Merge pull request #24 from zcash/remove-fork-hack
Remove fork hack from OpeningProof::create()
commit
0eed821083
|
@ -529,14 +529,18 @@ impl<C: CurveAffine> Proof<C> {
|
||||||
})
|
})
|
||||||
.or_else(|| Some(poly));
|
.or_else(|| Some(poly));
|
||||||
}
|
}
|
||||||
let mut f_poly = f_poly.unwrap();
|
|
||||||
|
let f_poly = f_poly.unwrap();
|
||||||
let mut f_blind = Blind(C::Scalar::random());
|
let mut f_blind = Blind(C::Scalar::random());
|
||||||
|
let mut f_commitment = params.commit(&f_poly, f_blind).to_affine();
|
||||||
|
|
||||||
let f_commitment = params.commit(&f_poly, f_blind).to_affine();
|
let (opening, q_evals) = loop {
|
||||||
|
let mut transcript = transcript.clone();
|
||||||
|
let mut transcript_scalar = transcript_scalar.clone();
|
||||||
hash_point(&mut transcript, &f_commitment)?;
|
hash_point(&mut transcript, &f_commitment)?;
|
||||||
|
|
||||||
let x_6: C::Scalar = get_challenge_scalar(Challenge(transcript.squeeze().get_lower_128()));
|
let x_6: C::Scalar =
|
||||||
|
get_challenge_scalar(Challenge(transcript.squeeze().get_lower_128()));
|
||||||
|
|
||||||
let mut q_evals = vec![C::Scalar::zero(); meta.rotations.len()];
|
let mut q_evals = vec![C::Scalar::zero(); meta.rotations.len()];
|
||||||
|
|
||||||
|
@ -553,11 +557,14 @@ impl<C: CurveAffine> Proof<C> {
|
||||||
C::Base::from_bytes(&(transcript_scalar.squeeze()).to_bytes()).unwrap();
|
C::Base::from_bytes(&(transcript_scalar.squeeze()).to_bytes()).unwrap();
|
||||||
transcript.absorb(transcript_scalar_point);
|
transcript.absorb(transcript_scalar_point);
|
||||||
|
|
||||||
let x_7: C::Scalar = get_challenge_scalar(Challenge(transcript.squeeze().get_lower_128()));
|
let x_7: C::Scalar =
|
||||||
|
get_challenge_scalar(Challenge(transcript.squeeze().get_lower_128()));
|
||||||
|
|
||||||
|
let mut f_blind_dup = f_blind.clone();
|
||||||
|
let mut f_poly = f_poly.clone();
|
||||||
for (_, &point_index) in meta.rotations.iter() {
|
for (_, &point_index) in meta.rotations.iter() {
|
||||||
f_blind *= x_7;
|
f_blind_dup *= x_7;
|
||||||
f_blind += q_blinds[point_index.0];
|
f_blind_dup += q_blinds[point_index.0];
|
||||||
|
|
||||||
parallelize(&mut f_poly, |f, start| {
|
parallelize(&mut f_poly, |f, start| {
|
||||||
for (f, a) in f
|
for (f, a) in f
|
||||||
|
@ -569,10 +576,15 @@ impl<C: CurveAffine> Proof<C> {
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
let opening = OpeningProof::create(¶ms, &mut transcript, &f_poly, f_blind_dup, x_6);
|
||||||
|
|
||||||
// Let's prove that the q_commitment opens at x to the expected value.
|
if opening.is_ok() {
|
||||||
let opening = OpeningProof::create(¶ms, &mut transcript, &f_poly, f_blind, x_6)
|
break (opening.unwrap(), q_evals);
|
||||||
.map_err(|_| Error::ConstraintSystemFailure)?;
|
} else {
|
||||||
|
f_blind += C::Scalar::one();
|
||||||
|
f_commitment = (f_commitment + params.h).to_affine();
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
Ok(Proof {
|
Ok(Proof {
|
||||||
advice_commitments,
|
advice_commitments,
|
||||||
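Review bot: The retry branch at the end of the new loop (`if opening.is_ok() { break (opening.unwrap(), q_evals); } else { … }`) treats every `Err` from `OpeningProof::create` as "sample again", but `create` now returns `Result<Self, Error>` over an enum that also carries `OpeningError`, so any non-transient failure `create` reports in the future would spin this loop forever, and the old `.map_err(|_| Error::ConstraintSystemFailure)?` propagation is gone. Match on the variant instead: only `SamplingError` should bump the blind and re-derive the commitment, anything else should return the error as before (the path to the poly `Error` below is assumed from the `pub use domain::*;` hunk — adjust to this file's imports). Note also that the loop shadows `transcript`/`transcript_scalar` with clones, so the outer transcript never sees the commitment and evaluations of the accepted iteration; that is harmless here only because the function returns `Ok(Proof { … })` right after, and a one-line comment saying so would stop a later change from reusing it. The `f_commitment + params.h` step relies on `params.h` being the blinding base used by `commit`, which is not visible in this hunk. The enclosing `loop` starts in the first hunk of this file and the function continues past this one.
```rust
                // … unchanged: transcript clones, x_6/x_7 challenges, q_evals, f_poly/f_blind_dup folding …
                match OpeningProof::create(&params, &mut transcript, &f_poly, f_blind_dup, x_6) {
                    Ok(opening) => break (opening, q_evals),
                    // Only a failed sampling of U is transient: bump the blind and re-derive the
                    // commitment (presumably commit(f, b + 1) = commit(f, b) + params.h), then
                    // redo the transcript on the next iteration.
                    Err(crate::poly::Error::SamplingError) => {
                        f_blind += C::Scalar::one();
                        f_commitment = (f_commitment + params.h).to_affine();
                    }
                    // Anything else is a real failure; keep the pre-commit mapping instead of looping.
                    Err(_) => return Err(Error::ConstraintSystemFailure),
                }
```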
|
|
|
@ -19,6 +19,8 @@ pub use domain::*;
|
||||||
pub enum Error {
|
pub enum Error {
|
||||||
/// OpeningProof is not well-formed
|
/// OpeningProof is not well-formed
|
||||||
OpeningError,
|
OpeningError,
|
||||||
|
/// Caller needs to re-sample a point
|
||||||
|
SamplingError,
|
||||||
}
|
}
|
||||||
|
|
||||||
/// The basis over which a polynomial is described.
|
/// The basis over which a polynomial is described.
|
||||||
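Review bot: The doc comment on the new `SamplingError` variant, `/// Caller needs to re-sample a point`, does not say what was sampled, why it failed, or how a caller recovers, which is the whole contract the prover's retry loop relies on. Suggest: `/// The transcript-derived x-coordinate of U has no square root on the curve, so no point could be sampled; the caller must retry from a transcript state taken before the failing call, with a different commitment or blind.` The `OpeningError` doc above it is terse too but self-explanatory, so only the new variant needs the longer text.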
|
|
|
@ -16,7 +16,6 @@ mod verifier;
|
||||||
/// This is a proof object for the polynomial commitment scheme opening.
|
/// This is a proof object for the polynomial commitment scheme opening.
|
||||||
#[derive(Debug, Clone)]
|
#[derive(Debug, Clone)]
|
||||||
pub struct OpeningProof<C: CurveAffine> {
|
pub struct OpeningProof<C: CurveAffine> {
|
||||||
fork: u8,
|
|
||||||
rounds: Vec<(C, C)>,
|
rounds: Vec<(C, C)>,
|
||||||
delta: C,
|
delta: C,
|
||||||
z1: C::Scalar,
|
z1: C::Scalar,
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
use super::super::{Coeff, Polynomial};
|
use super::super::{Coeff, Error, Polynomial};
|
||||||
use super::{Blind, OpeningProof, Params};
|
use super::{Blind, OpeningProof, Params};
|
||||||
use crate::arithmetic::{
|
use crate::arithmetic::{
|
||||||
best_multiexp, compute_inner_product, get_challenge_scalar, parallelize, small_multiexp,
|
best_multiexp, compute_inner_product, get_challenge_scalar, parallelize, small_multiexp,
|
||||||
|
@ -26,40 +26,22 @@ impl<C: CurveAffine> OpeningProof<C> {
|
||||||
px: &Polynomial<C::Scalar, Coeff>,
|
px: &Polynomial<C::Scalar, Coeff>,
|
||||||
blind: Blind<C::Scalar>,
|
blind: Blind<C::Scalar>,
|
||||||
x: C::Scalar,
|
x: C::Scalar,
|
||||||
) -> Result<Self, ()> {
|
) -> Result<Self, Error> {
|
||||||
let mut blind = blind.0;
|
let mut blind = blind.0;
|
||||||
|
|
||||||
// We're limited to polynomials of degree n - 1.
|
// We're limited to polynomials of degree n - 1.
|
||||||
assert!(px.len() <= params.n as usize);
|
assert!(px.len() <= params.n as usize);
|
||||||
|
|
||||||
let mut fork = 0;
|
|
||||||
|
|
||||||
// TODO: remove this hack and force the caller to deal with it
|
|
||||||
loop {
|
|
||||||
let mut transcript = transcript.clone();
|
|
||||||
transcript.absorb(C::Base::from_u64(fork as u64));
|
|
||||||
let u_x = transcript.squeeze();
|
|
||||||
// y^2 = x^3 + B
|
|
||||||
let u_y2 = u_x.square() * &u_x + &C::b();
|
|
||||||
let u_y = u_y2.deterministic_sqrt();
|
|
||||||
|
|
||||||
if u_y.is_none() {
|
|
||||||
fork += 1;
|
|
||||||
} else {
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
transcript.absorb(C::Base::from_u64(fork as u64));
|
|
||||||
|
|
||||||
// Compute U
|
// Compute U
|
||||||
let u = {
|
let u = {
|
||||||
let u_x = transcript.squeeze();
|
let u_x = transcript.squeeze();
|
||||||
// y^2 = x^3 + B
|
// y^2 = x^3 + B
|
||||||
let u_y2 = u_x.square() * &u_x + &C::b();
|
let u_y2 = u_x.square() * &u_x + &C::b();
|
||||||
let u_y = u_y2.deterministic_sqrt().unwrap();
|
if let Some(u_y) = u_y2.deterministic_sqrt() {
|
||||||
|
|
||||||
C::from_xy(u_x, u_y).unwrap()
|
C::from_xy(u_x, u_y).unwrap()
|
||||||
|
} else {
|
||||||
|
return Err(Error::SamplingError);
|
||||||
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
// Initialize the vector `a` as the coefficients of the polynomial,
|
// Initialize the vector `a` as the coefficients of the polynomial,
|
||||||
|
@ -205,7 +187,6 @@ impl<C: CurveAffine> OpeningProof<C> {
|
||||||
let z2 = c * &blind + &s;
|
let z2 = c * &blind + &s;
|
||||||
|
|
||||||
Ok(OpeningProof {
|
Ok(OpeningProof {
|
||||||
fork,
|
|
||||||
rounds,
|
rounds,
|
||||||
delta,
|
delta,
|
||||||
z1,
|
z1,
|
||||||
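Review bot: The new `return Err(Error::SamplingError)` inside the `let u = { … }` block leaves the caller's transcript already squeezed (`transcript.squeeze()` runs before the early return), so a retry with the same `&mut transcript` and the same commitment would derive the same `u_x` and fail again; that is exactly the contract the caller's retry loop depends on, and it is not documented. Add an `# Errors` section to the doc comment of `create`, e.g. `/// Returns Error::SamplingError when the transcript-derived x-coordinate of U has no square root; the transcript has been squeezed by then, so retry from a copy taken before this call with a changed commitment or blind.` The remaining `C::from_xy(u_x, u_y).unwrap()` is reached only after `u_y` was computed from `u_x` via the curve equation, so a comment stating why the unwrap cannot fire would help if `from_xy` does nothing more than that check; if it also performs a subgroup check this is not visible here and should be confirmed. The signature of `create` starts before this hunk and its body continues after it.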
|
|
|
@ -22,8 +22,6 @@ impl<C: CurveAffine> OpeningProof<C> {
|
||||||
return Err(Error::OpeningError);
|
return Err(Error::OpeningError);
|
||||||
}
|
}
|
||||||
|
|
||||||
transcript.absorb(C::Base::from_u64(self.fork as u64));
|
|
||||||
|
|
||||||
// Compute U
|
// Compute U
|
||||||
let u = {
|
let u = {
|
||||||
let u_x = transcript.squeeze();
|
let u_x = transcript.squeeze();
|
||||||
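Review bot: With the `fork` absorption removed, the verifier's `u_x = transcript.squeeze()` is derived from a transcript whose contents the prover controls through the proof, and if the lines after this hunk still compute `u_y` with `deterministic_sqrt().unwrap()` (as the pre-commit prover did), a proof whose `u_x^3 + b` is a non-square panics the verifier — a denial-of-service path on attacker-controlled input. Return an error instead, e.g. `let u_y = u_y2.deterministic_sqrt().ok_or(Error::OpeningError)?;`, and treat `C::from_xy(u_x, u_y)` the same way rather than unwrapping it. `Error::OpeningError` is already returned earlier in this hunk, so no new variant is needed. The enclosing verify function begins before this hunk and its body, including the rest of the `u` computation, continues past it.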
|
|