diff --git a/.github/ISSUE_TEMPLATE/eli15.md b/.github/ISSUE_TEMPLATE/eli15.md deleted file mode 100644 index d9fb8fe550..0000000000 --- a/.github/ISSUE_TEMPLATE/eli15.md +++ /dev/null @@ -1,15 +0,0 @@ ---- -name: ELI15 improvement request -about: Let us know how the Halo 2 book could be improved! -title: 'ELI15: ' -labels: 'ELI15' -assignees: '' - ---- - -## Which section of the Halo 2 book were you reading? - -## What was unclear? - -## What would help to make it clearer to you? - diff --git a/halo2_proofs/CHANGELOG.md b/CHANGELOG.md similarity index 100% rename from halo2_proofs/CHANGELOG.md rename to CHANGELOG.md diff --git a/Cargo.toml b/Cargo.toml index b44700ec43..a12a604279 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,5 +1,100 @@ -[workspace] -members = [ - "halo2", - "halo2_proofs", +[package] +name = "halo2_proofs" +version = "0.3.0" +authors = [ + "Sean Bowe ", + "Ying Tong Lai ", + "Daira Hopwood ", + "Jack Grigg ", ] +edition = "2021" +rust-version = "1.76.0" +description = """ +Fast PLONK-based zero-knowledge proving system +""" +license = "MIT OR Apache-2.0" +repository = "https://github.com/input-output-hk/halo2" +readme = "README.md" +categories = ["cryptography"] +keywords = ["halo", "proofs", "zkp", "zkSNARKs"] + +[package.metadata.docs.rs] +all-features = true +rustdoc-args = ["--cfg", "docsrs", "--html-in-header", "katex-header.html"] + +[[bench]] +name = "commit_zk" +harness = false + +[[bench]] +name = "hashtocurve" +harness = false + +[[bench]] +name = "plonk" +harness = false + +[[bench]] +name = "dev_lookup" +harness = false + +[dependencies] +backtrace = { version = "0.3", optional = true } +ff = "0.13" +group = "0.13" +halo2curves = { version = "0.7.0", default-features = false } +rand_core = { version = "0.6", default-features = false } +tracing = "0.1" +blake2b_simd = "1" # MSRV 1.66.0 +sha3 = "0.9.1" +rand_chacha = "0.3" +serde = { version = "1", optional = true, features = ["derive"] } +serde_derive = { version = "1", optional = true} +rayon = "1.8" + +# Developer tooling dependencies +plotters = { version = "0.3.0", default-features = false, optional = true } +tabbycat = { version = "0.1", features = ["attributes"], optional = true } + +# Legacy circuit compatibility +halo2_legacy_pdqsort = { version = "0.1.0", optional = true } + +[dev-dependencies] +assert_matches = "1.5" +criterion = "0.3" +gumdrop = "0.8" +proptest = "1" +rand_core = { version = "0.6", default-features = false, features = ["getrandom"] } +serde_json = "1" + +[target.'cfg(all(target_arch = "wasm32", target_os = "unknown"))'.dev-dependencies] +getrandom = { version = "0.2", features = ["js"] } + +[features] +default = ["batch", "bits"] +dev-graph = ["plotters", "tabbycat"] +test-dev-graph = [ + "dev-graph", + "plotters/bitmap_backend", + "plotters/bitmap_encoder", + "plotters/ttf", +] +bits = ["halo2curves/bits"] +gadget-traces = ["backtrace"] +thread-safe-region = [] +sanity-checks = [] +batch = ["rand_core/getrandom"] +circuit-params = [] +cost-estimator = ["serde", "serde_derive"] +derive_serde = ["halo2curves/derive_serde"] + +[lib] +bench = false + +[[example]] +name = "circuit-layout" +required-features = ["test-dev-graph"] + +[[example]] +name = "proof-size" +required-features = ["cost-estimator"] diff --git a/README.md b/README.md index 3c7aa59572..bdb9a63639 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,6 @@ -# halo2 [![Crates.io](https://img.shields.io/crates/v/halo2.svg)](https://crates.io/crates/halo2) # +# halo2_proofs [![Crates.io](https://img.shields.io/crates/v/halo2_proofs.svg)](https://crates.io/crates/halo2_proofs) # -## [Documentation](https://privacy-scaling-explorations.github.io/halo2/halo2_proofs) - -For experimental features `privacy-scaling-explorations/halo2` fork adds, please refer to [`experimental-features.md`](./book/src/user/experimental-features.md). +## [Documentation](https://docs.rs/halo2_proofs) ## Minimum Supported Rust Version @@ -13,7 +11,9 @@ minor version bump. ## Controlling parallelism -`halo2` currently uses [rayon](https://github.com/rayon-rs/rayon) for parallel computation. The `RAYON_NUM_THREADS` environment variable can be used to set the number of threads. +`halo2_proofs` currently uses [rayon](https://github.com/rayon-rs/rayon) for parallel +computation. The `RAYON_NUM_THREADS` environment variable can be used to set the number of +threads. When compiling to WASM-targets, notice that since version `1.7`, `rayon` will fallback automatically (with no need to handle features) to require `getrandom` in order to be able to work. For more info related to WASM-compilation. diff --git a/halo2_proofs/benches/commit_zk.rs b/benches/commit_zk.rs similarity index 97% rename from halo2_proofs/benches/commit_zk.rs rename to benches/commit_zk.rs index d06bed0f97..873ec9af19 100644 --- a/halo2_proofs/benches/commit_zk.rs +++ b/benches/commit_zk.rs @@ -2,7 +2,7 @@ extern crate criterion; use criterion::{criterion_group, criterion_main, BenchmarkId, Criterion}; use group::ff::Field; -use halo2_proofs::arithmetic::parallelize; +use halo2_proofs::utils::arithmetic::parallelize; use halo2curves::pasta::pallas::Scalar; use rand_chacha::rand_core::RngCore; use rand_chacha::ChaCha20Rng; diff --git a/halo2_proofs/benches/dev_lookup.rs b/benches/dev_lookup.rs similarity index 100% rename from halo2_proofs/benches/dev_lookup.rs rename to benches/dev_lookup.rs diff --git a/halo2_proofs/benches/hashtocurve.rs b/benches/hashtocurve.rs similarity index 93% rename from halo2_proofs/benches/hashtocurve.rs rename to benches/hashtocurve.rs index a3805f3b9e..7bd01d55b8 100644 --- a/halo2_proofs/benches/hashtocurve.rs +++ b/benches/hashtocurve.rs @@ -2,7 +2,7 @@ use criterion::{criterion_group, criterion_main, Criterion}; -use halo2_proofs::arithmetic::CurveExt; +use halo2_proofs::utils::arithmetic::CurveExt; use halo2curves::pasta::{pallas, vesta}; fn criterion_benchmark(c: &mut Criterion) { diff --git a/halo2_proofs/benches/plonk.rs b/benches/plonk.rs similarity index 84% rename from halo2_proofs/benches/plonk.rs rename to benches/plonk.rs index 9c9bd2618a..7f1d191142 100644 --- a/halo2_proofs/benches/plonk.rs +++ b/benches/plonk.rs @@ -4,26 +4,16 @@ extern crate criterion; use group::ff::Field; use halo2_proofs::circuit::{Cell, Layouter, SimpleFloorPlanner, Value}; use halo2_proofs::plonk::*; -use halo2_proofs::poly::{commitment::ParamsProver, Rotation}; -use halo2_proofs::transcript::{Blake2bRead, Blake2bWrite, Challenge255}; -use halo2curves::pasta::{EqAffine, Fp}; +use halo2_proofs::poly::Rotation; +use halo2curves::bn256; use rand_core::OsRng; -use halo2_proofs::{ - poly::{ - ipa::{ - commitment::{IPACommitmentScheme, ParamsIPA}, - multiopen::ProverIPA, - strategy::SingleStrategy, - }, - VerificationStrategy, - }, - transcript::{TranscriptReadBuffer, TranscriptWriterBuffer}, -}; - use std::marker::PhantomData; use criterion::{BenchmarkId, Criterion}; +use halo2_proofs::poly::kzg::{params::ParamsKZG, KZGCommitmentScheme}; +use halo2_proofs::transcript::{CircuitTranscript, Transcript}; +use halo2_proofs::utils::rational::Rational; fn criterion_benchmark(c: &mut Criterion) { /// This represents an advice column at a certain row in the ConstraintSystem @@ -49,14 +39,14 @@ fn criterion_benchmark(c: &mut Criterion) { f: F, ) -> Result<(Cell, Cell, Cell), Error> where - F: FnMut() -> Value<(Assigned, Assigned, Assigned)>; + F: FnMut() -> Value<(Rational, Rational, Rational)>; fn raw_add( &self, layouter: &mut impl Layouter, f: F, ) -> Result<(Cell, Cell, Cell), Error> where - F: FnMut() -> Value<(Assigned, Assigned, Assigned)>; + F: FnMut() -> Value<(Rational, Rational, Rational)>; fn copy(&self, layouter: &mut impl Layouter, a: Cell, b: Cell) -> Result<(), Error>; } @@ -87,7 +77,7 @@ fn criterion_benchmark(c: &mut Criterion) { mut f: F, ) -> Result<(Cell, Cell, Cell), Error> where - F: FnMut() -> Value<(Assigned, Assigned, Assigned)>, + F: FnMut() -> Value<(Rational, Rational, Rational)>, { layouter.assign_region( || "raw_multiply", @@ -129,7 +119,7 @@ fn criterion_benchmark(c: &mut Criterion) { mut f: F, ) -> Result<(Cell, Cell, Cell), Error> where - F: FnMut() -> Value<(Assigned, Assigned, Assigned)>, + F: FnMut() -> Value<(Rational, Rational, Rational)>, { layouter.assign_region( || "raw_add", @@ -241,7 +231,7 @@ fn criterion_benchmark(c: &mut Criterion) { let cs = StandardPlonk::new(config); for _ in 0..((1 << (self.k - 1)) - 3) { - let a: Value> = self.a.into(); + let a: Value> = self.a.into(); let mut a_squared = Value::unknown(); let (a0, _, c0) = cs.raw_multiply(&mut layouter, || { a_squared = a.square(); @@ -261,9 +251,14 @@ fn criterion_benchmark(c: &mut Criterion) { } } - fn keygen(k: u32) -> (ParamsIPA, ProvingKey) { - let params: ParamsIPA = ParamsIPA::new(k); - let empty_circuit: MyCircuit = MyCircuit { + fn keygen( + k: u32, + ) -> ( + ParamsKZG, + ProvingKey>, + ) { + let params: ParamsKZG = ParamsKZG::new(k); + let empty_circuit: MyCircuit = MyCircuit { a: Value::unknown(), k, }; @@ -272,16 +267,21 @@ fn criterion_benchmark(c: &mut Criterion) { (params, pk) } - fn prover(k: u32, params: &ParamsIPA, pk: &ProvingKey) -> Vec { + fn prover( + k: u32, + params: &ParamsKZG, + pk: &ProvingKey>, + ) -> Vec { let rng = OsRng; - let circuit: MyCircuit = MyCircuit { - a: Value::known(Fp::random(rng)), + let circuit: MyCircuit = MyCircuit { + a: Value::known(bn256::Fr::random(rng)), k, }; - let mut transcript = Blake2bWrite::<_, _, Challenge255>::init(vec![]); - create_proof::, ProverIPA, _, _, _, _>( + let mut transcript = CircuitTranscript::init(); + + create_proof::, _, _>( params, pk, &[circuit], @@ -293,10 +293,21 @@ fn criterion_benchmark(c: &mut Criterion) { transcript.finalize() } - fn verifier(params: &ParamsIPA, vk: &VerifyingKey, proof: &[u8]) { - let strategy = SingleStrategy::new(params); - let mut transcript = Blake2bRead::<_, _, Challenge255<_>>::init(proof); - assert!(verify_proof(params, vk, strategy, &[&[]], &mut transcript).is_ok()); + fn verifier( + params: &ParamsKZG, + vk: &VerifyingKey>, + proof: &[u8], + ) { + let mut transcript = CircuitTranscript::init_from_bytes(proof); + assert!( + verify_proof::, _>( + params, + vk, + &[&[]], + &mut transcript + ) + .is_ok() + ); } let k_range = 8..=16; diff --git a/book/.gitignore b/book/.gitignore deleted file mode 100644 index 7585238efe..0000000000 --- a/book/.gitignore +++ /dev/null @@ -1 +0,0 @@ -book diff --git a/book/Makefile b/book/Makefile deleted file mode 100644 index 2fb3f9a9cd..0000000000 --- a/book/Makefile +++ /dev/null @@ -1,10 +0,0 @@ -.PHONY: all -all: - find src -type f -a -name '*.md' |sed 's/[.]md$$/.html/g' |xargs $(MAKE) - -clean: - find src -type f -a -name '*.html' -print0 |xargs -0 rm - -%.html: %.md - pandoc --katex --from=markdown --to=html "$<" "--output=$@" - ./edithtml.sh "$@" "$<" diff --git a/book/book.toml b/book/book.toml deleted file mode 100644 index 87448f1696..0000000000 --- a/book/book.toml +++ /dev/null @@ -1,14 +0,0 @@ -[book] -authors = [ - "Jack Grigg", - "Sean Bowe", - "Daira Hopwood", - "Ying Tong Lai", -] -language = "en" -multilingual = false -src = "src" -title = "The halo2 Book" - -[preprocessor.katex] -macros = "macros.txt" diff --git a/book/edithtml.sh b/book/edithtml.sh deleted file mode 100755 index 4825478716..0000000000 --- a/book/edithtml.sh +++ /dev/null @@ -1,28 +0,0 @@ -#!/bin/sh - -cat - "$1" > "$1.prefix" < - - - - - - $2 - - - - - - -EOF -cat "$1.prefix" - >"$1" < - -EOF -rm -f "$1.prefix" diff --git a/book/macros.txt b/book/macros.txt deleted file mode 100644 index 22eab46299..0000000000 --- a/book/macros.txt +++ /dev/null @@ -1,76 +0,0 @@ -# Conventions - -\bconcat:{\mathop{\kern 0.1em||\kern 0.1em}} -\Repr:{\star} - -# Conversions - -\ItoLEBSP:{\mathsf{I2LEBSP}_{#1}} - -# Fields and curves - -\BaseLength:{\ell^\mathsf{#1\vphantom{p}}_{\mathsf{base}}} - -# Commitments and hashes - -\SinsemillaHash:{\mathsf{SinsemillaHash}} -\SinsemillaCommit:{\mathsf{SinsemillaCommit}} -\SinsemillaShortCommit:{\mathsf{SinsemillaShortCommit}} - -# Circuit constraint helper methods - -\BoolCheck:{\texttt{bool\_check}({#1})} -\Ternary:{\texttt{ternary}({{#1}, {#2}, {#3}})} -\RangeCheck:{\texttt{range\_check}({#1, #2})} -\ShortLookupRangeCheck:{\texttt{short\_lookup\_range\_check}({#1})} - -# Halo 2 proof - -\field:{\mathbb{F}} -\group:{\mathbb{G}} -\setup:{\textnormal{Setup}} -\prover:{\mathcal{P}} -\verifier:{\mathcal{V}} -\sec:{\lambda} -\negl:{\textnormal{negl}(\lambda)} -\pp:{\mathsf{pp}} -\ip:{\textnormal{IP}} -\relation:{\mathcal{R}} -\a:{\mathcal{A}} -\sim:{\mathcal{S}} -\tr:{\textnormal{tr}} -\srs:{\textnormal{SRS}} -\srwee:{\textnormal{sr-wee}} -\real:{\textnormal{real}} -\ideal:{\textnormal{ideal}} -\weereal:{\textnormal{WEE-real}} -\weeideal:{\textnormal{WEE-ideal}} -\oracle:{\mathcal{O}} -\ch:{\mathsf{Ch}} -\badch:{\mathsf{BadCh}} -\adv:{\mathsf{Adv}} -\bottom:{\perp} -\alg:{#1_\textnormal{alg}} -\zero:{\mathcal{O}} -\dlrel:{\textsf{dl-rel}} -\game:{\mathsf{G}} -\innerprod:{\langle{#1},{#2}\rangle} -\dlgame:{\mathsf{G}^\dlrel_{\group,n}} -\distinguisher:{\mathcal{D}} -\extractor:{\mathcal{E}} -\state:{\mathsf{st}_{#1}} -\halo:{\textsf{Halo}} -\lo:{\textnormal{lo}} -\hi:{\textnormal{hi}} -\protocol:{\halo} -\extractwitness:{\textnormal{ExtractWitness}} -\pfail:{p_\textnormal{fail}} -\repr:\{\kern-0.1em {#1} \kern-0.1em\}^{#2} -\rep:{\repr{#1}{}} -\repv:{\repr{#1}{\mathbf{#2}}_{#3}} -\dlreladv:{\mathcal{H}} -\mr:{\mathcal{M}^{#1}_{#2}({#3})} -\mv:{\mr{\mathbf{#1}}{#2}{#3}} -\m:{\mr{#1}{}{#2}} -\z:{\mathcal{Z}_{#1}({#2}, {#3})} -\trprefix:{{#1}|_{#2}} diff --git a/book/src/IDENTIFIERS.json b/book/src/IDENTIFIERS.json deleted file mode 100644 index 2508a78a0f..0000000000 --- a/book/src/IDENTIFIERS.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "decompose-combined-lookup": "design/gadgets/decomposition.html#combined-lookup-expression", - "decompose-short-lookup": "design/gadgets/decomposition.html#short-range-check", - "decompose-short-range": "design/gadgets/decomposition.html#short-range-decomposition", - "ecc-complete-addition": "design/gadgets/ecc/addition.html#complete-addition-constraints", - "ecc-incomplete-addition": "design/gadgets/ecc/addition.html#incomplete-addition-constraints", - "ecc-fixed-mul-base-canonicity": "design/gadgets/ecc/fixed-base-scalar-mul.html#base-field-element", - "ecc-fixed-mul-coordinates": "design/gadgets/ecc/fixed-base-scalar-mul.html#constrain-coordinates", - "ecc-fixed-mul-full-word": "design/gadgets/ecc/fixed-base-scalar-mul.html#full-width-scalar", - "ecc-fixed-mul-load-base": "design/gadgets/ecc/fixed-base-scalar-mul.html#load-fixed-base", - "ecc-fixed-mul-short-msb": "design/gadgets/ecc/fixed-base-scalar-mul.html#constrain-short-signed-msb", - "ecc-fixed-mul-short-conditional-neg": "design/gadgets/ecc/fixed-base-scalar-mul.html#constrain-short-signed-conditional-neg", - "ecc-var-mul-complete-gate": "design/gadgets/ecc/var-base-scalar-mul.html#complete-gate", - "ecc-var-mul-incomplete-first-row": "design/gadgets/ecc/var-base-scalar-mul.html#incomplete-first-row-gate", - "ecc-var-mul-incomplete-last-row": "design/gadgets/ecc/var-base-scalar-mul.html#incomplete-last-row-gate", - "ecc-var-mul-incomplete-main-loop": "design/gadgets/ecc/var-base-scalar-mul.html#incomplete-main-loop-gate", - "ecc-var-mul-lsb-gate": "design/gadgets/ecc/var-base-scalar-mul.html#lsb-gate", - "ecc-var-mul-overflow": "design/gadgets/ecc/var-base-scalar-mul.html#overflow-check-constraints", - "ecc-var-mul-witness-scalar": "design/gadgets/ecc/var-base-scalar-mul.html#witness-scalar", - "ecc-witness-point": "design/gadgets/ecc/witnessing-points.html#points-including-the-identity", - "ecc-witness-non-identity-point": "design/gadgets/ecc/witnessing-points.html#non-identity-points", - "sinsemilla-constraints": "design/gadgets/sinsemilla.html#optimized-sinsemilla-gate", - "sinsemilla-merkle-crh-bit-lengths": "design/gadgets/sinsemilla/merkle-crh.html#bit-length-constraints", - "sinsemilla-merkle-crh-decomposition": "design/gadgets/sinsemilla/merkle-crh.html#decomposition-constraints" -} \ No newline at end of file diff --git a/book/src/README.md b/book/src/README.md deleted file mode 100644 index 676d71c102..0000000000 --- a/book/src/README.md +++ /dev/null @@ -1 +0,0 @@ -{{#include ../../README.md}} diff --git a/book/src/SUMMARY.md b/book/src/SUMMARY.md deleted file mode 100644 index f234b2e4d2..0000000000 --- a/book/src/SUMMARY.md +++ /dev/null @@ -1,47 +0,0 @@ -# The halo2 Book - -[halo2](README.md) -- [Concepts](concepts.md) - - [Proof systems](concepts/proofs.md) - - [PLONKish Arithmetization](concepts/arithmetization.md) - - [Chips](concepts/chips.md) - - [Gadgets](concepts/gadgets.md) -- [User Documentation](user.md) - - [Developer tools](user/dev-tools.md) - - [A simple example](user/simple-example.md) - - [Lookup tables](user/lookup-tables.md) - - [Gadgets](user/gadgets.md) - - [Tips and tricks](user/tips-and-tricks.md) - - [Experimental features](user/experimental-features.md) -- [Design](design.md) - - [Proving system](design/proving-system.md) - - [Lookup argument](design/proving-system/lookup.md) - - [Permutation argument](design/proving-system/permutation.md) - - [Circuit commitments](design/proving-system/circuit-commitments.md) - - [Vanishing argument](design/proving-system/vanishing.md) - - [Multipoint opening argument](design/proving-system/multipoint-opening.md) - - [Inner product argument](design/proving-system/inner-product.md) - - [Comparison to other work](design/proving-system/comparison.md) - - [Protocol Description](design/protocol.md) - - [Implementation](design/implementation.md) - - [Proofs](design/implementation/proofs.md) - - [Fields](design/implementation/fields.md) - - [Selector combining](design/implementation/selector-combining.md) - - [Gadgets](design/gadgets.md) - - [Elliptic curve cryptography](design/gadgets/ecc.md) - - [Witnessing points](design/gadgets/ecc/witnessing-points.md) - - [Incomplete and complete addition](design/gadgets/ecc/addition.md) - - [Fixed-base scalar multiplication](design/gadgets/ecc/fixed-base-scalar-mul.md) - - [Variable-base scalar multiplication](design/gadgets/ecc/var-base-scalar-mul.md) - - [Sinsemilla](design/gadgets/sinsemilla.md) - - [MerkleCRH](design/gadgets/sinsemilla/merkle-crh.md) - - [Decomposition](design/gadgets/decomposition.md) - - [SHA-256](design/gadgets/sha256.md) - - [16-bit table chip](design/gadgets/sha256/table16.md) -- [Background Material](background.md) - - [Fields](background/fields.md) - - [Polynomials](background/polynomials.md) - - [Cryptographic groups](background/groups.md) - - [Elliptic curves](background/curves.md) - - [Polynomial commitment using inner product argument](background/pc-ipa.md) - - [Recursion](background/recursion.md) diff --git a/book/src/background.md b/book/src/background.md deleted file mode 100644 index abc65a5038..0000000000 --- a/book/src/background.md +++ /dev/null @@ -1,7 +0,0 @@ -# Background Material - -This section covers the background material required to understand the Halo 2 proving -system. It is targeted at an ELI15 (Explain It Like I'm 15) level; if you think anything -could do with additional explanation, [let us know]! - -[let us know]: https://github.com/zcash/halo2/issues/new/choose diff --git a/book/src/background/curves.md b/book/src/background/curves.md deleted file mode 100644 index 089ff77fff..0000000000 --- a/book/src/background/curves.md +++ /dev/null @@ -1,297 +0,0 @@ -# Elliptic curves - -Elliptic curves constructed over finite fields are another important cryptographic tool. - -We use elliptic curves because they provide a cryptographic [group](fields.md#Groups), -i.e. a group in which the discrete logarithm problem (discussed below) is hard. - -There are several ways to define the curve equation, but for our purposes, let -$\mathbb{F}_p$ be a large (255-bit) field, and then let the set of solutions $(x, y)$ to -$y^2 = x^3 + b$ for some constant $b$ define the $\mathbb{F}_p$-rational points on an -elliptic curve $E(\mathbb{F}_p)$. These $(x, y)$ coordinates are called "affine -coordinates". Each of the $\mathbb{F}_p$-rational points, together with a "point at -infinity" $\mathcal{O}$ that serves as the group identity, can be interpreted as an -element of a group. By convention, elliptic curve groups are written additively. - -![](https://i.imgur.com/JvLS6yE.png) -*"Three points on a line sum to zero, which is the point at infinity."* - -The group addition law is simple: to add two points together, find the line that -intersects both points and obtain the third point, and then negate its $y$-coordinate. The -case that a point is being added to itself, called point doubling, requires special -handling: we find the line tangent to the point, and then find the single other point that -intersects this line and then negate. Otherwise, in the event that a point is being -"added" to its negation, the result is the point at infinity. - -The ability to add and double points naturally gives us a way to scale them by integers, -called _scalars_. The number of points on the curve is the group order. If this number -is a prime $q$, then the scalars can be considered as elements of a _scalar field_, -$\mathbb{F}_q$. - -Elliptic curves, when properly designed, have an important security property. Given two -random elements $G, H \in E(\mathbb{F}_p)$ finding $a$ such that $[a] G = H$, otherwise -known as the discrete log of $H$ with respect to $G$, is considered computationally -infeasible with classical computers. This is called the elliptic curve discrete log -assumption. - -If an elliptic curve group $\mathbb{G}$ has prime order $q$ (like the ones used in Halo 2), -then it is a finite cyclic group. Recall from the section on [groups](fields.md#Groups) -that this implies it is isomorphic to $\mathbb{Z}/q\mathbb{Z}$, or equivalently, to the -scalar field $\mathbb{F}_q$. Each possible generator $G$ fixes the isomorphism; then -an element on the scalar side is precisely the discrete log of the corresponding group -element with respect to $G$. In the case of a cryptographically secure elliptic curve, -the isomorphism is hard to compute in the $\mathbb{G} \rightarrow \mathbb{F}_q$ direction -because the elliptic curve discrete log problem is hard. - -> It is sometimes helpful to make use of this isomorphism by thinking of group-based -> cryptographic protocols and algorithms in terms of the scalars instead of in terms of -> the group elements. This can make proofs and notation simpler. -> -> For instance, it has become common in papers on proof systems to use the notation $[x]$ -> to denote a group element with discrete log $x$, where the generator is implicit. -> -> We also used this idea in the -> "[distinct-x theorem](https://zips.z.cash/protocol/protocol.pdf#thmdistinctx)", -> in order to prove correctness of optimizations -> [for elliptic curve scalar multiplication](https://github.com/zcash/zcash/issues/3924) -> in Sapling, and an endomorphism-based optimization in Appendix C of the original -> [Halo paper](https://eprint.iacr.org/2019/1021.pdf). - -## Curve arithmetic - -### Point doubling - -The simplest situation is doubling a point $(x_0, y_0)$. Continuing with our example -$y^2 = x^3 + b$, this is done first by computing the derivative -$$ -\lambda = \frac{\mathrm{d}y}{\mathrm{d}x} = \frac{3x^2}{2y}. -$$ - -To obtain expressions for $(x_1, y_1) = (x_0, y_0) + (x_0, y_0),$ we consider - -$$ -\begin{aligned} -\frac{-y_1 - y_0}{x_1 - x_0} = \lambda &\implies -y_1 = \lambda(x_1 - x_0) + y_0 \\ -&\implies \boxed{y_1 = \lambda(x_0 - x_1) - y_0}. -\end{aligned} -$$ - -To get the expression for $x_1,$ we substitute $y = \lambda(x_0 - x) - y_0$ into the -elliptic curve equation: - -$$ -\begin{aligned} -y^2 = x^3 + b &\implies (\lambda(x_0 - x) - y_0)^2 = x^3 + b \\ -&\implies x^3 - \lambda^2 x^2 + \cdots = 0 \leftarrow\text{(rearranging terms)} \\ -&= (x - x_0)(x - x_0)(x - x_1) \leftarrow\text{(known roots $x_0, x_0, x_1$)} \\ -&= x^3 - (x_0 + x_0 + x_1)x^2 + \cdots. -\end{aligned} -$$ - -Comparing coefficients for the $x^2$ term gives us -$\lambda^2 = x_0 + x_0 + x_1 \implies \boxed{x_1 = \lambda^2 - 2x_0}.$ - - -### Projective coordinates -This unfortunately requires an expensive inversion of $2y$. We can avoid this by arranging -our equations to "defer" the computation of the inverse, since we often do not need the -actual affine $(x', y')$ coordinate of the resulting point immediately after an individual -curve operation. Let's introduce a third coordinate $Z$ and scale our curve equation by -$Z^3$ like so: - -$$ -Z^3 y^2 = Z^3 x^3 + Z^3 b -$$ - -Our original curve is just this curve at the restriction $Z = 1$. If we allow the affine -point $(x, y)$ to be represented by $X = xZ$, $Y = yZ$ and $Z \neq 0$ then we have the -[homogeneous projective curve](https://en.wikipedia.org/wiki/Homogeneous_coordinates) - -$$ -Y^2 Z = X^3 + Z^3 b. -$$ - -Obtaining $(x, y)$ from $(X, Y, Z)$ is as simple as computing $(X/Z, Y/Z)$ when -$Z \neq 0$. (When $Z = 0,$ we are dealing with the point at infinity $O := (0:1:0)$.) In -this form, we now have a convenient way to defer the inversion required by doubling a -point. The general strategy is to express $x', y'$ as rational functions using $x = X/Z$ -and $y = Y/Z$, rearrange to make their denominators the same, and then take the resulting -point $(X, Y, Z)$ to have $Z$ be the shared denominator and $X = x'Z, Y = y'Z$. - -> Projective coordinates are often, but not always, more efficient than affine -> coordinates. There may be exceptions to this when either we have a different way to -> apply Montgomery's trick, or when we're in the circuit setting where multiplications and -> inversions are about equally as expensive (at least in terms of circuit size). - -The following shows an example of doubling a point $(X, Y, Z) = (xZ, yZ, Z)$ without an -inversion. Substituting with $X, Y, Z$ gives us -$$ -\lambda = \frac{3x^2}{2y} = \frac{3(X/Z)^2}{2(Y/Z)} = \frac{3 X^2}{2YZ} -$$ - -and gives us -$$ -\begin{aligned} -x' &= \lambda^2 - 2x \\ -&= \lambda^2 - \frac{2X}{Z} \\ -&= \frac{9 X^4}{4Y^2Z^2} - \frac{2X}{Z} \\ -&= \frac{9 X^4 - 8XY^2Z}{4Y^2Z^2} \\ -&= \frac{18 X^4 Y Z - 16XY^3Z^2}{8Y^3Z^3} \\ -\\ -y' &= \lambda (x - x') - y \\ -&= \lambda (\frac{X}{Z} - \frac{9 X^4 - 8XY^2Z}{4Y^2Z^2}) - \frac{Y}{Z} \\ -&= \frac{3 X^2}{2YZ} (\frac{X}{Z} - \frac{9 X^4 - 8XY^2Z}{4Y^2Z^2}) - \frac{Y}{Z} \\ -&= \frac{3 X^3}{2YZ^2} - \frac{27 X^6 - 24X^3Y^2Z}{8Y^3Z^3} - \frac{Y}{Z} \\ -&= \frac{12 X^3Y^2Z - 8Y^4Z^2 - 27 X^6 + 24X^3Y^2Z}{8Y^3Z^3} -\end{aligned} -$$ - -Notice how the denominators of $x'$ and $y'$ are the same. Thus, instead of computing -$(x', y')$ we can compute $(X, Y, Z)$ with $Z = 8Y^3Z^3$ and $X, Y$ set to the -corresponding numerators such that $X/Z = x'$ and $Y/Z = y'$. This completely avoids the -need to perform an inversion when doubling, and something analogous to this can be done -when adding two distinct points. - -### Point addition -We now add two points with distinct $x$-coordinates, $P = (x_0, y_0)$ and $Q = (x_1, y_1),$ -where $x_0 \neq x_1,$ to obtain $R = P + Q = (x_2, y_2).$ The line $\overline{PQ}$ has slope -$$\lambda = \frac{y_1 - y_0}{x_1 - x_0} \implies y - y_0 = \lambda \cdot (x - x_0).$$ - -Using the expression for $\overline{PQ}$, we compute $y$-coordinate $-y_2$ of $-R$ as: -$$-y_2 - y_0 = \lambda \cdot (x_2 - x_0) \implies \boxed{y_2 =\lambda (x_0 - x_2) - y_0}.$$ - -Plugging the expression for $\overline{PQ}$ into the curve equation $y^2 = x^3 + b$ yields -$$ -\begin{aligned} -y^2 = x^3 + b &\implies (\lambda \cdot (x - x_0) + y_0)^2 = x^3 + b \\ -&\implies x^3 - \lambda^2 x^2 + \cdots = 0 \leftarrow\text{(rearranging terms)} \\ -&= (x - x_0)(x - x_1)(x - x_2) \leftarrow\text{(known roots $x_0, x_1, x_2$)} \\ -&= x^3 - (x_0 + x_1 + x_2)x^2 + \cdots. -\end{aligned} -$$ - -Comparing coefficients for the $x^2$ term gives us -$\lambda^2 = x_0 + x_1 + x_2 \implies \boxed{x_2 = \lambda^2 - x_0 - x_1}$. - ----------- - -Important notes: - -* There exist efficient formulae[^complete-formulae] for point addition that do not have - edge cases (so-called "complete" formulae) and that unify the addition and doubling - cases together. The result of adding a point to its negation using those formulae - produces $Z = 0$, which represents the point at infinity. -* In addition, there are other models like the Jacobian representation where - $(x, y) = (xZ^2, yZ^3, Z)$ where the curve is rescaled by $Z^6$ instead of $Z^3$, and - this representation has even more efficient arithmetic but no unified/complete formulae. -* We can easily compare two curve points $(X_1, Y_1, Z_1)$ and $(X_2, Y_2, Z_2)$ for - equality in the homogeneous projective coordinate space by "homogenizing" their - Z-coordinates; the checks become $X_1 Z_2 = X_2 Z_1$ and $Y_1 Z_2 = Y_2 Z_1$. - -## Curve endomorphisms - -Imagine that $\mathbb{F}_p$ has a primitive cube root of unity, or in other words that -$3 | p - 1$ and so an element $\zeta_p$ generates a $3$-order multiplicative subgroup. -Notice that a point $(x, y)$ on our example elliptic curve $y^2 = x^3 + b$ has two cousin -points: $(\zeta_p x,y), (\zeta_p^2 x,y)$, because the computation $x^3$ effectively kills the -$\zeta$ component of the $x$-coordinate. Applying the map $(x, y) \mapsto (\zeta_p x, y)$ -is an application of an endomorphism over the curve. The exact mechanics involved are -complicated, but when the curve has a prime $q$ number of points (and thus a prime -"order") the effect of the endomorphism is to multiply the point by a scalar in -$\mathbb{F}_q$ which is also a primitive cube root $\zeta_q$ in the scalar field. - -## Curve point compression -Given a point on the curve $P = (x,y)$, we know that its negation $-P = (x, -y)$ is also -on the curve. To uniquely specify a point, we need only encode its $x$-coordinate along -with the sign of its $y$-coordinate. - -### Serialization -As mentioned in the [Fields](./fields.md) section, we can interpret the least significant -bit of a field element as its "sign", since its additive inverse will always have the -opposite LSB. So we record the LSB of the $y$-coordinate as `sign`. - -Pallas and Vesta are defined over the $\mathbb{F}_p$ and $\mathbb{F}_q$ fields, which -elements can be expressed in $255$ bits. This conveniently leaves one unused bit in a -32-byte representation. We pack the $y$-coordinate `sign` bit into the highest bit in -the representation of the $x$-coordinate: - -```text - <----------------------------------- x ---------------------------------> -Enc(P) = [_ _ _ _ _ _ _ _] [_ _ _ _ _ _ _ _] ... [_ _ _ _ _ _ _ _] [_ _ _ _ _ _ _ sign] - ^ <-------------------------------------> ^ - LSB 30 bytes MSB -``` - -The "point at infinity" $\mathcal{O}$ that serves as the group identity, does not have an -affine $(x, y)$ representation. However, it turns out that there are no points on either -the Pallas or Vesta curve with $x = 0$ or $y = 0$. We therefore use the "fake" affine -coordinates $(0, 0)$ to encode $\mathcal{O}$, which results in the all-zeroes 32-byte -array. - -### Deserialization -When deserializing a compressed curve point, we first read the most significant bit as -`ysign`, the sign of the $y$-coordinate. Then, we set this bit to zero to recover the -original $x$-coordinate. - -If $x = 0, y = 0,$ we return the "point at infinity" $\mathcal{O}$. Otherwise, we proceed -to compute $y = \sqrt{x^3 + b}.$ Here, we read the least significant bit of $y$ as `sign`. -If `sign == ysign`, we already have the correct sign and simply return the curve point -$(x, y)$. Otherwise, we negate $y$ and return $(x, -y)$. - -## Cycles of curves -Let $E_p$ be an elliptic curve over a finite field $\mathbb{F}_p,$ where $p$ is a prime. -We denote this by $E_p/\mathbb{F}_p.$ and we denote the group of points of $E_p$ over -$\mathbb{F}_p,$ with order $q = \#E(\mathbb{F}_p).$ For this curve, we call $\mathbb{F}_p$ -the "base field" and $\mathbb{F}_q$ the "scalar field". - -We instantiate our proof system over the elliptic curve $E_p/\mathbb{F}_p$. This allows us -to prove statements about $\mathbb{F}_q$-arithmetic circuit satisfiability. - -> **(aside) If our curve $E_p$ is over $\mathbb{F}_p,$ why is the arithmetic circuit instead in $\mathbb{F}_q$?** -> The proof system is basically working on encodings of the scalars in the circuit (or -> more precisely, commitments to polynomials whose coefficients are scalars). The scalars -> are in $\mathbb{F}_q$ when their encodings/commitments are elliptic curve points in -> $E_p/\mathbb{F}_p$. - -However, most of the verifier's arithmetic computations are over the base field -$\mathbb{F}_p,$ and are thus efficiently expressed as an $\mathbb{F}_p$-arithmetic -circuit. - -> **(aside) Why are the verifier's computations (mainly) over $\mathbb{F}_p$?** -> The Halo 2 verifier actually has to perform group operations using information output by -> the circuit. Group operations like point doubling and addition use arithmetic in -> $\mathbb{F}_p$, because the coordinates of points are in $\mathbb{F}_p.$ - -This motivates us to construct another curve with scalar field $\mathbb{F}_p$, which has -an $\mathbb{F}_p$-arithmetic circuit that can efficiently verify proofs from the first -curve. As a bonus, if this second curve had base field $E_q/\mathbb{F}_q,$ it would -generate proofs that could be efficiently verified in the first curve's -$\mathbb{F}_q$-arithmetic circuit. In other words, we instantiate a second proof system -over $E_q/\mathbb{F}_q,$ forming a 2-cycle with the first: - -![](https://i.imgur.com/bNMyMRu.png) - -### TODO: Pallas-Vesta curves -Reference: https://github.com/zcash/pasta - -## Hashing to curves - -Sometimes it is useful to be able to produce a random point on an elliptic curve -$E_p/\mathbb{F}_p$ corresponding to some input, in such a way that no-one will know its -discrete logarithm (to any other base). - -This is described in detail in the [Internet draft on Hashing to Elliptic Curves][cfrg-hash-to-curve]. -Several algorithms can be used depending on efficiency and security requirements. The -framework used in the Internet Draft makes use of several functions: - -* ``hash_to_field``: takes a byte sequence input and maps it to a element in the base - field $\mathbb{F}_p$ -* ``map_to_curve``: takes an $\mathbb{F}_p$ element and maps it to $E_p$. - -[cfrg-hash-to-curve]: https://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve/?include_text=1 - -### TODO: Simplified SWU -Reference: https://eprint.iacr.org/2019/403.pdf - -## References -[^complete-formulae]: [Renes, J., Costello, C., & Batina, L. (2016, May). "Complete addition formulas for prime order elliptic curves." In Annual International Conference on the Theory and Applications of Cryptographic Techniques (pp. 403-428). Springer, Berlin, Heidelberg.](https://eprint.iacr.org/2015/1060) diff --git a/book/src/background/fields.md b/book/src/background/fields.md deleted file mode 100644 index 325637010a..0000000000 --- a/book/src/background/fields.md +++ /dev/null @@ -1,307 +0,0 @@ -# Fields - -A fundamental component of many cryptographic protocols is the algebraic structure known -as a [field]. Fields are sets of objects (usually numbers) with two associated binary -operators $+$ and $\times$ such that various [field axioms][field-axioms] hold. The real -numbers $\mathbb{R}$ are an example of a field with uncountably many elements. - -[field]: https://en.wikipedia.org/wiki/Field_(mathematics) -[field-axioms]: https://en.wikipedia.org/wiki/Field_(mathematics)#Classic_definition - -Halo makes use of _finite fields_ which have a finite number of elements. Finite fields -are fully classified as follows: - -- if $\mathbb{F}$ is a finite field, it contains $|\mathbb{F}| = p^k$ elements for some - integer $k \geq 1$ and some prime $p$; -- any two finite fields with the same number of elements are isomorphic. In particular, - all of the arithmetic in a prime field $\mathbb{F}_p$ is isomorphic to addition and - multiplication of integers modulo $p$, i.e. in $\mathbb{Z}_p$. This is why we often - refer to $p$ as the _modulus_. - -We'll write a field as $\mathbb{F}_q$ where $q = p^k$. The prime $p$ is called its -_characteristic_. In the cases where $k \gt 1$ the field $\mathbb{F}_q$ is a $k$-degree -extension of the field $\mathbb{F}_p$. (By analogy, the complex numbers -$\mathbb{C} = \mathbb{R}(i)$ are an extension of the real numbers.) However, in Halo we do -not use extension fields. Whenever we write $\mathbb{F}_p$ we are referring to what -we call a _prime field_ which has a prime $p$ number of elements, i.e. $k = 1$. - -Important notes: - -* There are two special elements in any field: $0$, the additive identity, and - $1$, the multiplicative identity. -* The least significant bit of a field element, when represented as an integer in binary - format, can be interpreted as its "sign" to help distinguish it from its additive - inverse (negation). This is because for some nonzero element $a$ which has a least - significant bit $0$ we have that $-a = p - a$ has a least significant bit $1$, and vice - versa. We could also use whether or not an element is larger than $(p - 1) / 2$ to give - it a "sign." - -Finite fields will be useful later for constructing [polynomials](polynomials.md) and -[elliptic curves](curves.md). Elliptic curves are examples of groups, which we discuss -next. - -## Groups - -Groups are simpler and more limited than fields; they have only one binary operator $\cdot$ -and fewer axioms. They also have an identity, which we'll denote as $1$. - -[group]: https://en.wikipedia.org/wiki/Group_(mathematics) -[group-axioms]: https://en.wikipedia.org/wiki/Group_(mathematics)#Definition - -Any non-zero element $a$ in a group has an _inverse_ $b = a^{-1}$, -which is the _unique_ element $b$ such that $a \cdot b = 1$. - -For example, the set of nonzero elements of $\mathbb{F}_p$ forms a group, where the -group operation is given by multiplication on the field. - -[group]: https://en.wikipedia.org/wiki/Group_(mathematics) - -> #### (aside) Additive vs multiplicative notation -> If $\cdot$ is written as $\times$ or omitted (i.e. $a \cdot b$ written as $ab$), the -> identity as $1$, and inversion as $a^{-1}$, as we did above, then we say that the group -> is "written multiplicatively". If $\cdot$ is written as $+$, the identity as $0$ or -> $\mathcal{O}$, and inversion as $-a$, then we say it is "written additively". -> -> It's conventional to use additive notation for elliptic curve groups, and multiplicative -> notation when the elements come from a finite field. -> -> When additive notation is used, we also write -> -> $$[k] A = \underbrace{A + A + \cdots + A}_{k \text{ times}}$$ -> -> for nonnegative $k$ and call this "scalar multiplication"; we also often use uppercase -> letters for variables denoting group elements. When multiplicative notation is used, we -> also write -> -> $$a^k = \underbrace{a \times a \times \cdots \times a}_{k \text{ times}}$$ -> -> and call this "exponentiation". In either case we call the scalar $k$ such that -> $[k] g = a$ or $g^k = a$ the "discrete logarithm" of $a$ to base $g$. We can extend -> scalars to negative integers by inversion, i.e. $[-k] A + [k] A = \mathcal{O}$ or -> $a^{-k} \times a^k = 1$. - -The _order_ of an element $a$ of a finite group is defined as the smallest positive integer -$k$ such that $a^k = 1$ (in multiplicative notation) or $[k] a = \mathcal{O}$ (in additive -notation). The order _of the group_ is the number of elements. - -Groups always have a [generating set], which is a set of elements such that we can produce -any element of the group as (in multiplicative terminology) a product of powers of those -elements. So if the generating set is $g_{1..k}$, we can produce any element of the group -as $\prod\limits_{i=1}^{k} g_i^{a_i}$. There can be many different generating sets for a -given group. - -[generating set]: https://en.wikipedia.org/wiki/Generating_set_of_a_group - -A group is called [cyclic] if it has a (not necessarily unique) generating set with only -a single element — call it $g$. In that case we can say that $g$ generates the group, and -that the order of $g$ is the order of the group. - -Any finite cyclic group $\mathbb{G}$ of order $n$ is [isomorphic] to the integers -modulo $n$ (denoted $\mathbb{Z}/n\mathbb{Z}$), such that: - -- the operation $\cdot$ in $\mathbb{G}$ corresponds to addition modulo $n$; -- the identity in $\mathbb{G}$ corresponds to $0$; -- some generator $g \in \mathbb{G}$ corresponds to $1$. - -Given a generator $g$, the isomorphism is always easy to compute in the -$\mathbb{Z}/n\mathbb{Z} \rightarrow \mathbb{G}$ direction; it is just $a \mapsto g^a$ -(or in additive notation, $a \mapsto [a] g$). -It may be difficult in general to compute in the $\mathbb{G} \rightarrow \mathbb{Z}/n\mathbb{Z}$ -direction; we'll discuss this further when we come to [elliptic curves](curves.md). - -If the order $n$ of a finite group is prime, then the group is cyclic, and every -non-identity element is a generator. - -[isomorphic]: https://en.wikipedia.org/wiki/Isomorphism -[cyclic]: https://en.wikipedia.org/wiki/Cyclic_group - -### The multiplicative group of a finite field - -We use the notation $\mathbb{F}_p^\times$ for the multiplicative group (i.e. the group -operation is multiplication in $\mathbb{F}_p$) over the set $\mathbb{F}_p - \{0\}$. - -A quick way of obtaining the inverse in $\mathbb{F}_p^\times$ is $a^{-1} = a^{p - 2}$. -The reason for this stems from [Fermat's little theorem][fermat-little], which states -that $a^p = a \pmod p$ for any integer $a$. If $a$ is nonzero, we can divide by $a$ twice -to get $a^{p-2} = a^{-1}.$ - -[fermat-little]: https://en.wikipedia.org/wiki/Fermat%27s_little_theorem - -Let's assume that $\alpha$ is a generator of $\mathbb{F}_p^\times$, so it has order $p-1$ -(equal to the number of elements in $\mathbb{F}_p^\times$). Therefore, for any element in -$a \in \mathbb{F}_p^\times$ there is a unique integer $i \in \{0..p-2\}$ such that $a = \alpha^i$. - -Notice that $a \times b$ where $a, b \in \mathbb{F}_p^\times$ can really be interpreted as -$\alpha^i \times \alpha^j$ where $a = \alpha^i$ and $b = \alpha^j$. Indeed, it holds that -$\alpha^i \times \alpha^j = \alpha^{i + j}$ for all $0 \leq i, j \lt p - 1$. As a result -the multiplication of nonzero field elements can be interpreted as addition modulo $p - 1$ -with respect to some fixed generator $\alpha$. The addition just happens "in the exponent." - -This is another way to look at where $a^{p - 2}$ comes from for computing inverses in the -field: - -$$p - 2 \equiv -1 \pmod{p - 1},$$ - -so $a^{p - 2} = a^{-1}$. - -### Montgomery's Trick - -Montgomery's trick, named after Peter Montgomery (RIP) is a way to compute many group -inversions at the same time. It is commonly used to compute inversions in -$\mathbb{F}_p^\times$, which are quite computationally expensive compared to multiplication. - -Imagine we need to compute the inverses of three nonzero elements $a, b, c \in \mathbb{F}_p^\times$. -Instead, we'll compute the products $x = ab$ and $y = xc = abc$, and compute the inversion - -$$z = y^{p - 2} = \frac{1}{abc}.$$ - -We can now multiply $z$ by $x$ to obtain $\frac{1}{c}$ and multiply $z$ by $c$ to obtain -$\frac{1}{ab}$, which we can then multiply by $a, b$ to obtain their respective inverses. - -This technique generalizes to arbitrary numbers of group elements with just a single -inversion necessary. - -## Multiplicative subgroups - -A _subgroup_ of a group $G$ with operation $\cdot$, is a subset of elements of $G$ that -also form a group under $\cdot$. - -In the previous section we said that $\alpha$ is a generator of the $(p - 1)$-order -multiplicative group $\mathbb{F}_p^\times$. This group has _composite_ order, and so by -the Chinese remainder theorem[^chinese-remainder] it has strict subgroups. As an example -let's imagine that $p = 11$, and so $p - 1$ factors into $5 \cdot 2$. Thus, there is a -generator $\beta$ of the $5$-order subgroup and a generator $\gamma$ of the $2$-order -subgroup. All elements in $\mathbb{F}_p^\times$, therefore, can be written uniquely as -$\beta^i \cdot \gamma^j$ for some $i$ (modulo $5$) and some $j$ (modulo $2$). - -If we have $a = \beta^i \cdot \gamma^j$ notice what happens when we compute - -$$ -a^5 = (\beta^i \cdot \gamma^j)^5 - = \beta^{i \cdot 5} \cdot \gamma^{j \cdot 5} - = \beta^0 \cdot \gamma^{j \cdot 5} - = \gamma^{j \cdot 5}; -$$ - -we have effectively "killed" the $5$-order subgroup component, producing a value in the -$2$-order subgroup. - -[Lagrange's theorem (group theory)][lagrange-group] states that the order of any subgroup -$H$ of a finite group $G$ divides the order of $G$. Therefore, the order of any subgroup -of $\mathbb{F}_p^\times$ must divide $p-1.$ - -[lagrange-group]: https://en.wikipedia.org/wiki/Lagrange%27s_theorem_(group_theory) - -[PLONK-based] proving systems like Halo 2 are more convenient to use with fields that have -a large number of multiplicative subgroups with a "smooth" distribution (which makes the -performance cliffs smaller and more granular as circuit sizes increase). The Pallas and -Vesta curves specifically have primes of the form - -$$T \cdot 2^S = p - 1$$ - -with $S = 32$ and $T$ odd (i.e. $p - 1$ has 32 lower zero-bits). This means they have -multiplicative subgroups of order $2^k$ for all $k \leq 32$. These 2-adic subgroups are -nice for [efficient FFTs], as well as enabling a wide variety of circuit sizes. - -[PLONK-based]: plonkish.md -[efficient FFTs]: polynomials.md#fast-fourier-transform-fft - -## Square roots - -In a field $\mathbb{F}_p$ exactly half of all nonzero elements are squares; the remainder -are non-squares or "quadratic non-residues". In order to see why, consider an $\alpha$ -that generates the $2$-order multiplicative subgroup of $\mathbb{F}_p^\times$ (this exists -because $p - 1$ is divisible by $2$ since $p$ is a prime greater than $2$) and $\beta$ that -generates the $t$-order multiplicative subgroup of $\mathbb{F}_p^\times$ where $p - 1 = 2t$. -Then every element $a \in \mathbb{F}_p^\times$ can be written uniquely as -$\alpha^i \cdot \beta^j$ with $i \in \mathbb{Z}_2$ and $j \in \mathbb{Z}_t$. Half of all -elements will have $i = 0$ and the other half will have $i = 1$. - -Let's consider the simple case where $p \equiv 3 \pmod{4}$ and so $t$ is odd (if $t$ is -even, then $p - 1$ would be divisible by $4$, which contradicts $p$ being $3 \pmod{4}$). -If $a \in \mathbb{F}_p^\times$ is a square, then there must exist -$b = \alpha^i \cdot \beta^j$ such that $b^2 = a$. But this means that - -$$a = (\alpha^i \cdot \beta^j)^2 = \alpha^{2i} \cdot \beta^{2j} = \beta^{2j}.$$ - -In other words, all squares in this particular field do not generate the $2$-order -multiplicative subgroup, and so since half of the elements generate the $2$-order subgroup -then at most half of the elements are square. In fact exactly half of the elements are -square (since squaring each nonsquare element gives a unique square). This means we can -assume all squares can be written as $\beta^m$ for some $m$, and therefore finding the -square root is a matter of exponentiating by $2^{-1} \pmod{t}$. - -In the event that $p \equiv 1 \pmod{4}$ then things get more complicated because -$2^{-1} \pmod{t}$ does not exist. Let's write $p - 1$ as $2^k \cdot t$ with $t$ odd. The -case $k = 0$ is impossible, and the case $k = 1$ is what we already described, so consider -$k \geq 2$. $\alpha$ generates a $2^k$-order multiplicative subgroup and $\beta$ generates -the odd $t$-order multiplicative subgroup. Then every element $a \in \mathbb{F}_p^\times$ -can be written as $\alpha^i \cdot \beta^j$ for $i \in \mathbb{Z}_{2^k}$ and -$j \in \mathbb{Z}_t$. If the element is a square, then there exists some $b = \sqrt{a}$ -which can be written $b = \alpha^{i'} \cdot \beta^{j'}$ for $i' \in \mathbb{Z}_{2^k}$ and -$j' \in \mathbb{Z}_t$. This means that $a = b^2 = \alpha^{2i'} \cdot \beta^{2j'}$, -therefore we have $i \equiv 2i' \pmod{2^k}$, and $j \equiv 2j' \pmod{t}$. $i$ would have -to be even in this case because otherwise it would be impossible to have -$i \equiv 2i' \pmod{2^k}$ for any $i'$. In the case that $a$ is not a square, then $i$ is -odd, and so half of all elements are squares. - -In order to compute the square root, we can first raise the element -$a = \alpha^i \cdot \beta^j$ to the power $t$ to "kill" the $t$-order component, giving - -$$a^t = \alpha^{it \pmod {2^k}} \cdot \beta^{jt \pmod t} = \alpha^{it \pmod {2^k}}$$ - -and then raise this result to the power $t^{-1} \pmod{2^k}$ to undo the effect of the -original exponentiation on the $2^k$-order component: - -$$(\alpha^{it \bmod 2^k})^{t^{-1} \pmod{2^k}} = \alpha^i$$ - -(since $t$ is relatively prime to $2^k$). This leaves bare the $\alpha^i$ value which we -can trivially handle. We can similarly kill the $2^k$-order component to obtain -$\beta^{j \cdot 2^{-1} \pmod{t}}$, and put the values together to obtain the square root. - -It turns out that in the cases $k = 2, 3$ there are simpler algorithms that merge several -of these exponentiations together for efficiency. For other values of $k$, the only known -way is to manually extract $i$ by squaring until you obtain the identity for every single -bit of $i$. This is the essence of the [Tonelli-Shanks square root algorithm][ts-sqrt] and -describes the general strategy. (There is another square root algorithm that uses -quadratic extension fields, but it doesn't pay off in efficiency until the prime becomes -quite large.) - -[ts-sqrt]: https://en.wikipedia.org/wiki/Tonelli%E2%80%93Shanks_algorithm - -## Roots of unity - -In the previous sections we wrote $p - 1 = 2^k \cdot t$ with $t$ odd, and stated that an -element $\alpha \in \mathbb{F}_p^\times$ generated the $2^k$-order subgroup. For -convenience, let's denote $n := 2^k.$ The elements $\{1, \alpha, \ldots, \alpha^{n-1}\}$ -are known as the $n$th [roots of unity](https://en.wikipedia.org/wiki/Root_of_unity). - -The **primitive root of unity**, $\omega,$ is an $n$th root of unity such that -$\omega^i \neq 1$ except when $i \equiv 0 \pmod{n}$. - -Important notes: - -- If $\alpha$ is an $n$th root of unity, $\alpha$ satisfies $\alpha^n - 1 = 0.$ If - $\alpha \neq 1,$ then - $$1 + \alpha + \alpha^2 + \cdots + \alpha^{n-1} = 0.$$ -- Equivalently, the roots of unity are solutions to the equation - $$X^n - 1 = (X - 1)(X - \alpha)(X - \alpha^2) \cdots (X - \alpha^{n-1}).$$ -- **$\boxed{\omega^{\frac{n}{2}+i} = -\omega^i}$ ("Negation lemma")**. Proof: - $$ - \begin{aligned} - \omega^n = 1 &\implies \omega^n - 1 = 0 \\ - &\implies (\omega^{n/2} + 1)(\omega^{n/2} - 1) = 0. - \end{aligned} - $$ - Since the order of $\omega$ is $n$, $\omega^{n/2} \neq 1.$ Therefore, $\omega^{n/2} = -1.$ - -- **$\boxed{(\omega^{\frac{n}{2}+i})^2 = (\omega^i)^2}$ ("Halving lemma")**. Proof: - $$ - (\omega^{\frac{n}{2}+i})^2 = \omega^{n + 2i} = \omega^{n} \cdot \omega^{2i} = \omega^{2i} = (\omega^i)^2. - $$ - In other words, if we square each element in the $n$th roots of unity, we would get back - only half the elements, $\{(\omega_n^i)^2\} = \{\omega_{n/2}\}$ (i.e. the $\frac{n}{2}$th roots - of unity). There is a two-to-one mapping between the elements and their squares. - -## References -[^chinese-remainder]: [Friedman, R. (n.d.) "Cyclic Groups and Elementary Number Theory II" (p. 5).](http://www.math.columbia.edu/~rf/numbertheory2.pdf) diff --git a/book/src/background/groups.md b/book/src/background/groups.md deleted file mode 100644 index da8cbc385e..0000000000 --- a/book/src/background/groups.md +++ /dev/null @@ -1,94 +0,0 @@ -# Cryptographic groups - -In the section [Inverses and groups](fields.md#inverses-and-groups) we introduced the -concept of *groups*. A group has an identity and a group operation. In this section we -will write groups additively, i.e. the identity is $\mathcal{O}$ and the group operation -is $+$. - -Some groups can be used as *cryptographic groups*. At the risk of oversimplifying, this -means that the problem of finding a discrete logarithm of a group element $P$ to a given -base $G$, i.e. finding $x$ such that $P = [x] G$, is hard in general. - -## Pedersen commitment -The Pedersen commitment [[P99]] is a way to commit to a secret message in a verifiable -way. It uses two random public generators $G, H \in \mathbb{G},$ where $\mathbb{G}$ is a -cryptographic group of order $p$. A random secret $r$ is chosen in $\mathbb{Z}_q$, and the -message to commit to $m$ is from any subset of $\mathbb{Z}_q$. The commitment is - -$$c = \text{Commit}(m,r)=[m]G + [r]H.$$ - -To open the commitment, the committer reveals $m$ and $r,$ thus allowing anyone to verify -that $c$ is indeed a commitment to $m.$ - -[P99]: https://link.springer.com/content/pdf/10.1007%2F3-540-46766-1_9.pdf#page=3 - -Notice that the Pedersen commitment scheme is homomorphic: - -$$ -\begin{aligned} -\text{Commit}(m,r) + \text{Commit}(m',r') &= [m]G + [r]H + [m']G + [r']H \\ -&= [m + m']G + [r + r']H \\ -&= \text{Commit}(m + m',r + r'). -\end{aligned} -$$ - -Assuming the discrete log assumption holds, Pedersen commitments are also perfectly hiding -and computationally binding: - -* **hiding**: the adversary chooses messages $m_0, m_1.$ The committer commits to one of - these messages $c = \text{Commit}(m_b,r), b \in \{0,1\}.$ Given $c,$ the probability of - the adversary guessing the correct $b$ is no more than $\frac{1}{2}$. -* **binding**: the adversary cannot pick two different messages $m_0 \neq m_1,$ and - randomness $r_0, r_1,$ such that $\text{Commit}(m_0,r_0) = \text{Commit}(m_1,r_1).$ - -### Vector Pedersen commitment -We can use a variant of the Pedersen commitment scheme to commit to multiple messages at -once, $\mathbf{m} = (m_0, \cdots, m_{n-1})$. This time, we'll have to sample a corresponding -number of random public generators $\mathbf{G} = (G_0, \cdots, G_{n-1}),$ along with a -single random generator $H$ as before (for use in hiding). Then, our commitment scheme is: - -$$ -\begin{aligned} -\text{Commit}(\mathbf{m}; r) &= \text{Commit}((m_0, \cdots, m_{n-1}); r) \\ -&= [r]H + [m_0]G_0 + \cdots + [m_{n-1}]G_{n-1} \\ -&= [r]H + \sum_{i= 0}^{n-1} [m_i]G_i. -\end{aligned} -$$ - -> TODO: is this positionally binding? - -## Diffie–Hellman - -An example of a protocol that uses cryptographic groups is Diffie–Hellman key agreement -[[DH1976]]. The Diffie–Hellman protocol is a method for two users, Alice and Bob, to -generate a shared private key. It proceeds as follows: - -1. Alice and Bob publicly agree on two prime numbers, $p$ and $G,$ where $p$ is large and - $G$ is a primitive root $\pmod p.$ (Note that $g$ is a generator of the group - $\mathbb{F}_p^\times.$) -2. Alice chooses a large random number $a$ as her private key. She computes her public key - $A = [a]G \pmod p,$ and sends $A$ to Bob. -3. Similarly, Bob chooses a large random number $b$ as his private key. He computes his - public key $B = [b]G \pmod p,$ and sends $B$ to Alice. -4. Now both Alice and Bob compute their shared key $K = [ab]G \pmod p,$ which Alice - computes as - $$K = [a]B \pmod p = [a]([b]G) \pmod p,$$ - and Bob computes as - $$K = [b]A \pmod p = [b]([a]G) \pmod p.$$ - -[DH1976]: https://ee.stanford.edu/~hellman/publications/24.pdf - -A potential eavesdropper would need to derive $K = [ab]g \pmod p$ knowing only -$g, p, A = [a]G,$ and $B = [b]G$: in other words, they would need to either get the -discrete logarithm $a$ from $A = [a]G$ or $b$ from $B = [b]G,$ which we assume to be -computationally infeasible in $\mathbb{F}_p^\times.$ - -More generally, protocols that use similar ideas to Diffie–Hellman are used throughout -cryptography. One way of instantiating a cryptographic group is as an -[elliptic curve](curves.md). Before we go into detail on elliptic curves, we'll describe -some algorithms that can be used for any group. - -## Multiscalar multiplication - -### TODO: Pippenger's algorithm -Reference: https://jbootle.github.io/Misc/pippenger.pdf diff --git a/book/src/background/pc-ipa.md b/book/src/background/pc-ipa.md deleted file mode 100644 index 63410c8ddb..0000000000 --- a/book/src/background/pc-ipa.md +++ /dev/null @@ -1,80 +0,0 @@ -# Polynomial commitment using inner product argument -We want to commit to some polynomial $p(X) \in \mathbb{F}_p[X]$, and be able to provably -evaluate the committed polynomial at arbitrary points. The naive solution would be for the -prover to simply send the polynomial's coefficients to the verifier: however, this -requires $O(n)$ communication. Our polynomial commitment scheme gets the job done using -$O(\log n)$ communication. - -### `Setup` -Given a parameter $d = 2^k,$ we generate the common reference string -$\sigma = (\mathbb{G}, \mathbf{G}, H, \mathbb{F}_p)$ defining certain constants for this -scheme: -* $\mathbb{G}$ is a group of prime order $p;$ -* $\mathbf{G} \in \mathbb{G}^d$ is a vector of $d$ random group elements; -* $H \in \mathbb{G}$ is a random group element; and -* $\mathbb{F}_p$ is the finite field of order $p.$ - -### `Commit` -The Pedersen vector commitment $\text{Commit}$ is defined as - -$$\text{Commit}(\sigma, p(X); r) = \langle\mathbf{a}, \mathbf{G}\rangle + [r]H,$$ - -for some polynomial $p(X) \in \mathbb{F}_p[X]$ and some blinding factor -$r \in \mathbb{F}_p.$ Here, each element of the vector $\mathbf{a}_i \in \mathbb{F}_p$ is -the coefficient for the $i$th degree term of $p(X),$ and $p(X)$ is of maximal degree -$d - 1.$ - -### `Open` (prover) and `OpenVerify` (verifier) -The modified inner product argument is an argument of knowledge for the relation - -$$\boxed{\{((P, x, v); (\mathbf{a}, r)): P = \langle\mathbf{a}, \mathbf{G}\rangle + [r]H, v = \langle\mathbf{a}, \mathbf{b}\rangle\}},$$ - -where $\mathbf{b} = (1, x, x^2, \cdots, x^{d-1})$ is composed of increasing powers of the -evaluation point $x.$ This allows a prover to demonstrate to a verifier that the -polynomial contained “inside” the commitment $P$ evaluates to $v$ at $x,$ and moreover, -that the committed polynomial has maximum degree $d − 1.$ - -The inner product argument proceeds in $k = \log_2 d$ rounds. For our purposes, it is -sufficient to know about its final outputs, while merely providing intuition about the -intermediate rounds. (Refer to Section 3 in the [Halo] paper for a full explanation.) - -[Halo]: https://eprint.iacr.org/2019/1021.pdf - -Before beginning the argument, the verifier selects a random group element $U$ and sends it -to the prover. We initialize the argument at round $k,$ with the vectors -$\mathbf{a}^{(k)} := \mathbf{a},$ $\mathbf{G}^{(k)} := \mathbf{G}$ and -$\mathbf{b}^{(k)} := \mathbf{b}.$ In each round $j = k, k-1, \cdots, 1$: - -* the prover computes two values $L_j$ and $R_j$ by taking some inner product of - $\mathbf{a}^{(j)}$ with $\mathbf{G}^{(j)}$ and $\mathbf{b}^{(j)}$. Note that are in some - sense "cross-terms": the lower half of $\mathbf{a}$ is used with the higher half of - $\mathbf{G}$ and $\mathbf{b}$, and vice versa: - -$$ -\begin{aligned} -L_j &= \langle\mathbf{a_{lo}^{(j)}}, \mathbf{G_{hi}^{(j)}}\rangle + [l_j]H + [\langle\mathbf{a_{lo}^{(j)}}, \mathbf{b_{hi}^{(j)}}\rangle] U\\ -R_j &= \langle\mathbf{a_{hi}^{(j)}}, \mathbf{G_{lo}^{(j)}}\rangle + [r_j]H + [\langle\mathbf{a_{hi}^{(j)}}, \mathbf{b_{lo}^{(j)}}\rangle] U\\ -\end{aligned} -$$ - -* the verifier issues a random challenge $u_j$; -* the prover uses $u_j$ to compress the lower and higher halves of $\mathbf{a}^{(j)}$, - thus producing a new vector of half the original length - $$\mathbf{a}^{(j-1)} = \mathbf{a_{hi}^{(j)}}\cdot u_j^{-1} + \mathbf{a_{lo}^{(j)}}\cdot u_j.$$ - The vectors $\mathbf{G}^{(j)}$ and $\mathbf{b}^{(j)}$ are similarly compressed to give - $\mathbf{G}^{(j-1)}$ and $\mathbf{b}^{(j-1)}$. -* $\mathbf{a}^{(j-1)}$, $\mathbf{G}^{(j-1)}$ and $\mathbf{b}^{(j-1)}$ are input to the - next round $j - 1.$ - -Note that at the end of the last round $j = 1,$ we are left with $a := \mathbf{a}^{(0)}$, -$G := \mathbf{G}^{(0)}$, $b := \mathbf{b}^{(0)},$ each of length 1. The intuition is that -these final scalars, together with the challenges $\{u_j\}$ and "cross-terms" -$\{L_j, R_j\}$ from each round, encode the compression in each round. Since the prover did -not know the challenges $U, \{u_j\}$ in advance, they would have been unable to manipulate -the round compressions. Thus, checking a constraint on these final terms should enforce -that the compression had been performed correctly, and that the original $\mathbf{a}$ -satisfied the relation before undergoing compression. - -Note that $G, b$ are simply rearrangements of the publicly known $\mathbf{G}, \mathbf{b},$ -with the round challenges $\{u_j\}$ mixed in: this means the verifier can compute $G, b$ -independently and verify that the prover had provided those same values. diff --git a/book/src/background/plonkish.md b/book/src/background/plonkish.md deleted file mode 100644 index 47642193e8..0000000000 --- a/book/src/background/plonkish.md +++ /dev/null @@ -1,82 +0,0 @@ -# [WIP] PLONKish arithmetization - -We call the field over which the circuit is defined $\mathbb{F} = \mathbb{F}_p$. - -Let $n = 2^k$, and assume that $\omega$ is a primitive root of unity of order $n$ in -$\mathbb{F}^\times$, so that $\mathbb{F}^\times$ has a multiplicative subgroup -$\mathcal{H} = \{1, \omega, \omega^2, \cdots, \omega^{n-1}\}$. This forms a Lagrange -basis corresponding to the elements in the subgroup. - -## Polynomial rules -A polynomial rule defines a constraint that must hold between its specified columns at -every row (i.e. at every element in the multiplicative subgroup). - -e.g. - -```text -a * sa + b * sb + a * b * sm + c * sc + PI = 0 -``` - -## Columns -- **fixed columns**: fixed for all instances of a particular circuit. These include - selector columns, which toggle parts of a polynomial rule "on" or "off" to form a - "custom gate". They can also include any other fixed data. -- **advice columns**: variable values assigned in each instance of the circuit. - Corresponds to the prover's secret witness. -- **public input**: like advice columns, but publicly known values. - -Each column is a vector of $n$ values, e.g. $\mathbf{a} = [a_0, a_1, \cdots, a_{n-1}]$. We -can think of the vector as the evaluation form of the column polynomial -$a(X), X \in \mathcal{H}.$ To recover the coefficient form, we can use -[Lagrange interpolation](polynomials.md#lagrange-interpolation), such that -$a(\omega^i) = a_i.$ - -## Equality constraints -- Define permutation between a set of columns, e.g. $\sigma(a, b, c)$ -- Assert equalities between specific cells in these columns, e.g. $b_1 = c_0$ -- Construct permuted columns which should evaluate to same value as original columns - -## Permutation grand product -$$Z(\omega^i) := \prod_{0 \leq j \leq i} \frac{C_k(\omega^j) + \beta\delta^k \omega^j + \gamma}{C_k(\omega^j) + \beta S_k(\omega^j) + \gamma},$$ -where $i = 0, \cdots, n-1$ indexes over the size of the multiplicative subgroup, and -$k = 0, \cdots, m-1$ indexes over the advice columns involved in the permutation. This is -a running product, where each term includes the cumulative product of the terms before it. - -> TODO: what is $\delta$? keep columns linearly independent - -Check the constraints: - -1. First term is equal to one - $$\mathcal{L}_0(X) \cdot (1 - Z(X)) = 0$$ - -2. Running product is well-constructed. For each row, we check that this holds: - $$Z(\omega^i) \cdot{(C(\omega^i) + \beta S_k(\omega^i) + \gamma)} - Z(\omega^{i-1}) \cdot{(C(\omega^i) + \delta^k \beta \omega^i + \gamma)} = 0$$ - Rearranging gives - $$Z(\omega^i) = Z(\omega^{i-1}) \frac{C(\omega^i) + \beta\delta^k \omega^i + \gamma}{C(\omega^i) + \beta S_k(\omega^i) + \gamma},$$ - which is how we defined the grand product polynomial in the first place. - -### Lookup -Reference: [Generic Lookups with PLONK (DRAFT)](/LTPc5f-3S0qNF6MtwD-Tdg?view) - -### Vanishing argument -We want to check that the expressions defined by the gate constraints, permutation -constraints and lookup constraints evaluate to zero at all elements in the multiplicative -subgroup. To do this, the prover collapses all the expressions into one polynomial -$$H(X) = \sum_{i=0}^e y^i E_i(X),$$ -where $e$ is the number of expressions and $y$ is a random challenge used to keep the -constraints linearly independent. The prover then divides this by the vanishing polynomial -(see section: [Vanishing polynomial](polynomials.md#vanishing-polynomial)) and commits to -the resulting quotient - -$$\text{Commit}(Q(X)), \text{where } Q(X) = \frac{H(X)}{Z_H(X)}.$$ - -The verifier responds with a random evaluation point $x,$ to which the prover replies with -the claimed evaluations $q = Q(x), \{e_i\}_{i=0}^e = \{E_i(x)\}_{i=0}^e.$ Now, all that -remains for the verifier to check is that the evaluations satisfy - -$$q \stackrel{?}{=} \frac{\sum_{i=0}^e y^i e_i}{Z_H(x)}.$$ - -Notice that we have yet to check that the committed polynomials indeed evaluate to the -claimed values at -$x, q \stackrel{?}{=} Q(x), \{e_i\}_{i=0}^e \stackrel{?}{=} \{E_i(x)\}_{i=0}^e.$ -This check is handled by the polynomial commitment scheme (described in the next section). diff --git a/book/src/background/polynomials.md b/book/src/background/polynomials.md deleted file mode 100644 index 7846233724..0000000000 --- a/book/src/background/polynomials.md +++ /dev/null @@ -1,289 +0,0 @@ -# Polynomials - -Let $A(X)$ be a polynomial over $\mathbb{F}_p$ with formal indeterminate $X$. As an example, - -$$ -A(X) = a_0 + a_1 X + a_2 X^2 + a_3 X^3 -$$ - -defines a degree-$3$ polynomial. $a_0$ is referred to as the constant term. Polynomials of -degree $n-1$ have $n$ coefficients. We will often want to compute the result of replacing -the formal indeterminate $X$ with some concrete value $x$, which we denote by $A(x)$. - -> In mathematics this is commonly referred to as "evaluating $A(X)$ at a point $x$". -> The word "point" here stems from the geometrical usage of polynomials in the form -> $y = A(x)$, where $(x, y)$ is the coordinate of a point in two-dimensional space. -> However, the polynomials we deal with are almost always constrained to equal zero, and -> $x$ will be an [element of some field](fields.md). This should not be confused -> with points on an [elliptic curve](curves.md), which we also make use of, but never in -> the context of polynomial evaluation. - -Important notes: - -* Multiplication of polynomials produces a product polynomial that is the sum of the - degrees of its factors. Polynomial division subtracts from the degree. - $$\deg(A(X)B(X)) = \deg(A(X)) + \deg(B(X)),$$ - $$\deg(A(X)/B(X)) = \deg(A(X)) -\deg(B(X)).$$ -* Given a polynomial $A(X)$ of degree $n-1$, if we obtain $n$ evaluations of the - polynomial at distinct points then these evaluations perfectly define the polynomial. In - other words, given these evaluations we can obtain a unique polynomial $A(X)$ of degree - $n-1$ via polynomial interpolation. -* $[a_0, a_1, \cdots, a_{n-1}]$ is the **coefficient representation** of the polynomial - $A(X)$. Equivalently, we could use its **evaluation representation** - $$[(x_0, A(x_0)), (x_1, A(x_1)), \cdots, (x_{n-1}, A(x_{n-1}))]$$ - at $n$ distinct points. Either representation uniquely specifies the same polynomial. - -> #### (aside) Horner's rule -> Horner's rule allows for efficient evaluation of a polynomial of degree $n-1$, using -> only $n-1$ multiplications and $n-1$ additions. It is the following identity: -> $$\begin{aligned}a_0 &+ a_1X + a_2X^2 + \cdots + a_{n-1}X^{n-1} \\ &= a_0 + X\bigg( a_1 + X \Big( a_2 + \cdots + X(a_{n-2} + X a_{n-1}) \Big)\!\bigg),\end{aligned}$$ - -## Fast Fourier Transform (FFT) -The FFT is an efficient way of converting between the coefficient and evaluation -representations of a polynomial. It evaluates the polynomial at the $n$th roots of unity -$\{\omega^0, \omega^1, \cdots, \omega^{n-1}\},$ where $\omega$ is a primitive $n$th root -of unity. By exploiting symmetries in the roots of unity, each round of the FFT reduces -the evaluation into a problem only half the size. Most commonly we use polynomials of -length some power of two, $n = 2^k$, and apply the halving reduction recursively. - -### Motivation: Fast polynomial multiplication -In the coefficient representation, it takes $O(n^2)$ operations to multiply two -polynomials $A(X)\cdot B(X) = C(X)$: - -$$ -\begin{aligned} -A(X) &= a_0 + a_1X + a_2X^2 + \cdots + a_{n-1}X^{n-1}, \\ -B(X) &= b_0 + b_1X + b_2X^2 + \cdots + b_{n-1}X^{n-1}, \\ -C(X) &= a_0\cdot (b_0 + b_1X + b_2X^2 + \cdots + b_{n-1}X^{n-1}) \\ -&+ a_1X\cdot (b_0 + b_1X + b_2X^2 + \cdots + b_{n-1}X^{n-1})\\ -&+ \cdots \\ -&+ a_{n-1}X^{n-1} \cdot (b_0 + b_1X + b_2X^2 + \cdots + b_{n-1}X^{n-1}), -\end{aligned} -$$ - -where each of the $n$ terms in the first polynomial has to be multiplied by the $n$ terms -of the second polynomial. - -In the evaluation representation, however, polynomial multiplication only requires $O(n)$ -operations: - -$$ -\begin{aligned} -A&: \{(x_0, A(x_0)), (x_1, A(x_1)), \cdots, (x_{n-1}, A(x_{n-1}))\}, \\ -B&: \{(x_0, B(x_0)), (x_1, B(x_1)), \cdots, (x_{n-1}, B(x_{n-1}))\}, \\ -C&: \{(x_0, A(x_0)B(x_0)), (x_1, A(x_1)B(x_1)), \cdots, (x_{n-1}, A(x_{n-1})B(x_{n-1}))\}, -\end{aligned} -$$ - -where each evaluation is multiplied pointwise. - -This suggests the following strategy for fast polynomial multiplication: - -1. Evaluate polynomials at all $n$ points; -2. Perform fast pointwise multiplication in the evaluation representation ($O(n)$); -3. Convert back to the coefficient representation. - -The challenge now is how to **evaluate** and **interpolate** the polynomials efficiently. -Naively, evaluating a polynomial at $n$ points would require $O(n^2)$ operations (we use -the $O(n)$ Horner's rule at each point): - -$$ -\begin{bmatrix} -A(1) \\ -A(\omega) \\ -A(\omega^2) \\ -\vdots \\ -A(\omega^{n-1}) -\end{bmatrix} = -\begin{bmatrix} -1&1&1&\dots&1 \\ -1&\omega&\omega^2&\dots&\omega^{n-1} \\ -1&\omega^2&\omega^{2\cdot2}&\dots&\omega^{2\cdot(n-1)} \\ -\vdots&\vdots&\vdots& &\vdots \\ -1&\omega^{n-1}&\omega^{2(n-1)}&\cdots&\omega^{(n-1)^2}\\ -\end{bmatrix} \cdot -\begin{bmatrix} -a_0 \\ -a_1 \\ -a_2 \\ -\vdots \\ -a_{n-1} -\end{bmatrix}. -$$ - -For convenience, we will denote the matrices above as: -$$\hat{\mathbf{A}} = \mathbf{V}_\omega \cdot \mathbf{A}. $$ - -($\hat{\mathbf{A}}$ is known as the *Discrete Fourier Transform* of $\mathbf{A}$; -$\mathbf{V}_\omega$ is also called the *Vandermonde matrix*.) - -### The (radix-2) Cooley-Tukey algorithm -Our strategy is to divide a DFT of size $n$ into two interleaved DFTs of size $n/2$. Given -the polynomial $A(X) = a_0 + a_1X + a_2X^2 + \cdots + a_{n-1}X^{n-1},$ we split it up into -even and odd terms: - -$$ -\begin{aligned} -A_{\text{even}} &= a_0 + a_2X + \cdots + a_{n-2}X^{\frac{n}{2} - 1}, \\ -A_{\text{odd}} &= a_1 + a_3X + \cdots + a_{n-1}X^{\frac{n}{2} - 1}. \\ -\end{aligned} -$$ - -To recover the original polynomial, we do -$A(X) = A_{\text{even}} (X^2) + X A_{\text{odd}}(X^2).$ - -Trying this out on points $\omega_n^i$ and $\omega_n^{\frac{n}{2} + i}$, -$i \in [0..\frac{n}{2}-1],$ we start to notice some symmetries: - -$$ -\begin{aligned} -A(\omega_n^i) &= A_{\text{even}} ((\omega_n^i)^2) + \omega_n^i A_{\text{odd}}((\omega_n^i)^2), \\ -A(\omega_n^{\frac{n}{2} + i}) &= A_{\text{even}} ((\omega_n^{\frac{n}{2} + i})^2) + \omega_n^{\frac{n}{2} + i} A_{\text{odd}}((\omega_n^{\frac{n}{2} + i})^2) \\ -&= A_{\text{even}} ((-\omega_n^i)^2) - \omega_n^i A_{\text{odd}}((-\omega_n^i)^2) \leftarrow\text{(negation lemma)} \\ -&= A_{\text{even}} ((\omega_n^i)^2) - \omega_n^i A_{\text{odd}}((\omega_n^i)^2). -\end{aligned} -$$ - -Notice that we are only evaluating $A_{\text{even}}(X)$ and $A_{\text{odd}}(X)$ over half -the domain $\{(\omega_n^0)^2, (\omega_n)^2, \cdots, (\omega_n^{\frac{n}{2} -1})^2\} = \{\omega_{n/2}^i\}, i = [0..\frac{n}{2}-1]$ (halving lemma). -This gives us all the terms we need to reconstruct $A(X)$ over the full domain -$\{\omega^0, \omega, \cdots, \omega^{n -1}\}$: which means we have transformed a -length-$n$ DFT into two length-$\frac{n}{2}$ DFTs. - -We choose $n = 2^k$ to be a power of two (by zero-padding if needed), and apply this -divide-and-conquer strategy recursively. By the Master Theorem[^master-thm], this gives us -an evaluation algorithm with $O(n\log_2n)$ operations, also known as the Fast Fourier -Transform (FFT). - -### Inverse FFT -So we've evaluated our polynomials and multiplied them pointwise. What remains is to -convert the product from the evaluation representation back to coefficient representation. -To do this, we simply call the FFT on the evaluation representation. However, this time we -also: -- replace $\omega^i$ by $\omega^{-i}$ in the Vandermonde matrix, and -- multiply our final result by a factor of $1/n$. - -In other words: -$$\mathbf{A} = \frac{1}{n} \mathbf{V}_{\omega^{-1}} \cdot \hat{\mathbf{A}}. $$ - -(To understand why the inverse FFT has a similar form to the FFT, refer to Slide 13-1 of -[^ifft]. The below image was also taken from [^ifft].) - -![](https://i.imgur.com/lSw30zo.png) - - -## The Schwartz-Zippel lemma -The Schwartz-Zippel lemma informally states that "different polynomials are different at -most points." Formally, it can be written as follows: - -> Let $p(x_1, x_2, \cdots, x_n)$ be a nonzero polynomial of $n$ variables with degree $d$. -> Let $S$ be a finite set of numbers with at least $d$ elements in it. If we choose random -> $\alpha_1, \alpha_2, \cdots, \alpha_n$ from $S$, -> $$\text{Pr}[p(\alpha_1, \alpha_2, \cdots, \alpha_n) = 0] \leq \frac{d}{|S|}.$$ - -In the familiar univariate case $p(X)$, this reduces to saying that a nonzero polynomial -of degree $d$ has at most $d$ roots. - -The Schwartz-Zippel lemma is used in polynomial equality testing. Given two multi-variate -polynomials $p_1(x_1,\cdots,x_n)$ and $p_2(x_1,\cdots,x_n)$ of degrees $d_1, d_2$ -respectively, we can test if -$p_1(\alpha_1, \cdots, \alpha_n) - p_2(\alpha_1, \cdots, \alpha_n) = 0$ for random -$\alpha_1, \cdots, \alpha_n \leftarrow S,$ where the size of $S$ is at least -$|S| \geq (d_1 + d_2).$ If the two polynomials are identical, this will always be true, -whereas if the two polynomials are different then the equality holds with probability at -most $\frac{\max(d_1,d_2)}{|S|}$. - -## Vanishing polynomial -Consider the order-$n$ multiplicative subgroup $\mathcal{H}$ with primitive root of unity -$\omega$. For all $\omega^i \in \mathcal{H}, i \in [n-1],$ we have -$(\omega^i)^n = (\omega^n)^i = (\omega^0)^i = 1.$ In other words, every element of -$\mathcal{H}$ fulfils the equation - -$$ -\begin{aligned} -Z_H(X) &= X^n - 1 \\ -&= (X-\omega^0)(X-\omega^1)(X-\omega^2)\cdots(X-\omega^{n-1}), -\end{aligned} -$$ - -meaning every element is a root of $Z_H(X).$ We call $Z_H(X)$ the **vanishing polynomial** -over $\mathcal{H}$ because it evaluates to zero on all elements of $\mathcal{H}.$ - -This comes in particularly handy when checking polynomial constraints. For instance, to -check that $A(X) + B(X) = C(X)$ over $\mathcal{H},$ we simply have to check that -$A(X) + B(X) - C(X)$ is some multiple of $Z_H(X)$. In other words, if dividing our -constraint by the vanishing polynomial still yields some polynomial -$\frac{A(X) + B(X) - C(X)}{Z_H(X)} = H(X),$ we are satisfied that $A(X) + B(X) - C(X) = 0$ -over $\mathcal{H}.$ - -## Lagrange basis functions - -> TODO: explain what a basis is in general (briefly). - -Polynomials are commonly written in the monomial basis (e.g. $X, X^2, ... X^n$). However, -when working over a multiplicative subgroup of order $n$, we find a more natural expression -in the Lagrange basis. - -Consider the order-$n$ multiplicative subgroup $\mathcal{H}$ with primitive root of unity -$\omega$. The Lagrange basis corresponding to this subgroup is a set of functions -$\{\mathcal{L}_i\}_{i = 0}^{n-1}$, where - -$$ -\mathcal{L_i}(\omega^j) = \begin{cases} -1 & \text{if } i = j, \\ -0 & \text{otherwise.} -\end{cases} -$$ - -We can write this more compactly as $\mathcal{L_i}(\omega^j) = \delta_{ij},$ where -$\delta$ is the Kronecker delta function. - -Now, we can write our polynomial as a linear combination of Lagrange basis functions, - -$$A(X) = \sum_{i = 0}^{n-1} a_i\mathcal{L_i}(X), X \in \mathcal{H},$$ - -which is equivalent to saying that $p(X)$ evaluates to $a_0$ at $\omega^0$, -to $a_1$ at $\omega^1$, to $a_2$ at $\omega^2, \cdots,$ and so on. - -When working over a multiplicative subgroup, the Lagrange basis function has a convenient -sparse representation of the form - -$$ -\mathcal{L}_i(X) = \frac{c_i\cdot(X^{n} - 1)}{X - \omega^i}, -$$ - -where $c_i$ is the barycentric weight. (To understand how this form was derived, refer to -[^barycentric].) For $i = 0,$ we have -$c = 1/n \implies \mathcal{L}_0(X) = \frac{1}{n} \frac{(X^{n} - 1)}{X - 1}$. - -Suppose we are given a set of evaluation points $\{x_0, x_1, \cdots, x_{n-1}\}$. -Since we cannot assume that the $x_i$'s form a multiplicative subgroup, we consider also -the Lagrange polynomials $\mathcal{L}_i$'s in the general case. Then we can construct: - -$$ -\mathcal{L}_i(X) = \prod_{j\neq i}\frac{X - x_j}{x_i - x_j}, i \in [0..n-1]. -$$ - -Here, every $X = x_j \neq x_i$ will produce a zero numerator term $(x_j - x_j),$ causing -the whole product to evaluate to zero. On the other hand, $X= x_i$ will evaluate to -$\frac{x_i - x_j}{x_i - x_j}$ at every term, resulting in an overall product of one. This -gives the desired Kronecker delta behaviour $\mathcal{L_i}(x_j) = \delta_{ij}$ on the -set $\{x_0, x_1, \cdots, x_{n-1}\}$. - -### Lagrange interpolation -Given a polynomial in its evaluation representation - -$$A: \{(x_0, A(x_0)), (x_1, A(x_1)), \cdots, (x_{n-1}, A(x_{n-1}))\},$$ - -we can reconstruct its coefficient form in the Lagrange basis: - -$$A(X) = \sum_{i = 0}^{n-1} A(x_i)\mathcal{L_i}(X), $$ - -where $X \in \{x_0, x_1,\cdots, x_{n-1}\}.$ - -## References -[^master-thm]: [Dasgupta, S., Papadimitriou, C. H., & Vazirani, U. V. (2008). "Algorithms" (ch. 2). New York: McGraw-Hill Higher Education.](https://people.eecs.berkeley.edu/~vazirani/algorithms/chap2.pdf) - -[^ifft]: [Golin, M. (2016). "The Fast Fourier Transform and Polynomial Multiplication" [lecture notes], COMP 3711H Design and Analysis of Algorithms, Hong Kong University of Science and Technology.](http://www.cs.ust.hk/mjg_lib/Classes/COMP3711H_Fall16/lectures/FFT_Slides.pdf) - -[^barycentric]: [Berrut, J. and Trefethen, L. (2004). "Barycentric Lagrange Interpolation."](https://people.maths.ox.ac.uk/trefethen/barycentric.pdf) diff --git a/book/src/background/recursion.md b/book/src/background/recursion.md deleted file mode 100644 index 4b6ce7430f..0000000000 --- a/book/src/background/recursion.md +++ /dev/null @@ -1,26 +0,0 @@ -## Recursion -> Alternative terms: Induction; Accumulation scheme; Proof-carrying data - -However, the computation of $G$ requires a length-$2^k$ multiexponentiation -$\langle \mathbf{G}, \mathbf{s}\rangle,$ where $\mathbf{s}$ is composed of the round -challenges $u_1, \cdots, u_k$ arranged in a binary counting structure. This is the -linear-time computation that we want to amortise across a batch of proof instances. -Instead of computing $G,$ notice that we can express $G$ as a commitment to a polynomial - -$$G = \text{Commit}(\sigma, g(X, u_1, \cdots, u_k)),$$ - -where $g(X, u_1, \cdots, u_k) := \prod_{i=1}^k (u_i + u_i^{-1}X^{2^{i-1}})$ is a -polynomial with degree $2^k - 1.$ - -| | | -| -------- | -------- | -| | Since $G$ is a commitment, it can be checked in an inner product argument. The verifier circuit witnesses $G$ and brings $G, u_1, \cdots, u_k$ out as public inputs to the proof $\pi.$ The next verifier instance checks $\pi$ using the inner product argument; this includes checking that $G = \text{Commit}(g(X, u_1, \cdots, u_k))$ evaluates at some random point to the expected value for the given challenges $u_1, \cdots, u_k.$ Recall from the [previous section](#Polynomial-commitment-using-inner-product-argument) that this check only requires $\log d$ work.

At the end of checking $\pi$ and $G,$ the circuit is left with a new $G',$ along with the $u_1', \cdots, u_k'$ challenges sampled for the check. To fully accept $\pi$ as valid, we should perform a linear-time computation of $G' = \langle\mathbf{G}, \mathbf{s}'\rangle$. Once again, we delay this computation by witnessing $G'$ and bringing $G', u_1', \cdots, u_k'$ out as public inputs to the proof $\pi'.$

This goes on from one proof instance to the next, until we are satisfied with the size of our batch of proofs. We finally perform a single linear-time computation, thus deciding the validity of the whole batch. | - -We recall from the section [Cycles of curves](curves.md#cycles-of-curves) that we can -instantiate this protocol over a two-cycle, where a proof produced by one curve is -efficiently verified in the circuit of the other curve. However, some of these verifier -checks can actually be efficiently performed in the native circuit; these are "deferred" -to the next native circuit (see diagram below) instead of being immediately passed over to -the other curve. - -![](https://i.imgur.com/l4HrYgE.png) diff --git a/book/src/concepts.md b/book/src/concepts.md deleted file mode 100644 index 328529c65f..0000000000 --- a/book/src/concepts.md +++ /dev/null @@ -1,5 +0,0 @@ -# Concepts - -First we'll describe the concepts behind zero-knowledge proof systems; the -*arithmetization* (kind of circuit description) used by Halo 2; and the -abstractions we use to build circuit implementations. diff --git a/book/src/concepts/arithmetization.md b/book/src/concepts/arithmetization.md deleted file mode 100644 index 65b25c8274..0000000000 --- a/book/src/concepts/arithmetization.md +++ /dev/null @@ -1,57 +0,0 @@ -# PLONKish Arithmetization - -The arithmetization used by Halo 2 comes from [PLONK](https://eprint.iacr.org/2019/953), or -more precisely its extension UltraPLONK that supports custom gates and lookup arguments. We'll -call it [***PLONKish***](https://twitter.com/feministPLT/status/1413815927704014850). - -***PLONKish circuits*** are defined in terms of a rectangular matrix of values. We refer to -***rows***, ***columns***, and ***cells*** of this matrix with the conventional meanings. - -A PLONKish circuit depends on a ***configuration***: - -* A finite field $\mathbb{F}$, where cell values (for a given statement and witness) will be - elements of $\mathbb{F}$. -* The number of columns in the matrix, and a specification of each column as being - ***fixed***, ***advice***, or ***instance***. Fixed columns are fixed by the circuit; - advice columns correspond to witness values; and instance columns are normally used for - public inputs (technically, they can be used for any elements shared between the prover - and verifier). - -* A subset of the columns that can participate in equality constraints. - -* A ***maximum constraint degree***. - -* A sequence of ***polynomial constraints***. These are multivariate polynomials over - $\mathbb{F}$ that must evaluate to zero *for each row*. The variables in a polynomial - constraint may refer to a cell in a given column of the current row, or a given column of - another row relative to this one (with wrap-around, i.e. taken modulo $n$). The maximum - degree of each polynomial is given by the maximum constraint degree. - -* A sequence of ***lookup arguments*** defined over tuples of ***input expressions*** - (which are multivariate polynomials as above) and ***table columns***. - -A PLONKish circuit also defines: - -* The number of rows $n$ in the matrix. $n$ must correspond to the size of a multiplicative - subgroup of $\mathbb{F}^\times$; typically a power of two. - -* A sequence of ***equality constraints***, which specify that two given cells must have equal - values. - -* The values of the fixed columns at each row. - -From a circuit description we can generate a ***proving key*** and a ***verification key***, -which are needed for the operations of proving and verification for that circuit. - -> Note that we specify the ordering of columns, polynomial constraints, lookup arguments, and -> equality constraints, even though these do not affect the meaning of the circuit. This makes -> it easier to define the generation of proving and verification keys as a deterministic -> process. - -Typically, a configuration will define polynomial constraints that are switched off and on by -***selectors*** defined in fixed columns. For example, a constraint $q_i \cdot p(...) = 0$ can -be switched off for a particular row $i$ by setting $q_i = 0$. In this case we sometimes refer -to a set of constraints controlled by a set of selector columns that are designed to be used -together, as a ***gate***. Typically there will be a ***standard gate*** that supports generic -operations like field multiplication and division, and possibly also ***custom gates*** that -support more specialized operations. diff --git a/book/src/concepts/chips.md b/book/src/concepts/chips.md deleted file mode 100644 index 4770d97237..0000000000 --- a/book/src/concepts/chips.md +++ /dev/null @@ -1,87 +0,0 @@ -# Chips - -The previous section gives a fairly low-level description of a circuit. When implementing circuits we will -typically use a higher-level API which aims for the desirable characteristics of auditability, -efficiency, modularity, and expressiveness. - -Some of the terminology and concepts used in this API are taken from an analogy with -integrated circuit design and layout. [As for integrated circuits](https://opencores.org/), -the above desirable characteristics are easier to obtain by composing ***chips*** that provide -efficient pre-built implementations of particular functionality. - -For example, we might have chips that implement particular cryptographic primitives such as a -hash function or cipher, or algorithms like scalar multiplication or pairings. - -In PLONKish circuits, it is possible to build up arbitrary logic just from standard gates that do -field multiplication and addition. However, very significant efficiency gains can be obtained by -using custom gates. - -Using our API, we define chips that "know" how to use particular sets of custom gates. This -creates an abstraction layer that isolates the implementation of a high-level circuit from the -complexity of using custom gates directly. - -> Even if we sometimes need to "wear two hats", by implementing both a high-level circuit and -> the chips that it uses, the intention is that this separation will result in code that is -> easier to understand, audit, and maintain/reuse. This is partly because some potential -> implementation errors are ruled out by construction. - -Gates in PLONKish circuits refer to cells by ***relative references***, i.e. to the cell in a given -column, and the row at a given offset relative to the one in which the gate's selector is set. We -call this an ***offset reference*** when the offset is nonzero (i.e. offset references are a subset -of relative references). - -Relative references contrast with ***absolute references*** used in equality constraints, -which can point to any cell. - -The motivation for offset references is to reduce the number of columns needed in the -configuration, which reduces proof size. If we did not have offset references then we would -need a column to hold each value referred to by a custom gate, and we would need to use -equality constraints to copy values from other cells of the circuit into that column. With -offset references, we not only need fewer columns; we also do not need equality constraints to -be supported for all of those columns, which improves efficiency. - -In R1CS (another arithmetization which may be more familiar to some readers, but don't worry -if it isn't), a circuit consists of a "sea of gates" with no semantically significant ordering. -Because of offset references, the order of rows in a PLONKish circuit, on the other hand, *is* -significant. We're going to make some simplifying assumptions and define some abstractions to -tame the resulting complexity: the aim will be that, [at the gadget level](gadgets.md) where -we do most of our circuit construction, we will not have to deal with relative references or -with gate layout explicitly. - -We will partition a circuit into ***regions***, where each region contains a disjoint subset -of cells, and relative references only ever point *within* a region. Part of the responsibility -of a chip implementation is to ensure that gates that make offset references are laid out in -the correct positions in a region. - -Given the set of regions and their ***shapes***, we will use a separate ***floor planner*** -to decide where (i.e. at what starting row) each region is placed. There is a default floor -planner that implements a very general algorithm, but you can write your own floor planner if -you need to. - -Floor planning will in general leave gaps in the matrix, because the gates in a given row did -not use all available columns. These are filled in —as far as possible— by gates that do -not require offset references, which allows them to be placed on any row. - -Chips can also define lookup tables. If more than one table is defined for the same lookup -argument, we can use a ***tag column*** to specify which table is used on each row. It is also -possible to perform a lookup in the union of several tables (limited by the polynomial degree -bound). - -## Composing chips -In order to combine functionality from several chips, we compose them in a tree. The top-level -chip defines a set of fixed, advice, and instance columns, and then specifies how they -should be distributed between lower-level chips. - -In the simplest case, each lower-level chips will use columns disjoint from the other chips. -However, it is allowed to share a column between chips. It is important to optimize the number -of advice columns in particular, because that affects proof size. - -The result (possibly after optimization) is a PLONKish configuration. Our circuit implementation -will be parameterized on a chip, and can use any features of the supported lower-level chips via -the top-level chip. - -Our hope is that less expert users will normally be able to find an existing chip that -supports the operations they need, or only have to make minor modifications to an existing -chip. Expert users will have full control to do the kind of -[circuit optimizations](https://zips.z.cash/protocol/canopy.pdf#circuitdesign) -[that ECC is famous for](https://electriccoin.co/blog/cultivating-sapling-faster-zksnarks/) 🙂. diff --git a/book/src/concepts/gadgets.md b/book/src/concepts/gadgets.md deleted file mode 100644 index aa352db41f..0000000000 --- a/book/src/concepts/gadgets.md +++ /dev/null @@ -1,25 +0,0 @@ -# Gadgets - -When implementing a circuit, we could use the features of the chips we've selected directly. -Typically, though, we will use them via ***gadgets***. This indirection is useful because, -for reasons of efficiency and limitations imposed by PLONKish circuits, the chip interfaces will -often be dependent on low-level implementation details. The gadget interface can provide a more -convenient and stable API that abstracts away from extraneous detail. - -For example, consider a hash function such as SHA-256. The interface of a chip supporting -SHA-256 might be dependent on internals of the hash function design such as the separation -between message schedule and compression function. The corresponding gadget interface can -provide a more convenient and familiar `update`/`finalize` API, and can also handle parts -of the hash function that do not need chip support, such as padding. This is similar to how -[accelerated](https://software.intel.com/content/www/us/en/develop/articles/intel-sha-extensions.html) -[instructions](https://developer.arm.com/documentation/ddi0514/g/introduction/about-the-cortex-a57-processor-cryptography-engine) -for cryptographic primitives on CPUs are typically accessed via software libraries, rather -than directly. - -Gadgets can also provide modular and reusable abstractions for circuit programming -at a higher level, similar to their use in libraries such as -[libsnark](https://github.com/christianlundkvist/libsnark-tutorial) and -[bellman](https://electriccoin.co/blog/bellman-zksnarks-in-rust/). As well as abstracting -*functions*, they can also abstract *types*, such as elliptic curve points or integers of -specific sizes. - diff --git a/book/src/concepts/proofs.md b/book/src/concepts/proofs.md deleted file mode 100644 index fa82c76ffe..0000000000 --- a/book/src/concepts/proofs.md +++ /dev/null @@ -1,91 +0,0 @@ -# Proof systems - -The aim of any ***proof system*** is to be able to prove interesting mathematical or -cryptographic ***statements***. - -Typically, in a given protocol we will want to prove families of statements that differ -in their ***public inputs***. The prover will also need to show that they know some -***private inputs*** that make the statement hold. - -To do this we write down a ***relation***, $\mathcal{R}$, that specifies which -combinations of public and private inputs are valid. - -> The terminology above is intended to be aligned with the -> [ZKProof Community Reference](https://docs.zkproof.org/reference#latest-version). - -To be precise, we should distinguish between the relation $\mathcal{R}$, and its -implementation to be used in a proof system. We call the latter a ***circuit***. - -The language that we use to express circuits for a particular proof system is called an -***arithmetization***. Usually, an arithmetization will define circuits in terms of -polynomial constraints on variables over a field. - -> The _process_ of expressing a particular relation as a circuit is also sometimes called -> "arithmetization", but we'll avoid that usage. - -To create a proof of a statement, the prover will need to know the private inputs, -and also intermediate values, called ***advice*** values, that are used by the circuit. - -We assume that we can compute advice values efficiently from the private and public inputs. -The particular advice values will depend on how we write the circuit, not only on the -high-level statement. - -The private inputs and advice values are collectively called a ***witness***. - -> Some authors use "witness" as just a synonym for private inputs. But in our usage, -> a witness includes advice, i.e. it includes all values that the prover supplies to -> the circuit. - -For example, suppose that we want to prove knowledge of a preimage $x$ of a -hash function $H$ for a digest $y$: - -* The private input would be the preimage $x$. - -* The public input would be the digest $y$. - -* The relation would be $\{(x, y) : H(x) = y\}$. - -* For a particular public input $Y$, the statement would be: $\{(x) : H(x) = Y\}$. - -* The advice would be all of the intermediate values in the circuit implementing the - hash function. The witness would be $x$ and the advice. - -A ***Non-interactive Argument*** allows a ***prover*** to create a ***proof*** for a -given statement and witness. The proof is data that can be used to convince a ***verifier*** -that _there exists_ a witness for which the statement holds. The security property that -such proofs cannot falsely convince a verifier is called ***soundness***. - -A ***Non-interactive Argument of Knowledge*** (***NARK***) further convinces the verifier -that the prover _knew_ a witness for which the statement holds. This security property is -called ***knowledge soundness***, and it implies soundness. - -In practice knowledge soundness is more useful for cryptographic protocols than soundness: -if we are interested in whether Alice holds a secret key in some protocol, say, we need -Alice to prove that _she knows_ the key, not just that it exists. - -Knowledge soundness is formalized by saying that an ***extractor***, which can observe -precisely how the proof is generated, must be able to compute the witness. - -> This property is subtle given that proofs can be ***malleable***. That is, depending on the -> proof system it may be possible to take an existing proof (or set of proofs) and, without -> knowing the witness(es), modify it/them to produce a distinct proof of the same or a related -> statement. Higher-level protocols that use malleable proof systems need to take this into -> account. -> -> Even without malleability, proofs can also potentially be ***replayed***. For instance, -> we would not want Alice in our example to be able to present a proof generated by someone -> else, and have that be taken as a demonstration that she knew the key. - -If a proof yields no information about the witness (other than that a witness exists and was -known to the prover), then we say that the proof system is ***zero knowledge***. - -If a proof system produces short proofs —i.e. of length polylogarithmic in the circuit -size— then we say that it is ***succinct***. A succinct NARK is called a ***SNARK*** -(***Succinct Non-Interactive Argument of Knowledge***). - -> By this definition, a SNARK need not have verification time polylogarithmic in the circuit -> size. Some papers use the term ***efficient*** to describe a SNARK with that property, but -> we'll avoid that term since it's ambiguous for SNARKs that support amortized or recursive -> verification, which we'll get to later. - -A ***zk-SNARK*** is a zero-knowledge SNARK. diff --git a/book/src/design.md b/book/src/design.md deleted file mode 100644 index db8a6d09de..0000000000 --- a/book/src/design.md +++ /dev/null @@ -1,17 +0,0 @@ -# Design - -## Note on Language - -We use slightly different language than others to describe PLONK concepts. Here's the -overview: - -1. We like to think of PLONK-like arguments as tables, where each column corresponds to a - "wire". We refer to entries in this table as "cells". -2. We like to call "selector polynomials" and so on "fixed columns" instead. We then refer - specifically to a "selector constraint" when a cell in a fixed column is being used to - control whether a particular constraint is enabled in that row. -3. We call the other polynomials "advice columns" usually, when they're populated by the - prover. -4. We use the term "rule" to refer to a "gate" like - $$A(X) \cdot q_A(X) + B(X) \cdot q_B(X) + A(X) \cdot B(X) \cdot q_M(X) + C(X) \cdot q_C(X) = 0.$$ - - TODO: Check how consistent we are with this, and update the code and docs to match. diff --git a/book/src/design/gadgets.md b/book/src/design/gadgets.md deleted file mode 100644 index 98fdbf92f5..0000000000 --- a/book/src/design/gadgets.md +++ /dev/null @@ -1,7 +0,0 @@ -# Gadgets - -In this section we document the gadgets and chip designs provided in the `halo2_gadgets` -crate. - -> Neither these gadgets, nor their implementations, have been reviewed, and they should -> not be used in production. diff --git a/book/src/design/gadgets/decomposition.md b/book/src/design/gadgets/decomposition.md deleted file mode 100644 index 94e2349081..0000000000 --- a/book/src/design/gadgets/decomposition.md +++ /dev/null @@ -1,76 +0,0 @@ -# Decomposition -Given a field element $\alpha$, these gadgets decompose it into $W$ $K$-bit windows $$\alpha = k_0 + 2^{K} \cdot k_1 + 2^{2K} \cdot k_2 + \cdots + 2^{(W-1)K} \cdot k_{W-1}$$ where each $k_i$ a $K$-bit value. - -This is done using a running sum $z_i, i \in [0..W).$ We initialize the running sum $z_0 = \alpha,$ and compute subsequent terms $z_{i+1} = \frac{z_i - k_i}{2^{K}}.$ This gives us: - -$$ -\begin{aligned} -z_0 &= \alpha \\ - &= k_0 + 2^{K} \cdot k_1 + 2^{2K} \cdot k_2 + 2^{3K} \cdot k_3 + \cdots, \\ -z_1 &= (z_0 - k_0) / 2^K \\ - &= k_1 + 2^{K} \cdot k_2 + 2^{2K} \cdot k_3 + \cdots, \\ -z_2 &= (z_1 - k_1) / 2^K \\ - &= k_2 + 2^{K} \cdot k_3 + \cdots, \\ - &\vdots \\ -\downarrow &\text{ (in strict mode)} \\ -z_W &= (z_{W-1} - k_{W-1}) / 2^K \\ - &= 0 \text{ (because } z_{W-1} = k_{W-1} \text{)} -\end{aligned} -$$ - -### Strict mode -Strict mode constrains the running sum output $z_{W}$ to be zero, thus range-constraining the field element to be within $W \cdot K$ bits. - -In strict mode, we are also assured that $z_{W-1} = k_{W-1}$ gives us the last window in the decomposition. -## Lookup decomposition -This gadget makes use of a $K$-bit lookup table to decompose a field element $\alpha$ into $K$-bit words. Each $K$-bit word $k_i = z_i - 2^K \cdot z_{i+1}$ is range-constrained by a lookup in the $K$-bit table. - -The region layout for the lookup decomposition uses a single advice column $z$, and two selectors $q_{lookup}$ and $q_{running}.$ -$$ -\begin{array}{|c|c|c|} -\hline - z & q_\mathit{lookup} & q_\mathit{running} \\\hline -\hline - z_0 & 1 & 1 \\\hline - z_1 & 1 & 1 \\\hline -\vdots & \vdots & \vdots \\\hline -z_{n-1} & 1 & 1 \\\hline -z_n & 0 & 0 \\\hline -\end{array} -$$ -### Short range check -Using two $K$-bit lookups, we can range-constrain a field element $\alpha$ to be $n$ bits, where $n \leq K.$ To do this: - -1. Constrain $0 \leq \alpha < 2^K$ to be within $K$ bits using a $K$-bit lookup. -2. Constrain $0 \leq \alpha \cdot 2^{K - n} < 2^K$ to be within $K$ bits using a $K$-bit lookup. - -The short variant of the lookup decomposition introduces a $q_{bitshift}$ selector. The same advice column $z$ has here been renamed to $\textsf{word}$ for clarity: -$$ -\begin{array}{|c|c|c|c|} -\hline -\textsf{word} & q_\mathit{lookup} & q_\mathit{running} & q_\mathit{bitshift} \\\hline -\hline -\alpha & 1 & 0 & 0 \\\hline -\alpha' & 1 & 0 & 1 \\\hline -2^{K-n} & 0 & 0 & 0 \\\hline -\end{array} -$$ - -where $\alpha' = \alpha \cdot 2^{K - n}.$ Note that $2^{K-n}$ is assigned to a fixed column at keygen, and copied in at proving time. This is used in the gate enabled by the $q_\mathit{bitshift}$ selector to check that $\alpha$ was shifted correctly: -$$ -\begin{array}{|c|l|} -\hline -\text{Degree} & \text{Constraint} \\\hline - 2 & q_\mathit{bitshift} \cdot ((\alpha \cdot 2^{K - n}) - \alpha') \\\hline -\end{array} -$$ - -### Combined lookup expression -Since the lookup decomposition and its short variant both make use of the same lookup table, we combine their lookup input expressions into a single one: - -$$q_\mathit{lookup} \cdot \left(q_\mathit{running} \cdot (z_i - 2^K \cdot z_{i+1}) + (1 - q_\mathit{running}) \cdot \textsf{word} \right)$$ - -where $z_i$ and $\textsf{word}$ are the same cell (but distinguished here for clarity of usage). - -## Short range decomposition -For a short range (for instance, $[0, \texttt{range})$ where $\texttt{range} \leq 8$), we can range-constrain each word using a degree-$\texttt{range}$ polynomial constraint instead of a lookup: $$\RangeCheck{word}{range} = \texttt{word} \cdot (1 - \texttt{word}) \cdots (\texttt{range} - 1 - \texttt{word}).$$ diff --git a/book/src/design/gadgets/ecc.md b/book/src/design/gadgets/ecc.md deleted file mode 100644 index e1025ee98f..0000000000 --- a/book/src/design/gadgets/ecc.md +++ /dev/null @@ -1,50 +0,0 @@ -# Elliptic Curves - -## `EccChip` - -`halo2_gadgets` provides a chip that implements `EccInstructions` using 10 advice columns. -The chip is currently restricted to the Pallas curve, but will be extended to support the -[Vesta curve](https://github.com/zcash/halo2/issues/578) in the near future. - -### Chip assumptions - -A non-exhaustive list of assumptions made by `EccChip`: -- $0$ is not an $x$-coordinate of a valid point on the curve. - - Holds for Pallas because $5$ is not square in $\mathbb{F}_q$. -- $0$ is not a $y$-coordinate of a valid point on the curve. - - Holds for Pallas because $-5$ is not a cube in $\mathbb{F}_q$. - -### Layout - -The following table shows how columns are used by the gates for various chip sub-areas: - -- $W$ - witnessing points. -- $AI$ - incomplete point addition. -- $AC$ - complete point addition. -- $MF$ - Fixed-base scalar multiplication. -- $MVI$ - variable-base scalar multiplication, incomplete rounds. -- $MVC$ - variable-base scalar multiplication, complete rounds. -- $MVO$ - variable-base scalar multiplication, overflow check. - -$$ -\begin{array}{|c||c|c|c|c|c|c|c|c|c|c|} -\hline -\text{Sub-area} & a_0 & a_1 & a_2 & a_3 & a_4 & a_5 & a_6 & a_7 & a_8 & a_9 \\\hline -\hline - W & x & y \\\hline -\hline - AI & x_p & y_p & x_q & y_q \\\hline - & & & x_r & y_r \\\hline -\hline - AC & x_p & y_p & x_q & y_q & \lambda & \alpha & \beta & \gamma & \delta & \\\hline - & & & x_r & y_r \\\hline -\hline - MF & x_p & y_p & x_q & y_q & \text{window} & u \\\hline - & & & x_r & y_r \\\hline -\hline -MVI & x_p & y_p & \lambda_2^{lo} & x_A^{hi} & \lambda_1^{hi} & \lambda_2^{hi} & z^{lo} & x_A^{lo} & \lambda_1^{lo} & z^{hi} \\\hline -\hline -MVC & x_p & y_p & x_q & y_q & \lambda & \alpha & \beta & \gamma & \delta & z^{complete} \\\hline - & & & x_r & y_r \\\hline -\end{array} -$$ diff --git a/book/src/design/gadgets/ecc/addition.md b/book/src/design/gadgets/ecc/addition.md deleted file mode 100644 index a51d9dc165..0000000000 --- a/book/src/design/gadgets/ecc/addition.md +++ /dev/null @@ -1,359 +0,0 @@ -We will use formulae for curve arithmetic using affine coordinates on short Weierstrass curves, -derived from section 4.1 of [Hüseyin Hışıl's thesis](https://core.ac.uk/download/pdf/10898289.pdf). - -## Incomplete addition - -- Inputs: $P = (x_p, y_p), Q = (x_q, y_q)$ -- Output: $R = P \;⸭\; Q = (x_r, y_r)$ - -The formulae from Hışıl's thesis are: - -- $x_3 = \left(\frac{y_1 - y_2}{x_1 - x_2}\right)^2 - x_1 - x_2$ -- $y_3 = \frac{y_1 - y_2}{x_1 - x_2} \cdot (x_1 - x_3) - y_1.$ - -Rename $(x_1, y_1)$ to $(x_q, y_q)$, $(x_2, y_2)$ to $(x_p, y_p)$, and $(x_3, y_3)$ to $(x_r, y_r)$, giving - -- $x_r = \left(\frac{y_q - y_p}{x_q - x_p}\right)^2 - x_q - x_p$ -- $y_r = \frac{y_q - y_p}{x_q - x_p} \cdot (x_q - x_r) - y_q$ - -which is equivalent to - -- $x_r + x_q + x_p = \left(\frac{y_p - y_q}{x_p - x_q}\right)^2$ -- $y_r + y_q = \frac{y_p - y_q}{x_p - x_q} \cdot (x_q - x_r).$ - -Assuming $x_p \neq x_q$, we have - -$ -\begin{array}{lrrll} -&& x_r + x_q + x_p &=& \left(\frac{y_p - y_q}{x_p - x_q}\right)^2 \\[1.2ex] -&\Longleftrightarrow &(x_r + x_q + x_p) \cdot (x_p - x_q)^2 &=& (y_p - y_q)^2 \\[1ex] -&\Longleftrightarrow &(x_r + x_q + x_p) \cdot (x_p - x_q)^2 - (y_p - y_q)^2 &=& 0 \\[1.5ex] -\text{and} \\ -&&y_r + y_q &=& \frac{y_p - y_q}{x_p - x_q} \cdot (x_q - x_r) \\[0.8ex] -&\Longleftrightarrow &(y_r + y_q) \cdot (x_p - x_q) &=& (y_p - y_q) \cdot (x_q - x_r) \\[1ex] -&\Longleftrightarrow &(y_r + y_q) \cdot (x_p - x_q) - (y_p - y_q) \cdot (x_q - x_r) &=& 0. -\end{array} -$ - -So we get the constraints: -- $(x_r + x_q + x_p) \cdot (x_p - x_q)^2 - (y_p - y_q)^2 = 0$ - - Note that this constraint is unsatisfiable for $P \;⸭\; (-P)$ (when $P \neq \mathcal{O}$), - and so cannot be used with arbitrary inputs. -- $(y_r + y_q) \cdot (x_p - x_q) - (y_p - y_q) \cdot (x_q - x_r) = 0.$ - -### Constraints - -$$ -\begin{array}{|c|l|} -\hline -\text{Degree} & \text{Constraint} \\\hline -4 & q_\text{add-incomplete} \cdot \left( (x_r + x_q + x_p) \cdot (x_p - x_q)^2 - (y_p - y_q)^2 \right) = 0 \\\hline -3 & q_\text{add-incomplete} \cdot \left( (y_r + y_q) \cdot (x_p - x_q) - (y_p - y_q) \cdot (x_q - x_r) \right) = 0 \\\hline -\end{array} -$$ - -## Complete addition - -$\hspace{1em} \begin{array}{rcll} -\mathcal{O} &+& \mathcal{O} &= \mathcal{O} \\[0.4ex] -\mathcal{O} &+& (x_q, y_q) &= (x_q, y_q) \\[0.4ex] - (x_p, y_p) &+& \mathcal{O} &= (x_p, y_p) \\[0.6ex] - (x, y) &+& (x, y) &= [2] (x, y) \\[0.6ex] - (x, y) &+& (x, -y) &= \mathcal{O} \\[0.4ex] - (x_p, y_p) &+& (x_q, y_q) &= (x_p, y_p) \;⸭\; (x_q, y_q), \text{ if } x_p \neq x_q. -\end{array}$ - -Suppose that we represent $\mathcal{O}$ as $(0, 0)$. ($0$ is not an $x$-coordinate of a valid point because we would need $y^2 = x^3 + 5$, and $5$ is not square in $\mathbb{F}_q$. Also $0$ is not a $y$-coordinate of a valid point because $-5$ is not a cube in $\mathbb{F}_q$.) - -$$ -\begin{aligned} -P + Q &= R\\ -(x_p, y_p) + (x_q, y_q) &= (x_r, y_r) \\ - \lambda &= \frac{y_q - y_p}{x_q - x_p} \\ - x_r &= \lambda^2 - x_p - x_q \\ - y_r &= \lambda(x_p - x_r) - y_p -\end{aligned} -$$ - -For the doubling case, Hışıl's thesis tells us that $\lambda$ has to -instead be computed as $\frac{3x^2}{2y}$. - -Define $\mathsf{inv0}(x) = \begin{cases} 0, &\text{if } x = 0 \\ 1/x, &\text{otherwise.} \end{cases}$ - -Witness $\alpha, \beta, \gamma, \delta, \lambda$ where: - -$\hspace{1em} -\begin{array}{rl} -\alpha \,\,=&\!\! \mathsf{inv0}(x_q - x_p) \\[0.4ex] -\beta \,\,=&\!\! \mathsf{inv0}(x_p) \\[0.4ex] -\gamma \,\,=&\!\! \mathsf{inv0}(x_q) \\[0.4ex] -\delta \,\,=&\!\! \begin{cases} - \mathsf{inv0}(y_q + y_p), &\text{if } x_q = x_p \\ - 0, &\text{otherwise} - \end{cases} \\[2.5ex] -\lambda \,\,=&\!\! \begin{cases} - \frac{y_q - y_p}{x_q - x_p}, &\text{if } x_q \neq x_p \\[1.2ex] - \frac{3{x_p}^2}{2y_p} &\text{if } x_q = x_p \wedge y_p \neq 0 \\[0.8ex] - 0, &\text{otherwise.} - \end{cases} -\end{array} -$ - -### Constraints - -$$ -\begin{array}{|c|lcl|l|} -\hline -\text{Degree} & \text{Constraint}\hspace{7em} &&& \text{Meaning} \\\hline -4 & q_\mathit{add} \cdot (x_q - x_p) \cdot ((x_q - x_p) \cdot \lambda - (y_q - y_p)) &=& 0 & x_q \neq x_p \implies \lambda = \frac{y_q - y_p}{x_q - x_p} \\\hline \\[-2.3ex] -5 & q_\mathit{add} \cdot (1 - (x_q - x_p) \cdot \alpha) \cdot \left(2y_p \cdot \lambda - 3{x_p}^2\right) &=& 0 & \begin{cases} x_q = x_p \wedge y_p \neq 0 \implies \lambda = \frac{3{x_p}^2}{2y_p} \\ x_q = x_p \wedge y_p = 0 \implies x_p = 0 \end{cases} \\\hline -6 & q_\mathit{add} \cdot x_p \cdot x_q \cdot (x_q - x_p) \cdot (\lambda^2 - x_p - x_q - x_r) &=& 0 & x_p \neq 0 \wedge x_q \neq 0 \wedge x_q \neq x_p \implies x_r = \lambda^2 - x_p - x_q \\ -6 & q_\mathit{add} \cdot x_p \cdot x_q \cdot (x_q - x_p) \cdot (\lambda \cdot (x_p - x_r) - y_p - y_r) &=& 0 & x_p \neq 0 \wedge x_q \neq 0 \wedge x_q \neq x_p \implies y_r = \lambda \cdot (x_p - x_r) - y_p \\ -6 & q_\mathit{add} \cdot x_p \cdot x_q \cdot (y_q + y_p) \cdot (\lambda^2 - x_p - x_q - x_r) &=& 0 & x_p \neq 0 \wedge x_q \neq 0 \wedge y_q \neq -y_p \implies x_r = \lambda^2 - x_p - x_q \\ -6 & q_\mathit{add} \cdot x_p \cdot x_q \cdot (y_q + y_p) \cdot (\lambda \cdot (x_p - x_r) - y_p - y_r) &=& 0 & x_p \neq 0 \wedge x_q \neq 0 \wedge y_q \neq -y_p \implies y_r = \lambda \cdot (x_p - x_r) - y_p \\\hline -4 & q_\mathit{add} \cdot (1 - x_p \cdot \beta) \cdot (x_r - x_q) &=& 0 & x_p = 0 \implies x_r = x_q \\ -4 & q_\mathit{add} \cdot (1 - x_p \cdot \beta) \cdot (y_r - y_q) &=& 0 & x_p = 0 \implies y_r = y_q \\\hline -4 & q_\mathit{add} \cdot (1 - x_q \cdot \gamma) \cdot (x_r - x_p) &=& 0 & x_q = 0 \implies x_r = x_p \\ -4 & q_\mathit{add} \cdot (1 - x_q \cdot \gamma) \cdot (y_r - y_p) &=& 0 & x_q = 0 \implies y_r = y_p \\\hline -4 & q_\mathit{add} \cdot (1 - (x_q - x_p) \cdot \alpha - (y_q + y_p) \cdot \delta) \cdot x_r &=& 0 & x_q = x_p \wedge y_q = -y_p \implies x_r = 0 \\ -4 & q_\mathit{add} \cdot (1 - (x_q - x_p) \cdot \alpha - (y_q + y_p) \cdot \delta) \cdot y_r &=& 0 & x_q = x_p \wedge y_q = -y_p \implies y_r = 0 \\\hline -\end{array} -$$ - -Max degree: 6 - -### Analysis of constraints -$$ -\begin{array}{rl} -1. & (x_q - x_p) \cdot ((x_q - x_p) \cdot \lambda - (y_q - y_p)) = 0 \\ - & \\ - & \begin{aligned} - \text{At least one of } &x_q - x_p = 0 \\ - \text{or } &(x_q - x_p) \cdot \lambda - (y_q - y_p) = 0 \\ - \end{aligned} \\ - & \text{must be satisfied for the constraint to be satisfied.} \\ - & \\ - & \text{If } x_q - x_p \neq 0, \text{ then } (x_q - x_p) \cdot \lambda - (y_q - y_p) = 0, \text{ and} \\ - & \text{by rearranging both sides we get } \lambda = (y_q - y_p) / (x_q - x_p). \\ - & \\ - & \text{Therefore:} \\ - & \hspace{2em} x_q \neq x_p \implies \lambda = (y_q - y_p) / (x_q - x_p).\\ - & \\ -2. & (1 - (x_q - x_p) \cdot \alpha) \cdot (2y_p \cdot \lambda - 3x_p^2) = 0 \\ - & \\ - & \begin{aligned} - \text{At least one of } &(1 - (x_q - x_p) \cdot \alpha) = 0 \\ - \text{or } &(2y_p \cdot \lambda - 3x_p^2) = 0 - \end{aligned} \\ - & \text{must be satisfied for the constraint to be satisfied.} \\ - & \\ - & \text{If } x_q = x_p, \text{ then } 1 - (x_q - x_p) \cdot \alpha = 0 \text{ has no solution for } \alpha, \\ - & \text{so it must be that } 2y_p \cdot \lambda - 3x_p^2 = 0. \\ - & \\ - & \text{If } x_q = x_p \text{ and } y_p = 0 \text{ then } x_p = 0, \text{ and the constraint is satisfied.}\\ - & \\ - & \text{If } x_q = x_p \text{ and } y_p \neq 0 \text{ then by rearranging both sides} \\ - & \text{we get } \lambda = 3x_p^2 / 2y_p. \\ - & \\ - & \text{Therefore:} \\ - & \hspace{2em} (x_q = x_p) \wedge y_p \neq 0 \implies \lambda = 3x_p^2 / 2y_p. \\ - & \\ -3.\text{ a)} & x_p \cdot x_q \cdot (x_q - x_p) \cdot (\lambda^2 - x_p - x_q - x_r) = 0 \\ - \text{ b)} & x_p \cdot x_q \cdot (x_q - x_p) \cdot (\lambda \cdot (x_p - x_r) - y_p - y_r) = 0 \\ - \text{ c)} & x_p \cdot x_q \cdot (y_q + y_p) \cdot (\lambda^2 - x_p - x_q - x_r) = 0 \\ - \text{ d)} & x_p \cdot x_q \cdot (y_q + y_p) \cdot (\lambda \cdot (x_p - x_r) - y_p - y_r) = 0 \\ - & \\ - & \begin{aligned} - \text{At least one of } &x_p = 0 \\ - \text{or } &x_p = 0 \\ - \text{or } &(x_q - x_p) = 0 \\ - \text{or } &(\lambda^2 - x_p - x_q - x_r) = 0 \\ - \end{aligned} \\ - & \text{must be satisfied for constraint (a) to be satisfied.} \\ - & \\ - & \text{If } x_p \neq 0 \wedge x_q \neq 0 \wedge x_q \neq x_p, \\[1.5ex] - & \text{• Constraint (a) imposes that } x_r = \lambda^2 - x_p - x_q. \\ - & \text{• Constraint (b) imposes that } y_r = \lambda \cdot (x_p - x_r) - y_p. \\ - & \\ - & \text{If } x_p \neq 0 \wedge x_q \neq 0 \wedge y_q \neq -y_p, \\[1.5ex] - & \text{• Constraint (c) imposes that } x_r = \lambda^2 - x_p - x_q. \\ - & \text{• Constraint (d) imposes that } y_r = \lambda \cdot (x_p - x_r) - y_p. \\ - & \\ - & \text{Therefore:} \\ - & \begin{aligned} - &(x_p \neq 0) \wedge (x_q \neq 0) \wedge ((x_q \neq x_p) \vee (y_q \neq -y_p)) \\ - \implies &(x_r = \lambda^2 - x_p - x_q) \wedge (y_r = \lambda \cdot (x_p - x_r) - y_p). - \end{aligned} \\ - & \\ -4.\text{ a)} & (1 - x_p \cdot \beta) \cdot (x_r - x_q) = 0 \\ - \text{ b)} & (1 - x_p \cdot \beta) \cdot (y_r - y_q) = 0 \\ - & \\ - & \begin{aligned} - \text{At least one of } 1 - x_p \cdot \beta &= 0 \\ - \text{or } x_r - x_q &= 0 - \end{aligned} \\ - & \text{must be satisfied for constraint (a) to be satisfied.} \\ - & \\ - & \text{If } x_p = 0 \text{ then } 1 - x_p \cdot \beta = 0 \text{ has no solutions for } \beta, \\ - & \text{and so it must be that } x_r - x_q = 0. \\ - & \\ - & \text{Similarly, constraint (b) imposes that if } x_p = 0 \\ - & \text{then } y_r - y_q = 0. \\ - & \\ - & \text{Therefore:} \\ - & \hspace{2em} x_p = 0 \implies (x_r, y_r) = (x_q, y_q). \\ - & \\ -5.\text{ a)} & (1 - x_q \cdot \gamma) \cdot (x_r - x_p) = 0 \\ - \text{ b)} & (1 - x_q \cdot \gamma) \cdot (y_r - y_p) = 0 \\ - & \\ - & \begin{aligned} - \text{At least one of } 1 - x_q \cdot \gamma &= 0 \\ - \text{or } x_r - x_p &= 0 - \end{aligned} \\ - & \text{must be satisfied for constraint (a) to be satisfied.} \\ - & \\ - & \text{If } x_q = 0 \text{ then } 1 - x_q \cdot \gamma = 0 \text{ has no solutions for } \gamma, \\ - & \text{and so it must be that } x_r - x_p = 0. \\ - & \\ - & \text{Similarly, constraint (b) imposes that if } x_q = 0 \\ - & \text{then } y_r - y_p = 0. \\ - & \\ - & \text{Therefore:} \\ - & \hspace{2em} x_q = 0 \implies (x_r, y_r) = (x_p, y_p). \\ - & \\ -6.\text{ a)} & (1 - (x_q - x_p) \cdot \alpha - (y_q + y_p) \cdot \delta) \cdot x_r = 0 \\ - \text{ b)} & (1 - (x_q - x_p) \cdot \alpha - (y_q + y_p) \cdot \delta) \cdot y_r = 0 \\ - & \\ - & \begin{aligned} - \text{At least one of } &1 - (x_q - x_p) \cdot \alpha - (y_q + y_p) \cdot \delta = 0 \\ - \text{or } &x_r = 0 - \end{aligned} \\ - & \text{must be satisfied for constraint (a) to be satisfied,} \\ - & \text{and similarly replacing } x_r \text{ by } y_r. \\ - & \\ - & \text{If } x_r \neq 0 \text{ or } y_r \neq 0, \text{ then it must be that } 1 - (x_q - x_p) \cdot \alpha - (y_q + y_p) \cdot \delta = 0. \\ - & \\ - & \text{However, if } x_q = x_p \wedge y_q = -y_p, \text{ then there are no solutions for } \alpha \text { and } \delta. \\ - & \\ - & \text{Therefore: } \\ - & \hspace{2em} x_q = x_p \wedge y_q = -y_p \implies (x_r, y_r) = (0, 0). -\end{array} -$$ - -#### Propositions: - -$ -\begin{array}{cl} -(1)& x_q \neq x_p \implies \lambda = (y_q - y_p) / (x_q - x_p) \\[0.8ex] -(2)& (x_q = x_p) \wedge y_p \neq 0 \implies \lambda = 3x_p^2 / 2y_p \\[0.8ex] -(3)& (x_p \neq 0) \wedge (x_q \neq 0) \wedge ((x_q \neq x_p) \vee (y_q \neq -y_p)) \\[0.4ex] - &\implies (x_r = \lambda^2 - x_p - x_q) \wedge (y_r = \lambda \cdot (x_p - x_r) - y_p) \\[0.8ex] -(4)& x_p = 0 \implies (x_r, y_r) = (x_q, y_q) \\[0.8ex] -(5)& x_q = 0 \implies (x_r, y_r) = (x_p, y_p) \\[0.8ex] -(6)& x_q = x_p \wedge y_q = -y_p \implies (x_r, y_r) = (0, 0) -\end{array} -$ - -#### Cases: - -$(x_p, y_p) + (x_q, y_q) = (x_r, y_r)$ - -Note that we rely on the fact that $0$ is not a valid $x$-coordinate or $y$-coordinate of a -point on the Pallas curve other than $\mathcal{O}$. - -* $(0, 0) + (0, 0)$ - - Completeness: - - $ - \begin{array}{cl} - (1)&\text{holds because } x_q = x_p \\ - (2)&\text{holds because } y_p = 0 \\ - (3)&\text{holds because } x_p = 0 \\ - (4)&\text{holds because } (x_r, y_r) = (x_q, y_q) = (0, 0) \\ - (5)&\text{holds because } (x_r, y_r) = (x_p, y_p) = (0, 0) \\ - (6)&\text{holds because } (x_r, y_r) = (0, 0). \\ - \end{array} - $ - - - Soundness: $(x_r, y_r) = (0, 0)$ is the only solution to $(6).$ - -* $(x, y) + (0, 0)$ for $(x, y) \neq (0, 0)$ - - Completeness: - - $ - \begin{array}{cl} - (1)&\text{holds because } x_q \neq x_p, \text{ therefore } \lambda = (y_q - y_p) / (x_q - x_p) \text{ is a solution} \\ - (2)&\text{holds because } x_q \neq x_p, \text{ therefore } \alpha = (x_q - x_p)^{-1} \text{ is a solution} \\ - (3)&\text{holds because } x_q = 0 \\ - (4)&\text{holds because } x_p \neq 0, \text{ therefore } \beta = x_p^{-1} \text{ is a solution} \\ - (5)&\text{holds because } (x_r, y_r) = (x_p, y_p) \\ - (6)&\text{holds because } x_q \neq x_p, \text{ therefore } \alpha = (x_q - x_p)^{-1} \text{ and } \delta = 0 \text{ is a solution.} - \end{array} - $ - - - Soundness: $(x_r, y_r) = (x_p, y_p)$ is the only solution to $(5).$ - -* $(0, 0) + (x, y)$ for $(x, y) \neq (0, 0)$ - - Completeness: - - $ - \begin{array}{cl} - (1)&\text{holds because } x_q \neq x_p, \text{ therefore } \lambda = (y_q - y_p) / (x_q - x_p) \text{ is a solution} \\ - (2)&\text{holds because } x_q \neq x_p, \text{ therefore } \alpha = (x_q - x_p)^{-1} \text{ is a solution} \\ - (3)&\text{holds because } x_p = 0 \\ - (4)&\text{holds because } x_p = 0 \text{ only when } (x_r, y_r) = (x_q, y_q) \\ - (5)&\text{holds because } x_q \neq 0, \text{ therefore } \gamma = x_q^{-1} \text{ is a solution}\\ - (6)&\text{holds because } x_q \neq x_p, \text{ therefore } \alpha = (x_q - x_p)^{-1} \text{ and } \delta = 0 \text{ is a solution.} - \end{array} - $ - - - Soundness: $(x_r, y_r) = (x_q, y_q)$ is the only solution to $(4).$ - -* $(x, y) + (x, y)$ for $(x, y) \neq (0, 0)$ - - Completeness: - - $ - \begin{array}{cl} - (1)&\text{holds because } x_q = x_p \\ - (2)&\text{holds because } x_q = x_p \wedge y_p \neq 0, \text{ therefore } \lambda = 3x_p^2 / 2y_p \text{ is a solution}\\ - (3)&\text{holds because } x_r = \lambda^2 - x_p - x_q \wedge y_r = \lambda \cdot (x_p - x_r) - y_p \text{ in this case} \\ - (4)&\text{holds because } x_p \neq 0, \text{ therefore } \beta = x_p^{-1} \text{ is a solution} \\ - (5)&\text{holds because } x_p \neq 0, \text{ therefore } \gamma = x_q^{-1} \text{ is a solution} \\ - (6)&\text{holds because } x_q = x_p \text{ and } y_q \neq -y_p, \text{ therefore } \alpha = 0 \text{ and } \delta = (y_q + y_p)^{-1} \text{ is a solution.} \\ - \end{array} - $ - - - Soundness: $\lambda$ is computed correctly, and $(x_r, y_r) = (\lambda^2 - x_p - x_q, \lambda \cdot (x_p - x_r) - y_p)$ is the only solution. - -* $(x, y) + (x, -y)$ for $(x, y) \neq (0, 0)$ - - Completeness: - - $ - \begin{array}{cl} - (1)&\text{holds because } x_q = x_p \\ - (2)&\text{holds because } x_q = x_p \wedge y_p \neq 0, \text{ therefore } \lambda = 3x_p^2 / 2y_p \text{ is a solution} \\ - &\text{(although } \lambda \text{ is not used in this case)} \\ - (3)&\text{holds because } x_q = x_p \text{ and } y_q = -y_p \\ - (4)&\text{holds because } x_p \neq 0, \text{ therefore } \beta = x_p^{-1} \text{ is a solution} \\ - (5)&\text{holds because } x_q \neq 0, \text{ therefore } \gamma = x_q^{-1} \text{ is a solution} \\ - (6)&\text{holds because } (x_r, y_r) = (0, 0) \\ - \end{array} - $ - - - Soundness: $(x_r, y_r) = (0, 0)$ is the only solution to $(6).$ - -* $(x_p, y_p) + (x_q, y_q)$ for $(x_p, y_p) \neq (0,0)$ and $(x_q, y_q) \neq (0, 0)$ and $x_p \neq x_q$ - - Completeness: - - $ - \begin{array}{cl} - (1)&\text{holds because } x_q \neq x_p, \text{ therefore } \lambda = (y_q - y_p) / (x_q - x_p) \text{ is a solution} \\ - (2)&\text{holds because } x_q \neq x_p, \text{ therefore } \alpha = (x_q - x_p)^{-1} \text{ is a solution} \\ - (3)&\text{holds because } x_r = \lambda^2 - x_p - x_q \wedge y_r = \lambda \cdot (x_p - x_r) - y_p \text{ in this case} \\ - (4)&\text{holds because } x_p \neq 0, \text{ therefore } \beta = x_p^{-1} \text{ is a solution} \\ - (5)&\text{holds because } x_q \neq 0, \text{ therefore } \gamma = x_q^{-1} \text{ is a solution} \\ - (6)&\text{holds because } x_q \neq x_p, \text{ therefore } \alpha = (x_q - x_p)^{-1} \text{ and } \delta = 0 \text{ is a solution.} - \end{array} - $ - - - Soundness: $\lambda$ is computed correctly, and $(x_r, y_r) = (\lambda^2 - x_p - x_q, \lambda \cdot (x_p - x_r) - y_p)$ is the only solution. diff --git a/book/src/design/gadgets/ecc/fixed-base-scalar-mul.md b/book/src/design/gadgets/ecc/fixed-base-scalar-mul.md deleted file mode 100644 index dbeece496d..0000000000 --- a/book/src/design/gadgets/ecc/fixed-base-scalar-mul.md +++ /dev/null @@ -1,189 +0,0 @@ -# Fixed-base scalar multiplication - -There are $6$ fixed bases in the Orchard protocol: -- $\mathcal{K}^{\mathsf{Orchard}}$, used in deriving the nullifier; -- $\mathcal{G}^{\mathsf{Orchard}}$, used in spend authorization; -- $\mathcal{R}$ base for $\mathsf{NoteCommit}^{\mathsf{Orchard}}$; -- $\mathcal{V}$ and $\mathcal{R}$ bases for $\mathsf{ValueCommit}^{\mathsf{Orchard}}$; and -- $\mathcal{R}$ base for $\mathsf{Commit}^{\mathsf{ivk}}$. -## Decompose scalar -We support fixed-base scalar multiplication with three types of scalars: -### Full-width scalar -A $255$-bit scalar from $\mathbb{F}_q$. We decompose a full-width scalar $\alpha$ into $85$ $3$-bit windows: - -$$\alpha = k_0 + k_1 \cdot (2^3)^1 + \cdots + k_{84} \cdot (2^3)^{84}, k_i \in [0..2^3).$$ - -The scalar multiplication will be computed correctly for $k_{0..84}$ representing any -integer in the range $[0, 2^{255})$ - that is, the scalar is allowed to be non-canonical. - -We range-constrain each $3$-bit word of the scalar decomposition using a polynomial range-check constraint: -$$ -\begin{array}{|c|l|} -\hline -\text{Degree} & \text{Constraint} \\\hline -9 & q_\texttt{mul\_fixed\_full} \cdot \RangeCheck{\text{word}}{2^3} = 0 \\\hline -\end{array} -$$ -where $\RangeCheck{\text{word}}{\texttt{range}} = \text{word} \cdot (1 - \text{word}) \cdots (\texttt{range} - 1 - \text{word}).$ - -### Base field element -We support using a base field element as the scalar in fixed-base multiplication. This occurs, for example, in the scalar multiplication for the nullifier computation of the Action circuit $\mathsf{DeriveNullifier_{nk}} = \mathsf{Extract}_\mathbb{P}\left(\left[(\mathsf{PRF_{nk}^{nfOrchard}}(\rho) + \psi) \bmod{q_\mathbb{P}}\right]\mathcal{K}^\mathsf{Orchard} + \mathsf{cm}\right)$: here, the scalar $$\left[(\mathsf{PRF_{nk}^{nfOrchard}}(\rho) + \psi) \bmod{q_\mathbb{P}}\right]$$ is the result of a base field addition. - -Decompose the base field element $\alpha$ into three-bit windows, and range-constrain each window, using the [short range decomposition](../decomposition.md#short-range-decomposition) gadget in strict mode, with $W = 85, K = 3.$ - -If $k_{0..84}$ is witnessed directly then no issue of canonicity arises. However, because the scalar is given as a base field element here, care must be taken to ensure a canonical representation, since $2^{255} > p$. That is, we must check that $0 \leq \alpha < p,$ where $p$ the is Pallas base field modulus $$p = 2^{254} + t_p = 2^{254} + 45560315531419706090280762371685220353.$$ Note that $t_p < 2^{130}.$ - -To do this, we decompose $\alpha$ into three pieces: $$\alpha = \alpha_0 \text{ (252 bits) } \,||\, \alpha_1 \text{ (2 bits) } \,||\, \alpha_2 \text{ (1 bit) }.$$ - -We check the correctness of this decomposition by: -$$ -\begin{array}{|c|l|} -\hline -\text{Degree} & \text{Constraint} \\\hline -5 & q_\text{canon-base-field} \cdot \RangeCheck{\alpha_1}{2^2} = 0 \\\hline -3 & q_\text{canon-base-field} \cdot \BoolCheck{\alpha_2} = 0 \\\hline -2 & q_\text{canon-base-field} \cdot \left(z_{84} - (\alpha_1 + \alpha_2 \cdot 2^2)\right) = 0 \\\hline -\end{array} -$$ -If the MSB $\alpha_2 = 0$ is not set, then $\alpha < 2^{254} < p.$ However, in the case where $\alpha_2 = 1$, we must check: -- $\alpha_2 = 1 \implies \alpha_1 = 0;$ -- $\alpha_2 = 1 \implies \alpha_0 < t_p$: - - $\alpha_2 = 1 \implies 0 \leq \alpha_0 < 2^{130}$, - - $\alpha_2 = 1 \implies 0 \leq \alpha_0 + 2^{130} - t_p < 2^{130}$ - -To check that $0 \leq \alpha_0 < 2^{130},$ we make use of the three-bit running sum decomposition: -- Firstly, we constrain $\alpha_0$ to be a $132$-bit value by enforcing its high $120$ bits to be all-zero. We can get $\textsf{alpha\_0\_hi\_120}$ from the decomposition: -$$ -\begin{aligned} -z_{44} &= k_{44} + 2^3 k_{45} + \cdots + 2^{3 \cdot (84 - 44)} k_{84}\\ -\implies \textsf{alpha\_0\_hi\_120} &= z_{44} - 2^{3 \cdot (84 - 44)} k_{84}\\ -&= z_{44} - 2^{3 \cdot (40)} z_{84}. -\end{aligned} -$$ -- Then, we constrain bits $130..\!\!=\!\!131$ of $\alpha_0$ to be zeroes; in other words, we constrain the three-bit word $k_{43} = \alpha[129..\!\!=\!\!131] = \alpha_0[129..\!\!=\!\!131] \in \{0, 1\}.$ We make use of the running sum decomposition to obtain $k_{43} = z_{43} - z_{44} \cdot 2^3.$ - -Define $\alpha'_0 = \alpha_0 + 2^{130} - t_p$. To check that $0 \leq \alpha'_0 < 2^{130},$ we use 13 ten-bit [lookups](../decomposition.md#lookup-decomposition), where we constrain the $z_{13}$ running sum output of the lookup to be $0$ if $\alpha_2 = 1.$ -$$ -\begin{array}{|c|l|l|} -\hline -\text{Degree} & \text{Constraint} & \text{Comment} \\\hline -2 & q_\text{canon-base-field} \cdot (\alpha_0' - (\alpha_0 + 2^{130} - t_\mathbb{P})) = 0 \\\hline -3 & q_\text{canon-base-field} \cdot \alpha_2 \cdot \alpha_1 = 0 & \alpha_2 = 1 \implies \alpha_1 = 0 \\\hline -3 & q_\text{canon-base-field} \cdot \alpha_2 \cdot \textsf{alpha\_0\_hi\_120} = 0 & \text{Constrain $\alpha_0$ to be a $132$-bit value} \\\hline -4 & q_\text{canon-base-field} \cdot \alpha_2 \cdot \BoolCheck{k_{43}} = 0 & \text{Constrain $\alpha_0[130..\!\!=\!\!131]$ to $0$} \\\hline -3 & q_\text{canon-base-field} \cdot \alpha_2 \cdot z_{13}(\texttt{lookup}(\alpha_0', 13)) = 0 & \alpha_2 = 1 \implies 0 \leq \alpha'_0 < 2^{130}\\\hline -\end{array} -$$ -### Short signed scalar -A short signed scalar is witnessed as a magnitude $m$ and sign $s$ such that -$$ -s \in \{-1, 1\} \\ -m \in [0, 2^{64}) \\ -\mathsf{v^{old}} - \mathsf{v^{new}} = s \cdot m. -$$ - -This is used for $\mathsf{ValueCommit^{Orchard}}$. We want to compute $\mathsf{ValueCommit^{Orchard}_{rcv}}(\mathsf{v^{old}} - \mathsf{v^{new}}) = [\mathsf{v^{old}} - \mathsf{v^{new}}] \mathcal{V} + [\mathsf{rcv}] \mathcal{R}$, where -$$ --(2^{64}-1) \leq \mathsf{v^{old}} - \mathsf{v^{new}} \leq 2^{64}-1 -$$ - -$\mathsf{v^{old}}$ and $\mathsf{v^{new}}$ are each already constrained to $64$ bits (by their use as inputs to $\mathsf{NoteCommit^{Orchard}}$). - -Decompose the magnitude $m$ into three-bit windows, and range-constrain each window, using the [short range decomposition](../decomposition.md#short-range-decomposition) gadget in strict mode, with $W = 22, K = 3.$ - - We have two additional constraints: -$$ -\begin{array}{|c|l|l|} -\hline -\text{Degree} & \text{Constraint} & \text{Comment} \\\hline -3 & q_\texttt{mul\_fixed\_short} \cdot \BoolCheck{k_{21}} = 0 & \text{The last window must be a single bit.}\\\hline -3 & q_\texttt{mul\_fixed\_short} \cdot \left(s^2 - 1\right) = 0 &\text{The sign must be $1$ or $-1$.}\\\hline -\end{array} -$$ -where $\BoolCheck{x} = x \cdot (1 - x)$. - -## Load fixed base -Then, we precompute multiples of the fixed base $B$ for each window. This takes the form of a window table: $M[0..W)[0..8)$ such that: - -- for the first (W-1) rows $M[0..(W-1))[0..8)$: $$M[w][k] = [(k+2) \cdot (2^3)^w]B$$ -- in the last row $M[W-1][0..8)$: $$M[w][k] = [k \cdot (2^3)^w - \sum\limits_{j=0}^{83} 2^{3j+1}]B$$ - -The additional $(k + 2)$ term lets us avoid adding the point at infinity in the case $k = 0$. We offset these accumulated terms by subtracting them in the final window, i.e. we subtract $\sum\limits_{j=0}^{W-2} 2^{3j+1}$. - -> Note: Although an offset of $(k + 1)$ would naively suffice, it introduces an edge case when $k_0 = 7, k_1= 0$. -> In this case, the window table entries evaluate to the same point: -> * $M[0][k_0] = [(7+1)*(2^3)^0]B = [8]B,$ -> * $M[1][k_1] = [(0+1)*(2^3)^1]B = [8]B.$ -> -> In fixed-base scalar multiplication, we sum the multiples of $B$ at each window (except the last) using incomplete addition. -> Since the point doubling case is not handled by incomplete addition, we avoid it by using an offset of $(k+2).$ - -For each window of fixed-base multiples $M[w] = (M[w][0], \cdots, M[w][7]), w \in [0..(W-1))$: -- Define a Lagrange interpolation polynomial $\mathcal{L}_x(k)$ that maps $k \in [0..8)$ to the $x$-coordinate of the multiple $M[w][k]$, i.e. - $$ - \mathcal{L}_x(k) = \begin{cases} - ([(k + 2) \cdot (2^3)^w] B)_x &\text{for } w \in [0..(W-1)); \\ - ([k \cdot (2^3)^w - \sum\limits_{j=0}^{83} 2^{3j+1}] B)_x &\text{for } w = 84; \text{ and} - \end{cases} - $$ -- Find a value $z_w$ such that $z_w + (M[w][k])_y$ is a square $u^2$ in the field, but the wrong-sign $y$-coordinate $z_w - (M[w][k])_y$ does not produce a square. - -Repeating this for all $W$ windows, we end up with: -- an $W \times 8$ table $\mathcal{L}_x$ storing $8$ coefficients interpolating the $x-$coordinate for each window. Each $x$-coordinate interpolation polynomial will be of the form -$$\mathcal{L}_x[w](k) = c_0 + c_1 \cdot k + c_2 \cdot k^2 + \cdots + c_7 \cdot k^7,$$ -where $k \in [0..8), w \in [0..85)$ and $c_k$'s are the coefficients for each power of $k$; and -- a length-$W$ array $Z$ of $z_w$'s. - -We load these precomputed values into fixed columns whenever we do fixed-base scalar multiplication in the circuit. - -## Fixed-base scalar multiplication -Given a decomposed scalar $\alpha$ and a fixed base $B$, we compute $[\alpha]B$ as follows: - -1. For each $k_w, w \in [0..85), k_w \in [0..8)$ in the scalar decomposition, witness the $x$- and $y$-coordinates $(x_w,y_w) = M[w][k_w].$ -2. Check that $(x_w, y_w)$ is on the curve: $y_w^2 = x_w^3 + b$. -3. Witness $u_w$ such that $y_w + z_w = u_w^2$. -4. For all windows but the last, use [incomplete addition](./incomplete-add.md) to sum the $M[w][k_w]$'s, resulting in $[\alpha - k_{84} \cdot (2^3)^{84} + \sum\limits_{j=0}^{83} 2^{3j+1}]B$. -5. For the last window, use complete addition $M[83][k_{83}] + M[84][k_{84}]$ and return the final result. - -> Note: complete addition is required in the final step to correctly map $[0]B$ to a representation of the point at infinity, $(0,0)$; and also to handle a corner case for which the last step is a doubling. - - Constraints: -$$ -\begin{array}{|c|l|} -\hline -\text{Degree} & \text{Constraint} \\\hline -8 & q_\text{mul-fixed} \cdot \left( \mathcal{L}_x[w](k_w) - x_w \right) = 0 \\\hline -4 & q_\text{mul-fixed} \cdot \left( y_w^2 - x_w^3 - b \right) = 0 \\\hline -3 & q_\text{mul-fixed} \cdot \left( u_w^2 - y_w - Z[w] \right) = 0 \\\hline -\end{array} -$$ - -where $b = 5$ (from the Pallas curve equation). - -### Signed short exponent -Recall that the signed short exponent is witnessed as a $64-$bit magnitude $m$, and a sign $s \in {1, -1}.$ Using the above algorithm, we compute $P = [m] \mathcal{B}$. Then, to get the final result $P',$ we conditionally negate $P$ using $(x, y) \mapsto (x, s \cdot y)$. - - Constraints: -$$ -\begin{array}{|c|l|} -\hline -\text{Degree} & \text{Constraint} \\\hline -3 & q_\texttt{mul\_fixed\_short} \cdot \left(P'_y - P_y\right) \cdot \left(P'_y + P_y\right) = 0 \\\hline -3 & q_\texttt{mul\_fixed\_short} \cdot \left(s \cdot P'_y - P_y\right) = 0 \\\hline -\end{array} -$$ - -## Layout - -$$ -\begin{array}{|c|c|c|c|c|c|c|c|} -\hline - x_P & y_P & x_{QR} & y_{QR} & u & \text{window} & L_{0..=7} & \textsf{fixed\_z} \\\hline -x_{P,0} & y_{P,0} & & & u_0 & \text{window}_0 & L_{0..=7,0} & \textsf{fixed\_z}_0 \\\hline -x_{P,1} & y_{P,1} & x_{Q,1} = x_{P,0} & y_{Q,1} = y_{P,0} & u_1 & \text{window}_1 & L_{0..=7,1} & \textsf{fixed\_z}_1 \\\hline -x_{P,2} & y_{P,2} & x_{Q,2} = x_{R,1} & y_{Q,2} = y_{R,1} & u_2 & \text{window}_2 & L_{0..=7,1} & \textsf{fixed\_z}_2 \\\hline -\vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots \\\hline -\end{array} -$$ - -Note: this doesn't include the last row that uses [complete addition](./addition.md#Complete-addition). In the implementation this is allocated in a different region. diff --git a/book/src/design/gadgets/ecc/var-base-scalar-mul.md b/book/src/design/gadgets/ecc/var-base-scalar-mul.md deleted file mode 100644 index 84ef5ab3dc..0000000000 --- a/book/src/design/gadgets/ecc/var-base-scalar-mul.md +++ /dev/null @@ -1,394 +0,0 @@ -# Variable-base scalar multiplication - -In the Orchard circuit we need to check $\mathsf{pk_d} = [\mathsf{ivk}] \mathsf{g_d}$ where $\mathsf{ivk} \in [0, p)$ and the scalar field is $\mathbb{F}_q$ with $p < q$. - -We have $p = 2^{254} + t_p$ and $q = 2^{254} + t_q$, for $t_p, t_q < 2^{128}$. - -## Witness scalar -We're trying to compute $[\alpha] T$ for $\alpha \in [0, q)$. Set $k = \alpha + t_q$ and $n = 254$. Then we can compute - -$\begin{array}{cl} -[2^{254} + (\alpha + t_q)] T &= [2^{254} + (\alpha + t_q) - (2^{254} + t_q)] T \\ - &= [\alpha] T -\end{array}$ - -provided that $\alpha + t_q \in [0, 2^{n+1})$, i.e. $\alpha < 2^{n+1} - t_q$ which covers the whole range we need because in fact $2^{255} - t_q > q$. - -Thus, given a scalar $\alpha$, we witness the boolean decomposition of $k = \alpha + t_q.$ (We use big-endian bit order for convenient input into the variable-base scalar multiplication algorithm.) - -$$k = k_{254} \cdot 2^{254} + k_{253} \cdot 2^{253} + \cdots + k_0.$$ - -## Variable-base scalar multiplication -We use an optimized double-and-add algorithm, copied from ["Faster variable-base scalar multiplication in zk-SNARK circuits"](https://github.com/zcash/zcash/issues/3924) with some variable name changes: - -```ignore -Acc := [2] T -for i from n-1 down to 0 { - P := k_{i+1} ? T : −T - Acc := (Acc + P) + Acc -} -return (k_0 = 0) ? (Acc - T) : Acc -``` - -It remains to check that the x-coordinates of each pair of points to be added are distinct. - -When adding points in a prime-order group, we can rely on Theorem 3 from Appendix C of the [Halo paper](https://eprint.iacr.org/2019/1021.pdf), which says that if we have two such points with nonzero indices wrt a given odd-prime order base, where the indices taken in the range $-(q-1)/2..(q-1)/2$ are distinct disregarding sign, then they have different x-coordinates. This is helpful, because it is easier to reason about the indices of points occurring in the scalar multiplication algorithm than it is to reason about their x-coordinates directly. - -So, the required check is equivalent to saying that the following "indexed version" of the above algorithm never asserts: - -```ignore -acc := 2 -for i from n-1 down to 0 { - p = k_{i+1} ? 1 : −1 - assert acc ≠ ± p - assert (acc + p) ≠ acc // X - acc := (acc + p) + acc - assert 0 < acc ≤ (q-1)/2 -} -if k_0 = 0 { - assert acc ≠ 1 - acc := acc - 1 -} -``` - -The maximum value of `acc` is: -```ignore - <--- n 1s ---> - 1011111...111111 -= 1100000...000000 - 1 -``` -= $2^{n+1} + 2^n - 1$ - -> The assertion labelled X obviously cannot fail because $p \neq 0$. It is possible to see that acc is monotonically increasing except in the last conditional. It reaches its largest value when $k$ is maximal, i.e. $2^{n+1} + 2^n - 1$. - -So to entirely avoid exceptional cases, we would need $2^{n+1} + 2^n - 1 < (q-1)/2$. But we can use $n$ larger by $c$ if the last $c$ iterations use [complete addition](./addition.md#Complete-addition). - -The first $i$ for which the algorithm using **only** incomplete addition fails is going to be $252$, since $2^{252+1} + 2^{252} - 1 > (q - 1)/2$. We need $n = 254$ to make the wraparound technique above work. - -```python -sage: q = 0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001 -sage: 2^253 + 2^252 - 1 < (q-1)//2 -False -sage: 2^252 + 2^251 - 1 < (q-1)//2 -True -``` - -So the last three iterations of the loop ($i = 2..0$) need to use [complete addition](./addition.md#Complete-addition), as does the conditional subtraction at the end. Writing this out using ⸭ for incomplete addition (as we do in the spec), we have: - -```ignore -Acc := [2] T -for i from 253 down to 3 { - P := k_{i+1} ? T : −T - Acc := (Acc ⸭ P) ⸭ Acc -} -for i from 2 down to 0 { - P := k_{i+1} ? T : −T - Acc := (Acc + P) + Acc // complete addition -} -return (k_0 = 0) ? (Acc + (-T)) : Acc // complete addition -``` - -## Constraint program for optimized double-and-add -Define a running sum $\mathbf{z_j} = \sum_{i=j}^{n} (\mathbf{k}_{i} \cdot 2^{i-j})$, where $n = 254$ and: - -$$ -\begin{aligned} - &\mathbf{z}_{n+1} = 0,\\ - &\mathbf{z}_{n} = \mathbf{k}_{n}, \hspace{2em}\text{(most significant bit)}\\ - &\mathbf{z}_0 = k.\\ -\end{aligned} -$$ - -$\begin{array}{l} -\text{Initialize } A_{254} = [2] T. \\ -\\ -\text{for } i \text{ from } 254 \text{ down to } 4: \\ -\hspace{1.5em} \BoolCheck{\mathbf{k}_i} = 0 \\ -\hspace{1.5em} \mathbf{z}_{i} = 2\mathbf{z}_{i+1} + \mathbf{k}_{i} \\ -\hspace{1.5em} x_{P,i} = x_T \\ -\hspace{1.5em} y_{P,i} = (2 \mathbf{k}_i - 1) \cdot y_T \hspace{2em}\text{(conditionally negate)} \\ -\hspace{1.5em} \lambda_{1,i} \cdot (x_{A,i} - x_{P,i}) = y_{A,i} - y_{P,i} \\ -\hspace{1.5em} x_{R,i} = \lambda_{1,i}^2 - x_{A,i} - x_{P,i} \\ -\hspace{1.5em} (\lambda_{1,i} + \lambda_{2,i}) \cdot (x_{A,i} - x_{R,i}) = 2 y_{\mathsf{A},i} \\ -\hspace{1.5em} \lambda_{2,i}^2 = x_{A,i-1} + x_{R,i} + x_{A,i} \\ -\hspace{1.5em} \lambda_{2,i} \cdot (x_{A,i} - x_{A,i-1}) = y_{A,i} + y_{A,i-1}. \\ -\end{array}$ - -The helper $\BoolCheck{x} = x \cdot (1 - x)$. -After substitution of $x_{P,i}, y_{P,i}, x_{R,i}, y_{A,i}$, and $y_{A,i-1}$, this becomes: - -$\begin{array}{l} -\text{Initialize } A_{254} = [2] T. \\ -\\ -\text{for } i \text{ from } 254 \text{ down to } 4: \\ -\hspace{1.5em} \text{// let } \mathbf{k}_{i} = \mathbf{z}_{i} - 2\mathbf{z}_{i+1} \\ -\hspace{1.5em} \text{// let } y_{A,i} = \frac{(\lambda_{1,i} + \lambda_{2,i}) \cdot (x_{A,i} - (\lambda_{1,i}^2 - x_{A,i} - x_T))}{2} \\[2ex] -\hspace{1.5em} \BoolCheck{\mathbf{k}_i} = 0 \\ -\hspace{1.5em} \lambda_{1,i} \cdot (x_{A,i} - x_T) = y_{A,i} - (2 \mathbf{k}_i - 1) \cdot y_T \\ -\hspace{1.5em} \lambda_{2,i}^2 = x_{A,i-1} + \lambda_{1,i}^2 - x_T \\[1ex] -\hspace{1.5em} \begin{cases} - \lambda_{2,i} \cdot (x_{A,i} - x_{A,i-1}) = y_{A,i} + y_{A, i-1}, &\text{if } i > 4 \\[0.5ex] - \lambda_{2,4} \cdot (x_{A,4} - x_{A,3}) = y_{A,4} + y_{A,3}^\text{witnessed}, &\text{if } i = 4. - \end{cases} -\end{array}$ - -Here, $y_{A,3}^\text{witnessed}$ is assigned to a cell. This is unlike previous $y_{A,i}$'s, which were implicitly derived from $\lambda_{1,i}, \lambda_{2,i}, x_{A,i}, x_T$, but never actually assigned. - -The bits $\mathbf{k}_{3 \dots 1}$ are used in three further steps, using [complete addition](./addition.md#Complete-addition): - -$\begin{array}{l} -\text{for } i \text{ from } 3 \text{ down to } 1: \\ -\hspace{1.5em} \text{// let } \mathbf{k}_{i} = \mathbf{z}_{i} - 2\mathbf{z}_{i+1} \\[0.5ex] -\hspace{1.5em} \BoolCheck{\mathbf{k}_i} = 0 \\ -\hspace{1.5em} (x_{A,i-1}, y_{A,i-1}) = \left((x_{A,i}, y_{A,i}) + (x_T, y_T)\right) + (x_{A,i}, y_{A,i}) -\end{array}$ - -If the least significant bit $\mathbf{k_0} = 1,$ we set $B = \mathcal{O},$ otherwise we set ${B = -T}$. Then we return ${A + B}$ using complete addition. - -Let $B = \begin{cases} -(0, 0), &\text{ if } \mathbf{k_0} = 1, \\ -(x_T, -y_T), &\text{ otherwise.} -\end{cases}$ - -Output $(x_{A,0}, y_{A,0}) + B$. - -(Note that $(0, 0)$ represents $\mathcal{O}$.) - -## Incomplete addition - -We need six advice columns to witness $(x_T, y_T, \lambda_1, \lambda_2, x_{A,i}, \mathbf{z}_i)$. However, since $(x_T, y_T)$ are the same, we can perform two incomplete additions in a single row, reusing the same $(x_T, y_T)$. We split the scalar bits used in incomplete addition into $hi$ and $lo$ halves and process them in parallel. This means that we effectively have two for loops: -- the first, covering the $hi$ half for $i$ from $254$ down to $130$, with a special case at $i = 130$; and -- the second, covering the $lo$ half for the remaining $i$ from $129$ down to $4$, with a special case at $i = 4$. - -$$ -\begin{array}{|c|c|c|c|c|c|c|c|c|c|c|c|c|c|c|c|} -\hline - x_T & y_T & z^{hi} & x_A^{hi} & \lambda_1^{hi} & \lambda_2^{hi} & q_1^{hi} & q_2^{hi} & q_3^{hi} & z^{lo} & x_A^{lo} & \lambda_1^{lo} & \lambda_2^{lo} & q_1^{lo} & q_2^{lo} & q_3^{lo} \\\hline - & & \mathbf{z}_{255} = 0 & & y_{A,254}=2[T]_y & & 1 & 0 & 0 & \mathbf{z}_{130} & & y_{A,129} & & 1 & 0 & 0 \\\hline - x_T & y_T & \mathbf{z}_{254} & x_{A,254} = 2[T]_x & \lambda_{1,254} & \lambda_{2,254} & 0 & 1 & 0 & \mathbf{z}_{129} & x_{A,129} & \lambda_{1,129} & \lambda_{2,129} & 0 & 1 & 0 \\\hline - x_T & y_T & \mathbf{z}_{253} & x_{A,253} & \lambda_{1,253} & \lambda_{2,253} & 0 & 1 & 0 & \mathbf{z}_{128} & x_{A,128} & \lambda_{1,128} & \lambda_{2,128} & 0 & 1 & 0 \\\hline - \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots \\\hline - x_T & y_T & \mathbf{z}_{130} & x_{A,130} & \lambda_{1,130} & \lambda_{2,130} & 0 & 0 & 1 & \mathbf{z}_5 & x_{A,5} & \lambda_{1,5} & \lambda_{2,5} & 0 & 1 & 0 \\\hline - x_T & y_T & & x_{A,129} & y_{A,129} & & & & & \mathbf{z}_4 & x_{A,4} & \lambda_{1,4} & \lambda_{2,4} & 0 & 0 & 1 \\\hline - & & & & & & & & & & x_{A,3} & y_{A,3} & & & & \\\hline - -\end{array} -$$ - -For each $hi$ and $lo$ half, we have three sets of gates. Note that $i$ is going from $255..=3$; $i$ is NOT indexing the rows. - -### $q_1 = 1$ -This gate is only used on the first row (before the for loop). We check that $\lambda_1, \lambda_2$ are initialized to values consistent with the initial $y_A.$ -$$ -\begin{array}{|c|l|} -\hline -\text{Degree} & \text{Constraint} \\\hline -4 & q_1 \cdot \left(y_{A,n}^\text{witnessed} - y_{A,n}\right) = 0 \\\hline -\end{array} -$$ -where -$$ -\begin{aligned} -y_{A,n} &= \frac{(\lambda_{1,n} + \lambda_{2,n}) \cdot (x_{A,n} - (\lambda_{1,n}^2 - x_{A,n} - x_T))}{2},\\ -y_{A,n}^\text{witnessed} &\text{ is witnessed.} -\end{aligned} -$$ - -### $q_2 = 1$ -This gate is used on all rows corresponding to the for loop except the last. - -$$ -\begin{array}{|c|l|} -\hline -\text{Degree} & \text{Constraint} \\\hline -2 & q_2 \cdot \left(x_{T,cur} - x_{T,next}\right) = 0 \\\hline -2 & q_2 \cdot \left(y_{T,cur} - y_{T,next}\right) = 0 \\\hline -3 & q_2 \cdot \BoolCheck{\mathbf{k}_i} = 0, \text{ where } \mathbf{k}_i = \mathbf{z}_{i} - 2\mathbf{z}_{i+1} \\\hline -4 & q_2 \cdot \left(\lambda_{1,i} \cdot (x_{A,i} - x_{T,i}) - y_{A,i} + (2\mathbf{k}_i - 1) \cdot y_{T,i}\right) = 0 \\\hline -3 & q_2 \cdot \left(\lambda_{2,i}^2 - x_{A,i-1} - x_{R,i} - x_{A,i}\right) = 0 \\\hline -3 & q_2 \cdot \left(\lambda_{2,i} \cdot (x_{A,i} - x_{A,i-1}) - y_{A,i} - y_{A,i-1}\right) = 0 \\\hline -\end{array} -$$ -where -$$ -\begin{aligned} -x_{R,i} &= \lambda_{1,i}^2 - x_{A,i} - x_T, \\ -y_{A,i} &= \frac{(\lambda_{1,i} + \lambda_{2,i}) \cdot (x_{A,i} - (\lambda_{1,i}^2 - x_{A,i} - x_T))}{2}, \\ -y_{A,i-1} &= \frac{(\lambda_{1,i-1} + \lambda_{2,i-1}) \cdot (x_{A,i-1} - (\lambda_{1,i-1}^2 - x_{A,i-1} - x_T))}{2}, \\ -\end{aligned} -$$ - -### $q_3 = 1$ -This gate is used on the final iteration of the for loop, handling the special case where we check that the output $y_A$ has been witnessed correctly. -$$ -\begin{array}{|c|l|} -\hline -\text{Degree} & \text{Constraint} \\\hline -3 & q_3 \cdot \BoolCheck{\mathbf{k}_i} = 0, \text{ where } \mathbf{k}_i = \mathbf{z}_{i} - 2\mathbf{z}_{i+1} \\\hline -4 & q_3 \cdot \left(\lambda_{1,i} \cdot (x_{A,i} - x_{T,i}) - y_{A,i} + (2\mathbf{k}_i - 1) \cdot y_{T,i}\right) = 0 \\\hline -3 & q_3 \cdot \left(\lambda_{2,i}^2 - x_{A,i-1} - x_{R,i} - x_{A,i}\right) = 0 \\\hline -3 & q_3 \cdot \left(\lambda_{2,i} \cdot (x_{A,i} - x_{A,i-1}) - y_{A,i} - y_{A,i-1}^\text{witnessed}\right) = 0 \\\hline -\end{array} -$$ -where -$$ -\begin{aligned} -x_{R,i} &= \lambda_{1,i}^2 - x_{A,i} - x_T, \\ -y_{A,i} &= \frac{(\lambda_{1,i} + \lambda_{2,i}) \cdot (x_{A,i} - (\lambda_{1,i}^2 - x_{A,i} - x_T))}{2},\\ -y_{A,i-1}^\text{witnessed} &\text{ is witnessed.} -\end{aligned} -$$ - -## Complete addition - -We reuse the [complete addition](addition.md#complete-addition) constraints to implement -the final $c$ rounds of double-and-add. This requires two rows per round because we need -9 advice columns for each complete addition. In the 10th advice column we stash the other -cells that we need to correctly implement the double-and-add: - -- The base $y$ coordinate, so we can conditionally negate it as input to one of the - complete additions. -- The running sum, which we constrain over two rows instead of sequentially. - -### Layout - -$$ -\begin{array}{|c|c|c|c|c|c|c|c|c|c|c|} -a_0 & a_1 & a_2 & a_3 & a_4 & a_5 & a_6 & a_7 & a_8 & a_9 & q_\texttt{mul\_decompose\_var} \\\hline -x_T & y_p & x_A & y_A & \lambda_1 & \alpha_1 & \beta_1 & \gamma_1 & \delta_1 & z_{i+1} & 0 \\\hline -x_A & y_A & x_q & y_q & \lambda_2 & \alpha_2 & \beta_2 & \gamma_2 & \delta_2 & y_T & 1 \\\hline - & & x_r & y_r & & & & & & z_i & 0 \\\hline -\end{array} -$$ - -### Constraints - -In addition to the complete addition constraints, we define the following gate: - -$$ -\begin{array}{|c|l|} -\hline -\text{Degree} & \text{Constraint} \\\hline - & q_\texttt{mul\_decompose\_var} \cdot \BoolCheck{\mathbf{k}_i} = 0 \\\hline - & q_\texttt{mul\_decompose\_var} \cdot \Ternary{\mathbf{k}_i}{y_T - y_p}{y_T + y_p} = 0 \\\hline -\end{array} -$$ -where $\mathbf{k}_i = \mathbf{z}_{i} - 2\mathbf{z}_{i+1}$. - -## LSB - -### Layout - -$$ -\begin{array}{|c|c|c|c|c|c|c|c|c|c|c|} -a_0 & a_1 & a_2 & a_3 & a_4 & a_5 & a_6 & a_7 & a_8 & a_9 & q_\texttt{mul\_lsb} \\\hline -x_p & y_p & x_A & y_A & \lambda & \alpha & \beta & \gamma & \delta & z_1 & 1 \\\hline -x_T & y_T & x_r & y_r & & & & & & z_0 & 0 \\\hline -\end{array} -$$ - -### Constraints - -$$ -\begin{array}{|c|l|} -\hline -\text{Degree} & \text{Constraint} \\\hline - & q_\texttt{mul\_lsb} \cdot \BoolCheck{\mathbf{k}_0} = 0 \\\hline - & q_\texttt{mul\_lsb} \cdot \Ternary{\mathbf{k}_0}{x_p}{x_p - x_T} = 0 \\\hline - & q_\texttt{mul\_lsb} \cdot \Ternary{\mathbf{k}_0}{y_p}{y_p + y_T} = 0 \\\hline -\end{array} -$$ -where $\mathbf{k}_0 = \mathbf{z}_0 - 2\mathbf{z}_1$. - -## Overflow check - -$\mathbf{z}_i$ cannot overflow for any $i \geq 1$, because it is a weighted sum of bits only up to $2^{n-1} = 2^{253}$, which is smaller than $p$ (and also $q$). - -However, $\mathbf{z}_0 = \alpha + t_q$ *can* overflow $[0, p)$. - -Since overflow can only occur in the final step that constrains $\mathbf{z}_0 = 2 \cdot \mathbf{z}_1 + \mathbf{k}_0$, we have $\mathbf{z}_0 = k \pmod{p}$. It is then sufficient to also check that $\mathbf{z}_0 = \alpha + t_q \pmod{p}$ (so that $k = \alpha + t_q \pmod{p}$) and that $k \in [t_q, p + t_q)$. These conditions together imply that $k = \alpha + t_q$ as an integer, and so $2^{254} + k = \alpha \pmod{q}$ as required. - -> Note: the bits $\mathbf{k}_{254..0}$ do not represent a value reduced modulo $q$, but rather a representation of the unreduced $\alpha + t_q$. - -### Optimized check for $k \in [t_q, p + t_q)$ - -Since $t_p + t_q < 2^{130}$, we have $$[t_q, p + t_q) = [t_q, t_q + 2^{130}) \;\cup\; [2^{130}, 2^{254}) \;\cup\; \big([2^{254}, 2^{254} + 2^{130}) \;\cap\; [p + t_q - 2^{130}, p + t_q)\big).$$ - -We may assume that $k = \alpha + t_q \pmod{p}$. - -Therefore, -$\begin{array}{rcl} -k \in [t_q, p + t_q) &\Leftrightarrow& \big(k \in [t_q, t_q + 2^{130}) \;\vee\; k \in [2^{130}, 2^{254})\big) \;\vee\; \\ - & & \big(k \in [2^{254}, 2^{254} + 2^{130}) \;\wedge\; k \in [p + t_q - 2^{130}, p + t_q)\big) \\ - \\ - &\Leftrightarrow& \big(\mathbf{k}_{254} = 0 \implies (k \in [t_q, t_q + 2^{130}) \;\vee\; k \in [2^{130}, 2^{254}))\big) \;\wedge \\ - & & \big(\mathbf{k}_{254} = 1 \implies (k \in [2^{254}, 2^{254} + 2^{130}) \;\wedge\; k \in [p + t_q - 2^{130}, p + t_q)\big) \\ - \\ - &\Leftrightarrow& \big(\mathbf{k}_{254} = 0 \implies (\alpha \in [0, 2^{130}) \;\vee\; k \in [2^{130}, 2^{254})\big) \;\wedge \\ - & & \big(\mathbf{k}_{254} = 1 \implies (k \in [2^{254}, 2^{254} + 2^{130}) \;\wedge\; (\alpha + 2^{130}) \bmod p \in [0, 2^{130}))\big) \;\;Ⓐ -\end{array}$ - -> Given $k \in [2^{254}, 2^{254} + 2^{130})$, we prove equivalence of $k \in [p + t_q - 2^{130}, p + t_q)$ and $(\alpha + 2^{130}) \bmod p \in [0, 2^{130})$ as follows: -> * shift the range by $2^{130} - p - t_q$ to give $k + 2^{130} - p - t_q \in [0, 2^{130})$; -> * observe that $k + 2^{130} - p - t_q$ is guaranteed to be in $[2^{130} - t_p - t_q, 2^{131} - t_p - t_q)$ and therefore cannot overflow or underflow modulo $p$; -> * using the fact that $k = \alpha + t_q \pmod{p}$, observe that $(k + 2^{130} - p - t_q) \bmod p = (\alpha + t_q + 2^{130} - p - t_q) \bmod p = (\alpha + 2^{130}) \bmod p$. -> -> (We can see in a different way that this is correct by observing that it checks whether $\alpha \bmod p \in [p - 2^{130}, p)$, so the upper bound is aligned as we would expect.) - -Now, we can continue optimizing from $Ⓐ$: - -$\begin{array}{rcl} -k \in [t_q, p + t_q) &\Leftrightarrow& \big(\mathbf{k}_{254} = 0 \implies (\alpha \in [0, 2^{130}) \;\vee\; k \in [2^{130}, 2^{254})\big) \;\wedge \\ - & & \big(\mathbf{k}_{254} = 1 \implies (k \in [2^{254}, 2^{254} + 2^{130}) \;\wedge\; (\alpha + 2^{130}) \bmod p \in [0, 2^{130}))\big) \\ - \\ - &\Leftrightarrow& \big(\mathbf{k}_{254} = 0 \implies (\alpha \in [0, 2^{130}) \;\vee\; \mathbf{k}_{253..130} \text{ are not all } 0)\big) \;\wedge \\ - & & \big(\mathbf{k}_{254} = 1 \implies (\mathbf{k}_{253..130} \text{ are all } 0 \;\wedge\; (\alpha + 2^{130}) \bmod p \in [0, 2^{130}))\big) -\end{array}$ - -Constraining $\mathbf{k}_{253..130}$ to be all-$0$ or not-all-$0$ can be implemented almost "for free", as follows. - -Recall that $\mathbf{z}_i = \sum_{h=i}^{n} (\mathbf{k}_{h} \cdot 2^{h-i})$, so we have: - -$\begin{array}{rcl} - \mathbf{z}_{130} &=& \sum_{h=130}^{254} (\mathbf{k}_h \cdot 2^{h-130}) \\ - \mathbf{z}_{130} &=& \mathbf{k}_{254} \cdot 2^{254-130} + \sum_{h=130}^{253} (\mathbf{k}_h \cdot 2^{h-130}) \\ -\mathbf{z}_{130} - \mathbf{k}_{254} \cdot 2^{124} &=& \sum_{h=130}^{253} (\mathbf{k}_h \cdot 2^{h-130}) -\end{array}$ - -So $\mathbf{k}_{253..130}$ are all $0$ exactly when $\mathbf{z}_{130} = \mathbf{k}_{254} \cdot 2^{124}$. - -Finally, we can merge the $130$-bit decompositions for the $\mathbf{k}_{254} = 0$ and $\mathbf{k}_{254} = 1$ cases by checking that $(\alpha + \mathbf{k}_{254} \cdot 2^{130}) \bmod p \in [0, 2^{130})$. - -### Overflow check constraints - -Let $s = \alpha + \mathbf{k}_{254} \cdot 2^{130}$. The constraints for the overflow check are: - -$$ -\begin{aligned} -\mathbf{z}_0 &= \alpha + t_q \pmod{p} \\ -\mathbf{k}_{254} = 1 \implies \big(\mathbf{z}_{130} &= 2^{124} \;\wedge\; s \bmod p \in [0, 2^{130})\big) \\ -\mathbf{k}_{254} = 0 \implies \big(\mathbf{z}_{130} &\neq 0 \;\vee\; s \bmod p \in [0, 2^{130})\big) -\end{aligned} -$$ - -Define $\mathsf{inv0}(x) = \begin{cases} 0, &\text{if } x = 0 \\ 1/x, &\text{otherwise.} \end{cases}$ - -Witness $\eta = \mathsf{inv0}(\mathbf{z}_{130})$, and decompose $s \bmod p$ as $\mathbf{s}_{129..0}$. - -Then the needed gates are: - -$$ -\begin{array}{|c|l|} -\hline -\text{Degree} & \text{Constraint} \\\hline -2 & q_\texttt{mul\_overflow} \cdot \left(s - (\alpha + \mathbf{k}_{254} \cdot 2^{130})\right) = 0 \\\hline -2 & q_\texttt{mul\_overflow} \cdot \left(\mathbf{z}_0 - \alpha - t_q\right) = 0 \\\hline -3 & q_\texttt{mul\_overflow} \cdot \left(\mathbf{k}_{254} \cdot (\mathbf{z}_{130} - 2^{124})\right) = 0 \\\hline -3 & q_\texttt{mul\_overflow} \cdot \left(\mathbf{k}_{254} \cdot (s - \sum\limits_{i=0}^{129} 2^i \cdot \mathbf{s}_i)/2^{130}\right) = 0 \\\hline -5 & q_\texttt{mul\_overflow} \cdot \left((1 - \mathbf{k}_{254}) \cdot (1 - \mathbf{z}_{130} \cdot \eta) \cdot (s - \sum\limits_{i=0}^{129} 2^i \cdot \mathbf{s}_i)/2^{130}\right) = 0 \\\hline -\end{array} -$$ -where $(s - \sum\limits_{i=0}^{129} 2^i \cdot \mathbf{s}_i)/2^{130}$ can be computed by another running sum. Note that the factor of $1/2^{130}$ has no effect on the constraint, since the RHS is zero. - -#### Running sum range check -We make use of a $10$-bit [lookup range check](../decomposition.md#lookup-decomposition) in the circuit to subtract the low $130$ bits of $\mathbf{s}$. The range check subtracts the first $13 \cdot 10$ bits of $\mathbf{s},$ and right-shifts the result to give $(s - \sum\limits_{i=0}^{129} 2^i \cdot \mathbf{s}_i)/2^{130}.$ diff --git a/book/src/design/gadgets/ecc/witnessing-points.md b/book/src/design/gadgets/ecc/witnessing-points.md deleted file mode 100644 index 1159f37d16..0000000000 --- a/book/src/design/gadgets/ecc/witnessing-points.md +++ /dev/null @@ -1,35 +0,0 @@ -# Witnessing points - -We represent elliptic curve points in the circuit in their affine representation $(x, y)$. -The identity is represented as the pseudo-coordinate $(0, 0)$, which we -[assume](../ecc.md#chip-assumptions) is not a valid point on the curve. - -## Non-identity points - -To constrain a coordinate pair $(x, y)$ as representing a valid point on the curve, we -directly check the curve equation. For Pallas and Vesta, this is: - -$$y^2 = x^3 + 5$$ - -$$ -\begin{array}{|c|l|} -\hline -\text{Degree} & \text{Constraint} \\\hline -4 & q_\text{point}^\text{non-id} \cdot (y^2 - x^3 - 5) = 0 \\\hline -\end{array} -$$ - -## Points including the identity - -To allow $(x, y)$ to represent either a valid point on the curve, or the pseudo-coordinate -$(0, 0)$, we define a separate gate that enforces the curve equation check unless both $x$ -and $y$ are zero. - -$$ -\begin{array}{|c|l|} -\hline -\text{Degree} & \text{Constraint} \\\hline -5 & (q_\text{point} \cdot x) \cdot (y^2 - x^3 - 5) = 0 \\\hline -5 & (q_\text{point} \cdot y) \cdot (y^2 - x^3 - 5) = 0 \\\hline -\end{array} -$$ diff --git a/book/src/design/gadgets/sha256.md b/book/src/design/gadgets/sha256.md deleted file mode 100644 index eb9489bf7a..0000000000 --- a/book/src/design/gadgets/sha256.md +++ /dev/null @@ -1,65 +0,0 @@ -# SHA-256 - -## Specification - -SHA-256 is specified in [NIST FIPS PUB 180-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf). - -Unlike the specification, we use $\boxplus$ for addition modulo $2^{32}$, and $+$ for -field addition. $\oplus$ is used for XOR. - -## Gadget interface - -SHA-256 maintains state in eight 32-bit variables. It processes input as 512-bit blocks, -but internally splits these blocks into 32-bit chunks. We therefore designed the SHA-256 -gadget to consume input in 32-bit chunks. - -## Chip instructions - -The SHA-256 gadget requires a chip with the following instructions: - -```rust -# extern crate halo2_proofs; -# use halo2_proofs::plonk::Error; -# use std::fmt; -# -# trait Chip: Sized {} -# trait Layouter {} -const BLOCK_SIZE: usize = 16; -const DIGEST_SIZE: usize = 8; - -pub trait Sha256Instructions: Chip { - /// Variable representing the SHA-256 internal state. - type State: Clone + fmt::Debug; - /// Variable representing a 32-bit word of the input block to the SHA-256 compression - /// function. - type BlockWord: Copy + fmt::Debug; - - /// Places the SHA-256 IV in the circuit, returning the initial state variable. - fn initialization_vector(layouter: &mut impl Layouter) -> Result; - - /// Starting from the given initial state, processes a block of input and returns the - /// final state. - fn compress( - layouter: &mut impl Layouter, - initial_state: &Self::State, - input: [Self::BlockWord; BLOCK_SIZE], - ) -> Result; - - /// Converts the given state into a message digest. - fn digest( - layouter: &mut impl Layouter, - state: &Self::State, - ) -> Result<[Self::BlockWord; DIGEST_SIZE], Error>; -} -``` - -TODO: Add instruction for computing padding. - -This set of instructions was chosen to strike a balance between the reusability of the -instructions, and the scope for chips to internally optimise them. In particular, we -considered splitting the compression function into its constituent parts (Ch, Maj etc), -and providing a compression function gadget that implemented the round logic. However, -this would prevent chips from using relative references between the various parts of a -compression round. Having an instruction that implements all compression rounds is also -similar to the Intel SHA extensions, which provide an instruction that performs multiple -compression rounds. diff --git a/book/src/design/gadgets/sha256/bit_reassignment.png b/book/src/design/gadgets/sha256/bit_reassignment.png deleted file mode 100644 index faf495c777..0000000000 Binary files a/book/src/design/gadgets/sha256/bit_reassignment.png and /dev/null differ diff --git a/book/src/design/gadgets/sha256/compression.png b/book/src/design/gadgets/sha256/compression.png deleted file mode 100644 index fc0c4a3909..0000000000 Binary files a/book/src/design/gadgets/sha256/compression.png and /dev/null differ diff --git a/book/src/design/gadgets/sha256/low_sigma_0.png b/book/src/design/gadgets/sha256/low_sigma_0.png deleted file mode 100644 index 60a3236869..0000000000 Binary files a/book/src/design/gadgets/sha256/low_sigma_0.png and /dev/null differ diff --git a/book/src/design/gadgets/sha256/low_sigma_1.png b/book/src/design/gadgets/sha256/low_sigma_1.png deleted file mode 100644 index 16241827a3..0000000000 Binary files a/book/src/design/gadgets/sha256/low_sigma_1.png and /dev/null differ diff --git a/book/src/design/gadgets/sha256/table16.md b/book/src/design/gadgets/sha256/table16.md deleted file mode 100644 index 00c1ad6692..0000000000 --- a/book/src/design/gadgets/sha256/table16.md +++ /dev/null @@ -1,899 +0,0 @@ -# 16-bit table chip for SHA-256 - -This chip implementation is based around a single 16-bit lookup table. It requires a -minimum of $2^{16}$ circuit rows, and is therefore suitable for use in larger circuits. - -We target a maximum constraint degree of $9$. That will allow us to handle constraining -carries and "small pieces" to a range of up to $\{0..7\}$ in one row. - -## Compression round - -There are $64$ compression rounds. Each round takes 32-bit values $A, B, C, D, E, F, G, H$ -as input, and performs the following operations: - -$$ -\begin{array}{rcl} -Ch(E, F, G) &=& (E \wedge F) \oplus (¬E \wedge G) \\ -Maj(A, B, C) &=& (A \wedge B) \oplus (A \wedge C) \oplus (B \wedge C) \\ - &=& count(A, B, C) \geq 2 \\ -\Sigma_0(A) &=& (A ⋙ 2) \oplus (A ⋙ 13) \oplus (A ⋙ 22) \\ -\Sigma_1(E) &=& (E ⋙ 6) \oplus (E ⋙ 11) \oplus (E ⋙ 25) \\ -H' &=& H + Ch(E, F, G) + \Sigma_1(E) + K_t + W_t \\ -E_{new} &=& reduce_6(H' + D) \\ -A_{new} &=& reduce_7(H' + Maj(A, B, C) + \Sigma_0(A)) -\end{array} -$$ - -where $reduce_i$ must handle a carry $0 \leq \mathit{carry} < i$. - -![The SHA-256 compression function](./compression.png) - -Define $\mathtt{spread}$ as a table mapping a $16$-bit input to an output interleaved with -zero bits. We do not require a separate table for range checks because $\mathtt{spread}$ -can be used. - -### Modular addition - -To implement addition modulo $2^{32}$, we note that this is equivalent to adding the -operands using field addition, and then masking away all but the lowest 32 bits of the -result. For example, if we have two operands $a$ and $b$: - -$$a \boxplus b = c,$$ - -we decompose each operand (along with the result) into 16-bit chunks: - -$$(a_L : \mathbb{Z}_{2^{16}}, a_H : \mathbb{Z}_{2^{16}}) \boxplus (b_L : \mathbb{Z}_{2^{16}}, b_H : \mathbb{Z}_{2^{16}}) = (c_L : \mathbb{Z}_{2^{16}}, c_H : \mathbb{Z}_{2^{16}}),$$ - -and then reformulate the constraint using field addition: - -$$\mathsf{carry} \cdot 2^{32} + c_H \cdot 2^{16} + c_L = (a_H + b_H) \cdot 2^{16} + a_L + b_L.$$ - -More generally, any bit-decomposition of the output can be used, not just a decomposition -into 16-bit chunks. Note that this correctly handles the carry from $a_L + b_L$. - -This constraint requires that each chunk is correctly range-checked (or else an assignment -could overflow the field). - -- The operand and result chunks can be constrained using $\mathtt{spread}$, by looking up - each chunk in the "dense" column within a subset of the table. This way we additionally - get the "spread" form of the output for free; in particular this is true for the output - of the bottom-right $\boxplus$ which becomes $A_{new}$, and the output of the leftmost - $\boxplus$ which becomes $E_{new}$. We will use this below to optimize $Maj$ and $Ch$. - -- $\mathsf{carry}$ must be constrained to the precise range of allowed carry values for - the number of operands. We do this with a - [small range constraint](../../../user/tips-and-tricks.md#small-range-constraints). - -### Maj function - -$Maj$ can be done in $4$ lookups: $2\; \mathtt{spread} * 2$ chunks - -- As mentioned above, after the first round we already have $A$ in spread form $A'$. - Similarly, $B$ and $C$ are equal to the $A$ and $B$ respectively of the previous round, - and therefore in the steady state we already have them in spread form $B'$ and $C'$. In - fact we can also assume we have them in spread form in the first round, either from the - fixed IV or from the use of $\mathtt{spread}$ to reduce the output of the feedforward in - the previous block. -- Add the spread forms in the field: $M' = A' + B' + C'$; - - We can add them as $32$-bit words or in pieces; it's equivalent -- Witness the compressed even bits $M^{even}_i$ and the compressed odd bits $M^{odd}_i$ for $i = \{0..1\}$; -- Constrain $M' = \mathtt{spread}(M^{even}_0) + 2 \cdot \mathtt{spread}(M^{odd}_0) + 2^{32} \cdot \mathtt{spread}(M^{even}_1) + 2^{33} \cdot \mathtt{spread}(M^{odd}_1)$, where $M^{odd}_i$ is the $Maj$ function output. - -> Note: by "even" bits we mean the bits of weight an even-power of $2$, i.e. of weight -> $2^0, 2^2, \ldots$. Similarly by "odd" bits we mean the bits of weight an odd-power of -> $2$. - -### Ch function -> TODO: can probably be optimized to $4$ or $5$ lookups using an additional table. -> -$Ch$ can be done in $8$ lookups: $4\; \mathtt{spread} * 2$ chunks - -- As mentioned above, after the first round we already have $E$ in spread form $E'$. - Similarly, $F$ and $G$ are equal to the $E$ and $F$ respectively of the previous round, - and therefore in the steady state we already have them in spread form $F'$ and $G'$. In - fact we can also assume we have them in spread form in the first round, either from the - fixed IV or from the use of $\mathtt{spread}$ to reduce the output of the feedforward in - the previous block. -- Calculate $P' = E' + F'$ and $Q' = (evens - E') + G'$, where $evens = \mathtt{spread}(2^{32} - 1)$. - - We can add them as $32$-bit words or in pieces; it's equivalent. - - $evens - E'$ works to compute the spread of $¬E$ even though negation and - $\mathtt{spread}$ do not commute in general. It works because each spread bit in $E'$ - is subtracted from $1$, so there are no borrows. -- Witness $P^{even}_i, P^{odd}_i, Q^{even}_i, Q^{odd}_i$ such that - $P' = \mathtt{spread}(P^{even}_0) + 2 \cdot \mathtt{spread}(P^{odd}_0) + 2^{32} \cdot \mathtt{spread}(P^{even}_1) + 2^{33} \cdot \mathtt{spread}(P^{odd}_1)$, and similarly for $Q'$. -- $\{P^{odd}_i + Q^{odd}_i\}_{i=0..1}$ is the $Ch$ function output. - -### Σ_0 function - -$\Sigma_0(A)$ can be done in $6$ lookups. - -To achieve this we first split $A$ into pieces $(a, b, c, d)$, of lengths $(2, 11, 9, 10)$ -bits respectively counting from the little end. At the same time we obtain the spread -forms of these pieces. This can all be done in two PLONK rows, because the $10$ and -$11$-bit pieces can be handled using $\mathtt{spread}$ lookups, and the $9$-bit piece can -be split into $3 * 3$-bit subpieces. The latter and the remaining $2$-bit piece can be -range-checked by polynomial constraints in parallel with the two lookups, two small pieces -in each row. The spread forms of these small pieces are found by interpolation. - -Note that the splitting into pieces can be combined with the reduction of $A_{new}$, i.e. -no extra lookups are needed for the latter. In the last round we reduce $A_{new}$ after -adding the feedforward (requiring a carry of up to $7$ which is fine). - -$(A ⋙ 2) \oplus (A ⋙ 13) \oplus (A ⋙ 22)$ is equivalent to -$(A ⋙ 2) \oplus (A ⋙ 13) \oplus (A ⋘ 10)$: - -![](./upp_sigma_0.png) - -Then, using $4$ more $\mathtt{spread}$ lookups we obtain the result as the even bits of a -linear combination of the pieces: - -$$ -\begin{array}{rcccccccl} - & (a &||& d &||& c &||& b) & \oplus \\ - & (b &||& a &||& d &||& c) & \oplus \\ - & (c &||& b &||& a &||& d) & \\ -&&&&\Downarrow \\ -R' = & 4^{30} a &+& 4^{20} d &+& 4^{11} c &+& b\;&+ \\ - & 4^{21} b &+& 4^{19} a &+& 4^{ 9} d &+& c\;&+ \\ - & 4^{23} c &+& 4^{12} b &+& 4^{10} a &+& d\;& -\end{array} -$$ - -That is, we witness the compressed even bits $R^{even}_i$ and the compressed odd bits -$R^{odd}_i$, and constrain -$$R' = \mathtt{spread}(R^{even}_0) + 2 \cdot \mathtt{spread}(R^{odd}_0) + 2^{32} \cdot \mathtt{spread}(R^{even}_1) + 2^{33} \cdot \mathtt{spread}(R^{odd}_1)$$ -where $\{R^{even}_i\}_{i=0..1}$ is the $\Sigma_0$ function output. - -### Σ_1 function - -$\Sigma_1(E)$ can be done in $6$ lookups. - -To achieve this we first split $E$ into pieces $(a, b, c, d)$, of lengths $(6, 5, 14, 7)$ -bits respectively counting from the little end. At the same time we obtain the spread -forms of these pieces. This can all be done in two PLONK rows, because the $7$ and -$14$-bit pieces can be handled using $\mathtt{spread}$ lookups, the $5$-bit piece can be -split into $3$ and $2$-bit subpieces, and the $6$-bit piece can be split into $2 * 3$-bit -subpieces. The four small pieces can be range-checked by polynomial constraints in -parallel with the two lookups, two small pieces in each row. The spread forms of these -small pieces are found by interpolation. - -Note that the splitting into pieces can be combined with the reduction of $E_{new}$, i.e. -no extra lookups are needed for the latter. In the last round we reduce $E_{new}$ after -adding the feedforward (requiring a carry of up to $6$ which is fine). - -$(E ⋙ 6) \oplus (E ⋙ 11) \oplus (E ⋙ 25)$ is equivalent to -$(E ⋙ 6) \oplus (E ⋙ 11) \oplus (E ⋘ 7)$. - -![](./upp_sigma_1.png) - -Then, using $4$ more $\mathtt{spread}$ lookups we obtain the result as the even bits of a -linear combination of the pieces, in the same way we did for $\Sigma_0$: - -$$ -\begin{array}{rcccccccl} - & (a &||& d &||& c &||& b) & \oplus \\ - & (b &||& a &||& d &||& c) & \oplus \\ - & (c &||& b &||& a &||& d) & \\ -&&&&\Downarrow \\ -R' = & 4^{26} a &+& 4^{19} d &+& 4^{ 5} c &+& b\;&+ \\ - & 4^{27} b &+& 4^{21} a &+& 4^{14} d &+& c\;&+ \\ - & 4^{18} c &+& 4^{13} b &+& 4^{ 7} a &+& d\;& -\end{array} -$$ - -That is, we witness the compressed even bits $R^{even}_i$ and the compressed odd bits -$R^{odd}_i$, and constrain -$$R' = \mathtt{spread}(R^{even}_0) + 2 \cdot \mathtt{spread}(R^{odd}_0) + 2^{32} \cdot \mathtt{spread}(R^{even}_1) + 2^{33} \cdot \mathtt{spread}(R^{odd}_1)$$ -where $\{R^{even}_i\}_{i=0..1}$ is the $\Sigma_1$ function output. - -## Block decomposition - -For each block $M \in \{0,1\}^{512}$ of the padded message, $64$ words of $32$ bits each -are constructed as follows: -- The first $16$ are obtained by splitting $M$ into $32$-bit blocks $$M = W_0 || W_1 || \cdots || W_{14} || W_{15};$$ -- The remaining $48$ words are constructed using the formula: -$$W_i = \sigma_1(W_{i-2}) \boxplus W_{i-7} \boxplus \sigma_0(W_{i-15}) \boxplus W_{i-16},$$ for $16 \leq i < 64$. - -> Note: $0$-based numbering is used for the $W$ word indices. - -$$ -\begin{array}{ccc} -\sigma_0(X) &=& (X ⋙ 7) \oplus (X ⋙ 18) \oplus (X ≫ 3) \\ -\sigma_1(X) &=& (X ⋙ 17) \oplus (X ⋙ 19) \oplus (X ≫ 10) \\ -\end{array} -$$ - -> Note: $≫$ is a right-**shift**, not a rotation. - -### σ_0 function - -$(X ⋙ 7) \oplus (X ⋙ 18) \oplus (X ≫ 3)$ is equivalent to -$(X ⋙ 7) \oplus (X ⋘ 14) \oplus (X ≫ 3)$. - -![](./low_sigma_0.png) - -As above but with pieces $(a, b, c, d)$ of lengths $(3, 4, 11, 14)$ counting from the -little end. Split $b$ into two $2$-bit subpieces. - -$$ -\begin{array}{rcccccccl} - & (0^{[3]} &||& d &||& c &||& b) & \oplus \\ - & (\;\;\;b &||& a &||& d &||& c) & \oplus \\ - & (\;\;\;c &||& b &||& a &||& d) & \\ -&&&&\Downarrow \\ -R' = & & & 4^{15} d &+& 4^{ 4} c &+& b\;&+ \\ - & 4^{28} b &+& 4^{25} a &+& 4^{11} d &+& c\;&+ \\ - & 4^{21} c &+& 4^{17} b &+& 4^{14} a &+& d\;& -\end{array} -$$ - -### σ_1 function - -$(X ⋙ 17) \oplus (X ⋙ 19) \oplus (X ≫ 10)$ is equivalent to -$(X ⋘ 15) \oplus (X ⋘ 13) \oplus (X ≫ 10)$. - -![](./low_sigma_1.png) - -TODO: this diagram doesn't match the expression on the right. This is just for consistency -with the other diagrams. - -As above but with pieces $(a, b, c, d)$ of lengths $(10, 7, 2, 13)$ counting from the -little end. Split $b$ into $(3, 2, 2)$-bit subpieces. - -$$ -\begin{array}{rcccccccl} - & (0^{[10]}&||& d &||& c &||& b) & \oplus \\ - & (\;\;\;b &||& a &||& d &||& c) & \oplus \\ - & (\;\;\;c &||& b &||& a &||& d) & \\ -&&&&\Downarrow \\ -R' = & & & 4^{ 9} d &+& 4^{ 7} c &+& b\;&+ \\ - & 4^{25} b &+& 4^{15} a &+& 4^{ 2} d &+& c\;&+ \\ - & 4^{30} c &+& 4^{23} b &+& 4^{13} a &+& d\;& -\end{array} -$$ - -### Message scheduling - -We apply $\sigma_0$ to $W_{1..48}$, and $\sigma_1$ to $W_{14..61}$. In order to avoid -redundant applications of $\mathtt{spread}$, we can merge the splitting into pieces for -$\sigma_0$ and $\sigma_1$ in the case of $W_{14..48}$. Merging the piece lengths -$(3, 4, 11, 14)$ and $(10, 7, 2, 13)$ gives pieces of lengths $(3, 4, 3, 7, 1, 1, 13)$. - -![](./bit_reassignment.png) - -If we can do the merged split in $3$ rows (as opposed to a total of $4$ rows when -splitting for $\sigma_0$ and $\sigma_1$ separately), we save $35$ rows. - -> These might even be doable in $2$ rows; not sure. -> —Daira - -We can merge the reduction mod $2^{32}$ of $W_{16..61}$ into their splitting when they are -used to compute subsequent words, similarly to what we did for $A$ and $E$ in the round -function. - -We will still need to reduce $W_{62..63}$ since they are not split. (Technically we could -leave them unreduced since they will be reduced later when they are used to compute -$A_{new}$ and $E_{new}$ -- but that would require handling a carry of up to $10$ rather -than $6$, so it's not worth the complexity.) - -The resulting message schedule cost is: -- $2$ rows to constrain $W_0$ to $32$ bits - - This is technically optional, but let's do it for robustness, since the rest of the - input is constrained for free. -- $13*2$ rows to split $W_{1..13}$ into $(3, 4, 11, 14)$-bit pieces -- $35*3$ rows to split $W_{14..48}$ into $(3, 4, 3, 7, 1, 1, 13)$-bit pieces (merged with - a reduction for $W_{16..48}$) -- $13*2$ rows to split $W_{49..61}$ into $(10, 7, 2, 13)$-bit pieces (merged with a - reduction) -- $4*48$ rows to extract the results of $\sigma_0$ for $W_{1..48}$ -- $4*48$ rows to extract the results of $\sigma_1$ for $W_{14..61}$ -- $2*2$ rows to reduce $W_{62..63}$ -- $= 547$ rows. - -## Overall cost - -For each round: -- $8$ rows for $Ch$ -- $4$ rows for $Maj$ -- $6$ rows for $\Sigma_0$ -- $6$ rows for $\Sigma_1$ -- $reduce_6$ and $reduce_7$ are always free -- $= 24$ per round - -This gives $24*64 = 1792$ rows for all of "step 3", to which we need to add: - -- $547$ rows for message scheduling -- $2*8$ rows for $8$ reductions mod $2^{32}$ in "step 4" - -giving a total of $2099$ rows. - -## Tables - -We only require one table $\mathtt{spread}$, with $2^{16}$ rows and $3$ columns. We need a -tag column to allow selecting $(7, 10, 11, 13, 14)$-bit subsets of the table for -$\Sigma_{0..1}$ and $\sigma_{0..1}$. - -### `spread` table - -| row | tag | table (16b) | spread (32b) | -|--------------|-----|------------------|----------------------------------| -| $0$ | 0 | 0000000000000000 | 00000000000000000000000000000000 | -| $1$ | 0 | 0000000000000001 | 00000000000000000000000000000001 | -| $2$ | 0 | 0000000000000010 | 00000000000000000000000000000100 | -| $3$ | 0 | 0000000000000011 | 00000000000000000000000000000101 | -| ... | 0 | ... | ... | -| $2^{7} - 1$ | 0 | 0000000001111111 | 00000000000000000001010101010101 | -| $2^{7}$ | 1 | 0000000010000000 | 00000000000000000100000000000000 | -| ... | 1 | ... | ... | -| $2^{10} - 1$ | 1 | 0000001111111111 | 00000000000001010101010101010101 | -| ... | 2 | ... | ... | -| $2^{11} - 1$ | 2 | 0000011111111111 | 00000000010101010101010101010101 | -| ... | 3 | ... | ... | -| $2^{13} - 1$ | 3 | 0001111111111111 | 00000001010101010101010101010101 | -| ... | 4 | ... | ... | -| $2^{14} - 1$ | 4 | 0011111111111111 | 00000101010101010101010101010101 | -| ... | 5 | ... | ... | -| $2^{16} - 1$ | 5 | 1111111111111111 | 01010101010101010101010101010101 | - -For example, to do an $11$-bit $\mathtt{spread}$ lookup, we polynomial-constrain the tag -to be in $\{0, 1, 2\}$. For the most common case of a $16$-bit lookup, we don't need to -constrain the tag. Note that we can fill any unused rows beyond $2^{16}$ with a duplicate -entry, e.g. all-zeroes. - -## Gates - -### Choice gate -Input from previous operations: -- $E', F', G',$ 64-bit spread forms of 32-bit words $E, F, G$, assumed to be constrained by previous operations - - in practice, we'll have the spread forms of $E', F', G'$ after they've been decomposed into 16-bit subpieces -- $evens$ is defined as $\mathtt{spread}(2^{32} - 1)$ - - $evens_0 = evens_1 = \mathtt{spread}(2^{16} - 1)$ - -#### E ∧ F -|s_ch| $a_0$ | $a_1$ | $a_2$ | $a_3$ | $a_4$ | -|----|-------------|-------------|-----------------------------|------------------------------------|------------------------------------| -|0 |{0,1,2,3,4,5}|$P_0^{even}$ |$\texttt{spread}(P_0^{even})$| $\mathtt{spread}(E^{lo})$ | $\mathtt{spread}(E^{hi})$ | -|1 |{0,1,2,3,4,5}|$P_0^{odd}$ |$\texttt{spread}(P_0^{odd})$ |$\texttt{spread}(P_1^{odd})$ | | -|0 |{0,1,2,3,4,5}|$P_1^{even}$ |$\texttt{spread}(P_1^{even})$| $\mathtt{spread}(F^{lo})$ | $\mathtt{spread}(F^{hi})$ | -|0 |{0,1,2,3,4,5}|$P_1^{odd}$ |$\texttt{spread}(P_1^{odd})$ | | | - -#### ¬E ∧ G -s_ch_neg| $a_0$ | $a_1$ | $a_2$ | $a_3$ | $a_4$ | $a_5$ | ---------|-------------|-------------|-----------------------------|------------------------------------|------------------------------------|------------------------------------| - 0 |{0,1,2,3,4,5}|$Q_0^{even}$ |$\texttt{spread}(Q_0^{even})$|$\mathtt{spread}(E_{neg}^{lo})$ | $\mathtt{spread}(E_{neg}^{hi})$ | $\mathtt{spread}(E^{lo})$ | - 1 |{0,1,2,3,4,5}|$Q_0^{odd}$ |$\texttt{spread}(Q_0^{odd})$ |$\texttt{spread}(Q_1^{odd})$ | | $\mathtt{spread}(E^{hi})$ | - 0 |{0,1,2,3,4,5}|$Q_1^{even}$ |$\texttt{spread}(Q_1^{even})$|$\mathtt{spread}(G^{lo})$ | $\mathtt{spread}(G^{hi})$ | | - 0 |{0,1,2,3,4,5}|$Q_1^{odd}$ |$\texttt{spread}(Q_1^{odd})$ | | | | - -Constraints: -- `s_ch` (choice): $LHS - RHS = 0$ - - $LHS = a_3 \omega^{-1} + a_3 \omega + 2^{32}(a_4 \omega^{-1} + a_4 \omega)$ - - $RHS = a_2 \omega^{-1} + 2* a_2 + 2^{32}(a_2 \omega + 2* a_3)$ -- `s_ch_neg` (negation): `s_ch` with an extra negation check -- $\mathtt{spread}$ lookup on $(a_0, a_1, a_2)$ -- permutation between $(a_2, a_3)$ - -Output: $Ch(E, F, G) = P^{odd} + Q^{odd} = (P_0^{odd} + Q_0^{odd}) + 2^{16} (P_1^{odd} + Q_1^{odd})$ - -### Majority gate - -Input from previous operations: -- $A', B', C',$ 64-bit spread forms of 32-bit words $A, B, C$, assumed to be constrained by previous operations - - in practice, we'll have the spread forms of $A', B', C'$ after they've been decomposed into $16$-bit subpieces - -s_maj| $a_0$ | $a_1$ | $a_2$ | $a_3$ | $a_4$ | $a_5$ | ------|-------------|------------|-----------------------------|----------------------------|--------------------------|--------------------------| - 0 |{0,1,2,3,4,5}|$M_0^{even}$|$\texttt{spread}(M_0^{even})$| |$\mathtt{spread}(A^{lo})$ |$\mathtt{spread}(A^{hi})$ | - 1 |{0,1,2,3,4,5}|$M_0^{odd}$ |$\texttt{spread}(M_0^{odd})$ |$\texttt{spread}(M_1^{odd})$|$\mathtt{spread}(B^{lo})$ |$\mathtt{spread}(B^{hi})$ | - 0 |{0,1,2,3,4,5}|$M_1^{even}$|$\texttt{spread}(M_1^{even})$| |$\mathtt{spread}(C^{lo})$ |$\mathtt{spread}(C^{hi})$ | - 0 |{0,1,2,3,4,5}|$M_1^{odd}$ |$\texttt{spread}(M_1^{odd})$ | | | | - -Constraints: -- `s_maj` (majority): $LHS - RHS = 0$ - - $LHS = \mathtt{spread}(M^{even}_0) + 2 \cdot \mathtt{spread}(M^{odd}_0) + 2^{32} \cdot \mathtt{spread}(M^{even}_1) + 2^{33} \cdot \mathtt{spread}(M^{odd}_1)$ - - $RHS = A' + B' + C'$ -- $\mathtt{spread}$ lookup on $(a_0, a_1, a_2)$ -- permutation between $(a_2, a_3)$ - -Output: $Maj(A,B,C) = M^{odd} = M_0^{odd} + 2^{16} M_1^{odd}$ - -### Σ_0 gate - -$A$ is a 32-bit word split into $(2,11,9,10)$-bit chunks, starting from the little end. We refer to these chunks as $(a(2), b(11), c(9), d(10))$ respectively, and further split $c(9)$ into three 3-bit chunks $c(9)^{lo}, c(9)^{mid}, c(9)^{hi}$. We witness the spread versions of the small chunks. - -$$ -\begin{array}{ccc} -\Sigma_0(A) &=& (A ⋙ 2) \oplus (A ⋙ 13) \oplus (A ⋙ 22) \\ -&=& (A ⋙ 2) \oplus (A ⋙ 13) \oplus (A ⋘ 10) -\end{array} -$$ - -s_upp_sigma_0| $a_0$ | $a_1$ | $a_2$ | $a_3$ | $a_4$ | $a_5$ | $a_6$ | --------------|-------------|------------|-----------------------------|------------------------------|----------------------------|------------------------|-----------------------------| - 0 |{0,1,2,3,4,5}|$R_0^{even}$|$\texttt{spread}(R_0^{even})$| $c(9)^{lo}$ |$\texttt{spread}(c(9)^{lo})$| $c(9)^{mid}$ |$\texttt{spread}(c(9)^{mid})$| - 1 |{0,1,2,3,4,5}|$R_0^{odd}$ |$\texttt{spread}(R_0^{odd})$ | $\texttt{spread}(R_1^{odd})$ | $\texttt{spread}(d(10))$ |$\texttt{spread}(b(11))$| $c(9)$ | - 0 |{0,1,2,3,4,5}|$R_1^{even}$|$\texttt{spread}(R_1^{even})$| $a(2)$ |$\texttt{spread}(a(2))$ | $c(9)^{hi}$ |$\texttt{spread}(c(9)^{hi})$ | - 0 |{0,1,2,3,4,5}|$R_1^{odd}$ |$\texttt{spread}(R_1^{odd})$ | | | | | - - -Constraints: -- `s_upp_sigma_0` ($\Sigma_0$ constraint): $LHS - RHS + tag + decompose = 0$ - -$$ -\begin{array}{ccc} -tag &=& constrain_1(a_0\omega^{-1}) + constrain_2(a_0\omega) \\ -decompose &=& a(2) + 2^2 b(11) + 2^{13} c(9)^{lo} + 2^{16} c(9)^{mid} + 2^{19} c(9)^{hi} + 2^{22} d(10) - A\\ -LHS &=& \mathtt{spread}(R^{even}_0) + 2 \cdot \mathtt{spread}(R^{odd}_0) + 2^{32} \cdot \mathtt{spread}(R^{even}_1) + 2^{33} \cdot \mathtt{spread}(R^{odd}_1) -\end{array} -$$ -$$ -\begin{array}{rcccccccccl} -RHS = & 4^{30} \texttt{spread}(a(2)) &+& 4^{20} \texttt{spread}(d(10)) &+& 4^{17} \texttt{spread}(c(9)^{hi}) &+& 4^{14} \texttt{spread}(c(9)^{mid}) &+& 4^{11} \texttt{spread}(c(9)^{lo}) &+& \texttt{spread}(b(11))\;&+ \\ - & 4^{21} \texttt{spread}(b(11)) &+& 4^{19} \texttt{spread}(a(2)) &+& 4^{9} \texttt{spread}(d(10)) &+& 4^{6} \texttt{spread}(c(9)^{hi}) &+& 4^{3} \texttt{spread}(c(9)^{mid}) &+& \texttt{spread}(c(9)^{lo}) \;&+ \\ - & 4^{29} \texttt{spread}(c(9)^{hi}) &+& 4^{26} \texttt{spread}(c(9)^{mid}) &+& 4^{23} \texttt{spread}(c(9)^{lo}) &+& 4^{12} \texttt{spread}(b(11)) &+& 4^{10} \texttt{spread}(a(2)) &+& \texttt{spread}(d(10))\;& -\end{array} -$$ - -- $\mathtt{spread}$ lookup on $a_0, a_1, a_2$ -- 2-bit range check and 2-bit spread check on $a(2)$ -- 3-bit range check and 3-bit spread check on $c(9)^{lo}, c(9)^{mid}, c(9)^{hi}$ - -(see section [Helper gates](#helper-gates)) - -Output: $\Sigma_0(A) = R^{even} = R_0^{even} + 2^{16} R_1^{even}$ - -### Σ_1 gate -$E$ is a 32-bit word split into $(6,5,14,7)$-bit chunks, starting from the little end. We refer to these chunks as $(a(6), b(5), c(14), d(7))$ respectively, and further split $a(6)$ into two 3-bit chunks $a(6)^{lo}, a(6)^{hi}$ and $b$ into (2,3)-bit chunks $b(5)^{lo}, b(5)^{hi}$. We witness the spread versions of the small chunks. - -$$ -\begin{array}{ccc} -\Sigma_1(E) &=& (E ⋙ 6) \oplus (E ⋙ 11) \oplus (E ⋙ 25) \\ -&=& (E ⋙ 6) \oplus (E ⋙ 11) \oplus (E ⋘ 7) -\end{array} -$$ - -s_upp_sigma_1| $a_0$ | $a_1$ | $a_2$ | $a_3$ | $a_4$ | $a_5$ | $a_6$ | $a_7$ | --------------|-------------|------------|-----------------------------|------------------------------|----------------------------|------------------------|-----------------------------|------------| - 0 |{0,1,2,3,4,5}|$R_0^{even}$|$\texttt{spread}(R_0^{even})$| $b(5)^{lo}$ |$\texttt{spread}(b(5)^{lo})$| $b(5)^{hi}$ |$\texttt{spread}(b(5)^{hi})$ | $b(5)$ | - 1 |{0,1,2,3,4,5}|$R_0^{odd}$ |$\texttt{spread}(R_0^{odd})$ | $\texttt{spread}(R_1^{odd})$ | $\texttt{spread}(d(7))$ |$\texttt{spread}(c(14))$| | | - 0 |{0,1,2,3,4,5}|$R_1^{even}$|$\texttt{spread}(R_1^{even})$| $a(6)^{lo}$ |$\texttt{spread}(a(6)^{lo})$| $a(6)^{hi}$ |$\texttt{spread}(a(6)^{hi})$ | $a(6)$ | - 0 |{0,1,2,3,4,5}|$R_1^{odd}$ |$\texttt{spread}(R_1^{odd})$ | | | | | | - - -Constraints: -- `s_upp_sigma_1` ($\Sigma_1$ constraint): $LHS - RHS + tag + decompose = 0$ - -$$ -\begin{array}{ccc} -tag &=& a_0\omega^{-1} + constrain_4(a_0\omega) \\ -decompose &=& a(6)^{lo} + 2^3 a(6)^{hi} + 2^6 b(5)^{lo} + 2^8 b(5)^{hi} + 2^{11} c(14) + 2^{25} d(7) - E \\ -LHS &=& \mathtt{spread}(R^{even}_0) + 2 \cdot \mathtt{spread}(R^{odd}_0) + 2^{32} \cdot \mathtt{spread}(R^{even}_1) + 2^{33} \cdot \mathtt{spread}(R^{odd}_1) -\end{array} -$$ -$$ -\begin{array}{rcccccccccl} -RHS = & 4^{29} \texttt{spread}(a(6)^{hi}) &+& 4^{26} \texttt{spread}(a(6)^{lo}) &+& 4^{19} \texttt{spread}(d(7)) &+& 4^{ 5} \texttt{spread}(c(14)) &+& 4^{2} \texttt{spread}(b(5)^{hi}) &+& \texttt{spread}(b(5)^{lo})\;&+ \\ - & 4^{29} \texttt{spread}(b(5)^{hi}) &+& 4^{27} \texttt{spread}(b(5)^{lo}) &+& 4^{24} \texttt{spread}(a(6)^{hi}) &+& 4^{21} \texttt{spread}(a(6)^{lo}) &+& 4^{14} \texttt{spread}(d(7)) &+& \texttt{spread}(c(14))\;&+ \\ - & 4^{18} \texttt{spread}(c(14)) &+& 4^{15} \texttt{spread}(b(5)^{hi}) &+& 4^{13} \texttt{spread}(b(5)^{lo}) &+& 4^{10} \texttt{spread}(a(6)^{hi}) &+& 4^{7} \texttt{spread}(a(6)^{lo}) &+& \texttt{spread}(d(7))\;& -\end{array} -$$ - -- $\mathtt{spread}$ lookup on $a_0, a_1, a_2$ -- 2-bit range check and 2-bit spread check on $b(5)^{lo}$ -- 3-bit range check and 3-bit spread check on $a(6)^{lo}, a(6)^{hi}, b(4)^{hi}$ - -(see section [Helper gates](#helper-gates)) - -Output: $\Sigma_1(E) = R^{even} = R_0^{even} + 2^{16} R_1^{even}$ - -### σ_0 gate -#### v1 -v1 of the $\sigma_0$ gate takes in a word that's split into $(3, 4, 11, 14)$-bit chunks (already constrained by message scheduling). We refer to these chunks respectively as $(a(3), b(4), c(11), d(14)).$ $b(4)$ is further split into two 2-bit chunks $b(4)^{lo},b(4)^{hi}.$ We witness the spread versions of the small chunks. We already have $\texttt{spread}(c(11))$ and $\texttt{spread}(d(14))$ from the message scheduling. - -$(X ⋙ 7) \oplus (X ⋙ 18) \oplus (X ≫ 3)$ is equivalent to -$(X ⋙ 7) \oplus (X ⋘ 14) \oplus (X ≫ 3)$. - -s_low_sigma_0| $a_0$ | $a_1$ | $a_2$ | $a_3$ | $a_4$ | $a_5$ | $a_6$ | --------------|-------------|------------|-----------------------------|-----------------------------|----------------------------|--------------------|----------------------------| - 0 |{0,1,2,3,4,5}|$R_0^{even}$|$\texttt{spread}(R_0^{even})$| $b(4)^{lo}$ |$\texttt{spread}(b(4)^{lo})$| $b(4)^{hi}$ |$\texttt{spread}(b(4)^{hi})$| - 1 |{0,1,2,3,4,5}|$R_0^{odd}$ |$\texttt{spread}(R_0^{odd})$ |$\texttt{spread}(R_1^{odd})$ |$\texttt{spread}(c)$ |$\texttt{spread}(d)$| $b(4)$ | - 0 |{0,1,2,3,4,5}|$R_1^{even}$|$\texttt{spread}(R_1^{even})$| $0$ | $0$ | $a$ | $\texttt{spread}(a)$ | - 0 |{0,1,2,3,4,5}|$R_1^{odd}$ |$\texttt{spread}(R_1^{odd})$ | | | | | - -Constraints: -- `s_low_sigma_0` ($\sigma_0$ v1 constraint): $LHS - RHS = 0$ - -$$ -\begin{array}{ccc} -LHS &=& \mathtt{spread}(R^{even}_0) + 2 \cdot \mathtt{spread}(R^{odd}_0) + 2^{32} \cdot \mathtt{spread}(R^{even}_1) + 2^{33} \cdot \mathtt{spread}(R^{odd}_1) -\end{array} -$$ -$$ -\begin{array}{rccccccccl} -RHS = & & & 4^{15} d(14) &+& 4^{ 4} c(11) &+& 4^2 b(4)^{hi} &+& b(4)^{lo}\;&+ \\ - & 4^{30} b(4)^{hi} &+& 4^{28} b(4)^{lo} &+& 4^{25} a(3) &+& 4^{11} d(14) &+& c(11)\;&+ \\ - & 4^{21} c(11) &+& 4^{19} b(4)^{hi} &+& 4^{17} b(4)^{lo} &+& 4^{14} a(3) &+& d(14)\;& -\end{array} -$$ - -- check that `b` was properly split into subsections for 4-bit pieces. - - $W^{b(4)lo} + 2^2 W^{b(4)hi} - W = 0$ -- 2-bit range check and 2-bit spread check on $b(4)^{lo}, b(4)^{hi}$ -- 3-bit range check and 3-bit spread check on $a(3)$ - - -#### v2 -v2 of the $\sigma_0$ gate takes in a word that's split into $(3, 4, 3, 7, 1, 1, 13)$-bit chunks (already constrained by message scheduling). We refer to these chunks respectively as $(a(3), b(4), c(3), d(7), e(1), f(1), g(13)).$ We already have $\mathtt{spread}(d(7)), \mathtt{spread}(g(13))$ from the message scheduling. The 1-bit $e(1), f(1)$ remain unchanged by the spread operation and can be used directly. We further split $b(4)$ into two 2-bit chunks $b(4)^{lo}, b(4)^{hi}.$ We witness the spread versions of the small chunks. - -$(X ⋙ 7) \oplus (X ⋙ 18) \oplus (X ≫ 3)$ is equivalent to -$(X ⋙ 7) \oplus (X ⋘ 14) \oplus (X ≫ 3)$. - -s_low_sigma_0_v2| $a_0$ | $a_1$ | $a_2$ | $a_3$ | $a_4$ | $a_5$ | $a_6$ | $a_7$ | -----------------|-------------|------------|-----------------------------|-----------------------------|----------------------------|------------------------|----------------------------|------------| - 0 |{0,1,2,3,4,5}|$R_0^{even}$|$\texttt{spread}(R_0^{even})$| $b(4)^{lo}$ |$\texttt{spread}(b(4)^{lo})$| $b(4)^{hi}$ |$\texttt{spread}(b(4)^{hi})$| | - 1 |{0,1,2,3,4,5}|$R_0^{odd}$ |$\texttt{spread}(R_0^{odd})$ | $\texttt{spread}(R_1^{odd})$| $\texttt{spread}(d(7))$ |$\texttt{spread}(g(13))$| $b(4)$ | $e(1)$ | - 0 |{0,1,2,3,4,5}|$R_1^{even}$|$\texttt{spread}(R_1^{even})$| $a(3)$ |$\texttt{spread}(a(3))$ | $c(3)$ |$\texttt{spread}(c(3))$ | $f(1)$ | - 0 |{0,1,2,3,4,5}|$R_1^{odd}$ |$\texttt{spread}(R_1^{odd})$ | | | | | | - -Constraints: -- `s_low_sigma_0_v2` ($\sigma_0$ v2 constraint): $LHS - RHS = 0$ - -$$ -\begin{array}{ccc} -LHS &=& \mathtt{spread}(R^{even}_0) + 2 \cdot \mathtt{spread}(R^{odd}_0) + 2^{32} \cdot \mathtt{spread}(R^{even}_1) + 2^{33} \cdot \mathtt{spread}(R^{odd}_1) -\end{array} -$$ -$$ -\begin{array}{rcccccccccccl} -RHS = & & & 4^{16} g(13) &+& 4^{15} f(1) &+& 4^{ 14} e(1) &+& 4^{ 7} d(7) &+& 4^{ 4} c(3) &+& 4^2 b(4)^{hi} &+& b(4)^{lo}\;&+ \\ - & 4^{30} b(4)^{hi} &+& 4^{28} b(4)^{lo} &+& 4^{25} a(3) &+& 4^{12} g(13) &+& 4^{11} f(1) &+& 4^{10} e(1) &+& 4^{3} d(7) &+& c(3)\;&+ \\ - & 4^{31} e(1) &+& 4^{24} d(7) &+& 4^{21} c(3) &+& 4^{19} b(4)^{hi} &+& 4^{17} b(4)^{lo} &+& 4^{14} a(3) &+& 4^{1} g(13) &+& f(1)\;& -\end{array} -$$ - -- check that `b` was properly split into subsections for 4-bit pieces. - - $W^{b(4)lo} + 2^2 W^{b(4)hi} - W = 0$ -- 2-bit range check and 2-bit spread check on $b(4)^{lo}, b(4)^{hi}$ -- 3-bit range check and 3-bit spread check on $a(3), c(3)$ - -### σ_1 gate -#### v1 -v1 of the $\sigma_1$ gate takes in a word that's split into $(10, 7, 2, 13)$-bit chunks (already constrained by message scheduling). We refer to these chunks respectively as $(a(10), b(7), c(2), d(13)).$ $b(7)$ is further split into $(2, 2, 3)$-bit chunks $b(7)^{lo}, b(7)^{mid}, b(7)^{hi}.$ We witness the spread versions of the small chunks. We already have $\texttt{spread}(a(10))$ and $\texttt{spread}(d(13))$ from the message scheduling. - -$(X ⋙ 17) \oplus (X ⋙ 19) \oplus (X ≫ 10)$ is equivalent to -$(X ⋘ 15) \oplus (X ⋘ 13) \oplus (X ≫ 10)$. - -s_low_sigma_1| $a_0$ | $a_1$ | $a_2$ | $a_3$ | $a_4$ | $a_5$ | $a_6$ | --------------|-------------|------------|-----------------------------|------------------------------|----------------------------|------------------------|-----------------------------| - 0 |{0,1,2,3,4,5}|$R_0^{even}$|$\texttt{spread}(R_0^{even})$| $b(7)^{lo}$ |$\texttt{spread}(b(7)^{lo})$| $b(7)^{mid}$ |$\texttt{spread}(b(7)^{mid})$| - 1 |{0,1,2,3,4,5}|$R_0^{odd}$ |$\texttt{spread}(R_0^{odd})$ | $\texttt{spread}(R_1^{odd})$ | $\texttt{spread}(a(10))$ |$\texttt{spread}(d(13))$| $b(7)$ | - 0 |{0,1,2,3,4,5}|$R_1^{even}$|$\texttt{spread}(R_1^{even})$| $c(2)$ |$\texttt{spread}(c(2))$ | $b(7)^{hi}$ |$\texttt{spread}(b(7)^{hi})$ | - 0 |{0,1,2,3,4,5}|$R_1^{odd}$ |$\texttt{spread}(R_1^{odd})$ | | | | | - -Constraints: -- `s_low_sigma_1` ($\sigma_1$ v1 constraint): $LHS - RHS = 0$ -$$ -\begin{array}{ccc} -LHS &=& \mathtt{spread}(R^{even}_0) + 2 \cdot \mathtt{spread}(R^{odd}_0) + 2^{32} \cdot \mathtt{spread}(R^{even}_1) + 2^{33} \cdot \mathtt{spread}(R^{odd}_1) -\end{array} -$$ -$$ -\begin{array}{rcccccccccl} -RHS = & & & 4^{ 9} d(13) &+& 4^{ 7} c(2) &+& 4^{4} b(7)^{hi} &+& 4^{2} b(7)^{mid} &+& b(7)^{lo}\;&+ \\ - & 4^{29} b(7)^{hi} &+& 4^{27} b(7)^{mid} &+& 4^{25} b(7)^{lo} &+& 4^{15} a(10) &+& 4^{ 2} d(13) &+& c(2)\;&+ \\ - & 4^{30} c(2) &+& 4^{27} b(7)^{hi} &+& 4^{25} b(7)^{mid} &+& 4^{23} b(7)^{lo} &+& 4^{13} a(10) &+& d(13)\;& -\end{array} -$$ - -- check that `b` was properly split into subsections for 7-bit pieces. - - $W^{b(7)lo} + 2^2 W^{b(7)mid} + 2^4 W^{b(7)hi} - W = 0$ -- 2-bit range check and 2-bit spread check on $b(7)^{lo}, b(7)^{mid}, c(2)$ -- 3-bit range check and 3-bit spread check on $b(7)^{hi}$ - - -#### v2 -v2 of the $\sigma_1$ gate takes in a word that's split into $(3, 4, 3, 7, 1, 1, 13)$-bit chunks (already constrained by message scheduling). We refer to these chunks respectively as $(a(3), b(4), c(3), d(7), e(1), f(1), g(13)).$ We already have $\mathtt{spread}(d(7)), \mathtt{spread}(g(13))$ from the message scheduling. The 1-bit $e(1), f(1)$ remain unchanged by the spread operation and can be used directly. We further split $b(4)$ into two 2-bit chunks $b(4)^{lo}, b(4)^{hi}.$ We witness the spread versions of the small chunks. - -$(X ⋙ 17) \oplus (X ⋙ 19) \oplus (X ≫ 10)$ is equivalent to -$(X ⋘ 15) \oplus (X ⋘ 13) \oplus (X ≫ 10)$. - -s_low_sigma_1_v2| $a_0$ | $a_1$ | $a_2$ | $a_3$ | $a_4$ | $a_5$ | $a_6$ | $a_7$ | -----------------|-------------|------------|-----------------------------|-----------------------------|----------------------------|-------------------------|----------------------------|------------| - 0 |{0,1,2,3,4,5}|$R_0^{even}$|$\texttt{spread}(R_0^{even})$| $b(4)^{lo}$ |$\texttt{spread}(b(4)^{lo})$| $b(4)^{hi}$ |$\texttt{spread}(b(4)^{hi})$| | - 1 |{0,1,2,3,4,5}|$R_0^{odd}$ |$\texttt{spread}(R_0^{odd})$ | $\texttt{spread}(R_1^{odd})$| $\texttt{spread}(d(7))$ | $\texttt{spread}(g(13))$| $b(4)$ | $e(1)$ | - 0 |{0,1,2,3,4,5}|$R_1^{even}$|$\texttt{spread}(R_1^{even})$| $a(3)$ |$\texttt{spread}(a(3))$ | $c(3)$ |$\texttt{spread}(c(3))$ | $f(1)$ | - 0 |{0,1,2,3,4,5}|$R_1^{odd}$ |$\texttt{spread}(R_1^{odd})$ | | | | | | - -Constraints: -- `s_low_sigma_1_v2` ($\sigma_1$ v2 constraint): $LHS - RHS = 0$ - -$$ -\begin{array}{ccc} -LHS &=& \mathtt{spread}(R^{even}_0) + 2 \cdot \mathtt{spread}(R^{odd}_0) + 2^{32} \cdot \mathtt{spread}(R^{even}_1) + 2^{33} \cdot \mathtt{spread}(R^{odd}_1) -\end{array} -$$ -$$ -\begin{array}{rccccccccccccl} -RHS = & &&&& & & 4^{ 9} g(13) &+& 4^{ 8} f(1) &+& 4^{ 7} e(1) &+& d(7)\;&+ \\ - & 4^{25} d(7) &+& 4^{22} c(3) &+& 4^{20} b(4)^{hi} &+& 4^{18} b(4)^{lo} &+& 4^{15} a &+& 4^{ 2} g(13) &+& 4^{1}f(1) &+& e(1)\;&+ \\ - & 4^{31} f(1) &+& 4^{30} e(1) &+& 4^{23} d(7) &+& 4^{20} c(3) &+& 4^{18} b(4)^{hi} &+& 4^{16} b(4)^{lo} &+& 4^{13} a &+& g(13)\;& -\end{array} -$$ - -- check that `b` was properly split into subsections for 4-bit pieces. - - $W^{b(4)lo} + 2^2 W^{b(4)hi} - W = 0$ -- 2-bit range check and 2-bit spread check on $b(4)^{lo}, b(4)^{hi}$ -- 3-bit range check and 3-bit spread check on $a(3), c(3)$ - - -### Helper gates - -#### Small range constraints -Let $constrain_n(x) = \prod_{i=0}^n (x-i)$. Constraining this expression to equal zero enforces that $x$ is in $[0..n].$ - -#### 2-bit range check -$(a - 3)(a - 2)(a - 1)(a) = 0$ - -sr2| $a_0$ | ----|-------| - 1 | a | - -#### 2-bit spread -$l_1(a) + 4*l_2(a) + 5*l_3(a) - a' = 0$ - -ss2| $a_0$ | $a_1$ ----|-------|------ - 1 | a | a' - -with interpolation polynomials: -- $l_0(a) = \frac{(a - 3)(a - 2)(a - 1)}{(-3)(-2)(-1)}$ ($\mathtt{spread}(00) = 0000$) -- $l_1(a) = \frac{(a - 3)(a - 2)(a)}{(-2)(-1)(1)}$ ($\mathtt{spread}(01) = 0001$) -- $l_2(a) = \frac{(a - 3)(a - 1)(a)}{(-1)(1)(2)}$ ($\mathtt{spread}(10) = 0100$) -- $l_3(a) = \frac{(a - 2)(a - 1)(a)}{(1)(2)(3)}$ ($\mathtt{spread}(11) = 0101$) - -#### 3-bit range check -$(a - 7)(a - 6)(a - 5)(a - 4)(a - 3)(a - 2)(a - 1)(a) = 0$ - -sr3| $a_0$ | ----|-------| - 1 | a | - -#### 3-bit spread -$l_1(a) + 4*l_2(a) + 5*l_3(a) + 16*l_4(a) + 17*l_5(a) + 20*l_6(a) + 21*l_7(a) - a' = 0$ - -ss3| $a_0$ | $a_1$ ----|-------|------ - 1 | a | a' - -with interpolation polynomials: -- $l_0(a) = \frac{(a - 7)(a - 6)(a - 5)(a - 4)(a - 3)(a - 2)(a - 1)}{(-7)(-6)(-5)(-4)(-3)(-2)(-1)}$ ($\mathtt{spread}(000) = 000000$) -- $l_1(a) = \frac{(a - 7)(a - 6)(a - 5)(a - 4)(a - 3)(a - 2)(a)}{(-6)(-5)(-4)(-3)(-2)(-1)(1)}$ ($\mathtt{spread}(001) = 000001$) -- $l_2(a) = \frac{(a - 7)(a - 6)(a - 5)(a - 4)(a - 3)(a - 1)(a)}{(-5)(-4)(-3)(-2)(-1)(1)(2)}$ ($\mathtt{spread}(010) = 000100$) -- $l_3(a) = \frac{(a - 7)(a - 6)(a - 5)(a - 4)(a - 2)(a - 1)(a)}{(-4)(-3)(-2)(-1)(1)(2)(3)}$ ($\mathtt{spread}(011) = 000101$) -- $l_4(a) = \frac{(a - 7)(a - 6)(a - 5)(a - 3)(a - 2)(a - 1)(a)}{(-3)(-2)(-1)(1)(2)(3)(4)}$ ($\mathtt{spread}(100) = 010000$) -- $l_5(a) = \frac{(a - 7)(a - 6)(a - 4)(a - 3)(a - 2)(a - 1)(a)}{(-2)(-1)(1)(2)(3)(4)(5)}$ ($\mathtt{spread}(101) = 010001$) -- $l_6(a) = \frac{(a - 7)(a - 5)(a - 4)(a - 3)(a - 2)(a - 1)(a)}{(-1)(1)(2)(3)(4)(5)(6)}$ ($\mathtt{spread}(110) = 010100$) -- $l_7(a) = \frac{(a - 6)(a - 5)(a - 4)(a - 3)(a - 2)(a - 1)(a)}{(1)(2)(3)(4)(5)(6)(7)}$ ($\mathtt{spread}(111) = 010101$) - -#### reduce_6 gate -Addition $\pmod{2^{32}}$ of 6 elements - -Input: -- $E$ -- $\{e_i^{lo}, e_i^{hi}\}_{i=0}^5$ -- $carry$ - -Check: $E = e_0 + e_1 + e_2 + e_3 + e_4 + e_5 \pmod{32}$ - -Assume inputs are constrained to 16 bits. -- Addition gate (sa): - - $a_0 + a_1 + a_2 + a_3 + a_4 + a_5 + a_6 - a_7 = 0$ -- Carry gate (sc): - - $2^{16} a_6 \omega^{-1} + a_6 + [(a_6 - 5)(a_6 - 4)(a_6 -3)(a_6 - 2)(a_6 - 1)(a_6)] = 0$ - -sa|sc| $a_0$ | $a_1$ |$a_2$ |$a_3$ |$a_4$ |$a_5$ |$a_6$ |$a_7$ | ---|--|----------|----------|----------|----------|----------|----------|---------------|--------| -1 |0 |$e_0^{lo}$|$e_1^{lo}$|$e_2^{lo}$|$e_3^{lo}$|$e_4^{lo}$|$e_5^{lo}$|$-carry*2^{16}$|$E^{lo}$| -1 |1 |$e_0^{hi}$|$e_1^{hi}$|$e_2^{hi}$|$e_3^{hi}$|$e_4^{hi}$|$e_5^{hi}$|$carry$ |$E^{hi}$| - -Assume inputs are constrained to 16 bits. -- Addition gate (sa): - - $a_0 \omega^{-1} + a_1 \omega^{-1} + a_2 \omega^{-1} + a_0 + a_1 + a_2 + a_3 \omega^{-1} - a_3 = 0$ -- Carry gate (sc): - - $2^{16} a_3 \omega + a_3 \omega^{-1} = 0$ - - -sa|sc| $a_0$ | $a_1$ |$a_2$ |$a_3$ | ---|--|----------|----------|----------|---------------| -0 |0 |$e_0^{lo}$|$e_1^{lo}$|$e_2^{lo}$|$-carry*2^{16}$| -1 |1 |$e_3^{lo}$|$e_4^{lo}$|$e_5^{lo}$|$E^{lo}$ | -0 |0 |$e_0^{hi}$|$e_1^{hi}$|$e_2^{hi}$|$carry$ | -1 |0 |$e_3^{hi}$|$e_4^{hi}$|$e_5^{hi}$|$E^{hi}$ | - -#### reduce_7 gate -Addition $\pmod{2^{32}}$ of 7 elements - -Input: -- $E$ -- $\{e_i^{lo}, e_i^{hi}\}_{i=0}^6$ -- $carry$ - -Check: $E = e_0 + e_1 + e_2 + e_3 + e_4 + e_5 + e_6 \pmod{32}$ - -Assume inputs are constrained to 16 bits. -- Addition gate (sa): - - $a_0 + a_1 + a_2 + a_3 + a_4 + a_5 + a_6 + a_7 - a_8 = 0$ -- Carry gate (sc): - - $2^{16} a_7 \omega^{-1} + a_7 + [(a_7 - 6)(a_7 - 5)(a_7 - 4)(a_7 -3)(a_7 - 2)(a_7 - 1)(a_7)] = 0$ - -sa|sc| $a_0$ | $a_1$ |$a_2$ |$a_3$ |$a_4$ |$a_5$ |$a_6$ |$a_7$ |$a_8$ | ---|--|----------|----------|----------|----------|----------|----------|----------|---------------|--------| -1 |0 |$e_0^{lo}$|$e_1^{lo}$|$e_2^{lo}$|$e_3^{lo}$|$e_4^{lo}$|$e_5^{lo}$|$e_6^{lo}$|$-carry*2^{16}$|$E^{lo}$| -1 |1 |$e_0^{hi}$|$e_1^{hi}$|$e_2^{hi}$|$e_3^{hi}$|$e_4^{hi}$|$e_5^{hi}$|$e_6^{hi}$|$carry$ |$E^{hi}$| - - -### Message scheduling region -For each block $M \in \{0,1\}^{512}$ of the padded message, $64$ words of $32$ bits each are constructed as follows: -- the first $16$ are obtained by splitting $M$ into $32$-bit blocks $$M = W_0 || W_1 || \cdots || W_{14} || W_{15};$$ -- the remaining $48$ words are constructed using the formula: -$$W_i = \sigma_1(W_{i-2}) \boxplus W_{i-7} \boxplus \sigma_0(W_{i-15}) \boxplus W_{i-16},$$ for $16 \leq i < 64$. - -sw|sd0|sd1|sd2|sd3|ss0|ss0_v2|ss1|ss1_v2| $a_0$ | $a_1$ | $a_2$ | $a_3$ | $a_4$ | $a_5$ | $a_6$ | $a_7$ | $a_8$ | $a_9$ | ---|---|---|---|---|---|------|---|------|---------------|------------------|-----------------------------------|------------------------------|----------------------------------|---------------------------------|--------------------------------- |------------------------|----------------|--------------| -0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | {0,1,2,3,4,5} | $W_{0}^{lo}$ | $\texttt{spread}(W_{0}^{lo})$ | $W_{0}^{lo}$ | $W_{0}^{hi}$ | $W_{0}$ |$\sigma_0(W_1)^{lo}$ |$\sigma_1(W_{14})^{lo}$ | $W_{9}^{lo}$ | | -1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | {0,1,2,3,4,5} | $W_{0}^{hi}$ | $\texttt{spread}(W_{0}^{hi})$ | | | $W_{16}$ |$\sigma_0(W_1)^{hi}$ |$\sigma_1(W_{14})^{hi}$ | $W_{9}^{hi}$ | $carry_{16}$ | -0 | 1 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | {0,1,2,3,4} | $W_{1}^{d(14)}$ | $\texttt{spread}(W_{1}^{d(14)})$ | $W_{1}^{lo}$ | $W_{1}^{hi}$ | $W_{1}$ |$\sigma_0(W_2)^{lo}$ |$\sigma_1(W_{15})^{lo}$ | $W_{10}^{lo}$ | | -1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | {0,1,2} | $W_{1}^{c(11)}$ | $\texttt{spread}(W_{1}^{c(11)})$ | $W_{1}^{a(3)}$ | $W_{1}^{b(4)}$ | $W_{17}$ |$\sigma_0(W_2)^{hi}$ |$\sigma_1(W_{15})^{hi}$ | $W_{10}^{hi}$ | $carry_{17}$ | -0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | {0,1,2,3,4,5} | $R_0^{even}$ | $\texttt{spread}(R_0^{even})$ | $W_{1}^{b(4)lo}$ |$\texttt{spread}(W_{1}^{b(4)lo})$ | $W_{1}^{b(4)hi}$ |$\texttt{spread}(W_{1}^{b(4)hi})$ | | | | -0 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 0 | {0,1,2,3,4,5} | $R_1^{odd}$ | $\texttt{spread}(R_0^{odd})$ | $\texttt{spread}(R_1^{odd})$ |$\texttt{spread}(W_{1}^{c(11)})$ |$\texttt{spread}(W_{1}^{d(14)})$ | $W_{1}^{b(4)}$ | | | | -0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | {0,1,2,3,4,5} | $R_0^{odd}$ | $\texttt{spread}(R_1^{even})$ | $0$ | $0$ | $W_{1}^{a(3)}$ |$\texttt{spread}(W_{1}^{a(3)})$ | | | | -0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | {0,1,2,3,4,5} | $R_1^{even}$ | $\texttt{spread}(R_1^{odd})$ | $\sigma_0 v1 R_0$ | $\sigma_0 v1 R_1$ | $\sigma_0 v1 R_0^{even}$ | $\sigma_0 v1 R_0^{odd}$ | | | | -..|...|...|...|...|...|... |...|... | ... | ... | ... | ... | ... | ... | ... | ... | ... | | -0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | {0,1,2,3} | $W_{14}^{g(13)}$ | $\texttt{spread}(W_{14}^{g(13)})$ | $W_{14}^{a(3)}$ | $W_{14}^{c(3)}$ | | | | | | -0 | 1 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | $W_{14}^{d(7)}$ | $\texttt{spread}(W_{14}^{d(7)})$ | $W_{14}^{lo}$ | $W_{14}^{hi}$ | $W_{14}$ |$\sigma_0(W_{15})^{lo}$ |$\sigma_1(W_{28})^{lo}$ | $W_{23}^{lo}$ | | -1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | $W_{14}^{b(4)}$ | $\texttt{spread}(W_{14}^{b(4)})$ | $W_{14}^{e(1)}$ | $W_{14}^{f(1)}$ | $W_{30}$ |$\sigma_0(W_{15})^{hi}$ |$\sigma_1(W_{28})^{hi}$ | $W_{23}^{hi}$ | $carry_{30}$ | -0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | {0,1,2,3,4,5} | $R_0^{even}$ | $\texttt{spread}(R_0^{even})$ | $W_{14}^{b(4)lo}$ |$\texttt{spread}(W_{14}^{b(4)lo})$| $W_{14}^{b(4) hi}$ |$\texttt{spread}(W_{14}^{b(4)hi})$ | | | | -0 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | {0,1,2,3,4,5} | $R_0^{odd}$ | $\texttt{spread}(R_0^{odd})$ | $\texttt{spread}(R_1^{odd})$ |$\texttt{spread}(W_{14}^{d(7)})$ |$\texttt{spread}(W_{14}^{g(13)})$| $W_{1}^{b(14)}$ | $W_{14}^{e(1)}$ | | | -0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | {0,1,2,3,4,5} | $R_1^{even}$ | $\texttt{spread}(R_1^{even})$ | $W_{14}^{a(3)}$ |$\texttt{spread}(W_{14}^{a(3)})$ | $W_{14}^{c(3)}$ |$\texttt{spread}(W_{14}^{c(3)})$ | $W_{14}^{f(1)}$ | | | -0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | {0,1,2,3,4,5} | $R_1^{odd}$ | $\texttt{spread}(R_1^{odd})$ | $\sigma_0 v2 R_0$ | $\sigma_0 v2 R_1$ |$\sigma_0 v2 R_0^{even}$ |$\sigma_0 v2 R_0^{odd}$ | | | | -0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | {0,1,2,3,4,5} | $R_0^{even}$ | $\texttt{spread}(R_0^{even})$ | $W_{14}^{b(4)lo}$ |$\texttt{spread}(W_{14}^{b(4)lo})$| $W_{14}^{b(4) hi}$ |$\texttt{spread}(W_{14}^{b(4)hi})$ | | | | -0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | {0,1,2,3,4,5} | $R_0^{odd}$ | $\texttt{spread}(R_0^{odd})$ | $\texttt{spread}(R_1^{odd})$ | $\texttt{spread}(d)$ | $\texttt{spread}(g)$ | | $W_{14}^{e(1)}$ | | | -0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | {0,1,2,3,4,5} | $R_1^{even}$ | $\texttt{spread}(R_1^{even})$ | $W_{14}^{a(3)}$ |$\texttt{spread}(W_{14}^{a(3)})$ | $W_{14}^{c(3)}$ |$\texttt{spread}(W_{14}^{c(3)})$ | $W_{14}^{f(1)}$ | | | -0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | {0,1,2,3,4,5} | $R_1^{odd}$ | $\texttt{spread}(R_1^{odd})$ | $\sigma_1 v2 R_0$ | $\sigma_1 v2 R_1$ |$\sigma_1 v2 R_0^{even}$ |$\sigma_1 v2 R_0^{odd}$ | | | | -..|...|...|...|...|...|... |...|... | ... | ... | ... | ... | ... | ... | ... | ... | ... | | -0 | 1 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | {0,1,2,3} | $W_{49}^{d(13)}$ | $\texttt{spread}(W_{49}^{d(13)})$ | $W_{49}^{lo}$ | $W_{49}^{hi}$ | $W_{49}$ | | | | | -0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | {0,1} | $W_{49}^{a(10)}$ | $\texttt{spread}(W_{49}^{a(10)})$ | $W_{49}^{c(2)}$ | $W_{49}^{b(7)}$ | | | | | | -0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |{0,1,2,3,4,5} | $R_0^{even}$ | $\texttt{spread}(R_0^{even})$ | $W_{49}^{b(7)lo}$ |$\texttt{spread}(W_{49}^{b(7)lo})$| $W_{49}^{b(7)mid}$ |$\texttt{spread}(W_{49}^{b(7)mid})$| | | | -0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 |{0,1,2,3,4,5} | $R_0^{odd}$ | $\texttt{spread}(R_0^{odd})$ | $\texttt{spread}(R_1^{odd})$ | $\texttt{spread}(a)$ | $\texttt{spread}(d)$ | $W_{1}^{b(49)}$ | | | | -0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |{0,1,2,3,4,5} | $R_1^{even}$ | $\texttt{spread}(R_1^{even})$ | $W_{49}^{c(2)}$ |$\texttt{spread}(W_{49}^{c(2)})$ | $W_{49}^{b(7)hi}$ |$\texttt{spread}(W_{49}^{b(7)hi})$ | | | | -0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |{0,1,2,3,4,5} | $R_1^{odd}$ | $\texttt{spread}(R_1^{odd})$ | $\sigma_1 v1 R_0$ | $\sigma_1 v1 R_1$ |$\sigma_1 v1 R_0^{even}$ |$\sigma_1 v1 R_0^{odd}$ | | | | -..|...|...|...|...|...|... |...|... | ... | ... | ... | ... | ... | ... | ... | ... | ... | | -0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | {0,1,2,3,4,5} | $W_{62}^{lo}$ | $\texttt{spread}(W_{62}^{lo})$ | $W_{62}^{lo}$ | $W_{62}^{hi}$ | $W_{62}$ | | | | | -0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | {0,1,2,3,4,5} | $W_{62}^{hi}$ | $\texttt{spread}(W_{62}^{hi})$ | | | | | | | | -0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | {0,1,2,3,4,5} | $W_{63}^{lo}$ | $\texttt{spread}(W_{63}^{lo})$ | $W_{63}^{lo}$ | $W_{63}^{hi}$ | $W_{63}$ | | | | | -0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | {0,1,2,3,4,5} | $W_{63}^{hi}$ | $\texttt{spread}(W_{63}^{hi})$ | | | | | | | | - -Constraints: -- `sw`: construct word using $reduce_4$ -- `sd0`: decomposition gate for $W_0, W_{62}, W_{63}$ - - $W^{lo} + 2^{16} W^{hi} - W = 0$ -- `sd1`: decomposition gate for $W_{1..13}$ (split into $(3,4,11,14)$-bit pieces) - - $W^{a(3)} + 2^3 W^{b(4) lo} + 2^5 W^{b(4) hi} + 2^7 W^{c(11)} + 2^{18} W^{d(14)} - W = 0$ -- `sd2`: decomposition gate for $W_{14..48}$ (split into $(3,4,3,7,1,1,13)$-bit pieces) - - $W^{a(3)} + 2^3 W^{b(4) lo} + 2^5 W^{b(4) hi} + 2^7 W^{c(11)} + 2^{10} W^{d(14)} + 2^{17} W^{e(1)} + 2^{18} W^{f(1)} + 2^{19} W^{g(13)} - W = 0$ -- `sd3`: decomposition gate for $W_{49..61}$ (split into $(10,7,2,13)$-bit pieces) - - $W^{a(10)} + 2^{10} W^{b(7) lo} + 2^{12} W^{b(7) mid} + 2^{15} W^{b(7) hi} + 2^{17} W^{c(2)} + 2^{19} W^{d(13)} - W = 0$ - -### Compression region - -```plaintext -+----------------------------------------------------------+ -| | -| decompose E, | -| Σ_1(E) | -| | -| +---------------------------------------+ -| | | -| | reduce_5() to get H' | -| | | -+----------------------------------------------------------+ -| decompose F, decompose G | -| | -| Ch(E,F,G) | -| | -+----------------------------------------------------------+ -| | -| decompose A, | -| Σ_0(A) | -| | -| | -| +---------------------------------------+ -| | | -| | reduce_7() to get A_new, | -| | using H' | -| | | -+------------------+---------------------------------------+ -| decompose B, decompose C | -| | -| Maj(A,B,C) | -| | -| +---------------------------------------+ -| | reduce_6() to get E_new, | -| | using H' | -+------------------+---------------------------------------+ - -``` - -#### Initial round: - -s_digest|sd_abcd|sd_efgh|ss0|ss1|s_maj|s_ch_neg|s_ch|s_a_new |s_e_new |s_h_prime| $a_0$ | $a_1$ | $a_2$ | $a_3$ | $a_4$ | $a_5$ | $a_6$ | $a_7$ | $a_8$ | $a_9$ | ---------|-------|-------|---|---|-----|--------|----|--------|--------|---------|-------------|------------|-----------------------------|-------------------------------------|-------------------------------------|----------------------------------------|------------------------------------|------------------------------------|------------------------------------|------------------------------------| - 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | {0,1,2} |$F_0 d(7)$ |$\texttt{spread}(E_0 d(7)) $ | $E_0 b(5)^{lo}$ | $\texttt{spread}(E_0 b(5)^{lo})$ | $E_0 b(5)^{hi}$ | $\texttt{spread}(E_0 b(5)^{hi}) $ | $E_0^{lo}$ | $\mathtt{spread}(E_0^{lo})$ | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | {0,1} |$E_0 c(14)$ |$\texttt{spread}(E_0 c(14))$ | $E_0 a(6)^{lo}$ | $\texttt{spread}(E_0 a(6)^{lo})$ | $E_0 a(6)^{hi}$ | $\texttt{spread}(E_0 a(6)^{hi}) $ | $E_0^{hi}$ | $\mathtt{spread}(E_0^{hi})$ | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |{0,1,2,3,4,5}|$R_0^{even}$|$\texttt{spread}(R_0^{even})$| $\texttt{spread}(E_0 b(5)^{lo})$ | $\texttt{spread}(E_0 b(5)^{hi})$ | | | | | | - 0 | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 |{0,1,2,3,4,5}|$R_0^{odd}$ |$\texttt{spread}(R_0^{odd})$ | $\texttt{spread}(R_1^{odd})$ | $\texttt{spread}(E_0 d(7))$ | $\texttt{spread}(E_0 c(14))$ | | | | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |{0,1,2,3,4,5}|$R_1^{even}$|$\texttt{spread}(R_1^{even})$| $\texttt{spread}(E_0 a(6)^{lo})$ | $\texttt{spread}(E_0 a(6)^{hi})$ | | | | | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |{0,1,2,3,4,5}|$R_1^{odd}$ |$\texttt{spread}(R_1^{odd})$ | | | | | | | | - 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | {0,1,2} |$F_0 d(7)$ |$\texttt{spread}(F_0 d(7)) $ | $F_0 b(5)^{lo}$ | $\texttt{spread}(F_0 b(5)^{lo})$ | $F_0 b(5)^{hi}$ | $\texttt{spread}(F_0 b(5)^{hi}) $ | $F_0^{lo}$ | $\mathtt{spread}(F_0^{lo})$ | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | {0,1} |$F_0 c(14)$ |$\texttt{spread}(F_0 c(14))$ | $F_0 a(6)^{lo}$ | $\texttt{spread}(F_0 a(6)^{lo})$ | $F_0 a(6)^{hi}$ | $\texttt{spread}(F_0 a(6)^{hi}) $ | $F_0^{hi}$ | $\mathtt{spread}(F_0^{hi})$ | | - 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | {0,1,2} |$G_0 d(7)$ |$\texttt{spread}(G_0 d(7)) $ | $G_0 b(5)^{lo}$ | $\texttt{spread}(G_0 b(5)^{lo})$ | $G_0 b(5)^{hi}$ | $\texttt{spread}(G_0 b(5)^{hi}) $ | $G_0^{lo}$ | $\mathtt{spread}(G_0^{lo})$ | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | {0,1} |$G_0 c(14)$ |$\texttt{spread}(G_0 c(14))$ | $G_0 a(6)^{lo}$ | $\texttt{spread}(G_0 a(6)^{lo})$ | $G_0 a(6)^{hi}$ | $\texttt{spread}(G_0 a(6)^{hi}) $ | $G_0^{hi}$ | $\mathtt{spread}(G_0^{hi})$ | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |{0,1,2,3,4,5}|$P_0^{even}$|$\texttt{spread}(P_0^{even})$| $\mathtt{spread}(E^{lo})$ | $\mathtt{spread}(E^{hi})$ | $Q_0^{odd}$ | $K_0^{lo}$ | $H_0^{lo}$ | $W_0^{lo}$ | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 1 |{0,1,2,3,4,5}|$P_0^{odd}$ |$\texttt{spread}(P_0^{odd})$ | $\texttt{spread}(P_1^{odd})$ | $\Sigma_1(E_0)^{lo}$ | $\Sigma_1(E_0)^{hi}$ | $K_0^{hi}$ | $H_0^{hi}$ | $W_0^{hi}$ | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |{0,1,2,3,4,5}|$P_1^{even}$|$\texttt{spread}(P_1^{even})$| $\mathtt{spread}(F^{lo})$ | $\mathtt{spread}(F^{hi})$ | $Q_1^{odd}$ | $P_1^{odd}$ | $Hprime_0^{lo}$ | $Hprime_0^{hi}$ | $Hprime_0 carry$ | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |{0,1,2,3,4,5}|$P_1^{odd}$ |$\texttt{spread}(P_1^{odd})$ | | | | | $D_0^{lo}$ | $E_1^{lo}$ | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 0 |{0,1,2,3,4,5}|$Q_0^{even}$|$\texttt{spread}(Q_0^{even})$| $\mathtt{spread}(E_{neg}^{lo})$ | $\mathtt{spread}(E_{neg}^{hi})$ | $\mathtt{spread}(E^{lo})$ | | $D_0^{hi}$ | $E_1^{hi}$ | $E_1 carry$ | - 0 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |{0,1,2,3,4,5}|$Q_0^{odd}$ |$\texttt{spread}(Q_0^{odd})$ | $\texttt{spread}(Q_1^{odd})$ | | $\mathtt{spread}(E^{hi})$ | | | | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |{0,1,2,3,4,5}|$Q_1^{even}$|$\texttt{spread}(Q_1^{even})$| $\mathtt{spread}(G^{lo})$ | $\mathtt{spread}(G^{hi})$ | | | | | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |{0,1,2,3,4,5}|$Q_1^{odd}$ |$\texttt{spread}(Q_1^{odd})$ | | | | | | | | - 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | {0,1,2} |$A_0 b(11)$ |$\texttt{spread}(A_0 b(11))$ | $A_0 c(9)^{lo}$ | $\texttt{spread}(A_0 c(9)^{lo})$ | $A_0 c(9)^{mid}$ | $\texttt{spread}(A_0 c(9)^{mid})$ | $A_0^{lo}$ | $\mathtt{spread}(A_0^{lo})$ | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | {0,1} |$A_0 d(10)$ |$\texttt{spread}(A_0 d(10))$ | $A_0 a(2)$ | $\texttt{spread}(A_0 a(2))$ | $A_0 c(9)^{hi}$ | $\texttt{spread}(A_0 c(9)^{hi})$ | $A_0^{hi}$ | $\mathtt{spread}(A_0^{hi})$ | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |{0,1,2,3,4,5}|$R_0^{even}$|$\texttt{spread}(R_0^{even})$| $\texttt{spread}(c(9)^{lo})$ | $\texttt{spread}(c(9)^{mid})$ | | | | | | - 0 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |{0,1,2,3,4,5}|$R_0^{odd}$ |$\texttt{spread}(R_0^{odd})$ | $\texttt{spread}(R_1^{odd})$ | $\texttt{spread}(d(10))$ | $\texttt{spread}(b(11))$ | | | | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |{0,1,2,3,4,5}|$R_1^{even}$|$\texttt{spread}(R_1^{even})$| $\texttt{spread}(a(2))$ | $\texttt{spread}(c(9)^{hi})$ | | | | | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |{0,1,2,3,4,5}|$R_1^{odd}$ |$\texttt{spread}(R_1^{odd})$ | | | | | | | | - 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | {0,1,2} |$B_0 b(11)$ |$\texttt{spread}(B_0 b(11))$ | $B_0 c(9)^{lo}$ | $\texttt{spread}(B_0 c(9)^{lo})$ | $B_0 c(9)^{mid}$ | $\texttt{spread}(B_0 c(9)^{mid})$ | $B_0^{lo}$ | $\mathtt{spread}(B_0^{lo})$ | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | {0,1} |$B_0 d(10)$ |$\texttt{spread}(B_0 d(10))$ | $B_0 a(2)$ | $\texttt{spread}(B_0 a(2))$ | $B_0 c(9)^{hi}$ | $\texttt{spread}(B_0 c(9)^{hi})$ | $B_0^{hi}$ | $\mathtt{spread}(B_0^{hi})$ | | - 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | {0,1,2} |$C_0 b(11)$ |$\texttt{spread}(C_0 b(11))$ | $C_0 c(9)^{lo}$ | $\texttt{spread}(C_0 c(9)^{lo})$ | $C_0 c(9)^{mid}$ | $\texttt{spread}(C_0 c(9)^{mid})$ | $C_0^{lo}$ | $\mathtt{spread}(C_0^{lo})$ | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | {0,1} |$C_0 d(10)$ |$\texttt{spread}(C_0 d(10))$ | $C_0 a(2)$ | $\texttt{spread}(C_0 a(2))$ | $C_0 c(9)^{hi}$ | $\texttt{spread}(C_0 c(9)^{hi})$ | $C_0^{hi}$ | $\mathtt{spread}(C_0^{hi})$ | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |{0,1,2,3,4,5}|$M_0^{even}$|$\texttt{spread}(M_0^{even})$| $M_1^{odd}$ | $\mathtt{spread}(A_0^{lo})$ | $\mathtt{spread}(A_0^{hi})$ | | $Hprime_0^{lo}$ | $Hprime_0^{hi}$ | | - 0 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 1 | 0 | 0 |{0,1,2,3,4,5}|$M_0^{odd}$ |$\texttt{spread}(M_0^{odd})$ | $\texttt{spread}(M_1^{odd})$ | $\mathtt{spread}(B_0^{lo})$ | $\mathtt{spread}(B_0^{hi})$ | $\Sigma_0(A_0)^{lo}$ | | $A_1^{lo}$ | $A_1 carry$ | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |{0,1,2,3,4,5}|$M_1^{even}$|$\texttt{spread}(M_1^{even})$| | $\mathtt{spread}(C_0^{lo})$ | $\mathtt{spread}(C_0^{hi})$ | $\Sigma_0(A_0)^{hi}$ | | $A_1^{hi}$ | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |{0,1,2,3,4,5}|$M_1^{odd}$ |$\texttt{spread}(M_1^{odd})$ | | | | | | | | - -#### Steady-state: - -s_digest|sd_abcd|sd_efgh|ss0|ss1|s_maj|s_ch_neg|s_ch|s_a_new |s_e_new |s_h_prime| $a_0$ | $a_1$ | $a_2$ | $a_3$ | $a_4$ | $a_5$ | $a_6$ | $a_7$ | $a_8$ | $a_9$ | ---------|-------|-------|---|---|-----|--------|----|--------|--------|---------|-------------|------------|-----------------------------|-------------------------------------|-------------------------------------|----------------------------------------|------------------------------------|------------------------------------|------------------------------------|------------------------------------| - 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | {0,1,2} |$F_0 d(7)$ |$\texttt{spread}(E_0 d(7)) $ | $E_0 b(5)^{lo}$ | $\texttt{spread}(E_0 b(5)^{lo})$ | $E_0 b(5)^{hi}$ | $\texttt{spread}(E_0 b(5)^{hi}) $ | $E_0^{lo}$ | $\mathtt{spread}(E_0^{lo})$ | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | {0,1} |$E_0 c(14)$ |$\texttt{spread}(E_0 c(14))$ | $E_0 a(6)^{lo}$ | $\texttt{spread}(E_0 a(6)^{lo})$ | $E_0 a(6)^{hi}$ | $\texttt{spread}(E_0 a(6)^{hi}) $ | $E_0^{hi}$ | $\mathtt{spread}(E_0^{hi})$ | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |{0,1,2,3,4,5}|$R_0^{even}$|$\texttt{spread}(R_0^{even})$| $\texttt{spread}(E_0 b(5)^{lo})$ | $\texttt{spread}(E_0 b(5)^{hi})$ | | | | | | - 0 | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 |{0,1,2,3,4,5}|$R_0^{odd}$ |$\texttt{spread}(R_0^{odd})$ | $\texttt{spread}(R_1^{odd})$ | $\texttt{spread}(E_0 d(7))$ | $\texttt{spread}(E_0 c(14))$ | | | | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |{0,1,2,3,4,5}|$R_1^{even}$|$\texttt{spread}(R_1^{even})$| $\texttt{spread}(E_0 a(6)^{lo})$ | $\texttt{spread}(E_0 a(6)^{hi})$ | | | | | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |{0,1,2,3,4,5}|$R_1^{odd}$ |$\texttt{spread}(R_1^{odd})$ | | | | | | | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |{0,1,2,3,4,5}|$P_0^{even}$|$\texttt{spread}(P_0^{even})$| $\mathtt{spread}(E^{lo})$ | $\mathtt{spread}(E^{hi})$ | $Q_0^{odd}$ | $K_0^{lo}$ | $H_0^{lo}$ | $W_0^{lo}$ | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 1 |{0,1,2,3,4,5}|$P_0^{odd}$ |$\texttt{spread}(P_0^{odd})$ | $\texttt{spread}(P_1^{odd})$ | $\Sigma_1(E_0)^{lo}$ | $\Sigma_1(E_0)^{hi}$ | $K_0^{hi}$ | $H_0^{hi}$ | $W_0^{hi}$ | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |{0,1,2,3,4,5}|$P_1^{even}$|$\texttt{spread}(P_1^{even})$| $\mathtt{spread}(F^{lo})$ | $\mathtt{spread}(F^{hi})$ | $Q_1^{odd}$ | $P_1^{odd}$ | $Hprime_0^{lo}$ | $Hprime_0^{hi}$ | $Hprime_0 carry$ | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |{0,1,2,3,4,5}|$P_1^{odd}$ |$\texttt{spread}(P_1^{odd})$ | | | | | $D_0^{lo}$ | $E_1^{lo}$ | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 0 |{0,1,2,3,4,5}|$Q_0^{even}$|$\texttt{spread}(Q_0^{even})$| $\mathtt{spread}(E_{neg}^{lo})$ | $\mathtt{spread}(E_{neg}^{hi})$ | $\mathtt{spread}(E^{lo})$ | | $D_0^{hi}$ | $E_1^{hi}$ | $E_1 carry$ | - 0 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |{0,1,2,3,4,5}|$Q_0^{odd}$ |$\texttt{spread}(Q_0^{odd})$ | $\texttt{spread}(Q_1^{odd})$ | | $\mathtt{spread}(E^{hi})$ | | | | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |{0,1,2,3,4,5}|$Q_1^{even}$|$\texttt{spread}(Q_1^{even})$| $\mathtt{spread}(G^{lo})$ | $\mathtt{spread}(G^{hi})$ | | | | | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |{0,1,2,3,4,5}|$Q_1^{odd}$ |$\texttt{spread}(Q_1^{odd})$ | | | | | | | | - 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | {0,1,2} |$A_0 b(11)$ |$\texttt{spread}(A_0 b(11))$ | $A_0 c(9)^{lo}$ | $\texttt{spread}(A_0 c(9)^{lo})$ | $A_0 c(9)^{mid}$ | $\texttt{spread}(A_0 c(9)^{mid})$ | $A_0^{lo}$ | $\mathtt{spread}(A_0^{lo})$ | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | {0,1} |$A_0 d(10)$ |$\texttt{spread}(A_0 d(10))$ | $A_0 a(2)$ | $\texttt{spread}(A_0 a(2))$ | $A_0 c(9)^{hi}$ | $\texttt{spread}(A_0 c(9)^{hi})$ | $A_0^{hi}$ | $\mathtt{spread}(A_0^{hi})$ | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |{0,1,2,3,4,5}|$R_0^{even}$|$\texttt{spread}(R_0^{even})$| $\texttt{spread}(c(9)^{lo})$ | $\texttt{spread}(c(9)^{mid})$ | | | | | | - 0 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |{0,1,2,3,4,5}|$R_0^{odd}$ |$\texttt{spread}(R_0^{odd})$ | $\texttt{spread}(R_1^{odd})$ | $\texttt{spread}(d(10))$ | $\texttt{spread}(b(11))$ | | | | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |{0,1,2,3,4,5}|$R_1^{even}$|$\texttt{spread}(R_1^{even})$| $\texttt{spread}(a(2))$ | $\texttt{spread}(c(9)^{hi})$ | | | | | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |{0,1,2,3,4,5}|$R_1^{odd}$ |$\texttt{spread}(R_1^{odd})$ | | | | | | | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |{0,1,2,3,4,5}|$M_0^{even}$|$\texttt{spread}(M_0^{even})$| $M_1^{odd}$ | $\mathtt{spread}(A_0^{lo})$ | $\mathtt{spread}(A_0^{hi})$ | | $Hprime_0^{lo}$ | $Hprime_0^{hi}$ | | - 0 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 1 | 0 | 0 |{0,1,2,3,4,5}|$M_0^{odd}$ |$\texttt{spread}(M_0^{odd})$ | $\texttt{spread}(M_1^{odd})$ | $\mathtt{spread}(B_0^{lo})$ | $\mathtt{spread}(B_0^{hi})$ | $\Sigma_0(A_0)^{lo}$ | | $A_1^{lo}$ | $A_1 carry$ | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |{0,1,2,3,4,5}|$M_1^{even}$|$\texttt{spread}(M_1^{even})$| | $\mathtt{spread}(C_0^{lo})$ | $\mathtt{spread}(C_0^{hi})$ | $\Sigma_0(A_0)^{hi}$ | | $A_1^{hi}$ | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |{0,1,2,3,4,5}|$M_1^{odd}$ |$\texttt{spread}(M_1^{odd})$ | | | | | | | | - -#### Final digest: -s_digest|sd_abcd|sd_efgh|ss0|ss1|s_maj|s_ch_neg|s_ch|s_a_new |s_e_new |s_h_prime| $a_0$ | $a_1$ | $a_2$ | $a_3$ | $a_4$ | $a_5$ | $a_6$ | $a_7$ | $a_8$ | $a_9$ | ---------|-------|-------|---|---|-----|--------|----|--------|--------|---------|-------------|-------------|------------------------------|-------------------------------------|-------------------------------------|----------------------------------------|------------------------------------|------------------------------------|------------------------------------|------------------------------------| - 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | $A_{63}^{lo}$ | $A_{63}^{hi}$ | $A_{63}$ | $B_{63}^{lo}$ | $B_{63}^{hi}$ | $B_{63}$ | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | $C_{63}^{lo}$ | $C_{63}^{hi}$ | $C_{63}$ | $C_{63}^{lo}$ | $C_{63}^{hi}$ | $C_{63}$ | | - 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | $E_{63}^{lo}$ | $E_{63}^{hi}$ | $E_{63}$ | $G_{63}^{lo}$ | $G_{63}^{hi}$ | $G_{63}$ | | - 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | $F_{63}^{lo}$ | $F_{63}^{hi}$ | $F_{63}$ | $H_{63}^{lo}$ | $H_{63}^{hi}$ | $H_{63}$ | | diff --git a/book/src/design/gadgets/sha256/upp_sigma_0.png b/book/src/design/gadgets/sha256/upp_sigma_0.png deleted file mode 100644 index f509e5d58d..0000000000 Binary files a/book/src/design/gadgets/sha256/upp_sigma_0.png and /dev/null differ diff --git a/book/src/design/gadgets/sha256/upp_sigma_1.png b/book/src/design/gadgets/sha256/upp_sigma_1.png deleted file mode 100644 index 6f80dc710c..0000000000 Binary files a/book/src/design/gadgets/sha256/upp_sigma_1.png and /dev/null differ diff --git a/book/src/design/gadgets/sinsemilla.md b/book/src/design/gadgets/sinsemilla.md deleted file mode 100644 index b5fee9fc46..0000000000 --- a/book/src/design/gadgets/sinsemilla.md +++ /dev/null @@ -1,262 +0,0 @@ -# Sinsemilla - -## Overview -Sinsemilla is a collision-resistant hash function and commitment scheme designed to be efficient in algebraic circuit models that support [lookups](https://zcash.github.io/halo2/design/proving-system/lookup.html), such as PLONK or Halo 2. - -The security properties of Sinsemilla are similar to Pedersen hashes; it is **not** designed to be used where a random oracle, PRF, or preimage-resistant hash is required. **The only claimed security property of the hash function is collision-resistance for fixed-length inputs.** - -Sinsemilla is roughly 4 times less efficient than the algebraic hashes Rescue and Poseidon inside a circuit, but around 19 times more efficient than Rescue outside a circuit. Unlike either of these hashes, the collision resistance property of Sinsemilla can be proven based on cryptographic assumptions that have been well-established for at least 20 years. Sinsemilla can also be used as a computationally binding and perfectly hiding commitment scheme. - -The general approach is to split the message into $k$-bit pieces, and for each piece, select from a table of $2^k$ bases in our cryptographic group. We combine the selected bases using a double-and-add algorithm. This ends up being provably as secure as a vector Pedersen hash, and makes advantageous use of the lookup facility supported by Halo 2. - -## Description - -This section is an outline of how Sinsemilla works: for the normative specification, refer to [§5.4.1.9 Sinsemilla Hash Function](https://zips.z.cash/protocol/protocol.pdf#concretesinsemillahash) in the protocol spec. The incomplete point addition operator, ⸭, that we use below is also defined there. - -Let $\mathbb{G}$ be a cryptographic group of prime order $q$. We write $\mathbb{G}$ additively, with identity $\mathcal{O}$, and using $[m] P$ for scalar multiplication of $P$ by $m$. - -Let $k \geq 1$ be an integer chosen based on efficiency considerations (the table size will be $2^k$). Let $n$ be an integer, fixed for each instantiation, such that messages are $kn$ bits, where $2^n \leq \frac{q-1}{2}$. We use zero-padding to the next multiple of $k$ bits if necessary. - -$\textsf{Setup}$: Choose $Q$ and $P[0..2^k - 1]$ as $2^k + 1$ independent, verifiably random generators of $\mathbb{G}$, using a suitable hash into $\mathbb{G}$, such that none of $Q$ or $P[0..2^k - 1]$ are $\mathcal{O}$. - -> In Orchard, we define $Q$ to be dependent on a domain separator $D$. The protocol specification uses $\mathcal{Q}(D)$ in place of $Q$ and $\mathcal{S}(m)$ in place of $P[m]$. - -$\textsf{Hash}(M)$: -- Split $M$ into $n$ groups of $k$ bits. Interpret each group as a $k$-bit little-endian integer $m_i$. -- let $\mathsf{Acc}_0 := Q$ -- for $i$ from $0$ up to $n-1$: - - let $\mathsf{Acc}_{i+1} := (\mathsf{Acc}_i \;⸭\; P[m_{i+1}]) \;⸭\; \mathsf{Acc}_i$ -- return $\mathsf{Acc}_n$ - -Let $\textsf{ShortHash}(M)$ be the $x$-coordinate of $\textsf{Hash}(M)$. (This assumes that $\mathbb{G}$ is a prime-order elliptic curve in short Weierstrass form, as is the case for Pallas and Vesta.) - -> It is slightly more efficient to express a double-and-add $[2] A + R$ as $(A + R) + A$. We also use incomplete additions: it is shown in the [Sinsemilla security argument](https://zips.z.cash/protocol/protocol.pdf#sinsemillasecurity) that in the case where $\mathbb{G}$ is a prime-order short Weierstrass elliptic curve, an exceptional case for addition would lead to finding a discrete logarithm, which can be assumed to occur with negligible probability even for adversarial input. - -### Use as a commitment scheme -Choose another generator $H$ independently of $Q$ and $P[0..2^k - 1]$. - -The randomness $r$ for a commitment is chosen uniformly on $[0, q)$. - -Let $\textsf{Commit}_r(M) = \textsf{Hash}(M) \;⸭\; [r] H$. - -Let $\textsf{ShortCommit}_r(M)$ be the $x\text{-coordinate}$ of $\textsf{Commit}_r(M)$. (This again assumes that $\mathbb{G}$ is a prime-order elliptic curve in short Weierstrass form.) - -Note that unlike a simple Pedersen commitment, this commitment scheme ($\textsf{Commit}$ or $\textsf{ShortCommit}$) is not additively homomorphic. - -## Efficient implementation -The aim of the design is to optimize the number of bits that can be processed for each step of the algorithm (which requires a doubling and addition in $\mathbb{G}$) for a given table size. Using a single table of size $2^k$ group elements, we can process $k$ bits at a time. - -### Incomplete addition - -In each step of Sinsemilla we want to compute $A_{i+1} := (A_i \;⸭\; P_i) \;⸭\; A_i$. Let -$R_i := A_i \;⸭\; P_i$ be the intermediate result such that $A_{i+1} := A_i \;⸭\; R_i$. -Recalling the [incomplete addition formulae](ecc/addition.md#incomplete-addition): - -$$ -\begin{aligned} -x_3 &= \left(\frac{y_1 - y_2}{x_1 - x_2}\right)^2 - x_1 - x_2 \\ -y_3 &= \frac{y_1 - y_2}{x_1 - x_2} \cdot (x_1 - x_3) - y_1 \\ -\end{aligned} -$$ - -Let $\lambda = \frac{y_1 - y_2}{x_1 - x_2}$. Substituting the coordinates for each of the -incomplete additions in turn, and rearranging, we get - -$$ -\begin{aligned} -\lambda_{1,i} &= \frac{y_{A,i} - y_{P,i}}{x_{A,i} - x_{P,i}} \\ -&\implies y_{A,i} - y_{P,i} = \lambda_{1,i} \cdot (x_{A,i} - x_{P,i}) \\ -&\implies y_{P,i} = y_{A,i} - \lambda_{1,i} \cdot (x_{A,i} - x_{P,i}) \\ -x_{R,i} &= \lambda_{1,i}^2 - x_{A,i} - x_{P,i} \\ -y_{R,i} &= \lambda_{1,i} \cdot (x_{A,i} - x_{R,i}) - y_{A,i} \\ -\end{aligned} -$$ -and -$$ -\begin{aligned} -\lambda_{2,i} &= \frac{y_{A,i} - y_{R,i}}{x_{A,i} - x_{R,i}} \\ -&\implies y_{A,i} - y_{R,i} = \lambda_{2,i} \cdot (x_{A,i} - x_{R,i}) \\ -&\implies y_{A,i} - \left( \lambda_{1,i} \cdot (x_{A,i} - x_{R,i}) - y_{A,i} \right) = \lambda_{2,i} \cdot (x_{A,i} - x_{R,i}) \\ -&\implies 2 \cdot y_{A,i} = (\lambda_{1,i} + \lambda_{2,i}) \cdot (x_{A,i} - x_{R,i}) \\ -x_{A,i+1} &= \lambda_{2,i}^2 - x_{A,i} - x_{R,i} \\ -y_{A,i+1} &= \lambda_{2,i} \cdot (x_{A,i} - x_{A,i+1}) - y_{A,i}. \\ -\end{aligned} -$$ - -### Constraint program -Let $\mathcal{P} = \left\{(j,\, x_{P[j]},\, y_{P[j]}) \text{ for } j \in \{0..2^k - 1\}\right\}$. - -Input: $m_{1..=n}$. (The message words are 1-indexed here, as in the [protocol spec](https://zips.z.cash/protocol/nu5.pdf#concretesinsemillahash), but we start the loop from $i = 0$ so that $(x_{A,i}, y_{A,i})$ corresponds to $\mathsf{Acc}_i$ in the protocol spec.) - -Output: $(x_{A,n},\, y_{A,n})$. - -- $(x_{A,0},\, y_{A,0}) = Q$ -- for $i$ from $0$ up to $n-1$: - - $y_{P,i} = y_{A,i} - \lambda_{1,i} \cdot (x_{A,i} - x_{P,i})$ - - $x_{R,i} = \lambda_{1,i}^2 - x_{A,i} - x_{P,i}$ - - $2 \cdot y_{A,i} = (\lambda_{1,i} + \lambda_{2,i}) \cdot (x_{A,i} - x_{R,i})$ - - $(m_{i+1},\, x_{P,i},\, y_{P,i}) \in \mathcal{P}$ - - $\lambda_{2,i}^2 = x_{A,i+1} + x_{R,i} + x_{A,i}$ - - $\lambda_{2,i} \cdot (x_{A,i} - x_{A,i+1}) = y_{A,i} + y_{A,i+1}$ - - -## PLONK / Halo 2 constraints - -### Message decomposition -We have an $n$-bit message $m = m_1 + 2^k m_2 + ... + 2^{k\cdot (n-1)} m_n$. (Note that the message words are 1-indexed as in the [protocol spec](https://zips.z.cash/protocol/nu5.pdf#concretesinsemillahash).) - -Initialise the running sum $z_0 = \alpha$ and define $z_{i + 1} := \frac{z_{i} - m_{i+1}}{2^K}$. We will end up with $z_n = 0.$ - -Rearranging gives us an expression for each word of the original message -$m_{i+1} = z_{i} - 2^k \cdot z_{i + 1}$, which we can look up in the table. We position -$z_{i}$ and $z_{i + 1}$ in adjacent rows of the same column, so we can sequentially apply -the constraint across the entire message. - -In other words, $z_{n-i} = \sum\limits_{h=0}^{i-1} 2^{kh} \cdot m_{h+1}$. - -> For a little-endian decomposition as used here, the running sum is initialized to the scalar and ends at 0. For a big-endian decomposition as used in [variable-base scalar multiplication](https://hackmd.io/o9EzZBwxSWSi08kQ_fMIOw), the running sum would start at 0 and end with recovering the original scalar. - -### Efficient packing - -The running sum only applies to message words within a single field element. That means if -$n \geq \mathtt{PrimeField::NUM\_BITS}$ then we will need several disjoint running sums. A -longer message can be constructed by splitting the message words across several field -elements, and then running several instances of the constraints below. - -The expression for $m_{i+1}$ above requires $n + 1$ rows in the $z_{i}$ column, leaving a -one-row gap in adjacent columns and making $\mathsf{Acc}_i$ tricker to accumulate. In -order to support chaining multiple field elements without a gap, we use a slightly more -complicated expression for $m_{i+1}$ that includes a selector: - -$$m_{i+1} = z_{i} - 2^k \cdot q_{run,i} \cdot z_{i+1}$$ - -This effectively forces $\mathbf{z}_n$ to zero for the last step of each element, which -allows the cell that would have been $\mathbf{z}_n$ to be used to reinitialize the running -sum for the next element. - -With this sorted out, the incomplete addition accumulator can eliminate $y_{A,i}$ almost -entirely, by substituting for $x$ and $\lambda$ values in the current and next rows. The -two exceptions are at the start of Sinsemilla (where we need to constrain the accumulator -to have initial value $Q$), and the end (where we need to witness $y_{A,n}$ for use -outside of Sinsemilla). - -### Selectors - -We need a total of four logical selectors to: - -- Control the Sinsemilla gate and lookup. -- Distinguish between the last message word in a running sum and its earlier words. -- Mark the start of Sinsemilla. -- Mark the end of Sinsemilla. - -We use regular selector columns for the Sinsemilla gate selector $q_{S1}$ and Sinsemilla -start selector $q_{S4}.$ The other two selectors are synthesized from a single fixed -column $q_{S2}$ as follows: - -$$ -\begin{aligned} -q_{S3} &= q_{S2} \cdot (q_{S2} - 1) \\ -q_{run} &= q_{S2} - q_{S3} \\ -\end{aligned} -$$ - -$$ -\begin{array}{|c|c|c|} -\hline -q_{S2} & q_{S3} & q_{run} \\\hline - 0 & 0 & 0 \\\hline - 1 & 0 & 1 \\\hline - 2 & 2 & 0 \\\hline -\end{array} -$$ - -We set $q_{S2}$ to $1$ on most Sinsemilla rows, and $0$ for the last step of each element, -except for the last element where it is set to $2$. We can then use $q_{S3}$ to toggle -between constraining the substituted $y_{A,i+1}$ on adjacent rows, and the witnessed -$y_{A,n}$ at the end of Sinsemilla: - -$$ -\lambda_{2,i} \cdot (x_{A,i} - x_{A,i+1}) = y_{A,i} + \frac{2 - q_{S3}}{2} \cdot y_{A,i+1} + \frac{q_{S3}}{2} \cdot y_{A,n} -$$ - -### Generator lookup table -The Sinsemilla circuit makes use of $2^{10}$ pre-computed random generators. These are loaded into a lookup table: -$$ -\begin{array}{|c|c|c|} -\hline - table_{idx} & table_x & table_y \\\hline - 0 & x_{P[0]} & y_{P[0]} \\\hline - 1 & x_{P[1]} & y_{P[1]} \\\hline - 2 & x_{P[2]} & y_{P[2]} \\\hline - \vdots & \vdots & \vdots \\\hline - 2^{10} - 1 & x_{P[2^{10}-1]} & y_{P[2^{10}-1]} \\\hline -\end{array} -$$ - -### Layout -$$ -\begin{array}{|c|c|c|c|c|c|c|c|c|c|} -\hline -\text{Step} & x_A & x_P & bits & \lambda_1 & \lambda_2 & q_{S1} & q_{S2} & q_{S4} & \textsf{fixed\_y\_Q}\\\hline - 0 & x_Q & x_{P[m_1]} & z_0 & \lambda_{1,0} & \lambda_{2,0} & 1 & 1 & 1 & y_Q \\\hline - 1 & x_{A,1} & x_{P[m_2]} & z_1 & \lambda_{1,1} & \lambda_{2,1} & 1 & 1 & 0 & 0 \\\hline - 2 & x_{A,2} & x_{P[m_3]} & z_2 & \lambda_{1,2} & \lambda_{2,2} & 1 & 1 & 0 & 0 \\\hline - \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & 1 & 1 & 0 & 0 \\\hline - n-1 & x_{A,n-1} & x_{P[m_n]} & z_{n-1} & \lambda_{1,n-1} & \lambda_{2,n-1} & 1 & 0 & 0 & 0 \\\hline - 0' & x'_{A,0} & x_{P[m'_1]} & z'_0 & \lambda'_{1,0} & \lambda'_{2,0} & 1 & 1 & 0 & 0 \\\hline - 1' & x'_{A,1} & x_{P[m'_2]} & z'_1 & \lambda'_{1,1} & \lambda'_{2,1} & 1 & 1 & 0 & 0 \\\hline - 2' & x'_{A,2} & x_{P[m'_3]} & z'_2 & \lambda'_{1,2} & \lambda'_{2,2} & 1 & 1 & 0 & 0 \\\hline - \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & 1 & 1 & 0 & 0 \\\hline - n-1' & x'_{A,n-1} & x_{P[m'_n]} & z'_{n-1} & \lambda'_{1,n-1} & \lambda'_{2,n-1} & 1 & 2 & 0 & 0 \\\hline - n' & x'_{A,n} & & & y_{A,n} & & 0 & 0 & 0 & 0 \\\hline -\end{array} -$$ - -$x_Q$, $z_0$, $z'_0$, etc. are copied in using equality constraints. - -### Optimized Sinsemilla gate -$$ -\begin{array}{lrcl} -\text{For } i \in [0, n), \text{ let} &x_{R,i} &=& \lambda_{1,i}^2 - x_{A,i} - x_{P,i} \\ - &Y_{A,i} &=& (\lambda_{1,i} + \lambda_{2,i}) \cdot (x_{A,i} - x_{R,i}) \\ - &y_{P,i} &=& Y_{A,i}/2 - \lambda_{1,i} \cdot (x_{A,i} - x_{P,i}) \\ - &m_{i+1} &=& z_{i} - q_{run,i} \cdot z_{i+1} \cdot 2^k \\ - &q_{run} &=& q_{S2} - q_{S3} \\ - &q_{S3} &=& q_{S2} \cdot (q_{S2} - 1) -\end{array} -$$ - -The Halo 2 circuit API can automatically substitute $y_{P,i}$, $x_{R,i}$, $Y_{A,i}$, and -$Y_{A,i+1}$, so we don't need to do that manually. - -- $x_{A,0} = x_Q$ -- $2 \cdot y_Q = Y_{A,0}$ -- for $i$ from $0$ up to $n-1$: - - $(m_{i+1},\, x_{P,i},\, y_{P,i}) \in \mathcal{P}$ - - $\lambda_{2,i}^2 = x_{A,i+1} + x_{R,i} + x_{A,i}$ - - $4 \cdot \lambda_{2,i} \cdot (x_{A,i} - x_{A,i+1}) = 2 \cdot Y_{A,i} + (2 - q_{S3}) \cdot Y_{A,i+1} + 2 q_{S3} \cdot y_{A,n}$ - -Note that each term of the last constraint is multiplied by $4$ relative to the constraint program given earlier. This is a small optimization that avoids divisions by $2$. - -By gating the lookup expression on $q_{S1}$, we avoid the need to fill in unused cells with dummy values to pass the lookup argument. The optimized lookup value (using a default index of $0$) is: - -$$ -\begin{array}{ll} -(&q_{S1} \cdot m_{i+1}, \\ - &q_{S1} \cdot x_{P,i} + (1 - q_{S1}) \cdot x_{P,0}, \\ - &q_{S1} \cdot y_{P,i} + (1 - q_{S1}) \cdot y_{P,0} \;\;\;) -\end{array} -$$ - -This increases the degree of the lookup argument to $6$. - -$$ -\begin{array}{|c|l|} -\hline -\text{Degree} & \text{Constraint} \\\hline -4 & q_{S4} \cdot (2 \cdot y_Q - Y_{A,0}) = 0 \\\hline -6 & q_{S1,i} \Rightarrow (m_{i+1},\, x_{P,i},\, y_{P,i}) \in \mathcal{P} \\\hline -3 & q_{S1,i} \cdot \big(\lambda_{2,i}^2 - (x_{A,i+1} + x_{R,i} + x_{A,i})\big) \\\hline -5 & q_{S1,i} \cdot \left(4 \cdot \lambda_{2,i} \cdot (x_{A,i} - x_{A,i+1}) - (2 \cdot Y_{A,i} + (2 - q_{S3,i}) \cdot Y_{A,i+1} + 2 \cdot q_{S3,i} \cdot y_{A,n})\right) = 0 \\\hline -\end{array} -$$ diff --git a/book/src/design/gadgets/sinsemilla/merkle-crh.md b/book/src/design/gadgets/sinsemilla/merkle-crh.md deleted file mode 100644 index 774c7eea4d..0000000000 --- a/book/src/design/gadgets/sinsemilla/merkle-crh.md +++ /dev/null @@ -1,144 +0,0 @@ -# MerkleCRH - -## Message decomposition -$\mathsf{SinsemillaHash}$ is used in the [$\mathsf{MerkleCRH^{Orchard}}$ hash function](https://zips.z.cash/protocol/protocol.pdf#orchardmerklecrh). The input to $\mathsf{SinsemillaHash}$ is: - -$${l\star} \,||\, {\textsf{left}\star} \,||\, {\textsf{right}\star},$$ - -where: -- ${l\star} = \textsf{I2LEBSP}_{10}(l) = \textsf{I2LEBSP}_{10}(\textsf{MerkleDepth}^\textsf{Orchard} - 1 - \textsf{layer})$, -- ${\textsf{left}\star} = \textsf{I2LEBSP}_{\ell_{\textsf{Merkle}}^{\textsf{Orchard}}}(\textsf{left})$, -- ${\textsf{right}\star} = \textsf{I2LEBSP}_{\ell_{\textsf{Merkle}}^{\textsf{Orchard}}}(\textsf{right})$, - -with $\ell_{\textsf{Merkle}}^{\textsf{Orchard}} = 255.$ $\textsf{left}\star$ and -$\textsf{right}\star$ are allowed to be non-canonical $255$-bit encodings of -$\textsf{left}$ and $\textsf{right}$. - -Sinsemilla operates on multiples of 10 bits, so we start by decomposing the message into -chunks: - -$$ -\begin{aligned} -l\star &= a_0 \\ -\textsf{left}\star &= a_1 \bconcat b_0 \bconcat b_1 \\ - &= (\text{bits } 0..=239 \text{ of } \textsf{ left }) \bconcat - (\text{bits } 240..=249 \text{ of } \textsf{left}) \bconcat - (\text{bits } 250..=254 \text{ of } \textsf{left}) \\ -\textsf{right}\star &= b_2 \bconcat c \\ - &= (\text{bits } 0..=4 \text{ of } \textsf{right}) \bconcat - (\text{bits } 5..=254 \text{ of } \textsf{right}) -\end{aligned} -$$ - -Then we recompose the chunks into `MessagePiece`s: - -$$ -\begin{array}{|c|l|} -\hline -\text{Length (bits)} & \text{Piece} \\\hline -250 & a = a_0 \bconcat a_1 \\ -20 & b = b_0 \bconcat b_1 \bconcat b_2 \\ -250 & c \\\hline -\end{array} -$$ - -Each message piece is constrained by $\SinsemillaHash$ to its stated length. Additionally, -$\textsf{left}$ and $\textsf{right}$ are witnessed as field elements, so we know that they -are canonical. However, we need additional constraints to enforce that the chunks are the -correct bit lengths (or else they could overlap in the decompositions and allow the prover -to witness an arbitrary $\SinsemillaHash$ message). - -Some of these constraints can be implemented with reusable circuit gadgets. We define a -custom gate controlled by the selector $q_\mathsf{decompose}$ to hold the remaining -constraints. - -## Bit length constraints - -Chunk $c$ is directly constrained by Sinsemilla. We constrain the remaining chunks with -the following constraints: - -### $a_0, a_1$ - -$z_{1,a}$, the index-1 running sum output of $\textsf{SinsemillaHash}(a)$, is copied into -the gate. $z_{1,a}$ has been constrained by $\textsf{SinsemillaHash}$ to be $240$ bits, -and is precisely $a_1$. We recover chunk $a_0$ using $a, z_{1,a}:$ -$$ -\begin{aligned} -z_{1,a} &= \frac{a - a_0}{2^{10}}\\ - &= a_1 \\ - \implies a_0 &= a - z_{1,a} \cdot 2^{10}. -\end{aligned} -$$ - -### $b_0, b_1, b_2$ - -$z_{1,b}$, the index-1 running sum output of $\textsf{SinsemillaHash}(b)$, is copied into -the gate. $z_{1,b}$ has been constrained by $\textsf{SinsemillaHash}$ to be $10$ bits. We -witness the subpieces $b_1, b_2$ outside this gate, and constrain them each to be $5$ -bits. Inside the gate, we check that $$b_1 + 2^5 \cdot b_2 = z_{1,b}.$$ -We also recover the subpiece $b_0$ using $(b, z_{1,b})$: -$$ -\begin{aligned} -z_{1,b} &= \frac{b - b_{0..=10}}{2^{10}}\\ - \implies b_0 &= b - (z_{1,b} \cdot 2^{10}). -\end{aligned} -$$ - -### Constraints - -$$ -\begin{array}{|c|l|} -\hline -\text{Degree} & \text{Constraint} \\\hline - & \ShortLookupRangeCheck{b_1, 5} \\\hline - & \ShortLookupRangeCheck{b_2, 5} \\\hline -2 & q_\mathsf{decompose} \cdot (z_{1,b} - (b_1 + b_2 \cdot 2^5)) = 0 \\\hline -\end{array} -$$ - -where $\ShortLookupRangeCheck{}$ is a -[short lookup range check](../decomposition.md#short-range-check). - -## Decomposition constraints - -We have now derived or witnessed every subpiece, and range-constrained every subpiece: -- $a_0$ ($10$ bits), derived as $a_0 = a - 2^{10} \cdot z_{1,a}$; -- $a_1$ ($240$ bits), equal to $z_{1,a}$; -- $b_0$ ($10$ bits), derived as $b_0 = b - 2^{10} \cdot z_{1,b}$; -- $b_1$ ($5$ bits) is witnessed and constrained outside the gate; -- $b_2$ ($5$ bits) is witnessed and constrained outside the gate; -- $c$ ($250$ bits) is witnessed and constrained outside the gate. -- $b_1 + 2^5 \cdot b_2$ is constrained to equal $z_{1, b}$. - -We can now use them to reconstruct the original field element inputs: - -$$ -\begin{align} -l &= a_0 \\ -\mathsf{left} &= a_1 + 2^{240} \cdot b_0 + 2^{250} \cdot b_1 \\ -\mathsf{right} &= b_2 + 2^5 \cdot c -\end{align} -$$ - -$$ -\begin{array}{|c|l|} -\hline -\text{Degree} & \text{Constraint} \\\hline -2 & q_\mathsf{decompose} \cdot (a_0 - l) = 0 \\\hline -2 & q_\mathsf{decompose} \cdot (a_1 + (b_0 + b_1 \cdot 2^{10}) \cdot 2^{240} - \mathsf{left}) = 0 \\\hline -2 & q_\mathsf{decompose} \cdot (b_2 + c \cdot 2^5 - \mathsf{right}) = 0 \\\hline -\end{array} -$$ - -## Region layout - -$$ -\begin{array}{|c|c|c|c|c|c} - & & & & & q_\mathsf{decompose} \\\hline - a & b & c & \mathsf{left} & \mathsf{right} & 1 \\\hline -z_{1,a} &z_{1,b} & b_1 & b_2 & l & 0 \\\hline -\end{array} -$$ - -## Circuit components -The Orchard circuit spans $10$ advice columns while the $\textsf{Sinsemilla}$ chip only uses $5$ advice columns. We distribute the path hashing evenly across two $\textsf{Sinsemilla}$ chips to make better use of the available circuit area. Since the output from the previous layer hash is copied into the next layer hash, we maintain continuity even when moving from one chip to the other. diff --git a/book/src/design/implementation.md b/book/src/design/implementation.md deleted file mode 100644 index d2557ff700..0000000000 --- a/book/src/design/implementation.md +++ /dev/null @@ -1 +0,0 @@ -# Implementation diff --git a/book/src/design/implementation/fields.md b/book/src/design/implementation/fields.md deleted file mode 100644 index 81226e5430..0000000000 --- a/book/src/design/implementation/fields.md +++ /dev/null @@ -1,97 +0,0 @@ -# Fields - -The [Pasta curves](https://electriccoin.co/blog/the-pasta-curves-for-halo-2-and-beyond/) -that we use in `halo2` are designed to be highly 2-adic, meaning that a large $2^S$ -[multiplicative subgroup](../../background/fields.md#multiplicative-subgroups) exists in -each field. That is, we can write $p - 1 \equiv 2^S \cdot T$ with $T$ odd. For both Pallas -and Vesta, $S = 32$; this helps to simplify the field implementations. - -## Sarkar square-root algorithm (table-based variant) - -We use a technique from [Sarkar2020](https://eprint.iacr.org/2020/1407.pdf) to compute -[square roots](../../background/fields.md#square-roots) in `halo2`. The intuition behind -the algorithm is that we can split the task into computing square roots in each -multiplicative subgroup. - -Suppose we want to find the square root of $u$ modulo one of the Pasta primes $p$, where -$u$ is a non-zero square in $\mathbb{Z}_p^\times$. We define a $2^S$ -[root of unity](../../background/fields.md#roots-of-unity) $g = z^T$ where $z$ is a -non-square in $\mathbb{Z}_p^\times$, and precompute the following tables: - -$$ -gtab = \begin{bmatrix} -g^0 & g^1 & ... & g^{2^8 - 1} \\ -(g^{2^8})^0 & (g^{2^8})^1 & ... & (g^{2^8})^{2^8 - 1} \\ -(g^{2^{16}})^0 & (g^{2^{16}})^1 & ... & (g^{2^{16}})^{2^8 - 1} \\ -(g^{2^{24}})^0 & (g^{2^{24}})^1 & ... & (g^{2^{24}})^{2^8 - 1} -\end{bmatrix} -$$ - -$$ -invtab = \begin{bmatrix} -(g^{-2^{24}})^0 & (g^{-2^{24}})^1 & ... & (g^{-2^{24}})^{2^8 - 1} -\end{bmatrix} -$$ - -Let $v = u^{(T-1)/2}$. We can then define $x = uv \cdot v = u^T$ as an element of the -$2^S$ multiplicative subgroup. - -Let $x_3 = x, x_2 = x_3^{2^8}, x_1 = x_2^{2^8}, x_0 = x_1^{2^8}.$ - -### i = 0, 1 -Using $invtab$, we lookup $t_0$ such that -$$ -x_0 = (g^{-2^{24}})^{t_0} \implies x_0 \cdot g^{t_0 \cdot 2^{24}} = 1. -$$ - -Define $\alpha_1 = x_1 \cdot (g^{2^{16}})^{t_0}.$ - -### i = 2 -Lookup $t_1$ s.t. -$$ -\begin{array}{ll} -\alpha_1 = (g^{-2^{24}})^{t_1} &\implies x_1 \cdot (g^{2^{16}})^{t_0} = (g^{-2^{24}})^{t_1} \\ -&\implies -x_1 \cdot g^{(t_0 + 2^8 \cdot t_1) \cdot 2^{16}} = 1. -\end{array} -$$ - -Define $\alpha_2 = x_2 \cdot (g^{2^8})^{t_0 + 2^8 \cdot t_1}.$ - -### i = 3 -Lookup $t_2$ s.t. - -$$ -\begin{array}{ll} -\alpha_2 = (g^{-2^{24}})^{t_2} &\implies x_2 \cdot (g^{2^8})^{t_0 + 2^8\cdot {t_1}} = (g^{-2^{24}})^{t_2} \\ -&\implies x_2 \cdot g^{(t_0 + 2^8 \cdot t_1 + 2^{16} \cdot t_2) \cdot 2^8} = 1. -\end{array} -$$ - -Define $\alpha_3 = x_3 \cdot g^{t_0 + 2^8 \cdot t_1 + 2^{16} \cdot t_2}.$ - -### Final result -Lookup $t_3$ such that - -$$ -\begin{array}{ll} -\alpha_3 = (g^{-2^{24}})^{t_3} &\implies x_3 \cdot g^{t_0 + 2^8\cdot {t_1} + 2^{16} \cdot t_2} = (g^{-2^{24}})^{t_3} \\ -&\implies x_3 \cdot g^{t_0 + 2^8 \cdot t_1 + 2^{16} \cdot t_2 + 2^{24} \cdot t_3} = 1. -\end{array} -$$ - -Let $t = t_0 + 2^8 \cdot t_1 + 2^{16} \cdot t_2 + 2^{24} \cdot t_3$. - -We can now write -$$ -\begin{array}{lclcl} -x_3 \cdot g^{t} = 1 &\implies& x_3 &=& g^{-t} \\ -&\implies& uv^2 &=& g^{-t} \\ -&\implies& uv &=& v^{-1} \cdot g^{-t} \\ -&\implies& uv \cdot g^{t / 2} &=& v^{-1} \cdot g^{-t / 2}. -\end{array} -$$ - -Squaring the RHS, we observe that $(v^{-1} g^{-t / 2})^2 = v^{-2}g^{-t} = u.$ Therefore, -the square root of $u$ is $uv \cdot g^{t / 2}$; the first part we computed earlier, and -the second part can be computed with three multiplications using lookups in $gtab$. diff --git a/book/src/design/implementation/proofs.md b/book/src/design/implementation/proofs.md deleted file mode 100644 index 4b1339fb73..0000000000 --- a/book/src/design/implementation/proofs.md +++ /dev/null @@ -1,89 +0,0 @@ -# Halo 2 proofs - -## Proofs as opaque byte streams - -In proving system implementations like `bellman`, there is a concrete `Proof` struct that -encapsulates the proof data, is returned by a prover, and can be passed to a verifier. - -`halo2` does not contain any proof-like structures, for several reasons: - -- The Proof structures would contain vectors of (vectors of) curve points and scalars. - This complicates serialization/deserialization of proofs because the lengths of these - vectors depend on the configuration of the circuit. However, we didn't want to encode - the lengths of vectors inside of proofs, because at runtime the circuit is fixed, and - thus so are the proof sizes. -- It's easy to accidentally put stuff into a Proof structure that isn't also placed in the - transcript, which is a hazard when developing and implementing a proving system. -- We needed to be able to create multiple PLONK proofs at the same time; these proofs - share many different substructures when they are for the same circuit. - -Instead, `halo2` treats proof objects as opaque byte streams. Creation and consumption of -these byte streams happens via the transcript: - -- The `TranscriptWrite` trait represents something that we can write proof components to - (at proving time). -- The `TranscriptRead` trait represents something that we can read proof components from - (at verifying time). - -Crucially, implementations of `TranscriptWrite` are responsible for simultaneously writing -to some `std::io::Write` buffer at the same time that they hash things into the transcript, -and similarly for `TranscriptRead`/`std::io::Read`. - -As a bonus, treating proofs as opaque byte streams ensures that verification accounts for -the cost of deserialization, which isn't negligible due to point compression. - -## Proof encoding - -A Halo 2 proof, constructed over a curve $E(\mathbb{F}_p)$, is encoded as a stream of: - -- Points $P \in E(\mathbb{F}_p)$ (for commitments to polynomials), and -- Scalars $s \in \mathbb{F}_q$ (for evaluations of polynomials, and blinding values). - -For the Pallas and Vesta curves, both points and scalars have 32-byte encodings, meaning -that proofs are always a multiple of 32 bytes. - -The `halo2` crate supports proving multiple instances of a circuit simultaneously, in -order to share common proof components and protocol logic. - -In the encoding description below, we will use the following circuit-specific constants: - -- $k$ - the size parameter of the circuit (which has $2^k$ rows). -- $A$ - the number of advice columns. -- $F$ - the number of fixed columns. -- $I$ - the number of instance columns. -- $L$ - the number of lookup arguments. -- $P$ - the number of permutation arguments. -- $\textsf{Col}_P$ - the number of columns involved in permutation argument $P$. -- $D$ - the maximum degree for the quotient polynomial. -- $Q_A$ - the number of advice column queries. -- $Q_F$ - the number of fixed column queries. -- $Q_I$ - the number of instance column queries. -- $M$ - the number of instances of the circuit that are being proven simultaneously. - -As the proof encoding directly follows the transcript, we can break the encoding into -sections matching the Halo 2 protocol: - -- PLONK commitments: - - $A$ points (repeated $M$ times). - - $2L$ points (repeated $M$ times). - - $P$ points (repeated $M$ times). - - $L$ points (repeated $M$ times). - -- Vanishing argument: - - $D - 1$ points. - - $Q_I$ scalars (repeated $M$ times). - - $Q_A$ scalars (repeated $M$ times). - - $Q_F$ scalars. - - $D - 1$ scalars. - -- PLONK evaluations: - - $(2 + \textsf{Col}_P) \times P$ scalars (repeated $M$ times). - - $5L$ scalars (repeated $M$ times). - -- Multiopening argument: - - 1 point. - - 1 scalar per set of points in the multiopening argument. - -- Polynomial commitment scheme: - - $1 + 2k$ points. - - $2$ scalars. diff --git a/book/src/design/implementation/selector-combining.md b/book/src/design/implementation/selector-combining.md deleted file mode 100644 index a6e98a9529..0000000000 --- a/book/src/design/implementation/selector-combining.md +++ /dev/null @@ -1,116 +0,0 @@ -# Selector combining - -Heavy use of custom gates can lead to a circuit defining many binary selectors, which -would increase proof size and verification time. - -This section describes an optimization, applied automatically by halo2, that combines -binary selector columns into fewer fixed columns. - -The basic idea is that if we have $\ell$ binary selectors labelled $1, \ldots, \ell$ that -are enabled on disjoint sets of rows, then under some additional conditions we can combine -them into a single fixed column, say $q$, such that: -$$ -q = \begin{cases} - k, &\text{if the selector labelled } k \text{ is } 1 \\ - 0, &\text{if all these selectors are } 0. -\end{cases} -$$ - -However, the devil is in the detail. - -The halo2 API allows defining some selectors to be "simple selectors", subject to the -following condition: - -> Every polynomial constraint involving a simple selector $s$ must be of the form -> $s \cdot t = 0,$ where $t$ is a polynomial involving *no* simple selectors. - -Suppose that $s$ has label $k$ in some set of $\ell$ simple selectors that are combined -into $q$ as above. Then this condition ensures that replacing $s$ by -$q \cdot \prod_{1 \leq h \leq \ell,\,h \neq k}\; (h - q)$ will not change the meaning of -any constraints. - -> It would be possible to relax this condition by ensuring that every use of a binary -> selector is substituted by a precise interpolation of its value from the corresponding -> combined selector. However, -> -> * the restriction simplifies the implementation, developer tooling, and human -> understanding and debugging of the resulting constraint system; -> * the scope to apply the optimization is not impeded very much by this restriction for -> typical circuits. - -Note that replacing $s$ by $q \cdot \prod_{1 \leq h \leq \ell,\,h \neq k}\; (h - q)$ will -increase the degree of constraints selected by $s$ by $\ell-1$, and so we must choose the -selectors that are combined in such a way that the maximum degree bound is not exceeded. - -## Identifying selectors that can be combined - -We need a partition of the overall set of selectors $s_0, \ldots, s_{m-1}$ into subsets -(called "combinations"), such that no two selectors in a combination are enabled on the -same row. - -Labels must be unique within a combination, but they are not unique across combinations. -Do not confuse a selector's index with its label. - -Suppose that we are given $\mathsf{max\_degree}$, the degree bound of the circuit. - -We use the following algorithm: - -1. Leave nonsimple selectors unoptimized, i.e. map each of them to a separate fixed - column. -2. Check (or ensure by construction) that all polynomial constraints involving each simple - selector $s_i$ are of the form $s_i \cdot t_{i,j} = 0$ where $t_{i,j}$ do not involve - any simple selectors. For each $i$, record the maximum degree of any $t_{i,j}$ as - $d^\mathsf{max}_i$. -3. Compute a binary "exclusion matrix" $X$ such that $X_{j,i}$ is $1$ whenever $i \neq j$ - and $s_i$ and $s_j$ are enabled on the same row; and $0$ otherwise. - > Since $X$ is symmetric and is zero on the diagonal, we can represent it by either its - > upper or lower triangular entries. The rest of the algorithm is guaranteed only to - > access only the entries $X_{j,i}$ where $j > i$. -4. Initialize a boolean array $\mathsf{added}_{0..{k-1}}$ to all $\mathsf{false}$. - > $\mathsf{added}_i$ will record whether $s_i$ has been included in any combination. -6. Iterate over the $s_i$ that have not yet been added to any combination: - * a. Add $s_i$ to a fresh combination $c$, and set $\mathsf{added}_i = \mathsf{true}$. - * b. Let mut $d := d^\mathsf{max}_i - 1$. - > $d$ is used to keep track of the largest degree, *excluding* the selector - > expression, of any gate involved in the combination $c$ so far. - * c. Iterate over all the selectors $s_j$ for $j > i$ that can potentially join $c$, - i.e. for which $\mathsf{added}_j$ is false: - * i. (Optimization) If $d + \mathsf{len}(c) = \mathsf{max\_degree}$, break to the - outer loop, since no more selectors can be added to $c$. - * ii. Let $d^\mathsf{new} = \mathsf{max}(d, d^\mathsf{max}_j-1)$. - * iii. If $X_{j,i'}$ is $\mathsf{true}$ for any $i'$ in $c$, or if - $d^\mathsf{new} + (\mathsf{len}(c) + 1) > \mathsf{max\_degree}$, break to the outer - loop. - > $d^\mathsf{new} + (\mathsf{len}(c) + 1)$ is the maximum degree, *including* the - > selector expression, of any constraint that would result from adding $s_j$ to the - > combination $c$. - * iv. Set $d := d^\mathsf{new}$. - * v. Add $s_j$ to $c$ and set $\mathsf{added}_j := \mathsf{true}$. - * d. Allocate a fixed column $q_c$, initialized to all-zeroes. - * e. For each selector $s' \in c$: - * i. Label $s'$ with a distinct index $k$ where $1 \leq k \leq \mathsf{len}(c)$. - * ii. Record that $s'$ should be substituted with - $q_c \cdot \prod_{1 \leq h \leq \mathsf{len}(c),\,h \neq k} (h-q_c)$ in all gate - constraints. - * iii. For each row $r$ such that $s'$ is enabled at $r$, assign the value $k$ to - $q_c$ at row $r$. - -The above algorithm is implemented in -[halo2_proofs/src/plonk/circuit/compress_selectors.rs](https://github.com/zcash/halo2/blob/main/halo2_proofs/src/plonk/circuit/compress_selectors.rs). -This is used by the `compress_selectors` function of -[halo2_proofs/src/plonk/circuit.rs](https://github.com/zcash/halo2/blob/main/halo2_proofs/src/plonk/circuit.rs) -which does the actual substitutions. - -## Writing circuits to take best advantage of selector combining - -For this optimization it is beneficial for a circuit to use simple selectors as far as -possible, rather than fixed columns. It is usually not beneficial to do manual combining -of selectors, because the resulting fixed columns cannot take part in the automatic -combining. That means that to get comparable results you would need to do a global -optimization manually, which would interfere with writing composable gadgets. - -Whether two selectors are enabled on the same row (and so are inhibited from being -combined) depends on how regions are laid out by the floor planner. The currently -implemented floor planners do not attempt to take this into account. We suggest not -worrying about it too much — the gains that can be obtained by cajoling a floor planner to -shuffle around regions in order to improve combining are likely to be relatively small. diff --git a/book/src/design/protocol.md b/book/src/design/protocol.md deleted file mode 100644 index cd15d68bf4..0000000000 --- a/book/src/design/protocol.md +++ /dev/null @@ -1,828 +0,0 @@ -# Protocol Description - -## Preliminaries - -We take $\sec$ as our security parameter, and unless explicitly noted all -algorithms and adversaries are probabilistic (interactive) Turing machines that -run in polynomial time in this security parameter. We use $\negl$ to denote a -function that is negligible in $\sec$. - -### Cryptographic Groups - -We let $\group$ denote a cyclic group of prime order $p$. The identity of a -group is written as $\zero$. We refer to the scalars of elements in $\group$ as -elements in a scalar field $\field$ of size $p$. Group elements are written in -capital letters while scalars are written in lowercase or Greek letters. Vectors -of scalars or group elements are written in boldface, i.e. $\mathbf{a} \in -\field^n$ and $\mathbf{G} \in \group^n$. Group operations are written additively -and the multiplication of a group element $G$ by a scalar $a$ is written $[a] -G$. - -We will often use the notation $\langle \mathbf{a}, \mathbf{b} \rangle$ to -describe the inner product of two like-length vectors of scalars $\mathbf{a}, -\mathbf{b} \in \field^n$. We also use this notation to represent the linear -combination of group elements such as $\langle \mathbf{a}, \mathbf{G} \rangle$ -with $\mathbf{a} \in \field^n, \mathbf{G} \in \group^n$, computed in practice by -a multiscalar multiplication. - -We use $\mathbf{0}^n$ to describe a vector of length $n$ that contains only -zeroes in $\field$. - -> **Discrete Log Relation Problem.** The advantage metric -$$ -\adv^\dlrel_{\group,n}(\a, \sec) = \textnormal{Pr} \left[ \mathsf{G}^\dlrel_{\group,n}(\a, \sec) \right] -$$ -> is defined with respect the following game. -$$ -\begin{array}{ll} -&\underline{\bold{Game} \, \mathsf{G}^\dlrel_{\group,n}(\a, \sec):} \\ -&\mathbf{G} \gets \group^n_\sec \\ -&\mathbf{a} \gets \a(\mathbf{G}) \\ -&\textnormal{Return} \, \left( \langle \mathbf{a}, \mathbf{G} \rangle = \zero \land \mathbf{a} \neq \mathbf{0}^n \right) -\end{array} -$$ - -Given an $n$-length vector $\mathbf{G} \in \group^n$ of group elements, the -_discrete log relation problem_ asks for $\mathbf{g} \in \field^n$ such that -$\mathbf{g} \neq \mathbf{0}^n$ and yet $\innerprod{\mathbf{g}}{\mathbf{G}} = -\zero$, which we refer to as a _non-trivial_ discrete log relation. The hardness -of this problem is tightly implied by the hardness of the discrete log problem -in the group as shown in Lemma 3 of [[JT20]](https://eprint.iacr.org/2020/1213). -Formally, we use the game $\dlgame$ defined above to capture this problem. - -### Interactive Proofs - -_Interactive proofs_ are a triple of algorithms $\ip = (\setup, \prover, -\verifier)$. The algorithm $\setup(1^\sec)$ produces as its output some _public -parameters_ commonly referred to by $\pp$. The prover $\prover$ and verifier -$\verifier$ are interactive machines (with access to $\pp$) and we denote by -$\langle \prover(x), \verifier(y) \rangle$ an algorithm that executes a -two-party protocol between them on inputs $x, y$. The output of this protocol, a -_transcript_ of their interaction, contains all of the messages sent between -$\prover$ and $\verifier$. At the end of the protocol, the verifier outputs a -decision bit. - -### Zero knowledge Arguments of Knowledge - -Proofs of knowledge are interactive proofs where the prover aims to convince the -verifier that they know a witness $w$ such that $(x, w) \in \relation$ for a -statement $x$ and polynomial-time decidable relation $\relation$. We will work -with _arguments_ of knowledge which assume computationally-bounded provers. - -We will analyze arguments of knowledge through the lens of four security -notions. - -* **Completeness:** If the prover possesses a valid witness, can they _always_ - convince the verifier? It is useful to understand this property as it can have - implications for the other security notions. -* **Soundness:** Can a cheating prover falsely convince the verifier of the - correctness of a statement that is not actually correct? We refer to the - probability that a cheating prover can falsely convince the verifier as the - _soundness error_. -* **Knowledge soundness:** When the verifier is convinced the statement is - correct, does the prover actually possess ("know") a valid witness? We refer - to the probability that a cheating prover falsely convinces the verifier of - this knowledge as the _knowledge error_. -* **Zero knowledge:** Does the verifier learn anything besides that which can be - inferred from the correctness of the statement and the prover's knowledge of a - valid witness? - -First, we will visit the simple definition of completeness. - -> **Perfect Completeness.** An interactive argument $(\setup, \prover, \verifier)$ -> has _perfect completeness_ if for all polynomial-time decidable -> relations $\relation$ and for all non-uniform polynomial-time adversaries $\a$ -$$ -Pr \left[ - (x, w) \notin \relation \lor - \langle \prover(\pp, x, w), \verifier(\pp, x) \rangle \, \textnormal{accepts} - \, \middle| \, - \begin{array}{ll} - &\pp \gets \setup(1^\sec) \\ - &(x, w) \gets \a(\pp) - \end{array} -\right] = 1 -$$ - -#### Soundness - -Complicating our analysis is that although our protocol is described as an -interactive argument, it is realized in practice as a _non-interactive argument_ -through the use of the Fiat-Shamir transformation. - -> **Public coin.** We say that an interactive argument is _public coin_ when all -> of the messages sent by the verifier are each sampled with fresh randomness. - -> **Fiat-Shamir transformation.** In this transformation an interactive, public -> coin argument can be made _non-interactive_ in the _random oracle model_ by -> replacing the verifier algorithm with a cryptographically strong hash function -> that produces sufficiently random looking output. - -This transformation means that in the concrete protocol a cheating prover can -easily "rewind" the verifier by forking the transcript and sending new messages -to the verifier. Studying the concrete security of our construction _after_ -applying this transformation is important. Fortunately, we are able to follow a -framework of analysis by Ghoshal and Tessaro -([[GT20](https://eprint.iacr.org/2020/1351)]) that has been applied to -constructions similar to ours. - -We will study our protocol through the notion of _state-restoration soundness_. -In this model the (cheating) prover is allowed to rewind the verifier to any -previous state it was in. The prover wins if they are able to produce an -accepting transcript. - -> **State-Restoration Soundness.** Let $\ip$ be an interactive argument with $r -> = r(\sec)$ verifier challenges and let the $i$th challenge be sampled from -> $\ch_i$. The advantage metric -$$ -\adv^\srs_\ip(\prover, \sec) = \textnormal{Pr} \left[ \srs^\ip_\prover(\sec) \right] -$$ -> of a state restoration prover $\prover$ is defined with respect to the -> following game. -$$ -\begin{array}{ll} -\begin{array}{ll} -&\underline{\bold{Game} \, \srs_\ip^\prover(\sec):} \\ -&\textnormal{win} \gets \tt{false}; \\ -&\tr \gets \epsilon \\ -&\pp \gets \ip.\setup(1^\sec) \\ -&(x, \textsf{st}_\prover) \gets \prover_\sec(\pp) \\ -&\textnormal{Run} \, \prover^{\oracle_\srs}_\sec(\textsf{st}_\prover) \\ -&\textnormal{Return win} -\end{array} & -\begin{array}{ll} -&\underline{\bold{Oracle} \, \oracle_\srs(\tau = (a_1, c_1, ..., a_{i - 1}, c_{i - 1}), a_i):} \\ -& \textnormal{If} \, \tau \in \tr \, \textnormal{then} \\ -& \, \, \textnormal{If} \, i \leq r \, \textnormal{then} \\ -& \, \, \, \, c_i \gets \ch_i; \tr \gets \tr || (\tau, a_i, c_i); \textnormal{Return} \, c_i \\ -& \, \, \textnormal{Else if} \, i = r + 1 \, \textnormal{then} \\ -& \, \, \, \, d \gets \ip.\verifier (\pp, x, (\tau, a_i)); \tr \gets (\tau, a_i) \\ -& \, \, \, \, \textnormal{If} \, d = 1 \, \textnormal{then win} \gets \tt{true} \\ -& \, \, \, \, \textnormal{Return} \, d \\ -&\textnormal{Return} \bottom -\end{array} -\end{array} -$$ - -As shown in [[GT20](https://eprint.iacr.org/2020/1351)] (Theorem 1) state -restoration soundness is tightly related to soundness after applying the -Fiat-Shamir transformation. - -#### Knowledge Soundness - -We will show that our protocol satisfies a strengthened notion of knowledge -soundness known as _witness extended emulation_. Informally, this notion states -that for any successful prover algorithm there exists an efficient _emulator_ -that can extract a witness from it by rewinding it and supplying it with fresh -randomness. - -However, we must slightly adjust our definition of witness extended emulation to -account for the fact that our provers are state restoration provers and can -rewind the verifier. Further, to avoid the need for rewinding the state -restoration prover during witness extraction we study our protocol in the -algebraic group model. - -> **Algebraic Group Model (AGM).** An adversary $\alg{\prover}$ is said to be -> _algebraic_ if whenever it outputs a group element $X$ it also outputs a -> _representation_ $\mathbf{x} \in \field^n$ such that $\langle \mathbf{x}, \mathbf{G} \rangle = X$ where $\mathbf{G} \in \group^n$ is the vector of group -> elements that $\alg{\prover}$ has seen so far. -> Notationally, we write $\rep{X}$ to describe a group element $X$ enhanced -> with this representation. We also write $\repv{X}{G}{i}$ to identify the -> component of the representation of $X$ that corresponds with $\mathbf{G}_i$. In -> other words, -$$ -X = \sum\limits_{i=0}^{n - 1} \left[ \repv{X}{G}{i} \right] \mathbf{G}_i -$$ - -The algebraic group model allows us to perform so-called "online" extraction for -some protocols: the extractor can obtain the witness from the representations -themselves for a single (accepting) transcript. - -> **State Restoration Witness Extended Emulation** Let $\ip$ be an interactive -> argument for relation $\relation$ with $r = r(\sec)$ challenges. We define for -> all non-uniform algebraic provers $\alg{\prover}$, extractors $\extractor$, -> and computationally unbounded distinguishers $\distinguisher$ the advantage -> metric -$$ -\adv^\srwee_{\ip, \relation}(\alg{\prover}, \distinguisher, \extractor, \sec) = \textnormal{Pr} \left[ \weereal^{\prover,\distinguisher}_{\ip,\relation}(\sec) \right] - \textnormal{Pr} \left[ \weeideal^{\extractor,\prover,\distinguisher}_{\ip,\relation}(\sec) \right] -$$ -> is defined with the respect to the following games. -$$ -\begin{array}{ll} -\begin{array}{ll} -&\underline{\bold{Game} \, \weereal_{\ip,\relation}^{\alg{\prover},\distinguisher}(\sec):} \\ -&\tr \gets \epsilon \\ -&\pp \gets \ip.\setup(1^\sec) \\ -&(x, \state{\prover}) \gets \alg{\prover}(\pp) \\ -&\textnormal{Run} \, \alg{\prover}^{\oracle_\real}(\state{\prover}) \\ -&b \gets \distinguisher(\tr) \\ -&\textnormal{Return} \, b = 1 \\ -&\underline{\bold{Game} \, \weeideal_{\ip,\relation}^{\extractor,\alg{\prover},\distinguisher}(\sec):} \\ -&\tr \gets \epsilon \\ -&\pp \gets \ip.\setup(1^\sec) \\ -&(x, \state{\prover}) \gets \alg{\prover}(\pp) \\ -&\state{\extractor} \gets (1^\sec, \pp, x) \\ -&\textnormal{Run} \, \alg{\prover}^{\oracle_\ideal}(\state{\prover}) \\ -&w \gets \extractor(\state{\extractor}, \bottom) \\ -&b \gets \distinguisher(\tr) \\ -&\textnormal{Return} \, (b = 1) \\ -&\, \, \land (\textnormal{Acc}(\tr) \implies (x, w) \in \relation) \\ -\end{array} & -\begin{array}{ll} -&\underline{\bold{Oracle} \, \oracle_\real(\tau = (a_1, c_1, ..., a_{i - 1}, c_{i - 1}), a_i):} \\ -& \textnormal{If} \, \tau \in \tr \, \textnormal{then} \\ -& \, \, \textnormal{If} \, i \leq r \, \textnormal{then} \\ -& \, \, \, \, c_i \gets \ch_i; \tr \gets \tr || (\tau, a_i, c_i); \textnormal{Return} \, c_i \\ -& \, \, \textnormal{Else if} \, i = r + 1 \, \textnormal{then} \\ -& \, \, \, \, d \gets \ip.\verifier (\pp, x, (\tau, a_i)); \tr \gets (\tau, a_i) \\ -& \, \, \, \, \textnormal{If} \, d = 1 \, \textnormal{then win} \gets \tt{true} \\ -& \, \, \, \, \textnormal{Return} \, d \\ -& \, \, \textnormal{Return} \, \bottom \\ -\\ -\\ -&\underline{\bold{Oracle} \, \oracle_\ideal(\tau, a):} \\ -& \textnormal{If} \, \tau \in \tr \, \textnormal{then} \\ -& \, \, (r, \state{\extractor}) \gets \extractor(\state{\extractor}, \left[(\tau, a)\right]) \\ -& \, \, \tr \gets \tr || (\tau, a, r) \\ -& \, \, \textnormal{Return} \, r \\ -&\textnormal{Return} \, \bottom -\end{array} -\end{array} -$$ - -#### Zero Knowledge - -We say that an argument of knowledge is _zero knowledge_ if the verifier also -does not learn anything from their interaction besides that which can be learned -from the existence of a valid $w$. More formally, - -> **Perfect Special Honest-Verifier Zero Knowledge.** A public coin interactive -> argument $(\setup, \prover, \verifier)$ has _perfect special honest-verifier -> zero knowledge_ (PSHVZK) if for all polynomial-time decidable relations -> $\relation$ and for all $(x, w) \in \relation$ and for all non-uniform -> polynomial-time adversaries $\a_1, \a_2$ there exists a probabilistic -> polynomial-time simulator $\sim$ such that -$$ -\begin{array}{rl} -&Pr \left[ \a_1(\sigma, x, \tr) = 1 \, \middle| \, -\begin{array}{ll} -&\pp \gets \setup(1^\lambda); \\ -&(x, w, \rho) \gets \a_2(\pp); \\ -&tr \gets \langle \prover(\pp, x, w), \verifier(\pp, x, \rho) \rangle -\end{array} - \right] \\ - \\ -=&Pr \left[ \a_1(\sigma, x, \tr) = 1 \, \middle| \, -\begin{array}{ll} -&\pp \gets \setup(1^\lambda); \\ -&(x, w, \rho) \gets \a_2(\pp); \\ -&tr \gets \sim(\pp, x, \rho) -\end{array} -\right] -\end{array} -$$ -> where $\rho$ is the internal randomness of the verifier. - -In this (common) definition of zero-knowledge the verifier is expected to act -"honestly" and send challenges that correspond only with their internal -randomness; they cannot adaptively respond to the prover based on the prover's -messages. We use a strengthened form of this definition that forces the simulator -to output a transcript with the same (adversarially provided) challenges that -the verifier algorithm sends to the prover. - -## Protocol - -Let $\omega \in \field$ be a $n = 2^k$ primitive root of unity forming the -domain $D = (\omega^0, \omega^1, ..., \omega^{n - 1})$ with $t(X) = X^n - 1$ the -vanishing polynomial over this domain. Let $n_g, n_a, n_e$ be positive integers with $n_a, n_e \lt n$ and $n_g \geq 4$. -We present an interactive argument $\halo = (\setup, \prover, \verifier)$ for -the relation -$$ -\relation = \left\{ -\begin{array}{ll} -&\left( -\begin{array}{ll} -\left( -g(X, C_0, ..., C_{n_a - 1}, a_0(X), ..., a_{n_a - 1}\left(X, C_0, ..., C_{n_a - 1}, a_0(X), ..., a_{n_a - 2}(X) \right)) -\right); \\ -\left( -a_0(X), a_1(X, C_0, a_0(X)), ..., a_{n_a - 1}\left(X, C_0, ..., C_{n_a - 1}, a_0(X), ..., a_{n_a - 2}(X) \right) -\right) -\end{array} -\right) : \\ -\\ -& g(\omega^i, \cdots) = 0 \, \, \, \, \forall i \in [0, 2^k) -\end{array} -\right\} -$$ -where $a_0, a_1, ..., a_{n_a - 1}$ are (multivariate) polynomials with degree $n - 1$ in $X$ and $g$ has degree $n_g(n - 1)$ at most in any indeterminates $X, C_0, C_1, ...$. - -$\setup(\sec)$ returns $\pp = (\group, \field, \mathbf{G} \in \group^n, U, W \in \group)$. - -For all $i \in [0, n_a)$: -* Let $\mathbf{p_i}$ be the exhaustive set of integers $j$ (modulo $n$) such that $a_i(\omega^j X, \cdots)$ appears as a term in $g(X, \cdots)$. -* Let $\mathbf{q}$ be a list of distinct sets of integers containing $\mathbf{p_i}$ and the set $\mathbf{q_0} = \{0\}$. -* Let $\sigma(i) = \mathbf{q}_j$ when $\mathbf{q}_j = \mathbf{p_i}$. - -Let $n_q \leq n_a$ denote the size of $\mathbf{q}$, and let $n_e$ denote the size of every $\mathbf{p_i}$ without loss of generality. - -In the following protocol, we take it for granted that each polynomial $a_i(X, \cdots)$ is defined such that $n_e + 1$ blinding factors are freshly sampled by the prover and are each present as an evaluation of $a_i(X, \cdots)$ over the domain $D$. In all of the following, the verifier's challenges cannot be zero or an element in $D$, and some additional limitations are placed on specific challenges as well. - -1. $\prover$ and $\verifier$ proceed in the following $n_a$ rounds of interaction, where in round $j$ (starting at $0$) - * $\prover$ sets $a'_j(X) = a_j(X, c_0, c_1, ..., c_{j - 1}, a_0(X, \cdots), ..., a_{j - 1}(X, \cdots, c_{j - 1}))$ - * $\prover$ sends a hiding commitment $A_j = \innerprod{\mathbf{a'}}{\mathbf{G}} + [\cdot] W$ where $\mathbf{a'}$ are the coefficients of the univariate polynomial $a'_j(X)$ and $\cdot$ is some random, independently sampled blinding factor elided for exposition. (This elision notation is used throughout this protocol description to simplify exposition.) - * $\verifier$ responds with a challenge $c_j$. -2. $\prover$ sets $g'(X) = g(X, c_0, c_1, ..., c_{n_a - 1}, \cdots)$. -3. $\prover$ sends a commitment $R = \innerprod{\mathbf{r}}{\mathbf{G}} + [\cdot] W$ where $\mathbf{r} \in \field^n$ are the coefficients of a randomly sampled univariate polynomial $r(X)$ of degree $n - 1$. -4. $\prover$ computes univariate polynomial $h(X) = \frac{g'(X)}{t(X)}$ of degree $n_g(n - 1) - n$. -5. $\prover$ computes at most $n - 1$ degree polynomials $h_0(X), h_1(X), ..., h_{n_g - 2}(X)$ such that $h(X) = \sum\limits_{i=0}^{n_g - 2} X^{ni} h_i(X)$. -6. $\prover$ sends commitments $H_i = \innerprod{\mathbf{h_i}}{\mathbf{G}} + [\cdot] W$ for all $i$ where $\mathbf{h_i}$ denotes the vector of coefficients for $h_i(X)$. -7. $\verifier$ responds with challenge $x$ and computes $H' = \sum\limits_{i=0}^{n_g - 2} [x^{ni}] H_i$. -8. $\prover$ sets $h'(X) = \sum\limits_{i=0}^{n_g - 2} x^{ni} h_i(X)$. -9. $\prover$ sends $r = r(x)$ and for all $i \in [0, n_a)$ sends $\mathbf{a_i}$ such that $(\mathbf{a_i})_j = a'_i(\omega^{(\mathbf{p_i})_j} x)$ for all $j \in [0, n_e - 1]$. -10. For all $i \in [0, n_a)$ $\prover$ and $\verifier$ set $s_i(X)$ to be the lowest degree univariate polynomial defined such that $s_i(\omega^{(\mathbf{p_i})_j} x) = (\mathbf{a_i})_j$ for all $j \in [0, n_e - 1)$. -11. $\verifier$ responds with challenges $x_1, x_2$ and initializes $Q_0, Q_1, ..., Q_{n_q - 1} = \zero$. - * Starting at $i=0$ and ending at $n_a - 1$ $\verifier$ sets $Q_{\sigma(i)} := [x_1] Q_{\sigma(i)} + A_i$. - * $\verifier$ finally sets $Q_0 := [x_1^2] Q_0 + [x_1] H' + R$. -12. $\prover$ initializes $q_0(X), q_1(X), ..., q_{n_q - 1}(X) = 0$. - * Starting at $i=0$ and ending at $n_a - 1$ $\prover$ sets $q_{\sigma(i)} := x_1 q_{\sigma(i)} + a'(X)$. - * $\prover$ finally sets $q_0(X) := x_1^2 q_0(X) + x_1 h'(X) + r(X)$. -13. $\prover$ and $\verifier$ initialize $r_0(X), r_1(X), ..., r_{n_q - 1}(X) = 0$. - * Starting at $i = 0$ and ending at $n_a - 1$ $\prover$ and $\verifier$ set $r_{\sigma(i)}(X) := x_1 r_{\sigma(i)}(X) + s_i(X)$. - * Finally $\prover$ and $\verifier$ set $r_0 := x_1^2 r_0 + x_1 h + r$ and where $h$ is computed by $\verifier$ as $\frac{g'(x)}{t(x)}$ using the values $r, \mathbf{a}$ provided by $\prover$. -14. $\prover$ sends $Q' = \innerprod{\mathbf{q'}}{\mathbf{G}} + [\cdot] W$ where $\mathbf{q'}$ defines the coefficients of the polynomial -$$q'(X) = \sum\limits_{i=0}^{n_q - 1} - -x_2^i - \left( - \frac - {q_i(X) - r_i(X)} - {\prod\limits_{j=0}^{n_e - 1} - \left( - X - \omega^{\left( - \mathbf{q_i} - \right)_j} x - \right) - } - \right) -$$ -15. $\verifier$ responds with challenge $x_3$. -16. $\prover$ sends $\mathbf{u} \in \field^{n_q}$ such that $\mathbf{u}_i = q_i(x_3)$ for all $i \in [0, n_q)$. -17. $\verifier$ responds with challenge $x_4$. -18. $\verifier$ sets $P = Q' + x_4 \sum\limits_{i=0}^{n_q - 1} [x_4^i] Q_i$ and $v = $ -$$ -\sum\limits_{i=0}^{n_q - 1} -\left( -x_2^i - \left( - \frac - { \mathbf{u}_i - r_i(x_3) } - {\prod\limits_{j=0}^{n_e - 1} - \left( - x_3 - \omega^{\left( - \mathbf{q_i} - \right)_j} x - \right) - } - \right) -\right) -+ -x_4 \sum\limits_{i=0}^{n_q - 1} x_4 \mathbf{u}_i -$$ -19. $\prover$ sets $p(X) = q'(X) + [x_4] \sum\limits_{i=0}^{n_q - 1} x_4^i q_i(X)$. -20. $\prover$ samples a random polynomial $s(X)$ of degree $n - 1$ with a root at $x_3$ and sends a commitment $S = \innerprod{\mathbf{s}}{\mathbf{G}} + [\cdot] W$ where $\mathbf{s}$ defines the coefficients of $s(X)$. -21. $\verifier$ responds with challenges $\xi, z$. -22. $\verifier$ sets $P' = P - [v] \mathbf{G}_0 + [\xi] S$. -23. $\prover$ sets $p'(X) = p(X) - p(x_3) + \xi s(X)$ (where $p(x_3)$ should correspond with the verifier's computed value $v$). -24. Initialize $\mathbf{p'}$ as the coefficients of $p'(X)$ and $\mathbf{G'} = \mathbf{G}$ and $\mathbf{b} = (x_3^0, x_3^1, ..., x_3^{n - 1})$. $\prover$ and $\verifier$ will interact in the following $k$ rounds, where in the $j$th round starting in round $j=0$ and ending in round $j=k-1$: - * $\prover$ sends $L_j = \innerprod{\mathbf{p'}_\hi}{\mathbf{G'}_\lo} + [z \innerprod{\mathbf{p'}_\hi}{\mathbf{b}_\lo}] U + [\cdot] W$ and $R_j = \innerprod{\mathbf{p'}_\lo}{\mathbf{G'}_\hi} + [z \innerprod{\mathbf{p'}_\lo}{\mathbf{b}_\hi}] U + [\cdot] W$. - * $\verifier$ responds with challenge $u_j$ chosen such that $1 + u_{k-1-j} x_3^{2^j}$ is nonzero. - * $\prover$ and $\verifier$ set $\mathbf{G'} := \mathbf{G'}_\lo + u_j \mathbf{G'}_\hi$ and $\mathbf{b} := \mathbf{b}_\lo + u_j \mathbf{b}_\hi$. - * $\prover$ sets $\mathbf{p'} := \mathbf{p'}_\lo + u_j^{-1} \mathbf{p'}_\hi$. -25. $\prover$ sends $c = \mathbf{p'}_0$ and synthetic blinding factor $f$ computed from the elided blinding factors. -26. $\verifier$ accepts only if $\sum_{j=0}^{k - 1} [u_j^{-1}] L_j + P' + \sum_{j=0}^{k - 1} [u_j] R_j = [c] \mathbf{G'}_0 + [c \mathbf{b}_0 z] U + [f] W$. - -### Zero-knowledge and Completeness - -We claim that this protocol is _perfectly complete_. This can be verified by -inspection of the protocol; given a valid witness $a_i(X, \cdots) \forall i$ the -prover succeeds in convincing the verifier with probability $1$. - -We claim that this protocol is _perfect special honest-verifier zero knowledge_. -We do this by showing that a simulator $\sim$ exists which can produce an -accepting transcript that is equally distributed with a valid prover's -interaction with a verifier with the same public coins. The simulator will act -as an honest prover would, with the following exceptions: - -1. In step $1$ of the protocol $\sim$ chooses random degree $n - 1$ polynomials (in $X$) $a_i(X, \cdots) \forall i$. -2. In step $5$ of the protocol $\sim$ chooses a random $n - 1$ degree polynomials $h_0(X), h_1(X), ..., h_{n_g - 2}(X)$. -3. In step $14$ of the protocol $\sim$ chooses a random $n - 1$ degree polynomial $q'(X)$. -4. In step $20$ of the protocol $\sim$ uses its foreknowledge of the verifier's choice of $\xi$ to produce a degree $n - 1$ polynomial $s(X)$ conditioned only such that $p(X) - v + \xi s(X)$ has a root at $x_3$. - -First, let us consider why this simulator always succeeds in producing an -_accepting_ transcript. $\sim$ lacks a valid witness and simply commits to -random polynomials whenever knowledge of a valid witness would be required by -the honest prover. The verifier places no conditions on the scalar values in the -transcript. $\sim$ must only guarantee that the check in step $26$ of the -protocol succeeds. It does so by using its knowledge of the challenge $\xi$ to -produce a polynomial which interferes with $p'(X)$ to ensure it has a root at -$x_3$. The transcript will thus always be accepting due to perfect completeness. - -In order to see why $\sim$ produces transcripts distributed identically to the -honest prover, we will look at each piece of the transcript and compare the -distributions. First, note that $\sim$ (just as the honest prover) uses a -freshly random blinding factor for every group element in the transcript, and so -we need only consider the _scalars_ in the transcript. $\sim$ acts just as the -prover does except in the mentioned cases so we will analyze each case: - -1. $\sim$ and an honest prover reveal $n_e$ openings of each polynomial $a_i(X, \cdots)$, and at most one additional opening of each $a_i(X, \cdots)$ in step $16$. However, the honest prover blinds their polynomials $a_i(X, \cdots)$ (in $X$) with $n_e + 1$ random evaluations over the domain $D$. Thus, the openings of $a_i(X, \cdots)$ at the challenge $x$ (which is prohibited from being $0$ or in the domain $D$ by the protocol) are distributed identically between $\sim$ and an honest prover. -2. Neither $\sim$ nor the honest prover reveal $h(x)$ as it is computed by the verifier. However, the honest prover may reveal $h'(x_3)$ --- which has a non-trivial relationship with $h(X)$ --- were it not for the fact that the honest prover also commits to a random degree $n - 1$ polynomial $r(X)$ in step $3$, producing a commitment $R$ and ensuring that in step $12$ when the prover sets $q_0(X) := x_1^2 q_0(X) + x_1 h'(X) + r(X)$ the distribution of $q_0(x_3)$ is uniformly random. Thus, $h'(x_3)$ is never revealed by the honest prover nor by $\sim$. -3. The expected value of $q'(x_3)$ is computed by the verifier (in step $18$) and so the simulator's actual choice of $q'(X)$ is irrelevant. -4. $p(X) - v + \xi s(X)$ is conditioned on having a root at $x_3$, but otherwise no conditions are placed on $s(X)$ and so the distribution of the degree $n - 1$ polynomial $p(X) - v + \xi s(X)$ is uniformly random whether or not $s(X)$ has a root at $x_3$. Thus, the distribution of $c$ produced in step $25$ is identical between $\sim$ and an honest prover. The synthetic blinding factor $f$ also revealed in step $25$ is a trivial function of the prover's other blinding factors and so is distributed identically between $\sim$ and an honest prover. - -Notes: - -1. In an earlier version of our protocol, the prover would open each individual commitment $H_0, H_1, ...$ at $x$ as part of the multipoint opening argument, and the verifier would confirm that a linear combination of these openings (with powers of $x^n$) agreed to the expected value of $h(x)$. This was done because it's more efficient in recursive proofs. However, it was unclear to us what the expected distribution of the openings of these commitments $H_0, H_1, ...$ was and so proving that the argument was zero-knowledge is difficult. Instead, we changed the argument so that the _verifier_ computes a linear combination of the commitments and that linear combination is opened at $x$. This avoided leaking $h_i(x)$. -2. As mentioned, in step $3$ the prover commits to a random polynomial as a way of ensuring that $h'(x_3)$ is not revealed in the multiopen argument. This is done because it's unclear what the distribution of $h'(x_3)$ would be. -3. Technically it's also possible for us to prove zero-knowledge with a simulator that uses its foreknowledge of the challenge $x$ to commit to an $h(X)$ which agrees at $x$ to the value it will be expected to. This would obviate the need for the random polynomial $s(X)$ in the protocol. This may make the analysis of zero-knowledge for the remainder of the protocol a little bit tricky though, so we didn't go this route. -4. Group element blinding factors are _technically_ not necessary after step $23$ in which the polynomial is completely randomized. However, it's simpler in practice for us to ensure that every group element in the protocol is randomly blinded to make edge cases involving the point at infinity harder. -5. It is crucial that the verifier cannot challenge the prover to open polynomials at points in $D$ as otherwise the transcript of an honest prover will be forced to contain what could be portions of the prover's witness. We therefore restrict the space of challenges to include all elements of the field except $D$ and, for simplicity, we also prohibit the challenge of $0$. - -## Witness-extended Emulation - -Let $\protocol = \protocol[\group]$ be the interactive argument described above for relation $\relation$ and some group $\group$ with scalar field $\field$. We can always construct an extractor $\extractor$ such that for any non-uniform algebraic prover $\alg{\prover}$ making at most $q$ queries to its oracle, there exists a non-uniform adversary $\dlreladv$ with the property that for any computationally unbounded distinguisher $\distinguisher$ - -$$ -\adv^\srwee_{\protocol, \relation}(\alg{\prover}, \distinguisher, \extractor, \sec) \leq q\epsilon + \adv^\dlrel_{\group,n+2}(\dlreladv, \sec) -$$ - -where $\epsilon \leq \frac{n_g \cdot (n - 1)}{|\ch|}$. - -_Proof._ We will prove this by invoking Theorem 1 of [[GT20]](https://eprint.iacr.org/2020/1351). First, we note that the challenge space for all rounds is the same, i.e. $\forall i \ \ch = \ch_i$. Theorem 1 requires us to define: - -- $\badch(\tr') \in \ch$ for all partial transcripts $\tr' = (\pp, x, [a_0], c_0, \ldots, [a_i])$ such that $|\badch(\tr')| / |\ch| \leq \epsilon$. -- an extractor function $e$ that takes as input an accepting extended transcript $\tr$ and either returns a valid witness or fails. -- a function $\pfail(\protocol, \alg{\prover}, e, \relation)$ returning a probability. - -We say that an accepting extended transcript $\tr$ contains "bad challenges" if and only if there exists a partial extended transcript $\tr'$, a challenge $c_i \in \badch(\tr')$, and some sequence of prover messages and challenges $([a_{i+1}], c_{i+1}, \ldots [a_j])$ such that $\tr = \tr' \,||\, (c_i, [a_{i+1}], c_{i+1}, \ldots [a_j])$. - -Theorem 1 requires that $e$, when given an accepting extended transcript $\tr$ that does not contain "bad challenges", returns a valid witness for that transcript except with probability bounded above by $\pfail(\protocol, \alg{\prover}, e, \relation)$. - -Our strategy is as follows: we will define $e$, establish an upper bound on $\pfail$ with respect to an adversary $\dlreladv$ that plays the $\dlrel_{\group,n+2}$ game, substitute these into Theorem 1, and then walk through the protocol to determine the upper bound of the size of $\badch(\tr')$. The adversary $\dlreladv$ plays the $\dlrel_{\group,n+2}$ game as follows: given the inputs $U, W \in \mathbb{G}, \mathbf{G} \in \mathbb{G}^n$, the adversary $\dlreladv$ simulates the game $\srwee_{\protocol, \relation}$ to $\alg{\prover}$ using the inputs from the $\dlrel_{\group,n+2}$ game as public parameters. If $\alg{\prover}$ manages to produce an accepting extended transcript $\tr$, $\dlreladv$ invokes a function $h$ on $\tr$ and returns its output. We shall define $h$ in such a way that for an accepting extended transcript $\tr$ that does not contain "bad challenges", $e(\tr)$ _always_ returns a valid witness whenever $h(\tr)$ does _not_ return a non-trivial discrete log relation. This means that the probability $\pfail(\protocol, \alg{\prover}, e, \relation)$ is no greater than $\adv^\dlrel_{\group,n+2}(\dlreladv, \sec)$, establishing our claim. - -#### Helpful substitutions - -We will perform some substitutions to aid in exposition. First, let us define the polynomial - -$$ -\kappa(X) = \prod_{j=0}^{k - 1} (1 + u_{k - 1 - j} X^{2^j}) -$$ - -so that we can write $\mathbf{b}_0 = \kappa(x_3)$. The coefficient vector $\mathbf{s}$ of $\kappa(X)$ is defined such that - -$$\mathbf{s}_i = \prod\limits_{j=0}^{k-1} u_{k - 1 - j}^{f(i, j)}$$ - -where $f(i, j)$ returns $1$ when the $j$th bit of $i$ is set, and $0$ otherwise. We can also write $\mathbf{G'}_0 = \innerprod{\mathbf{s}}{\mathbf{G}}$. - -### Description of function $h$ - -Recall that an accepting transcript $\tr$ is such that - -$$ -\sum_{i=0}^{k - 1} [u_j^{-1}] \rep{L_j} + \rep{P'} + \sum_{i=0}^{k - 1} [u_j] \rep{R_j} = [c] \mathbf{G'}_0 + [c z \mathbf{b}_0] U + [f] W -$$ - -By inspection of the representations of group elements with respect to $\mathbf{G}, U, W$ (recall that $\alg{\prover}$ is algebraic and so $\dlreladv$ has them), we obtain the $n$ equalities - -$$ -\sum_{i=0}^{k - 1} u_j^{-1} \repv{L_j}{G}{i} + \repv{P'}{G}{i} + \sum_{i=0}^{k - 1} u_j \repv{R_j}{G}{i} = c \mathbf{s}_i \forall i \in [0, n) -$$ - -and the equalities - -$$ -\sum_{i=0}^{k - 1} u_j^{-1} \repr{L_j}{U} + \repr{P'}{U} + \sum_{i=0}^{k - 1} u_j \repr{R_j}{U} = c z \kappa(x_3) -$$ - -$$ -\sum_{i=0}^{k - 1} u_j^{-1} \repr{L_j}{W} + \repr{P'}{W} + \sum_{i=0}^{k - 1} u_j \repr{R_j}{W} = f -$$ - -We define the linear-time function $h$ that returns the representation of - -$$ -\begin{array}{rll} -\sum\limits_{i=0}^{n - 1} &\left[ \sum_{i=0}^{k - 1} u_j^{-1} \repv{L_j}{G}{i} + \repv{P'}{G}{i} + \sum_{i=0}^{k - 1} u_j \repv{R_j}{G}{i} - c \mathbf{s}_i \right] & \mathbf{G}_i \\[1ex] -+ &\left[ \sum_{i=0}^{k - 1} u_j^{-1} \repr{L_j}{U} + \repr{P'}{U} + \sum_{i=0}^{k - 1} u_j \repr{R_j}{U} - c z \kappa(x_3) \right] & U \\[1ex] -+ &\left[ \sum_{i=0}^{k - 1} u_j^{-1} \repr{L_j}{W} + \repr{P'}{W} + \sum_{i=0}^{k - 1} u_j \repr{R_j}{W} - f \right] & W -\end{array} -$$ - -which is always a discrete log relation. If any of the equalities above are not satisfied, then this discrete log relation is non-trivial. This is the function invoked by $\dlreladv$. - -#### The extractor function $e$ - -The extractor function $e$ simply returns $a_i(X)$ from the representation $\rep{A_i}$ for $i \in [0, n_a)$. Due to the restrictions we will place on the space of bad challenges in each round, we are guaranteed to obtain polynomials such that $g(X, C_0, C_1, \cdots, a_0(X), a_1(X), \cdots)$ vanishes over $D$ whenever the discrete log relation returned by the adversary's function $h$ is trivial. This trivially gives us that the extractor function $e$ succeeds with probability bounded above by $\pfail$ as required. - -#### Defining $\badch(\tr')$ - -Recall from before that the following $n$ equalities hold: - -$$ -\sum_{i=0}^{k - 1} u_j^{-1} \repv{L_j}{G}{i} + \repv{P'}{G}{i} + \sum_{i=0}^{k - 1} u_j \repv{R_j}{G}{i} = c \mathbf{s}_i \forall i \in [0, n) -$$ - -as well as the equality - -$$ -\sum_{i=0}^{k - 1} u_j^{-1} \repr{L_j}{U} + \repr{P'}{U} + \sum_{i=0}^{k - 1} u_j \repr{R_j}{U} = c z \kappa(x_3) -$$ - -For convenience let us introduce the following notation - -$$ -\begin{array}{ll} -\mv{G}{i}{m} &= \sum_{i=0}^{m - 1} u_j^{-1} \repv{L_j}{G}{i} + \repv{P'}{G}{i} + \sum_{i=0}^{m - 1} u_j \repv{R_j}{G}{i} \\[1ex] -\m{U}{m} &= \sum_{i=0}^{m - 1} u_j^{-1} \repr{L_j}{U} + \repr{P'}{U} + \sum_{i=0}^{m - 1} u_j \repr{R_j}{U} -\end{array} -$$ - -so that we can rewrite the above (after expanding for $\kappa(x_3)$) as - -$$ -\mv{G}{i}{k} = c \mathbf{s}_i \forall i \in [0, n) -$$ - -$$ -\m{U}{k} = c z \prod_{j=0}^{k - 1} (1 + u_{k - 1 - j} x_3^{2^j}) -$$ - -We can combine these equations by multiplying both sides of each instance of the first equation by $\mathbf{s}_i^{-1}$ (because $\mathbf{s}_i$ is never zero) and substituting for $c$ in the second equation, yielding the following $n$ equalities: - -$$ -\m{U}{k} = \mv{G}{i}{k} \cdot \mathbf{s}_i^{-1} z \prod_{j=0}^{k - 1} (1 + u_{k - 1 - j} x_3^{2^j}) \forall i \in [0, n) -$$ - -> **Lemma 1.** If $\m{U}{k} = \mv{G}{i}{k} \cdot \mathbf{s}_i^{-1} z \prod_{j=0}^{k - 1} (1 + u_{k - 1 - j} x_3^{2^j}) \forall i \in [0, n)$ then it follows that $\repr{P'}{U} = z \sum\limits_{i=0}^{2^k - 1} x_3^i \repv{P'}{G}{i}$ for all transcripts that do not contain bad challenges. -> -> _Proof._ It will be useful to introduce yet another abstraction defined starting with -> $$ -\z{k}{m}{i} = \mv{G}{i}{m} -$$ -> and then recursively defined for all integers $r$ such that $0 \lt r \leq k$ -> $$ -\z{k - r}{m}{i} = \z{k - r + 1}{m}{i} + x_3^{2^{k - r}} \z{k - r + 1}{m}{i + 2^{k - r}} -$$ -> This allows us to rewrite our above equalities as -> $$ -\m{U}{k} = \z{k}{k}{i} \cdot \mathbf{s}_i^{-1} z \prod_{j=0}^{k - 1} (1 + u_{k - 1 - j} x_3^{2^j}) \forall i \in [0, n) -$$ -> -> We will now show that for all integers $r$ such that $0 \lt r \leq k$ that whenever the following holds for $r$ -> $$ -\m{U}{r} = \z{r}{r}{i} \cdot \mathbf{s}_i^{-1} z \prod_{j=0}^{r - 1} (1 + u_{k - 1 - j} x_3^{2^j}) \forall i \in [0, 2^r) -$$ -> that the same _also_ holds for -> $$ -\m{U}{r - 1} = \z{r - 1}{r - 1}{i} \cdot \mathbf{s}_i^{-1} z \prod_{j=0}^{r - 2} (1 + u_{k - 2 - j} x_3^{2^j}) \forall i \in [0, 2^{r-1}) -$$ -> -> For all integers $r$ such that $0 \lt r \leq k$ we have that $\mathbf{s}_{i + 2^{r - 1}} = u_{r - 1} \mathbf{s}_i \forall i \in [0, 2^{r - 1})$ by the definition of $\mathbf{s}$. This gives us $\mathbf{s}_{i+2^{r - 1}}^{-1} = \mathbf{s}_i^{-1} u_{r - 1}^{-1} \forall i \in [0, 2^{r - 1})$ as no value in $\mathbf{s}$ nor any challenge $u_r$ are zeroes. We can use this to relate one half of the equalities with the other half as so: -> $$ -\begin{array}{rl} -\m{U}{r} &= \z{r}{r}{i} \cdot \mathbf{s}_i^{-1} z \prod_{j=0}^{r - 1} (1 + u_{k - 1 - j} x_3^{2^j}) \\ -&= \z{r}{r}{i + 2^{r - 1}} \cdot \mathbf{s}_i^{-1} u_{r - 1}^{-1} z \prod_{j=0}^{r - 1} (1 + u_{k - 1 - j} x_3^{2^j}) \\ -&\forall i \in [0, 2^{r - 1}) -\end{array} -$$ -> -> Notice that $\z{r}{r}{i}$ can be rewritten as $u_{r - 1}^{-1} \repv{L_{r - 1}}{G}{i} + \z{r}{r - 1}{i} + u_{r - 1} \repv{R_{r - 1}}{G}{i}$ for all $i \in [0, 2^{r})$. Thus we can rewrite the above as -> -> $$ -\begin{array}{rl} -\m{U}{r} &= \left( u_{r - 1}^{-1} \repv{L_{r - 1}}{G}{i} + \z{r}{r - 1}{i} + u_{r - 1} \repv{R_{r - 1}}{G}{i} \right) \\ -&\cdot \; \mathbf{s}_i^{-1} z \prod_{j=0}^{r - 1} (1 + u_{k - 1 - j} x_3^{2^j}) \\ -&= \left( u_{r - 1}^{-1} \repv{L_{r - 1}}{G}{i + 2^{r - 1}} + \z{r}{r - 1}{i + 2^{r - 1}} + u_{r - 1} \repv{R_{r - 1}}{G}{i + 2^{r - 1}} \right) \\ -&\cdot \; \mathbf{s}_i^{-1} u_{r - 1}^{-1} z \prod_{j=0}^{r - 1} (1 + u_{k - 1 - j} x_3^{2^j}) \\ -&\forall i \in [0, 2^{r - 1}) -\end{array} -$$ -> -> Now let us rewrite these equalities substituting $u_{r - 1}$ with formal indeterminate $X$. -> -> $$ -\begin{array}{rl} -& X^{-1} \repr{L_{r - 1}}{U} + \m{U}{r - 1} + X \repr{R_{r - 1}}{U} \\ -&= \left( X^{-1} \repv{L_{r - 1}}{G}{i} + \z{r}{r - 1}{i} + X \repv{R_{r - 1}}{G}{i} \right) \\ -&\cdot \; \mathbf{s}_i^{-1} z \prod_{j=0}^{r - 2} (1 + u_{k - 1 - j} x_3^{2^j}) (1 + x_3^{2^{r - 1}} X) \\ -&= \left( X^{-1} \repv{L_{r - 1}}{G}{i + 2^{r - 1}} + \z{r}{r - 1}{i + 2^{r - 1}} + X \repv{R_{r - 1}}{G}{i + 2^{r - 1}} \right) \\ -&\cdot \; \mathbf{s}_i^{-1} z \prod_{j=0}^{r - 2} (1 + u_{k - 1 - j} x_3^{2^j}) (X^{-1} + x_3^{2^{r - 1}}) \\ -&\forall i \in [0, 2^{r - 1}) -\end{array} -$$ -> -> Now let us rescale everything by $X^2$ to remove negative exponents. -> -> $$ -\begin{array}{rl} -& X \repr{L_{r - 1}}{U} + X^2 \m{U}{r - 1} + X^3 \repr{R_{r - 1}}{U} \\ -&= \left( X^{-1} \repv{L_{r - 1}}{G}{i} + \z{r}{r - 1}{i} + X \repv{R_{r - 1}}{G}{i} \right) \\ -&\cdot \; \mathbf{s}_i^{-1} z \prod_{j=0}^{r - 2} (1 + u_{k - 1 - j} x_3^{2^j}) (X^2 + x_3^{2^{r - 1}} X^3) \\ -&= \left( X^{-1} \repv{L_{r - 1}}{G}{i + 2^{r - 1}} + \z{r}{r - 1}{i + 2^{r - 1}} + X \repv{R_{r - 1}}{G}{i + 2^{r - 1}} \right) \\ -&\cdot \; \mathbf{s}_i^{-1} z \prod_{j=0}^{r - 2} (1 + u_{k - 1 - j} x_3^{2^j}) (X + x_3^{2^{r - 1}} X^2) \\ -&\forall i \in [0, 2^{r - 1}) -\end{array} -$$ -> -> This gives us $2^{r - 1}$ triples of maximal degree-$4$ polynomials in $X$ that agree at $u_{r - 1}$ despite having coefficients determined prior to the choice of $u_{r - 1}$. The probability that two of these polynomials would agree at $u_{r - 1}$ and yet be distinct would be $\frac{4}{|\ch|}$ by the Schwartz-Zippel lemma and so by the union bound the probability that the three of these polynomials agree and yet any of them is distinct from another is $\frac{8}{|\ch|}$. By the union bound again the probability that any of the $2^{r - 1}$ triples have multiple distinct polynomials is $\frac{2^{r - 1}\cdot8}{|\ch|}$. By restricting the challenge space for $u_{r - 1}$ accordingly we obtain $|\badch(\trprefix{\tr'}{u_r})|/|\ch| \leq \frac{2^{r - 1}\cdot8}{|\ch|}$ for integers $0 \lt r \leq k$ and thus $|\badch(\trprefix{\tr'}{u_k})|/|\ch| \leq \frac{4n}{|\ch|} \leq \epsilon$. -> -> We can now conclude an equality of polynomials, and thus of coefficients. Consider the coefficients of the constant terms first, which gives us the $2^{r - 1}$ equalities -> $$ -0 = 0 = \mathbf{s}_i^{-1} z \left( \prod_{j=0}^{r - 2} (1 + u_{k - 1 - j} x_3^{2^j}) \right) \cdot \repv{L_{r - 1}}{G}{i + 2^{r - 1}} \forall i \in [0, 2^{r - 1}) -$$ -> -> No value of $\mathbf{s}$ is zero, $z$ is never chosen to be $0$ and each $u_j$ is chosen so that $1 + u_{k - 1 - j} x_3^{2^j}$ is nonzero, so we can then conclude -> $$ -0 = \repv{L_{r - 1}}{G}{i + 2^{r - 1}} \forall i \in [0, 2^{r - 1}) -$$ -> -> An identical process can be followed with respect to the coefficients of the $X^4$ term in the equalities to establish $0 = \repv{R_{r - 1}}{G}{i} \forall i \in [0, 2^{r - 1})$ contingent on $x_3$ being nonzero, which it always is. Substituting these in our equalities yields us something simpler -> -> $$ -\begin{array}{rl} -& X \repr{L_{r - 1}}{U} + X^2 \m{U}{r - 1} + X^3 \repr{R_{r - 1}}{U} \\ -&= \left( X^{-1} \repv{L_{r - 1}}{G}{i} + \z{r}{r - 1}{i} \right) \\ -&\cdot \; \mathbf{s}_i^{-1} z \prod_{j=0}^{r - 2} (1 + u_{k - 1 - j} x_3^{2^j}) (X^2 + x_3^{2^{r - 1}} X^3) \\ -&= \left( \z{r}{r - 1}{i + 2^{r - 1}} + X \repv{R_{r - 1}}{G}{i + 2^{r - 1}} \right) \\ -&\cdot \; \mathbf{s}_i^{-1} z \prod_{j=0}^{r - 2} (1 + u_{k - 1 - j} x_3^{2^j}) (X + x_3^{2^{r - 1}} X^2) \\ -&\forall i \in [0, 2^{r - 1}) -\end{array} -$$ -> -> Now we will consider the coefficients in $X$, which yield the equalities -> -> $$ -\begin{array}{rl} -\repr{L_{r - 1}}{U} &= \mathbf{s}_i^{-1} z \prod_{j=0}^{r - 2} (1 + u_{k - 1 - j} x_3^{2^j}) \cdot \repv{L_{r - 1}}{G}{i} \\ -&= \mathbf{s}_i^{-1} z \prod_{j=0}^{r - 2} (1 + u_{k - 1 - j} x_3^{2^j}) \cdot \z{r}{r - 1}{i + 2^{r - 1}} \\ -&\forall i \in [0, 2^{r - 1}) -\end{array} -$$ -> -> which for similar reasoning as before yields the equalities -> $$ -\repv{L_{r - 1}}{G}{i} = \z{r}{r - 1}{i + 2^{r - 1}} \forall i \in [0, 2^{r - 1}) -$$ -> -> Finally we will consider the coefficients in $X^2$ which yield the equalities -> -> $$ -\begin{array}{rl} -\m{U}{r - 1} &= \mathbf{s}_i^{-1} z \prod_{j=0}^{r - 2} (1 + u_{k - 1 - j} x_3^{2^j}) \cdot \left( \z{r}{r - 1}{i} + \repv{L_{r - 1}}{G}{i} x_3^{2^{r - 1}} \right) \\ -&\forall i \in [0, 2^{r - 1}) -\end{array} -$$ -> -> which by substitution gives us $\forall i \in [0, 2^{r - 1})$ -> $$ -\m{U}{r - 1} = \mathbf{s}_i^{-1} z \prod_{j=0}^{r - 2} (1 + u_{k - 1 - j} x_3^{2^j}) \cdot \left( \z{r}{r - 1}{i} + \z{r}{r - 1}{i + 2^{r - 1}} x_3^{2^{r - 1}} \right) -$$ -> -> Notice that by the definition of $\z{r - 1}{m}{i}$ we can rewrite this as -> -> $$ -\m{U}{r - 1} = \z{r - 1}{r - 1}{i} \cdot \mathbf{s}_i^{-1} z \prod_{j=0}^{r - 2} (1 + u_{k - 1 - j} x_3^{2^j}) \forall i \in [0, 2^{r - 1}) -$$ -> -> which is precisely in the form we set out to demonstrate. -> -> We now proceed by induction from the case $r = k$ (which we know holds) to reach $r = 0$, which gives us -$$ -\m{U}{0} = \z{0}{0}{0} \cdot \mathbf{s}_0^{-1} z -$$ -> -> and because $\m{U}{0} = \repr{P'}{U}$ and $\z{0}{0}{0} = \sum_{i=0}^{2^k - 1} x_3^i \repv{P'}{G}{i}$, we obtain $\repr{P'}{U} = z \sum_{i=0}^{2^k - 1} x_3^i \repv{P'}{G}{i}$, which completes the proof. - -Having established that $\repr{P'}{U} = z \sum_{i=0}^{2^k - 1} x_3^i \repv{P'}{G}{i}$, and given that $x_3$ and $\repv{P'}{G}{i}$ are fixed in advance of the choice of $z$, we have that at most one value of $z \in \ch$ (which is nonzero) exists such that $\repr{P'}{U} = z \sum_{i=0}^{2^k - 1} x_3^i \repv{P'}{G}{i}$ and yet $\repr{P'}{U} \neq 0$. By restricting $|\badch(\trprefix{\tr'}{z})|/|\ch| \leq \frac{1}{|\ch|} \leq \epsilon$ accordingly we obtain $\repr{P'}{U} = 0$ and therefore that the polynomial defined by $\repr{P'}{\mathbf{G}}$ has a root at $x_3$. - -By construction $P' = P - [v] \mathbf{G}_0 + [\xi] S$, giving us that the polynomial defined by $\repr{P + [\xi] S}{\mathbf{G}}$ evaluates to $v$ at the point $x_3$. We have that $v, P, S$ are fixed prior to the choice of $\xi$, and so either the polynomial defined by $\repr{S}{\mathbf{G}}$ has a root at $x_3$ (which implies the polynomial defined by $\repr{P}{\mathbf{G}}$ evaluates to $v$ at the point $x_3$) or else $\xi$ is the single solution in $\ch$ for which $\repr{P + [\xi] S}{\mathbf{G}}$ evaluates to $v$ at the point $x_3$ while $\repr{P}{\mathbf{G}}$ itself does not. We avoid the latter case by restricting $|\badch(\trprefix{\tr'}{\xi})|/|\ch| \leq \frac{1}{|\ch|} \leq \epsilon$ accordingly and can thus conclude that the polynomial defined by $\repr{P}{\mathbf{G}}$ evaluates to $v$ at $x_3$. - -The remaining work deals strictly with the representations of group elements sent previously by the prover and their relationship with $P$ as well as the challenges chosen in each round of the protocol. We will simplify things first by using $p(X)$ to represent the polynomial defined by $\repr{P}{\mathbf{G}}$, as it is the case that this $p(X)$ corresponds exactly with the like-named polynomial in the protocol itself. We will make similar substitutions for the other group elements (and their corresponding polynomials) to aid in exposition, as the remainder of this proof is mainly tedious application of the Schwartz-Zippel lemma to upper bound the bad challenge space size for each of the remaining challenges in the protocol. - -Recall that $P = Q' + x_4 \sum\limits_{i=0}^{n_q - 1} [x_4^i] Q_i$, and so by substitution we have $p(X) = q'(X) + x_4 \sum\limits_{i=0}^{n_q - 1} x_4^i q_i(X)$. Recall also that - -$$ -v = \sum\limits_{i=0}^{n_q - 1} -\left( -x_2^i - \left( - \frac - { \mathbf{u}_i - r_i(x_3) } - {\prod\limits_{j=0}^{n_e - 1} - \left( - x_3 - \omega^{\left( - \mathbf{q_i} - \right)_j} x - \right) - } - \right) -\right) -+ -x_4 \sum\limits_{i=0}^{n_q - 1} x_4 \mathbf{u}_i -$$ - -We have already established that $p(x_3) = v$. Notice that the coefficients in the above expressions for $v$ and $P$ are fixed prior to the choice of $x_4 \in \ch$. By the Schwartz-Zippel lemma we have that only at most $n_q + 1$ possible choices of $x_4$ exist such that these expressions are satisfied and yet $q_i(x_3) \neq \mathbf{u}_i$ for any $i$ or - -$$ -q'(x_3) \neq \sum\limits_{i=0}^{n_q - 1} -\left( -x_2^i - \left( - \frac - { \mathbf{u}_i - r_i(x_3) } - {\prod\limits_{j=0}^{n_e - 1} - \left( - x_3 - \omega^{\left( - \mathbf{q_i} - \right)_j} x - \right) - } - \right) -\right) -$$ - -By restricting $|\badch(\trprefix{\tr'}{x_4})|/|\ch| \leq \frac{n_q + 1}{|\ch|} \leq \epsilon$ we can conclude that all of the aforementioned inequalities are untrue. Now we can substitute $\mathbf{u}_i$ with $q_i(x_3)$ for all $i$ to obtain - -$$ -q'(x_3) = \sum\limits_{i=0}^{n_q - 1} -\left( -x_2^i - \left( - \frac - { q_i(x_3) - r_i(x_3) } - {\prod\limits_{j=0}^{n_e - 1} - \left( - x_3 - \omega^{\left( - \mathbf{q_i} - \right)_j} x - \right) - } - \right) -\right) -$$ - -Suppose that $q'(X)$ (which is the polynomial defined by $\repr{Q'}{\mathbf{G}}$, and is of degree at most $n - 1$) does _not_ take the form - -$$\sum\limits_{i=0}^{n_q - 1} - -x_2^i - \left( - \frac - {q_i(X) - r_i(X)} - {\prod\limits_{j=0}^{n_e - 1} - \left( - X - \omega^{\left( - \mathbf{q_i} - \right)_j} x - \right) - } - \right) -$$ - -and yet $q'(X)$ agrees with this expression at $x_3$ as we've established above. By the Schwartz-Zippel lemma this can only happen for at most $n - 1$ choices of $x_3 \in \ch$ and so by restricting $|\badch(\trprefix{\tr'}{x_3})|/|\ch| \leq \frac{n - 1}{|\ch|} \leq \epsilon$ we obtain that - -$$q'(X) = \sum\limits_{i=0}^{n_q - 1} - -x_2^i - \left( - \frac - {q_i(X) - r_i(X)} - {\prod\limits_{j=0}^{n_e - 1} - \left( - X - \omega^{\left( - \mathbf{q_i} - \right)_j} x - \right) - } - \right) -$$ - -Next we will extract the coefficients of this polynomial in $x_2$ (which are themselves polynomials in formal indeterminate $X$) by again applying the Schwartz-Zippel lemma with respect to $x_2$; again, this leads to the restriction $|\badch(\trprefix{\tr'}{x_2})|/|\ch| \leq \frac{n_q}{|\ch|} \leq \epsilon$ and we obtain the following polynomials of degree at most $n - 1$ for all $i \in [0, n_q - 1)$ - -$$ -\frac - {q_i(X) - r_i(X)} - {\prod\limits_{j=0}^{n_e - 1} - \left( - X - \omega^{\left( - \mathbf{q_i} - \right)_j} x - \right) - } -$$ - -Having established that these are each non-rational polynomials of degree at most $n - 1$ we can then say (by the factor theorem) that for each $i \in [0, n_q - 1]$ and $j \in [0, n_e - 1]$ we have that $q_i(X) - r_i(X)$ has a root at $\omega^{\left(\mathbf{q_i}\right)_j} x$. Note that we can interpret each $q_i(X)$ as the restriction of a _bivariate_ polynomial at the point $x_1$ whose degree with respect to $x_1$ is at most $n_a + 1$ and whose coefficients consist of various polynomials $a'_i(X)$ (from the representation $\repr{A'_i}{\mathbf{G}}$) as well as $h'(X)$ (from the representation $\repr{H'_i}{\mathbf{G}}$) and $r(X)$ (from the representation $\repr{R}{\mathbf{G}}$). By similarly applying the Schwartz-Zippel lemma and restricting the challenge space with $|\badch(\trprefix{\tr'}{x_1})|/|\ch| \leq \frac{n_a + 1}{|\ch|} \leq \epsilon$ we obtain (by construction of each $q'_i(X)$ and $r_i(X)$ in steps 12 and 13 of the protocol) that the prover's claimed value of $r$ in step 9 is equal to $r(x)$; that the value $h$ computed by the verifier in step 13 is equal to $h'(x)$; and that for all $i \in [0, n_q - 1]$ the prover's claimed values $(\mathbf{a_i})_j = a'_i(\omega^{(\mathbf{p_i})_j} x)$ for all $j \in [0, n_e - 1]$. - -By construction of $h'(X)$ (from the representation $\repr{H'}{\mathbf{G}}$) in step 7 we know that $h'(x) = h(x)$ where by $h(X)$ we refer to the polynomial of degree at most $(n_g - 1) \cdot (n - 1)$ whose coefficients correspond to the concatenated representations of each $\repr{H_i}{\mathbf{G}}$. As before, suppose that $h(X)$ does _not_ take the form $g'(X) / t(X)$. Then because $h(X)$ is determined prior to the choice of $x$ then by the Schwartz-Zippel lemma we know that it would only agree with $g'(X) / t(X)$ at $(n_g - 1) \cdot (n - 1)$ points at most if the polynomials were not equal. By restricting again $|\badch(\trprefix{\tr'}{x})|/|\ch| \leq \frac{(n_g - 1) \cdot (n - 1)}{|\ch|} \leq \epsilon$ we obtain $h(X) = g'(X) / t(X)$ and because $h(X)$ is a non-rational polynomial by the factor theorem we obtain that $g'(X)$ vanishes over the domain $D$. - -We now have that $g'(X)$ vanishes over $D$ but wish to show that $g(X, C_0, C_1, \cdots)$ vanishes over $D$ at all points to complete the proof. This just involves a sequence of applying the same technique to each of the challenges; since the polynomial $g(\cdots)$ has degree at most $n_g \cdot (n - 1)$ in any indeterminate by definition, and because each polynomial $a_i(X, C_0, C_1, ..., C_{i - 1}, \cdots)$ is determined prior to the choice of concrete challenge $c_i$ by similarly bounding $|\badch(\trprefix{\tr'}{c_i})|/|\ch| \leq \frac{n_g \cdot (n - 1)}{|\ch|} \leq \epsilon$ we ensure that $g(X, C_0, C_1, \cdots)$ vanishes over $D$, completing the proof. diff --git a/book/src/design/proving-system.md b/book/src/design/proving-system.md deleted file mode 100644 index a0ed0f1fb7..0000000000 --- a/book/src/design/proving-system.md +++ /dev/null @@ -1,74 +0,0 @@ -# Proving system - -The Halo 2 proving system can be broken down into five stages: - -1. Commit to polynomials encoding the main components of the circuit: - - Cell assignments. - - Permuted values and products for each lookup argument. - - Equality constraint permutations. -2. Construct the vanishing argument to constrain all circuit relations to zero: - - Standard and custom gates. - - Lookup argument rules. - - Equality constraint permutation rules. -3. Evaluate the above polynomials at all necessary points: - - All relative rotations used by custom gates across all columns. - - Vanishing argument pieces. -4. Construct the multipoint opening argument to check that all evaluations are consistent - with their respective commitments. -5. Run the inner product argument to create a polynomial commitment opening proof for the - multipoint opening argument polynomial. - -These stages are presented in turn across this section of the book. - -## Example - -To aid our explanations, we will at times refer to the following example constraint -system: - -- Four advice columns $a, b, c, d$. -- One fixed column $f$. -- Three custom gates: - - $a \cdot b \cdot c_{-1} - d = 0$ - - $f_{-1} \cdot c = 0$ - - $f \cdot d \cdot a = 0$ - -## tl;dr - -The table below provides a (probably too) succinct description of the Halo 2 protocol. -This description will likely be replaced by the Halo 2 paper and security proof, but for -now serves as a summary of the following sub-sections. - -| Prover | | Verifier | -| --------------------------------------------------------------------------- | ------- | ---------------------------------- | -| | $\larr$ | $t(X) = (X^n - 1)$ | -| | $\larr$ | $F = [F_0, F_1, \dots, F_{m - 1}]$ | -| $\mathbf{A} = [A_0, A_1, \dots, A_{m - 1}]$ | $\rarr$ | | -| | $\larr$ | $\theta$ | -| $\mathbf{L} = [(A'_0, S'_0), \dots, (A'_{m - 1}, S'_{m - 1})]$ | $\rarr$ | | -| | $\larr$ | $\beta, \gamma$ | -| $\mathbf{Z_P} = [Z_{P,0}, Z_{P,1}, \ldots]$ | $\rarr$ | | -| $\mathbf{Z_L} = [Z_{L,0}, Z_{L,1}, \ldots]$ | $\rarr$ | | -| | $\larr$ | $y$ | -| $h(X) = \frac{\text{gate}_0(X) + \dots + y^i \cdot \text{gate}_i(X)}{t(X)}$ | | | -| $h(X) = h_0(X) + \dots + X^{n(d-1)} h_{d-1}(X)$ | | | -| $\mathbf{H} = [H_0, H_1, \dots, H_{d-1}]$ | $\rarr$ | | -| | $\larr$ | $x$ | -| $evals = [A_0(x), \dots, H_{d - 1}(x)]$ | $\rarr$ | | -| | | Checks $h(x)$ | -| | $\larr$ | $x_1, x_2$ | -| Constructs $h'(X)$ multipoint opening poly | | | -| $U = \text{Commit}(h'(X))$ | $\rarr$ | | -| | $\larr$ | $x_3$ | -| $\mathbf{q}_\text{evals} = [Q_0(x_3), Q_1(x_3), \dots]$ | $\rarr$ | | -| $u_\text{eval} = U(x_3)$ | $\rarr$ | | -| | $\larr$ | $x_4$ | - -Then the prover and verifier: - -- Construct $\text{finalPoly}(X)$ as a linear combination of $\mathbf{Q}$ and $U$ using - powers of $x_4$; -- Construct $\text{finalPolyEval}$ as the equivalent linear combination of - $\mathbf{q}_\text{evals}$ and $u_\text{eval}$; and -- Perform $\text{InnerProduct}(\text{finalPoly}(X), x_3, \text{finalPolyEval}).$ - -> TODO: Write up protocol components that provide zero-knowledge. diff --git a/book/src/design/proving-system/circuit-commitments.md b/book/src/design/proving-system/circuit-commitments.md deleted file mode 100644 index 7352788929..0000000000 --- a/book/src/design/proving-system/circuit-commitments.md +++ /dev/null @@ -1,114 +0,0 @@ -# Circuit commitments - -## Committing to the circuit assignments - -At the start of proof creation, the prover has a table of cell assignments that it claims -satisfy the constraint system. The table has $n = 2^k$ rows, and is broken into advice, -instance, and fixed columns. We define $F_{i,j}$ as the assignment in the $j$th row of -the $i$th fixed column. Without loss of generality, we'll similarly define $A_{i,j}$ to -represent the advice and instance assignments. - -> We separate fixed columns here because they are provided by the verifier, whereas the -> advice and instance columns are provided by the prover. In practice, the commitments to -> instance and fixed columns are computed by both the prover and verifier, and only the -> advice commitments are stored in the proof. - -To commit to these assignments, we construct Lagrange polynomials of degree $n - 1$ for -each column, over an evaluation domain of size $n$ (where $\omega$ is the $n$th primitive -root of unity): - -- $a_i(X)$ interpolates such that $a_i(\omega^j) = A_{i,j}$. -- $f_i(X)$ interpolates such that $f_i(\omega^j) = F_{i,j}$. - -We then create a blinding commitment to the polynomial for each column: - -$$\mathbf{A} = [\text{Commit}(a_0(X)), \dots, \text{Commit}(a_i(X))]$$ -$$\mathbf{F} = [\text{Commit}(f_0(X)), \dots, \text{Commit}(f_i(X))]$$ - -$\mathbf{F}$ is constructed as part of key generation, using a blinding factor of $1$. -$\mathbf{A}$ is constructed by the prover and sent to the verifier. - -## Committing to the lookup permutations - -The verifier starts by sampling $\theta$, which is used to keep individual columns within -lookups independent. Then, the prover commits to the permutations for each lookup as -follows: - -- Given a lookup with input column polynomials $[A_0(X), \dots, A_{m-1}(X)]$ and table - column polynomials $[S_0(X), \dots, S_{m-1}(X)]$, the prover constructs two compressed - polynomials - - $$A_\text{compressed}(X) = \theta^{m-1} A_0(X) + \theta^{m-2} A_1(X) + \dots + \theta A_{m-2}(X) + A_{m-1}(X)$$ - $$S_\text{compressed}(X) = \theta^{m-1} S_0(X) + \theta^{m-2} S_1(X) + \dots + \theta S_{m-2}(X) + S_{m-1}(X)$$ - -- The prover then permutes $A_\text{compressed}(X)$ and $S_\text{compressed}(X)$ according - to the [rules of the lookup argument](lookup.md), obtaining $A'(X)$ and $S'(X)$. - -The prover creates blinding commitments for all of the lookups - -$$\mathbf{L} = \left[ (\text{Commit}(A'(X))), \text{Commit}(S'(X))), \dots \right]$$ - -and sends them to the verifier. - -After the verifier receives $\mathbf{A}$, $\mathbf{F}$, and $\mathbf{L}$, it samples -challenges $\beta$ and $\gamma$ that will be used in the permutation argument and the -remainder of the lookup argument below. (These challenges can be reused because the -arguments are independent.) - -## Committing to the equality constraint permutation - -Let $c$ be the number of columns that are enabled for equality constraints. - -Let $m$ be the maximum number of columns that can accommodated by a -[column set](permutation.md#spanning-a-large-number-of-columns) without exceeding -the PLONK configuration's maximum constraint degree. - -Let $u$ be the number of “usable” rows as defined in the -[Permutation argument](permutation.md#zero-knowledge-adjustment) section. - -Let $b = \mathsf{ceiling}(c/m).$ - -The prover constructs a vector $\mathbf{P}$ of length $bu$ such that for each -column set $0 \leq a < b$ and each row $0 \leq j < u,$ - -$$ -\mathbf{P}_{au + j} = \prod\limits_{i=am}^{\min(c, (a+1)m)-1} \frac{v_i(\omega^j) + \beta \cdot \delta^i \cdot \omega^j + \gamma}{v_i(\omega^j) + \beta \cdot s_i(\omega^j) + \gamma}. -$$ - -The prover then computes a running product of $\mathbf{P}$, starting at $1$, -and a vector of polynomials $Z_{P,0..b-1}$ that each have a Lagrange basis -representation corresponding to a $u$-sized slice of this running product, as -described in the [Permutation argument](permutation.md#argument-specification) -section. - -The prover creates blinding commitments to each $Z_{P,a}$ polynomial: - -$$\mathbf{Z_P} = \left[\text{Commit}(Z_{P,0}(X)), \dots, \text{Commit}(Z_{P,b-1}(X))\right]$$ - -and sends them to the verifier. - -## Committing to the lookup permutation product columns - -In addition to committing to the individual permuted lookups, for each lookup, -the prover needs to commit to the permutation product column: - -- The prover constructs a vector $P$: - -$$ -P_j = \frac{(A_\text{compressed}(\omega^j) + \beta)(S_\text{compressed}(\omega^j) + \gamma)}{(A'(\omega^j) + \beta)(S'(\omega^j) + \gamma)} -$$ - -- The prover constructs a polynomial $Z_L$ which has a Lagrange basis representation - corresponding to a running product of $P$, starting at $Z_L(1) = 1$. - -$\beta$ and $\gamma$ are used to combine the permutation arguments for $A'(X)$ and $S'(X)$ -while keeping them independent. The important thing here is that the verifier samples -$\beta$ and $\gamma$ after the prover has created $\mathbf{A}$, $\mathbf{F}$, and -$\mathbf{L}$ (and thus committed to all the cell values used in lookup columns, as well -as $A'(X)$ and $S'(X)$ for each lookup). - -As before, the prover creates blinding commitments to each $Z_L$ polynomial: - -$$\mathbf{Z_L} = \left[\text{Commit}(Z_L(X)), \dots \right]$$ - -and sends them to the verifier. diff --git a/book/src/design/proving-system/comparison.md b/book/src/design/proving-system/comparison.md deleted file mode 100644 index 87496a82b0..0000000000 --- a/book/src/design/proving-system/comparison.md +++ /dev/null @@ -1,55 +0,0 @@ -# Comparison to other work - -## BCMS20 Appendix A.2 - -Appendix A.2 of [BCMS20] describes a polynomial commitment scheme that is similar to the -one described in [BGH19] (BCMS20 being a generalization of the original Halo paper). Halo -2 builds on both of these works, and thus itself uses a polynomial commitment scheme that -is very similar to the one in BCMS20. - -[BGH19]: https://eprint.iacr.org/2019/1021 -[BCMS20]: https://eprint.iacr.org/2020/499 - -The following table provides a mapping between the variable names in BCMS20, and the -equivalent objects in Halo 2 (which builds on the nomenclature from the Halo paper): - -| BCMS20 | Halo 2 | -| :------------: | :-----------------: | -| $S$ | $H$ | -| $H$ | $U$ | -| $C$ | `msm` or $P$ | -| $\alpha$ | $\iota$ | -| $\xi_0$ | $z$ | -| $\xi_i$ | `challenge_i` | -| $H'$ | $[z] U$ | -| $\bar{p}$ | `s_poly` | -| $\bar{\omega}$ | `s_poly_blind` | -| $\bar{C}$ | `s_poly_commitment` | -| $h(X)$ | $g(X)$ | -| $U$ | $G$ | -| $\omega'$ | `blind` / $\xi$ | -| $\mathbf{c}$ | $\mathbf{a}$ | -| $c$ | $a = \mathbf{a}_0$ | -| $v'$ | $ab$ | - -Halo 2's polynomial commitment scheme differs from Appendix A.2 of BCMS20 in two ways: - -1. Step 8 of the $\text{Open}$ algorithm computes a "non-hiding" commitment $C'$ prior to - the inner product argument, which opens to the same value as $C$ but is a commitment to - a randomly-drawn polynomial. The remainder of the protocol involves no blinding. By - contrast, in Halo 2 we blind every single commitment that we make (even for instance - and fixed polynomials, though using a blinding factor of 1 for the fixed polynomials); - this makes the protocol simpler to reason about. As a consequence of this, the verifier - needs to handle the cumulative blinding factor at the end of the protocol, and so there - is no need to derive an equivalent to $C'$ at the start of the protocol. - - - $C'$ is also an input to the random oracle for $\xi_0$; in Halo 2 we utilize a - transcript that has already committed to the equivalent components of $C'$ prior to - sampling $z$. - -2. The $\text{PC}_\text{DL}.\text{SuccinctCheck}$ subroutine (Figure 2 of BCMS20) computes - the initial group element $C_0$ by adding $[v] H' = [v \xi_0] H$, which requires two - scalar multiplications. Instead, we subtract $[v] G_0$ from the original commitment $P$, - so that we're effectively opening the polynomial at the point to the value zero. The - computation $[v] G_0$ is more efficient in the context of recursion because $G_0$ is a - fixed base (so we can use lookup tables). diff --git a/book/src/design/proving-system/inner-product.md b/book/src/design/proving-system/inner-product.md deleted file mode 100644 index 7ccc9b2fbf..0000000000 --- a/book/src/design/proving-system/inner-product.md +++ /dev/null @@ -1,11 +0,0 @@ -# Inner product argument - -Halo 2 uses a polynomial commitment scheme for which we can create polynomial commitment -opening proofs, based around the Inner Product Argument. - -> TODO: Explain Halo 2's variant of the IPA. -> -> It is very similar to $\text{PC}_\text{DL}.\text{Open}$ from Appendix A.2 of [BCMS20]. -> See [this comparison](comparison.md#bcms20-appendix-a2) for details. -> -> [BCMS20]: https://eprint.iacr.org/2020/499 diff --git a/book/src/design/proving-system/lookup.md b/book/src/design/proving-system/lookup.md deleted file mode 100644 index 3bc7a4a99d..0000000000 --- a/book/src/design/proving-system/lookup.md +++ /dev/null @@ -1,177 +0,0 @@ -# Lookup argument - -Halo 2 uses the following lookup technique, which allows for lookups in arbitrary sets, and -is arguably simpler than Plookup. - -## Note on Language - -In addition to the [general notes on language](../../design.md#note-on-language): - -- We call the $Z(X)$ polynomial (the grand product argument polynomial for the permutation - argument) the "permutation product" column. - -## Technique Description - -For ease of explanation, we'll first describe a simplified version of the argument that -ignores zero knowledge. - -We express lookups in terms of a "subset argument" over a table with $2^k$ rows (numbered -from 0), and columns $A$ and $S.$ - -The goal of the subset argument is to enforce that every cell in $A$ is equal to _some_ -cell in $S.$ This means that more than one cell in $A$ can be equal to the _same_ cell in -$S,$ and some cells in $S$ don't need to be equal to any of the cells in $A.$ - -- $S$ might be fixed, but it doesn't need to be. That is, we can support looking up values - in either fixed or variable tables (where the latter includes advice columns). -- $A$ and $S$ can contain duplicates. If the sets represented by $A$ and/or $S$ are not - naturally of size $2^k,$ we extend $S$ with duplicates and $A$ with dummy values known - to be in $S.$ - - Alternatively we could add a "lookup selector" that controls which elements of the $A$ - column participate in lookups. This would modify the occurrence of $A(X)$ in the - permutation rule below to replace $A$ with, say, $S_0$ if a lookup is not selected. - -Let $\ell_i$ be the Lagrange basis polynomial that evaluates to $1$ at row $i,$ and $0$ -otherwise. - -We start by allowing the prover to supply permutation columns of $A$ and $S.$ Let's call -these $A'$ and $S',$ respectively. We can enforce that they are permutations using a -permutation argument with product column $Z$ with the rules: - -$$ -Z(\omega X) \cdot (A'(X) + \beta) \cdot (S'(X) + \gamma) - Z(X) \cdot (A(X) + \beta) \cdot (S(X) + \gamma) = 0 -$$$$ -\ell_0(X) \cdot (1 - Z(X)) = 0 -$$ - -i.e. provided that division by zero does not occur, we have for all $i \in [0, 2^k)$: - -$$ -Z_{i+1} = Z_i \cdot \frac{(A_i + \beta) \cdot (S_i + \gamma)}{(A'_i + \beta) \cdot (S'_i + \gamma)} -$$$$ -Z_{2^k} = Z_0 = 1. -$$ - -This is a version of the permutation argument which allows $A'$ and $S'$ to be -permutations of $A$ and $S,$ respectively, but doesn't specify the exact permutations. -$\beta$ and $\gamma$ are separate challenges so that we can combine these two permutation -arguments into one without worrying that they might interfere with each other. - -The goal of these permutations is to allow $A'$ and $S'$ to be arranged by the prover in a -particular way: - -1. All the cells of column $A'$ are arranged so that like-valued cells are vertically - adjacent to each other. This could be done by some kind of sorting algorithm, but all - that matters is that like-valued cells are on consecutive rows in column $A',$ and that - $A'$ is a permutation of $A.$ -2. The first row in a sequence of like values in $A'$ is the row that has the - corresponding value in $S'.$ Apart from this constraint, $S'$ is any arbitrary - permutation of $S.$ - -Now, we'll enforce that either $A'_i = S'_i$ or that $A'_i = A'_{i-1},$ using the rule - -$$ -(A'(X) - S'(X)) \cdot (A'(X) - A'(\omega^{-1} X)) = 0 -$$ - -In addition, we enforce $A'_0 = S'_0$ using the rule - -$$ -\ell_0(X) \cdot (A'(X) - S'(X)) = 0 -$$ - -(The $A'(X) - A'(\omega^{-1} X)$ term of the first rule here has no effect at row $0,$ even -though $\omega^{-1} X$ "wraps", because of the second rule.) - -Together these constraints effectively force every element in $A'$ (and thus $A$) to equal -at least one element in $S'$ (and thus $S$). Proof: by induction on prefixes of the rows. - -## Zero-knowledge adjustment - -In order to achieve zero knowledge for the PLONK-based proof system, we will need the last -$t$ rows of each column to be filled with random values. This requires an adjustment to the -lookup argument, because these random values would not satisfy the constraints described -above. - -We limit the number of usable rows to $u = 2^k - t - 1.$ We add two selectors: - -* $q_\mathit{blind}$ is set to $1$ on the last $t$ rows, and $0$ elsewhere; -* $q_\mathit{last}$ is set to $1$ only on row $u,$ and $0$ elsewhere (i.e. it is set on the - row in between the usable rows and the blinding rows). - -We enable the constraints from above only for the usable rows: - -$$ -\big(1 - (q_\mathit{last}(X) + q_\mathit{blind}(X))\big) \cdot \big(Z(\omega X) \cdot (A'(X) + \beta) \cdot (S'(X) + \gamma) - Z(X) \cdot (A(X) + \beta) \cdot (S(X) + \gamma)\big) = 0 -$$$$ -\big(1 - (q_\mathit{last}(X) + q_\mathit{blind}(X))\big) \cdot (A'(X) - S'(X)) \cdot (A'(X) - A'(\omega^{-1} X)) = 0 -$$ - -The rules that are enabled on row $0$ remain the same: - -$$ -\ell_0(X) \cdot (A'(X) - S'(X)) = 0 -$$$$ -\ell_0(X) \cdot (1 - Z(X)) = 0 -$$ - -Since we can no longer rely on the wraparound to ensure that the product $Z$ becomes $1$ -again at $\omega^{2^k},$ we would instead need to constrain $Z(\omega^u)$ to $1.$ However, -there is a potential difficulty: if any of the values $A_i + \beta$ or $S_i + \gamma$ are -zero for $i \in [0, u),$ then it might not be possible to satisfy the permutation argument. -This occurs with negligible probability over choices of $\beta$ and $\gamma,$ but is an -obstacle to achieving *perfect* zero knowledge (because an adversary can rule out witnesses -that would cause this situation), as well as perfect completeness. - -To ensure both perfect completeness and perfect zero knowledge, we allow $Z(\omega^u)$ -to be either zero or one: - -$$ -q_\mathit{last}(X) \cdot (Z(X)^2 - Z(X)) = 0 -$$ - -Now if $A_i + \beta$ or $S_i + \gamma$ are zero for some $i,$ we can set $Z_j = 0$ for -$i < j \leq u,$ satisfying the constraint system. - -Note that the challenges $\beta$ and $\gamma$ are chosen after committing to $A$ and $S$ -(and to $A'$ and $S'$), so the prover cannot force the case where some $A_i + \beta$ or -$S_i + \gamma$ is zero to occur. Since this case occurs with negligible probability, -soundness is not affected. - -## Cost - -* There is the original column $A$ and the fixed column $S.$ -* There is a permutation product column $Z.$ -* There are the two permutations $A'$ and $S'.$ -* The gates are all of low degree. - -## Generalizations - -Halo 2's lookup argument implementation generalizes the above technique in the following -ways: - -- $A$ and $S$ can be extended to multiple columns, combined using a random challenge. $A'$ - and $S'$ stay as single columns. - - The commitments to the columns of $S$ can be precomputed, then combined cheaply once - the challenge is known by taking advantage of the homomorphic property of Pedersen - commitments. - - The columns of $A$ can be given as arbitrary polynomial expressions using relative - references. These will be substituted into the product column constraint, subject to - the maximum degree bound. This potentially saves one or more advice columns. -- Then, a lookup argument for an arbitrary-width relation can be implemented in terms of a - subset argument, i.e. to constrain $\mathcal{R}(x, y, ...)$ in each row, consider - $\mathcal{R}$ as a set of tuples $S$ (using the method of the previous point), and check - that $(x, y, ...) \in \mathcal{R}.$ - - In the case where $\mathcal{R}$ represents a function, this implicitly also checks - that the inputs are in the domain. This is typically what we want, and often saves an - additional range check. -- We can support multiple tables in the same circuit, by combining them into a single - table that includes a tag column to identify the original table. - - The tag column could be merged with the "lookup selector" mentioned earlier, if this - were implemented. - -These generalizations are similar to those in sections 4 and 5 of the -[Plookup paper](https://eprint.iacr.org/2020/315.pdf). That is, the differences from -Plookup are in the subset argument. This argument can then be used in all the same ways; -for instance, the optimized range check technique in section 5 of the Plookup paper can -also be used with this subset argument. diff --git a/book/src/design/proving-system/multipoint-opening.md b/book/src/design/proving-system/multipoint-opening.md deleted file mode 100644 index 98982928c0..0000000000 --- a/book/src/design/proving-system/multipoint-opening.md +++ /dev/null @@ -1,94 +0,0 @@ -# Multipoint opening argument - -Consider the commitments $A, B, C, D$ to polynomials $a(X), b(X), c(X), d(X)$. -Let's say that $a$ and $b$ were queried at the point $x$, while $c$ and $d$ -were queried at both points $x$ and $\omega x$. (Here, $\omega$ is the primitive -root of unity in the multiplicative subgroup over which we constructed the -polynomials). - -To open these commitments, we could create a polynomial $Q$ for each point that we queried -at (corresponding to each relative rotation used in the circuit). But this would not be -efficient in the circuit; for example, $c(X)$ would appear in multiple polynomials. - -Instead, we can group the commitments by the sets of points at which they were queried: -$$ -\begin{array}{cccc} -&\{x\}& &\{x, \omega x\}& \\ - &A& &C& \\ - &B& &D& -\end{array} -$$ - -For each of these groups, we combine them into a polynomial set, and create a single $Q$ -for that set, which we open at each rotation. - -## Optimization steps - -The multipoint opening optimization takes as input: - -- A random $x$ sampled by the verifier, at which we evaluate $a(X), b(X), c(X), d(X)$. -- Evaluations of each polynomial at each point of interest, provided by the prover: - $a(x), b(x), c(x), d(x), c(\omega x), d(\omega x)$ - -These are the outputs of the [vanishing argument](vanishing.md#evaluating-the-polynomials). - -The multipoint opening optimization proceeds as such: - -1. Sample random $x_1$, to keep $a, b, c, d$ linearly independent. -2. Accumulate polynomials and their corresponding evaluations according - to the point set at which they were queried: - `q_polys`: - $$ - \begin{array}{rccl} - q_1(X) &=& a(X) &+& x_1 b(X) \\ - q_2(X) &=& c(X) &+& x_1 d(X) - \end{array} - $$ - `q_eval_sets`: - ```math - [ - [a(x) + x_1 b(x)], - [ - c(x) + x_1 d(x), - c(\omega x) + x_1 d(\omega x) - ] - ] - ``` - NB: `q_eval_sets` is a vector of sets of evaluations, where the outer vector - corresponds to the point sets, which in this example are $\{x\}$ and $\{x, \omega x\}$, - and the inner vector corresponds to the points in each set. -3. Interpolate each set of values in `q_eval_sets`: - `r_polys`: - $$ - \begin{array}{cccc} - r_1(X) s.t.&&& \\ - &r_1(x) &=& a(x) + x_1 b(x) \\ - r_2(X) s.t.&&& \\ - &r_2(x) &=& c(x) + x_1 d(x) \\ - &r_2(\omega x) &=& c(\omega x) + x_1 d(\omega x) \\ - \end{array} - $$ -4. Construct `f_polys` which check the correctness of `q_polys`: - `f_polys` - $$ - \begin{array}{rcl} - f_1(X) &=& \frac{ q_1(X) - r_1(X)}{X - x} \\ - f_2(X) &=& \frac{ q_2(X) - r_2(X)}{(X - x)(X - \omega x)} \\ - \end{array} - $$ - - If $q_1(x) = r_1(x)$, then $f_1(X)$ should be a polynomial. - If $q_2(x) = r_2(x)$ and $q_2(\omega x) = r_2(\omega x)$ - then $f_2(X)$ should be a polynomial. -5. Sample random $x_2$ to keep the `f_polys` linearly independent. -6. Construct $f(X) = f_1(X) + x_2 f_2(X)$. -7. Sample random $x_3$, at which we evaluate $f(X)$: - $$ - \begin{array}{rcccl} - f(x_3) &=& f_1(x_3) &+& x_2 f_2(x_3) \\ - &=& \frac{q_1(x_3) - r_1(x_3)}{x_3 - x} &+& x_2\frac{q_2(x_3) - r_2(x_3)}{(x_3 - x)(x_3 - \omega x)} - \end{array} - $$ -8. Sample random $x_4$ to keep $f(X)$ and `q_polys` linearly independent. -9. Construct `final_poly`, $$final\_poly(X) = f(X) + x_4 q_1(X) + x_4^2 q_2(X),$$ - which is the polynomial we commit to in the inner product argument. diff --git a/book/src/design/proving-system/permutation-diagram.png b/book/src/design/proving-system/permutation-diagram.png deleted file mode 100644 index a0f683a90d..0000000000 Binary files a/book/src/design/proving-system/permutation-diagram.png and /dev/null differ diff --git a/book/src/design/proving-system/permutation-diagram.svg b/book/src/design/proving-system/permutation-diagram.svg deleted file mode 100644 index 2ae7f31461..0000000000 --- a/book/src/design/proving-system/permutation-diagram.svg +++ /dev/null @@ -1,1743 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - image/svg+xml - - - - - - - - - - - 7 - - - - - - 7 - - 7 - - 7 - 7 - = - - - - B - 7 - - - C - 7 - - - D - 7 - - - - A - 7 - - - 7 - - 3 - - - - B - 7 - - - D - 7 - - - - A - 7 - - - - 3 - C - - - - - - - - - - - - - σ - - - - - - - - - - - 7 - C - B - A - D - - - - - - - - - - - - σ - - - - - - - - - - - A - B - C - D - - diff --git a/book/src/design/proving-system/permutation.md b/book/src/design/proving-system/permutation.md deleted file mode 100644 index f71e4edf75..0000000000 --- a/book/src/design/proving-system/permutation.md +++ /dev/null @@ -1,272 +0,0 @@ -# Permutation argument - -Given that gates in halo2 circuits operate "locally" (on cells in the current row or -defined relative rows), it is common to need to copy a value from some arbitrary cell into -the current row for use in a gate. This is performed with an equality constraint, which -enforces that the source and destination cells contain the same value. - -We implement these equality constraints by constructing a permutation that represents the -constraints, and then using a permutation argument within the proof to enforce them. - -## Notation - -A permutation is a one-to-one and onto mapping of a set onto itself. A permutation can be -factored uniquely into a composition of cycles (up to ordering of cycles, and rotation of -each cycle). - -We sometimes use [cycle notation](https://en.wikipedia.org/wiki/Permutation#Cycle_notation) -to write permutations. Let $(a\ b\ c)$ denote a cycle where $a$ maps to $b,$ $b$ maps to -$c,$ and $c$ maps to $a$ (with the obvious generalization to arbitrary-sized cycles). -Writing two or more cycles next to each other denotes a composition of the corresponding -permutations. For example, $(a\ b)\ (c\ d)$ denotes the permutation that maps $a$ to $b,$ -$b$ to $a,$ $c$ to $d,$ and $d$ to $c.$ - -## Constructing the permutation - -### Goal - -We want to construct a permutation in which each subset of variables that are in a -equality-constraint set form a cycle. For example, suppose that we have a circuit that -defines the following equality constraints: - -- $a \equiv b$ -- $a \equiv c$ -- $d \equiv e$ - -From this we have the equality-constraint sets $\{a, b, c\}$ and $\{d, e\}.$ We want to -construct the permutation: - -$$(a\ b\ c)\ (d\ e)$$ - -which defines the mapping of $[a, b, c, d, e]$ to $[b, c, a, e, d].$ - -### Algorithm - -We need to keep track of the set of cycles, which is a -[set of disjoint sets](https://en.wikipedia.org/wiki/Disjoint-set_data_structure). -Efficient data structures for this problem are known; for the sake of simplicity we choose -one that is not asymptotically optimal but is easy to implement. - -We represent the current state as: - -- an array $\mathsf{mapping}$ for the permutation itself; -- an auxiliary array $\mathsf{aux}$ that keeps track of a distinguished element of each - cycle; -- another array $\mathsf{sizes}$ that keeps track of the size of each cycle. - -We have the invariant that for each element $x$ in a given cycle $C,$ $\mathsf{aux}(x)$ -points to the same element $c \in C.$ This allows us to quickly decide whether two given -elements $x$ and $y$ are in the same cycle, by checking whether -$\mathsf{aux}(x) = \mathsf{aux}(y).$ Also, $\mathsf{sizes}(\mathsf{aux}(x))$ gives the -size of the cycle containing $x.$ (This is guaranteed only for -$\mathsf{sizes}(\mathsf{aux}(x)),$ not for $\mathsf{sizes}(x).$) - -The algorithm starts with a representation of the identity permutation: -for all $x,$ we set $\mathsf{mapping}(x) = x,$ $\mathsf{aux}(x) = x,$ and -$\mathsf{sizes}(x) = 1.$ - -To add an equality constraint $\mathit{left} \equiv \mathit{right}$: - -1. Check whether $\mathit{left}$ and $\mathit{right}$ are already in the same cycle, i.e. - whether $\mathsf{aux}(\mathit{left}) = \mathsf{aux}(\mathit{right}).$ If so, there is - nothing to do. -2. Otherwise, $\mathit{left}$ and $\mathit{right}$ belong to different cycles. Make - $\mathit{left}$ the larger cycle and $\mathit{right}$ the smaller one, by swapping them - iff $\mathsf{sizes}(\mathsf{aux}(\mathit{left})) < \mathsf{sizes}(\mathsf{aux}(\mathit{right})).$ -3. Set $\mathsf{sizes}(\mathsf{aux}(\mathit{left})) := - \mathsf{sizes}(\mathsf{aux}(\mathit{left})) + \mathsf{sizes}(\mathsf{aux}(\mathit{right})).$ -4. Following the mapping around the right (smaller) cycle, for each element $x$ set - $\mathsf{aux}(x) := \mathsf{aux}(\mathit{left}).$ -5. Splice the smaller cycle into the larger one by swapping $\mathsf{mapping}(\mathit{left})$ - with $\mathsf{mapping}(\mathit{right}).$ - -For example, given two disjoint cycles $(A\ B\ C\ D)$ and $(E\ F\ G\ H)$: - -```plaintext -A +---> B -^ + -| | -+ v -D <---+ C E +---> F - ^ + - | | - + v - H <---+ G -``` - -After adding constraint $B \equiv E$ the above algorithm produces the cycle: - -```plaintext -A +---> B +-------------+ -^ | -| | -+ v -D <---+ C <---+ E F - ^ + - | | - + v - H <---+ G -``` - -### Broken alternatives - -If we did not check whether $\mathit{left}$ and $\mathit{right}$ were already in the same -cycle, then we could end up undoing an equality constraint. For example, if we have the -following constraints: - -- $a \equiv b$ -- $b \equiv c$ -- $c \equiv d$ -- $b \equiv d$ - -and we tried to implement adding an equality constraint just using step 5 of the above -algorithm, then we would end up constructing the cycle $(a\ b)\ (c\ d),$ rather than the -correct $(a\ b\ c\ d).$ - -## Argument specification - -We need to check a permutation of cells in $m$ columns, represented in Lagrange basis by -polynomials $v_0, \ldots, v_{m-1}.$ - -We will label *each cell* in those $m$ columns with a unique element of $\mathbb{F}^\times.$ - -Suppose that we have a permutation on these labels, -$$ -\sigma(\mathsf{column}: i, \mathsf{row}: j) = (\mathsf{column}: i', \mathsf{row}: j'). -$$ -in which the cycles correspond to equality-constraint sets. - -> If we consider the set of pairs $\{(\mathit{label}, \mathit{value})\}$, then the values within -> each cycle are equal if and only if permuting the label in each pair by $\sigma$ yields the -> same set: -> -> ![An example for a cycle (A B C D). The set before permuting the labels is {(A, 7), (B, 7), (C, 7), (D, 7)}, and the set after is {(D, 7), (A, 7), (B, 7), (C, 7)} which is the same. If one of the 7s is replaced by 3, then the set after permuting labels is not the same.](./permutation-diagram.png) -> -> Since the labels are distinct, set equality is the same as multiset equality, which we can -> check using a product argument. - -Let $\omega$ be a $2^k$ root of unity and let $\delta$ be a $T$ root of unity, where -${T \cdot 2^S + 1 = p}$ with $T$ odd and ${k \leq S.}$ -We will use $\delta^i \cdot \omega^j \in \mathbb{F}^\times$ as the label for the -cell in the $j$th row of the $i$th column of the permutation argument. - -We represent $\sigma$ by a vector of $m$ polynomials $s_i(X)$ such that -$s_i(\omega^j) = \delta^{i'} \cdot \omega^{j'}.$ - -Notice that the identity permutation can be represented by the vector of $m$ polynomials -$\mathsf{ID}_i(\omega^j)$ such that $\mathsf{ID}_i(\omega^j) = \delta^i \cdot \omega^j.$ - -We will use a challenge $\beta$ to compress each ${(\mathit{label}, \mathit{value})}$ pair -to $\mathit{value} + \beta \cdot \mathit{label}.$ Just as in the product argument we used -for [lookups](lookup.md), we also use a challenge $\gamma$ to randomize each term of the -product. - -Now given our permutation represented by $s_0, \ldots, s_{m-1}$ over columns represented by -$v_0, \ldots, v_{m-1},$ we want to ensure that: -$$ -\prod\limits_{i=0}^{m-1} \prod\limits_{j=0}^{n-1} \left(\frac{v_i(\omega^j) + \beta \cdot \delta^i \cdot \omega^j + \gamma}{v_i(\omega^j) + \beta \cdot s_i(\omega^j) + \gamma}\right) = 1 -$$ - -> Here ${v_i(\omega^j) + \beta \cdot \delta^i \cdot \omega^j}$ represents the unpermuted -> $(\mathit{label}, value)$ pair, and ${v_i(\omega^j) + \beta \cdot s_i(\omega^j)}$ -> represents the permuted $(\sigma(\mathit{label}), value)$ pair. - -Let $Z_P$ be such that $Z_P(\omega^0) = Z_P(\omega^n) = 1$ and for $0 \leq j < n$: -$$\begin{array}{rl} -Z_P(\omega^{j+1}) &= \prod\limits_{h=0}^{j} \prod\limits_{i=0}^{m-1} \frac{v_i(\omega^h) + \beta \cdot \delta^i \cdot \omega^h + \gamma}{v_i(\omega^h) + \beta \cdot s_i(\omega^h) + \gamma} \\ - &= Z_P(\omega^j) \prod\limits_{i=0}^{m-1} \frac{v_i(\omega^j) + \beta \cdot \delta^i \cdot \omega^j + \gamma}{v_i(\omega^j) + \beta \cdot s_i(\omega^j) + \gamma} -\end{array}$$ - -Then it is sufficient to enforce the rules: -$$ -Z_P(\omega X) \cdot \prod\limits_{i=0}^{m-1} \left(v_i(X) + \beta \cdot s_i(X) + \gamma\right) - Z_P(X) \cdot \prod\limits_{i=0}^{m-1} \left(v_i(X) + \beta \cdot \delta^i \cdot X + \gamma\right) = 0 \\ -\ell_0 \cdot (1 - Z_P(X)) = 0 -$$ - -This assumes that the number of columns $m$ is such that the polynomial in the first -rule above fits within the degree bound of the PLONK configuration. We will see -[below](#spanning-a-large-number-of-columns) how to handle a larger number of columns. - -> The optimization used to obtain the simple representation of the identity permutation was suggested -> by Vitalik Buterin for PLONK, and is described at the end of section 8 of the PLONK paper. Note that -> the $\delta^i$ are all distinct quadratic non-residues, provided that the number of columns that -> are enabled for equality is no more than $T$, which always holds in practice for the curves used in -> Halo 2. - -## Zero-knowledge adjustment - -Similarly to the [lookup argument](lookup.md#zero-knowledge-adjustment), we need an -adjustment to the above argument to account for the last $t$ rows of each column being -filled with random values. - -We limit the number of usable rows to $u = 2^k - t - 1.$ We add two selectors, -defined in the same way as for the lookup argument: - -* $q_\mathit{blind}$ is set to $1$ on the last $t$ rows, and $0$ elsewhere; -* $q_\mathit{last}$ is set to $1$ only on row $u,$ and $0$ elsewhere (i.e. it is set on - the row in between the usable rows and the blinding rows). - -We enable the product rule from above only for the usable rows: - -$\big(1 - (q_\mathit{last}(X) + q_\mathit{blind}(X))\big) \cdot$ -$\hspace{1em}\left(Z_P(\omega X) \cdot \prod\limits_{i=0}^{m-1} \left(v_i(X) + \beta \cdot s_i(X) + \gamma\right) - Z_P(X) \cdot \prod\limits_{i=0}^{m-1} \left(v_i(X) + \beta \cdot \delta^i \cdot X + \gamma\right)\right) = 0$ - -The rule that is enabled on row $0$ remains the same: - -$$ -\ell_0(X) \cdot (1 - Z_P(X)) = 0 -$$ - -Since we can no longer rely on the wraparound to ensure that each product $Z_P$ becomes -$1$ again at $\omega^{2^k},$ we would instead need to constrain $Z(\omega^u) = 1.$ This -raises the same problem that was described for the lookup argument. So we allow -$Z(\omega^u)$ to be either zero or one: - -$$ -q_\mathit{last}(X) \cdot (Z_P(X)^2 - Z_P(X)) = 0 -$$ - -which gives perfect completeness and zero knowledge. - -## Spanning a large number of columns - -The halo2 implementation does not in practice limit the number of columns for which -equality constraints can be enabled. Therefore, it must solve the problem that the -above approach might yield a product rule with a polynomial that exceeds the PLONK -configuration's degree bound. The degree bound could be raised, but this would be -inefficient if no other rules require a larger degree. - -Instead, we split the product across $b$ sets of $m$ columns, using product columns -$Z_{P,0}, \ldots Z_{P,b-1},$ and we use another rule to copy the product from the end -of one column set to the beginning of the next. - -That is, for $0 \leq a < b$ we have: - -$\big(1 - (q_\mathit{last}(X) + q_\mathit{blind}(X))\big) \cdot$ -$\hspace{1em}\left(Z_{P,a}(\omega X) \cdot \!\prod\limits_{i=am}^{(a+1)m-1}\! \left(v_i(X) + \beta \cdot s_i(X) + \gamma\right) - Z_P(X) \cdot \!\prod\limits_{i=am}^{(a+1)m-1}\! \left(v_i(X) + \beta \cdot \delta^i \cdot X + \gamma\right)\right)$ -$\hspace{2em}= 0$ - -> For simplicity this is written assuming that the number of columns enabled for -> equality constraints is a multiple of $m$; if not then the products for the last -> column set will have fewer than $m$ terms. - -For the first column set we have: - -$$ -\ell_0 \cdot (1 - Z_{P,0}(X)) = 0 -$$ - -For each subsequent column set, $0 < a < b,$ we use the following rule to copy -$Z_{P,a-1}(\omega^u)$ to the start of the next column set, $Z_{P,a}(\omega^0)$: - -$$ -\ell_0 \cdot \left(Z_{P,a}(X) - Z_{P,a-1}(\omega^u X)\right) = 0 -$$ - -For the last column set, we allow $Z_{P,b-1}(\omega^u)$ to be either zero or one: - -$$ -q_\mathit{last}(X) \cdot \left(Z_{P,b-1}(X)^2 - Z_{P,b-1}(X)\right) = 0 -$$ - -which gives perfect completeness and zero knowledge as before. diff --git a/book/src/design/proving-system/vanishing.md b/book/src/design/proving-system/vanishing.md deleted file mode 100644 index 72e1e21ee3..0000000000 --- a/book/src/design/proving-system/vanishing.md +++ /dev/null @@ -1,79 +0,0 @@ -# Vanishing argument - -Having committed to the circuit assignments, the prover now needs to demonstrate that the -various circuit relations are satisfied: - -- The custom gates, represented by polynomials $\text{gate}_i(X)$. -- The rules of the lookup arguments. -- The rules of the equality constraint permutations. - -Each of these relations is represented as a polynomial of degree $d$ (the maximum degree -of any of the relations) with respect to the circuit columns. Given that the degree of the -assignment polynomials for each column is $n - 1$, the relation polynomials have degree -$d(n - 1)$ with respect to $X$. - -> In our [example](../proving-system.md#example), these would be the gate polynomials, of -> degree $3n - 3$: -> -> - $\text{gate}_0(X) = a_0(X) \cdot a_1(X) \cdot a_2(X \omega^{-1}) - a_3(X)$ -> - $\text{gate}_1(X) = f_0(X \omega^{-1}) \cdot a_2(X)$ -> - $\text{gate}_2(X) = f_0(X) \cdot a_3(X) \cdot a_0(X)$ - -A relation is satisfied if its polynomial is equal to zero. One way to demonstrate this is -to divide each polynomial relation by the vanishing polynomial $t(X) = (X^n - 1)$, which -is the lowest-degree monomial that has roots at every $\omega^i$. If relation's polynomial -is perfectly divisible by $t(X)$, it is equal to zero over the domain (as desired). - -This simple construction would require a polynomial commitment per relation. Instead, we -commit to all of the circuit relations simultaneously: the verifier samples $y$, and then -the prover constructs the quotient polynomial - -$$h(X) = \frac{\text{gate}_0(X) + y \cdot \text{gate}_1(X) + \dots + y^i \cdot \text{gate}_i(X) + \dots}{t(X)},$$ - -where the numerator is a random (the prover commits to the cell assignments before the -verifier samples $y$) linear combination of the circuit relations. - -- If the numerator polynomial (in formal indeterminate $X$) is perfectly divisible by - $t(X)$, then with high probability all relations are satisfied. -- Conversely, if at least one relation is not satisfied, then with high probability - $h(x) \cdot t(x)$ will not equal the evaluation of the numerator at $x$. In this case, - the numerator polynomial would not be perfectly divisible by $t(X)$. - -## Committing to $h(X)$ - -$h(X)$ has degree $d(n - 1) - n$ (because the divisor $t(X)$ has degree $n$). However, the -polynomial commitment scheme we use for Halo 2 only supports committing to polynomials of -degree $n - 1$ (which is the maximum degree that the rest of the protocol needs to commit -to). Instead of increasing the cost of the polynomial commitment scheme, the prover split -$h(X)$ into pieces of degree $n - 1$ - -$$h_0(X) + X^n h_1(X) + \dots + X^{n(d-1)} h_{d-1}(X),$$ - -and produces blinding commitments to each piece - -$$\mathbf{H} = [\text{Commit}(h_0(X)), \text{Commit}(h_1(X)), \dots, \text{Commit}(h_{d-1}(X))].$$ - -## Evaluating the polynomials - -At this point, all properties of the circuit have been committed to. The verifier now -wants to see if the prover committed to the correct $h(X)$ polynomial. The verifier -samples $x$, and the prover produces the purported evaluations of the various polynomials -at $x$, for all the relative offsets used in the circuit, as well as $h(X)$. - -> In our [example](../proving-system.md#example), this would be: -> -> - $a_0(x)$ -> - $a_1(x)$ -> - $a_2(x)$, $a_2(x \omega^{-1})$ -> - $a_3(x)$ -> - $f_0(x)$, $f_0(x \omega^{-1})$ -> - $h_0(x)$, ..., $h_{d-1}(x)$ - -The verifier checks that these evaluations satisfy the form of $h(X)$: - -$$\frac{\text{gate}_0(x) + \dots + y^i \cdot \text{gate}_i(x) + \dots}{t(x)} = h_0(x) + \dots + x^{n(d-1)} h_{d-1}(x)$$ - -Now content that the evaluations collectively satisfy the gate constraints, the verifier -needs to check that the evaluations themselves are consistent with the original -[circuit commitments](circuit-commitments.md), as well as $\mathbf{H}$. To implement this -efficiently, we use a [multipoint opening argument](multipoint-opening.md). diff --git a/book/src/user.md b/book/src/user.md deleted file mode 100644 index c13533a519..0000000000 --- a/book/src/user.md +++ /dev/null @@ -1,5 +0,0 @@ -# User Documentation - -You're probably here because you want to write circuits? Excellent! - -This section will guide you through the process of creating circuits with halo2. diff --git a/book/src/user/dev-tools.md b/book/src/user/dev-tools.md deleted file mode 100644 index 5aebf78deb..0000000000 --- a/book/src/user/dev-tools.md +++ /dev/null @@ -1,114 +0,0 @@ -# Developer tools - -The `halo2` crate includes several utilities to help you design and implement your -circuits. - -## Mock prover - -`halo2_proofs::dev::MockProver` is a tool for debugging circuits, as well as cheaply verifying -their correctness in unit tests. The private and public inputs to the circuit are -constructed as would normally be done to create a proof, but `MockProver::run` instead -creates an object that will test every constraint in the circuit directly. It returns -granular error messages that indicate which specific constraint (if any) is not satisfied. - -## Circuit visualizations - -The `dev-graph` feature flag exposes several helper methods for creating graphical -representations of circuits. - -On Debian systems, you will need the following additional packages: -```plaintext -sudo apt install cmake libexpat1-dev libfreetype6-dev -``` - -### Circuit layout - -`halo2_proofs::dev::CircuitLayout` renders the circuit layout as a grid: - -```rust,ignore,no_run -{{#include ../../../halo2_proofs/examples/circuit-layout.rs:dev-graph}} -``` - -- Columns are laid out from left to right as instance, advice and fixed. The order of - columns is otherwise without meaning. - - Instance columns have a white background. - - Advice columns have a red background. - - Fixed columns have a blue background. -- Regions are shown as labelled green boxes (overlaying the background colour). A region - may appear as multiple boxes if some of its columns happen to not be adjacent. -- Cells that have been assigned to by the circuit will be shaded in grey. If any cells are - assigned to more than once (which is usually a mistake), they will be shaded darker than - the surrounding cells. - -### Circuit structure - -`halo2_proofs::dev::circuit_dot_graph` builds a [DOT graph string] representing the given -circuit, which can then be rendered with a variety of [layout programs]. The graph is built -from calls to `Layouter::namespace` both within the circuit, and inside the gadgets and -chips that it uses. - -[DOT graph string]: https://graphviz.org/doc/info/lang.html -[layout programs]: https://en.wikipedia.org/wiki/DOT_(graph_description_language)#Layout_programs - -```rust,ignore,no_run -fn main() { - // Prepare the circuit you want to render. - // You don't need to include any witness variables. - let a = Fp::rand(); - let instance = Fp::one() + Fp::one(); - let lookup_table = vec![instance, a, a, Fp::zero()]; - let circuit: MyCircuit = MyCircuit { - a: None, - lookup_table, - }; - - // Generate the DOT graph string. - let dot_string = halo2_proofs::dev::circuit_dot_graph(&circuit); - - // Now you can either handle it in Rust, or just - // print it out to use with command-line tools. - print!("{}", dot_string); -} -``` - -## Cost estimator - -The `cost-model` binary takes high-level parameters for a circuit design, and estimates -the verification cost, as well as resulting proof size. - -```plaintext -Usage: cargo run --example cost-model -- [OPTIONS] k - -Positional arguments: - k 2^K bound on the number of rows. - -Optional arguments: - -h, --help Print this message. - -a, --advice R[,R..] An advice column with the given rotations. May be repeated. - -i, --instance R[,R..] An instance column with the given rotations. May be repeated. - -f, --fixed R[,R..] A fixed column with the given rotations. May be repeated. - -g, --gate-degree D Maximum degree of the custom gates. - -l, --lookup N,I,T A lookup over N columns with max input degree I and max table degree T. May be repeated. - -p, --permutation N A permutation over N columns. May be repeated. -``` - -For example, to estimate the cost of a circuit with three advice columns and one fixed -column (with various rotations), and a maximum gate degree of 4: - -```plaintext -> cargo run --example cost-model -- -a 0,1 -a 0 -a-0,-1,1 -f 0 -g 4 11 - Finished dev [unoptimized + debuginfo] target(s) in 0.03s - Running `target/debug/examples/cost-model -a 0,1 -a 0 -a 0,-1,1 -f 0 -g 4 11` -Circuit { - k: 11, - max_deg: 4, - advice_columns: 3, - lookups: 0, - permutations: [], - column_queries: 7, - point_sets: 3, - estimator: Estimator, -} -Proof size: 1440 bytes -Verification: at least 81.689ms -``` diff --git a/book/src/user/experimental-features.md b/book/src/user/experimental-features.md deleted file mode 100644 index 78ea802ce4..0000000000 --- a/book/src/user/experimental-features.md +++ /dev/null @@ -1,140 +0,0 @@ -# Experimental features - -In `privacy-scaling-explorations/halo2` fork we have implemented many experimental features to cover different use cases, especially for those with huge circuits. We collect them in this page for easier tracking and referencing. - -## Commitment scheme abstraction - -To support different kinds of polynomial commitment schemes, we've added a trait `CommitmentScheme` to allow create/verify proofs with different commitment scheme implementations, currently there are 2 available implementations in this fork: - -- [`IPACommitmentScheme`](https://privacy-scaling-explorations.github.io/halo2/halo2_proofs/poly/ipa/commitment/struct.IPACommitmentScheme.html) - - The original implementation from `zcash/halo2` with the original multi-open strategy `{Prover,Verifier}IPA` - -- [`KZGCommitmentScheme`](https://privacy-scaling-explorations.github.io/halo2/halo2_proofs/poly/kzg/commitment/struct.KZGCommitmentScheme.html) - - KZG commitment scheme as in [GWC19](https://eprint.iacr.org/2019/953), which doesn't commit the instance columns, with 2 multi-open strategies available: - - - `{Prover,Verifier}GWC` - The original strategy in [GWC19](https://eprint.iacr.org/2019/953) - - `{Prover,Verifier}SHPLONK` - The strategy proposed in [BDFG20](https://eprint.iacr.org/2020/081) - -When using `create_proof` and `verify_proof`, we need to specify the commitment scheme and multi-open strategy like: - -```rust -// Using IPA -create_proof, ProverIPA<_>, _, _, _, _> -verify_proof, ProverIPA<_>, _, _, _> - -// Using KZG with GWC19 mutli-open strategy -create_proof, ProverGWC<_>, _, _, _, _> -verify_proof, ProverGWC<_>, _, _, _> - -// Using KZG with BDFG20 mutli-open strategy -create_proof, ProverSHPLONK<_>, _, _, _, _> -verify_proof, ProverSHPLONK<_>, _, _, _> -``` - -## `ConstraintSystem` extension - -### Dynamic lookup - -[`ConstraintSystem::lookup_any`](https://privacy-scaling-explorations.github.io/halo2/halo2_proofs/plonk/struct.ConstraintSystem.html#method.lookup_any) is added for use cases that need to lookup dynamic table instead of fixed table. - -Unlike `ConstraintSystem::lookup` which only allows `TableColumn`(s) as table, it allows any `Expression`(s) without simple selector. - -### Shuffle - -[`ConstraintSystem::shuffle`](https://privacy-scaling-explorations.github.io/halo2/halo2_proofs/plonk/struct.ConstraintSystem.html#method.shuffle) is added for use cases that only need shuffle without pre-defined mapping. - -It allows us to prove any `Expression`(s) without simple selector is shuffled from the other. For example `halo2_proofs/examples/shuffle_api.rs` shows how to prove two lists of 2-tuples are shuffled of each other. - -### Multi-phase - -[`ConstraintSystem::advice_column_in`](https://privacy-scaling-explorations.github.io/halo2/halo2_proofs/plonk/struct.ConstraintSystem.html#method.advice_column_in) and [`ConstraintSystem::challenge_usable_after`](https://privacy-scaling-explorations.github.io/halo2/halo2_proofs/plonk/struct.ConstraintSystem.html#method.challenge_usable_after) are added for use cases that build PIOP sub-routine themselves, currently it supports up-to 3 phases as `{First,Second,Third}Phase`. - -It allows us to allocate advice column in different interactive phases with extra challenges squeezed in-between. For example in `halo2_proofs/examples/shuffle.rs` it shows how to build a customized shuffle argument with such API. - -### Unblinded advice column - -[`ConstraintSystem::unblinded_advice_column`](https://privacy-scaling-explorations.github.io/halo2/halo2_proofs/plonk/struct.ConstraintSystem.html#method.unblinded_advice_column) is added for use cases that want to reuse advice column commitment among different proofs. For example in `halo2_proofs/examples/vector-ops-unblinded.rs` it shows with this API and same assignment, two advice commitment from different proof can be same. - -Worth mentioning, re-using advice column commitment in different proofs will need more blinding factors than the amount that prover adds, otherwise some information will be leaked and it's no longer perfect zero-knowledge. - -## [`Expression`](https://privacy-scaling-explorations.github.io/halo2/halo2_proofs/plonk/enum.Expression.html) extension - -- [`Expression::Challenge`](https://privacy-scaling-explorations.github.io/halo2/halo2_proofs/plonk/enum.Expression.html#variant.Challenge) - - A variant added for multi-phase. It can be obtained by [`ConstraintSystem::challenge_usable_after`](https://privacy-scaling-explorations.github.io/halo2/halo2_proofs/plonk/struct.ConstraintSystem.html#method.challenge_usable_after) and used as a pseudo-random constant. - -- [`Expression::identifier`](https://privacy-scaling-explorations.github.io/halo2/halo2_proofs/plonk/enum.Expression.html#method.identifier) - - It prints `Expression` in a less verbose and human-readable way. - -## [`Circuit`](https://privacy-scaling-explorations.github.io/halo2/halo2_proofs/plonk/trait.Circuit.html) extension - -- [`Circuit::Params`](https://privacy-scaling-explorations.github.io/halo2/halo2_proofs/plonk/trait.Circuit.html#associatedtype.Params) - - To use this, feature `circuit-params` needs to be turned on. - - A associated type added for configuring circuit with runtime parameter. - - It allows us to implement [`Circuit::params`](https://privacy-scaling-explorations.github.io/halo2/halo2_proofs/plonk/trait.Circuit.html#method.params) to return the parameter of a circuit, and implement [`Circuit::configure_with_params`](https://privacy-scaling-explorations.github.io/halo2/halo2_proofs/plonk/trait.Circuit.html#method.configure_with_params) to configure circuit with runtime parameter retrieved earlier. - -## [`ProvingKey`](https://privacy-scaling-explorations.github.io/halo2/halo2_proofs/plonk/struct.ProvingKey.html) & [`VerifyingKey`](https://privacy-scaling-explorations.github.io/halo2/halo2_proofs/plonk/struct.VerifyingKey.html) de/serialization and [`SerdeFormat`](https://privacy-scaling-explorations.github.io/halo2/halo2_proofs/enum.SerdeFormat.html) - -`ProvingKey::{read,write}` and `VerifyingKey::{read,write}` is added to serialize proving key and verifying key. - -For field elements and elliptic curve points inside pk and vk, currently we have 3 different de/serialization format: - -- [`SerdeFormat::Processed`](https://privacy-scaling-explorations.github.io/halo2/halo2_proofs/enum.SerdeFormat.html#variant.Processed) - - It de/serializes them as `PrimeField::Repr` and `GroupEncoding::Repr` respectively, and checks all elements are valid. - -- [`SerdeFormat::RawBytes`](https://privacy-scaling-explorations.github.io/halo2/halo2_proofs/enum.SerdeFormat.html#variant.RawBytes) - - It de/serializes them as `SerdeObject::{from_raw_bytes,to_raw_bytes}` respectively, and checks all elements are valid. - -- [`SerdeFormat::RawBytesUnchecked`](https://privacy-scaling-explorations.github.io/halo2/halo2_proofs/enum.SerdeFormat.html#variant.RawBytesUnchecked) - - It de/serializes them as `SerdeObject::{from_raw_bytes,to_raw_bytes}` respectively, without checking if elements are valid. - -Also `ParamsKZG::{read_custom,write_custom}` follows the same rule, and by default `ParamsKZG::{read,write}` uses `SerdeFormat::RawBytes` for efficiency. - -## Thread safe [`Region`](https://privacy-scaling-explorations.github.io/halo2/halo2_proofs/circuit/struct.Region.html) - -To use this, feature `thread-safe-region` needs to be turned on. - -It constrains the `RegionLayouter` to be `Send` so we can have a `Region` in different threads. It's useful when we want to arrange witness computation and assignment in the same place, but still keep the function `Send` so the caller can parallelize multiple of them. - -For example `halo2_proofs/examples/vector-mul.rs` shows how to parallelize region computation and assignment. - -## Optional selector compression - -Currently [`keygen_vk`](https://privacy-scaling-explorations.github.io/halo2/halo2_proofs/plonk/fn.keygen_vk.html) changes configured `ConstraintSystem` to compresses simple selectors into smaller set of fixed columns to reduce cost. - -For some use cases that want to keep configured `ConstraintSystem` unchanged they can do the verifying key generation by calling [`keygen_vk_custom`](https://privacy-scaling-explorations.github.io/halo2/halo2_proofs/plonk/fn.keygen_vk_custom.html) with second argument as `false` instead, which disables the selector compression. - -## [`MockProver`](https://privacy-scaling-explorations.github.io/halo2/halo2_proofs/dev/struct.MockProver.html) improvement - -- [`MockProver::verify_par`](https://privacy-scaling-explorations.github.io/halo2/halo2_proofs/dev/struct.MockProver.html#method.verify_par) - - Same checks as `MockProver::verify`, but parallelized. - -- [`MockProver::verify_at_rows`](https://privacy-scaling-explorations.github.io/halo2/halo2_proofs/dev/struct.MockProver.html#method.verify_at_rows) - - Same checks as `MockProver::verify`, but only on specified rows. - -- [`MockProver::verify_at_rows_par`](https://privacy-scaling-explorations.github.io/halo2/halo2_proofs/dev/struct.MockProver.html#method.verify_at_rows_par) - - Same checks as `MockProver::verify_at_rows`, but parallelized. - -- [`MockProver::assert_satisfied_par`](https://privacy-scaling-explorations.github.io/halo2/halo2_proofs/dev/struct.MockProver.html#method.assert_satisfied_par) - - Same assertions as `MockProver::assert_satisfied`, but parallelized. - -- [`MockProver::assert_satisfied_at_rows_par`](https://privacy-scaling-explorations.github.io/halo2/halo2_proofs/dev/struct.MockProver.html#method.assert_satisfied_at_rows_par) - - Same assertions as `MockProver::assert_satisfied_par`, but only on specified rows. - -## `Evaluator` and `evaluate_h` - -They are introduced to improve quotient computation speed and memory usage for circuit with complicated `Expression`. diff --git a/book/src/user/gadgets.md b/book/src/user/gadgets.md deleted file mode 100644 index 406e8aa011..0000000000 --- a/book/src/user/gadgets.md +++ /dev/null @@ -1 +0,0 @@ -# Gadgets diff --git a/book/src/user/lookup-tables.md b/book/src/user/lookup-tables.md deleted file mode 100644 index 2709a94f36..0000000000 --- a/book/src/user/lookup-tables.md +++ /dev/null @@ -1,11 +0,0 @@ -# Lookup tables - -In normal programs, you can trade memory for CPU to improve performance, by pre-computing -and storing lookup tables for some part of the computation. We can do the same thing in -halo2 circuits! - -A lookup table can be thought of as enforcing a *relation* between variables, where the relation is expressed as a table. -Assuming we have only one lookup argument in our constraint system, the total size of tables is constrained by the size of the circuit: -each table entry costs one row, and it also costs one row to do each lookup. - -TODO diff --git a/book/src/user/simple-example.md b/book/src/user/simple-example.md deleted file mode 100644 index fecf518f76..0000000000 --- a/book/src/user/simple-example.md +++ /dev/null @@ -1,86 +0,0 @@ -# A simple example - -Let's start with a simple circuit, to introduce you to the common APIs and how they are -used. The circuit will take a public input $c$, and will prove knowledge of two private -inputs $a$ and $b$ such that - -$$a^2 \cdot b^2 = c.$$ - -## Define instructions - -Firstly, we need to define the instructions that our circuit will rely on. Instructions -are the boundary between high-level [gadgets](../concepts/gadgets.md) and the low-level -circuit operations. Instructions may be as coarse or as granular as desired, but in -practice you want to strike a balance between an instruction being large enough to -effectively optimize its implementation, and small enough that it is meaningfully -reusable. - -For our circuit, we will use three instructions: -- Load a private number into the circuit. -- Multiply two numbers. -- Expose a number as a public input to the circuit. - -We also need a type for a variable representing a number. Instruction interfaces provide -associated types for their inputs and outputs, to allow the implementations to represent -these in a way that makes the most sense for their optimization goals. - -```rust,ignore,no_run -{{#include ../../../halo2_proofs/examples/simple-example.rs:instructions}} -``` - -## Define a chip implementation - -For our circuit, we will build a [chip](../concepts/chips.md) that provides the above -numeric instructions for a finite field. - -```rust,ignore,no_run -{{#include ../../../halo2_proofs/examples/simple-example.rs:chip}} -``` - -Every chip needs to implement the `Chip` trait. This defines the properties of the chip -that a `Layouter` may rely on when synthesizing a circuit, as well as enabling any initial -state that the chip requires to be loaded into the circuit. - -```rust,ignore,no_run -{{#include ../../../halo2_proofs/examples/simple-example.rs:chip-impl}} -``` - -## Configure the chip - -The chip needs to be configured with the columns, permutations, and gates that will be -required to implement all of the desired instructions. - -```rust,ignore,no_run -{{#include ../../../halo2_proofs/examples/simple-example.rs:chip-config}} -``` - -## Implement chip traits - -```rust,ignore,no_run -{{#include ../../../halo2_proofs/examples/simple-example.rs:instructions-impl}} -``` - -## Build the circuit - -Now that we have the instructions we need, and a chip that implements them, we can finally -build our circuit! - -```rust,ignore,no_run -{{#include ../../../halo2_proofs/examples/simple-example.rs:circuit}} -``` - -## Testing the circuit - -`halo2_proofs::dev::MockProver` can be used to test that the circuit is working correctly. The -private and public inputs to the circuit are constructed as we will do to create a proof, -but by passing them to `MockProver::run` we get an object that can test every constraint -in the circuit, and tell us exactly what is failing (if anything). - -```rust,ignore,no_run -{{#include ../../../halo2_proofs/examples/simple-example.rs:test-circuit}} -``` - -## Full example - -You can find the source code for this example -[here](https://github.com/zcash/halo2/tree/main/halo2_proofs/examples/simple-example.rs). diff --git a/book/src/user/tips-and-tricks.md b/book/src/user/tips-and-tricks.md deleted file mode 100644 index b2d7be0d95..0000000000 --- a/book/src/user/tips-and-tricks.md +++ /dev/null @@ -1,71 +0,0 @@ -# Tips and tricks - -This section contains various ideas and snippets that you might find useful while writing -halo2 circuits. - -## Small range constraints - -A common constraint used in R1CS circuits is the boolean constraint: $b * (1 - b) = 0$. -This constraint can only be satisfied by $b = 0$ or $b = 1$. - -In halo2 circuits, you can similarly constrain a cell to have one of a small set of -values. For example, to constrain $a$ to the range $[0..5]$, you would create a gate of -the form: - -$$a \cdot (1 - a) \cdot (2 - a) \cdot (3 - a) \cdot (4 - a) = 0$$ - -while to constrain $c$ to be either 7 or 13, you would use: - -$$(7 - c) \cdot (13 - c) = 0$$ - -> The underlying principle here is that we create a polynomial constraint with roots at -> each value in the set of possible values we want to allow. In R1CS circuits, the maximum -> supported polynomial degree is 2 (due to all constraints being of the form $a * b = c$). -> In halo2 circuits, you can use arbitrary-degree polynomials - with the proviso that -> higher-degree constraints are more expensive to use. - -Note that the roots don't have to be constants; for example $(a - x) \cdot (a - y) \cdot (a - z) = 0$ will constrain $a$ to be equal to one of $\{ x, y, z \}$ where the latter can be arbitrary polynomials, as long as the whole expression stays within the maximum degree bound. - -## Small set interpolation -We can use Lagrange interpolation to create a polynomial constraint that maps -$f(X) = Y$ for small sets of $X \in \{x_i\}, Y \in \{y_i\}$. - -For instance, say we want to map a 2-bit value to a "spread" version interleaved -with zeros. We first precompute the evaluations at each point: - -$$ -\begin{array}{rcl} -00 \rightarrow 0000 &\implies& 0 \rightarrow 0 \\ -01 \rightarrow 0001 &\implies& 1 \rightarrow 1 \\ -10 \rightarrow 0100 &\implies& 2 \rightarrow 4 \\ -11 \rightarrow 0101 &\implies& 3 \rightarrow 5 -\end{array} -$$ - -Then, we construct the Lagrange basis polynomial for each point using the -identity: -$$\mathcal{l}_j(X) = \prod_{0 \leq m < k,\; m \neq j} \frac{x - x_m}{x_j - x_m},$$ -where $k$ is the number of data points. ($k = 4$ in our example above.) - -Recall that the Lagrange basis polynomial $\mathcal{l}_j(X)$ evaluates to $1$ at -$X = x_j$ and $0$ at all other $x_i, j \neq i.$ - -Continuing our example, we get four Lagrange basis polynomials: - -$$ -\begin{array}{ccc} -l_0(X) &=& \frac{(X - 3)(X - 2)(X - 1)}{(-3)(-2)(-1)} \\[1ex] -l_1(X) &=& \frac{(X - 3)(X - 2)(X)}{(-2)(-1)(1)} \\[1ex] -l_2(X) &=& \frac{(X - 3)(X - 1)(X)}{(-1)(1)(2)} \\[1ex] -l_3(X) &=& \frac{(X - 2)(X - 1)(X)}{(1)(2)(3)} -\end{array} -$$ - -Our polynomial constraint is then - -$$ -\begin{array}{cccccccccccl} -&f(0) \cdot l_0(X) &+& f(1) \cdot l_1(X) &+& f(2) \cdot l_2(X) &+& f(3) \cdot l_3(X) &-& f(X) &=& 0 \\ -\implies& 0 \cdot l_0(X) &+& 1 \cdot l_1(X) &+& 4 \cdot l_2(X) &+& 5 \cdot l_3(X) &-& f(X) &=& 0. \\ -\end{array} -$$ diff --git a/halo2_proofs/examples/circuit-layout.rs b/examples/circuit-layout.rs similarity index 100% rename from halo2_proofs/examples/circuit-layout.rs rename to examples/circuit-layout.rs diff --git a/halo2_proofs/examples/proof-size.rs b/examples/proof-size.rs similarity index 97% rename from halo2_proofs/examples/proof-size.rs rename to examples/proof-size.rs index 3d5b242fb0..9b92a3b4e3 100644 --- a/halo2_proofs/examples/proof-size.rs +++ b/examples/proof-size.rs @@ -88,8 +88,8 @@ const K: u32 = 11; fn main() { let circuit = TestCircuit {}; - let model = from_circuit_to_model_circuit::<_, _, 56, 56>( - K, + let model = from_circuit_to_model_circuit::<_, _, 32, 32>( + Some(K), &circuit, vec![], CommitmentScheme::KZGGWC, diff --git a/halo2_proofs/examples/serialization.rs b/examples/serialization.rs similarity index 78% rename from halo2_proofs/examples/serialization.rs rename to examples/serialization.rs index 39b6b1192f..287aa061b8 100644 --- a/halo2_proofs/examples/serialization.rs +++ b/examples/serialization.rs @@ -1,9 +1,11 @@ +use blake2b_simd::State; use std::{ fs::File, io::{BufReader, BufWriter, Write}, }; use ff::Field; +use halo2_proofs::transcript::{CircuitTranscript, Transcript}; use halo2_proofs::{ circuit::{Layouter, SimpleFloorPlanner, Value}, plonk::{ @@ -11,19 +13,12 @@ use halo2_proofs::{ ConstraintSystem, Error, Fixed, Instance, ProvingKey, }, poly::{ - kzg::{ - commitment::{KZGCommitmentScheme, ParamsKZG}, - multiopen::{ProverGWC, VerifierGWC}, - strategy::SingleStrategy, - }, + kzg::{params::ParamsKZG, KZGCommitmentScheme}, Rotation, }, - transcript::{ - Blake2bRead, Blake2bWrite, Challenge255, TranscriptReadBuffer, TranscriptWriterBuffer, - }, - SerdeFormat, + utils::SerdeFormat, }; -use halo2curves::bn256::{Bn256, Fr, G1Affine}; +use halo2curves::bn256::{Bn256, Fr}; use rand_core::OsRng; #[derive(Clone, Copy)] @@ -132,7 +127,8 @@ fn main() { let k = 4; let circuit = StandardPlonk(Fr::random(OsRng)); let params = ParamsKZG::::setup(k, OsRng); - let vk = keygen_vk(¶ms, &circuit).expect("vk should not fail"); + let vk = keygen_vk::<_, KZGCommitmentScheme, _>(¶ms, &circuit) + .expect("vk should not fail"); let pk = keygen_pk(¶ms, vk, &circuit).expect("pk should not fail"); let f = File::create("serialization-test.pk").unwrap(); @@ -143,7 +139,7 @@ fn main() { let f = File::open("serialization-test.pk").unwrap(); let mut reader = BufReader::new(f); #[allow(clippy::unit_arg)] - let pk = ProvingKey::::read::<_, StandardPlonk>( + let pk = ProvingKey::>::read::<_, StandardPlonk>( &mut reader, SerdeFormat::RawBytes, #[cfg(feature = "circuit-params")] @@ -154,15 +150,9 @@ fn main() { std::fs::remove_file("serialization-test.pk").unwrap(); let instances: &[&[Fr]] = &[&[circuit.0]]; - let mut transcript = Blake2bWrite::<_, _, Challenge255<_>>::init(vec![]); - create_proof::< - KZGCommitmentScheme, - ProverGWC<'_, Bn256>, - Challenge255, - _, - Blake2bWrite, G1Affine, Challenge255<_>>, - _, - >( + let mut transcript = CircuitTranscript::::init(); + + create_proof::, _, _>( ¶ms, &pk, &[circuit], @@ -170,23 +160,17 @@ fn main() { OsRng, &mut transcript, ) - .expect("prover should not fail"); + .expect("proof generation should not fail"); + let proof = transcript.finalize(); - let strategy = SingleStrategy::new(¶ms); - let mut transcript = Blake2bRead::<_, _, Challenge255<_>>::init(&proof[..]); - assert!(verify_proof::< - KZGCommitmentScheme, - VerifierGWC<'_, Bn256>, - Challenge255, - Blake2bRead<&[u8], G1Affine, Challenge255>, - SingleStrategy<'_, Bn256>, - >( + let mut transcript = CircuitTranscript::::init_from_bytes(&proof[..]); + + assert!(verify_proof::, _>( ¶ms, pk.get_vk(), - strategy, &[instances], - &mut transcript + &mut transcript, ) .is_ok()); } diff --git a/halo2_proofs/examples/simple-example.rs b/examples/simple-example.rs similarity index 99% rename from halo2_proofs/examples/simple-example.rs rename to examples/simple-example.rs index 242257a692..45ab6675b7 100644 --- a/halo2_proofs/examples/simple-example.rs +++ b/examples/simple-example.rs @@ -1,10 +1,10 @@ use std::marker::PhantomData; use halo2_proofs::{ - arithmetic::Field, circuit::{AssignedCell, Chip, Layouter, Region, SimpleFloorPlanner, Value}, plonk::{Advice, Circuit, Column, ConstraintSystem, Error, Fixed, Instance, Selector}, poly::Rotation, + utils::arithmetic::Field, }; // ANCHOR: instructions diff --git a/halo2_proofs/examples/two-chip.rs b/examples/two-chip.rs similarity index 99% rename from halo2_proofs/examples/two-chip.rs rename to examples/two-chip.rs index 336f9c4957..60dac6bb12 100644 --- a/halo2_proofs/examples/two-chip.rs +++ b/examples/two-chip.rs @@ -1,10 +1,10 @@ use std::marker::PhantomData; use halo2_proofs::{ - arithmetic::Field, circuit::{AssignedCell, Chip, Layouter, Region, SimpleFloorPlanner, Value}, plonk::{Advice, Circuit, Column, ConstraintSystem, Error, Instance, Selector}, poly::Rotation, + utils::arithmetic::Field, }; // ANCHOR: field-instructions diff --git a/halo2_proofs/examples/vector-mul.rs b/examples/vector-mul.rs similarity index 99% rename from halo2_proofs/examples/vector-mul.rs rename to examples/vector-mul.rs index 01728fdf36..791a52c37b 100644 --- a/halo2_proofs/examples/vector-mul.rs +++ b/examples/vector-mul.rs @@ -1,10 +1,10 @@ use std::marker::PhantomData; use halo2_proofs::{ - arithmetic::Field, circuit::{AssignedCell, Chip, Layouter, Region, SimpleFloorPlanner, Value}, plonk::{Advice, Circuit, Column, ConstraintSystem, Error, Instance, Selector}, poly::Rotation, + utils::arithmetic::Field, }; // ANCHOR: instructions diff --git a/halo2_proofs/examples/vector-ops-unblinded.rs b/examples/vector-ops-unblinded.rs similarity index 90% rename from halo2_proofs/examples/vector-ops-unblinded.rs rename to examples/vector-ops-unblinded.rs index 7e9ebd1d81..136c34b3c3 100644 --- a/halo2_proofs/examples/vector-ops-unblinded.rs +++ b/examples/vector-ops-unblinded.rs @@ -1,26 +1,21 @@ +use blake2b_simd::State; /// Here we construct two circuits one for adding two vectors and one for multiplying and we check that their transcripts have the same inputs /// by way of the unblinded inputs. /// This is a simple example of how to use unblinded inputs to match up circuits that might be proved on different host machines. use std::marker::PhantomData; -use ff::FromUniformBytes; +use ff::{FromUniformBytes, WithSmallOrderMulGroup}; +use halo2_proofs::poly::kzg::{params::ParamsKZG, KZGCommitmentScheme}; +use halo2_proofs::transcript::{CircuitTranscript, Hashable, Sampleable, Transcript}; use halo2_proofs::{ - arithmetic::{CurveAffine, Field}, circuit::{AssignedCell, Chip, Layouter, Region, SimpleFloorPlanner, Value}, plonk::*, - poly::{ - commitment::ParamsProver, - ipa::{ - commitment::{IPACommitmentScheme, ParamsIPA}, - multiopen::{ProverIPA, VerifierIPA}, - strategy::AccumulatorStrategy, - }, - Rotation, VerificationStrategy, - }, - transcript::{ - Blake2bRead, Blake2bWrite, Challenge255, TranscriptReadBuffer, TranscriptWriterBuffer, - }, + poly::Rotation, + utils::arithmetic::Field, }; +use halo2curves::pairing::{Engine, MultiMillerLoop}; +use halo2curves::serde::SerdeObject; +use halo2curves::CurveAffine; use rand_core::OsRng; // ANCHOR: instructions @@ -466,23 +461,30 @@ impl Circuit for AddCircuit { } // ANCHOR_END: circuit -fn test_prover( +fn test_prover( k: u32, - circuit: impl Circuit, + circuit: impl Circuit, expected: bool, - instances: Vec, + instances: Vec, ) -> Vec where - C::Scalar: FromUniformBytes<64>, + E::G1Affine: + Default + SerdeObject + Hashable + CurveAffine, + E::Fr: WithSmallOrderMulGroup<3> + + FromUniformBytes<64> + + SerdeObject + + Sampleable + + Hashable + + Ord, { - let params = ParamsIPA::::new(k); + let params = ParamsKZG::::new(k); let vk = keygen_vk(¶ms, &circuit).unwrap(); let pk = keygen_pk(¶ms, vk, &circuit).unwrap(); let proof = { - let mut transcript = Blake2bWrite::<_, _, Challenge255<_>>::init(vec![]); + let mut transcript = CircuitTranscript::::init(); - create_proof::, ProverIPA, _, _, _, _>( + create_proof::, _, _>( ¶ms, &pk, &[circuit], @@ -496,28 +498,23 @@ where }; let accepted = { - let strategy = AccumulatorStrategy::new(¶ms); - let mut transcript = Blake2bRead::<_, _, Challenge255<_>>::init(&proof[..]); + let mut transcript = CircuitTranscript::::init_from_bytes(&proof[..]); - verify_proof::, VerifierIPA, _, _, _>( + verify_proof::, _>( ¶ms, pk.get_vk(), - strategy, &[&[&instances]], &mut transcript, ) - .map(|strategy| strategy.finalize()) - .unwrap_or_default() }; - assert_eq!(accepted, expected); + assert_eq!(accepted.is_ok(), expected); proof } fn main() { - use halo2curves::pasta::Fp; - + use halo2curves::bn256::Fr; const N: usize = 10; // ANCHOR: test-circuit // The number of rows in our circuit cannot exceed 2^k. Since our example @@ -525,10 +522,10 @@ fn main() { let k = 7; // Prepare the inputs to the circuit! - let a = [Fp::from(2); N]; - let b = [Fp::from(3); N]; - let c_mul: Vec = a.iter().zip(b).map(|(&a, b)| a * b).collect(); - let c_add: Vec = a.iter().zip(b).map(|(&a, b)| a + b).collect(); + let a = [Fr::from(2); N]; + let b = [Fr::from(3); N]; + let c_mul: Vec = a.iter().zip(b).map(|(&a, b)| a * b).collect(); + let c_add: Vec = a.iter().zip(b).map(|(&a, b)| a + b).collect(); // Instantiate the mul circuit with the inputs. let mul_circuit = MulCircuit { @@ -543,9 +540,9 @@ fn main() { }; // the commitments will be the first columns of the proof transcript so we can compare them easily - let proof_1 = test_prover::(k, mul_circuit, true, c_mul); + let proof_1 = test_prover::(k, mul_circuit, true, c_mul); // the commitments will be the first columns of the proof transcript so we can compare them easily - let proof_2 = test_prover::(k, add_circuit, true, c_add); + let proof_2 = test_prover::(k, add_circuit, true, c_add); // the commitments will be the first columns of the proof transcript so we can compare them easily // here we compare the first 10 bytes of the commitments diff --git a/halo2/CHANGELOG.md b/halo2/CHANGELOG.md deleted file mode 100644 index 19cfec4d18..0000000000 --- a/halo2/CHANGELOG.md +++ /dev/null @@ -1,15 +0,0 @@ -# Changelog -All notable changes to this project will be documented in this file. - -The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), -and this project adheres to Rust's notion of -[Semantic Versioning](https://semver.org/spec/v2.0.0.html). - -## [Unreleased] - -## [0.1.0-beta.2] - 2022-02-14 -### Removed -- Everything (moved to `halo2_proofs` crate). - -## [0.1.0-beta.1] - 2021-09-24 -Initial beta release! diff --git a/halo2/Cargo.toml b/halo2/Cargo.toml deleted file mode 100644 index 5618165271..0000000000 --- a/halo2/Cargo.toml +++ /dev/null @@ -1,25 +0,0 @@ -[package] -name = "halo2" -version = "0.1.0-beta.2" -authors = [ - "Jack Grigg ", -] -edition = "2021" -rust-version = "1.56.1" -description = "[BETA] Fast zero-knowledge proof-carrying data implementation with no trusted setup" -license = "MIT OR Apache-2.0" -repository = "https://github.com/zcash/halo2" -documentation = "https://docs.rs/halo2" -readme = "../README.md" -categories = ["cryptography"] -keywords = ["halo", "proofs", "recursive", "zkp", "zkSNARKs"] - -[package.metadata.docs.rs] -all-features = true -rustdoc-args = ["--cfg", "docsrs", "--html-in-header", "katex-header.html"] - -[dependencies] -halo2_proofs = { version = "0.3", path = "../halo2_proofs", default-features = false } - -[lib] -bench = false diff --git a/halo2/katex-header.html b/halo2/katex-header.html deleted file mode 100644 index 98e85904fa..0000000000 --- a/halo2/katex-header.html +++ /dev/null @@ -1,15 +0,0 @@ - - - - \ No newline at end of file diff --git a/halo2/src/lib.rs b/halo2/src/lib.rs deleted file mode 100644 index 33cb67b4df..0000000000 --- a/halo2/src/lib.rs +++ /dev/null @@ -1,7 +0,0 @@ -//! # halo2 - -#![cfg_attr(docsrs, feature(doc_cfg))] -#![deny(rustdoc::broken_intra_doc_links)] -#![deny(missing_debug_implementations)] -#![deny(missing_docs)] -#![deny(unsafe_code)] diff --git a/halo2_proofs/Cargo.toml b/halo2_proofs/Cargo.toml deleted file mode 100644 index e340407dd6..0000000000 --- a/halo2_proofs/Cargo.toml +++ /dev/null @@ -1,109 +0,0 @@ -[package] -name = "halo2_proofs" -version = "0.3.0" -authors = [ - "Sean Bowe ", - "Ying Tong Lai ", - "Daira Hopwood ", - "Jack Grigg ", -] -edition = "2021" -rust-version = "1.66.0" -description = """ -Fast PLONK-based zero-knowledge proving system with no trusted setup -""" -license = "MIT OR Apache-2.0" -repository = "https://github.com/zcash/halo2" -documentation = "https://docs.rs/halo2_proofs" -readme = "README.md" -categories = ["cryptography"] -keywords = ["halo", "proofs", "zkp", "zkSNARKs"] - -[package.metadata.docs.rs] -all-features = true -rustdoc-args = ["--cfg", "docsrs", "--html-in-header", "katex-header.html"] - -[[bench]] -name = "arithmetic" -harness = false - -[[bench]] -name = "commit_zk" -harness = false - -[[bench]] -name = "hashtocurve" -harness = false - -[[bench]] -name = "plonk" -harness = false - -[[bench]] -name = "dev_lookup" -harness = false - -[[bench]] -name = "fft" -harness = false - -[dependencies] -backtrace = { version = "0.3", optional = true } -ff = "0.13" -group = "0.13" -halo2curves = { version = "0.6.0", default-features = false } -rand_core = { version = "0.6", default-features = false } -tracing = "0.1" -blake2b_simd = "1" # MSRV 1.66.0 -sha3 = "0.9.1" -rand_chacha = "0.3" -serde = { version = "1", optional = true, features = ["derive"] } -serde_derive = { version = "1", optional = true} -rayon = "1.8" - -# Developer tooling dependencies -plotters = { version = "0.3.0", default-features = false, optional = true } -tabbycat = { version = "0.1", features = ["attributes"], optional = true } - -# Legacy circuit compatibility -halo2_legacy_pdqsort = { version = "0.1.0", optional = true } - -[dev-dependencies] -assert_matches = "1.5" -criterion = "0.3" -gumdrop = "0.8" -proptest = "1" -rand_core = { version = "0.6", default-features = false, features = ["getrandom"] } -serde_json = "1" - -[target.'cfg(all(target_arch = "wasm32", target_os = "unknown"))'.dev-dependencies] -getrandom = { version = "0.2", features = ["js"] } - -[features] -default = ["batch", "bits"] -dev-graph = ["plotters", "tabbycat"] -test-dev-graph = [ - "dev-graph", - "plotters/bitmap_backend", - "plotters/bitmap_encoder", - "plotters/ttf", -] -bits = ["halo2curves/bits"] -gadget-traces = ["backtrace"] -thread-safe-region = [] -sanity-checks = [] -batch = ["rand_core/getrandom"] -circuit-params = [] -cost-estimator = ["serde", "serde_derive"] -derive_serde = ["halo2curves/derive_serde"] - -[lib] -bench = false - -[[example]] -name = "circuit-layout" -required-features = ["test-dev-graph"] - -[[example]] -name = "proof-size" -required-features = ["cost-estimator"] diff --git a/halo2_proofs/README.md b/halo2_proofs/README.md deleted file mode 100644 index bdb9a63639..0000000000 --- a/halo2_proofs/README.md +++ /dev/null @@ -1,37 +0,0 @@ -# halo2_proofs [![Crates.io](https://img.shields.io/crates/v/halo2_proofs.svg)](https://crates.io/crates/halo2_proofs) # - -## [Documentation](https://docs.rs/halo2_proofs) - -## Minimum Supported Rust Version - -Requires Rust **1.65.0** or higher. - -Minimum supported Rust version can be changed in the future, but it will be done with a -minor version bump. - -## Controlling parallelism - -`halo2_proofs` currently uses [rayon](https://github.com/rayon-rs/rayon) for parallel -computation. The `RAYON_NUM_THREADS` environment variable can be used to set the number of -threads. - -When compiling to WASM-targets, notice that since version `1.7`, `rayon` will fallback automatically (with no need to handle features) to require `getrandom` in order to be able to work. For more info related to WASM-compilation. - -See: [Rayon: Usage with WebAssembly](https://github.com/rayon-rs/rayon#usage-with-webassembly) for more - -## License - -Licensed under either of - - * Apache License, Version 2.0, ([LICENSE-APACHE](LICENSE-APACHE) or - http://www.apache.org/licenses/LICENSE-2.0) - * MIT license ([LICENSE-MIT](LICENSE-MIT) or http://opensource.org/licenses/MIT) - -at your option. - -### Contribution - -Unless you explicitly state otherwise, any contribution intentionally -submitted for inclusion in the work by you, as defined in the Apache-2.0 -license, shall be dual licensed as above, without any additional terms or -conditions. diff --git a/halo2_proofs/benches/arithmetic.rs b/halo2_proofs/benches/arithmetic.rs deleted file mode 100644 index 4ae88af137..0000000000 --- a/halo2_proofs/benches/arithmetic.rs +++ /dev/null @@ -1,38 +0,0 @@ -#[macro_use] -extern crate criterion; - -use crate::arithmetic::small_multiexp; -use crate::halo2curves::pasta::{EqAffine, Fp}; -use group::ff::Field; -use halo2_proofs::*; - -use halo2_proofs::poly::{commitment::ParamsProver, ipa::commitment::ParamsIPA}; - -use criterion::{black_box, Criterion}; -use rand_core::OsRng; - -fn criterion_benchmark(c: &mut Criterion) { - let rng = OsRng; - - // small multiexp - { - let params: ParamsIPA = ParamsIPA::new(5); - let g = &mut params.get_g().to_vec(); - let len = g.len() / 2; - let (g_lo, g_hi) = g.split_at_mut(len); - - let coeff_1 = Fp::random(rng); - let coeff_2 = Fp::random(rng); - - c.bench_function("double-and-add", |b| { - b.iter(|| { - for (g_lo, g_hi) in g_lo.iter().zip(g_hi.iter()) { - small_multiexp(&[black_box(coeff_1), black_box(coeff_2)], &[*g_lo, *g_hi]); - } - }) - }); - } -} - -criterion_group!(benches, criterion_benchmark); -criterion_main!(benches); diff --git a/halo2_proofs/benches/fft.rs b/halo2_proofs/benches/fft.rs deleted file mode 100644 index 0de72a0380..0000000000 --- a/halo2_proofs/benches/fft.rs +++ /dev/null @@ -1,26 +0,0 @@ -#[macro_use] -extern crate criterion; - -use crate::arithmetic::best_fft; -use group::ff::Field; -use halo2_proofs::*; -use halo2curves::pasta::Fp; - -use criterion::{BenchmarkId, Criterion}; -use rand_core::OsRng; - -fn criterion_benchmark(c: &mut Criterion) { - let mut group = c.benchmark_group("fft"); - for k in 3..19 { - group.bench_function(BenchmarkId::new("k", k), |b| { - let mut a = (0..(1 << k)).map(|_| Fp::random(OsRng)).collect::>(); - let omega = Fp::random(OsRng); // would be weird if this mattered - b.iter(|| { - best_fft(&mut a, omega, k as u32); - }); - }); - } -} - -criterion_group!(benches, criterion_benchmark); -criterion_main!(benches); diff --git a/halo2_proofs/examples/shuffle.rs b/halo2_proofs/examples/shuffle.rs deleted file mode 100644 index 35a85cb9f0..0000000000 --- a/halo2_proofs/examples/shuffle.rs +++ /dev/null @@ -1,352 +0,0 @@ -use ff::{BatchInvert, FromUniformBytes}; -use halo2_proofs::{ - arithmetic::{CurveAffine, Field}, - circuit::{floor_planner::V1, Layouter, Value}, - dev::{metadata, FailureLocation, MockProver, VerifyFailure}, - halo2curves::pasta::EqAffine, - plonk::*, - poly::{ - commitment::ParamsProver, - ipa::{ - commitment::{IPACommitmentScheme, ParamsIPA}, - multiopen::{ProverIPA, VerifierIPA}, - strategy::AccumulatorStrategy, - }, - VerificationStrategy, - }, - transcript::{ - Blake2bRead, Blake2bWrite, Challenge255, TranscriptReadBuffer, TranscriptWriterBuffer, - }, -}; -use rand_core::{OsRng, RngCore}; -use std::iter; - -fn rand_2d_array(rng: &mut R) -> [[F; H]; W] { - [(); W].map(|_| [(); H].map(|_| F::random(&mut *rng))) -} - -fn shuffled( - original: [[F; H]; W], - rng: &mut R, -) -> [[F; H]; W] { - let mut shuffled = original; - - for row in (1..H).rev() { - let rand_row = (rng.next_u32() as usize) % row; - for column in shuffled.iter_mut() { - column.swap(row, rand_row); - } - } - - shuffled -} - -#[derive(Clone)] -struct MyConfig { - q_shuffle: Selector, - q_first: Selector, - q_last: Selector, - original: [Column; W], - shuffled: [Column; W], - theta: Challenge, - gamma: Challenge, - z: Column, -} - -impl MyConfig { - fn configure(meta: &mut ConstraintSystem) -> Self { - let [q_shuffle, q_first, q_last] = [(); 3].map(|_| meta.selector()); - // First phase - let original = [(); W].map(|_| meta.advice_column_in(FirstPhase)); - let shuffled = [(); W].map(|_| meta.advice_column_in(FirstPhase)); - let [theta, gamma] = [(); 2].map(|_| meta.challenge_usable_after(FirstPhase)); - // Second phase - let z = meta.advice_column_in(SecondPhase); - - meta.create_gate("z should start with 1", |_| { - let one = Expression::Constant(F::ONE); - - vec![q_first.expr() * (one - z.cur())] - }); - - meta.create_gate("z should end with 1", |_| { - let one = Expression::Constant(F::ONE); - - vec![q_last.expr() * (one - z.cur())] - }); - - meta.create_gate("z should have valid transition", |_| { - let q_shuffle = q_shuffle.expr(); - let original = original.map(|advice| advice.cur()); - let shuffled = shuffled.map(|advice| advice.cur()); - let [theta, gamma] = [theta, gamma].map(|challenge| challenge.expr()); - - // Compress - let original = original - .iter() - .cloned() - .reduce(|acc, a| acc * theta.clone() + a) - .unwrap(); - let shuffled = shuffled - .iter() - .cloned() - .reduce(|acc, a| acc * theta.clone() + a) - .unwrap(); - - vec![q_shuffle * (z.cur() * (original + gamma.clone()) - z.next() * (shuffled + gamma))] - }); - - Self { - q_shuffle, - q_first, - q_last, - original, - shuffled, - theta, - gamma, - z, - } - } -} - -#[derive(Clone, Default)] -struct MyCircuit { - original: Value<[[F; H]; W]>, - shuffled: Value<[[F; H]; W]>, -} - -impl MyCircuit { - fn rand(rng: &mut R) -> Self { - let original = rand_2d_array::(rng); - let shuffled = shuffled(original, rng); - - Self { - original: Value::known(original), - shuffled: Value::known(shuffled), - } - } -} - -impl Circuit for MyCircuit { - type Config = MyConfig; - type FloorPlanner = V1; - #[cfg(feature = "circuit-params")] - type Params = (); - - fn without_witnesses(&self) -> Self { - Self::default() - } - - fn configure(meta: &mut ConstraintSystem) -> Self::Config { - MyConfig::configure(meta) - } - - fn synthesize( - &self, - config: Self::Config, - mut layouter: impl Layouter, - ) -> Result<(), Error> { - let theta = layouter.get_challenge(config.theta); - let gamma = layouter.get_challenge(config.gamma); - - layouter.assign_region( - || "Shuffle original into shuffled", - |mut region| { - // Keygen - config.q_first.enable(&mut region, 0)?; - config.q_last.enable(&mut region, H)?; - for offset in 0..H { - config.q_shuffle.enable(&mut region, offset)?; - } - - // First phase - for (idx, (&column, values)) in config - .original - .iter() - .zip(self.original.transpose_array().iter()) - .enumerate() - { - for (offset, &value) in values.transpose_array().iter().enumerate() { - region.assign_advice( - || format!("original[{idx}][{offset}]"), - column, - offset, - || value, - )?; - } - } - for (idx, (&column, values)) in config - .shuffled - .iter() - .zip(self.shuffled.transpose_array().iter()) - .enumerate() - { - for (offset, &value) in values.transpose_array().iter().enumerate() { - region.assign_advice( - || format!("shuffled[{idx}][{offset}]"), - column, - offset, - || value, - )?; - } - } - - // Second phase - let z = self.original.zip(self.shuffled).zip(theta).zip(gamma).map( - |(((original, shuffled), theta), gamma)| { - let mut product = vec![F::ZERO; H]; - for (idx, product) in product.iter_mut().enumerate() { - let mut compressed = F::ZERO; - for value in shuffled.iter() { - compressed *= theta; - compressed += value[idx]; - } - - *product = compressed + gamma - } - - product.iter_mut().batch_invert(); - - for (idx, product) in product.iter_mut().enumerate() { - let mut compressed = F::ZERO; - for value in original.iter() { - compressed *= theta; - compressed += value[idx]; - } - - *product *= compressed + gamma - } - - #[allow(clippy::let_and_return)] - let z = iter::once(F::ONE) - .chain(product) - .scan(F::ONE, |state, cur| { - *state *= &cur; - Some(*state) - }) - .collect::>(); - - #[cfg(feature = "sanity-checks")] - assert_eq!(F::ONE, *z.last().unwrap()); - - z - }, - ); - for (offset, value) in z.transpose_vec(H + 1).into_iter().enumerate() { - region.assign_advice(|| format!("z[{offset}]"), config.z, offset, || value)?; - } - - Ok(()) - }, - ) - } -} - -fn test_mock_prover, const W: usize, const H: usize>( - k: u32, - circuit: MyCircuit, - expected: Result<(), Vec<(metadata::Constraint, FailureLocation)>>, -) { - let prover = MockProver::run(k, &circuit, vec![]).unwrap(); - match (prover.verify(), expected) { - (Ok(_), Ok(_)) => {} - (Err(err), Err(expected)) => { - assert_eq!( - err.into_iter() - .map(|failure| match failure { - VerifyFailure::ConstraintNotSatisfied { - constraint, - location, - .. - } => (constraint, location), - _ => panic!("MockProver::verify has result unmatching expected"), - }) - .collect::>(), - expected - ) - } - (_, _) => panic!("MockProver::verify has result unmatching expected"), - }; -} - -fn test_prover( - k: u32, - circuit: MyCircuit, - expected: bool, -) where - C::Scalar: FromUniformBytes<64>, -{ - let params = ParamsIPA::::new(k); - let vk = keygen_vk(¶ms, &circuit).unwrap(); - let pk = keygen_pk(¶ms, vk, &circuit).unwrap(); - - let proof = { - let mut transcript = Blake2bWrite::<_, _, Challenge255<_>>::init(vec![]); - - create_proof::, ProverIPA, _, _, _, _>( - ¶ms, - &pk, - &[circuit], - &[&[]], - OsRng, - &mut transcript, - ) - .expect("proof generation should not fail"); - - transcript.finalize() - }; - - let accepted = { - let strategy = AccumulatorStrategy::new(¶ms); - let mut transcript = Blake2bRead::<_, _, Challenge255<_>>::init(&proof[..]); - - verify_proof::, VerifierIPA, _, _, _>( - ¶ms, - pk.get_vk(), - strategy, - &[&[]], - &mut transcript, - ) - .map(|strategy| strategy.finalize()) - .unwrap_or_default() - }; - - assert_eq!(accepted, expected); -} - -fn main() { - const W: usize = 4; - const H: usize = 32; - const K: u32 = 8; - - let circuit = &MyCircuit::<_, W, H>::rand(&mut OsRng); - - { - test_mock_prover(K, circuit.clone(), Ok(())); - test_prover::(K, circuit.clone(), true); - } - - #[cfg(not(feature = "sanity-checks"))] - { - use std::ops::IndexMut; - - let mut circuit = circuit.clone(); - circuit.shuffled = circuit.shuffled.map(|mut shuffled| { - shuffled.index_mut(0).swap(0, 1); - shuffled - }); - - test_mock_prover( - K, - circuit.clone(), - Err(vec![( - ((1, "z should end with 1").into(), 0, "").into(), - FailureLocation::InRegion { - region: (0, "Shuffle original into shuffled").into(), - offset: 32, - }, - )]), - ); - test_prover::(K, circuit, false); - } -} diff --git a/halo2_proofs/examples/shuffle_api.rs b/halo2_proofs/examples/shuffle_api.rs deleted file mode 100644 index 259e038d06..0000000000 --- a/halo2_proofs/examples/shuffle_api.rs +++ /dev/null @@ -1,216 +0,0 @@ -use std::{marker::PhantomData, vec}; - -use ff::FromUniformBytes; -use halo2_proofs::{ - arithmetic::Field, - circuit::{Layouter, SimpleFloorPlanner, Value}, - plonk::{ - create_proof, keygen_pk, keygen_vk, verify_proof, Advice, Circuit, Column, - ConstraintSystem, Error, Fixed, Selector, - }, - poly::Rotation, - poly::{ - commitment::ParamsProver, - ipa::{ - commitment::{IPACommitmentScheme, ParamsIPA}, - multiopen::{ProverIPA, VerifierIPA}, - strategy::AccumulatorStrategy, - }, - VerificationStrategy, - }, - transcript::{ - Blake2bRead, Blake2bWrite, Challenge255, TranscriptReadBuffer, TranscriptWriterBuffer, - }, -}; -use halo2curves::{pasta::EqAffine, CurveAffine}; -use rand_core::OsRng; - -struct ShuffleChip { - config: ShuffleConfig, - _marker: PhantomData, -} - -#[derive(Clone, Debug)] -struct ShuffleConfig { - input_0: Column, - input_1: Column, - shuffle_0: Column, - shuffle_1: Column, - s_input: Selector, - s_shuffle: Selector, -} - -impl ShuffleChip { - fn construct(config: ShuffleConfig) -> Self { - Self { - config, - _marker: PhantomData, - } - } - - fn configure( - meta: &mut ConstraintSystem, - input_0: Column, - input_1: Column, - shuffle_0: Column, - shuffle_1: Column, - ) -> ShuffleConfig { - let s_shuffle = meta.complex_selector(); - let s_input = meta.complex_selector(); - meta.shuffle("shuffle", |meta| { - let s_input = meta.query_selector(s_input); - let s_shuffle = meta.query_selector(s_shuffle); - let input_0 = meta.query_advice(input_0, Rotation::cur()); - let input_1 = meta.query_fixed(input_1, Rotation::cur()); - let shuffle_0 = meta.query_advice(shuffle_0, Rotation::cur()); - let shuffle_1 = meta.query_advice(shuffle_1, Rotation::cur()); - vec![ - (s_input.clone() * input_0, s_shuffle.clone() * shuffle_0), - (s_input * input_1, s_shuffle * shuffle_1), - ] - }); - ShuffleConfig { - input_0, - input_1, - shuffle_0, - shuffle_1, - s_input, - s_shuffle, - } - } -} - -#[derive(Default)] -struct MyCircuit { - input_0: Vec>, - input_1: Vec, - shuffle_0: Vec>, - shuffle_1: Vec>, -} - -impl Circuit for MyCircuit { - // Since we are using a single chip for everything, we can just reuse its config. - type Config = ShuffleConfig; - type FloorPlanner = SimpleFloorPlanner; - #[cfg(feature = "circuit-params")] - type Params = (); - - fn without_witnesses(&self) -> Self { - Self::default() - } - - fn configure(meta: &mut ConstraintSystem) -> Self::Config { - let input_0 = meta.advice_column(); - let input_1 = meta.fixed_column(); - let shuffle_0 = meta.advice_column(); - let shuffle_1 = meta.advice_column(); - ShuffleChip::configure(meta, input_0, input_1, shuffle_0, shuffle_1) - } - - fn synthesize( - &self, - config: Self::Config, - mut layouter: impl Layouter, - ) -> Result<(), Error> { - let ch = ShuffleChip::::construct(config); - layouter.assign_region( - || "load inputs", - |mut region| { - for (i, (input_0, input_1)) in - self.input_0.iter().zip(self.input_1.iter()).enumerate() - { - region.assign_advice(|| "input_0", ch.config.input_0, i, || *input_0)?; - region.assign_fixed( - || "input_1", - ch.config.input_1, - i, - || Value::known(*input_1), - )?; - ch.config.s_input.enable(&mut region, i)?; - } - Ok(()) - }, - )?; - layouter.assign_region( - || "load shuffles", - |mut region| { - for (i, (shuffle_0, shuffle_1)) in - self.shuffle_0.iter().zip(self.shuffle_1.iter()).enumerate() - { - region.assign_advice(|| "shuffle_0", ch.config.shuffle_0, i, || *shuffle_0)?; - region.assign_advice(|| "shuffle_1", ch.config.shuffle_1, i, || *shuffle_1)?; - ch.config.s_shuffle.enable(&mut region, i)?; - } - Ok(()) - }, - )?; - Ok(()) - } -} - -fn test_prover(k: u32, circuit: MyCircuit, expected: bool) -where - C::Scalar: FromUniformBytes<64>, -{ - let params = ParamsIPA::::new(k); - let vk = keygen_vk(¶ms, &circuit).unwrap(); - let pk = keygen_pk(¶ms, vk, &circuit).unwrap(); - - let proof = { - let mut transcript = Blake2bWrite::<_, _, Challenge255<_>>::init(vec![]); - - create_proof::, ProverIPA, _, _, _, _>( - ¶ms, - &pk, - &[circuit], - &[&[]], - OsRng, - &mut transcript, - ) - .expect("proof generation should not fail"); - - transcript.finalize() - }; - - let accepted = { - let strategy = AccumulatorStrategy::new(¶ms); - let mut transcript = Blake2bRead::<_, _, Challenge255<_>>::init(&proof[..]); - - verify_proof::, VerifierIPA, _, _, _>( - ¶ms, - pk.get_vk(), - strategy, - &[&[]], - &mut transcript, - ) - .map(|strategy| strategy.finalize()) - .unwrap_or_default() - }; - - assert_eq!(accepted, expected); -} - -fn main() { - use halo2_proofs::dev::MockProver; - use halo2curves::pasta::Fp; - const K: u32 = 4; - let input_0 = [1, 2, 4, 1] - .map(|e: u64| Value::known(Fp::from(e))) - .to_vec(); - let input_1 = [10, 20, 40, 10].map(Fp::from).to_vec(); - let shuffle_0 = [4, 1, 1, 2] - .map(|e: u64| Value::known(Fp::from(e))) - .to_vec(); - let shuffle_1 = [40, 10, 10, 20] - .map(|e: u64| Value::known(Fp::from(e))) - .to_vec(); - let circuit = MyCircuit { - input_0, - input_1, - shuffle_0, - shuffle_1, - }; - let prover = MockProver::run(K, &circuit, vec![]).unwrap(); - prover.assert_satisfied(); - test_prover::(K, circuit, true); -} diff --git a/halo2_proofs/katex-header.html b/halo2_proofs/katex-header.html deleted file mode 100644 index 98e85904fa..0000000000 --- a/halo2_proofs/katex-header.html +++ /dev/null @@ -1,15 +0,0 @@ - - - - \ No newline at end of file diff --git a/halo2_proofs/src/arithmetic.rs b/halo2_proofs/src/arithmetic.rs deleted file mode 100644 index 0163e355eb..0000000000 --- a/halo2_proofs/src/arithmetic.rs +++ /dev/null @@ -1,554 +0,0 @@ -//! This module provides common utilities, traits and structures for group, -//! field and polynomial arithmetic. - -use super::multicore; -pub use ff::Field; -use group::{ - ff::{BatchInvert, PrimeField}, - Curve, Group, GroupOpsOwned, ScalarMulOwned, -}; - -pub use halo2curves::{CurveAffine, CurveExt}; - -/// This represents an element of a group with basic operations that can be -/// performed. This allows an FFT implementation (for example) to operate -/// generically over either a field or elliptic curve group. -pub trait FftGroup: - Copy + Send + Sync + 'static + GroupOpsOwned + ScalarMulOwned -{ -} - -impl FftGroup for T -where - Scalar: Field, - T: Copy + Send + Sync + 'static + GroupOpsOwned + ScalarMulOwned, -{ -} - -fn multiexp_serial(coeffs: &[C::Scalar], bases: &[C], acc: &mut C::Curve) { - let coeffs: Vec<_> = coeffs.iter().map(|a| a.to_repr()).collect(); - - let c = if bases.len() < 4 { - 1 - } else if bases.len() < 32 { - 3 - } else { - (f64::from(bases.len() as u32)).ln().ceil() as usize - }; - - fn get_at(segment: usize, c: usize, bytes: &F::Repr) -> usize { - let skip_bits = segment * c; - let skip_bytes = skip_bits / 8; - - if skip_bytes >= (F::NUM_BITS as usize + 7) / 8 { - return 0; - } - - let mut v = [0; 8]; - for (v, o) in v.iter_mut().zip(bytes.as_ref()[skip_bytes..].iter()) { - *v = *o; - } - - let mut tmp = u64::from_le_bytes(v); - tmp >>= skip_bits - (skip_bytes * 8); - tmp %= 1 << c; - - tmp as usize - } - - let segments = (C::Scalar::NUM_BITS as usize / c) + 1; - - for current_segment in (0..segments).rev() { - for _ in 0..c { - *acc = acc.double(); - } - - #[derive(Clone, Copy)] - enum Bucket { - None, - Affine(C), - Projective(C::Curve), - } - - impl Bucket { - fn add_assign(&mut self, other: &C) { - *self = match *self { - Bucket::None => Bucket::Affine(*other), - Bucket::Affine(a) => Bucket::Projective(a + *other), - Bucket::Projective(mut a) => { - a += *other; - Bucket::Projective(a) - } - } - } - - fn add(self, mut other: C::Curve) -> C::Curve { - match self { - Bucket::None => other, - Bucket::Affine(a) => { - other += a; - other - } - Bucket::Projective(a) => other + &a, - } - } - } - - let mut buckets: Vec> = vec![Bucket::None; (1 << c) - 1]; - - for (coeff, base) in coeffs.iter().zip(bases.iter()) { - let coeff = get_at::(current_segment, c, coeff); - if coeff != 0 { - buckets[coeff - 1].add_assign(base); - } - } - - // Summation by parts - // e.g. 3a + 2b + 1c = a + - // (a) + b + - // ((a) + b) + c - let mut running_sum = C::Curve::identity(); - for exp in buckets.into_iter().rev() { - running_sum = exp.add(running_sum); - *acc += &running_sum; - } - } -} - -/// Performs a small multi-exponentiation operation. -/// Uses the double-and-add algorithm with doublings shared across points. -pub fn small_multiexp(coeffs: &[C::Scalar], bases: &[C]) -> C::Curve { - let coeffs: Vec<_> = coeffs.iter().map(|a| a.to_repr()).collect(); - let mut acc = C::Curve::identity(); - - // for byte idx - for byte_idx in (0..((C::Scalar::NUM_BITS as usize + 7) / 8)).rev() { - // for bit idx - for bit_idx in (0..8).rev() { - acc = acc.double(); - // for each coeff - for coeff_idx in 0..coeffs.len() { - let byte = coeffs[coeff_idx].as_ref()[byte_idx]; - if ((byte >> bit_idx) & 1) != 0 { - acc += bases[coeff_idx]; - } - } - } - } - - acc -} - -/// Performs a multi-exponentiation operation. -/// -/// This function will panic if coeffs and bases have a different length. -/// -/// This will use multithreading if beneficial. -pub fn best_multiexp(coeffs: &[C::Scalar], bases: &[C]) -> C::Curve { - assert_eq!(coeffs.len(), bases.len()); - - let num_threads = multicore::current_num_threads(); - if coeffs.len() > num_threads { - let chunk = coeffs.len() / num_threads; - let num_chunks = coeffs.chunks(chunk).len(); - let mut results = vec![C::Curve::identity(); num_chunks]; - multicore::scope(|scope| { - let chunk = coeffs.len() / num_threads; - - for ((coeffs, bases), acc) in coeffs - .chunks(chunk) - .zip(bases.chunks(chunk)) - .zip(results.iter_mut()) - { - scope.spawn(move |_| { - multiexp_serial(coeffs, bases, acc); - }); - } - }); - results.iter().fold(C::Curve::identity(), |a, b| a + b) - } else { - let mut acc = C::Curve::identity(); - multiexp_serial(coeffs, bases, &mut acc); - acc - } -} - -/// Performs a radix-$2$ Fast-Fourier Transformation (FFT) on a vector of size -/// $n = 2^k$, when provided `log_n` = $k$ and an element of multiplicative -/// order $n$ called `omega` ($\omega$). The result is that the vector `a`, when -/// interpreted as the coefficients of a polynomial of degree $n - 1$, is -/// transformed into the evaluations of this polynomial at each of the $n$ -/// distinct powers of $\omega$. This transformation is invertible by providing -/// $\omega^{-1}$ in place of $\omega$ and dividing each resulting field element -/// by $n$. -/// -/// This will use multithreading if beneficial. -pub fn best_fft>(a: &mut [G], omega: Scalar, log_n: u32) { - fn bitreverse(mut n: usize, l: usize) -> usize { - let mut r = 0; - for _ in 0..l { - r = (r << 1) | (n & 1); - n >>= 1; - } - r - } - - let threads = multicore::current_num_threads(); - let log_threads = log2_floor(threads); - let n = a.len(); - assert_eq!(n, 1 << log_n); - - for k in 0..n { - let rk = bitreverse(k, log_n as usize); - if k < rk { - a.swap(rk, k); - } - } - - // precompute twiddle factors - let twiddles: Vec<_> = (0..(n / 2)) - .scan(Scalar::ONE, |w, _| { - let tw = *w; - *w *= ω - Some(tw) - }) - .collect(); - - if log_n <= log_threads { - let mut chunk = 2_usize; - let mut twiddle_chunk = n / 2; - for _ in 0..log_n { - a.chunks_mut(chunk).for_each(|coeffs| { - let (left, right) = coeffs.split_at_mut(chunk / 2); - - // case when twiddle factor is one - let (a, left) = left.split_at_mut(1); - let (b, right) = right.split_at_mut(1); - let t = b[0]; - b[0] = a[0]; - a[0] += &t; - b[0] -= &t; - - left.iter_mut() - .zip(right.iter_mut()) - .enumerate() - .for_each(|(i, (a, b))| { - let mut t = *b; - t *= &twiddles[(i + 1) * twiddle_chunk]; - *b = *a; - *a += &t; - *b -= &t; - }); - }); - chunk *= 2; - twiddle_chunk /= 2; - } - } else { - recursive_butterfly_arithmetic(a, n, 1, &twiddles) - } -} - -/// This perform recursive butterfly arithmetic -pub fn recursive_butterfly_arithmetic>( - a: &mut [G], - n: usize, - twiddle_chunk: usize, - twiddles: &[Scalar], -) { - if n == 2 { - let t = a[1]; - a[1] = a[0]; - a[0] += &t; - a[1] -= &t; - } else { - let (left, right) = a.split_at_mut(n / 2); - multicore::join( - || recursive_butterfly_arithmetic(left, n / 2, twiddle_chunk * 2, twiddles), - || recursive_butterfly_arithmetic(right, n / 2, twiddle_chunk * 2, twiddles), - ); - - // case when twiddle factor is one - let (a, left) = left.split_at_mut(1); - let (b, right) = right.split_at_mut(1); - let t = b[0]; - b[0] = a[0]; - a[0] += &t; - b[0] -= &t; - - left.iter_mut() - .zip(right.iter_mut()) - .enumerate() - .for_each(|(i, (a, b))| { - let mut t = *b; - t *= &twiddles[(i + 1) * twiddle_chunk]; - *b = *a; - *a += &t; - *b -= &t; - }); - } -} - -/// Convert coefficient bases group elements to lagrange basis by inverse FFT. -pub fn g_to_lagrange(g_projective: Vec, k: u32) -> Vec { - let n_inv = C::Scalar::TWO_INV.pow_vartime([k as u64, 0, 0, 0]); - let mut omega_inv = C::Scalar::ROOT_OF_UNITY_INV; - for _ in k..C::Scalar::S { - omega_inv = omega_inv.square(); - } - - let mut g_lagrange_projective = g_projective; - best_fft(&mut g_lagrange_projective, omega_inv, k); - parallelize(&mut g_lagrange_projective, |g, _| { - for g in g.iter_mut() { - *g *= n_inv; - } - }); - - let mut g_lagrange = vec![C::identity(); 1 << k]; - parallelize(&mut g_lagrange, |g_lagrange, starts| { - C::Curve::batch_normalize( - &g_lagrange_projective[starts..(starts + g_lagrange.len())], - g_lagrange, - ); - }); - - g_lagrange -} - -/// This evaluates a provided polynomial (in coefficient form) at `point`. -pub fn eval_polynomial(poly: &[F], point: F) -> F { - fn evaluate(poly: &[F], point: F) -> F { - poly.iter() - .rev() - .fold(F::ZERO, |acc, coeff| acc * point + coeff) - } - let n = poly.len(); - let num_threads = multicore::current_num_threads(); - if n * 2 < num_threads { - evaluate(poly, point) - } else { - let chunk_size = (n + num_threads - 1) / num_threads; - let mut parts = vec![F::ZERO; num_threads]; - multicore::scope(|scope| { - for (chunk_idx, (out, poly)) in - parts.chunks_mut(1).zip(poly.chunks(chunk_size)).enumerate() - { - scope.spawn(move |_| { - let start = chunk_idx * chunk_size; - out[0] = evaluate(poly, point) * point.pow_vartime([start as u64, 0, 0, 0]); - }); - } - }); - parts.iter().fold(F::ZERO, |acc, coeff| acc + coeff) - } -} - -/// This computes the inner product of two vectors `a` and `b`. -/// -/// This function will panic if the two vectors are not the same size. -pub fn compute_inner_product(a: &[F], b: &[F]) -> F { - // TODO: parallelize? - assert_eq!(a.len(), b.len()); - - let mut acc = F::ZERO; - for (a, b) in a.iter().zip(b.iter()) { - acc += (*a) * (*b); - } - - acc -} - -/// Divides polynomial `a` in `X` by `X - b` with -/// no remainder. -pub fn kate_division<'a, F: Field, I: IntoIterator>(a: I, mut b: F) -> Vec -where - I::IntoIter: DoubleEndedIterator + ExactSizeIterator, -{ - b = -b; - let a = a.into_iter(); - - let mut q = vec![F::ZERO; a.len() - 1]; - - let mut tmp = F::ZERO; - for (q, r) in q.iter_mut().rev().zip(a.rev()) { - let mut lead_coeff = *r; - lead_coeff.sub_assign(&tmp); - *q = lead_coeff; - tmp = lead_coeff; - tmp.mul_assign(&b); - } - - q -} - -/// This utility function will parallelize an operation that is to be -/// performed over a mutable slice. -pub fn parallelize(v: &mut [T], f: F) { - // Algorithm rationale: - // - // Using the stdlib `chunks_mut` will lead to severe load imbalance. - // From https://github.com/rust-lang/rust/blob/e94bda3/library/core/src/slice/iter.rs#L1607-L1637 - // if the division is not exact, the last chunk will be the remainder. - // - // Dividing 40 items on 12 threads will lead to a chunk size of 40/12 = 3, - // There will be a 13 chunks of size 3 and 1 of size 1 distributed on 12 threads. - // This leads to 1 thread working on 6 iterations, 1 on 4 iterations and 10 on 3 iterations, - // a load imbalance of 2x. - // - // Instead we can divide work into chunks of size - // 4, 4, 4, 4, 3, 3, 3, 3, 3, 3, 3, 3 = 4*4 + 3*8 = 40 - // - // This would lead to a 6/4 = 1.5x speedup compared to naive chunks_mut - // - // See also OpenMP spec (page 60) - // http://www.openmp.org/mp-documents/openmp-4.5.pdf - // "When no chunk_size is specified, the iteration space is divided into chunks - // that are approximately equal in size, and at most one chunk is distributed to - // each thread. The size of the chunks is unspecified in this case." - // This implies chunks are the same size ±1 - - let f = &f; - let total_iters = v.len(); - let num_threads = multicore::current_num_threads(); - let base_chunk_size = total_iters / num_threads; - let cutoff_chunk_id = total_iters % num_threads; - let split_pos = cutoff_chunk_id * (base_chunk_size + 1); - let (v_hi, v_lo) = v.split_at_mut(split_pos); - - multicore::scope(|scope| { - // Skip special-case: number of iterations is cleanly divided by number of threads. - if cutoff_chunk_id != 0 { - for (chunk_id, chunk) in v_hi.chunks_exact_mut(base_chunk_size + 1).enumerate() { - let offset = chunk_id * (base_chunk_size + 1); - scope.spawn(move |_| f(chunk, offset)); - } - } - // Skip special-case: less iterations than number of threads. - if base_chunk_size != 0 { - for (chunk_id, chunk) in v_lo.chunks_exact_mut(base_chunk_size).enumerate() { - let offset = split_pos + (chunk_id * base_chunk_size); - scope.spawn(move |_| f(chunk, offset)); - } - } - }); -} - -fn log2_floor(num: usize) -> u32 { - assert!(num > 0); - - let mut pow = 0; - - while (1 << (pow + 1)) <= num { - pow += 1; - } - - pow -} - -/// Returns coefficients of an n - 1 degree polynomial given a set of n points -/// and their evaluations. This function will panic if two values in `points` -/// are the same. -pub fn lagrange_interpolate(points: &[F], evals: &[F]) -> Vec { - assert_eq!(points.len(), evals.len()); - if points.len() == 1 { - // Constant polynomial - vec![evals[0]] - } else { - let mut denoms = Vec::with_capacity(points.len()); - for (j, x_j) in points.iter().enumerate() { - let mut denom = Vec::with_capacity(points.len() - 1); - for x_k in points - .iter() - .enumerate() - .filter(|&(k, _)| k != j) - .map(|a| a.1) - { - denom.push(*x_j - x_k); - } - denoms.push(denom); - } - // Compute (x_j - x_k)^(-1) for each j != i - denoms.iter_mut().flat_map(|v| v.iter_mut()).batch_invert(); - - let mut final_poly = vec![F::ZERO; points.len()]; - for (j, (denoms, eval)) in denoms.into_iter().zip(evals.iter()).enumerate() { - let mut tmp: Vec = Vec::with_capacity(points.len()); - let mut product = Vec::with_capacity(points.len() - 1); - tmp.push(F::ONE); - for (x_k, denom) in points - .iter() - .enumerate() - .filter(|&(k, _)| k != j) - .map(|a| a.1) - .zip(denoms.into_iter()) - { - product.resize(tmp.len() + 1, F::ZERO); - for ((a, b), product) in tmp - .iter() - .chain(std::iter::once(&F::ZERO)) - .zip(std::iter::once(&F::ZERO).chain(tmp.iter())) - .zip(product.iter_mut()) - { - *product = *a * (-denom * x_k) + *b * denom; - } - std::mem::swap(&mut tmp, &mut product); - } - assert_eq!(tmp.len(), points.len()); - assert_eq!(product.len(), points.len() - 1); - for (final_coeff, interpolation_coeff) in final_poly.iter_mut().zip(tmp.into_iter()) { - *final_coeff += interpolation_coeff * eval; - } - } - final_poly - } -} - -pub(crate) fn evaluate_vanishing_polynomial(roots: &[F], z: F) -> F { - fn evaluate(roots: &[F], z: F) -> F { - roots.iter().fold(F::ONE, |acc, point| (z - point) * acc) - } - let n = roots.len(); - let num_threads = multicore::current_num_threads(); - if n * 2 < num_threads { - evaluate(roots, z) - } else { - let chunk_size = (n + num_threads - 1) / num_threads; - let mut parts = vec![F::ONE; num_threads]; - multicore::scope(|scope| { - for (out, roots) in parts.chunks_mut(1).zip(roots.chunks(chunk_size)) { - scope.spawn(move |_| out[0] = evaluate(roots, z)); - } - }); - parts.iter().fold(F::ONE, |acc, part| acc * part) - } -} - -pub(crate) fn powers(base: F) -> impl Iterator { - std::iter::successors(Some(F::ONE), move |power| Some(base * power)) -} - -#[cfg(test)] -use rand_core::OsRng; - -#[cfg(test)] -use crate::halo2curves::pasta::Fp; - -#[test] -fn test_lagrange_interpolate() { - let rng = OsRng; - - let points = (0..5).map(|_| Fp::random(rng)).collect::>(); - let evals = (0..5).map(|_| Fp::random(rng)).collect::>(); - - for coeffs in 0..5 { - let points = &points[0..coeffs]; - let evals = &evals[0..coeffs]; - - let poly = lagrange_interpolate(points, evals); - assert_eq!(poly.len(), points.len()); - - for (point, eval) in points.iter().zip(evals) { - assert_eq!(eval_polynomial(&poly, *point), *eval); - } - } -} diff --git a/halo2_proofs/src/plonk/circuit/compress_selectors.rs b/halo2_proofs/src/plonk/circuit/compress_selectors.rs deleted file mode 100644 index 053ebe3178..0000000000 --- a/halo2_proofs/src/plonk/circuit/compress_selectors.rs +++ /dev/null @@ -1,352 +0,0 @@ -use super::Expression; -use ff::Field; - -/// This describes a selector and where it is activated. -#[derive(Debug, Clone)] -pub struct SelectorDescription { - /// The selector that this description references, by index. - pub selector: usize, - - /// The vector of booleans defining which rows are active for this selector. - pub activations: Vec, - - /// The maximum degree of a gate involving this selector, including the - /// virtual selector itself. This means this will be at least 1 for any - /// expression containing a simple selector, even if that selector is not - /// multiplied by anything. - pub max_degree: usize, -} - -/// This describes the assigned combination of a particular selector as well as -/// the expression it should be substituted with. -#[derive(Debug, Clone)] -pub struct SelectorAssignment { - /// The selector that this structure references, by index. - pub selector: usize, - - /// The combination this selector was assigned to - pub combination_index: usize, - - /// The expression we wish to substitute with - pub expression: Expression, -} - -/// This function takes a vector that defines each selector as well as a closure -/// used to allocate new fixed columns, and returns the assignment of each -/// combination as well as details about each selector assignment. -/// -/// This function takes -/// * `selectors`, a vector of `SelectorDescription`s that describe each -/// selector -/// * `max_degree`, the maximum allowed degree of any gate -/// * `allocate_fixed_columns`, a closure that constructs a new fixed column and -/// queries it at Rotation::cur(), returning the expression -/// -/// and returns `Vec>` containing the assignment of each new fixed column -/// (which each correspond to a combination) as well as a vector of -/// `SelectorAssignment` that the caller can use to perform the necessary -/// substitutions to the constraint system. -/// -/// This function is completely deterministic. -pub fn process( - mut selectors: Vec, - max_degree: usize, - mut allocate_fixed_column: E, -) -> (Vec>, Vec>) -where - E: FnMut() -> Expression, -{ - if selectors.is_empty() { - // There is nothing to optimize. - return (vec![], vec![]); - } - - // The length of all provided selectors must be the same. - let n = selectors[0].activations.len(); - assert!(selectors.iter().all(|a| a.activations.len() == n)); - - let mut combination_assignments = vec![]; - let mut selector_assignments = vec![]; - - // All provided selectors of degree 0 are assumed to be either concrete - // selectors or do not appear in a gate. Let's address these first. - selectors.retain(|selector| { - if selector.max_degree == 0 { - // This is a complex selector, or a selector that does not appear in any - // gate constraint. - let expression = allocate_fixed_column(); - - let combination_assignment = selector - .activations - .iter() - .map(|b| if *b { F::ONE } else { F::ZERO }) - .collect::>(); - let combination_index = combination_assignments.len(); - combination_assignments.push(combination_assignment); - selector_assignments.push(SelectorAssignment { - selector: selector.selector, - combination_index, - expression, - }); - - false - } else { - true - } - }); - - // All of the remaining `selectors` are simple. Let's try to combine them. - // First, we compute the exclusion matrix that has (j, k) = true if selector - // j and selector k conflict -- that is, they are both enabled on the same - // row. This matrix is symmetric and the diagonal entries are false, so we - // only need to store the lower triangular entries. - let mut exclusion_matrix = (0..selectors.len()) - .map(|i| vec![false; i]) - .collect::>(); - - for (i, rows) in selectors - .iter() - .map(|selector| &selector.activations) - .enumerate() - { - // Loop over the selectors previous to this one - for (j, other_selector) in selectors.iter().enumerate().take(i) { - // Look at what selectors are active at the same row - if rows - .iter() - .zip(other_selector.activations.iter()) - .any(|(l, r)| l & r) - { - // Mark them as incompatible - exclusion_matrix[i][j] = true; - } - } - } - - // Simple selectors that we've added to combinations already. - let mut added = vec![false; selectors.len()]; - - for (i, selector) in selectors.iter().enumerate() { - if added[i] { - continue; - } - added[i] = true; - assert!(selector.max_degree <= max_degree); - // This is used to keep track of the largest degree gate involved in the - // combination so far. We subtract by one to omit the virtual selector - // which will be substituted by the caller with the expression we give - // them. - let mut d = selector.max_degree - 1; - let mut combination = vec![selector]; - let mut combination_added = vec![i]; - - // Try to find other selectors that can join this one. - 'try_selectors: for (j, selector) in selectors.iter().enumerate().skip(i + 1) { - if d + combination.len() == max_degree { - // Short circuit; nothing can be added to this - // combination. - break 'try_selectors; - } - - // Skip selectors that have been added to previous combinations - if added[j] { - continue 'try_selectors; - } - - // Is this selector excluded from co-existing in the same - // combination with any of the other selectors so far? - for &i in combination_added.iter() { - if exclusion_matrix[j][i] { - continue 'try_selectors; - } - } - - // Can the new selector join the combination? Reminder: we use - // selector.max_degree - 1 to omit the influence of the virtual - // selector on the degree, as it will be substituted. - let new_d = std::cmp::max(d, selector.max_degree - 1); - if new_d + combination.len() + 1 > max_degree { - // Guess not. - continue 'try_selectors; - } - - d = new_d; - combination.push(selector); - combination_added.push(j); - added[j] = true; - } - - // Now, compute the selector and combination assignments. - let mut combination_assignment = vec![F::ZERO; n]; - let combination_len = combination.len(); - let combination_index = combination_assignments.len(); - let query = allocate_fixed_column(); - - let mut assigned_root = F::ONE; - selector_assignments.extend(combination.into_iter().map(|selector| { - // Compute the expression for substitution. This produces an expression of the - // form - // q * Prod[i = 1..=combination_len, i != assigned_root](i - q) - // - // which is non-zero only on rows where `combination_assignment` is set to - // `assigned_root`. In particular, rows set to 0 correspond to all selectors - // being disabled. - let mut expression = query.clone(); - let mut root = F::ONE; - for _ in 0..combination_len { - if root != assigned_root { - expression = expression * (Expression::Constant(root) - query.clone()); - } - root += F::ONE; - } - - // Update the combination assignment - for (combination, selector) in combination_assignment - .iter_mut() - .zip(selector.activations.iter()) - { - // This will not overwrite another selector's activations because - // we have ensured that selectors are disjoint. - if *selector { - *combination = assigned_root; - } - } - - assigned_root += F::ONE; - - SelectorAssignment { - selector: selector.selector, - combination_index, - expression, - } - })); - combination_assignments.push(combination_assignment); - } - - (combination_assignments, selector_assignments) -} - -#[cfg(test)] -mod tests { - use super::*; - use crate::{plonk::FixedQuery, poly::Rotation}; - use halo2curves::pasta::Fp; - use proptest::collection::{vec, SizeRange}; - use proptest::prelude::*; - - prop_compose! { - fn arb_selector(assignment_size: usize, max_degree: usize) - (degree in 0..max_degree, - assignment in vec(any::(), assignment_size)) - -> (usize, Vec) { - (degree, assignment) - } - } - - prop_compose! { - fn arb_selector_list(assignment_size: usize, max_degree: usize, num_selectors: impl Into) - (list in vec(arb_selector(assignment_size, max_degree), num_selectors)) - -> Vec - { - list.into_iter().enumerate().map(|(i, (max_degree, activations))| { - SelectorDescription { - selector: i, - activations, - max_degree, - } - }).collect() - } - } - - prop_compose! { - fn arb_instance(max_assignment_size: usize, - max_degree: usize, - max_selectors: usize) - (assignment_size in 1..max_assignment_size, - degree in 1..max_degree, - num_selectors in 1..max_selectors) - (list in arb_selector_list(assignment_size, degree, num_selectors), - degree in Just(degree)) - -> (Vec, usize) - { - (list, degree) - } - } - - proptest! { - #![proptest_config(ProptestConfig::with_cases(10000))] - #[test] - fn test_selector_combination((selectors, max_degree) in arb_instance(10, 10, 15)) { - let mut query = 0; - let (combination_assignments, selector_assignments) = - process::(selectors.clone(), max_degree, || { - let tmp = Expression::Fixed(FixedQuery { - index: Some(query), - column_index: query, - rotation: Rotation::cur(), - }); - query += 1; - tmp - }); - - { - let mut selectors_seen = vec![]; - assert_eq!(selectors.len(), selector_assignments.len()); - for selector in &selector_assignments { - // Every selector should be assigned to a combination - assert!(selector.combination_index < combination_assignments.len()); - assert!(!selectors_seen.contains(&selector.selector)); - selectors_seen.push(selector.selector); - } - } - - // Test that, for each selector, the provided expression - // 1. evaluates to zero on rows where the selector's activation is off - // 2. evaluates to nonzero on rows where the selector's activation is on - // 3. is of degree d such that d + (selector.max_degree - 1) <= max_degree - // OR selector.max_degree is zero - for selector in selector_assignments { - assert_eq!( - selectors[selector.selector].activations.len(), - combination_assignments[selector.combination_index].len() - ); - for (&activation, &assignment) in selectors[selector.selector] - .activations - .iter() - .zip(combination_assignments[selector.combination_index].iter()) - { - let eval = selector.expression.evaluate( - &|c| c, - &|_| panic!("should not occur in returned expressions"), - &|query| { - // Should be the correct combination in the expression - assert_eq!(selector.combination_index, query.index.unwrap()); - assignment - }, - &|_| panic!("should not occur in returned expressions"), - &|_| panic!("should not occur in returned expressions"), - &|_| panic!("should not occur in returned expressions"), - &|a| -a, - &|a, b| a + b, - &|a, b| a * b, - &|a, f| a * f, - ); - - if activation { - assert!(!eval.is_zero_vartime()); - } else { - assert!(eval.is_zero_vartime()); - } - } - - let expr_degree = selector.expression.degree(); - assert!(expr_degree <= max_degree); - if selectors[selector.selector].max_degree > 0 { - assert!( - (selectors[selector.selector].max_degree - 1) + expr_degree <= max_degree - ); - } - } - } - } -} diff --git a/halo2_proofs/src/plonk/shuffle.rs b/halo2_proofs/src/plonk/shuffle.rs deleted file mode 100644 index e32353c710..0000000000 --- a/halo2_proofs/src/plonk/shuffle.rs +++ /dev/null @@ -1,67 +0,0 @@ -use super::circuit::Expression; -use ff::Field; -use std::fmt::{self, Debug}; - -pub(crate) mod prover; -pub(crate) mod verifier; - -#[derive(Clone)] -pub struct Argument { - pub(crate) name: String, - pub(crate) input_expressions: Vec>, - pub(crate) shuffle_expressions: Vec>, -} - -impl Debug for Argument { - fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { - f.debug_struct("Argument") - .field("input_expressions", &self.input_expressions) - .field("shuffle_expressions", &self.shuffle_expressions) - .finish() - } -} - -impl Argument { - /// Constructs a new shuffle argument. - /// - /// `shuffle` is a sequence of `(input, shuffle)` tuples. - pub fn new>(name: S, shuffle: Vec<(Expression, Expression)>) -> Self { - let (input_expressions, shuffle_expressions) = shuffle.into_iter().unzip(); - Argument { - name: name.as_ref().to_string(), - input_expressions, - shuffle_expressions, - } - } - - pub(crate) fn required_degree(&self) -> usize { - assert_eq!(self.input_expressions.len(), self.shuffle_expressions.len()); - - let mut input_degree = 1; - for expr in self.input_expressions.iter() { - input_degree = std::cmp::max(input_degree, expr.degree()); - } - let mut shuffle_degree = 1; - for expr in self.shuffle_expressions.iter() { - shuffle_degree = std::cmp::max(shuffle_degree, expr.degree()); - } - - // (1 - (l_last + l_blind)) (z(\omega X) (s(X) + \gamma) - z(X) (a(X) + \gamma)) - std::cmp::max(2 + shuffle_degree, 2 + input_degree) - } - - /// Returns input of this argument - pub fn input_expressions(&self) -> &Vec> { - &self.input_expressions - } - - /// Returns table of this argument - pub fn shuffle_expressions(&self) -> &Vec> { - &self.shuffle_expressions - } - - /// Returns name of this argument - pub fn name(&self) -> &str { - &self.name - } -} diff --git a/halo2_proofs/src/plonk/shuffle/prover.rs b/halo2_proofs/src/plonk/shuffle/prover.rs deleted file mode 100644 index fd30436a47..0000000000 --- a/halo2_proofs/src/plonk/shuffle/prover.rs +++ /dev/null @@ -1,250 +0,0 @@ -use super::super::{ - circuit::Expression, ChallengeGamma, ChallengeTheta, ChallengeX, Error, ProvingKey, -}; -use super::Argument; -use crate::plonk::evaluation::evaluate; -use crate::{ - arithmetic::{eval_polynomial, parallelize, CurveAffine}, - poly::{ - commitment::{Blind, Params}, - Coeff, EvaluationDomain, LagrangeCoeff, Polynomial, ProverQuery, Rotation, - }, - transcript::{EncodedChallenge, TranscriptWrite}, -}; -use ff::WithSmallOrderMulGroup; -use group::{ff::BatchInvert, Curve}; -use rand_core::RngCore; -use std::{ - iter, - ops::{Mul, MulAssign}, -}; - -#[derive(Debug)] -struct Compressed { - input_expression: Polynomial, - shuffle_expression: Polynomial, -} - -#[derive(Debug)] -pub(in crate::plonk) struct Committed { - pub(in crate::plonk) product_poly: Polynomial, - product_blind: Blind, -} - -pub(in crate::plonk) struct Evaluated { - constructed: Committed, -} - -impl> Argument { - /// Given a Shuffle with input expressions [A_0, A_1, ..., A_{m-1}] and table expressions - /// [S_0, S_1, ..., S_{m-1}], this method - /// - constructs A_compressed = \theta^{m-1} A_0 + theta^{m-2} A_1 + ... + \theta A_{m-2} + A_{m-1} - /// and S_compressed = \theta^{m-1} S_0 + theta^{m-2} S_1 + ... + \theta S_{m-2} + S_{m-1}, - #[allow(clippy::too_many_arguments)] - fn compress<'a, 'params: 'a, C, P: Params<'params, C>>( - &self, - pk: &ProvingKey, - params: &P, - domain: &EvaluationDomain, - theta: ChallengeTheta, - advice_values: &'a [Polynomial], - fixed_values: &'a [Polynomial], - instance_values: &'a [Polynomial], - challenges: &'a [C::Scalar], - ) -> Compressed - where - C: CurveAffine, - C::Curve: Mul + MulAssign, - { - // Closure to get values of expressions and compress them - let compress_expressions = |expressions: &[Expression]| { - let compressed_expression = expressions - .iter() - .map(|expression| { - pk.vk.domain.lagrange_from_vec(evaluate( - expression, - params.n() as usize, - 1, - fixed_values, - advice_values, - instance_values, - challenges, - )) - }) - .fold(domain.empty_lagrange(), |acc, expression| { - acc * *theta + &expression - }); - compressed_expression - }; - - // Get values of input expressions involved in the shuffle and compress them - let input_expression = compress_expressions(&self.input_expressions); - - // Get values of table expressions involved in the shuffle and compress them - let shuffle_expression = compress_expressions(&self.shuffle_expressions); - - Compressed { - input_expression, - shuffle_expression, - } - } - - /// Given a Shuffle with input expressions and table expressions this method - /// constructs the grand product polynomial over the shuffle. - /// The grand product polynomial is used to populate the Product struct. - /// The Product struct is added to the Shuffle and finally returned by the method. - #[allow(clippy::too_many_arguments)] - pub(in crate::plonk) fn commit_product< - 'a, - 'params: 'a, - C, - P: Params<'params, C>, - E: EncodedChallenge, - R: RngCore, - T: TranscriptWrite, - >( - &self, - pk: &ProvingKey, - params: &P, - domain: &EvaluationDomain, - theta: ChallengeTheta, - gamma: ChallengeGamma, - advice_values: &'a [Polynomial], - fixed_values: &'a [Polynomial], - instance_values: &'a [Polynomial], - challenges: &'a [C::Scalar], - mut rng: R, - transcript: &mut T, - ) -> Result, Error> - where - C: CurveAffine, - C::Curve: Mul + MulAssign, - { - let compressed = self.compress( - pk, - params, - domain, - theta, - advice_values, - fixed_values, - instance_values, - challenges, - ); - - let blinding_factors = pk.vk.cs.blinding_factors(); - - let mut shuffle_product = vec![C::Scalar::ZERO; params.n() as usize]; - parallelize(&mut shuffle_product, |shuffle_product, start| { - for (shuffle_product, shuffle_value) in shuffle_product - .iter_mut() - .zip(compressed.shuffle_expression[start..].iter()) - { - *shuffle_product = *gamma + shuffle_value; - } - }); - - shuffle_product.iter_mut().batch_invert(); - - parallelize(&mut shuffle_product, |product, start| { - for (i, product) in product.iter_mut().enumerate() { - let i = i + start; - *product *= &(*gamma + compressed.input_expression[i]); - } - }); - - // Compute the evaluations of the shuffle product polynomial - // over our domain, starting with z[0] = 1 - let z = iter::once(C::Scalar::ONE) - .chain(shuffle_product) - .scan(C::Scalar::ONE, |state, cur| { - *state *= &cur; - Some(*state) - }) - // Take all rows including the "last" row which should - // be a boolean (and ideally 1, else soundness is broken) - .take(params.n() as usize - blinding_factors) - // Chain random blinding factors. - .chain((0..blinding_factors).map(|_| C::Scalar::random(&mut rng))) - .collect::>(); - assert_eq!(z.len(), params.n() as usize); - let z = pk.vk.domain.lagrange_from_vec(z); - - #[cfg(feature = "sanity-checks")] - { - // While in Lagrange basis, check that product is correctly constructed - let u = (params.n() as usize) - (blinding_factors + 1); - assert_eq!(z[0], C::Scalar::ONE); - for i in 0..u { - let mut left = z[i + 1]; - let input_value = &compressed.input_expression[i]; - let shuffle_value = &compressed.shuffle_expression[i]; - left *= &(*gamma + shuffle_value); - let mut right = z[i]; - right *= &(*gamma + input_value); - assert_eq!(left, right); - } - assert_eq!(z[u], C::Scalar::ONE); - } - - let product_blind = Blind(C::Scalar::random(rng)); - let product_commitment = params.commit_lagrange(&z, product_blind).to_affine(); - let z = pk.vk.domain.lagrange_to_coeff(z); - - // Hash product commitment - transcript.write_point(product_commitment)?; - - Ok(Committed:: { - product_poly: z, - product_blind, - }) - } -} - -impl Committed { - pub(in crate::plonk) fn evaluate, T: TranscriptWrite>( - self, - pk: &ProvingKey, - x: ChallengeX, - transcript: &mut T, - ) -> Result, Error> { - let domain = &pk.vk.domain; - let x_next = domain.rotate_omega(*x, Rotation::next()); - - let product_eval = eval_polynomial(&self.product_poly, *x); - let product_next_eval = eval_polynomial(&self.product_poly, x_next); - - // Hash each advice evaluation - for eval in iter::empty() - .chain(Some(product_eval)) - .chain(Some(product_next_eval)) - { - transcript.write_scalar(eval)?; - } - - Ok(Evaluated { constructed: self }) - } -} - -impl Evaluated { - pub(in crate::plonk) fn open<'a>( - &'a self, - pk: &'a ProvingKey, - x: ChallengeX, - ) -> impl Iterator> + Clone { - let x_next = pk.vk.domain.rotate_omega(*x, Rotation::next()); - - iter::empty() - // Open shuffle product commitments at x - .chain(Some(ProverQuery { - point: *x, - poly: &self.constructed.product_poly, - blind: self.constructed.product_blind, - })) - // Open shuffle product commitments at x_next - .chain(Some(ProverQuery { - point: x_next, - poly: &self.constructed.product_poly, - blind: self.constructed.product_blind, - })) - } -} diff --git a/halo2_proofs/src/plonk/shuffle/verifier.rs b/halo2_proofs/src/plonk/shuffle/verifier.rs deleted file mode 100644 index 379cc5c8a1..0000000000 --- a/halo2_proofs/src/plonk/shuffle/verifier.rs +++ /dev/null @@ -1,138 +0,0 @@ -use std::iter; - -use super::super::{circuit::Expression, ChallengeGamma, ChallengeTheta, ChallengeX}; -use super::Argument; -use crate::{ - arithmetic::CurveAffine, - plonk::{Error, VerifyingKey}, - poly::{commitment::MSM, Rotation, VerifierQuery}, - transcript::{EncodedChallenge, TranscriptRead}, -}; -use ff::Field; - -pub struct Committed { - product_commitment: C, -} - -pub struct Evaluated { - committed: Committed, - product_eval: C::Scalar, - product_next_eval: C::Scalar, -} - -impl Argument { - pub(in crate::plonk) fn read_product_commitment< - C: CurveAffine, - E: EncodedChallenge, - T: TranscriptRead, - >( - &self, - transcript: &mut T, - ) -> Result, Error> { - let product_commitment = transcript.read_point()?; - - Ok(Committed { product_commitment }) - } -} - -impl Committed { - pub(crate) fn evaluate, T: TranscriptRead>( - self, - transcript: &mut T, - ) -> Result, Error> { - let product_eval = transcript.read_scalar()?; - let product_next_eval = transcript.read_scalar()?; - - Ok(Evaluated { - committed: self, - product_eval, - product_next_eval, - }) - } -} - -impl Evaluated { - #[allow(clippy::too_many_arguments)] - pub(in crate::plonk) fn expressions<'a>( - &'a self, - l_0: C::Scalar, - l_last: C::Scalar, - l_blind: C::Scalar, - argument: &'a Argument, - theta: ChallengeTheta, - gamma: ChallengeGamma, - advice_evals: &[C::Scalar], - fixed_evals: &[C::Scalar], - instance_evals: &[C::Scalar], - challenges: &[C::Scalar], - ) -> impl Iterator + 'a { - let active_rows = C::Scalar::ONE - (l_last + l_blind); - - let product_expression = || { - // z(\omega X) (s(X) + \gamma) - z(X) (a(X) + \gamma) - let compress_expressions = |expressions: &[Expression]| { - expressions - .iter() - .map(|expression| { - expression.evaluate( - &|scalar| scalar, - &|_| panic!("virtual selectors are removed during optimization"), - &|query| fixed_evals[query.index.unwrap()], - &|query| advice_evals[query.index.unwrap()], - &|query| instance_evals[query.index.unwrap()], - &|challenge| challenges[challenge.index()], - &|a| -a, - &|a, b| a + &b, - &|a, b| a * &b, - &|a, scalar| a * &scalar, - ) - }) - .fold(C::Scalar::ZERO, |acc, eval| acc * &*theta + &eval) - }; - // z(\omega X) (s(X) + \gamma) - let left = self.product_next_eval - * &(compress_expressions(&argument.shuffle_expressions) + &*gamma); - // z(X) (a(X) + \gamma) - let right = - self.product_eval * &(compress_expressions(&argument.input_expressions) + &*gamma); - - (left - &right) * &active_rows - }; - - std::iter::empty() - .chain( - // l_0(X) * (1 - z'(X)) = 0 - Some(l_0 * &(C::Scalar::ONE - &self.product_eval)), - ) - .chain( - // l_last(X) * (z(X)^2 - z(X)) = 0 - Some(l_last * &(self.product_eval.square() - &self.product_eval)), - ) - .chain( - // (1 - (l_last(X) + l_blind(X))) * ( z(\omega X) (s(X) + \gamma) - z(X) (a(X) + \gamma)) - Some(product_expression()), - ) - } - - pub(in crate::plonk) fn queries<'r, M: MSM + 'r>( - &'r self, - vk: &'r VerifyingKey, - x: ChallengeX, - ) -> impl Iterator> + Clone { - let x_next = vk.domain.rotate_omega(*x, Rotation::next()); - - iter::empty() - // Open shuffle product commitment at x - .chain(Some(VerifierQuery::new_commitment( - &self.committed.product_commitment, - *x, - self.product_eval, - ))) - // Open shuffle product commitment at \omega x - .chain(Some(VerifierQuery::new_commitment( - &self.committed.product_commitment, - x_next, - self.product_next_eval, - ))) - } -} diff --git a/halo2_proofs/src/plonk/vanishing.rs b/halo2_proofs/src/plonk/vanishing.rs deleted file mode 100644 index 81f86b02e2..0000000000 --- a/halo2_proofs/src/plonk/vanishing.rs +++ /dev/null @@ -1,11 +0,0 @@ -use std::marker::PhantomData; - -use crate::arithmetic::CurveAffine; - -mod prover; -mod verifier; - -/// A vanishing argument. -pub(crate) struct Argument { - _marker: PhantomData, -} diff --git a/halo2_proofs/src/plonk/vanishing/prover.rs b/halo2_proofs/src/plonk/vanishing/prover.rs deleted file mode 100644 index 7943086826..0000000000 --- a/halo2_proofs/src/plonk/vanishing/prover.rs +++ /dev/null @@ -1,199 +0,0 @@ -use std::{collections::HashMap, iter}; - -use ff::Field; -use group::Curve; -use rand_chacha::ChaCha20Rng; -use rand_core::{RngCore, SeedableRng}; - -use super::Argument; -use crate::{ - arithmetic::{eval_polynomial, parallelize, CurveAffine}, - multicore::current_num_threads, - plonk::{ChallengeX, Error}, - poly::{ - commitment::{Blind, ParamsProver}, - Coeff, EvaluationDomain, ExtendedLagrangeCoeff, Polynomial, ProverQuery, - }, - transcript::{EncodedChallenge, TranscriptWrite}, -}; - -pub(in crate::plonk) struct Committed { - random_poly: Polynomial, - random_blind: Blind, -} - -pub(in crate::plonk) struct Constructed { - h_pieces: Vec>, - h_blinds: Vec>, - committed: Committed, -} - -pub(in crate::plonk) struct Evaluated { - h_poly: Polynomial, - h_blind: Blind, - committed: Committed, -} - -impl Argument { - pub(in crate::plonk) fn commit< - 'params, - P: ParamsProver<'params, C>, - E: EncodedChallenge, - R: RngCore, - T: TranscriptWrite, - >( - params: &P, - domain: &EvaluationDomain, - mut rng: R, - transcript: &mut T, - ) -> Result, Error> { - // Sample a random polynomial of degree n - 1 - let n = 1usize << domain.k() as usize; - let mut rand_vec = vec![C::Scalar::ZERO; n]; - - let num_threads = current_num_threads(); - let chunk_size = n / num_threads; - let thread_seeds = (0..) - .step_by(chunk_size + 1) - .take(n % num_threads) - .chain( - (chunk_size != 0) - .then(|| ((n % num_threads) * (chunk_size + 1)..).step_by(chunk_size)) - .into_iter() - .flatten(), - ) - .take(num_threads) - .zip(iter::repeat_with(|| { - let mut seed = [0u8; 32]; - rng.fill_bytes(&mut seed); - ChaCha20Rng::from_seed(seed) - })) - .collect::>(); - - parallelize(&mut rand_vec, |chunk, offset| { - let mut rng = thread_seeds[&offset].clone(); - chunk - .iter_mut() - .for_each(|v| *v = C::Scalar::random(&mut rng)); - }); - - let random_poly: Polynomial = domain.coeff_from_vec(rand_vec); - - // Sample a random blinding factor - let random_blind = Blind(C::Scalar::random(rng)); - - // Commit - let c = params.commit(&random_poly, random_blind).to_affine(); - transcript.write_point(c)?; - - Ok(Committed { - random_poly, - random_blind, - }) - } -} - -impl Committed { - pub(in crate::plonk) fn construct< - 'params, - P: ParamsProver<'params, C>, - E: EncodedChallenge, - R: RngCore, - T: TranscriptWrite, - >( - self, - params: &P, - domain: &EvaluationDomain, - h_poly: Polynomial, - mut rng: R, - transcript: &mut T, - ) -> Result, Error> { - // Divide by t(X) = X^{params.n} - 1. - let h_poly = domain.divide_by_vanishing_poly(h_poly); - - // Obtain final h(X) polynomial - let h_poly = domain.extended_to_coeff(h_poly); - - // Split h(X) up into pieces - let h_pieces = h_poly - .chunks_exact(params.n() as usize) - .map(|v| domain.coeff_from_vec(v.to_vec())) - .collect::>(); - drop(h_poly); - let h_blinds: Vec<_> = h_pieces - .iter() - .map(|_| Blind(C::Scalar::random(&mut rng))) - .collect(); - - // Compute commitments to each h(X) piece - let h_commitments_projective: Vec<_> = h_pieces - .iter() - .zip(h_blinds.iter()) - .map(|(h_piece, blind)| params.commit(h_piece, *blind)) - .collect(); - let mut h_commitments = vec![C::identity(); h_commitments_projective.len()]; - C::Curve::batch_normalize(&h_commitments_projective, &mut h_commitments); - let h_commitments = h_commitments; - - // Hash each h(X) piece - for c in h_commitments.iter() { - transcript.write_point(*c)?; - } - - Ok(Constructed { - h_pieces, - h_blinds, - committed: self, - }) - } -} - -impl Constructed { - pub(in crate::plonk) fn evaluate, T: TranscriptWrite>( - self, - x: ChallengeX, - xn: C::Scalar, - domain: &EvaluationDomain, - transcript: &mut T, - ) -> Result, Error> { - let h_poly = self - .h_pieces - .iter() - .rev() - .fold(domain.empty_coeff(), |acc, eval| acc * xn + eval); - - let h_blind = self - .h_blinds - .iter() - .rev() - .fold(Blind(C::Scalar::ZERO), |acc, eval| acc * Blind(xn) + *eval); - - let random_eval = eval_polynomial(&self.committed.random_poly, *x); - transcript.write_scalar(random_eval)?; - - Ok(Evaluated { - h_poly, - h_blind, - committed: self.committed, - }) - } -} - -impl Evaluated { - pub(in crate::plonk) fn open( - &self, - x: ChallengeX, - ) -> impl Iterator> + Clone { - iter::empty() - .chain(Some(ProverQuery { - point: *x, - poly: &self.h_poly, - blind: self.h_blind, - })) - .chain(Some(ProverQuery { - point: *x, - poly: &self.committed.random_poly, - blind: self.committed.random_blind, - })) - } -} diff --git a/halo2_proofs/src/plonk/vanishing/verifier.rs b/halo2_proofs/src/plonk/vanishing/verifier.rs deleted file mode 100644 index 0881dfb2c0..0000000000 --- a/halo2_proofs/src/plonk/vanishing/verifier.rs +++ /dev/null @@ -1,138 +0,0 @@ -use std::iter; - -use ff::Field; - -use crate::{ - arithmetic::CurveAffine, - plonk::{Error, VerifyingKey}, - poly::{ - commitment::{Params, MSM}, - VerifierQuery, - }, - transcript::{read_n_points, EncodedChallenge, TranscriptRead}, -}; - -use super::super::{ChallengeX, ChallengeY}; -use super::Argument; - -pub struct Committed { - random_poly_commitment: C, -} - -pub struct Constructed { - h_commitments: Vec, - random_poly_commitment: C, -} - -pub struct PartiallyEvaluated { - h_commitments: Vec, - random_poly_commitment: C, - random_eval: C::Scalar, -} - -pub struct Evaluated> { - h_commitment: M, - random_poly_commitment: C, - expected_h_eval: C::Scalar, - random_eval: C::Scalar, -} - -impl Argument { - pub(in crate::plonk) fn read_commitments_before_y< - E: EncodedChallenge, - T: TranscriptRead, - >( - transcript: &mut T, - ) -> Result, Error> { - let random_poly_commitment = transcript.read_point()?; - - Ok(Committed { - random_poly_commitment, - }) - } -} - -impl Committed { - pub(in crate::plonk) fn read_commitments_after_y< - E: EncodedChallenge, - T: TranscriptRead, - >( - self, - vk: &VerifyingKey, - transcript: &mut T, - ) -> Result, Error> { - // Obtain a commitment to h(X) in the form of multiple pieces of degree n - 1 - let h_commitments = read_n_points(transcript, vk.domain.get_quotient_poly_degree())?; - - Ok(Constructed { - h_commitments, - random_poly_commitment: self.random_poly_commitment, - }) - } -} - -impl Constructed { - pub(in crate::plonk) fn evaluate_after_x, T: TranscriptRead>( - self, - transcript: &mut T, - ) -> Result, Error> { - let random_eval = transcript.read_scalar()?; - - Ok(PartiallyEvaluated { - h_commitments: self.h_commitments, - random_poly_commitment: self.random_poly_commitment, - random_eval, - }) - } -} - -impl PartiallyEvaluated { - pub(in crate::plonk) fn verify<'params, P: Params<'params, C>>( - self, - params: &'params P, - expressions: impl Iterator, - y: ChallengeY, - xn: C::Scalar, - ) -> Evaluated { - let expected_h_eval = expressions.fold(C::Scalar::ZERO, |h_eval, v| h_eval * &*y + &v); - let expected_h_eval = expected_h_eval * ((xn - C::Scalar::ONE).invert().unwrap()); - - let h_commitment = - self.h_commitments - .iter() - .rev() - .fold(params.empty_msm(), |mut acc, commitment| { - acc.scale(xn); - let commitment: C::CurveExt = (*commitment).into(); - acc.append_term(C::Scalar::ONE, commitment); - - acc - }); - - Evaluated { - expected_h_eval, - h_commitment, - random_poly_commitment: self.random_poly_commitment, - random_eval: self.random_eval, - } - } -} - -impl> Evaluated { - pub(in crate::plonk) fn queries( - &self, - x: ChallengeX, - ) -> impl Iterator> + Clone { - iter::empty() - .chain(Some(VerifierQuery::new_msm( - &self.h_commitment, - *x, - self.expected_h_eval, - ))) - .chain(Some(VerifierQuery::new_commitment( - &self.random_poly_commitment, - *x, - self.random_eval, - ))) - } -} diff --git a/halo2_proofs/src/plonk/verifier.rs b/halo2_proofs/src/plonk/verifier.rs deleted file mode 100644 index 76675bcdfa..0000000000 --- a/halo2_proofs/src/plonk/verifier.rs +++ /dev/null @@ -1,440 +0,0 @@ -use ff::{Field, FromUniformBytes, WithSmallOrderMulGroup}; -use group::Curve; -use std::iter; - -use super::{ - vanishing, ChallengeBeta, ChallengeGamma, ChallengeTheta, ChallengeX, ChallengeY, Error, - VerifyingKey, -}; -use crate::arithmetic::compute_inner_product; -use crate::poly::commitment::{CommitmentScheme, Verifier}; -use crate::poly::VerificationStrategy; -use crate::poly::{ - commitment::{Blind, Params}, - VerifierQuery, -}; -use crate::transcript::{read_n_scalars, EncodedChallenge, TranscriptRead}; - -#[cfg(feature = "batch")] -mod batch; -#[cfg(feature = "batch")] -pub use batch::BatchVerifier; - -/// Returns a boolean indicating whether or not the proof is valid -pub fn verify_proof< - 'params, - Scheme: CommitmentScheme, - V: Verifier<'params, Scheme>, - E: EncodedChallenge, - T: TranscriptRead, - Strategy: VerificationStrategy<'params, Scheme, V>, ->( - params: &'params Scheme::ParamsVerifier, - vk: &VerifyingKey, - strategy: Strategy, - instances: &[&[&[Scheme::Scalar]]], - transcript: &mut T, -) -> Result -where - Scheme::Scalar: WithSmallOrderMulGroup<3> + FromUniformBytes<64>, -{ - // Check that instances matches the expected number of instance columns - for instances in instances.iter() { - if instances.len() != vk.cs.num_instance_columns { - return Err(Error::InvalidInstances); - } - } - - let instance_commitments = if V::QUERY_INSTANCE { - instances - .iter() - .map(|instance| { - instance - .iter() - .map(|instance| { - if instance.len() > params.n() as usize - (vk.cs.blinding_factors() + 1) { - return Err(Error::InstanceTooLarge); - } - let mut poly = instance.to_vec(); - poly.resize(params.n() as usize, Scheme::Scalar::ZERO); - let poly = vk.domain.lagrange_from_vec(poly); - - Ok(params.commit_lagrange(&poly, Blind::default()).to_affine()) - }) - .collect::, _>>() - }) - .collect::, _>>()? - } else { - vec![vec![]; instances.len()] - }; - - let num_proofs = instance_commitments.len(); - - // Hash verification key into transcript - vk.hash_into(transcript)?; - - if V::QUERY_INSTANCE { - for instance_commitments in instance_commitments.iter() { - // Hash the instance (external) commitments into the transcript - for commitment in instance_commitments { - transcript.common_point(*commitment)? - } - } - } else { - for instance in instances.iter() { - for instance in instance.iter() { - for value in instance.iter() { - transcript.common_scalar(*value)?; - } - } - } - } - - // Hash the prover's advice commitments into the transcript and squeeze challenges - let (advice_commitments, challenges) = { - let mut advice_commitments = - vec![vec![Scheme::Curve::default(); vk.cs.num_advice_columns]; num_proofs]; - let mut challenges = vec![Scheme::Scalar::ZERO; vk.cs.num_challenges]; - - for current_phase in vk.cs.phases() { - for advice_commitments in advice_commitments.iter_mut() { - for (phase, commitment) in vk - .cs - .advice_column_phase - .iter() - .zip(advice_commitments.iter_mut()) - { - if current_phase == *phase { - *commitment = transcript.read_point()?; - } - } - } - for (phase, challenge) in vk.cs.challenge_phase.iter().zip(challenges.iter_mut()) { - if current_phase == *phase { - *challenge = *transcript.squeeze_challenge_scalar::<()>(); - } - } - } - - (advice_commitments, challenges) - }; - - // Sample theta challenge for keeping lookup columns linearly independent - let theta: ChallengeTheta<_> = transcript.squeeze_challenge_scalar(); - - let lookups_permuted = (0..num_proofs) - .map(|_| -> Result, _> { - // Hash each lookup permuted commitment - vk.cs - .lookups - .iter() - .map(|argument| argument.read_permuted_commitments(transcript)) - .collect::, _>>() - }) - .collect::, _>>()?; - - // Sample beta challenge - let beta: ChallengeBeta<_> = transcript.squeeze_challenge_scalar(); - - // Sample gamma challenge - let gamma: ChallengeGamma<_> = transcript.squeeze_challenge_scalar(); - - let permutations_committed = (0..num_proofs) - .map(|_| { - // Hash each permutation product commitment - vk.cs.permutation.read_product_commitments(vk, transcript) - }) - .collect::, _>>()?; - - let lookups_committed = lookups_permuted - .into_iter() - .map(|lookups| { - // Hash each lookup product commitment - lookups - .into_iter() - .map(|lookup| lookup.read_product_commitment(transcript)) - .collect::, _>>() - }) - .collect::, _>>()?; - - let shuffles_committed = (0..num_proofs) - .map(|_| -> Result, _> { - // Hash each shuffle product commitment - vk.cs - .shuffles - .iter() - .map(|argument| argument.read_product_commitment(transcript)) - .collect::, _>>() - }) - .collect::, _>>()?; - - let vanishing = vanishing::Argument::read_commitments_before_y(transcript)?; - - // Sample y challenge, which keeps the gates linearly independent. - let y: ChallengeY<_> = transcript.squeeze_challenge_scalar(); - - let vanishing = vanishing.read_commitments_after_y(vk, transcript)?; - - // Sample x challenge, which is used to ensure the circuit is - // satisfied with high probability. - let x: ChallengeX<_> = transcript.squeeze_challenge_scalar(); - let instance_evals = if V::QUERY_INSTANCE { - (0..num_proofs) - .map(|_| -> Result, _> { - read_n_scalars(transcript, vk.cs.instance_queries.len()) - }) - .collect::, _>>()? - } else { - let xn = x.pow([params.n()]); - let (min_rotation, max_rotation) = - vk.cs - .instance_queries - .iter() - .fold((0, 0), |(min, max), (_, rotation)| { - if rotation.0 < min { - (rotation.0, max) - } else if rotation.0 > max { - (min, rotation.0) - } else { - (min, max) - } - }); - let max_instance_len = instances - .iter() - .flat_map(|instance| instance.iter().map(|instance| instance.len())) - .max_by(Ord::cmp) - .unwrap_or_default(); - let l_i_s = &vk.domain.l_i_range( - *x, - xn, - -max_rotation..max_instance_len as i32 + min_rotation.abs(), - ); - instances - .iter() - .map(|instances| { - vk.cs - .instance_queries - .iter() - .map(|(column, rotation)| { - let instances = instances[column.index()]; - let offset = (max_rotation - rotation.0) as usize; - compute_inner_product(instances, &l_i_s[offset..offset + instances.len()]) - }) - .collect::>() - }) - .collect::>() - }; - - let advice_evals = (0..num_proofs) - .map(|_| -> Result, _> { read_n_scalars(transcript, vk.cs.advice_queries.len()) }) - .collect::, _>>()?; - - let fixed_evals = read_n_scalars(transcript, vk.cs.fixed_queries.len())?; - - let vanishing = vanishing.evaluate_after_x(transcript)?; - - let permutations_common = vk.permutation.evaluate(transcript)?; - - let permutations_evaluated = permutations_committed - .into_iter() - .map(|permutation| permutation.evaluate(transcript)) - .collect::, _>>()?; - - let lookups_evaluated = lookups_committed - .into_iter() - .map(|lookups| -> Result, _> { - lookups - .into_iter() - .map(|lookup| lookup.evaluate(transcript)) - .collect::, _>>() - }) - .collect::, _>>()?; - - let shuffles_evaluated = shuffles_committed - .into_iter() - .map(|shuffles| -> Result, _> { - shuffles - .into_iter() - .map(|shuffle| shuffle.evaluate(transcript)) - .collect::, _>>() - }) - .collect::, _>>()?; - - // This check ensures the circuit is satisfied so long as the polynomial - // commitments open to the correct values. - let vanishing = { - // x^n - let xn = x.pow([params.n()]); - - let blinding_factors = vk.cs.blinding_factors(); - let l_evals = vk - .domain - .l_i_range(*x, xn, (-((blinding_factors + 1) as i32))..=0); - assert_eq!(l_evals.len(), 2 + blinding_factors); - let l_last = l_evals[0]; - let l_blind: Scheme::Scalar = l_evals[1..(1 + blinding_factors)] - .iter() - .fold(Scheme::Scalar::ZERO, |acc, eval| acc + eval); - let l_0 = l_evals[1 + blinding_factors]; - - // Compute the expected value of h(x) - let expressions = advice_evals - .iter() - .zip(instance_evals.iter()) - .zip(permutations_evaluated.iter()) - .zip(lookups_evaluated.iter()) - .zip(shuffles_evaluated.iter()) - .flat_map( - |((((advice_evals, instance_evals), permutation), lookups), shuffles)| { - let challenges = &challenges; - let fixed_evals = &fixed_evals; - std::iter::empty() - // Evaluate the circuit using the custom gates provided - .chain(vk.cs.gates.iter().flat_map(move |gate| { - gate.polynomials().iter().map(move |poly| { - poly.evaluate( - &|scalar| scalar, - &|_| { - panic!("virtual selectors are removed during optimization") - }, - &|query| fixed_evals[query.index.unwrap()], - &|query| advice_evals[query.index.unwrap()], - &|query| instance_evals[query.index.unwrap()], - &|challenge| challenges[challenge.index()], - &|a| -a, - &|a, b| a + &b, - &|a, b| a * &b, - &|a, scalar| a * &scalar, - ) - }) - })) - .chain(permutation.expressions( - vk, - &vk.cs.permutation, - &permutations_common, - advice_evals, - fixed_evals, - instance_evals, - l_0, - l_last, - l_blind, - beta, - gamma, - x, - )) - .chain(lookups.iter().zip(vk.cs.lookups.iter()).flat_map( - move |(p, argument)| { - p.expressions( - l_0, - l_last, - l_blind, - argument, - theta, - beta, - gamma, - advice_evals, - fixed_evals, - instance_evals, - challenges, - ) - }, - )) - .chain(shuffles.iter().zip(vk.cs.shuffles.iter()).flat_map( - move |(p, argument)| { - p.expressions( - l_0, - l_last, - l_blind, - argument, - theta, - gamma, - advice_evals, - fixed_evals, - instance_evals, - challenges, - ) - }, - )) - }, - ); - - vanishing.verify(params, expressions, y, xn) - }; - - let queries = instance_commitments - .iter() - .zip(instance_evals.iter()) - .zip(advice_commitments.iter()) - .zip(advice_evals.iter()) - .zip(permutations_evaluated.iter()) - .zip(lookups_evaluated.iter()) - .zip(shuffles_evaluated.iter()) - .flat_map( - |( - ( - ( - ( - ((instance_commitments, instance_evals), advice_commitments), - advice_evals, - ), - permutation, - ), - lookups, - ), - shuffles, - )| { - iter::empty() - .chain( - V::QUERY_INSTANCE - .then_some(vk.cs.instance_queries.iter().enumerate().map( - move |(query_index, &(column, at))| { - VerifierQuery::new_commitment( - &instance_commitments[column.index()], - vk.domain.rotate_omega(*x, at), - instance_evals[query_index], - ) - }, - )) - .into_iter() - .flatten(), - ) - .chain(vk.cs.advice_queries.iter().enumerate().map( - move |(query_index, &(column, at))| { - VerifierQuery::new_commitment( - &advice_commitments[column.index()], - vk.domain.rotate_omega(*x, at), - advice_evals[query_index], - ) - }, - )) - .chain(permutation.queries(vk, x)) - .chain(lookups.iter().flat_map(move |p| p.queries(vk, x))) - .chain(shuffles.iter().flat_map(move |p| p.queries(vk, x))) - }, - ) - .chain( - vk.cs - .fixed_queries - .iter() - .enumerate() - .map(|(query_index, &(column, at))| { - VerifierQuery::new_commitment( - &vk.fixed_commitments[column.index()], - vk.domain.rotate_omega(*x, at), - fixed_evals[query_index], - ) - }), - ) - .chain(permutations_common.queries(&vk.permutation, x)) - .chain(vanishing.queries(x)); - - // We are now convinced the circuit is satisfied so long as the - // polynomial commitments open to the correct values. - - let verifier = V::new(params); - strategy.process(|msm| { - verifier - .verify_proof(transcript, queries, msm) - .map_err(|_| Error::Opening) - }) -} diff --git a/halo2_proofs/src/plonk/verifier/batch.rs b/halo2_proofs/src/plonk/verifier/batch.rs deleted file mode 100644 index ba3e2419e6..0000000000 --- a/halo2_proofs/src/plonk/verifier/batch.rs +++ /dev/null @@ -1,135 +0,0 @@ -use ff::FromUniformBytes; -use group::ff::Field; -use halo2curves::CurveAffine; -use rand_core::OsRng; - -use super::{verify_proof, VerificationStrategy}; -use crate::{ - multicore::{ - IndexedParallelIterator, IntoParallelIterator, ParallelIterator, TryFoldAndReduce, - }, - plonk::{Error, VerifyingKey}, - poly::{ - commitment::{Params, MSM}, - ipa::{ - commitment::{IPACommitmentScheme, ParamsVerifierIPA}, - msm::MSMIPA, - multiopen::VerifierIPA, - strategy::GuardIPA, - }, - }, - transcript::{Blake2bRead, TranscriptReadBuffer}, -}; - -/// A proof verification strategy that returns the proof's MSM. -/// -/// `BatchVerifier` handles the accumulation of the MSMs for the batched proofs. -#[derive(Debug)] -struct BatchStrategy<'params, C: CurveAffine> { - msm: MSMIPA<'params, C>, -} - -impl<'params, C: CurveAffine> - VerificationStrategy<'params, IPACommitmentScheme, VerifierIPA<'params, C>> - for BatchStrategy<'params, C> -{ - type Output = MSMIPA<'params, C>; - - fn new(params: &'params ParamsVerifierIPA) -> Self { - BatchStrategy { - msm: MSMIPA::new(params), - } - } - - fn process( - self, - f: impl FnOnce(MSMIPA<'params, C>) -> Result, Error>, - ) -> Result { - let guard = f(self.msm)?; - Ok(guard.use_challenges()) - } - - fn finalize(self) -> bool { - unreachable!() - } -} - -#[derive(Debug)] -struct BatchItem { - instances: Vec>>, - proof: Vec, -} - -/// A verifier that checks multiple proofs in a batch. **This requires the -/// `batch` crate feature to be enabled.** -#[derive(Debug, Default)] -pub struct BatchVerifier { - items: Vec>, -} - -impl BatchVerifier -where - C::Scalar: FromUniformBytes<64>, -{ - /// Constructs a new batch verifier. - pub fn new() -> Self { - Self { items: vec![] } - } - - /// Adds a proof to the batch. - pub fn add_proof(&mut self, instances: Vec>>, proof: Vec) { - self.items.push(BatchItem { instances, proof }) - } - - /// Finalizes the batch and checks its validity. - /// - /// Returns `false` if *some* proof was invalid. If the caller needs to identify - /// specific failing proofs, it must re-process the proofs separately. - /// - /// This uses [`OsRng`] internally instead of taking an `R: RngCore` argument, because - /// the internal parallelization requires access to a RNG that is guaranteed to not - /// clone its internal state when shared between threads. - pub fn finalize(self, params: &ParamsVerifierIPA, vk: &VerifyingKey) -> bool { - fn accumulate_msm<'params, C: CurveAffine>( - mut acc: MSMIPA<'params, C>, - msm: MSMIPA<'params, C>, - ) -> MSMIPA<'params, C> { - // Scale the MSM by a random factor to ensure that if the existing MSM has - // `is_zero() == false` then this argument won't be able to interfere with it - // to make it true, with high probability. - acc.scale(C::Scalar::random(OsRng)); - - acc.add_msm(&msm); - acc - } - - let final_msm = self - .items - .into_par_iter() - .enumerate() - .map(|(i, item)| { - let instances: Vec> = item - .instances - .iter() - .map(|i| i.iter().map(|c| &c[..]).collect()) - .collect(); - let instances: Vec<_> = instances.iter().map(|i| &i[..]).collect(); - - let strategy = BatchStrategy::new(params); - let mut transcript = Blake2bRead::init(&item.proof[..]); - verify_proof(params, vk, strategy, &instances, &mut transcript).map_err(|e| { - tracing::debug!("Batch item {} failed verification: {}", i, e); - e - }) - }) - .try_fold_and_reduce( - || params.empty_msm(), - |acc, res| res.map(|proof_msm| accumulate_msm(acc, proof_msm)), - ); - - match final_msm { - Ok(msm) => msm.check(), - Err(_) => false, - } - } -} diff --git a/halo2_proofs/src/poly/commitment.rs b/halo2_proofs/src/poly/commitment.rs deleted file mode 100644 index ebc26fe9c3..0000000000 --- a/halo2_proofs/src/poly/commitment.rs +++ /dev/null @@ -1,245 +0,0 @@ -use super::{ - query::{ProverQuery, VerifierQuery}, - strategy::Guard, - Coeff, LagrangeCoeff, Polynomial, -}; -use crate::poly::Error; -use crate::transcript::{EncodedChallenge, TranscriptRead, TranscriptWrite}; -use ff::Field; -use halo2curves::CurveAffine; -use rand_core::RngCore; -use std::{ - fmt::Debug, - io::{self}, - ops::{Add, AddAssign, Mul, MulAssign}, -}; - -/// Defines components of a commitment scheme. -pub trait CommitmentScheme { - /// Application field of this commitment scheme - type Scalar: Field; - - /// Elliptic curve used to commit the application and witnesses - type Curve: CurveAffine; - - /// Constant prover parameters - type ParamsProver: for<'params> ParamsProver< - 'params, - Self::Curve, - ParamsVerifier = Self::ParamsVerifier, - >; - - /// Constant verifier parameters - type ParamsVerifier: for<'params> ParamsVerifier<'params, Self::Curve>; - - /// Wrapper for parameter generator - fn new_params(k: u32) -> Self::ParamsProver; - - /// Wrapper for parameter reader - fn read_params(reader: &mut R) -> io::Result; -} - -/// Parameters for circuit sysnthesis and prover parameters. -pub trait Params<'params, C: CurveAffine>: Sized + Clone { - /// Multi scalar multiplication engine - type MSM: MSM + 'params; - - /// Logaritmic size of the circuit - fn k(&self) -> u32; - - /// Size of the circuit - fn n(&self) -> u64; - - /// Downsize `Params` with smaller `k`. - fn downsize(&mut self, k: u32); - - /// Generates an empty multiscalar multiplication struct using the - /// appropriate params. - fn empty_msm(&'params self) -> Self::MSM; - - /// This commits to a polynomial using its evaluations over the $2^k$ size - /// evaluation domain. The commitment will be blinded by the blinding factor - /// `r`. - fn commit_lagrange( - &self, - poly: &Polynomial, - r: Blind, - ) -> C::CurveExt; - - /// Writes params to a buffer. - fn write(&self, writer: &mut W) -> io::Result<()>; - - /// Reads params from a buffer. - fn read(reader: &mut R) -> io::Result; -} - -/// Parameters for circuit sysnthesis and prover parameters. -pub trait ParamsProver<'params, C: CurveAffine>: Params<'params, C> { - /// Constant verifier parameters. - type ParamsVerifier: ParamsVerifier<'params, C>; - - /// Returns new instance of parameters - fn new(k: u32) -> Self; - - /// This computes a commitment to a polynomial described by the provided - /// slice of coefficients. The commitment may be blinded by the blinding - /// factor `r`. - fn commit(&self, poly: &Polynomial, r: Blind) - -> C::CurveExt; - - /// Getter for g generators - fn get_g(&self) -> &[C]; - - /// Returns verification parameters. - fn verifier_params(&'params self) -> &'params Self::ParamsVerifier; -} - -/// Verifier specific functionality with circuit constraints -pub trait ParamsVerifier<'params, C: CurveAffine>: Params<'params, C> {} - -/// Multi scalar multiplication engine -pub trait MSM: Clone + Debug + Send + Sync { - /// Add arbitrary term (the scalar and the point) - fn append_term(&mut self, scalar: C::Scalar, point: C::CurveExt); - - /// Add another multiexp into this one - fn add_msm(&mut self, other: &Self) - where - Self: Sized; - - /// Scale all scalars in the MSM by some scaling factor - fn scale(&mut self, factor: C::Scalar); - - /// Perform multiexp and check that it results in zero - fn check(&self) -> bool; - - /// Perform multiexp and return the result - fn eval(&self) -> C::CurveExt; - - /// Return base points - fn bases(&self) -> Vec; - - /// Scalars - fn scalars(&self) -> Vec; -} - -/// Common multi-open prover interface for various commitment schemes -pub trait Prover<'params, Scheme: CommitmentScheme> { - /// Query instance or not - const QUERY_INSTANCE: bool; - - /// Creates new prover instance - fn new(params: &'params Scheme::ParamsProver) -> Self; - - /// Create a multi-opening proof - fn create_proof< - 'com, - E: EncodedChallenge, - T: TranscriptWrite, - R, - I, - >( - &self, - rng: R, - transcript: &mut T, - queries: I, - ) -> io::Result<()> - where - I: IntoIterator> + Clone, - R: RngCore; -} - -/// Common multi-open verifier interface for various commitment schemes -pub trait Verifier<'params, Scheme: CommitmentScheme> { - /// Unfinalized verification result. This is returned in verification - /// to allow developer to compress or combined verification results - type Guard: Guard; - - /// Accumulator fot comressed verification - type MSMAccumulator; - - /// Query instance or not - const QUERY_INSTANCE: bool; - - /// Creates new verifier instance - fn new(params: &'params Scheme::ParamsVerifier) -> Self; - - /// Process the proof and returns unfinished result named `Guard` - fn verify_proof< - 'com, - E: EncodedChallenge, - T: TranscriptRead, - I, - >( - &self, - transcript: &mut T, - queries: I, - msm: Self::MSMAccumulator, - ) -> Result - where - 'params: 'com, - I: IntoIterator< - Item = VerifierQuery< - 'com, - Scheme::Curve, - >::MSM, - >, - > + Clone; -} - -/// Wrapper type around a blinding factor. -#[derive(Copy, Clone, Eq, PartialEq, Debug)] -pub struct Blind(pub F); - -impl Default for Blind { - fn default() -> Self { - Blind(F::ONE) - } -} - -impl Blind { - /// Given `rng` creates new blinding scalar - pub fn new(rng: &mut R) -> Self { - Blind(F::random(rng)) - } -} - -impl Add for Blind { - type Output = Self; - - fn add(self, rhs: Blind) -> Self { - Blind(self.0 + rhs.0) - } -} - -impl Mul for Blind { - type Output = Self; - - fn mul(self, rhs: Blind) -> Self { - Blind(self.0 * rhs.0) - } -} - -impl AddAssign for Blind { - fn add_assign(&mut self, rhs: Blind) { - self.0 += rhs.0; - } -} - -impl MulAssign for Blind { - fn mul_assign(&mut self, rhs: Blind) { - self.0 *= rhs.0; - } -} - -impl AddAssign for Blind { - fn add_assign(&mut self, rhs: F) { - self.0 += rhs; - } -} - -impl MulAssign for Blind { - fn mul_assign(&mut self, rhs: F) { - self.0 *= rhs; - } -} diff --git a/halo2_proofs/src/poly/ipa/commitment.rs b/halo2_proofs/src/poly/ipa/commitment.rs deleted file mode 100644 index 7be053c49c..0000000000 --- a/halo2_proofs/src/poly/ipa/commitment.rs +++ /dev/null @@ -1,370 +0,0 @@ -//! This module contains an implementation of the polynomial commitment scheme -//! described in the [Halo][halo] paper. -//! -//! [halo]: https://eprint.iacr.org/2019/1021 - -use crate::arithmetic::{best_multiexp, g_to_lagrange, parallelize, CurveAffine, CurveExt}; -use crate::helpers::CurveRead; -use crate::poly::commitment::{Blind, CommitmentScheme, Params, ParamsProver, ParamsVerifier}; -use crate::poly::ipa::msm::MSMIPA; -use crate::poly::{Coeff, LagrangeCoeff, Polynomial}; - -use group::{Curve, Group}; -use std::marker::PhantomData; - -mod prover; -mod verifier; - -pub use prover::create_proof; -pub use verifier::verify_proof; - -use std::io; - -/// Public parameters for IPA commitment scheme -#[derive(Debug, Clone)] -pub struct ParamsIPA { - pub(crate) k: u32, - pub(crate) n: u64, - pub(crate) g: Vec, - pub(crate) g_lagrange: Vec, - pub(crate) w: C, - pub(crate) u: C, -} - -/// Concrete IPA commitment scheme -#[derive(Debug)] -pub struct IPACommitmentScheme { - _marker: PhantomData, -} - -impl CommitmentScheme for IPACommitmentScheme { - type Scalar = C::ScalarExt; - type Curve = C; - - type ParamsProver = ParamsIPA; - type ParamsVerifier = ParamsVerifierIPA; - - fn new_params(k: u32) -> Self::ParamsProver { - ParamsIPA::new(k) - } - - fn read_params(reader: &mut R) -> io::Result { - ParamsIPA::read(reader) - } -} - -/// Verifier parameters -pub type ParamsVerifierIPA = ParamsIPA; - -impl<'params, C: CurveAffine> ParamsVerifier<'params, C> for ParamsIPA {} - -impl<'params, C: CurveAffine> Params<'params, C> for ParamsIPA { - type MSM = MSMIPA<'params, C>; - - fn k(&self) -> u32 { - self.k - } - - fn n(&self) -> u64 { - self.n - } - - fn downsize(&mut self, k: u32) { - assert!(k <= self.k); - - self.k = k; - self.n = 1 << k; - self.g.truncate(self.n as usize); - self.g_lagrange = g_to_lagrange(self.g.iter().map(|g| g.to_curve()).collect(), k); - } - - fn empty_msm(&'params self) -> MSMIPA { - MSMIPA::new(self) - } - - /// This commits to a polynomial using its evaluations over the $2^k$ size - /// evaluation domain. The commitment will be blinded by the blinding factor - /// `r`. - fn commit_lagrange( - &self, - poly: &Polynomial, - r: Blind, - ) -> C::Curve { - let mut tmp_scalars = Vec::with_capacity(poly.len() + 1); - let mut tmp_bases = Vec::with_capacity(poly.len() + 1); - - tmp_scalars.extend(poly.iter()); - tmp_scalars.push(r.0); - - tmp_bases.extend(self.g_lagrange.iter()); - tmp_bases.push(self.w); - - best_multiexp::(&tmp_scalars, &tmp_bases) - } - - /// Writes params to a buffer. - fn write(&self, writer: &mut W) -> io::Result<()> { - writer.write_all(&self.k.to_le_bytes())?; - for g_element in &self.g { - writer.write_all(g_element.to_bytes().as_ref())?; - } - for g_lagrange_element in &self.g_lagrange { - writer.write_all(g_lagrange_element.to_bytes().as_ref())?; - } - writer.write_all(self.w.to_bytes().as_ref())?; - writer.write_all(self.u.to_bytes().as_ref())?; - - Ok(()) - } - - /// Reads params from a buffer. - fn read(reader: &mut R) -> io::Result { - let mut k = [0u8; 4]; - reader.read_exact(&mut k[..])?; - let k = u32::from_le_bytes(k); - - let n: u64 = 1 << k; - - let g: Vec<_> = (0..n).map(|_| C::read(reader)).collect::>()?; - let g_lagrange: Vec<_> = (0..n).map(|_| C::read(reader)).collect::>()?; - - let w = C::read(reader)?; - let u = C::read(reader)?; - - Ok(Self { - k, - n, - g, - g_lagrange, - w, - u, - }) - } -} - -impl<'params, C: CurveAffine> ParamsProver<'params, C> for ParamsIPA { - type ParamsVerifier = ParamsVerifierIPA; - - fn verifier_params(&'params self) -> &'params Self::ParamsVerifier { - self - } - - /// Initializes parameters for the curve, given a random oracle to draw - /// points from. - fn new(k: u32) -> Self { - // This is usually a limitation on the curve, but we also want 32-bit - // architectures to be supported. - assert!(k < 32); - - // In src/arithmetic/fields.rs we ensure that usize is at least 32 bits. - - let n: u64 = 1 << k; - - let g_projective = { - let mut g = Vec::with_capacity(n as usize); - g.resize(n as usize, C::Curve::identity()); - - parallelize(&mut g, move |g, start| { - let hasher = C::CurveExt::hash_to_curve("Halo2-Parameters"); - - for (i, g) in g.iter_mut().enumerate() { - let i = (i + start) as u32; - - let mut message = [0u8; 5]; - message[1..5].copy_from_slice(&i.to_le_bytes()); - - *g = hasher(&message); - } - }); - - g - }; - - let g = { - let mut g = vec![C::identity(); n as usize]; - parallelize(&mut g, |g, starts| { - C::Curve::batch_normalize(&g_projective[starts..(starts + g.len())], g); - }); - g - }; - - // Let's evaluate all of the Lagrange basis polynomials - // using an inverse FFT. - let g_lagrange = g_to_lagrange(g_projective, k); - - let hasher = C::CurveExt::hash_to_curve("Halo2-Parameters"); - let w = hasher(&[1]).to_affine(); - let u = hasher(&[2]).to_affine(); - - ParamsIPA { - k, - n, - g, - g_lagrange, - w, - u, - } - } - - /// This computes a commitment to a polynomial described by the provided - /// slice of coefficients. The commitment will be blinded by the blinding - /// factor `r`. - fn commit(&self, poly: &Polynomial, r: Blind) -> C::Curve { - let mut tmp_scalars = Vec::with_capacity(poly.len() + 1); - let mut tmp_bases = Vec::with_capacity(poly.len() + 1); - - tmp_scalars.extend(poly.iter()); - tmp_scalars.push(r.0); - - tmp_bases.extend(self.g.iter()); - tmp_bases.push(self.w); - - best_multiexp::(&tmp_scalars, &tmp_bases) - } - - fn get_g(&self) -> &[C] { - &self.g - } -} - -#[cfg(test)] -mod test { - use crate::poly::commitment::ParamsProver; - use crate::poly::commitment::{Blind, Params, MSM}; - use crate::poly::ipa::commitment::{create_proof, verify_proof, ParamsIPA}; - use crate::poly::ipa::msm::MSMIPA; - - use ff::Field; - use group::Curve; - - #[test] - fn test_commit_lagrange_epaffine() { - const K: u32 = 6; - - use rand_core::OsRng; - - use crate::poly::EvaluationDomain; - use halo2curves::pasta::{EpAffine, Fq}; - - let params = ParamsIPA::::new(K); - let domain = EvaluationDomain::new(1, K); - - let mut a = domain.empty_lagrange(); - - for (i, a) in a.iter_mut().enumerate() { - *a = Fq::from(i as u64); - } - - let b = domain.lagrange_to_coeff(a.clone()); - - let alpha = Blind(Fq::random(OsRng)); - - assert_eq!(params.commit(&b, alpha), params.commit_lagrange(&a, alpha)); - } - - #[test] - fn test_commit_lagrange_eqaffine() { - const K: u32 = 6; - - use rand_core::OsRng; - - use crate::poly::EvaluationDomain; - use halo2curves::pasta::{EqAffine, Fp}; - - let params: ParamsIPA = ParamsIPA::::new(K); - let domain = EvaluationDomain::new(1, K); - - let mut a = domain.empty_lagrange(); - - for (i, a) in a.iter_mut().enumerate() { - *a = Fp::from(i as u64); - } - - let b = domain.lagrange_to_coeff(a.clone()); - - let alpha = Blind(Fp::random(OsRng)); - - assert_eq!(params.commit(&b, alpha), params.commit_lagrange(&a, alpha)); - } - - #[test] - fn test_opening_proof() { - const K: u32 = 6; - - use ff::Field; - use rand_core::OsRng; - - use super::super::commitment::{Blind, Params}; - use crate::arithmetic::eval_polynomial; - use crate::halo2curves::pasta::{EpAffine, Fq}; - use crate::poly::EvaluationDomain; - use crate::transcript::{ - Blake2bRead, Blake2bWrite, Challenge255, Transcript, TranscriptRead, TranscriptWrite, - }; - - use crate::transcript::TranscriptReadBuffer; - use crate::transcript::TranscriptWriterBuffer; - - let rng = OsRng; - - let params = ParamsIPA::::new(K); - let mut params_buffer = vec![]; - as Params<_>>::write(¶ms, &mut params_buffer).unwrap(); - let params: ParamsIPA = Params::read::<_>(&mut ¶ms_buffer[..]).unwrap(); - - let domain = EvaluationDomain::new(1, K); - - let mut px = domain.empty_coeff(); - - for (i, a) in px.iter_mut().enumerate() { - *a = Fq::from(i as u64); - } - - let blind = Blind(Fq::random(rng)); - - let p = params.commit(&px, blind).to_affine(); - - let mut transcript = - Blake2bWrite::, EpAffine, Challenge255>::init(vec![]); - transcript.write_point(p).unwrap(); - let x = transcript.squeeze_challenge_scalar::<()>(); - // Evaluate the polynomial - let v = eval_polynomial(&px, *x); - transcript.write_scalar(v).unwrap(); - - let (proof, ch_prover) = { - create_proof(¶ms, rng, &mut transcript, &px, blind, *x).unwrap(); - let ch_prover = transcript.squeeze_challenge(); - (transcript.finalize(), ch_prover) - }; - - // Verify the opening proof - let mut transcript = - Blake2bRead::<&[u8], EpAffine, Challenge255>::init(&proof[..]); - let p_prime = transcript.read_point().unwrap(); - assert_eq!(p, p_prime); - let x_prime = transcript.squeeze_challenge_scalar::<()>(); - assert_eq!(*x, *x_prime); - let v_prime = transcript.read_scalar().unwrap(); - assert_eq!(v, v_prime); - - let mut commitment_msm = MSMIPA::new(¶ms); - commitment_msm.append_term(Fq::one(), p.into()); - - let guard = verify_proof(¶ms, commitment_msm, &mut transcript, *x, v).unwrap(); - let ch_verifier = transcript.squeeze_challenge(); - assert_eq!(*ch_prover, *ch_verifier); - - // Test guard behavior prior to checking another proof - { - // Test use_challenges() - let msm_challenges = guard.clone().use_challenges(); - assert!(msm_challenges.check()); - - // Test use_g() - let g = guard.compute_g(); - let (msm_g, _accumulator) = guard.clone().use_g(g); - assert!(msm_g.check()); - } - } -} diff --git a/halo2_proofs/src/poly/ipa/commitment/prover.rs b/halo2_proofs/src/poly/ipa/commitment/prover.rs deleted file mode 100644 index 344dbc0e65..0000000000 --- a/halo2_proofs/src/poly/ipa/commitment/prover.rs +++ /dev/null @@ -1,167 +0,0 @@ -use ff::Field; -use rand_core::RngCore; - -use super::ParamsIPA; -use crate::arithmetic::{ - best_multiexp, compute_inner_product, eval_polynomial, parallelize, CurveAffine, -}; - -use crate::poly::commitment::ParamsProver; -use crate::poly::{commitment::Blind, Coeff, Polynomial}; -use crate::transcript::{EncodedChallenge, TranscriptWrite}; - -use group::Curve; -use std::io::{self}; - -/// Create a polynomial commitment opening proof for the polynomial defined -/// by the coefficients `px`, the blinding factor `blind` used for the -/// polynomial commitment, and the point `x` that the polynomial is -/// evaluated at. -/// -/// This function will panic if the provided polynomial is too large with -/// respect to the polynomial commitment parameters. -/// -/// **Important:** This function assumes that the provided `transcript` has -/// already seen the common inputs: the polynomial commitment P, the claimed -/// opening v, and the point x. It's probably also nice for the transcript -/// to have seen the elliptic curve description and the URS, if you want to -/// be rigorous. -pub fn create_proof< - C: CurveAffine, - E: EncodedChallenge, - R: RngCore, - T: TranscriptWrite, ->( - params: &ParamsIPA, - mut rng: R, - transcript: &mut T, - p_poly: &Polynomial, - p_blind: Blind, - x_3: C::Scalar, -) -> io::Result<()> { - // We're limited to polynomials of degree n - 1. - assert_eq!(p_poly.len(), params.n as usize); - - // Sample a random polynomial (of same degree) that has a root at x_3, first - // by setting all coefficients to random values. - let mut s_poly = (*p_poly).clone(); - for coeff in s_poly.iter_mut() { - *coeff = C::Scalar::random(&mut rng); - } - // Evaluate the random polynomial at x_3 - let s_at_x3 = eval_polynomial(&s_poly[..], x_3); - // Subtract constant coefficient to get a random polynomial with a root at x_3 - s_poly[0] -= &s_at_x3; - // And sample a random blind - let s_poly_blind = Blind(C::Scalar::random(&mut rng)); - - // Write a commitment to the random polynomial to the transcript - let s_poly_commitment = params.commit(&s_poly, s_poly_blind).to_affine(); - transcript.write_point(s_poly_commitment)?; - - // Challenge that will ensure that the prover cannot change P but can only - // witness a random polynomial commitment that agrees with P at x_3, with high - // probability. - let xi = *transcript.squeeze_challenge_scalar::<()>(); - - // Challenge that ensures that the prover did not interfere with the U term - // in their commitments. - let z = *transcript.squeeze_challenge_scalar::<()>(); - - // We'll be opening `P' = P - [v] G_0 + [ξ] S` to ensure it has a root at - // zero. - let mut p_prime_poly = s_poly * xi + p_poly; - let v = eval_polynomial(&p_prime_poly, x_3); - p_prime_poly[0] -= &v; - let p_prime_blind = s_poly_blind * Blind(xi) + p_blind; - - // This accumulates the synthetic blinding factor `f` starting - // with the blinding factor for `P'`. - let mut f = p_prime_blind.0; - - // Initialize the vector `p_prime` as the coefficients of the polynomial. - let mut p_prime = p_prime_poly.values; - assert_eq!(p_prime.len(), params.n as usize); - - // Initialize the vector `b` as the powers of `x_3`. The inner product of - // `p_prime` and `b` is the evaluation of the polynomial at `x_3`. - let mut b = Vec::with_capacity(1 << params.k); - { - let mut cur = C::Scalar::ONE; - for _ in 0..(1 << params.k) { - b.push(cur); - cur *= &x_3; - } - } - - // Initialize the vector `G'` from the URS. We'll be progressively collapsing - // this vector into smaller and smaller vectors until it is of length 1. - let mut g_prime = params.g.clone(); - - // Perform the inner product argument, round by round. - for j in 0..params.k { - let half = 1 << (params.k - j - 1); // half the length of `p_prime`, `b`, `G'` - - // Compute L, R - // - // TODO: If we modify multiexp to take "extra" bases, we could speed - // this piece up a bit by combining the multiexps. - let l_j = best_multiexp(&p_prime[half..], &g_prime[0..half]); - let r_j = best_multiexp(&p_prime[0..half], &g_prime[half..]); - let value_l_j = compute_inner_product(&p_prime[half..], &b[0..half]); - let value_r_j = compute_inner_product(&p_prime[0..half], &b[half..]); - let l_j_randomness = C::Scalar::random(&mut rng); - let r_j_randomness = C::Scalar::random(&mut rng); - let l_j = l_j + &best_multiexp(&[value_l_j * &z, l_j_randomness], &[params.u, params.w]); - let r_j = r_j + &best_multiexp(&[value_r_j * &z, r_j_randomness], &[params.u, params.w]); - let l_j = l_j.to_affine(); - let r_j = r_j.to_affine(); - - // Feed L and R into the real transcript - transcript.write_point(l_j)?; - transcript.write_point(r_j)?; - - let u_j = *transcript.squeeze_challenge_scalar::<()>(); - let u_j_inv = u_j.invert().unwrap(); // TODO, bubble this up - - // Collapse `p_prime` and `b`. - // TODO: parallelize - for i in 0..half { - p_prime[i] = p_prime[i] + &(p_prime[i + half] * &u_j_inv); - b[i] = b[i] + &(b[i + half] * &u_j); - } - p_prime.truncate(half); - b.truncate(half); - - // Collapse `G'` - parallel_generator_collapse(&mut g_prime, u_j); - g_prime.truncate(half); - - // Update randomness (the synthetic blinding factor at the end) - f += &(l_j_randomness * &u_j_inv); - f += &(r_j_randomness * &u_j); - } - - // We have fully collapsed `p_prime`, `b`, `G'` - assert_eq!(p_prime.len(), 1); - let c = p_prime[0]; - - transcript.write_scalar(c)?; - transcript.write_scalar(f)?; - - Ok(()) -} - -fn parallel_generator_collapse(g: &mut [C], challenge: C::Scalar) { - let len = g.len() / 2; - let (g_lo, g_hi) = g.split_at_mut(len); - - parallelize(g_lo, |g_lo, start| { - let g_hi = &g_hi[start..]; - let mut tmp = Vec::with_capacity(g_lo.len()); - for (g_lo, g_hi) in g_lo.iter().zip(g_hi.iter()) { - tmp.push(g_lo.to_curve() + &(*g_hi * challenge)); - } - C::Curve::batch_normalize(&tmp, g_lo); - }); -} diff --git a/halo2_proofs/src/poly/ipa/commitment/verifier.rs b/halo2_proofs/src/poly/ipa/commitment/verifier.rs deleted file mode 100644 index cf258625d5..0000000000 --- a/halo2_proofs/src/poly/ipa/commitment/verifier.rs +++ /dev/null @@ -1,100 +0,0 @@ -use group::ff::{BatchInvert, Field}; - -use super::ParamsIPA; -use crate::{arithmetic::CurveAffine, poly::ipa::strategy::GuardIPA}; -use crate::{ - poly::{commitment::MSM, ipa::msm::MSMIPA, Error}, - transcript::{EncodedChallenge, TranscriptRead}, -}; - -/// Checks to see if the proof represented within `transcript` is valid, and a -/// point `x` that the polynomial commitment `P` opens purportedly to the value -/// `v`. The provided `msm` should evaluate to the commitment `P` being opened. -pub fn verify_proof<'params, C: CurveAffine, E: EncodedChallenge, T: TranscriptRead>( - params: &'params ParamsIPA, - mut msm: MSMIPA<'params, C>, - transcript: &mut T, - x: C::Scalar, - v: C::Scalar, -) -> Result, Error> { - let k = params.k as usize; - - // P' = P - [v] G_0 + [ξ] S - msm.add_constant_term(-v); // add [-v] G_0 - let s_poly_commitment = transcript.read_point().map_err(|_| Error::OpeningError)?; - let xi = *transcript.squeeze_challenge_scalar::<()>(); - msm.append_term(xi, s_poly_commitment.into()); - - let z = *transcript.squeeze_challenge_scalar::<()>(); - - let mut rounds = vec![]; - for _ in 0..k { - // Read L and R from the proof and write them to the transcript - let l = transcript.read_point().map_err(|_| Error::OpeningError)?; - let r = transcript.read_point().map_err(|_| Error::OpeningError)?; - - let u_j_packed = transcript.squeeze_challenge(); - let u_j = *u_j_packed.as_challenge_scalar::<()>(); - - rounds.push((l, r, u_j, /* to be inverted */ u_j, u_j_packed)); - } - - rounds - .iter_mut() - .map(|&mut (_, _, _, ref mut u_j, _)| u_j) - .batch_invert(); - - // This is the left-hand side of the verifier equation. - // P' + \sum([u_j^{-1}] L_j) + \sum([u_j] R_j) - let mut u = Vec::with_capacity(k); - let mut u_packed: Vec = Vec::with_capacity(k); - for (l, r, u_j, u_j_inv, u_j_packed) in rounds { - msm.append_term(u_j_inv, l.into()); - msm.append_term(u_j, r.into()); - - u.push(u_j); - u_packed.push(u_j_packed.get_scalar()); - } - - // Our goal is to check that the left hand side of the verifier - // equation - // P' + \sum([u_j^{-1}] L_j) + \sum([u_j] R_j) - // equals (given b = \mathbf{b}_0, and the prover's values c, f), - // the right-hand side - // = [c] (G'_0 + [b * z] U) + [f] W - // Subtracting the right-hand side from both sides we get - // P' + \sum([u_j^{-1}] L_j) + \sum([u_j] R_j) - // + [-c] G'_0 + [-cbz] U + [-f] W - // = 0 - // - // Note that the guard returned from this function does not include - // the [-c]G'_0 term. - - let c = transcript.read_scalar().map_err(|_| Error::SamplingError)?; - let neg_c = -c; - let f = transcript.read_scalar().map_err(|_| Error::SamplingError)?; - let b = compute_b(x, &u); - - msm.add_to_u_scalar(neg_c * &b * &z); - msm.add_to_w_scalar(-f); - - let guard = GuardIPA { - msm, - neg_c, - u, - u_packed, - }; - - Ok(guard) -} - -/// Computes $\prod\limits_{i=0}^{k-1} (1 + u_{k - 1 - i} x^{2^i})$. -fn compute_b(x: F, u: &[F]) -> F { - let mut tmp = F::ONE; - let mut cur = x; - for u_j in u.iter().rev() { - tmp *= F::ONE + &(*u_j * &cur); - cur *= cur; - } - tmp -} diff --git a/halo2_proofs/src/poly/ipa/mod.rs b/halo2_proofs/src/poly/ipa/mod.rs deleted file mode 100644 index 3600e2f051..0000000000 --- a/halo2_proofs/src/poly/ipa/mod.rs +++ /dev/null @@ -1,7 +0,0 @@ -pub mod commitment; -/// Multiscalar multiplication engines -pub mod msm; -/// IPA multi-open scheme -pub mod multiopen; -/// Strategies used with KZG scheme -pub mod strategy; diff --git a/halo2_proofs/src/poly/ipa/msm.rs b/halo2_proofs/src/poly/ipa/msm.rs deleted file mode 100644 index a615ddce49..0000000000 --- a/halo2_proofs/src/poly/ipa/msm.rs +++ /dev/null @@ -1,271 +0,0 @@ -use crate::arithmetic::{best_multiexp, CurveAffine}; -use crate::poly::{commitment::MSM, ipa::commitment::ParamsVerifierIPA}; -use ff::Field; -use group::Group; -use std::collections::BTreeMap; - -/// A multiscalar multiplication in the polynomial commitment scheme -#[derive(Debug, Clone)] -pub struct MSMIPA<'params, C: CurveAffine> { - pub(crate) params: &'params ParamsVerifierIPA, - g_scalars: Option>, - w_scalar: Option, - u_scalar: Option, - // x-coordinate -> (scalar, y-coordinate) - other: BTreeMap, -} - -impl<'a, C: CurveAffine> MSMIPA<'a, C> { - /// Given verifier parameters Creates an empty multi scalar engine - pub fn new(params: &'a ParamsVerifierIPA) -> Self { - let g_scalars = None; - let w_scalar = None; - let u_scalar = None; - let other = BTreeMap::new(); - - Self { - g_scalars, - w_scalar, - u_scalar, - other, - - params, - } - } - - /// Add another multiexp into this one - pub fn add_msm(&mut self, other: &Self) { - for (x, (scalar, y)) in other.other.iter() { - self.other - .entry(*x) - .and_modify(|(our_scalar, our_y)| { - if our_y == y { - *our_scalar += *scalar; - } else { - assert!(*our_y == -*y); - *our_scalar -= *scalar; - } - }) - .or_insert((*scalar, *y)); - } - - if let Some(g_scalars) = &other.g_scalars { - self.add_to_g_scalars(g_scalars); - } - - if let Some(w_scalar) = &other.w_scalar { - self.add_to_w_scalar(*w_scalar); - } - - if let Some(u_scalar) = &other.u_scalar { - self.add_to_u_scalar(*u_scalar); - } - } -} - -impl<'a, C: CurveAffine> MSM for MSMIPA<'a, C> { - fn append_term(&mut self, scalar: C::Scalar, point: C::Curve) { - if !bool::from(point.is_identity()) { - use group::Curve; - let point = point.to_affine(); - let xy = point.coordinates().unwrap(); - let x = *xy.x(); - let y = *xy.y(); - - self.other - .entry(x) - .and_modify(|(our_scalar, our_y)| { - if *our_y == y { - *our_scalar += scalar; - } else { - assert!(*our_y == -y); - *our_scalar -= scalar; - } - }) - .or_insert((scalar, y)); - } - } - - /// Add another multiexp into this one - fn add_msm(&mut self, other: &Self) { - for (x, (scalar, y)) in other.other.iter() { - self.other - .entry(*x) - .and_modify(|(our_scalar, our_y)| { - if our_y == y { - *our_scalar += *scalar; - } else { - assert!(*our_y == -*y); - *our_scalar -= *scalar; - } - }) - .or_insert((*scalar, *y)); - } - - if let Some(g_scalars) = &other.g_scalars { - self.add_to_g_scalars(g_scalars); - } - - if let Some(w_scalar) = &other.w_scalar { - self.add_to_w_scalar(*w_scalar); - } - - if let Some(u_scalar) = &other.u_scalar { - self.add_to_u_scalar(*u_scalar); - } - } - - fn scale(&mut self, factor: C::Scalar) { - if let Some(g_scalars) = &mut self.g_scalars { - for g_scalar in g_scalars { - *g_scalar *= &factor; - } - } - - for other in self.other.values_mut() { - other.0 *= factor; - } - - self.w_scalar = self.w_scalar.map(|a| a * &factor); - self.u_scalar = self.u_scalar.map(|a| a * &factor); - } - - fn check(&self) -> bool { - bool::from(self.eval().is_identity()) - } - - fn eval(&self) -> C::Curve { - let len = self.g_scalars.as_ref().map(|v| v.len()).unwrap_or(0) - + self.w_scalar.map(|_| 1).unwrap_or(0) - + self.u_scalar.map(|_| 1).unwrap_or(0) - + self.other.len(); - let mut scalars: Vec = Vec::with_capacity(len); - let mut bases: Vec = Vec::with_capacity(len); - - scalars.extend(self.other.values().map(|(scalar, _)| scalar)); - bases.extend( - self.other - .iter() - .map(|(x, (_, y))| C::from_xy(*x, *y).unwrap()), - ); - - if let Some(w_scalar) = self.w_scalar { - scalars.push(w_scalar); - bases.push(self.params.w); - } - - if let Some(u_scalar) = self.u_scalar { - scalars.push(u_scalar); - bases.push(self.params.u); - } - - if let Some(g_scalars) = &self.g_scalars { - scalars.extend(g_scalars); - bases.extend(self.params.g.iter()); - } - - assert_eq!(scalars.len(), len); - - best_multiexp(&scalars, &bases) - } - - fn bases(&self) -> Vec { - self.other - .iter() - .map(|(x, (_, y))| C::from_xy(*x, *y).unwrap().into()) - .collect() - } - - fn scalars(&self) -> Vec { - self.other.values().map(|(scalar, _)| *scalar).collect() - } -} - -impl<'a, C: CurveAffine> MSMIPA<'a, C> { - /// Add a value to the first entry of `g_scalars`. - pub fn add_constant_term(&mut self, constant: C::Scalar) { - if let Some(g_scalars) = self.g_scalars.as_mut() { - g_scalars[0] += &constant; - } else { - let mut g_scalars = vec![C::Scalar::ZERO; self.params.n as usize]; - g_scalars[0] += &constant; - self.g_scalars = Some(g_scalars); - } - } - - /// Add a vector of scalars to `g_scalars`. This function will panic if the - /// caller provides a slice of scalars that is not of length `params.n`. - pub fn add_to_g_scalars(&mut self, scalars: &[C::Scalar]) { - assert_eq!(scalars.len(), self.params.n as usize); - if let Some(g_scalars) = &mut self.g_scalars { - for (g_scalar, scalar) in g_scalars.iter_mut().zip(scalars.iter()) { - *g_scalar += scalar; - } - } else { - self.g_scalars = Some(scalars.to_vec()); - } - } - /// Add to `w_scalar` - pub fn add_to_w_scalar(&mut self, scalar: C::Scalar) { - self.w_scalar = self.w_scalar.map_or(Some(scalar), |a| Some(a + &scalar)); - } - - /// Add to `u_scalar` - pub fn add_to_u_scalar(&mut self, scalar: C::Scalar) { - self.u_scalar = self.u_scalar.map_or(Some(scalar), |a| Some(a + &scalar)); - } -} - -#[cfg(test)] -mod tests { - use crate::poly::{ - commitment::{ParamsProver, MSM}, - ipa::{commitment::ParamsIPA, msm::MSMIPA}, - }; - use halo2curves::{ - pasta::{Ep, EpAffine, Fp, Fq}, - CurveAffine, - }; - - #[test] - fn msm_arithmetic() { - let base: Ep = EpAffine::from_xy(-Fp::one(), Fp::from(2)).unwrap().into(); - let base_viol = base + base; - - let params = ParamsIPA::new(4); - let mut a: MSMIPA = MSMIPA::new(¶ms); - a.append_term(Fq::one(), base); - // a = [1] P - assert!(!a.clone().check()); - a.append_term(Fq::one(), base); - // a = [1+1] P - assert!(!a.clone().check()); - a.append_term(-Fq::one(), base_viol); - // a = [1+1] P + [-1] 2P - assert!(a.clone().check()); - let b = a.clone(); - - // Append a point that is the negation of an existing one. - a.append_term(Fq::from(4), -base); - // a = [1+1-4] P + [-1] 2P - assert!(!a.clone().check()); - a.append_term(Fq::from(2), base_viol); - // a = [1+1-4] P + [-1+2] 2P - assert!(a.clone().check()); - - // Add two MSMs with common bases. - a.scale(Fq::from(3)); - a.add_msm(&b); - // a = [3*(1+1)+(1+1-4)] P + [3*(-1)+(-1+2)] 2P - assert!(a.clone().check()); - - let mut c: MSMIPA = MSMIPA::new(¶ms); - c.append_term(Fq::from(2), base); - c.append_term(Fq::one(), -base_viol); - // c = [2] P + [1] (-2P) - assert!(c.clone().check()); - // Add two MSMs with bases that differ only in sign. - a.add_msm(&c); - assert!(a.check()); - } -} diff --git a/halo2_proofs/src/poly/ipa/multiopen.rs b/halo2_proofs/src/poly/ipa/multiopen.rs deleted file mode 100644 index b78acb5934..0000000000 --- a/halo2_proofs/src/poly/ipa/multiopen.rs +++ /dev/null @@ -1,172 +0,0 @@ -//! This module contains an optimisation of the polynomial commitment opening -//! scheme described in the [Halo][halo] paper. -//! -//! [halo]: https://eprint.iacr.org/2019/1021 - -use super::*; -use crate::{poly::query::Query, transcript::ChallengeScalar}; -use ff::Field; -use std::collections::{BTreeMap, BTreeSet}; - -mod prover; -mod verifier; - -pub use prover::ProverIPA; -pub use verifier::VerifierIPA; - -#[derive(Clone, Copy, Debug)] -struct X1 {} -/// Challenge for compressing openings at the same point sets together. -type ChallengeX1 = ChallengeScalar; - -#[derive(Clone, Copy, Debug)] -struct X2 {} -/// Challenge for keeping the multi-point quotient polynomial terms linearly independent. -type ChallengeX2 = ChallengeScalar; - -#[derive(Clone, Copy, Debug)] -struct X3 {} -/// Challenge point at which the commitments are opened. -type ChallengeX3 = ChallengeScalar; - -#[derive(Clone, Copy, Debug)] -struct X4 {} -/// Challenge for collapsing the openings of the various remaining polynomials at x_3 -/// together. -type ChallengeX4 = ChallengeScalar; - -#[derive(Debug)] -struct CommitmentData { - pub(crate) commitment: T, - pub(crate) set_index: usize, - pub(crate) point_indices: Vec, - pub(crate) evals: Vec, -} - -impl CommitmentData { - fn new(commitment: T) -> Self { - CommitmentData { - commitment, - set_index: 0, - point_indices: vec![], - evals: vec![], - } - } -} - -type IntermediateSets = ( - Vec>::Eval, >::Commitment>>, - Vec>, -); - -fn construct_intermediate_sets>(queries: I) -> IntermediateSets -where - I: IntoIterator + Clone, -{ - // Construct sets of unique commitments and corresponding information about - // their queries. - let mut commitment_map: Vec> = vec![]; - - // Also construct mapping from a unique point to a point_index. This defines - // an ordering on the points. - let mut point_index_map = BTreeMap::new(); - - // Iterate over all of the queries, computing the ordering of the points - // while also creating new commitment data. - for query in queries.clone() { - let num_points = point_index_map.len(); - let point_idx = point_index_map - .entry(query.get_point()) - .or_insert(num_points); - - if let Some(pos) = commitment_map - .iter() - .position(|comm| comm.commitment == query.get_commitment()) - { - commitment_map[pos].point_indices.push(*point_idx); - } else { - let mut tmp = CommitmentData::new(query.get_commitment()); - tmp.point_indices.push(*point_idx); - commitment_map.push(tmp); - } - } - - // Also construct inverse mapping from point_index to the point - let mut inverse_point_index_map = BTreeMap::new(); - for (&point, &point_index) in point_index_map.iter() { - inverse_point_index_map.insert(point_index, point); - } - - // Construct map of unique ordered point_idx_sets to their set_idx - let mut point_idx_sets = BTreeMap::new(); - // Also construct mapping from commitment to point_idx_set - let mut commitment_set_map = Vec::new(); - - for commitment_data in commitment_map.iter() { - let mut point_index_set = BTreeSet::new(); - // Note that point_index_set is ordered, unlike point_indices - for &point_index in commitment_data.point_indices.iter() { - point_index_set.insert(point_index); - } - - // Push point_index_set to CommitmentData for the relevant commitment - commitment_set_map.push((commitment_data.commitment, point_index_set.clone())); - - let num_sets = point_idx_sets.len(); - point_idx_sets.entry(point_index_set).or_insert(num_sets); - } - - // Initialise empty evals vec for each unique commitment - for commitment_data in commitment_map.iter_mut() { - let len = commitment_data.point_indices.len(); - commitment_data.evals = vec![Q::Eval::default(); len]; - } - - // Populate set_index, evals and points for each commitment using point_idx_sets - for query in queries { - // The index of the point at which the commitment is queried - let point_index = point_index_map.get(&query.get_point()).unwrap(); - - // The point_index_set at which the commitment was queried - let mut point_index_set = BTreeSet::new(); - for (commitment, point_idx_set) in commitment_set_map.iter() { - if query.get_commitment() == *commitment { - point_index_set = point_idx_set.clone(); - } - } - assert!(!point_index_set.is_empty()); - - // The set_index of the point_index_set - let set_index = point_idx_sets.get(&point_index_set).unwrap(); - for commitment_data in commitment_map.iter_mut() { - if query.get_commitment() == commitment_data.commitment { - commitment_data.set_index = *set_index; - } - } - let point_index_set: Vec = point_index_set.iter().cloned().collect(); - - // The offset of the point_index in the point_index_set - let point_index_in_set = point_index_set - .iter() - .position(|i| i == point_index) - .unwrap(); - - for commitment_data in commitment_map.iter_mut() { - if query.get_commitment() == commitment_data.commitment { - // Insert the eval using the ordering of the point_index_set - commitment_data.evals[point_index_in_set] = query.get_eval(); - } - } - } - - // Get actual points in each point set - let mut point_sets: Vec> = vec![Vec::new(); point_idx_sets.len()]; - for (point_idx_set, &set_idx) in point_idx_sets.iter() { - for &point_idx in point_idx_set.iter() { - let point = inverse_point_index_map.get(&point_idx).unwrap(); - point_sets[set_idx].push(*point); - } - } - - (commitment_map, point_sets) -} diff --git a/halo2_proofs/src/poly/ipa/multiopen/prover.rs b/halo2_proofs/src/poly/ipa/multiopen/prover.rs deleted file mode 100644 index 2ae745d457..0000000000 --- a/halo2_proofs/src/poly/ipa/multiopen/prover.rs +++ /dev/null @@ -1,122 +0,0 @@ -use super::{construct_intermediate_sets, ChallengeX1, ChallengeX2, ChallengeX3, ChallengeX4}; -use crate::arithmetic::{eval_polynomial, kate_division, CurveAffine}; -use crate::poly::commitment::ParamsProver; -use crate::poly::commitment::{Blind, Prover}; -use crate::poly::ipa::commitment::{self, IPACommitmentScheme, ParamsIPA}; -use crate::poly::query::ProverQuery; -use crate::poly::{Coeff, Polynomial}; -use crate::transcript::{EncodedChallenge, TranscriptWrite}; - -use ff::Field; -use group::Curve; -use rand_core::RngCore; -use std::io; -use std::marker::PhantomData; - -/// IPA multi-open prover -#[derive(Debug)] -pub struct ProverIPA<'params, C: CurveAffine> { - pub(crate) params: &'params ParamsIPA, -} - -impl<'params, C: CurveAffine> Prover<'params, IPACommitmentScheme> for ProverIPA<'params, C> { - const QUERY_INSTANCE: bool = true; - - fn new(params: &'params ParamsIPA) -> Self { - Self { params } - } - - /// Create a multi-opening proof - fn create_proof<'com, Z: EncodedChallenge, T: TranscriptWrite, R, I>( - &self, - mut rng: R, - transcript: &mut T, - queries: I, - ) -> io::Result<()> - where - I: IntoIterator> + Clone, - R: RngCore, - { - let x_1: ChallengeX1<_> = transcript.squeeze_challenge_scalar(); - let x_2: ChallengeX2<_> = transcript.squeeze_challenge_scalar(); - - let (poly_map, point_sets) = construct_intermediate_sets(queries); - - // Collapse openings at same point sets together into single openings using - // x_1 challenge. - let mut q_polys: Vec>> = vec![None; point_sets.len()]; - let mut q_blinds = vec![Blind(C::Scalar::ZERO); point_sets.len()]; - - { - let mut accumulate = |set_idx: usize, - new_poly: &Polynomial, - blind: Blind| { - if let Some(poly) = &q_polys[set_idx] { - q_polys[set_idx] = Some(poly.clone() * *x_1 + new_poly); - } else { - q_polys[set_idx] = Some(new_poly.clone()); - } - q_blinds[set_idx] *= *x_1; - q_blinds[set_idx] += blind; - }; - - for commitment_data in poly_map.into_iter() { - accumulate( - commitment_data.set_index, // set_idx, - commitment_data.commitment.poly, // poly, - commitment_data.commitment.blind, // blind, - ); - } - } - - let q_prime_poly = point_sets - .iter() - .zip(q_polys.iter()) - .fold(None, |q_prime_poly, (points, poly)| { - let mut poly = points - .iter() - .fold(poly.clone().unwrap().values, |poly, point| { - kate_division(&poly, *point) - }); - poly.resize(self.params.n as usize, C::Scalar::ZERO); - let poly = Polynomial { - values: poly, - _marker: PhantomData, - }; - - if q_prime_poly.is_none() { - Some(poly) - } else { - q_prime_poly.map(|q_prime_poly| q_prime_poly * *x_2 + &poly) - } - }) - .unwrap(); - - let q_prime_blind = Blind(C::Scalar::random(&mut rng)); - let q_prime_commitment = self.params.commit(&q_prime_poly, q_prime_blind).to_affine(); - - transcript.write_point(q_prime_commitment)?; - - let x_3: ChallengeX3<_> = transcript.squeeze_challenge_scalar(); - - // Prover sends u_i for all i, which correspond to the evaluation - // of each Q polynomial commitment at x_3. - for q_i_poly in &q_polys { - transcript.write_scalar(eval_polynomial(q_i_poly.as_ref().unwrap(), *x_3))?; - } - - let x_4: ChallengeX4<_> = transcript.squeeze_challenge_scalar(); - - let (p_poly, p_poly_blind) = q_polys.into_iter().zip(q_blinds).fold( - (q_prime_poly, q_prime_blind), - |(q_prime_poly, q_prime_blind), (poly, blind)| { - ( - q_prime_poly * *x_4 + &poly.unwrap(), - Blind((q_prime_blind.0 * &(*x_4)) + &blind.0), - ) - }, - ); - - commitment::create_proof(self.params, rng, transcript, &p_poly, p_poly_blind, *x_3) - } -} diff --git a/halo2_proofs/src/poly/ipa/multiopen/verifier.rs b/halo2_proofs/src/poly/ipa/multiopen/verifier.rs deleted file mode 100644 index d559e33384..0000000000 --- a/halo2_proofs/src/poly/ipa/multiopen/verifier.rs +++ /dev/null @@ -1,148 +0,0 @@ -use std::fmt::Debug; - -use ff::Field; - -use super::{construct_intermediate_sets, ChallengeX1, ChallengeX2, ChallengeX3, ChallengeX4}; -use crate::arithmetic::{eval_polynomial, lagrange_interpolate, CurveAffine}; -use crate::poly::commitment::{Params, Verifier, MSM}; -use crate::poly::ipa::commitment::{IPACommitmentScheme, ParamsIPA, ParamsVerifierIPA}; -use crate::poly::ipa::msm::MSMIPA; -use crate::poly::ipa::strategy::GuardIPA; -use crate::poly::query::{CommitmentReference, VerifierQuery}; -use crate::poly::Error; -use crate::transcript::{EncodedChallenge, TranscriptRead}; - -/// IPA multi-open verifier -#[derive(Debug)] -pub struct VerifierIPA<'params, C: CurveAffine> { - params: &'params ParamsIPA, -} - -impl<'params, C: CurveAffine> Verifier<'params, IPACommitmentScheme> - for VerifierIPA<'params, C> -{ - type Guard = GuardIPA<'params, C>; - type MSMAccumulator = MSMIPA<'params, C>; - - const QUERY_INSTANCE: bool = true; - - fn new(params: &'params ParamsVerifierIPA) -> Self { - Self { params } - } - - fn verify_proof<'com, E: EncodedChallenge, T: TranscriptRead, I>( - &self, - transcript: &mut T, - queries: I, - mut msm: MSMIPA<'params, C>, - ) -> Result - where - 'params: 'com, - I: IntoIterator>> + Clone, - { - // Sample x_1 for compressing openings at the same point sets together - let x_1: ChallengeX1<_> = transcript.squeeze_challenge_scalar(); - - // Sample a challenge x_2 for keeping the multi-point quotient - // polynomial terms linearly independent. - let x_2: ChallengeX2<_> = transcript.squeeze_challenge_scalar(); - - let (commitment_map, point_sets) = construct_intermediate_sets(queries); - - // Compress the commitments and expected evaluations at x together. - // using the challenge x_1 - let mut q_commitments: Vec<_> = vec![ - (self.params.empty_msm(), C::Scalar::ONE); // (accumulator, next x_1 power). - point_sets.len()]; - - // A vec of vecs of evals. The outer vec corresponds to the point set, - // while the inner vec corresponds to the points in a particular set. - let mut q_eval_sets = Vec::with_capacity(point_sets.len()); - for point_set in point_sets.iter() { - q_eval_sets.push(vec![C::Scalar::ZERO; point_set.len()]); - } - - { - let mut accumulate = |set_idx: usize, - new_commitment: CommitmentReference>, - evals: Vec| { - let (q_commitment, x_1_power) = &mut q_commitments[set_idx]; - match new_commitment { - CommitmentReference::Commitment(c) => { - q_commitment.append_term(*x_1_power, (*c).into()); - } - CommitmentReference::MSM(msm) => { - let mut msm = msm.clone(); - msm.scale(*x_1_power); - q_commitment.add_msm(&msm); - } - } - for (eval, set_eval) in evals.iter().zip(q_eval_sets[set_idx].iter_mut()) { - *set_eval += (*eval) * (*x_1_power); - } - *x_1_power *= *x_1; - }; - - // Each commitment corresponds to evaluations at a set of points. - // For each set, we collapse each commitment's evals pointwise. - // Run in order of increasing x_1 powers. - for commitment_data in commitment_map.into_iter().rev() { - accumulate( - commitment_data.set_index, // set_idx, - commitment_data.commitment, // commitment, - commitment_data.evals, // evals - ); - } - } - - // Obtain the commitment to the multi-point quotient polynomial f(X). - let q_prime_commitment = transcript.read_point().map_err(|_| Error::SamplingError)?; - - // Sample a challenge x_3 for checking that f(X) was committed to - // correctly. - let x_3: ChallengeX3<_> = transcript.squeeze_challenge_scalar(); - - // u is a vector containing the evaluations of the Q polynomial - // commitments at x_3 - let mut u = Vec::with_capacity(q_eval_sets.len()); - for _ in 0..q_eval_sets.len() { - u.push(transcript.read_scalar().map_err(|_| Error::SamplingError)?); - } - - // We can compute the expected msm_eval at x_3 using the u provided - // by the prover and from x_2 - let msm_eval = point_sets - .iter() - .zip(q_eval_sets.iter()) - .zip(u.iter()) - .fold( - C::Scalar::ZERO, - |msm_eval, ((points, evals), proof_eval)| { - let r_poly = lagrange_interpolate(points, evals); - let r_eval = eval_polynomial(&r_poly, *x_3); - let eval = points.iter().fold(*proof_eval - &r_eval, |eval, point| { - eval * &(*x_3 - point).invert().unwrap() - }); - msm_eval * &(*x_2) + &eval - }, - ); - - // Sample a challenge x_4 that we will use to collapse the openings of - // the various remaining polynomials at x_3 together. - let x_4: ChallengeX4<_> = transcript.squeeze_challenge_scalar(); - - // Compute the final commitment that has to be opened - msm.append_term(C::Scalar::ONE, q_prime_commitment.into()); - let (msm, v) = q_commitments.into_iter().zip(u.iter()).fold( - (msm, msm_eval), - |(mut msm, msm_eval), ((q_commitment, _), q_eval)| { - msm.scale(*x_4); - msm.add_msm(&q_commitment); - (msm, msm_eval * &(*x_4) + q_eval) - }, - ); - - // Verify the opening proof - super::commitment::verify_proof(self.params, msm, transcript, *x_3, v) - } -} diff --git a/halo2_proofs/src/poly/ipa/strategy.rs b/halo2_proofs/src/poly/ipa/strategy.rs deleted file mode 100644 index d2d1b3d364..0000000000 --- a/halo2_proofs/src/poly/ipa/strategy.rs +++ /dev/null @@ -1,171 +0,0 @@ -use super::commitment::{IPACommitmentScheme, ParamsIPA}; -use super::msm::MSMIPA; -use super::multiopen::VerifierIPA; -use crate::{ - arithmetic::best_multiexp, - plonk::Error, - poly::{ - commitment::MSM, - strategy::{Guard, VerificationStrategy}, - }, -}; -use ff::Field; -use group::Curve; -use halo2curves::CurveAffine; -use rand_core::OsRng; - -/// Wrapper for verification accumulator -#[derive(Debug, Clone)] -pub struct GuardIPA<'params, C: CurveAffine> { - pub(crate) msm: MSMIPA<'params, C>, - pub(crate) neg_c: C::Scalar, - pub(crate) u: Vec, - pub(crate) u_packed: Vec, -} - -/// An accumulator instance consisting of an evaluation claim and a proof. -#[derive(Debug, Clone)] -pub struct Accumulator { - /// The claimed output of the linear-time polycommit opening protocol - pub g: C, - - /// A vector of challenges u_0, ..., u_{k - 1} sampled by the verifier, to - /// be used in computing G'_0. - pub u_packed: Vec, -} - -/// Define accumulator type as `MSMIPA` -impl<'params, C: CurveAffine> Guard> for GuardIPA<'params, C> { - type MSMAccumulator = MSMIPA<'params, C>; -} - -/// IPA specific operations -impl<'params, C: CurveAffine> GuardIPA<'params, C> { - /// Lets caller supply the challenges and obtain an MSM with updated - /// scalars and points. - pub fn use_challenges(mut self) -> MSMIPA<'params, C> { - let s = compute_s(&self.u, self.neg_c); - self.msm.add_to_g_scalars(&s); - - self.msm - } - - /// Lets caller supply the purported G point and simply appends - /// [-c] G to return an updated MSM. - pub fn use_g(mut self, g: C) -> (MSMIPA<'params, C>, Accumulator) { - self.msm.append_term(self.neg_c, g.into()); - - let accumulator = Accumulator { - g, - u_packed: self.u_packed, - }; - - (self.msm, accumulator) - } - - /// Computes G = ⟨s, params.g⟩ - pub fn compute_g(&self) -> C { - let s = compute_s(&self.u, C::Scalar::ONE); - - best_multiexp(&s, &self.msm.params.g).to_affine() - } -} - -/// A verifier that checks multiple proofs in a batch. -#[derive(Debug)] -pub struct AccumulatorStrategy<'params, C: CurveAffine> { - msm: MSMIPA<'params, C>, -} - -impl<'params, C: CurveAffine> - VerificationStrategy<'params, IPACommitmentScheme, VerifierIPA<'params, C>> - for AccumulatorStrategy<'params, C> -{ - type Output = Self; - - fn new(params: &'params ParamsIPA) -> Self { - AccumulatorStrategy { - msm: MSMIPA::new(params), - } - } - - fn process( - mut self, - f: impl FnOnce(MSMIPA<'params, C>) -> Result, Error>, - ) -> Result { - self.msm.scale(C::Scalar::random(OsRng)); - let guard = f(self.msm)?; - - Ok(Self { - msm: guard.use_challenges(), - }) - } - - /// Finalizes the batch and checks its validity. - /// - /// Returns `false` if *some* proof was invalid. If the caller needs to identify - /// specific failing proofs, it must re-process the proofs separately. - #[must_use] - fn finalize(self) -> bool { - self.msm.check() - } -} - -/// A verifier that checks single proof -#[derive(Debug)] -pub struct SingleStrategy<'params, C: CurveAffine> { - msm: MSMIPA<'params, C>, -} - -impl<'params, C: CurveAffine> - VerificationStrategy<'params, IPACommitmentScheme, VerifierIPA<'params, C>> - for SingleStrategy<'params, C> -{ - type Output = (); - - fn new(params: &'params ParamsIPA) -> Self { - SingleStrategy { - msm: MSMIPA::new(params), - } - } - - fn process( - self, - f: impl FnOnce(MSMIPA<'params, C>) -> Result, Error>, - ) -> Result { - let guard = f(self.msm)?; - let msm = guard.use_challenges(); - if msm.check() { - Ok(()) - } else { - Err(Error::ConstraintSystemFailure) - } - } - - /// Finalizes the batch and checks its validity. - /// - /// Returns `false` if *some* proof was invalid. If the caller needs to identify - /// specific failing proofs, it must re-process the proofs separately. - #[must_use] - fn finalize(self) -> bool { - unreachable!() - } -} - -/// Computes the coefficients of $g(X) = \prod\limits_{i=0}^{k-1} (1 + u_{k - 1 - i} X^{2^i})$. -fn compute_s(u: &[F], init: F) -> Vec { - assert!(!u.is_empty()); - let mut v = vec![F::ZERO; 1 << u.len()]; - v[0] = init; - - for (len, u_j) in u.iter().rev().enumerate().map(|(i, u_j)| (1 << i, u_j)) { - let (left, right) = v.split_at_mut(len); - let right = &mut right[0..len]; - right.copy_from_slice(left); - for v in right { - *v *= u_j; - } - } - - v -} diff --git a/halo2_proofs/src/poly/kzg/mod.rs b/halo2_proofs/src/poly/kzg/mod.rs deleted file mode 100644 index 0c99a20c34..0000000000 --- a/halo2_proofs/src/poly/kzg/mod.rs +++ /dev/null @@ -1,8 +0,0 @@ -/// KZG commitment scheme -pub mod commitment; -/// Multiscalar multiplication engines -pub mod msm; -/// KZG multi-open scheme -pub mod multiopen; -/// Strategies used with KZG scheme -pub mod strategy; diff --git a/halo2_proofs/src/poly/kzg/multiopen.rs b/halo2_proofs/src/poly/kzg/multiopen.rs deleted file mode 100644 index 97b7e2b777..0000000000 --- a/halo2_proofs/src/poly/kzg/multiopen.rs +++ /dev/null @@ -1,5 +0,0 @@ -mod gwc; -mod shplonk; - -pub use gwc::*; -pub use shplonk::*; diff --git a/halo2_proofs/src/poly/kzg/multiopen/gwc.rs b/halo2_proofs/src/poly/kzg/multiopen/gwc.rs deleted file mode 100644 index 3fd28dd00a..0000000000 --- a/halo2_proofs/src/poly/kzg/multiopen/gwc.rs +++ /dev/null @@ -1,50 +0,0 @@ -mod prover; -mod verifier; - -pub use prover::ProverGWC; -pub use verifier::VerifierGWC; - -use crate::{poly::query::Query, transcript::ChallengeScalar}; -use ff::Field; -use std::marker::PhantomData; - -#[derive(Clone, Copy, Debug)] -struct U {} -type ChallengeU = ChallengeScalar; - -#[derive(Clone, Copy, Debug)] -struct V {} -type ChallengeV = ChallengeScalar; - -struct CommitmentData> { - queries: Vec, - point: F, - _marker: PhantomData, -} - -fn construct_intermediate_sets>(queries: I) -> Vec> -where - I: IntoIterator + Clone, -{ - let mut point_query_map: Vec<(F, Vec)> = Vec::new(); - for query in queries { - if let Some(pos) = point_query_map - .iter() - .position(|(point, _)| *point == query.get_point()) - { - let (_, queries) = &mut point_query_map[pos]; - queries.push(query); - } else { - point_query_map.push((query.get_point(), vec![query])); - } - } - - point_query_map - .into_iter() - .map(|(point, queries)| CommitmentData { - queries, - point, - _marker: PhantomData, - }) - .collect() -} diff --git a/halo2_proofs/src/poly/kzg/multiopen/gwc/prover.rs b/halo2_proofs/src/poly/kzg/multiopen/gwc/prover.rs deleted file mode 100644 index ecea01cb01..0000000000 --- a/halo2_proofs/src/poly/kzg/multiopen/gwc/prover.rs +++ /dev/null @@ -1,89 +0,0 @@ -use super::{construct_intermediate_sets, ChallengeV, Query}; -use crate::arithmetic::{kate_division, powers}; -use crate::helpers::SerdeCurveAffine; -use crate::poly::commitment::ParamsProver; -use crate::poly::commitment::Prover; -use crate::poly::kzg::commitment::{KZGCommitmentScheme, ParamsKZG}; -use crate::poly::query::ProverQuery; -use crate::poly::{commitment::Blind, Polynomial}; -use crate::transcript::{EncodedChallenge, TranscriptWrite}; - -use group::Curve; -use halo2curves::pairing::Engine; -use halo2curves::CurveExt; -use rand_core::RngCore; -use std::fmt::Debug; -use std::io; -use std::marker::PhantomData; - -/// Concrete KZG prover with GWC variant -#[derive(Debug)] -pub struct ProverGWC<'params, E: Engine> { - params: &'params ParamsKZG, -} - -/// Create a multi-opening proof -impl<'params, E: Engine + Debug> Prover<'params, KZGCommitmentScheme> for ProverGWC<'params, E> -where - E::G1Affine: SerdeCurveAffine::Fr, CurveExt = ::G1>, - E::G1: CurveExt, - E::G2Affine: SerdeCurveAffine, -{ - const QUERY_INSTANCE: bool = false; - - fn new(params: &'params ParamsKZG) -> Self { - Self { params } - } - - /// Create a multi-opening proof - fn create_proof< - 'com, - Ch: EncodedChallenge, - T: TranscriptWrite, - R, - I, - >( - &self, - _: R, - transcript: &mut T, - queries: I, - ) -> io::Result<()> - where - I: IntoIterator> + Clone, - R: RngCore, - { - let v: ChallengeV<_> = transcript.squeeze_challenge_scalar(); - let commitment_data = construct_intermediate_sets(queries); - - for commitment_at_a_point in commitment_data.iter() { - let z = commitment_at_a_point.point; - let (poly_batch, eval_batch) = commitment_at_a_point - .queries - .iter() - .zip(powers(*v)) - .map(|(query, power_of_v)| { - assert_eq!(query.get_point(), z); - - let poly = query.get_commitment().poly; - let eval = query.get_eval(); - - (poly.clone() * power_of_v, eval * power_of_v) - }) - .reduce(|(poly_acc, eval_acc), (poly, eval)| (poly_acc + &poly, eval_acc + eval)) - .unwrap(); - - let poly_batch = &poly_batch - eval_batch; - let witness_poly = Polynomial { - values: kate_division(&poly_batch.values, z), - _marker: PhantomData, - }; - let w = self - .params - .commit(&witness_poly, Blind::default()) - .to_affine(); - - transcript.write_point(w)?; - } - Ok(()) - } -} diff --git a/halo2_proofs/src/poly/kzg/multiopen/gwc/verifier.rs b/halo2_proofs/src/poly/kzg/multiopen/gwc/verifier.rs deleted file mode 100644 index fcfda6941f..0000000000 --- a/halo2_proofs/src/poly/kzg/multiopen/gwc/verifier.rs +++ /dev/null @@ -1,124 +0,0 @@ -use std::fmt::Debug; - -use super::{construct_intermediate_sets, ChallengeU, ChallengeV}; -use crate::arithmetic::powers; -use crate::helpers::SerdeCurveAffine; -use crate::poly::commitment::Verifier; -use crate::poly::commitment::MSM; -use crate::poly::kzg::commitment::{KZGCommitmentScheme, ParamsKZG}; -use crate::poly::kzg::msm::{DualMSM, MSMKZG}; -use crate::poly::kzg::strategy::GuardKZG; -use crate::poly::query::Query; -use crate::poly::query::{CommitmentReference, VerifierQuery}; -use crate::poly::Error; -use crate::transcript::{EncodedChallenge, TranscriptRead}; - -use ff::Field; -use halo2curves::pairing::{Engine, MultiMillerLoop}; -use halo2curves::CurveExt; - -#[derive(Debug)] -/// Concrete KZG verifier with GWC variant -pub struct VerifierGWC<'params, E: Engine> { - params: &'params ParamsKZG, -} - -impl<'params, E> Verifier<'params, KZGCommitmentScheme> for VerifierGWC<'params, E> -where - E: MultiMillerLoop + Debug, - E::G1Affine: SerdeCurveAffine::Fr, CurveExt = ::G1>, - E::G1: CurveExt, - E::G2Affine: SerdeCurveAffine, -{ - type Guard = GuardKZG<'params, E>; - type MSMAccumulator = DualMSM<'params, E>; - - const QUERY_INSTANCE: bool = false; - - fn new(params: &'params ParamsKZG) -> Self { - Self { params } - } - - fn verify_proof< - 'com, - Ch: EncodedChallenge, - T: TranscriptRead, - I, - >( - &self, - transcript: &mut T, - queries: I, - mut msm_accumulator: DualMSM<'params, E>, - ) -> Result - where - I: IntoIterator>> + Clone, - { - let v: ChallengeV<_> = transcript.squeeze_challenge_scalar(); - - let commitment_data = construct_intermediate_sets(queries); - - let w: Vec = (0..commitment_data.len()) - .map(|_| transcript.read_point().map_err(|_| Error::SamplingError)) - .collect::, Error>>()?; - - let u: ChallengeU<_> = transcript.squeeze_challenge_scalar(); - - let mut commitment_multi = MSMKZG::::new(); - let mut eval_multi = E::Fr::ZERO; - - let mut witness = MSMKZG::::new(); - let mut witness_with_aux = MSMKZG::::new(); - - for ((commitment_at_a_point, wi), power_of_u) in - commitment_data.iter().zip(w.into_iter()).zip(powers(*u)) - { - assert!(!commitment_at_a_point.queries.is_empty()); - let z = commitment_at_a_point.point; - - let (mut commitment_batch, eval_batch) = commitment_at_a_point - .queries - .iter() - .zip(powers(*v)) - .map(|(query, power_of_v)| { - assert_eq!(query.get_point(), z); - - let commitment = match query.get_commitment() { - CommitmentReference::Commitment(c) => { - let mut msm = MSMKZG::::new(); - msm.append_term(power_of_v, (*c).into()); - msm - } - CommitmentReference::MSM(msm) => { - let mut msm = msm.clone(); - msm.scale(power_of_v); - msm - } - }; - let eval = power_of_v * query.get_eval(); - - (commitment, eval) - }) - .reduce(|(mut commitment_acc, eval_acc), (commitment, eval)| { - commitment_acc.add_msm(&commitment); - (commitment_acc, eval_acc + eval) - }) - .unwrap(); - - commitment_batch.scale(power_of_u); - commitment_multi.add_msm(&commitment_batch); - eval_multi += power_of_u * eval_batch; - - witness_with_aux.append_term(power_of_u * z, wi.into()); - witness.append_term(power_of_u, wi.into()); - } - - msm_accumulator.left.add_msm(&witness); - - msm_accumulator.right.add_msm(&witness_with_aux); - msm_accumulator.right.add_msm(&commitment_multi); - let g0: E::G1 = self.params.g[0].into(); - msm_accumulator.right.append_term(eval_multi, -g0); - - Ok(Self::Guard::new(msm_accumulator)) - } -} diff --git a/halo2_proofs/src/poly/kzg/multiopen/shplonk.rs b/halo2_proofs/src/poly/kzg/multiopen/shplonk.rs deleted file mode 100644 index d0814e83e3..0000000000 --- a/halo2_proofs/src/poly/kzg/multiopen/shplonk.rs +++ /dev/null @@ -1,247 +0,0 @@ -mod prover; -mod verifier; - -use crate::multicore::{IntoParallelIterator, ParallelIterator}; -use crate::{poly::query::Query, transcript::ChallengeScalar}; -use ff::Field; -pub use prover::ProverSHPLONK; -use std::collections::BTreeSet; -pub use verifier::VerifierSHPLONK; - -#[derive(Clone, Copy, Debug)] -struct U {} -type ChallengeU = ChallengeScalar; - -#[derive(Clone, Copy, Debug)] -struct V {} -type ChallengeV = ChallengeScalar; - -#[derive(Clone, Copy, Debug)] -struct Y {} -type ChallengeY = ChallengeScalar; - -#[derive(Debug, Clone, PartialEq)] -struct Commitment((T, Vec)); - -impl Commitment { - fn get(&self) -> T { - self.0 .0.clone() - } - - fn evals(&self) -> Vec { - self.0 .1.clone() - } -} - -#[derive(Debug, Clone, PartialEq)] -struct RotationSet { - commitments: Vec>, - points: Vec, -} - -#[derive(Debug, PartialEq)] -struct IntermediateSets> { - rotation_sets: Vec>, - super_point_set: BTreeSet, -} - -fn construct_intermediate_sets>( - queries: I, -) -> IntermediateSets -where - I: IntoIterator + Clone, -{ - let queries = queries.into_iter().collect::>(); - - // Find evaluation of a commitment at a rotation - let get_eval = |commitment: Q::Commitment, rotation: F| -> F { - queries - .iter() - .find(|query| query.get_commitment() == commitment && query.get_point() == rotation) - .unwrap() - .get_eval() - }; - - // All points that appear in queries - let mut super_point_set = BTreeSet::new(); - - // Collect rotation sets for each commitment - // Example elements in the vector: - // (C_0, {r_5}), - // (C_1, {r_1, r_2, r_3}), - // (C_2, {r_2, r_3, r_4}), - // (C_3, {r_2, r_3, r_4}), - // ... - let mut commitment_rotation_set_map: Vec<(Q::Commitment, BTreeSet)> = vec![]; - for query in queries.iter() { - let rotation = query.get_point(); - super_point_set.insert(rotation); - if let Some(commitment_rotation_set) = commitment_rotation_set_map - .iter_mut() - .find(|(commitment, _)| *commitment == query.get_commitment()) - { - let (_, rotation_set) = commitment_rotation_set; - rotation_set.insert(rotation); - } else { - commitment_rotation_set_map.push(( - query.get_commitment(), - BTreeSet::from_iter(std::iter::once(rotation)), - )); - }; - } - - // Flatten rotation sets and collect commitments that opens against each commitment set - // Example elements in the vector: - // {r_5}: [C_0], - // {r_1, r_2, r_3} : [C_1] - // {r_2, r_3, r_4} : [C_2, C_3], - // ... - // NOTE: we want to make the order of the collection of rotation sets independent of the opening points, to ease the verifier computation - let mut rotation_set_commitment_map: Vec<(BTreeSet, Vec)> = vec![]; - for (commitment, rotation_set) in commitment_rotation_set_map.into_iter() { - if let Some(rotation_set_commitment) = rotation_set_commitment_map - .iter_mut() - .find(|(set, _)| set == &rotation_set) - { - let (_, commitments) = rotation_set_commitment; - commitments.push(commitment); - } else { - rotation_set_commitment_map.push((rotation_set, vec![commitment])); - }; - } - - let rotation_sets = rotation_set_commitment_map - .into_par_iter() - .map(|(rotations, commitments)| { - let rotations_vec = rotations.iter().collect::>(); - let commitments: Vec> = commitments - .into_par_iter() - .map(|commitment| { - let evals: Vec = rotations_vec - .as_slice() - .into_par_iter() - .map(|&&rotation| get_eval(commitment, rotation)) - .collect(); - Commitment((commitment, evals)) - }) - .collect(); - - RotationSet { - commitments, - points: rotations.into_iter().collect(), - } - }) - .collect::>>(); - - IntermediateSets { - rotation_sets, - super_point_set, - } -} - -#[cfg(test)] -mod proptests { - use super::{construct_intermediate_sets, Commitment, IntermediateSets}; - use ff::FromUniformBytes; - use halo2curves::pasta::Fp; - use proptest::{collection::vec, prelude::*, sample::select}; - use std::convert::TryFrom; - - #[derive(Debug, Clone)] - struct MyQuery { - point: F, - eval: F, - commitment: usize, - } - - impl super::Query for MyQuery { - type Commitment = usize; - type Eval = Fp; - - fn get_point(&self) -> Fp { - self.point - } - - fn get_eval(&self) -> Self::Eval { - self.eval - } - - fn get_commitment(&self) -> Self::Commitment { - self.commitment - } - } - - prop_compose! { - fn arb_point()( - bytes in vec(any::(), 64) - ) -> Fp { - Fp::from_uniform_bytes(&<[u8; 64]>::try_from(bytes).unwrap()) - } - } - - prop_compose! { - fn arb_query(commitment: usize, point: Fp)( - eval in arb_point() - ) -> MyQuery { - MyQuery { - point, - eval, - commitment - } - } - } - - prop_compose! { - // Mapping from column index to point index. - fn arb_queries_inner(num_points: usize, num_cols: usize, num_queries: usize)( - col_indices in vec(select((0..num_cols).collect::>()), num_queries), - point_indices in vec(select((0..num_points).collect::>()), num_queries) - ) -> Vec<(usize, usize)> { - col_indices.into_iter().zip(point_indices.into_iter()).collect() - } - } - - prop_compose! { - fn compare_queries( - num_points: usize, - num_cols: usize, - num_queries: usize, - )( - points_1 in vec(arb_point(), num_points), - points_2 in vec(arb_point(), num_points), - mapping in arb_queries_inner(num_points, num_cols, num_queries) - )( - queries_1 in mapping.iter().map(|(commitment, point_idx)| arb_query(*commitment, points_1[*point_idx])).collect::>(), - queries_2 in mapping.iter().map(|(commitment, point_idx)| arb_query(*commitment, points_2[*point_idx])).collect::>(), - ) -> ( - Vec>, - Vec> - ) { - ( - queries_1, - queries_2, - ) - } - } - - proptest! { - #[test] - fn test_intermediate_sets( - (queries_1, queries_2) in compare_queries(8, 8, 16) - ) { - let IntermediateSets { rotation_sets, .. } = construct_intermediate_sets(queries_1); - let commitment_sets = rotation_sets.iter().map(|data| - data.commitments.iter().map(Commitment::get).collect::>() - ).collect::>(); - - // It shouldn't matter what the point or eval values are; we should get - // the same exact point set indices and point indices again. - let IntermediateSets { rotation_sets: new_rotation_sets, .. } = construct_intermediate_sets(queries_2); - let new_commitment_sets = new_rotation_sets.iter().map(|data| - data.commitments.iter().map(Commitment::get).collect::>() - ).collect::>(); - - assert_eq!(commitment_sets, new_commitment_sets); - } - } -} diff --git a/halo2_proofs/src/poly/kzg/multiopen/shplonk/prover.rs b/halo2_proofs/src/poly/kzg/multiopen/shplonk/prover.rs deleted file mode 100644 index 5001d69094..0000000000 --- a/halo2_proofs/src/poly/kzg/multiopen/shplonk/prover.rs +++ /dev/null @@ -1,298 +0,0 @@ -use super::{ - construct_intermediate_sets, ChallengeU, ChallengeV, ChallengeY, Commitment, RotationSet, -}; -use crate::arithmetic::{ - eval_polynomial, evaluate_vanishing_polynomial, kate_division, lagrange_interpolate, - parallelize, powers, CurveAffine, -}; -use crate::helpers::SerdeCurveAffine; -use crate::poly::commitment::{Blind, ParamsProver, Prover}; -use crate::poly::kzg::commitment::{KZGCommitmentScheme, ParamsKZG}; -use crate::poly::query::{PolynomialPointer, ProverQuery}; -use crate::poly::{Coeff, Polynomial}; -use crate::transcript::{EncodedChallenge, TranscriptWrite}; - -use crate::multicore::{IntoParallelIterator, ParallelIterator}; -use ff::Field; -use group::Curve; -use halo2curves::pairing::Engine; -use halo2curves::CurveExt; -use rand_core::RngCore; -use std::fmt::Debug; -use std::io; -use std::marker::PhantomData; -use std::ops::MulAssign; - -fn div_by_vanishing(poly: Polynomial, roots: &[F]) -> Vec { - let poly = roots - .iter() - .fold(poly.values, |poly, point| kate_division(&poly, *point)); - - poly -} - -struct CommitmentExtension<'a, C: CurveAffine> { - commitment: Commitment>, - low_degree_equivalent: Polynomial, -} - -impl<'a, C: CurveAffine> Commitment> { - fn extend(&self, points: &[C::Scalar]) -> CommitmentExtension<'a, C> { - let poly = lagrange_interpolate(points, &self.evals()[..]); - - let low_degree_equivalent = Polynomial { - values: poly, - _marker: PhantomData, - }; - - CommitmentExtension { - commitment: self.clone(), - low_degree_equivalent, - } - } -} - -impl<'a, C: CurveAffine> CommitmentExtension<'a, C> { - fn linearisation_contribution(&self, u: C::Scalar) -> Polynomial { - let p_x = self.commitment.get().poly; - let r_eval = eval_polynomial(&self.low_degree_equivalent.values[..], u); - p_x - r_eval - } - - fn quotient_contribution(&self) -> Polynomial { - let len = self.low_degree_equivalent.len(); - let mut p_x = self.commitment.get().poly.clone(); - parallelize(&mut p_x.values[0..len], |lhs, start| { - for (lhs, rhs) in lhs - .iter_mut() - .zip(self.low_degree_equivalent.values[start..].iter()) - { - *lhs -= *rhs; - } - }); - p_x - } -} - -struct RotationSetExtension<'a, C: CurveAffine> { - commitments: Vec>, - points: Vec, -} - -impl<'a, C: CurveAffine> RotationSet> { - fn extend(self, commitments: Vec>) -> RotationSetExtension<'a, C> { - RotationSetExtension { - commitments, - points: self.points, - } - } -} - -/// Concrete KZG prover with SHPLONK variant -#[derive(Debug)] -pub struct ProverSHPLONK<'a, E: Engine> { - params: &'a ParamsKZG, -} - -impl<'a, E: Engine> ProverSHPLONK<'a, E> { - /// Given parameters creates new prover instance - pub fn new(params: &'a ParamsKZG) -> Self { - Self { params } - } -} - -/// Create a multi-opening proof -impl<'params, E: Engine + Debug> Prover<'params, KZGCommitmentScheme> - for ProverSHPLONK<'params, E> -where - E::Fr: Ord, - E::G1Affine: SerdeCurveAffine::Fr, CurveExt = ::G1>, - E::G1: CurveExt, - E::G2Affine: SerdeCurveAffine, -{ - const QUERY_INSTANCE: bool = false; - - fn new(params: &'params ParamsKZG) -> Self { - Self { params } - } - - /// Create a multi-opening proof - fn create_proof< - 'com, - Ch: EncodedChallenge, - T: TranscriptWrite, - R, - I, - >( - &self, - _: R, - transcript: &mut T, - queries: I, - ) -> io::Result<()> - where - I: IntoIterator> + Clone, - R: RngCore, - { - // TODO: explore if it is safe to use same challenge - // for different sets that are already combined with another challenge - let y: ChallengeY<_> = transcript.squeeze_challenge_scalar(); - - let quotient_contribution = |rotation_set: &RotationSetExtension| { - // [P_i_0(X) - R_i_0(X), P_i_1(X) - R_i_1(X), ... ] - #[allow(clippy::needless_collect)] - let numerators = rotation_set - .commitments - .as_slice() - .into_par_iter() - .map(|commitment| commitment.quotient_contribution()) - .collect::>(); - - // define numerator polynomial as - // N_i_j(X) = (P_i_j(X) - R_i_j(X)) - // and combine polynomials with same evaluation point set - // N_i(X) = linear_combination(y, N_i_j(X)) - // where y is random scalar to combine numerator polynomials - let n_x = numerators - .into_iter() - .zip(powers(*y)) - .map(|(numerator, power_of_y)| numerator * power_of_y) - .reduce(|acc, numerator| acc + &numerator) - .unwrap(); - - let points = &rotation_set.points[..]; - - // quotient contribution of this evaluation set is - // Q_i(X) = N_i(X) / Z_i(X) where - // Z_i(X) = (x - r_i_0) * (x - r_i_1) * ... - let mut poly = div_by_vanishing(n_x, points); - poly.resize(self.params.n as usize, E::Fr::ZERO); - - Polynomial { - values: poly, - _marker: PhantomData, - } - }; - - let intermediate_sets = construct_intermediate_sets(queries); - let (rotation_sets, super_point_set) = ( - intermediate_sets.rotation_sets, - intermediate_sets.super_point_set, - ); - - let rotation_sets: Vec> = rotation_sets - .into_par_iter() - .map(|rotation_set| { - let commitments: Vec> = rotation_set - .commitments - .as_slice() - .into_par_iter() - .map(|commitment_data| commitment_data.extend(&rotation_set.points)) - .collect(); - rotation_set.extend(commitments) - }) - .collect(); - - let v: ChallengeV<_> = transcript.squeeze_challenge_scalar(); - - #[allow(clippy::needless_collect)] - let quotient_polynomials = rotation_sets - .as_slice() - .into_par_iter() - .map(quotient_contribution) - .collect::>(); - - let h_x: Polynomial = quotient_polynomials - .into_iter() - .zip(powers(*v)) - .map(|(poly, power_of_v)| poly * power_of_v) - .reduce(|acc, poly| acc + &poly) - .unwrap(); - - let h = self.params.commit(&h_x, Blind::default()).to_affine(); - transcript.write_point(h)?; - let u: ChallengeU<_> = transcript.squeeze_challenge_scalar(); - - let linearisation_contribution = |rotation_set: RotationSetExtension| { - let mut diffs = super_point_set.clone(); - for point in rotation_set.points.iter() { - diffs.remove(point); - } - let diffs = diffs.into_iter().collect::>(); - - // calculate difference vanishing polynomial evaluation - let z_i = evaluate_vanishing_polynomial(&diffs[..], *u); - - // inner linearisation contributions are - // [P_i_0(X) - r_i_0, P_i_1(X) - r_i_1, ... ] where - // r_i_j = R_i_j(u) is the evaluation of low degree equivalent polynomial - // where u is random evaluation point - #[allow(clippy::needless_collect)] - let inner_contributions = rotation_set - .commitments - .as_slice() - .into_par_iter() - .map(|commitment| commitment.linearisation_contribution(*u)) - .collect::>(); - - // define inner contributor polynomial as - // L_i_j(X) = (P_i_j(X) - r_i_j) - // and combine polynomials with same evaluation point set - // L_i(X) = linear_combination(y, L_i_j(X)) - // where y is random scalar to combine inner contributors - let l_x: Polynomial = inner_contributions - .into_iter() - .zip(powers(*y)) - .map(|(poly, power_of_y)| poly * power_of_y) - .reduce(|acc, poly| acc + &poly) - .unwrap(); - - // finally scale l_x by difference vanishing polynomial evaluation z_i - (l_x * z_i, z_i) - }; - - #[allow(clippy::type_complexity)] - let (linearisation_contributions, z_diffs): ( - Vec>, - Vec, - ) = rotation_sets - .into_par_iter() - .map(linearisation_contribution) - .unzip(); - - let l_x: Polynomial = linearisation_contributions - .into_iter() - .zip(powers(*v)) - .map(|(poly, power_of_v)| poly * power_of_v) - .reduce(|acc, poly| acc + &poly) - .unwrap(); - - let super_point_set = super_point_set.into_iter().collect::>(); - let zt_eval = evaluate_vanishing_polynomial(&super_point_set[..], *u); - let l_x = l_x - &(h_x * zt_eval); - - // sanity check - #[cfg(debug_assertions)] - { - let must_be_zero = eval_polynomial(&l_x.values[..], *u); - assert_eq!(must_be_zero, E::Fr::ZERO); - } - - let mut h_x = div_by_vanishing(l_x, &[*u]); - - // normalize coefficients by the coefficient of the first polynomial - let z_0_diff_inv = z_diffs[0].invert().unwrap(); - for h_i in h_x.iter_mut() { - h_i.mul_assign(z_0_diff_inv) - } - - let h_x = Polynomial { - values: h_x, - _marker: PhantomData, - }; - - let h = self.params.commit(&h_x, Blind::default()).to_affine(); - transcript.write_point(h)?; - - Ok(()) - } -} diff --git a/halo2_proofs/src/poly/kzg/multiopen/shplonk/verifier.rs b/halo2_proofs/src/poly/kzg/multiopen/shplonk/verifier.rs deleted file mode 100644 index 5d03940177..0000000000 --- a/halo2_proofs/src/poly/kzg/multiopen/shplonk/verifier.rs +++ /dev/null @@ -1,140 +0,0 @@ -use std::fmt::Debug; - -use super::ChallengeY; -use super::{construct_intermediate_sets, ChallengeU, ChallengeV}; -use crate::arithmetic::{ - eval_polynomial, evaluate_vanishing_polynomial, lagrange_interpolate, powers, -}; -use crate::helpers::SerdeCurveAffine; -use crate::poly::commitment::Verifier; -use crate::poly::commitment::MSM; -use crate::poly::kzg::commitment::{KZGCommitmentScheme, ParamsKZG}; -use crate::poly::kzg::msm::DualMSM; -use crate::poly::kzg::msm::{PreMSM, MSMKZG}; -use crate::poly::kzg::strategy::GuardKZG; -use crate::poly::query::{CommitmentReference, VerifierQuery}; -use crate::poly::Error; -use crate::transcript::{EncodedChallenge, TranscriptRead}; -use ff::Field; -use halo2curves::pairing::{Engine, MultiMillerLoop}; -use halo2curves::CurveExt; -use std::ops::MulAssign; - -/// Concrete KZG multiopen verifier with SHPLONK variant -#[derive(Debug)] -pub struct VerifierSHPLONK<'params, E: Engine> { - params: &'params ParamsKZG, -} - -impl<'params, E> Verifier<'params, KZGCommitmentScheme> for VerifierSHPLONK<'params, E> -where - E: MultiMillerLoop + Debug, - E::Fr: Ord, - E::G1Affine: SerdeCurveAffine::Fr, CurveExt = ::G1>, - E::G1: CurveExt, - E::G2Affine: SerdeCurveAffine, -{ - type Guard = GuardKZG<'params, E>; - type MSMAccumulator = DualMSM<'params, E>; - - const QUERY_INSTANCE: bool = false; - - fn new(params: &'params ParamsKZG) -> Self { - Self { params } - } - - /// Verify a multi-opening proof - fn verify_proof< - 'com, - Ch: EncodedChallenge, - T: TranscriptRead, - I, - >( - &self, - transcript: &mut T, - queries: I, - mut msm_accumulator: DualMSM<'params, E>, - ) -> Result - where - I: IntoIterator>> + Clone, - { - let intermediate_sets = construct_intermediate_sets(queries); - let (rotation_sets, super_point_set) = ( - intermediate_sets.rotation_sets, - intermediate_sets.super_point_set, - ); - - let y: ChallengeY<_> = transcript.squeeze_challenge_scalar(); - let v: ChallengeV<_> = transcript.squeeze_challenge_scalar(); - - let h1 = transcript.read_point().map_err(|_| Error::SamplingError)?; - let u: ChallengeU<_> = transcript.squeeze_challenge_scalar(); - let h2 = transcript.read_point().map_err(|_| Error::SamplingError)?; - - let (mut z_0_diff_inverse, mut z_0) = (E::Fr::ZERO, E::Fr::ZERO); - let (mut outer_msm, mut r_outer_acc) = (PreMSM::::new(), E::Fr::ZERO); - for (i, (rotation_set, power_of_v)) in rotation_sets.iter().zip(powers(*v)).enumerate() { - let diffs: Vec = super_point_set - .iter() - .filter(|point| !rotation_set.points.contains(point)) - .copied() - .collect(); - let mut z_diff_i = evaluate_vanishing_polynomial(&diffs[..], *u); - - // normalize coefficients by the coefficient of the first commitment - if i == 0 { - z_0 = evaluate_vanishing_polynomial(&rotation_set.points[..], *u); - z_0_diff_inverse = z_diff_i.invert().unwrap(); - z_diff_i = E::Fr::ONE; - } else { - z_diff_i.mul_assign(z_0_diff_inverse); - } - - let (mut inner_msm, r_inner_acc) = rotation_set - .commitments - .iter() - .zip(powers(*y)) - .map(|(commitment_data, power_of_y)| { - // calculate low degree equivalent - let r_x = lagrange_interpolate( - &rotation_set.points[..], - &commitment_data.evals()[..], - ); - let r_eval = power_of_y * eval_polynomial(&r_x[..], *u); - let msm = match commitment_data.get() { - CommitmentReference::Commitment(c) => { - let mut msm = MSMKZG::::new(); - msm.append_term(power_of_y, (*c).into()); - msm - } - CommitmentReference::MSM(msm) => { - let mut msm = msm.clone(); - msm.scale(power_of_y); - msm - } - }; - (msm, r_eval) - }) - .reduce(|(mut msm_acc, r_eval_acc), (msm, r_eval)| { - msm_acc.add_msm(&msm); - (msm_acc, r_eval_acc + r_eval) - }) - .unwrap(); - - inner_msm.scale(power_of_v * z_diff_i); - outer_msm.add_msm(inner_msm); - r_outer_acc += power_of_v * r_inner_acc * z_diff_i; - } - let mut outer_msm = outer_msm.normalize(); - let g1: E::G1 = self.params.g[0].into(); - outer_msm.append_term(-r_outer_acc, g1); - outer_msm.append_term(-z_0, h1.into()); - outer_msm.append_term(*u, h2.into()); - - msm_accumulator.left.append_term(E::Fr::ONE, h2.into()); - - msm_accumulator.right.add_msm(&outer_msm); - - Ok(Self::Guard::new(msm_accumulator)) - } -} diff --git a/halo2_proofs/src/poly/kzg/strategy.rs b/halo2_proofs/src/poly/kzg/strategy.rs deleted file mode 100644 index ee80d800ac..0000000000 --- a/halo2_proofs/src/poly/kzg/strategy.rs +++ /dev/null @@ -1,181 +0,0 @@ -use super::{ - commitment::{KZGCommitmentScheme, ParamsKZG}, - msm::DualMSM, -}; -use crate::{ - helpers::SerdeCurveAffine, - plonk::Error, - poly::{ - commitment::Verifier, - strategy::{Guard, VerificationStrategy}, - }, -}; -use ff::Field; -use halo2curves::{ - pairing::{Engine, MultiMillerLoop}, - CurveAffine, CurveExt, -}; -use rand_core::OsRng; -use std::fmt::Debug; - -/// Wrapper for linear verification accumulator -#[derive(Debug, Clone)] -pub struct GuardKZG<'params, E: MultiMillerLoop + Debug> -where - E::G1Affine: CurveAffine::Fr, CurveExt = ::G1>, - E::G1: CurveExt, -{ - pub(crate) msm_accumulator: DualMSM<'params, E>, -} - -/// Define accumulator type as `DualMSM` -impl<'params, E> Guard> for GuardKZG<'params, E> -where - E: MultiMillerLoop + Debug, - E::G1Affine: SerdeCurveAffine::Fr, CurveExt = ::G1>, - E::G1: CurveExt, - E::G2Affine: SerdeCurveAffine, -{ - type MSMAccumulator = DualMSM<'params, E>; -} - -/// KZG specific operations -impl<'params, E: MultiMillerLoop + Debug> GuardKZG<'params, E> -where - E::G1Affine: CurveAffine::Fr, CurveExt = ::G1>, - E::G1: CurveExt, -{ - pub(crate) fn new(msm_accumulator: DualMSM<'params, E>) -> Self { - Self { msm_accumulator } - } -} - -/// A verifier that checks multiple proofs in a batch -#[derive(Clone, Debug)] -pub struct AccumulatorStrategy<'params, E: Engine> -where - E::G1Affine: CurveAffine::Fr, CurveExt = ::G1>, - E::G1: CurveExt, -{ - pub(crate) msm_accumulator: DualMSM<'params, E>, -} - -impl<'params, E: MultiMillerLoop + Debug> AccumulatorStrategy<'params, E> -where - E::G1Affine: CurveAffine::Fr, CurveExt = ::G1>, - E::G1: CurveExt, -{ - /// Constructs an empty batch verifier - pub fn new(params: &'params ParamsKZG) -> Self { - AccumulatorStrategy { - msm_accumulator: DualMSM::new(params), - } - } - - /// Constructs and initialized new batch verifier - pub fn with(msm_accumulator: DualMSM<'params, E>) -> Self { - AccumulatorStrategy { msm_accumulator } - } -} - -/// A verifier that checks a single proof -#[derive(Clone, Debug)] -pub struct SingleStrategy<'params, E: Engine> -where - E::G1Affine: CurveAffine::Fr, CurveExt = ::G1>, - E::G1: CurveExt, -{ - pub(crate) msm: DualMSM<'params, E>, -} - -impl<'params, E: MultiMillerLoop + Debug> SingleStrategy<'params, E> -where - E::G1Affine: CurveAffine::Fr, CurveExt = ::G1>, - E::G1: CurveExt, -{ - /// Constructs an empty batch verifier - pub fn new(params: &'params ParamsKZG) -> Self { - SingleStrategy { - msm: DualMSM::new(params), - } - } -} - -impl< - 'params, - E: MultiMillerLoop + Debug, - V: Verifier< - 'params, - KZGCommitmentScheme, - MSMAccumulator = DualMSM<'params, E>, - Guard = GuardKZG<'params, E>, - >, - > VerificationStrategy<'params, KZGCommitmentScheme, V> for AccumulatorStrategy<'params, E> -where - E::G1Affine: SerdeCurveAffine::Fr, CurveExt = ::G1>, - E::G1: CurveExt, - E::G2Affine: SerdeCurveAffine, -{ - type Output = Self; - - fn new(params: &'params ParamsKZG) -> Self { - AccumulatorStrategy::new(params) - } - - fn process( - mut self, - f: impl FnOnce(V::MSMAccumulator) -> Result, - ) -> Result { - self.msm_accumulator.scale(E::Fr::random(OsRng)); - - // Guard is updated with new msm contributions - let guard = f(self.msm_accumulator)?; - Ok(Self { - msm_accumulator: guard.msm_accumulator, - }) - } - - fn finalize(self) -> bool { - self.msm_accumulator.check() - } -} - -impl< - 'params, - E: MultiMillerLoop + Debug, - V: Verifier< - 'params, - KZGCommitmentScheme, - MSMAccumulator = DualMSM<'params, E>, - Guard = GuardKZG<'params, E>, - >, - > VerificationStrategy<'params, KZGCommitmentScheme, V> for SingleStrategy<'params, E> -where - E::G1Affine: SerdeCurveAffine::Fr, CurveExt = ::G1>, - E::G1: CurveExt, - E::G2Affine: SerdeCurveAffine, -{ - type Output = (); - - fn new(params: &'params ParamsKZG) -> Self { - Self::new(params) - } - - fn process( - self, - f: impl FnOnce(V::MSMAccumulator) -> Result, - ) -> Result { - // Guard is updated with new msm contributions - let guard = f(self.msm)?; - let msm = guard.msm_accumulator; - if msm.check() { - Ok(()) - } else { - Err(Error::ConstraintSystemFailure) - } - } - - fn finalize(self) -> bool { - unreachable!(); - } -} diff --git a/halo2_proofs/src/poly/multiopen_test.rs b/halo2_proofs/src/poly/multiopen_test.rs deleted file mode 100644 index 47c6731167..0000000000 --- a/halo2_proofs/src/poly/multiopen_test.rs +++ /dev/null @@ -1,298 +0,0 @@ -#[cfg(test)] -mod test { - use crate::arithmetic::eval_polynomial; - use crate::plonk::Error; - use crate::poly::commitment::Blind; - use crate::poly::commitment::ParamsProver; - use crate::poly::{ - commitment::{CommitmentScheme, Params, Prover, Verifier}, - query::{ProverQuery, VerifierQuery}, - strategy::VerificationStrategy, - EvaluationDomain, - }; - use crate::transcript::{ - Blake2bRead, Blake2bWrite, Challenge255, EncodedChallenge, Keccak256Read, Keccak256Write, - TranscriptReadBuffer, TranscriptWriterBuffer, - }; - use ff::WithSmallOrderMulGroup; - use group::Curve; - use rand_core::OsRng; - - #[test] - fn test_roundtrip_ipa() { - use crate::poly::ipa::commitment::{IPACommitmentScheme, ParamsIPA}; - use crate::poly::ipa::multiopen::{ProverIPA, VerifierIPA}; - use crate::poly::ipa::strategy::AccumulatorStrategy; - use halo2curves::pasta::EqAffine; - - const K: u32 = 4; - - let params = ParamsIPA::::new(K); - - let proof = create_proof::< - IPACommitmentScheme, - ProverIPA<_>, - _, - Blake2bWrite<_, _, Challenge255<_>>, - >(¶ms); - - let verifier_params = params.verifier_params(); - - verify::< - IPACommitmentScheme, - VerifierIPA<_>, - _, - Blake2bRead<_, _, Challenge255<_>>, - AccumulatorStrategy<_>, - >(verifier_params, &proof[..], false); - - verify::< - IPACommitmentScheme, - VerifierIPA<_>, - _, - Blake2bRead<_, _, Challenge255<_>>, - AccumulatorStrategy<_>, - >(verifier_params, &proof[..], true); - } - - #[test] - fn test_roundtrip_ipa_keccak() { - use crate::poly::ipa::commitment::{IPACommitmentScheme, ParamsIPA}; - use crate::poly::ipa::multiopen::{ProverIPA, VerifierIPA}; - use crate::poly::ipa::strategy::AccumulatorStrategy; - use halo2curves::pasta::EqAffine; - - const K: u32 = 4; - - let params = ParamsIPA::::new(K); - - let proof = create_proof::< - IPACommitmentScheme, - ProverIPA<_>, - _, - Keccak256Write<_, _, Challenge255<_>>, - >(¶ms); - - let verifier_params = params.verifier_params(); - - verify::< - IPACommitmentScheme, - VerifierIPA<_>, - _, - Keccak256Read<_, _, Challenge255<_>>, - AccumulatorStrategy<_>, - >(verifier_params, &proof[..], false); - - verify::< - IPACommitmentScheme, - VerifierIPA<_>, - _, - Keccak256Read<_, _, Challenge255<_>>, - AccumulatorStrategy<_>, - >(verifier_params, &proof[..], true); - } - - #[test] - fn test_roundtrip_gwc() { - use crate::poly::kzg::commitment::{KZGCommitmentScheme, ParamsKZG}; - use crate::poly::kzg::multiopen::{ProverGWC, VerifierGWC}; - use crate::poly::kzg::strategy::AccumulatorStrategy; - use halo2curves::bn256::Bn256; - - const K: u32 = 4; - - let params = ParamsKZG::::new(K); - - let proof = - create_proof::<_, ProverGWC<_>, _, Blake2bWrite<_, _, Challenge255<_>>>(¶ms); - - let verifier_params = params.verifier_params(); - - verify::<_, VerifierGWC<_>, _, Blake2bRead<_, _, Challenge255<_>>, AccumulatorStrategy<_>>( - verifier_params, - &proof[..], - false, - ); - - verify::< - KZGCommitmentScheme, - VerifierGWC<_>, - _, - Blake2bRead<_, _, Challenge255<_>>, - AccumulatorStrategy<_>, - >(verifier_params, &proof[..], true); - } - - #[test] - fn test_roundtrip_shplonk() { - use crate::poly::kzg::commitment::{KZGCommitmentScheme, ParamsKZG}; - use crate::poly::kzg::multiopen::{ProverSHPLONK, VerifierSHPLONK}; - use crate::poly::kzg::strategy::AccumulatorStrategy; - use halo2curves::bn256::Bn256; - - const K: u32 = 4; - - let params = ParamsKZG::::new(K); - - let proof = create_proof::< - KZGCommitmentScheme, - ProverSHPLONK<_>, - _, - Blake2bWrite<_, _, Challenge255<_>>, - >(¶ms); - - let verifier_params = params.verifier_params(); - - verify::< - KZGCommitmentScheme, - VerifierSHPLONK<_>, - _, - Blake2bRead<_, _, Challenge255<_>>, - AccumulatorStrategy<_>, - >(verifier_params, &proof[..], false); - - verify::< - KZGCommitmentScheme, - VerifierSHPLONK<_>, - _, - Blake2bRead<_, _, Challenge255<_>>, - AccumulatorStrategy<_>, - >(verifier_params, &proof[..], true); - } - - fn verify< - 'a, - 'params, - Scheme: CommitmentScheme, - V: Verifier<'params, Scheme>, - E: EncodedChallenge, - T: TranscriptReadBuffer<&'a [u8], Scheme::Curve, E>, - Strategy: VerificationStrategy<'params, Scheme, V, Output = Strategy>, - >( - params: &'params Scheme::ParamsVerifier, - proof: &'a [u8], - should_fail: bool, - ) { - let verifier = V::new(params); - - let mut transcript = T::init(proof); - - let a = transcript.read_point().unwrap(); - let b = transcript.read_point().unwrap(); - let c = transcript.read_point().unwrap(); - - let x = transcript.squeeze_challenge(); - let y = transcript.squeeze_challenge(); - - let avx = transcript.read_scalar().unwrap(); - let bvx = transcript.read_scalar().unwrap(); - let cvy = transcript.read_scalar().unwrap(); - - let valid_queries = std::iter::empty() - .chain(Some(VerifierQuery::new_commitment(&a, x.get_scalar(), avx))) - .chain(Some(VerifierQuery::new_commitment(&b, x.get_scalar(), bvx))) - .chain(Some(VerifierQuery::new_commitment(&c, y.get_scalar(), cvy))); - - let invalid_queries = std::iter::empty() - .chain(Some(VerifierQuery::new_commitment(&a, x.get_scalar(), avx))) - .chain(Some(VerifierQuery::new_commitment(&b, x.get_scalar(), avx))) - .chain(Some(VerifierQuery::new_commitment(&c, y.get_scalar(), cvy))); - - let queries = if should_fail { - invalid_queries.clone() - } else { - valid_queries.clone() - }; - - { - let strategy = Strategy::new(params); - let strategy = strategy - .process(|msm_accumulator| { - verifier - .verify_proof(&mut transcript, queries.clone(), msm_accumulator) - .map_err(|_| Error::Opening) - }) - .unwrap(); - - assert_eq!(strategy.finalize(), !should_fail); - } - } - - fn create_proof< - 'params, - Scheme: CommitmentScheme, - P: Prover<'params, Scheme>, - E: EncodedChallenge, - T: TranscriptWriterBuffer, Scheme::Curve, E>, - >( - params: &'params Scheme::ParamsProver, - ) -> Vec - where - Scheme::Scalar: WithSmallOrderMulGroup<3>, - { - let domain = EvaluationDomain::new(1, params.k()); - - let mut ax = domain.empty_coeff(); - for (i, a) in ax.iter_mut().enumerate() { - *a = <::Scalar>::from(10 + i as u64); - } - - let mut bx = domain.empty_coeff(); - for (i, a) in bx.iter_mut().enumerate() { - *a = <::Scalar>::from(100 + i as u64); - } - - let mut cx = domain.empty_coeff(); - for (i, a) in cx.iter_mut().enumerate() { - *a = <::Scalar>::from(100 + i as u64); - } - - let mut transcript = T::init(vec![]); - - let blind = Blind::new(&mut OsRng); - let a = params.commit(&ax, blind).to_affine(); - let b = params.commit(&bx, blind).to_affine(); - let c = params.commit(&cx, blind).to_affine(); - - transcript.write_point(a).unwrap(); - transcript.write_point(b).unwrap(); - transcript.write_point(c).unwrap(); - - let x = transcript.squeeze_challenge(); - let y = transcript.squeeze_challenge(); - - let avx = eval_polynomial(&ax, x.get_scalar()); - let bvx = eval_polynomial(&bx, x.get_scalar()); - let cvy = eval_polynomial(&cx, y.get_scalar()); - - transcript.write_scalar(avx).unwrap(); - transcript.write_scalar(bvx).unwrap(); - transcript.write_scalar(cvy).unwrap(); - - let queries = [ - ProverQuery { - point: x.get_scalar(), - poly: &ax, - blind, - }, - ProverQuery { - point: x.get_scalar(), - poly: &bx, - blind, - }, - ProverQuery { - point: y.get_scalar(), - poly: &cx, - blind, - }, - ] - .to_vec(); - - let prover = P::new(params); - prover - .create_proof(&mut OsRng, &mut transcript, queries) - .unwrap(); - - transcript.finalize() - } -} diff --git a/halo2_proofs/src/poly/query.rs b/halo2_proofs/src/poly/query.rs deleted file mode 100644 index bc7a20c240..0000000000 --- a/halo2_proofs/src/poly/query.rs +++ /dev/null @@ -1,160 +0,0 @@ -use std::fmt::Debug; - -use super::commitment::{Blind, MSM}; -use crate::{ - arithmetic::eval_polynomial, - poly::{Coeff, Polynomial}, -}; -use halo2curves::CurveAffine; - -pub trait Query: Sized + Clone + Send + Sync { - type Commitment: PartialEq + Copy + Send + Sync; - type Eval: Clone + Default + Debug; - - fn get_point(&self) -> F; - fn get_eval(&self) -> Self::Eval; - fn get_commitment(&self) -> Self::Commitment; -} - -/// A polynomial query at a point -#[derive(Debug, Clone, Copy)] -pub struct ProverQuery<'com, C: CurveAffine> { - /// Point at which polynomial is queried - pub(crate) point: C::Scalar, - /// Coefficients of polynomial - pub(crate) poly: &'com Polynomial, - /// Blinding factor of polynomial - pub(crate) blind: Blind, -} - -impl<'com, C> ProverQuery<'com, C> -where - C: CurveAffine, -{ - /// Create a new prover query based on a polynomial - pub fn new( - point: C::Scalar, - poly: &'com Polynomial, - blind: Blind, - ) -> Self { - ProverQuery { point, poly, blind } - } -} - -#[doc(hidden)] -#[derive(Copy, Clone)] -pub struct PolynomialPointer<'com, C: CurveAffine> { - pub(crate) poly: &'com Polynomial, - pub(crate) blind: Blind, -} - -impl<'com, C: CurveAffine> PartialEq for PolynomialPointer<'com, C> { - fn eq(&self, other: &Self) -> bool { - std::ptr::eq(self.poly, other.poly) - } -} - -impl<'com, C: CurveAffine> Query for ProverQuery<'com, C> { - type Commitment = PolynomialPointer<'com, C>; - type Eval = C::Scalar; - - fn get_point(&self) -> C::Scalar { - self.point - } - fn get_eval(&self) -> Self::Eval { - eval_polynomial(&self.poly[..], self.get_point()) - } - fn get_commitment(&self) -> Self::Commitment { - PolynomialPointer { - poly: self.poly, - blind: self.blind, - } - } -} - -impl<'com, C: CurveAffine, M: MSM> VerifierQuery<'com, C, M> { - /// Create a new verifier query based on a commitment - pub fn new_commitment(commitment: &'com C, point: C::Scalar, eval: C::Scalar) -> Self { - VerifierQuery { - point, - eval, - commitment: CommitmentReference::Commitment(commitment), - } - } - - /// Create a new verifier query based on a linear combination of commitments - pub fn new_msm(msm: &'com M, point: C::Scalar, eval: C::Scalar) -> VerifierQuery<'com, C, M> { - VerifierQuery { - point, - eval, - commitment: CommitmentReference::MSM(msm), - } - } -} - -/// A polynomial query at a point -#[derive(Debug, Clone, Copy)] -pub struct VerifierQuery<'com, C: CurveAffine, M: MSM> { - /// Point at which polynomial is queried - pub(crate) point: C::Scalar, - /// Commitment to polynomial - pub(crate) commitment: CommitmentReference<'com, C, M>, - /// Evaluation of polynomial at query point - pub(crate) eval: C::Scalar, -} - -impl<'com, C, M> VerifierQuery<'com, C, M> -where - C: CurveAffine, - M: MSM, -{ - /// Create a new verifier query based on a commitment - pub fn new( - point: C::Scalar, - commitment: CommitmentReference<'com, C, M>, - eval: C::Scalar, - ) -> Self { - VerifierQuery { - point, - commitment, - eval, - } - } -} - -#[allow(clippy::upper_case_acronyms)] -#[derive(Clone, Debug)] -pub enum CommitmentReference<'r, C: CurveAffine, M: MSM> { - Commitment(&'r C), - MSM(&'r M), -} - -impl<'r, C: CurveAffine, M: MSM> Copy for CommitmentReference<'r, C, M> {} - -impl<'r, C: CurveAffine, M: MSM> PartialEq for CommitmentReference<'r, C, M> { - #![allow(clippy::vtable_address_comparisons)] - fn eq(&self, other: &Self) -> bool { - match (self, other) { - (&CommitmentReference::Commitment(a), &CommitmentReference::Commitment(b)) => { - std::ptr::eq(a, b) - } - (&CommitmentReference::MSM(a), &CommitmentReference::MSM(b)) => std::ptr::eq(a, b), - _ => false, - } - } -} - -impl<'com, C: CurveAffine, M: MSM> Query for VerifierQuery<'com, C, M> { - type Eval = C::Scalar; - type Commitment = CommitmentReference<'com, C, M>; - - fn get_point(&self) -> C::Scalar { - self.point - } - fn get_eval(&self) -> C::Scalar { - self.eval - } - fn get_commitment(&self) -> Self::Commitment { - self.commitment - } -} diff --git a/halo2_proofs/src/poly/strategy.rs b/halo2_proofs/src/poly/strategy.rs deleted file mode 100644 index 850f95e6c9..0000000000 --- a/halo2_proofs/src/poly/strategy.rs +++ /dev/null @@ -1,31 +0,0 @@ -use super::commitment::{CommitmentScheme, Verifier}; -use crate::plonk::Error; - -/// Guards is unfinished verification result. Implement this to construct various -/// verification strategies such as aggregation and recursion. -pub trait Guard { - /// Multi scalar engine which is not evaluated yet. - type MSMAccumulator; -} - -/// Trait representing a strategy for verifying Halo 2 proofs. -pub trait VerificationStrategy<'params, Scheme: CommitmentScheme, V: Verifier<'params, Scheme>> { - /// The output type of this verification strategy after processing a proof. - type Output; - - /// Creates new verification strategy instance - fn new(params: &'params Scheme::ParamsVerifier) -> Self; - - /// Obtains an MSM from the verifier strategy and yields back the strategy's - /// output. - fn process( - self, - f: impl FnOnce(V::MSMAccumulator) -> Result, - ) -> Result; - - /// Finalizes the batch and checks its validity. - /// - /// Returns `false` if *some* proof was invalid. If the caller needs to identify - /// specific failing proofs, it must re-process the proofs separately. - fn finalize(self) -> bool; -} diff --git a/halo2_proofs/src/transcript.rs b/halo2_proofs/src/transcript.rs deleted file mode 100644 index 6e4f812bdf..0000000000 --- a/halo2_proofs/src/transcript.rs +++ /dev/null @@ -1,554 +0,0 @@ -//! This module contains utilities and traits for dealing with Fiat-Shamir -//! transcripts. - -use blake2b_simd::{Params as Blake2bParams, State as Blake2bState}; -use group::ff::{FromUniformBytes, PrimeField}; -use sha3::{Digest, Keccak256}; -use std::convert::TryInto; - -use halo2curves::{Coordinates, CurveAffine}; - -use std::io::{self, Read, Write}; -use std::marker::PhantomData; - -/// Prefix to a prover's message soliciting a challenge -const BLAKE2B_PREFIX_CHALLENGE: u8 = 0; - -/// Prefix to a prover's message containing a curve point -const BLAKE2B_PREFIX_POINT: u8 = 1; - -/// Prefix to a prover's message containing a scalar -const BLAKE2B_PREFIX_SCALAR: u8 = 2; - -/// Prefix to a prover's message soliciting a challenge -const KECCAK256_PREFIX_CHALLENGE: u8 = 0; - -/// First prefix to a prover's message soliciting a challenge -/// Not included in the growing state! -const KECCAK256_PREFIX_CHALLENGE_LO: u8 = 10; - -/// Second prefix to a prover's message soliciting a challenge -/// Not included in the growing state! -const KECCAK256_PREFIX_CHALLENGE_HI: u8 = 11; - -/// Prefix to a prover's message containing a curve point -const KECCAK256_PREFIX_POINT: u8 = 1; - -/// Prefix to a prover's message containing a scalar -const KECCAK256_PREFIX_SCALAR: u8 = 2; - -/// Generic transcript view (from either the prover or verifier's perspective) -pub trait Transcript> { - /// Squeeze an encoded verifier challenge from the transcript. - fn squeeze_challenge(&mut self) -> E; - - /// Squeeze a typed challenge (in the scalar field) from the transcript. - fn squeeze_challenge_scalar(&mut self) -> ChallengeScalar { - ChallengeScalar { - inner: self.squeeze_challenge().get_scalar(), - _marker: PhantomData, - } - } - - /// Writing the point to the transcript without writing it to the proof, - /// treating it as a common input. - fn common_point(&mut self, point: C) -> io::Result<()>; - - /// Writing the scalar to the transcript without writing it to the proof, - /// treating it as a common input. - fn common_scalar(&mut self, scalar: C::Scalar) -> io::Result<()>; -} - -/// Transcript view from the perspective of a verifier that has access to an -/// input stream of data from the prover to the verifier. -pub trait TranscriptRead>: Transcript { - /// Read a curve point from the prover. - fn read_point(&mut self) -> io::Result; - - /// Read a curve scalar from the prover. - fn read_scalar(&mut self) -> io::Result; -} - -/// Transcript view from the perspective of a prover that has access to an -/// output stream of messages from the prover to the verifier. -pub trait TranscriptWrite>: Transcript { - /// Write a curve point to the proof and the transcript. - fn write_point(&mut self, point: C) -> io::Result<()>; - - /// Write a scalar to the proof and the transcript. - fn write_scalar(&mut self, scalar: C::Scalar) -> io::Result<()>; -} - -/// Initializes transcript at verifier side. -pub trait TranscriptReadBuffer>: - TranscriptRead -{ - /// Initialize a transcript given an input buffer. - fn init(reader: R) -> Self; -} - -/// Manages beginning and finishing of transcript pipeline. -pub trait TranscriptWriterBuffer>: - TranscriptWrite -{ - /// Initialize a transcript given an output buffer. - fn init(writer: W) -> Self; - - /// Conclude the interaction and return the output buffer (writer). - fn finalize(self) -> W; -} - -/// We will replace BLAKE2b with an algebraic hash function in a later version. -#[derive(Debug, Clone)] -pub struct Blake2bRead> { - state: Blake2bState, - reader: R, - _marker: PhantomData<(C, E)>, -} - -/// Keccak256 hash function reader for EVM compatibility -#[derive(Debug, Clone)] -pub struct Keccak256Read> { - state: Keccak256, - reader: R, - _marker: PhantomData<(C, E)>, -} - -impl TranscriptReadBuffer> - for Blake2bRead> -where - C::Scalar: FromUniformBytes<64>, -{ - /// Initialize a transcript given an input buffer. - fn init(reader: R) -> Self { - Blake2bRead { - state: Blake2bParams::new() - .hash_length(64) - .personal(b"Halo2-Transcript") - .to_state(), - reader, - _marker: PhantomData, - } - } -} - -impl TranscriptReadBuffer> - for Keccak256Read> -where - C::Scalar: FromUniformBytes<64>, -{ - /// Initialize a transcript given an input buffer. - fn init(reader: R) -> Self { - let mut state = Keccak256::new(); - state.update(b"Halo2-Transcript"); - Keccak256Read { - state, - reader, - _marker: PhantomData, - } - } -} - -impl TranscriptRead> - for Blake2bRead> -where - C::Scalar: FromUniformBytes<64>, -{ - fn read_point(&mut self) -> io::Result { - let mut compressed = C::Repr::default(); - self.reader.read_exact(compressed.as_mut())?; - let point: C = Option::from(C::from_bytes(&compressed)).ok_or_else(|| { - io::Error::new(io::ErrorKind::Other, "invalid point encoding in proof") - })?; - self.common_point(point)?; - - Ok(point) - } - - fn read_scalar(&mut self) -> io::Result { - let mut data = ::Repr::default(); - self.reader.read_exact(data.as_mut())?; - let scalar: C::Scalar = Option::from(C::Scalar::from_repr(data)).ok_or_else(|| { - io::Error::new( - io::ErrorKind::Other, - "invalid field element encoding in proof", - ) - })?; - self.common_scalar(scalar)?; - - Ok(scalar) - } -} - -impl TranscriptRead> - for Keccak256Read> -where - C::Scalar: FromUniformBytes<64>, -{ - fn read_point(&mut self) -> io::Result { - let mut compressed = C::Repr::default(); - self.reader.read_exact(compressed.as_mut())?; - let point: C = Option::from(C::from_bytes(&compressed)).ok_or_else(|| { - io::Error::new(io::ErrorKind::Other, "invalid point encoding in proof") - })?; - self.common_point(point)?; - - Ok(point) - } - - fn read_scalar(&mut self) -> io::Result { - let mut data = ::Repr::default(); - self.reader.read_exact(data.as_mut())?; - let scalar: C::Scalar = Option::from(C::Scalar::from_repr(data)).ok_or_else(|| { - io::Error::new( - io::ErrorKind::Other, - "invalid field element encoding in proof", - ) - })?; - self.common_scalar(scalar)?; - - Ok(scalar) - } -} - -impl Transcript> for Blake2bRead> -where - C::Scalar: FromUniformBytes<64>, -{ - fn squeeze_challenge(&mut self) -> Challenge255 { - self.state.update(&[BLAKE2B_PREFIX_CHALLENGE]); - let hasher = self.state.clone(); - let result: [u8; 64] = hasher.finalize().as_bytes().try_into().unwrap(); - Challenge255::::new(&result) - } - - fn common_point(&mut self, point: C) -> io::Result<()> { - self.state.update(&[BLAKE2B_PREFIX_POINT]); - let coords: Coordinates = Option::from(point.coordinates()).ok_or_else(|| { - io::Error::new( - io::ErrorKind::Other, - "cannot write points at infinity to the transcript", - ) - })?; - self.state.update(coords.x().to_repr().as_ref()); - self.state.update(coords.y().to_repr().as_ref()); - - Ok(()) - } - - fn common_scalar(&mut self, scalar: C::Scalar) -> io::Result<()> { - self.state.update(&[BLAKE2B_PREFIX_SCALAR]); - self.state.update(scalar.to_repr().as_ref()); - - Ok(()) - } -} - -impl Transcript> - for Keccak256Read> -where - C::Scalar: FromUniformBytes<64>, -{ - fn squeeze_challenge(&mut self) -> Challenge255 { - self.state.update([KECCAK256_PREFIX_CHALLENGE]); - - let mut state_lo = self.state.clone(); - let mut state_hi = self.state.clone(); - state_lo.update([KECCAK256_PREFIX_CHALLENGE_LO]); - state_hi.update([KECCAK256_PREFIX_CHALLENGE_HI]); - let result_lo: [u8; 32] = state_lo.finalize().as_slice().try_into().unwrap(); - let result_hi: [u8; 32] = state_hi.finalize().as_slice().try_into().unwrap(); - - let mut t = result_lo.to_vec(); - t.extend_from_slice(&result_hi[..]); - let result: [u8; 64] = t.as_slice().try_into().unwrap(); - - Challenge255::::new(&result) - } - - fn common_point(&mut self, point: C) -> io::Result<()> { - self.state.update([KECCAK256_PREFIX_POINT]); - let coords: Coordinates = Option::from(point.coordinates()).ok_or_else(|| { - io::Error::new( - io::ErrorKind::Other, - "cannot write points at infinity to the transcript", - ) - })?; - self.state.update(coords.x().to_repr().as_ref()); - self.state.update(coords.y().to_repr().as_ref()); - - Ok(()) - } - - fn common_scalar(&mut self, scalar: C::Scalar) -> io::Result<()> { - self.state.update([KECCAK256_PREFIX_SCALAR]); - self.state.update(scalar.to_repr().as_ref()); - - Ok(()) - } -} - -/// We will replace BLAKE2b with an algebraic hash function in a later version. -#[derive(Debug, Clone)] -pub struct Blake2bWrite> { - state: Blake2bState, - writer: W, - _marker: PhantomData<(C, E)>, -} - -/// Keccak256 hash function writer for EVM compatibility -#[derive(Debug, Clone)] -pub struct Keccak256Write> { - state: Keccak256, - writer: W, - _marker: PhantomData<(C, E)>, -} - -impl TranscriptWriterBuffer> - for Blake2bWrite> -where - C::Scalar: FromUniformBytes<64>, -{ - /// Initialize a transcript given an output buffer. - fn init(writer: W) -> Self { - Blake2bWrite { - state: Blake2bParams::new() - .hash_length(64) - .personal(b"Halo2-Transcript") - .to_state(), - writer, - _marker: PhantomData, - } - } - - fn finalize(self) -> W { - // TODO: handle outstanding scalars? see issue #138 - self.writer - } -} - -impl TranscriptWriterBuffer> - for Keccak256Write> -where - C::Scalar: FromUniformBytes<64>, -{ - /// Initialize a transcript given an output buffer. - fn init(writer: W) -> Self { - let mut state = Keccak256::new(); - state.update(b"Halo2-Transcript"); - Keccak256Write { - state, - writer, - _marker: PhantomData, - } - } - - /// Conclude the interaction and return the output buffer (writer). - fn finalize(self) -> W { - // TODO: handle outstanding scalars? see issue #138 - self.writer - } -} - -impl TranscriptWrite> - for Blake2bWrite> -where - C::Scalar: FromUniformBytes<64>, -{ - fn write_point(&mut self, point: C) -> io::Result<()> { - self.common_point(point)?; - let compressed = point.to_bytes(); - self.writer.write_all(compressed.as_ref()) - } - fn write_scalar(&mut self, scalar: C::Scalar) -> io::Result<()> { - self.common_scalar(scalar)?; - let data = scalar.to_repr(); - self.writer.write_all(data.as_ref()) - } -} - -impl TranscriptWrite> - for Keccak256Write> -where - C::Scalar: FromUniformBytes<64>, -{ - fn write_point(&mut self, point: C) -> io::Result<()> { - self.common_point(point)?; - let compressed = point.to_bytes(); - self.writer.write_all(compressed.as_ref()) - } - fn write_scalar(&mut self, scalar: C::Scalar) -> io::Result<()> { - self.common_scalar(scalar)?; - let data = scalar.to_repr(); - self.writer.write_all(data.as_ref()) - } -} - -impl Transcript> - for Blake2bWrite> -where - C::Scalar: FromUniformBytes<64>, -{ - fn squeeze_challenge(&mut self) -> Challenge255 { - self.state.update(&[BLAKE2B_PREFIX_CHALLENGE]); - let hasher = self.state.clone(); - let result: [u8; 64] = hasher.finalize().as_bytes().try_into().unwrap(); - Challenge255::::new(&result) - } - - fn common_point(&mut self, point: C) -> io::Result<()> { - self.state.update(&[BLAKE2B_PREFIX_POINT]); - let coords: Coordinates = Option::from(point.coordinates()).ok_or_else(|| { - io::Error::new( - io::ErrorKind::Other, - "cannot write points at infinity to the transcript", - ) - })?; - self.state.update(coords.x().to_repr().as_ref()); - self.state.update(coords.y().to_repr().as_ref()); - - Ok(()) - } - - fn common_scalar(&mut self, scalar: C::Scalar) -> io::Result<()> { - self.state.update(&[BLAKE2B_PREFIX_SCALAR]); - self.state.update(scalar.to_repr().as_ref()); - - Ok(()) - } -} - -impl Transcript> - for Keccak256Write> -where - C::Scalar: FromUniformBytes<64>, -{ - fn squeeze_challenge(&mut self) -> Challenge255 { - self.state.update([KECCAK256_PREFIX_CHALLENGE]); - - let mut state_lo = self.state.clone(); - let mut state_hi = self.state.clone(); - state_lo.update([KECCAK256_PREFIX_CHALLENGE_LO]); - state_hi.update([KECCAK256_PREFIX_CHALLENGE_HI]); - let result_lo: [u8; 32] = state_lo.finalize().as_slice().try_into().unwrap(); - let result_hi: [u8; 32] = state_hi.finalize().as_slice().try_into().unwrap(); - - let mut t = result_lo.to_vec(); - t.extend_from_slice(&result_hi[..]); - let result: [u8; 64] = t.as_slice().try_into().unwrap(); - - Challenge255::::new(&result) - } - - fn common_point(&mut self, point: C) -> io::Result<()> { - self.state.update([KECCAK256_PREFIX_POINT]); - let coords: Coordinates = Option::from(point.coordinates()).ok_or_else(|| { - io::Error::new( - io::ErrorKind::Other, - "cannot write points at infinity to the transcript", - ) - })?; - self.state.update(coords.x().to_repr().as_ref()); - self.state.update(coords.y().to_repr().as_ref()); - - Ok(()) - } - - fn common_scalar(&mut self, scalar: C::Scalar) -> io::Result<()> { - self.state.update([KECCAK256_PREFIX_SCALAR]); - self.state.update(scalar.to_repr().as_ref()); - - Ok(()) - } -} - -/// The scalar representation of a verifier challenge. -/// -/// The `Type` type can be used to scope the challenge to a specific context, or -/// set to `()` if no context is required. -#[derive(Copy, Clone, Debug)] -pub struct ChallengeScalar { - inner: C::Scalar, - _marker: PhantomData, -} - -impl std::ops::Deref for ChallengeScalar { - type Target = C::Scalar; - - fn deref(&self) -> &Self::Target { - &self.inner - } -} - -/// `EncodedChallenge` defines a challenge encoding with a [`Self::Input`] -/// that is used to derive the challenge encoding and `get_challenge` obtains -/// the _real_ `C::Scalar` that the challenge encoding represents. -pub trait EncodedChallenge { - /// The Input type used to derive the challenge encoding. For example, - /// an input from the Poseidon hash would be a base field element; - /// an input from the Blake2b hash would be a [u8; 64]. - type Input; - - /// Get an encoded challenge from a given input challenge. - fn new(challenge_input: &Self::Input) -> Self; - - /// Get a scalar field element from an encoded challenge. - fn get_scalar(&self) -> C::Scalar; - - /// Cast an encoded challenge as a typed `ChallengeScalar`. - fn as_challenge_scalar(&self) -> ChallengeScalar { - ChallengeScalar { - inner: self.get_scalar(), - _marker: PhantomData, - } - } -} - -/// A 255-bit challenge. -#[derive(Copy, Clone, Debug)] -pub struct Challenge255([u8; 32], PhantomData); - -impl std::ops::Deref for Challenge255 { - type Target = [u8; 32]; - - fn deref(&self) -> &Self::Target { - &self.0 - } -} - -impl EncodedChallenge for Challenge255 -where - C::Scalar: FromUniformBytes<64>, -{ - type Input = [u8; 64]; - - fn new(challenge_input: &[u8; 64]) -> Self { - Challenge255( - C::Scalar::from_uniform_bytes(challenge_input) - .to_repr() - .as_ref() - .try_into() - .expect("Scalar fits into 256 bits"), - PhantomData, - ) - } - fn get_scalar(&self) -> C::Scalar { - let mut repr = ::Repr::default(); - repr.as_mut().copy_from_slice(&self.0); - C::Scalar::from_repr(repr).unwrap() - } -} - -pub(crate) fn read_n_points, T: TranscriptRead>( - transcript: &mut T, - n: usize, -) -> io::Result> { - (0..n).map(|_| transcript.read_point()).collect() -} - -pub(crate) fn read_n_scalars, T: TranscriptRead>( - transcript: &mut T, - n: usize, -) -> io::Result> { - (0..n).map(|_| transcript.read_scalar()).collect() -} diff --git a/halo2_proofs/tests/plonk_api.rs b/halo2_proofs/tests/plonk_api.rs deleted file mode 100644 index 28ffb399ff..0000000000 --- a/halo2_proofs/tests/plonk_api.rs +++ /dev/null @@ -1,1026 +0,0 @@ -#![allow(clippy::many_single_char_names)] -#![allow(clippy::op_ref)] - -use assert_matches::assert_matches; -use ff::{FromUniformBytes, WithSmallOrderMulGroup}; -use halo2_proofs::arithmetic::Field; -use halo2_proofs::circuit::{Cell, Layouter, SimpleFloorPlanner, Value}; -use halo2_proofs::dev::MockProver; -use halo2_proofs::plonk::{ - create_proof as create_plonk_proof, keygen_pk, keygen_vk, verify_proof as verify_plonk_proof, - Advice, Assigned, Circuit, Column, ConstraintSystem, Error, Fixed, ProvingKey, TableColumn, - VerifyingKey, -}; -use halo2_proofs::poly::commitment::{CommitmentScheme, ParamsProver, Prover, Verifier}; -use halo2_proofs::poly::Rotation; -use halo2_proofs::poly::VerificationStrategy; -use halo2_proofs::transcript::{ - Blake2bRead, Blake2bWrite, Challenge255, EncodedChallenge, TranscriptReadBuffer, - TranscriptWriterBuffer, -}; -use rand_core::{OsRng, RngCore}; -use std::marker::PhantomData; - -#[test] -fn plonk_api() { - const K: u32 = 5; - - /// This represents an advice column at a certain row in the ConstraintSystem - #[derive(Copy, Clone, Debug)] - pub struct Variable(Column, usize); - - #[derive(Clone)] - struct PlonkConfig { - a: Column, - b: Column, - c: Column, - d: Column, - e: Column, - - sa: Column, - sb: Column, - sc: Column, - sm: Column, - sp: Column, - sl: TableColumn, - } - - #[allow(clippy::type_complexity)] - trait StandardCs { - fn raw_multiply( - &self, - layouter: &mut impl Layouter, - f: F, - ) -> Result<(Cell, Cell, Cell), Error> - where - F: FnMut() -> Value<(Assigned, Assigned, Assigned)>; - fn raw_add( - &self, - layouter: &mut impl Layouter, - f: F, - ) -> Result<(Cell, Cell, Cell), Error> - where - F: FnMut() -> Value<(Assigned, Assigned, Assigned)>; - fn copy(&self, layouter: &mut impl Layouter, a: Cell, b: Cell) -> Result<(), Error>; - fn public_input(&self, layouter: &mut impl Layouter, f: F) -> Result - where - F: FnMut() -> Value; - fn lookup_table( - &self, - layouter: &mut impl Layouter, - values: &[FF], - ) -> Result<(), Error>; - } - - #[derive(Clone)] - struct MyCircuit { - a: Value, - lookup_table: Vec, - } - - struct StandardPlonk { - config: PlonkConfig, - _marker: PhantomData, - } - - impl StandardPlonk { - fn new(config: PlonkConfig) -> Self { - StandardPlonk { - config, - _marker: PhantomData, - } - } - } - - impl StandardCs for StandardPlonk { - fn raw_multiply( - &self, - layouter: &mut impl Layouter, - mut f: F, - ) -> Result<(Cell, Cell, Cell), Error> - where - F: FnMut() -> Value<(Assigned, Assigned, Assigned)>, - { - layouter.assign_region( - || "raw_multiply", - |mut region| { - let mut value = None; - let lhs = region.assign_advice( - || "lhs", - self.config.a, - 0, - || { - value = Some(f()); - value.unwrap().map(|v| v.0) - }, - )?; - region.assign_advice( - || "lhs^4", - self.config.d, - 0, - || value.unwrap().map(|v| v.0).square().square(), - )?; - let rhs = region.assign_advice( - || "rhs", - self.config.b, - 0, - || value.unwrap().map(|v| v.1), - )?; - region.assign_advice( - || "rhs^4", - self.config.e, - 0, - || value.unwrap().map(|v| v.1).square().square(), - )?; - let out = region.assign_advice( - || "out", - self.config.c, - 0, - || value.unwrap().map(|v| v.2), - )?; - - region.assign_fixed(|| "a", self.config.sa, 0, || Value::known(FF::ZERO))?; - region.assign_fixed(|| "b", self.config.sb, 0, || Value::known(FF::ZERO))?; - region.assign_fixed(|| "c", self.config.sc, 0, || Value::known(FF::ONE))?; - region.assign_fixed(|| "a * b", self.config.sm, 0, || Value::known(FF::ONE))?; - Ok((lhs.cell(), rhs.cell(), out.cell())) - }, - ) - } - fn raw_add( - &self, - layouter: &mut impl Layouter, - mut f: F, - ) -> Result<(Cell, Cell, Cell), Error> - where - F: FnMut() -> Value<(Assigned, Assigned, Assigned)>, - { - layouter.assign_region( - || "raw_add", - |mut region| { - let mut value = None; - let lhs = region.assign_advice( - || "lhs", - self.config.a, - 0, - || { - value = Some(f()); - value.unwrap().map(|v| v.0) - }, - )?; - region.assign_advice( - || "lhs^4", - self.config.d, - 0, - || value.unwrap().map(|v| v.0).square().square(), - )?; - let rhs = region.assign_advice( - || "rhs", - self.config.b, - 0, - || value.unwrap().map(|v| v.1), - )?; - region.assign_advice( - || "rhs^4", - self.config.e, - 0, - || value.unwrap().map(|v| v.1).square().square(), - )?; - let out = region.assign_advice( - || "out", - self.config.c, - 0, - || value.unwrap().map(|v| v.2), - )?; - - region.assign_fixed(|| "a", self.config.sa, 0, || Value::known(FF::ONE))?; - region.assign_fixed(|| "b", self.config.sb, 0, || Value::known(FF::ONE))?; - region.assign_fixed(|| "c", self.config.sc, 0, || Value::known(FF::ONE))?; - region.assign_fixed( - || "a * b", - self.config.sm, - 0, - || Value::known(FF::ZERO), - )?; - Ok((lhs.cell(), rhs.cell(), out.cell())) - }, - ) - } - fn copy( - &self, - layouter: &mut impl Layouter, - left: Cell, - right: Cell, - ) -> Result<(), Error> { - layouter.assign_region( - || "copy", - |mut region| { - region.constrain_equal(left, right)?; - region.constrain_equal(left, right) - }, - ) - } - fn public_input(&self, layouter: &mut impl Layouter, mut f: F) -> Result - where - F: FnMut() -> Value, - { - layouter.assign_region( - || "public_input", - |mut region| { - let value = region.assign_advice(|| "value", self.config.a, 0, &mut f)?; - region.assign_fixed( - || "public", - self.config.sp, - 0, - || Value::known(FF::ONE), - )?; - - Ok(value.cell()) - }, - ) - } - fn lookup_table( - &self, - layouter: &mut impl Layouter, - values: &[FF], - ) -> Result<(), Error> { - layouter.assign_table( - || "", - |mut table| { - for (index, &value) in values.iter().enumerate() { - table.assign_cell( - || "table col", - self.config.sl, - index, - || Value::known(value), - )?; - } - Ok(()) - }, - )?; - Ok(()) - } - } - - impl Circuit for MyCircuit { - type Config = PlonkConfig; - type FloorPlanner = SimpleFloorPlanner; - #[cfg(feature = "circuit-params")] - type Params = (); - - fn without_witnesses(&self) -> Self { - Self { - a: Value::unknown(), - lookup_table: self.lookup_table.clone(), - } - } - - fn configure(meta: &mut ConstraintSystem) -> PlonkConfig { - let e = meta.advice_column(); - let a = meta.advice_column(); - let b = meta.advice_column(); - let sf = meta.fixed_column(); - let c = meta.advice_column(); - let d = meta.advice_column(); - let p = meta.instance_column(); - - meta.enable_equality(a); - meta.enable_equality(b); - meta.enable_equality(c); - - let sm = meta.fixed_column(); - let sa = meta.fixed_column(); - let sb = meta.fixed_column(); - let sc = meta.fixed_column(); - let sp = meta.fixed_column(); - let sl = meta.lookup_table_column(); - - /* - * A B ... sl - * [ - * instance 0 ... 0 - * a a ... 0 - * a a^2 ... 0 - * a a ... 0 - * a a^2 ... 0 - * ... ... ... ... - * ... ... ... instance - * ... ... ... a - * ... ... ... a - * ... ... ... 0 - * ] - */ - - meta.lookup("lookup", |meta| { - let a_ = meta.query_any(a, Rotation::cur()); - vec![(a_, sl)] - }); - - meta.create_gate("Combined add-mult", |meta| { - let d = meta.query_advice(d, Rotation::next()); - let a = meta.query_advice(a, Rotation::cur()); - let sf = meta.query_fixed(sf, Rotation::cur()); - let e = meta.query_advice(e, Rotation::prev()); - let b = meta.query_advice(b, Rotation::cur()); - let c = meta.query_advice(c, Rotation::cur()); - - let sa = meta.query_fixed(sa, Rotation::cur()); - let sb = meta.query_fixed(sb, Rotation::cur()); - let sc = meta.query_fixed(sc, Rotation::cur()); - let sm = meta.query_fixed(sm, Rotation::cur()); - - vec![a.clone() * sa + b.clone() * sb + a * b * sm - (c * sc) + sf * (d * e)] - }); - - meta.create_gate("Public input", |meta| { - let a = meta.query_advice(a, Rotation::cur()); - let p = meta.query_instance(p, Rotation::cur()); - let sp = meta.query_fixed(sp, Rotation::cur()); - - vec![sp * (a - p)] - }); - - meta.enable_equality(sf); - meta.enable_equality(e); - meta.enable_equality(d); - meta.enable_equality(p); - meta.enable_equality(sm); - meta.enable_equality(sa); - meta.enable_equality(sb); - meta.enable_equality(sc); - meta.enable_equality(sp); - - PlonkConfig { - a, - b, - c, - d, - e, - sa, - sb, - sc, - sm, - sp, - sl, - } - } - - fn synthesize( - &self, - config: PlonkConfig, - mut layouter: impl Layouter, - ) -> Result<(), Error> { - let cs = StandardPlonk::new(config); - - let _ = cs.public_input(&mut layouter, || Value::known(F::ONE + F::ONE))?; - - for _ in 0..10 { - let a: Value> = self.a.into(); - let mut a_squared = Value::unknown(); - let (a0, _, c0) = cs.raw_multiply(&mut layouter, || { - a_squared = a.square(); - a.zip(a_squared).map(|(a, a_squared)| (a, a, a_squared)) - })?; - let (a1, b1, _) = cs.raw_add(&mut layouter, || { - let fin = a_squared + a; - a.zip(a_squared) - .zip(fin) - .map(|((a, a_squared), fin)| (a, a_squared, fin)) - })?; - cs.copy(&mut layouter, a0, a1)?; - cs.copy(&mut layouter, b1, c0)?; - } - - cs.lookup_table(&mut layouter, &self.lookup_table)?; - - Ok(()) - } - } - - macro_rules! common { - ($scheme:ident) => {{ - let a = <$scheme as CommitmentScheme>::Scalar::from(2834758237) - * <$scheme as CommitmentScheme>::Scalar::ZETA; - let instance = <$scheme as CommitmentScheme>::Scalar::ONE - + <$scheme as CommitmentScheme>::Scalar::ONE; - let lookup_table = vec![instance, a, a, <$scheme as CommitmentScheme>::Scalar::ZERO]; - (a, instance, lookup_table) - }}; - } - - macro_rules! bad_keys { - ($scheme:ident) => {{ - let (_, _, lookup_table) = common!($scheme); - let empty_circuit: MyCircuit<<$scheme as CommitmentScheme>::Scalar> = MyCircuit { - a: Value::unknown(), - lookup_table: lookup_table.clone(), - }; - - // Check that we get an error if we try to initialize the proving key with a value of - // k that is too small for the minimum required number of rows. - let much_too_small_params= <$scheme as CommitmentScheme>::ParamsProver::new(1); - assert_matches!( - keygen_vk(&much_too_small_params, &empty_circuit), - Err(Error::NotEnoughRowsAvailable { - current_k, - }) if current_k == 1 - ); - - // Check that we get an error if we try to initialize the proving key with a value of - // k that is too small for the number of rows the circuit uses. - let slightly_too_small_params = <$scheme as CommitmentScheme>::ParamsProver::new(K-1); - assert_matches!( - keygen_vk(&slightly_too_small_params, &empty_circuit), - Err(Error::NotEnoughRowsAvailable { - current_k, - }) if current_k == K - 1 - ); - }}; - } - - fn keygen(params: &Scheme::ParamsProver) -> ProvingKey - where - Scheme::Scalar: FromUniformBytes<64> + WithSmallOrderMulGroup<3>, - { - let (_, _, lookup_table) = common!(Scheme); - let empty_circuit: MyCircuit = MyCircuit { - a: Value::unknown(), - lookup_table, - }; - - // Initialize the proving key - let vk = keygen_vk(params, &empty_circuit).expect("keygen_vk should not fail"); - - keygen_pk(params, vk, &empty_circuit).expect("keygen_pk should not fail") - } - - fn create_proof< - 'params, - Scheme: CommitmentScheme, - P: Prover<'params, Scheme>, - E: EncodedChallenge, - R: RngCore, - T: TranscriptWriterBuffer, Scheme::Curve, E>, - >( - rng: R, - params: &'params Scheme::ParamsProver, - pk: &ProvingKey, - ) -> Vec - where - Scheme::Scalar: Ord + WithSmallOrderMulGroup<3> + FromUniformBytes<64>, - { - let (a, instance, lookup_table) = common!(Scheme); - - let circuit: MyCircuit = MyCircuit { - a: Value::known(a), - lookup_table, - }; - - let mut transcript = T::init(vec![]); - - create_plonk_proof::( - params, - pk, - &[circuit.clone(), circuit.clone()], - &[&[&[instance]], &[&[instance]]], - rng, - &mut transcript, - ) - .expect("proof generation should not fail"); - - // Check this circuit is satisfied. - let prover = match MockProver::run(K, &circuit, vec![vec![instance]]) { - Ok(prover) => prover, - Err(e) => panic!("{e:?}"), - }; - assert_eq!(prover.verify(), Ok(())); - - transcript.finalize() - } - - fn verify_proof< - 'a, - 'params, - Scheme: CommitmentScheme, - V: Verifier<'params, Scheme>, - E: EncodedChallenge, - T: TranscriptReadBuffer<&'a [u8], Scheme::Curve, E>, - Strategy: VerificationStrategy<'params, Scheme, V, Output = Strategy>, - >( - params_verifier: &'params Scheme::ParamsVerifier, - vk: &VerifyingKey, - proof: &'a [u8], - ) where - Scheme::Scalar: Ord + WithSmallOrderMulGroup<3> + FromUniformBytes<64>, - { - let (_, instance, _) = common!(Scheme); - let pubinputs = [instance]; - - let mut transcript = T::init(proof); - - let strategy = Strategy::new(params_verifier); - let strategy = verify_plonk_proof( - params_verifier, - vk, - strategy, - &[&[&pubinputs[..]], &[&pubinputs[..]]], - &mut transcript, - ) - .unwrap(); - - assert!(strategy.finalize()); - } - - fn test_plonk_api_gwc() { - use halo2_proofs::poly::kzg::commitment::{KZGCommitmentScheme, ParamsKZG}; - use halo2_proofs::poly::kzg::multiopen::{ProverGWC, VerifierGWC}; - use halo2_proofs::poly::kzg::strategy::AccumulatorStrategy; - use halo2curves::bn256::Bn256; - - type Scheme = KZGCommitmentScheme; - bad_keys!(Scheme); - - let params = ParamsKZG::::new(K); - let rng = OsRng; - - let pk = keygen::>(¶ms); - - let proof = create_proof::<_, ProverGWC<_>, _, _, Blake2bWrite<_, _, Challenge255<_>>>( - rng, ¶ms, &pk, - ); - - let verifier_params = params.verifier_params(); - - verify_proof::< - _, - VerifierGWC<_>, - _, - Blake2bRead<_, _, Challenge255<_>>, - AccumulatorStrategy<_>, - >(verifier_params, pk.get_vk(), &proof[..]); - } - - fn test_plonk_api_shplonk() { - use halo2_proofs::poly::kzg::commitment::{KZGCommitmentScheme, ParamsKZG}; - use halo2_proofs::poly::kzg::multiopen::{ProverSHPLONK, VerifierSHPLONK}; - use halo2_proofs::poly::kzg::strategy::AccumulatorStrategy; - use halo2curves::bn256::Bn256; - - type Scheme = KZGCommitmentScheme; - bad_keys!(Scheme); - - let params = ParamsKZG::::new(K); - let rng = OsRng; - - let pk = keygen::>(¶ms); - - let proof = create_proof::<_, ProverSHPLONK<_>, _, _, Blake2bWrite<_, _, Challenge255<_>>>( - rng, ¶ms, &pk, - ); - - let verifier_params = params.verifier_params(); - - verify_proof::< - _, - VerifierSHPLONK<_>, - _, - Blake2bRead<_, _, Challenge255<_>>, - AccumulatorStrategy<_>, - >(verifier_params, pk.get_vk(), &proof[..]); - } - - fn test_plonk_api_ipa() { - use halo2_proofs::poly::ipa::commitment::{IPACommitmentScheme, ParamsIPA}; - use halo2_proofs::poly::ipa::multiopen::{ProverIPA, VerifierIPA}; - use halo2_proofs::poly::ipa::strategy::AccumulatorStrategy; - use halo2curves::pasta::EqAffine; - - type Scheme = IPACommitmentScheme; - bad_keys!(Scheme); - - let params = ParamsIPA::::new(K); - let rng = OsRng; - - let pk = keygen::>(¶ms); - - let proof = create_proof::<_, ProverIPA<_>, _, _, Blake2bWrite<_, _, Challenge255<_>>>( - rng, ¶ms, &pk, - ); - - let verifier_params = params.verifier_params(); - - verify_proof::< - _, - VerifierIPA<_>, - _, - Blake2bRead<_, _, Challenge255<_>>, - AccumulatorStrategy<_>, - >(verifier_params, pk.get_vk(), &proof[..]); - - // Check that the verification key has not changed unexpectedly - { - //panic!("{:#?}", pk.get_vk().pinned()); - assert_eq!( - format!("{:#?}", pk.get_vk().pinned()), - r#####"PinnedVerificationKey { - base_modulus: "0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001", - scalar_modulus: "0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001", - domain: PinnedEvaluationDomain { - k: 5, - extended_k: 7, - omega: 0x0cc3380dc616f2e1daf29ad1560833ed3baea3393eceb7bc8fa36376929b78cc, - }, - cs: PinnedConstraintSystem { - num_fixed_columns: 7, - num_advice_columns: 5, - num_instance_columns: 1, - num_selectors: 0, - gates: [ - Sum( - Sum( - Sum( - Sum( - Product( - Advice { - query_index: 0, - column_index: 1, - rotation: Rotation( - 0, - ), - }, - Fixed { - query_index: 2, - column_index: 2, - rotation: Rotation( - 0, - ), - }, - ), - Product( - Advice { - query_index: 1, - column_index: 2, - rotation: Rotation( - 0, - ), - }, - Fixed { - query_index: 3, - column_index: 3, - rotation: Rotation( - 0, - ), - }, - ), - ), - Product( - Product( - Advice { - query_index: 0, - column_index: 1, - rotation: Rotation( - 0, - ), - }, - Advice { - query_index: 1, - column_index: 2, - rotation: Rotation( - 0, - ), - }, - ), - Fixed { - query_index: 5, - column_index: 1, - rotation: Rotation( - 0, - ), - }, - ), - ), - Negated( - Product( - Advice { - query_index: 2, - column_index: 3, - rotation: Rotation( - 0, - ), - }, - Fixed { - query_index: 4, - column_index: 4, - rotation: Rotation( - 0, - ), - }, - ), - ), - ), - Product( - Fixed { - query_index: 1, - column_index: 0, - rotation: Rotation( - 0, - ), - }, - Product( - Advice { - query_index: 3, - column_index: 4, - rotation: Rotation( - 1, - ), - }, - Advice { - query_index: 4, - column_index: 0, - rotation: Rotation( - -1, - ), - }, - ), - ), - ), - Product( - Fixed { - query_index: 6, - column_index: 5, - rotation: Rotation( - 0, - ), - }, - Sum( - Advice { - query_index: 0, - column_index: 1, - rotation: Rotation( - 0, - ), - }, - Negated( - Instance { - query_index: 0, - column_index: 0, - rotation: Rotation( - 0, - ), - }, - ), - ), - ), - ], - advice_queries: [ - ( - Column { - index: 1, - column_type: Advice, - }, - Rotation( - 0, - ), - ), - ( - Column { - index: 2, - column_type: Advice, - }, - Rotation( - 0, - ), - ), - ( - Column { - index: 3, - column_type: Advice, - }, - Rotation( - 0, - ), - ), - ( - Column { - index: 4, - column_type: Advice, - }, - Rotation( - 1, - ), - ), - ( - Column { - index: 0, - column_type: Advice, - }, - Rotation( - -1, - ), - ), - ( - Column { - index: 0, - column_type: Advice, - }, - Rotation( - 0, - ), - ), - ( - Column { - index: 4, - column_type: Advice, - }, - Rotation( - 0, - ), - ), - ], - instance_queries: [ - ( - Column { - index: 0, - column_type: Instance, - }, - Rotation( - 0, - ), - ), - ], - fixed_queries: [ - ( - Column { - index: 6, - column_type: Fixed, - }, - Rotation( - 0, - ), - ), - ( - Column { - index: 0, - column_type: Fixed, - }, - Rotation( - 0, - ), - ), - ( - Column { - index: 2, - column_type: Fixed, - }, - Rotation( - 0, - ), - ), - ( - Column { - index: 3, - column_type: Fixed, - }, - Rotation( - 0, - ), - ), - ( - Column { - index: 4, - column_type: Fixed, - }, - Rotation( - 0, - ), - ), - ( - Column { - index: 1, - column_type: Fixed, - }, - Rotation( - 0, - ), - ), - ( - Column { - index: 5, - column_type: Fixed, - }, - Rotation( - 0, - ), - ), - ], - permutation: Argument { - columns: [ - Column { - index: 1, - column_type: Advice, - }, - Column { - index: 2, - column_type: Advice, - }, - Column { - index: 3, - column_type: Advice, - }, - Column { - index: 0, - column_type: Fixed, - }, - Column { - index: 0, - column_type: Advice, - }, - Column { - index: 4, - column_type: Advice, - }, - Column { - index: 0, - column_type: Instance, - }, - Column { - index: 1, - column_type: Fixed, - }, - Column { - index: 2, - column_type: Fixed, - }, - Column { - index: 3, - column_type: Fixed, - }, - Column { - index: 4, - column_type: Fixed, - }, - Column { - index: 5, - column_type: Fixed, - }, - ], - }, - lookups: [ - Argument { - input_expressions: [ - Advice { - query_index: 0, - column_index: 1, - rotation: Rotation( - 0, - ), - }, - ], - table_expressions: [ - Fixed { - query_index: 0, - column_index: 6, - rotation: Rotation( - 0, - ), - }, - ], - }, - ], - constants: [], - minimum_degree: None, - }, - fixed_commitments: [ - (0x2bbc94ef7b22aebef24f9a4b0cc1831882548b605171366017d45c3e6fd92075, 0x082b801a6e176239943bfb759fb02138f47a5c8cc4aa7fa0af559fde4e3abd97), - (0x2bf5082b105b2156ed0e9c5b8e42bf2a240b058f74a464d080e9585274dd1e84, 0x222ad83cee7777e7a160585e212140e5e770dd8d1df788d869b5ee483a5864fb), - (0x374a656456a0aae7429b23336f825752b575dd5a44290ff614946ee59d6a20c0, 0x054491e187e6e3460e7601fb54ae10836d34d420026f96316f0c5c62f86db9b8), - (0x374a656456a0aae7429b23336f825752b575dd5a44290ff614946ee59d6a20c0, 0x054491e187e6e3460e7601fb54ae10836d34d420026f96316f0c5c62f86db9b8), - (0x02e62cd68370b13711139a08cbcdd889e800a272b9ea10acc90880fff9d89199, 0x1a96c468cb0ce77065d3a58f1e55fea9b72d15e44c01bba1e110bd0cbc6e9bc6), - (0x224ef42758215157d3ee48fb8d769da5bddd35e5929a90a4a89736f5c4b5ae9b, 0x11bc3a1e08eb320cde764f1492ecef956d71e996e2165f7a9a30ad2febb511c1), - (0x2d5415bf917fcac32bfb705f8ca35cb12d9bad52aa33ccca747350f9235d3a18, 0x2b2921f815fad504052512743963ef20ed5b401d20627793b006413e73fe4dd4), - ], - permutation: VerifyingKey { - commitments: [ - (0x1347b4b385837977a96b87f199c6a9a81520015539d1e8fa79429bb4ca229a00, 0x2168e404cabef513654d6ff516cde73f0ba87e3dc84e4b940ed675b5f66f3884), - (0x0e6d69cd2455ec43be640f6397ed65c9e51b1d8c0fd2216339314ff37ade122a, 0x222ed6dc8cfc9ea26dcc10b9d4add791ada60f2b5a63ee1e4635f88aa0c96654), - (0x13c447846f48c41a5e0675ccf88ebc0cdef2c96c51446d037acb866d24255785, 0x1f0b5414fc5e8219dbfab996eed6129d831488b2386a8b1a63663938903bd63a), - (0x1aae6470aa662b8fda003894ddef5fedd03af318b3231683039d2fac9cab05b9, 0x08832d91ae69e99cd07d096c7a4a284a69e6a16227cbb07932a0cdc56914f3a6), - (0x0850521b0f8ac7dd0550fe3e25c840837076e9635067ed623b81d5cbac5944d9, 0x0c25d65d1038d0a92c72e5fccd96c1caf07801c3c8233290bb292e0c38c256fa), - (0x12febcf696badd970750eabf75dd3ced4c2f54f93519bcee23849025177d2014, 0x0a05ab3cd42c9fbcc1bbfcf9269951640cc9920761c87cf8e211ba73c8d9f90f), - (0x053904bdde8cfead3b517bb4f6ded3e699f8b94ca6156a9dd2f92a2a05a7ec5a, 0x16753ff97c0d82ff586bb7a07bf7f27a92df90b3617fa5e75d4f55c3b0ef8711), - (0x3804548f6816452747a5b542fa5656353fc989db40d69e9e27d6f973b5deebb0, 0x389a44d5037866dd83993af75831a5f90a18ad5244255aa5bd2c922cc5853055), - (0x003a9f9ca71c7c0b832c802220915f6fc8d840162bdde6b0ea05d25fb95559e3, 0x091247ca19d6b73887cd7f68908cbf0db0b47459b7c82276bbdb8a1c937e2438), - (0x3eaa38689d9e391c8a8fafab9568f20c45816321d38f309d4cc37f4b1601af72, 0x247f8270a462ea88450221a56aa6b55d2bc352b80b03501e99ea983251ceea13), - (0x394437571f9de32dccdc546fd4737772d8d92593c85438aa3473243997d5acc8, 0x14924ec6e3174f1fab7f0ce7070c22f04bbd0a0ecebdfc5c94be857f25493e95), - (0x3d907e0591343bd285c2c846f3e871a6ac70d80ec29e9500b8cb57f544e60202, 0x1034e48df35830244cabea076be8a16d67d7896e27c6ac22b285d017105da9c3), - ], - }, -}"##### - ); - } - } - - test_plonk_api_ipa(); - test_plonk_api_gwc(); - test_plonk_api_shplonk(); -} diff --git a/halo2_proofs/proptest-regressions/plonk/assigned.txt b/proptest-regressions/plonk/assigned.txt similarity index 100% rename from halo2_proofs/proptest-regressions/plonk/assigned.txt rename to proptest-regressions/plonk/assigned.txt diff --git a/halo2_proofs/proptest-regressions/plonk/circuit/compress_selectors.txt b/proptest-regressions/plonk/circuit/compress_selectors.txt similarity index 100% rename from halo2_proofs/proptest-regressions/plonk/circuit/compress_selectors.txt rename to proptest-regressions/plonk/circuit/compress_selectors.txt diff --git a/rust-toolchain b/rust-toolchain index 65ee095984..32a6ce3c71 100644 --- a/rust-toolchain +++ b/rust-toolchain @@ -1 +1 @@ -1.67.0 +1.76.0 diff --git a/halo2_proofs/src/circuit/floor_planner.rs b/src/circuit/floor_planner.rs similarity index 100% rename from halo2_proofs/src/circuit/floor_planner.rs rename to src/circuit/floor_planner.rs diff --git a/halo2_proofs/src/circuit/floor_planner/single_pass.rs b/src/circuit/floor_planner/single_pass.rs similarity index 96% rename from halo2_proofs/src/circuit/floor_planner/single_pass.rs rename to src/circuit/floor_planner/single_pass.rs index 33c09e4c57..06fd2b190b 100644 --- a/halo2_proofs/src/circuit/floor_planner/single_pass.rs +++ b/src/circuit/floor_planner/single_pass.rs @@ -5,6 +5,7 @@ use std::marker::PhantomData; use ff::Field; +use crate::utils::rational::Rational; use crate::{ circuit::{ layouter::{RegionColumn, RegionLayouter, RegionShape, SyncDeps, TableLayouter}, @@ -12,8 +13,8 @@ use crate::{ Cell, Layouter, Region, RegionIndex, RegionStart, Table, Value, }, plonk::{ - Advice, Any, Assigned, Assignment, Challenge, Circuit, Column, Error, Fixed, FloorPlanner, - Instance, Selector, TableColumn, + Advice, Any, Assignment, Challenge, Circuit, Column, Error, Fixed, FloorPlanner, Instance, + Selector, TableColumn, }, }; @@ -225,7 +226,7 @@ struct SingleChipLayouterRegion<'r, 'a, F: Field, CS: Assignment + 'a> { layouter: &'r mut SingleChipLayouter<'a, F, CS>, region_index: RegionIndex, /// Stores the constants to be assigned, and the cells to which they are copied. - constants: Vec<(Assigned, Cell)>, + constants: Vec<(Rational, Cell)>, } impl<'r, 'a, F: Field, CS: Assignment + 'a> fmt::Debug @@ -278,7 +279,7 @@ impl<'r, 'a, F: Field, CS: Assignment + 'a + SyncDeps> RegionLayouter annotation: &'v (dyn Fn() -> String + 'v), column: Column, offset: usize, - to: &'v mut (dyn FnMut() -> Value> + 'v), + to: &'v mut (dyn FnMut() -> Value> + 'v), ) -> Result { self.layouter.cs.assign_advice( annotation, @@ -299,7 +300,7 @@ impl<'r, 'a, F: Field, CS: Assignment + 'a + SyncDeps> RegionLayouter annotation: &'v (dyn Fn() -> String + 'v), column: Column, offset: usize, - constant: Assigned, + constant: Rational, ) -> Result { let advice = self.assign_advice(annotation, column, offset, &mut || Value::known(constant))?; @@ -343,7 +344,7 @@ impl<'r, 'a, F: Field, CS: Assignment + 'a + SyncDeps> RegionLayouter annotation: &'v (dyn Fn() -> String + 'v), column: Column, offset: usize, - to: &'v mut (dyn FnMut() -> Value> + 'v), + to: &'v mut (dyn FnMut() -> Value> + 'v), ) -> Result { self.layouter.cs.assign_fixed( annotation, @@ -359,7 +360,7 @@ impl<'r, 'a, F: Field, CS: Assignment + 'a + SyncDeps> RegionLayouter }) } - fn constrain_constant(&mut self, cell: Cell, constant: Assigned) -> Result<(), Error> { + fn constrain_constant(&mut self, cell: Cell, constant: Rational) -> Result<(), Error> { self.constants.push((constant, cell)); Ok(()) } diff --git a/halo2_proofs/src/circuit/floor_planner/v1.rs b/src/circuit/floor_planner/v1.rs similarity index 97% rename from halo2_proofs/src/circuit/floor_planner/v1.rs rename to src/circuit/floor_planner/v1.rs index fd26e681df..6dd426c5b3 100644 --- a/halo2_proofs/src/circuit/floor_planner/v1.rs +++ b/src/circuit/floor_planner/v1.rs @@ -2,6 +2,7 @@ use std::fmt; use ff::Field; +use crate::utils::rational::Rational; use crate::{ circuit::{ layouter::{RegionColumn, RegionLayouter, RegionShape, SyncDeps, TableLayouter}, @@ -9,8 +10,8 @@ use crate::{ Cell, Layouter, Region, RegionIndex, RegionStart, Table, Value, }, plonk::{ - Advice, Any, Assigned, Assignment, Challenge, Circuit, Column, Error, Fixed, FloorPlanner, - Instance, Selector, TableColumn, + Advice, Any, Assignment, Challenge, Circuit, Column, Error, Fixed, FloorPlanner, Instance, + Selector, TableColumn, }, }; @@ -32,7 +33,7 @@ struct V1Plan<'a, F: Field, CS: Assignment + 'a> { /// Stores the starting row for each region. regions: Vec, /// Stores the constants to be assigned, and the cells to which they are copied. - constants: Vec<(Assigned, Cell)>, + constants: Vec<(Rational, Cell)>, /// Stores the table fixed columns. table_columns: Vec, } @@ -386,7 +387,7 @@ impl<'r, 'a, F: Field, CS: Assignment + SyncDeps> RegionLayouter for V1Reg annotation: &'v (dyn Fn() -> String + 'v), column: Column, offset: usize, - to: &'v mut (dyn FnMut() -> Value> + 'v), + to: &'v mut (dyn FnMut() -> Value> + 'v), ) -> Result { self.plan.cs.assign_advice( annotation, @@ -407,7 +408,7 @@ impl<'r, 'a, F: Field, CS: Assignment + SyncDeps> RegionLayouter for V1Reg annotation: &'v (dyn Fn() -> String + 'v), column: Column, offset: usize, - constant: Assigned, + constant: Rational, ) -> Result { let advice = self.assign_advice(annotation, column, offset, &mut || Value::known(constant))?; @@ -451,7 +452,7 @@ impl<'r, 'a, F: Field, CS: Assignment + SyncDeps> RegionLayouter for V1Reg annotation: &'v (dyn Fn() -> String + 'v), column: Column, offset: usize, - to: &'v mut (dyn FnMut() -> Value> + 'v), + to: &'v mut (dyn FnMut() -> Value> + 'v), ) -> Result { self.plan.cs.assign_fixed( annotation, @@ -467,7 +468,7 @@ impl<'r, 'a, F: Field, CS: Assignment + SyncDeps> RegionLayouter for V1Reg }) } - fn constrain_constant(&mut self, cell: Cell, constant: Assigned) -> Result<(), Error> { + fn constrain_constant(&mut self, cell: Cell, constant: Rational) -> Result<(), Error> { self.plan.constants.push((constant, cell)); Ok(()) } diff --git a/halo2_proofs/src/circuit/floor_planner/v1/strategy.rs b/src/circuit/floor_planner/v1/strategy.rs similarity index 89% rename from halo2_proofs/src/circuit/floor_planner/v1/strategy.rs rename to src/circuit/floor_planner/v1/strategy.rs index 71745de245..b0ef9082b8 100644 --- a/halo2_proofs/src/circuit/floor_planner/v1/strategy.rs +++ b/src/circuit/floor_planner/v1/strategy.rs @@ -213,22 +213,8 @@ pub fn slot_in_biggest_advice_first( advice_cols * shape.row_count() }; - // This used to incorrectly use `sort_unstable_by_key` with non-unique keys, which gave - // output that differed between 32-bit and 64-bit platforms, and potentially between Rust - // versions. - // We now use `sort_by_cached_key` with non-unique keys, and rely on `region_shapes` - // being sorted by region index (which we also rely on below to return `RegionStart`s - // in the correct order). - #[cfg(not(feature = "floor-planner-v1-legacy-pdqsort"))] sorted_regions.sort_by_cached_key(sort_key); - // To preserve compatibility, when the "floor-planner-v1-legacy-pdqsort" feature is enabled, - // we use a copy of the pdqsort implementation from the Rust 1.56.1 standard library, fixed - // to its behaviour on 64-bit platforms. - // https://github.com/rust-lang/rust/blob/1.56.1/library/core/src/slice/mod.rs#L2365-L2402 - #[cfg(feature = "floor-planner-v1-legacy-pdqsort")] - halo2_legacy_pdqsort::sort::quicksort(&mut sorted_regions, |a, b| sort_key(a).lt(&sort_key(b))); - sorted_regions.reverse(); // Lay out the sorted regions. diff --git a/halo2_proofs/src/circuit/layouter.rs b/src/circuit/layouter.rs similarity index 93% rename from halo2_proofs/src/circuit/layouter.rs rename to src/circuit/layouter.rs index f939c3fca5..17ef6cd271 100644 --- a/halo2_proofs/src/circuit/layouter.rs +++ b/src/circuit/layouter.rs @@ -8,7 +8,8 @@ use ff::Field; pub use super::table_layouter::TableLayouter; use super::{Cell, RegionIndex, Value}; -use crate::plonk::{Advice, Any, Assigned, Column, Error, Fixed, Instance, Selector}; +use crate::plonk::{Advice, Any, Column, Error, Fixed, Instance, Selector}; +use crate::utils::rational::Rational; /// Intermediate trait requirements for [`RegionLayouter`] when thread-safe regions are enabled. #[cfg(feature = "thread-safe-region")] @@ -79,7 +80,7 @@ pub trait RegionLayouter: fmt::Debug + SyncDeps { annotation: &'v (dyn Fn() -> String + 'v), column: Column, offset: usize, - to: &'v mut (dyn FnMut() -> Value> + 'v), + to: &'v mut (dyn FnMut() -> Value> + 'v), ) -> Result; /// Assigns a constant value to the column `advice` at `offset` within this region. @@ -93,7 +94,7 @@ pub trait RegionLayouter: fmt::Debug + SyncDeps { annotation: &'v (dyn Fn() -> String + 'v), column: Column, offset: usize, - constant: Assigned, + constant: Rational, ) -> Result; /// Assign the value of the instance column's cell at absolute location @@ -120,13 +121,13 @@ pub trait RegionLayouter: fmt::Debug + SyncDeps { annotation: &'v (dyn Fn() -> String + 'v), column: Column, offset: usize, - to: &'v mut (dyn FnMut() -> Value> + 'v), + to: &'v mut (dyn FnMut() -> Value> + 'v), ) -> Result; /// Constrains a cell to have a constant value. /// /// Returns an error if the cell is in a column where equality has not been enabled. - fn constrain_constant(&mut self, cell: Cell, constant: Assigned) -> Result<(), Error>; + fn constrain_constant(&mut self, cell: Cell, constant: Rational) -> Result<(), Error>; /// Constraint two cells to have the same value. /// @@ -226,7 +227,7 @@ impl RegionLayouter for RegionShape { _: &'v (dyn Fn() -> String + 'v), column: Column, offset: usize, - _to: &'v mut (dyn FnMut() -> Value> + 'v), + _to: &'v mut (dyn FnMut() -> Value> + 'v), ) -> Result { self.columns.insert(Column::::from(column).into()); self.row_count = cmp::max(self.row_count, offset + 1); @@ -243,7 +244,7 @@ impl RegionLayouter for RegionShape { annotation: &'v (dyn Fn() -> String + 'v), column: Column, offset: usize, - constant: Assigned, + constant: Rational, ) -> Result { // The rest is identical to witnessing an advice cell. self.assign_advice(annotation, column, offset, &mut || Value::known(constant)) @@ -283,7 +284,7 @@ impl RegionLayouter for RegionShape { _: &'v (dyn Fn() -> String + 'v), column: Column, offset: usize, - _to: &'v mut (dyn FnMut() -> Value> + 'v), + _to: &'v mut (dyn FnMut() -> Value> + 'v), ) -> Result { self.columns.insert(Column::::from(column).into()); self.row_count = cmp::max(self.row_count, offset + 1); @@ -303,7 +304,7 @@ impl RegionLayouter for RegionShape { // Do nothing } - fn constrain_constant(&mut self, _cell: Cell, _constant: Assigned) -> Result<(), Error> { + fn constrain_constant(&mut self, _cell: Cell, _constant: Rational) -> Result<(), Error> { // Global constants don't affect the region shape. Ok(()) } diff --git a/halo2_proofs/src/circuit.rs b/src/circuit/mod.rs similarity index 94% rename from halo2_proofs/src/circuit.rs rename to src/circuit/mod.rs index 56a6be0e5c..29c8f856f9 100644 --- a/halo2_proofs/src/circuit.rs +++ b/src/circuit/mod.rs @@ -4,9 +4,7 @@ use std::{fmt, marker::PhantomData}; use ff::Field; -use crate::plonk::{ - Advice, Any, Assigned, Challenge, Column, Error, Fixed, Instance, Selector, TableColumn, -}; +use crate::plonk::{Advice, Any, Challenge, Column, Error, Fixed, Instance, Selector, TableColumn}; mod value; pub use value::Value; @@ -17,6 +15,7 @@ pub use floor_planner::single_pass::SimpleFloorPlanner; pub mod layouter; mod table_layouter; +use crate::utils::rational::Rational; pub use table_layouter::{SimpleTableLayouter, TableLayouter}; /// A chip implements a set of instructions that can be used by gadgets. @@ -51,7 +50,7 @@ pub trait Chip: Sized { } /// Index of a region in a layouter -#[derive(Clone, Copy, Debug)] +#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)] pub struct RegionIndex(usize); impl From for RegionIndex { @@ -87,7 +86,7 @@ impl std::ops::Deref for RegionStart { } /// A pointer to a cell within a circuit. -#[derive(Clone, Copy, Debug)] +#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)] pub struct Cell { /// Identifies the region in which this cell resides. pub region_index: RegionIndex, @@ -105,6 +104,21 @@ pub struct AssignedCell { _marker: PhantomData, } +impl PartialEq for AssignedCell { + fn eq(&self, other: &Self) -> bool { + self.cell == other.cell + } +} + +impl Eq for AssignedCell {} + +use std::hash::{Hash, Hasher}; +impl Hash for AssignedCell { + fn hash(&self, state: &mut H) { + self.cell.hash(state) + } +} + impl AssignedCell { /// Returns the value of the [`AssignedCell`]. pub fn value(&self) -> Value<&V> { @@ -119,15 +133,15 @@ impl AssignedCell { impl AssignedCell where - for<'v> Assigned: From<&'v V>, + for<'v> Rational: From<&'v V>, { /// Returns the field element value of the [`AssignedCell`]. - pub fn value_field(&self) -> Value> { + pub fn value_field(&self) -> Value> { self.value.to_field() } } -impl AssignedCell, F> { +impl AssignedCell, F> { /// Evaluates this assigned cell's value directly, performing an unbatched inversion /// if necessary. /// @@ -143,7 +157,7 @@ impl AssignedCell, F> { impl AssignedCell where - for<'v> Assigned: From<&'v V>, + for<'v> Rational: From<&'v V>, { /// Copies the value to a given advice cell and constrains them to be equal. /// @@ -232,7 +246,7 @@ impl<'r, F: Field> Region<'r, F> { ) -> Result, Error> where V: FnMut() -> Value + 'v, - for<'vr> Assigned: From<&'vr VR>, + for<'vr> Rational: From<&'vr VR>, A: Fn() -> AR, AR: Into, { @@ -267,7 +281,7 @@ impl<'r, F: Field> Region<'r, F> { constant: VR, ) -> Result, Error> where - for<'vr> Assigned: From<&'vr VR>, + for<'vr> Rational: From<&'vr VR>, A: Fn() -> AR, AR: Into, { @@ -341,7 +355,7 @@ impl<'r, F: Field> Region<'r, F> { ) -> Result, Error> where V: FnMut() -> Value + 'v, - for<'vr> Assigned: From<&'vr VR>, + for<'vr> Rational: From<&'vr VR>, A: Fn() -> AR, AR: Into, { @@ -367,7 +381,7 @@ impl<'r, F: Field> Region<'r, F> { /// Returns an error if the cell is in a column where equality has not been enabled. pub fn constrain_constant(&mut self, cell: Cell, constant: VR) -> Result<(), Error> where - VR: Into>, + VR: Into>, { self.region.constrain_constant(cell, constant.into()) } @@ -408,7 +422,7 @@ impl<'r, F: Field> Table<'r, F> { ) -> Result<(), Error> where V: FnMut() -> Value + 'v, - VR: Into>, + VR: Into>, A: Fn() -> AR, AR: Into, { diff --git a/halo2_proofs/src/circuit/table_layouter.rs b/src/circuit/table_layouter.rs similarity index 97% rename from halo2_proofs/src/circuit/table_layouter.rs rename to src/circuit/table_layouter.rs index 06338bb896..e5e519596f 100644 --- a/halo2_proofs/src/circuit/table_layouter.rs +++ b/src/circuit/table_layouter.rs @@ -7,7 +7,8 @@ use std::{ use ff::Field; -use crate::plonk::{Assigned, Assignment, Error, TableColumn, TableError}; +use crate::plonk::{Assignment, Error, TableColumn, TableError}; +use crate::utils::rational::Rational; use super::Value; @@ -25,7 +26,7 @@ pub trait TableLayouter: std::fmt::Debug { annotation: &'v (dyn Fn() -> String + 'v), column: TableColumn, offset: usize, - to: &'v mut (dyn FnMut() -> Value> + 'v), + to: &'v mut (dyn FnMut() -> Value> + 'v), ) -> Result<(), Error>; } @@ -36,7 +37,7 @@ pub trait TableLayouter: std::fmt::Debug { /// assigned. /// - The inner `Value` tracks whether the underlying `Assignment` is evaluating /// witnesses or not. -type DefaultTableValue = Option>>; +type DefaultTableValue = Option>>; /// A table layouter that can be used to assign values to a table. pub struct SimpleTableLayouter<'r, 'a, F: Field, CS: Assignment + 'a> { @@ -74,7 +75,7 @@ impl<'r, 'a, F: Field, CS: Assignment + 'a> TableLayouter annotation: &'v (dyn Fn() -> String + 'v), column: TableColumn, offset: usize, - to: &'v mut (dyn FnMut() -> Value> + 'v), + to: &'v mut (dyn FnMut() -> Value> + 'v), ) -> Result<(), Error> { if self.used_columns.contains(&column) { return Err(Error::TableError(TableError::UsedColumn(column))); diff --git a/halo2_proofs/src/circuit/value.rs b/src/circuit/value.rs similarity index 87% rename from halo2_proofs/src/circuit/value.rs rename to src/circuit/value.rs index f3ea6a39ea..3a5508514d 100644 --- a/halo2_proofs/src/circuit/value.rs +++ b/src/circuit/value.rs @@ -3,7 +3,8 @@ use std::ops::{Add, Mul, Neg, Sub}; use group::ff::Field; -use crate::plonk::{Assigned, Error}; +use crate::plonk::Error; +use crate::utils::rational::Rational; /// A value that might exist within a circuit. /// @@ -498,19 +499,19 @@ where } // -// Assigned +// Rational // -impl From> for Value> { +impl From> for Value> { fn from(value: Value) -> Self { Self { - inner: value.inner.map(Assigned::from), + inner: value.inner.map(Rational::from), } } } -impl Add> for Value> { - type Output = Value>; +impl Add> for Value> { + type Output = Value>; fn add(self, rhs: Value) -> Self::Output { Value { @@ -519,16 +520,16 @@ impl Add> for Value> { } } -impl Add for Value> { - type Output = Value>; +impl Add for Value> { + type Output = Value>; fn add(self, rhs: F) -> Self::Output { self + Value::known(rhs) } } -impl Add> for Value<&Assigned> { - type Output = Value>; +impl Add> for Value<&Rational> { + type Output = Value>; fn add(self, rhs: Value) -> Self::Output { Value { @@ -537,16 +538,16 @@ impl Add> for Value<&Assigned> { } } -impl Add for Value<&Assigned> { - type Output = Value>; +impl Add for Value<&Rational> { + type Output = Value>; fn add(self, rhs: F) -> Self::Output { self + Value::known(rhs) } } -impl Sub> for Value> { - type Output = Value>; +impl Sub> for Value> { + type Output = Value>; fn sub(self, rhs: Value) -> Self::Output { Value { @@ -555,16 +556,16 @@ impl Sub> for Value> { } } -impl Sub for Value> { - type Output = Value>; +impl Sub for Value> { + type Output = Value>; fn sub(self, rhs: F) -> Self::Output { self - Value::known(rhs) } } -impl Sub> for Value<&Assigned> { - type Output = Value>; +impl Sub> for Value<&Rational> { + type Output = Value>; fn sub(self, rhs: Value) -> Self::Output { Value { @@ -573,16 +574,16 @@ impl Sub> for Value<&Assigned> { } } -impl Sub for Value<&Assigned> { - type Output = Value>; +impl Sub for Value<&Rational> { + type Output = Value>; fn sub(self, rhs: F) -> Self::Output { self - Value::known(rhs) } } -impl Mul> for Value> { - type Output = Value>; +impl Mul> for Value> { + type Output = Value>; fn mul(self, rhs: Value) -> Self::Output { Value { @@ -591,16 +592,16 @@ impl Mul> for Value> { } } -impl Mul for Value> { - type Output = Value>; +impl Mul for Value> { + type Output = Value>; fn mul(self, rhs: F) -> Self::Output { self * Value::known(rhs) } } -impl Mul> for Value<&Assigned> { - type Output = Value>; +impl Mul> for Value<&Rational> { + type Output = Value>; fn mul(self, rhs: Value) -> Self::Output { Value { @@ -609,8 +610,8 @@ impl Mul> for Value<&Assigned> { } } -impl Mul for Value<&Assigned> { - type Output = Value>; +impl Mul for Value<&Rational> { + type Output = Value>; fn mul(self, rhs: F) -> Self::Output { self * Value::known(rhs) @@ -619,9 +620,9 @@ impl Mul for Value<&Assigned> { impl Value { /// Returns the field element corresponding to this value. - pub fn to_field(&self) -> Value> + pub fn to_field(&self) -> Value> where - for<'v> Assigned: From<&'v V>, + for<'v> Rational: From<&'v V>, { Value { inner: self.inner.as_ref().map(|v| v.into()), @@ -629,9 +630,9 @@ impl Value { } /// Returns the field element corresponding to this value. - pub fn into_field(self) -> Value> + pub fn into_field(self) -> Value> where - V: Into>, + V: Into>, { Value { inner: self.inner.map(|v| v.into()), @@ -642,18 +643,19 @@ impl Value { /// /// # Examples /// - /// If you have a `Value`, convert it to `Value>` first: + /// If you have a `Value`, convert it to `Value>` first: /// ``` /// # use halo2curves::pasta::pallas::Base as F; - /// use halo2_proofs::{circuit::Value, plonk::Assigned}; + /// use halo2_proofs::{circuit::Value}; + /// use halo2_proofs::utils::rational::Rational; /// /// let v = Value::known(F::from(2)); - /// let v: Value> = v.into(); + /// let v: Value> = v.into(); /// v.double(); /// ``` - pub fn double(&self) -> Value> + pub fn double(&self) -> Value> where - V: Borrow>, + V: Borrow>, { Value { inner: self.inner.as_ref().map(|v| v.borrow().double()), @@ -661,9 +663,9 @@ impl Value { } /// Squares this field element. - pub fn square(&self) -> Value> + pub fn square(&self) -> Value> where - V: Borrow>, + V: Borrow>, { Value { inner: self.inner.as_ref().map(|v| v.borrow().square()), @@ -671,9 +673,9 @@ impl Value { } /// Cubes this field element. - pub fn cube(&self) -> Value> + pub fn cube(&self) -> Value> where - V: Borrow>, + V: Borrow>, { Value { inner: self.inner.as_ref().map(|v| v.borrow().cube()), @@ -681,9 +683,9 @@ impl Value { } /// Inverts this assigned value (taking the inverse of zero to be zero). - pub fn invert(&self) -> Value> + pub fn invert(&self) -> Value> where - V: Borrow>, + V: Borrow>, { Value { inner: self.inner.as_ref().map(|v| v.borrow().invert()), @@ -691,7 +693,7 @@ impl Value { } } -impl Value> { +impl Value> { /// Evaluates this value directly, performing an unbatched inversion if necessary. /// /// If the denominator is zero, the returned value is zero. diff --git a/halo2_proofs/src/dev/cost.rs b/src/dev/cost.rs similarity index 98% rename from halo2_proofs/src/dev/cost.rs rename to src/dev/cost.rs index 735f1f0dc7..4a9248fbe9 100644 --- a/halo2_proofs/src/dev/cost.rs +++ b/src/dev/cost.rs @@ -11,11 +11,12 @@ use std::{ use ff::{Field, PrimeField}; use group::prime::PrimeGroup; +use crate::utils::rational::Rational; use crate::{ circuit::{layouter::RegionColumn, Value}, plonk::{ - Advice, Any, Assigned, Assignment, Challenge, Circuit, Column, ConstraintSystem, Error, - Fixed, FloorPlanner, Instance, Selector, + Advice, Any, Assignment, Challenge, Circuit, Column, ConstraintSystem, Error, Fixed, + FloorPlanner, Instance, Selector, }, poly::Rotation, }; @@ -205,7 +206,7 @@ impl Assignment for Layout { ) -> Result<(), Error> where V: FnOnce() -> Value, - VR: Into>, + VR: Into>, A: FnOnce() -> AR, AR: Into, { @@ -222,7 +223,7 @@ impl Assignment for Layout { ) -> Result<(), Error> where V: FnOnce() -> Value, - VR: Into>, + VR: Into>, A: FnOnce() -> AR, AR: Into, { @@ -245,7 +246,7 @@ impl Assignment for Layout { &mut self, _: Column, _: usize, - _: Value>, + _: Value>, ) -> Result<(), Error> { Ok(()) } @@ -283,7 +284,6 @@ impl> CircuitCost= cs.minimum_rows()); diff --git a/halo2_proofs/src/dev/cost_model.rs b/src/dev/cost_model.rs similarity index 68% rename from halo2_proofs/src/dev/cost_model.rs rename to src/dev/cost_model.rs index 51b3a1ad76..3381a501b1 100644 --- a/halo2_proofs/src/dev/cost_model.rs +++ b/src/dev/cost_model.rs @@ -2,8 +2,10 @@ //! verification cost, as well as resulting proof size. use std::collections::HashSet; -use std::{iter, num::ParseIntError, str::FromStr}; +use std::panic::AssertUnwindSafe; +use std::{iter, num::ParseIntError, panic, str::FromStr}; +use crate::plonk::Any::Fixed; use crate::plonk::Circuit; use ff::{Field, FromUniformBytes}; use serde::Deserialize; @@ -46,11 +48,21 @@ pub struct CostOptions { /// A permutation over N columns. May be repeated. pub permutation: Permutation, - /// A shuffle over N columns with max input degree I and max shuffle degree T. May be repeated. - pub shuffle: Vec, + /// 2^K bound on the number of rows, accounting for ZK, PIs and Lookup tables. + pub min_k: usize, - /// 2^K bound on the number of rows. - pub k: usize, + /// Rows count, not including table rows and not accounting for compression + /// (where multiple regions can use the same rows). + pub rows_count: usize, + + /// Table rows count, not accounting for compression (where multiple regions + /// can use the same rows), but not much if any compression can happen with + /// table rows anyway. + pub table_rows_count: usize, + + /// Compressed rows count, accounting for compression (where multiple + /// regions can use the same rows). + pub compressed_rows_count: usize, } /// Structure holding polynomial related data for benchmarks @@ -76,7 +88,8 @@ impl FromStr for Poly { pub struct Lookup; impl Lookup { - fn queries(&self) -> impl Iterator { + /// Returns the queries of the lookup argument + pub fn queries(&self) -> impl Iterator { // - product commitments at x and \omega x // - input commitments at x and x_inv // - table commitments at x @@ -98,7 +111,8 @@ pub struct Permutation { } impl Permutation { - fn queries(&self) -> impl Iterator { + /// Returns the queries of the Permutation argument + pub fn queries(&self) -> impl Iterator { // - product commitments at x and x_inv // - polynomial commitments at x let product = "0,-1".parse().unwrap(); @@ -108,18 +122,10 @@ impl Permutation { .chain(Some(product)) .chain(iter::repeat(poly).take(self.columns)) } -} - -/// Structure holding the [Shuffle] related data for circuit benchmarks. -#[derive(Debug, Clone)] -pub struct Shuffle; - -impl Shuffle { - fn queries(&self) -> impl Iterator { - // Open shuffle product commitment at x and \omega x - let shuffle = "0, 1".parse().unwrap(); - iter::empty().chain(Some(shuffle)) + /// Returns the number of columns of the Permutation argument + pub fn nr_columns(&self) -> usize { + self.columns } } @@ -128,6 +134,10 @@ impl Shuffle { pub struct ModelCircuit { /// Power-of-2 bound on the number of rows in the circuit. pub k: usize, + /// Number of rows in the circuit (not including table rows). + pub rows: usize, + /// Number of table rows in the circuit. + pub table_rows: usize, /// Maximum degree of the circuit. pub max_deg: usize, /// Number of advice columns. @@ -136,8 +146,6 @@ pub struct ModelCircuit { pub lookups: usize, /// Equality constraint enabled columns. pub permutations: usize, - /// Number of shuffle arguments - pub shuffles: usize, /// Number of distinct column queries across all gates. pub column_queries: usize, /// Number of distinct sets of points in the multiopening argument. @@ -160,7 +168,6 @@ impl CostOptions { .cloned() .chain(self.lookup.iter().flat_map(|l| l.queries())) .chain(self.permutation.queries()) - .chain(self.shuffle.iter().flat_map(|s| s.queries())) .chain(iter::repeat("0".parse().unwrap()).take(self.max_degree - 1)) .collect(); @@ -199,7 +206,7 @@ impl CostOptions { // - inner product argument (k rounds * 2 * COMM bytes) // - a (SCALAR bytes) // - xi (SCALAR bytes) - comp_bytes(1 + 2 * self.k, 2) + comp_bytes(1 + 2 * self.min_k, 2) } CommitmentScheme::KZGGWC => { let mut nr_rotations = HashSet::new(); @@ -227,12 +234,13 @@ impl CostOptions { let size = plonk + vanishing + multiopen + polycomm; ModelCircuit { - k: self.k, + k: self.min_k, + rows: self.rows_count, + table_rows: self.table_rows_count, max_deg: self.max_degree, advice_columns: self.advice.len(), lookups: self.lookup.len(), permutations: self.permutation.columns, - shuffles: self.shuffle.len(), column_queries, point_sets, size, @@ -247,7 +255,7 @@ pub fn from_circuit_to_model_circuit< const COMM: usize, const SCALAR: usize, >( - k: u32, + k: Option, circuit: &C, instances: Vec>, comm_scheme: CommitmentScheme, @@ -256,13 +264,34 @@ pub fn from_circuit_to_model_circuit< options.into_model_circuit::(comm_scheme) } -/// Given a Plonk circuit, this function returns [CostOptions] +fn run_mock_prover_with_fallback, C: Circuit>( + circuit: &C, + instances: Vec>, +) -> MockProver { + (5..25) + .find_map(|k| { + panic::catch_unwind(AssertUnwindSafe(|| { + MockProver::run(k, circuit, instances.clone()).unwrap() + })) + .ok() + }) + .expect("A circuit which can be implemented with at most 2^24 rows.") +} + +/// Given a circuit, this function returns [CostOptions]. If no upper bound for `k` is +/// provided, we iterate until a valid `k` is found (this might delay the computation). pub fn from_circuit_to_cost_model_options, C: Circuit>( - k: u32, + k_upper_bound: Option, circuit: &C, instances: Vec>, ) -> CostOptions { - let prover = MockProver::run(k, circuit, instances).unwrap(); + let instance_len = instances.iter().map(Vec::len).max().unwrap_or(0); + let prover = if let Some(k) = k_upper_bound { + MockProver::run(k, circuit, instances).unwrap() + } else { + run_mock_prover_with_fallback(circuit, instances.clone()) + }; + let cs = prover.cs; let fixed = { @@ -298,8 +327,6 @@ pub fn from_circuit_to_cost_model_options, columns: cs.permutation().get_columns().len(), }; - let shuffle = { cs.shuffles.iter().map(|_| Shuffle).collect::>() }; - let gate_degree = cs .gates .iter() @@ -307,7 +334,45 @@ pub fn from_circuit_to_cost_model_options, .max() .unwrap_or(0); - let k = prover.k.try_into().unwrap(); + // Note that this computation does't assume that `regions` is already in + // order of increasing row indices. + let (rows_count, table_rows_count, compressed_rows_count) = { + let mut rows_count = 0; + let mut table_rows_count = 0; + let mut compressed_rows_count = 0; + for region in prover.regions { + // If `region.rows == None`, then that region has no rows. + if let Some((start, end)) = region.rows { + // Note that `end` is the index of the last column, so when + // counting rows this last column needs to be counted via `end + + // 1`. + + // A region is a _table region_ if all of its columns are `Fixed` + // columns (see that [`plonk::circuit::TableColumn` is a wrapper + // around `Column`]). All of a table region's rows are + // counted towards `table_rows_count.` + if region.columns.iter().all(|c| *c.column_type() == Fixed) { + table_rows_count += (end + 1) - start; + } else { + rows_count += (end + 1) - start; + } + compressed_rows_count = std::cmp::max(compressed_rows_count, end + 1); + } + } + (rows_count, table_rows_count, compressed_rows_count) + }; + + let min_k = [ + rows_count + cs.blinding_factors(), + table_rows_count + cs.blinding_factors(), + instance_len, + ] + .into_iter() + .max() + .unwrap(); + if min_k == instance_len { + println!("WARNING: The dominant factor in your circuit's size is the number of public inputs, which causes the verifier to perform linear work."); + } CostOptions { advice, @@ -317,7 +382,9 @@ pub fn from_circuit_to_cost_model_options, max_degree: cs.degree(), lookup, permutation, - shuffle, - k, + min_k, + rows_count, + table_rows_count, + compressed_rows_count, } } diff --git a/halo2_proofs/src/dev/failure.rs b/src/dev/failure.rs similarity index 76% rename from halo2_proofs/src/dev/failure.rs rename to src/dev/failure.rs index f9f5c27ded..0abdbe8639 100644 --- a/halo2_proofs/src/dev/failure.rs +++ b/src/dev/failure.rs @@ -192,28 +192,6 @@ pub enum VerifyFailure { /// lookup is active on a row adjacent to an unrelated region. location: FailureLocation, }, - /// A shuffle input did not exist in its corresponding map. - Shuffle { - /// The name of the lookup that is not satisfied. - name: String, - /// The index of the lookup that is not satisfied. These indices are assigned in - /// the order in which `ConstraintSystem::lookup` is called during - /// `Circuit::configure`. - shuffle_index: usize, - /// The location at which the lookup is not satisfied. - /// - /// `FailureLocation::InRegion` is most common, and may be due to the intentional - /// use of a lookup (if its inputs are conditional on a complex selector), or an - /// unintentional lookup constraint that overlaps the region (indicating that the - /// lookup's inputs should be made conditional). - /// - /// `FailureLocation::OutsideRegion` is uncommon, and could mean that: - /// - The input expressions do not correctly constrain a default value that exists - /// in the table when the lookup is not being used. - /// - The input expressions use a column queried at a non-zero `Rotation`, and the - /// lookup is active on a row adjacent to an unrelated region. - location: FailureLocation, - }, /// A permutation did not preserve the original value of a cell. Permutation { /// The column in which this permutation is not satisfied. @@ -287,16 +265,6 @@ impl fmt::Display for VerifyFailure { "Lookup {name}(index: {lookup_index}) is not satisfied {location}", ) } - Self::Shuffle { - name, - shuffle_index, - location, - } => { - write!( - f, - "Shuffle {name}(index: {shuffle_index}) is not satisfied {location}" - ) - } Self::Permutation { column, location } => { write!( f, @@ -667,171 +635,6 @@ fn render_lookup( } } -fn render_shuffle( - prover: &MockProver, - name: &str, - shuffle_index: usize, - location: &FailureLocation, -) { - let n = prover.n as i32; - let cs = &prover.cs; - let shuffle = &cs.shuffles[shuffle_index]; - - // Get the absolute row on which the shuffle's inputs are being queried, so we can - // fetch the input values. - let row = match location { - FailureLocation::InRegion { region, offset } => { - prover.regions[region.index].rows.unwrap().0 + offset - } - FailureLocation::OutsideRegion { row } => *row, - } as i32; - - let shuffle_columns = shuffle.shuffle_expressions.iter().map(|expr| { - expr.evaluate( - &|f| format! {"Const: {f:#?}"}, - &|s| format! {"S{}", s.0}, - &|query| { - format!( - "{:?}", - prover - .cs - .general_column_annotations - .get(&metadata::Column::from((Any::Fixed, query.column_index))) - .cloned() - .unwrap_or_else(|| format!("F{}", query.column_index())) - ) - }, - &|query| { - format!( - "{:?}", - prover - .cs - .general_column_annotations - .get(&metadata::Column::from((Any::advice(), query.column_index))) - .cloned() - .unwrap_or_else(|| format!("A{}", query.column_index())) - ) - }, - &|query| { - format!( - "{:?}", - prover - .cs - .general_column_annotations - .get(&metadata::Column::from((Any::Instance, query.column_index))) - .cloned() - .unwrap_or_else(|| format!("I{}", query.column_index())) - ) - }, - &|challenge| format! {"C{}", challenge.index()}, - &|query| format! {"-{query}"}, - &|a, b| format! {"{a} + {b}"}, - &|a, b| format! {"{a} * {b}"}, - &|a, b| format! {"{a} * {b:?}"}, - ) - }); - - fn cell_value<'a, F: Field, Q: Into + Copy>( - load: impl Fn(Q) -> Value + 'a, - ) -> impl Fn(Q) -> BTreeMap + 'a { - move |query| { - let AnyQuery { - column_type, - column_index, - rotation, - .. - } = query.into(); - Some(( - ((column_type, column_index).into(), rotation.0).into(), - match load(query) { - Value::Real(v) => util::format_value(v), - Value::Poison => unreachable!(), - }, - )) - .into_iter() - .collect() - } - } - - eprintln!("error: input does not exist in shuffle"); - eprint!(" ("); - for i in 0..shuffle.input_expressions.len() { - eprint!("{}L{}", if i == 0 { "" } else { ", " }, i); - } - eprint!(") <-> ("); - for (i, column) in shuffle_columns.enumerate() { - eprint!("{}{}", if i == 0 { "" } else { ", " }, column); - } - eprintln!(")"); - - eprintln!(); - eprintln!(" Shuffle '{name}' inputs:"); - for (i, input) in shuffle.input_expressions.iter().enumerate() { - // Fetch the cell values (since we don't store them in VerifyFailure::Shuffle). - let cell_values = input.evaluate( - &|_| BTreeMap::default(), - &|_| panic!("virtual selectors are removed during optimization"), - &cell_value(&util::load(n, row, &cs.fixed_queries, &prover.fixed)), - &cell_value(&util::load(n, row, &cs.advice_queries, &prover.advice)), - &cell_value(&util::load_instance( - n, - row, - &cs.instance_queries, - &prover.instance, - )), - &|_| BTreeMap::default(), - &|a| a, - &|mut a, mut b| { - a.append(&mut b); - a - }, - &|mut a, mut b| { - a.append(&mut b); - a - }, - &|a, _| a, - ); - - // Collect the necessary rendering information: - // - The columns involved in this constraint. - // - How many cells are in each column. - // - The grid of cell values, indexed by rotation. - let mut columns = BTreeMap::::default(); - let mut layout = BTreeMap::>::default(); - for (i, (cell, _)) in cell_values.iter().enumerate() { - *columns.entry(cell.column).or_default() += 1; - layout - .entry(cell.rotation) - .or_default() - .entry(cell.column) - .or_insert(format!("x{i}")); - } - - if i != 0 { - eprintln!(); - } - eprintln!( - " Sh{} = {}", - i, - emitter::expression_to_string(input, &layout) - ); - eprintln!(" ^"); - - emitter::render_cell_layout(" | ", location, &columns, &layout, |_, rotation| { - if rotation == 0 { - eprint!(" <--{{ Shuffle '{name}' inputs queried here"); - } - }); - - // Print the map from local variables to assigned values. - eprintln!(" |"); - eprintln!(" | Assigned cell values:"); - for (i, (_, value)) in cell_values.iter().enumerate() { - eprintln!(" | x{i} = {value}"); - } - } -} - impl VerifyFailure { /// Emits this failure in pretty-printed format to stderr. pub(super) fn emit(&self, prover: &MockProver) { @@ -862,11 +665,6 @@ impl VerifyFailure { lookup_index, location, } => render_lookup(prover, name, *lookup_index, location), - Self::Shuffle { - name, - shuffle_index, - location, - } => render_shuffle(prover, name, *shuffle_index, location), _ => eprintln!("{self}"), } } diff --git a/halo2_proofs/src/dev/failure/emitter.rs b/src/dev/failure/emitter.rs similarity index 100% rename from halo2_proofs/src/dev/failure/emitter.rs rename to src/dev/failure/emitter.rs diff --git a/halo2_proofs/src/dev/gates.rs b/src/dev/gates.rs similarity index 100% rename from halo2_proofs/src/dev/gates.rs rename to src/dev/gates.rs diff --git a/halo2_proofs/src/dev/graph.rs b/src/dev/graph.rs similarity index 100% rename from halo2_proofs/src/dev/graph.rs rename to src/dev/graph.rs diff --git a/halo2_proofs/src/dev/graph/layout.rs b/src/dev/graph/layout.rs similarity index 100% rename from halo2_proofs/src/dev/graph/layout.rs rename to src/dev/graph/layout.rs diff --git a/halo2_proofs/src/dev/metadata.rs b/src/dev/metadata.rs similarity index 100% rename from halo2_proofs/src/dev/metadata.rs rename to src/dev/metadata.rs diff --git a/halo2_proofs/src/dev.rs b/src/dev/mod.rs similarity index 93% rename from halo2_proofs/src/dev.rs rename to src/dev/mod.rs index 7a3aca10cc..a7093472a2 100644 --- a/halo2_proofs/src/dev.rs +++ b/src/dev/mod.rs @@ -15,12 +15,12 @@ use crate::{ plonk::{ permutation, sealed::{self, SealedPhase}, - Advice, Any, Assigned, Assignment, Challenge, Circuit, Column, ConstraintSystem, Error, - Expression, FirstPhase, Fixed, FloorPlanner, Instance, Phase, Selector, + Advice, Any, Assignment, Challenge, Circuit, Column, ConstraintSystem, Error, Expression, + FirstPhase, Fixed, FloorPlanner, Instance, Phase, Selector, }, }; -use crate::multicore::{ +use crate::utils::multicore::{ IndexedParallelIterator, IntoParallelIterator, IntoParallelRefIterator, ParallelIterator, ParallelSliceMut, }; @@ -47,10 +47,14 @@ pub use tfp::TracingFloorPlanner; #[cfg(feature = "dev-graph")] mod graph; +use crate::plonk::VirtualCell; +use crate::utils::rational::Rational; #[cfg(feature = "dev-graph")] #[cfg_attr(docsrs, doc(cfg(feature = "dev-graph")))] pub use graph::{circuit_dot_graph, layout::CircuitLayout}; +use crate::poly::Rotation; + #[derive(Debug)] struct Region { /// The name of the region. Not required to be unique. @@ -187,7 +191,7 @@ impl Mul for Value { /// plonk::{Advice, Any, Circuit, Column, ConstraintSystem, Error, Selector}, /// poly::Rotation, /// }; -/// use ff::PrimeField; +/// use ff::{PrimeField}; /// use halo2curves::pasta::Fp; /// const K: u32 = 5; /// @@ -449,7 +453,7 @@ impl Assignment for MockProver { ) -> Result<(), Error> where V: FnOnce() -> circuit::Value, - VR: Into>, + VR: Into>, A: FnOnce() -> AR, AR: Into, { @@ -501,7 +505,7 @@ impl Assignment for MockProver { ) -> Result<(), Error> where V: FnOnce() -> circuit::Value, - VR: Into>, + VR: Into>, A: FnOnce() -> AR, AR: Into, { @@ -563,7 +567,7 @@ impl Assignment for MockProver { &mut self, col: Column, from_row: usize, - to: circuit::Value>, + to: circuit::Value>, ) -> Result<(), Error> { if !self.in_phase(FirstPhase) { return Ok(()); @@ -709,7 +713,9 @@ impl + Ord> MockProver { )?; } - let (cs, selector_polys) = prover.cs.compress_selectors(prover.selectors.clone()); + let (cs, selector_polys) = prover + .cs + .directly_convert_selectors_to_fixed(prover.selectors.clone()); prover.cs = cs; prover.fixed.extend(selector_polys.into_iter().map(|poly| { let mut v = vec![CellValue::Unassigned; n]; @@ -817,7 +823,15 @@ impl + Ord> MockProver { } _ => { // Check that it was assigned! - if r.cells.contains_key(&(cell.column, cell_row)) { + if r.cells.contains_key(&(cell.column, cell_row)) + || gate.polynomials().par_iter().all(|expr| { + self.cell_is_irrelevant( + cell, + expr, + gate_row as usize, + ) + }) + { None } else { Some(VerifyFailure::CellNotAssigned { @@ -1050,66 +1064,6 @@ impl + Ord> MockProver { .collect::>() }); - let shuffle_errors = - self.cs - .shuffles - .iter() - .enumerate() - .flat_map(|(shuffle_index, shuffle)| { - assert!(shuffle.shuffle_expressions.len() == shuffle.input_expressions.len()); - assert!(self.usable_rows.end > 0); - - let mut shuffle_rows: Vec>> = self - .usable_rows - .clone() - .map(|row| { - let t = shuffle - .shuffle_expressions - .iter() - .map(move |c| load(c, row)) - .collect(); - t - }) - .collect(); - shuffle_rows.sort(); - - let mut input_rows: Vec<(Vec>, usize)> = self - .usable_rows - .clone() - .map(|input_row| { - let t = shuffle - .input_expressions - .iter() - .map(move |c| load(c, input_row)) - .collect(); - - (t, input_row) - }) - .collect(); - input_rows.sort(); - - input_rows - .iter() - .zip(shuffle_rows.iter()) - .filter_map(|((input_value, row), shuffle_value)| { - if shuffle_value != input_value { - Some(VerifyFailure::Shuffle { - name: shuffle.name.clone(), - shuffle_index, - location: FailureLocation::find_expressions( - &self.cs, - &self.regions, - *row, - shuffle.input_expressions.iter(), - ), - }) - } else { - None - } - }) - .collect::>() - }); - let mapping = self.permutation.mapping(); // Check that permutations preserve the original values of the cells. let perm_errors = { @@ -1163,7 +1117,6 @@ impl + Ord> MockProver { .chain(gate_errors) .chain(lookup_errors) .chain(perm_errors) - .chain(shuffle_errors) .collect(); if errors.is_empty() { Ok(()) @@ -1182,6 +1135,69 @@ impl + Ord> MockProver { } } + // Checks if the given expression is guaranteed to be constantly zero at the given offset. + fn expr_is_constantly_zero(&self, expr: &Expression, offset: usize) -> bool { + match expr { + Expression::Constant(constant) => constant.is_zero().into(), + Expression::Selector(selector) => !self.selectors[selector.0][offset], + Expression::Fixed(query) => match self.fixed[query.column_index][offset] { + CellValue::Assigned(value) => value.is_zero().into(), + _ => false, + }, + Expression::Scaled(e, factor) => { + factor.is_zero().into() || self.expr_is_constantly_zero(e, offset) + } + Expression::Sum(e1, e2) => { + self.expr_is_constantly_zero(e1, offset) && self.expr_is_constantly_zero(e2, offset) + } + Expression::Product(e1, e2) => { + self.expr_is_constantly_zero(e1, offset) || self.expr_is_constantly_zero(e2, offset) + } + _ => false, + } + } + + // Verify that the value of the given cell within the given expression is + // irrelevant to the evaluation of the expression. This may be because + // the cell is always multiplied by an expression that evaluates to 0, or + // because the cell is not being queried in the expression at all. + fn cell_is_irrelevant(&self, cell: &VirtualCell, expr: &Expression, offset: usize) -> bool { + // Check if a given query (defined by its columnd and rotation, since we + // want this function to support different query types) is equal to `cell`. + let eq_query = |query_column: usize, query_rotation: Rotation, col_type: Any| { + cell.column.index() == query_column + && cell.column.column_type() == &col_type + && query_rotation == cell.rotation + }; + match expr { + Expression::Constant(_) | Expression::Selector(_) => true, + Expression::Fixed(query) => !eq_query(query.column_index, query.rotation(), Any::Fixed), + Expression::Advice(query) => !eq_query( + query.column_index, + query.rotation(), + Any::Advice(Advice::new(query.phase)), + ), + Expression::Instance(query) => { + !eq_query(query.column_index, query.rotation(), Any::Instance) + } + Expression::Challenge(_) => true, + Expression::Negated(e) => self.cell_is_irrelevant(cell, e, offset), + Expression::Sum(e1, e2) => { + self.cell_is_irrelevant(cell, e1, offset) + && self.cell_is_irrelevant(cell, e2, offset) + } + Expression::Product(e1, e2) => { + (self.expr_is_constantly_zero(e1, offset) + || self.expr_is_constantly_zero(e2, offset)) + || (self.cell_is_irrelevant(cell, e1, offset) + && self.cell_is_irrelevant(cell, e2, offset)) + } + Expression::Scaled(e, factor) => { + factor.is_zero().into() || self.cell_is_irrelevant(cell, e, offset) + } + } + } + /// Panics if the circuit being checked by this `MockProver` is not satisfied. /// /// Any verification failures will be pretty-printed to stderr before the function diff --git a/halo2_proofs/src/dev/tfp.rs b/src/dev/tfp.rs similarity index 96% rename from halo2_proofs/src/dev/tfp.rs rename to src/dev/tfp.rs index 011ba3cac0..29df58f15b 100644 --- a/halo2_proofs/src/dev/tfp.rs +++ b/src/dev/tfp.rs @@ -3,14 +3,15 @@ use std::{fmt, marker::PhantomData}; use ff::Field; use tracing::{debug, debug_span, span::EnteredSpan}; +use crate::utils::rational::Rational; use crate::{ circuit::{ layouter::{RegionLayouter, SyncDeps}, AssignedCell, Cell, Layouter, Region, Table, Value, }, plonk::{ - Advice, Any, Assigned, Assignment, Challenge, Circuit, Column, ConstraintSystem, Error, - Fixed, FloorPlanner, Instance, Selector, + Advice, Any, Assignment, Challenge, Circuit, Column, ConstraintSystem, Error, Fixed, + FloorPlanner, Instance, Selector, }, }; @@ -258,7 +259,7 @@ impl<'r, F: Field> RegionLayouter for TracingRegion<'r, F> { annotation: &'v (dyn Fn() -> String + 'v), column: Column, offset: usize, - to: &'v mut (dyn FnMut() -> Value> + 'v), + to: &'v mut (dyn FnMut() -> Value> + 'v), ) -> Result { let _guard = debug_span!("assign_advice", name = annotation(), column = ?column, offset = offset) @@ -274,7 +275,7 @@ impl<'r, F: Field> RegionLayouter for TracingRegion<'r, F> { annotation: &'v (dyn Fn() -> String + 'v), column: Column, offset: usize, - constant: Assigned, + constant: Rational, ) -> Result { let _guard = debug_span!("assign_advice_from_constant", name = annotation(), @@ -329,7 +330,7 @@ impl<'r, F: Field> RegionLayouter for TracingRegion<'r, F> { annotation: &'v (dyn Fn() -> String + 'v), column: Column, offset: usize, - to: &'v mut (dyn FnMut() -> Value> + 'v), + to: &'v mut (dyn FnMut() -> Value> + 'v), ) -> Result { let _guard = debug_span!("assign_fixed", name = annotation(), column = ?column, offset = offset) @@ -340,7 +341,7 @@ impl<'r, F: Field> RegionLayouter for TracingRegion<'r, F> { .map(debug_value_and_return_cell) } - fn constrain_constant(&mut self, cell: Cell, constant: Assigned) -> Result<(), Error> { + fn constrain_constant(&mut self, cell: Cell, constant: Rational) -> Result<(), Error> { debug!(target: "constrain_constant", cell = ?cell, constant = ?constant); self.0.constrain_constant(cell, constant) } @@ -424,7 +425,7 @@ impl<'cs, F: Field, CS: Assignment> Assignment for TracingAssignment<'cs, ) -> Result<(), Error> where V: FnOnce() -> Value, - VR: Into>, + VR: Into>, A: FnOnce() -> AR, AR: Into, { @@ -446,7 +447,7 @@ impl<'cs, F: Field, CS: Assignment> Assignment for TracingAssignment<'cs, ) -> Result<(), Error> where V: FnOnce() -> Value, - VR: Into>, + VR: Into>, A: FnOnce() -> AR, AR: Into, { @@ -481,7 +482,7 @@ impl<'cs, F: Field, CS: Assignment> Assignment for TracingAssignment<'cs, &mut self, column: Column, row: usize, - to: Value>, + to: Value>, ) -> Result<(), Error> { let _guard = debug_span!("positioned").entered(); debug!(target: "fill_from_row", column = ?column, row = row); diff --git a/halo2_proofs/src/dev/util.rs b/src/dev/util.rs similarity index 98% rename from halo2_proofs/src/dev/util.rs rename to src/dev/util.rs index a663f9b80b..b019a27640 100644 --- a/halo2_proofs/src/dev/util.rs +++ b/src/dev/util.rs @@ -65,7 +65,7 @@ pub(super) fn format_value(v: F) -> String { // Format value as hex. let s = format!("{v:?}"); // Remove leading zeroes. - let s = s.strip_prefix("0x").unwrap(); + let s = s.split_once("0x").unwrap().1.split(')').next().unwrap(); let s = s.trim_start_matches('0'); format!("0x{s}") } diff --git a/halo2_proofs/src/lib.rs b/src/lib.rs similarity index 83% rename from halo2_proofs/src/lib.rs rename to src/lib.rs index acc26aff15..3ab96252c4 100644 --- a/halo2_proofs/src/lib.rs +++ b/src/lib.rs @@ -8,14 +8,11 @@ #![deny(missing_docs)] #![deny(unsafe_code)] -pub mod arithmetic; pub mod circuit; pub use halo2curves; -mod multicore; pub mod plonk; pub mod poly; pub mod transcript; pub mod dev; -mod helpers; -pub use helpers::SerdeFormat; +pub mod utils; diff --git a/halo2_proofs/src/plonk/circuit.rs b/src/plonk/circuit.rs similarity index 92% rename from halo2_proofs/src/plonk/circuit.rs rename to src/plonk/circuit.rs index 5107554186..70b295f2a8 100644 --- a/halo2_proofs/src/plonk/circuit.rs +++ b/src/plonk/circuit.rs @@ -1,6 +1,7 @@ -use super::{lookup, permutation, shuffle, Assigned, Error}; +use super::{lookup, permutation, Error}; use crate::circuit::layouter::SyncDeps; use crate::dev::metadata; +use crate::utils::rational::Rational; use crate::{ circuit::{Layouter, Region, Value}, poly::Rotation, @@ -17,8 +18,6 @@ use std::{ ops::{Neg, Sub}, }; -mod compress_selectors; - /// A column type pub trait ColumnType: 'static + Sized + Copy + std::fmt::Debug + PartialEq + Eq + Into @@ -665,7 +664,7 @@ pub trait Assignment { ) -> Result<(), Error> where V: FnOnce() -> Value, - VR: Into>, + VR: Into>, A: FnOnce() -> AR, AR: Into; @@ -679,7 +678,7 @@ pub trait Assignment { ) -> Result<(), Error> where V: FnOnce() -> Value, - VR: Into>, + VR: Into>, A: FnOnce() -> AR, AR: Into; @@ -697,7 +696,7 @@ pub trait Assignment { &mut self, column: Column, row: usize, - to: Value>, + to: Value>, ) -> Result<(), Error>; /// Queries the value of the given challenge. @@ -1223,34 +1222,6 @@ impl Expression { &|a, _| a, ) } - - /// Extracts a simple selector from this gate, if present - fn extract_simple_selector(&self) -> Option { - let op = |a, b| match (a, b) { - (Some(a), None) | (None, Some(a)) => Some(a), - (Some(_), Some(_)) => panic!("two simple selectors cannot be in the same expression"), - _ => None, - }; - - self.evaluate( - &|_| None, - &|selector| { - if selector.is_simple() { - Some(selector) - } else { - None - } - }, - &|_| None, - &|_| None, - &|_| None, - &|_| None, - &|a| a, - &op, - &op, - &|a, _| a, - ) - } } impl std::fmt::Debug for Expression { @@ -1563,11 +1534,6 @@ pub struct ConstraintSystem { /// Contains the phase for each challenge. Should have same length as num_challenges. pub(crate) challenge_phase: Vec, - /// This is a cached vector that maps virtual selectors to the concrete - /// fixed column that they were compressed into. This is just used by dev - /// tooling right now. - pub(crate) selector_map: Vec>, - pub(crate) gates: Vec>, pub(crate) advice_queries: Vec<(Column, Rotation)>, // Contains an integer for each advice column @@ -1584,10 +1550,6 @@ pub struct ConstraintSystem { // input expressions and a sequence of table expressions involved in the lookup. pub(crate) lookups: Vec>, - // Vector of shuffle arguments, where each corresponds to a sequence of - // input expressions and a sequence of shuffle expressions involved in the shuffle. - pub(crate) shuffles: Vec>, - // List of indexes of Fixed columns which are associated to a circuit-general Column tied to their annotation. pub(crate) general_column_annotations: HashMap, @@ -1614,7 +1576,6 @@ pub struct PinnedConstraintSystem<'a, F: Field> { fixed_queries: &'a Vec<(Column, Rotation)>, permutation: &'a permutation::Argument, lookups: &'a Vec>, - shuffles: &'a Vec>, constants: &'a Vec>, minimum_degree: &'a Option, } @@ -1641,9 +1602,6 @@ impl<'a, F: Field> std::fmt::Debug for PinnedConstraintSystem<'a, F> { .field("fixed_queries", self.fixed_queries) .field("permutation", self.permutation) .field("lookups", self.lookups); - if !self.shuffles.is_empty() { - debug_struct.field("shuffles", self.shuffles); - } debug_struct .field("constants", self.constants) .field("minimum_degree", self.minimum_degree); @@ -1672,7 +1630,6 @@ impl Default for ConstraintSystem { unblinded_advice_columns: Vec::new(), advice_column_phase: Vec::new(), challenge_phase: Vec::new(), - selector_map: vec![], gates: vec![], fixed_queries: Vec::new(), advice_queries: Vec::new(), @@ -1680,7 +1637,6 @@ impl Default for ConstraintSystem { instance_queries: Vec::new(), permutation: permutation::Argument::new(), lookups: Vec::new(), - shuffles: Vec::new(), general_column_annotations: HashMap::new(), constants: vec![], minimum_degree: None, @@ -1707,7 +1663,6 @@ impl ConstraintSystem { instance_queries: &self.instance_queries, permutation: &self.permutation, lookups: &self.lookups, - shuffles: &self.shuffles, constants: &self.constants, minimum_degree: &self.minimum_degree, } @@ -1794,29 +1749,6 @@ impl ConstraintSystem { index } - /// Add a shuffle argument for some input expressions and table expressions. - pub fn shuffle>( - &mut self, - name: S, - shuffle_map: impl FnOnce(&mut VirtualCells<'_, F>) -> Vec<(Expression, Expression)>, - ) -> usize { - let mut cells = VirtualCells::new(self); - let shuffle_map = shuffle_map(&mut cells) - .into_iter() - .map(|(mut input, mut table)| { - input.query_cells(&mut cells); - table.query_cells(&mut cells); - (input, table) - }) - .collect(); - let index = self.shuffles.len(); - - self.shuffles - .push(shuffle::Argument::new(name.as_ref(), shuffle_map)); - - index - } - fn query_fixed_index(&mut self, column: Column, at: Rotation) -> usize { // Return existing query, if it exists for (index, fixed_query) in self.fixed_queries.iter().enumerate() { @@ -1965,79 +1897,6 @@ impl ConstraintSystem { }); } - /// This will compress selectors together depending on their provided - /// assignments. This `ConstraintSystem` will then be modified to add new - /// fixed columns (representing the actual selectors) and will return the - /// polynomials for those columns. Finally, an internal map is updated to - /// find which fixed column corresponds with a given `Selector`. - /// - /// Do not call this twice. Yes, this should be a builder pattern instead. - pub fn compress_selectors(mut self, selectors: Vec>) -> (Self, Vec>) { - // The number of provided selector assignments must be the number we - // counted for this constraint system. - assert_eq!(selectors.len(), self.num_selectors); - - // Compute the maximal degree of every selector. We only consider the - // expressions in gates, as lookup arguments cannot support simple - // selectors. Selectors that are complex or do not appear in any gates - // will have degree zero. - let mut degrees = vec![0; selectors.len()]; - for expr in self.gates.iter().flat_map(|gate| gate.polys.iter()) { - if let Some(selector) = expr.extract_simple_selector() { - degrees[selector.0] = max(degrees[selector.0], expr.degree()); - } - } - - // We will not increase the degree of the constraint system, so we limit - // ourselves to the largest existing degree constraint. - let max_degree = self.degree(); - - let mut new_columns = vec![]; - let (polys, selector_assignment) = compress_selectors::process( - selectors - .into_iter() - .zip(degrees) - .enumerate() - .map( - |(i, (activations, max_degree))| compress_selectors::SelectorDescription { - selector: i, - activations, - max_degree, - }, - ) - .collect(), - max_degree, - || { - let column = self.fixed_column(); - new_columns.push(column); - Expression::Fixed(FixedQuery { - index: Some(self.query_fixed_index(column, Rotation::cur())), - column_index: column.index, - rotation: Rotation::cur(), - }) - }, - ); - - let mut selector_map = vec![None; selector_assignment.len()]; - let mut selector_replacements = vec![None; selector_assignment.len()]; - for assignment in selector_assignment { - selector_replacements[assignment.selector] = Some(assignment.expression); - selector_map[assignment.selector] = Some(new_columns[assignment.combination_index]); - } - - self.selector_map = selector_map - .into_iter() - .map(|a| a.unwrap()) - .collect::>(); - let selector_replacements = selector_replacements - .into_iter() - .map(|a| a.unwrap()) - .collect::>(); - self.replace_selectors_with_fixed(&selector_replacements); - - (self, polys) - } - /// Does not combine selectors and directly replaces them everywhere with fixed columns. pub fn directly_convert_selectors_to_fixed( mut self, @@ -2115,15 +1974,6 @@ impl ConstraintSystem { }) { replace_selectors(expr, selector_replacements, true); } - - for expr in self.shuffles.iter_mut().flat_map(|shuffle| { - shuffle - .input_expressions - .iter_mut() - .chain(shuffle.shuffle_expressions.iter_mut()) - }) { - replace_selectors(expr, selector_replacements, true); - } } /// Allocate a new (simple) selector. Simple selectors cannot be added to @@ -2318,17 +2168,6 @@ impl ConstraintSystem { .unwrap_or(1), ); - // The lookup argument also serves alongside the gates and must be accounted - // for. - degree = std::cmp::max( - degree, - self.shuffles - .iter() - .map(|l| l.required_degree()) - .max() - .unwrap_or(1), - ); - // Account for each gate to ensure our quotient polynomial is the // correct degree and that our extended domain is the right size. degree = std::cmp::max( @@ -2457,11 +2296,6 @@ impl ConstraintSystem { &self.lookups } - /// Returns shuffle arguments - pub fn shuffles(&self) -> &Vec> { - &self.shuffles - } - /// Returns constants pub fn constants(&self) -> &Vec> { &self.constants diff --git a/halo2_proofs/src/plonk/error.rs b/src/plonk/error.rs similarity index 100% rename from halo2_proofs/src/plonk/error.rs rename to src/plonk/error.rs diff --git a/halo2_proofs/src/plonk/evaluation.rs b/src/plonk/evaluation.rs similarity index 77% rename from halo2_proofs/src/plonk/evaluation.rs rename to src/plonk/evaluation.rs index 431c487c7e..e8c2b86d96 100644 --- a/halo2_proofs/src/plonk/evaluation.rs +++ b/src/plonk/evaluation.rs @@ -1,13 +1,15 @@ -use crate::multicore; use crate::plonk::{lookup, permutation, Any, ProvingKey}; +use crate::poly::commitment::PolynomialCommitmentScheme; use crate::poly::Basis; +use crate::utils::multicore; use crate::{ - arithmetic::{parallelize, CurveAffine}, poly::{Coeff, ExtendedLagrangeCoeff, Polynomial, Rotation}, + utils::arithmetic::parallelize, }; -use group::ff::{Field, PrimeField, WithSmallOrderMulGroup}; +use ff::{PrimeField, WithSmallOrderMulGroup}; +use group::ff::Field; -use super::{shuffle, ConstraintSystem, Expression}; +use super::{ConstraintSystem, Expression}; /// Return the index in the polynomial of size `isize` after rotation `rot`. fn get_rotation_idx(idx: usize, rot: i32, rot_scale: i32, isize: i32) -> usize { @@ -164,20 +166,20 @@ impl Calculation { /// Evaluator #[derive(Clone, Default, Debug)] -pub struct Evaluator { +pub struct Evaluator { /// Custom gates evalution - pub custom_gates: GraphEvaluator, + pub custom_gates: GraphEvaluator, /// Lookups evalution - pub lookups: Vec>, + pub lookups: Vec>, /// Shuffle evalution - pub shuffles: Vec>, + pub shuffles: Vec>, } /// GraphEvaluator #[derive(Clone, Debug)] -pub struct GraphEvaluator { +pub struct GraphEvaluator { /// Constants - pub constants: Vec, + pub constants: Vec, /// Rotations pub rotations: Vec, /// Calculations @@ -188,9 +190,9 @@ pub struct GraphEvaluator { /// EvaluationData #[derive(Default, Debug)] -pub struct EvaluationData { +pub struct EvaluationData { /// Intermediates - pub intermediates: Vec, + pub intermediates: Vec, /// Rotations pub rotations: Vec, } @@ -204,9 +206,9 @@ pub struct CalculationInfo { pub target: usize, } -impl Evaluator { +impl> Evaluator { /// Creates a new evaluation structure - pub fn new(cs: &ConstraintSystem) -> Self { + pub fn new(cs: &ConstraintSystem) -> Self { let mut ev = Evaluator::default(); // Custom gates @@ -258,72 +260,38 @@ impl Evaluator { ev.lookups.push(graph); } - // Shuffles - for shuffle in cs.shuffles.iter() { - let evaluate_lc = |expressions: &Vec>, graph: &mut GraphEvaluator| { - let parts = expressions - .iter() - .map(|expr| graph.add_expression(expr)) - .collect(); - graph.add_calculation(Calculation::Horner( - ValueSource::Constant(0), - parts, - ValueSource::Theta(), - )) - }; - - let mut graph_input = GraphEvaluator::default(); - let compressed_input_coset = evaluate_lc(&shuffle.input_expressions, &mut graph_input); - let _ = graph_input.add_calculation(Calculation::Add( - compressed_input_coset, - ValueSource::Gamma(), - )); - - let mut graph_shuffle = GraphEvaluator::default(); - let compressed_shuffle_coset = - evaluate_lc(&shuffle.shuffle_expressions, &mut graph_shuffle); - let _ = graph_shuffle.add_calculation(Calculation::Add( - compressed_shuffle_coset, - ValueSource::Gamma(), - )); - - ev.shuffles.push(graph_input); - ev.shuffles.push(graph_shuffle); - } - ev } /// Evaluate h poly #[allow(clippy::too_many_arguments)] - pub(in crate::plonk) fn evaluate_h( + pub(in crate::plonk) fn evaluate_h>( &self, - pk: &ProvingKey, - advice_polys: &[&[Polynomial]], - instance_polys: &[&[Polynomial]], - challenges: &[C::ScalarExt], - y: C::ScalarExt, - beta: C::ScalarExt, - gamma: C::ScalarExt, - theta: C::ScalarExt, - lookups: &[Vec>], - shuffles: &[Vec>], - permutations: &[permutation::prover::Committed], - ) -> Polynomial { + pk: &ProvingKey, + advice_polys: &[&[Polynomial]], + instance_polys: &[&[Polynomial]], + challenges: &[F], + y: F, + beta: F, + gamma: F, + theta: F, + lookups: &[Vec>], + permutations: &[permutation::prover::Committed], + ) -> Polynomial { let domain = &pk.vk.domain; let size = domain.extended_len(); let rot_scale = 1 << (domain.extended_k() - domain.k()); let fixed = &pk.fixed_cosets[..]; let extended_omega = domain.get_extended_omega(); let isize = size as i32; - let one = C::ScalarExt::ONE; + let one = F::ONE; let l0 = &pk.l0; let l_last = &pk.l_last; let l_active_row = &pk.l_active_row; let p = &pk.vk.cs.permutation; // Calculate the advice and instance cosets - let advice: Vec>> = advice_polys + let advice: Vec>> = advice_polys .iter() .map(|advice_polys| { advice_polys @@ -332,7 +300,7 @@ impl Evaluator { .collect() }) .collect(); - let instance: Vec>> = instance_polys + let instance: Vec>> = instance_polys .iter() .map(|instance_polys| { instance_polys @@ -346,11 +314,10 @@ impl Evaluator { // Core expression evaluations let num_threads = multicore::current_num_threads(); - for ((((advice, instance), lookups), shuffles), permutation) in advice + for (((advice, instance), lookups), permutation) in advice .iter() .zip(instance.iter()) .zip(lookups.iter()) - .zip(shuffles.iter()) .zip(permutations.iter()) { // Custom gates @@ -388,10 +355,16 @@ impl Evaluator { let blinding_factors = pk.vk.cs.blinding_factors(); let last_rotation = Rotation(-((blinding_factors + 1) as i32)); let chunk_len = pk.vk.cs.degree() - 2; - let delta_start = beta * &C::Scalar::ZETA; + let delta_start = beta * &pk.vk.domain.g_coset; + + let permutation_product_cosets: Vec> = sets + .iter() + .map(|set| domain.coeff_to_extended(set.permutation_product_poly.clone())) + .collect(); - let first_set = sets.first().unwrap(); - let last_set = sets.last().unwrap(); + let first_set_permutation_product_coset = + permutation_product_cosets.first().unwrap(); + let last_set_permutation_product_coset = permutation_product_cosets.last().unwrap(); // Permutation constraints parallelize(&mut values, |values, start| { @@ -404,22 +377,21 @@ impl Evaluator { // Enforce only for the first set. // l_0(X) * (1 - z_0(X)) = 0 *value = *value * y - + ((one - first_set.permutation_product_coset[idx]) * l0[idx]); + + ((one - first_set_permutation_product_coset[idx]) * l0[idx]); // Enforce only for the last set. // l_last(X) * (z_l(X)^2 - z_l(X)) = 0 *value = *value * y - + ((last_set.permutation_product_coset[idx] - * last_set.permutation_product_coset[idx] - - last_set.permutation_product_coset[idx]) + + ((last_set_permutation_product_coset[idx] + * last_set_permutation_product_coset[idx] + - last_set_permutation_product_coset[idx]) * l_last[idx]); // Except for the first set, enforce. // l_0(X) * (z_i(X) - z_{i-1}(\omega^(last) X)) = 0 - for (set_idx, set) in sets.iter().enumerate() { + for set_idx in 0..sets.len() { if set_idx != 0 { *value = *value * y - + ((set.permutation_product_coset[idx] - - permutation.sets[set_idx - 1].permutation_product_coset - [r_last]) + + ((permutation_product_cosets[set_idx][idx] + - permutation_product_cosets[set_idx - 1][r_last]) * l0[idx]); } } @@ -429,12 +401,13 @@ impl Evaluator { // - z_i(X) \prod_j (p(X) + \delta^j \beta X + \gamma) // ) let mut current_delta = delta_start * beta_term; - for ((set, columns), cosets) in sets - .iter() - .zip(p.columns.chunks(chunk_len)) - .zip(pk.permutation.cosets.chunks(chunk_len)) + for ((permutation_product_coset, columns), cosets) in + permutation_product_cosets + .iter() + .zip(p.columns.chunks(chunk_len)) + .zip(pk.permutation.cosets.chunks(chunk_len)) { - let mut left = set.permutation_product_coset[r_next]; + let mut left = permutation_product_coset[r_next]; for (values, permutation) in columns .iter() .map(|&column| match column.column_type() { @@ -447,14 +420,14 @@ impl Evaluator { left *= values[idx] + beta * permutation[idx] + gamma; } - let mut right = set.permutation_product_coset[idx]; + let mut right = permutation_product_coset[idx]; for values in columns.iter().map(|&column| match column.column_type() { Any::Advice(_) => &advice[column.index()], Any::Fixed => &fixed[column.index()], Any::Instance => &instance[column.index()], }) { right *= values[idx] + current_delta + gamma; - current_delta *= &C::Scalar::DELTA; + current_delta *= &F::DELTA; } *value = *value * y + ((left - right) * l_active_row[idx]); @@ -496,7 +469,7 @@ impl Evaluator { &gamma, &theta, &y, - &C::ScalarExt::ZERO, + &F::ZERO, idx, rot_scale, isize, @@ -538,82 +511,16 @@ impl Evaluator { } }); } - - // Shuffle constraints - for (n, shuffle) in shuffles.iter().enumerate() { - let product_coset = pk.vk.domain.coeff_to_extended(shuffle.product_poly.clone()); - - // Shuffle constraints - parallelize(&mut values, |values, start| { - let input_evaluator = &self.shuffles[2 * n]; - let shuffle_evaluator = &self.shuffles[2 * n + 1]; - let mut eval_data_input = shuffle_evaluator.instance(); - let mut eval_data_shuffle = shuffle_evaluator.instance(); - for (i, value) in values.iter_mut().enumerate() { - let idx = start + i; - - let input_value = input_evaluator.evaluate( - &mut eval_data_input, - fixed, - advice, - instance, - challenges, - &beta, - &gamma, - &theta, - &y, - &C::ScalarExt::ZERO, - idx, - rot_scale, - isize, - ); - - let shuffle_value = shuffle_evaluator.evaluate( - &mut eval_data_shuffle, - fixed, - advice, - instance, - challenges, - &beta, - &gamma, - &theta, - &y, - &C::ScalarExt::ZERO, - idx, - rot_scale, - isize, - ); - - let r_next = get_rotation_idx(idx, 1, rot_scale, isize); - - // l_0(X) * (1 - z(X)) = 0 - *value = *value * y + ((one - product_coset[idx]) * l0[idx]); - // l_last(X) * (z(X)^2 - z(X)) = 0 - *value = *value * y - + ((product_coset[idx] * product_coset[idx] - product_coset[idx]) - * l_last[idx]); - // (1 - (l_last(X) + l_blind(X))) * (z(\omega X) (s(X) + \gamma) - z(X) (a(X) + \gamma)) = 0 - *value = *value * y - + l_active_row[idx] - * (product_coset[r_next] * shuffle_value - - product_coset[idx] * input_value) - } - }); - } } values } } -impl Default for GraphEvaluator { +impl Default for GraphEvaluator { fn default() -> Self { Self { // Fixed positions to allow easy access - constants: vec![ - C::ScalarExt::ZERO, - C::ScalarExt::ONE, - C::ScalarExt::from(2u64), - ], + constants: vec![F::ZERO, F::ONE, F::from(2u64)], rotations: Vec::new(), calculations: Vec::new(), num_intermediates: 0, @@ -621,7 +528,7 @@ impl Default for GraphEvaluator { } } -impl GraphEvaluator { +impl GraphEvaluator { /// Adds a rotation fn add_rotation(&mut self, rotation: &Rotation) -> usize { let position = self.rotations.iter().position(|&c| c == rotation.0); @@ -635,7 +542,7 @@ impl GraphEvaluator { } /// Adds a constant - fn add_constant(&mut self, constant: &C::ScalarExt) -> ValueSource { + fn add_constant(&mut self, constant: &F) -> ValueSource { let position = self.constants.iter().position(|&c| c == *constant); ValueSource::Constant(match position { Some(pos) => pos, @@ -670,7 +577,7 @@ impl GraphEvaluator { } /// Generates an optimized evaluation for the expression - fn add_expression(&mut self, expr: &Expression) -> ValueSource { + fn add_expression(&mut self, expr: &Expression) -> ValueSource { match expr { Expression::Constant(scalar) => self.add_constant(scalar), Expression::Selector(_selector) => unreachable!(), @@ -759,9 +666,9 @@ impl GraphEvaluator { } } Expression::Scaled(a, f) => { - if *f == C::ScalarExt::ZERO { + if *f == F::ZERO { ValueSource::Constant(0) - } else if *f == C::ScalarExt::ONE { + } else if *f == F::ONE { self.add_expression(a) } else { let cst = self.add_constant(f); @@ -773,9 +680,9 @@ impl GraphEvaluator { } /// Creates a new evaluation structure - pub fn instance(&self) -> EvaluationData { + pub fn instance(&self) -> EvaluationData { EvaluationData { - intermediates: vec![C::ScalarExt::ZERO; self.num_intermediates], + intermediates: vec![F::ZERO; self.num_intermediates], rotations: vec![0usize; self.rotations.len()], } } @@ -783,20 +690,20 @@ impl GraphEvaluator { #[allow(clippy::too_many_arguments)] pub fn evaluate( &self, - data: &mut EvaluationData, - fixed: &[Polynomial], - advice: &[Polynomial], - instance: &[Polynomial], - challenges: &[C::ScalarExt], - beta: &C::ScalarExt, - gamma: &C::ScalarExt, - theta: &C::ScalarExt, - y: &C::ScalarExt, - previous_value: &C::ScalarExt, + data: &mut EvaluationData, + fixed: &[Polynomial], + advice: &[Polynomial], + instance: &[Polynomial], + challenges: &[F], + beta: &F, + gamma: &F, + theta: &F, + y: &F, + previous_value: &F, idx: usize, rot_scale: i32, isize: i32, - ) -> C::ScalarExt { + ) -> F { // All rotation index values for (rot_idx, rot) in self.rotations.iter().enumerate() { data.rotations[rot_idx] = get_rotation_idx(idx, *rot, rot_scale, isize); @@ -824,7 +731,7 @@ impl GraphEvaluator { if let Some(calc) = self.calculations.last() { data.intermediates[calc.target] } else { - C::ScalarExt::ZERO + F::ZERO } } } diff --git a/halo2_proofs/src/plonk/keygen.rs b/src/plonk/keygen.rs similarity index 74% rename from halo2_proofs/src/plonk/keygen.rs rename to src/plonk/keygen.rs index 984eecb9e8..fa57ada327 100644 --- a/halo2_proofs/src/plonk/keygen.rs +++ b/src/plonk/keygen.rs @@ -2,8 +2,8 @@ use std::ops::Range; -use ff::{Field, FromUniformBytes}; -use group::Curve; +use ff::{Field, FromUniformBytes, WithSmallOrderMulGroup}; +use rayon::iter::{IntoParallelRefIterator, ParallelIterator}; use super::{ circuit::{ @@ -11,29 +11,25 @@ use super::{ Selector, }, evaluation::Evaluator, - permutation, Assigned, Challenge, Error, LagrangeCoeff, Polynomial, ProvingKey, VerifyingKey, -}; -use crate::{ - arithmetic::{parallelize, CurveAffine}, - circuit::Value, - poly::{ - batch_invert_assigned, - commitment::{Blind, Params}, - EvaluationDomain, - }, + permutation, Challenge, Error, LagrangeCoeff, Polynomial, ProvingKey, VerifyingKey, }; +use crate::circuit::Value; +use crate::poly::batch_invert_rational; +use crate::poly::commitment::{Params, PolynomialCommitmentScheme}; +use crate::utils::rational::Rational; +use crate::{poly::EvaluationDomain, utils::arithmetic::parallelize}; -pub(crate) fn create_domain( +pub(crate) fn create_domain( k: u32, #[cfg(feature = "circuit-params")] params: ConcreteCircuit::Params, ) -> ( - EvaluationDomain, - ConstraintSystem, + EvaluationDomain, + ConstraintSystem, ConcreteCircuit::Config, ) where - C: CurveAffine, - ConcreteCircuit: Circuit, + F: WithSmallOrderMulGroup<3>, + ConcreteCircuit: Circuit, { let mut cs = ConstraintSystem::default(); #[cfg(feature = "circuit-params")] @@ -52,7 +48,7 @@ where #[derive(Debug)] struct Assembly { k: u32, - fixed: Vec, LagrangeCoeff>>, + fixed: Vec, LagrangeCoeff>>, permutation: permutation::keygen::Assembly, selectors: Vec>, // A range of available rows for assignment and copies. @@ -105,7 +101,7 @@ impl Assignment for Assembly { ) -> Result<(), Error> where V: FnOnce() -> Value, - VR: Into>, + VR: Into>, A: FnOnce() -> AR, AR: Into, { @@ -122,7 +118,7 @@ impl Assignment for Assembly { ) -> Result<(), Error> where V: FnOnce() -> Value, - VR: Into>, + VR: Into>, A: FnOnce() -> AR, AR: Into, { @@ -158,7 +154,7 @@ impl Assignment for Assembly { &mut self, column: Column, from_row: usize, - to: Value>, + to: Value>, ) -> Result<(), Error> { if !self.usable_rows.contains(&from_row) { return Err(Error::not_enough_rows_available(self.k)); @@ -204,34 +200,16 @@ impl Assignment for Assembly { /// Generate a `VerifyingKey` from an instance of `Circuit`. /// By default, selector compression is turned **off**. -pub fn keygen_vk<'params, C, P, ConcreteCircuit>( - params: &P, +pub fn keygen_vk( + params: &CS::VerifierParameters, circuit: &ConcreteCircuit, -) -> Result, Error> +) -> Result, Error> where - C: CurveAffine, - P: Params<'params, C>, - ConcreteCircuit: Circuit, - C::Scalar: FromUniformBytes<64>, + F: WithSmallOrderMulGroup<3> + FromUniformBytes<64>, + CS: PolynomialCommitmentScheme, + ConcreteCircuit: Circuit, { - keygen_vk_custom(params, circuit, true) -} - -/// Generate a `VerifyingKey` from an instance of `Circuit`. -/// -/// The selector compression optimization is turned on only if `compress_selectors` is `true`. -pub fn keygen_vk_custom<'params, C, P, ConcreteCircuit>( - params: &P, - circuit: &ConcreteCircuit, - compress_selectors: bool, -) -> Result, Error> -where - C: CurveAffine, - P: Params<'params, C>, - ConcreteCircuit: Circuit, - C::Scalar: FromUniformBytes<64>, -{ - let (domain, cs, config) = create_domain::( + let (domain, cs, config) = create_domain::( params.k(), #[cfg(feature = "circuit-params")] circuit.params(), @@ -241,9 +219,9 @@ where return Err(Error::not_enough_rows_available(params.k())); } - let mut assembly: Assembly = Assembly { + let mut assembly: Assembly = Assembly { k: params.k(), - fixed: vec![domain.empty_lagrange_assigned(); cs.num_fixed_columns], + fixed: vec![domain.empty_lagrange_rational(); cs.num_fixed_columns], permutation: permutation::keygen::Assembly::new(params.n() as usize, &cs.permutation), selectors: vec![vec![false; params.n() as usize]; cs.num_selectors], usable_rows: 0..params.n() as usize - (cs.blinding_factors() + 1), @@ -258,14 +236,10 @@ where cs.constants.clone(), )?; - let mut fixed = batch_invert_assigned(assembly.fixed); - let (cs, selector_polys) = if compress_selectors { - cs.compress_selectors(assembly.selectors.clone()) - } else { - // After this, the ConstraintSystem should not have any selectors: `verify` does not need them, and `keygen_pk` regenerates `cs` from scratch anyways. - let selectors = std::mem::take(&mut assembly.selectors); - cs.directly_convert_selectors_to_fixed(selectors) - }; + let mut fixed = batch_invert_rational(assembly.fixed); + // After this, the ConstraintSystem should not have any selectors: `verify` does not need them, and `keygen_pk` regenerates `cs` from scratch anyways. + let selectors = std::mem::take(&mut assembly.selectors); + let (cs, selector_polys) = cs.directly_convert_selectors_to_fixed(selectors); fixed.extend( selector_polys .into_iter() @@ -278,7 +252,7 @@ where let fixed_commitments = fixed .iter() - .map(|poly| params.commit_lagrange(poly, Blind::default()).to_affine()) + .map(|poly| params.commit_lagrange(poly)) .collect(); Ok(VerifyingKey::from_parts( @@ -287,20 +261,19 @@ where permutation_vk, cs, assembly.selectors, - compress_selectors, )) } /// Generate a `ProvingKey` from a `VerifyingKey` and an instance of `Circuit`. -pub fn keygen_pk<'params, C, P, ConcreteCircuit>( - params: &P, - vk: VerifyingKey, +pub fn keygen_pk( + params: &CS::Parameters, + vk: VerifyingKey, circuit: &ConcreteCircuit, -) -> Result, Error> +) -> Result, Error> where - C: CurveAffine, - P: Params<'params, C>, - ConcreteCircuit: Circuit, + F: WithSmallOrderMulGroup<3>, + CS: PolynomialCommitmentScheme, + ConcreteCircuit: Circuit, { let mut cs = ConstraintSystem::default(); #[cfg(feature = "circuit-params")] @@ -314,9 +287,9 @@ where return Err(Error::not_enough_rows_available(params.k())); } - let mut assembly: Assembly = Assembly { + let mut assembly: Assembly = Assembly { k: params.k(), - fixed: vec![vk.domain.empty_lagrange_assigned(); cs.num_fixed_columns], + fixed: vec![vk.domain.empty_lagrange_rational(); cs.num_fixed_columns], permutation: permutation::keygen::Assembly::new(params.n() as usize, &cs.permutation), selectors: vec![vec![false; params.n() as usize]; cs.num_selectors], usable_rows: 0..params.n() as usize - (cs.blinding_factors() + 1), @@ -331,12 +304,8 @@ where cs.constants.clone(), )?; - let mut fixed = batch_invert_assigned(assembly.fixed); - let (cs, selector_polys) = if vk.compress_selectors { - cs.compress_selectors(assembly.selectors) - } else { - cs.directly_convert_selectors_to_fixed(assembly.selectors) - }; + let mut fixed = batch_invert_rational(assembly.fixed); + let (cs, selector_polys) = cs.directly_convert_selectors_to_fixed(assembly.selectors); fixed.extend( selector_polys .into_iter() @@ -344,23 +313,24 @@ where ); let fixed_polys: Vec<_> = fixed - .iter() + .par_iter() .map(|poly| vk.domain.lagrange_to_coeff(poly.clone())) .collect(); let fixed_cosets = fixed_polys - .iter() + .par_iter() .map(|poly| vk.domain.coeff_to_extended(poly.clone())) .collect(); - let permutation_pk = assembly - .permutation - .build_pk(params, &vk.domain, &cs.permutation); + let permutation_pk = + assembly + .permutation + .build_pk::(params, &vk.domain, &cs.permutation); // Compute l_0(X) // TODO: this can be done more efficiently let mut l0 = vk.domain.empty_lagrange(); - l0[0] = C::Scalar::ONE; + l0[0] = F::ONE; let l0 = vk.domain.lagrange_to_coeff(l0); let l0 = vk.domain.coeff_to_extended(l0); @@ -368,7 +338,7 @@ where // and 0 otherwise over the domain. let mut l_blind = vk.domain.empty_lagrange(); for evaluation in l_blind[..].iter_mut().rev().take(cs.blinding_factors()) { - *evaluation = C::Scalar::ONE; + *evaluation = F::ONE; } let l_blind = vk.domain.lagrange_to_coeff(l_blind); let l_blind = vk.domain.coeff_to_extended(l_blind); @@ -376,12 +346,12 @@ where // Compute l_last(X) which evaluates to 1 on the first inactive row (just // before the blinding factors) and 0 otherwise over the domain let mut l_last = vk.domain.empty_lagrange(); - l_last[params.n() as usize - cs.blinding_factors() - 1] = C::Scalar::ONE; + l_last[params.n() as usize - cs.blinding_factors() - 1] = F::ONE; let l_last = vk.domain.lagrange_to_coeff(l_last); let l_last = vk.domain.coeff_to_extended(l_last); // Compute l_active_row(X) - let one = C::Scalar::ONE; + let one = F::ONE; let mut l_active_row = vk.domain.empty_extended(); parallelize(&mut l_active_row, |values, start| { for (i, value) in values.iter_mut().enumerate() { diff --git a/halo2_proofs/src/plonk/lookup.rs b/src/plonk/lookup.rs similarity index 100% rename from halo2_proofs/src/plonk/lookup.rs rename to src/plonk/lookup.rs diff --git a/halo2_proofs/src/plonk/lookup/prover.rs b/src/plonk/lookup/prover.rs similarity index 67% rename from halo2_proofs/src/plonk/lookup/prover.rs rename to src/plonk/lookup/prover.rs index 028b298853..3e40a56c4c 100644 --- a/halo2_proofs/src/plonk/lookup/prover.rs +++ b/src/plonk/lookup/prover.rs @@ -1,56 +1,40 @@ -use super::super::{ - circuit::Expression, ChallengeBeta, ChallengeGamma, ChallengeTheta, ChallengeX, Error, - ProvingKey, -}; +use super::super::{circuit::Expression, Error, ProvingKey}; use super::Argument; use crate::plonk::evaluation::evaluate; +use crate::poly::commitment::{Params, PolynomialCommitmentScheme}; +use crate::transcript::{Hashable, Transcript}; use crate::{ - arithmetic::{eval_polynomial, parallelize, CurveAffine}, - poly::{ - commitment::{Blind, Params}, - Coeff, EvaluationDomain, LagrangeCoeff, Polynomial, ProverQuery, Rotation, - }, - transcript::{EncodedChallenge, TranscriptWrite}, -}; -use ff::WithSmallOrderMulGroup; -use group::{ - ff::{BatchInvert, Field}, - Curve, -}; -use rand_core::RngCore; -use std::{ - collections::BTreeMap, - iter, - ops::{Mul, MulAssign}, + poly::{Coeff, EvaluationDomain, LagrangeCoeff, Polynomial, ProverQuery, Rotation}, + utils::arithmetic::{eval_polynomial, parallelize}, }; +use ff::{PrimeField, WithSmallOrderMulGroup}; +use group::ff::BatchInvert; +use halo2curves::serde::SerdeObject; +use rand_core::{CryptoRng, RngCore}; +use std::{collections::BTreeMap, iter}; #[derive(Debug)] -pub(in crate::plonk) struct Permuted { - compressed_input_expression: Polynomial, - permuted_input_expression: Polynomial, - permuted_input_poly: Polynomial, - permuted_input_blind: Blind, - compressed_table_expression: Polynomial, - permuted_table_expression: Polynomial, - permuted_table_poly: Polynomial, - permuted_table_blind: Blind, +pub(in crate::plonk) struct Permuted { + compressed_input_expression: Polynomial, + permuted_input_expression: Polynomial, + permuted_input_poly: Polynomial, + compressed_table_expression: Polynomial, + permuted_table_expression: Polynomial, + permuted_table_poly: Polynomial, } #[derive(Debug)] -pub(in crate::plonk) struct Committed { - pub(in crate::plonk) permuted_input_poly: Polynomial, - permuted_input_blind: Blind, - pub(in crate::plonk) permuted_table_poly: Polynomial, - permuted_table_blind: Blind, - pub(in crate::plonk) product_poly: Polynomial, - product_blind: Blind, +pub(in crate::plonk) struct Committed { + pub(in crate::plonk) permuted_input_poly: Polynomial, + pub(in crate::plonk) permuted_table_poly: Polynomial, + pub(in crate::plonk) product_poly: Polynomial, } -pub(in crate::plonk) struct Evaluated { - constructed: Committed, +pub(in crate::plonk) struct Evaluated { + constructed: Committed, } -impl> Argument { +impl + Ord> Argument { /// Given a Lookup with input expressions [A_0, A_1, ..., A_{m-1}] and table expressions /// [S_0, S_1, ..., S_{m-1}], this method /// - constructs A_compressed = \theta^{m-1} A_0 + theta^{m-2} A_1 + ... + \theta A_{m-2} + A_{m-1} @@ -64,30 +48,27 @@ impl> Argument { pub(in crate::plonk) fn commit_permuted< 'a, 'params: 'a, - C, - P: Params<'params, C>, - E: EncodedChallenge, + CS: PolynomialCommitmentScheme, R: RngCore, - T: TranscriptWrite, + T: Transcript, >( &self, - pk: &ProvingKey, - params: &P, - domain: &EvaluationDomain, - theta: ChallengeTheta, - advice_values: &'a [Polynomial], - fixed_values: &'a [Polynomial], - instance_values: &'a [Polynomial], - challenges: &'a [C::Scalar], + pk: &ProvingKey, + params: &'params CS::Parameters, + domain: &EvaluationDomain, + theta: F, + advice_values: &'a [Polynomial], + fixed_values: &'a [Polynomial], + instance_values: &'a [Polynomial], + challenges: &'a [F], mut rng: R, transcript: &mut T, - ) -> Result, Error> + ) -> Result, Error> where - C: CurveAffine, - C::Curve: Mul + MulAssign, + CS::Commitment: Hashable, { // Closure to get values of expressions and compress them - let compress_expressions = |expressions: &[Expression]| { + let compress_expressions = |expressions: &[Expression]| { let compressed_expression = expressions .iter() .map(|expression| { @@ -102,7 +83,7 @@ impl> Argument { )) }) .fold(domain.empty_lagrange(), |acc, expression| { - acc * *theta + &expression + acc * theta + &expression }); compressed_expression }; @@ -124,61 +105,55 @@ impl> Argument { )?; // Closure to construct commitment to vector of values - let mut commit_values = |values: &Polynomial| { + let commit_values = |values: &Polynomial| { let poly = pk.vk.domain.lagrange_to_coeff(values.clone()); - let blind = Blind(C::Scalar::random(&mut rng)); - let commitment = params.commit_lagrange(values, blind).to_affine(); - (poly, blind, commitment) + let commitment = params.commit_lagrange(values); + (poly, commitment) }; // Commit to permuted input expression - let (permuted_input_poly, permuted_input_blind, permuted_input_commitment) = + let (permuted_input_poly, permuted_input_commitment) = commit_values(&permuted_input_expression); // Commit to permuted table expression - let (permuted_table_poly, permuted_table_blind, permuted_table_commitment) = + let (permuted_table_poly, permuted_table_commitment) = commit_values(&permuted_table_expression); // Hash permuted input commitment - transcript.write_point(permuted_input_commitment)?; + transcript.write(&permuted_input_commitment)?; // Hash permuted table commitment - transcript.write_point(permuted_table_commitment)?; + transcript.write(&permuted_table_commitment)?; Ok(Permuted { compressed_input_expression, permuted_input_expression, permuted_input_poly, - permuted_input_blind, compressed_table_expression, permuted_table_expression, permuted_table_poly, - permuted_table_blind, }) } } -impl Permuted { +impl> Permuted { /// Given a Lookup with input expressions, table expressions, and the permuted /// input expression and permuted table expression, this method constructs the /// grand product polynomial over the lookup. The grand product polynomial /// is used to populate the Product struct. The Product struct is /// added to the Lookup and finally returned by the method. - pub(in crate::plonk) fn commit_product< - 'params, - P: Params<'params, C>, - E: EncodedChallenge, - R: RngCore, - T: TranscriptWrite, - >( + pub(in crate::plonk) fn commit_product, T: Transcript>( self, - pk: &ProvingKey, - params: &P, - beta: ChallengeBeta, - gamma: ChallengeGamma, - mut rng: R, + pk: &ProvingKey, + params: &CS::Parameters, + beta: F, + gamma: F, + mut rng: impl RngCore + CryptoRng, transcript: &mut T, - ) -> Result, Error> { + ) -> Result, Error> + where + CS::Commitment: Hashable, + { let blinding_factors = pk.vk.cs.blinding_factors(); // Goal is to compute the products of fractions // @@ -191,7 +166,7 @@ impl Permuted { // s_j(X) is the jth table expression in this lookup, // s'(X) is the compression of the permuted table expressions, // and i is the ith row of the expression. - let mut lookup_product = vec![C::Scalar::ZERO; params.n() as usize]; + let mut lookup_product = vec![F::ZERO; params.n() as usize]; // Denominator uses the permuted input expression and permuted table expression parallelize(&mut lookup_product, |lookup_product, start| { for ((lookup_product, permuted_input_value), permuted_table_value) in lookup_product @@ -199,7 +174,7 @@ impl Permuted { .zip(self.permuted_input_expression[start..].iter()) .zip(self.permuted_table_expression[start..].iter()) { - *lookup_product = (*beta + permuted_input_value) * &(*gamma + permuted_table_value); + *lookup_product = (beta + permuted_input_value) * &(gamma + permuted_table_value); } }); @@ -214,8 +189,8 @@ impl Permuted { for (i, product) in product.iter_mut().enumerate() { let i = i + start; - *product *= &(self.compressed_input_expression[i] + &*beta); - *product *= &(self.compressed_table_expression[i] + &*gamma); + *product *= &(self.compressed_input_expression[i] + &beta); + *product *= &(self.compressed_table_expression[i] + &gamma); } }); @@ -234,9 +209,9 @@ impl Permuted { // Compute the evaluations of the lookup product polynomial // over our domain, starting with z[0] = 1 - let z = iter::once(C::Scalar::ONE) + let z = iter::once(F::ONE) .chain(lookup_product) - .scan(C::Scalar::ONE, |state, cur| { + .scan(F::ONE, |state, cur| { *state *= &cur; Some(*state) }) @@ -244,7 +219,7 @@ impl Permuted { // be a boolean (and ideally 1, else soundness is broken) .take(params.n() as usize - blinding_factors) // Chain random blinding factors. - .chain((0..blinding_factors).map(|_| C::Scalar::random(&mut rng))) + .chain((0..blinding_factors).map(|_| F::random(&mut rng))) .collect::>(); assert_eq!(z.len(), params.n() as usize); let z = pk.vk.domain.lagrange_from_vec(z); @@ -257,7 +232,7 @@ impl Permuted { let u = (params.n() as usize) - (blinding_factors + 1); // l_0(X) * (1 - z(X)) = 0 - assert_eq!(z[0], C::Scalar::ONE); + assert_eq!(z[0], F::ONE); // z(\omega X) (a'(X) + \beta) (s'(X) + \gamma) // - z(X) (\theta^{m-1} a_0(X) + ... + a_{m-1}(X) + \beta) (\theta^{m-1} s_0(X) + ... + s_{m-1}(X) + \gamma) @@ -284,43 +259,42 @@ impl Permuted { // l_last(X) * (z(X)^2 - z(X)) = 0 // Assertion will fail only when soundness is broken, in which // case this z[u] value will be zero. (bad!) - assert_eq!(z[u], C::Scalar::ONE); + assert_eq!(z[u], F::ONE); } - let product_blind = Blind(C::Scalar::random(rng)); - let product_commitment = params.commit_lagrange(&z, product_blind).to_affine(); + let product_commitment = params.commit_lagrange(&z); let z = pk.vk.domain.lagrange_to_coeff(z); // Hash product commitment - transcript.write_point(product_commitment)?; + transcript.write(&product_commitment)?; - Ok(Committed:: { + Ok(Committed:: { permuted_input_poly: self.permuted_input_poly, - permuted_input_blind: self.permuted_input_blind, permuted_table_poly: self.permuted_table_poly, - permuted_table_blind: self.permuted_table_blind, product_poly: z, - product_blind, }) } } -impl Committed { - pub(in crate::plonk) fn evaluate, T: TranscriptWrite>( +impl> Committed { + pub(in crate::plonk) fn evaluate>( self, - pk: &ProvingKey, - x: ChallengeX, + pk: &ProvingKey, + x: F, transcript: &mut T, - ) -> Result, Error> { + ) -> Result, Error> + where + F: Hashable + SerdeObject, + { let domain = &pk.vk.domain; - let x_inv = domain.rotate_omega(*x, Rotation::prev()); - let x_next = domain.rotate_omega(*x, Rotation::next()); + let x_inv = domain.rotate_omega(x, Rotation::prev()); + let x_next = domain.rotate_omega(x, Rotation::next()); - let product_eval = eval_polynomial(&self.product_poly, *x); + let product_eval = eval_polynomial(&self.product_poly, x); let product_next_eval = eval_polynomial(&self.product_poly, x_next); - let permuted_input_eval = eval_polynomial(&self.permuted_input_poly, *x); + let permuted_input_eval = eval_polynomial(&self.permuted_input_poly, x); let permuted_input_inv_eval = eval_polynomial(&self.permuted_input_poly, x_inv); - let permuted_table_eval = eval_polynomial(&self.permuted_table_poly, *x); + let permuted_table_eval = eval_polynomial(&self.permuted_table_poly, x); // Hash each advice evaluation for eval in iter::empty() @@ -330,52 +304,47 @@ impl Committed { .chain(Some(permuted_input_inv_eval)) .chain(Some(permuted_table_eval)) { - transcript.write_scalar(eval)?; + transcript.write(&eval)?; } Ok(Evaluated { constructed: self }) } } -impl Evaluated { - pub(in crate::plonk) fn open<'a>( +impl> Evaluated { + pub(in crate::plonk) fn open<'a, CS: PolynomialCommitmentScheme>( &'a self, - pk: &'a ProvingKey, - x: ChallengeX, - ) -> impl Iterator> + Clone { - let x_inv = pk.vk.domain.rotate_omega(*x, Rotation::prev()); - let x_next = pk.vk.domain.rotate_omega(*x, Rotation::next()); + pk: &'a ProvingKey, + x: F, + ) -> impl Iterator> + Clone { + let x_inv = pk.vk.domain.rotate_omega(x, Rotation::prev()); + let x_next = pk.vk.domain.rotate_omega(x, Rotation::next()); iter::empty() // Open lookup product commitments at x .chain(Some(ProverQuery { - point: *x, + point: x, poly: &self.constructed.product_poly, - blind: self.constructed.product_blind, })) // Open lookup input commitments at x .chain(Some(ProverQuery { - point: *x, + point: x, poly: &self.constructed.permuted_input_poly, - blind: self.constructed.permuted_input_blind, })) // Open lookup table commitments at x .chain(Some(ProverQuery { - point: *x, + point: x, poly: &self.constructed.permuted_table_poly, - blind: self.constructed.permuted_table_blind, })) // Open lookup input commitments at x_inv .chain(Some(ProverQuery { point: x_inv, poly: &self.constructed.permuted_input_poly, - blind: self.constructed.permuted_input_blind, })) // Open lookup product commitments at x_next .chain(Some(ProverQuery { point: x_next, poly: &self.constructed.product_poly, - blind: self.constructed.product_blind, })) } } @@ -388,32 +357,37 @@ type ExpressionPair = (Polynomial, Polynomial, R: RngCore>( - pk: &ProvingKey, - params: &P, - domain: &EvaluationDomain, +fn permute_expression_pair< + F: WithSmallOrderMulGroup<3> + Ord, + CS: PolynomialCommitmentScheme, + R: RngCore, +>( + pk: &ProvingKey, + params: &CS::Parameters, + domain: &EvaluationDomain, mut rng: R, - input_expression: &Polynomial, - table_expression: &Polynomial, -) -> Result, Error> { + input_expression: &Polynomial, + table_expression: &Polynomial, +) -> Result, Error> { let blinding_factors = pk.vk.cs.blinding_factors(); let usable_rows = params.n() as usize - (blinding_factors + 1); - let mut permuted_input_expression: Vec = input_expression.to_vec(); + let mut permuted_input_expression: Vec = input_expression.to_vec(); permuted_input_expression.truncate(usable_rows); // Sort input lookup expression values permuted_input_expression.sort(); // A BTreeMap of each unique element in the table expression and its count - let mut leftover_table_map: BTreeMap = table_expression - .iter() - .take(usable_rows) - .fold(BTreeMap::new(), |mut acc, coeff| { - *acc.entry(*coeff).or_insert(0) += 1; - acc - }); - let mut permuted_table_coeffs = vec![C::Scalar::ZERO; usable_rows]; + let mut leftover_table_map: BTreeMap = + table_expression + .iter() + .take(usable_rows) + .fold(BTreeMap::new(), |mut acc, coeff| { + *acc.entry(*coeff).or_insert(0) += 1; + acc + }); + let mut permuted_table_coeffs = vec![F::ZERO; usable_rows]; let mut repeated_input_rows = permuted_input_expression .iter() @@ -447,9 +421,8 @@ fn permute_expression_pair<'params, C: CurveAffine, P: Params<'params, C>, R: Rn } assert!(repeated_input_rows.is_empty()); - permuted_input_expression - .extend((0..(blinding_factors + 1)).map(|_| C::Scalar::random(&mut rng))); - permuted_table_coeffs.extend((0..(blinding_factors + 1)).map(|_| C::Scalar::random(&mut rng))); + permuted_input_expression.extend((0..(blinding_factors + 1)).map(|_| F::random(&mut rng))); + permuted_table_coeffs.extend((0..(blinding_factors + 1)).map(|_| F::random(&mut rng))); assert_eq!(permuted_input_expression.len(), params.n() as usize); assert_eq!(permuted_table_coeffs.len(), params.n() as usize); diff --git a/halo2_proofs/src/plonk/lookup/verifier.rs b/src/plonk/lookup/verifier.rs similarity index 52% rename from halo2_proofs/src/plonk/lookup/verifier.rs rename to src/plonk/lookup/verifier.rs index bbc86c8e9d..411293eae2 100644 --- a/halo2_proofs/src/plonk/lookup/verifier.rs +++ b/src/plonk/lookup/verifier.rs @@ -1,47 +1,48 @@ use std::iter; -use super::super::{ - circuit::Expression, ChallengeBeta, ChallengeGamma, ChallengeTheta, ChallengeX, -}; +use super::super::circuit::Expression; use super::Argument; +use crate::poly::commitment::PolynomialCommitmentScheme; +use crate::transcript::{Hashable, Transcript}; use crate::{ - arithmetic::CurveAffine, plonk::{Error, VerifyingKey}, - poly::{commitment::MSM, Rotation, VerifierQuery}, - transcript::{EncodedChallenge, TranscriptRead}, + poly::{Rotation, VerifierQuery}, }; -use ff::Field; +use ff::{PrimeField, WithSmallOrderMulGroup}; +use halo2curves::serde::SerdeObject; -pub struct PermutationCommitments { - permuted_input_commitment: C, - permuted_table_commitment: C, +pub struct PermutationCommitments> { + permuted_input_commitment: CS::Commitment, + permuted_table_commitment: CS::Commitment, } -pub struct Committed { - permuted: PermutationCommitments, - product_commitment: C, +pub struct Committed> { + permuted: PermutationCommitments, + product_commitment: CS::Commitment, } -pub struct Evaluated { - committed: Committed, - product_eval: C::Scalar, - product_next_eval: C::Scalar, - permuted_input_eval: C::Scalar, - permuted_input_inv_eval: C::Scalar, - permuted_table_eval: C::Scalar, +pub struct Evaluated> { + committed: Committed, + product_eval: F, + product_next_eval: F, + permuted_input_eval: F, + permuted_input_inv_eval: F, + permuted_table_eval: F, } -impl Argument { +impl Argument { pub(in crate::plonk) fn read_permuted_commitments< - C: CurveAffine, - E: EncodedChallenge, - T: TranscriptRead, + CS: PolynomialCommitmentScheme, + T: Transcript, >( &self, transcript: &mut T, - ) -> Result, Error> { - let permuted_input_commitment = transcript.read_point()?; - let permuted_table_commitment = transcript.read_point()?; + ) -> Result, Error> + where + CS::Commitment: Hashable, + { + let permuted_input_commitment = transcript.read()?; + let permuted_table_commitment = transcript.read()?; Ok(PermutationCommitments { permuted_input_commitment, @@ -50,15 +51,15 @@ impl Argument { } } -impl PermutationCommitments { - pub(in crate::plonk) fn read_product_commitment< - E: EncodedChallenge, - T: TranscriptRead, - >( +impl> PermutationCommitments { + pub(in crate::plonk) fn read_product_commitment( self, transcript: &mut T, - ) -> Result, Error> { - let product_commitment = transcript.read_point()?; + ) -> Result, Error> + where + CS::Commitment: Hashable + SerdeObject, + { + let product_commitment = transcript.read()?; Ok(Committed { permuted: self, @@ -67,16 +68,19 @@ impl PermutationCommitments { } } -impl Committed { - pub(crate) fn evaluate, T: TranscriptRead>( +impl> Committed { + pub(crate) fn evaluate( self, transcript: &mut T, - ) -> Result, Error> { - let product_eval = transcript.read_scalar()?; - let product_next_eval = transcript.read_scalar()?; - let permuted_input_eval = transcript.read_scalar()?; - let permuted_input_inv_eval = transcript.read_scalar()?; - let permuted_table_eval = transcript.read_scalar()?; + ) -> Result, Error> + where + F: Hashable + SerdeObject, + { + let product_eval = transcript.read()?; + let product_next_eval = transcript.read()?; + let permuted_input_eval = transcript.read()?; + let permuted_input_inv_eval = transcript.read()?; + let permuted_table_eval = transcript.read()?; Ok(Evaluated { committed: self, @@ -89,32 +93,32 @@ impl Committed { } } -impl Evaluated { +impl, CS: PolynomialCommitmentScheme> Evaluated { #[allow(clippy::too_many_arguments)] pub(in crate::plonk) fn expressions<'a>( &'a self, - l_0: C::Scalar, - l_last: C::Scalar, - l_blind: C::Scalar, - argument: &'a Argument, - theta: ChallengeTheta, - beta: ChallengeBeta, - gamma: ChallengeGamma, - advice_evals: &[C::Scalar], - fixed_evals: &[C::Scalar], - instance_evals: &[C::Scalar], - challenges: &[C::Scalar], - ) -> impl Iterator + 'a { - let active_rows = C::Scalar::ONE - (l_last + l_blind); + l_0: F, + l_last: F, + l_blind: F, + argument: &'a Argument, + theta: F, + beta: F, + gamma: F, + advice_evals: &[F], + fixed_evals: &[F], + instance_evals: &[F], + challenges: &[F], + ) -> impl Iterator + 'a { + let active_rows = F::ONE - (l_last + l_blind); let product_expression = || { // z(\omega X) (a'(X) + \beta) (s'(X) + \gamma) // - z(X) (\theta^{m-1} a_0(X) + ... + a_{m-1}(X) + \beta) (\theta^{m-1} s_0(X) + ... + s_{m-1}(X) + \gamma) let left = self.product_next_eval - * &(self.permuted_input_eval + &*beta) - * &(self.permuted_table_eval + &*gamma); + * &(self.permuted_input_eval + &beta) + * &(self.permuted_table_eval + &gamma); - let compress_expressions = |expressions: &[Expression]| { + let compress_expressions = |expressions: &[Expression]| { expressions .iter() .map(|expression| { @@ -131,11 +135,11 @@ impl Evaluated { &|a, scalar| a * &scalar, ) }) - .fold(C::Scalar::ZERO, |acc, eval| acc * &*theta + &eval) + .fold(F::ZERO, |acc, eval| acc * &theta + &eval) }; let right = self.product_eval - * &(compress_expressions(&argument.input_expressions) + &*beta) - * &(compress_expressions(&argument.table_expressions) + &*gamma); + * &(compress_expressions(&argument.input_expressions) + &beta) + * &(compress_expressions(&argument.table_expressions) + &gamma); (left - &right) * &active_rows }; @@ -143,7 +147,7 @@ impl Evaluated { std::iter::empty() .chain( // l_0(X) * (1 - z(X)) = 0 - Some(l_0 * &(C::Scalar::ONE - &self.product_eval)), + Some(l_0 * &(F::ONE - &self.product_eval)), ) .chain( // l_last(X) * (z(X)^2 - z(X)) = 0 @@ -168,43 +172,43 @@ impl Evaluated { )) } - pub(in crate::plonk) fn queries<'r, M: MSM + 'r>( - &'r self, - vk: &'r VerifyingKey, - x: ChallengeX, - ) -> impl Iterator> + Clone { - let x_inv = vk.domain.rotate_omega(*x, Rotation::prev()); - let x_next = vk.domain.rotate_omega(*x, Rotation::next()); + pub(in crate::plonk) fn queries( + &self, + vk: &VerifyingKey, + x: F, + ) -> impl Iterator> + Clone { + let x_inv = vk.domain.rotate_omega(x, Rotation::prev()); + let x_next = vk.domain.rotate_omega(x, Rotation::next()); iter::empty() // Open lookup product commitment at x - .chain(Some(VerifierQuery::new_commitment( - &self.committed.product_commitment, - *x, + .chain(Some(VerifierQuery::new( + x, + self.committed.product_commitment, self.product_eval, ))) // Open lookup input commitments at x - .chain(Some(VerifierQuery::new_commitment( - &self.committed.permuted.permuted_input_commitment, - *x, + .chain(Some(VerifierQuery::new( + x, + self.committed.permuted.permuted_input_commitment, self.permuted_input_eval, ))) // Open lookup table commitments at x - .chain(Some(VerifierQuery::new_commitment( - &self.committed.permuted.permuted_table_commitment, - *x, + .chain(Some(VerifierQuery::new( + x, + self.committed.permuted.permuted_table_commitment, self.permuted_table_eval, ))) // Open lookup input commitments at \omega^{-1} x - .chain(Some(VerifierQuery::new_commitment( - &self.committed.permuted.permuted_input_commitment, + .chain(Some(VerifierQuery::new( x_inv, + self.committed.permuted.permuted_input_commitment, self.permuted_input_inv_eval, ))) // Open lookup product commitment at \omega x - .chain(Some(VerifierQuery::new_commitment( - &self.committed.product_commitment, + .chain(Some(VerifierQuery::new( x_next, + self.committed.product_commitment, self.product_next_eval, ))) } diff --git a/halo2_proofs/src/plonk.rs b/src/plonk/mod.rs similarity index 58% rename from halo2_proofs/src/plonk.rs rename to src/plonk/mod.rs index 78bfc21501..318493557b 100644 --- a/halo2_proofs/src/plonk.rs +++ b/src/plonk/mod.rs @@ -6,66 +6,65 @@ //! [plonk]: https://eprint.iacr.org/2019/953 use blake2b_simd::Params as Blake2bParams; -use group::ff::{Field, FromUniformBytes, PrimeField}; +use group::ff::FromUniformBytes; -use crate::arithmetic::CurveAffine; -use crate::helpers::{ - polynomial_slice_byte_length, read_polynomial_vec, write_polynomial_slice, SerdeCurveAffine, - SerdePrimeField, -}; use crate::poly::{ Coeff, EvaluationDomain, ExtendedLagrangeCoeff, LagrangeCoeff, PinnedEvaluationDomain, Polynomial, }; -use crate::transcript::{ChallengeScalar, EncodedChallenge, Transcript}; -use crate::SerdeFormat; +use crate::transcript::{Hashable, Transcript}; +use crate::utils::helpers::{ + byte_length, polynomial_slice_byte_length, read_polynomial_vec, write_polynomial_slice, + ProcessedSerdeObject, +}; +use crate::utils::SerdeFormat; -mod assigned; mod circuit; mod error; mod evaluation; mod keygen; mod lookup; pub mod permutation; -mod shuffle; mod vanishing; mod prover; mod verifier; -pub use assigned::*; pub use circuit::*; pub use error::*; pub use keygen::*; pub use prover::*; pub use verifier::*; +use crate::poly::commitment::PolynomialCommitmentScheme; use evaluation::Evaluator; +use ff::{PrimeField, WithSmallOrderMulGroup}; +use halo2curves::serde::SerdeObject; use std::io; /// This is a verifying key which allows for the verification of proofs for a /// particular circuit. #[derive(Clone, Debug)] -pub struct VerifyingKey { - domain: EvaluationDomain, - fixed_commitments: Vec, - permutation: permutation::VerifyingKey, - cs: ConstraintSystem, +pub struct VerifyingKey> { + domain: EvaluationDomain, + fixed_commitments: Vec, + permutation: permutation::VerifyingKey, + cs: ConstraintSystem, /// Cached maximum degree of `cs` (which doesn't change after construction). cs_degree: usize, /// The representative of this `VerifyingKey` in transcripts. - transcript_repr: C::Scalar, + transcript_repr: F, selectors: Vec>, - /// Whether selector compression is turned on or not. - compress_selectors: bool, } // Current version of the VK const VERSION: u8 = 0x03; -impl VerifyingKey +impl VerifyingKey where - C::Scalar: SerdePrimeField + FromUniformBytes<64>, + F: WithSmallOrderMulGroup<3> + SerdeObject + FromUniformBytes<64>, + CS: PolynomialCommitmentScheme, + CS::Commitment: SerdeObject, { /// Writes a verifying key to a buffer. /// @@ -80,24 +79,20 @@ where // Version byte that will be checked on read. writer.write_all(&[VERSION])?; let k = &self.domain.k(); - assert!(*k <= C::Scalar::S); + assert!(*k <= F::S); // k value fits in 1 byte writer.write_all(&[*k as u8])?; - writer.write_all(&[self.compress_selectors as u8])?; writer.write_all(&(self.fixed_commitments.len() as u32).to_le_bytes())?; for commitment in &self.fixed_commitments { commitment.write(writer, format)?; } self.permutation.write(writer, format)?; - if !self.compress_selectors { - assert!(self.selectors.is_empty()); - } // write self.selectors for selector in &self.selectors { // since `selector` is filled with `bool`, we pack them 8 at a time into bytes and then write for bits in selector.chunks(8) { - writer.write_all(&[crate::helpers::pack(bits)])?; + writer.write_all(&[crate::utils::helpers::pack(bits)])?; } } Ok(()) @@ -107,13 +102,13 @@ where /// /// Reads a curve element from the buffer and parses it according to the `format`: /// - `Processed`: Reads a compressed curve element and decompresses it. - /// Reads a field element in standard form, with endianness specified by the - /// `PrimeField` implementation, and checks that the element is less than the modulus. + /// Reads a field element in standard form, with endianness specified by the + /// `PrimeField` implementation, and checks that the element is less than the modulus. /// - `RawBytes`: Reads an uncompressed curve element with coordinates in Montgomery form. - /// Checks that field elements are less than modulus, and then checks that the point is on the curve. + /// Checks that field elements are less than modulus, and then checks that the point is on the curve. /// - `RawBytesUnchecked`: Reads an uncompressed curve element with coordinates in Montgomery form; - /// does not perform any checks - pub fn read>( + /// does not perform any checks + pub fn read>( reader: &mut R, format: SerdeFormat, #[cfg(feature = "circuit-params")] params: ConcreteCircuit::Params, @@ -130,26 +125,14 @@ where let mut k = [0u8; 1]; reader.read_exact(&mut k)?; let k = u8::from_le_bytes(k); - if k as u32 > C::Scalar::S { - return Err(io::Error::new( - io::ErrorKind::InvalidData, - format!( - "circuit size value (k): {} exceeds maxium: {}", - k, - C::Scalar::S - ), - )); - } - let mut compress_selectors = [0u8; 1]; - reader.read_exact(&mut compress_selectors)?; - if compress_selectors[0] != 0 && compress_selectors[0] != 1 { + if k as u32 > F::S { return Err(io::Error::new( io::ErrorKind::InvalidData, - "unexpected compress_selectors not boolean", + format!("circuit size value (k): {} exceeds maxium: {}", k, F::S), )); } - let compress_selectors = compress_selectors[0] == 1; - let (domain, cs, _) = keygen::create_domain::( + + let (domain, cs, _) = keygen::create_domain::( k as u32, #[cfg(feature = "circuit-params")] params, @@ -159,32 +142,15 @@ where let num_fixed_columns = u32::from_le_bytes(num_fixed_columns); let fixed_commitments: Vec<_> = (0..num_fixed_columns) - .map(|_| C::read(reader, format)) + .map(|_| CS::Commitment::read(reader, format)) .collect::>()?; let permutation = permutation::VerifyingKey::read(reader, &cs.permutation, format)?; - let (cs, selectors) = if compress_selectors { - // read selectors - let selectors: Vec> = vec![vec![false; 1 << k]; cs.num_selectors] - .into_iter() - .map(|mut selector| { - let mut selector_bytes = vec![0u8; (selector.len() + 7) / 8]; - reader.read_exact(&mut selector_bytes)?; - for (bits, byte) in selector.chunks_mut(8).zip(selector_bytes) { - crate::helpers::unpack(byte, bits); - } - Ok(selector) - }) - .collect::>()?; - let (cs, _) = cs.compress_selectors(selectors.clone()); - (cs, selectors) - } else { - // we still need to replace selectors with fixed Expressions in `cs` - let fake_selectors = vec![vec![]; cs.num_selectors]; - let (cs, _) = cs.directly_convert_selectors_to_fixed(fake_selectors); - (cs, vec![]) - }; + let selectors = vec![]; + // we still need to replace selectors with fixed Expressions in `cs` + let fake_selectors = vec![vec![]; cs.num_selectors]; + let (cs, _) = cs.directly_convert_selectors_to_fixed(fake_selectors); Ok(Self::from_parts( domain, @@ -192,7 +158,6 @@ where permutation, cs, selectors, - compress_selectors, )) } @@ -204,7 +169,7 @@ where } /// Reads a verification key from a slice of bytes using [`Self::read`]. - pub fn from_bytes>( + pub fn from_bytes>( mut bytes: &[u8], format: SerdeFormat, #[cfg(feature = "circuit-params")] params: ConcreteCircuit::Params, @@ -218,31 +183,27 @@ where } } -impl VerifyingKey { - fn bytes_length(&self, format: SerdeFormat) -> usize - where - C: SerdeCurveAffine, - { - 10 + (self.fixed_commitments.len() * C::byte_length(format)) +impl, CS: PolynomialCommitmentScheme> VerifyingKey { + fn bytes_length(&self, format: SerdeFormat) -> usize { + 10 + (self.fixed_commitments.len() * byte_length::(format)) + self.permutation.bytes_length(format) + self.selectors.len() * (self .selectors - .get(0) + .first() .map(|selector| (selector.len() + 7) / 8) .unwrap_or(0)) } fn from_parts( - domain: EvaluationDomain, - fixed_commitments: Vec, - permutation: permutation::VerifyingKey, - cs: ConstraintSystem, + domain: EvaluationDomain, + fixed_commitments: Vec, + permutation: permutation::VerifyingKey, + cs: ConstraintSystem, selectors: Vec>, - compress_selectors: bool, ) -> Self where - C::ScalarExt: FromUniformBytes<64>, + F: FromUniformBytes<64>, { // Compute cached values. let cs_degree = cs.degree(); @@ -254,9 +215,8 @@ impl VerifyingKey { cs, cs_degree, // Temporary, this is not pinned. - transcript_repr: C::Scalar::ZERO, + transcript_repr: F::ZERO, selectors, - compress_selectors, }; let mut hasher = Blake2bParams::new() @@ -270,27 +230,25 @@ impl VerifyingKey { hasher.update(s.as_bytes()); // Hash in final Blake2bState - vk.transcript_repr = C::Scalar::from_uniform_bytes(hasher.finalize().as_array()); + vk.transcript_repr = F::from_uniform_bytes(hasher.finalize().as_array()); vk } /// Hashes a verification key into a transcript. - pub fn hash_into, T: Transcript>( - &self, - transcript: &mut T, - ) -> io::Result<()> { - transcript.common_scalar(self.transcript_repr)?; + pub fn hash_into(&self, transcript: &mut T) -> io::Result<()> + where + F: Hashable, + { + transcript.common(&self.transcript_repr)?; Ok(()) } /// Obtains a pinned representation of this verification key that contains /// the minimal information necessary to reconstruct the verification key. - pub fn pinned(&self) -> PinnedVerificationKey<'_, C> { + pub fn pinned(&self) -> PinnedVerificationKey<'_, F, CS> { PinnedVerificationKey { - base_modulus: C::Base::MODULUS, - scalar_modulus: C::Scalar::MODULUS, domain: self.domain.pinned(), fixed_commitments: &self.fixed_commitments, permutation: &self.permutation, @@ -299,22 +257,22 @@ impl VerifyingKey { } /// Returns commitments of fixed polynomials - pub fn fixed_commitments(&self) -> &Vec { + pub fn fixed_commitments(&self) -> &Vec { &self.fixed_commitments } /// Returns `VerifyingKey` of permutation - pub fn permutation(&self) -> &permutation::VerifyingKey { + pub fn permutation(&self) -> &permutation::VerifyingKey { &self.permutation } /// Returns `ConstraintSystem` - pub fn cs(&self) -> &ConstraintSystem { + pub fn cs(&self) -> &ConstraintSystem { &self.cs } /// Returns representative of this `VerifyingKey` in transcripts - pub fn transcript_repr(&self) -> C::Scalar { + pub fn transcript_repr(&self) -> F { self.transcript_repr } } @@ -323,46 +281,41 @@ impl VerifyingKey { /// its active contents. #[allow(dead_code)] #[derive(Debug)] -pub struct PinnedVerificationKey<'a, C: CurveAffine> { - base_modulus: &'static str, - scalar_modulus: &'static str, - domain: PinnedEvaluationDomain<'a, C::Scalar>, - cs: PinnedConstraintSystem<'a, C::Scalar>, - fixed_commitments: &'a Vec, - permutation: &'a permutation::VerifyingKey, +pub struct PinnedVerificationKey<'a, F: PrimeField, CS: PolynomialCommitmentScheme> { + domain: PinnedEvaluationDomain<'a, F>, + cs: PinnedConstraintSystem<'a, F>, + fixed_commitments: &'a Vec, + permutation: &'a permutation::VerifyingKey, } /// This is a proving key which allows for the creation of proofs for a /// particular circuit. #[derive(Clone, Debug)] -pub struct ProvingKey { - vk: VerifyingKey, - l0: Polynomial, - l_last: Polynomial, - l_active_row: Polynomial, - fixed_values: Vec>, - fixed_polys: Vec>, - fixed_cosets: Vec>, - permutation: permutation::ProvingKey, - ev: Evaluator, +pub struct ProvingKey> { + vk: VerifyingKey, + l0: Polynomial, + l_last: Polynomial, + l_active_row: Polynomial, + fixed_values: Vec>, + fixed_polys: Vec>, + fixed_cosets: Vec>, + permutation: permutation::ProvingKey, + ev: Evaluator, } -impl ProvingKey +impl, CS: PolynomialCommitmentScheme> ProvingKey where - C::Scalar: FromUniformBytes<64>, + F: FromUniformBytes<64>, { /// Get the underlying [`VerifyingKey`]. - pub fn get_vk(&self) -> &VerifyingKey { + pub fn get_vk(&self) -> &VerifyingKey { &self.vk } /// Gets the total number of bytes in the serialization of `self` - fn bytes_length(&self, format: SerdeFormat) -> usize - where - C: SerdeCurveAffine, - { - let scalar_len = C::Scalar::default().to_repr().as_ref().len(); + fn bytes_length(&self, format: SerdeFormat) -> usize { + let scalar_len = F::default().to_repr().as_ref().len(); self.vk.bytes_length(format) - + 12 + + 12 // bytes used for encoding the length(u32) of "l0", "l_last" & "l_active_row" polys + scalar_len * (self.l0.len() + self.l_last.len() + self.l_active_row.len()) + polynomial_slice_byte_length(&self.fixed_values) + polynomial_slice_byte_length(&self.fixed_polys) @@ -371,29 +324,29 @@ where } } -impl ProvingKey +impl, CS: PolynomialCommitmentScheme> ProvingKey where - C::Scalar: SerdePrimeField + FromUniformBytes<64>, + F: PrimeField + FromUniformBytes<64> + SerdeObject, { /// Writes a proving key to a buffer. /// /// Writes a curve element according to `format`: /// - `Processed`: Writes a compressed curve element with coordinates in standard form. - /// Writes a field element in standard form, with endianness specified by the + /// Writes a field element in standard form, with endianness specified by the /// `PrimeField` implementation. /// - Otherwise: Writes an uncompressed curve element with coordinates in Montgomery form - /// Writes a field element into raw bytes in its internal Montgomery representation, - /// WITHOUT performing the expensive Montgomery reduction. - /// Does so by first writing the verifying key and then serializing the rest of the data (in the form of field polynomials) + /// Writes a field element into raw bytes in its internal Montgomery representation, + /// WITHOUT performing the expensive Montgomery reduction. + /// Does so by first writing the verifying key and then serializing the rest of the data (in the form of field polynomials) pub fn write(&self, writer: &mut W, format: SerdeFormat) -> io::Result<()> { self.vk.write(writer, format)?; - self.l0.write(writer, format)?; - self.l_last.write(writer, format)?; - self.l_active_row.write(writer, format)?; - write_polynomial_slice(&self.fixed_values, writer, format)?; - write_polynomial_slice(&self.fixed_polys, writer, format)?; - write_polynomial_slice(&self.fixed_cosets, writer, format)?; - self.permutation.write(writer, format)?; + self.l0.write(writer)?; + self.l_last.write(writer)?; + self.l_active_row.write(writer)?; + write_polynomial_slice(&self.fixed_values, writer)?; + write_polynomial_slice(&self.fixed_polys, writer)?; + write_polynomial_slice(&self.fixed_cosets, writer)?; + self.permutation.write(writer)?; Ok(()) } @@ -402,18 +355,18 @@ where /// /// Reads a curve element from the buffer and parses it according to the `format`: /// - `Processed`: Reads a compressed curve element and decompresses it. - /// Reads a field element in standard form, with endianness specified by the - /// `PrimeField` implementation, and checks that the element is less than the modulus. + /// Reads a field element in standard form, with endianness specified by the + /// `PrimeField` implementation, and checks that the element is less than the modulus. /// - `RawBytes`: Reads an uncompressed curve element with coordinates in Montgomery form. - /// Checks that field elements are less than modulus, and then checks that the point is on the curve. + /// Checks that field elements are less than modulus, and then checks that the point is on the curve. /// - `RawBytesUnchecked`: Reads an uncompressed curve element with coordinates in Montgomery form; - /// does not perform any checks - pub fn read>( + /// does not perform any checks + pub fn read>( reader: &mut R, format: SerdeFormat, #[cfg(feature = "circuit-params")] params: ConcreteCircuit::Params, ) -> io::Result { - let vk = VerifyingKey::::read::( + let vk = VerifyingKey::::read::( reader, format, #[cfg(feature = "circuit-params")] @@ -448,7 +401,7 @@ where } /// Reads a proving key from a slice of bytes using [`Self::read`]. - pub fn from_bytes>( + pub fn from_bytes>( mut bytes: &[u8], format: SerdeFormat, #[cfg(feature = "circuit-params")] params: ConcreteCircuit::Params, @@ -462,29 +415,9 @@ where } } -impl VerifyingKey { +impl> VerifyingKey { /// Get the underlying [`EvaluationDomain`]. - pub fn get_domain(&self) -> &EvaluationDomain { + pub fn get_domain(&self) -> &EvaluationDomain { &self.domain } } - -#[derive(Clone, Copy, Debug)] -struct Theta; -type ChallengeTheta = ChallengeScalar; - -#[derive(Clone, Copy, Debug)] -struct Beta; -type ChallengeBeta = ChallengeScalar; - -#[derive(Clone, Copy, Debug)] -struct Gamma; -type ChallengeGamma = ChallengeScalar; - -#[derive(Clone, Copy, Debug)] -struct Y; -type ChallengeY = ChallengeScalar; - -#[derive(Clone, Copy, Debug)] -struct X; -type ChallengeX = ChallengeScalar; diff --git a/halo2_proofs/src/plonk/permutation.rs b/src/plonk/permutation.rs similarity index 75% rename from halo2_proofs/src/plonk/permutation.rs rename to src/plonk/permutation.rs index 22c1fad6c3..f0614ba59a 100644 --- a/halo2_proofs/src/plonk/permutation.rs +++ b/src/plonk/permutation.rs @@ -2,13 +2,9 @@ use super::circuit::{Any, Column}; use crate::{ - arithmetic::CurveAffine, - helpers::{ - polynomial_slice_byte_length, read_polynomial_vec, write_polynomial_slice, - SerdeCurveAffine, SerdePrimeField, - }, poly::{Coeff, ExtendedLagrangeCoeff, LagrangeCoeff, Polynomial}, - SerdeFormat, + utils::helpers::{polynomial_slice_byte_length, read_polynomial_vec, write_polynomial_slice}, + utils::SerdeFormat, }; pub(crate) mod keygen; @@ -17,6 +13,10 @@ pub(crate) mod verifier; pub use keygen::Assembly; +use crate::poly::commitment::PolynomialCommitmentScheme; +use crate::utils::helpers::{byte_length, ProcessedSerdeObject}; +use ff::PrimeField; +use halo2curves::serde::SerdeObject; use std::io; /// A permutation argument. @@ -83,19 +83,19 @@ impl Argument { /// The verifying key for a single permutation argument. #[derive(Clone, Debug)] -pub struct VerifyingKey { - commitments: Vec, +pub struct VerifyingKey> { + commitments: Vec, } -impl VerifyingKey { +impl> VerifyingKey { /// Returns commitments of sigma polynomials - pub fn commitments(&self) -> &Vec { + pub fn commitments(&self) -> &Vec { &self.commitments } pub(crate) fn write(&self, writer: &mut W, format: SerdeFormat) -> io::Result<()> where - C: SerdeCurveAffine, + CS::Commitment: SerdeObject, { for commitment in &self.commitments { commitment.write(writer, format)?; @@ -109,34 +109,31 @@ impl VerifyingKey { format: SerdeFormat, ) -> io::Result where - C: SerdeCurveAffine, + CS::Commitment: SerdeObject, { let commitments = (0..argument.columns.len()) - .map(|_| C::read(reader, format)) + .map(|_| CS::Commitment::read(reader, format)) .collect::, _>>()?; Ok(VerifyingKey { commitments }) } pub(crate) fn bytes_length(&self, format: SerdeFormat) -> usize where - C: SerdeCurveAffine, + CS::Commitment: SerdeObject, { - self.commitments.len() * C::byte_length(format) + self.commitments.len() * byte_length::(format) } } /// The proving key for a single permutation argument. #[derive(Clone, Debug)] -pub(crate) struct ProvingKey { - permutations: Vec>, - polys: Vec>, - pub(super) cosets: Vec>, +pub(crate) struct ProvingKey { + permutations: Vec>, + polys: Vec>, + pub(super) cosets: Vec>, } -impl ProvingKey -where - C::Scalar: SerdePrimeField, -{ +impl ProvingKey { /// Reads proving key for a single permutation argument from buffer using `Polynomial::read`. pub(super) fn read(reader: &mut R, format: SerdeFormat) -> io::Result { let permutations = read_polynomial_vec(reader, format)?; @@ -150,19 +147,15 @@ where } /// Writes proving key for a single permutation argument to buffer using `Polynomial::write`. - pub(super) fn write( - &self, - writer: &mut W, - format: SerdeFormat, - ) -> io::Result<()> { - write_polynomial_slice(&self.permutations, writer, format)?; - write_polynomial_slice(&self.polys, writer, format)?; - write_polynomial_slice(&self.cosets, writer, format)?; + pub(super) fn write(&self, writer: &mut W) -> io::Result<()> { + write_polynomial_slice(&self.permutations, writer)?; + write_polynomial_slice(&self.polys, writer)?; + write_polynomial_slice(&self.cosets, writer)?; Ok(()) } } -impl ProvingKey { +impl ProvingKey { /// Gets the total number of bytes in the serialization of `self` pub(super) fn bytes_length(&self) -> usize { polynomial_slice_byte_length(&self.permutations) diff --git a/halo2_proofs/src/plonk/permutation/keygen.rs b/src/plonk/permutation/keygen.rs similarity index 83% rename from halo2_proofs/src/plonk/permutation/keygen.rs rename to src/plonk/permutation/keygen.rs index 0d78f00ac5..93b8118dd6 100644 --- a/halo2_proofs/src/plonk/permutation/keygen.rs +++ b/src/plonk/permutation/keygen.rs @@ -1,22 +1,20 @@ -use ff::{Field, PrimeField}; -use group::Curve; +use ff::WithSmallOrderMulGroup; use super::{Argument, ProvingKey, VerifyingKey}; use crate::{ - arithmetic::{parallelize, CurveAffine}, plonk::{Any, Column, Error}, - poly::{ - commitment::{Blind, Params}, - EvaluationDomain, - }, + poly::EvaluationDomain, + utils::arithmetic::parallelize, }; #[cfg(feature = "thread-safe-region")] -use crate::multicore::{IndexedParallelIterator, IntoParallelIterator, ParallelIterator}; +use crate::utils::multicore::{IndexedParallelIterator, IntoParallelIterator, ParallelIterator}; #[cfg(not(feature = "thread-safe-region"))] -use crate::multicore::{IndexedParallelIterator, IntoParallelRefIterator, ParallelIterator}; +use crate::utils::multicore::{IndexedParallelIterator, IntoParallelRefIterator, ParallelIterator}; +use crate::poly::commitment::{Params, PolynomialCommitmentScheme}; +use rayon::iter::IntoParallelRefMutIterator; #[cfg(feature = "thread-safe-region")] use std::collections::{BTreeSet, HashMap}; @@ -113,22 +111,22 @@ impl Assembly { Ok(()) } - pub(crate) fn build_vk<'params, C: CurveAffine, P: Params<'params, C>>( + pub(crate) fn build_vk, CS: PolynomialCommitmentScheme>( self, - params: &P, - domain: &EvaluationDomain, + params: &CS::VerifierParameters, + domain: &EvaluationDomain, p: &Argument, - ) -> VerifyingKey { + ) -> VerifyingKey { build_vk(params, domain, p, |i, j| self.mapping[i][j]) } - pub(crate) fn build_pk<'params, C: CurveAffine, P: Params<'params, C>>( + pub(crate) fn build_pk, CS: PolynomialCommitmentScheme>( self, - params: &P, - domain: &EvaluationDomain, + params: &CS::Parameters, + domain: &EvaluationDomain, p: &Argument, - ) -> ProvingKey { - build_pk(params, domain, p, |i, j| self.mapping[i][j]) + ) -> ProvingKey { + build_pk::<_, CS>(params, domain, p, |i, j| self.mapping[i][j]) } /// Returns columns that participate in the permutation argument. @@ -284,22 +282,22 @@ impl Assembly { } } - pub(crate) fn build_vk<'params, C: CurveAffine, P: Params<'params, C>>( + pub(crate) fn build_vk>( &mut self, - params: &P, - domain: &EvaluationDomain, + params: &CS::VerifierParameters, + domain: &EvaluationDomain, p: &Argument, - ) -> VerifyingKey { + ) -> VerifyingKey { self.build_ordered_mapping(); build_vk(params, domain, p, |i, j| self.mapping_at_idx(i, j)) } - pub(crate) fn build_pk<'params, C: CurveAffine, P: Params<'params, C>>( + pub(crate) fn build_pk>( &mut self, - params: &P, - domain: &EvaluationDomain, + params: &CS::Parameters, + domain: &EvaluationDomain, p: &Argument, - ) -> ProvingKey { + ) -> ProvingKey { self.build_ordered_mapping(); build_pk(params, domain, p, |i, j| self.mapping_at_idx(i, j)) } @@ -321,14 +319,14 @@ impl Assembly { } } -pub(crate) fn build_pk<'params, C: CurveAffine, P: Params<'params, C>>( - params: &P, - domain: &EvaluationDomain, +pub(crate) fn build_pk, CS: PolynomialCommitmentScheme>( + params: &CS::Parameters, + domain: &EvaluationDomain, p: &Argument, mapping: impl Fn(usize, usize) -> (usize, usize) + Sync, -) -> ProvingKey { +) -> ProvingKey { // Compute [omega^0, omega^1, ..., omega^{params.n - 1}] - let mut omega_powers = vec![C::Scalar::ZERO; params.n() as usize]; + let mut omega_powers = vec![F::ZERO; params.n() as usize]; { let omega = domain.get_omega(); parallelize(&mut omega_powers, |o, start| { @@ -344,12 +342,12 @@ pub(crate) fn build_pk<'params, C: CurveAffine, P: Params<'params, C>>( let mut deltaomega = vec![omega_powers; p.columns.len()]; { parallelize(&mut deltaomega, |o, start| { - let mut cur = C::Scalar::DELTA.pow_vartime([start as u64]); + let mut cur = F::DELTA.pow_vartime([start as u64]); for omega_powers in o.iter_mut() { for v in omega_powers { *v *= &cur; } - cur *= &C::Scalar::DELTA; + cur *= &F::DELTA; } }); } @@ -358,35 +356,40 @@ pub(crate) fn build_pk<'params, C: CurveAffine, P: Params<'params, C>>( let mut permutations = vec![domain.empty_lagrange(); p.columns.len()]; { parallelize(&mut permutations, |o, start| { - for (x, permutation_poly) in o.iter_mut().enumerate() { - let i = start + x; - for (j, p) in permutation_poly.iter_mut().enumerate() { - let (permuted_i, permuted_j) = mapping(i, j); - *p = deltaomega[permuted_i][permuted_j]; - } - } + o.par_iter_mut() + .enumerate() + .for_each(|(x, permutation_poly)| { + let i = start + x; + permutation_poly + .par_iter_mut() + .enumerate() + .for_each(|(j, p)| { + let (permuted_i, permuted_j) = mapping(i, j); + *p = deltaomega[permuted_i][permuted_j]; + }) + }) }); } let mut polys = vec![domain.empty_coeff(); p.columns.len()]; { parallelize(&mut polys, |o, start| { - for (x, poly) in o.iter_mut().enumerate() { + o.par_iter_mut().enumerate().for_each(|(x, poly)| { let i = start + x; let permutation_poly = permutations[i].clone(); *poly = domain.lagrange_to_coeff(permutation_poly); - } + }) }); } let mut cosets = vec![domain.empty_extended(); p.columns.len()]; { parallelize(&mut cosets, |o, start| { - for (x, coset) in o.iter_mut().enumerate() { + o.par_iter_mut().enumerate().for_each(|(x, coset)| { let i = start + x; let poly = polys[i].clone(); *coset = domain.coeff_to_extended(poly); - } + }) }); } @@ -397,14 +400,14 @@ pub(crate) fn build_pk<'params, C: CurveAffine, P: Params<'params, C>>( } } -pub(crate) fn build_vk<'params, C: CurveAffine, P: Params<'params, C>>( - params: &P, - domain: &EvaluationDomain, +pub(crate) fn build_vk, CS: PolynomialCommitmentScheme>( + params: &CS::VerifierParameters, + domain: &EvaluationDomain, p: &Argument, mapping: impl Fn(usize, usize) -> (usize, usize) + Sync, -) -> VerifyingKey { +) -> VerifyingKey { // Compute [omega^0, omega^1, ..., omega^{params.n - 1}] - let mut omega_powers = vec![C::Scalar::ZERO; params.n() as usize]; + let mut omega_powers = vec![F::ZERO; params.n() as usize]; { let omega = domain.get_omega(); parallelize(&mut omega_powers, |o, start| { @@ -420,12 +423,12 @@ pub(crate) fn build_vk<'params, C: CurveAffine, P: Params<'params, C>>( let mut deltaomega = vec![omega_powers; p.columns.len()]; { parallelize(&mut deltaomega, |o, start| { - let mut cur = C::Scalar::DELTA.pow_vartime([start as u64]); + let mut cur = F::DELTA.pow_vartime([start as u64]); for omega_powers in o.iter_mut() { for v in omega_powers { *v *= &cur; } - cur *= &::DELTA; + cur *= &F::DELTA; } }); } @@ -449,11 +452,7 @@ pub(crate) fn build_vk<'params, C: CurveAffine, P: Params<'params, C>>( let mut commitments = Vec::with_capacity(p.columns.len()); for permutation in &permutations { // Compute commitment to permutation polynomial - commitments.push( - params - .commit_lagrange(permutation, Blind::default()) - .to_affine(), - ); + commitments.push(params.commit_lagrange(permutation)); } VerifyingKey { commitments } diff --git a/halo2_proofs/src/plonk/permutation/prover.rs b/src/plonk/permutation/prover.rs similarity index 60% rename from halo2_proofs/src/plonk/permutation/prover.rs rename to src/plonk/permutation/prover.rs index d6b108554d..2e6e3e9707 100644 --- a/halo2_proofs/src/plonk/permutation/prover.rs +++ b/src/plonk/permutation/prover.rs @@ -1,68 +1,54 @@ -use ff::PrimeField; -use group::{ - ff::{BatchInvert, Field}, - Curve, -}; +use ff::{PrimeField, WithSmallOrderMulGroup}; +use group::ff::BatchInvert; +use halo2curves::serde::SerdeObject; use rand_core::RngCore; use std::iter::{self, ExactSizeIterator}; -use super::super::{circuit::Any, ChallengeBeta, ChallengeGamma, ChallengeX}; +use super::super::circuit::Any; use super::{Argument, ProvingKey}; +use crate::poly::commitment::{Params, PolynomialCommitmentScheme}; +use crate::transcript::{Hashable, Transcript}; use crate::{ - arithmetic::{eval_polynomial, parallelize, CurveAffine}, plonk::{self, Error}, - poly::{ - commitment::{Blind, Params}, - Coeff, ExtendedLagrangeCoeff, LagrangeCoeff, Polynomial, ProverQuery, Rotation, - }, - transcript::{EncodedChallenge, TranscriptWrite}, + poly::{Coeff, LagrangeCoeff, Polynomial, ProverQuery, Rotation}, + utils::arithmetic::{eval_polynomial, parallelize}, }; -pub(crate) struct CommittedSet { - pub(crate) permutation_product_poly: Polynomial, - pub(crate) permutation_product_coset: Polynomial, - permutation_product_blind: Blind, -} - -pub(crate) struct Committed { - pub(crate) sets: Vec>, +pub(crate) struct CommittedSet { + pub(crate) permutation_product_poly: Polynomial, } -pub struct ConstructedSet { - permutation_product_poly: Polynomial, - permutation_product_blind: Blind, +pub(crate) struct Committed { + pub(crate) sets: Vec>, } -pub(crate) struct Constructed { - sets: Vec>, -} - -pub(crate) struct Evaluated { - constructed: Constructed, +pub(crate) struct Evaluated { + constructed: Committed, } impl Argument { #[allow(clippy::too_many_arguments)] pub(in crate::plonk) fn commit< - 'params, - C: CurveAffine, - P: Params<'params, C>, - E: EncodedChallenge, + F: WithSmallOrderMulGroup<3>, + CS: PolynomialCommitmentScheme, R: RngCore, - T: TranscriptWrite, + T: Transcript, >( &self, - params: &P, - pk: &plonk::ProvingKey, - pkey: &ProvingKey, - advice: &[Polynomial], - fixed: &[Polynomial], - instance: &[Polynomial], - beta: ChallengeBeta, - gamma: ChallengeGamma, + params: &CS::Parameters, + pk: &plonk::ProvingKey, + pkey: &ProvingKey, + advice: &[Polynomial], + fixed: &[Polynomial], + instance: &[Polynomial], + beta: F, + gamma: F, mut rng: R, transcript: &mut T, - ) -> Result, Error> { + ) -> Result, Error> + where + CS::Commitment: Hashable, + { let domain = &pk.vk.domain; // How many columns can be included in a single permutation polynomial? @@ -74,10 +60,10 @@ impl Argument { let blinding_factors = pk.vk.cs.blinding_factors(); // Each column gets its own delta power. - let mut deltaomega = C::Scalar::ONE; + let mut deltaomega = F::ONE; // Track the "last" value from the previous column set - let mut last_z = C::Scalar::ONE; + let mut last_z = F::ONE; let mut sets = vec![]; @@ -94,7 +80,7 @@ impl Argument { // where p_j(X) is the jth column in this permutation, // and i is the ith row of the column. - let mut modified_values = vec![C::Scalar::ONE; params.n() as usize]; + let mut modified_values = vec![F::ONE; params.n() as usize]; // Iterate over each column of the permutation for (&column, permuted_column_values) in columns.iter().zip(permutations.iter()) { @@ -109,7 +95,7 @@ impl Argument { .zip(values[column.index()][start..].iter()) .zip(permuted_column_values[start..].iter()) { - *modified_values *= &(*beta * permuted_value + &*gamma + value); + *modified_values *= &(beta * permuted_value + &gamma + value); } }); } @@ -133,11 +119,11 @@ impl Argument { .zip(values[column.index()][start..].iter()) { // Multiply by p_j(\omega^i) + \delta^j \omega^i \beta - *modified_values *= &(deltaomega * &*beta + &*gamma + value); + *modified_values *= &(deltaomega * &beta + &gamma + value); deltaomega *= ω } }); - deltaomega *= &::DELTA; + deltaomega *= &F::DELTA; } // The modified_values vector is a vector of products of fractions @@ -161,30 +147,19 @@ impl Argument { let mut z = domain.lagrange_from_vec(z); // Set blinding factors for z in &mut z[params.n() as usize - blinding_factors..] { - *z = C::Scalar::random(&mut rng); + *z = F::random(&mut rng); } // Set new last_z last_z = z[params.n() as usize - (blinding_factors + 1)]; - let blind = Blind(C::Scalar::random(&mut rng)); - - let permutation_product_commitment_projective = params.commit_lagrange(&z, blind); - let permutation_product_blind = blind; - let z = domain.lagrange_to_coeff(z); - let permutation_product_poly = z.clone(); - - let permutation_product_coset = domain.coeff_to_extended(z.clone()); - - let permutation_product_commitment = - permutation_product_commitment_projective.to_affine(); + let permutation_product_commitment = params.commit_lagrange(&z); + let permutation_product_poly = domain.lagrange_to_coeff(z); // Hash the permutation product commitment - transcript.write_point(permutation_product_commitment)?; + transcript.write(&permutation_product_commitment)?; sets.push(CommittedSet { permutation_product_poly, - permutation_product_coset, - permutation_product_blind, }); } @@ -192,54 +167,40 @@ impl Argument { } } -impl Committed { - pub(in crate::plonk) fn construct(self) -> Constructed { - Constructed { - sets: self - .sets - .iter() - .map(|set| ConstructedSet { - permutation_product_poly: set.permutation_product_poly.clone(), - permutation_product_blind: set.permutation_product_blind, - }) - .collect(), - } - } -} - -impl super::ProvingKey { - pub(in crate::plonk) fn open( - &self, - x: ChallengeX, - ) -> impl Iterator> + Clone { - self.polys.iter().map(move |poly| ProverQuery { - point: *x, - poly, - blind: Blind::default(), - }) +impl super::ProvingKey { + pub(in crate::plonk) fn open(&self, x: F) -> impl Iterator> + Clone { + self.polys + .iter() + .map(move |poly| ProverQuery { point: x, poly }) } - pub(in crate::plonk) fn evaluate, T: TranscriptWrite>( + pub(in crate::plonk) fn evaluate( &self, - x: ChallengeX, + x: F, transcript: &mut T, - ) -> Result<(), Error> { + ) -> Result<(), Error> + where + F: Hashable + SerdeObject, + { // Hash permutation evals - for eval in self.polys.iter().map(|poly| eval_polynomial(poly, *x)) { - transcript.write_scalar(eval)?; + for eval in self.polys.iter().map(|poly| eval_polynomial(poly, x)) { + transcript.write(&eval)?; } Ok(()) } } -impl Constructed { - pub(in crate::plonk) fn evaluate, T: TranscriptWrite>( +impl> Committed { + pub(in crate::plonk) fn evaluate>( self, - pk: &plonk::ProvingKey, - x: ChallengeX, + pk: &plonk::ProvingKey, + x: F, transcript: &mut T, - ) -> Result, Error> { + ) -> Result, Error> + where + F: Hashable + SerdeObject, + { let domain = &pk.vk.domain; let blinding_factors = pk.vk.cs.blinding_factors(); @@ -247,11 +208,11 @@ impl Constructed { let mut sets = self.sets.iter(); while let Some(set) = sets.next() { - let permutation_product_eval = eval_polynomial(&set.permutation_product_poly, *x); + let permutation_product_eval = eval_polynomial(&set.permutation_product_poly, x); let permutation_product_next_eval = eval_polynomial( &set.permutation_product_poly, - domain.rotate_omega(*x, Rotation::next()), + domain.rotate_omega(x, Rotation::next()), ); // Hash permutation product evals @@ -259,7 +220,7 @@ impl Constructed { .chain(Some(&permutation_product_eval)) .chain(Some(&permutation_product_next_eval)) { - transcript.write_scalar(*eval)?; + transcript.write(eval)?; } // If we have any remaining sets to process, evaluate this set at omega^u @@ -268,10 +229,10 @@ impl Constructed { if sets.len() > 0 { let permutation_product_last_eval = eval_polynomial( &set.permutation_product_poly, - domain.rotate_omega(*x, Rotation(-((blinding_factors + 1) as i32))), + domain.rotate_omega(x, Rotation(-((blinding_factors + 1) as i32))), ); - transcript.write_scalar(permutation_product_last_eval)?; + transcript.write(&permutation_product_last_eval)?; } } } @@ -280,32 +241,30 @@ impl Constructed { } } -impl Evaluated { - pub(in crate::plonk) fn open<'a>( +impl> Evaluated { + pub(in crate::plonk) fn open<'a, CS: PolynomialCommitmentScheme>( &'a self, - pk: &'a plonk::ProvingKey, - x: ChallengeX, - ) -> impl Iterator> + Clone { + pk: &'a plonk::ProvingKey, + x: F, + ) -> impl Iterator> + Clone { let blinding_factors = pk.vk.cs.blinding_factors(); - let x_next = pk.vk.domain.rotate_omega(*x, Rotation::next()); + let x_next = pk.vk.domain.rotate_omega(x, Rotation::next()); let x_last = pk .vk .domain - .rotate_omega(*x, Rotation(-((blinding_factors + 1) as i32))); + .rotate_omega(x, Rotation(-((blinding_factors + 1) as i32))); iter::empty() .chain(self.constructed.sets.iter().flat_map(move |set| { iter::empty() // Open permutation product commitments at x and \omega x .chain(Some(ProverQuery { - point: *x, + point: x, poly: &set.permutation_product_poly, - blind: set.permutation_product_blind, })) .chain(Some(ProverQuery { point: x_next, poly: &set.permutation_product_poly, - blind: set.permutation_product_blind, })) })) // Open it at \omega^{last} x for all but the last set. This rotation is only @@ -321,7 +280,6 @@ impl Evaluated { Some(ProverQuery { point: x_last, poly: &set.permutation_product_poly, - blind: set.permutation_product_blind, }) }), ) diff --git a/halo2_proofs/src/plonk/permutation/verifier.rs b/src/plonk/permutation/verifier.rs similarity index 62% rename from halo2_proofs/src/plonk/permutation/verifier.rs rename to src/plonk/permutation/verifier.rs index a4637422ae..5afb03db30 100644 --- a/halo2_proofs/src/plonk/permutation/verifier.rs +++ b/src/plonk/permutation/verifier.rs @@ -1,50 +1,54 @@ -use ff::{Field, PrimeField}; +use ff::{PrimeField, WithSmallOrderMulGroup}; +use halo2curves::serde::SerdeObject; use std::iter; -use super::super::{circuit::Any, ChallengeBeta, ChallengeGamma, ChallengeX}; +use super::super::circuit::Any; use super::{Argument, VerifyingKey}; +use crate::poly::commitment::PolynomialCommitmentScheme; +use crate::transcript::{Hashable, Transcript}; use crate::{ - arithmetic::CurveAffine, plonk::{self, Error}, - poly::{commitment::MSM, Rotation, VerifierQuery}, - transcript::{EncodedChallenge, TranscriptRead}, + poly::{Rotation, VerifierQuery}, }; -pub struct Committed { - permutation_product_commitments: Vec, +pub struct Committed> { + permutation_product_commitments: Vec, } -pub struct EvaluatedSet { - permutation_product_commitment: C, - permutation_product_eval: C::Scalar, - permutation_product_next_eval: C::Scalar, - permutation_product_last_eval: Option, +pub struct EvaluatedSet> { + permutation_product_commitment: CS::Commitment, + permutation_product_eval: F, + permutation_product_next_eval: F, + permutation_product_last_eval: Option, } -pub struct CommonEvaluated { - permutation_evals: Vec, +pub struct CommonEvaluated { + permutation_evals: Vec, } -pub struct Evaluated { - sets: Vec>, +pub struct Evaluated> { + sets: Vec>, } impl Argument { pub(crate) fn read_product_commitments< - C: CurveAffine, - E: EncodedChallenge, - T: TranscriptRead, + F: PrimeField, + CS: PolynomialCommitmentScheme, + T: Transcript, >( &self, - vk: &plonk::VerifyingKey, + vk: &plonk::VerifyingKey, transcript: &mut T, - ) -> Result, Error> { + ) -> Result, Error> + where + CS::Commitment: Hashable + SerdeObject, + { let chunk_len = vk.cs_degree - 2; let permutation_product_commitments = self .columns .chunks(chunk_len) - .map(|_| transcript.read_point()) + .map(|_| transcript.read()) .collect::, _>>()?; Ok(Committed { @@ -53,35 +57,42 @@ impl Argument { } } -impl VerifyingKey { - pub(in crate::plonk) fn evaluate, T: TranscriptRead>( +impl> VerifyingKey { + pub(in crate::plonk) fn evaluate( &self, transcript: &mut T, - ) -> Result, Error> { + ) -> Result, Error> + where + F: Hashable + SerdeObject, + { let permutation_evals = self .commitments .iter() - .map(|_| transcript.read_scalar()) + .map(|_| transcript.read()) .collect::, _>>()?; Ok(CommonEvaluated { permutation_evals }) } } -impl Committed { - pub(crate) fn evaluate, T: TranscriptRead>( +impl> Committed { + pub(crate) fn evaluate( self, transcript: &mut T, - ) -> Result, Error> { + ) -> Result, Error> + where + CS::Commitment: Hashable + SerdeObject, + F: Hashable + SerdeObject, + { let mut sets = vec![]; let mut iter = self.permutation_product_commitments.into_iter(); while let Some(permutation_product_commitment) = iter.next() { - let permutation_product_eval = transcript.read_scalar()?; - let permutation_product_next_eval = transcript.read_scalar()?; + let permutation_product_eval = transcript.read()?; + let permutation_product_next_eval = transcript.read()?; let permutation_product_last_eval = if iter.len() > 0 { - Some(transcript.read_scalar()?) + Some(transcript.read()?) } else { None }; @@ -98,23 +109,23 @@ impl Committed { } } -impl Evaluated { +impl, CS: PolynomialCommitmentScheme> Evaluated { #[allow(clippy::too_many_arguments)] pub(in crate::plonk) fn expressions<'a>( &'a self, - vk: &'a plonk::VerifyingKey, + vk: &'a plonk::VerifyingKey, p: &'a Argument, - common: &'a CommonEvaluated, - advice_evals: &'a [C::Scalar], - fixed_evals: &'a [C::Scalar], - instance_evals: &'a [C::Scalar], - l_0: C::Scalar, - l_last: C::Scalar, - l_blind: C::Scalar, - beta: ChallengeBeta, - gamma: ChallengeGamma, - x: ChallengeX, - ) -> impl Iterator + 'a { + common: &'a CommonEvaluated, + advice_evals: &'a [F], + fixed_evals: &'a [F], + instance_evals: &'a [F], + l_0: F, + l_last: F, + l_blind: F, + beta: F, + gamma: F, + x: F, + ) -> impl Iterator + 'a { let chunk_len = vk.cs_degree - 2; iter::empty() // Enforce only for the first set. @@ -122,7 +133,7 @@ impl Evaluated { .chain( self.sets .first() - .map(|first_set| l_0 * &(C::Scalar::ONE - &first_set.permutation_product_eval)), + .map(|first_set| l_0 * &(F::ONE - &first_set.permutation_product_eval)), ) // Enforce only for the last set. // l_last(X) * (z_l(X)^2 - z_l(X)) = 0 @@ -174,12 +185,12 @@ impl Evaluated { }) .zip(permutation_evals.iter()) { - left *= &(eval + &(*beta * permutation_eval) + &*gamma); + left *= &(eval + &(beta * permutation_eval) + &gamma); } let mut right = set.permutation_product_eval; - let mut current_delta = (*beta * &*x) - * &(::DELTA + let mut current_delta = (beta * &x) + * &(::DELTA .pow_vartime([(chunk_index * chunk_len) as u64])); for eval in columns.iter().map(|&column| match column.column_type() { Any::Advice(_) => { @@ -192,63 +203,63 @@ impl Evaluated { instance_evals[vk.cs.get_any_query_index(column, Rotation::cur())] } }) { - right *= &(eval + ¤t_delta + &*gamma); - current_delta *= &C::Scalar::DELTA; + right *= &(eval + ¤t_delta + &gamma); + current_delta *= &F::DELTA; } - (left - &right) * (C::Scalar::ONE - &(l_last + &l_blind)) + (left - &right) * (F::ONE - &(l_last + &l_blind)) }), ) } - pub(in crate::plonk) fn queries<'r, M: MSM + 'r>( + pub(in crate::plonk) fn queries<'r>( &'r self, - vk: &'r plonk::VerifyingKey, - x: ChallengeX, - ) -> impl Iterator> + Clone { + vk: &'r plonk::VerifyingKey, + x: F, + ) -> impl Iterator> + Clone + 'r { let blinding_factors = vk.cs.blinding_factors(); - let x_next = vk.domain.rotate_omega(*x, Rotation::next()); + let x_next = vk.domain.rotate_omega(x, Rotation::next()); let x_last = vk .domain - .rotate_omega(*x, Rotation(-((blinding_factors + 1) as i32))); + .rotate_omega(x, Rotation(-((blinding_factors + 1) as i32))); iter::empty() .chain(self.sets.iter().flat_map(move |set| { iter::empty() // Open permutation product commitments at x and \omega^{-1} x // Open permutation product commitments at x and \omega x - .chain(Some(VerifierQuery::new_commitment( - &set.permutation_product_commitment, - *x, + .chain(Some(VerifierQuery::new( + x, + set.permutation_product_commitment, set.permutation_product_eval, ))) - .chain(Some(VerifierQuery::new_commitment( - &set.permutation_product_commitment, + .chain(Some(VerifierQuery::new( x_next, + set.permutation_product_commitment, set.permutation_product_next_eval, ))) })) // Open it at \omega^{last} x for all but the last set .chain(self.sets.iter().rev().skip(1).flat_map(move |set| { - Some(VerifierQuery::new_commitment( - &set.permutation_product_commitment, + Some(VerifierQuery::new( x_last, + set.permutation_product_commitment, set.permutation_product_last_eval.unwrap(), )) })) } } -impl CommonEvaluated { - pub(in crate::plonk) fn queries<'r, M: MSM + 'r>( +impl CommonEvaluated { + pub(in crate::plonk) fn queries<'r, CS: PolynomialCommitmentScheme>( &'r self, - vkey: &'r VerifyingKey, - x: ChallengeX, - ) -> impl Iterator> + Clone { + vkey: &'r VerifyingKey, + x: F, + ) -> impl Iterator> + Clone + 'r { // Open permutation commitments for each permutation argument at x vkey.commitments .iter() .zip(self.permutation_evals.iter()) - .map(move |(commitment, &eval)| VerifierQuery::new_commitment(commitment, *x, eval)) + .map(move |(&commitment, &eval)| VerifierQuery::new(x, commitment, eval)) } } diff --git a/halo2_proofs/src/plonk/prover.rs b/src/plonk/prover.rs similarity index 61% rename from halo2_proofs/src/plonk/prover.rs rename to src/plonk/prover.rs index cd0d7306a9..18fea4c94a 100644 --- a/halo2_proofs/src/plonk/prover.rs +++ b/src/plonk/prover.rs @@ -1,6 +1,5 @@ -use ff::{Field, FromUniformBytes, WithSmallOrderMulGroup}; -use group::Curve; -use rand_core::RngCore; +use ff::{Field, PrimeField, WithSmallOrderMulGroup}; +use rand_core::{CryptoRng, RngCore}; use std::collections::{BTreeSet, HashSet}; use std::ops::RangeTo; use std::{collections::HashMap, iter}; @@ -11,47 +10,43 @@ use super::{ Advice, Any, Assignment, Challenge, Circuit, Column, ConstraintSystem, Fixed, FloorPlanner, Instance, Selector, }, - lookup, permutation, shuffle, vanishing, ChallengeBeta, ChallengeGamma, ChallengeTheta, - ChallengeX, ChallengeY, Error, ProvingKey, + lookup, permutation, vanishing, Error, ProvingKey, }; use crate::{ - arithmetic::{eval_polynomial, CurveAffine}, - circuit::Value, - plonk::Assigned, - poly::{ - commitment::{Blind, CommitmentScheme, Params, Prover}, - Basis, Coeff, LagrangeCoeff, Polynomial, ProverQuery, - }, -}; -use crate::{ - poly::batch_invert_assigned, - transcript::{EncodedChallenge, TranscriptWrite}, + // circuit::Value, + // plonk::Assigned, + poly::{Basis, Coeff, LagrangeCoeff, Polynomial, ProverQuery}, + utils::arithmetic::eval_polynomial, }; -use group::prime::PrimeCurveAffine; + +use crate::circuit::Value; +use crate::poly::batch_invert_rational; +use crate::poly::commitment::{Params, PolynomialCommitmentScheme}; +use crate::transcript::{Hashable, Sampleable, Transcript}; +use crate::utils::rational::Rational; +use halo2curves::serde::SerdeObject; /// This creates a proof for the provided `circuit` when given the public /// parameters `params` and the proving key [`ProvingKey`] that was /// generated previously for the same circuit. The provided `instances` /// are zero-padded internally. pub fn create_proof< - 'params, - Scheme: CommitmentScheme, - P: Prover<'params, Scheme>, - E: EncodedChallenge, - R: RngCore, - T: TranscriptWrite, - ConcreteCircuit: Circuit, + F: WithSmallOrderMulGroup<3>, + CS: PolynomialCommitmentScheme, + T: Transcript, + ConcreteCircuit: Circuit, >( - params: &'params Scheme::ParamsProver, - pk: &ProvingKey, + params: &CS::Parameters, + pk: &ProvingKey, circuits: &[ConcreteCircuit], - instances: &[&[&[Scheme::Scalar]]], - mut rng: R, + instances: &[&[&[F]]], + mut rng: impl RngCore + CryptoRng, transcript: &mut T, ) -> Result<(), Error> where - Scheme::Scalar: WithSmallOrderMulGroup<3> + FromUniformBytes<64>, + CS::Commitment: Hashable + SerdeObject, + F: Sampleable + Hashable + SerdeObject + Ord, { if circuits.len() != instances.len() { return Err(Error::InvalidInstances); @@ -77,14 +72,14 @@ where // from the verification key. let meta = &pk.vk.cs; - struct InstanceSingle { - pub instance_values: Vec>, - pub instance_polys: Vec>, + struct InstanceSingle { + pub instance_values: Vec>, + pub instance_polys: Vec>, } - let instance: Vec> = instances + let instance: Vec> = instances .iter() - .map(|instance| -> Result, Error> { + .map(|instance| -> Result, Error> { let instance_values = instance .iter() .map(|values| { @@ -94,34 +89,13 @@ where return Err(Error::InstanceTooLarge); } for (poly, value) in poly.iter_mut().zip(values.iter()) { - if !P::QUERY_INSTANCE { - transcript.common_scalar(*value)?; - } + transcript.common(value)?; *poly = *value; } Ok(poly) }) .collect::, _>>()?; - if P::QUERY_INSTANCE { - let instance_commitments_projective: Vec<_> = instance_values - .iter() - .map(|poly| params.commit_lagrange(poly, Blind::default())) - .collect(); - let mut instance_commitments = - vec![Scheme::Curve::identity(); instance_commitments_projective.len()]; - ::CurveExt::batch_normalize( - &instance_commitments_projective, - &mut instance_commitments, - ); - let instance_commitments = instance_commitments; - drop(instance_commitments_projective); - - for commitment in &instance_commitments { - transcript.common_point(*commitment)?; - } - } - let instance_polys: Vec<_> = instance_values .iter() .map(|poly| { @@ -138,15 +112,14 @@ where .collect::, _>>()?; #[derive(Clone)] - struct AdviceSingle { - pub advice_polys: Vec>, - pub advice_blinds: Vec>, + struct AdviceSingle { + pub advice_polys: Vec>, } struct WitnessCollection<'a, F: Field> { k: u32, current_phase: sealed::Phase, - advice: Vec, LagrangeCoeff>>, + advice: Vec, LagrangeCoeff>>, unblinded_advice: HashSet, challenges: &'a HashMap, instances: &'a [&'a [F]], @@ -206,7 +179,7 @@ where ) -> Result<(), Error> where V: FnOnce() -> Value, - VR: Into>, + VR: Into>, A: FnOnce() -> AR, AR: Into, { @@ -237,7 +210,7 @@ where ) -> Result<(), Error> where V: FnOnce() -> Value, - VR: Into>, + VR: Into>, A: FnOnce() -> AR, AR: Into, { @@ -262,7 +235,7 @@ where &mut self, _: Column, _: usize, - _: Value>, + _: Value>, ) -> Result<(), Error> { Ok(()) } @@ -290,13 +263,12 @@ where let (advice, challenges) = { let mut advice = vec![ - AdviceSingle:: { + AdviceSingle:: { advice_polys: vec![domain.empty_lagrange(); meta.num_advice_columns], - advice_blinds: vec![Blind::default(); meta.num_advice_columns], }; instances.len() ]; - let mut challenges = HashMap::::with_capacity(meta.num_challenges); + let mut challenges = HashMap::::with_capacity(meta.num_challenges); let unusable_rows_start = params.n() as usize - (meta.blinding_factors() + 1); for current_phase in pk.vk.cs.phases() { @@ -319,7 +291,7 @@ where let mut witness = WitnessCollection { k: params.k(), current_phase, - advice: vec![domain.empty_lagrange_assigned(); meta.num_advice_columns], + advice: vec![domain.empty_lagrange_rational(); meta.num_advice_columns], unblinded_advice: HashSet::from_iter(meta.unblinded_advice_columns.clone()), instances, challenges: &challenges, @@ -339,7 +311,7 @@ where meta.constants.clone(), )?; - let mut advice_values = batch_invert_assigned::( + let mut advice_values = batch_invert_rational::( witness .advice .into_iter() @@ -354,60 +326,35 @@ where .collect(), ); - // Add blinding factors to advice columns for (column_index, advice_values) in column_indices.iter().zip(&mut advice_values) { if !witness.unblinded_advice.contains(column_index) { for cell in &mut advice_values[unusable_rows_start..] { - *cell = Scheme::Scalar::random(&mut rng); + *cell = F::random(&mut rng); } } else { #[cfg(feature = "sanity-checks")] for cell in &advice_values[unusable_rows_start..] { - assert_eq!(*cell, Scheme::Scalar::ZERO); + assert_eq!(*cell, F::ZERO); } } } - // Compute commitments to advice column polynomials - let blinds: Vec<_> = column_indices + let advice_commitments: Vec<_> = advice_values .iter() - .map(|i| { - if witness.unblinded_advice.contains(i) { - Blind::default() - } else { - Blind(Scheme::Scalar::random(&mut rng)) - } - }) - .collect(); - let advice_commitments_projective: Vec<_> = advice_values - .iter() - .zip(blinds.iter()) - .map(|(poly, blind)| params.commit_lagrange(poly, *blind)) + .map(|poly| params.commit_lagrange(poly)) .collect(); - let mut advice_commitments = - vec![Scheme::Curve::identity(); advice_commitments_projective.len()]; - ::CurveExt::batch_normalize( - &advice_commitments_projective, - &mut advice_commitments, - ); - let advice_commitments = advice_commitments; - drop(advice_commitments_projective); for commitment in &advice_commitments { - transcript.write_point(*commitment)?; + transcript.write(commitment)?; } - for ((column_index, advice_values), blind) in - column_indices.iter().zip(advice_values).zip(blinds) - { + for (column_index, advice_values) in column_indices.iter().zip(advice_values) { advice.advice_polys[*column_index] = advice_values; - advice.advice_blinds[*column_index] = blind; } } for (index, phase) in meta.challenge_phase.iter().enumerate() { if current_phase == *phase { - let existing = - challenges.insert(index, *transcript.squeeze_challenge_scalar::<()>()); + let existing = challenges.insert(index, transcript.squeeze_challenge()); assert!(existing.is_none()); } } @@ -422,9 +369,9 @@ where }; // Sample theta challenge for keeping lookup columns linearly independent - let theta: ChallengeTheta<_> = transcript.squeeze_challenge_scalar(); + let theta: F = transcript.squeeze_challenge(); - let lookups: Vec>> = instance + let lookups: Vec>> = instance .iter() .zip(advice.iter()) .map(|(instance, advice)| -> Result, Error> { @@ -452,13 +399,13 @@ where .collect::, _>>()?; // Sample beta challenge - let beta: ChallengeBeta<_> = transcript.squeeze_challenge_scalar(); + let beta: F = transcript.squeeze_challenge(); // Sample gamma challenge - let gamma: ChallengeGamma<_> = transcript.squeeze_challenge_scalar(); + let gamma: F = transcript.squeeze_challenge(); // Commit to permutations. - let permutations: Vec> = instance + let permutations: Vec> = instance .iter() .zip(advice.iter()) .map(|(instance, advice)| { @@ -477,7 +424,7 @@ where }) .collect::, _>>()?; - let lookups: Vec>> = lookups + let lookups: Vec>> = lookups .into_iter() .map(|lookups| -> Result, _> { // Construct and commit to products for each lookup @@ -488,57 +435,21 @@ where }) .collect::, _>>()?; - let shuffles: Vec>> = instance - .iter() - .zip(advice.iter()) - .map(|(instance, advice)| -> Result, _> { - // Compress expressions for each shuffle - pk.vk - .cs - .shuffles - .iter() - .map(|shuffle| { - shuffle.commit_product( - pk, - params, - domain, - theta, - gamma, - &advice.advice_polys, - &pk.fixed_values, - &instance.instance_values, - &challenges, - &mut rng, - transcript, - ) - }) - .collect::, _>>() - }) - .collect::, _>>()?; - // Commit to the vanishing argument's random polynomial for blinding h(x_3) - let vanishing = vanishing::Argument::commit(params, domain, &mut rng, transcript)?; + let vanishing = vanishing::Argument::::commit(params, domain, &mut rng, transcript)?; // Obtain challenge for keeping all separate gates linearly independent - let y: ChallengeY<_> = transcript.squeeze_challenge_scalar(); + let y: F = transcript.squeeze_challenge(); // Calculate the advice polys - let advice: Vec> = advice + let advice: Vec> = advice .into_iter() - .map( - |AdviceSingle { - advice_polys, - advice_blinds, - }| { - AdviceSingle { - advice_polys: advice_polys - .into_iter() - .map(|poly| domain.lagrange_to_coeff(poly)) - .collect::>(), - advice_blinds, - } - }, - ) + .map(|AdviceSingle { advice_polys }| AdviceSingle { + advice_polys: advice_polys + .into_iter() + .map(|poly| domain.lagrange_to_coeff(poly)) + .collect::>(), + }) .collect(); // Evaluate the h(X) polynomial @@ -553,42 +464,18 @@ where .map(|i| i.instance_polys.as_slice()) .collect::>(), &challenges, - *y, - *beta, - *gamma, - *theta, + y, + beta, + gamma, + theta, &lookups, - &shuffles, &permutations, ); // Construct the vanishing argument's h(X) commitments - let vanishing = vanishing.construct(params, domain, h_poly, &mut rng, transcript)?; + let vanishing = vanishing.construct::(params, domain, h_poly, transcript)?; - let x: ChallengeX<_> = transcript.squeeze_challenge_scalar(); - let xn = x.pow([params.n()]); - - if P::QUERY_INSTANCE { - // Compute and hash instance evals for each circuit instance - for instance in instance.iter() { - // Evaluate polynomials at omega^i x - let instance_evals: Vec<_> = meta - .instance_queries - .iter() - .map(|&(column, at)| { - eval_polynomial( - &instance.instance_polys[column.index()], - domain.rotate_omega(*x, at), - ) - }) - .collect(); - - // Hash each instance column evaluation - for eval in instance_evals.iter() { - transcript.write_scalar(*eval)?; - } - } - } + let x: F = transcript.squeeze_challenge(); // Compute and hash advice evals for each circuit instance for advice in advice.iter() { @@ -599,14 +486,14 @@ where .map(|&(column, at)| { eval_polynomial( &advice.advice_polys[column.index()], - domain.rotate_omega(*x, at), + domain.rotate_omega(x, at), ) }) .collect(); // Hash each advice column evaluation for eval in advice_evals.iter() { - transcript.write_scalar(*eval)?; + transcript.write(eval)?; } } @@ -615,28 +502,28 @@ where .fixed_queries .iter() .map(|&(column, at)| { - eval_polynomial(&pk.fixed_polys[column.index()], domain.rotate_omega(*x, at)) + eval_polynomial(&pk.fixed_polys[column.index()], domain.rotate_omega(x, at)) }) .collect(); // Hash each fixed column evaluation for eval in fixed_evals.iter() { - transcript.write_scalar(*eval)?; + transcript.write(eval)?; } - let vanishing = vanishing.evaluate(x, xn, domain, transcript)?; + let vanishing = vanishing.evaluate(x, transcript)?; // Evaluate common permutation data pk.permutation.evaluate(x, transcript)?; // Evaluate the permutations, if any, at omega^i x. - let permutations: Vec> = permutations + let permutations: Vec> = permutations .into_iter() - .map(|permutation| -> Result<_, _> { permutation.construct().evaluate(pk, x, transcript) }) + .map(|permutation| -> Result<_, _> { permutation.evaluate(pk, x, transcript) }) .collect::, _>>()?; // Evaluate the lookups, if any, at omega^i x. - let lookups: Vec>> = lookups + let lookups: Vec>> = lookups .into_iter() .map(|lookups| -> Result, _> { lookups @@ -646,51 +533,24 @@ where }) .collect::, _>>()?; - // Evaluate the shuffles, if any, at omega^i x. - let shuffles: Vec>> = shuffles - .into_iter() - .map(|shuffles| -> Result, _> { - shuffles - .into_iter() - .map(|p| p.evaluate(pk, x, transcript)) - .collect::, _>>() - }) - .collect::, _>>()?; - - let instances = instance + let instances = advice .iter() - .zip(advice.iter()) .zip(permutations.iter()) .zip(lookups.iter()) - .zip(shuffles.iter()) - .flat_map(|((((instance, advice), permutation), lookups), shuffles)| { + .flat_map(|((advice, permutation), lookups)| { iter::empty() - .chain( - P::QUERY_INSTANCE - .then_some(pk.vk.cs.instance_queries.iter().map(move |&(column, at)| { - ProverQuery { - point: domain.rotate_omega(*x, at), - poly: &instance.instance_polys[column.index()], - blind: Blind::default(), - } - })) - .into_iter() - .flatten(), - ) .chain( pk.vk .cs .advice_queries .iter() .map(move |&(column, at)| ProverQuery { - point: domain.rotate_omega(*x, at), + point: domain.rotate_omega(x, at), poly: &advice.advice_polys[column.index()], - blind: advice.advice_blinds[column.index()], }), ) .chain(permutation.open(pk, x)) .chain(lookups.iter().flat_map(move |p| p.open(pk, x))) - .chain(shuffles.iter().flat_map(move |p| p.open(pk, x))) }) .chain( pk.vk @@ -698,19 +558,15 @@ where .fixed_queries .iter() .map(|&(column, at)| ProverQuery { - point: domain.rotate_omega(*x, at), + point: domain.rotate_omega(x, at), poly: &pk.fixed_polys[column.index()], - blind: Blind::default(), }), ) .chain(pk.permutation.open(x)) // We query the h(X) polynomial at x .chain(vanishing.open(x)); - let prover = P::new(params); - prover - .create_proof(rng, transcript, instances) - .map_err(|_| Error::ConstraintSystemFailure) + CS::open(params, instances, transcript).map_err(|_| Error::ConstraintSystemFailure) } #[test] @@ -718,13 +574,11 @@ fn test_create_proof() { use crate::{ circuit::SimpleFloorPlanner, plonk::{keygen_pk, keygen_vk}, - poly::kzg::{ - commitment::{KZGCommitmentScheme, ParamsKZG}, - multiopen::ProverSHPLONK, - }, - transcript::{Blake2bWrite, Challenge255, TranscriptWriterBuffer}, + poly::kzg::{params::ParamsKZG, KZGCommitmentScheme}, + transcript::CircuitTranscript, }; use halo2curves::bn256::Bn256; + use halo2curves::bn256::Fr; use rand_core::OsRng; #[derive(Clone, Copy)] @@ -751,13 +605,13 @@ fn test_create_proof() { } } - let params: ParamsKZG = ParamsKZG::setup(3, OsRng); + let params: ParamsKZG = KZGCommitmentScheme::setup(3); let vk = keygen_vk(¶ms, &MyCircuit).expect("keygen_vk should not fail"); let pk = keygen_pk(¶ms, vk, &MyCircuit).expect("keygen_pk should not fail"); - let mut transcript = Blake2bWrite::<_, _, Challenge255<_>>::init(vec![]); + let mut transcript = CircuitTranscript::<_>::init(); // Create proof with wrong number of instances - let proof = create_proof::, ProverSHPLONK<_>, _, _, _, _>( + let proof = create_proof::, _, _>( ¶ms, &pk, &[MyCircuit, MyCircuit], @@ -768,7 +622,7 @@ fn test_create_proof() { assert!(matches!(proof.unwrap_err(), Error::InvalidInstances)); // Create proof with correct number of instances - create_proof::, ProverSHPLONK<_>, _, _, _, _>( + create_proof::, _, _>( ¶ms, &pk, &[MyCircuit, MyCircuit], diff --git a/src/plonk/vanishing.rs b/src/plonk/vanishing.rs new file mode 100644 index 0000000000..6e7b7c5faa --- /dev/null +++ b/src/plonk/vanishing.rs @@ -0,0 +1,12 @@ +use ff::PrimeField; +use std::marker::PhantomData; + +use crate::poly::commitment::PolynomialCommitmentScheme; + +mod prover; +mod verifier; + +/// A vanishing argument. +pub(crate) struct Argument> { + _marker: PhantomData<(F, CS)>, +} diff --git a/src/plonk/vanishing/prover.rs b/src/plonk/vanishing/prover.rs new file mode 100644 index 0000000000..b284d99117 --- /dev/null +++ b/src/plonk/vanishing/prover.rs @@ -0,0 +1,161 @@ +use std::{collections::HashMap, iter}; + +use ff::{PrimeField, WithSmallOrderMulGroup}; +use halo2curves::serde::SerdeObject; +use rand_chacha::ChaCha20Rng; +use rand_core::{RngCore, SeedableRng}; + +use super::Argument; +use crate::poly::commitment::{Params, PolynomialCommitmentScheme}; +use crate::transcript::{Hashable, Transcript}; +use crate::{ + plonk::Error, + poly::{Coeff, EvaluationDomain, ExtendedLagrangeCoeff, Polynomial, ProverQuery}, + utils::arithmetic::{eval_polynomial, parallelize}, + utils::multicore::current_num_threads, +}; + +pub(in crate::plonk) struct Committed { + random_poly: Polynomial, +} + +pub(in crate::plonk) struct Constructed { + h_pieces: Vec>, + committed: Committed, +} + +pub(in crate::plonk) struct Evaluated { + h_pieces: Vec>, + committed: Committed, +} + +impl, CS: PolynomialCommitmentScheme> Argument { + pub(in crate::plonk) fn commit( + params: &CS::Parameters, + domain: &EvaluationDomain, + mut rng: R, + transcript: &mut T, + ) -> Result, Error> + where + CS::Commitment: Hashable + SerdeObject, + F: Hashable + SerdeObject, + { + // Sample a random polynomial of degree n - 1 + let n = 1usize << domain.k() as usize; + let mut rand_vec = vec![F::ZERO; n]; + + let num_threads = current_num_threads(); + let chunk_size = n / num_threads; + let thread_seeds = (0..) + .step_by(chunk_size + 1) + .take(n % num_threads) + .chain( + (chunk_size != 0) + .then(|| ((n % num_threads) * (chunk_size + 1)..).step_by(chunk_size)) + .into_iter() + .flatten(), + ) + .take(num_threads) + .zip(iter::repeat_with(|| { + let mut seed = [0u8; 32]; + rng.fill_bytes(&mut seed); + ChaCha20Rng::from_seed(seed) + })) + .collect::>(); + + parallelize(&mut rand_vec, |chunk, offset| { + let mut rng = thread_seeds[&offset].clone(); + chunk.iter_mut().for_each(|v| *v = F::random(&mut rng)); + }); + + let random_poly: Polynomial = domain.coeff_from_vec(rand_vec); + + // Commit + let c = CS::commit(params, &random_poly); + transcript.write(&c)?; + + Ok(Committed { random_poly }) + } +} + +impl> Committed { + pub(in crate::plonk) fn construct, T: Transcript>( + self, + params: &CS::Parameters, + domain: &EvaluationDomain, + h_poly: Polynomial, + transcript: &mut T, + ) -> Result, Error> + where + CS::Commitment: Hashable + SerdeObject, + F: Hashable + SerdeObject, + { + // Divide by t(X) = X^{params.n} - 1. + let h_poly = domain.divide_by_vanishing_poly(h_poly); + + // Obtain final h(X) polynomial + let h_poly = domain.extended_to_coeff(h_poly); + + // Split h(X) up into pieces + let h_pieces = h_poly + .chunks_exact(params.n() as usize) + .map(|v| domain.coeff_from_vec(v.to_vec())) + .collect::>(); + drop(h_poly); + + // Compute commitments to each h(X) piece + let h_commitments: Vec<_> = h_pieces + .iter() + .map(|h_piece| CS::commit(params, h_piece)) + .collect(); + + // Hash each h(X) piece + for c in h_commitments { + transcript.write(&c)?; + } + + Ok(Constructed { + h_pieces, + committed: self, + }) + } +} + +impl Constructed { + pub(in crate::plonk) fn evaluate( + self, + x: F, + transcript: &mut T, + ) -> Result, Error> + where + F: Hashable + SerdeObject, + { + self.h_pieces.iter().try_for_each(|p| { + let eval = eval_polynomial(p, x); + transcript.write(&eval) + })?; + + let random_eval = eval_polynomial(&self.committed.random_poly, x); + transcript.write(&random_eval)?; + + Ok(Evaluated { + h_pieces: self.h_pieces, + committed: self.committed, + }) + } +} + +impl Evaluated { + pub(in crate::plonk) fn open(&self, x: F) -> impl Iterator> + Clone { + iter::empty() + .chain( + self.h_pieces + .iter() + .map(move |p| ProverQuery { point: x, poly: p }), + ) + .chain(Some(ProverQuery { + point: x, + poly: &self.committed.random_poly, + })) + } +} diff --git a/src/plonk/vanishing/verifier.rs b/src/plonk/vanishing/verifier.rs new file mode 100644 index 0000000000..184ef0f1b2 --- /dev/null +++ b/src/plonk/vanishing/verifier.rs @@ -0,0 +1,128 @@ +use std::iter; + +use ff::{PrimeField, WithSmallOrderMulGroup}; +use halo2curves::serde::SerdeObject; + +use crate::poly::commitment::PolynomialCommitmentScheme; +use crate::transcript::{read_n, Hashable, Transcript}; +use crate::{ + plonk::{Error, VerifyingKey}, + poly::VerifierQuery, +}; + +use super::Argument; + +pub struct Committed> { + random_poly_commitment: CS::Commitment, +} + +pub struct Constructed> { + h_commitments: Vec, + random_poly_commitment: CS::Commitment, +} + +pub struct Evaluated> { + h_commitments: Vec, + random_poly_commitment: CS::Commitment, + h_evals: Vec, + random_eval: F, +} + +impl> Argument { + pub(in crate::plonk) fn read_commitments_before_y( + transcript: &mut T, + ) -> Result, Error> + where + CS::Commitment: Hashable + SerdeObject, + { + let random_poly_commitment = transcript.read()?; + + Ok(Committed { + random_poly_commitment, + }) + } +} + +impl, CS: PolynomialCommitmentScheme> Committed { + pub(in crate::plonk) fn read_commitments_after_y( + self, + vk: &VerifyingKey, + transcript: &mut T, + ) -> Result, Error> + where + CS::Commitment: Hashable + SerdeObject, + { + // Obtain a commitment to h(X) in the form of multiple pieces of degree n - 1 + let h_commitments = read_n(transcript, vk.domain.get_quotient_poly_degree())?; + + Ok(Constructed { + h_commitments, + random_poly_commitment: self.random_poly_commitment, + }) + } +} + +impl, CS: PolynomialCommitmentScheme> Constructed { + pub(in crate::plonk) fn evaluate_after_x( + self, + vk: &VerifyingKey, + transcript: &mut T, + ) -> Result, Error> + where + F: Hashable + SerdeObject, + { + let h_evals = read_n(transcript, vk.domain.get_quotient_poly_degree())?; + let random_eval = transcript.read()?; + + Ok(Evaluated { + h_commitments: self.h_commitments, + random_poly_commitment: self.random_poly_commitment, + h_evals, + random_eval, + }) + } +} + +impl> Evaluated { + pub(in crate::plonk) fn verify( + self, + expressions: impl Iterator, + y: F, + xn: F, + ) -> Result, Error> { + let committed_h_eval = self + .h_evals + .iter() + .rev() + .fold(F::ZERO, |acc, eval| acc * xn + eval); + + let expected_h_eval = expressions.fold(F::ZERO, |h_eval, v| h_eval * &y + &v); + let expected_h_eval = expected_h_eval * ((xn - F::ONE).invert().unwrap()); + + if committed_h_eval != expected_h_eval { + return Err(Error::ConstraintSystemFailure); + } + + Ok(self) + } +} + +impl> Evaluated { + pub(in crate::plonk) fn queries( + &self, + x: F, + ) -> impl Iterator> + Clone + '_ { + iter::empty() + .chain( + self.h_commitments + .iter() + .zip(self.h_evals.iter()) + .map(move |(&c, e)| VerifierQuery::new(x, c, *e)), + ) + .chain(Some(VerifierQuery::new( + x, + self.random_poly_commitment, + self.random_eval, + ))) + } +} diff --git a/src/plonk/verifier.rs b/src/plonk/verifier.rs new file mode 100644 index 0000000000..974a0a1ccb --- /dev/null +++ b/src/plonk/verifier.rs @@ -0,0 +1,308 @@ +use ff::WithSmallOrderMulGroup; +use halo2curves::serde::SerdeObject; +use std::iter; + +use super::{vanishing, Error, VerifyingKey}; +use crate::poly::commitment::{Params, PolynomialCommitmentScheme}; +use crate::poly::VerifierQuery; +use crate::transcript::{read_n, Hashable, Sampleable, Transcript}; +use crate::utils::arithmetic::compute_inner_product; + +/// Returns a boolean indicating whether or not the proof is valid +pub fn verify_proof< + F: WithSmallOrderMulGroup<3> + Hashable + Sampleable + SerdeObject, + CS: PolynomialCommitmentScheme, + T: Transcript, +>( + params: &CS::VerifierParameters, + vk: &VerifyingKey, + instances: &[&[&[F]]], + transcript: &mut T, +) -> Result<(), Error> +where + CS::Commitment: Hashable + SerdeObject, +{ + // Check that instances matches the expected number of instance columns + for instances in instances.iter() { + if instances.len() != vk.cs.num_instance_columns { + return Err(Error::InvalidInstances); + } + } + + let num_proofs = instances.len(); + + // Hash verification key into transcript + vk.hash_into(transcript)?; + + for instance in instances.iter() { + for instance in instance.iter() { + for value in instance.iter() { + transcript.common(value)?; + } + } + } + + // Hash the prover's advice commitments into the transcript and squeeze challenges + let (advice_commitments, challenges) = { + let mut advice_commitments = + vec![vec![CS::Commitment::default(); vk.cs.num_advice_columns]; num_proofs]; + let mut challenges = vec![F::ZERO; vk.cs.num_challenges]; + + for current_phase in vk.cs.phases() { + for advice_commitments in advice_commitments.iter_mut() { + for (phase, commitment) in vk + .cs + .advice_column_phase + .iter() + .zip(advice_commitments.iter_mut()) + { + if current_phase == *phase { + *commitment = transcript.read()?; + } + } + } + for (phase, challenge) in vk.cs.challenge_phase.iter().zip(challenges.iter_mut()) { + if current_phase == *phase { + *challenge = transcript.squeeze_challenge(); + } + } + } + + (advice_commitments, challenges) + }; + + // Sample theta challenge for keeping lookup columns linearly independent + let theta: F = transcript.squeeze_challenge(); + + let lookups_permuted = (0..num_proofs) + .map(|_| -> Result, _> { + // Hash each lookup permuted commitment + vk.cs + .lookups + .iter() + .map(|argument| argument.read_permuted_commitments(transcript)) + .collect::, _>>() + }) + .collect::, _>>()?; + + // Sample beta challenge + let beta: F = transcript.squeeze_challenge(); + + // Sample gamma challenge + let gamma: F = transcript.squeeze_challenge(); + + let permutations_committed = (0..num_proofs) + .map(|_| { + // Hash each permutation product commitment + vk.cs.permutation.read_product_commitments(vk, transcript) + }) + .collect::, _>>()?; + + let lookups_committed = lookups_permuted + .into_iter() + .map(|lookups| { + // Hash each lookup product commitment + lookups + .into_iter() + .map(|lookup| lookup.read_product_commitment(transcript)) + .collect::, _>>() + }) + .collect::, _>>()?; + + let vanishing = vanishing::Argument::read_commitments_before_y(transcript)?; + + // Sample y challenge, which keeps the gates linearly independent. + let y: F = transcript.squeeze_challenge(); + + let vanishing = vanishing.read_commitments_after_y(vk, transcript)?; + + // Sample x challenge, which is used to ensure the circuit is + // satisfied with high probability. + let x: F = transcript.squeeze_challenge(); + let instance_evals = { + let xn = x.pow([params.n()]); + let (min_rotation, max_rotation) = + vk.cs + .instance_queries + .iter() + .fold((0, 0), |(min, max), (_, rotation)| { + if rotation.0 < min { + (rotation.0, max) + } else if rotation.0 > max { + (min, rotation.0) + } else { + (min, max) + } + }); + let max_instance_len = instances + .iter() + .flat_map(|instance| instance.iter().map(|instance| instance.len())) + .max_by(Ord::cmp) + .unwrap_or_default(); + let l_i_s = &vk.domain.l_i_range( + x, + xn, + -max_rotation..max_instance_len as i32 + min_rotation.abs(), + ); + instances + .iter() + .map(|instances| { + vk.cs + .instance_queries + .iter() + .map(|(column, rotation)| { + let instances = instances[column.index()]; + let offset = (max_rotation - rotation.0) as usize; + compute_inner_product(instances, &l_i_s[offset..offset + instances.len()]) + }) + .collect::>() + }) + .collect::>() + }; + + let advice_evals = (0..num_proofs) + .map(|_| -> Result, _> { read_n(transcript, vk.cs.advice_queries.len()) }) + .collect::, _>>()?; + + let fixed_evals = read_n(transcript, vk.cs.fixed_queries.len())?; + + let vanishing = vanishing.evaluate_after_x(vk, transcript)?; + + let permutations_common = vk.permutation.evaluate(transcript)?; + + let permutations_evaluated = permutations_committed + .into_iter() + .map(|permutation| permutation.evaluate(transcript)) + .collect::, _>>()?; + + let lookups_evaluated = lookups_committed + .into_iter() + .map(|lookups| -> Result, _> { + lookups + .into_iter() + .map(|lookup| lookup.evaluate(transcript)) + .collect::, _>>() + }) + .collect::, _>>()?; + + // This check ensures the circuit is satisfied so long as the polynomial + // commitments open to the correct values. + let vanishing = { + // x^n + let xn = x.pow([params.n()]); + + let blinding_factors = vk.cs.blinding_factors(); + let l_evals = vk + .domain + .l_i_range(x, xn, (-((blinding_factors + 1) as i32))..=0); + assert_eq!(l_evals.len(), 2 + blinding_factors); + let l_last = l_evals[0]; + let l_blind: F = l_evals[1..(1 + blinding_factors)] + .iter() + .fold(F::ZERO, |acc, eval| acc + eval); + let l_0 = l_evals[1 + blinding_factors]; + + // Compute the expected value of h(x) + let expressions = advice_evals + .iter() + .zip(instance_evals.iter()) + .zip(permutations_evaluated.iter()) + .zip(lookups_evaluated.iter()) + .flat_map(|(((advice_evals, instance_evals), permutation), lookups)| { + let challenges = &challenges; + let fixed_evals = &fixed_evals; + std::iter::empty() + // Evaluate the circuit using the custom gates provided + .chain(vk.cs.gates.iter().flat_map(move |gate| { + gate.polynomials().iter().map(move |poly| { + poly.evaluate( + &|scalar| scalar, + &|_| panic!("virtual selectors are removed during optimization"), + &|query| fixed_evals[query.index.unwrap()], + &|query| advice_evals[query.index.unwrap()], + &|query| instance_evals[query.index.unwrap()], + &|challenge| challenges[challenge.index()], + &|a| -a, + &|a, b| a + &b, + &|a, b| a * &b, + &|a, scalar| a * &scalar, + ) + }) + })) + .chain(permutation.expressions( + vk, + &vk.cs.permutation, + &permutations_common, + advice_evals, + fixed_evals, + instance_evals, + l_0, + l_last, + l_blind, + beta, + gamma, + x, + )) + .chain(lookups.iter().zip(vk.cs.lookups.iter()).flat_map( + move |(p, argument)| { + p.expressions( + l_0, + l_last, + l_blind, + argument, + theta, + beta, + gamma, + advice_evals, + fixed_evals, + instance_evals, + challenges, + ) + }, + )) + }); + + vanishing.verify(expressions, y, xn)? + }; + + let queries = advice_commitments + .iter() + .zip(advice_evals.iter()) + .zip(permutations_evaluated.iter()) + .zip(lookups_evaluated.iter()) + .flat_map( + |(((advice_commitments, advice_evals), permutation), lookups)| { + iter::empty() + .chain(vk.cs.advice_queries.iter().enumerate().map( + move |(query_index, &(column, at))| { + VerifierQuery::new( + vk.domain.rotate_omega(x, at), + advice_commitments[column.index()], + advice_evals[query_index], + ) + }, + )) + .chain(permutation.queries(vk, x)) + .chain(lookups.iter().flat_map(move |p| p.queries(vk, x))) + }, + ) + .chain( + vk.cs + .fixed_queries + .iter() + .enumerate() + .map(|(query_index, &(column, at))| { + VerifierQuery::new( + vk.domain.rotate_omega(x, at), + vk.fixed_commitments[column.index()], + fixed_evals[query_index], + ) + }), + ) + .chain(permutations_common.queries(&vk.permutation, x)) + .chain(vanishing.queries(x)); + + // We are now convinced the circuit is satisfied so long as the + // polynomial commitments open to the correct values. + CS::verify(params, queries, transcript).map_err(|_| Error::Opening) +} diff --git a/src/poly/commitment.rs b/src/poly/commitment.rs new file mode 100644 index 0000000000..c21c53fa35 --- /dev/null +++ b/src/poly/commitment.rs @@ -0,0 +1,60 @@ +//! Trait for a commitment scheme +use crate::poly::{Coeff, Error, LagrangeCoeff, Polynomial, ProverQuery, VerifierQuery}; +use crate::transcript::{Hashable, Sampleable, Transcript}; +use crate::utils::helpers::ProcessedSerdeObject; +use ff::PrimeField; +use std::fmt::Debug; + +/// Public interface for a Polynomial Commitment Scheme (PCS) +pub trait PolynomialCommitmentScheme: Clone + Debug { + /// Parameters needed to generate a proof in the PCS + type Parameters: Params; + + /// Parameters needed to verify a proof in the PCS + type VerifierParameters: Params; + + /// Type of a committed polynomial + type Commitment: Clone + Copy + Debug + Default + PartialEq + ProcessedSerdeObject + Send + Sync; + + /// Setup the parameters for the PCS + fn setup(k: u32) -> Self::Parameters; + + /// Commit to a polynomial in coefficient form + fn commit(params: &Self::Parameters, polynomial: &Polynomial) -> Self::Commitment; + + /// Create an opening proof at a specific query + fn open<'com, T: Transcript, I>( + params: &Self::Parameters, + prover_query: I, + transcript: &mut T, + ) -> Result<(), Error> + where + I: IntoIterator> + Clone, + F: Sampleable, + Self::Commitment: Hashable; + + /// Verify an opening proof at a given query + fn verify( + params: &Self::VerifierParameters, + verifier_query: I, + transcript: &mut T, + ) -> Result<(), Error> + where + I: IntoIterator> + Clone, + F: Sampleable, // This is not necessarily part of a PCS + Self::Commitment: Hashable; +} + +/// Interface for prover/verifier params +pub trait Params> { + /// Logarithmic size of polynomials that can be committed with these parameters + fn k(&self) -> u32; + + /// Size of polynomials that can be committed with these parameters + fn n(&self) -> u64; + + /// This commits to a polynomial using its evaluations over the $2^k$ size + /// evaluation domain. The commitment will be blinded by the blinding factor + /// `r`. + fn commit_lagrange(&self, poly: &Polynomial) -> CS::Commitment; +} diff --git a/halo2_proofs/src/poly/domain.rs b/src/poly/domain.rs similarity index 97% rename from halo2_proofs/src/poly/domain.rs rename to src/poly/domain.rs index ae9b8bf9ae..bc181baa6d 100644 --- a/halo2_proofs/src/poly/domain.rs +++ b/src/poly/domain.rs @@ -1,15 +1,14 @@ //! Contains utilities for performing polynomial arithmetic over an evaluation //! domain that is of a suitable size for the application. -use crate::{ - arithmetic::{best_fft, parallelize}, - plonk::Assigned, -}; +use crate::utils::arithmetic::parallelize; use super::{Coeff, ExtendedLagrangeCoeff, LagrangeCoeff, Polynomial, Rotation}; use ff::WithSmallOrderMulGroup; use group::ff::{BatchInvert, Field}; +use crate::utils::rational::Rational; +use halo2curves::fft::best_fft; use std::marker::PhantomData; /// This structure contains precomputed constants and other details needed for @@ -24,7 +23,7 @@ pub struct EvaluationDomain { omega_inv: F, extended_omega: F, extended_omega_inv: F, - g_coset: F, + pub(crate) g_coset: F, g_coset_inv: F, quotient_poly_degree: u64, ifft_divisor: F, @@ -77,8 +76,6 @@ impl> EvaluationDomain { let omega = omega; let mut omega_inv = omega; // Inversion computed later - // We use zeta here because we know it generates a coset, and it's available - // already. // The coset evaluation domain is: // zeta {1, extended_omega, extended_omega^2, ..., extended_omega^{(2^extended_k) - 1}} let g_coset = F::ZETA; @@ -88,7 +85,7 @@ impl> EvaluationDomain { { // Compute the evaluations of t(X) = X^n - 1 in the coset evaluation domain. // We don't have to compute all of them, because it will repeat. - let orig = F::ZETA.pow_vartime([n, 0, 0, 0]); + let orig = g_coset.pow_vartime([n, 0, 0, 0]); let step = extended_omega.pow_vartime([n, 0, 0, 0]); let mut cur = orig; loop { @@ -186,7 +183,7 @@ impl> EvaluationDomain { /// Returns an empty (zero) polynomial in the Lagrange coefficient basis, with /// deferred inversions. - pub fn empty_lagrange_assigned(&self) -> Polynomial, LagrangeCoeff> { + pub fn empty_lagrange_rational(&self) -> Polynomial, LagrangeCoeff> { Polynomial { values: vec![F::ZERO.into(); self.n as usize], _marker: PhantomData, @@ -489,7 +486,7 @@ pub struct PinnedEvaluationDomain<'a, F: Field> { fn test_rotate() { use rand_core::OsRng; - use crate::arithmetic::eval_polynomial; + use crate::utils::arithmetic::eval_polynomial; use halo2curves::pasta::pallas::Scalar; let domain = EvaluationDomain::::new(1, 3); @@ -530,7 +527,7 @@ fn test_rotate() { fn test_l_i() { use rand_core::OsRng; - use crate::arithmetic::{eval_polynomial, lagrange_interpolate}; + use crate::utils::arithmetic::{eval_polynomial, lagrange_interpolate}; use halo2curves::pasta::pallas::Scalar; let domain = EvaluationDomain::::new(1, 3); diff --git a/src/poly/kzg/mod.rs b/src/poly/kzg/mod.rs new file mode 100644 index 0000000000..3b8af9d471 --- /dev/null +++ b/src/poly/kzg/mod.rs @@ -0,0 +1,361 @@ +use halo2curves::pairing::Engine; +use std::marker::PhantomData; + +/// Multiscalar multiplication engines +pub mod msm; +/// KZG commitment scheme +pub mod params; + +use std::fmt::Debug; + +use crate::poly::kzg::msm::{DualMSM, MSMKZG}; +use crate::poly::kzg::params::{ParamsKZG, ParamsVerifierKZG}; +use crate::poly::query::Query; +use crate::poly::query::VerifierQuery; +use crate::poly::{Coeff, Error, Polynomial, ProverQuery}; +use crate::utils::arithmetic::{kate_division, powers, MSM}; + +use crate::poly::commitment::PolynomialCommitmentScheme; +use crate::transcript::{Hashable, Sampleable, Transcript}; +use ff::Field; +use group::prime::PrimeCurveAffine; +use halo2curves::msm::msm_best; +use halo2curves::pairing::MultiMillerLoop; +use halo2curves::serde::SerdeObject; +use halo2curves::CurveAffine; + +#[derive(Clone, Debug)] +/// KZG verifier +pub struct KZGCommitmentScheme { + _marker: PhantomData, +} + +impl PolynomialCommitmentScheme for KZGCommitmentScheme +where + E::Fr: SerdeObject, + E::G1Affine: Default + SerdeObject + CurveAffine, +{ + type Parameters = ParamsKZG; + type VerifierParameters = ParamsVerifierKZG; + type Commitment = E::G1Affine; + + /// Unsafe function - do not use in production + fn setup(k: u32) -> ParamsKZG { + ParamsKZG::new(k) + } + + fn commit( + params: &Self::Parameters, + polynomial: &Polynomial, + ) -> Self::Commitment { + let mut scalars = Vec::with_capacity(polynomial.len()); + scalars.extend(polynomial.iter()); + let bases = ¶ms.g; + let size = scalars.len(); + assert!(bases.len() >= size); + msm_best(&scalars, &bases[0..size]).into() + } + + fn open<'com, T: Transcript, I>( + params: &Self::Parameters, + prover_query: I, + transcript: &mut T, + ) -> Result<(), Error> + where + I: IntoIterator> + Clone, + E::Fr: Sampleable, + E::G1Affine: Hashable, + { + let v: E::Fr = transcript.squeeze_challenge(); + let commitment_data = construct_intermediate_sets(prover_query); + + for commitment_at_a_point in commitment_data.iter() { + let z = commitment_at_a_point.point; + let (poly_batch, eval_batch) = commitment_at_a_point + .queries + .iter() + .zip(powers(v)) + .map(|(query, power_of_v)| { + assert_eq!(query.get_point(), z); + + let poly = query.get_commitment().poly; + let eval = query.get_eval(); + + (poly.clone() * power_of_v, eval * power_of_v) + }) + .reduce(|(poly_acc, eval_acc), (poly, eval)| (poly_acc + &poly, eval_acc + eval)) + .unwrap(); + + let poly_batch = &poly_batch - eval_batch; + let witness_poly = Polynomial { + values: kate_division(&poly_batch.values, z), + _marker: PhantomData, + }; + let w = Self::commit(params, &witness_poly); + + transcript.write(&w).map_err(|_| Error::OpeningError)?; + } + + Ok(()) + } + + fn verify( + params: &Self::VerifierParameters, + verifier_query: I, + transcript: &mut T, + ) -> Result<(), Error> + where + E::Fr: Sampleable, + E::G1Affine: Hashable, + I: IntoIterator>> + Clone, + { + let v: E::Fr = transcript.squeeze_challenge(); + + let commitment_data = construct_intermediate_sets(verifier_query); + + let w = (0..commitment_data.len()) + .map(|_| transcript.read().map_err(|_| Error::SamplingError)) + .collect::, Error>>()?; + + let u: E::Fr = transcript.squeeze_challenge(); + + let mut commitment_multi = MSMKZG::::new(); + let mut eval_multi = E::Fr::ZERO; + + let mut witness = MSMKZG::::new(); + let mut witness_with_aux = MSMKZG::::new(); + + for ((commitment_at_a_point, wi), power_of_u) in + commitment_data.iter().zip(w.into_iter()).zip(powers(u)) + { + assert!(!commitment_at_a_point.queries.is_empty()); + let z = commitment_at_a_point.point; + + let (mut commitment_batch, eval_batch) = commitment_at_a_point + .queries + .iter() + .zip(powers(v)) + .map(|(query, power_of_v)| { + assert_eq!(query.get_point(), z); + + let mut commitment = MSMKZG::::new(); + commitment.append_term(power_of_v, query.get_commitment().to_curve()); + + let eval = power_of_v * query.get_eval(); + + (commitment, eval) + }) + .reduce(|(mut commitment_acc, eval_acc), (commitment, eval)| { + commitment_acc.add_msm(&commitment); + (commitment_acc, eval_acc + eval) + }) + .unwrap(); + + commitment_batch.scale(power_of_u); + commitment_multi.add_msm(&commitment_batch); + eval_multi += power_of_u * eval_batch; + + witness_with_aux.append_term(power_of_u * z, wi.to_curve()); + witness.append_term(power_of_u, wi.to_curve()); + } + + let mut msm = DualMSM::new(params); + + msm.left.add_msm(&witness); + + msm.right.add_msm(&witness_with_aux); + msm.right.add_msm(&commitment_multi); + let g0: E::G1 = params.g[0].to_curve(); + msm.right.append_term(eval_multi, -g0); + + if msm.check() { + Ok(()) + } else { + Err(Error::OpeningError) + } + } +} + +#[derive(Debug)] +struct CommitmentData> { + queries: Vec, + point: F, + _marker: PhantomData, +} + +fn construct_intermediate_sets>(queries: I) -> Vec> +where + I: IntoIterator + Clone, +{ + let mut point_query_map: Vec<(F, Vec)> = Vec::new(); + for query in queries { + if let Some(pos) = point_query_map + .iter() + .position(|(point, _)| *point == query.get_point()) + { + let (_, queries) = &mut point_query_map[pos]; + queries.push(query); + } else { + point_query_map.push((query.get_point(), vec![query])); + } + } + + point_query_map + .into_iter() + .map(|(point, queries)| CommitmentData { + queries, + point, + _marker: PhantomData, + }) + .collect() +} + +#[cfg(test)] +mod tests { + use crate::poly::commitment::PolynomialCommitmentScheme; + use crate::poly::kzg::params::{ParamsKZG, ParamsVerifierKZG}; + use crate::poly::kzg::KZGCommitmentScheme; + use crate::poly::{ + query::{ProverQuery, VerifierQuery}, + Error, EvaluationDomain, + }; + use crate::transcript::{CircuitTranscript, Hashable, Sampleable, Transcript}; + use crate::utils::arithmetic::eval_polynomial; + use blake2b_simd::State as Blake2bState; + use ff::WithSmallOrderMulGroup; + use halo2curves::pairing::{Engine, MultiMillerLoop}; + use halo2curves::serde::SerdeObject; + use halo2curves::CurveAffine; + + #[test] + fn test_roundtrip_gwc() { + use crate::poly::kzg::KZGCommitmentScheme; + use halo2curves::bn256::Bn256; + + const K: u32 = 4; + + let params = KZGCommitmentScheme::::setup(K); + + let proof = create_proof::<_, CircuitTranscript>(¶ms); + + verify::<_, CircuitTranscript>(¶ms, &proof[..], false); + + verify::>(¶ms, &proof[..], true); + } + + fn verify( + verifier_params: &ParamsVerifierKZG, + proof: &[u8], + should_fail: bool, + ) where + E::Fr: SerdeObject + Hashable + Sampleable, + E::G1Affine: CurveAffine::Fr, CurveExt = ::G1> + + SerdeObject + + Hashable, + { + let mut transcript = T::init_from_bytes(proof); + + let a: E::G1Affine = transcript.read().unwrap(); + let b: E::G1Affine = transcript.read().unwrap(); + let c: E::G1Affine = transcript.read().unwrap(); + + let x: E::Fr = transcript.squeeze_challenge(); + let y: E::Fr = transcript.squeeze_challenge(); + + let avx: E::Fr = transcript.read().unwrap(); + let bvx: E::Fr = transcript.read().unwrap(); + let cvy: E::Fr = transcript.read().unwrap(); + + let valid_queries = std::iter::empty() + .chain(Some(VerifierQuery::new(x, a, avx))) + .chain(Some(VerifierQuery::new(x, b, bvx))) + .chain(Some(VerifierQuery::new(y, c, cvy))); + + let invalid_queries = std::iter::empty() + .chain(Some(VerifierQuery::new(x, a, avx))) + .chain(Some(VerifierQuery::new(x, b, avx))) + .chain(Some(VerifierQuery::new(y, c, cvy))); + + let queries = if should_fail { + invalid_queries + } else { + valid_queries + }; + + let result = KZGCommitmentScheme::verify(verifier_params, queries, &mut transcript) + .map_err(|_| Error::OpeningError); + + if should_fail { + assert!(result.is_err()); + } else { + assert!(result.is_ok()); + } + } + + fn create_proof(kzg_params: &ParamsKZG) -> Vec + where + E::Fr: WithSmallOrderMulGroup<3> + SerdeObject + Hashable + Sampleable, + E::G1Affine: SerdeObject + + Hashable + + Default + + CurveAffine, + { + let domain = EvaluationDomain::new(1, kzg_params.k); + + let mut ax = domain.empty_coeff(); + for (i, a) in ax.iter_mut().enumerate() { + *a = ::from(10 + i as u64); + } + + let mut bx = domain.empty_coeff(); + for (i, a) in bx.iter_mut().enumerate() { + *a = ::from(100 + i as u64); + } + + let mut cx = domain.empty_coeff(); + for (i, a) in cx.iter_mut().enumerate() { + *a = ::from(100 + i as u64); + } + + let mut transcript = T::init(); + + let a = KZGCommitmentScheme::commit(kzg_params, &ax); + let b = KZGCommitmentScheme::commit(kzg_params, &bx); + let c = KZGCommitmentScheme::commit(kzg_params, &cx); + + transcript.write(&a).unwrap(); + transcript.write(&b).unwrap(); + transcript.write(&c).unwrap(); + + let x: E::Fr = transcript.squeeze_challenge(); + let y = transcript.squeeze_challenge(); + + let avx = eval_polynomial(&ax, x); + let bvx = eval_polynomial(&bx, x); + let cvy = eval_polynomial(&cx, y); + + transcript.write(&avx).unwrap(); + transcript.write(&bvx).unwrap(); + transcript.write(&cvy).unwrap(); + + let queries = [ + ProverQuery { + point: x, + poly: &ax, + }, + ProverQuery { + point: x, + poly: &bx, + }, + ProverQuery { + point: y, + poly: &cx, + }, + ] + .into_iter(); + + KZGCommitmentScheme::open(kzg_params, queries, &mut transcript).unwrap(); + + transcript.finalize() + } +} diff --git a/halo2_proofs/src/poly/kzg/msm.rs b/src/poly/kzg/msm.rs similarity index 64% rename from halo2_proofs/src/poly/kzg/msm.rs rename to src/poly/kzg/msm.rs index f9b8c284bd..84bf039efb 100644 --- a/halo2_proofs/src/poly/kzg/msm.rs +++ b/src/poly/kzg/msm.rs @@ -1,11 +1,10 @@ use std::fmt::Debug; -use super::commitment::ParamsKZG; -use crate::{ - arithmetic::{best_multiexp, parallelize}, - poly::commitment::MSM, -}; +use super::params::ParamsKZG; +use crate::utils::arithmetic::parallelize; +use crate::utils::arithmetic::MSM; use group::{Curve, Group}; +use halo2curves::msm::msm_best; use halo2curves::{ pairing::{Engine, MillerLoopResult, MultiMillerLoop}, CurveAffine, CurveExt, @@ -13,20 +12,12 @@ use halo2curves::{ /// A multiscalar multiplication in the polynomial commitment scheme #[derive(Clone, Default, Debug)] -pub struct MSMKZG -where - E::G1Affine: CurveAffine::Fr, CurveExt = ::G1>, - E::G1: CurveExt, -{ +pub struct MSMKZG { pub(crate) scalars: Vec, pub(crate) bases: Vec, } -impl MSMKZG -where - E::G1Affine: CurveAffine::Fr, CurveExt = ::G1>, - E::G1: CurveExt, -{ +impl MSMKZG { /// Create an empty MSM instance pub fn new() -> Self { MSMKZG { @@ -50,8 +41,7 @@ where impl MSM for MSMKZG where - E::G1Affine: CurveAffine::Fr, CurveExt = ::G1>, - E::G1: CurveExt, + E::G1Affine: CurveAffine, { fn append_term(&mut self, scalar: E::Fr, point: E::G1) { self.scalars.push(scalar); @@ -81,7 +71,7 @@ where use group::prime::PrimeCurveAffine; let mut bases = vec![E::G1Affine::identity(); self.scalars.len()]; E::G1::batch_normalize(&self.bases, &mut bases); - best_multiexp(&self.scalars, &bases) + msm_best(&self.scalars, &bases) } fn bases(&self) -> Vec { @@ -93,45 +83,6 @@ where } } -/// A projective point collector -#[derive(Debug, Clone)] -pub(crate) struct PreMSM -where - E::G1Affine: CurveAffine::Fr, CurveExt = ::G1>, - E::G1: CurveExt, -{ - projectives_msms: Vec>, -} - -impl PreMSM -where - E::G1Affine: CurveAffine::Fr, CurveExt = ::G1>, - E::G1: CurveExt, -{ - pub(crate) fn new() -> Self { - PreMSM { - projectives_msms: vec![], - } - } - - pub(crate) fn normalize(self) -> MSMKZG { - let (scalars, bases) = self - .projectives_msms - .into_iter() - .map(|msm| (msm.scalars, msm.bases)) - .unzip::<_, _, Vec<_>, Vec<_>>(); - - MSMKZG { - scalars: scalars.into_iter().flatten().collect(), - bases: bases.into_iter().flatten().collect(), - } - } - - pub(crate) fn add_msm(&mut self, other: MSMKZG) { - self.projectives_msms.push(other); - } -} - impl<'params, E: MultiMillerLoop + Debug> From<&'params ParamsKZG> for DualMSM<'params, E> where E::G1Affine: CurveAffine::Fr, CurveExt = ::G1>, @@ -144,11 +95,7 @@ where /// Two channel MSM accumulator #[derive(Debug, Clone)] -pub struct DualMSM<'a, E: Engine> -where - E::G1Affine: CurveAffine::Fr, CurveExt = ::G1>, - E::G1: CurveExt, -{ +pub struct DualMSM<'a, E: Engine> { pub(crate) params: &'a ParamsKZG, pub(crate) left: MSMKZG, pub(crate) right: MSMKZG, @@ -156,8 +103,7 @@ where impl<'a, E: MultiMillerLoop + Debug> DualMSM<'a, E> where - E::G1Affine: CurveAffine::Fr, CurveExt = ::G1>, - E::G1: CurveExt, + E::G1Affine: CurveAffine, { /// Create a new two channel MSM accumulator instance pub fn new(params: &'a ParamsKZG) -> Self { diff --git a/halo2_proofs/src/poly/kzg/commitment.rs b/src/poly/kzg/params.rs similarity index 71% rename from halo2_proofs/src/poly/kzg/commitment.rs rename to src/poly/kzg/params.rs index 114b9ac013..31ecb14ad6 100644 --- a/halo2_proofs/src/poly/kzg/commitment.rs +++ b/src/poly/kzg/params.rs @@ -1,17 +1,19 @@ -use crate::arithmetic::{best_multiexp, g_to_lagrange, parallelize}; -use crate::helpers::SerdeCurveAffine; -use crate::poly::commitment::{Blind, CommitmentScheme, Params, ParamsProver, ParamsVerifier}; -use crate::poly::{Coeff, LagrangeCoeff, Polynomial}; -use crate::SerdeFormat; +use crate::poly::{LagrangeCoeff, Polynomial}; +use crate::utils::arithmetic::{g_to_lagrange, parallelize}; +use crate::utils::SerdeFormat; use ff::{Field, PrimeField}; use group::{prime::PrimeCurveAffine, Curve, Group}; -use halo2curves::pairing::Engine; -use halo2curves::CurveExt; +use halo2curves::pairing::{Engine, MultiMillerLoop}; use rand_core::{OsRng, RngCore}; use std::fmt::Debug; -use std::marker::PhantomData; +use crate::poly::commitment::Params; +use crate::poly::kzg::KZGCommitmentScheme; +use crate::utils::helpers::ProcessedSerdeObject; +use halo2curves::msm::msm_best; +use halo2curves::serde::SerdeObject; +use halo2curves::CurveAffine; use std::io; use super::msm::MSMKZG; @@ -27,38 +29,30 @@ pub struct ParamsKZG { pub(crate) s_g2: E::G2Affine, } -/// Umbrella commitment scheme construction for all KZG variants -#[derive(Debug)] -pub struct KZGCommitmentScheme { - _marker: PhantomData, -} - -impl CommitmentScheme for KZGCommitmentScheme +impl Params> for ParamsKZG where - E::G1Affine: SerdeCurveAffine::Fr, CurveExt = ::G1>, - E::G1: CurveExt, - E::G2Affine: SerdeCurveAffine, + E::Fr: SerdeObject, + E::G1Affine: Default + SerdeObject + CurveAffine, { - type Scalar = E::Fr; - type Curve = E::G1Affine; - - type ParamsProver = ParamsKZG; - type ParamsVerifier = ParamsVerifierKZG; + fn k(&self) -> u32 { + self.k + } - fn new_params(k: u32) -> Self::ParamsProver { - ParamsKZG::new(k) + fn n(&self) -> u64 { + self.n } - fn read_params(reader: &mut R) -> io::Result { - ParamsKZG::read(reader) + fn commit_lagrange(&self, poly: &Polynomial) -> E::G1Affine { + let mut scalars = Vec::with_capacity(poly.len()); + scalars.extend(poly.iter()); + let bases = &self.g_lagrange; + let size = scalars.len(); + assert!(bases.len() >= size); + msm_best(&scalars, &bases[0..size]).into() } } -impl ParamsKZG -where - E::G1Affine: SerdeCurveAffine, - E::G1: CurveExt, -{ +impl ParamsKZG { /// Initializes parameters for the curve, draws toxic secret from given rng. /// MUST NOT be used in production. pub fn setup(k: u32, rng: R) -> Self { @@ -166,7 +160,8 @@ where /// Writes parameters to buffer pub fn write_custom(&self, writer: &mut W, format: SerdeFormat) -> io::Result<()> where - E::G2Affine: SerdeCurveAffine, + E::G1Affine: CurveAffine + ProcessedSerdeObject, + E::G2Affine: CurveAffine + ProcessedSerdeObject, { writer.write_all(&self.k.to_le_bytes())?; for el in self.g.iter() { @@ -183,7 +178,8 @@ where /// Reads params from a buffer. pub fn read_custom(reader: &mut R, format: SerdeFormat) -> io::Result where - E::G2Affine: SerdeCurveAffine, + E::G1Affine: CurveAffine + ProcessedSerdeObject, + E::G2Affine: CurveAffine + ProcessedSerdeObject, { let mut k = [0u8; 4]; reader.read_exact(&mut k[..])?; @@ -234,20 +230,20 @@ where } SerdeFormat::RawBytes => { let g = (0..n) - .map(|_| ::read(reader, format)) + .map(|_| ::read(reader, format)) .collect::, _>>()?; let g_lagrange = (0..n) - .map(|_| ::read(reader, format)) + .map(|_| ::read(reader, format)) .collect::, _>>()?; (g, g_lagrange) } SerdeFormat::RawBytesUnchecked => { // avoid try branching for performance let g = (0..n) - .map(|_| ::read(reader, format).unwrap()) + .map(|_| ::read(reader, format).unwrap()) .collect::>(); let g_lagrange = (0..n) - .map(|_| ::read(reader, format).unwrap()) + .map(|_| ::read(reader, format).unwrap()) .collect::>(); (g, g_lagrange) } @@ -270,25 +266,25 @@ where // TODO: see the issue at https://github.com/appliedzkp/halo2/issues/45 // So we probably need much smaller verifier key. However for new bases in g1 should be in verifier keys. /// KZG multi-open verification parameters -pub type ParamsVerifierKZG = ParamsKZG; +pub type ParamsVerifierKZG = ParamsKZG; -impl<'params, E: Engine + Debug> Params<'params, E::G1Affine> for ParamsKZG +impl<'params, E: Engine + Debug> ParamsKZG where - E::G1Affine: SerdeCurveAffine::Fr, CurveExt = ::G1>, - E::G1: CurveExt, - E::G2Affine: SerdeCurveAffine, + E::G1Affine: CurveAffine + ProcessedSerdeObject, + E::G2Affine: CurveAffine + ProcessedSerdeObject, { - type MSM = MSMKZG; - - fn k(&self) -> u32 { + /// TODO + pub fn k(&self) -> u32 { self.k } - fn n(&self) -> u64 { + /// TODO + pub fn n(&self) -> u64 { self.n } - fn downsize(&mut self, k: u32) { + /// TODO + pub fn downsize(&mut self, k: u32) { assert!(k <= self.k); self.k = k; @@ -298,81 +294,49 @@ where self.g_lagrange = g_to_lagrange(self.g.iter().map(|g| g.to_curve()).collect(), k); } - fn empty_msm(&'params self) -> MSMKZG { + /// TODO + pub fn empty_msm(&'params self) -> MSMKZG { MSMKZG::new() } - fn commit_lagrange(&self, poly: &Polynomial, _: Blind) -> E::G1 { - let mut scalars = Vec::with_capacity(poly.len()); - scalars.extend(poly.iter()); - let bases = &self.g_lagrange; - let size = scalars.len(); - assert!(bases.len() >= size); - best_multiexp(&scalars, &bases[0..size]) - } - /// Writes params to a buffer. - fn write(&self, writer: &mut W) -> io::Result<()> { + pub fn write(&self, writer: &mut W) -> io::Result<()> { self.write_custom(writer, SerdeFormat::RawBytes) } /// Reads params from a buffer. - fn read(reader: &mut R) -> io::Result { + pub fn read(reader: &mut R) -> io::Result { Self::read_custom(reader, SerdeFormat::RawBytes) } } -impl<'params, E: Engine + Debug> ParamsVerifier<'params, E::G1Affine> for ParamsKZG -where - E::G1Affine: SerdeCurveAffine::Fr, CurveExt = ::G1>, - E::G1: CurveExt, - E::G2Affine: SerdeCurveAffine, -{ -} - -impl<'params, E: Engine + Debug> ParamsProver<'params, E::G1Affine> for ParamsKZG -where - E::G1Affine: SerdeCurveAffine::Fr, CurveExt = ::G1>, - E::G1: CurveExt, - E::G2Affine: SerdeCurveAffine, -{ - type ParamsVerifier = ParamsVerifierKZG; - - fn verifier_params(&'params self) -> &'params Self::ParamsVerifier { +impl<'params, E: Engine + Debug> ParamsKZG { + /// TODO + pub fn verifier_params(&'params self) -> &'params ParamsVerifierKZG { self } - fn new(k: u32) -> Self { + /// UNSAFE function - do not use in production + pub fn new(k: u32) -> Self { Self::setup(k, OsRng) } - fn commit(&self, poly: &Polynomial, _: Blind) -> E::G1 { - let mut scalars = Vec::with_capacity(poly.len()); - scalars.extend(poly.iter()); - let bases = &self.g; - let size = scalars.len(); - assert!(bases.len() >= size); - best_multiexp(&scalars, &bases[0..size]) - } - - fn get_g(&self) -> &[E::G1Affine] { + /// TODO + pub fn get_g(&self) -> &[E::G1Affine] { &self.g } } #[cfg(test)] mod test { - use crate::poly::commitment::ParamsProver; - use crate::poly::commitment::{Blind, Params}; - use crate::poly::kzg::commitment::ParamsKZG; - use ff::Field; + use crate::poly::commitment::{Params, PolynomialCommitmentScheme}; + use crate::poly::kzg::params::ParamsKZG; + use crate::poly::kzg::KZGCommitmentScheme; #[test] fn test_commit_lagrange() { const K: u32 = 6; - use rand_core::OsRng; - use crate::poly::EvaluationDomain; use halo2curves::bn256::{Bn256, Fr}; @@ -387,22 +351,22 @@ mod test { let b = domain.lagrange_to_coeff(a.clone()); - let alpha = Blind(Fr::random(OsRng)); + let tmp = params.commit_lagrange(&a); + let commitment = KZGCommitmentScheme::commit(¶ms, &b); - assert_eq!(params.commit(&b, alpha), params.commit_lagrange(&a, alpha)); + assert_eq!(commitment, tmp); } #[test] fn test_parameter_serialisation_roundtrip() { const K: u32 = 4; - use super::super::commitment::Params; use crate::halo2curves::bn256::Bn256; let params0 = ParamsKZG::::new(K); let mut data = vec![]; - as Params<_>>::write(¶ms0, &mut data).unwrap(); - let params1: ParamsKZG = Params::read::<_>(&mut &data[..]).unwrap(); + ParamsKZG::write(¶ms0, &mut data).unwrap(); + let params1 = ParamsKZG::::read::<_>(&mut &data[..]).unwrap(); assert_eq!(params0.k, params1.k); assert_eq!(params0.n, params1.n); diff --git a/halo2_proofs/src/poly.rs b/src/poly/mod.rs similarity index 91% rename from halo2_proofs/src/poly.rs rename to src/poly/mod.rs index 9cb6b149bc..d6ded960d4 100644 --- a/halo2_proofs/src/poly.rs +++ b/src/poly/mod.rs @@ -2,35 +2,29 @@ //! various forms, including computing commitments to them and provably opening //! the committed polynomials at arbitrary points. -use crate::arithmetic::parallelize; -use crate::helpers::SerdePrimeField; -use crate::plonk::Assigned; -use crate::SerdeFormat; +use crate::utils::arithmetic::parallelize; +use crate::utils::SerdeFormat; -use group::ff::{BatchInvert, Field}; +use ff::{BatchInvert, PrimeField}; +use group::ff::Field; +use halo2curves::serde::SerdeObject; use std::fmt::Debug; use std::io; use std::marker::PhantomData; use std::ops::{Add, Deref, DerefMut, Index, IndexMut, Mul, RangeFrom, RangeFull, Sub}; -/// Generic commitment scheme structures -pub mod commitment; mod domain; mod query; -mod strategy; - -/// Inner product argument commitment scheme -pub mod ipa; /// KZG commitment scheme pub mod kzg; -#[cfg(test)] -mod multiopen_test; +pub mod commitment; +use crate::utils::helpers::read_f; +use crate::utils::rational::Rational; pub use domain::*; pub use query::{ProverQuery, VerifierQuery}; -pub use strategy::{Guard, VerificationStrategy}; /// This is an error that could occur during proving or circuit synthesis. // TODO: these errors need to be cleaned up @@ -145,15 +139,15 @@ impl Polynomial { } } -impl Polynomial { - /// Reads polynomial from buffer using `SerdePrimeField::read`. +impl Polynomial { + /// Reads polynomial from buffer using `SerdePrimeField::read`. pub(crate) fn read(reader: &mut R, format: SerdeFormat) -> io::Result { let mut poly_len = [0u8; 4]; reader.read_exact(&mut poly_len)?; let poly_len = u32::from_be_bytes(poly_len); (0..poly_len) - .map(|_| F::read(reader, format)) + .map(|_| read_f(reader, format)) .collect::>>() .map(|values| Self { values, @@ -161,22 +155,18 @@ impl Polynomial { }) } - /// Writes polynomial to buffer using `SerdePrimeField::write`. - pub(crate) fn write( - &self, - writer: &mut W, - format: SerdeFormat, - ) -> io::Result<()> { + /// Writes polynomial to buffer using `SerdePrimeField::write`. + pub(crate) fn write(&self, writer: &mut W) -> io::Result<()> { writer.write_all(&(self.values.len() as u32).to_be_bytes())?; for value in self.values.iter() { - value.write(writer, format)?; + value.write_raw(writer)?; } Ok(()) } } -pub(crate) fn batch_invert_assigned( - assigned: Vec, LagrangeCoeff>>, +pub(crate) fn batch_invert_rational( + assigned: Vec, LagrangeCoeff>>, ) -> Vec> { let mut assigned_denominators: Vec<_> = assigned .iter() @@ -204,7 +194,7 @@ pub(crate) fn batch_invert_assigned( .collect() } -impl Polynomial, LagrangeCoeff> { +impl Polynomial, LagrangeCoeff> { pub(crate) fn invert( &self, inv_denoms: impl Iterator + ExactSizeIterator, diff --git a/src/poly/query.rs b/src/poly/query.rs new file mode 100644 index 0000000000..7e7fe8dd3b --- /dev/null +++ b/src/poly/query.rs @@ -0,0 +1,124 @@ +use ff::PrimeField; +use std::fmt::Debug; + +use crate::poly::commitment::PolynomialCommitmentScheme; +use crate::{ + poly::{Coeff, Polynomial}, + utils::arithmetic::eval_polynomial, +}; + +pub trait Query: Sized + Clone + Send + Sync { + type Commitment: PartialEq + Copy + Send + Sync; + type Eval: Clone + Default + Debug; + + fn get_point(&self) -> F; + fn get_eval(&self) -> Self::Eval; + fn get_commitment(&self) -> Self::Commitment; +} + +/// A polynomial query at a point +#[derive(Debug, Clone, Copy)] +pub struct ProverQuery<'com, F: PrimeField> { + /// Point at which polynomial is queried + pub(crate) point: F, + /// Coefficients of polynomial + pub(crate) poly: &'com Polynomial, +} + +impl<'com, F> ProverQuery<'com, F> +where + F: PrimeField, +{ + /// Create a new prover query based on a polynomial + pub fn new(point: F, poly: &'com Polynomial) -> Self { + ProverQuery { point, poly } + } +} + +#[doc(hidden)] +#[derive(Copy, Clone)] +pub struct PolynomialPointer<'com, F: PrimeField> { + pub(crate) poly: &'com Polynomial, +} + +impl<'com, F: PrimeField> PartialEq for PolynomialPointer<'com, F> { + fn eq(&self, other: &Self) -> bool { + std::ptr::eq(self.poly, other.poly) + } +} + +impl<'com, F: PrimeField> Query for ProverQuery<'com, F> { + type Commitment = PolynomialPointer<'com, F>; + type Eval = F; + + fn get_point(&self) -> F { + self.point + } + fn get_eval(&self) -> Self::Eval { + eval_polynomial(&self.poly[..], self.get_point()) + } + fn get_commitment(&self) -> Self::Commitment { + PolynomialPointer { poly: self.poly } + } +} + +// impl<'com, F: PrimeField, CS: PolynomialCommitmentScheme> VerifierQuery<'com, F, CS> { +// /// Create a new verifier query based on a commitment +// pub fn new_commitment(commitment: &'com C, point: C::Scalar, eval: C::Scalar) -> Self { +// VerifierQuery { +// point, +// eval, +// commitment: CommitmentReference::Commitment(commitment), +// } +// } +// +// /// Create a new verifier query based on a linear combination of commitments +// pub fn new_msm(msm: &'com M, point: C::Scalar, eval: C::Scalar) -> VerifierQuery<'com, C, M> { +// VerifierQuery { +// point, +// eval, +// commitment: CommitmentReference::MSM(msm), +// } +// } +// } + +/// A polynomial query at a point +#[derive(Debug, Clone, Copy)] +pub struct VerifierQuery> { + /// Point at which polynomial is queried + pub(crate) point: F, + /// Commitment to polynomial + pub(crate) commitment: CS::Commitment, + /// Evaluation of polynomial at query point + pub(crate) eval: F, +} + +impl VerifierQuery +where + F: PrimeField, + CS: PolynomialCommitmentScheme, +{ + /// Create a new verifier query based on a commitment + pub fn new(point: F, commitment: CS::Commitment, eval: F) -> Self { + VerifierQuery { + point, + commitment, + eval, + } + } +} + +impl> Query for VerifierQuery { + type Commitment = CS::Commitment; + type Eval = F; + + fn get_point(&self) -> F { + self.point + } + fn get_eval(&self) -> F { + self.eval + } + fn get_commitment(&self) -> Self::Commitment { + self.commitment + } +} diff --git a/src/transcript/mod.rs b/src/transcript/mod.rs new file mode 100644 index 0000000000..0850f373af --- /dev/null +++ b/src/transcript/mod.rs @@ -0,0 +1,177 @@ +//! This module contains utilities and traits for dealing with Fiat-Shamir +//! transcripts. +use blake2b_simd::{Params, State as Blake2bState}; + +use ff::FromUniformBytes; +use group::GroupEncoding; +use halo2curves::bn256::{Fr, G1Affine}; +use halo2curves::serde::SerdeObject; +use std::io::{self, Cursor}; + +/// Prefix to a prover's message soliciting a challenge +const BLAKE2B_PREFIX_CHALLENGE: u8 = 0; + +/// Prefix to a prover's message +const BLAKE2B_PREFIX_COMMON: u8 = 1; + +/// Hash function that can be used for transcript +pub trait TranscriptHash { + /// Input type of the hash function + type Input; + /// Output type of the hash function + type Output; + + /// Initialise the hasher + fn init() -> Self; + /// Absorb an element + fn absorb(&mut self, input: &Self::Input) -> &mut Self; + /// Squeeze an output + fn squeeze(&mut self) -> Self::Output; +} + +/// Traits to represent values that can be hashed with a `TranscriptHash` +pub trait Hashable { + /// Converts the hashable type to a format that can be hashed with `H` + fn to_input(&self) -> H::Input; +} + +/// Trait to represent values that can be sampled from a `TranscriptHash` +pub trait Sampleable { + /// Converts `H`'s output to Self + fn sample(out: H::Output) -> Self; +} + +/// Generic transcript view +pub trait Transcript { + /// Hash function + type Hash: TranscriptHash; + + /// Initialises the transcript + fn init() -> Self; + + /// Parses an existing transcript + fn init_from_bytes(bytes: &[u8]) -> Self; + + /// Squeeze a challenge of type `T`, which only needs to be `Sampleable` with + /// the corresponding hash function. + fn squeeze_challenge>(&mut self) -> T; + + /// Writing a hashable element `T` to the transcript without writing it to the proof, + /// treating it as a common commitment. + fn common>(&mut self, input: &T) -> io::Result<()>; + + /// Read a hashable element `T` from the prover. + fn read + SerdeObject>(&mut self) -> io::Result; + + /// Write a hashable element `T` to the proof and the transcript. + fn write + SerdeObject>(&mut self, input: &T) -> io::Result<()>; + + /// Returns the buffer with the proof + fn finalize(self) -> Vec; +} + +#[derive(Debug)] +/// Transcript used in proofs, parametrised by its hash function. +pub struct CircuitTranscript { + state: H, + buffer: Cursor>, +} + +impl Transcript for CircuitTranscript { + type Hash = H; + + fn init() -> Self { + Self { + state: H::init(), + buffer: Cursor::new(vec![]), + } + } + + fn init_from_bytes(bytes: &[u8]) -> Self { + Self { + state: H::init(), + buffer: Cursor::new(bytes.to_vec()), + } + } + + fn squeeze_challenge>(&mut self) -> T { + T::sample(self.state.squeeze()) + } + + fn common>(&mut self, input: &T) -> io::Result<()> { + self.state.absorb(&input.to_input()); + + Ok(()) + } + + fn read + SerdeObject>(&mut self) -> io::Result { + let val = T::read_raw(&mut self.buffer)?; + self.common(&val)?; + + Ok(val) + } + + fn write + SerdeObject>(&mut self, input: &T) -> io::Result<()> { + self.common(input)?; + input.write_raw(&mut self.buffer) + } + + fn finalize(self) -> Vec { + self.buffer.into_inner() + } +} + +impl TranscriptHash for Blake2bState { + type Input = Vec; + type Output = Vec; + + fn init() -> Self { + Params::new() + .hash_length(64) + .key(b"Domain separator for transcript") + .to_state() + } + + fn absorb(&mut self, input: &Self::Input) -> &mut Self { + self.update(&[BLAKE2B_PREFIX_COMMON]); + self.update(input) + } + + fn squeeze(&mut self) -> Self::Output { + self.update(&[BLAKE2B_PREFIX_CHALLENGE]); + self.finalize().as_bytes().to_vec() + } +} + +/////////////////////////////////////////////////// +/// Implementation of Hashable for BN with Blake // +/////////////////////////////////////////////////// + +impl Hashable for G1Affine { + fn to_input(&self) -> Vec { + self.to_bytes().as_ref().to_vec() + } +} + +impl Hashable for Fr { + fn to_input(&self) -> Vec { + self.to_bytes().to_vec() + } +} + +impl Sampleable for Fr { + fn sample(out: Vec) -> Self { + assert!(out.len() <= 64); + let mut bytes = [0u8; 64]; + bytes[..out.len()].copy_from_slice(&out); + Fr::from_uniform_bytes(&bytes) + } +} + +pub(crate) fn read_n(transcript: &mut T, n: usize) -> io::Result> +where + T: Transcript, + C: Hashable + SerdeObject, +{ + (0..n).map(|_| transcript.read()).collect() +} diff --git a/src/utils/arithmetic.rs b/src/utils/arithmetic.rs new file mode 100644 index 0000000000..e831b19f59 --- /dev/null +++ b/src/utils/arithmetic.rs @@ -0,0 +1,286 @@ +//! This module provides common utilities, traits and structures for group, +//! field and polynomial arithmetic. + +use super::multicore; +pub use ff::Field; +use group::prime::PrimeCurveAffine; +use group::{ + ff::{BatchInvert, PrimeField}, + Curve, GroupOpsOwned, ScalarMulOwned, +}; +use std::fmt::Debug; + +use halo2curves::fft::best_fft; +pub use halo2curves::{CurveAffine, CurveExt}; + +/// This represents an element of a group with basic operations that can be +/// performed. This allows an FFT implementation (for example) to operate +/// generically over either a field or elliptic curve group. +pub trait FftGroup: + Copy + Send + Sync + 'static + GroupOpsOwned + ScalarMulOwned +{ +} + +impl FftGroup for T +where + Scalar: Field, + T: Copy + Send + Sync + 'static + GroupOpsOwned + ScalarMulOwned, +{ +} + +/// Convert coefficient bases group elements to lagrange basis by inverse FFT. +pub fn g_to_lagrange(g_projective: Vec, k: u32) -> Vec { + let n_inv = C::Scalar::TWO_INV.pow_vartime([k as u64, 0, 0, 0]); + let mut omega_inv = C::Scalar::ROOT_OF_UNITY_INV; + for _ in k..C::Scalar::S { + omega_inv = omega_inv.square(); + } + + let mut g_lagrange_projective = g_projective; + best_fft(&mut g_lagrange_projective, omega_inv, k); + parallelize(&mut g_lagrange_projective, |g, _| { + for g in g.iter_mut() { + *g *= n_inv; + } + }); + + let mut g_lagrange = vec![C::identity(); 1 << k]; + parallelize(&mut g_lagrange, |g_lagrange, starts| { + C::Curve::batch_normalize( + &g_lagrange_projective[starts..(starts + g_lagrange.len())], + g_lagrange, + ); + }); + + g_lagrange +} + +/// This evaluates a provided polynomial (in coefficient form) at `point`. +pub fn eval_polynomial(poly: &[F], point: F) -> F { + fn evaluate(poly: &[F], point: F) -> F { + poly.iter() + .rev() + .fold(F::ZERO, |acc, coeff| acc * point + coeff) + } + let n = poly.len(); + let num_threads = multicore::current_num_threads(); + if n * 2 < num_threads { + evaluate(poly, point) + } else { + let chunk_size = (n + num_threads - 1) / num_threads; + let mut parts = vec![F::ZERO; num_threads]; + multicore::scope(|scope| { + for (chunk_idx, (out, poly)) in + parts.chunks_mut(1).zip(poly.chunks(chunk_size)).enumerate() + { + scope.spawn(move |_| { + let start = chunk_idx * chunk_size; + out[0] = evaluate(poly, point) * point.pow_vartime([start as u64, 0, 0, 0]); + }); + } + }); + parts.iter().fold(F::ZERO, |acc, coeff| acc + coeff) + } +} + +/// This computes the inner product of two vectors `a` and `b`. +/// +/// This function will panic if the two vectors are not the same size. +pub fn compute_inner_product(a: &[F], b: &[F]) -> F { + // TODO: parallelize? + assert_eq!(a.len(), b.len()); + + let mut acc = F::ZERO; + for (a, b) in a.iter().zip(b.iter()) { + acc += (*a) * (*b); + } + + acc +} + +/// Divides polynomial `a` in `X` by `X - b` with +/// no remainder. +pub fn kate_division<'a, F: Field, I: IntoIterator>(a: I, mut b: F) -> Vec +where + I::IntoIter: DoubleEndedIterator + ExactSizeIterator, +{ + b = -b; + let a = a.into_iter(); + + let mut q = vec![F::ZERO; a.len() - 1]; + + let mut tmp = F::ZERO; + for (q, r) in q.iter_mut().rev().zip(a.rev()) { + let mut lead_coeff = *r; + lead_coeff.sub_assign(&tmp); + *q = lead_coeff; + tmp = lead_coeff; + tmp.mul_assign(&b); + } + + q +} + +/// This utility function will parallelize an operation that is to be +/// performed over a mutable slice. +pub fn parallelize(v: &mut [T], f: F) { + // Algorithm rationale: + // + // Using the stdlib `chunks_mut` will lead to severe load imbalance. + // From https://github.com/rust-lang/rust/blob/e94bda3/library/core/src/slice/iter.rs#L1607-L1637 + // if the division is not exact, the last chunk will be the remainder. + // + // Dividing 40 items on 12 threads will lead to a chunk size of 40/12 = 3, + // There will be a 13 chunks of size 3 and 1 of size 1 distributed on 12 threads. + // This leads to 1 thread working on 6 iterations, 1 on 4 iterations and 10 on 3 iterations, + // a load imbalance of 2x. + // + // Instead we can divide work into chunks of size + // 4, 4, 4, 4, 3, 3, 3, 3, 3, 3, 3, 3 = 4*4 + 3*8 = 40 + // + // This would lead to a 6/4 = 1.5x speedup compared to naive chunks_mut + // + // See also OpenMP spec (page 60) + // http://www.openmp.org/mp-documents/openmp-4.5.pdf + // "When no chunk_size is specified, the iteration space is divided into chunks + // that are approximately equal in size, and at most one chunk is distributed to + // each thread. The size of the chunks is unspecified in this case." + // This implies chunks are the same size ±1 + + let f = &f; + let total_iters = v.len(); + let num_threads = multicore::current_num_threads(); + let base_chunk_size = total_iters / num_threads; + let cutoff_chunk_id = total_iters % num_threads; + let split_pos = cutoff_chunk_id * (base_chunk_size + 1); + let (v_hi, v_lo) = v.split_at_mut(split_pos); + + multicore::scope(|scope| { + // Skip special-case: number of iterations is cleanly divided by number of threads. + if cutoff_chunk_id != 0 { + for (chunk_id, chunk) in v_hi.chunks_exact_mut(base_chunk_size + 1).enumerate() { + let offset = chunk_id * (base_chunk_size + 1); + scope.spawn(move |_| f(chunk, offset)); + } + } + // Skip special-case: less iterations than number of threads. + if base_chunk_size != 0 { + for (chunk_id, chunk) in v_lo.chunks_exact_mut(base_chunk_size).enumerate() { + let offset = split_pos + (chunk_id * base_chunk_size); + scope.spawn(move |_| f(chunk, offset)); + } + } + }); +} + +/// Returns coefficients of an n - 1 degree polynomial given a set of n points +/// and their evaluations. This function will panic if two values in `points` +/// are the same. +pub fn lagrange_interpolate(points: &[F], evals: &[F]) -> Vec { + assert_eq!(points.len(), evals.len()); + if points.len() == 1 { + // Constant polynomial + vec![evals[0]] + } else { + let mut denoms = Vec::with_capacity(points.len()); + for (j, x_j) in points.iter().enumerate() { + let mut denom = Vec::with_capacity(points.len() - 1); + for x_k in points + .iter() + .enumerate() + .filter(|&(k, _)| k != j) + .map(|a| a.1) + { + denom.push(*x_j - x_k); + } + denoms.push(denom); + } + // Compute (x_j - x_k)^(-1) for each j != i + denoms.iter_mut().flat_map(|v| v.iter_mut()).batch_invert(); + + let mut final_poly = vec![F::ZERO; points.len()]; + for (j, (denoms, eval)) in denoms.into_iter().zip(evals.iter()).enumerate() { + let mut tmp: Vec = Vec::with_capacity(points.len()); + let mut product = Vec::with_capacity(points.len() - 1); + tmp.push(F::ONE); + for (x_k, denom) in points + .iter() + .enumerate() + .filter(|&(k, _)| k != j) + .map(|a| a.1) + .zip(denoms.into_iter()) + { + product.resize(tmp.len() + 1, F::ZERO); + for ((a, b), product) in tmp + .iter() + .chain(std::iter::once(&F::ZERO)) + .zip(std::iter::once(&F::ZERO).chain(tmp.iter())) + .zip(product.iter_mut()) + { + *product = *a * (-denom * x_k) + *b * denom; + } + std::mem::swap(&mut tmp, &mut product); + } + assert_eq!(tmp.len(), points.len()); + assert_eq!(product.len(), points.len() - 1); + for (final_coeff, interpolation_coeff) in final_poly.iter_mut().zip(tmp.into_iter()) { + *final_coeff += interpolation_coeff * eval; + } + } + final_poly + } +} + +pub(crate) fn powers(base: F) -> impl Iterator { + std::iter::successors(Some(F::ONE), move |power| Some(base * power)) +} + +/// Multi scalar multiplication engine +pub trait MSM: Clone + Debug + Send + Sized + Sync { + /// Add arbitrary term (the scalar and the point) + fn append_term(&mut self, scalar: C::Scalar, point: C::Curve); + + /// Add another multiexp into this one + fn add_msm(&mut self, other: &Self); + + /// Scale all scalars in the MSM by some scaling factor + fn scale(&mut self, factor: C::Scalar); + + /// Perform multiexp and check that it results in zero + fn check(&self) -> bool; + + /// Perform multiexp and return the result + fn eval(&self) -> C::Curve; + + /// Return base points + fn bases(&self) -> Vec; + + /// Scalars + fn scalars(&self) -> Vec; +} + +#[cfg(test)] +use rand_core::OsRng; + +#[cfg(test)] +use crate::halo2curves::pasta::Fp; + +#[test] +fn test_lagrange_interpolate() { + let rng = OsRng; + + let points = (0..5).map(|_| Fp::random(rng)).collect::>(); + let evals = (0..5).map(|_| Fp::random(rng)).collect::>(); + + for coeffs in 0..5 { + let points = &points[0..coeffs]; + let evals = &evals[0..coeffs]; + + let poly = lagrange_interpolate(points, evals); + assert_eq!(poly.len(), points.len()); + + for (point, eval) in points.iter().zip(evals) { + assert_eq!(eval_polynomial(&poly, *point), *eval); + } + } +} diff --git a/halo2_proofs/src/helpers.rs b/src/utils/helpers.rs similarity index 54% rename from halo2_proofs/src/helpers.rs rename to src/utils/helpers.rs index faf7351a3e..57ef1cdc91 100644 --- a/halo2_proofs/src/helpers.rs +++ b/src/utils/helpers.rs @@ -1,6 +1,10 @@ +//! HELPER FUNCTIONS + use crate::poly::Polynomial; use ff::PrimeField; -use halo2curves::{serde::SerdeObject, CurveAffine}; +use group::prime::PrimeCurveAffine; +use group::GroupEncoding; +use halo2curves::serde::SerdeObject; use std::io; /// This enum specifies how various types are serialized and deserialized. @@ -19,87 +23,72 @@ pub enum SerdeFormat { RawBytesUnchecked, } -// Keep this trait for compatibility with IPA serialization -pub(crate) trait CurveRead: CurveAffine { - /// Reads a compressed element from the buffer and attempts to parse it - /// using `from_bytes`. - fn read(reader: &mut R) -> io::Result { - let mut compressed = Self::Repr::default(); - reader.read_exact(compressed.as_mut())?; - Option::from(Self::from_bytes(&compressed)) - .ok_or_else(|| io::Error::new(io::ErrorKind::Other, "Invalid point encoding in proof")) - } +/// Interface for Serde objects that can be represented in compressed form. +pub trait ProcessedSerdeObject: SerdeObject + Default { + /// Reads an element from the buffer and parses it according to the `format`: + /// - `Processed`: Reads a compressed element and decompress it + /// - `RawBytes`: Reads an uncompressed element and checks its correctness + /// - `RawBytesUnchecked`: Reads an uncompressed element without performing any checks + fn read(reader: &mut R, format: SerdeFormat) -> io::Result; + + /// Writes an element according to `format`: + /// - `Processed`: Writes a compressed element + /// - Otherwise: Writes an uncompressed element + fn write(&self, writer: &mut W, format: SerdeFormat) -> io::Result<()>; } -impl CurveRead for C {} -pub trait SerdeCurveAffine: CurveAffine + SerdeObject { - /// Reads an element from the buffer and parses it according to the `format`: - /// - `Processed`: Reads a compressed curve element and decompress it - /// - `RawBytes`: Reads an uncompressed curve element with coordinates in Montgomery form. - /// Checks that field elements are less than modulus, and then checks that the point is on the curve. - /// - `RawBytesUnchecked`: Reads an uncompressed curve element with coordinates in Montgomery form; - /// does not perform any checks - fn read(reader: &mut R, format: SerdeFormat) -> io::Result { - match format { - SerdeFormat::Processed => ::read(reader), - SerdeFormat::RawBytes => ::read_raw(reader), - SerdeFormat::RawBytesUnchecked => Ok(::read_raw_unchecked(reader)), - } - } - /// Writes a curve element according to `format`: - /// - `Processed`: Writes a compressed curve element - /// - Otherwise: Writes an uncompressed curve element with coordinates in Montgomery form - fn write(&self, writer: &mut W, format: SerdeFormat) -> io::Result<()> { - match format { - SerdeFormat::Processed => writer.write_all(self.to_bytes().as_ref()), - _ => self.write_raw(writer), - } +/// Byte length of an affine curve element according to `format`. +pub fn byte_length(format: SerdeFormat) -> usize { + match format { + SerdeFormat::Processed => T::default().to_raw_bytes().len(), + _ => T::default().to_raw_bytes().len() * 2, } +} - /// Byte length of an affine curve element according to `format`. - fn byte_length(format: SerdeFormat) -> usize { - match format { - SerdeFormat::Processed => Self::default().to_bytes().as_ref().len(), - _ => Self::Repr::default().as_ref().len() * 2, - } +/// Helper function to read a field element with a serde format. There is no way to compress field +/// elements, so `Processed` and `RawBytes` act equivalently. +pub(crate) fn read_f( + reader: &mut R, + format: SerdeFormat, +) -> io::Result { + match format { + SerdeFormat::Processed => ::read_raw(reader), + SerdeFormat::RawBytes => ::read_raw(reader), + SerdeFormat::RawBytesUnchecked => Ok(::read_raw_unchecked(reader)), } } -impl SerdeCurveAffine for C {} -pub trait SerdePrimeField: PrimeField + SerdeObject { - /// Reads a field element as bytes from the buffer according to the `format`: - /// - `Processed`: Reads a field element in standard form, with endianness specified by the - /// `PrimeField` implementation, and checks that the element is less than the modulus. - /// - `RawBytes`: Reads a field element from raw bytes in its internal Montgomery representations, - /// and checks that the element is less than the modulus. - /// - `RawBytesUnchecked`: Reads a field element in Montgomery form and performs no checks. +/// Trait for serialising SerdeObjects +impl ProcessedSerdeObject for C { + /// Reads an element from the buffer and parses it according to the `format`: + /// - `Processed`: Reads a compressed curve element and decompress it + /// - `RawBytes`: Reads an uncompressed curve element with coordinates in Montgomery form. + /// Checks that field elements are less than modulus, and then checks that the point is on the curve. + /// - `RawBytesUnchecked`: Reads an uncompressed curve element with coordinates in Montgomery form; + /// does not perform any checks fn read(reader: &mut R, format: SerdeFormat) -> io::Result { match format { SerdeFormat::Processed => { - let mut compressed = Self::Repr::default(); + let mut compressed = ::Repr::default(); reader.read_exact(compressed.as_mut())?; - Option::from(Self::from_repr(compressed)).ok_or_else(|| { - io::Error::new(io::ErrorKind::Other, "Invalid prime field point encoding") + Option::from(Self::from_bytes(&compressed)).ok_or_else(|| { + io::Error::new(io::ErrorKind::Other, "Invalid point encoding in proof") }) } SerdeFormat::RawBytes => ::read_raw(reader), SerdeFormat::RawBytesUnchecked => Ok(::read_raw_unchecked(reader)), } } - - /// Writes a field element as bytes to the buffer according to the `format`: - /// - `Processed`: Writes a field element in standard form, with endianness specified by the - /// `PrimeField` implementation. - /// - Otherwise: Writes a field element into raw bytes in its internal Montgomery representation, - /// WITHOUT performing the expensive Montgomery reduction. + /// Writes a curve element according to `format`: + /// - `Processed`: Writes a compressed curve element + /// - Otherwise: Writes an uncompressed curve element with coordinates in Montgomery form fn write(&self, writer: &mut W, format: SerdeFormat) -> io::Result<()> { match format { - SerdeFormat::Processed => writer.write_all(self.to_repr().as_ref()), + SerdeFormat::Processed => writer.write_all(self.to_bytes().as_ref()), _ => self.write_raw(writer), } } } -impl SerdePrimeField for F {} /// Convert a slice of `bool` into a `u8`. /// @@ -121,7 +110,7 @@ pub fn unpack(byte: u8, bits: &mut [bool]) { } /// Reads a vector of polynomials from buffer -pub(crate) fn read_polynomial_vec( +pub(crate) fn read_polynomial_vec( reader: &mut R, format: SerdeFormat, ) -> io::Result>> { @@ -135,14 +124,13 @@ pub(crate) fn read_polynomial_vec( } /// Writes a slice of polynomials to buffer -pub(crate) fn write_polynomial_slice( +pub(crate) fn write_polynomial_slice( slice: &[Polynomial], writer: &mut W, - format: SerdeFormat, ) -> io::Result<()> { writer.write_all(&(slice.len() as u32).to_be_bytes())?; for poly in slice.iter() { - poly.write(writer, format)?; + poly.write(writer)?; } Ok(()) } @@ -150,5 +138,5 @@ pub(crate) fn write_polynomial_slice( /// Gets the total number of bytes of a slice of polynomials, assuming all polynomials are the same length pub(crate) fn polynomial_slice_byte_length(slice: &[Polynomial]) -> usize { let field_len = F::default().to_repr().as_ref().len(); - 4 + slice.len() * (4 + field_len * slice.get(0).map(|poly| poly.len()).unwrap_or(0)) + 4 + slice.len() * (4 + field_len * slice.first().map(|poly| poly.len()).unwrap_or(0)) } diff --git a/src/utils/mod.rs b/src/utils/mod.rs new file mode 100644 index 0000000000..ab861289b0 --- /dev/null +++ b/src/utils/mod.rs @@ -0,0 +1,8 @@ +//! The utils module contains small, reusable functions + +pub mod arithmetic; +pub mod helpers; +pub(crate) mod multicore; +pub mod rational; + +pub use helpers::SerdeFormat; diff --git a/halo2_proofs/src/multicore.rs b/src/utils/multicore.rs similarity index 87% rename from halo2_proofs/src/multicore.rs rename to src/utils/multicore.rs index 4d30b91a8b..bdbbd714b7 100644 --- a/halo2_proofs/src/multicore.rs +++ b/src/utils/multicore.rs @@ -1,10 +1,9 @@ pub use rayon::{ current_num_threads, iter::{IndexedParallelIterator, IntoParallelRefIterator}, - iter::{IntoParallelIterator, IntoParallelRefMutIterator, ParallelIterator}, - join, scope, + iter::{IntoParallelIterator, ParallelIterator}, + scope, slice::ParallelSliceMut, - Scope, }; pub trait TryFoldAndReduce { @@ -25,7 +24,7 @@ impl TryFoldAndReduce for I where T: Send + Sync, E: Send + Sync, - I: rayon::iter::ParallelIterator>, + I: ParallelIterator>, { fn try_fold_and_reduce( self, diff --git a/halo2_proofs/src/plonk/assigned.rs b/src/utils/rational.rs similarity index 78% rename from halo2_proofs/src/plonk/assigned.rs rename to src/utils/rational.rs index 07de325678..1a4166be64 100644 --- a/halo2_proofs/src/plonk/assigned.rs +++ b/src/utils/rational.rs @@ -1,14 +1,14 @@ +//! Module that implements a rational value. A rational value is stored as a fraction, +//! so the backend can use batch inversion. use std::ops::{Add, AddAssign, Mul, MulAssign, Neg, Sub, SubAssign}; use group::ff::Field; -/// A value assigned to a cell within a circuit. +/// A rational value. /// -/// Stored as a fraction, so the backend can use batch inversion. -/// -/// A denominator of zero maps to an assigned value of zero. +/// A denominator of zero maps to a value of zero. #[derive(Clone, Copy, Debug)] -pub enum Assigned { +pub enum Rational { /// The field element zero. Zero, /// A value that does not require inversion to evaluate. @@ -17,31 +17,31 @@ pub enum Assigned { Rational(F, F), } -impl From<&Assigned> for Assigned { - fn from(val: &Assigned) -> Self { +impl From<&Rational> for Rational { + fn from(val: &Rational) -> Self { *val } } -impl From<&F> for Assigned { +impl From<&F> for Rational { fn from(numerator: &F) -> Self { - Assigned::Trivial(*numerator) + Rational::Trivial(*numerator) } } -impl From for Assigned { +impl From for Rational { fn from(numerator: F) -> Self { - Assigned::Trivial(numerator) + Rational::Trivial(numerator) } } -impl From<(F, F)> for Assigned { +impl From<(F, F)> for Rational { fn from((numerator, denominator): (F, F)) -> Self { - Assigned::Rational(numerator, denominator) + Rational::Rational(numerator, denominator) } } -impl PartialEq for Assigned { +impl PartialEq for Rational { fn eq(&self, other: &Self) -> bool { match (self, other) { // At least one side is directly zero. @@ -69,10 +69,10 @@ impl PartialEq for Assigned { } } -impl Eq for Assigned {} +impl Eq for Rational {} -impl Neg for Assigned { - type Output = Assigned; +impl Neg for Rational { + type Output = Rational; fn neg(self) -> Self::Output { match self { Self::Zero => Self::Zero, @@ -82,16 +82,16 @@ impl Neg for Assigned { } } -impl Neg for &Assigned { - type Output = Assigned; +impl Neg for &Rational { + type Output = Rational; fn neg(self) -> Self::Output { -*self } } -impl Add for Assigned { - type Output = Assigned; - fn add(self, rhs: Assigned) -> Assigned { +impl Add for Rational { + type Output = Rational; + fn add(self, rhs: Rational) -> Rational { match (self, rhs) { // One side is directly zero. (Self::Zero, _) => rhs, @@ -121,110 +121,110 @@ impl Add for Assigned { } } -impl Add for Assigned { - type Output = Assigned; - fn add(self, rhs: F) -> Assigned { +impl Add for Rational { + type Output = Rational; + fn add(self, rhs: F) -> Rational { self + Self::Trivial(rhs) } } -impl Add for &Assigned { - type Output = Assigned; - fn add(self, rhs: F) -> Assigned { +impl Add for &Rational { + type Output = Rational; + fn add(self, rhs: F) -> Rational { *self + rhs } } -impl Add<&Assigned> for Assigned { - type Output = Assigned; - fn add(self, rhs: &Self) -> Assigned { +impl Add<&Rational> for Rational { + type Output = Rational; + fn add(self, rhs: &Self) -> Rational { self + *rhs } } -impl Add> for &Assigned { - type Output = Assigned; - fn add(self, rhs: Assigned) -> Assigned { +impl Add> for &Rational { + type Output = Rational; + fn add(self, rhs: Rational) -> Rational { *self + rhs } } -impl Add<&Assigned> for &Assigned { - type Output = Assigned; - fn add(self, rhs: &Assigned) -> Assigned { +impl Add<&Rational> for &Rational { + type Output = Rational; + fn add(self, rhs: &Rational) -> Rational { *self + *rhs } } -impl AddAssign for Assigned { +impl AddAssign for Rational { fn add_assign(&mut self, rhs: Self) { *self = *self + rhs; } } -impl AddAssign<&Assigned> for Assigned { +impl AddAssign<&Rational> for Rational { fn add_assign(&mut self, rhs: &Self) { *self = *self + rhs; } } -impl Sub for Assigned { - type Output = Assigned; - fn sub(self, rhs: Assigned) -> Assigned { +impl Sub for Rational { + type Output = Rational; + fn sub(self, rhs: Rational) -> Rational { self + (-rhs) } } -impl Sub for Assigned { - type Output = Assigned; - fn sub(self, rhs: F) -> Assigned { +impl Sub for Rational { + type Output = Rational; + fn sub(self, rhs: F) -> Rational { self + (-rhs) } } -impl Sub for &Assigned { - type Output = Assigned; - fn sub(self, rhs: F) -> Assigned { +impl Sub for &Rational { + type Output = Rational; + fn sub(self, rhs: F) -> Rational { *self - rhs } } -impl Sub<&Assigned> for Assigned { - type Output = Assigned; - fn sub(self, rhs: &Self) -> Assigned { +impl Sub<&Rational> for Rational { + type Output = Rational; + fn sub(self, rhs: &Self) -> Rational { self - *rhs } } -impl Sub> for &Assigned { - type Output = Assigned; - fn sub(self, rhs: Assigned) -> Assigned { +impl Sub> for &Rational { + type Output = Rational; + fn sub(self, rhs: Rational) -> Rational { *self - rhs } } -impl Sub<&Assigned> for &Assigned { - type Output = Assigned; - fn sub(self, rhs: &Assigned) -> Assigned { +impl Sub<&Rational> for &Rational { + type Output = Rational; + fn sub(self, rhs: &Rational) -> Rational { *self - *rhs } } -impl SubAssign for Assigned { +impl SubAssign for Rational { fn sub_assign(&mut self, rhs: Self) { *self = *self - rhs; } } -impl SubAssign<&Assigned> for Assigned { +impl SubAssign<&Rational> for Rational { fn sub_assign(&mut self, rhs: &Self) { *self = *self - rhs; } } -impl Mul for Assigned { - type Output = Assigned; - fn mul(self, rhs: Assigned) -> Assigned { +impl Mul for Rational { + type Output = Rational; + fn mul(self, rhs: Rational) -> Rational { match (self, rhs) { (Self::Zero, _) | (_, Self::Zero) => Self::Zero, (Self::Trivial(lhs), Self::Trivial(rhs)) => Self::Trivial(lhs * rhs), @@ -243,40 +243,40 @@ impl Mul for Assigned { } } -impl Mul for Assigned { - type Output = Assigned; - fn mul(self, rhs: F) -> Assigned { +impl Mul for Rational { + type Output = Rational; + fn mul(self, rhs: F) -> Rational { self * Self::Trivial(rhs) } } -impl Mul for &Assigned { - type Output = Assigned; - fn mul(self, rhs: F) -> Assigned { +impl Mul for &Rational { + type Output = Rational; + fn mul(self, rhs: F) -> Rational { *self * rhs } } -impl Mul<&Assigned> for Assigned { - type Output = Assigned; - fn mul(self, rhs: &Assigned) -> Assigned { +impl Mul<&Rational> for Rational { + type Output = Rational; + fn mul(self, rhs: &Rational) -> Rational { self * *rhs } } -impl MulAssign for Assigned { +impl MulAssign for Rational { fn mul_assign(&mut self, rhs: Self) { *self = *self * rhs; } } -impl MulAssign<&Assigned> for Assigned { +impl MulAssign<&Rational> for Rational { fn mul_assign(&mut self, rhs: &Self) { *self = *self * rhs; } } -impl Assigned { +impl Rational { /// Returns the numerator. pub fn numerator(&self) -> F { match self { @@ -369,14 +369,14 @@ impl Assigned { mod tests { use halo2curves::pasta::Fp; - use super::Assigned; + use super::Rational; // We use (numerator, denominator) in the comments below to denote a rational. #[test] fn add_trivial_to_inv0_rational() { // a = 2 // b = (1,0) - let a = Assigned::Trivial(Fp::from(2)); - let b = Assigned::Rational(Fp::one(), Fp::zero()); + let a = Rational::Trivial(Fp::from(2)); + let b = Rational::Rational(Fp::one(), Fp::zero()); // 2 + (1,0) = 2 + 0 = 2 // This fails if addition is implemented using normal rules for rationals. @@ -388,8 +388,8 @@ mod tests { fn add_rational_to_inv0_rational() { // a = (1,2) // b = (1,0) - let a = Assigned::Rational(Fp::one(), Fp::from(2)); - let b = Assigned::Rational(Fp::one(), Fp::zero()); + let a = Rational::Rational(Fp::one(), Fp::from(2)); + let b = Rational::Rational(Fp::one(), Fp::zero()); // (1,2) + (1,0) = (1,2) + 0 = (1,2) // This fails if addition is implemented using normal rules for rationals. @@ -401,8 +401,8 @@ mod tests { fn sub_trivial_from_inv0_rational() { // a = 2 // b = (1,0) - let a = Assigned::Trivial(Fp::from(2)); - let b = Assigned::Rational(Fp::one(), Fp::zero()); + let a = Rational::Trivial(Fp::from(2)); + let b = Rational::Rational(Fp::one(), Fp::zero()); // (1,0) - 2 = 0 - 2 = -2 // This fails if subtraction is implemented using normal rules for rationals. @@ -416,8 +416,8 @@ mod tests { fn sub_rational_from_inv0_rational() { // a = (1,2) // b = (1,0) - let a = Assigned::Rational(Fp::one(), Fp::from(2)); - let b = Assigned::Rational(Fp::one(), Fp::zero()); + let a = Rational::Rational(Fp::one(), Fp::from(2)); + let b = Rational::Rational(Fp::one(), Fp::zero()); // (1,0) - (1,2) = 0 - (1,2) = -(1,2) // This fails if subtraction is implemented using normal rules for rationals. @@ -431,8 +431,8 @@ mod tests { fn mul_rational_by_inv0_rational() { // a = (1,2) // b = (1,0) - let a = Assigned::Rational(Fp::one(), Fp::from(2)); - let b = Assigned::Rational(Fp::one(), Fp::zero()); + let a = Rational::Rational(Fp::one(), Fp::from(2)); + let b = Rational::Rational(Fp::one(), Fp::zero()); // (1,2) * (1,0) = (1,2) * 0 = 0 assert_eq!((a * b).evaluate(), Fp::zero()); @@ -449,12 +449,11 @@ mod proptests { ops::{Add, Mul, Neg, Sub}, }; + use crate::utils::rational::Rational; use group::ff::Field; use halo2curves::pasta::Fp; use proptest::{collection::vec, prelude::*, sample::select}; - use super::Assigned; - trait UnaryOperand: Neg { fn double(&self) -> Self; fn square(&self) -> Self; @@ -480,7 +479,7 @@ mod proptests { } } - impl UnaryOperand for Assigned { + impl UnaryOperand for Rational { fn double(&self) -> Self { self.double() } @@ -529,7 +528,7 @@ mod proptests { trait BinaryOperand: Sized + Add + Sub + Mul {} impl BinaryOperand for F {} - impl BinaryOperand for Assigned {} + impl BinaryOperand for Rational {} #[derive(Clone, Debug)] enum BinaryOperator { @@ -568,8 +567,8 @@ mod proptests { } prop_compose! { - fn arb_trivial()(element in arb_element()) -> Assigned { - Assigned::Trivial(element) + fn arb_trivial()(element in arb_element()) -> Rational { + Rational::Trivial(element) } } @@ -581,8 +580,8 @@ mod proptests { 1 => Just(Fp::zero()), 2 => arb_element(), ], - ) -> Assigned { - Assigned::Rational(numerator, denominator) + ) -> Rational { + Rational::Rational(numerator, denominator) } } @@ -605,7 +604,7 @@ mod proptests { )( values in vec( prop_oneof![ - 1 => Just(Assigned::Zero), + 1 => Just(Rational::Zero), 2 => arb_trivial(), 2 => arb_rational(), ], @@ -614,7 +613,7 @@ mod proptests { // - we can apply every binary operator pairwise sequentially. cmp::max(usize::from(num_unary > 0), num_binary + 1)), operations in arb_operators(num_unary, num_binary).prop_shuffle(), - ) -> (Vec>, Vec) { + ) -> (Vec>, Vec) { (values, operations) } } diff --git a/tests/plonk_api.rs b/tests/plonk_api.rs new file mode 100644 index 0000000000..13dd3ca302 --- /dev/null +++ b/tests/plonk_api.rs @@ -0,0 +1,549 @@ +#![allow(clippy::many_single_char_names)] +#![allow(clippy::op_ref)] + +use assert_matches::assert_matches; +use blake2b_simd::State; +use ff::{FromUniformBytes, PrimeField, WithSmallOrderMulGroup}; +use halo2_proofs::circuit::{Cell, Layouter, SimpleFloorPlanner, Value}; +use halo2_proofs::dev::MockProver; +use halo2_proofs::plonk::{ + create_proof as create_plonk_proof, keygen_pk, keygen_vk, verify_proof as verify_plonk_proof, + Advice, Circuit, Column, ConstraintSystem, Error, Fixed, ProvingKey, TableColumn, VerifyingKey, +}; +use halo2_proofs::poly::commitment::PolynomialCommitmentScheme; +use halo2_proofs::poly::kzg::params::ParamsKZG; +use halo2_proofs::poly::kzg::KZGCommitmentScheme; +use halo2_proofs::poly::Rotation; +use halo2_proofs::transcript::{CircuitTranscript, Hashable, Sampleable, Transcript}; +use halo2_proofs::utils::arithmetic::Field; +use halo2_proofs::utils::rational::Rational; +use halo2curves::serde::SerdeObject; +use rand_core::{CryptoRng, OsRng, RngCore}; +use std::marker::PhantomData; + +#[test] +fn plonk_api() { + const K: u32 = 5; + + /// This represents an advice column at a certain row in the ConstraintSystem + #[derive(Copy, Clone, Debug)] + pub struct Variable(Column, usize); + + #[derive(Clone)] + struct PlonkConfig { + a: Column, + b: Column, + c: Column, + d: Column, + e: Column, + + sa: Column, + sb: Column, + sc: Column, + sm: Column, + sp: Column, + sl: TableColumn, + } + + #[allow(clippy::type_complexity)] + trait StandardCs { + fn raw_multiply( + &self, + layouter: &mut impl Layouter, + f: F, + ) -> Result<(Cell, Cell, Cell), Error> + where + F: FnMut() -> Value<(Rational, Rational, Rational)>; + fn raw_add( + &self, + layouter: &mut impl Layouter, + f: F, + ) -> Result<(Cell, Cell, Cell), Error> + where + F: FnMut() -> Value<(Rational, Rational, Rational)>; + fn copy(&self, layouter: &mut impl Layouter, a: Cell, b: Cell) -> Result<(), Error>; + fn public_input(&self, layouter: &mut impl Layouter, f: F) -> Result + where + F: FnMut() -> Value; + fn lookup_table( + &self, + layouter: &mut impl Layouter, + values: &[FF], + ) -> Result<(), Error>; + } + + #[derive(Clone)] + struct MyCircuit { + a: Value, + lookup_table: Vec, + } + + struct StandardPlonk { + config: PlonkConfig, + _marker: PhantomData, + } + + impl StandardPlonk { + fn new(config: PlonkConfig) -> Self { + StandardPlonk { + config, + _marker: PhantomData, + } + } + } + + impl StandardCs for StandardPlonk { + fn raw_multiply( + &self, + layouter: &mut impl Layouter, + mut f: F, + ) -> Result<(Cell, Cell, Cell), Error> + where + F: FnMut() -> Value<(Rational, Rational, Rational)>, + { + layouter.assign_region( + || "raw_multiply", + |mut region| { + let mut value = None; + let lhs = region.assign_advice( + || "lhs", + self.config.a, + 0, + || { + value = Some(f()); + value.unwrap().map(|v| v.0) + }, + )?; + region.assign_advice( + || "lhs^4", + self.config.d, + 0, + || value.unwrap().map(|v| v.0).square().square(), + )?; + let rhs = region.assign_advice( + || "rhs", + self.config.b, + 0, + || value.unwrap().map(|v| v.1), + )?; + region.assign_advice( + || "rhs^4", + self.config.e, + 0, + || value.unwrap().map(|v| v.1).square().square(), + )?; + let out = region.assign_advice( + || "out", + self.config.c, + 0, + || value.unwrap().map(|v| v.2), + )?; + + region.assign_fixed(|| "a", self.config.sa, 0, || Value::known(FF::ZERO))?; + region.assign_fixed(|| "b", self.config.sb, 0, || Value::known(FF::ZERO))?; + region.assign_fixed(|| "c", self.config.sc, 0, || Value::known(FF::ONE))?; + region.assign_fixed(|| "a * b", self.config.sm, 0, || Value::known(FF::ONE))?; + Ok((lhs.cell(), rhs.cell(), out.cell())) + }, + ) + } + fn raw_add( + &self, + layouter: &mut impl Layouter, + mut f: F, + ) -> Result<(Cell, Cell, Cell), Error> + where + F: FnMut() -> Value<(Rational, Rational, Rational)>, + { + layouter.assign_region( + || "raw_add", + |mut region| { + let mut value = None; + let lhs = region.assign_advice( + || "lhs", + self.config.a, + 0, + || { + value = Some(f()); + value.unwrap().map(|v| v.0) + }, + )?; + region.assign_advice( + || "lhs^4", + self.config.d, + 0, + || value.unwrap().map(|v| v.0).square().square(), + )?; + let rhs = region.assign_advice( + || "rhs", + self.config.b, + 0, + || value.unwrap().map(|v| v.1), + )?; + region.assign_advice( + || "rhs^4", + self.config.e, + 0, + || value.unwrap().map(|v| v.1).square().square(), + )?; + let out = region.assign_advice( + || "out", + self.config.c, + 0, + || value.unwrap().map(|v| v.2), + )?; + + region.assign_fixed(|| "a", self.config.sa, 0, || Value::known(FF::ONE))?; + region.assign_fixed(|| "b", self.config.sb, 0, || Value::known(FF::ONE))?; + region.assign_fixed(|| "c", self.config.sc, 0, || Value::known(FF::ONE))?; + region.assign_fixed( + || "a * b", + self.config.sm, + 0, + || Value::known(FF::ZERO), + )?; + Ok((lhs.cell(), rhs.cell(), out.cell())) + }, + ) + } + fn copy( + &self, + layouter: &mut impl Layouter, + left: Cell, + right: Cell, + ) -> Result<(), Error> { + layouter.assign_region( + || "copy", + |mut region| { + region.constrain_equal(left, right)?; + region.constrain_equal(left, right) + }, + ) + } + fn public_input(&self, layouter: &mut impl Layouter, mut f: F) -> Result + where + F: FnMut() -> Value, + { + layouter.assign_region( + || "public_input", + |mut region| { + let value = region.assign_advice(|| "value", self.config.a, 0, &mut f)?; + region.assign_fixed( + || "public", + self.config.sp, + 0, + || Value::known(FF::ONE), + )?; + + Ok(value.cell()) + }, + ) + } + fn lookup_table( + &self, + layouter: &mut impl Layouter, + values: &[FF], + ) -> Result<(), Error> { + layouter.assign_table( + || "", + |mut table| { + for (index, &value) in values.iter().enumerate() { + table.assign_cell( + || "table col", + self.config.sl, + index, + || Value::known(value), + )?; + } + Ok(()) + }, + )?; + Ok(()) + } + } + + impl Circuit for MyCircuit { + type Config = PlonkConfig; + type FloorPlanner = SimpleFloorPlanner; + #[cfg(feature = "circuit-params")] + type Params = (); + + fn without_witnesses(&self) -> Self { + Self { + a: Value::unknown(), + lookup_table: self.lookup_table.clone(), + } + } + + fn configure(meta: &mut ConstraintSystem) -> PlonkConfig { + let e = meta.advice_column(); + let a = meta.advice_column(); + let b = meta.advice_column(); + let sf = meta.fixed_column(); + let c = meta.advice_column(); + let d = meta.advice_column(); + let p = meta.instance_column(); + + meta.enable_equality(a); + meta.enable_equality(b); + meta.enable_equality(c); + + let sm = meta.fixed_column(); + let sa = meta.fixed_column(); + let sb = meta.fixed_column(); + let sc = meta.fixed_column(); + let sp = meta.fixed_column(); + let sl = meta.lookup_table_column(); + + /* + * A B ... sl + * [ + * instance 0 ... 0 + * a a ... 0 + * a a^2 ... 0 + * a a ... 0 + * a a^2 ... 0 + * ... ... ... ... + * ... ... ... instance + * ... ... ... a + * ... ... ... a + * ... ... ... 0 + * ] + */ + + meta.lookup("lookup", |meta| { + let a_ = meta.query_any(a, Rotation::cur()); + vec![(a_, sl)] + }); + + meta.create_gate("Combined add-mult", |meta| { + let d = meta.query_advice(d, Rotation::next()); + let a = meta.query_advice(a, Rotation::cur()); + let sf = meta.query_fixed(sf, Rotation::cur()); + let e = meta.query_advice(e, Rotation::prev()); + let b = meta.query_advice(b, Rotation::cur()); + let c = meta.query_advice(c, Rotation::cur()); + + let sa = meta.query_fixed(sa, Rotation::cur()); + let sb = meta.query_fixed(sb, Rotation::cur()); + let sc = meta.query_fixed(sc, Rotation::cur()); + let sm = meta.query_fixed(sm, Rotation::cur()); + + vec![a.clone() * sa + b.clone() * sb + a * b * sm - (c * sc) + sf * (d * e)] + }); + + meta.create_gate("Public input", |meta| { + let a = meta.query_advice(a, Rotation::cur()); + let p = meta.query_instance(p, Rotation::cur()); + let sp = meta.query_fixed(sp, Rotation::cur()); + + vec![sp * (a - p)] + }); + + meta.enable_equality(sf); + meta.enable_equality(e); + meta.enable_equality(d); + meta.enable_equality(p); + meta.enable_equality(sm); + meta.enable_equality(sa); + meta.enable_equality(sb); + meta.enable_equality(sc); + meta.enable_equality(sp); + + PlonkConfig { + a, + b, + c, + d, + e, + sa, + sb, + sc, + sm, + sp, + sl, + } + } + + fn synthesize( + &self, + config: PlonkConfig, + mut layouter: impl Layouter, + ) -> Result<(), Error> { + let cs = StandardPlonk::new(config); + + let _ = cs.public_input(&mut layouter, || Value::known(F::ONE + F::ONE))?; + + for _ in 0..10 { + let a: Value> = self.a.into(); + let mut a_squared = Value::unknown(); + let (a0, _, c0) = cs.raw_multiply(&mut layouter, || { + a_squared = a.square(); + a.zip(a_squared).map(|(a, a_squared)| (a, a, a_squared)) + })?; + let (a1, b1, _) = cs.raw_add(&mut layouter, || { + let fin = a_squared + a; + a.zip(a_squared) + .zip(fin) + .map(|((a, a_squared), fin)| (a, a_squared, fin)) + })?; + cs.copy(&mut layouter, a0, a1)?; + cs.copy(&mut layouter, b1, c0)?; + } + + cs.lookup_table(&mut layouter, &self.lookup_table)?; + + Ok(()) + } + } + + macro_rules! common { + ($field:ident) => {{ + let a = $field::from(2834758237) * $field::ZETA; + let instance = $field::ONE + $field::ONE; + let lookup_table = vec![instance, a, a, $field::ZERO]; + (a, instance, lookup_table) + }}; + } + + macro_rules! bad_keys { + ($field: ident, $scheme:ident) => {{ + let (_, _, lookup_table) = common!($field); + let empty_circuit: MyCircuit<$field> = MyCircuit { + a: Value::unknown(), + lookup_table: lookup_table.clone(), + }; + + // Check that we get an error if we try to initialize the proving key with a value of + // k that is too small for the minimum required number of rows. + let much_too_small_params= <$scheme as PolynomialCommitmentScheme<$field>>::Parameters::new(1); + assert_matches!( + keygen_vk::<_, $scheme, _>(&much_too_small_params, &empty_circuit), + Err(Error::NotEnoughRowsAvailable { + current_k, + }) if current_k == 1 + ); + + // Check that we get an error if we try to initialize the proving key with a value of + // k that is too small for the number of rows the circuit uses. + let slightly_too_small_params = <$scheme as PolynomialCommitmentScheme<$field>>::Parameters::new(K-1); + assert_matches!( + keygen_vk::<_, $scheme, _>(&slightly_too_small_params, &empty_circuit), + Err(Error::NotEnoughRowsAvailable { + current_k, + }) if current_k == K - 1 + ); + }}; + } + + fn keygen>( + params: &Scheme::Parameters, + params_vk: &Scheme::VerifierParameters, + ) -> ProvingKey + where + F: FromUniformBytes<64> + WithSmallOrderMulGroup<3>, + { + let (_, _, lookup_table) = common!(F); + let empty_circuit: MyCircuit = MyCircuit { + a: Value::unknown(), + lookup_table, + }; + + // Initialize the proving key + let vk = keygen_vk(params_vk, &empty_circuit).expect("keygen_vk should not fail"); + + keygen_pk(params, vk, &empty_circuit).expect("keygen_pk should not fail") + } + + fn create_proof< + F: PrimeField, + Scheme: PolynomialCommitmentScheme, + T: Transcript, + R: RngCore + CryptoRng, + >( + rng: R, + params: &Scheme::Parameters, + pk: &ProvingKey, + ) -> Vec + where + F: Ord + + WithSmallOrderMulGroup<3> + + FromUniformBytes<64> + + Sampleable + + Hashable + + SerdeObject, + Scheme::Commitment: Hashable, + { + let (a, instance, lookup_table) = common!(F); + + let circuit: MyCircuit = MyCircuit { + a: Value::known(a), + lookup_table, + }; + + let mut transcript = T::init(); + + create_plonk_proof::( + params, + pk, + &[circuit.clone(), circuit.clone()], + &[&[&[instance]], &[&[instance]]], + rng, + &mut transcript, + ) + .expect("proof generation should not fail"); + + // Check this circuit is satisfied. + let prover = match MockProver::run(K, &circuit, vec![vec![instance]]) { + Ok(prover) => prover, + Err(e) => panic!("{e:?}"), + }; + assert_eq!(prover.verify(), Ok(())); + + transcript.finalize() + } + + fn verify_proof, T: Transcript>( + params_verifier: &Scheme::VerifierParameters, + vk: &VerifyingKey, + proof: &[u8], + ) where + F: Ord + + WithSmallOrderMulGroup<3> + + FromUniformBytes<64> + + Sampleable + + Hashable + + SerdeObject, + Scheme::Commitment: Hashable, + { + let (_, instance, _) = common!(F); + let pubinputs = [instance]; + + let mut transcript = T::init_from_bytes(proof); + + let verifier = verify_plonk_proof( + params_verifier, + vk, + &[&[&pubinputs[..]], &[&pubinputs[..]]], + &mut transcript, + ); + + assert!(verifier.is_ok()); + } + + use halo2curves::bn256::{Bn256, Fr}; + + type Scheme = KZGCommitmentScheme; + bad_keys!(Fr, Scheme); + + let params = ParamsKZG::::new(K); + let rng = OsRng; + + let pk = keygen::(¶ms, params.verifier_params()); + + let proof = create_proof::, _>(rng, ¶ms, &pk); + + let verifier_params = params.verifier_params(); + + verify_proof::<_, _, CircuitTranscript>(verifier_params, pk.get_vk(), &proof[..]); +}