halo2/src/poly/commitment.rs

//! This module contains an implementation of the polynomial commitment scheme
//! described in the [Halo][halo] paper.
//!
//! [halo]: https://eprint.iacr.org/2019/1021

use super::{Coeff, LagrangeCoeff, Polynomial};
use crate::arithmetic::{best_fft, best_multiexp, parallelize, Curve, CurveAffine, FieldExt};
use crate::transcript::Hasher;

use ff::{Field, PrimeField};
use std::ops::{Add, AddAssign, Mul, MulAssign};

mod msm;
mod prover;
mod verifier;

pub use msm::MSM;
pub use verifier::{Accumulator, Guard};

/// These are the public parameters for the polynomial commitment scheme.
#[derive(Debug)]
pub struct Params<C: CurveAffine> {
    pub(crate) k: u32,
    pub(crate) n: u64,
    pub(crate) g: Vec<C>,
    pub(crate) g_lagrange: Vec<C>,
    pub(crate) h: C,
}

/// This is a proof object for the polynomial commitment scheme opening.
#[derive(Debug, Clone)]
pub struct Proof<C: CurveAffine> {
    rounds: Vec<(C, C)>,
    delta: C,
    z1: C::Scalar,
    z2: C::Scalar,
}

impl<C: CurveAffine> Params<C> {
    /// Initializes parameters for the curve, given a random oracle to draw
    /// points from.
    pub fn new<H: Hasher<C::Base>>(k: u32) -> Self {
        // This is usually a limitation on the curve, but we also want 32-bit
        // architectures to be supported.
        assert!(k < 32);
        // No goofy hardware please.
        assert!(core::mem::size_of::<usize>() >= 4);

        let n: u64 = 1 << k;

        let g = {
            let hasher = &H::init(C::Base::zero());

            let mut g = Vec::with_capacity(n as usize);
            g.resize(n as usize, C::zero());

            parallelize(&mut g, move |g, start| {
                let mut cur_value = C::Base::from(start as u64);
                for g in g.iter_mut() {
                    let mut hasher = hasher.clone();
                    hasher.absorb(cur_value);
                    cur_value += &C::Base::one();
                    loop {
                        let x = hasher.squeeze().to_bytes();
                        let p = C::from_bytes(&x);
                        if bool::from(p.is_some()) {
                            *g = p.unwrap();
                            break;
                        }
                    }
                }
            });

            g
        };

        // Let's evaluate all of the Lagrange basis polynomials
        // using an inverse FFT.
        let mut alpha_inv = C::Scalar::ROOT_OF_UNITY_INV;
        for _ in k..C::Scalar::S {
            alpha_inv = alpha_inv.square();
        }
        let mut g_lagrange_projective = g.iter().map(|g| g.to_projective()).collect::<Vec<_>>();
        best_fft(&mut g_lagrange_projective, alpha_inv, k);
        let minv = C::Scalar::TWO_INV.pow_vartime(&[k as u64, 0, 0, 0]);
        parallelize(&mut g_lagrange_projective, |g, _| {
            for g in g.iter_mut() {
                *g *= minv;
            }
        });

        let g_lagrange = {
            let mut g_lagrange = vec![C::zero(); n as usize];
            parallelize(&mut g_lagrange, |g_lagrange, starts| {
                C::Projective::batch_to_affine(
                    &g_lagrange_projective[starts..(starts + g_lagrange.len())],
                    g_lagrange,
                );
            });
            drop(g_lagrange_projective);
            g_lagrange
        };

        let h = {
            let mut hasher = H::init(C::Base::zero());
            let x = hasher.squeeze().to_bytes();
            let p = C::from_bytes(&x);
            p.unwrap()
        };

        Params {
            k,
            n,
            g,
            g_lagrange,
            h,
        }
    }

    /// This computes a commitment to a polynomial described by the provided
    /// slice of coefficients. The commitment will be blinded by the blinding
    /// factor `r`.
    pub fn commit(
        &self,
        poly: &Polynomial<C::Scalar, Coeff>,
        r: Blind<C::Scalar>,
    ) -> C::Projective {
        metrics::increment_counter!("multiexp", "size" => format!("{}", poly.len() + 1), "fn" => "commit");
        let mut tmp_scalars = Vec::with_capacity(poly.len() + 1);
        let mut tmp_bases = Vec::with_capacity(poly.len() + 1);

        tmp_scalars.extend(poly.iter());
        tmp_scalars.push(r.0);

        tmp_bases.extend(self.g.iter());
        tmp_bases.push(self.h);

        best_multiexp::<C>(&tmp_scalars, &tmp_bases)
    }

    /// This commits to a polynomial using its evaluations over the $2^k$ size
    /// evaluation domain. The commitment will be blinded by the blinding factor
    /// `r`.
    pub fn commit_lagrange(
        &self,
        poly: &Polynomial<C::Scalar, LagrangeCoeff>,
        r: Blind<C::Scalar>,
    ) -> C::Projective {
        metrics::increment_counter!("multiexp", "size" => format!("{}", poly.len() + 1), "fn" => "commit_lagrange");
        let mut tmp_scalars = Vec::with_capacity(poly.len() + 1);
        let mut tmp_bases = Vec::with_capacity(poly.len() + 1);

        tmp_scalars.extend(poly.iter());
        tmp_scalars.push(r.0);

        tmp_bases.extend(self.g_lagrange.iter());
        tmp_bases.push(self.h);

        best_multiexp::<C>(&tmp_scalars, &tmp_bases)
    }

    /// Generates an empty multiscalar multiplication struct using the
    /// appropriate params.
    pub fn empty_msm(&self) -> MSM<C> {
        MSM::new(self)
    }

    /// Getter for g generators
    pub fn get_g(&self) -> Vec<C> {
        self.g.clone()
    }
}

/// Wrapper type around a blinding factor.
#[derive(Copy, Clone, Eq, PartialEq, Debug)]
pub struct Blind<F>(pub F);

impl<F: FieldExt> Default for Blind<F> {
    fn default() -> Self {
        Blind(F::one())
    }
}

impl<F: FieldExt> Add for Blind<F> {
    type Output = Self;

    fn add(self, rhs: Blind<F>) -> Self {
        Blind(self.0 + rhs.0)
    }
}

impl<F: FieldExt> Mul for Blind<F> {
    type Output = Self;

    fn mul(self, rhs: Blind<F>) -> Self {
        Blind(self.0 * rhs.0)
    }
}

impl<F: FieldExt> AddAssign for Blind<F> {
    fn add_assign(&mut self, rhs: Blind<F>) {
        self.0 += rhs.0;
    }
}

impl<F: FieldExt> MulAssign for Blind<F> {
    fn mul_assign(&mut self, rhs: Blind<F>) {
        self.0 *= rhs.0;
    }
}

impl<F: FieldExt> AddAssign<F> for Blind<F> {
    fn add_assign(&mut self, rhs: F) {
        self.0 += rhs;
    }
}

impl<F: FieldExt> MulAssign<F> for Blind<F> {
    fn mul_assign(&mut self, rhs: F) {
        self.0 *= rhs;
    }
}

#[test]
fn test_commit_lagrange() {
    const K: u32 = 6;

    use crate::pasta::{EpAffine, Fp, Fq};
    use crate::transcript::DummyHash;
    let params = Params::<EpAffine>::new::<DummyHash<Fp>>(K);
    let domain = super::EvaluationDomain::new(1, K);

    let mut a = domain.empty_lagrange();

    for (i, a) in a.iter_mut().enumerate() {
        *a = Fq::from(i as u64);
    }

    let b = domain.lagrange_to_coeff(a.clone());

    let alpha = Blind(Fq::rand());

    assert_eq!(params.commit(&b, alpha), params.commit_lagrange(&a, alpha));
}

#[test]
fn test_opening_proof() {
    const K: u32 = 6;

    use ff::Field;

    use super::{
        commitment::{Blind, Params},
        EvaluationDomain,
    };
    use crate::arithmetic::{eval_polynomial, Curve, FieldExt};
    use crate::pasta::{EpAffine, Fp, Fq};
    use crate::transcript::{ChallengeScalar, DummyHash, Transcript};

    let params = Params::<EpAffine>::new::<DummyHash<Fp>>(K);
    let domain = EvaluationDomain::new(1, K);

    let mut px = domain.empty_coeff();

    for (i, a) in px.iter_mut().enumerate() {
        *a = Fq::from(i as u64);
    }

    let blind = Blind(Fq::rand());

    let p = params.commit(&px, blind).to_affine();

    let mut transcript = Transcript::<_, DummyHash<_>, DummyHash<_>>::new();
    transcript.absorb_point(&p).unwrap();
    let x = ChallengeScalar::<_, ()>::get(&mut transcript);
    // Evaluate the polynomial
    let v = eval_polynomial(&px, *x);

    transcript.absorb_base(Fp::from_bytes(&v.to_bytes()).unwrap()); // unlikely to fail since p ~ q

    loop {
        let mut transcript_dup = transcript.clone();

        let opening_proof = Proof::create(&params, &mut transcript, &px, blind, *x);
        if let Ok(opening_proof) = opening_proof {
            // Verify the opening proof
            let mut commitment_msm = params.empty_msm();
            commitment_msm.append_term(Field::one(), p);
            let guard = opening_proof
                .verify(
                    &params,
                    params.empty_msm(),
                    &mut transcript_dup,
                    *x,
                    commitment_msm,
                    v,
                )
                .unwrap();

            // Test guard behavior prior to checking another proof
            {
                // Test use_challenges()
                let msm_challenges = guard.clone().use_challenges();
                assert!(msm_challenges.eval());

                // Test use_g()
                let g = guard.compute_g();
                let (msm_g, _accumulator) = guard.clone().use_g(g);
                assert!(msm_g.eval());

                break;
            }
        } else {
            transcript = transcript_dup;
            transcript.absorb_base(Field::one());
        }
    }
}
Refactor module tree. 2020-09-07 09:22:25 -07:00			`//! This module contains an implementation of the polynomial commitment scheme`
			`//! described in the [Halo][halo] paper.`
			`//!`
			`//! [halo]: https://eprint.iacr.org/2019/1021`

Address review comments 2020-09-12 11:55:48 -07:00			`use super::{Coeff, LagrangeCoeff, Polynomial};`
Migrate to ff traits The `Field` trait in this crate is now `FieldExt: ff::PrimeField`. 2020-11-12 16:08:08 -08:00			`use crate::arithmetic::{best_fft, best_multiexp, parallelize, Curve, CurveAffine, FieldExt};`
Move Challenge and ChallengeScalar into the transcript module 2020-12-01 14:40:54 -08:00			`use crate::transcript::Hasher;`
Migrate to ff traits The `Field` trait in this crate is now `FieldExt: ff::PrimeField`. 2020-11-12 16:08:08 -08:00
			`use ff::{Field, PrimeField};`
Move Challenge and ChallengeScalar into the transcript module 2020-12-01 14:40:54 -08:00			`use std::ops::{Add, AddAssign, Mul, MulAssign};`
Refactor module tree. 2020-09-07 09:22:25 -07:00
Move MSM into submodule. 2020-10-13 07:16:20 -07:00			`mod msm;`
Refactor module tree. 2020-09-07 09:22:25 -07:00			`mod prover;`
			`mod verifier;`

Move MSM into submodule. 2020-10-13 07:16:20 -07:00			`pub use msm::MSM;`
Move `Guard` and `Accumulator` implementations into `verifier` submodule. 2020-09-25 08:11:37 -07:00			`pub use verifier::{Accumulator, Guard};`

Refactor module tree. 2020-09-07 09:22:25 -07:00			`/// These are the public parameters for the polynomial commitment scheme.`
			`#[derive(Debug)]`
			`pub struct Params<C: CurveAffine> {`
			`pub(crate) k: u32,`
			`pub(crate) n: u64,`
			`pub(crate) g: Vec<C>,`
			`pub(crate) g_lagrange: Vec<C>,`
			`pub(crate) h: C,`
			`}`

Move MSM into submodule. 2020-10-13 07:16:20 -07:00			`/// This is a proof object for the polynomial commitment scheme opening.`
			`#[derive(Debug, Clone)]`
			`pub struct Proof<C: CurveAffine> {`
			`rounds: Vec<(C, C)>,`
			`delta: C,`
			`z1: C::Scalar,`
			`z2: C::Scalar,`
			`}`

Refactor module tree. 2020-09-07 09:22:25 -07:00			`impl<C: CurveAffine> Params<C> {`
			`/// Initializes parameters for the curve, given a random oracle to draw`
			`/// points from.`
			`pub fn new<H: Hasher<C::Base>>(k: u32) -> Self {`
			`// This is usually a limitation on the curve, but we also want 32-bit`
			`// architectures to be supported.`
			`assert!(k < 32);`
			`// No goofy hardware please.`
			`assert!(core::mem::size_of::<usize>() >= 4);`

			`let n: u64 = 1 << k;`

			`let g = {`
			`let hasher = &H::init(C::Base::zero());`

			`let mut g = Vec::with_capacity(n as usize);`
			`g.resize(n as usize, C::zero());`

			`parallelize(&mut g, move \|g, start\| {`
			`let mut cur_value = C::Base::from(start as u64);`
			`for g in g.iter_mut() {`
			`let mut hasher = hasher.clone();`
			`hasher.absorb(cur_value);`
			`cur_value += &C::Base::one();`
			`loop {`
			`let x = hasher.squeeze().to_bytes();`
			`let p = C::from_bytes(&x);`
			`if bool::from(p.is_some()) {`
			`*g = p.unwrap();`
			`break;`
			`}`
			`}`
			`}`
			`});`

			`g`
			`};`

			`// Let's evaluate all of the Lagrange basis polynomials`
			`// using an inverse FFT.`
			`let mut alpha_inv = C::Scalar::ROOT_OF_UNITY_INV;`
			`for _ in k..C::Scalar::S {`
			`alpha_inv = alpha_inv.square();`
			`}`
			`let mut g_lagrange_projective = g.iter().map(\|g\| g.to_projective()).collect::<Vec<_>>();`
			`best_fft(&mut g_lagrange_projective, alpha_inv, k);`
			`let minv = C::Scalar::TWO_INV.pow_vartime(&[k as u64, 0, 0, 0]);`
			`parallelize(&mut g_lagrange_projective, \|g, _\| {`
			`for g in g.iter_mut() {`
			`g = minv;`
			`}`
			`});`

			`let g_lagrange = {`
			`let mut g_lagrange = vec![C::zero(); n as usize];`
			`parallelize(&mut g_lagrange, \|g_lagrange, starts\| {`
			`C::Projective::batch_to_affine(`
			`&g_lagrange_projective[starts..(starts + g_lagrange.len())],`
			`g_lagrange,`
			`);`
			`});`
			`drop(g_lagrange_projective);`
			`g_lagrange`
			`};`

			`let h = {`
			`let mut hasher = H::init(C::Base::zero());`
			`let x = hasher.squeeze().to_bytes();`
			`let p = C::from_bytes(&x);`
			`p.unwrap()`
			`};`

			`Params {`
			`k,`
			`n,`
			`g,`
			`g_lagrange,`
			`h,`
			`}`
			`}`

			`/// This computes a commitment to a polynomial described by the provided`
			`/// slice of coefficients. The commitment will be blinded by the blinding`
			/// factor `r`.
			`pub fn commit(`
			`&self,`
			`poly: &Polynomial<C::Scalar, Coeff>,`
			`r: Blind<C::Scalar>,`
			`) -> C::Projective {`
model: metrics 0.13.0-alpha.13 2020-12-22 04:27:36 -08:00			`metrics::increment_counter!("multiexp", "size" => format!("{}", poly.len() + 1), "fn" => "commit");`
Refactor module tree. 2020-09-07 09:22:25 -07:00			`let mut tmp_scalars = Vec::with_capacity(poly.len() + 1);`
			`let mut tmp_bases = Vec::with_capacity(poly.len() + 1);`

			`tmp_scalars.extend(poly.iter());`
			`tmp_scalars.push(r.0);`

			`tmp_bases.extend(self.g.iter());`
			`tmp_bases.push(self.h);`

			`best_multiexp::<C>(&tmp_scalars, &tmp_bases)`
			`}`

			`/// This commits to a polynomial using its evaluations over the $2^k$ size`
			`/// evaluation domain. The commitment will be blinded by the blinding factor`
			/// `r`.
			`pub fn commit_lagrange(`
			`&self,`
			`poly: &Polynomial<C::Scalar, LagrangeCoeff>,`
			`r: Blind<C::Scalar>,`
			`) -> C::Projective {`
model: metrics 0.13.0-alpha.13 2020-12-22 04:27:36 -08:00			`metrics::increment_counter!("multiexp", "size" => format!("{}", poly.len() + 1), "fn" => "commit_lagrange");`
Refactor module tree. 2020-09-07 09:22:25 -07:00			`let mut tmp_scalars = Vec::with_capacity(poly.len() + 1);`
			`let mut tmp_bases = Vec::with_capacity(poly.len() + 1);`

			`tmp_scalars.extend(poly.iter());`
			`tmp_scalars.push(r.0);`

			`tmp_bases.extend(self.g_lagrange.iter());`
			`tmp_bases.push(self.h);`

			`best_multiexp::<C>(&tmp_scalars, &tmp_bases)`
			`}`
Address review comments 2020-09-12 11:55:48 -07:00
			`/// Generates an empty multiscalar multiplication struct using the`
			`/// appropriate params.`
Rename params.msm() to params.empty_msm() 2020-09-13 08:07:05 -07:00			`pub fn empty_msm(&self) -> MSM<C> {`
Move MSM into submodule. 2020-10-13 07:16:20 -07:00			`MSM::new(self)`
Address review comments 2020-09-12 11:55:48 -07:00			`}`
Add benchmarks for shared double-and-add 2020-09-15 09:44:56 -07:00
			`/// Getter for g generators`
			`pub fn get_g(&self) -> Vec<C> {`
			`self.g.clone()`
			`}`
Refactor module tree. 2020-09-07 09:22:25 -07:00			`}`

			`/// Wrapper type around a blinding factor.`
			`#[derive(Copy, Clone, Eq, PartialEq, Debug)]`
			`pub struct Blind<F>(pub F);`

Introduce typed challenge scalars This also centralises the challenge generation logic in Challenge::get, ensuring it is consistent across the codebase. 2020-11-25 11:26:31 -08:00			`impl<F: FieldExt> Default for Blind<F> {`
Refactor module tree. 2020-09-07 09:22:25 -07:00			`fn default() -> Self {`
			`Blind(F::one())`
			`}`
			`}`

Introduce typed challenge scalars This also centralises the challenge generation logic in Challenge::get, ensuring it is consistent across the codebase. 2020-11-25 11:26:31 -08:00			`impl<F: FieldExt> Add for Blind<F> {`
Refactor module tree. 2020-09-07 09:22:25 -07:00			`type Output = Self;`

			`fn add(self, rhs: Blind<F>) -> Self {`
			`Blind(self.0 + rhs.0)`
			`}`
			`}`

Introduce typed challenge scalars This also centralises the challenge generation logic in Challenge::get, ensuring it is consistent across the codebase. 2020-11-25 11:26:31 -08:00			`impl<F: FieldExt> Mul for Blind<F> {`
Refactor module tree. 2020-09-07 09:22:25 -07:00			`type Output = Self;`

			`fn mul(self, rhs: Blind<F>) -> Self {`
			`Blind(self.0 * rhs.0)`
			`}`
			`}`

Introduce typed challenge scalars This also centralises the challenge generation logic in Challenge::get, ensuring it is consistent across the codebase. 2020-11-25 11:26:31 -08:00			`impl<F: FieldExt> AddAssign for Blind<F> {`
Refactor module tree. 2020-09-07 09:22:25 -07:00			`fn add_assign(&mut self, rhs: Blind<F>) {`
			`self.0 += rhs.0;`
			`}`
			`}`

Introduce typed challenge scalars This also centralises the challenge generation logic in Challenge::get, ensuring it is consistent across the codebase. 2020-11-25 11:26:31 -08:00			`impl<F: FieldExt> MulAssign for Blind<F> {`
Refactor module tree. 2020-09-07 09:22:25 -07:00			`fn mul_assign(&mut self, rhs: Blind<F>) {`
			`self.0 *= rhs.0;`
			`}`
			`}`

Introduce typed challenge scalars This also centralises the challenge generation logic in Challenge::get, ensuring it is consistent across the codebase. 2020-11-25 11:26:31 -08:00			`impl<F: FieldExt> AddAssign<F> for Blind<F> {`
Refactor module tree. 2020-09-07 09:22:25 -07:00			`fn add_assign(&mut self, rhs: F) {`
			`self.0 += rhs;`
			`}`
			`}`

Introduce typed challenge scalars This also centralises the challenge generation logic in Challenge::get, ensuring it is consistent across the codebase. 2020-11-25 11:26:31 -08:00			`impl<F: FieldExt> MulAssign<F> for Blind<F> {`
Refactor module tree. 2020-09-07 09:22:25 -07:00			`fn mul_assign(&mut self, rhs: F) {`
			`self.0 *= rhs;`
			`}`
			`}`

			`#[test]`
			`fn test_commit_lagrange() {`
			`const K: u32 = 6;`

Rename curves to Pallas/Vesta (Pasta). 2020-12-03 12:45:13 -08:00			`use crate::pasta::{EpAffine, Fp, Fq};`
cargo fmt 2020-12-03 12:59:17 -08:00			`use crate::transcript::DummyHash;`
Refactor module tree. 2020-09-07 09:22:25 -07:00			`let params = Params::<EpAffine>::new::<DummyHash<Fp>>(K);`
			`let domain = super::EvaluationDomain::new(1, K);`

			`let mut a = domain.empty_lagrange();`

			`for (i, a) in a.iter_mut().enumerate() {`
			`*a = Fq::from(i as u64);`
			`}`

			`let b = domain.lagrange_to_coeff(a.clone());`

Migrate to ff traits The `Field` trait in this crate is now `FieldExt: ff::PrimeField`. 2020-11-12 16:08:08 -08:00			`let alpha = Blind(Fq::rand());`
Refactor module tree. 2020-09-07 09:22:25 -07:00
			`assert_eq!(params.commit(&b, alpha), params.commit_lagrange(&a, alpha));`
			`}`

			`#[test]`
			`fn test_opening_proof() {`
			`const K: u32 = 6;`

Migrate to ff traits The `Field` trait in this crate is now `FieldExt: ff::PrimeField`. 2020-11-12 16:08:08 -08:00			`use ff::Field;`

Refactor module tree. 2020-09-07 09:22:25 -07:00			`use super::{`
			`commitment::{Blind, Params},`
			`EvaluationDomain,`
			`};`
Introduce typed challenge scalars This also centralises the challenge generation logic in Challenge::get, ensuring it is consistent across the codebase. 2020-11-25 11:26:31 -08:00			`use crate::arithmetic::{eval_polynomial, Curve, FieldExt};`
Rename curves to Pallas/Vesta (Pasta). 2020-12-03 12:45:13 -08:00			`use crate::pasta::{EpAffine, Fp, Fq};`
cargo fmt 2020-12-03 12:59:17 -08:00			`use crate::transcript::{ChallengeScalar, DummyHash, Transcript};`
Refactor module tree. 2020-09-07 09:22:25 -07:00
			`let params = Params::<EpAffine>::new::<DummyHash<Fp>>(K);`
			`let domain = EvaluationDomain::new(1, K);`

			`let mut px = domain.empty_coeff();`

			`for (i, a) in px.iter_mut().enumerate() {`
			`*a = Fq::from(i as u64);`
			`}`

Migrate to ff traits The `Field` trait in this crate is now `FieldExt: ff::PrimeField`. 2020-11-12 16:08:08 -08:00			`let blind = Blind(Fq::rand());`
Refactor module tree. 2020-09-07 09:22:25 -07:00
			`let p = params.commit(&px, blind).to_affine();`

Remove unnecessary Transcript::init_with_hashers constructor 2020-11-25 11:13:45 -08:00			`let mut transcript = Transcript::<_, DummyHash<_>, DummyHash<_>>::new();`
			`transcript.absorb_point(&p).unwrap();`
Fix challenge types in poly::multiopen and poly::commitment The argument to the poly::commitment prover and verifier was mistakenly represented as a challenge, when in fact the commitments may be opened at any scalar (which just happens to be a challenge within poly::multiopen). The poly::commitment APIs are now public again. 2020-12-01 14:34:18 -08:00			`let x = ChallengeScalar::<_, ()>::get(&mut transcript);`
Refactor module tree. 2020-09-07 09:22:25 -07:00			`// Evaluate the polynomial`
Fix challenge types in poly::multiopen and poly::commitment The argument to the poly::commitment prover and verifier was mistakenly represented as a challenge, when in fact the commitments may be opened at any scalar (which just happens to be a challenge within poly::multiopen). The poly::commitment APIs are now public again. 2020-12-01 14:34:18 -08:00			`let v = eval_polynomial(&px, *x);`
Refactor module tree. 2020-09-07 09:22:25 -07:00
Remove unnecessary Transcript::init_with_hashers constructor 2020-11-25 11:13:45 -08:00			`transcript.absorb_base(Fp::from_bytes(&v.to_bytes()).unwrap()); // unlikely to fail since p ~ q`
Refactor module tree. 2020-09-07 09:22:25 -07:00
			`loop {`
Clippy fixes 2020-11-12 00:09:26 -08:00			`let mut transcript_dup = transcript.clone();`
Refactor module tree. 2020-09-07 09:22:25 -07:00
Fix challenge types in poly::multiopen and poly::commitment The argument to the poly::commitment prover and verifier was mistakenly represented as a challenge, when in fact the commitments may be opened at any scalar (which just happens to be a challenge within poly::multiopen). The poly::commitment APIs are now public again. 2020-12-01 14:34:18 -08:00			`let opening_proof = Proof::create(&params, &mut transcript, &px, blind, *x);`
Clippy fixes 2020-11-12 00:09:26 -08:00			`if let Ok(opening_proof) = opening_proof {`
Add MSM and Guard structs in polycommit scheme 2020-09-09 06:00:36 -07:00			`// Verify the opening proof`
Mitigate unnecessary scaling operations in commitment verifier. 2020-09-15 16:42:02 -07:00			`let mut commitment_msm = params.empty_msm();`
Parallelize and rename methods in msm.rs 2020-11-11 22:14:01 -08:00			`commitment_msm.append_term(Field::one(), p);`
Only return Guard from OpeningProof.verify() 2020-09-12 09:45:11 -07:00			`let guard = opening_proof`
Mitigate unnecessary scaling operations in commitment verifier. 2020-09-15 16:42:02 -07:00			`.verify(`
			`&params,`
			`params.empty_msm(),`
Clippy fixes 2020-11-12 00:09:26 -08:00			`&mut transcript_dup,`
Fix challenge types in poly::multiopen and poly::commitment The argument to the poly::commitment prover and verifier was mistakenly represented as a challenge, when in fact the commitments may be opened at any scalar (which just happens to be a challenge within poly::multiopen). The poly::commitment APIs are now public again. 2020-12-01 14:34:18 -08:00			`*x,`
Mitigate unnecessary scaling operations in commitment verifier. 2020-09-15 16:42:02 -07:00			`commitment_msm,`
			`v,`
			`)`
Fix bug in compute_g() 2020-09-13 08:10:37 -07:00			`.unwrap();`

Minor adjustments to tests and documentation 2020-09-13 09:17:00 -07:00			`// Test guard behavior prior to checking another proof`
			`{`
			`// Test use_challenges()`
			`let msm_challenges = guard.clone().use_challenges();`
Address clippy lints 2020-09-20 12:09:03 -07:00			`assert!(msm_challenges.eval());`
Minor adjustments to tests and documentation 2020-09-13 09:17:00 -07:00
			`// Test use_g()`
			`let g = guard.compute_g();`
			`let (msm_g, _accumulator) = guard.clone().use_g(g);`
Address clippy lints 2020-09-20 12:09:03 -07:00			`assert!(msm_g.eval());`
Minor adjustments to tests and documentation 2020-09-13 09:17:00 -07:00
Clippy fixes 2020-11-12 00:09:26 -08:00			`break;`
			`}`
			`} else {`
			`transcript = transcript_dup;`
			`transcript.absorb_base(Field::one());`
Refactor module tree. 2020-09-07 09:22:25 -07:00			`}`
			`}`
			`}`