Change verification API to allow the caller to supply instances as slices of scalars rather than commitments.

2021-07-13 12:08:16 -06:00 · 2021-07-13 12:08:16 -06:00 · 0dc4447ad8
parent f532b7e973
commit 0dc4447ad8
3 changed files with 47 additions and 21 deletions
--- a/src/dev.rs
+++ b/src/dev.rs
@ -416,6 +416,22 @@ impl<F: FieldExt> MockProver<F> {
            return Err(Error::NotEnoughRowsAvailable);
        }

+        if instance.len() != cs.num_instance_columns {
+            return Err(Error::IncompatibleParams);
+        }
+
+        let instance = instance
+            .into_iter()
+            .map(|mut instance| {
+                if instance.len() > n - (cs.blinding_factors() + 1) {
+                    return Err(Error::InstanceTooLarge);
+                }
+
+                instance.resize(n, F::zero());
+                Ok(instance)
+            })
+            .collect::<Result<Vec<_>, _>>()?;
+
        let fixed = vec![vec![None; n]; cs.num_fixed_columns];
        let advice = vec![vec![None; n]; cs.num_advice_columns];
        let permutation = permutation::keygen::Assembly::new(n, &cs.permutation);
--- a/src/plonk/verifier.rs
+++ b/src/plonk/verifier.rs
@ -1,4 +1,5 @@
 use ff::Field;
+use group::Curve;
 use std::iter;

 use super::{
@ -7,7 +8,7 @@ use super::{
 };
 use crate::arithmetic::{CurveAffine, FieldExt};
 use crate::poly::{
-    commitment::{Guard, Params, MSM},
+    commitment::{Blind, Guard, Params, MSM},
    multiopen::{self, VerifierQuery},
 };
 use crate::transcript::{read_n_points, read_n_scalars, EncodedChallenge, TranscriptRead};
@ -17,16 +18,35 @@ pub fn verify_proof<'params, C: CurveAffine, E: EncodedChallenge<C>, T: Transcri
    params: &'params Params<C>,
    vk: &VerifyingKey<C>,
    msm: MSM<'params, C>,
-    instance_commitments: &[&[C]],
+    instances: &[&[&[C::Scalar]]],
    transcript: &mut T,
 ) -> Result<Guard<'params, C, E>, Error> {
-    // Check that instance_commitments matches the expected number of instance columns
-    for instance_commitments in instance_commitments.iter() {
-        if instance_commitments.len() != vk.cs.num_instance_columns {
+    // Check that instances matches the expected number of instance columns
+    for instances in instances.iter() {
+        if instances.len() != vk.cs.num_instance_columns {
            return Err(Error::IncompatibleParams);
        }
    }

+    let instance_commitments = instances
+        .iter()
+        .map(|instance| {
+            Ok(instance
+                .iter()
+                .map(|instance| {
+                    if instance.len() > params.n as usize - (vk.cs.blinding_factors() + 1) {
+                        return Err(Error::InstanceTooLarge);
+                    }
+                    let mut poly = instance.to_vec();
+                    poly.resize(params.n as usize, C::Scalar::zero());
+                    let poly = vk.domain.lagrange_from_vec(poly);
+
+                    Ok(params.commit_lagrange(&poly, Blind::default()).to_affine())
+                })
+                .collect::<Result<Vec<_>, _>>()?)
+        })
+        .collect::<Result<Vec<_>, _>>()?;
+
    let num_proofs = instance_commitments.len();

    // Hash verification key into transcript
@ -35,7 +55,7 @@ pub fn verify_proof<'params, C: CurveAffine, E: EncodedChallenge<C>, T: Transcri

    for instance_commitments in instance_commitments.iter() {
        // Hash the instance (external) commitments into the transcript
-        for commitment in *instance_commitments {
+        for commitment in instance_commitments {
            transcript
                .common_point(*commitment)
                .map_err(|_| Error::TranscriptError)?
--- a/tests/plonk_api.rs
+++ b/tests/plonk_api.rs
@ -1,7 +1,6 @@
 #![allow(clippy::many_single_char_names)]
 #![allow(clippy::op_ref)]

-use group::Curve;
 use halo2::arithmetic::FieldExt;
 use halo2::circuit::{Cell, Layouter, SimpleFloorPlanner};
 use halo2::dev::MockProver;
@ -10,10 +9,7 @@ use halo2::plonk::{
    create_proof, keygen_pk, keygen_vk, verify_proof, Advice, Circuit, Column, ConstraintSystem,
    Error, Fixed, VerifyingKey,
 };
-use halo2::poly::{
-    commitment::{Blind, Params},
-    Rotation,
-};
+use halo2::poly::{commitment::Params, Rotation};
 use halo2::transcript::{Blake2bRead, Blake2bWrite, Challenge255};
 use std::marker::PhantomData;

@ -423,14 +419,10 @@ fn plonk_api() {
    let vk = keygen_vk(&params, &empty_circuit).expect("keygen_vk should not fail");
    let pk = keygen_pk(&params, vk, &empty_circuit).expect("keygen_pk should not fail");

-    let mut pubinputs = pk.get_vk().get_domain().empty_lagrange();
-    pubinputs[0] = instance;
-    let pubinput = params
-        .commit_lagrange(&pubinputs, Blind::default())
-        .to_affine();
+    let pubinputs = vec![instance];

    // Check this circuit is satisfied.
-    let prover = match MockProver::run(K, &circuit, vec![pubinputs.to_vec()]) {
+    let prover = match MockProver::run(K, &circuit, vec![pubinputs.clone()]) {
        Ok(prover) => prover,
        Err(e) => panic!("{:?}", e),
    };
@ -449,15 +441,13 @@ fn plonk_api() {
        .expect("proof generation should not fail");
        let proof: Vec<u8> = transcript.finalize();

-        let pubinput_slice = &[pubinput];
-        let pubinput_slice_copy = &[pubinput];
        let msm = params.empty_msm();
        let mut transcript = Blake2bRead::<_, _, Challenge255<_>>::init(&proof[..]);
        let guard = verify_proof(
            &params,
            pk.get_vk(),
            msm,
-            &[pubinput_slice, pubinput_slice_copy],
+            &[&[&pubinputs[..]], &[&pubinputs[..]]],
            &mut transcript,
        )
        .unwrap();
@ -481,7 +471,7 @@ fn plonk_api() {
            &params,
            &vk,
            msm,
-            &[pubinput_slice, pubinput_slice_copy],
+            &[&[&pubinputs[..]], &[&pubinputs[..]]],
            &mut transcript,
        )
        .unwrap();