mirror of https://github.com/zcash/halo2.git
Improvements due to @daira's code review.
This commit is contained in:
Sean Bowe
parent
a129490517
commit
289f24bb8b
|
|
@ -35,21 +35,21 @@ pub fn create_proof<
|
|||
transcript: &mut T,
|
||||
p_poly: &Polynomial<C::Scalar, Coeff>,
|
||||
p_blind: Blind<C::Scalar>,
|
||||
x: C::Scalar,
|
||||
x_3: C::Scalar,
|
||||
) -> io::Result<()> {
|
||||
// We're limited to polynomials of degree n - 1.
|
||||
assert_eq!(p_poly.len(), params.n as usize);
|
||||
|
||||
// Sample a random polynomial (of same degree) that has a root at x, first
|
||||
// Sample a random polynomial (of same degree) that has a root at x_3, first
|
||||
// by setting all coefficients to random values.
|
||||
let mut s_poly = (*p_poly).clone();
|
||||
for coeff in s_poly.iter_mut() {
|
||||
*coeff = C::Scalar::random(&mut rng);
|
||||
}
|
||||
// Evaluate the random polynomial at x
|
||||
let s_at_x = eval_polynomial(&s_poly[..], x);
|
||||
// Subtract constant coefficient to get a random polynomial with a root at x
|
||||
s_poly[0] = s_poly[0] - &s_at_x;
|
||||
// Evaluate the random polynomial at x_3
|
||||
let s_at_x3 = eval_polynomial(&s_poly[..], x_3);
|
||||
// Subtract constant coefficient to get a random polynomial with a root at x_3
|
||||
s_poly[0] = s_poly[0] - &s_at_x3;
|
||||
// And sample a random blind
|
||||
let s_poly_blind = Blind(C::Scalar::random(&mut rng));
|
||||
|
||||
|
|
@ -58,7 +58,7 @@ pub fn create_proof<
|
|||
transcript.write_point(s_poly_commitment)?;
|
||||
|
||||
// Challenge that will ensure that the prover cannot change P but can only
|
||||
// witness a random polynomial commitment that agrees with P at x, with high
|
||||
// witness a random polynomial commitment that agrees with P at x_3, with high
|
||||
// probability.
|
||||
let xi = *transcript.squeeze_challenge_scalar::<()>();
|
||||
|
||||
|
|
@ -66,10 +66,10 @@ pub fn create_proof<
|
|||
// in their commitments.
|
||||
let z = *transcript.squeeze_challenge_scalar::<()>();
|
||||
|
||||
// We'll be opening `P' = P - [v] G_0 + [\xi] S` to ensure it has a root at
|
||||
// We'll be opening `P' = P - [v] G_0 + [ξ] S` to ensure it has a root at
|
||||
// zero.
|
||||
let mut p_prime_poly = s_poly * xi + p_poly;
|
||||
let v = eval_polynomial(&p_prime_poly, x);
|
||||
let v = eval_polynomial(&p_prime_poly, x_3);
|
||||
p_prime_poly[0] = p_prime_poly[0] - &v;
|
||||
let p_prime_blind = s_poly_blind * Blind(xi) + p_blind;
|
||||
|
||||
|
|
@ -81,14 +81,14 @@ pub fn create_proof<
|
|||
let mut p_prime = p_prime_poly.values;
|
||||
assert_eq!(p_prime.len(), params.n as usize);
|
||||
|
||||
// Initialize the vector `b` as the powers of `x`. The inner product of
|
||||
// `p_prime` and `b` is the evaluation of the polynomial at `x`.
|
||||
// Initialize the vector `b` as the powers of `x_3`. The inner product of
|
||||
// `p_prime` and `b` is the evaluation of the polynomial at `x_3`.
|
||||
let mut b = Vec::with_capacity(1 << params.k);
|
||||
{
|
||||
let mut cur = C::Scalar::one();
|
||||
for _ in 0..(1 << params.k) {
|
||||
b.push(cur);
|
||||
cur *= &x;
|
||||
cur *= &x_3;
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -75,7 +75,7 @@ pub fn verify_proof<'a, C: CurveAffine, E: EncodedChallenge<C>, T: TranscriptRea
|
|||
) -> Result<Guard<'a, C, E>, Error> {
|
||||
let k = params.k as usize;
|
||||
|
||||
// P' = P - [v] G_0 + [\xi] S
|
||||
// P' = P - [v] G_0 + [ξ] S
|
||||
msm.add_constant_term(-v); // add [-v] G_0
|
||||
let s_poly_commitment = transcript.read_point().map_err(|_| Error::OpeningError)?;
|
||||
let xi = *transcript.squeeze_challenge_scalar::<()>();
|
||||
|
|
@ -92,10 +92,7 @@ pub fn verify_proof<'a, C: CurveAffine, E: EncodedChallenge<C>, T: TranscriptRea
|
|||
let u_j_packed = transcript.squeeze_challenge();
|
||||
let u_j = *u_j_packed.as_challenge_scalar::<()>();
|
||||
|
||||
rounds.push((
|
||||
l, r, u_j, u_j, // to be inverted
|
||||
u_j_packed,
|
||||
));
|
||||
rounds.push((l, r, u_j, /* to be inverted */ u_j, u_j_packed));
|
||||
}
|
||||
|
||||
rounds
|
||||
|
|
@ -103,7 +100,7 @@ pub fn verify_proof<'a, C: CurveAffine, E: EncodedChallenge<C>, T: TranscriptRea
|
|||
.map(|&mut (_, _, _, ref mut u_j, _)| u_j)
|
||||
.batch_invert();
|
||||
|
||||
// This is the left hand side of the verifier equation.
|
||||
// This is the left-hand side of the verifier equation.
|
||||
// P' + \sum([u_j^{-1}] L_j) + \sum([u_j] R_j)
|
||||
let mut u = Vec::with_capacity(k);
|
||||
let mut u_packed: Vec<E> = Vec::with_capacity(k);
|
||||
|
|
@ -118,14 +115,15 @@ pub fn verify_proof<'a, C: CurveAffine, E: EncodedChallenge<C>, T: TranscriptRea
|
|||
// Our goal is to check that the left hand side of the verifier
|
||||
// equation
|
||||
// P' + \sum([u_j^{-1}] L_j) + \sum([u_j] R_j)
|
||||
// equals (given the prover's values c, f) the right hand side
|
||||
// equals (given b = \mathbf{b}_0, and the prover's values c, f),
|
||||
// the right-hand side
|
||||
// = [c] (G'_0 + [b * z] U) + [f] W
|
||||
// except that we wish for the prover to supply G'_0 as Commit(g(X); 1) so
|
||||
// we must substitute G'_0 with G'_0 - W to get
|
||||
// = [c] ((G'_0 - W) + [b * z] U) + [f] W
|
||||
// = [c] G'_0 + [-c] W + [cbz] U + [f] W
|
||||
// = [c] G'_0 + [cbz] U + [f - c] W
|
||||
// and then subtracting the right hand side from both sides
|
||||
// and then subtracting the right-hand side from both sides
|
||||
// to get
|
||||
// P' + \sum([u_j^{-1}] L_j) + \sum([u_j] R_j)
|
||||
// + [-c] G'_0 + [-cbz] U + [c - f] W
|
||||
|
|
|
|||
Loading…
Reference in New Issue