation::cur());
            let out = cells.query_advice(advice[0], Rotation::next());
            let s_mul = cells.query_selector(s_mul);

            // Every expression handed back here is constrained to equal zero.
            // With a single constraint this gives:
            //   - s_mul = 0: lhs, rhs and out are unconstrained;
            //   - s_mul != 0: lhs * rhs - out = 0.
            vec![s_mul * (lhs * rhs + out * -F::one())]
        });

        // The public-input gate. The second advice column is (arbitrarily) the
        // one through which numbers are exposed.
        meta.create_gate("public input", |cells| {
            let advice_cell = cells.query_advice(advice[1], Rotation::cur());
            let public_cell = cells.query_instance(instance, Rotation::cur());
            let s_pub = cells.query_selector(s_pub);

            // When enabled, the advice cell must equal the instance cell.
            vec![s_pub * (public_cell + advice_cell * -F::one())]
        });

        FieldConfig {
            advice,
            perm,
            s_mul,
            s_pub,
        }
    }
}
// ANCHOR_END: chip-config
// ANCHOR: chip-impl
impl<F: FieldExt> Chip<F> for FieldChip<F> {
    type Config = FieldConfig;
    type Loaded = ();

    /// This chip has nothing to preload, so its loaded state is the unit value.
    fn loaded(&self) -> &Self::Loaded {
        &()
    }

    /// The columns, permutation and selectors this chip was configured with.
    fn config(&self) -> &Self::Config {
        let FieldChip { config, .. } = self;
        config
    }
}
// ANCHOR_END: chip-impl
// ANCHOR: instructions-impl
/// A variable representing a number.
#[derive(Clone)]
struct Number<F: FieldExt> {
    // Where the number lives in the circuit; `mul` and `expose_public` copy
    // from this cell via the permutation argument.
    cell: Cell,
    // The witness value, if one is available (`None` when the circuit is
    // synthesized without a witness).
    value: Option<F>,
}
impl<F: FieldExt> NumericInstructions<F> for FieldChip<F> {
    type Num = Number<F>;

    /// Assigns `value` to a fresh cell in the first advice column and returns
    /// a variable pointing at it. A missing witness becomes
    /// `Error::SynthesisError` when the assignment closure is evaluated.
    fn load_private(
        &self,
        mut layouter: impl Layouter<F>,
        value: Option<F>,
    ) -> Result<Self::Num, Error> {
        let config = self.config();

        // The region closure cannot hand the cell back directly, so it parks
        // the result here and we collect it afterwards.
        let mut loaded: Option<Number<F>> = None;
        layouter.assign_region(
            || "load private",
            |mut region: Region<'_, F>| {
                let cell = region.assign_advice(
                    || "private input",
                    config.advice[0],
                    0,
                    || value.ok_or(Error::SynthesisError),
                )?;
                loaded = Some(Number { cell, value });
                Ok(())
            },
        )?;

        Ok(loaded.expect("region closure ran and stored the loaded number"))
    }

    /// Multiplies two variables inside a two-row region and returns the
    /// product as a new variable.
    fn mul(
        &self,
        mut layouter: impl Layouter<F>,
        a: Self::Num,
        b: Self::Num,
    ) -> Result<Self::Num, Error> {
        let config = self.config();

        let mut product: Option<Number<F>> = None;
        layouter.assign_region(
            || "mul",
            |mut region: Region<'_, F>| {
                // A single multiplication gate per region, enabled at offset 0,
                // so it constrains the cells at offsets 0 and 1 of this region.
                config.s_mul.enable(&mut region, 0)?;

                // Gates only see relative offsets within this region, while the
                // inputs may have been assigned anywhere. So we assign fresh
                // cells here and tie them to the originals through the
                // permutation argument.
                let lhs = region.assign_advice(
                    || "lhs",
                    config.advice[0],
                    0,
                    || a.value.ok_or(Error::SynthesisError),
                )?;
                let rhs = region.assign_advice(
                    || "rhs",
                    config.advice[1],
                    0,
                    || b.value.ok_or(Error::SynthesisError),
                )?;
                region.constrain_equal(&config.perm, a.cell, lhs)?;
                region.constrain_equal(&config.perm, b.cell, rhs)?;

                // The output goes into the row below `lhs`, as the gate expects.
                let value = a.value.zip(b.value).map(|(x, y)| x * y);
                let cell = region.assign_advice(
                    || "lhs * rhs",
                    config.advice[0],
                    1,
                    || value.ok_or(Error::SynthesisError),
                )?;

                // Hand back a variable for the output so other parts of the
                // circuit can consume it.
                product = Some(Number { cell, value });
                Ok(())
            },
        )?;

        Ok(product.expect("region closure ran and stored the product"))
    }

    /// Copies `num` into the public-input column position and enables the
    /// gate that equates it with the matching instance cell.
    fn expose_public(&self, mut layouter: impl Layouter<F>, num: Self::Num) -> Result<(), Error> {
        let config = self.config();

        layouter.assign_region(
            || "expose public",
            |mut region: Region<'_, F>| {
                config.s_pub.enable(&mut region, 0)?;

                // The public-input gate reads the second advice column.
                let exposed = region.assign_advice(
                    || "public advice",
                    config.advice[1],
                    0,
                    || num.value.ok_or(Error::SynthesisError),
                )?;
                region.constrain_equal(&config.perm, num.cell, exposed)?;

                // The instance column is never written from inside the circuit;
                // the prover receives the public inputs separately.
                Ok(())
            },
        )
    }
}
// ANCHOR_END: instructions-impl
// ANCHOR: circuit
/// The full circuit implementation.
///
/// In this struct we store the private input variables. We use `Option<F>` because
/// they won't have any value during key generation. During proving, if any of these
/// were `None` we would get an error.
struct MyCircuit<F: FieldExt> {
    // First private factor.
    a: Option<F>,
    // Second private factor.
    b: Option<F>,
}
impl<F: FieldExt> Circuit<F> for MyCircuit<F> {
    // A single chip does all the work, so the chip's config is the circuit's.
    type Config = FieldConfig;

    /// Allocates the columns the chip needs and lets it configure itself.
    fn configure(meta: &mut ConstraintSystem<F>) -> Self::Config {
        // Two advice columns for the chip's I/O, allocated in this order.
        let first = meta.advice_column();
        let second = meta.advice_column();

        // One instance column to hold the public inputs.
        let instance = meta.instance_column();

        FieldChip::configure(meta, [first, second], instance)
    }

    /// Lays out the circuit: load `a` and `b`, compute `(a * b)^2` and expose
    /// the result as a public input.
    fn synthesize(&self, cs: &mut impl Assignment<F>, config: Self::Config) -> Result<(), Error> {
        let mut layouter = SingleChipLayouter::new(cs)?;
        let chip = FieldChip::<F>::construct(config);

        // Bring the private inputs into the circuit.
        let a = chip.load_private(layouter.namespace(|| "load a"), self.a)?;
        let b = chip.load_private(layouter.namespace(|| "load b"), self.b)?;

        // Only plain multiplication is available. Computing
        //   asq = a*a, bsq = b*b, c = asq*bsq
        // would take three gates; squaring the product takes two:
        //   ab = a*b, c = ab^2
        let ab = chip.mul(layouter.namespace(|| "a * b"), a, b)?;
        let ab_again = ab.clone();
        let c = chip.mul(layouter.namespace(|| "ab * ab"), ab_again, ab)?;

        // Publish the result.
        chip.expose_public(layouter.namespace(|| "expose c"), c)
    }
}
// ANCHOR_END: circuit
fn main() {
    use halo2::{dev::MockProver, pasta::Fp};

    // ANCHOR: test-circuit
    // The circuit may use at most 2^k rows; this example needs very few, so a
    // small k suffices.
    let k = 3;

    // Private inputs, and the public output they should yield.
    let a = Fp::from(2);
    let b = Fp::from(3);
    let c = a.square() * b.square();

    // The circuit instance carrying the witness.
    let circuit = MyCircuit {
        a: Some(a),
        b: Some(b),
    };

    // The public-input vector mirrors the instance column. The multiplication
    // result is exposed in row 6 of that column, so `c` goes at index 6. That
    // index reflects where the layouter placed the `expose public` region; if
    // the circuit's layout changes, it has to be updated to match.
    let mut public_inputs = vec![Fp::zero(); 1 << k];
    public_inputs[6] = c;

    // With the correct public input the circuit verifies.
    let prover = MockProver::run(k, &circuit, vec![public_inputs.clone()]).unwrap();
    assert_eq!(prover.verify(), Ok(()));

    // With any other public input the public-input gate fails at row 6.
    public_inputs[6] += Fp::one();
    let prover = MockProver::run(k, &circuit, vec![public_inputs]).unwrap();
    let expected_failure = VerifyFailure::Constraint {
        gate_index: 1,
        gate_name: "public input",
        constraint_index: 0,
        constraint_name: "",
        row: 6,
    };
    assert_eq!(prover.verify(), Err(vec![expected_failure]));
    // ANCHOR_END: test-circuit
}