From 0b2293bcc0f86b42f8c5ebad750e07ae87cd0b3a Mon Sep 17 00:00:00 2001 From: Jack Grigg Date: Sat, 30 May 2020 12:32:21 +1200 Subject: [PATCH 1/2] bellman: Replace E: ScalarEngine with Scalar: PrimeField Instead of imposing the requirement that bellman users explicitly specify an engine for every proving system, we allow the Rust type system to figure it out for us. An engine is specifically useful in places where we require defined relationships between several types; ff::ScalarEngine only has one type, and thus any usage of it can be trivially replaced by an explicit Scalar type. This is also more readable :) --- bellman/src/domain.rs | 120 +++++------ bellman/src/gadgets/blake2s.rs | 28 +-- bellman/src/gadgets/boolean.rs | 192 ++++++++++-------- bellman/src/gadgets/lookup.rs | 86 ++++---- bellman/src/gadgets/multieq.rs | 36 ++-- bellman/src/gadgets/multipack.rs | 31 ++- bellman/src/gadgets/num.rs | 89 ++++---- bellman/src/gadgets/sha256.rs | 36 ++-- bellman/src/gadgets/test/mod.rs | 99 +++++---- bellman/src/gadgets/uint32.rs | 68 ++++--- bellman/src/groth16/generator.rs | 58 +++--- bellman/src/groth16/mod.rs | 12 +- bellman/src/groth16/prover.rs | 44 ++-- bellman/src/groth16/tests/mod.rs | 25 ++- bellman/src/lib.rs | 142 +++++++------ bellman/tests/mimc.rs | 28 +-- zcash_proofs/examples/bench.rs | 4 +- zcash_proofs/src/circuit/ecc.rs | 82 ++++---- zcash_proofs/src/circuit/pedersen_hash.rs | 14 +- zcash_proofs/src/circuit/sapling.rs | 46 ++--- zcash_proofs/src/circuit/sprout/commitment.rs | 8 +- zcash_proofs/src/circuit/sprout/input.rs | 24 +-- zcash_proofs/src/circuit/sprout/mod.rs | 41 ++-- zcash_proofs/src/circuit/sprout/output.rs | 8 +- zcash_proofs/src/circuit/sprout/prfs.rs | 32 +-- zcash_proofs/src/sapling/prover.rs | 2 +- zcash_proofs/src/sapling/verifier.rs | 2 +- zcash_proofs/src/sprout.rs | 2 +- 28 files changed, 695 insertions(+), 664 deletions(-) diff --git a/bellman/src/domain.rs b/bellman/src/domain.rs index 4e24f18b0..47f8ff083 100644 --- a/bellman/src/domain.rs +++ b/bellman/src/domain.rs @@ -11,41 +11,40 @@ //! [`EvaluationDomain`]: crate::domain::EvaluationDomain //! [Groth16]: https://eprint.iacr.org/2016/260 -use ff::{Field, PrimeField, ScalarEngine}; +use ff::PrimeField; use group::CurveProjective; -use std::ops::{AddAssign, MulAssign, SubAssign}; use super::SynthesisError; use super::multicore::Worker; -pub struct EvaluationDomain> { +pub struct EvaluationDomain> { coeffs: Vec, exp: u32, - omega: E::Fr, - omegainv: E::Fr, - geninv: E::Fr, - minv: E::Fr, + omega: S, + omegainv: S, + geninv: S, + minv: S, } -impl> AsRef<[G]> for EvaluationDomain { +impl> AsRef<[G]> for EvaluationDomain { fn as_ref(&self) -> &[G] { &self.coeffs } } -impl> AsMut<[G]> for EvaluationDomain { +impl> AsMut<[G]> for EvaluationDomain { fn as_mut(&mut self) -> &mut [G] { &mut self.coeffs } } -impl> EvaluationDomain { +impl> EvaluationDomain { pub fn into_coeffs(self) -> Vec { self.coeffs } - pub fn from_coeffs(mut coeffs: Vec) -> Result, SynthesisError> { + pub fn from_coeffs(mut coeffs: Vec) -> Result, SynthesisError> { // Compute the size of our evaluation domain let mut m = 1; let mut exp = 0; @@ -55,14 +54,14 @@ impl> EvaluationDomain { // The pairing-friendly curve may not be able to support // large enough (radix2) evaluation domains. - if exp >= E::Fr::S { + if exp >= S::S { return Err(SynthesisError::PolynomialDegreeTooLarge); } } // Compute omega, the 2^exp primitive root of unity - let mut omega = E::Fr::root_of_unity(); - for _ in exp..E::Fr::S { + let mut omega = S::root_of_unity(); + for _ in exp..S::S { omega = omega.square(); } @@ -74,11 +73,8 @@ impl> EvaluationDomain { exp, omega, omegainv: omega.invert().unwrap(), - geninv: E::Fr::multiplicative_generator().invert().unwrap(), - minv: E::Fr::from_str(&format!("{}", m)) - .unwrap() - .invert() - .unwrap(), + geninv: S::multiplicative_generator().invert().unwrap(), + minv: S::from_str(&format!("{}", m)).unwrap().invert().unwrap(), }) } @@ -102,7 +98,7 @@ impl> EvaluationDomain { }); } - pub fn distribute_powers(&mut self, worker: &Worker, g: E::Fr) { + pub fn distribute_powers(&mut self, worker: &Worker, g: S) { worker.scope(self.coeffs.len(), |scope, chunk| { for (i, v) in self.coeffs.chunks_mut(chunk).enumerate() { scope.spawn(move |_scope| { @@ -117,7 +113,7 @@ impl> EvaluationDomain { } pub fn coset_fft(&mut self, worker: &Worker) { - self.distribute_powers(worker, E::Fr::multiplicative_generator()); + self.distribute_powers(worker, S::multiplicative_generator()); self.fft(worker); } @@ -130,9 +126,9 @@ impl> EvaluationDomain { /// This evaluates t(tau) for this domain, which is /// tau^m - 1 for these radix-2 domains. - pub fn z(&self, tau: &E::Fr) -> E::Fr { + pub fn z(&self, tau: &S) -> S { let mut tmp = tau.pow_vartime(&[self.coeffs.len() as u64]); - tmp.sub_assign(&E::Fr::one()); + tmp.sub_assign(&S::one()); tmp } @@ -141,7 +137,7 @@ impl> EvaluationDomain { /// evaluation domain, so we must perform division over /// a coset. pub fn divide_by_z_on_coset(&mut self, worker: &Worker) { - let i = self.z(&E::Fr::multiplicative_generator()).invert().unwrap(); + let i = self.z(&S::multiplicative_generator()).invert().unwrap(); worker.scope(self.coeffs.len(), |scope, chunk| { for v in self.coeffs.chunks_mut(chunk) { @@ -155,7 +151,7 @@ impl> EvaluationDomain { } /// Perform O(n) multiplication of two polynomials in the domain. - pub fn mul_assign(&mut self, worker: &Worker, other: &EvaluationDomain>) { + pub fn mul_assign(&mut self, worker: &Worker, other: &EvaluationDomain>) { assert_eq!(self.coeffs.len(), other.coeffs.len()); worker.scope(self.coeffs.len(), |scope, chunk| { @@ -174,7 +170,7 @@ impl> EvaluationDomain { } /// Perform O(n) subtraction of one polynomial from another in the domain. - pub fn sub_assign(&mut self, worker: &Worker, other: &EvaluationDomain) { + pub fn sub_assign(&mut self, worker: &Worker, other: &EvaluationDomain) { assert_eq!(self.coeffs.len(), other.coeffs.len()); worker.scope(self.coeffs.len(), |scope, chunk| { @@ -193,9 +189,9 @@ impl> EvaluationDomain { } } -pub trait Group: Sized + Copy + Clone + Send + Sync { +pub trait Group: Sized + Copy + Clone + Send + Sync { fn group_zero() -> Self; - fn group_mul_assign(&mut self, by: &E::Fr); + fn group_mul_assign(&mut self, by: &Scalar); fn group_add_assign(&mut self, other: &Self); fn group_sub_assign(&mut self, other: &Self); } @@ -216,7 +212,7 @@ impl Clone for Point { } } -impl> Group for Point { +impl Group for Point { fn group_zero() -> Self { Point(G::identity()) } @@ -231,27 +227,27 @@ impl> Group for Point } } -pub struct Scalar(pub E::Fr); +pub struct Scalar(pub S); -impl PartialEq for Scalar { - fn eq(&self, other: &Scalar) -> bool { +impl PartialEq for Scalar { + fn eq(&self, other: &Scalar) -> bool { self.0 == other.0 } } -impl Copy for Scalar {} +impl Copy for Scalar {} -impl Clone for Scalar { - fn clone(&self) -> Scalar { +impl Clone for Scalar { + fn clone(&self) -> Scalar { *self } } -impl Group for Scalar { +impl Group for Scalar { fn group_zero() -> Self { - Scalar(E::Fr::zero()) + Scalar(S::zero()) } - fn group_mul_assign(&mut self, by: &E::Fr) { + fn group_mul_assign(&mut self, by: &S) { self.0.mul_assign(by); } fn group_add_assign(&mut self, other: &Self) { @@ -262,7 +258,7 @@ impl Group for Scalar { } } -fn best_fft>(a: &mut [T], worker: &Worker, omega: &E::Fr, log_n: u32) { +fn best_fft>(a: &mut [T], worker: &Worker, omega: &S, log_n: u32) { let log_cpus = worker.log_num_cpus(); if log_n <= log_cpus { @@ -272,7 +268,7 @@ fn best_fft>(a: &mut [T], worker: &Worker, omega: & } } -fn serial_fft>(a: &mut [T], omega: &E::Fr, log_n: u32) { +fn serial_fft>(a: &mut [T], omega: &S, log_n: u32) { fn bitreverse(mut n: u32, l: u32) -> u32 { let mut r = 0; for _ in 0..l { @@ -298,7 +294,7 @@ fn serial_fft>(a: &mut [T], omega: &E::Fr, log_n: u let mut k = 0; while k < n { - let mut w = E::Fr::one(); + let mut w = S::one(); for j in 0..m { let mut t = a[(k + j + m) as usize]; t.group_mul_assign(&w); @@ -316,10 +312,10 @@ fn serial_fft>(a: &mut [T], omega: &E::Fr, log_n: u } } -fn parallel_fft>( +fn parallel_fft>( a: &mut [T], worker: &Worker, - omega: &E::Fr, + omega: &S, log_n: u32, log_cpus: u32, ) { @@ -339,7 +335,7 @@ fn parallel_fft>( let omega_j = omega.pow_vartime(&[j as u64]); let omega_step = omega.pow_vartime(&[(j as u64) << log_new_n]); - let mut elt = E::Fr::one(); + let mut elt = S::one(); for (i, tmp) in tmp.iter_mut().enumerate() { for s in 0..num_cpus { let idx = (i + (s << log_new_n)) % (1 << log_n); @@ -379,23 +375,19 @@ fn parallel_fft>( #[cfg(feature = "pairing")] #[test] fn polynomial_arith() { - use pairing::bls12_381::Bls12; + use pairing::bls12_381::Fr; use rand_core::RngCore; - fn test_mul(rng: &mut R) { + fn test_mul(rng: &mut R) { let worker = Worker::new(); for coeffs_a in 0..70 { for coeffs_b in 0..70 { - let mut a: Vec<_> = (0..coeffs_a) - .map(|_| Scalar::(E::Fr::random(rng))) - .collect(); - let mut b: Vec<_> = (0..coeffs_b) - .map(|_| Scalar::(E::Fr::random(rng))) - .collect(); + let mut a: Vec<_> = (0..coeffs_a).map(|_| Scalar::(S::random(rng))).collect(); + let mut b: Vec<_> = (0..coeffs_b).map(|_| Scalar::(S::random(rng))).collect(); // naive evaluation - let mut naive = vec![Scalar(E::Fr::zero()); coeffs_a + coeffs_b]; + let mut naive = vec![Scalar(S::zero()); coeffs_a + coeffs_b]; for (i1, a) in a.iter().enumerate() { for (i2, b) in b.iter().enumerate() { let mut prod = *a; @@ -404,8 +396,8 @@ fn polynomial_arith() { } } - a.resize(coeffs_a + coeffs_b, Scalar(E::Fr::zero())); - b.resize(coeffs_a + coeffs_b, Scalar(E::Fr::zero())); + a.resize(coeffs_a + coeffs_b, Scalar(S::zero())); + b.resize(coeffs_a + coeffs_b, Scalar(S::zero())); let mut a = EvaluationDomain::from_coeffs(a).unwrap(); let mut b = EvaluationDomain::from_coeffs(b).unwrap(); @@ -424,16 +416,16 @@ fn polynomial_arith() { let rng = &mut rand::thread_rng(); - test_mul::(rng); + test_mul::(rng); } #[cfg(feature = "pairing")] #[test] fn fft_composition() { - use pairing::bls12_381::Bls12; + use pairing::bls12_381::Fr; use rand_core::RngCore; - fn test_comp(rng: &mut R) { + fn test_comp(rng: &mut R) { let worker = Worker::new(); for coeffs in 0..10 { @@ -441,7 +433,7 @@ fn fft_composition() { let mut v = vec![]; for _ in 0..coeffs { - v.push(Scalar::(E::Fr::random(rng))); + v.push(Scalar::(S::random(rng))); } let mut domain = EvaluationDomain::from_coeffs(v.clone()).unwrap(); @@ -462,17 +454,17 @@ fn fft_composition() { let rng = &mut rand::thread_rng(); - test_comp::(rng); + test_comp::(rng); } #[cfg(feature = "pairing")] #[test] fn parallel_fft_consistency() { - use pairing::bls12_381::Bls12; + use pairing::bls12_381::Fr; use rand_core::RngCore; use std::cmp::min; - fn test_consistency(rng: &mut R) { + fn test_consistency(rng: &mut R) { let worker = Worker::new(); for _ in 0..5 { @@ -480,7 +472,7 @@ fn parallel_fft_consistency() { let d = 1 << log_d; let v1 = (0..d) - .map(|_| Scalar::(E::Fr::random(rng))) + .map(|_| Scalar::(S::random(rng))) .collect::>(); let mut v1 = EvaluationDomain::from_coeffs(v1).unwrap(); let mut v2 = EvaluationDomain::from_coeffs(v1.coeffs.clone()).unwrap(); @@ -497,5 +489,5 @@ fn parallel_fft_consistency() { let rng = &mut rand::thread_rng(); - test_consistency::(rng); + test_consistency::(rng); } diff --git a/bellman/src/gadgets/blake2s.rs b/bellman/src/gadgets/blake2s.rs index 79c42e48b..226563d42 100644 --- a/bellman/src/gadgets/blake2s.rs +++ b/bellman/src/gadgets/blake2s.rs @@ -4,7 +4,7 @@ use super::{boolean::Boolean, multieq::MultiEq, uint32::UInt32}; use crate::{ConstraintSystem, SynthesisError}; -use ff::ScalarEngine; +use ff::PrimeField; /* 2.1. Parameters @@ -79,7 +79,7 @@ const SIGMA: [[usize; 16]; 10] = [ END FUNCTION. */ -fn mixing_g, M>( +fn mixing_g, M>( mut cs: M, v: &mut [UInt32], a: usize, @@ -90,7 +90,7 @@ fn mixing_g, M>( y: &UInt32, ) -> Result<(), SynthesisError> where - M: ConstraintSystem>, + M: ConstraintSystem>, { v[a] = UInt32::addmany( cs.namespace(|| "mixing step 1"), @@ -164,7 +164,7 @@ where END FUNCTION. */ -fn blake2s_compression>( +fn blake2s_compression>( mut cs: CS, h: &mut [UInt32], m: &[UInt32], @@ -337,7 +337,7 @@ fn blake2s_compression>( END FUNCTION. */ -pub fn blake2s>( +pub fn blake2s>( mut cs: CS, input: &[Boolean], personalization: &[u8], @@ -409,7 +409,7 @@ pub fn blake2s>( mod test { use blake2s_simd::Params as Blake2sParams; use hex_literal::hex; - use pairing::bls12_381::Bls12; + use pairing::bls12_381::Fr; use rand_core::{RngCore, SeedableRng}; use rand_xorshift::XorShiftRng; @@ -420,7 +420,7 @@ mod test { #[test] fn test_blank_hash() { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::::new(); let input_bits = vec![]; let out = blake2s(&mut cs, &input_bits, b"12345678").unwrap(); assert!(cs.is_satisfied()); @@ -443,7 +443,7 @@ mod test { #[test] fn test_blake2s_constraints() { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::::new(); let input_bits: Vec<_> = (0..512) .map(|i| { AllocatedBit::alloc(cs.namespace(|| format!("input bit {}", i)), Some(true)) @@ -461,7 +461,7 @@ mod test { // Test that 512 fixed leading bits (constants) // doesn't result in more constraints. - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::::new(); let mut rng = XorShiftRng::from_seed([ 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, 0xe5, @@ -481,7 +481,7 @@ mod test { #[test] fn test_blake2s_constant_constraints() { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::::new(); let mut rng = XorShiftRng::from_seed([ 0x59, 0x62, 0xbe, 0x5d, 0x76, 0x3d, 0x31, 0x8d, 0x17, 0xdb, 0x37, 0x32, 0x54, 0x06, 0xbc, 0xe5, @@ -512,7 +512,7 @@ mod test { let hash_result = h.finalize(); - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::::new(); let mut input_bits = vec![]; @@ -559,7 +559,7 @@ mod test { let data: Vec = hex!("be9f9c485e670acce8b1516a378176161b20583637b6f1c536fbc1158a0a3296831df2920e57a442d5738f4be4dd6be89dd7913fc8b4d1c0a815646a4d674b77f7caf313bd880bf759fcac27037c48c2b2a20acd2fd5248e3be426c84a341c0a3c63eaf36e0d537d10b8db5c6e4c801832c41eb1a3ed602177acded8b4b803bd34339d99a18b71df399641cc8dfae2ad193fcd74b5913e704551777160d14c78f2e8d5c32716a8599c1080cb89a40ccd6ba596694a8b4a065d9f2d0667ef423ed2e418093caff884540858b4f4b62acd47edcea880523e1b1cda8eb225c128c2e9e83f14f6e7448c5733a195cac7d79a53dde5083172462c45b2f799e42af1c9").to_vec(); assert_eq!(data.len(), 256); - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::::new(); let mut input_bits = vec![]; @@ -596,7 +596,7 @@ mod test { let data: Vec = hex!("5dcfe8bab4c758d2eb1ddb7ef337583e0df3e2c358e1755b7cd303a658de9a1227eed1d1114179a5c3c38d692ff2cf2d4e5c92a9516de750106774bbf9f7d063f707f4c9b6a02c0a77e4feb99e036c3ccaee7d1a31cb144093aa074bc9da608f8ff30b39c3c60e4a243cc0bbd406d1262a7d6607b31c60275c6bcc8b0ac49a06a4b629a98693c5f7640f3bca45e4977cfabc5b17f52838af3433b1fd407dbbdc131e8e4bd58bcee85bbab4b57b656c6a2ec6cf852525bc8423675e2bf29159139cd5df99db94719f3f7167230e0d5bd76f6d7891b656732cef9c3c0d48a5fa3d7a879988157b39015a85451b25af0301ca5e759ac35fea79dca38c673ec6db9f3885d9103e2dcb3304bd3d59b0b1d01babc97ef8a74d91b6ab6bf50f29eb5adf7250a28fd85db37bff0133193635da69caeefc72979cf3bef1d2896d847eea7e8a81e0927893dbd010feb6fb845d0399007d9a148a0596d86cd8f4192631f975c560f4de8da5f712c161342063af3c11029d93d6df7ff46db48343499de9ec4786cac059c4025ef418c9fe40132428ff8b91259d71d1709ff066add84ae944b45a817f60b4c1bf719e39ae23e9b413469db2310793e9137cf38741e5dd2a3c138a566dbde1950c00071b20ac457b46ba9b0a7ebdddcc212bd228d2a4c4146a970e54158477247c27871af1564b176576e9fd43bf63740bf77434bc4ea3b1a4b430e1a11714bf43160145578a575c3f78ddeaa48de97f73460f26f8df2b5d63e31800100d16bc27160fea5ced5a977ef541cfe8dadc7b3991ed1c0d4f16a3076bbfed96ba3e155113e794987af8abb133f06feefabc2ac32eb4d4d4ba1541ca08b9e518d2e74b7f946b0cbd2663d58c689359b9a565821acc619011233d1011963fa302cde34fc9c5ba2e03eeb2512f547391e940d56218e22ae325f2dfa38d4bae35744ee707aa5dc9c17674025d15390a08f5c452343546ef6da0f7").to_vec(); assert_eq!(data.len(), 700); - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::::new(); let mut input_bits = vec![]; @@ -651,7 +651,7 @@ mod test { let hash_result = h.finalize(); - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::::new(); let mut input_bits = vec![]; diff --git a/bellman/src/gadgets/boolean.rs b/bellman/src/gadgets/boolean.rs index b521e7bdf..940790d9c 100644 --- a/bellman/src/gadgets/boolean.rs +++ b/bellman/src/gadgets/boolean.rs @@ -1,6 +1,6 @@ //! Gadgets for allocating bits in the circuit and performing boolean logic. -use ff::{BitIterator, Field, PrimeField, ScalarEngine}; +use ff::{BitIterator, PrimeField}; use crate::{ConstraintSystem, LinearCombination, SynthesisError, Variable}; @@ -26,22 +26,22 @@ impl AllocatedBit { /// Allocate a variable in the constraint system which can only be a /// boolean value. Further, constrain that the boolean is false /// unless the condition is false. - pub fn alloc_conditionally( + pub fn alloc_conditionally( mut cs: CS, value: Option, must_be_false: &AllocatedBit, ) -> Result where - E: ScalarEngine, - CS: ConstraintSystem, + Scalar: PrimeField, + CS: ConstraintSystem, { let var = cs.alloc( || "boolean", || { if *value.get()? { - Ok(E::Fr::one()) + Ok(Scalar::one()) } else { - Ok(E::Fr::zero()) + Ok(Scalar::zero()) } }, )?; @@ -67,18 +67,18 @@ impl AllocatedBit { /// Allocate a variable in the constraint system which can only be a /// boolean value. - pub fn alloc(mut cs: CS, value: Option) -> Result + pub fn alloc(mut cs: CS, value: Option) -> Result where - E: ScalarEngine, - CS: ConstraintSystem, + Scalar: PrimeField, + CS: ConstraintSystem, { let var = cs.alloc( || "boolean", || { if *value.get()? { - Ok(E::Fr::one()) + Ok(Scalar::one()) } else { - Ok(E::Fr::zero()) + Ok(Scalar::zero()) } }, )?; @@ -100,10 +100,10 @@ impl AllocatedBit { /// Performs an XOR operation over the two operands, returning /// an `AllocatedBit`. - pub fn xor(mut cs: CS, a: &Self, b: &Self) -> Result + pub fn xor(mut cs: CS, a: &Self, b: &Self) -> Result where - E: ScalarEngine, - CS: ConstraintSystem, + Scalar: PrimeField, + CS: ConstraintSystem, { let mut result_value = None; @@ -113,11 +113,11 @@ impl AllocatedBit { if *a.value.get()? ^ *b.value.get()? { result_value = Some(true); - Ok(E::Fr::one()) + Ok(Scalar::one()) } else { result_value = Some(false); - Ok(E::Fr::zero()) + Ok(Scalar::zero()) } }, )?; @@ -152,10 +152,10 @@ impl AllocatedBit { /// Performs an AND operation over the two operands, returning /// an `AllocatedBit`. - pub fn and(mut cs: CS, a: &Self, b: &Self) -> Result + pub fn and(mut cs: CS, a: &Self, b: &Self) -> Result where - E: ScalarEngine, - CS: ConstraintSystem, + Scalar: PrimeField, + CS: ConstraintSystem, { let mut result_value = None; @@ -165,11 +165,11 @@ impl AllocatedBit { if *a.value.get()? & *b.value.get()? { result_value = Some(true); - Ok(E::Fr::one()) + Ok(Scalar::one()) } else { result_value = Some(false); - Ok(E::Fr::zero()) + Ok(Scalar::zero()) } }, )?; @@ -190,10 +190,10 @@ impl AllocatedBit { } /// Calculates `a AND (NOT b)`. - pub fn and_not(mut cs: CS, a: &Self, b: &Self) -> Result + pub fn and_not(mut cs: CS, a: &Self, b: &Self) -> Result where - E: ScalarEngine, - CS: ConstraintSystem, + Scalar: PrimeField, + CS: ConstraintSystem, { let mut result_value = None; @@ -203,11 +203,11 @@ impl AllocatedBit { if *a.value.get()? & !*b.value.get()? { result_value = Some(true); - Ok(E::Fr::one()) + Ok(Scalar::one()) } else { result_value = Some(false); - Ok(E::Fr::zero()) + Ok(Scalar::zero()) } }, )?; @@ -228,10 +228,10 @@ impl AllocatedBit { } /// Calculates `(NOT a) AND (NOT b)`. - pub fn nor(mut cs: CS, a: &Self, b: &Self) -> Result + pub fn nor(mut cs: CS, a: &Self, b: &Self) -> Result where - E: ScalarEngine, - CS: ConstraintSystem, + Scalar: PrimeField, + CS: ConstraintSystem, { let mut result_value = None; @@ -241,11 +241,11 @@ impl AllocatedBit { if !*a.value.get()? & !*b.value.get()? { result_value = Some(true); - Ok(E::Fr::one()) + Ok(Scalar::one()) } else { result_value = Some(false); - Ok(E::Fr::zero()) + Ok(Scalar::zero()) } }, )?; @@ -266,7 +266,7 @@ impl AllocatedBit { } } -pub fn u64_into_boolean_vec_le>( +pub fn u64_into_boolean_vec_le>( mut cs: CS, value: Option, ) -> Result, SynthesisError> { @@ -297,16 +297,24 @@ pub fn u64_into_boolean_vec_le>( Ok(bits) } -pub fn field_into_boolean_vec_le, F: PrimeField>( +pub fn field_into_boolean_vec_le< + Scalar: PrimeField, + CS: ConstraintSystem, + F: PrimeField, +>( cs: CS, value: Option, ) -> Result, SynthesisError> { - let v = field_into_allocated_bits_le::(cs, value)?; + let v = field_into_allocated_bits_le::(cs, value)?; Ok(v.into_iter().map(Boolean::from).collect()) } -pub fn field_into_allocated_bits_le, F: PrimeField>( +pub fn field_into_allocated_bits_le< + Scalar: PrimeField, + CS: ConstraintSystem, + F: PrimeField, +>( mut cs: CS, value: Option, ) -> Result, SynthesisError> { @@ -366,10 +374,10 @@ impl Boolean { } } - pub fn enforce_equal(mut cs: CS, a: &Self, b: &Self) -> Result<(), SynthesisError> + pub fn enforce_equal(mut cs: CS, a: &Self, b: &Self) -> Result<(), SynthesisError> where - E: ScalarEngine, - CS: ConstraintSystem, + Scalar: PrimeField, + CS: ConstraintSystem, { match (a, b) { (&Boolean::Constant(a), &Boolean::Constant(b)) => { @@ -384,7 +392,7 @@ impl Boolean { || "enforce equal to one", |lc| lc, |lc| lc, - |lc| lc + CS::one() - &a.lc(CS::one(), E::Fr::one()), + |lc| lc + CS::one() - &a.lc(CS::one(), Scalar::one()), ); Ok(()) @@ -394,7 +402,7 @@ impl Boolean { || "enforce equal to zero", |lc| lc, |lc| lc, - |_| a.lc(CS::one(), E::Fr::one()), + |_| a.lc(CS::one(), Scalar::one()), ); Ok(()) @@ -404,7 +412,7 @@ impl Boolean { || "enforce equal", |lc| lc, |lc| lc, - |_| a.lc(CS::one(), E::Fr::one()) - &b.lc(CS::one(), E::Fr::one()), + |_| a.lc(CS::one(), Scalar::one()) - &b.lc(CS::one(), Scalar::one()), ); Ok(()) @@ -420,18 +428,22 @@ impl Boolean { } } - pub fn lc(&self, one: Variable, coeff: E::Fr) -> LinearCombination { + pub fn lc( + &self, + one: Variable, + coeff: Scalar, + ) -> LinearCombination { match *self { Boolean::Constant(c) => { if c { - LinearCombination::::zero() + (coeff, one) + LinearCombination::::zero() + (coeff, one) } else { - LinearCombination::::zero() + LinearCombination::::zero() } } - Boolean::Is(ref v) => LinearCombination::::zero() + (coeff, v.get_variable()), + Boolean::Is(ref v) => LinearCombination::::zero() + (coeff, v.get_variable()), Boolean::Not(ref v) => { - LinearCombination::::zero() + (coeff, one) - (coeff, v.get_variable()) + LinearCombination::::zero() + (coeff, one) - (coeff, v.get_variable()) } } } @@ -451,10 +463,10 @@ impl Boolean { } /// Perform XOR over two boolean operands - pub fn xor<'a, E, CS>(cs: CS, a: &'a Self, b: &'a Self) -> Result + pub fn xor<'a, Scalar, CS>(cs: CS, a: &'a Self, b: &'a Self) -> Result where - E: ScalarEngine, - CS: ConstraintSystem, + Scalar: PrimeField, + CS: ConstraintSystem, { match (a, b) { (&Boolean::Constant(false), x) | (x, &Boolean::Constant(false)) => Ok(x.clone()), @@ -473,10 +485,10 @@ impl Boolean { } /// Perform AND over two boolean operands - pub fn and<'a, E, CS>(cs: CS, a: &'a Self, b: &'a Self) -> Result + pub fn and<'a, Scalar, CS>(cs: CS, a: &'a Self, b: &'a Self) -> Result where - E: ScalarEngine, - CS: ConstraintSystem, + Scalar: PrimeField, + CS: ConstraintSystem, { match (a, b) { // false AND x is always false @@ -502,15 +514,15 @@ impl Boolean { } /// Computes (a and b) xor ((not a) and c) - pub fn sha256_ch<'a, E, CS>( + pub fn sha256_ch<'a, Scalar, CS>( mut cs: CS, a: &'a Self, b: &'a Self, c: &'a Self, ) -> Result where - E: ScalarEngine, - CS: ConstraintSystem, + Scalar: PrimeField, + CS: ConstraintSystem, { let ch_value = match (a.get_value(), b.get_value(), c.get_value()) { (Some(a), Some(b), Some(c)) => { @@ -589,16 +601,16 @@ impl Boolean { || { ch_value .get() - .map(|v| if *v { E::Fr::one() } else { E::Fr::zero() }) + .map(|v| if *v { Scalar::one() } else { Scalar::zero() }) }, )?; // a(b - c) = ch - c cs.enforce( || "ch computation", - |_| b.lc(CS::one(), E::Fr::one()) - &c.lc(CS::one(), E::Fr::one()), - |_| a.lc(CS::one(), E::Fr::one()), - |lc| lc + ch - &c.lc(CS::one(), E::Fr::one()), + |_| b.lc(CS::one(), Scalar::one()) - &c.lc(CS::one(), Scalar::one()), + |_| a.lc(CS::one(), Scalar::one()), + |lc| lc + ch - &c.lc(CS::one(), Scalar::one()), ); Ok(AllocatedBit { @@ -609,15 +621,15 @@ impl Boolean { } /// Computes (a and b) xor (a and c) xor (b and c) - pub fn sha256_maj<'a, E, CS>( + pub fn sha256_maj<'a, Scalar, CS>( mut cs: CS, a: &'a Self, b: &'a Self, c: &'a Self, ) -> Result where - E: ScalarEngine, - CS: ConstraintSystem, + Scalar: PrimeField, + CS: ConstraintSystem, { let maj_value = match (a.get_value(), b.get_value(), c.get_value()) { (Some(a), Some(b), Some(c)) => { @@ -692,7 +704,7 @@ impl Boolean { || { maj_value .get() - .map(|v| if *v { E::Fr::one() } else { E::Fr::zero() }) + .map(|v| if *v { Scalar::one() } else { Scalar::zero() }) }, )?; @@ -710,12 +722,12 @@ impl Boolean { cs.enforce( || "maj computation", |_| { - bc.lc(CS::one(), E::Fr::one()) + &bc.lc(CS::one(), E::Fr::one()) - - &b.lc(CS::one(), E::Fr::one()) - - &c.lc(CS::one(), E::Fr::one()) + bc.lc(CS::one(), Scalar::one()) + &bc.lc(CS::one(), Scalar::one()) + - &b.lc(CS::one(), Scalar::one()) + - &c.lc(CS::one(), Scalar::one()) }, - |_| a.lc(CS::one(), E::Fr::one()), - |_| bc.lc(CS::one(), E::Fr::one()) - maj, + |_| a.lc(CS::one(), Scalar::one()), + |_| bc.lc(CS::one(), Scalar::one()) - maj, ); Ok(AllocatedBit { @@ -738,11 +750,11 @@ mod test { use crate::gadgets::test::*; use crate::ConstraintSystem; use ff::{Field, PrimeField}; - use pairing::bls12_381::{Bls12, Fr}; + use pairing::bls12_381::Fr; #[test] fn test_allocated_bit() { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::new(); AllocatedBit::alloc(&mut cs, Some(true)).unwrap(); assert!(cs.get("boolean") == Fr::one()); @@ -758,7 +770,7 @@ mod test { fn test_xor() { for a_val in [false, true].iter() { for b_val in [false, true].iter() { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::::new(); let a = AllocatedBit::alloc(cs.namespace(|| "a"), Some(*a_val)).unwrap(); let b = AllocatedBit::alloc(cs.namespace(|| "b"), Some(*b_val)).unwrap(); let c = AllocatedBit::xor(&mut cs, &a, &b).unwrap(); @@ -794,7 +806,7 @@ mod test { fn test_and() { for a_val in [false, true].iter() { for b_val in [false, true].iter() { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::::new(); let a = AllocatedBit::alloc(cs.namespace(|| "a"), Some(*a_val)).unwrap(); let b = AllocatedBit::alloc(cs.namespace(|| "b"), Some(*b_val)).unwrap(); let c = AllocatedBit::and(&mut cs, &a, &b).unwrap(); @@ -830,7 +842,7 @@ mod test { fn test_and_not() { for a_val in [false, true].iter() { for b_val in [false, true].iter() { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::::new(); let a = AllocatedBit::alloc(cs.namespace(|| "a"), Some(*a_val)).unwrap(); let b = AllocatedBit::alloc(cs.namespace(|| "b"), Some(*b_val)).unwrap(); let c = AllocatedBit::and_not(&mut cs, &a, &b).unwrap(); @@ -866,7 +878,7 @@ mod test { fn test_nor() { for a_val in [false, true].iter() { for b_val in [false, true].iter() { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::::new(); let a = AllocatedBit::alloc(cs.namespace(|| "a"), Some(*a_val)).unwrap(); let b = AllocatedBit::alloc(cs.namespace(|| "b"), Some(*b_val)).unwrap(); let c = AllocatedBit::nor(&mut cs, &a, &b).unwrap(); @@ -905,7 +917,7 @@ mod test { for a_neg in [false, true].iter().cloned() { for b_neg in [false, true].iter().cloned() { { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::::new(); let mut a = Boolean::from( AllocatedBit::alloc(cs.namespace(|| "a"), Some(a_bool)).unwrap(), @@ -926,7 +938,7 @@ mod test { assert_eq!(cs.is_satisfied(), (a_bool ^ a_neg) == (b_bool ^ b_neg)); } { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::::new(); let mut a = Boolean::Constant(a_bool); let mut b = Boolean::from( @@ -945,7 +957,7 @@ mod test { assert_eq!(cs.is_satisfied(), (a_bool ^ a_neg) == (b_bool ^ b_neg)); } { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::::new(); let mut a = Boolean::from( AllocatedBit::alloc(cs.namespace(|| "a"), Some(a_bool)).unwrap(), @@ -964,7 +976,7 @@ mod test { assert_eq!(cs.is_satisfied(), (a_bool ^ a_neg) == (b_bool ^ b_neg)); } { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::::new(); let mut a = Boolean::Constant(a_bool); let mut b = Boolean::Constant(b_bool); @@ -993,7 +1005,7 @@ mod test { #[test] fn test_boolean_negation() { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::::new(); let mut b = Boolean::from(AllocatedBit::alloc(&mut cs, Some(true)).unwrap()); @@ -1085,7 +1097,7 @@ mod test { for first_operand in variants.iter().cloned() { for second_operand in variants.iter().cloned() { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::::new(); let a; let b; @@ -1294,7 +1306,7 @@ mod test { for first_operand in variants.iter().cloned() { for second_operand in variants.iter().cloned() { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::::new(); let a; let b; @@ -1515,7 +1527,7 @@ mod test { #[test] fn test_u64_into_boolean_vec_le() { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::::new(); let bits = u64_into_boolean_vec_le(&mut cs, Some(17234652694787248421)).unwrap(); @@ -1536,7 +1548,7 @@ mod test { #[test] fn test_field_into_allocated_bits_le() { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::::new(); let r = Fr::from_str( "9147677615426976802526883532204139322118074541891858454835346926874644257775", @@ -1573,7 +1585,7 @@ mod test { for first_operand in variants.iter().cloned() { for second_operand in variants.iter().cloned() { for third_operand in variants.iter().cloned() { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::new(); let a; let b; @@ -1664,7 +1676,7 @@ mod test { for first_operand in variants.iter().cloned() { for second_operand in variants.iter().cloned() { for third_operand in variants.iter().cloned() { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::new(); let a; let b; @@ -1745,7 +1757,7 @@ mod test { #[test] fn test_alloc_conditionally() { { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::::new(); let b = AllocatedBit::alloc(&mut cs, Some(false)).unwrap(); let value = None; @@ -1761,7 +1773,7 @@ mod test { { // since value is true, b must be false, so it should succeed - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::::new(); let value = Some(true); let b = AllocatedBit::alloc(&mut cs, Some(false)).unwrap(); @@ -1778,7 +1790,7 @@ mod test { { // since value is true, b must be false, so it should fail - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::::new(); let value = Some(true); let b = AllocatedBit::alloc(&mut cs, Some(true)).unwrap(); @@ -1793,7 +1805,7 @@ mod test { let value = Some(false); //check with false bit - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::::new(); let b1 = AllocatedBit::alloc(&mut cs, Some(false)).unwrap(); AllocatedBit::alloc_conditionally(cs.namespace(|| "alloc_conditionally"), value, &b1) .unwrap(); @@ -1801,7 +1813,7 @@ mod test { assert!(cs.is_satisfied()); //check with true bit - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::::new(); let b2 = AllocatedBit::alloc(&mut cs, Some(true)).unwrap(); AllocatedBit::alloc_conditionally(cs.namespace(|| "alloc_conditionally"), value, &b2) .unwrap(); diff --git a/bellman/src/gadgets/lookup.rs b/bellman/src/gadgets/lookup.rs index bde86e2ba..d7fb30151 100644 --- a/bellman/src/gadgets/lookup.rs +++ b/bellman/src/gadgets/lookup.rs @@ -1,7 +1,6 @@ //! Window table lookup gadgets. -use ff::{Field, ScalarEngine}; -use std::ops::{AddAssign, Neg}; +use ff::PrimeField; use super::boolean::Boolean; use super::num::{AllocatedNum, Num}; @@ -9,9 +8,9 @@ use super::*; use crate::ConstraintSystem; // Synthesize the constants for each base pattern. -fn synth<'a, E: ScalarEngine, I>(window_size: usize, constants: I, assignment: &mut [E::Fr]) +fn synth<'a, Scalar: PrimeField, I>(window_size: usize, constants: I, assignment: &mut [Scalar]) where - I: IntoIterator, + I: IntoIterator, { assert_eq!(assignment.len(), 1 << window_size); @@ -29,13 +28,13 @@ where /// Performs a 3-bit window table lookup. `bits` is in /// little-endian order. -pub fn lookup3_xy( +pub fn lookup3_xy( mut cs: CS, bits: &[Boolean], - coords: &[(E::Fr, E::Fr)], -) -> Result<(AllocatedNum, AllocatedNum), SynthesisError> + coords: &[(Scalar, Scalar)], +) -> Result<(AllocatedNum, AllocatedNum), SynthesisError> where - CS: ConstraintSystem, + CS: ConstraintSystem, { assert_eq!(bits.len(), 3); assert_eq!(coords.len(), 8); @@ -69,10 +68,10 @@ where let res_y = AllocatedNum::alloc(cs.namespace(|| "y"), || Ok(coords[*i.get()?].1))?; // Compute the coefficients for the lookup constraints - let mut x_coeffs = [E::Fr::zero(); 8]; - let mut y_coeffs = [E::Fr::zero(); 8]; - synth::(3, coords.iter().map(|c| &c.0), &mut x_coeffs); - synth::(3, coords.iter().map(|c| &c.1), &mut y_coeffs); + let mut x_coeffs = [Scalar::zero(); 8]; + let mut y_coeffs = [Scalar::zero(); 8]; + synth::(3, coords.iter().map(|c| &c.0), &mut x_coeffs); + synth::(3, coords.iter().map(|c| &c.1), &mut y_coeffs); let precomp = Boolean::and(cs.namespace(|| "precomp"), &bits[1], &bits[2])?; @@ -82,17 +81,17 @@ where || "x-coordinate lookup", |lc| { lc + (x_coeffs[0b001], one) - + &bits[1].lc::(one, x_coeffs[0b011]) - + &bits[2].lc::(one, x_coeffs[0b101]) - + &precomp.lc::(one, x_coeffs[0b111]) + + &bits[1].lc::(one, x_coeffs[0b011]) + + &bits[2].lc::(one, x_coeffs[0b101]) + + &precomp.lc::(one, x_coeffs[0b111]) }, - |lc| lc + &bits[0].lc::(one, E::Fr::one()), + |lc| lc + &bits[0].lc::(one, Scalar::one()), |lc| { lc + res_x.get_variable() - (x_coeffs[0b000], one) - - &bits[1].lc::(one, x_coeffs[0b010]) - - &bits[2].lc::(one, x_coeffs[0b100]) - - &precomp.lc::(one, x_coeffs[0b110]) + - &bits[1].lc::(one, x_coeffs[0b010]) + - &bits[2].lc::(one, x_coeffs[0b100]) + - &precomp.lc::(one, x_coeffs[0b110]) }, ); @@ -100,17 +99,17 @@ where || "y-coordinate lookup", |lc| { lc + (y_coeffs[0b001], one) - + &bits[1].lc::(one, y_coeffs[0b011]) - + &bits[2].lc::(one, y_coeffs[0b101]) - + &precomp.lc::(one, y_coeffs[0b111]) + + &bits[1].lc::(one, y_coeffs[0b011]) + + &bits[2].lc::(one, y_coeffs[0b101]) + + &precomp.lc::(one, y_coeffs[0b111]) }, - |lc| lc + &bits[0].lc::(one, E::Fr::one()), + |lc| lc + &bits[0].lc::(one, Scalar::one()), |lc| { lc + res_y.get_variable() - (y_coeffs[0b000], one) - - &bits[1].lc::(one, y_coeffs[0b010]) - - &bits[2].lc::(one, y_coeffs[0b100]) - - &precomp.lc::(one, y_coeffs[0b110]) + - &bits[1].lc::(one, y_coeffs[0b010]) + - &bits[2].lc::(one, y_coeffs[0b100]) + - &precomp.lc::(one, y_coeffs[0b110]) }, ); @@ -119,13 +118,13 @@ where /// Performs a 3-bit window table lookup, where /// one of the bits is a sign bit. -pub fn lookup3_xy_with_conditional_negation( +pub fn lookup3_xy_with_conditional_negation( mut cs: CS, bits: &[Boolean], - coords: &[(E::Fr, E::Fr)], -) -> Result<(Num, Num), SynthesisError> + coords: &[(Scalar, Scalar)], +) -> Result<(Num, Num), SynthesisError> where - CS: ConstraintSystem, + CS: ConstraintSystem, { assert_eq!(bits.len(), 3); assert_eq!(coords.len(), 4); @@ -158,10 +157,10 @@ where let one = CS::one(); // Compute the coefficients for the lookup constraints - let mut x_coeffs = [E::Fr::zero(); 4]; - let mut y_coeffs = [E::Fr::zero(); 4]; - synth::(2, coords.iter().map(|c| &c.0), &mut x_coeffs); - synth::(2, coords.iter().map(|c| &c.1), &mut y_coeffs); + let mut x_coeffs = [Scalar::zero(); 4]; + let mut y_coeffs = [Scalar::zero(); 4]; + synth::(2, coords.iter().map(|c| &c.0), &mut x_coeffs); + synth::(2, coords.iter().map(|c| &c.1), &mut y_coeffs); let precomp = Boolean::and(cs.namespace(|| "precomp"), &bits[0], &bits[1])?; @@ -171,15 +170,15 @@ where .add_bool_with_coeff(one, &bits[1], x_coeffs[0b10]) .add_bool_with_coeff(one, &precomp, x_coeffs[0b11]); - let y_lc = precomp.lc::(one, y_coeffs[0b11]) - + &bits[1].lc::(one, y_coeffs[0b10]) - + &bits[0].lc::(one, y_coeffs[0b01]) + let y_lc = precomp.lc::(one, y_coeffs[0b11]) + + &bits[1].lc::(one, y_coeffs[0b10]) + + &bits[0].lc::(one, y_coeffs[0b01]) + (y_coeffs[0b00], one); cs.enforce( || "y-coordinate lookup", |lc| lc + &y_lc + &y_lc, - |lc| lc + &bits[2].lc::(one, E::Fr::one()), + |lc| lc + &bits[2].lc::(one, Scalar::one()), |lc| lc + &y_lc - y.get_variable(), ); @@ -191,9 +190,12 @@ mod test { use super::*; use crate::gadgets::boolean::{AllocatedBit, Boolean}; use crate::gadgets::test::*; - use pairing::bls12_381::{Bls12, Fr}; + + use ff::Field; + use pairing::bls12_381::Fr; use rand_core::{RngCore, SeedableRng}; use rand_xorshift::XorShiftRng; + use std::ops::{AddAssign, Neg}; #[test] fn test_lookup3_xy() { @@ -203,7 +205,7 @@ mod test { ]); for _ in 0..100 { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::new(); let a_val = rng.next_u32() % 2 != 0; let a = Boolean::from(AllocatedBit::alloc(cs.namespace(|| "a"), Some(a_val)).unwrap()); @@ -248,7 +250,7 @@ mod test { ]); for _ in 0..100 { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::new(); let a_val = rng.next_u32() % 2 != 0; let a = Boolean::from(AllocatedBit::alloc(cs.namespace(|| "a"), Some(a_val)).unwrap()); @@ -300,7 +302,7 @@ mod test { .map(|_| Fr::random(&mut rng)) .collect(); - synth::(window_size, &constants, &mut assignment); + synth(window_size, &constants, &mut assignment); for b in 0..(1 << window_size) { let mut acc = Fr::zero(); diff --git a/bellman/src/gadgets/multieq.rs b/bellman/src/gadgets/multieq.rs index 37b2d9429..b2bc151cb 100644 --- a/bellman/src/gadgets/multieq.rs +++ b/bellman/src/gadgets/multieq.rs @@ -1,16 +1,16 @@ -use ff::{Field, PrimeField, ScalarEngine}; +use ff::PrimeField; use crate::{ConstraintSystem, LinearCombination, SynthesisError, Variable}; -pub struct MultiEq> { +pub struct MultiEq> { cs: CS, ops: usize, bits_used: usize, - lhs: LinearCombination, - rhs: LinearCombination, + lhs: LinearCombination, + rhs: LinearCombination, } -impl> MultiEq { +impl> MultiEq { pub fn new(cs: CS) -> Self { MultiEq { cs, @@ -40,17 +40,17 @@ impl> MultiEq { pub fn enforce_equal( &mut self, num_bits: usize, - lhs: &LinearCombination, - rhs: &LinearCombination, + lhs: &LinearCombination, + rhs: &LinearCombination, ) { // Check if we will exceed the capacity - if (E::Fr::CAPACITY as usize) <= (self.bits_used + num_bits) { + if (Scalar::CAPACITY as usize) <= (self.bits_used + num_bits) { self.accumulate(); } - assert!((E::Fr::CAPACITY as usize) > (self.bits_used + num_bits)); + assert!((Scalar::CAPACITY as usize) > (self.bits_used + num_bits)); - let coeff = E::Fr::from_str("2") + let coeff = Scalar::from_str("2") .unwrap() .pow_vartime(&[self.bits_used as u64]); self.lhs = self.lhs.clone() + (coeff, lhs); @@ -59,7 +59,7 @@ impl> MultiEq { } } -impl> Drop for MultiEq { +impl> Drop for MultiEq { fn drop(&mut self) { if self.bits_used > 0 { self.accumulate(); @@ -67,7 +67,9 @@ impl> Drop for MultiEq { } } -impl> ConstraintSystem for MultiEq { +impl> ConstraintSystem + for MultiEq +{ type Root = Self; fn one() -> Variable { @@ -76,7 +78,7 @@ impl> ConstraintSystem for MultiEq(&mut self, annotation: A, f: F) -> Result where - F: FnOnce() -> Result, + F: FnOnce() -> Result, A: FnOnce() -> AR, AR: Into, { @@ -85,7 +87,7 @@ impl> ConstraintSystem for MultiEq(&mut self, annotation: A, f: F) -> Result where - F: FnOnce() -> Result, + F: FnOnce() -> Result, A: FnOnce() -> AR, AR: Into, { @@ -96,9 +98,9 @@ impl> ConstraintSystem for MultiEq AR, AR: Into, - LA: FnOnce(LinearCombination) -> LinearCombination, - LB: FnOnce(LinearCombination) -> LinearCombination, - LC: FnOnce(LinearCombination) -> LinearCombination, + LA: FnOnce(LinearCombination) -> LinearCombination, + LB: FnOnce(LinearCombination) -> LinearCombination, + LC: FnOnce(LinearCombination) -> LinearCombination, { self.cs.enforce(annotation, a, b, c) } diff --git a/bellman/src/gadgets/multipack.rs b/bellman/src/gadgets/multipack.rs index 8ee6a1546..b4df2eeab 100644 --- a/bellman/src/gadgets/multipack.rs +++ b/bellman/src/gadgets/multipack.rs @@ -4,19 +4,18 @@ use super::boolean::Boolean; use super::num::Num; use super::Assignment; use crate::{ConstraintSystem, SynthesisError}; -use ff::{Field, PrimeField, ScalarEngine}; -use std::ops::AddAssign; +use ff::PrimeField; /// Takes a sequence of booleans and exposes them as compact /// public inputs -pub fn pack_into_inputs(mut cs: CS, bits: &[Boolean]) -> Result<(), SynthesisError> +pub fn pack_into_inputs(mut cs: CS, bits: &[Boolean]) -> Result<(), SynthesisError> where - E: ScalarEngine, - CS: ConstraintSystem, + Scalar: PrimeField, + CS: ConstraintSystem, { - for (i, bits) in bits.chunks(E::Fr::CAPACITY as usize).enumerate() { - let mut num = Num::::zero(); - let mut coeff = E::Fr::one(); + for (i, bits) in bits.chunks(Scalar::CAPACITY as usize).enumerate() { + let mut num = Num::::zero(); + let mut coeff = Scalar::one(); for bit in bits { num = num.add_bool_with_coeff(CS::one(), bit, coeff); @@ -28,7 +27,7 @@ where // num * 1 = input cs.enforce( || format!("packing constraint {}", i), - |_| num.lc(E::Fr::one()), + |_| num.lc(Scalar::one()), |lc| lc + CS::one(), |lc| lc + input, ); @@ -51,12 +50,12 @@ pub fn bytes_to_bits_le(bytes: &[u8]) -> Vec { .collect() } -pub fn compute_multipacking(bits: &[bool]) -> Vec { +pub fn compute_multipacking(bits: &[bool]) -> Vec { let mut result = vec![]; - for bits in bits.chunks(E::Fr::CAPACITY as usize) { - let mut cur = E::Fr::zero(); - let mut coeff = E::Fr::one(); + for bits in bits.chunks(Scalar::CAPACITY as usize) { + let mut cur = Scalar::zero(); + let mut coeff = Scalar::one(); for bit in bits { if *bit { @@ -75,7 +74,7 @@ pub fn compute_multipacking(bits: &[bool]) -> Vec { #[test] fn test_multipacking() { use crate::ConstraintSystem; - use pairing::bls12_381::Bls12; + use pairing::bls12_381::Fr; use rand_core::{RngCore, SeedableRng}; use rand_xorshift::XorShiftRng; @@ -88,7 +87,7 @@ fn test_multipacking() { ]); for num_bits in 0..1500 { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::::new(); let bits: Vec = (0..num_bits).map(|_| rng.next_u32() % 2 != 0).collect(); @@ -102,7 +101,7 @@ fn test_multipacking() { }) .collect::>(); - let expected_inputs = compute_multipacking::(&bits); + let expected_inputs = compute_multipacking(&bits); pack_into_inputs(cs.namespace(|| "pack"), &circuit_bits).unwrap(); diff --git a/bellman/src/gadgets/num.rs b/bellman/src/gadgets/num.rs index 236689d2b..7f94d93ea 100644 --- a/bellman/src/gadgets/num.rs +++ b/bellman/src/gadgets/num.rs @@ -1,7 +1,6 @@ //! Gadgets representing numbers in the scalar field of the underlying curve. -use ff::{BitIterator, Field, PrimeField, ScalarEngine}; -use std::ops::{AddAssign, MulAssign}; +use ff::{BitIterator, PrimeField}; use crate::{ConstraintSystem, LinearCombination, SynthesisError, Variable}; @@ -9,12 +8,12 @@ use super::Assignment; use super::boolean::{self, AllocatedBit, Boolean}; -pub struct AllocatedNum { - value: Option, +pub struct AllocatedNum { + value: Option, variable: Variable, } -impl Clone for AllocatedNum { +impl Clone for AllocatedNum { fn clone(&self) -> Self { AllocatedNum { value: self.value, @@ -23,11 +22,11 @@ impl Clone for AllocatedNum { } } -impl AllocatedNum { +impl AllocatedNum { pub fn alloc(mut cs: CS, value: F) -> Result where - CS: ConstraintSystem, - F: FnOnce() -> Result, + CS: ConstraintSystem, + F: FnOnce() -> Result, { let mut new_value = None; let var = cs.alloc( @@ -49,7 +48,7 @@ impl AllocatedNum { pub fn inputize(&self, mut cs: CS) -> Result<(), SynthesisError> where - CS: ConstraintSystem, + CS: ConstraintSystem, { let input = cs.alloc_input(|| "input variable", || Ok(*self.value.get()?))?; @@ -70,15 +69,15 @@ impl AllocatedNum { /// congruency is not allowed.) pub fn to_bits_le_strict(&self, mut cs: CS) -> Result, SynthesisError> where - CS: ConstraintSystem, + CS: ConstraintSystem, { - pub fn kary_and( + pub fn kary_and( mut cs: CS, v: &[AllocatedBit], ) -> Result where - E: ScalarEngine, - CS: ConstraintSystem, + Scalar: PrimeField, + CS: ConstraintSystem, { assert!(!v.is_empty()); @@ -104,7 +103,7 @@ impl AllocatedNum { // We want to ensure that the bit representation of a is // less than or equal to r - 1. let mut a = self.value.map(|e| BitIterator::::new(e.to_repr())); - let b = (-E::Fr::one()).to_repr(); + let b = (-Scalar::one()).to_repr(); let mut result = vec![]; @@ -171,7 +170,7 @@ impl AllocatedNum { // However, now we have to unpack self! let mut lc = LinearCombination::zero(); - let mut coeff = E::Fr::one(); + let mut coeff = Scalar::one(); for bit in result.iter().rev() { lc = lc + (coeff, bit.get_variable()); @@ -192,12 +191,12 @@ impl AllocatedNum { /// "in the field." pub fn to_bits_le(&self, mut cs: CS) -> Result, SynthesisError> where - CS: ConstraintSystem, + CS: ConstraintSystem, { let bits = boolean::field_into_allocated_bits_le(&mut cs, self.value)?; let mut lc = LinearCombination::zero(); - let mut coeff = E::Fr::one(); + let mut coeff = Scalar::one(); for bit in bits.iter() { lc = lc + (coeff, bit.get_variable()); @@ -214,7 +213,7 @@ impl AllocatedNum { pub fn mul(&self, mut cs: CS, other: &Self) -> Result where - CS: ConstraintSystem, + CS: ConstraintSystem, { let mut value = None; @@ -246,7 +245,7 @@ impl AllocatedNum { pub fn square(&self, mut cs: CS) -> Result where - CS: ConstraintSystem, + CS: ConstraintSystem, { let mut value = None; @@ -277,7 +276,7 @@ impl AllocatedNum { pub fn assert_nonzero(&self, mut cs: CS) -> Result<(), SynthesisError> where - CS: ConstraintSystem, + CS: ConstraintSystem, { let inv = cs.alloc( || "ephemeral inverse", @@ -315,7 +314,7 @@ impl AllocatedNum { condition: &Boolean, ) -> Result<(Self, Self), SynthesisError> where - CS: ConstraintSystem, + CS: ConstraintSystem, { let c = Self::alloc(cs.namespace(|| "conditional reversal result 1"), || { if *condition.get_value().get()? { @@ -328,7 +327,7 @@ impl AllocatedNum { cs.enforce( || "first conditional reversal", |lc| lc + a.variable - b.variable, - |_| condition.lc(CS::one(), E::Fr::one()), + |_| condition.lc(CS::one(), Scalar::one()), |lc| lc + a.variable - c.variable, ); @@ -343,14 +342,14 @@ impl AllocatedNum { cs.enforce( || "second conditional reversal", |lc| lc + b.variable - a.variable, - |_| condition.lc(CS::one(), E::Fr::one()), + |_| condition.lc(CS::one(), Scalar::one()), |lc| lc + b.variable - d.variable, ); Ok((c, d)) } - pub fn get_value(&self) -> Option { + pub fn get_value(&self) -> Option { self.value } @@ -359,37 +358,37 @@ impl AllocatedNum { } } -pub struct Num { - value: Option, - lc: LinearCombination, +pub struct Num { + value: Option, + lc: LinearCombination, } -impl From> for Num { - fn from(num: AllocatedNum) -> Num { +impl From> for Num { + fn from(num: AllocatedNum) -> Num { Num { value: num.value, - lc: LinearCombination::::zero() + num.variable, + lc: LinearCombination::::zero() + num.variable, } } } -impl Num { +impl Num { pub fn zero() -> Self { Num { - value: Some(E::Fr::zero()), + value: Some(Scalar::zero()), lc: LinearCombination::zero(), } } - pub fn get_value(&self) -> Option { + pub fn get_value(&self) -> Option { self.value } - pub fn lc(&self, coeff: E::Fr) -> LinearCombination { + pub fn lc(&self, coeff: Scalar) -> LinearCombination { LinearCombination::zero() + (coeff, &self.lc) } - pub fn add_bool_with_coeff(self, one: Variable, bit: &Boolean, coeff: E::Fr) -> Self { + pub fn add_bool_with_coeff(self, one: Variable, bit: &Boolean, coeff: Scalar) -> Self { let newval = match (self.value, bit.get_value()) { (Some(mut curval), Some(bval)) => { if bval { @@ -412,7 +411,7 @@ impl Num { mod test { use crate::ConstraintSystem; use ff::{BitIterator, Field, PrimeField}; - use pairing::bls12_381::{Bls12, Fr}; + use pairing::bls12_381::Fr; use rand_core::SeedableRng; use rand_xorshift::XorShiftRng; use std::ops::{Neg, SubAssign}; @@ -422,7 +421,7 @@ mod test { #[test] fn test_allocated_num() { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::new(); AllocatedNum::alloc(&mut cs, || Ok(Fr::one())).unwrap(); @@ -431,7 +430,7 @@ mod test { #[test] fn test_num_squaring() { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::new(); let n = AllocatedNum::alloc(&mut cs, || Ok(Fr::from_str("3").unwrap())).unwrap(); let n2 = n.square(&mut cs).unwrap(); @@ -445,7 +444,7 @@ mod test { #[test] fn test_num_multiplication() { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::new(); let n = AllocatedNum::alloc(cs.namespace(|| "a"), || Ok(Fr::from_str("12").unwrap())).unwrap(); @@ -467,7 +466,7 @@ mod test { 0xbc, 0xe5, ]); { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::new(); let a = AllocatedNum::alloc(cs.namespace(|| "a"), || Ok(Fr::random(&mut rng))).unwrap(); let b = AllocatedNum::alloc(cs.namespace(|| "b"), || Ok(Fr::random(&mut rng))).unwrap(); @@ -481,7 +480,7 @@ mod test { } { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::new(); let a = AllocatedNum::alloc(cs.namespace(|| "a"), || Ok(Fr::random(&mut rng))).unwrap(); let b = AllocatedNum::alloc(cs.namespace(|| "b"), || Ok(Fr::random(&mut rng))).unwrap(); @@ -498,7 +497,7 @@ mod test { #[test] fn test_num_nonzero() { { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::new(); let n = AllocatedNum::alloc(&mut cs, || Ok(Fr::from_str("3").unwrap())).unwrap(); n.assert_nonzero(&mut cs).unwrap(); @@ -508,7 +507,7 @@ mod test { assert!(cs.which_is_unsatisfied() == Some("nonzero assertion constraint")); } { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::new(); let n = AllocatedNum::alloc(&mut cs, || Ok(Fr::zero())).unwrap(); assert!(n.assert_nonzero(&mut cs).is_err()); @@ -519,7 +518,7 @@ mod test { fn test_into_bits_strict() { let negone = Fr::one().neg(); - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::new(); let n = AllocatedNum::alloc(&mut cs, || Ok(negone)).unwrap(); n.to_bits_le_strict(&mut cs).unwrap(); @@ -545,7 +544,7 @@ mod test { for i in 0..200 { let r = Fr::random(&mut rng); - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::new(); let n = AllocatedNum::alloc(&mut cs, || Ok(r)).unwrap(); diff --git a/bellman/src/gadgets/sha256.rs b/bellman/src/gadgets/sha256.rs index 1be898e0d..2db3e6ce1 100644 --- a/bellman/src/gadgets/sha256.rs +++ b/bellman/src/gadgets/sha256.rs @@ -7,7 +7,7 @@ use super::boolean::Boolean; use super::multieq::MultiEq; use super::uint32::UInt32; use crate::{ConstraintSystem, SynthesisError}; -use ff::ScalarEngine; +use ff::PrimeField; #[allow(clippy::unreadable_literal)] const ROUND_CONSTANTS: [u32; 64] = [ @@ -26,13 +26,13 @@ const IV: [u32; 8] = [ 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19, ]; -pub fn sha256_block_no_padding( +pub fn sha256_block_no_padding( mut cs: CS, input: &[Boolean], ) -> Result, SynthesisError> where - E: ScalarEngine, - CS: ConstraintSystem, + Scalar: PrimeField, + CS: ConstraintSystem, { assert_eq!(input.len(), 512); @@ -44,10 +44,10 @@ where ) } -pub fn sha256(mut cs: CS, input: &[Boolean]) -> Result, SynthesisError> +pub fn sha256(mut cs: CS, input: &[Boolean]) -> Result, SynthesisError> where - E: ScalarEngine, - CS: ConstraintSystem, + Scalar: PrimeField, + CS: ConstraintSystem, { assert!(input.len() % 8 == 0); @@ -77,14 +77,14 @@ fn get_sha256_iv() -> Vec { IV.iter().map(|&v| UInt32::constant(v)).collect() } -fn sha256_compression_function( +fn sha256_compression_function( cs: CS, input: &[Boolean], current_hash_value: &[UInt32], ) -> Result, SynthesisError> where - E: ScalarEngine, - CS: ConstraintSystem, + Scalar: PrimeField, + CS: ConstraintSystem, { assert_eq!(input.len(), 512); assert_eq!(current_hash_value.len(), 8); @@ -128,11 +128,11 @@ where } impl Maybe { - fn compute(self, cs: M, others: &[UInt32]) -> Result + fn compute(self, cs: M, others: &[UInt32]) -> Result where - E: ScalarEngine, - CS: ConstraintSystem, - M: ConstraintSystem>, + Scalar: PrimeField, + CS: ConstraintSystem, + M: ConstraintSystem>, { Ok(match self { Maybe::Concrete(ref v) => return Ok(v.clone()), @@ -274,7 +274,7 @@ mod test { use crate::gadgets::boolean::AllocatedBit; use crate::gadgets::test::TestConstraintSystem; use hex_literal::hex; - use pairing::bls12_381::Bls12; + use pairing::bls12_381::Fr; use rand_core::{RngCore, SeedableRng}; use rand_xorshift::XorShiftRng; @@ -282,7 +282,7 @@ mod test { fn test_blank_hash() { let iv = get_sha256_iv(); - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::::new(); let mut input_bits: Vec<_> = (0..512).map(|_| Boolean::Constant(false)).collect(); input_bits[0] = Boolean::Constant(true); let out = sha256_compression_function(&mut cs, &input_bits, &iv).unwrap(); @@ -312,7 +312,7 @@ mod test { let iv = get_sha256_iv(); - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::::new(); let input_bits: Vec<_> = (0..512) .map(|i| { Boolean::from( @@ -346,7 +346,7 @@ mod test { h.input(&data); let hash_result = h.result(); - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::::new(); let mut input_bits = vec![]; for (byte_i, input_byte) in data.into_iter().enumerate() { diff --git a/bellman/src/gadgets/test/mod.rs b/bellman/src/gadgets/test/mod.rs index be7214ea2..c1395b10b 100644 --- a/bellman/src/gadgets/test/mod.rs +++ b/bellman/src/gadgets/test/mod.rs @@ -1,12 +1,11 @@ //! Helpers for testing circuit implementations. -use ff::{Endianness, Field, PrimeField, ScalarEngine}; +use ff::{Endianness, PrimeField}; use crate::{ConstraintSystem, Index, LinearCombination, SynthesisError, Variable}; use std::collections::HashMap; use std::fmt::Write; -use std::ops::{AddAssign, MulAssign, Neg}; use byteorder::{BigEndian, ByteOrder}; use std::cmp::Ordering; @@ -22,17 +21,17 @@ enum NamedObject { } /// Constraint system for testing purposes. -pub struct TestConstraintSystem { +pub struct TestConstraintSystem { named_objects: HashMap, current_namespace: Vec, constraints: Vec<( - LinearCombination, - LinearCombination, - LinearCombination, + LinearCombination, + LinearCombination, + LinearCombination, String, )>, - inputs: Vec<(E::Fr, String)>, - aux: Vec<(E::Fr, String)>, + inputs: Vec<(Scalar, String)>, + aux: Vec<(Scalar, String)>, } #[derive(Clone, Copy)] @@ -64,11 +63,11 @@ impl Ord for OrderedVariable { } } -fn proc_lc(terms: &[(Variable, E::Fr)]) -> BTreeMap { +fn proc_lc(terms: &[(Variable, Scalar)]) -> BTreeMap { let mut map = BTreeMap::new(); for &(var, coeff) in terms { map.entry(OrderedVariable(var)) - .or_insert_with(E::Fr::zero) + .or_insert_with(Scalar::zero) .add_assign(&coeff); } @@ -87,8 +86,8 @@ fn proc_lc(terms: &[(Variable, E::Fr)]) -> BTreeMap(terms: &[(Variable, E::Fr)], h: &mut Blake2sState) { - let map = proc_lc::(terms); +fn hash_lc(terms: &[(Variable, Scalar)], h: &mut Blake2sState) { + let map = proc_lc::(terms); let mut buf = [0u8; 9 + 32]; BigEndian::write_u64(&mut buf[0..8], map.len() as u64); @@ -107,7 +106,7 @@ fn hash_lc(terms: &[(Variable, E::Fr)], h: &mut Blake2sState) { } let mut coeff_repr = coeff.to_repr(); - ::ReprEndianness::toggle_little_endian(&mut coeff_repr); + ::ReprEndianness::toggle_little_endian(&mut coeff_repr); let coeff_be: Vec<_> = coeff_repr.as_ref().iter().cloned().rev().collect(); buf[9..].copy_from_slice(&coeff_be[..]); @@ -115,12 +114,12 @@ fn hash_lc(terms: &[(Variable, E::Fr)], h: &mut Blake2sState) { } } -fn eval_lc( - terms: &[(Variable, E::Fr)], - inputs: &[(E::Fr, String)], - aux: &[(E::Fr, String)], -) -> E::Fr { - let mut acc = E::Fr::zero(); +fn eval_lc( + terms: &[(Variable, Scalar)], + inputs: &[(Scalar, String)], + aux: &[(Scalar, String)], +) -> Scalar { + let mut acc = Scalar::zero(); for &(var, ref coeff) in terms { let mut tmp = match var.get_unchecked() { @@ -128,26 +127,26 @@ fn eval_lc( Index::Aux(index) => aux[index].0, }; - tmp.mul_assign(&coeff); + tmp.mul_assign(coeff); acc.add_assign(&tmp); } acc } -impl TestConstraintSystem { - pub fn new() -> TestConstraintSystem { +impl TestConstraintSystem { + pub fn new() -> TestConstraintSystem { let mut map = HashMap::new(); map.insert( "ONE".into(), - NamedObject::Var(TestConstraintSystem::::one()), + NamedObject::Var(TestConstraintSystem::::one()), ); TestConstraintSystem { named_objects: map, current_namespace: vec![], constraints: vec![], - inputs: vec![(E::Fr::one(), "ONE".into())], + inputs: vec![(Scalar::one(), "ONE".into())], aux: vec![], } } @@ -155,16 +154,16 @@ impl TestConstraintSystem { pub fn pretty_print(&self) -> String { let mut s = String::new(); - let negone = E::Fr::one().neg(); + let negone = Scalar::one().neg(); - let powers_of_two = (0..E::Fr::NUM_BITS) - .map(|i| E::Fr::from_str("2").unwrap().pow_vartime(&[u64::from(i)])) + let powers_of_two = (0..Scalar::NUM_BITS) + .map(|i| Scalar::from_str("2").unwrap().pow_vartime(&[u64::from(i)])) .collect::>(); - let pp = |s: &mut String, lc: &LinearCombination| { + let pp = |s: &mut String, lc: &LinearCombination| { write!(s, "(").unwrap(); let mut is_first = true; - for (var, coeff) in proc_lc::(lc.as_ref()) { + for (var, coeff) in proc_lc::(lc.as_ref()) { if coeff == negone { write!(s, " - ").unwrap(); } else if !is_first { @@ -172,7 +171,7 @@ impl TestConstraintSystem { } is_first = false; - if coeff != E::Fr::one() && coeff != negone { + if coeff != Scalar::one() && coeff != negone { for (i, x) in powers_of_two.iter().enumerate() { if x == &coeff { write!(s, "2^{} . ", i).unwrap(); @@ -227,9 +226,9 @@ impl TestConstraintSystem { } for constraint in &self.constraints { - hash_lc::(constraint.0.as_ref(), &mut h); - hash_lc::(constraint.1.as_ref(), &mut h); - hash_lc::(constraint.2.as_ref(), &mut h); + hash_lc::(constraint.0.as_ref(), &mut h); + hash_lc::(constraint.1.as_ref(), &mut h); + hash_lc::(constraint.2.as_ref(), &mut h); } let mut s = String::new(); @@ -242,9 +241,9 @@ impl TestConstraintSystem { pub fn which_is_unsatisfied(&self) -> Option<&str> { for &(ref a, ref b, ref c, ref path) in &self.constraints { - let mut a = eval_lc::(a.as_ref(), &self.inputs, &self.aux); - let b = eval_lc::(b.as_ref(), &self.inputs, &self.aux); - let c = eval_lc::(c.as_ref(), &self.inputs, &self.aux); + let mut a = eval_lc::(a.as_ref(), &self.inputs, &self.aux); + let b = eval_lc::(b.as_ref(), &self.inputs, &self.aux); + let c = eval_lc::(c.as_ref(), &self.inputs, &self.aux); a.mul_assign(&b); @@ -264,7 +263,7 @@ impl TestConstraintSystem { self.constraints.len() } - pub fn set(&mut self, path: &str, to: E::Fr) { + pub fn set(&mut self, path: &str, to: Scalar) { match self.named_objects.get(path) { Some(&NamedObject::Var(ref v)) => match v.get_unchecked() { Index::Input(index) => self.inputs[index].0 = to, @@ -278,7 +277,7 @@ impl TestConstraintSystem { } } - pub fn verify(&self, expected: &[E::Fr]) -> bool { + pub fn verify(&self, expected: &[Scalar]) -> bool { assert_eq!(expected.len() + 1, self.inputs.len()); for (a, b) in self.inputs.iter().skip(1).zip(expected.iter()) { @@ -294,7 +293,7 @@ impl TestConstraintSystem { self.inputs.len() } - pub fn get_input(&mut self, index: usize, path: &str) -> E::Fr { + pub fn get_input(&mut self, index: usize, path: &str) -> Scalar { let (assignment, name) = self.inputs[index].clone(); assert_eq!(path, name); @@ -302,7 +301,7 @@ impl TestConstraintSystem { assignment } - pub fn get(&mut self, path: &str) -> E::Fr { + pub fn get(&mut self, path: &str) -> Scalar { match self.named_objects.get(path) { Some(&NamedObject::Var(ref v)) => match v.get_unchecked() { Index::Input(index) => self.inputs[index].0, @@ -345,12 +344,12 @@ fn compute_path(ns: &[String], this: String) -> String { name } -impl ConstraintSystem for TestConstraintSystem { +impl ConstraintSystem for TestConstraintSystem { type Root = Self; fn alloc(&mut self, annotation: A, f: F) -> Result where - F: FnOnce() -> Result, + F: FnOnce() -> Result, A: FnOnce() -> AR, AR: Into, { @@ -365,7 +364,7 @@ impl ConstraintSystem for TestConstraintSystem { fn alloc_input(&mut self, annotation: A, f: F) -> Result where - F: FnOnce() -> Result, + F: FnOnce() -> Result, A: FnOnce() -> AR, AR: Into, { @@ -382,9 +381,9 @@ impl ConstraintSystem for TestConstraintSystem { where A: FnOnce() -> AR, AR: Into, - LA: FnOnce(LinearCombination) -> LinearCombination, - LB: FnOnce(LinearCombination) -> LinearCombination, - LC: FnOnce(LinearCombination) -> LinearCombination, + LA: FnOnce(LinearCombination) -> LinearCombination, + LB: FnOnce(LinearCombination) -> LinearCombination, + LC: FnOnce(LinearCombination) -> LinearCombination, { let path = compute_path(&self.current_namespace, annotation().into()); let index = self.constraints.len(); @@ -419,10 +418,10 @@ impl ConstraintSystem for TestConstraintSystem { #[test] fn test_cs() { - use ff::PrimeField; - use pairing::bls12_381::{Bls12, Fr}; + use ff::{Field, PrimeField}; + use pairing::bls12_381::Fr; - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::new(); assert!(cs.is_satisfied()); assert_eq!(cs.num_constraints(), 0); let a = cs @@ -443,7 +442,7 @@ fn test_cs() { cs.set("a/var", Fr::from_str("4").unwrap()); - let one = TestConstraintSystem::::one(); + let one = TestConstraintSystem::::one(); cs.enforce(|| "eq", |lc| lc + a, |lc| lc + one, |lc| lc + b); assert!(!cs.is_satisfied()); diff --git a/bellman/src/gadgets/uint32.rs b/bellman/src/gadgets/uint32.rs index 16bb65135..a040a2bd6 100644 --- a/bellman/src/gadgets/uint32.rs +++ b/bellman/src/gadgets/uint32.rs @@ -3,7 +3,7 @@ //! //! [`sha256`]: crate::gadgets::sha256 -use ff::{Field, PrimeField, ScalarEngine}; +use ff::PrimeField; use crate::{ConstraintSystem, LinearCombination, SynthesisError}; @@ -43,10 +43,10 @@ impl UInt32 { } /// Allocate a `UInt32` in the constraint system - pub fn alloc(mut cs: CS, value: Option) -> Result + pub fn alloc(mut cs: CS, value: Option) -> Result where - E: ScalarEngine, - CS: ConstraintSystem, + Scalar: PrimeField, + CS: ConstraintSystem, { let values = match value { Some(mut val) => { @@ -189,7 +189,7 @@ impl UInt32 { } } - fn triop( + fn triop( mut cs: CS, a: &Self, b: &Self, @@ -198,8 +198,8 @@ impl UInt32 { circuit_fn: U, ) -> Result where - E: ScalarEngine, - CS: ConstraintSystem, + Scalar: PrimeField, + CS: ConstraintSystem, F: Fn(u32, u32, u32) -> u32, U: Fn(&mut CS, usize, &Boolean, &Boolean, &Boolean) -> Result, { @@ -225,10 +225,15 @@ impl UInt32 { /// Compute the `maj` value (a and b) xor (a and c) xor (b and c) /// during SHA256. - pub fn sha256_maj(cs: CS, a: &Self, b: &Self, c: &Self) -> Result + pub fn sha256_maj( + cs: CS, + a: &Self, + b: &Self, + c: &Self, + ) -> Result where - E: ScalarEngine, - CS: ConstraintSystem, + Scalar: PrimeField, + CS: ConstraintSystem, { Self::triop( cs, @@ -242,10 +247,15 @@ impl UInt32 { /// Compute the `ch` value `(a and b) xor ((not a) and c)` /// during SHA256. - pub fn sha256_ch(cs: CS, a: &Self, b: &Self, c: &Self) -> Result + pub fn sha256_ch( + cs: CS, + a: &Self, + b: &Self, + c: &Self, + ) -> Result where - E: ScalarEngine, - CS: ConstraintSystem, + Scalar: PrimeField, + CS: ConstraintSystem, { Self::triop( cs, @@ -258,10 +268,10 @@ impl UInt32 { } /// XOR this `UInt32` with another `UInt32` - pub fn xor(&self, mut cs: CS, other: &Self) -> Result + pub fn xor(&self, mut cs: CS, other: &Self) -> Result where - E: ScalarEngine, - CS: ConstraintSystem, + Scalar: PrimeField, + CS: ConstraintSystem, { let new_value = match (self.value, other.value) { (Some(a), Some(b)) => Some(a ^ b), @@ -283,15 +293,15 @@ impl UInt32 { } /// Perform modular addition of several `UInt32` objects. - pub fn addmany(mut cs: M, operands: &[Self]) -> Result + pub fn addmany(mut cs: M, operands: &[Self]) -> Result where - E: ScalarEngine, - CS: ConstraintSystem, - M: ConstraintSystem>, + Scalar: PrimeField, + CS: ConstraintSystem, + M: ConstraintSystem>, { // Make some arbitrary bounds for ourselves to avoid overflows // in the scalar field - assert!(E::Fr::NUM_BITS >= 64); + assert!(Scalar::NUM_BITS >= 64); assert!(operands.len() >= 2); // Weird trivial cases that should never happen assert!(operands.len() <= 10); @@ -324,7 +334,7 @@ impl UInt32 { // Iterate over each bit of the operand and add the operand to // the linear combination - let mut coeff = E::Fr::one(); + let mut coeff = Scalar::one(); for bit in &op.bits { lc = lc + &bit.lc(CS::one(), coeff); @@ -352,7 +362,7 @@ impl UInt32 { let mut result_lc = LinearCombination::zero(); // Allocate each bit of the result - let mut coeff = E::Fr::one(); + let mut coeff = Scalar::one(); let mut i = 0; while max_value != 0 { // Allocate the bit @@ -392,7 +402,7 @@ mod test { use crate::gadgets::test::*; use crate::ConstraintSystem; use ff::Field; - use pairing::bls12_381::Bls12; + use pairing::bls12_381::Fr; use rand_core::{RngCore, SeedableRng}; use rand_xorshift::XorShiftRng; @@ -474,7 +484,7 @@ mod test { ]); for _ in 0..1000 { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::::new(); let a = rng.next_u32(); let b = rng.next_u32(); @@ -519,7 +529,7 @@ mod test { ]); for _ in 0..1000 { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::::new(); let a = rng.next_u32(); let b = rng.next_u32(); @@ -562,7 +572,7 @@ mod test { ]); for _ in 0..1000 { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::::new(); let a = rng.next_u32(); let b = rng.next_u32(); @@ -675,7 +685,7 @@ mod test { ]); for _ in 0..1000 { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::::new(); let a = rng.next_u32(); let b = rng.next_u32(); @@ -719,7 +729,7 @@ mod test { ]); for _ in 0..1000 { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::::new(); let a = rng.next_u32(); let b = rng.next_u32(); diff --git a/bellman/src/groth16/generator.rs b/bellman/src/groth16/generator.rs index 7a0e1b0b9..060ff1bec 100644 --- a/bellman/src/groth16/generator.rs +++ b/bellman/src/groth16/generator.rs @@ -2,7 +2,7 @@ use rand_core::RngCore; use std::ops::{AddAssign, MulAssign}; use std::sync::Arc; -use ff::Field; +use ff::{Field, PrimeField}; use group::{CurveAffine, CurveProjective, Group, Wnaf}; use pairing::Engine; @@ -22,7 +22,7 @@ pub fn generate_random_parameters( ) -> Result, SynthesisError> where E: Engine, - C: Circuit, + C: Circuit, R: RngCore, { let g1 = E::G1::random(rng); @@ -38,24 +38,24 @@ where /// This is our assembly structure that we'll use to synthesize the /// circuit into a QAP. -struct KeypairAssembly { +struct KeypairAssembly { num_inputs: usize, num_aux: usize, num_constraints: usize, - at_inputs: Vec>, - bt_inputs: Vec>, - ct_inputs: Vec>, - at_aux: Vec>, - bt_aux: Vec>, - ct_aux: Vec>, + at_inputs: Vec>, + bt_inputs: Vec>, + ct_inputs: Vec>, + at_aux: Vec>, + bt_aux: Vec>, + ct_aux: Vec>, } -impl ConstraintSystem for KeypairAssembly { +impl ConstraintSystem for KeypairAssembly { type Root = Self; fn alloc(&mut self, _: A, _: F) -> Result where - F: FnOnce() -> Result, + F: FnOnce() -> Result, A: FnOnce() -> AR, AR: Into, { @@ -74,7 +74,7 @@ impl ConstraintSystem for KeypairAssembly { fn alloc_input(&mut self, _: A, _: F) -> Result where - F: FnOnce() -> Result, + F: FnOnce() -> Result, A: FnOnce() -> AR, AR: Into, { @@ -95,14 +95,14 @@ impl ConstraintSystem for KeypairAssembly { where A: FnOnce() -> AR, AR: Into, - LA: FnOnce(LinearCombination) -> LinearCombination, - LB: FnOnce(LinearCombination) -> LinearCombination, - LC: FnOnce(LinearCombination) -> LinearCombination, + LA: FnOnce(LinearCombination) -> LinearCombination, + LB: FnOnce(LinearCombination) -> LinearCombination, + LC: FnOnce(LinearCombination) -> LinearCombination, { - fn eval( - l: LinearCombination, - inputs: &mut [Vec<(E::Fr, usize)>], - aux: &mut [Vec<(E::Fr, usize)>], + fn eval( + l: LinearCombination, + inputs: &mut [Vec<(Scalar, usize)>], + aux: &mut [Vec<(Scalar, usize)>], this_constraint: usize, ) { for (index, coeff) in l.0 { @@ -165,7 +165,7 @@ pub fn generate_parameters( ) -> Result, SynthesisError> where E: Engine, - C: Circuit, + C: Circuit, { let mut assembly = KeypairAssembly { num_inputs: 0, @@ -192,7 +192,7 @@ where } // Create bases for blind evaluation of polynomials at tau - let powers_of_tau = vec![Scalar::(E::Fr::zero()); assembly.num_constraints]; + let powers_of_tau = vec![Scalar::(E::Fr::zero()); assembly.num_constraints]; let mut powers_of_tau = EvaluationDomain::from_coeffs(powers_of_tau)?; // Compute G1 window table @@ -302,7 +302,7 @@ where g2_wnaf: &Wnaf>, // Lagrange coefficients for tau - powers_of_tau: &[Scalar], + powers_of_tau: &[Scalar], // QAP polynomials at: &[Vec<(E::Fr, usize)>], @@ -362,11 +362,11 @@ where .zip(bt.iter()) .zip(ct.iter()) { - fn eval_at_tau( - powers_of_tau: &[Scalar], - p: &[(E::Fr, usize)], - ) -> E::Fr { - let mut acc = E::Fr::zero(); + fn eval_at_tau( + powers_of_tau: &[Scalar], + p: &[(S, usize)], + ) -> S { + let mut acc = S::zero(); for &(ref coeff, index) in p { let mut n = powers_of_tau[index].0; @@ -416,7 +416,7 @@ where } // Evaluate for inputs. - eval( + eval::( &g1_wnaf, &g2_wnaf, &powers_of_tau, @@ -434,7 +434,7 @@ where ); // Evaluate for auxiliary variables. - eval( + eval::( &g1_wnaf, &g2_wnaf, &powers_of_tau, diff --git a/bellman/src/groth16/mod.rs b/bellman/src/groth16/mod.rs index a5d8aa522..f9fb17d8b 100644 --- a/bellman/src/groth16/mod.rs +++ b/bellman/src/groth16/mod.rs @@ -479,20 +479,20 @@ mod test_with_bls12_381 { use super::*; use crate::{Circuit, ConstraintSystem, SynthesisError}; - use ff::Field; + use ff::{Field, PrimeField}; use pairing::bls12_381::{Bls12, Fr}; use rand::thread_rng; use std::ops::MulAssign; #[test] fn serialization() { - struct MySillyCircuit { - a: Option, - b: Option, + struct MySillyCircuit { + a: Option, + b: Option, } - impl Circuit for MySillyCircuit { - fn synthesize>( + impl Circuit for MySillyCircuit { + fn synthesize>( self, cs: &mut CS, ) -> Result<(), SynthesisError> { diff --git a/bellman/src/groth16/prover.rs b/bellman/src/groth16/prover.rs index 0052751e9..ff91c2675 100644 --- a/bellman/src/groth16/prover.rs +++ b/bellman/src/groth16/prover.rs @@ -4,7 +4,7 @@ use std::sync::Arc; use futures::Future; -use ff::Field; +use ff::{Field, PrimeField}; use group::{CurveAffine, CurveProjective}; use pairing::Engine; @@ -18,14 +18,14 @@ use crate::multiexp::{multiexp, DensityTracker, FullDensity}; use crate::multicore::Worker; -fn eval( - lc: &LinearCombination, +fn eval( + lc: &LinearCombination, mut input_density: Option<&mut DensityTracker>, mut aux_density: Option<&mut DensityTracker>, - input_assignment: &[E::Fr], - aux_assignment: &[E::Fr], -) -> E::Fr { - let mut acc = E::Fr::zero(); + input_assignment: &[S], + aux_assignment: &[S], +) -> S { + let mut acc = S::zero(); for &(index, coeff) in lc.0.iter() { let mut tmp; @@ -45,7 +45,7 @@ fn eval( } } - if coeff == E::Fr::one() { + if coeff == S::one() { acc.add_assign(&tmp); } else { tmp.mul_assign(&coeff); @@ -56,28 +56,28 @@ fn eval( acc } -struct ProvingAssignment { +struct ProvingAssignment { // Density of queries a_aux_density: DensityTracker, b_input_density: DensityTracker, b_aux_density: DensityTracker, // Evaluations of A, B, C polynomials - a: Vec>, - b: Vec>, - c: Vec>, + a: Vec>, + b: Vec>, + c: Vec>, // Assignments of variables - input_assignment: Vec, - aux_assignment: Vec, + input_assignment: Vec, + aux_assignment: Vec, } -impl ConstraintSystem for ProvingAssignment { +impl ConstraintSystem for ProvingAssignment { type Root = Self; fn alloc(&mut self, _: A, f: F) -> Result where - F: FnOnce() -> Result, + F: FnOnce() -> Result, A: FnOnce() -> AR, AR: Into, { @@ -90,7 +90,7 @@ impl ConstraintSystem for ProvingAssignment { fn alloc_input(&mut self, _: A, f: F) -> Result where - F: FnOnce() -> Result, + F: FnOnce() -> Result, A: FnOnce() -> AR, AR: Into, { @@ -104,9 +104,9 @@ impl ConstraintSystem for ProvingAssignment { where A: FnOnce() -> AR, AR: Into, - LA: FnOnce(LinearCombination) -> LinearCombination, - LB: FnOnce(LinearCombination) -> LinearCombination, - LC: FnOnce(LinearCombination) -> LinearCombination, + LA: FnOnce(LinearCombination) -> LinearCombination, + LB: FnOnce(LinearCombination) -> LinearCombination, + LC: FnOnce(LinearCombination) -> LinearCombination, { let a = a(LinearCombination::zero()); let b = b(LinearCombination::zero()); @@ -166,7 +166,7 @@ pub fn create_random_proof>( ) -> Result, SynthesisError> where E: Engine, - C: Circuit, + C: Circuit, R: RngCore, { let r = E::Fr::random(rng); @@ -183,7 +183,7 @@ pub fn create_proof>( ) -> Result, SynthesisError> where E: Engine, - C: Circuit, + C: Circuit, { let mut prover = ProvingAssignment { a_aux_density: DensityTracker::new(), diff --git a/bellman/src/groth16/tests/mod.rs b/bellman/src/groth16/tests/mod.rs index 276738c85..8038e1721 100644 --- a/bellman/src/groth16/tests/mod.rs +++ b/bellman/src/groth16/tests/mod.rs @@ -1,5 +1,4 @@ use ff::{Field, PrimeField}; -use pairing::Engine; mod dummy_engine; use self::dummy_engine::*; @@ -11,22 +10,22 @@ use crate::{Circuit, ConstraintSystem, SynthesisError}; use super::{create_proof, generate_parameters, prepare_verifying_key, verify_proof}; -struct XORDemo { +struct XORDemo { a: Option, b: Option, - _marker: PhantomData, + _marker: PhantomData, } -impl Circuit for XORDemo { - fn synthesize>(self, cs: &mut CS) -> Result<(), SynthesisError> { +impl Circuit for XORDemo { + fn synthesize>(self, cs: &mut CS) -> Result<(), SynthesisError> { let a_var = cs.alloc( || "a", || { if self.a.is_some() { if self.a.unwrap() { - Ok(E::Fr::one()) + Ok(Scalar::one()) } else { - Ok(E::Fr::zero()) + Ok(Scalar::zero()) } } else { Err(SynthesisError::AssignmentMissing) @@ -46,9 +45,9 @@ impl Circuit for XORDemo { || { if self.b.is_some() { if self.b.unwrap() { - Ok(E::Fr::one()) + Ok(Scalar::one()) } else { - Ok(E::Fr::zero()) + Ok(Scalar::zero()) } } else { Err(SynthesisError::AssignmentMissing) @@ -68,9 +67,9 @@ impl Circuit for XORDemo { || { if self.a.is_some() && self.b.is_some() { if self.a.unwrap() ^ self.b.unwrap() { - Ok(E::Fr::one()) + Ok(Scalar::one()) } else { - Ok(E::Fr::zero()) + Ok(Scalar::zero()) } } else { Err(SynthesisError::AssignmentMissing) @@ -100,13 +99,13 @@ fn test_xordemo() { let tau = Fr::from_str("3673").unwrap(); let params = { - let c = XORDemo:: { + let c = XORDemo { a: None, b: None, _marker: PhantomData, }; - generate_parameters(c, g1, g2, alpha, beta, gamma, delta, tau).unwrap() + generate_parameters::(c, g1, g2, alpha, beta, gamma, delta, tau).unwrap() }; // This will synthesize the constraint system: diff --git a/bellman/src/lib.rs b/bellman/src/lib.rs index 4c6c7eaf8..6412a928b 100644 --- a/bellman/src/lib.rs +++ b/bellman/src/lib.rs @@ -22,12 +22,13 @@ //! }, //! groth16, Circuit, ConstraintSystem, SynthesisError, //! }; +//! use ff::PrimeField; //! use pairing::{bls12_381::Bls12, Engine}; //! use rand::rngs::OsRng; //! use sha2::{Digest, Sha256}; //! //! /// Our own SHA-256d gadget. Input and output are in little-endian bit order. -//! fn sha256d>( +//! fn sha256d>( //! mut cs: CS, //! data: &[Boolean], //! ) -> Result, SynthesisError> { @@ -57,8 +58,8 @@ //! preimage: Option<[u8; 80]>, //! } //! -//! impl Circuit for MyCircuit { -//! fn synthesize>(self, cs: &mut CS) -> Result<(), SynthesisError> { +//! impl Circuit for MyCircuit { +//! fn synthesize>(self, cs: &mut CS) -> Result<(), SynthesisError> { //! // Compute the values for the bits of the preimage. If we are verifying a proof, //! // we still need to create the same constraints, so we return an equivalent-size //! // Vec of None (indicating that the value of each bit is unknown). @@ -118,7 +119,7 @@ //! //! // Pack the hash as inputs for proof verification. //! let hash_bits = multipack::bytes_to_bits_le(&hash); -//! let inputs = multipack::compute_multipacking::(&hash_bits); +//! let inputs = multipack::compute_multipacking(&hash_bits); //! //! // Check the proof! //! assert!(groth16::verify_proof(&pvk, &proof, &inputs).unwrap()); @@ -142,21 +143,21 @@ pub mod groth16; pub mod multicore; mod multiexp; -use ff::{Field, ScalarEngine}; +use ff::PrimeField; use std::error::Error; use std::fmt; use std::io; use std::marker::PhantomData; -use std::ops::{Add, MulAssign, Neg, Sub}; +use std::ops::{Add, Sub}; /// Computations are expressed in terms of arithmetic circuits, in particular /// rank-1 quadratic constraint systems. The `Circuit` trait represents a /// circuit that can be synthesized. The `synthesize` method is called during /// CRS generation and during proving. -pub trait Circuit { +pub trait Circuit { /// Synthesize the circuit into a rank-1 quadratic constraint system - fn synthesize>(self, cs: &mut CS) -> Result<(), SynthesisError>; + fn synthesize>(self, cs: &mut CS) -> Result<(), SynthesisError>; } /// Represents a variable in our constraint system. @@ -188,59 +189,59 @@ pub enum Index { /// This represents a linear combination of some variables, with coefficients /// in the scalar field of a pairing-friendly elliptic curve group. #[derive(Clone)] -pub struct LinearCombination(Vec<(Variable, E::Fr)>); +pub struct LinearCombination(Vec<(Variable, Scalar)>); -impl AsRef<[(Variable, E::Fr)]> for LinearCombination { - fn as_ref(&self) -> &[(Variable, E::Fr)] { +impl AsRef<[(Variable, Scalar)]> for LinearCombination { + fn as_ref(&self) -> &[(Variable, Scalar)] { &self.0 } } -impl LinearCombination { - pub fn zero() -> LinearCombination { +impl LinearCombination { + pub fn zero() -> LinearCombination { LinearCombination(vec![]) } } -impl Add<(E::Fr, Variable)> for LinearCombination { - type Output = LinearCombination; +impl Add<(Scalar, Variable)> for LinearCombination { + type Output = LinearCombination; - fn add(mut self, (coeff, var): (E::Fr, Variable)) -> LinearCombination { + fn add(mut self, (coeff, var): (Scalar, Variable)) -> LinearCombination { self.0.push((var, coeff)); self } } -impl Sub<(E::Fr, Variable)> for LinearCombination { - type Output = LinearCombination; +impl Sub<(Scalar, Variable)> for LinearCombination { + type Output = LinearCombination; #[allow(clippy::suspicious_arithmetic_impl)] - fn sub(self, (coeff, var): (E::Fr, Variable)) -> LinearCombination { + fn sub(self, (coeff, var): (Scalar, Variable)) -> LinearCombination { self + (coeff.neg(), var) } } -impl Add for LinearCombination { - type Output = LinearCombination; +impl Add for LinearCombination { + type Output = LinearCombination; - fn add(self, other: Variable) -> LinearCombination { - self + (E::Fr::one(), other) + fn add(self, other: Variable) -> LinearCombination { + self + (Scalar::one(), other) } } -impl Sub for LinearCombination { - type Output = LinearCombination; +impl Sub for LinearCombination { + type Output = LinearCombination; - fn sub(self, other: Variable) -> LinearCombination { - self - (E::Fr::one(), other) + fn sub(self, other: Variable) -> LinearCombination { + self - (Scalar::one(), other) } } -impl<'a, E: ScalarEngine> Add<&'a LinearCombination> for LinearCombination { - type Output = LinearCombination; +impl<'a, Scalar: PrimeField> Add<&'a LinearCombination> for LinearCombination { + type Output = LinearCombination; - fn add(mut self, other: &'a LinearCombination) -> LinearCombination { + fn add(mut self, other: &'a LinearCombination) -> LinearCombination { for s in &other.0 { self = self + (s.1, s.0); } @@ -249,10 +250,10 @@ impl<'a, E: ScalarEngine> Add<&'a LinearCombination> for LinearCombination } } -impl<'a, E: ScalarEngine> Sub<&'a LinearCombination> for LinearCombination { - type Output = LinearCombination; +impl<'a, Scalar: PrimeField> Sub<&'a LinearCombination> for LinearCombination { + type Output = LinearCombination; - fn sub(mut self, other: &'a LinearCombination) -> LinearCombination { + fn sub(mut self, other: &'a LinearCombination) -> LinearCombination { for s in &other.0 { self = self - (s.1, s.0); } @@ -261,10 +262,15 @@ impl<'a, E: ScalarEngine> Sub<&'a LinearCombination> for LinearCombination } } -impl<'a, E: ScalarEngine> Add<(E::Fr, &'a LinearCombination)> for LinearCombination { - type Output = LinearCombination; +impl<'a, Scalar: PrimeField> Add<(Scalar, &'a LinearCombination)> + for LinearCombination +{ + type Output = LinearCombination; - fn add(mut self, (coeff, other): (E::Fr, &'a LinearCombination)) -> LinearCombination { + fn add( + mut self, + (coeff, other): (Scalar, &'a LinearCombination), + ) -> LinearCombination { for s in &other.0 { let mut tmp = s.1; tmp.mul_assign(&coeff); @@ -275,10 +281,15 @@ impl<'a, E: ScalarEngine> Add<(E::Fr, &'a LinearCombination)> for LinearCombi } } -impl<'a, E: ScalarEngine> Sub<(E::Fr, &'a LinearCombination)> for LinearCombination { - type Output = LinearCombination; +impl<'a, Scalar: PrimeField> Sub<(Scalar, &'a LinearCombination)> + for LinearCombination +{ + type Output = LinearCombination; - fn sub(mut self, (coeff, other): (E::Fr, &'a LinearCombination)) -> LinearCombination { + fn sub( + mut self, + (coeff, other): (Scalar, &'a LinearCombination), + ) -> LinearCombination { for s in &other.0 { let mut tmp = s.1; tmp.mul_assign(&coeff); @@ -347,10 +358,10 @@ impl fmt::Display for SynthesisError { /// Represents a constraint system which can have new variables /// allocated and constrains between them formed. -pub trait ConstraintSystem: Sized { +pub trait ConstraintSystem: Sized { /// Represents the type of the "root" of this constraint system /// so that nested namespaces can minimize indirection. - type Root: ConstraintSystem; + type Root: ConstraintSystem; /// Return the "one" input variable fn one() -> Variable { @@ -363,7 +374,7 @@ pub trait ConstraintSystem: Sized { /// namespace. fn alloc(&mut self, annotation: A, f: F) -> Result where - F: FnOnce() -> Result, + F: FnOnce() -> Result, A: FnOnce() -> AR, AR: Into; @@ -371,7 +382,7 @@ pub trait ConstraintSystem: Sized { /// determine the assignment of the variable. fn alloc_input(&mut self, annotation: A, f: F) -> Result where - F: FnOnce() -> Result, + F: FnOnce() -> Result, A: FnOnce() -> AR, AR: Into; @@ -381,9 +392,9 @@ pub trait ConstraintSystem: Sized { where A: FnOnce() -> AR, AR: Into, - LA: FnOnce(LinearCombination) -> LinearCombination, - LB: FnOnce(LinearCombination) -> LinearCombination, - LC: FnOnce(LinearCombination) -> LinearCombination; + LA: FnOnce(LinearCombination) -> LinearCombination, + LB: FnOnce(LinearCombination) -> LinearCombination, + LC: FnOnce(LinearCombination) -> LinearCombination; /// Create a new (sub)namespace and enter into it. Not intended /// for downstream use; use `namespace` instead. @@ -401,7 +412,7 @@ pub trait ConstraintSystem: Sized { fn get_root(&mut self) -> &mut Self::Root; /// Begin a namespace for this constraint system. - fn namespace(&mut self, name_fn: N) -> Namespace<'_, E, Self::Root> + fn namespace(&mut self, name_fn: N) -> Namespace<'_, Scalar, Self::Root> where NR: Into, N: FnOnce() -> NR, @@ -414,9 +425,14 @@ pub trait ConstraintSystem: Sized { /// This is a "namespaced" constraint system which borrows a constraint system (pushing /// a namespace context) and, when dropped, pops out of the namespace context. -pub struct Namespace<'a, E: ScalarEngine, CS: ConstraintSystem>(&'a mut CS, PhantomData); +pub struct Namespace<'a, Scalar: PrimeField, CS: ConstraintSystem>( + &'a mut CS, + PhantomData, +); -impl<'cs, E: ScalarEngine, CS: ConstraintSystem> ConstraintSystem for Namespace<'cs, E, CS> { +impl<'cs, Scalar: PrimeField, CS: ConstraintSystem> ConstraintSystem + for Namespace<'cs, Scalar, CS> +{ type Root = CS::Root; fn one() -> Variable { @@ -425,7 +441,7 @@ impl<'cs, E: ScalarEngine, CS: ConstraintSystem> ConstraintSystem for Name fn alloc(&mut self, annotation: A, f: F) -> Result where - F: FnOnce() -> Result, + F: FnOnce() -> Result, A: FnOnce() -> AR, AR: Into, { @@ -434,7 +450,7 @@ impl<'cs, E: ScalarEngine, CS: ConstraintSystem> ConstraintSystem for Name fn alloc_input(&mut self, annotation: A, f: F) -> Result where - F: FnOnce() -> Result, + F: FnOnce() -> Result, A: FnOnce() -> AR, AR: Into, { @@ -445,9 +461,9 @@ impl<'cs, E: ScalarEngine, CS: ConstraintSystem> ConstraintSystem for Name where A: FnOnce() -> AR, AR: Into, - LA: FnOnce(LinearCombination) -> LinearCombination, - LB: FnOnce(LinearCombination) -> LinearCombination, - LC: FnOnce(LinearCombination) -> LinearCombination, + LA: FnOnce(LinearCombination) -> LinearCombination, + LB: FnOnce(LinearCombination) -> LinearCombination, + LC: FnOnce(LinearCombination) -> LinearCombination, { self.0.enforce(annotation, a, b, c) } @@ -473,15 +489,17 @@ impl<'cs, E: ScalarEngine, CS: ConstraintSystem> ConstraintSystem for Name } } -impl<'a, E: ScalarEngine, CS: ConstraintSystem> Drop for Namespace<'a, E, CS> { +impl<'a, Scalar: PrimeField, CS: ConstraintSystem> Drop for Namespace<'a, Scalar, CS> { fn drop(&mut self) { self.get_root().pop_namespace() } } -/// Convenience implementation of ConstraintSystem for mutable references to +/// Convenience implementation of ConstraintSystem for mutable references to /// constraint systems. -impl<'cs, E: ScalarEngine, CS: ConstraintSystem> ConstraintSystem for &'cs mut CS { +impl<'cs, Scalar: PrimeField, CS: ConstraintSystem> ConstraintSystem + for &'cs mut CS +{ type Root = CS::Root; fn one() -> Variable { @@ -490,7 +508,7 @@ impl<'cs, E: ScalarEngine, CS: ConstraintSystem> ConstraintSystem for &'cs fn alloc(&mut self, annotation: A, f: F) -> Result where - F: FnOnce() -> Result, + F: FnOnce() -> Result, A: FnOnce() -> AR, AR: Into, { @@ -499,7 +517,7 @@ impl<'cs, E: ScalarEngine, CS: ConstraintSystem> ConstraintSystem for &'cs fn alloc_input(&mut self, annotation: A, f: F) -> Result where - F: FnOnce() -> Result, + F: FnOnce() -> Result, A: FnOnce() -> AR, AR: Into, { @@ -510,9 +528,9 @@ impl<'cs, E: ScalarEngine, CS: ConstraintSystem> ConstraintSystem for &'cs where A: FnOnce() -> AR, AR: Into, - LA: FnOnce(LinearCombination) -> LinearCombination, - LB: FnOnce(LinearCombination) -> LinearCombination, - LC: FnOnce(LinearCombination) -> LinearCombination, + LA: FnOnce(LinearCombination) -> LinearCombination, + LB: FnOnce(LinearCombination) -> LinearCombination, + LC: FnOnce(LinearCombination) -> LinearCombination, { (**self).enforce(annotation, a, b, c) } diff --git a/bellman/tests/mimc.rs b/bellman/tests/mimc.rs index a1de0f108..17bd10ad0 100644 --- a/bellman/tests/mimc.rs +++ b/bellman/tests/mimc.rs @@ -4,10 +4,8 @@ use rand::thread_rng; // For benchmarking use std::time::{Duration, Instant}; -// Bring in some tools for using pairing-friendly curves -use ff::{Field, ScalarEngine}; -use pairing::Engine; -use std::ops::{AddAssign, MulAssign}; +// Bring in some tools for using finite fiels +use ff::{Field, PrimeField}; // We're going to use the BLS12-381 pairing-friendly elliptic curve. use pairing::bls12_381::Bls12; @@ -35,7 +33,7 @@ const MIMC_ROUNDS: usize = 322; /// return xL /// } /// ``` -fn mimc(mut xl: E::Fr, mut xr: E::Fr, constants: &[E::Fr]) -> E::Fr { +fn mimc(mut xl: Scalar, mut xr: Scalar, constants: &[Scalar]) -> Scalar { assert_eq!(constants.len(), MIMC_ROUNDS); for i in 0..MIMC_ROUNDS { @@ -53,17 +51,17 @@ fn mimc(mut xl: E::Fr, mut xr: E::Fr, constants: &[E::Fr]) -> E::Fr { /// This is our demo circuit for proving knowledge of the /// preimage of a MiMC hash invocation. -struct MiMCDemo<'a, E: Engine> { - xl: Option, - xr: Option, - constants: &'a [E::Fr], +struct MiMCDemo<'a, Scalar: PrimeField> { + xl: Option, + xr: Option, + constants: &'a [Scalar], } /// Our demo circuit implements this `Circuit` trait which /// is used during paramgen and proving in order to /// synthesize the constraint system. -impl<'a, E: Engine> Circuit for MiMCDemo<'a, E> { - fn synthesize>(self, cs: &mut CS) -> Result<(), SynthesisError> { +impl<'a, Scalar: PrimeField> Circuit for MiMCDemo<'a, Scalar> { + fn synthesize>(self, cs: &mut CS) -> Result<(), SynthesisError> { assert_eq!(self.constants.len(), MIMC_ROUNDS); // Allocate the first component of the preimage. @@ -147,6 +145,8 @@ impl<'a, E: Engine> Circuit for MiMCDemo<'a, E> { #[test] fn test_mimc() { + use ff::ScalarEngine; + // This may not be cryptographically safe, use // `OsRng` (for example) in production software. let rng = &mut thread_rng(); @@ -160,13 +160,13 @@ fn test_mimc() { // Create parameters for our circuit let params = { - let c = MiMCDemo:: { + let c = MiMCDemo { xl: None, xr: None, constants: &constants, }; - generate_random_parameters(c, rng).unwrap() + generate_random_parameters::(c, rng).unwrap() }; // Prepare the verification key (for proof verification) @@ -187,7 +187,7 @@ fn test_mimc() { // Generate a random preimage and compute the image let xl = ::Fr::random(rng); let xr = ::Fr::random(rng); - let image = mimc::(xl, xr, &constants); + let image = mimc(xl, xr, &constants); proof_vec.truncate(0); diff --git a/zcash_proofs/examples/bench.rs b/zcash_proofs/examples/bench.rs index 2f4878685..cbf6b5e09 100644 --- a/zcash_proofs/examples/bench.rs +++ b/zcash_proofs/examples/bench.rs @@ -19,7 +19,7 @@ fn main() { println!("Creating sample parameters..."); let groth_params = generate_random_parameters::( - Spend { + Spend:: { params: jubjub_params, value_commitment: None, proof_generation_key: None, @@ -37,7 +37,7 @@ fn main() { let mut total_time = Duration::new(0, 0); for _ in 0..SAMPLES { - let value_commitment = ValueCommitment { + let value_commitment = ValueCommitment:: { value: 1, randomness: fs::Fs::random(rng), }; diff --git a/zcash_proofs/src/circuit/ecc.rs b/zcash_proofs/src/circuit/ecc.rs index d287e1bd9..1e573da55 100644 --- a/zcash_proofs/src/circuit/ecc.rs +++ b/zcash_proofs/src/circuit/ecc.rs @@ -18,8 +18,8 @@ use bellman::gadgets::boolean::Boolean; #[derive(Clone)] pub struct EdwardsPoint { - x: AllocatedNum, - y: AllocatedNum, + x: AllocatedNum, + y: AllocatedNum, } /// Perform a fixed-base scalar multiplication with @@ -31,7 +31,7 @@ pub fn fixed_base_multiplication( params: &E::Params, ) -> Result, SynthesisError> where - CS: ConstraintSystem, + CS: ConstraintSystem, E: JubjubEngine, { // Represents the result of the multiplication @@ -78,11 +78,11 @@ where } impl EdwardsPoint { - pub fn get_x(&self) -> &AllocatedNum { + pub fn get_x(&self) -> &AllocatedNum { &self.x } - pub fn get_y(&self) -> &AllocatedNum { + pub fn get_y(&self) -> &AllocatedNum { &self.y } @@ -92,7 +92,7 @@ impl EdwardsPoint { params: &E::Params, ) -> Result<(), SynthesisError> where - CS: ConstraintSystem, + CS: ConstraintSystem, { let tmp = self.double(cs.namespace(|| "first doubling"), params)?; let tmp = tmp.double(cs.namespace(|| "second doubling"), params)?; @@ -109,7 +109,7 @@ impl EdwardsPoint { pub fn inputize(&self, mut cs: CS) -> Result<(), SynthesisError> where - CS: ConstraintSystem, + CS: ConstraintSystem, { self.x.inputize(cs.namespace(|| "x"))?; self.y.inputize(cs.namespace(|| "y"))?; @@ -120,7 +120,7 @@ impl EdwardsPoint { /// This converts the point into a representation. pub fn repr(&self, mut cs: CS) -> Result, SynthesisError> where - CS: ConstraintSystem, + CS: ConstraintSystem, { let mut tmp = vec![]; @@ -142,7 +142,7 @@ impl EdwardsPoint { params: &E::Params, ) -> Result where - CS: ConstraintSystem, + CS: ConstraintSystem, { let p = p.map(|p| p.to_xy()); @@ -163,7 +163,7 @@ impl EdwardsPoint { condition: &Boolean, ) -> Result where - CS: ConstraintSystem, + CS: ConstraintSystem, { // Compute x' = self.x if condition, and 0 otherwise let x_prime = AllocatedNum::alloc(cs.namespace(|| "x'"), || { @@ -220,7 +220,7 @@ impl EdwardsPoint { params: &E::Params, ) -> Result where - CS: ConstraintSystem, + CS: ConstraintSystem, { // Represents the current "magnitude" of the base // that we're operating over. Starts at self, @@ -267,12 +267,12 @@ impl EdwardsPoint { pub fn interpret( mut cs: CS, - x: &AllocatedNum, - y: &AllocatedNum, + x: &AllocatedNum, + y: &AllocatedNum, params: &E::Params, ) -> Result where - CS: ConstraintSystem, + CS: ConstraintSystem, { // -x^2 + y^2 = 1 + dx^2y^2 @@ -296,7 +296,7 @@ impl EdwardsPoint { pub fn double(&self, mut cs: CS, params: &E::Params) -> Result where - CS: ConstraintSystem, + CS: ConstraintSystem, { // Compute T = (x1 + y1) * (x1 + y1) let t = AllocatedNum::alloc(cs.namespace(|| "T"), || { @@ -395,7 +395,7 @@ impl EdwardsPoint { params: &E::Params, ) -> Result where - CS: ConstraintSystem, + CS: ConstraintSystem, { // Compute U = (x1 + y1) * (x2 + y2) let u = AllocatedNum::alloc(cs.namespace(|| "U"), || { @@ -492,8 +492,8 @@ impl EdwardsPoint { } pub struct MontgomeryPoint { - x: Num, - y: Num, + x: Num, + y: Num, } impl MontgomeryPoint { @@ -506,7 +506,7 @@ impl MontgomeryPoint { params: &E::Params, ) -> Result, SynthesisError> where - CS: ConstraintSystem, + CS: ConstraintSystem, { // Compute u = (scale*x) / y let u = AllocatedNum::alloc(cs.namespace(|| "u"), || { @@ -558,7 +558,7 @@ impl MontgomeryPoint { /// in Montgomery, does not check that it's /// on the curve. Useful for constants and /// window table lookups. - pub fn interpret_unchecked(x: Num, y: Num) -> Self { + pub fn interpret_unchecked(x: Num, y: Num) -> Self { MontgomeryPoint { x, y } } @@ -571,7 +571,7 @@ impl MontgomeryPoint { params: &E::Params, ) -> Result where - CS: ConstraintSystem, + CS: ConstraintSystem, { // Compute lambda = (y' - y) / (x' - x) let lambda = AllocatedNum::alloc(cs.namespace(|| "lambda"), || { @@ -673,7 +673,7 @@ mod test { ]); for _ in 0..100 { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::new(); let p = montgomery::Point::::rand(rng, params); let (u, v) = edwards::Point::from_montgomery(&p, params).to_xy(); @@ -682,7 +682,7 @@ mod test { let numx = AllocatedNum::alloc(cs.namespace(|| "mont x"), || Ok(x)).unwrap(); let numy = AllocatedNum::alloc(cs.namespace(|| "mont y"), || Ok(y)).unwrap(); - let p = MontgomeryPoint::interpret_unchecked(numx.into(), numy.into()); + let p = MontgomeryPoint::::interpret_unchecked(numx.into(), numy.into()); let q = p.into_edwards(&mut cs, params).unwrap(); @@ -713,7 +713,7 @@ mod test { for _ in 0..100 { let p = edwards::Point::::rand(rng, ¶ms); - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::new(); let q = EdwardsPoint::witness(&mut cs, Some(p.clone()), ¶ms).unwrap(); let p = p.to_xy(); @@ -727,11 +727,11 @@ mod test { let p = edwards::Point::::rand(rng, ¶ms); let (x, y) = p.to_xy(); - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::new(); let numx = AllocatedNum::alloc(cs.namespace(|| "x"), || Ok(x)).unwrap(); let numy = AllocatedNum::alloc(cs.namespace(|| "y"), || Ok(y)).unwrap(); - let p = EdwardsPoint::interpret(&mut cs, &numx, &numy, ¶ms).unwrap(); + let p = EdwardsPoint::::interpret(&mut cs, &numx, &numy, ¶ms).unwrap(); assert!(cs.is_satisfied()); assert_eq!(p.x.get_value().unwrap(), x); @@ -743,11 +743,11 @@ mod test { let x = Fr::random(rng); let y = Fr::random(rng); - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::new(); let numx = AllocatedNum::alloc(cs.namespace(|| "x"), || Ok(x)).unwrap(); let numy = AllocatedNum::alloc(cs.namespace(|| "y"), || Ok(y)).unwrap(); - EdwardsPoint::interpret(&mut cs, &numx, &numy, ¶ms).unwrap(); + EdwardsPoint::::interpret(&mut cs, &numx, &numy, ¶ms).unwrap(); assert_eq!(cs.which_is_unsatisfied().unwrap(), "on curve check"); } @@ -762,7 +762,7 @@ mod test { ]); for _ in 0..100 { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::::new(); let p = params.generator(FixedGenerators::NoteCommitmentRandomness); let s = Fs::random(rng); @@ -783,7 +783,7 @@ mod test { .map(|v| Boolean::from(v)) .collect::>(); - let q = fixed_base_multiplication( + let q = fixed_base_multiplication::( cs.namespace(|| "multiplication"), FixedGenerators::NoteCommitmentRandomness, &s_bits, @@ -805,7 +805,7 @@ mod test { ]); for _ in 0..100 { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::new(); let p = edwards::Point::::rand(rng, params); let s = Fs::random(rng); @@ -817,7 +817,7 @@ mod test { let num_x0 = AllocatedNum::alloc(cs.namespace(|| "x0"), || Ok(x0)).unwrap(); let num_y0 = AllocatedNum::alloc(cs.namespace(|| "y0"), || Ok(y0)).unwrap(); - let p = EdwardsPoint { + let p = EdwardsPoint:: { x: num_x0, y: num_y0, }; @@ -857,7 +857,7 @@ mod test { ]); for _ in 0..1000 { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::new(); let p = edwards::Point::::rand(rng, params); @@ -866,7 +866,7 @@ mod test { let num_x0 = AllocatedNum::alloc(cs.namespace(|| "x0"), || Ok(x0)).unwrap(); let num_y0 = AllocatedNum::alloc(cs.namespace(|| "y0"), || Ok(y0)).unwrap(); - let p = EdwardsPoint { + let p = EdwardsPoint:: { x: num_x0, y: num_y0, }; @@ -933,7 +933,7 @@ mod test { let (x1, y1) = p2.to_xy(); let (x2, y2) = p3.to_xy(); - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::new(); let num_x0 = AllocatedNum::alloc(cs.namespace(|| "x0"), || Ok(x0)).unwrap(); let num_y0 = AllocatedNum::alloc(cs.namespace(|| "y0"), || Ok(y0)).unwrap(); @@ -941,7 +941,7 @@ mod test { let num_x1 = AllocatedNum::alloc(cs.namespace(|| "x1"), || Ok(x1)).unwrap(); let num_y1 = AllocatedNum::alloc(cs.namespace(|| "y1"), || Ok(y1)).unwrap(); - let p1 = EdwardsPoint { + let p1 = EdwardsPoint:: { x: num_x0, y: num_y0, }; @@ -993,12 +993,12 @@ mod test { let (x0, y0) = p1.to_xy(); let (x1, y1) = p2.to_xy(); - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::new(); let num_x0 = AllocatedNum::alloc(cs.namespace(|| "x0"), || Ok(x0)).unwrap(); let num_y0 = AllocatedNum::alloc(cs.namespace(|| "y0"), || Ok(y0)).unwrap(); - let p1 = EdwardsPoint { + let p1 = EdwardsPoint:: { x: num_x0, y: num_y0, }; @@ -1047,7 +1047,7 @@ mod test { let (x1, y1) = p2.to_xy().unwrap(); let (x2, y2) = p3.to_xy().unwrap(); - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::new(); let num_x0 = AllocatedNum::alloc(cs.namespace(|| "x0"), || Ok(x0)).unwrap(); let num_y0 = AllocatedNum::alloc(cs.namespace(|| "y0"), || Ok(y0)).unwrap(); @@ -1055,7 +1055,7 @@ mod test { let num_x1 = AllocatedNum::alloc(cs.namespace(|| "x1"), || Ok(x1)).unwrap(); let num_y1 = AllocatedNum::alloc(cs.namespace(|| "y1"), || Ok(y1)).unwrap(); - let p1 = MontgomeryPoint { + let p1 = MontgomeryPoint:: { x: num_x0.into(), y: num_y0.into(), }; @@ -1092,7 +1092,7 @@ mod test { let params = &JubjubBls12::new(); let check_small_order_from_p = |p: edwards::Point, is_small_order| { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::new(); let p = EdwardsPoint::witness(&mut cs, Some(p), params).unwrap(); assert!(cs.is_satisfied()); diff --git a/zcash_proofs/src/circuit/pedersen_hash.rs b/zcash_proofs/src/circuit/pedersen_hash.rs index 18c2aae1c..43278a75c 100644 --- a/zcash_proofs/src/circuit/pedersen_hash.rs +++ b/zcash_proofs/src/circuit/pedersen_hash.rs @@ -22,7 +22,7 @@ pub fn pedersen_hash( params: &E::Params, ) -> Result, SynthesisError> where - CS: ConstraintSystem, + CS: ConstraintSystem, { let personalization = get_constant_bools(&personalization); assert_eq!(personalization.len(), 6); @@ -162,7 +162,7 @@ mod test { ] .iter() { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::new(); let input: Vec = (0..n_bits).map(|_| rng.next_u32() % 2 != 0).collect(); @@ -177,7 +177,7 @@ mod test { }) .collect(); - pedersen_hash( + pedersen_hash::( cs.namespace(|| "pedersen hash"), Personalization::NoteCommitment, &input_bools, @@ -212,7 +212,7 @@ mod test { for _ in 0..5 { let input: Vec = (0..length).map(|_| rng.next_u32() % 2 != 0).collect(); - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::new(); let input_bools: Vec = input .iter() @@ -225,7 +225,7 @@ mod test { }) .collect(); - let res = pedersen_hash( + let res = pedersen_hash::( cs.namespace(|| "pedersen hash"), Personalization::MerkleTree(1), &input_bools, @@ -278,7 +278,7 @@ mod test { for length in 300..302 { let input: Vec = (0..length).map(|_| rng.next_u32() % 2 != 0).collect(); - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::new(); let input_bools: Vec = input .iter() @@ -291,7 +291,7 @@ mod test { }) .collect(); - let res = pedersen_hash( + let res = pedersen_hash::( cs.namespace(|| "pedersen hash"), Personalization::MerkleTree(1), &input_bools, diff --git a/zcash_proofs/src/circuit/sapling.rs b/zcash_proofs/src/circuit/sapling.rs index fe20e4fde..7aecb825c 100644 --- a/zcash_proofs/src/circuit/sapling.rs +++ b/zcash_proofs/src/circuit/sapling.rs @@ -74,7 +74,7 @@ fn expose_value_commitment( ) -> Result, SynthesisError> where E: JubjubEngine, - CS: ConstraintSystem, + CS: ConstraintSystem, { // Booleanize the value into little-endian bit order let value_bits = boolean::u64_into_boolean_vec_le( @@ -83,7 +83,7 @@ where )?; // Compute the note value in the exponent - let value = ecc::fixed_base_multiplication( + let value = ecc::fixed_base_multiplication::( cs.namespace(|| "compute the value in the exponent"), FixedGenerators::ValueCommitmentValue, &value_bits, @@ -99,7 +99,7 @@ where )?; // Compute the randomness in the exponent - let rcv = ecc::fixed_base_multiplication( + let rcv = ecc::fixed_base_multiplication::( cs.namespace(|| "computation of rcv"), FixedGenerators::ValueCommitmentRandomness, &rcv, @@ -115,8 +115,8 @@ where Ok(value_bits) } -impl<'a, E: JubjubEngine> Circuit for Spend<'a, E> { - fn synthesize>(self, cs: &mut CS) -> Result<(), SynthesisError> { +impl<'a, E: JubjubEngine> Circuit for Spend<'a, E> { + fn synthesize>(self, cs: &mut CS) -> Result<(), SynthesisError> { // Prover witnesses ak (ensures that it's on the curve) let ak = ecc::EdwardsPoint::witness( cs.namespace(|| "ak"), @@ -134,7 +134,7 @@ impl<'a, E: JubjubEngine> Circuit for Spend<'a, E> { let ar = boolean::field_into_boolean_vec_le(cs.namespace(|| "ar"), self.ar)?; // Compute the randomness in the exponent - let ar = ecc::fixed_base_multiplication( + let ar = ecc::fixed_base_multiplication::( cs.namespace(|| "computation of randomization for the signing key"), FixedGenerators::SpendingKeyGenerator, &ar, @@ -161,7 +161,7 @@ impl<'a, E: JubjubEngine> Circuit for Spend<'a, E> { // congruency then that's equivalent. // Compute nk = [nsk] ProvingPublicKey - nk = ecc::fixed_base_multiplication( + nk = ecc::fixed_base_multiplication::( cs.namespace(|| "computation of nk"), FixedGenerators::ProofGenerationKey, &nsk, @@ -266,7 +266,7 @@ impl<'a, E: JubjubEngine> Circuit for Spend<'a, E> { ); // Compute the hash of the note contents - let mut cm = pedersen_hash::pedersen_hash( + let mut cm = pedersen_hash::pedersen_hash::( cs.namespace(|| "note content hash"), pedersen_hash::Personalization::NoteCommitment, ¬e_contents, @@ -281,7 +281,7 @@ impl<'a, E: JubjubEngine> Circuit for Spend<'a, E> { )?; // Compute the note commitment randomness in the exponent - let rcm = ecc::fixed_base_multiplication( + let rcm = ecc::fixed_base_multiplication::( cs.namespace(|| "computation of commitment randomness"), FixedGenerators::NoteCommitmentRandomness, &rcm, @@ -342,7 +342,7 @@ impl<'a, E: JubjubEngine> Circuit for Spend<'a, E> { preimage.extend(xr.to_bits_le(cs.namespace(|| "xr into bits"))?); // Compute the new subtree value - cur = pedersen_hash::pedersen_hash( + cur = pedersen_hash::pedersen_hash::( cs.namespace(|| "computation of pedersen hash"), pedersen_hash::Personalization::MerkleTree(i), &preimage, @@ -379,7 +379,7 @@ impl<'a, E: JubjubEngine> Circuit for Spend<'a, E> { let mut rho = cm; { // Compute the position in the exponent - let position = ecc::fixed_base_multiplication( + let position = ecc::fixed_base_multiplication::( cs.namespace(|| "g^position"), FixedGenerators::NullifierPosition, &position_bits, @@ -410,8 +410,8 @@ impl<'a, E: JubjubEngine> Circuit for Spend<'a, E> { } } -impl<'a, E: JubjubEngine> Circuit for Output<'a, E> { - fn synthesize>(self, cs: &mut CS) -> Result<(), SynthesisError> { +impl<'a, E: JubjubEngine> Circuit for Output<'a, E> { + fn synthesize>(self, cs: &mut CS) -> Result<(), SynthesisError> { // Let's start to construct our note, which contains // value (big endian) let mut note_contents = vec![]; @@ -494,7 +494,7 @@ impl<'a, E: JubjubEngine> Circuit for Output<'a, E> { ); // Compute the hash of the note contents - let mut cm = pedersen_hash::pedersen_hash( + let mut cm = pedersen_hash::pedersen_hash::( cs.namespace(|| "note content hash"), pedersen_hash::Personalization::NoteCommitment, ¬e_contents, @@ -509,7 +509,7 @@ impl<'a, E: JubjubEngine> Circuit for Output<'a, E> { )?; // Compute the note commitment randomness in the exponent - let rcm = ecc::fixed_base_multiplication( + let rcm = ecc::fixed_base_multiplication::( cs.namespace(|| "computation of commitment randomness"), FixedGenerators::NoteCommitmentRandomness, &rcm, @@ -556,7 +556,7 @@ fn test_input_circuit_with_bls12_381() { let tree_depth = 32; for _ in 0..10 { - let value_commitment = ValueCommitment { + let value_commitment = ValueCommitment:: { value: rng.next_u64(), randomness: fs::Fs::random(rng), }; @@ -638,10 +638,10 @@ fn test_input_circuit_with_bls12_381() { let expected_nf = note.nf(&viewing_key, position, params); let expected_nf = multipack::bytes_to_bits_le(&expected_nf); - let expected_nf = multipack::compute_multipacking::(&expected_nf); + let expected_nf = multipack::compute_multipacking(&expected_nf); assert_eq!(expected_nf.len(), 2); - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::new(); let instance = Spend { params, @@ -732,7 +732,7 @@ fn test_input_circuit_with_bls12_381_external_test_vectors() { ]; for i in 0..10 { - let value_commitment = ValueCommitment { + let value_commitment = ValueCommitment:: { value: i, randomness: fs::Fs::from_str(&(1000 * (i + 1)).to_string()).unwrap(), }; @@ -822,10 +822,10 @@ fn test_input_circuit_with_bls12_381_external_test_vectors() { let expected_nf = note.nf(&viewing_key, position, params); let expected_nf = multipack::bytes_to_bits_le(&expected_nf); - let expected_nf = multipack::compute_multipacking::(&expected_nf); + let expected_nf = multipack::compute_multipacking(&expected_nf); assert_eq!(expected_nf.len(), 2); - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::new(); let instance = Spend { params: params, @@ -887,7 +887,7 @@ fn test_output_circuit_with_bls12_381() { ]); for _ in 0..100 { - let value_commitment = ValueCommitment { + let value_commitment = ValueCommitment:: { value: rng.next_u64(), randomness: fs::Fs::random(rng), }; @@ -921,7 +921,7 @@ fn test_output_circuit_with_bls12_381() { let esk = fs::Fs::random(rng); { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::new(); let instance = Output { params, diff --git a/zcash_proofs/src/circuit/sprout/commitment.rs b/zcash_proofs/src/circuit/sprout/commitment.rs index fba121738..367be9caf 100644 --- a/zcash_proofs/src/circuit/sprout/commitment.rs +++ b/zcash_proofs/src/circuit/sprout/commitment.rs @@ -1,9 +1,9 @@ use bellman::gadgets::boolean::Boolean; use bellman::gadgets::sha256::sha256; use bellman::{ConstraintSystem, SynthesisError}; -use pairing::Engine; +use ff::PrimeField; -pub fn note_comm( +pub fn note_comm( cs: CS, a_pk: &[Boolean], value: &[Boolean], @@ -11,8 +11,8 @@ pub fn note_comm( r: &[Boolean], ) -> Result, SynthesisError> where - E: Engine, - CS: ConstraintSystem, + Scalar: PrimeField, + CS: ConstraintSystem, { assert_eq!(a_pk.len(), 256); assert_eq!(value.len(), 64); diff --git a/zcash_proofs/src/circuit/sprout/input.rs b/zcash_proofs/src/circuit/sprout/input.rs index a2726d41a..b2e0d6ced 100644 --- a/zcash_proofs/src/circuit/sprout/input.rs +++ b/zcash_proofs/src/circuit/sprout/input.rs @@ -1,7 +1,7 @@ use bellman::gadgets::boolean::{AllocatedBit, Boolean}; use bellman::gadgets::sha256::sha256_block_no_padding; use bellman::{ConstraintSystem, SynthesisError}; -use pairing::Engine; +use ff::PrimeField; use super::commitment::note_comm; use super::prfs::*; @@ -13,7 +13,7 @@ pub struct InputNote { } impl InputNote { - pub fn compute( + pub fn compute( mut cs: CS, a_sk: Option, rho: Option, @@ -25,8 +25,8 @@ impl InputNote { rt: &[Boolean], ) -> Result where - E: Engine, - CS: ConstraintSystem, + Scalar: PrimeField, + CS: ConstraintSystem, { let a_sk = witness_u252( cs.namespace(|| "a_sk"), @@ -106,7 +106,7 @@ impl InputNote { // if enforce is one, they must be equal cs.enforce( || format!("conditionally enforce correct root for bit {}", i), - |_| cur.lc(CS::one(), E::Fr::one()) - &rt.lc(CS::one(), E::Fr::one()), + |_| cur.lc(CS::one(), Scalar::one()) - &rt.lc(CS::one(), Scalar::one()), |lc| lc + enforce.get_variable(), |lc| lc, ); @@ -118,15 +118,15 @@ impl InputNote { /// Swaps two 256-bit blobs conditionally, returning the /// 512-bit concatenation. -pub fn conditionally_swap_u256( +pub fn conditionally_swap_u256( mut cs: CS, lhs: &[Boolean], rhs: &[Boolean], condition: &AllocatedBit, ) -> Result, SynthesisError> where - E: Engine, - CS: ConstraintSystem, + Scalar: PrimeField, + CS: ConstraintSystem, { assert_eq!(lhs.len(), 256); assert_eq!(rhs.len(), 256); @@ -155,9 +155,9 @@ where // x = rhs cs.enforce( || "conditional swap for x", - |lc| lc + &rhs.lc(CS::one(), E::Fr::one()) - &lhs.lc(CS::one(), E::Fr::one()), + |lc| lc + &rhs.lc(CS::one(), Scalar::one()) - &lhs.lc(CS::one(), Scalar::one()), |lc| lc + condition.get_variable(), - |lc| lc + &x.lc(CS::one(), E::Fr::one()) - &lhs.lc(CS::one(), E::Fr::one()), + |lc| lc + &x.lc(CS::one(), Scalar::one()) - &lhs.lc(CS::one(), Scalar::one()), ); let y = Boolean::from(AllocatedBit::alloc( @@ -171,9 +171,9 @@ where // y - rhs = condition (lhs - rhs) cs.enforce( || "conditional swap for y", - |lc| lc + &lhs.lc(CS::one(), E::Fr::one()) - &rhs.lc(CS::one(), E::Fr::one()), + |lc| lc + &lhs.lc(CS::one(), Scalar::one()) - &rhs.lc(CS::one(), Scalar::one()), |lc| lc + condition.get_variable(), - |lc| lc + &y.lc(CS::one(), E::Fr::one()) - &rhs.lc(CS::one(), E::Fr::one()), + |lc| lc + &y.lc(CS::one(), Scalar::one()) - &rhs.lc(CS::one(), Scalar::one()), ); new_lhs.push(x); diff --git a/zcash_proofs/src/circuit/sprout/mod.rs b/zcash_proofs/src/circuit/sprout/mod.rs index 6afe67793..b2653ab24 100644 --- a/zcash_proofs/src/circuit/sprout/mod.rs +++ b/zcash_proofs/src/circuit/sprout/mod.rs @@ -13,8 +13,7 @@ use bellman::gadgets::boolean::{AllocatedBit, Boolean}; use bellman::gadgets::multipack::pack_into_inputs; use bellman::{Circuit, ConstraintSystem, LinearCombination, SynthesisError}; -use ff::Field; -use pairing::Engine; +use ff::PrimeField; mod commitment; mod input; @@ -55,8 +54,8 @@ pub struct JSOutput { pub r: Option, } -impl Circuit for JoinSplit { - fn synthesize>(self, cs: &mut CS) -> Result<(), SynthesisError> { +impl Circuit for JoinSplit { + fn synthesize>(self, cs: &mut CS) -> Result<(), SynthesisError> { assert_eq!(self.inputs.len(), 2); assert_eq!(self.outputs.len(), 2); @@ -219,10 +218,10 @@ pub struct NoteValue { } impl NoteValue { - fn new(mut cs: CS, value: Option) -> Result + fn new(mut cs: CS, value: Option) -> Result where - E: Engine, - CS: ConstraintSystem, + Scalar: PrimeField, + CS: ConstraintSystem, { let mut values; match value { @@ -262,10 +261,10 @@ impl NoteValue { /// Computes this value as a linear combination of /// its bits. - fn lc(&self) -> LinearCombination { + fn lc(&self) -> LinearCombination { let mut tmp = LinearCombination::zero(); - let mut coeff = E::Fr::one(); + let mut coeff = Scalar::one(); for b in &self.bits { tmp = tmp + (coeff, b.get_variable()); coeff = coeff.double(); @@ -281,15 +280,15 @@ impl NoteValue { /// Witnesses some bytes in the constraint system, /// skipping the first `skip_bits`. -fn witness_bits( +fn witness_bits( mut cs: CS, value: Option<&[u8]>, num_bits: usize, skip_bits: usize, ) -> Result, SynthesisError> where - E: Engine, - CS: ConstraintSystem, + Scalar: PrimeField, + CS: ConstraintSystem, { let bit_values = if let Some(value) = value { let mut tmp = vec![]; @@ -318,18 +317,18 @@ where Ok(bits) } -fn witness_u256(cs: CS, value: Option<&[u8]>) -> Result, SynthesisError> +fn witness_u256(cs: CS, value: Option<&[u8]>) -> Result, SynthesisError> where - E: Engine, - CS: ConstraintSystem, + Scalar: PrimeField, + CS: ConstraintSystem, { witness_bits(cs, value, 256, 0) } -fn witness_u252(cs: CS, value: Option<&[u8]>) -> Result, SynthesisError> +fn witness_u252(cs: CS, value: Option<&[u8]>) -> Result, SynthesisError> where - E: Engine, - CS: ConstraintSystem, + Scalar: PrimeField, + CS: ConstraintSystem, { witness_bits(cs, value, 252, 4) } @@ -338,7 +337,7 @@ where #[ignore] fn test_sprout_constraints() { use bellman::gadgets::test::*; - use pairing::bls12_381::Bls12; + use pairing::bls12_381::Fr; use byteorder::{LittleEndian, ReadBytesExt, WriteBytesExt}; @@ -356,7 +355,7 @@ fn test_sprout_constraints() { } while test_vector.len() != 0 { - let mut cs = TestConstraintSystem::::new(); + let mut cs = TestConstraintSystem::::new(); let phi = Some(get_u256(&mut test_vector)); let rt = Some(get_u256(&mut test_vector)); @@ -462,7 +461,7 @@ fn test_sprout_constraints() { use bellman::gadgets::multipack; let expected_inputs = multipack::bytes_to_bits(&expected_inputs); - let expected_inputs = multipack::compute_multipacking::(&expected_inputs); + let expected_inputs = multipack::compute_multipacking(&expected_inputs); assert!(cs.verify(&expected_inputs)); } diff --git a/zcash_proofs/src/circuit/sprout/output.rs b/zcash_proofs/src/circuit/sprout/output.rs index 73a98514a..6360f4122 100644 --- a/zcash_proofs/src/circuit/sprout/output.rs +++ b/zcash_proofs/src/circuit/sprout/output.rs @@ -1,6 +1,6 @@ use bellman::gadgets::boolean::Boolean; use bellman::{ConstraintSystem, SynthesisError}; -use pairing::Engine; +use ff::PrimeField; use super::commitment::note_comm; use super::prfs::*; @@ -11,7 +11,7 @@ pub struct OutputNote { } impl OutputNote { - pub fn compute( + pub fn compute( mut cs: CS, a_pk: Option, value: &NoteValue, @@ -21,8 +21,8 @@ impl OutputNote { nonce: bool, ) -> Result where - E: Engine, - CS: ConstraintSystem, + Scalar: PrimeField, + CS: ConstraintSystem, { let rho = prf_rho(cs.namespace(|| "rho"), phi, h_sig, nonce)?; diff --git a/zcash_proofs/src/circuit/sprout/prfs.rs b/zcash_proofs/src/circuit/sprout/prfs.rs index ea87b08d4..240538a9f 100644 --- a/zcash_proofs/src/circuit/sprout/prfs.rs +++ b/zcash_proofs/src/circuit/sprout/prfs.rs @@ -1,9 +1,9 @@ use bellman::gadgets::boolean::Boolean; use bellman::gadgets::sha256::sha256_block_no_padding; use bellman::{ConstraintSystem, SynthesisError}; -use pairing::Engine; +use ff::PrimeField; -fn prf( +fn prf( cs: CS, a: bool, b: bool, @@ -13,8 +13,8 @@ fn prf( y: &[Boolean], ) -> Result, SynthesisError> where - E: Engine, - CS: ConstraintSystem, + Scalar: PrimeField, + CS: ConstraintSystem, { assert_eq!(x.len(), 252); assert_eq!(y.len(), 256); @@ -32,10 +32,10 @@ where sha256_block_no_padding(cs, &image) } -pub fn prf_a_pk(cs: CS, a_sk: &[Boolean]) -> Result, SynthesisError> +pub fn prf_a_pk(cs: CS, a_sk: &[Boolean]) -> Result, SynthesisError> where - E: Engine, - CS: ConstraintSystem, + Scalar: PrimeField, + CS: ConstraintSystem, { prf( cs, @@ -50,40 +50,40 @@ where ) } -pub fn prf_nf( +pub fn prf_nf( cs: CS, a_sk: &[Boolean], rho: &[Boolean], ) -> Result, SynthesisError> where - E: Engine, - CS: ConstraintSystem, + Scalar: PrimeField, + CS: ConstraintSystem, { prf(cs, true, true, true, false, a_sk, rho) } -pub fn prf_pk( +pub fn prf_pk( cs: CS, a_sk: &[Boolean], h_sig: &[Boolean], nonce: bool, ) -> Result, SynthesisError> where - E: Engine, - CS: ConstraintSystem, + Scalar: PrimeField, + CS: ConstraintSystem, { prf(cs, false, nonce, false, false, a_sk, h_sig) } -pub fn prf_rho( +pub fn prf_rho( cs: CS, phi: &[Boolean], h_sig: &[Boolean], nonce: bool, ) -> Result, SynthesisError> where - E: Engine, - CS: ConstraintSystem, + Scalar: PrimeField, + CS: ConstraintSystem, { prf(cs, false, nonce, true, false, phi, h_sig) } diff --git a/zcash_proofs/src/sapling/prover.rs b/zcash_proofs/src/sapling/prover.rs index f7b037343..cc3898e06 100644 --- a/zcash_proofs/src/sapling/prover.rs +++ b/zcash_proofs/src/sapling/prover.rs @@ -145,7 +145,7 @@ impl SaplingProvingContext { // Add the nullifier through multiscalar packing { let nullifier = multipack::bytes_to_bits_le(&nullifier); - let nullifier = multipack::compute_multipacking::(&nullifier); + let nullifier = multipack::compute_multipacking(&nullifier); assert_eq!(nullifier.len(), 2); diff --git a/zcash_proofs/src/sapling/verifier.rs b/zcash_proofs/src/sapling/verifier.rs index b8869129a..32e4d8ca8 100644 --- a/zcash_proofs/src/sapling/verifier.rs +++ b/zcash_proofs/src/sapling/verifier.rs @@ -97,7 +97,7 @@ impl SaplingVerificationContext { // Add the nullifier through multiscalar packing { let nullifier = multipack::bytes_to_bits_le(nullifier); - let nullifier = multipack::compute_multipacking::(&nullifier); + let nullifier = multipack::compute_multipacking(&nullifier); assert_eq!(nullifier.len(), 2); diff --git a/zcash_proofs/src/sprout.rs b/zcash_proofs/src/sprout.rs index 30ec8217f..efd0508ec 100644 --- a/zcash_proofs/src/sprout.rs +++ b/zcash_proofs/src/sprout.rs @@ -161,7 +161,7 @@ pub fn verify_proof( public_input.extend(&vpub_new.to_le_bytes()); let public_input = multipack::bytes_to_bits(&public_input); - let public_input = multipack::compute_multipacking::(&public_input); + let public_input = multipack::compute_multipacking(&public_input); let proof = match Proof::read(&proof[..]) { Ok(p) => p, From 0a0e5139480cfff13483f895129796359dbe639d Mon Sep 17 00:00:00 2001 From: Jack Grigg Date: Sat, 30 May 2020 15:18:25 +1200 Subject: [PATCH 2/2] ff: Remove ScalarEngine --- bellman/src/groth16/tests/dummy_engine.rs | 7 ++----- bellman/src/multiexp.rs | 14 +++++--------- bellman/tests/mimc.rs | 10 ++++------ ff/src/lib.rs | 8 -------- group/src/lib.rs | 4 ---- pairing/src/bls12_381/mod.rs | 7 ++----- pairing/src/lib.rs | 7 +++++-- 7 files changed, 18 insertions(+), 39 deletions(-) diff --git a/bellman/src/groth16/tests/dummy_engine.rs b/bellman/src/groth16/tests/dummy_engine.rs index 5686c95c4..bf3bb035a 100644 --- a/bellman/src/groth16/tests/dummy_engine.rs +++ b/bellman/src/groth16/tests/dummy_engine.rs @@ -1,4 +1,4 @@ -use ff::{Field, PrimeField, ScalarEngine}; +use ff::{Field, PrimeField}; use group::{CurveAffine, CurveProjective, Group, PrimeGroup}; use pairing::{Engine, PairingCurveAffine}; @@ -324,11 +324,8 @@ impl PrimeField for Fr { #[derive(Clone)] pub struct DummyEngine; -impl ScalarEngine for DummyEngine { - type Fr = Fr; -} - impl Engine for DummyEngine { + type Fr = Fr; type G1 = Fr; type G1Affine = Fr; type G2 = Fr; diff --git a/bellman/src/multiexp.rs b/bellman/src/multiexp.rs index a9a868f1a..c9e00d6ba 100644 --- a/bellman/src/multiexp.rs +++ b/bellman/src/multiexp.rs @@ -293,9 +293,6 @@ where multiexp_inner(pool, bases, density_map, exponents, 0, c, true) } -#[cfg(all(test, feature = "pairing"))] -use ff::ScalarEngine; - #[cfg(feature = "pairing")] #[test] fn test_with_bls12() { @@ -315,17 +312,16 @@ fn test_with_bls12() { } use group::Group; - use pairing::{bls12_381::Bls12, Engine}; + use pairing::{ + bls12_381::{Bls12, Fr}, + Engine, + }; use rand; const SAMPLES: usize = 1 << 14; let rng = &mut rand::thread_rng(); - let v = Arc::new( - (0..SAMPLES) - .map(|_| ::Fr::random(rng)) - .collect::>(), - ); + let v = Arc::new((0..SAMPLES).map(|_| Fr::random(rng)).collect::>()); let g = Arc::new( (0..SAMPLES) .map(|_| ::G1::random(rng).to_affine()) diff --git a/bellman/tests/mimc.rs b/bellman/tests/mimc.rs index 17bd10ad0..b708a18a2 100644 --- a/bellman/tests/mimc.rs +++ b/bellman/tests/mimc.rs @@ -8,7 +8,7 @@ use std::time::{Duration, Instant}; use ff::{Field, PrimeField}; // We're going to use the BLS12-381 pairing-friendly elliptic curve. -use pairing::bls12_381::Bls12; +use pairing::bls12_381::{Bls12, Fr}; // We'll use these interfaces to construct our circuit. use bellman::{Circuit, ConstraintSystem, SynthesisError}; @@ -145,15 +145,13 @@ impl<'a, Scalar: PrimeField> Circuit for MiMCDemo<'a, Scalar> { #[test] fn test_mimc() { - use ff::ScalarEngine; - // This may not be cryptographically safe, use // `OsRng` (for example) in production software. let rng = &mut thread_rng(); // Generate the MiMC round constants let constants = (0..MIMC_ROUNDS) - .map(|_| ::Fr::random(rng)) + .map(|_| Fr::random(rng)) .collect::>(); println!("Creating parameters..."); @@ -185,8 +183,8 @@ fn test_mimc() { for _ in 0..SAMPLES { // Generate a random preimage and compute the image - let xl = ::Fr::random(rng); - let xr = ::Fr::random(rng); + let xl = Fr::random(rng); + let xr = Fr::random(rng); let image = mimc(xl, xr, &constants); proof_vec.truncate(0); diff --git a/ff/src/lib.rs b/ff/src/lib.rs index 3382262ee..e975d9136 100644 --- a/ff/src/lib.rs +++ b/ff/src/lib.rs @@ -213,14 +213,6 @@ pub trait PrimeField: Field + From { fn root_of_unity() -> Self; } -/// An "engine" is a collection of types (fields, elliptic curve groups, etc.) -/// with well-defined relationships. Specific relationships (for example, a -/// pairing-friendly curve) can be defined in a subtrait. -pub trait ScalarEngine: Sized + 'static + Clone { - /// This is the scalar field of the engine's groups. - type Fr: PrimeField; -} - #[derive(Debug)] pub struct BitIterator> { t: E, diff --git a/group/src/lib.rs b/group/src/lib.rs index b2e83b30d..4ca6b612e 100644 --- a/group/src/lib.rs +++ b/group/src/lib.rs @@ -35,10 +35,6 @@ impl ScalarMul for T where T: Mul: for<'r> ScalarMul<&'r Rhs, Output> {} impl ScalarMulOwned for T where T: for<'r> ScalarMul<&'r Rhs, Output> {} diff --git a/pairing/src/bls12_381/mod.rs b/pairing/src/bls12_381/mod.rs index e6aaa063d..2732105c6 100644 --- a/pairing/src/bls12_381/mod.rs +++ b/pairing/src/bls12_381/mod.rs @@ -23,7 +23,7 @@ pub use self::fr::{Fr, FrRepr}; use super::{Engine, PairingCurveAffine}; -use ff::{BitIterator, Field, ScalarEngine}; +use ff::{BitIterator, Field}; use group::CurveAffine; use std::ops::{AddAssign, MulAssign, Neg, SubAssign}; use subtle::CtOption; @@ -35,11 +35,8 @@ const BLS_X_IS_NEGATIVE: bool = true; #[derive(Clone, Debug)] pub struct Bls12; -impl ScalarEngine for Bls12 { - type Fr = Fr; -} - impl Engine for Bls12 { + type Fr = Fr; type G1 = G1; type G1Affine = G1Affine; type G2 = G2; diff --git a/pairing/src/lib.rs b/pairing/src/lib.rs index 78394fdd4..88728d13f 100644 --- a/pairing/src/lib.rs +++ b/pairing/src/lib.rs @@ -21,14 +21,17 @@ pub mod tests; pub mod bls12_381; use core::ops::Mul; -use ff::{Field, PrimeField, ScalarEngine}; +use ff::{Field, PrimeField}; use group::{CurveAffine, CurveProjective, GroupOps, GroupOpsOwned, ScalarMul, ScalarMulOwned}; use subtle::CtOption; /// An "engine" is a collection of types (fields, elliptic curve groups, etc.) /// with well-defined relationships. In particular, the G1/G2 curve groups are /// of prime order `r`, and are equipped with a bilinear pairing function. -pub trait Engine: ScalarEngine { +pub trait Engine: Sized + 'static + Clone { + /// This is the scalar field of the engine's groups. + type Fr: PrimeField; + /// The projective representation of an element in G1. type G1: CurveProjective + From