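//! This module provides an implementation of a variant of (Turbo)[PLONK][plonk]
//! that is designed specifically for the polynomial commitment scheme described
//! in the [Halo][halo] paper.
//!
//! [halo]: https://eprint.iacr.org/2019/1021
//! [plonk]: https://eprint.iacr.org/2019/953

use crate::arithmetic::CurveAffine;
use crate::poly::{
    commitment::OpeningProof, Coeff, EvaluationDomain, ExtendedLagrangeCoeff, LagrangeCoeff,
    Polynomial,
};
use crate::transcript::Hasher;

mod circuit;
mod prover;
mod srs;
mod verifier;

pub use circuit::*;
pub use prover::*;
pub use srs::*;
pub use verifier::*;

// NOTE(review): the generic parameter lists of the items below were lost when
// this file was extracted (every `<...>` span was dropped, e.g. `Vec<C>` became
// `Vec`, `hash_point<C, H>(` became `hash_point>(`). They are reconstructed
// here from the import list, the surviving `C`/`F`/`FF`/`H` identifiers and the
// remaining `>` fragments — confirm against the upstream file before relying on
// them.

/// This is a structured reference string (SRS) that is (deterministically)
/// computed from a specific circuit and parameters for the polynomial
/// commitment scheme.
///
/// Because it is a deterministic function of the circuit and the commitment
/// parameters, a verifier can regenerate it locally instead of trusting one
/// supplied alongside a proof.
#[derive(Debug)]
pub struct SRS<C: CurveAffine> {
    domain: EvaluationDomain<C::Scalar>,
    // Presumably the first Lagrange basis polynomial over the extended domain —
    // only the name and the import list say so; verify in srs.rs.
    l0: Polynomial<C::Scalar, ExtendedLagrangeCoeff>,
    fixed_commitments: Vec<C>,
    fixed_polys: Vec<Polynomial<C::Scalar, Coeff>>,
    fixed_cosets: Vec<Polynomial<C::Scalar, ExtendedLagrangeCoeff>>,
    permutation_commitments: Vec<Vec<C>>,
    permutations: Vec<Vec<Polynomial<C::Scalar, LagrangeCoeff>>>,
    permutation_polys: Vec<Vec<Polynomial<C::Scalar, Coeff>>>,
    permutation_cosets: Vec<Vec<Polynomial<C::Scalar, ExtendedLagrangeCoeff>>>,
    cs: ConstraintSystem<C::Scalar>,
}

/// This is an object which represents a (Turbo)PLONK proof.
// This structure must never allow points at infinity. The identity has no
// affine coordinates, so it cannot be absorbed into the transcript by
// `hash_point` below; a proof carrying one must be rejected, not skipped
// over, or prover and verifier would derive challenges from different
// transcripts.
#[derive(Debug, Clone)]
pub struct Proof<C: CurveAffine> {
    advice_commitments: Vec<C>,
    h_commitments: Vec<C>,
    permutation_product_commitments: Vec<C>,
    permutation_product_evals: Vec<C::Scalar>,
    permutation_product_inv_evals: Vec<C::Scalar>,
    permutation_evals: Vec<Vec<C::Scalar>>,
    advice_evals: Vec<C::Scalar>,
    fixed_evals: Vec<C::Scalar>,
    h_evals: Vec<C::Scalar>,
    f_commitment: C,
    q_evals: Vec<C::Scalar>,
    opening: OpeningProof<C>,
}

/// This is an error that could occur during proving or circuit synthesis.
// TODO: these errors need to be cleaned up
#[derive(Debug)]
pub enum Error {
    /// This is an error that can occur during synthesis of the circuit, for
    /// example, when the witness is not present.
    SynthesisError,
    /// The structured reference string or the parameters are not compatible
    /// with the circuit being synthesized.
    IncompatibleParams,
    /// The constraint system is not satisfied.
    ConstraintSystemFailure,
    /// Out of bounds index passed to a backend
    BoundsFailure,
    /// Opening error
    OpeningError,
}

/// Absorbs the affine coordinates of `point` into `transcript`.
///
/// # Errors
///
/// Returns [`Error::SynthesisError`] when `point` is the point at infinity,
/// which has no `(x, y)` representation to absorb. Failing loudly here (rather
/// than absorbing nothing) keeps the transcript a function of every commitment
/// the proof claims to contain.
fn hash_point<C: CurveAffine, H: Hasher<C::Base>>(
    transcript: &mut H,
    point: &C,
) -> Result<(), Error> {
    let tmp = point.get_xy();
    // `is_none()` evidently does not return a plain `bool` here (likely a
    // constant-time choice type), hence the explicit `bool::from` before the
    // branch.
    if bool::from(tmp.is_none()) {
        return Err(Error::SynthesisError);
    };
    let tmp = tmp.unwrap();
    transcript.absorb(tmp.0);
    transcript.absorb(tmp.1);
    Ok(())
}

#[test]
fn test_proving() {
    use crate::arithmetic::{EqAffine, Field, Fp, Fq};
    use crate::poly::commitment::Params;
    use crate::transcript::DummyHash;
    use std::marker::PhantomData;

    const K: u32 = 5;

    /// This represents an advice wire at a certain row in the ConstraintSystem
    #[derive(Copy, Clone, Debug)]
    pub struct Variable(AdviceWire, usize);

    // Initialize the polynomial commitment parameters.
    // `DummyHash` is used as the transcript hasher throughout this test; its
    // name suggests a test stand-in, so this test exercises the proving and
    // verifying machinery, not the soundness of the Fiat-Shamir transcript.
    let params: Params<EqAffine> = Params::new::<DummyHash<Fq>>(K);

    struct PLONKConfig {
        a: AdviceWire,
        b: AdviceWire,
        c: AdviceWire,
        d: AdviceWire,
        e: AdviceWire,

        sa: FixedWire,
        sb: FixedWire,
        sc: FixedWire,
        sm: FixedWire,

        perm: usize,
        perm2: usize,
    }

    /// A minimal "standard PLONK" gate interface: multiply, add, and copy
    /// constraints over the `(a, b, c)` wires of a row.
    trait StandardCS<FF: Field> {
        fn raw_multiply<F>(&mut self, f: F) -> Result<(Variable, Variable, Variable), Error>
        where
            F: FnOnce() -> Result<(FF, FF, FF), Error>;
        fn raw_add<F>(&mut self, f: F) -> Result<(Variable, Variable, Variable), Error>
        where
            F: FnOnce() -> Result<(FF, FF, FF), Error>;
        fn copy(&mut self, a: Variable, b: Variable) -> Result<(), Error>;
    }

    /// The circuit under test; `a` is `None` when only the circuit *shape* is
    /// being synthesized (SRS generation), `Some` when proving.
    struct MyCircuit<F: Field> {
        a: Option<F>,
    }

    struct StandardPLONK<'a, F: Field, CS: Assignment<F> + 'a> {
        cs: &'a mut CS,
        config: PLONKConfig,
        // Next free row; each `raw_*` call consumes one.
        current_gate: usize,
        _marker: PhantomData<F>,
    }

    impl<'a, FF: Field, CS: Assignment<FF>> StandardPLONK<'a, FF, CS> {
        fn new(cs: &'a mut CS, config: PLONKConfig) -> Self {
            StandardPLONK {
                cs,
                config,
                current_gate: 0,
                _marker: PhantomData,
            }
        }
    }

    impl<'a, FF: Field, CS: Assignment<FF>> StandardCS<FF> for StandardPLONK<'a, FF, CS> {
        /// Allocates one row with selectors `sm = sc = 1`, `sa = sb = 0`, so the
        /// gate enforces `a * b - c = 0` for the witnessed `(a, b, c)`.
        fn raw_multiply<F>(&mut self, f: F) -> Result<(Variable, Variable, Variable), Error>
        where
            F: FnOnce() -> Result<(FF, FF, FF), Error>,
        {
            let index = self.current_gate;
            self.current_gate += 1;
            // `f` is evaluated once, inside the first assignment closure; the
            // later closures re-read the cached tuple.
            let mut value = None;
            self.cs.assign_advice(self.config.a, index, || {
                value = Some(f()?);
                Ok(value.ok_or(Error::SynthesisError)?.0)
            })?;
            // `d` and `e` only feed the `sf * (d * e)` term of the gate, and
            // `sf` is never assigned by this circuit (so it stays zero); these
            // values are filler that exercise the row-offset queries.
            self.cs.assign_advice(self.config.d, index, || {
                Ok(value.ok_or(Error::SynthesisError)?.0.square().square())
            })?;
            self.cs.assign_advice(self.config.b, index, || {
                Ok(value.ok_or(Error::SynthesisError)?.1)
            })?;
            self.cs.assign_advice(self.config.e, index, || {
                Ok(value.ok_or(Error::SynthesisError)?.1.square().square())
            })?;
            self.cs.assign_advice(self.config.c, index, || {
                Ok(value.ok_or(Error::SynthesisError)?.2)
            })?;
            self.cs
                .assign_fixed(self.config.sa, index, || Ok(FF::zero()))?;
            self.cs
                .assign_fixed(self.config.sb, index, || Ok(FF::zero()))?;
            self.cs
                .assign_fixed(self.config.sc, index, || Ok(FF::one()))?;
            self.cs
                .assign_fixed(self.config.sm, index, || Ok(FF::one()))?;
            Ok((
                Variable(self.config.a, index),
                Variable(self.config.b, index),
                Variable(self.config.c, index),
            ))
        }

        /// Allocates one row with selectors `sa = sb = sc = 1`, `sm = 0`, so the
        /// gate enforces `a + b - c = 0` for the witnessed `(a, b, c)`.
        fn raw_add<F>(&mut self, f: F) -> Result<(Variable, Variable, Variable), Error>
        where
            F: FnOnce() -> Result<(FF, FF, FF), Error>,
        {
            let index = self.current_gate;
            self.current_gate += 1;
            let mut value = None;
            self.cs.assign_advice(self.config.a, index, || {
                value = Some(f()?);
                Ok(value.ok_or(Error::SynthesisError)?.0)
            })?;
            // See `raw_multiply`: `d`/`e` are filler behind the unassigned `sf`.
            self.cs.assign_advice(self.config.d, index, || {
                Ok(value.ok_or(Error::SynthesisError)?.0.square().square())
            })?;
            self.cs.assign_advice(self.config.b, index, || {
                Ok(value.ok_or(Error::SynthesisError)?.1)
            })?;
            self.cs.assign_advice(self.config.e, index, || {
                Ok(value.ok_or(Error::SynthesisError)?.1.square().square())
            })?;
            self.cs.assign_advice(self.config.c, index, || {
                Ok(value.ok_or(Error::SynthesisError)?.2)
            })?;
            self.cs
                .assign_fixed(self.config.sa, index, || Ok(FF::one()))?;
            self.cs
                .assign_fixed(self.config.sb, index, || Ok(FF::one()))?;
            self.cs
                .assign_fixed(self.config.sc, index, || Ok(FF::one()))?;
            self.cs
                .assign_fixed(self.config.sm, index, || Ok(FF::zero()))?;
            Ok((
                Variable(self.config.a, index),
                Variable(self.config.b, index),
                Variable(self.config.c, index),
            ))
        }

        /// Records an equality constraint between two cells in both permutation
        /// arguments. Only `a`, `b` and `c` participate in the permutations
        /// (see `configure`), so a `Variable` on any other wire is a bug in the
        /// caller, hence `unreachable!`.
        fn copy(&mut self, left: Variable, right: Variable) -> Result<(), Error> {
            let left_wire = match left.0 {
                x if x == self.config.a => 0,
                x if x == self.config.b => 1,
                x if x == self.config.c => 2,
                _ => unreachable!(),
            };
            let right_wire = match right.0 {
                x if x == self.config.a => 0,
                x if x == self.config.b => 1,
                x if x == self.config.c => 2,
                _ => unreachable!(),
            };

            self.cs
                .copy(self.config.perm, left_wire, left.1, right_wire, right.1)?;
            self.cs
                .copy(self.config.perm2, left_wire, left.1, right_wire, right.1)
        }
    }

    impl<F: Field> Circuit<F> for MyCircuit<F> {
        type Config = PLONKConfig;

        /// Lays out five advice wires, five fixed wires, two identical
        /// permutations over `(a, b, c)`, and a single gate
        /// `a*sa + b*sb + a*b*sm - c*sc + sf*(d[+1]*e[-1])`.
        /// Note that `sf` is queried by the gate but is not part of
        /// `PLONKConfig`, so `synthesize` can never assign it.
        fn configure(meta: &mut ConstraintSystem<F>) -> PLONKConfig {
            let e = meta.advice_wire();
            let a = meta.advice_wire();
            let b = meta.advice_wire();
            let sf = meta.fixed_wire();
            let c = meta.advice_wire();
            let d = meta.advice_wire();

            let perm = meta.permutation(&[a, b, c]);
            let perm2 = meta.permutation(&[a, b, c]);

            let sm = meta.fixed_wire();
            let sa = meta.fixed_wire();
            let sb = meta.fixed_wire();
            let sc = meta.fixed_wire();

            meta.create_gate(|meta| {
                // `d` is read from the next row and `e` from the previous one;
                // the other queries are on the current row.
                let d = meta.query_advice(d, 1);
                let a = meta.query_advice(a, 0);
                let sf = meta.query_fixed(sf, 0);
                let e = meta.query_advice(e, -1);
                let b = meta.query_advice(b, 0);
                let c = meta.query_advice(c, 0);

                let sa = meta.query_fixed(sa, 0);
                let sb = meta.query_fixed(sb, 0);
                let sc = meta.query_fixed(sc, 0);
                let sm = meta.query_fixed(sm, 0);

                a.clone() * sa
                    + b.clone() * sb
                    + a * b * sm
                    + (c * sc * (-F::one()))
                    + sf * (d * e)
            });

            PLONKConfig {
                a,
                b,
                c,
                d,
                e,
                sa,
                sb,
                sc,
                sm,
                perm,
                perm2,
            }
        }

        /// Ten times: constrain `c0 = a * a`, then `c1 = a + a^2`, and tie the
        /// rows together with copies (`a0 == a1`, `b1 == c0`).
        ///
        /// # Errors
        ///
        /// `Error::SynthesisError` when `self.a` is `None` and a witness value
        /// is demanded (the SRS-generation pass never demands one).
        fn synthesize(
            &self,
            cs: &mut impl Assignment<F>,
            config: PLONKConfig,
        ) -> Result<(), Error> {
            let mut cs = StandardPLONK::new(cs, config);

            for _ in 0..10 {
                let mut a_squared = None;
                let (a0, _, c0) = cs.raw_multiply(|| {
                    a_squared = self.a.map(|a| a.square());
                    Ok((
                        self.a.ok_or(Error::SynthesisError)?,
                        self.a.ok_or(Error::SynthesisError)?,
                        a_squared.ok_or(Error::SynthesisError)?,
                    ))
                })?;
                let (a1, b1, _) = cs.raw_add(|| {
                    let fin = a_squared.and_then(|a2| self.a.map(|a| a + a2));
                    Ok((
                        self.a.ok_or(Error::SynthesisError)?,
                        a_squared.ok_or(Error::SynthesisError)?,
                        fin.ok_or(Error::SynthesisError)?,
                    ))
                })?;
                cs.copy(a0, a1)?;
                cs.copy(b1, c0)?;
            }

            Ok(())
        }
    }

    // The witness is a fresh random field element per test run; the RNG
    // behind `Fp::random()` is not visible here.
    let circuit: MyCircuit<Fp> = MyCircuit {
        a: Some(Fp::random()),
    };

    let empty_circuit: MyCircuit<Fp> = MyCircuit { a: None };

    // Initialize the SRS
    let srs = SRS::generate(&params, &empty_circuit).expect("SRS generation should not fail");

    for _ in 0..100 {
        // Create a proof
        let proof = Proof::create::<DummyHash<Fq>, DummyHash<Fp>, _>(&params, &srs, &circuit)
            .expect("proof generation should not fail");

        let msm = params.empty_msm();
        let guard = proof
            .verify::<DummyHash<Fq>, DummyHash<Fp>>(&params, &srs, msm)
            .unwrap();
        {
            let msm = guard.clone().use_challenges();
            assert!(msm.is_zero());
        }
        {
            let g = guard.compute_g();
            let (msm, _) = guard.clone().use_g(g);
            assert!(msm.is_zero());
        }
        // Feed the first verification's MSM into a second verification of the
        // same proof; both ways of discharging the guard must still be zero.
        let msm = guard.clone().use_challenges();
        assert!(msm.clone().is_zero());
        let guard = proof
            .verify::<DummyHash<Fq>, DummyHash<Fp>>(&params, &srs, msm)
            .unwrap();
        {
            let msm = guard.clone().use_challenges();
            assert!(msm.is_zero());
        }
        {
            let g = guard.compute_g();
            let (msm, _) = guard.clone().use_g(g);
            assert!(msm.is_zero());
        }
    }
}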