-
Notifications
You must be signed in to change notification settings - Fork 360
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(plonk cs): adding functionality to convert a constraint system to PLONK constraints #56
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… conversion of binary constraints
…internal/backend/<curve>/
… plonk cleaned so it mimics r1cs compilation
…y with groth16's r1cs
…l boolean is given
…no one_wire, in montgomery form
gbotrel
changed the title
feat(plonk cs): adding functionality to convert a constraint system to PLONK constraints
feat(plonk cs)!: adding functionality to convert a constraint system to PLONK constraints
Feb 12, 2021
gbotrel
changed the title
feat(plonk cs)!: adding functionality to convert a constraint system to PLONK constraints
feat(plonk cs): adding functionality to convert a constraint system to PLONK constraints
Feb 12, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the first step towards implementing PLONK proving system which is to have a PLONK like representation of a constraint system.
Breaking changes
frontend.Compile(curveID, circuit)
-->frontend.Compile(curveID, zkpID, circuit)
(zkpID = backend.GROTH16 or backend.PLONK)R1CS
andSparseR1CS
implementsfrontend.CompiledConstraintSystem
(the output offrontend.Compile
, to be used as a parameter to thebackend
ZKP APIs)SparseR1CS: PLONK constraint system
In PLONK each constraint is of the form aL+bR+cL*R+dO+k=0, where L, R, O are wires, and a, b, c, d, k are constants.
The way a CS is converted to a SparseR1CS follows the pattern that is already there for converting a CS to a R1CS. The API to define a circuit is unchanged.
Under the hood
The object representing a plonk constraint system is defined in
backend/compiled/r1cs_sparse.go
, it's basically a collection of plonk constraints along with the coefficients (stored in a slice, with a system of indexing similar to what we have in r1cs):A plonk constraint is actually represented (defined in
backend/internal/compiled/r1c_sparse.go
) like this:The main file where things actually happen is
frontend/cs_to_r1cs_sparse.go
, where each r1cs constraints is converted into plonk constraints. The method to convert a r1c to a sequence of plonk constraints is rather simplistic: for a r1c of the form (aiwi)x(bjwj)=ck*wk (double index = sum), we convert each individual linear expression into plonk constraints, in the correct order so they can be solved by solving single equation with a single unkown in a straightforward fashion.Example: aiwi becomes a0w0+a1w1 = u0, u0+a2w2= u1, etc up to wn. The converting function (called
split
) takes care of handling the constant terms (that is terms using the ONE_WIRE in a cs) so that they become constants in the plonk constraint system. For binary constraint, a similar pattern is followed, thesolver
field in the plonk constraint is set toBinaryDec
to help the solver (the corresponding boolean constraint is translated in plonk, so there is no ambiguity).Finally, in
internal/backend/<curve>/cs/r1cs_sparse.go
, there are the necessary functions to solve a constraint system. Since the constraints are correctly ordered, solving them using the witness consists of looping through the constraints and solve the missing wire at each step (as for the r1cs).Note: the ONE_WIRE is discarded in PLONK, constants terms are used instead, the the witness parsers have been modified to take a boolean telling wether or not the ONE_WIRE should be taken (by default it should be taken).
status
All tests for solving circuits (against the circuits built in
internal/backend/circuits
) pass.