mirror of https://github.com/zcash/halo2.git
Various changes, including restoring permutation argument to advice wires only for now.
This commit is contained in:
parent
e8839a7579
commit
73d494a72d
175
src/plonk.rs
175
src/plonk.rs
|
@ -102,14 +102,6 @@ fn test_proving() {
|
||||||
#[derive(Copy, Clone, Debug)]
|
#[derive(Copy, Clone, Debug)]
|
||||||
pub struct Variable(AdviceWire, usize);
|
pub struct Variable(AdviceWire, usize);
|
||||||
|
|
||||||
/// This represents an auxiliary wire at a certain row in the ConstraintSystem
|
|
||||||
#[derive(Copy, Clone, Debug)]
|
|
||||||
pub struct AuxVariable(AuxWire, usize);
|
|
||||||
|
|
||||||
/// This represents a wire at a certain row in the ConstraintSystem
|
|
||||||
#[derive(Copy, Clone, Debug)]
|
|
||||||
pub struct PermVariable(Wire, usize);
|
|
||||||
|
|
||||||
// Initialize the polynomial commitment parameters
|
// Initialize the polynomial commitment parameters
|
||||||
let params: Params<EqAffine> = Params::new::<DummyHash<Fq>>(K);
|
let params: Params<EqAffine> = Params::new::<DummyHash<Fq>>(K);
|
||||||
|
|
||||||
|
@ -120,13 +112,11 @@ fn test_proving() {
|
||||||
d: AdviceWire,
|
d: AdviceWire,
|
||||||
e: AdviceWire,
|
e: AdviceWire,
|
||||||
|
|
||||||
x: AuxWire,
|
|
||||||
|
|
||||||
sa: FixedWire,
|
sa: FixedWire,
|
||||||
sb: FixedWire,
|
sb: FixedWire,
|
||||||
sc: FixedWire,
|
sc: FixedWire,
|
||||||
sm: FixedWire,
|
sm: FixedWire,
|
||||||
sx: FixedWire,
|
sp: FixedWire,
|
||||||
|
|
||||||
perm: usize,
|
perm: usize,
|
||||||
perm2: usize,
|
perm2: usize,
|
||||||
|
@ -139,15 +129,14 @@ fn test_proving() {
|
||||||
fn raw_add<F>(&mut self, f: F) -> Result<(Variable, Variable, Variable), Error>
|
fn raw_add<F>(&mut self, f: F) -> Result<(Variable, Variable, Variable), Error>
|
||||||
where
|
where
|
||||||
F: FnOnce() -> Result<(FF, FF, FF), Error>;
|
F: FnOnce() -> Result<(FF, FF, FF), Error>;
|
||||||
fn copy(&mut self, a: PermVariable, b: PermVariable) -> Result<(), Error>;
|
fn copy(&mut self, a: Variable, b: Variable) -> Result<(), Error>;
|
||||||
fn raw_aux<F>(&mut self, f: F) -> Result<(Variable, AuxVariable), Error>
|
fn public_input<F>(&mut self, f: F) -> Result<Variable, Error>
|
||||||
where
|
where
|
||||||
F: FnOnce() -> Result<(FF, FF), Error>;
|
F: FnOnce() -> Result<FF, Error>;
|
||||||
}
|
}
|
||||||
|
|
||||||
struct MyCircuit<F: Field> {
|
struct MyCircuit<F: Field> {
|
||||||
a: Option<F>,
|
a: Option<F>,
|
||||||
x: Option<F>,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
struct StandardPLONK<'a, F: Field, CS: Assignment<F> + 'a> {
|
struct StandardPLONK<'a, F: Field, CS: Assignment<F> + 'a> {
|
||||||
|
@ -245,31 +234,17 @@ fn test_proving() {
|
||||||
Variable(self.config.c, index),
|
Variable(self.config.c, index),
|
||||||
))
|
))
|
||||||
}
|
}
|
||||||
fn copy(&mut self, left: PermVariable, right: PermVariable) -> Result<(), Error> {
|
fn copy(&mut self, left: Variable, right: Variable) -> Result<(), Error> {
|
||||||
let left_wire = match left.0 {
|
let left_wire = match left.0 {
|
||||||
Wire::Advice(wire) => match wire {
|
x if x == self.config.a => 0,
|
||||||
x if x == self.config.a => 0,
|
x if x == self.config.b => 1,
|
||||||
x if x == self.config.b => 1,
|
x if x == self.config.c => 2,
|
||||||
x if x == self.config.c => 2,
|
|
||||||
_ => unreachable!(),
|
|
||||||
},
|
|
||||||
Wire::Aux(wire) => match wire {
|
|
||||||
x if x == self.config.x => 3,
|
|
||||||
_ => unreachable!(),
|
|
||||||
},
|
|
||||||
_ => unreachable!(),
|
_ => unreachable!(),
|
||||||
};
|
};
|
||||||
let right_wire = match right.0 {
|
let right_wire = match right.0 {
|
||||||
Wire::Advice(wire) => match wire {
|
x if x == self.config.a => 0,
|
||||||
x if x == self.config.a => 0,
|
x if x == self.config.b => 1,
|
||||||
x if x == self.config.b => 1,
|
x if x == self.config.c => 2,
|
||||||
x if x == self.config.c => 2,
|
|
||||||
_ => unreachable!(),
|
|
||||||
},
|
|
||||||
Wire::Aux(wire) => match wire {
|
|
||||||
x if x == self.config.x => 3,
|
|
||||||
_ => unreachable!(),
|
|
||||||
},
|
|
||||||
_ => unreachable!(),
|
_ => unreachable!(),
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -278,23 +253,17 @@ fn test_proving() {
|
||||||
self.cs
|
self.cs
|
||||||
.copy(self.config.perm2, left_wire, left.1, right_wire, right.1)
|
.copy(self.config.perm2, left_wire, left.1, right_wire, right.1)
|
||||||
}
|
}
|
||||||
fn raw_aux<F>(&mut self, f: F) -> Result<(Variable, AuxVariable), Error>
|
fn public_input<F>(&mut self, f: F) -> Result<Variable, Error>
|
||||||
where
|
where
|
||||||
F: FnOnce() -> Result<(FF, FF), Error>,
|
F: FnOnce() -> Result<FF, Error>,
|
||||||
{
|
{
|
||||||
let index = self.current_gate;
|
let index = self.current_gate;
|
||||||
self.current_gate += 1;
|
self.current_gate += 1;
|
||||||
let mut value = None;
|
self.cs.assign_advice(self.config.a, index, || f())?;
|
||||||
self.cs.assign_advice(self.config.a, index, || {
|
|
||||||
value = Some(f()?);
|
|
||||||
Ok(value.ok_or(Error::SynthesisError)?.0)
|
|
||||||
})?;
|
|
||||||
self.cs
|
self.cs
|
||||||
.assign_fixed(self.config.sx, index, || Ok(FF::zero()))?;
|
.assign_fixed(self.config.sp, index, || Ok(FF::one()))?;
|
||||||
Ok((
|
|
||||||
Variable(self.config.a, index),
|
Ok(Variable(self.config.a, index))
|
||||||
AuxVariable(self.config.x, index),
|
|
||||||
))
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -308,27 +277,16 @@ fn test_proving() {
|
||||||
let sf = meta.fixed_wire();
|
let sf = meta.fixed_wire();
|
||||||
let c = meta.advice_wire();
|
let c = meta.advice_wire();
|
||||||
let d = meta.advice_wire();
|
let d = meta.advice_wire();
|
||||||
|
let p = meta.aux_wire();
|
||||||
|
|
||||||
let x = meta.aux_wire();
|
let perm = meta.permutation(&[a, b, c]);
|
||||||
|
let perm2 = meta.permutation(&[a, b, c]);
|
||||||
let perm = meta.permutation(&[
|
|
||||||
Wire::Advice(a),
|
|
||||||
Wire::Advice(b),
|
|
||||||
Wire::Advice(c),
|
|
||||||
Wire::Aux(x),
|
|
||||||
]);
|
|
||||||
let perm2 = meta.permutation(&[
|
|
||||||
Wire::Advice(a),
|
|
||||||
Wire::Advice(b),
|
|
||||||
Wire::Advice(c),
|
|
||||||
Wire::Aux(x),
|
|
||||||
]);
|
|
||||||
|
|
||||||
let sm = meta.fixed_wire();
|
let sm = meta.fixed_wire();
|
||||||
let sa = meta.fixed_wire();
|
let sa = meta.fixed_wire();
|
||||||
let sb = meta.fixed_wire();
|
let sb = meta.fixed_wire();
|
||||||
let sc = meta.fixed_wire();
|
let sc = meta.fixed_wire();
|
||||||
let sx = meta.fixed_wire();
|
let sp = meta.fixed_wire();
|
||||||
|
|
||||||
meta.create_gate(|meta| {
|
meta.create_gate(|meta| {
|
||||||
let d = meta.query_advice(d, 1);
|
let d = meta.query_advice(d, 1);
|
||||||
|
@ -338,20 +296,20 @@ fn test_proving() {
|
||||||
let b = meta.query_advice(b, 0);
|
let b = meta.query_advice(b, 0);
|
||||||
let c = meta.query_advice(c, 0);
|
let c = meta.query_advice(c, 0);
|
||||||
|
|
||||||
let x = meta.query_aux(x, 0);
|
|
||||||
|
|
||||||
let sa = meta.query_fixed(sa, 0);
|
let sa = meta.query_fixed(sa, 0);
|
||||||
let sb = meta.query_fixed(sb, 0);
|
let sb = meta.query_fixed(sb, 0);
|
||||||
let sc = meta.query_fixed(sc, 0);
|
let sc = meta.query_fixed(sc, 0);
|
||||||
let sm = meta.query_fixed(sm, 0);
|
let sm = meta.query_fixed(sm, 0);
|
||||||
let sx = meta.query_fixed(sx, 0);
|
|
||||||
|
|
||||||
a.clone() * sa
|
a.clone() * sa + b.clone() * sb + a * b * sm + (c * sc * (-F::one())) + sf * (d * e)
|
||||||
+ b.clone() * sb
|
});
|
||||||
+ a * b * sm
|
|
||||||
+ (c * sc * (-F::one()))
|
meta.create_gate(|meta| {
|
||||||
+ sf * (d * e)
|
let a = meta.query_advice(a, 0);
|
||||||
+ (x * sx * (-F::one()))
|
let p = meta.query_aux(p, 0);
|
||||||
|
let sp = meta.query_fixed(sp, 0);
|
||||||
|
|
||||||
|
sp * (a + p * (-F::one()))
|
||||||
});
|
});
|
||||||
|
|
||||||
PLONKConfig {
|
PLONKConfig {
|
||||||
|
@ -360,12 +318,11 @@ fn test_proving() {
|
||||||
c,
|
c,
|
||||||
d,
|
d,
|
||||||
e,
|
e,
|
||||||
x,
|
|
||||||
sa,
|
sa,
|
||||||
sb,
|
sb,
|
||||||
sc,
|
sc,
|
||||||
sm,
|
sm,
|
||||||
sx,
|
sp,
|
||||||
perm,
|
perm,
|
||||||
perm2,
|
perm2,
|
||||||
}
|
}
|
||||||
|
@ -378,6 +335,8 @@ fn test_proving() {
|
||||||
) -> Result<(), Error> {
|
) -> Result<(), Error> {
|
||||||
let mut cs = StandardPLONK::new(cs, config);
|
let mut cs = StandardPLONK::new(cs, config);
|
||||||
|
|
||||||
|
let _ = cs.public_input(|| Ok(F::one() + F::one()))?;
|
||||||
|
|
||||||
for _ in 0..10 {
|
for _ in 0..10 {
|
||||||
let mut a_squared = None;
|
let mut a_squared = None;
|
||||||
let (a0, _, c0) = cs.raw_multiply(|| {
|
let (a0, _, c0) = cs.raw_multiply(|| {
|
||||||
|
@ -396,66 +355,43 @@ fn test_proving() {
|
||||||
fin.ok_or(Error::SynthesisError)?,
|
fin.ok_or(Error::SynthesisError)?,
|
||||||
))
|
))
|
||||||
})?;
|
})?;
|
||||||
cs.copy(
|
cs.copy(a0, a1)?;
|
||||||
PermVariable(Wire::Advice(a0.0), a0.1),
|
cs.copy(b1, c0)?;
|
||||||
PermVariable(Wire::Advice(a1.0), a1.1),
|
|
||||||
)?;
|
|
||||||
cs.copy(
|
|
||||||
PermVariable(Wire::Advice(b1.0), b1.1),
|
|
||||||
PermVariable(Wire::Advice(c0.0), c0.1),
|
|
||||||
)?;
|
|
||||||
}
|
}
|
||||||
let (_, x) = cs.raw_aux(|| {
|
|
||||||
Ok((
|
|
||||||
self.x.ok_or(Error::SynthesisError)?,
|
|
||||||
self.x.ok_or(Error::SynthesisError)?,
|
|
||||||
))
|
|
||||||
})?;
|
|
||||||
cs.copy(
|
|
||||||
PermVariable(Wire::Aux(x.0), x.1),
|
|
||||||
PermVariable(Wire::Aux(x.0), x.1),
|
|
||||||
)?;
|
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
let empty_circuit: MyCircuit<Fp> = MyCircuit { a: None, x: None };
|
let circuit: MyCircuit<Fp> = MyCircuit {
|
||||||
|
a: Some(Fp::random()),
|
||||||
|
};
|
||||||
|
|
||||||
|
let empty_circuit: MyCircuit<Fp> = MyCircuit { a: None };
|
||||||
|
|
||||||
// Initialize the SRS
|
// Initialize the SRS
|
||||||
let srs = SRS::generate(¶ms, &empty_circuit).expect("SRS generation should not fail");
|
let srs = SRS::generate(¶ms, &empty_circuit).expect("SRS generation should not fail");
|
||||||
|
|
||||||
// TODO: use meaningful value from recursion
|
let mut pubinputs = srs.domain.empty_lagrange();
|
||||||
let mut aux_lagrange_polys = vec![srs.domain.empty_lagrange(); srs.cs.num_aux_wires];
|
pubinputs[0] = Fp::one();
|
||||||
|
pubinputs[0] += Fp::one();
|
||||||
// TODO: use meaningful value from recursion
|
let pubinput = params
|
||||||
let mut aux_commitments: Vec<EqAffine> = vec![];
|
.commit_lagrange(&pubinputs, Blind(Field::zero()))
|
||||||
for poly in &aux_lagrange_polys {
|
.to_affine();
|
||||||
let commitment = params.commit_lagrange(poly, Blind(Fp::zero()));
|
|
||||||
aux_commitments.push(commitment.to_affine());
|
|
||||||
}
|
|
||||||
|
|
||||||
for _ in 0..100 {
|
for _ in 0..100 {
|
||||||
// Generate circuit
|
|
||||||
let circuit: MyCircuit<Fp> = MyCircuit {
|
|
||||||
a: Some(Fp::random()),
|
|
||||||
|
|
||||||
// TODO: use meaningful value from recursion
|
|
||||||
x: Some(Fp::random()),
|
|
||||||
};
|
|
||||||
|
|
||||||
// Create a proof
|
// Create a proof
|
||||||
let proof = Proof::create::<DummyHash<Fq>, DummyHash<Fp>, _>(
|
let proof = Proof::create::<DummyHash<Fq>, DummyHash<Fp>, _>(
|
||||||
¶ms,
|
¶ms,
|
||||||
&srs,
|
&srs,
|
||||||
&circuit,
|
&circuit,
|
||||||
&aux_lagrange_polys.clone(),
|
&[pubinputs.clone()],
|
||||||
)
|
)
|
||||||
.expect("proof generation should not fail");
|
.expect("proof generation should not fail");
|
||||||
|
|
||||||
let msm = params.empty_msm();
|
let msm = params.empty_msm();
|
||||||
let guard = proof
|
let guard = proof
|
||||||
.verify::<DummyHash<Fq>, DummyHash<Fp>>(¶ms, &srs, msm, aux_commitments.clone())
|
.verify::<DummyHash<Fq>, DummyHash<Fp>>(¶ms, &srs, msm, &[pubinput])
|
||||||
.unwrap();
|
.unwrap();
|
||||||
{
|
{
|
||||||
let msm = guard.clone().use_challenges();
|
let msm = guard.clone().use_challenges();
|
||||||
|
@ -469,7 +405,7 @@ fn test_proving() {
|
||||||
let msm = guard.clone().use_challenges();
|
let msm = guard.clone().use_challenges();
|
||||||
assert!(msm.clone().is_zero());
|
assert!(msm.clone().is_zero());
|
||||||
let guard = proof
|
let guard = proof
|
||||||
.verify::<DummyHash<Fq>, DummyHash<Fp>>(¶ms, &srs, msm, aux_commitments.clone())
|
.verify::<DummyHash<Fq>, DummyHash<Fp>>(¶ms, &srs, msm, &[pubinput])
|
||||||
.unwrap();
|
.unwrap();
|
||||||
{
|
{
|
||||||
let msm = guard.clone().use_challenges();
|
let msm = guard.clone().use_challenges();
|
||||||
|
@ -478,18 +414,7 @@ fn test_proving() {
|
||||||
{
|
{
|
||||||
let g = guard.compute_g();
|
let g = guard.compute_g();
|
||||||
let (msm, _) = guard.clone().use_g(g);
|
let (msm, _) = guard.clone().use_g(g);
|
||||||
assert!(msm.clone().is_zero());
|
assert!(msm.is_zero());
|
||||||
|
|
||||||
let mut g_scalars = vec![Fp::one(); 1 << K];
|
|
||||||
if let Some(msm_g_scalars) = msm.get_g_scalars() {
|
|
||||||
g_scalars = msm_g_scalars;
|
|
||||||
}
|
|
||||||
let g_lagrange_poly = srs.domain.lagrange_from_vec(g_scalars.clone());
|
|
||||||
aux_lagrange_polys = vec![g_lagrange_poly.clone(); 1];
|
|
||||||
let g_commitment = params
|
|
||||||
.commit_lagrange(&g_lagrange_poly, Blind(Fp::zero()))
|
|
||||||
.to_affine();
|
|
||||||
aux_commitments = vec![g_commitment; 1];
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -18,17 +18,6 @@ pub struct AdviceWire(pub usize);
|
||||||
#[derive(Copy, Clone, Debug, Eq, PartialEq, Hash)]
|
#[derive(Copy, Clone, Debug, Eq, PartialEq, Hash)]
|
||||||
pub struct AuxWire(pub usize);
|
pub struct AuxWire(pub usize);
|
||||||
|
|
||||||
/// An enum over all wire types, to be used in permutations
|
|
||||||
#[derive(Copy, Clone, Debug, Eq, PartialEq, Hash)]
|
|
||||||
pub enum Wire {
|
|
||||||
/// Fixed wire
|
|
||||||
Fixed(FixedWire),
|
|
||||||
/// Advice wire
|
|
||||||
Advice(AdviceWire),
|
|
||||||
/// Auxiliary wire
|
|
||||||
Aux(AuxWire),
|
|
||||||
}
|
|
||||||
|
|
||||||
/// This trait allows a [`Circuit`] to direct some backend to assign a witness
|
/// This trait allows a [`Circuit`] to direct some backend to assign a witness
|
||||||
/// for a constraint system.
|
/// for a constraint system.
|
||||||
pub trait Assignment<F: Field> {
|
pub trait Assignment<F: Field> {
|
||||||
|
@ -187,7 +176,7 @@ pub struct ConstraintSystem<F> {
|
||||||
// enforced between advice wire values in A, B and C, and another
|
// enforced between advice wire values in A, B and C, and another
|
||||||
// permutation between wires (B, C, D) which allows the same with D instead
|
// permutation between wires (B, C, D) which allows the same with D instead
|
||||||
// of A.
|
// of A.
|
||||||
pub(crate) permutations: Vec<Vec<(Wire, usize)>>,
|
pub(crate) permutations: Vec<Vec<(AdviceWire, usize)>>,
|
||||||
}
|
}
|
||||||
|
|
||||||
impl<F: Field> Default for ConstraintSystem<F> {
|
impl<F: Field> Default for ConstraintSystem<F> {
|
||||||
|
@ -211,7 +200,7 @@ impl<F: Field> Default for ConstraintSystem<F> {
|
||||||
|
|
||||||
impl<F: Field> ConstraintSystem<F> {
|
impl<F: Field> ConstraintSystem<F> {
|
||||||
/// Add a permutation argument for some advice wires
|
/// Add a permutation argument for some advice wires
|
||||||
pub fn permutation(&mut self, wires: &[Wire]) -> usize {
|
pub fn permutation(&mut self, wires: &[AdviceWire]) -> usize {
|
||||||
let index = self.permutations.len();
|
let index = self.permutations.len();
|
||||||
if index == 0 {
|
if index == 0 {
|
||||||
let at = Rotation(-1);
|
let at = Rotation(-1);
|
||||||
|
@ -220,11 +209,7 @@ impl<F: Field> ConstraintSystem<F> {
|
||||||
}
|
}
|
||||||
let wires = wires
|
let wires = wires
|
||||||
.iter()
|
.iter()
|
||||||
.map(|&wire| match wire {
|
.map(|&wire| (wire, self.query_advice_index(wire, 0)))
|
||||||
Wire::Advice(wire) => (Wire::Advice(wire), self.query_advice_index(wire, 0)),
|
|
||||||
Wire::Aux(wire) => (Wire::Aux(wire), self.query_aux_index(wire, 0)),
|
|
||||||
Wire::Fixed(wire) => (Wire::Fixed(wire), self.query_fixed_index(wire, 0)),
|
|
||||||
})
|
|
||||||
.collect();
|
.collect();
|
||||||
self.permutations.push(wires);
|
self.permutations.push(wires);
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
use super::{
|
use super::{
|
||||||
circuit::{AdviceWire, Assignment, Circuit, ConstraintSystem, FixedWire, Wire},
|
circuit::{AdviceWire, Assignment, Circuit, ConstraintSystem, FixedWire},
|
||||||
hash_point, Error, Proof, SRS,
|
hash_point, Error, Proof, SRS,
|
||||||
};
|
};
|
||||||
use crate::arithmetic::{
|
use crate::arithmetic::{
|
||||||
|
@ -24,8 +24,12 @@ impl<C: CurveAffine> Proof<C> {
|
||||||
params: &Params<C>,
|
params: &Params<C>,
|
||||||
srs: &SRS<C>,
|
srs: &SRS<C>,
|
||||||
circuit: &ConcreteCircuit,
|
circuit: &ConcreteCircuit,
|
||||||
aux_lagrange_polys: &[Polynomial<C::Scalar, LagrangeCoeff>],
|
aux: &[Polynomial<C::Scalar, LagrangeCoeff>],
|
||||||
) -> Result<Self, Error> {
|
) -> Result<Self, Error> {
|
||||||
|
if aux.len() != srs.cs.num_aux_wires {
|
||||||
|
return Err(Error::IncompatibleParams);
|
||||||
|
}
|
||||||
|
|
||||||
struct WitnessCollection<F: Field> {
|
struct WitnessCollection<F: Field> {
|
||||||
advice: Vec<Polynomial<F, LagrangeCoeff>>,
|
advice: Vec<Polynomial<F, LagrangeCoeff>>,
|
||||||
_marker: std::marker::PhantomData<F>,
|
_marker: std::marker::PhantomData<F>,
|
||||||
|
@ -89,6 +93,38 @@ impl<C: CurveAffine> Proof<C> {
|
||||||
// Create a transcript for obtaining Fiat-Shamir challenges.
|
// Create a transcript for obtaining Fiat-Shamir challenges.
|
||||||
let mut transcript = HBase::init(C::Base::one());
|
let mut transcript = HBase::init(C::Base::one());
|
||||||
|
|
||||||
|
// Compute commitments to aux wire polynomials
|
||||||
|
let aux_commitments_projective: Vec<_> = aux
|
||||||
|
.iter()
|
||||||
|
.map(|poly| params.commit_lagrange(poly, Blind(C::Scalar::zero()))) // TODO: bad blind?
|
||||||
|
.collect();
|
||||||
|
let mut aux_commitments = vec![C::zero(); aux_commitments_projective.len()];
|
||||||
|
C::Projective::batch_to_affine(&aux_commitments_projective, &mut aux_commitments);
|
||||||
|
let aux_commitments = aux_commitments;
|
||||||
|
drop(aux_commitments_projective);
|
||||||
|
|
||||||
|
for commitment in &aux_commitments {
|
||||||
|
hash_point(&mut transcript, commitment)?;
|
||||||
|
}
|
||||||
|
|
||||||
|
let aux_polys: Vec<_> = aux
|
||||||
|
.clone()
|
||||||
|
.into_iter()
|
||||||
|
.map(|poly| {
|
||||||
|
let lagrange_vec = domain.lagrange_from_vec(poly.to_vec());
|
||||||
|
domain.lagrange_to_coeff(lagrange_vec)
|
||||||
|
})
|
||||||
|
.collect();
|
||||||
|
|
||||||
|
let aux_cosets: Vec<_> = meta
|
||||||
|
.aux_queries
|
||||||
|
.iter()
|
||||||
|
.map(|&(wire, at)| {
|
||||||
|
let poly = aux_polys[wire.0].clone();
|
||||||
|
domain.coeff_to_extended(poly, at)
|
||||||
|
})
|
||||||
|
.collect();
|
||||||
|
|
||||||
// Compute commitments to advice wire polynomials
|
// Compute commitments to advice wire polynomials
|
||||||
let advice_blinds: Vec<_> = witness
|
let advice_blinds: Vec<_> = witness
|
||||||
.advice
|
.advice
|
||||||
|
@ -126,24 +162,6 @@ impl<C: CurveAffine> Proof<C> {
|
||||||
})
|
})
|
||||||
.collect();
|
.collect();
|
||||||
|
|
||||||
let aux_polys: Vec<_> = aux_lagrange_polys
|
|
||||||
.clone()
|
|
||||||
.into_iter()
|
|
||||||
.map(|poly| {
|
|
||||||
let lagrange_vec = domain.lagrange_from_vec(poly.to_vec());
|
|
||||||
domain.lagrange_to_coeff(lagrange_vec)
|
|
||||||
})
|
|
||||||
.collect();
|
|
||||||
|
|
||||||
let aux_cosets: Vec<_> = meta
|
|
||||||
.aux_queries
|
|
||||||
.iter()
|
|
||||||
.map(|&(wire, at)| {
|
|
||||||
let poly = aux_polys[wire.0].clone();
|
|
||||||
domain.coeff_to_extended(poly, at)
|
|
||||||
})
|
|
||||||
.collect();
|
|
||||||
|
|
||||||
// Sample x_0 challenge
|
// Sample x_0 challenge
|
||||||
let x_0: C::Scalar = get_challenge_scalar(Challenge(transcript.squeeze().get_lower_128()));
|
let x_0: C::Scalar = get_challenge_scalar(Challenge(transcript.squeeze().get_lower_128()));
|
||||||
|
|
||||||
|
@ -174,12 +192,7 @@ impl<C: CurveAffine> Proof<C> {
|
||||||
parallelize(&mut modified_advice, |modified_advice, start| {
|
parallelize(&mut modified_advice, |modified_advice, start| {
|
||||||
for ((modified_advice, advice_value), permuted_advice_value) in modified_advice
|
for ((modified_advice, advice_value), permuted_advice_value) in modified_advice
|
||||||
.iter_mut()
|
.iter_mut()
|
||||||
.zip(match wire {
|
.zip(witness.advice[wire.0][start..].iter())
|
||||||
Wire::Advice(wire) => witness.advice[wire.0][start..].iter(),
|
|
||||||
Wire::Aux(wire) => aux_lagrange_polys[wire.0][start..].iter(),
|
|
||||||
// TODO: implement for fixed wires
|
|
||||||
_ => unreachable!(),
|
|
||||||
})
|
|
||||||
.zip(permuted_wire_values[start..].iter())
|
.zip(permuted_wire_values[start..].iter())
|
||||||
{
|
{
|
||||||
*modified_advice *= &(x_0 * permuted_advice_value + &x_1 + advice_value);
|
*modified_advice *= &(x_0 * permuted_advice_value + &x_1 + advice_value);
|
||||||
|
@ -210,13 +223,9 @@ impl<C: CurveAffine> Proof<C> {
|
||||||
let omega = domain.get_omega();
|
let omega = domain.get_omega();
|
||||||
parallelize(&mut modified_advice, |modified_advice, start| {
|
parallelize(&mut modified_advice, |modified_advice, start| {
|
||||||
let mut deltaomega = deltaomega * &omega.pow_vartime(&[start as u64, 0, 0, 0]);
|
let mut deltaomega = deltaomega * &omega.pow_vartime(&[start as u64, 0, 0, 0]);
|
||||||
for (modified_advice, advice_value) in
|
for (modified_advice, advice_value) in modified_advice
|
||||||
modified_advice.iter_mut().zip(match wire {
|
.iter_mut()
|
||||||
Wire::Advice(wire) => witness.advice[wire.0][start..].iter(),
|
.zip(witness.advice[wire.0][start..].iter())
|
||||||
Wire::Aux(wire) => aux_lagrange_polys[wire.0][start..].iter(),
|
|
||||||
// TODO: implement for fixed wires
|
|
||||||
_ => unreachable!(),
|
|
||||||
})
|
|
||||||
{
|
{
|
||||||
// Multiply by p_j(\omega^i) + \delta^j \omega^i \beta
|
// Multiply by p_j(\omega^i) + \delta^j \omega^i \beta
|
||||||
*modified_advice *= &(deltaomega * &x_0 + &x_1 + advice_value);
|
*modified_advice *= &(deltaomega * &x_0 + &x_1 + advice_value);
|
||||||
|
|
|
@ -13,10 +13,13 @@ impl<'a, C: CurveAffine> Proof<C> {
|
||||||
params: &'a Params<C>,
|
params: &'a Params<C>,
|
||||||
srs: &SRS<C>,
|
srs: &SRS<C>,
|
||||||
mut msm: MSM<'a, C>,
|
mut msm: MSM<'a, C>,
|
||||||
aux_commitments: Vec<C>,
|
aux_commitments: &[C],
|
||||||
) -> Result<Guard<'a, C>, Error> {
|
) -> Result<Guard<'a, C>, Error> {
|
||||||
// Check that aux_commitments matches the expected number of aux_wires
|
// Check that aux_commitments matches the expected number of aux_wires
|
||||||
if aux_commitments.len() != srs.cs.num_aux_wires {
|
// and self.aux_evals
|
||||||
|
if aux_commitments.len() != srs.cs.num_aux_wires
|
||||||
|
|| self.aux_evals.len() != srs.cs.num_aux_wires
|
||||||
|
{
|
||||||
return Err(Error::IncompatibleParams);
|
return Err(Error::IncompatibleParams);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -28,6 +31,12 @@ impl<'a, C: CurveAffine> Proof<C> {
|
||||||
// Create a transcript for obtaining Fiat-Shamir challenges.
|
// Create a transcript for obtaining Fiat-Shamir challenges.
|
||||||
let mut transcript = HBase::init(C::Base::one());
|
let mut transcript = HBase::init(C::Base::one());
|
||||||
|
|
||||||
|
// Hash the aux (external) commitments into the transcript
|
||||||
|
for commitment in aux_commitments {
|
||||||
|
hash_point(&mut transcript, commitment)
|
||||||
|
.expect("proof cannot contain points at infinity"); // TODO
|
||||||
|
}
|
||||||
|
|
||||||
// Hash the prover's advice commitments into the transcript
|
// Hash the prover's advice commitments into the transcript
|
||||||
for commitment in &self.advice_commitments {
|
for commitment in &self.advice_commitments {
|
||||||
hash_point(&mut transcript, commitment)
|
hash_point(&mut transcript, commitment)
|
||||||
|
|
Loading…
Reference in New Issue