From 437782e902228dc6cf7f656b5ba949b28faf27ed Mon Sep 17 00:00:00 2001 From: therealyingtong Date: Tue, 9 Feb 2021 14:01:33 +0800 Subject: [PATCH 01/19] Hash fixed_commitments and permutations into transcript --- src/plonk.rs | 14 +++++++++++++- src/plonk/permutation.rs | 9 +++++++++ src/plonk/prover.rs | 3 +++ src/plonk/verifier.rs | 3 +++ 4 files changed, 28 insertions(+), 1 deletion(-) diff --git a/src/plonk.rs b/src/plonk.rs index 598d683..7844d28 100644 --- a/src/plonk.rs +++ b/src/plonk.rs @@ -9,7 +9,7 @@ use crate::arithmetic::CurveAffine; use crate::poly::{ commitment::Params, Coeff, EvaluationDomain, ExtendedLagrangeCoeff, LagrangeCoeff, Polynomial, }; -use crate::transcript::ChallengeScalar; +use crate::transcript::{ChallengeScalar, Transcript}; mod circuit; mod keygen; @@ -74,6 +74,18 @@ impl VerifyingKey { cs, }) } + + /// Hashes a verification key into a transcript. + pub fn hash>(&self, transcript: &mut T) -> io::Result<()> { + for commitment in &self.fixed_commitments { + transcript.common_point(*commitment)?; + } + for permutation in &self.permutations { + permutation.hash(transcript)?; + } + + Ok(()) + } } /// This is a proving key which allows for the creation of proofs for a diff --git a/src/plonk/permutation.rs b/src/plonk/permutation.rs index dffa01c..054ba23 100644 --- a/src/plonk/permutation.rs +++ b/src/plonk/permutation.rs @@ -4,6 +4,7 @@ use super::circuit::{Any, Column}; use crate::{ arithmetic::CurveAffine, poly::{Coeff, ExtendedLagrangeCoeff, LagrangeCoeff, Polynomial}, + transcript::Transcript, }; pub(crate) mod keygen; @@ -66,6 +67,14 @@ impl VerifyingKey { .collect::, _>>()?; Ok(VerifyingKey { commitments }) } + + pub(crate) fn hash>(&self, transcript: &mut T) -> io::Result<()> { + for commitment in &self.commitments { + transcript.common_point(*commitment)?; + } + + Ok(()) + } } /// The proving key for a single permutation argument. diff --git a/src/plonk/prover.rs b/src/plonk/prover.rs index 038b12d..41069bb 100644 --- a/src/plonk/prover.rs +++ b/src/plonk/prover.rs @@ -30,6 +30,9 @@ pub fn create_proof, ConcreteCircuit: Circ } } + // Hash verification key into transcript + pk.vk.hash(transcript).map_err(|_| Error::TranscriptError)?; + let domain = &pk.vk.domain; let mut meta = ConstraintSystem::default(); let config = ConcreteCircuit::configure(&mut meta); diff --git a/src/plonk/verifier.rs b/src/plonk/verifier.rs index 6d1f721..d324d48 100644 --- a/src/plonk/verifier.rs +++ b/src/plonk/verifier.rs @@ -29,6 +29,9 @@ pub fn verify_proof<'a, C: CurveAffine, T: TranscriptRead>( let num_proofs = instance_commitments.len(); + // Hash verification key into transcript + vk.hash(transcript).map_err(|_| Error::TranscriptError)?; + for instance_commitments in instance_commitments.iter() { // Hash the instance (external) commitments into the transcript for commitment in *instance_commitments { From 4aa4b4463a9a72e1cd3c90b86deda6a7ad4145b4 Mon Sep 17 00:00:00 2001 From: therealyingtong Date: Thu, 11 Feb 2021 22:30:26 +0800 Subject: [PATCH 02/19] Hash domain and cs into transcript --- src/plonk.rs | 30 +++++++++++++++- src/plonk/circuit.rs | 82 ++++++++++++++++++++++++++++++++++++++++++-- src/poly.rs | 8 +++++ src/poly/domain.rs | 17 +++++++++ 4 files changed, 134 insertions(+), 3 deletions(-) diff --git a/src/plonk.rs b/src/plonk.rs index 7844d28..bb00b2c 100644 --- a/src/plonk.rs +++ b/src/plonk.rs @@ -5,11 +5,14 @@ //! [halo]: https://eprint.iacr.org/2019/1021 //! [plonk]: https://eprint.iacr.org/2019/953 -use crate::arithmetic::CurveAffine; +use blake2b_simd::Params as Blake2bParams; + +use crate::arithmetic::{CurveAffine, FieldExt}; use crate::poly::{ commitment::Params, Coeff, EvaluationDomain, ExtendedLagrangeCoeff, LagrangeCoeff, Polynomial, }; use crate::transcript::{ChallengeScalar, Transcript}; +use std::convert::TryInto; mod circuit; mod keygen; @@ -77,13 +80,38 @@ impl VerifyingKey { /// Hashes a verification key into a transcript. pub fn hash>(&self, transcript: &mut T) -> io::Result<()> { + let mut hasher = Blake2bParams::new() + .hash_length(64) + .personal(C::BLAKE2B_PERSONALIZATION) + .to_state(); + + // Hash in constants in the domain which influence the proof + let domain_hash = &self.domain.hash(&mut hasher); + transcript.common_scalar(C::Scalar::from_bytes_wide(domain_hash))?; + + // Hash in `ConstraintSystem` + let cs_hash = &self.cs.hash(&mut hasher); + transcript.common_scalar(C::Scalar::from_bytes_wide(cs_hash))?; + + // Hash in vector of fixed commitments + hasher.update(b"num_fixed_commitments"); + hasher.update(&self.fixed_commitments.len().to_le_bytes()); for commitment in &self.fixed_commitments { transcript.common_point(*commitment)?; } + + // Hash in vector of permutation arguments + hasher.update(b"num_permutations"); + hasher.update(&self.permutations.len().to_le_bytes()); for permutation in &self.permutations { permutation.hash(transcript)?; } + // Hash in final Blake2bState + transcript.common_scalar(C::Scalar::from_bytes_wide( + hasher.finalize().as_bytes().try_into().unwrap(), + ))?; + Ok(()) } } diff --git a/src/plonk/circuit.rs b/src/plonk/circuit.rs index e8dfcfc..020ee35 100644 --- a/src/plonk/circuit.rs +++ b/src/plonk/circuit.rs @@ -1,8 +1,9 @@ +use blake2b_simd::State as Blake2bState; use core::cmp::max; use core::ops::{Add, Mul}; use ff::Field; use std::{ - convert::TryFrom, + convert::{TryFrom, TryInto}, ops::{Neg, Sub}, }; @@ -10,7 +11,7 @@ use super::{lookup, permutation, Error}; use crate::poly::Rotation; /// A column type -pub trait ColumnType: 'static + Sized {} +pub trait ColumnType: 'static + Sized + std::fmt::Debug {} /// A column with an index and type #[derive(Clone, Copy, Debug, Eq, PartialEq, Hash)] @@ -27,6 +28,11 @@ impl Column { pub(crate) fn column_type(&self) -> &C { &self.column_type } + + pub(crate) fn hash(&self, hasher: &mut Blake2bState) -> [u8; 64] { + hasher.update(&format!("{:?}", self).as_bytes()); + hasher.finalize().as_bytes().try_into().unwrap() + } } /// An advice column @@ -317,6 +323,12 @@ impl Expression { Expression::Scaled(poly, _) => poly.degree(), } } + + /// Hash an Expression into a Blake2bState + pub fn hash(&self, hasher: &mut Blake2bState) -> [u8; 64] { + hasher.update(&format!("{:?}", self).as_bytes()); + hasher.finalize().as_bytes().try_into().unwrap() + } } impl Neg for Expression { @@ -598,4 +610,70 @@ impl ConstraintSystem { self.num_instance_columns += 1; tmp } + + /// Hashes the `ConstraintSystem` into a `u64`. + pub fn hash(&self, mut hasher: &mut Blake2bState) -> [u8; 64] { + hasher.update(b"num_fixed_columns"); + hasher.update(&self.num_fixed_columns.to_le_bytes()); + + hasher.update(b"num_advice_columns"); + hasher.update(&self.num_advice_columns.to_le_bytes()); + + hasher.update(b"num_aux_columns"); + hasher.update(&self.num_aux_columns.to_le_bytes()); + + hasher.update(b"num_gates"); + hasher.update(&self.gates.len().to_le_bytes()); + for gate in self.gates.iter() { + hasher.update(gate.0.to_owned().as_bytes()); + gate.1.hash(&mut hasher); + } + + hasher.update(b"num_advice_queries"); + hasher.update(&self.advice_queries.len().to_le_bytes()); + for query in self.advice_queries.iter() { + query.0.hash(&mut hasher); + query.1.hash(&mut hasher); + } + + hasher.update(b"num_aux_queries"); + hasher.update(&self.aux_queries.len().to_le_bytes()); + for query in self.aux_queries.iter() { + query.0.hash(&mut hasher); + query.1.hash(&mut hasher); + } + + hasher.update(b"num_fixed_queries"); + hasher.update(&self.fixed_queries.len().to_le_bytes()); + for query in self.fixed_queries.iter() { + query.0.hash(&mut hasher); + query.1.hash(&mut hasher); + } + + hasher.update(b"num_permutations"); + hasher.update(&self.permutations.len().to_le_bytes()); + for argument in self.permutations.iter() { + hasher.update(&argument.get_columns().len().to_le_bytes()); + for column in argument.get_columns().iter() { + column.hash(&mut hasher); + } + } + + hasher.update(b"num_lookups"); + hasher.update(&self.lookups.len().to_le_bytes()); + for argument in self.lookups.iter() { + hasher.update(&argument.input_columns.len().to_le_bytes()); + hasher.update(&argument.table_columns.len().to_le_bytes()); + for (input, table) in argument + .input_columns + .iter() + .zip(argument.table_columns.iter()) + { + input.hash(&mut hasher); + table.hash(&mut hasher); + } + } + + hasher.finalize().as_bytes().try_into().unwrap() + } } diff --git a/src/poly.rs b/src/poly.rs index 5ac1462..45088f4 100644 --- a/src/poly.rs +++ b/src/poly.rs @@ -4,7 +4,9 @@ use crate::arithmetic::parallelize; +use blake2b_simd::State as Blake2bState; use ff::Field; +use std::convert::TryInto; use std::fmt::Debug; use std::marker::PhantomData; use std::ops::{Add, Deref, DerefMut, Index, IndexMut, Mul, RangeFrom, RangeFull, Sub}; @@ -228,4 +230,10 @@ impl Rotation { pub fn next() -> Rotation { Rotation(1) } + + /// Hash Rotation into a Blake2bState + pub fn hash(&self, hasher: &mut Blake2bState) -> [u8; 64] { + hasher.update(&format!("{:?}", self).as_bytes()); + hasher.finalize().as_bytes().try_into().unwrap() + } } diff --git a/src/poly/domain.rs b/src/poly/domain.rs index e8cc41e..c9a9dff 100644 --- a/src/poly/domain.rs +++ b/src/poly/domain.rs @@ -8,6 +8,9 @@ use super::{Coeff, ExtendedLagrangeCoeff, LagrangeCoeff, Polynomial, Rotation}; use ff::{Field, PrimeField}; use std::marker::PhantomData; +use blake2b_simd::State as Blake2bState; +use std::convert::TryInto; + /// This structure contains precomputed constants and other details needed for /// performing operations on an evaluation domain of size $2^k$ and an extended /// domain of size $2^{k} * j$ with $j \neq 0$. @@ -376,4 +379,18 @@ impl EvaluationDomain { pub fn get_quotient_poly_degree(&self) -> usize { self.quotient_poly_degree as usize } + + /// Hashes the constants in the domain which influence the proof into a u64 + pub fn hash(&self, hasher: &mut Blake2bState) -> [u8; 64] { + hasher.update(b"k"); + hasher.update(&self.k.to_le_bytes()); + + hasher.update(b"extended_k"); + hasher.update(&self.extended_k.to_le_bytes()); + + hasher.update(b"omega"); + hasher.update(&self.omega.to_bytes()); + + hasher.finalize().as_bytes().try_into().unwrap() + } } From b204ff74a8940af4c5fee8010d161c0abb556edd Mon Sep 17 00:00:00 2001 From: therealyingtong Date: Mon, 15 Feb 2021 12:46:14 +0800 Subject: [PATCH 03/19] Do not return hash results from component hash() methods --- src/plonk.rs | 8 +++----- src/plonk/circuit.rs | 15 +++++---------- src/plonk/permutation.rs | 9 ++++++++- src/poly.rs | 4 +--- src/poly/domain.rs | 6 ++---- 5 files changed, 19 insertions(+), 23 deletions(-) diff --git a/src/plonk.rs b/src/plonk.rs index bb00b2c..0655d18 100644 --- a/src/plonk.rs +++ b/src/plonk.rs @@ -86,12 +86,10 @@ impl VerifyingKey { .to_state(); // Hash in constants in the domain which influence the proof - let domain_hash = &self.domain.hash(&mut hasher); - transcript.common_scalar(C::Scalar::from_bytes_wide(domain_hash))?; + self.domain.hash(&mut hasher); // Hash in `ConstraintSystem` - let cs_hash = &self.cs.hash(&mut hasher); - transcript.common_scalar(C::Scalar::from_bytes_wide(cs_hash))?; + self.cs.hash(&mut hasher); // Hash in vector of fixed commitments hasher.update(b"num_fixed_commitments"); @@ -104,7 +102,7 @@ impl VerifyingKey { hasher.update(b"num_permutations"); hasher.update(&self.permutations.len().to_le_bytes()); for permutation in &self.permutations { - permutation.hash(transcript)?; + permutation.hash(&mut hasher, transcript)?; } // Hash in final Blake2bState diff --git a/src/plonk/circuit.rs b/src/plonk/circuit.rs index 020ee35..f7feea0 100644 --- a/src/plonk/circuit.rs +++ b/src/plonk/circuit.rs @@ -3,7 +3,7 @@ use core::cmp::max; use core::ops::{Add, Mul}; use ff::Field; use std::{ - convert::{TryFrom, TryInto}, + convert::TryFrom, ops::{Neg, Sub}, }; @@ -29,9 +29,8 @@ impl Column { &self.column_type } - pub(crate) fn hash(&self, hasher: &mut Blake2bState) -> [u8; 64] { + pub(crate) fn hash(&self, hasher: &mut Blake2bState) { hasher.update(&format!("{:?}", self).as_bytes()); - hasher.finalize().as_bytes().try_into().unwrap() } } @@ -325,9 +324,8 @@ impl Expression { } /// Hash an Expression into a Blake2bState - pub fn hash(&self, hasher: &mut Blake2bState) -> [u8; 64] { + pub fn hash(&self, hasher: &mut Blake2bState) { hasher.update(&format!("{:?}", self).as_bytes()); - hasher.finalize().as_bytes().try_into().unwrap() } } @@ -612,7 +610,7 @@ impl ConstraintSystem { } /// Hashes the `ConstraintSystem` into a `u64`. - pub fn hash(&self, mut hasher: &mut Blake2bState) -> [u8; 64] { + pub fn hash(&self, mut hasher: &mut Blake2bState) { hasher.update(b"num_fixed_columns"); hasher.update(&self.num_fixed_columns.to_le_bytes()); @@ -625,7 +623,6 @@ impl ConstraintSystem { hasher.update(b"num_gates"); hasher.update(&self.gates.len().to_le_bytes()); for gate in self.gates.iter() { - hasher.update(gate.0.to_owned().as_bytes()); gate.1.hash(&mut hasher); } @@ -663,7 +660,7 @@ impl ConstraintSystem { hasher.update(&self.lookups.len().to_le_bytes()); for argument in self.lookups.iter() { hasher.update(&argument.input_columns.len().to_le_bytes()); - hasher.update(&argument.table_columns.len().to_le_bytes()); + assert_eq!(argument.input_columns.len(), argument.table_columns.len()); for (input, table) in argument .input_columns .iter() @@ -673,7 +670,5 @@ impl ConstraintSystem { table.hash(&mut hasher); } } - - hasher.finalize().as_bytes().try_into().unwrap() } } diff --git a/src/plonk/permutation.rs b/src/plonk/permutation.rs index 054ba23..abf6af9 100644 --- a/src/plonk/permutation.rs +++ b/src/plonk/permutation.rs @@ -11,6 +11,7 @@ pub(crate) mod keygen; pub(crate) mod prover; pub(crate) mod verifier; +use blake2b_simd::State as Blake2bState; use std::io; /// A permutation argument. @@ -68,7 +69,13 @@ impl VerifyingKey { Ok(VerifyingKey { commitments }) } - pub(crate) fn hash>(&self, transcript: &mut T) -> io::Result<()> { + pub(crate) fn hash>( + &self, + hasher: &mut Blake2bState, + transcript: &mut T, + ) -> io::Result<()> { + hasher.update(b"num_commitments"); + hasher.update(&self.commitments.len().to_le_bytes()); for commitment in &self.commitments { transcript.common_point(*commitment)?; } diff --git a/src/poly.rs b/src/poly.rs index 45088f4..1954d16 100644 --- a/src/poly.rs +++ b/src/poly.rs @@ -6,7 +6,6 @@ use crate::arithmetic::parallelize; use blake2b_simd::State as Blake2bState; use ff::Field; -use std::convert::TryInto; use std::fmt::Debug; use std::marker::PhantomData; use std::ops::{Add, Deref, DerefMut, Index, IndexMut, Mul, RangeFrom, RangeFull, Sub}; @@ -232,8 +231,7 @@ impl Rotation { } /// Hash Rotation into a Blake2bState - pub fn hash(&self, hasher: &mut Blake2bState) -> [u8; 64] { + pub fn hash(&self, hasher: &mut Blake2bState) { hasher.update(&format!("{:?}", self).as_bytes()); - hasher.finalize().as_bytes().try_into().unwrap() } } diff --git a/src/poly/domain.rs b/src/poly/domain.rs index c9a9dff..6298a27 100644 --- a/src/poly/domain.rs +++ b/src/poly/domain.rs @@ -380,8 +380,8 @@ impl EvaluationDomain { self.quotient_poly_degree as usize } - /// Hashes the constants in the domain which influence the proof into a u64 - pub fn hash(&self, hasher: &mut Blake2bState) -> [u8; 64] { + /// Hashes the constants in the domain which influence the proof into a Blake2bState + pub fn hash(&self, hasher: &mut Blake2bState) { hasher.update(b"k"); hasher.update(&self.k.to_le_bytes()); @@ -390,7 +390,5 @@ impl EvaluationDomain { hasher.update(b"omega"); hasher.update(&self.omega.to_bytes()); - - hasher.finalize().as_bytes().try_into().unwrap() } } From e7d6f6756461de40f61681019bc0149dc72649da Mon Sep 17 00:00:00 2001 From: therealyingtong Date: Tue, 16 Feb 2021 00:20:54 +0800 Subject: [PATCH 04/19] Rename aux -> instance after rebasing --- src/plonk/circuit.rs | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/plonk/circuit.rs b/src/plonk/circuit.rs index f7feea0..7792908 100644 --- a/src/plonk/circuit.rs +++ b/src/plonk/circuit.rs @@ -617,8 +617,8 @@ impl ConstraintSystem { hasher.update(b"num_advice_columns"); hasher.update(&self.num_advice_columns.to_le_bytes()); - hasher.update(b"num_aux_columns"); - hasher.update(&self.num_aux_columns.to_le_bytes()); + hasher.update(b"num_instance_columns"); + hasher.update(&self.num_instance_columns.to_le_bytes()); hasher.update(b"num_gates"); hasher.update(&self.gates.len().to_le_bytes()); @@ -633,9 +633,9 @@ impl ConstraintSystem { query.1.hash(&mut hasher); } - hasher.update(b"num_aux_queries"); - hasher.update(&self.aux_queries.len().to_le_bytes()); - for query in self.aux_queries.iter() { + hasher.update(b"num_instance_queries"); + hasher.update(&self.instance_queries.len().to_le_bytes()); + for query in self.instance_queries.iter() { query.0.hash(&mut hasher); query.1.hash(&mut hasher); } From 52c028b4daf04dbc47466bbdc4a111508d76a3fc Mon Sep 17 00:00:00 2001 From: therealyingtong Date: Tue, 16 Feb 2021 01:09:54 +0800 Subject: [PATCH 05/19] Disambiguate naming of hash() -> hash_into() --- src/plonk.rs | 8 ++++---- src/plonk/circuit.rs | 26 +++++++++++++------------- src/plonk/permutation.rs | 2 +- src/plonk/prover.rs | 4 +++- src/plonk/verifier.rs | 3 ++- src/poly.rs | 2 +- src/poly/domain.rs | 3 +-- 7 files changed, 25 insertions(+), 23 deletions(-) diff --git a/src/plonk.rs b/src/plonk.rs index 0655d18..95ad65e 100644 --- a/src/plonk.rs +++ b/src/plonk.rs @@ -79,17 +79,17 @@ impl VerifyingKey { } /// Hashes a verification key into a transcript. - pub fn hash>(&self, transcript: &mut T) -> io::Result<()> { + pub fn hash_into>(&self, transcript: &mut T) -> io::Result<()> { let mut hasher = Blake2bParams::new() .hash_length(64) .personal(C::BLAKE2B_PERSONALIZATION) .to_state(); // Hash in constants in the domain which influence the proof - self.domain.hash(&mut hasher); + self.domain.hash_into(&mut hasher); // Hash in `ConstraintSystem` - self.cs.hash(&mut hasher); + self.cs.hash_into(&mut hasher); // Hash in vector of fixed commitments hasher.update(b"num_fixed_commitments"); @@ -102,7 +102,7 @@ impl VerifyingKey { hasher.update(b"num_permutations"); hasher.update(&self.permutations.len().to_le_bytes()); for permutation in &self.permutations { - permutation.hash(&mut hasher, transcript)?; + permutation.hash_into(&mut hasher, transcript)?; } // Hash in final Blake2bState diff --git a/src/plonk/circuit.rs b/src/plonk/circuit.rs index 7792908..0d2dbf0 100644 --- a/src/plonk/circuit.rs +++ b/src/plonk/circuit.rs @@ -29,7 +29,7 @@ impl Column { &self.column_type } - pub(crate) fn hash(&self, hasher: &mut Blake2bState) { + pub(crate) fn hash_into(&self, hasher: &mut Blake2bState) { hasher.update(&format!("{:?}", self).as_bytes()); } } @@ -324,7 +324,7 @@ impl Expression { } /// Hash an Expression into a Blake2bState - pub fn hash(&self, hasher: &mut Blake2bState) { + pub fn hash_into(&self, hasher: &mut Blake2bState) { hasher.update(&format!("{:?}", self).as_bytes()); } } @@ -610,7 +610,7 @@ impl ConstraintSystem { } /// Hashes the `ConstraintSystem` into a `u64`. - pub fn hash(&self, mut hasher: &mut Blake2bState) { + pub fn hash_into(&self, mut hasher: &mut Blake2bState) { hasher.update(b"num_fixed_columns"); hasher.update(&self.num_fixed_columns.to_le_bytes()); @@ -623,28 +623,28 @@ impl ConstraintSystem { hasher.update(b"num_gates"); hasher.update(&self.gates.len().to_le_bytes()); for gate in self.gates.iter() { - gate.1.hash(&mut hasher); + gate.1.hash_into(&mut hasher); } hasher.update(b"num_advice_queries"); hasher.update(&self.advice_queries.len().to_le_bytes()); for query in self.advice_queries.iter() { - query.0.hash(&mut hasher); - query.1.hash(&mut hasher); + query.0.hash_into(&mut hasher); + query.1.hash_into(&mut hasher); } hasher.update(b"num_instance_queries"); hasher.update(&self.instance_queries.len().to_le_bytes()); for query in self.instance_queries.iter() { - query.0.hash(&mut hasher); - query.1.hash(&mut hasher); + query.0.hash_into(&mut hasher); + query.1.hash_into(&mut hasher); } hasher.update(b"num_fixed_queries"); hasher.update(&self.fixed_queries.len().to_le_bytes()); for query in self.fixed_queries.iter() { - query.0.hash(&mut hasher); - query.1.hash(&mut hasher); + query.0.hash_into(&mut hasher); + query.1.hash_into(&mut hasher); } hasher.update(b"num_permutations"); @@ -652,7 +652,7 @@ impl ConstraintSystem { for argument in self.permutations.iter() { hasher.update(&argument.get_columns().len().to_le_bytes()); for column in argument.get_columns().iter() { - column.hash(&mut hasher); + column.hash_into(&mut hasher); } } @@ -666,8 +666,8 @@ impl ConstraintSystem { .iter() .zip(argument.table_columns.iter()) { - input.hash(&mut hasher); - table.hash(&mut hasher); + input.hash_into(&mut hasher); + table.hash_into(&mut hasher); } } } diff --git a/src/plonk/permutation.rs b/src/plonk/permutation.rs index abf6af9..336a765 100644 --- a/src/plonk/permutation.rs +++ b/src/plonk/permutation.rs @@ -69,7 +69,7 @@ impl VerifyingKey { Ok(VerifyingKey { commitments }) } - pub(crate) fn hash>( + pub(crate) fn hash_into>( &self, hasher: &mut Blake2bState, transcript: &mut T, diff --git a/src/plonk/prover.rs b/src/plonk/prover.rs index 41069bb..15ec08b 100644 --- a/src/plonk/prover.rs +++ b/src/plonk/prover.rs @@ -31,7 +31,9 @@ pub fn create_proof, ConcreteCircuit: Circ } // Hash verification key into transcript - pk.vk.hash(transcript).map_err(|_| Error::TranscriptError)?; + pk.vk + .hash_into(transcript) + .map_err(|_| Error::TranscriptError)?; let domain = &pk.vk.domain; let mut meta = ConstraintSystem::default(); diff --git a/src/plonk/verifier.rs b/src/plonk/verifier.rs index d324d48..f1f09d2 100644 --- a/src/plonk/verifier.rs +++ b/src/plonk/verifier.rs @@ -30,7 +30,8 @@ pub fn verify_proof<'a, C: CurveAffine, T: TranscriptRead>( let num_proofs = instance_commitments.len(); // Hash verification key into transcript - vk.hash(transcript).map_err(|_| Error::TranscriptError)?; + vk.hash_into(transcript) + .map_err(|_| Error::TranscriptError)?; for instance_commitments in instance_commitments.iter() { // Hash the instance (external) commitments into the transcript diff --git a/src/poly.rs b/src/poly.rs index 1954d16..26e776a 100644 --- a/src/poly.rs +++ b/src/poly.rs @@ -231,7 +231,7 @@ impl Rotation { } /// Hash Rotation into a Blake2bState - pub fn hash(&self, hasher: &mut Blake2bState) { + pub fn hash_into(&self, hasher: &mut Blake2bState) { hasher.update(&format!("{:?}", self).as_bytes()); } } diff --git a/src/poly/domain.rs b/src/poly/domain.rs index 6298a27..04eaea9 100644 --- a/src/poly/domain.rs +++ b/src/poly/domain.rs @@ -9,7 +9,6 @@ use ff::{Field, PrimeField}; use std::marker::PhantomData; use blake2b_simd::State as Blake2bState; -use std::convert::TryInto; /// This structure contains precomputed constants and other details needed for /// performing operations on an evaluation domain of size $2^k$ and an extended @@ -381,7 +380,7 @@ impl EvaluationDomain { } /// Hashes the constants in the domain which influence the proof into a Blake2bState - pub fn hash(&self, hasher: &mut Blake2bState) { + pub fn hash_into(&self, hasher: &mut Blake2bState) { hasher.update(b"k"); hasher.update(&self.k.to_le_bytes()); From f35e190455f071b2b12ae6f55581ae18d5d127f0 Mon Sep 17 00:00:00 2001 From: therealyingtong Date: Wed, 17 Feb 2021 11:32:14 +0800 Subject: [PATCH 06/19] Hash in field modulus, curve parameters --- src/plonk.rs | 47 ++++++++++++++++++++++++++++++++++++++++++++ src/plonk/circuit.rs | 2 ++ src/poly/domain.rs | 5 +++++ 3 files changed, 54 insertions(+) diff --git a/src/plonk.rs b/src/plonk.rs index 95ad65e..b3da309 100644 --- a/src/plonk.rs +++ b/src/plonk.rs @@ -85,6 +85,53 @@ impl VerifyingKey { .personal(C::BLAKE2B_PERSONALIZATION) .to_state(); + // Hash in curve parameters + hasher.update(&C::Scalar::ROOT_OF_UNITY.to_bytes()); + hasher.update(&C::Scalar::ROOT_OF_UNITY_INV.to_bytes()); + hasher.update( + &(C::Scalar::T_MINUS1_OVER2 + .iter() + .fold(Vec::new(), |mut res, word| { + res.extend_from_slice(&word.to_le_bytes()); + res + })), + ); + hasher.update(&C::Scalar::DELTA.to_bytes()); + hasher.update(&C::Scalar::TWO_INV.to_bytes()); + hasher.update(&C::Scalar::RESCUE_ALPHA.to_le_bytes()); + hasher.update( + &(C::Scalar::RESCUE_INVALPHA + .iter() + .fold(Vec::new(), |mut res, word| { + res.extend_from_slice(&word.to_le_bytes()); + res + })), + ); + hasher.update(&C::Base::ZETA.to_bytes()); + + hasher.update(&C::Base::ROOT_OF_UNITY.to_bytes()); + hasher.update(&C::Base::ROOT_OF_UNITY_INV.to_bytes()); + hasher.update( + &(C::Base::T_MINUS1_OVER2 + .iter() + .fold(Vec::new(), |mut res, word| { + res.extend_from_slice(&word.to_le_bytes()); + res + })), + ); + hasher.update(&C::Base::DELTA.to_bytes()); + hasher.update(&C::Base::TWO_INV.to_bytes()); + hasher.update(&C::Base::RESCUE_ALPHA.to_le_bytes()); + hasher.update( + &(C::Base::RESCUE_INVALPHA + .iter() + .fold(Vec::new(), |mut res, word| { + res.extend_from_slice(&word.to_le_bytes()); + res + })), + ); + hasher.update(&C::Base::ZETA.to_bytes()); + // Hash in constants in the domain which influence the proof self.domain.hash_into(&mut hasher); diff --git a/src/plonk/circuit.rs b/src/plonk/circuit.rs index 0d2dbf0..c65514d 100644 --- a/src/plonk/circuit.rs +++ b/src/plonk/circuit.rs @@ -30,6 +30,7 @@ impl Column { } pub(crate) fn hash_into(&self, hasher: &mut Blake2bState) { + hasher.update(&format!("{:?}", self).as_bytes().len().to_le_bytes()); hasher.update(&format!("{:?}", self).as_bytes()); } } @@ -325,6 +326,7 @@ impl Expression { /// Hash an Expression into a Blake2bState pub fn hash_into(&self, hasher: &mut Blake2bState) { + hasher.update(&format!("{:?}", self).as_bytes().len().to_le_bytes()); hasher.update(&format!("{:?}", self).as_bytes()); } } diff --git a/src/poly/domain.rs b/src/poly/domain.rs index 04eaea9..141c002 100644 --- a/src/poly/domain.rs +++ b/src/poly/domain.rs @@ -381,6 +381,11 @@ impl EvaluationDomain { /// Hashes the constants in the domain which influence the proof into a Blake2bState pub fn hash_into(&self, hasher: &mut Blake2bState) { + // Hash in field modulus + let modulus = G::Scalar::char_le_bits(); + hasher.update(&modulus.len().to_le_bytes()); + hasher.update(format!("{:?}", modulus).as_bytes()); + hasher.update(b"k"); hasher.update(&self.k.to_le_bytes()); From dfa7d96fa92840c4c694fce60a9b597c8eb1aa07 Mon Sep 17 00:00:00 2001 From: Sean Bowe Date: Wed, 17 Feb 2021 10:46:20 -0700 Subject: [PATCH 07/19] Refactor verification key hashing logic to use Display impls. --- src/arithmetic/fields.rs | 3 ++ src/pasta/curves.rs | 12 ++++- src/pasta/fields/fp.rs | 2 + src/pasta/fields/fq.rs | 2 + src/plonk.rs | 93 ++++++++++------------------------ src/plonk/circuit.rs | 107 ++++++++++++--------------------------- src/plonk/permutation.rs | 16 ------ src/poly/domain.rs | 32 +++++------- 8 files changed, 90 insertions(+), 177 deletions(-) diff --git a/src/arithmetic/fields.rs b/src/arithmetic/fields.rs index 10f3102..7c8a788 100644 --- a/src/arithmetic/fields.rs +++ b/src/arithmetic/fields.rs @@ -19,6 +19,9 @@ const_assert!(size_of::() >= 4); pub trait FieldExt: ff::PrimeField + From + Ord + ConstantTimeEq + Group { + /// Modulus of the field written as a string for display purposes + const MODULUS: &'static str; + /// Generator of the $2^S$ multiplicative subgroup const ROOT_OF_UNITY: Self; diff --git a/src/pasta/curves.rs b/src/pasta/curves.rs index 01ef683..23d0fcb 100644 --- a/src/pasta/curves.rs +++ b/src/pasta/curves.rs @@ -29,13 +29,23 @@ macro_rules! new_curve_impl { /// Represents a point in the affine coordinate space (or the point at /// infinity). - #[derive(Copy, Clone, Debug)] + #[derive(Copy, Clone)] pub struct $name_affine { x: $base, y: $base, infinity: Choice, } + impl std::fmt::Debug for $name_affine { + fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> Result<(), std::fmt::Error> { + if self.infinity.into() { + write!(f, "Infinity") + } else { + write!(f, "({:?}, {:?})", self.x, self.y) + } + } + } + impl Curve for $name { type Affine = $name_affine; type Scalar = $scalar; diff --git a/src/pasta/fields/fp.rs b/src/pasta/fields/fp.rs index 665bc5c..2ca3603 100644 --- a/src/pasta/fields/fp.rs +++ b/src/pasta/fields/fp.rs @@ -605,6 +605,8 @@ lazy_static! { } impl FieldExt for Fp { + const MODULUS: &'static str = + "0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001"; const ROOT_OF_UNITY: Self = ROOT_OF_UNITY; const ROOT_OF_UNITY_INV: Self = Fp::from_raw([ 0xf0b87c7db2ce91f6, diff --git a/src/pasta/fields/fq.rs b/src/pasta/fields/fq.rs index 79791d1..df9549c 100644 --- a/src/pasta/fields/fq.rs +++ b/src/pasta/fields/fq.rs @@ -605,6 +605,8 @@ lazy_static! { } impl FieldExt for Fq { + const MODULUS: &'static str = + "0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001"; const ROOT_OF_UNITY: Self = ROOT_OF_UNITY; const ROOT_OF_UNITY_INV: Self = Fq::from_raw([ 0x57eecda0a84b6836, diff --git a/src/plonk.rs b/src/plonk.rs index b3da309..c0addda 100644 --- a/src/plonk.rs +++ b/src/plonk.rs @@ -85,72 +85,10 @@ impl VerifyingKey { .personal(C::BLAKE2B_PERSONALIZATION) .to_state(); - // Hash in curve parameters - hasher.update(&C::Scalar::ROOT_OF_UNITY.to_bytes()); - hasher.update(&C::Scalar::ROOT_OF_UNITY_INV.to_bytes()); - hasher.update( - &(C::Scalar::T_MINUS1_OVER2 - .iter() - .fold(Vec::new(), |mut res, word| { - res.extend_from_slice(&word.to_le_bytes()); - res - })), - ); - hasher.update(&C::Scalar::DELTA.to_bytes()); - hasher.update(&C::Scalar::TWO_INV.to_bytes()); - hasher.update(&C::Scalar::RESCUE_ALPHA.to_le_bytes()); - hasher.update( - &(C::Scalar::RESCUE_INVALPHA - .iter() - .fold(Vec::new(), |mut res, word| { - res.extend_from_slice(&word.to_le_bytes()); - res - })), - ); - hasher.update(&C::Base::ZETA.to_bytes()); + let s = format!("{}", self); - hasher.update(&C::Base::ROOT_OF_UNITY.to_bytes()); - hasher.update(&C::Base::ROOT_OF_UNITY_INV.to_bytes()); - hasher.update( - &(C::Base::T_MINUS1_OVER2 - .iter() - .fold(Vec::new(), |mut res, word| { - res.extend_from_slice(&word.to_le_bytes()); - res - })), - ); - hasher.update(&C::Base::DELTA.to_bytes()); - hasher.update(&C::Base::TWO_INV.to_bytes()); - hasher.update(&C::Base::RESCUE_ALPHA.to_le_bytes()); - hasher.update( - &(C::Base::RESCUE_INVALPHA - .iter() - .fold(Vec::new(), |mut res, word| { - res.extend_from_slice(&word.to_le_bytes()); - res - })), - ); - hasher.update(&C::Base::ZETA.to_bytes()); - - // Hash in constants in the domain which influence the proof - self.domain.hash_into(&mut hasher); - - // Hash in `ConstraintSystem` - self.cs.hash_into(&mut hasher); - - // Hash in vector of fixed commitments - hasher.update(b"num_fixed_commitments"); - hasher.update(&self.fixed_commitments.len().to_le_bytes()); - for commitment in &self.fixed_commitments { - transcript.common_point(*commitment)?; - } - - // Hash in vector of permutation arguments - hasher.update(b"num_permutations"); - hasher.update(&self.permutations.len().to_le_bytes()); - for permutation in &self.permutations { - permutation.hash_into(&mut hasher, transcript)?; - } + hasher.update(&(s.len() as u64).to_le_bytes()); + hasher.update(s.as_bytes()); // Hash in final Blake2bState transcript.common_scalar(C::Scalar::from_bytes_wide( @@ -161,6 +99,28 @@ impl VerifyingKey { } } +impl std::fmt::Display for VerifyingKey { + fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> Result<(), std::fmt::Error> { + write!( + f, + "VerificationKey {{\ + base_modulus = {base_modulus}, \ + scalar_modulus = {scalar_modulus}, \ + domain = {domain}, \ + cs = {cs}, \ + fixed_commitments = {fixed_commitments:?}, \ + permutations = {permutations:?}\ + }}", + base_modulus = C::Base::MODULUS, + scalar_modulus = C::Scalar::MODULUS, + domain = self.domain, + cs = self.cs, + fixed_commitments = self.fixed_commitments, + permutations = self.permutations + ) + } +} + /// This is a proving key which allows for the creation of proofs for a /// particular circuit. #[derive(Debug)] @@ -589,7 +549,7 @@ fn test_proving() { } } - let a = Fp::rand(); + let a = Fp::from_u64(2834758237) * Fp::ZETA; let a_squared = a * &a; let instance = Fp::one() + Fp::one(); let lookup_table = vec![instance, a, a, Fp::zero()]; @@ -607,6 +567,7 @@ fn test_proving() { // Initialize the proving key let vk = keygen_vk(¶ms, &empty_circuit).expect("keygen_vk should not fail"); + assert_eq!(format!("{}", vk), "VerificationKey {base_modulus = 0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001, scalar_modulus = 0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001, domain = Domain {k = 5, extended_k = 7, omega = 0x0cc3380dc616f2e1daf29ad1560833ed3baea3393eceb7bc8fa36376929b78cc }, cs = ConstraintSystem {num_fixed_columns: 8, num_advice_columns: 5, num_instance_columns: 1, fixed_queries: [(Column { index: 6, column_type: Fixed }, Rotation(0)), (Column { index: 7, column_type: Fixed }, Rotation(0)), (Column { index: 0, column_type: Fixed }, Rotation(0)), (Column { index: 2, column_type: Fixed }, Rotation(0)), (Column { index: 3, column_type: Fixed }, Rotation(0)), (Column { index: 4, column_type: Fixed }, Rotation(0)), (Column { index: 1, column_type: Fixed }, Rotation(0)), (Column { index: 5, column_type: Fixed }, Rotation(0))], advice_queries: [(Column { index: 1, column_type: Advice }, Rotation(0)), (Column { index: 2, column_type: Advice }, Rotation(0)), (Column { index: 3, column_type: Advice }, Rotation(0)), (Column { index: 4, column_type: Advice }, Rotation(1)), (Column { index: 0, column_type: Advice }, Rotation(-1))], instance_queries: [(Column { index: 0, column_type: Instance }, Rotation(0))], permutations: [Argument { columns: [Column { index: 1, column_type: Advice }, Column { index: 2, column_type: Advice }, Column { index: 3, column_type: Advice }] }, Argument { columns: [Column { index: 1, column_type: Advice }, Column { index: 2, column_type: Advice }, Column { index: 3, column_type: Advice }] }], lookups: [Argument { input_columns: [Column { index: 1, column_type: Advice }], table_columns: [Column { index: 6, column_type: Fixed }] }, Argument { input_columns: [Column { index: 1, column_type: Advice }, Column { index: 2, column_type: Advice }], table_columns: [Column { index: 6, column_type: Fixed }, Column { index: 7, column_type: Fixed }] }], gates: [Sum(Sum(Sum(Sum(Product(Advice(0), Fixed(3)), Product(Advice(1), Fixed(4))), Product(Product(Advice(0), Advice(1)), Fixed(6))), Scaled(Product(Advice(2), Fixed(5)), 0x40000000000000000000000000000000224698fc094cf91b992d30ed00000000)), Product(Fixed(2), Product(Advice(3), Advice(4)))), Product(Fixed(7), Sum(Advice(0), Scaled(Instance(0), 0x40000000000000000000000000000000224698fc094cf91b992d30ed00000000))), ]}, fixed_commitments = [(0x3710f15f98bf0a7421343fdf390b9519506c67431a5c78678fbcc4db815c8547, 0x0a3c77f30ab2a2741b21cd45326c87dc7f7050b1a5e8c181a534b9c84a09cb02), (0x115235d6bd2467772db857d66e7f44837cd38bb6ac0c7b412c2997dd47cbbc3c, 0x0f339c20c40e10bed476699e2ddb88256092447582b250f329b0cbf6c3f66f17), (0x2a9ba245dcce53752e1de999b45c975472bb33b58aed8bcebdfcd185627895f0, 0x1252bf596b7acd19625f68845749f6672b99e71238cfabe91ca545103168d0f0), (0x2a9ba245dcce53752e1de999b45c975472bb33b58aed8bcebdfcd185627895f0, 0x1252bf596b7acd19625f68845749f6672b99e71238cfabe91ca545103168d0f0), (0x241d6d9c2060ce821d4b05ff2f9566c3947541f3d14a9aabcdb96c19158e8bc7, 0x39582cc6bdb1a4a88e89c050ad6db0ade34f45ec5791b07de6e694e9627ca66a), (0x1ee805e20232ba31eeae1fa345bd88ac7df81dc43ffb3967a218ea4defc9d17d, 0x2838c83c064d44e87e5c8d05a234ad24d2d4a502a370acb514b430f516c0f0bf), (0x37ead9904c760201ec4734ef398f0bdb5fe5a5e6e9db19c85e6b5483bdeb0a0b, 0x1dc08c38ed713b14f7a21a891a83b52160a3ffb0dccfbd70db7c7eb235dd193e), (0x2dc3d20553691216c988ecbb596c4bda329f27d50bd8a7c2fb0d84b423da3cb4, 0x025b40e800020458e15e3a57268562e6c08c6971d71262bd67c72437cfc60b4c)], permutations = [VerifyingKey { commitments: [(0x289f468bca3471a3d240169ec65047d0c4bb5e1135e81822523c74b596139fed, 0x1a585c821c71fb49c883859f1389bcae45f17593ddb5f9fee1781b27129e1b06), (0x096ef96a7725c636e7ca645dfe539694cf2a988da1ca50a468320f419d008054, 0x1ac0b48a254f8e2311081f81aa4a8ff39e37e40aa4c003325f1ac1219d231818), (0x254c9f0088599aba37607cfd1700c653ef3ec21bfd60b98c3d725678540bc4df, 0x134d9818929589052f3cd80d50140b851db26231b2b784a6b2528a64805598dc)] }, VerifyingKey { commitments: [(0x289f468bca3471a3d240169ec65047d0c4bb5e1135e81822523c74b596139fed, 0x1a585c821c71fb49c883859f1389bcae45f17593ddb5f9fee1781b27129e1b06), (0x096ef96a7725c636e7ca645dfe539694cf2a988da1ca50a468320f419d008054, 0x1ac0b48a254f8e2311081f81aa4a8ff39e37e40aa4c003325f1ac1219d231818), (0x254c9f0088599aba37607cfd1700c653ef3ec21bfd60b98c3d725678540bc4df, 0x134d9818929589052f3cd80d50140b851db26231b2b784a6b2528a64805598dc)] }]}"); let pk = keygen_pk(¶ms, vk, &empty_circuit).expect("keygen_pk should not fail"); let mut pubinputs = pk.get_vk().get_domain().empty_lagrange(); diff --git a/src/plonk/circuit.rs b/src/plonk/circuit.rs index c65514d..42464af 100644 --- a/src/plonk/circuit.rs +++ b/src/plonk/circuit.rs @@ -1,7 +1,6 @@ -use blake2b_simd::State as Blake2bState; use core::cmp::max; use core::ops::{Add, Mul}; -use ff::Field; +use ff::{Field, PrimeField}; use std::{ convert::TryFrom, ops::{Neg, Sub}, @@ -28,11 +27,6 @@ impl Column { pub(crate) fn column_type(&self) -> &C { &self.column_type } - - pub(crate) fn hash_into(&self, hasher: &mut Blake2bState) { - hasher.update(&format!("{:?}", self).as_bytes().len().to_le_bytes()); - hasher.update(&format!("{:?}", self).as_bytes()); - } } /// An advice column @@ -323,12 +317,6 @@ impl Expression { Expression::Scaled(poly, _) => poly.degree(), } } - - /// Hash an Expression into a Blake2bState - pub fn hash_into(&self, hasher: &mut Blake2bState) { - hasher.update(&format!("{:?}", self).as_bytes().len().to_le_bytes()); - hasher.update(&format!("{:?}", self).as_bytes()); - } } impl Neg for Expression { @@ -392,6 +380,36 @@ pub struct ConstraintSystem { pub(crate) lookups: Vec, } +impl std::fmt::Display for ConstraintSystem { + fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> Result<(), std::fmt::Error> { + write!( + f, + "ConstraintSystem {{\ + num_fixed_columns: {num_fixed_columns}, \ + num_advice_columns: {num_advice_columns}, \ + num_instance_columns: {num_instance_columns}, \ + fixed_queries: {fixed_queries:?}, \ + advice_queries: {advice_queries:?}, \ + instance_queries: {instance_queries:?}, \ + permutations: {permutations:?}, \ + lookups: {lookups:?}, \ + gates: [", + num_fixed_columns = self.num_fixed_columns, + num_advice_columns = self.num_advice_columns, + num_instance_columns = self.num_instance_columns, + fixed_queries = &self.fixed_queries, + advice_queries = &self.advice_queries, + instance_queries = &self.instance_queries, + lookups = &self.lookups, + permutations = &self.permutations + )?; + for (_, expr) in self.gates.iter() { + write!(f, "{:?}, ", expr)?; + } + write!(f, "]}}") + } +} + impl Default for ConstraintSystem { fn default() -> ConstraintSystem { ConstraintSystem { @@ -610,67 +628,4 @@ impl ConstraintSystem { self.num_instance_columns += 1; tmp } - - /// Hashes the `ConstraintSystem` into a `u64`. - pub fn hash_into(&self, mut hasher: &mut Blake2bState) { - hasher.update(b"num_fixed_columns"); - hasher.update(&self.num_fixed_columns.to_le_bytes()); - - hasher.update(b"num_advice_columns"); - hasher.update(&self.num_advice_columns.to_le_bytes()); - - hasher.update(b"num_instance_columns"); - hasher.update(&self.num_instance_columns.to_le_bytes()); - - hasher.update(b"num_gates"); - hasher.update(&self.gates.len().to_le_bytes()); - for gate in self.gates.iter() { - gate.1.hash_into(&mut hasher); - } - - hasher.update(b"num_advice_queries"); - hasher.update(&self.advice_queries.len().to_le_bytes()); - for query in self.advice_queries.iter() { - query.0.hash_into(&mut hasher); - query.1.hash_into(&mut hasher); - } - - hasher.update(b"num_instance_queries"); - hasher.update(&self.instance_queries.len().to_le_bytes()); - for query in self.instance_queries.iter() { - query.0.hash_into(&mut hasher); - query.1.hash_into(&mut hasher); - } - - hasher.update(b"num_fixed_queries"); - hasher.update(&self.fixed_queries.len().to_le_bytes()); - for query in self.fixed_queries.iter() { - query.0.hash_into(&mut hasher); - query.1.hash_into(&mut hasher); - } - - hasher.update(b"num_permutations"); - hasher.update(&self.permutations.len().to_le_bytes()); - for argument in self.permutations.iter() { - hasher.update(&argument.get_columns().len().to_le_bytes()); - for column in argument.get_columns().iter() { - column.hash_into(&mut hasher); - } - } - - hasher.update(b"num_lookups"); - hasher.update(&self.lookups.len().to_le_bytes()); - for argument in self.lookups.iter() { - hasher.update(&argument.input_columns.len().to_le_bytes()); - assert_eq!(argument.input_columns.len(), argument.table_columns.len()); - for (input, table) in argument - .input_columns - .iter() - .zip(argument.table_columns.iter()) - { - input.hash_into(&mut hasher); - table.hash_into(&mut hasher); - } - } - } } diff --git a/src/plonk/permutation.rs b/src/plonk/permutation.rs index 336a765..dffa01c 100644 --- a/src/plonk/permutation.rs +++ b/src/plonk/permutation.rs @@ -4,14 +4,12 @@ use super::circuit::{Any, Column}; use crate::{ arithmetic::CurveAffine, poly::{Coeff, ExtendedLagrangeCoeff, LagrangeCoeff, Polynomial}, - transcript::Transcript, }; pub(crate) mod keygen; pub(crate) mod prover; pub(crate) mod verifier; -use blake2b_simd::State as Blake2bState; use std::io; /// A permutation argument. @@ -68,20 +66,6 @@ impl VerifyingKey { .collect::, _>>()?; Ok(VerifyingKey { commitments }) } - - pub(crate) fn hash_into>( - &self, - hasher: &mut Blake2bState, - transcript: &mut T, - ) -> io::Result<()> { - hasher.update(b"num_commitments"); - hasher.update(&self.commitments.len().to_le_bytes()); - for commitment in &self.commitments { - transcript.common_point(*commitment)?; - } - - Ok(()) - } } /// The proving key for a single permutation argument. diff --git a/src/poly/domain.rs b/src/poly/domain.rs index 141c002..c103e10 100644 --- a/src/poly/domain.rs +++ b/src/poly/domain.rs @@ -7,9 +7,6 @@ use super::{Coeff, ExtendedLagrangeCoeff, LagrangeCoeff, Polynomial, Rotation}; use ff::{Field, PrimeField}; use std::marker::PhantomData; - -use blake2b_simd::State as Blake2bState; - /// This structure contains precomputed constants and other details needed for /// performing operations on an evaluation domain of size $2^k$ and an extended /// domain of size $2^{k} * j$ with $j \neq 0$. @@ -378,21 +375,20 @@ impl EvaluationDomain { pub fn get_quotient_poly_degree(&self) -> usize { self.quotient_poly_degree as usize } +} - /// Hashes the constants in the domain which influence the proof into a Blake2bState - pub fn hash_into(&self, hasher: &mut Blake2bState) { - // Hash in field modulus - let modulus = G::Scalar::char_le_bits(); - hasher.update(&modulus.len().to_le_bytes()); - hasher.update(format!("{:?}", modulus).as_bytes()); - - hasher.update(b"k"); - hasher.update(&self.k.to_le_bytes()); - - hasher.update(b"extended_k"); - hasher.update(&self.extended_k.to_le_bytes()); - - hasher.update(b"omega"); - hasher.update(&self.omega.to_bytes()); +impl std::fmt::Display for EvaluationDomain { + fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> Result<(), std::fmt::Error> { + write!( + f, + "Domain {{\ + k = {k:?}, \ + extended_k = {extended_k:?}, \ + omega = {omega:?} \ + }}", + k = self.k, + extended_k = self.extended_k, + omega = self.omega + ) } } From ea563434f48be4db4fde42665776feeda797e225 Mon Sep 17 00:00:00 2001 From: Sean Bowe Date: Wed, 17 Feb 2021 10:48:28 -0700 Subject: [PATCH 08/19] Remove hash_into from Rotation. --- src/poly.rs | 5 ----- 1 file changed, 5 deletions(-) diff --git a/src/poly.rs b/src/poly.rs index 26e776a..193bd39 100644 --- a/src/poly.rs +++ b/src/poly.rs @@ -229,9 +229,4 @@ impl Rotation { pub fn next() -> Rotation { Rotation(1) } - - /// Hash Rotation into a Blake2bState - pub fn hash_into(&self, hasher: &mut Blake2bState) { - hasher.update(&format!("{:?}", self).as_bytes()); - } } From 98f5b17359abd29bf69e1fd070e4065b21066d5a Mon Sep 17 00:00:00 2001 From: Sean Bowe Date: Wed, 17 Feb 2021 10:58:37 -0700 Subject: [PATCH 09/19] Remove unused import --- src/poly.rs | 1 - 1 file changed, 1 deletion(-) diff --git a/src/poly.rs b/src/poly.rs index 193bd39..5ac1462 100644 --- a/src/poly.rs +++ b/src/poly.rs @@ -4,7 +4,6 @@ use crate::arithmetic::parallelize; -use blake2b_simd::State as Blake2bState; use ff::Field; use std::fmt::Debug; use std::marker::PhantomData; From bc9d05e67b0581c8f34d5450a45696d6f976ba48 Mon Sep 17 00:00:00 2001 From: ebfull Date: Wed, 17 Feb 2021 13:44:28 -0700 Subject: [PATCH 10/19] Apply suggestions from code review Co-authored-by: str4d --- src/plonk.rs | 4 ++-- src/plonk/circuit.rs | 2 +- src/poly/domain.rs | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/plonk.rs b/src/plonk.rs index c0addda..c7c39a5 100644 --- a/src/plonk.rs +++ b/src/plonk.rs @@ -92,7 +92,7 @@ impl VerifyingKey { // Hash in final Blake2bState transcript.common_scalar(C::Scalar::from_bytes_wide( - hasher.finalize().as_bytes().try_into().unwrap(), + hasher.finalize().as_array(), ))?; Ok(()) @@ -103,7 +103,7 @@ impl std::fmt::Display for VerifyingKey { fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> Result<(), std::fmt::Error> { write!( f, - "VerificationKey {{\ + "VerificationKey {{ \ base_modulus = {base_modulus}, \ scalar_modulus = {scalar_modulus}, \ domain = {domain}, \ diff --git a/src/plonk/circuit.rs b/src/plonk/circuit.rs index 42464af..3360c05 100644 --- a/src/plonk/circuit.rs +++ b/src/plonk/circuit.rs @@ -384,7 +384,7 @@ impl std::fmt::Display for ConstraintSystem { fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> Result<(), std::fmt::Error> { write!( f, - "ConstraintSystem {{\ + "ConstraintSystem {{ \ num_fixed_columns: {num_fixed_columns}, \ num_advice_columns: {num_advice_columns}, \ num_instance_columns: {num_instance_columns}, \ diff --git a/src/poly/domain.rs b/src/poly/domain.rs index c103e10..eb5ef9e 100644 --- a/src/poly/domain.rs +++ b/src/poly/domain.rs @@ -381,7 +381,7 @@ impl std::fmt::Display for EvaluationDomain { fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> Result<(), std::fmt::Error> { write!( f, - "Domain {{\ + "Domain {{ \ k = {k:?}, \ extended_k = {extended_k:?}, \ omega = {omega:?} \ From 6226426be03974f8baf917c1214c45bf4792ed21 Mon Sep 17 00:00:00 2001 From: Sean Bowe Date: Wed, 17 Feb 2021 13:53:31 -0700 Subject: [PATCH 11/19] Restore whitespace --- src/poly/domain.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/src/poly/domain.rs b/src/poly/domain.rs index eb5ef9e..d4c8498 100644 --- a/src/poly/domain.rs +++ b/src/poly/domain.rs @@ -7,6 +7,7 @@ use super::{Coeff, ExtendedLagrangeCoeff, LagrangeCoeff, Polynomial, Rotation}; use ff::{Field, PrimeField}; use std::marker::PhantomData; + /// This structure contains precomputed constants and other details needed for /// performing operations on an evaluation domain of size $2^k$ and an extended /// domain of size $2^{k} * j$ with $j \neq 0$. From 34a5bfd4b1c10b8fed2917ce8e3e402015a3f76d Mon Sep 17 00:00:00 2001 From: Sean Bowe Date: Wed, 17 Feb 2021 13:53:50 -0700 Subject: [PATCH 12/19] Remove unused TryInto import. --- src/plonk.rs | 1 - 1 file changed, 1 deletion(-) diff --git a/src/plonk.rs b/src/plonk.rs index c7c39a5..59cdd58 100644 --- a/src/plonk.rs +++ b/src/plonk.rs @@ -12,7 +12,6 @@ use crate::poly::{ commitment::Params, Coeff, EvaluationDomain, ExtendedLagrangeCoeff, LagrangeCoeff, Polynomial, }; use crate::transcript::{ChallengeScalar, Transcript}; -use std::convert::TryInto; mod circuit; mod keygen; From 2076701fc38c232a12319a2e549d226c377f6bb6 Mon Sep 17 00:00:00 2001 From: Sean Bowe Date: Wed, 17 Feb 2021 13:55:38 -0700 Subject: [PATCH 13/19] cargo fmt --- src/plonk.rs | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/plonk.rs b/src/plonk.rs index 59cdd58..07368a1 100644 --- a/src/plonk.rs +++ b/src/plonk.rs @@ -90,9 +90,7 @@ impl VerifyingKey { hasher.update(s.as_bytes()); // Hash in final Blake2bState - transcript.common_scalar(C::Scalar::from_bytes_wide( - hasher.finalize().as_array(), - ))?; + transcript.common_scalar(C::Scalar::from_bytes_wide(hasher.finalize().as_array()))?; Ok(()) } From 87536cea1020d3ae6aa3f59d3406ba6c3c09d940 Mon Sep 17 00:00:00 2001 From: Sean Bowe Date: Wed, 17 Feb 2021 15:15:08 -0700 Subject: [PATCH 14/19] Use newtypes to simplify Debug implementations for pinning verification keys. --- src/plonk.rs | 57 ++++++++++++++++++++++--------------- src/plonk/circuit.rs | 67 ++++++++++++++++++++++++++------------------ src/poly/domain.rs | 31 +++++++++++--------- 3 files changed, 90 insertions(+), 65 deletions(-) diff --git a/src/plonk.rs b/src/plonk.rs index 07368a1..639d149 100644 --- a/src/plonk.rs +++ b/src/plonk.rs @@ -9,7 +9,8 @@ use blake2b_simd::Params as Blake2bParams; use crate::arithmetic::{CurveAffine, FieldExt}; use crate::poly::{ - commitment::Params, Coeff, EvaluationDomain, ExtendedLagrangeCoeff, LagrangeCoeff, Polynomial, + commitment::Params, Coeff, EvaluationDomain, ExtendedLagrangeCoeff, LagrangeCoeff, + PinnedEvaluationDomain, Polynomial, }; use crate::transcript::{ChallengeScalar, Transcript}; @@ -84,7 +85,7 @@ impl VerifyingKey { .personal(C::BLAKE2B_PERSONALIZATION) .to_state(); - let s = format!("{}", self); + let s = format!("{:?}", self.pinned()); hasher.update(&(s.len() as u64).to_le_bytes()); hasher.update(s.as_bytes()); @@ -94,30 +95,40 @@ impl VerifyingKey { Ok(()) } -} -impl std::fmt::Display for VerifyingKey { - fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> Result<(), std::fmt::Error> { - write!( - f, - "VerificationKey {{ \ - base_modulus = {base_modulus}, \ - scalar_modulus = {scalar_modulus}, \ - domain = {domain}, \ - cs = {cs}, \ - fixed_commitments = {fixed_commitments:?}, \ - permutations = {permutations:?}\ - }}", - base_modulus = C::Base::MODULUS, - scalar_modulus = C::Scalar::MODULUS, - domain = self.domain, - cs = self.cs, - fixed_commitments = self.fixed_commitments, - permutations = self.permutations - ) + /// Obtains a pinned representation of this verification key that contains + /// the minimal information necessary to reconstruct the verification key. + pub fn pinned(&self) -> PinnedVerificationKey<'_, C> { + PinnedVerificationKey { + domain: self.domain.pinned(), + fixed_commitments: &self.fixed_commitments, + permutations: &self.permutations, + cs: self.cs.pinned(), + } } } +/// Minimal representation of a verification key that can be used to identify +/// its active contents. +pub struct PinnedVerificationKey<'a, C: CurveAffine> { + domain: PinnedEvaluationDomain<'a, C::Scalar>, + fixed_commitments: &'a Vec, + permutations: &'a Vec>, + cs: PinnedConstraintSystem<'a, C::Scalar>, +} + +impl<'a, C: CurveAffine> std::fmt::Debug for PinnedVerificationKey<'a, C> { + fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> Result<(), std::fmt::Error> { + f.debug_struct("PinnedVerificationKey") + .field("base_modulus", &C::Base::MODULUS) + .field("scalar_modulus", &C::Scalar::MODULUS) + .field("domain", &self.domain) + .field("cs", &self.cs) + .field("fixed_commitments", self.fixed_commitments) + .field("permutations", self.permutations) + .finish() + } +} /// This is a proving key which allows for the creation of proofs for a /// particular circuit. #[derive(Debug)] @@ -564,7 +575,7 @@ fn test_proving() { // Initialize the proving key let vk = keygen_vk(¶ms, &empty_circuit).expect("keygen_vk should not fail"); - assert_eq!(format!("{}", vk), "VerificationKey {base_modulus = 0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001, scalar_modulus = 0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001, domain = Domain {k = 5, extended_k = 7, omega = 0x0cc3380dc616f2e1daf29ad1560833ed3baea3393eceb7bc8fa36376929b78cc }, cs = ConstraintSystem {num_fixed_columns: 8, num_advice_columns: 5, num_instance_columns: 1, fixed_queries: [(Column { index: 6, column_type: Fixed }, Rotation(0)), (Column { index: 7, column_type: Fixed }, Rotation(0)), (Column { index: 0, column_type: Fixed }, Rotation(0)), (Column { index: 2, column_type: Fixed }, Rotation(0)), (Column { index: 3, column_type: Fixed }, Rotation(0)), (Column { index: 4, column_type: Fixed }, Rotation(0)), (Column { index: 1, column_type: Fixed }, Rotation(0)), (Column { index: 5, column_type: Fixed }, Rotation(0))], advice_queries: [(Column { index: 1, column_type: Advice }, Rotation(0)), (Column { index: 2, column_type: Advice }, Rotation(0)), (Column { index: 3, column_type: Advice }, Rotation(0)), (Column { index: 4, column_type: Advice }, Rotation(1)), (Column { index: 0, column_type: Advice }, Rotation(-1))], instance_queries: [(Column { index: 0, column_type: Instance }, Rotation(0))], permutations: [Argument { columns: [Column { index: 1, column_type: Advice }, Column { index: 2, column_type: Advice }, Column { index: 3, column_type: Advice }] }, Argument { columns: [Column { index: 1, column_type: Advice }, Column { index: 2, column_type: Advice }, Column { index: 3, column_type: Advice }] }], lookups: [Argument { input_columns: [Column { index: 1, column_type: Advice }], table_columns: [Column { index: 6, column_type: Fixed }] }, Argument { input_columns: [Column { index: 1, column_type: Advice }, Column { index: 2, column_type: Advice }], table_columns: [Column { index: 6, column_type: Fixed }, Column { index: 7, column_type: Fixed }] }], gates: [Sum(Sum(Sum(Sum(Product(Advice(0), Fixed(3)), Product(Advice(1), Fixed(4))), Product(Product(Advice(0), Advice(1)), Fixed(6))), Scaled(Product(Advice(2), Fixed(5)), 0x40000000000000000000000000000000224698fc094cf91b992d30ed00000000)), Product(Fixed(2), Product(Advice(3), Advice(4)))), Product(Fixed(7), Sum(Advice(0), Scaled(Instance(0), 0x40000000000000000000000000000000224698fc094cf91b992d30ed00000000))), ]}, fixed_commitments = [(0x3710f15f98bf0a7421343fdf390b9519506c67431a5c78678fbcc4db815c8547, 0x0a3c77f30ab2a2741b21cd45326c87dc7f7050b1a5e8c181a534b9c84a09cb02), (0x115235d6bd2467772db857d66e7f44837cd38bb6ac0c7b412c2997dd47cbbc3c, 0x0f339c20c40e10bed476699e2ddb88256092447582b250f329b0cbf6c3f66f17), (0x2a9ba245dcce53752e1de999b45c975472bb33b58aed8bcebdfcd185627895f0, 0x1252bf596b7acd19625f68845749f6672b99e71238cfabe91ca545103168d0f0), (0x2a9ba245dcce53752e1de999b45c975472bb33b58aed8bcebdfcd185627895f0, 0x1252bf596b7acd19625f68845749f6672b99e71238cfabe91ca545103168d0f0), (0x241d6d9c2060ce821d4b05ff2f9566c3947541f3d14a9aabcdb96c19158e8bc7, 0x39582cc6bdb1a4a88e89c050ad6db0ade34f45ec5791b07de6e694e9627ca66a), (0x1ee805e20232ba31eeae1fa345bd88ac7df81dc43ffb3967a218ea4defc9d17d, 0x2838c83c064d44e87e5c8d05a234ad24d2d4a502a370acb514b430f516c0f0bf), (0x37ead9904c760201ec4734ef398f0bdb5fe5a5e6e9db19c85e6b5483bdeb0a0b, 0x1dc08c38ed713b14f7a21a891a83b52160a3ffb0dccfbd70db7c7eb235dd193e), (0x2dc3d20553691216c988ecbb596c4bda329f27d50bd8a7c2fb0d84b423da3cb4, 0x025b40e800020458e15e3a57268562e6c08c6971d71262bd67c72437cfc60b4c)], permutations = [VerifyingKey { commitments: [(0x289f468bca3471a3d240169ec65047d0c4bb5e1135e81822523c74b596139fed, 0x1a585c821c71fb49c883859f1389bcae45f17593ddb5f9fee1781b27129e1b06), (0x096ef96a7725c636e7ca645dfe539694cf2a988da1ca50a468320f419d008054, 0x1ac0b48a254f8e2311081f81aa4a8ff39e37e40aa4c003325f1ac1219d231818), (0x254c9f0088599aba37607cfd1700c653ef3ec21bfd60b98c3d725678540bc4df, 0x134d9818929589052f3cd80d50140b851db26231b2b784a6b2528a64805598dc)] }, VerifyingKey { commitments: [(0x289f468bca3471a3d240169ec65047d0c4bb5e1135e81822523c74b596139fed, 0x1a585c821c71fb49c883859f1389bcae45f17593ddb5f9fee1781b27129e1b06), (0x096ef96a7725c636e7ca645dfe539694cf2a988da1ca50a468320f419d008054, 0x1ac0b48a254f8e2311081f81aa4a8ff39e37e40aa4c003325f1ac1219d231818), (0x254c9f0088599aba37607cfd1700c653ef3ec21bfd60b98c3d725678540bc4df, 0x134d9818929589052f3cd80d50140b851db26231b2b784a6b2528a64805598dc)] }]}"); + assert_eq!(format!("{:?}", vk.pinned()), "PinnedVerificationKey { base_modulus: \"0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001\", scalar_modulus: \"0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001\", domain: PinnedEvaluationDomain { k: 5, extended_k: 7, omega: 0x0cc3380dc616f2e1daf29ad1560833ed3baea3393eceb7bc8fa36376929b78cc }, cs: PinnedConstraintSystem { num_fixed_columns: 8, num_advice_columns: 5, num_instance_columns: 1, gates: [Sum(Sum(Sum(Sum(Product(Advice(0), Fixed(3)), Product(Advice(1), Fixed(4))), Product(Product(Advice(0), Advice(1)), Fixed(6))), Scaled(Product(Advice(2), Fixed(5)), 0x40000000000000000000000000000000224698fc094cf91b992d30ed00000000)), Product(Fixed(2), Product(Advice(3), Advice(4)))), Product(Fixed(7), Sum(Advice(0), Scaled(Instance(0), 0x40000000000000000000000000000000224698fc094cf91b992d30ed00000000)))], advice_queries: [(Column { index: 1, column_type: Advice }, Rotation(0)), (Column { index: 2, column_type: Advice }, Rotation(0)), (Column { index: 3, column_type: Advice }, Rotation(0)), (Column { index: 4, column_type: Advice }, Rotation(1)), (Column { index: 0, column_type: Advice }, Rotation(-1))], instance_queries: [(Column { index: 0, column_type: Instance }, Rotation(0))], fixed_queries: [(Column { index: 6, column_type: Fixed }, Rotation(0)), (Column { index: 7, column_type: Fixed }, Rotation(0)), (Column { index: 0, column_type: Fixed }, Rotation(0)), (Column { index: 2, column_type: Fixed }, Rotation(0)), (Column { index: 3, column_type: Fixed }, Rotation(0)), (Column { index: 4, column_type: Fixed }, Rotation(0)), (Column { index: 1, column_type: Fixed }, Rotation(0)), (Column { index: 5, column_type: Fixed }, Rotation(0))], permutations: [Argument { columns: [Column { index: 1, column_type: Advice }, Column { index: 2, column_type: Advice }, Column { index: 3, column_type: Advice }] }, Argument { columns: [Column { index: 1, column_type: Advice }, Column { index: 2, column_type: Advice }, Column { index: 3, column_type: Advice }] }], lookups: [Argument { input_columns: [Column { index: 1, column_type: Advice }], table_columns: [Column { index: 6, column_type: Fixed }] }, Argument { input_columns: [Column { index: 1, column_type: Advice }, Column { index: 2, column_type: Advice }], table_columns: [Column { index: 6, column_type: Fixed }, Column { index: 7, column_type: Fixed }] }] }, fixed_commitments: [(0x3710f15f98bf0a7421343fdf390b9519506c67431a5c78678fbcc4db815c8547, 0x0a3c77f30ab2a2741b21cd45326c87dc7f7050b1a5e8c181a534b9c84a09cb02), (0x115235d6bd2467772db857d66e7f44837cd38bb6ac0c7b412c2997dd47cbbc3c, 0x0f339c20c40e10bed476699e2ddb88256092447582b250f329b0cbf6c3f66f17), (0x2a9ba245dcce53752e1de999b45c975472bb33b58aed8bcebdfcd185627895f0, 0x1252bf596b7acd19625f68845749f6672b99e71238cfabe91ca545103168d0f0), (0x2a9ba245dcce53752e1de999b45c975472bb33b58aed8bcebdfcd185627895f0, 0x1252bf596b7acd19625f68845749f6672b99e71238cfabe91ca545103168d0f0), (0x241d6d9c2060ce821d4b05ff2f9566c3947541f3d14a9aabcdb96c19158e8bc7, 0x39582cc6bdb1a4a88e89c050ad6db0ade34f45ec5791b07de6e694e9627ca66a), (0x1ee805e20232ba31eeae1fa345bd88ac7df81dc43ffb3967a218ea4defc9d17d, 0x2838c83c064d44e87e5c8d05a234ad24d2d4a502a370acb514b430f516c0f0bf), (0x37ead9904c760201ec4734ef398f0bdb5fe5a5e6e9db19c85e6b5483bdeb0a0b, 0x1dc08c38ed713b14f7a21a891a83b52160a3ffb0dccfbd70db7c7eb235dd193e), (0x2dc3d20553691216c988ecbb596c4bda329f27d50bd8a7c2fb0d84b423da3cb4, 0x025b40e800020458e15e3a57268562e6c08c6971d71262bd67c72437cfc60b4c)], permutations: [VerifyingKey { commitments: [(0x289f468bca3471a3d240169ec65047d0c4bb5e1135e81822523c74b596139fed, 0x1a585c821c71fb49c883859f1389bcae45f17593ddb5f9fee1781b27129e1b06), (0x096ef96a7725c636e7ca645dfe539694cf2a988da1ca50a468320f419d008054, 0x1ac0b48a254f8e2311081f81aa4a8ff39e37e40aa4c003325f1ac1219d231818), (0x254c9f0088599aba37607cfd1700c653ef3ec21bfd60b98c3d725678540bc4df, 0x134d9818929589052f3cd80d50140b851db26231b2b784a6b2528a64805598dc)] }, VerifyingKey { commitments: [(0x289f468bca3471a3d240169ec65047d0c4bb5e1135e81822523c74b596139fed, 0x1a585c821c71fb49c883859f1389bcae45f17593ddb5f9fee1781b27129e1b06), (0x096ef96a7725c636e7ca645dfe539694cf2a988da1ca50a468320f419d008054, 0x1ac0b48a254f8e2311081f81aa4a8ff39e37e40aa4c003325f1ac1219d231818), (0x254c9f0088599aba37607cfd1700c653ef3ec21bfd60b98c3d725678540bc4df, 0x134d9818929589052f3cd80d50140b851db26231b2b784a6b2528a64805598dc)] }] }"); let pk = keygen_pk(¶ms, vk, &empty_circuit).expect("keygen_pk should not fail"); let mut pubinputs = pk.get_vk().get_domain().empty_lagrange(); diff --git a/src/plonk/circuit.rs b/src/plonk/circuit.rs index 3360c05..eda0f1a 100644 --- a/src/plonk/circuit.rs +++ b/src/plonk/circuit.rs @@ -1,6 +1,6 @@ use core::cmp::max; use core::ops::{Add, Mul}; -use ff::{Field, PrimeField}; +use ff::Field; use std::{ convert::TryFrom, ops::{Neg, Sub}, @@ -380,33 +380,27 @@ pub struct ConstraintSystem { pub(crate) lookups: Vec, } -impl std::fmt::Display for ConstraintSystem { +/// Represents the minimal parameters that determine a `ConstraintSystem`. +#[derive(Debug)] +pub struct PinnedConstraintSystem<'a, F: Field> { + num_fixed_columns: &'a usize, + num_advice_columns: &'a usize, + num_instance_columns: &'a usize, + gates: PinnedGates<'a, F>, + advice_queries: &'a Vec<(Column, Rotation)>, + instance_queries: &'a Vec<(Column, Rotation)>, + fixed_queries: &'a Vec<(Column, Rotation)>, + permutations: &'a Vec, + lookups: &'a Vec, +} + +struct PinnedGates<'a, F: Field>(&'a Vec<(&'static str, Expression)>); + +impl<'a, F: Field> std::fmt::Debug for PinnedGates<'a, F> { fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> Result<(), std::fmt::Error> { - write!( - f, - "ConstraintSystem {{ \ - num_fixed_columns: {num_fixed_columns}, \ - num_advice_columns: {num_advice_columns}, \ - num_instance_columns: {num_instance_columns}, \ - fixed_queries: {fixed_queries:?}, \ - advice_queries: {advice_queries:?}, \ - instance_queries: {instance_queries:?}, \ - permutations: {permutations:?}, \ - lookups: {lookups:?}, \ - gates: [", - num_fixed_columns = self.num_fixed_columns, - num_advice_columns = self.num_advice_columns, - num_instance_columns = self.num_instance_columns, - fixed_queries = &self.fixed_queries, - advice_queries = &self.advice_queries, - instance_queries = &self.instance_queries, - lookups = &self.lookups, - permutations = &self.permutations - )?; - for (_, expr) in self.gates.iter() { - write!(f, "{:?}, ", expr)?; - } - write!(f, "]}}") + f.debug_list() + .entries(self.0.iter().map(|&(_, ref expr)| expr)) + .finish() } } @@ -427,7 +421,24 @@ impl Default for ConstraintSystem { } impl ConstraintSystem { - /// Add a permutation argument for some columns + /// Obtain a pinned version of this constraint system; a structure with the + /// minimal parameters needed to determine the rest of the constraint + /// system. + pub fn pinned(&self) -> PinnedConstraintSystem<'_, F> { + PinnedConstraintSystem { + num_fixed_columns: &self.num_fixed_columns, + num_advice_columns: &self.num_advice_columns, + num_instance_columns: &self.num_instance_columns, + gates: PinnedGates(&self.gates), + fixed_queries: &self.fixed_queries, + advice_queries: &self.advice_queries, + instance_queries: &self.instance_queries, + permutations: &self.permutations, + lookups: &self.lookups, + } + } + + /// Add a permutation argument for some advice columns pub fn permutation(&mut self, columns: &[Column]) -> usize { let index = self.permutations.len(); diff --git a/src/poly/domain.rs b/src/poly/domain.rs index d4c8498..c6bd2ce 100644 --- a/src/poly/domain.rs +++ b/src/poly/domain.rs @@ -376,20 +376,23 @@ impl EvaluationDomain { pub fn get_quotient_poly_degree(&self) -> usize { self.quotient_poly_degree as usize } -} -impl std::fmt::Display for EvaluationDomain { - fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> Result<(), std::fmt::Error> { - write!( - f, - "Domain {{ \ - k = {k:?}, \ - extended_k = {extended_k:?}, \ - omega = {omega:?} \ - }}", - k = self.k, - extended_k = self.extended_k, - omega = self.omega - ) + /// Obtain a pinned version of this evaluation domain; a structure with the + /// minimal parameters needed to determine the rest of the evaluation + /// domain. + pub fn pinned(&self) -> PinnedEvaluationDomain<'_, G> { + PinnedEvaluationDomain { + k: &self.k, + extended_k: &self.extended_k, + omega: &self.omega, + } } } + +/// Represents the minimal parameters that determine an `EvaluationDomain`. +#[derive(Debug)] +pub struct PinnedEvaluationDomain<'a, G: Group> { + k: &'a u32, + extended_k: &'a u32, + omega: &'a G::Scalar, +} From 2fe4e0d9009467a2a45018ae41f80455fa788a1b Mon Sep 17 00:00:00 2001 From: Sean Bowe Date: Wed, 17 Feb 2021 15:17:23 -0700 Subject: [PATCH 15/19] Change personalization of BLAKE2b used in hash_into. --- src/plonk.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/plonk.rs b/src/plonk.rs index 639d149..43cacc0 100644 --- a/src/plonk.rs +++ b/src/plonk.rs @@ -82,7 +82,7 @@ impl VerifyingKey { pub fn hash_into>(&self, transcript: &mut T) -> io::Result<()> { let mut hasher = Blake2bParams::new() .hash_length(64) - .personal(C::BLAKE2B_PERSONALIZATION) + .personal(b"Halo2-Verify-Key") .to_state(); let s = format!("{:?}", self.pinned()); From 2b1c319ba00ad746a2a6d5c4553778cb375bc82f Mon Sep 17 00:00:00 2001 From: Sean Bowe Date: Wed, 17 Feb 2021 15:38:43 -0700 Subject: [PATCH 16/19] Use pretty-printing in test of verification key pinning. --- src/plonk.rs | 330 ++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 329 insertions(+), 1 deletion(-) diff --git a/src/plonk.rs b/src/plonk.rs index 43cacc0..f9a91f3 100644 --- a/src/plonk.rs +++ b/src/plonk.rs @@ -575,7 +575,6 @@ fn test_proving() { // Initialize the proving key let vk = keygen_vk(¶ms, &empty_circuit).expect("keygen_vk should not fail"); - assert_eq!(format!("{:?}", vk.pinned()), "PinnedVerificationKey { base_modulus: \"0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001\", scalar_modulus: \"0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001\", domain: PinnedEvaluationDomain { k: 5, extended_k: 7, omega: 0x0cc3380dc616f2e1daf29ad1560833ed3baea3393eceb7bc8fa36376929b78cc }, cs: PinnedConstraintSystem { num_fixed_columns: 8, num_advice_columns: 5, num_instance_columns: 1, gates: [Sum(Sum(Sum(Sum(Product(Advice(0), Fixed(3)), Product(Advice(1), Fixed(4))), Product(Product(Advice(0), Advice(1)), Fixed(6))), Scaled(Product(Advice(2), Fixed(5)), 0x40000000000000000000000000000000224698fc094cf91b992d30ed00000000)), Product(Fixed(2), Product(Advice(3), Advice(4)))), Product(Fixed(7), Sum(Advice(0), Scaled(Instance(0), 0x40000000000000000000000000000000224698fc094cf91b992d30ed00000000)))], advice_queries: [(Column { index: 1, column_type: Advice }, Rotation(0)), (Column { index: 2, column_type: Advice }, Rotation(0)), (Column { index: 3, column_type: Advice }, Rotation(0)), (Column { index: 4, column_type: Advice }, Rotation(1)), (Column { index: 0, column_type: Advice }, Rotation(-1))], instance_queries: [(Column { index: 0, column_type: Instance }, Rotation(0))], fixed_queries: [(Column { index: 6, column_type: Fixed }, Rotation(0)), (Column { index: 7, column_type: Fixed }, Rotation(0)), (Column { index: 0, column_type: Fixed }, Rotation(0)), (Column { index: 2, column_type: Fixed }, Rotation(0)), (Column { index: 3, column_type: Fixed }, Rotation(0)), (Column { index: 4, column_type: Fixed }, Rotation(0)), (Column { index: 1, column_type: Fixed }, Rotation(0)), (Column { index: 5, column_type: Fixed }, Rotation(0))], permutations: [Argument { columns: [Column { index: 1, column_type: Advice }, Column { index: 2, column_type: Advice }, Column { index: 3, column_type: Advice }] }, Argument { columns: [Column { index: 1, column_type: Advice }, Column { index: 2, column_type: Advice }, Column { index: 3, column_type: Advice }] }], lookups: [Argument { input_columns: [Column { index: 1, column_type: Advice }], table_columns: [Column { index: 6, column_type: Fixed }] }, Argument { input_columns: [Column { index: 1, column_type: Advice }, Column { index: 2, column_type: Advice }], table_columns: [Column { index: 6, column_type: Fixed }, Column { index: 7, column_type: Fixed }] }] }, fixed_commitments: [(0x3710f15f98bf0a7421343fdf390b9519506c67431a5c78678fbcc4db815c8547, 0x0a3c77f30ab2a2741b21cd45326c87dc7f7050b1a5e8c181a534b9c84a09cb02), (0x115235d6bd2467772db857d66e7f44837cd38bb6ac0c7b412c2997dd47cbbc3c, 0x0f339c20c40e10bed476699e2ddb88256092447582b250f329b0cbf6c3f66f17), (0x2a9ba245dcce53752e1de999b45c975472bb33b58aed8bcebdfcd185627895f0, 0x1252bf596b7acd19625f68845749f6672b99e71238cfabe91ca545103168d0f0), (0x2a9ba245dcce53752e1de999b45c975472bb33b58aed8bcebdfcd185627895f0, 0x1252bf596b7acd19625f68845749f6672b99e71238cfabe91ca545103168d0f0), (0x241d6d9c2060ce821d4b05ff2f9566c3947541f3d14a9aabcdb96c19158e8bc7, 0x39582cc6bdb1a4a88e89c050ad6db0ade34f45ec5791b07de6e694e9627ca66a), (0x1ee805e20232ba31eeae1fa345bd88ac7df81dc43ffb3967a218ea4defc9d17d, 0x2838c83c064d44e87e5c8d05a234ad24d2d4a502a370acb514b430f516c0f0bf), (0x37ead9904c760201ec4734ef398f0bdb5fe5a5e6e9db19c85e6b5483bdeb0a0b, 0x1dc08c38ed713b14f7a21a891a83b52160a3ffb0dccfbd70db7c7eb235dd193e), (0x2dc3d20553691216c988ecbb596c4bda329f27d50bd8a7c2fb0d84b423da3cb4, 0x025b40e800020458e15e3a57268562e6c08c6971d71262bd67c72437cfc60b4c)], permutations: [VerifyingKey { commitments: [(0x289f468bca3471a3d240169ec65047d0c4bb5e1135e81822523c74b596139fed, 0x1a585c821c71fb49c883859f1389bcae45f17593ddb5f9fee1781b27129e1b06), (0x096ef96a7725c636e7ca645dfe539694cf2a988da1ca50a468320f419d008054, 0x1ac0b48a254f8e2311081f81aa4a8ff39e37e40aa4c003325f1ac1219d231818), (0x254c9f0088599aba37607cfd1700c653ef3ec21bfd60b98c3d725678540bc4df, 0x134d9818929589052f3cd80d50140b851db26231b2b784a6b2528a64805598dc)] }, VerifyingKey { commitments: [(0x289f468bca3471a3d240169ec65047d0c4bb5e1135e81822523c74b596139fed, 0x1a585c821c71fb49c883859f1389bcae45f17593ddb5f9fee1781b27129e1b06), (0x096ef96a7725c636e7ca645dfe539694cf2a988da1ca50a468320f419d008054, 0x1ac0b48a254f8e2311081f81aa4a8ff39e37e40aa4c003325f1ac1219d231818), (0x254c9f0088599aba37607cfd1700c653ef3ec21bfd60b98c3d725678540bc4df, 0x134d9818929589052f3cd80d50140b851db26231b2b784a6b2528a64805598dc)] }] }"); let pk = keygen_pk(¶ms, vk, &empty_circuit).expect("keygen_pk should not fail"); let mut pubinputs = pk.get_vk().get_domain().empty_lagrange(); @@ -650,4 +649,333 @@ fn test_proving() { assert!(msm.eval()); } } + + // Check that the verification key has not changed unexpectedly + { + assert_eq!( + format!("{:#?}", pk.vk.pinned()), + r#####"PinnedVerificationKey { + base_modulus: "0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001", + scalar_modulus: "0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001", + domain: PinnedEvaluationDomain { + k: 5, + extended_k: 7, + omega: 0x0cc3380dc616f2e1daf29ad1560833ed3baea3393eceb7bc8fa36376929b78cc, + }, + cs: PinnedConstraintSystem { + num_fixed_columns: 8, + num_advice_columns: 5, + num_instance_columns: 1, + gates: [ + Sum( + Sum( + Sum( + Sum( + Product( + Advice( + 0, + ), + Fixed( + 3, + ), + ), + Product( + Advice( + 1, + ), + Fixed( + 4, + ), + ), + ), + Product( + Product( + Advice( + 0, + ), + Advice( + 1, + ), + ), + Fixed( + 6, + ), + ), + ), + Scaled( + Product( + Advice( + 2, + ), + Fixed( + 5, + ), + ), + 0x40000000000000000000000000000000224698fc094cf91b992d30ed00000000, + ), + ), + Product( + Fixed( + 2, + ), + Product( + Advice( + 3, + ), + Advice( + 4, + ), + ), + ), + ), + Product( + Fixed( + 7, + ), + Sum( + Advice( + 0, + ), + Scaled( + Instance( + 0, + ), + 0x40000000000000000000000000000000224698fc094cf91b992d30ed00000000, + ), + ), + ), + ], + advice_queries: [ + ( + Column { + index: 1, + column_type: Advice, + }, + Rotation( + 0, + ), + ), + ( + Column { + index: 2, + column_type: Advice, + }, + Rotation( + 0, + ), + ), + ( + Column { + index: 3, + column_type: Advice, + }, + Rotation( + 0, + ), + ), + ( + Column { + index: 4, + column_type: Advice, + }, + Rotation( + 1, + ), + ), + ( + Column { + index: 0, + column_type: Advice, + }, + Rotation( + -1, + ), + ), + ], + instance_queries: [ + ( + Column { + index: 0, + column_type: Instance, + }, + Rotation( + 0, + ), + ), + ], + fixed_queries: [ + ( + Column { + index: 6, + column_type: Fixed, + }, + Rotation( + 0, + ), + ), + ( + Column { + index: 7, + column_type: Fixed, + }, + Rotation( + 0, + ), + ), + ( + Column { + index: 0, + column_type: Fixed, + }, + Rotation( + 0, + ), + ), + ( + Column { + index: 2, + column_type: Fixed, + }, + Rotation( + 0, + ), + ), + ( + Column { + index: 3, + column_type: Fixed, + }, + Rotation( + 0, + ), + ), + ( + Column { + index: 4, + column_type: Fixed, + }, + Rotation( + 0, + ), + ), + ( + Column { + index: 1, + column_type: Fixed, + }, + Rotation( + 0, + ), + ), + ( + Column { + index: 5, + column_type: Fixed, + }, + Rotation( + 0, + ), + ), + ], + permutations: [ + Argument { + columns: [ + Column { + index: 1, + column_type: Advice, + }, + Column { + index: 2, + column_type: Advice, + }, + Column { + index: 3, + column_type: Advice, + }, + ], + }, + Argument { + columns: [ + Column { + index: 1, + column_type: Advice, + }, + Column { + index: 2, + column_type: Advice, + }, + Column { + index: 3, + column_type: Advice, + }, + ], + }, + ], + lookups: [ + Argument { + input_columns: [ + Column { + index: 1, + column_type: Advice, + }, + ], + table_columns: [ + Column { + index: 6, + column_type: Fixed, + }, + ], + }, + Argument { + input_columns: [ + Column { + index: 1, + column_type: Advice, + }, + Column { + index: 2, + column_type: Advice, + }, + ], + table_columns: [ + Column { + index: 6, + column_type: Fixed, + }, + Column { + index: 7, + column_type: Fixed, + }, + ], + }, + ], + }, + fixed_commitments: [ + (0x3710f15f98bf0a7421343fdf390b9519506c67431a5c78678fbcc4db815c8547, 0x0a3c77f30ab2a2741b21cd45326c87dc7f7050b1a5e8c181a534b9c84a09cb02), + (0x115235d6bd2467772db857d66e7f44837cd38bb6ac0c7b412c2997dd47cbbc3c, 0x0f339c20c40e10bed476699e2ddb88256092447582b250f329b0cbf6c3f66f17), + (0x2a9ba245dcce53752e1de999b45c975472bb33b58aed8bcebdfcd185627895f0, 0x1252bf596b7acd19625f68845749f6672b99e71238cfabe91ca545103168d0f0), + (0x2a9ba245dcce53752e1de999b45c975472bb33b58aed8bcebdfcd185627895f0, 0x1252bf596b7acd19625f68845749f6672b99e71238cfabe91ca545103168d0f0), + (0x241d6d9c2060ce821d4b05ff2f9566c3947541f3d14a9aabcdb96c19158e8bc7, 0x39582cc6bdb1a4a88e89c050ad6db0ade34f45ec5791b07de6e694e9627ca66a), + (0x1ee805e20232ba31eeae1fa345bd88ac7df81dc43ffb3967a218ea4defc9d17d, 0x2838c83c064d44e87e5c8d05a234ad24d2d4a502a370acb514b430f516c0f0bf), + (0x37ead9904c760201ec4734ef398f0bdb5fe5a5e6e9db19c85e6b5483bdeb0a0b, 0x1dc08c38ed713b14f7a21a891a83b52160a3ffb0dccfbd70db7c7eb235dd193e), + (0x2dc3d20553691216c988ecbb596c4bda329f27d50bd8a7c2fb0d84b423da3cb4, 0x025b40e800020458e15e3a57268562e6c08c6971d71262bd67c72437cfc60b4c), + ], + permutations: [ + VerifyingKey { + commitments: [ + (0x289f468bca3471a3d240169ec65047d0c4bb5e1135e81822523c74b596139fed, 0x1a585c821c71fb49c883859f1389bcae45f17593ddb5f9fee1781b27129e1b06), + (0x096ef96a7725c636e7ca645dfe539694cf2a988da1ca50a468320f419d008054, 0x1ac0b48a254f8e2311081f81aa4a8ff39e37e40aa4c003325f1ac1219d231818), + (0x254c9f0088599aba37607cfd1700c653ef3ec21bfd60b98c3d725678540bc4df, 0x134d9818929589052f3cd80d50140b851db26231b2b784a6b2528a64805598dc), + ], + }, + VerifyingKey { + commitments: [ + (0x289f468bca3471a3d240169ec65047d0c4bb5e1135e81822523c74b596139fed, 0x1a585c821c71fb49c883859f1389bcae45f17593ddb5f9fee1781b27129e1b06), + (0x096ef96a7725c636e7ca645dfe539694cf2a988da1ca50a468320f419d008054, 0x1ac0b48a254f8e2311081f81aa4a8ff39e37e40aa4c003325f1ac1219d231818), + (0x254c9f0088599aba37607cfd1700c653ef3ec21bfd60b98c3d725678540bc4df, 0x134d9818929589052f3cd80d50140b851db26231b2b784a6b2528a64805598dc), + ], + }, + ], +}"#####); + } } From 8060a12ea4cff7e7efe741ca3febf1b41f387ebb Mon Sep 17 00:00:00 2001 From: Sean Bowe Date: Wed, 17 Feb 2021 15:39:46 -0700 Subject: [PATCH 17/19] Fix minor nit (match ergonomics) --- src/plonk/circuit.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/plonk/circuit.rs b/src/plonk/circuit.rs index eda0f1a..bb66484 100644 --- a/src/plonk/circuit.rs +++ b/src/plonk/circuit.rs @@ -399,7 +399,7 @@ struct PinnedGates<'a, F: Field>(&'a Vec<(&'static str, Expression)>); impl<'a, F: Field> std::fmt::Debug for PinnedGates<'a, F> { fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> Result<(), std::fmt::Error> { f.debug_list() - .entries(self.0.iter().map(|&(_, ref expr)| expr)) + .entries(self.0.iter().map(|(_, expr)| expr)) .finish() } } From 7fcd302d2d939e2a8924046cec56845837652c0e Mon Sep 17 00:00:00 2001 From: Sean Bowe Date: Wed, 17 Feb 2021 15:40:41 -0700 Subject: [PATCH 18/19] cargo fmt --- src/plonk.rs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/plonk.rs b/src/plonk.rs index f9a91f3..fe9fcd9 100644 --- a/src/plonk.rs +++ b/src/plonk.rs @@ -976,6 +976,7 @@ fn test_proving() { ], }, ], -}"#####); +}"##### + ); } } From 5e20b0f2a70d81bf2b84feee0b2cbf42741a58cb Mon Sep 17 00:00:00 2001 From: Sean Bowe Date: Thu, 18 Feb 2021 07:51:41 -0700 Subject: [PATCH 19/19] Automatically derive PinnedVerificationKey's Debug impl. --- src/plonk.rs | 20 ++++++-------------- 1 file changed, 6 insertions(+), 14 deletions(-) diff --git a/src/plonk.rs b/src/plonk.rs index fe9fcd9..80a05bc 100644 --- a/src/plonk.rs +++ b/src/plonk.rs @@ -100,6 +100,8 @@ impl VerifyingKey { /// the minimal information necessary to reconstruct the verification key. pub fn pinned(&self) -> PinnedVerificationKey<'_, C> { PinnedVerificationKey { + base_modulus: C::Base::MODULUS, + scalar_modulus: C::Scalar::MODULUS, domain: self.domain.pinned(), fixed_commitments: &self.fixed_commitments, permutations: &self.permutations, @@ -110,24 +112,14 @@ impl VerifyingKey { /// Minimal representation of a verification key that can be used to identify /// its active contents. +#[derive(Debug)] pub struct PinnedVerificationKey<'a, C: CurveAffine> { + base_modulus: &'static str, + scalar_modulus: &'static str, domain: PinnedEvaluationDomain<'a, C::Scalar>, + cs: PinnedConstraintSystem<'a, C::Scalar>, fixed_commitments: &'a Vec, permutations: &'a Vec>, - cs: PinnedConstraintSystem<'a, C::Scalar>, -} - -impl<'a, C: CurveAffine> std::fmt::Debug for PinnedVerificationKey<'a, C> { - fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> Result<(), std::fmt::Error> { - f.debug_struct("PinnedVerificationKey") - .field("base_modulus", &C::Base::MODULUS) - .field("scalar_modulus", &C::Scalar::MODULUS) - .field("domain", &self.domain) - .field("cs", &self.cs) - .field("fixed_commitments", self.fixed_commitments) - .field("permutations", self.permutations) - .finish() - } } /// This is a proving key which allows for the creation of proofs for a /// particular circuit.