The theta challenge is used in the lookup argument to compress the
input and table expressions. This can be done fully in the
commit_permuted step, after which the original uncompressed
expressions are no longer needed.
Author: Ying Tong Lai <yingtong@z.cash>
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
`BatchVerifier` now manages the entire batch verification process.
Individual proofs are verified on a threadpool, and the resulting MSMs
are then batch-checked as before. The addition of parallelism here
couples with zcash/halo2#608 to make parallelism less fine-grained and
reduce the overhead of multi-threading.
There are two existing patterns for constructing a gate from a set of
constraints with a common selector:
- Create an iterator of constraints, where each constraint includes the
selector:
```
vec![
("foo", selector.clone() * foo),
("bar", selector.clone() * bar),
("baz", selector * bar),
]
```
This requires the user to write O(n) `selector.clone()` calls.
- Create an iterator of constraints, and then map the selector in:
```
vec![
("foo", foo),
("bar", bar),
("baz", bar),
].into_iter().map(move |(name, poly)| (name, selector.clone() * poly))
```
This looks cleaner overall, but the API is not as intuitive, and it
is messier when the constraints are named.
The `Constraints` struct provides a third, clearer API:
```
Constraints::with_selector(
selector,
vec![
("foo", foo),
("bar", bar),
("baz", bar),
],
)
```
This focuses on the structure of the constraints, and handles the
selector application for the user.
The existing code will fold together a very deep AST that applies Horner's
rule to each gate in a proof -- which could include multiple circuits and
so for some applications will quickly grow such that when we recursively
descend later during evaluation the stack will easily overflow.
This change special cases the application of Horner's rule to a
"DistributePowers" AST node to keep the tree depth from exploding in size.
Previously `plonk::verify_proof` took an `MSM` as an argument, to enable
batch verification. However, this also required that it take a source of
randomness in order to enforce separation of proofs within a batch. This
made single-proof verification unnecessarily non-deterministic.
We now have a `VerificationStrategy` trait encapsulating the necessary
details, and separate `SingleVerifier` and `BatchVerifier` structs for
the specific variants. Proof verifiers no longer need to create and
manage the `MSM` themselves, and single-proof verifiers no longer need
to supply a source of randomness.
Co-authored-by: Sean Bowe <sean@electriccoin.co>
In zcash/halo2#383 we altered the bounds on region assignment methods
like `Region::assign_advice` to constrain the value closure's result on
`for<'vr> Assigned<F>: From<&'vr VR>` instead of `VR: Into<Assigned<F>>`.
This had the unintended side-effect that `Assigned<F>` could no longer
be returned from the closure, because we were previously relying on the
implicit `impl From<T> for T` provided by Rust, which no longer fits the
bound. This commit adds the missing from-reference impl to restore
functionality, re-enabling inversion deferrment.