178 Commits

Author SHA1 Message Date
Daira Hopwood 0f7299c116
Merge pull request #625 from zcash/region-query-instance
halo2_proofs: Introduce `RegionLayouter::instance_value` method.
2022-10-08 11:18:46 +01:00
Daira Hopwood de76fd48fc
Merge pull request #622 from zcash/patch-mockprover-query_instance
[MockProver] Check for instance values in gate queries.
2022-10-08 11:15:06 +01:00
Daira Hopwood 21a79182ed
Merge pull request #667 from Orbis-Tertius/fix-plonk-test
Don't use `include_bytes!` for `plonk_api` test
2022-10-07 15:14:38 +01:00
ying tong 4d970865cb
[doc] commitment::verifier: verify_proof does not have [-c]G term 2022-10-05 17:57:48 -07:00
Daira Hopwood 6f692c0e53 There is no z' in the lookup argument, only z.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-09-26 20:14:08 +08:00
Las Safin bc10548907
`cargo fmt` 2022-09-23 13:16:49 +00:00
Las Safin 6b3da1fb4b
Don't use `include_bytes!` for `plonk_api` test
The current working directory for a test always seems to be
the root of the crate, hence `./tests/plonk_api_proof.bin` is
always the correct path.
2022-09-23 11:25:37 +00:00
Nalin Bhardwaj fad6201b34 Merge layouter used by cost and graph into one 2022-09-16 16:27:51 +05:30
Nalin Bhardwaj 55d470ffd2 Add row and col count to cost model 2022-09-16 16:27:22 +05:30
ebfull 61a1f63fcb
Merge pull request #623 from zcash/table-col-equality
Allow `enable_equality` on `TableColumn`
2022-09-13 08:03:20 -06:00
ebfull 2bdb369393
Merge pull request #654 from zcash/bug-instances-len
`plonk::prover::create_proof`: Check that `circuits` and `instances` have equal lengths
2022-09-13 08:02:26 -06:00
therealyingtong 76c658b321 [MockProver] Check for instance values in gate queries. 2022-09-13 18:25:21 +08:00
therealyingtong 7ed2a4d529 plonk::prover::create_proof: Return error if circuits and instances have different lengths. 2022-09-13 18:19:45 +08:00
therealyingtong d0bbcda590 plonk::prover: Test proof creation with wrong number of instances.
Currently, create_proof passes even if the number of circuits does
not equal the number of instances.
2022-09-13 18:19:45 +08:00
Jack Grigg ffc8e24fb2 Reduce feature surface of `plotters`
`plotters 0.3.3` updated from `font-kit 0.10.0` to `0.11.0`. This is an
internal dependency and ostensibly wouldn't be a breaking change, except
that `font-kit 0.11.0` added a dependency on `yeslogic-fontconfig-sys`
which has additional system dependency requirements. This had the effect
of breaking compilation in a non-breaking release.

However, `font-kit` is only required for `BitMapBackend`, which is not
part of our public API and is only used by some of the `halo2_gadgets`
tests. So we can avoid affecting our downstream users by disabling the
default-enabled features of `plotters`.
2022-09-12 18:31:04 +00:00
Jack Grigg 7e353115fc halo2_proofs: Remove unused imports 2022-09-12 18:07:18 +00:00
str4d 5d653e5d4e
Merge pull request #649 from zcash/cleanups
Various cleanups
2022-09-12 18:44:45 +01:00
str4d e8cb2e6470
halo2_proofs: Use qualified form of `rustdoc::broken_intra_doc_links`
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2022-09-12 16:43:00 +01:00
Jack Grigg a2c542f70b halo2_proofs: Remove unused clippy lint overrides 2022-09-09 18:20:24 +00:00
Jack Grigg 301bcb3e2d halo2_proofs: Narrow `clippy::upper_case_acronyms` lint override 2022-09-09 18:20:10 +00:00
Jack Grigg 349908d539 halo2_proofs: Narrow `clippy::too_many_arguments` lint override
This enables the lint to show up on new PRs.
2022-09-09 18:15:10 +00:00
Jack Grigg 3cbfd54f77 halo2_proofs: Fix `clippy::assign_op_pattern` lints
The pattern is preserved in one location inside the inner product
argument, where we instead desire to avoid allocations by collapsing
p_prime into itself. Using `+=` here requires both mutable and immutable
borrows simultaneously, and assigning temporaries to avoid this makes
the implementation less clear.
2022-09-09 18:08:40 +00:00
Jack Grigg e65974eb2d halo2_proofs: Remove lint overrides now that MSRV is above 1.51 2022-09-09 17:45:00 +00:00
Jack Grigg f852be62a8 halo2_proofs: Remove unused imports 2022-09-09 17:43:43 +00:00
Jack Grigg 60696a7cfa halo2_proofs: Proxy all `rayon` usage through `halo2_proofs::multicore`
Part of zcash/halo2#648.
2022-09-09 17:36:05 +00:00
Jack Grigg d24f0fd582 halo2_proofs: Add tests for "rotate-and-chunk" APIs 2022-08-25 01:30:23 +00:00
Jack Grigg 5b7b4dd76b Silence clippy lint 2022-08-25 01:07:38 +00:00
Jack Grigg 1d8737e7ab halo2_proofs: Avoid caching rotated polynomials in `poly::Evaluator`
Previously we used the existing `Polynomial::rotate` and
`EvaluationDomain::rotate_extended` APIs to rotate the polynomials we
query at non-zero rotations, and then stored references to the chunks of
each (rotated and unrotated) polynomial as slices. When we reached an
`AstLeaf`, we would then clone the corresponding polynomial chunk.

We now avoid all of this with combined "rotate-and-chunk" APIs, making
use of the observation that a rotation is simply a renumbering of the
indices of the polynomial coefficients. Given that when we reach an
`AstLeaf` we already needed to allocate, these new APIs have the same
number of allocations during AST evaluation, but enable us to completely
avoid caching any information about the rotations or rotated polynomials
ahead of time.
2022-08-25 00:48:51 +00:00
Jack Grigg df61767e02 halo2_proofs: Reduce memory usage of `poly::Evaluator`
`poly::Evaluator` stores all of the polynomials registered with it in
memory for the duration of its existence. When evaluating an AST, it
additionally caches the rotated polynomials in memory, and then chunks
all of the rotated polynomials for parallel evaluation.

Previously, it stored a polynomial for every unique AST leaf, regardless
of whether that leaf required a rotation or not. This resulted in the
unrotated polynomials being stored twice in memory. However, the chunks
simply refer to slices over cached polynomials, so we can reference the
unrotated polynomials stored in `poly::Evaluator` instead of copies of
them stored in the rotated polynomial `HashMap`. This strictly reduces
memory usage during proving with no effect on correctness.
2022-08-23 18:25:39 +00:00
han0110 8ff5b1e3af feat: make `Expression::{Fixed,Advice,Instance}` to wrap their own `Query` struct 2022-07-15 10:33:47 -04:00
therealyingtong 6038b87a1d halo2_proofs: Introduce RegionLayouter::instance_value method.
This allows us to access instance column values within a region.
Previously, this was done only through assign_advice_from_instance.
2022-07-07 17:18:42 -04:00
therealyingtong 28fbc5b4fe Allow enable_equality on TableColumn 2022-07-06 11:29:25 -04:00
Sean Bowe deef0e1416
Place `halo2_proofs::plonk::BatchVerifier` behind a (default enabled) crate feature called `batch`. 2022-06-23 12:51:47 -06:00
Jack Grigg 7a22f3c9b6 halo2_proofs 0.2.0 2022-06-23 17:40:23 +00:00
Jack Grigg 5641a64d3c halo2_proofs: Fix clippy lints 2022-06-23 17:38:11 +00:00
str4d dac6cfb5d7
Merge pull request #610 from zcash/rework-batch-verifier
Rework `halo2_proofs::plonk::BatchVerifier`
2022-06-23 18:15:24 +01:00
Jack Grigg dd94fb95a4 Rework `halo2_proofs::plonk::BatchVerifier`
`BatchVerifier` now manages the entire batch verification process.
Individual proofs are verified on a threadpool, and the resulting MSMs
are then batch-checked as before. The addition of parallelism here
couples with zcash/halo2#608 to make parallelism less fine-grained and
reduce the overhead of multi-threading.
2022-06-23 16:52:08 +00:00
ebfull 7087c33658
Merge pull request #608 from ebfull/msm-optimization
MSM optimizations
2022-06-23 10:49:22 -06:00
Daira Hopwood 2ed70a3f08 Reduce memory overhead of MSM by 64 bytes per "other" base, and add tests.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-06-23 14:15:37 +01:00
Sean Bowe 6b4af24a5f
Deduplicate the extra (scalar, base) pairs in MSMs. 2022-06-22 14:31:00 -06:00
Sean Bowe 6939ac47ab
Remove parallelism from within MSM scalar operations. 2022-06-22 13:41:45 -06:00
Jack Grigg 05f37ee8a6 Cache the constraint system degree in `VerifyingKey`
This means we only compute the degree in a verification context during
construction, instead of twice per proof in the permutation argument.
2022-06-22 19:33:36 +00:00
Jack Grigg 4802936c56 Cache the representative of `VerifyingKey` used in transcripts
This means we only need to `Debug`-format the `PinnedVerificationKey`
once on construction, instead of once per proof.
2022-06-22 19:25:32 +00:00
Jack Grigg 22ec36979c Add `BatchVerifier::finalize_and_return_rng` 2022-06-21 15:04:08 +00:00
str4d 7cb71b4814
Update halo2_proofs/src/circuit/value.rs
Co-authored-by: ying tong <yingtong@z.cash>
2022-06-13 16:41:05 +01:00
Jack Grigg 5752adf0e5 halo2_proofs: `impl {Add, Sub, Mul} for &Value<V>` 2022-06-09 22:44:25 +00:00
Jack Grigg 521d6edd1c halo2_proofs: Make `Value::{known, unknown}` const 2022-06-09 22:40:11 +00:00
Jack Grigg 47f25ad632 halo2_proofs: Replace `Option<V>` with `Value<V>` 2022-06-08 23:03:16 +00:00
Jack Grigg c17d52e5bf halo2_proofs: Add `halo2_proofs::circuit::Value<V>`
This is a more usable and type-safe replacement for `Option<V>` in
circuit synthesis.
2022-06-08 22:29:14 +00:00
Jack Grigg 515f97769f halo2_gadgets: Enable more inversions to be batched during synthesis 2022-06-08 00:50:16 +00:00
Jack Grigg 3bc0c598ef halo2_proofs 0.1.0
Closes zcash/halo2#426.
2022-05-10 22:01:21 +00:00
Jack Grigg 96d4a31d39 halo2_gadgets: Batch inversions in `SinsemillaChip::hash_to_point`
This saves around 3.7% in proving time for a 2-action Orchard bundle on
a Ryzen 9 5950X.
2022-05-08 03:28:34 +00:00
ebfull 6fb622a1fc
Merge pull request #543 from NoCtrlZ/feat/fft-optimization
Optimize Fft
2022-05-05 14:05:13 -06:00
ebfull a1d1371ce3
Merge pull request #563 from parazyd/clone-impls-keys
plonk: Derive Clone for VerifyingKey and ProvingKey.
2022-05-05 13:59:44 -06:00
Taylor Hornby 64e7efb0d4
Merge pull request #542 from zcash/relicense-mit-or-apache-2.0
Relicense Halo 2 crates as MIT OR Apache 2.0
2022-05-05 13:50:45 -06:00
Jack Grigg e04c8bfb4b Migrate to `ff 0.12` 2022-05-04 23:36:18 +00:00
NoCtrlZ 32ed927579 Apply @daira's review suggestion 2022-04-28 09:47:22 +09:00
NoCtrlZ 9a9873a2c5 optimize fft 2022-04-28 09:44:54 +09:00
Jack Grigg f4675997bc Fix some clippy lints 2022-04-27 12:58:16 +00:00
Jack Grigg f830c6f7fb Remove pins for dependencies with MSRV-incompatible point releases 2022-04-27 12:28:19 +00:00
Jack Grigg bb1ed8288a Set edition to 2021
We also set `resolver = "2"` on the workspace; this is the default for
the root package in Rust 2021, but as we use a virtual workspace we need
to explicitly set it instead.
2022-04-27 12:28:19 +00:00
Jack Grigg 7688c371f6 Bump MSRV to 1.56.1
Closes zcash/halo2#482.
2022-04-27 12:24:57 +00:00
parazyd a6d7785ddc
plonk: Derive Clone for VerifyingKey and ProvingKey.
Signed-off-by: parazyd <parazyd@dyne.org>
2022-04-26 14:08:11 +02:00
str4d 66b2b3ba7e
Merge pull request #414 from zcash/constraints-helper
Add a `Constraints` helper
2022-04-22 11:52:06 +02:00
Sean Bowe a02b9e2e7e
Add benchmark for various FFT sizes. 2022-04-20 13:09:58 -06:00
Jack Grigg d93846f8fd Note that `Constraints::with_selector` accepts arrays from 1.53 2022-04-20 10:55:55 +00:00
Jack Grigg 78de8a5c94 Add a `Constraints` helper
There are two existing patterns for constructing a gate from a set of
constraints with a common selector:

- Create an iterator of constraints, where each constraint includes the
  selector:
  ```
  vec![
      ("foo", selector.clone() * foo),
      ("bar", selector.clone() * bar),
      ("baz", selector * bar),
  ]
  ```
  This requires the user to write O(n) `selector.clone()` calls.

- Create an iterator of constraints, and then map the selector in:
  ```
  vec![
      ("foo", foo),
      ("bar", bar),
      ("baz", bar),
  ].into_iter().map(move |(name, poly)| (name, selector.clone() * poly))
  ```
  This looks cleaner overall, but the API is not as intuitive, and it
  is messier when the constraints are named.

The `Constraints` struct provides a third, clearer API:
```
Constraints::with_selector(
    selector,
    vec![
        ("foo", foo),
        ("bar", bar),
        ("baz", bar),
    ],
)
```
This focuses on the structure of the constraints, and handles the
selector application for the user.
2022-04-20 10:55:50 +00:00
str4d 46ba444169
Merge pull request #480 from zcash/477-mockprover-pretty-failures
Add `MockProver::assert_satisfied` with pretty-printed failures
2022-04-20 12:53:16 +02:00
str4d 69c138c25c
Clarify some comments and messages
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2022-04-19 16:04:19 +02:00
str4d 606afb8349
Merge pull request #445 from daira/mockprover-regression
Fix mock prover performance regression for lookup arguments
2022-04-19 14:17:17 +02:00
Daira Hopwood 424a2748d1
Clarify a comment 2022-04-19 12:36:02 +01:00
str4d 221766986b
Merge pull request #532 from zcash/bench-lookup-mockprover
Bench heavily padded lookup in MockProver.
2022-04-18 12:45:30 +02:00
str4d 19b2b3b7e2
Fix clippy lints 2022-04-18 12:25:58 +02:00
ying tong 066bd15d7e
cost-model.rs: Correct lookup required degree calculation. 2022-04-14 16:25:52 +02:00
Jack Grigg 90e671e77c Relicense Halo 2 crates as MIT OR Apache 2.0
See this blog post for details:
    https://electriccoin.co/blog/zero-knowledge-proving-system-halo-now-licensed-under-mit-making-it-available-for-anyone-to-use/
2022-04-07 14:22:49 +00:00
therealyingtong a11cb9796e halo2_proofs 0.1.0-beta.4 2022-04-06 12:24:28 +08:00
Sean Bowe 6a31a0e6a1
Apply @str4d's review suggestions. 2022-04-04 14:07:31 -06:00
Sean Bowe fa069a7455
Use unwrap_or_default() instead of unwrap_or(HashMap::new()) 2022-04-03 10:06:19 -06:00
Sean Bowe fd7e9ddbb0
rustfmt 2022-04-02 15:38:46 -06:00
Sean Bowe 4163b8765a
Reduce depth of AST by special casing the application of Horner's rule.
The existing code will fold together a very deep AST that applies Horner's
rule to each gate in a proof -- which could include multiple circuits and
so for some applications will quickly grow such that when we recursively
descend later during evaluation the stack will easily overflow.

This change special cases the application of Horner's rule to a
"DistributePowers" AST node to keep the tree depth from exploding in size.
2022-04-02 13:13:46 -06:00
Jack Grigg 0946bdb455 dev: Enable `VerifyFailure::Permutation` to point to region offsets 2022-03-30 01:39:50 +00:00
therealyingtong 51d34c12a2 Bench heavily padded lookup in MockProver.
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2022-03-24 22:02:29 +08:00
Jack Grigg 8acd4abfb3 halo2_proofs 0.1.0-beta.3 2022-03-22 19:59:10 +00:00
Jack Grigg e39c8e94d2 Update changelogs 2022-03-22 19:55:53 +00:00
str4d 8abd7b74db
Merge pull request #417 from zcash/fix-assigned-usage
Expand `Assigned<F>` APIs
2022-03-22 19:46:51 +00:00
str4d 642efc1536
Merge pull request #521 from zcash/reconstruct-selectors
Remove selector_map from pinned verification key and remove VerificationKey serialization
2022-03-18 00:14:36 +00:00
Jack Grigg c6b4fcaf34 Fix docs.rs build
The published source code for each package needs to include the required
header file, and the path to that header file needs to be relative to
the package source (not the repository source). We therefore need to
have the header file present in each workspace package.

Closes zcash/halo2#506.
2022-03-17 19:14:11 +00:00
Sean Bowe f46d77763e
Remove logic for reading and writing VerificationKey to/from buffers. 2022-03-16 14:19:33 -06:00
Sean Bowe 819bc3c2f5
Stop placing the selector_map (which is an internal API detail) in the pinned verification key. 2022-03-16 14:19:13 -06:00
Sean Bowe e10f4e1d0e
Add mechanism for generating a new proof in test. 2022-03-16 12:53:04 -06:00
Daira Hopwood b48b032041
Minor simplification 2022-02-16 17:14:41 +00:00
Jack Grigg 57596cab36 dev: Add a custom `VerifyFailure::CellNotAssigned` emitter
The `dev::tests::unassigned_cell` test case, shown via `assert_eq!(err, Ok(()))`:
```
  left: `Err([CellNotAssigned { gate: Gate { index: 0, name: "Equality check" }, region: Region { index: 0, name: "Faulty synthesis" }, gate_offset: 1, column: Column { index: 1, column_type: Advice }, offset: 1 }])`,
 right: `Ok(())`',
```

Via `impl Display for VerifyFailure`:
```
Region 0 ('Faulty synthesis') uses Gate 0 ('Equality check') at offset 1, which requires cell in column Column { index: 1, column_type: Advice } at offset 1 to be assigned.
```

Via `VerifyFailure::emit`:
```
error: cell not assigned
  Cell layout in region 'Faulty synthesis':
    | Offset | A0 | A1 |
    +--------+----+----+
    |    0   | x0 |    |
    |    1   |    |  X | <--{ X marks the spot! 🦜

  Gate 'Equality check' (applied at offset 1) queries these cells.
```
2022-02-16 13:57:53 +00:00
Jack Grigg 369ff521d3 dev: Store gate offset in `VerifyFailure::CellNotAssigned` 2022-02-16 13:57:53 +00:00
Jack Grigg c19a1ade2a dev: Add a custom `VerifyFailure::Lookup` emitter
The `dev::tests::bad_lookup` test case, shown via `assert_eq!(err, Ok(()))`:
```
  left: `Err([Lookup { lookup_index: 0, location: InRegion { region: Region { index: 2, name: "Faulty synthesis" }, offset: 1 } }])`,
 right: `Ok(())`',
```

Via `impl Display for VerifyFailure`:
```
Lookup 0 is not satisfied in Region 2 ('Faulty synthesis') at offset 1
```

Via `VerifyFailure::emit`:
```
error: lookup input does not exist in table
  (L0) ∉ (F0)

  Lookup inputs:
    L0 = x1 * x0 + (1 - x1) * 0x2
    ^
    | Cell layout in region 'Faulty synthesis':
    |   | Offset | A0 | F1 |
    |   +--------+----+----+
    |   |    1   | x0 | x1 | <--{ Lookup inputs queried here
    |
    | Assigned cell values:
    |   x0 = 0x5
    |   x1 = 1
```
2022-02-16 13:56:17 +00:00
Jack Grigg 62eea4c457 dev: Move cell loaders into `dev::util` 2022-02-16 13:56:17 +00:00
Jack Grigg 44e3cf8c61 dev: Move expression stringifier into `dev::failure::emitter` 2022-02-16 13:56:17 +00:00
Jack Grigg 212e3d07ce dev: Move cell layout emitter into a submodule 2022-02-16 13:56:17 +00:00
Jack Grigg 8e1fb87a33 dev: Add a custom `VerifyFailure::ConstraintNotSatisfied` emitter
An example failure, shown via `assert_eq!(err, Ok(()))`:
```
  left: `Err([ConstraintNotSatisfied { constraint: Constraint { gate: Gate { index: 0, name: "R1CS constraint" }, index: 0, name: "buggy R1CS" }, location: InRegion { region: Region { index: 0, name: "Example region" }, offset: 1 }, cell_values: [(VirtualCell { name: "", column: Column { column_type: Advice, index: 0 }, rotation: 0 }, "0x2"), (VirtualCell { name: "", column: Column { column_type: Advice, index: 1 }, rotation: -1 }, "0x4"), (VirtualCell { name: "", column: Column { column_type: Advice, index: 2 }, rotation: 1 }, "0x8")] }])`,
 right: `Ok(())`',
```

Via `impl Display for VerifyFailure`:
```
Constraint 0 ('buggy R1CS') in gate 0 ('R1CS constraint') is not satisfied in Region 0 ('Example region') at offset 1
- Column('Advice', 0)@0 = 0x2
- Column('Advice', 1)@-1 = 0x4
- Column('Advice', 2)@1 = 0x8
```

Via `VerifyFailure::emit`:
```
error: constraint not satisfied
  Cell layout in region 'Example region':
    | Offset | A0 | A1 | A2 |
    +--------+----+----+----+
    |    0   |    | x1 |    |
    |    1   | x0 |    |    | <--{ Gate 'R1CS constraint' applied here
    |    2   |    |    | x2 |

  Constraint 'buggy R1CS':
    S0 * (x0 * x1 + x2) = 0

  Assigned cell values:
    x0 = 0x2
    x1 = 0x4
    x2 = 0x8
```
2022-02-16 13:56:17 +00:00
Jack Grigg 5cdc029bb4 dev: Add `MockProver::assert_satisfied`
This is equivalent to `assert_eq!(mock_prover.verify(), Ok(()))`, but
pretty-prints the verification failures instead of debug-printing them.
In its initial state, it just prints the `Display` impl.
2022-02-16 13:56:17 +00:00
Jack Grigg 0e08903669 dev: Move `VerifyFailure` and `FailureLocation` into submodule 2022-02-16 13:55:29 +00:00