Commit Graph

438 Commits

Author SHA1 Message Date
Sean Bowe 8060a12ea4
Fix minor nit (match ergonomics) 2021-02-17 15:39:46 -07:00
Sean Bowe 2b1c319ba0
Use pretty-printing in test of verification key pinning. 2021-02-17 15:38:43 -07:00
Sean Bowe 2fe4e0d900
Change personalization of BLAKE2b used in hash_into. 2021-02-17 15:20:19 -07:00
Sean Bowe 87536cea10
Use newtypes to simplify Debug implementations for pinning verification keys. 2021-02-17 15:20:19 -07:00
Sean Bowe 2076701fc3
cargo fmt 2021-02-17 15:19:34 -07:00
Sean Bowe 34a5bfd4b1
Remove unused TryInto import. 2021-02-17 15:19:34 -07:00
Sean Bowe 6226426be0
Restore whitespace 2021-02-17 15:19:34 -07:00
ebfull bc9d05e67b
Apply suggestions from code review
Co-authored-by: str4d <jack@electriccoin.co>
2021-02-17 15:19:34 -07:00
Sean Bowe 98f5b17359
Remove unused import 2021-02-17 15:19:34 -07:00
Sean Bowe ea563434f4
Remove hash_into from Rotation. 2021-02-17 15:19:34 -07:00
Sean Bowe dfa7d96fa9
Refactor verification key hashing logic to use Display impls. 2021-02-17 15:19:34 -07:00
therealyingtong f35e190455
Hash in field modulus, curve parameters 2021-02-17 15:19:34 -07:00
therealyingtong 52c028b4da
Disambiguate naming of hash() -> hash_into() 2021-02-17 15:19:34 -07:00
therealyingtong e7d6f67564
Rename aux -> instance after rebasing 2021-02-17 15:19:34 -07:00
therealyingtong b204ff74a8
Do not return hash results from component hash() methods 2021-02-17 15:19:34 -07:00
therealyingtong 4aa4b4463a
Hash domain and cs into transcript 2021-02-17 15:19:34 -07:00
therealyingtong 437782e902
Hash fixed_commitments and permutations into transcript 2021-02-17 15:19:33 -07:00
Jack Grigg 0c4f779993 ff 0.9 2021-02-17 20:42:27 +00:00
ebfull 068babe3d0
Merge pull request #193 from zcash/any-permutation
Allow permutations to be over all column types
2021-02-17 09:06:27 -07:00
therealyingtong a19dc68dee Use Column<Any> in Permutation::Argument 2021-02-17 21:32:17 +08:00
Jack Grigg bea5f7f418 Add gadgets for elliptic curve operations 2021-02-17 00:49:22 +00:00
Jack Grigg 25573bbeb8 Alter the SHA-256 gadget to require namespacing 2021-02-17 00:16:47 +00:00
Jack Grigg 4c5a00b767 SHA-256 gadgets and chip traits 2021-02-15 16:35:58 +00:00
Daira Hopwood 22297bbc89
Merge pull request #185 from daira/aux-to-instance
Rename "auxiliary column" to "instance column" in the book and in code
2021-02-15 15:42:54 +00:00
Sean Bowe 3b954cdd3b
Allow unknown clippy lints so that lints added in nightly don't break CI 2021-02-15 07:53:27 -07:00
Daira Hopwood 760d69bd2c Rename "auxiliary column" to "instance column" in the book and in code. fixes #181
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-02-14 21:09:49 +00:00
Sean Bowe 175c1449d3
Disable clippy::upper_case_acronyms lint. 2021-02-14 09:39:05 -07:00
Sean Bowe 4b960a7c0c
cargo fmt 2021-02-14 09:28:51 -07:00
ebfull 9fc45ad11e
Merge pull request #163 from zcash/region-helpers
Helpers for implementing regions
2021-02-12 10:03:39 -07:00
Jack Grigg 821bca0abe Reduce FieldExt bound to Field for Neg and Sub impls on Expression<F> 2021-02-12 16:52:42 +00:00
Sean Bowe d3cd39fc6d
Add common_scalar method to Transcript. 2021-02-12 09:08:56 -07:00
Jack Grigg 5905230174 Fix stable clippy lints 2021-02-05 16:48:41 +00:00
Jack Grigg 3fc245343e Return results from assigned regions
This makes it easier to pass variables out of a region.
2021-02-01 21:42:57 +00:00
Jack Grigg db0477a606 impl<F: FieldExt> {Neg, Sub} for Expression<F> 2021-02-01 21:42:57 +00:00
Jack Grigg 0a378c3d0f Require Circuit::Config implement Clone instead of Copy 2021-02-01 19:05:19 +00:00
Jack Grigg c95f0b7c0c circuit_layout: Darken the cells of the region that have been assigned to
We record every instance of a cell assignment, so that cells which are
double-assigned (which is usually a mistake) will appear darker.
2021-02-01 18:38:22 +00:00
Jack Grigg 3c1132ec59 Add halo2::dev::circuit_layout behind dev-graph feature flag
This method renders circuits as tables, showing how the various regions
within them have been laid out.
2021-02-01 18:38:20 +00:00
Jack Grigg 7dd6e65a5f Add halo2::dev::circuit_dot_graph behind dev-graph feature flag
This method renders circuits as dot graphs, to help circuit developers
understand their structure.
2021-02-01 18:38:16 +00:00
Jack Grigg 82da677add Add name field to ConstraintSystem::create_gate
The name has type `&'static str`, as gates apply to every row and thus
do not require any runtime information to name.
2021-02-01 18:38:13 +00:00
Jack Grigg bf771a7446 Add namespacing and gadget name collection to Layouter 2021-02-01 18:38:04 +00:00
Jack Grigg 60061f64fd Add name field to Layouter::assign_region 2021-02-01 18:34:24 +00:00
Jack Grigg 4c3adf59d5 Add annotations to Region::{assign_advice, assign_fixed}
This enables circuits to annotate individual cells with variable names
or similar protocol-specific metadata.
2021-02-01 18:33:25 +00:00
therealyingtong 48bfea9782 Replace DummyHash with BLAKE2b 2021-02-02 00:53:53 +08:00
therealyingtong ea14d99a83 Renaming and cleanups from code review
Co-authored-by: Sean Bowe <ewillbefull@gmail.com>
2021-02-02 00:05:55 +08:00
therealyingtong a00d7c2fa6 Cleanups from code review
Co-authored-by: Kris Nuttycombe <kris.nuttycombe@gmail.com>
Co-authored-by: Sean Bowe <ewillbefull@gmail.com>
2021-01-31 11:48:32 +08:00
therealyingtong de86391f0e Update test to pass multiple ConcreteCircuits 2021-01-31 11:48:32 +08:00
therealyingtong def65609b1 Refactor PLONK verifier 2021-01-31 11:45:40 +08:00
therealyingtong 02b5b8442b Refactor PLONK prover 2021-01-31 11:45:40 +08:00
ebfull 5f89227cdd
Merge pull request #135 from zcash/serialize-params
Serialize params
2021-01-30 11:43:55 -07:00
str4d 7448f9b930
Merge pull request #156 from zcash/clippy-fixes
Clippy lint fixes
2021-01-30 13:14:46 +13:00
Jack Grigg 8b2082877e Remove unnecessary let bindings 2021-01-29 23:43:13 +00:00
therealyingtong 2255fbec8b Make RegionShape struct public 2021-01-28 10:55:17 +08:00
therealyingtong faf5da15c9 Track column usage in RegionShape.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-01-28 10:55:02 +08:00
therealyingtong ffdd739f85 Only write k in Params; calculate n when reading
Co-authored-by: Jack Grigg <jack@electriccoin.co>
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
2021-01-24 08:07:30 +08:00
therealyingtong e0f9fe1dcf Clippy fixes + address review comments
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-01-24 08:07:30 +08:00
therealyingtong 58479fbcc3 Refactor keygen to generate pk from vk. 2021-01-24 08:07:30 +08:00
therealyingtong b9737ada93 Add serialization support for polycommit Params. 2021-01-24 08:05:58 +08:00
Sean Bowe ba591c3b39 Add serialization support for PLONK verifying keys. 2021-01-24 08:05:58 +08:00
Sean Bowe a0d7998785 Add implementations of read/write to CurveAffine and FieldExt. 2021-01-24 08:05:58 +08:00
Sean Bowe d9d20bfe36 Break out domain creation logic into separate method. 2021-01-24 08:04:13 +08:00
str4d 963a91464a
Merge pull request #120 from daira/sqrt_ratio
Add sqrt_ratio implementation.
2021-01-24 07:58:14 +13:00
Daira Hopwood c7a12ee178
Add documentation of perfect hash parameters. 2021-01-17 02:24:09 +00:00
Daira Hopwood adc3c9c2ea
Fix incorrect variable name in a comment.
Co-authored-by: str4d <thestr4d@gmail.com>
2021-01-17 01:52:49 +00:00
Kris Nuttycombe 94dd9cc421 Fix doctests. 2021-01-14 13:31:48 -07:00
Kris Nuttycombe 74b2aa715f Require Rotation instead of i32 for relative rows in circuits.
Co-authored-by: str4d <thestr4d@gmail.com>
2021-01-14 11:57:32 -07:00
Kris Nuttycombe 483cb1139f Remove rotations from ConstraintSystem 2021-01-14 11:35:23 -07:00
Sean Bowe e4dac4f621
clippy: remove unnecessarily explicit lifetimes and return types 2021-01-14 08:53:19 -07:00
Jack Grigg d95e4e4724
clippy: Remove unnecessary Result 2021-01-14 08:46:25 -07:00
Jack Grigg ec8c925587
doc: Fix broken intra-doc link 2021-01-14 08:46:25 -07:00
Jack Grigg 95314d0f69
clippy: Add type definitions for complex types 2021-01-14 08:46:23 -07:00
Jack Grigg 75915f67ed
clippy: Small cleanups 2021-01-14 08:43:25 -07:00
Jack Grigg 6dd7595438
clippy: Remove useless actions
- Dropping a reference does nothing.
- Dropping a Copy type drops a copy.
- No need to clone the last usage of a variable.
2021-01-14 08:43:25 -07:00
Jack Grigg 6983bd1bbc
clippy: Use Option::ok_or_else to construct errors from functions 2021-01-14 08:43:25 -07:00
Daira Hopwood 288a21ef1e Replace the Tonelli-Shanks sqrt algorithm with the table-based one.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-01-14 02:34:43 +00:00
Daira Hopwood c5e48fdd06 Address @ebfull's review comments.
Co-authored-by: Sean Bowe <sean@electriccoin.co>
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-01-14 02:34:43 +00:00
Daira Hopwood af9834d68c Implement `sqrt_alt`, a more efficient way of doing `sqrt_ratio(num, one())`.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-01-14 02:34:43 +00:00
Daira Hopwood 806748fbc4 Use addition chains for powering by (T-1)/2.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-01-14 02:34:43 +00:00
Daira Hopwood 227025b7b3 Avoid exposing implementation details of the square root implementation.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-01-14 02:34:43 +00:00
Daira Hopwood e13ee2c8ff Add sqrt_ratio implementation.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-01-14 02:34:43 +00:00
Sean Bowe ec2d8db8cb
Multiopen prover never needed evals to be specified.
The Lagrange interpolation we were doing was pointless. kate_division sheds the constant
term off each time it is invoked because the quotient polynomial isn't affected by it.
This means we were modifying coefficients that end up getting discarded anyway; the
quotient polynomial coefficients are already determined exactly by the leading coefficients
and the fact that a root exists at each of the points.
2021-01-13 17:22:32 -07:00
ebfull ccca639591
Merge pull request #111 from zcash/transcript-api-2
New Transcript API (and modified commitment scheme)
2021-01-13 16:50:47 -07:00
Sean Bowe 1f510016d8
Simplifications to some logic.
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2021-01-13 15:51:48 -07:00
Sean Bowe 775151a67d
Change absorb_ to read_ in subprotocols. 2021-01-13 15:47:35 -07:00
Sean Bowe 9a26ef1acd
Refactor the Committed structure. 2021-01-13 15:44:37 -07:00
Sean Bowe cc6b0bb7f2
Rename blind to \xi for consistency. 2021-01-13 15:24:44 -07:00
Sean Bowe 47d021ceb3
Add reference to issue in TODO comment. 2021-01-13 08:41:14 -07:00
ebfull 1e4b449934
Merge pull request #125 from zcash/circuit-traits
Circuit component traits
2021-01-12 09:23:21 -07:00
Sean Bowe e1a772d6e1
Remove transcript forking API. 2021-01-12 07:40:31 -07:00
Sean Bowe f308eb969c
Remove deterministic square root calculation as it's no longer needed. 2021-01-12 07:40:26 -07:00
Sean Bowe 98c1d80c90
Avoid square challenges and forking in inner product argument
This modifies the scheme to be almost identical to the construction
outlined in Appendix A.2 of "Proof-Carrying Data from Accumulation
Schemes" (https://eprint.iacr.org/2020/499). The only remaining
difference is that we do not compute [v] U but instead subtract
[v] G_0 from the commitment before opening.
2021-01-12 07:40:20 -07:00
Jack Grigg d94e9b3daf Remove unnecessary trailing semicolon 2021-01-08 02:22:16 +00:00
Jack Grigg f24b60b5b0 Add a placeholder module for gadgets 2021-01-08 01:55:10 +00:00
Jack Grigg 7e2406cc77 Implement a simple single-chip layouter 2021-01-08 01:54:44 +00:00
Jack Grigg 17da891b25 General traits and structs for implementing circuits 2021-01-08 01:54:18 +00:00
Jack Grigg 08da49353e Fix clippy lints in MockProver 2021-01-07 12:42:04 +00:00
Jack Grigg 8590211585 Remove unnecessary parts from MockProver per review comments 2021-01-06 21:52:56 +00:00
Jack Grigg 49f1598c0e Add example to MockProver documentation
Also fixes a bug in MockProver::verify (which was exposing an internal
implementation detail as an incorrect row numbering).
2021-01-06 21:52:56 +00:00
Jack Grigg 64b06735bf Expose MockProver in crate, and add documentation 2021-01-06 21:52:56 +00:00
therealyingtong fb939f17a9 Add permutation check to MockProver 2021-01-06 21:52:56 +00:00
Jack Grigg 6eebf3994b Add MockProver for developing circuits 2021-01-06 21:52:56 +00:00
Sean Bowe c8dedf2ec3
Fix challenge multiplications as per #119. 2021-01-06 10:47:06 -07:00
Sean Bowe c5e0364962
Remove the Read/Write type parameters from Transcript{Read,Write}. 2021-01-06 10:45:11 -07:00
Sean Bowe dff5a3a692
Generate the URS using a homebrew mixture of blake2b and try-and-increment. 2021-01-06 10:45:11 -07:00
Sean Bowe a2999accb5
Rename DummyHash{Reader,Writer} to DummyHash{Read,Write}. 2021-01-06 10:45:11 -07:00
Sean Bowe 7ffd28a1b5
Remove unnecessary separate msm from commitment::verify_proof. 2021-01-06 10:45:11 -07:00
Sean Bowe 4ecbfb548e
Remove unnecessary lifetimes. 2021-01-06 10:45:11 -07:00
Sean Bowe 06552eec44
Update the PLONK implementation to adapt to the new transcript API. 2021-01-06 10:45:11 -07:00
Sean Bowe 5be7d9525d
Update multiopen APIs to reflect changes made to Transcript APIs 2021-01-06 10:45:10 -07:00
Sean Bowe d30c6b62e4
Modification of the polynomial commitment scheme to compensate for Transcript API changes. 2021-01-06 10:40:26 -07:00
Sean Bowe fb232ddec0
Change API for dealing with transcripts to integrate proof reading/writing. 2021-01-06 10:39:11 -07:00
Jack Grigg f49e1e6177 Fix breakage of trait resolution in Rust 1.49.0
Previously, `ChallengeScalar` could use the operator traits defined on
the `F: Field` type it wrapped, due to its `impl Deref<Target = F>`.
This was technically ambiguous, and Rust 1.49.0 makes that ambiguity an
error.

We could fix this by adding operator impls with `ChallengeScalar` on the
RHS, but that would conflict with zcash/halo2#111. Instead we manually
dereference every challenge scalar when used in an arithmetic operation.
2021-01-06 00:48:29 +00:00
Jack Grigg 90c50fdd11 Refactor permutation proofs to reflect the separate permutations 2020-12-22 23:51:32 +00:00
Jack Grigg 62cace289b Add a few comments to the permutation construction code
We mainly point at the design document that describes the algorithm.
2020-12-22 20:25:33 +00:00
Jack Grigg 838d21f2be Refactor permutation keygen to reflect the separate permutations 2020-12-22 18:11:42 +00:00
Sean Bowe 9df7b5386f
Account more rigorously for the degrees of permutations' and lookups' constraints. 2020-12-22 08:59:08 -07:00
Sean Bowe 65ed1d8568
Check h_evals/h_commitments lengths in vanishing argument verifier. 2020-12-22 08:59:06 -07:00
Jack Grigg 8389389d37 model: metrics 0.13.0-alpha.13 2020-12-22 12:27:36 +00:00
Sean Bowe c25b7e7d09
cargo fmt 2020-12-13 10:37:32 -07:00
ebfull 7c0e56a44e
Merge pull request #84 from zcash/pasta-curves
Replace Tweedle curves with Pasta curves
2020-12-13 08:51:52 -07:00
Sean Bowe 1c0daa5478
Add leading zeroes to hex in some constants. 2020-12-11 13:25:18 -07:00
ebfull 0101014268
Use constants where applicable in field implementations
Co-authored-by: str4d <jack@electriccoin.co>
2020-12-11 11:54:32 -07:00
therealyingtong 8360b94f89 Extract plonk::vanishing::{Argument, Proof} from prover and verifier
Co-authored-by: Jack Grigg <jack@electriccoin.co>
2020-12-08 00:57:14 +08:00
Sean Bowe 81345e0cf1
Change ZETA constant of Fp to make it consistent with the endomorphism over Fq. 2020-12-07 09:42:33 -07:00
therealyingtong e5f55a8576 Abstract add_rotation() helper in plonk::circuit 2020-12-06 07:19:44 +08:00
therealyingtong 4273bbb2ba [Documentation] Consistently use zero-based numbering 2020-12-06 07:10:09 +08:00
ying tong 30c13d5a6a Further cleanups
Co-authored-by: ebfull <ewillbefull@gmail.com>
2020-12-05 13:14:50 +08:00
Sean Bowe e7c4213537
Remove duplicative from_bytes_wide method in fq.rs; it already exists in the trait impl for FieldExt. 2020-12-04 17:22:02 -07:00
Sean Bowe 3b91899a19
Make comment consistent between fq.rs / fp.rs 2020-12-04 15:01:44 -07:00
ying tong ecc805fa35 Correct privacy of lookup structs + minor cleanups
Co-authored-by: str4d <jack@electriccoin.co>
2020-12-04 09:19:15 +08:00
Sean Bowe 6c0e6f7348
cargo fmt 2020-12-03 13:59:17 -07:00
Sean Bowe 95e41fcfcf
Rename curves to Pallas/Vesta (Pasta). 2020-12-03 13:47:47 -07:00
Sean Bowe 7536af8b69
Implement Fp/Fq for the Pallas and Vesta curves.
Co-authored-by: Kris Nuttycombe <kris@electriccoin.co>
2020-12-03 13:46:13 -07:00
therealyingtong 2284bbd0d8 Deduplicate Argument::commit_permuted() and rename {input,table}_values -> {input,table}_columns 2020-12-03 14:00:16 +08:00
therealyingtong 9a3d1b1d05 Optimisations and documentation updates 2020-12-03 12:54:25 +08:00
therealyingtong e51ab7eaa7 Linearise state transition from Argument -> Permuted -> Committed 2020-12-03 12:11:00 +08:00
therealyingtong 0a85e93714 Add lookup to circuit and test 2020-12-03 10:50:20 +08:00
therealyingtong 0c81e9adab Use lookup mod in plonk::prover and plonk::verifier 2020-12-03 10:50:20 +08:00
therealyingtong 19c1b20063 Add lookup::verifier methods 2020-12-03 10:50:20 +08:00
therealyingtong c692311a12 Add Evaluated::open() and Evaluated::build() to lookup::prover 2020-12-03 10:50:20 +08:00
therealyingtong 6ccf58fc7c Add Constructed::evaluate() to lookup::prover 2020-12-03 10:50:20 +08:00
therealyingtong 39df4954b5 Add Committed::construct() to lookup::prover 2020-12-03 10:50:20 +08:00
therealyingtong 2d0f4a11e3 Add commit_product() to lookup::prover 2020-12-03 10:50:20 +08:00
therealyingtong 46eed7be93 Add commit_permuted() in lookup::prover 2020-12-03 10:50:20 +08:00
therealyingtong 02344eb711 Add lookup mod and structs 2020-12-03 10:50:20 +08:00
therealyingtong 2ba44cff9f Add theta challenge 2020-12-03 10:50:20 +08:00
therealyingtong 5d891e029d Add fixed_values to ProvingKey 2020-12-03 10:50:20 +08:00
Sean Bowe 2e65229920
Remove unnecessary Clone impl from plonk::permutation::prover::Committed. 2020-12-02 09:50:45 -07:00
Jack Grigg 4d4c79be58 Move Challenge and ChallengeScalar into the transcript module 2020-12-01 22:40:54 +00:00
Jack Grigg 2e6ca274a4 Fix challenge types in poly::multiopen and poly::commitment
The argument to the poly::commitment prover and verifier was mistakenly
represented as a challenge, when in fact the commitments may be opened at
any scalar (which just happens to be a challenge within poly::multiopen).

The poly::commitment APIs are now public again.
2020-12-01 22:34:18 +00:00
Jack Grigg 3d6afd7b8e permutation: Clean up opening chains 2020-12-01 22:09:50 +00:00