mirror of https://github.com/zcash/halo2.git
Rename l_cover to l_blind for clarity.
This commit is contained in:
Sean Bowe
parent
f89e27ad10
commit
7c66323d87
|
|
@ -124,7 +124,7 @@ pub struct PinnedVerificationKey<'a, C: CurveAffine> {
|
|||
pub struct ProvingKey<C: CurveAffine> {
|
||||
vk: VerifyingKey<C>,
|
||||
l0: Polynomial<C::Scalar, ExtendedLagrangeCoeff>,
|
||||
l_cover: Polynomial<C::Scalar, ExtendedLagrangeCoeff>,
|
||||
l_blind: Polynomial<C::Scalar, ExtendedLagrangeCoeff>,
|
||||
l_last: Polynomial<C::Scalar, ExtendedLagrangeCoeff>,
|
||||
fixed_values: Vec<Polynomial<C::Scalar, LagrangeCoeff>>,
|
||||
fixed_polys: Vec<Polynomial<C::Scalar, Coeff>>,
|
||||
|
|
|
|||
|
|
@ -260,14 +260,14 @@ where
|
|||
let l0 = vk.domain.lagrange_to_coeff(l0);
|
||||
let l0 = vk.domain.coeff_to_extended(l0, Rotation::cur());
|
||||
|
||||
// Compute l_cover(X) which evaluates to 1 for each blinding factor row
|
||||
// Compute l_blind(X) which evaluates to 1 for each blinding factor row
|
||||
// and 0 otherwise over the domain.
|
||||
let mut l_cover = vk.domain.empty_lagrange();
|
||||
for evaluation in l_cover[..].iter_mut().rev().take(cs.blinding_factors()) {
|
||||
let mut l_blind = vk.domain.empty_lagrange();
|
||||
for evaluation in l_blind[..].iter_mut().rev().take(cs.blinding_factors()) {
|
||||
*evaluation = C::Scalar::one();
|
||||
}
|
||||
let l_cover = vk.domain.lagrange_to_coeff(l_cover);
|
||||
let l_cover = vk.domain.coeff_to_extended(l_cover, Rotation::cur());
|
||||
let l_blind = vk.domain.lagrange_to_coeff(l_blind);
|
||||
let l_blind = vk.domain.coeff_to_extended(l_blind, Rotation::cur());
|
||||
|
||||
// Compute l_last(X) which evaluates to 1 on the first inactive row (just
|
||||
// before the blinding factors) and 0 otherwise over the domain
|
||||
|
|
@ -283,7 +283,7 @@ where
|
|||
Ok(ProvingKey {
|
||||
vk,
|
||||
l0,
|
||||
l_cover,
|
||||
l_blind,
|
||||
l_last,
|
||||
fixed_values: fixed,
|
||||
fixed_polys,
|
||||
|
|
|
|||
|
|
@ -36,7 +36,7 @@ impl<F: Field> Argument<F> {
|
|||
//
|
||||
// Enable the permutation argument for only the rows involved.
|
||||
// degree (2 + input_degree + table_degree) or 4, whichever is larger:
|
||||
// (1 - (l_last + l_cover)) * (
|
||||
// (1 - (l_last + l_blind)) * (
|
||||
// z(\omega X) (a'(X) + \beta) (s'(X) + \gamma)
|
||||
// - z(X) (\theta^{m-1} a_0(X) + ... + a_{m-1}(X) + \beta) (\theta^{m-1} s_0(X) + ... + s_{m-1}(X) + \gamma)
|
||||
// ) = 0
|
||||
|
|
@ -48,7 +48,7 @@ impl<F: Field> Argument<F> {
|
|||
// Either the two values are the same, or the previous
|
||||
// value of a' is the same as the current value.
|
||||
// degree 3:
|
||||
// (1 - (l_last + l_cover)) * (a′(X)−s′(X))⋅(a′(X)−a′(\omega{-1} X)) = 0
|
||||
// (1 - (l_last + l_blind)) * (a′(X)−s′(X))⋅(a′(X)−a′(\omega{-1} X)) = 0
|
||||
let mut input_degree = 1;
|
||||
for expr in self.input_expressions.iter() {
|
||||
input_degree = std::cmp::max(input_degree, expr.degree());
|
||||
|
|
|
|||
|
|
@ -434,7 +434,7 @@ impl<'a, C: CurveAffine> Committed<C> {
|
|||
) {
|
||||
let permuted = self.permuted;
|
||||
|
||||
let active_rows = Polynomial::one_minus(pk.l_last.clone() + &pk.l_cover);
|
||||
let active_rows = Polynomial::one_minus(pk.l_last.clone() + &pk.l_blind);
|
||||
|
||||
let expressions = iter::empty()
|
||||
// l_0(X) * (1 - z(X)) = 0
|
||||
|
|
@ -446,7 +446,7 @@ impl<'a, C: CurveAffine> Committed<C> {
|
|||
(self.product_coset.clone() * &self.product_coset - &self.product_coset)
|
||||
* &pk.l_last,
|
||||
))
|
||||
// (1 - (l_last + l_cover)) * (
|
||||
// (1 - (l_last + l_blind)) * (
|
||||
// z(\omega X) (a'(X) + \beta) (s'(X) + \gamma)
|
||||
// - z(X) (\theta^{m-1} a_0(X) + ... + a_{m-1}(X) + \beta) (\theta^{m-1} s_0(X) + ... + s_{m-1}(X) + \gamma)
|
||||
// ) = 0
|
||||
|
|
@ -501,7 +501,7 @@ impl<'a, C: CurveAffine> Committed<C> {
|
|||
// Check that each value in the permuted lookup input expression is either
|
||||
// equal to the value above it, or the value at the same index in the
|
||||
// permuted table expression.
|
||||
// (1 - (l_last + l_cover)) * (a′(X)−s′(X))⋅(a′(X)−a′(\omega{-1} X)) = 0
|
||||
// (1 - (l_last + l_blind)) * (a′(X)−s′(X))⋅(a′(X)−a′(\omega{-1} X)) = 0
|
||||
.chain(Some(
|
||||
(permuted.permuted_input_coset.clone() - &permuted.permuted_table_coset)
|
||||
* &(permuted.permuted_input_coset.clone() - &permuted.permuted_input_inv_coset)
|
||||
|
|
|
|||
|
|
@ -110,7 +110,7 @@ impl<C: CurveAffine> Evaluated<C> {
|
|||
&'a self,
|
||||
l_0: C::Scalar,
|
||||
l_last: C::Scalar,
|
||||
l_cover: C::Scalar,
|
||||
l_blind: C::Scalar,
|
||||
argument: &'a Argument<C::Scalar>,
|
||||
theta: ChallengeTheta<C>,
|
||||
beta: ChallengeBeta<C>,
|
||||
|
|
@ -119,7 +119,7 @@ impl<C: CurveAffine> Evaluated<C> {
|
|||
fixed_evals: &[C::Scalar],
|
||||
instance_evals: &[C::Scalar],
|
||||
) -> impl Iterator<Item = C::Scalar> + 'a {
|
||||
let active_rows = C::Scalar::one() - (l_last + l_cover);
|
||||
let active_rows = C::Scalar::one() - (l_last + l_blind);
|
||||
|
||||
let product_expression = || {
|
||||
// z(\omega X) (a'(X) + \beta) (s'(X) + \gamma)
|
||||
|
|
@ -161,7 +161,7 @@ impl<C: CurveAffine> Evaluated<C> {
|
|||
Some(l_last * &(self.product_eval.square() - &self.product_eval)),
|
||||
)
|
||||
.chain(
|
||||
// (1 - (l_last + l_cover)) * (
|
||||
// (1 - (l_last + l_blind)) * (
|
||||
// z(\omega X) (a'(X) + \beta) (s'(X) + \gamma)
|
||||
// - z(X) (\theta^{m-1} a_0(X) + ... + a_{m-1}(X) + \beta) (\theta^{m-1} s_0(X) + ... + s_{m-1}(X) + \gamma)
|
||||
// ) = 0
|
||||
|
|
@ -172,7 +172,7 @@ impl<C: CurveAffine> Evaluated<C> {
|
|||
l_0 * &(self.permuted_input_eval - &self.permuted_table_eval),
|
||||
))
|
||||
.chain(Some(
|
||||
// (1 - (l_last + l_cover)) * (a′(X)−s′(X))⋅(a′(X)−a′(\omega{-1} X)) = 0
|
||||
// (1 - (l_last + l_blind)) * (a′(X)−s′(X))⋅(a′(X)−a′(\omega{-1} X)) = 0
|
||||
(self.permuted_input_eval - &self.permuted_table_eval)
|
||||
* &(self.permuted_input_eval - &self.permuted_input_inv_eval)
|
||||
* &active_rows,
|
||||
|
|
|
|||
|
|
@ -31,7 +31,7 @@ impl Argument {
|
|||
// following will not affect the required degree of
|
||||
// this middleware.
|
||||
//
|
||||
// (1 - (l_last + l_cover)) * (
|
||||
// (1 - (l_last + l_blind)) * (
|
||||
// z(\omega X) \prod (p(X) + \beta s_i(X) + \gamma)
|
||||
// - z(X) \prod (p(X) + \delta^i \beta X + \gamma)
|
||||
// )
|
||||
|
|
|
|||
|
|
@ -60,7 +60,7 @@ impl Argument {
|
|||
let domain = &pk.vk.domain;
|
||||
|
||||
// How many columns can be included in a single permutation polynomial?
|
||||
// We need to multiply by z(X) and (1 - (l_last(X) + l_cover(X))). This
|
||||
// We need to multiply by z(X) and (1 - (l_last(X) + l_blind(X))). This
|
||||
// will never underflow because of the requirement of at least a degree
|
||||
// 3 circuit for the permutation argument.
|
||||
let chunk_len = pk.vk.cs.degree() - 2;
|
||||
|
|
@ -261,7 +261,7 @@ impl<C: CurveAffine> Committed<C> {
|
|||
.map(move |(coset, coset_last)| (coset - &coset_last) * &pk.l0),
|
||||
)
|
||||
// And for all the sets we enforce:
|
||||
// (1 - (l_last + l_cover)) * (
|
||||
// (1 - (l_last + l_blind)) * (
|
||||
// z_i(\omega X) \prod (p(X) + \beta s_i(X) + \gamma)
|
||||
// - z_i(X) \prod (p(X) + \delta^i \beta X + \gamma)
|
||||
// )
|
||||
|
|
@ -331,7 +331,7 @@ impl<C: CurveAffine> Committed<C> {
|
|||
current_delta *= &C::Scalar::DELTA;
|
||||
}
|
||||
|
||||
(left - &right) * &Polynomial::one_minus(pk.l_last.clone() + &pk.l_cover)
|
||||
(left - &right) * &Polynomial::one_minus(pk.l_last.clone() + &pk.l_blind)
|
||||
}),
|
||||
);
|
||||
|
||||
|
|
|
|||
|
|
@ -108,7 +108,7 @@ impl<C: CurveAffine> Evaluated<C> {
|
|||
instance_evals: &'a [C::Scalar],
|
||||
l_0: C::Scalar,
|
||||
l_last: C::Scalar,
|
||||
l_cover: C::Scalar,
|
||||
l_blind: C::Scalar,
|
||||
beta: ChallengeBeta<C>,
|
||||
gamma: ChallengeGamma<C>,
|
||||
x: ChallengeX<C>,
|
||||
|
|
@ -146,7 +146,7 @@ impl<C: CurveAffine> Evaluated<C> {
|
|||
.map(move |(set, prev_last)| (set - &prev_last) * &l_0),
|
||||
)
|
||||
// And for all the sets we enforce:
|
||||
// (1 - (l_last + l_cover)) * (
|
||||
// (1 - (l_last + l_blind)) * (
|
||||
// z_i(\omega X) \prod (p(X) + \beta s_i(X) + \gamma)
|
||||
// - z_i(X) \prod (p(X) + \delta^i \beta X + \gamma)
|
||||
// )
|
||||
|
|
@ -195,7 +195,7 @@ impl<C: CurveAffine> Evaluated<C> {
|
|||
current_delta *= &C::Scalar::DELTA;
|
||||
}
|
||||
|
||||
(left - &right) * (C::Scalar::one() - &(l_last + &l_cover))
|
||||
(left - &right) * (C::Scalar::one() - &(l_last + &l_blind))
|
||||
}),
|
||||
)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -143,7 +143,7 @@ pub fn verify_proof<'params, C: CurveAffine, E: EncodedChallenge<C>, T: Transcri
|
|||
.l_i_range(*x, xn, (-((blinding_factors + 1) as i32))..=0);
|
||||
assert_eq!(l_evals.len(), 2 + blinding_factors);
|
||||
let l_last = l_evals[0];
|
||||
let l_cover: C::Scalar = l_evals[1..(1 + blinding_factors)]
|
||||
let l_blind: C::Scalar = l_evals[1..(1 + blinding_factors)]
|
||||
.iter()
|
||||
.fold(C::Scalar::zero(), |acc, eval| acc + eval);
|
||||
let l_0 = l_evals[1 + blinding_factors];
|
||||
|
|
@ -179,7 +179,7 @@ pub fn verify_proof<'params, C: CurveAffine, E: EncodedChallenge<C>, T: Transcri
|
|||
&instance_evals,
|
||||
l_0,
|
||||
l_last,
|
||||
l_cover,
|
||||
l_blind,
|
||||
beta,
|
||||
gamma,
|
||||
x,
|
||||
|
|
@ -192,7 +192,7 @@ pub fn verify_proof<'params, C: CurveAffine, E: EncodedChallenge<C>, T: Transcri
|
|||
p.expressions(
|
||||
l_0,
|
||||
l_last,
|
||||
l_cover,
|
||||
l_blind,
|
||||
argument,
|
||||
theta,
|
||||
beta,
|
||||
|
|
|
|||
Loading…
Reference in New Issue