zec
/
halo2
mirror of https://github.com/zcash/halo2.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Update multiopen APIs to reflect changes made to Transcript APIs

This commit is contained in:
Sean Bowe 2020-12-21 15:59:41 -07:00
parent d30c6b62e4
commit 5be7d9525d
No known key found for this signature in database
GPG Key ID: 95684257D8F8B031
3 changed files with 212 additions and 244 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
src/poly/multiopen.rs
View File

@ -15,6 +15,9 @@ use crate::{
mod prover;
mod verifier;
pub use prover::create_proof;
pub use verifier::verify_proof;
#[derive(Clone, Copy, Debug)]
struct X1 {}
/// Challenge for compressing openings at the same point sets together.
@ -36,19 +39,6 @@ struct X4 {}
/// together.
type ChallengeX4<F> = ChallengeScalar<F, X4>;
/// This is a multi-point opening proof used in the polynomial commitment scheme opening.
#[derive(Debug, Clone)]
pub struct Proof<C: CurveAffine> {
// A vector of evaluations at each set of query points
q_evals: Vec<C::Scalar>,
// Commitment to final polynomial
f_commitment: C,
// Commitment proof
opening: commitment::Proof<C>,
}
/// A polynomial query at a point
#[derive(Debug, Clone)]
pub struct ProverQuery<'a, C: CurveAffine> {

53
src/poly/multiopen/prover.rs
View File

@ -1,18 +1,19 @@
use super::super::{
commitment::{self, Blind, Params},
Coeff, Error, Polynomial,
Coeff, Polynomial,
};
use super::{
construct_intermediate_sets, ChallengeX1, ChallengeX2, ChallengeX3, ChallengeX4, Proof,
ProverQuery, Query,
construct_intermediate_sets, ChallengeX1, ChallengeX2, ChallengeX3, ChallengeX4, ProverQuery,
Query,
};
use crate::arithmetic::{
eval_polynomial, kate_division, lagrange_interpolate, Curve, CurveAffine, FieldExt,
};
use crate::transcript::{Hasher, Transcript};
use crate::transcript::TranscriptWrite;
use ff::Field;
use std::io::{self, Write};
use std::marker::PhantomData;
#[derive(Debug, Clone)]
@ -23,13 +24,12 @@ struct CommitmentData<C: CurveAffine> {
evals: Vec<C::Scalar>,
}
impl<C: CurveAffine> Proof<C> {
/// Create a multi-opening proof
pub fn create<'a, I, HBase: Hasher<C::Base>, HScalar: Hasher<C::Scalar>>(
pub fn create_proof<'a, I, C: CurveAffine, W: Write, T: TranscriptWrite<W, C>>(
params: &Params<C>,
transcript: &mut Transcript<C, HBase, HScalar>,
transcript: &mut T,
queries: I,
) -> Result<Self, Error>
) -> io::Result<()>
where
I: IntoIterator<Item = ProverQuery<'a, C>> + Clone,
{
@ -65,7 +65,7 @@ impl<C: CurveAffine> Proof<C> {
// Each polynomial is evaluated at a set of points. For each set,
// we collapse each polynomial's evals pointwise.
for (eval, set_eval) in evals.iter().zip(q_eval_sets[set_idx].iter_mut()) {
*set_eval *= &*x_1;
*set_eval *= &x_1;
*set_eval += eval;
}
};
@ -107,16 +107,12 @@ impl<C: CurveAffine> Proof<C> {
})
.unwrap();
let mut f_blind = Blind(C::Scalar::rand());
let mut f_commitment = params.commit(&f_poly, f_blind).to_affine();
let f_blind = Blind(C::Scalar::rand());
let f_commitment = params.commit(&f_poly, f_blind).to_affine();
let (opening, q_evals) = loop {
let mut transcript = transcript.clone();
transcript
.absorb_point(&f_commitment)
.map_err(|_| Error::SamplingError)?;
transcript.write_point(f_commitment)?;
let x_3 = ChallengeX3::get(&mut transcript);
let x_3 = ChallengeX3::get(transcript);
let q_evals: Vec<C::Scalar> = q_polys
.iter()
@ -124,37 +120,22 @@ impl<C: CurveAffine> Proof<C> {
.collect();
for eval in q_evals.iter() {
transcript.absorb_scalar(*eval);
transcript.write_scalar(*eval)?;
}
let x_4 = ChallengeX4::get(&mut transcript);
let x_4 = ChallengeX4::get(transcript);
let (f_poly, f_blind_try) = q_polys.iter().zip(q_blinds.iter()).fold(
(f_poly.clone(), f_blind),
|(f_poly, f_blind), (poly, blind)| {
(
f_poly * *x_4 + poly.as_ref().unwrap(),
Blind((f_blind.0 * &*x_4) + &blind.0),
Blind((f_blind.0 * &x_4) + &blind.0),
)
},
);
if let Ok(opening) =
commitment::Proof::create(&params, &mut transcript, &f_poly, f_blind_try, *x_3)
{
break (opening, q_evals);
} else {
f_blind += C::Scalar::one();
f_commitment = (f_commitment + params.h).to_affine();
}
};
Ok(Proof {
q_evals,
f_commitment,
opening,
})
}
commitment::create_proof(&params, transcript, &f_poly, f_blind_try, *x_3)
}
#[doc(hidden)]

39
src/poly/multiopen/verifier.rs
View File

@ -5,11 +5,13 @@ use super::super::{
Error,
};
use super::{
construct_intermediate_sets, ChallengeX1, ChallengeX2, ChallengeX3, ChallengeX4, Proof, Query,
construct_intermediate_sets, ChallengeX1, ChallengeX2, ChallengeX3, ChallengeX4, Query,
VerifierQuery,
};
use crate::arithmetic::{eval_polynomial, lagrange_interpolate, CurveAffine, FieldExt};
use crate::transcript::{Hasher, Transcript};
use crate::transcript::TranscriptRead;
use std::io::Read;
#[derive(Debug, Clone)]
struct CommitmentData<C: CurveAffine> {
@ -18,12 +20,10 @@ struct CommitmentData<C: CurveAffine> {
evals: Vec<C::Scalar>,
}
impl<C: CurveAffine> Proof<C> {
/// Verify a multi-opening proof
pub fn verify<'a, I, HBase: Hasher<C::Base>, HScalar: Hasher<C::Scalar>>(
&self,
pub fn verify_proof<'a, I, C: CurveAffine, R: Read, T: TranscriptRead<R, C>>(
params: &'a Params<C>,
transcript: &mut Transcript<C, HBase, HScalar>,
transcript: &mut T,
queries: I,
mut msm: MSM<'a, C>,
) -> Result<Guard<'a, C>, Error>
@ -40,7 +40,7 @@ impl<C: CurveAffine> Proof<C> {
// Sample a challenge x_2 for keeping the multi-point quotient
// polynomial terms linearly independent.
let x_2 = ChallengeX2::<C::Scalar>::get(transcript);
let x_2 = ChallengeX2::get(transcript);
let (commitment_map, point_sets) = construct_intermediate_sets(queries);
@ -59,7 +59,7 @@ impl<C: CurveAffine> Proof<C> {
q_commitments[set_idx].scale(*x_1);
q_commitments[set_idx].append_term(C::Scalar::one(), new_commitment);
for (eval, set_eval) in evals.iter().zip(q_eval_sets[set_idx].iter_mut()) {
*set_eval *= &*x_1;
*set_eval *= &x_1;
*set_eval += eval;
}
};
@ -76,16 +76,15 @@ impl<C: CurveAffine> Proof<C> {
}
// Obtain the commitment to the multi-point quotient polynomial f(X).
transcript
.absorb_point(&self.f_commitment)
.map_err(|_| Error::SamplingError)?;
let f_commitment = transcript.read_point().map_err(|_| Error::SamplingError)?;
// Sample a challenge x_3 for checking that f(X) was committed to
// correctly.
let x_3 = ChallengeX3::get(transcript);
for eval in self.q_evals.iter() {
transcript.absorb_scalar(*eval);
let mut q_evals = Vec::with_capacity(q_eval_sets.len());
for _ in 0..q_eval_sets.len() {
q_evals.push(transcript.read_scalar().map_err(|_| Error::SamplingError)?);
}
// We can compute the expected msm_eval at x_3 using the q_evals provided
@ -93,7 +92,7 @@ impl<C: CurveAffine> Proof<C> {
let msm_eval = point_sets
.iter()
.zip(q_eval_sets.iter())
.zip(self.q_evals.iter())
.zip(q_evals.iter())
.fold(
C::Scalar::zero(),
|msm_eval, ((points, evals), proof_eval)| {
@ -102,7 +101,7 @@ impl<C: CurveAffine> Proof<C> {
let eval = points.iter().fold(*proof_eval - &r_eval, |eval, point| {
eval * &(*x_3 - point).invert().unwrap()
});
msm_eval * &*x_2 + &eval
msm_eval * &x_2 + &eval
},
);
@ -112,20 +111,18 @@ impl<C: CurveAffine> Proof<C> {
// Compute the final commitment that has to be opened
let mut commitment_msm = params.empty_msm();
commitment_msm.append_term(C::Scalar::one(), self.f_commitment);
let (commitment_msm, msm_eval) = q_commitments.into_iter().zip(self.q_evals.iter()).fold(
commitment_msm.append_term(C::Scalar::one(), f_commitment);
let (commitment_msm, msm_eval) = q_commitments.into_iter().zip(q_evals.iter()).fold(
(commitment_msm, msm_eval),
|(mut commitment_msm, msm_eval), (q_commitment, q_eval)| {
commitment_msm.scale(*x_4);
commitment_msm.add_msm(&q_commitment);
(commitment_msm, msm_eval * &*x_4 + q_eval)
(commitment_msm, msm_eval * &x_4 + q_eval)
},
);
// Verify the opening proof
self.opening
.verify(params, msm, transcript, *x_3, commitment_msm, msm_eval)
}
super::commitment::verify_proof(params, msm, transcript, *x_3, commitment_msm, msm_eval)
}
#[doc(hidden)]