From 289f24bb8b5bf198c852d1f4844935c49b04ec7d Mon Sep 17 00:00:00 2001
From: Sean Bowe
Date: Fri, 11 Feb 2022 08:50:55 -0700
Subject: [PATCH] Improvements due to @daira's code review.
---
 halo2_proofs/src/poly/commitment/prover.rs | 24 ++++++++++----------
 halo2_proofs/src/poly/commitment/verifier.rs | 14 +++++-------
 2 files changed, 18 insertions(+), 20 deletions(-)
diff --git a/halo2_proofs/src/poly/commitment/prover.rs b/halo2_proofs/src/poly/commitment/prover.rs
index 05848352..f58973c1 100644
--- a/halo2_proofs/src/poly/commitment/prover.rs
+++ b/halo2_proofs/src/poly/commitment/prover.rs
@@ -35,21 +35,21 @@ pub fn create_proof<
 transcript: &mut T,
 p_poly: &Polynomial,
 p_blind: Blind,
- x: C::Scalar,
+ x_3: C::Scalar,
 ) -> io::Result<()> {
 // We're limited to polynomials of degree n - 1.
 assert_eq!(p_poly.len(), params.n as usize);
- // Sample a random polynomial (of same degree) that has a root at x, first
+ // Sample a random polynomial (of same degree) that has a root at x_3, first
 // by setting all coefficients to random values.
 let mut s_poly = (*p_poly).clone();
 for coeff in s_poly.iter_mut() {
 *coeff = C::Scalar::random(&mut rng);
 }
- // Evaluate the random polynomial at x
- let s_at_x = eval_polynomial(&s_poly[..], x);
- // Subtract constant coefficient to get a random polynomial with a root at x
- s_poly[0] = s_poly[0] - &s_at_x;
+ // Evaluate the random polynomial at x_3
+ let s_at_x3 = eval_polynomial(&s_poly[..], x_3);
+ // Subtract constant coefficient to get a random polynomial with a root at x_3
+ s_poly[0] = s_poly[0] - &s_at_x3;
 // And sample a random blind
 let s_poly_blind = Blind(C::Scalar::random(&mut rng));
@@ -58,7 +58,7 @@ pub fn create_proof<
 transcript.write_point(s_poly_commitment)?;
 // Challenge that will ensure that the prover cannot change P but can only
- // witness a random polynomial commitment that agrees with P at x, with high
+ // witness a random polynomial commitment that agrees with P at x_3, with high
 // probability.
 let xi = *transcript.squeeze_challenge_scalar::<()>();
@@ -66,10 +66,10 @@ pub fn create_proof<
 // in their commitments.
 let z = *transcript.squeeze_challenge_scalar::<()>();
- // We'll be opening `P' = P - [v] G_0 + [\xi] S` to ensure it has a root at
+ // We'll be opening `P' = P - [v] G_0 + [ξ] S` to ensure it has a root at
 // zero.
 let mut p_prime_poly = s_poly * xi + p_poly;
- let v = eval_polynomial(&p_prime_poly, x);
+ let v = eval_polynomial(&p_prime_poly, x_3);
 p_prime_poly[0] = p_prime_poly[0] - &v;
 let p_prime_blind = s_poly_blind * Blind(xi) + p_blind;
@@ -81,14 +81,14 @@ pub fn create_proof<
 let mut p_prime = p_prime_poly.values;
 assert_eq!(p_prime.len(), params.n as usize);
- // Initialize the vector `b` as the powers of `x`. The inner product of
- // `p_prime` and `b` is the evaluation of the polynomial at `x`.
+ // Initialize the vector `b` as the powers of `x_3`. The inner product of
+ // `p_prime` and `b` is the evaluation of the polynomial at `x_3`.
 let mut b = Vec::with_capacity(1 << params.k);
 {
 let mut cur = C::Scalar::one();
 for _ in 0..(1 << params.k) {
 b.push(cur);
- cur *= &x;
+ cur *= &x_3;
 }
 }
diff --git a/halo2_proofs/src/poly/commitment/verifier.rs b/halo2_proofs/src/poly/commitment/verifier.rs
index 5f0d26ef..c3defb2a 100644
--- a/halo2_proofs/src/poly/commitment/verifier.rs
+++ b/halo2_proofs/src/poly/commitment/verifier.rs
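Review bot: The comment changed in the `@@ -66,10 +66,10 @@` hunk of prover.rs now spells the challenge as the Unicode letter `ξ`, while the code binds it as `xi` and the comments in verifier.rs keep LaTeX-style macros such as `\sum`; the `@@ -75,7 +75,7 @@` hunk of verifier.rs makes the same substitution. One symbol ends up with three spellings, and a search for the identifier no longer finds the comments that explain it. I would write the term as `[xi] S` in both comments so it matches the variable, or convert the remaining macros in the same pass. create_proof starts and ends outside these hunks.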
@@ -75,7 +75,7 @@ pub fn verify_proof<'a, C: CurveAffine, E: EncodedChallenge, T: TranscriptRea
 ) -> Result, Error> {
 let k = params.k as usize;
- // P' = P - [v] G_0 + [\xi] S
+ // P' = P - [v] G_0 + [ξ] S
 msm.add_constant_term(-v); // add [-v] G_0
 let s_poly_commitment = transcript.read_point().map_err(|_| Error::OpeningError)?;
 let xi = *transcript.squeeze_challenge_scalar::<()>();
@@ -92,10 +92,7 @@ pub fn verify_proof<'a, C: CurveAffine, E: EncodedChallenge, T: TranscriptRea
 let u_j_packed = transcript.squeeze_challenge();
 let u_j = *u_j_packed.as_challenge_scalar::<()>();
- rounds.push((
- l, r, u_j, u_j, // to be inverted
- u_j_packed,
- ));
+ rounds.push((l, r, u_j, /* to be inverted */ u_j, u_j_packed));
 }
 rounds
@@ -103,7 +100,7 @@ pub fn verify_proof<'a, C: CurveAffine, E: EncodedChallenge, T: TranscriptRea
 .map(|&mut (_, _, _, ref mut u_j, _)| u_j)
 .batch_invert();
- // This is the left hand side of the verifier equation.
+ // This is the left-hand side of the verifier equation.
 // P' + \sum([u_j^{-1}] L_j) + \sum([u_j] R_j)
 let mut u = Vec::with_capacity(k);
 let mut u_packed: Vec = Vec::with_capacity(k);
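Review bot: In the `@@ -92,10 +92,7 @@` hunk the pushed tuple carries `u_j` twice, and the inline `/* to be inverted */` is the only thing telling the two slots apart, while the `.map(|&mut (_, _, _, ref mut u_j, _)| u_j)` in the next hunk selects the slot purely by position. Binding the second copy to its own name keeps the intent readable if the tuple is ever reordered: `let u_j_inv = u_j; // inverted by the batch_invert below`, then `rounds.push((l, r, u_j, u_j_inv, u_j_packed));`. A one-line comment on the zero-challenge case would also help, because a batch inversion that skips zero elements (as the ff crate's does, if that is the implementation in use here) would leave that slot uninverted without any error. verify_proof starts and ends outside these hunks.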
@@ -118,14 +115,15 @@ pub fn verify_proof<'a, C: CurveAffine, E: EncodedChallenge, T: TranscriptRea
 // Our goal is to check that the left hand side of the verifier
 // equation
 // P' + \sum([u_j^{-1}] L_j) + \sum([u_j] R_j)
- // equals (given the prover's values c, f) the right hand side
+ // equals (given b = \mathbf{b}_0, and the prover's values c, f),
+ // the right-hand side
 // = [c] (G'_0 + [b * z] U) + [f] W
 // except that we wish for the prover to supply G'_0 as Commit(g(X); 1) so
 // we must substitute G'_0 with G'_0 - W to get
 // = [c] ((G'_0 - W) + [b * z] U) + [f] W
 // = [c] G'_0 + [-c] W + [cbz] U + [f] W
 // = [c] G'_0 + [cbz] U + [f - c] W
- // and then subtracting the right hand side from both sides
+ // and then subtracting the right-hand side from both sides
 // to get
 // P' + \sum([u_j^{-1}] L_j) + \sum([u_j] R_j)
 // + [-c] G'_0 + [-cbz] U + [c - f] W
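Review bot: The first context line of this hunk still reads `left hand side` although the commit hyphenates the other occurrences it touches, so the comment block is now inconsistent within itself; it should read `// Our goal is to check that the left-hand side of the verifier`. The added line also introduces `b = \mathbf{b}_0` without saying where that value comes from in the code. A few words tying it to the variable that ends up in `[cbz] U` would let a reader check the equation against the implementation; presumably it is the value derived from the round challenges, but that computation is outside the hunk. verify_proof starts and ends outside this hunk.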