Remove fork from OpeningProof prover; add loop in PLONK prover to try different f_blind values

This commit is contained in:
therealyingtong 2020-09-19 13:21:05 +08:00
parent 208be28113
commit a6f5d0ad5e
No known key found for this signature in database
GPG Key ID: 179F32A1503D607E
5 changed files with 70 additions and 70 deletions


@ -529,51 +529,71 @@ impl<C: CurveAffine> Proof<C> {
})
.or_else(|| Some(poly));
}
let mut f_poly = f_poly.unwrap();
let mut f_blind = Blind(C::Scalar::random());
let f_commitment = params.commit(&f_poly, f_blind).to_affine();
let final_opening;
let final_f_commitment;
let final_q_evals;
hash_point(&mut transcript, &f_commitment)?;
loop {
let mut transcript_dup = transcript.clone();
let mut transcript_scalar_dup = transcript_scalar.clone();
let mut f_poly_dup = f_poly.clone().unwrap();
let x_6: C::Scalar = get_challenge_scalar(Challenge(transcript.squeeze().get_lower_128()));
let mut f_blind = Blind(C::Scalar::random());
let f_commitment = params.commit(&f_poly_dup, f_blind).to_affine();
hash_point(&mut transcript_dup, &f_commitment)?;
let mut q_evals = vec![C::Scalar::zero(); meta.rotations.len()];
let x_6: C::Scalar =
get_challenge_scalar(Challenge(transcript_dup.squeeze().get_lower_128()));
for (_, &point_index) in meta.rotations.iter() {
q_evals[point_index.0] =
eval_polynomial(&q_polys[point_index.0].as_ref().unwrap(), x_6);
let mut q_evals = vec![C::Scalar::zero(); meta.rotations.len()];
for (_, &point_index) in meta.rotations.iter() {
q_evals[point_index.0] =
eval_polynomial(&q_polys[point_index.0].as_ref().unwrap(), x_6);
}
for eval in q_evals.iter() {
transcript_scalar_dup.absorb(*eval);
}
let transcript_scalar_point =
C::Base::from_bytes(&(transcript_scalar_dup.squeeze()).to_bytes()).unwrap();
transcript_dup.absorb(transcript_scalar_point);
let x_7: C::Scalar =
get_challenge_scalar(Challenge(transcript_dup.squeeze().get_lower_128()));
for (_, &point_index) in meta.rotations.iter() {
f_blind *= x_7;
f_blind += q_blinds[point_index.0];
parallelize(&mut f_poly_dup, |f, start| {
for (f, a) in f
.iter_mut()
.zip(q_polys[point_index.0].as_ref().unwrap()[start..].iter())
{
*f *= &x_7;
*f += a;
}
});
}
// Check U
let u_x = transcript_dup.clone().squeeze();
// y^2 = x^3 + B
let u_y2 = u_x.square() * &u_x + &C::b();
if let Some(_) = u_y2.deterministic_sqrt() {
final_q_evals = q_evals;
final_f_commitment = f_commitment;
final_opening =
OpeningProof::create(&params, &mut transcript_dup, &f_poly_dup, f_blind, x_6)
.unwrap();
break;
}
}
for eval in q_evals.iter() {
transcript_scalar.absorb(*eval);
}
let transcript_scalar_point =
C::Base::from_bytes(&(transcript_scalar.squeeze()).to_bytes()).unwrap();
transcript.absorb(transcript_scalar_point);
let x_7: C::Scalar = get_challenge_scalar(Challenge(transcript.squeeze().get_lower_128()));
for (_, &point_index) in meta.rotations.iter() {
f_blind *= x_7;
f_blind += q_blinds[point_index.0];
parallelize(&mut f_poly, |f, start| {
for (f, a) in f
.iter_mut()
.zip(q_polys[point_index.0].as_ref().unwrap()[start..].iter())
{
*f *= &x_7;
*f += a;
}
});
}
// Let's prove that the q_commitment opens at x to the expected value.
let opening = OpeningProof::create(&params, &mut transcript, &f_poly, f_blind, x_6)
.map_err(|_| Error::ConstraintSystemFailure)?;
Ok(Proof {
advice_commitments,
h_commitments,
@ -584,9 +604,9 @@ impl<C: CurveAffine> Proof<C> {
advice_evals,
fixed_evals,
h_evals,
f_commitment,
q_evals,
opening,
f_commitment: final_f_commitment,
q_evals: final_q_evals,
opening: final_opening,
})
}
}
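Review bot: `OpeningProof::create(...).unwrap()` inside the new loop replaces the previous `.map_err(|_| Error::ConstraintSystemFailure)?`, so any failure in `create` now panics the prover instead of returning the error variant this function already has; keep the propagation, `final_opening = OpeningProof::create(&params, &mut transcript_dup, &f_poly_dup, f_blind, x_6).map_err(|_| Error::ConstraintSystemFailure)?;`. The loop's own U check (`transcript_dup.clone().squeeze()` followed by `deterministic_sqrt`) duplicates the one `create` performs, and the unwrap is only sound while both derive U from the same transcript state, which deserves a comment stating that invariant or, better, letting `create`'s `SamplingError` drive the retry so the check lives in one place. `f_poly.clone().unwrap()` also clones the whole polynomial on every attempt; unwrapping once before the loop (`let f_poly = f_poly.unwrap();`) and calling `f_poly.clone()` inside avoids re-checking the `Option` each round. Minor style: `if let Some(_) = u_y2.deterministic_sqrt()` reads more directly as `if u_y2.deterministic_sqrt().is_some()`. The enclosing function starts before this hunk.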


@ -19,6 +19,8 @@ pub use domain::*;
pub enum Error {
/// OpeningProof is not well-formed
OpeningError,
/// Caller needs to re-sample a point
SamplingError,
}
/// The basis over which a polynomial is described.
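Review bot: The doc comment on the new `SamplingError` variant (`/// Caller needs to re-sample a point`) does not say which point is meant or what the caller can do about it; from the `OpeningProof::create` change in this commit the variant is returned when the x-coordinate squeezed from the transcript for U has no square root, i.e. U is not on the curve. Suggest `/// The x-coordinate squeezed from the transcript for U is not on the curve; the caller must change the transcript (e.g. a fresh blinding factor) and retry.`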


@ -16,7 +16,6 @@ mod verifier;
/// This is a proof object for the polynomial commitment scheme opening.
#[derive(Debug, Clone)]
pub struct OpeningProof<C: CurveAffine> {
fork: u8,
rounds: Vec<(C, C)>,
delta: C,
z1: C::Scalar,


@ -1,4 +1,4 @@
use super::super::{Coeff, Polynomial};
use super::super::{Coeff, Error, Polynomial};
use super::{Blind, OpeningProof, Params};
use crate::arithmetic::{
best_multiexp, compute_inner_product, get_challenge_scalar, parallelize, small_multiexp,
@ -26,40 +26,22 @@ impl<C: CurveAffine> OpeningProof<C> {
px: &Polynomial<C::Scalar, Coeff>,
blind: Blind<C::Scalar>,
x: C::Scalar,
) -> Result<Self, ()> {
) -> Result<Self, Error> {
let mut blind = blind.0;
// We're limited to polynomials of degree n - 1.
assert!(px.len() <= params.n as usize);
let mut fork = 0;
// TODO: remove this hack and force the caller to deal with it
loop {
let mut transcript = transcript.clone();
transcript.absorb(C::Base::from_u64(fork as u64));
let u_x = transcript.squeeze();
// y^2 = x^3 + B
let u_y2 = u_x.square() * &u_x + &C::b();
let u_y = u_y2.deterministic_sqrt();
if u_y.is_none() {
fork += 1;
} else {
break;
}
}
transcript.absorb(C::Base::from_u64(fork as u64));
// Compute U
let u = {
let u_x = transcript.squeeze();
// y^2 = x^3 + B
let u_y2 = u_x.square() * &u_x + &C::b();
let u_y = u_y2.deterministic_sqrt().unwrap();
C::from_xy(u_x, u_y).unwrap()
if let Some(u_y) = u_y2.deterministic_sqrt() {
C::from_xy(u_x, u_y).unwrap()
} else {
return Err(Error::SamplingError);
}
};
// Initialize the vector `a` as the coefficients of the polynomial,
@ -205,7 +187,6 @@ impl<C: CurveAffine> OpeningProof<C> {
let z2 = c * &blind + &s;
Ok(OpeningProof {
fork,
rounds,
delta,
z1,
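Review bot: `C::from_xy(u_x, u_y).unwrap()` in the rewritten `u` block is justified only because `u_y` was just produced by `deterministic_sqrt` on `u_x^3 + b`, but nothing at the call site records that; `.expect("(u_x, u_y) satisfies y^2 = x^3 + b, so from_xy cannot fail")` keeps the same panic path while stating the invariant. With the fork retry removed, `create` can now return `Error::SamplingError` to the caller, which the function's doc comment should document in an `# Errors` section so callers know to re-randomize the transcript and retry rather than treat it as a hard failure. The `create` signature and its doc comment begin outside this hunk.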


@ -22,8 +22,6 @@ impl<C: CurveAffine> OpeningProof<C> {
return Err(Error::OpeningError);
}
transcript.absorb(C::Base::from_u64(self.fork as u64));
// Compute U
let u = {
let u_x = transcript.squeeze();