diff --git a/.travis.yml b/.travis.yml index 9ddae8a6d..399eaf129 100644 --- a/.travis.yml +++ b/.travis.yml @@ -4,5 +4,9 @@ rust: cache: cargo +before_script: + - rustup component add rustfmt + script: + - cargo fmt --all -- --check - cargo test --verbose --release --all diff --git a/bellman/src/domain.rs b/bellman/src/domain.rs index 5d7d50009..808d2afd5 100644 --- a/bellman/src/domain.rs +++ b/bellman/src/domain.rs @@ -13,9 +13,7 @@ use ff::{Field, PrimeField, ScalarEngine}; use group::CurveProjective; -use super::{ - SynthesisError -}; +use super::SynthesisError; use super::multicore::Worker; @@ -25,7 +23,7 @@ pub struct EvaluationDomain> { omega: E::Fr, omegainv: E::Fr, geninv: E::Fr, - minv: E::Fr + minv: E::Fr, } impl> EvaluationDomain { @@ -41,8 +39,7 @@ impl> EvaluationDomain { self.coeffs } - pub fn from_coeffs(mut coeffs: Vec) -> Result, SynthesisError> - { + pub fn from_coeffs(mut coeffs: Vec) -> Result, SynthesisError> { // Compute the size of our evaluation domain let mut m = 1; let mut exp = 0; @@ -53,7 +50,7 @@ impl> EvaluationDomain { // The pairing-friendly curve may not be able to support // large enough (radix2) evaluation domains. if exp >= E::Fr::S { - return Err(SynthesisError::PolynomialDegreeTooLarge) + return Err(SynthesisError::PolynomialDegreeTooLarge); } } @@ -72,17 +69,18 @@ impl> EvaluationDomain { omega: omega, omegainv: omega.inverse().unwrap(), geninv: E::Fr::multiplicative_generator().inverse().unwrap(), - minv: E::Fr::from_str(&format!("{}", m)).unwrap().inverse().unwrap() + minv: E::Fr::from_str(&format!("{}", m)) + .unwrap() + .inverse() + .unwrap(), }) } - pub fn fft(&mut self, worker: &Worker) - { + pub fn fft(&mut self, worker: &Worker) { best_fft(&mut self.coeffs, worker, &self.omega, self.exp); } - pub fn ifft(&mut self, worker: &Worker) - { + pub fn ifft(&mut self, worker: &Worker) { best_fft(&mut self.coeffs, worker, &self.omegainv, self.exp); worker.scope(self.coeffs.len(), |scope, chunk| { @@ -98,8 +96,7 @@ impl> EvaluationDomain { }); } - pub fn distribute_powers(&mut self, worker: &Worker, g: E::Fr) - { + pub fn distribute_powers(&mut self, worker: &Worker, g: E::Fr) { worker.scope(self.coeffs.len(), |scope, chunk| { for (i, v) in self.coeffs.chunks_mut(chunk).enumerate() { scope.spawn(move || { @@ -113,14 +110,12 @@ impl> EvaluationDomain { }); } - pub fn coset_fft(&mut self, worker: &Worker) - { + pub fn coset_fft(&mut self, worker: &Worker) { self.distribute_powers(worker, E::Fr::multiplicative_generator()); self.fft(worker); } - pub fn icoset_fft(&mut self, worker: &Worker) - { + pub fn icoset_fft(&mut self, worker: &Worker) { let geninv = self.geninv; self.ifft(worker); @@ -139,9 +134,11 @@ impl> EvaluationDomain { /// The target polynomial is the zero polynomial in our /// evaluation domain, so we must perform division over /// a coset. - pub fn divide_by_z_on_coset(&mut self, worker: &Worker) - { - let i = self.z(&E::Fr::multiplicative_generator()).inverse().unwrap(); + pub fn divide_by_z_on_coset(&mut self, worker: &Worker) { + let i = self + .z(&E::Fr::multiplicative_generator()) + .inverse() + .unwrap(); worker.scope(self.coeffs.len(), |scope, chunk| { for v in self.coeffs.chunks_mut(chunk) { @@ -159,7 +156,11 @@ impl> EvaluationDomain { assert_eq!(self.coeffs.len(), other.coeffs.len()); worker.scope(self.coeffs.len(), |scope, chunk| { - for (a, b) in self.coeffs.chunks_mut(chunk).zip(other.coeffs.chunks(chunk)) { + for (a, b) in self + .coeffs + .chunks_mut(chunk) + .zip(other.coeffs.chunks(chunk)) + { scope.spawn(move || { for (a, b) in a.iter_mut().zip(b.iter()) { a.group_mul_assign(&b.0); @@ -174,7 +175,11 @@ impl> EvaluationDomain { assert_eq!(self.coeffs.len(), other.coeffs.len()); worker.scope(self.coeffs.len(), |scope, chunk| { - for (a, b) in self.coeffs.chunks_mut(chunk).zip(other.coeffs.chunks(chunk)) { + for (a, b) in self + .coeffs + .chunks_mut(chunk) + .zip(other.coeffs.chunks(chunk)) + { scope.spawn(move || { for (a, b) in a.iter_mut().zip(b.iter()) { a.group_sub_assign(&b); @@ -200,7 +205,7 @@ impl PartialEq for Point { } } -impl Copy for Point { } +impl Copy for Point {} impl Clone for Point { fn clone(&self) -> Point { @@ -231,7 +236,7 @@ impl PartialEq for Scalar { } } -impl Copy for Scalar { } +impl Copy for Scalar {} impl Clone for Scalar { fn clone(&self) -> Scalar { @@ -254,8 +259,7 @@ impl Group for Scalar { } } -fn best_fft>(a: &mut [T], worker: &Worker, omega: &E::Fr, log_n: u32) -{ +fn best_fft>(a: &mut [T], worker: &Worker, omega: &E::Fr, log_n: u32) { let log_cpus = worker.log_num_cpus(); if log_n <= log_cpus { @@ -265,8 +269,7 @@ fn best_fft>(a: &mut [T], worker: &Worker, omega: & } } -fn serial_fft>(a: &mut [T], omega: &E::Fr, log_n: u32) -{ +fn serial_fft>(a: &mut [T], omega: &E::Fr, log_n: u32) { fn bitreverse(mut n: u32, l: u32) -> u32 { let mut r = 0; for _ in 0..l { @@ -288,22 +291,22 @@ fn serial_fft>(a: &mut [T], omega: &E::Fr, log_n: u let mut m = 1; for _ in 0..log_n { - let w_m = omega.pow(&[(n / (2*m)) as u64]); + let w_m = omega.pow(&[(n / (2 * m)) as u64]); let mut k = 0; while k < n { let mut w = E::Fr::one(); for j in 0..m { - let mut t = a[(k+j+m) as usize]; + let mut t = a[(k + j + m) as usize]; t.group_mul_assign(&w); - let mut tmp = a[(k+j) as usize]; + let mut tmp = a[(k + j) as usize]; tmp.group_sub_assign(&t); - a[(k+j+m) as usize] = tmp; - a[(k+j) as usize].group_add_assign(&t); + a[(k + j + m) as usize] = tmp; + a[(k + j) as usize].group_add_assign(&t); w.mul_assign(&w_m); } - k += 2*m; + k += 2 * m; } m *= 2; @@ -315,9 +318,8 @@ fn parallel_fft>( worker: &Worker, omega: &E::Fr, log_n: u32, - log_cpus: u32 -) -{ + log_cpus: u32, +) { assert!(log_n >= log_cpus); let num_cpus = 1 << log_cpus; @@ -377,14 +379,17 @@ fn polynomial_arith() { use pairing::bls12_381::Bls12; use rand_core::RngCore; - fn test_mul(rng: &mut R) - { + fn test_mul(rng: &mut R) { let worker = Worker::new(); for coeffs_a in 0..70 { for coeffs_b in 0..70 { - let mut a: Vec<_> = (0..coeffs_a).map(|_| Scalar::(E::Fr::random(rng))).collect(); - let mut b: Vec<_> = (0..coeffs_b).map(|_| Scalar::(E::Fr::random(rng))).collect(); + let mut a: Vec<_> = (0..coeffs_a) + .map(|_| Scalar::(E::Fr::random(rng))) + .collect(); + let mut b: Vec<_> = (0..coeffs_b) + .map(|_| Scalar::(E::Fr::random(rng))) + .collect(); // naive evaluation let mut naive = vec![Scalar(E::Fr::zero()); coeffs_a + coeffs_b]; @@ -425,8 +430,7 @@ fn fft_composition() { use pairing::bls12_381::Bls12; use rand_core::RngCore; - fn test_comp(rng: &mut R) - { + fn test_comp(rng: &mut R) { let worker = Worker::new(); for coeffs in 0..10 { @@ -465,19 +469,20 @@ fn parallel_fft_consistency() { use rand_core::RngCore; use std::cmp::min; - fn test_consistency(rng: &mut R) - { + fn test_consistency(rng: &mut R) { let worker = Worker::new(); for _ in 0..5 { for log_d in 0..10 { let d = 1 << log_d; - let v1 = (0..d).map(|_| Scalar::(E::Fr::random(rng))).collect::>(); + let v1 = (0..d) + .map(|_| Scalar::(E::Fr::random(rng))) + .collect::>(); let mut v1 = EvaluationDomain::from_coeffs(v1).unwrap(); let mut v2 = EvaluationDomain::from_coeffs(v1.coeffs.clone()).unwrap(); - for log_cpus in log_d..min(log_d+1, 3) { + for log_cpus in log_d..min(log_d + 1, 3) { parallel_fft(&mut v1.coeffs, &worker, &v1.omega, log_d, log_cpus); serial_fft(&mut v2.coeffs, &v2.omega, log_d); diff --git a/bellman/src/gadgets.rs b/bellman/src/gadgets.rs index 6c4b09cff..cf366df37 100644 --- a/bellman/src/gadgets.rs +++ b/bellman/src/gadgets.rs @@ -1,17 +1,15 @@ pub mod test; -pub mod boolean; -pub mod multieq; -pub mod uint32; pub mod blake2s; -pub mod num; +pub mod boolean; pub mod lookup; +pub mod multieq; pub mod multipack; +pub mod num; pub mod sha256; +pub mod uint32; -use crate::{ - SynthesisError -}; +use crate::SynthesisError; // TODO: This should probably be removed and we // should use existing helper methods on `Option` @@ -27,7 +25,7 @@ impl Assignment for Option { fn get(&self) -> Result<&T, SynthesisError> { match *self { Some(ref v) => Ok(v), - None => Err(SynthesisError::AssignmentMissing) + None => Err(SynthesisError::AssignmentMissing), } } } diff --git a/bellman/src/gadgets/blake2s.rs b/bellman/src/gadgets/blake2s.rs index cef50ebb1..c5cee23c9 100644 --- a/bellman/src/gadgets/blake2s.rs +++ b/bellman/src/gadgets/blake2s.rs @@ -1,19 +1,10 @@ -use pairing::{ - Engine, -}; +use pairing::Engine; -use crate::{ - SynthesisError, - ConstraintSystem -}; +use crate::{ConstraintSystem, SynthesisError}; -use super::boolean::{ - Boolean -}; +use super::boolean::Boolean; -use super::uint32::{ - UInt32 -}; +use super::uint32::UInt32; use super::multieq::MultiEq; @@ -65,7 +56,7 @@ const SIGMA: [[usize; 16]; 10] = [ [12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11], [13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10], [6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5], - [10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0] + [10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0], ]; /* @@ -98,17 +89,30 @@ fn mixing_g, M>( c: usize, d: usize, x: &UInt32, - y: &UInt32 + y: &UInt32, ) -> Result<(), SynthesisError> - where M: ConstraintSystem> +where + M: ConstraintSystem>, { - v[a] = UInt32::addmany(cs.namespace(|| "mixing step 1"), &[v[a].clone(), v[b].clone(), x.clone()])?; + v[a] = UInt32::addmany( + cs.namespace(|| "mixing step 1"), + &[v[a].clone(), v[b].clone(), x.clone()], + )?; v[d] = v[d].xor(cs.namespace(|| "mixing step 2"), &v[a])?.rotr(R1); - v[c] = UInt32::addmany(cs.namespace(|| "mixing step 3"), &[v[c].clone(), v[d].clone()])?; + v[c] = UInt32::addmany( + cs.namespace(|| "mixing step 3"), + &[v[c].clone(), v[d].clone()], + )?; v[b] = v[b].xor(cs.namespace(|| "mixing step 4"), &v[c])?.rotr(R2); - v[a] = UInt32::addmany(cs.namespace(|| "mixing step 5"), &[v[a].clone(), v[b].clone(), y.clone()])?; + v[a] = UInt32::addmany( + cs.namespace(|| "mixing step 5"), + &[v[a].clone(), v[b].clone(), y.clone()], + )?; v[d] = v[d].xor(cs.namespace(|| "mixing step 6"), &v[a])?.rotr(R3); - v[c] = UInt32::addmany(cs.namespace(|| "mixing step 7"), &[v[c].clone(), v[d].clone()])?; + v[c] = UInt32::addmany( + cs.namespace(|| "mixing step 7"), + &[v[c].clone(), v[d].clone()], + )?; v[b] = v[b].xor(cs.namespace(|| "mixing step 8"), &v[c])?.rotr(R4); Ok(()) @@ -162,15 +166,13 @@ fn mixing_g, M>( END FUNCTION. */ - fn blake2s_compression>( mut cs: CS, h: &mut [UInt32], m: &[UInt32], t: u64, - f: bool -) -> Result<(), SynthesisError> -{ + f: bool, +) -> Result<(), SynthesisError> { assert_eq!(h.len(), 8); assert_eq!(m.len(), 16); @@ -196,10 +198,16 @@ fn blake2s_compression>( assert_eq!(v.len(), 16); v[12] = v[12].xor(cs.namespace(|| "first xor"), &UInt32::constant(t as u32))?; - v[13] = v[13].xor(cs.namespace(|| "second xor"), &UInt32::constant((t >> 32) as u32))?; + v[13] = v[13].xor( + cs.namespace(|| "second xor"), + &UInt32::constant((t >> 32) as u32), + )?; if f { - v[14] = v[14].xor(cs.namespace(|| "third xor"), &UInt32::constant(u32::max_value()))?; + v[14] = v[14].xor( + cs.namespace(|| "third xor"), + &UInt32::constant(u32::max_value()), + )?; } { @@ -210,20 +218,92 @@ fn blake2s_compression>( let s = SIGMA[i % 10]; - mixing_g(cs.namespace(|| "mixing invocation 1"), &mut v, 0, 4, 8, 12, &m[s[ 0]], &m[s[ 1]])?; - mixing_g(cs.namespace(|| "mixing invocation 2"), &mut v, 1, 5, 9, 13, &m[s[ 2]], &m[s[ 3]])?; - mixing_g(cs.namespace(|| "mixing invocation 3"), &mut v, 2, 6, 10, 14, &m[s[ 4]], &m[s[ 5]])?; - mixing_g(cs.namespace(|| "mixing invocation 4"), &mut v, 3, 7, 11, 15, &m[s[ 6]], &m[s[ 7]])?; + mixing_g( + cs.namespace(|| "mixing invocation 1"), + &mut v, + 0, + 4, + 8, + 12, + &m[s[0]], + &m[s[1]], + )?; + mixing_g( + cs.namespace(|| "mixing invocation 2"), + &mut v, + 1, + 5, + 9, + 13, + &m[s[2]], + &m[s[3]], + )?; + mixing_g( + cs.namespace(|| "mixing invocation 3"), + &mut v, + 2, + 6, + 10, + 14, + &m[s[4]], + &m[s[5]], + )?; + mixing_g( + cs.namespace(|| "mixing invocation 4"), + &mut v, + 3, + 7, + 11, + 15, + &m[s[6]], + &m[s[7]], + )?; - mixing_g(cs.namespace(|| "mixing invocation 5"), &mut v, 0, 5, 10, 15, &m[s[ 8]], &m[s[ 9]])?; - mixing_g(cs.namespace(|| "mixing invocation 6"), &mut v, 1, 6, 11, 12, &m[s[10]], &m[s[11]])?; - mixing_g(cs.namespace(|| "mixing invocation 7"), &mut v, 2, 7, 8, 13, &m[s[12]], &m[s[13]])?; - mixing_g(cs.namespace(|| "mixing invocation 8"), &mut v, 3, 4, 9, 14, &m[s[14]], &m[s[15]])?; + mixing_g( + cs.namespace(|| "mixing invocation 5"), + &mut v, + 0, + 5, + 10, + 15, + &m[s[8]], + &m[s[9]], + )?; + mixing_g( + cs.namespace(|| "mixing invocation 6"), + &mut v, + 1, + 6, + 11, + 12, + &m[s[10]], + &m[s[11]], + )?; + mixing_g( + cs.namespace(|| "mixing invocation 7"), + &mut v, + 2, + 7, + 8, + 13, + &m[s[12]], + &m[s[13]], + )?; + mixing_g( + cs.namespace(|| "mixing invocation 8"), + &mut v, + 3, + 4, + 9, + 14, + &m[s[14]], + &m[s[15]], + )?; } } for i in 0..8 { - let mut cs = cs.namespace(|| format!("h[{i}] ^ v[{i}] ^ v[{i} + 8]", i=i)); + let mut cs = cs.namespace(|| format!("h[{i}] ^ v[{i}] ^ v[{i} + 8]", i = i)); h[i] = h[i].xor(cs.namespace(|| "first xor"), &v[i])?; h[i] = h[i].xor(cs.namespace(|| "second xor"), &v[i + 8])?; @@ -262,9 +342,8 @@ fn blake2s_compression>( pub fn blake2s>( mut cs: CS, input: &[Boolean], - personalization: &[u8] -) -> Result, SynthesisError> -{ + personalization: &[u8], +) -> Result, SynthesisError> { use byteorder::{ByteOrder, LittleEndian}; assert_eq!(personalization.len(), 8); @@ -279,8 +358,12 @@ pub fn blake2s>( h.push(UInt32::constant(0x9B05688C)); // Personalization is stored here - h.push(UInt32::constant(0x1F83D9AB ^ LittleEndian::read_u32(&personalization[0..4]))); - h.push(UInt32::constant(0x5BE0CD19 ^ LittleEndian::read_u32(&personalization[4..8]))); + h.push(UInt32::constant( + 0x1F83D9AB ^ LittleEndian::read_u32(&personalization[0..4]), + )); + h.push(UInt32::constant( + 0x5BE0CD19 ^ LittleEndian::read_u32(&personalization[4..8]), + )); let mut blocks: Vec> = vec![]; @@ -312,7 +395,13 @@ pub fn blake2s>( { let cs = cs.namespace(|| "final block"); - blake2s_compression(cs, &mut h, &blocks[blocks.len() - 1], (input.len() / 8) as u64, true)?; + blake2s_compression( + cs, + &mut h, + &blocks[blocks.len() - 1], + (input.len() / 8) as u64, + true, + )?; } Ok(h.iter().flat_map(|b| b.into_bits()).collect()) @@ -321,14 +410,14 @@ pub fn blake2s>( #[cfg(test)] mod test { use blake2s_simd::Params as Blake2sParams; - use pairing::bls12_381::{Bls12}; + use pairing::bls12_381::Bls12; use rand_core::{RngCore, SeedableRng}; use rand_xorshift::XorShiftRng; - use crate::gadgets::boolean::{Boolean, AllocatedBit}; - use crate::gadgets::test::TestConstraintSystem; use super::blake2s; - use crate::{ConstraintSystem}; + use crate::gadgets::boolean::{AllocatedBit, Boolean}; + use crate::gadgets::test::TestConstraintSystem; + use crate::ConstraintSystem; #[test] fn test_blank_hash() { @@ -356,7 +445,13 @@ mod test { #[test] fn test_blake2s_constraints() { let mut cs = TestConstraintSystem::::new(); - let input_bits: Vec<_> = (0..512).map(|i| AllocatedBit::alloc(cs.namespace(|| format!("input bit {}", i)), Some(true)).unwrap().into()).collect(); + let input_bits: Vec<_> = (0..512) + .map(|i| { + AllocatedBit::alloc(cs.namespace(|| format!("input bit {}", i)), Some(true)) + .unwrap() + .into() + }) + .collect(); blake2s(&mut cs, &input_bits, b"12345678").unwrap(); assert!(cs.is_satisfied()); assert_eq!(cs.num_constraints(), 21518); @@ -369,14 +464,17 @@ mod test { let mut cs = TestConstraintSystem::::new(); let mut rng = XorShiftRng::from_seed([ - 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, - 0xe5, + 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, + 0xbc, 0xe5, ]); let input_bits: Vec<_> = (0..512) - .map(|_| Boolean::constant(rng.next_u32() % 2 != 0)) - .chain((0..512) - .map(|i| AllocatedBit::alloc(cs.namespace(|| format!("input bit {}", i)), Some(true)).unwrap().into())) - .collect(); + .map(|_| Boolean::constant(rng.next_u32() % 2 != 0)) + .chain((0..512).map(|i| { + AllocatedBit::alloc(cs.namespace(|| format!("input bit {}", i)), Some(true)) + .unwrap() + .into() + })) + .collect(); blake2s(&mut cs, &input_bits, b"12345678").unwrap(); assert!(cs.is_satisfied()); assert_eq!(cs.num_constraints(), 21518); @@ -386,10 +484,12 @@ mod test { fn test_blake2s_constant_constraints() { let mut cs = TestConstraintSystem::::new(); let mut rng = XorShiftRng::from_seed([ - 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, - 0xe5, + 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, + 0xbc, 0xe5, ]); - let input_bits: Vec<_> = (0..512).map(|_| Boolean::constant(rng.next_u32() % 2 != 0)).collect(); + let input_bits: Vec<_> = (0..512) + .map(|_| Boolean::constant(rng.next_u32() % 2 != 0)) + .collect(); blake2s(&mut cs, &input_bits, b"12345678").unwrap(); assert_eq!(cs.num_constraints(), 0); } @@ -397,13 +497,15 @@ mod test { #[test] fn test_blake2s() { let mut rng = XorShiftRng::from_seed([ - 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, - 0xe5, + 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, + 0xbc, 0xe5, ]); - for input_len in (0..32).chain((32..256).filter(|a| a % 8 == 0)) - { - let mut h = Blake2sParams::new().hash_length(32).personal(b"12345678").to_state(); + for input_len in (0..32).chain((32..256).filter(|a| a % 8 == 0)) { + let mut h = Blake2sParams::new() + .hash_length(32) + .personal(b"12345678") + .to_state(); let data: Vec = (0..input_len).map(|_| rng.next_u32() as u8).collect(); @@ -419,7 +521,11 @@ mod test { for bit_i in 0..8 { let cs = cs.namespace(|| format!("input bit {} {}", byte_i, bit_i)); - input_bits.push(AllocatedBit::alloc(cs, Some((input_byte >> bit_i) & 1u8 == 1u8)).unwrap().into()); + input_bits.push( + AllocatedBit::alloc(cs, Some((input_byte >> bit_i) & 1u8 == 1u8)) + .unwrap() + .into(), + ); } } @@ -427,17 +533,19 @@ mod test { assert!(cs.is_satisfied()); - let mut s = hash_result.as_ref().iter() - .flat_map(|&byte| (0..8).map(move |i| (byte >> i) & 1u8 == 1u8)); + let mut s = hash_result + .as_ref() + .iter() + .flat_map(|&byte| (0..8).map(move |i| (byte >> i) & 1u8 == 1u8)); for b in r { match b { Boolean::Is(b) => { assert!(s.next().unwrap() == b.get_value().unwrap()); - }, + } Boolean::Not(b) => { assert!(s.next().unwrap() != b.get_value().unwrap()); - }, + } Boolean::Constant(b) => { assert!(input_len == 0); assert!(s.next().unwrap() == b); diff --git a/bellman/src/gadgets/boolean.rs b/bellman/src/gadgets/boolean.rs index f6c11b69e..414b2909f 100644 --- a/bellman/src/gadgets/boolean.rs +++ b/bellman/src/gadgets/boolean.rs @@ -1,23 +1,16 @@ use ff::{BitIterator, Field, PrimeField}; use pairing::Engine; -use crate::{ - ConstraintSystem, - SynthesisError, - LinearCombination, - Variable -}; +use crate::{ConstraintSystem, LinearCombination, SynthesisError, Variable}; -use super::{ - Assignment -}; +use super::Assignment; /// Represents a variable in the constraint system which is guaranteed /// to be either zero or one. #[derive(Clone)] pub struct AllocatedBit { variable: Variable, - value: Option + value: Option, } impl AllocatedBit { @@ -35,18 +28,22 @@ impl AllocatedBit { pub fn alloc_conditionally( mut cs: CS, value: Option, - must_be_false: &AllocatedBit + must_be_false: &AllocatedBit, ) -> Result - where E: Engine, - CS: ConstraintSystem + where + E: Engine, + CS: ConstraintSystem, { - let var = cs.alloc(|| "boolean", || { - if *value.get()? { - Ok(E::Fr::one()) - } else { - Ok(E::Fr::zero()) - } - })?; + let var = cs.alloc( + || "boolean", + || { + if *value.get()? { + Ok(E::Fr::one()) + } else { + Ok(E::Fr::zero()) + } + }, + )?; // Constrain: (1 - must_be_false - a) * a = 0 // if must_be_false is true, the equation @@ -58,31 +55,32 @@ impl AllocatedBit { || "boolean constraint", |lc| lc + CS::one() - must_be_false.variable - var, |lc| lc + var, - |lc| lc + |lc| lc, ); Ok(AllocatedBit { variable: var, - value: value + value: value, }) } /// Allocate a variable in the constraint system which can only be a /// boolean value. - pub fn alloc( - mut cs: CS, - value: Option, - ) -> Result - where E: Engine, - CS: ConstraintSystem + pub fn alloc(mut cs: CS, value: Option) -> Result + where + E: Engine, + CS: ConstraintSystem, { - let var = cs.alloc(|| "boolean", || { - if *value.get()? { - Ok(E::Fr::one()) - } else { - Ok(E::Fr::zero()) - } - })?; + let var = cs.alloc( + || "boolean", + || { + if *value.get()? { + Ok(E::Fr::one()) + } else { + Ok(E::Fr::zero()) + } + }, + )?; // Constrain: (1 - a) * a = 0 // This constrains a to be either 0 or 1. @@ -90,38 +88,38 @@ impl AllocatedBit { || "boolean constraint", |lc| lc + CS::one() - var, |lc| lc + var, - |lc| lc + |lc| lc, ); Ok(AllocatedBit { variable: var, - value: value + value: value, }) } /// Performs an XOR operation over the two operands, returning /// an `AllocatedBit`. - pub fn xor( - mut cs: CS, - a: &Self, - b: &Self - ) -> Result - where E: Engine, - CS: ConstraintSystem + pub fn xor(mut cs: CS, a: &Self, b: &Self) -> Result + where + E: Engine, + CS: ConstraintSystem, { let mut result_value = None; - let result_var = cs.alloc(|| "xor result", || { - if *a.value.get()? ^ *b.value.get()? { - result_value = Some(true); + let result_var = cs.alloc( + || "xor result", + || { + if *a.value.get()? ^ *b.value.get()? { + result_value = Some(true); - Ok(E::Fr::one()) - } else { - result_value = Some(false); + Ok(E::Fr::one()) + } else { + result_value = Some(false); - Ok(E::Fr::zero()) - } - })?; + Ok(E::Fr::zero()) + } + }, + )?; // Constrain (a + a) * (b) = (a + b - c) // Given that a and b are boolean constrained, if they @@ -142,38 +140,38 @@ impl AllocatedBit { || "xor constraint", |lc| lc + a.variable + a.variable, |lc| lc + b.variable, - |lc| lc + a.variable + b.variable - result_var + |lc| lc + a.variable + b.variable - result_var, ); Ok(AllocatedBit { variable: result_var, - value: result_value + value: result_value, }) } /// Performs an AND operation over the two operands, returning /// an `AllocatedBit`. - pub fn and( - mut cs: CS, - a: &Self, - b: &Self - ) -> Result - where E: Engine, - CS: ConstraintSystem + pub fn and(mut cs: CS, a: &Self, b: &Self) -> Result + where + E: Engine, + CS: ConstraintSystem, { let mut result_value = None; - let result_var = cs.alloc(|| "and result", || { - if *a.value.get()? & *b.value.get()? { - result_value = Some(true); + let result_var = cs.alloc( + || "and result", + || { + if *a.value.get()? & *b.value.get()? { + result_value = Some(true); - Ok(E::Fr::one()) - } else { - result_value = Some(false); + Ok(E::Fr::one()) + } else { + result_value = Some(false); - Ok(E::Fr::zero()) - } - })?; + Ok(E::Fr::zero()) + } + }, + )?; // Constrain (a) * (b) = (c), ensuring c is 1 iff // a AND b are both 1. @@ -181,37 +179,37 @@ impl AllocatedBit { || "and constraint", |lc| lc + a.variable, |lc| lc + b.variable, - |lc| lc + result_var + |lc| lc + result_var, ); Ok(AllocatedBit { variable: result_var, - value: result_value + value: result_value, }) } /// Calculates `a AND (NOT b)`. - pub fn and_not( - mut cs: CS, - a: &Self, - b: &Self - ) -> Result - where E: Engine, - CS: ConstraintSystem + pub fn and_not(mut cs: CS, a: &Self, b: &Self) -> Result + where + E: Engine, + CS: ConstraintSystem, { let mut result_value = None; - let result_var = cs.alloc(|| "and not result", || { - if *a.value.get()? & !*b.value.get()? { - result_value = Some(true); + let result_var = cs.alloc( + || "and not result", + || { + if *a.value.get()? & !*b.value.get()? { + result_value = Some(true); - Ok(E::Fr::one()) - } else { - result_value = Some(false); + Ok(E::Fr::one()) + } else { + result_value = Some(false); - Ok(E::Fr::zero()) - } - })?; + Ok(E::Fr::zero()) + } + }, + )?; // Constrain (a) * (1 - b) = (c), ensuring c is 1 iff // a is true and b is false, and otherwise c is 0. @@ -219,37 +217,37 @@ impl AllocatedBit { || "and not constraint", |lc| lc + a.variable, |lc| lc + CS::one() - b.variable, - |lc| lc + result_var + |lc| lc + result_var, ); Ok(AllocatedBit { variable: result_var, - value: result_value + value: result_value, }) } /// Calculates `(NOT a) AND (NOT b)`. - pub fn nor( - mut cs: CS, - a: &Self, - b: &Self - ) -> Result - where E: Engine, - CS: ConstraintSystem + pub fn nor(mut cs: CS, a: &Self, b: &Self) -> Result + where + E: Engine, + CS: ConstraintSystem, { let mut result_value = None; - let result_var = cs.alloc(|| "nor result", || { - if !*a.value.get()? & !*b.value.get()? { - result_value = Some(true); + let result_var = cs.alloc( + || "nor result", + || { + if !*a.value.get()? & !*b.value.get()? { + result_value = Some(true); - Ok(E::Fr::one()) - } else { - result_value = Some(false); + Ok(E::Fr::one()) + } else { + result_value = Some(false); - Ok(E::Fr::zero()) - } - })?; + Ok(E::Fr::zero()) + } + }, + )?; // Constrain (1 - a) * (1 - b) = (c), ensuring c is 1 iff // a and b are both false, and otherwise c is 0. @@ -257,21 +255,20 @@ impl AllocatedBit { || "nor constraint", |lc| lc + CS::one() - a.variable, |lc| lc + CS::one() - b.variable, - |lc| lc + result_var + |lc| lc + result_var, ); Ok(AllocatedBit { variable: result_var, - value: result_value + value: result_value, }) } } pub fn u64_into_boolean_vec_le>( mut cs: CS, - value: Option -) -> Result, SynthesisError> -{ + value: Option, +) -> Result, SynthesisError> { let values = match value { Some(ref value) => { let mut tmp = Vec::with_capacity(64); @@ -281,27 +278,28 @@ pub fn u64_into_boolean_vec_le>( } tmp - }, - None => { - vec![None; 64] } + None => vec![None; 64], }; - let bits = values.into_iter().enumerate().map(|(i, b)| { - Ok(Boolean::from(AllocatedBit::alloc( - cs.namespace(|| format!("bit {}", i)), - b - )?)) - }).collect::, SynthesisError>>()?; + let bits = values + .into_iter() + .enumerate() + .map(|(i, b)| { + Ok(Boolean::from(AllocatedBit::alloc( + cs.namespace(|| format!("bit {}", i)), + b, + )?)) + }) + .collect::, SynthesisError>>()?; Ok(bits) } pub fn field_into_boolean_vec_le, F: PrimeField>( cs: CS, - value: Option -) -> Result, SynthesisError> -{ + value: Option, +) -> Result, SynthesisError> { let v = field_into_allocated_bits_le::(cs, value)?; Ok(v.into_iter().map(|e| Boolean::from(e)).collect()) @@ -309,9 +307,8 @@ pub fn field_into_boolean_vec_le, F: PrimeFie pub fn field_into_allocated_bits_le, F: PrimeField>( mut cs: CS, - value: Option -) -> Result, SynthesisError> -{ + value: Option, +) -> Result, SynthesisError> { // Deconstruct in big-endian bit order let values = match value { Some(ref value) => { @@ -333,19 +330,17 @@ pub fn field_into_allocated_bits_le, F: Prime assert_eq!(tmp.len(), F::NUM_BITS as usize); tmp - }, - None => { - vec![None; F::NUM_BITS as usize] } + None => vec![None; F::NUM_BITS as usize], }; // Allocate in little-endian order - let bits = values.into_iter().rev().enumerate().map(|(i, b)| { - AllocatedBit::alloc( - cs.namespace(|| format!("bit {}", i)), - b - ) - }).collect::, SynthesisError>>()?; + let bits = values + .into_iter() + .rev() + .enumerate() + .map(|(i, b)| AllocatedBit::alloc(cs.namespace(|| format!("bit {}", i)), b)) + .collect::, SynthesisError>>()?; Ok(bits) } @@ -359,24 +354,21 @@ pub enum Boolean { /// Negated view of the boolean variable Not(AllocatedBit), /// Constant (not an allocated variable) - Constant(bool) + Constant(bool), } impl Boolean { pub fn is_constant(&self) -> bool { match *self { Boolean::Constant(_) => true, - _ => false + _ => false, } } - pub fn enforce_equal( - mut cs: CS, - a: &Self, - b: &Self - ) -> Result<(), SynthesisError> - where E: Engine, - CS: ConstraintSystem + pub fn enforce_equal(mut cs: CS, a: &Self, b: &Self) -> Result<(), SynthesisError> + where + E: Engine, + CS: ConstraintSystem, { match (a, b) { (&Boolean::Constant(a), &Boolean::Constant(b)) => { @@ -385,33 +377,33 @@ impl Boolean { } else { Err(SynthesisError::Unsatisfiable) } - }, + } (&Boolean::Constant(true), a) | (a, &Boolean::Constant(true)) => { cs.enforce( || "enforce equal to one", |lc| lc, |lc| lc, - |lc| lc + CS::one() - &a.lc(CS::one(), E::Fr::one()) + |lc| lc + CS::one() - &a.lc(CS::one(), E::Fr::one()), ); Ok(()) - }, + } (&Boolean::Constant(false), a) | (a, &Boolean::Constant(false)) => { cs.enforce( || "enforce equal to zero", |lc| lc, |lc| lc, - |_| a.lc(CS::one(), E::Fr::one()) + |_| a.lc(CS::one(), E::Fr::one()), ); Ok(()) - }, + } (a, b) => { cs.enforce( || "enforce equal", |lc| lc, |lc| lc, - |_| a.lc(CS::one(), E::Fr::one()) - &b.lc(CS::one(), E::Fr::one()) + |_| a.lc(CS::one(), E::Fr::one()) - &b.lc(CS::one(), E::Fr::one()), ); Ok(()) @@ -423,16 +415,11 @@ impl Boolean { match self { &Boolean::Constant(c) => Some(c), &Boolean::Is(ref v) => v.get_value(), - &Boolean::Not(ref v) => v.get_value().map(|b| !b) + &Boolean::Not(ref v) => v.get_value().map(|b| !b), } } - pub fn lc( - &self, - one: Variable, - coeff: E::Fr - ) -> LinearCombination - { + pub fn lc(&self, one: Variable, coeff: E::Fr) -> LinearCombination { match self { &Boolean::Constant(c) => { if c { @@ -440,10 +427,8 @@ impl Boolean { } else { LinearCombination::::zero() } - }, - &Boolean::Is(ref v) => { - LinearCombination::::zero() + (coeff, v.get_variable()) - }, + } + &Boolean::Is(ref v) => LinearCombination::::zero() + (coeff, v.get_variable()), &Boolean::Not(ref v) => { LinearCombination::::zero() + (coeff, one) - (coeff, v.get_variable()) } @@ -460,59 +445,54 @@ impl Boolean { match self { &Boolean::Constant(c) => Boolean::Constant(!c), &Boolean::Is(ref v) => Boolean::Not(v.clone()), - &Boolean::Not(ref v) => Boolean::Is(v.clone()) + &Boolean::Not(ref v) => Boolean::Is(v.clone()), } } /// Perform XOR over two boolean operands - pub fn xor<'a, E, CS>( - cs: CS, - a: &'a Self, - b: &'a Self - ) -> Result - where E: Engine, - CS: ConstraintSystem + pub fn xor<'a, E, CS>(cs: CS, a: &'a Self, b: &'a Self) -> Result + where + E: Engine, + CS: ConstraintSystem, { match (a, b) { (&Boolean::Constant(false), x) | (x, &Boolean::Constant(false)) => Ok(x.clone()), (&Boolean::Constant(true), x) | (x, &Boolean::Constant(true)) => Ok(x.not()), // a XOR (NOT b) = NOT(a XOR b) - (is @ &Boolean::Is(_), not @ &Boolean::Not(_)) | (not @ &Boolean::Not(_), is @ &Boolean::Is(_)) => { - Ok(Boolean::xor( - cs, - is, - ¬.not() - )?.not()) - }, + (is @ &Boolean::Is(_), not @ &Boolean::Not(_)) + | (not @ &Boolean::Not(_), is @ &Boolean::Is(_)) => { + Ok(Boolean::xor(cs, is, ¬.not())?.not()) + } // a XOR b = (NOT a) XOR (NOT b) - (&Boolean::Is(ref a), &Boolean::Is(ref b)) | (&Boolean::Not(ref a), &Boolean::Not(ref b)) => { + (&Boolean::Is(ref a), &Boolean::Is(ref b)) + | (&Boolean::Not(ref a), &Boolean::Not(ref b)) => { Ok(Boolean::Is(AllocatedBit::xor(cs, a, b)?)) } } } /// Perform AND over two boolean operands - pub fn and<'a, E, CS>( - cs: CS, - a: &'a Self, - b: &'a Self - ) -> Result - where E: Engine, - CS: ConstraintSystem + pub fn and<'a, E, CS>(cs: CS, a: &'a Self, b: &'a Self) -> Result + where + E: Engine, + CS: ConstraintSystem, { match (a, b) { // false AND x is always false - (&Boolean::Constant(false), _) | (_, &Boolean::Constant(false)) => Ok(Boolean::Constant(false)), + (&Boolean::Constant(false), _) | (_, &Boolean::Constant(false)) => { + Ok(Boolean::Constant(false)) + } // true AND x is always x (&Boolean::Constant(true), x) | (x, &Boolean::Constant(true)) => Ok(x.clone()), // a AND (NOT b) - (&Boolean::Is(ref is), &Boolean::Not(ref not)) | (&Boolean::Not(ref not), &Boolean::Is(ref is)) => { + (&Boolean::Is(ref is), &Boolean::Not(ref not)) + | (&Boolean::Not(ref not), &Boolean::Is(ref is)) => { Ok(Boolean::Is(AllocatedBit::and_not(cs, is, not)?)) - }, + } // (NOT a) AND (NOT b) = a NOR b (&Boolean::Not(ref a), &Boolean::Not(ref b)) => { Ok(Boolean::Is(AllocatedBit::nor(cs, a, b)?)) - }, + } // a AND b (&Boolean::Is(ref a), &Boolean::Is(ref b)) => { Ok(Boolean::Is(AllocatedBit::and(cs, a, b)?)) @@ -525,27 +505,26 @@ impl Boolean { mut cs: CS, a: &'a Self, b: &'a Self, - c: &'a Self + c: &'a Self, ) -> Result - where E: Engine, - CS: ConstraintSystem + where + E: Engine, + CS: ConstraintSystem, { let ch_value = match (a.get_value(), b.get_value(), c.get_value()) { (Some(a), Some(b), Some(c)) => { // (a and b) xor ((not a) and c) Some((a & b) ^ ((!a) & c)) - }, - _ => None + } + _ => None, }; match (a, b, c) { - (&Boolean::Constant(_), - &Boolean::Constant(_), - &Boolean::Constant(_)) => { + (&Boolean::Constant(_), &Boolean::Constant(_), &Boolean::Constant(_)) => { // They're all constants, so we can just compute the value. return Ok(Boolean::Constant(ch_value.expect("they're all constants"))); - }, + } (&Boolean::Constant(false), _, c) => { // If a is false // (a and b) xor ((not a) and c) @@ -554,29 +533,21 @@ impl Boolean { // equals // c return Ok(c.clone()); - }, + } (a, &Boolean::Constant(false), c) => { // If b is false // (a and b) xor ((not a) and c) // equals // ((not a) and c) - return Boolean::and( - cs, - &a.not(), - &c - ); - }, + return Boolean::and(cs, &a.not(), &c); + } (a, b, &Boolean::Constant(false)) => { // If c is false // (a and b) xor ((not a) and c) // equals // (a and b) - return Boolean::and( - cs, - &a, - &b - ); - }, + return Boolean::and(cs, &a, &b); + } (a, b, &Boolean::Constant(true)) => { // If c is true // (a and b) xor ((not a) and c) @@ -584,12 +555,8 @@ impl Boolean { // (a and b) xor (not a) // equals // not (a and (not b)) - return Ok(Boolean::and( - cs, - &a, - &b.not() - )?.not()); - }, + return Ok(Boolean::and(cs, &a, &b.not())?.not()); + } (a, &Boolean::Constant(true), c) => { // If b is true // (a and b) xor ((not a) and c) @@ -597,53 +564,47 @@ impl Boolean { // a xor ((not a) and c) // equals // not ((not a) and (not c)) - return Ok(Boolean::and( - cs, - &a.not(), - &c.not() - )?.not()); - }, + return Ok(Boolean::and(cs, &a.not(), &c.not())?.not()); + } (&Boolean::Constant(true), _, _) => { // If a is true // (a and b) xor ((not a) and c) // equals // b xor ((not a) and c) // So we just continue! - }, - (&Boolean::Is(_), &Boolean::Is(_), &Boolean::Is(_)) | - (&Boolean::Is(_), &Boolean::Is(_), &Boolean::Not(_)) | - (&Boolean::Is(_), &Boolean::Not(_), &Boolean::Is(_)) | - (&Boolean::Is(_), &Boolean::Not(_), &Boolean::Not(_)) | - (&Boolean::Not(_), &Boolean::Is(_), &Boolean::Is(_)) | - (&Boolean::Not(_), &Boolean::Is(_), &Boolean::Not(_)) | - (&Boolean::Not(_), &Boolean::Not(_), &Boolean::Is(_)) | - (&Boolean::Not(_), &Boolean::Not(_), &Boolean::Not(_)) - => {} + } + (&Boolean::Is(_), &Boolean::Is(_), &Boolean::Is(_)) + | (&Boolean::Is(_), &Boolean::Is(_), &Boolean::Not(_)) + | (&Boolean::Is(_), &Boolean::Not(_), &Boolean::Is(_)) + | (&Boolean::Is(_), &Boolean::Not(_), &Boolean::Not(_)) + | (&Boolean::Not(_), &Boolean::Is(_), &Boolean::Is(_)) + | (&Boolean::Not(_), &Boolean::Is(_), &Boolean::Not(_)) + | (&Boolean::Not(_), &Boolean::Not(_), &Boolean::Is(_)) + | (&Boolean::Not(_), &Boolean::Not(_), &Boolean::Not(_)) => {} } - let ch = cs.alloc(|| "ch", || { - ch_value.get().map(|v| { - if *v { - E::Fr::one() - } else { - E::Fr::zero() - } - }) - })?; + let ch = cs.alloc( + || "ch", + || { + ch_value + .get() + .map(|v| if *v { E::Fr::one() } else { E::Fr::zero() }) + }, + )?; // a(b - c) = ch - c cs.enforce( || "ch computation", - |_| b.lc(CS::one(), E::Fr::one()) - - &c.lc(CS::one(), E::Fr::one()), + |_| b.lc(CS::one(), E::Fr::one()) - &c.lc(CS::one(), E::Fr::one()), |_| a.lc(CS::one(), E::Fr::one()), - |lc| lc + ch - &c.lc(CS::one(), E::Fr::one()) + |lc| lc + ch - &c.lc(CS::one(), E::Fr::one()), ); Ok(AllocatedBit { value: ch_value, - variable: ch - }.into()) + variable: ch, + } + .into()) } /// Computes (a and b) xor (a and c) xor (b and c) @@ -653,58 +614,45 @@ impl Boolean { b: &'a Self, c: &'a Self, ) -> Result - where E: Engine, - CS: ConstraintSystem + where + E: Engine, + CS: ConstraintSystem, { let maj_value = match (a.get_value(), b.get_value(), c.get_value()) { (Some(a), Some(b), Some(c)) => { // (a and b) xor (a and c) xor (b and c) Some((a & b) ^ (a & c) ^ (b & c)) - }, - _ => None + } + _ => None, }; match (a, b, c) { - (&Boolean::Constant(_), - &Boolean::Constant(_), - &Boolean::Constant(_)) => { + (&Boolean::Constant(_), &Boolean::Constant(_), &Boolean::Constant(_)) => { // They're all constants, so we can just compute the value. return Ok(Boolean::Constant(maj_value.expect("they're all constants"))); - }, + } (&Boolean::Constant(false), b, c) => { // If a is false, // (a and b) xor (a and c) xor (b and c) // equals // (b and c) - return Boolean::and( - cs, - b, - c - ); - }, + return Boolean::and(cs, b, c); + } (a, &Boolean::Constant(false), c) => { // If b is false, // (a and b) xor (a and c) xor (b and c) // equals // (a and c) - return Boolean::and( - cs, - a, - c - ); - }, + return Boolean::and(cs, a, c); + } (a, b, &Boolean::Constant(false)) => { // If c is false, // (a and b) xor (a and c) xor (b and c) // equals // (a and b) - return Boolean::and( - cs, - a, - b - ); - }, + return Boolean::and(cs, a, b); + } (a, b, &Boolean::Constant(true)) => { // If c is true, // (a and b) xor (a and c) xor (b and c) @@ -712,54 +660,40 @@ impl Boolean { // (a and b) xor (a) xor (b) // equals // not ((not a) and (not b)) - return Ok(Boolean::and( - cs, - &a.not(), - &b.not() - )?.not()); - }, + return Ok(Boolean::and(cs, &a.not(), &b.not())?.not()); + } (a, &Boolean::Constant(true), c) => { // If b is true, // (a and b) xor (a and c) xor (b and c) // equals // (a) xor (a and c) xor (c) - return Ok(Boolean::and( - cs, - &a.not(), - &c.not() - )?.not()); - }, + return Ok(Boolean::and(cs, &a.not(), &c.not())?.not()); + } (&Boolean::Constant(true), b, c) => { // If a is true, // (a and b) xor (a and c) xor (b and c) // equals // (b) xor (c) xor (b and c) - return Ok(Boolean::and( - cs, - &b.not(), - &c.not() - )?.not()); - }, - (&Boolean::Is(_), &Boolean::Is(_), &Boolean::Is(_)) | - (&Boolean::Is(_), &Boolean::Is(_), &Boolean::Not(_)) | - (&Boolean::Is(_), &Boolean::Not(_), &Boolean::Is(_)) | - (&Boolean::Is(_), &Boolean::Not(_), &Boolean::Not(_)) | - (&Boolean::Not(_), &Boolean::Is(_), &Boolean::Is(_)) | - (&Boolean::Not(_), &Boolean::Is(_), &Boolean::Not(_)) | - (&Boolean::Not(_), &Boolean::Not(_), &Boolean::Is(_)) | - (&Boolean::Not(_), &Boolean::Not(_), &Boolean::Not(_)) - => {} + return Ok(Boolean::and(cs, &b.not(), &c.not())?.not()); + } + (&Boolean::Is(_), &Boolean::Is(_), &Boolean::Is(_)) + | (&Boolean::Is(_), &Boolean::Is(_), &Boolean::Not(_)) + | (&Boolean::Is(_), &Boolean::Not(_), &Boolean::Is(_)) + | (&Boolean::Is(_), &Boolean::Not(_), &Boolean::Not(_)) + | (&Boolean::Not(_), &Boolean::Is(_), &Boolean::Is(_)) + | (&Boolean::Not(_), &Boolean::Is(_), &Boolean::Not(_)) + | (&Boolean::Not(_), &Boolean::Not(_), &Boolean::Is(_)) + | (&Boolean::Not(_), &Boolean::Not(_), &Boolean::Not(_)) => {} } - let maj = cs.alloc(|| "maj", || { - maj_value.get().map(|v| { - if *v { - E::Fr::one() - } else { - E::Fr::zero() - } - }) - })?; + let maj = cs.alloc( + || "maj", + || { + maj_value + .get() + .map(|v| if *v { E::Fr::one() } else { E::Fr::zero() }) + }, + )?; // ¬(¬a ∧ ¬b) ∧ ¬(¬a ∧ ¬c) ∧ ¬(¬b ∧ ¬c) // (1 - ((1 - a) * (1 - b))) * (1 - ((1 - a) * (1 - c))) * (1 - ((1 - b) * (1 - c))) @@ -770,26 +704,24 @@ impl Boolean { // (b) * (c) = (bc) // (2bc - b - c) * (a) = bc - maj - let bc = Self::and( - cs.namespace(|| "b and c"), - b, - c - )?; + let bc = Self::and(cs.namespace(|| "b and c"), b, c)?; cs.enforce( || "maj computation", - |_| bc.lc(CS::one(), E::Fr::one()) - + &bc.lc(CS::one(), E::Fr::one()) - - &b.lc(CS::one(), E::Fr::one()) - - &c.lc(CS::one(), E::Fr::one()), + |_| { + bc.lc(CS::one(), E::Fr::one()) + &bc.lc(CS::one(), E::Fr::one()) + - &b.lc(CS::one(), E::Fr::one()) + - &c.lc(CS::one(), E::Fr::one()) + }, |_| a.lc(CS::one(), E::Fr::one()), - |_| bc.lc(CS::one(), E::Fr::one()) - maj + |_| bc.lc(CS::one(), E::Fr::one()) - maj, ); Ok(AllocatedBit { value: maj_value, - variable: maj - }.into()) + variable: maj, + } + .into()) } } @@ -801,16 +733,11 @@ impl From for Boolean { #[cfg(test)] mod test { - use crate::{ConstraintSystem}; + use super::{field_into_allocated_bits_le, u64_into_boolean_vec_le, AllocatedBit, Boolean}; + use crate::gadgets::test::*; + use crate::ConstraintSystem; use ff::{Field, PrimeField}; use pairing::bls12_381::{Bls12, Fr}; - use crate::gadgets::test::*; - use super::{ - AllocatedBit, - Boolean, - field_into_allocated_bits_le, - u64_into_boolean_vec_le - }; #[test] fn test_allocated_bit() { @@ -839,10 +766,24 @@ mod test { assert!(cs.is_satisfied()); assert!(cs.get("a/boolean") == if *a_val { Field::one() } else { Field::zero() }); assert!(cs.get("b/boolean") == if *b_val { Field::one() } else { Field::zero() }); - assert!(cs.get("xor result") == if *a_val ^ *b_val { Field::one() } else { Field::zero() }); + assert!( + cs.get("xor result") + == if *a_val ^ *b_val { + Field::one() + } else { + Field::zero() + } + ); // Invert the result and check if the constraint system is still satisfied - cs.set("xor result", if *a_val ^ *b_val { Field::zero() } else { Field::one() }); + cs.set( + "xor result", + if *a_val ^ *b_val { + Field::zero() + } else { + Field::one() + }, + ); assert!(!cs.is_satisfied()); } } @@ -861,10 +802,24 @@ mod test { assert!(cs.is_satisfied()); assert!(cs.get("a/boolean") == if *a_val { Field::one() } else { Field::zero() }); assert!(cs.get("b/boolean") == if *b_val { Field::one() } else { Field::zero() }); - assert!(cs.get("and result") == if *a_val & *b_val { Field::one() } else { Field::zero() }); + assert!( + cs.get("and result") + == if *a_val & *b_val { + Field::one() + } else { + Field::zero() + } + ); // Invert the result and check if the constraint system is still satisfied - cs.set("and result", if *a_val & *b_val { Field::zero() } else { Field::one() }); + cs.set( + "and result", + if *a_val & *b_val { + Field::zero() + } else { + Field::one() + }, + ); assert!(!cs.is_satisfied()); } } @@ -883,10 +838,24 @@ mod test { assert!(cs.is_satisfied()); assert!(cs.get("a/boolean") == if *a_val { Field::one() } else { Field::zero() }); assert!(cs.get("b/boolean") == if *b_val { Field::one() } else { Field::zero() }); - assert!(cs.get("and not result") == if *a_val & !*b_val { Field::one() } else { Field::zero() }); + assert!( + cs.get("and not result") + == if *a_val & !*b_val { + Field::one() + } else { + Field::zero() + } + ); // Invert the result and check if the constraint system is still satisfied - cs.set("and not result", if *a_val & !*b_val { Field::zero() } else { Field::one() }); + cs.set( + "and not result", + if *a_val & !*b_val { + Field::zero() + } else { + Field::one() + }, + ); assert!(!cs.is_satisfied()); } } @@ -905,10 +874,24 @@ mod test { assert!(cs.is_satisfied()); assert!(cs.get("a/boolean") == if *a_val { Field::one() } else { Field::zero() }); assert!(cs.get("b/boolean") == if *b_val { Field::one() } else { Field::zero() }); - assert!(cs.get("nor result") == if !*a_val & !*b_val { Field::one() } else { Field::zero() }); + assert!( + cs.get("nor result") + == if !*a_val & !*b_val { + Field::one() + } else { + Field::zero() + } + ); // Invert the result and check if the constraint system is still satisfied - cs.set("nor result", if !*a_val & !*b_val { Field::zero() } else { Field::one() }); + cs.set( + "nor result", + if !*a_val & !*b_val { + Field::zero() + } else { + Field::one() + }, + ); assert!(!cs.is_satisfied()); } } @@ -923,8 +906,12 @@ mod test { { let mut cs = TestConstraintSystem::::new(); - let mut a = Boolean::from(AllocatedBit::alloc(cs.namespace(|| "a"), Some(a_bool)).unwrap()); - let mut b = Boolean::from(AllocatedBit::alloc(cs.namespace(|| "b"), Some(b_bool)).unwrap()); + let mut a = Boolean::from( + AllocatedBit::alloc(cs.namespace(|| "a"), Some(a_bool)).unwrap(), + ); + let mut b = Boolean::from( + AllocatedBit::alloc(cs.namespace(|| "b"), Some(b_bool)).unwrap(), + ); if a_neg { a = a.not(); @@ -935,16 +922,15 @@ mod test { Boolean::enforce_equal(&mut cs, &a, &b).unwrap(); - assert_eq!( - cs.is_satisfied(), - (a_bool ^ a_neg) == (b_bool ^ b_neg) - ); + assert_eq!(cs.is_satisfied(), (a_bool ^ a_neg) == (b_bool ^ b_neg)); } { let mut cs = TestConstraintSystem::::new(); let mut a = Boolean::Constant(a_bool); - let mut b = Boolean::from(AllocatedBit::alloc(cs.namespace(|| "b"), Some(b_bool)).unwrap()); + let mut b = Boolean::from( + AllocatedBit::alloc(cs.namespace(|| "b"), Some(b_bool)).unwrap(), + ); if a_neg { a = a.not(); @@ -955,15 +941,14 @@ mod test { Boolean::enforce_equal(&mut cs, &a, &b).unwrap(); - assert_eq!( - cs.is_satisfied(), - (a_bool ^ a_neg) == (b_bool ^ b_neg) - ); + assert_eq!(cs.is_satisfied(), (a_bool ^ a_neg) == (b_bool ^ b_neg)); } { let mut cs = TestConstraintSystem::::new(); - let mut a = Boolean::from(AllocatedBit::alloc(cs.namespace(|| "a"), Some(a_bool)).unwrap()); + let mut a = Boolean::from( + AllocatedBit::alloc(cs.namespace(|| "a"), Some(a_bool)).unwrap(), + ); let mut b = Boolean::Constant(b_bool); if a_neg { @@ -975,10 +960,7 @@ mod test { Boolean::enforce_equal(&mut cs, &a, &b).unwrap(); - assert_eq!( - cs.is_satisfied(), - (a_bool ^ a_neg) == (b_bool ^ b_neg) - ); + assert_eq!(cs.is_satisfied(), (a_bool ^ a_neg) == (b_bool ^ b_neg)); } { let mut cs = TestConstraintSystem::::new(); @@ -1015,43 +997,43 @@ mod test { let mut b = Boolean::from(AllocatedBit::alloc(&mut cs, Some(true)).unwrap()); match b { - Boolean::Is(_) => {}, - _ => panic!("unexpected value") + Boolean::Is(_) => {} + _ => panic!("unexpected value"), } b = b.not(); match b { - Boolean::Not(_) => {}, - _ => panic!("unexpected value") + Boolean::Not(_) => {} + _ => panic!("unexpected value"), } b = b.not(); match b { - Boolean::Is(_) => {}, - _ => panic!("unexpected value") + Boolean::Is(_) => {} + _ => panic!("unexpected value"), } b = Boolean::constant(true); match b { - Boolean::Constant(true) => {}, - _ => panic!("unexpected value") + Boolean::Constant(true) => {} + _ => panic!("unexpected value"), } b = b.not(); match b { - Boolean::Constant(false) => {}, - _ => panic!("unexpected value") + Boolean::Constant(false) => {} + _ => panic!("unexpected value"), } b = b.not(); match b { - Boolean::Constant(true) => {}, - _ => panic!("unexpected value") + Boolean::Constant(true) => {} + _ => panic!("unexpected value"), } } @@ -1062,7 +1044,7 @@ mod test { AllocatedTrue, AllocatedFalse, NegatedAllocatedTrue, - NegatedAllocatedFalse + NegatedAllocatedFalse, } impl OperandType { @@ -1073,7 +1055,7 @@ mod test { OperandType::AllocatedTrue => false, OperandType::AllocatedFalse => false, OperandType::NegatedAllocatedTrue => false, - OperandType::NegatedAllocatedFalse => false + OperandType::NegatedAllocatedFalse => false, } } @@ -1084,12 +1066,11 @@ mod test { OperandType::AllocatedTrue => true, OperandType::AllocatedFalse => false, OperandType::NegatedAllocatedTrue => false, - OperandType::NegatedAllocatedFalse => true + OperandType::NegatedAllocatedFalse => true, } } } - #[test] fn test_boolean_xor() { let variants = [ @@ -1098,7 +1079,7 @@ mod test { OperandType::AllocatedTrue, OperandType::AllocatedFalse, OperandType::NegatedAllocatedTrue, - OperandType::NegatedAllocatedFalse + OperandType::NegatedAllocatedFalse, ]; for first_operand in variants.iter().cloned() { @@ -1115,10 +1096,18 @@ mod test { match operand { OperandType::True => Boolean::constant(true), OperandType::False => Boolean::constant(false), - OperandType::AllocatedTrue => Boolean::from(AllocatedBit::alloc(cs, Some(true)).unwrap()), - OperandType::AllocatedFalse => Boolean::from(AllocatedBit::alloc(cs, Some(false)).unwrap()), - OperandType::NegatedAllocatedTrue => Boolean::from(AllocatedBit::alloc(cs, Some(true)).unwrap()).not(), - OperandType::NegatedAllocatedFalse => Boolean::from(AllocatedBit::alloc(cs, Some(false)).unwrap()).not(), + OperandType::AllocatedTrue => { + Boolean::from(AllocatedBit::alloc(cs, Some(true)).unwrap()) + } + OperandType::AllocatedFalse => { + Boolean::from(AllocatedBit::alloc(cs, Some(false)).unwrap()) + } + OperandType::NegatedAllocatedTrue => { + Boolean::from(AllocatedBit::alloc(cs, Some(true)).unwrap()).not() + } + OperandType::NegatedAllocatedFalse => { + Boolean::from(AllocatedBit::alloc(cs, Some(false)).unwrap()).not() + } } }; @@ -1131,97 +1120,161 @@ mod test { assert!(cs.is_satisfied()); match (first_operand, second_operand, c) { - (OperandType::True, OperandType::True, Boolean::Constant(false)) => {}, - (OperandType::True, OperandType::False, Boolean::Constant(true)) => {}, - (OperandType::True, OperandType::AllocatedTrue, Boolean::Not(_)) => {}, - (OperandType::True, OperandType::AllocatedFalse, Boolean::Not(_)) => {}, - (OperandType::True, OperandType::NegatedAllocatedTrue, Boolean::Is(_)) => {}, - (OperandType::True, OperandType::NegatedAllocatedFalse, Boolean::Is(_)) => {}, + (OperandType::True, OperandType::True, Boolean::Constant(false)) => {} + (OperandType::True, OperandType::False, Boolean::Constant(true)) => {} + (OperandType::True, OperandType::AllocatedTrue, Boolean::Not(_)) => {} + (OperandType::True, OperandType::AllocatedFalse, Boolean::Not(_)) => {} + (OperandType::True, OperandType::NegatedAllocatedTrue, Boolean::Is(_)) => {} + (OperandType::True, OperandType::NegatedAllocatedFalse, Boolean::Is(_)) => {} - (OperandType::False, OperandType::True, Boolean::Constant(true)) => {}, - (OperandType::False, OperandType::False, Boolean::Constant(false)) => {}, - (OperandType::False, OperandType::AllocatedTrue, Boolean::Is(_)) => {}, - (OperandType::False, OperandType::AllocatedFalse, Boolean::Is(_)) => {}, - (OperandType::False, OperandType::NegatedAllocatedTrue, Boolean::Not(_)) => {}, - (OperandType::False, OperandType::NegatedAllocatedFalse, Boolean::Not(_)) => {}, + (OperandType::False, OperandType::True, Boolean::Constant(true)) => {} + (OperandType::False, OperandType::False, Boolean::Constant(false)) => {} + (OperandType::False, OperandType::AllocatedTrue, Boolean::Is(_)) => {} + (OperandType::False, OperandType::AllocatedFalse, Boolean::Is(_)) => {} + (OperandType::False, OperandType::NegatedAllocatedTrue, Boolean::Not(_)) => {} + (OperandType::False, OperandType::NegatedAllocatedFalse, Boolean::Not(_)) => {} - (OperandType::AllocatedTrue, OperandType::True, Boolean::Not(_)) => {}, - (OperandType::AllocatedTrue, OperandType::False, Boolean::Is(_)) => {}, - (OperandType::AllocatedTrue, OperandType::AllocatedTrue, Boolean::Is(ref v)) => { + (OperandType::AllocatedTrue, OperandType::True, Boolean::Not(_)) => {} + (OperandType::AllocatedTrue, OperandType::False, Boolean::Is(_)) => {} + ( + OperandType::AllocatedTrue, + OperandType::AllocatedTrue, + Boolean::Is(ref v), + ) => { assert!(cs.get("xor result") == Field::zero()); assert_eq!(v.value, Some(false)); - }, - (OperandType::AllocatedTrue, OperandType::AllocatedFalse, Boolean::Is(ref v)) => { + } + ( + OperandType::AllocatedTrue, + OperandType::AllocatedFalse, + Boolean::Is(ref v), + ) => { assert!(cs.get("xor result") == Field::one()); assert_eq!(v.value, Some(true)); - }, - (OperandType::AllocatedTrue, OperandType::NegatedAllocatedTrue, Boolean::Not(ref v)) => { + } + ( + OperandType::AllocatedTrue, + OperandType::NegatedAllocatedTrue, + Boolean::Not(ref v), + ) => { assert!(cs.get("xor result") == Field::zero()); assert_eq!(v.value, Some(false)); - }, - (OperandType::AllocatedTrue, OperandType::NegatedAllocatedFalse, Boolean::Not(ref v)) => { + } + ( + OperandType::AllocatedTrue, + OperandType::NegatedAllocatedFalse, + Boolean::Not(ref v), + ) => { assert!(cs.get("xor result") == Field::one()); assert_eq!(v.value, Some(true)); - }, + } - (OperandType::AllocatedFalse, OperandType::True, Boolean::Not(_)) => {}, - (OperandType::AllocatedFalse, OperandType::False, Boolean::Is(_)) => {}, - (OperandType::AllocatedFalse, OperandType::AllocatedTrue, Boolean::Is(ref v)) => { + (OperandType::AllocatedFalse, OperandType::True, Boolean::Not(_)) => {} + (OperandType::AllocatedFalse, OperandType::False, Boolean::Is(_)) => {} + ( + OperandType::AllocatedFalse, + OperandType::AllocatedTrue, + Boolean::Is(ref v), + ) => { assert!(cs.get("xor result") == Field::one()); assert_eq!(v.value, Some(true)); - }, - (OperandType::AllocatedFalse, OperandType::AllocatedFalse, Boolean::Is(ref v)) => { + } + ( + OperandType::AllocatedFalse, + OperandType::AllocatedFalse, + Boolean::Is(ref v), + ) => { assert!(cs.get("xor result") == Field::zero()); assert_eq!(v.value, Some(false)); - }, - (OperandType::AllocatedFalse, OperandType::NegatedAllocatedTrue, Boolean::Not(ref v)) => { + } + ( + OperandType::AllocatedFalse, + OperandType::NegatedAllocatedTrue, + Boolean::Not(ref v), + ) => { assert!(cs.get("xor result") == Field::one()); assert_eq!(v.value, Some(true)); - }, - (OperandType::AllocatedFalse, OperandType::NegatedAllocatedFalse, Boolean::Not(ref v)) => { + } + ( + OperandType::AllocatedFalse, + OperandType::NegatedAllocatedFalse, + Boolean::Not(ref v), + ) => { assert!(cs.get("xor result") == Field::zero()); assert_eq!(v.value, Some(false)); - }, + } - (OperandType::NegatedAllocatedTrue, OperandType::True, Boolean::Is(_)) => {}, - (OperandType::NegatedAllocatedTrue, OperandType::False, Boolean::Not(_)) => {}, - (OperandType::NegatedAllocatedTrue, OperandType::AllocatedTrue, Boolean::Not(ref v)) => { + (OperandType::NegatedAllocatedTrue, OperandType::True, Boolean::Is(_)) => {} + (OperandType::NegatedAllocatedTrue, OperandType::False, Boolean::Not(_)) => {} + ( + OperandType::NegatedAllocatedTrue, + OperandType::AllocatedTrue, + Boolean::Not(ref v), + ) => { assert!(cs.get("xor result") == Field::zero()); assert_eq!(v.value, Some(false)); - }, - (OperandType::NegatedAllocatedTrue, OperandType::AllocatedFalse, Boolean::Not(ref v)) => { + } + ( + OperandType::NegatedAllocatedTrue, + OperandType::AllocatedFalse, + Boolean::Not(ref v), + ) => { assert!(cs.get("xor result") == Field::one()); assert_eq!(v.value, Some(true)); - }, - (OperandType::NegatedAllocatedTrue, OperandType::NegatedAllocatedTrue, Boolean::Is(ref v)) => { + } + ( + OperandType::NegatedAllocatedTrue, + OperandType::NegatedAllocatedTrue, + Boolean::Is(ref v), + ) => { assert!(cs.get("xor result") == Field::zero()); assert_eq!(v.value, Some(false)); - }, - (OperandType::NegatedAllocatedTrue, OperandType::NegatedAllocatedFalse, Boolean::Is(ref v)) => { + } + ( + OperandType::NegatedAllocatedTrue, + OperandType::NegatedAllocatedFalse, + Boolean::Is(ref v), + ) => { assert!(cs.get("xor result") == Field::one()); assert_eq!(v.value, Some(true)); - }, + } - (OperandType::NegatedAllocatedFalse, OperandType::True, Boolean::Is(_)) => {}, - (OperandType::NegatedAllocatedFalse, OperandType::False, Boolean::Not(_)) => {}, - (OperandType::NegatedAllocatedFalse, OperandType::AllocatedTrue, Boolean::Not(ref v)) => { + (OperandType::NegatedAllocatedFalse, OperandType::True, Boolean::Is(_)) => {} + (OperandType::NegatedAllocatedFalse, OperandType::False, Boolean::Not(_)) => {} + ( + OperandType::NegatedAllocatedFalse, + OperandType::AllocatedTrue, + Boolean::Not(ref v), + ) => { assert!(cs.get("xor result") == Field::one()); assert_eq!(v.value, Some(true)); - }, - (OperandType::NegatedAllocatedFalse, OperandType::AllocatedFalse, Boolean::Not(ref v)) => { + } + ( + OperandType::NegatedAllocatedFalse, + OperandType::AllocatedFalse, + Boolean::Not(ref v), + ) => { assert!(cs.get("xor result") == Field::zero()); assert_eq!(v.value, Some(false)); - }, - (OperandType::NegatedAllocatedFalse, OperandType::NegatedAllocatedTrue, Boolean::Is(ref v)) => { + } + ( + OperandType::NegatedAllocatedFalse, + OperandType::NegatedAllocatedTrue, + Boolean::Is(ref v), + ) => { assert!(cs.get("xor result") == Field::one()); assert_eq!(v.value, Some(true)); - }, - (OperandType::NegatedAllocatedFalse, OperandType::NegatedAllocatedFalse, Boolean::Is(ref v)) => { + } + ( + OperandType::NegatedAllocatedFalse, + OperandType::NegatedAllocatedFalse, + Boolean::Is(ref v), + ) => { assert!(cs.get("xor result") == Field::zero()); assert_eq!(v.value, Some(false)); - }, + } - _ => panic!("this should never be encountered") + _ => panic!("this should never be encountered"), } } } @@ -1235,7 +1288,7 @@ mod test { OperandType::AllocatedTrue, OperandType::AllocatedFalse, OperandType::NegatedAllocatedTrue, - OperandType::NegatedAllocatedFalse + OperandType::NegatedAllocatedFalse, ]; for first_operand in variants.iter().cloned() { @@ -1252,10 +1305,18 @@ mod test { match operand { OperandType::True => Boolean::constant(true), OperandType::False => Boolean::constant(false), - OperandType::AllocatedTrue => Boolean::from(AllocatedBit::alloc(cs, Some(true)).unwrap()), - OperandType::AllocatedFalse => Boolean::from(AllocatedBit::alloc(cs, Some(false)).unwrap()), - OperandType::NegatedAllocatedTrue => Boolean::from(AllocatedBit::alloc(cs, Some(true)).unwrap()).not(), - OperandType::NegatedAllocatedFalse => Boolean::from(AllocatedBit::alloc(cs, Some(false)).unwrap()).not(), + OperandType::AllocatedTrue => { + Boolean::from(AllocatedBit::alloc(cs, Some(true)).unwrap()) + } + OperandType::AllocatedFalse => { + Boolean::from(AllocatedBit::alloc(cs, Some(false)).unwrap()) + } + OperandType::NegatedAllocatedTrue => { + Boolean::from(AllocatedBit::alloc(cs, Some(true)).unwrap()).not() + } + OperandType::NegatedAllocatedFalse => { + Boolean::from(AllocatedBit::alloc(cs, Some(false)).unwrap()).not() + } } }; @@ -1268,98 +1329,183 @@ mod test { assert!(cs.is_satisfied()); match (first_operand, second_operand, c) { - (OperandType::True, OperandType::True, Boolean::Constant(true)) => {}, - (OperandType::True, OperandType::False, Boolean::Constant(false)) => {}, - (OperandType::True, OperandType::AllocatedTrue, Boolean::Is(_)) => {}, - (OperandType::True, OperandType::AllocatedFalse, Boolean::Is(_)) => {}, - (OperandType::True, OperandType::NegatedAllocatedTrue, Boolean::Not(_)) => {}, - (OperandType::True, OperandType::NegatedAllocatedFalse, Boolean::Not(_)) => {}, + (OperandType::True, OperandType::True, Boolean::Constant(true)) => {} + (OperandType::True, OperandType::False, Boolean::Constant(false)) => {} + (OperandType::True, OperandType::AllocatedTrue, Boolean::Is(_)) => {} + (OperandType::True, OperandType::AllocatedFalse, Boolean::Is(_)) => {} + (OperandType::True, OperandType::NegatedAllocatedTrue, Boolean::Not(_)) => {} + (OperandType::True, OperandType::NegatedAllocatedFalse, Boolean::Not(_)) => {} - (OperandType::False, OperandType::True, Boolean::Constant(false)) => {}, - (OperandType::False, OperandType::False, Boolean::Constant(false)) => {}, - (OperandType::False, OperandType::AllocatedTrue, Boolean::Constant(false)) => {}, - (OperandType::False, OperandType::AllocatedFalse, Boolean::Constant(false)) => {}, - (OperandType::False, OperandType::NegatedAllocatedTrue, Boolean::Constant(false)) => {}, - (OperandType::False, OperandType::NegatedAllocatedFalse, Boolean::Constant(false)) => {}, + (OperandType::False, OperandType::True, Boolean::Constant(false)) => {} + (OperandType::False, OperandType::False, Boolean::Constant(false)) => {} + (OperandType::False, OperandType::AllocatedTrue, Boolean::Constant(false)) => {} + (OperandType::False, OperandType::AllocatedFalse, Boolean::Constant(false)) => { + } + ( + OperandType::False, + OperandType::NegatedAllocatedTrue, + Boolean::Constant(false), + ) => {} + ( + OperandType::False, + OperandType::NegatedAllocatedFalse, + Boolean::Constant(false), + ) => {} - (OperandType::AllocatedTrue, OperandType::True, Boolean::Is(_)) => {}, - (OperandType::AllocatedTrue, OperandType::False, Boolean::Constant(false)) => {}, - (OperandType::AllocatedTrue, OperandType::AllocatedTrue, Boolean::Is(ref v)) => { + (OperandType::AllocatedTrue, OperandType::True, Boolean::Is(_)) => {} + (OperandType::AllocatedTrue, OperandType::False, Boolean::Constant(false)) => {} + ( + OperandType::AllocatedTrue, + OperandType::AllocatedTrue, + Boolean::Is(ref v), + ) => { assert!(cs.get("and result") == Field::one()); assert_eq!(v.value, Some(true)); - }, - (OperandType::AllocatedTrue, OperandType::AllocatedFalse, Boolean::Is(ref v)) => { + } + ( + OperandType::AllocatedTrue, + OperandType::AllocatedFalse, + Boolean::Is(ref v), + ) => { assert!(cs.get("and result") == Field::zero()); assert_eq!(v.value, Some(false)); - }, - (OperandType::AllocatedTrue, OperandType::NegatedAllocatedTrue, Boolean::Is(ref v)) => { + } + ( + OperandType::AllocatedTrue, + OperandType::NegatedAllocatedTrue, + Boolean::Is(ref v), + ) => { assert!(cs.get("and not result") == Field::zero()); assert_eq!(v.value, Some(false)); - }, - (OperandType::AllocatedTrue, OperandType::NegatedAllocatedFalse, Boolean::Is(ref v)) => { + } + ( + OperandType::AllocatedTrue, + OperandType::NegatedAllocatedFalse, + Boolean::Is(ref v), + ) => { assert!(cs.get("and not result") == Field::one()); assert_eq!(v.value, Some(true)); - }, + } - (OperandType::AllocatedFalse, OperandType::True, Boolean::Is(_)) => {}, - (OperandType::AllocatedFalse, OperandType::False, Boolean::Constant(false)) => {}, - (OperandType::AllocatedFalse, OperandType::AllocatedTrue, Boolean::Is(ref v)) => { + (OperandType::AllocatedFalse, OperandType::True, Boolean::Is(_)) => {} + (OperandType::AllocatedFalse, OperandType::False, Boolean::Constant(false)) => { + } + ( + OperandType::AllocatedFalse, + OperandType::AllocatedTrue, + Boolean::Is(ref v), + ) => { assert!(cs.get("and result") == Field::zero()); assert_eq!(v.value, Some(false)); - }, - (OperandType::AllocatedFalse, OperandType::AllocatedFalse, Boolean::Is(ref v)) => { + } + ( + OperandType::AllocatedFalse, + OperandType::AllocatedFalse, + Boolean::Is(ref v), + ) => { assert!(cs.get("and result") == Field::zero()); assert_eq!(v.value, Some(false)); - }, - (OperandType::AllocatedFalse, OperandType::NegatedAllocatedTrue, Boolean::Is(ref v)) => { + } + ( + OperandType::AllocatedFalse, + OperandType::NegatedAllocatedTrue, + Boolean::Is(ref v), + ) => { assert!(cs.get("and not result") == Field::zero()); assert_eq!(v.value, Some(false)); - }, - (OperandType::AllocatedFalse, OperandType::NegatedAllocatedFalse, Boolean::Is(ref v)) => { + } + ( + OperandType::AllocatedFalse, + OperandType::NegatedAllocatedFalse, + Boolean::Is(ref v), + ) => { assert!(cs.get("and not result") == Field::zero()); assert_eq!(v.value, Some(false)); - }, + } - (OperandType::NegatedAllocatedTrue, OperandType::True, Boolean::Not(_)) => {}, - (OperandType::NegatedAllocatedTrue, OperandType::False, Boolean::Constant(false)) => {}, - (OperandType::NegatedAllocatedTrue, OperandType::AllocatedTrue, Boolean::Is(ref v)) => { + (OperandType::NegatedAllocatedTrue, OperandType::True, Boolean::Not(_)) => {} + ( + OperandType::NegatedAllocatedTrue, + OperandType::False, + Boolean::Constant(false), + ) => {} + ( + OperandType::NegatedAllocatedTrue, + OperandType::AllocatedTrue, + Boolean::Is(ref v), + ) => { assert!(cs.get("and not result") == Field::zero()); assert_eq!(v.value, Some(false)); - }, - (OperandType::NegatedAllocatedTrue, OperandType::AllocatedFalse, Boolean::Is(ref v)) => { + } + ( + OperandType::NegatedAllocatedTrue, + OperandType::AllocatedFalse, + Boolean::Is(ref v), + ) => { assert!(cs.get("and not result") == Field::zero()); assert_eq!(v.value, Some(false)); - }, - (OperandType::NegatedAllocatedTrue, OperandType::NegatedAllocatedTrue, Boolean::Is(ref v)) => { + } + ( + OperandType::NegatedAllocatedTrue, + OperandType::NegatedAllocatedTrue, + Boolean::Is(ref v), + ) => { assert!(cs.get("nor result") == Field::zero()); assert_eq!(v.value, Some(false)); - }, - (OperandType::NegatedAllocatedTrue, OperandType::NegatedAllocatedFalse, Boolean::Is(ref v)) => { + } + ( + OperandType::NegatedAllocatedTrue, + OperandType::NegatedAllocatedFalse, + Boolean::Is(ref v), + ) => { assert!(cs.get("nor result") == Field::zero()); assert_eq!(v.value, Some(false)); - }, + } - (OperandType::NegatedAllocatedFalse, OperandType::True, Boolean::Not(_)) => {}, - (OperandType::NegatedAllocatedFalse, OperandType::False, Boolean::Constant(false)) => {}, - (OperandType::NegatedAllocatedFalse, OperandType::AllocatedTrue, Boolean::Is(ref v)) => { + (OperandType::NegatedAllocatedFalse, OperandType::True, Boolean::Not(_)) => {} + ( + OperandType::NegatedAllocatedFalse, + OperandType::False, + Boolean::Constant(false), + ) => {} + ( + OperandType::NegatedAllocatedFalse, + OperandType::AllocatedTrue, + Boolean::Is(ref v), + ) => { assert!(cs.get("and not result") == Field::one()); assert_eq!(v.value, Some(true)); - }, - (OperandType::NegatedAllocatedFalse, OperandType::AllocatedFalse, Boolean::Is(ref v)) => { + } + ( + OperandType::NegatedAllocatedFalse, + OperandType::AllocatedFalse, + Boolean::Is(ref v), + ) => { assert!(cs.get("and not result") == Field::zero()); assert_eq!(v.value, Some(false)); - }, - (OperandType::NegatedAllocatedFalse, OperandType::NegatedAllocatedTrue, Boolean::Is(ref v)) => { + } + ( + OperandType::NegatedAllocatedFalse, + OperandType::NegatedAllocatedTrue, + Boolean::Is(ref v), + ) => { assert!(cs.get("nor result") == Field::zero()); assert_eq!(v.value, Some(false)); - }, - (OperandType::NegatedAllocatedFalse, OperandType::NegatedAllocatedFalse, Boolean::Is(ref v)) => { + } + ( + OperandType::NegatedAllocatedFalse, + OperandType::NegatedAllocatedFalse, + Boolean::Is(ref v), + ) => { assert!(cs.get("nor result") == Field::one()); assert_eq!(v.value, Some(true)); - }, + } _ => { - panic!("unexpected behavior at {:?} AND {:?}", first_operand, second_operand); + panic!( + "unexpected behavior at {:?} AND {:?}", + first_operand, second_operand + ); } } } @@ -1391,7 +1537,10 @@ mod test { fn test_field_into_allocated_bits_le() { let mut cs = TestConstraintSystem::::new(); - let r = Fr::from_str("9147677615426976802526883532204139322118074541891858454835346926874644257775").unwrap(); + let r = Fr::from_str( + "9147677615426976802526883532204139322118074541891858454835346926874644257775", + ) + .unwrap(); let bits = field_into_allocated_bits_le(&mut cs, Some(r)).unwrap(); @@ -1417,7 +1566,7 @@ mod test { OperandType::AllocatedTrue, OperandType::AllocatedFalse, OperandType::NegatedAllocatedTrue, - OperandType::NegatedAllocatedFalse + OperandType::NegatedAllocatedFalse, ]; for first_operand in variants.iter().cloned() { @@ -1430,8 +1579,8 @@ mod test { let c; // ch = (a and b) xor ((not a) and c) - let expected = (first_operand.val() & second_operand.val()) ^ - ((!first_operand.val()) & third_operand.val()); + let expected = (first_operand.val() & second_operand.val()) + ^ ((!first_operand.val()) & third_operand.val()); { let mut dyn_construct = |operand, name| { @@ -1440,10 +1589,20 @@ mod test { match operand { OperandType::True => Boolean::constant(true), OperandType::False => Boolean::constant(false), - OperandType::AllocatedTrue => Boolean::from(AllocatedBit::alloc(cs, Some(true)).unwrap()), - OperandType::AllocatedFalse => Boolean::from(AllocatedBit::alloc(cs, Some(false)).unwrap()), - OperandType::NegatedAllocatedTrue => Boolean::from(AllocatedBit::alloc(cs, Some(true)).unwrap()).not(), - OperandType::NegatedAllocatedFalse => Boolean::from(AllocatedBit::alloc(cs, Some(false)).unwrap()).not(), + OperandType::AllocatedTrue => { + Boolean::from(AllocatedBit::alloc(cs, Some(true)).unwrap()) + } + OperandType::AllocatedFalse => { + Boolean::from(AllocatedBit::alloc(cs, Some(false)).unwrap()) + } + OperandType::NegatedAllocatedTrue => { + Boolean::from(AllocatedBit::alloc(cs, Some(true)).unwrap()) + .not() + } + OperandType::NegatedAllocatedFalse => { + Boolean::from(AllocatedBit::alloc(cs, Some(false)).unwrap()) + .not() + } } }; @@ -1458,19 +1617,17 @@ mod test { assert_eq!(maj.get_value().unwrap(), expected); - if first_operand.is_constant() || - second_operand.is_constant() || - third_operand.is_constant() + if first_operand.is_constant() + || second_operand.is_constant() + || third_operand.is_constant() { - if first_operand.is_constant() && - second_operand.is_constant() && - third_operand.is_constant() + if first_operand.is_constant() + && second_operand.is_constant() + && third_operand.is_constant() { assert_eq!(cs.num_constraints(), 0); } - } - else - { + } else { assert_eq!(cs.get("ch"), { if expected { Fr::one() @@ -1500,7 +1657,7 @@ mod test { OperandType::AllocatedTrue, OperandType::AllocatedFalse, OperandType::NegatedAllocatedTrue, - OperandType::NegatedAllocatedFalse + OperandType::NegatedAllocatedFalse, ]; for first_operand in variants.iter().cloned() { @@ -1513,9 +1670,9 @@ mod test { let c; // maj = (a and b) xor (a and c) xor (b and c) - let expected = (first_operand.val() & second_operand.val()) ^ - (first_operand.val() & third_operand.val()) ^ - (second_operand.val() & third_operand.val()); + let expected = (first_operand.val() & second_operand.val()) + ^ (first_operand.val() & third_operand.val()) + ^ (second_operand.val() & third_operand.val()); { let mut dyn_construct = |operand, name| { @@ -1524,10 +1681,20 @@ mod test { match operand { OperandType::True => Boolean::constant(true), OperandType::False => Boolean::constant(false), - OperandType::AllocatedTrue => Boolean::from(AllocatedBit::alloc(cs, Some(true)).unwrap()), - OperandType::AllocatedFalse => Boolean::from(AllocatedBit::alloc(cs, Some(false)).unwrap()), - OperandType::NegatedAllocatedTrue => Boolean::from(AllocatedBit::alloc(cs, Some(true)).unwrap()).not(), - OperandType::NegatedAllocatedFalse => Boolean::from(AllocatedBit::alloc(cs, Some(false)).unwrap()).not(), + OperandType::AllocatedTrue => { + Boolean::from(AllocatedBit::alloc(cs, Some(true)).unwrap()) + } + OperandType::AllocatedFalse => { + Boolean::from(AllocatedBit::alloc(cs, Some(false)).unwrap()) + } + OperandType::NegatedAllocatedTrue => { + Boolean::from(AllocatedBit::alloc(cs, Some(true)).unwrap()) + .not() + } + OperandType::NegatedAllocatedFalse => { + Boolean::from(AllocatedBit::alloc(cs, Some(false)).unwrap()) + .not() + } } }; @@ -1542,19 +1709,17 @@ mod test { assert_eq!(maj.get_value().unwrap(), expected); - if first_operand.is_constant() || - second_operand.is_constant() || - third_operand.is_constant() + if first_operand.is_constant() + || second_operand.is_constant() + || third_operand.is_constant() { - if first_operand.is_constant() && - second_operand.is_constant() && - third_operand.is_constant() + if first_operand.is_constant() + && second_operand.is_constant() + && third_operand.is_constant() { assert_eq!(cs.num_constraints(), 0); } - } - else - { + } else { assert_eq!(cs.get("maj"), { if expected { Fr::one() diff --git a/bellman/src/gadgets/lookup.rs b/bellman/src/gadgets/lookup.rs index 86ab10fff..bbb1da616 100644 --- a/bellman/src/gadgets/lookup.rs +++ b/bellman/src/gadgets/lookup.rs @@ -1,23 +1,15 @@ use ff::Field; use pairing::Engine; -use super::*; -use super::num::{ - AllocatedNum, - Num -}; use super::boolean::Boolean; -use crate::{ - ConstraintSystem -}; +use super::num::{AllocatedNum, Num}; +use super::*; +use crate::ConstraintSystem; // Synthesize the constants for each base pattern. -fn synth<'a, E: Engine, I>( - window_size: usize, - constants: I, - assignment: &mut [E::Fr] -) - where I: IntoIterator +fn synth<'a, E: Engine, I>(window_size: usize, constants: I, assignment: &mut [E::Fr]) +where + I: IntoIterator, { assert_eq!(assignment.len(), 1 << window_size); @@ -39,16 +31,20 @@ fn synth<'a, E: Engine, I>( pub fn lookup3_xy( mut cs: CS, bits: &[Boolean], - coords: &[(E::Fr, E::Fr)] + coords: &[(E::Fr, E::Fr)], ) -> Result<(AllocatedNum, AllocatedNum), SynthesisError> - where CS: ConstraintSystem +where + CS: ConstraintSystem, { assert_eq!(bits.len(), 3); assert_eq!(coords.len(), 8); // Calculate the index into `coords` - let i = - match (bits[0].get_value(), bits[1].get_value(), bits[2].get_value()) { + let i = match ( + bits[0].get_value(), + bits[1].get_value(), + bits[2].get_value(), + ) { (Some(a_value), Some(b_value), Some(c_value)) => { let mut tmp = 0; if a_value { @@ -61,25 +57,15 @@ pub fn lookup3_xy( tmp += 4; } Some(tmp) - }, - _ => None + } + _ => None, }; // Allocate the x-coordinate resulting from the lookup - let res_x = AllocatedNum::alloc( - cs.namespace(|| "x"), - || { - Ok(coords[*i.get()?].0) - } - )?; + let res_x = AllocatedNum::alloc(cs.namespace(|| "x"), || Ok(coords[*i.get()?].0))?; // Allocate the y-coordinate resulting from the lookup - let res_y = AllocatedNum::alloc( - cs.namespace(|| "y"), - || { - Ok(coords[*i.get()?].1) - } - )?; + let res_y = AllocatedNum::alloc(cs.namespace(|| "y"), || Ok(coords[*i.get()?].1))?; // Compute the coefficients for the lookup constraints let mut x_coeffs = [E::Fr::zero(); 8]; @@ -93,30 +79,38 @@ pub fn lookup3_xy( cs.enforce( || "x-coordinate lookup", - |lc| lc + (x_coeffs[0b001], one) + |lc| { + lc + (x_coeffs[0b001], one) + &bits[1].lc::(one, x_coeffs[0b011]) + &bits[2].lc::(one, x_coeffs[0b101]) - + &precomp.lc::(one, x_coeffs[0b111]), + + &precomp.lc::(one, x_coeffs[0b111]) + }, |lc| lc + &bits[0].lc::(one, E::Fr::one()), - |lc| lc + res_x.get_variable() + |lc| { + lc + res_x.get_variable() - (x_coeffs[0b000], one) - &bits[1].lc::(one, x_coeffs[0b010]) - &bits[2].lc::(one, x_coeffs[0b100]) - - &precomp.lc::(one, x_coeffs[0b110]), + - &precomp.lc::(one, x_coeffs[0b110]) + }, ); cs.enforce( || "y-coordinate lookup", - |lc| lc + (y_coeffs[0b001], one) + |lc| { + lc + (y_coeffs[0b001], one) + &bits[1].lc::(one, y_coeffs[0b011]) + &bits[2].lc::(one, y_coeffs[0b101]) - + &precomp.lc::(one, y_coeffs[0b111]), + + &precomp.lc::(one, y_coeffs[0b111]) + }, |lc| lc + &bits[0].lc::(one, E::Fr::one()), - |lc| lc + res_y.get_variable() + |lc| { + lc + res_y.get_variable() - (y_coeffs[0b000], one) - &bits[1].lc::(one, y_coeffs[0b010]) - &bits[2].lc::(one, y_coeffs[0b100]) - - &precomp.lc::(one, y_coeffs[0b110]), + - &precomp.lc::(one, y_coeffs[0b110]) + }, ); Ok((res_x, res_y)) @@ -127,16 +121,16 @@ pub fn lookup3_xy( pub fn lookup3_xy_with_conditional_negation( mut cs: CS, bits: &[Boolean], - coords: &[(E::Fr, E::Fr)] + coords: &[(E::Fr, E::Fr)], ) -> Result<(Num, Num), SynthesisError> - where CS: ConstraintSystem +where + CS: ConstraintSystem, { assert_eq!(bits.len(), 3); assert_eq!(coords.len(), 4); // Calculate the index into `coords` - let i = - match (bits[0].get_value(), bits[1].get_value()) { + let i = match (bits[0].get_value(), bits[1].get_value()) { (Some(a_value), Some(b_value)) => { let mut tmp = 0; if a_value { @@ -146,22 +140,19 @@ pub fn lookup3_xy_with_conditional_negation( tmp += 2; } Some(tmp) - }, - _ => None + } + _ => None, }; // Allocate the y-coordinate resulting from the lookup // and conditional negation - let y = AllocatedNum::alloc( - cs.namespace(|| "y"), - || { - let mut tmp = coords[*i.get()?].1; - if *bits[2].get_value().get()? { - tmp.negate(); - } - Ok(tmp) + let y = AllocatedNum::alloc(cs.namespace(|| "y"), || { + let mut tmp = coords[*i.get()?].1; + if *bits[2].get_value().get()? { + tmp.negate(); } - )?; + Ok(tmp) + })?; let one = CS::one(); @@ -174,21 +165,21 @@ pub fn lookup3_xy_with_conditional_negation( let precomp = Boolean::and(cs.namespace(|| "precomp"), &bits[0], &bits[1])?; let x = Num::zero() - .add_bool_with_coeff(one, &Boolean::constant(true), x_coeffs[0b00]) - .add_bool_with_coeff(one, &bits[0], x_coeffs[0b01]) - .add_bool_with_coeff(one, &bits[1], x_coeffs[0b10]) - .add_bool_with_coeff(one, &precomp, x_coeffs[0b11]); + .add_bool_with_coeff(one, &Boolean::constant(true), x_coeffs[0b00]) + .add_bool_with_coeff(one, &bits[0], x_coeffs[0b01]) + .add_bool_with_coeff(one, &bits[1], x_coeffs[0b10]) + .add_bool_with_coeff(one, &precomp, x_coeffs[0b11]); - let y_lc = precomp.lc::(one, y_coeffs[0b11]) + - &bits[1].lc::(one, y_coeffs[0b10]) + - &bits[0].lc::(one, y_coeffs[0b01]) + - (y_coeffs[0b00], one); + let y_lc = precomp.lc::(one, y_coeffs[0b11]) + + &bits[1].lc::(one, y_coeffs[0b10]) + + &bits[0].lc::(one, y_coeffs[0b01]) + + (y_coeffs[0b00], one); cs.enforce( || "y-coordinate lookup", |lc| lc + &y_lc + &y_lc, |lc| lc + &bits[2].lc::(one, E::Fr::one()), - |lc| lc + &y_lc - y.get_variable() + |lc| lc + &y_lc - y.get_variable(), ); Ok((x, y.into())) @@ -197,8 +188,8 @@ pub fn lookup3_xy_with_conditional_negation( #[cfg(test)] mod test { use super::*; + use crate::gadgets::boolean::{AllocatedBit, Boolean}; use crate::gadgets::test::*; - use crate::gadgets::boolean::{Boolean, AllocatedBit}; use pairing::bls12_381::{Bls12, Fr}; use rand_core::{RngCore, SeedableRng}; use rand_xorshift::XorShiftRng; @@ -206,40 +197,42 @@ mod test { #[test] fn test_lookup3_xy() { let mut rng = XorShiftRng::from_seed([ - 0x59, 0x62, 0xbe, 0x3d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, - 0xe5, + 0x59, 0x62, 0xbe, 0x3d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, + 0xbc, 0xe5, ]); for _ in 0..100 { let mut cs = TestConstraintSystem::::new(); let a_val = rng.next_u32() % 2 != 0; - let a = Boolean::from( - AllocatedBit::alloc(cs.namespace(|| "a"), Some(a_val)).unwrap() - ); + let a = Boolean::from(AllocatedBit::alloc(cs.namespace(|| "a"), Some(a_val)).unwrap()); let b_val = rng.next_u32() % 2 != 0; - let b = Boolean::from( - AllocatedBit::alloc(cs.namespace(|| "b"), Some(b_val)).unwrap() - ); + let b = Boolean::from(AllocatedBit::alloc(cs.namespace(|| "b"), Some(b_val)).unwrap()); let c_val = rng.next_u32() % 2 != 0; - let c = Boolean::from( - AllocatedBit::alloc(cs.namespace(|| "c"), Some(c_val)).unwrap() - ); + let c = Boolean::from(AllocatedBit::alloc(cs.namespace(|| "c"), Some(c_val)).unwrap()); let bits = vec![a, b, c]; - let points: Vec<(Fr, Fr)> = (0..8).map(|_| (Fr::random(&mut rng), Fr::random(&mut rng))).collect(); + let points: Vec<(Fr, Fr)> = (0..8) + .map(|_| (Fr::random(&mut rng), Fr::random(&mut rng))) + .collect(); let res = lookup3_xy(&mut cs, &bits, &points).unwrap(); assert!(cs.is_satisfied()); let mut index = 0; - if a_val { index += 1 } - if b_val { index += 2 } - if c_val { index += 4 } + if a_val { + index += 1 + } + if b_val { + index += 2 + } + if c_val { + index += 4 + } assert_eq!(res.0.get_value().unwrap(), points[index].0); assert_eq!(res.1.get_value().unwrap(), points[index].1); @@ -249,43 +242,45 @@ mod test { #[test] fn test_lookup3_xy_with_conditional_negation() { let mut rng = XorShiftRng::from_seed([ - 0x59, 0x62, 0xbe, 0x3d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, - 0xe5, + 0x59, 0x62, 0xbe, 0x3d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, + 0xbc, 0xe5, ]); for _ in 0..100 { let mut cs = TestConstraintSystem::::new(); let a_val = rng.next_u32() % 2 != 0; - let a = Boolean::from( - AllocatedBit::alloc(cs.namespace(|| "a"), Some(a_val)).unwrap() - ); + let a = Boolean::from(AllocatedBit::alloc(cs.namespace(|| "a"), Some(a_val)).unwrap()); let b_val = rng.next_u32() % 2 != 0; - let b = Boolean::from( - AllocatedBit::alloc(cs.namespace(|| "b"), Some(b_val)).unwrap() - ); + let b = Boolean::from(AllocatedBit::alloc(cs.namespace(|| "b"), Some(b_val)).unwrap()); let c_val = rng.next_u32() % 2 != 0; - let c = Boolean::from( - AllocatedBit::alloc(cs.namespace(|| "c"), Some(c_val)).unwrap() - ); + let c = Boolean::from(AllocatedBit::alloc(cs.namespace(|| "c"), Some(c_val)).unwrap()); let bits = vec![a, b, c]; - let points: Vec<(Fr, Fr)> = (0..4).map(|_| (Fr::random(&mut rng), Fr::random(&mut rng))).collect(); + let points: Vec<(Fr, Fr)> = (0..4) + .map(|_| (Fr::random(&mut rng), Fr::random(&mut rng))) + .collect(); let res = lookup3_xy_with_conditional_negation(&mut cs, &bits, &points).unwrap(); assert!(cs.is_satisfied()); let mut index = 0; - if a_val { index += 1 } - if b_val { index += 2 } + if a_val { + index += 1 + } + if b_val { + index += 2 + } assert_eq!(res.0.get_value().unwrap(), points[index].0); let mut tmp = points[index].1; - if c_val { tmp.negate() } + if c_val { + tmp.negate() + } assert_eq!(res.1.get_value().unwrap(), tmp); } } @@ -293,14 +288,16 @@ mod test { #[test] fn test_synth() { let mut rng = XorShiftRng::from_seed([ - 0x59, 0x62, 0xbe, 0x3d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, - 0xe5, + 0x59, 0x62, 0xbe, 0x3d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, + 0xbc, 0xe5, ]); let window_size = 4; let mut assignment = vec![Fr::zero(); 1 << window_size]; - let constants: Vec<_> = (0..(1 << window_size)).map(|_| Fr::random(&mut rng)).collect(); + let constants: Vec<_> = (0..(1 << window_size)) + .map(|_| Fr::random(&mut rng)) + .collect(); synth::(window_size, &constants, &mut assignment); diff --git a/bellman/src/gadgets/multieq.rs b/bellman/src/gadgets/multieq.rs index b1dfd7c01..510802d4a 100644 --- a/bellman/src/gadgets/multieq.rs +++ b/bellman/src/gadgets/multieq.rs @@ -1,14 +1,9 @@ use ff::{Field, PrimeField}; use pairing::Engine; -use crate::{ - SynthesisError, - ConstraintSystem, - LinearCombination, - Variable -}; +use crate::{ConstraintSystem, LinearCombination, SynthesisError, Variable}; -pub struct MultiEq>{ +pub struct MultiEq> { cs: CS, ops: usize, bits_used: usize, @@ -23,12 +18,11 @@ impl> MultiEq { ops: 0, bits_used: 0, lhs: LinearCombination::zero(), - rhs: LinearCombination::zero() + rhs: LinearCombination::zero(), } } - fn accumulate(&mut self) - { + fn accumulate(&mut self) { let ops = self.ops; let lhs = self.lhs.clone(); let rhs = self.rhs.clone(); @@ -36,7 +30,7 @@ impl> MultiEq { || format!("multieq {}", ops), |_| lhs, |lc| lc + CS::one(), - |_| rhs + |_| rhs, ); self.lhs = LinearCombination::zero(); self.rhs = LinearCombination::zero(); @@ -48,9 +42,8 @@ impl> MultiEq { &mut self, num_bits: usize, lhs: &LinearCombination, - rhs: &LinearCombination - ) - { + rhs: &LinearCombination, + ) { // Check if we will exceed the capacity if (E::Fr::CAPACITY as usize) <= (self.bits_used + num_bits) { self.accumulate(); @@ -68,67 +61,60 @@ impl> MultiEq { impl> Drop for MultiEq { fn drop(&mut self) { if self.bits_used > 0 { - self.accumulate(); + self.accumulate(); } } } -impl> ConstraintSystem for MultiEq -{ +impl> ConstraintSystem for MultiEq { type Root = Self; fn one() -> Variable { CS::one() } - fn alloc( - &mut self, - annotation: A, - f: F - ) -> Result - where F: FnOnce() -> Result, A: FnOnce() -> AR, AR: Into + fn alloc(&mut self, annotation: A, f: F) -> Result + where + F: FnOnce() -> Result, + A: FnOnce() -> AR, + AR: Into, { self.cs.alloc(annotation, f) } - fn alloc_input( - &mut self, - annotation: A, - f: F - ) -> Result - where F: FnOnce() -> Result, A: FnOnce() -> AR, AR: Into + fn alloc_input(&mut self, annotation: A, f: F) -> Result + where + F: FnOnce() -> Result, + A: FnOnce() -> AR, + AR: Into, { self.cs.alloc_input(annotation, f) } - fn enforce( - &mut self, - annotation: A, - a: LA, - b: LB, - c: LC - ) - where A: FnOnce() -> AR, AR: Into, - LA: FnOnce(LinearCombination) -> LinearCombination, - LB: FnOnce(LinearCombination) -> LinearCombination, - LC: FnOnce(LinearCombination) -> LinearCombination + fn enforce(&mut self, annotation: A, a: LA, b: LB, c: LC) + where + A: FnOnce() -> AR, + AR: Into, + LA: FnOnce(LinearCombination) -> LinearCombination, + LB: FnOnce(LinearCombination) -> LinearCombination, + LC: FnOnce(LinearCombination) -> LinearCombination, { self.cs.enforce(annotation, a, b, c) } fn push_namespace(&mut self, name_fn: N) - where NR: Into, N: FnOnce() -> NR + where + NR: Into, + N: FnOnce() -> NR, { self.cs.get_root().push_namespace(name_fn) } - fn pop_namespace(&mut self) - { + fn pop_namespace(&mut self) { self.cs.get_root().pop_namespace() } - fn get_root(&mut self) -> &mut Self::Root - { + fn get_root(&mut self) -> &mut Self::Root { self } } diff --git a/bellman/src/gadgets/multipack.rs b/bellman/src/gadgets/multipack.rs index b9b587778..34df7cd6d 100644 --- a/bellman/src/gadgets/multipack.rs +++ b/bellman/src/gadgets/multipack.rs @@ -1,20 +1,18 @@ -use ff::{Field, PrimeField}; -use pairing::Engine; -use crate::{ConstraintSystem, SynthesisError}; -use super::boolean::{Boolean}; +use super::boolean::Boolean; use super::num::Num; use super::Assignment; +use crate::{ConstraintSystem, SynthesisError}; +use ff::{Field, PrimeField}; +use pairing::Engine; /// Takes a sequence of booleans and exposes them as compact /// public inputs -pub fn pack_into_inputs( - mut cs: CS, - bits: &[Boolean] -) -> Result<(), SynthesisError> - where E: Engine, CS: ConstraintSystem +pub fn pack_into_inputs(mut cs: CS, bits: &[Boolean]) -> Result<(), SynthesisError> +where + E: Engine, + CS: ConstraintSystem, { - for (i, bits) in bits.chunks(E::Fr::CAPACITY as usize).enumerate() - { + for (i, bits) in bits.chunks(E::Fr::CAPACITY as usize).enumerate() { let mut num = Num::::zero(); let mut coeff = E::Fr::one(); for bit in bits { @@ -23,44 +21,38 @@ pub fn pack_into_inputs( coeff.double(); } - let input = cs.alloc_input(|| format!("input {}", i), || { - Ok(*num.get_value().get()?) - })?; + let input = cs.alloc_input(|| format!("input {}", i), || Ok(*num.get_value().get()?))?; // num * 1 = input cs.enforce( || format!("packing constraint {}", i), |_| num.lc(E::Fr::one()), |lc| lc + CS::one(), - |lc| lc + input + |lc| lc + input, ); } Ok(()) } -pub fn bytes_to_bits(bytes: &[u8]) -> Vec -{ - bytes.iter() - .flat_map(|&v| (0..8).rev().map(move |i| (v >> i) & 1 == 1)) - .collect() +pub fn bytes_to_bits(bytes: &[u8]) -> Vec { + bytes + .iter() + .flat_map(|&v| (0..8).rev().map(move |i| (v >> i) & 1 == 1)) + .collect() } -pub fn bytes_to_bits_le(bytes: &[u8]) -> Vec -{ - bytes.iter() - .flat_map(|&v| (0..8).map(move |i| (v >> i) & 1 == 1)) - .collect() +pub fn bytes_to_bits_le(bytes: &[u8]) -> Vec { + bytes + .iter() + .flat_map(|&v| (0..8).map(move |i| (v >> i) & 1 == 1)) + .collect() } -pub fn compute_multipacking( - bits: &[bool] -) -> Vec -{ +pub fn compute_multipacking(bits: &[bool]) -> Vec { let mut result = vec![]; - for bits in bits.chunks(E::Fr::CAPACITY as usize) - { + for bits in bits.chunks(E::Fr::CAPACITY as usize) { let mut cur = E::Fr::zero(); let mut coeff = E::Fr::one(); @@ -80,13 +72,13 @@ pub fn compute_multipacking( #[test] fn test_multipacking() { - use crate::{ConstraintSystem}; - use pairing::bls12_381::{Bls12}; + use crate::ConstraintSystem; + use pairing::bls12_381::Bls12; use rand_core::{RngCore, SeedableRng}; use rand_xorshift::XorShiftRng; - use crate::gadgets::test::*; use super::boolean::{AllocatedBit, Boolean}; + use crate::gadgets::test::*; let mut rng = XorShiftRng::from_seed([ 0x59, 0x62, 0xbe, 0x3d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, @@ -98,16 +90,15 @@ fn test_multipacking() { let bits: Vec = (0..num_bits).map(|_| rng.next_u32() % 2 != 0).collect(); - let circuit_bits = bits.iter().enumerate() - .map(|(i, &b)| { - Boolean::from( - AllocatedBit::alloc( - cs.namespace(|| format!("bit {}", i)), - Some(b) - ).unwrap() - ) - }) - .collect::>(); + let circuit_bits = bits + .iter() + .enumerate() + .map(|(i, &b)| { + Boolean::from( + AllocatedBit::alloc(cs.namespace(|| format!("bit {}", i)), Some(b)).unwrap(), + ) + }) + .collect::>(); let expected_inputs = compute_multipacking::(&bits); diff --git a/bellman/src/gadgets/num.rs b/bellman/src/gadgets/num.rs index 077301f87..84843c1b7 100644 --- a/bellman/src/gadgets/num.rs +++ b/bellman/src/gadgets/num.rs @@ -1,78 +1,61 @@ use ff::{BitIterator, Field, PrimeField, PrimeFieldRepr}; use pairing::Engine; -use crate::{ - SynthesisError, - ConstraintSystem, - LinearCombination, - Variable -}; +use crate::{ConstraintSystem, LinearCombination, SynthesisError, Variable}; -use super::{ - Assignment -}; +use super::Assignment; -use super::boolean::{ - self, - Boolean, - AllocatedBit -}; +use super::boolean::{self, AllocatedBit, Boolean}; pub struct AllocatedNum { value: Option, - variable: Variable + variable: Variable, } impl Clone for AllocatedNum { fn clone(&self) -> Self { AllocatedNum { value: self.value, - variable: self.variable + variable: self.variable, } } } impl AllocatedNum { - pub fn alloc( - mut cs: CS, - value: F, - ) -> Result - where CS: ConstraintSystem, - F: FnOnce() -> Result + pub fn alloc(mut cs: CS, value: F) -> Result + where + CS: ConstraintSystem, + F: FnOnce() -> Result, { let mut new_value = None; - let var = cs.alloc(|| "num", || { - let tmp = value()?; + let var = cs.alloc( + || "num", + || { + let tmp = value()?; - new_value = Some(tmp); + new_value = Some(tmp); - Ok(tmp) - })?; + Ok(tmp) + }, + )?; Ok(AllocatedNum { value: new_value, - variable: var + variable: var, }) } - pub fn inputize( - &self, - mut cs: CS - ) -> Result<(), SynthesisError> - where CS: ConstraintSystem + pub fn inputize(&self, mut cs: CS) -> Result<(), SynthesisError> + where + CS: ConstraintSystem, { - let input = cs.alloc_input( - || "input variable", - || { - Ok(*self.value.get()?) - } - )?; + let input = cs.alloc_input(|| "input variable", || Ok(*self.value.get()?))?; cs.enforce( || "enforce input is correct", |lc| lc + input, |lc| lc + CS::one(), - |lc| lc + self.variable + |lc| lc + self.variable, ); Ok(()) @@ -83,18 +66,17 @@ impl AllocatedNum { /// order, requiring that the representation /// strictly exists "in the field" (i.e., a /// congruency is not allowed.) - pub fn into_bits_le_strict( - &self, - mut cs: CS - ) -> Result, SynthesisError> - where CS: ConstraintSystem + pub fn into_bits_le_strict(&self, mut cs: CS) -> Result, SynthesisError> + where + CS: ConstraintSystem, { pub fn kary_and( mut cs: CS, - v: &[AllocatedBit] + v: &[AllocatedBit], ) -> Result - where E: Engine, - CS: ConstraintSystem + where + E: Engine, + CS: ConstraintSystem, { assert!(v.len() > 0); @@ -109,7 +91,7 @@ impl AllocatedNum { cur = Some(AllocatedBit::and( cs.namespace(|| format!("and {}", i)), cur.as_ref().unwrap(), - v + v, )?); } } @@ -145,10 +127,7 @@ impl AllocatedNum { if b { // This is part of a run of ones. Let's just // allocate the boolean with the expected value. - let a_bit = AllocatedBit::alloc( - cs.namespace(|| format!("bit {}", i)), - a_bit - )?; + let a_bit = AllocatedBit::alloc(cs.namespace(|| format!("bit {}", i)), a_bit)?; // ... and add it to the current run of ones. current_run.push(a_bit.clone()); result.push(a_bit); @@ -162,7 +141,7 @@ impl AllocatedNum { } last_run = Some(kary_and( cs.namespace(|| format!("run ending at {}", i)), - ¤t_run + ¤t_run, )?); current_run.truncate(0); } @@ -175,7 +154,7 @@ impl AllocatedNum { let a_bit = AllocatedBit::alloc_conditionally( cs.namespace(|| format!("bit {}", i)), a_bit, - &last_run.as_ref().expect("char always starts with a one") + &last_run.as_ref().expect("char always starts with a one"), )?; result.push(a_bit); } @@ -201,12 +180,7 @@ impl AllocatedNum { lc = lc - self.variable; - cs.enforce( - || "unpacking constraint", - |lc| lc, - |lc| lc, - |_| lc - ); + cs.enforce(|| "unpacking constraint", |lc| lc, |lc| lc, |_| lc); // Convert into booleans, and reverse for little-endian bit order Ok(result.into_iter().map(|b| Boolean::from(b)).rev().collect()) @@ -215,16 +189,11 @@ impl AllocatedNum { /// Convert the allocated number into its little-endian representation. /// Note that this does not strongly enforce that the commitment is /// "in the field." - pub fn into_bits_le( - &self, - mut cs: CS - ) -> Result, SynthesisError> - where CS: ConstraintSystem + pub fn into_bits_le(&self, mut cs: CS) -> Result, SynthesisError> + where + CS: ConstraintSystem, { - let bits = boolean::field_into_allocated_bits_le( - &mut cs, - self.value - )?; + let bits = boolean::field_into_allocated_bits_le(&mut cs, self.value)?; let mut lc = LinearCombination::zero(); let mut coeff = E::Fr::one(); @@ -237,94 +206,91 @@ impl AllocatedNum { lc = lc - self.variable; - cs.enforce( - || "unpacking constraint", - |lc| lc, - |lc| lc, - |_| lc - ); + cs.enforce(|| "unpacking constraint", |lc| lc, |lc| lc, |_| lc); Ok(bits.into_iter().map(|b| Boolean::from(b)).collect()) } - pub fn mul( - &self, - mut cs: CS, - other: &Self - ) -> Result - where CS: ConstraintSystem + pub fn mul(&self, mut cs: CS, other: &Self) -> Result + where + CS: ConstraintSystem, { let mut value = None; - let var = cs.alloc(|| "product num", || { - let mut tmp = *self.value.get()?; - tmp.mul_assign(other.value.get()?); + let var = cs.alloc( + || "product num", + || { + let mut tmp = *self.value.get()?; + tmp.mul_assign(other.value.get()?); - value = Some(tmp); + value = Some(tmp); - Ok(tmp) - })?; + Ok(tmp) + }, + )?; // Constrain: a * b = ab cs.enforce( || "multiplication constraint", |lc| lc + self.variable, |lc| lc + other.variable, - |lc| lc + var + |lc| lc + var, ); Ok(AllocatedNum { value: value, - variable: var + variable: var, }) } - pub fn square( - &self, - mut cs: CS - ) -> Result - where CS: ConstraintSystem + pub fn square(&self, mut cs: CS) -> Result + where + CS: ConstraintSystem, { let mut value = None; - let var = cs.alloc(|| "squared num", || { - let mut tmp = *self.value.get()?; - tmp.square(); + let var = cs.alloc( + || "squared num", + || { + let mut tmp = *self.value.get()?; + tmp.square(); - value = Some(tmp); + value = Some(tmp); - Ok(tmp) - })?; + Ok(tmp) + }, + )?; // Constrain: a * a = aa cs.enforce( || "squaring constraint", |lc| lc + self.variable, |lc| lc + self.variable, - |lc| lc + var + |lc| lc + var, ); Ok(AllocatedNum { value: value, - variable: var + variable: var, }) } - pub fn assert_nonzero( - &self, - mut cs: CS - ) -> Result<(), SynthesisError> - where CS: ConstraintSystem + pub fn assert_nonzero(&self, mut cs: CS) -> Result<(), SynthesisError> + where + CS: ConstraintSystem, { - let inv = cs.alloc(|| "ephemeral inverse", || { - let tmp = *self.value.get()?; - - if tmp.is_zero() { - Err(SynthesisError::DivisionByZero) - } else { - Ok(tmp.inverse().unwrap()) - } - })?; + let inv = cs.alloc( + || "ephemeral inverse", + || { + let tmp = *self.value.get()?; + + if tmp.is_zero() { + Err(SynthesisError::DivisionByZero) + } else { + Ok(tmp.inverse().unwrap()) + } + }, + )?; // Constrain a * inv = 1, which is only valid // iff a has a multiplicative inverse, untrue @@ -333,7 +299,7 @@ impl AllocatedNum { || "nonzero assertion constraint", |lc| lc + self.variable, |lc| lc + inv, - |lc| lc + CS::one() + |lc| lc + CS::one(), ); Ok(()) @@ -346,44 +312,39 @@ impl AllocatedNum { mut cs: CS, a: &Self, b: &Self, - condition: &Boolean + condition: &Boolean, ) -> Result<(Self, Self), SynthesisError> - where CS: ConstraintSystem + where + CS: ConstraintSystem, { - let c = Self::alloc( - cs.namespace(|| "conditional reversal result 1"), - || { - if *condition.get_value().get()? { - Ok(*b.value.get()?) - } else { - Ok(*a.value.get()?) - } + let c = Self::alloc(cs.namespace(|| "conditional reversal result 1"), || { + if *condition.get_value().get()? { + Ok(*b.value.get()?) + } else { + Ok(*a.value.get()?) } - )?; + })?; cs.enforce( || "first conditional reversal", |lc| lc + a.variable - b.variable, |_| condition.lc(CS::one(), E::Fr::one()), - |lc| lc + a.variable - c.variable + |lc| lc + a.variable - c.variable, ); - let d = Self::alloc( - cs.namespace(|| "conditional reversal result 2"), - || { - if *condition.get_value().get()? { - Ok(*a.value.get()?) - } else { - Ok(*b.value.get()?) - } + let d = Self::alloc(cs.namespace(|| "conditional reversal result 2"), || { + if *condition.get_value().get()? { + Ok(*a.value.get()?) + } else { + Ok(*b.value.get()?) } - )?; + })?; cs.enforce( || "second conditional reversal", |lc| lc + b.variable - a.variable, |_| condition.lc(CS::one(), E::Fr::one()), - |lc| lc + b.variable - d.variable + |lc| lc + b.variable - d.variable, ); Ok((c, d)) @@ -400,14 +361,14 @@ impl AllocatedNum { pub struct Num { value: Option, - lc: LinearCombination + lc: LinearCombination, } impl From> for Num { fn from(num: AllocatedNum) -> Num { Num { value: num.value, - lc: LinearCombination::::zero() + num.variable + lc: LinearCombination::::zero() + num.variable, } } } @@ -416,7 +377,7 @@ impl Num { pub fn zero() -> Self { Num { value: Some(E::Fr::zero()), - lc: LinearCombination::zero() + lc: LinearCombination::zero(), } } @@ -428,13 +389,7 @@ impl Num { LinearCombination::zero() + (coeff, &self.lc) } - pub fn add_bool_with_coeff( - self, - one: Variable, - bit: &Boolean, - coeff: E::Fr - ) -> Self - { + pub fn add_bool_with_coeff(self, one: Variable, bit: &Boolean, coeff: E::Fr) -> Self { let newval = match (self.value, bit.get_value()) { (Some(mut curval), Some(bval)) => { if bval { @@ -442,27 +397,27 @@ impl Num { } Some(curval) - }, - _ => None + } + _ => None, }; Num { value: newval, - lc: self.lc + &bit.lc(one, coeff) + lc: self.lc + &bit.lc(one, coeff), } } } #[cfg(test)] mod test { - use crate::{ConstraintSystem}; + use crate::ConstraintSystem; use ff::{BitIterator, Field, PrimeField}; use pairing::bls12_381::{Bls12, Fr}; use rand_core::SeedableRng; use rand_xorshift::XorShiftRng; - use crate::gadgets::test::*; use super::{AllocatedNum, Boolean}; + use crate::gadgets::test::*; #[test] fn test_allocated_num() { @@ -491,8 +446,10 @@ mod test { fn test_num_multiplication() { let mut cs = TestConstraintSystem::::new(); - let n = AllocatedNum::alloc(cs.namespace(|| "a"), || Ok(Fr::from_str("12").unwrap())).unwrap(); - let n2 = AllocatedNum::alloc(cs.namespace(|| "b"), || Ok(Fr::from_str("10").unwrap())).unwrap(); + let n = + AllocatedNum::alloc(cs.namespace(|| "a"), || Ok(Fr::from_str("12").unwrap())).unwrap(); + let n2 = + AllocatedNum::alloc(cs.namespace(|| "b"), || Ok(Fr::from_str("10").unwrap())).unwrap(); let n3 = n.mul(&mut cs, &n2).unwrap(); assert!(cs.is_satisfied()); @@ -505,8 +462,8 @@ mod test { #[test] fn test_num_conditional_reversal() { let mut rng = XorShiftRng::from_seed([ - 0x59, 0x62, 0xbe, 0x3d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, - 0xe5, + 0x59, 0x62, 0xbe, 0x3d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, + 0xbc, 0xe5, ]); { let mut cs = TestConstraintSystem::::new(); @@ -573,14 +530,17 @@ mod test { cs.set("bit 254/boolean", Fr::one()); // this makes the conditional boolean constraint fail - assert_eq!(cs.which_is_unsatisfied().unwrap(), "bit 254/boolean constraint"); + assert_eq!( + cs.which_is_unsatisfied().unwrap(), + "bit 254/boolean constraint" + ); } #[test] fn test_into_bits() { let mut rng = XorShiftRng::from_seed([ - 0x59, 0x62, 0xbe, 0x3d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, - 0xe5, + 0x59, 0x62, 0xbe, 0x3d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, + 0xbc, 0xe5, ]); for i in 0..200 { @@ -597,7 +557,10 @@ mod test { assert!(cs.is_satisfied()); - for (b, a) in BitIterator::new(r.into_repr()).skip(1).zip(bits.iter().rev()) { + for (b, a) in BitIterator::new(r.into_repr()) + .skip(1) + .zip(bits.iter().rev()) + { if let &Boolean::Is(ref a) = a { assert_eq!(b, a.get_value().unwrap()); } else { diff --git a/bellman/src/gadgets/sha256.rs b/bellman/src/gadgets/sha256.rs index 2e4669e75..cb057f866 100644 --- a/bellman/src/gadgets/sha256.rs +++ b/bellman/src/gadgets/sha256.rs @@ -1,6 +1,6 @@ -use super::uint32::UInt32; -use super::multieq::MultiEq; use super::boolean::Boolean; +use super::multieq::MultiEq; +use super::uint32::UInt32; use crate::{ConstraintSystem, SynthesisError}; use pairing::Engine; @@ -12,37 +12,35 @@ const ROUND_CONSTANTS: [u32; 64] = [ 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, - 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 + 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2, ]; const IV: [u32; 8] = [ - 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, - 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19 + 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19, ]; pub fn sha256_block_no_padding( mut cs: CS, - input: &[Boolean] + input: &[Boolean], ) -> Result, SynthesisError> - where E: Engine, CS: ConstraintSystem +where + E: Engine, + CS: ConstraintSystem, { assert_eq!(input.len(), 512); - Ok(sha256_compression_function( - &mut cs, - &input, - &get_sha256_iv() - )? - .into_iter() - .flat_map(|e| e.into_bits_be()) - .collect()) + Ok( + sha256_compression_function(&mut cs, &input, &get_sha256_iv())? + .into_iter() + .flat_map(|e| e.into_bits_be()) + .collect(), + ) } -pub fn sha256( - mut cs: CS, - input: &[Boolean] -) -> Result, SynthesisError> - where E: Engine, CS: ConstraintSystem +pub fn sha256(mut cs: CS, input: &[Boolean]) -> Result, SynthesisError> +where + E: Engine, + CS: ConstraintSystem, { assert!(input.len() % 8 == 0); @@ -62,16 +60,10 @@ pub fn sha256( let mut cur = get_sha256_iv(); for (i, block) in padded.chunks(512).enumerate() { - cur = sha256_compression_function( - cs.namespace(|| format!("block {}", i)), - block, - &cur - )?; + cur = sha256_compression_function(cs.namespace(|| format!("block {}", i)), block, &cur)?; } - Ok(cur.into_iter() - .flat_map(|e| e.into_bits_be()) - .collect()) + Ok(cur.into_iter().flat_map(|e| e.into_bits_be()).collect()) } fn get_sha256_iv() -> Vec { @@ -81,16 +73,19 @@ fn get_sha256_iv() -> Vec { fn sha256_compression_function( cs: CS, input: &[Boolean], - current_hash_value: &[UInt32] + current_hash_value: &[UInt32], ) -> Result, SynthesisError> - where E: Engine, CS: ConstraintSystem +where + E: Engine, + CS: ConstraintSystem, { assert_eq!(input.len(), 512); assert_eq!(current_hash_value.len(), 8); - let mut w = input.chunks(32) - .map(|e| UInt32::from_bits_be(e)) - .collect::>(); + let mut w = input + .chunks(32) + .map(|e| UInt32::from_bits_be(e)) + .collect::>(); // We can save some constraints by combining some of // the constraints in different u32 additions @@ -100,30 +95,18 @@ fn sha256_compression_function( let cs = &mut cs.namespace(|| format!("w extension {}", i)); // s0 := (w[i-15] rightrotate 7) xor (w[i-15] rightrotate 18) xor (w[i-15] rightshift 3) - let mut s0 = w[i-15].rotr(7); - s0 = s0.xor( - cs.namespace(|| "first xor for s0"), - &w[i-15].rotr(18) - )?; - s0 = s0.xor( - cs.namespace(|| "second xor for s0"), - &w[i-15].shr(3) - )?; + let mut s0 = w[i - 15].rotr(7); + s0 = s0.xor(cs.namespace(|| "first xor for s0"), &w[i - 15].rotr(18))?; + s0 = s0.xor(cs.namespace(|| "second xor for s0"), &w[i - 15].shr(3))?; // s1 := (w[i-2] rightrotate 17) xor (w[i-2] rightrotate 19) xor (w[i-2] rightshift 10) - let mut s1 = w[i-2].rotr(17); - s1 = s1.xor( - cs.namespace(|| "first xor for s1"), - &w[i-2].rotr(19) - )?; - s1 = s1.xor( - cs.namespace(|| "second xor for s1"), - &w[i-2].shr(10) - )?; + let mut s1 = w[i - 2].rotr(17); + s1 = s1.xor(cs.namespace(|| "first xor for s1"), &w[i - 2].rotr(19))?; + s1 = s1.xor(cs.namespace(|| "second xor for s1"), &w[i - 2].shr(10))?; let tmp = UInt32::addmany( cs.namespace(|| "computation of w[i]"), - &[w[i-16].clone(), s0, w[i-7].clone(), s1] + &[w[i - 16].clone(), s0, w[i - 7].clone(), s1], )?; // w[i] := w[i-16] + s0 + w[i-7] + s1 @@ -134,29 +117,21 @@ fn sha256_compression_function( enum Maybe { Deferred(Vec), - Concrete(UInt32) + Concrete(UInt32), } impl Maybe { - fn compute( - self, - cs: M, - others: &[UInt32] - ) -> Result - where E: Engine, - CS: ConstraintSystem, - M: ConstraintSystem> + fn compute(self, cs: M, others: &[UInt32]) -> Result + where + E: Engine, + CS: ConstraintSystem, + M: ConstraintSystem>, { Ok(match self { - Maybe::Concrete(ref v) => { - return Ok(v.clone()) - }, + Maybe::Concrete(ref v) => return Ok(v.clone()), Maybe::Deferred(mut v) => { v.extend(others.into_iter().cloned()); - UInt32::addmany( - cs, - &v - )? + UInt32::addmany(cs, &v)? } }) } @@ -177,22 +152,11 @@ fn sha256_compression_function( // S1 := (e rightrotate 6) xor (e rightrotate 11) xor (e rightrotate 25) let new_e = e.compute(cs.namespace(|| "deferred e computation"), &[])?; let mut s1 = new_e.rotr(6); - s1 = s1.xor( - cs.namespace(|| "first xor for s1"), - &new_e.rotr(11) - )?; - s1 = s1.xor( - cs.namespace(|| "second xor for s1"), - &new_e.rotr(25) - )?; + s1 = s1.xor(cs.namespace(|| "first xor for s1"), &new_e.rotr(11))?; + s1 = s1.xor(cs.namespace(|| "second xor for s1"), &new_e.rotr(25))?; // ch := (e and f) xor ((not e) and g) - let ch = UInt32::sha256_ch( - cs.namespace(|| "ch"), - &new_e, - &f, - &g - )?; + let ch = UInt32::sha256_ch(cs.namespace(|| "ch"), &new_e, &f, &g)?; // temp1 := h + S1 + ch + k[i] + w[i] let temp1 = vec![ @@ -200,28 +164,17 @@ fn sha256_compression_function( s1, ch, UInt32::constant(ROUND_CONSTANTS[i]), - w[i].clone() + w[i].clone(), ]; // S0 := (a rightrotate 2) xor (a rightrotate 13) xor (a rightrotate 22) let new_a = a.compute(cs.namespace(|| "deferred a computation"), &[])?; let mut s0 = new_a.rotr(2); - s0 = s0.xor( - cs.namespace(|| "first xor for s0"), - &new_a.rotr(13) - )?; - s0 = s0.xor( - cs.namespace(|| "second xor for s0"), - &new_a.rotr(22) - )?; + s0 = s0.xor(cs.namespace(|| "first xor for s0"), &new_a.rotr(13))?; + s0 = s0.xor(cs.namespace(|| "second xor for s0"), &new_a.rotr(22))?; // maj := (a and b) xor (a and c) xor (b and c) - let maj = UInt32::sha256_maj( - cs.namespace(|| "maj"), - &new_a, - &b, - &c - )?; + let maj = UInt32::sha256_maj(cs.namespace(|| "maj"), &new_a, &b, &c)?; // temp2 := S0 + maj let temp2 = vec![s0, maj]; @@ -244,7 +197,13 @@ fn sha256_compression_function( d = c; c = b; b = new_a; - a = Maybe::Deferred(temp1.iter().cloned().chain(temp2.iter().cloned()).collect::>()); + a = Maybe::Deferred( + temp1 + .iter() + .cloned() + .chain(temp2.iter().cloned()) + .collect::>(), + ); } /* @@ -261,42 +220,42 @@ fn sha256_compression_function( let h0 = a.compute( cs.namespace(|| "deferred h0 computation"), - &[current_hash_value[0].clone()] + &[current_hash_value[0].clone()], )?; let h1 = UInt32::addmany( cs.namespace(|| "new h1"), - &[current_hash_value[1].clone(), b] + &[current_hash_value[1].clone(), b], )?; let h2 = UInt32::addmany( cs.namespace(|| "new h2"), - &[current_hash_value[2].clone(), c] + &[current_hash_value[2].clone(), c], )?; let h3 = UInt32::addmany( cs.namespace(|| "new h3"), - &[current_hash_value[3].clone(), d] + &[current_hash_value[3].clone(), d], )?; let h4 = e.compute( cs.namespace(|| "deferred h4 computation"), - &[current_hash_value[4].clone()] + &[current_hash_value[4].clone()], )?; let h5 = UInt32::addmany( cs.namespace(|| "new h5"), - &[current_hash_value[5].clone(), f] + &[current_hash_value[5].clone(), f], )?; let h6 = UInt32::addmany( cs.namespace(|| "new h6"), - &[current_hash_value[6].clone(), g] + &[current_hash_value[6].clone(), g], )?; let h7 = UInt32::addmany( cs.namespace(|| "new h7"), - &[current_hash_value[7].clone(), h] + &[current_hash_value[7].clone(), h], )?; Ok(vec![h0, h1, h2, h3, h4, h5, h6, h7]) @@ -306,8 +265,8 @@ fn sha256_compression_function( mod test { use super::*; use crate::gadgets::boolean::AllocatedBit; - use pairing::bls12_381::Bls12; use crate::gadgets::test::TestConstraintSystem; + use pairing::bls12_381::Bls12; use rand_core::{RngCore, SeedableRng}; use rand_xorshift::XorShiftRng; @@ -318,11 +277,7 @@ mod test { let mut cs = TestConstraintSystem::::new(); let mut input_bits: Vec<_> = (0..512).map(|_| Boolean::Constant(false)).collect(); input_bits[0] = Boolean::Constant(true); - let out = sha256_compression_function( - &mut cs, - &input_bits, - &iv - ).unwrap(); + let out = sha256_compression_function(&mut cs, &input_bits, &iv).unwrap(); let out_bits: Vec<_> = out.into_iter().flat_map(|e| e.into_bits_be()).collect(); assert!(cs.is_satisfied()); @@ -343,27 +298,26 @@ mod test { #[test] fn test_full_block() { let mut rng = XorShiftRng::from_seed([ - 0x59, 0x62, 0xbe, 0x3d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, - 0xe5, + 0x59, 0x62, 0xbe, 0x3d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, + 0xbc, 0xe5, ]); let iv = get_sha256_iv(); let mut cs = TestConstraintSystem::::new(); - let input_bits: Vec<_> = (0..512).map(|i| { - Boolean::from( - AllocatedBit::alloc( - cs.namespace(|| format!("input bit {}", i)), - Some(rng.next_u32() % 2 != 0) - ).unwrap() - ) - }).collect(); + let input_bits: Vec<_> = (0..512) + .map(|i| { + Boolean::from( + AllocatedBit::alloc( + cs.namespace(|| format!("input bit {}", i)), + Some(rng.next_u32() % 2 != 0), + ) + .unwrap(), + ) + }) + .collect(); - sha256_compression_function( - cs.namespace(|| "sha256"), - &input_bits, - &iv - ).unwrap(); + sha256_compression_function(cs.namespace(|| "sha256"), &input_bits, &iv).unwrap(); assert!(cs.is_satisfied()); assert_eq!(cs.num_constraints() - 512, 25840); @@ -374,12 +328,11 @@ mod test { use sha2::{Digest, Sha256}; let mut rng = XorShiftRng::from_seed([ - 0x59, 0x62, 0xbe, 0x3d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, - 0xe5, + 0x59, 0x62, 0xbe, 0x3d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, + 0xbc, 0xe5, ]); - for input_len in (0..32).chain((32..256).filter(|a| a % 8 == 0)) - { + for input_len in (0..32).chain((32..256).filter(|a| a % 8 == 0)) { let mut h = Sha256::new(); let data: Vec = (0..input_len).map(|_| rng.next_u32() as u8).collect(); h.input(&data); @@ -392,7 +345,11 @@ mod test { for bit_i in (0..8).rev() { let cs = cs.namespace(|| format!("input bit {} {}", byte_i, bit_i)); - input_bits.push(AllocatedBit::alloc(cs, Some((input_byte >> bit_i) & 1u8 == 1u8)).unwrap().into()); + input_bits.push( + AllocatedBit::alloc(cs, Some((input_byte >> bit_i) & 1u8 == 1u8)) + .unwrap() + .into(), + ); } } @@ -400,17 +357,19 @@ mod test { assert!(cs.is_satisfied()); - let mut s = hash_result.as_ref().iter() - .flat_map(|&byte| (0..8).rev().map(move |i| (byte >> i) & 1u8 == 1u8)); + let mut s = hash_result + .as_ref() + .iter() + .flat_map(|&byte| (0..8).rev().map(move |i| (byte >> i) & 1u8 == 1u8)); for b in r { match b { Boolean::Is(b) => { assert!(s.next().unwrap() == b.get_value().unwrap()); - }, + } Boolean::Not(b) => { assert!(s.next().unwrap() != b.get_value().unwrap()); - }, + } Boolean::Constant(b) => { assert!(input_len == 0); assert!(s.next().unwrap() == b); diff --git a/bellman/src/gadgets/test/mod.rs b/bellman/src/gadgets/test/mod.rs index dc6adbfdc..58ba04062 100644 --- a/bellman/src/gadgets/test/mod.rs +++ b/bellman/src/gadgets/test/mod.rs @@ -1,13 +1,7 @@ use ff::{Field, PrimeField, PrimeFieldRepr}; use pairing::Engine; -use crate::{ - LinearCombination, - SynthesisError, - ConstraintSystem, - Variable, - Index -}; +use crate::{ConstraintSystem, Index, LinearCombination, SynthesisError, Variable}; use std::collections::HashMap; use std::fmt::Write; @@ -22,7 +16,7 @@ use blake2s_simd::{Params as Blake2sParams, State as Blake2sState}; enum NamedObject { Constraint(usize), Var(Variable), - Namespace + Namespace, } /// Constraint system for testing purposes. @@ -33,10 +27,10 @@ pub struct TestConstraintSystem { LinearCombination, LinearCombination, LinearCombination, - String + String, )>, inputs: Vec<(E::Fr, String)>, - aux: Vec<(E::Fr, String)> + aux: Vec<(E::Fr, String)>, } #[derive(Clone, Copy)] @@ -48,7 +42,7 @@ impl PartialEq for OrderedVariable { match (self.0.get_unchecked(), other.0.get_unchecked()) { (Index::Input(ref a), Index::Input(ref b)) => a == b, (Index::Aux(ref a), Index::Aux(ref b)) => a == b, - _ => false + _ => false, } } } @@ -63,20 +57,17 @@ impl Ord for OrderedVariable { (Index::Input(ref a), Index::Input(ref b)) => a.cmp(b), (Index::Aux(ref a), Index::Aux(ref b)) => a.cmp(b), (Index::Input(_), Index::Aux(_)) => Ordering::Less, - (Index::Aux(_), Index::Input(_)) => Ordering::Greater + (Index::Aux(_), Index::Input(_)) => Ordering::Greater, } } } -fn proc_lc( - terms: &[(Variable, E::Fr)], -) -> BTreeMap -{ +fn proc_lc(terms: &[(Variable, E::Fr)]) -> BTreeMap { let mut map = BTreeMap::new(); for &(var, coeff) in terms { map.entry(OrderedVariable(var)) - .or_insert(E::Fr::zero()) - .add_assign(&coeff); + .or_insert(E::Fr::zero()) + .add_assign(&coeff); } // Remove terms that have a zero coefficient to normalize @@ -94,11 +85,7 @@ fn proc_lc( map } -fn hash_lc( - terms: &[(Variable, E::Fr)], - h: &mut Blake2sState -) -{ +fn hash_lc(terms: &[(Variable, E::Fr)], h: &mut Blake2sState) { let map = proc_lc::(terms); let mut buf = [0u8; 9 + 32]; @@ -110,13 +97,13 @@ fn hash_lc( Index::Input(i) => { buf[0] = b'I'; BigEndian::write_u64(&mut buf[1..9], i as u64); - }, + } Index::Aux(i) => { buf[0] = b'A'; BigEndian::write_u64(&mut buf[1..9], i as u64); } } - + coeff.into_repr().write_be(&mut buf[9..]).unwrap(); h.update(&buf); @@ -126,15 +113,14 @@ fn hash_lc( fn eval_lc( terms: &[(Variable, E::Fr)], inputs: &[(E::Fr, String)], - aux: &[(E::Fr, String)] -) -> E::Fr -{ + aux: &[(E::Fr, String)], +) -> E::Fr { let mut acc = E::Fr::zero(); for &(var, ref coeff) in terms { let mut tmp = match var.get_unchecked() { Index::Input(index) => inputs[index].0, - Index::Aux(index) => aux[index].0 + Index::Aux(index) => aux[index].0, }; tmp.mul_assign(&coeff); @@ -147,14 +133,17 @@ fn eval_lc( impl TestConstraintSystem { pub fn new() -> TestConstraintSystem { let mut map = HashMap::new(); - map.insert("ONE".into(), NamedObject::Var(TestConstraintSystem::::one())); + map.insert( + "ONE".into(), + NamedObject::Var(TestConstraintSystem::::one()), + ); TestConstraintSystem { named_objects: map, current_namespace: vec![], constraints: vec![], inputs: vec![(E::Fr::one(), "ONE".into())], - aux: vec![] + aux: vec![], } } @@ -167,9 +156,9 @@ impl TestConstraintSystem { tmp }; - let powers_of_two = (0..E::Fr::NUM_BITS).map(|i| { - E::Fr::from_str("2").unwrap().pow(&[i as u64]) - }).collect::>(); + let powers_of_two = (0..E::Fr::NUM_BITS) + .map(|i| E::Fr::from_str("2").unwrap().pow(&[i as u64])) + .collect::>(); let pp = |s: &mut String, lc: &LinearCombination| { write!(s, "(").unwrap(); @@ -196,7 +185,7 @@ impl TestConstraintSystem { match var.0.get_unchecked() { Index::Input(i) => { write!(s, "`{}`", &self.inputs[i].1).unwrap(); - }, + } Index::Aux(i) => { write!(s, "`{}`", &self.aux[i].1).unwrap(); } @@ -259,45 +248,41 @@ impl TestConstraintSystem { a.mul_assign(&b); if a != c { - return Some(&*path) + return Some(&*path); } } None } - pub fn is_satisfied(&self) -> bool - { + pub fn is_satisfied(&self) -> bool { self.which_is_unsatisfied().is_none() } - pub fn num_constraints(&self) -> usize - { + pub fn num_constraints(&self) -> usize { self.constraints.len() } - pub fn set(&mut self, path: &str, to: E::Fr) - { + pub fn set(&mut self, path: &str, to: E::Fr) { match self.named_objects.get(path) { - Some(&NamedObject::Var(ref v)) => { - match v.get_unchecked() { - Index::Input(index) => self.inputs[index].0 = to, - Index::Aux(index) => self.aux[index].0 = to - } - } - Some(e) => panic!("tried to set path `{}` to value, but `{:?}` already exists there.", path, e), - _ => panic!("no variable exists at path: {}", path) + Some(&NamedObject::Var(ref v)) => match v.get_unchecked() { + Index::Input(index) => self.inputs[index].0 = to, + Index::Aux(index) => self.aux[index].0 = to, + }, + Some(e) => panic!( + "tried to set path `{}` to value, but `{:?}` already exists there.", + path, e + ), + _ => panic!("no variable exists at path: {}", path), } } - pub fn verify(&self, expected: &[E::Fr]) -> bool - { + pub fn verify(&self, expected: &[E::Fr]) -> bool { assert_eq!(expected.len() + 1, self.inputs.len()); - for (a, b) in self.inputs.iter().skip(1).zip(expected.iter()) - { + for (a, b) in self.inputs.iter().skip(1).zip(expected.iter()) { if &a.0 != b { - return false + return false; } } @@ -308,8 +293,7 @@ impl TestConstraintSystem { self.inputs.len() } - pub fn get_input(&mut self, index: usize, path: &str) -> E::Fr - { + pub fn get_input(&mut self, index: usize, path: &str) -> E::Fr { let (assignment, name) = self.inputs[index].clone(); assert_eq!(path, name); @@ -317,17 +301,17 @@ impl TestConstraintSystem { assignment } - pub fn get(&mut self, path: &str) -> E::Fr - { + pub fn get(&mut self, path: &str) -> E::Fr { match self.named_objects.get(path) { - Some(&NamedObject::Var(ref v)) => { - match v.get_unchecked() { - Index::Input(index) => self.inputs[index].0, - Index::Aux(index) => self.aux[index].0 - } - } - Some(e) => panic!("tried to get value of path `{}`, but `{:?}` exists there (not a variable)", path, e), - _ => panic!("no variable exists at path: {}", path) + Some(&NamedObject::Var(ref v)) => match v.get_unchecked() { + Index::Input(index) => self.inputs[index].0, + Index::Aux(index) => self.aux[index].0, + }, + Some(e) => panic!( + "tried to get value of path `{}`, but `{:?}` exists there (not a variable)", + path, e + ), + _ => panic!("no variable exists at path: {}", path), } } @@ -348,8 +332,7 @@ fn compute_path(ns: &[String], this: String) -> String { let mut name = String::new(); let mut needs_separation = false; - for ns in ns.iter().chain(Some(&this).into_iter()) - { + for ns in ns.iter().chain(Some(&this).into_iter()) { if needs_separation { name += "/"; } @@ -364,12 +347,11 @@ fn compute_path(ns: &[String], this: String) -> String { impl ConstraintSystem for TestConstraintSystem { type Root = Self; - fn alloc( - &mut self, - annotation: A, - f: F - ) -> Result - where F: FnOnce() -> Result, A: FnOnce() -> AR, AR: Into + fn alloc(&mut self, annotation: A, f: F) -> Result + where + F: FnOnce() -> Result, + A: FnOnce() -> AR, + AR: Into, { let index = self.aux.len(); let path = compute_path(&self.current_namespace, annotation().into()); @@ -380,12 +362,11 @@ impl ConstraintSystem for TestConstraintSystem { Ok(var) } - fn alloc_input( - &mut self, - annotation: A, - f: F - ) -> Result - where F: FnOnce() -> Result, A: FnOnce() -> AR, AR: Into + fn alloc_input(&mut self, annotation: A, f: F) -> Result + where + F: FnOnce() -> Result, + A: FnOnce() -> AR, + AR: Into, { let index = self.inputs.len(); let path = compute_path(&self.current_namespace, annotation().into()); @@ -396,17 +377,13 @@ impl ConstraintSystem for TestConstraintSystem { Ok(var) } - fn enforce( - &mut self, - annotation: A, - a: LA, - b: LB, - c: LC - ) - where A: FnOnce() -> AR, AR: Into, - LA: FnOnce(LinearCombination) -> LinearCombination, - LB: FnOnce(LinearCombination) -> LinearCombination, - LC: FnOnce(LinearCombination) -> LinearCombination + fn enforce(&mut self, annotation: A, a: LA, b: LB, c: LC) + where + A: FnOnce() -> AR, + AR: Into, + LA: FnOnce(LinearCombination) -> LinearCombination, + LB: FnOnce(LinearCombination) -> LinearCombination, + LC: FnOnce(LinearCombination) -> LinearCombination, { let path = compute_path(&self.current_namespace, annotation().into()); let index = self.constraints.len(); @@ -420,7 +397,9 @@ impl ConstraintSystem for TestConstraintSystem { } fn push_namespace(&mut self, name_fn: N) - where NR: Into, N: FnOnce() -> NR + where + NR: Into, + N: FnOnce() -> NR, { let name = name_fn().into(); let path = compute_path(&self.current_namespace, name.clone()); @@ -428,13 +407,11 @@ impl ConstraintSystem for TestConstraintSystem { self.current_namespace.push(name); } - fn pop_namespace(&mut self) - { + fn pop_namespace(&mut self) { assert!(self.current_namespace.pop().is_some()); } - fn get_root(&mut self) -> &mut Self::Root - { + fn get_root(&mut self) -> &mut Self::Root { self } } @@ -447,28 +424,26 @@ fn test_cs() { let mut cs = TestConstraintSystem::::new(); assert!(cs.is_satisfied()); assert_eq!(cs.num_constraints(), 0); - let a = cs.namespace(|| "a").alloc(|| "var", || Ok(Fr::from_str("10").unwrap())).unwrap(); - let b = cs.namespace(|| "b").alloc(|| "var", || Ok(Fr::from_str("4").unwrap())).unwrap(); - let c = cs.alloc(|| "product", || Ok(Fr::from_str("40").unwrap())).unwrap(); + let a = cs + .namespace(|| "a") + .alloc(|| "var", || Ok(Fr::from_str("10").unwrap())) + .unwrap(); + let b = cs + .namespace(|| "b") + .alloc(|| "var", || Ok(Fr::from_str("4").unwrap())) + .unwrap(); + let c = cs + .alloc(|| "product", || Ok(Fr::from_str("40").unwrap())) + .unwrap(); - cs.enforce( - || "mult", - |lc| lc + a, - |lc| lc + b, - |lc| lc + c - ); + cs.enforce(|| "mult", |lc| lc + a, |lc| lc + b, |lc| lc + c); assert!(cs.is_satisfied()); assert_eq!(cs.num_constraints(), 1); cs.set("a/var", Fr::from_str("4").unwrap()); let one = TestConstraintSystem::::one(); - cs.enforce( - || "eq", - |lc| lc + a, - |lc| lc + one, - |lc| lc + b - ); + cs.enforce(|| "eq", |lc| lc + a, |lc| lc + one, |lc| lc + b); assert!(!cs.is_satisfied()); assert!(cs.which_is_unsatisfied() == Some("mult")); diff --git a/bellman/src/gadgets/uint32.rs b/bellman/src/gadgets/uint32.rs index 90f8d7e45..4c0d37601 100644 --- a/bellman/src/gadgets/uint32.rs +++ b/bellman/src/gadgets/uint32.rs @@ -1,16 +1,9 @@ use ff::{Field, PrimeField}; use pairing::Engine; -use crate::{ - SynthesisError, - ConstraintSystem, - LinearCombination -}; +use crate::{ConstraintSystem, LinearCombination, SynthesisError}; -use super::boolean::{ - Boolean, - AllocatedBit -}; +use super::boolean::{AllocatedBit, Boolean}; use super::multieq::MultiEq; @@ -20,13 +13,12 @@ use super::multieq::MultiEq; pub struct UInt32 { // Least significant bit first bits: Vec, - value: Option + value: Option, } impl UInt32 { /// Construct a constant `UInt32` from a `u32` - pub fn constant(value: u32) -> Self - { + pub fn constant(value: u32) -> Self { let mut bits = Vec::with_capacity(32); let mut tmp = value; @@ -42,17 +34,15 @@ impl UInt32 { UInt32 { bits: bits, - value: Some(value) + value: Some(value), } } /// Allocate a `UInt32` in the constraint system - pub fn alloc( - mut cs: CS, - value: Option - ) -> Result - where E: Engine, - CS: ConstraintSystem + pub fn alloc(mut cs: CS, value: Option) -> Result + where + E: Engine, + CS: ConstraintSystem, { let values = match value { Some(mut val) => { @@ -64,23 +54,24 @@ impl UInt32 { } v - }, - None => vec![None; 32] + } + None => vec![None; 32], }; - let bits = values.into_iter() - .enumerate() - .map(|(i, v)| { - Ok(Boolean::from(AllocatedBit::alloc( - cs.namespace(|| format!("allocated bit {}", i)), - v - )?)) - }) - .collect::, SynthesisError>>()?; + let bits = values + .into_iter() + .enumerate() + .map(|(i, v)| { + Ok(Boolean::from(AllocatedBit::alloc( + cs.namespace(|| format!("allocated bit {}", i)), + v, + )?)) + }) + .collect::, SynthesisError>>()?; Ok(UInt32 { bits: bits, - value: value + value: value, }) } @@ -96,19 +87,22 @@ impl UInt32 { value.as_mut().map(|v| *v <<= 1); match b.get_value() { - Some(true) => { value.as_mut().map(|v| *v |= 1); }, - Some(false) => {}, - None => { value = None; } + Some(true) => { + value.as_mut().map(|v| *v |= 1); + } + Some(false) => {} + None => { + value = None; + } } } UInt32 { value: value, - bits: bits.iter().rev().cloned().collect() + bits: bits.iter().rev().cloned().collect(), } } - /// Turns this `UInt32` into its little-endian byte order representation. pub fn into_bits(&self) -> Vec { self.bits.clone() @@ -116,8 +110,7 @@ impl UInt32 { /// Converts a little-endian byte order representation of bits into a /// `UInt32`. - pub fn from_bits(bits: &[Boolean]) -> Self - { + pub fn from_bits(bits: &[Boolean]) -> Self { assert_eq!(bits.len(), 32); let new_bits = bits.to_vec(); @@ -131,43 +124,45 @@ impl UInt32 { if b { value.as_mut().map(|v| *v |= 1); } - }, - &Boolean::Is(ref b) => { - match b.get_value() { - Some(true) => { value.as_mut().map(|v| *v |= 1); }, - Some(false) => {}, - None => { value = None } - } - }, - &Boolean::Not(ref b) => { - match b.get_value() { - Some(false) => { value.as_mut().map(|v| *v |= 1); }, - Some(true) => {}, - None => { value = None } - } } + &Boolean::Is(ref b) => match b.get_value() { + Some(true) => { + value.as_mut().map(|v| *v |= 1); + } + Some(false) => {} + None => value = None, + }, + &Boolean::Not(ref b) => match b.get_value() { + Some(false) => { + value.as_mut().map(|v| *v |= 1); + } + Some(true) => {} + None => value = None, + }, } } UInt32 { value: value, - bits: new_bits + bits: new_bits, } } pub fn rotr(&self, by: usize) -> Self { let by = by % 32; - let new_bits = self.bits.iter() - .skip(by) - .chain(self.bits.iter()) - .take(32) - .cloned() - .collect(); + let new_bits = self + .bits + .iter() + .skip(by) + .chain(self.bits.iter()) + .take(32) + .cloned() + .collect(); UInt32 { bits: new_bits, - value: self.value.map(|v| v.rotate_right(by as u32)) + value: self.value.map(|v| v.rotate_right(by as u32)), } } @@ -176,17 +171,18 @@ impl UInt32 { let fill = Boolean::constant(false); - let new_bits = self.bits - .iter() // The bits are least significant first - .skip(by) // Skip the bits that will be lost during the shift - .chain(Some(&fill).into_iter().cycle()) // Rest will be zeros - .take(32) // Only 32 bits needed! - .cloned() - .collect(); + let new_bits = self + .bits + .iter() // The bits are least significant first + .skip(by) // Skip the bits that will be lost during the shift + .chain(Some(&fill).into_iter().cycle()) // Rest will be zeros + .take(32) // Only 32 bits needed! + .cloned() + .collect(); UInt32 { bits: new_bits, - value: self.value.map(|v| v >> by as u32) + value: self.value.map(|v| v >> by as u32), } } @@ -196,121 +192,99 @@ impl UInt32 { b: &Self, c: &Self, tri_fn: F, - circuit_fn: U + circuit_fn: U, ) -> Result - where E: Engine, - CS: ConstraintSystem, - F: Fn(u32, u32, u32) -> u32, - U: Fn(&mut CS, usize, &Boolean, &Boolean, &Boolean) -> Result + where + E: Engine, + CS: ConstraintSystem, + F: Fn(u32, u32, u32) -> u32, + U: Fn(&mut CS, usize, &Boolean, &Boolean, &Boolean) -> Result, { let new_value = match (a.value, b.value, c.value) { - (Some(a), Some(b), Some(c)) => { - Some(tri_fn(a, b, c)) - }, - _ => None + (Some(a), Some(b), Some(c)) => Some(tri_fn(a, b, c)), + _ => None, }; - let bits = a.bits.iter() - .zip(b.bits.iter()) - .zip(c.bits.iter()) - .enumerate() - .map(|(i, ((a, b), c))| circuit_fn(&mut cs, i, a, b, c)) - .collect::>()?; + let bits = a + .bits + .iter() + .zip(b.bits.iter()) + .zip(c.bits.iter()) + .enumerate() + .map(|(i, ((a, b), c))| circuit_fn(&mut cs, i, a, b, c)) + .collect::>()?; Ok(UInt32 { bits: bits, - value: new_value + value: new_value, }) } /// Compute the `maj` value (a and b) xor (a and c) xor (b and c) /// during SHA256. - pub fn sha256_maj( - cs: CS, - a: &Self, - b: &Self, - c: &Self - ) -> Result - where E: Engine, - CS: ConstraintSystem + pub fn sha256_maj(cs: CS, a: &Self, b: &Self, c: &Self) -> Result + where + E: Engine, + CS: ConstraintSystem, { - Self::triop(cs, a, b, c, |a, b, c| (a & b) ^ (a & c) ^ (b & c), - |cs, i, a, b, c| { - Boolean::sha256_maj( - cs.namespace(|| format!("maj {}", i)), - a, - b, - c - ) - } + Self::triop( + cs, + a, + b, + c, + |a, b, c| (a & b) ^ (a & c) ^ (b & c), + |cs, i, a, b, c| Boolean::sha256_maj(cs.namespace(|| format!("maj {}", i)), a, b, c), ) } /// Compute the `ch` value `(a and b) xor ((not a) and c)` /// during SHA256. - pub fn sha256_ch( - cs: CS, - a: &Self, - b: &Self, - c: &Self - ) -> Result - where E: Engine, - CS: ConstraintSystem + pub fn sha256_ch(cs: CS, a: &Self, b: &Self, c: &Self) -> Result + where + E: Engine, + CS: ConstraintSystem, { - Self::triop(cs, a, b, c, |a, b, c| (a & b) ^ ((!a) & c), - |cs, i, a, b, c| { - Boolean::sha256_ch( - cs.namespace(|| format!("ch {}", i)), - a, - b, - c - ) - } + Self::triop( + cs, + a, + b, + c, + |a, b, c| (a & b) ^ ((!a) & c), + |cs, i, a, b, c| Boolean::sha256_ch(cs.namespace(|| format!("ch {}", i)), a, b, c), ) } /// XOR this `UInt32` with another `UInt32` - pub fn xor( - &self, - mut cs: CS, - other: &Self - ) -> Result - where E: Engine, - CS: ConstraintSystem + pub fn xor(&self, mut cs: CS, other: &Self) -> Result + where + E: Engine, + CS: ConstraintSystem, { let new_value = match (self.value, other.value) { - (Some(a), Some(b)) => { - Some(a ^ b) - }, - _ => None + (Some(a), Some(b)) => Some(a ^ b), + _ => None, }; - let bits = self.bits.iter() - .zip(other.bits.iter()) - .enumerate() - .map(|(i, (a, b))| { - Boolean::xor( - cs.namespace(|| format!("xor of bit {}", i)), - a, - b - ) - }) - .collect::>()?; + let bits = self + .bits + .iter() + .zip(other.bits.iter()) + .enumerate() + .map(|(i, (a, b))| Boolean::xor(cs.namespace(|| format!("xor of bit {}", i)), a, b)) + .collect::>()?; Ok(UInt32 { bits: bits, - value: new_value + value: new_value, }) } /// Perform modular addition of several `UInt32` objects. - pub fn addmany( - mut cs: M, - operands: &[Self] - ) -> Result - where E: Engine, - CS: ConstraintSystem, - M: ConstraintSystem> + pub fn addmany(mut cs: M, operands: &[Self]) -> Result + where + E: Engine, + CS: ConstraintSystem, + M: ConstraintSystem>, { // Make some arbitrary bounds for ourselves to avoid overflows // in the scalar field @@ -337,7 +311,7 @@ impl UInt32 { match op.value { Some(val) => { result_value.as_mut().map(|v| *v += val as u64); - }, + } None => { // If any of our operands have unknown value, we won't // know the value of the result @@ -381,7 +355,7 @@ impl UInt32 { // Allocate the bit let b = AllocatedBit::alloc( cs.namespace(|| format!("result bit {}", i)), - result_value.map(|v| (v >> i) & 1 == 1) + result_value.map(|v| (v >> i) & 1 == 1), )?; // Add this bit to the result combination @@ -402,32 +376,34 @@ impl UInt32 { Ok(UInt32 { bits: result_bits, - value: modular_value + value: modular_value, }) } } #[cfg(test)] mod test { - use crate::gadgets::boolean::{Boolean}; - use super::{UInt32}; - use ff::Field; - use pairing::bls12_381::{Bls12}; - use crate::gadgets::test::*; - use crate::{ConstraintSystem}; + use super::UInt32; + use crate::gadgets::boolean::Boolean; use crate::gadgets::multieq::MultiEq; + use crate::gadgets::test::*; + use crate::ConstraintSystem; + use ff::Field; + use pairing::bls12_381::Bls12; use rand_core::{RngCore, SeedableRng}; use rand_xorshift::XorShiftRng; #[test] fn test_uint32_from_bits_be() { let mut rng = XorShiftRng::from_seed([ - 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, - 0xe5, + 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, + 0xbc, 0xe5, ]); for _ in 0..1000 { - let mut v = (0..32).map(|_| Boolean::constant(rng.next_u32() % 2 != 0)).collect::>(); + let mut v = (0..32) + .map(|_| Boolean::constant(rng.next_u32() % 2 != 0)) + .collect::>(); let b = UInt32::from_bits_be(&v); @@ -435,19 +411,18 @@ mod test { match bit { &Boolean::Constant(bit) => { assert!(bit == ((b.value.unwrap() >> i) & 1 == 1)); - }, - _ => unreachable!() + } + _ => unreachable!(), } } let expected_to_be_same = b.into_bits_be(); - for x in v.iter().zip(expected_to_be_same.iter()) - { + for x in v.iter().zip(expected_to_be_same.iter()) { match x { - (&Boolean::Constant(true), &Boolean::Constant(true)) => {}, - (&Boolean::Constant(false), &Boolean::Constant(false)) => {}, - _ => unreachable!() + (&Boolean::Constant(true), &Boolean::Constant(true)) => {} + (&Boolean::Constant(false), &Boolean::Constant(false)) => {} + _ => unreachable!(), } } } @@ -456,12 +431,14 @@ mod test { #[test] fn test_uint32_from_bits() { let mut rng = XorShiftRng::from_seed([ - 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, - 0xe5, + 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, + 0xbc, 0xe5, ]); for _ in 0..1000 { - let mut v = (0..32).map(|_| Boolean::constant(rng.next_u32() % 2 != 0)).collect::>(); + let mut v = (0..32) + .map(|_| Boolean::constant(rng.next_u32() % 2 != 0)) + .collect::>(); let b = UInt32::from_bits(&v); @@ -469,19 +446,18 @@ mod test { match bit { &Boolean::Constant(bit) => { assert!(bit == ((b.value.unwrap() >> i) & 1 == 1)); - }, - _ => unreachable!() + } + _ => unreachable!(), } } let expected_to_be_same = b.into_bits(); - for x in v.iter().zip(expected_to_be_same.iter()) - { + for x in v.iter().zip(expected_to_be_same.iter()) { match x { - (&Boolean::Constant(true), &Boolean::Constant(true)) => {}, - (&Boolean::Constant(false), &Boolean::Constant(false)) => {}, - _ => unreachable!() + (&Boolean::Constant(true), &Boolean::Constant(true)) => {} + (&Boolean::Constant(false), &Boolean::Constant(false)) => {} + _ => unreachable!(), } } } @@ -490,8 +466,8 @@ mod test { #[test] fn test_uint32_xor() { let mut rng = XorShiftRng::from_seed([ - 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, - 0xe5, + 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, + 0xbc, 0xe5, ]); for _ in 0..1000 { @@ -518,10 +494,10 @@ mod test { match b { &Boolean::Is(ref b) => { assert!(b.get_value().unwrap() == (expected & 1 == 1)); - }, + } &Boolean::Not(ref b) => { assert!(!b.get_value().unwrap() == (expected & 1 == 1)); - }, + } &Boolean::Constant(b) => { assert!(b == (expected & 1 == 1)); } @@ -535,8 +511,8 @@ mod test { #[test] fn test_uint32_addmany_constants() { let mut rng = XorShiftRng::from_seed([ - 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, - 0xe5, + 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, + 0xbc, 0xe5, ]); for _ in 0..1000 { @@ -554,7 +530,8 @@ mod test { let r = { let mut cs = MultiEq::new(&mut cs); - let r = UInt32::addmany(cs.namespace(|| "addition"), &[a_bit, b_bit, c_bit]).unwrap(); + let r = + UInt32::addmany(cs.namespace(|| "addition"), &[a_bit, b_bit, c_bit]).unwrap(); r }; @@ -577,8 +554,8 @@ mod test { #[test] fn test_uint32_addmany() { let mut rng = XorShiftRng::from_seed([ - 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, - 0xe5, + 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, + 0xbc, 0xe5, ]); for _ in 0..1000 { @@ -611,13 +588,11 @@ mod test { match b { &Boolean::Is(ref b) => { assert!(b.get_value().unwrap() == (expected & 1 == 1)); - }, + } &Boolean::Not(ref b) => { assert!(!b.get_value().unwrap() == (expected & 1 == 1)); - }, - &Boolean::Constant(_) => { - unreachable!() } + &Boolean::Constant(_) => unreachable!(), } expected >>= 1; @@ -637,8 +612,8 @@ mod test { #[test] fn test_uint32_rotr() { let mut rng = XorShiftRng::from_seed([ - 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, - 0xe5, + 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, + 0xbc, 0xe5, ]); let mut num = rng.next_u32(); @@ -656,8 +631,8 @@ mod test { match b { &Boolean::Constant(b) => { assert_eq!(b, tmp & 1 == 1); - }, - _ => unreachable!() + } + _ => unreachable!(), } tmp >>= 1; @@ -670,8 +645,8 @@ mod test { #[test] fn test_uint32_shr() { let mut rng = XorShiftRng::from_seed([ - 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, - 0xe5, + 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, + 0xbc, 0xe5, ]); for _ in 0..50 { @@ -693,8 +668,8 @@ mod test { #[test] fn test_uint32_sha256_maj() { let mut rng = XorShiftRng::from_seed([ - 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, - 0xe5, + 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, + 0xbc, 0xe5, ]); for _ in 0..1000 { @@ -720,10 +695,10 @@ mod test { match b { &Boolean::Is(ref b) => { assert!(b.get_value().unwrap() == (expected & 1 == 1)); - }, + } &Boolean::Not(ref b) => { assert!(!b.get_value().unwrap() == (expected & 1 == 1)); - }, + } &Boolean::Constant(b) => { assert!(b == (expected & 1 == 1)); } @@ -737,8 +712,8 @@ mod test { #[test] fn test_uint32_sha256_ch() { let mut rng = XorShiftRng::from_seed([ - 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, - 0xe5, + 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, + 0xbc, 0xe5, ]); for _ in 0..1000 { @@ -764,10 +739,10 @@ mod test { match b { &Boolean::Is(ref b) => { assert!(b.get_value().unwrap() == (expected & 1 == 1)); - }, + } &Boolean::Not(ref b) => { assert!(!b.get_value().unwrap() == (expected & 1 == 1)); - }, + } &Boolean::Constant(b) => { assert!(b == (expected & 1 == 1)); } diff --git a/bellman/src/groth16/generator.rs b/bellman/src/groth16/generator.rs index 3e15b2bc1..596464f31 100644 --- a/bellman/src/groth16/generator.rs +++ b/bellman/src/groth16/generator.rs @@ -6,36 +6,24 @@ use ff::{Field, PrimeField}; use group::{CurveAffine, CurveProjective, Wnaf}; use pairing::Engine; -use super::{ - Parameters, - VerifyingKey -}; +use super::{Parameters, VerifyingKey}; -use ::{ - SynthesisError, - Circuit, - ConstraintSystem, - LinearCombination, - Variable, - Index -}; +use {Circuit, ConstraintSystem, Index, LinearCombination, SynthesisError, Variable}; -use ::domain::{ - EvaluationDomain, - Scalar -}; +use domain::{EvaluationDomain, Scalar}; -use ::multicore::{ - Worker -}; +use multicore::Worker; /// Generates a random common reference string for /// a circuit. pub fn generate_random_parameters( circuit: C, - rng: &mut R + rng: &mut R, ) -> Result, SynthesisError> - where E: Engine, C: Circuit, R: RngCore +where + E: Engine, + C: Circuit, + R: RngCore, { let g1 = E::G1::random(rng); let g2 = E::G2::random(rng); @@ -45,16 +33,7 @@ pub fn generate_random_parameters( let delta = E::Fr::random(rng); let tau = E::Fr::random(rng); - generate_parameters::( - circuit, - g1, - g2, - alpha, - beta, - gamma, - delta, - tau - ) + generate_parameters::(circuit, g1, g2, alpha, beta, gamma, delta, tau) } /// This is our assembly structure that we'll use to synthesize the @@ -68,18 +47,17 @@ struct KeypairAssembly { ct_inputs: Vec>, at_aux: Vec>, bt_aux: Vec>, - ct_aux: Vec> + ct_aux: Vec>, } impl ConstraintSystem for KeypairAssembly { type Root = Self; - fn alloc( - &mut self, - _: A, - _: F - ) -> Result - where F: FnOnce() -> Result, A: FnOnce() -> AR, AR: Into + fn alloc(&mut self, _: A, _: F) -> Result + where + F: FnOnce() -> Result, + A: FnOnce() -> AR, + AR: Into, { // There is no assignment, so we don't even invoke the // function for obtaining one. @@ -94,12 +72,11 @@ impl ConstraintSystem for KeypairAssembly { Ok(Variable(Index::Aux(index))) } - fn alloc_input( - &mut self, - _: A, - _: F - ) -> Result - where F: FnOnce() -> Result, A: FnOnce() -> AR, AR: Into + fn alloc_input(&mut self, _: A, _: F) -> Result + where + F: FnOnce() -> Result, + A: FnOnce() -> AR, + AR: Into, { // There is no assignment, so we don't even invoke the // function for obtaining one. @@ -114,48 +91,59 @@ impl ConstraintSystem for KeypairAssembly { Ok(Variable(Index::Input(index))) } - fn enforce( - &mut self, - _: A, - a: LA, - b: LB, - c: LC - ) - where A: FnOnce() -> AR, AR: Into, - LA: FnOnce(LinearCombination) -> LinearCombination, - LB: FnOnce(LinearCombination) -> LinearCombination, - LC: FnOnce(LinearCombination) -> LinearCombination + fn enforce(&mut self, _: A, a: LA, b: LB, c: LC) + where + A: FnOnce() -> AR, + AR: Into, + LA: FnOnce(LinearCombination) -> LinearCombination, + LB: FnOnce(LinearCombination) -> LinearCombination, + LC: FnOnce(LinearCombination) -> LinearCombination, { fn eval( l: LinearCombination, inputs: &mut [Vec<(E::Fr, usize)>], aux: &mut [Vec<(E::Fr, usize)>], - this_constraint: usize - ) - { + this_constraint: usize, + ) { for (index, coeff) in l.0 { match index { Variable(Index::Input(id)) => inputs[id].push((coeff, this_constraint)), - Variable(Index::Aux(id)) => aux[id].push((coeff, this_constraint)) + Variable(Index::Aux(id)) => aux[id].push((coeff, this_constraint)), } } } - eval(a(LinearCombination::zero()), &mut self.at_inputs, &mut self.at_aux, self.num_constraints); - eval(b(LinearCombination::zero()), &mut self.bt_inputs, &mut self.bt_aux, self.num_constraints); - eval(c(LinearCombination::zero()), &mut self.ct_inputs, &mut self.ct_aux, self.num_constraints); + eval( + a(LinearCombination::zero()), + &mut self.at_inputs, + &mut self.at_aux, + self.num_constraints, + ); + eval( + b(LinearCombination::zero()), + &mut self.bt_inputs, + &mut self.bt_aux, + self.num_constraints, + ); + eval( + c(LinearCombination::zero()), + &mut self.ct_inputs, + &mut self.ct_aux, + self.num_constraints, + ); self.num_constraints += 1; } fn push_namespace(&mut self, _: N) - where NR: Into, N: FnOnce() -> NR + where + NR: Into, + N: FnOnce() -> NR, { // Do nothing; we don't care about namespaces in this context. } - fn pop_namespace(&mut self) - { + fn pop_namespace(&mut self) { // Do nothing; we don't care about namespaces in this context. } @@ -173,9 +161,11 @@ pub fn generate_parameters( beta: E::Fr, gamma: E::Fr, delta: E::Fr, - tau: E::Fr + tau: E::Fr, ) -> Result, SynthesisError> - where E: Engine, C: Circuit +where + E: Engine, + C: Circuit, { let mut assembly = KeypairAssembly { num_inputs: 0, @@ -186,7 +176,7 @@ pub fn generate_parameters( ct_inputs: vec![], at_aux: vec![], bt_aux: vec![], - ct_aux: vec![] + ct_aux: vec![], }; // Allocate the "one" input variable @@ -198,11 +188,7 @@ pub fn generate_parameters( // Input constraints to ensure full density of IC query // x * 0 = 0 for i in 0..assembly.num_inputs { - assembly.enforce(|| "", - |lc| lc + Variable(Index::Input(i)), - |lc| lc, - |lc| lc, - ); + assembly.enforce(|| "", |lc| lc + Variable(Index::Input(i)), |lc| lc, |lc| lc); } // Create bases for blind evaluation of polynomials at tau @@ -240,10 +226,9 @@ pub fn generate_parameters( { let powers_of_tau = powers_of_tau.as_mut(); worker.scope(powers_of_tau.len(), |scope, chunk| { - for (i, powers_of_tau) in powers_of_tau.chunks_mut(chunk).enumerate() - { + for (i, powers_of_tau) in powers_of_tau.chunks_mut(chunk).enumerate() { scope.spawn(move || { - let mut current_tau_power = tau.pow(&[(i*chunk) as u64]); + let mut current_tau_power = tau.pow(&[(i * chunk) as u64]); for p in powers_of_tau { p.0 = current_tau_power; @@ -260,14 +245,15 @@ pub fn generate_parameters( // Compute the H query with multiple threads worker.scope(h.len(), |scope, chunk| { - for (h, p) in h.chunks_mut(chunk).zip(powers_of_tau.as_ref().chunks(chunk)) + for (h, p) in h + .chunks_mut(chunk) + .zip(powers_of_tau.as_ref().chunks(chunk)) { let mut g1_wnaf = g1_wnaf.shared(); scope.spawn(move || { // Set values of the H query to g1^{(tau^i * t(tau)) / delta} - for (h, p) in h.iter_mut().zip(p.iter()) - { + for (h, p) in h.iter_mut().zip(p.iter()) { // Compute final exponent let mut exp = p.0; exp.mul_assign(&coeff); @@ -320,9 +306,8 @@ pub fn generate_parameters( beta: &E::Fr, // Worker - worker: &Worker - ) - { + worker: &Worker, + ) { // Sanity check assert_eq!(a.len(), at.len()); assert_eq!(a.len(), bt.len()); @@ -333,31 +318,32 @@ pub fn generate_parameters( // Evaluate polynomials in multiple threads worker.scope(a.len(), |scope, chunk| { - for ((((((a, b_g1), b_g2), ext), at), bt), ct) in a.chunks_mut(chunk) - .zip(b_g1.chunks_mut(chunk)) - .zip(b_g2.chunks_mut(chunk)) - .zip(ext.chunks_mut(chunk)) - .zip(at.chunks(chunk)) - .zip(bt.chunks(chunk)) - .zip(ct.chunks(chunk)) + for ((((((a, b_g1), b_g2), ext), at), bt), ct) in a + .chunks_mut(chunk) + .zip(b_g1.chunks_mut(chunk)) + .zip(b_g2.chunks_mut(chunk)) + .zip(ext.chunks_mut(chunk)) + .zip(at.chunks(chunk)) + .zip(bt.chunks(chunk)) + .zip(ct.chunks(chunk)) { let mut g1_wnaf = g1_wnaf.shared(); let mut g2_wnaf = g2_wnaf.shared(); scope.spawn(move || { - for ((((((a, b_g1), b_g2), ext), at), bt), ct) in a.iter_mut() - .zip(b_g1.iter_mut()) - .zip(b_g2.iter_mut()) - .zip(ext.iter_mut()) - .zip(at.iter()) - .zip(bt.iter()) - .zip(ct.iter()) + for ((((((a, b_g1), b_g2), ext), at), bt), ct) in a + .iter_mut() + .zip(b_g1.iter_mut()) + .zip(b_g2.iter_mut()) + .zip(ext.iter_mut()) + .zip(at.iter()) + .zip(bt.iter()) + .zip(ct.iter()) { fn eval_at_tau( powers_of_tau: &[Scalar], - p: &[(E::Fr, usize)] - ) -> E::Fr - { + p: &[(E::Fr, usize)], + ) -> E::Fr { let mut acc = E::Fr::zero(); for &(ref coeff, index) in p { @@ -422,7 +408,7 @@ pub fn generate_parameters( &gamma_inverse, &alpha, &beta, - &worker + &worker, ); // Evaluate for auxiliary variables. @@ -440,7 +426,7 @@ pub fn generate_parameters( &delta_inverse, &alpha, &beta, - &worker + &worker, ); // Don't allow any elements be unconstrained, so that @@ -461,7 +447,7 @@ pub fn generate_parameters( gamma_g2: g2.mul(gamma).into_affine(), delta_g1: g1.mul(delta).into_affine(), delta_g2: g2.mul(delta).into_affine(), - ic: ic.into_iter().map(|e| e.into_affine()).collect() + ic: ic.into_iter().map(|e| e.into_affine()).collect(), }; Ok(Parameters { @@ -470,8 +456,23 @@ pub fn generate_parameters( l: Arc::new(l.into_iter().map(|e| e.into_affine()).collect()), // Filter points at infinity away from A/B queries - a: Arc::new(a.into_iter().filter(|e| !e.is_zero()).map(|e| e.into_affine()).collect()), - b_g1: Arc::new(b_g1.into_iter().filter(|e| !e.is_zero()).map(|e| e.into_affine()).collect()), - b_g2: Arc::new(b_g2.into_iter().filter(|e| !e.is_zero()).map(|e| e.into_affine()).collect()) + a: Arc::new( + a.into_iter() + .filter(|e| !e.is_zero()) + .map(|e| e.into_affine()) + .collect(), + ), + b_g1: Arc::new( + b_g1.into_iter() + .filter(|e| !e.is_zero()) + .map(|e| e.into_affine()) + .collect(), + ), + b_g2: Arc::new( + b_g2.into_iter() + .filter(|e| !e.is_zero()) + .map(|e| e.into_affine()) + .collect(), + ), }) } diff --git a/bellman/src/groth16/mod.rs b/bellman/src/groth16/mod.rs index 767150cba..85b7952bf 100644 --- a/bellman/src/groth16/mod.rs +++ b/bellman/src/groth16/mod.rs @@ -1,17 +1,12 @@ use group::{CurveAffine, EncodedPoint}; -use pairing::{ - Engine, - PairingCurveAffine, -}; +use pairing::{Engine, PairingCurveAffine}; -use ::{ - SynthesisError -}; +use SynthesisError; +use byteorder::{BigEndian, ReadBytesExt, WriteBytesExt}; use multiexp::SourceBuilder; use std::io::{self, Read, Write}; use std::sync::Arc; -use byteorder::{BigEndian, WriteBytesExt, ReadBytesExt}; #[cfg(test)] mod tests; @@ -28,23 +23,17 @@ pub use self::verifier::*; pub struct Proof { pub a: E::G1Affine, pub b: E::G2Affine, - pub c: E::G1Affine + pub c: E::G1Affine, } impl PartialEq for Proof { fn eq(&self, other: &Self) -> bool { - self.a == other.a && - self.b == other.b && - self.c == other.c + self.a == other.a && self.b == other.b && self.c == other.c } } impl Proof { - pub fn write( - &self, - mut writer: W - ) -> io::Result<()> - { + pub fn write(&self, mut writer: W) -> io::Result<()> { writer.write_all(self.a.into_compressed().as_ref())?; writer.write_all(self.b.into_compressed().as_ref())?; writer.write_all(self.c.into_compressed().as_ref())?; @@ -52,48 +41,56 @@ impl Proof { Ok(()) } - pub fn read( - mut reader: R - ) -> io::Result - { + pub fn read(mut reader: R) -> io::Result { let mut g1_repr = ::Compressed::empty(); let mut g2_repr = ::Compressed::empty(); reader.read_exact(g1_repr.as_mut())?; let a = g1_repr - .into_affine() - .map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e)) - .and_then(|e| if e.is_zero() { - Err(io::Error::new(io::ErrorKind::InvalidData, "point at infinity")) + .into_affine() + .map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e)) + .and_then(|e| { + if e.is_zero() { + Err(io::Error::new( + io::ErrorKind::InvalidData, + "point at infinity", + )) } else { Ok(e) - })?; + } + })?; reader.read_exact(g2_repr.as_mut())?; let b = g2_repr - .into_affine() - .map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e)) - .and_then(|e| if e.is_zero() { - Err(io::Error::new(io::ErrorKind::InvalidData, "point at infinity")) + .into_affine() + .map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e)) + .and_then(|e| { + if e.is_zero() { + Err(io::Error::new( + io::ErrorKind::InvalidData, + "point at infinity", + )) } else { Ok(e) - })?; + } + })?; reader.read_exact(g1_repr.as_mut())?; let c = g1_repr - .into_affine() - .map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e)) - .and_then(|e| if e.is_zero() { - Err(io::Error::new(io::ErrorKind::InvalidData, "point at infinity")) + .into_affine() + .map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e)) + .and_then(|e| { + if e.is_zero() { + Err(io::Error::new( + io::ErrorKind::InvalidData, + "point at infinity", + )) } else { Ok(e) - })?; + } + })?; - Ok(Proof { - a: a, - b: b, - c: c - }) + Ok(Proof { a: a, b: b, c: c }) } } @@ -122,27 +119,23 @@ pub struct VerifyingKey { // for all public inputs. Because all public inputs have a dummy constraint, // this is the same size as the number of inputs, and never contains points // at infinity. - pub ic: Vec + pub ic: Vec, } impl PartialEq for VerifyingKey { fn eq(&self, other: &Self) -> bool { - self.alpha_g1 == other.alpha_g1 && - self.beta_g1 == other.beta_g1 && - self.beta_g2 == other.beta_g2 && - self.gamma_g2 == other.gamma_g2 && - self.delta_g1 == other.delta_g1 && - self.delta_g2 == other.delta_g2 && - self.ic == other.ic + self.alpha_g1 == other.alpha_g1 + && self.beta_g1 == other.beta_g1 + && self.beta_g2 == other.beta_g2 + && self.gamma_g2 == other.gamma_g2 + && self.delta_g1 == other.delta_g1 + && self.delta_g2 == other.delta_g2 + && self.ic == other.ic } } impl VerifyingKey { - pub fn write( - &self, - mut writer: W - ) -> io::Result<()> - { + pub fn write(&self, mut writer: W) -> io::Result<()> { writer.write_all(self.alpha_g1.into_uncompressed().as_ref())?; writer.write_all(self.beta_g1.into_uncompressed().as_ref())?; writer.write_all(self.beta_g2.into_uncompressed().as_ref())?; @@ -157,30 +150,39 @@ impl VerifyingKey { Ok(()) } - pub fn read( - mut reader: R - ) -> io::Result - { + pub fn read(mut reader: R) -> io::Result { let mut g1_repr = ::Uncompressed::empty(); let mut g2_repr = ::Uncompressed::empty(); reader.read_exact(g1_repr.as_mut())?; - let alpha_g1 = g1_repr.into_affine().map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e))?; + let alpha_g1 = g1_repr + .into_affine() + .map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e))?; reader.read_exact(g1_repr.as_mut())?; - let beta_g1 = g1_repr.into_affine().map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e))?; + let beta_g1 = g1_repr + .into_affine() + .map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e))?; reader.read_exact(g2_repr.as_mut())?; - let beta_g2 = g2_repr.into_affine().map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e))?; + let beta_g2 = g2_repr + .into_affine() + .map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e))?; reader.read_exact(g2_repr.as_mut())?; - let gamma_g2 = g2_repr.into_affine().map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e))?; + let gamma_g2 = g2_repr + .into_affine() + .map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e))?; reader.read_exact(g1_repr.as_mut())?; - let delta_g1 = g1_repr.into_affine().map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e))?; + let delta_g1 = g1_repr + .into_affine() + .map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e))?; reader.read_exact(g2_repr.as_mut())?; - let delta_g2 = g2_repr.into_affine().map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e))?; + let delta_g2 = g2_repr + .into_affine() + .map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e))?; let ic_len = reader.read_u32::()? as usize; @@ -189,13 +191,18 @@ impl VerifyingKey { for _ in 0..ic_len { reader.read_exact(g1_repr.as_mut())?; let g1 = g1_repr - .into_affine() - .map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e)) - .and_then(|e| if e.is_zero() { - Err(io::Error::new(io::ErrorKind::InvalidData, "point at infinity")) - } else { - Ok(e) - })?; + .into_affine() + .map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e)) + .and_then(|e| { + if e.is_zero() { + Err(io::Error::new( + io::ErrorKind::InvalidData, + "point at infinity", + )) + } else { + Ok(e) + } + })?; ic.push(g1); } @@ -207,7 +214,7 @@ impl VerifyingKey { gamma_g2: gamma_g2, delta_g1: delta_g1, delta_g2: delta_g2, - ic: ic + ic: ic, }) } } @@ -216,7 +223,7 @@ impl VerifyingKey { pub struct Parameters { pub vk: VerifyingKey, - // Elements of the form ((tau^i * t(tau)) / delta) for i between 0 and + // Elements of the form ((tau^i * t(tau)) / delta) for i between 0 and // m-2 inclusive. Never contains points at infinity. pub h: Arc>, @@ -234,26 +241,22 @@ pub struct Parameters { // G1 and G2 for C/B queries, respectively. Never contains points at // infinity for the same reason as the "A" polynomials. pub b_g1: Arc>, - pub b_g2: Arc> + pub b_g2: Arc>, } impl PartialEq for Parameters { fn eq(&self, other: &Self) -> bool { - self.vk == other.vk && - self.h == other.h && - self.l == other.l && - self.a == other.a && - self.b_g1 == other.b_g1 && - self.b_g2 == other.b_g2 + self.vk == other.vk + && self.h == other.h + && self.l == other.l + && self.a == other.a + && self.b_g1 == other.b_g1 + && self.b_g2 == other.b_g2 } } impl Parameters { - pub fn write( - &self, - mut writer: W - ) -> io::Result<()> - { + pub fn write(&self, mut writer: W) -> io::Result<()> { self.vk.write(&mut writer)?; writer.write_u32::(self.h.len() as u32)?; @@ -284,27 +287,26 @@ impl Parameters { Ok(()) } - pub fn read( - mut reader: R, - checked: bool - ) -> io::Result - { + pub fn read(mut reader: R, checked: bool) -> io::Result { let read_g1 = |reader: &mut R| -> io::Result { let mut repr = ::Uncompressed::empty(); reader.read_exact(repr.as_mut())?; if checked { - repr - .into_affine() + repr.into_affine() } else { - repr - .into_affine_unchecked() + repr.into_affine_unchecked() } .map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e)) - .and_then(|e| if e.is_zero() { - Err(io::Error::new(io::ErrorKind::InvalidData, "point at infinity")) - } else { - Ok(e) + .and_then(|e| { + if e.is_zero() { + Err(io::Error::new( + io::ErrorKind::InvalidData, + "point at infinity", + )) + } else { + Ok(e) + } }) }; @@ -313,17 +315,20 @@ impl Parameters { reader.read_exact(repr.as_mut())?; if checked { - repr - .into_affine() + repr.into_affine() } else { - repr - .into_affine_unchecked() + repr.into_affine_unchecked() } .map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e)) - .and_then(|e| if e.is_zero() { - Err(io::Error::new(io::ErrorKind::InvalidData, "point at infinity")) - } else { - Ok(e) + .and_then(|e| { + if e.is_zero() { + Err(io::Error::new( + io::ErrorKind::InvalidData, + "point at infinity", + )) + } else { + Ok(e) + } }) }; @@ -376,7 +381,7 @@ impl Parameters { l: Arc::new(l), a: Arc::new(a), b_g1: Arc::new(b_g1), - b_g2: Arc::new(b_g2) + b_g2: Arc::new(b_g2), }) } } @@ -389,39 +394,30 @@ pub struct PreparedVerifyingKey { /// -delta in G2 neg_delta_g2: ::Prepared, /// Copy of IC from `VerifiyingKey`. - ic: Vec + ic: Vec, } pub trait ParameterSource { type G1Builder: SourceBuilder; type G2Builder: SourceBuilder; - fn get_vk( - &mut self, - num_ic: usize - ) -> Result, SynthesisError>; - fn get_h( - &mut self, - num_h: usize - ) -> Result; - fn get_l( - &mut self, - num_l: usize - ) -> Result; + fn get_vk(&mut self, num_ic: usize) -> Result, SynthesisError>; + fn get_h(&mut self, num_h: usize) -> Result; + fn get_l(&mut self, num_l: usize) -> Result; fn get_a( &mut self, num_inputs: usize, - num_aux: usize + num_aux: usize, ) -> Result<(Self::G1Builder, Self::G1Builder), SynthesisError>; fn get_b_g1( &mut self, num_inputs: usize, - num_aux: usize + num_aux: usize, ) -> Result<(Self::G1Builder, Self::G1Builder), SynthesisError>; fn get_b_g2( &mut self, num_inputs: usize, - num_aux: usize + num_aux: usize, ) -> Result<(Self::G2Builder, Self::G2Builder), SynthesisError>; } @@ -429,54 +425,39 @@ impl<'a, E: Engine> ParameterSource for &'a Parameters { type G1Builder = (Arc>, usize); type G2Builder = (Arc>, usize); - fn get_vk( - &mut self, - _: usize - ) -> Result, SynthesisError> - { + fn get_vk(&mut self, _: usize) -> Result, SynthesisError> { Ok(self.vk.clone()) } - fn get_h( - &mut self, - _: usize - ) -> Result - { + fn get_h(&mut self, _: usize) -> Result { Ok((self.h.clone(), 0)) } - fn get_l( - &mut self, - _: usize - ) -> Result - { + fn get_l(&mut self, _: usize) -> Result { Ok((self.l.clone(), 0)) } fn get_a( &mut self, num_inputs: usize, - _: usize - ) -> Result<(Self::G1Builder, Self::G1Builder), SynthesisError> - { + _: usize, + ) -> Result<(Self::G1Builder, Self::G1Builder), SynthesisError> { Ok(((self.a.clone(), 0), (self.a.clone(), num_inputs))) } fn get_b_g1( &mut self, num_inputs: usize, - _: usize - ) -> Result<(Self::G1Builder, Self::G1Builder), SynthesisError> - { + _: usize, + ) -> Result<(Self::G1Builder, Self::G1Builder), SynthesisError> { Ok(((self.b_g1.clone(), 0), (self.b_g1.clone(), num_inputs))) } fn get_b_g2( &mut self, num_inputs: usize, - _: usize - ) -> Result<(Self::G2Builder, Self::G2Builder), SynthesisError> - { + _: usize, + ) -> Result<(Self::G2Builder, Self::G2Builder), SynthesisError> { Ok(((self.b_g2.clone(), 0), (self.b_g2.clone(), num_inputs))) } } @@ -484,41 +465,38 @@ impl<'a, E: Engine> ParameterSource for &'a Parameters { #[cfg(test)] mod test_with_bls12_381 { use super::*; - use {Circuit, SynthesisError, ConstraintSystem}; + use {Circuit, ConstraintSystem, SynthesisError}; use ff::Field; - use rand::{thread_rng}; use pairing::bls12_381::{Bls12, Fr}; + use rand::thread_rng; #[test] fn serialization() { struct MySillyCircuit { a: Option, - b: Option + b: Option, } impl Circuit for MySillyCircuit { fn synthesize>( self, - cs: &mut CS - ) -> Result<(), SynthesisError> - { + cs: &mut CS, + ) -> Result<(), SynthesisError> { let a = cs.alloc(|| "a", || self.a.ok_or(SynthesisError::AssignmentMissing))?; let b = cs.alloc(|| "b", || self.b.ok_or(SynthesisError::AssignmentMissing))?; - let c = cs.alloc_input(|| "c", || { - let mut a = self.a.ok_or(SynthesisError::AssignmentMissing)?; - let b = self.b.ok_or(SynthesisError::AssignmentMissing)?; + let c = cs.alloc_input( + || "c", + || { + let mut a = self.a.ok_or(SynthesisError::AssignmentMissing)?; + let b = self.b.ok_or(SynthesisError::AssignmentMissing)?; - a.mul_assign(&b); - Ok(a) - })?; + a.mul_assign(&b); + Ok(a) + }, + )?; - cs.enforce( - || "a*b=c", - |lc| lc + a, - |lc| lc + b, - |lc| lc + c - ); + cs.enforce(|| "a*b=c", |lc| lc + a, |lc| lc + b, |lc| lc + c); Ok(()) } @@ -526,10 +504,9 @@ mod test_with_bls12_381 { let rng = &mut thread_rng(); - let params = generate_random_parameters::( - MySillyCircuit { a: None, b: None }, - rng - ).unwrap(); + let params = + generate_random_parameters::(MySillyCircuit { a: None, b: None }, rng) + .unwrap(); { let mut v = vec![]; @@ -555,11 +532,12 @@ mod test_with_bls12_381 { let proof = create_random_proof( MySillyCircuit { a: Some(a), - b: Some(b) + b: Some(b), }, ¶ms, - rng - ).unwrap(); + rng, + ) + .unwrap(); let mut v = vec![]; proof.write(&mut v).unwrap(); diff --git a/bellman/src/groth16/prover.rs b/bellman/src/groth16/prover.rs index ceb3dce7f..a502ac332 100644 --- a/bellman/src/groth16/prover.rs +++ b/bellman/src/groth16/prover.rs @@ -8,43 +8,23 @@ use ff::{Field, PrimeField}; use group::{CurveAffine, CurveProjective}; use pairing::Engine; -use super::{ - ParameterSource, - Proof -}; +use super::{ParameterSource, Proof}; -use ::{ - SynthesisError, - Circuit, - ConstraintSystem, - LinearCombination, - Variable, - Index -}; +use {Circuit, ConstraintSystem, Index, LinearCombination, SynthesisError, Variable}; -use ::domain::{ - EvaluationDomain, - Scalar -}; +use domain::{EvaluationDomain, Scalar}; -use ::multiexp::{ - DensityTracker, - FullDensity, - multiexp -}; +use multiexp::{multiexp, DensityTracker, FullDensity}; -use ::multicore::{ - Worker -}; +use multicore::Worker; fn eval( lc: &LinearCombination, mut input_density: Option<&mut DensityTracker>, mut aux_density: Option<&mut DensityTracker>, input_assignment: &[E::Fr], - aux_assignment: &[E::Fr] -) -> E::Fr -{ + aux_assignment: &[E::Fr], +) -> E::Fr { let mut acc = E::Fr::zero(); for &(index, coeff) in lc.0.iter() { @@ -56,7 +36,7 @@ fn eval( if let Some(ref mut v) = input_density { v.inc(i); } - }, + } Variable(Index::Aux(i)) => { tmp = aux_assignment[i]; if let Some(ref mut v) = aux_density { @@ -66,10 +46,10 @@ fn eval( } if coeff == E::Fr::one() { - acc.add_assign(&tmp); + acc.add_assign(&tmp); } else { - tmp.mul_assign(&coeff); - acc.add_assign(&tmp); + tmp.mul_assign(&coeff); + acc.add_assign(&tmp); } } @@ -89,18 +69,17 @@ struct ProvingAssignment { // Assignments of variables input_assignment: Vec, - aux_assignment: Vec + aux_assignment: Vec, } impl ConstraintSystem for ProvingAssignment { type Root = Self; - fn alloc( - &mut self, - _: A, - f: F - ) -> Result - where F: FnOnce() -> Result, A: FnOnce() -> AR, AR: Into + fn alloc(&mut self, _: A, f: F) -> Result + where + F: FnOnce() -> Result, + A: FnOnce() -> AR, + AR: Into, { self.aux_assignment.push(f()?); self.a_aux_density.add_element(); @@ -109,12 +88,11 @@ impl ConstraintSystem for ProvingAssignment { Ok(Variable(Index::Aux(self.aux_assignment.len() - 1))) } - fn alloc_input( - &mut self, - _: A, - f: F - ) -> Result - where F: FnOnce() -> Result, A: FnOnce() -> AR, AR: Into + fn alloc_input(&mut self, _: A, f: F) -> Result + where + F: FnOnce() -> Result, + A: FnOnce() -> AR, + AR: Into, { self.input_assignment.push(f()?); self.b_input_density.add_element(); @@ -122,17 +100,13 @@ impl ConstraintSystem for ProvingAssignment { Ok(Variable(Index::Input(self.input_assignment.len() - 1))) } - fn enforce( - &mut self, - _: A, - a: LA, - b: LB, - c: LC - ) - where A: FnOnce() -> AR, AR: Into, - LA: FnOnce(LinearCombination) -> LinearCombination, - LB: FnOnce(LinearCombination) -> LinearCombination, - LC: FnOnce(LinearCombination) -> LinearCombination + fn enforce(&mut self, _: A, a: LA, b: LB, c: LC) + where + A: FnOnce() -> AR, + AR: Into, + LA: FnOnce(LinearCombination) -> LinearCombination, + LB: FnOnce(LinearCombination) -> LinearCombination, + LC: FnOnce(LinearCombination) -> LinearCombination, { let a = a(LinearCombination::zero()); let b = b(LinearCombination::zero()); @@ -146,14 +120,14 @@ impl ConstraintSystem for ProvingAssignment { None, Some(&mut self.a_aux_density), &self.input_assignment, - &self.aux_assignment + &self.aux_assignment, ))); self.b.push(Scalar(eval( &b, Some(&mut self.b_input_density), Some(&mut self.b_aux_density), &self.input_assignment, - &self.aux_assignment + &self.aux_assignment, ))); self.c.push(Scalar(eval( &c, @@ -164,18 +138,19 @@ impl ConstraintSystem for ProvingAssignment { None, None, &self.input_assignment, - &self.aux_assignment + &self.aux_assignment, ))); } fn push_namespace(&mut self, _: N) - where NR: Into, N: FnOnce() -> NR + where + NR: Into, + N: FnOnce() -> NR, { // Do nothing; we don't care about namespaces in this context. } - fn pop_namespace(&mut self) - { + fn pop_namespace(&mut self) { // Do nothing; we don't care about namespaces in this context. } @@ -187,9 +162,12 @@ impl ConstraintSystem for ProvingAssignment { pub fn create_random_proof>( circuit: C, params: P, - rng: &mut R + rng: &mut R, ) -> Result, SynthesisError> - where E: Engine, C: Circuit, R: RngCore +where + E: Engine, + C: Circuit, + R: RngCore, { let r = E::Fr::random(rng); let s = E::Fr::random(rng); @@ -201,9 +179,11 @@ pub fn create_proof>( circuit: C, mut params: P, r: E::Fr, - s: E::Fr + s: E::Fr, ) -> Result, SynthesisError> - where E: Engine, C: Circuit +where + E: Engine, + C: Circuit, { let mut prover = ProvingAssignment { a_aux_density: DensityTracker::new(), @@ -213,7 +193,7 @@ pub fn create_proof>( b: vec![], c: vec![], input_assignment: vec![], - aux_assignment: vec![] + aux_assignment: vec![], }; prover.alloc_input(|| "", || Ok(E::Fr::one()))?; @@ -221,11 +201,7 @@ pub fn create_proof>( circuit.synthesize(&mut prover)?; for i in 0..prover.input_assignment.len() { - prover.enforce(|| "", - |lc| lc + Variable(Index::Input(i)), - |lc| lc, - |lc| lc, - ); + prover.enforce(|| "", |lc| lc + Variable(Index::Input(i)), |lc| lc, |lc| lc); } let worker = Worker::new(); @@ -259,31 +235,76 @@ pub fn create_proof>( }; // TODO: parallelize if it's even helpful - let input_assignment = Arc::new(prover.input_assignment.into_iter().map(|s| s.into_repr()).collect::>()); - let aux_assignment = Arc::new(prover.aux_assignment.into_iter().map(|s| s.into_repr()).collect::>()); + let input_assignment = Arc::new( + prover + .input_assignment + .into_iter() + .map(|s| s.into_repr()) + .collect::>(), + ); + let aux_assignment = Arc::new( + prover + .aux_assignment + .into_iter() + .map(|s| s.into_repr()) + .collect::>(), + ); - let l = multiexp(&worker, params.get_l(aux_assignment.len())?, FullDensity, aux_assignment.clone()); + let l = multiexp( + &worker, + params.get_l(aux_assignment.len())?, + FullDensity, + aux_assignment.clone(), + ); let a_aux_density_total = prover.a_aux_density.get_total_density(); - let (a_inputs_source, a_aux_source) = params.get_a(input_assignment.len(), a_aux_density_total)?; + let (a_inputs_source, a_aux_source) = + params.get_a(input_assignment.len(), a_aux_density_total)?; - let a_inputs = multiexp(&worker, a_inputs_source, FullDensity, input_assignment.clone()); - let a_aux = multiexp(&worker, a_aux_source, Arc::new(prover.a_aux_density), aux_assignment.clone()); + let a_inputs = multiexp( + &worker, + a_inputs_source, + FullDensity, + input_assignment.clone(), + ); + let a_aux = multiexp( + &worker, + a_aux_source, + Arc::new(prover.a_aux_density), + aux_assignment.clone(), + ); let b_input_density = Arc::new(prover.b_input_density); let b_input_density_total = b_input_density.get_total_density(); let b_aux_density = Arc::new(prover.b_aux_density); let b_aux_density_total = b_aux_density.get_total_density(); - let (b_g1_inputs_source, b_g1_aux_source) = params.get_b_g1(b_input_density_total, b_aux_density_total)?; + let (b_g1_inputs_source, b_g1_aux_source) = + params.get_b_g1(b_input_density_total, b_aux_density_total)?; - let b_g1_inputs = multiexp(&worker, b_g1_inputs_source, b_input_density.clone(), input_assignment.clone()); - let b_g1_aux = multiexp(&worker, b_g1_aux_source, b_aux_density.clone(), aux_assignment.clone()); + let b_g1_inputs = multiexp( + &worker, + b_g1_inputs_source, + b_input_density.clone(), + input_assignment.clone(), + ); + let b_g1_aux = multiexp( + &worker, + b_g1_aux_source, + b_aux_density.clone(), + aux_assignment.clone(), + ); - let (b_g2_inputs_source, b_g2_aux_source) = params.get_b_g2(b_input_density_total, b_aux_density_total)?; - - let b_g2_inputs = multiexp(&worker, b_g2_inputs_source, b_input_density, input_assignment); + let (b_g2_inputs_source, b_g2_aux_source) = + params.get_b_g2(b_input_density_total, b_aux_density_total)?; + + let b_g2_inputs = multiexp( + &worker, + b_g2_inputs_source, + b_input_density, + input_assignment, + ); let b_g2_aux = multiexp(&worker, b_g2_aux_source, b_aux_density, aux_assignment); if vk.delta_g1.is_zero() || vk.delta_g2.is_zero() { @@ -325,6 +346,6 @@ pub fn create_proof>( Ok(Proof { a: g_a.into_affine(), b: g_b.into_affine(), - c: g_c.into_affine() + c: g_c.into_affine(), }) } diff --git a/bellman/src/groth16/tests/dummy_engine.rs b/bellman/src/groth16/tests/dummy_engine.rs index 654b8148a..4c5874d71 100644 --- a/bellman/src/groth16/tests/dummy_engine.rs +++ b/bellman/src/groth16/tests/dummy_engine.rs @@ -1,12 +1,13 @@ use ff::{ - Field, LegendreSymbol, PrimeField, PrimeFieldDecodingError, - PrimeFieldRepr, ScalarEngine, SqrtField}; + Field, LegendreSymbol, PrimeField, PrimeFieldDecodingError, PrimeFieldRepr, ScalarEngine, + SqrtField, +}; use group::{CurveAffine, CurveProjective, EncodedPoint, GroupDecodingError}; use pairing::{Engine, PairingCurveAffine}; +use rand_core::RngCore; use std::cmp::Ordering; use std::fmt; -use rand_core::RngCore; use std::num::Wrapping; const MODULUS_R: Wrapping = Wrapping(64513); @@ -80,9 +81,13 @@ impl SqrtField for Fr { fn legendre(&self) -> LegendreSymbol { // s = self^((r - 1) // 2) let s = self.pow([32256]); - if s == ::zero() { LegendreSymbol::Zero } - else if s == ::one() { LegendreSymbol::QuadraticResidue } - else { LegendreSymbol::QuadraticNonResidue } + if s == ::zero() { + LegendreSymbol::Zero + } else if s == ::one() { + LegendreSymbol::QuadraticResidue + } else { + LegendreSymbol::QuadraticNonResidue + } } fn sqrt(&self) -> Option { @@ -100,7 +105,7 @@ impl SqrtField for Fr { let mut m = Fr::S; while t != ::one() { - let mut i = 1; + let mut i = 1; { let mut t2i = t; t2i.square(); @@ -258,15 +263,18 @@ impl Engine for DummyEngine { type G2Affine = Fr; type Fq = Fr; type Fqe = Fr; - + // TODO: This should be F_645131 or something. Doesn't matter for now. type Fqk = Fr; fn miller_loop<'a, I>(i: I) -> Self::Fqk - where I: IntoIterator::Prepared, - &'a ::Prepared - )> + where + I: IntoIterator< + Item = &'a ( + &'a ::Prepared, + &'a ::Prepared, + ), + >, { let mut acc = ::zero(); @@ -280,8 +288,7 @@ impl Engine for DummyEngine { } /// Perform final exponentiation of the result of a miller loop. - fn final_exponentiation(this: &Self::Fqk) -> Option - { + fn final_exponentiation(this: &Self::Fqk) -> Option { Some(*this) } } @@ -308,9 +315,7 @@ impl CurveProjective for Fr { ::is_zero(self) } - fn batch_normalization(_: &mut [Self]) { - - } + fn batch_normalization(_: &mut [Self]) {} fn is_normalized(&self) -> bool { true @@ -332,8 +337,7 @@ impl CurveProjective for Fr { ::negate(self); } - fn mul_assign::Repr>>(&mut self, other: S) - { + fn mul_assign::Repr>>(&mut self, other: S) { let tmp = Fr::from_repr(other.into()).unwrap(); ::mul_assign(self, &tmp); @@ -415,8 +419,7 @@ impl CurveAffine for Fr { ::negate(self); } - fn mul::Repr>>(&self, other: S) -> Self::Projective - { + fn mul::Repr>>(&self, other: S) -> Self::Projective { let mut res = *self; let tmp = Fr::from_repr(other.into()).unwrap(); diff --git a/bellman/src/groth16/tests/mod.rs b/bellman/src/groth16/tests/mod.rs index 0e05c36ab..e6a36e4bc 100644 --- a/bellman/src/groth16/tests/mod.rs +++ b/bellman/src/groth16/tests/mod.rs @@ -6,86 +6,82 @@ use self::dummy_engine::*; use std::marker::PhantomData; -use ::{ - Circuit, - ConstraintSystem, - SynthesisError -}; +use {Circuit, ConstraintSystem, SynthesisError}; -use super::{ - generate_parameters, - prepare_verifying_key, - create_proof, - verify_proof -}; +use super::{create_proof, generate_parameters, prepare_verifying_key, verify_proof}; struct XORDemo { a: Option, b: Option, - _marker: PhantomData + _marker: PhantomData, } impl Circuit for XORDemo { - fn synthesize>( - self, - cs: &mut CS - ) -> Result<(), SynthesisError> - { - let a_var = cs.alloc(|| "a", || { - if self.a.is_some() { - if self.a.unwrap() { - Ok(E::Fr::one()) + fn synthesize>(self, cs: &mut CS) -> Result<(), SynthesisError> { + let a_var = cs.alloc( + || "a", + || { + if self.a.is_some() { + if self.a.unwrap() { + Ok(E::Fr::one()) + } else { + Ok(E::Fr::zero()) + } } else { - Ok(E::Fr::zero()) + Err(SynthesisError::AssignmentMissing) } - } else { - Err(SynthesisError::AssignmentMissing) - } - })?; + }, + )?; cs.enforce( || "a_boolean_constraint", |lc| lc + CS::one() - a_var, |lc| lc + a_var, - |lc| lc + |lc| lc, ); - let b_var = cs.alloc(|| "b", || { - if self.b.is_some() { - if self.b.unwrap() { - Ok(E::Fr::one()) + let b_var = cs.alloc( + || "b", + || { + if self.b.is_some() { + if self.b.unwrap() { + Ok(E::Fr::one()) + } else { + Ok(E::Fr::zero()) + } } else { - Ok(E::Fr::zero()) + Err(SynthesisError::AssignmentMissing) } - } else { - Err(SynthesisError::AssignmentMissing) - } - })?; + }, + )?; cs.enforce( || "b_boolean_constraint", |lc| lc + CS::one() - b_var, |lc| lc + b_var, - |lc| lc + |lc| lc, ); - let c_var = cs.alloc_input(|| "c", || { - if self.a.is_some() && self.b.is_some() { - if self.a.unwrap() ^ self.b.unwrap() { - Ok(E::Fr::one()) + let c_var = cs.alloc_input( + || "c", + || { + if self.a.is_some() && self.b.is_some() { + if self.a.unwrap() ^ self.b.unwrap() { + Ok(E::Fr::one()) + } else { + Ok(E::Fr::zero()) + } } else { - Ok(E::Fr::zero()) + Err(SynthesisError::AssignmentMissing) } - } else { - Err(SynthesisError::AssignmentMissing) - } - })?; + }, + )?; cs.enforce( || "c_xor_constraint", |lc| lc + a_var + a_var, |lc| lc + b_var, - |lc| lc + a_var + b_var - c_var + |lc| lc + a_var + b_var - c_var, ); Ok(()) @@ -106,19 +102,10 @@ fn test_xordemo() { let c = XORDemo:: { a: None, b: None, - _marker: PhantomData + _marker: PhantomData, }; - generate_parameters( - c, - g1, - g2, - alpha, - beta, - gamma, - delta, - tau - ).unwrap() + generate_parameters(c, g1, g2, alpha, beta, gamma, delta, tau).unwrap() }; // This will synthesize the constraint system: @@ -226,32 +213,35 @@ fn test_xordemo() { 59158 */ - let u_i = [59158, 48317, 21767, 10402].iter().map(|e| { - Fr::from_str(&format!("{}", e)).unwrap() - }).collect::>(); - let v_i = [0, 0, 60619, 30791].iter().map(|e| { - Fr::from_str(&format!("{}", e)).unwrap() - }).collect::>(); - let w_i = [0, 23320, 41193, 41193].iter().map(|e| { - Fr::from_str(&format!("{}", e)).unwrap() - }).collect::>(); + let u_i = [59158, 48317, 21767, 10402] + .iter() + .map(|e| Fr::from_str(&format!("{}", e)).unwrap()) + .collect::>(); + let v_i = [0, 0, 60619, 30791] + .iter() + .map(|e| Fr::from_str(&format!("{}", e)).unwrap()) + .collect::>(); + let w_i = [0, 23320, 41193, 41193] + .iter() + .map(|e| Fr::from_str(&format!("{}", e)).unwrap()) + .collect::>(); - for (u, a) in u_i.iter() - .zip(¶ms.a[..]) - { + for (u, a) in u_i.iter().zip(¶ms.a[..]) { assert_eq!(u, a); } - for (v, b) in v_i.iter() - .filter(|&&e| e != Fr::zero()) - .zip(¶ms.b_g1[..]) + for (v, b) in v_i + .iter() + .filter(|&&e| e != Fr::zero()) + .zip(¶ms.b_g1[..]) { assert_eq!(v, b); } - for (v, b) in v_i.iter() - .filter(|&&e| e != Fr::zero()) - .zip(¶ms.b_g2[..]) + for (v, b) in v_i + .iter() + .filter(|&&e| e != Fr::zero()) + .zip(¶ms.b_g2[..]) { assert_eq!(v, b); } @@ -296,15 +286,10 @@ fn test_xordemo() { let c = XORDemo { a: Some(true), b: Some(false), - _marker: PhantomData + _marker: PhantomData, }; - create_proof( - c, - ¶ms, - r, - s - ).unwrap() + create_proof(c, ¶ms, r, s).unwrap() }; // A(x) = @@ -320,7 +305,7 @@ fn test_xordemo() { expected_a.add_assign(&u_i[0]); // a_0 = 1 expected_a.add_assign(&u_i[1]); // a_1 = 1 expected_a.add_assign(&u_i[2]); // a_2 = 1 - // a_3 = 0 + // a_3 = 0 assert_eq!(proof.a, expected_a); } @@ -337,7 +322,7 @@ fn test_xordemo() { expected_b.add_assign(&v_i[0]); // a_0 = 1 expected_b.add_assign(&v_i[1]); // a_1 = 1 expected_b.add_assign(&v_i[2]); // a_2 = 1 - // a_3 = 0 + // a_3 = 0 assert_eq!(proof.b, expected_b); } @@ -378,7 +363,10 @@ fn test_xordemo() { expected_c.add_assign(¶ms.l[0]); // H query answer - for (i, coeff) in [5040, 11763, 10755, 63633, 128, 9747, 8739].iter().enumerate() { + for (i, coeff) in [5040, 11763, 10755, 63633, 128, 9747, 8739] + .iter() + .enumerate() + { let coeff = Fr::from_str(&format!("{}", coeff)).unwrap(); let mut tmp = params.h[i]; @@ -389,9 +377,5 @@ fn test_xordemo() { assert_eq!(expected_c, proof.c); } - assert!(verify_proof( - &pvk, - &proof, - &[Fr::one()] - ).unwrap()); + assert!(verify_proof(&pvk, &proof, &[Fr::one()]).unwrap()); } diff --git a/bellman/src/groth16/verifier.rs b/bellman/src/groth16/verifier.rs index 71c747837..926955a98 100644 --- a/bellman/src/groth16/verifier.rs +++ b/bellman/src/groth16/verifier.rs @@ -2,20 +2,11 @@ use ff::PrimeField; use group::{CurveAffine, CurveProjective}; use pairing::{Engine, PairingCurveAffine}; -use super::{ - Proof, - VerifyingKey, - PreparedVerifyingKey -}; +use super::{PreparedVerifyingKey, Proof, VerifyingKey}; -use ::{ - SynthesisError -}; +use SynthesisError; -pub fn prepare_verifying_key( - vk: &VerifyingKey -) -> PreparedVerifyingKey -{ +pub fn prepare_verifying_key(vk: &VerifyingKey) -> PreparedVerifyingKey { let mut gamma = vk.gamma_g2; gamma.negate(); let mut delta = vk.delta_g2; @@ -25,16 +16,15 @@ pub fn prepare_verifying_key( alpha_g1_beta_g2: E::pairing(vk.alpha_g1, vk.beta_g2), neg_gamma_g2: gamma.prepare(), neg_delta_g2: delta.prepare(), - ic: vk.ic.clone() + ic: vk.ic.clone(), } } pub fn verify_proof<'a, E: Engine>( pvk: &'a PreparedVerifyingKey, proof: &Proof, - public_inputs: &[E::Fr] -) -> Result -{ + public_inputs: &[E::Fr], +) -> Result { if (public_inputs.len() + 1) != pvk.ic.len() { return Err(SynthesisError::MalformedVerifyingKey); } @@ -53,11 +43,14 @@ pub fn verify_proof<'a, E: Engine>( // A * B + inputs * (-gamma) + C * (-delta) = alpha * beta // which allows us to do a single final exponentiation. - Ok(E::final_exponentiation( - &E::miller_loop([ + Ok(E::final_exponentiation(&E::miller_loop( + [ (&proof.a.prepare(), &proof.b.prepare()), (&acc.into_affine().prepare(), &pvk.neg_gamma_g2), - (&proof.c.prepare(), &pvk.neg_delta_g2) - ].into_iter()) - ).unwrap() == pvk.alpha_g1_beta_g2) + (&proof.c.prepare(), &pvk.neg_delta_g2), + ] + .into_iter(), + )) + .unwrap() + == pvk.alpha_g1_beta_g2) } diff --git a/bellman/src/lib.rs b/bellman/src/lib.rs index ee6bb8861..96400c9fe 100644 --- a/bellman/src/lib.rs +++ b/bellman/src/lib.rs @@ -4,10 +4,10 @@ extern crate group; extern crate pairing; extern crate rand_core; -extern crate futures; extern crate bit_vec; extern crate blake2s_simd; extern crate byteorder; +extern crate futures; #[cfg(feature = "multicore")] extern crate crossbeam; @@ -29,20 +29,20 @@ extern crate rand_xorshift; #[cfg(test)] extern crate sha2; -pub mod gadgets; -pub mod multicore; -mod multiexp; pub mod domain; +pub mod gadgets; #[cfg(feature = "groth16")] pub mod groth16; +pub mod multicore; +mod multiexp; use ff::{Field, ScalarEngine}; -use std::ops::{Add, Sub}; -use std::fmt; use std::error::Error; +use std::fmt; use std::io; use std::marker::PhantomData; +use std::ops::{Add, Sub}; /// Computations are expressed in terms of arithmetic circuits, in particular /// rank-1 quadratic constraint systems. The `Circuit` trait represents a @@ -50,10 +50,7 @@ use std::marker::PhantomData; /// CRS generation and during proving. pub trait Circuit { /// Synthesize the circuit into a rank-1 quadratic constraint system - fn synthesize>( - self, - cs: &mut CS - ) -> Result<(), SynthesisError>; + fn synthesize>(self, cs: &mut CS) -> Result<(), SynthesisError>; } /// Represents a variable in our constraint system. @@ -79,7 +76,7 @@ impl Variable { #[derive(Copy, Clone, PartialEq, Debug)] pub enum Index { Input(usize), - Aux(usize) + Aux(usize), } /// This represents a linear combination of some variables, with coefficients @@ -206,7 +203,7 @@ pub enum SynthesisError { /// During verification, our verifying key was malformed. MalformedVerifyingKey, /// During CRS generation, we observed an unconstrained auxiliary variable - UnconstrainedVariable + UnconstrainedVariable, } impl From for SynthesisError { @@ -218,14 +215,16 @@ impl From for SynthesisError { impl Error for SynthesisError { fn description(&self) -> &str { match *self { - SynthesisError::AssignmentMissing => "an assignment for a variable could not be computed", + SynthesisError::AssignmentMissing => { + "an assignment for a variable could not be computed" + } SynthesisError::DivisionByZero => "division by zero", SynthesisError::Unsatisfiable => "unsatisfiable constraint system", SynthesisError::PolynomialDegreeTooLarge => "polynomial degree is too large", SynthesisError::UnexpectedIdentity => "encountered an identity element in the CRS", SynthesisError::IoError(_) => "encountered an I/O error", SynthesisError::MalformedVerifyingKey => "malformed verifying key", - SynthesisError::UnconstrainedVariable => "auxiliary variable was unconstrained" + SynthesisError::UnconstrainedVariable => "auxiliary variable was unconstrained", } } } @@ -257,40 +256,36 @@ pub trait ConstraintSystem: Sized { /// determine the assignment of the variable. The given `annotation` function is invoked /// in testing contexts in order to derive a unique name for this variable in the current /// namespace. - fn alloc( - &mut self, - annotation: A, - f: F - ) -> Result - where F: FnOnce() -> Result, A: FnOnce() -> AR, AR: Into; + fn alloc(&mut self, annotation: A, f: F) -> Result + where + F: FnOnce() -> Result, + A: FnOnce() -> AR, + AR: Into; /// Allocate a public variable in the constraint system. The provided function is used to /// determine the assignment of the variable. - fn alloc_input( - &mut self, - annotation: A, - f: F - ) -> Result - where F: FnOnce() -> Result, A: FnOnce() -> AR, AR: Into; + fn alloc_input(&mut self, annotation: A, f: F) -> Result + where + F: FnOnce() -> Result, + A: FnOnce() -> AR, + AR: Into; /// Enforce that `A` * `B` = `C`. The `annotation` function is invoked in testing contexts /// in order to derive a unique name for the constraint in the current namespace. - fn enforce( - &mut self, - annotation: A, - a: LA, - b: LB, - c: LC - ) - where A: FnOnce() -> AR, AR: Into, - LA: FnOnce(LinearCombination) -> LinearCombination, - LB: FnOnce(LinearCombination) -> LinearCombination, - LC: FnOnce(LinearCombination) -> LinearCombination; + fn enforce(&mut self, annotation: A, a: LA, b: LB, c: LC) + where + A: FnOnce() -> AR, + AR: Into, + LA: FnOnce(LinearCombination) -> LinearCombination, + LB: FnOnce(LinearCombination) -> LinearCombination, + LC: FnOnce(LinearCombination) -> LinearCombination; /// Create a new (sub)namespace and enter into it. Not intended /// for downstream use; use `namespace` instead. fn push_namespace(&mut self, name_fn: N) - where NR: Into, N: FnOnce() -> NR; + where + NR: Into, + N: FnOnce() -> NR; /// Exit out of the existing namespace. Not intended for /// downstream use; use `namespace` instead. @@ -301,11 +296,10 @@ pub trait ConstraintSystem: Sized { fn get_root(&mut self) -> &mut Self::Root; /// Begin a namespace for this constraint system. - fn namespace<'a, NR, N>( - &'a mut self, - name_fn: N - ) -> Namespace<'a, E, Self::Root> - where NR: Into, N: FnOnce() -> NR + fn namespace<'a, NR, N>(&'a mut self, name_fn: N) -> Namespace<'a, E, Self::Root> + where + NR: Into, + N: FnOnce() -> NR, { self.get_root().push_namespace(name_fn); @@ -324,37 +318,31 @@ impl<'cs, E: ScalarEngine, CS: ConstraintSystem> ConstraintSystem for Name CS::one() } - fn alloc( - &mut self, - annotation: A, - f: F - ) -> Result - where F: FnOnce() -> Result, A: FnOnce() -> AR, AR: Into + fn alloc(&mut self, annotation: A, f: F) -> Result + where + F: FnOnce() -> Result, + A: FnOnce() -> AR, + AR: Into, { self.0.alloc(annotation, f) } - fn alloc_input( - &mut self, - annotation: A, - f: F - ) -> Result - where F: FnOnce() -> Result, A: FnOnce() -> AR, AR: Into + fn alloc_input(&mut self, annotation: A, f: F) -> Result + where + F: FnOnce() -> Result, + A: FnOnce() -> AR, + AR: Into, { self.0.alloc_input(annotation, f) } - fn enforce( - &mut self, - annotation: A, - a: LA, - b: LB, - c: LC - ) - where A: FnOnce() -> AR, AR: Into, - LA: FnOnce(LinearCombination) -> LinearCombination, - LB: FnOnce(LinearCombination) -> LinearCombination, - LC: FnOnce(LinearCombination) -> LinearCombination + fn enforce(&mut self, annotation: A, a: LA, b: LB, c: LC) + where + A: FnOnce() -> AR, + AR: Into, + LA: FnOnce(LinearCombination) -> LinearCombination, + LB: FnOnce(LinearCombination) -> LinearCombination, + LC: FnOnce(LinearCombination) -> LinearCombination, { self.0.enforce(annotation, a, b, c) } @@ -364,18 +352,18 @@ impl<'cs, E: ScalarEngine, CS: ConstraintSystem> ConstraintSystem for Name // never a root constraint system. fn push_namespace(&mut self, _: N) - where NR: Into, N: FnOnce() -> NR + where + NR: Into, + N: FnOnce() -> NR, { panic!("only the root's push_namespace should be called"); } - fn pop_namespace(&mut self) - { + fn pop_namespace(&mut self) { panic!("only the root's pop_namespace should be called"); } - fn get_root(&mut self) -> &mut Self::Root - { + fn get_root(&mut self) -> &mut Self::Root { self.0.get_root() } } @@ -395,54 +383,48 @@ impl<'cs, E: ScalarEngine, CS: ConstraintSystem> ConstraintSystem for &'cs CS::one() } - fn alloc( - &mut self, - annotation: A, - f: F - ) -> Result - where F: FnOnce() -> Result, A: FnOnce() -> AR, AR: Into + fn alloc(&mut self, annotation: A, f: F) -> Result + where + F: FnOnce() -> Result, + A: FnOnce() -> AR, + AR: Into, { (**self).alloc(annotation, f) } - fn alloc_input( - &mut self, - annotation: A, - f: F - ) -> Result - where F: FnOnce() -> Result, A: FnOnce() -> AR, AR: Into + fn alloc_input(&mut self, annotation: A, f: F) -> Result + where + F: FnOnce() -> Result, + A: FnOnce() -> AR, + AR: Into, { (**self).alloc_input(annotation, f) } - fn enforce( - &mut self, - annotation: A, - a: LA, - b: LB, - c: LC - ) - where A: FnOnce() -> AR, AR: Into, - LA: FnOnce(LinearCombination) -> LinearCombination, - LB: FnOnce(LinearCombination) -> LinearCombination, - LC: FnOnce(LinearCombination) -> LinearCombination + fn enforce(&mut self, annotation: A, a: LA, b: LB, c: LC) + where + A: FnOnce() -> AR, + AR: Into, + LA: FnOnce(LinearCombination) -> LinearCombination, + LB: FnOnce(LinearCombination) -> LinearCombination, + LC: FnOnce(LinearCombination) -> LinearCombination, { (**self).enforce(annotation, a, b, c) } fn push_namespace(&mut self, name_fn: N) - where NR: Into, N: FnOnce() -> NR + where + NR: Into, + N: FnOnce() -> NR, { (**self).push_namespace(name_fn) } - fn pop_namespace(&mut self) - { + fn pop_namespace(&mut self) { (**self).pop_namespace() } - fn get_root(&mut self) -> &mut Self::Root - { + fn get_root(&mut self) -> &mut Self::Root { (**self).get_root() } } diff --git a/bellman/src/multicore.rs b/bellman/src/multicore.rs index 8d0b00c51..e8b2dae1f 100644 --- a/bellman/src/multicore.rs +++ b/bellman/src/multicore.rs @@ -6,15 +6,15 @@ #[cfg(feature = "multicore")] mod implementation { - use num_cpus; - use futures::{Future, IntoFuture, Poll}; - use futures_cpupool::{CpuPool, CpuFuture}; use crossbeam::{self, Scope}; + use futures::{Future, IntoFuture, Poll}; + use futures_cpupool::{CpuFuture, CpuPool}; + use num_cpus; #[derive(Clone)] pub struct Worker { cpus: usize, - pool: CpuPool + pool: CpuPool, } impl Worker { @@ -24,7 +24,7 @@ mod implementation { pub(crate) fn new_with_cpus(cpus: usize) -> Worker { Worker { cpus: cpus, - pool: CpuPool::new(cpus) + pool: CpuPool::new(cpus), } } @@ -36,26 +36,22 @@ mod implementation { log2_floor(self.cpus) } - pub fn compute( - &self, f: F - ) -> WorkerFuture - where F: FnOnce() -> R + Send + 'static, - R: IntoFuture + 'static, - R::Future: Send + 'static, - R::Item: Send + 'static, - R::Error: Send + 'static + pub fn compute(&self, f: F) -> WorkerFuture + where + F: FnOnce() -> R + Send + 'static, + R: IntoFuture + 'static, + R::Future: Send + 'static, + R::Item: Send + 'static, + R::Error: Send + 'static, { WorkerFuture { - future: self.pool.spawn_fn(f) + future: self.pool.spawn_fn(f), } } - pub fn scope<'a, F, R>( - &self, - elements: usize, - f: F - ) -> R - where F: FnOnce(&Scope<'a>, usize) -> R + pub fn scope<'a, F, R>(&self, elements: usize, f: F) -> R + where + F: FnOnce(&Scope<'a>, usize) -> R, { let chunk_size = if elements < self.cpus { 1 @@ -63,22 +59,19 @@ mod implementation { elements / self.cpus }; - crossbeam::scope(|scope| { - f(scope, chunk_size) - }) + crossbeam::scope(|scope| f(scope, chunk_size)) } } pub struct WorkerFuture { - future: CpuFuture + future: CpuFuture, } impl Future for WorkerFuture { type Item = T; type Error = E; - fn poll(&mut self) -> Poll - { + fn poll(&mut self) -> Poll { self.future.poll() } } @@ -88,7 +81,7 @@ mod implementation { let mut pow = 0; - while (1 << (pow+1)) <= num { + while (1 << (pow + 1)) <= num { pow += 1; } diff --git a/bellman/src/multiexp.rs b/bellman/src/multiexp.rs index c6553971b..fabb97853 100644 --- a/bellman/src/multiexp.rs +++ b/bellman/src/multiexp.rs @@ -1,11 +1,11 @@ -use ff::{Field, PrimeField, PrimeFieldRepr, ScalarEngine}; -use group::{CurveAffine, CurveProjective}; -use std::sync::Arc; -use std::io; -use bit_vec::{self, BitVec}; -use std::iter; -use futures::{Future}; use super::multicore::Worker; +use bit_vec::{self, BitVec}; +use ff::{Field, PrimeField, PrimeFieldRepr, ScalarEngine}; +use futures::Future; +use group::{CurveAffine, CurveProjective}; +use std::io; +use std::iter; +use std::sync::Arc; use super::SynthesisError; @@ -19,7 +19,10 @@ pub trait SourceBuilder: Send + Sync + 'static + Clone { /// A source of bases, like an iterator. pub trait Source { /// Parses the element from the source. Fails if the point is at infinity. - fn add_assign_mixed(&mut self, to: &mut ::Projective) -> Result<(), SynthesisError>; + fn add_assign_mixed( + &mut self, + to: &mut ::Projective, + ) -> Result<(), SynthesisError>; /// Skips `amt` elements from the source, avoiding deserialization. fn skip(&mut self, amt: usize) -> Result<(), SynthesisError>; @@ -34,13 +37,20 @@ impl SourceBuilder for (Arc>, usize) { } impl Source for (Arc>, usize) { - fn add_assign_mixed(&mut self, to: &mut ::Projective) -> Result<(), SynthesisError> { + fn add_assign_mixed( + &mut self, + to: &mut ::Projective, + ) -> Result<(), SynthesisError> { if self.0.len() <= self.1 { - return Err(io::Error::new(io::ErrorKind::UnexpectedEof, "expected more bases from source").into()); + return Err(io::Error::new( + io::ErrorKind::UnexpectedEof, + "expected more bases from source", + ) + .into()); } if self.0[self.1].is_zero() { - return Err(SynthesisError::UnexpectedIdentity) + return Err(SynthesisError::UnexpectedIdentity); } to.add_assign_mixed(&self.0[self.1]); @@ -52,7 +62,11 @@ impl Source for (Arc>, usize) { fn skip(&mut self, amt: usize) -> Result<(), SynthesisError> { if self.0.len() <= self.1 { - return Err(io::Error::new(io::ErrorKind::UnexpectedEof, "expected more bases from source").into()); + return Err(io::Error::new( + io::ErrorKind::UnexpectedEof, + "expected more bases from source", + ) + .into()); } self.1 += amt; @@ -63,7 +77,7 @@ impl Source for (Arc>, usize) { pub trait QueryDensity { /// Returns whether the base exists. - type Iter: Iterator; + type Iter: Iterator; fn iter(self) -> Self::Iter; fn get_query_size(self) -> Option; @@ -92,7 +106,7 @@ impl<'a> QueryDensity for &'a FullDensity { pub struct DensityTracker { bv: BitVec, - total_density: usize + total_density: usize, } impl<'a> QueryDensity for &'a DensityTracker { @@ -111,7 +125,7 @@ impl DensityTracker { pub fn new() -> DensityTracker { DensityTracker { bv: BitVec::new(), - total_density: 0 + total_density: 0, } } @@ -138,12 +152,13 @@ fn multiexp_inner( exponents: Arc::Fr as PrimeField>::Repr>>, mut skip: u32, c: u32, - handle_trivial: bool -) -> Box::Projective, Error=SynthesisError>> - where for<'a> &'a Q: QueryDensity, - D: Send + Sync + 'static + Clone + AsRef, - G: CurveAffine, - S: SourceBuilder + handle_trivial: bool, +) -> Box::Projective, Error = SynthesisError>> +where + for<'a> &'a Q: QueryDensity, + D: Send + Sync + 'static + Clone + AsRef, + G: CurveAffine, + S: SourceBuilder, { // Perform this region of the multiexp let this = { @@ -212,16 +227,24 @@ fn multiexp_inner( // There's another region more significant. Calculate and join it with // this region recursively. Box::new( - this.join(multiexp_inner(pool, bases, density_map, exponents, skip, c, false)) - .map(move |(this, mut higher)| { - for _ in 0..c { - higher.double(); - } + this.join(multiexp_inner( + pool, + bases, + density_map, + exponents, + skip, + c, + false, + )) + .map(move |(this, mut higher)| { + for _ in 0..c { + higher.double(); + } - higher.add_assign(&this); + higher.add_assign(&this); - higher - }) + higher + }), ) } } @@ -232,12 +255,13 @@ pub fn multiexp( pool: &Worker, bases: S, density_map: D, - exponents: Arc::Fr as PrimeField>::Repr>> -) -> Box::Projective, Error=SynthesisError>> - where for<'a> &'a Q: QueryDensity, - D: Send + Sync + 'static + Clone + AsRef, - G: CurveAffine, - S: SourceBuilder + exponents: Arc::Fr as PrimeField>::Repr>>, +) -> Box::Projective, Error = SynthesisError>> +where + for<'a> &'a Q: QueryDensity, + D: Send + Sync + 'static + Clone + AsRef, + G: CurveAffine, + S: SourceBuilder, { let c = if exponents.len() < 32 { 3u32 @@ -260,9 +284,8 @@ pub fn multiexp( fn test_with_bls12() { fn naive_multiexp( bases: Arc>, - exponents: Arc::Repr>> - ) -> G::Projective - { + exponents: Arc::Repr>>, + ) -> G::Projective { assert_eq!(bases.len(), exponents.len()); let mut acc = G::Projective::zero(); @@ -274,25 +297,28 @@ fn test_with_bls12() { acc } - use rand; use pairing::{bls12_381::Bls12, Engine}; + use rand; const SAMPLES: usize = 1 << 14; let rng = &mut rand::thread_rng(); - let v = Arc::new((0..SAMPLES).map(|_| ::Fr::random(rng).into_repr()).collect::>()); - let g = Arc::new((0..SAMPLES).map(|_| ::G1::random(rng).into_affine()).collect::>()); + let v = Arc::new( + (0..SAMPLES) + .map(|_| ::Fr::random(rng).into_repr()) + .collect::>(), + ); + let g = Arc::new( + (0..SAMPLES) + .map(|_| ::G1::random(rng).into_affine()) + .collect::>(), + ); let naive = naive_multiexp(g.clone(), v.clone()); let pool = Worker::new(); - let fast = multiexp( - &pool, - (g, 0), - FullDensity, - v - ).wait().unwrap(); + let fast = multiexp(&pool, (g, 0), FullDensity, v).wait().unwrap(); assert_eq!(naive, fast); } diff --git a/bellman/tests/mimc.rs b/bellman/tests/mimc.rs index d08940f75..18aaece94 100644 --- a/bellman/tests/mimc.rs +++ b/bellman/tests/mimc.rs @@ -14,31 +14,21 @@ use ff::{Field, ScalarEngine}; use pairing::Engine; // We're going to use the BLS12-381 pairing-friendly elliptic curve. -use pairing::bls12_381::{ - Bls12 -}; +use pairing::bls12_381::Bls12; // We'll use these interfaces to construct our circuit. -use bellman::{ - Circuit, - ConstraintSystem, - SynthesisError -}; +use bellman::{Circuit, ConstraintSystem, SynthesisError}; // We're going to use the Groth16 proving system. use bellman::groth16::{ - Proof, - generate_random_parameters, - prepare_verifying_key, - create_random_proof, - verify_proof, + create_random_proof, generate_random_parameters, prepare_verifying_key, verify_proof, Proof, }; const MIMC_ROUNDS: usize = 322; /// This is an implementation of MiMC, specifically a /// variant named `LongsightF322p3` for BLS12-381. -/// See http://eprint.iacr.org/2016/492 for more +/// See http://eprint.iacr.org/2016/492 for more /// information about this construction. /// /// ``` @@ -49,12 +39,7 @@ const MIMC_ROUNDS: usize = 322; /// return xL /// } /// ``` -fn mimc( - mut xl: E::Fr, - mut xr: E::Fr, - constants: &[E::Fr] -) -> E::Fr -{ +fn mimc(mut xl: E::Fr, mut xr: E::Fr, constants: &[E::Fr]) -> E::Fr { assert_eq!(constants.len(), MIMC_ROUNDS); for i in 0..MIMC_ROUNDS { @@ -76,31 +61,29 @@ fn mimc( struct MiMCDemo<'a, E: Engine> { xl: Option, xr: Option, - constants: &'a [E::Fr] + constants: &'a [E::Fr], } /// Our demo circuit implements this `Circuit` trait which /// is used during paramgen and proving in order to /// synthesize the constraint system. impl<'a, E: Engine> Circuit for MiMCDemo<'a, E> { - fn synthesize>( - self, - cs: &mut CS - ) -> Result<(), SynthesisError> - { + fn synthesize>(self, cs: &mut CS) -> Result<(), SynthesisError> { assert_eq!(self.constants.len(), MIMC_ROUNDS); // Allocate the first component of the preimage. let mut xl_value = self.xl; - let mut xl = cs.alloc(|| "preimage xl", || { - xl_value.ok_or(SynthesisError::AssignmentMissing) - })?; + let mut xl = cs.alloc( + || "preimage xl", + || xl_value.ok_or(SynthesisError::AssignmentMissing), + )?; // Allocate the second component of the preimage. let mut xr_value = self.xr; - let mut xr = cs.alloc(|| "preimage xr", || { - xr_value.ok_or(SynthesisError::AssignmentMissing) - })?; + let mut xr = cs.alloc( + || "preimage xr", + || xr_value.ok_or(SynthesisError::AssignmentMissing), + )?; for i in 0..MIMC_ROUNDS { // xL, xR := xR + (xL + Ci)^3, xL @@ -112,15 +95,16 @@ impl<'a, E: Engine> Circuit for MiMCDemo<'a, E> { e.square(); e }); - let mut tmp = cs.alloc(|| "tmp", || { - tmp_value.ok_or(SynthesisError::AssignmentMissing) - })?; + let mut tmp = cs.alloc( + || "tmp", + || tmp_value.ok_or(SynthesisError::AssignmentMissing), + )?; cs.enforce( || "tmp = (xL + Ci)^2", |lc| lc + xl + (self.constants[i], CS::one()), |lc| lc + xl + (self.constants[i], CS::one()), - |lc| lc + tmp + |lc| lc + tmp, ); // new_xL = xR + (xL + Ci)^3 @@ -133,23 +117,25 @@ impl<'a, E: Engine> Circuit for MiMCDemo<'a, E> { e }); - let mut new_xl = if i == (MIMC_ROUNDS-1) { + let mut new_xl = if i == (MIMC_ROUNDS - 1) { // This is the last round, xL is our image and so // we allocate a public input. - cs.alloc_input(|| "image", || { - new_xl_value.ok_or(SynthesisError::AssignmentMissing) - })? + cs.alloc_input( + || "image", + || new_xl_value.ok_or(SynthesisError::AssignmentMissing), + )? } else { - cs.alloc(|| "new_xl", || { - new_xl_value.ok_or(SynthesisError::AssignmentMissing) - })? + cs.alloc( + || "new_xl", + || new_xl_value.ok_or(SynthesisError::AssignmentMissing), + )? }; cs.enforce( || "new_xL = xR + (xL + Ci)^3", |lc| lc + tmp, |lc| lc + xl + (self.constants[i], CS::one()), - |lc| lc + new_xl - xr + |lc| lc + new_xl - xr, ); // xR = xL @@ -172,7 +158,9 @@ fn test_mimc() { let rng = &mut thread_rng(); // Generate the MiMC round constants - let constants = (0..MIMC_ROUNDS).map(|_| ::Fr::random(rng)).collect::>(); + let constants = (0..MIMC_ROUNDS) + .map(|_| ::Fr::random(rng)) + .collect::>(); println!("Creating parameters..."); @@ -181,7 +169,7 @@ fn test_mimc() { let c = MiMCDemo:: { xl: None, xr: None, - constants: &constants + constants: &constants, }; generate_random_parameters(c, rng).unwrap() @@ -216,7 +204,7 @@ fn test_mimc() { let c = MiMCDemo { xl: Some(xl), xr: Some(xr), - constants: &constants + constants: &constants, }; // Create a groth16 proof with our parameters. @@ -230,20 +218,16 @@ fn test_mimc() { let start = Instant::now(); let proof = Proof::read(&proof_vec[..]).unwrap(); // Check the proof - assert!(verify_proof( - &pvk, - &proof, - &[image] - ).unwrap()); + assert!(verify_proof(&pvk, &proof, &[image]).unwrap()); total_verifying += start.elapsed(); } let proving_avg = total_proving / SAMPLES; - let proving_avg = proving_avg.subsec_nanos() as f64 / 1_000_000_000f64 - + (proving_avg.as_secs() as f64); + let proving_avg = + proving_avg.subsec_nanos() as f64 / 1_000_000_000f64 + (proving_avg.as_secs() as f64); let verifying_avg = total_verifying / SAMPLES; - let verifying_avg = verifying_avg.subsec_nanos() as f64 / 1_000_000_000f64 - + (verifying_avg.as_secs() as f64); + let verifying_avg = + verifying_avg.subsec_nanos() as f64 / 1_000_000_000f64 + (verifying_avg.as_secs() as f64); println!("Average proving time: {:?} seconds", proving_avg); println!("Average verifying time: {:?} seconds", verifying_avg); diff --git a/ff/ff_derive/src/lib.rs b/ff/ff_derive/src/lib.rs index df2625bfd..5f8e64267 100644 --- a/ff/ff_derive/src/lib.rs +++ b/ff/ff_derive/src/lib.rs @@ -52,13 +52,8 @@ pub fn prime_field(input: proc_macro::TokenStream) -> proc_macro::TokenStream { let mut gen = proc_macro2::TokenStream::new(); - let (constants_impl, sqrt_impl) = prime_field_constants_and_sqrt( - &ast.ident, - &repr_ident, - modulus, - limbs, - generator, - ); + let (constants_impl, sqrt_impl) = + prime_field_constants_and_sqrt(&ast.ident, &repr_ident, modulus, limbs, generator); gen.extend(constants_impl); gen.extend(prime_field_repr_impl(&repr_ident, limbs)); @@ -359,7 +354,8 @@ fn biguint_num_bits(mut v: BigUint) -> u32 { fn exp(base: BigUint, exp: &BigUint, modulus: &BigUint) -> BigUint { let mut ret = BigUint::one(); - for i in exp.to_bytes_be() + for i in exp + .to_bytes_be() .into_iter() .flat_map(|x| (0..8).rev().map(move |i| (x >> i).is_odd())) { @@ -380,11 +376,13 @@ fn test_exp() { &BigUint::from_str("5489673498567349856734895").unwrap(), &BigUint::from_str( "52435875175126190479447740508185965837690552500527637822603658699938581184513" - ).unwrap() + ) + .unwrap() ), BigUint::from_str( "4371221214068404307866768905142520595925044802278091865033317963560480051536" - ).unwrap() + ) + .unwrap() ); } @@ -423,7 +421,7 @@ fn prime_field_constants_and_sqrt( let mod_minus_1_over_2 = biguint_to_u64_vec((&modulus - BigUint::from_str("1").unwrap()) >> 1, limbs); - let legendre_impl = quote!{ + let legendre_impl = quote! { fn legendre(&self) -> ::ff::LegendreSymbol { // s = self^((modulus - 1) // 2) let s = self.pow(#mod_minus_1_over_2); @@ -445,7 +443,7 @@ fn prime_field_constants_and_sqrt( // Compute -R as (m - r) let rneg = biguint_to_u64_vec(&modulus - &r, limbs); - quote!{ + quote! { impl ::ff::SqrtField for #name { #legendre_impl @@ -472,7 +470,7 @@ fn prime_field_constants_and_sqrt( let t_plus_1_over_2 = biguint_to_u64_vec((&t + BigUint::one()) >> 1, limbs); let t = biguint_to_u64_vec(t.clone(), limbs); - quote!{ + quote! { impl ::ff::SqrtField for #name { #legendre_impl @@ -519,7 +517,7 @@ fn prime_field_constants_and_sqrt( } } } else { - quote!{} + quote! {} }; // Compute R^2 mod m @@ -536,36 +534,39 @@ fn prime_field_constants_and_sqrt( } inv = inv.wrapping_neg(); - (quote! { - /// This is the modulus m of the prime field - const MODULUS: #repr = #repr([#(#modulus,)*]); + ( + quote! { + /// This is the modulus m of the prime field + const MODULUS: #repr = #repr([#(#modulus,)*]); - /// The number of bits needed to represent the modulus. - const MODULUS_BITS: u32 = #modulus_num_bits; + /// The number of bits needed to represent the modulus. + const MODULUS_BITS: u32 = #modulus_num_bits; - /// The number of bits that must be shaved from the beginning of - /// the representation when randomly sampling. - const REPR_SHAVE_BITS: u32 = #repr_shave_bits; + /// The number of bits that must be shaved from the beginning of + /// the representation when randomly sampling. + const REPR_SHAVE_BITS: u32 = #repr_shave_bits; - /// 2^{limbs*64} mod m - const R: #repr = #repr(#r); + /// 2^{limbs*64} mod m + const R: #repr = #repr(#r); - /// 2^{limbs*64*2} mod m - const R2: #repr = #repr(#r2); + /// 2^{limbs*64*2} mod m + const R2: #repr = #repr(#r2); - /// -(m^{-1} mod m) mod m - const INV: u64 = #inv; + /// -(m^{-1} mod m) mod m + const INV: u64 = #inv; - /// Multiplicative generator of `MODULUS` - 1 order, also quadratic - /// nonresidue. - const GENERATOR: #repr = #repr(#generator); + /// Multiplicative generator of `MODULUS` - 1 order, also quadratic + /// nonresidue. + const GENERATOR: #repr = #repr(#generator); - /// 2^s * t = MODULUS - 1 with t odd - const S: u32 = #s; + /// 2^s * t = MODULUS - 1 with t odd + const S: u32 = #s; - /// 2^s root of unity computed by GENERATOR^t - const ROOT_OF_UNITY: #repr = #repr(#root_of_unity); - }, sqrt_impl) + /// 2^s root of unity computed by GENERATOR^t + const ROOT_OF_UNITY: #repr = #repr(#root_of_unity); + }, + sqrt_impl, + ) } /// Implement PrimeField for the derived type. @@ -585,9 +586,9 @@ fn prime_field_impl( mont_paramlist.append_separated( (0..(limbs * 2)).map(|i| (i, get_temp(i))).map(|(i, x)| { if i != 0 { - quote!{mut #x: u64} + quote! {mut #x: u64} } else { - quote!{#x: u64} + quote! {#x: u64} } }), proc_macro2::Punct::new(',', proc_macro2::Spacing::Alone), @@ -600,7 +601,7 @@ fn prime_field_impl( for i in 0..limbs { { let temp = get_temp(i); - gen.extend(quote!{ + gen.extend(quote! { let k = #temp.wrapping_mul(INV); let mut carry = 0; ::ff::mac_with_carry(#temp, k, MODULUS.0[0], &mut carry); @@ -609,7 +610,7 @@ fn prime_field_impl( for j in 1..limbs { let temp = get_temp(i + j); - gen.extend(quote!{ + gen.extend(quote! { #temp = ::ff::mac_with_carry(#temp, k, MODULUS.0[#j], &mut carry); }); } @@ -617,17 +618,17 @@ fn prime_field_impl( let temp = get_temp(i + limbs); if i == 0 { - gen.extend(quote!{ + gen.extend(quote! { #temp = ::ff::adc(#temp, 0, &mut carry); }); } else { - gen.extend(quote!{ + gen.extend(quote! { #temp = ::ff::adc(#temp, carry2, &mut carry); }); } if i != (limbs - 1) { - gen.extend(quote!{ + gen.extend(quote! { let carry2 = carry; }); } @@ -636,7 +637,7 @@ fn prime_field_impl( for i in 0..limbs { let temp = get_temp(limbs + i); - gen.extend(quote!{ + gen.extend(quote! { (self.0).0[#i] = #temp; }); } @@ -648,14 +649,14 @@ fn prime_field_impl( let mut gen = proc_macro2::TokenStream::new(); for i in 0..(limbs - 1) { - gen.extend(quote!{ + gen.extend(quote! { let mut carry = 0; }); for j in (i + 1)..limbs { let temp = get_temp(i + j); if i == 0 { - gen.extend(quote!{ + gen.extend(quote! { let #temp = ::ff::mac_with_carry(0, (#a.0).0[#i], (#a.0).0[#j], &mut carry); }); } else { @@ -667,7 +668,7 @@ fn prime_field_impl( let temp = get_temp(i + limbs); - gen.extend(quote!{ + gen.extend(quote! { let #temp = carry; }); } @@ -677,21 +678,21 @@ fn prime_field_impl( let temp1 = get_temp(limbs * 2 - i - 1); if i == 1 { - gen.extend(quote!{ + gen.extend(quote! { let #temp0 = #temp1 >> 63; }); } else if i == (limbs * 2 - 1) { - gen.extend(quote!{ + gen.extend(quote! { let #temp0 = #temp0 << 1; }); } else { - gen.extend(quote!{ + gen.extend(quote! { let #temp0 = (#temp0 << 1) | (#temp1 >> 63); }); } } - gen.extend(quote!{ + gen.extend(quote! { let mut carry = 0; }); @@ -699,7 +700,7 @@ fn prime_field_impl( let temp0 = get_temp(i * 2); let temp1 = get_temp(i * 2 + 1); if i == 0 { - gen.extend(quote!{ + gen.extend(quote! { let #temp0 = ::ff::mac_with_carry(0, (#a.0).0[#i], (#a.0).0[#i], &mut carry); }); } else { @@ -708,7 +709,7 @@ fn prime_field_impl( }); } - gen.extend(quote!{ + gen.extend(quote! { let #temp1 = ::ff::adc(#temp1, 0, &mut carry); }); } @@ -719,7 +720,7 @@ fn prime_field_impl( proc_macro2::Punct::new(',', proc_macro2::Spacing::Alone), ); - gen.extend(quote!{ + gen.extend(quote! { self.mont_reduce(#mont_calling); }); @@ -734,7 +735,7 @@ fn prime_field_impl( let mut gen = proc_macro2::TokenStream::new(); for i in 0..limbs { - gen.extend(quote!{ + gen.extend(quote! { let mut carry = 0; }); @@ -742,7 +743,7 @@ fn prime_field_impl( let temp = get_temp(i + j); if i == 0 { - gen.extend(quote!{ + gen.extend(quote! { let #temp = ::ff::mac_with_carry(0, (#a.0).0[#i], (#b.0).0[#j], &mut carry); }); } else { @@ -754,7 +755,7 @@ fn prime_field_impl( let temp = get_temp(i + limbs); - gen.extend(quote!{ + gen.extend(quote! { let #temp = carry; }); } @@ -765,29 +766,29 @@ fn prime_field_impl( proc_macro2::Punct::new(',', proc_macro2::Spacing::Alone), ); - gen.extend(quote!{ + gen.extend(quote! { self.mont_reduce(#mont_calling); }); gen } - let squaring_impl = sqr_impl(quote!{self}, limbs); - let multiply_impl = mul_impl(quote!{self}, quote!{other}, limbs); + let squaring_impl = sqr_impl(quote! {self}, limbs); + let multiply_impl = mul_impl(quote! {self}, quote! {other}, limbs); let montgomery_impl = mont_impl(limbs); // (self.0).0[0], (self.0).0[1], ..., 0, 0, 0, 0, ... let mut into_repr_params = proc_macro2::TokenStream::new(); into_repr_params.append_separated( (0..limbs) - .map(|i| quote!{ (self.0).0[#i] }) - .chain((0..limbs).map(|_| quote!{0})), + .map(|i| quote! { (self.0).0[#i] }) + .chain((0..limbs).map(|_| quote! {0})), proc_macro2::Punct::new(',', proc_macro2::Spacing::Alone), ); let top_limb_index = limbs - 1; - quote!{ + quote! { impl ::std::marker::Copy for #name { } impl ::std::clone::Clone for #name { diff --git a/librustzcash/src/rustzcash.rs b/librustzcash/src/rustzcash.rs index b1e0a30e9..0697272a4 100644 --- a/librustzcash/src/rustzcash.rs +++ b/librustzcash/src/rustzcash.rs @@ -59,9 +59,7 @@ use std::os::windows::ffi::OsStringExt; use zcash_primitives::{ merkle_tree::CommitmentTreeWitness, note_encryption::sapling_ka_agree, - primitives::{ - Diversifier, Note, PaymentAddress, ProofGenerationKey, ViewingKey, - }, + primitives::{Diversifier, Note, PaymentAddress, ProofGenerationKey, ViewingKey}, redjubjub::{self, Signature}, sapling::{merkle_hash, spend_sig}, transaction::components::Amount, diff --git a/pairing/src/bls12_381/ec.rs b/pairing/src/bls12_381/ec.rs index fa659bd58..9a78e37d6 100644 --- a/pairing/src/bls12_381/ec.rs +++ b/pairing/src/bls12_381/ec.rs @@ -14,11 +14,10 @@ macro_rules! curve_impl { pub struct $affine { pub(crate) x: $basefield, pub(crate) y: $basefield, - pub(crate) infinity: bool + pub(crate) infinity: bool, } - impl ::std::fmt::Display for $affine - { + impl ::std::fmt::Display for $affine { fn fmt(&self, f: &mut ::std::fmt::Formatter) -> ::std::fmt::Result { if self.infinity { write!(f, "{}(Infinity)", $name) @@ -30,13 +29,12 @@ macro_rules! curve_impl { #[derive(Copy, Clone, Debug, Eq)] pub struct $projective { - pub(crate) x: $basefield, - pub(crate) y: $basefield, - pub(crate) z: $basefield + pub(crate) x: $basefield, + pub(crate) y: $basefield, + pub(crate) z: $basefield, } - impl ::std::fmt::Display for $projective - { + impl ::std::fmt::Display for $projective { fn fmt(&self, f: &mut ::std::fmt::Formatter) -> ::std::fmt::Result { write!(f, "{}", self.into_affine()) } @@ -89,7 +87,9 @@ macro_rules! curve_impl { let mut res = $projective::zero(); for i in bits { res.double(); - if i { res.add_assign_mixed(self) } + if i { + res.add_assign_mixed(self) + } } res } @@ -112,12 +112,8 @@ macro_rules! curve_impl { $affine { x: x, - y: if (y < negy) ^ greatest { - y - } else { - negy - }, - infinity: false + y: if (y < negy) ^ greatest { y } else { negy }, + infinity: false, } }) } @@ -156,7 +152,7 @@ macro_rules! curve_impl { $affine { x: $basefield::zero(), y: $basefield::one(), - infinity: true + infinity: true, } } @@ -182,7 +178,6 @@ macro_rules! curve_impl { fn into_projective(&self) -> $projective { (*self).into() } - } impl PairingCurveAffine for $affine { @@ -197,7 +192,6 @@ macro_rules! curve_impl { fn pairing_with(&self, other: &Self::Pair) -> Self::PairingResult { self.perform_pairing(other) } - } impl CurveProjective for $projective { @@ -227,7 +221,7 @@ macro_rules! curve_impl { $projective { x: $basefield::zero(), y: $basefield::one(), - z: $basefield::zero() + z: $basefield::zero(), } } @@ -245,8 +239,7 @@ macro_rules! curve_impl { self.is_zero() || self.z == $basefield::one() } - fn batch_normalization(v: &mut [Self]) - { + fn batch_normalization(v: &mut [Self]) { // Montgomery’s Trick and Fast Implementation of Masked AES // Genelle, Prouff and Quisquater // Section 3.2 @@ -254,9 +247,10 @@ macro_rules! curve_impl { // First pass: compute [a, ab, abc, ...] let mut prod = Vec::with_capacity(v.len()); let mut tmp = $basefield::one(); - for g in v.iter_mut() - // Ignore normalized elements - .filter(|g| !g.is_normalized()) + for g in v + .iter_mut() + // Ignore normalized elements + .filter(|g| !g.is_normalized()) { tmp.mul_assign(&g.z); prod.push(tmp); @@ -266,13 +260,19 @@ macro_rules! curve_impl { tmp = tmp.inverse().unwrap(); // Guaranteed to be nonzero. // Second pass: iterate backwards to compute inverses - for (g, s) in v.iter_mut() - // Backwards - .rev() - // Ignore normalized elements - .filter(|g| !g.is_normalized()) - // Backwards, skip last element, fill in one for last term. - .zip(prod.into_iter().rev().skip(1).chain(Some($basefield::one()))) + for (g, s) in v + .iter_mut() + // Backwards + .rev() + // Ignore normalized elements + .filter(|g| !g.is_normalized()) + // Backwards, skip last element, fill in one for last term. + .zip( + prod.into_iter() + .rev() + .skip(1) + .chain(Some($basefield::one())), + ) { // tmp := tmp * g.z; g.z := tmp * s = 1/z let mut newtmp = tmp; @@ -283,9 +283,7 @@ macro_rules! curve_impl { } // Perform affine transformations - for g in v.iter_mut() - .filter(|g| !g.is_normalized()) - { + for g in v.iter_mut().filter(|g| !g.is_normalized()) { let mut z = g.z; // 1/z z.square(); // 1/z^2 g.x.mul_assign(&z); // x/z^2 @@ -538,8 +536,7 @@ macro_rules! curve_impl { let mut found_one = false; - for i in BitIterator::new(other.into()) - { + for i in BitIterator::new(other.into()) { if found_one { res.double(); } else { @@ -577,7 +574,7 @@ macro_rules! curve_impl { $projective { x: p.x, y: p.y, - z: $basefield::one() + z: $basefield::one(), } } } @@ -594,7 +591,7 @@ macro_rules! curve_impl { $affine { x: p.x, y: p.y, - infinity: false + infinity: false, } } else { // Z is nonzero, so it must have an inverse in a field. @@ -614,12 +611,12 @@ macro_rules! curve_impl { $affine { x: x, y: y, - infinity: false + infinity: false, } } } } - } + }; } pub mod g1 { @@ -990,7 +987,8 @@ pub mod g1 { 0x9fe83b1b4a5d648d, 0xf583cc5a508f6a40, 0xc3ad2aefde0bb13, - ])).unwrap(), + ])) + .unwrap(), y: Fq::from_repr(FqRepr([ 0x60aa6f9552f03aae, 0xecd01d5181300d35, @@ -998,7 +996,8 @@ pub mod g1 { 0xe760f57922998c9d, 0x953703f5795a39e5, 0xfe3ae0922df702c, - ])).unwrap(), + ])) + .unwrap(), infinity: false, }; assert!(!p.is_on_curve()); @@ -1015,7 +1014,8 @@ pub mod g1 { 0xea034ee2928b30a8, 0xbd8833dc7c79a7f7, 0xe45c9f0c0438675, - ])).unwrap(), + ])) + .unwrap(), y: Fq::from_repr(FqRepr([ 0x3b450eb1ab7b5dad, 0xa65cb81e975e8675, @@ -1023,7 +1023,8 @@ pub mod g1 { 0x753ddf21a2601d20, 0x532d0b640bd3ff8b, 0x118d2c543f031102, - ])).unwrap(), + ])) + .unwrap(), infinity: false, }; assert!(!p.is_on_curve()); @@ -1041,7 +1042,8 @@ pub mod g1 { 0xf35de9ce0d6b4e84, 0x265bddd23d1dec54, 0x12a8778088458308, - ])).unwrap(), + ])) + .unwrap(), y: Fq::from_repr(FqRepr([ 0x8a22defa0d526256, 0xc57ca55456fcb9ae, @@ -1049,7 +1051,8 @@ pub mod g1 { 0x921beef89d4f29df, 0x5b6fda44ad85fa78, 0xed74ab9f302cbe0, - ])).unwrap(), + ])) + .unwrap(), infinity: false, }; assert!(p.is_on_curve()); @@ -1067,7 +1070,8 @@ pub mod g1 { 0x485e77d50a5df10d, 0x4c6fcac4b55fd479, 0x86ed4d9906fb064, - ])).unwrap(), + ])) + .unwrap(), y: Fq::from_repr(FqRepr([ 0xd25ee6461538c65, 0x9f3bbb2ecd3719b9, @@ -1075,7 +1079,8 @@ pub mod g1 { 0xcefca68333c35288, 0x570c8005f8573fa6, 0x152ca696fe034442, - ])).unwrap(), + ])) + .unwrap(), z: Fq::one(), }; @@ -1087,7 +1092,8 @@ pub mod g1 { 0x5f44314ec5e3fb03, 0x24e8538737c6e675, 0x8abd623a594fba8, - ])).unwrap(), + ])) + .unwrap(), y: Fq::from_repr(FqRepr([ 0x6b0528f088bb7044, 0x2fdeb5c82917ff9e, @@ -1095,7 +1101,8 @@ pub mod g1 { 0xd65104c6f95a872a, 0x1f2998a5a9c61253, 0xe74846154a9e44, - ])).unwrap(), + ])) + .unwrap(), z: Fq::one(), }); @@ -1111,7 +1118,8 @@ pub mod g1 { 0xc4f9a52a428e23bb, 0xd178b28dd4f407ef, 0x17fb8905e9183c69 - ])).unwrap(), + ])) + .unwrap(), y: Fq::from_repr(FqRepr([ 0xd0de9d65292b7710, 0xf6a05f2bcf1d9ca7, @@ -1119,7 +1127,8 @@ pub mod g1 { 0xeec8d1a5b7466c58, 0x4bc362649dce6376, 0x430cbdc5455b00a - ])).unwrap(), + ])) + .unwrap(), infinity: false, } ); @@ -1135,7 +1144,8 @@ pub mod g1 { 0x485e77d50a5df10d, 0x4c6fcac4b55fd479, 0x86ed4d9906fb064, - ])).unwrap(), + ])) + .unwrap(), y: Fq::from_repr(FqRepr([ 0xd25ee6461538c65, 0x9f3bbb2ecd3719b9, @@ -1143,7 +1153,8 @@ pub mod g1 { 0xcefca68333c35288, 0x570c8005f8573fa6, 0x152ca696fe034442, - ])).unwrap(), + ])) + .unwrap(), z: Fq::one(), }; @@ -1161,7 +1172,8 @@ pub mod g1 { 0x4b914c16687dcde0, 0x66c8baf177d20533, 0xaf960cff3d83833 - ])).unwrap(), + ])) + .unwrap(), y: Fq::from_repr(FqRepr([ 0x3f0675695f5177a8, 0x2b6d82ae178a1ba0, @@ -1169,7 +1181,8 @@ pub mod g1 { 0x1771a65b60572f4e, 0x8b547c1313b27555, 0x135075589a687b1e - ])).unwrap(), + ])) + .unwrap(), infinity: false, } ); @@ -1192,7 +1205,8 @@ pub mod g1 { 0x71ffa8021531705, 0x7418d484386d267, 0xd5108d8ff1fbd6, - ])).unwrap(), + ])) + .unwrap(), y: Fq::from_repr(FqRepr([ 0xa776ccbfe9981766, 0x255632964ff40f4a, @@ -1200,7 +1214,8 @@ pub mod g1 { 0x520f74773e74c8c3, 0x484c8fc982008f0, 0xee2c3d922008cc6, - ])).unwrap(), + ])) + .unwrap(), infinity: false, }; @@ -1212,7 +1227,8 @@ pub mod g1 { 0xc6e05201e5f83991, 0xf7c75910816f207c, 0x18d4043e78103106, - ])).unwrap(), + ])) + .unwrap(), y: Fq::from_repr(FqRepr([ 0xa776ccbfe9981766, 0x255632964ff40f4a, @@ -1220,7 +1236,8 @@ pub mod g1 { 0x520f74773e74c8c3, 0x484c8fc982008f0, 0xee2c3d922008cc6, - ])).unwrap(), + ])) + .unwrap(), infinity: false, }; @@ -1235,7 +1252,8 @@ pub mod g1 { 0x9676ff02ec39c227, 0x4c12c15d7e55b9f3, 0x57fd1e317db9bd, - ])).unwrap(), + ])) + .unwrap(), y: Fq::from_repr(FqRepr([ 0x1288334016679345, 0xf955cd68615ff0b5, @@ -1243,7 +1261,8 @@ pub mod g1 { 0x1267d70db51049fb, 0x4696deb9ab2ba3e7, 0xb1e4e11177f59d4, - ])).unwrap(), + ])) + .unwrap(), infinity: false, }; @@ -1673,7 +1692,8 @@ pub mod g2 { 0x7a17a004747e3dbe, 0xcc65406a7c2e5a73, 0x10b8c03d64db4d0c, - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0xd30e70fe2f029778, 0xda30772df0f5212e, @@ -1681,7 +1701,8 @@ pub mod g2 { 0xfb777e5b9b568608, 0x789bac1fec71a2b9, 0x1342f02e2da54405, - ])).unwrap(), + ])) + .unwrap(), }, y: Fq2 { c0: Fq::from_repr(FqRepr([ @@ -1691,7 +1712,8 @@ pub mod g2 { 0x663015d9410eb608, 0x78e82a79d829a544, 0x40a00545bb3c1e, - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0x4709802348e79377, 0xb5ac4dc9204bcfbd, @@ -1699,7 +1721,8 @@ pub mod g2 { 0x15008b1dc399e8df, 0x68128fd0548a3829, 0x16a613db5c873aaa, - ])).unwrap(), + ])) + .unwrap(), }, infinity: false, }; @@ -1718,7 +1741,8 @@ pub mod g2 { 0x41abba710d6c692c, 0xffcc4b2b62ce8484, 0x6993ec01b8934ed, - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0xb94e92d5f874e26, 0x44516408bc115d95, @@ -1726,7 +1750,8 @@ pub mod g2 { 0xa5a0c2b7131f3555, 0x83800965822367e7, 0x10cf1d3ad8d90bfa, - ])).unwrap(), + ])) + .unwrap(), }, y: Fq2 { c0: Fq::from_repr(FqRepr([ @@ -1736,7 +1761,8 @@ pub mod g2 { 0x5a9171720e73eb51, 0x38eb4fd8d658adb7, 0xb649051bbc1164d, - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0x9225814253d7df75, 0xc196c2513477f887, @@ -1744,7 +1770,8 @@ pub mod g2 { 0x55f2b8efad953e04, 0x7379345eda55265e, 0x377f2e6208fd4cb, - ])).unwrap(), + ])) + .unwrap(), }, infinity: false, }; @@ -1764,7 +1791,8 @@ pub mod g2 { 0x2199bc19c48c393d, 0x4a151b732a6075bf, 0x17762a3b9108c4a7, - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0x26f461e944bbd3d1, 0x298f3189a9cf6ed6, @@ -1772,7 +1800,8 @@ pub mod g2 { 0x7e147f3f9e6e241, 0x72a9b63583963fff, 0x158b0083c000462, - ])).unwrap(), + ])) + .unwrap(), }, y: Fq2 { c0: Fq::from_repr(FqRepr([ @@ -1782,7 +1811,8 @@ pub mod g2 { 0x68cad19430706b4d, 0x3ccfb97b924dcea8, 0x1660f93434588f8d, - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0xaaed3985b6dcb9c7, 0xc1e985d6d898d9f4, @@ -1790,7 +1820,8 @@ pub mod g2 { 0x3940a2dbb914b529, 0xbeb88137cf34f3e7, 0x1699ee577c61b694, - ])).unwrap(), + ])) + .unwrap(), }, infinity: false, }; @@ -1810,7 +1841,8 @@ pub mod g2 { 0x72556c999f3707ac, 0x4617f2e6774e9711, 0x100b2fe5bffe030b, - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0x7a33555977ec608, 0xe23039d1fe9c0881, @@ -1818,7 +1850,8 @@ pub mod g2 { 0x4637c4f417667e2e, 0x93ebe7c3e41f6acc, 0xde884f89a9a371b, - ])).unwrap(), + ])) + .unwrap(), }, y: Fq2 { c0: Fq::from_repr(FqRepr([ @@ -1828,7 +1861,8 @@ pub mod g2 { 0x25fd427b4122f231, 0xd83112aace35cae, 0x191b2432407cbb7f, - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0xf68ae82fe97662f5, 0xe986057068b50b7d, @@ -1836,7 +1870,8 @@ pub mod g2 { 0x9eaa6d19de569196, 0xf6a03d31e2ec2183, 0x3bdafaf7ca9b39b, - ])).unwrap(), + ])) + .unwrap(), }, z: Fq2::one(), }; @@ -1850,7 +1885,8 @@ pub mod g2 { 0x8e73a96b329ad190, 0x27c546f75ee1f3ab, 0xa33d27add5e7e82, - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0x93b1ebcd54870dfe, 0xf1578300e1342e11, @@ -1858,7 +1894,8 @@ pub mod g2 { 0x2089faf462438296, 0x828e5848cd48ea66, 0x141ecbac1deb038b, - ])).unwrap(), + ])) + .unwrap(), }, y: Fq2 { c0: Fq::from_repr(FqRepr([ @@ -1868,7 +1905,8 @@ pub mod g2 { 0x2767032fc37cc31d, 0xd5ee2aba84fd10fe, 0x16576ccd3dd0a4e8, - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0x4da9b6f6a96d1dd2, 0x9657f7da77f1650e, @@ -1876,7 +1914,8 @@ pub mod g2 { 0x31898db63f87363a, 0xabab040ddbd097cc, 0x11ad236b9ba02990, - ])).unwrap(), + ])) + .unwrap(), }, z: Fq2::one(), }); @@ -1894,7 +1933,8 @@ pub mod g2 { 0xf1273e6406eef9cc, 0xababd760ff05cb92, 0xd7c20456617e89 - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0xd1a50b8572cbd2b8, 0x238f0ac6119d07df, @@ -1902,7 +1942,8 @@ pub mod g2 { 0x8b203284c51edf6b, 0xc8a0b730bbb21f5e, 0x1a3b59d29a31274 - ])).unwrap(), + ])) + .unwrap(), }, y: Fq2 { c0: Fq::from_repr(FqRepr([ @@ -1912,7 +1953,8 @@ pub mod g2 { 0x64528ab3863633dc, 0x159384333d7cba97, 0x4cb84741f3cafe8 - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0x242af0dc3640e1a4, 0xe90a73ad65c66919, @@ -1920,7 +1962,8 @@ pub mod g2 { 0x38528f92b689644d, 0xb6884deec59fb21f, 0x3c075d3ec52ba90 - ])).unwrap(), + ])) + .unwrap(), }, infinity: false, } @@ -1938,7 +1981,8 @@ pub mod g2 { 0x72556c999f3707ac, 0x4617f2e6774e9711, 0x100b2fe5bffe030b, - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0x7a33555977ec608, 0xe23039d1fe9c0881, @@ -1946,7 +1990,8 @@ pub mod g2 { 0x4637c4f417667e2e, 0x93ebe7c3e41f6acc, 0xde884f89a9a371b, - ])).unwrap(), + ])) + .unwrap(), }, y: Fq2 { c0: Fq::from_repr(FqRepr([ @@ -1956,7 +2001,8 @@ pub mod g2 { 0x25fd427b4122f231, 0xd83112aace35cae, 0x191b2432407cbb7f, - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0xf68ae82fe97662f5, 0xe986057068b50b7d, @@ -1964,7 +2010,8 @@ pub mod g2 { 0x9eaa6d19de569196, 0xf6a03d31e2ec2183, 0x3bdafaf7ca9b39b, - ])).unwrap(), + ])) + .unwrap(), }, z: Fq2::one(), }; @@ -1984,7 +2031,8 @@ pub mod g2 { 0xbcedcfce1e52d986, 0x9755d4a3926e9862, 0x18bab73760fd8024 - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0x4e7c5e0a2ae5b99e, 0x96e582a27f028961, @@ -1992,7 +2040,8 @@ pub mod g2 { 0xeb0cf5e610ef4fe7, 0x7b4c2bae8db6e70b, 0xf136e43909fca0 - ])).unwrap(), + ])) + .unwrap(), }, y: Fq2 { c0: Fq::from_repr(FqRepr([ @@ -2002,7 +2051,8 @@ pub mod g2 { 0xa5a2a51f7fde787b, 0x8b92866bc6384188, 0x81a53fe531d64ef - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0x4c5d607666239b34, 0xeddb5f48304d14b3, @@ -2010,7 +2060,8 @@ pub mod g2 { 0xb271f52f12ead742, 0x244e6c2015c83348, 0x19e2deae6eb9b441 - ])).unwrap(), + ])) + .unwrap(), }, infinity: false, } diff --git a/pairing/src/bls12_381/fq.rs b/pairing/src/bls12_381/fq.rs index 0f54196af..d27254569 100644 --- a/pairing/src/bls12_381/fq.rs +++ b/pairing/src/bls12_381/fq.rs @@ -1582,26 +1582,24 @@ fn test_fq_is_valid() { a.0.sub_noborrow(&FqRepr::from(1)); assert!(a.is_valid()); assert!(Fq(FqRepr::from(0)).is_valid()); - assert!( - Fq(FqRepr([ - 0xdf4671abd14dab3e, - 0xe2dc0c9f534fbd33, - 0x31ca6c880cc444a6, - 0x257a67e70ef33359, - 0xf9b29e493f899b36, - 0x17c8be1800b9f059 - ])).is_valid() - ); - assert!( - !Fq(FqRepr([ - 0xffffffffffffffff, - 0xffffffffffffffff, - 0xffffffffffffffff, - 0xffffffffffffffff, - 0xffffffffffffffff, - 0xffffffffffffffff - ])).is_valid() - ); + assert!(Fq(FqRepr([ + 0xdf4671abd14dab3e, + 0xe2dc0c9f534fbd33, + 0x31ca6c880cc444a6, + 0x257a67e70ef33359, + 0xf9b29e493f899b36, + 0x17c8be1800b9f059 + ])) + .is_valid()); + assert!(!Fq(FqRepr([ + 0xffffffffffffffff, + 0xffffffffffffffff, + 0xffffffffffffffff, + 0xffffffffffffffff, + 0xffffffffffffffff, + 0xffffffffffffffff + ])) + .is_valid()); let mut rng = XorShiftRng::from_seed([ 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, @@ -1949,7 +1947,8 @@ fn test_fq_squaring() { 0xdc05c659b4e15b27, 0x79361e5a802c6a23, 0x24bcbe5d51b9a6f - ])).unwrap() + ])) + .unwrap() ); let mut rng = XorShiftRng::from_seed([ @@ -2099,16 +2098,15 @@ fn test_fq_sqrt() { #[test] fn test_fq_from_into_repr() { // q + 1 should not be in the field - assert!( - Fq::from_repr(FqRepr([ - 0xb9feffffffffaaac, - 0x1eabfffeb153ffff, - 0x6730d2a0f6b0f624, - 0x64774b84f38512bf, - 0x4b1ba7b6434bacd7, - 0x1a0111ea397fe69a - ])).is_err() - ); + assert!(Fq::from_repr(FqRepr([ + 0xb9feffffffffaaac, + 0x1eabfffeb153ffff, + 0x6730d2a0f6b0f624, + 0x64774b84f38512bf, + 0x4b1ba7b6434bacd7, + 0x1a0111ea397fe69a + ])) + .is_err()); // q should not be in the field assert!(Fq::from_repr(Fq::char()).is_err()); diff --git a/pairing/src/bls12_381/fq12.rs b/pairing/src/bls12_381/fq12.rs index 3c726d2ce..dcfdef14f 100644 --- a/pairing/src/bls12_381/fq12.rs +++ b/pairing/src/bls12_381/fq12.rs @@ -2,7 +2,7 @@ use super::fq::FROBENIUS_COEFF_FQ12_C1; use super::fq2::Fq2; use super::fq6::Fq6; use ff::Field; -use rand_core::{RngCore}; +use rand_core::RngCore; /// An element of Fq12, represented by c0 + c1 * w. #[derive(Copy, Clone, Debug, Eq, PartialEq)] diff --git a/pairing/src/bls12_381/fq2.rs b/pairing/src/bls12_381/fq2.rs index 994a28a2a..781828055 100644 --- a/pairing/src/bls12_381/fq2.rs +++ b/pairing/src/bls12_381/fq2.rs @@ -1,4 +1,4 @@ -use super::fq::{FROBENIUS_COEFF_FQ2_C1, Fq, NEGATIVE_ONE}; +use super::fq::{Fq, FROBENIUS_COEFF_FQ2_C1, NEGATIVE_ONE}; use ff::{Field, SqrtField}; use rand_core::RngCore; @@ -261,12 +261,11 @@ fn test_fq2_basics() { ); assert!(Fq2::zero().is_zero()); assert!(!Fq2::one().is_zero()); - assert!( - !Fq2 { - c0: Fq::zero(), - c1: Fq::one(), - }.is_zero() - ); + assert!(!Fq2 { + c0: Fq::zero(), + c1: Fq::one(), + } + .is_zero()); } #[test] @@ -309,7 +308,8 @@ fn test_fq2_squaring() { 0xf7f295a94e58ae7c, 0x41b76dcc1c3fbe5e, 0x7080c5fa1d8e042, - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0x38f473b3c870a4ab, 0x6ad3291177c8c7e5, @@ -317,7 +317,8 @@ fn test_fq2_squaring() { 0xbfb99020604137a0, 0xfc58a7b7be815407, 0x10d1615e75250a21, - ])).unwrap(), + ])) + .unwrap(), }; a.square(); assert_eq!( @@ -330,7 +331,8 @@ fn test_fq2_squaring() { 0xcb674157618da176, 0x4cf17b5893c3d327, 0x7eac81369c43361 - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0xc1579cf58e980cf8, 0xa23eb7e12dd54d98, @@ -338,7 +340,8 @@ fn test_fq2_squaring() { 0x38d0d7275a9689e1, 0x739c983042779a65, 0x1542a61c8a8db994 - ])).unwrap(), + ])) + .unwrap(), } ); } @@ -356,7 +359,8 @@ fn test_fq2_mul() { 0x9ee53e7e84d7532e, 0x1c202d8ed97afb45, 0x51d3f9253e2516f, - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0xa7348a8b511aedcf, 0x143c215d8176b319, @@ -364,7 +368,8 @@ fn test_fq2_mul() { 0x9533e4a9a5158be, 0x7a5e1ecb676d65f9, 0x180c3ee46656b008, - ])).unwrap(), + ])) + .unwrap(), }; a.mul_assign(&Fq2 { c0: Fq::from_repr(FqRepr([ @@ -374,7 +379,8 @@ fn test_fq2_mul() { 0xcd460f9f0c23e430, 0x6c9110292bfa409, 0x2c93a72eb8af83e, - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0x4b1c3f936d8992d4, 0x1d2a72916dba4c8a, @@ -382,7 +388,8 @@ fn test_fq2_mul() { 0x57a06d3135a752ae, 0x634cd3c6c565096d, 0x19e17334d4e93558, - ])).unwrap(), + ])) + .unwrap(), }); assert_eq!( a, @@ -394,7 +401,8 @@ fn test_fq2_mul() { 0x5511fe4d84ee5f78, 0x5310a202d92f9963, 0x1751afbe166e5399 - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0x84af0e1bd630117a, 0x6c63cd4da2c2aa7, @@ -402,7 +410,8 @@ fn test_fq2_mul() { 0xc975106579c275ee, 0x33a9ac82ce4c5083, 0x1ef1a36c201589d - ])).unwrap(), + ])) + .unwrap(), } ); } @@ -422,7 +431,8 @@ fn test_fq2_inverse() { 0x9ee53e7e84d7532e, 0x1c202d8ed97afb45, 0x51d3f9253e2516f, - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0xa7348a8b511aedcf, 0x143c215d8176b319, @@ -430,7 +440,8 @@ fn test_fq2_inverse() { 0x9533e4a9a5158be, 0x7a5e1ecb676d65f9, 0x180c3ee46656b008, - ])).unwrap(), + ])) + .unwrap(), }; let a = a.inverse().unwrap(); assert_eq!( @@ -443,7 +454,8 @@ fn test_fq2_inverse() { 0xdfba703293941c30, 0xa6c3d8f9586f2636, 0x1351ef01941b70c4 - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0x8c39fd76a8312cb4, 0x15d7b6b95defbff0, @@ -451,7 +463,8 @@ fn test_fq2_inverse() { 0xcbf651a0f367afb2, 0xdf4e54f0d3ef15a6, 0x103bdf241afb0019 - ])).unwrap(), + ])) + .unwrap(), } ); } @@ -469,7 +482,8 @@ fn test_fq2_addition() { 0xb966ce3bc2108b13, 0xccc649c4b9532bf3, 0xf8d295b2ded9dc, - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0x977df6efcdaee0db, 0x946ae52d684fa7ed, @@ -477,7 +491,8 @@ fn test_fq2_addition() { 0xb3f8afc0ee248cad, 0x4e464dea5bcfd41e, 0x12d1137b8a6a837, - ])).unwrap(), + ])) + .unwrap(), }; a.add_assign(&Fq2 { c0: Fq::from_repr(FqRepr([ @@ -487,7 +502,8 @@ fn test_fq2_addition() { 0x3b88899a42a6318f, 0x986a4a62fa82a49d, 0x13ce433fa26027f5, - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0x66323bf80b58b9b9, 0xa1379b6facf6e596, @@ -495,7 +511,8 @@ fn test_fq2_addition() { 0x2236f55246d0d44d, 0x4c8c1800eb104566, 0x11d6e20e986c2085, - ])).unwrap(), + ])) + .unwrap(), }); assert_eq!( a, @@ -507,7 +524,8 @@ fn test_fq2_addition() { 0xf4ef57d604b6bca2, 0x65309427b3d5d090, 0x14c715d5553f01d2 - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0xfdb032e7d9079a94, 0x35a2809d15468d83, @@ -515,7 +533,8 @@ fn test_fq2_addition() { 0xd62fa51334f560fa, 0x9ad265eb46e01984, 0x1303f3465112c8bc - ])).unwrap(), + ])) + .unwrap(), } ); } @@ -533,7 +552,8 @@ fn test_fq2_subtraction() { 0xb966ce3bc2108b13, 0xccc649c4b9532bf3, 0xf8d295b2ded9dc, - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0x977df6efcdaee0db, 0x946ae52d684fa7ed, @@ -541,7 +561,8 @@ fn test_fq2_subtraction() { 0xb3f8afc0ee248cad, 0x4e464dea5bcfd41e, 0x12d1137b8a6a837, - ])).unwrap(), + ])) + .unwrap(), }; a.sub_assign(&Fq2 { c0: Fq::from_repr(FqRepr([ @@ -551,7 +572,8 @@ fn test_fq2_subtraction() { 0x3b88899a42a6318f, 0x986a4a62fa82a49d, 0x13ce433fa26027f5, - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0x66323bf80b58b9b9, 0xa1379b6facf6e596, @@ -559,7 +581,8 @@ fn test_fq2_subtraction() { 0x2236f55246d0d44d, 0x4c8c1800eb104566, 0x11d6e20e986c2085, - ])).unwrap(), + ])) + .unwrap(), }); assert_eq!( a, @@ -571,7 +594,8 @@ fn test_fq2_subtraction() { 0xe255902672ef6c43, 0x7f77a718021c342d, 0x72ba14049fe9881 - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0xeb4abaf7c255d1cd, 0x11df49bc6cacc256, @@ -579,7 +603,8 @@ fn test_fq2_subtraction() { 0xf63905f39ad8cb1f, 0x4cd5dd9fb40b3b8f, 0x957411359ba6e4c - ])).unwrap(), + ])) + .unwrap(), } ); } @@ -597,7 +622,8 @@ fn test_fq2_negation() { 0xb966ce3bc2108b13, 0xccc649c4b9532bf3, 0xf8d295b2ded9dc, - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0x977df6efcdaee0db, 0x946ae52d684fa7ed, @@ -605,7 +631,8 @@ fn test_fq2_negation() { 0xb3f8afc0ee248cad, 0x4e464dea5bcfd41e, 0x12d1137b8a6a837, - ])).unwrap(), + ])) + .unwrap(), }; a.negate(); assert_eq!( @@ -618,7 +645,8 @@ fn test_fq2_negation() { 0xab107d49317487ab, 0x7e555df189f880e3, 0x19083f5486a10cbd - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0x228109103250c9d0, 0x8a411ad149045812, @@ -626,7 +654,8 @@ fn test_fq2_negation() { 0xb07e9bc405608611, 0xfcd559cbe77bd8b8, 0x18d400b280d93e62 - ])).unwrap(), + ])) + .unwrap(), } ); } @@ -644,7 +673,8 @@ fn test_fq2_doubling() { 0xb966ce3bc2108b13, 0xccc649c4b9532bf3, 0xf8d295b2ded9dc, - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0x977df6efcdaee0db, 0x946ae52d684fa7ed, @@ -652,7 +682,8 @@ fn test_fq2_doubling() { 0xb3f8afc0ee248cad, 0x4e464dea5bcfd41e, 0x12d1137b8a6a837, - ])).unwrap(), + ])) + .unwrap(), }; a.double(); assert_eq!( @@ -665,7 +696,8 @@ fn test_fq2_doubling() { 0x72cd9c7784211627, 0x998c938972a657e7, 0x1f1a52b65bdb3b9 - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0x2efbeddf9b5dc1b6, 0x28d5ca5ad09f4fdb, @@ -673,7 +705,8 @@ fn test_fq2_doubling() { 0x67f15f81dc49195b, 0x9c8c9bd4b79fa83d, 0x25a226f714d506e - ])).unwrap(), + ])) + .unwrap(), } ); } @@ -691,7 +724,8 @@ fn test_fq2_frobenius_map() { 0xb966ce3bc2108b13, 0xccc649c4b9532bf3, 0xf8d295b2ded9dc, - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0x977df6efcdaee0db, 0x946ae52d684fa7ed, @@ -699,7 +733,8 @@ fn test_fq2_frobenius_map() { 0xb3f8afc0ee248cad, 0x4e464dea5bcfd41e, 0x12d1137b8a6a837, - ])).unwrap(), + ])) + .unwrap(), }; a.frobenius_map(0); assert_eq!( @@ -712,7 +747,8 @@ fn test_fq2_frobenius_map() { 0xb966ce3bc2108b13, 0xccc649c4b9532bf3, 0xf8d295b2ded9dc - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0x977df6efcdaee0db, 0x946ae52d684fa7ed, @@ -720,7 +756,8 @@ fn test_fq2_frobenius_map() { 0xb3f8afc0ee248cad, 0x4e464dea5bcfd41e, 0x12d1137b8a6a837 - ])).unwrap(), + ])) + .unwrap(), } ); a.frobenius_map(1); @@ -734,7 +771,8 @@ fn test_fq2_frobenius_map() { 0xb966ce3bc2108b13, 0xccc649c4b9532bf3, 0xf8d295b2ded9dc - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0x228109103250c9d0, 0x8a411ad149045812, @@ -742,7 +780,8 @@ fn test_fq2_frobenius_map() { 0xb07e9bc405608611, 0xfcd559cbe77bd8b8, 0x18d400b280d93e62 - ])).unwrap(), + ])) + .unwrap(), } ); a.frobenius_map(1); @@ -756,7 +795,8 @@ fn test_fq2_frobenius_map() { 0xb966ce3bc2108b13, 0xccc649c4b9532bf3, 0xf8d295b2ded9dc - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0x977df6efcdaee0db, 0x946ae52d684fa7ed, @@ -764,7 +804,8 @@ fn test_fq2_frobenius_map() { 0xb3f8afc0ee248cad, 0x4e464dea5bcfd41e, 0x12d1137b8a6a837 - ])).unwrap(), + ])) + .unwrap(), } ); a.frobenius_map(2); @@ -778,7 +819,8 @@ fn test_fq2_frobenius_map() { 0xb966ce3bc2108b13, 0xccc649c4b9532bf3, 0xf8d295b2ded9dc - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0x977df6efcdaee0db, 0x946ae52d684fa7ed, @@ -786,7 +828,8 @@ fn test_fq2_frobenius_map() { 0xb3f8afc0ee248cad, 0x4e464dea5bcfd41e, 0x12d1137b8a6a837 - ])).unwrap(), + ])) + .unwrap(), } ); } @@ -805,7 +848,8 @@ fn test_fq2_sqrt() { 0xdb4a116b5bf74aa1, 0x1e58b2159dfe10e2, 0x7ca7da1f13606ac - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0xfa8de88b7516d2c3, 0x371a75ed14f41629, @@ -813,9 +857,11 @@ fn test_fq2_sqrt() { 0x212611bca4e99121, 0x8ee5394d77afb3d, 0xec92336650e49d5 - ])).unwrap(), - }.sqrt() + ])) .unwrap(), + } + .sqrt() + .unwrap(), Fq2 { c0: Fq::from_repr(FqRepr([ 0x40b299b2704258c5, @@ -824,7 +870,8 @@ fn test_fq2_sqrt() { 0x8d7f1f723d02c1d3, 0x881b3e01b611c070, 0x10f6963bbad2ebc5 - ])).unwrap(), + ])) + .unwrap(), c1: Fq::from_repr(FqRepr([ 0xc099534fc209e752, 0x7670594665676447, @@ -832,7 +879,8 @@ fn test_fq2_sqrt() { 0x6b852aeaf2afcb1b, 0xa4c93b08105d71a9, 0x8d7cfff94216330 - ])).unwrap(), + ])) + .unwrap(), } ); @@ -845,10 +893,12 @@ fn test_fq2_sqrt() { 0x64774b84f38512bf, 0x4b1ba7b6434bacd7, 0x1a0111ea397fe69a - ])).unwrap(), - c1: Fq::zero(), - }.sqrt() + ])) .unwrap(), + c1: Fq::zero(), + } + .sqrt() + .unwrap(), Fq2 { c0: Fq::zero(), c1: Fq::from_repr(FqRepr([ @@ -858,7 +908,8 @@ fn test_fq2_sqrt() { 0x64774b84f38512bf, 0x4b1ba7b6434bacd7, 0x1a0111ea397fe69a - ])).unwrap(), + ])) + .unwrap(), } ); } diff --git a/pairing/src/bls12_381/fq6.rs b/pairing/src/bls12_381/fq6.rs index dbe58f724..b85c95d15 100644 --- a/pairing/src/bls12_381/fq6.rs +++ b/pairing/src/bls12_381/fq6.rs @@ -17,7 +17,6 @@ impl ::std::fmt::Display for Fq6 { } } - impl Fq6 { /// Multiply by quadratic nonresidue v. pub fn mul_by_nonresidue(&mut self) { diff --git a/pairing/src/bls12_381/fr.rs b/pairing/src/bls12_381/fr.rs index cb378f412..018e67a6e 100644 --- a/pairing/src/bls12_381/fr.rs +++ b/pairing/src/bls12_381/fr.rs @@ -388,22 +388,20 @@ fn test_fr_is_valid() { a.0.sub_noborrow(&FrRepr::from(1)); assert!(a.is_valid()); assert!(Fr(FrRepr::from(0)).is_valid()); - assert!( - Fr(FrRepr([ - 0xffffffff00000000, - 0x53bda402fffe5bfe, - 0x3339d80809a1d805, - 0x73eda753299d7d48 - ])).is_valid() - ); - assert!( - !Fr(FrRepr([ - 0xffffffffffffffff, - 0xffffffffffffffff, - 0xffffffffffffffff, - 0xffffffffffffffff - ])).is_valid() - ); + assert!(Fr(FrRepr([ + 0xffffffff00000000, + 0x53bda402fffe5bfe, + 0x3339d80809a1d805, + 0x73eda753299d7d48 + ])) + .is_valid()); + assert!(!Fr(FrRepr([ + 0xffffffffffffffff, + 0xffffffffffffffff, + 0xffffffffffffffff, + 0xffffffffffffffff + ])) + .is_valid()); let mut rng = XorShiftRng::from_seed([ 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, @@ -707,7 +705,8 @@ fn test_fr_squaring() { 0xb79a310579e76ec2, 0xac1da8d0a9af4e5f, 0x13f629c49bf23e97 - ])).unwrap() + ])) + .unwrap() ); let mut rng = XorShiftRng::from_seed([ @@ -857,14 +856,13 @@ fn test_fr_sqrt() { #[test] fn test_fr_from_into_repr() { // r + 1 should not be in the field - assert!( - Fr::from_repr(FrRepr([ - 0xffffffff00000002, - 0x53bda402fffe5bfe, - 0x3339d80809a1d805, - 0x73eda753299d7d48 - ])).is_err() - ); + assert!(Fr::from_repr(FrRepr([ + 0xffffffff00000002, + 0x53bda402fffe5bfe, + 0x3339d80809a1d805, + 0x73eda753299d7d48 + ])) + .is_err()); // r should not be in the field assert!(Fr::from_repr(Fr::char()).is_err()); @@ -967,7 +965,8 @@ fn test_fr_display() { 0x185ec8eb3f5b5aee, 0x684499ffe4b9dd99, 0x7c9bba7afb68faa - ])).unwrap() + ])) + .unwrap() ), "Fr(0x07c9bba7afb68faa684499ffe4b9dd99185ec8eb3f5b5aeec3cae746a3b5ecc7)".to_string() ); @@ -979,7 +978,8 @@ fn test_fr_display() { 0xb0ad10817df79b6a, 0xd034a80a2b74132b, 0x41cf9a1336f50719 - ])).unwrap() + ])) + .unwrap() ), "Fr(0x41cf9a1336f50719d034a80a2b74132bb0ad10817df79b6a44c71298ff198106)".to_string() ); diff --git a/pairing/src/bls12_381/mod.rs b/pairing/src/bls12_381/mod.rs index 7bc03c623..deb6ffc6c 100644 --- a/pairing/src/bls12_381/mod.rs +++ b/pairing/src/bls12_381/mod.rs @@ -9,8 +9,8 @@ mod fr; mod tests; pub use self::ec::{ - G1, G1Affine, G1Compressed, G1Prepared, G1Uncompressed, G2, G2Affine, G2Compressed, G2Prepared, - G2Uncompressed, + G1Affine, G1Compressed, G1Prepared, G1Uncompressed, G2Affine, G2Compressed, G2Prepared, + G2Uncompressed, G1, G2, }; pub use self::fq::{Fq, FqRepr}; pub use self::fq12::Fq12; diff --git a/pairing/src/lib.rs b/pairing/src/lib.rs index a81d1a136..952185c74 100644 --- a/pairing/src/lib.rs +++ b/pairing/src/lib.rs @@ -37,8 +37,7 @@ pub trait Engine: ScalarEngine { Base = Self::Fq, Scalar = Self::Fr, Affine = Self::G1Affine, - > - + From; + > + From; /// The affine representation of an element in G1. type G1Affine: PairingCurveAffine< @@ -48,8 +47,7 @@ pub trait Engine: ScalarEngine { Projective = Self::G1, Pair = Self::G2Affine, PairingResult = Self::Fqk, - > - + From; + > + From; /// The projective representation of an element in G2. type G2: CurveProjective< @@ -57,8 +55,7 @@ pub trait Engine: ScalarEngine { Base = Self::Fqe, Scalar = Self::Fr, Affine = Self::G2Affine, - > - + From; + > + From; /// The affine representation of an element in G2. type G2Affine: PairingCurveAffine< @@ -68,8 +65,7 @@ pub trait Engine: ScalarEngine { Projective = Self::G2, Pair = Self::G1Affine, PairingResult = Self::Fqk, - > - + From; + > + From; /// The base field that hosts G1. type Fq: PrimeField + SqrtField; @@ -101,7 +97,8 @@ pub trait Engine: ScalarEngine { { Self::final_exponentiation(&Self::miller_loop( [(&(p.into().prepare()), &(q.into().prepare()))].iter(), - )).unwrap() + )) + .unwrap() } } diff --git a/pairing/src/tests/field.rs b/pairing/src/tests/field.rs index 0a33a7312..8f3d8d9e0 100644 --- a/pairing/src/tests/field.rs +++ b/pairing/src/tests/field.rs @@ -117,8 +117,8 @@ pub fn from_str_tests() { { let mut rng = XorShiftRng::from_seed([ - 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, - 0xe5, + 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, + 0xbc, 0xe5, ]); for _ in 0..1000 { diff --git a/zcash_client_backend/src/encoding.rs b/zcash_client_backend/src/encoding.rs index e84defa29..d39973d34 100644 --- a/zcash_client_backend/src/encoding.rs +++ b/zcash_client_backend/src/encoding.rs @@ -5,11 +5,11 @@ use bech32::{self, Error, FromBase32, ToBase32}; use pairing::bls12_381::Bls12; +use std::io::{self, Write}; use zcash_primitives::{ jubjub::edwards, primitives::{Diversifier, PaymentAddress}, }; -use std::io::{self, Write}; use zcash_primitives::{ zip32::{ExtendedFullViewingKey, ExtendedSpendingKey}, JUBJUB, @@ -187,11 +187,11 @@ mod tests { use pairing::bls12_381::Bls12; use rand_core::SeedableRng; use rand_xorshift::XorShiftRng; + use zcash_primitives::JUBJUB; use zcash_primitives::{ jubjub::edwards, primitives::{Diversifier, PaymentAddress}, }; - use zcash_primitives::JUBJUB; use super::{decode_payment_address, encode_payment_address}; use crate::constants; diff --git a/zcash_primitives/benches/pedersen_hash.rs b/zcash_primitives/benches/pedersen_hash.rs index a8f944e26..b647740b1 100644 --- a/zcash_primitives/benches/pedersen_hash.rs +++ b/zcash_primitives/benches/pedersen_hash.rs @@ -1,14 +1,14 @@ #![feature(test)] +extern crate pairing; extern crate rand_core; extern crate rand_os; extern crate test; -extern crate pairing; extern crate zcash_primitives; +use pairing::bls12_381::Bls12; use rand_core::RngCore; use rand_os::OsRng; -use pairing::bls12_381::Bls12; use zcash_primitives::jubjub::JubjubBls12; use zcash_primitives::pedersen_hash::{pedersen_hash, Personalization}; @@ -16,10 +16,10 @@ use zcash_primitives::pedersen_hash::{pedersen_hash, Personalization}; fn bench_pedersen_hash(b: &mut test::Bencher) { let params = JubjubBls12::new(); let rng = &mut OsRng; - let bits = (0..510).map(|_| (rng.next_u32() % 2) != 0).collect::>(); + let bits = (0..510) + .map(|_| (rng.next_u32() % 2) != 0) + .collect::>(); let personalization = Personalization::MerkleTree(31); - b.iter(|| { - pedersen_hash::(personalization, bits.clone(), ¶ms) - }); + b.iter(|| pedersen_hash::(personalization, bits.clone(), ¶ms)); } diff --git a/zcash_primitives/src/constants.rs b/zcash_primitives/src/constants.rs index dfdd36ff7..c21184df2 100644 --- a/zcash_primitives/src/constants.rs +++ b/zcash_primitives/src/constants.rs @@ -2,39 +2,31 @@ /// This is chosen to be some random string that we couldn't have anticipated when we designed /// the algorithm, for rigidity purposes. /// We deliberately use an ASCII hex string of 32 bytes here. -pub const GH_FIRST_BLOCK: &'static [u8; 64] - = b"096b36a5804bfacef1691e173c366a47ff5ba84a44f26ddd7e8d9f79d5b42df0"; +pub const GH_FIRST_BLOCK: &'static [u8; 64] = + b"096b36a5804bfacef1691e173c366a47ff5ba84a44f26ddd7e8d9f79d5b42df0"; // BLAKE2s invocation personalizations /// BLAKE2s Personalization for CRH^ivk = BLAKE2s(ak | nk) -pub const CRH_IVK_PERSONALIZATION: &'static [u8; 8] - = b"Zcashivk"; +pub const CRH_IVK_PERSONALIZATION: &'static [u8; 8] = b"Zcashivk"; /// BLAKE2s Personalization for PRF^nf = BLAKE2s(nk | rho) -pub const PRF_NF_PERSONALIZATION: &'static [u8; 8] - = b"Zcash_nf"; +pub const PRF_NF_PERSONALIZATION: &'static [u8; 8] = b"Zcash_nf"; // Group hash personalizations /// BLAKE2s Personalization for Pedersen hash generators. -pub const PEDERSEN_HASH_GENERATORS_PERSONALIZATION: &'static [u8; 8] - = b"Zcash_PH"; +pub const PEDERSEN_HASH_GENERATORS_PERSONALIZATION: &'static [u8; 8] = b"Zcash_PH"; /// BLAKE2s Personalization for the group hash for key diversification -pub const KEY_DIVERSIFICATION_PERSONALIZATION: &'static [u8; 8] - = b"Zcash_gd"; +pub const KEY_DIVERSIFICATION_PERSONALIZATION: &'static [u8; 8] = b"Zcash_gd"; /// BLAKE2s Personalization for the spending key base point -pub const SPENDING_KEY_GENERATOR_PERSONALIZATION: &'static [u8; 8] - = b"Zcash_G_"; +pub const SPENDING_KEY_GENERATOR_PERSONALIZATION: &'static [u8; 8] = b"Zcash_G_"; /// BLAKE2s Personalization for the proof generation key base point -pub const PROOF_GENERATION_KEY_BASE_GENERATOR_PERSONALIZATION: &'static [u8; 8] - = b"Zcash_H_"; +pub const PROOF_GENERATION_KEY_BASE_GENERATOR_PERSONALIZATION: &'static [u8; 8] = b"Zcash_H_"; /// BLAKE2s Personalization for the value commitment generator for the value -pub const VALUE_COMMITMENT_GENERATOR_PERSONALIZATION: &'static [u8; 8] - = b"Zcash_cv"; +pub const VALUE_COMMITMENT_GENERATOR_PERSONALIZATION: &'static [u8; 8] = b"Zcash_cv"; /// BLAKE2s Personalization for the nullifier position generator (for computing rho) -pub const NULLIFIER_POSITION_IN_TREE_GENERATOR_PERSONALIZATION: &'static [u8; 8] - = b"Zcash_J_"; +pub const NULLIFIER_POSITION_IN_TREE_GENERATOR_PERSONALIZATION: &'static [u8; 8] = b"Zcash_J_"; diff --git a/zcash_primitives/src/group_hash.rs b/zcash_primitives/src/group_hash.rs index 7369e0473..dec59cdd0 100644 --- a/zcash_primitives/src/group_hash.rs +++ b/zcash_primitives/src/group_hash.rs @@ -1,12 +1,6 @@ -use jubjub::{ - JubjubEngine, - PrimeOrder, - edwards -}; +use jubjub::{edwards, JubjubEngine, PrimeOrder}; -use ff::{ - PrimeField -}; +use ff::PrimeField; use blake2s_simd::Params; use constants; @@ -17,9 +11,8 @@ use constants; pub fn group_hash( tag: &[u8], personalization: &[u8], - params: &E::Params -) -> Option> -{ + params: &E::Params, +) -> Option> { assert_eq!(personalization.len(), 8); // Check to see that scalar field is 255 bits @@ -42,7 +35,7 @@ pub fn group_hash( } else { None } - }, - Err(_) => None + } + Err(_) => None, } } diff --git a/zcash_primitives/src/jubjub/edwards.rs b/zcash_primitives/src/jubjub/edwards.rs index e912aca23..b3cdd6449 100644 --- a/zcash_primitives/src/jubjub/edwards.rs +++ b/zcash_primitives/src/jubjub/edwards.rs @@ -1,22 +1,12 @@ use ff::{BitIterator, Field, PrimeField, PrimeFieldRepr, SqrtField}; -use super::{ - JubjubEngine, - JubjubParams, - Unknown, - PrimeOrder, - montgomery -}; +use super::{montgomery, JubjubEngine, JubjubParams, PrimeOrder, Unknown}; use rand_core::RngCore; use std::marker::PhantomData; -use std::io::{ - self, - Write, - Read -}; +use std::io::{self, Read, Write}; // Represents the affine point (X/Z, Y/Z) via the extended // twisted Edwards coordinates. @@ -29,46 +19,38 @@ pub struct Point { y: E::Fr, t: E::Fr, z: E::Fr, - _marker: PhantomData + _marker: PhantomData, } -fn convert_subgroup(from: &Point) -> Point -{ +fn convert_subgroup(from: &Point) -> Point { Point { x: from.x, y: from.y, t: from.t, z: from.z, - _marker: PhantomData + _marker: PhantomData, } } -impl From<&Point> for Point -{ - fn from(p: &Point) -> Point - { +impl From<&Point> for Point { + fn from(p: &Point) -> Point { p.clone() } } -impl From> for Point -{ - fn from(p: Point) -> Point - { +impl From> for Point { + fn from(p: Point) -> Point { convert_subgroup(&p) } } -impl From<&Point> for Point -{ - fn from(p: &Point) -> Point - { +impl From<&Point> for Point { + fn from(p: &Point) -> Point { convert_subgroup(p) } } -impl Clone for Point -{ +impl Clone for Point { fn clone(&self) -> Self { convert_subgroup(self) } @@ -99,11 +81,7 @@ impl PartialEq for Point { } impl Point { - pub fn read( - reader: R, - params: &E::Params - ) -> io::Result - { + pub fn read(reader: R, params: &E::Params) -> io::Result { let mut y_repr = ::Repr::default(); y_repr.read_le(reader)?; @@ -111,22 +89,18 @@ impl Point { y_repr.as_mut()[3] &= 0x7fffffffffffffff; match E::Fr::from_repr(y_repr) { - Ok(y) => { - match Self::get_for_y(y, x_sign, params) { - Some(p) => Ok(p), - None => { - Err(io::Error::new(io::ErrorKind::InvalidInput, "not on curve")) - } - } + Ok(y) => match Self::get_for_y(y, x_sign, params) { + Some(p) => Ok(p), + None => Err(io::Error::new(io::ErrorKind::InvalidInput, "not on curve")), }, - Err(_) => { - Err(io::Error::new(io::ErrorKind::InvalidInput, "y is not in field")) - } + Err(_) => Err(io::Error::new( + io::ErrorKind::InvalidInput, + "y is not in field", + )), } } - pub fn get_for_y(y: E::Fr, sign: bool, params: &E::Params) -> Option - { + pub fn get_for_y(y: E::Fr, sign: bool, params: &E::Params) -> Option { // Given a y on the curve, x^2 = (y^2 - 1) / (dy^2 + 1) // This is defined for all valid y-coordinates, // as dy^2 + 1 = 0 has no solution in Fr. @@ -162,29 +136,25 @@ impl Point { y: y, t: t, z: E::Fr::one(), - _marker: PhantomData + _marker: PhantomData, }) - }, - None => None + } + None => None, } - }, - None => None + } + None => None, } } /// This guarantees the point is in the prime order subgroup #[must_use] - pub fn mul_by_cofactor(&self, params: &E::Params) -> Point - { - let tmp = self.double(params) - .double(params) - .double(params); + pub fn mul_by_cofactor(&self, params: &E::Params) -> Point { + let tmp = self.double(params).double(params).double(params); convert_subgroup(&tmp) } - pub fn rand(rng: &mut R, params: &E::Params) -> Self - { + pub fn rand(rng: &mut R, params: &E::Params) -> Self { loop { let y = E::Fr::random(rng); let sign = rng.next_u32() % 2 != 0; @@ -197,11 +167,7 @@ impl Point { } impl Point { - pub fn write( - &self, - writer: W - ) -> io::Result<()> - { + pub fn write(&self, writer: W) -> io::Result<()> { let (x, y) = self.into_xy(); assert_eq!(E::Fr::NUM_BITS, 255); @@ -216,16 +182,12 @@ impl Point { } /// Convert from a Montgomery point - pub fn from_montgomery( - m: &montgomery::Point, - params: &E::Params - ) -> Self - { + pub fn from_montgomery(m: &montgomery::Point, params: &E::Params) -> Self { match m.into_xy() { None => { // Map the point at infinity to the neutral element. Point::zero() - }, + } Some((x, y)) => { // The map from a Montgomery curve is defined as: // (x, y) -> (u, v) where @@ -258,7 +220,7 @@ impl Point { y: neg1, t: E::Fr::zero(), z: E::Fr::one(), - _marker: PhantomData + _marker: PhantomData, } } else { // Otherwise, as stated above, the mapping is still @@ -317,7 +279,7 @@ impl Point { y: v, t: t, z: z, - _marker: PhantomData + _marker: PhantomData, } } } @@ -340,12 +302,11 @@ impl Point { y: E::Fr::one(), t: E::Fr::zero(), z: E::Fr::one(), - _marker: PhantomData + _marker: PhantomData, } } - pub fn into_xy(&self) -> (E::Fr, E::Fr) - { + pub fn into_xy(&self) -> (E::Fr, E::Fr) { let zinv = self.z.inverse().unwrap(); let mut x = self.x; @@ -432,13 +393,12 @@ impl Point { y: y3, t: t3, z: z3, - _marker: PhantomData + _marker: PhantomData, } } #[must_use] - pub fn add(&self, other: &Self, params: &E::Params) -> Self - { + pub fn add(&self, other: &Self, params: &E::Params) -> Self { // See "Twisted Edwards Curves Revisited" // Huseyin Hisil, Kenneth Koon-Ho Wong, Gary Carter, and Ed Dawson // 3.1 Unified Addition in E^e @@ -505,17 +465,12 @@ impl Point { y: y3, t: t3, z: z3, - _marker: PhantomData + _marker: PhantomData, } } #[must_use] - pub fn mul::Repr>>( - &self, - scalar: S, - params: &E::Params - ) -> Self - { + pub fn mul::Repr>>(&self, scalar: S, params: &E::Params) -> Self { // Standard double-and-add scalar multiplication let mut res = Self::zero(); diff --git a/zcash_primitives/src/jubjub/fs.rs b/zcash_primitives/src/jubjub/fs.rs index baa16ef13..768bd833a 100644 --- a/zcash_primitives/src/jubjub/fs.rs +++ b/zcash_primitives/src/jubjub/fs.rs @@ -9,7 +9,12 @@ use rand_core::RngCore; use super::ToUniform; // s = 6554484396890773809930967563523245729705921265872317281365359162392183254199 -const MODULUS: FsRepr = FsRepr([0xd0970e5ed6f72cb7, 0xa6682093ccc81082, 0x6673b0101343b00, 0xe7db4ea6533afa9]); +const MODULUS: FsRepr = FsRepr([ + 0xd0970e5ed6f72cb7, + 0xa6682093ccc81082, + 0x6673b0101343b00, + 0xe7db4ea6533afa9, +]); // The number of bits needed to represent the modulus. const MODULUS_BITS: u32 = 252; @@ -19,32 +24,56 @@ const MODULUS_BITS: u32 = 252; const REPR_SHAVE_BITS: u32 = 4; // R = 2**256 % s -const R: FsRepr = FsRepr([0x25f80bb3b99607d9, 0xf315d62f66b6e750, 0x932514eeeb8814f4, 0x9a6fc6f479155c6]); +const R: FsRepr = FsRepr([ + 0x25f80bb3b99607d9, + 0xf315d62f66b6e750, + 0x932514eeeb8814f4, + 0x9a6fc6f479155c6, +]); // R2 = R^2 % s -const R2: FsRepr = FsRepr([0x67719aa495e57731, 0x51b0cef09ce3fc26, 0x69dab7fac026e9a5, 0x4f6547b8d127688]); +const R2: FsRepr = FsRepr([ + 0x67719aa495e57731, + 0x51b0cef09ce3fc26, + 0x69dab7fac026e9a5, + 0x4f6547b8d127688, +]); // INV = -(s^{-1} mod 2^64) mod s const INV: u64 = 0x1ba3a358ef788ef9; // GENERATOR = 6 (multiplicative generator of r-1 order, that is also quadratic nonresidue) -const GENERATOR: FsRepr = FsRepr([0x720b1b19d49ea8f1, 0xbf4aa36101f13a58, 0x5fa8cc968193ccbb, 0xe70cbdc7dccf3ac]); +const GENERATOR: FsRepr = FsRepr([ + 0x720b1b19d49ea8f1, + 0xbf4aa36101f13a58, + 0x5fa8cc968193ccbb, + 0xe70cbdc7dccf3ac, +]); // 2^S * t = MODULUS - 1 with t odd const S: u32 = 1; // 2^S root of unity computed by GENERATOR^t -const ROOT_OF_UNITY: FsRepr = FsRepr([0xaa9f02ab1d6124de, 0xb3524a6466112932, 0x7342261215ac260b, 0x4d6b87b1da259e2]); +const ROOT_OF_UNITY: FsRepr = FsRepr([ + 0xaa9f02ab1d6124de, + 0xb3524a6466112932, + 0x7342261215ac260b, + 0x4d6b87b1da259e2, +]); // -((2**256) mod s) mod s -const NEGATIVE_ONE: Fs = Fs(FsRepr([0xaa9f02ab1d6124de, 0xb3524a6466112932, 0x7342261215ac260b, 0x4d6b87b1da259e2])); +const NEGATIVE_ONE: Fs = Fs(FsRepr([ + 0xaa9f02ab1d6124de, + 0xb3524a6466112932, + 0x7342261215ac260b, + 0x4d6b87b1da259e2, +])); /// This is the underlying representation of an element of `Fs`. #[derive(Copy, Clone, PartialEq, Eq, Default, Debug)] pub struct FsRepr(pub [u64; 4]); -impl ::std::fmt::Display for FsRepr -{ +impl ::std::fmt::Display for FsRepr { fn fmt(&self, f: &mut ::std::fmt::Formatter) -> ::std::fmt::Result { try!(write!(f, "0x")); for i in self.0.iter().rev() { @@ -83,9 +112,9 @@ impl Ord for FsRepr { fn cmp(&self, other: &FsRepr) -> ::std::cmp::Ordering { for (a, b) in self.0.iter().rev().zip(other.0.iter().rev()) { if a < b { - return ::std::cmp::Ordering::Less + return ::std::cmp::Ordering::Less; } else if a > b { - return ::std::cmp::Ordering::Greater + return ::std::cmp::Ordering::Greater; } } @@ -227,8 +256,7 @@ impl PrimeFieldRepr for FsRepr { #[derive(Copy, Clone, PartialEq, Eq, Debug)] pub struct Fs(FsRepr); -impl ::std::fmt::Display for Fs -{ +impl ::std::fmt::Display for Fs { fn fmt(&self, f: &mut ::std::fmt::Formatter) -> ::std::fmt::Result { write!(f, "Fs({})", self.into_repr()) } @@ -256,9 +284,16 @@ impl PrimeField for Fs { fn into_repr(&self) -> FsRepr { let mut r = *self; - r.mont_reduce((self.0).0[0], (self.0).0[1], - (self.0).0[2], (self.0).0[3], - 0, 0, 0, 0); + r.mont_reduce( + (self.0).0[0], + (self.0).0[1], + (self.0).0[2], + (self.0).0[3], + 0, + 0, + 0, + 0, + ); r.0 } @@ -296,7 +331,7 @@ impl Field for Fs { tmp.0.as_mut()[3] &= 0xffffffffffffffff >> REPR_SHAVE_BITS; if tmp.is_valid() { - return tmp + return tmp; } } } @@ -414,8 +449,7 @@ impl Field for Fs { } #[inline] - fn mul_assign(&mut self, other: &Fs) - { + fn mul_assign(&mut self, other: &Fs) { let mut carry = 0; let r0 = mac_with_carry(0, (self.0).0[0], (other.0).0[0], &mut carry); let r1 = mac_with_carry(0, (self.0).0[0], (other.0).0[1], &mut carry); @@ -444,8 +478,7 @@ impl Field for Fs { } #[inline] - fn square(&mut self) - { + fn square(&mut self) { let mut carry = 0; let r1 = mac_with_carry(0, (self.0).0[0], (self.0).0[1], &mut carry); let r2 = mac_with_carry(0, (self.0).0[0], (self.0).0[2], &mut carry); @@ -507,9 +540,8 @@ impl Fs { mut r4: u64, mut r5: u64, mut r6: u64, - mut r7: u64 - ) - { + mut r7: u64, + ) { // The Montgomery reduction here is based on Algorithm 14.32 in // Handbook of Applied Cryptography // . @@ -579,13 +611,21 @@ impl ToUniform for Fs { } impl SqrtField for Fs { - fn legendre(&self) -> LegendreSymbol { // s = self^((s - 1) // 2) - let s = self.pow([0x684b872f6b7b965b, 0x53341049e6640841, 0x83339d80809a1d80, 0x73eda753299d7d4]); - if s == Self::zero() { Zero } - else if s == Self::one() { QuadraticResidue } - else { QuadraticNonResidue } + let s = self.pow([ + 0x684b872f6b7b965b, + 0x53341049e6640841, + 0x83339d80809a1d80, + 0x73eda753299d7d4, + ]); + if s == Self::zero() { + Zero + } else if s == Self::one() { + QuadraticResidue + } else { + QuadraticNonResidue + } } fn sqrt(&self) -> Option { @@ -593,24 +633,25 @@ impl SqrtField for Fs { // https://eprint.iacr.org/2012/685.pdf (page 9, algorithm 2) // a1 = self^((s - 3) // 4) - let mut a1 = self.pow([0xb425c397b5bdcb2d, 0x299a0824f3320420, 0x4199cec0404d0ec0, 0x39f6d3a994cebea]); + let mut a1 = self.pow([ + 0xb425c397b5bdcb2d, + 0x299a0824f3320420, + 0x4199cec0404d0ec0, + 0x39f6d3a994cebea, + ]); let mut a0 = a1; a0.square(); a0.mul_assign(self); - if a0 == NEGATIVE_ONE - { + if a0 == NEGATIVE_ONE { None - } - else - { + } else { a1.mul_assign(self); Some(a1) } } } - #[test] fn test_neg_one() { let mut o = Fs::one(); @@ -636,12 +677,30 @@ fn test_fs_repr_ordering() { assert!(b > a); } - assert_equality(FsRepr([9999, 9999, 9999, 9999]), FsRepr([9999, 9999, 9999, 9999])); - assert_equality(FsRepr([9999, 9998, 9999, 9999]), FsRepr([9999, 9998, 9999, 9999])); - assert_equality(FsRepr([9999, 9999, 9999, 9997]), FsRepr([9999, 9999, 9999, 9997])); - assert_lt(FsRepr([9999, 9997, 9999, 9998]), FsRepr([9999, 9997, 9999, 9999])); - assert_lt(FsRepr([9999, 9997, 9998, 9999]), FsRepr([9999, 9997, 9999, 9999])); - assert_lt(FsRepr([9, 9999, 9999, 9997]), FsRepr([9999, 9999, 9999, 9997])); + assert_equality( + FsRepr([9999, 9999, 9999, 9999]), + FsRepr([9999, 9999, 9999, 9999]), + ); + assert_equality( + FsRepr([9999, 9998, 9999, 9999]), + FsRepr([9999, 9998, 9999, 9999]), + ); + assert_equality( + FsRepr([9999, 9999, 9999, 9997]), + FsRepr([9999, 9999, 9999, 9997]), + ); + assert_lt( + FsRepr([9999, 9997, 9999, 9998]), + FsRepr([9999, 9997, 9999, 9999]), + ); + assert_lt( + FsRepr([9999, 9997, 9998, 9999]), + FsRepr([9999, 9997, 9999, 9999]), + ); + assert_lt( + FsRepr([9, 9999, 9999, 9997]), + FsRepr([9999, 9999, 9999, 9997]), + ); } #[test] @@ -670,13 +729,34 @@ fn test_fs_repr_is_zero() { #[test] fn test_fs_repr_div2() { - let mut a = FsRepr([0xbd2920b19c972321, 0x174ed0466a3be37e, 0xd468d5e3b551f0b5, 0xcb67c072733beefc]); + let mut a = FsRepr([ + 0xbd2920b19c972321, + 0x174ed0466a3be37e, + 0xd468d5e3b551f0b5, + 0xcb67c072733beefc, + ]); a.div2(); - assert_eq!(a, FsRepr([0x5e949058ce4b9190, 0x8ba76823351df1bf, 0x6a346af1daa8f85a, 0x65b3e039399df77e])); + assert_eq!( + a, + FsRepr([ + 0x5e949058ce4b9190, + 0x8ba76823351df1bf, + 0x6a346af1daa8f85a, + 0x65b3e039399df77e + ]) + ); for _ in 0..10 { a.div2(); } - assert_eq!(a, FsRepr([0x6fd7a524163392e4, 0x16a2e9da08cd477c, 0xdf9a8d1abc76aa3e, 0x196cf80e4e677d])); + assert_eq!( + a, + FsRepr([ + 0x6fd7a524163392e4, + 0x16a2e9da08cd477c, + 0xdf9a8d1abc76aa3e, + 0x196cf80e4e677d + ]) + ); for _ in 0..200 { a.div2(); } @@ -695,32 +775,46 @@ fn test_fs_repr_div2() { #[test] fn test_fs_repr_shr() { - let mut a = FsRepr([0xb33fbaec482a283f, 0x997de0d3a88cb3df, 0x9af62d2a9a0e5525, 0x36003ab08de70da1]); + let mut a = FsRepr([ + 0xb33fbaec482a283f, + 0x997de0d3a88cb3df, + 0x9af62d2a9a0e5525, + 0x36003ab08de70da1, + ]); a.shr(0); assert_eq!( a, - FsRepr([0xb33fbaec482a283f, 0x997de0d3a88cb3df, 0x9af62d2a9a0e5525, 0x36003ab08de70da1]) + FsRepr([ + 0xb33fbaec482a283f, + 0x997de0d3a88cb3df, + 0x9af62d2a9a0e5525, + 0x36003ab08de70da1 + ]) ); a.shr(1); assert_eq!( a, - FsRepr([0xd99fdd762415141f, 0xccbef069d44659ef, 0xcd7b16954d072a92, 0x1b001d5846f386d0]) + FsRepr([ + 0xd99fdd762415141f, + 0xccbef069d44659ef, + 0xcd7b16954d072a92, + 0x1b001d5846f386d0 + ]) ); a.shr(50); assert_eq!( a, - FsRepr([0xbc1a7511967bf667, 0xc5a55341caa4b32f, 0x75611bce1b4335e, 0x6c0]) + FsRepr([ + 0xbc1a7511967bf667, + 0xc5a55341caa4b32f, + 0x75611bce1b4335e, + 0x6c0 + ]) ); a.shr(130); - assert_eq!( - a, - FsRepr([0x1d5846f386d0cd7, 0x1b0, 0x0, 0x0]) - ); + assert_eq!(a, FsRepr([0x1d5846f386d0cd7, 0x1b0, 0x0, 0x0])); a.shr(64); - assert_eq!( - a, - FsRepr([0x1b0, 0x0, 0x0, 0x0]) - ); + assert_eq!(a, FsRepr([0x1b0, 0x0, 0x0, 0x0])); } #[test] @@ -765,9 +859,26 @@ fn test_fs_repr_sub_noborrow() { 0xe5, ]); - let mut t = FsRepr([0x8e62a7e85264e2c3, 0xb23d34c1941d3ca, 0x5976930b7502dd15, 0x600f3fb517bf5495]); - t.sub_noborrow(&FsRepr([0xd64f669809cbc6a4, 0xfa76cb9d90cf7637, 0xfefb0df9038d43b3, 0x298a30c744b31acf])); - assert!(t == FsRepr([0xb813415048991c1f, 0x10ad07ae88725d92, 0x5a7b851271759961, 0x36850eedd30c39c5])); + let mut t = FsRepr([ + 0x8e62a7e85264e2c3, + 0xb23d34c1941d3ca, + 0x5976930b7502dd15, + 0x600f3fb517bf5495, + ]); + t.sub_noborrow(&FsRepr([ + 0xd64f669809cbc6a4, + 0xfa76cb9d90cf7637, + 0xfefb0df9038d43b3, + 0x298a30c744b31acf, + ])); + assert!( + t == FsRepr([ + 0xb813415048991c1f, + 0x10ad07ae88725d92, + 0x5a7b851271759961, + 0x36850eedd30c39c5 + ]) + ); for _ in 0..1000 { let mut a = Fs::random(&mut rng).into_repr(); @@ -801,9 +912,19 @@ fn test_fs_legendre() { assert_eq!(QuadraticResidue, Fs::one().legendre()); assert_eq!(Zero, Fs::zero().legendre()); - let e = FsRepr([0x8385eec23df1f88e, 0x9a01fb412b2dba16, 0x4c928edcdd6c22f, 0x9f2df7ef69ecef9]); + let e = FsRepr([ + 0x8385eec23df1f88e, + 0x9a01fb412b2dba16, + 0x4c928edcdd6c22f, + 0x9f2df7ef69ecef9, + ]); assert_eq!(QuadraticResidue, Fs::from_repr(e).unwrap().legendre()); - let e = FsRepr([0xe8ed9f299da78568, 0x35efdebc88b2209, 0xc82125cb1f916dbe, 0x6813d2b38c39bd0]); + let e = FsRepr([ + 0xe8ed9f299da78568, + 0x35efdebc88b2209, + 0xc82125cb1f916dbe, + 0x6813d2b38c39bd0, + ]); assert_eq!(QuadraticNonResidue, Fs::from_repr(e).unwrap().legendre()); } @@ -814,9 +935,27 @@ fn test_fr_repr_add_nocarry() { 0xe5, ]); - let mut t = FsRepr([0xd64f669809cbc6a4, 0xfa76cb9d90cf7637, 0xfefb0df9038d43b3, 0x298a30c744b31acf]); - t.add_nocarry(&FsRepr([0x8e62a7e85264e2c3, 0xb23d34c1941d3ca, 0x5976930b7502dd15, 0x600f3fb517bf5495])); - assert_eq!(t, FsRepr([0x64b20e805c30a967, 0x59a9ee9aa114a02, 0x5871a104789020c9, 0x8999707c5c726f65])); + let mut t = FsRepr([ + 0xd64f669809cbc6a4, + 0xfa76cb9d90cf7637, + 0xfefb0df9038d43b3, + 0x298a30c744b31acf, + ]); + t.add_nocarry(&FsRepr([ + 0x8e62a7e85264e2c3, + 0xb23d34c1941d3ca, + 0x5976930b7502dd15, + 0x600f3fb517bf5495, + ])); + assert_eq!( + t, + FsRepr([ + 0x64b20e805c30a967, + 0x59a9ee9aa114a02, + 0x5871a104789020c9, + 0x8999707c5c726f65 + ]) + ); // Test for the associativity of addition. for _ in 0..1000 { @@ -868,8 +1007,20 @@ fn test_fs_is_valid() { a.0.sub_noborrow(&FsRepr::from(1)); assert!(a.is_valid()); assert!(Fs(FsRepr::from(0)).is_valid()); - assert!(Fs(FsRepr([0xd0970e5ed6f72cb6, 0xa6682093ccc81082, 0x6673b0101343b00, 0xe7db4ea6533afa9])).is_valid()); - assert!(!Fs(FsRepr([0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff])).is_valid()); + assert!(Fs(FsRepr([ + 0xd0970e5ed6f72cb6, + 0xa6682093ccc81082, + 0x6673b0101343b00, + 0xe7db4ea6533afa9 + ])) + .is_valid()); + assert!(!Fs(FsRepr([ + 0xffffffffffffffff, + 0xffffffffffffffff, + 0xffffffffffffffff, + 0xffffffffffffffff + ])) + .is_valid()); let mut rng = XorShiftRng::from_seed([ 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, @@ -886,25 +1037,80 @@ fn test_fs_is_valid() { fn test_fs_add_assign() { { // Random number - let mut tmp = Fs::from_str("4577408157467272683998459759522778614363623736323078995109579213719612604198").unwrap(); + let mut tmp = Fs::from_str( + "4577408157467272683998459759522778614363623736323078995109579213719612604198", + ) + .unwrap(); assert!(tmp.is_valid()); // Test that adding zero has no effect. tmp.add_assign(&Fs(FsRepr::from(0))); - assert_eq!(tmp, Fs(FsRepr([0x8e6bfff4722d6e67, 0x5643da5c892044f9, 0x9465f4b281921a69, 0x25f752d3edd7162]))); + assert_eq!( + tmp, + Fs(FsRepr([ + 0x8e6bfff4722d6e67, + 0x5643da5c892044f9, + 0x9465f4b281921a69, + 0x25f752d3edd7162 + ])) + ); // Add one and test for the result. tmp.add_assign(&Fs(FsRepr::from(1))); - assert_eq!(tmp, Fs(FsRepr([0x8e6bfff4722d6e68, 0x5643da5c892044f9, 0x9465f4b281921a69, 0x25f752d3edd7162]))); + assert_eq!( + tmp, + Fs(FsRepr([ + 0x8e6bfff4722d6e68, + 0x5643da5c892044f9, + 0x9465f4b281921a69, + 0x25f752d3edd7162 + ])) + ); // Add another random number that exercises the reduction. - tmp.add_assign(&Fs(FsRepr([0xb634d07bc42d4a70, 0xf724f0c008411f5f, 0x456d4053d865af34, 0x24ce814e8c63027]))); - assert_eq!(tmp, Fs(FsRepr([0x44a0d070365ab8d8, 0x4d68cb1c91616459, 0xd9d3350659f7c99e, 0x4ac5d4227a3a189]))); + tmp.add_assign(&Fs(FsRepr([ + 0xb634d07bc42d4a70, + 0xf724f0c008411f5f, + 0x456d4053d865af34, + 0x24ce814e8c63027, + ]))); + assert_eq!( + tmp, + Fs(FsRepr([ + 0x44a0d070365ab8d8, + 0x4d68cb1c91616459, + 0xd9d3350659f7c99e, + 0x4ac5d4227a3a189 + ])) + ); // Add one to (s - 1) and test for the result. - tmp = Fs(FsRepr([0xd0970e5ed6f72cb6, 0xa6682093ccc81082, 0x6673b0101343b00, 0xe7db4ea6533afa9])); + tmp = Fs(FsRepr([ + 0xd0970e5ed6f72cb6, + 0xa6682093ccc81082, + 0x6673b0101343b00, + 0xe7db4ea6533afa9, + ])); tmp.add_assign(&Fs(FsRepr::from(1))); assert!(tmp.0.is_zero()); // Add a random number to another one such that the result is s - 1 - tmp = Fs(FsRepr([0xa11fda5950ce3636, 0x922e0dbccfe0ca0e, 0xacebb6e215b82d4a, 0x97ffb8cdc3aee93])); - tmp.add_assign(&Fs(FsRepr([0x2f7734058628f680, 0x143a12d6fce74674, 0x597b841eeb7c0db6, 0x4fdb95d88f8c115]))); - assert_eq!(tmp, Fs(FsRepr([0xd0970e5ed6f72cb6, 0xa6682093ccc81082, 0x6673b0101343b00, 0xe7db4ea6533afa9]))); + tmp = Fs(FsRepr([ + 0xa11fda5950ce3636, + 0x922e0dbccfe0ca0e, + 0xacebb6e215b82d4a, + 0x97ffb8cdc3aee93, + ])); + tmp.add_assign(&Fs(FsRepr([ + 0x2f7734058628f680, + 0x143a12d6fce74674, + 0x597b841eeb7c0db6, + 0x4fdb95d88f8c115, + ]))); + assert_eq!( + tmp, + Fs(FsRepr([ + 0xd0970e5ed6f72cb6, + 0xa6682093ccc81082, + 0x6673b0101343b00, + 0xe7db4ea6533afa9 + ])) + ); // Add one to the result and test for it. tmp.add_assign(&Fs(FsRepr::from(1))); assert!(tmp.0.is_zero()); @@ -941,23 +1147,72 @@ fn test_fs_add_assign() { fn test_fs_sub_assign() { { // Test arbitrary subtraction that tests reduction. - let mut tmp = Fs(FsRepr([0xb384d9f6877afd99, 0x4442513958e1a1c1, 0x352c4b8a95eccc3f, 0x2db62dee4b0f2])); - tmp.sub_assign(&Fs(FsRepr([0xec5bd2d13ed6b05a, 0x2adc0ab3a39b5fa, 0x82d3360a493e637e, 0x53ccff4a64d6679]))); - assert_eq!(tmp, Fs(FsRepr([0x97c015841f9b79f6, 0xe7fcb121eb6ffc49, 0xb8c050814de2a3c1, 0x943c0589dcafa21]))); + let mut tmp = Fs(FsRepr([ + 0xb384d9f6877afd99, + 0x4442513958e1a1c1, + 0x352c4b8a95eccc3f, + 0x2db62dee4b0f2, + ])); + tmp.sub_assign(&Fs(FsRepr([ + 0xec5bd2d13ed6b05a, + 0x2adc0ab3a39b5fa, + 0x82d3360a493e637e, + 0x53ccff4a64d6679, + ]))); + assert_eq!( + tmp, + Fs(FsRepr([ + 0x97c015841f9b79f6, + 0xe7fcb121eb6ffc49, + 0xb8c050814de2a3c1, + 0x943c0589dcafa21 + ])) + ); // Test the opposite subtraction which doesn't test reduction. - tmp = Fs(FsRepr([0xec5bd2d13ed6b05a, 0x2adc0ab3a39b5fa, 0x82d3360a493e637e, 0x53ccff4a64d6679])); - tmp.sub_assign(&Fs(FsRepr([0xb384d9f6877afd99, 0x4442513958e1a1c1, 0x352c4b8a95eccc3f, 0x2db62dee4b0f2]))); - assert_eq!(tmp, Fs(FsRepr([0x38d6f8dab75bb2c1, 0xbe6b6f71e1581439, 0x4da6ea7fb351973e, 0x539f491c768b587]))); + tmp = Fs(FsRepr([ + 0xec5bd2d13ed6b05a, + 0x2adc0ab3a39b5fa, + 0x82d3360a493e637e, + 0x53ccff4a64d6679, + ])); + tmp.sub_assign(&Fs(FsRepr([ + 0xb384d9f6877afd99, + 0x4442513958e1a1c1, + 0x352c4b8a95eccc3f, + 0x2db62dee4b0f2, + ]))); + assert_eq!( + tmp, + Fs(FsRepr([ + 0x38d6f8dab75bb2c1, + 0xbe6b6f71e1581439, + 0x4da6ea7fb351973e, + 0x539f491c768b587 + ])) + ); // Test for sensible results with zero tmp = Fs(FsRepr::from(0)); tmp.sub_assign(&Fs(FsRepr::from(0))); assert!(tmp.is_zero()); - tmp = Fs(FsRepr([0x361e16aef5cce835, 0x55bbde2536e274c1, 0x4dc77a63fd15ee75, 0x1e14bb37c14f230])); + tmp = Fs(FsRepr([ + 0x361e16aef5cce835, + 0x55bbde2536e274c1, + 0x4dc77a63fd15ee75, + 0x1e14bb37c14f230, + ])); tmp.sub_assign(&Fs(FsRepr::from(0))); - assert_eq!(tmp, Fs(FsRepr([0x361e16aef5cce835, 0x55bbde2536e274c1, 0x4dc77a63fd15ee75, 0x1e14bb37c14f230]))); + assert_eq!( + tmp, + Fs(FsRepr([ + 0x361e16aef5cce835, + 0x55bbde2536e274c1, + 0x4dc77a63fd15ee75, + 0x1e14bb37c14f230 + ])) + ); } let mut rng = XorShiftRng::from_seed([ @@ -983,9 +1238,26 @@ fn test_fs_sub_assign() { #[test] fn test_fs_mul_assign() { - let mut tmp = Fs(FsRepr([0xb433b01287f71744, 0x4eafb86728c4d108, 0xfdd52c14b9dfbe65, 0x2ff1f3434821118])); - tmp.mul_assign(&Fs(FsRepr([0xdae00fc63c9fa90f, 0x5a5ed89b96ce21ce, 0x913cd26101bd6f58, 0x3f0822831697fe9]))); - assert!(tmp == Fs(FsRepr([0xb68ecb61d54d2992, 0x5ff95874defce6a6, 0x3590eb053894657d, 0x53823a118515933]))); + let mut tmp = Fs(FsRepr([ + 0xb433b01287f71744, + 0x4eafb86728c4d108, + 0xfdd52c14b9dfbe65, + 0x2ff1f3434821118, + ])); + tmp.mul_assign(&Fs(FsRepr([ + 0xdae00fc63c9fa90f, + 0x5a5ed89b96ce21ce, + 0x913cd26101bd6f58, + 0x3f0822831697fe9, + ]))); + assert!( + tmp == Fs(FsRepr([ + 0xb68ecb61d54d2992, + 0x5ff95874defce6a6, + 0x3590eb053894657d, + 0x53823a118515933 + ])) + ); let mut rng = XorShiftRng::from_seed([ 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, @@ -1035,10 +1307,24 @@ fn test_fs_mul_assign() { #[test] fn test_fr_squaring() { - let mut a = Fs(FsRepr([0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xe7db4ea6533afa8])); + let mut a = Fs(FsRepr([ + 0xffffffffffffffff, + 0xffffffffffffffff, + 0xffffffffffffffff, + 0xe7db4ea6533afa8, + ])); assert!(a.is_valid()); a.square(); - assert_eq!(a, Fs::from_repr(FsRepr([0x12c7f55cbc52fbaa, 0xdedc98a0b5e6ce9e, 0xad2892726a5396a, 0x9fe82af8fee77b3])).unwrap()); + assert_eq!( + a, + Fs::from_repr(FsRepr([ + 0x12c7f55cbc52fbaa, + 0xdedc98a0b5e6ce9e, + 0xad2892726a5396a, + 0x9fe82af8fee77b3 + ])) + .unwrap() + ); let mut rng = XorShiftRng::from_seed([ 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, @@ -1185,17 +1471,38 @@ fn test_fs_sqrt() { #[test] fn test_fs_from_into_repr() { // r + 1 should not be in the field - assert!(Fs::from_repr(FsRepr([0xd0970e5ed6f72cb8, 0xa6682093ccc81082, 0x6673b0101343b00, 0xe7db4ea6533afa9])).is_err()); + assert!(Fs::from_repr(FsRepr([ + 0xd0970e5ed6f72cb8, + 0xa6682093ccc81082, + 0x6673b0101343b00, + 0xe7db4ea6533afa9 + ])) + .is_err()); // r should not be in the field assert!(Fs::from_repr(Fs::char()).is_err()); // Multiply some arbitrary representations to see if the result is as expected. - let a = FsRepr([0x5f2d0c05d0337b71, 0xa1df2b0f8a20479, 0xad73785e71bb863, 0x504a00480c9acec]); + let a = FsRepr([ + 0x5f2d0c05d0337b71, + 0xa1df2b0f8a20479, + 0xad73785e71bb863, + 0x504a00480c9acec, + ]); let mut a_fs = Fs::from_repr(a).unwrap(); - let b = FsRepr([0x66356ff51e477562, 0x60a92ab55cf7603, 0x8e4273c7364dd192, 0x36df8844a344dc5]); + let b = FsRepr([ + 0x66356ff51e477562, + 0x60a92ab55cf7603, + 0x8e4273c7364dd192, + 0x36df8844a344dc5, + ]); let b_fs = Fs::from_repr(b).unwrap(); - let c = FsRepr([0x7eef61708f4f2868, 0x747a7e6cf52946fb, 0x83dd75d7c9120017, 0x762f5177f0f3df7]); + let c = FsRepr([ + 0x7eef61708f4f2868, + 0x747a7e6cf52946fb, + 0x83dd75d7c9120017, + 0x762f5177f0f3df7, + ]); a_fs.mul_assign(&b_fs); assert_eq!(a_fs.into_repr(), c); @@ -1222,15 +1529,39 @@ fn test_fs_from_into_repr() { #[test] fn test_fs_repr_display() { assert_eq!( - format!("{}", FsRepr([0xa296db59787359df, 0x8d3e33077430d318, 0xd1abf5c606102eb7, 0xcbc33ee28108f0])), + format!( + "{}", + FsRepr([ + 0xa296db59787359df, + 0x8d3e33077430d318, + 0xd1abf5c606102eb7, + 0xcbc33ee28108f0 + ]) + ), "0x00cbc33ee28108f0d1abf5c606102eb78d3e33077430d318a296db59787359df".to_string() ); assert_eq!( - format!("{}", FsRepr([0x14cb03535054a620, 0x312aa2bf2d1dff52, 0x970fe98746ab9361, 0xc1e18acf82711e6])), + format!( + "{}", + FsRepr([ + 0x14cb03535054a620, + 0x312aa2bf2d1dff52, + 0x970fe98746ab9361, + 0xc1e18acf82711e6 + ]) + ), "0x0c1e18acf82711e6970fe98746ab9361312aa2bf2d1dff5214cb03535054a620".to_string() ); assert_eq!( - format!("{}", FsRepr([0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff])), + format!( + "{}", + FsRepr([ + 0xffffffffffffffff, + 0xffffffffffffffff, + 0xffffffffffffffff, + 0xffffffffffffffff + ]) + ), "0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff".to_string() ); assert_eq!( @@ -1242,11 +1573,29 @@ fn test_fs_repr_display() { #[test] fn test_fs_display() { assert_eq!( - format!("{}", Fs::from_repr(FsRepr([0x5528efb9998a01a3, 0x5bd2add5cb357089, 0xc061fa6adb491f98, 0x70db9d143db03d9])).unwrap()), + format!( + "{}", + Fs::from_repr(FsRepr([ + 0x5528efb9998a01a3, + 0x5bd2add5cb357089, + 0xc061fa6adb491f98, + 0x70db9d143db03d9 + ])) + .unwrap() + ), "Fs(0x070db9d143db03d9c061fa6adb491f985bd2add5cb3570895528efb9998a01a3)".to_string() ); assert_eq!( - format!("{}", Fs::from_repr(FsRepr([0xd674745e2717999e, 0xbeb1f52d3e96f338, 0x9c7ae147549482b9, 0x999706024530d22])).unwrap()), + format!( + "{}", + Fs::from_repr(FsRepr([ + 0xd674745e2717999e, + 0xbeb1f52d3e96f338, + 0x9c7ae147549482b9, + 0x999706024530d22 + ])) + .unwrap() + ), "Fs(0x0999706024530d229c7ae147549482b9beb1f52d3e96f338d674745e2717999e)".to_string() ); } @@ -1260,14 +1609,19 @@ fn test_fs_num_bits() { #[test] fn test_fs_root_of_unity() { assert_eq!(Fs::S, 1); - assert_eq!(Fs::multiplicative_generator(), Fs::from_repr(FsRepr::from(6)).unwrap()); assert_eq!( - Fs::multiplicative_generator().pow([0x684b872f6b7b965b, 0x53341049e6640841, 0x83339d80809a1d80, 0x73eda753299d7d4]), + Fs::multiplicative_generator(), + Fs::from_repr(FsRepr::from(6)).unwrap() + ); + assert_eq!( + Fs::multiplicative_generator().pow([ + 0x684b872f6b7b965b, + 0x53341049e6640841, + 0x83339d80809a1d80, + 0x73eda753299d7d4 + ]), Fs::root_of_unity() ); - assert_eq!( - Fs::root_of_unity().pow([1 << Fs::S]), - Fs::one() - ); + assert_eq!(Fs::root_of_unity().pow([1 << Fs::S]), Fs::one()); assert!(Fs::multiplicative_generator().sqrt().is_none()); } diff --git a/zcash_primitives/src/jubjub/mod.rs b/zcash_primitives/src/jubjub/mod.rs index 71e1875c6..7ab0d0eee 100644 --- a/zcash_primitives/src/jubjub/mod.rs +++ b/zcash_primitives/src/jubjub/mod.rs @@ -24,10 +24,7 @@ use group_hash::group_hash; use constants; -use pairing::bls12_381::{ - Bls12, - Fr -}; +use pairing::bls12_381::{Bls12, Fr}; /// This is an implementation of the twisted Edwards Jubjub curve. pub mod edwards; @@ -44,11 +41,11 @@ pub mod tests; /// Point of unknown order. #[derive(Debug)] -pub enum Unknown { } +pub enum Unknown {} /// Point of prime order. #[derive(Debug)] -pub enum PrimeOrder { } +pub enum PrimeOrder {} /// Fixed generators of the Jubjub curve of unknown /// exponent. @@ -80,7 +77,7 @@ pub enum FixedGenerators { /// base at spend time. SpendingKeyGenerator = 5, - Max = 6 + Max = 6, } pub trait ToUniform { @@ -151,10 +148,18 @@ pub struct JubjubBls12 { } impl JubjubParams for JubjubBls12 { - fn edwards_d(&self) -> &Fr { &self.edwards_d } - fn montgomery_a(&self) -> &Fr { &self.montgomery_a } - fn montgomery_2a(&self) -> &Fr { &self.montgomery_2a } - fn scale(&self) -> &Fr { &self.scale } + fn edwards_d(&self) -> &Fr { + &self.edwards_d + } + fn montgomery_a(&self) -> &Fr { + &self.montgomery_a + } + fn montgomery_2a(&self) -> &Fr { + &self.montgomery_2a + } + fn scale(&self) -> &Fr { + &self.scale + } fn pedersen_hash_generators(&self) -> &[edwards::Point] { &self.pedersen_hash_generators } @@ -170,12 +175,10 @@ impl JubjubParams for JubjubBls12 { fn pedersen_circuit_generators(&self) -> &[Vec>] { &self.pedersen_circuit_generators } - fn generator(&self, base: FixedGenerators) -> &edwards::Point - { + fn generator(&self, base: FixedGenerators) -> &edwards::Point { &self.fixed_base_generators[base as usize] } - fn circuit_generators(&self, base: FixedGenerators) -> &[Vec<(Fr, Fr)>] - { + fn circuit_generators(&self, base: FixedGenerators) -> &[Vec<(Fr, Fr)>] { &self.fixed_base_circuit_generators[base as usize][..] } fn pedersen_hash_exp_window_size() -> u32 { @@ -191,13 +194,19 @@ impl JubjubBls12 { let mut tmp_params = JubjubBls12 { // d = -(10240/10241) - edwards_d: Fr::from_str("19257038036680949359750312669786877991949435402254120286184196891950884077233").unwrap(), + edwards_d: Fr::from_str( + "19257038036680949359750312669786877991949435402254120286184196891950884077233", + ) + .unwrap(), // A = 40962 montgomery_a: montgomery_a, // 2A = 2.A montgomery_2a: montgomery_2a, // scaling factor = sqrt(4 / (a - d)) - scale: Fr::from_str("17814886934372412843466061268024708274627479829237077604635722030778476050649").unwrap(), + scale: Fr::from_str( + "17814886934372412843466061268024708274627479829237077604635722030778476050649", + ) + .unwrap(), // We'll initialize these below pedersen_hash_generators: vec![], @@ -210,19 +219,14 @@ impl JubjubBls12 { fn find_group_hash( m: &[u8], personalization: &[u8; 8], - params: &E::Params - ) -> edwards::Point - { + params: &E::Params, + ) -> edwards::Point { let mut tag = m.to_vec(); let i = tag.len(); tag.push(0u8); loop { - let gh = group_hash( - &tag, - personalization, - params - ); + let gh = group_hash(&tag, personalization, params); // We don't want to overflow and start reusing generators assert!(tag[i] != u8::max_value()); @@ -239,18 +243,18 @@ impl JubjubBls12 { let mut pedersen_hash_generators = vec![]; for m in 0..5 { - use byteorder::{WriteBytesExt, LittleEndian}; + use byteorder::{LittleEndian, WriteBytesExt}; let mut segment_number = [0u8; 4]; - (&mut segment_number[0..4]).write_u32::(m).unwrap(); + (&mut segment_number[0..4]) + .write_u32::(m) + .unwrap(); - pedersen_hash_generators.push( - find_group_hash( - &segment_number, - constants::PEDERSEN_HASH_GENERATORS_PERSONALIZATION, - &tmp_params - ) - ); + pedersen_hash_generators.push(find_group_hash( + &segment_number, + constants::PEDERSEN_HASH_GENERATORS_PERSONALIZATION, + &tmp_params, + )); } // Check for duplicates, far worse than spec inconsistencies! @@ -259,7 +263,7 @@ impl JubjubBls12 { panic!("Neutral element!"); } - for p2 in pedersen_hash_generators.iter().skip(i+1) { + for p2 in pedersen_hash_generators.iter().skip(i + 1) { if p1 == p2 { panic!("Duplicate generator!"); } @@ -307,25 +311,46 @@ impl JubjubBls12 { // Create the bases for other parts of the protocol { - let mut fixed_base_generators = vec![edwards::Point::zero(); FixedGenerators::Max as usize]; + let mut fixed_base_generators = + vec![edwards::Point::zero(); FixedGenerators::Max as usize]; - fixed_base_generators[FixedGenerators::ProofGenerationKey as usize] = - find_group_hash(&[], constants::PROOF_GENERATION_KEY_BASE_GENERATOR_PERSONALIZATION, &tmp_params); + fixed_base_generators[FixedGenerators::ProofGenerationKey as usize] = find_group_hash( + &[], + constants::PROOF_GENERATION_KEY_BASE_GENERATOR_PERSONALIZATION, + &tmp_params, + ); fixed_base_generators[FixedGenerators::NoteCommitmentRandomness as usize] = - find_group_hash(b"r", constants::PEDERSEN_HASH_GENERATORS_PERSONALIZATION, &tmp_params); + find_group_hash( + b"r", + constants::PEDERSEN_HASH_GENERATORS_PERSONALIZATION, + &tmp_params, + ); - fixed_base_generators[FixedGenerators::NullifierPosition as usize] = - find_group_hash(&[], constants::NULLIFIER_POSITION_IN_TREE_GENERATOR_PERSONALIZATION, &tmp_params); + fixed_base_generators[FixedGenerators::NullifierPosition as usize] = find_group_hash( + &[], + constants::NULLIFIER_POSITION_IN_TREE_GENERATOR_PERSONALIZATION, + &tmp_params, + ); - fixed_base_generators[FixedGenerators::ValueCommitmentValue as usize] = - find_group_hash(b"v", constants::VALUE_COMMITMENT_GENERATOR_PERSONALIZATION, &tmp_params); + fixed_base_generators[FixedGenerators::ValueCommitmentValue as usize] = find_group_hash( + b"v", + constants::VALUE_COMMITMENT_GENERATOR_PERSONALIZATION, + &tmp_params, + ); fixed_base_generators[FixedGenerators::ValueCommitmentRandomness as usize] = - find_group_hash(b"r", constants::VALUE_COMMITMENT_GENERATOR_PERSONALIZATION, &tmp_params); + find_group_hash( + b"r", + constants::VALUE_COMMITMENT_GENERATOR_PERSONALIZATION, + &tmp_params, + ); - fixed_base_generators[FixedGenerators::SpendingKeyGenerator as usize] = - find_group_hash(&[], constants::SPENDING_KEY_GENERATOR_PERSONALIZATION, &tmp_params); + fixed_base_generators[FixedGenerators::SpendingKeyGenerator as usize] = find_group_hash( + &[], + constants::SPENDING_KEY_GENERATOR_PERSONALIZATION, + &tmp_params, + ); // Check for duplicates, far worse than spec inconsistencies! for (i, p1) in fixed_base_generators.iter().enumerate() { @@ -333,7 +358,7 @@ impl JubjubBls12 { panic!("Neutral element!"); } - for p2 in fixed_base_generators.iter().skip(i+1) { + for p2 in fixed_base_generators.iter().skip(i + 1) { if p1 == p2 { panic!("Duplicate generator!"); } @@ -413,10 +438,14 @@ fn test_jubjub_bls12() { let test_repr = hex!("9d12b88b08dcbef8a11ee0712d94cb236ee2f4ca17317075bfafc82ce3139d31"); let p = edwards::Point::::read(&test_repr[..], ¶ms).unwrap(); let q = edwards::Point::::get_for_y( - Fr::from_str("22440861827555040311190986994816762244378363690614952020532787748720529117853").unwrap(), + Fr::from_str( + "22440861827555040311190986994816762244378363690614952020532787748720529117853", + ) + .unwrap(), false, - ¶ms - ).unwrap(); + ¶ms, + ) + .unwrap(); assert!(p == q); @@ -424,10 +453,14 @@ fn test_jubjub_bls12() { let test_repr = hex!("9d12b88b08dcbef8a11ee0712d94cb236ee2f4ca17317075bfafc82ce3139db1"); let p = edwards::Point::::read(&test_repr[..], ¶ms).unwrap(); let q = edwards::Point::::get_for_y( - Fr::from_str("22440861827555040311190986994816762244378363690614952020532787748720529117853").unwrap(), + Fr::from_str( + "22440861827555040311190986994816762244378363690614952020532787748720529117853", + ) + .unwrap(), true, - ¶ms - ).unwrap(); + ¶ms, + ) + .unwrap(); assert!(p == q); } diff --git a/zcash_primitives/src/jubjub/montgomery.rs b/zcash_primitives/src/jubjub/montgomery.rs index 9bd602337..e0bc4bfc3 100644 --- a/zcash_primitives/src/jubjub/montgomery.rs +++ b/zcash_primitives/src/jubjub/montgomery.rs @@ -1,12 +1,6 @@ use ff::{BitIterator, Field, PrimeField, PrimeFieldRepr, SqrtField}; -use super::{ - JubjubEngine, - JubjubParams, - Unknown, - PrimeOrder, - edwards -}; +use super::{edwards, JubjubEngine, JubjubParams, PrimeOrder, Unknown}; use rand_core::RngCore; @@ -17,29 +11,25 @@ pub struct Point { x: E::Fr, y: E::Fr, infinity: bool, - _marker: PhantomData + _marker: PhantomData, } -fn convert_subgroup(from: &Point) -> Point -{ +fn convert_subgroup(from: &Point) -> Point { Point { x: from.x, y: from.y, infinity: from.infinity, - _marker: PhantomData + _marker: PhantomData, } } -impl From> for Point -{ - fn from(p: Point) -> Point - { +impl From> for Point { + fn from(p: Point) -> Point { convert_subgroup(&p) } } -impl Clone for Point -{ +impl Clone for Point { fn clone(&self) -> Self { convert_subgroup(self) } @@ -50,16 +40,13 @@ impl PartialEq for Point { match (self.infinity, other.infinity) { (true, true) => true, (true, false) | (false, true) => false, - (false, false) => { - self.x == other.x && self.y == other.y - } + (false, false) => self.x == other.x && self.y == other.y, } } } impl Point { - pub fn get_for_x(x: E::Fr, sign: bool, params: &E::Params) -> Option - { + pub fn get_for_x(x: E::Fr, sign: bool, params: &E::Params) -> Option { // Given an x on the curve, y = sqrt(x^3 + A*x^2 + x) let mut x2 = x; @@ -81,34 +68,28 @@ impl Point { x: x, y: y, infinity: false, - _marker: PhantomData - }) - }, - None => None + _marker: PhantomData, + }); + } + None => None, } } /// This guarantees the point is in the prime order subgroup #[must_use] - pub fn mul_by_cofactor(&self, params: &E::Params) -> Point - { - let tmp = self.double(params) - .double(params) - .double(params); + pub fn mul_by_cofactor(&self, params: &E::Params) -> Point { + let tmp = self.double(params).double(params).double(params); convert_subgroup(&tmp) } - pub fn rand(rng: &mut R, params: &E::Params) -> Self - { + pub fn rand(rng: &mut R, params: &E::Params) -> Self { loop { let x = E::Fr::random(rng); let sign = rng.next_u32() % 2 != 0; match Self::get_for_x(x, sign, params) { - Some(p) => { - return p - }, + Some(p) => return p, None => {} } } @@ -117,11 +98,7 @@ impl Point { impl Point { /// Convert from an Edwards point - pub fn from_edwards( - e: &edwards::Point, - params: &E::Params - ) -> Self - { + pub fn from_edwards(e: &edwards::Point, params: &E::Params) -> Self { let (x, y) = e.into_xy(); if y == E::Fr::one() { @@ -149,7 +126,7 @@ impl Point { x: E::Fr::zero(), y: E::Fr::zero(), infinity: false, - _marker: PhantomData + _marker: PhantomData, } } else { // The mapping is defined as above. @@ -176,7 +153,7 @@ impl Point { x: u, y: v, infinity: false, - _marker: PhantomData + _marker: PhantomData, } } } @@ -197,12 +174,11 @@ impl Point { x: E::Fr::zero(), y: E::Fr::zero(), infinity: true, - _marker: PhantomData + _marker: PhantomData, } } - pub fn into_xy(&self) -> Option<(E::Fr, E::Fr)> - { + pub fn into_xy(&self) -> Option<(E::Fr, E::Fr)> { if self.infinity { None } else { @@ -272,13 +248,12 @@ impl Point { x: x3, y: y3, infinity: false, - _marker: PhantomData + _marker: PhantomData, } } #[must_use] - pub fn add(&self, other: &Self, params: &E::Params) -> Self - { + pub fn add(&self, other: &Self, params: &E::Params) -> Self { // This is a standard affine point addition formula // See 4.3.2 The group law for Weierstrass curves // Montgomery curves and the Montgomery Ladder @@ -301,7 +276,10 @@ impl Point { { let mut tmp = other.x; tmp.sub_assign(&self.x); - delta.mul_assign(&tmp.inverse().expect("self.x != other.x, so this must be nonzero")); + delta.mul_assign( + &tmp.inverse() + .expect("self.x != other.x, so this must be nonzero"), + ); } let mut x3 = delta; @@ -320,7 +298,7 @@ impl Point { x: x3, y: y3, infinity: false, - _marker: PhantomData + _marker: PhantomData, } } } @@ -328,12 +306,7 @@ impl Point { } #[must_use] - pub fn mul::Repr>>( - &self, - scalar: S, - params: &E::Params - ) -> Self - { + pub fn mul::Repr>>(&self, scalar: S, params: &E::Params) -> Self { // Standard double-and-add scalar multiplication let mut res = Self::zero(); diff --git a/zcash_primitives/src/jubjub/tests.rs b/zcash_primitives/src/jubjub/tests.rs index e15b81e1e..1b4f8d125 100644 --- a/zcash_primitives/src/jubjub/tests.rs +++ b/zcash_primitives/src/jubjub/tests.rs @@ -1,18 +1,6 @@ -use super::{ - JubjubEngine, - JubjubParams, - PrimeOrder, - montgomery, - edwards -}; +use super::{edwards, montgomery, JubjubEngine, JubjubParams, PrimeOrder}; -use ff::{ - Field, - PrimeField, - PrimeFieldRepr, - SqrtField, - LegendreSymbol -}; +use ff::{Field, LegendreSymbol, PrimeField, PrimeFieldRepr, SqrtField}; use rand_core::{RngCore, SeedableRng}; use rand_xorshift::XorShiftRng; @@ -30,12 +18,7 @@ pub fn test_suite(params: &E::Params) { test_read_write::(params); } -fn is_on_mont_curve>( - x: E::Fr, - y: E::Fr, - params: &P -) -> bool -{ +fn is_on_mont_curve>(x: E::Fr, y: E::Fr, params: &P) -> bool { let mut lhs = y; lhs.square(); @@ -56,9 +39,8 @@ fn is_on_mont_curve>( fn is_on_twisted_edwards_curve>( x: E::Fr, y: E::Fr, - params: &P -) -> bool -{ + params: &P, +) -> bool { let mut x2 = x; x2.square(); @@ -156,7 +138,9 @@ fn test_order(params: &E::Params) { ]); // The neutral element is in the prime order subgroup. - assert!(Point::::zero().as_prime_order(params).is_some()); + assert!(Point::::zero() + .as_prime_order(params) + .is_some()); for _ in 0..50 { // Pick a random point and multiply it by the cofactor @@ -256,11 +240,7 @@ fn test_get_for(params: &E::Params) { if let Some(mut p) = edwards::Point::::get_for_y(y, sign, params) { assert!(p.into_xy().0.into_repr().is_odd() == sign); p = p.negate(); - assert!( - edwards::Point::::get_for_y(y, !sign, params).unwrap() - == - p - ); + assert!(edwards::Point::::get_for_y(y, !sign, params).unwrap() == p); } } } @@ -321,13 +301,9 @@ fn test_back_and_forth(params: &E::Params) { let mont = mont_p1.add(&mont_p2, params).mul(s, params); let edwards = edwards_p1.add(&edwards_p2, params).mul(s, params); - assert!( - montgomery::Point::from_edwards(&edwards, params) == mont - ); + assert!(montgomery::Point::from_edwards(&edwards, params) == mont); - assert!( - edwards::Point::from_montgomery(&mont, params) == edwards - ); + assert!(edwards::Point::from_montgomery(&mont, params) == edwards); } } @@ -411,8 +387,7 @@ fn test_jubjub_params(params: &E::Params) { let mut pacc = E::Fs::zero().into_repr(); let mut nacc = E::Fs::char(); - for _ in 0..params.pedersen_hash_chunks_per_generator() - { + for _ in 0..params.pedersen_hash_chunks_per_generator() { // tmp = cur * 4 let mut tmp = cur; tmp.mul2(); diff --git a/zcash_primitives/src/keys.rs b/zcash_primitives/src/keys.rs index ae2c77afc..ad86059b0 100644 --- a/zcash_primitives/src/keys.rs +++ b/zcash_primitives/src/keys.rs @@ -2,12 +2,12 @@ //! //! Implements section 4.2.2 of the Zcash Protocol Specification. -use blake2b_simd::{Hash as Blake2bHash, Params as Blake2bParams}; -use ff::{PrimeField, PrimeFieldRepr}; use crate::{ jubjub::{edwards, FixedGenerators, JubjubEngine, JubjubParams, ToUniform, Unknown}, primitives::{ProofGenerationKey, ViewingKey}, }; +use blake2b_simd::{Hash as Blake2bHash, Params as Blake2bParams}; +use ff::{PrimeField, PrimeFieldRepr}; use std::io::{self, Read, Write}; pub const PRF_EXPAND_PERSONALIZATION: &'static [u8; 16] = b"Zcash_ExpandSeed"; @@ -187,8 +187,8 @@ impl FullViewingKey { #[cfg(test)] mod tests { - use pairing::bls12_381::Bls12; use crate::jubjub::{edwards, FixedGenerators, JubjubParams, PrimeOrder}; + use pairing::bls12_381::Bls12; use std::error::Error; use super::FullViewingKey; diff --git a/zcash_primitives/src/note_encryption.rs b/zcash_primitives/src/note_encryption.rs index e6804cf66..5412945bc 100644 --- a/zcash_primitives/src/note_encryption.rs +++ b/zcash_primitives/src/note_encryption.rs @@ -1,11 +1,5 @@ //! Implementation of in-band secret distribution for Zcash transactions. -use blake2b_simd::{Hash as Blake2bHash, Params as Blake2bParams}; -use byteorder::{LittleEndian, ReadBytesExt, WriteBytesExt}; -use crypto_api_chachapoly::{ChaCha20Ietf, ChachaPolyIetf}; -use ff::{PrimeField, PrimeFieldRepr}; -use pairing::bls12_381::{Bls12, Fr}; -use rand_core::{CryptoRng, RngCore}; use crate::{ jubjub::{ edwards, @@ -14,6 +8,12 @@ use crate::{ }, primitives::{Diversifier, Note, PaymentAddress}, }; +use blake2b_simd::{Hash as Blake2bHash, Params as Blake2bParams}; +use byteorder::{LittleEndian, ReadBytesExt, WriteBytesExt}; +use crypto_api_chachapoly::{ChaCha20Ietf, ChachaPolyIetf}; +use ff::{PrimeField, PrimeFieldRepr}; +use pairing::bls12_381::{Bls12, Fr}; +use rand_core::{CryptoRng, RngCore}; use std::fmt; use std::str; @@ -544,11 +544,6 @@ pub fn try_sapling_output_recovery( #[cfg(test)] mod tests { - use crypto_api_chachapoly::ChachaPolyIetf; - use ff::{Field, PrimeField, PrimeFieldRepr}; - use pairing::bls12_381::{Bls12, Fr, FrRepr}; - use rand_core::{CryptoRng, RngCore}; - use rand_os::OsRng; use crate::{ jubjub::{ edwards, @@ -557,6 +552,11 @@ mod tests { }, primitives::{Diversifier, PaymentAddress, ValueCommitment}, }; + use crypto_api_chachapoly::ChachaPolyIetf; + use ff::{Field, PrimeField, PrimeFieldRepr}; + use pairing::bls12_381::{Bls12, Fr, FrRepr}; + use rand_core::{CryptoRng, RngCore}; + use rand_os::OsRng; use super::{ kdf_sapling, prf_ock, sapling_ka_agree, try_sapling_compact_note_decryption, diff --git a/zcash_primitives/src/pedersen_hash.rs b/zcash_primitives/src/pedersen_hash.rs index aacca3791..f21b17bfa 100644 --- a/zcash_primitives/src/pedersen_hash.rs +++ b/zcash_primitives/src/pedersen_hash.rs @@ -4,14 +4,13 @@ use jubjub::*; #[derive(Copy, Clone)] pub enum Personalization { NoteCommitment, - MerkleTree(usize) + MerkleTree(usize), } impl Personalization { pub fn get_bits(&self) -> Vec { match *self { - Personalization::NoteCommitment => - vec![true, true, true, true, true, true], + Personalization::NoteCommitment => vec![true, true, true, true, true, true], Personalization::MerkleTree(num) => { assert!(num < 63); @@ -24,12 +23,16 @@ impl Personalization { pub fn pedersen_hash( personalization: Personalization, bits: I, - params: &E::Params + params: &E::Params, ) -> edwards::Point - where I: IntoIterator, - E: JubjubEngine +where + I: IntoIterator, + E: JubjubEngine, { - let mut bits = personalization.get_bits().into_iter().chain(bits.into_iter()); + let mut bits = personalization + .get_bits() + .into_iter() + .chain(bits.into_iter()); let mut result = edwards::Point::zero(); let mut generators = params.pedersen_hash_exp_table().iter(); @@ -79,12 +82,13 @@ pub fn pedersen_hash( break; } - let mut table: &[Vec>] = &generators.next().expect("we don't have enough generators"); + let mut table: &[Vec>] = + &generators.next().expect("we don't have enough generators"); let window = JubjubBls12::pedersen_hash_exp_window_size(); let window_mask = (1 << window) - 1; let mut acc = acc.into_repr(); - + let mut tmp = edwards::Point::zero(); while !acc.is_zero() { diff --git a/zcash_primitives/src/primitives.rs b/zcash_primitives/src/primitives.rs index 4026392cd..d1282b71e 100644 --- a/zcash_primitives/src/primitives.rs +++ b/zcash_primitives/src/primitives.rs @@ -4,60 +4,47 @@ use constants; use group_hash::group_hash; -use pedersen_hash::{ - pedersen_hash, - Personalization -}; +use pedersen_hash::{pedersen_hash, Personalization}; -use byteorder::{ - LittleEndian, - WriteBytesExt -}; +use byteorder::{LittleEndian, WriteBytesExt}; -use jubjub::{ - JubjubEngine, - JubjubParams, - edwards, - PrimeOrder, - FixedGenerators -}; +use jubjub::{edwards, FixedGenerators, JubjubEngine, JubjubParams, PrimeOrder}; use blake2s_simd::Params as Blake2sParams; #[derive(Clone)] pub struct ValueCommitment { pub value: u64, - pub randomness: E::Fs + pub randomness: E::Fs, } impl ValueCommitment { - pub fn cm( - &self, - params: &E::Params - ) -> edwards::Point - { - params.generator(FixedGenerators::ValueCommitmentValue) - .mul(self.value, params) - .add( - ¶ms.generator(FixedGenerators::ValueCommitmentRandomness) - .mul(self.randomness, params), - params - ) + pub fn cm(&self, params: &E::Params) -> edwards::Point { + params + .generator(FixedGenerators::ValueCommitmentValue) + .mul(self.value, params) + .add( + ¶ms + .generator(FixedGenerators::ValueCommitmentRandomness) + .mul(self.randomness, params), + params, + ) } } #[derive(Clone)] pub struct ProofGenerationKey { pub ak: edwards::Point, - pub nsk: E::Fs + pub nsk: E::Fs, } impl ProofGenerationKey { pub fn into_viewing_key(&self, params: &E::Params) -> ViewingKey { ViewingKey { ak: self.ak.clone(), - nk: params.generator(FixedGenerators::ProofGenerationKey) - .mul(self.nsk, params) + nk: params + .generator(FixedGenerators::ProofGenerationKey) + .mul(self.nsk, params), } } } @@ -65,19 +52,16 @@ impl ProofGenerationKey { #[derive(Debug)] pub struct ViewingKey { pub ak: edwards::Point, - pub nk: edwards::Point + pub nk: edwards::Point, } impl ViewingKey { - pub fn rk( - &self, - ar: E::Fs, - params: &E::Params - ) -> edwards::Point { + pub fn rk(&self, ar: E::Fs, params: &E::Params) -> edwards::Point { self.ak.add( - ¶ms.generator(FixedGenerators::SpendingKeyGenerator) - .mul(ar, params), - params + ¶ms + .generator(FixedGenerators::SpendingKeyGenerator) + .mul(ar, params), + params, ) } @@ -88,11 +72,13 @@ impl ViewingKey { self.nk.write(&mut preimage[32..64]).unwrap(); let mut h = [0; 32]; - h.copy_from_slice(Blake2sParams::new() - .hash_length(32) - .personal(constants::CRH_IVK_PERSONALIZATION) - .hash(&preimage) - .as_bytes()); + h.copy_from_slice( + Blake2sParams::new() + .hash_length(32) + .personal(constants::CRH_IVK_PERSONALIZATION) + .hash(&preimage) + .as_bytes(), + ); // Drop the most significant five bits, so it can be interpreted as a scalar. h[31] &= 0b0000_0111; @@ -106,15 +92,14 @@ impl ViewingKey { pub fn into_payment_address( &self, diversifier: Diversifier, - params: &E::Params - ) -> Option> - { + params: &E::Params, + ) -> Option> { diversifier.g_d(params).map(|g_d| { let pk_d = g_d.mul(self.ivk(), params); PaymentAddress { pk_d: pk_d, - diversifier: diversifier + diversifier: diversifier, } }) } @@ -126,17 +111,20 @@ pub struct Diversifier(pub [u8; 11]); impl Diversifier { pub fn g_d( &self, - params: &E::Params - ) -> Option> - { - group_hash::(&self.0, constants::KEY_DIVERSIFICATION_PERSONALIZATION, params) + params: &E::Params, + ) -> Option> { + group_hash::( + &self.0, + constants::KEY_DIVERSIFICATION_PERSONALIZATION, + params, + ) } } #[derive(Clone, Debug)] pub struct PaymentAddress { pub pk_d: edwards::Point, - pub diversifier: Diversifier + pub diversifier: Diversifier, } impl PartialEq for PaymentAddress { @@ -146,11 +134,7 @@ impl PartialEq for PaymentAddress { } impl PaymentAddress { - pub fn g_d( - &self, - params: &E::Params - ) -> Option> - { + pub fn g_d(&self, params: &E::Params) -> Option> { self.diversifier.g_d(params) } @@ -158,16 +142,13 @@ impl PaymentAddress { &self, value: u64, randomness: E::Fs, - params: &E::Params - ) -> Option> - { - self.g_d(params).map(|g_d| { - Note { - value: value, - r: randomness, - g_d: g_d, - pk_d: self.pk_d.clone() - } + params: &E::Params, + ) -> Option> { + self.g_d(params).map(|g_d| Note { + value: value, + r: randomness, + g_d: g_d, + pk_d: self.pk_d.clone(), }) } } @@ -181,7 +162,7 @@ pub struct Note { /// The public key of the address, g_d^ivk pub pk_d: edwards::Point, /// The commitment randomness - pub r: E::Fs + pub r: E::Fs, } impl PartialEq for Note { @@ -204,13 +185,14 @@ impl Note { } /// Computes the note commitment, returning the full point. - fn cm_full_point(&self, params: &E::Params) -> edwards::Point - { + fn cm_full_point(&self, params: &E::Params) -> edwards::Point { // Calculate the note contents, as bytes let mut note_contents = vec![]; // Writing the value in little endian - (&mut note_contents).write_u64::(self.value).unwrap(); + (&mut note_contents) + .write_u64::(self.value) + .unwrap(); // Write g_d self.g_d.write(&mut note_contents).unwrap(); @@ -223,36 +205,29 @@ impl Note { // Compute the Pedersen hash of the note contents let hash_of_contents = pedersen_hash( Personalization::NoteCommitment, - note_contents.into_iter() - .flat_map(|byte| { - (0..8).map(move |i| ((byte >> i) & 1) == 1) - }), - params + note_contents + .into_iter() + .flat_map(|byte| (0..8).map(move |i| ((byte >> i) & 1) == 1)), + params, ); // Compute final commitment - params.generator(FixedGenerators::NoteCommitmentRandomness) - .mul(self.r, params) - .add(&hash_of_contents, params) + params + .generator(FixedGenerators::NoteCommitmentRandomness) + .mul(self.r, params) + .add(&hash_of_contents, params) } /// Computes the nullifier given the viewing key and /// note position - pub fn nf( - &self, - viewing_key: &ViewingKey, - position: u64, - params: &E::Params - ) -> Vec - { + pub fn nf(&self, viewing_key: &ViewingKey, position: u64, params: &E::Params) -> Vec { // Compute rho = cm + position.G - let rho = self - .cm_full_point(params) - .add( - ¶ms.generator(FixedGenerators::NullifierPosition) - .mul(position, params), - params - ); + let rho = self.cm_full_point(params).add( + ¶ms + .generator(FixedGenerators::NullifierPosition) + .mul(position, params), + params, + ); // Compute nf = BLAKE2s(nk | rho) let mut nf_preimage = [0u8; 64]; @@ -267,8 +242,7 @@ impl Note { } /// Computes the note commitment - pub fn cm(&self, params: &E::Params) -> E::Fr - { + pub fn cm(&self, params: &E::Params) -> E::Fr { // The commitment is in the prime order subgroup, so mapping the // commitment to the x-coordinate is an injective encoding. self.cm_full_point(params).into_xy().0 diff --git a/zcash_primitives/src/prover.rs b/zcash_primitives/src/prover.rs index a434b4ea0..7c6673766 100644 --- a/zcash_primitives/src/prover.rs +++ b/zcash_primitives/src/prover.rs @@ -1,10 +1,10 @@ //! Abstractions over the proving system and parameters. -use pairing::bls12_381::{Bls12, Fr}; use crate::{ jubjub::{edwards, fs::Fs, Unknown}, primitives::{Diversifier, PaymentAddress, ProofGenerationKey}, }; +use pairing::bls12_381::{Bls12, Fr}; use crate::{ merkle_tree::CommitmentTreeWitness, diff --git a/zcash_primitives/src/redjubjub.rs b/zcash_primitives/src/redjubjub.rs index b7094191a..370f63d62 100644 --- a/zcash_primitives/src/redjubjub.rs +++ b/zcash_primitives/src/redjubjub.rs @@ -1,11 +1,9 @@ //! Implementation of RedJubjub, a specialization of RedDSA to the Jubjub curve. //! See section 5.4.6 of the Sapling protocol specification. +use crate::jubjub::{edwards::Point, FixedGenerators, JubjubEngine, JubjubParams, Unknown}; use ff::{Field, PrimeField, PrimeFieldRepr}; use rand_core::RngCore; -use crate::jubjub::{ - edwards::Point, FixedGenerators, JubjubEngine, JubjubParams, Unknown, -}; use std::io::{self, Read, Write}; use util::hash_to_scalar; @@ -150,10 +148,15 @@ impl PublicKey { Err(_) => return false, }; // 0 = h_G(-S . P_G + R + c . vk) - self.0.mul(c, params).add(&r, params).add( - ¶ms.generator(p_g).mul(s, params).negate().into(), - params - ).mul_by_cofactor(params).eq(&Point::zero()) + self.0 + .mul(c, params) + .add(&r, params) + .add( + ¶ms.generator(p_g).mul(s, params).negate().into(), + params, + ) + .mul_by_cofactor(params) + .eq(&Point::zero()) } } @@ -170,8 +173,7 @@ pub fn batch_verify<'a, E: JubjubEngine, R: RngCore>( batch: &[BatchEntry<'a, E>], p_g: FixedGenerators, params: &E::Params, -) -> bool -{ +) -> bool { let mut acc = Point::::zero(); for entry in batch { @@ -218,8 +220,8 @@ mod tests { #[test] fn test_batch_verify() { let rng = &mut XorShiftRng::from_seed([ - 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, - 0xe5, + 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, + 0xbc, 0xe5, ]); let params = &JubjubBls12::new(); let p_g = FixedGenerators::SpendingKeyGenerator; @@ -237,8 +239,16 @@ mod tests { assert!(vk2.verify(msg2, &sig2, p_g, params)); let mut batch = vec![ - BatchEntry { vk: vk1, msg: msg1, sig: sig1 }, - BatchEntry { vk: vk2, msg: msg2, sig: sig2 } + BatchEntry { + vk: vk1, + msg: msg1, + sig: sig1, + }, + BatchEntry { + vk: vk2, + msg: msg2, + sig: sig2, + }, ]; assert!(batch_verify(rng, &batch, p_g, params)); @@ -251,8 +261,8 @@ mod tests { #[test] fn cofactor_check() { let rng = &mut XorShiftRng::from_seed([ - 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, - 0xe5, + 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, + 0xbc, 0xe5, ]); let params = &JubjubBls12::new(); let zero = edwards::Point::zero(); @@ -286,8 +296,8 @@ mod tests { #[test] fn round_trip_serialization() { let rng = &mut XorShiftRng::from_seed([ - 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, - 0xe5, + 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, + 0xbc, 0xe5, ]); let p_g = FixedGenerators::SpendingKeyGenerator; let params = &JubjubBls12::new(); @@ -322,8 +332,8 @@ mod tests { #[test] fn random_signatures() { let rng = &mut XorShiftRng::from_seed([ - 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, - 0xe5, + 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, + 0xbc, 0xe5, ]); let p_g = FixedGenerators::SpendingKeyGenerator; let params = &JubjubBls12::new(); diff --git a/zcash_primitives/src/sapling.rs b/zcash_primitives/src/sapling.rs index 4590c79b2..02282d321 100644 --- a/zcash_primitives/src/sapling.rs +++ b/zcash_primitives/src/sapling.rs @@ -1,13 +1,13 @@ //! Structs and constants specific to the Sapling shielded pool. -use ff::{BitIterator, PrimeField, PrimeFieldRepr}; -use pairing::bls12_381::{Bls12, Fr, FrRepr}; -use rand_core::{CryptoRng, RngCore}; use crate::{ jubjub::{fs::Fs, FixedGenerators, JubjubBls12}, pedersen_hash::{pedersen_hash, Personalization}, primitives::Note, }; +use ff::{BitIterator, PrimeField, PrimeFieldRepr}; +use pairing::bls12_381::{Bls12, Fr, FrRepr}; +use rand_core::{CryptoRng, RngCore}; use std::io::{self, Read, Write}; use crate::merkle_tree::Hashable; diff --git a/zcash_primitives/src/transaction/builder.rs b/zcash_primitives/src/transaction/builder.rs index f32af7a14..b0e96f59b 100644 --- a/zcash_primitives/src/transaction/builder.rs +++ b/zcash_primitives/src/transaction/builder.rs @@ -1,12 +1,12 @@ //! Structs for building transactions. -use ff::Field; -use pairing::bls12_381::{Bls12, Fr}; -use rand::{rngs::OsRng, seq::SliceRandom, CryptoRng, RngCore}; use crate::{ jubjub::fs::Fs, primitives::{Diversifier, Note, PaymentAddress}, }; +use ff::Field; +use pairing::bls12_381::{Bls12, Fr}; +use rand::{rngs::OsRng, seq::SliceRandom, CryptoRng, RngCore}; use zip32::ExtendedSpendingKey; use crate::{ diff --git a/zcash_primitives/src/transaction/components.rs b/zcash_primitives/src/transaction/components.rs index c8cfadc08..7d2ffbbbb 100644 --- a/zcash_primitives/src/transaction/components.rs +++ b/zcash_primitives/src/transaction/components.rs @@ -1,7 +1,7 @@ +use crate::jubjub::{edwards, Unknown}; use byteorder::{LittleEndian, ReadBytesExt, WriteBytesExt}; use ff::{PrimeField, PrimeFieldRepr}; use pairing::bls12_381::{Bls12, Fr, FrRepr}; -use crate::jubjub::{edwards, Unknown}; use std::io::{self, Read, Write}; use legacy::Script; diff --git a/zcash_primitives/src/zip32.rs b/zcash_primitives/src/zip32.rs index 44b55f569..74124068d 100644 --- a/zcash_primitives/src/zip32.rs +++ b/zcash_primitives/src/zip32.rs @@ -135,7 +135,10 @@ impl DiversifierKey { /// Returns the first index starting from j that generates a valid /// diversifier, along with the corresponding diversifier. Returns /// an error if the diversifier space is exhausted. - pub fn diversifier(&self, mut j: DiversifierIndex) -> Result<(DiversifierIndex, Diversifier), ()> { + pub fn diversifier( + &self, + mut j: DiversifierIndex, + ) -> Result<(DiversifierIndex, Diversifier), ()> { let ff = FF1::::new(&self.0, 2).unwrap(); loop { // Generate d_j diff --git a/zcash_proofs/examples/bench.rs b/zcash_proofs/examples/bench.rs index a187ec680..a5c8a1300 100644 --- a/zcash_proofs/examples/bench.rs +++ b/zcash_proofs/examples/bench.rs @@ -1,30 +1,20 @@ -extern crate ff; extern crate bellman; +extern crate ff; extern crate pairing; extern crate rand_core; extern crate rand_xorshift; extern crate zcash_primitives; extern crate zcash_proofs; -use ff::Field; -use std::time::{Duration, Instant}; -use zcash_primitives::jubjub::{ - JubjubBls12, - edwards, - fs, -}; -use zcash_proofs::circuit::sapling::{ - Spend -}; -use zcash_primitives::primitives::{ - Diversifier, - ProofGenerationKey, - ValueCommitment -}; use bellman::groth16::*; +use ff::Field; +use pairing::bls12_381::{Bls12, Fr}; use rand_core::{RngCore, SeedableRng}; use rand_xorshift::XorShiftRng; -use pairing::bls12_381::{Bls12, Fr}; +use std::time::{Duration, Instant}; +use zcash_primitives::jubjub::{edwards, fs, JubjubBls12}; +use zcash_primitives::primitives::{Diversifier, ProofGenerationKey, ValueCommitment}; +use zcash_proofs::circuit::sapling::Spend; const TREE_DEPTH: usize = 32; @@ -45,10 +35,11 @@ fn main() { commitment_randomness: None, ar: None, auth_path: vec![None; TREE_DEPTH], - anchor: None + anchor: None, }, - rng - ).unwrap(); + rng, + ) + .unwrap(); const SAMPLES: u32 = 50; @@ -56,7 +47,7 @@ fn main() { for _ in 0..SAMPLES { let value_commitment = ValueCommitment { value: 1, - randomness: fs::Fs::random(rng) + randomness: fs::Fs::random(rng), }; let nsk = fs::Fs::random(rng); @@ -64,7 +55,7 @@ fn main() { let proof_generation_key = ProofGenerationKey { ak: ak.clone(), - nsk: nsk.clone() + nsk: nsk.clone(), }; let viewing_key = proof_generation_key.into_viewing_key(jubjub_params); @@ -78,11 +69,7 @@ fn main() { Diversifier(d) }; - if let Some(p) = viewing_key.into_payment_address( - diversifier, - jubjub_params - ) - { + if let Some(p) = viewing_key.into_payment_address(diversifier, jubjub_params) { payment_address = p; break; } @@ -94,21 +81,25 @@ fn main() { let anchor = Fr::random(rng); let start = Instant::now(); - let _ = create_random_proof(Spend { - params: jubjub_params, - value_commitment: Some(value_commitment), - proof_generation_key: Some(proof_generation_key), - payment_address: Some(payment_address), - commitment_randomness: Some(commitment_randomness), - ar: Some(ar), - auth_path: auth_path, - anchor: Some(anchor) - }, &groth_params, rng).unwrap(); + let _ = create_random_proof( + Spend { + params: jubjub_params, + value_commitment: Some(value_commitment), + proof_generation_key: Some(proof_generation_key), + payment_address: Some(payment_address), + commitment_randomness: Some(commitment_randomness), + ar: Some(ar), + auth_path: auth_path, + anchor: Some(anchor), + }, + &groth_params, + rng, + ) + .unwrap(); total_time += start.elapsed(); } let avg = total_time / SAMPLES; - let avg = avg.subsec_nanos() as f64 / 1_000_000_000f64 - + (avg.as_secs() as f64); + let avg = avg.subsec_nanos() as f64 / 1_000_000_000f64 + (avg.as_secs() as f64); println!("Average proving time (in seconds): {}", avg); } diff --git a/zcash_proofs/src/circuit/ecc.rs b/zcash_proofs/src/circuit/ecc.rs index 593c57d24..4c0782987 100644 --- a/zcash_proofs/src/circuit/ecc.rs +++ b/zcash_proofs/src/circuit/ecc.rs @@ -1,37 +1,22 @@ use ff::Field; use pairing::Engine; -use bellman::{ - SynthesisError, - ConstraintSystem -}; +use bellman::{ConstraintSystem, SynthesisError}; -use bellman::gadgets::{ - Assignment -}; +use bellman::gadgets::Assignment; -use bellman::gadgets::num::{ - AllocatedNum, - Num -}; +use bellman::gadgets::num::{AllocatedNum, Num}; -use zcash_primitives::jubjub::{ - edwards, - JubjubEngine, - JubjubParams, - FixedGenerators -}; +use zcash_primitives::jubjub::{edwards, FixedGenerators, JubjubEngine, JubjubParams}; -use bellman::gadgets::lookup::{ - lookup3_xy -}; +use bellman::gadgets::lookup::lookup3_xy; use bellman::gadgets::boolean::Boolean; #[derive(Clone)] pub struct EdwardsPoint { x: AllocatedNum, - y: AllocatedNum + y: AllocatedNum, } /// Perform a fixed-base scalar multiplication with @@ -40,32 +25,40 @@ pub fn fixed_base_multiplication( mut cs: CS, base: FixedGenerators, by: &[Boolean], - params: &E::Params + params: &E::Params, ) -> Result, SynthesisError> - where CS: ConstraintSystem, - E: JubjubEngine +where + CS: ConstraintSystem, + E: JubjubEngine, { // Represents the result of the multiplication let mut result = None; - for (i, (chunk, window)) in by.chunks(3) - .zip(params.circuit_generators(base).iter()) - .enumerate() + for (i, (chunk, window)) in by + .chunks(3) + .zip(params.circuit_generators(base).iter()) + .enumerate() { - let chunk_a = chunk.get(0).map(|e| e.clone()).unwrap_or(Boolean::constant(false)); - let chunk_b = chunk.get(1).map(|e| e.clone()).unwrap_or(Boolean::constant(false)); - let chunk_c = chunk.get(2).map(|e| e.clone()).unwrap_or(Boolean::constant(false)); + let chunk_a = chunk + .get(0) + .map(|e| e.clone()) + .unwrap_or(Boolean::constant(false)); + let chunk_b = chunk + .get(1) + .map(|e| e.clone()) + .unwrap_or(Boolean::constant(false)); + let chunk_c = chunk + .get(2) + .map(|e| e.clone()) + .unwrap_or(Boolean::constant(false)); let (x, y) = lookup3_xy( cs.namespace(|| format!("window table lookup {}", i)), &[chunk_a, chunk_b, chunk_c], - window + window, )?; - let p = EdwardsPoint { - x: x, - y: y - }; + let p = EdwardsPoint { x: x, y: y }; if result.is_none() { result = Some(p); @@ -73,7 +66,7 @@ pub fn fixed_base_multiplication( result = Some(result.unwrap().add( cs.namespace(|| format!("addition {}", i)), &p, - params + params, )?); } } @@ -93,22 +86,14 @@ impl EdwardsPoint { pub fn assert_not_small_order( &self, mut cs: CS, - params: &E::Params + params: &E::Params, ) -> Result<(), SynthesisError> - where CS: ConstraintSystem + where + CS: ConstraintSystem, { - let tmp = self.double( - cs.namespace(|| "first doubling"), - params - )?; - let tmp = tmp.double( - cs.namespace(|| "second doubling"), - params - )?; - let tmp = tmp.double( - cs.namespace(|| "third doubling"), - params - )?; + let tmp = self.double(cs.namespace(|| "first doubling"), params)?; + let tmp = tmp.double(cs.namespace(|| "second doubling"), params)?; + let tmp = tmp.double(cs.namespace(|| "third doubling"), params)?; // (0, -1) is a small order point, but won't ever appear here // because cofactor is 2^3, and we performed three doublings. @@ -119,11 +104,9 @@ impl EdwardsPoint { Ok(()) } - pub fn inputize( - &self, - mut cs: CS - ) -> Result<(), SynthesisError> - where CS: ConstraintSystem + pub fn inputize(&self, mut cs: CS) -> Result<(), SynthesisError> + where + CS: ConstraintSystem, { self.x.inputize(cs.namespace(|| "x"))?; self.y.inputize(cs.namespace(|| "y"))?; @@ -132,21 +115,15 @@ impl EdwardsPoint { } /// This converts the point into a representation. - pub fn repr( - &self, - mut cs: CS - ) -> Result, SynthesisError> - where CS: ConstraintSystem + pub fn repr(&self, mut cs: CS) -> Result, SynthesisError> + where + CS: ConstraintSystem, { let mut tmp = vec![]; - let x = self.x.into_bits_le_strict( - cs.namespace(|| "unpack x") - )?; + let x = self.x.into_bits_le_strict(cs.namespace(|| "unpack x"))?; - let y = self.y.into_bits_le_strict( - cs.namespace(|| "unpack y") - )?; + let y = self.y.into_bits_le_strict(cs.namespace(|| "unpack y"))?; tmp.extend(y); tmp.push(x[0].clone()); @@ -159,34 +136,20 @@ impl EdwardsPoint { pub fn witness( mut cs: CS, p: Option>, - params: &E::Params + params: &E::Params, ) -> Result - where CS: ConstraintSystem + where + CS: ConstraintSystem, { let p = p.map(|p| p.into_xy()); // Allocate x - let x = AllocatedNum::alloc( - cs.namespace(|| "x"), - || { - Ok(p.get()?.0) - } - )?; + let x = AllocatedNum::alloc(cs.namespace(|| "x"), || Ok(p.get()?.0))?; // Allocate y - let y = AllocatedNum::alloc( - cs.namespace(|| "y"), - || { - Ok(p.get()?.1) - } - )?; + let y = AllocatedNum::alloc(cs.namespace(|| "y"), || Ok(p.get()?.1))?; - Self::interpret( - cs.namespace(|| "point interpretation"), - &x, - &y, - params - ) + Self::interpret(cs.namespace(|| "point interpretation"), &x, &y, params) } /// Returns `self` if condition is true, and the neutral @@ -194,9 +157,10 @@ impl EdwardsPoint { pub fn conditionally_select( &self, mut cs: CS, - condition: &Boolean + condition: &Boolean, ) -> Result - where CS: ConstraintSystem + where + CS: ConstraintSystem, { // Compute x' = self.x if condition, and 0 otherwise let x_prime = AllocatedNum::alloc(cs.namespace(|| "x'"), || { @@ -215,7 +179,7 @@ impl EdwardsPoint { || "x' computation", |lc| lc + self.x.get_variable(), |_| condition.lc(one, E::Fr::one()), - |lc| lc + x_prime.get_variable() + |lc| lc + x_prime.get_variable(), ); // Compute y' = self.y if condition, and 1 otherwise @@ -234,13 +198,12 @@ impl EdwardsPoint { || "y' computation", |lc| lc + self.y.get_variable(), |_| condition.lc(one, E::Fr::one()), - |lc| lc + y_prime.get_variable() - - &condition.not().lc(one, E::Fr::one()) + |lc| lc + y_prime.get_variable() - &condition.not().lc(one, E::Fr::one()), ); Ok(EdwardsPoint { x: x_prime, - y: y_prime + y: y_prime, }) } @@ -251,9 +214,10 @@ impl EdwardsPoint { &self, mut cs: CS, by: &[Boolean], - params: &E::Params + params: &E::Params, ) -> Result - where CS: ConstraintSystem + where + CS: ConstraintSystem, { // Represents the current "magnitude" of the base // that we're operating over. Starts at self, @@ -269,8 +233,9 @@ impl EdwardsPoint { } else { // Double the previous value curbase = Some( - curbase.unwrap() - .double(cs.namespace(|| format!("doubling {}", i)), params)? + curbase + .unwrap() + .double(cs.namespace(|| format!("doubling {}", i)), params)?, ); } @@ -278,12 +243,10 @@ impl EdwardsPoint { // is true, this will return `curbase`. Otherwise it will // return the neutral element, which will have no effect on // the result. - let thisbase = curbase.as_ref() - .unwrap() - .conditionally_select( - cs.namespace(|| format!("selection {}", i)), - bit - )?; + let thisbase = curbase + .as_ref() + .unwrap() + .conditionally_select(cs.namespace(|| format!("selection {}", i)), bit)?; if result.is_none() { result = Some(thisbase); @@ -291,7 +254,7 @@ impl EdwardsPoint { result = Some(result.unwrap().add( cs.namespace(|| format!("addition {}", i)), &thisbase, - params + params, )?); } } @@ -303,9 +266,10 @@ impl EdwardsPoint { mut cs: CS, x: &AllocatedNum, y: &AllocatedNum, - params: &E::Params + params: &E::Params, ) -> Result - where CS: ConstraintSystem + where + CS: ConstraintSystem, { // -x^2 + y^2 = 1 + dx^2y^2 @@ -316,25 +280,20 @@ impl EdwardsPoint { let one = CS::one(); cs.enforce( || "on curve check", - |lc| lc - x2.get_variable() - + y2.get_variable(), + |lc| lc - x2.get_variable() + y2.get_variable(), |lc| lc + one, - |lc| lc + one - + (*params.edwards_d(), x2y2.get_variable()) + |lc| lc + one + (*params.edwards_d(), x2y2.get_variable()), ); Ok(EdwardsPoint { x: x.clone(), - y: y.clone() + y: y.clone(), }) } - pub fn double( - &self, - mut cs: CS, - params: &E::Params - ) -> Result - where CS: ConstraintSystem + pub fn double(&self, mut cs: CS, params: &E::Params) -> Result + where + CS: ConstraintSystem, { // Compute T = (x1 + y1) * (x1 + y1) let t = AllocatedNum::alloc(cs.namespace(|| "T"), || { @@ -351,11 +310,9 @@ impl EdwardsPoint { cs.enforce( || "T computation", - |lc| lc + self.x.get_variable() - + self.y.get_variable(), - |lc| lc + self.x.get_variable() - + self.y.get_variable(), - |lc| lc + t.get_variable() + |lc| lc + self.x.get_variable() + self.y.get_variable(), + |lc| lc + self.x.get_variable() + self.y.get_variable(), + |lc| lc + t.get_variable(), ); // Compute A = x1 * y1 @@ -374,7 +331,7 @@ impl EdwardsPoint { || "C computation", |lc| lc + (*params.edwards_d(), a.get_variable()), |lc| lc + a.get_variable(), - |lc| lc + c.get_variable() + |lc| lc + c.get_variable(), ); // Compute x3 = (2.A) / (1 + C) @@ -390,10 +347,8 @@ impl EdwardsPoint { t0.mul_assign(&t1); Ok(t0) - }, - None => { - Err(SynthesisError::DivisionByZero) } + None => Err(SynthesisError::DivisionByZero), } })?; @@ -402,8 +357,7 @@ impl EdwardsPoint { || "x3 computation", |lc| lc + one + c.get_variable(), |lc| lc + x3.get_variable(), - |lc| lc + a.get_variable() - + a.get_variable() + |lc| lc + a.get_variable() + a.get_variable(), ); // Compute y3 = (U - 2.A) / (1 - C) @@ -421,10 +375,8 @@ impl EdwardsPoint { t0.mul_assign(&t1); Ok(t0) - }, - None => { - Err(SynthesisError::DivisionByZero) } + None => Err(SynthesisError::DivisionByZero), } })?; @@ -432,15 +384,10 @@ impl EdwardsPoint { || "y3 computation", |lc| lc + one - c.get_variable(), |lc| lc + y3.get_variable(), - |lc| lc + t.get_variable() - - a.get_variable() - - a.get_variable() + |lc| lc + t.get_variable() - a.get_variable() - a.get_variable(), ); - Ok(EdwardsPoint { - x: x3, - y: y3 - }) + Ok(EdwardsPoint { x: x3, y: y3 }) } /// Perform addition between any two points @@ -448,9 +395,10 @@ impl EdwardsPoint { &self, mut cs: CS, other: &Self, - params: &E::Params + params: &E::Params, ) -> Result - where CS: ConstraintSystem + where + CS: ConstraintSystem, { // Compute U = (x1 + y1) * (x2 + y2) let u = AllocatedNum::alloc(cs.namespace(|| "U"), || { @@ -467,11 +415,9 @@ impl EdwardsPoint { cs.enforce( || "U computation", - |lc| lc + self.x.get_variable() - + self.y.get_variable(), - |lc| lc + other.x.get_variable() - + other.y.get_variable(), - |lc| lc + u.get_variable() + |lc| lc + self.x.get_variable() + self.y.get_variable(), + |lc| lc + other.x.get_variable() + other.y.get_variable(), + |lc| lc + u.get_variable(), ); // Compute A = y2 * x1 @@ -493,7 +439,7 @@ impl EdwardsPoint { || "C computation", |lc| lc + (*params.edwards_d(), a.get_variable()), |lc| lc + b.get_variable(), - |lc| lc + c.get_variable() + |lc| lc + c.get_variable(), ); // Compute x3 = (A + B) / (1 + C) @@ -509,10 +455,8 @@ impl EdwardsPoint { t0.mul_assign(&t1); Ok(t0) - }, - None => { - Err(SynthesisError::DivisionByZero) } + None => Err(SynthesisError::DivisionByZero), } })?; @@ -521,8 +465,7 @@ impl EdwardsPoint { || "x3 computation", |lc| lc + one + c.get_variable(), |lc| lc + x3.get_variable(), - |lc| lc + a.get_variable() - + b.get_variable() + |lc| lc + a.get_variable() + b.get_variable(), ); // Compute y3 = (U - A - B) / (1 - C) @@ -539,10 +482,8 @@ impl EdwardsPoint { t0.mul_assign(&t1); Ok(t0) - }, - None => { - Err(SynthesisError::DivisionByZero) } + None => Err(SynthesisError::DivisionByZero), } })?; @@ -550,21 +491,16 @@ impl EdwardsPoint { || "y3 computation", |lc| lc + one - c.get_variable(), |lc| lc + y3.get_variable(), - |lc| lc + u.get_variable() - - a.get_variable() - - b.get_variable() + |lc| lc + u.get_variable() - a.get_variable() - b.get_variable(), ); - Ok(EdwardsPoint { - x: x3, - y: y3 - }) + Ok(EdwardsPoint { x: x3, y: y3 }) } } pub struct MontgomeryPoint { x: Num, - y: Num + y: Num, } impl MontgomeryPoint { @@ -574,9 +510,10 @@ impl MontgomeryPoint { pub fn into_edwards( &self, mut cs: CS, - params: &E::Params + params: &E::Params, ) -> Result, SynthesisError> - where CS: ConstraintSystem + where + CS: ConstraintSystem, { // Compute u = (scale*x) / y let u = AllocatedNum::alloc(cs.namespace(|| "u"), || { @@ -588,10 +525,8 @@ impl MontgomeryPoint { t0.mul_assign(&invy); Ok(t0) - }, - None => { - Err(SynthesisError::DivisionByZero) } + None => Err(SynthesisError::DivisionByZero), } })?; @@ -599,7 +534,7 @@ impl MontgomeryPoint { || "u computation", |lc| lc + &self.y.lc(E::Fr::one()), |lc| lc + u.get_variable(), - |lc| lc + &self.x.lc(*params.scale()) + |lc| lc + &self.x.lc(*params.scale()), ); // Compute v = (x - 1) / (x + 1) @@ -614,42 +549,28 @@ impl MontgomeryPoint { t0.mul_assign(&t1); Ok(t0) - }, - None => { - Err(SynthesisError::DivisionByZero) } + None => Err(SynthesisError::DivisionByZero), } })?; let one = CS::one(); cs.enforce( || "v computation", - |lc| lc + &self.x.lc(E::Fr::one()) - + one, + |lc| lc + &self.x.lc(E::Fr::one()) + one, |lc| lc + v.get_variable(), - |lc| lc + &self.x.lc(E::Fr::one()) - - one, + |lc| lc + &self.x.lc(E::Fr::one()) - one, ); - Ok(EdwardsPoint { - x: u, - y: v - }) + Ok(EdwardsPoint { x: u, y: v }) } /// Interprets an (x, y) pair as a point /// in Montgomery, does not check that it's /// on the curve. Useful for constants and /// window table lookups. - pub fn interpret_unchecked( - x: Num, - y: Num - ) -> Self - { - MontgomeryPoint { - x: x, - y: y - } + pub fn interpret_unchecked(x: Num, y: Num) -> Self { + MontgomeryPoint { x: x, y: y } } /// Performs an affine point addition, not defined for @@ -658,9 +579,10 @@ impl MontgomeryPoint { &self, mut cs: CS, other: &Self, - params: &E::Params + params: &E::Params, ) -> Result - where CS: ConstraintSystem + where + CS: ConstraintSystem, { // Compute lambda = (y' - y) / (x' - x) let lambda = AllocatedNum::alloc(cs.namespace(|| "lambda"), || { @@ -674,22 +596,16 @@ impl MontgomeryPoint { Some(d) => { n.mul_assign(&d); Ok(n) - }, - None => { - Err(SynthesisError::DivisionByZero) } + None => Err(SynthesisError::DivisionByZero), } })?; cs.enforce( || "evaluate lambda", - |lc| lc + &other.x.lc(E::Fr::one()) - - &self.x.lc(E::Fr::one()), - + |lc| lc + &other.x.lc(E::Fr::one()) - &self.x.lc(E::Fr::one()), |lc| lc + lambda.get_variable(), - - |lc| lc + &other.y.lc(E::Fr::one()) - - &self.y.lc(E::Fr::one()) + |lc| lc + &other.y.lc(E::Fr::one()) - &self.y.lc(E::Fr::one()), ); // Compute x'' = lambda^2 - A - x - x' @@ -709,10 +625,12 @@ impl MontgomeryPoint { || "evaluate xprime", |lc| lc + lambda.get_variable(), |lc| lc + lambda.get_variable(), - |lc| lc + (*params.montgomery_a(), one) + |lc| { + lc + (*params.montgomery_a(), one) + &self.x.lc(E::Fr::one()) + &other.x.lc(E::Fr::one()) + xprime.get_variable() + }, ); // Compute y' = -(y + lambda(x' - x)) @@ -729,57 +647,41 @@ impl MontgomeryPoint { // y' + y = lambda(x - x') cs.enforce( || "evaluate yprime", - |lc| lc + &self.x.lc(E::Fr::one()) - - xprime.get_variable(), - + |lc| lc + &self.x.lc(E::Fr::one()) - xprime.get_variable(), |lc| lc + lambda.get_variable(), - - |lc| lc + yprime.get_variable() - + &self.y.lc(E::Fr::one()) + |lc| lc + yprime.get_variable() + &self.y.lc(E::Fr::one()), ); Ok(MontgomeryPoint { x: xprime.into(), - y: yprime.into() + y: yprime.into(), }) } } #[cfg(test)] mod test { - use bellman::{ConstraintSystem}; + use bellman::ConstraintSystem; use ff::{BitIterator, Field, PrimeField}; use pairing::bls12_381::{Bls12, Fr}; use rand_core::{RngCore, SeedableRng}; use rand_xorshift::XorShiftRng; use bellman::gadgets::test::*; - use zcash_primitives::jubjub::{ - montgomery, - edwards, - JubjubBls12, - JubjubParams, - FixedGenerators - }; use zcash_primitives::jubjub::fs::Fs; + use zcash_primitives::jubjub::{ + edwards, montgomery, FixedGenerators, JubjubBls12, JubjubParams, + }; - use super::{ - MontgomeryPoint, - EdwardsPoint, - AllocatedNum, - fixed_base_multiplication - }; - use bellman::gadgets::boolean::{ - Boolean, - AllocatedBit - }; + use super::{fixed_base_multiplication, AllocatedNum, EdwardsPoint, MontgomeryPoint}; + use bellman::gadgets::boolean::{AllocatedBit, Boolean}; #[test] fn test_into_edwards() { let params = &JubjubBls12::new(); let rng = &mut XorShiftRng::from_seed([ - 0x59, 0x62, 0xbe, 0x3d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, - 0xe5, + 0x59, 0x62, 0xbe, 0x3d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, + 0xbc, 0xe5, ]); for _ in 0..100 { @@ -789,12 +691,8 @@ mod test { let (u, v) = edwards::Point::from_montgomery(&p, params).into_xy(); let (x, y) = p.into_xy().unwrap(); - let numx = AllocatedNum::alloc(cs.namespace(|| "mont x"), || { - Ok(x) - }).unwrap(); - let numy = AllocatedNum::alloc(cs.namespace(|| "mont y"), || { - Ok(y) - }).unwrap(); + let numx = AllocatedNum::alloc(cs.namespace(|| "mont x"), || Ok(x)).unwrap(); + let numy = AllocatedNum::alloc(cs.namespace(|| "mont y"), || Ok(y)).unwrap(); let p = MontgomeryPoint::interpret_unchecked(numx.into(), numy.into()); @@ -820,19 +718,15 @@ mod test { fn test_interpret() { let params = &JubjubBls12::new(); let rng = &mut XorShiftRng::from_seed([ - 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, - 0xe5, + 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, + 0xbc, 0xe5, ]); for _ in 0..100 { let p = edwards::Point::::rand(rng, ¶ms); let mut cs = TestConstraintSystem::::new(); - let q = EdwardsPoint::witness( - &mut cs, - Some(p.clone()), - ¶ms - ).unwrap(); + let q = EdwardsPoint::witness(&mut cs, Some(p.clone()), ¶ms).unwrap(); let p = p.into_xy(); @@ -846,12 +740,8 @@ mod test { let (x, y) = p.into_xy(); let mut cs = TestConstraintSystem::::new(); - let numx = AllocatedNum::alloc(cs.namespace(|| "x"), || { - Ok(x) - }).unwrap(); - let numy = AllocatedNum::alloc(cs.namespace(|| "y"), || { - Ok(y) - }).unwrap(); + let numx = AllocatedNum::alloc(cs.namespace(|| "x"), || Ok(x)).unwrap(); + let numy = AllocatedNum::alloc(cs.namespace(|| "y"), || Ok(y)).unwrap(); let p = EdwardsPoint::interpret(&mut cs, &numx, &numy, ¶ms).unwrap(); @@ -866,12 +756,8 @@ mod test { let y = Fr::random(rng); let mut cs = TestConstraintSystem::::new(); - let numx = AllocatedNum::alloc(cs.namespace(|| "x"), || { - Ok(x) - }).unwrap(); - let numy = AllocatedNum::alloc(cs.namespace(|| "y"), || { - Ok(y) - }).unwrap(); + let numx = AllocatedNum::alloc(cs.namespace(|| "x"), || Ok(x)).unwrap(); + let numy = AllocatedNum::alloc(cs.namespace(|| "y"), || Ok(y)).unwrap(); EdwardsPoint::interpret(&mut cs, &numx, &numy, ¶ms).unwrap(); @@ -880,11 +766,11 @@ mod test { } #[test] - fn test_edwards_fixed_base_multiplication() { + fn test_edwards_fixed_base_multiplication() { let params = &JubjubBls12::new(); let rng = &mut XorShiftRng::from_seed([ - 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, - 0xe5, + 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, + 0xbc, 0xe5, ]); for _ in 0..100 { @@ -899,18 +785,23 @@ mod test { s_bits.reverse(); s_bits.truncate(Fs::NUM_BITS as usize); - let s_bits = s_bits.into_iter() - .enumerate() - .map(|(i, b)| AllocatedBit::alloc(cs.namespace(|| format!("scalar bit {}", i)), Some(b)).unwrap()) - .map(|v| Boolean::from(v)) - .collect::>(); + let s_bits = s_bits + .into_iter() + .enumerate() + .map(|(i, b)| { + AllocatedBit::alloc(cs.namespace(|| format!("scalar bit {}", i)), Some(b)) + .unwrap() + }) + .map(|v| Boolean::from(v)) + .collect::>(); let q = fixed_base_multiplication( cs.namespace(|| "multiplication"), FixedGenerators::NoteCommitmentRandomness, &s_bits, - params - ).unwrap(); + params, + ) + .unwrap(); assert_eq!(q.x.get_value().unwrap(), x1); assert_eq!(q.y.get_value().unwrap(), y1); @@ -921,8 +812,8 @@ mod test { fn test_edwards_multiplication() { let params = &JubjubBls12::new(); let rng = &mut XorShiftRng::from_seed([ - 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, - 0xe5, + 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, + 0xbc, 0xe5, ]); for _ in 0..100 { @@ -935,45 +826,37 @@ mod test { let (x0, y0) = p.into_xy(); let (x1, y1) = q.into_xy(); - let num_x0 = AllocatedNum::alloc(cs.namespace(|| "x0"), || { - Ok(x0) - }).unwrap(); - let num_y0 = AllocatedNum::alloc(cs.namespace(|| "y0"), || { - Ok(y0) - }).unwrap(); + let num_x0 = AllocatedNum::alloc(cs.namespace(|| "x0"), || Ok(x0)).unwrap(); + let num_y0 = AllocatedNum::alloc(cs.namespace(|| "y0"), || Ok(y0)).unwrap(); let p = EdwardsPoint { x: num_x0, - y: num_y0 + y: num_y0, }; let mut s_bits = BitIterator::new(s.into_repr()).collect::>(); s_bits.reverse(); s_bits.truncate(Fs::NUM_BITS as usize); - let s_bits = s_bits.into_iter() - .enumerate() - .map(|(i, b)| AllocatedBit::alloc(cs.namespace(|| format!("scalar bit {}", i)), Some(b)).unwrap()) - .map(|v| Boolean::from(v)) - .collect::>(); + let s_bits = s_bits + .into_iter() + .enumerate() + .map(|(i, b)| { + AllocatedBit::alloc(cs.namespace(|| format!("scalar bit {}", i)), Some(b)) + .unwrap() + }) + .map(|v| Boolean::from(v)) + .collect::>(); - let q = p.mul( - cs.namespace(|| "scalar mul"), - &s_bits, - params - ).unwrap(); + let q = p + .mul(cs.namespace(|| "scalar mul"), &s_bits, params) + .unwrap(); assert!(cs.is_satisfied()); - assert_eq!( - q.x.get_value().unwrap(), - x1 - ); + assert_eq!(q.x.get_value().unwrap(), x1); - assert_eq!( - q.y.get_value().unwrap(), - y1 - ); + assert_eq!(q.y.get_value().unwrap(), y1); } } @@ -981,8 +864,8 @@ mod test { fn test_conditionally_select() { let params = &JubjubBls12::new(); let rng = &mut XorShiftRng::from_seed([ - 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, - 0xe5, + 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, + 0xbc, 0xe5, ]); for _ in 0..1000 { @@ -992,26 +875,22 @@ mod test { let (x0, y0) = p.into_xy(); - let num_x0 = AllocatedNum::alloc(cs.namespace(|| "x0"), || { - Ok(x0) - }).unwrap(); - let num_y0 = AllocatedNum::alloc(cs.namespace(|| "y0"), || { - Ok(y0) - }).unwrap(); + let num_x0 = AllocatedNum::alloc(cs.namespace(|| "x0"), || Ok(x0)).unwrap(); + let num_y0 = AllocatedNum::alloc(cs.namespace(|| "y0"), || Ok(y0)).unwrap(); let p = EdwardsPoint { x: num_x0, - y: num_y0 + y: num_y0, }; let mut should_we_select = rng.next_u32() % 2 != 0; // Conditionally allocate let mut b = if rng.next_u32() % 2 != 0 { - Boolean::from(AllocatedBit::alloc( - cs.namespace(|| "condition"), - Some(should_we_select) - ).unwrap()) + Boolean::from( + AllocatedBit::alloc(cs.namespace(|| "condition"), Some(should_we_select)) + .unwrap(), + ) } else { Boolean::constant(should_we_select) }; @@ -1022,7 +901,9 @@ mod test { should_we_select = !should_we_select; } - let q = p.conditionally_select(cs.namespace(|| "select"), &b).unwrap(); + let q = p + .conditionally_select(cs.namespace(|| "select"), &b) + .unwrap(); assert!(cs.is_satisfied()); @@ -1050,8 +931,8 @@ mod test { fn test_edwards_addition() { let params = &JubjubBls12::new(); let rng = &mut XorShiftRng::from_seed([ - 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, - 0xe5, + 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, + 0xbc, 0xe5, ]); for _ in 0..100 { @@ -1066,28 +947,20 @@ mod test { let mut cs = TestConstraintSystem::::new(); - let num_x0 = AllocatedNum::alloc(cs.namespace(|| "x0"), || { - Ok(x0) - }).unwrap(); - let num_y0 = AllocatedNum::alloc(cs.namespace(|| "y0"), || { - Ok(y0) - }).unwrap(); + let num_x0 = AllocatedNum::alloc(cs.namespace(|| "x0"), || Ok(x0)).unwrap(); + let num_y0 = AllocatedNum::alloc(cs.namespace(|| "y0"), || Ok(y0)).unwrap(); - let num_x1 = AllocatedNum::alloc(cs.namespace(|| "x1"), || { - Ok(x1) - }).unwrap(); - let num_y1 = AllocatedNum::alloc(cs.namespace(|| "y1"), || { - Ok(y1) - }).unwrap(); + let num_x1 = AllocatedNum::alloc(cs.namespace(|| "x1"), || Ok(x1)).unwrap(); + let num_y1 = AllocatedNum::alloc(cs.namespace(|| "y1"), || Ok(y1)).unwrap(); let p1 = EdwardsPoint { x: num_x0, - y: num_y0 + y: num_y0, }; let p2 = EdwardsPoint { x: num_x1, - y: num_y1 + y: num_y1, }; let p3 = p1.add(cs.namespace(|| "addition"), &p2, params).unwrap(); @@ -1121,8 +994,8 @@ mod test { fn test_edwards_doubling() { let params = &JubjubBls12::new(); let rng = &mut XorShiftRng::from_seed([ - 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, - 0xe5, + 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, + 0xbc, 0xe5, ]); for _ in 0..100 { @@ -1134,16 +1007,12 @@ mod test { let mut cs = TestConstraintSystem::::new(); - let num_x0 = AllocatedNum::alloc(cs.namespace(|| "x0"), || { - Ok(x0) - }).unwrap(); - let num_y0 = AllocatedNum::alloc(cs.namespace(|| "y0"), || { - Ok(y0) - }).unwrap(); + let num_x0 = AllocatedNum::alloc(cs.namespace(|| "x0"), || Ok(x0)).unwrap(); + let num_y0 = AllocatedNum::alloc(cs.namespace(|| "y0"), || Ok(y0)).unwrap(); let p1 = EdwardsPoint { x: num_x0, - y: num_y0 + y: num_y0, }; let p2 = p1.double(cs.namespace(|| "doubling"), params).unwrap(); @@ -1159,8 +1028,8 @@ mod test { fn test_montgomery_addition() { let params = &JubjubBls12::new(); let rng = &mut XorShiftRng::from_seed([ - 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, - 0xe5, + 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, + 0xbc, 0xe5, ]); for _ in 0..100 { @@ -1190,28 +1059,20 @@ mod test { let mut cs = TestConstraintSystem::::new(); - let num_x0 = AllocatedNum::alloc(cs.namespace(|| "x0"), || { - Ok(x0) - }).unwrap(); - let num_y0 = AllocatedNum::alloc(cs.namespace(|| "y0"), || { - Ok(y0) - }).unwrap(); + let num_x0 = AllocatedNum::alloc(cs.namespace(|| "x0"), || Ok(x0)).unwrap(); + let num_y0 = AllocatedNum::alloc(cs.namespace(|| "y0"), || Ok(y0)).unwrap(); - let num_x1 = AllocatedNum::alloc(cs.namespace(|| "x1"), || { - Ok(x1) - }).unwrap(); - let num_y1 = AllocatedNum::alloc(cs.namespace(|| "y1"), || { - Ok(y1) - }).unwrap(); + let num_x1 = AllocatedNum::alloc(cs.namespace(|| "x1"), || Ok(x1)).unwrap(); + let num_y1 = AllocatedNum::alloc(cs.namespace(|| "y1"), || Ok(y1)).unwrap(); let p1 = MontgomeryPoint { x: num_x0.into(), - y: num_y0.into() + y: num_y0.into(), }; let p2 = MontgomeryPoint { x: num_x1.into(), - y: num_y1.into() + y: num_y1.into(), }; let p3 = p1.add(cs.namespace(|| "addition"), &p2, params).unwrap(); diff --git a/zcash_proofs/src/circuit/pedersen_hash.rs b/zcash_proofs/src/circuit/pedersen_hash.rs index 0b6759719..21c0bf596 100644 --- a/zcash_proofs/src/circuit/pedersen_hash.rs +++ b/zcash_proofs/src/circuit/pedersen_hash.rs @@ -1,17 +1,13 @@ -use super::ecc::{ - MontgomeryPoint, - EdwardsPoint -}; +use super::ecc::{EdwardsPoint, MontgomeryPoint}; use bellman::gadgets::boolean::Boolean; -use zcash_primitives::jubjub::*; -use bellman::{ - ConstraintSystem, SynthesisError -}; use bellman::gadgets::lookup::*; +use bellman::{ConstraintSystem, SynthesisError}; +use zcash_primitives::jubjub::*; pub use zcash_primitives::pedersen_hash::Personalization; fn get_constant_bools(person: &Personalization) -> Vec { - person.get_bits() + person + .get_bits() .into_iter() .map(|e| Boolean::constant(e)) .collect() @@ -21,9 +17,10 @@ pub fn pedersen_hash( mut cs: CS, personalization: Personalization, bits: &[Boolean], - params: &E::Params + params: &E::Params, ) -> Result, SynthesisError> - where CS: ConstraintSystem +where + CS: ConstraintSystem, { let personalization = get_constant_bools(&personalization); assert_eq!(personalization.len(), 6); @@ -36,8 +33,7 @@ pub fn pedersen_hash( let mut segment_i = 0; loop { let mut segment_result = None; - let mut segment_windows = &segment_generators.next() - .expect("enough segments")[..]; + let mut segment_windows = &segment_generators.next().expect("enough segments")[..]; let mut window_i = 0; while let Some(a) = bits.next() { @@ -47,7 +43,7 @@ pub fn pedersen_hash( let tmp = lookup3_xy_with_conditional_negation( cs.namespace(|| format!("segment {}, window {}", segment_i, window_i)), &[a.clone(), b.clone(), c.clone()], - &segment_windows[0] + &segment_windows[0], )?; let tmp = MontgomeryPoint::interpret_unchecked(tmp.0, tmp.1); @@ -55,12 +51,14 @@ pub fn pedersen_hash( match segment_result { None => { segment_result = Some(tmp); - }, + } Some(ref mut segment_result) => { *segment_result = tmp.add( - cs.namespace(|| format!("addition of segment {}, window {}", segment_i, window_i)), + cs.namespace(|| { + format!("addition of segment {}, window {}", segment_i, window_i) + }), segment_result, - params + params, )?; } } @@ -79,22 +77,24 @@ pub fn pedersen_hash( // Convert this segment into twisted Edwards form. let segment_result = segment_result.into_edwards( cs.namespace(|| format!("conversion of segment {} into edwards", segment_i)), - params + params, )?; match edwards_result { Some(ref mut edwards_result) => { *edwards_result = segment_result.add( - cs.namespace(|| format!("addition of segment {} to accumulator", segment_i)), + cs.namespace(|| { + format!("addition of segment {} to accumulator", segment_i) + }), edwards_result, - params + params, )?; - }, + } None => { edwards_result = Some(segment_result); } } - }, + } None => { // We didn't process any new bits. break; @@ -110,37 +110,44 @@ pub fn pedersen_hash( #[cfg(test)] mod test { use super::*; + use bellman::gadgets::boolean::{AllocatedBit, Boolean}; use bellman::gadgets::test::*; - use bellman::gadgets::boolean::{Boolean, AllocatedBit}; - use zcash_primitives::pedersen_hash; use ff::PrimeField; use pairing::bls12_381::{Bls12, Fr}; use rand_core::{RngCore, SeedableRng}; use rand_xorshift::XorShiftRng; + use zcash_primitives::pedersen_hash; #[test] fn test_pedersen_hash_constraints() { let mut rng = XorShiftRng::from_seed([ - 0x59, 0x62, 0xbe, 0x3d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, - 0xe5, + 0x59, 0x62, 0xbe, 0x3d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, + 0xbc, 0xe5, ]); let params = &JubjubBls12::new(); let mut cs = TestConstraintSystem::::new(); - let input: Vec = (0..(Fr::NUM_BITS * 2)).map(|_| rng.next_u32() % 2 != 0).collect(); + let input: Vec = (0..(Fr::NUM_BITS * 2)) + .map(|_| rng.next_u32() % 2 != 0) + .collect(); - let input_bools: Vec = input.iter().enumerate().map(|(i, b)| { - Boolean::from( - AllocatedBit::alloc(cs.namespace(|| format!("input {}", i)), Some(*b)).unwrap() - ) - }).collect(); + let input_bools: Vec = input + .iter() + .enumerate() + .map(|(i, b)| { + Boolean::from( + AllocatedBit::alloc(cs.namespace(|| format!("input {}", i)), Some(*b)).unwrap(), + ) + }) + .collect(); pedersen_hash( cs.namespace(|| "pedersen hash"), Personalization::NoteCommitment, &input_bools, - params - ).unwrap(); + params, + ) + .unwrap(); assert!(cs.is_satisfied()); assert_eq!(cs.num_constraints(), 1377); @@ -149,8 +156,8 @@ mod test { #[test] fn test_pedersen_hash() { let mut rng = XorShiftRng::from_seed([ - 0x59, 0x62, 0xbe, 0x3d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, - 0xe5, + 0x59, 0x62, 0xbe, 0x3d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, + 0xbc, 0xe5, ]); let params = &JubjubBls12::new(); @@ -160,26 +167,33 @@ mod test { let mut cs = TestConstraintSystem::::new(); - let input_bools: Vec = input.iter().enumerate().map(|(i, b)| { - Boolean::from( - AllocatedBit::alloc(cs.namespace(|| format!("input {}", i)), Some(*b)).unwrap() - ) - }).collect(); + let input_bools: Vec = input + .iter() + .enumerate() + .map(|(i, b)| { + Boolean::from( + AllocatedBit::alloc(cs.namespace(|| format!("input {}", i)), Some(*b)) + .unwrap(), + ) + }) + .collect(); let res = pedersen_hash( cs.namespace(|| "pedersen hash"), Personalization::MerkleTree(1), &input_bools, - params - ).unwrap(); + params, + ) + .unwrap(); assert!(cs.is_satisfied()); let expected = pedersen_hash::pedersen_hash::( Personalization::MerkleTree(1), input.clone().into_iter(), - params - ).into_xy(); + params, + ) + .into_xy(); assert_eq!(res.get_x().get_value().unwrap(), expected.0); assert_eq!(res.get_y().get_value().unwrap(), expected.1); @@ -188,8 +202,9 @@ mod test { let unexpected = pedersen_hash::pedersen_hash::( Personalization::MerkleTree(0), input.into_iter(), - params - ).into_xy(); + params, + ) + .into_xy(); assert!(res.get_x().get_value().unwrap() != unexpected.0); assert!(res.get_y().get_value().unwrap() != unexpected.1); diff --git a/zcash_proofs/src/circuit/sapling.rs b/zcash_proofs/src/circuit/sapling.rs index 1349c8cf8..0554ff4d9 100644 --- a/zcash_proofs/src/circuit/sapling.rs +++ b/zcash_proofs/src/circuit/sapling.rs @@ -1,31 +1,20 @@ use ff::{Field, PrimeField, PrimeFieldRepr}; -use bellman::{ - SynthesisError, - ConstraintSystem, - Circuit -}; +use bellman::{Circuit, ConstraintSystem, SynthesisError}; -use zcash_primitives::jubjub::{ - JubjubEngine, - FixedGenerators -}; +use zcash_primitives::jubjub::{FixedGenerators, JubjubEngine}; use zcash_primitives::constants; -use zcash_primitives::primitives::{ - ValueCommitment, - ProofGenerationKey, - PaymentAddress -}; +use zcash_primitives::primitives::{PaymentAddress, ProofGenerationKey, ValueCommitment}; -use bellman::gadgets::Assignment; -use bellman::gadgets::boolean; use super::ecc; use super::pedersen_hash; use bellman::gadgets::blake2s; -use bellman::gadgets::num; +use bellman::gadgets::boolean; use bellman::gadgets::multipack; +use bellman::gadgets::num; +use bellman::gadgets::Assignment; pub const TREE_DEPTH: usize = zcash_primitives::sapling::SAPLING_COMMITMENT_TREE_DEPTH; @@ -54,7 +43,7 @@ pub struct Spend<'a, E: JubjubEngine> { /// The anchor; the root of the tree. If the note being /// spent is zero-value, this can be anything. - pub anchor: Option + pub anchor: Option, } /// This is an output circuit instance. @@ -71,7 +60,7 @@ pub struct Output<'a, E: JubjubEngine> { pub commitment_randomness: Option, /// The ephemeral secret key for DH with recipient - pub esk: Option + pub esk: Option, } /// Exposes a Pedersen commitment to the value as an @@ -79,15 +68,16 @@ pub struct Output<'a, E: JubjubEngine> { fn expose_value_commitment( mut cs: CS, value_commitment: Option>, - params: &E::Params + params: &E::Params, ) -> Result, SynthesisError> - where E: JubjubEngine, - CS: ConstraintSystem +where + E: JubjubEngine, + CS: ConstraintSystem, { // Booleanize the value into little-endian bit order let value_bits = boolean::u64_into_boolean_vec_le( cs.namespace(|| "value"), - value_commitment.as_ref().map(|c| c.value) + value_commitment.as_ref().map(|c| c.value), )?; // Compute the note value in the exponent @@ -95,7 +85,7 @@ fn expose_value_commitment( cs.namespace(|| "compute the value in the exponent"), FixedGenerators::ValueCommitmentValue, &value_bits, - params + params, )?; // Booleanize the randomness. This does not ensure @@ -103,7 +93,7 @@ fn expose_value_commitment( // it doesn't matter for security. let rcv = boolean::field_into_boolean_vec_le( cs.namespace(|| "rcv"), - value_commitment.as_ref().map(|c| c.randomness) + value_commitment.as_ref().map(|c| c.randomness), )?; // Compute the randomness in the exponent @@ -111,15 +101,11 @@ fn expose_value_commitment( cs.namespace(|| "computation of rcv"), FixedGenerators::ValueCommitmentRandomness, &rcv, - params + params, )?; // Compute the Pedersen commitment to the value - let cv = value.add( - cs.namespace(|| "computation of cv"), - &rcv, - params - )?; + let cv = value.add(cs.namespace(|| "computation of cv"), &rcv, params)?; // Expose the commitment as an input to the circuit cv.inputize(cs.namespace(|| "commitment point"))?; @@ -128,43 +114,32 @@ fn expose_value_commitment( } impl<'a, E: JubjubEngine> Circuit for Spend<'a, E> { - fn synthesize>(self, cs: &mut CS) -> Result<(), SynthesisError> - { + fn synthesize>(self, cs: &mut CS) -> Result<(), SynthesisError> { // Prover witnesses ak (ensures that it's on the curve) let ak = ecc::EdwardsPoint::witness( cs.namespace(|| "ak"), self.proof_generation_key.as_ref().map(|k| k.ak.clone()), - self.params + self.params, )?; // There are no sensible attacks on small order points // of ak (that we're aware of!) but it's a cheap check, // so we do it. - ak.assert_not_small_order( - cs.namespace(|| "ak not small order"), - self.params - )?; + ak.assert_not_small_order(cs.namespace(|| "ak not small order"), self.params)?; // Rerandomize ak and expose it as an input to the circuit { - let ar = boolean::field_into_boolean_vec_le( - cs.namespace(|| "ar"), - self.ar - )?; + let ar = boolean::field_into_boolean_vec_le(cs.namespace(|| "ar"), self.ar)?; // Compute the randomness in the exponent let ar = ecc::fixed_base_multiplication( cs.namespace(|| "computation of randomization for the signing key"), FixedGenerators::SpendingKeyGenerator, &ar, - self.params + self.params, )?; - let rk = ak.add( - cs.namespace(|| "computation of rk"), - &ar, - self.params - )?; + let rk = ak.add(cs.namespace(|| "computation of rk"), &ar, self.params)?; rk.inputize(cs.namespace(|| "rk"))?; } @@ -175,7 +150,7 @@ impl<'a, E: JubjubEngine> Circuit for Spend<'a, E> { // Witness nsk as bits let nsk = boolean::field_into_boolean_vec_le( cs.namespace(|| "nsk"), - self.proof_generation_key.as_ref().map(|k| k.nsk.clone()) + self.proof_generation_key.as_ref().map(|k| k.nsk.clone()), )?; // NB: We don't ensure that the bit representation of nsk @@ -188,7 +163,7 @@ impl<'a, E: JubjubEngine> Circuit for Spend<'a, E> { cs.namespace(|| "computation of nk"), FixedGenerators::ProofGenerationKey, &nsk, - self.params + self.params, )?; } @@ -196,9 +171,7 @@ impl<'a, E: JubjubEngine> Circuit for Spend<'a, E> { let mut ivk_preimage = vec![]; // Place ak in the preimage for CRH^ivk - ivk_preimage.extend( - ak.repr(cs.namespace(|| "representation of ak"))? - ); + ivk_preimage.extend(ak.repr(cs.namespace(|| "representation of ak"))?); // This is the nullifier preimage for PRF^nf let mut nf_preimage = vec![]; @@ -206,9 +179,7 @@ impl<'a, E: JubjubEngine> Circuit for Spend<'a, E> { // Extend ivk and nf preimages with the representation of // nk. { - let repr_nk = nk.repr( - cs.namespace(|| "representation of nk") - )?; + let repr_nk = nk.repr(cs.namespace(|| "representation of nk"))?; ivk_preimage.extend(repr_nk.iter().cloned()); nf_preimage.extend(repr_nk); @@ -221,7 +192,7 @@ impl<'a, E: JubjubEngine> Circuit for Spend<'a, E> { let mut ivk = blake2s::blake2s( cs.namespace(|| "computation of ivk"), &ivk_preimage, - constants::CRH_IVK_PERSONALIZATION + constants::CRH_IVK_PERSONALIZATION, )?; // drop_5 to ensure it's in the field @@ -239,7 +210,7 @@ impl<'a, E: JubjubEngine> Circuit for Spend<'a, E> { ecc::EdwardsPoint::witness( cs.namespace(|| "witness g_d"), self.payment_address.as_ref().and_then(|a| a.g_d(params)), - self.params + self.params, )? }; @@ -247,17 +218,10 @@ impl<'a, E: JubjubEngine> Circuit for Spend<'a, E> { // is already done in the Output circuit, and this proof ensures // g_d is bound to a product of that check, but for defense in // depth let's check it anyway. It's cheap. - g_d.assert_not_small_order( - cs.namespace(|| "g_d not small order"), - self.params - )?; + g_d.assert_not_small_order(cs.namespace(|| "g_d not small order"), self.params)?; // Compute pk_d = g_d^ivk - let pk_d = g_d.mul( - cs.namespace(|| "compute pk_d"), - &ivk, - self.params - )?; + let pk_d = g_d.mul(cs.namespace(|| "compute pk_d"), &ivk, self.params)?; // Compute note contents: // value (in big endian) followed by g_d and pk_d @@ -271,18 +235,14 @@ impl<'a, E: JubjubEngine> Circuit for Spend<'a, E> { let value_bits = expose_value_commitment( cs.namespace(|| "value commitment"), self.value_commitment, - self.params + self.params, )?; // Compute the note's value as a linear combination // of the bits. let mut coeff = E::Fr::one(); for bit in &value_bits { - value_num = value_num.add_bool_with_coeff( - CS::one(), - bit, - coeff - ); + value_num = value_num.add_bool_with_coeff(CS::one(), bit, coeff); coeff.double(); } @@ -291,14 +251,10 @@ impl<'a, E: JubjubEngine> Circuit for Spend<'a, E> { } // Place g_d in the note - note_contents.extend( - g_d.repr(cs.namespace(|| "representation of g_d"))? - ); + note_contents.extend(g_d.repr(cs.namespace(|| "representation of g_d"))?); // Place pk_d in the note - note_contents.extend( - pk_d.repr(cs.namespace(|| "representation of pk_d"))? - ); + note_contents.extend(pk_d.repr(cs.namespace(|| "representation of pk_d"))?); assert_eq!( note_contents.len(), @@ -312,14 +268,14 @@ impl<'a, E: JubjubEngine> Circuit for Spend<'a, E> { cs.namespace(|| "note content hash"), pedersen_hash::Personalization::NoteCommitment, ¬e_contents, - self.params + self.params, )?; { // Booleanize the randomness for the note commitment let rcm = boolean::field_into_boolean_vec_le( cs.namespace(|| "rcm"), - self.commitment_randomness + self.commitment_randomness, )?; // Compute the note commitment randomness in the exponent @@ -327,7 +283,7 @@ impl<'a, E: JubjubEngine> Circuit for Spend<'a, E> { cs.namespace(|| "computation of commitment randomness"), FixedGenerators::NoteCommitmentRandomness, &rcm, - self.params + self.params, )?; // Randomize the note commitment. Pedersen hashes are not @@ -335,7 +291,7 @@ impl<'a, E: JubjubEngine> Circuit for Spend<'a, E> { cm = cm.add( cs.namespace(|| "randomization of note commitment"), &rcm, - self.params + self.params, )?; } @@ -356,7 +312,7 @@ impl<'a, E: JubjubEngine> Circuit for Spend<'a, E> { // depth of the tree. let cur_is_right = boolean::Boolean::from(boolean::AllocatedBit::alloc( cs.namespace(|| "position bit"), - e.map(|e| e.1) + e.map(|e| e.1), )?); // Push this boolean for nullifier computation later @@ -364,19 +320,15 @@ impl<'a, E: JubjubEngine> Circuit for Spend<'a, E> { // Witness the authentication path element adjacent // at this depth. - let path_element = num::AllocatedNum::alloc( - cs.namespace(|| "path element"), - || { - Ok(e.get()?.0) - } - )?; + let path_element = + num::AllocatedNum::alloc(cs.namespace(|| "path element"), || Ok(e.get()?.0))?; // Swap the two if the current subtree is on the right let (xl, xr) = num::AllocatedNum::conditionally_reverse( cs.namespace(|| "conditional reversal of preimage"), &cur, &path_element, - &cur_is_right + &cur_is_right, )?; // We don't need to be strict, because the function is @@ -392,20 +344,19 @@ impl<'a, E: JubjubEngine> Circuit for Spend<'a, E> { cs.namespace(|| "computation of pedersen hash"), pedersen_hash::Personalization::MerkleTree(i), &preimage, - self.params - )?.get_x().clone(); // Injective encoding + self.params, + )? + .get_x() + .clone(); // Injective encoding } { let real_anchor_value = self.anchor; // Allocate the "real" anchor that will be exposed. - let rt = num::AllocatedNum::alloc( - cs.namespace(|| "conditional anchor"), - || { - Ok(*real_anchor_value.get()?) - } - )?; + let rt = num::AllocatedNum::alloc(cs.namespace(|| "conditional anchor"), || { + Ok(*real_anchor_value.get()?) + })?; // (cur - rt) * value = 0 // if value is zero, cur and rt can be different @@ -414,7 +365,7 @@ impl<'a, E: JubjubEngine> Circuit for Spend<'a, E> { || "conditionally enforce correct root", |lc| lc + cur.get_variable() - rt.get_variable(), |lc| lc + &value_num.lc(E::Fr::one()), - |lc| lc + |lc| lc, ); // Expose the anchor @@ -430,29 +381,27 @@ impl<'a, E: JubjubEngine> Circuit for Spend<'a, E> { cs.namespace(|| "g^position"), FixedGenerators::NullifierPosition, &position_bits, - self.params + self.params, )?; // Add the position to the commitment rho = rho.add( cs.namespace(|| "faerie gold prevention"), &position, - self.params + self.params, )?; } - + // Let's compute nf = BLAKE2s(nk || rho) - nf_preimage.extend( - rho.repr(cs.namespace(|| "representation of rho"))? - ); + nf_preimage.extend(rho.repr(cs.namespace(|| "representation of rho"))?); assert_eq!(nf_preimage.len(), 512); - + // Compute nf let nf = blake2s::blake2s( cs.namespace(|| "nf computation"), &nf_preimage, - constants::PRF_NF_PERSONALIZATION + constants::PRF_NF_PERSONALIZATION, )?; multipack::pack_into_inputs(cs.namespace(|| "pack nullifier"), &nf) @@ -460,8 +409,7 @@ impl<'a, E: JubjubEngine> Circuit for Spend<'a, E> { } impl<'a, E: JubjubEngine> Circuit for Output<'a, E> { - fn synthesize>(self, cs: &mut CS) -> Result<(), SynthesisError> - { + fn synthesize>(self, cs: &mut CS) -> Result<(), SynthesisError> { // Let's start to construct our note, which contains // value (big endian) let mut note_contents = vec![]; @@ -471,7 +419,7 @@ impl<'a, E: JubjubEngine> Circuit for Output<'a, E> { note_contents.extend(expose_value_commitment( cs.namespace(|| "value commitment"), self.value_commitment, - self.params + self.params, )?); // Let's deal with g_d @@ -483,7 +431,7 @@ impl<'a, E: JubjubEngine> Circuit for Output<'a, E> { let g_d = ecc::EdwardsPoint::witness( cs.namespace(|| "witness g_d"), self.payment_address.as_ref().and_then(|a| a.g_d(params)), - self.params + self.params, )?; // g_d is ensured to be large order. The relationship @@ -495,29 +443,17 @@ impl<'a, E: JubjubEngine> Circuit for Output<'a, E> { // // Further, if it were small order, epk would be // small order too! - g_d.assert_not_small_order( - cs.namespace(|| "g_d not small order"), - self.params - )?; + g_d.assert_not_small_order(cs.namespace(|| "g_d not small order"), self.params)?; // Extend our note contents with the representation of // g_d. - note_contents.extend( - g_d.repr(cs.namespace(|| "representation of g_d"))? - ); + note_contents.extend(g_d.repr(cs.namespace(|| "representation of g_d"))?); // Booleanize our ephemeral secret key - let esk = boolean::field_into_boolean_vec_le( - cs.namespace(|| "esk"), - self.esk - )?; + let esk = boolean::field_into_boolean_vec_le(cs.namespace(|| "esk"), self.esk)?; // Create the ephemeral public key from g_d. - let epk = g_d.mul( - cs.namespace(|| "epk computation"), - &esk, - self.params - )?; + let epk = g_d.mul(cs.namespace(|| "epk computation"), &esk, self.params)?; // Expose epk publicly. epk.inputize(cs.namespace(|| "epk"))?; @@ -534,13 +470,13 @@ impl<'a, E: JubjubEngine> Circuit for Output<'a, E> { // endian bits (to match the representation) let y_contents = boolean::field_into_boolean_vec_le( cs.namespace(|| "pk_d bits of y"), - pk_d.map(|e| e.1) + pk_d.map(|e| e.1), )?; // Witness the sign bit let sign_bit = boolean::Boolean::from(boolean::AllocatedBit::alloc( cs.namespace(|| "pk_d bit of x"), - pk_d.map(|e| e.0.into_repr().is_odd()) + pk_d.map(|e| e.0.into_repr().is_odd()), )?); // Extend the note with pk_d representation @@ -560,14 +496,14 @@ impl<'a, E: JubjubEngine> Circuit for Output<'a, E> { cs.namespace(|| "note content hash"), pedersen_hash::Personalization::NoteCommitment, ¬e_contents, - self.params + self.params, )?; { // Booleanize the randomness let rcm = boolean::field_into_boolean_vec_le( cs.namespace(|| "rcm"), - self.commitment_randomness + self.commitment_randomness, )?; // Compute the note commitment randomness in the exponent @@ -575,14 +511,14 @@ impl<'a, E: JubjubEngine> Circuit for Output<'a, E> { cs.namespace(|| "computation of commitment randomness"), FixedGenerators::NoteCommitmentRandomness, &rcm, - self.params + self.params, )?; // Randomize our note commitment cm = cm.add( cs.namespace(|| "randomization of note commitment"), &rcm, - self.params + self.params, )?; } @@ -604,7 +540,7 @@ fn test_input_circuit_with_bls12_381() { use rand_core::{RngCore, SeedableRng}; use rand_xorshift::XorShiftRng; use zcash_primitives::{ - jubjub::{JubjubBls12, fs, edwards}, + jubjub::{edwards, fs, JubjubBls12}, pedersen_hash, primitives::{Diversifier, Note, ProofGenerationKey}, }; @@ -628,7 +564,7 @@ fn test_input_circuit_with_bls12_381() { let proof_generation_key = ProofGenerationKey { ak: ak.clone(), - nsk: nsk.clone() + nsk: nsk.clone(), }; let viewing_key = proof_generation_key.into_viewing_key(params); @@ -642,11 +578,7 @@ fn test_input_circuit_with_bls12_381() { Diversifier(d) }; - if let Some(p) = viewing_key.into_payment_address( - diversifier, - params - ) - { + if let Some(p) = viewing_key.into_payment_address(diversifier, params) { payment_address = p; break; } @@ -664,15 +596,14 @@ fn test_input_circuit_with_bls12_381() { value: value_commitment.value, g_d: g_d.clone(), pk_d: payment_address.pk_d.clone(), - r: commitment_randomness.clone() + r: commitment_randomness.clone(), }; let mut position = 0u64; let cm: Fr = note.cm(params); let mut cur = cm.clone(); - for (i, val) in auth_path.clone().into_iter().enumerate() - { + for (i, val) in auth_path.clone().into_iter().enumerate() { let (uncle, b) = val.unwrap(); let mut lhs = cur; @@ -691,10 +622,12 @@ fn test_input_circuit_with_bls12_381() { cur = pedersen_hash::pedersen_hash::( pedersen_hash::Personalization::MerkleTree(i), lhs.into_iter() - .take(Fr::NUM_BITS as usize) - .chain(rhs.into_iter().take(Fr::NUM_BITS as usize)), - params - ).into_xy().0; + .take(Fr::NUM_BITS as usize) + .chain(rhs.into_iter().take(Fr::NUM_BITS as usize)), + params, + ) + .into_xy() + .0; if b { position |= 1 << i; @@ -716,14 +649,17 @@ fn test_input_circuit_with_bls12_381() { commitment_randomness: Some(commitment_randomness), ar: Some(ar), auth_path: auth_path.clone(), - anchor: Some(cur) + anchor: Some(cur), }; instance.synthesize(&mut cs).unwrap(); assert!(cs.is_satisfied()); assert_eq!(cs.num_constraints(), 98777); - assert_eq!(cs.hash(), "d37c738e83df5d9b0bb6495ac96abf21bcb2697477e2c15c2c7916ff7a3b6a89"); + assert_eq!( + cs.hash(), + "d37c738e83df5d9b0bb6495ac96abf21bcb2697477e2c15c2c7916ff7a3b6a89" + ); assert_eq!(cs.get("randomization of note commitment/x3/num"), cm); @@ -731,8 +667,14 @@ fn test_input_circuit_with_bls12_381() { assert_eq!(cs.get_input(0, "ONE"), Fr::one()); assert_eq!(cs.get_input(1, "rk/x/input variable"), rk.0); assert_eq!(cs.get_input(2, "rk/y/input variable"), rk.1); - assert_eq!(cs.get_input(3, "value commitment/commitment point/x/input variable"), expected_value_cm.0); - assert_eq!(cs.get_input(4, "value commitment/commitment point/y/input variable"), expected_value_cm.1); + assert_eq!( + cs.get_input(3, "value commitment/commitment point/x/input variable"), + expected_value_cm.0 + ); + assert_eq!( + cs.get_input(4, "value commitment/commitment point/y/input variable"), + expected_value_cm.1 + ); assert_eq!(cs.get_input(5, "anchor/input variable"), cur); assert_eq!(cs.get_input(6, "pack nullifier/input 0"), expected_nf[0]); assert_eq!(cs.get_input(7, "pack nullifier/input 1"), expected_nf[1]); @@ -748,7 +690,7 @@ fn test_output_circuit_with_bls12_381() { use rand_core::{RngCore, SeedableRng}; use rand_xorshift::XorShiftRng; use zcash_primitives::{ - jubjub::{JubjubBls12, fs, edwards}, + jubjub::{edwards, fs, JubjubBls12}, primitives::{Diversifier, ProofGenerationKey}, }; @@ -769,7 +711,7 @@ fn test_output_circuit_with_bls12_381() { let proof_generation_key = ProofGenerationKey { ak: ak.clone(), - nsk: nsk.clone() + nsk: nsk.clone(), }; let viewing_key = proof_generation_key.into_viewing_key(params); @@ -783,11 +725,7 @@ fn test_output_circuit_with_bls12_381() { Diversifier(d) }; - if let Some(p) = viewing_key.into_payment_address( - diversifier, - params - ) - { + if let Some(p) = viewing_key.into_payment_address(diversifier, params) { payment_address = p; break; } @@ -804,30 +742,41 @@ fn test_output_circuit_with_bls12_381() { value_commitment: Some(value_commitment.clone()), payment_address: Some(payment_address.clone()), commitment_randomness: Some(commitment_randomness), - esk: Some(esk.clone()) + esk: Some(esk.clone()), }; instance.synthesize(&mut cs).unwrap(); assert!(cs.is_satisfied()); assert_eq!(cs.num_constraints(), 7827); - assert_eq!(cs.hash(), "c26d5cdfe6ccd65c03390902c02e11393ea6bb96aae32a7f2ecb12eb9103faee"); + assert_eq!( + cs.hash(), + "c26d5cdfe6ccd65c03390902c02e11393ea6bb96aae32a7f2ecb12eb9103faee" + ); - let expected_cm = payment_address.create_note( - value_commitment.value, - commitment_randomness, - params - ).expect("should be valid").cm(params); + let expected_cm = payment_address + .create_note(value_commitment.value, commitment_randomness, params) + .expect("should be valid") + .cm(params); let expected_value_cm = value_commitment.cm(params).into_xy(); - let expected_epk = payment_address.g_d(params).expect("should be valid").mul(esk, params); + let expected_epk = payment_address + .g_d(params) + .expect("should be valid") + .mul(esk, params); let expected_epk_xy = expected_epk.into_xy(); assert_eq!(cs.num_inputs(), 6); assert_eq!(cs.get_input(0, "ONE"), Fr::one()); - assert_eq!(cs.get_input(1, "value commitment/commitment point/x/input variable"), expected_value_cm.0); - assert_eq!(cs.get_input(2, "value commitment/commitment point/y/input variable"), expected_value_cm.1); + assert_eq!( + cs.get_input(1, "value commitment/commitment point/x/input variable"), + expected_value_cm.0 + ); + assert_eq!( + cs.get_input(2, "value commitment/commitment point/y/input variable"), + expected_value_cm.1 + ); assert_eq!(cs.get_input(3, "epk/x/input variable"), expected_epk_xy.0); assert_eq!(cs.get_input(4, "epk/y/input variable"), expected_epk_xy.1); assert_eq!(cs.get_input(5, "commitment/input variable"), expected_cm); diff --git a/zcash_proofs/src/circuit/sprout/commitment.rs b/zcash_proofs/src/circuit/sprout/commitment.rs index ba889a383..fba121738 100644 --- a/zcash_proofs/src/circuit/sprout/commitment.rs +++ b/zcash_proofs/src/circuit/sprout/commitment.rs @@ -1,20 +1,18 @@ -use pairing::{Engine}; +use bellman::gadgets::boolean::Boolean; +use bellman::gadgets::sha256::sha256; use bellman::{ConstraintSystem, SynthesisError}; -use bellman::gadgets::sha256::{ - sha256 -}; -use bellman::gadgets::boolean::{ - Boolean -}; +use pairing::Engine; pub fn note_comm( cs: CS, a_pk: &[Boolean], value: &[Boolean], rho: &[Boolean], - r: &[Boolean] + r: &[Boolean], ) -> Result, SynthesisError> - where E: Engine, CS: ConstraintSystem +where + E: Engine, + CS: ConstraintSystem, { assert_eq!(a_pk.len(), 256); assert_eq!(value.len(), 64); @@ -35,8 +33,5 @@ pub fn note_comm( image.extend(rho.iter().cloned()); image.extend(r.iter().cloned()); - sha256( - cs, - &image - ) + sha256(cs, &image) } diff --git a/zcash_proofs/src/circuit/sprout/input.rs b/zcash_proofs/src/circuit/sprout/input.rs index a84e3a634..ad6091f09 100644 --- a/zcash_proofs/src/circuit/sprout/input.rs +++ b/zcash_proofs/src/circuit/sprout/input.rs @@ -1,16 +1,11 @@ -use pairing::{Engine}; +use bellman::gadgets::boolean::{AllocatedBit, Boolean}; +use bellman::gadgets::sha256::sha256_block_no_padding; use bellman::{ConstraintSystem, SynthesisError}; -use bellman::gadgets::sha256::{ - sha256_block_no_padding -}; -use bellman::gadgets::boolean::{ - AllocatedBit, - Boolean -}; +use pairing::Engine; -use super::*; -use super::prfs::*; use super::commitment::note_comm; +use super::prfs::*; +use super::*; pub struct InputNote { pub nf: Vec, @@ -27,49 +22,33 @@ impl InputNote { h_sig: &[Boolean], nonce: bool, auth_path: [Option<([u8; 32], bool)>; TREE_DEPTH], - rt: &[Boolean] + rt: &[Boolean], ) -> Result - where E: Engine, CS: ConstraintSystem + where + E: Engine, + CS: ConstraintSystem, { let a_sk = witness_u252( cs.namespace(|| "a_sk"), - a_sk.as_ref().map(|a_sk| &a_sk.0[..]) + a_sk.as_ref().map(|a_sk| &a_sk.0[..]), )?; - let rho = witness_u256( - cs.namespace(|| "rho"), - rho.as_ref().map(|rho| &rho.0[..]) - )?; + let rho = witness_u256(cs.namespace(|| "rho"), rho.as_ref().map(|rho| &rho.0[..]))?; - let r = witness_u256( - cs.namespace(|| "r"), - r.as_ref().map(|r| &r.0[..]) - )?; + let r = witness_u256(cs.namespace(|| "r"), r.as_ref().map(|r| &r.0[..]))?; - let a_pk = prf_a_pk( - cs.namespace(|| "a_pk computation"), - &a_sk - )?; + let a_pk = prf_a_pk(cs.namespace(|| "a_pk computation"), &a_sk)?; - let nf = prf_nf( - cs.namespace(|| "nf computation"), - &a_sk, - &rho - )?; + let nf = prf_nf(cs.namespace(|| "nf computation"), &a_sk, &rho)?; - let mac = prf_pk( - cs.namespace(|| "mac computation"), - &a_sk, - h_sig, - nonce - )?; + let mac = prf_pk(cs.namespace(|| "mac computation"), &a_sk, h_sig, nonce)?; let cm = note_comm( cs.namespace(|| "cm computation"), &a_pk, &value.bits_le(), &rho, - &r + &r, )?; // Witness into the merkle tree @@ -80,13 +59,13 @@ impl InputNote { let cur_is_right = AllocatedBit::alloc( cs.namespace(|| "cur is right"), - layer.as_ref().map(|&(_, p)| p) + layer.as_ref().map(|&(_, p)| p), )?; let lhs = cur; let rhs = witness_u256( cs.namespace(|| "sibling"), - layer.as_ref().map(|&(ref sibling, _)| &sibling[..]) + layer.as_ref().map(|&(ref sibling, _)| &sibling[..]), )?; // Conditionally swap if cur is right @@ -94,19 +73,16 @@ impl InputNote { cs.namespace(|| "conditional swap"), &lhs[..], &rhs[..], - &cur_is_right + &cur_is_right, )?; - cur = sha256_block_no_padding( - cs.namespace(|| "hash of this layer"), - &preimage - )?; + cur = sha256_block_no_padding(cs.namespace(|| "hash of this layer"), &preimage)?; } // enforce must be true if the value is nonzero let enforce = AllocatedBit::alloc( cs.namespace(|| "enforce"), - value.get_value().map(|n| n != 0) + value.get_value().map(|n| n != 0), )?; // value * (1 - enforce) = 0 @@ -116,7 +92,7 @@ impl InputNote { || "enforce validity", |_| value.lc(), |lc| lc + CS::one() - enforce.get_variable(), - |lc| lc + |lc| lc, ); assert_eq!(cur.len(), rt.len()); @@ -132,14 +108,11 @@ impl InputNote { || format!("conditionally enforce correct root for bit {}", i), |_| cur.lc(CS::one(), E::Fr::one()) - &rt.lc(CS::one(), E::Fr::one()), |lc| lc + enforce.get_variable(), - |lc| lc + |lc| lc, ); } - Ok(InputNote { - mac: mac, - nf: nf - }) + Ok(InputNote { mac: mac, nf: nf }) } } @@ -149,9 +122,11 @@ pub fn conditionally_swap_u256( mut cs: CS, lhs: &[Boolean], rhs: &[Boolean], - condition: &AllocatedBit + condition: &AllocatedBit, ) -> Result, SynthesisError> - where E: Engine, CS: ConstraintSystem, +where + E: Engine, + CS: ConstraintSystem, { assert_eq!(lhs.len(), 256); assert_eq!(rhs.len(), 256); @@ -164,13 +139,9 @@ pub fn conditionally_swap_u256( let x = Boolean::from(AllocatedBit::alloc( cs.namespace(|| "x"), - condition.get_value().and_then(|v| { - if v { - rhs.get_value() - } else { - lhs.get_value() - } - }) + condition + .get_value() + .and_then(|v| if v { rhs.get_value() } else { lhs.get_value() }), )?); // x = (1-condition)lhs + (condition)rhs @@ -184,33 +155,25 @@ pub fn conditionally_swap_u256( // x = rhs cs.enforce( || "conditional swap for x", - |lc| lc + &rhs.lc(CS::one(), E::Fr::one()) - - &lhs.lc(CS::one(), E::Fr::one()), + |lc| lc + &rhs.lc(CS::one(), E::Fr::one()) - &lhs.lc(CS::one(), E::Fr::one()), |lc| lc + condition.get_variable(), - |lc| lc + &x.lc(CS::one(), E::Fr::one()) - - &lhs.lc(CS::one(), E::Fr::one()) + |lc| lc + &x.lc(CS::one(), E::Fr::one()) - &lhs.lc(CS::one(), E::Fr::one()), ); let y = Boolean::from(AllocatedBit::alloc( cs.namespace(|| "y"), - condition.get_value().and_then(|v| { - if v { - lhs.get_value() - } else { - rhs.get_value() - } - }) + condition + .get_value() + .and_then(|v| if v { lhs.get_value() } else { rhs.get_value() }), )?); // y = (1-condition)rhs + (condition)lhs // y - rhs = condition (lhs - rhs) cs.enforce( || "conditional swap for y", - |lc| lc + &lhs.lc(CS::one(), E::Fr::one()) - - &rhs.lc(CS::one(), E::Fr::one()), + |lc| lc + &lhs.lc(CS::one(), E::Fr::one()) - &rhs.lc(CS::one(), E::Fr::one()), |lc| lc + condition.get_variable(), - |lc| lc + &y.lc(CS::one(), E::Fr::one()) - - &rhs.lc(CS::one(), E::Fr::one()) + |lc| lc + &y.lc(CS::one(), E::Fr::one()) - &rhs.lc(CS::one(), E::Fr::one()), ); new_lhs.push(x); diff --git a/zcash_proofs/src/circuit/sprout/mod.rs b/zcash_proofs/src/circuit/sprout/mod.rs index c28b8d7eb..358e1bbe8 100644 --- a/zcash_proofs/src/circuit/sprout/mod.rs +++ b/zcash_proofs/src/circuit/sprout/mod.rs @@ -1,16 +1,13 @@ +use bellman::gadgets::boolean::{AllocatedBit, Boolean}; +use bellman::gadgets::multipack::pack_into_inputs; +use bellman::{Circuit, ConstraintSystem, LinearCombination, SynthesisError}; use ff::Field; use pairing::Engine; -use bellman::{ConstraintSystem, SynthesisError, Circuit, LinearCombination}; -use bellman::gadgets::boolean::{ - AllocatedBit, - Boolean -}; -use bellman::gadgets::multipack::pack_into_inputs; -mod prfs; mod commitment; mod input; mod output; +mod prfs; use self::input::*; use self::output::*; @@ -37,39 +34,29 @@ pub struct JSInput { pub a_sk: Option, pub rho: Option, pub r: Option, - pub auth_path: [Option<([u8; 32], bool)>; TREE_DEPTH] + pub auth_path: [Option<([u8; 32], bool)>; TREE_DEPTH], } pub struct JSOutput { pub value: Option, pub a_pk: Option, - pub r: Option + pub r: Option, } impl Circuit for JoinSplit { - fn synthesize>( - self, - cs: &mut CS - ) -> Result<(), SynthesisError> - { + fn synthesize>(self, cs: &mut CS) -> Result<(), SynthesisError> { assert_eq!(self.inputs.len(), 2); assert_eq!(self.outputs.len(), 2); // vpub_old is the value entering the // JoinSplit from the "outside" value // pool - let vpub_old = NoteValue::new( - cs.namespace(|| "vpub_old"), - self.vpub_old - )?; + let vpub_old = NoteValue::new(cs.namespace(|| "vpub_old"), self.vpub_old)?; // vpub_new is the value leaving the // JoinSplit into the "outside" value // pool - let vpub_new = NoteValue::new( - cs.namespace(|| "vpub_new"), - self.vpub_new - )?; + let vpub_new = NoteValue::new(cs.namespace(|| "vpub_new"), self.vpub_new)?; // The left hand side of the balance equation // vpub_old + inputs[0].value + inputs[1].value @@ -80,22 +67,17 @@ impl Circuit for JoinSplit { let mut rhs = vpub_new.lc(); // Witness rt (merkle tree root) - let rt = witness_u256( - cs.namespace(|| "rt"), - self.rt.as_ref().map(|v| &v[..]) - ).unwrap(); + let rt = witness_u256(cs.namespace(|| "rt"), self.rt.as_ref().map(|v| &v[..])).unwrap(); // Witness h_sig let h_sig = witness_u256( cs.namespace(|| "h_sig"), - self.h_sig.as_ref().map(|v| &v[..]) - ).unwrap(); + self.h_sig.as_ref().map(|v| &v[..]), + ) + .unwrap(); // Witness phi - let phi = witness_u252( - cs.namespace(|| "phi"), - self.phi.as_ref().map(|v| &v[..]) - ).unwrap(); + let phi = witness_u252(cs.namespace(|| "phi"), self.phi.as_ref().map(|v| &v[..])).unwrap(); let mut input_notes = vec![]; let mut lhs_total = self.vpub_old; @@ -110,17 +92,14 @@ impl Circuit for JoinSplit { } // Allocate the value of the note - let value = NoteValue::new( - cs.namespace(|| "value"), - input.value - )?; + let value = NoteValue::new(cs.namespace(|| "value"), input.value)?; // Compute the nonce (for PRF inputs) which is false // for the first input, and true for the second input. let nonce = match i { 0 => false, 1 => true, - _ => unreachable!() + _ => unreachable!(), }; // Perform input note computations @@ -133,7 +112,7 @@ impl Circuit for JoinSplit { &h_sig, nonce, input.auth_path, - &rt + &rt, )?); // Add the note value to the left hand side of @@ -148,10 +127,8 @@ impl Circuit for JoinSplit { { // Expected sum of the left hand side of the balance // equation, expressed as a 64-bit unsigned integer - let lhs_total = NoteValue::new( - cs.namespace(|| "total value of left hand side"), - lhs_total - )?; + let lhs_total = + NoteValue::new(cs.namespace(|| "total value of left hand side"), lhs_total)?; // Enforce that the left hand side can be expressed as a 64-bit // integer @@ -159,7 +136,7 @@ impl Circuit for JoinSplit { || "left hand side can be expressed as a 64-bit unsigned integer", |_| lhs.clone(), |lc| lc + CS::one(), - |_| lhs_total.lc() + |_| lhs_total.lc(), ); } @@ -169,17 +146,14 @@ impl Circuit for JoinSplit { for (i, output) in self.outputs.into_iter().enumerate() { let cs = &mut cs.namespace(|| format!("output {}", i)); - let value = NoteValue::new( - cs.namespace(|| "value"), - output.value - )?; + let value = NoteValue::new(cs.namespace(|| "value"), output.value)?; // Compute the nonce (for PRF inputs) which is false // for the first output, and true for the second output. let nonce = match i { 0 => false, 1 => true, - _ => unreachable!() + _ => unreachable!(), }; // Perform output note computations @@ -190,7 +164,7 @@ impl Circuit for JoinSplit { output.r, &phi, &h_sig, - nonce + nonce, )?); // Add the note value to the right hand side of @@ -203,7 +177,7 @@ impl Circuit for JoinSplit { || "balance equation", |_| lhs.clone(), |lc| lc + CS::one(), - |_| rhs + |_| rhs, ); let mut public_inputs = vec![]; @@ -229,15 +203,14 @@ impl Circuit for JoinSplit { pub struct NoteValue { value: Option, // Least significant digit first - bits: Vec + bits: Vec, } impl NoteValue { - fn new( - mut cs: CS, - value: Option - ) -> Result - where E: Engine, CS: ConstraintSystem, + fn new(mut cs: CS, value: Option) -> Result + where + E: Engine, + CS: ConstraintSystem, { let mut values; match value { @@ -247,7 +220,7 @@ impl NoteValue { values.push(Some(val & 1 == 1)); val >>= 1; } - }, + } None => { values = vec![None; 64]; } @@ -255,28 +228,27 @@ impl NoteValue { let mut bits = vec![]; for (i, value) in values.into_iter().enumerate() { - bits.push( - AllocatedBit::alloc( - cs.namespace(|| format!("bit {}", i)), - value - )? - ); + bits.push(AllocatedBit::alloc( + cs.namespace(|| format!("bit {}", i)), + value, + )?); } Ok(NoteValue { value: value, - bits: bits + bits: bits, }) } /// Encodes the bits of the value into little-endian /// byte order. fn bits_le(&self) -> Vec { - self.bits.chunks(8) - .flat_map(|v| v.iter().rev()) - .cloned() - .map(|e| Boolean::from(e)) - .collect() + self.bits + .chunks(8) + .flat_map(|v| v.iter().rev()) + .cloned() + .map(|e| Boolean::from(e)) + .collect() } /// Computes this value as a linear combination of @@ -304,15 +276,18 @@ fn witness_bits( mut cs: CS, value: Option<&[u8]>, num_bits: usize, - skip_bits: usize + skip_bits: usize, ) -> Result, SynthesisError> - where E: Engine, CS: ConstraintSystem, +where + E: Engine, + CS: ConstraintSystem, { let bit_values = if let Some(value) = value { let mut tmp = vec![]; - for b in value.iter() - .flat_map(|&m| (0..8).rev().map(move |i| m >> i & 1 == 1)) - .skip(skip_bits) + for b in value + .iter() + .flat_map(|&m| (0..8).rev().map(move |i| m >> i & 1 == 1)) + .skip(skip_bits) { tmp.push(Some(b)); } @@ -327,37 +302,35 @@ fn witness_bits( for (i, value) in bit_values.into_iter().enumerate() { bits.push(Boolean::from(AllocatedBit::alloc( cs.namespace(|| format!("bit {}", i)), - value + value, )?)); } Ok(bits) } -fn witness_u256( - cs: CS, - value: Option<&[u8]>, -) -> Result, SynthesisError> - where E: Engine, CS: ConstraintSystem, +fn witness_u256(cs: CS, value: Option<&[u8]>) -> Result, SynthesisError> +where + E: Engine, + CS: ConstraintSystem, { witness_bits(cs, value, 256, 0) } -fn witness_u252( - cs: CS, - value: Option<&[u8]>, -) -> Result, SynthesisError> - where E: Engine, CS: ConstraintSystem, +fn witness_u252(cs: CS, value: Option<&[u8]>) -> Result, SynthesisError> +where + E: Engine, + CS: ConstraintSystem, { witness_bits(cs, value, 252, 4) } #[test] fn test_sprout_constraints() { - use pairing::bls12_381::{Bls12}; use bellman::gadgets::test::*; + use pairing::bls12_381::Bls12; - use byteorder::{WriteBytesExt, ReadBytesExt, LittleEndian}; + use byteorder::{LittleEndian, ReadBytesExt, WriteBytesExt}; let test_vector = include_bytes!("test_vectors.dat"); let mut test_vector = &test_vector[..]; @@ -393,9 +366,7 @@ fn test_sprout_constraints() { } let mut position = test_vector.read_u64::().unwrap(); for i in 0..TREE_DEPTH { - auth_path[i].as_mut().map(|p| { - p.1 = (position & 1) == 1 - }); + auth_path[i].as_mut().map(|p| p.1 = (position & 1) == 1); position >>= 1; } @@ -407,15 +378,13 @@ fn test_sprout_constraints() { let r = Some(CommitmentRandomness(get_u256(&mut test_vector))); let a_sk = Some(SpendingKey(get_u256(&mut test_vector))); - inputs.push( - JSInput { - value: value, - a_sk: a_sk, - rho: rho, - r: r, - auth_path: auth_path - } - ); + inputs.push(JSInput { + value: value, + a_sk: a_sk, + rho: rho, + r: r, + auth_path: auth_path, + }); } let mut outputs = vec![]; @@ -426,13 +395,11 @@ fn test_sprout_constraints() { get_u256(&mut test_vector); let r = Some(CommitmentRandomness(get_u256(&mut test_vector))); - outputs.push( - JSOutput { - value: value, - a_pk: a_pk, - r: r - } - ); + outputs.push(JSOutput { + value: value, + a_pk: a_pk, + r: r, + }); } let vpub_old = Some(test_vector.read_u64::().unwrap()); @@ -454,7 +421,7 @@ fn test_sprout_constraints() { phi: phi, inputs: inputs, outputs: outputs, - rt: rt + rt: rt, }; js.synthesize(&mut cs).unwrap(); @@ -465,7 +432,10 @@ fn test_sprout_constraints() { assert!(cs.is_satisfied()); assert_eq!(cs.num_constraints(), 1989085); assert_eq!(cs.num_inputs(), 10); - assert_eq!(cs.hash(), "1a228d3c6377130d1778c7885811dc8b8864049cb5af8aff7e6cd46c5bc4b84c"); + assert_eq!( + cs.hash(), + "1a228d3c6377130d1778c7885811dc8b8864049cb5af8aff7e6cd46c5bc4b84c" + ); let mut expected_inputs = vec![]; expected_inputs.extend(rt.unwrap().to_vec()); @@ -476,8 +446,12 @@ fn test_sprout_constraints() { expected_inputs.extend(mac2.to_vec()); expected_inputs.extend(cm1.to_vec()); expected_inputs.extend(cm2.to_vec()); - expected_inputs.write_u64::(vpub_old.unwrap()).unwrap(); - expected_inputs.write_u64::(vpub_new.unwrap()).unwrap(); + expected_inputs + .write_u64::(vpub_old.unwrap()) + .unwrap(); + expected_inputs + .write_u64::(vpub_new.unwrap()) + .unwrap(); use bellman::gadgets::multipack; diff --git a/zcash_proofs/src/circuit/sprout/output.rs b/zcash_proofs/src/circuit/sprout/output.rs index f2e504aa2..a9a1e48b3 100644 --- a/zcash_proofs/src/circuit/sprout/output.rs +++ b/zcash_proofs/src/circuit/sprout/output.rs @@ -1,13 +1,13 @@ -use pairing::{Engine}; +use bellman::gadgets::boolean::Boolean; use bellman::{ConstraintSystem, SynthesisError}; -use bellman::gadgets::boolean::{Boolean}; +use pairing::Engine; -use super::*; -use super::prfs::*; use super::commitment::note_comm; +use super::prfs::*; +use super::*; pub struct OutputNote { - pub cm: Vec + pub cm: Vec, } impl OutputNote { @@ -18,37 +18,29 @@ impl OutputNote { r: Option, phi: &[Boolean], h_sig: &[Boolean], - nonce: bool + nonce: bool, ) -> Result - where E: Engine, CS: ConstraintSystem, + where + E: Engine, + CS: ConstraintSystem, { - let rho = prf_rho( - cs.namespace(|| "rho"), - phi, - h_sig, - nonce - )?; + let rho = prf_rho(cs.namespace(|| "rho"), phi, h_sig, nonce)?; let a_pk = witness_u256( cs.namespace(|| "a_pk"), - a_pk.as_ref().map(|a_pk| &a_pk.0[..]) + a_pk.as_ref().map(|a_pk| &a_pk.0[..]), )?; - let r = witness_u256( - cs.namespace(|| "r"), - r.as_ref().map(|r| &r.0[..]) - )?; + let r = witness_u256(cs.namespace(|| "r"), r.as_ref().map(|r| &r.0[..]))?; let cm = note_comm( cs.namespace(|| "cm computation"), &a_pk, &value.bits_le(), &rho, - &r + &r, )?; - Ok(OutputNote { - cm: cm - }) + Ok(OutputNote { cm: cm }) } } diff --git a/zcash_proofs/src/circuit/sprout/prfs.rs b/zcash_proofs/src/circuit/sprout/prfs.rs index 0b3e42ce3..ea87b08d4 100644 --- a/zcash_proofs/src/circuit/sprout/prfs.rs +++ b/zcash_proofs/src/circuit/sprout/prfs.rs @@ -1,11 +1,7 @@ -use pairing::{Engine}; +use bellman::gadgets::boolean::Boolean; +use bellman::gadgets::sha256::sha256_block_no_padding; use bellman::{ConstraintSystem, SynthesisError}; -use bellman::gadgets::sha256::{ - sha256_block_no_padding -}; -use bellman::gadgets::boolean::{ - Boolean -}; +use pairing::Engine; fn prf( cs: CS, @@ -14,9 +10,11 @@ fn prf( c: bool, d: bool, x: &[Boolean], - y: &[Boolean] + y: &[Boolean], ) -> Result, SynthesisError> - where E: Engine, CS: ConstraintSystem +where + E: Engine, + CS: ConstraintSystem, { assert_eq!(x.len(), 252); assert_eq!(y.len(), 256); @@ -31,27 +29,35 @@ fn prf( assert_eq!(image.len(), 512); - sha256_block_no_padding( - cs, - &image - ) + sha256_block_no_padding(cs, &image) } -pub fn prf_a_pk( - cs: CS, - a_sk: &[Boolean] -) -> Result, SynthesisError> - where E: Engine, CS: ConstraintSystem +pub fn prf_a_pk(cs: CS, a_sk: &[Boolean]) -> Result, SynthesisError> +where + E: Engine, + CS: ConstraintSystem, { - prf(cs, true, true, false, false, a_sk, &(0..256).map(|_| Boolean::constant(false)).collect::>()) + prf( + cs, + true, + true, + false, + false, + a_sk, + &(0..256) + .map(|_| Boolean::constant(false)) + .collect::>(), + ) } pub fn prf_nf( cs: CS, a_sk: &[Boolean], - rho: &[Boolean] + rho: &[Boolean], ) -> Result, SynthesisError> - where E: Engine, CS: ConstraintSystem +where + E: Engine, + CS: ConstraintSystem, { prf(cs, true, true, true, false, a_sk, rho) } @@ -60,9 +66,11 @@ pub fn prf_pk( cs: CS, a_sk: &[Boolean], h_sig: &[Boolean], - nonce: bool + nonce: bool, ) -> Result, SynthesisError> - where E: Engine, CS: ConstraintSystem +where + E: Engine, + CS: ConstraintSystem, { prf(cs, false, nonce, false, false, a_sk, h_sig) } @@ -71,9 +79,11 @@ pub fn prf_rho( cs: CS, phi: &[Boolean], h_sig: &[Boolean], - nonce: bool + nonce: bool, ) -> Result, SynthesisError> - where E: Engine, CS: ConstraintSystem +where + E: Engine, + CS: ConstraintSystem, { prf(cs, false, nonce, true, false, phi, h_sig) } diff --git a/zcash_proofs/src/prover.rs b/zcash_proofs/src/prover.rs index 1c1a972cb..6dd5767df 100644 --- a/zcash_proofs/src/prover.rs +++ b/zcash_proofs/src/prover.rs @@ -3,11 +3,11 @@ use bellman::groth16::{Parameters, PreparedVerifyingKey}; use directories::BaseDirs; use pairing::bls12_381::{Bls12, Fr}; +use std::path::Path; use zcash_primitives::{ jubjub::{edwards, fs::Fs, Unknown}, primitives::{Diversifier, PaymentAddress, ProofGenerationKey}, }; -use std::path::Path; use zcash_primitives::{ merkle_tree::CommitmentTreeWitness, prover::TxProver, diff --git a/zcash_proofs/src/sapling/prover.rs b/zcash_proofs/src/sapling/prover.rs index e91417157..283e76b15 100644 --- a/zcash_proofs/src/sapling/prover.rs +++ b/zcash_proofs/src/sapling/prover.rs @@ -1,8 +1,6 @@ use bellman::{ gadgets::multipack, - groth16::{ - create_random_proof, verify_proof, Parameters, PreparedVerifyingKey, Proof, - }, + groth16::{create_random_proof, verify_proof, Parameters, PreparedVerifyingKey, Proof}, }; use ff::Field; use pairing::bls12_381::{Bls12, Fr};