zec
/
halo2
mirror of https://github.com/zcash/halo2.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Various changes, including restoring permutation argument to advice wires only for now.

This commit is contained in:
Sean Bowe 2020-09-19 13:31:56 -06:00
parent e8839a7579
commit 73d494a72d
No known key found for this signature in database
GPG Key ID: 95684257D8F8B031
4 changed files with 106 additions and 178 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

175
src/plonk.rs
View File

@ -102,14 +102,6 @@ fn test_proving() {
#[derive(Copy, Clone, Debug)]
pub struct Variable(AdviceWire, usize);
/// This represents an auxiliary wire at a certain row in the ConstraintSystem
#[derive(Copy, Clone, Debug)]
pub struct AuxVariable(AuxWire, usize);
/// This represents a wire at a certain row in the ConstraintSystem
#[derive(Copy, Clone, Debug)]
pub struct PermVariable(Wire, usize);
// Initialize the polynomial commitment parameters
let params: Params<EqAffine> = Params::new::<DummyHash<Fq>>(K);
@ -120,13 +112,11 @@ fn test_proving() {
d: AdviceWire,
e: AdviceWire,
x: AuxWire,
sa: FixedWire,
sb: FixedWire,
sc: FixedWire,
sm: FixedWire,
sx: FixedWire,
sp: FixedWire,
perm: usize,
perm2: usize,
@ -139,15 +129,14 @@ fn test_proving() {
fn raw_add<F>(&mut self, f: F) -> Result<(Variable, Variable, Variable), Error>
where
F: FnOnce() -> Result<(FF, FF, FF), Error>;
fn copy(&mut self, a: PermVariable, b: PermVariable) -> Result<(), Error>;
fn raw_aux<F>(&mut self, f: F) -> Result<(Variable, AuxVariable), Error>
fn copy(&mut self, a: Variable, b: Variable) -> Result<(), Error>;
fn public_input<F>(&mut self, f: F) -> Result<Variable, Error>
where
F: FnOnce() -> Result<(FF, FF), Error>;
F: FnOnce() -> Result<FF, Error>;
}
struct MyCircuit<F: Field> {
a: Option<F>,
x: Option<F>,
}
struct StandardPLONK<'a, F: Field, CS: Assignment<F> + 'a> {
@ -245,31 +234,17 @@ fn test_proving() {
Variable(self.config.c, index),
))
}
fn copy(&mut self, left: PermVariable, right: PermVariable) -> Result<(), Error> {
fn copy(&mut self, left: Variable, right: Variable) -> Result<(), Error> {
let left_wire = match left.0 {
Wire::Advice(wire) => match wire {
x if x == self.config.a => 0,
x if x == self.config.b => 1,
x if x == self.config.c => 2,
_ => unreachable!(),
},
Wire::Aux(wire) => match wire {
x if x == self.config.x => 3,
_ => unreachable!(),
},
x if x == self.config.a => 0,
x if x == self.config.b => 1,
x if x == self.config.c => 2,
_ => unreachable!(),
};
let right_wire = match right.0 {
Wire::Advice(wire) => match wire {
x if x == self.config.a => 0,
x if x == self.config.b => 1,
x if x == self.config.c => 2,
_ => unreachable!(),
},
Wire::Aux(wire) => match wire {
x if x == self.config.x => 3,
_ => unreachable!(),
},
x if x == self.config.a => 0,
x if x == self.config.b => 1,
x if x == self.config.c => 2,
_ => unreachable!(),
};
@ -278,23 +253,17 @@ fn test_proving() {
self.cs
.copy(self.config.perm2, left_wire, left.1, right_wire, right.1)
}
fn raw_aux<F>(&mut self, f: F) -> Result<(Variable, AuxVariable), Error>
fn public_input<F>(&mut self, f: F) -> Result<Variable, Error>
where
F: FnOnce() -> Result<(FF, FF), Error>,
F: FnOnce() -> Result<FF, Error>,
{
let index = self.current_gate;
self.current_gate += 1;
let mut value = None;
self.cs.assign_advice(self.config.a, index, || {
value = Some(f()?);
Ok(value.ok_or(Error::SynthesisError)?.0)
})?;
self.cs.assign_advice(self.config.a, index, || f())?;
self.cs
.assign_fixed(self.config.sx, index, || Ok(FF::zero()))?;
Ok((
Variable(self.config.a, index),
AuxVariable(self.config.x, index),
))
.assign_fixed(self.config.sp, index, || Ok(FF::one()))?;
Ok(Variable(self.config.a, index))
}
}
@ -308,27 +277,16 @@ fn test_proving() {
let sf = meta.fixed_wire();
let c = meta.advice_wire();
let d = meta.advice_wire();
let p = meta.aux_wire();
let x = meta.aux_wire();
let perm = meta.permutation(&[
Wire::Advice(a),
Wire::Advice(b),
Wire::Advice(c),
Wire::Aux(x),
]);
let perm2 = meta.permutation(&[
Wire::Advice(a),
Wire::Advice(b),
Wire::Advice(c),
Wire::Aux(x),
]);
let perm = meta.permutation(&[a, b, c]);
let perm2 = meta.permutation(&[a, b, c]);
let sm = meta.fixed_wire();
let sa = meta.fixed_wire();
let sb = meta.fixed_wire();
let sc = meta.fixed_wire();
let sx = meta.fixed_wire();
let sp = meta.fixed_wire();
meta.create_gate(|meta| {
let d = meta.query_advice(d, 1);
@ -338,20 +296,20 @@ fn test_proving() {
let b = meta.query_advice(b, 0);
let c = meta.query_advice(c, 0);
let x = meta.query_aux(x, 0);
let sa = meta.query_fixed(sa, 0);
let sb = meta.query_fixed(sb, 0);
let sc = meta.query_fixed(sc, 0);
let sm = meta.query_fixed(sm, 0);
let sx = meta.query_fixed(sx, 0);
a.clone() * sa
+ b.clone() * sb
+ a * b * sm
+ (c * sc * (-F::one()))
+ sf * (d * e)
+ (x * sx * (-F::one()))
a.clone() * sa + b.clone() * sb + a * b * sm + (c * sc * (-F::one())) + sf * (d * e)
});
meta.create_gate(|meta| {
let a = meta.query_advice(a, 0);
let p = meta.query_aux(p, 0);
let sp = meta.query_fixed(sp, 0);
sp * (a + p * (-F::one()))
});
PLONKConfig {
@ -360,12 +318,11 @@ fn test_proving() {
c,
d,
e,
x,
sa,
sb,
sc,
sm,
sx,
sp,
perm,
perm2,
}
@ -378,6 +335,8 @@ fn test_proving() {
) -> Result<(), Error> {
let mut cs = StandardPLONK::new(cs, config);
let _ = cs.public_input(|| Ok(F::one() + F::one()))?;
for _ in 0..10 {
let mut a_squared = None;
let (a0, _, c0) = cs.raw_multiply(|| {
@ -396,66 +355,43 @@ fn test_proving() {
fin.ok_or(Error::SynthesisError)?,
))
})?;
cs.copy(
PermVariable(Wire::Advice(a0.0), a0.1),
PermVariable(Wire::Advice(a1.0), a1.1),
)?;
cs.copy(
PermVariable(Wire::Advice(b1.0), b1.1),
PermVariable(Wire::Advice(c0.0), c0.1),
)?;
cs.copy(a0, a1)?;
cs.copy(b1, c0)?;
}
let (_, x) = cs.raw_aux(|| {
Ok((
self.x.ok_or(Error::SynthesisError)?,
self.x.ok_or(Error::SynthesisError)?,
))
})?;
cs.copy(
PermVariable(Wire::Aux(x.0), x.1),
PermVariable(Wire::Aux(x.0), x.1),
)?;
Ok(())
}
}
let empty_circuit: MyCircuit<Fp> = MyCircuit { a: None, x: None };
let circuit: MyCircuit<Fp> = MyCircuit {
a: Some(Fp::random()),
};
let empty_circuit: MyCircuit<Fp> = MyCircuit { a: None };
// Initialize the SRS
let srs = SRS::generate(&params, &empty_circuit).expect("SRS generation should not fail");
// TODO: use meaningful value from recursion
let mut aux_lagrange_polys = vec![srs.domain.empty_lagrange(); srs.cs.num_aux_wires];
// TODO: use meaningful value from recursion
let mut aux_commitments: Vec<EqAffine> = vec![];
for poly in &aux_lagrange_polys {
let commitment = params.commit_lagrange(poly, Blind(Fp::zero()));
aux_commitments.push(commitment.to_affine());
}
let mut pubinputs = srs.domain.empty_lagrange();
pubinputs[0] = Fp::one();
pubinputs[0] += Fp::one();
let pubinput = params
.commit_lagrange(&pubinputs, Blind(Field::zero()))
.to_affine();
for _ in 0..100 {
// Generate circuit
let circuit: MyCircuit<Fp> = MyCircuit {
a: Some(Fp::random()),
// TODO: use meaningful value from recursion
x: Some(Fp::random()),
};
// Create a proof
let proof = Proof::create::<DummyHash<Fq>, DummyHash<Fp>, _>(
&params,
&srs,
&circuit,
&aux_lagrange_polys.clone(),
&[pubinputs.clone()],
)
.expect("proof generation should not fail");
let msm = params.empty_msm();
let guard = proof
.verify::<DummyHash<Fq>, DummyHash<Fp>>(&params, &srs, msm, aux_commitments.clone())
.verify::<DummyHash<Fq>, DummyHash<Fp>>(&params, &srs, msm, &[pubinput])
.unwrap();
{
let msm = guard.clone().use_challenges();
@ -469,7 +405,7 @@ fn test_proving() {
let msm = guard.clone().use_challenges();
assert!(msm.clone().is_zero());
let guard = proof
.verify::<DummyHash<Fq>, DummyHash<Fp>>(&params, &srs, msm, aux_commitments.clone())
.verify::<DummyHash<Fq>, DummyHash<Fp>>(&params, &srs, msm, &[pubinput])
.unwrap();
{
let msm = guard.clone().use_challenges();
@ -478,18 +414,7 @@ fn test_proving() {
{
let g = guard.compute_g();
let (msm, _) = guard.clone().use_g(g);
assert!(msm.clone().is_zero());
let mut g_scalars = vec![Fp::one(); 1 << K];
if let Some(msm_g_scalars) = msm.get_g_scalars() {
g_scalars = msm_g_scalars;
}
let g_lagrange_poly = srs.domain.lagrange_from_vec(g_scalars.clone());
aux_lagrange_polys = vec![g_lagrange_poly.clone(); 1];
let g_commitment = params
.commit_lagrange(&g_lagrange_poly, Blind(Fp::zero()))
.to_affine();
aux_commitments = vec![g_commitment; 1];
assert!(msm.is_zero());
}
}
}

21
src/plonk/circuit.rs
View File

@ -18,17 +18,6 @@ pub struct AdviceWire(pub usize);
#[derive(Copy, Clone, Debug, Eq, PartialEq, Hash)]
pub struct AuxWire(pub usize);
/// An enum over all wire types, to be used in permutations
#[derive(Copy, Clone, Debug, Eq, PartialEq, Hash)]
pub enum Wire {
/// Fixed wire
Fixed(FixedWire),
/// Advice wire
Advice(AdviceWire),
/// Auxiliary wire
Aux(AuxWire),
}
/// This trait allows a [`Circuit`] to direct some backend to assign a witness
/// for a constraint system.
pub trait Assignment<F: Field> {
@ -187,7 +176,7 @@ pub struct ConstraintSystem<F> {
// enforced between advice wire values in A, B and C, and another
// permutation between wires (B, C, D) which allows the same with D instead
// of A.
pub(crate) permutations: Vec<Vec<(Wire, usize)>>,
pub(crate) permutations: Vec<Vec<(AdviceWire, usize)>>,
}
impl<F: Field> Default for ConstraintSystem<F> {
@ -211,7 +200,7 @@ impl<F: Field> Default for ConstraintSystem<F> {
impl<F: Field> ConstraintSystem<F> {
/// Add a permutation argument for some advice wires
pub fn permutation(&mut self, wires: &[Wire]) -> usize {
pub fn permutation(&mut self, wires: &[AdviceWire]) -> usize {
let index = self.permutations.len();
if index == 0 {
let at = Rotation(-1);
@ -220,11 +209,7 @@ impl<F: Field> ConstraintSystem<F> {
}
let wires = wires
.iter()
.map(|&wire| match wire {
Wire::Advice(wire) => (Wire::Advice(wire), self.query_advice_index(wire, 0)),
Wire::Aux(wire) => (Wire::Aux(wire), self.query_aux_index(wire, 0)),
Wire::Fixed(wire) => (Wire::Fixed(wire), self.query_fixed_index(wire, 0)),
})
.map(|&wire| (wire, self.query_advice_index(wire, 0)))
.collect();
self.permutations.push(wires);

75
src/plonk/prover.rs
View File

@ -1,5 +1,5 @@
use super::{
circuit::{AdviceWire, Assignment, Circuit, ConstraintSystem, FixedWire, Wire},
circuit::{AdviceWire, Assignment, Circuit, ConstraintSystem, FixedWire},
hash_point, Error, Proof, SRS,
};
use crate::arithmetic::{
@ -24,8 +24,12 @@ impl<C: CurveAffine> Proof<C> {
params: &Params<C>,
srs: &SRS<C>,
circuit: &ConcreteCircuit,
aux_lagrange_polys: &[Polynomial<C::Scalar, LagrangeCoeff>],
aux: &[Polynomial<C::Scalar, LagrangeCoeff>],
) -> Result<Self, Error> {
if aux.len() != srs.cs.num_aux_wires {
return Err(Error::IncompatibleParams);
}
struct WitnessCollection<F: Field> {
advice: Vec<Polynomial<F, LagrangeCoeff>>,
_marker: std::marker::PhantomData<F>,
@ -89,6 +93,38 @@ impl<C: CurveAffine> Proof<C> {
// Create a transcript for obtaining Fiat-Shamir challenges.
let mut transcript = HBase::init(C::Base::one());
// Compute commitments to aux wire polynomials
let aux_commitments_projective: Vec<_> = aux
.iter()
.map(|poly| params.commit_lagrange(poly, Blind(C::Scalar::zero()))) // TODO: bad blind?
.collect();
let mut aux_commitments = vec![C::zero(); aux_commitments_projective.len()];
C::Projective::batch_to_affine(&aux_commitments_projective, &mut aux_commitments);
let aux_commitments = aux_commitments;
drop(aux_commitments_projective);
for commitment in &aux_commitments {
hash_point(&mut transcript, commitment)?;
}
let aux_polys: Vec<_> = aux
.clone()
.into_iter()
.map(|poly| {
let lagrange_vec = domain.lagrange_from_vec(poly.to_vec());
domain.lagrange_to_coeff(lagrange_vec)
})
.collect();
let aux_cosets: Vec<_> = meta
.aux_queries
.iter()
.map(|&(wire, at)| {
let poly = aux_polys[wire.0].clone();
domain.coeff_to_extended(poly, at)
})
.collect();
// Compute commitments to advice wire polynomials
let advice_blinds: Vec<_> = witness
.advice
@ -126,24 +162,6 @@ impl<C: CurveAffine> Proof<C> {
})
.collect();
let aux_polys: Vec<_> = aux_lagrange_polys
.clone()
.into_iter()
.map(|poly| {
let lagrange_vec = domain.lagrange_from_vec(poly.to_vec());
domain.lagrange_to_coeff(lagrange_vec)
})
.collect();
let aux_cosets: Vec<_> = meta
.aux_queries
.iter()
.map(|&(wire, at)| {
let poly = aux_polys[wire.0].clone();
domain.coeff_to_extended(poly, at)
})
.collect();
// Sample x_0 challenge
let x_0: C::Scalar = get_challenge_scalar(Challenge(transcript.squeeze().get_lower_128()));
@ -174,12 +192,7 @@ impl<C: CurveAffine> Proof<C> {
parallelize(&mut modified_advice, |modified_advice, start| {
for ((modified_advice, advice_value), permuted_advice_value) in modified_advice
.iter_mut()
.zip(match wire {
Wire::Advice(wire) => witness.advice[wire.0][start..].iter(),
Wire::Aux(wire) => aux_lagrange_polys[wire.0][start..].iter(),
// TODO: implement for fixed wires
_ => unreachable!(),
})
.zip(witness.advice[wire.0][start..].iter())
.zip(permuted_wire_values[start..].iter())
{
*modified_advice *= &(x_0 * permuted_advice_value + &x_1 + advice_value);
@ -210,13 +223,9 @@ impl<C: CurveAffine> Proof<C> {
let omega = domain.get_omega();
parallelize(&mut modified_advice, |modified_advice, start| {
let mut deltaomega = deltaomega * &omega.pow_vartime(&[start as u64, 0, 0, 0]);
for (modified_advice, advice_value) in
modified_advice.iter_mut().zip(match wire {
Wire::Advice(wire) => witness.advice[wire.0][start..].iter(),
Wire::Aux(wire) => aux_lagrange_polys[wire.0][start..].iter(),
// TODO: implement for fixed wires
_ => unreachable!(),
})
for (modified_advice, advice_value) in modified_advice
.iter_mut()
.zip(witness.advice[wire.0][start..].iter())
{
// Multiply by p_j(\omega^i) + \delta^j \omega^i \beta
*modified_advice *= &(deltaomega * &x_0 + &x_1 + advice_value);

13
src/plonk/verifier.rs
View File

@ -13,10 +13,13 @@ impl<'a, C: CurveAffine> Proof<C> {
params: &'a Params<C>,
srs: &SRS<C>,
mut msm: MSM<'a, C>,
aux_commitments: Vec<C>,
aux_commitments: &[C],
) -> Result<Guard<'a, C>, Error> {
// Check that aux_commitments matches the expected number of aux_wires
if aux_commitments.len() != srs.cs.num_aux_wires {
// and self.aux_evals
if aux_commitments.len() != srs.cs.num_aux_wires
|| self.aux_evals.len() != srs.cs.num_aux_wires
{
return Err(Error::IncompatibleParams);
}
@ -28,6 +31,12 @@ impl<'a, C: CurveAffine> Proof<C> {
// Create a transcript for obtaining Fiat-Shamir challenges.
let mut transcript = HBase::init(C::Base::one());
// Hash the aux (external) commitments into the transcript
for commitment in aux_commitments {
hash_point(&mut transcript, commitment)
.expect("proof cannot contain points at infinity"); // TODO
}
// Hash the prover's advice commitments into the transcript
for commitment in &self.advice_commitments {
hash_point(&mut transcript, commitment)