Previously `plonk::verify_proof` took an `MSM` as an argument, to enable
batch verification. However, this also required that it take a source of
randomness in order to enforce separation of proofs within a batch. This
made single-proof verification unnecessarily non-deterministic.
We now have a `VerificationStrategy` trait encapsulating the necessary
details, and separate `SingleVerifier` and `BatchVerifier` structs for
the specific variants. Proof verifiers no longer need to create and
manage the `MSM` themselves, and single-proof verifiers no longer need
to supply a source of randomness.
Co-authored-by: Sean Bowe <sean@electriccoin.co>
Previously we were passing through the chunk size and index to each
thread's evaluation context, but this was insufficient for them to
determine whether or not they were processing the final chunk, or if
the final chunk was short. This led to constant and linear term chunks
being created with the full chunk size, even if the last chunk was
short. If this longer-than-short chunk reached the root of the AST, it
triggered a panic in the final `copy_from_slice()`.
The bug was obscured in two ways:
- Currently polynomials always have a power-of-two length, and on CPUs
with power-of-two threads this meant we never produced short chunks.
- The way that subsequent operations like `Ast::Add` were implemented
meant that if a constant or linear term occurred on the right-hand
side of an operation, the longer chunks were masked to the short chunk
length.
We fix this by passing the polynomial length into each thread's context,
so that we can compute the correct length for the final chunk.
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
The type inference algorithm seems to have been simplified,
meaning that the combination of T::from(x.into()) doesn't work anymore.
In any case, the code was also incomprehensible to a human, as it's not clear
by which "route" it does the transformation. It took me a few minutes to
figure out it's a `u64`.
These have been replaced by operations on either `poly::Ast` nodes, or
operations directly on chunks of polynomials within a higher-level
parallelism context.
Addition and scalar multiplication are (currently) still used in various
areas of the prover, so those are left in place.
This saves a bunch of `Clone`s and `Drop`s, which were consuming
significant amounts of time in large circuits (Orchard), which meant we
didn't save as much time as we could :)
This currently matches the first region on the row that matches any
input column, which will result in some mismatches. To fix this, we will
need to track the columns of complex selectors.