mirror of https://github.com/zcash/halo2.git
commit
daf54ddec9
|
@ -344,13 +344,10 @@ impl<'a, C: CurveAffine> Committed<'a, C> {
|
||||||
theta: ChallengeTheta<C>,
|
theta: ChallengeTheta<C>,
|
||||||
beta: ChallengeBeta<C>,
|
beta: ChallengeBeta<C>,
|
||||||
gamma: ChallengeGamma<C>,
|
gamma: ChallengeGamma<C>,
|
||||||
) -> Result<
|
) -> (
|
||||||
(
|
|
||||||
Constructed<C>,
|
Constructed<C>,
|
||||||
impl Iterator<Item = Polynomial<C::Scalar, ExtendedLagrangeCoeff>> + 'a,
|
impl Iterator<Item = Polynomial<C::Scalar, ExtendedLagrangeCoeff>> + 'a,
|
||||||
),
|
) {
|
||||||
Error,
|
|
||||||
> {
|
|
||||||
let permuted = self.permuted;
|
let permuted = self.permuted;
|
||||||
|
|
||||||
let expressions = iter::empty()
|
let expressions = iter::empty()
|
||||||
|
@ -417,7 +414,7 @@ impl<'a, C: CurveAffine> Committed<'a, C> {
|
||||||
* &(permuted.permuted_input_coset.clone() - &permuted.permuted_input_inv_coset),
|
* &(permuted.permuted_input_coset.clone() - &permuted.permuted_input_inv_coset),
|
||||||
));
|
));
|
||||||
|
|
||||||
Ok((
|
(
|
||||||
Constructed {
|
Constructed {
|
||||||
permuted_input_poly: permuted.permuted_input_poly,
|
permuted_input_poly: permuted.permuted_input_poly,
|
||||||
permuted_input_blind: permuted.permuted_input_blind,
|
permuted_input_blind: permuted.permuted_input_blind,
|
||||||
|
@ -427,7 +424,7 @@ impl<'a, C: CurveAffine> Committed<'a, C> {
|
||||||
product_blind: self.product_blind,
|
product_blind: self.product_blind,
|
||||||
},
|
},
|
||||||
expressions,
|
expressions,
|
||||||
))
|
)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -506,6 +503,8 @@ impl<C: CurveAffine> Evaluated<C> {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type ColumnPair<F> = (Polynomial<F, LagrangeCoeff>, Polynomial<F, LagrangeCoeff>);
|
||||||
|
|
||||||
/// Given a column of input values A and a column of table values S,
|
/// Given a column of input values A and a column of table values S,
|
||||||
/// this method permutes A and S to produce A' and S', such that:
|
/// this method permutes A and S to produce A' and S', such that:
|
||||||
/// - like values in A' are vertically adjacent to each other; and
|
/// - like values in A' are vertically adjacent to each other; and
|
||||||
|
@ -516,13 +515,7 @@ fn permute_column_pair<C: CurveAffine>(
|
||||||
domain: &EvaluationDomain<C::Scalar>,
|
domain: &EvaluationDomain<C::Scalar>,
|
||||||
input_column: &Polynomial<C::Scalar, LagrangeCoeff>,
|
input_column: &Polynomial<C::Scalar, LagrangeCoeff>,
|
||||||
table_column: &Polynomial<C::Scalar, LagrangeCoeff>,
|
table_column: &Polynomial<C::Scalar, LagrangeCoeff>,
|
||||||
) -> Result<
|
) -> Result<ColumnPair<C::Scalar>, Error> {
|
||||||
(
|
|
||||||
Polynomial<C::Scalar, LagrangeCoeff>,
|
|
||||||
Polynomial<C::Scalar, LagrangeCoeff>,
|
|
||||||
),
|
|
||||||
Error,
|
|
||||||
> {
|
|
||||||
let mut permuted_input_column = input_column.clone();
|
let mut permuted_input_column = input_column.clone();
|
||||||
|
|
||||||
// Sort input lookup column values
|
// Sort input lookup column values
|
||||||
|
|
|
@ -141,13 +141,10 @@ impl<C: CurveAffine> Committed<C> {
|
||||||
advice_cosets: &'a [Polynomial<C::Scalar, ExtendedLagrangeCoeff>],
|
advice_cosets: &'a [Polynomial<C::Scalar, ExtendedLagrangeCoeff>],
|
||||||
beta: ChallengeBeta<C>,
|
beta: ChallengeBeta<C>,
|
||||||
gamma: ChallengeGamma<C>,
|
gamma: ChallengeGamma<C>,
|
||||||
) -> Result<
|
) -> (
|
||||||
(
|
|
||||||
Constructed<C>,
|
Constructed<C>,
|
||||||
impl Iterator<Item = Polynomial<C::Scalar, ExtendedLagrangeCoeff>> + 'a,
|
impl Iterator<Item = Polynomial<C::Scalar, ExtendedLagrangeCoeff>> + 'a,
|
||||||
),
|
) {
|
||||||
Error,
|
|
||||||
> {
|
|
||||||
let domain = &pk.vk.domain;
|
let domain = &pk.vk.domain;
|
||||||
|
|
||||||
let expressions = iter::empty()
|
let expressions = iter::empty()
|
||||||
|
@ -197,13 +194,13 @@ impl<C: CurveAffine> Committed<C> {
|
||||||
left - &right
|
left - &right
|
||||||
}));
|
}));
|
||||||
|
|
||||||
Ok((
|
(
|
||||||
Constructed {
|
Constructed {
|
||||||
permutation_product_poly: self.permutation_product_poly,
|
permutation_product_poly: self.permutation_product_poly,
|
||||||
permutation_product_blind: self.permutation_product_blind,
|
permutation_product_blind: self.permutation_product_blind,
|
||||||
},
|
},
|
||||||
expressions,
|
expressions,
|
||||||
))
|
)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -208,24 +208,24 @@ pub fn create_proof<C: CurveAffine, T: TranscriptWrite<C>, ConcreteCircuit: Circ
|
||||||
|
|
||||||
// Evaluate the h(X) polynomial's constraint system expressions for the permutation constraints, if any.
|
// Evaluate the h(X) polynomial's constraint system expressions for the permutation constraints, if any.
|
||||||
let (permutations, permutation_expressions): (Vec<_>, Vec<_>) = {
|
let (permutations, permutation_expressions): (Vec<_>, Vec<_>) = {
|
||||||
let tmp = permutations
|
let tmp: Vec<_> = permutations
|
||||||
.into_iter()
|
.into_iter()
|
||||||
.zip(pk.vk.cs.permutations.iter())
|
.zip(pk.vk.cs.permutations.iter())
|
||||||
.zip(pk.permutations.iter())
|
.zip(pk.permutations.iter())
|
||||||
.map(|((p, argument), pkey)| {
|
.map(|((p, argument), pkey)| {
|
||||||
p.construct(pk, argument, pkey, &advice_cosets, beta, gamma)
|
p.construct(pk, argument, pkey, &advice_cosets, beta, gamma)
|
||||||
})
|
})
|
||||||
.collect::<Result<Vec<_>, _>>()?;
|
.collect();
|
||||||
|
|
||||||
tmp.into_iter().unzip()
|
tmp.into_iter().unzip()
|
||||||
};
|
};
|
||||||
|
|
||||||
// Evaluate the h(X) polynomial's constraint system expressions for the lookup constraints, if any.
|
// Evaluate the h(X) polynomial's constraint system expressions for the lookup constraints, if any.
|
||||||
let (lookups, lookup_expressions): (Vec<_>, Vec<_>) = {
|
let (lookups, lookup_expressions): (Vec<_>, Vec<_>) = {
|
||||||
let tmp = lookups
|
let tmp: Vec<_> = lookups
|
||||||
.into_iter()
|
.into_iter()
|
||||||
.map(|p| p.construct(pk, theta, beta, gamma))
|
.map(|p| p.construct(pk, theta, beta, gamma))
|
||||||
.collect::<Result<Vec<_>, _>>()?;
|
.collect();
|
||||||
|
|
||||||
tmp.into_iter().unzip()
|
tmp.into_iter().unzip()
|
||||||
};
|
};
|
||||||
|
|
|
@ -89,10 +89,10 @@ impl<C: CurveAffine> Constructed<C> {
|
||||||
}
|
}
|
||||||
|
|
||||||
impl<C: CurveAffine> Evaluated<C> {
|
impl<C: CurveAffine> Evaluated<C> {
|
||||||
pub(in crate::plonk) fn open<'a>(
|
pub(in crate::plonk) fn open(
|
||||||
&'a self,
|
&self,
|
||||||
x: ChallengeX<C>,
|
x: ChallengeX<C>,
|
||||||
) -> impl Iterator<Item = ProverQuery<'a, C>> + Clone {
|
) -> impl Iterator<Item = ProverQuery<'_, C>> + Clone {
|
||||||
self.constructed
|
self.constructed
|
||||||
.h_pieces
|
.h_pieces
|
||||||
.iter()
|
.iter()
|
||||||
|
|
|
@ -70,10 +70,10 @@ impl<C: CurveAffine> Evaluated<C> {
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
pub(in crate::plonk) fn queries<'a>(
|
pub(in crate::plonk) fn queries(
|
||||||
&'a self,
|
&self,
|
||||||
x: ChallengeX<C>,
|
x: ChallengeX<C>,
|
||||||
) -> impl Iterator<Item = VerifierQuery<'a, C>> + Clone {
|
) -> impl Iterator<Item = VerifierQuery<'_, C>> + Clone {
|
||||||
self.h_commitments
|
self.h_commitments
|
||||||
.iter()
|
.iter()
|
||||||
.zip(self.h_evals.iter())
|
.zip(self.h_evals.iter())
|
||||||
|
|
|
@ -63,10 +63,8 @@ pub fn create_proof<C: CurveAffine, T: TranscriptWrite<C>>(
|
||||||
let mut final_poly = s_poly * iota + px;
|
let mut final_poly = s_poly * iota + px;
|
||||||
let v = eval_polynomial(&final_poly, x);
|
let v = eval_polynomial(&final_poly, x);
|
||||||
final_poly[0] = final_poly[0] - &v;
|
final_poly[0] = final_poly[0] - &v;
|
||||||
drop(px);
|
|
||||||
let blind = s_poly_blind * Blind(iota) + blind;
|
let blind = s_poly_blind * Blind(iota) + blind;
|
||||||
let mut blind = blind.0;
|
let mut blind = blind.0;
|
||||||
drop(s_poly_blind);
|
|
||||||
|
|
||||||
// Initialize the vector `a` as the coefficients of the polynomial,
|
// Initialize the vector `a` as the coefficients of the polynomial,
|
||||||
// rounding up to the parameters.
|
// rounding up to the parameters.
|
||||||
|
|
|
@ -61,7 +61,7 @@ impl<'a, C: CurveAffine> Guard<'a, C> {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Checks to see if an [`Proof`] is valid given the current `transcript`, and a
|
/// Checks to see if the proof represented within `transcript` is valid, and a
|
||||||
/// point `x` that the polynomial commitment `P` opens purportedly to the value
|
/// point `x` that the polynomial commitment `P` opens purportedly to the value
|
||||||
/// `v`. The provided `msm` should evaluate to the commitment `P` being opened.
|
/// `v`. The provided `msm` should evaluate to the commitment `P` being opened.
|
||||||
pub fn verify_proof<'a, C: CurveAffine, T: TranscriptRead<C>>(
|
pub fn verify_proof<'a, C: CurveAffine, T: TranscriptRead<C>>(
|
||||||
|
@ -160,7 +160,7 @@ fn compute_b<F: Field>(x: F, challenges: &[F]) -> F {
|
||||||
|
|
||||||
/// Computes the coefficients of $g(X) = \prod\limits_{i=0}^{k-1} (1 + u_i X^{2^i})$.
|
/// Computes the coefficients of $g(X) = \prod\limits_{i=0}^{k-1} (1 + u_i X^{2^i})$.
|
||||||
fn compute_s<F: Field>(challenges: &[F], init: F) -> Vec<F> {
|
fn compute_s<F: Field>(challenges: &[F], init: F) -> Vec<F> {
|
||||||
assert!(challenges.len() > 0);
|
assert!(!challenges.is_empty());
|
||||||
let mut v = vec![F::zero(); 1 << challenges.len()];
|
let mut v = vec![F::zero(); 1 << challenges.len()];
|
||||||
v[0] = init;
|
v[0] = init;
|
||||||
|
|
||||||
|
|
|
@ -87,9 +87,12 @@ trait Query<F>: Sized {
|
||||||
fn get_commitment(&self) -> Self::Commitment;
|
fn get_commitment(&self) -> Self::Commitment;
|
||||||
}
|
}
|
||||||
|
|
||||||
fn construct_intermediate_sets<F: FieldExt, I, Q: Query<F>>(
|
type IntermediateSets<F, Q> = (
|
||||||
queries: I,
|
Vec<CommitmentData<<Q as Query<F>>::Eval, <Q as Query<F>>::Commitment>>,
|
||||||
) -> (Vec<CommitmentData<Q::Eval, Q::Commitment>>, Vec<Vec<F>>)
|
Vec<Vec<F>>,
|
||||||
|
);
|
||||||
|
|
||||||
|
fn construct_intermediate_sets<F: FieldExt, I, Q: Query<F>>(queries: I) -> IntermediateSets<F, Q>
|
||||||
where
|
where
|
||||||
I: IntoIterator<Item = Q> + Clone,
|
I: IntoIterator<Item = Q> + Clone,
|
||||||
{
|
{
|
||||||
|
|
|
@ -104,7 +104,7 @@ where
|
||||||
let x_4 = ChallengeX4::get(transcript);
|
let x_4 = ChallengeX4::get(transcript);
|
||||||
|
|
||||||
let (f_poly, f_blind_try) = q_polys.iter().zip(q_blinds.iter()).fold(
|
let (f_poly, f_blind_try) = q_polys.iter().zip(q_blinds.iter()).fold(
|
||||||
(f_poly.clone(), f_blind),
|
(f_poly, f_blind),
|
||||||
|(f_poly, f_blind), (poly, blind)| {
|
|(f_poly, f_blind), (poly, blind)| {
|
||||||
(
|
(
|
||||||
f_poly * *x_4 + poly.as_ref().unwrap(),
|
f_poly * *x_4 + poly.as_ref().unwrap(),
|
||||||
|
|
|
@ -66,10 +66,9 @@ impl<R: Read, C: CurveAffine> TranscriptRead<C> for DummyHashRead<R, C> {
|
||||||
fn read_point(&mut self) -> io::Result<C> {
|
fn read_point(&mut self) -> io::Result<C> {
|
||||||
let mut compressed = [0u8; 32];
|
let mut compressed = [0u8; 32];
|
||||||
self.reader.read_exact(&mut compressed[..])?;
|
self.reader.read_exact(&mut compressed[..])?;
|
||||||
let point: C = Option::from(C::from_bytes(&compressed)).ok_or(io::Error::new(
|
let point: C = Option::from(C::from_bytes(&compressed)).ok_or_else(|| {
|
||||||
io::ErrorKind::Other,
|
io::Error::new(io::ErrorKind::Other, "invalid point encoding in proof")
|
||||||
"invalid point encoding in proof",
|
})?;
|
||||||
))?;
|
|
||||||
self.common_point(point)?;
|
self.common_point(point)?;
|
||||||
|
|
||||||
Ok(point)
|
Ok(point)
|
||||||
|
@ -78,10 +77,12 @@ impl<R: Read, C: CurveAffine> TranscriptRead<C> for DummyHashRead<R, C> {
|
||||||
fn read_scalar(&mut self) -> io::Result<C::Scalar> {
|
fn read_scalar(&mut self) -> io::Result<C::Scalar> {
|
||||||
let mut data = [0u8; 32];
|
let mut data = [0u8; 32];
|
||||||
self.reader.read_exact(&mut data)?;
|
self.reader.read_exact(&mut data)?;
|
||||||
let scalar = Option::from(C::Scalar::from_bytes(&data)).ok_or(io::Error::new(
|
let scalar = Option::from(C::Scalar::from_bytes(&data)).ok_or_else(|| {
|
||||||
|
io::Error::new(
|
||||||
io::ErrorKind::Other,
|
io::ErrorKind::Other,
|
||||||
"invalid field element encoding in proof",
|
"invalid field element encoding in proof",
|
||||||
))?;
|
)
|
||||||
|
})?;
|
||||||
self.scalar_state += &(scalar * &C::Scalar::ZETA);
|
self.scalar_state += &(scalar * &C::Scalar::ZETA);
|
||||||
self.scalar_state = self.scalar_state.square();
|
self.scalar_state = self.scalar_state.square();
|
||||||
self.read_scalar = true;
|
self.read_scalar = true;
|
||||||
|
@ -92,10 +93,12 @@ impl<R: Read, C: CurveAffine> TranscriptRead<C> for DummyHashRead<R, C> {
|
||||||
|
|
||||||
impl<R: Read, C: CurveAffine> Transcript<C> for DummyHashRead<R, C> {
|
impl<R: Read, C: CurveAffine> Transcript<C> for DummyHashRead<R, C> {
|
||||||
fn common_point(&mut self, point: C) -> io::Result<()> {
|
fn common_point(&mut self, point: C) -> io::Result<()> {
|
||||||
let (x, y) = Option::from(point.get_xy()).ok_or(io::Error::new(
|
let (x, y) = Option::from(point.get_xy()).ok_or_else(|| {
|
||||||
|
io::Error::new(
|
||||||
io::ErrorKind::Other,
|
io::ErrorKind::Other,
|
||||||
"cannot write points at infinity to the transcript",
|
"cannot write points at infinity to the transcript",
|
||||||
))?;
|
)
|
||||||
|
})?;
|
||||||
self.base_state += &(x * &C::Base::ZETA);
|
self.base_state += &(x * &C::Base::ZETA);
|
||||||
self.base_state = self.base_state.square();
|
self.base_state = self.base_state.square();
|
||||||
self.base_state += &(y * &C::Base::ZETA);
|
self.base_state += &(y * &C::Base::ZETA);
|
||||||
|
@ -170,10 +173,12 @@ impl<W: Write, C: CurveAffine> TranscriptWrite<C> for DummyHashWrite<W, C> {
|
||||||
|
|
||||||
impl<W: Write, C: CurveAffine> Transcript<C> for DummyHashWrite<W, C> {
|
impl<W: Write, C: CurveAffine> Transcript<C> for DummyHashWrite<W, C> {
|
||||||
fn common_point(&mut self, point: C) -> io::Result<()> {
|
fn common_point(&mut self, point: C) -> io::Result<()> {
|
||||||
let (x, y) = Option::from(point.get_xy()).ok_or(io::Error::new(
|
let (x, y) = Option::from(point.get_xy()).ok_or_else(|| {
|
||||||
|
io::Error::new(
|
||||||
io::ErrorKind::Other,
|
io::ErrorKind::Other,
|
||||||
"cannot write points at infinity to the transcript",
|
"cannot write points at infinity to the transcript",
|
||||||
))?;
|
)
|
||||||
|
})?;
|
||||||
self.base_state += &(x * &C::Base::ZETA);
|
self.base_state += &(x * &C::Base::ZETA);
|
||||||
self.base_state = self.base_state.square();
|
self.base_state = self.base_state.square();
|
||||||
self.base_state += &(y * &C::Base::ZETA);
|
self.base_state += &(y * &C::Base::ZETA);
|
||||||
|
|
Loading…
Reference in New Issue