zec
/
pasta_curves
mirror of https://github.com/zcash/pasta_curves.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Refactor PLONK prover

This commit is contained in:
therealyingtong 2021-01-20 21:47:55 +08:00
parent 5f89227cdd
commit 02b5b8442b
4 changed files with 430 additions and 256 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/plonk/circuit.rs
View File

@ -158,7 +158,7 @@ pub trait Assignment<F: Field> {
/// [`ConstraintSystem`] implementation.
pub trait Circuit<F: Field> {
/// This is a configuration object that stores things like columns.
type Config;
type Config: Copy;
/// The circuit is given an opportunity to describe the exact gate
/// arrangement, column arrangement, etc.

4
src/plonk/lookup.rs
View File

@ -1,7 +1,7 @@
use super::circuit::{Any, Column};
mod prover;
mod verifier;
pub(crate) mod prover;
pub(crate) mod verifier;
#[derive(Clone, Debug)]
pub(crate) struct Argument {

4
src/plonk/permutation.rs
View File

@ -7,8 +7,8 @@ use crate::{
};
pub(crate) mod keygen;
mod prover;
mod verifier;
pub(crate) mod prover;
pub(crate) mod verifier;
use std::io;

676
src/plonk/prover.rs
View File

@ -3,14 +3,14 @@ use std::iter;
use super::{
circuit::{Advice, Assignment, Circuit, Column, ConstraintSystem, Fixed},
vanishing, ChallengeBeta, ChallengeGamma, ChallengeTheta, ChallengeX, ChallengeY, Error,
ProvingKey,
lookup, permutation, vanishing, ChallengeBeta, ChallengeGamma, ChallengeTheta, ChallengeX,
ChallengeY, Error, ProvingKey,
};
use crate::arithmetic::{eval_polynomial, Curve, CurveAffine, FieldExt};
use crate::poly::{
commitment::{Blind, Params},
multiopen::{self, ProverQuery},
LagrangeCoeff, Polynomial,
Coeff, ExtendedLagrangeCoeff, LagrangeCoeff, Polynomial,
};
use crate::transcript::TranscriptWrite;
@ -20,50 +20,13 @@ use crate::transcript::TranscriptWrite;
pub fn create_proof<C: CurveAffine, T: TranscriptWrite<C>, ConcreteCircuit: Circuit<C::Scalar>>(
params: &Params<C>,
pk: &ProvingKey<C>,
circuit: &ConcreteCircuit,
aux: &[Polynomial<C::Scalar, LagrangeCoeff>],
circuits: &[ConcreteCircuit],
auxs: &[&[Polynomial<C::Scalar, LagrangeCoeff>]],
transcript: &mut T,
) -> Result<(), Error> {
if aux.len() != pk.vk.cs.num_aux_columns {
return Err(Error::IncompatibleParams);
}
struct WitnessCollection<F: Field> {
advice: Vec<Polynomial<F, LagrangeCoeff>>,
_marker: std::marker::PhantomData<F>,
}
impl<F: Field> Assignment<F> for WitnessCollection<F> {
fn assign_advice(
&mut self,
column: Column<Advice>,
row: usize,
to: impl FnOnce() -> Result<F, Error>,
) -> Result<(), Error> {
*self
.advice
.get_mut(column.index())
.and_then(|v| v.get_mut(row))
.ok_or(Error::BoundsFailure)? = to()?;
Ok(())
}
fn assign_fixed(
&mut self,
_: Column<Fixed>,
_: usize,
_: impl FnOnce() -> Result<F, Error>,
) -> Result<(), Error> {
// We only care about advice columns here
Ok(())
}
fn copy(&mut self, _: usize, _: usize, _: usize, _: usize, _: usize) -> Result<(), Error> {
// We only care about advice columns here
Ok(())
for aux in auxs.iter() {
if aux.len() != pk.vk.cs.num_aux_columns {
return Err(Error::IncompatibleParams);
}
}
@ -71,115 +34,218 @@ pub fn create_proof<C: CurveAffine, T: TranscriptWrite<C>, ConcreteCircuit: Circ
let mut meta = ConstraintSystem::default();
let config = ConcreteCircuit::configure(&mut meta);
let mut witness = WitnessCollection {
advice: vec![domain.empty_lagrange(); meta.num_advice_columns],
_marker: std::marker::PhantomData,
struct AuxSingle<C: CurveAffine> {
pub aux_values: Vec<Polynomial<C::Scalar, LagrangeCoeff>>,
pub aux_polys: Vec<Polynomial<C::Scalar, Coeff>>,
pub aux_cosets: Vec<Polynomial<C::Scalar, ExtendedLagrangeCoeff>>,
}
let aux_vec: Result<Vec<_>, _> = auxs
.iter()
.map(|aux| -> Result<AuxSingle<C>, Error> {
let aux_commitments_projective: Vec<_> = aux
.iter()
.map(|poly| params.commit_lagrange(poly, Blind::default()))
.collect();
let mut aux_commitments = vec![C::zero(); aux_commitments_projective.len()];
C::Projective::batch_to_affine(&aux_commitments_projective, &mut aux_commitments);
let aux_commitments = aux_commitments;
drop(aux_commitments_projective);
metrics::counter!("aux_commitments", aux_commitments.len() as u64);
for commitment in &aux_commitments {
transcript
.common_point(*commitment)
.map_err(|_| Error::TranscriptError)?;
}
let aux_polys: Vec<_> = aux
.iter()
.map(|poly| {
let lagrange_vec = domain.lagrange_from_vec(poly.to_vec());
domain.lagrange_to_coeff(lagrange_vec)
})
.collect();
let aux_cosets: Vec<_> = meta
.aux_queries
.iter()
.map(|&(column, at)| {
let poly = aux_polys[column.index()].clone();
domain.coeff_to_extended(poly, at)
})
.collect();
Ok(AuxSingle {
aux_values: aux.to_vec(),
aux_polys,
aux_cosets,
})
})
.collect();
let aux_vec = match aux_vec {
Ok(aux_vec) => aux_vec,
Err(err) => return Err(err),
};
// Synthesize the circuit to obtain the witness and other information.
circuit.synthesize(&mut witness, config)?;
let witness = witness;
// Compute commitments to aux column polynomials
let aux_commitments_projective: Vec<_> = aux
.iter()
.map(|poly| params.commit_lagrange(poly, Blind::default()))
.collect();
let mut aux_commitments = vec![C::zero(); aux_commitments_projective.len()];
C::Projective::batch_to_affine(&aux_commitments_projective, &mut aux_commitments);
let aux_commitments = aux_commitments;
drop(aux_commitments_projective);
metrics::counter!("aux_commitments", aux_commitments.len() as u64);
for commitment in &aux_commitments {
transcript
.common_point(*commitment)
.map_err(|_| Error::TranscriptError)?;
struct AdviceSingle<C: CurveAffine> {
pub advice_values: Vec<Polynomial<C::Scalar, LagrangeCoeff>>,
pub advice_polys: Vec<Polynomial<C::Scalar, Coeff>>,
pub advice_cosets: Vec<Polynomial<C::Scalar, ExtendedLagrangeCoeff>>,
pub advice_blinds: Vec<Blind<C::Scalar>>,
}
let aux_polys: Vec<_> = aux
let advice_vec: Result<Vec<_>, _> = circuits
.iter()
.map(|poly| {
let lagrange_vec = domain.lagrange_from_vec(poly.to_vec());
domain.lagrange_to_coeff(lagrange_vec)
.map(|circuit| -> Result<AdviceSingle<C>, Error> {
struct WitnessCollection<F: Field> {
pub advice: Vec<Polynomial<F, LagrangeCoeff>>,
_marker: std::marker::PhantomData<F>,
}
impl<F: Field> Assignment<F> for WitnessCollection<F> {
fn assign_advice(
&mut self,
column: Column<Advice>,
row: usize,
to: impl FnOnce() -> Result<F, Error>,
) -> Result<(), Error> {
*self
.advice
.get_mut(column.index())
.and_then(|v| v.get_mut(row))
.ok_or(Error::BoundsFailure)? = to()?;
Ok(())
}
fn assign_fixed(
&mut self,
_: Column<Fixed>,
_: usize,
_: impl FnOnce() -> Result<F, Error>,
) -> Result<(), Error> {
// We only care about advice columns here
Ok(())
}
fn copy(
&mut self,
_: usize,
_: usize,
_: usize,
_: usize,
_: usize,
) -> Result<(), Error> {
// We only care about advice columns here
Ok(())
}
}
let mut witness = WitnessCollection {
advice: vec![domain.empty_lagrange(); meta.num_advice_columns],
_marker: std::marker::PhantomData,
};
// Synthesize the circuit to obtain the witness and other information.
circuit.synthesize(&mut witness, config)?;
let witness = witness;
// Compute commitments to advice column polynomials
let advice_blinds: Vec<_> = witness
.advice
.iter()
.map(|_| Blind(C::Scalar::rand()))
.collect();
let advice_commitments_projective: Vec<_> = witness
.advice
.iter()
.zip(advice_blinds.iter())
.map(|(poly, blind)| params.commit_lagrange(poly, *blind))
.collect();
let mut advice_commitments = vec![C::zero(); advice_commitments_projective.len()];
C::Projective::batch_to_affine(&advice_commitments_projective, &mut advice_commitments);
let advice_commitments = advice_commitments;
drop(advice_commitments_projective);
metrics::counter!("advice_commitments", advice_commitments.len() as u64);
for commitment in &advice_commitments {
transcript
.write_point(*commitment)
.map_err(|_| Error::TranscriptError)?;
}
let advice_polys: Vec<_> = witness
.advice
.clone()
.into_iter()
.map(|poly| domain.lagrange_to_coeff(poly))
.collect();
let advice_cosets: Vec<_> = meta
.advice_queries
.iter()
.map(|&(column, at)| {
let poly = advice_polys[column.index()].clone();
domain.coeff_to_extended(poly, at)
})
.collect();
Ok(AdviceSingle {
advice_values: witness.advice,
advice_polys,
advice_cosets,
advice_blinds,
})
})
.collect();
let aux_cosets: Vec<_> = meta
.aux_queries
.iter()
.map(|&(column, at)| {
let poly = aux_polys[column.index()].clone();
domain.coeff_to_extended(poly, at)
})
.collect();
// Compute commitments to advice column polynomials
let advice_blinds: Vec<_> = witness
.advice
.iter()
.map(|_| Blind(C::Scalar::rand()))
.collect();
let advice_commitments_projective: Vec<_> = witness
.advice
.iter()
.zip(advice_blinds.iter())
.map(|(poly, blind)| params.commit_lagrange(poly, *blind))
.collect();
let mut advice_commitments = vec![C::zero(); advice_commitments_projective.len()];
C::Projective::batch_to_affine(&advice_commitments_projective, &mut advice_commitments);
let advice_commitments = advice_commitments;
drop(advice_commitments_projective);
metrics::counter!("advice_commitments", advice_commitments.len() as u64);
for commitment in &advice_commitments {
transcript
.write_point(*commitment)
.map_err(|_| Error::TranscriptError)?;
}
let advice_polys: Vec<_> = witness
.advice
.clone()
.into_iter()
.map(|poly| domain.lagrange_to_coeff(poly))
.collect();
let advice_cosets: Vec<_> = meta
.advice_queries
.iter()
.map(|&(column, at)| {
let poly = advice_polys[column.index()].clone();
domain.coeff_to_extended(poly, at)
})
.collect();
let advice_vec = match advice_vec {
Ok(advice_vec) => advice_vec,
Err(err) => return Err(err),
};
// Sample theta challenge for keeping lookup columns linearly independent
let theta = ChallengeTheta::get(transcript);
// Construct and commit to permuted values for each lookup
let lookups = pk
.vk
.cs
.lookups
let lookups_vec: Result<Vec<Vec<_>>, _> = aux_vec
.iter()
.map(|lookup| {
lookup.commit_permuted(
&pk,
&params,
&domain,
theta,
&witness.advice,
&pk.fixed_values,
&aux,
&advice_cosets,
&pk.fixed_cosets,
&aux_cosets,
transcript,
)
})
.collect::<Result<Vec<_>, _>>()?;
.zip(advice_vec.iter())
.map(
|(aux, advice)| -> Result<Vec<lookup::prover::Permuted<'_, C>>, Error> {
// Construct and commit to permuted values for each lookup
pk.vk
.cs
.lookups
.iter()
.map(|lookup| {
lookup.commit_permuted(
&pk,
&params,
&domain,
theta,
&advice.advice_values,
&pk.fixed_values,
&aux.aux_values,
&advice.advice_cosets,
&pk.fixed_cosets,
&aux.aux_cosets,
transcript,
)
})
.collect()
},
)
.collect();
let lookups_vec = match lookups_vec {
Ok(lookups_vec) => lookups_vec,
Err(err) => return Err(err),
};
// Sample beta challenge
let beta = ChallengeBeta::get(transcript);
@ -187,89 +253,166 @@ pub fn create_proof<C: CurveAffine, T: TranscriptWrite<C>, ConcreteCircuit: Circ
// Sample gamma challenge
let gamma = ChallengeGamma::get(transcript);
// Commit to permutations, if any.
let permutations = pk
.vk
.cs
.permutations
let permutations_vec: Result<Vec<Vec<_>>, _> = advice_vec
.iter()
.zip(pk.permutations.iter())
.map(|(p, pkey)| p.commit(params, pk, pkey, &witness.advice, beta, gamma, transcript))
.collect::<Result<Vec<_>, _>>()?;
.map(
|advice| -> Result<Vec<permutation::prover::Committed<C>>, Error> {
// Commit to permutations, if any.
pk.vk
.cs
.permutations
.iter()
.zip(pk.permutations.iter())
.map(|(p, pkey)| {
p.commit(
params,
pk,
pkey,
&advice.advice_values,
beta,
gamma,
transcript,
)
})
.collect()
},
)
.collect();
// Construct and commit to products for each lookup
let lookups = lookups
let permutations_vec = match permutations_vec {
Ok(permutations_vec) => permutations_vec,
Err(err) => return Err(err),
};
let lookups_vec: Result<Vec<Vec<lookup::prover::Committed<'_, C>>>, _> = lookups_vec
.into_iter()
.map(|lookup| lookup.commit_product(&pk, &params, theta, beta, gamma, transcript))
.collect::<Result<Vec<_>, _>>()?;
.map(|lookups| -> Result<Vec<_>, _> {
// Construct and commit to products for each lookup
lookups
.into_iter()
.map(|lookup| lookup.commit_product(&pk, &params, theta, beta, gamma, transcript))
.collect::<Result<Vec<_>, _>>()
})
.collect();
let lookups_vec = match lookups_vec {
Ok(lookups_vec) => lookups_vec,
Err(err) => return Err(err),
};
// Obtain challenge for keeping all separate gates linearly independent
let y = ChallengeY::get(transcript);
// Evaluate the h(X) polynomial's constraint system expressions for the permutation constraints, if any.
let (permutations, permutation_expressions): (Vec<_>, Vec<_>) = {
let tmp: Vec<_> = permutations
let (permutations_vec, permutation_expressions_vec): (Vec<Vec<_>>, Vec<Vec<_>>) =
permutations_vec
.into_iter()
.zip(pk.vk.cs.permutations.iter())
.zip(pk.permutations.iter())
.map(|((p, argument), pkey)| {
p.construct(pk, argument, pkey, &advice_cosets, beta, gamma)
.zip(advice_vec.iter())
.map(|(permutations, advice)| {
let tmp: Vec<_> = permutations
.into_iter()
.zip(pk.vk.cs.permutations.iter())
.zip(pk.permutations.iter())
.map(|((p, argument), pkey)| {
p.construct(pk, argument, pkey, &advice.advice_cosets, beta, gamma)
})
.collect();
tmp.into_iter().unzip()
})
.collect();
tmp.into_iter().unzip()
};
// Evaluate the h(X) polynomial's constraint system expressions for the lookup constraints, if any.
let (lookups, lookup_expressions): (Vec<_>, Vec<_>) = {
let tmp: Vec<_> = lookups
.collect::<Vec<(Vec<_>, Vec<_>)>>()
.into_iter()
.map(|p| p.construct(pk, theta, beta, gamma))
.collect();
.unzip();
tmp.into_iter().unzip()
};
let (lookups_vec, lookup_expressions_vec): (Vec<Vec<_>>, Vec<Vec<_>>) = lookups_vec
.into_iter()
.map(|lookups| {
// Evaluate the h(X) polynomial's constraint system expressions for the lookup constraints, if any.
let tmp: Vec<_> = lookups
.into_iter()
.map(|p| p.construct(pk, theta, beta, gamma))
.collect();
// Evaluate the h(X) polynomial's constraint system expressions for the constraints provided
let expressions = iter::empty()
// Custom constraints
.chain(meta.gates.iter().map(|poly| {
poly.evaluate(
&|index| pk.fixed_cosets[index].clone(),
&|index| advice_cosets[index].clone(),
&|index| aux_cosets[index].clone(),
&|a, b| a + &b,
&|a, b| a * &b,
&|a, scalar| a * scalar,
)
}))
// Permutation constraints, if any.
.chain(permutation_expressions.into_iter().flatten())
// Lookup constraints, if any.
.chain(lookup_expressions.into_iter().flatten());
tmp.into_iter().unzip()
})
.collect::<Vec<(Vec<_>, Vec<_>)>>()
.into_iter()
.unzip();
let expressions = advice_vec
.iter()
.zip(aux_vec.iter())
.zip(permutation_expressions_vec.into_iter())
.zip(lookup_expressions_vec.into_iter())
.flat_map(
|(((advice, aux), permutation_expressions), lookup_expressions)| {
iter::empty()
// Custom constraints
.chain(meta.gates.iter().map(move |poly| {
poly.evaluate(
&|index| pk.fixed_cosets[index].clone(),
&|index| advice.advice_cosets[index].clone(),
&|index| aux.aux_cosets[index].clone(),
&|a, b| a + &b,
&|a, b| a * &b,
&|a, scalar| a * scalar,
)
}))
// Permutation constraints, if any.
.chain(permutation_expressions.into_iter().flatten())
// Lookup constraints, if any.
.chain(lookup_expressions.into_iter().flatten())
},
)
.collect::<Vec<_>>()
.into_iter();
// Construct the vanishing argument
let vanishing = vanishing::Argument::construct(params, domain, expressions, y, transcript)?;
let x = ChallengeX::get(transcript);
// Evaluate polynomials at omega^i x
let advice_evals: Vec<_> = meta
.advice_queries
.iter()
.map(|&(column, at)| {
eval_polynomial(&advice_polys[column.index()], domain.rotate_omega(*x, at))
})
.collect();
// Compute and hash aux evals for each circuit instance
for aux in aux_vec.iter() {
// Evaluate polynomials at omega^i x
let aux_evals: Vec<_> = meta
.aux_queries
.iter()
.map(|&(column, at)| {
eval_polynomial(&aux.aux_polys[column.index()], domain.rotate_omega(*x, at))
})
.collect();
let aux_evals: Vec<_> = meta
.aux_queries
.iter()
.map(|&(column, at)| {
eval_polynomial(&aux_polys[column.index()], domain.rotate_omega(*x, at))
})
.collect();
// Hash each aux column evaluation
for eval in aux_evals.iter() {
transcript
.write_scalar(*eval)
.map_err(|_| Error::TranscriptError)?;
}
}
// Compute and hash advice evals for each circuit instance
for advice in advice_vec.iter() {
// Evaluate polynomials at omega^i x
let advice_evals: Vec<_> = meta
.advice_queries
.iter()
.map(|&(column, at)| {
eval_polynomial(
&advice.advice_polys[column.index()],
domain.rotate_omega(*x, at),
)
})
.collect();
// Hash each advice column evaluation
for eval in advice_evals.iter() {
transcript
.write_scalar(*eval)
.map_err(|_| Error::TranscriptError)?;
}
}
// Compute and hash fixed evals (shared across all circuit instances)
let fixed_evals: Vec<_> = meta
.fixed_queries
.iter()
@ -278,12 +421,8 @@ pub fn create_proof<C: CurveAffine, T: TranscriptWrite<C>, ConcreteCircuit: Circ
})
.collect();
// Hash each column evaluation
for eval in advice_evals
.iter()
.chain(aux_evals.iter())
.chain(fixed_evals.iter())
{
// Hash each fixed column evaluation
for eval in fixed_evals.iter() {
transcript
.write_scalar(*eval)
.map_err(|_| Error::TranscriptError)?;
@ -292,63 +431,98 @@ pub fn create_proof<C: CurveAffine, T: TranscriptWrite<C>, ConcreteCircuit: Circ
let vanishing = vanishing.evaluate(x, transcript)?;
// Evaluate the permutations, if any, at omega^i x.
let permutations = permutations
let permutations_vec: Result<Vec<Vec<permutation::prover::Evaluated<C>>>, _> = permutations_vec
.into_iter()
.zip(pk.permutations.iter())
.map(|(p, pkey)| p.evaluate(pk, pkey, x, transcript))
.collect::<Result<Vec<_>, _>>()?;
.map(|permutations| -> Result<Vec<_>, _> {
permutations
.into_iter()
.zip(pk.permutations.iter())
.map(|(p, pkey)| p.evaluate(pk, pkey, x, transcript))
.collect::<Result<Vec<_>, _>>()
})
.collect();
let permutations_vec = match permutations_vec {
Ok(permutations_vec) => permutations_vec,
Err(err) => return Err(err),
};
// Evaluate the lookups, if any, at omega^i x.
let lookups = lookups
let lookups_vec: Result<Vec<Vec<lookup::prover::Evaluated<C>>>, _> = lookups_vec
.into_iter()
.map(|p| p.evaluate(pk, x, transcript))
.collect::<Result<Vec<_>, _>>()?;
.map(|lookups| -> Result<Vec<_>, _> {
lookups
.into_iter()
.map(|p| p.evaluate(pk, x, transcript))
.collect::<Result<Vec<_>, _>>()
})
.collect();
let instances = iter::empty()
.chain(
pk.vk
.cs
.advice_queries
.iter()
.map(|&(column, at)| ProverQuery {
point: domain.rotate_omega(*x, at),
poly: &advice_polys[column.index()],
blind: advice_blinds[column.index()],
}),
)
.chain(
pk.vk
.cs
.aux_queries
.iter()
.map(|&(column, at)| ProverQuery {
point: domain.rotate_omega(*x, at),
poly: &aux_polys[column.index()],
blind: Blind::default(),
}),
)
let lookups_vec = match lookups_vec {
Ok(lookups_vec) => lookups_vec,
Err(err) => return Err(err),
};
let instances = aux_vec
.iter()
.zip(advice_vec.iter())
.zip(permutations_vec.iter())
.zip(lookups_vec.iter())
.flat_map(|(((aux, advice), permutations), lookups)| {
iter::empty()
.chain(
pk.vk
.cs
.aux_queries
.iter()
.map(move |&(column, at)| ProverQuery {
point: domain.rotate_omega(*x, at),
poly: &aux.aux_polys[column.index()],
blind: Blind::default(),
}),
)
.chain(
pk.vk
.cs
.advice_queries
.iter()
.map(move |&(column, at)| ProverQuery {
point: domain.rotate_omega(*x, at),
poly: &advice.advice_polys[column.index()],
blind: advice.advice_blinds[column.index()],
}),
)
.chain(
permutations
.iter()
.zip(pk.permutations.iter())
.map(move |(p, pkey)| p.open(pk, pkey, x))
.into_iter()
.flatten(),
)
.chain(
lookups
.iter()
.map(move |p| p.open(pk, x))
.into_iter()
.flatten(),
)
})
.collect::<Vec<_>>()
.into_iter()
.chain(
pk.vk
.cs
.fixed_queries
.iter()
.map(|&(column, at)| ProverQuery {
.map(move |&(column, at)| ProverQuery {
point: domain.rotate_omega(*x, at),
poly: &pk.fixed_polys[column.index()],
blind: Blind::default(),
}),
)
// We query the h(X) polynomial at x
.chain(vanishing.open(x))
.chain(
permutations
.iter()
.zip(pk.permutations.iter())
.map(|(p, pkey)| p.open(pk, pkey, x))
.into_iter()
.flatten(),
)
.chain(lookups.iter().map(|p| p.open(pk, x)).into_iter().flatten());
.chain(vanishing.open(x));
multiopen::create_proof(params, transcript, instances).map_err(|_| Error::OpeningError)
}