therealyingtong
5a341b0f8f
Modify Assignment::copy() to take Column<Any> instead of usize
2021-02-24 00:18:22 +08:00
therealyingtong
d82a0c85b1
Modify Assignment::copy() to take Permutation instead of usize
2021-02-24 00:17:29 +08:00
therealyingtong
340fb2b6df
Move Permutation struct from crate::circuit -> plonk::circuit
2021-02-24 00:17:29 +08:00
Jack Grigg
b4ed5295fe
Migrate to group traits
...
The `Curve` trait is now `CurveExt: group::prime::PrimeCurve`, and
`CurveAffine` is now `CurveAffine: group::prime::PrimeCurveAffine`.
There is no `CurveAffine` trait in `group`, and it's a widely-used
trait in this crate, so we don't rename it to `CurveAffineExt`.
2021-02-22 20:20:23 +00:00
Jack Grigg
7037d55320
Rename Curve and CurveAffine properties to match group traits
2021-02-22 20:05:08 +00:00
Daira Hopwood
4d61ad8ff5
Need a borrow here.
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-02-18 23:50:19 +00:00
Sean Bowe
81af4e43d1
Update pinned verification key to account for circuit changes
2021-02-18 15:48:20 -07:00
therealyingtong
d29246b49b
Rename const_* -> constant_*
2021-02-18 15:41:36 -07:00
therealyingtong
4bf46fc349
Add Expression::Const variant
2021-02-18 15:41:36 -07:00
therealyingtong
6a7f869f66
Clippy fixes
2021-02-18 15:41:36 -07:00
therealyingtong
df2d818891
Account for Rotations of LagrangeCoeff values
2021-02-18 15:41:36 -07:00
therealyingtong
8e56b415fb
Rename column -> expression for lookups
2021-02-18 15:41:36 -07:00
therealyingtong
2f2de13887
Calculate required degree of lookup
2021-02-18 15:41:36 -07:00
therealyingtong
aca6de61f8
Evaluate Expressions and all variants
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-02-18 15:41:36 -07:00
therealyingtong
d8534e1c50
Pass Expressions to meta.lookup()
2021-02-18 15:41:35 -07:00
Sean Bowe
8060a12ea4
Fix minor nit (match ergonomics)
2021-02-17 15:39:46 -07:00
Sean Bowe
87536cea10
Use newtypes to simplify Debug implementations for pinning verification keys.
2021-02-17 15:20:19 -07:00
ebfull
bc9d05e67b
Apply suggestions from code review
...
Co-authored-by: str4d <jack@electriccoin.co>
2021-02-17 15:19:34 -07:00
Sean Bowe
dfa7d96fa9
Refactor verification key hashing logic to use Display impls.
2021-02-17 15:19:34 -07:00
therealyingtong
f35e190455
Hash in field modulus, curve parameters
2021-02-17 15:19:34 -07:00
therealyingtong
52c028b4da
Disambiguate naming of hash() -> hash_into()
2021-02-17 15:19:34 -07:00
therealyingtong
e7d6f67564
Rename aux -> instance after rebasing
2021-02-17 15:19:34 -07:00
therealyingtong
b204ff74a8
Do not return hash results from component hash() methods
2021-02-17 15:19:34 -07:00
therealyingtong
4aa4b4463a
Hash domain and cs into transcript
2021-02-17 15:19:34 -07:00
therealyingtong
437782e902
Hash fixed_commitments and permutations into transcript
2021-02-17 15:19:33 -07:00
therealyingtong
a19dc68dee
Use Column<Any> in Permutation::Argument
2021-02-17 21:32:17 +08:00
Daira Hopwood
760d69bd2c
Rename "auxiliary column" to "instance column" in the book and in code. fixes #181
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-02-14 21:09:49 +00:00
Sean Bowe
4b960a7c0c
cargo fmt
2021-02-14 09:28:51 -07:00
Jack Grigg
821bca0abe
Reduce FieldExt bound to Field for Neg and Sub impls on Expression<F>
2021-02-12 16:52:42 +00:00
Jack Grigg
db0477a606
impl<F: FieldExt> {Neg, Sub} for Expression<F>
2021-02-01 21:42:57 +00:00
Jack Grigg
0a378c3d0f
Require Circuit::Config implement Clone instead of Copy
2021-02-01 19:05:19 +00:00
Jack Grigg
82da677add
Add name field to ConstraintSystem::create_gate
...
The name has type `&'static str`, as gates apply to every row and thus
do not require any runtime information to name.
2021-02-01 18:38:13 +00:00
Jack Grigg
bf771a7446
Add namespacing and gadget name collection to Layouter
2021-02-01 18:38:04 +00:00
Jack Grigg
60061f64fd
Add name field to Layouter::assign_region
2021-02-01 18:34:24 +00:00
Jack Grigg
4c3adf59d5
Add annotations to Region::{assign_advice, assign_fixed}
...
This enables circuits to annotate individual cells with variable names
or similar protocol-specific metadata.
2021-02-01 18:33:25 +00:00
therealyingtong
ea14d99a83
Renaming and cleanups from code review
...
Co-authored-by: Sean Bowe <ewillbefull@gmail.com>
2021-02-02 00:05:55 +08:00
therealyingtong
a00d7c2fa6
Cleanups from code review
...
Co-authored-by: Kris Nuttycombe <kris.nuttycombe@gmail.com>
Co-authored-by: Sean Bowe <ewillbefull@gmail.com>
2021-01-31 11:48:32 +08:00
therealyingtong
def65609b1
Refactor PLONK verifier
2021-01-31 11:45:40 +08:00
therealyingtong
02b5b8442b
Refactor PLONK prover
2021-01-31 11:45:40 +08:00
ebfull
5f89227cdd
Merge pull request #135 from zcash/serialize-params
...
Serialize params
2021-01-30 11:43:55 -07:00
therealyingtong
faf5da15c9
Track column usage in RegionShape.
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-01-28 10:55:02 +08:00
therealyingtong
ffdd739f85
Only write k in Params; calculate n when reading
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-01-24 08:07:30 +08:00
therealyingtong
e0f9fe1dcf
Clippy fixes + address review comments
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-01-24 08:07:30 +08:00
therealyingtong
58479fbcc3
Refactor keygen to generate pk from vk.
2021-01-24 08:07:30 +08:00
Sean Bowe
ba591c3b39
Add serialization support for PLONK verifying keys.
2021-01-24 08:05:58 +08:00
Sean Bowe
d9d20bfe36
Break out domain creation logic into separate method.
2021-01-24 08:04:13 +08:00
Kris Nuttycombe
74b2aa715f
Require Rotation instead of i32 for relative rows in circuits.
...
Co-authored-by: str4d <thestr4d@gmail.com>
2021-01-14 11:57:32 -07:00
Kris Nuttycombe
483cb1139f
Remove rotations from ConstraintSystem
2021-01-14 11:35:23 -07:00
Sean Bowe
e4dac4f621
clippy: remove unnecessarily explicit lifetimes and return types
2021-01-14 08:53:19 -07:00
Jack Grigg
d95e4e4724
clippy: Remove unnecessary Result
2021-01-14 08:46:25 -07:00
Jack Grigg
95314d0f69
clippy: Add type definitions for complex types
2021-01-14 08:46:23 -07:00
Jack Grigg
75915f67ed
clippy: Small cleanups
2021-01-14 08:43:25 -07:00
Sean Bowe
ec2d8db8cb
Multiopen prover never needed evals to be specified.
...
The Lagrange interpolation we were doing was pointless. kate_division sheds the constant
term off each time it is invoked because the quotient polynomial isn't affected by it.
This means we were modifying coefficients that end up getting discarded anyway; the
quotient polynomial coefficients are already determined exactly by the leading coefficients
and the fact that a root exists at each of the points.
2021-01-13 17:22:32 -07:00
ebfull
ccca639591
Merge pull request #111 from zcash/transcript-api-2
...
New Transcript API (and modified commitment scheme)
2021-01-13 16:50:47 -07:00
Sean Bowe
775151a67d
Change absorb_ to read_ in subprotocols.
2021-01-13 15:47:35 -07:00
Sean Bowe
9a26ef1acd
Refactor the Committed structure.
2021-01-13 15:44:37 -07:00
Jack Grigg
64b06735bf
Expose MockProver in crate, and add documentation
2021-01-06 21:52:56 +00:00
therealyingtong
fb939f17a9
Add permutation check to MockProver
2021-01-06 21:52:56 +00:00
Sean Bowe
c5e0364962
Remove the Read/Write type parameters from Transcript{Read,Write}.
2021-01-06 10:45:11 -07:00
Sean Bowe
4ecbfb548e
Remove unnecessary lifetimes.
2021-01-06 10:45:11 -07:00
Sean Bowe
06552eec44
Update the PLONK implementation to adapt to the new transcript API.
2021-01-06 10:45:11 -07:00
Jack Grigg
f49e1e6177
Fix breakage of trait resolution in Rust 1.49.0
...
Previously, `ChallengeScalar` could use the operator traits defined on
the `F: Field` type it wrapped, due to its `impl Deref<Target = F>`.
This was technically ambiguous, and Rust 1.49.0 makes that ambiguity an
error.
We could fix this by adding operator impls with `ChallengeScalar` on the
RHS, but that would conflict with zcash/halo2#111. Instead we manually
dereference every challenge scalar when used in an arithmetic operation.
2021-01-06 00:48:29 +00:00
Jack Grigg
90c50fdd11
Refactor permutation proofs to reflect the separate permutations
2020-12-22 23:51:32 +00:00
Jack Grigg
62cace289b
Add a few comments to the permutation construction code
...
We mainly point at the design document that describes the algorithm.
2020-12-22 20:25:33 +00:00
Jack Grigg
838d21f2be
Refactor permutation keygen to reflect the separate permutations
2020-12-22 18:11:42 +00:00
Sean Bowe
9df7b5386f
Account more rigorously for the degrees of permutations' and lookups' constraints.
2020-12-22 08:59:08 -07:00
Sean Bowe
65ed1d8568
Check h_evals/h_commitments lengths in vanishing argument verifier.
2020-12-22 08:59:06 -07:00
therealyingtong
8360b94f89
Extract plonk::vanishing::{Argument, Proof} from prover and verifier
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2020-12-08 00:57:14 +08:00
therealyingtong
e5f55a8576
Abstract add_rotation() helper in plonk::circuit
2020-12-06 07:19:44 +08:00
therealyingtong
4273bbb2ba
[Documentation] Consistently use zero-based numbering
2020-12-06 07:10:09 +08:00
ying tong
30c13d5a6a
Further cleanups
...
Co-authored-by: ebfull <ewillbefull@gmail.com>
2020-12-05 13:14:50 +08:00
ying tong
ecc805fa35
Correct privacy of lookup structs + minor cleanups
...
Co-authored-by: str4d <jack@electriccoin.co>
2020-12-04 09:19:15 +08:00
therealyingtong
2284bbd0d8
Deduplicate Argument::commit_permuted() and rename {input,table}_values -> {input,table}_columns
2020-12-03 14:00:16 +08:00
therealyingtong
9a3d1b1d05
Optimisations and documentation updates
2020-12-03 12:54:25 +08:00
therealyingtong
e51ab7eaa7
Linearise state transition from Argument -> Permuted -> Committed
2020-12-03 12:11:00 +08:00
therealyingtong
0a85e93714
Add lookup to circuit and test
2020-12-03 10:50:20 +08:00
therealyingtong
0c81e9adab
Use lookup mod in plonk::prover and plonk::verifier
2020-12-03 10:50:20 +08:00
therealyingtong
19c1b20063
Add lookup::verifier methods
2020-12-03 10:50:20 +08:00
therealyingtong
c692311a12
Add Evaluated::open() and Evaluated::build() to lookup::prover
2020-12-03 10:50:20 +08:00
therealyingtong
6ccf58fc7c
Add Constructed::evaluate() to lookup::prover
2020-12-03 10:50:20 +08:00
therealyingtong
39df4954b5
Add Committed::construct() to lookup::prover
2020-12-03 10:50:20 +08:00
therealyingtong
2d0f4a11e3
Add commit_product() to lookup::prover
2020-12-03 10:50:20 +08:00
therealyingtong
46eed7be93
Add commit_permuted() in lookup::prover
2020-12-03 10:50:20 +08:00
therealyingtong
02344eb711
Add lookup mod and structs
2020-12-03 10:50:20 +08:00
therealyingtong
2ba44cff9f
Add theta challenge
2020-12-03 10:50:20 +08:00
therealyingtong
5d891e029d
Add fixed_values to ProvingKey
2020-12-03 10:50:20 +08:00
Sean Bowe
2e65229920
Remove unnecessary Clone impl from plonk::permutation::prover::Committed.
2020-12-02 09:50:45 -07:00
Jack Grigg
3d6afd7b8e
permutation: Clean up opening chains
2020-12-01 22:09:50 +00:00
Jack Grigg
dd3d1dd68b
Small type annotation cleanups
2020-12-01 21:49:07 +00:00
Jack Grigg
a63e6e25d8
Restrict visibility of PLONK challenges to plonk module
2020-12-01 21:14:14 +00:00
Jack Grigg
7422efca72
s/permutation::Proof::commit/permutation::Argument::commit
...
Once we refactor the permutation argument implementation to be integrated
as Vec<permutation::Proof>, we can change this again to just map from the
Vec<permutation::Argument> inside ConstraintSystem.
2020-12-01 21:10:31 +00:00
Jack Grigg
66240800a3
Move permutation keygen into plonk::permutation::keygen
2020-12-01 21:10:31 +00:00
Jack Grigg
f63f3ff2af
Introduce typed challenge scalars
...
This also centralises the challenge generation logic in Challenge::get,
ensuring it is consistent across the codebase.
2020-12-01 21:09:03 +00:00
Jack Grigg
4a3b830165
Extract permutation argument into a submodule
2020-12-01 21:03:31 +00:00
Jack Grigg
cdbc41148a
Migrate to ff traits
...
The `Field` trait in this crate is now `FieldExt: ff::PrimeField`.
2020-12-01 20:55:03 +00:00
Jack Grigg
875c223748
Simplify h_poly expression evaluation in Proof::create
2020-11-24 23:43:48 +00:00
Jack Grigg
61c9392475
Remove query allocations from Proof::create
...
multiopen::Proof::create takes `instances: IntoIterator`, so we can just
pass it an iterator directly.
2020-11-24 18:25:55 +00:00
Jack Grigg
6360da1f4e
Remove query allocations from Proof::verify
...
multiopen::Proof::verify takes `queries: IntoIterator`, so we can just
pass it an iterator directly.
2020-11-24 18:23:27 +00:00
Jack Grigg
7f29ab913d
Simplify h(x_3) computation in verifier using Horner's rule
...
Closes zcash/halo2#45
2020-11-24 18:18:45 +00:00
Jack Grigg
feba8e2fdf
Allocate permutation_modified_advice once in Proof::create
2020-11-24 18:18:45 +00:00
str4d
cc5f45231d
Merge pull request #42 from zcash/plonk-benches
...
PLONK benchmarks
2020-11-24 18:14:07 +00:00
therealyingtong
3eb6712c6c
Add aux information to metrics
2020-11-24 09:39:34 +08:00
Jack Grigg
d4424db8d4
Collect some prover metrics
2020-11-23 12:47:51 +00:00
therealyingtong
2375507f4f
Update error handling
2020-11-16 21:26:46 +00:00
therealyingtong
43337dea1b
Make Transcript generic over curve points
...
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2020-11-16 21:26:46 +00:00
ebfull
5d1e1a29db
Merge pull request #51 from zcash/update-ci
...
Update Actions CI with improved workflow
2020-11-11 08:52:59 -07:00
ying tong
a856137619
Minor refactors
...
Co-authored-by: str4d <jack@electriccoin.co>
2020-11-11 13:56:34 +08:00
therealyingtong
766caf9214
Make getters for column index() and column_type()
2020-11-10 00:45:52 +08:00
therealyingtong
0519a522aa
Use TryFrom to convert Column<Any> to other column types
2020-11-10 00:39:08 +08:00
therealyingtong
22b6d5bd70
Cleanups in circuit.rs
2020-11-07 14:27:38 +08:00
therealyingtong
34c6cba537
Add generic query_any_index() and get_any_query_index methods
2020-11-06 12:39:51 +08:00
therealyingtong
075988ae4e
Introduce Column struct and ColumnType trait
2020-11-06 11:29:42 +08:00
therealyingtong
2034179d82
Rename wire -> column
2020-11-06 11:18:12 +08:00
Jack Grigg
10676657f4
Fix stable clippy lints
2020-10-30 01:29:05 +00:00
Jack Grigg
5a6a45c6a8
Fix deref breakage with nightly-2020-10-06
...
I think this is related to rust-lang/rust#77638
2020-10-30 01:21:09 +00:00
therealyingtong
24b85dec67
Remove q_evals.len() = rotations.len() check
...
q_evals should now have the same length as point_sets, which is only constructed in the multiopen verifier.
2020-10-14 00:43:48 +08:00
therealyingtong
89fd6e4d44
Use map_err() when handling multiopen::Proof::create()
...
Co-authored-by: Daira Hopwood <daira@electriccoin.co>
2020-10-14 00:35:36 +08:00
therealyingtong
6cd74999ff
Use ProverQuery and construct_intermediate_sets() in prover
2020-10-14 00:35:25 +08:00
therealyingtong
c3d0a172a7
Create multiopen abstraction
2020-10-14 00:35:25 +08:00
Sean Bowe
2ccddac674
Split proof/input length checks into separate method of verifier
2020-09-29 17:35:24 -06:00
Sean Bowe
9672bf9725
Minor improvements to check_hx()
2020-09-29 17:14:37 -06:00
Sean Bowe
7d8daa5d05
Refactor h_eval computation into separate, more functional code.
...
Co-authored-by: str4d <thestr4d@gmail.com>
2020-09-29 16:56:21 -06:00
Sean Bowe
e275d78c7d
Simplify permutations field of ConstraintSystem
...
Co-authored-by: therealyingtong <yingtong@electriccoin.co>
2020-09-29 08:51:00 -06:00
Sean Bowe
c97da352ee
Remove SRS and replace with ProvingKey/VerifyingKey abstractions
...
Co-authored-by: therealyingtong <yingtong@electriccoin.co>
2020-09-29 08:25:04 -06:00
Sean Bowe
56b6d8bd03
Auxiliary wires in PLONK are faux blinded just like fixed wires.
2020-09-25 10:21:15 -06:00
Sean Bowe
2d1f69328f
Rename `OpeningProof` to just `Proof`.
2020-09-25 09:39:32 -06:00
Sean Bowe
a37c926a89
Address clippy lints
2020-09-20 13:09:03 -06:00
Sean Bowe
6620817d81
Return errors from verifier instead of assuming points aren't at infinity in the proof.
2020-09-19 13:47:37 -06:00
Sean Bowe
73d494a72d
Various changes, including restoring permutation argument to advice wires only for now.
2020-09-19 13:31:56 -06:00
therealyingtong
e8839a7579
Refactor wire pattern matching when computing permutation product
2020-09-19 12:39:04 -06:00
therealyingtong
24fe3fae29
Remove aux_commitments computation from Prover; remove blinding factor when accumulator aux_evals
2020-09-19 12:39:04 -06:00
therealyingtong
c772801f8f
Pass aux_lagrange_polys to prover as a slice
2020-09-19 12:39:04 -06:00
therealyingtong
0bdcbb6c67
Introduce Wire enum for use in permutations
2020-09-19 12:39:04 -06:00
therealyingtong
a257308ba2
Add aux wires to ConstraintSystem
2020-09-19 12:39:04 -06:00
therealyingtong
0caf1d2087
Provide aux_commitments to verifier and aux_lagrange_polys to prover
2020-09-19 12:39:04 -06:00
therealyingtong
76c49a4df3
Minor refactor
2020-09-19 23:44:00 +08:00
therealyingtong
33261ec1a0
Recover from OpeningProof::create() failure in PLONK prover
2020-09-19 23:19:30 +08:00
therealyingtong
69a612fb59
Increment blinding factor instead of choosing new random blinding factor
2020-09-19 23:04:17 +08:00
therealyingtong
a6f5d0ad5e
Remove fork from OpeningProof prover; add loop in PLONK prover to try different f_blind values
2020-09-19 16:57:32 +08:00
Sean Bowe
52a85380bc
Rename f_eval to msm_eval.
2020-09-16 13:15:10 -06:00
Sean Bowe
68de5db8c6
Mitigate unnecessary scaling operations in commitment verifier.
2020-09-15 17:42:02 -06:00
Sean Bowe
a886663e05
Incorporate MSM/Guard into PLONK verifier API and arithmetic.
2020-09-15 17:32:39 -06:00
Sean Bowe
643077b150
Rename `ConstraintSystem` to `Assignment`, and `MetaCircuit` to `ConstraintSystem`.
2020-09-13 10:30:02 -06:00
therealyingtong
1eb2a36086
Return MSM from PLONK verifier
2020-09-13 23:10:06 +08:00
therealyingtong
1a52d8f6b8
Add MSM to PLONK verifier signature
2020-09-13 12:32:32 +08:00
therealyingtong
14d1f41e08
Address review comments
2020-09-13 03:03:36 +08:00
therealyingtong
5f1cd6ced2
Only return Guard from OpeningProof.verify()
2020-09-13 00:50:35 +08:00
therealyingtong
d41fcf842b
Modify MSM and Guard structs and methods
2020-09-11 18:57:22 +08:00
therealyingtong
5724706a09
Add MSM and Guard structs in polycommit scheme
2020-09-10 18:51:41 +08:00
Sean Bowe
549232234f
Finish comment on Proof::verify.
2020-09-07 16:34:40 -06:00