Improvements due to @daira's code review.

This commit is contained in:
Sean Bowe 2022-02-11 08:50:55 -07:00
parent a129490517
commit 289f24bb8b
No known key found for this signature in database
GPG Key ID: 95684257D8F8B031
2 changed files with 18 additions and 20 deletions


@ -35,21 +35,21 @@ pub fn create_proof<
transcript: &mut T, transcript: &mut T,
p_poly: &Polynomial<C::Scalar, Coeff>, p_poly: &Polynomial<C::Scalar, Coeff>,
p_blind: Blind<C::Scalar>, p_blind: Blind<C::Scalar>,
x: C::Scalar, x_3: C::Scalar,
) -> io::Result<()> { ) -> io::Result<()> {
// We're limited to polynomials of degree n - 1. // We're limited to polynomials of degree n - 1.
assert_eq!(p_poly.len(), params.n as usize); assert_eq!(p_poly.len(), params.n as usize);
// Sample a random polynomial (of same degree) that has a root at x, first // Sample a random polynomial (of same degree) that has a root at x_3, first
// by setting all coefficients to random values. // by setting all coefficients to random values.
let mut s_poly = (*p_poly).clone(); let mut s_poly = (*p_poly).clone();
for coeff in s_poly.iter_mut() { for coeff in s_poly.iter_mut() {
*coeff = C::Scalar::random(&mut rng); *coeff = C::Scalar::random(&mut rng);
} }
// Evaluate the random polynomial at x // Evaluate the random polynomial at x_3
let s_at_x = eval_polynomial(&s_poly[..], x); let s_at_x3 = eval_polynomial(&s_poly[..], x_3);
// Subtract constant coefficient to get a random polynomial with a root at x // Subtract constant coefficient to get a random polynomial with a root at x_3
s_poly[0] = s_poly[0] - &s_at_x; s_poly[0] = s_poly[0] - &s_at_x3;
// And sample a random blind // And sample a random blind
let s_poly_blind = Blind(C::Scalar::random(&mut rng)); let s_poly_blind = Blind(C::Scalar::random(&mut rng));
@ -58,7 +58,7 @@ pub fn create_proof<
transcript.write_point(s_poly_commitment)?; transcript.write_point(s_poly_commitment)?;
// Challenge that will ensure that the prover cannot change P but can only // Challenge that will ensure that the prover cannot change P but can only
// witness a random polynomial commitment that agrees with P at x, with high // witness a random polynomial commitment that agrees with P at x_3, with high
// probability. // probability.
let xi = *transcript.squeeze_challenge_scalar::<()>(); let xi = *transcript.squeeze_challenge_scalar::<()>();
@ -66,10 +66,10 @@ pub fn create_proof<
// in their commitments. // in their commitments.
let z = *transcript.squeeze_challenge_scalar::<()>(); let z = *transcript.squeeze_challenge_scalar::<()>();
// We'll be opening `P' = P - [v] G_0 + [\xi] S` to ensure it has a root at // We'll be opening `P' = P - [v] G_0 + [ξ] S` to ensure it has a root at
// zero. // zero.
let mut p_prime_poly = s_poly * xi + p_poly; let mut p_prime_poly = s_poly * xi + p_poly;
let v = eval_polynomial(&p_prime_poly, x); let v = eval_polynomial(&p_prime_poly, x_3);
p_prime_poly[0] = p_prime_poly[0] - &v; p_prime_poly[0] = p_prime_poly[0] - &v;
let p_prime_blind = s_poly_blind * Blind(xi) + p_blind; let p_prime_blind = s_poly_blind * Blind(xi) + p_blind;
@ -81,14 +81,14 @@ pub fn create_proof<
let mut p_prime = p_prime_poly.values; let mut p_prime = p_prime_poly.values;
assert_eq!(p_prime.len(), params.n as usize); assert_eq!(p_prime.len(), params.n as usize);
// Initialize the vector `b` as the powers of `x`. The inner product of // Initialize the vector `b` as the powers of `x_3`. The inner product of
// `p_prime` and `b` is the evaluation of the polynomial at `x`. // `p_prime` and `b` is the evaluation of the polynomial at `x_3`.
let mut b = Vec::with_capacity(1 << params.k); let mut b = Vec::with_capacity(1 << params.k);
{ {
let mut cur = C::Scalar::one(); let mut cur = C::Scalar::one();
for _ in 0..(1 << params.k) { for _ in 0..(1 << params.k) {
b.push(cur); b.push(cur);
cur *= &x; cur *= &x_3;
} }
} }


@ -75,7 +75,7 @@ pub fn verify_proof<'a, C: CurveAffine, E: EncodedChallenge<C>, T: TranscriptRea
) -> Result<Guard<'a, C, E>, Error> { ) -> Result<Guard<'a, C, E>, Error> {
let k = params.k as usize; let k = params.k as usize;
// P' = P - [v] G_0 + [\xi] S // P' = P - [v] G_0 + [ξ] S
msm.add_constant_term(-v); // add [-v] G_0 msm.add_constant_term(-v); // add [-v] G_0
let s_poly_commitment = transcript.read_point().map_err(|_| Error::OpeningError)?; let s_poly_commitment = transcript.read_point().map_err(|_| Error::OpeningError)?;
let xi = *transcript.squeeze_challenge_scalar::<()>(); let xi = *transcript.squeeze_challenge_scalar::<()>();
@ -92,10 +92,7 @@ pub fn verify_proof<'a, C: CurveAffine, E: EncodedChallenge<C>, T: TranscriptRea
let u_j_packed = transcript.squeeze_challenge(); let u_j_packed = transcript.squeeze_challenge();
let u_j = *u_j_packed.as_challenge_scalar::<()>(); let u_j = *u_j_packed.as_challenge_scalar::<()>();
rounds.push(( rounds.push((l, r, u_j, /* to be inverted */ u_j, u_j_packed));
l, r, u_j, u_j, // to be inverted
u_j_packed,
));
} }
rounds rounds
@ -103,7 +100,7 @@ pub fn verify_proof<'a, C: CurveAffine, E: EncodedChallenge<C>, T: TranscriptRea
.map(|&mut (_, _, _, ref mut u_j, _)| u_j) .map(|&mut (_, _, _, ref mut u_j, _)| u_j)
.batch_invert(); .batch_invert();
// This is the left hand side of the verifier equation. // This is the left-hand side of the verifier equation.
// P' + \sum([u_j^{-1}] L_j) + \sum([u_j] R_j) // P' + \sum([u_j^{-1}] L_j) + \sum([u_j] R_j)
let mut u = Vec::with_capacity(k); let mut u = Vec::with_capacity(k);
let mut u_packed: Vec<E> = Vec::with_capacity(k); let mut u_packed: Vec<E> = Vec::with_capacity(k);
@ -118,14 +115,15 @@ pub fn verify_proof<'a, C: CurveAffine, E: EncodedChallenge<C>, T: TranscriptRea
// Our goal is to check that the left hand side of the verifier // Our goal is to check that the left hand side of the verifier
// equation // equation
// P' + \sum([u_j^{-1}] L_j) + \sum([u_j] R_j) // P' + \sum([u_j^{-1}] L_j) + \sum([u_j] R_j)
// equals (given the prover's values c, f) the right hand side // equals (given b = \mathbf{b}_0, and the prover's values c, f),
// the right-hand side
// = [c] (G'_0 + [b * z] U) + [f] W // = [c] (G'_0 + [b * z] U) + [f] W
// except that we wish for the prover to supply G'_0 as Commit(g(X); 1) so // except that we wish for the prover to supply G'_0 as Commit(g(X); 1) so
// we must substitute G'_0 with G'_0 - W to get // we must substitute G'_0 with G'_0 - W to get
// = [c] ((G'_0 - W) + [b * z] U) + [f] W // = [c] ((G'_0 - W) + [b * z] U) + [f] W
// = [c] G'_0 + [-c] W + [cbz] U + [f] W // = [c] G'_0 + [-c] W + [cbz] U + [f] W
// = [c] G'_0 + [cbz] U + [f - c] W // = [c] G'_0 + [cbz] U + [f - c] W
// and then subtracting the right hand side from both sides // and then subtracting the right-hand side from both sides
// to get // to get
// P' + \sum([u_j^{-1}] L_j) + \sum([u_j] R_j) // P' + \sum([u_j^{-1}] L_j) + \sum([u_j] R_j)
// + [-c] G'_0 + [-cbz] U + [c - f] W // + [-c] G'_0 + [-cbz] U + [c - f] W
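Review bot: The first line of the last hunk still reads `// Our goal is to check that the left hand side of the verifier` while this same commit hyphenates the phrase to `left-hand side` two hunks earlier and to `right-hand side` a few lines further down, so the derivation now uses two spellings; change it to `// Our goal is to check that the left-hand side of the verifier` to match. Elsewhere in the section the `P' = P - [v] G_0 + [ξ] S` comment switches `\xi` to Unicode `ξ`, but the equations that follow keep LaTeX `\sum` and `\mathbf{b}_0`; pick one notation for the comments (either `ξ` everywhere or `\xi` with the rest of the LaTeX) so they stay consistent and greppable. The new wording `(given b = \mathbf{b}_0, and the prover's values c, f)` is clearer than the old, though a reader may want to know where `\mathbf{b}_0` is defined; a short parenthetical pointing at the inner-product argument's final `b` vector would help if that is what is meant. verify_proof's body begins before the first hunk and continues past the last one.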