mirror of https://github.com/zcash/halo2.git
Improvements due to @daira's code review.
This commit is contained in:
parent
a129490517
commit
289f24bb8b
@ -35,21 +35,21 @@ pub fn create_proof<
transcript: &mut T,
transcript: &mut T,
p_poly: &Polynomial<C::Scalar, Coeff>,
p_poly: &Polynomial<C::Scalar, Coeff>,
p_blind: Blind<C::Scalar>,
p_blind: Blind<C::Scalar>,
x: C::Scalar,
x_3: C::Scalar,
) -> io::Result<()> {
) -> io::Result<()> {
// We're limited to polynomials of degree n - 1.
// We're limited to polynomials of degree n - 1.
assert_eq!(p_poly.len(), params.n as usize);
assert_eq!(p_poly.len(), params.n as usize);
// Sample a random polynomial (of same degree) that has a root at x, first
// Sample a random polynomial (of same degree) that has a root at x_3, first
// by setting all coefficients to random values.
// by setting all coefficients to random values.
let mut s_poly = (*p_poly).clone();
let mut s_poly = (*p_poly).clone();
for coeff in s_poly.iter_mut() {
for coeff in s_poly.iter_mut() {
*coeff = C::Scalar::random(&mut rng);
*coeff = C::Scalar::random(&mut rng);
}
}
// Evaluate the random polynomial at x
// Evaluate the random polynomial at x_3
let s_at_x = eval_polynomial(&s_poly[..], x);
let s_at_x3 = eval_polynomial(&s_poly[..], x_3);
// Subtract constant coefficient to get a random polynomial with a root at x
// Subtract constant coefficient to get a random polynomial with a root at x_3
s_poly[0] = s_poly[0] - &s_at_x;
s_poly[0] = s_poly[0] - &s_at_x3;
// And sample a random blind
// And sample a random blind
let s_poly_blind = Blind(C::Scalar::random(&mut rng));
let s_poly_blind = Blind(C::Scalar::random(&mut rng));
@ -58,7 +58,7 @@ pub fn create_proof<
transcript.write_point(s_poly_commitment)?;
transcript.write_point(s_poly_commitment)?;
// Challenge that will ensure that the prover cannot change P but can only
// Challenge that will ensure that the prover cannot change P but can only
// witness a random polynomial commitment that agrees with P at x, with high
// witness a random polynomial commitment that agrees with P at x_3, with high
// probability.
// probability.
let xi = *transcript.squeeze_challenge_scalar::<()>();
let xi = *transcript.squeeze_challenge_scalar::<()>();
@ -66,10 +66,10 @@ pub fn create_proof<
// in their commitments.
// in their commitments.
let z = *transcript.squeeze_challenge_scalar::<()>();
let z = *transcript.squeeze_challenge_scalar::<()>();
// We'll be opening `P' = P - [v] G_0 + [\xi] S` to ensure it has a root at
// We'll be opening `P' = P - [v] G_0 + [ξ] S` to ensure it has a root at
// zero.
// zero.
let mut p_prime_poly = s_poly * xi + p_poly;
let mut p_prime_poly = s_poly * xi + p_poly;
let v = eval_polynomial(&p_prime_poly, x);
let v = eval_polynomial(&p_prime_poly, x_3);
p_prime_poly[0] = p_prime_poly[0] - &v;
p_prime_poly[0] = p_prime_poly[0] - &v;
let p_prime_blind = s_poly_blind * Blind(xi) + p_blind;
let p_prime_blind = s_poly_blind * Blind(xi) + p_blind;
@ -81,14 +81,14 @@ pub fn create_proof<
let mut p_prime = p_prime_poly.values;
let mut p_prime = p_prime_poly.values;
assert_eq!(p_prime.len(), params.n as usize);
assert_eq!(p_prime.len(), params.n as usize);
// Initialize the vector `b` as the powers of `x`. The inner product of
// Initialize the vector `b` as the powers of `x_3`. The inner product of
// `p_prime` and `b` is the evaluation of the polynomial at `x`.
// `p_prime` and `b` is the evaluation of the polynomial at `x_3`.
let mut b = Vec::with_capacity(1 << params.k);
let mut b = Vec::with_capacity(1 << params.k);
{
{
let mut cur = C::Scalar::one();
let mut cur = C::Scalar::one();
for _ in 0..(1 << params.k) {
for _ in 0..(1 << params.k) {
b.push(cur);
b.push(cur);
cur *= &x;
cur *= &x_3;
}
}
}
}
@ -75,7 +75,7 @@ pub fn verify_proof<'a, C: CurveAffine, E: EncodedChallenge<C>, T: TranscriptRea
) -> Result<Guard<'a, C, E>, Error> {
) -> Result<Guard<'a, C, E>, Error> {
let k = params.k as usize;
let k = params.k as usize;
// P' = P - [v] G_0 + [\xi] S
// P' = P - [v] G_0 + [ξ] S
msm.add_constant_term(-v); // add [-v] G_0
msm.add_constant_term(-v); // add [-v] G_0
let s_poly_commitment = transcript.read_point().map_err(|_| Error::OpeningError)?;
let s_poly_commitment = transcript.read_point().map_err(|_| Error::OpeningError)?;
let xi = *transcript.squeeze_challenge_scalar::<()>();
let xi = *transcript.squeeze_challenge_scalar::<()>();
@ -92,10 +92,7 @@ pub fn verify_proof<'a, C: CurveAffine, E: EncodedChallenge<C>, T: TranscriptRea
let u_j_packed = transcript.squeeze_challenge();
let u_j_packed = transcript.squeeze_challenge();
let u_j = *u_j_packed.as_challenge_scalar::<()>();
let u_j = *u_j_packed.as_challenge_scalar::<()>();
rounds.push((
rounds.push((l, r, u_j, /* to be inverted */ u_j, u_j_packed));
l, r, u_j, u_j, // to be inverted
u_j_packed,
));
}
}
rounds
rounds
@ -103,7 +100,7 @@ pub fn verify_proof<'a, C: CurveAffine, E: EncodedChallenge<C>, T: TranscriptRea
.map(|&mut (_, _, _, ref mut u_j, _)| u_j)
.map(|&mut (_, _, _, ref mut u_j, _)| u_j)
.batch_invert();
.batch_invert();
// This is the left hand side of the verifier equation.
// This is the left-hand side of the verifier equation.
// P' + \sum([u_j^{-1}] L_j) + \sum([u_j] R_j)
// P' + \sum([u_j^{-1}] L_j) + \sum([u_j] R_j)
let mut u = Vec::with_capacity(k);
let mut u = Vec::with_capacity(k);
let mut u_packed: Vec<E> = Vec::with_capacity(k);
let mut u_packed: Vec<E> = Vec::with_capacity(k);
@ -118,14 +115,15 @@ pub fn verify_proof<'a, C: CurveAffine, E: EncodedChallenge<C>, T: TranscriptRea
// Our goal is to check that the left hand side of the verifier
// Our goal is to check that the left hand side of the verifier
// equation
// equation
// P' + \sum([u_j^{-1}] L_j) + \sum([u_j] R_j)
// P' + \sum([u_j^{-1}] L_j) + \sum([u_j] R_j)
// equals (given the prover's values c, f) the right hand side
// equals (given b = \mathbf{b}_0, and the prover's values c, f),
// the right-hand side
// = [c] (G'_0 + [b * z] U) + [f] W
// = [c] (G'_0 + [b * z] U) + [f] W
// except that we wish for the prover to supply G'_0 as Commit(g(X); 1) so
// except that we wish for the prover to supply G'_0 as Commit(g(X); 1) so
// we must substitute G'_0 with G'_0 - W to get
// we must substitute G'_0 with G'_0 - W to get
// = [c] ((G'_0 - W) + [b * z] U) + [f] W
// = [c] ((G'_0 - W) + [b * z] U) + [f] W
// = [c] G'_0 + [-c] W + [cbz] U + [f] W
// = [c] G'_0 + [-c] W + [cbz] U + [f] W
// = [c] G'_0 + [cbz] U + [f - c] W
// = [c] G'_0 + [cbz] U + [f - c] W
// and then subtracting the right hand side from both sides
// and then subtracting the right-hand side from both sides
// to get
// to get
// P' + \sum([u_j^{-1}] L_j) + \sum([u_j] R_j)
// P' + \sum([u_j^{-1}] L_j) + \sum([u_j] R_j)
// + [-c] G'_0 + [-cbz] U + [c - f] W
// + [-c] G'_0 + [-cbz] U + [c - f] W