zec
/
halo2
mirror of https://github.com/zcash/halo2.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Refactor PLONK verifier

This commit is contained in:
therealyingtong 2021-01-21 08:04:44 +08:00
parent 02b5b8442b
commit def65609b1
1 changed files with 184 additions and 124 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

308
src/plonk/verifier.rs
View File

@ -17,35 +17,49 @@ pub fn verify_proof<'a, C: CurveAffine, T: TranscriptRead<C>>(
params: &'a Params<C>, params: &'a Params<C>,
vk: &VerifyingKey<C>, vk: &VerifyingKey<C>,
msm: MSM<'a, C>, msm: MSM<'a, C>,
aux_commitments: &[C], aux_commitments_vec: &[&[C]],
transcript: &mut T, transcript: &mut T,
) -> Result<Guard<'a, C>, Error> { ) -> Result<Guard<'a, C>, Error> {
// Check that aux_commitments matches the expected number of aux columns // Check that aux_commitments matches the expected number of aux columns
if aux_commitments.len() != vk.cs.num_aux_columns { for aux_commitments in aux_commitments_vec.iter() {
return Err(Error::IncompatibleParams); if aux_commitments.len() != vk.cs.num_aux_columns {
return Err(Error::IncompatibleParams);
}
} }
// Hash the aux (external) commitments into the transcript let num_proofs = aux_commitments_vec.len();
for commitment in aux_commitments {
transcript for aux_commitments in aux_commitments_vec.iter() {
.common_point(*commitment) // Hash the aux (external) commitments into the transcript
.map_err(|_| Error::TranscriptError)? for commitment in *aux_commitments {
transcript
.common_point(*commitment)
.map_err(|_| Error::TranscriptError)?
}
} }
// Hash the prover's advice commitments into the transcript let mut advice_commitments_vec = Vec::with_capacity(num_proofs);
let advice_commitments = for _ in 0..num_proofs {
read_n_points(transcript, vk.cs.num_advice_columns).map_err(|_| Error::TranscriptError)?; // Hash the prover's advice commitments into the transcript
let advice_commitments = read_n_points(transcript, vk.cs.num_advice_columns)
.map_err(|_| Error::TranscriptError)?;
advice_commitments_vec.push(advice_commitments);
}
// Sample theta challenge for keeping lookup columns linearly independent // Sample theta challenge for keeping lookup columns linearly independent
let theta = ChallengeTheta::get(transcript); let theta = ChallengeTheta::get(transcript);
// Hash each lookup permuted commitment let mut lookups_permuted_vec = Vec::with_capacity(num_proofs);
let lookups = vk for _ in 0..num_proofs {
.cs // Hash each lookup permuted commitment
.lookups let lookups = vk
.iter() .cs
.map(|argument| argument.read_permuted_commitments(transcript)) .lookups
.collect::<Result<Vec<_>, _>>()?; .iter()
.map(|argument| argument.read_permuted_commitments(transcript))
.collect::<Result<Vec<_>, _>>()?;
lookups_permuted_vec.push(lookups);
}
// Sample beta challenge // Sample beta challenge
let beta = ChallengeBeta::get(transcript); let beta = ChallengeBeta::get(transcript);
@ -53,19 +67,27 @@ pub fn verify_proof<'a, C: CurveAffine, T: TranscriptRead<C>>(
// Sample gamma challenge // Sample gamma challenge
let gamma = ChallengeGamma::get(transcript); let gamma = ChallengeGamma::get(transcript);
// Hash each permutation product commitment let mut permutations_committed_vec = Vec::with_capacity(num_proofs);
let permutations = vk for _ in 0..num_proofs {
.cs // Hash each permutation product commitment
.permutations let permutations = vk
.iter() .cs
.map(|argument| argument.read_product_commitment(transcript)) .permutations
.collect::<Result<Vec<_>, _>>()?; .iter()
.map(|argument| argument.read_product_commitment(transcript))
.collect::<Result<Vec<_>, _>>()?;
permutations_committed_vec.push(permutations);
}
// Hash each lookup product commitment let mut lookups_committed_vec = Vec::with_capacity(num_proofs);
let lookups = lookups for lookups in lookups_permuted_vec.into_iter() {
.into_iter() // Hash each lookup product commitment
.map(|lookup| lookup.read_product_commitment(transcript)) let lookups = lookups
.collect::<Result<Vec<_>, _>>()?; .into_iter()
.map(|lookup| lookup.read_product_commitment(transcript))
.collect::<Result<Vec<_>, _>>()?;
lookups_committed_vec.push(lookups);
}
// Sample y challenge, which keeps the gates linearly independent. // Sample y challenge, which keeps the gates linearly independent.
let y = ChallengeY::get(transcript); let y = ChallengeY::get(transcript);
@ -76,25 +98,43 @@ pub fn verify_proof<'a, C: CurveAffine, T: TranscriptRead<C>>(
// satisfied with high probability. // satisfied with high probability.
let x = ChallengeX::get(transcript); let x = ChallengeX::get(transcript);
let advice_evals = read_n_scalars(transcript, vk.cs.advice_queries.len()) let mut aux_evals_vec = Vec::with_capacity(num_proofs);
.map_err(|_| Error::TranscriptError)?; for _ in 0..num_proofs {
let aux_evals = let aux_evals = read_n_scalars(transcript, vk.cs.aux_queries.len())
read_n_scalars(transcript, vk.cs.aux_queries.len()).map_err(|_| Error::TranscriptError)?; .map_err(|_| Error::TranscriptError)?;
aux_evals_vec.push(aux_evals);
}
let mut advice_evals_vec = Vec::with_capacity(num_proofs);
for _ in 0..num_proofs {
let advice_evals = read_n_scalars(transcript, vk.cs.advice_queries.len())
.map_err(|_| Error::TranscriptError)?;
advice_evals_vec.push(advice_evals);
}
let fixed_evals = read_n_scalars(transcript, vk.cs.fixed_queries.len()) let fixed_evals = read_n_scalars(transcript, vk.cs.fixed_queries.len())
.map_err(|_| Error::TranscriptError)?; .map_err(|_| Error::TranscriptError)?;
let vanishing = vanishing.evaluate(transcript)?; let vanishing = vanishing.evaluate(transcript)?;
let permutations = permutations let mut permutations_evaluated_vec = Vec::with_capacity(num_proofs);
.into_iter() for permutations in permutations_committed_vec.into_iter() {
.zip(vk.permutations.iter()) let permutations = permutations
.map(|(permutation, vkey)| permutation.evaluate(vkey, transcript)) .into_iter()
.collect::<Result<Vec<_>, _>>()?; .zip(vk.permutations.iter())
.map(|(permutation, vkey)| permutation.evaluate(vkey, transcript))
.collect::<Result<Vec<_>, _>>()?;
permutations_evaluated_vec.push(permutations);
}
let lookups = lookups let mut lookups_evaluated_vec = Vec::with_capacity(num_proofs);
.into_iter() for lookups in lookups_committed_vec.into_iter() {
.map(|lookup| lookup.evaluate(transcript)) let lookups = lookups
.collect::<Result<Vec<_>, _>>()?; .into_iter()
.map(|lookup| lookup.evaluate(transcript))
.collect::<Result<Vec<_>, _>>()?;
lookups_evaluated_vec.push(lookups);
}
// This check ensures the circuit is satisfied so long as the polynomial // This check ensures the circuit is satisfied so long as the polynomial
// commitments open to the correct values. // commitments open to the correct values.
@ -109,102 +149,122 @@ pub fn verify_proof<'a, C: CurveAffine, T: TranscriptRead<C>>(
* &vk.domain.get_barycentric_weight(); // l_0(x) * &vk.domain.get_barycentric_weight(); // l_0(x)
// Compute the expected value of h(x) // Compute the expected value of h(x)
let expressions = std::iter::empty() let expressions = advice_evals_vec
// Evaluate the circuit using the custom gates provided .iter()
.chain(vk.cs.gates.iter().map(|poly| { .zip(aux_evals_vec.iter())
poly.evaluate( .zip(permutations_evaluated_vec.iter())
&|index| fixed_evals[index], .zip(lookups_evaluated_vec.iter())
&|index| advice_evals[index], .flat_map(|(((advice_evals, aux_evals), permutations), lookups)| {
&|index| aux_evals[index], let fixed_evals = fixed_evals.clone();
&|a, b| a + &b, let fixed_evals_copy = fixed_evals.clone();
&|a, b| a * &b,
&|a, scalar| a * &scalar, std::iter::empty()
) // Evaluate the circuit using the custom gates provided
})) .chain(vk.cs.gates.iter().map(move |poly| {
.chain( poly.evaluate(
permutations &|index| fixed_evals[index],
.iter() &|index| advice_evals[index],
.zip(vk.cs.permutations.iter()) &|index| aux_evals[index],
.map(|(p, argument)| { &|a, b| a + &b,
p.expressions(vk, argument, &advice_evals, l_0, beta, gamma, x) &|a, b| a * &b,
}) &|a, scalar| a * &scalar,
.into_iter()
.flatten(),
)
.chain(
lookups
.iter()
.zip(vk.cs.lookups.iter())
.map(|(p, argument)| {
p.expressions(
vk,
l_0,
argument,
theta,
beta,
gamma,
&advice_evals,
&fixed_evals,
&aux_evals,
) )
}) }))
.into_iter() .chain(
.flatten(), permutations
); .iter()
.zip(vk.cs.permutations.iter())
.map(move |(p, argument)| {
p.expressions(vk, argument, &advice_evals, l_0, beta, gamma, x)
})
.into_iter()
.flatten(),
)
.chain(
lookups
.iter()
.zip(vk.cs.lookups.iter())
.map(move |(p, argument)| {
p.expressions(
vk,
l_0,
argument,
theta,
beta,
gamma,
&advice_evals,
&fixed_evals_copy,
&aux_evals,
)
})
.into_iter()
.flatten(),
)
})
.collect::<Vec<_>>()
.into_iter();
vanishing.verify(expressions, y, xn)?; vanishing.verify(expressions, y, xn)?;
} }
let queries = iter::empty() let queries = aux_commitments_vec
.chain( .iter()
vk.cs .zip(aux_evals_vec.iter())
.advice_queries .zip(advice_commitments_vec.iter())
.iter() .zip(advice_evals_vec.iter())
.enumerate() .zip(permutations_evaluated_vec.iter())
.map(|(query_index, &(column, at))| VerifierQuery { .zip(lookups_evaluated_vec.iter())
point: vk.domain.rotate_omega(*x, at), .flat_map(
commitment: &advice_commitments[column.index()], |(
eval: advice_evals[query_index], ((((aux_commitments, aux_evals), advice_commitments), advice_evals), permutations),
}), lookups,
) )| {
.chain( iter::empty()
vk.cs .chain(vk.cs.aux_queries.iter().enumerate().map(
.aux_queries move |(query_index, &(column, at))| VerifierQuery {
.iter() point: vk.domain.rotate_omega(*x, at),
.enumerate() commitment: &aux_commitments[column.index()],
.map(|(query_index, &(column, at))| VerifierQuery { eval: aux_evals[query_index],
point: vk.domain.rotate_omega(*x, at), },
commitment: &aux_commitments[column.index()], ))
eval: aux_evals[query_index], .chain(vk.cs.advice_queries.iter().enumerate().map(
}), move |(query_index, &(column, at))| VerifierQuery {
point: vk.domain.rotate_omega(*x, at),
commitment: &advice_commitments[column.index()],
eval: advice_evals[query_index],
},
))
.chain(
permutations
.iter()
.zip(vk.permutations.iter())
.map(move |(p, vkey)| p.queries(vk, vkey, x))
.into_iter()
.flatten(),
)
.chain(
lookups
.iter()
.map(move |p| p.queries(vk, x))
.into_iter()
.flatten(),
)
},
) )
.collect::<Vec<_>>()
.into_iter()
.chain( .chain(
vk.cs vk.cs
.fixed_queries .fixed_queries
.iter() .iter()
.enumerate() .enumerate()
.map(|(query_index, &(column, at))| VerifierQuery { .map(move |(query_index, &(column, at))| VerifierQuery {
point: vk.domain.rotate_omega(*x, at), point: vk.domain.rotate_omega(*x, at),
commitment: &vk.fixed_commitments[column.index()], commitment: &vk.fixed_commitments[column.index()],
eval: fixed_evals[query_index], eval: fixed_evals.clone()[query_index],
}), }),
) )
.chain(vanishing.queries(x)) .chain(vanishing.queries(x));
.chain(
permutations
.iter()
.zip(vk.permutations.iter())
.map(|(p, vkey)| p.queries(vk, vkey, x))
.into_iter()
.flatten(),
)
.chain(
lookups
.iter()
.map(|p| p.queries(vk, x))
.into_iter()
.flatten(),
);
// We are now convinced the circuit is satisfied so long as the // We are now convinced the circuit is satisfied so long as the
// polynomial commitments open to the correct values. // polynomial commitments open to the correct values.