diff --git a/CHANGELOG.md b/CHANGELOG.md index c152e9ab..8caf16b4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ and this project adheres to Rust's notion of - `halo2::dev::LookupFailure` (used in `VerifyFailure::Lookup`) ### Changed +- `halo2::plonk::create_proof` now takes an `R: rand::RngCore` argument. - `halo2::plonk::Error` has been overhauled: - `Error` now implements `std::fmt::Display` and `std::error::Error`. - `Error` no longer implements `PartialEq`. Tests can check for specific error diff --git a/benches/arithmetic.rs b/benches/arithmetic.rs index ec13c74b..e6e4f242 100644 --- a/benches/arithmetic.rs +++ b/benches/arithmetic.rs @@ -2,14 +2,18 @@ extern crate criterion; extern crate halo2; -use crate::arithmetic::{small_multiexp, FieldExt}; +use crate::arithmetic::small_multiexp; use crate::pasta::{EqAffine, Fp}; use crate::poly::commitment::Params; +use group::ff::Field; use halo2::*; use criterion::{black_box, Criterion}; +use rand::rngs::OsRng; fn criterion_benchmark(c: &mut Criterion) { + let rng = OsRng; + // small multiexp { let params: Params = Params::new(5); @@ -17,8 +21,8 @@ fn criterion_benchmark(c: &mut Criterion) { let len = g.len() / 2; let (g_lo, g_hi) = g.split_at_mut(len); - let coeff_1 = Fp::rand(); - let coeff_2 = Fp::rand(); + let coeff_1 = Fp::random(rng); + let coeff_2 = Fp::random(rng); c.bench_function("double-and-add", |b| { b.iter(|| { diff --git a/benches/plonk.rs b/benches/plonk.rs index 30fe5234..bf0415c4 100644 --- a/benches/plonk.rs +++ b/benches/plonk.rs @@ -2,12 +2,14 @@ extern crate criterion; extern crate halo2; +use group::ff::Field; use halo2::arithmetic::FieldExt; use halo2::circuit::{Cell, Layouter, SimpleFloorPlanner}; use halo2::pasta::{EqAffine, Fp}; use halo2::plonk::*; use halo2::poly::{commitment::Params, Rotation}; use halo2::transcript::{Blake2bRead, Blake2bWrite, Challenge255}; +use rand::rngs::OsRng; use std::marker::PhantomData; @@ -253,13 +255,15 @@ fn criterion_benchmark(c: &mut Criterion) { } fn prover(k: u32, params: &Params, pk: &ProvingKey) -> Vec { + let rng = OsRng; + let circuit: MyCircuit = MyCircuit { - a: Some(Fp::rand()), + a: Some(Fp::random(rng)), k, }; let mut transcript = Blake2bWrite::<_, _, Challenge255<_>>::init(vec![]); - create_proof(params, pk, &[circuit], &[&[]], &mut transcript) + create_proof(params, pk, &[circuit], &[&[]], rng, &mut transcript) .expect("proof generation should not fail"); transcript.finalize() } diff --git a/examples/sha256/benches.rs b/examples/sha256/benches.rs index 76ba9099..e24705e5 100644 --- a/examples/sha256/benches.rs +++ b/examples/sha256/benches.rs @@ -8,6 +8,7 @@ use halo2::{ poly::commitment::Params, transcript::{Blake2bRead, Blake2bWrite, Challenge255}, }; +use rand::rngs::OsRng; use std::{ fs::File, @@ -134,7 +135,7 @@ fn bench(name: &str, k: u32, c: &mut Criterion) { let proof_path = Path::new("./benches/sha256_assets/sha256_proof"); if File::open(&proof_path).is_err() { let mut transcript = Blake2bWrite::<_, _, Challenge255<_>>::init(vec![]); - create_proof(¶ms, &pk, &[circuit], &[], &mut transcript) + create_proof(¶ms, &pk, &[circuit], &[], OsRng, &mut transcript) .expect("proof generation should not fail"); let proof: Vec = transcript.finalize(); let mut file = File::create(&proof_path).expect("Failed to create sha256_proof"); diff --git a/examples/two-chip.rs b/examples/two-chip.rs index 117eac93..680511ef 100644 --- a/examples/two-chip.rs +++ b/examples/two-chip.rs @@ -513,7 +513,9 @@ impl Circuit for MyCircuit { #[allow(clippy::many_single_char_names)] fn main() { + use group::ff::Field; use halo2::{dev::MockProver, pasta::Fp}; + use rand::rngs::OsRng; // ANCHOR: test-circuit // The number of rows in our circuit cannot exceed 2^k. Since our example @@ -521,9 +523,10 @@ fn main() { let k = 4; // Prepare the private and public inputs to the circuit! - let a = Fp::rand(); - let b = Fp::rand(); - let c = Fp::rand(); + let rng = OsRng; + let a = Fp::random(rng); + let b = Fp::random(rng); + let c = Fp::random(rng); let d = (a + b) * c; // Instantiate the circuit with the private inputs. diff --git a/src/arithmetic.rs b/src/arithmetic.rs index 4d1031ce..0dac0fe2 100644 --- a/src/arithmetic.rs +++ b/src/arithmetic.rs @@ -402,13 +402,18 @@ pub fn lagrange_interpolate(points: &[F], evals: &[F]) -> Vec { } } +#[cfg(test)] +use rand::rngs::OsRng; + #[cfg(test)] use crate::pasta::Fp; #[test] fn test_lagrange_interpolate() { - let points = (0..5).map(|_| Fp::rand()).collect::>(); - let evals = (0..5).map(|_| Fp::rand()).collect::>(); + let rng = OsRng; + + let points = (0..5).map(|_| Fp::random(rng)).collect::>(); + let evals = (0..5).map(|_| Fp::random(rng)).collect::>(); for coeffs in 0..5 { let points = &points[0..coeffs]; diff --git a/src/plonk/lookup/prover.rs b/src/plonk/lookup/prover.rs index 6e7c60d3..80e29a14 100644 --- a/src/plonk/lookup/prover.rs +++ b/src/plonk/lookup/prover.rs @@ -16,6 +16,7 @@ use group::{ ff::{BatchInvert, Field}, Curve, }; +use rand::RngCore; use std::{ collections::BTreeMap, iter, @@ -73,6 +74,7 @@ impl Argument { 'a, C, E: EncodedChallenge, + R: RngCore, T: TranscriptWrite, >( &self, @@ -86,6 +88,7 @@ impl Argument { advice_cosets: &'a [Polynomial], fixed_cosets: &'a [Polynomial], instance_cosets: &'a [Polynomial], + mut rng: R, transcript: &mut T, ) -> Result, Error> where @@ -173,14 +176,6 @@ impl Argument { ) }; - // Closure to construct commitment to vector of values - let commit_values = |values: &Polynomial| { - let poly = pk.vk.domain.lagrange_to_coeff(values.clone()); - let blind = Blind(C::Scalar::rand()); - let commitment = params.commit_lagrange(values, blind).to_affine(); - (poly, blind, commitment) - }; - // Get values of input expressions involved in the lookup and compress them let (unpermuted_input_expressions, unpermuted_input_cosets, compressed_input_expression) = compress_expressions(&self.input_expressions); @@ -190,14 +185,23 @@ impl Argument { compress_expressions(&self.table_expressions); // Permute compressed (InputExpression, TableExpression) pair - let (permuted_input_expression, permuted_table_expression) = permute_expression_pair::( + let (permuted_input_expression, permuted_table_expression) = permute_expression_pair::( pk, params, domain, + &mut rng, &compressed_input_expression, &compressed_table_expression, )?; + // Closure to construct commitment to vector of values + let mut commit_values = |values: &Polynomial| { + let poly = pk.vk.domain.lagrange_to_coeff(values.clone()); + let blind = Blind(C::Scalar::random(&mut rng)); + let commitment = params.commit_lagrange(values, blind).to_affine(); + (poly, blind, commitment) + }; + // Commit to permuted input expression let (permuted_input_poly, permuted_input_blind, permuted_input_commitment) = commit_values(&permuted_input_expression); @@ -238,13 +242,18 @@ impl Permuted { /// grand product polynomial over the lookup. The grand product polynomial /// is used to populate the Product struct. The Product struct is /// added to the Lookup and finally returned by the method. - pub(in crate::plonk) fn commit_product, T: TranscriptWrite>( + pub(in crate::plonk) fn commit_product< + E: EncodedChallenge, + R: RngCore, + T: TranscriptWrite, + >( self, pk: &ProvingKey, params: &Params, theta: ChallengeTheta, beta: ChallengeBeta, gamma: ChallengeGamma, + mut rng: R, transcript: &mut T, ) -> Result, Error> { let blinding_factors = pk.vk.cs.blinding_factors(); @@ -326,7 +335,7 @@ impl Permuted { // be a boolean (and ideally 1, else soundness is broken) .take(params.n as usize - blinding_factors) // Chain random blinding factors. - .chain((0..blinding_factors).map(|_| C::Scalar::rand())) + .chain((0..blinding_factors).map(|_| C::Scalar::random(&mut rng))) .collect::>(); assert_eq!(z.len(), params.n as usize); let z = pk.vk.domain.lagrange_from_vec(z); @@ -376,7 +385,7 @@ impl Permuted { assert_eq!(z[u], C::Scalar::one()); } - let product_blind = Blind(C::Scalar::rand()); + let product_blind = Blind(C::Scalar::random(rng)); let product_commitment = params.commit_lagrange(&z, product_blind).to_affine(); let z = pk.vk.domain.lagrange_to_coeff(z); let product_coset = pk.vk.domain.coeff_to_extended(z.clone()); @@ -587,10 +596,11 @@ type ExpressionPair = (Polynomial, Polynomial( +fn permute_expression_pair( pk: &ProvingKey, params: &Params, domain: &EvaluationDomain, + mut rng: R, input_expression: &Polynomial, table_expression: &Polynomial, ) -> Result, Error> { @@ -645,8 +655,9 @@ fn permute_expression_pair( } assert!(repeated_input_rows.is_empty()); - permuted_input_expression.extend((0..(blinding_factors + 1)).map(|_| C::Scalar::rand())); - permuted_table_coeffs.extend((0..(blinding_factors + 1)).map(|_| C::Scalar::rand())); + permuted_input_expression + .extend((0..(blinding_factors + 1)).map(|_| C::Scalar::random(&mut rng))); + permuted_table_coeffs.extend((0..(blinding_factors + 1)).map(|_| C::Scalar::random(&mut rng))); assert_eq!(permuted_input_expression.len(), params.n as usize); assert_eq!(permuted_table_coeffs.len(), params.n as usize); diff --git a/src/plonk/permutation/prover.rs b/src/plonk/permutation/prover.rs index 58c8c69c..fc3a8e7b 100644 --- a/src/plonk/permutation/prover.rs +++ b/src/plonk/permutation/prover.rs @@ -2,6 +2,7 @@ use group::{ ff::{BatchInvert, Field}, Curve, }; +use rand::RngCore; use std::iter::{self, ExactSizeIterator}; use super::super::{circuit::Any, ChallengeBeta, ChallengeGamma, ChallengeX}; @@ -44,6 +45,7 @@ impl Argument { pub(in crate::plonk) fn commit< C: CurveAffine, E: EncodedChallenge, + R: RngCore, T: TranscriptWrite, >( &self, @@ -55,6 +57,7 @@ impl Argument { instance: &[Polynomial], beta: ChallengeBeta, gamma: ChallengeGamma, + mut rng: R, transcript: &mut T, ) -> Result, Error> { let domain = &pk.vk.domain; @@ -155,12 +158,12 @@ impl Argument { let mut z = domain.lagrange_from_vec(z); // Set blinding factors for z in &mut z[params.n as usize - blinding_factors..] { - *z = C::Scalar::rand(); + *z = C::Scalar::random(&mut rng); } // Set new last_z last_z = z[params.n as usize - (blinding_factors + 1)]; - let blind = Blind(C::Scalar::rand()); + let blind = Blind(C::Scalar::random(&mut rng)); let permutation_product_commitment_projective = params.commit_lagrange(&z, blind); let permutation_product_blind = blind; diff --git a/src/plonk/prover.rs b/src/plonk/prover.rs index 1cfd233e..46503c5a 100644 --- a/src/plonk/prover.rs +++ b/src/plonk/prover.rs @@ -1,5 +1,6 @@ use ff::Field; use group::Curve; +use rand::{rngs::OsRng, RngCore}; use std::iter; use std::ops::RangeTo; @@ -32,6 +33,7 @@ use crate::{ pub fn create_proof< C: CurveAffine, E: EncodedChallenge, + R: RngCore, T: TranscriptWrite, ConcreteCircuit: Circuit, >( @@ -39,6 +41,7 @@ pub fn create_proof< pk: &ProvingKey, circuits: &[ConcreteCircuit], instances: &[&[&[C::Scalar]]], + mut rng: R, transcript: &mut T, ) -> Result<(), Error> { for instance in instances.iter() { @@ -284,12 +287,15 @@ pub fn create_proof< // Add blinding factors to advice columns for advice in &mut advice { for cell in &mut advice[unusable_rows_start..] { - *cell = C::Scalar::rand(); + *cell = C::Scalar::random(&mut rng); } } // Compute commitments to advice column polynomials - let advice_blinds: Vec<_> = advice.iter().map(|_| Blind(C::Scalar::rand())).collect(); + let advice_blinds: Vec<_> = advice + .iter() + .map(|_| Blind(C::Scalar::random(&mut rng))) + .collect(); let advice_commitments_projective: Vec<_> = advice .iter() .zip(advice_blinds.iter()) @@ -348,6 +354,7 @@ pub fn create_proof< &advice.advice_cosets, &pk.fixed_cosets, &instance.instance_cosets, + &mut rng, transcript, ) }) @@ -375,6 +382,7 @@ pub fn create_proof< &instance.instance_values, beta, gamma, + &mut rng, transcript, ) }) @@ -386,13 +394,15 @@ pub fn create_proof< // Construct and commit to products for each lookup lookups .into_iter() - .map(|lookup| lookup.commit_product(pk, params, theta, beta, gamma, transcript)) + .map(|lookup| { + lookup.commit_product(pk, params, theta, beta, gamma, &mut rng, transcript) + }) .collect::, _>>() }) .collect::, _>>()?; // Commit to the vanishing argument's random polynomial for blinding h(x_3) - let vanishing = vanishing::Argument::commit(params, domain, transcript)?; + let vanishing = vanishing::Argument::commit(params, domain, &mut rng, transcript)?; // Obtain challenge for keeping all separate gates linearly independent let y: ChallengeY<_> = transcript.squeeze_challenge_scalar(); @@ -473,7 +483,7 @@ pub fn create_proof< ); // Construct the vanishing argument's h(X) commitments - let vanishing = vanishing.construct(params, domain, expressions, y, transcript)?; + let vanishing = vanishing.construct(params, domain, expressions, y, &mut rng, transcript)?; let x: ChallengeX<_> = transcript.squeeze_challenge_scalar(); let xn = x.pow(&[params.n as u64, 0, 0, 0]); @@ -601,5 +611,5 @@ pub fn create_proof< // We query the h(X) polynomial at x .chain(vanishing.open(x)); - multiopen::create_proof(params, transcript, instances).map_err(|_| Error::Opening) + multiopen::create_proof(params, rng, transcript, instances).map_err(|_| Error::Opening) } diff --git a/src/plonk/vanishing/prover.rs b/src/plonk/vanishing/prover.rs index 02dff0a6..d719947c 100644 --- a/src/plonk/vanishing/prover.rs +++ b/src/plonk/vanishing/prover.rs @@ -2,6 +2,7 @@ use std::iter; use ff::Field; use group::Curve; +use rand::RngCore; use super::Argument; use crate::{ @@ -33,18 +34,19 @@ pub(in crate::plonk) struct Evaluated { } impl Argument { - pub(in crate::plonk) fn commit, T: TranscriptWrite>( + pub(in crate::plonk) fn commit, R: RngCore, T: TranscriptWrite>( params: &Params, domain: &EvaluationDomain, + mut rng: R, transcript: &mut T, ) -> Result, Error> { // Sample a random polynomial of degree n - 1 let mut random_poly = domain.empty_coeff(); for coeff in random_poly.iter_mut() { - *coeff = C::Scalar::rand(); + *coeff = C::Scalar::random(&mut rng); } // Sample a random blinding factor - let random_blind = Blind(C::Scalar::rand()); + let random_blind = Blind(C::Scalar::random(rng)); // Commit let c = params.commit(&random_poly, random_blind).to_affine(); @@ -58,12 +60,17 @@ impl Argument { } impl Committed { - pub(in crate::plonk) fn construct, T: TranscriptWrite>( + pub(in crate::plonk) fn construct< + E: EncodedChallenge, + R: RngCore, + T: TranscriptWrite, + >( self, params: &Params, domain: &EvaluationDomain, expressions: impl Iterator>, y: ChallengeY, + mut rng: R, transcript: &mut T, ) -> Result, Error> { // Evaluate the h(X) polynomial's constraint system expressions for the constraints provided @@ -81,7 +88,10 @@ impl Committed { .map(|v| domain.coeff_from_vec(v.to_vec())) .collect::>(); drop(h_poly); - let h_blinds: Vec<_> = h_pieces.iter().map(|_| Blind(C::Scalar::rand())).collect(); + let h_blinds: Vec<_> = h_pieces + .iter() + .map(|_| Blind(C::Scalar::random(&mut rng))) + .collect(); // Compute commitments to each h(X) piece let h_commitments_projective: Vec<_> = h_pieces diff --git a/src/poly/commitment.rs b/src/poly/commitment.rs index d9e7cba2..30d164ef 100644 --- a/src/poly/commitment.rs +++ b/src/poly/commitment.rs @@ -256,6 +256,8 @@ impl MulAssign for Blind { fn test_commit_lagrange_epaffine() { const K: u32 = 6; + use rand::rngs::OsRng; + use crate::pasta::{EpAffine, Fq}; let params = Params::::new(K); let domain = super::EvaluationDomain::new(1, K); @@ -268,7 +270,7 @@ fn test_commit_lagrange_epaffine() { let b = domain.lagrange_to_coeff(a.clone()); - let alpha = Blind(Fq::rand()); + let alpha = Blind(Fq::random(OsRng)); assert_eq!(params.commit(&b, alpha), params.commit_lagrange(&a, alpha)); } @@ -277,6 +279,8 @@ fn test_commit_lagrange_epaffine() { fn test_commit_lagrange_eqaffine() { const K: u32 = 6; + use rand::rngs::OsRng; + use crate::pasta::{EqAffine, Fp}; let params = Params::::new(K); let domain = super::EvaluationDomain::new(1, K); @@ -289,7 +293,7 @@ fn test_commit_lagrange_eqaffine() { let b = domain.lagrange_to_coeff(a.clone()); - let alpha = Blind(Fp::rand()); + let alpha = Blind(Fp::random(OsRng)); assert_eq!(params.commit(&b, alpha), params.commit_lagrange(&a, alpha)); } @@ -299,6 +303,7 @@ fn test_opening_proof() { const K: u32 = 6; use ff::Field; + use rand::rngs::OsRng; use super::{ commitment::{Blind, Params}, @@ -310,6 +315,8 @@ fn test_opening_proof() { Blake2bRead, Blake2bWrite, Challenge255, Transcript, TranscriptRead, TranscriptWrite, }; + let rng = OsRng; + let params = Params::::new(K); let mut params_buffer = vec![]; params.write(&mut params_buffer).unwrap(); @@ -323,7 +330,7 @@ fn test_opening_proof() { *a = Fq::from(i as u64); } - let blind = Blind(Fq::rand()); + let blind = Blind(Fq::random(rng)); let p = params.commit(&px, blind).to_affine(); @@ -335,7 +342,7 @@ fn test_opening_proof() { transcript.write_scalar(v).unwrap(); let (proof, ch_prover) = { - create_proof(¶ms, &mut transcript, &px, blind, *x).unwrap(); + create_proof(¶ms, rng, &mut transcript, &px, blind, *x).unwrap(); let ch_prover = transcript.squeeze_challenge(); (transcript.finalize(), ch_prover) }; diff --git a/src/poly/commitment/prover.rs b/src/poly/commitment/prover.rs index 211b60fe..b393747e 100644 --- a/src/poly/commitment/prover.rs +++ b/src/poly/commitment/prover.rs @@ -1,4 +1,5 @@ use ff::Field; +use rand::RngCore; use super::super::{Coeff, Polynomial}; use super::{Blind, Params}; @@ -23,8 +24,14 @@ use std::io; /// opening v, and the point x. It's probably also nice for the transcript /// to have seen the elliptic curve description and the URS, if you want to /// be rigorous. -pub fn create_proof, T: TranscriptWrite>( +pub fn create_proof< + C: CurveAffine, + E: EncodedChallenge, + R: RngCore, + T: TranscriptWrite, +>( params: &Params, + mut rng: R, transcript: &mut T, px: &Polynomial, blind: Blind, @@ -37,14 +44,14 @@ pub fn create_proof, T: TranscriptWrite, T: TranscriptWrite { #[test] fn test_rotate() { + use rand::rngs::OsRng; + use crate::arithmetic::eval_polynomial; use crate::pasta::pallas::Scalar; + let domain = EvaluationDomain::::new(1, 3); + let rng = OsRng; let mut poly = domain.empty_lagrange(); assert_eq!(poly.len(), 8); for value in poly.iter_mut() { - *value = Scalar::rand(); + *value = Scalar::random(rng); } let poly_rotated_cur = poly.rotate(Rotation::cur()); @@ -573,7 +577,7 @@ fn test_rotate() { let poly_rotated_next = domain.lagrange_to_coeff(poly_rotated_next); let poly_rotated_prev = domain.lagrange_to_coeff(poly_rotated_prev); - let x = Scalar::rand(); + let x = Scalar::random(rng); assert_eq!( eval_polynomial(&poly[..], x), @@ -591,6 +595,8 @@ fn test_rotate() { #[test] fn test_l_i() { + use rand::rngs::OsRng; + use crate::arithmetic::{eval_polynomial, lagrange_interpolate}; use crate::pasta::pallas::Scalar; let domain = EvaluationDomain::::new(1, 3); @@ -607,7 +613,7 @@ fn test_l_i() { l.push(l_i); } - let x = Scalar::rand(); + let x = Scalar::random(OsRng); let xn = x.pow(&[8, 0, 0, 0]); let evaluations = domain.l_i_range(x, xn, -7..=7); diff --git a/src/poly/multiopen.rs b/src/poly/multiopen.rs index ae8e27ab..7e860e42 100644 --- a/src/poly/multiopen.rs +++ b/src/poly/multiopen.rs @@ -250,6 +250,7 @@ where #[test] fn test_roundtrip() { use group::Curve; + use rand::rngs::OsRng; use super::commitment::{Blind, Params}; use crate::arithmetic::{eval_polynomial, FieldExt}; @@ -260,6 +261,7 @@ fn test_roundtrip() { let params: Params = Params::new(K); let domain = EvaluationDomain::new(1, K); + let rng = OsRng; let mut ax = domain.empty_coeff(); for (i, a) in ax.iter_mut().enumerate() { @@ -276,14 +278,14 @@ fn test_roundtrip() { *a = Fp::from(100 + i as u64); } - let blind = Blind(Fp::rand()); + let blind = Blind(Fp::random(rng)); let a = params.commit(&ax, blind).to_affine(); let b = params.commit(&bx, blind).to_affine(); let c = params.commit(&cx, blind).to_affine(); - let x = Fp::rand(); - let y = Fp::rand(); + let x = Fp::random(rng); + let y = Fp::random(rng); let avx = eval_polynomial(&ax, x); let bvx = eval_polynomial(&bx, x); let cvy = eval_polynomial(&cx, y); @@ -291,6 +293,7 @@ fn test_roundtrip() { let mut transcript = crate::transcript::Blake2bWrite::<_, _, Challenge255<_>>::init(vec![]); create_proof( ¶ms, + rng, &mut transcript, std::iter::empty() .chain(Some(ProverQuery { diff --git a/src/poly/multiopen/prover.rs b/src/poly/multiopen/prover.rs index bea21010..a881f201 100644 --- a/src/poly/multiopen/prover.rs +++ b/src/poly/multiopen/prover.rs @@ -12,12 +12,21 @@ use crate::transcript::{EncodedChallenge, TranscriptWrite}; use ff::Field; use group::Curve; +use rand::RngCore; use std::io; use std::marker::PhantomData; /// Create a multi-opening proof -pub fn create_proof<'a, I, C: CurveAffine, E: EncodedChallenge, T: TranscriptWrite>( +pub fn create_proof< + 'a, + I, + C: CurveAffine, + E: EncodedChallenge, + R: RngCore, + T: TranscriptWrite, +>( params: &Params, + mut rng: R, transcript: &mut T, queries: I, ) -> io::Result<()> @@ -78,7 +87,7 @@ where }) .unwrap(); - let f_blind = Blind(C::Scalar::rand()); + let f_blind = Blind(C::Scalar::random(&mut rng)); let f_commitment = params.commit(&f_poly, f_blind).to_affine(); transcript.write_point(f_commitment)?; @@ -106,7 +115,7 @@ where }, ); - commitment::create_proof(params, transcript, &f_poly, f_blind_try, *x_3) + commitment::create_proof(params, rng, transcript, &f_poly, f_blind_try, *x_3) } #[doc(hidden)] diff --git a/src/poly/multiopen/verifier.rs b/src/poly/multiopen/verifier.rs index ea96a0b8..eec80e51 100644 --- a/src/poly/multiopen/verifier.rs +++ b/src/poly/multiopen/verifier.rs @@ -1,4 +1,5 @@ use ff::Field; +use rand::rngs::OsRng; use super::super::{ commitment::{Guard, Params, MSM}, @@ -31,7 +32,7 @@ where // Scale the MSM by a random factor to ensure that if the existing MSM // has is_zero() == false then this argument won't be able to interfere // with it to make it true, with high probability. - msm.scale(C::Scalar::rand()); + msm.scale(C::Scalar::random(OsRng)); // Sample x_1 for compressing openings at the same point sets together let x_1: ChallengeX1<_> = transcript.squeeze_challenge_scalar(); diff --git a/tests/plonk_api.rs b/tests/plonk_api.rs index 9007a8ec..5ba512af 100644 --- a/tests/plonk_api.rs +++ b/tests/plonk_api.rs @@ -12,6 +12,7 @@ use halo2::plonk::{ }; use halo2::poly::{commitment::Params, Rotation}; use halo2::transcript::{Blake2bRead, Blake2bWrite, Challenge255}; +use rand::rngs::OsRng; use std::marker::PhantomData; #[test] @@ -436,6 +437,7 @@ fn plonk_api() { &pk, &[circuit.clone(), circuit.clone()], &[&[&[instance]], &[&[instance]]], + OsRng, &mut transcript, ) .expect("proof generation should not fail");