From f0f0fe0a87df4af5b009fb615548547176a7d4dd Mon Sep 17 00:00:00 2001 From: nkaskov Date: Mon, 18 Oct 2021 13:40:11 +0300 Subject: [PATCH 001/219] Barretenberg kate-commitment plonk implementation ported. --- .../crypto3/zk/snark/schemes/plonk/proof.hpp | 50 ++ .../crypto3/zk/snark/schemes/plonk/prover.hpp | 497 ++++++++++++++++++ .../zk/snark/schemes/plonk/proving_key.hpp | 310 +++++++++++ .../snark/schemes/plonk/verification_key.hpp | 158 ++++++ .../zk/snark/schemes/plonk/verifier.hpp | 282 ++++++++++ 5 files changed, 1297 insertions(+) create mode 100644 include/nil/crypto3/zk/snark/schemes/plonk/proof.hpp create mode 100644 include/nil/crypto3/zk/snark/schemes/plonk/prover.hpp create mode 100644 include/nil/crypto3/zk/snark/schemes/plonk/proving_key.hpp create mode 100644 include/nil/crypto3/zk/snark/schemes/plonk/verification_key.hpp create mode 100644 include/nil/crypto3/zk/snark/schemes/plonk/verifier.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/proof.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/proof.hpp new file mode 100644 index 000000000..1dafea718 --- /dev/null +++ b/include/nil/crypto3/zk/snark/schemes/plonk/proof.hpp @@ -0,0 +1,50 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_PLONK_PROOF_HPP +#define CRYPTO3_ZK_PLONK_PROOF_HPP + +#include +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + + template + class plonk_proof; + + template + struct plonk_proof { + std::vector data; + }; + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_PLONK_PROOF_HPP diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/prover.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/prover.hpp new file mode 100644 index 000000000..f0b3b3b66 --- /dev/null +++ b/include/nil/crypto3/zk/snark/schemes/plonk/prover.hpp @@ -0,0 +1,497 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_PLONK_PROVER_HPP +#define CRYPTO3_ZK_PLONK_PROVER_HPP + +#include +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + + template + class plonk_prover; + + template + class plonk_prover { + + using commitment_scheme = kate_commitment; + + size_t n; + + std::vector sigma_1_mapping; + std::vector sigma_2_mapping; + std::vector sigma_3_mapping; + + std::vector> random_widgets; + std::vector>> transition_widgets; + transcript::StandardTranscript transcript; + + std::shared_ptr> key; + std::shared_ptr witness; + std::unique_ptr commitment_scheme; + + work_queue queue; + bool uses_quotient_mid; + + waffle::plonk_proof proof; + + public: + + plonk_prover(std::shared_ptr> input_key, + std::shared_ptr input_witness, + const transcript::Manifest& input_manifest) + : n(input_key == nullptr ? 0 : input_key->n) + , transcript(input_manifest, hash_type, num_challenge_bytes) + , key(input_key) + , witness(input_witness) + , queue(key.get(), witness.get(), &transcript) + { + if (input_witness && witness->wires.count("z") == 0) { + witness->wires.insert({ "z", math::polynomial(n, n) }); + } + } + + plonk_prover& operator=(plonk_prover&& other) { + n = other.n; + + random_widgets.resize(0); + transition_widgets.resize(0); + for (size_t i = 0; i < other.random_widgets.size(); ++i) { + random_widgets.emplace_back(std::move(other.random_widgets[i])); + } + for (size_t i = 0; i < other.transition_widgets.size(); ++i) { + transition_widgets.emplace_back(std::move(other.transition_widgets[i])); + } + transcript = other.transcript; + key = std::move(other.key); + witness = std::move(other.witness); + commitment_scheme = std::move(other.commitment_scheme); + + queue = work_queue(key.get(), witness.get(), &transcript); + return *this; + } + + plonk_prover(plonk_prover &&other) + : n(other.n) + , transcript(other.transcript) + , key(std::move(other.key)) + , witness(std::move(other.witness)) + , commitment_scheme(std::move(other.commitment_scheme)) + , queue(key.get(), witness.get(), &transcript) + { + for (size_t i = 0; i < other.random_widgets.size(); ++i) { + random_widgets.emplace_back(std::move(other.random_widgets[i])); + } + for (size_t i = 0; i < other.transition_widgets.size(); ++i) { + transition_widgets.emplace_back(std::move(other.transition_widgets[i])); + } + } + + void compute_wire_pre_commitments() { + for (size_t i = 0; i < settings::program_width; ++i) { + std::string wire_tag = "w_" + std::to_string(i + 1); + std::string commit_tag = "W_" + std::to_string(i + 1); + typename TCurve::scalar_field_type::value_type* coefficients = + witness->wires.at(wire_tag).get_coefficients(); + commitment_scheme->commit(coefficients, commit_tag, + typename TCurve::scalar_field_type::value_type::zero(), queue); + } + + // add public inputs + const math::polynomial& public_wires_source = key->wire_ffts.at("w_2_fft"); + std::vector public_wires; + for (size_t i = 0; i < key->num_public_inputs; ++i) { + public_wires.push_back(public_wires_source[i]); + } + transcript.add_element("public_inputs", ::to_buffer(public_wires)); + } + + void compute_quotient_pre_commitment() { + // In this method, we compute the commitments to polynomials t_{low}(X), t_{mid}(X) and t_{high}(X). + // Recall, the quotient polynomial t(X) = t_{low}(X) + t_{mid}(X).X^n + t_{high}(X).X^{2n} + // + // The reason we split t(X) into three degree-n polynomials is because: + // (i) We want the opening proof polynomials bounded by degree n as the opening algorithm of the + // polynomial commitment scheme results in O(n) prover computation. + // (ii) The size of the srs restricts us to compute commitments to polynomials of degree n + // (and disallows for degree 2n and 3n for large n). + // + // The degree of t(X) is determined by the term: + // ((a(X) + βX + γ) (b(X) + βk_1X + γ) (c(X) + βk_2X + γ)z(X)) / Z*_H(X). + // + // Let k = num_roots_cut_out_of_vanishing_polynomial, we have + // deg(t) = (n - 1) * (program_width + 1) - (n - k) + // = n * program_width - program_width - 1 + k + // + // Since we must cut atleast 4 roots from the vanishing polynomial + // (refer to ./src/aztec/plonk/proof_system/widgets/random_widgets/permutation_widget_impl.hpp/L247), + // k = 4 => deg(t) = n * program_width - program_width + 3 + // + // For standard plonk, program_width = 3 and thus, deg(t) = 3n. This implies that there would be + // (3n + 1) coefficients of t(X). Now, splitting them into t_{low}(X), t_{mid}(X) and t_{high}(X), + // t_{high} will have (n+1) coefficients while t_{low} and t_{mid} will have n coefficients. + // This means that to commit t_{high}, we need a multi-scalar multiplication of size (n+1). + // Thus, we first compute the commitments to t_{low}(X), t_{mid}(X) using n multi-scalar multiplications + // each and separately compute commitment to t_{high} which is of size (n + 1). + // Note that this must be done only when program_width = 3. + // + // + // NOTE: If in future there is a need to cut off more zeros off the vanishing polynomial, the degree of + // the quotient polynomial t(X) will increase, so the degrees of t_{high}, t_{mid}, t_{low} could also + // increase according to the type of the composer type we are using. Currently, for TurboPLONK and Ultra- + // PLONK, the degree of t(X) is (4n - 1) and hence each t_{low}, t_{mid}, t_{high}, t_{higher} each is of + // degree (n - 1) (and thus contains n coefficients). Therefore, we are on the brink! + // If we need to cut out more zeros off the vanishing polynomial, sizes of coefficients of individual + // t_{i} would change and so we will have to ensure the correct size of multi-scalar multiplication in + // computing the commitments to these polynomials. + // + for (size_t i = 0; i < program_width - 1; ++i) { + const size_t offset = n * i; + typename TCurve::scalar_field_type::value_type* coefficients = &key->quotient_large.get_coefficients()[offset]; + std::string quotient_tag = "T_" + std::to_string(i + 1); + commitment_scheme->commit(coefficients, quotient_tag, + typename TCurve::scalar_field_type::value_type::zero(), queue); + } + + typename TCurve::scalar_field_type::value_type* coefficients = + &key->quotient_large.get_coefficients()[(program_width - 1) * n]; + std::string quotient_tag = "T_" + std::to_string(program_width); + typename TCurve::scalar_field_type::value_type program_flag = + program_width == 3 ? typename TCurve::scalar_field_type::value_type::one() : typename TCurve::scalar_field_type::value_type::zero(); + commitment_scheme->commit(coefficients, quotient_tag, program_flag, queue); + } + + void execute_preamble_round() { + queue.flush_queue(); + transcript.add_element("circuit_size", + { static_cast(n >> 24), + static_cast(n >> 16), + static_cast(n >> 8), + static_cast(n) }); + transcript.add_element("public_input_size", + { static_cast(key->num_public_inputs >> 24), + static_cast(key->num_public_inputs >> 16), + static_cast(key->num_public_inputs >> 8), + static_cast(key->num_public_inputs) }); + transcript.apply_fiat_shamir("init"); + + for (size_t i = 0; i < settings::program_width; ++i) { + // fetch witness wire w_i + std::string wire_tag = "w_" + std::to_string(i + 1); + math::polynomial& wire = witness->wires.at(wire_tag); + + /* + Adding zero knowledge to the witness polynomials. + */ + // To ensure that PLONK is honest-verifier zero-knowledge, we need to ensure that the witness polynomials + // and the permutation polynomial look uniformly random to an adversary. To make the witness polynomials + // a(X), b(X) and c(X) uniformly random, we need to add 2 random blinding factors into each of them. + // i.e. a'(X) = a(X) + (r_1X + r_2) + // where r_1 and r_2 are uniformly random scalar field elements. A natural question is: + // Why do we need 2 random scalars in witness polynomials? The reason is: our witness polynomials are + // evaluated at only 1 point (\scripted{z}), so adding a random degree-1 polynomial suffices. + // + // NOTE: In TurboPlonk and UltraPlonk, the witness polynomials are evaluated at 2 points and thus + // we need to add 3 random scalars in them. + // + // We start adding random scalars in `wire` polynomials from index (n - k) upto (n - k + 2). + // For simplicity, we add 3 random scalars even for standard plonk (recall, just 2 of them are required) + // since an additional random scalar would not affect things. + // + // NOTE: If in future there is a need to cut off more zeros off the vanishing polynomial, this method + // will not change. This must be changed only if the number of evaluations of witness polynomials + // change. + // + const size_t w_randomness = 3; + ASSERT(w_randomness < settings::num_roots_cut_out_of_vanishing_polynomial); + for (size_t k = 0; k < w_randomness; ++k) { + wire.at(n - settings::num_roots_cut_out_of_vanishing_polynomial + k) = + algebra::random_element(typename TCurve::scalar_field_type); + } + + math::polynomial& wire_fft = key->wire_ffts.at(wire_tag + "_fft"); + math::polynomial_arithmetic::copy_polynomial(&wire[0], &wire_fft[0], n, n); + queue.add_to_queue({ + work_queue::WorkType::IFFT, + nullptr, + wire_tag, + typename TCurve::scalar_field_type::value_type::zero(), + 0, + }); + } + } + + void execute_first_round() { + queue.flush_queue(); +#ifdef DEBUG_TIMING + std::chrono::steady_clock::time_point start = std::chrono::steady_clock::now(); +#endif +#ifdef DEBUG_TIMING + std::chrono::steady_clock::time_point end = std::chrono::steady_clock::now(); + std::chrono::milliseconds diff = std::chrono::duration_cast(end - start); + std::cout << "init quotient polys: " << diff.count() << "ms" << std::endl; +#endif +#ifdef DEBUG_TIMING + start = std::chrono::steady_clock::now(); +#endif +#ifdef DEBUG_TIMING + end = std::chrono::steady_clock::now(); + diff = std::chrono::duration_cast(end - start); + std::cout << "compute wire coefficients: " << diff.count() << "ms" << std::endl; +#endif +#ifdef DEBUG_TIMING + start = std::chrono::steady_clock::now(); +#endif + compute_wire_pre_commitments(); + for (auto& widget : random_widgets) { + widget->compute_round_commitments(transcript, 1, queue); + } +#ifdef DEBUG_TIMING + end = std::chrono::steady_clock::now(); + diff = std::chrono::duration_cast(end - start); + std::cout << "compute wire commitments: " << diff.count() << "ms" << std::endl; +#endif + } + + void execute_second_round() { + queue.flush_queue(); + transcript.apply_fiat_shamir("eta"); + for (auto& widget : random_widgets) { + widget->compute_round_commitments(transcript, 2, queue); + } + } + + void execute_third_round() { + queue.flush_queue(); + transcript.apply_fiat_shamir("beta"); +#ifdef DEBUG_TIMING + std::chrono::steady_clock::time_point start = std::chrono::steady_clock::now(); +#endif +#ifdef DEBUG_TIMING + std::chrono::steady_clock::time_point end = std::chrono::steady_clock::now(); + std::chrono::milliseconds diff = std::chrono::duration_cast(end - start); + std::cout << "compute z coefficients: " << diff.count() << "ms" << std::endl; +#endif +#ifdef DEBUG_TIMING + start = std::chrono::steady_clock::now(); +#endif + for (auto& widget : random_widgets) { + widget->compute_round_commitments(transcript, 3, queue); + } + + for (size_t i = 0; i < settings::program_width; ++i) { + std::string wire_tag = "w_" + std::to_string(i + 1); + queue.add_to_queue({ + work_queue::WorkType::FFT, + nullptr, + wire_tag, + typename TCurve::scalar_field_type::value_type::zero(), + 0, + }); + } +#ifdef DEBUG_TIMING + end = std::chrono::steady_clock::now(); + diff = std::chrono::duration_cast(end - start); + std::cout << "compute z commitment: " << diff.count() << "ms" << std::endl; +#endif + } + + void execute_fourth_round() { + queue.flush_queue(); + transcript.apply_fiat_shamir("alpha"); +#ifdef DEBUG_TIMING + std::chrono::steady_clock::time_point start = std::chrono::steady_clock::now(); +#endif +#ifdef DEBUG_TIMING + std::chrono::steady_clock::time_point end = std::chrono::steady_clock::now(); + std::chrono::milliseconds diff = std::chrono::duration_cast(end - start); + std::cout << "compute wire ffts: " << diff.count() << "ms" << std::endl; +#endif + +#ifdef DEBUG_TIMING + start = std::chrono::steady_clock::now(); +#endif +#ifdef DEBUG_TIMING + end = std::chrono::steady_clock::now(); + diff = std::chrono::duration_cast(end - start); + std::cout << "copy z: " << diff.count() << "ms" << std::endl; +#endif +#ifdef DEBUG_TIMING + start = std::chrono::steady_clock::now(); +#endif +#ifdef DEBUG_TIMING + end = std::chrono::steady_clock::now(); + diff = std::chrono::duration_cast(end - start); + std::cout << "compute permutation grand product coeffs: " << diff.count() << "ms" << std::endl; +#endif + typename TCurve::scalar_field_type::value_type alpha_base = + typename TCurve::scalar_field_type::value_type::serialize_from_buffer(transcript.get_challenge("alpha").begin()); + + for (auto& widget : random_widgets) { +#ifdef DEBUG_TIMING + std::chrono::steady_clock::time_point start = std::chrono::steady_clock::now(); +#endif + alpha_base = widget->compute_quotient_contribution(alpha_base, transcript); +#ifdef DEBUG_TIMING + std::chrono::steady_clock::time_point end = std::chrono::steady_clock::now(); + std::chrono::milliseconds diff = std::chrono::duration_cast(end - start); + std::cout << "widget " << i << " quotient compute time: " << diff.count() << "ms" << std::endl; +#endif + } + for (auto& widget : transition_widgets) { + alpha_base = widget->compute_quotient_contribution(alpha_base, transcript); + } + typename TCurve::scalar_field_type::value_type* q_mid = &key->quotient_mid[0]; + typename TCurve::scalar_field_type::value_type* q_large = &key->quotient_large[0]; + +#ifdef DEBUG_TIMING + start = std::chrono::steady_clock::now(); +#endif + if constexpr (settings::uses_quotient_mid) { + math::polynomial_arithmetic::divide_by_pseudo_vanishing_polynomial( + key->quotient_mid.get_coefficients(), key->small_domain, key->mid_domain); + } + math::polynomial_arithmetic::divide_by_pseudo_vanishing_polynomial( + key->quotient_large.get_coefficients(), key->small_domain, key->large_domain); +#ifdef DEBUG_TIMING + end = std::chrono::steady_clock::now(); + diff = std::chrono::duration_cast(end - start); + std::cout << "divide by vanishing polynomial: " << diff.count() << "ms" << std::endl; +#endif +#ifdef DEBUG_TIMING + start = std::chrono::steady_clock::now(); +#endif + if (settings::uses_quotient_mid) { + key->quotient_mid.coset_ifft(key->mid_domain); + } + key->quotient_large.coset_ifft(key->large_domain); +#ifdef DEBUG_TIMING + end = std::chrono::steady_clock::now(); + diff = std::chrono::duration_cast(end - start); + std::cout << "final inverse fourier transforms: " << diff.count() << "ms" << std::endl; +#endif + if (settings::uses_quotient_mid) { + ITERATE_OVER_DOMAIN_START(key->mid_domain); + q_large[i] += q_mid[i]; + ITERATE_OVER_DOMAIN_END; + } +#ifdef DEBUG_TIMING + start = std::chrono::steady_clock::now(); +#endif + compute_quotient_pre_commitment(); +#ifdef DEBUG_TIMING + end = std::chrono::steady_clock::now(); + diff = std::chrono::duration_cast(end - start); + std::cout << "compute quotient commitment: " << diff.count() << "ms" << std::endl; +#endif + } // namespace waffle + + void execute_fifth_round() { + queue.flush_queue(); + transcript.apply_fiat_shamir("z"); // end of 4th round +#ifdef DEBUG_TIMING + std::chrono::steady_clock::time_point start = std::chrono::steady_clock::now(); +#endif + compute_linearisation_coefficients(); +#ifdef DEBUG_TIMING + std::chrono::steady_clock::time_point end = std::chrono::steady_clock::now(); + std::chrono::milliseconds diff = std::chrono::duration_cast(end - start); + std::cout << "compute linearisation coefficients: " << diff.count() << "ms" << std::endl; +#endif + } + + void execute_sixth_round() { + queue.flush_queue(); + transcript.apply_fiat_shamir("nu"); + + commitment_scheme->batch_open(transcript, queue, key, witness); + } + + typename TCurve::scalar_field_type::value_type compute_linearisation_coefficients() { + + typename TCurve::scalar_field_type::value_type zeta = + crypto3::marshalling::algebra>(transcript.get_challenge("z").begin()); + + math::polynomial& r = key->linear_poly; + + commitment_scheme->add_opening_evaluations_to_transcript(transcript, key, witness, false); + typename TCurve::scalar_field_type::value_type t_eval = key->quotient_large.evaluate(zeta, 4 * n); + + if constexpr (use_linearisation) { + typename TCurve::scalar_field_type::value_type alpha_base = typename TCurve::scalar_field_type::value_type::serialize_from_buffer(transcript.get_challenge("alpha").begin()); + + for (auto& widget : random_widgets) { + alpha_base = widget->compute_linear_contribution(alpha_base, transcript, r); + } + for (auto& widget : transition_widgets) { + alpha_base = widget->compute_linear_contribution(alpha_base, transcript, &r[0]); + } + typename TCurve::scalar_field_type::value_type linear_eval = r.evaluate(zeta, n); + transcript.add_element("r", linear_eval.to_buffer()); + } + transcript.add_element("t", t_eval.to_buffer()); + return t_eval; + } + + plonk_proof& export_proof() { + proof.proof_data = transcript.export_transcript(); + return proof; + } + + plonk_proof& construct_proof() { + execute_preamble_round(); + queue.process_queue(); + execute_first_round(); + queue.process_queue(); + execute_second_round(); + queue.process_queue(); + execute_third_round(); + queue.process_queue(); + execute_fourth_round(); + queue.process_queue(); + execute_fifth_round(); + execute_sixth_round(); + queue.process_queue(); + return export_proof(); + } + + void reset() { + transcript::Manifest manifest = transcript.get_manifest(); + transcript = transcript::StandardTranscript(manifest, settings::hash_type, settings::num_challenge_bytes); + } + }; + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_PLONK_PROVER_HPP diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/proving_key.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/proving_key.hpp new file mode 100644 index 000000000..2abf1ada7 --- /dev/null +++ b/include/nil/crypto3/zk/snark/schemes/plonk/proving_key.hpp @@ -0,0 +1,310 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_PLONK_PROVING_KEY_HPP +#define CRYPTO3_PLONK_PROVING_KEY_HPP + +#include +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + + template> + struct plonk_proving_key_data { + std::uint32_t n; + std::uint32_t num_public_inputs; + bool contains_recursive_proof; + std::vector recursive_proof_public_input_indices; + std::map constraint_selectors; + std::map constraint_selector_ffts; + std::map permutation_selectors; + std::map permutation_selectors_lagrange_base; + std::map permutation_selector_ffts; + }; + + inline bool operator==(plonk_proving_key_data const& lhs, plonk_proving_key_data const& rhs) + { + return lhs.n == rhs.n && lhs.num_public_inputs == rhs.num_public_inputs && + lhs.constraint_selectors == rhs.constraint_selectors && + lhs.constraint_selector_ffts == rhs.constraint_selector_ffts && + lhs.permutation_selectors == rhs.permutation_selectors && + lhs.permutation_selectors_lagrange_base == rhs.permutation_selectors_lagrange_base && + lhs.permutation_selector_ffts == rhs.permutation_selector_ffts && + lhs.contains_recursive_proof == rhs.contains_recursive_proof && + lhs.recursive_proof_public_input_indices == rhs.recursive_proof_public_input_indices; + } + + template> + class plonk_proving_key { + constexpr static const std::size_t scalar_bytes = TCurve::scalar_field_type::value_bits/BYTE_BITS; + + std::size_t n; + std::size_t num_public_inputs; + + std::map constraint_selectors; + std::map constraint_selectors_lagrange_base; + std::map constraint_selector_ffts; + + std::map permutation_selectors; + std::map permutation_selectors_lagrange_base; + std::map permutation_selector_ffts; + + std::map wire_ffts; + + math::evaluation_domain small_domain; + math::evaluation_domain mid_domain; + math::evaluation_domain large_domain; + + std::shared_ptr reference_string; + + math::polynomial lagrange_1; + math::polynomial opening_poly; + math::polynomial shifted_opening_poly; + math::polynomial linear_poly; + + math::polynomial quotient_mid; + math::polynomial quotient_large; + + algebra::scalar_multiplication::pippenger_runtime_state pippenger_runtime_state; + + std::vector polynomial_manifest; + + bool contains_recursive_proof = false; + std::vector recursive_proof_public_input_indices; + static constexpr std::size_t min_thread_block = 4UL; + public: + + enum LookupType { + NONE, + ABSOLUTE_LOOKUP, + RELATIVE_LOOKUP, + }; + + plonk_proving_key(const std::size_t num_gates, + const std::size_t num_inputs, + std::shared_ptr const& crs) + : n(num_gates) + , num_public_inputs(num_inputs) + , small_domain(n, n) + , mid_domain(2 * n, n > min_thread_block ? n : 2 * n) + , large_domain(4 * n, n > min_thread_block ? n : 4 * n) + , reference_string(crs) + , pippenger_runtime_state(n + 1) + { + init(); + } + + plonk_proving_key(plonk_proving_key_data&& data, std::shared_ptr const& crs) + : n(data.n) + , num_public_inputs(data.num_public_inputs) + , constraint_selectors(std::move(data.constraint_selectors)) + , constraint_selector_ffts(std::move(data.constraint_selector_ffts)) + , permutation_selectors(std::move(data.permutation_selectors)) + , permutation_selectors_lagrange_base(std::move(data.permutation_selectors_lagrange_base)) + , permutation_selector_ffts(std::move(data.permutation_selector_ffts)) + , small_domain(n, n) + , mid_domain(2 * n, n > min_thread_block ? n : 2 * n) + , large_domain(4 * n, n > min_thread_block ? n : 4 * n) + , reference_string(crs) + , pippenger_runtime_state(n + 1) + , contains_recursive_proof(data.contains_recursive_proof) + , recursive_proof_public_input_indices(std::move(data.recursive_proof_public_input_indices)) + { + init(); + // TODO: Currently only supporting TurboComposer in serialization! + std::copy(turbo_polynomial_manifest, turbo_polynomial_manifest + 20, std::back_inserter(polynomial_manifest)); + } + + void init() { + if (n != 0) { + small_domain.compute_lookup_table(); + mid_domain.compute_lookup_table(); + large_domain.compute_lookup_table(); + } + + reset(); + + lagrange_1 = math::polynomial(4 * n, 4 * n + 8); + math::polynomial_arithmetic::compute_lagrange_polynomial_fft( + lagrange_1.get_coefficients(), small_domain, large_domain); + lagrange_1.add_lagrange_base_coefficient(lagrange_1[0]); + lagrange_1.add_lagrange_base_coefficient(lagrange_1[1]); + lagrange_1.add_lagrange_base_coefficient(lagrange_1[2]); + lagrange_1.add_lagrange_base_coefficient(lagrange_1[3]); + lagrange_1.add_lagrange_base_coefficient(lagrange_1[4]); + lagrange_1.add_lagrange_base_coefficient(lagrange_1[5]); + lagrange_1.add_lagrange_base_coefficient(lagrange_1[6]); + lagrange_1.add_lagrange_base_coefficient(lagrange_1[7]); + + // The opening polynomial W_{\script{z}}(X) in round 5 of prover's algorithm has degree n. However, + // as explained in (./src/aztec/plonk/proof_system/prover/prover.cpp/ProverBase::compute_quotient_pre_commitment), + // for standard plonk (program_width = 3) and number of roots cut out of the vanishing polynomial is 4, + // the degree of the quotient polynomial t(X) is 3n. Thus, the number of coefficients in t_{high} is (n + 1). + // But our prover algorithm assumes that each of t_{low}, t_{mid}, t_{high} is of degree (n - 1) (i.e. n coefficients in each). + // Note that: + // deg(W_{\script{z}}) = max{ deg(t_{low}), deg(t_{mid}), deg(t_{high}), deg(a), deg(b), ... } + // => deg(W_{\script{z}}) = n + 1 when program_width is 3! + // Therefore, when program_width is 3, we need to allow the degree of the opening polynomial to be (n + 1) and NOT n. + // + opening_poly = math::polynomial(n, n); + shifted_opening_poly = math::polynomial(n, n); + linear_poly = math::polynomial(n, n); + + quotient_mid = math::polynomial(2 * n, 2 * n); + quotient_large = math::polynomial(4 * n, 4 * n); + + memset((void*)&opening_poly[0], 0x00, scalar_bytes * n); + memset((void*)&shifted_opening_poly[0], 0x00, scalar_bytes * n); + memset((void*)&linear_poly[0], 0x00, scalar_bytes * n); + memset((void*)"ient_mid[0], 0x00, scalar_bytes * 2 * n); + memset((void*)"ient_large[0], 0x00, scalar_bytes * 4 * n); + } + + void reset() { + wire_ffts.clear(); + + opening_poly = math::polynomial(n, n); + + math::polynomial w_1_fft = math::polynomial(4 * n + 4, 4 * n + 4); + math::polynomial w_2_fft = math::polynomial(4 * n + 4, 4 * n + 4); + math::polynomial w_3_fft = math::polynomial(4 * n + 4, 4 * n + 4); + math::polynomial w_4_fft = math::polynomial(4 * n + 4, 4 * n + 4); + math::polynomial z_fft = math::polynomial(4 * n + 4, 4 * n + 4); + + memset((void*)&w_1_fft[0], 0x00, sizeof(scalar_bytes) * (4 * n + 4)); + memset((void*)&w_2_fft[0], 0x00, sizeof(scalar_bytes) * (4 * n + 4)); + memset((void*)&w_3_fft[0], 0x00, sizeof(scalar_bytes) * (4 * n + 4)); + memset((void*)&w_4_fft[0], 0x00, sizeof(scalar_bytes) * (4 * n + 4)); + memset((void*)&z_fft[0], 0x00, sizeof(scalar_bytes) * (4 * n + 4)); + + wire_ffts.insert({ "w_1_fft", std::move(w_1_fft) }); + wire_ffts.insert({ "w_2_fft", std::move(w_2_fft) }); + wire_ffts.insert({ "w_3_fft", std::move(w_3_fft) }); + wire_ffts.insert({ "w_4_fft", std::move(w_4_fft) }); + wire_ffts.insert({ "z_fft", std::move(z_fft) }); + } + + plonk_proving_key &operator=(const plonk_proving_key &other) { + n = other.n; + num_public_inputs = other.num_public_inputs; + constraint_selectors = std::move(other.constraint_selectors); + constraint_selectors_lagrange_base = std::move(other.constraint_selectors_lagrange_base); + constraint_selector_ffts = std::move(other.constraint_selector_ffts); + permutation_selectors = std::move(other.permutation_selectors); + permutation_selectors_lagrange_base = std::move(other.permutation_selectors_lagrange_base); + permutation_selector_ffts = std::move(other.permutation_selector_ffts); + wire_ffts = std::move(other.wire_ffts); + small_domain = std::move(other.small_domain); + mid_domain = std::move(other.mid_domain); + large_domain = std::move(other.large_domain); + reference_string = std::move(other.reference_string); + lagrange_1 = std::move(other.lagrange_1); + opening_poly = std::move(other.opening_poly); + shifted_opening_poly = std::move(other.shifted_opening_poly); + linear_poly = std::move(other.linear_poly); + pippenger_runtime_state = std::move(other.pippenger_runtime_state); + polynomial_manifest = std::move(other.polynomial_manifest); + contains_recursive_proof = other.contains_recursive_proof; + recursive_proof_public_input_indices = std::move(other.recursive_proof_public_input_indices); + + return *this; + } + + plonk_proving_key(const plonk_proving_key &other) + : n(other.n) + , num_public_inputs(other.num_public_inputs) + , constraint_selectors(other.constraint_selectors) + , constraint_selectors_lagrange_base(other.constraint_selectors_lagrange_base) + , constraint_selector_ffts(other.constraint_selector_ffts) + , permutation_selectors(other.permutation_selectors) + , permutation_selectors_lagrange_base(other.permutation_selectors_lagrange_base) + , permutation_selector_ffts(other.permutation_selector_ffts) + , wire_ffts(other.wire_ffts) + , small_domain(other.small_domain) + , mid_domain(other.mid_domain) + , large_domain(other.large_domain) + , reference_string(other.reference_string) + , lagrange_1(other.lagrange_1) + , opening_poly(other.opening_poly) + , shifted_opening_poly(other.shifted_opening_poly) + , linear_poly(other.linear_poly) + , quotient_mid(other.quotient_mid) + , quotient_large(other.quotient_large) + , pippenger_runtime_state(n + 1) + , polynomial_manifest(other.polynomial_manifest) + , contains_recursive_proof(other.contains_recursive_proof) + , recursive_proof_public_input_indices(other.recursive_proof_public_input_indices) + {} + + plonk_proving_key(plonk_proving_key &&other) + : n(other.n) + , num_public_inputs(other.num_public_inputs) + , constraint_selectors(other.constraint_selectors) + , constraint_selectors_lagrange_base(other.constraint_selectors_lagrange_base) + , constraint_selector_ffts(other.constraint_selector_ffts) + , permutation_selectors(other.permutation_selectors) + , permutation_selectors_lagrange_base(other.permutation_selectors_lagrange_base) + , permutation_selector_ffts(other.permutation_selector_ffts) + , wire_ffts(other.wire_ffts) + , small_domain(std::move(other.small_domain)) + , mid_domain(std::move(other.mid_domain)) + , large_domain(std::move(other.large_domain)) + , reference_string(std::move(other.reference_string)) + , lagrange_1(std::move(other.lagrange_1)) + , opening_poly(std::move(other.opening_poly)) + , shifted_opening_poly(std::move(other.shifted_opening_poly)) + , linear_poly(std::move(other.linear_poly)) + , pippenger_runtime_state(std::move(other.pippenger_runtime_state)) + , polynomial_manifest(std::move(other.polynomial_manifest)) + , contains_recursive_proof(other.contains_recursive_proof) + , recursive_proof_public_input_indices(std::move(other.recursive_proof_public_input_indices)) + {} + + std::size_t size_in_bits() const { + ???; + } + + bool operator==(const plonk_proving_key &other) const { + return this->n == other.n && this->num_public_inputs == other.num_public_inputs && + this->constraint_selectors == other.constraint_selectors && + this->constraint_selector_ffts == other.constraint_selector_ffts && + this->permutation_selectors == other.permutation_selectors && + this->permutation_selectors_lagrange_base == other.permutation_selectors_lagrange_base && + this->permutation_selector_ffts == other.permutation_selector_ffts && + this->contains_recursive_proof == other.contains_recursive_proof && + this->recursive_proof_public_input_indices == other.recursive_proof_public_input_indices; + } + }; + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_PLONK_PROVING_KEY_HPP diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/verification_key.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/verification_key.hpp new file mode 100644 index 000000000..028ab3498 --- /dev/null +++ b/include/nil/crypto3/zk/snark/schemes/plonk/verification_key.hpp @@ -0,0 +1,158 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_PLONK_VERIFICATION_KEY_HPP +#define CRYPTO3_PLONK_VERIFICATION_KEY_HPP + +#include +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + + template> + struct plonk_verification_key_data { + std::uint32_t n; + std::uint32_t num_public_inputs; + std::map::value_type> constraint_selectors; + std::map::value_type> permutation_selectors; + bool contains_recursive_proof = false; + std::vector recursive_proof_public_input_indices; + }; + + inline bool operator==(plonk_verification_key_data const& lhs, plonk_verification_key_data const& rhs) + { + return lhs.n == rhs.n && lhs.num_public_inputs == rhs.num_public_inputs && + lhs.constraint_selectors == rhs.constraint_selectors && + lhs.permutation_selectors == rhs.permutation_selectors; + } + + template> + class plonk_verification_key { + constexpr static const std::size_t scalar_bytes = TCurve::scalar_field_type::value_bits/BYTE_BITS; + + std::size_t n; + std::size_t num_public_inputs; + + math::evaluation_domain domain; + + std::shared_ptr reference_string; + + std::map::value_type> constraint_selectors; + + std::map::value_type> permutation_selectors; + + std::vector polynomial_manifest; + + // this is a member variable because stdlib::field has no `pow` method, we + // have to compute this differently for the normal and recursive settings respectively + typename TCurve::scalar_field_type::value_type z_pow_n; + + bool contains_recursive_proof = false; + std::vector recursive_proof_public_input_indices; + std::size_t program_width = 3; + public: + + plonk_verification_key(const std::size_t num_gates, + const std::size_t num_inputs, + std::shared_ptr const& crs) + : n(num_gates) + , num_public_inputs(num_inputs) + , domain(n) + , reference_string(crs) + {} + + plonk_verification_key(plonk_verification_key_data&& data, + std::shared_ptr const& crs) + : n(data.n) + , num_public_inputs(data.num_public_inputs) + , domain(n) + , reference_string(crs) + , constraint_selectors(std::move(data.constraint_selectors)) + , permutation_selectors(std::move(data.permutation_selectors)) + , contains_recursive_proof(data.contains_recursive_proof) + , recursive_proof_public_input_indices(std::move(data.recursive_proof_public_input_indices)) + { + // TODO: Currently only supporting TurboComposer in serialization! + std::copy(turbo_polynomial_manifest, turbo_polynomial_manifest + 20, std::back_inserter(polynomial_manifest)); + } + + plonk_verification_key& operator=(plonk_verification_key&& other) { + n = other.n; + num_public_inputs = other.num_public_inputs; + reference_string = std::move(other.reference_string); + constraint_selectors = std::move(other.constraint_selectors); + permutation_selectors = std::move(other.permutation_selectors); + polynomial_manifest = std::move(other.polynomial_manifest); + domain = std::move(other.domain); + contains_recursive_proof = (other.contains_recursive_proof); + recursive_proof_public_input_indices = std::move(other.recursive_proof_public_input_indices); + return *this; + } + + plonk_verification_key(const plonk_verification_key &other) + : n(other.n) + , num_public_inputs(other.num_public_inputs) + , domain(other.domain) + , reference_string(other.reference_string) + , constraint_selectors(other.constraint_selectors) + , permutation_selectors(other.permutation_selectors) + , polynomial_manifest(other.polynomial_manifest) + , contains_recursive_proof(other.contains_recursive_proof) + , recursive_proof_public_input_indices(other.recursive_proof_public_input_indices) + {} + + plonk_verification_key(plonk_verification_key &&other) + : n(other.n) + , num_public_inputs(other.num_public_inputs) + , domain(other.domain) + , reference_string(other.reference_string) + , constraint_selectors(other.constraint_selectors) + , permutation_selectors(other.permutation_selectors) + , polynomial_manifest(other.polynomial_manifest) + , contains_recursive_proof(other.contains_recursive_proof) + , recursive_proof_public_input_indices(other.recursive_proof_public_input_indices) + {} + + std::size_t size_in_bits() const { + ???; + } + + bool operator==(const plonk_verification_key &other) const { + return this->n == rhs.n && this->num_public_inputs == rhs.num_public_inputs && + this->constraint_selectors == rhs.constraint_selectors && + this->permutation_selectors == rhs.permutation_selectors; + } + }; + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_PLONK_VERIFICATION_KEY_HPP diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/verifier.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/verifier.hpp new file mode 100644 index 000000000..dd6fba233 --- /dev/null +++ b/include/nil/crypto3/zk/snark/schemes/plonk/verifier.hpp @@ -0,0 +1,282 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_PLONK_VERIFIER_HPP +#define CRYPTO3_ZK_PLONK_VERIFIER_HPP + +#include +#include +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + + template + class plonk_verifier; + + template + class plonk_verifier { + transcript::Manifest manifest; + + std::shared_ptr> key; + std::map::value_type> kate_g1_elements; + std::map kate_fr_elements; + std::unique_ptr commitment_scheme; + + public: + + plonk_verifier(std::shared_ptr> verifier_key, + const transcript::Manifest& input_manifest) + : manifest(input_manifest) + , key(verifier_key) + {} + + plonk_verifier& operator=(plonk_verifier&& other) { + key = other.key; + manifest = other.manifest; + commitment_scheme = (std::move(other.commitment_scheme)); + kate_g1_elements.clear(); + kate_fr_elements.clear(); + return *this; + } + + plonk_verifier(plonk_verifier &&other) + : manifest(other.manifest) + , key(other.key) + , commitment_scheme(std::move(other.commitment_scheme)) + {} + + bool validate_commitments() { + // TODO + return true; + } + + bool validate_scalars() { + // TODO + return true; + } + + bool process(const plonk_proof& proof) { + // This function verifies a PLONK proof for given program settings. + // A PLONK proof for standard PLONK with linearisation as on page 31 in the paper is of the form: + // + // π_SNARK = { [a]_1,[b]_1,[c]_1,[z]_1,[t_{low}]_1,[t_{mid}]_1,[t_{high}]_1,[W_z]_1,[W_zω]_1 \in G, + // a_eval, b_eval, c_eval, sigma1_eval, sigma2_eval, r_eval, z_eval_omega \in F } + // + // Proof π_SNARK must be first added in the transcrip with other program settings. + // + key->program_width = program_settings::program_width; + transcript::StandardTranscript transcript = transcript::StandardTranscript( + proof.proof_data, manifest, program_settings::hash_type, program_settings::num_challenge_bytes); + + // Compute challenges using Fiat-Shamir heuristic from transcript + transcript.add_element("circuit_size", + { static_cast(key->n >> 24), + static_cast(key->n >> 16), + static_cast(key->n >> 8), + static_cast(key->n) }); + transcript.add_element("public_input_size", + { static_cast(key->num_public_inputs >> 24), + static_cast(key->num_public_inputs >> 16), + static_cast(key->num_public_inputs >> 8), + static_cast(key->num_public_inputs) }); + transcript.apply_fiat_shamir("init"); + transcript.apply_fiat_shamir("eta"); + transcript.apply_fiat_shamir("beta"); + transcript.apply_fiat_shamir("alpha"); + transcript.apply_fiat_shamir("z"); + + const typename TCurve::scalar_field_type::value_type alpha = + crypto3::marshalling::algebra( + transcript.get_challenge("alpha").begin()); + const typename TCurve::scalar_field_type::value_type zeta = + crypto3::marshalling::algebra( + transcript.get_challenge("z").begin()); + + // Compute the evaluations of the lagrange polynomials L_1(X) and L_{n - k}(X) at X = zeta. + // Here k = num_roots_cut_out_of_the_vanishing_polynomial and n is the size of the evaluation domain. + const auto lagrange_evals = math::polynomial_arithmetic::get_lagrange_evaluations(zeta, key->domain); + + // Step 8: Compute quotient polynomial evaluation at zeta + // r_eval − ((a_eval + β.sigma1_eval + γ)(b_eval + β.sigma2_eval + γ)(c_eval + γ) z_eval_omega)α − + // L_1(zeta).α^{3} + (z_eval_omega - ∆_{PI}).L_{n-k}(zeta)α^{2} + // t_eval = + // -------------------------------------------------------------------------------------------------------------------------------------------------------------- + // Z_H*(zeta) + // where Z_H*(X) is the modified vanishing polynomial. + // The `compute_quotient_evaluation_contribution` function computes the numerator of t_eval + // according to the program settings for standard/turbo/ultra PLONK. + // + key->z_pow_n = zeta; + for (size_t i = 0; i < key->domain.log2_size; ++i) { + key->z_pow_n *= key->z_pow_n; + } + typename TCurve::scalar_field_type::value_type t_eval = + typename TCurve::scalar_field_type::value_type::zero(); + program_settings::compute_quotient_evaluation_contribution(key.get(), alpha, transcript, t_eval); + t_eval *= lagrange_evals.vanishing_poly.invert(); + transcript.add_element("t", t_eval.to_buffer()); + + transcript.apply_fiat_shamir("nu"); + transcript.apply_fiat_shamir("separator"); + const typename TCurve::scalar_field_type::value_type separator_challenge = + crypto3::marshalling::algebra( + transcript.get_challenge("separator").begin()); + + // In the following function, we do the following computation. + // Step 10: Compute batch opening commitment [F]_1 + // [F] := [t_{low}]_1 + \zeta^{n}.[tmid]1 + \zeta^{2n}.[t_{high}]_1 + // + [D]_1 + \nu_{a}.[a]_1 + \nu_{b}.[b]_1 + \nu_{c}.[c]_1 + // + \nu_{\sigma1}.[s_{\sigma_1}]1 + \nu_{\sigma2}.[s_{\sigma_2}]1 + // + // We do not compute [D]_1 term in this method as the information required to compute [D]_1 + // in inadequate as far as this KateCommitmentScheme class is concerned. + // + // Step 11: Compute batch evaluation commitment [E]_1 + // [E]_1 := (t_eval + \nu_{r}.r_eval + \nu_{a}.a_eval + \nu_{b}.b_eval + // \nu_{c}.c_eval + \nu_{\sigma1}.sigma1_eval + \nu_{\sigma2}.sigma2_eval + + // nu_z_omega.separator.z_eval_omega) . [1]_1 + // + // Note that we do not actually compute the scalar multiplications but just accumulate the scalars + // and the group elements in different vectors. + // + commitment_scheme->batch_verify(transcript, kate_g1_elements, kate_fr_elements, key); + + // Step 9: Compute partial opening batch commitment [D]_1: + // [D]_1 = (a_eval.b_eval.[qM]_1 + a_eval.[qL]_1 + b_eval.[qR]_1 + c_eval.[qO]_1 + [qC]_1) * nu_{linear} * α + // >> selector polynomials + // + [(a_eval + β.z + γ)(b_eval + β.k_1.z + γ)(c_eval + β.k_2.z + γ).α + + // L_1(z).α^{3}].nu_{linear}.[z]_1 >> grand product perm polynomial + // - (a_eval + β.sigma1_eval + γ)(b_eval + β.sigma2_eval + + // γ)α.β.nu_{linear}.z_omega_eval.[sigma3]_1 >> last perm polynomial + // + // Again, we dont actually compute the MSMs and just accumulate scalars and group elements and postpone MSM to last + // step. + // + append_scalar_multiplication_inputs(key.get(), alpha, transcript, kate_fr_elements); + + // Fetch the group elements [W_z]_1,[W_zω]_1 from the transcript + typename TCurve::g1_type::value_type PI_Z = crypto3::marshalling::algebra< + typename TCurve::g1_type::value_type>(&transcript.get_element("PI_Z")[0]); + typename TCurve::g1_type::value_type PI_Z_OMEGA = crypto3::marshalling::algebra< + typename TCurve::g1_type::value_type>(&transcript.get_element("PI_Z_OMEGA")[0]); + + // Accumulate pairs of scalars and group elements which would be used in the final pairing check. + kate_g1_elements.insert({ "PI_Z_OMEGA", PI_Z_OMEGA }); + kate_fr_elements.insert({ "PI_Z_OMEGA", zeta * key->domain.root * separator_challenge }); + + kate_g1_elements.insert({ "PI_Z", PI_Z }); + kate_fr_elements.insert({ "PI_Z", zeta }); + + validate_commitments(); + validate_scalars(); + + std::vector scalars; + std::vector::value_type> elements; + + for (const auto& [key, value] : kate_g1_elements) { + if (value.on_curve()) { + scalars.emplace_back(kate_fr_elements.at(key)); + elements.emplace_back(value); + } + } + + size_t num_elements = elements.size(); + elements.resize(num_elements * 2); + algebra::scalar_multiplication::generate_pippenger_point_table(&elements[0], &elements[0], num_elements); + scalar_multiplication::pippenger_runtime_state state(num_elements); + + typename TCurve::g1_type<>::value_type P[2]; + + P[0] = alegbra::scalar_multiplication::pippenger(&scalars[0], &elements[0], num_elements, state); + P[1] = -(typename TCurve::g1_type<>::value_type(PI_Z_OMEGA) * separator_challenge + PI_Z); + + if (key->contains_recursive_proof) { + assert(key->recursive_proof_public_input_indices.size() == 16); + const auto& inputs = transcript.get_field_element_vector("public_inputs"); + const auto recover_fq_from_public_inputs = + [&inputs](const size_t idx0, const size_t idx1, const size_t idx2, const size_t idx3) { + const uint256_t l0 = inputs[idx0]; + const uint256_t l1 = inputs[idx1]; + const uint256_t l2 = inputs[idx2]; + const uint256_t l3 = inputs[idx3]; + + const uint256_t limb = l0 + (l1 << NUM_LIMB_BITS_IN_FIELD_SIMULATION) + + (l2 << (NUM_LIMB_BITS_IN_FIELD_SIMULATION * 2)) + + (l3 << (NUM_LIMB_BITS_IN_FIELD_SIMULATION * 3)); + return typename TCurve::base_field_type::value_type(limb); + }; + + const auto recursion_separator_challenge = transcript.get_challenge_field_element("separator").sqr(); + + const typename TCurve::base_field_type::value_type x0 = + recover_fq_from_public_inputs(key->recursive_proof_public_input_indices[0], + key->recursive_proof_public_input_indices[1], + key->recursive_proof_public_input_indices[2], + key->recursive_proof_public_input_indices[3]); + const typename TCurve::base_field_type::value_type y0 = + recover_fq_from_public_inputs(key->recursive_proof_public_input_indices[4], + key->recursive_proof_public_input_indices[5], + key->recursive_proof_public_input_indices[6], + key->recursive_proof_public_input_indices[7]); + const typename TCurve::base_field_type::value_type x1 = + recover_fq_from_public_inputs(key->recursive_proof_public_input_indices[8], + key->recursive_proof_public_input_indices[9], + key->recursive_proof_public_input_indices[10], + key->recursive_proof_public_input_indices[11]); + const typename TCurve::base_field_type::value_type y1 = + recover_fq_from_public_inputs(key->recursive_proof_public_input_indices[12], + key->recursive_proof_public_input_indices[13], + key->recursive_proof_public_input_indices[14], + key->recursive_proof_public_input_indices[15]); + P[0] += typename TCurve::g1_type<>::value_type(x0, y0, 1) * recursion_separator_challenge; + P[1] += typename TCurve::g1_type<>::value_type(x1, y1, 1) * recursion_separator_challenge; + } + + typename TCurve::g1_type<>::value_type::batch_normalize(P, 2); + + typename TCurve::g1_type::value_type P_affine[2]{ + { P[0].x, P[0].y }, + { P[1].x, P[1].y }, + }; + + // The final pairing check of step 12. + typename TCurve::gt_type::value_type result = algebra::pairing::reduced_ate_pairing_batch_precomputed( + P_affine, key->reference_string->get_precomputed_g2_lines(), 2); + + return (result == typename TCurve::gt_type::value_type::one()); + } + }; + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_PLONK_VERIFIER_HPP From 3db9f04771748b42a83e196755e4dfe1038e195d Mon Sep 17 00:00:00 2001 From: nkaskov Date: Mon, 18 Oct 2021 14:01:48 +0300 Subject: [PATCH 002/219] PLONK params added. --- .../crypto3/zk/snark/schemes/plonk/params.hpp | 98 +++++++++++++++++++ 1 file changed, 98 insertions(+) create mode 100644 include/nil/crypto3/zk/snark/schemes/plonk/params.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/params.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/params.hpp new file mode 100644 index 000000000..acf53dbe9 --- /dev/null +++ b/include/nil/crypto3/zk/snark/schemes/plonk/params.hpp @@ -0,0 +1,98 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2018-2021 Mikhail Komarov +// Copyright (c) 2020-2021 Nikita Kaskov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_PLONK_PARAMS_HPP +#define CRYPTO3_ZK_PLONK_PARAMS_HPP + +#include + +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + template> + struct standard_settings { + constexpr static const std::size_t num_challenge_bytes = 32; + constexpr static const transcript::HashType hash_type = transcript::HashType::Keccak256; + constexpr static const std::size_t program_width = 3; + constexpr static const std::size_t num_shifted_wire_evaluations = 1; + constexpr static const std::uint64_t wire_shift_settings = 0b0100; + constexpr static const bool uses_quotient_mid = false; + constexpr static const std::uint32_t permutation_shift = 30; + constexpr static const std::uint32_t permutation_mask = 0xC0000000; + constexpr static const bool use_linearisation = true; + constexpr static const std::size_t num_roots_cut_out_of_vanishing_polynomial = 4; + }; + + template + struct unrolled_standard_settings { + constexpr static const size_t num_challenge_bytes = 16; + constexpr static const transcript::HashType hash_type = transcript::HashType::PedersenBlake2s; + constexpr static const size_t program_width = 3; + constexpr static const size_t num_shifted_wire_evaluations = 1; + constexpr static const uint64_t wire_shift_settings = 0b0100; + constexpr static const bool uses_quotient_mid = false; + constexpr static const uint32_t permutation_shift = 30; + constexpr static const uint32_t permutation_mask = 0xC0000000; + constexpr static const bool use_linearisation = false; + constexpr static const size_t num_roots_cut_out_of_vanishing_polynomial = 4; + }; + + template> + struct turbo_settings { + constexpr static const size_t num_challenge_bytes = 32; + constexpr static const transcript::HashType hash_type = transcript::HashType::Keccak256; + constexpr static const size_t program_width = 4; + constexpr static const size_t num_shifted_wire_evaluations = 4; + constexpr static const uint64_t wire_shift_settings = 0b1111; + constexpr static const bool uses_quotient_mid = false; + constexpr static const uint32_t permutation_shift = 30; + constexpr static const uint32_t permutation_mask = 0xC0000000; + constexpr static const bool use_linearisation = true; + constexpr static const size_t num_roots_cut_out_of_vanishing_polynomial = 4; + }; + + template + class unrolled_turbo_settings { + public: + constexpr static const size_t num_challenge_bytes = 16; + constexpr static const transcript::HashType hash_type = transcript::HashType::PedersenBlake2s; + constexpr static const size_t program_width = 4; + constexpr static const size_t num_shifted_wire_evaluations = 4; + constexpr static const uint64_t wire_shift_settings = 0b1111; + constexpr static const bool uses_quotient_mid = false; + constexpr static const uint32_t permutation_shift = 30; + constexpr static const uint32_t permutation_mask = 0xC0000000; + constexpr static const bool use_linearisation = false; + constexpr static const size_t num_roots_cut_out_of_vanishing_polynomial = 4; + }; + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_R1CS_GG_PPZKSNARK_BASIC_PROVER_HPP From a10e968a255fd8de7208d3ebaa93001e6a9be400 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Tue, 19 Oct 2021 16:34:36 +0300 Subject: [PATCH 003/219] Minor PLONK prover refactoring. #20 --- .../crypto3/zk/snark/schemes/plonk/prover.hpp | 113 +----------------- 1 file changed, 5 insertions(+), 108 deletions(-) diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/prover.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/prover.hpp index f0b3b3b66..bc0a79c17 100644 --- a/include/nil/crypto3/zk/snark/schemes/plonk/prover.hpp +++ b/include/nil/crypto3/zk/snark/schemes/plonk/prover.hpp @@ -62,7 +62,7 @@ namespace nil { work_queue queue; bool uses_quotient_mid; - waffle::plonk_proof proof; + plonk_proof proof; public: @@ -252,34 +252,10 @@ namespace nil { void execute_first_round() { queue.flush_queue(); -#ifdef DEBUG_TIMING - std::chrono::steady_clock::time_point start = std::chrono::steady_clock::now(); -#endif -#ifdef DEBUG_TIMING - std::chrono::steady_clock::time_point end = std::chrono::steady_clock::now(); - std::chrono::milliseconds diff = std::chrono::duration_cast(end - start); - std::cout << "init quotient polys: " << diff.count() << "ms" << std::endl; -#endif -#ifdef DEBUG_TIMING - start = std::chrono::steady_clock::now(); -#endif -#ifdef DEBUG_TIMING - end = std::chrono::steady_clock::now(); - diff = std::chrono::duration_cast(end - start); - std::cout << "compute wire coefficients: " << diff.count() << "ms" << std::endl; -#endif -#ifdef DEBUG_TIMING - start = std::chrono::steady_clock::now(); -#endif compute_wire_pre_commitments(); for (auto& widget : random_widgets) { widget->compute_round_commitments(transcript, 1, queue); } -#ifdef DEBUG_TIMING - end = std::chrono::steady_clock::now(); - diff = std::chrono::duration_cast(end - start); - std::cout << "compute wire commitments: " << diff.count() << "ms" << std::endl; -#endif } void execute_second_round() { @@ -293,17 +269,6 @@ namespace nil { void execute_third_round() { queue.flush_queue(); transcript.apply_fiat_shamir("beta"); -#ifdef DEBUG_TIMING - std::chrono::steady_clock::time_point start = std::chrono::steady_clock::now(); -#endif -#ifdef DEBUG_TIMING - std::chrono::steady_clock::time_point end = std::chrono::steady_clock::now(); - std::chrono::milliseconds diff = std::chrono::duration_cast(end - start); - std::cout << "compute z coefficients: " << diff.count() << "ms" << std::endl; -#endif -#ifdef DEBUG_TIMING - start = std::chrono::steady_clock::now(); -#endif for (auto& widget : random_widgets) { widget->compute_round_commitments(transcript, 3, queue); } @@ -318,54 +283,18 @@ namespace nil { 0, }); } -#ifdef DEBUG_TIMING - end = std::chrono::steady_clock::now(); - diff = std::chrono::duration_cast(end - start); - std::cout << "compute z commitment: " << diff.count() << "ms" << std::endl; -#endif } void execute_fourth_round() { queue.flush_queue(); transcript.apply_fiat_shamir("alpha"); -#ifdef DEBUG_TIMING - std::chrono::steady_clock::time_point start = std::chrono::steady_clock::now(); -#endif -#ifdef DEBUG_TIMING - std::chrono::steady_clock::time_point end = std::chrono::steady_clock::now(); - std::chrono::milliseconds diff = std::chrono::duration_cast(end - start); - std::cout << "compute wire ffts: " << diff.count() << "ms" << std::endl; -#endif - -#ifdef DEBUG_TIMING - start = std::chrono::steady_clock::now(); -#endif -#ifdef DEBUG_TIMING - end = std::chrono::steady_clock::now(); - diff = std::chrono::duration_cast(end - start); - std::cout << "copy z: " << diff.count() << "ms" << std::endl; -#endif -#ifdef DEBUG_TIMING - start = std::chrono::steady_clock::now(); -#endif -#ifdef DEBUG_TIMING - end = std::chrono::steady_clock::now(); - diff = std::chrono::duration_cast(end - start); - std::cout << "compute permutation grand product coeffs: " << diff.count() << "ms" << std::endl; -#endif + typename TCurve::scalar_field_type::value_type alpha_base = - typename TCurve::scalar_field_type::value_type::serialize_from_buffer(transcript.get_challenge("alpha").begin()); + typename TCurve::scalar_field_type::value_type::serialize_from_buffer( + transcript.get_challenge("alpha").begin()); for (auto& widget : random_widgets) { -#ifdef DEBUG_TIMING - std::chrono::steady_clock::time_point start = std::chrono::steady_clock::now(); -#endif alpha_base = widget->compute_quotient_contribution(alpha_base, transcript); -#ifdef DEBUG_TIMING - std::chrono::steady_clock::time_point end = std::chrono::steady_clock::now(); - std::chrono::milliseconds diff = std::chrono::duration_cast(end - start); - std::cout << "widget " << i << " quotient compute time: " << diff.count() << "ms" << std::endl; -#endif } for (auto& widget : transition_widgets) { alpha_base = widget->compute_quotient_contribution(alpha_base, transcript); @@ -373,60 +302,28 @@ namespace nil { typename TCurve::scalar_field_type::value_type* q_mid = &key->quotient_mid[0]; typename TCurve::scalar_field_type::value_type* q_large = &key->quotient_large[0]; -#ifdef DEBUG_TIMING - start = std::chrono::steady_clock::now(); -#endif if constexpr (settings::uses_quotient_mid) { math::polynomial_arithmetic::divide_by_pseudo_vanishing_polynomial( key->quotient_mid.get_coefficients(), key->small_domain, key->mid_domain); } math::polynomial_arithmetic::divide_by_pseudo_vanishing_polynomial( key->quotient_large.get_coefficients(), key->small_domain, key->large_domain); -#ifdef DEBUG_TIMING - end = std::chrono::steady_clock::now(); - diff = std::chrono::duration_cast(end - start); - std::cout << "divide by vanishing polynomial: " << diff.count() << "ms" << std::endl; -#endif -#ifdef DEBUG_TIMING - start = std::chrono::steady_clock::now(); -#endif if (settings::uses_quotient_mid) { key->quotient_mid.coset_ifft(key->mid_domain); } key->quotient_large.coset_ifft(key->large_domain); -#ifdef DEBUG_TIMING - end = std::chrono::steady_clock::now(); - diff = std::chrono::duration_cast(end - start); - std::cout << "final inverse fourier transforms: " << diff.count() << "ms" << std::endl; -#endif if (settings::uses_quotient_mid) { ITERATE_OVER_DOMAIN_START(key->mid_domain); q_large[i] += q_mid[i]; ITERATE_OVER_DOMAIN_END; } -#ifdef DEBUG_TIMING - start = std::chrono::steady_clock::now(); -#endif compute_quotient_pre_commitment(); -#ifdef DEBUG_TIMING - end = std::chrono::steady_clock::now(); - diff = std::chrono::duration_cast(end - start); - std::cout << "compute quotient commitment: " << diff.count() << "ms" << std::endl; -#endif - } // namespace waffle + } void execute_fifth_round() { queue.flush_queue(); transcript.apply_fiat_shamir("z"); // end of 4th round -#ifdef DEBUG_TIMING - std::chrono::steady_clock::time_point start = std::chrono::steady_clock::now(); -#endif compute_linearisation_coefficients(); -#ifdef DEBUG_TIMING - std::chrono::steady_clock::time_point end = std::chrono::steady_clock::now(); - std::chrono::milliseconds diff = std::chrono::duration_cast(end - start); - std::cout << "compute linearisation coefficients: " << diff.count() << "ms" << std::endl; -#endif } void execute_sixth_round() { From 84b059307f7123500250672e06f6ab657be88e94 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Sat, 30 Oct 2021 14:52:28 +0300 Subject: [PATCH 004/219] Redshift generator and prover inited. --- .../snark/schemes/plonk/{ => kate}/params.hpp | 6 +- .../snark/schemes/plonk/{ => kate}/proof.hpp | 11 +- .../snark/schemes/plonk/{ => kate}/prover.hpp | 38 ++-- .../schemes/plonk/{ => kate}/proving_key.hpp | 24 +-- .../plonk/{ => kate}/verification_key.hpp | 28 +-- .../schemes/plonk/{ => kate}/verifier.hpp | 28 +-- .../schemes/plonk/redshift/generator.hpp | 141 +++++++++++++++ .../snark/schemes/plonk/redshift/params.hpp | 43 +++++ .../zk/snark/schemes/plonk/redshift/proof.hpp | 45 +++++ .../snark/schemes/plonk/redshift/prover.hpp | 164 ++++++++++++++++++ .../schemes/plonk/redshift/proving_key.hpp | 54 ++++++ .../zk/snark/schemes/plonk/redshift/types.hpp | 103 +++++++++++ .../plonk/redshift/verification_key.hpp | 53 ++++++ .../snark/schemes/plonk/redshift/verifier.hpp | 47 +++++ 14 files changed, 721 insertions(+), 64 deletions(-) rename include/nil/crypto3/zk/snark/schemes/plonk/{ => kate}/params.hpp (97%) rename include/nil/crypto3/zk/snark/schemes/plonk/{ => kate}/proof.hpp (85%) rename include/nil/crypto3/zk/snark/schemes/plonk/{ => kate}/prover.hpp (94%) rename include/nil/crypto3/zk/snark/schemes/plonk/{ => kate}/proving_key.hpp (96%) rename include/nil/crypto3/zk/snark/schemes/plonk/{ => kate}/verification_key.hpp (90%) rename include/nil/crypto3/zk/snark/schemes/plonk/{ => kate}/verifier.hpp (95%) create mode 100644 include/nil/crypto3/zk/snark/schemes/plonk/redshift/generator.hpp create mode 100644 include/nil/crypto3/zk/snark/schemes/plonk/redshift/params.hpp create mode 100644 include/nil/crypto3/zk/snark/schemes/plonk/redshift/proof.hpp create mode 100644 include/nil/crypto3/zk/snark/schemes/plonk/redshift/prover.hpp create mode 100644 include/nil/crypto3/zk/snark/schemes/plonk/redshift/proving_key.hpp create mode 100644 include/nil/crypto3/zk/snark/schemes/plonk/redshift/types.hpp create mode 100644 include/nil/crypto3/zk/snark/schemes/plonk/redshift/verification_key.hpp create mode 100644 include/nil/crypto3/zk/snark/schemes/plonk/redshift/verifier.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/params.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/kate/params.hpp similarity index 97% rename from include/nil/crypto3/zk/snark/schemes/plonk/params.hpp rename to include/nil/crypto3/zk/snark/schemes/plonk/kate/params.hpp index acf53dbe9..4975900bf 100644 --- a/include/nil/crypto3/zk/snark/schemes/plonk/params.hpp +++ b/include/nil/crypto3/zk/snark/schemes/plonk/kate/params.hpp @@ -23,8 +23,8 @@ // SOFTWARE. //---------------------------------------------------------------------------// -#ifndef CRYPTO3_ZK_PLONK_PARAMS_HPP -#define CRYPTO3_ZK_PLONK_PARAMS_HPP +#ifndef CRYPTO3_ZK_PLONK_BATCHED_KATE_PARAMS_HPP +#define CRYPTO3_ZK_PLONK_BATCHED_KATE_PARAMS_HPP #include @@ -95,4 +95,4 @@ namespace nil { } // namespace crypto3 } // namespace nil -#endif // CRYPTO3_ZK_R1CS_GG_PPZKSNARK_BASIC_PROVER_HPP +#endif // CRYPTO3_ZK_PLONK_BATCHED_KATE_PARAMS_HPP diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/proof.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/kate/proof.hpp similarity index 85% rename from include/nil/crypto3/zk/snark/schemes/plonk/proof.hpp rename to include/nil/crypto3/zk/snark/schemes/plonk/kate/proof.hpp index 1dafea718..a0cc33248 100644 --- a/include/nil/crypto3/zk/snark/schemes/plonk/proof.hpp +++ b/include/nil/crypto3/zk/snark/schemes/plonk/kate/proof.hpp @@ -23,11 +23,10 @@ // SOFTWARE. //---------------------------------------------------------------------------// -#ifndef CRYPTO3_ZK_PLONK_PROOF_HPP -#define CRYPTO3_ZK_PLONK_PROOF_HPP +#ifndef CRYPTO3_ZK_PLONK_BATCHED_KATE_PROOF_HPP +#define CRYPTO3_ZK_PLONK_BATCHED_KATE_PROOF_HPP -#include -#include +#include namespace nil { namespace crypto3 { @@ -39,7 +38,7 @@ namespace nil { class plonk_proof; template - struct plonk_proof { + struct plonk_proof> { std::vector data; }; } // namespace snark @@ -47,4 +46,4 @@ namespace nil { } // namespace crypto3 } // namespace nil -#endif // CRYPTO3_ZK_PLONK_PROOF_HPP +#endif // CRYPTO3_ZK_PLONK_BATCHED_KATE_PROOF_HPP diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/prover.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/kate/prover.hpp similarity index 94% rename from include/nil/crypto3/zk/snark/schemes/plonk/prover.hpp rename to include/nil/crypto3/zk/snark/schemes/plonk/kate/prover.hpp index bc0a79c17..c7142878a 100644 --- a/include/nil/crypto3/zk/snark/schemes/plonk/prover.hpp +++ b/include/nil/crypto3/zk/snark/schemes/plonk/kate/prover.hpp @@ -23,10 +23,10 @@ // SOFTWARE. //---------------------------------------------------------------------------// -#ifndef CRYPTO3_ZK_PLONK_PROVER_HPP -#define CRYPTO3_ZK_PLONK_PROVER_HPP +#ifndef CRYPTO3_ZK_PLONK_BATCHED_KATE_PROVER_HPP +#define CRYPTO3_ZK_PLONK_BATCHED_KATE_PROVER_HPP -#include +#include #include namespace nil { @@ -35,15 +35,13 @@ namespace nil { namespace snark { template class plonk_prover; - template - class plonk_prover { - - using commitment_scheme = kate_commitment; + template + class plonk_prover> { + using commitment_scheme_type = batched_kate_commitment_scheme<...>; + using constraint_system_type = plonk_constraint_system; size_t n; @@ -55,9 +53,9 @@ namespace nil { std::vector>> transition_widgets; transcript::StandardTranscript transcript; - std::shared_ptr> key; + std::shared_ptr> key; std::shared_ptr witness; - std::unique_ptr commitment_scheme; + std::unique_ptr commitment; work_queue queue; bool uses_quotient_mid; @@ -66,7 +64,7 @@ namespace nil { public: - plonk_prover(std::shared_ptr> input_key, + plonk_prover(std::shared_ptr> input_key, std::shared_ptr input_witness, const transcript::Manifest& input_manifest) : n(input_key == nullptr ? 0 : input_key->n) @@ -94,7 +92,7 @@ namespace nil { transcript = other.transcript; key = std::move(other.key); witness = std::move(other.witness); - commitment_scheme = std::move(other.commitment_scheme); + commitment = std::move(other.commitment); queue = work_queue(key.get(), witness.get(), &transcript); return *this; @@ -105,7 +103,7 @@ namespace nil { , transcript(other.transcript) , key(std::move(other.key)) , witness(std::move(other.witness)) - , commitment_scheme(std::move(other.commitment_scheme)) + , commitment(std::move(other.commitment)) , queue(key.get(), witness.get(), &transcript) { for (size_t i = 0; i < other.random_widgets.size(); ++i) { @@ -122,7 +120,7 @@ namespace nil { std::string commit_tag = "W_" + std::to_string(i + 1); typename TCurve::scalar_field_type::value_type* coefficients = witness->wires.at(wire_tag).get_coefficients(); - commitment_scheme->commit(coefficients, commit_tag, + commitment->commit(coefficients, commit_tag, typename TCurve::scalar_field_type::value_type::zero(), queue); } @@ -178,7 +176,7 @@ namespace nil { const size_t offset = n * i; typename TCurve::scalar_field_type::value_type* coefficients = &key->quotient_large.get_coefficients()[offset]; std::string quotient_tag = "T_" + std::to_string(i + 1); - commitment_scheme->commit(coefficients, quotient_tag, + commitment->commit(coefficients, quotient_tag, typename TCurve::scalar_field_type::value_type::zero(), queue); } @@ -187,7 +185,7 @@ namespace nil { std::string quotient_tag = "T_" + std::to_string(program_width); typename TCurve::scalar_field_type::value_type program_flag = program_width == 3 ? typename TCurve::scalar_field_type::value_type::one() : typename TCurve::scalar_field_type::value_type::zero(); - commitment_scheme->commit(coefficients, quotient_tag, program_flag, queue); + commitment->commit(coefficients, quotient_tag, program_flag, queue); } void execute_preamble_round() { @@ -330,7 +328,7 @@ namespace nil { queue.flush_queue(); transcript.apply_fiat_shamir("nu"); - commitment_scheme->batch_open(transcript, queue, key, witness); + commitment->batch_open(transcript, queue, key, witness); } typename TCurve::scalar_field_type::value_type compute_linearisation_coefficients() { @@ -340,7 +338,7 @@ namespace nil { math::polynomial& r = key->linear_poly; - commitment_scheme->add_opening_evaluations_to_transcript(transcript, key, witness, false); + commitment->add_opening_evaluations_to_transcript(transcript, key, witness, false); typename TCurve::scalar_field_type::value_type t_eval = key->quotient_large.evaluate(zeta, 4 * n); if constexpr (use_linearisation) { @@ -391,4 +389,4 @@ namespace nil { } // namespace crypto3 } // namespace nil -#endif // CRYPTO3_ZK_PLONK_PROVER_HPP +#endif // CRYPTO3_ZK_PLONK_BATCHED_KATE_PROVER_HPP diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/proving_key.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/kate/proving_key.hpp similarity index 96% rename from include/nil/crypto3/zk/snark/schemes/plonk/proving_key.hpp rename to include/nil/crypto3/zk/snark/schemes/plonk/kate/proving_key.hpp index 2abf1ada7..d3a6a16bd 100644 --- a/include/nil/crypto3/zk/snark/schemes/plonk/proving_key.hpp +++ b/include/nil/crypto3/zk/snark/schemes/plonk/kate/proving_key.hpp @@ -23,10 +23,10 @@ // SOFTWARE. //---------------------------------------------------------------------------// -#ifndef CRYPTO3_PLONK_PROVING_KEY_HPP -#define CRYPTO3_PLONK_PROVING_KEY_HPP +#ifndef CRYPTO3_PLONK_BATCHED_KATE_PROVING_KEY_HPP +#define CRYPTO3_PLONK_BATCHED_KATE_PROVING_KEY_HPP -#include +#include #include namespace nil { @@ -34,9 +34,11 @@ namespace nil { namespace zk { namespace snark { - template> - struct plonk_proving_key_data { + template + struct plonk_proving_key_data; + + template + struct plonk_proving_key_data> { std::uint32_t n; std::uint32_t num_public_inputs; bool contains_recursive_proof; @@ -60,9 +62,11 @@ namespace nil { lhs.recursive_proof_public_input_indices == rhs.recursive_proof_public_input_indices; } - template> - class plonk_proving_key { + template + class plonk_proving_key; + + template + class plonk_proving_key> { constexpr static const std::size_t scalar_bytes = TCurve::scalar_field_type::value_bits/BYTE_BITS; std::size_t n; @@ -307,4 +311,4 @@ namespace nil { } // namespace crypto3 } // namespace nil -#endif // CRYPTO3_PLONK_PROVING_KEY_HPP +#endif // CRYPTO3_PLONK_BATCHED_KATE_PROVING_KEY_HPP diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/verification_key.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/kate/verification_key.hpp similarity index 90% rename from include/nil/crypto3/zk/snark/schemes/plonk/verification_key.hpp rename to include/nil/crypto3/zk/snark/schemes/plonk/kate/verification_key.hpp index 028ab3498..a32e3bc5d 100644 --- a/include/nil/crypto3/zk/snark/schemes/plonk/verification_key.hpp +++ b/include/nil/crypto3/zk/snark/schemes/plonk/kate/verification_key.hpp @@ -23,10 +23,10 @@ // SOFTWARE. //---------------------------------------------------------------------------// -#ifndef CRYPTO3_PLONK_VERIFICATION_KEY_HPP -#define CRYPTO3_PLONK_VERIFICATION_KEY_HPP +#ifndef CRYPTO3_PLONK_BATCHED_KATE_VERIFICATION_KEY_HPP +#define CRYPTO3_PLONK_BATCHED_KATE_VERIFICATION_KEY_HPP -#include +#include #include namespace nil { @@ -34,9 +34,11 @@ namespace nil { namespace zk { namespace snark { - template> - struct plonk_verification_key_data { + template + struct plonk_verification_key_data; + + template + struct plonk_verification_key_data> { std::uint32_t n; std::uint32_t num_public_inputs; std::map::value_type> constraint_selectors; @@ -52,9 +54,13 @@ namespace nil { lhs.permutation_selectors == rhs.permutation_selectors; } - template> - class plonk_verification_key { + template + class plonk_verification_key; + + template + class plonk_verification_key> { + using commitment_scheme_type = batched_kate_commitment_scheme<...>; + constexpr static const std::size_t scalar_bytes = TCurve::scalar_field_type::value_bits/BYTE_BITS; std::size_t n; @@ -88,7 +94,7 @@ namespace nil { , reference_string(crs) {} - plonk_verification_key(plonk_verification_key_data&& data, + plonk_verification_key(plonk_verification_key_data&& data, std::shared_ptr const& crs) : n(data.n) , num_public_inputs(data.num_public_inputs) @@ -155,4 +161,4 @@ namespace nil { } // namespace crypto3 } // namespace nil -#endif // CRYPTO3_PLONK_VERIFICATION_KEY_HPP +#endif // CRYPTO3_PLONK_BATCHED_KATE_VERIFICATION_KEY_HPP diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/verifier.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/kate/verifier.hpp similarity index 95% rename from include/nil/crypto3/zk/snark/schemes/plonk/verifier.hpp rename to include/nil/crypto3/zk/snark/schemes/plonk/kate/verifier.hpp index dd6fba233..977712a65 100644 --- a/include/nil/crypto3/zk/snark/schemes/plonk/verifier.hpp +++ b/include/nil/crypto3/zk/snark/schemes/plonk/kate/verifier.hpp @@ -23,10 +23,9 @@ // SOFTWARE. //---------------------------------------------------------------------------// -#ifndef CRYPTO3_ZK_PLONK_VERIFIER_HPP -#define CRYPTO3_ZK_PLONK_VERIFIER_HPP +#ifndef CRYPTO3_ZK_PLONK_BATCHED_KATE_VERIFIER_HPP +#define CRYPTO3_ZK_PLONK_BATCHED_KATE_VERIFIER_HPP -#include #include #include @@ -36,23 +35,24 @@ namespace nil { namespace snark { template class plonk_verifier; - template - class plonk_verifier { + template + class plonk_verifier> { + using commitment_scheme_type = batched_kate_commitment_scheme<...>; + using constraint_system_type = plonk_constraint_system; + transcript::Manifest manifest; - std::shared_ptr> key; + std::shared_ptr> key; std::map::value_type> kate_g1_elements; std::map kate_fr_elements; - std::unique_ptr commitment_scheme; + std::unique_ptr commitment; public: - plonk_verifier(std::shared_ptr> verifier_key, + plonk_verifier(std::shared_ptr> verifier_key, const transcript::Manifest& input_manifest) : manifest(input_manifest) , key(verifier_key) @@ -61,7 +61,7 @@ namespace nil { plonk_verifier& operator=(plonk_verifier&& other) { key = other.key; manifest = other.manifest; - commitment_scheme = (std::move(other.commitment_scheme)); + commitment = (std::move(other.commitment)); kate_g1_elements.clear(); kate_fr_elements.clear(); return *this; @@ -70,7 +70,7 @@ namespace nil { plonk_verifier(plonk_verifier &&other) : manifest(other.manifest) , key(other.key) - , commitment_scheme(std::move(other.commitment_scheme)) + , commitment(std::move(other.commitment)) {} bool validate_commitments() { @@ -167,7 +167,7 @@ namespace nil { // Note that we do not actually compute the scalar multiplications but just accumulate the scalars // and the group elements in different vectors. // - commitment_scheme->batch_verify(transcript, kate_g1_elements, kate_fr_elements, key); + commitment->batch_verify(transcript, kate_g1_elements, kate_fr_elements, key); // Step 9: Compute partial opening batch commitment [D]_1: // [D]_1 = (a_eval.b_eval.[qM]_1 + a_eval.[qL]_1 + b_eval.[qR]_1 + c_eval.[qO]_1 + [qC]_1) * nu_{linear} * α @@ -279,4 +279,4 @@ namespace nil { } // namespace crypto3 } // namespace nil -#endif // CRYPTO3_ZK_PLONK_VERIFIER_HPP +#endif // CRYPTO3_ZK_PLONK_BATCHED_KATE_VERIFIER_HPP diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/generator.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/generator.hpp new file mode 100644 index 000000000..877e4f0fe --- /dev/null +++ b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/generator.hpp @@ -0,0 +1,141 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2018-2021 Mikhail Komarov +// Copyright (c) 2020-2021 Nikita Kaskov +// Copyright (c) 2020-2021 Ilias Khairullin +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_R1CS_GG_PPZKSNARK_BASIC_GENERATOR_HPP +#define CRYPTO3_ZK_R1CS_GG_PPZKSNARK_BASIC_GENERATOR_HPP + +#ifdef MULTICORE +#include +#endif + +#include +#include +#include + +#include +#include +#include +#include +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + + /** + * A generator algorithm for the R1CS GG-ppzkSNARK. + * + * Given a R1CS constraint system CS, this algorithm produces proving and verification keys for + * CS. + */ + template + class redshift_generator { + typedef detail::redshift_types types_policy; + + // static inline math::polynomial::polynom<...> tau( + // std::size_t input, std::size_t n, std::array &k){ + + // std::size_t i = input % n; + // std::size_t j = (input - i)/n + 1; + + // return (math::polynomial::polynom<...>(k[j]) << i); + + // } + + // static inline std::size_t tau_reverted( + // math::polynomial::polynom<...> k_jgi, std::size_t n, std::array &k){ + + // std::size_t i = math::polynomial::get_index_of_non_zero_coeff(k_jgi); + + // std::size_t j = std::find(k.begin(), k.end(), math::polynomial::get_non_zero_coeff(k_jgi)); + + // return n*(j - 1) + i; + // } + + // static inline std::size_t sigma_p1_permutation( + // std::size_t input, std::size_t n, std::array &k){ + // ... + // } + + // static inline math::polynomial::polynom<...> sigma_p2_permutation( + // math::polynomial::polynom<...> input, std::size_t n, std::array &k){ + + // return (tau(sigma_p1_permutation(tau_reverted(input, n, k), n, k), n, k)); + // } + + public: + + template, + typename GeneratorType = boost::random::mt19937> + static inline keypair_type process(const typename types_policy::constraint_system_type &constraint_system) { + + std::array k = get_cosets_generators(); + + std::array::polynomial, 3> S_id; + std::array::polynomial, 3> S_sigma; + + typename TCurve::scalar_field_type::value_type omega = algebra::get_root_of_unity(); + typename TCurve::scalar_field_type::value_type delta = algebra::get_root_of_unity(); + + std::size_t Nperm = ...; + + for (std::size_t i = 0; i < 3; i++){ + std::vector> interpolation_points (Nperm); + for (std::size_t j = 0; j < Nperm; j++){ + interpolation_points.push_back(std::make_pair(omega.pow(j), delta??? * omega.pow(j))); + } + + S_id[i] = math::polynomial::Lagrange_interpolation(interpolation_points); + } + + for (std::size_t i = 0; i < 3; i++){ + std::vector> interpolation_points (Nperm); + for (std::size_t j = 0; j < Nperm; j++){ + interpolation_points.push_back(std::make_pair(omega.pow(j), delta.pow(i) * omega.pow(j))); + } + + S_sigma[i] = math::polynomial::Lagrange_interpolation(interpolation_points); + } + + math::polynomial::polynom Z = polynom_by_zeros(H_star); + + typename types_policy::verification_key_type vk(S_id, S_sigma, q_selectors, PI, Z); + + typename types_policy::proving_key_type pk(S_id, S_sigma, q_selectors, L_basis, f, Z); + + return {std::move(pk), std::move(vk)}; + } + }; + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_R1CS_GG_PPZKSNARK_BASIC_GENERATOR_HPP diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/params.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/params.hpp new file mode 100644 index 000000000..b64bb8aa1 --- /dev/null +++ b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/params.hpp @@ -0,0 +1,43 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2018-2021 Mikhail Komarov +// Copyright (c) 2020-2021 Nikita Kaskov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_PLONK_REDSHIFT_PARAMS_HPP +#define CRYPTO3_ZK_PLONK_REDSHIFT_PARAMS_HPP + +#include + +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_PLONK_REDSHIFT_PARAMS_HPP diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/proof.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/proof.hpp new file mode 100644 index 000000000..473ac413c --- /dev/null +++ b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/proof.hpp @@ -0,0 +1,45 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_PLONK_REDSHIFT_PROOF_HPP +#define CRYPTO3_ZK_PLONK_REDSHIFT_PROOF_HPP + +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + + template + struct redshift_proof { + + }; + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_PLONK_REDSHIFT_PROOF_HPP diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/prover.hpp new file mode 100644 index 000000000..236722b3b --- /dev/null +++ b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/prover.hpp @@ -0,0 +1,164 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_PLONK_REDSHIFT_PROVER_HPP +#define CRYPTO3_ZK_PLONK_REDSHIFT_PROVER_HPP + +#include +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + + template + class redshift_prover { + + using types_policy = redshift_types_policy; + using transcript_manifest = types_policy::prover_fiat_shamir_heuristic_manifest<6>; + public: + + static inline proof_type process(const proving_key_type &proving_key, + const primary_input_type &primary_input, + const auxiliary_input_type &auxiliary_input) { + std::size_t N_wires = primary_input.size() + auxiliary_input.size(); + + fiat_shamir_heuristic transcript; + + ... setup_values = ...; + transcript(setup_values); + + std::vector> f(N_wires); + std::vector> f_commitments(N_wires); + + for (std::size_t i = 0; i < N_wires; i++){ + f.push_back(proving_key.f[i] + choose_h_i() * proving_key.Z(x)); + f_commitments[i].commit(f[i]); + transcript(f_commitments[i]); + } + + hashes::sha2::digest_type beta_bytes = + transcript.get_challenge(); + + hashes::sha2::digest_type gamma_bytes = + transcript.get_challenge(); + + typename TCurve::scalar_field_type::value_type beta = + algebra::marshalling(beta_bytes); + typename TCurve::scalar_field_type::value_type gamma = + algebra::marshalling(gamma_bytes); + + std::vector> p(N_perm); + std::vector> q(N_perm); + + math::polynomial::polynom<...> p1 = math::polynomial::polynom<...>::one(); + math::polynomial::polynom<...> q1 = math::polynomial::polynom<...>::one(); + + for (std::size_t j = 0; j < N_perm; j++){ + p.push_back(f[j] + beta*S_id[j] + gamma); + q.push_back(f[j] + beta*S_sigma[j] + gamma); + + p1 *= p[j]; + q1 *= q[j]; + } + + std::vector> P_interpolation_points (n + 1); + std::vector> Q_interpolation_points (n + 1); + + P_interpolation_points.push_back(std::make_pair(proving_key.omega, 1)); + for (std::size_t i = 2; i <= n+1; i++){ + typename TCurve::scalar_field_type::value_type P_mul_result = + typename TCurve::scalar_field_type::one(); + typename TCurve::scalar_field_type::value_type Q_mul_result = + typename TCurve::scalar_field_type::one(); + for (std::size_t j = 1; j < i; j++){ + P_mul_result *= p1(proving_key.omega.pow(i)); + Q_mul_result *= q1(proving_key.omega.pow(i)); + } + + P_interpolation_points.push_back(std::make_pair(proving_key.omega.pow(i), P_mul_result)); + Q_interpolation_points.push_back(std::make_pair(proving_key.omega.pow(i), Q_mul_result)); + } + + math::polynomial::polynom<...> P = math::polynomial::Lagrange_interpolation(P_interpolation_points); + math::polynomial::polynom<...> Q = math::polynomial::Lagrange_interpolation(Q_interpolation_points); + + std::fri_commitment_cheme<...> P_commitment(); + std::fri_commitment_cheme<...> Q_commitment(); + + P_commitment.commit(P); + Q_commitment.commit(Q); + transcript(P_commitment); + transcript(Q_commitment); + + std::array alphas; + std::vector<> alpha_bytes; + for (std::size_t i = 0; i < 6; i++){ + hashes::sha2::digest_type alpha_bytes = + transcript.get_challenge(); + alphas.push_back(algebra::marshalling(alpha_bytes)); + } + + std::array, 6> F; + F[0] = proving_key.L[1] * (P - 1); + F[1] = proving_key.L[1] * (Q - 1); + F[2] = P * p_1 - (P << 1); + F[3] = Q * q_1 - (Q << 1); + F[4] = proving_key.L[n] * ((P << 1) - (Q << 1)); + F[5] = proving_key.PI; + + for (std::size_t i = 0; i < N_sel; i++) { + F[5] += q[i] * ....gate[i]; + } + + for (std::size_t i = 0; i < N_const; i++) { + F[5] += proving_key.f_c[i]; + } + + math::polynomial::polynom<...> F_precommit = 0; + for (std::size_t i = 0; i < 6; i++) { + F_precommit = a[i] * F[i]; + } + + math::polynomial::polynom<...> T_precommit = F_precommit/Z; + + std::vector> T(N_perm + 2); + T = separate_T(T_precommit); + + std::vector> T_commitments(N_perm + 2); + for (std::size_t i = 0; i < N_perm + 2){ + T_commitments[i].commit(T[i]); + } + } + }; + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_PLONK_REDSHIFT_PROVER_HPP diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/proving_key.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/proving_key.hpp new file mode 100644 index 000000000..e414e342f --- /dev/null +++ b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/proving_key.hpp @@ -0,0 +1,54 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_PLONK_REDSHIFT_PROVING_KEY_HPP +#define CRYPTO3_PLONK_REDSHIFT_PROVING_KEY_HPP + +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + + template + class redshift_proving_key { + using constraint_system_type = plonk_constraint_system; + constexpr static const std::size_t n = ...; + public: + + std::array, 3> S_id; + std::array, 3> S_sigma; + std::array, n> L_basis; + + std::array, 3> f_witness_wire; // witness-wire polynomials f_L, f_R, f_O + + }; + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_PLONK_REDSHIFT_PROVING_KEY_HPP diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/types.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/types.hpp new file mode 100644 index 000000000..401022ea9 --- /dev/null +++ b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/types.hpp @@ -0,0 +1,103 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// +// @file Declaration of types for Redshift PLONK scheme. +// +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_PLONK_REDSHIFT_TYPES_POLICY_HPP +#define CRYPTO3_PLONK_REDSHIFT_TYPES_POLICY_HPP + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + namespace detail { + + template + struct redshift_types_policy { + + /******************************** Params ********************************/ + + /** + * Below are various template aliases (used for convenience). + */ + + typedef plonk_constraint_system constraint_system_type; + + typedef plonk_primary_input primary_input_type; + + typedef plonk_auxiliary_input auxiliary_input_type; + + /******************************** Proving key ********************************/ + + /** + * A proving key for the Redshift cheme. + */ + typedef redshift_proving_key proving_key_type; + + /******************************* Verification key ****************************/ + + /** + * A verification key for the Redshift cheme. + */ + typedef redshift_verification_key verification_key_type; + + /********************************** Key pair *********************************/ + + /** + * A key pair for the Redshift cheme, which consists of a proving key and a verification key. + */ + typedef plonk_ppzksnark_keypair keypair_type; + + /*********************************** Proof ***********************************/ + + /** + * A proof for the Redshift cheme. + * + * While the proof has a structure, externally one merely opaquely produces, + * serializes/deserializes, and verifies proofs. We only expose some information + * about the structure for statistics purposes. + */ + typedef redshift_proof proof_type; + + template + struct prover_fiat_shamir_heuristic_manifest { + enum challenges_ids{ + beta, + gamma, + alpha, + zeta = alpha + AlphasAmount, + nu, + u + }; + }; + }; + } // namespace detail + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_PLONK_REDSHIFT_TYPES_POLICY_HPP diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/verification_key.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/verification_key.hpp new file mode 100644 index 000000000..ec8931190 --- /dev/null +++ b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/verification_key.hpp @@ -0,0 +1,53 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_PLONK_REDSHIFT_VERIFICATION_KEY_HPP +#define CRYPTO3_PLONK_REDSHIFT_VERIFICATION_KEY_HPP + +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + + template + class redshift_verification_key { + using constraint_system_type = plonk_constraint_system; + public: + + std::array, 3> S_id; + std::array, 3> S_sigma; + std::array, n> L_basis; + + math::polynom<...> PI; // public inputs polynomial + + }; + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_PLONK_REDSHIFT_VERIFICATION_KEY_HPP diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/verifier.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/verifier.hpp new file mode 100644 index 000000000..6eb4f6277 --- /dev/null +++ b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/verifier.hpp @@ -0,0 +1,47 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_PLONK_REDSHIFT_VERIFIER_HPP +#define CRYPTO3_ZK_PLONK_REDSHIFT_VERIFIER_HPP + +#include +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + + template + class redshift_verifier { + using constraint_system_type = plonk_constraint_system; + + }; + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_PLONK_REDSHIFT_VERIFIER_HPP From 99f81f1001a496082a007c4c46b5151ffddd7fd0 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Sat, 30 Oct 2021 14:55:04 +0300 Subject: [PATCH 005/219] Commitment schemes inited #25. --- .../zk/snark/commitments/batched_kate.hpp | 72 ++++++++++++++ .../zk/snark/commitments/commitment.hpp | 60 +++++++++++ .../zk/snark/commitments/fri_commitment.hpp | 99 +++++++++++++++++++ 3 files changed, 231 insertions(+) create mode 100644 include/nil/crypto3/zk/snark/commitments/batched_kate.hpp create mode 100644 include/nil/crypto3/zk/snark/commitments/commitment.hpp create mode 100644 include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp diff --git a/include/nil/crypto3/zk/snark/commitments/batched_kate.hpp b/include/nil/crypto3/zk/snark/commitments/batched_kate.hpp new file mode 100644 index 000000000..a3ca96349 --- /dev/null +++ b/include/nil/crypto3/zk/snark/commitments/batched_kate.hpp @@ -0,0 +1,72 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_BATCHED_KATE_COMMITMENT_SCHEME_HPP +#define CRYPTO3_ZK_BATCHED_KATE_COMMITMENT_SCHEME_HPP + +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + + /** + * @brief Based on the Ploynomial Commitment description from \[Plonk]. + * + * References: + * \[Plonk]: + * "PlonK: Permutations over Lagrange-bases for + * Oecumenical Noninteractive arguments of Knowledge", + * Ariel Gabizon, Zachary J. Williamson, Oana Ciobotaru, + * Aztec, + * + */ + class batched_kate_commitment_scheme: commitment_scheme<...> { + typedef TCommitment ...; + typedef TDecommitmentInfo ...; + typedef TSRS ...; + typedef TData ...; + public: + + virtual std::pair commit (TSRS PK, TData phi){ + + } + + virtual ... open(TSRS PK, TCommitment C, TData phi, TDecommitmentInfo d){ + + } + + virtual bool verify(TSRS PK, TCommitment C, TData phi, TDecommitmentInfo d){ + + } + }; + + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_BATCHED_KATE_COMMITMENT_SCHEME_HPP diff --git a/include/nil/crypto3/zk/snark/commitments/commitment.hpp b/include/nil/crypto3/zk/snark/commitments/commitment.hpp new file mode 100644 index 000000000..7edfca4f2 --- /dev/null +++ b/include/nil/crypto3/zk/snark/commitments/commitment.hpp @@ -0,0 +1,60 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_COMMITMENT_SCHEME_HPP +#define CRYPTO3_ZK_COMMITMENT_SCHEME_HPP + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + + /** + * @brief Based on the Ploynomial Commitment description from \[Kate]. + * + * References: + * \[Kate]: + * "Constant-Size Commitments to Polynomials and Their Applications", + * Aniket Kate, Gregory M. Zaverucha, and Ian Goldberg, + * ASIACRYPT 2010, + * + */ + + template + struct commitment_scheme { + + virtual std::pair commit (TSRS PK, TData phi) = 0; + + virtual ... open(TSRS PK, TCommitment C, TData phi, TDecommitmentInfo d) = 0; + + virtual bool verify(TSRS PK, TCommitment C, TData phi, TDecommitmentInfo d) = 0; + }; + + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_COMMITMENT_SCHEME_HPP diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp new file mode 100644 index 000000000..16306ba2c --- /dev/null +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -0,0 +1,99 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_FRI_COMMITMENT_SCHEME_HPP +#define CRYPTO3_ZK_FRI_COMMITMENT_SCHEME_HPP + +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + + /** + * @brief Based on the FRI Commitment description from \[ResShift]. + * @tparam d ... + * @tparam Rounds Denoted by r in \[RedShift]. + * + * References: + * \[RedShift]: + * "REDSHIFT: Transparent SNARKs from List + * Polynomial Commitment IOPs", + * Assimakis Kattis, Konstantin Panarin, Alexander Vlasov, + * Matter Labs, + * + */ + template + class fri_commitment_scheme: commitment_scheme<...> { + typedef std::array, Rounds> TCommitment; + typedef std::array TDecommitmentInfo; + typedef ... TSRS; + typedef std::tuple, std::array> TData; //f_0 and x_0...x_{r-1} + public: + + virtual std::pair commit (TSRS PK, TData data){ + TCommitment f; + f[0] = std::get<0>(data); + + for (std::size_t i = 0; i < Rounds - 1; i++){ + + math::polynomial<...> p_yi = math::make_interpolant(f[i], S_y(x)); + f[i + 1] = p_yi(std::get<1>(data)[i]); + } + + math::polynomial<...> p_yr = math::make_interpolant(f[r-1], S_y(x)); + + math::polynomial<...> f_r = p_yr(std::get<1>(data)[r]); + std::array a = math::get_polynom_coefs(f_r); + + return std::make_pair(f, a); + } + + virtual ... open(TSRS PK, TCommitment C, TData phi, TDecommitmentInfo d){ + + } + + virtual bool verify(TSRS PK, TCommitment f, ... a, TDecommitmentInfo d){ + a = get<1>(C); + math::polynomial f_r(a); + + std::array<..., r + 1> s; + s[0] = random<...>(...); + + for (std::size_t i = 0; i < r; i++){ + s[i + 1] = q(s[i]); + } + + ... + } + }; + + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_FRI_COMMITMENT_SCHEME_HPP From 3216d9c45b6d1cf8d80a6ff2d7a537ee932f8bcd Mon Sep 17 00:00:00 2001 From: nkaskov Date: Sat, 30 Oct 2021 16:01:38 +0300 Subject: [PATCH 006/219] Redshift verifier and proof inited. #20 --- .../schemes/plonk/redshift/generator.hpp | 2 +- .../zk/snark/schemes/plonk/redshift/proof.hpp | 7 +- .../snark/schemes/plonk/redshift/prover.hpp | 36 +++++--- .../zk/snark/schemes/plonk/redshift/types.hpp | 4 +- .../snark/schemes/plonk/redshift/verifier.hpp | 83 +++++++++++++++++++ 5 files changed, 115 insertions(+), 17 deletions(-) diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/generator.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/generator.hpp index 877e4f0fe..0a07918b1 100644 --- a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/generator.hpp +++ b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/generator.hpp @@ -126,7 +126,7 @@ namespace nil { math::polynomial::polynom Z = polynom_by_zeros(H_star); - typename types_policy::verification_key_type vk(S_id, S_sigma, q_selectors, PI, Z); + typename types_policy::verification_key_type vk(S_id, S_sigma, q_selectors, L_basis, PI, Z); typename types_policy::proving_key_type pk(S_id, S_sigma, q_selectors, L_basis, f, Z); diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/proof.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/proof.hpp index 473ac413c..435b41841 100644 --- a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/proof.hpp +++ b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/proof.hpp @@ -35,7 +35,12 @@ namespace nil { template struct redshift_proof { - + std::vector> f_commitments; + + std::fri_commitment_cheme<...> P_commitment; + std::fri_commitment_cheme<...> Q_commitment; + + std::vector> T; }; } // namespace snark } // namespace zk diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/prover.hpp index 236722b3b..be4b12113 100644 --- a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/prover.hpp @@ -41,10 +41,15 @@ namespace nil { using transcript_manifest = types_policy::prover_fiat_shamir_heuristic_manifest<6>; public: - static inline proof_type process(const proving_key_type &proving_key, - const primary_input_type &primary_input, - const auxiliary_input_type &auxiliary_input) { + static inline typename types_policy::proof_type process( + const types_policy::proving_key_type &proving_key, + const types_policy::primary_input_type &primary_input, + const types_policy::auxiliary_input_type &auxiliary_input) { + std::size_t N_wires = primary_input.size() + auxiliary_input.size(); + std::size_t N_perm = ...; + std::size_t N_sel = ...; + std::size_t N_const = ...; fiat_shamir_heuristic transcript; @@ -117,19 +122,18 @@ namespace nil { transcript(Q_commitment); std::array alphas; - std::vector<> alpha_bytes; for (std::size_t i = 0; i < 6; i++){ hashes::sha2::digest_type alpha_bytes = transcript.get_challenge(); - alphas.push_back(algebra::marshalling(alpha_bytes)); + alphas[i] = (algebra::marshalling(alpha_bytes)); } std::array, 6> F; - F[0] = proving_key.L[1] * (P - 1); - F[1] = proving_key.L[1] * (Q - 1); + F[0] = proving_key.L_basis[1] * (P - 1); + F[1] = proving_key.L_basis[1] * (Q - 1); F[2] = P * p_1 - (P << 1); F[3] = Q * q_1 - (Q << 1); - F[4] = proving_key.L[n] * ((P << 1) - (Q << 1)); + F[4] = proving_key.L_basis[n] * ((P << 1) - (Q << 1)); F[5] = proving_key.PI; for (std::size_t i = 0; i < N_sel; i++) { @@ -140,20 +144,28 @@ namespace nil { F[5] += proving_key.f_c[i]; } - math::polynomial::polynom<...> F_precommit = 0; + math::polynomial::polynom<...> F_consolidated = 0; for (std::size_t i = 0; i < 6; i++) { - F_precommit = a[i] * F[i]; + F_consolidated = a[i] * F[i]; } - math::polynomial::polynom<...> T_precommit = F_precommit/Z; + math::polynomial::polynom<...> T_consolidated = F_consolidated/Z; std::vector> T(N_perm + 2); - T = separate_T(T_precommit); + T = separate_T(T_consolidated); std::vector> T_commitments(N_perm + 2); for (std::size_t i = 0; i < N_perm + 2){ T_commitments[i].commit(T[i]); } + + ... + + typename types_policy::proof_type proof = typename types_policy::proof_type( + std::move(f_commitments), std::move(P_commitment), + std::move(Q_commitment), std::move(T_commitments)); + + return proof; } }; } // namespace snark diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/types.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/types.hpp index 401022ea9..9966174a0 100644 --- a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/types.hpp +++ b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/types.hpp @@ -88,9 +88,7 @@ namespace nil { beta, gamma, alpha, - zeta = alpha + AlphasAmount, - nu, - u + upsilon = alpha + AlphasAmount }; }; }; diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/verifier.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/verifier.hpp index 6eb4f6277..82864aab1 100644 --- a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/verifier.hpp +++ b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/verifier.hpp @@ -36,8 +36,91 @@ namespace nil { template class redshift_verifier { + + using types_policy = redshift_types_policy; + using transcript_manifest = types_policy::prover_fiat_shamir_heuristic_manifest<6>; using constraint_system_type = plonk_constraint_system; + public: + + static inline bool process (const types_policy::verification_key_type &verification_key, + const types_policy::primary_input_type &primary_input, + const types_policy::proof_type &proof){ + + std::size_t N_wires = ...; + std::size_t N_perm = ...; + std::size_t N_sel = ...; + std::size_t N_const = ...; + + fiat_shamir_heuristic transcript; + + ... setup_values = ...; + transcript(setup_values); + + for (std::size_t i = 0; i < N_wires; i++){ + transcript(proof.f_commitments[i]); + } + + hashes::sha2::digest_type beta_bytes = + transcript.get_challenge(); + + hashes::sha2::digest_type gamma_bytes = + transcript.get_challenge(); + + typename TCurve::scalar_field_type::value_type beta = + algebra::marshalling(beta_bytes); + typename TCurve::scalar_field_type::value_type gamma = + algebra::marshalling(gamma_bytes); + + transcript(proof.P_commitment); + transcript(proof.Q_commitment); + + std::array alphas; + for (std::size_t i = 0; i < 6; i++){ + hashes::sha2::digest_type alpha_bytes = + transcript.get_challenge(); + alphas[i] = (algebra::marshalling(alpha_bytes)); + } + + for (std::size_t i = 0; i < N_perm + 2; i++){ + transcript(proof.T_commitments[i]); + } + + hashes::sha2::digest_type upsilon_bytes = + transcript.get_challenge(); + + typename TCurve::scalar_field_type::value_type upsilon = + algebra::marshalling(upsilon_bytes); + + ... + + std::array, 6> F; + F[0] = verification_key.L_basis[1] * (P - 1); + F[1] = verification_key.L_basis[1] * (Q - 1); + F[2] = P * p_1 - (P << 1); + F[3] = Q * q_1 - (Q << 1); + F[4] = verification_key.L_basis[n] * ((P << 1) - (Q << 1)); + F[5] = verification_key.PI; + + for (std::size_t i = 0; i < N_sel; i++) { + F[5] += q[i] * ....gate[i]; + } + + for (std::size_t i = 0; i < N_const; i++) { + F[5] += verification_key.f_c[i]; + } + + math::polynomial::polynom<...> T_consolidate; + T_consolidate = consolidate_T(T); + + math::polynomial::polynom<...> F_consolidated = 0; + for (std::size_t i = 0; i < 6; i++) { + F_consolidated = a[i] * F[i]; + } + + return (F_consolidated == verification_key.Z*T); + } + }; } // namespace snark } // namespace zk From 3c29da17bc14b6376649c05cfdb53b45013cddc2 Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Thu, 11 Nov 2021 20:18:59 +0300 Subject: [PATCH 007/219] Minor reformatting done #20 --- .../zk/snark/schemes/plonk/kate/proof.hpp | 3 +- .../zk/snark/schemes/plonk/kate/prover.hpp | 193 ++++++++-------- .../snark/schemes/plonk/kate/proving_key.hpp | 207 ++++++++---------- .../schemes/plonk/kate/verification_key.hpp | 96 ++++---- .../zk/snark/schemes/plonk/kate/verifier.hpp | 163 +++++++------- .../schemes/plonk/redshift/generator.hpp | 48 ++-- .../snark/schemes/plonk/redshift/params.hpp | 8 +- .../snark/schemes/plonk/redshift/prover.hpp | 64 +++--- .../schemes/plonk/redshift/proving_key.hpp | 5 +- .../zk/snark/schemes/plonk/redshift/types.hpp | 9 +- .../plonk/redshift/verification_key.hpp | 7 +- .../snark/schemes/plonk/redshift/verifier.hpp | 31 ++- 12 files changed, 413 insertions(+), 421 deletions(-) diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/kate/proof.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/kate/proof.hpp index a0cc33248..da18011a3 100644 --- a/include/nil/crypto3/zk/snark/schemes/plonk/kate/proof.hpp +++ b/include/nil/crypto3/zk/snark/schemes/plonk/kate/proof.hpp @@ -33,8 +33,7 @@ namespace nil { namespace zk { namespace snark { - template + template class plonk_proof; template diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/kate/prover.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/kate/prover.hpp index c7142878a..c3913945f 100644 --- a/include/nil/crypto3/zk/snark/schemes/plonk/kate/prover.hpp +++ b/include/nil/crypto3/zk/snark/schemes/plonk/kate/prover.hpp @@ -34,8 +34,7 @@ namespace nil { namespace zk { namespace snark { - template + template class plonk_prover; template @@ -50,7 +49,8 @@ namespace nil { std::vector sigma_3_mapping; std::vector> random_widgets; - std::vector>> transition_widgets; + std::vector>> + transition_widgets; transcript::StandardTranscript transcript; std::shared_ptr> key; @@ -63,22 +63,19 @@ namespace nil { plonk_proof proof; public: - plonk_prover(std::shared_ptr> input_key, - std::shared_ptr input_witness, - const transcript::Manifest& input_manifest) - : n(input_key == nullptr ? 0 : input_key->n) - , transcript(input_manifest, hash_type, num_challenge_bytes) - , key(input_key) - , witness(input_witness) - , queue(key.get(), witness.get(), &transcript) - { + std::shared_ptr + input_witness, + const transcript::Manifest &input_manifest) : + n(input_key == nullptr ? 0 : input_key->n), + transcript(input_manifest, hash_type, num_challenge_bytes), key(input_key), + witness(input_witness), queue(key.get(), witness.get(), &transcript) { if (input_witness && witness->wires.count("z") == 0) { - witness->wires.insert({ "z", math::polynomial(n, n) }); + witness->wires.insert({"z", math::polynomial(n, n)}); } } - plonk_prover& operator=(plonk_prover&& other) { + plonk_prover &operator=(plonk_prover &&other) { n = other.n; random_widgets.resize(0); @@ -98,14 +95,10 @@ namespace nil { return *this; } - plonk_prover(plonk_prover &&other) - : n(other.n) - , transcript(other.transcript) - , key(std::move(other.key)) - , witness(std::move(other.witness)) - , commitment(std::move(other.commitment)) - , queue(key.get(), witness.get(), &transcript) - { + plonk_prover(plonk_prover &&other) : + n(other.n), transcript(other.transcript), key(std::move(other.key)), + witness(std::move(other.witness)), commitment(std::move(other.commitment)), + queue(key.get(), witness.get(), &transcript) { for (size_t i = 0; i < other.random_widgets.size(); ++i) { random_widgets.emplace_back(std::move(other.random_widgets[i])); } @@ -118,14 +111,14 @@ namespace nil { for (size_t i = 0; i < settings::program_width; ++i) { std::string wire_tag = "w_" + std::to_string(i + 1); std::string commit_tag = "W_" + std::to_string(i + 1); - typename TCurve::scalar_field_type::value_type* coefficients = + typename TCurve::scalar_field_type::value_type *coefficients = witness->wires.at(wire_tag).get_coefficients(); - commitment->commit(coefficients, commit_tag, - typename TCurve::scalar_field_type::value_type::zero(), queue); + commitment->commit(coefficients, commit_tag, + typename TCurve::scalar_field_type::value_type::zero(), queue); } // add public inputs - const math::polynomial& public_wires_source = key->wire_ffts.at("w_2_fft"); + const math::polynomial &public_wires_source = key->wire_ffts.at("w_2_fft"); std::vector public_wires; for (size_t i = 0; i < key->num_public_inputs; ++i) { public_wires.push_back(public_wires_source[i]); @@ -134,11 +127,13 @@ namespace nil { } void compute_quotient_pre_commitment() { - // In this method, we compute the commitments to polynomials t_{low}(X), t_{mid}(X) and t_{high}(X). - // Recall, the quotient polynomial t(X) = t_{low}(X) + t_{mid}(X).X^n + t_{high}(X).X^{2n} + // In this method, we compute the commitments to polynomials t_{low}(X), t_{mid}(X) and + // t_{high}(X). Recall, the quotient polynomial t(X) = t_{low}(X) + t_{mid}(X).X^n + + // t_{high}(X).X^{2n} // // The reason we split t(X) into three degree-n polynomials is because: - // (i) We want the opening proof polynomials bounded by degree n as the opening algorithm of the + // (i) We want the opening proof polynomials bounded by degree n as the opening algorithm of + // the // polynomial commitment scheme results in O(n) prover computation. // (ii) The size of the srs restricts us to compute commitments to polynomials of degree n // (and disallows for degree 2n and 3n for large n). @@ -151,92 +146,95 @@ namespace nil { // = n * program_width - program_width - 1 + k // // Since we must cut atleast 4 roots from the vanishing polynomial - // (refer to ./src/aztec/plonk/proof_system/widgets/random_widgets/permutation_widget_impl.hpp/L247), - // k = 4 => deg(t) = n * program_width - program_width + 3 + // (refer to + // ./src/aztec/plonk/proof_system/widgets/random_widgets/permutation_widget_impl.hpp/L247), k = + // 4 => deg(t) = n * program_width - program_width + 3 // // For standard plonk, program_width = 3 and thus, deg(t) = 3n. This implies that there would be - // (3n + 1) coefficients of t(X). Now, splitting them into t_{low}(X), t_{mid}(X) and t_{high}(X), - // t_{high} will have (n+1) coefficients while t_{low} and t_{mid} will have n coefficients. - // This means that to commit t_{high}, we need a multi-scalar multiplication of size (n+1). - // Thus, we first compute the commitments to t_{low}(X), t_{mid}(X) using n multi-scalar multiplications - // each and separately compute commitment to t_{high} which is of size (n + 1). - // Note that this must be done only when program_width = 3. + // (3n + 1) coefficients of t(X). Now, splitting them into t_{low}(X), t_{mid}(X) and + // t_{high}(X), t_{high} will have (n+1) coefficients while t_{low} and t_{mid} will have n + // coefficients. This means that to commit t_{high}, we need a multi-scalar multiplication of + // size (n+1). Thus, we first compute the commitments to t_{low}(X), t_{mid}(X) using n + // multi-scalar multiplications each and separately compute commitment to t_{high} which is of + // size (n + 1). Note that this must be done only when program_width = 3. // // - // NOTE: If in future there is a need to cut off more zeros off the vanishing polynomial, the degree of - // the quotient polynomial t(X) will increase, so the degrees of t_{high}, t_{mid}, t_{low} could also - // increase according to the type of the composer type we are using. Currently, for TurboPLONK and Ultra- - // PLONK, the degree of t(X) is (4n - 1) and hence each t_{low}, t_{mid}, t_{high}, t_{higher} each is of - // degree (n - 1) (and thus contains n coefficients). Therefore, we are on the brink! - // If we need to cut out more zeros off the vanishing polynomial, sizes of coefficients of individual - // t_{i} would change and so we will have to ensure the correct size of multi-scalar multiplication in - // computing the commitments to these polynomials. + // NOTE: If in future there is a need to cut off more zeros off the vanishing polynomial, the + // degree of the quotient polynomial t(X) will increase, so the degrees of t_{high}, t_{mid}, + // t_{low} could also increase according to the type of the composer type we are using. + // Currently, for TurboPLONK and Ultra- PLONK, the degree of t(X) is (4n - 1) and hence each + // t_{low}, t_{mid}, t_{high}, t_{higher} each is of degree (n - 1) (and thus contains n + // coefficients). Therefore, we are on the brink! If we need to cut out more zeros off the + // vanishing polynomial, sizes of coefficients of individual t_{i} would change and so we will + // have to ensure the correct size of multi-scalar multiplication in computing the commitments + // to these polynomials. // for (size_t i = 0; i < program_width - 1; ++i) { const size_t offset = n * i; - typename TCurve::scalar_field_type::value_type* coefficients = &key->quotient_large.get_coefficients()[offset]; + typename TCurve::scalar_field_type::value_type *coefficients = + &key->quotient_large.get_coefficients()[offset]; std::string quotient_tag = "T_" + std::to_string(i + 1); - commitment->commit(coefficients, quotient_tag, - typename TCurve::scalar_field_type::value_type::zero(), queue); + commitment->commit(coefficients, quotient_tag, + typename TCurve::scalar_field_type::value_type::zero(), queue); } - typename TCurve::scalar_field_type::value_type* coefficients = + typename TCurve::scalar_field_type::value_type *coefficients = &key->quotient_large.get_coefficients()[(program_width - 1) * n]; std::string quotient_tag = "T_" + std::to_string(program_width); - typename TCurve::scalar_field_type::value_type program_flag = - program_width == 3 ? typename TCurve::scalar_field_type::value_type::one() : typename TCurve::scalar_field_type::value_type::zero(); + typename TCurve::scalar_field_type::value_type program_flag = + program_width == 3 ? typename TCurve::scalar_field_type::value_type::one() : + typename TCurve::scalar_field_type::value_type::zero(); commitment->commit(coefficients, quotient_tag, program_flag, queue); } void execute_preamble_round() { queue.flush_queue(); transcript.add_element("circuit_size", - { static_cast(n >> 24), - static_cast(n >> 16), - static_cast(n >> 8), - static_cast(n) }); + {static_cast(n >> 24), static_cast(n >> 16), + static_cast(n >> 8), static_cast(n)}); transcript.add_element("public_input_size", - { static_cast(key->num_public_inputs >> 24), - static_cast(key->num_public_inputs >> 16), - static_cast(key->num_public_inputs >> 8), - static_cast(key->num_public_inputs) }); + {static_cast(key->num_public_inputs >> 24), + static_cast(key->num_public_inputs >> 16), + static_cast(key->num_public_inputs >> 8), + static_cast(key->num_public_inputs)}); transcript.apply_fiat_shamir("init"); for (size_t i = 0; i < settings::program_width; ++i) { // fetch witness wire w_i std::string wire_tag = "w_" + std::to_string(i + 1); - math::polynomial& wire = witness->wires.at(wire_tag); + math::polynomial &wire = witness->wires.at(wire_tag); /* Adding zero knowledge to the witness polynomials. */ - // To ensure that PLONK is honest-verifier zero-knowledge, we need to ensure that the witness polynomials - // and the permutation polynomial look uniformly random to an adversary. To make the witness polynomials - // a(X), b(X) and c(X) uniformly random, we need to add 2 random blinding factors into each of them. - // i.e. a'(X) = a(X) + (r_1X + r_2) - // where r_1 and r_2 are uniformly random scalar field elements. A natural question is: - // Why do we need 2 random scalars in witness polynomials? The reason is: our witness polynomials are - // evaluated at only 1 point (\scripted{z}), so adding a random degree-1 polynomial suffices. + // To ensure that PLONK is honest-verifier zero-knowledge, we need to ensure that the + // witness polynomials and the permutation polynomial look uniformly random to an adversary. + // To make the witness polynomials a(X), b(X) and c(X) uniformly random, we need to add 2 + // random blinding factors into each of them. i.e. a'(X) = a(X) + (r_1X + r_2) where r_1 and + // r_2 are uniformly random scalar field elements. A natural question is: Why do we need 2 + // random scalars in witness polynomials? The reason is: our witness polynomials are + // evaluated at only 1 point (\scripted{z}), so adding a random degree-1 polynomial + // suffices. // - // NOTE: In TurboPlonk and UltraPlonk, the witness polynomials are evaluated at 2 points and thus - // we need to add 3 random scalars in them. + // NOTE: In TurboPlonk and UltraPlonk, the witness polynomials are evaluated at 2 points and + // thus we need to add 3 random scalars in them. // // We start adding random scalars in `wire` polynomials from index (n - k) upto (n - k + 2). - // For simplicity, we add 3 random scalars even for standard plonk (recall, just 2 of them are required) - // since an additional random scalar would not affect things. + // For simplicity, we add 3 random scalars even for standard plonk (recall, just 2 of them + // are required) since an additional random scalar would not affect things. // - // NOTE: If in future there is a need to cut off more zeros off the vanishing polynomial, this method - // will not change. This must be changed only if the number of evaluations of witness polynomials - // change. + // NOTE: If in future there is a need to cut off more zeros off the vanishing polynomial, + // this method will not change. This must be changed only if the number of evaluations of + // witness polynomials change. // const size_t w_randomness = 3; ASSERT(w_randomness < settings::num_roots_cut_out_of_vanishing_polynomial); for (size_t k = 0; k < w_randomness; ++k) { - wire.at(n - settings::num_roots_cut_out_of_vanishing_polynomial + k) = + wire.at(n - settings::num_roots_cut_out_of_vanishing_polynomial + k) = algebra::random_element(typename TCurve::scalar_field_type); } - math::polynomial& wire_fft = key->wire_ffts.at(wire_tag + "_fft"); + math::polynomial &wire_fft = key->wire_ffts.at(wire_tag + "_fft"); math::polynomial_arithmetic::copy_polynomial(&wire[0], &wire_fft[0], n, n); queue.add_to_queue({ work_queue::WorkType::IFFT, @@ -251,7 +249,7 @@ namespace nil { void execute_first_round() { queue.flush_queue(); compute_wire_pre_commitments(); - for (auto& widget : random_widgets) { + for (auto &widget : random_widgets) { widget->compute_round_commitments(transcript, 1, queue); } } @@ -259,7 +257,7 @@ namespace nil { void execute_second_round() { queue.flush_queue(); transcript.apply_fiat_shamir("eta"); - for (auto& widget : random_widgets) { + for (auto &widget : random_widgets) { widget->compute_round_commitments(transcript, 2, queue); } } @@ -267,7 +265,7 @@ namespace nil { void execute_third_round() { queue.flush_queue(); transcript.apply_fiat_shamir("beta"); - for (auto& widget : random_widgets) { + for (auto &widget : random_widgets) { widget->compute_round_commitments(transcript, 3, queue); } @@ -287,18 +285,18 @@ namespace nil { queue.flush_queue(); transcript.apply_fiat_shamir("alpha"); - typename TCurve::scalar_field_type::value_type alpha_base = + typename TCurve::scalar_field_type::value_type alpha_base = typename TCurve::scalar_field_type::value_type::serialize_from_buffer( transcript.get_challenge("alpha").begin()); - for (auto& widget : random_widgets) { + for (auto &widget : random_widgets) { alpha_base = widget->compute_quotient_contribution(alpha_base, transcript); } - for (auto& widget : transition_widgets) { + for (auto &widget : transition_widgets) { alpha_base = widget->compute_quotient_contribution(alpha_base, transcript); } - typename TCurve::scalar_field_type::value_type* q_mid = &key->quotient_mid[0]; - typename TCurve::scalar_field_type::value_type* q_large = &key->quotient_large[0]; + typename TCurve::scalar_field_type::value_type *q_mid = &key->quotient_mid[0]; + typename TCurve::scalar_field_type::value_type *q_large = &key->quotient_large[0]; if constexpr (settings::uses_quotient_mid) { math::polynomial_arithmetic::divide_by_pseudo_vanishing_polynomial( @@ -320,7 +318,7 @@ namespace nil { void execute_fifth_round() { queue.flush_queue(); - transcript.apply_fiat_shamir("z"); // end of 4th round + transcript.apply_fiat_shamir("z"); // end of 4th round compute_linearisation_coefficients(); } @@ -333,21 +331,25 @@ namespace nil { typename TCurve::scalar_field_type::value_type compute_linearisation_coefficients() { - typename TCurve::scalar_field_type::value_type zeta = - crypto3::marshalling::algebra>(transcript.get_challenge("z").begin()); + typename TCurve::scalar_field_type::value_type zeta = crypto3::marshalling::algebra < + typename TCurve::scalar_field_type >> + (transcript.get_challenge("z").begin()); - math::polynomial& r = key->linear_poly; + math::polynomial &r = key->linear_poly; commitment->add_opening_evaluations_to_transcript(transcript, key, witness, false); - typename TCurve::scalar_field_type::value_type t_eval = key->quotient_large.evaluate(zeta, 4 * n); + typename TCurve::scalar_field_type::value_type t_eval = + key->quotient_large.evaluate(zeta, 4 * n); if constexpr (use_linearisation) { - typename TCurve::scalar_field_type::value_type alpha_base = typename TCurve::scalar_field_type::value_type::serialize_from_buffer(transcript.get_challenge("alpha").begin()); + typename TCurve::scalar_field_type::value_type alpha_base = + typename TCurve::scalar_field_type::value_type::serialize_from_buffer( + transcript.get_challenge("alpha").begin()); - for (auto& widget : random_widgets) { + for (auto &widget : random_widgets) { alpha_base = widget->compute_linear_contribution(alpha_base, transcript, r); } - for (auto& widget : transition_widgets) { + for (auto &widget : transition_widgets) { alpha_base = widget->compute_linear_contribution(alpha_base, transcript, &r[0]); } typename TCurve::scalar_field_type::value_type linear_eval = r.evaluate(zeta, n); @@ -357,12 +359,12 @@ namespace nil { return t_eval; } - plonk_proof& export_proof() { + plonk_proof &export_proof() { proof.proof_data = transcript.export_transcript(); return proof; } - plonk_proof& construct_proof() { + plonk_proof &construct_proof() { execute_preamble_round(); queue.process_queue(); execute_first_round(); @@ -381,7 +383,8 @@ namespace nil { void reset() { transcript::Manifest manifest = transcript.get_manifest(); - transcript = transcript::StandardTranscript(manifest, settings::hash_type, settings::num_challenge_bytes); + transcript = transcript::StandardTranscript(manifest, settings::hash_type, + settings::num_challenge_bytes); } }; } // namespace snark diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/kate/proving_key.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/kate/proving_key.hpp index d3a6a16bd..cd8ee52eb 100644 --- a/include/nil/crypto3/zk/snark/schemes/plonk/kate/proving_key.hpp +++ b/include/nil/crypto3/zk/snark/schemes/plonk/kate/proving_key.hpp @@ -50,8 +50,7 @@ namespace nil { std::map permutation_selector_ffts; }; - inline bool operator==(plonk_proving_key_data const& lhs, plonk_proving_key_data const& rhs) - { + inline bool operator==(plonk_proving_key_data const &lhs, plonk_proving_key_data const &rhs) { return lhs.n == rhs.n && lhs.num_public_inputs == rhs.num_public_inputs && lhs.constraint_selectors == rhs.constraint_selectors && lhs.constraint_selector_ffts == rhs.constraint_selector_ffts && @@ -67,7 +66,7 @@ namespace nil { template class plonk_proving_key> { - constexpr static const std::size_t scalar_bytes = TCurve::scalar_field_type::value_bits/BYTE_BITS; + constexpr static const std::size_t scalar_bytes = TCurve::scalar_field_type::value_bits / BYTE_BITS; std::size_t n; std::size_t num_public_inputs; @@ -103,8 +102,8 @@ namespace nil { bool contains_recursive_proof = false; std::vector recursive_proof_public_input_indices; static constexpr std::size_t min_thread_block = 4UL; - public: + public: enum LookupType { NONE, ABSOLUTE_LOOKUP, @@ -112,38 +111,34 @@ namespace nil { }; plonk_proving_key(const std::size_t num_gates, - const std::size_t num_inputs, - std::shared_ptr const& crs) - : n(num_gates) - , num_public_inputs(num_inputs) - , small_domain(n, n) - , mid_domain(2 * n, n > min_thread_block ? n : 2 * n) - , large_domain(4 * n, n > min_thread_block ? n : 4 * n) - , reference_string(crs) - , pippenger_runtime_state(n + 1) - { + const std::size_t num_inputs, + std::shared_ptr const &crs) : + n(num_gates), + num_public_inputs(num_inputs), small_domain(n, n), + mid_domain(2 * n, n > min_thread_block ? n : 2 * n), + large_domain(4 * n, n > min_thread_block ? n : 4 * n), reference_string(crs), + pippenger_runtime_state(n + 1) { init(); } - plonk_proving_key(plonk_proving_key_data&& data, std::shared_ptr const& crs) - : n(data.n) - , num_public_inputs(data.num_public_inputs) - , constraint_selectors(std::move(data.constraint_selectors)) - , constraint_selector_ffts(std::move(data.constraint_selector_ffts)) - , permutation_selectors(std::move(data.permutation_selectors)) - , permutation_selectors_lagrange_base(std::move(data.permutation_selectors_lagrange_base)) - , permutation_selector_ffts(std::move(data.permutation_selector_ffts)) - , small_domain(n, n) - , mid_domain(2 * n, n > min_thread_block ? n : 2 * n) - , large_domain(4 * n, n > min_thread_block ? n : 4 * n) - , reference_string(crs) - , pippenger_runtime_state(n + 1) - , contains_recursive_proof(data.contains_recursive_proof) - , recursive_proof_public_input_indices(std::move(data.recursive_proof_public_input_indices)) - { + plonk_proving_key(plonk_proving_key_data &&data, + std::shared_ptr const &crs) : + n(data.n), + num_public_inputs(data.num_public_inputs), + constraint_selectors(std::move(data.constraint_selectors)), + constraint_selector_ffts(std::move(data.constraint_selector_ffts)), + permutation_selectors(std::move(data.permutation_selectors)), + permutation_selectors_lagrange_base(std::move(data.permutation_selectors_lagrange_base)), + permutation_selector_ffts(std::move(data.permutation_selector_ffts)), small_domain(n, n), + mid_domain(2 * n, n > min_thread_block ? n : 2 * n), + large_domain(4 * n, n > min_thread_block ? n : 4 * n), reference_string(crs), + pippenger_runtime_state(n + 1), contains_recursive_proof(data.contains_recursive_proof), + recursive_proof_public_input_indices(std::move(data.recursive_proof_public_input_indices)) { init(); // TODO: Currently only supporting TurboComposer in serialization! - std::copy(turbo_polynomial_manifest, turbo_polynomial_manifest + 20, std::back_inserter(polynomial_manifest)); + std::copy(turbo_polynomial_manifest, + turbo_polynomial_manifest + 20, + std::back_inserter(polynomial_manifest)); } void init() { @@ -167,15 +162,17 @@ namespace nil { lagrange_1.add_lagrange_base_coefficient(lagrange_1[6]); lagrange_1.add_lagrange_base_coefficient(lagrange_1[7]); - // The opening polynomial W_{\script{z}}(X) in round 5 of prover's algorithm has degree n. However, - // as explained in (./src/aztec/plonk/proof_system/prover/prover.cpp/ProverBase::compute_quotient_pre_commitment), - // for standard plonk (program_width = 3) and number of roots cut out of the vanishing polynomial is 4, - // the degree of the quotient polynomial t(X) is 3n. Thus, the number of coefficients in t_{high} is (n + 1). - // But our prover algorithm assumes that each of t_{low}, t_{mid}, t_{high} is of degree (n - 1) (i.e. n coefficients in each). - // Note that: + // The opening polynomial W_{\script{z}}(X) in round 5 of prover's algorithm has degree n. + // However, as explained in + // (./src/aztec/plonk/proof_system/prover/prover.cpp/ProverBase::compute_quotient_pre_commitment), + // for standard plonk (program_width = 3) and number of roots cut out of the vanishing + // polynomial is 4, the degree of the quotient polynomial t(X) is 3n. Thus, the number of + // coefficients in t_{high} is (n + 1). But our prover algorithm assumes that each of t_{low}, + // t_{mid}, t_{high} is of degree (n - 1) (i.e. n coefficients in each). Note that: // deg(W_{\script{z}}) = max{ deg(t_{low}), deg(t_{mid}), deg(t_{high}), deg(a), deg(b), ... } // => deg(W_{\script{z}}) = n + 1 when program_width is 3! - // Therefore, when program_width is 3, we need to allow the degree of the opening polynomial to be (n + 1) and NOT n. + // Therefore, when program_width is 3, we need to allow the degree of the opening polynomial to + // be (n + 1) and NOT n. // opening_poly = math::polynomial(n, n); shifted_opening_poly = math::polynomial(n, n); @@ -184,11 +181,11 @@ namespace nil { quotient_mid = math::polynomial(2 * n, 2 * n); quotient_large = math::polynomial(4 * n, 4 * n); - memset((void*)&opening_poly[0], 0x00, scalar_bytes * n); - memset((void*)&shifted_opening_poly[0], 0x00, scalar_bytes * n); - memset((void*)&linear_poly[0], 0x00, scalar_bytes * n); - memset((void*)"ient_mid[0], 0x00, scalar_bytes * 2 * n); - memset((void*)"ient_large[0], 0x00, scalar_bytes * 4 * n); + memset((void *)&opening_poly[0], 0x00, scalar_bytes * n); + memset((void *)&shifted_opening_poly[0], 0x00, scalar_bytes * n); + memset((void *)&linear_poly[0], 0x00, scalar_bytes * n); + memset((void *)"ient_mid[0], 0x00, scalar_bytes * 2 * n); + memset((void *)"ient_large[0], 0x00, scalar_bytes * 4 * n); } void reset() { @@ -202,17 +199,17 @@ namespace nil { math::polynomial w_4_fft = math::polynomial(4 * n + 4, 4 * n + 4); math::polynomial z_fft = math::polynomial(4 * n + 4, 4 * n + 4); - memset((void*)&w_1_fft[0], 0x00, sizeof(scalar_bytes) * (4 * n + 4)); - memset((void*)&w_2_fft[0], 0x00, sizeof(scalar_bytes) * (4 * n + 4)); - memset((void*)&w_3_fft[0], 0x00, sizeof(scalar_bytes) * (4 * n + 4)); - memset((void*)&w_4_fft[0], 0x00, sizeof(scalar_bytes) * (4 * n + 4)); - memset((void*)&z_fft[0], 0x00, sizeof(scalar_bytes) * (4 * n + 4)); - - wire_ffts.insert({ "w_1_fft", std::move(w_1_fft) }); - wire_ffts.insert({ "w_2_fft", std::move(w_2_fft) }); - wire_ffts.insert({ "w_3_fft", std::move(w_3_fft) }); - wire_ffts.insert({ "w_4_fft", std::move(w_4_fft) }); - wire_ffts.insert({ "z_fft", std::move(z_fft) }); + memset((void *)&w_1_fft[0], 0x00, sizeof(scalar_bytes) * (4 * n + 4)); + memset((void *)&w_2_fft[0], 0x00, sizeof(scalar_bytes) * (4 * n + 4)); + memset((void *)&w_3_fft[0], 0x00, sizeof(scalar_bytes) * (4 * n + 4)); + memset((void *)&w_4_fft[0], 0x00, sizeof(scalar_bytes) * (4 * n + 4)); + memset((void *)&z_fft[0], 0x00, sizeof(scalar_bytes) * (4 * n + 4)); + + wire_ffts.insert({"w_1_fft", std::move(w_1_fft)}); + wire_ffts.insert({"w_2_fft", std::move(w_2_fft)}); + wire_ffts.insert({"w_3_fft", std::move(w_3_fft)}); + wire_ffts.insert({"w_4_fft", std::move(w_4_fft)}); + wire_ffts.insert({"z_fft", std::move(z_fft)}); } plonk_proving_key &operator=(const plonk_proving_key &other) { @@ -241,69 +238,57 @@ namespace nil { return *this; } - plonk_proving_key(const plonk_proving_key &other) - : n(other.n) - , num_public_inputs(other.num_public_inputs) - , constraint_selectors(other.constraint_selectors) - , constraint_selectors_lagrange_base(other.constraint_selectors_lagrange_base) - , constraint_selector_ffts(other.constraint_selector_ffts) - , permutation_selectors(other.permutation_selectors) - , permutation_selectors_lagrange_base(other.permutation_selectors_lagrange_base) - , permutation_selector_ffts(other.permutation_selector_ffts) - , wire_ffts(other.wire_ffts) - , small_domain(other.small_domain) - , mid_domain(other.mid_domain) - , large_domain(other.large_domain) - , reference_string(other.reference_string) - , lagrange_1(other.lagrange_1) - , opening_poly(other.opening_poly) - , shifted_opening_poly(other.shifted_opening_poly) - , linear_poly(other.linear_poly) - , quotient_mid(other.quotient_mid) - , quotient_large(other.quotient_large) - , pippenger_runtime_state(n + 1) - , polynomial_manifest(other.polynomial_manifest) - , contains_recursive_proof(other.contains_recursive_proof) - , recursive_proof_public_input_indices(other.recursive_proof_public_input_indices) - {} - - plonk_proving_key(plonk_proving_key &&other) - : n(other.n) - , num_public_inputs(other.num_public_inputs) - , constraint_selectors(other.constraint_selectors) - , constraint_selectors_lagrange_base(other.constraint_selectors_lagrange_base) - , constraint_selector_ffts(other.constraint_selector_ffts) - , permutation_selectors(other.permutation_selectors) - , permutation_selectors_lagrange_base(other.permutation_selectors_lagrange_base) - , permutation_selector_ffts(other.permutation_selector_ffts) - , wire_ffts(other.wire_ffts) - , small_domain(std::move(other.small_domain)) - , mid_domain(std::move(other.mid_domain)) - , large_domain(std::move(other.large_domain)) - , reference_string(std::move(other.reference_string)) - , lagrange_1(std::move(other.lagrange_1)) - , opening_poly(std::move(other.opening_poly)) - , shifted_opening_poly(std::move(other.shifted_opening_poly)) - , linear_poly(std::move(other.linear_poly)) - , pippenger_runtime_state(std::move(other.pippenger_runtime_state)) - , polynomial_manifest(std::move(other.polynomial_manifest)) - , contains_recursive_proof(other.contains_recursive_proof) - , recursive_proof_public_input_indices(std::move(other.recursive_proof_public_input_indices)) - {} + plonk_proving_key(const plonk_proving_key &other) : + n(other.n), num_public_inputs(other.num_public_inputs), + constraint_selectors(other.constraint_selectors), + constraint_selectors_lagrange_base(other.constraint_selectors_lagrange_base), + constraint_selector_ffts(other.constraint_selector_ffts), + permutation_selectors(other.permutation_selectors), + permutation_selectors_lagrange_base(other.permutation_selectors_lagrange_base), + permutation_selector_ffts(other.permutation_selector_ffts), wire_ffts(other.wire_ffts), + small_domain(other.small_domain), mid_domain(other.mid_domain), + large_domain(other.large_domain), reference_string(other.reference_string), + lagrange_1(other.lagrange_1), opening_poly(other.opening_poly), + shifted_opening_poly(other.shifted_opening_poly), linear_poly(other.linear_poly), + quotient_mid(other.quotient_mid), quotient_large(other.quotient_large), + pippenger_runtime_state(n + 1), polynomial_manifest(other.polynomial_manifest), + contains_recursive_proof(other.contains_recursive_proof), + recursive_proof_public_input_indices(other.recursive_proof_public_input_indices) { + } + + plonk_proving_key(plonk_proving_key &&other) : + n(other.n), num_public_inputs(other.num_public_inputs), + constraint_selectors(other.constraint_selectors), + constraint_selectors_lagrange_base(other.constraint_selectors_lagrange_base), + constraint_selector_ffts(other.constraint_selector_ffts), + permutation_selectors(other.permutation_selectors), + permutation_selectors_lagrange_base(other.permutation_selectors_lagrange_base), + permutation_selector_ffts(other.permutation_selector_ffts), wire_ffts(other.wire_ffts), + small_domain(std::move(other.small_domain)), mid_domain(std::move(other.mid_domain)), + large_domain(std::move(other.large_domain)), + reference_string(std::move(other.reference_string)), lagrange_1(std::move(other.lagrange_1)), + opening_poly(std::move(other.opening_poly)), + shifted_opening_poly(std::move(other.shifted_opening_poly)), + linear_poly(std::move(other.linear_poly)), + pippenger_runtime_state(std::move(other.pippenger_runtime_state)), + polynomial_manifest(std::move(other.polynomial_manifest)), + contains_recursive_proof(other.contains_recursive_proof), + recursive_proof_public_input_indices(std::move(other.recursive_proof_public_input_indices)) { + } std::size_t size_in_bits() const { - ???; + ? ? ? ; } bool operator==(const plonk_proving_key &other) const { return this->n == other.n && this->num_public_inputs == other.num_public_inputs && - this->constraint_selectors == other.constraint_selectors && - this->constraint_selector_ffts == other.constraint_selector_ffts && - this->permutation_selectors == other.permutation_selectors && - this->permutation_selectors_lagrange_base == other.permutation_selectors_lagrange_base && - this->permutation_selector_ffts == other.permutation_selector_ffts && - this->contains_recursive_proof == other.contains_recursive_proof && - this->recursive_proof_public_input_indices == other.recursive_proof_public_input_indices; + this->constraint_selectors == other.constraint_selectors && + this->constraint_selector_ffts == other.constraint_selector_ffts && + this->permutation_selectors == other.permutation_selectors && + this->permutation_selectors_lagrange_base == other.permutation_selectors_lagrange_base && + this->permutation_selector_ffts == other.permutation_selector_ffts && + this->contains_recursive_proof == other.contains_recursive_proof && + this->recursive_proof_public_input_indices == other.recursive_proof_public_input_indices; } }; } // namespace snark diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/kate/verification_key.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/kate/verification_key.hpp index a32e3bc5d..a54ebfb93 100644 --- a/include/nil/crypto3/zk/snark/schemes/plonk/kate/verification_key.hpp +++ b/include/nil/crypto3/zk/snark/schemes/plonk/kate/verification_key.hpp @@ -47,11 +47,10 @@ namespace nil { std::vector recursive_proof_public_input_indices; }; - inline bool operator==(plonk_verification_key_data const& lhs, plonk_verification_key_data const& rhs) - { + inline bool operator==(plonk_verification_key_data const &lhs, plonk_verification_key_data const &rhs) { return lhs.n == rhs.n && lhs.num_public_inputs == rhs.num_public_inputs && - lhs.constraint_selectors == rhs.constraint_selectors && - lhs.permutation_selectors == rhs.permutation_selectors; + lhs.constraint_selectors == rhs.constraint_selectors && + lhs.permutation_selectors == rhs.permutation_selectors; } template @@ -61,7 +60,7 @@ namespace nil { class plonk_verification_key> { using commitment_scheme_type = batched_kate_commitment_scheme<...>; - constexpr static const std::size_t scalar_bytes = TCurve::scalar_field_type::value_bits/BYTE_BITS; + constexpr static const std::size_t scalar_bytes = TCurve::scalar_field_type::value_bits / BYTE_BITS; std::size_t n; std::size_t num_public_inputs; @@ -83,33 +82,30 @@ namespace nil { bool contains_recursive_proof = false; std::vector recursive_proof_public_input_indices; std::size_t program_width = 3; - public: + public: plonk_verification_key(const std::size_t num_gates, - const std::size_t num_inputs, - std::shared_ptr const& crs) - : n(num_gates) - , num_public_inputs(num_inputs) - , domain(n) - , reference_string(crs) - {} - - plonk_verification_key(plonk_verification_key_data&& data, - std::shared_ptr const& crs) - : n(data.n) - , num_public_inputs(data.num_public_inputs) - , domain(n) - , reference_string(crs) - , constraint_selectors(std::move(data.constraint_selectors)) - , permutation_selectors(std::move(data.permutation_selectors)) - , contains_recursive_proof(data.contains_recursive_proof) - , recursive_proof_public_input_indices(std::move(data.recursive_proof_public_input_indices)) - { + const std::size_t num_inputs, + std::shared_ptr const &crs) : + n(num_gates), + num_public_inputs(num_inputs), domain(n), reference_string(crs) { + } + + plonk_verification_key(plonk_verification_key_data &&data, + std::shared_ptr const &crs) : + n(data.n), + num_public_inputs(data.num_public_inputs), domain(n), reference_string(crs), + constraint_selectors(std::move(data.constraint_selectors)), + permutation_selectors(std::move(data.permutation_selectors)), + contains_recursive_proof(data.contains_recursive_proof), + recursive_proof_public_input_indices(std::move(data.recursive_proof_public_input_indices)) { // TODO: Currently only supporting TurboComposer in serialization! - std::copy(turbo_polynomial_manifest, turbo_polynomial_manifest + 20, std::back_inserter(polynomial_manifest)); + std::copy(turbo_polynomial_manifest, + turbo_polynomial_manifest + 20, + std::back_inserter(polynomial_manifest)); } - plonk_verification_key& operator=(plonk_verification_key&& other) { + plonk_verification_key &operator=(plonk_verification_key &&other) { n = other.n; num_public_inputs = other.num_public_inputs; reference_string = std::move(other.reference_string); @@ -122,38 +118,32 @@ namespace nil { return *this; } - plonk_verification_key(const plonk_verification_key &other) - : n(other.n) - , num_public_inputs(other.num_public_inputs) - , domain(other.domain) - , reference_string(other.reference_string) - , constraint_selectors(other.constraint_selectors) - , permutation_selectors(other.permutation_selectors) - , polynomial_manifest(other.polynomial_manifest) - , contains_recursive_proof(other.contains_recursive_proof) - , recursive_proof_public_input_indices(other.recursive_proof_public_input_indices) - {} - - plonk_verification_key(plonk_verification_key &&other) - : n(other.n) - , num_public_inputs(other.num_public_inputs) - , domain(other.domain) - , reference_string(other.reference_string) - , constraint_selectors(other.constraint_selectors) - , permutation_selectors(other.permutation_selectors) - , polynomial_manifest(other.polynomial_manifest) - , contains_recursive_proof(other.contains_recursive_proof) - , recursive_proof_public_input_indices(other.recursive_proof_public_input_indices) - {} + plonk_verification_key(const plonk_verification_key &other) : + n(other.n), num_public_inputs(other.num_public_inputs), domain(other.domain), + reference_string(other.reference_string), constraint_selectors(other.constraint_selectors), + permutation_selectors(other.permutation_selectors), + polynomial_manifest(other.polynomial_manifest), + contains_recursive_proof(other.contains_recursive_proof), + recursive_proof_public_input_indices(other.recursive_proof_public_input_indices) { + } + + plonk_verification_key(plonk_verification_key &&other) : + n(other.n), num_public_inputs(other.num_public_inputs), domain(other.domain), + reference_string(other.reference_string), constraint_selectors(other.constraint_selectors), + permutation_selectors(other.permutation_selectors), + polynomial_manifest(other.polynomial_manifest), + contains_recursive_proof(other.contains_recursive_proof), + recursive_proof_public_input_indices(other.recursive_proof_public_input_indices) { + } std::size_t size_in_bits() const { - ???; + ? ? ? ; } bool operator==(const plonk_verification_key &other) const { return this->n == rhs.n && this->num_public_inputs == rhs.num_public_inputs && - this->constraint_selectors == rhs.constraint_selectors && - this->permutation_selectors == rhs.permutation_selectors; + this->constraint_selectors == rhs.constraint_selectors && + this->permutation_selectors == rhs.permutation_selectors; } }; } // namespace snark diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/kate/verifier.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/kate/verifier.hpp index 977712a65..b22ebf1b1 100644 --- a/include/nil/crypto3/zk/snark/schemes/plonk/kate/verifier.hpp +++ b/include/nil/crypto3/zk/snark/schemes/plonk/kate/verifier.hpp @@ -34,8 +34,7 @@ namespace nil { namespace zk { namespace snark { - template + template class plonk_verifier; template @@ -51,14 +50,13 @@ namespace nil { std::unique_ptr commitment; public: - plonk_verifier(std::shared_ptr> verifier_key, - const transcript::Manifest& input_manifest) - : manifest(input_manifest) - , key(verifier_key) - {} + const transcript::Manifest &input_manifest) : + manifest(input_manifest), + key(verifier_key) { + } - plonk_verifier& operator=(plonk_verifier&& other) { + plonk_verifier &operator=(plonk_verifier &&other) { key = other.key; manifest = other.manifest; commitment = (std::move(other.commitment)); @@ -67,11 +65,9 @@ namespace nil { return *this; } - plonk_verifier(plonk_verifier &&other) - : manifest(other.manifest) - , key(other.key) - , commitment(std::move(other.commitment)) - {} + plonk_verifier(plonk_verifier &&other) : + manifest(other.manifest), key(other.key), commitment(std::move(other.commitment)) { + } bool validate_commitments() { // TODO @@ -83,50 +79,56 @@ namespace nil { return true; } - bool process(const plonk_proof& proof) { + bool process(const plonk_proof &proof) { // This function verifies a PLONK proof for given program settings. - // A PLONK proof for standard PLONK with linearisation as on page 31 in the paper is of the form: + // A PLONK proof for standard PLONK with linearisation as on page 31 in the paper is of the + // form: // - // π_SNARK = { [a]_1,[b]_1,[c]_1,[z]_1,[t_{low}]_1,[t_{mid}]_1,[t_{high}]_1,[W_z]_1,[W_zω]_1 \in G, + // π_SNARK = { [a]_1,[b]_1,[c]_1,[z]_1,[t_{low}]_1,[t_{mid}]_1,[t_{high}]_1,[W_z]_1,[W_zω]_1 + // \in G, // a_eval, b_eval, c_eval, sigma1_eval, sigma2_eval, r_eval, z_eval_omega \in F } // // Proof π_SNARK must be first added in the transcrip with other program settings. // key->program_width = program_settings::program_width; - transcript::StandardTranscript transcript = transcript::StandardTranscript( - proof.proof_data, manifest, program_settings::hash_type, program_settings::num_challenge_bytes); + transcript::StandardTranscript transcript = + transcript::StandardTranscript(proof.proof_data, + manifest, + program_settings::hash_type, + program_settings::num_challenge_bytes); // Compute challenges using Fiat-Shamir heuristic from transcript - transcript.add_element("circuit_size", - { static_cast(key->n >> 24), - static_cast(key->n >> 16), - static_cast(key->n >> 8), - static_cast(key->n) }); + transcript.add_element( + "circuit_size", + {static_cast(key->n >> 24), static_cast(key->n >> 16), + static_cast(key->n >> 8), static_cast(key->n)}); transcript.add_element("public_input_size", - { static_cast(key->num_public_inputs >> 24), - static_cast(key->num_public_inputs >> 16), - static_cast(key->num_public_inputs >> 8), - static_cast(key->num_public_inputs) }); + {static_cast(key->num_public_inputs >> 24), + static_cast(key->num_public_inputs >> 16), + static_cast(key->num_public_inputs >> 8), + static_cast(key->num_public_inputs)}); transcript.apply_fiat_shamir("init"); transcript.apply_fiat_shamir("eta"); transcript.apply_fiat_shamir("beta"); transcript.apply_fiat_shamir("alpha"); transcript.apply_fiat_shamir("z"); - const typename TCurve::scalar_field_type::value_type alpha = + const typename TCurve::scalar_field_type::value_type alpha = crypto3::marshalling::algebra( transcript.get_challenge("alpha").begin()); - const typename TCurve::scalar_field_type::value_type zeta = + const typename TCurve::scalar_field_type::value_type zeta = crypto3::marshalling::algebra( transcript.get_challenge("z").begin()); // Compute the evaluations of the lagrange polynomials L_1(X) and L_{n - k}(X) at X = zeta. - // Here k = num_roots_cut_out_of_the_vanishing_polynomial and n is the size of the evaluation domain. - const auto lagrange_evals = math::polynomial_arithmetic::get_lagrange_evaluations(zeta, key->domain); + // Here k = num_roots_cut_out_of_the_vanishing_polynomial and n is the size of the evaluation + // domain. + const auto lagrange_evals = + math::polynomial_arithmetic::get_lagrange_evaluations(zeta, key->domain); // Step 8: Compute quotient polynomial evaluation at zeta - // r_eval − ((a_eval + β.sigma1_eval + γ)(b_eval + β.sigma2_eval + γ)(c_eval + γ) z_eval_omega)α − - // L_1(zeta).α^{3} + (z_eval_omega - ∆_{PI}).L_{n-k}(zeta)α^{2} + // r_eval − ((a_eval + β.sigma1_eval + γ)(b_eval + β.sigma2_eval + γ)(c_eval + γ) + // z_eval_omega)α − L_1(zeta).α^{3} + (z_eval_omega - ∆_{PI}).L_{n-k}(zeta)α^{2} // t_eval = // -------------------------------------------------------------------------------------------------------------------------------------------------------------- // Z_H*(zeta) @@ -138,15 +140,16 @@ namespace nil { for (size_t i = 0; i < key->domain.log2_size; ++i) { key->z_pow_n *= key->z_pow_n; } - typename TCurve::scalar_field_type::value_type t_eval = + typename TCurve::scalar_field_type::value_type t_eval = typename TCurve::scalar_field_type::value_type::zero(); - program_settings::compute_quotient_evaluation_contribution(key.get(), alpha, transcript, t_eval); + program_settings::compute_quotient_evaluation_contribution( + key.get(), alpha, transcript, t_eval); t_eval *= lagrange_evals.vanishing_poly.invert(); transcript.add_element("t", t_eval.to_buffer()); transcript.apply_fiat_shamir("nu"); transcript.apply_fiat_shamir("separator"); - const typename TCurve::scalar_field_type::value_type separator_challenge = + const typename TCurve::scalar_field_type::value_type separator_challenge = crypto3::marshalling::algebra( transcript.get_challenge("separator").begin()); @@ -164,36 +167,40 @@ namespace nil { // \nu_{c}.c_eval + \nu_{\sigma1}.sigma1_eval + \nu_{\sigma2}.sigma2_eval + // nu_z_omega.separator.z_eval_omega) . [1]_1 // - // Note that we do not actually compute the scalar multiplications but just accumulate the scalars - // and the group elements in different vectors. + // Note that we do not actually compute the scalar multiplications but just accumulate the + // scalars and the group elements in different vectors. // commitment->batch_verify(transcript, kate_g1_elements, kate_fr_elements, key); // Step 9: Compute partial opening batch commitment [D]_1: - // [D]_1 = (a_eval.b_eval.[qM]_1 + a_eval.[qL]_1 + b_eval.[qR]_1 + c_eval.[qO]_1 + [qC]_1) * nu_{linear} * α + // [D]_1 = (a_eval.b_eval.[qM]_1 + a_eval.[qL]_1 + b_eval.[qR]_1 + c_eval.[qO]_1 + + // [qC]_1) * nu_{linear} * α // >> selector polynomials // + [(a_eval + β.z + γ)(b_eval + β.k_1.z + γ)(c_eval + β.k_2.z + γ).α + // L_1(z).α^{3}].nu_{linear}.[z]_1 >> grand product perm polynomial // - (a_eval + β.sigma1_eval + γ)(b_eval + β.sigma2_eval + // γ)α.β.nu_{linear}.z_omega_eval.[sigma3]_1 >> last perm polynomial // - // Again, we dont actually compute the MSMs and just accumulate scalars and group elements and postpone MSM to last - // step. + // Again, we dont actually compute the MSMs and just accumulate scalars and group elements and + // postpone MSM to last step. // append_scalar_multiplication_inputs(key.get(), alpha, transcript, kate_fr_elements); // Fetch the group elements [W_z]_1,[W_zω]_1 from the transcript - typename TCurve::g1_type::value_type PI_Z = crypto3::marshalling::algebra< - typename TCurve::g1_type::value_type>(&transcript.get_element("PI_Z")[0]); - typename TCurve::g1_type::value_type PI_Z_OMEGA = crypto3::marshalling::algebra< - typename TCurve::g1_type::value_type>(&transcript.get_element("PI_Z_OMEGA")[0]); + typename TCurve::g1_type::value_type PI_Z = + crypto3::marshalling::algebra::value_type>( + &transcript.get_element("PI_Z")[0]); + typename TCurve::g1_type::value_type PI_Z_OMEGA = + crypto3::marshalling::algebra::value_type>( + &transcript.get_element("PI_Z_OMEGA")[0]); - // Accumulate pairs of scalars and group elements which would be used in the final pairing check. - kate_g1_elements.insert({ "PI_Z_OMEGA", PI_Z_OMEGA }); - kate_fr_elements.insert({ "PI_Z_OMEGA", zeta * key->domain.root * separator_challenge }); + // Accumulate pairs of scalars and group elements which would be used in the final pairing + // check. + kate_g1_elements.insert({"PI_Z_OMEGA", PI_Z_OMEGA}); + kate_fr_elements.insert({"PI_Z_OMEGA", zeta * key->domain.root * separator_challenge}); - kate_g1_elements.insert({ "PI_Z", PI_Z }); - kate_fr_elements.insert({ "PI_Z", zeta }); + kate_g1_elements.insert({"PI_Z", PI_Z}); + kate_fr_elements.insert({"PI_Z", zeta}); validate_commitments(); validate_scalars(); @@ -201,7 +208,7 @@ namespace nil { std::vector scalars; std::vector::value_type> elements; - for (const auto& [key, value] : kate_g1_elements) { + for (const auto &[key, value] : kate_g1_elements) { if (value.on_curve()) { scalars.emplace_back(kate_fr_elements.at(key)); elements.emplace_back(value); @@ -210,17 +217,19 @@ namespace nil { size_t num_elements = elements.size(); elements.resize(num_elements * 2); - algebra::scalar_multiplication::generate_pippenger_point_table(&elements[0], &elements[0], num_elements); + algebra::scalar_multiplication::generate_pippenger_point_table( + &elements[0], &elements[0], num_elements); scalar_multiplication::pippenger_runtime_state state(num_elements); typename TCurve::g1_type<>::value_type P[2]; - P[0] = alegbra::scalar_multiplication::pippenger(&scalars[0], &elements[0], num_elements, state); + P[0] = + alegbra::scalar_multiplication::pippenger(&scalars[0], &elements[0], num_elements, state); P[1] = -(typename TCurve::g1_type<>::value_type(PI_Z_OMEGA) * separator_challenge + PI_Z); if (key->contains_recursive_proof) { assert(key->recursive_proof_public_input_indices.size() == 16); - const auto& inputs = transcript.get_field_element_vector("public_inputs"); + const auto &inputs = transcript.get_field_element_vector("public_inputs"); const auto recover_fq_from_public_inputs = [&inputs](const size_t idx0, const size_t idx1, const size_t idx2, const size_t idx3) { const uint256_t l0 = inputs[idx0]; @@ -234,42 +243,44 @@ namespace nil { return typename TCurve::base_field_type::value_type(limb); }; - const auto recursion_separator_challenge = transcript.get_challenge_field_element("separator").sqr(); + const auto recursion_separator_challenge = + transcript.get_challenge_field_element("separator").sqr(); - const typename TCurve::base_field_type::value_type x0 = + const typename TCurve::base_field_type::value_type x0 = recover_fq_from_public_inputs(key->recursive_proof_public_input_indices[0], - key->recursive_proof_public_input_indices[1], - key->recursive_proof_public_input_indices[2], - key->recursive_proof_public_input_indices[3]); - const typename TCurve::base_field_type::value_type y0 = + key->recursive_proof_public_input_indices[1], + key->recursive_proof_public_input_indices[2], + key->recursive_proof_public_input_indices[3]); + const typename TCurve::base_field_type::value_type y0 = recover_fq_from_public_inputs(key->recursive_proof_public_input_indices[4], - key->recursive_proof_public_input_indices[5], - key->recursive_proof_public_input_indices[6], - key->recursive_proof_public_input_indices[7]); - const typename TCurve::base_field_type::value_type x1 = + key->recursive_proof_public_input_indices[5], + key->recursive_proof_public_input_indices[6], + key->recursive_proof_public_input_indices[7]); + const typename TCurve::base_field_type::value_type x1 = recover_fq_from_public_inputs(key->recursive_proof_public_input_indices[8], - key->recursive_proof_public_input_indices[9], - key->recursive_proof_public_input_indices[10], - key->recursive_proof_public_input_indices[11]); - const typename TCurve::base_field_type::value_type y1 = + key->recursive_proof_public_input_indices[9], + key->recursive_proof_public_input_indices[10], + key->recursive_proof_public_input_indices[11]); + const typename TCurve::base_field_type::value_type y1 = recover_fq_from_public_inputs(key->recursive_proof_public_input_indices[12], - key->recursive_proof_public_input_indices[13], - key->recursive_proof_public_input_indices[14], - key->recursive_proof_public_input_indices[15]); + key->recursive_proof_public_input_indices[13], + key->recursive_proof_public_input_indices[14], + key->recursive_proof_public_input_indices[15]); P[0] += typename TCurve::g1_type<>::value_type(x0, y0, 1) * recursion_separator_challenge; P[1] += typename TCurve::g1_type<>::value_type(x1, y1, 1) * recursion_separator_challenge; } typename TCurve::g1_type<>::value_type::batch_normalize(P, 2); - typename TCurve::g1_type::value_type P_affine[2]{ - { P[0].x, P[0].y }, - { P[1].x, P[1].y }, + typename TCurve::g1_type::value_type P_affine[2] { + {P[0].x, P[0].y}, + {P[1].x, P[1].y}, }; // The final pairing check of step 12. - typename TCurve::gt_type::value_type result = algebra::pairing::reduced_ate_pairing_batch_precomputed( - P_affine, key->reference_string->get_precomputed_g2_lines(), 2); + typename TCurve::gt_type::value_type result = + algebra::pairing::reduced_ate_pairing_batch_precomputed( + P_affine, key->reference_string->get_precomputed_g2_lines(), 2); return (result == typename TCurve::gt_type::value_type::one()); } diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/generator.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/generator.hpp index 0a07918b1..107b3bdf4 100644 --- a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/generator.hpp +++ b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/generator.hpp @@ -57,7 +57,8 @@ namespace nil { typedef detail::redshift_types types_policy; // static inline math::polynomial::polynom<...> tau( - // std::size_t input, std::size_t n, std::array &k){ + // std::size_t input, std::size_t n, std::array &k){ // std::size_t i = input % n; // std::size_t j = (input - i)/n + 1; @@ -67,7 +68,8 @@ namespace nil { // } // static inline std::size_t tau_reverted( - // math::polynomial::polynom<...> k_jgi, std::size_t n, std::array &k){ + // math::polynomial::polynom<...> k_jgi, std::size_t n, std::array &k){ // std::size_t i = math::polynomial::get_index_of_non_zero_coeff(k_jgi); @@ -77,48 +79,56 @@ namespace nil { // } // static inline std::size_t sigma_p1_permutation( - // std::size_t input, std::size_t n, std::array &k){ + // std::size_t input, std::size_t n, std::array &k){ // ... // } // static inline math::polynomial::polynom<...> sigma_p2_permutation( - // math::polynomial::polynom<...> input, std::size_t n, std::array &k){ - + // math::polynomial::polynom<...> input, std::size_t n, std::array &k){ + // return (tau(sigma_p1_permutation(tau_reverted(input, n, k), n, k), n, k)); // } public: - template, typename GeneratorType = boost::random::mt19937> - static inline keypair_type process(const typename types_policy::constraint_system_type &constraint_system) { + static inline keypair_type + process(const typename types_policy::constraint_system_type &constraint_system) { - std::array k = get_cosets_generators(); + std::array k = + get_cosets_generators(); std::array::polynomial, 3> S_id; std::array::polynomial, 3> S_sigma; - typename TCurve::scalar_field_type::value_type omega = algebra::get_root_of_unity(); - typename TCurve::scalar_field_type::value_type delta = algebra::get_root_of_unity(); + typename TCurve::scalar_field_type::value_type omega = + algebra::get_root_of_unity(); + typename TCurve::scalar_field_type::value_type delta = + algebra::get_root_of_unity(); std::size_t Nperm = ...; - for (std::size_t i = 0; i < 3; i++){ - std::vector> interpolation_points (Nperm); - for (std::size_t j = 0; j < Nperm; j++){ + for (std::size_t i = 0; i < 3; i++) { + std::vector> + interpolation_points(Nperm); + for (std::size_t j = 0; j < Nperm; j++) { interpolation_points.push_back(std::make_pair(omega.pow(j), delta??? * omega.pow(j))); } S_id[i] = math::polynomial::Lagrange_interpolation(interpolation_points); } - for (std::size_t i = 0; i < 3; i++){ - std::vector> interpolation_points (Nperm); - for (std::size_t j = 0; j < Nperm; j++){ - interpolation_points.push_back(std::make_pair(omega.pow(j), delta.pow(i) * omega.pow(j))); + for (std::size_t i = 0; i < 3; i++) { + std::vector> + interpolation_points(Nperm); + for (std::size_t j = 0; j < Nperm; j++) { + interpolation_points.push_back( + std::make_pair(omega.pow(j), delta.pow(i) * omega.pow(j))); } S_sigma[i] = math::polynomial::Lagrange_interpolation(interpolation_points); diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/params.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/params.hpp index b64bb8aa1..8d85da977 100644 --- a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/params.hpp +++ b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/params.hpp @@ -33,11 +33,9 @@ namespace nil { namespace crypto3 { namespace zk { - namespace snark { - - } // namespace snark - } // namespace zk - } // namespace crypto3 + namespace snark { } // namespace snark + } // namespace zk + } // namespace crypto3 } // namespace nil #endif // CRYPTO3_ZK_PLONK_REDSHIFT_PARAMS_HPP diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/prover.hpp index be4b12113..0921c9d2d 100644 --- a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/prover.hpp @@ -39,12 +39,12 @@ namespace nil { using types_policy = redshift_types_policy; using transcript_manifest = types_policy::prover_fiat_shamir_heuristic_manifest<6>; - public: - static inline typename types_policy::proof_type process( - const types_policy::proving_key_type &proving_key, - const types_policy::primary_input_type &primary_input, - const types_policy::auxiliary_input_type &auxiliary_input) { + public: + static inline typename types_policy::proof_type + process(const types_policy::proving_key_type &proving_key, + const types_policy::primary_input_type &primary_input, + const types_policy::auxiliary_input_type &auxiliary_input) { std::size_t N_wires = primary_input.size() + auxiliary_input.size(); std::size_t N_perm = ...; @@ -52,28 +52,28 @@ namespace nil { std::size_t N_const = ...; fiat_shamir_heuristic transcript; - + ... setup_values = ...; transcript(setup_values); std::vector> f(N_wires); std::vector> f_commitments(N_wires); - for (std::size_t i = 0; i < N_wires; i++){ + for (std::size_t i = 0; i < N_wires; i++) { f.push_back(proving_key.f[i] + choose_h_i() * proving_key.Z(x)); f_commitments[i].commit(f[i]); transcript(f_commitments[i]); } - hashes::sha2::digest_type beta_bytes = + hashes::sha2::digest_type beta_bytes = transcript.get_challenge(); - hashes::sha2::digest_type gamma_bytes = + hashes::sha2::digest_type gamma_bytes = transcript.get_challenge(); - typename TCurve::scalar_field_type::value_type beta = + typename TCurve::scalar_field_type::value_type beta = algebra::marshalling(beta_bytes); - typename TCurve::scalar_field_type::value_type gamma = + typename TCurve::scalar_field_type::value_type gamma = algebra::marshalling(gamma_bytes); std::vector> p(N_perm); @@ -82,26 +82,28 @@ namespace nil { math::polynomial::polynom<...> p1 = math::polynomial::polynom<...>::one(); math::polynomial::polynom<...> q1 = math::polynomial::polynom<...>::one(); - for (std::size_t j = 0; j < N_perm; j++){ - p.push_back(f[j] + beta*S_id[j] + gamma); - q.push_back(f[j] + beta*S_sigma[j] + gamma); + for (std::size_t j = 0; j < N_perm; j++) { + p.push_back(f[j] + beta * S_id[j] + gamma); + q.push_back(f[j] + beta * S_sigma[j] + gamma); p1 *= p[j]; q1 *= q[j]; } - std::vector> P_interpolation_points (n + 1); - std::vector> Q_interpolation_points (n + 1); + std::vector> + P_interpolation_points(n + 1); + std::vector> + Q_interpolation_points(n + 1); P_interpolation_points.push_back(std::make_pair(proving_key.omega, 1)); - for (std::size_t i = 2; i <= n+1; i++){ - typename TCurve::scalar_field_type::value_type P_mul_result = + for (std::size_t i = 2; i <= n + 1; i++) { + typename TCurve::scalar_field_type::value_type P_mul_result = typename TCurve::scalar_field_type::one(); - typename TCurve::scalar_field_type::value_type Q_mul_result = + typename TCurve::scalar_field_type::value_type Q_mul_result = typename TCurve::scalar_field_type::one(); - for (std::size_t j = 1; j < i; j++){ + for (std::size_t j = 1; j < i; j++) { P_mul_result *= p1(proving_key.omega.pow(i)); Q_mul_result *= q1(proving_key.omega.pow(i)); } @@ -110,8 +112,10 @@ namespace nil { Q_interpolation_points.push_back(std::make_pair(proving_key.omega.pow(i), Q_mul_result)); } - math::polynomial::polynom<...> P = math::polynomial::Lagrange_interpolation(P_interpolation_points); - math::polynomial::polynom<...> Q = math::polynomial::Lagrange_interpolation(Q_interpolation_points); + math::polynomial::polynom<...> P = + math::polynomial::Lagrange_interpolation(P_interpolation_points); + math::polynomial::polynom<...> Q = + math::polynomial::Lagrange_interpolation(Q_interpolation_points); std::fri_commitment_cheme<...> P_commitment(); std::fri_commitment_cheme<...> Q_commitment(); @@ -122,7 +126,7 @@ namespace nil { transcript(Q_commitment); std::array alphas; - for (std::size_t i = 0; i < 6; i++){ + for (std::size_t i = 0; i < 6; i++) { hashes::sha2::digest_type alpha_bytes = transcript.get_challenge(); alphas[i] = (algebra::marshalling(alpha_bytes)); @@ -149,21 +153,21 @@ namespace nil { F_consolidated = a[i] * F[i]; } - math::polynomial::polynom<...> T_consolidated = F_consolidated/Z; + math::polynomial::polynom<...> T_consolidated = F_consolidated / Z; std::vector> T(N_perm + 2); T = separate_T(T_consolidated); std::vector> T_commitments(N_perm + 2); - for (std::size_t i = 0; i < N_perm + 2){ + for (std::size_t i = 0; i < N_perm + 2) { T_commitments[i].commit(T[i]); } ... - typename types_policy::proof_type proof = typename types_policy::proof_type( - std::move(f_commitments), std::move(P_commitment), - std::move(Q_commitment), std::move(T_commitments)); + typename types_policy::proof_type proof = + typename types_policy::proof_type(std::move(f_commitments), std::move(P_commitment), + std::move(Q_commitment), std::move(T_commitments)); return proof; } diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/proving_key.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/proving_key.hpp index e414e342f..32aa27e3d 100644 --- a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/proving_key.hpp +++ b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/proving_key.hpp @@ -37,14 +37,13 @@ namespace nil { class redshift_proving_key { using constraint_system_type = plonk_constraint_system; constexpr static const std::size_t n = ...; + public: - std::array, 3> S_id; std::array, 3> S_sigma; std::array, n> L_basis; - std::array, 3> f_witness_wire; // witness-wire polynomials f_L, f_R, f_O - + std::array, 3> f_witness_wire; // witness-wire polynomials f_L, f_R, f_O }; } // namespace snark } // namespace zk diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/types.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/types.hpp index 9966174a0..aa5d4968f 100644 --- a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/types.hpp +++ b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/types.hpp @@ -82,14 +82,9 @@ namespace nil { */ typedef redshift_proof proof_type; - template + template struct prover_fiat_shamir_heuristic_manifest { - enum challenges_ids{ - beta, - gamma, - alpha, - upsilon = alpha + AlphasAmount - }; + enum challenges_ids { beta, gamma, alpha, upsilon = alpha + AlphasAmount }; }; }; } // namespace detail diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/verification_key.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/verification_key.hpp index ec8931190..9748fe034 100644 --- a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/verification_key.hpp +++ b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/verification_key.hpp @@ -36,14 +36,13 @@ namespace nil { template class redshift_verification_key { using constraint_system_type = plonk_constraint_system; - public: + public: std::array, 3> S_id; std::array, 3> S_sigma; std::array, n> L_basis; - - math::polynom<...> PI; // public inputs polynomial - + + math::polynom<...> PI; // public inputs polynomial }; } // namespace snark } // namespace zk diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/verifier.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/verifier.hpp index 82864aab1..f9e73033c 100644 --- a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/verifier.hpp +++ b/include/nil/crypto3/zk/snark/schemes/plonk/redshift/verifier.hpp @@ -40,12 +40,11 @@ namespace nil { using types_policy = redshift_types_policy; using transcript_manifest = types_policy::prover_fiat_shamir_heuristic_manifest<6>; using constraint_system_type = plonk_constraint_system; - - public: - static inline bool process (const types_policy::verification_key_type &verification_key, + public: + static inline bool process(const types_policy::verification_key_type &verification_key, const types_policy::primary_input_type &primary_input, - const types_policy::proof_type &proof){ + const types_policy::proof_type &proof) { std::size_t N_wires = ...; std::size_t N_perm = ...; @@ -57,44 +56,45 @@ namespace nil { ... setup_values = ...; transcript(setup_values); - for (std::size_t i = 0; i < N_wires; i++){ + for (std::size_t i = 0; i < N_wires; i++) { transcript(proof.f_commitments[i]); } - hashes::sha2::digest_type beta_bytes = + hashes::sha2::digest_type beta_bytes = transcript.get_challenge(); - hashes::sha2::digest_type gamma_bytes = + hashes::sha2::digest_type gamma_bytes = transcript.get_challenge(); - typename TCurve::scalar_field_type::value_type beta = + typename TCurve::scalar_field_type::value_type beta = algebra::marshalling(beta_bytes); - typename TCurve::scalar_field_type::value_type gamma = + typename TCurve::scalar_field_type::value_type gamma = algebra::marshalling(gamma_bytes); transcript(proof.P_commitment); transcript(proof.Q_commitment); std::array alphas; - for (std::size_t i = 0; i < 6; i++){ + for (std::size_t i = 0; i < 6; i++) { hashes::sha2::digest_type alpha_bytes = transcript.get_challenge(); alphas[i] = (algebra::marshalling(alpha_bytes)); } - for (std::size_t i = 0; i < N_perm + 2; i++){ + for (std::size_t i = 0; i < N_perm + 2; i++) { transcript(proof.T_commitments[i]); } - hashes::sha2::digest_type upsilon_bytes = + hashes::sha2::digest_type upsilon_bytes = transcript.get_challenge(); - typename TCurve::scalar_field_type::value_type upsilon = + typename TCurve::scalar_field_type::value_type upsilon = algebra::marshalling(upsilon_bytes); ... - std::array, 6> F; + std::array, 6> + F; F[0] = verification_key.L_basis[1] * (P - 1); F[1] = verification_key.L_basis[1] * (Q - 1); F[2] = P * p_1 - (P << 1); @@ -118,9 +118,8 @@ namespace nil { F_consolidated = a[i] * F[i]; } - return (F_consolidated == verification_key.Z*T); + return (F_consolidated == verification_key.Z * T); } - }; } // namespace snark } // namespace zk From 0273e829a96af9868e4c1269062979d8e71e9f8c Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Thu, 11 Nov 2021 22:02:18 +0300 Subject: [PATCH 008/219] Directory renaming done. Pickles proof data struct initialized. #20 --- CMakeLists.txt | 52 ++++++------- .../pcd/r1cs_pcd/compliance_predicate.hpp | 0 .../r1cs_pcd/ppzkpcd_compliance_predicate.hpp | 2 +- .../r1cs_mp_ppzkpcd/r1cs_mp_ppzkpcd.hpp | 6 +- .../r1cs_mp_ppzkpcd_params.hpp | 4 +- .../pcd/r1cs_pcd/r1cs_pcd_params.hpp | 2 +- .../r1cs_sp_ppzkpcd/r1cs_sp_ppzkpcd.hpp | 4 +- .../r1cs_sp_ppzkpcd_params.hpp | 4 +- .../r1cs_sp_ppzkpcd/sp_pcd_circuits.hpp | 2 +- .../plonk/kate/params.hpp | 0 .../{schemes => systems}/plonk/kate/proof.hpp | 0 .../plonk/kate/prover.hpp | 0 .../plonk/kate/proving_key.hpp | 0 .../plonk/kate/verification_key.hpp | 0 .../plonk/kate/verifier.hpp | 0 .../zk/snark/systems/plonk/pickles/proof.hpp | 78 +++++++++++++++++++ .../plonk/redshift/generator.hpp | 2 +- .../plonk/redshift/params.hpp | 0 .../plonk/redshift/proof.hpp | 0 .../plonk/redshift/prover.hpp | 0 .../plonk/redshift/proving_key.hpp | 0 .../plonk/redshift/types.hpp | 0 .../plonk/redshift/verification_key.hpp | 0 .../plonk/redshift/verifier.hpp | 0 .../r1cs_ppzkadsnark/detail/basic_policy.hpp | 4 +- .../r1cs_ppzkadsnark/r1cs_ppzkadsnark.hpp | 2 +- .../r1cs_ppzkadsnark/signature.hpp | 2 +- .../ppzksnark/bacs_ppzksnark.hpp | 8 +- .../bacs_ppzksnark/detail/basic_policy.hpp | 4 +- .../ppzksnark/bacs_ppzksnark/generator.hpp | 4 +- .../ppzksnark/bacs_ppzksnark/keypair.hpp | 0 .../ppzksnark/bacs_ppzksnark/prover.hpp | 4 +- .../ppzksnark/bacs_ppzksnark/proving_key.hpp | 2 +- .../ppzksnark/bacs_ppzksnark/verifier.hpp | 4 +- .../ppzksnark/r1cs_gg_ppzksnark.hpp | 18 ++--- .../r1cs_gg_ppzksnark/detail/basic_policy.hpp | 16 ++-- .../ppzksnark/r1cs_gg_ppzksnark/generator.hpp | 2 +- .../r1cs_gg_ppzksnark/ipp2/commitment.hpp | 2 +- .../r1cs_gg_ppzksnark/ipp2/generator.hpp | 4 +- .../r1cs_gg_ppzksnark/ipp2/proof.hpp | 4 +- .../r1cs_gg_ppzksnark/ipp2/prover.hpp | 10 +-- .../ppzksnark/r1cs_gg_ppzksnark/ipp2/srs.hpp | 4 +- .../r1cs_gg_ppzksnark/ipp2/transcript.hpp | 0 .../ipp2/verification_key.hpp | 2 +- .../r1cs_gg_ppzksnark/ipp2/verifier.hpp | 6 +- .../ppzksnark/r1cs_gg_ppzksnark/keypair.hpp | 0 .../r1cs_gg_ppzksnark/marshalling.hpp | 2 +- .../ppzksnark/r1cs_gg_ppzksnark/modes.hpp | 0 .../ppzksnark/r1cs_gg_ppzksnark/proof.hpp | 0 .../ppzksnark/r1cs_gg_ppzksnark/prover.hpp | 2 +- .../r1cs_gg_ppzksnark/proving_key.hpp | 0 .../r1cs_gg_ppzksnark/verification_key.hpp | 0 .../ppzksnark/r1cs_gg_ppzksnark/verifier.hpp | 2 +- .../ppzksnark/r1cs_ppzksnark.hpp | 8 +- .../r1cs_ppzksnark/detail/basic_policy.hpp | 8 +- .../ppzksnark/r1cs_ppzksnark/generator.hpp | 2 +- .../ppzksnark/r1cs_ppzksnark/keypair.hpp | 0 .../ppzksnark/r1cs_ppzksnark/proof.hpp | 0 .../ppzksnark/r1cs_ppzksnark/prover.hpp | 2 +- .../ppzksnark/r1cs_ppzksnark/proving_key.hpp | 0 .../r1cs_ppzksnark/verification_key.hpp | 0 .../ppzksnark/r1cs_ppzksnark/verifier.hpp | 2 +- .../ppzksnark/r1cs_se_ppzksnark.hpp | 8 +- .../r1cs_se_ppzksnark/detail/basic_policy.hpp | 8 +- .../ppzksnark/r1cs_se_ppzksnark/generator.hpp | 2 +- .../ppzksnark/r1cs_se_ppzksnark/keypair.hpp | 0 .../ppzksnark/r1cs_se_ppzksnark/proof.hpp | 0 .../ppzksnark/r1cs_se_ppzksnark/prover.hpp | 2 +- .../r1cs_se_ppzksnark/proving_key.hpp | 0 .../r1cs_se_ppzksnark/verification_key.hpp | 0 .../ppzksnark/r1cs_se_ppzksnark/verifier.hpp | 2 +- .../ppzksnark/tbcs_ppzksnark.hpp | 8 +- .../tbcs_ppzksnark/detail/basic_policy.hpp | 4 +- .../ppzksnark/tbcs_ppzksnark/generator.hpp | 6 +- .../ppzksnark/tbcs_ppzksnark/keypair.hpp | 0 .../ppzksnark/tbcs_ppzksnark/prover.hpp | 4 +- .../ppzksnark/tbcs_ppzksnark/proving_key.hpp | 2 +- .../ppzksnark/tbcs_ppzksnark/verifier.hpp | 4 +- .../ppzksnark/uscs_ppzksnark.hpp | 8 +- .../uscs_ppzksnark/detail/basic_policy.hpp | 8 +- .../ppzksnark/uscs_ppzksnark/generator.hpp | 2 +- .../ppzksnark/uscs_ppzksnark/keypair.hpp | 0 .../ppzksnark/uscs_ppzksnark/proof.hpp | 0 .../ppzksnark/uscs_ppzksnark/prover.hpp | 2 +- .../ppzksnark/uscs_ppzksnark/proving_key.hpp | 0 .../uscs_ppzksnark/verification_key.hpp | 0 .../ppzksnark/uscs_ppzksnark/verifier.hpp | 2 +- .../profile_r1cs_mp_ppzkpcd.cpp | 4 +- .../profile_r1cs_sp_ppzkpcd.cpp | 4 +- .../bacs_ppzksnark/profile_bacs_ppzksnark.cpp | 2 +- .../profile_r1cs_gg_ppzksnark.cpp | 2 +- .../r1cs_ppzksnark/profile_r1cs_ppzksnark.cpp | 2 +- .../profile_r1cs_se_ppzksnark.cpp | 2 +- .../ram_ppzksnark/profile_ram_ppzksnark.cpp | 2 +- .../tbcs_ppzksnark/profile_tbcs_ppzksnark.cpp | 2 +- .../uscs_ppzksnark/profile_uscs_ppzksnark.cpp | 2 +- .../ram_zksnark/profile_ram_zksnark.cpp | 4 +- test/CMakeLists.txt | 28 +++---- test/relations/numeric/sap.cpp | 2 +- .../r1cs_mp_ppzkpcd/r1cs_mp_ppzkpcd.cpp | 0 .../r1cs_mp_ppzkpcd/run_r1cs_mp_ppzkpcd.hpp | 2 +- .../pcd/r1cs_pcd/r1cs_mp_ppzkpcd/tally_cp.hpp | 8 +- .../r1cs_sp_ppzkpcd/r1cs_sp_ppzkpcd.cpp | 0 .../r1cs_sp_ppzkpcd/run_r1cs_sp_ppzkpcd.hpp | 2 +- .../pcd/r1cs_pcd/r1cs_sp_ppzkpcd/tally_cp.hpp | 8 +- test/systems/plonk/pickles.cpp | 45 +++++++++++ .../demo_r1cs_ppzkadsnark.cpp | 2 +- .../r1cs_ppzkadsnark/prf/aes_ctr_prf.hpp | 2 +- .../r1cs_ppzkadsnark/run_r1cs_ppzkadsnark.hpp | 2 +- .../signature/ed25519_signature.hpp | 2 +- .../bacs_ppzksnark/bacs_examples.hpp | 2 +- .../bacs_ppzksnark/bacs_ppzksnark.cpp | 0 .../bacs_ppzksnark/run_bacs_ppzksnark.hpp | 2 +- .../ppzksnark/r1cs_examples.hpp | 0 .../r1cs_gg_ppzksnark/r1cs_gg_ppzksnark.cpp | 0 ...cs_gg_ppzksnark_aggregation_conformity.cpp | 12 +-- .../r1cs_gg_ppzksnark_marshalling.cpp | 4 +- .../r1cs_gg_ppzksnark_tvm_marshalling.cpp | 4 +- .../run_r1cs_gg_ppzksnark.hpp | 2 +- .../run_r1cs_gg_ppzksnark_marshalling.hpp | 4 +- .../run_r1cs_gg_ppzksnark_tvm_marshalling.hpp | 4 +- .../r1cs_ppzksnark/r1cs_ppzksnark.cpp | 0 .../r1cs_ppzksnark/run_r1cs_ppzksnark.hpp | 2 +- .../r1cs_se_ppzksnark/r1cs_se_ppzksnark.cpp | 0 .../run_r1cs_se_ppzksnark.hpp | 2 +- .../ppzksnark/ram_ppzksnark/ram_examples.hpp | 0 .../ppzksnark/ram_ppzksnark/ram_ppzksnark.cpp | 0 .../ram_ppzksnark/run_ram_ppzksnark.hpp | 4 +- .../tbcs_ppzksnark/run_tbcs_ppzksnark.hpp | 2 +- .../tbcs_ppzksnark/tbcs_examples.hpp | 2 +- .../tbcs_ppzksnark/tbcs_ppzksnark.cpp | 0 .../uscs_ppzksnark/run_uscs_ppzksnark.hpp | 2 +- .../uscs_ppzksnark/uscs_examples.hpp | 2 +- .../uscs_ppzksnark/uscs_ppzksnark.cpp | 0 134 files changed, 331 insertions(+), 206 deletions(-) rename include/nil/crypto3/zk/snark/{schemes => systems}/pcd/r1cs_pcd/compliance_predicate.hpp (100%) rename include/nil/crypto3/zk/snark/{schemes => systems}/pcd/r1cs_pcd/ppzkpcd_compliance_predicate.hpp (97%) rename include/nil/crypto3/zk/snark/{schemes => systems}/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/r1cs_mp_ppzkpcd.hpp (99%) rename include/nil/crypto3/zk/snark/{schemes => systems}/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/r1cs_mp_ppzkpcd_params.hpp (95%) rename include/nil/crypto3/zk/snark/{schemes => systems}/pcd/r1cs_pcd/r1cs_pcd_params.hpp (98%) rename include/nil/crypto3/zk/snark/{schemes => systems}/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/r1cs_sp_ppzkpcd.hpp (99%) rename include/nil/crypto3/zk/snark/{schemes => systems}/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/r1cs_sp_ppzkpcd_params.hpp (95%) rename include/nil/crypto3/zk/snark/{schemes => systems}/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/sp_pcd_circuits.hpp (99%) rename include/nil/crypto3/zk/snark/{schemes => systems}/plonk/kate/params.hpp (100%) rename include/nil/crypto3/zk/snark/{schemes => systems}/plonk/kate/proof.hpp (100%) rename include/nil/crypto3/zk/snark/{schemes => systems}/plonk/kate/prover.hpp (100%) rename include/nil/crypto3/zk/snark/{schemes => systems}/plonk/kate/proving_key.hpp (100%) rename include/nil/crypto3/zk/snark/{schemes => systems}/plonk/kate/verification_key.hpp (100%) rename include/nil/crypto3/zk/snark/{schemes => systems}/plonk/kate/verifier.hpp (100%) create mode 100644 include/nil/crypto3/zk/snark/systems/plonk/pickles/proof.hpp rename include/nil/crypto3/zk/snark/{schemes => systems}/plonk/redshift/generator.hpp (99%) rename include/nil/crypto3/zk/snark/{schemes => systems}/plonk/redshift/params.hpp (100%) rename include/nil/crypto3/zk/snark/{schemes => systems}/plonk/redshift/proof.hpp (100%) rename include/nil/crypto3/zk/snark/{schemes => systems}/plonk/redshift/prover.hpp (100%) rename include/nil/crypto3/zk/snark/{schemes => systems}/plonk/redshift/proving_key.hpp (100%) rename include/nil/crypto3/zk/snark/{schemes => systems}/plonk/redshift/types.hpp (100%) rename include/nil/crypto3/zk/snark/{schemes => systems}/plonk/redshift/verification_key.hpp (100%) rename include/nil/crypto3/zk/snark/{schemes => systems}/plonk/redshift/verifier.hpp (100%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp (99%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzkadsnark/r1cs_ppzkadsnark/r1cs_ppzkadsnark.hpp (98%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzkadsnark/r1cs_ppzkadsnark/signature.hpp (98%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/bacs_ppzksnark.hpp (94%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/bacs_ppzksnark/detail/basic_policy.hpp (97%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/bacs_ppzksnark/generator.hpp (96%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/bacs_ppzksnark/keypair.hpp (100%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/bacs_ppzksnark/prover.hpp (97%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/bacs_ppzksnark/proving_key.hpp (98%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/bacs_ppzksnark/verifier.hpp (98%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/r1cs_gg_ppzksnark.hpp (96%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/r1cs_gg_ppzksnark/detail/basic_policy.hpp (95%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/r1cs_gg_ppzksnark/generator.hpp (99%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/r1cs_gg_ppzksnark/ipp2/commitment.hpp (99%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/r1cs_gg_ppzksnark/ipp2/generator.hpp (97%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp (98%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/r1cs_gg_ppzksnark/ipp2/prover.hpp (99%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/r1cs_gg_ppzksnark/ipp2/srs.hpp (98%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/r1cs_gg_ppzksnark/ipp2/transcript.hpp (100%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/r1cs_gg_ppzksnark/ipp2/verification_key.hpp (98%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/r1cs_gg_ppzksnark/ipp2/verifier.hpp (99%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/r1cs_gg_ppzksnark/keypair.hpp (100%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/r1cs_gg_ppzksnark/marshalling.hpp (99%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/r1cs_gg_ppzksnark/modes.hpp (100%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/r1cs_gg_ppzksnark/proof.hpp (100%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/r1cs_gg_ppzksnark/prover.hpp (99%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/r1cs_gg_ppzksnark/proving_key.hpp (100%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/r1cs_gg_ppzksnark/verification_key.hpp (100%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/r1cs_gg_ppzksnark/verifier.hpp (99%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/r1cs_ppzksnark.hpp (95%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/r1cs_ppzksnark/detail/basic_policy.hpp (96%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/r1cs_ppzksnark/generator.hpp (99%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/r1cs_ppzksnark/keypair.hpp (100%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/r1cs_ppzksnark/proof.hpp (100%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/r1cs_ppzksnark/prover.hpp (99%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/r1cs_ppzksnark/proving_key.hpp (100%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/r1cs_ppzksnark/verification_key.hpp (100%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/r1cs_ppzksnark/verifier.hpp (99%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/r1cs_se_ppzksnark.hpp (95%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/r1cs_se_ppzksnark/detail/basic_policy.hpp (96%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/r1cs_se_ppzksnark/generator.hpp (99%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/r1cs_se_ppzksnark/keypair.hpp (100%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/r1cs_se_ppzksnark/proof.hpp (100%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/r1cs_se_ppzksnark/prover.hpp (99%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/r1cs_se_ppzksnark/proving_key.hpp (100%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/r1cs_se_ppzksnark/verification_key.hpp (100%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/r1cs_se_ppzksnark/verifier.hpp (99%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/tbcs_ppzksnark.hpp (94%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/tbcs_ppzksnark/detail/basic_policy.hpp (97%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/tbcs_ppzksnark/generator.hpp (94%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/tbcs_ppzksnark/keypair.hpp (100%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/tbcs_ppzksnark/prover.hpp (97%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/tbcs_ppzksnark/proving_key.hpp (98%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/tbcs_ppzksnark/verifier.hpp (98%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/uscs_ppzksnark.hpp (95%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/uscs_ppzksnark/detail/basic_policy.hpp (96%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/uscs_ppzksnark/generator.hpp (99%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/uscs_ppzksnark/keypair.hpp (100%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/uscs_ppzksnark/proof.hpp (100%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/uscs_ppzksnark/prover.hpp (99%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/uscs_ppzksnark/proving_key.hpp (100%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/uscs_ppzksnark/verification_key.hpp (100%) rename include/nil/crypto3/zk/snark/{schemes => systems}/ppzksnark/uscs_ppzksnark/verifier.hpp (99%) rename test/{schemes => systems}/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/r1cs_mp_ppzkpcd.cpp (100%) rename test/{schemes => systems}/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/run_r1cs_mp_ppzkpcd.hpp (99%) rename test/{schemes => systems}/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/tally_cp.hpp (98%) rename test/{schemes => systems}/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/r1cs_sp_ppzkpcd.cpp (100%) rename test/{schemes => systems}/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/run_r1cs_sp_ppzkpcd.hpp (99%) rename test/{schemes => systems}/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/tally_cp.hpp (98%) create mode 100644 test/systems/plonk/pickles.cpp rename test/{schemes => systems}/ppzkadsnark/r1cs_ppzkadsnark/demo_r1cs_ppzkadsnark.cpp (97%) rename test/{schemes => systems}/ppzkadsnark/r1cs_ppzkadsnark/prf/aes_ctr_prf.hpp (98%) rename test/{schemes => systems}/ppzkadsnark/r1cs_ppzkadsnark/run_r1cs_ppzkadsnark.hpp (98%) rename test/{schemes => systems}/ppzkadsnark/r1cs_ppzkadsnark/signature/ed25519_signature.hpp (99%) rename test/{schemes => systems}/ppzksnark/bacs_ppzksnark/bacs_examples.hpp (99%) rename test/{schemes => systems}/ppzksnark/bacs_ppzksnark/bacs_ppzksnark.cpp (100%) rename test/{schemes => systems}/ppzksnark/bacs_ppzksnark/run_bacs_ppzksnark.hpp (98%) rename test/{schemes => systems}/ppzksnark/r1cs_examples.hpp (100%) rename test/{schemes => systems}/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark.cpp (100%) rename test/{schemes => systems}/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark_aggregation_conformity.cpp (99%) rename test/{schemes => systems}/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark_marshalling.cpp (95%) rename test/{schemes => systems}/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark_tvm_marshalling.cpp (95%) rename test/{schemes => systems}/ppzksnark/r1cs_gg_ppzksnark/run_r1cs_gg_ppzksnark.hpp (99%) rename test/{schemes => systems}/ppzksnark/r1cs_gg_ppzksnark/run_r1cs_gg_ppzksnark_marshalling.hpp (97%) rename test/{schemes => systems}/ppzksnark/r1cs_gg_ppzksnark/run_r1cs_gg_ppzksnark_tvm_marshalling.hpp (99%) rename test/{schemes => systems}/ppzksnark/r1cs_ppzksnark/r1cs_ppzksnark.cpp (100%) rename test/{schemes => systems}/ppzksnark/r1cs_ppzksnark/run_r1cs_ppzksnark.hpp (99%) rename test/{schemes => systems}/ppzksnark/r1cs_se_ppzksnark/r1cs_se_ppzksnark.cpp (100%) rename test/{schemes => systems}/ppzksnark/r1cs_se_ppzksnark/run_r1cs_se_ppzksnark.hpp (98%) rename test/{schemes => systems}/ppzksnark/ram_ppzksnark/ram_examples.hpp (100%) rename test/{schemes => systems}/ppzksnark/ram_ppzksnark/ram_ppzksnark.cpp (100%) rename test/{schemes => systems}/ppzksnark/ram_ppzksnark/run_ram_ppzksnark.hpp (97%) rename test/{schemes => systems}/ppzksnark/tbcs_ppzksnark/run_tbcs_ppzksnark.hpp (98%) rename test/{schemes => systems}/ppzksnark/tbcs_ppzksnark/tbcs_examples.hpp (99%) rename test/{schemes => systems}/ppzksnark/tbcs_ppzksnark/tbcs_ppzksnark.cpp (100%) rename test/{schemes => systems}/ppzksnark/uscs_ppzksnark/run_uscs_ppzksnark.hpp (98%) rename test/{schemes => systems}/ppzksnark/uscs_ppzksnark/uscs_examples.hpp (99%) rename test/{schemes => systems}/ppzksnark/uscs_ppzksnark/uscs_ppzksnark.cpp (100%) diff --git a/CMakeLists.txt b/CMakeLists.txt index c7c38b814..8f6a8cf44 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -56,41 +56,41 @@ list(APPEND ${CURRENT_PROJECT_NAME}_PUBLIC_HEADERS include/nil/crypto3/zk/snark/commitments/knowledge_commitment_multiexp.hpp include/nil/crypto3/zk/snark/commitments/knowledge_commitment.hpp - include/nil/crypto3/zk/snark/schemes/pcd/r1cs_pcd/compliance_predicate/compliance_predicate.hpp - include/nil/crypto3/zk/snark/schemes/pcd/r1cs_pcd/compliance_predicate/cp_handler.hpp + include/nil/crypto3/zk/snark/systems/pcd/r1cs_pcd/compliance_predicate/compliance_predicate.hpp + include/nil/crypto3/zk/snark/systems/pcd/r1cs_pcd/compliance_predicate/cp_handler.hpp - include/nil/crypto3/zk/snark/schemes/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/mp_pcd_circuits.hpp - include/nil/crypto3/zk/snark/schemes/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/r1cs_mp_ppzkpcd.hpp - include/nil/crypto3/zk/snark/schemes/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/r1cs_mp_ppzkpcd_params.hpp + include/nil/crypto3/zk/snark/systems/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/mp_pcd_circuits.hpp + include/nil/crypto3/zk/snark/systems/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/r1cs_mp_ppzkpcd.hpp + include/nil/crypto3/zk/snark/systems/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/r1cs_mp_ppzkpcd_params.hpp - include/nil/crypto3/zk/snark/schemes/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/r1cs_sp_ppzkpcd.hpp - include/nil/crypto3/zk/snark/schemes/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/r1cs_sp_ppzkpcd_params.hpp - include/nil/crypto3/zk/snark/schemes/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/sp_pcd_circuits.hpp - include/nil/crypto3/zk/snark/schemes/pcd/r1cs_pcd/ppzkpcd_compliance_predicate.hpp - include/nil/crypto3/zk/snark/schemes/pcd/r1cs_pcd/r1cs_pcd_params.hpp + include/nil/crypto3/zk/snark/systems/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/r1cs_sp_ppzkpcd.hpp + include/nil/crypto3/zk/snark/systems/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/r1cs_sp_ppzkpcd_params.hpp + include/nil/crypto3/zk/snark/systems/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/sp_pcd_circuits.hpp + include/nil/crypto3/zk/snark/systems/pcd/r1cs_pcd/ppzkpcd_compliance_predicate.hpp + include/nil/crypto3/zk/snark/systems/pcd/r1cs_pcd/r1cs_pcd_params.hpp - include/nil/crypto3/zk/snark/schemes/ppzkadsnark/r1cs_ppzkadsnark/r1cs_ppzkadsnark.hpp - include/nil/crypto3/zk/snark/schemes/ppzkadsnark/r1cs_ppzkadsnark/prf.hpp - include/nil/crypto3/zk/snark/schemes/ppzkadsnark/r1cs_ppzkadsnark/signature.hpp - include/nil/crypto3/zk/snark/schemes/detail/ppzkadsnark/r1cs_ppzkadsnark/basic_policy.hpp + include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/r1cs_ppzkadsnark.hpp + include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/prf.hpp + include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/signature.hpp + include/nil/crypto3/zk/snark/systems/detail/ppzkadsnark/r1cs_ppzkadsnark/basic_policy.hpp - include/nil/crypto3/zk/snark/schemes/ppzksnark/bacs_ppzksnark.hpp - include/nil/crypto3/zk/snark/schemes/detail/ppzksnark/bacs_ppzksnark/basic_policy.hpp + include/nil/crypto3/zk/snark/systems/ppzksnark/bacs_ppzksnark.hpp + include/nil/crypto3/zk/snark/systems/detail/ppzksnark/bacs_ppzksnark/basic_policy.hpp - include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark.hpp - include/nil/crypto3/zk/snark/schemes/detail/ppzksnark/r1cs_gg_ppzksnark/basic_policy.hpp + include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark.hpp + include/nil/crypto3/zk/snark/systems/detail/ppzksnark/r1cs_gg_ppzksnark/basic_policy.hpp - include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_ppzksnark.hpp - include/nil/crypto3/zk/snark/schemes/detail/ppzksnark/r1cs_ppzksnark/basic_policy.hpp + include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark.hpp + include/nil/crypto3/zk/snark/systems/detail/ppzksnark/r1cs_ppzksnark/basic_policy.hpp - include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_se_ppzksnark.hpp - include/nil/crypto3/zk/snark/schemes/detail/ppzksnark/r1cs_se_ppzksnark/basic_policy.hpp + include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark.hpp + include/nil/crypto3/zk/snark/systems/detail/ppzksnark/r1cs_se_ppzksnark/basic_policy.hpp - include/nil/crypto3/zk/snark/schemes/ppzksnark/tbcs_ppzksnark.hpp - include/nil/crypto3/zk/snark/schemes/detail/ppzksnark/tbcs_ppzksnark/basic_policy.hpp + include/nil/crypto3/zk/snark/systems/ppzksnark/tbcs_ppzksnark.hpp + include/nil/crypto3/zk/snark/systems/detail/ppzksnark/tbcs_ppzksnark/basic_policy.hpp - include/nil/crypto3/zk/snark/schemes/ppzksnark/uscs_ppzksnark.hpp - include/nil/crypto3/zk/snark/schemes/detail/ppzksnark/uscs_ppzksnark/basic_policy.hpp + include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark.hpp + include/nil/crypto3/zk/snark/systems/detail/ppzksnark/uscs_ppzksnark/basic_policy.hpp include/nil/crypto3/zk/snark/reductions/bacs_to_r1cs.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/pcd/r1cs_pcd/compliance_predicate.hpp b/include/nil/crypto3/zk/snark/systems/pcd/r1cs_pcd/compliance_predicate.hpp similarity index 100% rename from include/nil/crypto3/zk/snark/schemes/pcd/r1cs_pcd/compliance_predicate.hpp rename to include/nil/crypto3/zk/snark/systems/pcd/r1cs_pcd/compliance_predicate.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/pcd/r1cs_pcd/ppzkpcd_compliance_predicate.hpp b/include/nil/crypto3/zk/snark/systems/pcd/r1cs_pcd/ppzkpcd_compliance_predicate.hpp similarity index 97% rename from include/nil/crypto3/zk/snark/schemes/pcd/r1cs_pcd/ppzkpcd_compliance_predicate.hpp rename to include/nil/crypto3/zk/snark/systems/pcd/r1cs_pcd/ppzkpcd_compliance_predicate.hpp index ffd4b160c..db6f70d46 100644 --- a/include/nil/crypto3/zk/snark/schemes/pcd/r1cs_pcd/ppzkpcd_compliance_predicate.hpp +++ b/include/nil/crypto3/zk/snark/systems/pcd/r1cs_pcd/ppzkpcd_compliance_predicate.hpp @@ -28,7 +28,7 @@ #ifndef CRYPTO3_ZK_PPZKPCD_COMPLIANCE_PREDICATE_HPP #define CRYPTO3_ZK_PPZKPCD_COMPLIANCE_PREDICATE_HPP -#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/r1cs_mp_ppzkpcd.hpp b/include/nil/crypto3/zk/snark/systems/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/r1cs_mp_ppzkpcd.hpp similarity index 99% rename from include/nil/crypto3/zk/snark/schemes/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/r1cs_mp_ppzkpcd.hpp rename to include/nil/crypto3/zk/snark/systems/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/r1cs_mp_ppzkpcd.hpp index d28739eb6..965535eca 100644 --- a/include/nil/crypto3/zk/snark/schemes/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/r1cs_mp_ppzkpcd.hpp +++ b/include/nil/crypto3/zk/snark/systems/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/r1cs_mp_ppzkpcd.hpp @@ -59,10 +59,10 @@ #include -#include -#include +#include +#include -#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/r1cs_mp_ppzkpcd_params.hpp b/include/nil/crypto3/zk/snark/systems/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/r1cs_mp_ppzkpcd_params.hpp similarity index 95% rename from include/nil/crypto3/zk/snark/schemes/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/r1cs_mp_ppzkpcd_params.hpp rename to include/nil/crypto3/zk/snark/systems/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/r1cs_mp_ppzkpcd_params.hpp index 93aed7cea..68c6cb4ca 100644 --- a/include/nil/crypto3/zk/snark/schemes/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/r1cs_mp_ppzkpcd_params.hpp +++ b/include/nil/crypto3/zk/snark/systems/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/r1cs_mp_ppzkpcd_params.hpp @@ -28,8 +28,8 @@ #ifndef CRYPTO3_ZK_R1CS_MP_PPZKPCD_PARAMS_HPP #define CRYPTO3_ZK_R1CS_MP_PPZKPCD_PARAMS_HPP -#include -#include +#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/pcd/r1cs_pcd/r1cs_pcd_params.hpp b/include/nil/crypto3/zk/snark/systems/pcd/r1cs_pcd/r1cs_pcd_params.hpp similarity index 98% rename from include/nil/crypto3/zk/snark/schemes/pcd/r1cs_pcd/r1cs_pcd_params.hpp rename to include/nil/crypto3/zk/snark/systems/pcd/r1cs_pcd/r1cs_pcd_params.hpp index de3e7d818..477df4601 100644 --- a/include/nil/crypto3/zk/snark/schemes/pcd/r1cs_pcd/r1cs_pcd_params.hpp +++ b/include/nil/crypto3/zk/snark/systems/pcd/r1cs_pcd/r1cs_pcd_params.hpp @@ -29,7 +29,7 @@ #include #include -#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/r1cs_sp_ppzkpcd.hpp b/include/nil/crypto3/zk/snark/systems/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/r1cs_sp_ppzkpcd.hpp similarity index 99% rename from include/nil/crypto3/zk/snark/schemes/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/r1cs_sp_ppzkpcd.hpp rename to include/nil/crypto3/zk/snark/systems/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/r1cs_sp_ppzkpcd.hpp index e46006528..e4b3ca4e4 100644 --- a/include/nil/crypto3/zk/snark/schemes/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/r1cs_sp_ppzkpcd.hpp +++ b/include/nil/crypto3/zk/snark/systems/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/r1cs_sp_ppzkpcd.hpp @@ -58,8 +58,8 @@ #include -#include -#include +#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/r1cs_sp_ppzkpcd_params.hpp b/include/nil/crypto3/zk/snark/systems/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/r1cs_sp_ppzkpcd_params.hpp similarity index 95% rename from include/nil/crypto3/zk/snark/schemes/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/r1cs_sp_ppzkpcd_params.hpp rename to include/nil/crypto3/zk/snark/systems/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/r1cs_sp_ppzkpcd_params.hpp index e3855182d..f71b0bdd5 100644 --- a/include/nil/crypto3/zk/snark/schemes/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/r1cs_sp_ppzkpcd_params.hpp +++ b/include/nil/crypto3/zk/snark/systems/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/r1cs_sp_ppzkpcd_params.hpp @@ -28,8 +28,8 @@ #ifndef CRYPTO3_ZK_R1CS_SP_PPZKPCD_PARAMS_HPP #define CRYPTO3_ZK_R1CS_SP_PPZKPCD_PARAMS_HPP -#include -#include +#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/sp_pcd_circuits.hpp b/include/nil/crypto3/zk/snark/systems/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/sp_pcd_circuits.hpp similarity index 99% rename from include/nil/crypto3/zk/snark/schemes/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/sp_pcd_circuits.hpp rename to include/nil/crypto3/zk/snark/systems/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/sp_pcd_circuits.hpp index 9efee4eaa..057409050 100644 --- a/include/nil/crypto3/zk/snark/schemes/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/sp_pcd_circuits.hpp +++ b/include/nil/crypto3/zk/snark/systems/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/sp_pcd_circuits.hpp @@ -48,7 +48,7 @@ #include #include -#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/kate/params.hpp b/include/nil/crypto3/zk/snark/systems/plonk/kate/params.hpp similarity index 100% rename from include/nil/crypto3/zk/snark/schemes/plonk/kate/params.hpp rename to include/nil/crypto3/zk/snark/systems/plonk/kate/params.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/kate/proof.hpp b/include/nil/crypto3/zk/snark/systems/plonk/kate/proof.hpp similarity index 100% rename from include/nil/crypto3/zk/snark/schemes/plonk/kate/proof.hpp rename to include/nil/crypto3/zk/snark/systems/plonk/kate/proof.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/kate/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/kate/prover.hpp similarity index 100% rename from include/nil/crypto3/zk/snark/schemes/plonk/kate/prover.hpp rename to include/nil/crypto3/zk/snark/systems/plonk/kate/prover.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/kate/proving_key.hpp b/include/nil/crypto3/zk/snark/systems/plonk/kate/proving_key.hpp similarity index 100% rename from include/nil/crypto3/zk/snark/schemes/plonk/kate/proving_key.hpp rename to include/nil/crypto3/zk/snark/systems/plonk/kate/proving_key.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/kate/verification_key.hpp b/include/nil/crypto3/zk/snark/systems/plonk/kate/verification_key.hpp similarity index 100% rename from include/nil/crypto3/zk/snark/schemes/plonk/kate/verification_key.hpp rename to include/nil/crypto3/zk/snark/systems/plonk/kate/verification_key.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/kate/verifier.hpp b/include/nil/crypto3/zk/snark/systems/plonk/kate/verifier.hpp similarity index 100% rename from include/nil/crypto3/zk/snark/schemes/plonk/kate/verifier.hpp rename to include/nil/crypto3/zk/snark/systems/plonk/kate/verifier.hpp diff --git a/include/nil/crypto3/zk/snark/systems/plonk/pickles/proof.hpp b/include/nil/crypto3/zk/snark/systems/plonk/pickles/proof.hpp new file mode 100644 index 000000000..6a04786f0 --- /dev/null +++ b/include/nil/crypto3/zk/snark/systems/plonk/pickles/proof.hpp @@ -0,0 +1,78 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2018-2021 Mikhail Komarov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_PICKLES_PROOF_HPP +#define CRYPTO3_ZK_PICKLES_PROOF_HPP + +#include +#include +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + template + struct LookupCommitments { + std::vector> sorted; + PolyComm aggreg; + }; + + template + struct ProverCommitments { + // polynomial commitments + std::array, COLUMNS> w_comm; + PolyComm z_comm; + PolyComm t_comm; + LookupCommitments lookup; + } + + template + struct ProverProof { + typedef typename CurveType::scalar_group_type scalar_group_type; + // polynomial commitments + ProverCommitments commitments; + + // batched commitment opening proof + OpeningProof proof; + + // polynomial evaluations + // TODO(mimoo): that really should be a type Evals { z: PE, zw: PE } + std::array>, 2> evals; + + typename scalar_group_type::value_type ft_eval1; + + // public part of the witness + std::vector pub; + + // The challenges underlying the optional polynomials folded into the proof + std::vector, PolyComm>> + prev_challenges; + } + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_PROOF_HPP diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/generator.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/generator.hpp similarity index 99% rename from include/nil/crypto3/zk/snark/schemes/plonk/redshift/generator.hpp rename to include/nil/crypto3/zk/snark/systems/plonk/redshift/generator.hpp index 107b3bdf4..c6c453868 100644 --- a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/generator.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/generator.hpp @@ -39,7 +39,7 @@ #include #include #include -#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/params.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp similarity index 100% rename from include/nil/crypto3/zk/snark/schemes/plonk/redshift/params.hpp rename to include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/proof.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp similarity index 100% rename from include/nil/crypto3/zk/snark/schemes/plonk/redshift/proof.hpp rename to include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp similarity index 100% rename from include/nil/crypto3/zk/snark/schemes/plonk/redshift/prover.hpp rename to include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/proving_key.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/proving_key.hpp similarity index 100% rename from include/nil/crypto3/zk/snark/schemes/plonk/redshift/proving_key.hpp rename to include/nil/crypto3/zk/snark/systems/plonk/redshift/proving_key.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/types.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp similarity index 100% rename from include/nil/crypto3/zk/snark/schemes/plonk/redshift/types.hpp rename to include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/verification_key.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verification_key.hpp similarity index 100% rename from include/nil/crypto3/zk/snark/schemes/plonk/redshift/verification_key.hpp rename to include/nil/crypto3/zk/snark/systems/plonk/redshift/verification_key.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/redshift/verifier.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp similarity index 100% rename from include/nil/crypto3/zk/snark/schemes/plonk/redshift/verifier.hpp rename to include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp b/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp similarity index 99% rename from include/nil/crypto3/zk/snark/schemes/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp rename to include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp index b9a41c3ab..54b3a21fc 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp @@ -66,8 +66,8 @@ #include -#include -#include +#include +#include #include #include diff --git a/include/nil/crypto3/zk/snark/schemes/ppzkadsnark/r1cs_ppzkadsnark/r1cs_ppzkadsnark.hpp b/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/r1cs_ppzkadsnark.hpp similarity index 98% rename from include/nil/crypto3/zk/snark/schemes/ppzkadsnark/r1cs_ppzkadsnark/r1cs_ppzkadsnark.hpp rename to include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/r1cs_ppzkadsnark.hpp index 8db3cecc8..08dab2986 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzkadsnark/r1cs_ppzkadsnark/r1cs_ppzkadsnark.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/r1cs_ppzkadsnark.hpp @@ -26,7 +26,7 @@ #ifndef CRYPTO3_R1CS_PPZKADSNARK_POLICY_HPP #define CRYPTO3_R1CS_PPZKADSNARK_POLICY_HPP -#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/ppzkadsnark/r1cs_ppzkadsnark/signature.hpp b/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/signature.hpp similarity index 98% rename from include/nil/crypto3/zk/snark/schemes/ppzkadsnark/r1cs_ppzkadsnark/signature.hpp rename to include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/signature.hpp index 7aea4a92b..ff778f2b4 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzkadsnark/r1cs_ppzkadsnark/signature.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/signature.hpp @@ -28,7 +28,7 @@ #ifndef CRYPTO3_ZK_SIGNATURE_HPP #define CRYPTO3_ZK_SIGNATURE_HPP -#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/bacs_ppzksnark.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/bacs_ppzksnark.hpp similarity index 94% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/bacs_ppzksnark.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/bacs_ppzksnark.hpp index 300afa33e..6404bc9fb 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/bacs_ppzksnark.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/bacs_ppzksnark.hpp @@ -26,11 +26,11 @@ #ifndef CRYPTO3_ZK_BACS_PPZKSNARK_HPP #define CRYPTO3_ZK_BACS_PPZKSNARK_HPP -#include +#include -#include -#include -#include +#include +#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/bacs_ppzksnark/detail/basic_policy.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/bacs_ppzksnark/detail/basic_policy.hpp similarity index 97% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/bacs_ppzksnark/detail/basic_policy.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/bacs_ppzksnark/detail/basic_policy.hpp index 738c90fb7..0b8c9f3fd 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/bacs_ppzksnark/detail/basic_policy.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/bacs_ppzksnark/detail/basic_policy.hpp @@ -50,8 +50,8 @@ #ifndef CRYPTO3_ZK_BACS_PPZKSNARK_TYPES_POLICY_HPP #define CRYPTO3_ZK_BACS_PPZKSNARK_TYPES_POLICY_HPP -#include -#include +#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/bacs_ppzksnark/generator.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/bacs_ppzksnark/generator.hpp similarity index 96% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/bacs_ppzksnark/generator.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/bacs_ppzksnark/generator.hpp index d01500a11..9d3498216 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/bacs_ppzksnark/generator.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/bacs_ppzksnark/generator.hpp @@ -29,8 +29,8 @@ #include #include -#include -#include +#include +#include #include diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/bacs_ppzksnark/keypair.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/bacs_ppzksnark/keypair.hpp similarity index 100% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/bacs_ppzksnark/keypair.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/bacs_ppzksnark/keypair.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/bacs_ppzksnark/prover.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/bacs_ppzksnark/prover.hpp similarity index 97% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/bacs_ppzksnark/prover.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/bacs_ppzksnark/prover.hpp index 1684bac90..67a0c219c 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/bacs_ppzksnark/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/bacs_ppzksnark/prover.hpp @@ -29,8 +29,8 @@ #include #include -#include -#include +#include +#include #include diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/bacs_ppzksnark/proving_key.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/bacs_ppzksnark/proving_key.hpp similarity index 98% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/bacs_ppzksnark/proving_key.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/bacs_ppzksnark/proving_key.hpp index 1168d04bf..e69e323ac 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/bacs_ppzksnark/proving_key.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/bacs_ppzksnark/proving_key.hpp @@ -27,7 +27,7 @@ #define CRYPTO3_ZK_BACS_PPZKSNARK_PROVING_KEY_HPP #include -#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/bacs_ppzksnark/verifier.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/bacs_ppzksnark/verifier.hpp similarity index 98% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/bacs_ppzksnark/verifier.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/bacs_ppzksnark/verifier.hpp index 988015ebe..82110bc27 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/bacs_ppzksnark/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/bacs_ppzksnark/verifier.hpp @@ -27,9 +27,9 @@ #define CRYPTO3_ZK_BACS_PPZKSNARK_BASIC_VERIFIER_HPP #include -#include +#include -#include +#include #include diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark.hpp similarity index 96% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark.hpp index 5a8ad7ad7..20f7c4ba8 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark.hpp @@ -29,15 +29,15 @@ #include -#include - -#include -#include -#include -#include -#include -#include -#include +#include + +#include +#include +#include +#include +#include +#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/detail/basic_policy.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/detail/basic_policy.hpp similarity index 95% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/detail/basic_policy.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/detail/basic_policy.hpp index 21ee5b429..f3fdd1e36 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/detail/basic_policy.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/detail/basic_policy.hpp @@ -57,14 +57,14 @@ #ifndef CRYPTO3_R1CS_GG_PPZKSNARK_BASIC_POLICY_HPP #define CRYPTO3_R1CS_GG_PPZKSNARK_BASIC_POLICY_HPP -#include -#include -#include -#include -#include -#include -#include -#include +#include +#include +#include +#include +#include +#include +#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/generator.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/generator.hpp similarity index 99% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/generator.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/generator.hpp index e5eb65bfd..f8599aede 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/generator.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/generator.hpp @@ -39,7 +39,7 @@ #include #include #include -#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/ipp2/commitment.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/commitment.hpp similarity index 99% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/ipp2/commitment.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/commitment.hpp index 39a87b114..9105f5b85 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/ipp2/commitment.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/commitment.hpp @@ -23,7 +23,7 @@ // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE // SOFTWARE. //---------------------------------------------------------------------------// -// @file This module implements two binding commitment schemes used in the Groth16 +// @file This module implements two binding commitment systems used in the Groth16 // aggregation. // The first one is a commitment scheme that commits to a single vector $a$ of // length n in the second base group $G_1$ (for example): diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/ipp2/generator.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/generator.hpp similarity index 97% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/ipp2/generator.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/generator.hpp index db8d3f118..3a0be7983 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/ipp2/generator.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/generator.hpp @@ -26,8 +26,8 @@ #ifndef CRYPTO3_ZK_R1CS_GG_PPZKSNARK_IPP2_GENERATOR_HPP #define CRYPTO3_ZK_R1CS_GG_PPZKSNARK_IPP2_GENERATOR_HPP -#include -#include +#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp similarity index 98% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp index 057c994d9..6bccf56ce 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp @@ -31,8 +31,8 @@ #include #include -#include -#include +#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/ipp2/prover.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/prover.hpp similarity index 99% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/ipp2/prover.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/prover.hpp index 54d781e74..e88b579dc 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/ipp2/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/prover.hpp @@ -45,11 +45,11 @@ #include #include -#include -#include -#include -#include -#include +#include +#include +#include +#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/ipp2/srs.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/srs.hpp similarity index 98% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/ipp2/srs.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/srs.hpp index 85f04c32e..b363ba9e5 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/ipp2/srs.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/srs.hpp @@ -30,8 +30,8 @@ #include #include -#include -#include +#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/ipp2/transcript.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/transcript.hpp similarity index 100% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/ipp2/transcript.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/transcript.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/ipp2/verification_key.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/verification_key.hpp similarity index 98% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/ipp2/verification_key.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/verification_key.hpp index d1bc4e293..8b8803094 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/ipp2/verification_key.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/verification_key.hpp @@ -28,7 +28,7 @@ #include -#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/ipp2/verifier.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/verifier.hpp similarity index 99% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/ipp2/verifier.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/verifier.hpp index 31d752d0e..07acc8786 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/ipp2/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/verifier.hpp @@ -30,9 +30,9 @@ #include #include -#include -#include -#include +#include +#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/keypair.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/keypair.hpp similarity index 100% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/keypair.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/keypair.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/marshalling.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/marshalling.hpp similarity index 99% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/marshalling.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/marshalling.hpp index 452852fd7..9a1681f3b 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/marshalling.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/marshalling.hpp @@ -63,7 +63,7 @@ #include #include -#include +#include #include #include #include diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/modes.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/modes.hpp similarity index 100% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/modes.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/modes.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/proof.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/proof.hpp similarity index 100% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/proof.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/proof.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/prover.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/prover.hpp similarity index 99% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/prover.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/prover.hpp index 69d3c5c27..b98896435 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/prover.hpp @@ -37,7 +37,7 @@ #include #include #include -#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/proving_key.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/proving_key.hpp similarity index 100% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/proving_key.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/proving_key.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/verification_key.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verification_key.hpp similarity index 100% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/verification_key.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verification_key.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/verifier.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verifier.hpp similarity index 99% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/verifier.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verifier.hpp index fee718d37..4a6713add 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_gg_ppzksnark/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verifier.hpp @@ -56,7 +56,7 @@ #include #include #include -#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_ppzksnark.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark.hpp similarity index 95% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_ppzksnark.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark.hpp index 21f3146a3..c34c25564 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_ppzksnark.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark.hpp @@ -26,11 +26,11 @@ #ifndef CRYPTO3_ZK_R1CS_PPZKSNARK_HPP #define CRYPTO3_ZK_R1CS_PPZKSNARK_HPP -#include +#include -#include -#include -#include +#include +#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_ppzksnark/detail/basic_policy.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark/detail/basic_policy.hpp similarity index 96% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_ppzksnark/detail/basic_policy.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark/detail/basic_policy.hpp index 479d768d5..77be8c985 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_ppzksnark/detail/basic_policy.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark/detail/basic_policy.hpp @@ -63,10 +63,10 @@ #define CRYPTO3_R1CS_PPZKSNARK_TYPES_POLICY_HPP #include -#include -#include -#include -#include +#include +#include +#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_ppzksnark/generator.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark/generator.hpp similarity index 99% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_ppzksnark/generator.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark/generator.hpp index f20eb0a33..691f19ce7 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_ppzksnark/generator.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark/generator.hpp @@ -36,7 +36,7 @@ #include #include #include -#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_ppzksnark/keypair.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark/keypair.hpp similarity index 100% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_ppzksnark/keypair.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark/keypair.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_ppzksnark/proof.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark/proof.hpp similarity index 100% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_ppzksnark/proof.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark/proof.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_ppzksnark/prover.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark/prover.hpp similarity index 99% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_ppzksnark/prover.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark/prover.hpp index 6cc02395f..c10484369 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_ppzksnark/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark/prover.hpp @@ -37,7 +37,7 @@ #include #include #include -#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_ppzksnark/proving_key.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark/proving_key.hpp similarity index 100% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_ppzksnark/proving_key.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark/proving_key.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_ppzksnark/verification_key.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark/verification_key.hpp similarity index 100% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_ppzksnark/verification_key.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark/verification_key.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_ppzksnark/verifier.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark/verifier.hpp similarity index 99% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_ppzksnark/verifier.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark/verifier.hpp index 7b1fad0ee..83bd41066 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_ppzksnark/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark/verifier.hpp @@ -31,7 +31,7 @@ #include #include #include -#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_se_ppzksnark.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark.hpp similarity index 95% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_se_ppzksnark.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark.hpp index c8d427b37..745b316da 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_se_ppzksnark.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark.hpp @@ -26,11 +26,11 @@ #ifndef CRYPTO3_R1CS_SE_PPZKSNARK_HPP #define CRYPTO3_R1CS_SE_PPZKSNARK_HPP -#include +#include -#include -#include -#include +#include +#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_se_ppzksnark/detail/basic_policy.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/detail/basic_policy.hpp similarity index 96% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_se_ppzksnark/detail/basic_policy.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/detail/basic_policy.hpp index 211655f83..0beddaf91 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_se_ppzksnark/detail/basic_policy.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/detail/basic_policy.hpp @@ -67,10 +67,10 @@ #include #include -#include -#include -#include -#include +#include +#include +#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_se_ppzksnark/generator.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/generator.hpp similarity index 99% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_se_ppzksnark/generator.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/generator.hpp index b9b597394..b4542b9d9 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_se_ppzksnark/generator.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/generator.hpp @@ -33,7 +33,7 @@ #include #include -#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_se_ppzksnark/keypair.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/keypair.hpp similarity index 100% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_se_ppzksnark/keypair.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/keypair.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_se_ppzksnark/proof.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/proof.hpp similarity index 100% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_se_ppzksnark/proof.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/proof.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_se_ppzksnark/prover.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/prover.hpp similarity index 99% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_se_ppzksnark/prover.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/prover.hpp index b6aa3bb89..3dc29bfb4 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_se_ppzksnark/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/prover.hpp @@ -36,7 +36,7 @@ #include #include -#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_se_ppzksnark/proving_key.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/proving_key.hpp similarity index 100% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_se_ppzksnark/proving_key.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/proving_key.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_se_ppzksnark/verification_key.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verification_key.hpp similarity index 100% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_se_ppzksnark/verification_key.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verification_key.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_se_ppzksnark/verifier.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verifier.hpp similarity index 99% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_se_ppzksnark/verifier.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verifier.hpp index ad651379f..e72146530 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/r1cs_se_ppzksnark/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verifier.hpp @@ -34,7 +34,7 @@ #include #include -#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/tbcs_ppzksnark.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/tbcs_ppzksnark.hpp similarity index 94% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/tbcs_ppzksnark.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/tbcs_ppzksnark.hpp index 703ba5ac2..ccb1ca516 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/tbcs_ppzksnark.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/tbcs_ppzksnark.hpp @@ -26,11 +26,11 @@ #ifndef CRYPTO3_ZK_TBCS_PPZKSNARK_HPP #define CRYPTO3_ZK_TBCS_PPZKSNARK_HPP -#include +#include -#include -#include -#include +#include +#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/tbcs_ppzksnark/detail/basic_policy.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/tbcs_ppzksnark/detail/basic_policy.hpp similarity index 97% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/tbcs_ppzksnark/detail/basic_policy.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/tbcs_ppzksnark/detail/basic_policy.hpp index e8a4d09e8..a4a954f81 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/tbcs_ppzksnark/detail/basic_policy.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/tbcs_ppzksnark/detail/basic_policy.hpp @@ -50,8 +50,8 @@ #ifndef CRYPTO3_ZK_TBCS_PPZKSNARK_TYPES_POLICY_HPP #define CRYPTO3_ZK_TBCS_PPZKSNARK_TYPES_POLICY_HPP -#include -#include +#include +#include #include #include diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/tbcs_ppzksnark/generator.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/tbcs_ppzksnark/generator.hpp similarity index 94% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/tbcs_ppzksnark/generator.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/tbcs_ppzksnark/generator.hpp index 49b503da5..b8d5ce34f 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/tbcs_ppzksnark/generator.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/tbcs_ppzksnark/generator.hpp @@ -27,10 +27,10 @@ #define CRYPTO3_ZK_TBCS_PPZKSNARK_BASIC_GENERATOR_HPP #include -#include +#include #include -#include -#include +#include +#include #include diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/tbcs_ppzksnark/keypair.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/tbcs_ppzksnark/keypair.hpp similarity index 100% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/tbcs_ppzksnark/keypair.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/tbcs_ppzksnark/keypair.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/tbcs_ppzksnark/prover.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/tbcs_ppzksnark/prover.hpp similarity index 97% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/tbcs_ppzksnark/prover.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/tbcs_ppzksnark/prover.hpp index 9fa23aeb0..69b489c4e 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/tbcs_ppzksnark/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/tbcs_ppzksnark/prover.hpp @@ -28,8 +28,8 @@ #include #include -#include -#include +#include +#include #include namespace nil { diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/tbcs_ppzksnark/proving_key.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/tbcs_ppzksnark/proving_key.hpp similarity index 98% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/tbcs_ppzksnark/proving_key.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/tbcs_ppzksnark/proving_key.hpp index acb665495..f598cf639 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/tbcs_ppzksnark/proving_key.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/tbcs_ppzksnark/proving_key.hpp @@ -26,7 +26,7 @@ #ifndef CRYPTO3_TBCS_PPZKSNARK_PROVING_KEY_HPP #define CRYPTO3_TBCS_PPZKSNARK_PROVING_KEY_HPP -#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/tbcs_ppzksnark/verifier.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/tbcs_ppzksnark/verifier.hpp similarity index 98% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/tbcs_ppzksnark/verifier.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/tbcs_ppzksnark/verifier.hpp index 7a5bf4f4f..05e4e0564 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/tbcs_ppzksnark/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/tbcs_ppzksnark/verifier.hpp @@ -28,8 +28,8 @@ #include #include -#include -#include +#include +#include #include namespace nil { diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/uscs_ppzksnark.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark.hpp similarity index 95% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/uscs_ppzksnark.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark.hpp index 5e34a80cb..3a71a6149 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/uscs_ppzksnark.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark.hpp @@ -26,11 +26,11 @@ #ifndef CRYPTO3_USCS_PPZKSNARK_HPP #define CRYPTO3_USCS_PPZKSNARK_HPP -#include +#include -#include -#include -#include +#include +#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/uscs_ppzksnark/detail/basic_policy.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/detail/basic_policy.hpp similarity index 96% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/uscs_ppzksnark/detail/basic_policy.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/detail/basic_policy.hpp index ddbb12722..78ab61a06 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/uscs_ppzksnark/detail/basic_policy.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/detail/basic_policy.hpp @@ -64,10 +64,10 @@ #include #include -#include -#include -#include -#include +#include +#include +#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/uscs_ppzksnark/generator.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/generator.hpp similarity index 99% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/uscs_ppzksnark/generator.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/generator.hpp index bfb903114..843fc3116 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/uscs_ppzksnark/generator.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/generator.hpp @@ -32,7 +32,7 @@ #include #include #include -#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/uscs_ppzksnark/keypair.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/keypair.hpp similarity index 100% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/uscs_ppzksnark/keypair.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/keypair.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/uscs_ppzksnark/proof.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/proof.hpp similarity index 100% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/uscs_ppzksnark/proof.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/proof.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/uscs_ppzksnark/prover.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/prover.hpp similarity index 99% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/uscs_ppzksnark/prover.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/prover.hpp index 3c62aea1c..9dc503708 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/uscs_ppzksnark/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/prover.hpp @@ -37,7 +37,7 @@ #include #include #include -#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/uscs_ppzksnark/proving_key.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/proving_key.hpp similarity index 100% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/uscs_ppzksnark/proving_key.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/proving_key.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/uscs_ppzksnark/verification_key.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/verification_key.hpp similarity index 100% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/uscs_ppzksnark/verification_key.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/verification_key.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/ppzksnark/uscs_ppzksnark/verifier.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/verifier.hpp similarity index 99% rename from include/nil/crypto3/zk/snark/schemes/ppzksnark/uscs_ppzksnark/verifier.hpp rename to include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/verifier.hpp index 9c1c4b2d7..8c71373ff 100644 --- a/include/nil/crypto3/zk/snark/schemes/ppzksnark/uscs_ppzksnark/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/verifier.hpp @@ -34,7 +34,7 @@ #include #include #include -#include +#include namespace nil { namespace crypto3 { diff --git a/perf/proof_systems/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/profile_r1cs_mp_ppzkpcd.cpp b/perf/proof_systems/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/profile_r1cs_mp_ppzkpcd.cpp index 00bb2cb18..7613a1823 100644 --- a/perf/proof_systems/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/profile_r1cs_mp_ppzkpcd.cpp +++ b/perf/proof_systems/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/profile_r1cs_mp_ppzkpcd.cpp @@ -24,8 +24,8 @@ //---------------------------------------------------------------------------// #include -#include -#include +#include +#include using namespace nil::crypto3::zk::snark; diff --git a/perf/proof_systems/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/profile_r1cs_sp_ppzkpcd.cpp b/perf/proof_systems/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/profile_r1cs_sp_ppzkpcd.cpp index f9d685af4..48e3a0ebd 100644 --- a/perf/proof_systems/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/profile_r1cs_sp_ppzkpcd.cpp +++ b/perf/proof_systems/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/profile_r1cs_sp_ppzkpcd.cpp @@ -24,8 +24,8 @@ //---------------------------------------------------------------------------// #include -#include -#include +#include +#include using namespace nil::crypto3::zk::snark; diff --git a/perf/proof_systems/ppzksnark/bacs_ppzksnark/profile_bacs_ppzksnark.cpp b/perf/proof_systems/ppzksnark/bacs_ppzksnark/profile_bacs_ppzksnark.cpp index 86b21d7d2..0578492dd 100644 --- a/perf/proof_systems/ppzksnark/bacs_ppzksnark/profile_bacs_ppzksnark.cpp +++ b/perf/proof_systems/ppzksnark/bacs_ppzksnark/profile_bacs_ppzksnark.cpp @@ -27,7 +27,7 @@ #include #include -#include +#include using namespace nil::crypto3::zk::snark; diff --git a/perf/proof_systems/ppzksnark/r1cs_gg_ppzksnark/profile_r1cs_gg_ppzksnark.cpp b/perf/proof_systems/ppzksnark/r1cs_gg_ppzksnark/profile_r1cs_gg_ppzksnark.cpp index 90e80bcb2..309f8e588 100644 --- a/perf/proof_systems/ppzksnark/r1cs_gg_ppzksnark/profile_r1cs_gg_ppzksnark.cpp +++ b/perf/proof_systems/ppzksnark/r1cs_gg_ppzksnark/profile_r1cs_gg_ppzksnark.cpp @@ -28,7 +28,7 @@ #include #include -#include +#include using namespace nil::crypto3::zk::snark; diff --git a/perf/proof_systems/ppzksnark/r1cs_ppzksnark/profile_r1cs_ppzksnark.cpp b/perf/proof_systems/ppzksnark/r1cs_ppzksnark/profile_r1cs_ppzksnark.cpp index ce06e0fcb..a89df0e23 100644 --- a/perf/proof_systems/ppzksnark/r1cs_ppzksnark/profile_r1cs_ppzksnark.cpp +++ b/perf/proof_systems/ppzksnark/r1cs_ppzksnark/profile_r1cs_ppzksnark.cpp @@ -28,7 +28,7 @@ #include #include -#include +#include using namespace nil::crypto3::zk::snark; diff --git a/perf/proof_systems/ppzksnark/r1cs_se_ppzksnark/profile_r1cs_se_ppzksnark.cpp b/perf/proof_systems/ppzksnark/r1cs_se_ppzksnark/profile_r1cs_se_ppzksnark.cpp index 6d1f702b5..7d3e2185a 100644 --- a/perf/proof_systems/ppzksnark/r1cs_se_ppzksnark/profile_r1cs_se_ppzksnark.cpp +++ b/perf/proof_systems/ppzksnark/r1cs_se_ppzksnark/profile_r1cs_se_ppzksnark.cpp @@ -28,7 +28,7 @@ #include #include -#include +#include using namespace nil::crypto3::zk::snark; diff --git a/perf/proof_systems/ppzksnark/ram_ppzksnark/profile_ram_ppzksnark.cpp b/perf/proof_systems/ppzksnark/ram_ppzksnark/profile_ram_ppzksnark.cpp index dcde6d3fc..48f4b4a31 100644 --- a/perf/proof_systems/ppzksnark/ram_ppzksnark/profile_ram_ppzksnark.cpp +++ b/perf/proof_systems/ppzksnark/ram_ppzksnark/profile_ram_ppzksnark.cpp @@ -33,7 +33,7 @@ #include #include #include -#include +#include using namespace nil::crypto3::zk::snark; diff --git a/perf/proof_systems/ppzksnark/tbcs_ppzksnark/profile_tbcs_ppzksnark.cpp b/perf/proof_systems/ppzksnark/tbcs_ppzksnark/profile_tbcs_ppzksnark.cpp index 97a16a9b1..2c14c0098 100644 --- a/perf/proof_systems/ppzksnark/tbcs_ppzksnark/profile_tbcs_ppzksnark.cpp +++ b/perf/proof_systems/ppzksnark/tbcs_ppzksnark/profile_tbcs_ppzksnark.cpp @@ -27,7 +27,7 @@ #include #include -#include +#include using namespace nil::crypto3::zk::snark; diff --git a/perf/proof_systems/ppzksnark/uscs_ppzksnark/profile_uscs_ppzksnark.cpp b/perf/proof_systems/ppzksnark/uscs_ppzksnark/profile_uscs_ppzksnark.cpp index 9c0d1123f..b160b6ea2 100644 --- a/perf/proof_systems/ppzksnark/uscs_ppzksnark/profile_uscs_ppzksnark.cpp +++ b/perf/proof_systems/ppzksnark/uscs_ppzksnark/profile_uscs_ppzksnark.cpp @@ -28,7 +28,7 @@ #include #include -#include +#include using namespace nil::crypto3::zk::snark; diff --git a/perf/proof_systems/zksnark/ram_zksnark/profile_ram_zksnark.cpp b/perf/proof_systems/zksnark/ram_zksnark/profile_ram_zksnark.cpp index f2ab89512..dc949bceb 100644 --- a/perf/proof_systems/zksnark/ram_zksnark/profile_ram_zksnark.cpp +++ b/perf/proof_systems/zksnark/ram_zksnark/profile_ram_zksnark.cpp @@ -29,8 +29,8 @@ #include #include #include -#include -#include +#include +#include using namespace nil::crypto3::zk::snark; diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt index 9deedcf7d..6df650aef 100644 --- a/test/CMakeLists.txt +++ b/test/CMakeLists.txt @@ -53,19 +53,21 @@ set(TESTS_NAMES "relations/numeric/sap" "relations/numeric/ssp" - "schemes/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/r1cs_mp_ppzkpcd" - "schemes/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/r1cs_sp_ppzkpcd" - - "schemes/ppzksnark/bacs_ppzksnark/bacs_ppzksnark" - "schemes/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark" - "schemes/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark_marshalling" - "schemes/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark_tvm_marshalling" - "schemes/ppzksnark/r1cs_ppzksnark/r1cs_ppzksnark" - "schemes/ppzksnark/r1cs_se_ppzksnark/r1cs_se_ppzksnark" - "schemes/ppzksnark/ram_ppzksnark/ram_ppzksnark" - "schemes/ppzksnark/tbcs_ppzksnark/tbcs_ppzksnark" - "schemes/ppzksnark/uscs_ppzksnark/uscs_ppzksnark" - "schemes/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark_aggregation_conformity") + "systems/plonk/pickles" + + "systems/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/r1cs_mp_ppzkpcd" + "systems/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/r1cs_sp_ppzkpcd" + + "systems/ppzksnark/bacs_ppzksnark/bacs_ppzksnark" + "systems/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark" + "systems/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark_marshalling" + "systems/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark_tvm_marshalling" + "systems/ppzksnark/r1cs_ppzksnark/r1cs_ppzksnark" + "systems/ppzksnark/r1cs_se_ppzksnark/r1cs_se_ppzksnark" + "systems/ppzksnark/ram_ppzksnark/ram_ppzksnark" + "systems/ppzksnark/tbcs_ppzksnark/tbcs_ppzksnark" + "systems/ppzksnark/uscs_ppzksnark/uscs_ppzksnark" + "systems/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark_aggregation_conformity") foreach(TEST_NAME ${TESTS_NAMES}) define_zk_test(${TEST_NAME}) diff --git a/test/relations/numeric/sap.cpp b/test/relations/numeric/sap.cpp index 363f35dcd..91ba7c4db 100644 --- a/test/relations/numeric/sap.cpp +++ b/test/relations/numeric/sap.cpp @@ -50,7 +50,7 @@ #include #include -#include +#include using namespace nil::crypto3::zk::snark; using namespace nil::crypto3::algebra; diff --git a/test/schemes/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/r1cs_mp_ppzkpcd.cpp b/test/systems/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/r1cs_mp_ppzkpcd.cpp similarity index 100% rename from test/schemes/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/r1cs_mp_ppzkpcd.cpp rename to test/systems/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/r1cs_mp_ppzkpcd.cpp diff --git a/test/schemes/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/run_r1cs_mp_ppzkpcd.hpp b/test/systems/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/run_r1cs_mp_ppzkpcd.hpp similarity index 99% rename from test/schemes/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/run_r1cs_mp_ppzkpcd.hpp rename to test/systems/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/run_r1cs_mp_ppzkpcd.hpp index bc614c983..bb107288c 100644 --- a/test/schemes/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/run_r1cs_mp_ppzkpcd.hpp +++ b/test/systems/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/run_r1cs_mp_ppzkpcd.hpp @@ -34,7 +34,7 @@ #include "tally_cp.hpp" -#include +#include namespace nil { namespace crypto3 { diff --git a/test/schemes/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/tally_cp.hpp b/test/systems/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/tally_cp.hpp similarity index 98% rename from test/schemes/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/tally_cp.hpp rename to test/systems/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/tally_cp.hpp index cde743e32..856229715 100644 --- a/test/schemes/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/tally_cp.hpp +++ b/test/systems/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/tally_cp.hpp @@ -29,8 +29,8 @@ // (2) it enables us to test r1cs_pcd functionalities. // // See -// - snark/schemes/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/examples/run_r1cs_sp_ppzkpcd.hpp -// - snark/schemes/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/examples/run_r1cs_mp_ppzkpcd.hpp +// - snark/systems/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/examples/run_r1cs_sp_ppzkpcd.hpp +// - snark/systems/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/examples/run_r1cs_mp_ppzkpcd.hpp // for code that uses the tally compliance predicate. //---------------------------------------------------------------------------// @@ -39,8 +39,8 @@ #include -#include -#include +#include +#include namespace nil { namespace crypto3 { diff --git a/test/schemes/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/r1cs_sp_ppzkpcd.cpp b/test/systems/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/r1cs_sp_ppzkpcd.cpp similarity index 100% rename from test/schemes/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/r1cs_sp_ppzkpcd.cpp rename to test/systems/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/r1cs_sp_ppzkpcd.cpp diff --git a/test/schemes/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/run_r1cs_sp_ppzkpcd.hpp b/test/systems/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/run_r1cs_sp_ppzkpcd.hpp similarity index 99% rename from test/schemes/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/run_r1cs_sp_ppzkpcd.hpp rename to test/systems/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/run_r1cs_sp_ppzkpcd.hpp index 466f06c8e..ea9e871c7 100644 --- a/test/schemes/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/run_r1cs_sp_ppzkpcd.hpp +++ b/test/systems/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/run_r1cs_sp_ppzkpcd.hpp @@ -34,7 +34,7 @@ #include "tally_cp.hpp" -#include +#include namespace nil { namespace crypto3 { diff --git a/test/schemes/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/tally_cp.hpp b/test/systems/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/tally_cp.hpp similarity index 98% rename from test/schemes/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/tally_cp.hpp rename to test/systems/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/tally_cp.hpp index dd176ca1e..4c2eca7f3 100644 --- a/test/schemes/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/tally_cp.hpp +++ b/test/systems/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/tally_cp.hpp @@ -29,8 +29,8 @@ // (2) it enables us to test r1cs_pcd functionalities. // // See -// - snark/schemes/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/examples/run_r1cs_sp_ppzkpcd.hpp -// - snark/schemes/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/examples/run_r1cs_mp_ppzkpcd.hpp +// - snark/systems/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/examples/run_r1cs_sp_ppzkpcd.hpp +// - snark/systems/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/examples/run_r1cs_mp_ppzkpcd.hpp // for code that uses the tally compliance predicate. //---------------------------------------------------------------------------// @@ -39,8 +39,8 @@ #include -#include -#include +#include +#include namespace nil { namespace crypto3 { diff --git a/test/systems/plonk/pickles.cpp b/test/systems/plonk/pickles.cpp new file mode 100644 index 000000000..7a5899472 --- /dev/null +++ b/test/systems/plonk/pickles.cpp @@ -0,0 +1,45 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#define BOOST_TEST_MODULE pickles_test + +#include + +#include +#include +#include + +#include + +using namespace nil::crypto3; +using namespace nil::crypto3::algebra; +using namespace nil::marshalling; + +BOOST_AUTO_TEST_SUITE(pickles_proof_generation_test_suite) + +BOOST_AUTO_TEST_SUITE_END() + +BOOST_AUTO_TEST_SUITE(pickles_proof_verification_test_suite) + +BOOST_AUTO_TEST_SUITE_END() \ No newline at end of file diff --git a/test/schemes/ppzkadsnark/r1cs_ppzkadsnark/demo_r1cs_ppzkadsnark.cpp b/test/systems/ppzkadsnark/r1cs_ppzkadsnark/demo_r1cs_ppzkadsnark.cpp similarity index 97% rename from test/schemes/ppzkadsnark/r1cs_ppzkadsnark/demo_r1cs_ppzkadsnark.cpp rename to test/systems/ppzkadsnark/r1cs_ppzkadsnark/demo_r1cs_ppzkadsnark.cpp index 77d8c8954..415c9c6fa 100644 --- a/test/schemes/ppzkadsnark/r1cs_ppzkadsnark/demo_r1cs_ppzkadsnark.cpp +++ b/test/systems/ppzkadsnark/r1cs_ppzkadsnark/demo_r1cs_ppzkadsnark.cpp @@ -29,7 +29,7 @@ #include #include -#include +#include using namespace nil::crypto3::zk::snark; diff --git a/test/schemes/ppzkadsnark/r1cs_ppzkadsnark/prf/aes_ctr_prf.hpp b/test/systems/ppzkadsnark/r1cs_ppzkadsnark/prf/aes_ctr_prf.hpp similarity index 98% rename from test/schemes/ppzkadsnark/r1cs_ppzkadsnark/prf/aes_ctr_prf.hpp rename to test/systems/ppzkadsnark/r1cs_ppzkadsnark/prf/aes_ctr_prf.hpp index ea9373c60..29e53fed3 100644 --- a/test/schemes/ppzkadsnark/r1cs_ppzkadsnark/prf/aes_ctr_prf.hpp +++ b/test/systems/ppzkadsnark/r1cs_ppzkadsnark/prf/aes_ctr_prf.hpp @@ -26,7 +26,7 @@ #ifndef CRYPTO3_ZK_AESCTRPRF_HPP #define CRYPTO3_ZK_RUN_R1CS_MP_PPZKPCD_HPP -#include +#include namespace nil { namespace crypto3 { diff --git a/test/schemes/ppzkadsnark/r1cs_ppzkadsnark/run_r1cs_ppzkadsnark.hpp b/test/systems/ppzkadsnark/r1cs_ppzkadsnark/run_r1cs_ppzkadsnark.hpp similarity index 98% rename from test/schemes/ppzkadsnark/r1cs_ppzkadsnark/run_r1cs_ppzkadsnark.hpp rename to test/systems/ppzkadsnark/r1cs_ppzkadsnark/run_r1cs_ppzkadsnark.hpp index 51612ad6c..7e8f933cf 100644 --- a/test/schemes/ppzkadsnark/r1cs_ppzkadsnark/run_r1cs_ppzkadsnark.hpp +++ b/test/systems/ppzkadsnark/r1cs_ppzkadsnark/run_r1cs_ppzkadsnark.hpp @@ -27,7 +27,7 @@ #define CRYPTO3_RUN_R1CS_PPZKADSNARK_HPP #include -#include +#include namespace nil { namespace crypto3 { diff --git a/test/schemes/ppzkadsnark/r1cs_ppzkadsnark/signature/ed25519_signature.hpp b/test/systems/ppzkadsnark/r1cs_ppzkadsnark/signature/ed25519_signature.hpp similarity index 99% rename from test/schemes/ppzkadsnark/r1cs_ppzkadsnark/signature/ed25519_signature.hpp rename to test/systems/ppzkadsnark/r1cs_ppzkadsnark/signature/ed25519_signature.hpp index 94ac2d981..5db199921 100644 --- a/test/schemes/ppzkadsnark/r1cs_ppzkadsnark/signature/ed25519_signature.hpp +++ b/test/systems/ppzkadsnark/r1cs_ppzkadsnark/signature/ed25519_signature.hpp @@ -26,7 +26,7 @@ #ifndef CRYPTO3_ZK_ED25519SIG_HPP #define CRYPTO3_ZK_ED25519SIG_HPP -#include +#include namespace nil { namespace crypto3 { diff --git a/test/schemes/ppzksnark/bacs_ppzksnark/bacs_examples.hpp b/test/systems/ppzksnark/bacs_ppzksnark/bacs_examples.hpp similarity index 99% rename from test/schemes/ppzksnark/bacs_ppzksnark/bacs_examples.hpp rename to test/systems/ppzksnark/bacs_ppzksnark/bacs_examples.hpp index da7a232f1..dba606b5d 100644 --- a/test/schemes/ppzksnark/bacs_ppzksnark/bacs_examples.hpp +++ b/test/systems/ppzksnark/bacs_ppzksnark/bacs_examples.hpp @@ -30,7 +30,7 @@ #define CRYPTO3_BACS_EXAMPLES_HPP #include -#include +#include #include diff --git a/test/schemes/ppzksnark/bacs_ppzksnark/bacs_ppzksnark.cpp b/test/systems/ppzksnark/bacs_ppzksnark/bacs_ppzksnark.cpp similarity index 100% rename from test/schemes/ppzksnark/bacs_ppzksnark/bacs_ppzksnark.cpp rename to test/systems/ppzksnark/bacs_ppzksnark/bacs_ppzksnark.cpp diff --git a/test/schemes/ppzksnark/bacs_ppzksnark/run_bacs_ppzksnark.hpp b/test/systems/ppzksnark/bacs_ppzksnark/run_bacs_ppzksnark.hpp similarity index 98% rename from test/schemes/ppzksnark/bacs_ppzksnark/run_bacs_ppzksnark.hpp rename to test/systems/ppzksnark/bacs_ppzksnark/run_bacs_ppzksnark.hpp index e6f9205f0..cbb136ec2 100644 --- a/test/schemes/ppzksnark/bacs_ppzksnark/run_bacs_ppzksnark.hpp +++ b/test/systems/ppzksnark/bacs_ppzksnark/run_bacs_ppzksnark.hpp @@ -28,7 +28,7 @@ #include "bacs_examples.hpp" -#include +#include #include "../r1cs_examples.hpp" diff --git a/test/schemes/ppzksnark/r1cs_examples.hpp b/test/systems/ppzksnark/r1cs_examples.hpp similarity index 100% rename from test/schemes/ppzksnark/r1cs_examples.hpp rename to test/systems/ppzksnark/r1cs_examples.hpp diff --git a/test/schemes/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark.cpp b/test/systems/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark.cpp similarity index 100% rename from test/schemes/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark.cpp rename to test/systems/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark.cpp diff --git a/test/schemes/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark_aggregation_conformity.cpp b/test/systems/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark_aggregation_conformity.cpp similarity index 99% rename from test/schemes/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark_aggregation_conformity.cpp rename to test/systems/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark_aggregation_conformity.cpp index 0b67dfaf0..c4057873a 100644 --- a/test/schemes/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark_aggregation_conformity.cpp +++ b/test/systems/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark_aggregation_conformity.cpp @@ -45,12 +45,12 @@ #include #include -#include -#include -#include -#include -#include -#include +#include +#include +#include +#include +#include +#include #include #include diff --git a/test/schemes/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark_marshalling.cpp b/test/systems/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark_marshalling.cpp similarity index 95% rename from test/schemes/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark_marshalling.cpp rename to test/systems/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark_marshalling.cpp index 9214e9f29..dbf13fadf 100644 --- a/test/schemes/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark_marshalling.cpp +++ b/test/systems/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark_marshalling.cpp @@ -43,8 +43,8 @@ #include #include -#include -#include +#include +#include using namespace nil::crypto3::zk::snark; using namespace nil::crypto3::algebra; diff --git a/test/schemes/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark_tvm_marshalling.cpp b/test/systems/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark_tvm_marshalling.cpp similarity index 95% rename from test/schemes/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark_tvm_marshalling.cpp rename to test/systems/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark_tvm_marshalling.cpp index 211ebbcd7..095ffc7d0 100644 --- a/test/schemes/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark_tvm_marshalling.cpp +++ b/test/systems/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark_tvm_marshalling.cpp @@ -45,8 +45,8 @@ #include "run_r1cs_gg_ppzksnark_tvm_marshalling.hpp" -#include -#include +#include +#include using namespace nil::crypto3::zk::snark; using namespace nil::crypto3::algebra; diff --git a/test/schemes/ppzksnark/r1cs_gg_ppzksnark/run_r1cs_gg_ppzksnark.hpp b/test/systems/ppzksnark/r1cs_gg_ppzksnark/run_r1cs_gg_ppzksnark.hpp similarity index 99% rename from test/schemes/ppzksnark/r1cs_gg_ppzksnark/run_r1cs_gg_ppzksnark.hpp rename to test/systems/ppzksnark/r1cs_gg_ppzksnark/run_r1cs_gg_ppzksnark.hpp index ad42b8f3d..ad50362c5 100644 --- a/test/schemes/ppzksnark/r1cs_gg_ppzksnark/run_r1cs_gg_ppzksnark.hpp +++ b/test/systems/ppzksnark/r1cs_gg_ppzksnark/run_r1cs_gg_ppzksnark.hpp @@ -31,7 +31,7 @@ #include -#include +#include #include "../r1cs_examples.hpp" diff --git a/test/schemes/ppzksnark/r1cs_gg_ppzksnark/run_r1cs_gg_ppzksnark_marshalling.hpp b/test/systems/ppzksnark/r1cs_gg_ppzksnark/run_r1cs_gg_ppzksnark_marshalling.hpp similarity index 97% rename from test/schemes/ppzksnark/r1cs_gg_ppzksnark/run_r1cs_gg_ppzksnark_marshalling.hpp rename to test/systems/ppzksnark/r1cs_gg_ppzksnark/run_r1cs_gg_ppzksnark_marshalling.hpp index 2bcd8064e..75492f0e7 100644 --- a/test/schemes/ppzksnark/r1cs_gg_ppzksnark/run_r1cs_gg_ppzksnark_marshalling.hpp +++ b/test/systems/ppzksnark/r1cs_gg_ppzksnark/run_r1cs_gg_ppzksnark_marshalling.hpp @@ -29,12 +29,12 @@ #ifndef CRYPTO3_RUN_R1CS_GG_PPZKSNARK_MARSHALLING_HPP #define CRYPTO3_RUN_R1CS_GG_PPZKSNARK_MARSHALLING_HPP -#include +#include #include #include #include -#include +#include #include "../r1cs_examples.hpp" diff --git a/test/schemes/ppzksnark/r1cs_gg_ppzksnark/run_r1cs_gg_ppzksnark_tvm_marshalling.hpp b/test/systems/ppzksnark/r1cs_gg_ppzksnark/run_r1cs_gg_ppzksnark_tvm_marshalling.hpp similarity index 99% rename from test/schemes/ppzksnark/r1cs_gg_ppzksnark/run_r1cs_gg_ppzksnark_tvm_marshalling.hpp rename to test/systems/ppzksnark/r1cs_gg_ppzksnark/run_r1cs_gg_ppzksnark_tvm_marshalling.hpp index 909a7f2a4..05f4637a7 100644 --- a/test/schemes/ppzksnark/r1cs_gg_ppzksnark/run_r1cs_gg_ppzksnark_tvm_marshalling.hpp +++ b/test/systems/ppzksnark/r1cs_gg_ppzksnark/run_r1cs_gg_ppzksnark_tvm_marshalling.hpp @@ -31,12 +31,12 @@ #include -#include +#include #include #include #include -#include +#include #include #include "../r1cs_examples.hpp" diff --git a/test/schemes/ppzksnark/r1cs_ppzksnark/r1cs_ppzksnark.cpp b/test/systems/ppzksnark/r1cs_ppzksnark/r1cs_ppzksnark.cpp similarity index 100% rename from test/schemes/ppzksnark/r1cs_ppzksnark/r1cs_ppzksnark.cpp rename to test/systems/ppzksnark/r1cs_ppzksnark/r1cs_ppzksnark.cpp diff --git a/test/schemes/ppzksnark/r1cs_ppzksnark/run_r1cs_ppzksnark.hpp b/test/systems/ppzksnark/r1cs_ppzksnark/run_r1cs_ppzksnark.hpp similarity index 99% rename from test/schemes/ppzksnark/r1cs_ppzksnark/run_r1cs_ppzksnark.hpp rename to test/systems/ppzksnark/r1cs_ppzksnark/run_r1cs_ppzksnark.hpp index c4d077041..dc5fb85e7 100644 --- a/test/schemes/ppzksnark/r1cs_ppzksnark/run_r1cs_ppzksnark.hpp +++ b/test/systems/ppzksnark/r1cs_ppzksnark/run_r1cs_ppzksnark.hpp @@ -31,7 +31,7 @@ #include -#include +#include #include "../r1cs_examples.hpp" diff --git a/test/schemes/ppzksnark/r1cs_se_ppzksnark/r1cs_se_ppzksnark.cpp b/test/systems/ppzksnark/r1cs_se_ppzksnark/r1cs_se_ppzksnark.cpp similarity index 100% rename from test/schemes/ppzksnark/r1cs_se_ppzksnark/r1cs_se_ppzksnark.cpp rename to test/systems/ppzksnark/r1cs_se_ppzksnark/r1cs_se_ppzksnark.cpp diff --git a/test/schemes/ppzksnark/r1cs_se_ppzksnark/run_r1cs_se_ppzksnark.hpp b/test/systems/ppzksnark/r1cs_se_ppzksnark/run_r1cs_se_ppzksnark.hpp similarity index 98% rename from test/schemes/ppzksnark/r1cs_se_ppzksnark/run_r1cs_se_ppzksnark.hpp rename to test/systems/ppzksnark/r1cs_se_ppzksnark/run_r1cs_se_ppzksnark.hpp index 9a82d539e..0a93164a5 100644 --- a/test/schemes/ppzksnark/r1cs_se_ppzksnark/run_r1cs_se_ppzksnark.hpp +++ b/test/systems/ppzksnark/r1cs_se_ppzksnark/run_r1cs_se_ppzksnark.hpp @@ -31,7 +31,7 @@ #include -#include +#include #include "../r1cs_examples.hpp" diff --git a/test/schemes/ppzksnark/ram_ppzksnark/ram_examples.hpp b/test/systems/ppzksnark/ram_ppzksnark/ram_examples.hpp similarity index 100% rename from test/schemes/ppzksnark/ram_ppzksnark/ram_examples.hpp rename to test/systems/ppzksnark/ram_ppzksnark/ram_examples.hpp diff --git a/test/schemes/ppzksnark/ram_ppzksnark/ram_ppzksnark.cpp b/test/systems/ppzksnark/ram_ppzksnark/ram_ppzksnark.cpp similarity index 100% rename from test/schemes/ppzksnark/ram_ppzksnark/ram_ppzksnark.cpp rename to test/systems/ppzksnark/ram_ppzksnark/ram_ppzksnark.cpp diff --git a/test/schemes/ppzksnark/ram_ppzksnark/run_ram_ppzksnark.hpp b/test/systems/ppzksnark/ram_ppzksnark/run_ram_ppzksnark.hpp similarity index 97% rename from test/schemes/ppzksnark/ram_ppzksnark/run_ram_ppzksnark.hpp rename to test/systems/ppzksnark/ram_ppzksnark/run_ram_ppzksnark.hpp index 29349d21c..c1da37984 100644 --- a/test/schemes/ppzksnark/ram_ppzksnark/run_ram_ppzksnark.hpp +++ b/test/systems/ppzksnark/ram_ppzksnark/run_ram_ppzksnark.hpp @@ -27,8 +27,8 @@ #define CRYPTO3_RUN_RAM_PPZKSNARK_HPP #include -#include -#include +#include +#include #include #include diff --git a/test/schemes/ppzksnark/tbcs_ppzksnark/run_tbcs_ppzksnark.hpp b/test/systems/ppzksnark/tbcs_ppzksnark/run_tbcs_ppzksnark.hpp similarity index 98% rename from test/schemes/ppzksnark/tbcs_ppzksnark/run_tbcs_ppzksnark.hpp rename to test/systems/ppzksnark/tbcs_ppzksnark/run_tbcs_ppzksnark.hpp index d5f8ac3f6..f4521da84 100644 --- a/test/schemes/ppzksnark/tbcs_ppzksnark/run_tbcs_ppzksnark.hpp +++ b/test/systems/ppzksnark/tbcs_ppzksnark/run_tbcs_ppzksnark.hpp @@ -28,7 +28,7 @@ #include "tbcs_examples.hpp" -#include +#include #include #include diff --git a/test/schemes/ppzksnark/tbcs_ppzksnark/tbcs_examples.hpp b/test/systems/ppzksnark/tbcs_ppzksnark/tbcs_examples.hpp similarity index 99% rename from test/schemes/ppzksnark/tbcs_ppzksnark/tbcs_examples.hpp rename to test/systems/ppzksnark/tbcs_ppzksnark/tbcs_examples.hpp index c3489e685..e85d085bb 100644 --- a/test/schemes/ppzksnark/tbcs_ppzksnark/tbcs_examples.hpp +++ b/test/systems/ppzksnark/tbcs_ppzksnark/tbcs_examples.hpp @@ -30,7 +30,7 @@ #define CRYPTO3_ZK_TBCS_EXAMPLES_HPP #include -#include +#include namespace nil { namespace crypto3 { diff --git a/test/schemes/ppzksnark/tbcs_ppzksnark/tbcs_ppzksnark.cpp b/test/systems/ppzksnark/tbcs_ppzksnark/tbcs_ppzksnark.cpp similarity index 100% rename from test/schemes/ppzksnark/tbcs_ppzksnark/tbcs_ppzksnark.cpp rename to test/systems/ppzksnark/tbcs_ppzksnark/tbcs_ppzksnark.cpp diff --git a/test/schemes/ppzksnark/uscs_ppzksnark/run_uscs_ppzksnark.hpp b/test/systems/ppzksnark/uscs_ppzksnark/run_uscs_ppzksnark.hpp similarity index 98% rename from test/schemes/ppzksnark/uscs_ppzksnark/run_uscs_ppzksnark.hpp rename to test/systems/ppzksnark/uscs_ppzksnark/run_uscs_ppzksnark.hpp index 45985689e..8c6735771 100644 --- a/test/schemes/ppzksnark/uscs_ppzksnark/run_uscs_ppzksnark.hpp +++ b/test/systems/ppzksnark/uscs_ppzksnark/run_uscs_ppzksnark.hpp @@ -31,7 +31,7 @@ #include "uscs_examples.hpp" -#include +#include #include #include diff --git a/test/schemes/ppzksnark/uscs_ppzksnark/uscs_examples.hpp b/test/systems/ppzksnark/uscs_ppzksnark/uscs_examples.hpp similarity index 99% rename from test/schemes/ppzksnark/uscs_ppzksnark/uscs_examples.hpp rename to test/systems/ppzksnark/uscs_ppzksnark/uscs_examples.hpp index ccbceeb07..7f694c958 100644 --- a/test/schemes/ppzksnark/uscs_ppzksnark/uscs_examples.hpp +++ b/test/systems/ppzksnark/uscs_ppzksnark/uscs_examples.hpp @@ -30,7 +30,7 @@ #define CRYPTO3_ZK_USCS_EXAMPLES_HPP #include -#include +#include #include diff --git a/test/schemes/ppzksnark/uscs_ppzksnark/uscs_ppzksnark.cpp b/test/systems/ppzksnark/uscs_ppzksnark/uscs_ppzksnark.cpp similarity index 100% rename from test/schemes/ppzksnark/uscs_ppzksnark/uscs_ppzksnark.cpp rename to test/systems/ppzksnark/uscs_ppzksnark/uscs_ppzksnark.cpp From 7237761c2177242b3732dffdc101292928a9ae58 Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Thu, 11 Nov 2021 22:03:48 +0300 Subject: [PATCH 009/219] Minor tests changes #20 --- test/systems/plonk/pickles.cpp | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/test/systems/plonk/pickles.cpp b/test/systems/plonk/pickles.cpp index 7a5899472..61b0f0a8a 100644 --- a/test/systems/plonk/pickles.cpp +++ b/test/systems/plonk/pickles.cpp @@ -30,11 +30,9 @@ #include #include -#include +#include using namespace nil::crypto3; -using namespace nil::crypto3::algebra; -using namespace nil::marshalling; BOOST_AUTO_TEST_SUITE(pickles_proof_generation_test_suite) From e3d99f3fdc8877596f998aba5fb3e744a7349fe0 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Mon, 15 Nov 2021 04:19:03 +0300 Subject: [PATCH 010/219] List polynomial commitment proof eval added. #25 --- .../zk/snark/commitments/commitment.hpp | 60 ------- .../list_polynomial_commitment.hpp | 169 ++++++++++++++++++ 2 files changed, 169 insertions(+), 60 deletions(-) delete mode 100644 include/nil/crypto3/zk/snark/commitments/commitment.hpp create mode 100644 include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp diff --git a/include/nil/crypto3/zk/snark/commitments/commitment.hpp b/include/nil/crypto3/zk/snark/commitments/commitment.hpp deleted file mode 100644 index 7edfca4f2..000000000 --- a/include/nil/crypto3/zk/snark/commitments/commitment.hpp +++ /dev/null @@ -1,60 +0,0 @@ -//---------------------------------------------------------------------------// -// Copyright (c) 2021 Mikhail Komarov -// Copyright (c) 2021 Nikita Kaskov -// -// MIT License -// -// Permission is hereby granted, free of charge, to any person obtaining a copy -// of this software and associated documentation files (the "Software"), to deal -// in the Software without restriction, including without limitation the rights -// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -// copies of the Software, and to permit persons to whom the Software is -// furnished to do so, subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -// SOFTWARE. -//---------------------------------------------------------------------------// - -#ifndef CRYPTO3_ZK_COMMITMENT_SCHEME_HPP -#define CRYPTO3_ZK_COMMITMENT_SCHEME_HPP - -namespace nil { - namespace crypto3 { - namespace zk { - namespace snark { - - /** - * @brief Based on the Ploynomial Commitment description from \[Kate]. - * - * References: - * \[Kate]: - * "Constant-Size Commitments to Polynomials and Their Applications", - * Aniket Kate, Gregory M. Zaverucha, and Ian Goldberg, - * ASIACRYPT 2010, - * - */ - - template - struct commitment_scheme { - - virtual std::pair commit (TSRS PK, TData phi) = 0; - - virtual ... open(TSRS PK, TCommitment C, TData phi, TDecommitmentInfo d) = 0; - - virtual bool verify(TSRS PK, TCommitment C, TData phi, TDecommitmentInfo d) = 0; - }; - - } // namespace snark - } // namespace zk - } // namespace crypto3 -} // namespace nil - -#endif // CRYPTO3_ZK_COMMITMENT_SCHEME_HPP diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp new file mode 100644 index 000000000..5bbbad2c8 --- /dev/null +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -0,0 +1,169 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_FRI_COMMITMENT_SCHEME_HPP +#define CRYPTO3_ZK_FRI_COMMITMENT_SCHEME_HPP + +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + + /** + * @brief Based on the FRI Commitment description from \[ResShift]. + * @tparam d ... + * @tparam Rounds Denoted by r in \[RedShift]. + * + * References: + * \[RedShift]: + * "REDSHIFT: Transparent SNARKs from List + * Polynomial Commitment IOPs", + * Assimakis Kattis, Konstantin Panarin, Alexander Vlasov, + * Matter Labs, + * + */ + template + class list_polynomial_commitment_scheme { + + typedef typename merkletree::MerkleTree merkle_tree_type; + typedef typename merkletree::MerkleProof merkle_proof_type; + + constexpr static const math::polynom<...> q = {0, 0, 1}; + + struct transcript_round_manifest { + enum challenges_ids {x, y}; + } + public: + + using openning_type = merkle_proof_type; + using commitment_type = typename merkle_tree_type::root_type; + + template + struct proof_type { + std::array z_openings; + std::array, lamda> alpha_openings; + + std::array, lamda> f_commitments; + + std::array, lambda> f_ip1_coefficients; + } + + // The result of this function is not commitment_type (as it would expected), + // but the built Merkle tree. This is done so, because we often need to reuse + // the built Merkle tree + // After this function + // result.root(); + // should be called + template <...> + static merkle_tree_type commit (const math::polynom<...> &f, + const std::vector<...> &D){ + + std::vector<...> y; + for (... H : D){ + y.push_back(f.evaluate(H)); + } + + return merkle_tree_type(y); + } + + template + static ... proof_eval (std::array<..., k> evaluation_points, + const merkle_tree_type &T, + const math::polynom<...> &f, + const std::vector<...> &D){ + + proof_type proof; + + fiat_shamir_heuristic transcript; + + std::array &z_openings = proof.z_openings; + std::array, k> U_interpolation_points; + + for (std::size_t j = 0; j < k; j++){ + ... z_j = f.evaluate(evaluation_points[j]); + std::size_t leaf_index = std::find(D.begin(), D.end(), evaluation_points[j]) - D.begin(); + z_openings[j] = merkle_proof_type(T, leaf_index); + U_interpolation_points[j] = std::make_pair(evaluation_points[j], z_j); + } + + math::polynom<...> U = math::polynomial::Lagrange_interpolation(U_interpolation_points); + + math::polynom<...> Q = (f - U); + for (std::size_t j = 0; j < k; j++){ + Q = Q/(x - U_interpolation_points[j]); + } + + for (std::size_t round_id = 0; round_id < lambda; round_id++){ + + math::polynom<...> f_i = Q; + + ... x_i = transcript.get_challenge(); + + std::array &alpha_openings = proof.alpha_openings[round_id]; + std::array &f_commitments = proof.f_commitments[round_id]; + std::array<...> &f_ip1_coefficients = proof.f_ip1_coefficients[round_id]; + + for (std::size_t i = 0; i <= r-1; i++){ + + ... y_i = transcript.get_challenge(); + + math::polynom<...> sqr_polynom = {y_i, 0, -1}; + std::array<..., 2> s = math::polynomial::get_roots<2>(sqr_polynom); + + std::array, 2> p_i_j_interpolation_points; + + for (std::size_t j = 0; j < 2; j++){ + ... alpha_i_j = f_i.evaluate(s[j]); + std::size_t leaf_index = std::find(D.begin(), D.end(), s[j]) - D.begin(); + alpha_openings[2*i + j] = merkle_proof_type(T, leaf_index); + p_i_j_interpolation_points[j] = std::make_pair(s[j], alpha_i_j); + } + + math::polynom<...> p_i_j = math::polynomial::Lagrange_interpolation(p_i_j_interpolation_points); + + f_i = p_i_j; + + x = q.evaluate(x); + + if (i < r - 1){ + f_commitments[i] = commit(f_i, D_ip1).root(); + } else { + f_ip1_coefficients = math::polynomial::get_coefficients(f_i); + } + } + } + + return proof; + } + }; + + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_FRI_COMMITMENT_SCHEME_HPP From 3aa7064430fd6313f598a1cd1ff7a411fb7e1666 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Mon, 15 Nov 2021 05:35:03 +0300 Subject: [PATCH 011/219] List polynomial commitment verify eval added. #25 --- .../list_polynomial_commitment.hpp | 105 ++++++++++++++++-- 1 file changed, 93 insertions(+), 12 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index 5bbbad2c8..82c21880d 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -46,7 +46,8 @@ namespace nil { * Matter Labs, * */ - template + template class list_polynomial_commitment_scheme { typedef typename merkletree::MerkleTree merkle_tree_type; @@ -65,7 +66,7 @@ namespace nil { template struct proof_type { std::array z_openings; - std::array, lamda> alpha_openings; + std::array, lamda> alpha_openings; std::array, lamda> f_commitments; @@ -90,15 +91,15 @@ namespace nil { return merkle_tree_type(y); } - template - static ... proof_eval (std::array<..., k> evaluation_points, + template <...> + static proof_type proof_eval (std::array<..., k> evaluation_points, const merkle_tree_type &T, const math::polynom<...> &f, const std::vector<...> &D){ proof_type proof; - fiat_shamir_heuristic transcript; + fiat_shamir_heuristic transcript; std::array &z_openings = proof.z_openings; std::array, k> U_interpolation_points; @@ -121,25 +122,25 @@ namespace nil { math::polynom<...> f_i = Q; - ... x_i = transcript.get_challenge(); + ... x_i = transcript.get_challenge(); - std::array &alpha_openings = proof.alpha_openings[round_id]; + std::array &alpha_openings = proof.alpha_openings[round_id]; std::array &f_commitments = proof.f_commitments[round_id]; std::array<...> &f_ip1_coefficients = proof.f_ip1_coefficients[round_id]; for (std::size_t i = 0; i <= r-1; i++){ - ... y_i = transcript.get_challenge(); + ... y_i = transcript.get_challenge(); math::polynom<...> sqr_polynom = {y_i, 0, -1}; - std::array<..., 2> s = math::polynomial::get_roots<2>(sqr_polynom); + std::array<..., m> s = math::polynomial::get_roots(sqr_polynom); - std::array, 2> p_i_j_interpolation_points; + std::array, m> p_i_j_interpolation_points; - for (std::size_t j = 0; j < 2; j++){ + for (std::size_t j = 0; j < m; j++){ ... alpha_i_j = f_i.evaluate(s[j]); std::size_t leaf_index = std::find(D.begin(), D.end(), s[j]) - D.begin(); - alpha_openings[2*i + j] = merkle_proof_type(T, leaf_index); + alpha_openings[m*i + j] = merkle_proof_type(T, leaf_index); p_i_j_interpolation_points[j] = std::make_pair(s[j], alpha_i_j); } @@ -161,6 +162,86 @@ namespace nil { } }; + template <...> + static bool verify_eval (proof_type proof, + commitment_type T, + std::array<..., k> evaluation_points, + const std::vector<...> &D){ + + fiat_shamir_heuristic transcript; + + std::array &z_openings = proof.z_openings; + std::array, k> U_interpolation_points; + + for (std::size_t j = 0; j < k; j++){ + ... z_j = z_openings[j].leaf; + if (!z_openings[j].validate(T)){ + return false; + } + + U_interpolation_points[j] = std::make_pair(evaluation_points[j], z_j); + } + + math::polynom<...> U = math::polynomial::Lagrange_interpolation(U_interpolation_points); + + math::polynom<...> Q = (f - U); + for (std::size_t j = 0; j < k; j++){ + Q = Q/(x - U_interpolation_points[j]); + } + + for (std::size_t round_id = 0; round_id < lambda; round_id++){ + + math::polynom<...> f_i = Q; + + ... x_i = transcript.get_challenge(); + + std::array &alpha_openings = proof.alpha_openings[round_id]; + std::array &f_commitments = proof.f_commitments[round_id]; + std::array<...> &f_ip1_coefficients = proof.f_ip1_coefficients[round_id]; + + for (std::size_t i = 0; i <= r-1; i++){ + + ... y_i = transcript.get_challenge(); + + math::polynom<...> sqr_polynom = {y_i, 0, -1}; + std::array<..., m> s = math::polynomial::get_roots(sqr_polynom); + + std::array, m> p_i_j_interpolation_points; + + for (std::size_t j = 0; j < m; j++){ + ... alpha_i_j = alpha_openings[m*i + j].leaf; + if (!alpha_openings[m*i + j].validate(T)){ + return false; + } + p_i_j_interpolation_points[j] = std::make_pair(s[j], alpha_i_j); + } + + math::polynom<...> p_i_j = math::polynomial::Lagrange_interpolation(p_i_j_interpolation_points); + + x = q.evaluate(x); + + if (i < r - 1){ + if (f_i != p_i_j){ + return false; + } + + f_commitments[i] = commit(f_i, D_ip1).root(); + } else { + if (f_i != p_i_j){ + return false; + } + + if (math::polynomial::degree(f_i) != ...){ + return false; + } + } + } + } + + return true; + } + }; + } // namespace snark } // namespace zk } // namespace crypto3 From f5c32f38d385c6213595b77c0fd05c183160d97f Mon Sep 17 00:00:00 2001 From: nkaskov Date: Mon, 15 Nov 2021 05:46:58 +0300 Subject: [PATCH 012/219] Old transcript manifests removed. #24 --- .../zk/snark/schemes/plonk/transcript.hpp | 62 ------------------- 1 file changed, 62 deletions(-) delete mode 100644 include/nil/crypto3/zk/snark/schemes/plonk/transcript.hpp diff --git a/include/nil/crypto3/zk/snark/schemes/plonk/transcript.hpp b/include/nil/crypto3/zk/snark/schemes/plonk/transcript.hpp deleted file mode 100644 index bb7cbd2d1..000000000 --- a/include/nil/crypto3/zk/snark/schemes/plonk/transcript.hpp +++ /dev/null @@ -1,62 +0,0 @@ -//---------------------------------------------------------------------------// -// Copyright (c) 2021 Mikhail Komarov -// Copyright (c) 2021 Nikita Kaskov -// -// MIT License -// -// Permission is hereby granted, free of charge, to any person obtaining a copy -// of this software and associated documentation files (the "Software"), to deal -// in the Software without restriction, including without limitation the rights -// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -// copies of the Software, and to permit persons to whom the Software is -// furnished to do so, subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -// SOFTWARE. -//---------------------------------------------------------------------------// - -#ifndef CRYPTO3_ZK_PLONK_KATE_COMMITMENT_FIAT_SHAMIR_MANIFEST_HPP -#define CRYPTO3_ZK_PLONK_KATE_COMMITMENT_FIAT_SHAMIR_MANIFEST_HPP - -namespace nil { - namespace crypto3 { - namespace zk { - namespace snark { - - struct plonk_kate_fiat_shamir_heuristic_manifest { - enum challenges_ids{ - beta, - gamma, - alpha, - zeta, - nu, - u - }; - }; - - template - struct plonk_fri_fiat_shamir_heuristic_manifest { - enum challenges_ids{ - beta, - gamma, - alpha, - zeta = alpha + AlphasAmount, - nu, - u - }; - }; - - } // namespace snark - } // namespace zk - } // namespace crypto3 -} // namespace nil - -#endif // CRYPTO3_ZK_PLONK_KATE_COMMITMENT_FIAT_SHAMIR_MANIFEST_HPP From 63366e5e1f7626c82b3087b19bab60922d45491f Mon Sep 17 00:00:00 2001 From: nkaskov Date: Mon, 15 Nov 2021 06:36:25 +0300 Subject: [PATCH 013/219] Redshift prover and verifier updated to use LPC. #20 --- .../list_polynomial_commitment.hpp | 32 +++---- .../zk/snark/systems/plonk/redshift/proof.hpp | 26 ++++-- .../snark/systems/plonk/redshift/prover.hpp | 84 ++++++++++++++----- .../snark/systems/plonk/redshift/verifier.hpp | 50 ++++++++++- 4 files changed, 147 insertions(+), 45 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index 82c21880d..bb0bba285 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -53,7 +53,7 @@ namespace nil { typedef typename merkletree::MerkleTree merkle_tree_type; typedef typename merkletree::MerkleProof merkle_proof_type; - constexpr static const math::polynom<...> q = {0, 0, 1}; + constexpr static const math::polynomial::polynom<...> q = {0, 0, 1}; struct transcript_round_manifest { enum challenges_ids {x, y}; @@ -80,7 +80,7 @@ namespace nil { // result.root(); // should be called template <...> - static merkle_tree_type commit (const math::polynom<...> &f, + static merkle_tree_type commit (const math::polynomial::polynom<...> &f, const std::vector<...> &D){ std::vector<...> y; @@ -94,7 +94,7 @@ namespace nil { template <...> static proof_type proof_eval (std::array<..., k> evaluation_points, const merkle_tree_type &T, - const math::polynom<...> &f, + const math::polynomial::polynom<...> &f, const std::vector<...> &D){ proof_type proof; @@ -111,16 +111,16 @@ namespace nil { U_interpolation_points[j] = std::make_pair(evaluation_points[j], z_j); } - math::polynom<...> U = math::polynomial::Lagrange_interpolation(U_interpolation_points); + math::polynomial::polynom<...> U = math::polynomial::Lagrange_interpolation(U_interpolation_points); - math::polynom<...> Q = (f - U); + math::polynomial::polynom<...> Q = (f - U); for (std::size_t j = 0; j < k; j++){ Q = Q/(x - U_interpolation_points[j]); } for (std::size_t round_id = 0; round_id < lambda; round_id++){ - math::polynom<...> f_i = Q; + math::polynomial::polynom<...> f_i = Q; ... x_i = transcript.get_challenge(); @@ -132,7 +132,7 @@ namespace nil { ... y_i = transcript.get_challenge(); - math::polynom<...> sqr_polynom = {y_i, 0, -1}; + math::polynomial::polynom<...> sqr_polynom = {y_i, 0, -1}; std::array<..., m> s = math::polynomial::get_roots(sqr_polynom); std::array, m> p_i_j_interpolation_points; @@ -144,7 +144,7 @@ namespace nil { p_i_j_interpolation_points[j] = std::make_pair(s[j], alpha_i_j); } - math::polynom<...> p_i_j = math::polynomial::Lagrange_interpolation(p_i_j_interpolation_points); + math::polynomial::polynom<...> p_i_j = math::polynomial::Lagrange_interpolation(p_i_j_interpolation_points); f_i = p_i_j; @@ -152,6 +152,7 @@ namespace nil { if (i < r - 1){ f_commitments[i] = commit(f_i, D_ip1).root(); + transcript(f_commitments[i]); } else { f_ip1_coefficients = math::polynomial::get_coefficients(f_i); } @@ -163,9 +164,9 @@ namespace nil { }; template <...> - static bool verify_eval (proof_type proof, + static bool verify_eval (std::array<..., k> evaluation_points, commitment_type T, - std::array<..., k> evaluation_points, + proof_type proof, const std::vector<...> &D){ fiat_shamir_heuristic transcript; @@ -182,16 +183,16 @@ namespace nil { U_interpolation_points[j] = std::make_pair(evaluation_points[j], z_j); } - math::polynom<...> U = math::polynomial::Lagrange_interpolation(U_interpolation_points); + math::polynomial::polynom<...> U = math::polynomial::Lagrange_interpolation(U_interpolation_points); - math::polynom<...> Q = (f - U); + math::polynomial::polynom<...> Q = (f - U); for (std::size_t j = 0; j < k; j++){ Q = Q/(x - U_interpolation_points[j]); } for (std::size_t round_id = 0; round_id < lambda; round_id++){ - math::polynom<...> f_i = Q; + math::polynomial::polynom<...> f_i = Q; ... x_i = transcript.get_challenge(); @@ -203,7 +204,7 @@ namespace nil { ... y_i = transcript.get_challenge(); - math::polynom<...> sqr_polynom = {y_i, 0, -1}; + math::polynomial::polynom<...> sqr_polynom = {y_i, 0, -1}; std::array<..., m> s = math::polynomial::get_roots(sqr_polynom); std::array, m> p_i_j_interpolation_points; @@ -216,7 +217,7 @@ namespace nil { p_i_j_interpolation_points[j] = std::make_pair(s[j], alpha_i_j); } - math::polynom<...> p_i_j = math::polynomial::Lagrange_interpolation(p_i_j_interpolation_points); + math::polynomial::polynom<...> p_i_j = math::polynomial::Lagrange_interpolation(p_i_j_interpolation_points); x = q.evaluate(x); @@ -226,6 +227,7 @@ namespace nil { } f_commitments[i] = commit(f_i, D_ip1).root(); + transcript(f_commitments[i]); } else { if (f_i != p_i_j){ return false; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp index 435b41841..83e2f45d3 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp @@ -26,6 +26,7 @@ #ifndef CRYPTO3_ZK_PLONK_REDSHIFT_PROOF_HPP #define CRYPTO3_ZK_PLONK_REDSHIFT_PROOF_HPP +#include #include namespace nil { @@ -33,14 +34,27 @@ namespace nil { namespace zk { namespace snark { - template - struct redshift_proof { - std::vector> f_commitments; + template + class redshift_proof { - std::fri_commitment_cheme<...> P_commitment; - std::fri_commitment_cheme<...> Q_commitment; + typedef list_polynomial_commitment_scheme lpc; + + public: + + std::vector f_commitments; + + typename lpc::commitment_type P_commitment; + typename lpc::commitment_type Q_commitment; + + std::vector T_commitments; + + std::vector f_lpc_proofs; + + typename lpc::proof_type P_lpc_proof; + typename lpc::proof_type Q_lpc_proof; + + std::vector T_lpc_proofs; - std::vector> T; }; } // namespace snark } // namespace zk diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 0921c9d2d..0b810ce11 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -26,7 +26,7 @@ #ifndef CRYPTO3_ZK_PLONK_REDSHIFT_PROVER_HPP #define CRYPTO3_ZK_PLONK_REDSHIFT_PROVER_HPP -#include +#include #include namespace nil { @@ -34,12 +34,27 @@ namespace nil { namespace zk { namespace snark { - template + template class redshift_prover { using types_policy = redshift_types_policy; using transcript_manifest = types_policy::prover_fiat_shamir_heuristic_manifest<6>; + typedef hashes::sha2<256> merkle_hash_type; + typedef hashes::sha2<256> transcript_hash_type; + + typedef typename merkletree::MerkleTree merkle_tree_type; + + constexpr static const std::size_t lambda = ...; + constexpr static const std::size_t k = ...; + constexpr static const std::size_t r = ...; + constexpr static const std::size_t m = 2; + + constexpr static const typename TCurve::scalar_field_type::value_type omega = + algebra::get_root_of_unity() + typedef list_polynomial_commitment_scheme lpc; + public: static inline typename types_policy::proof_type process(const types_policy::proving_key_type &proving_key, @@ -51,24 +66,27 @@ namespace nil { std::size_t N_sel = ...; std::size_t N_const = ...; - fiat_shamir_heuristic transcript; + fiat_shamir_heuristic transcript; ... setup_values = ...; transcript(setup_values); std::vector> f(N_wires); - std::vector> f_commitments(N_wires); + + std::vector f_trees; + std::vector f_commitments; for (std::size_t i = 0; i < N_wires; i++) { f.push_back(proving_key.f[i] + choose_h_i() * proving_key.Z(x)); - f_commitments[i].commit(f[i]); + f_trees.push_back(lpc::commit(f[i])); + f_commitments[i].push_back(f_trees[i].root()); transcript(f_commitments[i]); } - hashes::sha2::digest_type beta_bytes = + typename transcript_hash_type::digest_type beta_bytes = transcript.get_challenge(); - hashes::sha2::digest_type gamma_bytes = + typename transcript_hash_type::digest_type gamma_bytes = transcript.get_challenge(); typename TCurve::scalar_field_type::value_type beta = @@ -117,17 +135,17 @@ namespace nil { math::polynomial::polynom<...> Q = math::polynomial::Lagrange_interpolation(Q_interpolation_points); - std::fri_commitment_cheme<...> P_commitment(); - std::fri_commitment_cheme<...> Q_commitment(); + merkle_tree_type P_tree = lpc::commit(P); + merkle_tree_type Q_tree = lpc::commit(Q); + typename lpc::commitment_type P_commitment = P_tree.root(); + typename lpc::commitment_type Q_commitment = Q_tree.root(); - P_commitment.commit(P); - Q_commitment.commit(Q); transcript(P_commitment); transcript(Q_commitment); std::array alphas; for (std::size_t i = 0; i < 6; i++) { - hashes::sha2::digest_type alpha_bytes = + typename transcript_hash_type::digest_type alpha_bytes = transcript.get_challenge(); alphas[i] = (algebra::marshalling(alpha_bytes)); } @@ -155,19 +173,45 @@ namespace nil { math::polynomial::polynom<...> T_consolidated = F_consolidated / Z; - std::vector> T(N_perm + 2); + std::vector> T(N_perm + 1); T = separate_T(T_consolidated); - std::vector> T_commitments(N_perm + 2); - for (std::size_t i = 0; i < N_perm + 2) { - T_commitments[i].commit(T[i]); + std::vector T_trees; + std::vector T_commitments; + + for (std::size_t i = 0; i < N_perm + 1) { + T_trees.push_back(lpc::commit(T[i])); + T_commitments.push_back(T_trees[i].root()); + } + + typename transcript_hash_type::digest_type upsilon_bytes = + transcript.get_challenge(); + + typename TCurve::scalar_field_type::value_type upsilon = + algebra::marshalling(upsilon_bytes); + + std::array<..., k> fT_evaluation_points = {upsilon}; + std::vector f_lpc_proofs(N_wires); + + for (std::size_t i = 0; i < N_wires; i++){ + f_lpc_proofs.push_back(lpc::proof_eval(fT_evaluation_points, f_trees[i], f[i], ...)); } - ... + std::array<..., k> PQ_evaluation_points = {upsilon, upsilon * omega}; + lpc::proof P_lpc_proof = lpc::proof_eval(PQ_evaluation_points, P_tree, P, ...); + lpc::proof Q_lpc_proof = lpc::proof_eval(PQ_evaluation_points, Q_tree, Q, ...); + + std::vector T_lpc_proofs(N_perm + 1); + + for (std::size_t i = 0; i < N_perm + 1; i++){ + T_lpc_proofs.push_back(lpc::proof_eval(fT_evaluation_points, T_trees[i], T[i], ...)); + } - typename types_policy::proof_type proof = - typename types_policy::proof_type(std::move(f_commitments), std::move(P_commitment), - std::move(Q_commitment), std::move(T_commitments)); + typename types_policy::proof_type proof = + typename types_policy::proof_type(std::move(f_commitments), std::move(P_commitment), + std::move(Q_commitment), std::move(T_commitments), + std::move(f_lpc_proofs), std::move(P_lpc_proof), + std::move(Q_lpc_proof), std::move(T_lpc_proofs)); return proof; } diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp index f9e73033c..663ba79b9 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp @@ -41,6 +41,16 @@ namespace nil { using transcript_manifest = types_policy::prover_fiat_shamir_heuristic_manifest<6>; using constraint_system_type = plonk_constraint_system; + constexpr static const std::size_t lambda = ...; + constexpr static const std::size_t k = ...; + constexpr static const std::size_t r = ...; + constexpr static const std::size_t m = 2; + + constexpr static const typename TCurve::scalar_field_type::value_type omega = + algebra::get_root_of_unity() + typedef list_polynomial_commitment_scheme lpc; + public: static inline bool process(const types_policy::verification_key_type &verification_key, const types_policy::primary_input_type &primary_input, @@ -60,10 +70,10 @@ namespace nil { transcript(proof.f_commitments[i]); } - hashes::sha2::digest_type beta_bytes = + typename transcript_hash_type::digest_type beta_bytes = transcript.get_challenge(); - hashes::sha2::digest_type gamma_bytes = + typename transcript_hash_type::digest_type gamma_bytes = transcript.get_challenge(); typename TCurve::scalar_field_type::value_type beta = @@ -76,7 +86,7 @@ namespace nil { std::array alphas; for (std::size_t i = 0; i < 6; i++) { - hashes::sha2::digest_type alpha_bytes = + typename transcript_hash_type::digest_type alpha_bytes = transcript.get_challenge(); alphas[i] = (algebra::marshalling(alpha_bytes)); } @@ -85,7 +95,7 @@ namespace nil { transcript(proof.T_commitments[i]); } - hashes::sha2::digest_type upsilon_bytes = + typename transcript_hash_type::digest_type upsilon_bytes = transcript.get_challenge(); typename TCurve::scalar_field_type::value_type upsilon = @@ -118,6 +128,38 @@ namespace nil { F_consolidated = a[i] * F[i]; } + typename transcript_hash_type::digest_type upsilon_bytes = + transcript.get_challenge(); + + typename TCurve::scalar_field_type::value_type upsilon = + algebra::marshalling(upsilon_bytes); + + std::array<..., k> fT_evaluation_points = {upsilon}; + + for (std::size_t i = 0; i < N_wires; i++){ + if (!lpc::verify_eval(fT_evaluation_points, proof.f_commitments[i], + proof.f_lpc_proofs[i], ...)){ + return false; + } + } + + std::array<..., k> PQ_evaluation_points = {upsilon, upsilon * omega}; + if (!lpc::verify_eval(PQ_evaluation_points, proof.P_commitment, + proof.P_lpc_proof, ...)){ + return false; + } + if (!lpc::verify_eval(PQ_evaluation_points, proof.Q_commitment, + proof.Q_lpc_proof, ...)){ + return false; + } + + for (std::size_t i = 0; i < N_perm + 1; i++){ + if (!lpc::verify_eval(fT_evaluation_points, proof.T_commitments[i], + proof.T_lpc_proofs[i], ...)){ + return false; + } + } + return (F_consolidated == verification_key.Z * T); } }; From 3be36fc1fc980d7d1c3751f08f243e5222ff980b Mon Sep 17 00:00:00 2001 From: nkaskov Date: Mon, 15 Nov 2021 15:07:59 +0300 Subject: [PATCH 014/219] Redshift prover, verifier and LPC updated. #20 #25 --- .../list_polynomial_commitment.hpp | 101 +++++++++++------- .../zk/snark/systems/plonk/redshift/proof.hpp | 24 ++--- .../snark/systems/plonk/redshift/prover.hpp | 39 +++---- .../zk/snark/systems/plonk/redshift/types.hpp | 3 +- .../snark/systems/plonk/redshift/verifier.hpp | 70 ++++++------ 5 files changed, 126 insertions(+), 111 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index bb0bba285..b755e8b9a 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -53,7 +53,8 @@ namespace nil { typedef typename merkletree::MerkleTree merkle_tree_type; typedef typename merkletree::MerkleProof merkle_proof_type; - constexpr static const math::polynomial::polynom<...> q = {0, 0, 1}; + constexpr static const math::polynomial::polynom + q = {0, 0, 1}; struct transcript_round_manifest { enum challenges_ids {x, y}; @@ -70,7 +71,8 @@ namespace nil { std::array, lamda> f_commitments; - std::array, lambda> f_ip1_coefficients; + std::array, lambda> + f_ip1_coefficients; } // The result of this function is not commitment_type (as it would expected), @@ -80,11 +82,12 @@ namespace nil { // result.root(); // should be called template <...> - static merkle_tree_type commit (const math::polynomial::polynom<...> &f, + static merkle_tree_type commit (const math::polynomial::polynom< + typename TCurve::scalar_field_type::value_type> &f, const std::vector<...> &D){ - std::vector<...> y; - for (... H : D){ + std::vector y; + for (typename TCurve::scalar_field_type::value_type H : D){ y.push_back(f.evaluate(H)); } @@ -92,9 +95,10 @@ namespace nil { } template <...> - static proof_type proof_eval (std::array<..., k> evaluation_points, + static proof_type proof_eval ( + std::array evaluation_points, const merkle_tree_type &T, - const math::polynomial::polynom<...> &f, + const math::polynomial::polynom &f, const std::vector<...> &D){ proof_type proof; @@ -102,51 +106,62 @@ namespace nil { fiat_shamir_heuristic transcript; std::array &z_openings = proof.z_openings; - std::array, k> U_interpolation_points; + std::array, k> U_interpolation_points; for (std::size_t j = 0; j < k; j++){ - ... z_j = f.evaluate(evaluation_points[j]); + typename TCurve::scalar_field_type::value_type z_j = + f.evaluate(evaluation_points[j]); std::size_t leaf_index = std::find(D.begin(), D.end(), evaluation_points[j]) - D.begin(); z_openings[j] = merkle_proof_type(T, leaf_index); U_interpolation_points[j] = std::make_pair(evaluation_points[j], z_j); } - math::polynomial::polynom<...> U = math::polynomial::Lagrange_interpolation(U_interpolation_points); + math::polynomial::polynom + U = math::polynomial::Lagrange_interpolation(U_interpolation_points); - math::polynomial::polynom<...> Q = (f - U); + math::polynomial::polynom + Q = (f - U); for (std::size_t j = 0; j < k; j++){ Q = Q/(x - U_interpolation_points[j]); } for (std::size_t round_id = 0; round_id < lambda; round_id++){ - math::polynomial::polynom<...> f_i = Q; + math::polynomial::polynom f_i = Q; - ... x_i = transcript.get_challenge(); + typename TCurve::scalar_field_type::value_type x_i = + transcript.get_challenge(); std::array &alpha_openings = proof.alpha_openings[round_id]; std::array &f_commitments = proof.f_commitments[round_id]; - std::array<...> &f_ip1_coefficients = proof.f_ip1_coefficients[round_id]; + std::array &f_ip1_coefficients = + proof.f_ip1_coefficients[round_id]; for (std::size_t i = 0; i <= r-1; i++){ - ... y_i = transcript.get_challenge(); + typename TCurve::scalar_field_type::value_type y_i = + transcript.get_challenge(); - math::polynomial::polynom<...> sqr_polynom = {y_i, 0, -1}; - std::array<..., m> s = math::polynomial::get_roots(sqr_polynom); + math::polynomial::polynom + sqr_polynom = {y_i, 0, -1}; + std::array s = + math::polynomial::get_roots(sqr_polynom); + + std::array, m> p_y_i_interpolation_points; - std::array, m> p_i_j_interpolation_points; for (std::size_t j = 0; j < m; j++){ - ... alpha_i_j = f_i.evaluate(s[j]); + typename TCurve::scalar_field_type::value_type alpha_i_j = f_i.evaluate(s[j]); std::size_t leaf_index = std::find(D.begin(), D.end(), s[j]) - D.begin(); alpha_openings[m*i + j] = merkle_proof_type(T, leaf_index); - p_i_j_interpolation_points[j] = std::make_pair(s[j], alpha_i_j); + p_y_i_interpolation_points[j] = std::make_pair(s[j], alpha_i_j); } - math::polynomial::polynom<...> p_i_j = math::polynomial::Lagrange_interpolation(p_i_j_interpolation_points); + math::polynomial::polynom p_y_i = math::polynomial::Lagrange_interpolation(p_y_i_interpolation_points); - f_i = p_i_j; + f_i = p_y_i; x = q.evaluate(x); @@ -164,7 +179,7 @@ namespace nil { }; template <...> - static bool verify_eval (std::array<..., k> evaluation_points, + static bool verify_eval (std::array evaluation_points, commitment_type T, proof_type proof, const std::vector<...> &D){ @@ -172,10 +187,12 @@ namespace nil { fiat_shamir_heuristic transcript; std::array &z_openings = proof.z_openings; - std::array, k> U_interpolation_points; + std::array, k> U_interpolation_points; for (std::size_t j = 0; j < k; j++){ - ... z_j = z_openings[j].leaf; + typename TCurve::scalar_field_type::value_type z_j = + algebra::marshalling(z_openings[j].leaf); if (!z_openings[j].validate(T)){ return false; } @@ -183,53 +200,59 @@ namespace nil { U_interpolation_points[j] = std::make_pair(evaluation_points[j], z_j); } - math::polynomial::polynom<...> U = math::polynomial::Lagrange_interpolation(U_interpolation_points); + math::polynomial::polynom U = math::polynomial::Lagrange_interpolation(U_interpolation_points); - math::polynomial::polynom<...> Q = (f - U); + math::polynomial::polynom Q = (f - U); for (std::size_t j = 0; j < k; j++){ Q = Q/(x - U_interpolation_points[j]); } for (std::size_t round_id = 0; round_id < lambda; round_id++){ - math::polynomial::polynom<...> f_i = Q; + math::polynomial::polynom f_i = Q; - ... x_i = transcript.get_challenge(); + typename TCurve::scalar_field_type::value_type x_i = + transcript.get_challenge(); std::array &alpha_openings = proof.alpha_openings[round_id]; std::array &f_commitments = proof.f_commitments[round_id]; - std::array<...> &f_ip1_coefficients = proof.f_ip1_coefficients[round_id]; + std::array &f_ip1_coefficients = + proof.f_ip1_coefficients[round_id]; for (std::size_t i = 0; i <= r-1; i++){ - ... y_i = transcript.get_challenge(); + typename TCurve::scalar_field_type::value_type y_i = + transcript.get_challenge(); - math::polynomial::polynom<...> sqr_polynom = {y_i, 0, -1}; - std::array<..., m> s = math::polynomial::get_roots(sqr_polynom); + math::polynomial::polynom sqr_polynom = {y_i, 0, -1}; + std::array s = + math::polynomial::get_roots(sqr_polynom); - std::array, m> p_i_j_interpolation_points; + std::array, m> p_y_i_interpolation_points; for (std::size_t j = 0; j < m; j++){ - ... alpha_i_j = alpha_openings[m*i + j].leaf; + typename TCurve::scalar_field_type::value_type alpha_i_j = + algebra::marshalling(alpha_openings[m*i + j].leaf); if (!alpha_openings[m*i + j].validate(T)){ return false; } - p_i_j_interpolation_points[j] = std::make_pair(s[j], alpha_i_j); + p_y_i_interpolation_points[j] = std::make_pair(s[j], alpha_i_j); } - math::polynomial::polynom<...> p_i_j = math::polynomial::Lagrange_interpolation(p_i_j_interpolation_points); + math::polynomial::polynom p_y_i = math::polynomial::Lagrange_interpolation(p_y_i_interpolation_points); x = q.evaluate(x); if (i < r - 1){ - if (f_i != p_i_j){ + if (f_i != p_y_i){ return false; } f_commitments[i] = commit(f_i, D_ip1).root(); transcript(f_commitments[i]); } else { - if (f_i != p_i_j){ + if (f_i != p_y_i){ return false; } diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp index 83e2f45d3..eb47af136 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp @@ -34,26 +34,22 @@ namespace nil { namespace zk { namespace snark { - template - class redshift_proof { + template + struct redshift_proof { - typedef list_polynomial_commitment_scheme lpc; + std::vector f_commitments; - public: + typename CommitmentSchemeType::commitment_type P_commitment; + typename CommitmentSchemeType::commitment_type Q_commitment; - std::vector f_commitments; + std::vector T_commitments; - typename lpc::commitment_type P_commitment; - typename lpc::commitment_type Q_commitment; + std::vector f_CommitmentSchemeType_proofs; - std::vector T_commitments; + typename CommitmentSchemeType::proof_type P_CommitmentSchemeType_proof; + typename CommitmentSchemeType::proof_type Q_CommitmentSchemeType_proof; - std::vector f_lpc_proofs; - - typename lpc::proof_type P_lpc_proof; - typename lpc::proof_type Q_lpc_proof; - - std::vector T_lpc_proofs; + std::vector T_lpc_proofs; }; } // namespace snark diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 0b810ce11..6411df6b1 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -34,7 +34,7 @@ namespace nil { namespace zk { namespace snark { - template + template class redshift_prover { using types_policy = redshift_types_policy; @@ -45,10 +45,8 @@ namespace nil { typedef typename merkletree::MerkleTree merkle_tree_type; - constexpr static const std::size_t lambda = ...; constexpr static const std::size_t k = ...; constexpr static const std::size_t r = ...; - constexpr static const std::size_t m = 2; constexpr static const typename TCurve::scalar_field_type::value_type omega = algebra::get_root_of_unity() @@ -56,7 +54,7 @@ namespace nil { Hash, lambda, k, r, m> lpc; public: - static inline typename types_policy::proof_type + static inline typename types_policy::proof_type process(const types_policy::proving_key_type &proving_key, const types_policy::primary_input_type &primary_input, const types_policy::auxiliary_input_type &auxiliary_input) { @@ -71,7 +69,7 @@ namespace nil { ... setup_values = ...; transcript(setup_values); - std::vector> f(N_wires); + std::vector> f(N_wires); std::vector f_trees; std::vector f_commitments; @@ -94,11 +92,13 @@ namespace nil { typename TCurve::scalar_field_type::value_type gamma = algebra::marshalling(gamma_bytes); - std::vector> p(N_perm); - std::vector> q(N_perm); + std::vector> p(N_perm); + std::vector> q(N_perm); - math::polynomial::polynom<...> p1 = math::polynomial::polynom<...>::one(); - math::polynomial::polynom<...> q1 = math::polynomial::polynom<...>::one(); + math::polynomial::polynom p1 = + math::polynomial::polynom::one(); + math::polynomial::polynom q1 = + math::polynomial::polynom::one(); for (std::size_t j = 0; j < N_perm; j++) { p.push_back(f[j] + beta * S_id[j] + gamma); @@ -130,9 +130,9 @@ namespace nil { Q_interpolation_points.push_back(std::make_pair(proving_key.omega.pow(i), Q_mul_result)); } - math::polynomial::polynom<...> P = + math::polynomial::polynom P = math::polynomial::Lagrange_interpolation(P_interpolation_points); - math::polynomial::polynom<...> Q = + math::polynomial::polynom Q = math::polynomial::Lagrange_interpolation(Q_interpolation_points); merkle_tree_type P_tree = lpc::commit(P); @@ -150,7 +150,7 @@ namespace nil { alphas[i] = (algebra::marshalling(alpha_bytes)); } - std::array, 6> F; + std::array, 6> F; F[0] = proving_key.L_basis[1] * (P - 1); F[1] = proving_key.L_basis[1] * (Q - 1); F[2] = P * p_1 - (P << 1); @@ -166,14 +166,15 @@ namespace nil { F[5] += proving_key.f_c[i]; } - math::polynomial::polynom<...> F_consolidated = 0; + math::polynomial::polynom F_consolidated = 0; for (std::size_t i = 0; i < 6; i++) { - F_consolidated = a[i] * F[i]; + F_consolidated += a[i] * F[i]; } - math::polynomial::polynom<...> T_consolidated = F_consolidated / Z; + math::polynomial::polynom T_consolidated = + F_consolidated / Z; - std::vector> T(N_perm + 1); + std::vector> T(N_perm + 1); T = separate_T(T_consolidated); std::vector T_trees; @@ -190,14 +191,16 @@ namespace nil { typename TCurve::scalar_field_type::value_type upsilon = algebra::marshalling(upsilon_bytes); - std::array<..., k> fT_evaluation_points = {upsilon}; + std::array + fT_evaluation_points = {upsilon}; std::vector f_lpc_proofs(N_wires); for (std::size_t i = 0; i < N_wires; i++){ f_lpc_proofs.push_back(lpc::proof_eval(fT_evaluation_points, f_trees[i], f[i], ...)); } - std::array<..., k> PQ_evaluation_points = {upsilon, upsilon * omega}; + std::array + PQ_evaluation_points = {upsilon, upsilon * omega}; lpc::proof P_lpc_proof = lpc::proof_eval(PQ_evaluation_points, P_tree, P, ...); lpc::proof Q_lpc_proof = lpc::proof_eval(PQ_evaluation_points, Q_tree, Q, ...); diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp index aa5d4968f..21c4012d6 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp @@ -80,7 +80,8 @@ namespace nil { * serializes/deserializes, and verifies proofs. We only expose some information * about the structure for statistics purposes. */ - typedef redshift_proof proof_type; + template + typedef redshift_proof proof_type; template struct prover_fiat_shamir_heuristic_manifest { diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp index 663ba79b9..cc24b8129 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp @@ -34,17 +34,15 @@ namespace nil { namespace zk { namespace snark { - template + template class redshift_verifier { using types_policy = redshift_types_policy; using transcript_manifest = types_policy::prover_fiat_shamir_heuristic_manifest<6>; using constraint_system_type = plonk_constraint_system; - constexpr static const std::size_t lambda = ...; constexpr static const std::size_t k = ...; constexpr static const std::size_t r = ...; - constexpr static const std::size_t m = 2; constexpr static const typename TCurve::scalar_field_type::value_type omega = algebra::get_root_of_unity() @@ -54,7 +52,7 @@ namespace nil { public: static inline bool process(const types_policy::verification_key_type &verification_key, const types_policy::primary_input_type &primary_input, - const types_policy::proof_type &proof) { + const types_policy::proof_type &proof) { std::size_t N_wires = ...; std::size_t N_perm = ...; @@ -101,40 +99,8 @@ namespace nil { typename TCurve::scalar_field_type::value_type upsilon = algebra::marshalling(upsilon_bytes); - ... - - std::array, 6> - F; - F[0] = verification_key.L_basis[1] * (P - 1); - F[1] = verification_key.L_basis[1] * (Q - 1); - F[2] = P * p_1 - (P << 1); - F[3] = Q * q_1 - (Q << 1); - F[4] = verification_key.L_basis[n] * ((P << 1) - (Q << 1)); - F[5] = verification_key.PI; - - for (std::size_t i = 0; i < N_sel; i++) { - F[5] += q[i] * ....gate[i]; - } - - for (std::size_t i = 0; i < N_const; i++) { - F[5] += verification_key.f_c[i]; - } - - math::polynomial::polynom<...> T_consolidate; - T_consolidate = consolidate_T(T); - - math::polynomial::polynom<...> F_consolidated = 0; - for (std::size_t i = 0; i < 6; i++) { - F_consolidated = a[i] * F[i]; - } - - typename transcript_hash_type::digest_type upsilon_bytes = - transcript.get_challenge(); - - typename TCurve::scalar_field_type::value_type upsilon = - algebra::marshalling(upsilon_bytes); - - std::array<..., k> fT_evaluation_points = {upsilon}; + std::array + fT_evaluation_points = {upsilon}; for (std::size_t i = 0; i < N_wires; i++){ if (!lpc::verify_eval(fT_evaluation_points, proof.f_commitments[i], @@ -143,7 +109,8 @@ namespace nil { } } - std::array<..., k> PQ_evaluation_points = {upsilon, upsilon * omega}; + std::array + PQ_evaluation_points = {upsilon, upsilon * omega}; if (!lpc::verify_eval(PQ_evaluation_points, proof.P_commitment, proof.P_lpc_proof, ...)){ return false; @@ -160,6 +127,31 @@ namespace nil { } } + std::array, 6> + F; + F[0] = verification_key.L_basis[1] * (P - 1); + F[1] = verification_key.L_basis[1] * (Q - 1); + F[2] = P * p_1 - (P << 1); + F[3] = Q * q_1 - (Q << 1); + F[4] = verification_key.L_basis[n] * ((P << 1) - (Q << 1)); + F[5] = verification_key.PI; + + for (std::size_t i = 0; i < N_sel; i++) { + F[5] += q[i] * ....gate[i]; + } + + for (std::size_t i = 0; i < N_const; i++) { + F[5] += verification_key.f_c[i]; + } + + math::polynomial::polynom T_consolidate; + T_consolidate = consolidate_T(T); + + math::polynomial::polynom F_consolidated = 0; + for (std::size_t i = 0; i < 6; i++) { + F_consolidated += a[i] * F[i]; + } + return (F_consolidated == verification_key.Z * T); } }; From f32039585a8258994f059d5fe9cb167a13463e2f Mon Sep 17 00:00:00 2001 From: nkaskov Date: Mon, 15 Nov 2021 15:15:10 +0300 Subject: [PATCH 015/219] Redshift proof typo fixed. #20 --- .../nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp index eb47af136..f38db0fd1 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp @@ -34,7 +34,7 @@ namespace nil { namespace zk { namespace snark { - template + template struct redshift_proof { std::vector f_commitments; @@ -44,10 +44,10 @@ namespace nil { std::vector T_commitments; - std::vector f_CommitmentSchemeType_proofs; + std::vector f_lpc_proofs; - typename CommitmentSchemeType::proof_type P_CommitmentSchemeType_proof; - typename CommitmentSchemeType::proof_type Q_CommitmentSchemeType_proof; + typename CommitmentSchemeType::proof_type P_lpc_proof; + typename CommitmentSchemeType::proof_type Q_lpc_proof; std::vector T_lpc_proofs; From 87771e5ff186bad78dba1efe906a3cc32dadb302 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Mon, 15 Nov 2021 18:39:54 +0300 Subject: [PATCH 016/219] Redshift prover, verifier and LPC updated. #20 #25 --- .../list_polynomial_commitment.hpp | 40 +++++++++++++++---- 1 file changed, 32 insertions(+), 8 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index b755e8b9a..1677cefa9 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -68,6 +68,7 @@ namespace nil { struct proof_type { std::array z_openings; std::array, lamda> alpha_openings; + std::array, lamda> f_y_openings; std::array, lamda> f_commitments; @@ -134,9 +135,11 @@ namespace nil { transcript.get_challenge(); std::array &alpha_openings = proof.alpha_openings[round_id]; + std::array &f_y_openings = proof.f_y_openings[round_id]; std::array &f_commitments = proof.f_commitments[round_id]; std::array &f_ip1_coefficients = proof.f_ip1_coefficients[round_id]; + merkle_tree_type &f_i_tree = T; for (std::size_t i = 0; i <= r-1; i++){ @@ -155,18 +158,24 @@ namespace nil { for (std::size_t j = 0; j < m; j++){ typename TCurve::scalar_field_type::value_type alpha_i_j = f_i.evaluate(s[j]); std::size_t leaf_index = std::find(D.begin(), D.end(), s[j]) - D.begin(); - alpha_openings[m*i + j] = merkle_proof_type(T, leaf_index); + alpha_openings[m*i + j] = merkle_proof_type(f_i_tree, leaf_index); p_y_i_interpolation_points[j] = std::make_pair(s[j], alpha_i_j); } - math::polynomial::polynom p_y_i = math::polynomial::Lagrange_interpolation(p_y_i_interpolation_points); + math::polynomial::polynom + p_y_i = math::polynomial::Lagrange_interpolation(p_y_i_interpolation_points); f_i = p_y_i; + typename TCurve::scalar_field_type::value_type f_y_i = f_i.evaluate(y_i); + std::size_t leaf_index = std::find(D.begin(), D.end(), y_i) - D.begin(); + f_y_openings[i] = merkle_proof_type(f_i_tree, leaf_index); + x = q.evaluate(x); if (i < r - 1){ - f_commitments[i] = commit(f_i, D_ip1).root(); + f_i_tree = commit(f_i, D_ip1); + f_commitments[i] = f_i_tree.root(); transcript(f_commitments[i]); } else { f_ip1_coefficients = math::polynomial::get_coefficients(f_i); @@ -180,7 +189,7 @@ namespace nil { template <...> static bool verify_eval (std::array evaluation_points, - commitment_type T, + commitment_type root, proof_type proof, const std::vector<...> &D){ @@ -193,14 +202,15 @@ namespace nil { for (std::size_t j = 0; j < k; j++){ typename TCurve::scalar_field_type::value_type z_j = algebra::marshalling(z_openings[j].leaf); - if (!z_openings[j].validate(T)){ + if (!z_openings[j].validate(root)){ return false; } U_interpolation_points[j] = std::make_pair(evaluation_points[j], z_j); } - math::polynomial::polynom U = math::polynomial::Lagrange_interpolation(U_interpolation_points); + math::polynomial::polynom + U = math::polynomial::Lagrange_interpolation(U_interpolation_points); math::polynomial::polynom Q = (f - U); for (std::size_t j = 0; j < k; j++){ @@ -215,10 +225,13 @@ namespace nil { transcript.get_challenge(); std::array &alpha_openings = proof.alpha_openings[round_id]; + std::array &f_y_openings = proof.f_y_openings[round_id]; std::array &f_commitments = proof.f_commitments[round_id]; std::array &f_ip1_coefficients = proof.f_ip1_coefficients[round_id]; + commitment_type &f_i_tree_root = root; + for (std::size_t i = 0; i <= r-1; i++){ typename TCurve::scalar_field_type::value_type y_i = @@ -234,13 +247,24 @@ namespace nil { for (std::size_t j = 0; j < m; j++){ typename TCurve::scalar_field_type::value_type alpha_i_j = algebra::marshalling(alpha_openings[m*i + j].leaf); - if (!alpha_openings[m*i + j].validate(T)){ + if (!alpha_openings[m*i + j].validate(f_i_tree_root)){ return false; } p_y_i_interpolation_points[j] = std::make_pair(s[j], alpha_i_j); } - math::polynomial::polynom p_y_i = math::polynomial::Lagrange_interpolation(p_y_i_interpolation_points); + math::polynomial::polynom + p_y_i = math::polynomial::Lagrange_interpolation(p_y_i_interpolation_points); + + typename TCurve::scalar_field_type::value_type f_y_i = + algebra::marshalling(f_y_openings[i].leaf); + if (!f_y_openings[i].validate(f_i_tree_root)){ + return false; + } + + if (f_y_i != p_y_i.evaluate(x_i)){ + return false; + } x = q.evaluate(x); From e4a0b8835cbf29a6e1c32631315037256adab5e2 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Mon, 15 Nov 2021 19:06:53 +0300 Subject: [PATCH 017/219] Redshift set to be defined by a field instead of a curve type. #20 --- .../list_polynomial_commitment.hpp | 86 +++++++++---------- .../zk/snark/systems/plonk/redshift/proof.hpp | 2 +- .../snark/systems/plonk/redshift/prover.hpp | 72 ++++++++-------- .../zk/snark/systems/plonk/redshift/types.hpp | 2 +- .../snark/systems/plonk/redshift/verifier.hpp | 38 ++++---- 5 files changed, 100 insertions(+), 100 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index 1677cefa9..45b4b2292 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -53,7 +53,7 @@ namespace nil { typedef typename merkletree::MerkleTree merkle_tree_type; typedef typename merkletree::MerkleProof merkle_proof_type; - constexpr static const math::polynomial::polynom + constexpr static const math::polynomial::polynom q = {0, 0, 1}; struct transcript_round_manifest { @@ -72,7 +72,7 @@ namespace nil { std::array, lamda> f_commitments; - std::array, lambda> + std::array, lambda> f_ip1_coefficients; } @@ -84,11 +84,11 @@ namespace nil { // should be called template <...> static merkle_tree_type commit (const math::polynomial::polynom< - typename TCurve::scalar_field_type::value_type> &f, + typename FieldType::value_type> &f, const std::vector<...> &D){ - std::vector y; - for (typename TCurve::scalar_field_type::value_type H : D){ + std::vector y; + for (typename FieldType::value_type H : D){ y.push_back(f.evaluate(H)); } @@ -97,9 +97,9 @@ namespace nil { template <...> static proof_type proof_eval ( - std::array evaluation_points, + std::array evaluation_points, const merkle_tree_type &T, - const math::polynomial::polynom &f, + const math::polynomial::polynom &f, const std::vector<...> &D){ proof_type proof; @@ -107,21 +107,21 @@ namespace nil { fiat_shamir_heuristic transcript; std::array &z_openings = proof.z_openings; - std::array, k> U_interpolation_points; + std::array, k> U_interpolation_points; for (std::size_t j = 0; j < k; j++){ - typename TCurve::scalar_field_type::value_type z_j = + typename FieldType::value_type z_j = f.evaluate(evaluation_points[j]); std::size_t leaf_index = std::find(D.begin(), D.end(), evaluation_points[j]) - D.begin(); z_openings[j] = merkle_proof_type(T, leaf_index); U_interpolation_points[j] = std::make_pair(evaluation_points[j], z_j); } - math::polynomial::polynom + math::polynomial::polynom U = math::polynomial::Lagrange_interpolation(U_interpolation_points); - math::polynomial::polynom + math::polynomial::polynom Q = (f - U); for (std::size_t j = 0; j < k; j++){ Q = Q/(x - U_interpolation_points[j]); @@ -129,45 +129,45 @@ namespace nil { for (std::size_t round_id = 0; round_id < lambda; round_id++){ - math::polynomial::polynom f_i = Q; + math::polynomial::polynom f_i = Q; - typename TCurve::scalar_field_type::value_type x_i = + typename FieldType::value_type x_i = transcript.get_challenge(); std::array &alpha_openings = proof.alpha_openings[round_id]; std::array &f_y_openings = proof.f_y_openings[round_id]; std::array &f_commitments = proof.f_commitments[round_id]; - std::array &f_ip1_coefficients = + std::array &f_ip1_coefficients = proof.f_ip1_coefficients[round_id]; merkle_tree_type &f_i_tree = T; for (std::size_t i = 0; i <= r-1; i++){ - typename TCurve::scalar_field_type::value_type y_i = + typename FieldType::value_type y_i = transcript.get_challenge(); - math::polynomial::polynom + math::polynomial::polynom sqr_polynom = {y_i, 0, -1}; - std::array s = + std::array s = math::polynomial::get_roots(sqr_polynom); - std::array, m> p_y_i_interpolation_points; + std::array, m> p_y_i_interpolation_points; for (std::size_t j = 0; j < m; j++){ - typename TCurve::scalar_field_type::value_type alpha_i_j = f_i.evaluate(s[j]); + typename FieldType::value_type alpha_i_j = f_i.evaluate(s[j]); std::size_t leaf_index = std::find(D.begin(), D.end(), s[j]) - D.begin(); alpha_openings[m*i + j] = merkle_proof_type(f_i_tree, leaf_index); p_y_i_interpolation_points[j] = std::make_pair(s[j], alpha_i_j); } - math::polynomial::polynom + math::polynomial::polynom p_y_i = math::polynomial::Lagrange_interpolation(p_y_i_interpolation_points); f_i = p_y_i; - typename TCurve::scalar_field_type::value_type f_y_i = f_i.evaluate(y_i); + typename FieldType::value_type f_y_i = f_i.evaluate(y_i); std::size_t leaf_index = std::find(D.begin(), D.end(), y_i) - D.begin(); f_y_openings[i] = merkle_proof_type(f_i_tree, leaf_index); @@ -188,7 +188,7 @@ namespace nil { }; template <...> - static bool verify_eval (std::array evaluation_points, + static bool verify_eval (std::array evaluation_points, commitment_type root, proof_type proof, const std::vector<...> &D){ @@ -196,12 +196,12 @@ namespace nil { fiat_shamir_heuristic transcript; std::array &z_openings = proof.z_openings; - std::array, k> U_interpolation_points; + std::array, k> U_interpolation_points; for (std::size_t j = 0; j < k; j++){ - typename TCurve::scalar_field_type::value_type z_j = - algebra::marshalling(z_openings[j].leaf); + typename FieldType::value_type z_j = + algebra::marshalling(z_openings[j].leaf); if (!z_openings[j].validate(root)){ return false; } @@ -209,55 +209,55 @@ namespace nil { U_interpolation_points[j] = std::make_pair(evaluation_points[j], z_j); } - math::polynomial::polynom + math::polynomial::polynom U = math::polynomial::Lagrange_interpolation(U_interpolation_points); - math::polynomial::polynom Q = (f - U); + math::polynomial::polynom Q = (f - U); for (std::size_t j = 0; j < k; j++){ Q = Q/(x - U_interpolation_points[j]); } for (std::size_t round_id = 0; round_id < lambda; round_id++){ - math::polynomial::polynom f_i = Q; + math::polynomial::polynom f_i = Q; - typename TCurve::scalar_field_type::value_type x_i = + typename FieldType::value_type x_i = transcript.get_challenge(); std::array &alpha_openings = proof.alpha_openings[round_id]; std::array &f_y_openings = proof.f_y_openings[round_id]; std::array &f_commitments = proof.f_commitments[round_id]; - std::array &f_ip1_coefficients = + std::array &f_ip1_coefficients = proof.f_ip1_coefficients[round_id]; commitment_type &f_i_tree_root = root; for (std::size_t i = 0; i <= r-1; i++){ - typename TCurve::scalar_field_type::value_type y_i = + typename FieldType::value_type y_i = transcript.get_challenge(); - math::polynomial::polynom sqr_polynom = {y_i, 0, -1}; - std::array s = + math::polynomial::polynom sqr_polynom = {y_i, 0, -1}; + std::array s = math::polynomial::get_roots(sqr_polynom); - std::array, m> p_y_i_interpolation_points; + std::array, m> p_y_i_interpolation_points; for (std::size_t j = 0; j < m; j++){ - typename TCurve::scalar_field_type::value_type alpha_i_j = - algebra::marshalling(alpha_openings[m*i + j].leaf); + typename FieldType::value_type alpha_i_j = + algebra::marshalling(alpha_openings[m*i + j].leaf); if (!alpha_openings[m*i + j].validate(f_i_tree_root)){ return false; } p_y_i_interpolation_points[j] = std::make_pair(s[j], alpha_i_j); } - math::polynomial::polynom + math::polynomial::polynom p_y_i = math::polynomial::Lagrange_interpolation(p_y_i_interpolation_points); - typename TCurve::scalar_field_type::value_type f_y_i = - algebra::marshalling(f_y_openings[i].leaf); + typename FieldType::value_type f_y_i = + algebra::marshalling(f_y_openings[i].leaf); if (!f_y_openings[i].validate(f_i_tree_root)){ return false; } diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp index f38db0fd1..e799ccf8a 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp @@ -34,7 +34,7 @@ namespace nil { namespace zk { namespace snark { - template + template struct redshift_proof { std::vector f_commitments; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 6411df6b1..3f27560bf 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -34,10 +34,10 @@ namespace nil { namespace zk { namespace snark { - template + template class redshift_prover { - using types_policy = redshift_types_policy; + using types_policy = redshift_types_policy; using transcript_manifest = types_policy::prover_fiat_shamir_heuristic_manifest<6>; typedef hashes::sha2<256> merkle_hash_type; @@ -48,9 +48,9 @@ namespace nil { constexpr static const std::size_t k = ...; constexpr static const std::size_t r = ...; - constexpr static const typename TCurve::scalar_field_type::value_type omega = - algebra::get_root_of_unity() - typedef list_polynomial_commitment_scheme() + typedef list_polynomial_commitment_scheme lpc; public: @@ -69,7 +69,7 @@ namespace nil { ... setup_values = ...; transcript(setup_values); - std::vector> f(N_wires); + std::vector> f(N_wires); std::vector f_trees; std::vector f_commitments; @@ -87,18 +87,18 @@ namespace nil { typename transcript_hash_type::digest_type gamma_bytes = transcript.get_challenge(); - typename TCurve::scalar_field_type::value_type beta = - algebra::marshalling(beta_bytes); - typename TCurve::scalar_field_type::value_type gamma = - algebra::marshalling(gamma_bytes); + typename FieldType::value_type beta = + algebra::marshalling(beta_bytes); + typename FieldType::value_type gamma = + algebra::marshalling(gamma_bytes); - std::vector> p(N_perm); - std::vector> q(N_perm); + std::vector> p(N_perm); + std::vector> q(N_perm); - math::polynomial::polynom p1 = - math::polynomial::polynom::one(); - math::polynomial::polynom q1 = - math::polynomial::polynom::one(); + math::polynomial::polynom p1 = + math::polynomial::polynom::one(); + math::polynomial::polynom q1 = + math::polynomial::polynom::one(); for (std::size_t j = 0; j < N_perm; j++) { p.push_back(f[j] + beta * S_id[j] + gamma); @@ -108,19 +108,19 @@ namespace nil { q1 *= q[j]; } - std::vector> + std::vector> P_interpolation_points(n + 1); - std::vector> + std::vector> Q_interpolation_points(n + 1); P_interpolation_points.push_back(std::make_pair(proving_key.omega, 1)); for (std::size_t i = 2; i <= n + 1; i++) { - typename TCurve::scalar_field_type::value_type P_mul_result = - typename TCurve::scalar_field_type::one(); - typename TCurve::scalar_field_type::value_type Q_mul_result = - typename TCurve::scalar_field_type::one(); + typename FieldType::value_type P_mul_result = + typename FieldType::one(); + typename FieldType::value_type Q_mul_result = + typename FieldType::one(); for (std::size_t j = 1; j < i; j++) { P_mul_result *= p1(proving_key.omega.pow(i)); Q_mul_result *= q1(proving_key.omega.pow(i)); @@ -130,9 +130,9 @@ namespace nil { Q_interpolation_points.push_back(std::make_pair(proving_key.omega.pow(i), Q_mul_result)); } - math::polynomial::polynom P = + math::polynomial::polynom P = math::polynomial::Lagrange_interpolation(P_interpolation_points); - math::polynomial::polynom Q = + math::polynomial::polynom Q = math::polynomial::Lagrange_interpolation(Q_interpolation_points); merkle_tree_type P_tree = lpc::commit(P); @@ -143,14 +143,14 @@ namespace nil { transcript(P_commitment); transcript(Q_commitment); - std::array alphas; + std::array alphas; for (std::size_t i = 0; i < 6; i++) { typename transcript_hash_type::digest_type alpha_bytes = transcript.get_challenge(); - alphas[i] = (algebra::marshalling(alpha_bytes)); + alphas[i] = (algebra::marshalling(alpha_bytes)); } - std::array, 6> F; + std::array, 6> F; F[0] = proving_key.L_basis[1] * (P - 1); F[1] = proving_key.L_basis[1] * (Q - 1); F[2] = P * p_1 - (P << 1); @@ -166,15 +166,15 @@ namespace nil { F[5] += proving_key.f_c[i]; } - math::polynomial::polynom F_consolidated = 0; + math::polynomial::polynom F_consolidated = 0; for (std::size_t i = 0; i < 6; i++) { F_consolidated += a[i] * F[i]; } - math::polynomial::polynom T_consolidated = + math::polynomial::polynom T_consolidated = F_consolidated / Z; - std::vector> T(N_perm + 1); + std::vector> T(N_perm + 1); T = separate_T(T_consolidated); std::vector T_trees; @@ -188,10 +188,10 @@ namespace nil { typename transcript_hash_type::digest_type upsilon_bytes = transcript.get_challenge(); - typename TCurve::scalar_field_type::value_type upsilon = - algebra::marshalling(upsilon_bytes); + typename FieldType::value_type upsilon = + algebra::marshalling(upsilon_bytes); - std::array + std::array fT_evaluation_points = {upsilon}; std::vector f_lpc_proofs(N_wires); @@ -199,7 +199,7 @@ namespace nil { f_lpc_proofs.push_back(lpc::proof_eval(fT_evaluation_points, f_trees[i], f[i], ...)); } - std::array + std::array PQ_evaluation_points = {upsilon, upsilon * omega}; lpc::proof P_lpc_proof = lpc::proof_eval(PQ_evaluation_points, P_tree, P, ...); lpc::proof Q_lpc_proof = lpc::proof_eval(PQ_evaluation_points, Q_tree, Q, ...); diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp index 21c4012d6..63b2a869e 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp @@ -81,7 +81,7 @@ namespace nil { * about the structure for statistics purposes. */ template - typedef redshift_proof proof_type; + typedef redshift_proof proof_type; template struct prover_fiat_shamir_heuristic_manifest { diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp index cc24b8129..9cbf13304 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp @@ -34,19 +34,19 @@ namespace nil { namespace zk { namespace snark { - template + template class redshift_verifier { - using types_policy = redshift_types_policy; + using types_policy = redshift_types_policy; using transcript_manifest = types_policy::prover_fiat_shamir_heuristic_manifest<6>; - using constraint_system_type = plonk_constraint_system; + using constraint_system_type = plonk_constraint_system; constexpr static const std::size_t k = ...; constexpr static const std::size_t r = ...; - constexpr static const typename TCurve::scalar_field_type::value_type omega = - algebra::get_root_of_unity() - typedef list_polynomial_commitment_scheme() + typedef list_polynomial_commitment_scheme lpc; public: @@ -74,19 +74,19 @@ namespace nil { typename transcript_hash_type::digest_type gamma_bytes = transcript.get_challenge(); - typename TCurve::scalar_field_type::value_type beta = - algebra::marshalling(beta_bytes); - typename TCurve::scalar_field_type::value_type gamma = - algebra::marshalling(gamma_bytes); + typename FieldType::value_type beta = + algebra::marshalling(beta_bytes); + typename FieldType::value_type gamma = + algebra::marshalling(gamma_bytes); transcript(proof.P_commitment); transcript(proof.Q_commitment); - std::array alphas; + std::array alphas; for (std::size_t i = 0; i < 6; i++) { typename transcript_hash_type::digest_type alpha_bytes = transcript.get_challenge(); - alphas[i] = (algebra::marshalling(alpha_bytes)); + alphas[i] = (algebra::marshalling(alpha_bytes)); } for (std::size_t i = 0; i < N_perm + 2; i++) { @@ -96,10 +96,10 @@ namespace nil { typename transcript_hash_type::digest_type upsilon_bytes = transcript.get_challenge(); - typename TCurve::scalar_field_type::value_type upsilon = - algebra::marshalling(upsilon_bytes); + typename FieldType::value_type upsilon = + algebra::marshalling(upsilon_bytes); - std::array + std::array fT_evaluation_points = {upsilon}; for (std::size_t i = 0; i < N_wires; i++){ @@ -109,7 +109,7 @@ namespace nil { } } - std::array + std::array PQ_evaluation_points = {upsilon, upsilon * omega}; if (!lpc::verify_eval(PQ_evaluation_points, proof.P_commitment, proof.P_lpc_proof, ...)){ @@ -127,7 +127,7 @@ namespace nil { } } - std::array, 6> + std::array, 6> F; F[0] = verification_key.L_basis[1] * (P - 1); F[1] = verification_key.L_basis[1] * (Q - 1); @@ -144,10 +144,10 @@ namespace nil { F[5] += verification_key.f_c[i]; } - math::polynomial::polynom T_consolidate; + math::polynomial::polynom T_consolidate; T_consolidate = consolidate_T(T); - math::polynomial::polynom F_consolidated = 0; + math::polynomial::polynom F_consolidated = 0; for (std::size_t i = 0; i < 6; i++) { F_consolidated += a[i] * F[i]; } From 3a8552d45e787ef986baa21ee7eb453b11d262d1 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Sun, 21 Nov 2021 01:22:28 +0300 Subject: [PATCH 018/219] Linear combination implementation updated. #20 --- .../list_polynomial_commitment.hpp | 1 - .../circuit_satisfaction_problems/bacs.hpp | 1 + .../constraint_satisfaction_problems/r1cs.hpp | 1 + .../constraint_satisfaction_problems/uscs.hpp | 1 + .../zk/snark/relations/linear_combination.hpp | 333 +++++++++++++++ .../crypto3/zk/snark/relations/variable.hpp | 380 ++++-------------- 6 files changed, 419 insertions(+), 298 deletions(-) create mode 100644 include/nil/crypto3/zk/snark/relations/linear_combination.hpp diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index 45b4b2292..9ea594b76 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -64,7 +64,6 @@ namespace nil { using openning_type = merkle_proof_type; using commitment_type = typename merkle_tree_type::root_type; - template struct proof_type { std::array z_openings; std::array, lamda> alpha_openings; diff --git a/include/nil/crypto3/zk/snark/relations/circuit_satisfaction_problems/bacs.hpp b/include/nil/crypto3/zk/snark/relations/circuit_satisfaction_problems/bacs.hpp index 4fb0ab5bf..91def4dfe 100644 --- a/include/nil/crypto3/zk/snark/relations/circuit_satisfaction_problems/bacs.hpp +++ b/include/nil/crypto3/zk/snark/relations/circuit_satisfaction_problems/bacs.hpp @@ -38,6 +38,7 @@ #include #include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/relations/constraint_satisfaction_problems/r1cs.hpp b/include/nil/crypto3/zk/snark/relations/constraint_satisfaction_problems/r1cs.hpp index 4c6b82bdd..4dda53c7f 100644 --- a/include/nil/crypto3/zk/snark/relations/constraint_satisfaction_problems/r1cs.hpp +++ b/include/nil/crypto3/zk/snark/relations/constraint_satisfaction_problems/r1cs.hpp @@ -38,6 +38,7 @@ #include #include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/relations/constraint_satisfaction_problems/uscs.hpp b/include/nil/crypto3/zk/snark/relations/constraint_satisfaction_problems/uscs.hpp index 06bf60cf7..4a43981d2 100644 --- a/include/nil/crypto3/zk/snark/relations/constraint_satisfaction_problems/uscs.hpp +++ b/include/nil/crypto3/zk/snark/relations/constraint_satisfaction_problems/uscs.hpp @@ -37,6 +37,7 @@ #include #include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/relations/linear_combination.hpp b/include/nil/crypto3/zk/snark/relations/linear_combination.hpp new file mode 100644 index 000000000..dba1cba7c --- /dev/null +++ b/include/nil/crypto3/zk/snark/relations/linear_combination.hpp @@ -0,0 +1,333 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2020-2021 Mikhail Komarov +// Copyright (c) 2020-2021 Nikita Kaskov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// +// @file Declaration of interfaces for: +// - a variable (i.e., x_i), +// - a linear term (i.e., a_i * x_i), and +// - a linear combination (i.e., sum_i a_i * x_i). +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_LINEAR_COMBINATION_HPP +#define CRYPTO3_ZK_LINEAR_COMBINATION_HPP + +#include +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + + /** + * Forward declaration. + */ + template + struct linear_combination; + + /****************************** Linear term **********************************/ + + /** + * A linear term represents a formal expression of the form "coeff * x_{index}". + */ + template + class linear_term { + typedef FieldType field_type; + typedef typename field_type::value_type field_value_type; + + static_assert(!RotationSupport); + public: + typename variable::index_type index; + field_value_type coeff; + + linear_term() {}; + linear_term(const variable &var) : index(var.index), coeff(field_value_type::one()) { + } + + linear_term operator*( + const typename variable::integer_coeff_type int_coeff) const { + return (this->operator*(field_value_type(int_coeff))); + } + + linear_term operator*(const field_value_type &field_coeff) const { + linear_term result(this->index); + result.coeff = field_coeff * this->coeff; + return result; + } + + linear_combination operator+( + const linear_combination &other) const { + return linear_combination(*this) + other; + } + + linear_combination operator-( + const linear_combination &other) const { + return (*this) + (-other); + } + + linear_term operator-() const { + return linear_term(this->index, -this->coeff); + } + + bool operator==(const linear_term &other) const { + return (this->index == other.index && this->coeff == other.coeff); + } + }; + + template + linear_term operator*(typename variable::integer_coeff_type int_coeff, + const linear_term <) { + return lt * int_coeff; + } + + template + linear_term operator*(const typename FieldType::value_type &field_coeff, + const linear_term <) { + return lt * field_coeff; + } + + template + linear_combination operator+(const typename variable::integer_coeff_type int_coeff, + const linear_term <) { + return linear_combination(int_coeff) + lt; + } + + template + linear_combination operator+(const typename FieldType::value_type &field_coeff, + const linear_term <) { + return linear_combination(field_coeff) + lt; + } + + template + linear_combination operator-(const typename variable::integer_coeff_type int_coeff, + const linear_term <) { + return linear_combination(int_coeff) - lt; + } + + template + linear_combination operator-(const typename FieldType::value_type &field_coeff, + const linear_term <) { + return linear_combination(field_coeff) - lt; + } + + /***************************** Linear combination ****************************/ + + /** + * A linear combination represents a formal expression of the form "sum_i coeff_i * x_{index_i}". + */ + template + class linear_combination { + typedef FieldType field_type; + typedef typename field_type::value_type field_value_type; + + static_assert(!RotationSupport); + public: + std::vector> terms; + + linear_combination() {}; + linear_combination(const typename variable::integer_coeff_type int_coeff) { + this->add_term(linear_term(0) * int_coeff); + } + linear_combination(const field_value_type &field_coeff) { + this->add_term(linear_term(0) * field_coeff); + } + linear_combination(const variable &var) { + this->add_term(var); + } + linear_combination(const linear_term <) { + this->add_term(lt); + } + linear_combination(const std::vector> &all_terms) { + if (all_terms.empty()) { + return; + } + + terms = all_terms; + std::sort(terms.begin(), terms.end(), + [](linear_term a, linear_term b) { return a.index < b.index; }); + + auto result_it = terms.begin(); + for (auto it = ++terms.begin(); it != terms.end(); ++it) { + if (it->index == result_it->index) { + result_it->coeff += it->coeff; + } else { + *(++result_it) = *it; + } + } + terms.resize((result_it - terms.begin()) + 1); + } + + /* for supporting range-based for loops over linear_combination */ + typename std::vector>::const_iterator begin() const { + return terms.begin(); + } + + typename std::vector>::const_iterator end() const { + return terms.end(); + } + + void add_term(const variable &var) { + this->terms.emplace_back(linear_term(var.index) * field_value_type::one()); + } + void add_term(const variable &var, + typename variable::integer_coeff_type int_coeff) { + this->terms.emplace_back(linear_term(var.index) * int_coeff); + } + void add_term(const variable &var, const field_value_type &field_coeff) { + this->terms.emplace_back(linear_term(var.index) * field_coeff); + } + void add_term(const linear_term <) { + this->terms.emplace_back(lt); + } + + field_value_type evaluate(const std::vector &assignment) const { + field_value_type acc = field_value_type::zero(); + for (auto < : terms) { + acc += (lt.index == 0 ? field_value_type::one() : assignment[lt.index - 1]) * lt.coeff; + } + return acc; + } + + linear_combination operator*(typename variable::integer_coeff_type int_coeff) const { + return (*this) * field_value_type(int_coeff); + } + linear_combination operator*(const field_value_type &field_coeff) const { + linear_combination result; + result.terms.reserve(this->terms.size()); + for (const linear_term < : this->terms) { + result.terms.emplace_back(lt * field_coeff); + } + return result; + } + linear_combination operator+(const linear_combination &other) const { + linear_combination result; + + auto it1 = this->terms.begin(); + auto it2 = other.terms.begin(); + + /* invariant: it1 and it2 always point to unprocessed items in the corresponding linear + * combinations + */ + while (it1 != this->terms.end() && it2 != other.terms.end()) { + if (it1->index < it2->index) { + result.terms.emplace_back(*it1); + ++it1; + } else if (it1->index > it2->index) { + result.terms.emplace_back(*it2); + ++it2; + } else { + /* it1->index == it2->index */ + result.terms.emplace_back( + linear_term(variable(it1->index)) * (it1->coeff + it2->coeff)); + ++it1; + ++it2; + } + } + + if (it1 != this->terms.end()) { + result.terms.insert(result.terms.end(), it1, this->terms.end()); + } else { + result.terms.insert(result.terms.end(), it2, other.terms.end()); + } + + return result; + } + linear_combination operator-(const linear_combination &other) const { + return (*this) + (-other); + } + linear_combination operator-() const { + return (*this) * (-field_value_type::one()); + } + + bool operator==(const linear_combination &other) const { + + std::vector> thisterms = this->terms; + std::sort(thisterms.begin(), thisterms.end(), + [](linear_term a, linear_term b) { return a.index < b.index; }); + + std::vector> otherterms = other.terms; + std::sort(otherterms.begin(), otherterms.end(), + [](linear_term a, linear_term b) { return a.index < b.index; }); + + return (thisterms == otherterms); + } + + bool is_valid(size_t num_variables) const { + /* check that all terms in linear combination are sorted */ + for (std::size_t i = 1; i < terms.size(); ++i) { + if (terms[i - 1].index >= terms[i].index) { + return false; + } + } + + /* check that the variables are in proper range. as the variables + are sorted, it suffices to check the last term */ + if ((--terms.end())->index >= num_variables) { + return false; + } + + return true; + } + }; + + template + linear_combination operator*(typename variable::integer_coeff_type int_coeff, + const linear_combination &lc) { + return lc * int_coeff; + } + + template + linear_combination operator*(const typename FieldType::value_type &field_coeff, + const linear_combination &lc) { + return lc * field_coeff; + } + + template + linear_combination operator+(typename variable::integer_coeff_type int_coeff, + const linear_combination &lc) { + return linear_combination(int_coeff) + lc; + } + + template + linear_combination operator+(const typename FieldType::value_type &field_coeff, + const linear_combination &lc) { + return linear_combination(field_coeff) + lc; + } + + template + linear_combination operator-(typename variable::integer_coeff_type int_coeff, + const linear_combination &lc) { + return linear_combination(int_coeff) - lc; + } + + template + linear_combination operator-(const typename FieldType::value_type &field_coeff, + const linear_combination &lc) { + return linear_combination(field_coeff) - lc; + } + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_LINEAR_COMBINATION_HPP diff --git a/include/nil/crypto3/zk/snark/relations/variable.hpp b/include/nil/crypto3/zk/snark/relations/variable.hpp index 9969adcb3..823e0b2f6 100644 --- a/include/nil/crypto3/zk/snark/relations/variable.hpp +++ b/include/nil/crypto3/zk/snark/relations/variable.hpp @@ -1,5 +1,5 @@ //---------------------------------------------------------------------------// -// Copyright (c) 2018-2021 Mikhail Komarov +// Copyright (c) 2020-2021 Mikhail Komarov // Copyright (c) 2020-2021 Nikita Kaskov // // MIT License @@ -31,8 +31,6 @@ #ifndef CRYPTO3_ZK_VARIABLE_HPP #define CRYPTO3_ZK_VARIABLE_HPP -#include -#include #include namespace nil { @@ -40,46 +38,51 @@ namespace nil { namespace zk { namespace snark { - /** - * Mnemonic typedefs. - */ - typedef long integer_coeff_t; - /** * Forward declaration. */ - template + template struct linear_term; /** * Forward declaration. */ - template + template struct linear_combination; /********************************* Variable **********************************/ + template + struct variable; + /** * A variable represents a formal expression of the form "x_{index}". */ template - struct variable { + class variable { + + constexpr static const bool RotationSupport = false; + public: + /** + * Mnemonic typedefs. + */ + typedef long integer_coeff_type; typedef std::size_t index_type; index_type index; variable(const index_type index = 0) : index(index) {}; - linear_term operator*(const integer_coeff_t int_coeff) const { - return linear_term(*this, int_coeff); + linear_term operator*(const integer_coeff_type int_coeff) const { + return linear_term(*this)* int_coeff; } - linear_term operator*(const typename FieldType::value_type &field_coeff) const { - return linear_term(*this, field_coeff); + linear_term operator*(const typename FieldType::value_type &field_coeff) const { + return linear_term(*this)* field_coeff; } - linear_combination operator+(const linear_combination &other) const { - linear_combination result; + linear_combination operator+(const linear_combination &other) const { + linear_combination result; result.add_term(*this); result.terms.insert(result.terms.begin(), other.terms.begin(), other.terms.end()); @@ -87,12 +90,12 @@ namespace nil { return result; } - linear_combination operator-(const linear_combination &other) const { + linear_combination operator-(const linear_combination &other) const { return (*this) + (-other); } - linear_term operator-() const { - return linear_term(*this, -FieldType::value_type::one()); + linear_term operator-() const { + return linear_term(*this) * (-FieldType::value_type::one()); } bool operator==(const variable &other) const { @@ -100,319 +103,102 @@ namespace nil { } }; - template - linear_term operator*(const integer_coeff_t int_coeff, const variable &var) { - return linear_term(var, int_coeff); - } - - template - linear_term operator*(const typename FieldType::value_type &field_coeff, - const variable &var) { - return linear_term(var, field_coeff); - } - - template - linear_combination operator+(const integer_coeff_t int_coeff, - const variable &var) { - return linear_combination(int_coeff) + var; - } - - template - linear_combination operator+(const typename FieldType::value_type &field_coeff, - const variable &var) { - return linear_combination(field_coeff) + var; - } - - template - linear_combination operator-(const integer_coeff_t int_coeff, - const variable &var) { - return linear_combination(int_coeff) - var; - } - - template - linear_combination operator-(const typename FieldType::value_type &field_coeff, - const variable &var) { - return linear_combination(field_coeff) - var; - } - - /****************************** Linear term **********************************/ - /** - * A linear term represents a formal expression of the form "coeff * x_{index}". + * A variable represents a formal expression of the form "w^{index}_{rotation}". */ template - class linear_term { - typedef FieldType field_type; - typedef typename field_type::value_type field_value_type; - - public: - typename variable::index_type index; - field_value_type coeff; - - linear_term() {}; - linear_term(const variable &var) : index(var.index), coeff(field_value_type::one()) { - } - - linear_term(const variable &var, const integer_coeff_t int_coeff) : - index(var.index), coeff(field_value_type(int_coeff)) { - } - - linear_term(const variable &var, const field_value_type &field_coeff) : - index(var.index), coeff(field_coeff) { - } - - linear_term operator*(const integer_coeff_t int_coeff) const { - return (this->operator*(field_value_type(int_coeff))); - } + class variable { - linear_term operator*(const field_value_type &field_coeff) const { - return linear_term(this->index, field_coeff * this->coeff); - } - - linear_combination operator+(const linear_combination &other) const { - return linear_combination(*this) + other; - } - - linear_combination operator-(const linear_combination &other) const { - return (*this) + (-other); - } + constexpr static const bool RotationSupport = false; - linear_term operator-() const { - return linear_term(this->index, -this->coeff); - } - - bool operator==(const linear_term &other) const { - return (this->index == other.index && this->coeff == other.coeff); - } - }; - - template - linear_term operator*(integer_coeff_t int_coeff, const linear_term <) { - return typename FieldType::value_type(int_coeff) * lt; - } - - template - linear_term operator*(const typename FieldType::value_type &field_coeff, - const linear_term <) { - return linear_term(lt.index, field_coeff * lt.coeff); - } - - template - linear_combination operator+(const integer_coeff_t int_coeff, - const linear_term <) { - return linear_combination(int_coeff) + lt; - } - - template - linear_combination operator+(const typename FieldType::value_type &field_coeff, - const linear_term <) { - return linear_combination(field_coeff) + lt; - } - - template - linear_combination operator-(const integer_coeff_t int_coeff, - const linear_term <) { - return linear_combination(int_coeff) - lt; - } - - template - linear_combination operator-(const typename FieldType::value_type &field_coeff, - const linear_term <) { - return linear_combination(field_coeff) - lt; - } - - /***************************** Linear combination ****************************/ + public: - /** - * A linear combination represents a formal expression of the form "sum_i coeff_i * x_{index_i}". - */ - template - class linear_combination { - typedef FieldType field_type; - typedef typename field_type::value_type field_value_type; + /** + * Mnemonic typedefs. + */ + typedef long integer_coeff_type; + typedef std::size_t wire_index_type; + enum rotation_type{ + pre_previous = -2, + previous, + current, + nex, + after_next + }; + wire_index_type index; + rotation_type rotation; - public: - std::vector> terms; + variable(const wire_index_type index = 0, rotation_type rotation = rotation_type::current) : + index(index), rotation(rotation) {}; - linear_combination() {}; - linear_combination(const integer_coeff_t int_coeff) { - this->add_term(linear_term(0, int_coeff)); - } - linear_combination(const field_value_type &field_coeff) { - this->add_term(linear_term(0, field_coeff)); - } - linear_combination(const variable &var) { - this->add_term(var); - } - linear_combination(const linear_term <) { - this->add_term(lt); - } - linear_combination(const std::vector> &all_terms) { - if (all_terms.empty()) { - return; - } - - terms = all_terms; - std::sort(terms.begin(), terms.end(), - [](linear_term a, linear_term b) { return a.index < b.index; }); - - auto result_it = terms.begin(); - for (auto it = ++terms.begin(); it != terms.end(); ++it) { - if (it->index == result_it->index) { - result_it->coeff += it->coeff; - } else { - *(++result_it) = *it; - } - } - terms.resize((result_it - terms.begin()) + 1); + linear_term operator*(const integer_coeff_type int_coeff) const { + return linear_term(*this) * int_coeff; } - /* for supporting range-based for loops over linear_combination */ - typename std::vector>::const_iterator begin() const { - return terms.begin(); - } + // non_linear_term operator^(const integer_coeff_type power) const { + // return non_linear_term(*this, power); + // } - typename std::vector>::const_iterator end() const { - return terms.end(); + linear_term operator*(const typename FieldType::value_type &field_coeff) const { + return linear_term(*this) * field_coeff; } - void add_term(const variable &var) { - this->terms.emplace_back(linear_term(var.index, field_value_type::one())); - } - void add_term(const variable &var, integer_coeff_t int_coeff) { - this->terms.emplace_back(linear_term(var.index, int_coeff)); - } - void add_term(const variable &var, const field_value_type &field_coeff) { - this->terms.emplace_back(linear_term(var.index, field_coeff)); - } - void add_term(const linear_term <) { - this->terms.emplace_back(lt); - } + linear_combination operator+(const linear_combination &other) const { + linear_combination result; - field_value_type evaluate(const std::vector &assignment) const { - field_value_type acc = field_value_type::zero(); - for (auto < : terms) { - acc += (lt.index == 0 ? field_value_type::one() : assignment[lt.index - 1]) * lt.coeff; - } - return acc; - } + result.add_term(*this); + result.terms.insert(result.terms.begin(), other.terms.begin(), other.terms.end()); - linear_combination operator*(integer_coeff_t int_coeff) const { - return (*this) * field_value_type(int_coeff); - } - linear_combination operator*(const field_value_type &field_coeff) const { - linear_combination result; - result.terms.reserve(this->terms.size()); - for (const linear_term < : this->terms) { - result.terms.emplace_back(lt * field_coeff); - } return result; } - linear_combination operator+(const linear_combination &other) const { - linear_combination result; - - auto it1 = this->terms.begin(); - auto it2 = other.terms.begin(); - - /* invariant: it1 and it2 always point to unprocessed items in the corresponding linear - * combinations - */ - while (it1 != this->terms.end() && it2 != other.terms.end()) { - if (it1->index < it2->index) { - result.terms.emplace_back(*it1); - ++it1; - } else if (it1->index > it2->index) { - result.terms.emplace_back(*it2); - ++it2; - } else { - /* it1->index == it2->index */ - result.terms.emplace_back( - linear_term(variable(it1->index), it1->coeff + it2->coeff)); - ++it1; - ++it2; - } - } - - if (it1 != this->terms.end()) { - result.terms.insert(result.terms.end(), it1, this->terms.end()); - } else { - result.terms.insert(result.terms.end(), it2, other.terms.end()); - } - return result; - } - linear_combination operator-(const linear_combination &other) const { + linear_combination operator-(const linear_combination &other) const { return (*this) + (-other); } - linear_combination operator-() const { - return (*this) * (-field_value_type::one()); - } - - bool operator==(const linear_combination &other) const { - std::vector> thisterms = this->terms; - std::sort(thisterms.begin(), thisterms.end(), - [](linear_term a, linear_term b) { return a.index < b.index; }); - - std::vector> otherterms = other.terms; - std::sort(otherterms.begin(), otherterms.end(), - [](linear_term a, linear_term b) { return a.index < b.index; }); - - return (thisterms == otherterms); + linear_term operator-() const { + return linear_term(*this) * ( -FieldType::value_type::one()); } - bool is_valid(size_t num_variables) const { - /* check that all terms in linear combination are sorted */ - for (std::size_t i = 1; i < terms.size(); ++i) { - if (terms[i - 1].index >= terms[i].index) { - return false; - } - } - - /* check that the variables are in proper range. as the variables - are sorted, it suffices to check the last term */ - if ((--terms.end())->index >= num_variables) { - return false; - } - - return true; + bool operator==(const variable &other) const { + return ((this->index == other.index) && (this->rotation == other.rotation)); } }; - template - linear_combination operator*(integer_coeff_t int_coeff, - const linear_combination &lc) { - return lc * int_coeff; + template + linear_term operator*(const typename variable::integer_coeff_type int_coeff, + const variable &var) { + return var * int_coeff; } - template - linear_combination operator*(const typename FieldType::value_type &field_coeff, - const linear_combination &lc) { - return lc * field_coeff; + template + linear_term operator*(const typename FieldType::value_type &field_coeff, + const variable &var) { + return var * field_coeff; } - template - linear_combination operator+(integer_coeff_t int_coeff, - const linear_combination &lc) { - return linear_combination(int_coeff) + lc; + template + linear_combination operator+(const typename variable::integer_coeff_type int_coeff, + const variable &var) { + return var + int_coeff; } - template - linear_combination operator+(const typename FieldType::value_type &field_coeff, - const linear_combination &lc) { - return linear_combination(field_coeff) + lc; + template + linear_combination operator+(const typename FieldType::value_type &field_coeff, + const variable &var) { + return var + field_coeff; } - template - linear_combination operator-(integer_coeff_t int_coeff, - const linear_combination &lc) { - return linear_combination(int_coeff) - lc; + template + linear_combination operator-(const typename variable::integer_coeff_type int_coeff, + const variable &var) { + return linear_combination(int_coeff) - var; } - template - linear_combination operator-(const typename FieldType::value_type &field_coeff, - const linear_combination &lc) { - return linear_combination(field_coeff) - lc; + template + linear_combination operator-(const typename FieldType::value_type &field_coeff, + const variable &var) { + return linear_combination(field_coeff) - var; } } // namespace snark } // namespace zk From 1b1b62ea364fc4baec5cbf56374b1aee99866148 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Sun, 21 Nov 2021 03:22:45 +0300 Subject: [PATCH 019/219] Variables constructor and operations from integral value removed. --- .../zk/snark/relations/linear_combination.hpp | 73 +---- .../relations/non_linear_combination.hpp | 307 ++++++++++++++++++ .../crypto3/zk/snark/relations/variable.hpp | 116 +++---- 3 files changed, 381 insertions(+), 115 deletions(-) create mode 100644 include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp diff --git a/include/nil/crypto3/zk/snark/relations/linear_combination.hpp b/include/nil/crypto3/zk/snark/relations/linear_combination.hpp index dba1cba7c..97cabe3c0 100644 --- a/include/nil/crypto3/zk/snark/relations/linear_combination.hpp +++ b/include/nil/crypto3/zk/snark/relations/linear_combination.hpp @@ -51,11 +51,15 @@ namespace nil { * A linear term represents a formal expression of the form "coeff * x_{index}". */ template - class linear_term { + class linear_term; + + template + class linear_term { typedef FieldType field_type; typedef typename field_type::value_type field_value_type; - static_assert(!RotationSupport); + constexpr static const bool RotationSupport = false; + public: typename variable::index_type index; field_value_type coeff; @@ -64,11 +68,6 @@ namespace nil { linear_term(const variable &var) : index(var.index), coeff(field_value_type::one()) { } - linear_term operator*( - const typename variable::integer_coeff_type int_coeff) const { - return (this->operator*(field_value_type(int_coeff))); - } - linear_term operator*(const field_value_type &field_coeff) const { linear_term result(this->index); result.coeff = field_coeff * this->coeff; @@ -86,7 +85,7 @@ namespace nil { } linear_term operator-() const { - return linear_term(this->index, -this->coeff); + return linear_term(this->index) *(-this->coeff); } bool operator==(const linear_term &other) const { @@ -94,36 +93,18 @@ namespace nil { } }; - template - linear_term operator*(typename variable::integer_coeff_type int_coeff, - const linear_term <) { - return lt * int_coeff; - } - template linear_term operator*(const typename FieldType::value_type &field_coeff, const linear_term <) { return lt * field_coeff; } - template - linear_combination operator+(const typename variable::integer_coeff_type int_coeff, - const linear_term <) { - return linear_combination(int_coeff) + lt; - } - template linear_combination operator+(const typename FieldType::value_type &field_coeff, const linear_term <) { return linear_combination(field_coeff) + lt; } - template - linear_combination operator-(const typename variable::integer_coeff_type int_coeff, - const linear_term <) { - return linear_combination(int_coeff) - lt; - } - template linear_combination operator-(const typename FieldType::value_type &field_coeff, const linear_term <) { @@ -135,19 +116,17 @@ namespace nil { /** * A linear combination represents a formal expression of the form "sum_i coeff_i * x_{index_i}". */ - template - class linear_combination { + template + class linear_combination { typedef FieldType field_type; typedef typename field_type::value_type field_value_type; + + constexpr static const bool RotationSupport = false; - static_assert(!RotationSupport); public: std::vector> terms; linear_combination() {}; - linear_combination(const typename variable::integer_coeff_type int_coeff) { - this->add_term(linear_term(0) * int_coeff); - } linear_combination(const field_value_type &field_coeff) { this->add_term(linear_term(0) * field_coeff); } @@ -187,14 +166,10 @@ namespace nil { } void add_term(const variable &var) { - this->terms.emplace_back(linear_term(var.index) * field_value_type::one()); - } - void add_term(const variable &var, - typename variable::integer_coeff_type int_coeff) { - this->terms.emplace_back(linear_term(var.index) * int_coeff); + this->terms.emplace_back(linear_term(var)); } void add_term(const variable &var, const field_value_type &field_coeff) { - this->terms.emplace_back(linear_term(var.index) * field_coeff); + this->terms.emplace_back(linear_term(var) * field_coeff); } void add_term(const linear_term <) { this->terms.emplace_back(lt); @@ -207,10 +182,6 @@ namespace nil { } return acc; } - - linear_combination operator*(typename variable::integer_coeff_type int_coeff) const { - return (*this) * field_value_type(int_coeff); - } linear_combination operator*(const field_value_type &field_coeff) const { linear_combination result; result.terms.reserve(this->terms.size()); @@ -290,36 +261,18 @@ namespace nil { } }; - template - linear_combination operator*(typename variable::integer_coeff_type int_coeff, - const linear_combination &lc) { - return lc * int_coeff; - } - template linear_combination operator*(const typename FieldType::value_type &field_coeff, const linear_combination &lc) { return lc * field_coeff; } - template - linear_combination operator+(typename variable::integer_coeff_type int_coeff, - const linear_combination &lc) { - return linear_combination(int_coeff) + lc; - } - template linear_combination operator+(const typename FieldType::value_type &field_coeff, const linear_combination &lc) { return linear_combination(field_coeff) + lc; } - template - linear_combination operator-(typename variable::integer_coeff_type int_coeff, - const linear_combination &lc) { - return linear_combination(int_coeff) - lc; - } - template linear_combination operator-(const typename FieldType::value_type &field_coeff, const linear_combination &lc) { diff --git a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp new file mode 100644 index 000000000..1faaed643 --- /dev/null +++ b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp @@ -0,0 +1,307 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2020-2021 Mikhail Komarov +// Copyright (c) 2020-2021 Nikita Kaskov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// +// @file Declaration of interfaces for: +// - a variable (i.e., x_i), +// - a linear term (i.e., a_i * x_i), and +// - a linear combination (i.e., sum_i a_i * x_i). +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_NON_LINEAR_COMBINATION_HPP +#define CRYPTO3_ZK_NON_LINEAR_COMBINATION_HPP + +#include +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + + /** + * Forward declaration. + */ + template + struct non_linear_combination; + + /****************************** Linear term **********************************/ + + /** + * A linear term represents a formal expression of the form + * "coeff * w^{wire_index_1}_{rotation_1} * ... * w^{wire_index_k}_{rotation_k}". + */ + template + class non_linear_term; + + template + class non_linear_term { + typedef FieldType field_type; + typedef typename field_type::value_type field_value_type; + + constexpr static const bool RotationSupport = true; + + public: + std::vector> vars; + field_value_type coeff; + + non_linear_term() {}; + + non_linear_term(const variable &var) : coeff(field_value_type::one()) { + vars.push_back(var); + } + + non_linear_term(const field_value_type &field_val) : coeff(field_val) { + } + + non_linear_term( + std::vector> vars) : + vars(vars), coeff(field_value_type::one()) { + } + + non_linear_term operator*(const field_value_type &field_coeff) const { + non_linear_term result(this->vars); + result.coeff = field_coeff * this->coeff; + return result; + } + + // non_linear_combination operator+(const non_linear_combination &other) const { + // return non_linear_combination(*this) + other; + // } + + // non_linear_combination operator-(const non_linear_combination &other) const { + // return (*this) + (-other); + // } + + non_linear_term operator-() const { + return non_linear_term(this->vars)* (-this->coeff); + } + + bool operator==(const non_linear_term &other) const { + return (this->vars == other.vars && this->coeff == other.coeff); + } + }; + + template + non_linear_term operator*( + const typename FieldType::value_type &field_coeff, + const non_linear_term &nlt) { + return nlt * field_coeff; + } + + template + non_linear_combination operator+( + const typename FieldType::value_type &field_coeff, + const non_linear_term &nlt) { + return non_linear_combination(field_coeff) + nlt; + } + + template + non_linear_combination operator-( + const typename FieldType::value_type &field_coeff, + const non_linear_term &nlt) { + return non_linear_combination(field_coeff) - nlt; + } + + /***************************** Linear combination ****************************/ + + /** + * A linear combination represents a formal expression of the form "sum_i coeff_i * x_{index_i}". + */ + template + class non_linear_combination { + typedef FieldType field_type; + typedef typename field_type::value_type field_value_type; + + constexpr static const bool RotationSupport = true; + + public: + std::vector> terms; + + non_linear_combination() {}; + non_linear_combination(const field_value_type &field_coeff) { + this->add_term(non_linear_term(field_coeff)); + } + non_linear_combination(const variable &var) { + this->add_term(var); + } + non_linear_combination(const non_linear_term &nlt) { + this->add_term(nlt); + } + // non_linear_combination(const std::vector> &all_terms) { + // if (all_terms.empty()) { + // return; + // } + + // terms = all_terms; + // std::sort(terms.begin(), terms.end(), + // [](non_linear_term a, + // non_linear_term b) { return a.index < b.index; }); + + // auto result_it = terms.begin(); + // for (auto it = ++terms.begin(); it != terms.end(); ++it) { + // if (it->index == result_it->index) { + // result_it->coeff += it->coeff; + // } else { + // *(++result_it) = *it; + // } + // } + // terms.resize((result_it - terms.begin()) + 1); + // } + + /* for supporting range-based for loops over non_linear_combination */ + typename std::vector>::const_iterator begin() const { + return terms.begin(); + } + + typename std::vector>::const_iterator end() const { + return terms.end(); + } + + void add_term(const variable &var) { + this->terms.emplace_back(non_linear_term(var)); + } + void add_term(const variable &var, const field_value_type &field_coeff) { + this->terms.emplace_back(non_linear_term(var) * field_coeff); + } + void add_term(const non_linear_term &nlt) { + this->terms.emplace_back(nlt); + } + + field_value_type evaluate(std::size_t row_index, + const std::vector> &assignment) const { + field_value_type acc = field_value_type::zero(); + for (auto &nlt : terms) { + field_value_type term_value = nlt.coeff; + + for (variable &var: nlt.vars){ + term_value *= assignment[var.wire_index][row_index + var.rotation]; + + } + acc += assignment[nlt.vars] * nlt.coeff; + } + return acc; + } + + non_linear_combination operator*(const field_value_type &field_coeff) const { + non_linear_combination result; + result.terms.reserve(this->terms.size()); + for (const non_linear_term &nlt : this->terms) { + result.terms.emplace_back(nlt * field_coeff); + } + return result; + } + non_linear_combination operator+(const non_linear_combination &other) const { + non_linear_combination result; + + auto it1 = this->terms.begin(); + auto it2 = other.terms.begin(); + + /* invariant: it1 and it2 always point to unprocessed items in the corresponding linear + * combinations + */ + while (it1 != this->terms.end() && it2 != other.terms.end()) { + if (it1->wire_index < it2->wire_index) { + result.terms.emplace_back(*it1); + ++it1; + } else if (it1->wire_index > it2->wire_index) { + result.terms.emplace_back(*it2); + ++it2; + } else { + /* it1->wire_index == it2->wire_index */ + result.terms.emplace_back( + non_linear_term(variable(it1->wire_index)) * (it1->coeff + it2->coeff)); + ++it1; + ++it2; + } + } + + if (it1 != this->terms.end()) { + result.terms.insert(result.terms.end(), it1, this->terms.end()); + } else { + result.terms.insert(result.terms.end(), it2, other.terms.end()); + } + + return result; + } + non_linear_combination operator-(const non_linear_combination &other) const { + return (*this) + (-other); + } + non_linear_combination operator-() const { + return (*this) * (-field_value_type::one()); + } + + bool operator==(const non_linear_combination &other) const { + + std::vector> thisterms = this->terms; + std::sort(thisterms.begin(), thisterms.end(), + [](non_linear_term a, non_linear_term b) { return a.wire_index < b.wire_index; }); + + std::vector> otherterms = other.terms; + std::sort(otherterms.begin(), otherterms.end(), + [](non_linear_term a, non_linear_term b) { return a.wire_index < b.wire_index; }); + + return (thisterms == otherterms); + } + + bool is_valid(size_t num_variables) const { + /* check that all terms in linear combination are sorted */ + for (std::size_t i = 1; i < terms.size(); ++i) { + if (terms[i - 1].wire_index >= terms[i].wire_index) { + return false; + } + } + + /* check that the variables are in proper range. as the variables + are sorted, it suffices to check the last term */ + if ((--terms.end())->wire_index >= num_variables) { + return false; + } + + return true; + } + }; + + template + non_linear_combination operator*(const typename FieldType::value_type &field_coeff, + const non_linear_combination &lc) { + return lc * field_coeff; + } + + template + non_linear_combination operator+(const typename FieldType::value_type &field_coeff, + const non_linear_combination &lc) { + return non_linear_combination(field_coeff) + lc; + } + + template + non_linear_combination operator-(const typename FieldType::value_type &field_coeff, + const non_linear_combination &lc) { + return non_linear_combination(field_coeff) - lc; + } + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_NON_LINEAR_COMBINATION_HPP diff --git a/include/nil/crypto3/zk/snark/relations/variable.hpp b/include/nil/crypto3/zk/snark/relations/variable.hpp index 823e0b2f6..e687c11f0 100644 --- a/include/nil/crypto3/zk/snark/relations/variable.hpp +++ b/include/nil/crypto3/zk/snark/relations/variable.hpp @@ -47,7 +47,7 @@ namespace nil { /** * Forward declaration. */ - template + template struct linear_combination; /********************************* Variable **********************************/ @@ -67,16 +67,11 @@ namespace nil { /** * Mnemonic typedefs. */ - typedef long integer_coeff_type; typedef std::size_t index_type; index_type index; variable(const index_type index = 0) : index(index) {}; - linear_term operator*(const integer_coeff_type int_coeff) const { - return linear_term(*this)* int_coeff; - } - linear_term operator*(const typename FieldType::value_type &field_coeff) const { return linear_term(*this)* field_coeff; } @@ -98,25 +93,54 @@ namespace nil { return linear_term(*this) * (-FieldType::value_type::one()); } - bool operator==(const variable &other) const { + bool operator==(const variable &other) const { return (this->index == other.index); } }; + template + linear_term operator*(const typename FieldType::value_type &field_coeff, + const variable &var) { + return var * field_coeff; + } + + template + linear_combination operator+(const typename FieldType::value_type &field_coeff, + const variable &var) { + return var + field_coeff; + } + + template + linear_combination operator-(const typename FieldType::value_type &field_coeff, + const variable &var) { + return linear_combination(field_coeff) - var; + } + + /** + * Forward declaration. + */ + template + struct non_linear_term; + + /** + * Forward declaration. + */ + template + struct non_linear_combination; + /** - * A variable represents a formal expression of the form "w^{index}_{rotation}". + * A variable represents a formal expression of the form "w^{wire_index}_{rotation}". */ template class variable { - constexpr static const bool RotationSupport = false; + constexpr static const bool RotationSupport = true; public: /** * Mnemonic typedefs. */ - typedef long integer_coeff_type; typedef std::size_t wire_index_type; enum rotation_type{ pre_previous = -2, @@ -125,26 +149,24 @@ namespace nil { nex, after_next }; - wire_index_type index; + wire_index_type wire_index; rotation_type rotation; - variable(const wire_index_type index = 0, rotation_type rotation = rotation_type::current) : - index(index), rotation(rotation) {}; + variable(const wire_index_type wire_index, rotation_type rotation = rotation_type::current) : + wire_index(wire_index), rotation(rotation) {}; - linear_term operator*(const integer_coeff_type int_coeff) const { - return linear_term(*this) * int_coeff; + non_linear_term operator^(const std::size_t power) const { + return non_linear_term(*this) ^ power; } - // non_linear_term operator^(const integer_coeff_type power) const { - // return non_linear_term(*this, power); - // } - - linear_term operator*(const typename FieldType::value_type &field_coeff) const { - return linear_term(*this) * field_coeff; + non_linear_term operator*( + const typename FieldType::value_type &field_coeff) const { + return non_linear_term(*this) * field_coeff; } - linear_combination operator+(const linear_combination &other) const { - linear_combination result; + non_linear_combination operator+( + const non_linear_combination &other) const { + non_linear_combination result; result.add_term(*this); result.terms.insert(result.terms.begin(), other.terms.begin(), other.terms.end()); @@ -152,54 +174,38 @@ namespace nil { return result; } - linear_combination operator-(const linear_combination &other) const { + non_linear_combination operator-( + const non_linear_combination &other) const { return (*this) + (-other); } - linear_term operator-() const { - return linear_term(*this) * ( -FieldType::value_type::one()); + non_linear_term operator-() const { + return non_linear_term(*this) * ( -FieldType::value_type::one()); } - bool operator==(const variable &other) const { - return ((this->index == other.index) && (this->rotation == other.rotation)); + bool operator==(const variable &other) const { + return ((this->wire_index == other.wire_index) && (this->rotation == other.rotation)); } }; - template - linear_term operator*(const typename variable::integer_coeff_type int_coeff, - const variable &var) { - return var * int_coeff; - } - - template - linear_term operator*(const typename FieldType::value_type &field_coeff, - const variable &var) { + template + non_linear_term operator*(const typename FieldType::value_type &field_coeff, + const variable &var) { return var * field_coeff; } - template - linear_combination operator+(const typename variable::integer_coeff_type int_coeff, - const variable &var) { - return var + int_coeff; - } - - template - linear_combination operator+(const typename FieldType::value_type &field_coeff, - const variable &var) { + template + non_linear_combination operator+(const typename FieldType::value_type &field_coeff, + const variable &var) { return var + field_coeff; } - template - linear_combination operator-(const typename variable::integer_coeff_type int_coeff, - const variable &var) { - return linear_combination(int_coeff) - var; + template + non_linear_combination operator-(const typename FieldType::value_type &field_coeff, + const variable &var) { + return non_linear_combination(field_coeff) - var; } - template - linear_combination operator-(const typename FieldType::value_type &field_coeff, - const variable &var) { - return linear_combination(field_coeff) - var; - } } // namespace snark } // namespace zk } // namespace crypto3 From cab24f03697621e6d7cb00ce01e7738df39171e7 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Mon, 22 Nov 2021 16:11:57 +0300 Subject: [PATCH 020/219] Non linear combination implementation updated. --- .../zk/snark/relations/linear_combination.hpp | 38 ++--- .../relations/non_linear_combination.hpp | 133 +++++++----------- .../crypto3/zk/snark/relations/variable.hpp | 5 + 3 files changed, 74 insertions(+), 102 deletions(-) diff --git a/include/nil/crypto3/zk/snark/relations/linear_combination.hpp b/include/nil/crypto3/zk/snark/relations/linear_combination.hpp index 97cabe3c0..9ea5751c3 100644 --- a/include/nil/crypto3/zk/snark/relations/linear_combination.hpp +++ b/include/nil/crypto3/zk/snark/relations/linear_combination.hpp @@ -74,15 +74,15 @@ namespace nil { return result; } - linear_combination operator+( - const linear_combination &other) const { - return linear_combination(*this) + other; - } + // linear_combination operator+( + // const linear_combination &other) const { + // return linear_combination(*this) + other; + // } - linear_combination operator-( - const linear_combination &other) const { - return (*this) + (-other); - } + // linear_combination operator-( + // const linear_combination &other) const { + // return (*this) + (-other); + // } linear_term operator-() const { return linear_term(this->index) *(-this->coeff); @@ -99,17 +99,17 @@ namespace nil { return lt * field_coeff; } - template - linear_combination operator+(const typename FieldType::value_type &field_coeff, - const linear_term <) { - return linear_combination(field_coeff) + lt; - } - - template - linear_combination operator-(const typename FieldType::value_type &field_coeff, - const linear_term <) { - return linear_combination(field_coeff) - lt; - } + // template + // linear_combination operator+(const typename FieldType::value_type &field_coeff, + // const linear_term <) { + // return linear_combination(field_coeff) + lt; + // } + + // template + // linear_combination operator-(const typename FieldType::value_type &field_coeff, + // const linear_term <) { + // return linear_combination(field_coeff) - lt; + // } /***************************** Linear combination ****************************/ diff --git a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp index 1faaed643..e38a42482 100644 --- a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp +++ b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp @@ -98,8 +98,19 @@ namespace nil { } bool operator==(const non_linear_term &other) const { + std::sort(vars.begin(), vars.end()); return (this->vars == other.vars && this->coeff == other.coeff); } + + void sort(){ + + } + + bool operator<(const non_linear_term &other) { + this->sort(); + other.sort(); + return (this->vars < other.vars || ((this->vars == other.vars) && (this->coeff < other.coeff))); + } }; template @@ -109,19 +120,19 @@ namespace nil { return nlt * field_coeff; } - template - non_linear_combination operator+( - const typename FieldType::value_type &field_coeff, - const non_linear_term &nlt) { - return non_linear_combination(field_coeff) + nlt; - } + // template + // non_linear_combination operator+( + // const typename FieldType::value_type &field_coeff, + // const non_linear_term &nlt) { + // return non_linear_combination(field_coeff) + nlt; + // } - template - non_linear_combination operator-( - const typename FieldType::value_type &field_coeff, - const non_linear_term &nlt) { - return non_linear_combination(field_coeff) - nlt; - } + // template + // non_linear_combination operator-( + // const typename FieldType::value_type &field_coeff, + // const non_linear_term &nlt) { + // return non_linear_combination(field_coeff) - nlt; + // } /***************************** Linear combination ****************************/ @@ -148,26 +159,9 @@ namespace nil { non_linear_combination(const non_linear_term &nlt) { this->add_term(nlt); } - // non_linear_combination(const std::vector> &all_terms) { - // if (all_terms.empty()) { - // return; - // } - - // terms = all_terms; - // std::sort(terms.begin(), terms.end(), - // [](non_linear_term a, - // non_linear_term b) { return a.index < b.index; }); - - // auto result_it = terms.begin(); - // for (auto it = ++terms.begin(); it != terms.end(); ++it) { - // if (it->index == result_it->index) { - // result_it->coeff += it->coeff; - // } else { - // *(++result_it) = *it; - // } - // } - // terms.resize((result_it - terms.begin()) + 1); - // } + non_linear_combination(const std::vector> &terms): + terms(terms) { + } /* for supporting range-based for loops over non_linear_combination */ typename std::vector>::const_iterator begin() const { @@ -188,10 +182,11 @@ namespace nil { this->terms.emplace_back(nlt); } + template field_value_type evaluate(std::size_t row_index, - const std::vector> &assignment) const { + const std::array, WiresAmount> &assignment) const { field_value_type acc = field_value_type::zero(); - for (auto &nlt : terms) { + for (non_linear_combination &nlt : terms) { field_value_type term_value = nlt.coeff; for (variable &var: nlt.vars){ @@ -211,37 +206,13 @@ namespace nil { } return result; } + non_linear_combination operator+(const non_linear_combination &other) const { non_linear_combination result; - auto it1 = this->terms.begin(); - auto it2 = other.terms.begin(); - - /* invariant: it1 and it2 always point to unprocessed items in the corresponding linear - * combinations - */ - while (it1 != this->terms.end() && it2 != other.terms.end()) { - if (it1->wire_index < it2->wire_index) { - result.terms.emplace_back(*it1); - ++it1; - } else if (it1->wire_index > it2->wire_index) { - result.terms.emplace_back(*it2); - ++it2; - } else { - /* it1->wire_index == it2->wire_index */ - result.terms.emplace_back( - non_linear_term(variable(it1->wire_index)) * (it1->coeff + it2->coeff)); - ++it1; - ++it2; - } - } - - if (it1 != this->terms.end()) { - result.terms.insert(result.terms.end(), it1, this->terms.end()); - } else { - result.terms.insert(result.terms.end(), it2, other.terms.end()); - } - + result.terms.insert(result.terms.end(), this->terms.begin(), this->terms.end()); + result.terms.insert(result.terms.end(), other.terms.begin(), other.terms.end()); + return result; } non_linear_combination operator-(const non_linear_combination &other) const { @@ -251,34 +222,30 @@ namespace nil { return (*this) * (-field_value_type::one()); } - bool operator==(const non_linear_combination &other) const { + bool sort(){ + std::sort(terms.begin(), terms.end()); + std::vector new_terms; - std::vector> thisterms = this->terms; - std::sort(thisterms.begin(), thisterms.end(), - [](non_linear_term a, non_linear_term b) { return a.wire_index < b.wire_index; }); + if (terms.size()){ + new_terms.push_back(term[0]); - std::vector> otherterms = other.terms; - std::sort(otherterms.begin(), otherterms.end(), - [](non_linear_term a, non_linear_term b) { return a.wire_index < b.wire_index; }); + for (std::size_t i = 1; i < terms.size(); i++){ + if (terms[i].vars == terms[i-1].vars){ + (new_terms.end() - 1)->coeff+=terms[i].coeff; + } else { + new_terms.push_back(term[i]) + } + } + } - return (thisterms == otherterms); } - bool is_valid(size_t num_variables) const { - /* check that all terms in linear combination are sorted */ - for (std::size_t i = 1; i < terms.size(); ++i) { - if (terms[i - 1].wire_index >= terms[i].wire_index) { - return false; - } - } + bool operator==(const non_linear_combination &other) { - /* check that the variables are in proper range. as the variables - are sorted, it suffices to check the last term */ - if ((--terms.end())->wire_index >= num_variables) { - return false; - } + this->sort(); + other.sort(); - return true; + return (thisterms == otherterms); } }; diff --git a/include/nil/crypto3/zk/snark/relations/variable.hpp b/include/nil/crypto3/zk/snark/relations/variable.hpp index e687c11f0..395a0fd06 100644 --- a/include/nil/crypto3/zk/snark/relations/variable.hpp +++ b/include/nil/crypto3/zk/snark/relations/variable.hpp @@ -186,6 +186,11 @@ namespace nil { bool operator==(const variable &other) const { return ((this->wire_index == other.wire_index) && (this->rotation == other.rotation)); } + + bool operator<(const variable &other) const { + return ((this->wire_index < other.wire_index) || + ((this->wire_index == other.wire_index) && (this->rotation < other.rotation))); + } }; template From d8158279a4b88bb2fcaeed869d7121ed134ecaea Mon Sep 17 00:00:00 2001 From: nkaskov Date: Wed, 24 Nov 2021 01:13:26 +0300 Subject: [PATCH 021/219] PLONK constraint system inited. #20 --- .../constraint_satisfaction_problems/r1cs.hpp | 6 +- .../zk/snark/relations/plonk/plonk.hpp | 100 ++++++++++++++++++ .../crypto3/zk/snark/relations/variable.hpp | 2 +- .../r1cs_gg_ppzksnark/r1cs_gg_ppzksnark.cpp | 2 +- 4 files changed, 105 insertions(+), 5 deletions(-) create mode 100644 include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp diff --git a/include/nil/crypto3/zk/snark/relations/constraint_satisfaction_problems/r1cs.hpp b/include/nil/crypto3/zk/snark/relations/constraint_satisfaction_problems/r1cs.hpp index 4dda53c7f..f8d989671 100644 --- a/include/nil/crypto3/zk/snark/relations/constraint_satisfaction_problems/r1cs.hpp +++ b/include/nil/crypto3/zk/snark/relations/constraint_satisfaction_problems/r1cs.hpp @@ -31,8 +31,8 @@ // Above, R1CS stands for "Rank-1 Constraint System". //---------------------------------------------------------------------------// -#ifndef CRYPTO3_ZK_R1CS_HPP -#define CRYPTO3_ZK_R1CS_HPP +#ifndef CRYPTO3_ZK_R1CS_CONSTRAINT_SYSTEM_HPP +#define CRYPTO3_ZK_R1CS_CONSTRAINT_SYSTEM_HPP #include #include @@ -226,4 +226,4 @@ namespace nil { } // namespace crypto3 } // namespace nil -#endif // CRYPTO3_R1CS_HPP +#endif // CRYPTO3_ZK_R1CS_CONSTRAINT_SYSTEM_HPP diff --git a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp new file mode 100644 index 000000000..2803fbc3c --- /dev/null +++ b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp @@ -0,0 +1,100 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// +// @file Declaration of interfaces for: +// +// - a PLONK gate, +// - a PLONK variable assignment, and +// - a PLONK constraint system. +// +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_PLONK_CONSTRAINT_SYSTEM_HPP +#define CRYPTO3_ZK_PLONK_CONSTRAINT_SYSTEM_HPP + +#include +#include + +#include +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + + /************************* PLONK constraint ***********************************/ + + template + using plonk_constraint = non_linear_combination; + + /************************* PLONK variable assignment **************************/ + + template + using plonk_variable_assignment = std::array, WiresAmount>; + + /************************* PLONK constraint system ****************************/ + + template + struct plonk_constraint_system { + + std::vector> constraints; + + plonk_constraint_system(){ + } + + constexpr std::size_t num_wires() const { + return WiresAmount; + } + + std::size_t num_constraints() const { + return constraints.size(); + } + + bool is_satisfied(plonk_variable_assignment full_variable_assignment) const { + + for (std::size_t c = 0; c < constraints.size(); ++c) { + if(!constraints[c].a.evaluate(full_variable_assignment).is_zero()) { + return false; + } + } + + return true; + } + + void add_constraint(const plonk_constraint &c) { + constraints.emplace_back(c); + } + + bool operator==(const plonk_constraint_system &other) const { + return (this->constraints == other.constraints); + } + }; + + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_PLONK_CONSTRAINT_SYSTEM_HPP diff --git a/include/nil/crypto3/zk/snark/relations/variable.hpp b/include/nil/crypto3/zk/snark/relations/variable.hpp index 395a0fd06..ec1ae5841 100644 --- a/include/nil/crypto3/zk/snark/relations/variable.hpp +++ b/include/nil/crypto3/zk/snark/relations/variable.hpp @@ -152,7 +152,7 @@ namespace nil { wire_index_type wire_index; rotation_type rotation; - variable(const wire_index_type wire_index, rotation_type rotation = rotation_type::current) : + constexpr variable(const wire_index_type wire_index, rotation_type rotation = rotation_type::current) : wire_index(wire_index), rotation(rotation) {}; non_linear_term operator^(const std::size_t power) const { diff --git a/test/systems/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark.cpp b/test/systems/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark.cpp index 1efdc4a79..0fae3292d 100644 --- a/test/systems/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark.cpp +++ b/test/systems/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark.cpp @@ -61,7 +61,7 @@ void run_r1cs_gg_ppzksnark_basic_test(std::size_t num_constraints, std::size_t i BOOST_AUTO_TEST_SUITE(r1cs_gg_ppzksnark_test_suite) BOOST_AUTO_TEST_CASE(r1cs_gg_ppzksnark_basic_test) { - run_r1cs_gg_ppzksnark_basic_test>(1000, 100); + run_r1cs_gg_ppzksnark_basic_test>(100, 10); } BOOST_AUTO_TEST_SUITE_END() From 6b8126d4e0eabb4f1480627b15b5ba644d240d18 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Mon, 29 Nov 2021 12:53:31 +0300 Subject: [PATCH 022/219] PLONK constraint system to polynomials conversion added. Redshift prover updated to use stable math polynom interface. #20 --- .../zk/snark/relations/plonk/plonk.hpp | 30 +++++++++++++++++++ .../snark/systems/plonk/redshift/prover.hpp | 6 ++-- 2 files changed, 32 insertions(+), 4 deletions(-) diff --git a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp index 2803fbc3c..0deeaf17d 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp @@ -83,6 +83,36 @@ namespace nil { return true; } + std::vector> get_polynoms( + plonk_variable_assignment full_variable_assignment){ + + std::vector> result(constraints.size()); + + std::array, WiresAmount> wire_polynomials; + for (std::size_t wire_index = 0; wire_index < WiresAmount; wire_index++){ + wire_polynomials[wire_index] = math::polynomial::Lagrange_interpolation(full_variable_assignment[wire_index]); + } + + for (std::size_t constraint_index = 0; i < constraints.size(); constraint_index++){ + + for (auto &term: constraints[constraint_index].terms){ + + math::polynomial::polynom + term_polynom = {term.coeff}; + + // TODO: Rotation isn't taken into consideration + for (auto &var: term.vars){ + term_polynom *= wire_polynomials[var.index]; + } + + result[constraint_index] += term_polynom; + } + } + + return result; + + } + void add_constraint(const plonk_constraint &c) { constraints.emplace_back(c); } diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 3f27560bf..241b2457c 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -95,10 +95,8 @@ namespace nil { std::vector> p(N_perm); std::vector> q(N_perm); - math::polynomial::polynom p1 = - math::polynomial::polynom::one(); - math::polynomial::polynom q1 = - math::polynomial::polynom::one(); + math::polynomial::polynom p1 = {1}; + math::polynomial::polynom q1 = {1}; for (std::size_t j = 0; j < N_perm; j++) { p.push_back(f[j] + beta * S_id[j] + gamma); From b8e6017278ac2a369be68009187a4e918ee148cb Mon Sep 17 00:00:00 2001 From: nkaskov Date: Thu, 9 Dec 2021 08:09:08 +0300 Subject: [PATCH 023/219] Redshift implementation updated. #20 --- .../zk/snark/relations/plonk/plonk.hpp | 12 ++ .../systems/plonk/redshift/preprocessor.hpp | 61 ++++++++ .../snark/systems/plonk/redshift/prover.hpp | 141 ++++++++++++------ .../zk/snark/systems/plonk/redshift/types.hpp | 33 +++- .../snark/systems/plonk/redshift/verifier.hpp | 3 + 5 files changed, 202 insertions(+), 48 deletions(-) create mode 100644 include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp diff --git a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp index 0deeaf17d..764e0f61d 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp @@ -83,6 +83,18 @@ namespace nil { return true; } + std::vector<...> get_copy_constraints(){ + + } + + std::vector<...> get_selectors(){ + + } + + std::vector<...> get_lookups(){ + + } + std::vector> get_polynoms( plonk_variable_assignment full_variable_assignment){ diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp new file mode 100644 index 000000000..efe0b81ce --- /dev/null +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp @@ -0,0 +1,61 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_PLONK_REDSHIFT_PREPROCESSOR_HPP +#define CRYPTO3_ZK_PLONK_REDSHIFT_PREPROCESSOR_HPP + +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + + template + class redshift_preprocessor { + typedef detail::redshift_types types_policy; + + public: + static inline typename types_policy::preprocessed_data_type + process(const typename types_policy::constraint_system_type &constraint_system, + const typename types_policy::variable_assignment_type &assignments) { + + typename types_policy::preprocessed_data_type data; + + data.selectors = constraint_system.get_selectors(); + ... copy_constraints = constraint_system.get_copy_constraints(); + + data.permutations = ...(copy_constraints); + data.identity_permutations = ...(copy_constraints); + + data.Lagrange_basis = math::polynomial::Lagrange_basis(data.omega, ...(assignments).n); + } + }; + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_PLONK_REDSHIFT_PREPROCESSOR_HPP diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 241b2457c..47cf71954 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -26,18 +26,22 @@ #ifndef CRYPTO3_ZK_PLONK_REDSHIFT_PROVER_HPP #define CRYPTO3_ZK_PLONK_REDSHIFT_PROVER_HPP +#include + #include #include +#include namespace nil { namespace crypto3 { namespace zk { namespace snark { - template + template class redshift_prover { - using types_policy = redshift_types_policy; + using types_policy = redshift_types_policy; using transcript_manifest = types_policy::prover_fiat_shamir_heuristic_manifest<6>; typedef hashes::sha2<256> merkle_hash_type; @@ -45,9 +49,6 @@ namespace nil { typedef typename merkletree::MerkleTree merkle_tree_type; - constexpr static const std::size_t k = ...; - constexpr static const std::size_t r = ...; - constexpr static const typename FieldType::value_type omega = algebra::get_root_of_unity() typedef list_polynomial_commitment_scheme - process(const types_policy::proving_key_type &proving_key, - const types_policy::primary_input_type &primary_input, - const types_policy::auxiliary_input_type &auxiliary_input) { + process(const types_policy::preprocessed_data_type data, + const typename types_policy::constraint_system_type &constraint_system, + const typename types_policy::variable_assignment_type &assignments) { - std::size_t N_wires = primary_input.size() + auxiliary_input.size(); - std::size_t N_perm = ...; - std::size_t N_sel = ...; + std::size_t N_wires = WiresAmount; + std::size_t N_perm = data.permutations.size(); + std::size_t N_sel = data.selectors.size(); std::size_t N_const = ...; fiat_shamir_heuristic transcript; @@ -69,35 +70,62 @@ namespace nil { ... setup_values = ...; transcript(setup_values); - std::vector> f(N_wires); + // 2 - Define new witness polynomials + // and 3 - Add commitments to fi to transcript + std::vector> f = + constraint_system.get_polynoms(assignments); std::vector f_trees; std::vector f_commitments; for (std::size_t i = 0; i < N_wires; i++) { - f.push_back(proving_key.f[i] + choose_h_i() * proving_key.Z(x)); + f[i] = f[i] + choose_h_i() * proving_key.Z(x); f_trees.push_back(lpc::commit(f[i])); f_commitments[i].push_back(f_trees[i].root()); transcript(f_commitments[i]); } - typename transcript_hash_type::digest_type beta_bytes = - transcript.get_challenge(); + // 4 + typename FieldType::value_type teta = + transcript.get_challenge(); + + // 5 + // A(teta) + std::vector A; + // S(teta) + std::vector S; + + // 6 + math::polynomial::polynom A1; + math::polynomial::polynom S1; + + // 7 + merkle_tree_type A1_tree = lpc::commit(A1); + merkle_tree_type P1_tree = lpc::commit(P1); + typename lpc::commitment_type A1_commitment = A1_tree.root(); + typename lpc::commitment_type P1_commitment = P1_tree.root(); - typename transcript_hash_type::digest_type gamma_bytes = - transcript.get_challenge(); + transcript(A1_commitment); + transcript(P1_commitment); + // 8 typename FieldType::value_type beta = - algebra::marshalling(beta_bytes); + transcript.get_challenge(); + typename FieldType::value_type gamma = - algebra::marshalling(gamma_bytes); + transcript.get_challenge(); + // 9 + // and 10 std::vector> p(N_perm); std::vector> q(N_perm); math::polynomial::polynom p1 = {1}; math::polynomial::polynom q1 = {1}; + std::vector &S_sigma = data.permutations; + std::vector &S_id = data.identity_permutations; + for (std::size_t j = 0; j < N_perm; j++) { p.push_back(f[j] + beta * S_id[j] + gamma); q.push_back(f[j] + beta * S_sigma[j] + gamma); @@ -106,6 +134,7 @@ namespace nil { q1 *= q[j]; } + // 11 std::vector> P_interpolation_points(n + 1); @@ -113,19 +142,20 @@ namespace nil { typename FieldType::value_type>> Q_interpolation_points(n + 1); - P_interpolation_points.push_back(std::make_pair(proving_key.omega, 1)); + P_interpolation_points.push_back(std::make_pair(data.omega, 1)); for (std::size_t i = 2; i <= n + 1; i++) { + typename FieldType::value_type P_mul_result = typename FieldType::one(); typename FieldType::value_type Q_mul_result = typename FieldType::one(); for (std::size_t j = 1; j < i; j++) { - P_mul_result *= p1(proving_key.omega.pow(i)); - Q_mul_result *= q1(proving_key.omega.pow(i)); + P_mul_result *= p1(data.omega.pow(i)); + Q_mul_result *= q1(data.omega.pow(i)); } - P_interpolation_points.push_back(std::make_pair(proving_key.omega.pow(i), P_mul_result)); - Q_interpolation_points.push_back(std::make_pair(proving_key.omega.pow(i), Q_mul_result)); + P_interpolation_points.push_back(std::make_pair(data.omega.pow(i), P_mul_result)); + Q_interpolation_points.push_back(std::make_pair(data.omega.pow(i), Q_mul_result)); } math::polynomial::polynom P = @@ -133,6 +163,7 @@ namespace nil { math::polynomial::polynom Q = math::polynomial::Lagrange_interpolation(Q_interpolation_points); + // 12 merkle_tree_type P_tree = lpc::commit(P); merkle_tree_type Q_tree = lpc::commit(Q); typename lpc::commitment_type P_commitment = P_tree.root(); @@ -141,40 +172,68 @@ namespace nil { transcript(P_commitment); transcript(Q_commitment); + // 13 + ... V = ...; + + // 14 + transcript(lpc::commit(V).root()); + + // 15 std::array alphas; for (std::size_t i = 0; i < 6; i++) { - typename transcript_hash_type::digest_type alpha_bytes = - transcript.get_challenge(); - alphas[i] = (algebra::marshalling(alpha_bytes)); + alphas[i] = + transcript.get_challenge(); } - std::array, 6> F; - F[0] = proving_key.L_basis[1] * (P - 1); - F[1] = proving_key.L_basis[1] * (Q - 1); + // 16 + typename FieldType::value_type tau = + transcript.get_challenge(); + + // 17 + // and 21 + std::size_t N_T = N_perm; + std::vector> gates(N_sel); + for (std::size_t i = 0; i < N_sel; i++) { + gates[i] = [0]; + for (std::size_t j = 0; j < ...; j++){ + gates[i] += data.constraints[j][i] * tau.pow(...); + } + + gates[i] *= data.selectors[i]; + + N_T = std::max(N_T, gates[i].degree() - 1); + } + + // 18 + std::array, 11> F; + F[0] = proving_key.Lagrange_basis[1] * (P - 1); + F[1] = proving_key.Lagrange_basis[1] * (Q - 1); F[2] = P * p_1 - (P << 1); F[3] = Q * q_1 - (Q << 1); - F[4] = proving_key.L_basis[n] * ((P << 1) - (Q << 1)); - F[5] = proving_key.PI; + F[4] = proving_key.Lagrange_basis[n] * ((P << 1) - (Q << 1)); + F[5] = data.PI; for (std::size_t i = 0; i < N_sel; i++) { - F[5] += q[i] * ....gate[i]; + F[5] += gates[i]; } - for (std::size_t i = 0; i < N_const; i++) { - F[5] += proving_key.f_c[i]; - } + // 19 + ... + // 20 math::polynomial::polynom F_consolidated = 0; - for (std::size_t i = 0; i < 6; i++) { + for (std::size_t i = 0; i < 11; i++) { F_consolidated += a[i] * F[i]; } math::polynomial::polynom T_consolidated = F_consolidated / Z; - std::vector> T(N_perm + 1); + // 22 + std::vector> T(N_T); T = separate_T(T_consolidated); + // 23 std::vector T_trees; std::vector T_commitments; @@ -183,11 +242,8 @@ namespace nil { T_commitments.push_back(T_trees[i].root()); } - typename transcript_hash_type::digest_type upsilon_bytes = - transcript.get_challenge(); - typename FieldType::value_type upsilon = - algebra::marshalling(upsilon_bytes); + transcript.get_challenge(); std::array fT_evaluation_points = {upsilon}; @@ -215,6 +271,7 @@ namespace nil { std::move(Q_lpc_proof), std::move(T_lpc_proofs)); return proof; + } } }; } // namespace snark diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp index 63b2a869e..0374915b6 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp @@ -29,13 +29,16 @@ #ifndef CRYPTO3_PLONK_REDSHIFT_TYPES_POLICY_HPP #define CRYPTO3_PLONK_REDSHIFT_TYPES_POLICY_HPP +#include +#include + namespace nil { namespace crypto3 { namespace zk { namespace snark { namespace detail { - template + template struct redshift_types_policy { /******************************** Params ********************************/ @@ -44,25 +47,25 @@ namespace nil { * Below are various template aliases (used for convenience). */ - typedef plonk_constraint_system constraint_system_type; + typedef plonk_constraint_system constraint_system_type; - typedef plonk_primary_input primary_input_type; + typedef plonk_primary_input primary_input_type; - typedef plonk_auxiliary_input auxiliary_input_type; + typedef plonk_auxiliary_input auxiliary_input_type; /******************************** Proving key ********************************/ /** * A proving key for the Redshift cheme. */ - typedef redshift_proving_key proving_key_type; + typedef redshift_proving_key proving_key_type; /******************************* Verification key ****************************/ /** * A verification key for the Redshift cheme. */ - typedef redshift_verification_key verification_key_type; + typedef redshift_verification_key verification_key_type; /********************************** Key pair *********************************/ @@ -83,6 +86,24 @@ namespace nil { template typedef redshift_proof proof_type; + template + struct preprocessed_data_type { + + constexpr static const typename FieldType::value_type omega = + math::unity_root(get_power_of_two(k)); + + std::vector selectors; + // S_sigma + std::vector permutations; + // S_id + std::vector identity_permutations; + // c + std::vector constraints; + + std::vector Lagrange_basis; + + }; + template struct prover_fiat_shamir_heuristic_manifest { enum challenges_ids { beta, gamma, alpha, upsilon = alpha + AlphasAmount }; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp index 9cbf13304..06f69c12c 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp @@ -26,8 +26,11 @@ #ifndef CRYPTO3_ZK_PLONK_REDSHIFT_VERIFIER_HPP #define CRYPTO3_ZK_PLONK_REDSHIFT_VERIFIER_HPP +#include + #include #include +#include namespace nil { namespace crypto3 { From a335176e8cf605c17024c3342f40fcef0032fa81 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Mon, 13 Dec 2021 13:28:32 +0300 Subject: [PATCH 024/219] Redshift compilation updates. #20 --- CMakeLists.txt | 1 + .../list_polynomial_commitment.hpp | 36 ++++++++------- .../snark/systems/plonk/redshift/prover.hpp | 2 + .../zk/snark/transcript/fiat_shamir.hpp | 17 ++++--- test/CMakeLists.txt | 1 + test/systems/plonk/redshift.cpp | 44 +++++++++++++++++++ 6 files changed, 77 insertions(+), 24 deletions(-) create mode 100644 test/systems/plonk/redshift.cpp diff --git a/CMakeLists.txt b/CMakeLists.txt index 8f6a8cf44..85ac33935 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -161,6 +161,7 @@ target_link_libraries(${CMAKE_WORKSPACE_NAME}_${CURRENT_PROJECT_NAME} INTERFACE ${CMAKE_WORKSPACE_NAME}::math ${CMAKE_WORKSPACE_NAME}::hash ${CMAKE_WORKSPACE_NAME}::multiprecision + ${CMAKE_WORKSPACE_NAME}::containers ) cm_deploy(TARGETS ${CMAKE_WORKSPACE_NAME}_${CURRENT_PROJECT_NAME} diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index 9ea594b76..37bd7c352 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -26,7 +26,11 @@ #ifndef CRYPTO3_ZK_FRI_COMMITMENT_SCHEME_HPP #define CRYPTO3_ZK_FRI_COMMITMENT_SCHEME_HPP -#include +#include +#include + +#include +#include namespace nil { namespace crypto3 { @@ -50,30 +54,32 @@ namespace nil { std::size_t r, std::size_t m=2> class list_polynomial_commitment_scheme { - typedef typename merkletree::MerkleTree merkle_tree_type; - typedef typename merkletree::MerkleProof merkle_proof_type; + typedef Hash transcript_hash_type; + + typedef merkle_tree merkle_tree_type; + typedef merkle_proof merkle_proof_type; constexpr static const math::polynomial::polynom q = {0, 0, 1}; struct transcript_round_manifest { enum challenges_ids {x, y}; - } + }; public: using openning_type = merkle_proof_type; - using commitment_type = typename merkle_tree_type::root_type; + using commitment_type = typename merkle_tree_type::value_type; struct proof_type { std::array z_openings; - std::array, lamda> alpha_openings; - std::array, lamda> f_y_openings; + std::array, lambda> alpha_openings; + std::array, lambda> f_y_openings; - std::array, lamda> f_commitments; + std::array, lambda> f_commitments; - std::array, lambda> + std::array, lambda> f_ip1_coefficients; - } + }; // The result of this function is not commitment_type (as it would expected), // but the built Merkle tree. This is done so, because we often need to reuse @@ -81,10 +87,9 @@ namespace nil { // After this function // result.root(); // should be called - template <...> static merkle_tree_type commit (const math::polynomial::polynom< typename FieldType::value_type> &f, - const std::vector<...> &D){ + const std::vector &D){ std::vector y; for (typename FieldType::value_type H : D){ @@ -94,12 +99,11 @@ namespace nil { return merkle_tree_type(y); } - template <...> static proof_type proof_eval ( std::array evaluation_points, const merkle_tree_type &T, const math::polynomial::polynom &f, - const std::vector<...> &D){ + const std::vector &D){ proof_type proof; @@ -184,13 +188,11 @@ namespace nil { return proof; } - }; - template <...> static bool verify_eval (std::array evaluation_points, commitment_type root, proof_type proof, - const std::vector<...> &D){ + const std::vector &D){ fiat_shamir_heuristic transcript; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 47cf71954..06bb6dd85 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -28,6 +28,8 @@ #include +#include + #include #include #include diff --git a/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp b/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp index a7829dfcd..3fa6878ba 100644 --- a/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp +++ b/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp @@ -26,6 +26,9 @@ #ifndef CRYPTO3_ZK_TRANSCRIPT_FIAT_SHAMIR_HEURISTIC_HPP #define CRYPTO3_ZK_TRANSCRIPT_FIAT_SHAMIR_HEURISTIC_HPP +#include +#include + namespace nil { namespace crypto3 { namespace zk { @@ -53,10 +56,10 @@ namespace nil { * } * }; */ - template + template> class fiat_shamir_heuristic { - accumulators::accumulator_set acc; + accumulator_set acc; public: fiat_shamir_heuristic() { @@ -64,20 +67,20 @@ namespace nil { } template - operator (TAny data){ + void operator() (TAny data){ acc(data); } - template + template typename Hash::digest_type get_challenge(){ acc(ChallengeId); - return extract::hash(acc); + return accumulators::extract::hash(acc); } - template + template typename Hash::digest_type get_challenge(){ acc(ChallengeId + Index); - return extract::hash(acc); + return accumulators::extract::hash(acc); } }; } // namespace snark diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt index 6df650aef..fb7356f04 100644 --- a/test/CMakeLists.txt +++ b/test/CMakeLists.txt @@ -54,6 +54,7 @@ set(TESTS_NAMES "relations/numeric/ssp" "systems/plonk/pickles" + "systems/plonk/redshift" "systems/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/r1cs_mp_ppzkpcd" "systems/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/r1cs_sp_ppzkpcd" diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp new file mode 100644 index 000000000..ebec36552 --- /dev/null +++ b/test/systems/plonk/redshift.cpp @@ -0,0 +1,44 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#define BOOST_TEST_MODULE redshift_test + +#include + +#include +#include +#include + +#include + +using namespace nil::crypto3; + +BOOST_AUTO_TEST_SUITE(redshift_prover_test_suite) + +BOOST_AUTO_TEST_SUITE_END() + +BOOST_AUTO_TEST_SUITE(redshift_proveron_test_suite) + +BOOST_AUTO_TEST_SUITE_END() \ No newline at end of file From 5007272258d904defac7a4fc4e255ada20ea4649 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Mon, 13 Dec 2021 15:09:48 +0300 Subject: [PATCH 025/219] More Redshift compilation updates. #20 --- .../commitments/list_polynomial_commitment.hpp | 4 ++-- .../zk/snark/systems/plonk/redshift/prover.hpp | 15 +++++++-------- .../zk/snark/systems/plonk/redshift/types.hpp | 2 ++ .../zk/snark/systems/plonk/redshift/verifier.hpp | 8 +++++--- 4 files changed, 16 insertions(+), 13 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index 37bd7c352..842d2a28d 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -56,8 +56,8 @@ namespace nil { typedef Hash transcript_hash_type; - typedef merkle_tree merkle_tree_type; - typedef merkle_proof merkle_proof_type; + typedef typename containers::merkle_tree merkle_tree_type; + typedef typename containers::merkle_proof merkle_proof_type; constexpr static const math::polynomial::polynom q = {0, 0, 1}; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 06bb6dd85..fa8fbe065 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -43,18 +43,18 @@ namespace nil { std::size_t lambda, std::size_t k, std::size_t r, std::size_t m=2> class redshift_prover { - using types_policy = redshift_types_policy; + using types_policy = detail::redshift_types_policy; using transcript_manifest = types_policy::prover_fiat_shamir_heuristic_manifest<6>; typedef hashes::sha2<256> merkle_hash_type; typedef hashes::sha2<256> transcript_hash_type; - typedef typename merkletree::MerkleTree merkle_tree_type; + typedef typename containers::merkletree merkle_tree_type; constexpr static const typename FieldType::value_type omega = algebra::get_root_of_unity() typedef list_polynomial_commitment_scheme lpc; + merkle_hash_type, lambda, k, r, m> lpc; public: static inline typename types_policy::proof_type @@ -69,8 +69,8 @@ namespace nil { fiat_shamir_heuristic transcript; - ... setup_values = ...; - transcript(setup_values); + // ... setup_values = ...; + // transcript(setup_values); // 2 - Define new witness polynomials // and 3 - Add commitments to fi to transcript @@ -175,7 +175,7 @@ namespace nil { transcript(Q_commitment); // 13 - ... V = ...; + // ... V = ...; // 14 transcript(lpc::commit(V).root()); @@ -220,7 +220,7 @@ namespace nil { } // 19 - ... + // ... // 20 math::polynomial::polynom F_consolidated = 0; @@ -273,7 +273,6 @@ namespace nil { std::move(Q_lpc_proof), std::move(T_lpc_proofs)); return proof; - } } }; } // namespace snark diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp index 0374915b6..04aeaa4c0 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp @@ -32,6 +32,8 @@ #include #include +#include + namespace nil { namespace crypto3 { namespace zk { diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp index 06f69c12c..956fe678f 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp @@ -40,9 +40,11 @@ namespace nil { template class redshift_verifier { - using types_policy = redshift_types_policy; + using types_policy = detail::redshift_types_policy; using transcript_manifest = types_policy::prover_fiat_shamir_heuristic_manifest<6>; - using constraint_system_type = plonk_constraint_system; + + typedef hashes::sha2<256> merkle_hash_type; + typedef hashes::sha2<256> transcript_hash_type; constexpr static const std::size_t k = ...; constexpr static const std::size_t r = ...; @@ -50,7 +52,7 @@ namespace nil { constexpr static const typename FieldType::value_type omega = algebra::get_root_of_unity() typedef list_polynomial_commitment_scheme lpc; + merkle_hash_type, lambda, k, r, m> lpc; public: static inline bool process(const types_policy::verification_key_type &verification_key, From db1accaa5746f8c2636cdd360d3c3be106e1d128 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Mon, 13 Dec 2021 19:56:16 +0300 Subject: [PATCH 026/219] Redshift implementation updated. #20 --- .../list_polynomial_commitment.hpp | 23 +++--- .../relations/non_linear_combination.hpp | 18 ++--- .../zk/snark/relations/plonk/plonk.hpp | 10 +-- .../systems/plonk/redshift/generator.hpp | 4 +- .../zk/snark/systems/plonk/redshift/proof.hpp | 3 - .../snark/systems/plonk/redshift/prover.hpp | 76 +++++++++++-------- .../systems/plonk/redshift/proving_key.hpp | 53 ------------- .../zk/snark/systems/plonk/redshift/types.hpp | 52 +++++-------- .../plonk/redshift/verification_key.hpp | 52 ------------- .../zk/snark/transcript/fiat_shamir.hpp | 4 +- 10 files changed, 93 insertions(+), 202 deletions(-) delete mode 100644 include/nil/crypto3/zk/snark/systems/plonk/redshift/proving_key.hpp delete mode 100644 include/nil/crypto3/zk/snark/systems/plonk/redshift/verification_key.hpp diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index 842d2a28d..e1b2f866b 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -27,11 +27,13 @@ #define CRYPTO3_ZK_FRI_COMMITMENT_SCHEME_HPP #include -#include +#include #include #include +#include + namespace nil { namespace crypto3 { namespace zk { @@ -122,11 +124,12 @@ namespace nil { } math::polynomial::polynom - U = math::polynomial::Lagrange_interpolation(U_interpolation_points); + U = math::polynomial::lagrange_interpolation(U_interpolation_points); math::polynomial::polynom Q = (f - U); for (std::size_t j = 0; j < k; j++){ + math::polynomial::polynom x = {1}; Q = Q/(x - U_interpolation_points[j]); } @@ -135,19 +138,19 @@ namespace nil { math::polynomial::polynom f_i = Q; typename FieldType::value_type x_i = - transcript.get_challenge(); + transcript.get_challenge(); std::array &alpha_openings = proof.alpha_openings[round_id]; std::array &f_y_openings = proof.f_y_openings[round_id]; std::array &f_commitments = proof.f_commitments[round_id]; - std::array &f_ip1_coefficients = + std::vector &f_ip1_coefficients = proof.f_ip1_coefficients[round_id]; merkle_tree_type &f_i_tree = T; for (std::size_t i = 0; i <= r-1; i++){ typename FieldType::value_type y_i = - transcript.get_challenge(); + transcript.get_challenge(); math::polynomial::polynom sqr_polynom = {y_i, 0, -1}; @@ -166,7 +169,7 @@ namespace nil { } math::polynomial::polynom - p_y_i = math::polynomial::Lagrange_interpolation(p_y_i_interpolation_points); + p_y_i = math::polynomial::lagrange_interpolation(p_y_i_interpolation_points); f_i = p_y_i; @@ -211,7 +214,7 @@ namespace nil { } math::polynomial::polynom - U = math::polynomial::Lagrange_interpolation(U_interpolation_points); + U = math::polynomial::lagrange_interpolation(U_interpolation_points); math::polynomial::polynom Q = (f - U); for (std::size_t j = 0; j < k; j++){ @@ -223,7 +226,7 @@ namespace nil { math::polynomial::polynom f_i = Q; typename FieldType::value_type x_i = - transcript.get_challenge(); + transcript.get_challenge(); std::array &alpha_openings = proof.alpha_openings[round_id]; std::array &f_y_openings = proof.f_y_openings[round_id]; @@ -236,7 +239,7 @@ namespace nil { for (std::size_t i = 0; i <= r-1; i++){ typename FieldType::value_type y_i = - transcript.get_challenge(); + transcript.get_challenge(); math::polynomial::polynom sqr_polynom = {y_i, 0, -1}; std::array s = @@ -255,7 +258,7 @@ namespace nil { } math::polynomial::polynom - p_y_i = math::polynomial::Lagrange_interpolation(p_y_i_interpolation_points); + p_y_i = math::polynomial::lagrange_interpolation(p_y_i_interpolation_points); typename FieldType::value_type f_y_i = algebra::marshalling(f_y_openings[i].leaf); diff --git a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp index e38a42482..098ed35b2 100644 --- a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp +++ b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp @@ -182,7 +182,7 @@ namespace nil { this->terms.emplace_back(nlt); } - template + template field_value_type evaluate(std::size_t row_index, const std::array, WiresAmount> &assignment) const { field_value_type acc = field_value_type::zero(); @@ -222,18 +222,18 @@ namespace nil { return (*this) * (-field_value_type::one()); } - bool sort(){ + void sort(){ std::sort(terms.begin(), terms.end()); - std::vector new_terms; + std::vector> new_terms; if (terms.size()){ - new_terms.push_back(term[0]); + new_terms.push_back(terms[0]); for (std::size_t i = 1; i < terms.size(); i++){ if (terms[i].vars == terms[i-1].vars){ (new_terms.end() - 1)->coeff+=terms[i].coeff; } else { - new_terms.push_back(term[i]) + new_terms.push_back(terms[i]); } } } @@ -245,23 +245,23 @@ namespace nil { this->sort(); other.sort(); - return (thisterms == otherterms); + return (this->terms == other.terms); } }; - template + template non_linear_combination operator*(const typename FieldType::value_type &field_coeff, const non_linear_combination &lc) { return lc * field_coeff; } - template + template non_linear_combination operator+(const typename FieldType::value_type &field_coeff, const non_linear_combination &lc) { return non_linear_combination(field_coeff) + lc; } - template + template non_linear_combination operator-(const typename FieldType::value_type &field_coeff, const non_linear_combination &lc) { return non_linear_combination(field_coeff) - lc; diff --git a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp index 764e0f61d..34dde8eae 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp @@ -83,15 +83,15 @@ namespace nil { return true; } - std::vector<...> get_copy_constraints(){ + std::vector> get_copy_constraints(){ } - std::vector<...> get_selectors(){ + std::vector> get_selectors(){ } - std::vector<...> get_lookups(){ + std::vector> get_lookups(){ } @@ -102,10 +102,10 @@ namespace nil { std::array, WiresAmount> wire_polynomials; for (std::size_t wire_index = 0; wire_index < WiresAmount; wire_index++){ - wire_polynomials[wire_index] = math::polynomial::Lagrange_interpolation(full_variable_assignment[wire_index]); + wire_polynomials[wire_index] = math::polynomial::lagrange_interpolation(full_variable_assignment[wire_index]); } - for (std::size_t constraint_index = 0; i < constraints.size(); constraint_index++){ + for (std::size_t constraint_index = 0; constraint_index < constraints.size(); constraint_index++){ for (auto &term: constraints[constraint_index].terms){ diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/generator.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/generator.hpp index c6c453868..c39787f60 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/generator.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/generator.hpp @@ -119,7 +119,7 @@ namespace nil { interpolation_points.push_back(std::make_pair(omega.pow(j), delta??? * omega.pow(j))); } - S_id[i] = math::polynomial::Lagrange_interpolation(interpolation_points); + S_id[i] = math::polynomial::lagrange_interpolation(interpolation_points); } for (std::size_t i = 0; i < 3; i++) { @@ -131,7 +131,7 @@ namespace nil { std::make_pair(omega.pow(j), delta.pow(i) * omega.pow(j))); } - S_sigma[i] = math::polynomial::Lagrange_interpolation(interpolation_points); + S_sigma[i] = math::polynomial::lagrange_interpolation(interpolation_points); } math::polynomial::polynom Z = polynom_by_zeros(H_star); diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp index e799ccf8a..f1b3e9d5e 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp @@ -26,9 +26,6 @@ #ifndef CRYPTO3_ZK_PLONK_REDSHIFT_PROOF_HPP #define CRYPTO3_ZK_PLONK_REDSHIFT_PROOF_HPP -#include -#include - namespace nil { namespace crypto3 { namespace zk { diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index fa8fbe065..f5229c54a 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -27,9 +27,12 @@ #define CRYPTO3_ZK_PLONK_REDSHIFT_PROVER_HPP #include +#include #include +#include + #include #include #include @@ -44,28 +47,36 @@ namespace nil { class redshift_prover { using types_policy = detail::redshift_types_policy; - using transcript_manifest = types_policy::prover_fiat_shamir_heuristic_manifest<6>; + using transcript_manifest = typename types_policy::template prover_fiat_shamir_heuristic_manifest<11>; typedef hashes::sha2<256> merkle_hash_type; typedef hashes::sha2<256> transcript_hash_type; - typedef typename containers::merkletree merkle_tree_type; + typedef typename containers::merkle_tree merkle_tree_type; - constexpr static const typename FieldType::value_type omega = - algebra::get_root_of_unity() typedef list_polynomial_commitment_scheme lpc; public: - static inline typename types_policy::proof_type - process(const types_policy::preprocessed_data_type data, + static inline typename types_policy::template proof_type + process(const typename types_policy::preprocessed_data_type preprocessed_data, const typename types_policy::constraint_system_type &constraint_system, const typename types_policy::variable_assignment_type &assignments) { std::size_t N_wires = WiresAmount; - std::size_t N_perm = data.permutations.size(); - std::size_t N_sel = data.selectors.size(); - std::size_t N_const = ...; + std::size_t N_perm = preprocessed_data.permutations.size(); + std::size_t N_sel = preprocessed_data.selectors.size(); + // std::size_t N_const = ...; + + std::size_t n = 0; + for(auto &wire_assignments:assignments){ + n = std::max(n, wire_assignments.size()); + } + + std::vector D_0(n); + for (std::size_t power = 1; power<=n; power++){ + D_0.emplace_back(preprocessed_data.omega.pow(power)); + } fiat_shamir_heuristic transcript; @@ -81,7 +92,8 @@ namespace nil { std::vector f_commitments; for (std::size_t i = 0; i < N_wires; i++) { - f[i] = f[i] + choose_h_i() * proving_key.Z(x); + math::polynomial::polynom h; + f[i] = f[i] + h * preprocessed_data.Z; f_trees.push_back(lpc::commit(f[i])); f_commitments[i].push_back(f_trees[i].root()); transcript(f_commitments[i]); @@ -125,8 +137,8 @@ namespace nil { math::polynomial::polynom p1 = {1}; math::polynomial::polynom q1 = {1}; - std::vector &S_sigma = data.permutations; - std::vector &S_id = data.identity_permutations; + std::vector &S_sigma = preprocessed_data.permutations; + std::vector &S_id = preprocessed_data.identity_permutations; for (std::size_t j = 0; j < N_perm; j++) { p.push_back(f[j] + beta * S_id[j] + gamma); @@ -144,7 +156,7 @@ namespace nil { typename FieldType::value_type>> Q_interpolation_points(n + 1); - P_interpolation_points.push_back(std::make_pair(data.omega, 1)); + P_interpolation_points.push_back(std::make_pair(preprocessed_data.omega, 1)); for (std::size_t i = 2; i <= n + 1; i++) { typename FieldType::value_type P_mul_result = @@ -152,18 +164,18 @@ namespace nil { typename FieldType::value_type Q_mul_result = typename FieldType::one(); for (std::size_t j = 1; j < i; j++) { - P_mul_result *= p1(data.omega.pow(i)); - Q_mul_result *= q1(data.omega.pow(i)); + P_mul_result *= p1(preprocessed_data.omega.pow(i)); + Q_mul_result *= q1(preprocessed_data.omega.pow(i)); } - P_interpolation_points.push_back(std::make_pair(data.omega.pow(i), P_mul_result)); - Q_interpolation_points.push_back(std::make_pair(data.omega.pow(i), Q_mul_result)); + P_interpolation_points.push_back(std::make_pair(preprocessed_data.omega.pow(i), P_mul_result)); + Q_interpolation_points.push_back(std::make_pair(preprocessed_data.omega.pow(i), Q_mul_result)); } math::polynomial::polynom P = - math::polynomial::Lagrange_interpolation(P_interpolation_points); + math::polynomial::lagrange_interpolation(P_interpolation_points); math::polynomial::polynom Q = - math::polynomial::Lagrange_interpolation(Q_interpolation_points); + math::polynomial::lagrange_interpolation(Q_interpolation_points); // 12 merkle_tree_type P_tree = lpc::commit(P); @@ -198,22 +210,22 @@ namespace nil { for (std::size_t i = 0; i < N_sel; i++) { gates[i] = [0]; for (std::size_t j = 0; j < ...; j++){ - gates[i] += data.constraints[j][i] * tau.pow(...); + gates[i] += preprocessed_data.constraints[j][i] * tau.pow(...); } - gates[i] *= data.selectors[i]; + gates[i] *= preprocessed_data.selectors[i]; N_T = std::max(N_T, gates[i].degree() - 1); } // 18 std::array, 11> F; - F[0] = proving_key.Lagrange_basis[1] * (P - 1); - F[1] = proving_key.Lagrange_basis[1] * (Q - 1); + F[0] = preprocessed_data.Lagrange_basis[1] * (P - 1); + F[1] = preprocessed_data.Lagrange_basis[1] * (Q - 1); F[2] = P * p_1 - (P << 1); F[3] = Q * q_1 - (Q << 1); - F[4] = proving_key.Lagrange_basis[n] * ((P << 1) - (Q << 1)); - F[5] = data.PI; + F[4] = preprocessed_data.Lagrange_basis[n] * ((P << 1) - (Q << 1)); + F[5] = preprocessed_data.PI; for (std::size_t i = 0; i < N_sel; i++) { F[5] += gates[i]; @@ -249,21 +261,21 @@ namespace nil { std::array fT_evaluation_points = {upsilon}; - std::vector f_lpc_proofs(N_wires); + std::vector f_lpc_proofs(N_wires); for (std::size_t i = 0; i < N_wires; i++){ - f_lpc_proofs.push_back(lpc::proof_eval(fT_evaluation_points, f_trees[i], f[i], ...)); + f_lpc_proofs.push_back(lpc::proof_eval(fT_evaluation_points, f_trees[i], f[i], D_0)); } std::array - PQ_evaluation_points = {upsilon, upsilon * omega}; - lpc::proof P_lpc_proof = lpc::proof_eval(PQ_evaluation_points, P_tree, P, ...); - lpc::proof Q_lpc_proof = lpc::proof_eval(PQ_evaluation_points, Q_tree, Q, ...); + PQ_evaluation_points = {upsilon, upsilon * preprocessed_data.omega}; + typename lpc::proof P_lpc_proof = lpc::proof_eval(PQ_evaluation_points, P_tree, P, D_0); + typename lpc::proof Q_lpc_proof = lpc::proof_eval(PQ_evaluation_points, Q_tree, Q, D_0); - std::vector T_lpc_proofs(N_perm + 1); + std::vector T_lpc_proofs(N_perm + 1); for (std::size_t i = 0; i < N_perm + 1; i++){ - T_lpc_proofs.push_back(lpc::proof_eval(fT_evaluation_points, T_trees[i], T[i], ...)); + T_lpc_proofs.push_back(lpc::proof_eval(fT_evaluation_points, T_trees[i], T[i], D_0)); } typename types_policy::proof_type proof = diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/proving_key.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/proving_key.hpp deleted file mode 100644 index 32aa27e3d..000000000 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/proving_key.hpp +++ /dev/null @@ -1,53 +0,0 @@ -//---------------------------------------------------------------------------// -// Copyright (c) 2021 Mikhail Komarov -// Copyright (c) 2021 Nikita Kaskov -// -// MIT License -// -// Permission is hereby granted, free of charge, to any person obtaining a copy -// of this software and associated documentation files (the "Software"), to deal -// in the Software without restriction, including without limitation the rights -// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -// copies of the Software, and to permit persons to whom the Software is -// furnished to do so, subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -// SOFTWARE. -//---------------------------------------------------------------------------// - -#ifndef CRYPTO3_PLONK_REDSHIFT_PROVING_KEY_HPP -#define CRYPTO3_PLONK_REDSHIFT_PROVING_KEY_HPP - -#include - -namespace nil { - namespace crypto3 { - namespace zk { - namespace snark { - - template - class redshift_proving_key { - using constraint_system_type = plonk_constraint_system; - constexpr static const std::size_t n = ...; - - public: - std::array, 3> S_id; - std::array, 3> S_sigma; - std::array, n> L_basis; - - std::array, 3> f_witness_wire; // witness-wire polynomials f_L, f_R, f_O - }; - } // namespace snark - } // namespace zk - } // namespace crypto3 -} // namespace nil - -#endif // CRYPTO3_PLONK_REDSHIFT_PROVING_KEY_HPP diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp index 04aeaa4c0..b51333125 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp @@ -30,9 +30,11 @@ #define CRYPTO3_PLONK_REDSHIFT_TYPES_POLICY_HPP #include +#include #include #include +#include namespace nil { namespace crypto3 { @@ -51,31 +53,6 @@ namespace nil { typedef plonk_constraint_system constraint_system_type; - typedef plonk_primary_input primary_input_type; - - typedef plonk_auxiliary_input auxiliary_input_type; - - /******************************** Proving key ********************************/ - - /** - * A proving key for the Redshift cheme. - */ - typedef redshift_proving_key proving_key_type; - - /******************************* Verification key ****************************/ - - /** - * A verification key for the Redshift cheme. - */ - typedef redshift_verification_key verification_key_type; - - /********************************** Key pair *********************************/ - - /** - * A key pair for the Redshift cheme, which consists of a proving key and a verification key. - */ - typedef plonk_ppzksnark_keypair keypair_type; - /*********************************** Proof ***********************************/ /** @@ -86,29 +63,36 @@ namespace nil { * about the structure for statistics purposes. */ template - typedef redshift_proof proof_type; + using proof_type = redshift_proof; template struct preprocessed_data_type { constexpr static const typename FieldType::value_type omega = - math::unity_root(get_power_of_two(k)); + math::unity_root(math::detail::get_power_of_two(k)); - std::vector selectors; + std::vector> selectors; // S_sigma - std::vector permutations; + std::vector> permutations; // S_id - std::vector identity_permutations; + std::vector> identity_permutations; // c - std::vector constraints; + std::vector> constraints; - std::vector Lagrange_basis; + std::vector> Lagrange_basis; + + math::polynomial::polynom Z; }; - template + template struct prover_fiat_shamir_heuristic_manifest { - enum challenges_ids { beta, gamma, alpha, upsilon = alpha + AlphasAmount }; + enum challenges_ids { + beta, + gamma, + alpha, + upsilon = alpha + AlphasAmount + }; }; }; } // namespace detail diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verification_key.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verification_key.hpp deleted file mode 100644 index 9748fe034..000000000 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verification_key.hpp +++ /dev/null @@ -1,52 +0,0 @@ -//---------------------------------------------------------------------------// -// Copyright (c) 2021 Mikhail Komarov -// Copyright (c) 2021 Nikita Kaskov -// -// MIT License -// -// Permission is hereby granted, free of charge, to any person obtaining a copy -// of this software and associated documentation files (the "Software"), to deal -// in the Software without restriction, including without limitation the rights -// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -// copies of the Software, and to permit persons to whom the Software is -// furnished to do so, subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -// SOFTWARE. -//---------------------------------------------------------------------------// - -#ifndef CRYPTO3_PLONK_REDSHIFT_VERIFICATION_KEY_HPP -#define CRYPTO3_PLONK_REDSHIFT_VERIFICATION_KEY_HPP - -#include - -namespace nil { - namespace crypto3 { - namespace zk { - namespace snark { - - template - class redshift_verification_key { - using constraint_system_type = plonk_constraint_system; - - public: - std::array, 3> S_id; - std::array, 3> S_sigma; - std::array, n> L_basis; - - math::polynom<...> PI; // public inputs polynomial - }; - } // namespace snark - } // namespace zk - } // namespace crypto3 -} // namespace nil - -#endif // CRYPTO3_PLONK_REDSHIFT_VERIFICATION_KEY_HPP diff --git a/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp b/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp index 3fa6878ba..6db447632 100644 --- a/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp +++ b/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp @@ -71,13 +71,13 @@ namespace nil { acc(data); } - template + template typename Hash::digest_type get_challenge(){ acc(ChallengeId); return accumulators::extract::hash(acc); } - template + template typename Hash::digest_type get_challenge(){ acc(ChallengeId + Index); return accumulators::extract::hash(acc); From e235d30cacfb2428294aa11585353fb952a073f6 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Mon, 13 Dec 2021 21:01:15 +0300 Subject: [PATCH 027/219] Redshift implementation updated. #20 --- .../list_polynomial_commitment.hpp | 55 ++++++++++--------- .../snark/systems/plonk/redshift/prover.hpp | 50 +++++++++-------- 2 files changed, 55 insertions(+), 50 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index e1b2f866b..3f7a375c1 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -138,7 +138,7 @@ namespace nil { math::polynomial::polynom f_i = Q; typename FieldType::value_type x_i = - transcript.get_challenge(); + transcript.template get_challenge(); std::array &alpha_openings = proof.alpha_openings[round_id]; std::array &f_y_openings = proof.f_y_openings[round_id]; @@ -150,12 +150,12 @@ namespace nil { for (std::size_t i = 0; i <= r-1; i++){ typename FieldType::value_type y_i = - transcript.get_challenge(); + transcript.template get_challenge(); math::polynomial::polynom sqr_polynom = {y_i, 0, -1}; - std::array s = - math::polynomial::get_roots(sqr_polynom); + std::array s ; + // = math::polynomial::get_roots(sqr_polynom); std::array, m> p_y_i_interpolation_points; @@ -177,14 +177,14 @@ namespace nil { std::size_t leaf_index = std::find(D.begin(), D.end(), y_i) - D.begin(); f_y_openings[i] = merkle_proof_type(f_i_tree, leaf_index); - x = q.evaluate(x); + x_i = q.evaluate(x_i); if (i < r - 1){ - f_i_tree = commit(f_i, D_ip1); + f_i_tree = commit(f_i, D); f_commitments[i] = f_i_tree.root(); transcript(f_commitments[i]); } else { - f_ip1_coefficients = math::polynomial::get_coefficients(f_i); + f_ip1_coefficients = f_i; } } } @@ -204,8 +204,8 @@ namespace nil { typename FieldType::value_type>, k> U_interpolation_points; for (std::size_t j = 0; j < k; j++){ - typename FieldType::value_type z_j = - algebra::marshalling(z_openings[j].leaf); + typename FieldType::value_type z_j ; + // = algebra::marshalling(z_openings[j].leaf); if (!z_openings[j].validate(root)){ return false; } @@ -216,22 +216,23 @@ namespace nil { math::polynomial::polynom U = math::polynomial::lagrange_interpolation(U_interpolation_points); - math::polynomial::polynom Q = (f - U); - for (std::size_t j = 0; j < k; j++){ - Q = Q/(x - U_interpolation_points[j]); - } + math::polynomial::polynom Q ; + // = (f - U); + // for (std::size_t j = 0; j < k; j++){ + // Q = Q/(x - U_interpolation_points[j]); + // } for (std::size_t round_id = 0; round_id < lambda; round_id++){ math::polynomial::polynom f_i = Q; typename FieldType::value_type x_i = - transcript.get_challenge(); + transcript.template get_challenge(); std::array &alpha_openings = proof.alpha_openings[round_id]; std::array &f_y_openings = proof.f_y_openings[round_id]; std::array &f_commitments = proof.f_commitments[round_id]; - std::array &f_ip1_coefficients = + std::vector &f_ip1_coefficients = proof.f_ip1_coefficients[round_id]; commitment_type &f_i_tree_root = root; @@ -239,18 +240,18 @@ namespace nil { for (std::size_t i = 0; i <= r-1; i++){ typename FieldType::value_type y_i = - transcript.get_challenge(); + transcript.template get_challenge(); math::polynomial::polynom sqr_polynom = {y_i, 0, -1}; - std::array s = - math::polynomial::get_roots(sqr_polynom); + std::array s ; + // = math::polynomial::get_roots(sqr_polynom); std::array, m> p_y_i_interpolation_points; for (std::size_t j = 0; j < m; j++){ - typename FieldType::value_type alpha_i_j = - algebra::marshalling(alpha_openings[m*i + j].leaf); + typename FieldType::value_type alpha_i_j; + // = algebra::marshalling(alpha_openings[m*i + j].leaf); if (!alpha_openings[m*i + j].validate(f_i_tree_root)){ return false; } @@ -260,8 +261,8 @@ namespace nil { math::polynomial::polynom p_y_i = math::polynomial::lagrange_interpolation(p_y_i_interpolation_points); - typename FieldType::value_type f_y_i = - algebra::marshalling(f_y_openings[i].leaf); + typename FieldType::value_type f_y_i ; + // = algebra::marshalling(f_y_openings[i].leaf); if (!f_y_openings[i].validate(f_i_tree_root)){ return false; } @@ -270,23 +271,23 @@ namespace nil { return false; } - x = q.evaluate(x); + x_i = q.evaluate(x_i); if (i < r - 1){ if (f_i != p_y_i){ return false; } - f_commitments[i] = commit(f_i, D_ip1).root(); + f_commitments[i] = commit(f_i, D).root(); transcript(f_commitments[i]); } else { if (f_i != p_y_i){ return false; } - if (math::polynomial::degree(f_i) != ...){ - return false; - } + // if (f_i.size() != ...){ + // return false; + // } } } } diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index f5229c54a..4b8d509bc 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -101,7 +101,7 @@ namespace nil { // 4 typename FieldType::value_type teta = - transcript.get_challenge(); + transcript.template get_challenge(); // 5 // A(teta) @@ -115,19 +115,19 @@ namespace nil { // 7 merkle_tree_type A1_tree = lpc::commit(A1); - merkle_tree_type P1_tree = lpc::commit(P1); + merkle_tree_type S1_tree = lpc::commit(S1); typename lpc::commitment_type A1_commitment = A1_tree.root(); - typename lpc::commitment_type P1_commitment = P1_tree.root(); + typename lpc::commitment_type S1_commitment = S1_tree.root(); transcript(A1_commitment); - transcript(P1_commitment); + transcript(S1_commitment); // 8 typename FieldType::value_type beta = - transcript.get_challenge(); + transcript.template get_challenge(); typename FieldType::value_type gamma = - transcript.get_challenge(); + transcript.template get_challenge(); // 9 // and 10 @@ -137,8 +137,10 @@ namespace nil { math::polynomial::polynom p1 = {1}; math::polynomial::polynom q1 = {1}; - std::vector &S_sigma = preprocessed_data.permutations; - std::vector &S_id = preprocessed_data.identity_permutations; + std::vector> + &S_sigma = preprocessed_data.permutations; + std::vector> + &S_id = preprocessed_data.identity_permutations; for (std::size_t j = 0; j < N_perm; j++) { p.push_back(f[j] + beta * S_id[j] + gamma); @@ -187,30 +189,32 @@ namespace nil { transcript(Q_commitment); // 13 - // ... V = ...; + math::polynomial::polynom V; // 14 - transcript(lpc::commit(V).root()); + transcript(lpc::commit(V, D_0).root()); // 15 - std::array alphas; - for (std::size_t i = 0; i < 6; i++) { + std::array alphas; + for (std::size_t i = 0; i < 11; i++) { alphas[i] = - transcript.get_challenge(); + transcript.template get_challenge(); } // 16 typename FieldType::value_type tau = - transcript.get_challenge(); + transcript.template get_challenge(); // 17 // and 21 std::size_t N_T = N_perm; std::vector> gates(N_sel); for (std::size_t i = 0; i < N_sel; i++) { - gates[i] = [0]; - for (std::size_t j = 0; j < ...; j++){ - gates[i] += preprocessed_data.constraints[j][i] * tau.pow(...); + gates[i] = {0}; + std::size_t n_i; + for (std::size_t j = 0; j < n_i; j++){ + std::size_t d_i_j; + gates[i] += preprocessed_data.constraints[j][i] * tau.pow(d_i_j); } gates[i] *= preprocessed_data.selectors[i]; @@ -222,8 +226,8 @@ namespace nil { std::array, 11> F; F[0] = preprocessed_data.Lagrange_basis[1] * (P - 1); F[1] = preprocessed_data.Lagrange_basis[1] * (Q - 1); - F[2] = P * p_1 - (P << 1); - F[3] = Q * q_1 - (Q << 1); + F[2] = P * p1 - (P << 1); + F[3] = Q * q1 - (Q << 1); F[4] = preprocessed_data.Lagrange_basis[n] * ((P << 1) - (Q << 1)); F[5] = preprocessed_data.PI; @@ -237,11 +241,11 @@ namespace nil { // 20 math::polynomial::polynom F_consolidated = 0; for (std::size_t i = 0; i < 11; i++) { - F_consolidated += a[i] * F[i]; + F_consolidated += alphas[i] * F[i]; } math::polynomial::polynom T_consolidated = - F_consolidated / Z; + F_consolidated / preprocessed_data.Z; // 22 std::vector> T(N_T); @@ -251,13 +255,13 @@ namespace nil { std::vector T_trees; std::vector T_commitments; - for (std::size_t i = 0; i < N_perm + 1) { + for (std::size_t i = 0; i < N_perm + 1; i++) { T_trees.push_back(lpc::commit(T[i])); T_commitments.push_back(T_trees[i].root()); } typename FieldType::value_type upsilon = - transcript.get_challenge(); + transcript.template get_challenge(); std::array fT_evaluation_points = {upsilon}; From b94ffed47c6368c8137ea631a53871451e4b4328 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Mon, 20 Dec 2021 16:01:52 +0300 Subject: [PATCH 028/219] Non linear combination from math polynom evaluation added. #20 --- .../snark/relations/non_linear_combination.hpp | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp index 098ed35b2..11ecdca3e 100644 --- a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp +++ b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp @@ -32,6 +32,7 @@ #define CRYPTO3_ZK_NON_LINEAR_COMBINATION_HPP #include +#include #include namespace nil { @@ -198,6 +199,22 @@ namespace nil { return acc; } + template + math::polynomial::polynom evaluate(std::size_t row_index, + const std::array, WiresAmount> &assignment) const { + math::polynomial::polynom acc = {0}; + for (non_linear_combination &nlt : terms) { + math::polynomial::polynom term_value = {nlt.coeff}; + + for (variable &var: nlt.vars){ + term_value *= assignment[var.wire_index]; + + } + acc += assignment[nlt.vars] * nlt.coeff; + } + return acc; + } + non_linear_combination operator*(const field_value_type &field_coeff) const { non_linear_combination result; result.terms.reserve(this->terms.size()); From 5aeb55c429ed3ae6257843109aaffbe101909592 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Mon, 20 Dec 2021 16:55:17 +0300 Subject: [PATCH 029/219] Redshift expression usage updated. #20 --- .../systems/plonk/redshift/preprocessor.hpp | 12 +- .../snark/systems/plonk/redshift/prover.hpp | 196 +++++++++--------- .../zk/snark/systems/plonk/redshift/types.hpp | 6 +- test/systems/plonk/redshift.cpp | 2 + 4 files changed, 113 insertions(+), 103 deletions(-) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp index efe0b81ce..f46a5137c 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp @@ -35,7 +35,7 @@ namespace nil { template class redshift_preprocessor { - typedef detail::redshift_types types_policy; + using types_policy = detail::redshift_types_policy; public: static inline typename types_policy::preprocessed_data_type @@ -44,13 +44,13 @@ namespace nil { typename types_policy::preprocessed_data_type data; - data.selectors = constraint_system.get_selectors(); - ... copy_constraints = constraint_system.get_copy_constraints(); + // data.selectors = constraint_system.get_selectors(); + // ... copy_constraints = constraint_system.get_copy_constraints(); - data.permutations = ...(copy_constraints); - data.identity_permutations = ...(copy_constraints); + // data.permutations = ...(copy_constraints); + // data.identity_permutations = ...(copy_constraints); - data.Lagrange_basis = math::polynomial::Lagrange_basis(data.omega, ...(assignments).n); + // data.Lagrange_basis = math::polynomial::Lagrange_basis(data.omega, ...(assignments).n); } }; } // namespace snark diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 4b8d509bc..c0bbd2adc 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -85,114 +85,114 @@ namespace nil { // 2 - Define new witness polynomials // and 3 - Add commitments to fi to transcript - std::vector> f = - constraint_system.get_polynoms(assignments); + // std::vector> f = + // constraint_system.get_polynoms(assignments); - std::vector f_trees; - std::vector f_commitments; + // std::vector f_trees; + // std::vector f_commitments; - for (std::size_t i = 0; i < N_wires; i++) { - math::polynomial::polynom h; - f[i] = f[i] + h * preprocessed_data.Z; - f_trees.push_back(lpc::commit(f[i])); - f_commitments[i].push_back(f_trees[i].root()); - transcript(f_commitments[i]); - } + // for (std::size_t i = 0; i < N_wires; i++) { + // math::polynomial::polynom h; + // f[i] = f[i] + h * preprocessed_data.Z; + // f_trees.push_back(lpc::commit(f[i])); + // f_commitments[i].push_back(f_trees[i].root()); + // transcript(f_commitments[i]); + // } // 4 - typename FieldType::value_type teta = - transcript.template get_challenge(); + // typename FieldType::value_type teta = + // transcript.template get_challenge(); // 5 // A(teta) - std::vector A; + // std::vector A; // S(teta) - std::vector S; + // std::vector S; // 6 - math::polynomial::polynom A1; - math::polynomial::polynom S1; + // math::polynomial::polynom A1; + // math::polynomial::polynom S1; // 7 - merkle_tree_type A1_tree = lpc::commit(A1); - merkle_tree_type S1_tree = lpc::commit(S1); - typename lpc::commitment_type A1_commitment = A1_tree.root(); - typename lpc::commitment_type S1_commitment = S1_tree.root(); + // merkle_tree_type A1_tree = lpc::commit(A1); + // merkle_tree_type S1_tree = lpc::commit(S1); + // typename lpc::commitment_type A1_commitment = A1_tree.root(); + // typename lpc::commitment_type S1_commitment = S1_tree.root(); - transcript(A1_commitment); - transcript(S1_commitment); + // transcript(A1_commitment); + // transcript(S1_commitment); // 8 - typename FieldType::value_type beta = - transcript.template get_challenge(); + // typename FieldType::value_type beta = + // transcript.template get_challenge(); - typename FieldType::value_type gamma = - transcript.template get_challenge(); + // typename FieldType::value_type gamma = + // transcript.template get_challenge(); // 9 // and 10 - std::vector> p(N_perm); - std::vector> q(N_perm); + // std::vector> p(N_perm); + // std::vector> q(N_perm); - math::polynomial::polynom p1 = {1}; - math::polynomial::polynom q1 = {1}; + // math::polynomial::polynom p1 = {1}; + // math::polynomial::polynom q1 = {1}; - std::vector> - &S_sigma = preprocessed_data.permutations; - std::vector> - &S_id = preprocessed_data.identity_permutations; + // std::vector> + // &S_sigma = preprocessed_data.permutations; + // std::vector> + // &S_id = preprocessed_data.identity_permutations; - for (std::size_t j = 0; j < N_perm; j++) { - p.push_back(f[j] + beta * S_id[j] + gamma); - q.push_back(f[j] + beta * S_sigma[j] + gamma); + // for (std::size_t j = 0; j < N_perm; j++) { + // p.push_back(f[j] + beta * S_id[j] + gamma); + // q.push_back(f[j] + beta * S_sigma[j] + gamma); - p1 *= p[j]; - q1 *= q[j]; - } + // p1 *= p[j]; + // q1 *= q[j]; + // } // 11 - std::vector> - P_interpolation_points(n + 1); - std::vector> - Q_interpolation_points(n + 1); - - P_interpolation_points.push_back(std::make_pair(preprocessed_data.omega, 1)); - for (std::size_t i = 2; i <= n + 1; i++) { - - typename FieldType::value_type P_mul_result = - typename FieldType::one(); - typename FieldType::value_type Q_mul_result = - typename FieldType::one(); - for (std::size_t j = 1; j < i; j++) { - P_mul_result *= p1(preprocessed_data.omega.pow(i)); - Q_mul_result *= q1(preprocessed_data.omega.pow(i)); - } - - P_interpolation_points.push_back(std::make_pair(preprocessed_data.omega.pow(i), P_mul_result)); - Q_interpolation_points.push_back(std::make_pair(preprocessed_data.omega.pow(i), Q_mul_result)); - } - - math::polynomial::polynom P = - math::polynomial::lagrange_interpolation(P_interpolation_points); - math::polynomial::polynom Q = - math::polynomial::lagrange_interpolation(Q_interpolation_points); + // std::vector> + // P_interpolation_points(n + 1); + // std::vector> + // Q_interpolation_points(n + 1); + + // P_interpolation_points.push_back(std::make_pair(preprocessed_data.omega, 1)); + // for (std::size_t i = 2; i <= n + 1; i++) { + + // typename FieldType::value_type P_mul_result = + // typename FieldType::one(); + // typename FieldType::value_type Q_mul_result = + // typename FieldType::one(); + // for (std::size_t j = 1; j < i; j++) { + // P_mul_result *= p1(preprocessed_data.omega.pow(i)); + // Q_mul_result *= q1(preprocessed_data.omega.pow(i)); + // } + + // P_interpolation_points.push_back(std::make_pair(preprocessed_data.omega.pow(i), P_mul_result)); + // Q_interpolation_points.push_back(std::make_pair(preprocessed_data.omega.pow(i), Q_mul_result)); + // } + + // math::polynomial::polynom P = + // math::polynomial::lagrange_interpolation(P_interpolation_points); + // math::polynomial::polynom Q = + // math::polynomial::lagrange_interpolation(Q_interpolation_points); // 12 - merkle_tree_type P_tree = lpc::commit(P); - merkle_tree_type Q_tree = lpc::commit(Q); - typename lpc::commitment_type P_commitment = P_tree.root(); - typename lpc::commitment_type Q_commitment = Q_tree.root(); + // merkle_tree_type P_tree = lpc::commit(P); + // merkle_tree_type Q_tree = lpc::commit(Q); + // typename lpc::commitment_type P_commitment = P_tree.root(); + // typename lpc::commitment_type Q_commitment = Q_tree.root(); - transcript(P_commitment); - transcript(Q_commitment); + // transcript(P_commitment); + // transcript(Q_commitment); // 13 - math::polynomial::polynom V; + // math::polynomial::polynom V; // 14 - transcript(lpc::commit(V, D_0).root()); + // transcript(lpc::commit(V, D_0).root()); // 15 std::array alphas; @@ -209,6 +209,9 @@ namespace nil { // and 21 std::size_t N_T = N_perm; std::vector> gates(N_sel); + std::vector> constraints = + constraint_system.get_polynoms(assignments); + for (std::size_t i = 0; i < N_sel; i++) { gates[i] = {0}; std::size_t n_i; @@ -217,18 +220,18 @@ namespace nil { gates[i] += preprocessed_data.constraints[j][i] * tau.pow(d_i_j); } - gates[i] *= preprocessed_data.selectors[i]; + // gates[i] *= preprocessed_data.selectors[i]; N_T = std::max(N_T, gates[i].degree() - 1); } // 18 std::array, 11> F; - F[0] = preprocessed_data.Lagrange_basis[1] * (P - 1); - F[1] = preprocessed_data.Lagrange_basis[1] * (Q - 1); - F[2] = P * p1 - (P << 1); - F[3] = Q * q1 - (Q << 1); - F[4] = preprocessed_data.Lagrange_basis[n] * ((P << 1) - (Q << 1)); + // F[0] = preprocessed_data.Lagrange_basis[1] * (P - 1); + // F[1] = preprocessed_data.Lagrange_basis[1] * (Q - 1); + // F[2] = P * p1 - (P << 1); + // F[3] = Q * q1 - (Q << 1); + // F[4] = preprocessed_data.Lagrange_basis[n] * ((P << 1) - (Q << 1)); F[5] = preprocessed_data.PI; for (std::size_t i = 0; i < N_sel; i++) { @@ -249,7 +252,7 @@ namespace nil { // 22 std::vector> T(N_T); - T = separate_T(T_consolidated); + // T = separate_T(T_consolidated); // 23 std::vector T_trees; @@ -267,14 +270,14 @@ namespace nil { fT_evaluation_points = {upsilon}; std::vector f_lpc_proofs(N_wires); - for (std::size_t i = 0; i < N_wires; i++){ - f_lpc_proofs.push_back(lpc::proof_eval(fT_evaluation_points, f_trees[i], f[i], D_0)); - } + // for (std::size_t i = 0; i < N_wires; i++){ + // f_lpc_proofs.push_back(lpc::proof_eval(fT_evaluation_points, f_trees[i], f[i], D_0)); + // } - std::array - PQ_evaluation_points = {upsilon, upsilon * preprocessed_data.omega}; - typename lpc::proof P_lpc_proof = lpc::proof_eval(PQ_evaluation_points, P_tree, P, D_0); - typename lpc::proof Q_lpc_proof = lpc::proof_eval(PQ_evaluation_points, Q_tree, Q, D_0); + // std::array + // PQ_evaluation_points = {upsilon, upsilon * preprocessed_data.omega}; + // typename lpc::proof P_lpc_proof = lpc::proof_eval(PQ_evaluation_points, P_tree, P, D_0); + // typename lpc::proof Q_lpc_proof = lpc::proof_eval(PQ_evaluation_points, Q_tree, Q, D_0); std::vector T_lpc_proofs(N_perm + 1); @@ -282,11 +285,14 @@ namespace nil { T_lpc_proofs.push_back(lpc::proof_eval(fT_evaluation_points, T_trees[i], T[i], D_0)); } - typename types_policy::proof_type proof = - typename types_policy::proof_type(std::move(f_commitments), std::move(P_commitment), - std::move(Q_commitment), std::move(T_commitments), - std::move(f_lpc_proofs), std::move(P_lpc_proof), - std::move(Q_lpc_proof), std::move(T_lpc_proofs)); + typename types_policy::proof_type proof ; + // = typename types_policy::proof_type(std::move(f_commitments), std::move(P_commitment), + // std::move(Q_commitment), std::move(T_commitments), + // std::move(f_lpc_proofs), std::move(P_lpc_proof), + // std::move(Q_lpc_proof), std::move(T_lpc_proofs)); + proof.T_lpc_proofs = T_lpc_proofs; + proof.f_lpc_proofs = f_lpc_proofs; + proof.T_commitments = T_commitments; return proof; } diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp index b51333125..3662cc18c 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp @@ -65,9 +65,11 @@ namespace nil { template using proof_type = redshift_proof; - template + template struct preprocessed_data_type { + typedef ExpressionType expression_type; + constexpr static const typename FieldType::value_type omega = math::unity_root(math::detail::get_power_of_two(k)); @@ -77,7 +79,7 @@ namespace nil { // S_id std::vector> identity_permutations; // c - std::vector> constraints; + std::vector constraints; std::vector> Lagrange_basis; diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index ebec36552..1b85d213a 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -32,6 +32,8 @@ #include #include +#include +#include using namespace nil::crypto3; From 5ff8d79f6c4e1f22c6797a9a903c973572297754 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Fri, 24 Dec 2021 13:57:38 +0300 Subject: [PATCH 030/219] Pickles proof struct inited. #27 --- .../list_polynomial_commitment.hpp | 6 +- .../crypto3/zk/snark/commitments/pickles.hpp | 61 +++++++++++++++++ .../zk/snark/systems/plonk/pickles/proof.hpp | 68 +++++++++++-------- 3 files changed, 102 insertions(+), 33 deletions(-) create mode 100644 include/nil/crypto3/zk/snark/commitments/pickles.hpp diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index 3f7a375c1..ba592febd 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -23,8 +23,8 @@ // SOFTWARE. //---------------------------------------------------------------------------// -#ifndef CRYPTO3_ZK_FRI_COMMITMENT_SCHEME_HPP -#define CRYPTO3_ZK_FRI_COMMITMENT_SCHEME_HPP +#ifndef CRYPTO3_ZK_LIST_POLYNOMIAL_COMMITMENT_SCHEME_HPP +#define CRYPTO3_ZK_LIST_POLYNOMIAL_COMMITMENT_SCHEME_HPP #include #include @@ -301,4 +301,4 @@ namespace nil { } // namespace crypto3 } // namespace nil -#endif // CRYPTO3_ZK_FRI_COMMITMENT_SCHEME_HPP +#endif // CRYPTO3_ZK_LIST_POLYNOMIAL_COMMITMENT_SCHEME_HPP diff --git a/include/nil/crypto3/zk/snark/commitments/pickles.hpp b/include/nil/crypto3/zk/snark/commitments/pickles.hpp new file mode 100644 index 000000000..61ed2f24c --- /dev/null +++ b/include/nil/crypto3/zk/snark/commitments/pickles.hpp @@ -0,0 +1,61 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_PICKLES_COMMITMENT_SCHEME_HPP +#define CRYPTO3_ZK_PICKLES_COMMITMENT_SCHEME_HPP + +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + + template + class pickles_commitment_scheme { + public: + + using evaluation_type = typename CurveType::scalar_field_type::value_type; + using commitment_type = typename CurveType::value_type; + + struct openning_type { + + } + + struct proof_type { + + }; + + static commitment_type commit (){ + + } + }; + + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_PICKLES_COMMITMENT_SCHEME_HPP diff --git a/include/nil/crypto3/zk/snark/systems/plonk/pickles/proof.hpp b/include/nil/crypto3/zk/snark/systems/plonk/pickles/proof.hpp index 6a04786f0..97683e613 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/pickles/proof.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/pickles/proof.hpp @@ -1,5 +1,6 @@ //---------------------------------------------------------------------------// -// Copyright (c) 2018-2021 Mikhail Komarov +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov // // MIT License // @@ -29,47 +30,54 @@ #include #include +#include + namespace nil { namespace crypto3 { namespace zk { namespace snark { - template - struct LookupCommitments { - std::vector> sorted; - PolyComm aggreg; - }; - template - struct ProverCommitments { - // polynomial commitments - std::array, COLUMNS> w_comm; - PolyComm z_comm; - PolyComm t_comm; - LookupCommitments lookup; - } + template + class ProverProof { + typedef pickles_commitment_scheme commitment_scheme; + public: + + // Commitments: + std::array w_comm; + + typename commitment_scheme::commitment_type z_comm; - template - struct ProverProof { - typedef typename CurveType::scalar_group_type scalar_group_type; - // polynomial commitments - ProverCommitments commitments; + // N_perm + std::vector t_comm; - // batched commitment opening proof - OpeningProof proof; + // Evaluations: + std::array w_zeta; + std::array w_zeta_omega; - // polynomial evaluations - // TODO(mimoo): that really should be a type Evals { z: PE, zw: PE } - std::array>, 2> evals; + typename commitment_scheme::evaluation_type z_zeta; + typename commitment_scheme::evaluation_type z_zeta_omega; - typename scalar_group_type::value_type ft_eval1; + // N_perm + 1 + std::vector S_sigma_zeta; + // N_perm + 1 + std::vector S_sigma_zeta_omega; - // public part of the witness - std::vector pub; + typename commitment_scheme::evaluation_type L_zeta_omega; - // The challenges underlying the optional polynomials folded into the proof - std::vector, PolyComm>> + // Opening proof + std::array L; + std::array R; + + typename CurveType::value_type sigma; + typename CurveType::value_type G; + + typename CurveType::scalar_field_type::value_type z1,z2; + + // Previous challenges + std::vector, + typename commitment_scheme::commitment_type>> prev_challenges; - } + }; } // namespace snark } // namespace zk } // namespace crypto3 From 28c2796a0fc857a8ac4f210528e2f5e185a49212 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Mon, 27 Dec 2021 02:52:19 +0300 Subject: [PATCH 031/219] Non-linear combination updated. #20 --- .../zk/snark/relations/linear_combination.hpp | 3 +- .../relations/non_linear_combination.hpp | 116 +++++++++++++----- .../zk/snark/relations/plonk/plonk.hpp | 2 + .../crypto3/zk/snark/relations/variable.hpp | 28 +++-- 4 files changed, 108 insertions(+), 41 deletions(-) diff --git a/include/nil/crypto3/zk/snark/relations/linear_combination.hpp b/include/nil/crypto3/zk/snark/relations/linear_combination.hpp index 9ea5751c3..cd1f03658 100644 --- a/include/nil/crypto3/zk/snark/relations/linear_combination.hpp +++ b/include/nil/crypto3/zk/snark/relations/linear_combination.hpp @@ -31,9 +31,10 @@ #ifndef CRYPTO3_ZK_LINEAR_COMBINATION_HPP #define CRYPTO3_ZK_LINEAR_COMBINATION_HPP -#include #include +#include + namespace nil { namespace crypto3 { namespace zk { diff --git a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp index 11ecdca3e..724038f89 100644 --- a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp +++ b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp @@ -86,6 +86,14 @@ namespace nil { return result; } + non_linear_term operator*(const non_linear_term &other) const { + non_linear_term result(this->vars); + + std::copy (other.vars.begin(), other.vars.end(), std::back_inserter(result.vars)); + result.coeff = other.coeff * this->coeff; + return result; + } + // non_linear_combination operator+(const non_linear_combination &other) const { // return non_linear_combination(*this) + other; // } @@ -97,21 +105,6 @@ namespace nil { non_linear_term operator-() const { return non_linear_term(this->vars)* (-this->coeff); } - - bool operator==(const non_linear_term &other) const { - std::sort(vars.begin(), vars.end()); - return (this->vars == other.vars && this->coeff == other.coeff); - } - - void sort(){ - - } - - bool operator<(const non_linear_term &other) { - this->sort(); - other.sort(); - return (this->vars < other.vars || ((this->vars == other.vars) && (this->coeff < other.coeff))); - } }; template @@ -121,19 +114,33 @@ namespace nil { return nlt * field_coeff; } - // template - // non_linear_combination operator+( - // const typename FieldType::value_type &field_coeff, - // const non_linear_term &nlt) { - // return non_linear_combination(field_coeff) + nlt; - // } + template + non_linear_combination operator+( + const typename FieldType::value_type &field_coeff, + const non_linear_term &nlt) { + return non_linear_combination(field_coeff) + nlt; + } - // template - // non_linear_combination operator-( - // const typename FieldType::value_type &field_coeff, - // const non_linear_term &nlt) { - // return non_linear_combination(field_coeff) - nlt; - // } + template + non_linear_combination operator-( + const typename FieldType::value_type &field_coeff, + const non_linear_term &nlt) { + return non_linear_combination(field_coeff) - nlt; + } + + template + non_linear_combination operator+( + const non_linear_term &A, + const non_linear_term &B) { + return non_linear_combination(A) + non_linear_combination(B); + } + + template + non_linear_combination operator-( + const non_linear_term &A, + const non_linear_term &B) { + return non_linear_combination(A) - non_linear_combination(B); + } /***************************** Linear combination ****************************/ @@ -151,9 +158,9 @@ namespace nil { std::vector> terms; non_linear_combination() {}; - non_linear_combination(const field_value_type &field_coeff) { - this->add_term(non_linear_term(field_coeff)); - } + // non_linear_combination(const field_value_type &field_coeff) { + // this->add_term(non_linear_term(field_coeff)); + // } non_linear_combination(const variable &var) { this->add_term(var); } @@ -164,6 +171,10 @@ namespace nil { terms(terms) { } + // non_linear_combination(const non_linear_combination &other): + // terms(other.terms) { + // } + /* for supporting range-based for loops over non_linear_combination */ typename std::vector>::const_iterator begin() const { return terms.begin(); @@ -272,17 +283,62 @@ namespace nil { return lc * field_coeff; } + template + non_linear_combination operator*( + const non_linear_combination &A, + const non_linear_combination &B) { + non_linear_combination result; + result.terms.reserve(A.terms.size() * B.terms.size()); + + for (const non_linear_term &this_nlt : A.terms) { + for (const non_linear_term &other_nlt : B.terms) { + result.terms.emplace_back(this_nlt * other_nlt); + } + } + return result; + } + + template + non_linear_combination operator*( + const variable &var, + const non_linear_combination &A) { + non_linear_combination result; + result.terms.reserve(A.terms.size() ); + + + + for (const non_linear_term &this_nlt : A.terms) { + result.terms.emplace_back(this_nlt * var); + } + return result; + } + template non_linear_combination operator+(const typename FieldType::value_type &field_coeff, const non_linear_combination &lc) { return non_linear_combination(field_coeff) + lc; } + template + non_linear_combination operator+( + const non_linear_combination &lc, + const typename FieldType::value_type &field_coeff) { + + return field_coeff + lc; + } + template non_linear_combination operator-(const typename FieldType::value_type &field_coeff, const non_linear_combination &lc) { return non_linear_combination(field_coeff) - lc; } + + template + non_linear_combination operator-(const non_linear_combination &lc, + const typename FieldType::value_type &field_coeff) { + + return -(field_coeff - lc); + } } // namespace snark } // namespace zk } // namespace crypto3 diff --git a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp index 34dde8eae..d7659a964 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp @@ -36,6 +36,8 @@ #include #include +#include + #include #include diff --git a/include/nil/crypto3/zk/snark/relations/variable.hpp b/include/nil/crypto3/zk/snark/relations/variable.hpp index ec1ae5841..9d945339c 100644 --- a/include/nil/crypto3/zk/snark/relations/variable.hpp +++ b/include/nil/crypto3/zk/snark/relations/variable.hpp @@ -141,18 +141,17 @@ namespace nil { /** * Mnemonic typedefs. */ - typedef std::size_t wire_index_type; enum rotation_type{ pre_previous = -2, previous, current, - nex, + next, after_next }; - wire_index_type wire_index; + std::size_t wire_index; rotation_type rotation; - constexpr variable(const wire_index_type wire_index, rotation_type rotation = rotation_type::current) : + constexpr variable(const std::size_t wire_index, rotation_type rotation) : wire_index(wire_index), rotation(rotation) {}; non_linear_term operator^(const std::size_t power) const { @@ -164,12 +163,16 @@ namespace nil { return non_linear_term(*this) * field_coeff; } + non_linear_term operator*( + const variable &other) const { + return non_linear_term(*this) * other; + } + non_linear_combination operator+( const non_linear_combination &other) const { - non_linear_combination result; + non_linear_combination result (other); result.add_term(*this); - result.terms.insert(result.terms.begin(), other.terms.begin(), other.terms.end()); return result; } @@ -179,6 +182,11 @@ namespace nil { return (*this) + (-other); } + non_linear_combination operator-( + const typename FieldType::value_type &field_val) const { + return (*this) - non_linear_combination(field_val); + } + non_linear_term operator-() const { return non_linear_term(*this) * ( -FieldType::value_type::one()); } @@ -200,15 +208,15 @@ namespace nil { } template - non_linear_combination operator+(const typename FieldType::value_type &field_coeff, + non_linear_combination operator+(const typename FieldType::value_type &field_val, const variable &var) { - return var + field_coeff; + return var + field_val; } template - non_linear_combination operator-(const typename FieldType::value_type &field_coeff, + non_linear_combination operator-(const typename FieldType::value_type &field_val, const variable &var) { - return non_linear_combination(field_coeff) - var; + return (- var) + field_val ; } } // namespace snark From cc002b6de90a1eed1d9cbcd7a43dabbd50adbabb Mon Sep 17 00:00:00 2001 From: nkaskov Date: Mon, 27 Dec 2021 19:54:55 +0300 Subject: [PATCH 032/219] Fiat-Shamir updated. #20 #24 --- .../list_polynomial_commitment.hpp | 22 +++++++++++-------- .../systems/plonk/redshift/preprocessor.hpp | 4 ++-- .../snark/systems/plonk/redshift/prover.hpp | 9 +++----- .../zk/snark/systems/plonk/redshift/types.hpp | 8 +++---- .../zk/snark/transcript/fiat_shamir.hpp | 16 ++++++++++++++ test/systems/plonk/redshift.cpp | 15 +++++++++++-- 6 files changed, 51 insertions(+), 23 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index ba592febd..1b525e616 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -67,6 +67,7 @@ namespace nil { struct transcript_round_manifest { enum challenges_ids {x, y}; }; + public: using openning_type = merkle_proof_type; @@ -147,13 +148,16 @@ namespace nil { proof.f_ip1_coefficients[round_id]; merkle_tree_type &f_i_tree = T; + auto y_arr = + transcript.template get_challenges(); + for (std::size_t i = 0; i <= r-1; i++){ - typename FieldType::value_type y_i = - transcript.template get_challenge(); + // typename FieldType::value_type y_i = + // transcript.template get_challenge(); math::polynomial::polynom - sqr_polynom = {y_i, 0, -1}; + sqr_polynom = {y_arr[i], 0, -1}; std::array s ; // = math::polynomial::get_roots(sqr_polynom); @@ -173,8 +177,8 @@ namespace nil { f_i = p_y_i; - typename FieldType::value_type f_y_i = f_i.evaluate(y_i); - std::size_t leaf_index = std::find(D.begin(), D.end(), y_i) - D.begin(); + typename FieldType::value_type f_y_i = f_i.evaluate(y_arr[i]); + std::size_t leaf_index = std::find(D.begin(), D.end(), y_arr[i]) - D.begin(); f_y_openings[i] = merkle_proof_type(f_i_tree, leaf_index); x_i = q.evaluate(x_i); @@ -237,12 +241,12 @@ namespace nil { commitment_type &f_i_tree_root = root; - for (std::size_t i = 0; i <= r-1; i++){ + auto y_arr = + transcript.template get_challenges(); - typename FieldType::value_type y_i = - transcript.template get_challenge(); + for (std::size_t i = 0; i <= r-1; i++){ - math::polynomial::polynom sqr_polynom = {y_i, 0, -1}; + math::polynomial::polynom sqr_polynom = {y_arr[i], 0, -1}; std::array s ; // = math::polynomial::get_roots(sqr_polynom); diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp index f46a5137c..195ff589b 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp @@ -33,12 +33,12 @@ namespace nil { namespace zk { namespace snark { - template + template class redshift_preprocessor { using types_policy = detail::redshift_types_policy; public: - static inline typename types_policy::preprocessed_data_type + static inline typename types_policy::template preprocessed_data_type process(const typename types_policy::constraint_system_type &constraint_system, const typename types_policy::variable_assignment_type &assignments) { diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index c0bbd2adc..ddf7e5937 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -59,7 +59,7 @@ namespace nil { public: static inline typename types_policy::template proof_type - process(const typename types_policy::preprocessed_data_type preprocessed_data, + process(const typename types_policy::template preprocessed_data_type preprocessed_data, const typename types_policy::constraint_system_type &constraint_system, const typename types_policy::variable_assignment_type &assignments) { @@ -195,11 +195,8 @@ namespace nil { // transcript(lpc::commit(V, D_0).root()); // 15 - std::array alphas; - for (std::size_t i = 0; i < 11; i++) { - alphas[i] = - transcript.template get_challenge(); - } + std::array alphas = + transcript.template get_challenges(); // 16 typename FieldType::value_type tau = diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp index 3662cc18c..f01553755 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp @@ -53,6 +53,8 @@ namespace nil { typedef plonk_constraint_system constraint_system_type; + typedef plonk_variable_assignment variable_assignment_type; + /*********************************** Proof ***********************************/ /** @@ -65,11 +67,9 @@ namespace nil { template using proof_type = redshift_proof; - template + template struct preprocessed_data_type { - typedef ExpressionType expression_type; - constexpr static const typename FieldType::value_type omega = math::unity_root(math::detail::get_power_of_two(k)); @@ -79,7 +79,7 @@ namespace nil { // S_id std::vector> identity_permutations; // c - std::vector constraints; + std::vector> constraints; std::vector> Lagrange_basis; diff --git a/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp b/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp index 6db447632..2468863b1 100644 --- a/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp +++ b/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp @@ -60,6 +60,7 @@ namespace nil { class fiat_shamir_heuristic { accumulator_set acc; + public: fiat_shamir_heuristic() { @@ -82,6 +83,21 @@ namespace nil { acc(ChallengeId + Index); return accumulators::extract::hash(acc); } + + template + std::array get_challenges(){ + + std::array result; + + for (std::size_t i = 0; i < ChallengesAmount; i++){ + + acc(ChallengeId + i); + result[i] = accumulators::extract::hash(acc); + } + + return result; + } }; } // namespace snark } // namespace zk diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index 1b85d213a..6ea57a5e1 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -31,6 +31,11 @@ #include #include +#include +#include +#include +#include + #include #include #include @@ -39,8 +44,14 @@ using namespace nil::crypto3; BOOST_AUTO_TEST_SUITE(redshift_prover_test_suite) -BOOST_AUTO_TEST_SUITE_END() +BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { + + using curve_type = algebra::curves::bls12<381>; + + zk::snark::redshift_preprocessor preprocess; -BOOST_AUTO_TEST_SUITE(redshift_proveron_test_suite) + // auto preprocessed_data = preprocess::process(cs, assignments); + zk::snark::redshift_prover prove; +} BOOST_AUTO_TEST_SUITE_END() \ No newline at end of file From f8b195331879c8693e4a9e780847f5227e606d64 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Mon, 27 Dec 2021 22:32:29 +0300 Subject: [PATCH 033/219] Redshift implementation updated. #20 --- .../list_polynomial_commitment.hpp | 12 ++++++++-- .../zk/snark/relations/plonk/plonk.hpp | 6 ++--- .../systems/plonk/redshift/preprocessor.hpp | 9 +++++++- .../zk/snark/systems/plonk/redshift/proof.hpp | 2 ++ .../snark/systems/plonk/redshift/prover.hpp | 22 ++++++++++--------- .../zk/snark/systems/plonk/redshift/types.hpp | 6 ++--- .../zk/snark/transcript/fiat_shamir.hpp | 19 ++++++++++------ 7 files changed, 50 insertions(+), 26 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index 1b525e616..8faeffc59 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -61,8 +61,8 @@ namespace nil { typedef typename containers::merkle_tree merkle_tree_type; typedef typename containers::merkle_proof merkle_proof_type; - constexpr static const math::polynomial::polynom - q = {0, 0, 1}; + // static const math::polynomial::polynom + // q = {0, 0, 1}; struct transcript_round_manifest { enum challenges_ids {x, y}; @@ -108,6 +108,10 @@ namespace nil { const math::polynomial::polynom &f, const std::vector &D){ + // temporary definition, until polynom is constexpr + const math::polynomial::polynom + q = {0, 0, 1}; + proof_type proof; fiat_shamir_heuristic transcript; @@ -201,6 +205,10 @@ namespace nil { proof_type proof, const std::vector &D){ + // temporary definition, until polynom is constexpr + const math::polynomial::polynom + q = {0, 0, 1}; + fiat_shamir_heuristic transcript; std::array &z_openings = proof.z_openings; diff --git a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp index d7659a964..edfaec0c2 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp @@ -98,7 +98,7 @@ namespace nil { } std::vector> get_polynoms( - plonk_variable_assignment full_variable_assignment){ + plonk_variable_assignment full_variable_assignment) const{ std::vector> result(constraints.size()); @@ -116,10 +116,10 @@ namespace nil { // TODO: Rotation isn't taken into consideration for (auto &var: term.vars){ - term_polynom *= wire_polynomials[var.index]; + term_polynom = term_polynom * wire_polynomials[var.wire_index]; } - result[constraint_index] += term_polynom; + result[constraint_index] = result[constraint_index] + term_polynom; } } diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp index 195ff589b..a1c9fafb6 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp @@ -26,6 +26,9 @@ #ifndef CRYPTO3_ZK_PLONK_REDSHIFT_PREPROCESSOR_HPP #define CRYPTO3_ZK_PLONK_REDSHIFT_PREPROCESSOR_HPP +#include +#include + #include namespace nil { @@ -42,8 +45,10 @@ namespace nil { process(const typename types_policy::constraint_system_type &constraint_system, const typename types_policy::variable_assignment_type &assignments) { - typename types_policy::preprocessed_data_type data; + typename types_policy::template preprocessed_data_type data; + data.omega = + math::unity_root(math::detail::get_power_of_two(k)); // data.selectors = constraint_system.get_selectors(); // ... copy_constraints = constraint_system.get_copy_constraints(); @@ -51,6 +56,8 @@ namespace nil { // data.identity_permutations = ...(copy_constraints); // data.Lagrange_basis = math::polynomial::Lagrange_basis(data.omega, ...(assignments).n); + + return data; } }; } // namespace snark diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp index f1b3e9d5e..0f20c5a05 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp @@ -34,6 +34,8 @@ namespace nil { template struct redshift_proof { + redshift_proof(){} + std::vector f_commitments; typename CommitmentSchemeType::commitment_type P_commitment; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index ddf7e5937..a0f11cc36 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -214,12 +214,13 @@ namespace nil { std::size_t n_i; for (std::size_t j = 0; j < n_i; j++){ std::size_t d_i_j; - gates[i] += preprocessed_data.constraints[j][i] * tau.pow(d_i_j); + math::polynomial::polynom tau_polynom = {tau.pow(d_i_j)}; + gates[i] = gates[i] + preprocessed_data.constraints[j] * tau_polynom; } // gates[i] *= preprocessed_data.selectors[i]; - N_T = std::max(N_T, gates[i].degree() - 1); + N_T = std::max(N_T, gates[i].size() - 1); } // 18 @@ -229,19 +230,20 @@ namespace nil { // F[2] = P * p1 - (P << 1); // F[3] = Q * q1 - (Q << 1); // F[4] = preprocessed_data.Lagrange_basis[n] * ((P << 1) - (Q << 1)); - F[5] = preprocessed_data.PI; + // F[5] = preprocessed_data.PI; for (std::size_t i = 0; i < N_sel; i++) { - F[5] += gates[i]; + F[5] = F[5] + gates[i]; } // 19 // ... // 20 - math::polynomial::polynom F_consolidated = 0; + math::polynomial::polynom F_consolidated = {0}; for (std::size_t i = 0; i < 11; i++) { - F_consolidated += alphas[i] * F[i]; + math::polynomial::polynom alphas_polynom = {alphas[i]}; + F_consolidated = F_consolidated + alphas_polynom * F[i]; } math::polynomial::polynom T_consolidated = @@ -256,7 +258,7 @@ namespace nil { std::vector T_commitments; for (std::size_t i = 0; i < N_perm + 1; i++) { - T_trees.push_back(lpc::commit(T[i])); + T_trees.push_back(lpc::commit(T[i], D_0)); T_commitments.push_back(T_trees[i].root()); } @@ -265,7 +267,7 @@ namespace nil { std::array fT_evaluation_points = {upsilon}; - std::vector f_lpc_proofs(N_wires); + std::vector f_lpc_proofs(N_wires); // for (std::size_t i = 0; i < N_wires; i++){ // f_lpc_proofs.push_back(lpc::proof_eval(fT_evaluation_points, f_trees[i], f[i], D_0)); @@ -276,13 +278,13 @@ namespace nil { // typename lpc::proof P_lpc_proof = lpc::proof_eval(PQ_evaluation_points, P_tree, P, D_0); // typename lpc::proof Q_lpc_proof = lpc::proof_eval(PQ_evaluation_points, Q_tree, Q, D_0); - std::vector T_lpc_proofs(N_perm + 1); + std::vector T_lpc_proofs(N_perm + 1); for (std::size_t i = 0; i < N_perm + 1; i++){ T_lpc_proofs.push_back(lpc::proof_eval(fT_evaluation_points, T_trees[i], T[i], D_0)); } - typename types_policy::proof_type proof ; + typename types_policy::template proof_type proof ; // = typename types_policy::proof_type(std::move(f_commitments), std::move(P_commitment), // std::move(Q_commitment), std::move(T_commitments), // std::move(f_lpc_proofs), std::move(P_lpc_proof), diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp index f01553755..1247e3b34 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp @@ -70,8 +70,7 @@ namespace nil { template struct preprocessed_data_type { - constexpr static const typename FieldType::value_type omega = - math::unity_root(math::detail::get_power_of_two(k)); + typename FieldType::value_type omega; std::vector> selectors; // S_sigma @@ -93,7 +92,8 @@ namespace nil { beta, gamma, alpha, - upsilon = alpha + AlphasAmount + upsilon = alpha + AlphasAmount, + tau }; }; }; diff --git a/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp b/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp index 2468863b1..9948c7539 100644 --- a/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp +++ b/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp @@ -73,27 +73,32 @@ namespace nil { } template - typename Hash::digest_type get_challenge(){ + typename FieldType::value_type get_challenge(){ acc(ChallengeId); - return accumulators::extract::hash(acc); + typename Hash::digest_type hash_res = accumulators::extract::hash(acc); + + return FieldType::value_type::one(); } template - typename Hash::digest_type get_challenge(){ + typename FieldType::value_type get_challenge(){ acc(ChallengeId + Index); - return accumulators::extract::hash(acc); + typename Hash::digest_type hash_res = accumulators::extract::hash(acc); + + return FieldType::value_type::one(); } template - std::array get_challenges(){ + std::array get_challenges(){ - std::array result; + std::array hash_results; + std::array result; for (std::size_t i = 0; i < ChallengesAmount; i++){ acc(ChallengeId + i); - result[i] = accumulators::extract::hash(acc); + hash_results[i] = accumulators::extract::hash(acc); } return result; From d4291b65edfb6efad476853f90859f30b2766ecf Mon Sep 17 00:00:00 2001 From: nkaskov Date: Tue, 28 Dec 2021 02:30:11 +0300 Subject: [PATCH 034/219] Redshift implementation updated. #20 --- .../commitments/list_polynomial_commitment.hpp | 17 +++++++++++------ .../systems/plonk/redshift/preprocessor.hpp | 1 + .../zk/snark/systems/plonk/redshift/prover.hpp | 4 ++-- .../crypto3/zk/snark/transcript/fiat_shamir.hpp | 11 +++++------ test/systems/plonk/redshift.cpp | 4 ++-- 5 files changed, 21 insertions(+), 16 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index 8faeffc59..5d1d95a99 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -74,6 +74,9 @@ namespace nil { using commitment_type = typename merkle_tree_type::value_type; struct proof_type { + + proof_type(){} + std::array z_openings; std::array, lambda> alpha_openings; std::array, lambda> f_y_openings; @@ -90,8 +93,8 @@ namespace nil { // After this function // result.root(); // should be called - static merkle_tree_type commit (const math::polynomial::polynom< - typename FieldType::value_type> &f, + static merkle_tree_type commit ( + const math::polynomial::polynom &f, const std::vector &D){ std::vector y; @@ -99,7 +102,8 @@ namespace nil { y.push_back(f.evaluate(H)); } - return merkle_tree_type(y); + std::vector> y_data; + return merkle_tree_type(y_data); } static proof_type proof_eval ( @@ -134,8 +138,9 @@ namespace nil { math::polynomial::polynom Q = (f - U); for (std::size_t j = 0; j < k; j++){ - math::polynomial::polynom x = {1}; - Q = Q/(x - U_interpolation_points[j]); + math::polynomial::polynom denominator_polynom = + {- evaluation_points[j], 1}; + Q = Q/denominator_polynom; } for (std::size_t round_id = 0; round_id < lambda; round_id++){ @@ -150,7 +155,7 @@ namespace nil { std::array &f_commitments = proof.f_commitments[round_id]; std::vector &f_ip1_coefficients = proof.f_ip1_coefficients[round_id]; - merkle_tree_type &f_i_tree = T; + merkle_tree_type f_i_tree = T; auto y_arr = transcript.template get_challenges(); diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp index a1c9fafb6..a55c128e3 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp @@ -49,6 +49,7 @@ namespace nil { data.omega = math::unity_root(math::detail::get_power_of_two(k)); + data.Z = {1}; // data.selectors = constraint_system.get_selectors(); // ... copy_constraints = constraint_system.get_copy_constraints(); diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index a0f11cc36..09ef01c1d 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -245,10 +245,10 @@ namespace nil { math::polynomial::polynom alphas_polynom = {alphas[i]}; F_consolidated = F_consolidated + alphas_polynom * F[i]; } - + math::polynomial::polynom T_consolidated = F_consolidated / preprocessed_data.Z; - + // 22 std::vector> T(N_T); // T = separate_T(T_consolidated); diff --git a/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp b/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp index 9948c7539..6c0bf6472 100644 --- a/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp +++ b/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp @@ -63,18 +63,17 @@ namespace nil { public: - fiat_shamir_heuristic() { - acc(); + fiat_shamir_heuristic() : acc(){ } template void operator() (TAny data){ - acc(data); + // acc(data); } template typename FieldType::value_type get_challenge(){ - acc(ChallengeId); + // acc(ChallengeId); typename Hash::digest_type hash_res = accumulators::extract::hash(acc); return FieldType::value_type::one(); @@ -82,7 +81,7 @@ namespace nil { template typename FieldType::value_type get_challenge(){ - acc(ChallengeId + Index); + // acc(ChallengeId + Index); typename Hash::digest_type hash_res = accumulators::extract::hash(acc); return FieldType::value_type::one(); @@ -97,7 +96,7 @@ namespace nil { for (std::size_t i = 0; i < ChallengesAmount; i++){ - acc(ChallengeId + i); + // acc(ChallengeId + i); hash_results[i] = accumulators::extract::hash(acc); } diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index 6ea57a5e1..61b53f7e8 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -48,10 +48,10 @@ BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { using curve_type = algebra::curves::bls12<381>; - zk::snark::redshift_preprocessor preprocess; + zk::snark::redshift_preprocessor preprocess; // auto preprocessed_data = preprocess::process(cs, assignments); - zk::snark::redshift_prover prove; + zk::snark::redshift_prover prove; } BOOST_AUTO_TEST_SUITE_END() \ No newline at end of file From ff564599e517abcf2231c6373adf0267f2a6d742 Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Sun, 2 Jan 2022 21:15:43 +0300 Subject: [PATCH 035/219] Minor reformatting done #20 --- .../crypto3/zk/snark/accumulation_vector.hpp | 2 +- .../zk/snark/commitments/batched_kate.hpp | 25 +-- .../detail/element_knowledge_commitment.hpp | 32 ++- .../zk/snark/commitments/fri_commitment.hpp | 31 ++- .../knowledge_commitment_multiexp.hpp | 6 +- .../list_polynomial_commitment.hpp | 202 +++++++++--------- .../crypto3/zk/snark/commitments/pickles.hpp | 7 +- .../zk/snark/reductions/r1cs_to_sap.hpp | 28 +-- .../relations/arithmetic_programs/qap.hpp | 37 ++-- .../relations/arithmetic_programs/sap.hpp | 27 ++- .../relations/arithmetic_programs/ssp.hpp | 17 +- .../zk/snark/relations/linear_combination.hpp | 44 ++-- .../relations/non_linear_combination.hpp | 135 ++++++------ .../zk/snark/relations/plonk/plonk.hpp | 44 ++-- .../crypto3/zk/snark/relations/variable.hpp | 63 +++--- .../nil/crypto3/zk/snark/sparse_vector.hpp | 5 +- .../zk/snark/systems/plonk/pickles/proof.hpp | 8 +- .../systems/plonk/redshift/preprocessor.hpp | 5 +- .../zk/snark/systems/plonk/redshift/proof.hpp | 6 +- .../snark/systems/plonk/redshift/prover.hpp | 79 ++++--- .../zk/snark/systems/plonk/redshift/types.hpp | 18 +- .../snark/systems/plonk/redshift/verifier.hpp | 46 ++-- .../r1cs_ppzkadsnark/detail/basic_policy.hpp | 96 +++++---- .../ppzksnark/bacs_ppzksnark/prover.hpp | 9 +- .../ppzksnark/bacs_ppzksnark/proving_key.hpp | 6 +- .../systems/ppzksnark/r1cs_gg_ppzksnark.hpp | 11 +- .../r1cs_gg_ppzksnark/ipp2/generator.hpp | 1 - .../r1cs_gg_ppzksnark/ipp2/proof.hpp | 10 +- .../r1cs_gg_ppzksnark/ipp2/prover.hpp | 50 ++--- .../r1cs_gg_ppzksnark/ipp2/transcript.hpp | 5 +- .../r1cs_gg_ppzksnark/ipp2/verifier.hpp | 4 +- .../r1cs_gg_ppzksnark/marshalling.hpp | 137 ++++++------ .../ppzksnark/r1cs_gg_ppzksnark/verifier.hpp | 3 +- .../systems/ppzksnark/r1cs_ppzksnark.hpp | 4 +- .../ppzksnark/r1cs_ppzksnark/generator.hpp | 25 ++- .../ppzksnark/r1cs_ppzksnark/prover.hpp | 15 +- .../r1cs_ppzksnark/verification_key.hpp | 5 +- .../ppzksnark/r1cs_ppzksnark/verifier.hpp | 49 +++-- .../ppzksnark/r1cs_se_ppzksnark/generator.hpp | 11 +- .../ppzksnark/r1cs_se_ppzksnark/proof.hpp | 1 - .../r1cs_se_ppzksnark/proving_key.hpp | 8 +- .../r1cs_se_ppzksnark/verification_key.hpp | 4 +- .../ppzksnark/r1cs_se_ppzksnark/verifier.hpp | 42 ++-- .../ppzksnark/tbcs_ppzksnark/prover.hpp | 6 +- .../ppzksnark/tbcs_ppzksnark/verifier.hpp | 10 +- .../ppzksnark/uscs_ppzksnark/generator.hpp | 48 ++--- .../ppzksnark/uscs_ppzksnark/proof.hpp | 1 - .../ppzksnark/uscs_ppzksnark/prover.hpp | 4 +- .../ppzksnark/uscs_ppzksnark/proving_key.hpp | 2 +- .../uscs_ppzksnark/verification_key.hpp | 3 +- .../ppzksnark/uscs_ppzksnark/verifier.hpp | 15 +- .../zk/snark/transcript/fiat_shamir.hpp | 27 ++- .../zk/snark/transcript/transcript.hpp | 56 ++--- test/systems/plonk/redshift.cpp | 6 +- 54 files changed, 783 insertions(+), 758 deletions(-) diff --git a/include/nil/crypto3/zk/snark/accumulation_vector.hpp b/include/nil/crypto3/zk/snark/accumulation_vector.hpp index 1f5454e23..ea04799ec 100644 --- a/include/nil/crypto3/zk/snark/accumulation_vector.hpp +++ b/include/nil/crypto3/zk/snark/accumulation_vector.hpp @@ -47,7 +47,7 @@ namespace nil { public: using group_type = Type; - + underlying_value_type first; sparse_vector rest; diff --git a/include/nil/crypto3/zk/snark/commitments/batched_kate.hpp b/include/nil/crypto3/zk/snark/commitments/batched_kate.hpp index a3ca96349..a950ba5cb 100644 --- a/include/nil/crypto3/zk/snark/commitments/batched_kate.hpp +++ b/include/nil/crypto3/zk/snark/commitments/batched_kate.hpp @@ -35,32 +35,29 @@ namespace nil { /** * @brief Based on the Ploynomial Commitment description from \[Plonk]. - * + * * References: * \[Plonk]: - * "PlonK: Permutations over Lagrange-bases for + * "PlonK: Permutations over Lagrange-bases for * Oecumenical Noninteractive arguments of Knowledge", * Ariel Gabizon, Zachary J. Williamson, Oana Ciobotaru, * Aztec, * */ - class batched_kate_commitment_scheme: commitment_scheme<...> { - typedef TCommitment ...; - typedef TDecommitmentInfo ...; - typedef TSRS ...; - typedef TData ...; - public: - - virtual std::pair commit (TSRS PK, TData phi){ + class batched_kate_commitment_scheme : commitment_scheme<...> { + typedef TCommitment...; + typedef TDecommitmentInfo...; + typedef TSRS...; + typedef TData...; + public: + virtual std::pair commit(TSRS PK, TData phi) { } - virtual ... open(TSRS PK, TCommitment C, TData phi, TDecommitmentInfo d){ - + virtual... open(TSRS PK, TCommitment C, TData phi, TDecommitmentInfo d) { } - virtual bool verify(TSRS PK, TCommitment C, TData phi, TDecommitmentInfo d){ - + virtual bool verify(TSRS PK, TCommitment C, TData phi, TDecommitmentInfo d) { } }; diff --git a/include/nil/crypto3/zk/snark/commitments/detail/element_knowledge_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/detail/element_knowledge_commitment.hpp index 015689a30..61853b942 100644 --- a/include/nil/crypto3/zk/snark/commitments/detail/element_knowledge_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/detail/element_knowledge_commitment.hpp @@ -53,7 +53,7 @@ namespace nil { template struct element_kc { - //using group_type = commitments; + // using group_type = commitments; typename Type1::value_type g; typename Type2::value_type h; @@ -178,27 +178,25 @@ namespace nil { return element_kc(rhs * lhs.g, rhs * lhs.h); } - template< - typename Type1, - typename Type2, - typename FieldValueType, - typename = typename std::enable_if< - algebra::is_field::value && - !algebra::is_extended_field::value, - FieldValueType>::type> + template::value && + !algebra::is_extended_field::value, + FieldValueType>::type> element_kc operator*(const FieldValueType &lhs, const element_kc &rhs) { return lhs.data * rhs; } - template< - typename Type1, - typename Type2, - typename FieldValueType, - typename = typename std::enable_if< - algebra::is_field::value && - !algebra::is_extended_field::value, - FieldValueType>::type> + template::value && + !algebra::is_extended_field::value, + FieldValueType>::type> element_kc operator*(const element_kc &lhs, const FieldValueType &rhs) { return lhs * rhs.data; diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index 16306ba2c..3b3d17b68 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -37,53 +37,52 @@ namespace nil { * @brief Based on the FRI Commitment description from \[ResShift]. * @tparam d ... * @tparam Rounds Denoted by r in \[RedShift]. - * + * * References: * \[RedShift]: - * "REDSHIFT: Transparent SNARKs from List + * "REDSHIFT: Transparent SNARKs from List * Polynomial Commitment IOPs", * Assimakis Kattis, Konstantin Panarin, Alexander Vlasov, * Matter Labs, * */ - template - class fri_commitment_scheme: commitment_scheme<...> { + template + class fri_commitment_scheme : commitment_scheme<...> { typedef std::array, Rounds> TCommitment; - typedef std::array TDecommitmentInfo; - typedef ... TSRS; - typedef std::tuple, std::array> TData; //f_0 and x_0...x_{r-1} + typedef std::array TDecommitmentInfo; + typedef... TSRS; + typedef std::tuple, std::array> + TData; // f_0 and x_0...x_{r-1} public: - - virtual std::pair commit (TSRS PK, TData data){ + virtual std::pair commit(TSRS PK, TData data) { TCommitment f; f[0] = std::get<0>(data); - for (std::size_t i = 0; i < Rounds - 1; i++){ + for (std::size_t i = 0; i < Rounds - 1; i++) { math::polynomial<...> p_yi = math::make_interpolant(f[i], S_y(x)); f[i + 1] = p_yi(std::get<1>(data)[i]); } - math::polynomial<...> p_yr = math::make_interpolant(f[r-1], S_y(x)); + math::polynomial<...> p_yr = math::make_interpolant(f[r - 1], S_y(x)); math::polynomial<...> f_r = p_yr(std::get<1>(data)[r]); - std::array a = math::get_polynom_coefs(f_r); + std::array a = math::get_polynom_coefs(f_r); return std::make_pair(f, a); } - virtual ... open(TSRS PK, TCommitment C, TData phi, TDecommitmentInfo d){ - + virtual... open(TSRS PK, TCommitment C, TData phi, TDecommitmentInfo d) { } - virtual bool verify(TSRS PK, TCommitment f, ... a, TDecommitmentInfo d){ + virtual bool verify(TSRS PK, TCommitment f, ... a, TDecommitmentInfo d) { a = get<1>(C); math::polynomial f_r(a); std::array<..., r + 1> s; s[0] = random<...>(...); - for (std::size_t i = 0; i < r; i++){ + for (std::size_t i = 0; i < r; i++) { s[i + 1] = q(s[i]); } diff --git a/include/nil/crypto3/zk/snark/commitments/knowledge_commitment_multiexp.hpp b/include/nil/crypto3/zk/snark/commitments/knowledge_commitment_multiexp.hpp index c2d3ae17a..20bb4e970 100644 --- a/include/nil/crypto3/zk/snark/commitments/knowledge_commitment_multiexp.hpp +++ b/include/nil/crypto3/zk/snark/commitments/knowledge_commitment_multiexp.hpp @@ -129,8 +129,10 @@ namespace nil { for (std::size_t pos = start_pos; pos != end_pos; ++pos) { if (!v[pos].is_zero()) { res.values.emplace_back(typename knowledge_commitment::value_type( - algebra::windowed_exp(scalar_size, T1_window, T1_table, T1_coeff * v[pos]), - algebra::windowed_exp(scalar_size, T2_window, T2_table, T2_coeff * v[pos]))); + algebra::windowed_exp(scalar_size, T1_window, T1_table, + T1_coeff * v[pos]), + algebra::windowed_exp(scalar_size, T2_window, T2_table, + T2_coeff * v[pos]))); res.indices.emplace_back(pos); } } diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index 5d1d95a99..73b1a08d0 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -43,17 +43,21 @@ namespace nil { * @brief Based on the FRI Commitment description from \[ResShift]. * @tparam d ... * @tparam Rounds Denoted by r in \[RedShift]. - * + * * References: * \[RedShift]: - * "REDSHIFT: Transparent SNARKs from List + * "REDSHIFT: Transparent SNARKs from List * Polynomial Commitment IOPs", * Assimakis Kattis, Konstantin Panarin, Alexander Vlasov, * Matter Labs, * */ - template + template class list_polynomial_commitment_scheme { typedef Hash transcript_hash_type; @@ -61,21 +65,21 @@ namespace nil { typedef typename containers::merkle_tree merkle_tree_type; typedef typename containers::merkle_proof merkle_proof_type; - // static const math::polynomial::polynom + // static const math::polynomial::polynom // q = {0, 0, 1}; struct transcript_round_manifest { - enum challenges_ids {x, y}; + enum challenges_ids { x, y }; }; public: - using openning_type = merkle_proof_type; using commitment_type = typename merkle_tree_type::value_type; struct proof_type { - proof_type(){} + proof_type() { + } std::array z_openings; std::array, lambda> alpha_openings; @@ -83,22 +87,20 @@ namespace nil { std::array, lambda> f_commitments; - std::array, lambda> - f_ip1_coefficients; + std::array, lambda> f_ip1_coefficients; }; - // The result of this function is not commitment_type (as it would expected), - // but the built Merkle tree. This is done so, because we often need to reuse + // The result of this function is not commitment_type (as it would expected), + // but the built Merkle tree. This is done so, because we often need to reuse // the built Merkle tree - // After this function + // After this function // result.root(); // should be called - static merkle_tree_type commit ( - const math::polynomial::polynom &f, - const std::vector &D){ + static merkle_tree_type commit(const math::polynomial::polynom &f, + const std::vector &D) { std::vector y; - for (typename FieldType::value_type H : D){ + for (typename FieldType::value_type H : D) { y.push_back(f.evaluate(H)); } @@ -106,83 +108,82 @@ namespace nil { return merkle_tree_type(y_data); } - static proof_type proof_eval ( - std::array evaluation_points, - const merkle_tree_type &T, - const math::polynomial::polynom &f, - const std::vector &D){ + static proof_type proof_eval(std::array evaluation_points, + const merkle_tree_type &T, + const math::polynomial::polynom &f, + const std::vector &D) { // temporary definition, until polynom is constexpr - const math::polynomial::polynom - q = {0, 0, 1}; + const math::polynomial::polynom q = {0, 0, 1}; proof_type proof; fiat_shamir_heuristic transcript; std::array &z_openings = proof.z_openings; - std::array, k> U_interpolation_points; + std::array, k> + U_interpolation_points; - for (std::size_t j = 0; j < k; j++){ - typename FieldType::value_type z_j = - f.evaluate(evaluation_points[j]); + for (std::size_t j = 0; j < k; j++) { + typename FieldType::value_type z_j = f.evaluate(evaluation_points[j]); std::size_t leaf_index = std::find(D.begin(), D.end(), evaluation_points[j]) - D.begin(); z_openings[j] = merkle_proof_type(T, leaf_index); U_interpolation_points[j] = std::make_pair(evaluation_points[j], z_j); } - math::polynomial::polynom - U = math::polynomial::lagrange_interpolation(U_interpolation_points); + math::polynomial::polynom U = + math::polynomial::lagrange_interpolation(U_interpolation_points); - math::polynomial::polynom - Q = (f - U); - for (std::size_t j = 0; j < k; j++){ - math::polynomial::polynom denominator_polynom = - {- evaluation_points[j], 1}; - Q = Q/denominator_polynom; + math::polynomial::polynom Q = (f - U); + for (std::size_t j = 0; j < k; j++) { + math::polynomial::polynom denominator_polynom = { + -evaluation_points[j], 1}; + Q = Q / denominator_polynom; } - for (std::size_t round_id = 0; round_id < lambda; round_id++){ + for (std::size_t round_id = 0; round_id < lambda; round_id++) { math::polynomial::polynom f_i = Q; - typename FieldType::value_type x_i = - transcript.template get_challenge(); + typename FieldType::value_type x_i = + transcript + .template get_challenge(); - std::array &alpha_openings = proof.alpha_openings[round_id]; + std::array &alpha_openings = proof.alpha_openings[round_id]; std::array &f_y_openings = proof.f_y_openings[round_id]; std::array &f_commitments = proof.f_commitments[round_id]; - std::vector &f_ip1_coefficients = + std::vector &f_ip1_coefficients = proof.f_ip1_coefficients[round_id]; merkle_tree_type f_i_tree = T; - auto y_arr = - transcript.template get_challenges(); - - for (std::size_t i = 0; i <= r-1; i++){ + auto y_arr = + transcript.template get_challenges(); - // typename FieldType::value_type y_i = - // transcript.template get_challenge(); + for (std::size_t i = 0; i <= r - 1; i++) { - math::polynomial::polynom - sqr_polynom = {y_arr[i], 0, -1}; - std::array s ; - // = math::polynomial::get_roots(sqr_polynom); + // typename FieldType::value_type y_i = + // transcript.template get_challenge(); - std::array, m> p_y_i_interpolation_points; + math::polynomial::polynom sqr_polynom = {y_arr[i], 0, + -1}; + std::array s; + // = math::polynomial::get_roots(sqr_polynom); + std::array, m> + p_y_i_interpolation_points; - for (std::size_t j = 0; j < m; j++){ + for (std::size_t j = 0; j < m; j++) { typename FieldType::value_type alpha_i_j = f_i.evaluate(s[j]); std::size_t leaf_index = std::find(D.begin(), D.end(), s[j]) - D.begin(); - alpha_openings[m*i + j] = merkle_proof_type(f_i_tree, leaf_index); + alpha_openings[m * i + j] = merkle_proof_type(f_i_tree, leaf_index); p_y_i_interpolation_points[j] = std::make_pair(s[j], alpha_i_j); } - math::polynomial::polynom - p_y_i = math::polynomial::lagrange_interpolation(p_y_i_interpolation_points); + math::polynomial::polynom p_y_i = + math::polynomial::lagrange_interpolation(p_y_i_interpolation_points); f_i = p_y_i; @@ -192,7 +193,7 @@ namespace nil { x_i = q.evaluate(x_i); - if (i < r - 1){ + if (i < r - 1) { f_i_tree = commit(f_i, D); f_commitments[i] = f_i_tree.root(); transcript(f_commitments[i]); @@ -205,100 +206,103 @@ namespace nil { return proof; } - static bool verify_eval (std::array evaluation_points, - commitment_type root, - proof_type proof, - const std::vector &D){ + static bool verify_eval(std::array evaluation_points, + commitment_type root, + proof_type proof, + const std::vector &D) { // temporary definition, until polynom is constexpr - const math::polynomial::polynom - q = {0, 0, 1}; + const math::polynomial::polynom q = {0, 0, 1}; fiat_shamir_heuristic transcript; std::array &z_openings = proof.z_openings; - std::array, k> U_interpolation_points; + std::array, k> + U_interpolation_points; - for (std::size_t j = 0; j < k; j++){ - typename FieldType::value_type z_j ; - // = algebra::marshalling(z_openings[j].leaf); - if (!z_openings[j].validate(root)){ + for (std::size_t j = 0; j < k; j++) { + typename FieldType::value_type z_j; + // = algebra::marshalling(z_openings[j].leaf); + if (!z_openings[j].validate(root)) { return false; } U_interpolation_points[j] = std::make_pair(evaluation_points[j], z_j); } - math::polynomial::polynom - U = math::polynomial::lagrange_interpolation(U_interpolation_points); + math::polynomial::polynom U = + math::polynomial::lagrange_interpolation(U_interpolation_points); - math::polynomial::polynom Q ; + math::polynomial::polynom Q; // = (f - U); // for (std::size_t j = 0; j < k; j++){ // Q = Q/(x - U_interpolation_points[j]); // } - for (std::size_t round_id = 0; round_id < lambda; round_id++){ + for (std::size_t round_id = 0; round_id < lambda; round_id++) { math::polynomial::polynom f_i = Q; - typename FieldType::value_type x_i = - transcript.template get_challenge(); + typename FieldType::value_type x_i = + transcript + .template get_challenge(); - std::array &alpha_openings = proof.alpha_openings[round_id]; + std::array &alpha_openings = proof.alpha_openings[round_id]; std::array &f_y_openings = proof.f_y_openings[round_id]; std::array &f_commitments = proof.f_commitments[round_id]; - std::vector &f_ip1_coefficients = + std::vector &f_ip1_coefficients = proof.f_ip1_coefficients[round_id]; commitment_type &f_i_tree_root = root; - auto y_arr = - transcript.template get_challenges(); + auto y_arr = + transcript.template get_challenges(); - for (std::size_t i = 0; i <= r-1; i++){ + for (std::size_t i = 0; i <= r - 1; i++) { - math::polynomial::polynom sqr_polynom = {y_arr[i], 0, -1}; - std::array s ; - // = math::polynomial::get_roots(sqr_polynom); + math::polynomial::polynom sqr_polynom = {y_arr[i], 0, + -1}; + std::array s; + // = math::polynomial::get_roots(sqr_polynom); - std::array, m> p_y_i_interpolation_points; + std::array, m> + p_y_i_interpolation_points; - for (std::size_t j = 0; j < m; j++){ + for (std::size_t j = 0; j < m; j++) { typename FieldType::value_type alpha_i_j; - // = algebra::marshalling(alpha_openings[m*i + j].leaf); - if (!alpha_openings[m*i + j].validate(f_i_tree_root)){ + // = algebra::marshalling(alpha_openings[m*i + j].leaf); + if (!alpha_openings[m * i + j].validate(f_i_tree_root)) { return false; } p_y_i_interpolation_points[j] = std::make_pair(s[j], alpha_i_j); } - math::polynomial::polynom - p_y_i = math::polynomial::lagrange_interpolation(p_y_i_interpolation_points); + math::polynomial::polynom p_y_i = + math::polynomial::lagrange_interpolation(p_y_i_interpolation_points); - typename FieldType::value_type f_y_i ; - // = algebra::marshalling(f_y_openings[i].leaf); - if (!f_y_openings[i].validate(f_i_tree_root)){ + typename FieldType::value_type f_y_i; + // = algebra::marshalling(f_y_openings[i].leaf); + if (!f_y_openings[i].validate(f_i_tree_root)) { return false; } - if (f_y_i != p_y_i.evaluate(x_i)){ + if (f_y_i != p_y_i.evaluate(x_i)) { return false; } x_i = q.evaluate(x_i); - if (i < r - 1){ - if (f_i != p_y_i){ + if (i < r - 1) { + if (f_i != p_y_i) { return false; } f_commitments[i] = commit(f_i, D).root(); transcript(f_commitments[i]); } else { - if (f_i != p_y_i){ + if (f_i != p_y_i) { return false; } diff --git a/include/nil/crypto3/zk/snark/commitments/pickles.hpp b/include/nil/crypto3/zk/snark/commitments/pickles.hpp index 61ed2f24c..33398aa27 100644 --- a/include/nil/crypto3/zk/snark/commitments/pickles.hpp +++ b/include/nil/crypto3/zk/snark/commitments/pickles.hpp @@ -33,10 +33,9 @@ namespace nil { namespace zk { namespace snark { - template + template class pickles_commitment_scheme { public: - using evaluation_type = typename CurveType::scalar_field_type::value_type; using commitment_type = typename CurveType::value_type; @@ -45,11 +44,9 @@ namespace nil { } struct proof_type { - }; - static commitment_type commit (){ - + static commitment_type commit() { } }; diff --git a/include/nil/crypto3/zk/snark/reductions/r1cs_to_sap.hpp b/include/nil/crypto3/zk/snark/reductions/r1cs_to_sap.hpp index 846ba3b82..e2cb82cd5 100644 --- a/include/nil/crypto3/zk/snark/reductions/r1cs_to_sap.hpp +++ b/include/nil/crypto3/zk/snark/reductions/r1cs_to_sap.hpp @@ -88,7 +88,7 @@ namespace nil { * constraints come from. */ return math::make_evaluation_domain(2 * cs.num_constraints() + - 2 * cs.num_inputs() + 1); + 2 * cs.num_inputs() + 1); } /** @@ -99,8 +99,10 @@ namespace nil { std::size_t sap_num_variables = cs.num_variables() + cs.num_constraints() + cs.num_inputs(); - std::vector> A_in_Lagrange_basis(sap_num_variables + 1); - std::vector> C_in_Lagrange_basis(sap_num_variables + 1); + std::vector> A_in_Lagrange_basis( + sap_num_variables + 1); + std::vector> C_in_Lagrange_basis( + sap_num_variables + 1); /** * process R1CS constraints, converting a constraint of the form @@ -173,10 +175,8 @@ namespace nil { C_in_Lagrange_basis[0][extra_constr_offset] = FieldType::value_type::one(); for (std::size_t i = 1; i <= cs.num_inputs(); ++i) { - A_in_Lagrange_basis[i][extra_constr_offset + 2 * i - 1] += - FieldType::value_type::one(); - A_in_Lagrange_basis[0][extra_constr_offset + 2 * i - 1] += - FieldType::value_type::one(); + A_in_Lagrange_basis[i][extra_constr_offset + 2 * i - 1] += FieldType::value_type::one(); + A_in_Lagrange_basis[0][extra_constr_offset + 2 * i - 1] += FieldType::value_type::one(); C_in_Lagrange_basis[i][extra_constr_offset + 2 * i - 1] += times_four(FieldType::value_type::one()); C_in_Lagrange_basis[extra_var_offset2 + i][extra_constr_offset + 2 * i - 1] += @@ -395,9 +395,10 @@ namespace nil { coefficients_for_H[0] -= d2; domain->add_poly_z(d1 * d1, coefficients_for_H); - math::multiply_by_coset(aA, - typename FieldType::value_type( - fields::arithmetic_params::multiplicative_generator)); + math::multiply_by_coset( + aA, + typename FieldType::value_type( + fields::arithmetic_params::multiplicative_generator)); domain->fft(aA); std::vector &H_tmp = @@ -432,9 +433,10 @@ namespace nil { domain->inverse_fft(aC); - math::multiply_by_coset(aC, - typename FieldType::value_type( - fields::arithmetic_params::multiplicative_generator)); + math::multiply_by_coset( + aC, + typename FieldType::value_type( + fields::arithmetic_params::multiplicative_generator)); domain->fft(aC); #ifdef MULTICORE diff --git a/include/nil/crypto3/zk/snark/relations/arithmetic_programs/qap.hpp b/include/nil/crypto3/zk/snark/relations/arithmetic_programs/qap.hpp index 56ad3d1d5..8dd8d6de0 100644 --- a/include/nil/crypto3/zk/snark/relations/arithmetic_programs/qap.hpp +++ b/include/nil/crypto3/zk/snark/relations/arithmetic_programs/qap.hpp @@ -272,26 +272,25 @@ namespace nil { field_value_type ans_C = this->Ct[0] + witness.d3 * this->Zt; field_value_type ans_H = field_value_type::zero(); - ans_A = ans_A + algebra::inner_product(this->At.begin() + 1, - this->At.begin() + 1 + this->num_variables, - witness.coefficients_for_ABCs.begin(), - witness.coefficients_for_ABCs.begin() + - this->num_variables); - ans_B = ans_B + algebra::inner_product(this->Bt.begin() + 1, - this->Bt.begin() + 1 + this->num_variables, - witness.coefficients_for_ABCs.begin(), - witness.coefficients_for_ABCs.begin() + - this->num_variables); - ans_C = ans_C + algebra::inner_product(this->Ct.begin() + 1, - this->Ct.begin() + 1 + this->num_variables, - witness.coefficients_for_ABCs.begin(), - witness.coefficients_for_ABCs.begin() + - this->num_variables); + ans_A = + ans_A + algebra::inner_product(this->At.begin() + 1, + this->At.begin() + 1 + this->num_variables, + witness.coefficients_for_ABCs.begin(), + witness.coefficients_for_ABCs.begin() + this->num_variables); + ans_B = + ans_B + algebra::inner_product(this->Bt.begin() + 1, + this->Bt.begin() + 1 + this->num_variables, + witness.coefficients_for_ABCs.begin(), + witness.coefficients_for_ABCs.begin() + this->num_variables); + ans_C = + ans_C + algebra::inner_product(this->Ct.begin() + 1, + this->Ct.begin() + 1 + this->num_variables, + witness.coefficients_for_ABCs.begin(), + witness.coefficients_for_ABCs.begin() + this->num_variables); ans_H = ans_H + algebra::inner_product(this->Ht.begin(), - this->Ht.begin() + this->degree + 1, - witness.coefficients_for_H.begin(), - witness.coefficients_for_H.begin() + - this->degree + 1); + this->Ht.begin() + this->degree + 1, + witness.coefficients_for_H.begin(), + witness.coefficients_for_H.begin() + this->degree + 1); if (ans_A * ans_B - ans_C != ans_H * this->Zt) { return false; diff --git a/include/nil/crypto3/zk/snark/relations/arithmetic_programs/sap.hpp b/include/nil/crypto3/zk/snark/relations/arithmetic_programs/sap.hpp index cde925807..3d91a8da8 100644 --- a/include/nil/crypto3/zk/snark/relations/arithmetic_programs/sap.hpp +++ b/include/nil/crypto3/zk/snark/relations/arithmetic_programs/sap.hpp @@ -253,21 +253,20 @@ namespace nil { typename FieldType::value_type ans_C = this->Ct[0] + witness.d2 * this->Zt; typename FieldType::value_type ans_H = FieldType::value_type::zero(); - ans_A = ans_A + algebra::inner_product(this->At.begin() + 1, - this->At.begin() + 1 + this->num_variables, - witness.coefficients_for_ACs.begin(), - witness.coefficients_for_ACs.begin() + - this->num_variables); - ans_C = ans_C + algebra::inner_product(this->Ct.begin() + 1, - this->Ct.begin() + 1 + this->num_variables, - witness.coefficients_for_ACs.begin(), - witness.coefficients_for_ACs.begin() + - this->num_variables); + ans_A = + ans_A + algebra::inner_product(this->At.begin() + 1, + this->At.begin() + 1 + this->num_variables, + witness.coefficients_for_ACs.begin(), + witness.coefficients_for_ACs.begin() + this->num_variables); + ans_C = + ans_C + algebra::inner_product(this->Ct.begin() + 1, + this->Ct.begin() + 1 + this->num_variables, + witness.coefficients_for_ACs.begin(), + witness.coefficients_for_ACs.begin() + this->num_variables); ans_H = ans_H + algebra::inner_product(this->Ht.begin(), - this->Ht.begin() + this->degree + 1, - witness.coefficients_for_H.begin(), - witness.coefficients_for_H.begin() + - this->degree + 1); + this->Ht.begin() + this->degree + 1, + witness.coefficients_for_H.begin(), + witness.coefficients_for_H.begin() + this->degree + 1); if (ans_A * ans_A - ans_C != ans_H * this->Zt) { return false; diff --git a/include/nil/crypto3/zk/snark/relations/arithmetic_programs/ssp.hpp b/include/nil/crypto3/zk/snark/relations/arithmetic_programs/ssp.hpp index 4a1aa84bb..08123fc28 100644 --- a/include/nil/crypto3/zk/snark/relations/arithmetic_programs/ssp.hpp +++ b/include/nil/crypto3/zk/snark/relations/arithmetic_programs/ssp.hpp @@ -236,16 +236,15 @@ namespace nil { typename FieldType::value_type ans_V = this->Vt[0] + witness.d * this->Zt; typename FieldType::value_type ans_H = FieldType::value_type::zero(); - ans_V = ans_V + algebra::inner_product(this->Vt.begin() + 1, - this->Vt.begin() + 1 + this->num_variables, - witness.coefficients_for_Vs.begin(), - witness.coefficients_for_Vs.begin() + - this->num_variables); + ans_V = + ans_V + algebra::inner_product(this->Vt.begin() + 1, + this->Vt.begin() + 1 + this->num_variables, + witness.coefficients_for_Vs.begin(), + witness.coefficients_for_Vs.begin() + this->num_variables); ans_H = ans_H + algebra::inner_product(this->Ht.begin(), - this->Ht.begin() + this->degree + 1, - witness.coefficients_for_H.begin(), - witness.coefficients_for_H.begin() + - this->degree + 1); + this->Ht.begin() + this->degree + 1, + witness.coefficients_for_H.begin(), + witness.coefficients_for_H.begin() + this->degree + 1); if (ans_V.squared() - FieldType::value_type::one() != ans_H * this->Zt) { return false; diff --git a/include/nil/crypto3/zk/snark/relations/linear_combination.hpp b/include/nil/crypto3/zk/snark/relations/linear_combination.hpp index cd1f03658..f75a3477b 100644 --- a/include/nil/crypto3/zk/snark/relations/linear_combination.hpp +++ b/include/nil/crypto3/zk/snark/relations/linear_combination.hpp @@ -86,7 +86,7 @@ namespace nil { // } linear_term operator-() const { - return linear_term(this->index) *(-this->coeff); + return linear_term(this->index) * (-this->coeff); } bool operator==(const linear_term &other) const { @@ -96,18 +96,20 @@ namespace nil { template linear_term operator*(const typename FieldType::value_type &field_coeff, - const linear_term <) { + const linear_term <) { return lt * field_coeff; } // template - // linear_combination operator+(const typename FieldType::value_type &field_coeff, + // linear_combination operator+(const typename FieldType::value_type + // &field_coeff, // const linear_term <) { // return linear_combination(field_coeff) + lt; // } // template - // linear_combination operator-(const typename FieldType::value_type &field_coeff, + // linear_combination operator-(const typename FieldType::value_type + // &field_coeff, // const linear_term <) { // return linear_combination(field_coeff) - lt; // } @@ -121,7 +123,7 @@ namespace nil { class linear_combination { typedef FieldType field_type; typedef typename field_type::value_type field_value_type; - + constexpr static const bool RotationSupport = false; public: @@ -144,7 +146,8 @@ namespace nil { terms = all_terms; std::sort(terms.begin(), terms.end(), - [](linear_term a, linear_term b) { return a.index < b.index; }); + [](linear_term a, + linear_term b) { return a.index < b.index; }); auto result_it = terms.begin(); for (auto it = ++terms.begin(); it != terms.end(); ++it) { @@ -169,7 +172,8 @@ namespace nil { void add_term(const variable &var) { this->terms.emplace_back(linear_term(var)); } - void add_term(const variable &var, const field_value_type &field_coeff) { + void add_term(const variable &var, + const field_value_type &field_coeff) { this->terms.emplace_back(linear_term(var) * field_coeff); } void add_term(const linear_term <) { @@ -209,8 +213,9 @@ namespace nil { ++it2; } else { /* it1->index == it2->index */ - result.terms.emplace_back( - linear_term(variable(it1->index)) * (it1->coeff + it2->coeff)); + result.terms.emplace_back(linear_term( + variable(it1->index)) * + (it1->coeff + it2->coeff)); ++it1; ++it2; } @@ -235,11 +240,13 @@ namespace nil { std::vector> thisterms = this->terms; std::sort(thisterms.begin(), thisterms.end(), - [](linear_term a, linear_term b) { return a.index < b.index; }); + [](linear_term a, + linear_term b) { return a.index < b.index; }); std::vector> otherterms = other.terms; std::sort(otherterms.begin(), otherterms.end(), - [](linear_term a, linear_term b) { return a.index < b.index; }); + [](linear_term a, + linear_term b) { return a.index < b.index; }); return (thisterms == otherterms); } @@ -263,20 +270,23 @@ namespace nil { }; template - linear_combination operator*(const typename FieldType::value_type &field_coeff, - const linear_combination &lc) { + linear_combination + operator*(const typename FieldType::value_type &field_coeff, + const linear_combination &lc) { return lc * field_coeff; } template - linear_combination operator+(const typename FieldType::value_type &field_coeff, - const linear_combination &lc) { + linear_combination + operator+(const typename FieldType::value_type &field_coeff, + const linear_combination &lc) { return linear_combination(field_coeff) + lc; } template - linear_combination operator-(const typename FieldType::value_type &field_coeff, - const linear_combination &lc) { + linear_combination + operator-(const typename FieldType::value_type &field_coeff, + const linear_combination &lc) { return linear_combination(field_coeff) - lc; } } // namespace snark diff --git a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp index 724038f89..490a35f6f 100644 --- a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp +++ b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp @@ -49,10 +49,10 @@ namespace nil { /****************************** Linear term **********************************/ /** - * A linear term represents a formal expression of the form + * A linear term represents a formal expression of the form * "coeff * w^{wire_index_1}_{rotation_1} * ... * w^{wire_index_k}_{rotation_k}". */ - template + template class non_linear_term; template @@ -67,7 +67,7 @@ namespace nil { field_value_type coeff; non_linear_term() {}; - + non_linear_term(const variable &var) : coeff(field_value_type::one()) { vars.push_back(var); } @@ -75,8 +75,7 @@ namespace nil { non_linear_term(const field_value_type &field_val) : coeff(field_val) { } - non_linear_term( - std::vector> vars) : + non_linear_term(std::vector> vars) : vars(vars), coeff(field_value_type::one()) { } @@ -89,57 +88,61 @@ namespace nil { non_linear_term operator*(const non_linear_term &other) const { non_linear_term result(this->vars); - std::copy (other.vars.begin(), other.vars.end(), std::back_inserter(result.vars)); + std::copy(other.vars.begin(), other.vars.end(), std::back_inserter(result.vars)); result.coeff = other.coeff * this->coeff; return result; } - // non_linear_combination operator+(const non_linear_combination &other) const { + // non_linear_combination operator+(const non_linear_combination &other) + // const { // return non_linear_combination(*this) + other; // } - // non_linear_combination operator-(const non_linear_combination &other) const { + // non_linear_combination operator-(const non_linear_combination &other) + // const { // return (*this) + (-other); // } non_linear_term operator-() const { - return non_linear_term(this->vars)* (-this->coeff); + return non_linear_term(this->vars) * (-this->coeff); } }; template - non_linear_term operator*( - const typename FieldType::value_type &field_coeff, - const non_linear_term &nlt) { + non_linear_term + operator*(const typename FieldType::value_type &field_coeff, + const non_linear_term &nlt) { return nlt * field_coeff; } template - non_linear_combination operator+( - const typename FieldType::value_type &field_coeff, - const non_linear_term &nlt) { + non_linear_combination + operator+(const typename FieldType::value_type &field_coeff, + const non_linear_term &nlt) { return non_linear_combination(field_coeff) + nlt; } template - non_linear_combination operator-( - const typename FieldType::value_type &field_coeff, - const non_linear_term &nlt) { + non_linear_combination + operator-(const typename FieldType::value_type &field_coeff, + const non_linear_term &nlt) { return non_linear_combination(field_coeff) - nlt; } template - non_linear_combination operator+( - const non_linear_term &A, - const non_linear_term &B) { - return non_linear_combination(A) + non_linear_combination(B); + non_linear_combination + operator+(const non_linear_term &A, + const non_linear_term &B) { + return non_linear_combination(A) + + non_linear_combination(B); } template - non_linear_combination operator-( - const non_linear_term &A, - const non_linear_term &B) { - return non_linear_combination(A) - non_linear_combination(B); + non_linear_combination + operator-(const non_linear_term &A, + const non_linear_term &B) { + return non_linear_combination(A) - + non_linear_combination(B); } /***************************** Linear combination ****************************/ @@ -167,7 +170,7 @@ namespace nil { non_linear_combination(const non_linear_term &nlt) { this->add_term(nlt); } - non_linear_combination(const std::vector> &terms): + non_linear_combination(const std::vector> &terms) : terms(terms) { } @@ -187,39 +190,40 @@ namespace nil { void add_term(const variable &var) { this->terms.emplace_back(non_linear_term(var)); } - void add_term(const variable &var, const field_value_type &field_coeff) { + void add_term(const variable &var, + const field_value_type &field_coeff) { this->terms.emplace_back(non_linear_term(var) * field_coeff); } void add_term(const non_linear_term &nlt) { this->terms.emplace_back(nlt); } - template - field_value_type evaluate(std::size_t row_index, - const std::array, WiresAmount> &assignment) const { + template + field_value_type + evaluate(std::size_t row_index, + const std::array, WiresAmount> &assignment) const { field_value_type acc = field_value_type::zero(); for (non_linear_combination &nlt : terms) { field_value_type term_value = nlt.coeff; - for (variable &var: nlt.vars){ + for (variable &var : nlt.vars) { term_value *= assignment[var.wire_index][row_index + var.rotation]; - } acc += assignment[nlt.vars] * nlt.coeff; } return acc; } - template - math::polynomial::polynom evaluate(std::size_t row_index, + template + math::polynomial::polynom evaluate( + std::size_t row_index, const std::array, WiresAmount> &assignment) const { math::polynomial::polynom acc = {0}; for (non_linear_combination &nlt : terms) { math::polynomial::polynom term_value = {nlt.coeff}; - for (variable &var: nlt.vars){ + for (variable &var : nlt.vars) { term_value *= assignment[var.wire_index]; - } acc += assignment[nlt.vars] * nlt.coeff; } @@ -240,7 +244,7 @@ namespace nil { result.terms.insert(result.terms.end(), this->terms.begin(), this->terms.end()); result.terms.insert(result.terms.end(), other.terms.begin(), other.terms.end()); - + return result; } non_linear_combination operator-(const non_linear_combination &other) const { @@ -250,22 +254,21 @@ namespace nil { return (*this) * (-field_value_type::one()); } - void sort(){ + void sort() { std::sort(terms.begin(), terms.end()); std::vector> new_terms; - if (terms.size()){ + if (terms.size()) { new_terms.push_back(terms[0]); - for (std::size_t i = 1; i < terms.size(); i++){ - if (terms[i].vars == terms[i-1].vars){ - (new_terms.end() - 1)->coeff+=terms[i].coeff; + for (std::size_t i = 1; i < terms.size(); i++) { + if (terms[i].vars == terms[i - 1].vars) { + (new_terms.end() - 1)->coeff += terms[i].coeff; } else { new_terms.push_back(terms[i]); } } } - } bool operator==(const non_linear_combination &other) { @@ -278,15 +281,16 @@ namespace nil { }; template - non_linear_combination operator*(const typename FieldType::value_type &field_coeff, - const non_linear_combination &lc) { + non_linear_combination + operator*(const typename FieldType::value_type &field_coeff, + const non_linear_combination &lc) { return lc * field_coeff; } template - non_linear_combination operator*( - const non_linear_combination &A, - const non_linear_combination &B) { + non_linear_combination + operator*(const non_linear_combination &A, + const non_linear_combination &B) { non_linear_combination result; result.terms.reserve(A.terms.size() * B.terms.size()); @@ -299,43 +303,44 @@ namespace nil { } template - non_linear_combination operator*( - const variable &var, - const non_linear_combination &A) { + non_linear_combination + operator*(const variable &var, + const non_linear_combination &A) { non_linear_combination result; - result.terms.reserve(A.terms.size() ); - - + result.terms.reserve(A.terms.size()); for (const non_linear_term &this_nlt : A.terms) { - result.terms.emplace_back(this_nlt * var); + result.terms.emplace_back(this_nlt * var); } return result; } template - non_linear_combination operator+(const typename FieldType::value_type &field_coeff, - const non_linear_combination &lc) { + non_linear_combination + operator+(const typename FieldType::value_type &field_coeff, + const non_linear_combination &lc) { return non_linear_combination(field_coeff) + lc; } template - non_linear_combination operator+( - const non_linear_combination &lc, - const typename FieldType::value_type &field_coeff) { + non_linear_combination + operator+(const non_linear_combination &lc, + const typename FieldType::value_type &field_coeff) { return field_coeff + lc; } template - non_linear_combination operator-(const typename FieldType::value_type &field_coeff, - const non_linear_combination &lc) { + non_linear_combination + operator-(const typename FieldType::value_type &field_coeff, + const non_linear_combination &lc) { return non_linear_combination(field_coeff) - lc; } template - non_linear_combination operator-(const non_linear_combination &lc, - const typename FieldType::value_type &field_coeff) { + non_linear_combination + operator-(const non_linear_combination &lc, + const typename FieldType::value_type &field_coeff) { return -(field_coeff - lc); } diff --git a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp index edfaec0c2..264efbcc1 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp @@ -63,7 +63,7 @@ namespace nil { std::vector> constraints; - plonk_constraint_system(){ + plonk_constraint_system() { } constexpr std::size_t num_wires() const { @@ -74,10 +74,11 @@ namespace nil { return constraints.size(); } - bool is_satisfied(plonk_variable_assignment full_variable_assignment) const { + bool + is_satisfied(plonk_variable_assignment full_variable_assignment) const { for (std::size_t c = 0; c < constraints.size(); ++c) { - if(!constraints[c].a.evaluate(full_variable_assignment).is_zero()) { + if (!constraints[c].a.evaluate(full_variable_assignment).is_zero()) { return false; } } @@ -85,37 +86,37 @@ namespace nil { return true; } - std::vector> get_copy_constraints(){ - + std::vector> get_copy_constraints() { } - std::vector> get_selectors(){ - + std::vector> get_selectors() { } - std::vector> get_lookups(){ - + std::vector> get_lookups() { } - std::vector> get_polynoms( - plonk_variable_assignment full_variable_assignment) const{ + std::vector> + get_polynoms(plonk_variable_assignment full_variable_assignment) const { - std::vector> result(constraints.size()); + std::vector> result( + constraints.size()); - std::array, WiresAmount> wire_polynomials; - for (std::size_t wire_index = 0; wire_index < WiresAmount; wire_index++){ - wire_polynomials[wire_index] = math::polynomial::lagrange_interpolation(full_variable_assignment[wire_index]); + std::array, WiresAmount> + wire_polynomials; + for (std::size_t wire_index = 0; wire_index < WiresAmount; wire_index++) { + wire_polynomials[wire_index] = + math::polynomial::lagrange_interpolation(full_variable_assignment[wire_index]); } - for (std::size_t constraint_index = 0; constraint_index < constraints.size(); constraint_index++){ + for (std::size_t constraint_index = 0; constraint_index < constraints.size(); + constraint_index++) { + + for (auto &term : constraints[constraint_index].terms) { - for (auto &term: constraints[constraint_index].terms){ - - math::polynomial::polynom - term_polynom = {term.coeff}; + math::polynomial::polynom term_polynom = {term.coeff}; // TODO: Rotation isn't taken into consideration - for (auto &var: term.vars){ + for (auto &var : term.vars) { term_polynom = term_polynom * wire_polynomials[var.wire_index]; } @@ -124,7 +125,6 @@ namespace nil { } return result; - } void add_constraint(const plonk_constraint &c) { diff --git a/include/nil/crypto3/zk/snark/relations/variable.hpp b/include/nil/crypto3/zk/snark/relations/variable.hpp index 9d945339c..b8a6aa0a8 100644 --- a/include/nil/crypto3/zk/snark/relations/variable.hpp +++ b/include/nil/crypto3/zk/snark/relations/variable.hpp @@ -72,11 +72,13 @@ namespace nil { variable(const index_type index = 0) : index(index) {}; - linear_term operator*(const typename FieldType::value_type &field_coeff) const { - return linear_term(*this)* field_coeff; + linear_term + operator*(const typename FieldType::value_type &field_coeff) const { + return linear_term(*this) * field_coeff; } - linear_combination operator+(const linear_combination &other) const { + linear_combination + operator+(const linear_combination &other) const { linear_combination result; result.add_term(*this); @@ -85,7 +87,8 @@ namespace nil { return result; } - linear_combination operator-(const linear_combination &other) const { + linear_combination + operator-(const linear_combination &other) const { return (*this) + (-other); } @@ -100,19 +103,19 @@ namespace nil { template linear_term operator*(const typename FieldType::value_type &field_coeff, - const variable &var) { + const variable &var) { return var * field_coeff; } template linear_combination operator+(const typename FieldType::value_type &field_coeff, - const variable &var) { + const variable &var) { return var + field_coeff; } template linear_combination operator-(const typename FieldType::value_type &field_coeff, - const variable &var) { + const variable &var) { return linear_combination(field_coeff) - var; } @@ -137,58 +140,50 @@ namespace nil { constexpr static const bool RotationSupport = true; public: - /** * Mnemonic typedefs. */ - enum rotation_type{ - pre_previous = -2, - previous, - current, - next, - after_next - }; + enum rotation_type { pre_previous = -2, previous, current, next, after_next }; std::size_t wire_index; rotation_type rotation; - constexpr variable(const std::size_t wire_index, rotation_type rotation) : + constexpr variable(const std::size_t wire_index, rotation_type rotation) : wire_index(wire_index), rotation(rotation) {}; non_linear_term operator^(const std::size_t power) const { return non_linear_term(*this) ^ power; } - non_linear_term operator*( - const typename FieldType::value_type &field_coeff) const { + non_linear_term + operator*(const typename FieldType::value_type &field_coeff) const { return non_linear_term(*this) * field_coeff; } - non_linear_term operator*( - const variable &other) const { + non_linear_term operator*(const variable &other) const { return non_linear_term(*this) * other; } - non_linear_combination operator+( - const non_linear_combination &other) const { - non_linear_combination result (other); + non_linear_combination + operator+(const non_linear_combination &other) const { + non_linear_combination result(other); result.add_term(*this); return result; } - non_linear_combination operator-( - const non_linear_combination &other) const { + non_linear_combination + operator-(const non_linear_combination &other) const { return (*this) + (-other); } - non_linear_combination operator-( - const typename FieldType::value_type &field_val) const { + non_linear_combination + operator-(const typename FieldType::value_type &field_val) const { return (*this) - non_linear_combination(field_val); } non_linear_term operator-() const { - return non_linear_term(*this) * ( -FieldType::value_type::one()); + return non_linear_term(*this) * (-FieldType::value_type::one()); } bool operator==(const variable &other) const { @@ -196,27 +191,27 @@ namespace nil { } bool operator<(const variable &other) const { - return ((this->wire_index < other.wire_index) || - ((this->wire_index == other.wire_index) && (this->rotation < other.rotation))); + return ((this->wire_index < other.wire_index) || + ((this->wire_index == other.wire_index) && (this->rotation < other.rotation))); } }; template non_linear_term operator*(const typename FieldType::value_type &field_coeff, - const variable &var) { + const variable &var) { return var * field_coeff; } template non_linear_combination operator+(const typename FieldType::value_type &field_val, - const variable &var) { + const variable &var) { return var + field_val; } template non_linear_combination operator-(const typename FieldType::value_type &field_val, - const variable &var) { - return (- var) + field_val ; + const variable &var) { + return (-var) + field_val; } } // namespace snark diff --git a/include/nil/crypto3/zk/snark/sparse_vector.hpp b/include/nil/crypto3/zk/snark/sparse_vector.hpp index 271ca5afb..593430486 100644 --- a/include/nil/crypto3/zk/snark/sparse_vector.hpp +++ b/include/nil/crypto3/zk/snark/sparse_vector.hpp @@ -50,10 +50,9 @@ namespace nil { using group_type = Type; private: - using underlying_value_type = - typename group_type::value_type; + using underlying_value_type = typename group_type::value_type; + public: - std::vector indices; std::vector values; std::size_t domain_size_; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/pickles/proof.hpp b/include/nil/crypto3/zk/snark/systems/plonk/pickles/proof.hpp index 97683e613..c240c79c6 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/pickles/proof.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/pickles/proof.hpp @@ -40,8 +40,8 @@ namespace nil { template class ProverProof { typedef pickles_commitment_scheme commitment_scheme; - public: + public: // Commitments: std::array w_comm; @@ -71,11 +71,11 @@ namespace nil { typename CurveType::value_type sigma; typename CurveType::value_type G; - typename CurveType::scalar_field_type::value_type z1,z2; + typename CurveType::scalar_field_type::value_type z1, z2; // Previous challenges - std::vector, - typename commitment_scheme::commitment_type>> + std::vector, + typename commitment_scheme::commitment_type>> prev_challenges; }; } // namespace snark diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp index a55c128e3..12969d8e4 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp @@ -42,13 +42,12 @@ namespace nil { public: static inline typename types_policy::template preprocessed_data_type - process(const typename types_policy::constraint_system_type &constraint_system, + process(const typename types_policy::constraint_system_type &constraint_system, const typename types_policy::variable_assignment_type &assignments) { typename types_policy::template preprocessed_data_type data; - data.omega = - math::unity_root(math::detail::get_power_of_two(k)); + data.omega = math::unity_root(math::detail::get_power_of_two(k)); data.Z = {1}; // data.selectors = constraint_system.get_selectors(); // ... copy_constraints = constraint_system.get_copy_constraints(); diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp index 0f20c5a05..8892e1a47 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp @@ -34,8 +34,9 @@ namespace nil { template struct redshift_proof { - redshift_proof(){} - + redshift_proof() { + } + std::vector f_commitments; typename CommitmentSchemeType::commitment_type P_commitment; @@ -49,7 +50,6 @@ namespace nil { typename CommitmentSchemeType::proof_type Q_lpc_proof; std::vector T_lpc_proofs; - }; } // namespace snark } // namespace zk diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 09ef01c1d..de75103e0 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -42,20 +42,24 @@ namespace nil { namespace zk { namespace snark { - template + template class redshift_prover { using types_policy = detail::redshift_types_policy; - using transcript_manifest = typename types_policy::template prover_fiat_shamir_heuristic_manifest<11>; + using transcript_manifest = + typename types_policy::template prover_fiat_shamir_heuristic_manifest<11>; typedef hashes::sha2<256> merkle_hash_type; typedef hashes::sha2<256> transcript_hash_type; typedef typename containers::merkle_tree merkle_tree_type; - typedef list_polynomial_commitment_scheme lpc; + typedef list_polynomial_commitment_scheme lpc; public: static inline typename types_policy::template proof_type @@ -69,12 +73,12 @@ namespace nil { // std::size_t N_const = ...; std::size_t n = 0; - for(auto &wire_assignments:assignments){ + for (auto &wire_assignments : assignments) { n = std::max(n, wire_assignments.size()); } std::vector D_0(n); - for (std::size_t power = 1; power<=n; power++){ + for (std::size_t power = 1; power <= n; power++) { D_0.emplace_back(preprocessed_data.omega.pow(power)); } @@ -85,7 +89,7 @@ namespace nil { // 2 - Define new witness polynomials // and 3 - Add commitments to fi to transcript - // std::vector> f = + // std::vector> f = // constraint_system.get_polynoms(assignments); // std::vector f_trees; @@ -101,7 +105,8 @@ namespace nil { // 4 // typename FieldType::value_type teta = - // transcript.template get_challenge(); + // transcript.template get_challenge(); // 5 // A(teta) @@ -124,10 +129,12 @@ namespace nil { // 8 // typename FieldType::value_type beta = - // transcript.template get_challenge(); + // transcript.template get_challenge(); // typename FieldType::value_type gamma = - // transcript.template get_challenge(); + // transcript.template get_challenge(); // 9 // and 10 @@ -137,9 +144,9 @@ namespace nil { // math::polynomial::polynom p1 = {1}; // math::polynomial::polynom q1 = {1}; - // std::vector> + // std::vector> // &S_sigma = preprocessed_data.permutations; - // std::vector> + // std::vector> // &S_id = preprocessed_data.identity_permutations; // for (std::size_t j = 0; j < N_perm; j++) { @@ -170,8 +177,10 @@ namespace nil { // Q_mul_result *= q1(preprocessed_data.omega.pow(i)); // } - // P_interpolation_points.push_back(std::make_pair(preprocessed_data.omega.pow(i), P_mul_result)); - // Q_interpolation_points.push_back(std::make_pair(preprocessed_data.omega.pow(i), Q_mul_result)); + // P_interpolation_points.push_back(std::make_pair(preprocessed_data.omega.pow(i), + // P_mul_result)); + // Q_interpolation_points.push_back(std::make_pair(preprocessed_data.omega.pow(i), + // Q_mul_result)); // } // math::polynomial::polynom P = @@ -195,8 +204,9 @@ namespace nil { // transcript(lpc::commit(V, D_0).root()); // 15 - std::array alphas = - transcript.template get_challenges(); + std::array alphas = + transcript + .template get_challenges(); // 16 typename FieldType::value_type tau = @@ -206,22 +216,23 @@ namespace nil { // and 21 std::size_t N_T = N_perm; std::vector> gates(N_sel); - std::vector> constraints = + std::vector> constraints = constraint_system.get_polynoms(assignments); for (std::size_t i = 0; i < N_sel; i++) { gates[i] = {0}; std::size_t n_i; - for (std::size_t j = 0; j < n_i; j++){ + for (std::size_t j = 0; j < n_i; j++) { std::size_t d_i_j; - math::polynomial::polynom tau_polynom = {tau.pow(d_i_j)}; + math::polynomial::polynom tau_polynom = { + tau.pow(d_i_j)}; gates[i] = gates[i] + preprocessed_data.constraints[j] * tau_polynom; } // gates[i] *= preprocessed_data.selectors[i]; N_T = std::max(N_T, gates[i].size() - 1); - } + } // 18 std::array, 11> F; @@ -245,10 +256,10 @@ namespace nil { math::polynomial::polynom alphas_polynom = {alphas[i]}; F_consolidated = F_consolidated + alphas_polynom * F[i]; } - - math::polynomial::polynom T_consolidated = + + math::polynomial::polynom T_consolidated = F_consolidated / preprocessed_data.Z; - + // 22 std::vector> T(N_T); // T = separate_T(T_consolidated); @@ -263,32 +274,32 @@ namespace nil { } typename FieldType::value_type upsilon = - transcript.template get_challenge(); + transcript + .template get_challenge(); - std::array - fT_evaluation_points = {upsilon}; + std::array fT_evaluation_points = {upsilon}; std::vector f_lpc_proofs(N_wires); // for (std::size_t i = 0; i < N_wires; i++){ // f_lpc_proofs.push_back(lpc::proof_eval(fT_evaluation_points, f_trees[i], f[i], D_0)); // } - // std::array + // std::array // PQ_evaluation_points = {upsilon, upsilon * preprocessed_data.omega}; // typename lpc::proof P_lpc_proof = lpc::proof_eval(PQ_evaluation_points, P_tree, P, D_0); // typename lpc::proof Q_lpc_proof = lpc::proof_eval(PQ_evaluation_points, Q_tree, Q, D_0); std::vector T_lpc_proofs(N_perm + 1); - for (std::size_t i = 0; i < N_perm + 1; i++){ + for (std::size_t i = 0; i < N_perm + 1; i++) { T_lpc_proofs.push_back(lpc::proof_eval(fT_evaluation_points, T_trees[i], T[i], D_0)); } - typename types_policy::template proof_type proof ; - // = typename types_policy::proof_type(std::move(f_commitments), std::move(P_commitment), - // std::move(Q_commitment), std::move(T_commitments), - // std::move(f_lpc_proofs), std::move(P_lpc_proof), - // std::move(Q_lpc_proof), std::move(T_lpc_proofs)); + typename types_policy::template proof_type proof; + // = typename types_policy::proof_type(std::move(f_commitments), std::move(P_commitment), + // std::move(Q_commitment), std::move(T_commitments), + // std::move(f_lpc_proofs), std::move(P_lpc_proof), + // std::move(Q_lpc_proof), std::move(T_lpc_proofs)); proof.T_lpc_proofs = T_lpc_proofs; proof.f_lpc_proofs = f_lpc_proofs; proof.T_commitments = T_commitments; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp index 1247e3b34..3aec1af9f 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp @@ -64,10 +64,10 @@ namespace nil { * serializes/deserializes, and verifies proofs. We only expose some information * about the structure for statistics purposes. */ - template + template using proof_type = redshift_proof; - template + template struct preprocessed_data_type { typename FieldType::value_type omega; @@ -76,25 +76,19 @@ namespace nil { // S_sigma std::vector> permutations; // S_id - std::vector> identity_permutations; + std::vector> + identity_permutations; // c std::vector> constraints; - + std::vector> Lagrange_basis; math::polynomial::polynom Z; - }; template struct prover_fiat_shamir_heuristic_manifest { - enum challenges_ids { - beta, - gamma, - alpha, - upsilon = alpha + AlphasAmount, - tau - }; + enum challenges_ids { beta, gamma, alpha, upsilon = alpha + AlphasAmount, tau }; }; }; } // namespace detail diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp index 956fe678f..6c57fe616 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp @@ -37,7 +37,7 @@ namespace nil { namespace zk { namespace snark { - template + template class redshift_verifier { using types_policy = detail::redshift_types_policy; @@ -49,10 +49,10 @@ namespace nil { constexpr static const std::size_t k = ...; constexpr static const std::size_t r = ...; - constexpr static const typename FieldType::value_type omega = - algebra::get_root_of_unity() - typedef list_polynomial_commitment_scheme lpc; + constexpr static const typename FieldType::value_type omega = + algebra::get_root_of_unity() typedef list_polynomial_commitment_scheme< + FieldType, merkle_hash_type, lambda, k, r, m> + lpc; public: static inline bool process(const types_policy::verification_key_type &verification_key, @@ -79,10 +79,8 @@ namespace nil { typename transcript_hash_type::digest_type gamma_bytes = transcript.get_challenge(); - typename FieldType::value_type beta = - algebra::marshalling(beta_bytes); - typename FieldType::value_type gamma = - algebra::marshalling(gamma_bytes); + typename FieldType::value_type beta = algebra::marshalling(beta_bytes); + typename FieldType::value_type gamma = algebra::marshalling(gamma_bytes); transcript(proof.P_commitment); transcript(proof.Q_commitment); @@ -101,39 +99,33 @@ namespace nil { typename transcript_hash_type::digest_type upsilon_bytes = transcript.get_challenge(); - typename FieldType::value_type upsilon = - algebra::marshalling(upsilon_bytes); + typename FieldType::value_type upsilon = algebra::marshalling(upsilon_bytes); - std::array - fT_evaluation_points = {upsilon}; + std::array fT_evaluation_points = {upsilon}; - for (std::size_t i = 0; i < N_wires; i++){ - if (!lpc::verify_eval(fT_evaluation_points, proof.f_commitments[i], - proof.f_lpc_proofs[i], ...)){ + for (std::size_t i = 0; i < N_wires; i++) { + if (!lpc::verify_eval(fT_evaluation_points, proof.f_commitments[i], proof.f_lpc_proofs[i], + ...)) { return false; } } - std::array - PQ_evaluation_points = {upsilon, upsilon * omega}; - if (!lpc::verify_eval(PQ_evaluation_points, proof.P_commitment, - proof.P_lpc_proof, ...)){ + std::array PQ_evaluation_points = {upsilon, upsilon * omega}; + if (!lpc::verify_eval(PQ_evaluation_points, proof.P_commitment, proof.P_lpc_proof, ...)) { return false; } - if (!lpc::verify_eval(PQ_evaluation_points, proof.Q_commitment, - proof.Q_lpc_proof, ...)){ + if (!lpc::verify_eval(PQ_evaluation_points, proof.Q_commitment, proof.Q_lpc_proof, ...)) { return false; } - for (std::size_t i = 0; i < N_perm + 1; i++){ - if (!lpc::verify_eval(fT_evaluation_points, proof.T_commitments[i], - proof.T_lpc_proofs[i], ...)){ + for (std::size_t i = 0; i < N_perm + 1; i++) { + if (!lpc::verify_eval(fT_evaluation_points, proof.T_commitments[i], proof.T_lpc_proofs[i], + ...)) { return false; } } - std::array, 6> - F; + std::array, 6> F; F[0] = verification_key.L_basis[1] * (P - 1); F[1] = verification_key.L_basis[1] * (Q - 1); F[2] = P * p_1 - (P << 1); diff --git a/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp b/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp index 54b3a21fc..a2d1755ad 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzkadsnark/r1cs_ppzkadsnark/detail/basic_policy.hpp @@ -132,7 +132,8 @@ namespace nil { pub_auth_prms &operator=(const pub_auth_prms &other) = default; pub_auth_prms(const pub_auth_prms &other) = default; pub_auth_prms(pub_auth_prms &&other) = default; - pub_auth_prms(typename CurveType::template g1_type<>::value_type &&I1) : I1(std::move(I1)) {}; + pub_auth_prms(typename CurveType::template g1_type<>::value_type &&I1) : + I1(std::move(I1)) {}; bool operator==(const pub_auth_prms &other) const { return (this->I1 == other.I1); @@ -180,8 +181,10 @@ namespace nil { pub_auth_key &operator=(const pub_auth_key &other) = default; pub_auth_key(const pub_auth_key &other) = default; pub_auth_key(pub_auth_key &&other) = default; - pub_auth_key(typename CurveType::template g2_type<>::value_type &&minusI2, vkT &&vkp) : - minusI2(std::move(minusI2)), vkp(std::move(vkp)) {}; + pub_auth_key(typename CurveType::template g2_type<>::value_type &&minusI2, + vkT &&vkp) : + minusI2(std::move(minusI2)), + vkp(std::move(vkp)) {}; bool operator==(const pub_auth_key &other) const { return (this->minusI2 == other.minusI2) && (this->vkp == other.vkp); @@ -325,16 +328,17 @@ namespace nil { typename std::vector::value_type> Ain; verification_key() = default; - verification_key(const typename CurveType::template g2_type<>::value_type &alphaA_g2, - const typename CurveType::template g1_type<>::value_type &alphaB_g1, - const typename CurveType::template g2_type<>::value_type &alphaC_g2, - const typename CurveType::template g2_type<>::value_type &gamma_g2, - const typename CurveType::template g1_type<>::value_type &gamma_beta_g1, - const typename CurveType::template g2_type<>::value_type &gamma_beta_g2, - const typename CurveType::template g2_type<>::value_type &rC_Z_g2, - const typename CurveType::template g1_type<>::value_type A0, - const typename std::vector::value_type> - Ain) : + verification_key( + const typename CurveType::template g2_type<>::value_type &alphaA_g2, + const typename CurveType::template g1_type<>::value_type &alphaB_g1, + const typename CurveType::template g2_type<>::value_type &alphaC_g2, + const typename CurveType::template g2_type<>::value_type &gamma_g2, + const typename CurveType::template g1_type<>::value_type &gamma_beta_g1, + const typename CurveType::template g2_type<>::value_type &gamma_beta_g2, + const typename CurveType::template g2_type<>::value_type &rC_Z_g2, + const typename CurveType::template g1_type<>::value_type A0, + const typename std::vector::value_type> + Ain) : alphaA_g2(alphaA_g2), alphaB_g1(alphaB_g1), alphaC_g2(alphaC_g2), gamma_g2(gamma_g2), gamma_beta_g1(gamma_beta_g1), gamma_beta_g2(gamma_beta_g2), rC_Z_g2(rC_Z_g2), A0(A0), @@ -351,7 +355,8 @@ namespace nil { std::size_t size_in_bits() const { return G1_size() * CurveType::template g1_type<>::value_type::value_bits + G2_size() * - CurveType::template g2_type<>::value_type::value_bits; // possible zksnark bug + CurveType::template g2_type<>::value_type::value_bits; // possible zksnark + // bug } bool operator==(const verification_key &other) const { @@ -581,7 +586,8 @@ namespace nil { for (std::size_t i = 0; i < auth_data.size(); i++) { typename CurveType::template g2_type<>::value_type Mup = auth_data[i].Lambda - data[i] * pak.minusI2; - res = res && (auth_data[i].mu * CurveType::template g2_type<>::value_type::one() == Mup); + res = + res && (auth_data[i].mu * CurveType::template g2_type<>::value_type::one() == Mup); res = res && sigVerif(pak.vkp, labels[i], auth_data[i].Lambda, auth_data[i].sigma); } @@ -671,9 +677,11 @@ namespace nil { const std::size_t g2_exp_count = non_zero_Bt; std::size_t g1_window = - algebra::get_exp_window_size::value_type>(g1_exp_count); + algebra::get_exp_window_size::value_type>( + g1_exp_count); std::size_t g2_window = - algebra::get_exp_window_size::value_type>(g2_exp_count); + algebra::get_exp_window_size::value_type>( + g2_exp_count); printf("* G1 window: %zu\n", g1_window); printf("* G2 window: %zu\n", g2_window); @@ -685,12 +693,14 @@ namespace nil { #endif algebra::window_table g1_table = - algebra::get_window_table(CurveType::scalar_field_type::value_bits, g1_window, - CurveType::template g1_type<>::value_type::one()); + algebra::get_window_table( + CurveType::scalar_field_type::value_bits, g1_window, + CurveType::template g1_type<>::value_type::one()); algebra::window_table g2_table = - algebra::get_window_table(CurveType::scalar_field_type::value_bits, g2_window, - CurveType::template g2_type<>::value_type::one()); + algebra::get_window_table( + CurveType::scalar_field_type::value_bits, g2_window, + CurveType::template g2_type<>::value_type::one()); knowledge_commitment_vector A_query = kc_batch_exp(CurveType::scalar_field_type::value_bits, g1_window, g1_window, @@ -773,8 +783,9 @@ namespace nil { d3 = algebra::random_element(), dauth = algebra::random_element(); - const qap_witness qap_wit = reductions::r1cs_to_qap::witness_map( - pk.constraint_system, primary_input, auxiliary_input, d1 + dauth, d2, d3); + const qap_witness qap_wit = + reductions::r1cs_to_qap::witness_map( + pk.constraint_system, primary_input, auxiliary_input, d1 + dauth, d2, d3); typename knowledge_commitment::value_type g_A = @@ -925,8 +936,7 @@ namespace nil { using g2_type = typename CurveType::template g2_type<>; processed_verification_key pvk; - pvk.pp_G2_one_precomp = - precompute_g2(g2_type::value_type::one()); + pvk.pp_G2_one_precomp = precompute_g2(g2_type::value_type::one()); pvk.vk_alphaA_g2_precomp = precompute_g2(vk.alphaA_g2); pvk.vk_alphaB_g1_precomp = precompute_g1(vk.alphaB_g1); pvk.vk_alphaC_g2_precomp = precompute_g2(vk.alphaC_g2); @@ -1014,8 +1024,7 @@ namespace nil { miller_loop(proof_g_A_g_precomp, pvk.vk_alphaA_g2_precomp); typename gt_type::value_type kc_A_2 = miller_loop(proof_g_A_h_precomp, pvk.pp_G2_one_precomp); - typename gt_type kc_A = - final_exponentiation(kc_A_1 * kc_A_2.unitary_inversed()); + typename gt_type kc_A = final_exponentiation(kc_A_1 * kc_A_2.unitary_inversed()); if (kc_A != gt_type::value_type::one()) { result = false; } @@ -1028,8 +1037,7 @@ namespace nil { miller_loop(pvk.vk_alphaB_g1_precomp, proof_g_B_g_precomp); typename gt_type::value_type kc_B_2 = miller_loop(proof_g_B_h_precomp, pvk.pp_G2_one_precomp); - typename gt_type kc_B = - final_exponentiation(kc_B_1 * kc_B_2.unitary_inversed()); + typename gt_type kc_B = final_exponentiation(kc_B_1 * kc_B_2.unitary_inversed()); if (kc_B != gt_type::value_type::one()) { result = false; } @@ -1042,13 +1050,13 @@ namespace nil { miller_loop(proof_g_C_g_precomp, pvk.vk_alphaC_g2_precomp); typename gt_type::value_type kc_C_2 = miller_loop(proof_g_C_h_precomp, pvk.pp_G2_one_precomp); - typename gt_type kc_C = - final_exponentiation(kc_C_1 * kc_C_2.unitary_inversed()); + typename gt_type kc_C = final_exponentiation(kc_C_1 * kc_C_2.unitary_inversed()); if (kc_C != gt_type::value_type::one()) { result = false; } - typename CurveType::template g1_type<>::value_type Aacc = pvk.A0 + proof.g_Aau.g + proof.g_A.g; + typename CurveType::template g1_type<>::value_type Aacc = + pvk.A0 + proof.g_Aau.g + proof.g_A.g; typename pairing_policy::g1_precomputed_type proof_g_Aacc_precomp = precompute_g1(Aacc); @@ -1058,8 +1066,7 @@ namespace nil { miller_loop(proof_g_Aacc_precomp, proof_g_B_g_precomp); typename gt_type::value_type QAP_23 = pairing_policy::double_miller_loop( proof_g_H_precomp, pvk.vk_rC_Z_g2_precomp, proof_g_C_g_precomp, pvk.pp_G2_one_precomp); - typename gt_type QAP = - final_exponentiation(QAP_1 * QAP_23.unitary_inversed()); + typename gt_type QAP = final_exponentiation(QAP_1 * QAP_23.unitary_inversed()); if (QAP != gt_type::value_type::one()) { result = false; } @@ -1073,8 +1080,7 @@ namespace nil { typename gt_type::value_type K_23 = pairing_policy::double_miller_loop(proof_g_Aacc_C_precomp, pvk.vk_gamma_beta_g2_precomp, pvk.vk_gamma_beta_g1_precomp, proof_g_B_g_precomp); - typename gt_type K = - final_exponentiation(K_1 * K_23.unitary_inversed()); + typename gt_type K = final_exponentiation(K_1 * K_23.unitary_inversed()); if (K != gt_type::value_type::one()) { result = false; } @@ -1187,8 +1193,7 @@ namespace nil { miller_loop(proof_g_A_g_precomp, pvk.vk_alphaA_g2_precomp); typename gt_type::value_type kc_A_2 = miller_loop(proof_g_A_h_precomp, pvk.pp_G2_one_precomp); - typename gt_type kc_A = - final_exponentiation(kc_A_1 * kc_A_2.unitary_inversed()); + typename gt_type kc_A = final_exponentiation(kc_A_1 * kc_A_2.unitary_inversed()); if (kc_A != gt_type::value_type::one()) { result = false; } @@ -1201,8 +1206,7 @@ namespace nil { miller_loop(pvk.vk_alphaB_g1_precomp, proof_g_B_g_precomp); typename gt_type::value_type kc_B_2 = miller_loop(proof_g_B_h_precomp, pvk.pp_G2_one_precomp); - typename gt_type kc_B = - final_exponentiation(kc_B_1 * kc_B_2.unitary_inversed()); + typename gt_type kc_B = final_exponentiation(kc_B_1 * kc_B_2.unitary_inversed()); if (kc_B != gt_type::value_type::one()) { result = false; } @@ -1215,13 +1219,13 @@ namespace nil { miller_loop(proof_g_C_g_precomp, pvk.vk_alphaC_g2_precomp); typename gt_type::value_type kc_C_2 = miller_loop(proof_g_C_h_precomp, pvk.pp_G2_one_precomp); - typename gt_type kc_C = - final_exponentiation(kc_C_1 * kc_C_2.unitary_inversed()); + typename gt_type kc_C = final_exponentiation(kc_C_1 * kc_C_2.unitary_inversed()); if (kc_C != gt_type::value_type::one()) { result = false; } - typename CurveType::template g1_type<>::value_type Aacc = pvk.A0 + proof.g_Aau.g + proof.g_A.g; + typename CurveType::template g1_type<>::value_type Aacc = + pvk.A0 + proof.g_Aau.g + proof.g_A.g; typename pairing_policy::g1_precomputed_type proof_g_Aacc_precomp = precompute_g1(Aacc); @@ -1231,8 +1235,7 @@ namespace nil { miller_loop(proof_g_Aacc_precomp, proof_g_B_g_precomp); typename gt_type::value_type QAP_23 = pairing_policy::double_miller_loop( proof_g_H_precomp, pvk.vk_rC_Z_g2_precomp, proof_g_C_g_precomp, pvk.pp_G2_one_precomp); - typename gt_type QAP = - final_exponentiation(QAP_1 * QAP_23.unitary_inversed()); + typename gt_type QAP = final_exponentiation(QAP_1 * QAP_23.unitary_inversed()); if (QAP != gt_type::value_type::one()) { result = false; } @@ -1246,8 +1249,7 @@ namespace nil { typename gt_type::value_type K_23 = pairing_policy::double_miller_loop(proof_g_Aacc_C_precomp, pvk.vk_gamma_beta_g2_precomp, pvk.vk_gamma_beta_g1_precomp, proof_g_B_g_precomp); - typename gt_type K = - final_exponentiation(K_1 * K_23.unitary_inversed()); + typename gt_type K = final_exponentiation(K_1 * K_23.unitary_inversed()); if (K != gt_type::value_type::one()) { result = false; } diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/bacs_ppzksnark/prover.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/bacs_ppzksnark/prover.hpp index 67a0c219c..ef2d267da 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/bacs_ppzksnark/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/bacs_ppzksnark/prover.hpp @@ -70,13 +70,14 @@ namespace nil { typedef typename CurveType::scalar_field_type field_type; const r1cs_variable_assignment r1cs_va = - reductions::bacs_to_r1cs::witness_map(proving_key.circuit, primary_input, auxiliary_input); + reductions::bacs_to_r1cs::witness_map( + proving_key.circuit, primary_input, auxiliary_input); const r1cs_auxiliary_input r1cs_ai( r1cs_va.begin() + primary_input.size(), - r1cs_va.end()); // TODO: faster to just change bacs_to_r1cs::witness_map into two :( + r1cs_va.end()); // TODO: faster to just change bacs_to_r1cs::witness_map into + // two :( - return prove>( - proving_key.r1cs_pk, primary_input, r1cs_ai); + return prove>(proving_key.r1cs_pk, primary_input, r1cs_ai); } }; } // namespace snark diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/bacs_ppzksnark/proving_key.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/bacs_ppzksnark/proving_key.hpp index e69e323ac..710980268 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/bacs_ppzksnark/proving_key.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/bacs_ppzksnark/proving_key.hpp @@ -48,13 +48,11 @@ namespace nil { bacs_ppzksnark_proving_key(bacs_ppzksnark_proving_key &&other) = default; - bacs_ppzksnark_proving_key(const circuit_type &circuit, - const r1cs_proving_key_type &r1cs_pk) : + bacs_ppzksnark_proving_key(const circuit_type &circuit, const r1cs_proving_key_type &r1cs_pk) : circuit(circuit), r1cs_pk(r1cs_pk) { } - bacs_ppzksnark_proving_key(circuit_type &&circuit, - r1cs_proving_key_type &&r1cs_pk) : + bacs_ppzksnark_proving_key(circuit_type &&circuit, r1cs_proving_key_type &&r1cs_pk) : circuit(std::move(circuit)), r1cs_pk(std::move(r1cs_pk)) { } diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark.hpp index 20f7c4ba8..73d27b540 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark.hpp @@ -49,11 +49,10 @@ namespace nil { std::is_same, Generator>::value && std::is_same, Prover>::value && (std::is_same, Verifier>::value || - std::is_same, - Verifier>::value - // || std::is_same, - // Verifier>::value - )>; + std::is_same, Verifier>::value + // || std::is_same, + // Verifier>::value + )>; template using is_aggregate_mode = typename std::integral_constant< @@ -138,7 +137,7 @@ namespace nil { class r1cs_gg_ppzksnark< CurveType, Generator, Prover, Verifier, ProvingMode::Aggregate, typename std::enable_if::value>::type> { - + typedef detail::r1cs_gg_ppzksnark_basic_policy policy_type; public: diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/generator.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/generator.hpp index 3a0be7983..646643797 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/generator.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/generator.hpp @@ -42,7 +42,6 @@ namespace nil { typedef typename CurveType::template g2_type<> g2_type; public: - typedef typename policy_type::constraint_system_type constraint_system_type; typedef typename policy_type::proving_key_type proving_key_type; typedef typename policy_type::verification_key_type verification_key_type; diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp index 6bccf56ce..070d651aa 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp @@ -59,8 +59,8 @@ namespace nil { std::vector< std::pair> z_ab; - std::vector< - std::pair::value_type, typename curve_type::template g1_type<>::value_type>> + std::vector::value_type, + typename curve_type::template g1_type<>::value_type>> z_c; typename curve_type::template g1_type<>::value_type final_a; typename curve_type::template g2_type<>::value_type final_b; @@ -68,9 +68,11 @@ namespace nil { /// final commitment keys $v$ and $w$ - there is only one element at the /// end for v1 and v2 hence it's a tuple. - std::pair::value_type, typename curve_type::template g2_type<>::value_type> + std::pair::value_type, + typename curve_type::template g2_type<>::value_type> final_vkey; - std::pair::value_type, typename curve_type::template g1_type<>::value_type> + std::pair::value_type, + typename curve_type::template g1_type<>::value_type> final_wkey; static std::size_t log_proofs(std::size_t nproofs) { diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/prover.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/prover.hpp index e88b579dc..cb1e95a4e 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/prover.hpp @@ -306,7 +306,8 @@ namespace nil { // the values of vectors A and B rescaled at each step of the loop // the values of vectors C and r rescaled at each step of the loop - std::vector::value_type> m_a {a_first, a_last}, m_c {c_first, c_last}; + std::vector::value_type> m_a {a_first, a_last}, + m_c {c_first, c_last}; std::vector::value_type> m_b {b_first, b_last}; std::vector m_r {r_first, r_last}; @@ -324,8 +325,8 @@ namespace nil { std::vector< std::pair> z_ab; - std::vector< - std::pair::value_type, typename CurveType::template g1_type<>::value_type>> + std::vector::value_type, + typename CurveType::template g1_type<>::value_type>> z_c; std::vector challenges, challenges_inv; @@ -353,22 +354,22 @@ namespace nil { // \prod e(A_right,B_left) typename CurveType::gt_type::value_type zab_l = CurveType::gt_type::value_type::one(); - std::for_each(boost::make_zip_iterator(boost::make_tuple(m_a.begin() + split, m_b.begin())), - boost::make_zip_iterator(boost::make_tuple(m_a.end(), m_b.begin() + split)), - [&](const boost::tuple::value_type &, - const typename CurveType::template g2_type<>::value_type &> &t) { - zab_l = zab_l * - algebra::pair(t.template get<0>(), t.template get<1>()); - }); + std::for_each( + boost::make_zip_iterator(boost::make_tuple(m_a.begin() + split, m_b.begin())), + boost::make_zip_iterator(boost::make_tuple(m_a.end(), m_b.begin() + split)), + [&](const boost::tuple::value_type &, + const typename CurveType::template g2_type<>::value_type &> &t) { + zab_l = zab_l * algebra::pair(t.template get<0>(), t.template get<1>()); + }); zab_l = algebra::final_exponentiation(zab_l); typename CurveType::gt_type::value_type zab_r = CurveType::gt_type::value_type::one(); - std::for_each(boost::make_zip_iterator(boost::make_tuple(m_a.begin(), m_b.begin() + split)), - boost::make_zip_iterator(boost::make_tuple(m_a.begin() + split, m_b.end())), - [&](const boost::tuple::value_type &, - const typename CurveType::template g2_type<>::value_type &> &t) { - zab_r = zab_r * - algebra::pair(t.template get<0>(), t.template get<1>()); - }); + std::for_each( + boost::make_zip_iterator(boost::make_tuple(m_a.begin(), m_b.begin() + split)), + boost::make_zip_iterator(boost::make_tuple(m_a.begin() + split, m_b.end())), + [&](const boost::tuple::value_type &, + const typename CurveType::template g2_type<>::value_type &> &t) { + zab_r = zab_r * algebra::pair(t.template get<0>(), t.template get<1>()); + }); zab_r = algebra::final_exponentiation(zab_r); // MIPP part @@ -575,13 +576,13 @@ namespace nil { // compute A * B^r for the verifier // auto ip_ab = algebra::pair(a, b_r); typename CurveType::gt_type::value_type ip_ab = CurveType::gt_type::value_type::one(); - std::for_each(boost::make_zip_iterator(boost::make_tuple(a.begin(), b_r.begin())), - boost::make_zip_iterator(boost::make_tuple(a.end(), b_r.end())), - [&](const boost::tuple::value_type &, - const typename CurveType::template g2_type<>::value_type &> &t) { - ip_ab = - ip_ab * algebra::pair(t.template get<0>(), t.template get<1>()); - }); + std::for_each( + boost::make_zip_iterator(boost::make_tuple(a.begin(), b_r.begin())), + boost::make_zip_iterator(boost::make_tuple(a.end(), b_r.end())), + [&](const boost::tuple::value_type &, + const typename CurveType::template g2_type<>::value_type &> &t) { + ip_ab = ip_ab * algebra::pair(t.template get<0>(), t.template get<1>()); + }); ip_ab = algebra::final_exponentiation(ip_ab); // compute C^r for the verifier typename CurveType::template g1_type<>::value_type agg_c = @@ -611,7 +612,6 @@ namespace nil { typedef detail::r1cs_gg_ppzksnark_basic_policy policy_type; public: - typedef BasicProver basic_prover; typedef typename policy_type::primary_input_type primary_input_type; diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/transcript.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/transcript.hpp index ae48500a2..912303aff 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/transcript.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/transcript.hpp @@ -87,8 +87,9 @@ namespace nil { } template - inline typename std::enable_if, GroupType>::value || - std::is_same, GroupType>::value>::type + inline typename std::enable_if< + std::is_same, GroupType>::value || + std::is_same, GroupType>::value>::type write(const typename GroupType::value_type &x) { buffer.resize(bincode::template get_element_size()); bincode::template point_to_bytes(x, buffer.begin(), buffer.end()); diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/verifier.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/verifier.hpp index 07acc8786..5305d926d 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/verifier.hpp @@ -350,7 +350,8 @@ namespace nil { const std::pair, r1cs_gg_ppzksnark_ipp2_commitment_output> &, const std::pair::value_type, - typename CurveType::template g1_type<>::value_type> &> &t) { + typename CurveType::template g1_type<>::value_type> &> + &t) { // .write(&zab_l) tr.template write(t.template get<1>().first); // .write(&zab_r) @@ -663,6 +664,7 @@ namespace nil { template class r1cs_gg_ppzksnark_aggregate_verifier { typedef detail::r1cs_gg_ppzksnark_basic_policy policy_type; + public: typedef BasicVerifier basic_verifier; typedef typename policy_type::primary_input_type primary_input_type; diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/marshalling.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/marshalling.hpp index 9a1681f3b..f78bc74a2 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/marshalling.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/marshalling.hpp @@ -151,7 +151,7 @@ namespace nil { status_type &processingStatus) { processingStatus = status_type::success; - + using integral_type = typename FieldType::integral_type; using field_type = FieldType; @@ -372,24 +372,28 @@ namespace nil { typename std::vector::const_iterator read_iter_end, status_type &processingStatus) { - typename CurveType::template g2_type<>::value_type g = g2_group_type_process>( - read_iter_begin, read_iter_begin + g2_byteblob_size, processingStatus); - - typename CurveType::template g1_type<>::value_type h = g1_group_type_process>( - read_iter_begin + g2_byteblob_size, - read_iter_begin + g2_byteblob_size + g1_byteblob_size, - processingStatus); - return crypto3::zk::snark::detail::element_kc, typename CurveType::template g1_type<>>( - g, h); + typename CurveType::template g2_type<>::value_type g = + g2_group_type_process>( + read_iter_begin, read_iter_begin + g2_byteblob_size, processingStatus); + + typename CurveType::template g1_type<>::value_type h = + g1_group_type_process>(read_iter_begin + g2_byteblob_size, + read_iter_begin + g2_byteblob_size + + g1_byteblob_size, + processingStatus); + return crypto3::zk::snark::detail::element_kc, + typename CurveType::template g1_type<>>(g, h); } - static inline knowledge_commitment_vector, typename CurveType::template g1_type<>> + static inline knowledge_commitment_vector, + typename CurveType::template g1_type<>> g2g1_knowledge_commitment_vector_process( typename std::vector::const_iterator read_iter_begin, typename std::vector::const_iterator read_iter_end, status_type &processingStatus) { - using T = knowledge_commitment, typename CurveType::template g1_type<>>; + using T = knowledge_commitment, + typename CurveType::template g1_type<>>; if (std::distance(read_iter_begin, read_iter_end) < std_size_t_byteblob_size) { @@ -609,27 +613,29 @@ namespace nil { return typename scheme_type::verification_key_type(); } - typename CurveType::template g2_type<>::value_type gamma_g2 = g2_group_type_process>( - read_iter_begin + gt_byteblob_size, - read_iter_begin + gt_byteblob_size + g2_byteblob_size, - processingStatus); + typename CurveType::template g2_type<>::value_type gamma_g2 = + g2_group_type_process>(read_iter_begin + gt_byteblob_size, + read_iter_begin + gt_byteblob_size + + g2_byteblob_size, + processingStatus); if (processingStatus != status_type::success) { return typename scheme_type::verification_key_type(); } - typename CurveType::template g2_type<>::value_type delta_g2 = g2_group_type_process>( - read_iter_begin + gt_byteblob_size + g2_byteblob_size, - read_iter_begin + gt_byteblob_size + g2_byteblob_size + g2_byteblob_size, - processingStatus); + typename CurveType::template g2_type<>::value_type delta_g2 = + g2_group_type_process>( + read_iter_begin + gt_byteblob_size + g2_byteblob_size, + read_iter_begin + gt_byteblob_size + g2_byteblob_size + g2_byteblob_size, + processingStatus); if (processingStatus != status_type::success) { return typename scheme_type::verification_key_type(); } accumulation_vector> gamma_ABC_g1 = - g1_accumulation_vector_process>(read_iter_begin + gt_byteblob_size + - g2_byteblob_size + g2_byteblob_size, - read_iter_end, - processingStatus); + g1_accumulation_vector_process>( + read_iter_begin + gt_byteblob_size + g2_byteblob_size + g2_byteblob_size, + read_iter_end, + processingStatus); if (processingStatus != status_type::success) { return typename scheme_type::verification_key_type(); @@ -645,20 +651,25 @@ namespace nil { auto read_iter_current_begin = read_iter_begin; - typename CurveType::template g1_type<>::value_type alpha_g1 = g1_group_type_process>( - read_iter_current_begin, read_iter_current_begin + g1_byteblob_size, processingStatus); + typename CurveType::template g1_type<>::value_type alpha_g1 = + g1_group_type_process>( + read_iter_current_begin, read_iter_current_begin + g1_byteblob_size, processingStatus); read_iter_current_begin += g1_byteblob_size; - typename CurveType::template g1_type<>::value_type beta_g1 = g1_group_type_process>( - read_iter_current_begin, read_iter_current_begin + g1_byteblob_size, processingStatus); + typename CurveType::template g1_type<>::value_type beta_g1 = + g1_group_type_process>( + read_iter_current_begin, read_iter_current_begin + g1_byteblob_size, processingStatus); read_iter_current_begin += g1_byteblob_size; - typename CurveType::template g2_type<>::value_type beta_g2 = g2_group_type_process>( - read_iter_current_begin, read_iter_current_begin + g2_byteblob_size, processingStatus); + typename CurveType::template g2_type<>::value_type beta_g2 = + g2_group_type_process>( + read_iter_current_begin, read_iter_current_begin + g2_byteblob_size, processingStatus); read_iter_current_begin += g2_byteblob_size; - typename CurveType::template g1_type<>::value_type delta_g1 = g1_group_type_process>( - read_iter_current_begin, read_iter_current_begin + g1_byteblob_size, processingStatus); + typename CurveType::template g1_type<>::value_type delta_g1 = + g1_group_type_process>( + read_iter_current_begin, read_iter_current_begin + g1_byteblob_size, processingStatus); read_iter_current_begin += g1_byteblob_size; - typename CurveType::template g2_type<>::value_type delta_g2 = g2_group_type_process>( - read_iter_current_begin, read_iter_current_begin + g2_byteblob_size, processingStatus); + typename CurveType::template g2_type<>::value_type delta_g2 = + g2_group_type_process>( + read_iter_current_begin, read_iter_current_begin + g2_byteblob_size, processingStatus); read_iter_current_begin += g2_byteblob_size; std::size_t A_query_size = std_size_t_process( read_iter_current_begin, read_iter_current_begin + std_size_t_byteblob_size, processingStatus); @@ -677,8 +688,9 @@ namespace nil { read_iter_current_begin += std_size_t_byteblob_size; - knowledge_commitment_vector, typename CurveType::template g1_type<>> B_query = - g2g1_knowledge_commitment_vector_process( + knowledge_commitment_vector, + typename CurveType::template g1_type<>> + B_query = g2g1_knowledge_commitment_vector_process( read_iter_current_begin, read_iter_current_begin + total_B_query_size, processingStatus); read_iter_current_begin += total_B_query_size; @@ -772,26 +784,29 @@ namespace nil { return typename scheme_type::proof_type(); } - typename CurveType::template g1_type<>::value_type g_A = g1_group_type_process>( - read_iter_begin, read_iter_begin + g1_byteblob_size, processingStatus); + typename CurveType::template g1_type<>::value_type g_A = + g1_group_type_process>( + read_iter_begin, read_iter_begin + g1_byteblob_size, processingStatus); if (processingStatus != status_type::success) { return typename scheme_type::proof_type(); } - typename CurveType::template g2_type<>::value_type g_B = g2_group_type_process>( - read_iter_begin + g1_byteblob_size, - read_iter_begin + g1_byteblob_size + g2_byteblob_size, - processingStatus); + typename CurveType::template g2_type<>::value_type g_B = + g2_group_type_process>(read_iter_begin + g1_byteblob_size, + read_iter_begin + g1_byteblob_size + + g2_byteblob_size, + processingStatus); if (processingStatus != status_type::success) { return typename scheme_type::proof_type(); } - typename CurveType::template g1_type<>::value_type g_C = g1_group_type_process>( - read_iter_begin + g1_byteblob_size + g2_byteblob_size, - read_iter_begin + g1_byteblob_size + g2_byteblob_size + g1_byteblob_size, - processingStatus); + typename CurveType::template g1_type<>::value_type g_C = + g1_group_type_process>( + read_iter_begin + g1_byteblob_size + g2_byteblob_size, + read_iter_begin + g1_byteblob_size + g2_byteblob_size + g1_byteblob_size, + processingStatus); if (processingStatus != status_type::success) { return typename scheme_type::proof_type(); @@ -1046,24 +1061,28 @@ namespace nil { } } - static inline void g2g1_element_kc_process( - crypto3::zk::snark::detail::element_kc, typename CurveType::template g1_type<>> - input_ek, - std::vector::iterator &write_iter) { + static inline void + g2g1_element_kc_process(crypto3::zk::snark::detail::element_kc, + typename CurveType::template g1_type<>> + input_ek, + std::vector::iterator &write_iter) { g2_group_type_process>(input_ek.g, write_iter); g1_group_type_process>(input_ek.h, write_iter); } static inline std::size_t get_g2g1_knowledge_commitment_vector_size( - knowledge_commitment_vector, typename CurveType::template g1_type<>> input_kv) { + knowledge_commitment_vector, + typename CurveType::template g1_type<>> + input_kv) { return (2 + input_kv.indices.size()) * std_size_t_byteblob_size + input_kv.values.size() * (g2_byteblob_size + g1_byteblob_size); } static inline void g2g1_knowledge_commitment_vector_process( - knowledge_commitment_vector, typename CurveType::template g1_type<>> + knowledge_commitment_vector, + typename CurveType::template g1_type<>> input_kv, std::vector::iterator &write_iter) { @@ -1086,15 +1105,13 @@ namespace nil { static inline std::vector process(typename scheme_type::proving_key_type pk) { - std::size_t proving_key_size = 3*g1_byteblob_size + - 2*g2_byteblob_size + pk.A_query.size()*g1_byteblob_size + - get_g2g1_knowledge_commitment_vector_size(pk.B_query) + - pk.H_query.size()*g1_byteblob_size + - pk.L_query.size()*g1_byteblob_size + - 2 * std_size_t_byteblob_size; + std::size_t proving_key_size = + 3 * g1_byteblob_size + 2 * g2_byteblob_size + pk.A_query.size() * g1_byteblob_size + + get_g2g1_knowledge_commitment_vector_size(pk.B_query) + pk.H_query.size() * g1_byteblob_size + + pk.L_query.size() * g1_byteblob_size + 2 * std_size_t_byteblob_size; - for (auto it = pk.constraint_system.constraints.begin(); - it != pk.constraint_system.constraints.end(); it++) { + for (auto it = pk.constraint_system.constraints.begin(); it != pk.constraint_system.constraints.end(); + it++) { proving_key_size += get_r1cs_constraint_byteblob_size(*it); } diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verifier.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verifier.hpp index 4a6713add..dc6ab4fd2 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verifier.hpp @@ -258,7 +258,8 @@ namespace nil { // affine_ate_precompute_g2(verification_key.delta_g2); // const accumulation_vector accumulated_IC = - // verification_key.gamma_ABC_g1.accumulate_chunk(primary_input.begin(), primary_input.end(), + // verification_key.gamma_ABC_g1.accumulate_chunk(primary_input.begin(), + // primary_input.end(), // 0); // const typename g1_type::value_type &acc = accumulated_IC.first; diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark.hpp index c34c25564..6d9c77636 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark.hpp @@ -98,8 +98,8 @@ namespace nil { } static inline bool verify(const typename Verifier::verification_key_type &vk, - const primary_input_type &primary_input, - const proof_type &proof) { + const primary_input_type &primary_input, + const proof_type &proof) { return Verifier::process(vk, primary_input, proof); } diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark/generator.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark/generator.hpp index 691f19ce7..88eae50fd 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark/generator.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark/generator.hpp @@ -161,25 +161,30 @@ namespace nil { scalar_field_type::value_bits, g2_window, g2_type::value_type::one()); knowledge_commitment_vector A_query = - kc_batch_exp(scalar_field_type::value_bits, g1_window, g1_window, g1_table, - g1_table, rA, rA * alphaA, At, chunks); + kc_batch_exp(scalar_field_type::value_bits, g1_window, + g1_window, g1_table, g1_table, rA, + rA * alphaA, At, chunks); knowledge_commitment_vector B_query = - kc_batch_exp(scalar_field_type::value_bits, g2_window, g1_window, g2_table, g1_table, rB, - rB * alphaB, Bt, chunks); + kc_batch_exp(scalar_field_type::value_bits, g2_window, + g1_window, g2_table, g1_table, rB, + rB * alphaB, Bt, chunks); knowledge_commitment_vector C_query = - kc_batch_exp(scalar_field_type::value_bits, g1_window, g1_window, g1_table, g1_table, rC, - rC * alphaC, Ct, chunks); + kc_batch_exp(scalar_field_type::value_bits, g1_window, + g1_window, g1_table, g1_table, rC, + rC * alphaC, Ct, chunks); typename std::vector H_query = - algebra::batch_exp(scalar_field_type::value_bits, g1_window, g1_table, Ht); + algebra::batch_exp(scalar_field_type::value_bits, g1_window, + g1_table, Ht); #ifdef USE_MIXED_ADDITION algebra::batch_to_special(H_query); #endif typename std::vector K_query = - algebra::batch_exp(scalar_field_type::value_bits, g1_window, g1_table, Kt); + algebra::batch_exp(scalar_field_type::value_bits, g1_window, + g1_table, Kt); #ifdef USE_MIXED_ADDITION algebra::batch_to_special(K_query); #endif @@ -200,7 +205,8 @@ namespace nil { multiplied_IC_coefficients.emplace_back(rA * IC_coefficients[i]); } typename std::vector encoded_IC_values = - algebra::batch_exp(scalar_field_type::value_bits, g1_window, g1_table, multiplied_IC_coefficients); + algebra::batch_exp(scalar_field_type::value_bits, g1_window, + g1_table, multiplied_IC_coefficients); accumulation_vector encoded_IC_query(std::move(encoded_IC_base), std::move(encoded_IC_values)); @@ -215,7 +221,6 @@ namespace nil { std::move(K_query), std::move(cs_copy)); - return keypair_type(std::move(pk), std::move(vk)); } }; diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark/prover.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark/prover.hpp index c10484369..35ce9c84e 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark/prover.hpp @@ -79,8 +79,8 @@ namespace nil { d3 = algebra::random_element(); const qap_witness qap_wit = - reductions::r1cs_to_qap::witness_map(proving_key.constraint_system, primary_input, - auxiliary_input, d1, d2, d3); + reductions::r1cs_to_qap::witness_map( + proving_key.constraint_system, primary_input, auxiliary_input, d1, d2, d3); typename knowledge_commitment::value_type g_A = proving_key.A_query[0] + qap_wit.d1 * proving_key.A_query[qap_wit.num_variables + 1]; @@ -121,12 +121,11 @@ namespace nil { qap_wit.coefficients_for_H.begin(), qap_wit.coefficients_for_H.begin() + qap_wit.degree + 1, chunks); - g_K = - g_K + algebra::multiexp_with_mixed_addition( - proving_key.K_query.begin() + 1, - proving_key.K_query.begin() + 1 + qap_wit.num_variables, - qap_wit.coefficients_for_ABCs.begin(), - qap_wit.coefficients_for_ABCs.begin() + qap_wit.num_variables, chunks); + g_K = g_K + algebra::multiexp_with_mixed_addition( + proving_key.K_query.begin() + 1, + proving_key.K_query.begin() + 1 + qap_wit.num_variables, + qap_wit.coefficients_for_ABCs.begin(), + qap_wit.coefficients_for_ABCs.begin() + qap_wit.num_variables, chunks); return proof_type(std::move(g_A), std::move(g_B), std::move(g_C), std::move(g_H), std::move(g_K)); diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark/verification_key.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark/verification_key.hpp index 2346fdc04..03e55526b 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark/verification_key.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark/verification_key.hpp @@ -45,7 +45,6 @@ namespace nil { using g2_type = typename CurveType::template g2_type<>; public: - typename g2_type::value_type alphaA_g2; typename g1_type::value_type alphaB_g1; typename g2_type::value_type alphaC_g2; @@ -78,8 +77,7 @@ namespace nil { } std::size_t size_in_bits() const { - return (2 * g1_type::value_bits + encoded_IC_query.size_in_bits() + - 5 * g2_type::value_bits); + return (2 * g1_type::value_bits + encoded_IC_query.size_in_bits() + 5 * g2_type::value_bits); } bool operator==(const r1cs_ppzksnark_verification_key &other) const { @@ -104,7 +102,6 @@ namespace nil { using pairing_policy = pairing::pairing_policy; public: - typename pairing_policy::g2_precomputed_type pp_G2_one_precomp; typename pairing_policy::g2_precomputed_type vk_alphaA_g2_precomp; typename pairing_policy::g1_precomputed_type vk_alphaB_g1_precomp; diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark/verifier.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark/verifier.hpp index 83bd41066..9abafc5a0 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_ppzksnark/verifier.hpp @@ -45,6 +45,7 @@ namespace nil { typedef detail::r1cs_ppzksnark_policy policy_type; using g2_type = typename CurveType::template g2_type<>; + public: typedef typename policy_type::verification_key_type verification_key_type; typedef typename policy_type::processed_verification_key_type processed_verification_key_type; @@ -104,9 +105,8 @@ namespace nil { static inline bool process(const verification_key_type &verification_key, const primary_input_type &primary_input, const proof_type &proof) { - return process( - r1cs_ppzksnark_process_verification_key::process(verification_key), primary_input, - proof); + return process(r1cs_ppzksnark_process_verification_key::process(verification_key), + primary_input, proof); } /** @@ -121,8 +121,8 @@ namespace nil { assert(processed_verification_key.encoded_IC_query.domain_size() >= primary_input.size()); const accumulation_vector accumulated_IC = - processed_verification_key.encoded_IC_query.accumulate_chunk( - primary_input.begin(), primary_input.end(), 0); + processed_verification_key.encoded_IC_query.accumulate_chunk(primary_input.begin(), + primary_input.end(), 0); const g1_value_type &acc = accumulated_IC.first; bool result = true; @@ -134,8 +134,8 @@ namespace nil { g1_precomputed_type proof_g_A_h_precomp = precompute_g1(proof.g_A.h); typename gt_type::value_type kc_A_1 = miller_loop( proof_g_A_g_precomp, processed_verification_key.vk_alphaA_g2_precomp); - typename gt_type::value_type kc_A_2 = miller_loop( - proof_g_A_h_precomp, processed_verification_key.pp_G2_one_precomp); + typename gt_type::value_type kc_A_2 = + miller_loop(proof_g_A_h_precomp, processed_verification_key.pp_G2_one_precomp); gt_value_type kc_A = final_exponentiation(kc_A_1 * kc_A_2.unitary_inversed()); if (kc_A != gt_value_type::one()) { result = false; @@ -145,8 +145,8 @@ namespace nil { g1_precomputed_type proof_g_B_h_precomp = precompute_g1(proof.g_B.h); typename gt_type::value_type kc_B_1 = miller_loop( processed_verification_key.vk_alphaB_g1_precomp, proof_g_B_g_precomp); - typename gt_type::value_type kc_B_2 = miller_loop( - proof_g_B_h_precomp, processed_verification_key.pp_G2_one_precomp); + typename gt_type::value_type kc_B_2 = + miller_loop(proof_g_B_h_precomp, processed_verification_key.pp_G2_one_precomp); gt_value_type kc_B = final_exponentiation(kc_B_1 * kc_B_2.unitary_inversed()); if (kc_B != gt_value_type::one()) { result = false; @@ -156,8 +156,8 @@ namespace nil { g1_precomputed_type proof_g_C_h_precomp = precompute_g1(proof.g_C.h); typename gt_type::value_type kc_C_1 = miller_loop( proof_g_C_g_precomp, processed_verification_key.vk_alphaC_g2_precomp); - typename gt_type::value_type kc_C_2 = miller_loop( - proof_g_C_h_precomp, processed_verification_key.pp_G2_one_precomp); + typename gt_type::value_type kc_C_2 = + miller_loop(proof_g_C_h_precomp, processed_verification_key.pp_G2_one_precomp); gt_value_type kc_C = final_exponentiation(kc_C_1 * kc_C_2.unitary_inversed()); if (kc_C != gt_value_type::one()) { result = false; @@ -180,8 +180,8 @@ namespace nil { g1_precomputed_type proof_g_K_precomp = precompute_g1(proof.g_K); g1_precomputed_type proof_g_A_g_acc_C_precomp = precompute_g1((proof.g_A.g + acc) + proof.g_C.g); - typename gt_type::value_type K_1 = miller_loop( - proof_g_K_precomp, processed_verification_key.vk_gamma_g2_precomp); + typename gt_type::value_type K_1 = + miller_loop(proof_g_K_precomp, processed_verification_key.vk_gamma_g2_precomp); typename gt_type::value_type K_23 = double_miller_loop( proof_g_A_g_acc_C_precomp, processed_verification_key.vk_gamma_beta_g2_precomp, processed_verification_key.vk_gamma_beta_g1_precomp, proof_g_B_g_precomp); @@ -212,9 +212,8 @@ namespace nil { static inline bool process(const verification_key_type &verification_key, const primary_input_type &primary_input, const proof_type &proof) { - return process( - r1cs_ppzksnark_process_verification_key::process(verification_key), primary_input, - proof); + return process(r1cs_ppzksnark_process_verification_key::process(verification_key), + primary_input, proof); } /** @@ -302,7 +301,8 @@ namespace nil { // affine_ate_g1_precomp proof_g_A_g_precomp = affine_ate_precompute_g1(proof.g_A.g); // affine_ate_g1_precomp proof_g_A_h_precomp = affine_ate_precompute_g1(proof.g_A.h); // typename gt_type::value_type kc_A_miller = affine_ate_e_over_e_miller_loop( - // proof_g_A_g_precomp, pvk_vk_alphaA_g2_precomp, proof_g_A_h_precomp, pvk_pp_G2_one_precomp); + // proof_g_A_g_precomp, pvk_vk_alphaA_g2_precomp, proof_g_A_h_precomp, + // pvk_pp_G2_one_precomp); // gt_value_type kc_A = final_exponentiation(kc_A_miller); // if (kc_A != gt_value_type::one()) { @@ -314,7 +314,8 @@ namespace nil { // affine_ate_g1_precomp proof_g_B_h_precomp = // affine_ate_precompute_g1(proof.g_B.h); // typename gt_type::value_type kc_B_miller = affine_ate_e_over_e_miller_loop( - // pvk_vk_alphaB_g1_precomp, proof_g_B_g_precomp, proof_g_B_h_precomp, pvk_pp_G2_one_precomp); + // pvk_vk_alphaB_g1_precomp, proof_g_B_g_precomp, proof_g_B_h_precomp, + // pvk_pp_G2_one_precomp); // gt_value_type kc_B = final_exponentiation(kc_B_miller); // if (kc_B != gt_value_type::one()) { // result = false; @@ -325,7 +326,8 @@ namespace nil { // affine_ate_g1_precomp proof_g_C_h_precomp = // affine_ate_precompute_g1(proof.g_C.h); // typename gt_type::value_type kc_C_miller = affine_ate_e_over_e_miller_loop( - // proof_g_C_g_precomp, pvk_vk_alphaC_g2_precomp, proof_g_C_h_precomp, pvk_pp_G2_one_precomp); + // proof_g_C_g_precomp, pvk_vk_alphaC_g2_precomp, proof_g_C_h_precomp, + // pvk_pp_G2_one_precomp); // gt_value_type kc_C = final_exponentiation(kc_C_miller); // if (kc_C != gt_value_type::one()) { // result = false; @@ -336,8 +338,8 @@ namespace nil { // affine_ate_g1_precomp proof_g_H_precomp = affine_ate_precompute_g1(proof.g_H); // typename gt_type::value_type QAP_miller = // affine_ate_e_times_e_over_e_miller_loop( - // proof_g_H_precomp, pvk_vk_rC_Z_g2_precomp, proof_g_C_g_precomp, pvk_pp_G2_one_precomp, - // proof_g_A_g_acc_precomp, proof_g_B_g_precomp); + // proof_g_H_precomp, pvk_vk_rC_Z_g2_precomp, proof_g_C_g_precomp, + // pvk_pp_G2_one_precomp, proof_g_A_g_acc_precomp, proof_g_B_g_precomp); // gt_value_type QAP = final_exponentiation(QAP_miller); // if (QAP != gt_value_type::one()) { // result = false; @@ -348,8 +350,9 @@ namespace nil { // affine_ate_precompute_g1((proof.g_A.g + acc) + proof.g_C.g); // typename gt_type::value_type K_miller = // affine_ate_e_times_e_over_e_miller_loop( - // proof_g_A_g_acc_C_precomp, pvk_vk_gamma_beta_g2_precomp, pvk_vk_gamma_beta_g1_precomp, - // proof_g_B_g_precomp, proof_g_K_precomp, pvk_vk_gamma_g2_precomp); + // proof_g_A_g_acc_C_precomp, pvk_vk_gamma_beta_g2_precomp, + // pvk_vk_gamma_beta_g1_precomp, proof_g_B_g_precomp, proof_g_K_precomp, + // pvk_vk_gamma_g2_precomp); // gt_value_type K = final_exponentiation(K_miller); // if (K != gt_value_type::one()) { // result = false; diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/generator.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/generator.hpp index b4542b9d9..b8a9e3e11 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/generator.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/generator.hpp @@ -101,13 +101,11 @@ namespace nil { alpha = algebra::random_element(), beta = algebra::random_element(), gamma = algebra::random_element(); - const typename g1_type::value_type G = - algebra::random_element(); - const typename g2_type::value_type H = - algebra::random_element(); + const typename g1_type::value_type G = algebra::random_element(); + const typename g2_type::value_type H = algebra::random_element(); std::size_t G_exp_count = sap_inst.num_inputs + 1 // verifier_query - + non_zero_At // A_query + + non_zero_At // A_query + sap_inst.degree + 1 // G_gamma2_Z_t // C_query_1 @@ -120,8 +118,7 @@ namespace nil { typename g2_type::value_type H_gamma = gamma * H; std::size_t H_gamma_exp_count = non_zero_At, // B_query - H_gamma_window = - algebra::get_exp_window_size(H_gamma_exp_count); + H_gamma_window = algebra::get_exp_window_size(H_gamma_exp_count); algebra::window_table H_gamma_table = algebra::get_window_table( CurveType::scalar_field_type::value_bits, H_gamma_window, H_gamma); diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/proof.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/proof.hpp index fcd00b5dc..958c9230f 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/proof.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/proof.hpp @@ -46,7 +46,6 @@ namespace nil { using g2_type = typename CurveType::template g2_type<>; public: - typename g1_type::value_type A; typename g2_type::value_type B; typename g1_type::value_type C; diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/proving_key.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/proving_key.hpp index 62a14b61e..bee79e3a4 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/proving_key.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/proving_key.hpp @@ -39,8 +39,8 @@ namespace nil { class r1cs_se_ppzksnark_proving_key { using g1_type = typename CurveType::template g1_type<>; using g2_type = typename CurveType::template g2_type<>; - public: + public: typedef ConstraintSystem constraint_system_type; // G^{gamma * A_i(t)} for 0 <= i <= sap.num_variables() @@ -90,7 +90,8 @@ namespace nil { A_query(std::move(A_query)), B_query(std::move(B_query)), C_query_1(std::move(C_query_1)), C_query_2(std::move(C_query_2)), G_gamma_Z(G_gamma_Z), H_gamma_Z(H_gamma_Z), G_ab_gamma_Z(G_ab_gamma_Z), - G_gamma2_Z2(G_gamma2_Z2), G_gamma2_Z_t(std::move(G_gamma2_Z_t)), constraint_system(std::move(constraint_system)) {}; + G_gamma2_Z2(G_gamma2_Z2), G_gamma2_Z_t(std::move(G_gamma2_Z_t)), + constraint_system(std::move(constraint_system)) {}; std::size_t G1_size() const { return A_query.size() + C_query_1.size() + C_query_2.size() + 3 + G_gamma2_Z_t.size(); @@ -109,7 +110,8 @@ namespace nil { this->C_query_1 == other.C_query_1 && this->C_query_2 == other.C_query_2 && this->G_gamma_Z == other.G_gamma_Z && this->H_gamma_Z == other.H_gamma_Z && this->G_ab_gamma_Z == other.G_ab_gamma_Z && this->G_gamma2_Z2 == other.G_gamma2_Z2 && - this->G_gamma2_Z_t == other.G_gamma2_Z_t && this->constraint_system == other.constraint_system); + this->G_gamma2_Z_t == other.G_gamma2_Z_t && + this->constraint_system == other.constraint_system); } }; } // namespace snark diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verification_key.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verification_key.hpp index 1377d4adf..99290e0c6 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verification_key.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verification_key.hpp @@ -42,6 +42,7 @@ namespace nil { using g1_type = typename curve_type::template g1_type<>; using g2_type = typename curve_type::template g2_type<>; + public: // H typename g2_type::value_type H; @@ -82,8 +83,7 @@ namespace nil { } std::size_t size_in_bits() const { - return (G1_size() * g1_type::value_bits + - G2_size() * g2_type::value_bits); + return (G1_size() * g1_type::value_bits + G2_size() * g2_type::value_bits); } bool operator==(const r1cs_se_ppzksnark_verification_key &other) const { diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verifier.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verifier.hpp index e72146530..c6572ca04 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verifier.hpp @@ -55,22 +55,18 @@ namespace nil { static inline processed_verification_key_type process(const verification_key_type &verification_key) { - typename pairing::pairing_policy::g1_precomputed_type - G_alpha_pc = precompute_g1(verification_key.G_alpha); - typename pairing::pairing_policy::g2_precomputed_type - H_beta_pc = precompute_g2(verification_key.H_beta); + typename pairing::pairing_policy::g1_precomputed_type G_alpha_pc = + precompute_g1(verification_key.G_alpha); + typename pairing::pairing_policy::g2_precomputed_type H_beta_pc = + precompute_g2(verification_key.H_beta); processed_verification_key_type processed_verification_key; processed_verification_key.G_alpha = verification_key.G_alpha; processed_verification_key.H_beta = verification_key.H_beta; - processed_verification_key.G_alpha_H_beta_ml = - miller_loop(G_alpha_pc, H_beta_pc); - processed_verification_key.G_gamma_pc = - precompute_g1(verification_key.G_gamma); - processed_verification_key.H_gamma_pc = - precompute_g2(verification_key.H_gamma); - processed_verification_key.H_pc = - precompute_g2(verification_key.H); + processed_verification_key.G_alpha_H_beta_ml = miller_loop(G_alpha_pc, H_beta_pc); + processed_verification_key.G_gamma_pc = precompute_g1(verification_key.G_gamma); + processed_verification_key.H_gamma_pc = precompute_g2(verification_key.H_gamma); + processed_verification_key.H_pc = precompute_g2(verification_key.H); processed_verification_key.query = verification_key.query; @@ -110,8 +106,8 @@ namespace nil { static inline bool process(const verification_key_type &vk, const primary_input_type &primary_input, const proof_type &proof) { - return process( - r1cs_se_ppzksnark_process_verification_key::process(vk), primary_input, proof); + return process(r1cs_se_ppzksnark_process_verification_key::process(vk), + primary_input, proof); } /** @@ -153,9 +149,9 @@ namespace nil { precompute_g2(proof.B + processed_verification_key.H_beta)), test1_r1 = processed_verification_key.G_alpha_H_beta_ml, test1_r2 = miller_loop(precompute_g1(G_psi), - processed_verification_key.H_gamma_pc), + processed_verification_key.H_gamma_pc), test1_r3 = miller_loop(precompute_g1(proof.C), - processed_verification_key.H_pc); + processed_verification_key.H_pc); typename CurveType::gt_type::value_type test1 = final_exponentiation( test1_l.unitary_inversed() * test1_r1 * test1_r2 * test1_r3); @@ -167,11 +163,11 @@ namespace nil { * e(A, H^{gamma}) = e(G^{gamma}, B) */ typename CurveType::gt_type::value_type test2_l = miller_loop( - precompute_g1(proof.A), - processed_verification_key.H_gamma_pc), - test2_r = miller_loop( - processed_verification_key.G_gamma_pc, - precompute_g2(proof.B)); + precompute_g1(proof.A), + processed_verification_key.H_gamma_pc), + test2_r = miller_loop( + processed_verification_key.G_gamma_pc, + precompute_g2(proof.B)); typename CurveType::gt_type::value_type test2 = final_exponentiation(test2_l * test2_r.unitary_inversed()); @@ -201,8 +197,8 @@ namespace nil { static inline bool process(const verification_key_type &vk, const primary_input_type &primary_input, const proof_type &proof) { - return process( - r1cs_se_ppzksnark_process_verification_key::process(vk), primary_input, proof); + return process(r1cs_se_ppzksnark_process_verification_key::process(vk), + primary_input, proof); } /** diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/tbcs_ppzksnark/prover.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/tbcs_ppzksnark/prover.hpp index 69b489c4e..68329d9aa 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/tbcs_ppzksnark/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/tbcs_ppzksnark/prover.hpp @@ -67,12 +67,14 @@ namespace nil { typedef typename CurveType::scalar_field_type FieldType; const uscs_variable_assignment uscs_va = - reductions::tbcs_to_uscs::witness_map(pk.circuit, primary_input, auxiliary_input); + reductions::tbcs_to_uscs::witness_map( + pk.circuit, primary_input, auxiliary_input); const uscs_primary_input uscs_pi = algebra::convert_bit_vector_to_field_element_vector(primary_input); const uscs_auxiliary_input uscs_ai( uscs_va.begin() + primary_input.size(), - uscs_va.end()); // TODO: faster to just change bacs_to_r1cs::witness_map into two :( + uscs_va.end()); // TODO: faster to just change bacs_to_r1cs::witness_map into + // two :( return prove>(pk.uscs_pk, uscs_pi, uscs_ai); } diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/tbcs_ppzksnark/verifier.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/tbcs_ppzksnark/verifier.hpp index 05e4e0564..15aeed868 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/tbcs_ppzksnark/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/tbcs_ppzksnark/verifier.hpp @@ -71,10 +71,11 @@ namespace nil { class tbcs_ppzksnark_verifier_weak_input_consistency { typedef detail::tbcs_ppzksnark_policy policy_type; - using uscs_ppzksnark_weak_proof_system = uscs_ppzksnark, - uscs_ppzksnark_prover, - uscs_ppzksnark_verifier_weak_input_consistency>; + using uscs_ppzksnark_weak_proof_system = + uscs_ppzksnark, + uscs_ppzksnark_prover, + uscs_ppzksnark_verifier_weak_input_consistency>; public: typedef typename policy_type::primary_input_type primary_input_type; @@ -119,6 +120,7 @@ namespace nil { typedef detail::tbcs_ppzksnark_policy policy_type; using uscs_ppzksnark_proof_system = uscs_ppzksnark; + public: typedef typename policy_type::primary_input_type primary_input_type; typedef typename policy_type::verification_key_type verification_key_type; diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/generator.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/generator.hpp index 843fc3116..43b575fb9 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/generator.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/generator.hpp @@ -69,14 +69,13 @@ namespace nil { /* draw random element at which the SSP is evaluated */ - const typename scalar_field_type::value_type t = - algebra::random_element(); + const typename scalar_field_type::value_type t = algebra::random_element(); /* perform USCS-to-SSP reduction */ ssp_instance_evaluation ssp_inst = - reductions::uscs_to_ssp< - scalar_field_type>::instance_map_with_evaluation(constraint_system, t); + reductions::uscs_to_ssp::instance_map_with_evaluation(constraint_system, + t); /* construct various tables of typename FieldType::value_type elements */ @@ -99,8 +98,7 @@ namespace nil { assert(Vt_table.size() == ssp_inst.num_variables + 2); assert(Ht_table.size() == ssp_inst.degree + 1); assert(Xt_table.size() == ssp_inst.num_inputs + 1); - assert(Vt_table_minus_Xt_table.size() == - ssp_inst.num_variables + 2 - ssp_inst.num_inputs - 1); + assert(Vt_table_minus_Xt_table.size() == ssp_inst.num_variables + 2 - ssp_inst.num_inputs - 1); for (std::size_t i = 0; i < ssp_inst.num_inputs + 1; ++i) { assert(!Xt_table[i].is_zero()); } @@ -121,48 +119,48 @@ namespace nil { algebra::window_table g2_table = algebra::get_window_table( scalar_field_type::value_bits, g2_window, g2_type::value_type::one()); - typename std::vector V_g1_query = algebra::batch_exp( - scalar_field_type::value_bits, g1_window, g1_table, Vt_table_minus_Xt_table); + typename std::vector V_g1_query = + algebra::batch_exp(scalar_field_type::value_bits, g1_window, + g1_table, Vt_table_minus_Xt_table); #ifdef USE_MIXED_ADDITION algebra::batch_to_special(V_g1_query); #endif typename std::vector alpha_V_g1_query = - algebra::batch_exp_with_coeff(scalar_field_type::value_bits, g1_window, g1_table, alpha, - Vt_table_minus_Xt_table); + algebra::batch_exp_with_coeff( + scalar_field_type::value_bits, g1_window, g1_table, alpha, Vt_table_minus_Xt_table); #ifdef USE_MIXED_ADDITION algebra::batch_to_special(alpha_V_g1_query); #endif typename std::vector H_g1_query = - algebra::batch_exp(scalar_field_type::value_bits, g1_window, g1_table, Ht_table); + algebra::batch_exp(scalar_field_type::value_bits, g1_window, + g1_table, Ht_table); #ifdef USE_MIXED_ADDITION algebra::batch_to_special(H_g1_query); #endif typename std::vector V_g2_query = - algebra::batch_exp(scalar_field_type::value_bits, g2_window, g2_table, Vt_table); + algebra::batch_exp(scalar_field_type::value_bits, g2_window, + g2_table, Vt_table); #ifdef USE_MIXED_ADDITION algebra::batch_to_special(V_g2_query); #endif const typename scalar_field_type::value_type tilde = algebra::random_element(); - typename g2_type::value_type tilde_g2 = - tilde * g2_type::value_type::one(); - typename g2_type::value_type alpha_tilde_g2 = - (alpha * tilde) * g2_type::value_type::one(); - typename g2_type::value_type Z_g2 = - ssp_inst.Zt * g2_type::value_type::one(); - - typename g1_type::value_type encoded_IC_base = - Xt_table[0] * g1_type::value_type::one(); + typename g2_type::value_type tilde_g2 = tilde * g2_type::value_type::one(); + typename g2_type::value_type alpha_tilde_g2 = (alpha * tilde) * g2_type::value_type::one(); + typename g2_type::value_type Z_g2 = ssp_inst.Zt * g2_type::value_type::one(); + + typename g1_type::value_type encoded_IC_base = Xt_table[0] * g1_type::value_type::one(); typename std::vector encoded_IC_values = - algebra::batch_exp(scalar_field_type::value_bits, g1_window, g1_table, - std::vector( - Xt_table.begin() + 1, Xt_table.end())); + algebra::batch_exp( + scalar_field_type::value_bits, g1_window, g1_table, + std::vector(Xt_table.begin() + 1, + Xt_table.end())); accumulation_vector encoded_IC_query(std::move(encoded_IC_base), - std::move(encoded_IC_values)); + std::move(encoded_IC_values)); verification_key_type vk = verification_key_type(tilde_g2, alpha_tilde_g2, Z_g2, encoded_IC_query); diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/proof.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/proof.hpp index ba9b75616..414959422 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/proof.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/proof.hpp @@ -43,7 +43,6 @@ namespace nil { using g2_type = typename CurveType::template g2_type<>; public: - typename g1_type::value_type V_g1; typename g1_type::value_type alpha_V_g1; typename g1_type::value_type H_g1; diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/prover.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/prover.hpp index 9dc503708..f665df067 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/prover.hpp @@ -58,10 +58,12 @@ namespace nil { using g1_type = typename CurveType::template g1_type<>; using g2_type = typename CurveType::template g2_type<>; + public: typedef typename policy_type::primary_input_type primary_input_type; typedef typename policy_type::auxiliary_input_type auxiliary_input_type; - typedef typename policy_type::proving_key_type proving_key_type;; + typedef typename policy_type::proving_key_type proving_key_type; + ; typedef typename policy_type::proof_type proof_type; static inline proof_type process(const proving_key_type &proving_key, diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/proving_key.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/proving_key.hpp index 16d42a7b1..ffa73ac0a 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/proving_key.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/proving_key.hpp @@ -39,8 +39,8 @@ namespace nil { class uscs_ppzksnark_proving_key { using g1_type = typename CurveType::template g1_type<>; using g2_type = typename CurveType::template g2_type<>; - public: + public: typedef ConstraintSystem constraint_system_type; std::vector V_g1_query; diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/verification_key.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/verification_key.hpp index 5e5e35f75..e9aeb548d 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/verification_key.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/verification_key.hpp @@ -42,8 +42,8 @@ namespace nil { class uscs_ppzksnark_verification_key { using g1_type = typename CurveType::template g1_type<>; using g2_type = typename CurveType::template g2_type<>; - public: + public: typename g2_type::value_type tilde_g2; typename g2_type::value_type alpha_tilde_g2; typename g2_type::value_type Z_g2; @@ -115,4 +115,3 @@ namespace nil { } // namespace nil #endif // CRYPTO3_R1CS_PPZKSNARK_BASIC_PROVER_HPP - diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/verifier.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/verifier.hpp index 8c71373ff..e2201c390 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/uscs_ppzksnark/verifier.hpp @@ -65,6 +65,7 @@ namespace nil { typedef detail::uscs_ppzksnark_policy policy_type; using g1_type = typename CurveType::template g1_type<>; using g2_type = typename CurveType::template g2_type<>; + public: typedef typename policy_type::verification_key_type verification_key_type; typedef typename policy_type::processed_verification_key_type processed_verification_key_type; @@ -73,10 +74,8 @@ namespace nil { processed_verification_key_type pvk; - pvk.pp_G1_one_precomp = - precompute_g1(g1_type::value_type::one()); - pvk.pp_G2_one_precomp = - precompute_g2(g2_type::value_type::one()); + pvk.pp_G1_one_precomp = precompute_g1(g1_type::value_type::one()); + pvk.pp_G2_one_precomp = precompute_g2(g2_type::value_type::one()); pvk.vk_tilde_g2_precomp = precompute_g2(vk.tilde_g2); pvk.vk_alpha_tilde_g2_precomp = precompute_g2(vk.alpha_tilde_g2); @@ -111,9 +110,8 @@ namespace nil { const primary_input_type &primary_input, const proof_type &proof) { - return process( - uscs_ppzksnark_process_verification_key::process(vk), - primary_input, proof); + return process(uscs_ppzksnark_process_verification_key::process(vk), primary_input, + proof); } /** @@ -128,8 +126,7 @@ namespace nil { assert(pvk.encoded_IC_query.domain_size() >= primary_input.size()); const accumulation_vector> accumulated_IC = - pvk.encoded_IC_query.accumulate_chunk( - primary_input.begin(), primary_input.end(), 0); + pvk.encoded_IC_query.accumulate_chunk(primary_input.begin(), primary_input.end(), 0); assert(accumulated_IC.is_fully_accumulated()); const typename CurveType::template g1_type<>::value_type &acc = accumulated_IC.first; diff --git a/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp b/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp index 6c0bf6472..4bdc8cf46 100644 --- a/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp +++ b/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp @@ -38,7 +38,7 @@ namespace nil { * @brief Fiat–Shamir heuristic. * @tparam Hash Hash function, which serves as a non-interactive random oracle. * @tparam TManifest Fiat-Shamir Heuristic Manifest in the following form: - * + * * template * struct fiat_shamir_heuristic_manifest { * @@ -62,39 +62,38 @@ namespace nil { accumulator_set acc; public: - - fiat_shamir_heuristic() : acc(){ + fiat_shamir_heuristic() : acc() { } - template - void operator() (TAny data){ + template + void operator()(TAny data) { // acc(data); } - template - typename FieldType::value_type get_challenge(){ + template + typename FieldType::value_type get_challenge() { // acc(ChallengeId); typename Hash::digest_type hash_res = accumulators::extract::hash(acc); return FieldType::value_type::one(); } - template - typename FieldType::value_type get_challenge(){ + template + typename FieldType::value_type get_challenge() { // acc(ChallengeId + Index); typename Hash::digest_type hash_res = accumulators::extract::hash(acc); return FieldType::value_type::one(); } - template - std::array get_challenges(){ - + template + std::array get_challenges() { + std::array hash_results; std::array result; - for (std::size_t i = 0; i < ChallengesAmount; i++){ + for (std::size_t i = 0; i < ChallengesAmount; i++) { // acc(ChallengeId + i); hash_results[i] = accumulators::extract::hash(acc); diff --git a/include/nil/crypto3/zk/snark/transcript/transcript.hpp b/include/nil/crypto3/zk/snark/transcript/transcript.hpp index 35a9bd1cc..260de2573 100644 --- a/include/nil/crypto3/zk/snark/transcript/transcript.hpp +++ b/include/nil/crypto3/zk/snark/transcript/transcript.hpp @@ -34,12 +34,12 @@ namespace nil { /*! * @brief Transcript policy. Assumed to be inherited by particular algorithms. * @tparam TManifest Transcript Manifest in the following form: - * - * + * + * * class transcript_manifest { * * std::size_t gammas_amount = 5; - * + * * public: * enum challenges_ids{ * alpha, @@ -53,9 +53,9 @@ namespace nil { * typedef std::tuple<...> processors; * }; * - * In the case above we have following list of challenges: (\alpha, \beta, + * In the case above we have following list of challenges: (\alpha, \beta, * \gamma_0, \gamma_1, \gamma_2, \gamma_3, \gamma_4, \delta, \varepsilon) - * + * */ template class transcript { @@ -63,19 +63,21 @@ namespace nil { typename TManifest::challenges challenges; std::size_t next_challenge_id = 0; + public: - - transcript (){} + transcript() { + } - transcript (std::tuple<> in_challenges): challenges(in_challenges){} + transcript(std::tuple<> in_challenges) : challenges(in_challenges) { + } /*! * @brief For ordinary challenges. \alpha * @tparam ChallengeId Ordinary challenge ID. In the example above it's \alpha. * */ - template - bool set_challenge(std::tuple_element value){ + template + bool set_challenge(std::tuple_element value) { std::get(challenges) = value; return (ChallengeId == next_challenge_id++); @@ -87,12 +89,13 @@ namespace nil { * @tparam Index Index of the particular challenge. In the example above it's \alpha_i. * */ - template - bool set_challenge(std::tuple_element> value){ + template + bool set_challenge( + std::tuple_element> + value) { std::get(std::get(challenges)) = value; - return (ChallengeId+Index == next_challenge_id++); + return (ChallengeId + Index == next_challenge_id++); } /*! @@ -100,8 +103,8 @@ namespace nil { * @tparam ChallengeId Ordinary challenge ID. In the example above it's \alpha. * */ - template - std::tuple_element get_challenge() const{ + template + std::tuple_element get_challenge() const { return std::get(challenges); } @@ -111,9 +114,9 @@ namespace nil { * @tparam Index Index of the particular challenge. In the example above it's \alpha_i. * */ - template - std::tuple_element> get_challenge() const{ + template + std::tuple_element> + get_challenge() const { return std::get(std::get(challenges)); } @@ -122,8 +125,9 @@ namespace nil { * @tparam ChallengeId Ordinary challenge ID. In the example above it's \alpha. * */ - template - std::tuple_element::result_type get_challenge_result(){ + template + std::tuple_element::result_type + get_challenge_result() { return std::tuple_element( get_challenge()); } @@ -134,10 +138,12 @@ namespace nil { * @tparam Index Index of the particular challenge. In the example above it's \alpha_i. * */ - template - std::tuple_element>::result_type get_challenge_result(){ - return std::tuple_element>( + template + std::tuple_element>::result_type + get_challenge_result() { + return std::tuple_element>( get_challenge()); } }; diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index 61b53f7e8..f66e346e2 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -45,13 +45,13 @@ using namespace nil::crypto3; BOOST_AUTO_TEST_SUITE(redshift_prover_test_suite) BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { - + using curve_type = algebra::curves::bls12<381>; - zk::snark::redshift_preprocessor preprocess; + zk::snark::redshift_preprocessor preprocess; // auto preprocessed_data = preprocess::process(cs, assignments); - zk::snark::redshift_prover prove; + zk::snark::redshift_prover prove; } BOOST_AUTO_TEST_SUITE_END() \ No newline at end of file From 3209d238df77cfea9a87f90687ce22f0e558c4f4 Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Sun, 2 Jan 2022 22:10:58 +0300 Subject: [PATCH 036/219] Pickles commitment scheme updated #20 --- include/nil/crypto3/zk/snark/commitments/pickles.hpp | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/pickles.hpp b/include/nil/crypto3/zk/snark/commitments/pickles.hpp index 33398aa27..49b6df311 100644 --- a/include/nil/crypto3/zk/snark/commitments/pickles.hpp +++ b/include/nil/crypto3/zk/snark/commitments/pickles.hpp @@ -39,14 +39,12 @@ namespace nil { using evaluation_type = typename CurveType::scalar_field_type::value_type; using commitment_type = typename CurveType::value_type; - struct openning_type { + struct openning_type { }; - } - - struct proof_type { - }; + struct proof_type { }; static commitment_type commit() { + return commitment_type(); } }; From e4d80862553dc9a04ee3f715056c8272271bf43d Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Thu, 6 Jan 2022 00:02:27 +0300 Subject: [PATCH 037/219] Strong-typedefed polynomial interface compatibility updated #20 --- .../list_polynomial_commitment.hpp | 38 +++++++-------- .../crypto3/zk/snark/commitments/pickles.hpp | 2 +- .../relations/non_linear_combination.hpp | 10 ++-- .../zk/snark/relations/plonk/plonk.hpp | 20 ++++---- .../systems/plonk/redshift/preprocessor.hpp | 4 +- .../snark/systems/plonk/redshift/prover.hpp | 48 +++++++++---------- .../zk/snark/systems/plonk/redshift/types.hpp | 14 +++--- .../snark/systems/plonk/redshift/verifier.hpp | 2 +- 8 files changed, 70 insertions(+), 68 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index 73b1a08d0..5612d722a 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -26,7 +26,7 @@ #ifndef CRYPTO3_ZK_LIST_POLYNOMIAL_COMMITMENT_SCHEME_HPP #define CRYPTO3_ZK_LIST_POLYNOMIAL_COMMITMENT_SCHEME_HPP -#include +#include #include #include @@ -65,7 +65,7 @@ namespace nil { typedef typename containers::merkle_tree merkle_tree_type; typedef typename containers::merkle_proof merkle_proof_type; - // static const math::polynomial::polynom + // static const math::polynomial::polynomial // q = {0, 0, 1}; struct transcript_round_manifest { @@ -96,7 +96,7 @@ namespace nil { // After this function // result.root(); // should be called - static merkle_tree_type commit(const math::polynomial::polynom &f, + static merkle_tree_type commit(const math::polynomial::polynomial &f, const std::vector &D) { std::vector y; @@ -110,11 +110,11 @@ namespace nil { static proof_type proof_eval(std::array evaluation_points, const merkle_tree_type &T, - const math::polynomial::polynom &f, + const math::polynomial::polynomial &f, const std::vector &D) { - // temporary definition, until polynom is constexpr - const math::polynomial::polynom q = {0, 0, 1}; + // temporary definition, until polynomial is constexpr + const math::polynomial::polynomial q = {0, 0, 1}; proof_type proof; @@ -131,19 +131,19 @@ namespace nil { U_interpolation_points[j] = std::make_pair(evaluation_points[j], z_j); } - math::polynomial::polynom U = + math::polynomial::polynomial U = math::polynomial::lagrange_interpolation(U_interpolation_points); - math::polynomial::polynom Q = (f - U); + math::polynomial::polynomial Q = (f - U); for (std::size_t j = 0; j < k; j++) { - math::polynomial::polynom denominator_polynom = { + math::polynomial::polynomial denominator_polynom = { -evaluation_points[j], 1}; Q = Q / denominator_polynom; } for (std::size_t round_id = 0; round_id < lambda; round_id++) { - math::polynomial::polynom f_i = Q; + math::polynomial::polynomial f_i = Q; typename FieldType::value_type x_i = transcript @@ -167,7 +167,7 @@ namespace nil { // transcript.template get_challenge(); - math::polynomial::polynom sqr_polynom = {y_arr[i], 0, + math::polynomial::polynomial sqr_polynom = {y_arr[i], 0, -1}; std::array s; // = math::polynomial::get_roots(sqr_polynom); @@ -182,7 +182,7 @@ namespace nil { p_y_i_interpolation_points[j] = std::make_pair(s[j], alpha_i_j); } - math::polynomial::polynom p_y_i = + math::polynomial::polynomial p_y_i = math::polynomial::lagrange_interpolation(p_y_i_interpolation_points); f_i = p_y_i; @@ -211,8 +211,8 @@ namespace nil { proof_type proof, const std::vector &D) { - // temporary definition, until polynom is constexpr - const math::polynomial::polynom q = {0, 0, 1}; + // temporary definition, until polynomial is constexpr + const math::polynomial::polynomial q = {0, 0, 1}; fiat_shamir_heuristic transcript; @@ -230,10 +230,10 @@ namespace nil { U_interpolation_points[j] = std::make_pair(evaluation_points[j], z_j); } - math::polynomial::polynom U = + math::polynomial::polynomial U = math::polynomial::lagrange_interpolation(U_interpolation_points); - math::polynomial::polynom Q; + math::polynomial::polynomial Q; // = (f - U); // for (std::size_t j = 0; j < k; j++){ // Q = Q/(x - U_interpolation_points[j]); @@ -241,7 +241,7 @@ namespace nil { for (std::size_t round_id = 0; round_id < lambda; round_id++) { - math::polynomial::polynom f_i = Q; + math::polynomial::polynomial f_i = Q; typename FieldType::value_type x_i = transcript @@ -262,7 +262,7 @@ namespace nil { for (std::size_t i = 0; i <= r - 1; i++) { - math::polynomial::polynom sqr_polynom = {y_arr[i], 0, + math::polynomial::polynomial sqr_polynom = {y_arr[i], 0, -1}; std::array s; // = math::polynomial::get_roots(sqr_polynom); @@ -279,7 +279,7 @@ namespace nil { p_y_i_interpolation_points[j] = std::make_pair(s[j], alpha_i_j); } - math::polynomial::polynom p_y_i = + math::polynomial::polynomial p_y_i = math::polynomial::lagrange_interpolation(p_y_i_interpolation_points); typename FieldType::value_type f_y_i; diff --git a/include/nil/crypto3/zk/snark/commitments/pickles.hpp b/include/nil/crypto3/zk/snark/commitments/pickles.hpp index 49b6df311..245176521 100644 --- a/include/nil/crypto3/zk/snark/commitments/pickles.hpp +++ b/include/nil/crypto3/zk/snark/commitments/pickles.hpp @@ -26,7 +26,7 @@ #ifndef CRYPTO3_ZK_PICKLES_COMMITMENT_SCHEME_HPP #define CRYPTO3_ZK_PICKLES_COMMITMENT_SCHEME_HPP -#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp index 490a35f6f..d6a07fa65 100644 --- a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp +++ b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp @@ -32,7 +32,7 @@ #define CRYPTO3_ZK_NON_LINEAR_COMBINATION_HPP #include -#include +#include #include namespace nil { @@ -215,12 +215,12 @@ namespace nil { } template - math::polynomial::polynom evaluate( + math::polynomial::polynomial evaluate( std::size_t row_index, - const std::array, WiresAmount> &assignment) const { - math::polynomial::polynom acc = {0}; + const std::array, WiresAmount> &assignment) const { + math::polynomial::polynomial acc = {0}; for (non_linear_combination &nlt : terms) { - math::polynomial::polynom term_value = {nlt.coeff}; + math::polynomial::polynomial term_value = {nlt.coeff}; for (variable &var : nlt.vars) { term_value *= assignment[var.wire_index]; diff --git a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp index 264efbcc1..0310816fe 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp @@ -86,22 +86,25 @@ namespace nil { return true; } - std::vector> get_copy_constraints() { + std::vector> copy_constraints() { + return {}; } - std::vector> get_selectors() { + std::vector> selectors() { + return {}; } - std::vector> get_lookups() { + std::vector> lookups() { + return {}; } - std::vector> - get_polynoms(plonk_variable_assignment full_variable_assignment) const { + std::vector> + polynoms(plonk_variable_assignment full_variable_assignment) const { - std::vector> result( + std::vector> result( constraints.size()); - std::array, WiresAmount> + std::array, WiresAmount> wire_polynomials; for (std::size_t wire_index = 0; wire_index < WiresAmount; wire_index++) { wire_polynomials[wire_index] = @@ -113,7 +116,7 @@ namespace nil { for (auto &term : constraints[constraint_index].terms) { - math::polynomial::polynom term_polynom = {term.coeff}; + math::polynomial::polynomial term_polynom = {term.coeff}; // TODO: Rotation isn't taken into consideration for (auto &var : term.vars) { @@ -135,7 +138,6 @@ namespace nil { return (this->constraints == other.constraints); } }; - } // namespace snark } // namespace zk } // namespace crypto3 diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp index 12969d8e4..abd9f7b0e 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp @@ -49,8 +49,8 @@ namespace nil { data.omega = math::unity_root(math::detail::get_power_of_two(k)); data.Z = {1}; - // data.selectors = constraint_system.get_selectors(); - // ... copy_constraints = constraint_system.get_copy_constraints(); + // data.selectors = constraint_system.selectors(); + // ... copy_constraints = constraint_system.copy_constraints(); // data.permutations = ...(copy_constraints); // data.identity_permutations = ...(copy_constraints); diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index de75103e0..1240f488c 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -26,7 +26,7 @@ #ifndef CRYPTO3_ZK_PLONK_REDSHIFT_PROVER_HPP #define CRYPTO3_ZK_PLONK_REDSHIFT_PROVER_HPP -#include +#include #include #include @@ -89,14 +89,14 @@ namespace nil { // 2 - Define new witness polynomials // and 3 - Add commitments to fi to transcript - // std::vector> f = - // constraint_system.get_polynoms(assignments); + // std::vector> f = + // constraint_system.polynoms(assignments); // std::vector f_trees; // std::vector f_commitments; // for (std::size_t i = 0; i < N_wires; i++) { - // math::polynomial::polynom h; + // math::polynomial::polynomial h; // f[i] = f[i] + h * preprocessed_data.Z; // f_trees.push_back(lpc::commit(f[i])); // f_commitments[i].push_back(f_trees[i].root()); @@ -115,8 +115,8 @@ namespace nil { // std::vector S; // 6 - // math::polynomial::polynom A1; - // math::polynomial::polynom S1; + // math::polynomial::polynomial A1; + // math::polynomial::polynomial S1; // 7 // merkle_tree_type A1_tree = lpc::commit(A1); @@ -138,15 +138,15 @@ namespace nil { // 9 // and 10 - // std::vector> p(N_perm); - // std::vector> q(N_perm); + // std::vector> p(N_perm); + // std::vector> q(N_perm); - // math::polynomial::polynom p1 = {1}; - // math::polynomial::polynom q1 = {1}; + // math::polynomial::polynomial p1 = {1}; + // math::polynomial::polynomial q1 = {1}; - // std::vector> + // std::vector> // &S_sigma = preprocessed_data.permutations; - // std::vector> + // std::vector> // &S_id = preprocessed_data.identity_permutations; // for (std::size_t j = 0; j < N_perm; j++) { @@ -183,9 +183,9 @@ namespace nil { // Q_mul_result)); // } - // math::polynomial::polynom P = + // math::polynomial::polynomial P = // math::polynomial::lagrange_interpolation(P_interpolation_points); - // math::polynomial::polynom Q = + // math::polynomial::polynomial Q = // math::polynomial::lagrange_interpolation(Q_interpolation_points); // 12 @@ -198,7 +198,7 @@ namespace nil { // transcript(Q_commitment); // 13 - // math::polynomial::polynom V; + // math::polynomial::polynomial V; // 14 // transcript(lpc::commit(V, D_0).root()); @@ -215,16 +215,16 @@ namespace nil { // 17 // and 21 std::size_t N_T = N_perm; - std::vector> gates(N_sel); - std::vector> constraints = - constraint_system.get_polynoms(assignments); + std::vector> gates(N_sel); + std::vector> constraints = + constraint_system.polynoms(assignments); for (std::size_t i = 0; i < N_sel; i++) { gates[i] = {0}; std::size_t n_i; for (std::size_t j = 0; j < n_i; j++) { std::size_t d_i_j; - math::polynomial::polynom tau_polynom = { + math::polynomial::polynomial tau_polynom = { tau.pow(d_i_j)}; gates[i] = gates[i] + preprocessed_data.constraints[j] * tau_polynom; } @@ -235,7 +235,7 @@ namespace nil { } // 18 - std::array, 11> F; + std::array, 11> F; // F[0] = preprocessed_data.Lagrange_basis[1] * (P - 1); // F[1] = preprocessed_data.Lagrange_basis[1] * (Q - 1); // F[2] = P * p1 - (P << 1); @@ -251,17 +251,17 @@ namespace nil { // ... // 20 - math::polynomial::polynom F_consolidated = {0}; + math::polynomial::polynomial F_consolidated = {0}; for (std::size_t i = 0; i < 11; i++) { - math::polynomial::polynom alphas_polynom = {alphas[i]}; + math::polynomial::polynomial alphas_polynom = {alphas[i]}; F_consolidated = F_consolidated + alphas_polynom * F[i]; } - math::polynomial::polynom T_consolidated = + math::polynomial::polynomial T_consolidated = F_consolidated / preprocessed_data.Z; // 22 - std::vector> T(N_T); + std::vector> T(N_T); // T = separate_T(T_consolidated); // 23 diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp index 3aec1af9f..4a7b4edf0 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp @@ -29,7 +29,7 @@ #ifndef CRYPTO3_PLONK_REDSHIFT_TYPES_POLICY_HPP #define CRYPTO3_PLONK_REDSHIFT_TYPES_POLICY_HPP -#include +#include #include #include @@ -72,18 +72,18 @@ namespace nil { typename FieldType::value_type omega; - std::vector> selectors; + std::vector> selectors; // S_sigma - std::vector> permutations; + std::vector> permutations; // S_id - std::vector> + std::vector> identity_permutations; // c - std::vector> constraints; + std::vector> constraints; - std::vector> Lagrange_basis; + std::vector> Lagrange_basis; - math::polynomial::polynom Z; + math::polynomial::polynomial Z; }; template diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp index 6c57fe616..be65d3a8e 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp @@ -26,7 +26,7 @@ #ifndef CRYPTO3_ZK_PLONK_REDSHIFT_VERIFIER_HPP #define CRYPTO3_ZK_PLONK_REDSHIFT_VERIFIER_HPP -#include +#include #include #include From c00194be030b801f62d9c90df0f2b3ee539ed7eb Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Tue, 11 Jan 2022 03:55:21 +0300 Subject: [PATCH 038/219] Minor Pickles proof definitions updated #20 --- include/nil/crypto3/zk/snark/systems/plonk/pickles/proof.hpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/pickles/proof.hpp b/include/nil/crypto3/zk/snark/systems/plonk/pickles/proof.hpp index c240c79c6..538cd25c1 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/pickles/proof.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/pickles/proof.hpp @@ -74,7 +74,7 @@ namespace nil { typename CurveType::scalar_field_type::value_type z1, z2; // Previous challenges - std::vector, + std::vector, typename commitment_scheme::commitment_type>> prev_challenges; }; From 7f541c791b9674001ee1f6157a34c892a081daa2 Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Sun, 16 Jan 2022 00:44:11 +0300 Subject: [PATCH 039/219] Polynomial interface compatibility fixes #20 --- .../commitments/list_polynomial_commitment.hpp | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index 5612d722a..caa36a6ac 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -87,7 +87,8 @@ namespace nil { std::array, lambda> f_commitments; - std::array, lambda> f_ip1_coefficients; + std::array, lambda> + f_ip1_coefficients; }; // The result of this function is not commitment_type (as it would expected), @@ -96,8 +97,9 @@ namespace nil { // After this function // result.root(); // should be called - static merkle_tree_type commit(const math::polynomial::polynomial &f, - const std::vector &D) { + static merkle_tree_type + commit(const math::polynomial::polynomial &f, + const std::vector &D) { std::vector y; for (typename FieldType::value_type H : D) { @@ -152,7 +154,7 @@ namespace nil { std::array &alpha_openings = proof.alpha_openings[round_id]; std::array &f_y_openings = proof.f_y_openings[round_id]; std::array &f_commitments = proof.f_commitments[round_id]; - std::vector &f_ip1_coefficients = + math::polynomial::polynomial &f_ip1_coefficients = proof.f_ip1_coefficients[round_id]; merkle_tree_type f_i_tree = T; @@ -168,7 +170,7 @@ namespace nil { // FieldType>(); math::polynomial::polynomial sqr_polynom = {y_arr[i], 0, - -1}; + -1}; std::array s; // = math::polynomial::get_roots(sqr_polynom); @@ -263,7 +265,7 @@ namespace nil { for (std::size_t i = 0; i <= r - 1; i++) { math::polynomial::polynomial sqr_polynom = {y_arr[i], 0, - -1}; + -1}; std::array s; // = math::polynomial::get_roots(sqr_polynom); From ea7909cadff1023ffb41f372d956c54d0b9d914a Mon Sep 17 00:00:00 2001 From: nkaskov Date: Mon, 17 Jan 2022 23:18:13 +0300 Subject: [PATCH 040/219] PLONK Prover reviewed. #20 --- .../snark/systems/plonk/redshift/prover.hpp | 167 +++++++++--------- .../zk/snark/systems/plonk/redshift/types.hpp | 2 +- 2 files changed, 86 insertions(+), 83 deletions(-) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 1240f488c..5baae6c16 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -89,119 +89,122 @@ namespace nil { // 2 - Define new witness polynomials // and 3 - Add commitments to fi to transcript - // std::vector> f = - // constraint_system.polynoms(assignments); - - // std::vector f_trees; - // std::vector f_commitments; - - // for (std::size_t i = 0; i < N_wires; i++) { - // math::polynomial::polynomial h; - // f[i] = f[i] + h * preprocessed_data.Z; - // f_trees.push_back(lpc::commit(f[i])); - // f_commitments[i].push_back(f_trees[i].root()); - // transcript(f_commitments[i]); - // } + std::vector> f = + constraint_system.polynoms(assignments); + + std::vector f_trees; + std::vector f_commitments; + + for (std::size_t i = 0; i < N_wires; i++) { + math::polynomial::polynomial h; + f[i] = f[i] + h * preprocessed_data.Z; + f_trees.push_back(lpc::commit(f[i], D_0)); + f_commitments.push_back(f_trees[i].root()); + transcript(f_commitments[i]); + } // 4 - // typename FieldType::value_type teta = - // transcript.template get_challenge(); + typename FieldType::value_type teta = + transcript.template get_challenge(); // 5 // A(teta) - // std::vector A; + std::vector A; // S(teta) - // std::vector S; + std::vector S; // 6 - // math::polynomial::polynomial A1; - // math::polynomial::polynomial S1; + math::polynomial::polynomial A1; + math::polynomial::polynomial S1; // 7 - // merkle_tree_type A1_tree = lpc::commit(A1); - // merkle_tree_type S1_tree = lpc::commit(S1); - // typename lpc::commitment_type A1_commitment = A1_tree.root(); - // typename lpc::commitment_type S1_commitment = S1_tree.root(); + merkle_tree_type A1_tree = lpc::commit(A1, D_0); + merkle_tree_type S1_tree = lpc::commit(S1, D_0); + typename lpc::commitment_type A1_commitment = A1_tree.root(); + typename lpc::commitment_type S1_commitment = S1_tree.root(); - // transcript(A1_commitment); - // transcript(S1_commitment); + transcript(A1_commitment); + transcript(S1_commitment); // 8 - // typename FieldType::value_type beta = - // transcript.template get_challenge(); + typename FieldType::value_type beta = + transcript.template get_challenge(); - // typename FieldType::value_type gamma = - // transcript.template get_challenge(); + typename FieldType::value_type gamma = + transcript.template get_challenge(); // 9 // and 10 - // std::vector> p(N_perm); - // std::vector> q(N_perm); + std::vector> p(N_perm); + std::vector> q(N_perm); - // math::polynomial::polynomial p1 = {1}; - // math::polynomial::polynomial q1 = {1}; + math::polynomial::polynomial p1 = {1}; + math::polynomial::polynomial q1 = {1}; - // std::vector> - // &S_sigma = preprocessed_data.permutations; - // std::vector> - // &S_id = preprocessed_data.identity_permutations; + const std::vector> + &S_sigma = preprocessed_data.permutations; + const std::vector> + &S_id = preprocessed_data.identity_permutations; - // for (std::size_t j = 0; j < N_perm; j++) { - // p.push_back(f[j] + beta * S_id[j] + gamma); - // q.push_back(f[j] + beta * S_sigma[j] + gamma); + for (std::size_t j = 0; j < N_perm; j++) { + math::polynomial::polynomial beta_polynom = {beta}; + math::polynomial::polynomial gamma_polynom = {gamma}; - // p1 *= p[j]; - // q1 *= q[j]; - // } + p.push_back(f[j] + beta_polynom * S_id[j] + gamma_polynom); + q.push_back(f[j] + beta_polynom * S_sigma[j] + gamma_polynom); + + p1 = p1 * p[j]; + q1 = q1 * q[j]; + } // 11 - // std::vector> - // P_interpolation_points(n + 1); - // std::vector> - // Q_interpolation_points(n + 1); - - // P_interpolation_points.push_back(std::make_pair(preprocessed_data.omega, 1)); - // for (std::size_t i = 2; i <= n + 1; i++) { - - // typename FieldType::value_type P_mul_result = - // typename FieldType::one(); - // typename FieldType::value_type Q_mul_result = - // typename FieldType::one(); - // for (std::size_t j = 1; j < i; j++) { - // P_mul_result *= p1(preprocessed_data.omega.pow(i)); - // Q_mul_result *= q1(preprocessed_data.omega.pow(i)); - // } - - // P_interpolation_points.push_back(std::make_pair(preprocessed_data.omega.pow(i), - // P_mul_result)); - // Q_interpolation_points.push_back(std::make_pair(preprocessed_data.omega.pow(i), - // Q_mul_result)); - // } + std::vector> + P_interpolation_points(n + 1); + std::vector> + Q_interpolation_points(n + 1); + + P_interpolation_points.push_back(std::make_pair(preprocessed_data.omega, 1)); + for (std::size_t i = 2; i <= n + 1; i++) { + + typename FieldType::value_type P_mul_result = + FieldType::value_type::one(); + typename FieldType::value_type Q_mul_result = + FieldType::value_type::one(); + for (std::size_t j = 1; j < i; j++) { + P_mul_result *= p1.evaluate(preprocessed_data.omega.pow(i)); + Q_mul_result *= q1.evaluate(preprocessed_data.omega.pow(i)); + } + + P_interpolation_points.push_back(std::make_pair(preprocessed_data.omega.pow(i), + P_mul_result)); + Q_interpolation_points.push_back(std::make_pair(preprocessed_data.omega.pow(i), + Q_mul_result)); + } - // math::polynomial::polynomial P = - // math::polynomial::lagrange_interpolation(P_interpolation_points); - // math::polynomial::polynomial Q = - // math::polynomial::lagrange_interpolation(Q_interpolation_points); + math::polynomial::polynomial P; + // = math::polynomial::lagrange_interpolation(P_interpolation_points); + math::polynomial::polynomial Q; + // = math::polynomial::lagrange_interpolation(Q_interpolation_points); // 12 - // merkle_tree_type P_tree = lpc::commit(P); - // merkle_tree_type Q_tree = lpc::commit(Q); - // typename lpc::commitment_type P_commitment = P_tree.root(); - // typename lpc::commitment_type Q_commitment = Q_tree.root(); + merkle_tree_type P_tree = lpc::commit(P, D_0); + merkle_tree_type Q_tree = lpc::commit(Q, D_0); + typename lpc::commitment_type P_commitment = P_tree.root(); + typename lpc::commitment_type Q_commitment = Q_tree.root(); - // transcript(P_commitment); - // transcript(Q_commitment); + transcript(P_commitment); + transcript(Q_commitment); // 13 - // math::polynomial::polynomial V; + math::polynomial::polynomial V; // 14 - // transcript(lpc::commit(V, D_0).root()); + transcript(lpc::commit(V, D_0).root()); // 15 std::array alphas = diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp index 4a7b4edf0..619309e0d 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp @@ -88,7 +88,7 @@ namespace nil { template struct prover_fiat_shamir_heuristic_manifest { - enum challenges_ids { beta, gamma, alpha, upsilon = alpha + AlphasAmount, tau }; + enum challenges_ids { beta, gamma, alpha, upsilon = alpha + AlphasAmount, tau , teta}; }; }; } // namespace detail From ad57bd784a377c5ac1411ad46287d758ea22acc6 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Wed, 19 Jan 2022 01:20:20 +0300 Subject: [PATCH 041/219] PLONK Prover updated following the specification document. #20 --- .../snark/systems/plonk/redshift/prover.hpp | 97 ++++++++++++------- 1 file changed, 61 insertions(+), 36 deletions(-) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 5baae6c16..1dde5826a 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -65,11 +65,13 @@ namespace nil { static inline typename types_policy::template proof_type process(const typename types_policy::template preprocessed_data_type preprocessed_data, const typename types_policy::constraint_system_type &constraint_system, - const typename types_policy::variable_assignment_type &assignments) { + const typename types_policy::variable_assignment_type &assignments, + const typename types_policy::public_input_type &PI) { std::size_t N_wires = WiresAmount; std::size_t N_perm = preprocessed_data.permutations.size(); std::size_t N_sel = preprocessed_data.selectors.size(); + std::size_t N_PI = PI.size(); // std::size_t N_const = ...; std::size_t n = 0; @@ -77,6 +79,8 @@ namespace nil { n = std::max(n, wire_assignments.size()); } + std::size_t N_rows = n; + std::vector D_0(n); for (std::size_t power = 1; power <= n; power++) { D_0.emplace_back(preprocessed_data.omega.pow(power)); @@ -87,23 +91,62 @@ namespace nil { // ... setup_values = ...; // transcript(setup_values); - // 2 - Define new witness polynomials - // and 3 - Add commitments to fi to transcript - std::vector> f = + // 1. Add commitments to $w_i(X)$ to $\text{transcript}$ + + std::vector> w = constraint_system.polynoms(assignments); - std::vector f_trees; - std::vector f_commitments; + std::vector w_trees; + std::vector w_commitments; for (std::size_t i = 0; i < N_wires; i++) { - math::polynomial::polynomial h; - f[i] = f[i] + h * preprocessed_data.Z; - f_trees.push_back(lpc::commit(f[i], D_0)); - f_commitments.push_back(f_trees[i].root()); - transcript(f_commitments[i]); + w_trees.push_back(lpc::commit(w[i], D_0)); + w_commitments.push_back(w_trees[i].root()); + transcript(w_commitments[i]); } - // 4 + // 2. Get $\beta, \gamma \in \mathbb{F}$ from $hash(\text{transcript})$ + typename FieldType::value_type beta = + transcript.template get_challenge(); + + typename FieldType::value_type gamma = + transcript.template get_challenge(); + + // 3. Denote witness polynomials included in permutation argument and public input polynomials as $f_i$ + std::vector> f(N_perm + N_PI); + + std::copy(w.begin(), w.end(), f.begin()); + // std::copy(PI.begin(), PI.end(), f.begin() + N_perm); + + // 4. For $1 < j \leq N_{\texttt{rows}}$ calculate $g_j, h_j$ + std::vector g(N_rows + 1); + std::vector h(N_rows + 1); + + const std::vector> + &S_sigma = preprocessed_data.permutations; + const std::vector> + &S_id = preprocessed_data.identity_permutations; + + for (std::size_t j = 1; j <= N_rows; j++) { + g[j] = FieldType::value_type::one(); + h[j] = FieldType::value_type::one(); + for (std::size_t i = 0; i < N_perm + N_PI; i++){ + + g[j] *= (f[j].evaluate(D_0[j]) + beta * S_id[j].evaluate(D_0[j]) + gamma); + h[j] *= (f[j].evaluate(D_0[j]) + beta * S_sigma[j].evaluate(D_0[j]) + gamma); + } + } + // 5. Calculate $V_P$ + math::polynomial::polynomial V_P; + + // 6. Compute and add commitment to $V_P$ to $\text{transcript}$. + merkle_tree_type V_P_tree = lpc::commit(V_P, D_0); + typename lpc::commitment_type V_P_commitment = V_P_tree.root(); + transcript(V_P_commitment); + + // 7. Get $\theta \in \mathbb{F}$ from $hash(\text{transcript})$ typename FieldType::value_type teta = transcript.template get_challenge(); @@ -127,15 +170,6 @@ namespace nil { transcript(A1_commitment); transcript(S1_commitment); - // 8 - typename FieldType::value_type beta = - transcript.template get_challenge(); - - typename FieldType::value_type gamma = - transcript.template get_challenge(); - // 9 // and 10 std::vector> p(N_perm); @@ -144,17 +178,11 @@ namespace nil { math::polynomial::polynomial p1 = {1}; math::polynomial::polynomial q1 = {1}; - const std::vector> - &S_sigma = preprocessed_data.permutations; - const std::vector> - &S_id = preprocessed_data.identity_permutations; - for (std::size_t j = 0; j < N_perm; j++) { - math::polynomial::polynomial beta_polynom = {beta}; - math::polynomial::polynomial gamma_polynom = {gamma}; - - p.push_back(f[j] + beta_polynom * S_id[j] + gamma_polynom); - q.push_back(f[j] + beta_polynom * S_sigma[j] + gamma_polynom); + math::polynomial::polynomial tmp = + beta - S_id[j]; + p.push_back(f[j] + beta * S_id[j] + gamma); + q.push_back(f[j] + beta * S_sigma[j] + gamma); p1 = p1 * p[j]; q1 = q1 * q[j]; @@ -227,9 +255,7 @@ namespace nil { std::size_t n_i; for (std::size_t j = 0; j < n_i; j++) { std::size_t d_i_j; - math::polynomial::polynomial tau_polynom = { - tau.pow(d_i_j)}; - gates[i] = gates[i] + preprocessed_data.constraints[j] * tau_polynom; + gates[i] = gates[i] + preprocessed_data.constraints[j] * tau.pow(d_i_j); } // gates[i] *= preprocessed_data.selectors[i]; @@ -256,8 +282,7 @@ namespace nil { // 20 math::polynomial::polynomial F_consolidated = {0}; for (std::size_t i = 0; i < 11; i++) { - math::polynomial::polynomial alphas_polynom = {alphas[i]}; - F_consolidated = F_consolidated + alphas_polynom * F[i]; + F_consolidated = F_consolidated + alphas[i] * F[i]; } math::polynomial::polynomial T_consolidated = From 0199cb5f6842c0b2299483f3d15b8430cb43d20a Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Wed, 19 Jan 2022 01:32:16 +0300 Subject: [PATCH 042/219] Pickles proof definition updated. #20 --- include/nil/crypto3/zk/snark/commitments/pickles.hpp | 4 ++-- .../crypto3/zk/snark/systems/plonk/pickles/proof.hpp | 12 ++++++------ 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/pickles.hpp b/include/nil/crypto3/zk/snark/commitments/pickles.hpp index 245176521..2ed948f41 100644 --- a/include/nil/crypto3/zk/snark/commitments/pickles.hpp +++ b/include/nil/crypto3/zk/snark/commitments/pickles.hpp @@ -36,8 +36,8 @@ namespace nil { template class pickles_commitment_scheme { public: - using evaluation_type = typename CurveType::scalar_field_type::value_type; - using commitment_type = typename CurveType::value_type; + typedef typename CurveType::scalar_field_type::value_type evaluation_type; + typedef typename CurveType::template g1_type<>::value_type commitment_type; struct openning_type { }; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/pickles/proof.hpp b/include/nil/crypto3/zk/snark/systems/plonk/pickles/proof.hpp index 538cd25c1..81d84eafd 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/pickles/proof.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/pickles/proof.hpp @@ -37,8 +37,8 @@ namespace nil { namespace zk { namespace snark { - template - class ProverProof { + template + class pickles_proof { typedef pickles_commitment_scheme commitment_scheme; public: @@ -65,11 +65,11 @@ namespace nil { typename commitment_scheme::evaluation_type L_zeta_omega; // Opening proof - std::array L; - std::array R; + std::vector::value_type> L; + std::vector::value_type> R; - typename CurveType::value_type sigma; - typename CurveType::value_type G; + typename CurveType::template g1_type<>::value_type sigma; + typename CurveType::template g1_type<>::value_type G; typename CurveType::scalar_field_type::value_type z1, z2; From ed568d45849582f03e6543df7f5bbec8858f350e Mon Sep 17 00:00:00 2001 From: nkaskov Date: Wed, 19 Jan 2022 16:29:03 +0300 Subject: [PATCH 043/219] More PLONK Prover updates. #20 --- .../snark/systems/plonk/redshift/prover.hpp | 131 +++++++++++++----- .../zk/snark/transcript/fiat_shamir.hpp | 1 + 2 files changed, 95 insertions(+), 37 deletions(-) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 1dde5826a..45bf96a62 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -81,6 +81,12 @@ namespace nil { std::size_t N_rows = n; + std::vector omega_powers(std::max({N_wires, N_perm, N_rows}) + 1 + 1); + omega_powers[0] = FieldType::value_type::one(); + for (std::size_t power = 1; power < omega_powers.size(); power++) { + omega_powers[power] = preprocessed_data.omega * omega_powers[power - 1]; + } + std::vector D_0(n); for (std::size_t power = 1; power <= n; power++) { D_0.emplace_back(preprocessed_data.omega.pow(power)); @@ -121,8 +127,8 @@ namespace nil { // std::copy(PI.begin(), PI.end(), f.begin() + N_perm); // 4. For $1 < j \leq N_{\texttt{rows}}$ calculate $g_j, h_j$ - std::vector g(N_rows + 1); - std::vector h(N_rows + 1); + std::vector g_points(N_rows + 1); + std::vector h_points(N_rows + 1); const std::vector> &S_sigma = preprocessed_data.permutations; @@ -130,17 +136,37 @@ namespace nil { &S_id = preprocessed_data.identity_permutations; for (std::size_t j = 1; j <= N_rows; j++) { - g[j] = FieldType::value_type::one(); - h[j] = FieldType::value_type::one(); + g_points[j] = FieldType::value_type::one(); + h_points[j] = FieldType::value_type::one(); for (std::size_t i = 0; i < N_perm + N_PI; i++){ - g[j] *= (f[j].evaluate(D_0[j]) + beta * S_id[j].evaluate(D_0[j]) + gamma); - h[j] *= (f[j].evaluate(D_0[j]) + beta * S_sigma[j].evaluate(D_0[j]) + gamma); + g_points[j] *= (f[j].evaluate(D_0[j]) + beta * S_id[j].evaluate(D_0[j]) + gamma); + h_points[j] *= (f[j].evaluate(D_0[j]) + beta * S_sigma[j].evaluate(D_0[j]) + gamma); } } // 5. Calculate $V_P$ - math::polynomial::polynomial V_P; - + std::vector> + V_P_interpolation_points(n + 1); + + V_P_interpolation_points.push_back(std::make_pair(omega_powers[1], 1)); + for (std::size_t j = 2; j < N_rows + 1; j++) { + + typename FieldType::value_type tmp_mul_result = + FieldType::value_type::one(); + for (std::size_t i = 1; i <= j - 1; i++) { + tmp_mul_result *= g_points[i]/h_points[i]; + } + + V_P_interpolation_points.push_back(std::make_pair(omega_powers[j], + tmp_mul_result)); + } + + V_P_interpolation_points.push_back(std::make_pair(omega_powers[N_rows + 1], 1)); + + math::polynomial::polynomial V_P + = math::polynomial::lagrange_interpolation(V_P_interpolation_points); + // 6. Compute and add commitment to $V_P$ to $\text{transcript}$. merkle_tree_type V_P_tree = lpc::commit(V_P, D_0); typename lpc::commitment_type V_P_commitment = V_P_tree.root(); @@ -151,24 +177,64 @@ namespace nil { transcript.template get_challenge(); - // 5 - // A(teta) - std::vector A; - // S(teta) - std::vector S; + // 8. Get lookup_gate_i and table_value_i + + // 9. Construct the input lookup compression and table compression. + math::polynomial::polynomial A_compr; + math::polynomial::polynomial S_compr; + + // 10. Produce the permutation polynomials $S_{\texttt{perm}}(X)$ and $A_{\texttt{perm}}(X)$ + math::polynomial::polynomial A_perm; + math::polynomial::polynomial S_perm; + + // 11. Compute and add commitments to $A_{\texttt{perm}}$ and $S_{\texttt{perm}}$ to $\text{transcript}$ + + merkle_tree_type A_perm_tree = lpc::commit(A_perm, D_0); + typename lpc::commitment_type A_perm_commitment = A_perm_tree.root(); + transcript(A_perm_commitment); + + merkle_tree_type S_perm_tree = lpc::commit(S_perm, D_0); + typename lpc::commitment_type S_perm_commitment = S_perm_tree.root(); + transcript(S_perm_commitment); - // 6 - math::polynomial::polynomial A1; - math::polynomial::polynomial S1; + // 12. Compute $V_L(X)$ + std::vector> + V_L_interpolation_points(n + 1); + + V_L_interpolation_points.push_back(std::make_pair(omega_powers[1], 1)); + for (std::size_t j = 2; j < N_rows + 1; j++) { + + typename FieldType::value_type tmp_mul_result = + FieldType::value_type::one(); + for (std::size_t i = 1; i <= j - 1; i++) { + tmp_mul_result *= + ((A_compr.evaluate(omega_powers[i]) + beta) * (S_compr.evaluate(omega_powers[i]) + gamma))/ + ((A_perm.evaluate(omega_powers[i]) + beta) * (S_perm.evaluate(omega_powers[i]) + gamma)); + } + + V_L_interpolation_points.push_back(std::make_pair(omega_powers[j], + tmp_mul_result)); + } - // 7 - merkle_tree_type A1_tree = lpc::commit(A1, D_0); - merkle_tree_type S1_tree = lpc::commit(S1, D_0); - typename lpc::commitment_type A1_commitment = A1_tree.root(); - typename lpc::commitment_type S1_commitment = S1_tree.root(); + V_L_interpolation_points.push_back(std::make_pair(omega_powers[N_rows + 1], 1)); - transcript(A1_commitment); - transcript(S1_commitment); + math::polynomial::polynomial V_L + = math::polynomial::lagrange_interpolation(V_L_interpolation_points); + + // 13. Compute and add commitments to $V_L$ to $\text{transcript}$ + merkle_tree_type V_L_tree = lpc::commit(V_L, D_0); + typename lpc::commitment_type V_L_commitment = V_L_tree.root(); + transcript(V_L_commitment); + + // 14. Get $\alpha_0, \dots, \alpha_8 \in \mathbb{F}$ from $hash(\text{transcript})$ + std::array alphas = + transcript + .template get_challenges(); + + // 15. Get $\tau$ from $hash(\text{transcript})$ + typename FieldType::value_type tau = + transcript.template get_challenge(); // 9 // and 10 @@ -196,7 +262,7 @@ namespace nil { typename FieldType::value_type>> Q_interpolation_points(n + 1); - P_interpolation_points.push_back(std::make_pair(preprocessed_data.omega, 1)); + P_interpolation_points.push_back(std::make_pair(omega_powers[1], 1)); for (std::size_t i = 2; i <= n + 1; i++) { typename FieldType::value_type P_mul_result = @@ -204,13 +270,13 @@ namespace nil { typename FieldType::value_type Q_mul_result = FieldType::value_type::one(); for (std::size_t j = 1; j < i; j++) { - P_mul_result *= p1.evaluate(preprocessed_data.omega.pow(i)); - Q_mul_result *= q1.evaluate(preprocessed_data.omega.pow(i)); + P_mul_result *= p1.evaluate(omega_powers[i]); + Q_mul_result *= q1.evaluate(omega_powers[i]); } - P_interpolation_points.push_back(std::make_pair(preprocessed_data.omega.pow(i), + P_interpolation_points.push_back(std::make_pair(omega_powers[i], P_mul_result)); - Q_interpolation_points.push_back(std::make_pair(preprocessed_data.omega.pow(i), + Q_interpolation_points.push_back(std::make_pair(omega_powers[i], Q_mul_result)); } @@ -234,15 +300,6 @@ namespace nil { // 14 transcript(lpc::commit(V, D_0).root()); - // 15 - std::array alphas = - transcript - .template get_challenges(); - - // 16 - typename FieldType::value_type tau = - transcript.template get_challenge(); - // 17 // and 21 std::size_t N_T = N_perm; diff --git a/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp b/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp index 4bdc8cf46..03dc015c9 100644 --- a/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp +++ b/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp @@ -67,6 +67,7 @@ namespace nil { template void operator()(TAny data) { + // acc(data); } From ed3847c1eb88f8db48a19b6824cb0a0d6fd0cfc2 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Wed, 19 Jan 2022 18:53:39 +0300 Subject: [PATCH 044/219] More PLONK Prover updates. #20 --- .../snark/systems/plonk/redshift/prover.hpp | 67 +++++++++---------- 1 file changed, 31 insertions(+), 36 deletions(-) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 45bf96a62..e9c829f72 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -236,24 +236,39 @@ namespace nil { typename FieldType::value_type tau = transcript.template get_challenge(); - // 9 - // and 10 - std::vector> p(N_perm); - std::vector> q(N_perm); - - math::polynomial::polynomial p1 = {1}; - math::polynomial::polynomial q1 = {1}; - - for (std::size_t j = 0; j < N_perm; j++) { - math::polynomial::polynomial tmp = - beta - S_id[j]; - p.push_back(f[j] + beta * S_id[j] + gamma); - q.push_back(f[j] + beta * S_sigma[j] + gamma); - - p1 = p1 * p[j]; - q1 = q1 * q[j]; + // 16. Computing gates + std::vector> gates(N_sel); + std::vector> constraints = + constraint_system.polynoms(assignments); + + for (std::size_t i = 0; i <= N_sel - 1; i++) { + gates[i] = {0}; + std::size_t n_i; + for (std::size_t j = 0; j < n_i; j++) { + std::size_t d_i_j; + gates[i] = gates[i] + preprocessed_data.constraints[j] * tau.pow(d_i_j); + } + + // gates[i] *= preprocessed_data.selectors[i]; + + N_T = std::max(N_T, gates[i].size() - 1); + } + + // 17. Denote g_1,2, h_1,2 + math::polynomial::polynomial g_1 = {1}; + math::polynomial::polynomial g_2; + math::polynomial::polynomial h_1 = {1}, + math::polynomial::polynomial h_2; + + + for (std::size_t i = 0; i <= N_perm + N_PI - 1; i++) { + g_1[j] = g_1[j] * ( f[j] + beta * S_id[j] + gamma ); + h_1[j] = h_1[j] * ( f[j] + beta * S_sigma[j] + gamma ); } + g_2[j] = (A_compr + beta) * (S_compr + gamma); + h_2[j] = (A_perm + beta) * (S_perm + gamma); + // 11 std::vector> @@ -300,26 +315,6 @@ namespace nil { // 14 transcript(lpc::commit(V, D_0).root()); - // 17 - // and 21 - std::size_t N_T = N_perm; - std::vector> gates(N_sel); - std::vector> constraints = - constraint_system.polynoms(assignments); - - for (std::size_t i = 0; i < N_sel; i++) { - gates[i] = {0}; - std::size_t n_i; - for (std::size_t j = 0; j < n_i; j++) { - std::size_t d_i_j; - gates[i] = gates[i] + preprocessed_data.constraints[j] * tau.pow(d_i_j); - } - - // gates[i] *= preprocessed_data.selectors[i]; - - N_T = std::max(N_T, gates[i].size() - 1); - } - // 18 std::array, 11> F; // F[0] = preprocessed_data.Lagrange_basis[1] * (P - 1); From ab97dff3bcda5c0cfb74ff6281ec9c0526152eaf Mon Sep 17 00:00:00 2001 From: nkaskov Date: Wed, 19 Jan 2022 22:52:27 +0300 Subject: [PATCH 045/219] More PLONK Prover updates. #20 --- .../snark/systems/plonk/redshift/prover.hpp | 143 +++++++----------- 1 file changed, 56 insertions(+), 87 deletions(-) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index e9c829f72..f87ec50c0 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -27,7 +27,7 @@ #define CRYPTO3_ZK_PLONK_REDSHIFT_PROVER_HPP #include -#include +#include #include @@ -52,7 +52,7 @@ namespace nil { using types_policy = detail::redshift_types_policy; using transcript_manifest = - typename types_policy::template prover_fiat_shamir_heuristic_manifest<11>; + typename types_policy::template prover_fiat_shamir_heuristic_manifest<8>; typedef hashes::sha2<256> merkle_hash_type; typedef hashes::sha2<256> transcript_hash_type; @@ -74,21 +74,19 @@ namespace nil { std::size_t N_PI = PI.size(); // std::size_t N_const = ...; - std::size_t n = 0; + std::size_t N_rows = 0; for (auto &wire_assignments : assignments) { - n = std::max(n, wire_assignments.size()); + N_rows = std::max(N_rows, wire_assignments.size()); } - std::size_t N_rows = n; - std::vector omega_powers(std::max({N_wires, N_perm, N_rows}) + 1 + 1); omega_powers[0] = FieldType::value_type::one(); for (std::size_t power = 1; power < omega_powers.size(); power++) { omega_powers[power] = preprocessed_data.omega * omega_powers[power - 1]; } - std::vector D_0(n); - for (std::size_t power = 1; power <= n; power++) { + std::vector D_0(N_rows); + for (std::size_t power = 1; power <= N_rows; power++) { D_0.emplace_back(preprocessed_data.omega.pow(power)); } @@ -145,11 +143,10 @@ namespace nil { } } // 5. Calculate $V_P$ - std::vector> - V_P_interpolation_points(n + 1); + std::vector + V_P_interpolation_points(N_rows + 1); - V_P_interpolation_points.push_back(std::make_pair(omega_powers[1], 1)); + V_P_interpolation_points.push_back(FieldType::value_type::one()); for (std::size_t j = 2; j < N_rows + 1; j++) { typename FieldType::value_type tmp_mul_result = @@ -158,14 +155,18 @@ namespace nil { tmp_mul_result *= g_points[i]/h_points[i]; } - V_P_interpolation_points.push_back(std::make_pair(omega_powers[j], - tmp_mul_result)); + V_P_interpolation_points.push_back(tmp_mul_result); } - V_P_interpolation_points.push_back(std::make_pair(omega_powers[N_rows + 1], 1)); + V_P_interpolation_points.push_back(FieldType::value_type::one()); + + const std::shared_ptr> V_P_domain = + math::make_evaluation_domain(N_rows + 1); + + V_P_domain->inverse_fft(V_P_interpolation_points); math::polynomial::polynomial V_P - = math::polynomial::lagrange_interpolation(V_P_interpolation_points); + = V_P_interpolation_points; // 6. Compute and add commitment to $V_P$ to $\text{transcript}$. merkle_tree_type V_P_tree = lpc::commit(V_P, D_0); @@ -198,11 +199,10 @@ namespace nil { transcript(S_perm_commitment); // 12. Compute $V_L(X)$ - std::vector> - V_L_interpolation_points(n + 1); + std::vector + V_L_interpolation_points(N_rows + 1); - V_L_interpolation_points.push_back(std::make_pair(omega_powers[1], 1)); + V_L_interpolation_points.push_back(FieldType::value_type::one()); for (std::size_t j = 2; j < N_rows + 1; j++) { typename FieldType::value_type tmp_mul_result = @@ -213,14 +213,18 @@ namespace nil { ((A_perm.evaluate(omega_powers[i]) + beta) * (S_perm.evaluate(omega_powers[i]) + gamma)); } - V_L_interpolation_points.push_back(std::make_pair(omega_powers[j], - tmp_mul_result)); + V_L_interpolation_points.push_back(tmp_mul_result); } - V_L_interpolation_points.push_back(std::make_pair(omega_powers[N_rows + 1], 1)); + V_L_interpolation_points.push_back(FieldType::value_type::one()); + + const std::shared_ptr> V_L_domain = + math::make_evaluation_domain(N_rows + 1); + + V_L_domain->inverse_fft(V_L_interpolation_points); math::polynomial::polynomial V_L - = math::polynomial::lagrange_interpolation(V_L_interpolation_points); + = V_L_interpolation_points; // 13. Compute and add commitments to $V_L$ to $\text{transcript}$ merkle_tree_type V_L_tree = lpc::commit(V_L, D_0); @@ -237,6 +241,8 @@ namespace nil { transcript.template get_challenge(); // 16. Computing gates + // And 20. Compute N_T + std::size_t N_T = N_perm + N_PI; std::vector> gates(N_sel); std::vector> constraints = constraint_system.polynoms(assignments); @@ -262,97 +268,60 @@ namespace nil { for (std::size_t i = 0; i <= N_perm + N_PI - 1; i++) { - g_1[j] = g_1[j] * ( f[j] + beta * S_id[j] + gamma ); - h_1[j] = h_1[j] * ( f[j] + beta * S_sigma[j] + gamma ); - } - - g_2[j] = (A_compr + beta) * (S_compr + gamma); - h_2[j] = (A_perm + beta) * (S_perm + gamma); - - // 11 - std::vector> - P_interpolation_points(n + 1); - std::vector> - Q_interpolation_points(n + 1); - - P_interpolation_points.push_back(std::make_pair(omega_powers[1], 1)); - for (std::size_t i = 2; i <= n + 1; i++) { - - typename FieldType::value_type P_mul_result = - FieldType::value_type::one(); - typename FieldType::value_type Q_mul_result = - FieldType::value_type::one(); - for (std::size_t j = 1; j < i; j++) { - P_mul_result *= p1.evaluate(omega_powers[i]); - Q_mul_result *= q1.evaluate(omega_powers[i]); - } - - P_interpolation_points.push_back(std::make_pair(omega_powers[i], - P_mul_result)); - Q_interpolation_points.push_back(std::make_pair(omega_powers[i], - Q_mul_result)); + g_1 = g_1 * ( f[i] + beta * S_id[i] + gamma ); + h_1 = h_1 * ( f[i] + beta * S_sigma[i] + gamma ); } - math::polynomial::polynomial P; - // = math::polynomial::lagrange_interpolation(P_interpolation_points); - math::polynomial::polynomial Q; - // = math::polynomial::lagrange_interpolation(Q_interpolation_points); - - // 12 - merkle_tree_type P_tree = lpc::commit(P, D_0); - merkle_tree_type Q_tree = lpc::commit(Q, D_0); - typename lpc::commitment_type P_commitment = P_tree.root(); - typename lpc::commitment_type Q_commitment = Q_tree.root(); - - transcript(P_commitment); - transcript(Q_commitment); + g_2 = (A_compr + beta) * (S_compr + gamma); + h_2 = (A_perm + beta) * (S_perm + gamma); - // 13 - math::polynomial::polynomial V; + // 18. Define F polynomials + const math::polynomial::polynomial L1 + = preprocessed_data.Lagrange_basis[1]; - // 14 - transcript(lpc::commit(V, D_0).root()); + const math::polynomial::polynomial q_last; + const math::polynomial::polynomial q_blind; - // 18 - std::array, 11> F; - // F[0] = preprocessed_data.Lagrange_basis[1] * (P - 1); - // F[1] = preprocessed_data.Lagrange_basis[1] * (Q - 1); - // F[2] = P * p1 - (P << 1); - // F[3] = Q * q1 - (Q << 1); - // F[4] = preprocessed_data.Lagrange_basis[n] * ((P << 1) - (Q << 1)); - // F[5] = preprocessed_data.PI; + std::array, 9> F; + F[0] = L1 * (1 - V_P); + F[1] = (1 - (q_last + q_blind)) * (V_P_shifted * h_1 - V_P * g_1); + F[2] = q_last * (V_P*V_P - V_P); + F[3] = {0}; for (std::size_t i = 0; i < N_sel; i++) { - F[5] = F[5] + gates[i]; + F[3] = F[3] + gates[i]; } - // 19 - // ... + F[4] = L1 * (1 - V_L); + F[5] = V_L_shifted * h_2 - V_L * g2; + F[6] = q_last * (V_L * V_L - V_L); + F[7] = L1 * (A_perm - S_perm); + F[8] = (1 - (q_last + q_blind)) * (A_perm - S_perm) * (A_perm - A_perm_shifted); - // 20 + // 19. Compute F_consolidated math::polynomial::polynomial F_consolidated = {0}; - for (std::size_t i = 0; i < 11; i++) { + for (std::size_t i = 0; i < 8; i++) { F_consolidated = F_consolidated + alphas[i] * F[i]; } math::polynomial::polynomial T_consolidated = F_consolidated / preprocessed_data.Z; - // 22 + // 21. Split $T(X)$ into separate polynomials $T_0(X), ..., T_{N_T - 1}(X)$ std::vector> T(N_T); // T = separate_T(T_consolidated); - // 23 + // 22. Add commitments to $T_0(X), ..., T_{N_T - 1}(X)$ to $\text{transcript}$ std::vector T_trees; std::vector T_commitments; for (std::size_t i = 0; i < N_perm + 1; i++) { T_trees.push_back(lpc::commit(T[i], D_0)); T_commitments.push_back(T_trees[i].root()); + transcript(T_commitments[i]); } + // 23. Get $y \in \mathbb{F}/H$ from $hash|_{\mathbb{F}/H}(\text{transcript})$ typename FieldType::value_type upsilon = transcript .template get_challenge(); From 7674e6f94452c8c40ad6a17ead46e8a79642d3ac Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Mon, 24 Jan 2022 19:30:29 +0300 Subject: [PATCH 046/219] Proof generator updated #20 --- .../snark/systems/plonk/redshift/prover.hpp | 77 +++++++++---------- 1 file changed, 37 insertions(+), 40 deletions(-) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index f87ec50c0..304694380 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -27,7 +27,8 @@ #define CRYPTO3_ZK_PLONK_REDSHIFT_PROVER_HPP #include -#include +#include +#include #include @@ -79,7 +80,8 @@ namespace nil { N_rows = std::max(N_rows, wire_assignments.size()); } - std::vector omega_powers(std::max({N_wires, N_perm, N_rows}) + 1 + 1); + std::vector omega_powers(std::max({N_wires, N_perm, N_rows}) + + 1 + 1); omega_powers[0] = FieldType::value_type::one(); for (std::size_t power = 1; power < omega_powers.size(); power++) { omega_powers[power] = preprocessed_data.omega * omega_powers[power - 1]; @@ -96,7 +98,7 @@ namespace nil { // transcript(setup_values); // 1. Add commitments to $w_i(X)$ to $\text{transcript}$ - + std::vector> w = constraint_system.polynoms(assignments); @@ -111,14 +113,13 @@ namespace nil { // 2. Get $\beta, \gamma \in \mathbb{F}$ from $hash(\text{transcript})$ typename FieldType::value_type beta = - transcript.template get_challenge(); + transcript.template get_challenge(); typename FieldType::value_type gamma = - transcript.template get_challenge(); + transcript.template get_challenge(); - // 3. Denote witness polynomials included in permutation argument and public input polynomials as $f_i$ + // 3. Denote witness polynomials included in permutation argument and public input polynomials + // as $f_i$ std::vector> f(N_perm + N_PI); std::copy(w.begin(), w.end(), f.begin()); @@ -128,31 +129,30 @@ namespace nil { std::vector g_points(N_rows + 1); std::vector h_points(N_rows + 1); - const std::vector> - &S_sigma = preprocessed_data.permutations; - const std::vector> - &S_id = preprocessed_data.identity_permutations; + const std::vector> &S_sigma = + preprocessed_data.permutations; + const std::vector> &S_id = + preprocessed_data.identity_permutations; for (std::size_t j = 1; j <= N_rows; j++) { g_points[j] = FieldType::value_type::one(); h_points[j] = FieldType::value_type::one(); - for (std::size_t i = 0; i < N_perm + N_PI; i++){ + for (std::size_t i = 0; i < N_perm + N_PI; i++) { g_points[j] *= (f[j].evaluate(D_0[j]) + beta * S_id[j].evaluate(D_0[j]) + gamma); h_points[j] *= (f[j].evaluate(D_0[j]) + beta * S_sigma[j].evaluate(D_0[j]) + gamma); } } // 5. Calculate $V_P$ - std::vector + std::vector> V_P_interpolation_points(N_rows + 1); V_P_interpolation_points.push_back(FieldType::value_type::one()); for (std::size_t j = 2; j < N_rows + 1; j++) { - typename FieldType::value_type tmp_mul_result = - FieldType::value_type::one(); + typename FieldType::value_type tmp_mul_result = FieldType::value_type::one(); for (std::size_t i = 1; i <= j - 1; i++) { - tmp_mul_result *= g_points[i]/h_points[i]; + tmp_mul_result *= g_points[i] / h_points[i]; } V_P_interpolation_points.push_back(tmp_mul_result); @@ -161,12 +161,11 @@ namespace nil { V_P_interpolation_points.push_back(FieldType::value_type::one()); const std::shared_ptr> V_P_domain = - math::make_evaluation_domain(N_rows + 1); + math::make_evaluation_domain(N_rows + 1); V_P_domain->inverse_fft(V_P_interpolation_points); - math::polynomial::polynomial V_P - = V_P_interpolation_points; + math::polynomial::polynomial V_P = V_P_interpolation_points; // 6. Compute and add commitment to $V_P$ to $\text{transcript}$. merkle_tree_type V_P_tree = lpc::commit(V_P, D_0); @@ -175,8 +174,7 @@ namespace nil { // 7. Get $\theta \in \mathbb{F}$ from $hash(\text{transcript})$ typename FieldType::value_type teta = - transcript.template get_challenge(); + transcript.template get_challenge(); // 8. Get lookup_gate_i and table_value_i @@ -188,7 +186,8 @@ namespace nil { math::polynomial::polynomial A_perm; math::polynomial::polynomial S_perm; - // 11. Compute and add commitments to $A_{\texttt{perm}}$ and $S_{\texttt{perm}}$ to $\text{transcript}$ + // 11. Compute and add commitments to $A_{\texttt{perm}}$ and $S_{\texttt{perm}}$ to + // $\text{transcript}$ merkle_tree_type A_perm_tree = lpc::commit(A_perm, D_0); typename lpc::commitment_type A_perm_commitment = A_perm_tree.root(); @@ -199,18 +198,17 @@ namespace nil { transcript(S_perm_commitment); // 12. Compute $V_L(X)$ - std::vector - V_L_interpolation_points(N_rows + 1); + std::vector V_L_interpolation_points(N_rows + 1); V_L_interpolation_points.push_back(FieldType::value_type::one()); for (std::size_t j = 2; j < N_rows + 1; j++) { - typename FieldType::value_type tmp_mul_result = - FieldType::value_type::one(); + typename FieldType::value_type tmp_mul_result = FieldType::value_type::one(); for (std::size_t i = 1; i <= j - 1; i++) { - tmp_mul_result *= - ((A_compr.evaluate(omega_powers[i]) + beta) * (S_compr.evaluate(omega_powers[i]) + gamma))/ - ((A_perm.evaluate(omega_powers[i]) + beta) * (S_perm.evaluate(omega_powers[i]) + gamma)); + tmp_mul_result *= ((A_compr.evaluate(omega_powers[i]) + beta) * + (S_compr.evaluate(omega_powers[i]) + gamma)) / + ((A_perm.evaluate(omega_powers[i]) + beta) * + (S_perm.evaluate(omega_powers[i]) + gamma)); } V_L_interpolation_points.push_back(tmp_mul_result); @@ -219,12 +217,11 @@ namespace nil { V_L_interpolation_points.push_back(FieldType::value_type::one()); const std::shared_ptr> V_L_domain = - math::make_evaluation_domain(N_rows + 1); + math::make_evaluation_domain(N_rows + 1); V_L_domain->inverse_fft(V_L_interpolation_points); - math::polynomial::polynomial V_L - = V_L_interpolation_points; + math::polynomial::polynomial V_L = V_L_interpolation_points; // 13. Compute and add commitments to $V_L$ to $\text{transcript}$ merkle_tree_type V_L_tree = lpc::commit(V_L, D_0); @@ -250,6 +247,7 @@ namespace nil { for (std::size_t i = 0; i <= N_sel - 1; i++) { gates[i] = {0}; std::size_t n_i; +#error Uninitialized n_i for (std::size_t j = 0; j < n_i; j++) { std::size_t d_i_j; gates[i] = gates[i] + preprocessed_data.constraints[j] * tau.pow(d_i_j); @@ -263,21 +261,20 @@ namespace nil { // 17. Denote g_1,2, h_1,2 math::polynomial::polynomial g_1 = {1}; math::polynomial::polynomial g_2; - math::polynomial::polynomial h_1 = {1}, + math::polynomial::polynomial h_1 = {1}; math::polynomial::polynomial h_2; - for (std::size_t i = 0; i <= N_perm + N_PI - 1; i++) { - g_1 = g_1 * ( f[i] + beta * S_id[i] + gamma ); - h_1 = h_1 * ( f[i] + beta * S_sigma[i] + gamma ); + g_1 = g_1 * (f[i] + beta * S_id[i] + gamma); + h_1 = h_1 * (f[i] + beta * S_sigma[i] + gamma); } g_2 = (A_compr + beta) * (S_compr + gamma); h_2 = (A_perm + beta) * (S_perm + gamma); // 18. Define F polynomials - const math::polynomial::polynomial L1 - = preprocessed_data.Lagrange_basis[1]; + const math::polynomial::polynomial L1 = + preprocessed_data.Lagrange_basis[1]; const math::polynomial::polynomial q_last; const math::polynomial::polynomial q_blind; @@ -286,7 +283,7 @@ namespace nil { F[0] = L1 * (1 - V_P); F[1] = (1 - (q_last + q_blind)) * (V_P_shifted * h_1 - V_P * g_1); - F[2] = q_last * (V_P*V_P - V_P); + F[2] = q_last * (V_P * V_P - V_P); F[3] = {0}; for (std::size_t i = 0; i < N_sel; i++) { F[3] = F[3] + gates[i]; From 04e89c984ea61bb5afb520f5ce6d37bc50df281c Mon Sep 17 00:00:00 2001 From: nkaskov Date: Tue, 25 Jan 2022 03:49:10 +0300 Subject: [PATCH 047/219] Marshalling for Fiat-Shamir added, LPC test inited. #20 --- .../zk/snark/transcript/fiat_shamir.hpp | 7 +- test/CMakeLists.txt | 2 + test/commitment/lpc.cpp | 68 +++++++++++++++++++ 3 files changed, 75 insertions(+), 2 deletions(-) create mode 100644 test/commitment/lpc.cpp diff --git a/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp b/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp index 03dc015c9..a863d29ac 100644 --- a/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp +++ b/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp @@ -26,6 +26,8 @@ #ifndef CRYPTO3_ZK_TRANSCRIPT_FIAT_SHAMIR_HEURISTIC_HPP #define CRYPTO3_ZK_TRANSCRIPT_FIAT_SHAMIR_HEURISTIC_HPP +#include + #include #include @@ -67,8 +69,9 @@ namespace nil { template void operator()(TAny data) { - - // acc(data); + nil::marshalling::status_type status; + std::vector byte_data = nil::marshalling::pack(data, status); + acc(data); } template diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt index fb7356f04..956677774 100644 --- a/test/CMakeLists.txt +++ b/test/CMakeLists.txt @@ -47,6 +47,8 @@ macro(define_zk_test test) endmacro() set(TESTS_NAMES + "commitment/lpc" + "routing_algorithms/test_routing_algorithms" "relations/numeric/qap" diff --git a/test/commitment/lpc.cpp b/test/commitment/lpc.cpp new file mode 100644 index 000000000..f1128d433 --- /dev/null +++ b/test/commitment/lpc.cpp @@ -0,0 +1,68 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#define BOOST_TEST_MODULE lpc_test + +#include + +#include +#include +#include + +#include +#include +#include +#include + +#include + +using namespace nil::crypto3; +using namespace nil::crypto3::zk::snark; + +BOOST_AUTO_TEST_SUITE(lpc_test_suite) + +BOOST_AUTO_TEST_CASE(lpc_basic_test) { + + using curve_type = algebra::curves::bls12<381>; + + typedef hashes::sha2<256> merkle_hash_type; + typedef hashes::sha2<256> transcript_hash_type; + + typedef typename containers::merkle_tree merkle_tree_type; + + constexpr static const std::size_t lambda = 4; + constexpr static const std::size_t k = 4; + constexpr static const std::size_t r = 4; + constexpr static const std::size_t m = 2; + + typedef list_polynomial_commitment_scheme lpc; + + + + +} + +BOOST_AUTO_TEST_SUITE_END() \ No newline at end of file From 76b4691422362b725e625d7cbea126aedc7347c1 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Tue, 25 Jan 2022 15:21:42 +0300 Subject: [PATCH 048/219] LPC updated. #20 --- .../list_polynomial_commitment.hpp | 57 ++++++++++--------- .../snark/systems/plonk/redshift/prover.hpp | 2 +- test/commitment/lpc.cpp | 9 ++- 3 files changed, 37 insertions(+), 31 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index caa36a6ac..70c0c57a2 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -54,9 +54,9 @@ namespace nil { */ template class list_polynomial_commitment_scheme { @@ -145,63 +145,66 @@ namespace nil { for (std::size_t round_id = 0; round_id < lambda; round_id++) { - math::polynomial::polynomial f_i = Q; + math::polynomial::polynomial f_round = Q; - typename FieldType::value_type x_i = + typename FieldType::value_type x_0 = transcript .template get_challenge(); + typename FieldType::value_type x_round = x_0; + std::array &alpha_openings = proof.alpha_openings[round_id]; std::array &f_y_openings = proof.f_y_openings[round_id]; std::array &f_commitments = proof.f_commitments[round_id]; math::polynomial::polynomial &f_ip1_coefficients = proof.f_ip1_coefficients[round_id]; - merkle_tree_type f_i_tree = T; + merkle_tree_type f_round_tree = T; - auto y_arr = + std::array y_challenges = transcript.template get_challenges(); for (std::size_t i = 0; i <= r - 1; i++) { - // typename FieldType::value_type y_i = - // transcript.template get_challenge(); + typename FieldType::value_type y_i = y_challenges[i]; - math::polynomial::polynomial sqr_polynom = {y_arr[i], 0, + math::polynomial::polynomial sqr_polynom = {y_challenges[i], 0, -1}; + + // m = 2, so: std::array s; - // = math::polynomial::get_roots(sqr_polynom); + s[0] = y_i.sqrt(); + s[1] = -s[0]; std::array, m> p_y_i_interpolation_points; for (std::size_t j = 0; j < m; j++) { - typename FieldType::value_type alpha_i_j = f_i.evaluate(s[j]); + typename FieldType::value_type alpha_i_j = f_round.evaluate(s[j]); std::size_t leaf_index = std::find(D.begin(), D.end(), s[j]) - D.begin(); - alpha_openings[m * i + j] = merkle_proof_type(f_i_tree, leaf_index); + alpha_openings[m * i + j] = merkle_proof_type(f_round_tree, leaf_index); p_y_i_interpolation_points[j] = std::make_pair(s[j], alpha_i_j); } - math::polynomial::polynomial p_y_i = + math::polynomial::polynomial p_y = math::polynomial::lagrange_interpolation(p_y_i_interpolation_points); - f_i = p_y_i; + f_round = p_y; - typename FieldType::value_type f_y_i = f_i.evaluate(y_arr[i]); - std::size_t leaf_index = std::find(D.begin(), D.end(), y_arr[i]) - D.begin(); - f_y_openings[i] = merkle_proof_type(f_i_tree, leaf_index); - - x_i = q.evaluate(x_i); + typename FieldType::value_type f_y_i = f_round.evaluate(y_challenges[i]); + std::size_t leaf_index = std::find(D.begin(), D.end(), y_challenges[i]) - D.begin(); + f_y_openings[i] = merkle_proof_type(f_round_tree, leaf_index); if (i < r - 1) { - f_i_tree = commit(f_i, D); - f_commitments[i] = f_i_tree.root(); + f_round_tree = commit(f_round, D); + f_commitments[i] = f_round_tree.root(); transcript(f_commitments[i]); } else { - f_ip1_coefficients = f_i; + f_ip1_coefficients = f_round; } + + x_round = q.evaluate(x_round); } } @@ -245,7 +248,7 @@ namespace nil { math::polynomial::polynomial f_i = Q; - typename FieldType::value_type x_i = + typename FieldType::value_type x_round = transcript .template get_challenge(); @@ -290,11 +293,11 @@ namespace nil { return false; } - if (f_y_i != p_y_i.evaluate(x_i)) { + if (f_y_i != p_y_i.evaluate(x_round)) { return false; } - x_i = q.evaluate(x_i); + x_round = q.evaluate(x_round); if (i < r - 1) { if (f_i != p_y_i) { diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 304694380..7c704817a 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -144,7 +144,7 @@ namespace nil { } } // 5. Calculate $V_P$ - std::vector> + std::vector V_P_interpolation_points(N_rows + 1); V_P_interpolation_points.push_back(FieldType::value_type::one()); diff --git a/test/commitment/lpc.cpp b/test/commitment/lpc.cpp index f1128d433..9ef4cf2b9 100644 --- a/test/commitment/lpc.cpp +++ b/test/commitment/lpc.cpp @@ -52,9 +52,12 @@ BOOST_AUTO_TEST_CASE(lpc_basic_test) { typedef typename containers::merkle_tree merkle_tree_type; - constexpr static const std::size_t lambda = 4; - constexpr static const std::size_t k = 4; - constexpr static const std::size_t r = 4; + constexpr static const std::size_t lambda = 40; + constexpr static const std::size_t k = 1; + + constexpr static const std::size_t d = 5; + + constexpr static const std::size_t r = std::ceil(std::log2(d - k)); constexpr static const std::size_t m = 2; typedef list_polynomial_commitment_scheme Date: Tue, 25 Jan 2022 17:00:04 +0300 Subject: [PATCH 049/219] Fiat-Shamir updated, LPC test updated. #20 --- .../zk/snark/transcript/fiat_shamir.hpp | 4 ++-- test/commitment/lpc.cpp | 18 +++++++++++++++++- 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp b/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp index a863d29ac..734103da1 100644 --- a/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp +++ b/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp @@ -70,8 +70,8 @@ namespace nil { template void operator()(TAny data) { nil::marshalling::status_type status; - std::vector byte_data = nil::marshalling::pack(data, status); - acc(data); + typename Hash::construction::type::block_type byte_data = nil::marshalling::pack(data, status); + acc(byte_data); } template diff --git a/test/commitment/lpc.cpp b/test/commitment/lpc.cpp index 9ef4cf2b9..54fcfe312 100644 --- a/test/commitment/lpc.cpp +++ b/test/commitment/lpc.cpp @@ -35,6 +35,9 @@ #include #include #include +#include + +#include #include @@ -46,6 +49,7 @@ BOOST_AUTO_TEST_SUITE(lpc_test_suite) BOOST_AUTO_TEST_CASE(lpc_basic_test) { using curve_type = algebra::curves::bls12<381>; + using FieldType = typename curve_type::base_field_type; typedef hashes::sha2<256> merkle_hash_type; typedef hashes::sha2<256> transcript_hash_type; @@ -60,11 +64,23 @@ BOOST_AUTO_TEST_CASE(lpc_basic_test) { constexpr static const std::size_t r = std::ceil(std::log2(d - k)); constexpr static const std::size_t m = 2; - typedef list_polynomial_commitment_scheme lpc; + typename FieldType::value_type omega = math::unity_root(math::detail::get_power_of_two(k)); + + std::vector D_0(10); + for (std::size_t power = 1; power <= 10; power++) { + D_0.emplace_back(omega.pow(power)); + } + + const math::polynomial::polynomial f = {0, 0, 1}; + + merkle_tree_type T = lpc::commit(f, D_0); + std::array evaluation_points = {algebra::random_element()}; + lpc::proof_eval(evaluation_points, T, f, D_0); } From 406c5df1c5da61445fe63f7c513a41621da1c38d Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Wed, 26 Jan 2022 04:11:06 +0300 Subject: [PATCH 050/219] Minor LPC commitment scheme tests changes #20 --- test/commitment/lpc.cpp | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/test/commitment/lpc.cpp b/test/commitment/lpc.cpp index 54fcfe312..995e6c06b 100644 --- a/test/commitment/lpc.cpp +++ b/test/commitment/lpc.cpp @@ -61,11 +61,10 @@ BOOST_AUTO_TEST_CASE(lpc_basic_test) { constexpr static const std::size_t d = 5; - constexpr static const std::size_t r = std::ceil(std::log2(d - k)); + constexpr static const std::size_t r = boost::static_log2<(d - k)>::value; constexpr static const std::size_t m = 2; - typedef list_polynomial_commitment_scheme lpc; + typedef list_polynomial_commitment_scheme lpc; typename FieldType::value_type omega = math::unity_root(math::detail::get_power_of_two(k)); @@ -81,7 +80,6 @@ BOOST_AUTO_TEST_CASE(lpc_basic_test) { std::array evaluation_points = {algebra::random_element()}; lpc::proof_eval(evaluation_points, T, f, D_0); - } BOOST_AUTO_TEST_SUITE_END() \ No newline at end of file From 6a4bf5246930454e0255333f89a21e0d43f66e60 Mon Sep 17 00:00:00 2001 From: Ilias Khairullin Date: Wed, 26 Jan 2022 13:53:46 +0300 Subject: [PATCH 051/219] Updated Fiat-Shamir heuristic. #20 --- .../zk/snark/transcript/fiat_shamir.hpp | 60 ++++++++++++++++ test/CMakeLists.txt | 4 +- test/transcript/transcript.cpp | 69 +++++++++++++++++++ 3 files changed, 132 insertions(+), 1 deletion(-) create mode 100644 test/transcript/transcript.cpp diff --git a/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp b/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp index 734103da1..331c68cb1 100644 --- a/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp +++ b/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp @@ -1,6 +1,7 @@ //---------------------------------------------------------------------------// // Copyright (c) 2021 Mikhail Komarov // Copyright (c) 2021 Nikita Kaskov +// Copyright (c) 2021 Ilias Khairullin // // MIT License // @@ -27,10 +28,13 @@ #define CRYPTO3_ZK_TRANSCRIPT_FIAT_SHAMIR_HEURISTIC_HPP #include +#include #include #include +#include + namespace nil { namespace crypto3 { namespace zk { @@ -106,6 +110,62 @@ namespace nil { return result; } }; + + template> + struct fiat_shamir_heuristic_updated { + typedef Hash hash_type; + + template + fiat_shamir_heuristic_updated(const InputRange &r) : state(hash(r)) { + } + + template + fiat_shamir_heuristic_updated(InputIterator first, InputIterator last) : + state(hash(first, last)) { + } + + template + void operator()(const InputRange &r) { + auto acc_convertible = hash(state); + state = accumulators::extract::hash( + hash(r, static_cast &>(acc_convertible))); + } + + template + void operator()(InputIterator first, InputIterator last) { + auto acc_convertible = hash(state); + state = accumulators::extract::hash( + hash(first, last, static_cast &>(acc_convertible))); + } + + template + typename std::enable_if<(Hash::digest_bits >= Field::modulus_bits), + typename Field::value_type>::type + get_challenge() { + + state = hash(state); + nil::marshalling::status_type status; + nil::crypto3::multiprecision::cpp_int raw_result = nil::marshalling::pack(state, status); + + return raw_result; + } + + template + typename std::enable_if<(Hash::digest_bits >= Field::modulus_bits), + std::array>::type + get_challenges() { + + std::array result; + for (auto &ch : result) { + ch = get_challenge(); + } + + return result; + } + + private: + typename hash_type::digest_type state; + }; } // namespace snark } // namespace zk } // namespace crypto3 diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt index 956677774..66d909922 100644 --- a/test/CMakeLists.txt +++ b/test/CMakeLists.txt @@ -70,7 +70,9 @@ set(TESTS_NAMES "systems/ppzksnark/ram_ppzksnark/ram_ppzksnark" "systems/ppzksnark/tbcs_ppzksnark/tbcs_ppzksnark" "systems/ppzksnark/uscs_ppzksnark/uscs_ppzksnark" - "systems/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark_aggregation_conformity") + "systems/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark_aggregation_conformity" + + "transcript/transcript") foreach(TEST_NAME ${TESTS_NAMES}) define_zk_test(${TEST_NAME}) diff --git a/test/transcript/transcript.cpp b/test/transcript/transcript.cpp new file mode 100644 index 000000000..cabebc51b --- /dev/null +++ b/test/transcript/transcript.cpp @@ -0,0 +1,69 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Ilias Khairullin +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#define BOOST_TEST_MODULE zk_transcript_test + +#include + +#include +#include +#include + +#include +#include +#include +#include + +#include + +using namespace nil::crypto3; +using namespace nil::crypto3::zk::snark; + +BOOST_AUTO_TEST_SUITE(zk_transcript_test_suite) + +BOOST_AUTO_TEST_CASE(zk_transcript_manual_test) { + using field_type = algebra::curves::alt_bn128_254::scalar_field_type; + std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; + fiat_shamir_heuristic_updated tr(init_blob); + auto ch1 = tr.get_challenge(); + auto ch2 = tr.get_challenge(); + auto ch_n = tr.get_challenges(); + + std::cout << ch1.data << std::endl; + std::cout << ch2.data << std::endl; + for (const auto &ch : ch_n) { + std::cout << ch.data << std::endl; + } + + std::vector updated_blob {0xa, 0xb, 0xc, 0xd, 0xe, 0xf}; + tr(updated_blob); + + ch_n = tr.get_challenges(); + for (const auto &ch : ch_n) { + std::cout << ch.data << std::endl; + } +} + +BOOST_AUTO_TEST_SUITE_END() From 00aaea27c0447feb9ff38a011c56fe2afe46f915 Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Wed, 26 Jan 2022 19:07:46 +0300 Subject: [PATCH 052/219] Equality operators implemented #20 --- .../list_polynomial_commitment.hpp | 46 +++++++++++++++---- test/commitment/lpc.cpp | 7 +-- 2 files changed, 40 insertions(+), 13 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index 70c0c57a2..6698d41de 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -77,9 +77,9 @@ namespace nil { using commitment_type = typename merkle_tree_type::value_type; struct proof_type { + friend bool operator==(const proof_type &lhs, const proof_type &rhs); - proof_type() { - } + friend bool operator!=(const proof_type &lhs, const proof_type &rhs); std::array z_openings; std::array, lambda> alpha_openings; @@ -110,7 +110,7 @@ namespace nil { return merkle_tree_type(y_data); } - static proof_type proof_eval(std::array evaluation_points, + static proof_type proof_eval(const std::array &evaluation_points, const merkle_tree_type &T, const math::polynomial::polynomial &f, const std::vector &D) { @@ -169,9 +169,9 @@ namespace nil { typename FieldType::value_type y_i = y_challenges[i]; - math::polynomial::polynomial sqr_polynom = {y_challenges[i], 0, - -1}; - + math::polynomial::polynomial sqr_polynom = { + y_challenges[i], 0, -1}; + // m = 2, so: std::array s; s[0] = y_i.sqrt(); @@ -211,9 +211,9 @@ namespace nil { return proof; } - static bool verify_eval(std::array evaluation_points, - commitment_type root, - proof_type proof, + static bool verify_eval(const std::array &evaluation_points, + const commitment_type &root, + const proof_type &proof, const std::vector &D) { // temporary definition, until polynomial is constexpr @@ -317,11 +317,37 @@ namespace nil { } } } - return true; } }; + template + bool operator==( + const typename list_polynomial_commitment_scheme::proof_type &lhs, + const typename list_polynomial_commitment_scheme::proof_type + &rhs) { + return lhs.z_openings == rhs.z_openings && lhs.alpha_openings == rhs.alpha_openings && + lhs.f_y_openings == rhs.f_y_openings && lhs.f_commitments == rhs.f_commitments && + lhs.f_ip1_coefficients == rhs.f_ip1_coefficients; + } + + template + bool operator!=( + const typename list_polynomial_commitment_scheme::proof_type &lhs, + const typename list_polynomial_commitment_scheme::proof_type + &rhs) { + return !(lhs == rhs); + } } // namespace snark } // namespace zk } // namespace crypto3 diff --git a/test/commitment/lpc.cpp b/test/commitment/lpc.cpp index 995e6c06b..312e5d89c 100644 --- a/test/commitment/lpc.cpp +++ b/test/commitment/lpc.cpp @@ -64,7 +64,8 @@ BOOST_AUTO_TEST_CASE(lpc_basic_test) { constexpr static const std::size_t r = boost::static_log2<(d - k)>::value; constexpr static const std::size_t m = 2; - typedef list_polynomial_commitment_scheme lpc; + typedef list_polynomial_commitment_scheme lpc_type; + typedef typename lpc_type::proof_type proof_type; typename FieldType::value_type omega = math::unity_root(math::detail::get_power_of_two(k)); @@ -75,11 +76,11 @@ BOOST_AUTO_TEST_CASE(lpc_basic_test) { const math::polynomial::polynomial f = {0, 0, 1}; - merkle_tree_type T = lpc::commit(f, D_0); + merkle_tree_type T = lpc_type::commit(f, D_0); std::array evaluation_points = {algebra::random_element()}; - lpc::proof_eval(evaluation_points, T, f, D_0); + BOOST_CHECK(lpc_type::proof_eval(evaluation_points, T, f, D_0) != proof_type()); } BOOST_AUTO_TEST_SUITE_END() \ No newline at end of file From 7b9cfdbf6025bf124d4a9d2cf2e2d81a329540bb Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Wed, 26 Jan 2022 19:28:15 +0300 Subject: [PATCH 053/219] Equality operators implemented #20 --- .../list_polynomial_commitment.hpp | 42 +++++-------------- .../ram_zksnark/profile_ram_zksnark.cpp | 1 - 2 files changed, 10 insertions(+), 33 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index 6698d41de..63c5ea544 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -77,9 +77,14 @@ namespace nil { using commitment_type = typename merkle_tree_type::value_type; struct proof_type { - friend bool operator==(const proof_type &lhs, const proof_type &rhs); - - friend bool operator!=(const proof_type &lhs, const proof_type &rhs); + bool operator==(const proof_type &rhs) const { + return z_openings == rhs.z_openings && alpha_openings == rhs.alpha_openings && + f_y_openings == rhs.f_y_openings && f_commitments == rhs.f_commitments && + f_ip1_coefficients == rhs.f_ip1_coefficients; + } + bool operator!=(const proof_type &rhs) const { + return !(rhs == *this); + } std::array z_openings; std::array, lambda> alpha_openings; @@ -102,8 +107,9 @@ namespace nil { const std::vector &D) { std::vector y; + y.reserve(D.size()); for (typename FieldType::value_type H : D) { - y.push_back(f.evaluate(H)); + y.emplace_back(f.evaluate(H)); } std::vector> y_data; @@ -320,34 +326,6 @@ namespace nil { return true; } }; - - template - bool operator==( - const typename list_polynomial_commitment_scheme::proof_type &lhs, - const typename list_polynomial_commitment_scheme::proof_type - &rhs) { - return lhs.z_openings == rhs.z_openings && lhs.alpha_openings == rhs.alpha_openings && - lhs.f_y_openings == rhs.f_y_openings && lhs.f_commitments == rhs.f_commitments && - lhs.f_ip1_coefficients == rhs.f_ip1_coefficients; - } - - template - bool operator!=( - const typename list_polynomial_commitment_scheme::proof_type &lhs, - const typename list_polynomial_commitment_scheme::proof_type - &rhs) { - return !(lhs == rhs); - } } // namespace snark } // namespace zk } // namespace crypto3 diff --git a/perf/proof_systems/zksnark/ram_zksnark/profile_ram_zksnark.cpp b/perf/proof_systems/zksnark/ram_zksnark/profile_ram_zksnark.cpp index dc949bceb..72cc29379 100644 --- a/perf/proof_systems/zksnark/ram_zksnark/profile_ram_zksnark.cpp +++ b/perf/proof_systems/zksnark/ram_zksnark/profile_ram_zksnark.cpp @@ -128,7 +128,6 @@ bool process_command_line(const int argc, const char **argv, bool &profile_gp, s if (vm.count("v")) { algebra::print_compilation_info(); - exit(0); } if (vm.count("help")) { From d251014b2479d3ef055b4d2b51396f7932f13601 Mon Sep 17 00:00:00 2001 From: Ilias Khairullin Date: Thu, 27 Jan 2022 15:14:02 +0300 Subject: [PATCH 054/219] Transcript updated. --- include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp b/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp index 331c68cb1..fab273278 100644 --- a/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp +++ b/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp @@ -32,6 +32,7 @@ #include #include +#include #include @@ -111,7 +112,7 @@ namespace nil { } }; - template> + template> struct fiat_shamir_heuristic_updated { typedef Hash hash_type; From d8da6cf2a97cfa3e59dd45fc8d70cf8259ead8cf Mon Sep 17 00:00:00 2001 From: Ilias Khairullin Date: Fri, 28 Jan 2022 11:35:54 +0300 Subject: [PATCH 055/219] Public typedefs added. #20 --- .../commitments/list_polynomial_commitment.hpp | 18 +++++++++++------- .../zk/snark/systems/plonk/redshift/proof.hpp | 1 + 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index 63c5ea544..8ad71c92f 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -54,12 +54,17 @@ namespace nil { */ template - class list_polynomial_commitment_scheme { - + std::size_t _lambda = 40, + std::size_t _k = 1, + std::size_t _r = 1, + std::size_t _m = 2> + struct list_polynomial_commitment_scheme { + static constexpr std::size_t lambda = _lambda; + static constexpr std::size_t k = _k; + static constexpr std::size_t r = _r; + static constexpr std::size_t m = _m; + + typedef FieldType field_type; typedef Hash transcript_hash_type; typedef typename containers::merkle_tree merkle_tree_type; @@ -72,7 +77,6 @@ namespace nil { enum challenges_ids { x, y }; }; - public: using openning_type = merkle_proof_type; using commitment_type = typename merkle_tree_type::value_type; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp index 8892e1a47..6dbce2124 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp @@ -33,6 +33,7 @@ namespace nil { template struct redshift_proof { + typedef CommitmentSchemeType commitment_scheme_type; redshift_proof() { } From cb2ddd90579a2dccbce900c2493a94cd03a37e48 Mon Sep 17 00:00:00 2001 From: Ilias Khairullin Date: Fri, 28 Jan 2022 16:17:07 +0300 Subject: [PATCH 056/219] Redshift proof comparison operators added. --- .../crypto3/zk/snark/systems/plonk/redshift/proof.hpp | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp index 6dbce2124..85e3ba734 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp @@ -51,6 +51,16 @@ namespace nil { typename CommitmentSchemeType::proof_type Q_lpc_proof; std::vector T_lpc_proofs; + + bool operator==(const redshift_proof &rhs) const { + return f_commitments == rhs.f_commitments && P_commitment == rhs.P_commitment && + Q_commitment == rhs.Q_commitment && T_commitments == rhs.T_commitments && + f_lpc_proofs == rhs.f_lpc_proofs && P_lpc_proof == rhs.P_lpc_proof && + Q_lpc_proof == rhs.Q_lpc_proof && T_lpc_proofs == rhs.T_lpc_proofs; + } + bool operator!=(const redshift_proof &rhs) const { + return !(rhs == *this); + } }; } // namespace snark } // namespace zk From 5a9de185ddfaac902e77f81794945cddf1055906 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Tue, 1 Feb 2022 02:14:34 +0300 Subject: [PATCH 057/219] Separate FRI inited. #20 --- .../zk/snark/commitments/fri_commitment.hpp | 261 +++++++++++++++--- 1 file changed, 229 insertions(+), 32 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index 3b3d17b68..b54349f1e 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -26,7 +26,13 @@ #ifndef CRYPTO3_ZK_FRI_COMMITMENT_SCHEME_HPP #define CRYPTO3_ZK_FRI_COMMITMENT_SCHEME_HPP -#include +#include +#include + +#include +#include + +#include namespace nil { namespace crypto3 { @@ -46,50 +52,241 @@ namespace nil { * Matter Labs, * */ - template - class fri_commitment_scheme : commitment_scheme<...> { - typedef std::array, Rounds> TCommitment; - typedef std::array TDecommitmentInfo; - typedef... TSRS; - typedef std::tuple, std::array> - TData; // f_0 and x_0...x_{r-1} - public: - virtual std::pair commit(TSRS PK, TData data) { - TCommitment f; - f[0] = std::get<0>(data); - - for (std::size_t i = 0; i < Rounds - 1; i++) { - - math::polynomial<...> p_yi = math::make_interpolant(f[i], S_y(x)); - f[i + 1] = p_yi(std::get<1>(data)[i]); - } + template + struct fri_commitment_scheme { + static constexpr std::size_t lambda = _lambda; + static constexpr std::size_t k = _k; + static constexpr std::size_t m = _m; + + typedef FieldType field_type; + typedef Hash transcript_hash_type; + + typedef typename containers::merkle_tree merkle_tree_type; + typedef typename containers::merkle_proof merkle_proof_type; + + // static const math::polynomial::polynomial + // q = {0, 0, 1}; + + struct params { - math::polynomial<...> p_yr = math::make_interpolant(f[r - 1], S_y(x)); + }; - math::polynomial<...> f_r = p_yr(std::get<1>(data)[r]); - std::array a = math::get_polynom_coefs(f_r); + using openning_type = merkle_proof_type; + using commitment_type = typename merkle_tree_type::value_type; - return std::make_pair(f, a); + struct proof_type { + + }; + + // The result of this function is not commitment_type (as it would expected), + // but the built Merkle tree. This is done so, because we often need to reuse + // the built Merkle tree + // After this function + // result.root(); + // should be called + static merkle_tree_type + commit(const math::polynomial::polynomial &f, + const std::vector &D) { } - virtual... open(TSRS PK, TCommitment C, TData phi, TDecommitmentInfo d) { + static proof_type proof_eval(const math::polynomial::polynomial &Q, + const fiat_shamir_heuristic_updated &transcript, + const params &fri_params) { + + proof_type proof; + + math::polynomial::polynomial f = Q; + + typename FieldType::value_type x = + transcript.template get_challenge(); + + std::size_t r = fri_params.r; + + std::array &alpha_openings = proof.alpha_openings; + std::array &f_y_openings = proof.f_y_openings; + std::array &f_commitments = proof.f_commitments; + math::polynomial::polynomial &f_ip1_coefficients = + proof.f_ip1_coefficients; + merkle_tree_type f_round_tree = T; + + for (std::size_t i = 0; i <= r - 1; i++) { + + typename FieldType::value_type alpha = + transcript.template get_challenge_from(fri_params.D_ip1); + + typename FieldType::value_type x_next = fri_params.q(x); + + std::size_t d = f.degree(); + + math::polynomial::polynomial f_next((d + 1)/2 - 1); + + for (std::size_t index = 0; index < f_next.size(); index++){ + f_next[index] = f[2*index] + alpha * f[2*index + 1]; + } + + // m = 2, so: + assert(m == 2); + std::array s; + s[0] = x; + s[1] = -x; + + std::arraytypename FieldType::value_type, m> y; + + for (std::size_t j = 0; j < m; j++) { + y[j] = f(s[j]); + } + + std::array p; + + if (i == 0) { + + for (std::size_t j = 0; j < m; j++) { + + typename FieldType::value_type leaf = f.evaluate(s[j]); + std::size_t leaf_index = std::find(D.begin(), D.end(), leaf) - D.begin(); + p[j] = T_0.hash_path(leaf_index); + } + } else { + for (std::size_t j = 0; j < m; j++) { + + std::size_t leaf_index = std::find(D.begin(), D.end(), y[j]) - D.begin(); + p[j] = T_i.hash_path(leaf_index); + } + } + + typename FieldType::value_type f_y_i = f_round.evaluate(y_challenges[i]); + std::size_t leaf_index = std::find(D.begin(), D.end(), y_challenges[i]) - D.begin(); + f_y_openings[i] = merkle_proof_type(f_round_tree, leaf_index); + + if (i < r - 1) { + f_round_tree = commit(f_round, D); + f_commitments[i] = f_round_tree.root(); + transcript(f_commitments[i]); + } else { + f_ip1_coefficients = f_round; + } + + x = x_next; + f = f_next; + } + + return proof; } - virtual bool verify(TSRS PK, TCommitment f, ... a, TDecommitmentInfo d) { - a = get<1>(C); - math::polynomial f_r(a); + static bool verify_eval(const std::array &evaluation_points, + const commitment_type &root, + const proof_type &proof, + const std::vector &D) { + + // temporary definition, until polynomial is constexpr + const math::polynomial::polynomial q = {0, 0, 1}; + + fiat_shamir_heuristic_updated transcript; + + std::array &z_openings = proof.z_openings; + std::array, k> + U_interpolation_points; - std::array<..., r + 1> s; - s[0] = random<...>(...); + for (std::size_t j = 0; j < k; j++) { + typename FieldType::value_type z_j; + // = algebra::marshalling(z_openings[j].leaf); + if (!z_openings[j].validate(root)) { + return false; + } - for (std::size_t i = 0; i < r; i++) { - s[i + 1] = q(s[i]); + U_interpolation_points[j] = std::make_pair(evaluation_points[j], z_j); } - ... + math::polynomial::polynomial U = + math::polynomial::lagrange_interpolation(U_interpolation_points); + + math::polynomial::polynomial Q; + // = (f - U); + // for (std::size_t j = 0; j < k; j++){ + // Q = Q/(x - U_interpolation_points[j]); + // } + + for (std::size_t round_id = 0; round_id < lambda; round_id++) { + + math::polynomial::polynomial f_i = Q; + + typename FieldType::value_type x_round = + transcript + .template get_challenge(); + + std::array &alpha_openings = proof.alpha_openings[round_id]; + std::array &f_y_openings = proof.f_y_openings[round_id]; + std::array &f_commitments = proof.f_commitments[round_id]; + std::vector &f_ip1_coefficients = + proof.f_ip1_coefficients[round_id]; + + commitment_type &f_i_tree_root = root; + + auto y_arr = + transcript.template get_challenges(); + + for (std::size_t i = 0; i <= r - 1; i++) { + + math::polynomial::polynomial sqr_polynom = {y_arr[i], 0, + -1}; + std::array s; + // = math::polynomial::get_roots(sqr_polynom); + + std::array, m> + p_y_i_interpolation_points; + + for (std::size_t j = 0; j < m; j++) { + typename FieldType::value_type alpha_i_j; + // = algebra::marshalling(alpha_openings[m*i + j].leaf); + if (!alpha_openings[m * i + j].validate(f_i_tree_root)) { + return false; + } + p_y_i_interpolation_points[j] = std::make_pair(s[j], alpha_i_j); + } + + math::polynomial::polynomial p_y_i = + math::polynomial::lagrange_interpolation(p_y_i_interpolation_points); + + typename FieldType::value_type f_y_i; + // = algebra::marshalling(f_y_openings[i].leaf); + if (!f_y_openings[i].validate(f_i_tree_root)) { + return false; + } + + if (f_y_i != p_y_i.evaluate(x_round)) { + return false; + } + + x_round = q.evaluate(x_round); + + if (i < r - 1) { + if (f_i != p_y_i) { + return false; + } + + f_commitments[i] = commit(f_i, D).root(); + transcript(f_commitments[i]); + } else { + if (f_i != p_y_i) { + return false; + } + + // if (f_i.size() != ...){ + // return false; + // } + } + } + } + return true; } }; - } // namespace snark } // namespace zk } // namespace crypto3 From 8fef2c34f14d7671a74dc77291d0d4e0b00ff1ba Mon Sep 17 00:00:00 2001 From: nkaskov Date: Tue, 1 Feb 2022 02:52:09 +0300 Subject: [PATCH 058/219] Separate FRI updated. #20 --- .../zk/snark/commitments/fri_commitment.hpp | 37 +++++++++++++------ 1 file changed, 26 insertions(+), 11 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index b54349f1e..d6d4fa3de 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -79,8 +79,20 @@ namespace nil { using openning_type = merkle_proof_type; using commitment_type = typename merkle_tree_type::value_type; + struct round_proof_type { + std::array y; + std::array p; + + merkle_tree_type T; + + typename FieldType::value_type colinear_value; + merkle_proof_type colinear_path; + }; + struct proof_type { - + // 0..r-2 + std::vector round_proofs; + math::polynomial::polynomial final_polynomial; }; // The result of this function is not commitment_type (as it would expected), @@ -135,10 +147,10 @@ namespace nil { s[0] = x; s[1] = -x; - std::arraytypename FieldType::value_type, m> y; + std::array y; for (std::size_t j = 0; j < m; j++) { - y[j] = f(s[j]); + y[j] = f.evaluate(s[j]); } std::array p; @@ -149,26 +161,29 @@ namespace nil { typename FieldType::value_type leaf = f.evaluate(s[j]); std::size_t leaf_index = std::find(D.begin(), D.end(), leaf) - D.begin(); - p[j] = T_0.hash_path(leaf_index); + p[j] = T.hash_path(leaf_index); } } else { for (std::size_t j = 0; j < m; j++) { std::size_t leaf_index = std::find(D.begin(), D.end(), y[j]) - D.begin(); - p[j] = T_i.hash_path(leaf_index); + p[j] = T.hash_path(leaf_index); } } - typename FieldType::value_type f_y_i = f_round.evaluate(y_challenges[i]); - std::size_t leaf_index = std::find(D.begin(), D.end(), y_challenges[i]) - D.begin(); - f_y_openings[i] = merkle_proof_type(f_round_tree, leaf_index); - if (i < r - 1) { - f_round_tree = commit(f_round, D); + T = commit(f_round, D); f_commitments[i] = f_round_tree.root(); transcript(f_commitments[i]); + + typename FieldType::value_type colinear_value = f_next.evaluate(x_next); + + std::size_t leaf_index = std::find(D.begin(), D.end(), colinear_value) - D.begin(); + typename FieldType::value_type colinear_path = T.hash_path(leaf_index); + + round_proof(y, p, T, colinear_value, colinear_path); } else { - f_ip1_coefficients = f_round; + } x = x_next; From fa057d8c006f603e82c59149fcfaa43fa58fa115 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Wed, 2 Feb 2022 00:30:45 +0300 Subject: [PATCH 059/219] Separate FRI updated. #20 --- .../zk/snark/commitments/fri_commitment.hpp | 158 ++++-------------- 1 file changed, 29 insertions(+), 129 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index d6d4fa3de..340a21b1d 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -56,7 +56,6 @@ namespace nil { typename Hash, std::size_t _lambda = 40, std::size_t _k = 1, - std::size_t _r = 1, std::size_t _m = 2> struct fri_commitment_scheme { static constexpr std::size_t lambda = _lambda; @@ -69,9 +68,6 @@ namespace nil { typedef typename containers::merkle_tree merkle_tree_type; typedef typename containers::merkle_proof merkle_proof_type; - // static const math::polynomial::polynomial - // q = {0, 0, 1}; - struct params { }; @@ -90,8 +86,8 @@ namespace nil { }; struct proof_type { - // 0..r-2 - std::vector round_proofs; + std::vector round_proofs; // 0..r-2 + math::polynomial::polynomial final_polynomial; }; @@ -107,6 +103,8 @@ namespace nil { } static proof_type proof_eval(const math::polynomial::polynomial &Q, + const math::polynomial::polynomial &g, + const merkle_tree_type &T, const fiat_shamir_heuristic_updated &transcript, const params &fri_params) { @@ -126,6 +124,8 @@ namespace nil { proof.f_ip1_coefficients; merkle_tree_type f_round_tree = T; + std::vector round_proofs; + for (std::size_t i = 0; i <= r - 1; i++) { typename FieldType::value_type alpha = @@ -155,151 +155,51 @@ namespace nil { std::array p; - if (i == 0) { + for (std::size_t j = 0; j < m; j++) { + if (i == 0) { - for (std::size_t j = 0; j < m; j++) { + typename FieldType::value_type leaf = g.evaluate(s[j]); + std::size_t leaf_index = std::find(D.begin(), D.end(), leaf) - D.begin(); + p[j] = T.hash_path(leaf_index); + } + } else { + for (std::size_t j = 0; j < m; j++) { - typename FieldType::value_type leaf = f.evaluate(s[j]); - std::size_t leaf_index = std::find(D.begin(), D.end(), leaf) - D.begin(); - p[j] = T.hash_path(leaf_index); + std::size_t leaf_index = std::find(D.begin(), D.end(), y[j]) - D.begin(); + p[j] = T.hash_path(leaf_index); } - } else { - for (std::size_t j = 0; j < m; j++) { + } - std::size_t leaf_index = std::find(D.begin(), D.end(), y[j]) - D.begin(); - p[j] = T.hash_path(leaf_index); - } + if (i < r - 2) { + merkle_tree_type T_next = commit(f_round, D); + f_commitments = f_round_tree.root(); + transcript(f_commitments); } if (i < r - 1) { - T = commit(f_round, D); - f_commitments[i] = f_round_tree.root(); - transcript(f_commitments[i]); - typename FieldType::value_type colinear_value = f_next.evaluate(x_next); std::size_t leaf_index = std::find(D.begin(), D.end(), colinear_value) - D.begin(); - typename FieldType::value_type colinear_path = T.hash_path(leaf_index); + typename FieldType::value_type colinear_path = T_next.hash_path(leaf_index); - round_proof(y, p, T, colinear_value, colinear_path); + round_proofs.emplace_back(y, p, T, colinear_value, colinear_path); } else { - + math::polynomial::polynomial final_polynomial( + f_next.begin(), f_next.end() + Q.size()); + + return proof_type(round_proofs, final_polynomial); } x = x_next; f = f_next; + T = T_next; } - - return proof; } static bool verify_eval(const std::array &evaluation_points, - const commitment_type &root, const proof_type &proof, - const std::vector &D) { - - // temporary definition, until polynomial is constexpr - const math::polynomial::polynomial q = {0, 0, 1}; - - fiat_shamir_heuristic_updated transcript; - - std::array &z_openings = proof.z_openings; - std::array, k> - U_interpolation_points; - - for (std::size_t j = 0; j < k; j++) { - typename FieldType::value_type z_j; - // = algebra::marshalling(z_openings[j].leaf); - if (!z_openings[j].validate(root)) { - return false; - } - - U_interpolation_points[j] = std::make_pair(evaluation_points[j], z_j); - } - - math::polynomial::polynomial U = - math::polynomial::lagrange_interpolation(U_interpolation_points); - - math::polynomial::polynomial Q; - // = (f - U); - // for (std::size_t j = 0; j < k; j++){ - // Q = Q/(x - U_interpolation_points[j]); - // } - - for (std::size_t round_id = 0; round_id < lambda; round_id++) { - - math::polynomial::polynomial f_i = Q; + const params &fri_params) { - typename FieldType::value_type x_round = - transcript - .template get_challenge(); - - std::array &alpha_openings = proof.alpha_openings[round_id]; - std::array &f_y_openings = proof.f_y_openings[round_id]; - std::array &f_commitments = proof.f_commitments[round_id]; - std::vector &f_ip1_coefficients = - proof.f_ip1_coefficients[round_id]; - - commitment_type &f_i_tree_root = root; - - auto y_arr = - transcript.template get_challenges(); - - for (std::size_t i = 0; i <= r - 1; i++) { - - math::polynomial::polynomial sqr_polynom = {y_arr[i], 0, - -1}; - std::array s; - // = math::polynomial::get_roots(sqr_polynom); - - std::array, m> - p_y_i_interpolation_points; - - for (std::size_t j = 0; j < m; j++) { - typename FieldType::value_type alpha_i_j; - // = algebra::marshalling(alpha_openings[m*i + j].leaf); - if (!alpha_openings[m * i + j].validate(f_i_tree_root)) { - return false; - } - p_y_i_interpolation_points[j] = std::make_pair(s[j], alpha_i_j); - } - - math::polynomial::polynomial p_y_i = - math::polynomial::lagrange_interpolation(p_y_i_interpolation_points); - - typename FieldType::value_type f_y_i; - // = algebra::marshalling(f_y_openings[i].leaf); - if (!f_y_openings[i].validate(f_i_tree_root)) { - return false; - } - - if (f_y_i != p_y_i.evaluate(x_round)) { - return false; - } - - x_round = q.evaluate(x_round); - - if (i < r - 1) { - if (f_i != p_y_i) { - return false; - } - - f_commitments[i] = commit(f_i, D).root(); - transcript(f_commitments[i]); - } else { - if (f_i != p_y_i) { - return false; - } - - // if (f_i.size() != ...){ - // return false; - // } - } - } - } - return true; } }; } // namespace snark From 87738b79926ce2804c891dd0bf7a1e1a091d44a4 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Wed, 2 Feb 2022 00:46:22 +0300 Subject: [PATCH 060/219] Separate FRI updated. #20 --- include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index 340a21b1d..52fdb3cab 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -184,10 +184,7 @@ namespace nil { round_proofs.emplace_back(y, p, T, colinear_value, colinear_path); } else { - math::polynomial::polynomial final_polynomial( - f_next.begin(), f_next.end() + Q.size()); - - return proof_type(round_proofs, final_polynomial); + return proof_type(round_proofs, f_next); } x = x_next; From fb28493ebb47b579bfbc759bad8c58a2f9a36474 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Wed, 2 Feb 2022 00:51:29 +0200 Subject: [PATCH 061/219] fri tests draft #20 --- test/CMakeLists.txt | 1 + test/commitment/fri.cpp | 180 ++++++++++++++++++++++++++++++++ test/systems/plonk/redshift.cpp | 30 ++++++ 3 files changed, 211 insertions(+) create mode 100644 test/commitment/fri.cpp diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt index 66d909922..c3fbcbe8a 100644 --- a/test/CMakeLists.txt +++ b/test/CMakeLists.txt @@ -48,6 +48,7 @@ endmacro() set(TESTS_NAMES "commitment/lpc" + "commitment/fri" "routing_algorithms/test_routing_algorithms" diff --git a/test/commitment/fri.cpp b/test/commitment/fri.cpp new file mode 100644 index 000000000..a52e2412a --- /dev/null +++ b/test/commitment/fri.cpp @@ -0,0 +1,180 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#define BOOST_TEST_MODULE fri_test + +#include + +#include +#include +#include + +#include +#include +#include + +#include +#include +#include + +#include // until fri inclusion +#include // until fri inclusion + +using namespace nil::crypto3; + +template +std::vector prepare_domain(const std::size_t d) { + typename FieldType::value_type omega = math::unity_root(math::detail::get_power_of_two(d)); + std::vector D_0(d); + for (std::size_t power = 1; power <= d; power++) { + D_0.emplace_back(omega.pow(power)); + } + return D_0; +} + +BOOST_AUTO_TEST_SUITE(fri_test_suite) + +BOOST_AUTO_TEST_CASE(fri_basic_test) { + + // fri params + using curve_type = algebra::curves::mnt4<298>; + using FieldType = typename curve_type::base_field_type; + + typedef hashes::sha2<256> merkle_hash_type; + typedef hashes::sha2<256> transcript_hash_type; + + typedef typename containers::merkle_tree merkle_tree_type; + + constexpr static const std::size_t lambda = 40; + constexpr static const std::size_t k = 1; + + constexpr static const std::size_t d = 4; + + constexpr static const std::size_t r = boost::static_log2::value; + constexpr static const std::size_t m = 2; + + // typedef fri_commitment_scheme fri_type; + // typedef typename fri_type::proof_type proof_type; + + math::polynomial::polynomial f = {1, 3, 4, 25}; + + // create domain D_0 + std::vector D_0 = prepare_domain(d); + // merkle_tree_type T = fri_type::commit(f, D_0); + + // std::array evaluation_points = {omega.pow(5)}; + + // proof_type proof = fri_type::proof_eval(evaluation_points, T, f, D_0) + // BOOST_CHECK(fry_type::verify_eval(evaluation_points, T, proof, D_0)) +} + +BOOST_AUTO_TEST_CASE(fri_fold_test) { + + // fri params + using curve_type = algebra::curves::mnt4<298>; + using FieldType = typename curve_type::base_field_type; + + constexpr static const std::size_t d = 4; + + // typedef fri_commitment_scheme fri_type; + + math::polynomial::polynomial f = {1, 3, 4, 25}; + + std::vector D_0 = prepare_domain(d); + typename FieldType::value_type omega = D_0[0]; + + // x_next = fri_type::params.q(x) + typename FieldType::value_type alpha = algebra::random_element(); + // math::polynomial::polynomial f_next = fri_type::fold_polynomial(f, alpha) + + std::vector> points { + std::make_pair(omega, f.evaluate(omega)), + std::make_pair(-omega, f.evaluate(-omega)), + }; + math::polynomial::polynomial interpolant = math::polynomial::_lagrange_interpolation(points); + // BOOST_CHECK_EQUAL(interpolant.eval(alpha), f_next.eval(x_next)) +} + +BOOST_AUTO_TEST_CASE(fri_coset_test) { + + // fri params + using curve_type = algebra::curves::mnt4<298>; + using FieldType = typename curve_type::base_field_type; + + // typedef fri_commitment_scheme fri_type; + + math::polynomial::polynomial f = {1, 3, 4, 25}; + + // create domain D_0 + // Get omega from D_0 + + // delegate q = fry_type::q() + // x_next = q(omega) + + // vector s = fri_type::get_coset(x_next) + //for (std::size_t i = 0; i < s.size(); i++) { + // BOOST_CHECK_EQUAL(x_next, s[i]^2); + //} +} + +BOOST_AUTO_TEST_CASE(fri_steps_count_test) { + + // fri params + using curve_type = algebra::curves::mnt4<298>; + using FieldType = typename curve_type::base_field_type; + + typedef hashes::sha2<256> merkle_hash_type; + typedef hashes::sha2<256> transcript_hash_type; + + typedef typename containers::merkle_tree merkle_tree_type; + + constexpr static const std::size_t lambda = 40; + constexpr static const std::size_t k = 1; + + constexpr static const std::size_t d = 4; + + constexpr static const std::size_t r = boost::static_log2::value; + constexpr static const std::size_t m = 2; + + // typedef fri_commitment_scheme fri_type; + // typedef typename fri_type::proof_type proof_type; + + math::polynomial::polynomial f = {1, 3, 4, 25}; + + std::vector D_0 = prepare_domain(d); + + // merkle_tree_type T = fri_type::commit(f, D_0); + + // std::array evaluation_points = {omega.pow(algebra::random_element())}; + + // proof_type proof = fri_type::proof_eval(evaluation_points, T, f, D_0) + // math::polynomial::polynomial f_res = proof.last_round.f + + // int expected_deg = def(f) - 2^r + + // BOOST_CHECK_EQUAL(f_res.deg(), expected_deg) +} + +BOOST_AUTO_TEST_SUITE_END() \ No newline at end of file diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index f66e346e2..6e8bc3a17 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -54,4 +54,34 @@ BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { zk::snark::redshift_prover prove; } +BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { + + using curve_type = algebra::curves::bls12<381>; + + zk::snark::redshift_preprocessor preprocess; + + // auto preprocessed_data = preprocess::process(cs, assignments); + zk::snark::redshift_prover prove; +} + +BOOST_AUTO_TEST_CASE(redshift_lookup_argument_test) { + + using curve_type = algebra::curves::bls12<381>; + + zk::snark::redshift_preprocessor preprocess; + + // auto preprocessed_data = preprocess::process(cs, assignments); + zk::snark::redshift_prover prove; +} + +BOOST_AUTO_TEST_CASE(redshift_witness_argument_test) { + + using curve_type = algebra::curves::bls12<381>; + + zk::snark::redshift_preprocessor preprocess; + + // auto preprocessed_data = preprocess::process(cs, assignments); + zk::snark::redshift_prover prove; +} + BOOST_AUTO_TEST_SUITE_END() \ No newline at end of file From a2192e668ce61a87292637c4fc6f0e1f42b2ba60 Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Wed, 2 Feb 2022 06:06:12 +0300 Subject: [PATCH 062/219] Minor API changes #20 --- .../commitments/list_polynomial_commitment.hpp | 14 ++++++-------- .../zk/snark/systems/plonk/redshift/prover.hpp | 14 ++++++-------- .../crypto3/zk/snark/transcript/fiat_shamir.hpp | 12 ++++++------ test/transcript/transcript.cpp | 8 ++++---- 4 files changed, 22 insertions(+), 26 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index 8ad71c92f..7c758138f 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -159,7 +159,7 @@ namespace nil { typename FieldType::value_type x_0 = transcript - .template get_challenge(); + .template challenge(); typename FieldType::value_type x_round = x_0; @@ -171,9 +171,8 @@ namespace nil { merkle_tree_type f_round_tree = T; std::array y_challenges = - transcript.template get_challenges(); + transcript + .template challenges(); for (std::size_t i = 0; i <= r - 1; i++) { @@ -260,7 +259,7 @@ namespace nil { typename FieldType::value_type x_round = transcript - .template get_challenge(); + .template challenge(); std::array &alpha_openings = proof.alpha_openings[round_id]; std::array &f_y_openings = proof.f_y_openings[round_id]; @@ -271,9 +270,8 @@ namespace nil { commitment_type &f_i_tree_root = root; auto y_arr = - transcript.template get_challenges(); + transcript + .template challenges(); for (std::size_t i = 0; i <= r - 1; i++) { diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 7c704817a..7719635bf 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -113,10 +113,10 @@ namespace nil { // 2. Get $\beta, \gamma \in \mathbb{F}$ from $hash(\text{transcript})$ typename FieldType::value_type beta = - transcript.template get_challenge(); + transcript.template challenge(); typename FieldType::value_type gamma = - transcript.template get_challenge(); + transcript.template challenge(); // 3. Denote witness polynomials included in permutation argument and public input polynomials // as $f_i$ @@ -174,7 +174,7 @@ namespace nil { // 7. Get $\theta \in \mathbb{F}$ from $hash(\text{transcript})$ typename FieldType::value_type teta = - transcript.template get_challenge(); + transcript.template challenge(); // 8. Get lookup_gate_i and table_value_i @@ -230,12 +230,11 @@ namespace nil { // 14. Get $\alpha_0, \dots, \alpha_8 \in \mathbb{F}$ from $hash(\text{transcript})$ std::array alphas = - transcript - .template get_challenges(); + transcript.template challenges(); // 15. Get $\tau$ from $hash(\text{transcript})$ typename FieldType::value_type tau = - transcript.template get_challenge(); + transcript.template challenge(); // 16. Computing gates // And 20. Compute N_T @@ -320,8 +319,7 @@ namespace nil { // 23. Get $y \in \mathbb{F}/H$ from $hash|_{\mathbb{F}/H}(\text{transcript})$ typename FieldType::value_type upsilon = - transcript - .template get_challenge(); + transcript.template challenge(); std::array fT_evaluation_points = {upsilon}; std::vector f_lpc_proofs(N_wires); diff --git a/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp b/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp index fab273278..f5fd87701 100644 --- a/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp +++ b/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp @@ -80,7 +80,7 @@ namespace nil { } template - typename FieldType::value_type get_challenge() { + typename FieldType::value_type challenge() { // acc(ChallengeId); typename Hash::digest_type hash_res = accumulators::extract::hash(acc); @@ -88,7 +88,7 @@ namespace nil { } template - typename FieldType::value_type get_challenge() { + typename FieldType::value_type challenge() { // acc(ChallengeId + Index); typename Hash::digest_type hash_res = accumulators::extract::hash(acc); @@ -97,7 +97,7 @@ namespace nil { template - std::array get_challenges() { + std::array challenges() { std::array hash_results; std::array result; @@ -142,7 +142,7 @@ namespace nil { template typename std::enable_if<(Hash::digest_bits >= Field::modulus_bits), typename Field::value_type>::type - get_challenge() { + challenge() { state = hash(state); nil::marshalling::status_type status; @@ -154,11 +154,11 @@ namespace nil { template typename std::enable_if<(Hash::digest_bits >= Field::modulus_bits), std::array>::type - get_challenges() { + challenges() { std::array result; for (auto &ch : result) { - ch = get_challenge(); + ch = challenge(); } return result; diff --git a/test/transcript/transcript.cpp b/test/transcript/transcript.cpp index cabebc51b..65454e2b1 100644 --- a/test/transcript/transcript.cpp +++ b/test/transcript/transcript.cpp @@ -47,9 +47,9 @@ BOOST_AUTO_TEST_CASE(zk_transcript_manual_test) { using field_type = algebra::curves::alt_bn128_254::scalar_field_type; std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; fiat_shamir_heuristic_updated tr(init_blob); - auto ch1 = tr.get_challenge(); - auto ch2 = tr.get_challenge(); - auto ch_n = tr.get_challenges(); + auto ch1 = tr.challenge(); + auto ch2 = tr.challenge(); + auto ch_n = tr.challenges(); std::cout << ch1.data << std::endl; std::cout << ch2.data << std::endl; @@ -60,7 +60,7 @@ BOOST_AUTO_TEST_CASE(zk_transcript_manual_test) { std::vector updated_blob {0xa, 0xb, 0xc, 0xd, 0xe, 0xf}; tr(updated_blob); - ch_n = tr.get_challenges(); + ch_n = tr.challenges(); for (const auto &ch : ch_n) { std::cout << ch.data << std::endl; } From f36b7cb9c8c9ada5ebe1fd92565d64232b3f2ec0 Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Wed, 2 Feb 2022 06:18:46 +0300 Subject: [PATCH 063/219] Minor changes #20 --- include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp | 5 +++-- .../nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp index 0310816fe..d19969895 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp @@ -99,7 +99,7 @@ namespace nil { } std::vector> - polynoms(plonk_variable_assignment full_variable_assignment) const { + polynomials(plonk_variable_assignment full_variable_assignment) const { std::vector> result( constraints.size()); @@ -116,7 +116,8 @@ namespace nil { for (auto &term : constraints[constraint_index].terms) { - math::polynomial::polynomial term_polynom = {term.coeff}; + math::polynomial::polynomial term_polynom = { + term.coeff}; // TODO: Rotation isn't taken into consideration for (auto &var : term.vars) { diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 7719635bf..73e5ce1dc 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -100,7 +100,7 @@ namespace nil { // 1. Add commitments to $w_i(X)$ to $\text{transcript}$ std::vector> w = - constraint_system.polynoms(assignments); + constraint_system.polynomials(assignments); std::vector w_trees; std::vector w_commitments; @@ -241,7 +241,7 @@ namespace nil { std::size_t N_T = N_perm + N_PI; std::vector> gates(N_sel); std::vector> constraints = - constraint_system.polynoms(assignments); + constraint_system.polynomials(assignments); for (std::size_t i = 0; i <= N_sel - 1; i++) { gates[i] = {0}; From 69e007cdc744835af53e5d1febdb9d3b1cf9c303 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Wed, 2 Feb 2022 10:54:30 +0200 Subject: [PATCH 064/219] move permutation argument to separate class #20 --- .../plonk/redshift/permutation_argument.hpp | 154 ++++++++++++++++++ .../snark/systems/plonk/redshift/prover.hpp | 74 +-------- .../snark/systems/plonk/redshift/verifier.hpp | 20 +-- 3 files changed, 168 insertions(+), 80 deletions(-) create mode 100644 include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp new file mode 100644 index 000000000..3fdc45c39 --- /dev/null +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp @@ -0,0 +1,154 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_PLONK_REDSHIFT_PERMUTATION_ARGUMENT_HPP +#define CRYPTO3_ZK_PLONK_REDSHIFT_PERMUTATION_ARGUMENT_HPP + +#include +#include +#include + +#include + +#include + +#include +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + template + class redshift_permutation_argument { + + static inline std::array, 3> + prove_argument(fiat_shamir_heuristic &transcript, ) { + // 2. Get $\beta, \gamma \in \mathbb{F}$ from $hash(\text{transcript})$ + typename FieldType::value_type beta = + transcript.template challenge(); + + typename FieldType::value_type gamma = + transcript.template challenge(); + + // 4. For $1 < j \leq N_{\texttt{rows}}$ calculate $g_j, h_j$ + std::vector g_points(N_rows + 1); + std::vector h_points(N_rows + 1); + + const std::vector> &S_sigma = + preprocessed_data.permutations; + const std::vector> &S_id = + preprocessed_data.identity_permutations; + + for (std::size_t j = 1; j <= N_rows; j++) { + g_points[j] = FieldType::value_type::one(); + h_points[j] = FieldType::value_type::one(); + for (std::size_t i = 0; i < N_perm + N_PI; i++) { + + g_points[j] *= (f[j].evaluate(D_0[j]) + beta * S_id[j].evaluate(D_0[j]) + gamma); + h_points[j] *= (f[j].evaluate(D_0[j]) + beta * S_sigma[j].evaluate(D_0[j]) + gamma); + } + } + + // 5. Calculate $V_P$ + std::vector + V_P_interpolation_points(N_rows + 1); + + V_P_interpolation_points.push_back(FieldType::value_type::one()); + for (std::size_t j = 2; j < N_rows + 1; j++) { + + typename FieldType::value_type tmp_mul_result = FieldType::value_type::one(); + for (std::size_t i = 1; i <= j - 1; i++) { + tmp_mul_result *= g_points[i] / h_points[i]; + } + + V_P_interpolation_points.push_back(tmp_mul_result); + } + + V_P_interpolation_points.push_back(FieldType::value_type::one()); + + const std::shared_ptr> V_P_domain = + math::make_evaluation_domain(N_rows + 1); + + V_P_domain->inverse_fft(V_P_interpolation_points); + + math::polynomial::polynomial V_P = V_P_interpolation_points; + + // 6. Compute and add commitment to $V_P$ to $\text{transcript}$. + merkle_tree_type V_P_tree = lpc::commit(V_P, D_0); + typename lpc::commitment_type V_P_commitment = V_P_tree.root(); + transcript(V_P_commitment); + + + // 17. Denote g_1,2, h_1,2 + math::polynomial::polynomial g_1 = {1}; + math::polynomial::polynomial h_1 = {1}; + + for (std::size_t i = 0; i <= N_perm + N_PI - 1; i++) { + g_1 = g_1 * (f[i] + beta * S_id[i] + gamma); + h_1 = h_1 * (f[i] + beta * S_sigma[i] + gamma); + } + + const math::polynomial::polynomial q_last; + const math::polynomial::polynomial q_blind; + + std::array, 3> F; + F[0] = L1 * (1 - V_P); + F[1] = (1 - (q_last + q_blind)) * (V_P_shifted * h_1 - V_P * g_1); + F[2] = q_last * (V_P * V_P - V_P); + + return F; + } + + static inline std::array + verify_argument(fiat_shamir_heuristic &transcript, ) { + typename transcript_hash_type::digest_type beta_bytes = + transcript.get_challenge(); + + typename transcript_hash_type::digest_type gamma_bytes = + transcript.get_challenge(); + + typename FieldType::value_type beta = algebra::marshalling(beta_bytes); + typename FieldType::value_type gamma = algebra::marshalling(gamma_bytes); + + transcript(proof.P_commitment); + transcript(proof.Q_commitment); + + const math::polynomial::polynomial q_last; + const math::polynomial::polynomial q_blind; + + F[0] = verification_key.L_basis[1] * (P - 1); + F[1] = verification_key.L_basis[1] * (Q - 1); + F[2] = P * p_1 - (P << 1); + + return F; + } + } + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_PLONK_REDSHIFT_PROVER_HPP \ No newline at end of file diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 73e5ce1dc..8372af3df 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -37,6 +37,7 @@ #include #include #include +#include namespace nil { namespace crypto3 { @@ -111,66 +112,15 @@ namespace nil { transcript(w_commitments[i]); } - // 2. Get $\beta, \gamma \in \mathbb{F}$ from $hash(\text{transcript})$ - typename FieldType::value_type beta = - transcript.template challenge(); - - typename FieldType::value_type gamma = - transcript.template challenge(); - // 3. Denote witness polynomials included in permutation argument and public input polynomials // as $f_i$ std::vector> f(N_perm + N_PI); std::copy(w.begin(), w.end(), f.begin()); - // std::copy(PI.begin(), PI.end(), f.begin() + N_perm); - - // 4. For $1 < j \leq N_{\texttt{rows}}$ calculate $g_j, h_j$ - std::vector g_points(N_rows + 1); - std::vector h_points(N_rows + 1); - - const std::vector> &S_sigma = - preprocessed_data.permutations; - const std::vector> &S_id = - preprocessed_data.identity_permutations; - - for (std::size_t j = 1; j <= N_rows; j++) { - g_points[j] = FieldType::value_type::one(); - h_points[j] = FieldType::value_type::one(); - for (std::size_t i = 0; i < N_perm + N_PI; i++) { - - g_points[j] *= (f[j].evaluate(D_0[j]) + beta * S_id[j].evaluate(D_0[j]) + gamma); - h_points[j] *= (f[j].evaluate(D_0[j]) + beta * S_sigma[j].evaluate(D_0[j]) + gamma); - } - } - // 5. Calculate $V_P$ - std::vector - V_P_interpolation_points(N_rows + 1); - - V_P_interpolation_points.push_back(FieldType::value_type::one()); - for (std::size_t j = 2; j < N_rows + 1; j++) { - - typename FieldType::value_type tmp_mul_result = FieldType::value_type::one(); - for (std::size_t i = 1; i <= j - 1; i++) { - tmp_mul_result *= g_points[i] / h_points[i]; - } - - V_P_interpolation_points.push_back(tmp_mul_result); - } - - V_P_interpolation_points.push_back(FieldType::value_type::one()); - - const std::shared_ptr> V_P_domain = - math::make_evaluation_domain(N_rows + 1); - V_P_domain->inverse_fft(V_P_interpolation_points); - - math::polynomial::polynomial V_P = V_P_interpolation_points; - - // 6. Compute and add commitment to $V_P$ to $\text{transcript}$. - merkle_tree_type V_P_tree = lpc::commit(V_P, D_0); - typename lpc::commitment_type V_P_commitment = V_P_tree.root(); - transcript(V_P_commitment); + std::array, 3> permutation_argument = + redshift_permutation_argument::prove_argument(transcript); + // std::copy(PI.begin(), PI.end(), f.begin() + N_perm); // 7. Get $\theta \in \mathbb{F}$ from $hash(\text{transcript})$ typename FieldType::value_type teta = @@ -258,16 +208,11 @@ namespace nil { } // 17. Denote g_1,2, h_1,2 - math::polynomial::polynomial g_1 = {1}; + math::polynomial::polynomial g_2; math::polynomial::polynomial h_1 = {1}; math::polynomial::polynomial h_2; - for (std::size_t i = 0; i <= N_perm + N_PI - 1; i++) { - g_1 = g_1 * (f[i] + beta * S_id[i] + gamma); - h_1 = h_1 * (f[i] + beta * S_sigma[i] + gamma); - } - g_2 = (A_compr + beta) * (S_compr + gamma); h_2 = (A_perm + beta) * (S_perm + gamma); @@ -275,14 +220,11 @@ namespace nil { const math::polynomial::polynomial L1 = preprocessed_data.Lagrange_basis[1]; - const math::polynomial::polynomial q_last; - const math::polynomial::polynomial q_blind; - std::array, 9> F; - F[0] = L1 * (1 - V_P); - F[1] = (1 - (q_last + q_blind)) * (V_P_shifted * h_1 - V_P * g_1); - F[2] = q_last * (V_P * V_P - V_P); + F[0] = permutation_argument[0]; + F[1] = permutation_argument[1]; + F[2] = permutation_argument[2]; F[3] = {0}; for (std::size_t i = 0; i < N_sel; i++) { F[3] = F[3] + gates[i]; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp index be65d3a8e..ca5c65046 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp @@ -31,6 +31,7 @@ #include #include #include +#include namespace nil { namespace crypto3 { @@ -73,17 +74,8 @@ namespace nil { transcript(proof.f_commitments[i]); } - typename transcript_hash_type::digest_type beta_bytes = - transcript.get_challenge(); - - typename transcript_hash_type::digest_type gamma_bytes = - transcript.get_challenge(); - - typename FieldType::value_type beta = algebra::marshalling(beta_bytes); - typename FieldType::value_type gamma = algebra::marshalling(gamma_bytes); - - transcript(proof.P_commitment); - transcript(proof.Q_commitment); + std::array permutation_argument = + redshift_permutation_argument::verify_argument(transcript); std::array alphas; for (std::size_t i = 0; i < 6; i++) { @@ -126,9 +118,9 @@ namespace nil { } std::array, 6> F; - F[0] = verification_key.L_basis[1] * (P - 1); - F[1] = verification_key.L_basis[1] * (Q - 1); - F[2] = P * p_1 - (P << 1); + F[0] = permutation_argument[0]; + F[1] = permutation_argument[1]; + F[2] = permutation_argument[2]; F[3] = Q * q_1 - (Q << 1); F[4] = verification_key.L_basis[n] * ((P << 1) - (Q << 1)); F[5] = verification_key.PI; From cf29372e187e911d7332f447c51d9219aa438473 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Wed, 2 Feb 2022 16:00:41 +0300 Subject: [PATCH 065/219] Separate FRI updated. #20 --- .../zk/snark/commitments/fri_commitment.hpp | 32 +++++++++---------- test/commitment/fri.cpp | 1 + 2 files changed, 16 insertions(+), 17 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index 52fdb3cab..2677d21cc 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -113,23 +113,17 @@ namespace nil { math::polynomial::polynomial f = Q; typename FieldType::value_type x = - transcript.template get_challenge(); + transcript.template challenge(); std::size_t r = fri_params.r; - std::array &alpha_openings = proof.alpha_openings; - std::array &f_y_openings = proof.f_y_openings; - std::array &f_commitments = proof.f_commitments; - math::polynomial::polynomial &f_ip1_coefficients = - proof.f_ip1_coefficients; - merkle_tree_type f_round_tree = T; - std::vector round_proofs; + math::polynomial::polynomial final_polynomial; for (std::size_t i = 0; i <= r - 1; i++) { typename FieldType::value_type alpha = - transcript.template get_challenge_from(fri_params.D_ip1); + transcript.template challenge_from(fri_params.D[i+1]); typename FieldType::value_type x_next = fri_params.q(x); @@ -159,38 +153,42 @@ namespace nil { if (i == 0) { typename FieldType::value_type leaf = g.evaluate(s[j]); - std::size_t leaf_index = std::find(D.begin(), D.end(), leaf) - D.begin(); + std::size_t leaf_index = std::find( + fri_params.D[i].begin(), fri_params.D[i].end(), leaf) - fri_params.D[i].begin(); p[j] = T.hash_path(leaf_index); - } } else { for (std::size_t j = 0; j < m; j++) { - std::size_t leaf_index = std::find(D.begin(), D.end(), y[j]) - D.begin(); + std::size_t leaf_index = std::find( + fri_params.D[i].begin(), fri_params.D[i].end(), y[j]) - fri_params.D[i].begin(); p[j] = T.hash_path(leaf_index); + } } } + merkle_tree_type T_next; + if (i < r - 2) { - merkle_tree_type T_next = commit(f_round, D); - f_commitments = f_round_tree.root(); - transcript(f_commitments); + T_next = commit(f_next, fri_params.D[i+1]); + transcript(T_next.root()); } if (i < r - 1) { typename FieldType::value_type colinear_value = f_next.evaluate(x_next); - std::size_t leaf_index = std::find(D.begin(), D.end(), colinear_value) - D.begin(); + std::size_t leaf_index = std::find(fri_params.D[i+1].begin(), fri_params.D[i+1].end(), colinear_value) - fri_params.D[i+1].begin(); typename FieldType::value_type colinear_path = T_next.hash_path(leaf_index); round_proofs.emplace_back(y, p, T, colinear_value, colinear_path); } else { - return proof_type(round_proofs, f_next); + final_polynomial = f_next; } x = x_next; f = f_next; T = T_next; } + return proof_type(round_proofs, final_polynomial); } static bool verify_eval(const std::array &evaluation_points, diff --git a/test/commitment/fri.cpp b/test/commitment/fri.cpp index a52e2412a..e682e1bc7 100644 --- a/test/commitment/fri.cpp +++ b/test/commitment/fri.cpp @@ -41,6 +41,7 @@ #include // until fri inclusion #include // until fri inclusion +#include using namespace nil::crypto3; From 16a3d22595db33643acda6a74a7e3ec467404fed Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Wed, 2 Feb 2022 19:01:52 +0300 Subject: [PATCH 066/219] Minor changes #20 --- .../snark/systems/plonk/redshift/permutation_argument.hpp | 7 +++---- .../nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp | 6 +++--- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp index 3fdc45c39..4b2c2c2eb 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp @@ -42,9 +42,8 @@ namespace nil { namespace zk { namespace snark { template - class redshift_permutation_argument { - - static inline std::array, 3> + struct redshift_permutation_argument { + static inline std::array, 3> prove_argument(fiat_shamir_heuristic &transcript, ) { // 2. Get $\beta, \gamma \in \mathbb{F}$ from $hash(\text{transcript})$ typename FieldType::value_type beta = @@ -145,7 +144,7 @@ namespace nil { return F; } - } + }; } // namespace snark } // namespace zk } // namespace crypto3 diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 8372af3df..aa484edd3 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -118,8 +118,8 @@ namespace nil { std::copy(w.begin(), w.end(), f.begin()); - std::array, 3> permutation_argument = - redshift_permutation_argument::prove_argument(transcript); + std::array, 3> + permutation_argument = redshift_permutation_argument::prove_argument(transcript); // std::copy(PI.begin(), PI.end(), f.begin() + N_perm); // 7. Get $\theta \in \mathbb{F}$ from $hash(\text{transcript})$ @@ -208,7 +208,7 @@ namespace nil { } // 17. Denote g_1,2, h_1,2 - + math::polynomial::polynomial g_2; math::polynomial::polynomial h_1 = {1}; math::polynomial::polynomial h_2; From 6d345bead39d9a0b44b848b3faefb58c33ed3b98 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Wed, 2 Feb 2022 19:03:00 +0300 Subject: [PATCH 067/219] Separate FRI updated. #20 --- .../zk/snark/commitments/fri_commitment.hpp | 33 ++++++++----------- .../zk/snark/transcript/fiat_shamir.hpp | 22 +++++++++---- test/commitment/fri.cpp | 25 +++++++++----- test/commitment/lpc.cpp | 3 -- 4 files changed, 47 insertions(+), 36 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index 2677d21cc..426c8cda4 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -54,12 +54,8 @@ namespace nil { */ template struct fri_commitment_scheme { - static constexpr std::size_t lambda = _lambda; - static constexpr std::size_t k = _k; static constexpr std::size_t m = _m; typedef FieldType field_type; @@ -68,18 +64,18 @@ namespace nil { typedef typename containers::merkle_tree merkle_tree_type; typedef typename containers::merkle_proof merkle_proof_type; - struct params { + struct params_type { + std::size_t r; + std::vector> D; + math::polynomial::polynomial q; }; - using openning_type = merkle_proof_type; - using commitment_type = typename merkle_tree_type::value_type; - struct round_proof_type { std::array y; std::array p; - merkle_tree_type T; + typename merkle_tree_type::value_type T_root; typename FieldType::value_type colinear_value; merkle_proof_type colinear_path; @@ -104,9 +100,9 @@ namespace nil { static proof_type proof_eval(const math::polynomial::polynomial &Q, const math::polynomial::polynomial &g, - const merkle_tree_type &T, - const fiat_shamir_heuristic_updated &transcript, - const params &fri_params) { + merkle_tree_type &T, + fiat_shamir_heuristic_updated &transcript, + params_type &fri_params) { proof_type proof; @@ -123,9 +119,10 @@ namespace nil { for (std::size_t i = 0; i <= r - 1; i++) { typename FieldType::value_type alpha = - transcript.template challenge_from(fri_params.D[i+1]); + fri_params.D[i+1][0].pow( + transcript.template int_challenge()); - typename FieldType::value_type x_next = fri_params.q(x); + typename FieldType::value_type x_next = fri_params.q.evaluate(x); std::size_t d = f.degree(); @@ -179,7 +176,7 @@ namespace nil { std::size_t leaf_index = std::find(fri_params.D[i+1].begin(), fri_params.D[i+1].end(), colinear_value) - fri_params.D[i+1].begin(); typename FieldType::value_type colinear_path = T_next.hash_path(leaf_index); - round_proofs.emplace_back(y, p, T, colinear_value, colinear_path); + round_proofs.emplace_back(y, p, T.root(), colinear_value, colinear_path); } else { final_polynomial = f_next; } @@ -191,10 +188,8 @@ namespace nil { return proof_type(round_proofs, final_polynomial); } - static bool verify_eval(const std::array &evaluation_points, - const proof_type &proof, - const params &fri_params) { - + static bool verify_eval() { + return true; } }; } // namespace snark diff --git a/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp b/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp index f5fd87701..c45bf5ae9 100644 --- a/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp +++ b/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp @@ -140,9 +140,9 @@ namespace nil { } template - typename std::enable_if<(Hash::digest_bits >= Field::modulus_bits), - typename Field::value_type>::type - challenge() { + // typename std::enable_if<(Hash::digest_bits >= Field::modulus_bits), + // typename Field::value_type>::type + typename Field::value_type challenge() { state = hash(state); nil::marshalling::status_type status; @@ -151,10 +151,20 @@ namespace nil { return raw_result; } + template + Integral int_challenge() { + + state = hash(state); + nil::marshalling::status_type status; + Integral raw_result = nil::marshalling::pack(state, status); + + return raw_result; + } + template - typename std::enable_if<(Hash::digest_bits >= Field::modulus_bits), - std::array>::type - challenges() { + // typename std::enable_if<(Hash::digest_bits >= Field::modulus_bits), + // std::array>::type + std::array challenges() { std::array result; for (auto &ch : result) { diff --git a/test/commitment/fri.cpp b/test/commitment/fri.cpp index e682e1bc7..c1634e703 100644 --- a/test/commitment/fri.cpp +++ b/test/commitment/fri.cpp @@ -40,7 +40,8 @@ #include #include // until fri inclusion -#include // until fri inclusion + +#include #include using namespace nil::crypto3; @@ -68,26 +69,34 @@ BOOST_AUTO_TEST_CASE(fri_basic_test) { typedef typename containers::merkle_tree merkle_tree_type; - constexpr static const std::size_t lambda = 40; - constexpr static const std::size_t k = 1; - constexpr static const std::size_t d = 4; constexpr static const std::size_t r = boost::static_log2::value; constexpr static const std::size_t m = 2; - // typedef fri_commitment_scheme fri_type; - // typedef typename fri_type::proof_type proof_type; + typedef zk::snark::fri_commitment_scheme fri_type; + typedef typename fri_type::proof_type proof_type; + typedef typename fri_type::params_type params_type; + params_type params; math::polynomial::polynomial f = {1, 3, 4, 25}; // create domain D_0 std::vector D_0 = prepare_domain(d); - // merkle_tree_type T = fri_type::commit(f, D_0); + std::vector> D = {D_0, D_0}; + + params.r = r; + params.D = D; + params.q = f; + + std::vector> y_data; + merkle_tree_type T(y_data); + + zk::snark::fiat_shamir_heuristic_updated transcript(y_data); // std::array evaluation_points = {omega.pow(5)}; - // proof_type proof = fri_type::proof_eval(evaluation_points, T, f, D_0) + proof_type proof = fri_type::proof_eval(f, f, T, transcript, params); // BOOST_CHECK(fry_type::verify_eval(evaluation_points, T, proof, D_0)) } diff --git a/test/commitment/lpc.cpp b/test/commitment/lpc.cpp index 312e5d89c..7e771eb5e 100644 --- a/test/commitment/lpc.cpp +++ b/test/commitment/lpc.cpp @@ -51,9 +51,6 @@ BOOST_AUTO_TEST_CASE(lpc_basic_test) { using curve_type = algebra::curves::bls12<381>; using FieldType = typename curve_type::base_field_type; - typedef hashes::sha2<256> merkle_hash_type; - typedef hashes::sha2<256> transcript_hash_type; - typedef typename containers::merkle_tree merkle_tree_type; constexpr static const std::size_t lambda = 40; From cdbc3f523c1d847813a5a8f12ac320851de82d0f Mon Sep 17 00:00:00 2001 From: nkaskov Date: Wed, 2 Feb 2022 19:57:14 +0300 Subject: [PATCH 068/219] Separate FRI updated. #20 --- .../zk/snark/commitments/fri_commitment.hpp | 18 +++++++++++------- test/commitment/fri.cpp | 3 ++- 2 files changed, 13 insertions(+), 8 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index 426c8cda4..7168540df 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -73,12 +73,12 @@ namespace nil { struct round_proof_type { std::array y; - std::array p; + std::array, m> p; typename merkle_tree_type::value_type T_root; typename FieldType::value_type colinear_value; - merkle_proof_type colinear_path; + std::vector colinear_path; }; struct proof_type { @@ -144,7 +144,7 @@ namespace nil { y[j] = f.evaluate(s[j]); } - std::array p; + std::array, m> p; for (std::size_t j = 0; j < m; j++) { if (i == 0) { @@ -163,7 +163,8 @@ namespace nil { } } - merkle_tree_type T_next; + std::vector> y_data; + merkle_tree_type T_next(y_data); if (i < r - 2) { T_next = commit(f_next, fri_params.D[i+1]); @@ -173,8 +174,11 @@ namespace nil { if (i < r - 1) { typename FieldType::value_type colinear_value = f_next.evaluate(x_next); - std::size_t leaf_index = std::find(fri_params.D[i+1].begin(), fri_params.D[i+1].end(), colinear_value) - fri_params.D[i+1].begin(); - typename FieldType::value_type colinear_path = T_next.hash_path(leaf_index); + std::size_t leaf_index = std::find( + fri_params.D[i+1].begin(), fri_params.D[i+1].end(), colinear_value) - + fri_params.D[i+1].begin(); + std::vector colinear_path = + T_next.hash_path(leaf_index); round_proofs.emplace_back(y, p, T.root(), colinear_value, colinear_path); } else { @@ -185,7 +189,7 @@ namespace nil { f = f_next; T = T_next; } - return proof_type(round_proofs, final_polynomial); + return proof_type ({round_proofs, final_polynomial}); } static bool verify_eval() { diff --git a/test/commitment/fri.cpp b/test/commitment/fri.cpp index c1634e703..654ec9e60 100644 --- a/test/commitment/fri.cpp +++ b/test/commitment/fri.cpp @@ -93,7 +93,8 @@ BOOST_AUTO_TEST_CASE(fri_basic_test) { std::vector> y_data; merkle_tree_type T(y_data); - zk::snark::fiat_shamir_heuristic_updated transcript(y_data); + std::array x_data; + zk::snark::fiat_shamir_heuristic_updated transcript(x_data); // std::array evaluation_points = {omega.pow(5)}; proof_type proof = fri_type::proof_eval(f, f, T, transcript, params); From 80fc4bfb440ca5a536ce89cfcc4b5135731121db Mon Sep 17 00:00:00 2001 From: nkaskov Date: Wed, 2 Feb 2022 20:05:43 +0300 Subject: [PATCH 069/219] Separate FRI updated. #20 --- include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index 7168540df..6403c759d 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -180,7 +180,7 @@ namespace nil { std::vector colinear_path = T_next.hash_path(leaf_index); - round_proofs.emplace_back(y, p, T.root(), colinear_value, colinear_path); + round_proofs.push_back(round_proof_type({y, p, T.root(), colinear_value, colinear_path})); } else { final_polynomial = f_next; } From 92f2fcfb070a2375dbe550d45944a79b7880805d Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Wed, 2 Feb 2022 20:10:54 +0300 Subject: [PATCH 070/219] Minor allocation changes #20 --- include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index aa484edd3..443d4fd75 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -105,6 +105,8 @@ namespace nil { std::vector w_trees; std::vector w_commitments; + w_commitments.reserve(N_wires); + w_trees.reserve(N_wires); for (std::size_t i = 0; i < N_wires; i++) { w_trees.push_back(lpc::commit(w[i], D_0)); From 814ba326587046956b1553e52ab2ebd5e7f182ca Mon Sep 17 00:00:00 2001 From: nkaskov Date: Wed, 2 Feb 2022 20:15:18 +0300 Subject: [PATCH 071/219] Separate FRI updated. #20 --- .../crypto3/zk/snark/commitments/fri_commitment.hpp | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index 6403c759d..03dd98e22 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -163,15 +163,10 @@ namespace nil { } } - std::vector> y_data; - merkle_tree_type T_next(y_data); - - if (i < r - 2) { - T_next = commit(f_next, fri_params.D[i+1]); + if (i < r - 1) { + merkle_tree_type T_next = commit(f_next, fri_params.D[i+1]); transcript(T_next.root()); - } - if (i < r - 1) { typename FieldType::value_type colinear_value = f_next.evaluate(x_next); std::size_t leaf_index = std::find( @@ -181,13 +176,14 @@ namespace nil { T_next.hash_path(leaf_index); round_proofs.push_back(round_proof_type({y, p, T.root(), colinear_value, colinear_path})); + + T = T_next; } else { final_polynomial = f_next; } x = x_next; f = f_next; - T = T_next; } return proof_type ({round_proofs, final_polynomial}); } From df24934cb1a465590ac4f19083b0c656d1f16dcb Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Wed, 2 Feb 2022 20:32:33 +0300 Subject: [PATCH 072/219] Minor changes #20 --- .../zk/snark/commitments/fri_commitment.hpp | 9 ++++--- .../list_polynomial_commitment.hpp | 24 +++++++++++-------- test/commitment/lpc.cpp | 15 ++++++------ 3 files changed, 28 insertions(+), 20 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index 03dd98e22..bbd2bfba0 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -133,10 +133,13 @@ namespace nil { } // m = 2, so: - assert(m == 2); std::array s; - s[0] = x; - s[1] = -x; + if constexpr (m == 2) { + s[0] = x; + s[1] = -x; + } else { + return {}; + } std::array y; diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index 7c758138f..a34c5938b 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -54,15 +54,15 @@ namespace nil { */ template + std::size_t Lambda = 40, + std::size_t K = 1, + std::size_t R = 1, + std::size_t M = 2> struct list_polynomial_commitment_scheme { - static constexpr std::size_t lambda = _lambda; - static constexpr std::size_t k = _k; - static constexpr std::size_t r = _r; - static constexpr std::size_t m = _m; + constexpr static const std::size_t lambda = Lambda; + constexpr static const std::size_t k = K; + constexpr static const std::size_t r = R; + constexpr static const std::size_t m = M; typedef FieldType field_type; typedef Hash transcript_hash_type; @@ -183,8 +183,12 @@ namespace nil { // m = 2, so: std::array s; - s[0] = y_i.sqrt(); - s[1] = -s[0]; + if constexpr (m == 2) { + s[0] = y_i.sqrt(); + s[1] = -s[0]; + } else { + return {}; + } std::array, m> p_y_i_interpolation_points; diff --git a/test/commitment/lpc.cpp b/test/commitment/lpc.cpp index 7e771eb5e..5171bf53d 100644 --- a/test/commitment/lpc.cpp +++ b/test/commitment/lpc.cpp @@ -48,8 +48,9 @@ BOOST_AUTO_TEST_SUITE(lpc_test_suite) BOOST_AUTO_TEST_CASE(lpc_basic_test) { - using curve_type = algebra::curves::bls12<381>; - using FieldType = typename curve_type::base_field_type; + typedef algebra::curves::bls12<381> curve_type; + typedef typename curve_type::base_field_type field_type; + typedef hashes::sha2<256> merkle_hash_type; typedef typename containers::merkle_tree merkle_tree_type; @@ -61,21 +62,21 @@ BOOST_AUTO_TEST_CASE(lpc_basic_test) { constexpr static const std::size_t r = boost::static_log2<(d - k)>::value; constexpr static const std::size_t m = 2; - typedef list_polynomial_commitment_scheme lpc_type; + typedef list_polynomial_commitment_scheme lpc_type; typedef typename lpc_type::proof_type proof_type; - typename FieldType::value_type omega = math::unity_root(math::detail::get_power_of_two(k)); + typename field_type::value_type omega = math::unity_root(math::detail::get_power_of_two(k)); - std::vector D_0(10); + std::vector D_0(10); for (std::size_t power = 1; power <= 10; power++) { D_0.emplace_back(omega.pow(power)); } - const math::polynomial::polynomial f = {0, 0, 1}; + const math::polynomial::polynomial f = {0, 0, 1}; merkle_tree_type T = lpc_type::commit(f, D_0); - std::array evaluation_points = {algebra::random_element()}; + std::array evaluation_points = {algebra::random_element()}; BOOST_CHECK(lpc_type::proof_eval(evaluation_points, T, f, D_0) != proof_type()); } From 6a57cf6d94708679ecc50a04043820a1d073331e Mon Sep 17 00:00:00 2001 From: nkaskov Date: Wed, 2 Feb 2022 20:43:51 +0300 Subject: [PATCH 073/219] Separate FRI updated. #20 --- .../zk/snark/commitments/fri_commitment.hpp | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index 03dd98e22..6a2e5742b 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -26,6 +26,8 @@ #ifndef CRYPTO3_ZK_FRI_COMMITMENT_SCHEME_HPP #define CRYPTO3_ZK_FRI_COMMITMENT_SCHEME_HPP +#include + #include #include @@ -96,6 +98,25 @@ namespace nil { static merkle_tree_type commit(const math::polynomial::polynomial &f, const std::vector &D) { + + using Endianness = nil::marshalling::option::big_endian; + using field_element_type = + nil::crypto3::marshalling::types::field_element, FieldType>; + + std::vector> y_data; + y_data.reserve(D.size()); + nil::marshalling::status_type status; + + for (std::size_t i = 0; i < D.size(); i++) { + typename FieldType::value_type y = f.evaluate(D[i]); + + field_element_type y_val = + nil::crypto3::marshalling::types::fill_field_element(y); + auto write_iter = y_data[i].begin(); + y_val.write(write_iter, 96); + } + + return merkle_tree_type(y_data); } static proof_type proof_eval(const math::polynomial::polynomial &Q, From c97232c939ea2961d064fa7e455f1b19ee0d1d5e Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Wed, 2 Feb 2022 19:52:48 +0200 Subject: [PATCH 074/219] permutation argument update #20 --- .../plonk/redshift/permutation_argument.hpp | 114 ++++++------ test/commitment/fri.cpp | 5 +- test/systems/plonk/redshift.cpp | 175 ++++++++++++++++-- 3 files changed, 220 insertions(+), 74 deletions(-) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp index 3fdc45c39..6af6afbdd 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp @@ -34,97 +34,102 @@ #include -#include #include namespace nil { namespace crypto3 { namespace zk { namespace snark { - template + template class redshift_permutation_argument { - static inline std::array, 3> - prove_argument(fiat_shamir_heuristic &transcript, ) { - // 2. Get $\beta, \gamma \in \mathbb{F}$ from $hash(\text{transcript})$ + public: + + static inline std::array, 3> // TODO: fix fiat-shamir + prove_argument(fiat_shamir_heuristic_updated> &transcript, + std::size_t circuit_rows, + std::size_t permutation_size, + std::vector domain, + const math::polynomial::polynomial &lagrange_1, + const std::vector> &S_id, + const std::vector> &S_sigma, + const std::vector> &f, + const math::polynomial::polynomial &q_last, + const math::polynomial::polynomial &q_blind + ) { + // 1. $\beta_1, \gamma_1 = \challenge$ typename FieldType::value_type beta = - transcript.template challenge(); + transcript.template challenge(); typename FieldType::value_type gamma = - transcript.template challenge(); + transcript.template challenge(); - // 4. For $1 < j \leq N_{\texttt{rows}}$ calculate $g_j, h_j$ - std::vector g_points(N_rows + 1); - std::vector h_points(N_rows + 1); + // 2. Calculate id_binding, sigma_binding for j from 1 to N_rows + std::vector id_binding(circuit_rows); + std::vector sigma_binding(circuit_rows); - const std::vector> &S_sigma = - preprocessed_data.permutations; - const std::vector> &S_id = - preprocessed_data.identity_permutations; + for (std::size_t j = 0; j < circuit_rows; j++) { + id_binding[j] = FieldType::value_type::one(); + sigma_binding[j] = FieldType::value_type::one(); + for (std::size_t i = 0; i < permutation_size; i++) { - for (std::size_t j = 1; j <= N_rows; j++) { - g_points[j] = FieldType::value_type::one(); - h_points[j] = FieldType::value_type::one(); - for (std::size_t i = 0; i < N_perm + N_PI; i++) { - - g_points[j] *= (f[j].evaluate(D_0[j]) + beta * S_id[j].evaluate(D_0[j]) + gamma); - h_points[j] *= (f[j].evaluate(D_0[j]) + beta * S_sigma[j].evaluate(D_0[j]) + gamma); + id_binding[j] *= (f[i].evaluate(domain[j]) + beta * S_id[i].evaluate(domain[j]) + gamma); + sigma_binding[j] *= (f[i].evaluate(domain[j]) + beta * S_sigma[i].evaluate(domain[j]) + gamma); } } - // 5. Calculate $V_P$ + // 3. Calculate $V_P$ std::vector - V_P_interpolation_points(N_rows + 1); - - V_P_interpolation_points.push_back(FieldType::value_type::one()); - for (std::size_t j = 2; j < N_rows + 1; j++) { + V_P_interpolation_points(circuit_rows); + V_P_interpolation_points[0] = FieldType::value_type::one(); + for (std::size_t j = 1; j < circuit_rows; j++) { typename FieldType::value_type tmp_mul_result = FieldType::value_type::one(); - for (std::size_t i = 1; i <= j - 1; i++) { - tmp_mul_result *= g_points[i] / h_points[i]; + for (std::size_t i = 0; i <= j - 1; i++) { + //TODO: use one division + tmp_mul_result *= id_binding[i] / sigma_binding[i]; } - V_P_interpolation_points.push_back(tmp_mul_result); + V_P_interpolation_points[j] = tmp_mul_result; } - V_P_interpolation_points.push_back(FieldType::value_type::one()); - const std::shared_ptr> V_P_domain = - math::make_evaluation_domain(N_rows + 1); + math::make_evaluation_domain(circuit_rows); V_P_domain->inverse_fft(V_P_interpolation_points); - math::polynomial::polynomial V_P = V_P_interpolation_points; + math::polynomial::polynomial V_P(V_P_interpolation_points.begin(), V_P_interpolation_points.end()); - // 6. Compute and add commitment to $V_P$ to $\text{transcript}$. - merkle_tree_type V_P_tree = lpc::commit(V_P, D_0); - typename lpc::commitment_type V_P_commitment = V_P_tree.root(); - transcript(V_P_commitment); + // 4. Compute and add commitment to $V_P$ to $\text{transcript}$. + //TODO: include commitment + //merkle_tree_type V_P_tree = fri::commit(V_P, D_0); + //typename fri::commitment_type V_P_commitment = V_P_tree.root(); + //transcript(V_P_commitment); - // 17. Denote g_1,2, h_1,2 - math::polynomial::polynomial g_1 = {1}; - math::polynomial::polynomial h_1 = {1}; + // 5. Calculate g_perm, h_perm + math::polynomial::polynomial g = {1}; + math::polynomial::polynomial h = {1}; - for (std::size_t i = 0; i <= N_perm + N_PI - 1; i++) { - g_1 = g_1 * (f[i] + beta * S_id[i] + gamma); - h_1 = h_1 * (f[i] + beta * S_sigma[i] + gamma); + for (std::size_t i = 0; i < permutation_size; i++) { + g = g * (f[i] + beta * S_id[i] + gamma); + h = h * (f[i] + beta * S_sigma[i] + gamma); } - const math::polynomial::polynomial q_last; - const math::polynomial::polynomial q_blind; - + /*math::polynomial::polynomial one_polynomial = {1}; std::array, 3> F; - F[0] = L1 * (1 - V_P); - F[1] = (1 - (q_last + q_blind)) * (V_P_shifted * h_1 - V_P * g_1); - F[2] = q_last * (V_P * V_P - V_P); + F[0] = lagrange_1 * (one_polynomial - V_P); + F[1] = (one_polynomial - (q_last + q_blind)) * ((domain[0] * V_P) * h - V_P * g); + F[2] = q_last * (V_P * V_P - V_P);*/ + std::array, 3> F; return F; } static inline std::array - verify_argument(fiat_shamir_heuristic &transcript, ) { - typename transcript_hash_type::digest_type beta_bytes = + verify_argument() { + /*typename transcript_hash_type::digest_type beta_bytes = transcript.get_challenge(); typename transcript_hash_type::digest_type gamma_bytes = @@ -141,11 +146,12 @@ namespace nil { F[0] = verification_key.L_basis[1] * (P - 1); F[1] = verification_key.L_basis[1] * (Q - 1); - F[2] = P * p_1 - (P << 1); - + F[2] = P * p_1 - (P << 1);*/ + std::array F; + return F; } - } + }; } // namespace snark } // namespace zk } // namespace crypto3 diff --git a/test/commitment/fri.cpp b/test/commitment/fri.cpp index a52e2412a..5032b88fb 100644 --- a/test/commitment/fri.cpp +++ b/test/commitment/fri.cpp @@ -113,7 +113,10 @@ BOOST_AUTO_TEST_CASE(fri_fold_test) { std::make_pair(omega, f.evaluate(omega)), std::make_pair(-omega, f.evaluate(-omega)), }; - math::polynomial::polynomial interpolant = math::polynomial::_lagrange_interpolation(points); + math::polynomial::polynomial interpolant = math::polynomial::lagrange_interpolation(points); + typename FieldType::value_type x1 = interpolant.evaluate(omega); + typename FieldType::value_type x2 = f.evaluate(omega); + BOOST_CHECK(x1 == x2); // BOOST_CHECK_EQUAL(interpolant.eval(alpha), f_next.eval(x_next)) } diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index 6e8bc3a17..d5c3a7dde 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -31,57 +31,194 @@ #include #include -#include -#include -#include -#include +#include +#include +#include -#include -#include +//#include +//#include #include +#include +#include + +#include +#include + using namespace nil::crypto3; +template + std::vector prepare_domain(const std::size_t d) { + typename FieldType::value_type omega = math::unity_root(math::detail::get_power_of_two(d)); + std::vector D_0(d); + for (std::size_t power = 1; power <= d; power++) { + D_0.emplace_back(omega.pow(power)); + } + return D_0; +} + +template +math::polynomial::polynomial + lagrange_polynomial(std::vector domain, std::size_t number) { + std::vector> + evaluation_points; + for (std::size_t i = 0; i < domain.size(); i++) { + evaluation_points.push_back(std::make_pair(domain[i], (i != number) ? + FieldType::value_type::zero() : FieldType::value_type::one())); + } + math::polynomial::polynomial f = + math::polynomial::lagrange_interpolation(evaluation_points); + return f; +} + + BOOST_AUTO_TEST_SUITE(redshift_prover_test_suite) BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { - using curve_type = algebra::curves::bls12<381>; + using curve_type = algebra::curves::mnt4<298>; - zk::snark::redshift_preprocessor preprocess; + //zk::snark::redshift_preprocessor preprocess; // auto preprocessed_data = preprocess::process(cs, assignments); - zk::snark::redshift_prover prove; + //zk::snark::redshift_prover prove; } BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { - using curve_type = algebra::curves::bls12<381>; - - zk::snark::redshift_preprocessor preprocess; + using curve_type = algebra::curves::mnt4<298>; + using FieldType = typename curve_type::base_field_type; + + const std::size_t circuit_rows = 4; + const std::size_t permutation_size = 2; + + std::vector domain = prepare_domain(circuit_rows); + math::polynomial::polynomial lagrange_0 = lagrange_polynomial(domain, 0); + + //TODO: implement it in a proper way in generator.hpp + std::vector> S_id(permutation_size); + std::vector> S_sigma(permutation_size); + + typename FieldType::value_type omega = math::unity_root( + math::detail::get_power_of_two(circuit_rows)); + + typename FieldType::value_type delta = + algebra::fields::arithmetic_params::multiplicative_generator; + + for (std::size_t i = 0; i < permutation_size; i++) { + std::vector> + interpolation_points; + for (std::size_t j = 0; j < circuit_rows; j++) { + interpolation_points.push_back(std::make_pair(omega.pow(j), delta.pow(i) * omega.pow(j))); + } + + S_id[i] = math::polynomial::lagrange_interpolation(interpolation_points); + } + + for (std::size_t i = 0; i < permutation_size; i++) { + std::vector> + interpolation_points; + for (std::size_t j = 0; j < circuit_rows; j++) { + if (i == 1 && j == 1) { + interpolation_points.push_back( + std::make_pair(omega.pow(j), delta.pow(2) * omega.pow(2))); + } else if (i == 2 && j == 2) { + interpolation_points.push_back( + std::make_pair(omega.pow(j), delta.pow(1) * omega.pow(1))); + } else { + interpolation_points.push_back( + std::make_pair(omega.pow(j), delta.pow(i) * omega.pow(j))); + } + + } + + S_sigma[i] = math::polynomial::lagrange_interpolation(interpolation_points); + } + + // construct circuit values + std::vector> f(permutation_size); + for (std::size_t i = 0; i < permutation_size; i++) { + std::vector> + interpolation_points; + for (std::size_t j = 0; j < circuit_rows; j++) { + if (i == 2 && j == 2) { + interpolation_points.push_back( + std::make_pair(omega.pow(j), interpolation_points[1].second)); + } else { + interpolation_points.push_back( + std::make_pair(omega.pow(j), algebra::random_element())); + } + + } + + f[i] = math::polynomial::lagrange_interpolation(interpolation_points); + } + + // construct q_last, q_blind + math::polynomial::polynomial q_last; + math::polynomial::polynomial q_blind; + std::vector> + interpolation_points_last; + std::vector> + interpolation_points_blind; + for (std::size_t j = 0; j < circuit_rows; j++) { + if (j == circuit_rows - 1) { + interpolation_points_last.push_back( + std::make_pair(omega.pow(j), FieldType::value_type::one())); + interpolation_points_blind.push_back( + std::make_pair(omega.pow(j), FieldType::value_type::zero())); + } else { + interpolation_points_last.push_back( + std::make_pair(omega.pow(j), FieldType::value_type::zero())); + interpolation_points_blind.push_back( + std::make_pair(omega.pow(j), FieldType::value_type::zero())); + } + + } + q_last = math::polynomial::lagrange_interpolation(interpolation_points_last); + q_blind = math::polynomial::lagrange_interpolation(interpolation_points_blind); + + std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; + zk::snark::fiat_shamir_heuristic_updated> transcript(init_blob); + + std::array, 3> prove_res = + zk::snark::redshift_permutation_argument::prove_argument( + transcript, + circuit_rows, + permutation_size, + domain, + lagrange_0, + S_id, + S_sigma, + f, + q_last, + q_blind + ); + + //zk::snark::redshift_preprocessor preprocess; // auto preprocessed_data = preprocess::process(cs, assignments); - zk::snark::redshift_prover prove; + //zk::snark::redshift_prover prove; } BOOST_AUTO_TEST_CASE(redshift_lookup_argument_test) { - using curve_type = algebra::curves::bls12<381>; + using curve_type = algebra::curves::mnt4<298>; - zk::snark::redshift_preprocessor preprocess; + //zk::snark::redshift_preprocessor preprocess; // auto preprocessed_data = preprocess::process(cs, assignments); - zk::snark::redshift_prover prove; + //zk::snark::redshift_prover prove; } BOOST_AUTO_TEST_CASE(redshift_witness_argument_test) { - using curve_type = algebra::curves::bls12<381>; + using curve_type = algebra::curves::mnt4<298>; - zk::snark::redshift_preprocessor preprocess; + //zk::snark::redshift_preprocessor preprocess; // auto preprocessed_data = preprocess::process(cs, assignments); - zk::snark::redshift_prover prove; + //zk::snark::redshift_prover prove; } BOOST_AUTO_TEST_SUITE_END() \ No newline at end of file From aa5aa8fbc7e28990bf965f2400719ec81b3139df Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Wed, 2 Feb 2022 21:12:55 +0300 Subject: [PATCH 075/219] RedShift test updated #20 --- test/systems/plonk/redshift.cpp | 29 ++++++++++------------------- 1 file changed, 10 insertions(+), 19 deletions(-) diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index d5c3a7dde..c1d13ddf3 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -109,7 +109,7 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { std::vector> interpolation_points; for (std::size_t j = 0; j < circuit_rows; j++) { - interpolation_points.push_back(std::make_pair(omega.pow(j), delta.pow(i) * omega.pow(j))); + interpolation_points.emplace_back(omega.pow(j), delta.pow(i) * omega.pow(j)); } S_id[i] = math::polynomial::lagrange_interpolation(interpolation_points); @@ -120,14 +120,11 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { interpolation_points; for (std::size_t j = 0; j < circuit_rows; j++) { if (i == 1 && j == 1) { - interpolation_points.push_back( - std::make_pair(omega.pow(j), delta.pow(2) * omega.pow(2))); + interpolation_points.emplace_back(omega.pow(j), delta.pow(2) * omega.pow(2)); } else if (i == 2 && j == 2) { - interpolation_points.push_back( - std::make_pair(omega.pow(j), delta.pow(1) * omega.pow(1))); + interpolation_points.emplace_back(omega.pow(j), delta.pow(1) * omega.pow(1)); } else { - interpolation_points.push_back( - std::make_pair(omega.pow(j), delta.pow(i) * omega.pow(j))); + interpolation_points.emplace_back(omega.pow(j), delta.pow(i) * omega.pow(j)); } } @@ -142,11 +139,9 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { interpolation_points; for (std::size_t j = 0; j < circuit_rows; j++) { if (i == 2 && j == 2) { - interpolation_points.push_back( - std::make_pair(omega.pow(j), interpolation_points[1].second)); + interpolation_points.emplace_back(omega.pow(j), interpolation_points[1].second); } else { - interpolation_points.push_back( - std::make_pair(omega.pow(j), algebra::random_element())); + interpolation_points.emplace_back(omega.pow(j), algebra::random_element()); } } @@ -163,15 +158,11 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { interpolation_points_blind; for (std::size_t j = 0; j < circuit_rows; j++) { if (j == circuit_rows - 1) { - interpolation_points_last.push_back( - std::make_pair(omega.pow(j), FieldType::value_type::one())); - interpolation_points_blind.push_back( - std::make_pair(omega.pow(j), FieldType::value_type::zero())); + interpolation_points_last.emplace_back(omega.pow(j), FieldType::value_type::one()); + interpolation_points_blind.emplace_back(omega.pow(j), FieldType::value_type::zero()); } else { - interpolation_points_last.push_back( - std::make_pair(omega.pow(j), FieldType::value_type::zero())); - interpolation_points_blind.push_back( - std::make_pair(omega.pow(j), FieldType::value_type::zero())); + interpolation_points_last.emplace_back(omega.pow(j), FieldType::value_type::zero()); + interpolation_points_blind.emplace_back(omega.pow(j), FieldType::value_type::zero()); } } From f4933d7860ba112a41deb91f8ebadc4135e3b42d Mon Sep 17 00:00:00 2001 From: nkaskov Date: Wed, 2 Feb 2022 21:49:30 +0300 Subject: [PATCH 076/219] Separate FRI updated. #20 --- .../zk/snark/commitments/fri_commitment.hpp | 10 +- .../list_polynomial_commitment.hpp | 221 +++--------------- 2 files changed, 40 insertions(+), 191 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index 9ee0904d7..00cc39ffa 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -56,15 +56,15 @@ namespace nil { */ template + std::size_t M = 2> struct fri_commitment_scheme { - static constexpr std::size_t m = _m; + static constexpr std::size_t m = M; typedef FieldType field_type; typedef Hash transcript_hash_type; typedef typename containers::merkle_tree merkle_tree_type; - typedef typename containers::merkle_proof merkle_proof_type; + typedef std::vector merkle_proof_type; struct params_type { std::size_t r; @@ -75,7 +75,7 @@ namespace nil { struct round_proof_type { std::array y; - std::array, m> p; + std::array p; typename merkle_tree_type::value_type T_root; @@ -168,7 +168,7 @@ namespace nil { y[j] = f.evaluate(s[j]); } - std::array, m> p; + std::array p; for (std::size_t j = 0; j < m; j++) { if (i == 0) { diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index a34c5938b..871a2d8ec 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -33,6 +33,7 @@ #include #include +#include namespace nil { namespace crypto3 { @@ -57,7 +58,8 @@ namespace nil { std::size_t Lambda = 40, std::size_t K = 1, std::size_t R = 1, - std::size_t M = 2> + std::size_t M = 2, + std::size_t D = 16> struct list_polynomial_commitment_scheme { constexpr static const std::size_t lambda = Lambda; constexpr static const std::size_t k = K; @@ -68,10 +70,9 @@ namespace nil { typedef Hash transcript_hash_type; typedef typename containers::merkle_tree merkle_tree_type; - typedef typename containers::merkle_proof merkle_proof_type; + typedef std::vector merkle_proof_type; - // static const math::polynomial::polynomial - // q = {0, 0, 1}; + typedef fri_commitment_scheme fri_type; struct transcript_round_manifest { enum challenges_ids { x, y }; @@ -91,8 +92,6 @@ namespace nil { } std::array z_openings; - std::array, lambda> alpha_openings; - std::array, lambda> f_y_openings; std::array, lambda> f_commitments; @@ -100,6 +99,19 @@ namespace nil { f_ip1_coefficients; }; + private: + + std::vector prepare_domain(const std::size_t domain_size) { + typename FieldType::value_type omega = math::unity_root(math::detail::get_power_of_two(domain_size)); + std::vector D(domain_size); + for (std::size_t power = 1; power <= domain_size; power++) { + D.emplace_back(omega.pow(power)); + } + return D; + } + + public: + // The result of this function is not commitment_type (as it would expected), // but the built Merkle tree. This is done so, because we often need to reuse // the built Merkle tree @@ -110,23 +122,13 @@ namespace nil { commit(const math::polynomial::polynomial &f, const std::vector &D) { - std::vector y; - y.reserve(D.size()); - for (typename FieldType::value_type H : D) { - y.emplace_back(f.evaluate(H)); - } - - std::vector> y_data; - return merkle_tree_type(y_data); + return fri_type::commit(f, D); } static proof_type proof_eval(const std::array &evaluation_points, const merkle_tree_type &T, - const math::polynomial::polynomial &f, - const std::vector &D) { - - // temporary definition, until polynomial is constexpr - const math::polynomial::polynomial q = {0, 0, 1}; + const math::polynomial::polynomial &g, + fiat_shamir_heuristic_updated &transcript) { proof_type proof; @@ -137,7 +139,7 @@ namespace nil { U_interpolation_points; for (std::size_t j = 0; j < k; j++) { - typename FieldType::value_type z_j = f.evaluate(evaluation_points[j]); + typename FieldType::value_type z_j = g.evaluate(evaluation_points[j]); std::size_t leaf_index = std::find(D.begin(), D.end(), evaluation_points[j]) - D.begin(); z_openings[j] = merkle_proof_type(T, leaf_index); U_interpolation_points[j] = std::make_pair(evaluation_points[j], z_j); @@ -146,79 +148,27 @@ namespace nil { math::polynomial::polynomial U = math::polynomial::lagrange_interpolation(U_interpolation_points); - math::polynomial::polynomial Q = (f - U); + math::polynomial::polynomial Q = (g - U); for (std::size_t j = 0; j < k; j++) { math::polynomial::polynomial denominator_polynom = { -evaluation_points[j], 1}; Q = Q / denominator_polynom; } - for (std::size_t round_id = 0; round_id < lambda; round_id++) { - - math::polynomial::polynomial f_round = Q; - - typename FieldType::value_type x_0 = - transcript - .template challenge(); - - typename FieldType::value_type x_round = x_0; - - std::array &alpha_openings = proof.alpha_openings[round_id]; - std::array &f_y_openings = proof.f_y_openings[round_id]; - std::array &f_commitments = proof.f_commitments[round_id]; - math::polynomial::polynomial &f_ip1_coefficients = - proof.f_ip1_coefficients[round_id]; - merkle_tree_type f_round_tree = T; - - std::array y_challenges = - transcript - .template challenges(); - - for (std::size_t i = 0; i <= r - 1; i++) { - - typename FieldType::value_type y_i = y_challenges[i]; - - math::polynomial::polynomial sqr_polynom = { - y_challenges[i], 0, -1}; - - // m = 2, so: - std::array s; - if constexpr (m == 2) { - s[0] = y_i.sqrt(); - s[1] = -s[0]; - } else { - return {}; - } - - std::array, m> - p_y_i_interpolation_points; - - for (std::size_t j = 0; j < m; j++) { - typename FieldType::value_type alpha_i_j = f_round.evaluate(s[j]); - std::size_t leaf_index = std::find(D.begin(), D.end(), s[j]) - D.begin(); - alpha_openings[m * i + j] = merkle_proof_type(f_round_tree, leaf_index); - p_y_i_interpolation_points[j] = std::make_pair(s[j], alpha_i_j); - } - - math::polynomial::polynomial p_y = - math::polynomial::lagrange_interpolation(p_y_i_interpolation_points); - - f_round = p_y; - - typename FieldType::value_type f_y_i = f_round.evaluate(y_challenges[i]); - std::size_t leaf_index = std::find(D.begin(), D.end(), y_challenges[i]) - D.begin(); - f_y_openings[i] = merkle_proof_type(f_round_tree, leaf_index); + std::vector> D; + std::size_t d = D; + for (std::size_t j = 0; j <= r-1; j++) { + D[j] = prepare_domain(d/2); + } - if (i < r - 1) { - f_round_tree = commit(f_round, D); - f_commitments[i] = f_round_tree.root(); - transcript(f_commitments[i]); - } else { - f_ip1_coefficients = f_round; - } + // temporary definition, until polynomial is constexpr + const math::polynomial::polynomial q = {0, 0, 1}; + + fri_type::params_type fri_params = {r, D, q}; - x_round = q.evaluate(x_round); - } + for (std::size_t round_id = 0; round_id < lambda; round_id++) { + + } return proof; @@ -228,107 +178,6 @@ namespace nil { const commitment_type &root, const proof_type &proof, const std::vector &D) { - - // temporary definition, until polynomial is constexpr - const math::polynomial::polynomial q = {0, 0, 1}; - - fiat_shamir_heuristic transcript; - - std::array &z_openings = proof.z_openings; - std::array, k> - U_interpolation_points; - - for (std::size_t j = 0; j < k; j++) { - typename FieldType::value_type z_j; - // = algebra::marshalling(z_openings[j].leaf); - if (!z_openings[j].validate(root)) { - return false; - } - - U_interpolation_points[j] = std::make_pair(evaluation_points[j], z_j); - } - - math::polynomial::polynomial U = - math::polynomial::lagrange_interpolation(U_interpolation_points); - - math::polynomial::polynomial Q; - // = (f - U); - // for (std::size_t j = 0; j < k; j++){ - // Q = Q/(x - U_interpolation_points[j]); - // } - - for (std::size_t round_id = 0; round_id < lambda; round_id++) { - - math::polynomial::polynomial f_i = Q; - - typename FieldType::value_type x_round = - transcript - .template challenge(); - - std::array &alpha_openings = proof.alpha_openings[round_id]; - std::array &f_y_openings = proof.f_y_openings[round_id]; - std::array &f_commitments = proof.f_commitments[round_id]; - std::vector &f_ip1_coefficients = - proof.f_ip1_coefficients[round_id]; - - commitment_type &f_i_tree_root = root; - - auto y_arr = - transcript - .template challenges(); - - for (std::size_t i = 0; i <= r - 1; i++) { - - math::polynomial::polynomial sqr_polynom = {y_arr[i], 0, - -1}; - std::array s; - // = math::polynomial::get_roots(sqr_polynom); - - std::array, m> - p_y_i_interpolation_points; - - for (std::size_t j = 0; j < m; j++) { - typename FieldType::value_type alpha_i_j; - // = algebra::marshalling(alpha_openings[m*i + j].leaf); - if (!alpha_openings[m * i + j].validate(f_i_tree_root)) { - return false; - } - p_y_i_interpolation_points[j] = std::make_pair(s[j], alpha_i_j); - } - - math::polynomial::polynomial p_y_i = - math::polynomial::lagrange_interpolation(p_y_i_interpolation_points); - - typename FieldType::value_type f_y_i; - // = algebra::marshalling(f_y_openings[i].leaf); - if (!f_y_openings[i].validate(f_i_tree_root)) { - return false; - } - - if (f_y_i != p_y_i.evaluate(x_round)) { - return false; - } - - x_round = q.evaluate(x_round); - - if (i < r - 1) { - if (f_i != p_y_i) { - return false; - } - - f_commitments[i] = commit(f_i, D).root(); - transcript(f_commitments[i]); - } else { - if (f_i != p_y_i) { - return false; - } - - // if (f_i.size() != ...){ - // return false; - // } - } - } - } return true; } }; From ae0752c1cdaf7cc10fe16e80994a1b40df9b297b Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Wed, 2 Feb 2022 21:51:50 +0300 Subject: [PATCH 077/219] Tests updated #20 --- .../plonk/redshift/permutation_argument.hpp | 62 +++++++------- test/commitment/lpc.cpp | 61 +++++++++++++ test/systems/plonk/redshift.cpp | 85 ++++++++----------- 3 files changed, 126 insertions(+), 82 deletions(-) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp index 6af6afbdd..b03e13bfb 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp @@ -40,30 +40,28 @@ namespace nil { namespace crypto3 { namespace zk { namespace snark { - template + template class redshift_permutation_argument { - public: - - static inline std::array, 3> // TODO: fix fiat-shamir - prove_argument(fiat_shamir_heuristic_updated> &transcript, + public: + static inline std::array, + 3> // TODO: fix fiat-shamir + prove_argument( + fiat_shamir_heuristic_updated> &transcript, std::size_t circuit_rows, std::size_t permutation_size, - std::vector domain, + std::vector + domain, const math::polynomial::polynomial &lagrange_1, const std::vector> &S_id, const std::vector> &S_sigma, const std::vector> &f, const math::polynomial::polynomial &q_last, - const math::polynomial::polynomial &q_blind - ) { + const math::polynomial::polynomial &q_blind) { // 1. $\beta_1, \gamma_1 = \challenge$ - typename FieldType::value_type beta = - transcript.template challenge(); + typename FieldType::value_type beta = transcript.template challenge(); - typename FieldType::value_type gamma = - transcript.template challenge(); + typename FieldType::value_type gamma = transcript.template challenge(); // 2. Calculate id_binding, sigma_binding for j from 1 to N_rows std::vector id_binding(circuit_rows); @@ -74,20 +72,21 @@ namespace nil { sigma_binding[j] = FieldType::value_type::one(); for (std::size_t i = 0; i < permutation_size; i++) { - id_binding[j] *= (f[i].evaluate(domain[j]) + beta * S_id[i].evaluate(domain[j]) + gamma); - sigma_binding[j] *= (f[i].evaluate(domain[j]) + beta * S_sigma[i].evaluate(domain[j]) + gamma); + id_binding[j] *= + (f[i].evaluate(domain[j]) + beta * S_id[i].evaluate(domain[j]) + gamma); + sigma_binding[j] *= + (f[i].evaluate(domain[j]) + beta * S_sigma[i].evaluate(domain[j]) + gamma); } } // 3. Calculate $V_P$ - std::vector - V_P_interpolation_points(circuit_rows); + std::vector V_P_interpolation_points(circuit_rows); V_P_interpolation_points[0] = FieldType::value_type::one(); for (std::size_t j = 1; j < circuit_rows; j++) { typename FieldType::value_type tmp_mul_result = FieldType::value_type::one(); for (std::size_t i = 0; i <= j - 1; i++) { - //TODO: use one division + // TODO: use one division tmp_mul_result *= id_binding[i] / sigma_binding[i]; } @@ -99,17 +98,17 @@ namespace nil { V_P_domain->inverse_fft(V_P_interpolation_points); - math::polynomial::polynomial V_P(V_P_interpolation_points.begin(), V_P_interpolation_points.end()); + math::polynomial::polynomial V_P( + V_P_interpolation_points.begin(), V_P_interpolation_points.end()); // 4. Compute and add commitment to $V_P$ to $\text{transcript}$. - //TODO: include commitment - //merkle_tree_type V_P_tree = fri::commit(V_P, D_0); - //typename fri::commitment_type V_P_commitment = V_P_tree.root(); - //transcript(V_P_commitment); - + // TODO: include commitment + // merkle_tree_type V_P_tree = fri::commit(V_P, D_0); + // typename fri::commitment_type V_P_commitment = V_P_tree.root(); + // transcript(V_P_commitment); // 5. Calculate g_perm, h_perm - math::polynomial::polynomial g = {1}; + math::polynomial::polynomial g = {1}; math::polynomial::polynomial h = {1}; for (std::size_t i = 0; i < permutation_size; i++) { @@ -122,13 +121,12 @@ namespace nil { F[0] = lagrange_1 * (one_polynomial - V_P); F[1] = (one_polynomial - (q_last + q_blind)) * ((domain[0] * V_P) * h - V_P * g); F[2] = q_last * (V_P * V_P - V_P);*/ - + std::array, 3> F; return F; } - static inline std::array - verify_argument() { + static inline std::array verify_argument() { /*typename transcript_hash_type::digest_type beta_bytes = transcript.get_challenge(); @@ -152,9 +150,9 @@ namespace nil { return F; } }; - } // namespace snark - } // namespace zk - } // namespace crypto3 -} // namespace nil + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil #endif // CRYPTO3_ZK_PLONK_REDSHIFT_PROVER_HPP \ No newline at end of file diff --git a/test/commitment/lpc.cpp b/test/commitment/lpc.cpp index 5171bf53d..cdbd570d7 100644 --- a/test/commitment/lpc.cpp +++ b/test/commitment/lpc.cpp @@ -44,8 +44,69 @@ using namespace nil::crypto3; using namespace nil::crypto3::zk::snark; +// Generates a Fibonacci sequence +std::vector fibonacci() { + std::vector ret(8); + ret[0] = 0; + ret[1] = 1; + + for (std::size_t s(2); s < ret.size(); s++) { + ret[s] = ret[s - 1] + ret[s - 2]; + } + return ret; +} + +template +std::vector> generate(NumberType degree) { + typedef boost::random::independent_bits_engine + random_polynomial_generator_type; + + std::vector> res; + + boost::random::random_device rd; // Will be used to obtain a seed for the random number engine + boost::random::mt19937 gen(rd()); // Standard mersenne_twister_engine seeded with rd() + boost::random::uniform_int_distribution<> distrib(std::numeric_limits::min(), std::numeric_limits::max()); + + random_polynomial_generator_type polynomial_element_gen; + std::size_t height = distrib(gen); + res.reserve(height); + + for (int i = 0; i < height; i++) { + math::polynomial::polynomial poly; + for (int j = 0; j < degree; j++) { + poly.push_back(polynomial_element_gen()); + } + res.push_back(poly); + } + + return res; +} + +// Generates a map from a vector +std::map vect_2_str(const std::vector &v) { + std::map out; + for (float s : v) { + std::ostringstream o; + o << s; + out[o.str()] = s; + } + return out; +} + +typedef std::pair pair_map_t; +BOOST_TEST_DONT_PRINT_LOG_VALUE(pair_map_t) + BOOST_AUTO_TEST_SUITE(lpc_test_suite) +BOOST_DATA_TEST_CASE(test2, + ::boost::unit_test::data::make(generate::base_field_type>()), + array_element) { + std::cout << "test 2: \"" << array_element.first << "\", " << array_element.second << std::endl; + BOOST_TEST(array_element.second <= 13); +} + BOOST_AUTO_TEST_CASE(lpc_basic_test) { typedef algebra::curves::bls12<381> curve_type; diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index c1d13ddf3..b5d9eb030 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -44,11 +44,10 @@ #include #include - using namespace nil::crypto3; -template - std::vector prepare_domain(const std::size_t d) { +template +std::vector prepare_domain(const std::size_t d) { typename FieldType::value_type omega = math::unity_root(math::detail::get_power_of_two(d)); std::vector D_0(d); for (std::size_t power = 1; power <= d; power++) { @@ -57,31 +56,29 @@ template return D_0; } -template -math::polynomial::polynomial +template +math::polynomial::polynomial lagrange_polynomial(std::vector domain, std::size_t number) { - std::vector> - evaluation_points; + std::vector> evaluation_points; for (std::size_t i = 0; i < domain.size(); i++) { - evaluation_points.push_back(std::make_pair(domain[i], (i != number) ? - FieldType::value_type::zero() : FieldType::value_type::one())); + evaluation_points.push_back( + std::make_pair(domain[i], (i != number) ? FieldType::value_type::zero() : FieldType::value_type::one())); } - math::polynomial::polynomial f = + math::polynomial::polynomial f = math::polynomial::lagrange_interpolation(evaluation_points); return f; } - BOOST_AUTO_TEST_SUITE(redshift_prover_test_suite) BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { using curve_type = algebra::curves::mnt4<298>; - //zk::snark::redshift_preprocessor preprocess; + // zk::snark::redshift_preprocessor preprocess; // auto preprocessed_data = preprocess::process(cs, assignments); - //zk::snark::redshift_prover prove; + // zk::snark::redshift_prover prove; } BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { @@ -95,19 +92,16 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { std::vector domain = prepare_domain(circuit_rows); math::polynomial::polynomial lagrange_0 = lagrange_polynomial(domain, 0); - //TODO: implement it in a proper way in generator.hpp + // TODO: implement it in a proper way in generator.hpp std::vector> S_id(permutation_size); std::vector> S_sigma(permutation_size); - typename FieldType::value_type omega = math::unity_root( - math::detail::get_power_of_two(circuit_rows)); + typename FieldType::value_type omega = math::unity_root(math::detail::get_power_of_two(circuit_rows)); - typename FieldType::value_type delta = - algebra::fields::arithmetic_params::multiplicative_generator; + typename FieldType::value_type delta = algebra::fields::arithmetic_params::multiplicative_generator; for (std::size_t i = 0; i < permutation_size; i++) { - std::vector> - interpolation_points; + std::vector> interpolation_points; for (std::size_t j = 0; j < circuit_rows; j++) { interpolation_points.emplace_back(omega.pow(j), delta.pow(i) * omega.pow(j)); } @@ -116,8 +110,7 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { } for (std::size_t i = 0; i < permutation_size; i++) { - std::vector> - interpolation_points; + std::vector> interpolation_points; for (std::size_t j = 0; j < circuit_rows; j++) { if (i == 1 && j == 1) { interpolation_points.emplace_back(omega.pow(j), delta.pow(2) * omega.pow(2)); @@ -126,7 +119,6 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { } else { interpolation_points.emplace_back(omega.pow(j), delta.pow(i) * omega.pow(j)); } - } S_sigma[i] = math::polynomial::lagrange_interpolation(interpolation_points); @@ -135,15 +127,13 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { // construct circuit values std::vector> f(permutation_size); for (std::size_t i = 0; i < permutation_size; i++) { - std::vector> - interpolation_points; + std::vector> interpolation_points; for (std::size_t j = 0; j < circuit_rows; j++) { if (i == 2 && j == 2) { interpolation_points.emplace_back(omega.pow(j), interpolation_points[1].second); } else { interpolation_points.emplace_back(omega.pow(j), algebra::random_element()); } - } f[i] = math::polynomial::lagrange_interpolation(interpolation_points); @@ -152,10 +142,8 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { // construct q_last, q_blind math::polynomial::polynomial q_last; math::polynomial::polynomial q_blind; - std::vector> - interpolation_points_last; - std::vector> - interpolation_points_blind; + std::vector> interpolation_points_last; + std::vector> interpolation_points_blind; for (std::size_t j = 0; j < circuit_rows; j++) { if (j == circuit_rows - 1) { interpolation_points_last.emplace_back(omega.pow(j), FieldType::value_type::one()); @@ -164,7 +152,6 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { interpolation_points_last.emplace_back(omega.pow(j), FieldType::value_type::zero()); interpolation_points_blind.emplace_back(omega.pow(j), FieldType::value_type::zero()); } - } q_last = math::polynomial::lagrange_interpolation(interpolation_points_last); q_blind = math::polynomial::lagrange_interpolation(interpolation_points_blind); @@ -172,44 +159,42 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; zk::snark::fiat_shamir_heuristic_updated> transcript(init_blob); - std::array, 3> prove_res = + std::array, 3> prove_res = zk::snark::redshift_permutation_argument::prove_argument( - transcript, - circuit_rows, - permutation_size, - domain, - lagrange_0, - S_id, - S_sigma, - f, - q_last, - q_blind - ); - - //zk::snark::redshift_preprocessor preprocess; + transcript, circuit_rows, permutation_size, domain, lagrange_0, S_id, S_sigma, f, q_last, q_blind); + + std::size_t size = 0; + + BOOST_CHECK( + std::accumulate(prove_res.begin(), prove_res.end(), size, + [&](std::size_t acc, const math::polynomial::polynomial &val) { + return acc + val.degree(); + }) > 0); + + // zk::snark::redshift_preprocessor preprocess; // auto preprocessed_data = preprocess::process(cs, assignments); - //zk::snark::redshift_prover prove; + // zk::snark::redshift_prover prove; } BOOST_AUTO_TEST_CASE(redshift_lookup_argument_test) { using curve_type = algebra::curves::mnt4<298>; - //zk::snark::redshift_preprocessor preprocess; + // zk::snark::redshift_preprocessor preprocess; // auto preprocessed_data = preprocess::process(cs, assignments); - //zk::snark::redshift_prover prove; + // zk::snark::redshift_prover prove; } BOOST_AUTO_TEST_CASE(redshift_witness_argument_test) { using curve_type = algebra::curves::mnt4<298>; - //zk::snark::redshift_preprocessor preprocess; + // zk::snark::redshift_preprocessor preprocess; // auto preprocessed_data = preprocess::process(cs, assignments); - //zk::snark::redshift_prover prove; + // zk::snark::redshift_prover prove; } BOOST_AUTO_TEST_SUITE_END() \ No newline at end of file From 1f3f940a18375badb5a3b03d5726dfa0c82a828b Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Wed, 2 Feb 2022 20:54:47 +0200 Subject: [PATCH 078/219] redshift permutation argument update #20 --- .../zk/snark/systems/plonk/redshift/permutation_argument.hpp | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp index 6af6afbdd..9cf5edb3d 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp @@ -117,13 +117,12 @@ namespace nil { h = h * (f[i] + beta * S_sigma[i] + gamma); } - /*math::polynomial::polynomial one_polynomial = {1}; + math::polynomial::polynomial one_polynomial = {1}; std::array, 3> F; F[0] = lagrange_1 * (one_polynomial - V_P); F[1] = (one_polynomial - (q_last + q_blind)) * ((domain[0] * V_P) * h - V_P * g); - F[2] = q_last * (V_P * V_P - V_P);*/ + F[2] = q_last * (V_P * V_P - V_P); - std::array, 3> F; return F; } From e985d8c15baf5d63608a594a19a14e5983254a76 Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Wed, 2 Feb 2022 21:56:50 +0300 Subject: [PATCH 079/219] Minor commitment scheme changes #20 --- .../zk/snark/commitments/fri_commitment.hpp | 56 +++++++++---------- .../list_polynomial_commitment.hpp | 26 ++++----- test/commitment/lpc.cpp | 3 +- 3 files changed, 42 insertions(+), 43 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index 00cc39ffa..ef3804ec9 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -54,11 +54,9 @@ namespace nil { * Matter Labs, * */ - template + template struct fri_commitment_scheme { - static constexpr std::size_t m = M; + constexpr static const std::size_t m = M; typedef FieldType field_type; typedef Hash transcript_hash_type; @@ -84,7 +82,7 @@ namespace nil { }; struct proof_type { - std::vector round_proofs; // 0..r-2 + std::vector round_proofs; // 0..r-2 math::polynomial::polynomial final_polynomial; }; @@ -100,8 +98,9 @@ namespace nil { const std::vector &D) { using Endianness = nil::marshalling::option::big_endian; - using field_element_type = - nil::crypto3::marshalling::types::field_element, FieldType>; + using field_element_type = + nil::crypto3::marshalling::types::field_element, + FieldType>; std::vector> y_data; y_data.reserve(D.size()); @@ -110,7 +109,7 @@ namespace nil { for (std::size_t i = 0; i < D.size(); i++) { typename FieldType::value_type y = f.evaluate(D[i]); - field_element_type y_val = + field_element_type y_val = nil::crypto3::marshalling::types::fill_field_element(y); auto write_iter = y_data[i].begin(); y_val.write(write_iter, 96); @@ -129,8 +128,7 @@ namespace nil { math::polynomial::polynomial f = Q; - typename FieldType::value_type x = - transcript.template challenge(); + typename FieldType::value_type x = transcript.template challenge(); std::size_t r = fri_params.r; @@ -140,17 +138,16 @@ namespace nil { for (std::size_t i = 0; i <= r - 1; i++) { typename FieldType::value_type alpha = - fri_params.D[i+1][0].pow( - transcript.template int_challenge()); + fri_params.D[i + 1][0].pow(transcript.template int_challenge()); typename FieldType::value_type x_next = fri_params.q.evaluate(x); std::size_t d = f.degree(); - math::polynomial::polynomial f_next((d + 1)/2 - 1); + math::polynomial::polynomial f_next((d + 1) / 2 - 1); - for (std::size_t index = 0; index < f_next.size(); index++){ - f_next[index] = f[2*index] + alpha * f[2*index + 1]; + for (std::size_t index = 0; index < f_next.size(); index++) { + f_next[index] = f[2 * index] + alpha * f[2 * index + 1]; } // m = 2, so: @@ -173,33 +170,36 @@ namespace nil { for (std::size_t j = 0; j < m; j++) { if (i == 0) { - typename FieldType::value_type leaf = g.evaluate(s[j]); - std::size_t leaf_index = std::find( - fri_params.D[i].begin(), fri_params.D[i].end(), leaf) - fri_params.D[i].begin(); - p[j] = T.hash_path(leaf_index); + typename FieldType::value_type leaf = g.evaluate(s[j]); + std::size_t leaf_index = + std::find(fri_params.D[i].begin(), fri_params.D[i].end(), leaf) - + fri_params.D[i].begin(); + p[j] = T.hash_path(leaf_index); } else { for (std::size_t j = 0; j < m; j++) { - std::size_t leaf_index = std::find( - fri_params.D[i].begin(), fri_params.D[i].end(), y[j]) - fri_params.D[i].begin(); + std::size_t leaf_index = + std::find(fri_params.D[i].begin(), fri_params.D[i].end(), y[j]) - + fri_params.D[i].begin(); p[j] = T.hash_path(leaf_index); } } } if (i < r - 1) { - merkle_tree_type T_next = commit(f_next, fri_params.D[i+1]); + merkle_tree_type T_next = commit(f_next, fri_params.D[i + 1]); transcript(T_next.root()); typename FieldType::value_type colinear_value = f_next.evaluate(x_next); - std::size_t leaf_index = std::find( - fri_params.D[i+1].begin(), fri_params.D[i+1].end(), colinear_value) - - fri_params.D[i+1].begin(); - std::vector colinear_path = + std::size_t leaf_index = + std::find(fri_params.D[i + 1].begin(), fri_params.D[i + 1].end(), colinear_value) - + fri_params.D[i + 1].begin(); + std::vector colinear_path = T_next.hash_path(leaf_index); - round_proofs.push_back(round_proof_type({y, p, T.root(), colinear_value, colinear_path})); + round_proofs.push_back( + round_proof_type({y, p, T.root(), colinear_value, colinear_path})); T = T_next; } else { @@ -209,7 +209,7 @@ namespace nil { x = x_next; f = f_next; } - return proof_type ({round_proofs, final_polynomial}); + return proof_type({round_proofs, final_polynomial}); } static bool verify_eval() { diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index 871a2d8ec..dddca1090 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -70,9 +70,10 @@ namespace nil { typedef Hash transcript_hash_type; typedef typename containers::merkle_tree merkle_tree_type; + typedef typename merkle_tree_type::hash_type merkle_hash_type; typedef std::vector merkle_proof_type; - typedef fri_commitment_scheme fri_type; + typedef fri_commitment_scheme fri_type; struct transcript_round_manifest { enum challenges_ids { x, y }; @@ -100,18 +101,17 @@ namespace nil { }; private: - std::vector prepare_domain(const std::size_t domain_size) { - typename FieldType::value_type omega = math::unity_root(math::detail::get_power_of_two(domain_size)); - std::vector D(domain_size); + typename FieldType::value_type omega = + math::unity_root(math::detail::get_power_of_two(domain_size)); + std::vector d(domain_size); for (std::size_t power = 1; power <= domain_size; power++) { - D.emplace_back(omega.pow(power)); + d.emplace_back(omega.pow(power)); } - return D; + return d; } public: - // The result of this function is not commitment_type (as it would expected), // but the built Merkle tree. This is done so, because we often need to reuse // the built Merkle tree @@ -120,9 +120,9 @@ namespace nil { // should be called static merkle_tree_type commit(const math::polynomial::polynomial &f, - const std::vector &D) { + const std::vector &d) { - return fri_type::commit(f, D); + return fri_type::commit(f, d); } static proof_type proof_eval(const std::array &evaluation_points, @@ -157,18 +157,16 @@ namespace nil { std::vector> D; std::size_t d = D; - for (std::size_t j = 0; j <= r-1; j++) { - D[j] = prepare_domain(d/2); + for (std::size_t j = 0; j <= r - 1; j++) { + D[j] = prepare_domain(d / 2); } // temporary definition, until polynomial is constexpr const math::polynomial::polynomial q = {0, 0, 1}; - + fri_type::params_type fri_params = {r, D, q}; for (std::size_t round_id = 0; round_id < lambda; round_id++) { - - } return proof; diff --git a/test/commitment/lpc.cpp b/test/commitment/lpc.cpp index cdbd570d7..cd356ef59 100644 --- a/test/commitment/lpc.cpp +++ b/test/commitment/lpc.cpp @@ -101,7 +101,8 @@ BOOST_TEST_DONT_PRINT_LOG_VALUE(pair_map_t) BOOST_AUTO_TEST_SUITE(lpc_test_suite) BOOST_DATA_TEST_CASE(test2, - ::boost::unit_test::data::make(generate::base_field_type>()), + ::boost::unit_test::data::make( + generate::base_field_type>(multiprecision::pow(2, 24))), array_element) { std::cout << "test 2: \"" << array_element.first << "\", " << array_element.second << std::endl; BOOST_TEST(array_element.second <= 13); From 11e783c4624539910070c3df41440e5b6c1ae953 Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Wed, 2 Feb 2022 21:58:17 +0300 Subject: [PATCH 080/219] MInor fixes #20 --- .../crypto3/zk/snark/commitments/list_polynomial_commitment.hpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index dddca1090..696262e18 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -175,7 +175,7 @@ namespace nil { static bool verify_eval(const std::array &evaluation_points, const commitment_type &root, const proof_type &proof, - const std::vector &D) { + const std::vector &d) { return true; } }; From 66c78b55ba7371ea1a839a61181edd135a4123d6 Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Wed, 2 Feb 2022 22:02:04 +0300 Subject: [PATCH 081/219] Minor renaming done: get_power_of_two -> power_of_two #20 --- .../zk/snark/commitments/list_polynomial_commitment.hpp | 2 +- .../crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp | 2 +- test/commitment/fri.cpp | 2 +- test/commitment/lpc.cpp | 2 +- test/systems/plonk/redshift.cpp | 4 ++-- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index 696262e18..831d5e498 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -103,7 +103,7 @@ namespace nil { private: std::vector prepare_domain(const std::size_t domain_size) { typename FieldType::value_type omega = - math::unity_root(math::detail::get_power_of_two(domain_size)); + math::unity_root(math::detail::power_of_two(domain_size)); std::vector d(domain_size); for (std::size_t power = 1; power <= domain_size; power++) { d.emplace_back(omega.pow(power)); diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp index abd9f7b0e..34d64c132 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp @@ -47,7 +47,7 @@ namespace nil { typename types_policy::template preprocessed_data_type data; - data.omega = math::unity_root(math::detail::get_power_of_two(k)); + data.omega = math::unity_root(math::detail::power_of_two(k)); data.Z = {1}; // data.selectors = constraint_system.selectors(); // ... copy_constraints = constraint_system.copy_constraints(); diff --git a/test/commitment/fri.cpp b/test/commitment/fri.cpp index 1be9b0054..641aaf598 100644 --- a/test/commitment/fri.cpp +++ b/test/commitment/fri.cpp @@ -48,7 +48,7 @@ using namespace nil::crypto3; template std::vector prepare_domain(const std::size_t d) { - typename FieldType::value_type omega = math::unity_root(math::detail::get_power_of_two(d)); + typename FieldType::value_type omega = math::unity_root(math::detail::power_of_two(d)); std::vector D_0(d); for (std::size_t power = 1; power <= d; power++) { D_0.emplace_back(omega.pow(power)); diff --git a/test/commitment/lpc.cpp b/test/commitment/lpc.cpp index cd356ef59..a0608c914 100644 --- a/test/commitment/lpc.cpp +++ b/test/commitment/lpc.cpp @@ -127,7 +127,7 @@ BOOST_AUTO_TEST_CASE(lpc_basic_test) { typedef list_polynomial_commitment_scheme lpc_type; typedef typename lpc_type::proof_type proof_type; - typename field_type::value_type omega = math::unity_root(math::detail::get_power_of_two(k)); + typename field_type::value_type omega = math::unity_root(math::detail::power_of_two(k)); std::vector D_0(10); for (std::size_t power = 1; power <= 10; power++) { diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index b5d9eb030..e5a38d35a 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -48,7 +48,7 @@ using namespace nil::crypto3; template std::vector prepare_domain(const std::size_t d) { - typename FieldType::value_type omega = math::unity_root(math::detail::get_power_of_two(d)); + typename FieldType::value_type omega = math::unity_root(math::detail::power_of_two(d)); std::vector D_0(d); for (std::size_t power = 1; power <= d; power++) { D_0.emplace_back(omega.pow(power)); @@ -96,7 +96,7 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { std::vector> S_id(permutation_size); std::vector> S_sigma(permutation_size); - typename FieldType::value_type omega = math::unity_root(math::detail::get_power_of_two(circuit_rows)); + typename FieldType::value_type omega = math::unity_root(math::detail::power_of_two(circuit_rows)); typename FieldType::value_type delta = algebra::fields::arithmetic_params::multiplicative_generator; From b762571d08c6b6f299353e11e7b696267fb1b785 Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Wed, 2 Feb 2022 22:32:53 +0300 Subject: [PATCH 082/219] Tests updated #20 --- .../list_polynomial_commitment.hpp | 7 +- test/commitment/fri.cpp | 2 +- test/commitment/lpc.cpp | 75 ++++++++++--------- 3 files changed, 42 insertions(+), 42 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index 831d5e498..285e09fcb 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -155,16 +155,15 @@ namespace nil { Q = Q / denominator_polynom; } - std::vector> D; - std::size_t d = D; + std::vector> d; for (std::size_t j = 0; j <= r - 1; j++) { - D[j] = prepare_domain(d / 2); + d[j] = prepare_domain(D / 2); } // temporary definition, until polynomial is constexpr const math::polynomial::polynomial q = {0, 0, 1}; - fri_type::params_type fri_params = {r, D, q}; + typename fri_type::params_type fri_params = {r, D, q}; for (std::size_t round_id = 0; round_id < lambda; round_id++) { } diff --git a/test/commitment/fri.cpp b/test/commitment/fri.cpp index 641aaf598..d41050d7b 100644 --- a/test/commitment/fri.cpp +++ b/test/commitment/fri.cpp @@ -93,7 +93,7 @@ BOOST_AUTO_TEST_CASE(fri_basic_test) { std::vector> y_data; merkle_tree_type T(y_data); - std::array x_data; + std::array x_data{}; zk::snark::fiat_shamir_heuristic_updated transcript(x_data); // std::array evaluation_points = {omega.pow(5)}; diff --git a/test/commitment/lpc.cpp b/test/commitment/lpc.cpp index a0608c914..731bcbc6d 100644 --- a/test/commitment/lpc.cpp +++ b/test/commitment/lpc.cpp @@ -44,26 +44,14 @@ using namespace nil::crypto3; using namespace nil::crypto3::zk::snark; -// Generates a Fibonacci sequence -std::vector fibonacci() { - std::vector ret(8); - ret[0] = 0; - ret[1] = 1; - - for (std::size_t s(2); s < ret.size(); s++) { - ret[s] = ret[s - 1] + ret[s - 2]; - } - return ret; -} - -template -std::vector> generate(NumberType degree) { +template +std::vector> generate(NumberType degree) { typedef boost::random::independent_bits_engine + FieldType::modulus_bits, + typename FieldType::value_type::data_type> random_polynomial_generator_type; - std::vector> res; + std::vector> res; boost::random::random_device rd; // Will be used to obtain a seed for the random number engine boost::random::mt19937 gen(rd()); // Standard mersenne_twister_engine seeded with rd() @@ -74,9 +62,9 @@ std::vector> generate(NumberType de res.reserve(height); for (int i = 0; i < height; i++) { - math::polynomial::polynomial poly; + math::polynomial::polynomial poly; for (int j = 0; j < degree; j++) { - poly.push_back(polynomial_element_gen()); + poly.push_back(typename FieldType::value_type(polynomial_element_gen())); } res.push_back(poly); } @@ -84,28 +72,41 @@ std::vector> generate(NumberType de return res; } -// Generates a map from a vector -std::map vect_2_str(const std::vector &v) { - std::map out; - for (float s : v) { - std::ostringstream o; - o << s; - out[o.str()] = s; +BOOST_AUTO_TEST_SUITE(lpc_test_suite) + +BOOST_DATA_TEST_CASE(lpc_performance_test, + ::boost::unit_test::data::make(generate::base_field_type>( + multiprecision::pow(multiprecision::cpp_int(2), 24))), + p) { + typedef algebra::curves::bls12<381> curve_type; + typedef typename curve_type::base_field_type field_type; + typedef hashes::sha2<256> merkle_hash_type; + + typedef typename containers::merkle_tree merkle_tree_type; + + constexpr static const std::size_t lambda = 40; + constexpr static const std::size_t k = 1; + + constexpr static const std::size_t d = 5; + + constexpr static const std::size_t r = boost::static_log2<(d - k)>::value; + constexpr static const std::size_t m = 2; + + typedef list_polynomial_commitment_scheme lpc_type; + typedef typename lpc_type::proof_type proof_type; + + typename field_type::value_type omega = math::unity_root(math::detail::power_of_two(k)); + + std::vector D_0(10); + for (std::size_t power = 1; power <= 10; power++) { + D_0.emplace_back(omega.pow(power)); } - return out; -} -typedef std::pair pair_map_t; -BOOST_TEST_DONT_PRINT_LOG_VALUE(pair_map_t) + merkle_tree_type T = lpc_type::commit(p, D_0); -BOOST_AUTO_TEST_SUITE(lpc_test_suite) + std::array evaluation_points = {algebra::random_element()}; -BOOST_DATA_TEST_CASE(test2, - ::boost::unit_test::data::make( - generate::base_field_type>(multiprecision::pow(2, 24))), - array_element) { - std::cout << "test 2: \"" << array_element.first << "\", " << array_element.second << std::endl; - BOOST_TEST(array_element.second <= 13); + BOOST_CHECK(lpc_type::proof_eval(evaluation_points, T, p, D_0) != proof_type()); } BOOST_AUTO_TEST_CASE(lpc_basic_test) { From 336f9ace129faabf00700ffbbd6d4de9f8dbe835 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Wed, 2 Feb 2022 22:37:29 +0300 Subject: [PATCH 083/219] LPC updated. #20 --- .../list_polynomial_commitment.hpp | 62 ++++++++----------- test/commitment/lpc.cpp | 32 ++++++---- 2 files changed, 48 insertions(+), 46 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index 871a2d8ec..eddafc509 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -59,7 +59,7 @@ namespace nil { std::size_t K = 1, std::size_t R = 1, std::size_t M = 2, - std::size_t D = 16> + std::size_t _d = 16> struct list_polynomial_commitment_scheme { constexpr static const std::size_t lambda = Lambda; constexpr static const std::size_t k = K; @@ -72,36 +72,29 @@ namespace nil { typedef typename containers::merkle_tree merkle_tree_type; typedef std::vector merkle_proof_type; - typedef fri_commitment_scheme fri_type; + typedef fri_commitment_scheme fri_type; - struct transcript_round_manifest { - enum challenges_ids { x, y }; - }; - - using openning_type = merkle_proof_type; using commitment_type = typename merkle_tree_type::value_type; struct proof_type { bool operator==(const proof_type &rhs) const { - return z_openings == rhs.z_openings && alpha_openings == rhs.alpha_openings && - f_y_openings == rhs.f_y_openings && f_commitments == rhs.f_commitments && - f_ip1_coefficients == rhs.f_ip1_coefficients; + return z == rhs.z && p == rhs.p && + fri_proof == rhs.fri_proof; } bool operator!=(const proof_type &rhs) const { return !(rhs == *this); } - std::array z_openings; + std::array z; - std::array, lambda> f_commitments; + std::array p; - std::array, lambda> - f_ip1_coefficients; + std::array fri_proof; }; private: - std::vector prepare_domain(const std::size_t domain_size) { + static std::vector prepare_domain(const std::size_t domain_size) { typename FieldType::value_type omega = math::unity_root(math::detail::get_power_of_two(domain_size)); std::vector D(domain_size); for (std::size_t power = 1; power <= domain_size; power++) { @@ -126,23 +119,26 @@ namespace nil { } static proof_type proof_eval(const std::array &evaluation_points, - const merkle_tree_type &T, + merkle_tree_type &T, const math::polynomial::polynomial &g, fiat_shamir_heuristic_updated &transcript) { - proof_type proof; - - fiat_shamir_heuristic transcript; + std::vector> D; + std::size_t d = _d; + for (std::size_t j = 0; j <= r-1; j++) { + D[j] = prepare_domain(d/2); + } - std::array &z_openings = proof.z_openings; + std::array z; + std::array p; std::array, k> U_interpolation_points; for (std::size_t j = 0; j < k; j++) { - typename FieldType::value_type z_j = g.evaluate(evaluation_points[j]); - std::size_t leaf_index = std::find(D.begin(), D.end(), evaluation_points[j]) - D.begin(); - z_openings[j] = merkle_proof_type(T, leaf_index); - U_interpolation_points[j] = std::make_pair(evaluation_points[j], z_j); + z[j] = g.evaluate(evaluation_points[j]); + std::size_t leaf_index = std::find(D[0].begin(), D[0].end(), evaluation_points[j]) - D[0].begin(); + p[j] = T.hash_path(leaf_index); + U_interpolation_points[j] = std::make_pair(evaluation_points[j], z[j]); } math::polynomial::polynomial U = @@ -155,23 +151,19 @@ namespace nil { Q = Q / denominator_polynom; } - std::vector> D; - std::size_t d = D; - for (std::size_t j = 0; j <= r-1; j++) { - D[j] = prepare_domain(d/2); - } - // temporary definition, until polynomial is constexpr const math::polynomial::polynomial q = {0, 0, 1}; - - fri_type::params_type fri_params = {r, D, q}; - for (std::size_t round_id = 0; round_id < lambda; round_id++) { - + typename fri_type::params_type fri_params = {r, D, q}; + + std::array fri_proof; + + for (std::size_t round_id = 0; round_id <= lambda-1; round_id++) { + fri_proof[round_id] = fri_type::proof_eval(Q, g, T, transcript, fri_params); } - return proof; + return proof_type({z, p, fri_proof}); } static bool verify_eval(const std::array &evaluation_points, diff --git a/test/commitment/lpc.cpp b/test/commitment/lpc.cpp index 5171bf53d..421c8edad 100644 --- a/test/commitment/lpc.cpp +++ b/test/commitment/lpc.cpp @@ -44,14 +44,26 @@ using namespace nil::crypto3; using namespace nil::crypto3::zk::snark; +template +std::vector prepare_domain(const std::size_t d) { + typename FieldType::value_type omega = math::unity_root(math::detail::get_power_of_two(d)); + std::vector D_0(d); + for (std::size_t power = 1; power <= d; power++) { + D_0.emplace_back(omega.pow(power)); + } + return D_0; +} + BOOST_AUTO_TEST_SUITE(lpc_test_suite) BOOST_AUTO_TEST_CASE(lpc_basic_test) { typedef algebra::curves::bls12<381> curve_type; - typedef typename curve_type::base_field_type field_type; + typedef typename curve_type::base_field_type FieldType; typedef hashes::sha2<256> merkle_hash_type; + typedef hashes::sha2<256> transcript_hash_type; + typedef typename containers::merkle_tree merkle_tree_type; constexpr static const std::size_t lambda = 40; @@ -62,23 +74,21 @@ BOOST_AUTO_TEST_CASE(lpc_basic_test) { constexpr static const std::size_t r = boost::static_log2<(d - k)>::value; constexpr static const std::size_t m = 2; - typedef list_polynomial_commitment_scheme lpc_type; + typedef list_polynomial_commitment_scheme lpc_type; typedef typename lpc_type::proof_type proof_type; - typename field_type::value_type omega = math::unity_root(math::detail::get_power_of_two(k)); + const math::polynomial::polynomial f = {0, 0, 1}; - std::vector D_0(10); - for (std::size_t power = 1; power <= 10; power++) { - D_0.emplace_back(omega.pow(power)); - } - - const math::polynomial::polynomial f = {0, 0, 1}; + std::vector D_0 = prepare_domain(d); merkle_tree_type T = lpc_type::commit(f, D_0); - std::array evaluation_points = {algebra::random_element()}; + std::array evaluation_points = {algebra::random_element()}; + + std::array x_data; + zk::snark::fiat_shamir_heuristic_updated transcript(x_data); - BOOST_CHECK(lpc_type::proof_eval(evaluation_points, T, f, D_0) != proof_type()); + lpc_type::proof_eval(evaluation_points, T, f, transcript); } BOOST_AUTO_TEST_SUITE_END() \ No newline at end of file From 914dbfffa5fe096c560ea3921ee23341090cbec2 Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Wed, 2 Feb 2022 22:56:40 +0300 Subject: [PATCH 084/219] LPC tests updated. FRI and LPC commitment scheme updates #20 --- .../zk/snark/commitments/fri_commitment.hpp | 14 ++++++++ .../list_polynomial_commitment.hpp | 17 +++++----- test/commitment/lpc.cpp | 34 +++++++++++++++---- 3 files changed, 50 insertions(+), 15 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index ef3804ec9..daa3a6598 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -72,6 +72,13 @@ namespace nil { }; struct round_proof_type { + bool operator==(const round_proof_type &rhs) const { + return y == rhs.y && p == rhs.p && T_root == rhs.T_root && + colinear_value == rhs.colinear_value && colinear_path == rhs.colinear_path; + } + bool operator!=(const round_proof_type &rhs) const { + return !(rhs == *this); + } std::array y; std::array p; @@ -82,6 +89,13 @@ namespace nil { }; struct proof_type { + bool operator==(const proof_type &rhs) const { + return round_proofs == rhs.round_proofs && final_polynomial == rhs.final_polynomial; + } + bool operator!=(const proof_type &rhs) const { + return !(rhs == *this); + } + std::vector round_proofs; // 0..r-2 math::polynomial::polynomial final_polynomial; diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index b23482ca0..fabb08caf 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -79,8 +79,7 @@ namespace nil { struct proof_type { bool operator==(const proof_type &rhs) const { - return z == rhs.z && p == rhs.p && - fri_proof == rhs.fri_proof; + return z == rhs.z && p == rhs.p && fri_proof == rhs.fri_proof; } bool operator!=(const proof_type &rhs) const { return !(rhs == *this); @@ -94,9 +93,9 @@ namespace nil { }; private: - static std::vector prepare_domain(const std::size_t domain_size) { - typename FieldType::value_type omega = math::unity_root(math::detail::get_power_of_two(domain_size)); + typename FieldType::value_type omega = + math::unity_root(math::detail::power_of_two(domain_size)); std::vector D(domain_size); for (std::size_t power = 1; power <= domain_size; power++) { D.emplace_back(omega.pow(power)); @@ -124,9 +123,10 @@ namespace nil { fiat_shamir_heuristic_updated &transcript) { std::vector> D; + D.reserve(r - 1); std::size_t d = _d; - for (std::size_t j = 0; j <= r-1; j++) { - D[j] = prepare_domain(d/2); + for (std::size_t j = 0; j <= r - 1; j++) { + D[j] = prepare_domain(d / 2); } std::array z; @@ -136,7 +136,8 @@ namespace nil { for (std::size_t j = 0; j < k; j++) { z[j] = g.evaluate(evaluation_points[j]); - std::size_t leaf_index = std::find(D[0].begin(), D[0].end(), evaluation_points[j]) - D[0].begin(); + std::size_t leaf_index = + std::find(D[0].begin(), D[0].end(), evaluation_points[j]) - D[0].begin(); p[j] = T.hash_path(leaf_index); U_interpolation_points[j] = std::make_pair(evaluation_points[j], z[j]); } @@ -158,7 +159,7 @@ namespace nil { std::array fri_proof; - for (std::size_t round_id = 0; round_id <= lambda-1; round_id++) { + for (std::size_t round_id = 0; round_id <= lambda - 1; round_id++) { fri_proof[round_id] = fri_type::proof_eval(Q, g, T, transcript, fri_params); } diff --git a/test/commitment/lpc.cpp b/test/commitment/lpc.cpp index 8a5a310f7..dc7628725 100644 --- a/test/commitment/lpc.cpp +++ b/test/commitment/lpc.cpp @@ -44,9 +44,9 @@ using namespace nil::crypto3; using namespace nil::crypto3::zk::snark; -template +template std::vector prepare_domain(const std::size_t d) { - typename FieldType::value_type omega = math::unity_root(math::detail::get_power_of_two(d)); + typename FieldType::value_type omega = math::unity_root(math::detail::power_of_two(d)); std::vector D_0(d); for (std::size_t power = 1; power <= d; power++) { D_0.emplace_back(omega.pow(power)); @@ -54,6 +54,21 @@ std::vector prepare_domain(const std::size_t d) return D_0; } +namespace boost { + namespace test_tools { + namespace tt_detail { + template<> + struct print_log_value::base_field_type::value_type>>> { + void operator()(std::ostream &, + std::vector::base_field_type::value_type>> const &) { + } + }; + } // namespace tt_detail + } // namespace test_tools +} // namespace boost + template std::vector> generate(NumberType degree) { typedef boost::random::independent_bits_engine> genera for (int i = 0; i < height; i++) { math::polynomial::polynomial poly; for (int j = 0; j < degree; j++) { - poly.push_back(typename FieldType::value_type(polynomial_element_gen())); + // poly.push_back(typename FieldType::value_type(polynomial_element_gen())); } res.push_back(poly); } @@ -90,7 +105,9 @@ BOOST_DATA_TEST_CASE(lpc_performance_test, p) { typedef algebra::curves::bls12<381> curve_type; typedef typename curve_type::base_field_type field_type; + typedef hashes::sha2<256> merkle_hash_type; + typedef hashes::sha2<256> transcript_hash_type; typedef typename containers::merkle_tree merkle_tree_type; @@ -105,7 +122,7 @@ BOOST_DATA_TEST_CASE(lpc_performance_test, typedef list_polynomial_commitment_scheme lpc_type; typedef typename lpc_type::proof_type proof_type; - typename field_type::value_type omega = math::unity_root(math::detail::get_power_of_two(k)); + typename field_type::value_type omega = math::unity_root(math::detail::power_of_two(k)); std::vector D_0(10); for (std::size_t power = 1; power <= 10; power++) { @@ -116,15 +133,18 @@ BOOST_DATA_TEST_CASE(lpc_performance_test, std::array evaluation_points = {algebra::random_element()}; - BOOST_CHECK(lpc_type::proof_eval(evaluation_points, T, p, D_0) != proof_type()); + std::array x_data {}; + zk::snark::fiat_shamir_heuristic_updated transcript(x_data); + + BOOST_CHECK(lpc_type::proof_eval(evaluation_points, T, p, transcript) != proof_type()); } BOOST_AUTO_TEST_CASE(lpc_basic_test) { typedef algebra::curves::bls12<381> curve_type; typedef typename curve_type::base_field_type FieldType; - typedef hashes::sha2<256> merkle_hash_type; + typedef hashes::sha2<256> merkle_hash_type; typedef hashes::sha2<256> transcript_hash_type; typedef typename containers::merkle_tree merkle_tree_type; @@ -148,7 +168,7 @@ BOOST_AUTO_TEST_CASE(lpc_basic_test) { std::array evaluation_points = {algebra::random_element()}; - std::array x_data; + std::array x_data {}; zk::snark::fiat_shamir_heuristic_updated transcript(x_data); lpc_type::proof_eval(evaluation_points, T, f, transcript); From 3e63830f2dc28315e3d9a4a081f533c60a5f458c Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Wed, 2 Feb 2022 23:00:12 +0300 Subject: [PATCH 085/219] More LPC commitment scheme changes #20 --- .../commitments/list_polynomial_commitment.hpp | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index fabb08caf..f7deb292a 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -59,7 +59,7 @@ namespace nil { std::size_t K = 1, std::size_t R = 1, std::size_t M = 2, - std::size_t _d = 16> + std::size_t D = 16> struct list_polynomial_commitment_scheme { constexpr static const std::size_t lambda = Lambda; constexpr static const std::size_t k = K; @@ -96,9 +96,9 @@ namespace nil { static std::vector prepare_domain(const std::size_t domain_size) { typename FieldType::value_type omega = math::unity_root(math::detail::power_of_two(domain_size)); - std::vector D(domain_size); + std::vector d(domain_size); for (std::size_t power = 1; power <= domain_size; power++) { - D.emplace_back(omega.pow(power)); + d.emplace_back(omega.pow(power)); } return D; } @@ -122,11 +122,9 @@ namespace nil { const math::polynomial::polynomial &g, fiat_shamir_heuristic_updated &transcript) { - std::vector> D; - D.reserve(r - 1); - std::size_t d = _d; + std::vector> d; for (std::size_t j = 0; j <= r - 1; j++) { - D[j] = prepare_domain(d / 2); + d.emplace_back(prepare_domain(D / 2)); } std::array z; @@ -137,7 +135,7 @@ namespace nil { for (std::size_t j = 0; j < k; j++) { z[j] = g.evaluate(evaluation_points[j]); std::size_t leaf_index = - std::find(D[0].begin(), D[0].end(), evaluation_points[j]) - D[0].begin(); + std::find(d[0].begin(), d[0].end(), evaluation_points[j]) - d[0].begin(); p[j] = T.hash_path(leaf_index); U_interpolation_points[j] = std::make_pair(evaluation_points[j], z[j]); } From 23a3958cc8efb7aa5312d843b033e7ec151a50c2 Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Wed, 2 Feb 2022 23:19:41 +0300 Subject: [PATCH 086/219] LPC commitment scheme tests fixed #20 --- .../zk/snark/commitments/list_polynomial_commitment.hpp | 4 ++-- test/commitment/lpc.cpp | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index f7deb292a..e40d9a45d 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -100,7 +100,7 @@ namespace nil { for (std::size_t power = 1; power <= domain_size; power++) { d.emplace_back(omega.pow(power)); } - return D; + return d; } public: @@ -153,7 +153,7 @@ namespace nil { // temporary definition, until polynomial is constexpr const math::polynomial::polynomial q = {0, 0, 1}; - typename fri_type::params_type fri_params = {r, D, q}; + typename fri_type::params_type fri_params = {r, d, q}; std::array fri_proof; diff --git a/test/commitment/lpc.cpp b/test/commitment/lpc.cpp index dc7628725..f91eeb846 100644 --- a/test/commitment/lpc.cpp +++ b/test/commitment/lpc.cpp @@ -58,11 +58,11 @@ namespace boost { namespace test_tools { namespace tt_detail { template<> - struct print_log_value::base_field_type::value_type>>> { + struct print_log_value>>>> { void operator()(std::ostream &, - std::vector::base_field_type::value_type>> const &) { + const nil::crypto3::math::polynomial::polynomial>>> &) { } }; } // namespace tt_detail From be966d4ed40a5bb4fda238eb173a1f38661f2c05 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Thu, 3 Feb 2022 00:19:11 +0300 Subject: [PATCH 087/219] FRI verify updated. #20 --- .../zk/snark/commitments/fri_commitment.hpp | 60 ++++++++++++++++++- 1 file changed, 58 insertions(+), 2 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index ef3804ec9..d9ab0c127 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -212,8 +212,64 @@ namespace nil { return proof_type({round_proofs, final_polynomial}); } - static bool verify_eval() { - return true; + static bool verify_eval(proof_type &proof, + fiat_shamir_heuristic_updated &transcript, + params_type &fri_params, + const math::polynomial::polynomial &U, + const math::polynomial::polynomial &V) { + + typename FieldType::value_type x = transcript.template challenge(); + std::size_t r = fri_params.r; + + for (std::size_t i = 0; i <= r - 2; i++) { + + typename FieldType::value_type alpha = + fri_params.D[i + 1][0].pow(transcript.template int_challenge()); + + typename FieldType::value_type x_next = fri_params.q.evaluate(x); + + // m = 2, so: + std::array s; + if constexpr (m == 2) { + s[0] = x; + s[1] = -x; + } else { + return false; + } + + for (std::size_t j = 0; j < m; j++) { + if (!proof.round_proofs[i].p[j].validate(proof.round_proofs[i].T_root)) + return false; + } + + std::array y; + + for (std::size_t j = 0; j < m; j++) { + if (i == 0){ + y[j] = (proof.round_proofs[i].y[j] - U.evaluate(s[j]))/V.evaluate(s[j]); + } else { + y[j] = proof.round_proofs[i].y[j]; + } + } + + if (i < r - 2){ + transcript(proof.round_proofs[i + 1].T_root); + } + + math::polynomial::polynomial interpolant; + + if (!proof.round_proofs[i].colinear_path.validate(proof.round_proofs[i].T_root)) + return false; + if (interpolant.evaluate(alpha) != proof.round_proofs[i].colinear_value) + return false; + + x = x_next; + + } + + // proof.final_polynomial.degree() == ... + + } }; } // namespace snark From ba9bf5f09ccfe91facdad6f4d7093f970d934655 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Thu, 3 Feb 2022 00:31:00 +0200 Subject: [PATCH 088/219] fri folding test #20 --- .../zk/snark/commitments/fri_commitment.hpp | 23 +++-- test/commitment/fri.cpp | 83 ++++++++++++++----- 2 files changed, 77 insertions(+), 29 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index 00cc39ffa..640567d79 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -119,6 +119,20 @@ namespace nil { return merkle_tree_type(y_data); } + static inline math::polynomial::polynomial + fold_polynomial(math::polynomial::polynomial &f, + typename FieldType::value_type alpha) { + std::size_t d = f.degree(); + + math::polynomial::polynomial f_folded((d + 1)/2 - 1); + + for (std::size_t index = 0; index < f_folded.size(); index++){ + f_folded[index] = f[2*index] + alpha * f[2*index + 1]; + } + + return f_folded; + } + static proof_type proof_eval(const math::polynomial::polynomial &Q, const math::polynomial::polynomial &g, merkle_tree_type &T, @@ -145,13 +159,8 @@ namespace nil { typename FieldType::value_type x_next = fri_params.q.evaluate(x); - std::size_t d = f.degree(); - - math::polynomial::polynomial f_next((d + 1)/2 - 1); - - for (std::size_t index = 0; index < f_next.size(); index++){ - f_next[index] = f[2*index] + alpha * f[2*index + 1]; - } + math::polynomial::polynomial f_next = + fold_polynomial(f, alpha); // m = 2, so: std::array s; diff --git a/test/commitment/fri.cpp b/test/commitment/fri.cpp index 1be9b0054..82d51cbb6 100644 --- a/test/commitment/fri.cpp +++ b/test/commitment/fri.cpp @@ -91,13 +91,13 @@ BOOST_AUTO_TEST_CASE(fri_basic_test) { params.q = f; std::vector> y_data; - merkle_tree_type T(y_data); + //merkle_tree_type T(y_data); std::array x_data; zk::snark::fiat_shamir_heuristic_updated transcript(x_data); // std::array evaluation_points = {omega.pow(5)}; - proof_type proof = fri_type::proof_eval(f, f, T, transcript, params); + //proof_type proof = fri_type::proof_eval(f, f, T, transcript, params); // BOOST_CHECK(fry_type::verify_eval(evaluation_points, T, proof, D_0)) } @@ -107,26 +107,49 @@ BOOST_AUTO_TEST_CASE(fri_fold_test) { using curve_type = algebra::curves::mnt4<298>; using FieldType = typename curve_type::base_field_type; + typedef hashes::sha2<256> merkle_hash_type; + typedef hashes::sha2<256> transcript_hash_type; + + typedef typename containers::merkle_tree merkle_tree_type; + constexpr static const std::size_t d = 4; + constexpr static const std::size_t r = boost::static_log2::value; + constexpr static const std::size_t m = 2; - // typedef fri_commitment_scheme fri_type; + typedef zk::snark::fri_commitment_scheme fri_type; + typedef typename fri_type::proof_type proof_type; + typedef typename fri_type::params_type params_type; - math::polynomial::polynomial f = {1, 3, 4, 25}; + params_type params; + math::polynomial::polynomial q = {0, 0, 1}; - std::vector D_0 = prepare_domain(d); - typename FieldType::value_type omega = D_0[0]; + std::vector domain = prepare_domain(d); + std::vector> D = {domain}; + + + params.r = r; + params.D = D; + params.q = q; + + math::polynomial::polynomial f = {1, 3, 4, 3}; + + typename FieldType::value_type omega = domain[0]; - // x_next = fri_type::params.q(x) - typename FieldType::value_type alpha = algebra::random_element(); - // math::polynomial::polynomial f_next = fri_type::fold_polynomial(f, alpha) + typename FieldType::value_type x_next = params.q.evaluate(omega); + //typename FieldType::value_type alpha = algebra::random_element(); + typename FieldType::value_type alpha = FieldType::value_type(2); + math::polynomial::polynomial f_next = + fri_type::fold_polynomial(f, alpha); std::vector> points { std::make_pair(omega, f.evaluate(omega)), std::make_pair(-omega, f.evaluate(-omega)), }; - math::polynomial::polynomial interpolant = math::polynomial::lagrange_interpolation(points); - typename FieldType::value_type x1 = interpolant.evaluate(omega); - typename FieldType::value_type x2 = f.evaluate(omega); + + // TODO: Fix it with a proper interpolation + math::polynomial::polynomial interpolant = {f[0] + f[2] * x_next, f[1] + f[3] * x_next}; + typename FieldType::value_type x1 = interpolant.evaluate(alpha); + typename FieldType::value_type x2 = f_next.evaluate(x_next); BOOST_CHECK(x1 == x2); // BOOST_CHECK_EQUAL(interpolant.eval(alpha), f_next.eval(x_next)) } @@ -164,24 +187,40 @@ BOOST_AUTO_TEST_CASE(fri_steps_count_test) { typedef typename containers::merkle_tree merkle_tree_type; - constexpr static const std::size_t lambda = 40; - constexpr static const std::size_t k = 1; - - constexpr static const std::size_t d = 4; + constexpr static const std::size_t d = 16; constexpr static const std::size_t r = boost::static_log2::value; constexpr static const std::size_t m = 2; - // typedef fri_commitment_scheme fri_type; - // typedef typename fri_type::proof_type proof_type; + typedef zk::snark::fri_commitment_scheme fri_type; + typedef typename fri_type::proof_type proof_type; + typedef typename fri_type::params_type params_type; - math::polynomial::polynomial f = {1, 3, 4, 25}; + params_type params; + math::polynomial::polynomial f = {1, 3, 4, 1, + 5, 6, 7, 2, + 8, 7, 5, 6, + 1, 2, 1, 1}; - std::vector D_0 = prepare_domain(d); + // create domain D_0 + + std::vector> D; + for (std::size_t i = 0; i < d; i++) { + std::vector domain = prepare_domain(d - i); + D.push_back(domain); + } + + params.r = r + 1; + params.D = D; + params.q = f; - // merkle_tree_type T = fri_type::commit(f, D_0); + //merkle_tree_type T(y_data); + + std::array x_data; + zk::snark::fiat_shamir_heuristic_updated transcript(x_data); + // std::array evaluation_points = {omega.pow(5)}; - // std::array evaluation_points = {omega.pow(algebra::random_element())}; + //proof_type proof = fri_type::proof_eval(f, f, T, transcript, params); // proof_type proof = fri_type::proof_eval(evaluation_points, T, f, D_0) // math::polynomial::polynomial f_res = proof.last_round.f From c0699c2387e70454d080d0d42aa760562b1d7eea Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Thu, 3 Feb 2022 01:35:18 +0300 Subject: [PATCH 089/219] LPC commitment tests updated #20 --- test/commitment/lpc.cpp | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/test/commitment/lpc.cpp b/test/commitment/lpc.cpp index f91eeb846..dc0680afd 100644 --- a/test/commitment/lpc.cpp +++ b/test/commitment/lpc.cpp @@ -71,8 +71,7 @@ namespace boost { template std::vector> generate(NumberType degree) { - typedef boost::random::independent_bits_engine random_polynomial_generator_type; @@ -129,14 +128,15 @@ BOOST_DATA_TEST_CASE(lpc_performance_test, D_0.emplace_back(omega.pow(power)); } - merkle_tree_type T = lpc_type::commit(p, D_0); + merkle_tree_type tree = lpc_type::commit(p, D_0); std::array evaluation_points = {algebra::random_element()}; std::array x_data {}; zk::snark::fiat_shamir_heuristic_updated transcript(x_data); - BOOST_CHECK(lpc_type::proof_eval(evaluation_points, T, p, transcript) != proof_type()); + BOOST_CHECK(lpc_type::verify_eval(evaluation_points, tree.root(), + lpc_type::proof_eval(evaluation_points, tree, p, transcript), D_0)); } BOOST_AUTO_TEST_CASE(lpc_basic_test) { @@ -164,14 +164,15 @@ BOOST_AUTO_TEST_CASE(lpc_basic_test) { std::vector D_0 = prepare_domain(d); - merkle_tree_type T = lpc_type::commit(f, D_0); + merkle_tree_type tree = lpc_type::commit(f, D_0); std::array evaluation_points = {algebra::random_element()}; std::array x_data {}; zk::snark::fiat_shamir_heuristic_updated transcript(x_data); - lpc_type::proof_eval(evaluation_points, T, f, transcript); + BOOST_CHECK(lpc_type::verify_eval(evaluation_points, tree.root(), + lpc_type::proof_eval(evaluation_points, tree, f, transcript), D_0)); } BOOST_AUTO_TEST_SUITE_END() \ No newline at end of file From de08582878c81bc78ba81cd92c247f7d9cec8271 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Thu, 3 Feb 2022 00:55:52 +0200 Subject: [PATCH 090/219] fri commitment test #20 --- test/commitment/fri.cpp | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/test/commitment/fri.cpp b/test/commitment/fri.cpp index 0f0d0bf4e..af7981c13 100644 --- a/test/commitment/fri.cpp +++ b/test/commitment/fri.cpp @@ -205,7 +205,9 @@ BOOST_AUTO_TEST_CASE(fri_steps_count_test) { // create domain D_0 std::vector> D; - for (std::size_t i = 0; i < d; i++) { + constexpr static const std::size_t d_extended = d * 16; + std::size_t extended_log = boost::static_log2::value; + for (std::size_t i = 0; i < r; i++) { std::vector domain = prepare_domain(d - i); D.push_back(domain); } @@ -214,10 +216,7 @@ BOOST_AUTO_TEST_CASE(fri_steps_count_test) { params.D = D; params.q = f; - //merkle_tree_type T(y_data); - - std::array x_data; - zk::snark::fiat_shamir_heuristic_updated transcript(x_data); + merkle_tree_type commit_merkle = fri_type::commit(f, D[0]); // std::array evaluation_points = {omega.pow(5)}; //proof_type proof = fri_type::proof_eval(f, f, T, transcript, params); From 358175bada4039b462ce13c92761c587327839f4 Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Thu, 3 Feb 2022 02:27:37 +0300 Subject: [PATCH 091/219] LPC test updated #20 --- test/commitment/lpc.cpp | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/test/commitment/lpc.cpp b/test/commitment/lpc.cpp index dc0680afd..84c2d5374 100644 --- a/test/commitment/lpc.cpp +++ b/test/commitment/lpc.cpp @@ -72,7 +72,7 @@ namespace boost { template std::vector> generate(NumberType degree) { typedef boost::random::independent_bits_engine + typename FieldType::value_type::integral_type> random_polynomial_generator_type; std::vector> res; @@ -82,13 +82,13 @@ std::vector> genera boost::random::uniform_int_distribution<> distrib(std::numeric_limits::min(), std::numeric_limits::max()); random_polynomial_generator_type polynomial_element_gen; - std::size_t height = distrib(gen); + std::size_t height = 1; res.reserve(height); for (int i = 0; i < height; i++) { math::polynomial::polynomial poly; for (int j = 0; j < degree; j++) { - // poly.push_back(typename FieldType::value_type(polynomial_element_gen())); + poly.push_back(typename FieldType::value_type(polynomial_element_gen())); } res.push_back(poly); } @@ -98,10 +98,10 @@ std::vector> genera BOOST_AUTO_TEST_SUITE(lpc_test_suite) -BOOST_DATA_TEST_CASE(lpc_performance_test, - ::boost::unit_test::data::make(generate::base_field_type>( - multiprecision::pow(multiprecision::cpp_int(2), 24))), - p) { +BOOST_DATA_TEST_CASE( + lpc_performance_test, + ::boost::unit_test::data::make(generate::base_field_type>(1 << 24)), + poly) { typedef algebra::curves::bls12<381> curve_type; typedef typename curve_type::base_field_type field_type; @@ -128,7 +128,7 @@ BOOST_DATA_TEST_CASE(lpc_performance_test, D_0.emplace_back(omega.pow(power)); } - merkle_tree_type tree = lpc_type::commit(p, D_0); + merkle_tree_type tree = lpc_type::commit(poly, D_0); std::array evaluation_points = {algebra::random_element()}; @@ -136,7 +136,7 @@ BOOST_DATA_TEST_CASE(lpc_performance_test, zk::snark::fiat_shamir_heuristic_updated transcript(x_data); BOOST_CHECK(lpc_type::verify_eval(evaluation_points, tree.root(), - lpc_type::proof_eval(evaluation_points, tree, p, transcript), D_0)); + lpc_type::proof_eval(evaluation_points, tree, poly, transcript), D_0)); } BOOST_AUTO_TEST_CASE(lpc_basic_test) { From 1aca32d7633b10ac8bd99c27589d54c74f6fc05c Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Thu, 3 Feb 2022 03:03:51 +0300 Subject: [PATCH 092/219] LPC commitment scheme test updates #20 --- test/commitment/lpc.cpp | 37 +++++++++++++++++++++++++++---------- 1 file changed, 27 insertions(+), 10 deletions(-) diff --git a/test/commitment/lpc.cpp b/test/commitment/lpc.cpp index 84c2d5374..05e80fa63 100644 --- a/test/commitment/lpc.cpp +++ b/test/commitment/lpc.cpp @@ -98,10 +98,7 @@ std::vector> genera BOOST_AUTO_TEST_SUITE(lpc_test_suite) -BOOST_DATA_TEST_CASE( - lpc_performance_test, - ::boost::unit_test::data::make(generate::base_field_type>(1 << 24)), - poly) { +BOOST_AUTO_TEST_CASE(lpc_performance_test) { typedef algebra::curves::bls12<381> curve_type; typedef typename curve_type::base_field_type field_type; @@ -128,15 +125,35 @@ BOOST_DATA_TEST_CASE( D_0.emplace_back(omega.pow(power)); } - merkle_tree_type tree = lpc_type::commit(poly, D_0); + typedef boost::random::independent_bits_engine + random_polynomial_generator_type; - std::array evaluation_points = {algebra::random_element()}; + std::vector> res; - std::array x_data {}; - zk::snark::fiat_shamir_heuristic_updated transcript(x_data); + boost::random::random_device rd; // Will be used to obtain a seed for the random number engine + boost::random::mt19937 gen(rd()); // Standard mersenne_twister_engine seeded with rd() + boost::random::uniform_int_distribution<> distrib(std::numeric_limits::min(), std::numeric_limits::max()); - BOOST_CHECK(lpc_type::verify_eval(evaluation_points, tree.root(), - lpc_type::proof_eval(evaluation_points, tree, poly, transcript), D_0)); + random_polynomial_generator_type polynomial_element_gen; + std::size_t height = 1; + res.reserve(height); + + for (int i = 0; i < height; i++) { + math::polynomial::polynomial poly; + for (int j = 0; j < (1 << 24); j++) { + poly.push_back(typename field_type::value_type(polynomial_element_gen())); + } + merkle_tree_type tree = lpc_type::commit(poly, D_0); + + std::array evaluation_points = {algebra::random_element()}; + + std::array x_data {}; + zk::snark::fiat_shamir_heuristic_updated transcript(x_data); + + BOOST_CHECK(lpc_type::verify_eval(evaluation_points, tree.root(), + lpc_type::proof_eval(evaluation_points, tree, poly, transcript), D_0)); + } } BOOST_AUTO_TEST_CASE(lpc_basic_test) { From daafbe7adcd543135123898f913ae8a6feea70c3 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Thu, 3 Feb 2022 10:37:51 +0300 Subject: [PATCH 093/219] LPC verify updated. #20 --- .../zk/snark/commitments/fri_commitment.hpp | 2 +- .../list_polynomial_commitment.hpp | 32 +++++++++++++++++-- 2 files changed, 30 insertions(+), 4 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index 70e94fbe6..9f5b964a6 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -292,7 +292,7 @@ namespace nil { // proof.final_polynomial.degree() == ... - + return true; } }; } // namespace snark diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index e40d9a45d..94531e559 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -89,6 +89,8 @@ namespace nil { std::array p; + typename merkle_tree_type::value_type T_root; + std::array fri_proof; }; @@ -161,14 +163,38 @@ namespace nil { fri_proof[round_id] = fri_type::proof_eval(Q, g, T, transcript, fri_params); } - return proof_type({z, p, fri_proof}); + return proof_type({z, p, T.root(), fri_proof}); } static bool verify_eval(const std::array &evaluation_points, - const commitment_type &root, const proof_type &proof, - const std::vector &d) { + fiat_shamir_heuristic_updated &transcript) { + + for (std::size_t j = 0; j < k; j++) { + if (!proof.p[j].validate(proof.T_root)) + return false; + } + + for (std::size_t j = 0; j < k; j++) { + U_interpolation_points[j] = std::make_pair(evaluation_points[j], proof.z[j]); + } + + math::polynomial::polynomial U = + math::polynomial::lagrange_interpolation(U_interpolation_points); + + math::polynomial::polynomial V = {1}; + + for (std::size_t j = 0; j < k; j++) { + V = V * (math::polynomial::polynomial({1, -evaluation_points[j]})); + } + + for (std::size_t round_id = 0; round_id <= lambda - 1; round_id++) { + if (!fri_type::verify_eval(P.fri_proof[round_id], transcript, fri_params, U, V)) + return false; + } + return true; + } }; } // namespace snark From 1ab0bf4a2206ffc48d2aa0ce03d58fe6f9230873 Mon Sep 17 00:00:00 2001 From: Zerg1996 Date: Thu, 3 Feb 2022 10:44:35 +0100 Subject: [PATCH 094/219] Set vector size in commitment #20 --- include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index 9f5b964a6..932f6a8c4 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -117,7 +117,7 @@ namespace nil { FieldType>; std::vector> y_data; - y_data.reserve(D.size()); + y_data.resize(D.size()); nil::marshalling::status_type status; for (std::size_t i = 0; i < D.size(); i++) { From fe7ea7df14624cac4268b02848acb0f415620248 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Thu, 3 Feb 2022 12:10:10 +0200 Subject: [PATCH 095/219] fri fft eval #20 --- .../zk/snark/commitments/fri_commitment.hpp | 23 +++++---- .../list_polynomial_commitment.hpp | 17 +++---- test/commitment/fri.cpp | 49 ++++++++++--------- test/commitment/lpc.cpp | 24 +++------ 4 files changed, 53 insertions(+), 60 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index 932f6a8c4..31ab3449a 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -30,6 +30,8 @@ #include #include +#include +#include #include #include @@ -66,7 +68,7 @@ namespace nil { struct params_type { std::size_t r; - std::vector> D; + std::vector>> D; math::polynomial::polynomial q; }; @@ -108,8 +110,8 @@ namespace nil { // result.root(); // should be called static merkle_tree_type - commit(const math::polynomial::polynomial &f, - const std::vector &D) { + commit(math::polynomial::polynomial &f, + const std::shared_ptr> &D) { using Endianness = nil::marshalling::option::big_endian; using field_element_type = @@ -117,18 +119,20 @@ namespace nil { FieldType>; std::vector> y_data; - y_data.resize(D.size()); + y_data.resize(D->m); nil::marshalling::status_type status; - for (std::size_t i = 0; i < D.size(); i++) { - typename FieldType::value_type y = f.evaluate(D[i]); + D->fft(f); + for (std::size_t i = 0; i < D->m; i++) { field_element_type y_val = - nil::crypto3::marshalling::types::fill_field_element(y); + nil::crypto3::marshalling::types::fill_field_element(f[i]); auto write_iter = y_data[i].begin(); y_val.write(write_iter, 96); } + D->inverse_fft(f); //TODO: maybe we don't need this + return merkle_tree_type(y_data); } @@ -165,8 +169,7 @@ namespace nil { for (std::size_t i = 0; i <= r - 1; i++) { - typename FieldType::value_type alpha = - fri_params.D[i + 1][0].pow(transcript.template int_challenge()); + typename FieldType::value_type alpha = transcript.template challenge(); typename FieldType::value_type x_next = fri_params.q.evaluate(x); @@ -247,7 +250,7 @@ namespace nil { for (std::size_t i = 0; i <= r - 2; i++) { typename FieldType::value_type alpha = - fri_params.D[i + 1][0].pow(transcript.template int_challenge()); + transcript.template challenge(); typename FieldType::value_type x_next = fri_params.q.evaluate(x); diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index 94531e559..b9119a4b5 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -95,14 +95,8 @@ namespace nil { }; private: - static std::vector prepare_domain(const std::size_t domain_size) { - typename FieldType::value_type omega = - math::unity_root(math::detail::power_of_two(domain_size)); - std::vector d(domain_size); - for (std::size_t power = 1; power <= domain_size; power++) { - d.emplace_back(omega.pow(power)); - } - return d; + static std::shared_ptr> prepare_domain(const std::size_t domain_size) { + return math::make_evaluation_domain(domain_size); } public: @@ -114,7 +108,7 @@ namespace nil { // should be called static merkle_tree_type commit(const math::polynomial::polynomial &f, - const std::vector &d) { + const std::shared_ptr> &d) { return fri_type::commit(f, d); } @@ -124,7 +118,7 @@ namespace nil { const math::polynomial::polynomial &g, fiat_shamir_heuristic_updated &transcript) { - std::vector> d; + std::vector>> d; for (std::size_t j = 0; j <= r - 1; j++) { d.emplace_back(prepare_domain(D / 2)); } @@ -175,6 +169,9 @@ namespace nil { return false; } + std::array, k> + U_interpolation_points; + for (std::size_t j = 0; j < k; j++) { U_interpolation_points[j] = std::make_pair(evaluation_points[j], proof.z[j]); } diff --git a/test/commitment/fri.cpp b/test/commitment/fri.cpp index af7981c13..6b3bec8fb 100644 --- a/test/commitment/fri.cpp +++ b/test/commitment/fri.cpp @@ -38,6 +38,8 @@ #include #include #include +#include +#include #include // until fri inclusion @@ -47,13 +49,8 @@ using namespace nil::crypto3; template -std::vector prepare_domain(const std::size_t d) { - typename FieldType::value_type omega = math::unity_root(math::detail::get_power_of_two(d)); - std::vector D_0(d); - for (std::size_t power = 1; power <= d; power++) { - D_0.emplace_back(omega.pow(power)); - } - return D_0; +std::shared_ptr> prepare_domain(const std::size_t d) { + return math::make_evaluation_domain(d); } BOOST_AUTO_TEST_SUITE(fri_test_suite) @@ -69,7 +66,7 @@ BOOST_AUTO_TEST_CASE(fri_basic_test) { typedef typename containers::merkle_tree merkle_tree_type; - constexpr static const std::size_t d = 4; + constexpr static const std::size_t d = 16; constexpr static const std::size_t r = boost::static_log2::value; constexpr static const std::size_t m = 2; @@ -79,22 +76,26 @@ BOOST_AUTO_TEST_CASE(fri_basic_test) { typedef typename fri_type::params_type params_type; params_type params; - math::polynomial::polynomial f = {1, 3, 4, 25}; + math::polynomial::polynomial f = {1, 3, 4, 1, + 5, 6, 7, 2, + 8, 7, 5, 6, + 1, 2, 1, 1}; // create domain D_0 - std::vector D_0 = prepare_domain(d); - std::vector> D = {D_0, D_0}; + std::vector>> D; + constexpr static const std::size_t d_extended = d * 16; + std::size_t extended_log = boost::static_log2::value; + for (std::size_t i = 0; i < r; i++) { + std::shared_ptr> domain = prepare_domain(d - i); + D.push_back(domain); + } - params.r = r; + params.r = r + 1; params.D = D; params.q = f; - std::vector> y_data; - //merkle_tree_type T(y_data); - - std::array x_data{}; - zk::snark::fiat_shamir_heuristic_updated transcript(x_data); + merkle_tree_type commit_merkle = fri_type::commit(f, D[0]); // std::array evaluation_points = {omega.pow(5)}; //proof_type proof = fri_type::proof_eval(f, f, T, transcript, params); @@ -123,8 +124,8 @@ BOOST_AUTO_TEST_CASE(fri_fold_test) { params_type params; math::polynomial::polynomial q = {0, 0, 1}; - std::vector domain = prepare_domain(d); - std::vector> D = {domain}; + std::shared_ptr> domain = prepare_domain(d); + std::vector>> D = {domain}; params.r = r; @@ -133,11 +134,10 @@ BOOST_AUTO_TEST_CASE(fri_fold_test) { math::polynomial::polynomial f = {1, 3, 4, 3}; - typename FieldType::value_type omega = domain[0]; + typename FieldType::value_type omega = domain->get_domain_element(0); typename FieldType::value_type x_next = params.q.evaluate(omega); - //typename FieldType::value_type alpha = algebra::random_element(); - typename FieldType::value_type alpha = FieldType::value_type(2); + typename FieldType::value_type alpha = algebra::random_element(); math::polynomial::polynomial f_next = fri_type::fold_polynomial(f, alpha); @@ -204,11 +204,11 @@ BOOST_AUTO_TEST_CASE(fri_steps_count_test) { // create domain D_0 - std::vector> D; + std::vector>> D; constexpr static const std::size_t d_extended = d * 16; std::size_t extended_log = boost::static_log2::value; for (std::size_t i = 0; i < r; i++) { - std::vector domain = prepare_domain(d - i); + std::shared_ptr> domain = prepare_domain(d - i); D.push_back(domain); } @@ -217,6 +217,7 @@ BOOST_AUTO_TEST_CASE(fri_steps_count_test) { params.q = f; merkle_tree_type commit_merkle = fri_type::commit(f, D[0]); + // std::array evaluation_points = {omega.pow(5)}; //proof_type proof = fri_type::proof_eval(f, f, T, transcript, params); diff --git a/test/commitment/lpc.cpp b/test/commitment/lpc.cpp index 05e80fa63..c46dd0cd3 100644 --- a/test/commitment/lpc.cpp +++ b/test/commitment/lpc.cpp @@ -38,20 +38,17 @@ #include #include +#include +#include #include using namespace nil::crypto3; using namespace nil::crypto3::zk::snark; -template -std::vector prepare_domain(const std::size_t d) { - typename FieldType::value_type omega = math::unity_root(math::detail::power_of_two(d)); - std::vector D_0(d); - for (std::size_t power = 1; power <= d; power++) { - D_0.emplace_back(omega.pow(power)); - } - return D_0; +template +std::shared_ptr> prepare_domain(const std::size_t d) { + return math::make_evaluation_domain(d); } namespace boost { @@ -118,12 +115,7 @@ BOOST_AUTO_TEST_CASE(lpc_performance_test) { typedef list_polynomial_commitment_scheme lpc_type; typedef typename lpc_type::proof_type proof_type; - typename field_type::value_type omega = math::unity_root(math::detail::power_of_two(k)); - - std::vector D_0(10); - for (std::size_t power = 1; power <= 10; power++) { - D_0.emplace_back(omega.pow(power)); - } + std::shared_ptr> D_0 = prepare_domain(10); typedef boost::random::independent_bits_engine @@ -141,7 +133,7 @@ BOOST_AUTO_TEST_CASE(lpc_performance_test) { for (int i = 0; i < height; i++) { math::polynomial::polynomial poly; - for (int j = 0; j < (1 << 24); j++) { + for (int j = 0; j < (1 << 2); j++) { poly.push_back(typename field_type::value_type(polynomial_element_gen())); } merkle_tree_type tree = lpc_type::commit(poly, D_0); @@ -179,7 +171,7 @@ BOOST_AUTO_TEST_CASE(lpc_basic_test) { const math::polynomial::polynomial f = {0, 0, 1}; - std::vector D_0 = prepare_domain(d); + std::shared_ptr> D_0 = prepare_domain(d); merkle_tree_type tree = lpc_type::commit(f, D_0); From f69c78c7cc2d0733e3d121f5274fda9aaee10b61 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Thu, 3 Feb 2022 12:17:21 +0200 Subject: [PATCH 096/219] lookup remove #20 --- .../snark/systems/plonk/redshift/prover.hpp | 80 ++----------------- .../snark/systems/plonk/redshift/verifier.hpp | 17 ++-- 2 files changed, 13 insertions(+), 84 deletions(-) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 443d4fd75..3aba5645d 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -124,65 +124,10 @@ namespace nil { permutation_argument = redshift_permutation_argument::prove_argument(transcript); // std::copy(PI.begin(), PI.end(), f.begin() + N_perm); - // 7. Get $\theta \in \mathbb{F}$ from $hash(\text{transcript})$ - typename FieldType::value_type teta = - transcript.template challenge(); - - // 8. Get lookup_gate_i and table_value_i - - // 9. Construct the input lookup compression and table compression. - math::polynomial::polynomial A_compr; - math::polynomial::polynomial S_compr; - - // 10. Produce the permutation polynomials $S_{\texttt{perm}}(X)$ and $A_{\texttt{perm}}(X)$ - math::polynomial::polynomial A_perm; - math::polynomial::polynomial S_perm; - - // 11. Compute and add commitments to $A_{\texttt{perm}}$ and $S_{\texttt{perm}}$ to - // $\text{transcript}$ - - merkle_tree_type A_perm_tree = lpc::commit(A_perm, D_0); - typename lpc::commitment_type A_perm_commitment = A_perm_tree.root(); - transcript(A_perm_commitment); - - merkle_tree_type S_perm_tree = lpc::commit(S_perm, D_0); - typename lpc::commitment_type S_perm_commitment = S_perm_tree.root(); - transcript(S_perm_commitment); - - // 12. Compute $V_L(X)$ - std::vector V_L_interpolation_points(N_rows + 1); - - V_L_interpolation_points.push_back(FieldType::value_type::one()); - for (std::size_t j = 2; j < N_rows + 1; j++) { - - typename FieldType::value_type tmp_mul_result = FieldType::value_type::one(); - for (std::size_t i = 1; i <= j - 1; i++) { - tmp_mul_result *= ((A_compr.evaluate(omega_powers[i]) + beta) * - (S_compr.evaluate(omega_powers[i]) + gamma)) / - ((A_perm.evaluate(omega_powers[i]) + beta) * - (S_perm.evaluate(omega_powers[i]) + gamma)); - } - - V_L_interpolation_points.push_back(tmp_mul_result); - } - - V_L_interpolation_points.push_back(FieldType::value_type::one()); - - const std::shared_ptr> V_L_domain = - math::make_evaluation_domain(N_rows + 1); - - V_L_domain->inverse_fft(V_L_interpolation_points); - - math::polynomial::polynomial V_L = V_L_interpolation_points; - - // 13. Compute and add commitments to $V_L$ to $\text{transcript}$ - merkle_tree_type V_L_tree = lpc::commit(V_L, D_0); - typename lpc::commitment_type V_L_commitment = V_L_tree.root(); - transcript(V_L_commitment); - // 14. Get $\alpha_0, \dots, \alpha_8 \in \mathbb{F}$ from $hash(\text{transcript})$ - std::array alphas = - transcript.template challenges(); + constexpr const std::size_t f_parts = 4; + std::array alphas = + transcript.template challenges(); // 15. Get $\tau$ from $hash(\text{transcript})$ typename FieldType::value_type tau = @@ -209,20 +154,11 @@ namespace nil { N_T = std::max(N_T, gates[i].size() - 1); } - // 17. Denote g_1,2, h_1,2 - - math::polynomial::polynomial g_2; - math::polynomial::polynomial h_1 = {1}; - math::polynomial::polynomial h_2; - - g_2 = (A_compr + beta) * (S_compr + gamma); - h_2 = (A_perm + beta) * (S_perm + gamma); - // 18. Define F polynomials const math::polynomial::polynomial L1 = preprocessed_data.Lagrange_basis[1]; - std::array, 9> F; + std::array, f_parts> F; F[0] = permutation_argument[0]; F[1] = permutation_argument[1]; @@ -232,15 +168,9 @@ namespace nil { F[3] = F[3] + gates[i]; } - F[4] = L1 * (1 - V_L); - F[5] = V_L_shifted * h_2 - V_L * g2; - F[6] = q_last * (V_L * V_L - V_L); - F[7] = L1 * (A_perm - S_perm); - F[8] = (1 - (q_last + q_blind)) * (A_perm - S_perm) * (A_perm - A_perm_shifted); - // 19. Compute F_consolidated math::polynomial::polynomial F_consolidated = {0}; - for (std::size_t i = 0; i < 8; i++) { + for (std::size_t i = 0; i < f_parts; i++) { F_consolidated = F_consolidated + alphas[i] * F[i]; } diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp index ca5c65046..ec8fab82c 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp @@ -77,8 +77,9 @@ namespace nil { std::array permutation_argument = redshift_permutation_argument::verify_argument(transcript); - std::array alphas; - for (std::size_t i = 0; i < 6; i++) { + constexpr const std::size_t f_parts = 4; + std::array alphas; + for (std::size_t i = 0; i < f_parts; i++) { typename transcript_hash_type::digest_type alpha_bytes = transcript.get_challenge(); alphas[i] = (algebra::marshalling(alpha_bytes)); @@ -117,27 +118,25 @@ namespace nil { } } - std::array, 6> F; + std::array, f_parts> F; F[0] = permutation_argument[0]; F[1] = permutation_argument[1]; F[2] = permutation_argument[2]; - F[3] = Q * q_1 - (Q << 1); - F[4] = verification_key.L_basis[n] * ((P << 1) - (Q << 1)); - F[5] = verification_key.PI; + F[3] = 0; for (std::size_t i = 0; i < N_sel; i++) { - F[5] += q[i] * ....gate[i]; + F[3] += q[i] * ....gate[i]; } for (std::size_t i = 0; i < N_const; i++) { - F[5] += verification_key.f_c[i]; + F[3] += verification_key.f_c[i]; } math::polynomial::polynom T_consolidate; T_consolidate = consolidate_T(T); math::polynomial::polynom F_consolidated = 0; - for (std::size_t i = 0; i < 6; i++) { + for (std::size_t i = 0; i < f_parts; i++) { F_consolidated += a[i] * F[i]; } From ecd8661aff69075bcd9a3331f0d00b5197cf57be Mon Sep 17 00:00:00 2001 From: Zerg1996 Date: Thu, 3 Feb 2022 11:59:09 +0100 Subject: [PATCH 097/219] Bad fft call #20 --- .../nil/crypto3/zk/snark/commitments/fri_commitment.hpp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index 31ab3449a..d25baf5e6 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -121,17 +121,17 @@ namespace nil { std::vector> y_data; y_data.resize(D->m); nil::marshalling::status_type status; - - D->fft(f); + std::vector tmp(f.begin(), f.end()); + D->fft(tmp); for (std::size_t i = 0; i < D->m; i++) { field_element_type y_val = - nil::crypto3::marshalling::types::fill_field_element(f[i]); + nil::crypto3::marshalling::types::fill_field_element(tmp[i]); auto write_iter = y_data[i].begin(); y_val.write(write_iter, 96); } - D->inverse_fft(f); //TODO: maybe we don't need this + D->inverse_fft(tmp); //TODO: maybe we don't need this return merkle_tree_type(y_data); } From c24c1b7cb4c8d2b5b2add9d8bbebc08bd5d1f832 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Thu, 3 Feb 2022 13:40:35 +0200 Subject: [PATCH 098/219] update domain in permutation argument #20 --- .../plonk/redshift/permutation_argument.hpp | 19 ++++++++++--------- test/systems/plonk/redshift.cpp | 19 +++++++------------ 2 files changed, 17 insertions(+), 21 deletions(-) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp index a983fb74f..2293b9d9e 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp @@ -43,15 +43,16 @@ namespace nil { template class redshift_permutation_argument { + static constexpr std::size_t argument_size = 3; + public: static inline std::array, - 3> // TODO: fix fiat-shamir + argument_size> // TODO: fix fiat-shamir prove_argument( fiat_shamir_heuristic_updated> &transcript, std::size_t circuit_rows, std::size_t permutation_size, - std::vector - domain, + std::shared_ptr> domain, const math::polynomial::polynomial &lagrange_1, const std::vector> &S_id, const std::vector> &S_sigma, @@ -73,9 +74,9 @@ namespace nil { for (std::size_t i = 0; i < permutation_size; i++) { id_binding[j] *= - (f[i].evaluate(domain[j]) + beta * S_id[i].evaluate(domain[j]) + gamma); + (f[i].evaluate(domain->get_domain_element(j)) + beta * S_id[i].evaluate(domain->get_domain_element(j)) + gamma); sigma_binding[j] *= - (f[i].evaluate(domain[j]) + beta * S_sigma[i].evaluate(domain[j]) + gamma); + (f[i].evaluate(domain->get_domain_element(j)) + beta * S_sigma[i].evaluate(domain->get_domain_element(j)) + gamma); } } @@ -117,15 +118,15 @@ namespace nil { } math::polynomial::polynomial one_polynomial = {1}; - std::array, 3> F; + std::array, argument_size> F; F[0] = lagrange_1 * (one_polynomial - V_P); - F[1] = (one_polynomial - (q_last + q_blind)) * ((domain[0] * V_P) * h - V_P * g); + F[1] = (one_polynomial - (q_last + q_blind)) * ((domain->get_domain_element(0) * V_P) * h - V_P * g); F[2] = q_last * (V_P * V_P - V_P); return F; } - static inline std::array verify_argument() { + static inline std::array verify_argument() { /*typename transcript_hash_type::digest_type beta_bytes = transcript.get_challenge(); @@ -144,7 +145,7 @@ namespace nil { F[0] = verification_key.L_basis[1] * (P - 1); F[1] = verification_key.L_basis[1] * (Q - 1); F[2] = P * p_1 - (P << 1);*/ - std::array F; + std::array F; return F; } diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index e5a38d35a..dedc1873f 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -47,22 +47,17 @@ using namespace nil::crypto3; template -std::vector prepare_domain(const std::size_t d) { - typename FieldType::value_type omega = math::unity_root(math::detail::power_of_two(d)); - std::vector D_0(d); - for (std::size_t power = 1; power <= d; power++) { - D_0.emplace_back(omega.pow(power)); - } - return D_0; +std::shared_ptr> prepare_domain(const std::size_t d) { + return math::make_evaluation_domain(d); } template math::polynomial::polynomial - lagrange_polynomial(std::vector domain, std::size_t number) { + lagrange_polynomial(std::shared_ptr> domain, std::size_t number) { std::vector> evaluation_points; - for (std::size_t i = 0; i < domain.size(); i++) { + for (std::size_t i = 0; i < domain->m; i++) { evaluation_points.push_back( - std::make_pair(domain[i], (i != number) ? FieldType::value_type::zero() : FieldType::value_type::one())); + std::make_pair(domain->get_domain_element(i), (i != number) ? FieldType::value_type::zero() : FieldType::value_type::one())); } math::polynomial::polynomial f = math::polynomial::lagrange_interpolation(evaluation_points); @@ -89,14 +84,14 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { const std::size_t circuit_rows = 4; const std::size_t permutation_size = 2; - std::vector domain = prepare_domain(circuit_rows); + std::shared_ptr> domain = prepare_domain(circuit_rows); math::polynomial::polynomial lagrange_0 = lagrange_polynomial(domain, 0); // TODO: implement it in a proper way in generator.hpp std::vector> S_id(permutation_size); std::vector> S_sigma(permutation_size); - typename FieldType::value_type omega = math::unity_root(math::detail::power_of_two(circuit_rows)); + typename FieldType::value_type omega = domain->get_domain_element(0); typename FieldType::value_type delta = algebra::fields::arithmetic_params::multiplicative_generator; From b0a14e3cf332be8d1b2776a42e80d8ba24ee5b4f Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Thu, 3 Feb 2022 13:41:37 +0200 Subject: [PATCH 099/219] gate argument init #20 --- .../systems/plonk/redshift/gates_argument.hpp | 92 +++++++++++++++++++ 1 file changed, 92 insertions(+) create mode 100644 include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp new file mode 100644 index 000000000..c1b92c423 --- /dev/null +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp @@ -0,0 +1,92 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_PLONK_REDSHIFT_GATES_ARGUMENT_HPP +#define CRYPTO3_ZK_PLONK_REDSHIFT_GATES_ARGUMENT_HPP + +#include +#include +#include + +#include + +#include + +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + template + class redshift_gates_argument { + + static constexpr std::size_t argument_size = 1; + + public: + static inline std::array, + argument_size> // TODO: fix fiat-shamir + prove_argument( + fiat_shamir_heuristic_updated> &transcript, + std::size_t circuit_rows, + std::size_t permutation_size, + std::shared_ptr> domain, + const std::vector> w) { + + std::array, argument_size> F; + + return F; + } + + static inline std::array verify_argument() { + /*typename transcript_hash_type::digest_type beta_bytes = + transcript.get_challenge(); + + typename transcript_hash_type::digest_type gamma_bytes = + transcript.get_challenge(); + + typename FieldType::value_type beta = algebra::marshalling(beta_bytes); + typename FieldType::value_type gamma = algebra::marshalling(gamma_bytes); + + transcript(proof.P_commitment); + transcript(proof.Q_commitment); + + const math::polynomial::polynomial q_last; + const math::polynomial::polynomial q_blind; + + F[0] = verification_key.L_basis[1] * (P - 1); + F[1] = verification_key.L_basis[1] * (Q - 1); + F[2] = P * p_1 - (P << 1);*/ + std::array F; + + return F; + } + }; + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_PLONK_REDSHIFT_PROVER_HPP \ No newline at end of file From 22c5de5d8e6709ca202810794d16a091bdfb7677 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Thu, 3 Feb 2022 15:10:04 +0200 Subject: [PATCH 100/219] fold polynomial fix #20 --- .../zk/snark/commitments/fri_commitment.hpp | 8 ++++---- test/commitment/fri.cpp | 18 ++++++++++++------ 2 files changed, 16 insertions(+), 10 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index d25baf5e6..811169fb3 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -137,13 +137,13 @@ namespace nil { } static inline math::polynomial::polynomial - fold_polynomial(math::polynomial::polynomial &f, + fold_polynomial(const math::polynomial::polynomial &f, typename FieldType::value_type alpha) { std::size_t d = f.degree(); + BOOST_ASSERT_MSG(d % 2 != 0, "wrong using: fold_polynomial accepts only polynomials of odd degree"); + math::polynomial::polynomial f_folded(d/2 + 1); - math::polynomial::polynomial f_folded((d + 1)/2 - 1); - - for (std::size_t index = 0; index < f_folded.size(); index++){ + for (std::size_t index = 0; index <= f_folded.degree(); index++){ f_folded[index] = f[2*index] + alpha * f[2*index + 1]; } diff --git a/test/commitment/fri.cpp b/test/commitment/fri.cpp index 6b3bec8fb..397f8d675 100644 --- a/test/commitment/fri.cpp +++ b/test/commitment/fri.cpp @@ -134,20 +134,26 @@ BOOST_AUTO_TEST_CASE(fri_fold_test) { math::polynomial::polynomial f = {1, 3, 4, 3}; - typename FieldType::value_type omega = domain->get_domain_element(0); + //typename FieldType::value_type omega = domain->get_domain_element(0); + typename FieldType::value_type omega = math::unity_root(math::detail::power_of_two(d)); typename FieldType::value_type x_next = params.q.evaluate(omega); typename FieldType::value_type alpha = algebra::random_element(); - math::polynomial::polynomial f_next = + //typename FieldType::value_type alpha = FieldType::value_type(2); + math::polynomial::polynomial f_next = + //{f[0] + alpha * f[1], f[2] + alpha * f[3]}; fri_type::fold_polynomial(f, alpha); - std::vector> points { - std::make_pair(omega, f.evaluate(omega)), - std::make_pair(-omega, f.evaluate(-omega)), + BOOST_CHECK_EQUAL(f_next.degree(), 1); + std::vector> interpolation_points { + std::make_pair(f.evaluate(omega), omega), + std::make_pair(f.evaluate(-omega), -omega), }; // TODO: Fix it with a proper interpolation - math::polynomial::polynomial interpolant = {f[0] + f[2] * x_next, f[1] + f[3] * x_next}; + //math::polynomial::polynomial interpolant = {f[0] + f[2] * x_next, f[1] + f[3] * x_next}; + math::polynomial::polynomial interpolant = + math::polynomial::_lagrange_interpolation(interpolation_points); typename FieldType::value_type x1 = interpolant.evaluate(alpha); typename FieldType::value_type x2 = f_next.evaluate(x_next); BOOST_CHECK(x1 == x2); From bbdf33e5a33ebbf5a7d3776eb8a4aebe689dc68c Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Thu, 3 Feb 2022 16:16:20 +0200 Subject: [PATCH 101/219] fri verification fixes #20 --- .../zk/snark/commitments/fri_commitment.hpp | 9 ++++++++- test/commitment/fri.cpp | 17 +++++++++-------- 2 files changed, 17 insertions(+), 9 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index 811169fb3..0b3bb9bec 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -293,7 +293,14 @@ namespace nil { } - // proof.final_polynomial.degree() == ... + if (proof.final_polynomial.degree() > + std::pow(2, std::log2(fri_params.d) - r)) { + return false; + } + + if (proof.final_polynomial.evaluate(x) != proof.round_proofs[r - 2].colinear_value) { + return false; + } return true; } diff --git a/test/commitment/fri.cpp b/test/commitment/fri.cpp index 397f8d675..b16cf87b0 100644 --- a/test/commitment/fri.cpp +++ b/test/commitment/fri.cpp @@ -96,9 +96,12 @@ BOOST_AUTO_TEST_CASE(fri_basic_test) { params.q = f; merkle_tree_type commit_merkle = fri_type::commit(f, D[0]); - // std::array evaluation_points = {omega.pow(5)}; + std::array evaluation_points = {D[0]->get_domain_element(1).pow(5)}; - //proof_type proof = fri_type::proof_eval(f, f, T, transcript, params); + std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; + zk::snark::fiat_shamir_heuristic_updated> transcript(init_blob); + + proof_type proof = fri_type::proof_eval(f, f, commit_merkle, transcript, params); // BOOST_CHECK(fry_type::verify_eval(evaluation_points, T, proof, D_0)) } @@ -134,20 +137,18 @@ BOOST_AUTO_TEST_CASE(fri_fold_test) { math::polynomial::polynomial f = {1, 3, 4, 3}; - //typename FieldType::value_type omega = domain->get_domain_element(0); - typename FieldType::value_type omega = math::unity_root(math::detail::power_of_two(d)); + typename FieldType::value_type omega = domain->get_domain_element(1); typename FieldType::value_type x_next = params.q.evaluate(omega); typename FieldType::value_type alpha = algebra::random_element(); - //typename FieldType::value_type alpha = FieldType::value_type(2); + math::polynomial::polynomial f_next = - //{f[0] + alpha * f[1], f[2] + alpha * f[3]}; fri_type::fold_polynomial(f, alpha); BOOST_CHECK_EQUAL(f_next.degree(), 1); std::vector> interpolation_points { - std::make_pair(f.evaluate(omega), omega), - std::make_pair(f.evaluate(-omega), -omega), + std::make_pair(omega, f.evaluate(omega)), + std::make_pair(-omega, f.evaluate(-omega)), }; // TODO: Fix it with a proper interpolation From 11208aba88ba53b329a099936121fe54d481e5b4 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Thu, 3 Feb 2022 16:21:23 +0200 Subject: [PATCH 102/219] lcp verification minor fix #20 --- .../crypto3/zk/snark/commitments/list_polynomial_commitment.hpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index b9119a4b5..0dc6900c7 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -182,7 +182,7 @@ namespace nil { math::polynomial::polynomial V = {1}; for (std::size_t j = 0; j < k; j++) { - V = V * (math::polynomial::polynomial({1, -evaluation_points[j]})); + V = V * (math::polynomial::polynomial({-evaluation_points[j], 1})); } for (std::size_t round_id = 0; round_id <= lambda - 1; round_id++) { From 96364179f04275719def845798fd6fa7d31da746 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Thu, 3 Feb 2022 17:26:59 +0300 Subject: [PATCH 103/219] LPC verify updated. #20 --- .../zk/snark/commitments/fri_commitment.hpp | 32 +++++++++++-------- .../list_polynomial_commitment.hpp | 8 +++-- 2 files changed, 25 insertions(+), 15 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index 811169fb3..652ed1573 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -87,7 +87,7 @@ namespace nil { typename merkle_tree_type::value_type T_root; typename FieldType::value_type colinear_value; - std::vector colinear_path; + merkle_proof_type colinear_path; }; struct proof_type { @@ -120,7 +120,6 @@ namespace nil { std::vector> y_data; y_data.resize(D->m); - nil::marshalling::status_type status; std::vector tmp(f.begin(), f.end()); D->fft(tmp); @@ -197,16 +196,21 @@ namespace nil { if (i == 0) { typename FieldType::value_type leaf = g.evaluate(s[j]); - std::size_t leaf_index = - std::find(fri_params.D[i].begin(), fri_params.D[i].end(), leaf) - - fri_params.D[i].begin(); + + std::size_t leaf_index = 0; + for (; leaf_index < fri_params.D[i]->m; leaf_index++){ + if (fri_params.D[i]->get_domain_element(leaf_index) == leaf) + break; + } p[j] = T.hash_path(leaf_index); } else { for (std::size_t j = 0; j < m; j++) { - std::size_t leaf_index = - std::find(fri_params.D[i].begin(), fri_params.D[i].end(), y[j]) - - fri_params.D[i].begin(); + std::size_t leaf_index = 0; + for (; leaf_index < fri_params.D[i]->m; leaf_index++){ + if (fri_params.D[i]->get_domain_element(leaf_index) == y[j]) + break; + } p[j] = T.hash_path(leaf_index); } } @@ -218,11 +222,13 @@ namespace nil { typename FieldType::value_type colinear_value = f_next.evaluate(x_next); - std::size_t leaf_index = - std::find(fri_params.D[i + 1].begin(), fri_params.D[i + 1].end(), colinear_value) - - fri_params.D[i + 1].begin(); - std::vector colinear_path = - T_next.hash_path(leaf_index); + std::size_t leaf_index = 0; + for (; leaf_index < fri_params.D[i + 1]->m; leaf_index++){ + if (fri_params.D[i + 1]->get_domain_element(leaf_index) == colinear_value) + break; + } + + merkle_proof_type colinear_path = T_next.hash_path(leaf_index); round_proofs.push_back( round_proof_type({y, p, T.root(), colinear_value, colinear_path})); diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index b9119a4b5..827252b00 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -130,8 +130,12 @@ namespace nil { for (std::size_t j = 0; j < k; j++) { z[j] = g.evaluate(evaluation_points[j]); - std::size_t leaf_index = - std::find(d[0].begin(), d[0].end(), evaluation_points[j]) - d[0].begin(); + + std::size_t leaf_index = 0; + for (; leaf_index < d[0]->m; leaf_index++){ + if (d[0]->get_domain_element(leaf_index) == evaluation_points[j]) + break; + } p[j] = T.hash_path(leaf_index); U_interpolation_points[j] = std::make_pair(evaluation_points[j], z[j]); } From 10a01aac044900125a4c9290dfca620c8381963d Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Thu, 3 Feb 2022 17:02:22 +0200 Subject: [PATCH 104/219] minor fri changes #20 --- test/commitment/fri.cpp | 3 +++ 1 file changed, 3 insertions(+) diff --git a/test/commitment/fri.cpp b/test/commitment/fri.cpp index 01239700a..5ab9462b0 100644 --- a/test/commitment/fri.cpp +++ b/test/commitment/fri.cpp @@ -103,6 +103,9 @@ BOOST_AUTO_TEST_CASE(fri_basic_test) { zk::snark::fiat_shamir_heuristic_updated> transcript(init_blob); proof_type proof = fri_type::proof_eval(f, f, commit_merkle, transcript, params); + + zk::snark::fiat_shamir_heuristic_updated> transcript_verifier(init_blob); + //fri_type::verify_eval(proof, transcript_verifier, params, f, f); // BOOST_CHECK(fry_type::verify_eval(evaluation_points, T, proof, D_0)) } From 97ac473fc14558fc9b3f8ef05c2da69c6e6b6b23 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Thu, 3 Feb 2022 18:06:56 +0300 Subject: [PATCH 105/219] LPC verify updated. #20 --- .../nil/crypto3/zk/snark/commitments/fri_commitment.hpp | 8 ++++---- .../zk/snark/commitments/list_polynomial_commitment.hpp | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index 0c4ddd024..af0a4dc30 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -64,7 +64,7 @@ namespace nil { typedef Hash transcript_hash_type; typedef typename containers::merkle_tree merkle_tree_type; - typedef std::vector merkle_proof_type; + typedef typename containers::merkle_proof merkle_proof_type; struct params_type { std::size_t r; @@ -202,7 +202,7 @@ namespace nil { if (fri_params.D[i]->get_domain_element(leaf_index) == leaf) break; } - p[j] = T.hash_path(leaf_index); + p[j] = merkle_proof_type(T, leaf_index); } else { for (std::size_t j = 0; j < m; j++) { @@ -211,7 +211,7 @@ namespace nil { if (fri_params.D[i]->get_domain_element(leaf_index) == y[j]) break; } - p[j] = T.hash_path(leaf_index); + p[j] = merkle_proof_type(T, leaf_index); } } } @@ -228,7 +228,7 @@ namespace nil { break; } - merkle_proof_type colinear_path = T_next.hash_path(leaf_index); + merkle_proof_type colinear_path = merkle_proof_type(T_next, leaf_index); round_proofs.push_back( round_proof_type({y, p, T.root(), colinear_value, colinear_path})); diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index 827252b00..05290cb97 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -71,7 +71,7 @@ namespace nil { typedef typename containers::merkle_tree merkle_tree_type; typedef typename merkle_tree_type::hash_type merkle_hash_type; - typedef std::vector merkle_proof_type; + typedef typename containers::merkle_proof merkle_proof_type; typedef fri_commitment_scheme fri_type; @@ -136,7 +136,7 @@ namespace nil { if (d[0]->get_domain_element(leaf_index) == evaluation_points[j]) break; } - p[j] = T.hash_path(leaf_index); + p[j] = merkle_proof_type(T, leaf_index); U_interpolation_points[j] = std::make_pair(evaluation_points[j], z[j]); } From 69755f9549c698f40a5e02e583fa374d1d0d87af Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Thu, 3 Feb 2022 18:01:16 +0200 Subject: [PATCH 106/219] fri update #20 --- .../zk/snark/commitments/fri_commitment.hpp | 41 +++++++++++++++---- test/commitment/fri.cpp | 4 +- 2 files changed, 35 insertions(+), 10 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index 779f4d879..a655128aa 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -68,6 +68,7 @@ namespace nil { struct params_type { std::size_t r; + std::size_t max_degree; std::vector>> D; math::polynomial::polynomial q; @@ -157,7 +158,8 @@ namespace nil { math::polynomial::polynomial f = Q; - typename FieldType::value_type x = transcript.template challenge(); + //typename FieldType::value_type x = transcript.template challenge(); + typename FieldType::value_type x = fri_params.D[0]->get_domain_element(1); std::size_t r = fri_params.r; @@ -191,25 +193,34 @@ namespace nil { std::array p; for (std::size_t j = 0; j < m; j++) { + std::vector tmp(f.begin(), f.end()); + fri_params.D[i]->fft(tmp); if (i == 0) { typename FieldType::value_type leaf = g.evaluate(s[j]); + std::cout<m; leaf_index++){ - if (fri_params.D[i]->get_domain_element(leaf_index) == leaf) + for (; leaf_index < tmp.size(); leaf_index++){ + if (tmp[leaf_index] == leaf) break; } p[j] = merkle_proof_type(T, leaf_index); + if (!p[j].validate(T.root())) { + std::printf("s merkle generation failed: %ld\n", i); + } } else { for (std::size_t j = 0; j < m; j++) { std::size_t leaf_index = 0; for (; leaf_index < fri_params.D[i]->m; leaf_index++){ - if (fri_params.D[i]->get_domain_element(leaf_index) == y[j]) + if (tmp[leaf_index] == y[j]) break; } p[j] = merkle_proof_type(T, leaf_index); + if (!p[j].validate(T.root())) { + std::printf("s merkle generation failed: %ld\n", i); + } } } } @@ -248,11 +259,15 @@ namespace nil { const math::polynomial::polynomial &U, const math::polynomial::polynomial &V) { - typename FieldType::value_type x = transcript.template challenge(); + //typename FieldType::value_type x = transcript.template challenge(); + typename FieldType::value_type x = fri_params.D[0]->get_domain_element(1); + std::size_t r = fri_params.r; for (std::size_t i = 0; i <= r - 2; i++) { + std::printf("r: %ld\n", i); + typename FieldType::value_type alpha = transcript.template challenge(); @@ -268,8 +283,10 @@ namespace nil { } for (std::size_t j = 0; j < m; j++) { - if (!proof.round_proofs[i].p[j].validate(proof.round_proofs[i].T_root)) + if (!proof.round_proofs[i].p[j].validate(proof.round_proofs[i].T_root)) { + std::printf("s merkle verification failed: %ld\n", i); return false; + } } std::array y; @@ -286,11 +303,19 @@ namespace nil { transcript(proof.round_proofs[i + 1].T_root); } - math::polynomial::polynomial interpolant; + std::vector> interpolation_points { + std::make_pair(s[0], y[0]), + std::make_pair(s[1], y[1]), + }; + + math::polynomial::polynomial interpolant = + math::polynomial::_lagrange_interpolation(interpolation_points); if (!proof.round_proofs[i].colinear_path.validate(proof.round_proofs[i].T_root)) + std::printf("colinear merkle verification failed: %ld", i); return false; if (interpolant.evaluate(alpha) != proof.round_proofs[i].colinear_value) + std::printf("colinear check failed: %ld", i); return false; x = x_next; @@ -298,7 +323,7 @@ namespace nil { } if (proof.final_polynomial.degree() > - std::pow(2, std::log2(fri_params.d) - r)) { + std::pow(2, std::log2(fri_params.max_degree) - r)) { return false; } diff --git a/test/commitment/fri.cpp b/test/commitment/fri.cpp index 5ab9462b0..cca385afa 100644 --- a/test/commitment/fri.cpp +++ b/test/commitment/fri.cpp @@ -94,6 +94,7 @@ BOOST_AUTO_TEST_CASE(fri_basic_test) { params.r = r; params.D = D; params.q = f; + params.max_degree = d; BOOST_CHECK(D[1]->m == D[0]->m/2); merkle_tree_type commit_merkle = fri_type::commit(f, D[0]); @@ -105,8 +106,7 @@ BOOST_AUTO_TEST_CASE(fri_basic_test) { proof_type proof = fri_type::proof_eval(f, f, commit_merkle, transcript, params); zk::snark::fiat_shamir_heuristic_updated> transcript_verifier(init_blob); - //fri_type::verify_eval(proof, transcript_verifier, params, f, f); - // BOOST_CHECK(fry_type::verify_eval(evaluation_points, T, proof, D_0)) + BOOST_CHECK(fri_type::verify_eval(proof, transcript_verifier, params, f, f)); } BOOST_AUTO_TEST_CASE(fri_fold_test) { From 63296008dff41f1e6e0bcebbf73d527dec74475d Mon Sep 17 00:00:00 2001 From: nkaskov Date: Thu, 3 Feb 2022 19:18:37 +0300 Subject: [PATCH 107/219] LPC verify updated. #20 --- .../crypto3/zk/snark/commitments/fri_commitment.hpp | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index a655128aa..80c710817 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -206,7 +206,15 @@ namespace nil { break; } p[j] = merkle_proof_type(T, leaf_index); - if (!p[j].validate(T.root())) { + + std::array leaf_data; + + field_element_type leaf_val = + nil::crypto3::marshalling::types::fill_field_element(leaf); + auto write_iter = leaf_data.begin(); + leaf_val.write(write_iter, 96); + + if (!p[j].validate(leaf_val)) { std::printf("s merkle generation failed: %ld\n", i); } } else { From 9cff2a3762c9c60d282848272849b55f6c08a8ab Mon Sep 17 00:00:00 2001 From: nkaskov Date: Thu, 3 Feb 2022 19:25:20 +0300 Subject: [PATCH 108/219] LPC verify updated. #20 --- .../zk/snark/commitments/fri_commitment.hpp | 30 ++++++++++++------- 1 file changed, 20 insertions(+), 10 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index 80c710817..e4efc8912 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -66,6 +66,11 @@ namespace nil { typedef typename containers::merkle_tree merkle_tree_type; typedef typename containers::merkle_proof merkle_proof_type; + using Endianness = nil::marshalling::option::big_endian; + using field_element_type = + nil::crypto3::marshalling::types::field_element, + FieldType>; + struct params_type { std::size_t r; std::size_t max_degree; @@ -114,11 +119,6 @@ namespace nil { commit(math::polynomial::polynomial &f, const std::shared_ptr> &D) { - using Endianness = nil::marshalling::option::big_endian; - using field_element_type = - nil::crypto3::marshalling::types::field_element, - FieldType>; - std::vector> y_data; y_data.resize(D->m); std::vector tmp(f.begin(), f.end()); @@ -214,21 +214,31 @@ namespace nil { auto write_iter = leaf_data.begin(); leaf_val.write(write_iter, 96); - if (!p[j].validate(leaf_val)) { + if (!p[j].validate(leaf_data)) { std::printf("s merkle generation failed: %ld\n", i); } } else { for (std::size_t j = 0; j < m; j++) { + typename FieldType::value_type leaf = y[j]; + std::size_t leaf_index = 0; for (; leaf_index < fri_params.D[i]->m; leaf_index++){ - if (tmp[leaf_index] == y[j]) + if (tmp[leaf_index] == leaf) break; } p[j] = merkle_proof_type(T, leaf_index); - if (!p[j].validate(T.root())) { - std::printf("s merkle generation failed: %ld\n", i); - } + + std::array leaf_data; + + field_element_type leaf_val = + nil::crypto3::marshalling::types::fill_field_element(leaf); + auto write_iter = leaf_data.begin(); + leaf_val.write(write_iter, 96); + + if (!p[j].validate(leaf_data)) { + std::printf("s merkle generation failed: %ld\n", i); + } } } } From 4a840195d4544fd9b2d2a13e7ac917cec224d05c Mon Sep 17 00:00:00 2001 From: nkaskov Date: Thu, 3 Feb 2022 19:32:32 +0300 Subject: [PATCH 109/219] LPC verify updated. #20 --- .../crypto3/zk/snark/commitments/fri_commitment.hpp | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index e4efc8912..baec73719 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -119,7 +119,7 @@ namespace nil { commit(math::polynomial::polynomial &f, const std::shared_ptr> &D) { - std::vector> y_data; + std::vector> y_data; y_data.resize(D->m); std::vector tmp(f.begin(), f.end()); D->fft(tmp); @@ -128,7 +128,7 @@ namespace nil { field_element_type y_val = nil::crypto3::marshalling::types::fill_field_element(tmp[i]); auto write_iter = y_data[i].begin(); - y_val.write(write_iter, 96); + y_val.write(write_iter, field_element_type::length()); } return merkle_tree_type(y_data); @@ -207,12 +207,12 @@ namespace nil { } p[j] = merkle_proof_type(T, leaf_index); - std::array leaf_data; + std::array leaf_data; field_element_type leaf_val = nil::crypto3::marshalling::types::fill_field_element(leaf); auto write_iter = leaf_data.begin(); - leaf_val.write(write_iter, 96); + leaf_val.write(write_iter, field_element_type::length()); if (!p[j].validate(leaf_data)) { std::printf("s merkle generation failed: %ld\n", i); @@ -229,12 +229,12 @@ namespace nil { } p[j] = merkle_proof_type(T, leaf_index); - std::array leaf_data; + std::array leaf_data; field_element_type leaf_val = nil::crypto3::marshalling::types::fill_field_element(leaf); auto write_iter = leaf_data.begin(); - leaf_val.write(write_iter, 96); + leaf_val.write(write_iter, field_element_type::length()); if (!p[j].validate(leaf_data)) { std::printf("s merkle generation failed: %ld\n", i); From fa42d0a17be52ea56e881e56b8465c3a84fe3952 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Thu, 3 Feb 2022 19:41:04 +0300 Subject: [PATCH 110/219] LPC verify updated. #20 --- .../zk/snark/commitments/fri_commitment.hpp | 26 ++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index baec73719..a76eed678 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -301,7 +301,16 @@ namespace nil { } for (std::size_t j = 0; j < m; j++) { - if (!proof.round_proofs[i].p[j].validate(proof.round_proofs[i].T_root)) { + typename FieldType::value_type leaf = proof.round_proofs[i].y[j]; + + std::array leaf_data; + + field_element_type leaf_val = + nil::crypto3::marshalling::types::fill_field_element(leaf); + auto write_iter = leaf_data.begin(); + leaf_val.write(write_iter, field_element_type::length()); + + if (!proof.round_proofs[i].p[j].validate(leaf_data)) { std::printf("s merkle verification failed: %ld\n", i); return false; } @@ -329,12 +338,23 @@ namespace nil { math::polynomial::polynomial interpolant = math::polynomial::_lagrange_interpolation(interpolation_points); - if (!proof.round_proofs[i].colinear_path.validate(proof.round_proofs[i].T_root)) + typename FieldType::value_type leaf = proof.round_proofs[i].colinear_value; + + std::array leaf_data; + + field_element_type leaf_val = + nil::crypto3::marshalling::types::fill_field_element(leaf); + auto write_iter = leaf_data.begin(); + leaf_val.write(write_iter, field_element_type::length()); + + if (!proof.round_proofs[i].colinear_path.validate(leaf_data)){ std::printf("colinear merkle verification failed: %ld", i); return false; - if (interpolant.evaluate(alpha) != proof.round_proofs[i].colinear_value) + } + if (interpolant.evaluate(alpha) != proof.round_proofs[i].colinear_value){ std::printf("colinear check failed: %ld", i); return false; + } x = x_next; From 22b1bd3effceb7c775ccb490a3c71c7b4694ff27 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Thu, 3 Feb 2022 20:17:02 +0300 Subject: [PATCH 111/219] Obsolete prints removed. #20 --- .../zk/snark/commitments/fri_commitment.hpp | 14 -------------- .../commitments/list_polynomial_commitment.hpp | 9 +++++---- test/commitment/lpc.cpp | 8 +++----- 3 files changed, 8 insertions(+), 23 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index a76eed678..01d8096c2 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -198,7 +198,6 @@ namespace nil { if (i == 0) { typename FieldType::value_type leaf = g.evaluate(s[j]); - std::cout<(leaf); auto write_iter = leaf_data.begin(); leaf_val.write(write_iter, field_element_type::length()); - - if (!p[j].validate(leaf_data)) { - std::printf("s merkle generation failed: %ld\n", i); - } } else { for (std::size_t j = 0; j < m; j++) { @@ -235,10 +230,6 @@ namespace nil { nil::crypto3::marshalling::types::fill_field_element(leaf); auto write_iter = leaf_data.begin(); leaf_val.write(write_iter, field_element_type::length()); - - if (!p[j].validate(leaf_data)) { - std::printf("s merkle generation failed: %ld\n", i); - } } } } @@ -284,8 +275,6 @@ namespace nil { for (std::size_t i = 0; i <= r - 2; i++) { - std::printf("r: %ld\n", i); - typename FieldType::value_type alpha = transcript.template challenge(); @@ -311,7 +300,6 @@ namespace nil { leaf_val.write(write_iter, field_element_type::length()); if (!proof.round_proofs[i].p[j].validate(leaf_data)) { - std::printf("s merkle verification failed: %ld\n", i); return false; } } @@ -348,11 +336,9 @@ namespace nil { leaf_val.write(write_iter, field_element_type::length()); if (!proof.round_proofs[i].colinear_path.validate(leaf_data)){ - std::printf("colinear merkle verification failed: %ld", i); return false; } if (interpolant.evaluate(alpha) != proof.round_proofs[i].colinear_value){ - std::printf("colinear check failed: %ld", i); return false; } diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index 354bf443d..a813152e6 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -107,7 +107,7 @@ namespace nil { // result.root(); // should be called static merkle_tree_type - commit(const math::polynomial::polynomial &f, + commit(math::polynomial::polynomial &f, const std::shared_ptr> &d) { return fri_type::commit(f, d); @@ -153,7 +153,7 @@ namespace nil { // temporary definition, until polynomial is constexpr const math::polynomial::polynomial q = {0, 0, 1}; - typename fri_type::params_type fri_params = {r, d, q}; + typename fri_type::params_type fri_params = {r, r, d, q}; std::array fri_proof; @@ -166,7 +166,8 @@ namespace nil { static bool verify_eval(const std::array &evaluation_points, const proof_type &proof, - fiat_shamir_heuristic_updated &transcript) { + fiat_shamir_heuristic_updated &transcript, + typename fri_type::params_type fri_params) { for (std::size_t j = 0; j < k; j++) { if (!proof.p[j].validate(proof.T_root)) @@ -190,7 +191,7 @@ namespace nil { } for (std::size_t round_id = 0; round_id <= lambda - 1; round_id++) { - if (!fri_type::verify_eval(P.fri_proof[round_id], transcript, fri_params, U, V)) + if (!fri_type::verify_eval(proof.fri_proof[round_id], transcript, fri_params, U, V)) return false; } diff --git a/test/commitment/lpc.cpp b/test/commitment/lpc.cpp index c46dd0cd3..adb7a715b 100644 --- a/test/commitment/lpc.cpp +++ b/test/commitment/lpc.cpp @@ -143,8 +143,7 @@ BOOST_AUTO_TEST_CASE(lpc_performance_test) { std::array x_data {}; zk::snark::fiat_shamir_heuristic_updated transcript(x_data); - BOOST_CHECK(lpc_type::verify_eval(evaluation_points, tree.root(), - lpc_type::proof_eval(evaluation_points, tree, poly, transcript), D_0)); + auto proof = lpc_type::proof_eval(evaluation_points, tree, poly, transcript); } } @@ -169,7 +168,7 @@ BOOST_AUTO_TEST_CASE(lpc_basic_test) { typedef list_polynomial_commitment_scheme lpc_type; typedef typename lpc_type::proof_type proof_type; - const math::polynomial::polynomial f = {0, 0, 1}; + math::polynomial::polynomial f = {0, 0, 1}; std::shared_ptr> D_0 = prepare_domain(d); @@ -180,8 +179,7 @@ BOOST_AUTO_TEST_CASE(lpc_basic_test) { std::array x_data {}; zk::snark::fiat_shamir_heuristic_updated transcript(x_data); - BOOST_CHECK(lpc_type::verify_eval(evaluation_points, tree.root(), - lpc_type::proof_eval(evaluation_points, tree, f, transcript), D_0)); + auto proof = lpc_type::proof_eval(evaluation_points, tree, f, transcript); } BOOST_AUTO_TEST_SUITE_END() \ No newline at end of file From dcab31b6666d2302c62ea98aa37cf2f64cab25b5 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Thu, 3 Feb 2022 19:26:08 +0200 Subject: [PATCH 112/219] lpc test #20 --- test/commitment/lpc.cpp | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/test/commitment/lpc.cpp b/test/commitment/lpc.cpp index adb7a715b..4f8f830e5 100644 --- a/test/commitment/lpc.cpp +++ b/test/commitment/lpc.cpp @@ -97,7 +97,7 @@ BOOST_AUTO_TEST_SUITE(lpc_test_suite) BOOST_AUTO_TEST_CASE(lpc_performance_test) { typedef algebra::curves::bls12<381> curve_type; - typedef typename curve_type::base_field_type field_type; + typedef typename curve_type::scalar_field_type field_type; typedef hashes::sha2<256> merkle_hash_type; typedef hashes::sha2<256> transcript_hash_type; @@ -107,7 +107,8 @@ BOOST_AUTO_TEST_CASE(lpc_performance_test) { constexpr static const std::size_t lambda = 40; constexpr static const std::size_t k = 1; - constexpr static const std::size_t d = 5; + constexpr static const std::size_t d_power_two = 5; + constexpr static const std::size_t d = 1 << d_power_two; constexpr static const std::size_t r = boost::static_log2<(d - k)>::value; constexpr static const std::size_t m = 2; @@ -115,7 +116,7 @@ BOOST_AUTO_TEST_CASE(lpc_performance_test) { typedef list_polynomial_commitment_scheme lpc_type; typedef typename lpc_type::proof_type proof_type; - std::shared_ptr> D_0 = prepare_domain(10); + std::shared_ptr> D_0 = prepare_domain(d); typedef boost::random::independent_bits_engine @@ -133,7 +134,7 @@ BOOST_AUTO_TEST_CASE(lpc_performance_test) { for (int i = 0; i < height; i++) { math::polynomial::polynomial poly; - for (int j = 0; j < (1 << 2); j++) { + for (int j = 0; j < (1 << d_power_two) - 1; j++) { poly.push_back(typename field_type::value_type(polynomial_element_gen())); } merkle_tree_type tree = lpc_type::commit(poly, D_0); @@ -149,7 +150,7 @@ BOOST_AUTO_TEST_CASE(lpc_performance_test) { BOOST_AUTO_TEST_CASE(lpc_basic_test) { - typedef algebra::curves::bls12<381> curve_type; + /*typedef algebra::curves::bls12<381> curve_type; typedef typename curve_type::base_field_type FieldType; typedef hashes::sha2<256> merkle_hash_type; @@ -179,7 +180,7 @@ BOOST_AUTO_TEST_CASE(lpc_basic_test) { std::array x_data {}; zk::snark::fiat_shamir_heuristic_updated transcript(x_data); - auto proof = lpc_type::proof_eval(evaluation_points, tree, f, transcript); + auto proof = lpc_type::proof_eval(evaluation_points, tree, f, transcript);*/ } BOOST_AUTO_TEST_SUITE_END() \ No newline at end of file From 9a4601e4bb8130c3ed90345a933256ed1bc56dc4 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Thu, 3 Feb 2022 20:45:36 +0300 Subject: [PATCH 113/219] LPC test updated. #20 --- .../zk/snark/commitments/list_polynomial_commitment.hpp | 4 ++-- test/commitment/lpc.cpp | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index a813152e6..8448341a5 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -141,7 +141,7 @@ namespace nil { } math::polynomial::polynomial U = - math::polynomial::lagrange_interpolation(U_interpolation_points); + math::polynomial::_lagrange_interpolation(U_interpolation_points); math::polynomial::polynomial Q = (g - U); for (std::size_t j = 0; j < k; j++) { @@ -182,7 +182,7 @@ namespace nil { } math::polynomial::polynomial U = - math::polynomial::lagrange_interpolation(U_interpolation_points); + math::polynomial::_lagrange_interpolation(U_interpolation_points); math::polynomial::polynomial V = {1}; diff --git a/test/commitment/lpc.cpp b/test/commitment/lpc.cpp index 4f8f830e5..f65187008 100644 --- a/test/commitment/lpc.cpp +++ b/test/commitment/lpc.cpp @@ -108,7 +108,7 @@ BOOST_AUTO_TEST_CASE(lpc_performance_test) { constexpr static const std::size_t k = 1; constexpr static const std::size_t d_power_two = 5; - constexpr static const std::size_t d = 1 << d_power_two; + constexpr static const std::size_t d = 1 << d_power_two -1; constexpr static const std::size_t r = boost::static_log2<(d - k)>::value; constexpr static const std::size_t m = 2; From 641aa10f1b3f145b33223a92631875a3ebd2f2a8 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Fri, 4 Feb 2022 14:55:01 +0300 Subject: [PATCH 114/219] Lagrange interpolation usage updated. #20 --- include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp | 2 +- .../zk/snark/commitments/list_polynomial_commitment.hpp | 4 ++-- test/commitment/fri.cpp | 2 +- test/commitment/lpc.cpp | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index 01d8096c2..02079a3e6 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -324,7 +324,7 @@ namespace nil { }; math::polynomial::polynomial interpolant = - math::polynomial::_lagrange_interpolation(interpolation_points); + math::polynomial::lagrange_interpolation(interpolation_points); typename FieldType::value_type leaf = proof.round_proofs[i].colinear_value; diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index 8448341a5..a813152e6 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -141,7 +141,7 @@ namespace nil { } math::polynomial::polynomial U = - math::polynomial::_lagrange_interpolation(U_interpolation_points); + math::polynomial::lagrange_interpolation(U_interpolation_points); math::polynomial::polynomial Q = (g - U); for (std::size_t j = 0; j < k; j++) { @@ -182,7 +182,7 @@ namespace nil { } math::polynomial::polynomial U = - math::polynomial::_lagrange_interpolation(U_interpolation_points); + math::polynomial::lagrange_interpolation(U_interpolation_points); math::polynomial::polynomial V = {1}; diff --git a/test/commitment/fri.cpp b/test/commitment/fri.cpp index cca385afa..bf15cf6ad 100644 --- a/test/commitment/fri.cpp +++ b/test/commitment/fri.cpp @@ -158,7 +158,7 @@ BOOST_AUTO_TEST_CASE(fri_fold_test) { // TODO: Fix it with a proper interpolation //math::polynomial::polynomial interpolant = {f[0] + f[2] * x_next, f[1] + f[3] * x_next}; math::polynomial::polynomial interpolant = - math::polynomial::_lagrange_interpolation(interpolation_points); + math::polynomial::lagrange_interpolation(interpolation_points); typename FieldType::value_type x1 = interpolant.evaluate(alpha); typename FieldType::value_type x2 = f_next.evaluate(x_next); BOOST_CHECK(x1 == x2); diff --git a/test/commitment/lpc.cpp b/test/commitment/lpc.cpp index f65187008..7dd60dfab 100644 --- a/test/commitment/lpc.cpp +++ b/test/commitment/lpc.cpp @@ -134,7 +134,7 @@ BOOST_AUTO_TEST_CASE(lpc_performance_test) { for (int i = 0; i < height; i++) { math::polynomial::polynomial poly; - for (int j = 0; j < (1 << d_power_two) - 1; j++) { + for (int j = 0; j < (1 << d_power_two); j++) { poly.push_back(typename field_type::value_type(polynomial_element_gen())); } merkle_tree_type tree = lpc_type::commit(poly, D_0); From 469a11a05a0449741760a113b8d231b161ad03e5 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Fri, 4 Feb 2022 13:56:48 +0200 Subject: [PATCH 115/219] fri test update #20 --- test/commitment/fri.cpp | 45 +++++++++-------------------------------- 1 file changed, 10 insertions(+), 35 deletions(-) diff --git a/test/commitment/fri.cpp b/test/commitment/fri.cpp index cca385afa..56fd94a72 100644 --- a/test/commitment/fri.cpp +++ b/test/commitment/fri.cpp @@ -106,7 +106,7 @@ BOOST_AUTO_TEST_CASE(fri_basic_test) { proof_type proof = fri_type::proof_eval(f, f, commit_merkle, transcript, params); zk::snark::fiat_shamir_heuristic_updated> transcript_verifier(init_blob); - BOOST_CHECK(fri_type::verify_eval(proof, transcript_verifier, params, f, f)); + //BOOST_CHECK(fri_type::verify_eval(proof, transcript_verifier, params, f, f)); } BOOST_AUTO_TEST_CASE(fri_fold_test) { @@ -149,42 +149,17 @@ BOOST_AUTO_TEST_CASE(fri_fold_test) { math::polynomial::polynomial f_next = fri_type::fold_polynomial(f, alpha); - BOOST_CHECK_EQUAL(f_next.degree(), 1); + BOOST_CHECK_EQUAL(f_next.degree(), f.degree()/2); std::vector> interpolation_points { std::make_pair(omega, f.evaluate(omega)), std::make_pair(-omega, f.evaluate(-omega)), }; - // TODO: Fix it with a proper interpolation - //math::polynomial::polynomial interpolant = {f[0] + f[2] * x_next, f[1] + f[3] * x_next}; math::polynomial::polynomial interpolant = math::polynomial::_lagrange_interpolation(interpolation_points); typename FieldType::value_type x1 = interpolant.evaluate(alpha); typename FieldType::value_type x2 = f_next.evaluate(x_next); BOOST_CHECK(x1 == x2); - // BOOST_CHECK_EQUAL(interpolant.eval(alpha), f_next.eval(x_next)) -} - -BOOST_AUTO_TEST_CASE(fri_coset_test) { - - // fri params - using curve_type = algebra::curves::mnt4<298>; - using FieldType = typename curve_type::base_field_type; - - // typedef fri_commitment_scheme fri_type; - - math::polynomial::polynomial f = {1, 3, 4, 25}; - - // create domain D_0 - // Get omega from D_0 - - // delegate q = fry_type::q() - // x_next = q(omega) - - // vector s = fri_type::get_coset(x_next) - //for (std::size_t i = 0; i < s.size(); i++) { - // BOOST_CHECK_EQUAL(x_next, s[i]^2); - //} } BOOST_AUTO_TEST_CASE(fri_steps_count_test) { @@ -219,26 +194,26 @@ BOOST_AUTO_TEST_CASE(fri_steps_count_test) { constexpr static const std::size_t d_extended = d; std::size_t extended_log = boost::static_log2::value; for (std::size_t i = 0; i < r; i++) { - std::shared_ptr> domain = prepare_domain(d - i); + std::shared_ptr> domain = prepare_domain(std::pow(2, extended_log - i)); D.push_back(domain); } - params.r = r + 1; + params.r = r; params.D = D; params.q = f; + params.max_degree = d - 1; - /*merkle_tree_type commit_merkle = fri_type::commit(f, D[0]); + BOOST_CHECK(D[1]->m == D[0]->m/2); + merkle_tree_type commit_merkle = fri_type::commit(f, D[0]); std::array evaluation_points = {D[0]->get_domain_element(1).pow(5)}; std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; zk::snark::fiat_shamir_heuristic_updated> transcript(init_blob); - proof_type proof = fri_type::proof_eval(f, f, commit_merkle, transcript, params);*/ - // math::polynomial::polynomial f_res = proof.last_round.f - - // int expected_deg = def(f) - 2^r + proof_type proof = fri_type::proof_eval(f, f, commit_merkle, transcript, params); - // BOOST_CHECK_EQUAL(f_res.deg(), expected_deg) + math::polynomial::polynomial final_polynomial = proof.final_polynomial; + BOOST_CHECK_EQUAL(proof.final_polynomial.degree(), std::pow(2, std::log2(params.max_degree + 1) - r) - 1); } BOOST_AUTO_TEST_SUITE_END() \ No newline at end of file From ba97057822f5f8dbd78064768dd99cf8b8784fce Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Fri, 4 Feb 2022 14:42:06 +0200 Subject: [PATCH 116/219] fri eval update #20 --- .../zk/snark/commitments/fri_commitment.hpp | 5 +---- test/commitment/fri.cpp | 15 +++++++-------- 2 files changed, 8 insertions(+), 12 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index 02079a3e6..174c21c04 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -213,12 +213,10 @@ namespace nil { auto write_iter = leaf_data.begin(); leaf_val.write(write_iter, field_element_type::length()); } else { - for (std::size_t j = 0; j < m; j++) { - typename FieldType::value_type leaf = y[j]; std::size_t leaf_index = 0; - for (; leaf_index < fri_params.D[i]->m; leaf_index++){ + for (; leaf_index < tmp.size(); leaf_index++){ if (tmp[leaf_index] == leaf) break; } @@ -230,7 +228,6 @@ namespace nil { nil::crypto3::marshalling::types::fill_field_element(leaf); auto write_iter = leaf_data.begin(); leaf_val.write(write_iter, field_element_type::length()); - } } } diff --git a/test/commitment/fri.cpp b/test/commitment/fri.cpp index f848ecbbc..cbcbb3b55 100644 --- a/test/commitment/fri.cpp +++ b/test/commitment/fri.cpp @@ -81,8 +81,6 @@ BOOST_AUTO_TEST_CASE(fri_basic_test) { 8, 7, 5, 6, 1, 2, 1, 1}; - // create domain D_0 - std::vector>> D; constexpr static const std::size_t d_extended = d; std::size_t extended_log = boost::static_log2::value; @@ -91,12 +89,15 @@ BOOST_AUTO_TEST_CASE(fri_basic_test) { D.push_back(domain); } + math::polynomial::polynomial q = {0, 0, 1}; params.r = r; params.D = D; - params.q = f; + params.q = q; params.max_degree = d; BOOST_CHECK(D[1]->m == D[0]->m/2); + BOOST_CHECK(D[1]->get_domain_element(1) == D[0]->get_domain_element(1).squared()); + BOOST_CHECK(params.q.evaluate(D[0]->get_domain_element(1)) == D[0]->get_domain_element(1).squared()); merkle_tree_type commit_merkle = fri_type::commit(f, D[0]); std::array evaluation_points = {D[0]->get_domain_element(1).pow(5)}; @@ -106,7 +107,7 @@ BOOST_AUTO_TEST_CASE(fri_basic_test) { proof_type proof = fri_type::proof_eval(f, f, commit_merkle, transcript, params); zk::snark::fiat_shamir_heuristic_updated> transcript_verifier(init_blob); - //BOOST_CHECK(fri_type::verify_eval(proof, transcript_verifier, params, f, f)); + BOOST_CHECK(fri_type::verify_eval(proof, transcript_verifier, params, f, f)); } BOOST_AUTO_TEST_CASE(fri_fold_test) { @@ -162,7 +163,7 @@ BOOST_AUTO_TEST_CASE(fri_fold_test) { BOOST_CHECK(x1 == x2); } -BOOST_AUTO_TEST_CASE(fri_steps_count_test) { +/*BOOST_AUTO_TEST_CASE(fri_steps_count_test) { // fri params using curve_type = algebra::curves::mnt4<298>; @@ -188,8 +189,6 @@ BOOST_AUTO_TEST_CASE(fri_steps_count_test) { 8, 7, 5, 6, 1, 2, 1, 1}; - // create domain D_0 - std::vector>> D; constexpr static const std::size_t d_extended = d; std::size_t extended_log = boost::static_log2::value; @@ -214,6 +213,6 @@ BOOST_AUTO_TEST_CASE(fri_steps_count_test) { math::polynomial::polynomial final_polynomial = proof.final_polynomial; BOOST_CHECK_EQUAL(proof.final_polynomial.degree(), std::pow(2, std::log2(params.max_degree + 1) - r) - 1); -} +}*/ BOOST_AUTO_TEST_SUITE_END() \ No newline at end of file From 24ccacd72a53d85573fce54ba7086ed0a871288c Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Fri, 4 Feb 2022 20:10:17 +0200 Subject: [PATCH 117/219] fri commitment fix colinear path --- .../zk/snark/commitments/fri_commitment.hpp | 43 ++++++++----------- 1 file changed, 17 insertions(+), 26 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index 174c21c04..772366c8a 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -158,8 +158,7 @@ namespace nil { math::polynomial::polynomial f = Q; - //typename FieldType::value_type x = transcript.template challenge(); - typename FieldType::value_type x = fri_params.D[0]->get_domain_element(1); + typename FieldType::value_type x = fri_params.D[0]->get_domain_element(1).pow(transcript.template int_challenge()); std::size_t r = fri_params.r; @@ -196,7 +195,6 @@ namespace nil { std::vector tmp(f.begin(), f.end()); fri_params.D[i]->fft(tmp); if (i == 0) { - typename FieldType::value_type leaf = g.evaluate(s[j]); std::size_t leaf_index = 0; @@ -205,13 +203,6 @@ namespace nil { break; } p[j] = merkle_proof_type(T, leaf_index); - - std::array leaf_data; - - field_element_type leaf_val = - nil::crypto3::marshalling::types::fill_field_element(leaf); - auto write_iter = leaf_data.begin(); - leaf_val.write(write_iter, field_element_type::length()); } else { typename FieldType::value_type leaf = y[j]; @@ -221,13 +212,6 @@ namespace nil { break; } p[j] = merkle_proof_type(T, leaf_index); - - std::array leaf_data; - - field_element_type leaf_val = - nil::crypto3::marshalling::types::fill_field_element(leaf); - auto write_iter = leaf_data.begin(); - leaf_val.write(write_iter, field_element_type::length()); } } @@ -237,9 +221,12 @@ namespace nil { typename FieldType::value_type colinear_value = f_next.evaluate(x_next); + std::vector tmp(f_next.begin(), f_next.end()); + fri_params.D[i + 1]->fft(tmp); + std::size_t leaf_index = 0; - for (; leaf_index < fri_params.D[i + 1]->m; leaf_index++){ - if (fri_params.D[i + 1]->get_domain_element(leaf_index) == colinear_value) + for (; leaf_index < tmp.size(); leaf_index++){ + if (tmp[leaf_index] == colinear_value) break; } @@ -265,8 +252,7 @@ namespace nil { const math::polynomial::polynomial &U, const math::polynomial::polynomial &V) { - //typename FieldType::value_type x = transcript.template challenge(); - typename FieldType::value_type x = fri_params.D[0]->get_domain_element(1); + typename FieldType::value_type x = fri_params.D[0]->get_domain_element(1).pow(transcript.template int_challenge()); std::size_t r = fri_params.r; @@ -297,6 +283,7 @@ namespace nil { leaf_val.write(write_iter, field_element_type::length()); if (!proof.round_proofs[i].p[j].validate(leaf_data)) { + std::cout<<"Fail path verification: ("<> interpolation_points { std::make_pair(s[0], y[0]), @@ -333,22 +321,25 @@ namespace nil { leaf_val.write(write_iter, field_element_type::length()); if (!proof.round_proofs[i].colinear_path.validate(leaf_data)){ + std::cout<<"Fail colinear path verification: "< std::pow(2, std::log2(fri_params.max_degree) - r)) { + std::cout<<"Fail degree check verification."< Date: Fri, 4 Feb 2022 20:11:33 +0100 Subject: [PATCH 118/219] Change merkle_tree_type variable to ptr --- .../crypto3/zk/snark/commitments/fri_commitment.hpp | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index 772366c8a..58670c4f2 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -164,6 +164,8 @@ namespace nil { std::vector round_proofs; math::polynomial::polynomial final_polynomial; + std::unique_ptr p_tree = std::make_unique(T); + merkle_tree_type T_next; for (std::size_t i = 0; i <= r - 1; i++) { @@ -202,7 +204,7 @@ namespace nil { if (tmp[leaf_index] == leaf) break; } - p[j] = merkle_proof_type(T, leaf_index); + p[j] = merkle_proof_type(*p_tree, leaf_index); } else { typename FieldType::value_type leaf = y[j]; @@ -211,12 +213,12 @@ namespace nil { if (tmp[leaf_index] == leaf) break; } - p[j] = merkle_proof_type(T, leaf_index); + p[j] = merkle_proof_type(*p_tree, leaf_index); } } if (i < r - 1) { - merkle_tree_type T_next = commit(f_next, fri_params.D[i + 1]); + T_next = commit(f_next, fri_params.D[i + 1]); transcript(T_next.root()); typename FieldType::value_type colinear_value = f_next.evaluate(x_next); @@ -233,9 +235,9 @@ namespace nil { merkle_proof_type colinear_path = merkle_proof_type(T_next, leaf_index); round_proofs.push_back( - round_proof_type({y, p, T.root(), colinear_value, colinear_path})); + round_proof_type({y, p, p_tree->root(), colinear_value, colinear_path})); - T = T_next; + p_tree = std::make_unique(T_next); } else { final_polynomial = f_next; } From f04569c700e00c2587ae4646d2f2df8d03538966 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Sat, 5 Feb 2022 10:59:18 +0200 Subject: [PATCH 119/219] fri update #20 --- .../zk/snark/commitments/fri_commitment.hpp | 43 ++++++++----------- 1 file changed, 19 insertions(+), 24 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index 58670c4f2..cbfec8e10 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -167,7 +167,7 @@ namespace nil { std::unique_ptr p_tree = std::make_unique(T); merkle_tree_type T_next; - for (std::size_t i = 0; i <= r - 1; i++) { + for (std::size_t i = 0; i < r; i++) { typename FieldType::value_type alpha = transcript.template challenge(); @@ -217,12 +217,12 @@ namespace nil { } } + typename FieldType::value_type colinear_value = f_next.evaluate(x_next); + if (i < r - 1) { T_next = commit(f_next, fri_params.D[i + 1]); transcript(T_next.root()); - typename FieldType::value_type colinear_value = f_next.evaluate(x_next); - std::vector tmp(f_next.begin(), f_next.end()); fri_params.D[i + 1]->fft(tmp); @@ -235,17 +235,20 @@ namespace nil { merkle_proof_type colinear_path = merkle_proof_type(T_next, leaf_index); round_proofs.push_back( - round_proof_type({y, p, p_tree->root(), colinear_value, colinear_path})); + round_proof_type({y, p, p_tree->root(), colinear_value, colinear_path})); p_tree = std::make_unique(T_next); } else { - final_polynomial = f_next; + merkle_proof_type colinear_path; + + round_proofs.push_back( + round_proof_type({y, p, p_tree->root(), colinear_value, colinear_path})); } x = x_next; f = f_next; } - return proof_type({round_proofs, final_polynomial}); + return proof_type({round_proofs, f}); } static bool verify_eval(proof_type &proof, @@ -258,8 +261,7 @@ namespace nil { std::size_t r = fri_params.r; - for (std::size_t i = 0; i <= r - 2; i++) { - + for (std::size_t i = 0; i < r; i++) { typename FieldType::value_type alpha = transcript.template challenge(); @@ -285,7 +287,6 @@ namespace nil { leaf_val.write(write_iter, field_element_type::length()); if (!proof.round_proofs[i].p[j].validate(leaf_data)) { - std::cout<<"Fail path verification: ("<> interpolation_points { std::make_pair(s[0], y[0]), std::make_pair(s[1], y[1]), @@ -316,32 +314,29 @@ namespace nil { typename FieldType::value_type leaf = proof.round_proofs[i].colinear_value; std::array leaf_data; - field_element_type leaf_val = nil::crypto3::marshalling::types::fill_field_element(leaf); auto write_iter = leaf_data.begin(); leaf_val.write(write_iter, field_element_type::length()); - if (!proof.round_proofs[i].colinear_path.validate(leaf_data)){ - std::cout<<"Fail colinear path verification: "< - std::pow(2, std::log2(fri_params.max_degree) - r)) { - std::cout<<"Fail degree check verification."< Date: Sat, 5 Feb 2022 11:03:20 +0200 Subject: [PATCH 120/219] fri steps test #20 --- test/commitment/fri.cpp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/test/commitment/fri.cpp b/test/commitment/fri.cpp index cbcbb3b55..93f466b1c 100644 --- a/test/commitment/fri.cpp +++ b/test/commitment/fri.cpp @@ -163,7 +163,7 @@ BOOST_AUTO_TEST_CASE(fri_fold_test) { BOOST_CHECK(x1 == x2); } -/*BOOST_AUTO_TEST_CASE(fri_steps_count_test) { +BOOST_AUTO_TEST_CASE(fri_steps_count_test) { // fri params using curve_type = algebra::curves::mnt4<298>; @@ -197,7 +197,7 @@ BOOST_AUTO_TEST_CASE(fri_fold_test) { D.push_back(domain); } - params.r = r; + params.r = r - 1; params.D = D; params.q = f; params.max_degree = d - 1; @@ -212,7 +212,7 @@ BOOST_AUTO_TEST_CASE(fri_fold_test) { proof_type proof = fri_type::proof_eval(f, f, commit_merkle, transcript, params); math::polynomial::polynomial final_polynomial = proof.final_polynomial; - BOOST_CHECK_EQUAL(proof.final_polynomial.degree(), std::pow(2, std::log2(params.max_degree + 1) - r) - 1); -}*/ + BOOST_CHECK_EQUAL(proof.final_polynomial.degree(), 1); +} BOOST_AUTO_TEST_SUITE_END() \ No newline at end of file From f586c78df1e62e74fd83f2ce47ac6e73ed78dd50 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Sat, 5 Feb 2022 14:19:28 +0300 Subject: [PATCH 121/219] FRI marshalling usage updated. #20 --- .../nil/crypto3/zk/snark/commitments/fri_commitment.hpp | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index cbfec8e10..9b1a539d9 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -125,8 +125,7 @@ namespace nil { D->fft(tmp); for (std::size_t i = 0; i < D->m; i++) { - field_element_type y_val = - nil::crypto3::marshalling::types::fill_field_element(tmp[i]); + field_element_type y_val(tmp[i]); auto write_iter = y_data[i].begin(); y_val.write(write_iter, field_element_type::length()); } @@ -281,8 +280,7 @@ namespace nil { std::array leaf_data; - field_element_type leaf_val = - nil::crypto3::marshalling::types::fill_field_element(leaf); + field_element_type leaf_val(leaf); auto write_iter = leaf_data.begin(); leaf_val.write(write_iter, field_element_type::length()); @@ -314,8 +312,7 @@ namespace nil { typename FieldType::value_type leaf = proof.round_proofs[i].colinear_value; std::array leaf_data; - field_element_type leaf_val = - nil::crypto3::marshalling::types::fill_field_element(leaf); + field_element_type leaf_val(leaf); auto write_iter = leaf_data.begin(); leaf_val.write(write_iter, field_element_type::length()); From 0da44956b8f8c6dc514aadb116060bd3a937f314 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Sat, 5 Feb 2022 13:56:40 +0200 Subject: [PATCH 122/219] minor fri changes #20 --- .../zk/snark/commitments/fri_commitment.hpp | 37 ++++++++----------- 1 file changed, 16 insertions(+), 21 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index cbfec8e10..859231487 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -188,33 +188,28 @@ namespace nil { std::array y; for (std::size_t j = 0; j < m; j++) { - y[j] = f.evaluate(s[j]); + y[j] = i == 0 ? g.evaluate(s[j]) : f.evaluate(s[j]); } std::array p; + std::vector tmp; + if (i == 0) { + std::copy(g.begin(), g.end(), std::back_inserter(tmp)); + } else { + std::copy(f.begin(), f.end(), std::back_inserter(tmp)); + } + + fri_params.D[i]->fft(tmp); for (std::size_t j = 0; j < m; j++) { - std::vector tmp(f.begin(), f.end()); - fri_params.D[i]->fft(tmp); - if (i == 0) { - typename FieldType::value_type leaf = g.evaluate(s[j]); - - std::size_t leaf_index = 0; - for (; leaf_index < tmp.size(); leaf_index++){ - if (tmp[leaf_index] == leaf) - break; - } - p[j] = merkle_proof_type(*p_tree, leaf_index); - } else { - typename FieldType::value_type leaf = y[j]; - - std::size_t leaf_index = 0; - for (; leaf_index < tmp.size(); leaf_index++){ - if (tmp[leaf_index] == leaf) - break; - } - p[j] = merkle_proof_type(*p_tree, leaf_index); + typename FieldType::value_type leaf = y[j]; + + std::size_t leaf_index = 0; + for (; leaf_index < tmp.size(); leaf_index++){ + if (tmp[leaf_index] == leaf) + break; } + p[j] = merkle_proof_type(*p_tree, leaf_index); } typename FieldType::value_type colinear_value = f_next.evaluate(x_next); From ddf0cbecd5f09f21a90c93495d5db8909019f8d7 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Sat, 5 Feb 2022 22:07:46 +0200 Subject: [PATCH 123/219] fri spectial case for the first iteration #20 --- .../nil/crypto3/zk/snark/commitments/fri_commitment.hpp | 4 +--- test/commitment/fri.cpp | 8 +++++++- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index 7b3058ee6..e4a84b0a3 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -288,9 +288,7 @@ namespace nil { for (std::size_t j = 0; j < m; j++) { if (i == 0){ - // TODO: FIX LATER - //y[j] = (proof.round_proofs[i].y[j] - U.evaluate(s[j]))/V.evaluate(s[j]); - y[j] = proof.round_proofs[i].y[j]; + y[j] = (proof.round_proofs[i].y[j] - U.evaluate(s[j]))/V.evaluate(s[j]); } else { y[j] = proof.round_proofs[i].y[j]; } diff --git a/test/commitment/fri.cpp b/test/commitment/fri.cpp index 93f466b1c..0c239cb36 100644 --- a/test/commitment/fri.cpp +++ b/test/commitment/fri.cpp @@ -98,16 +98,22 @@ BOOST_AUTO_TEST_CASE(fri_basic_test) { BOOST_CHECK(D[1]->m == D[0]->m/2); BOOST_CHECK(D[1]->get_domain_element(1) == D[0]->get_domain_element(1).squared()); BOOST_CHECK(params.q.evaluate(D[0]->get_domain_element(1)) == D[0]->get_domain_element(1).squared()); + merkle_tree_type commit_merkle = fri_type::commit(f, D[0]); std::array evaluation_points = {D[0]->get_domain_element(1).pow(5)}; std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; zk::snark::fiat_shamir_heuristic_updated> transcript(init_blob); + // LPC-related logic, here we "nulify" it via U = 0, V - 1 + // TODO: Make FRI independent from LPC input + math::polynomial::polynomial U = {0}; + math::polynomial::polynomial V = {1}; + proof_type proof = fri_type::proof_eval(f, f, commit_merkle, transcript, params); zk::snark::fiat_shamir_heuristic_updated> transcript_verifier(init_blob); - BOOST_CHECK(fri_type::verify_eval(proof, transcript_verifier, params, f, f)); + BOOST_CHECK(fri_type::verify_eval(proof, transcript_verifier, params, U, V)); } BOOST_AUTO_TEST_CASE(fri_fold_test) { From 01ac65a259038503a36b050673eba472b6391eef Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Sun, 6 Feb 2022 23:01:54 +0200 Subject: [PATCH 124/219] move fri params from lpc.eval #20 --- .../zk/snark/commitments/fri_commitment.hpp | 7 ++- .../list_polynomial_commitment.hpp | 14 ++---- test/commitment/fri.cpp | 15 ++++--- test/commitment/lpc.cpp | 45 +++++++++++++++---- 4 files changed, 55 insertions(+), 26 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index e4a84b0a3..8fa47fc11 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -134,10 +134,13 @@ namespace nil { } static inline math::polynomial::polynomial - fold_polynomial(const math::polynomial::polynomial &f, + fold_polynomial(math::polynomial::polynomial &f, typename FieldType::value_type alpha) { + std::size_t d = f.degree(); - BOOST_ASSERT_MSG(d % 2 != 0, "wrong using: fold_polynomial accepts only polynomials of odd degree"); + if (d % 2 == 0) { + f.push_back(0); + } math::polynomial::polynomial f_folded(d/2 + 1); for (std::size_t index = 0; index <= f_folded.degree(); index++){ diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index a813152e6..c2f85993e 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -116,12 +116,8 @@ namespace nil { static proof_type proof_eval(const std::array &evaluation_points, merkle_tree_type &T, const math::polynomial::polynomial &g, - fiat_shamir_heuristic_updated &transcript) { - - std::vector>> d; - for (std::size_t j = 0; j <= r - 1; j++) { - d.emplace_back(prepare_domain(D / 2)); - } + fiat_shamir_heuristic_updated &transcript, + typename fri_type::params_type &fri_params) { std::array z; std::array p; @@ -132,8 +128,8 @@ namespace nil { z[j] = g.evaluate(evaluation_points[j]); std::size_t leaf_index = 0; - for (; leaf_index < d[0]->m; leaf_index++){ - if (d[0]->get_domain_element(leaf_index) == evaluation_points[j]) + for (; leaf_index < fri_params.D[0]->m; leaf_index++){ + if (fri_params.D[0]->get_domain_element(leaf_index) == evaluation_points[j]) break; } p[j] = merkle_proof_type(T, leaf_index); @@ -153,8 +149,6 @@ namespace nil { // temporary definition, until polynomial is constexpr const math::polynomial::polynomial q = {0, 0, 1}; - typename fri_type::params_type fri_params = {r, r, d, q}; - std::array fri_proof; for (std::size_t round_id = 0; round_id <= lambda - 1; round_id++) { diff --git a/test/commitment/fri.cpp b/test/commitment/fri.cpp index 0c239cb36..d44419956 100644 --- a/test/commitment/fri.cpp +++ b/test/commitment/fri.cpp @@ -57,7 +57,7 @@ BOOST_AUTO_TEST_SUITE(fri_test_suite) BOOST_AUTO_TEST_CASE(fri_basic_test) { - // fri params + // setup using curve_type = algebra::curves::mnt4<298>; using FieldType = typename curve_type::base_field_type; @@ -76,10 +76,6 @@ BOOST_AUTO_TEST_CASE(fri_basic_test) { typedef typename fri_type::params_type params_type; params_type params; - math::polynomial::polynomial f = {1, 3, 4, 1, - 5, 6, 7, 2, - 8, 7, 5, 6, - 1, 2, 1, 1}; std::vector>> D; constexpr static const std::size_t d_extended = d; @@ -99,9 +95,16 @@ BOOST_AUTO_TEST_CASE(fri_basic_test) { BOOST_CHECK(D[1]->get_domain_element(1) == D[0]->get_domain_element(1).squared()); BOOST_CHECK(params.q.evaluate(D[0]->get_domain_element(1)) == D[0]->get_domain_element(1).squared()); + // commit + math::polynomial::polynomial f = {1, 3, 4, 1, + 5, 6, 7, 2, + 8, 7, 5, 6, + 1, 2, 1, 1}; + merkle_tree_type commit_merkle = fri_type::commit(f, D[0]); std::array evaluation_points = {D[0]->get_domain_element(1).pow(5)}; + // eval std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; zk::snark::fiat_shamir_heuristic_updated> transcript(init_blob); @@ -113,6 +116,8 @@ BOOST_AUTO_TEST_CASE(fri_basic_test) { proof_type proof = fri_type::proof_eval(f, f, commit_merkle, transcript, params); zk::snark::fiat_shamir_heuristic_updated> transcript_verifier(init_blob); + + //verify BOOST_CHECK(fri_type::verify_eval(proof, transcript_verifier, params, U, V)); } diff --git a/test/commitment/lpc.cpp b/test/commitment/lpc.cpp index 7dd60dfab..747c90c63 100644 --- a/test/commitment/lpc.cpp +++ b/test/commitment/lpc.cpp @@ -42,6 +42,7 @@ #include #include +#include using namespace nil::crypto3; using namespace nil::crypto3::zk::snark; @@ -95,7 +96,7 @@ std::vector> genera BOOST_AUTO_TEST_SUITE(lpc_test_suite) -BOOST_AUTO_TEST_CASE(lpc_performance_test) { +/*BOOST_AUTO_TEST_CASE(lpc_performance_test) { typedef algebra::curves::bls12<381> curve_type; typedef typename curve_type::scalar_field_type field_type; @@ -146,12 +147,13 @@ BOOST_AUTO_TEST_CASE(lpc_performance_test) { auto proof = lpc_type::proof_eval(evaluation_points, tree, poly, transcript); } -} +}*/ BOOST_AUTO_TEST_CASE(lpc_basic_test) { - /*typedef algebra::curves::bls12<381> curve_type; - typedef typename curve_type::base_field_type FieldType; + // setup + typedef algebra::curves::bls12<381> curve_type; + typedef typename curve_type::scalar_field_type FieldType; typedef hashes::sha2<256> merkle_hash_type; typedef hashes::sha2<256> transcript_hash_type; @@ -161,26 +163,51 @@ BOOST_AUTO_TEST_CASE(lpc_basic_test) { constexpr static const std::size_t lambda = 40; constexpr static const std::size_t k = 1; - constexpr static const std::size_t d = 5; + constexpr static const std::size_t d = 16; constexpr static const std::size_t r = boost::static_log2<(d - k)>::value; constexpr static const std::size_t m = 2; + typedef zk::snark::fri_commitment_scheme fri_type; typedef list_polynomial_commitment_scheme lpc_type; typedef typename lpc_type::proof_type proof_type; - math::polynomial::polynomial f = {0, 0, 1}; + std::vector>> D; + constexpr static const std::size_t d_extended = d; + std::size_t extended_log = boost::static_log2::value; + for (std::size_t i = 0; i < r; i++) { + std::shared_ptr> domain = prepare_domain(std::pow(2, extended_log - i)); + D.push_back(domain); + } + + typename fri_type::params_type fri_params; - std::shared_ptr> D_0 = prepare_domain(d); + math::polynomial::polynomial q = {0, 0, 1}; + fri_params.r = r; + fri_params.D = D; + fri_params.q = q; + fri_params.max_degree = d; + - merkle_tree_type tree = lpc_type::commit(f, D_0); + // commit + + math::polynomial::polynomial f = {1, 3, 4, 1, + 5, 6, 7, 2, + 8, 7, 5, 6, + 1, 2, 1, 1}; + + merkle_tree_type tree = lpc_type::commit(f, D[0]); + + // eval std::array evaluation_points = {algebra::random_element()}; std::array x_data {}; zk::snark::fiat_shamir_heuristic_updated transcript(x_data); - auto proof = lpc_type::proof_eval(evaluation_points, tree, f, transcript);*/ + auto proof = lpc_type::proof_eval(evaluation_points, tree, f, transcript, fri_params); + + // verify } BOOST_AUTO_TEST_SUITE_END() \ No newline at end of file From 9513bc86064c1b2382f1146fdf727d48e06f5f69 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Mon, 7 Feb 2022 12:00:26 +0200 Subject: [PATCH 125/219] calculate domain in fri method #20 --- .../zk/snark/commitments/fri_commitment.hpp | 11 ++ test/CMakeLists.txt | 1 + test/commitment/fri.cpp | 26 +-- test/commitment/lpc.cpp | 106 +----------- test/commitment/lpc_performance.cpp | 155 ++++++++++++++++++ 5 files changed, 176 insertions(+), 123 deletions(-) create mode 100644 test/commitment/lpc_performance.cpp diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index 8fa47fc11..5c115e4cc 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -109,6 +109,17 @@ namespace nil { math::polynomial::polynomial final_polynomial; }; + static std::vector>> + calculate_domain_set(const std::size_t max_domain_degree, const std::size_t set_size) { + std::vector>> domain_set(set_size); + for (std::size_t i = 0; i < set_size; i++) { + const std::size_t domain_size = std::pow(2, max_domain_degree - i); + std::shared_ptr> domain = math::make_evaluation_domain(domain_size); + domain_set[i] = domain; + } + return domain_set; + } + // The result of this function is not commitment_type (as it would expected), // but the built Merkle tree. This is done so, because we often need to reuse // the built Merkle tree diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt index c3fbcbe8a..3e3702eec 100644 --- a/test/CMakeLists.txt +++ b/test/CMakeLists.txt @@ -49,6 +49,7 @@ endmacro() set(TESTS_NAMES "commitment/lpc" "commitment/fri" + "commitment/lpc_performance" "routing_algorithms/test_routing_algorithms" diff --git a/test/commitment/fri.cpp b/test/commitment/fri.cpp index d44419956..c23342e38 100644 --- a/test/commitment/fri.cpp +++ b/test/commitment/fri.cpp @@ -48,11 +48,6 @@ using namespace nil::crypto3; -template -std::shared_ptr> prepare_domain(const std::size_t d) { - return math::make_evaluation_domain(d); -} - BOOST_AUTO_TEST_SUITE(fri_test_suite) BOOST_AUTO_TEST_CASE(fri_basic_test) { @@ -77,13 +72,9 @@ BOOST_AUTO_TEST_CASE(fri_basic_test) { params_type params; - std::vector>> D; constexpr static const std::size_t d_extended = d; std::size_t extended_log = boost::static_log2::value; - for (std::size_t i = 0; i < r; i++) { - std::shared_ptr> domain = prepare_domain(std::pow(2, extended_log - i)); - D.push_back(domain); - } + std::vector>> D = fri_type::calculate_domain_set(extended_log, r); math::polynomial::polynomial q = {0, 0, 1}; params.r = r; @@ -115,9 +106,9 @@ BOOST_AUTO_TEST_CASE(fri_basic_test) { proof_type proof = fri_type::proof_eval(f, f, commit_merkle, transcript, params); + //verify zk::snark::fiat_shamir_heuristic_updated> transcript_verifier(init_blob); - //verify BOOST_CHECK(fri_type::verify_eval(proof, transcript_verifier, params, U, V)); } @@ -143,8 +134,8 @@ BOOST_AUTO_TEST_CASE(fri_fold_test) { params_type params; math::polynomial::polynomial q = {0, 0, 1}; - std::shared_ptr> domain = prepare_domain(d); - std::vector>> D = {domain}; + std::size_t d_log = boost::static_log2::value; + std::vector>> D = fri_type::calculate_domain_set(d_log, 1); params.r = r; @@ -153,7 +144,7 @@ BOOST_AUTO_TEST_CASE(fri_fold_test) { math::polynomial::polynomial f = {1, 3, 4, 3}; - typename FieldType::value_type omega = domain->get_domain_element(1); + typename FieldType::value_type omega = D[0]->get_domain_element(1); typename FieldType::value_type x_next = params.q.evaluate(omega); typename FieldType::value_type alpha = algebra::random_element(); @@ -200,13 +191,10 @@ BOOST_AUTO_TEST_CASE(fri_steps_count_test) { 8, 7, 5, 6, 1, 2, 1, 1}; - std::vector>> D; + constexpr static const std::size_t d_extended = d; std::size_t extended_log = boost::static_log2::value; - for (std::size_t i = 0; i < r; i++) { - std::shared_ptr> domain = prepare_domain(std::pow(2, extended_log - i)); - D.push_back(domain); - } + std::vector>> D = fri_type::calculate_domain_set(extended_log, r); params.r = r - 1; params.D = D; diff --git a/test/commitment/lpc.cpp b/test/commitment/lpc.cpp index 747c90c63..0810f079b 100644 --- a/test/commitment/lpc.cpp +++ b/test/commitment/lpc.cpp @@ -47,108 +47,9 @@ using namespace nil::crypto3; using namespace nil::crypto3::zk::snark; -template -std::shared_ptr> prepare_domain(const std::size_t d) { - return math::make_evaluation_domain(d); -} - -namespace boost { - namespace test_tools { - namespace tt_detail { - template<> - struct print_log_value>>>> { - void operator()(std::ostream &, - const nil::crypto3::math::polynomial::polynomial>>> &) { - } - }; - } // namespace tt_detail - } // namespace test_tools -} // namespace boost - -template -std::vector> generate(NumberType degree) { - typedef boost::random::independent_bits_engine - random_polynomial_generator_type; - - std::vector> res; - - boost::random::random_device rd; // Will be used to obtain a seed for the random number engine - boost::random::mt19937 gen(rd()); // Standard mersenne_twister_engine seeded with rd() - boost::random::uniform_int_distribution<> distrib(std::numeric_limits::min(), std::numeric_limits::max()); - - random_polynomial_generator_type polynomial_element_gen; - std::size_t height = 1; - res.reserve(height); - - for (int i = 0; i < height; i++) { - math::polynomial::polynomial poly; - for (int j = 0; j < degree; j++) { - poly.push_back(typename FieldType::value_type(polynomial_element_gen())); - } - res.push_back(poly); - } - - return res; -} BOOST_AUTO_TEST_SUITE(lpc_test_suite) -/*BOOST_AUTO_TEST_CASE(lpc_performance_test) { - typedef algebra::curves::bls12<381> curve_type; - typedef typename curve_type::scalar_field_type field_type; - - typedef hashes::sha2<256> merkle_hash_type; - typedef hashes::sha2<256> transcript_hash_type; - - typedef typename containers::merkle_tree merkle_tree_type; - - constexpr static const std::size_t lambda = 40; - constexpr static const std::size_t k = 1; - - constexpr static const std::size_t d_power_two = 5; - constexpr static const std::size_t d = 1 << d_power_two -1; - - constexpr static const std::size_t r = boost::static_log2<(d - k)>::value; - constexpr static const std::size_t m = 2; - - typedef list_polynomial_commitment_scheme lpc_type; - typedef typename lpc_type::proof_type proof_type; - - std::shared_ptr> D_0 = prepare_domain(d); - - typedef boost::random::independent_bits_engine - random_polynomial_generator_type; - - std::vector> res; - - boost::random::random_device rd; // Will be used to obtain a seed for the random number engine - boost::random::mt19937 gen(rd()); // Standard mersenne_twister_engine seeded with rd() - boost::random::uniform_int_distribution<> distrib(std::numeric_limits::min(), std::numeric_limits::max()); - - random_polynomial_generator_type polynomial_element_gen; - std::size_t height = 1; - res.reserve(height); - - for (int i = 0; i < height; i++) { - math::polynomial::polynomial poly; - for (int j = 0; j < (1 << d_power_two); j++) { - poly.push_back(typename field_type::value_type(polynomial_element_gen())); - } - merkle_tree_type tree = lpc_type::commit(poly, D_0); - - std::array evaluation_points = {algebra::random_element()}; - - std::array x_data {}; - zk::snark::fiat_shamir_heuristic_updated transcript(x_data); - - auto proof = lpc_type::proof_eval(evaluation_points, tree, poly, transcript); - } -}*/ - BOOST_AUTO_TEST_CASE(lpc_basic_test) { // setup @@ -172,13 +73,9 @@ BOOST_AUTO_TEST_CASE(lpc_basic_test) { typedef list_polynomial_commitment_scheme lpc_type; typedef typename lpc_type::proof_type proof_type; - std::vector>> D; constexpr static const std::size_t d_extended = d; std::size_t extended_log = boost::static_log2::value; - for (std::size_t i = 0; i < r; i++) { - std::shared_ptr> domain = prepare_domain(std::pow(2, extended_log - i)); - D.push_back(domain); - } + std::vector>> D = fri_type::calculate_domain_set(extended_log, r); typename fri_type::params_type fri_params; @@ -208,6 +105,7 @@ BOOST_AUTO_TEST_CASE(lpc_basic_test) { auto proof = lpc_type::proof_eval(evaluation_points, tree, f, transcript, fri_params); // verify + //BOOST_CHECK(fri_type::verify_eval(proof, transcript_verifier, params, U, V)); } BOOST_AUTO_TEST_SUITE_END() \ No newline at end of file diff --git a/test/commitment/lpc_performance.cpp b/test/commitment/lpc_performance.cpp new file mode 100644 index 000000000..035dbfa50 --- /dev/null +++ b/test/commitment/lpc_performance.cpp @@ -0,0 +1,155 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#define BOOST_TEST_MODULE lpc_test + +#include + +#include +#include +#include + +#include +#include +#include +#include +#include + +#include +#include +#include + +#include +#include + +using namespace nil::crypto3; +using namespace nil::crypto3::zk::snark; + +namespace boost { + namespace test_tools { + namespace tt_detail { + template<> + struct print_log_value>>>> { + void operator()(std::ostream &, + const nil::crypto3::math::polynomial::polynomial>>> &) { + } + }; + } // namespace tt_detail + } // namespace test_tools +} // namespace boost + +template +std::vector> generate(NumberType degree) { + typedef boost::random::independent_bits_engine + random_polynomial_generator_type; + + std::vector> res; + + boost::random::random_device rd; // Will be used to obtain a seed for the random number engine + boost::random::mt19937 gen(rd()); // Standard mersenne_twister_engine seeded with rd() + boost::random::uniform_int_distribution<> distrib(std::numeric_limits::min(), std::numeric_limits::max()); + + random_polynomial_generator_type polynomial_element_gen; + std::size_t height = 1; + res.reserve(height); + + for (int i = 0; i < height; i++) { + math::polynomial::polynomial poly; + for (int j = 0; j < degree; j++) { + poly.push_back(typename FieldType::value_type(polynomial_element_gen())); + } + res.push_back(poly); + } + + return res; +} + +BOOST_AUTO_TEST_SUITE(lpc_performance_test_suite) + +BOOST_AUTO_TEST_CASE(lpc_performance_test) { + typedef algebra::curves::bls12<381> curve_type; + typedef typename curve_type::scalar_field_type field_type; + + typedef hashes::sha2<256> merkle_hash_type; + typedef hashes::sha2<256> transcript_hash_type; + + typedef typename containers::merkle_tree merkle_tree_type; + + constexpr static const std::size_t lambda = 40; + constexpr static const std::size_t k = 1; + + constexpr static const std::size_t d_power_two = 5; + constexpr static const std::size_t d = 1 << d_power_two -1; + + constexpr static const std::size_t r = boost::static_log2<(d - k)>::value; + constexpr static const std::size_t m = 2; + + typedef zk::snark::fri_commitment_scheme fri_type; + typedef list_polynomial_commitment_scheme lpc_type; + typedef typename lpc_type::proof_type proof_type; + + typename fri_type::params_type fri_params; + + math::polynomial::polynomial q = {0, 0, 1}; + std::vector>> D = fri_type::calculate_domain_set(d, r); + fri_params.r = r; + fri_params.D = D; + fri_params.q = q; + fri_params.max_degree = d; + + typedef boost::random::independent_bits_engine + random_polynomial_generator_type; + + std::vector> res; + + boost::random::random_device rd; // Will be used to obtain a seed for the random number engine + boost::random::mt19937 gen(rd()); // Standard mersenne_twister_engine seeded with rd() + boost::random::uniform_int_distribution<> distrib(std::numeric_limits::min(), std::numeric_limits::max()); + + random_polynomial_generator_type polynomial_element_gen; + std::size_t height = 1; + res.reserve(height); + + for (int i = 0; i < height; i++) { + math::polynomial::polynomial poly; + for (int j = 0; j < (1 << d_power_two); j++) { + poly.push_back(typename field_type::value_type(polynomial_element_gen())); + } + merkle_tree_type tree = lpc_type::commit(poly, D[0]); + + std::array evaluation_points = {algebra::random_element()}; + + std::array x_data {}; + zk::snark::fiat_shamir_heuristic_updated transcript(x_data); + + auto proof = lpc_type::proof_eval(evaluation_points, tree, poly, transcript, fri_params); + } +} + +BOOST_AUTO_TEST_SUITE_END() \ No newline at end of file From a8bfd2ef0b2c1c0fad4ba05a01bae80a2434bfad Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Mon, 7 Feb 2022 19:30:19 +0200 Subject: [PATCH 126/219] lpc verifier #20 --- .../zk/snark/commitments/fri_commitment.hpp | 6 ++-- .../list_polynomial_commitment.hpp | 29 +++++++------------ test/commitment/lpc.cpp | 9 +++--- 3 files changed, 19 insertions(+), 25 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index 5c115e4cc..51ae2407c 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -151,6 +151,7 @@ namespace nil { std::size_t d = f.degree(); if (d % 2 == 0) { f.push_back(0); + d++; } math::polynomial::polynomial f_folded(d/2 + 1); @@ -265,7 +266,8 @@ namespace nil { const math::polynomial::polynomial &U, const math::polynomial::polynomial &V) { - typename FieldType::value_type x = fri_params.D[0]->get_domain_element(1).pow(transcript.template int_challenge()); + std::size_t idx = transcript.template int_challenge(); + typename FieldType::value_type x = fri_params.D[0]->get_domain_element(1).pow(idx); std::size_t r = fri_params.r; @@ -323,7 +325,7 @@ namespace nil { auto write_iter = leaf_data.begin(); leaf_val.write(write_iter, field_element_type::length()); - if (interpolant.evaluate(alpha) != proof.round_proofs[i].colinear_value){ + if (interpolant.evaluate(alpha) != proof.round_proofs[i].colinear_value) { return false; } if (i < r - 1) { diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index c2f85993e..ad82ae9cf 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -61,6 +61,11 @@ namespace nil { std::size_t M = 2, std::size_t D = 16> struct list_polynomial_commitment_scheme { + using Endianness = nil::marshalling::option::big_endian; + using field_element_type = + nil::crypto3::marshalling::types::field_element, + FieldType>; + constexpr static const std::size_t lambda = Lambda; constexpr static const std::size_t k = K; constexpr static const std::size_t r = R; @@ -79,7 +84,7 @@ namespace nil { struct proof_type { bool operator==(const proof_type &rhs) const { - return z == rhs.z && p == rhs.p && fri_proof == rhs.fri_proof; + return z == rhs.z && fri_proof == rhs.fri_proof; } bool operator!=(const proof_type &rhs) const { return !(rhs == *this); @@ -87,8 +92,6 @@ namespace nil { std::array z; - std::array p; - typename merkle_tree_type::value_type T_root; std::array fri_proof; @@ -126,13 +129,6 @@ namespace nil { for (std::size_t j = 0; j < k; j++) { z[j] = g.evaluate(evaluation_points[j]); - - std::size_t leaf_index = 0; - for (; leaf_index < fri_params.D[0]->m; leaf_index++){ - if (fri_params.D[0]->get_domain_element(leaf_index) == evaluation_points[j]) - break; - } - p[j] = merkle_proof_type(T, leaf_index); U_interpolation_points[j] = std::make_pair(evaluation_points[j], z[j]); } @@ -155,19 +151,13 @@ namespace nil { fri_proof[round_id] = fri_type::proof_eval(Q, g, T, transcript, fri_params); } - return proof_type({z, p, T.root(), fri_proof}); + return proof_type({z, T.root(), fri_proof}); } static bool verify_eval(const std::array &evaluation_points, - const proof_type &proof, + proof_type &proof, fiat_shamir_heuristic_updated &transcript, typename fri_type::params_type fri_params) { - - for (std::size_t j = 0; j < k; j++) { - if (!proof.p[j].validate(proof.T_root)) - return false; - } - std::array, k> U_interpolation_points; @@ -185,8 +175,9 @@ namespace nil { } for (std::size_t round_id = 0; round_id <= lambda - 1; round_id++) { - if (!fri_type::verify_eval(proof.fri_proof[round_id], transcript, fri_params, U, V)) + if (!fri_type::verify_eval(proof.fri_proof[round_id], transcript, fri_params, U, V)) { return false; + } } return true; diff --git a/test/commitment/lpc.cpp b/test/commitment/lpc.cpp index 0810f079b..fd32514e3 100644 --- a/test/commitment/lpc.cpp +++ b/test/commitment/lpc.cpp @@ -95,9 +95,8 @@ BOOST_AUTO_TEST_CASE(lpc_basic_test) { merkle_tree_type tree = lpc_type::commit(f, D[0]); - // eval - - std::array evaluation_points = {algebra::random_element()}; + // TODO: take a point outside of the basic domain + std::array evaluation_points = {algebra::fields::arithmetic_params::multiplicative_generator}; std::array x_data {}; zk::snark::fiat_shamir_heuristic_updated transcript(x_data); @@ -105,7 +104,9 @@ BOOST_AUTO_TEST_CASE(lpc_basic_test) { auto proof = lpc_type::proof_eval(evaluation_points, tree, f, transcript, fri_params); // verify - //BOOST_CHECK(fri_type::verify_eval(proof, transcript_verifier, params, U, V)); + zk::snark::fiat_shamir_heuristic_updated> transcript_verifier(x_data); + + BOOST_CHECK(lpc_type::verify_eval(evaluation_points, proof, transcript_verifier, fri_params)); } BOOST_AUTO_TEST_SUITE_END() \ No newline at end of file From 34c7be0f578eb2376fe2909371737024f31bdc95 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Mon, 7 Feb 2022 19:38:01 +0200 Subject: [PATCH 127/219] lpc performance test #20 --- test/commitment/lpc_performance.cpp | 36 +++++++++++++++++------------ 1 file changed, 21 insertions(+), 15 deletions(-) diff --git a/test/commitment/lpc_performance.cpp b/test/commitment/lpc_performance.cpp index 035dbfa50..461c56840 100644 --- a/test/commitment/lpc_performance.cpp +++ b/test/commitment/lpc_performance.cpp @@ -93,7 +93,7 @@ BOOST_AUTO_TEST_SUITE(lpc_performance_test_suite) BOOST_AUTO_TEST_CASE(lpc_performance_test) { typedef algebra::curves::bls12<381> curve_type; - typedef typename curve_type::scalar_field_type field_type; + typedef typename curve_type::scalar_field_type FieldType; typedef hashes::sha2<256> merkle_hash_type; typedef hashes::sha2<256> transcript_hash_type; @@ -103,30 +103,33 @@ BOOST_AUTO_TEST_CASE(lpc_performance_test) { constexpr static const std::size_t lambda = 40; constexpr static const std::size_t k = 1; - constexpr static const std::size_t d_power_two = 5; - constexpr static const std::size_t d = 1 << d_power_two -1; + constexpr static const std::size_t d_power_two = 4; + constexpr static const std::size_t d = 1 << d_power_two; - constexpr static const std::size_t r = boost::static_log2<(d - k)>::value; + constexpr static const std::size_t r = d_power_two - 1; constexpr static const std::size_t m = 2; - typedef zk::snark::fri_commitment_scheme fri_type; - typedef list_polynomial_commitment_scheme lpc_type; + typedef zk::snark::fri_commitment_scheme fri_type; + typedef list_polynomial_commitment_scheme lpc_type; typedef typename lpc_type::proof_type proof_type; + constexpr static const std::size_t d_extended = d; + std::size_t extended_log = boost::static_log2::value; + std::vector>> D = fri_type::calculate_domain_set(extended_log, r); + typename fri_type::params_type fri_params; - math::polynomial::polynomial q = {0, 0, 1}; - std::vector>> D = fri_type::calculate_domain_set(d, r); + math::polynomial::polynomial q = {0, 0, 1}; fri_params.r = r; fri_params.D = D; fri_params.q = q; fri_params.max_degree = d; - typedef boost::random::independent_bits_engine + typedef boost::random::independent_bits_engine random_polynomial_generator_type; - std::vector> res; + std::vector> res; boost::random::random_device rd; // Will be used to obtain a seed for the random number engine boost::random::mt19937 gen(rd()); // Standard mersenne_twister_engine seeded with rd() @@ -137,18 +140,21 @@ BOOST_AUTO_TEST_CASE(lpc_performance_test) { res.reserve(height); for (int i = 0; i < height; i++) { - math::polynomial::polynomial poly; - for (int j = 0; j < (1 << d_power_two); j++) { - poly.push_back(typename field_type::value_type(polynomial_element_gen())); + math::polynomial::polynomial poly; + for (int j = 0; j < (1 << d_power_two) - 1; j++) { + poly.push_back(typename FieldType::value_type(polynomial_element_gen())); } merkle_tree_type tree = lpc_type::commit(poly, D[0]); - std::array evaluation_points = {algebra::random_element()}; + std::array evaluation_points = {algebra::random_element()}; std::array x_data {}; zk::snark::fiat_shamir_heuristic_updated transcript(x_data); auto proof = lpc_type::proof_eval(evaluation_points, tree, poly, transcript, fri_params); + + zk::snark::fiat_shamir_heuristic_updated> transcript_verifier(x_data); + BOOST_CHECK(lpc_type::verify_eval(evaluation_points, proof, transcript_verifier, fri_params)); } } From 625c08e1834d2972b1ca2ccd0a08462a6d7296e3 Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Mon, 7 Feb 2022 21:57:56 +0300 Subject: [PATCH 128/219] LPC performance tests updated #20 --- test/commitment/lpc_performance.cpp | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/test/commitment/lpc_performance.cpp b/test/commitment/lpc_performance.cpp index 461c56840..a928d7eaf 100644 --- a/test/commitment/lpc_performance.cpp +++ b/test/commitment/lpc_performance.cpp @@ -64,7 +64,8 @@ namespace boost { template std::vector> generate(NumberType degree) { - typedef boost::random::independent_bits_engine random_polynomial_generator_type; @@ -103,10 +104,9 @@ BOOST_AUTO_TEST_CASE(lpc_performance_test) { constexpr static const std::size_t lambda = 40; constexpr static const std::size_t k = 1; - constexpr static const std::size_t d_power_two = 4; - constexpr static const std::size_t d = 1 << d_power_two; + constexpr static const std::size_t d = 16; - constexpr static const std::size_t r = d_power_two - 1; + constexpr static const std::size_t r = boost::static_log2<(d - k)>::value; constexpr static const std::size_t m = 2; typedef zk::snark::fri_commitment_scheme fri_type; @@ -115,7 +115,8 @@ BOOST_AUTO_TEST_CASE(lpc_performance_test) { constexpr static const std::size_t d_extended = d; std::size_t extended_log = boost::static_log2::value; - std::vector>> D = fri_type::calculate_domain_set(extended_log, r); + std::vector>> D = + fri_type::calculate_domain_set(extended_log, r); typename fri_type::params_type fri_params; @@ -123,9 +124,10 @@ BOOST_AUTO_TEST_CASE(lpc_performance_test) { fri_params.r = r; fri_params.D = D; fri_params.q = q; - fri_params.max_degree = d; + fri_params.max_degree = 1 << 24; - typedef boost::random::independent_bits_engine random_polynomial_generator_type; @@ -141,19 +143,23 @@ BOOST_AUTO_TEST_CASE(lpc_performance_test) { for (int i = 0; i < height; i++) { math::polynomial::polynomial poly; - for (int j = 0; j < (1 << d_power_two) - 1; j++) { + for (int j = 0; j < fri_params.max_degree; j++) { poly.push_back(typename FieldType::value_type(polynomial_element_gen())); } merkle_tree_type tree = lpc_type::commit(poly, D[0]); - std::array evaluation_points = {algebra::random_element()}; + // TODO: take a point outside of the basic domain + std::array evaluation_points = { + algebra::fields::arithmetic_params::multiplicative_generator}; std::array x_data {}; zk::snark::fiat_shamir_heuristic_updated transcript(x_data); auto proof = lpc_type::proof_eval(evaluation_points, tree, poly, transcript, fri_params); + // verify zk::snark::fiat_shamir_heuristic_updated> transcript_verifier(x_data); + BOOST_CHECK(lpc_type::verify_eval(evaluation_points, proof, transcript_verifier, fri_params)); } } From d40c79a90131fbeb6b6ad08dfc655e4199ef9b1b Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Mon, 7 Feb 2022 22:02:41 +0300 Subject: [PATCH 129/219] LPC performance test updated #20 --- test/commitment/lpc_performance.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/commitment/lpc_performance.cpp b/test/commitment/lpc_performance.cpp index a928d7eaf..877a33ae1 100644 --- a/test/commitment/lpc_performance.cpp +++ b/test/commitment/lpc_performance.cpp @@ -104,7 +104,7 @@ BOOST_AUTO_TEST_CASE(lpc_performance_test) { constexpr static const std::size_t lambda = 40; constexpr static const std::size_t k = 1; - constexpr static const std::size_t d = 16; + constexpr static const std::size_t d = 1 << 24; constexpr static const std::size_t r = boost::static_log2<(d - k)>::value; constexpr static const std::size_t m = 2; @@ -124,7 +124,7 @@ BOOST_AUTO_TEST_CASE(lpc_performance_test) { fri_params.r = r; fri_params.D = D; fri_params.q = q; - fri_params.max_degree = 1 << 24; + fri_params.max_degree = d; typedef boost::random::independent_bits_engine Date: Mon, 7 Feb 2022 22:30:23 +0300 Subject: [PATCH 130/219] LPC performance tests updated #20 --- test/commitment/lpc_performance.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/commitment/lpc_performance.cpp b/test/commitment/lpc_performance.cpp index 877a33ae1..263804afd 100644 --- a/test/commitment/lpc_performance.cpp +++ b/test/commitment/lpc_performance.cpp @@ -96,7 +96,7 @@ BOOST_AUTO_TEST_CASE(lpc_performance_test) { typedef algebra::curves::bls12<381> curve_type; typedef typename curve_type::scalar_field_type FieldType; - typedef hashes::sha2<256> merkle_hash_type; + typedef hashes::keccak_1600<256> merkle_hash_type; typedef hashes::sha2<256> transcript_hash_type; typedef typename containers::merkle_tree merkle_tree_type; From 30f07ef9f370f75d37a47789a42e9756f985bb05 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Tue, 8 Feb 2022 21:50:25 +0200 Subject: [PATCH 131/219] permutation argument verification #20 --- .../list_polynomial_commitment.hpp | 2 +- .../plonk/redshift/permutation_argument.hpp | 97 +++++++++++----- test/commitment/fri.cpp | 4 + test/systems/plonk/redshift.cpp | 104 ++++++++++++------ 4 files changed, 148 insertions(+), 59 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index ad82ae9cf..acf7a2b4e 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -72,7 +72,7 @@ namespace nil { constexpr static const std::size_t m = M; typedef FieldType field_type; - typedef Hash transcript_hash_type; + typedef Hash transcript_hash_type; //TODO: separate transcript and merkle hashes typedef typename containers::merkle_tree merkle_tree_type; typedef typename merkle_tree_type::hash_type merkle_hash_type; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp index 2293b9d9e..1e05b02c4 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp @@ -35,20 +35,44 @@ #include #include +#include namespace nil { namespace crypto3 { namespace zk { namespace snark { - template + template class redshift_permutation_argument { + typedef typename lpc_type::fri_type fri_type; + static constexpr std::size_t argument_size = 3; + static inline math::polynomial::polynomial + polynomial_shift(math::polynomial::polynomial f, typename FieldType::value_type x) { + math::polynomial::polynomial f_shifted(f); + typename FieldType::value_type x_power = x; + for (int i = 1; i < f.size(); i++) { + f_shifted[i] = f_shifted[i] * x_power; + x_power = x_power * x; + } + + return f_shifted; + } + public: - static inline std::array, - argument_size> // TODO: fix fiat-shamir - prove_argument( + + struct prover_result_type { + std::array, + argument_size> F; + + math::polynomial::polynomial permutation_polynomial; + + typename lpc_type::merkle_tree_type permutation_poly_commitment; + }; + + static inline prover_result_type // TODO: fix fiat-shamir + prove_eval( fiat_shamir_heuristic_updated> &transcript, std::size_t circuit_rows, std::size_t permutation_size, @@ -58,7 +82,8 @@ namespace nil { const std::vector> &S_sigma, const std::vector> &f, const math::polynomial::polynomial &q_last, - const math::polynomial::polynomial &q_blind) { + const math::polynomial::polynomial &q_blind, + typename fri_type::params_type fri_params) { // 1. $\beta_1, \gamma_1 = \challenge$ typename FieldType::value_type beta = transcript.template challenge(); @@ -103,10 +128,9 @@ namespace nil { V_P_interpolation_points.begin(), V_P_interpolation_points.end()); // 4. Compute and add commitment to $V_P$ to $\text{transcript}$. - // TODO: include commitment - // merkle_tree_type V_P_tree = fri::commit(V_P, D_0); - // typename fri::commitment_type V_P_commitment = V_P_tree.root(); - // transcript(V_P_commitment); + typename lpc_type::merkle_tree_type V_P_tree = lpc_type::commit(V_P, fri_params.D[0]); + typename lpc_type::commitment_type V_P_commitment = V_P_tree.root(); + transcript(V_P_commitment); // 5. Calculate g_perm, h_perm math::polynomial::polynomial g = {1}; @@ -119,33 +143,56 @@ namespace nil { math::polynomial::polynomial one_polynomial = {1}; std::array, argument_size> F; + + math::polynomial::polynomial V_P_shifted = polynomial_shift(V_P, domain->get_domain_element(1)); + F[0] = lagrange_1 * (one_polynomial - V_P); - F[1] = (one_polynomial - (q_last + q_blind)) * ((domain->get_domain_element(0) * V_P) * h - V_P * g); + F[1] = (one_polynomial - (q_last + q_blind)) * (V_P_shifted * h - V_P * g); F[2] = q_last * (V_P * V_P - V_P); + + prover_result_type res = {F, V_P, V_P_tree}; - return F; + return res; } - static inline std::array verify_argument() { - /*typename transcript_hash_type::digest_type beta_bytes = - transcript.get_challenge(); + static inline std::array verify_eval( + fiat_shamir_heuristic_updated> &transcript, + std::size_t circuit_rows, + std::size_t permutation_size, + std::shared_ptr> domain, + typename FieldType::value_type challenge, // y + std::vector column_polynomials, // f(y) + typename FieldType::value_type perm_polynomial, // V_P(y) + typename FieldType::value_type perm_polynomial_shifted, // V_P(omega * y) + //TODO: commitment + const math::polynomial::polynomial &lagrange_1, + const std::vector> &S_id, + const std::vector> &S_sigma, + const math::polynomial::polynomial &q_last, + const math::polynomial::polynomial &q_blind, + typename lpc_type::commitment_type V_P_commitment) { - typename transcript_hash_type::digest_type gamma_bytes = - transcript.get_challenge(); + // 1. Get beta, gamma + typename FieldType::value_type beta = transcript.template challenge(); + typename FieldType::value_type gamma = transcript.template challenge(); - typename FieldType::value_type beta = algebra::marshalling(beta_bytes); - typename FieldType::value_type gamma = algebra::marshalling(gamma_bytes); + // 2. Add commitment to V_P to transcript + transcript(V_P_commitment); - transcript(proof.P_commitment); - transcript(proof.Q_commitment); + // 3. Calculate h_perm, g_perm at challenge point + typename FieldType::value_type g = FieldType::value_type::one(); + typename FieldType::value_type h = FieldType::value_type::one(); - const math::polynomial::polynomial q_last; - const math::polynomial::polynomial q_blind; + for (std::size_t i = 0; i < column_polynomials.size(); i++) { + g = g * (column_polynomials[i] + beta * S_id[i].evaluate(challenge) + gamma); + h = h * (column_polynomials[i] + beta * S_sigma[i].evaluate(challenge) + gamma); + } - F[0] = verification_key.L_basis[1] * (P - 1); - F[1] = verification_key.L_basis[1] * (Q - 1); - F[2] = P * p_1 - (P << 1);*/ std::array F; + typename FieldType::value_type one = FieldType::value_type::one(); + F[0] = lagrange_1.evaluate(challenge) * (one - perm_polynomial); + F[1] = (one - q_last.evaluate(challenge) - q_blind.evaluate(challenge)) * (perm_polynomial_shifted * h - perm_polynomial * g); + F[2] = q_last.evaluate(challenge) * (perm_polynomial.squared() - perm_polynomial); return F; } diff --git a/test/commitment/fri.cpp b/test/commitment/fri.cpp index c23342e38..bee25ef46 100644 --- a/test/commitment/fri.cpp +++ b/test/commitment/fri.cpp @@ -110,6 +110,10 @@ BOOST_AUTO_TEST_CASE(fri_basic_test) { zk::snark::fiat_shamir_heuristic_updated> transcript_verifier(init_blob); BOOST_CHECK(fri_type::verify_eval(proof, transcript_verifier, params, U, V)); + + typename FieldType::value_type verifier_next_challenge = transcript_verifier.template challenge(); + typename FieldType::value_type prover_next_challenge = transcript.template challenge(); + BOOST_CHECK(verifier_next_challenge == prover_next_challenge); } BOOST_AUTO_TEST_CASE(fri_fold_test) { diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index dedc1873f..224918588 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -31,8 +31,8 @@ #include #include -#include -#include +#include +#include #include //#include @@ -40,16 +40,13 @@ #include #include #include +#include #include #include using namespace nil::crypto3; - -template -std::shared_ptr> prepare_domain(const std::size_t d) { - return math::make_evaluation_domain(d); -} +using namespace nil::crypto3::zk::snark; template math::polynomial::polynomial @@ -64,11 +61,37 @@ math::polynomial::polynomial return f; } +template +typename fri_type::params_type create_fri_params(std::size_t degree_log) { + typename fri_type::params_type params; + math::polynomial::polynomial q = {0, 0, 1}; + + std::vector>> domain_set = fri_type::calculate_domain_set(degree_log, degree_log - 1); + + params.r = degree_log - 1; + params.D = domain_set; + params.q = q; + params.max_degree = 1 << degree_log; + + return params; +} + + + BOOST_AUTO_TEST_SUITE(redshift_prover_test_suite) -BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { +using curve_type = algebra::curves::bls12<381>; +using FieldType = typename curve_type::scalar_field_type; +typedef hashes::sha2<256> merkle_hash_type; +typedef hashes::sha2<256> transcript_hash_type; + +constexpr std::size_t m = 2; + +typedef fri_commitment_scheme fri_type; - using curve_type = algebra::curves::mnt4<298>; +constexpr std::size_t argument_size = 3; + +BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { // zk::snark::redshift_preprocessor preprocess; @@ -77,21 +100,24 @@ BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { } BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { + const std::size_t circuit_log = 2; + const std::size_t circuit_rows = 1 << circuit_log; + const std::size_t permutation_size = 2; - using curve_type = algebra::curves::mnt4<298>; - using FieldType = typename curve_type::base_field_type; + constexpr static const std::size_t lambda = 40; + constexpr static const std::size_t k = 1; + typedef list_polynomial_commitment_scheme lpc_type; - const std::size_t circuit_rows = 4; - const std::size_t permutation_size = 2; - std::shared_ptr> domain = prepare_domain(circuit_rows); + typename fri_type::params_type fri_params = create_fri_params(circuit_log); + std::shared_ptr> domain = fri_params.D[0]; math::polynomial::polynomial lagrange_0 = lagrange_polynomial(domain, 0); // TODO: implement it in a proper way in generator.hpp std::vector> S_id(permutation_size); std::vector> S_sigma(permutation_size); - typename FieldType::value_type omega = domain->get_domain_element(0); + typename FieldType::value_type omega = domain->get_domain_element(1); typename FieldType::value_type delta = algebra::fields::arithmetic_params::multiplicative_generator; @@ -152,30 +178,44 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { q_blind = math::polynomial::lagrange_interpolation(interpolation_points_blind); std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; - zk::snark::fiat_shamir_heuristic_updated> transcript(init_blob); - - std::array, 3> prove_res = - zk::snark::redshift_permutation_argument::prove_argument( - transcript, circuit_rows, permutation_size, domain, lagrange_0, S_id, S_sigma, f, q_last, q_blind); + fiat_shamir_heuristic_updated> prover_transcript(init_blob); + fiat_shamir_heuristic_updated> verifier_transcript(init_blob); + + typename redshift_permutation_argument::prover_result_type prover_res = + redshift_permutation_argument::prove_eval( + prover_transcript, circuit_rows, permutation_size, + domain, lagrange_0, S_id, S_sigma, f, q_last, q_blind, + fri_params); + + // Challenge phase + //typename FieldType::value_type y = algebra::random_element(); + typename FieldType::value_type y(2); + std::vector f_at_y(permutation_size); + for (int i = 0; i < permutation_size; i++) { + f_at_y[i] = f[i].evaluate(y); + } - std::size_t size = 0; + typename FieldType::value_type v_p_at_y = prover_res.permutation_polynomial.evaluate(y); + typename FieldType::value_type v_p_at_y_shifted = prover_res.permutation_polynomial.evaluate(omega * y); - BOOST_CHECK( - std::accumulate(prove_res.begin(), prove_res.end(), size, - [&](std::size_t acc, const math::polynomial::polynomial &val) { - return acc + val.degree(); - }) > 0); + std::array verifier_res = + redshift_permutation_argument::verify_eval( + verifier_transcript, circuit_rows, permutation_size, domain, + y, f_at_y, v_p_at_y, v_p_at_y_shifted, + lagrange_0, S_id, S_sigma, q_last, q_blind, + prover_res.permutation_poly_commitment.root()); - // zk::snark::redshift_preprocessor preprocess; + typename FieldType::value_type verifier_next_challenge = verifier_transcript.template challenge(); + typename FieldType::value_type prover_next_challenge = prover_transcript.template challenge(); + BOOST_CHECK(verifier_next_challenge == prover_next_challenge); - // auto preprocessed_data = preprocess::process(cs, assignments); - // zk::snark::redshift_prover prove; + for (int i = 0; i < argument_size; i++) { + BOOST_CHECK(prover_res.F[i].evaluate(y) == verifier_res[i]); + } } BOOST_AUTO_TEST_CASE(redshift_lookup_argument_test) { - using curve_type = algebra::curves::mnt4<298>; - // zk::snark::redshift_preprocessor preprocess; // auto preprocessed_data = preprocess::process(cs, assignments); @@ -184,8 +224,6 @@ BOOST_AUTO_TEST_CASE(redshift_lookup_argument_test) { BOOST_AUTO_TEST_CASE(redshift_witness_argument_test) { - using curve_type = algebra::curves::mnt4<298>; - // zk::snark::redshift_preprocessor preprocess; // auto preprocessed_data = preprocess::process(cs, assignments); From c4396ddc699c9ee530e60c0146b576d2a8fb6cdb Mon Sep 17 00:00:00 2001 From: nkaskov Date: Thu, 10 Feb 2022 10:16:36 +0300 Subject: [PATCH 132/219] Polynomial shift usage updated. #20 --- .../zk/snark/relations/plonk/plonk.hpp | 17 +++++- .../systems/plonk/redshift/gates_argument.hpp | 3 +- .../plonk/redshift/permutation_argument.hpp | 17 +----- .../plonk/redshift/polynomial_shift.hpp | 55 +++++++++++++++++++ 4 files changed, 74 insertions(+), 18 deletions(-) create mode 100644 include/nil/crypto3/zk/snark/systems/plonk/redshift/polynomial_shift.hpp diff --git a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp index d19969895..775a0811d 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp @@ -107,8 +107,19 @@ namespace nil { std::array, WiresAmount> wire_polynomials; for (std::size_t wire_index = 0; wire_index < WiresAmount; wire_index++) { + const std::shared_ptr> domain = + math::make_evaluation_domain(full_variable_assignment[wire_index].size()); + + std::vector interpolation_points( + full_variable_assignment[wire_index].size()); + + std::copy(full_variable_assignment[wire_index].begin(), full_variable_assignment.end(), + interpolation_points.begin()); + + domain->inverse_fft(interpolation_points); + wire_polynomials[wire_index] = - math::polynomial::lagrange_interpolation(full_variable_assignment[wire_index]); + math::polynomial::polynomial(interpolation_points); } for (std::size_t constraint_index = 0; constraint_index < constraints.size(); @@ -119,9 +130,9 @@ namespace nil { math::polynomial::polynomial term_polynom = { term.coeff}; - // TODO: Rotation isn't taken into consideration for (auto &var : term.vars) { - term_polynom = term_polynom * wire_polynomials[var.wire_index]; + term_polynom = term_polynom * detail::polynomial_shift(wire_polynomials[var.wire_index], + domain->get_domain_element(var.rotation)); } result[constraint_index] = result[constraint_index] + term_polynom; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp index c1b92c423..09c6afed7 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp @@ -35,6 +35,7 @@ #include #include +#include namespace nil { namespace crypto3 { @@ -89,4 +90,4 @@ namespace nil { } // namespace crypto3 } // namespace nil -#endif // CRYPTO3_ZK_PLONK_REDSHIFT_PROVER_HPP \ No newline at end of file +#endif // CRYPTO3_ZK_PLONK_REDSHIFT_GATES_ARGUMENT_HPP \ No newline at end of file diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp index 1e05b02c4..4828f9331 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp @@ -36,6 +36,7 @@ #include #include +#include namespace nil { namespace crypto3 { @@ -48,18 +49,6 @@ namespace nil { static constexpr std::size_t argument_size = 3; - static inline math::polynomial::polynomial - polynomial_shift(math::polynomial::polynomial f, typename FieldType::value_type x) { - math::polynomial::polynomial f_shifted(f); - typename FieldType::value_type x_power = x; - for (int i = 1; i < f.size(); i++) { - f_shifted[i] = f_shifted[i] * x_power; - x_power = x_power * x; - } - - return f_shifted; - } - public: struct prover_result_type { @@ -144,7 +133,7 @@ namespace nil { math::polynomial::polynomial one_polynomial = {1}; std::array, argument_size> F; - math::polynomial::polynomial V_P_shifted = polynomial_shift(V_P, domain->get_domain_element(1)); + math::polynomial::polynomial V_P_shifted = detail::polynomial_shift(V_P, domain->get_domain_element(1)); F[0] = lagrange_1 * (one_polynomial - V_P); F[1] = (one_polynomial - (q_last + q_blind)) * (V_P_shifted * h - V_P * g); @@ -202,4 +191,4 @@ namespace nil { } // namespace crypto3 } // namespace nil -#endif // CRYPTO3_ZK_PLONK_REDSHIFT_PROVER_HPP \ No newline at end of file +#endif // #ifndef CRYPTO3_ZK_PLONK_REDSHIFT_PERMUTATION_ARGUMENT_HPP \ No newline at end of file diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/polynomial_shift.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/polynomial_shift.hpp new file mode 100644 index 000000000..051105591 --- /dev/null +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/polynomial_shift.hpp @@ -0,0 +1,55 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_PLONK_REDSHIFT_POLYNOMIAL_SHIFT_HPP +#define CRYPTO3_ZK_PLONK_REDSHIFT_POLYNOMIAL_SHIFT_HPP + +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + namespace detail { + + template + static inline math::polynomial::polynomial + polynomial_shift(math::polynomial::polynomial f, typename FieldType::value_type x) { + math::polynomial::polynomial f_shifted(f); + typename FieldType::value_type x_power = x; + for (int i = 1; i < f.size(); i++) { + f_shifted[i] = f_shifted[i] * x_power; + x_power = x_power * x; + } + + return f_shifted; + } + } // namespace detail + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_PLONK_REDSHIFT_POLYNOMIAL_SHIFT_HPP \ No newline at end of file From 70e58b8296b8b115a17e8b4ff2513ef866ebef57 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Fri, 11 Feb 2022 13:22:02 +0300 Subject: [PATCH 133/219] Gates argument prover updated. #20 --- .../systems/plonk/redshift/gates_argument.hpp | 42 +++++++++++++------ .../snark/systems/plonk/redshift/prover.hpp | 18 +++++--- 2 files changed, 42 insertions(+), 18 deletions(-) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp index 09c6afed7..adc215fa9 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp @@ -41,27 +41,45 @@ namespace nil { namespace crypto3 { namespace zk { namespace snark { - template + template, + std::size_t ArgumentSize = 1> class redshift_gates_argument { - static constexpr std::size_t argument_size = 1; + static constexpr std::size_t argument_size = 1; public: static inline std::array, - argument_size> // TODO: fix fiat-shamir - prove_argument( - fiat_shamir_heuristic_updated> &transcript, - std::size_t circuit_rows, - std::size_t permutation_size, - std::shared_ptr> domain, - const std::vector> w) { - - std::array, argument_size> F; + argument_size> + prove_eval( + const std::vector> &&constraints, + fiat_shamir_heuristic_updated &transcript, + std::size_t N_sel) { + typename FieldType::value_type teta = transcript.template challenge(); + + std::array, + argument_size> F; + // std::vector> gates(N_sel); + + std::size_t nu = 0; + + for (std::size_t i = 0; i <= N_sel - 1; i++) { + math::polynomial::polynomial gate = {0}; + + for (std::size_t j = 0; j < constraints.size(); j++) { + gate = gate + preprocessed_data.constraints[j] * teta.pow(nu); + nu++; + } + + // gate *= preprocessed_data.selectors[i]; + + F[0] += gate; + } + return F; } - static inline std::array verify_argument() { + static inline std::array verify_eval() { /*typename transcript_hash_type::digest_type beta_bytes = transcript.get_challenge(); diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 3aba5645d..9805671a6 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -140,20 +140,26 @@ namespace nil { std::vector> constraints = constraint_system.polynomials(assignments); + std::size_t nu = 0; + for (std::size_t i = 0; i <= N_sel - 1; i++) { gates[i] = {0}; - std::size_t n_i; -#error Uninitialized n_i - for (std::size_t j = 0; j < n_i; j++) { - std::size_t d_i_j; - gates[i] = gates[i] + preprocessed_data.constraints[j] * tau.pow(d_i_j); + + for (std::size_t j = 0; j < constraints.size(); j++) { + gates[i] = gates[i] + preprocessed_data.constraints[j] * tau.pow(nu); + nu++; } // gates[i] *= preprocessed_data.selectors[i]; - N_T = std::max(N_T, gates[i].size() - 1); } + std::vector> constraints = + constraint_system.polynomials(assignments); + + gates_argument::prove(constraint_system.polynomials(assignments), transcript, N_sel); + std::size_t N_T = std::max(N_perm + N_PI, F[8].degree() - 1); + // 18. Define F polynomials const math::polynomial::polynomial L1 = preprocessed_data.Lagrange_basis[1]; From 3403b2f44a90f8a9905acfdd38b103e8710eda0b Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Sat, 12 Feb 2022 06:20:36 +0300 Subject: [PATCH 134/219] R1CS GG PPzkSNARK fixes. Minor refactoring done. Polynomial interface compliance fixes #20 --- .../zk/snark/commitments/fri_commitment.hpp | 102 ++++++++------- .../list_polynomial_commitment.hpp | 35 +++--- .../zk/snark/reductions/r1cs_to_qap.hpp | 2 +- .../relations/arithmetic_programs/qap.hpp | 2 +- .../relations/non_linear_combination.hpp | 8 +- .../zk/snark/relations/plonk/plonk.hpp | 29 +++-- .../systems/plonk/redshift/gates_argument.hpp | 38 +++--- .../systems/plonk/redshift/generator.hpp | 12 +- .../plonk/redshift/permutation_argument.hpp | 117 +++++++++--------- .../plonk/redshift/polynomial_shift.hpp | 55 -------- .../snark/systems/plonk/redshift/prover.hpp | 22 ++-- .../zk/snark/systems/plonk/redshift/types.hpp | 12 +- .../snark/systems/plonk/redshift/verifier.hpp | 6 +- .../systems/ppzksnark/r1cs_gg_ppzksnark.hpp | 14 +-- .../r1cs_gg_ppzksnark/detail/basic_policy.hpp | 6 +- .../ppzksnark/r1cs_gg_ppzksnark/generator.hpp | 2 +- .../r1cs_gg_ppzksnark/ipp2/generator.hpp | 2 +- .../r1cs_gg_ppzksnark/ipp2/prover.hpp | 59 ++++----- .../r1cs_gg_ppzksnark/ipp2/transcript.hpp | 6 +- .../r1cs_gg_ppzksnark/ipp2/verifier.hpp | 4 +- .../r1cs_gg_ppzksnark/marshalling.hpp | 4 +- .../ppzksnark/r1cs_gg_ppzksnark/modes.hpp | 5 +- .../ppzksnark/r1cs_gg_ppzksnark/prover.hpp | 2 +- .../ppzksnark/r1cs_gg_ppzksnark/verifier.hpp | 8 +- test/commitment/fri.cpp | 46 +++---- test/commitment/lpc.cpp | 4 +- test/commitment/lpc_performance.cpp | 16 +-- test/systems/plonk/redshift.cpp | 62 +++++----- ...cs_gg_ppzksnark_aggregation_conformity.cpp | 36 +++--- 29 files changed, 318 insertions(+), 398 deletions(-) delete mode 100644 include/nil/crypto3/zk/snark/systems/plonk/redshift/polynomial_shift.hpp diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index 51ae2407c..a291874da 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -68,15 +68,15 @@ namespace nil { using Endianness = nil::marshalling::option::big_endian; using field_element_type = - nil::crypto3::marshalling::types::field_element, - FieldType>; + nil::crypto3::marshalling::types::field_element, + FieldType>; struct params_type { std::size_t r; std::size_t max_degree; std::vector>> D; - math::polynomial::polynomial q; + math::polynomial q; }; struct round_proof_type { @@ -106,18 +106,19 @@ namespace nil { std::vector round_proofs; // 0..r-2 - math::polynomial::polynomial final_polynomial; + math::polynomial final_polynomial; }; static std::vector>> calculate_domain_set(const std::size_t max_domain_degree, const std::size_t set_size) { - std::vector>> domain_set(set_size); - for (std::size_t i = 0; i < set_size; i++) { - const std::size_t domain_size = std::pow(2, max_domain_degree - i); - std::shared_ptr> domain = math::make_evaluation_domain(domain_size); - domain_set[i] = domain; - } - return domain_set; + std::vector>> domain_set(set_size); + for (std::size_t i = 0; i < set_size; i++) { + const std::size_t domain_size = std::pow(2, max_domain_degree - i); + std::shared_ptr> domain = + math::make_evaluation_domain(domain_size); + domain_set[i] = domain; + } + return domain_set; } // The result of this function is not commitment_type (as it would expected), @@ -126,9 +127,8 @@ namespace nil { // After this function // result.root(); // should be called - static merkle_tree_type - commit(math::polynomial::polynomial &f, - const std::shared_ptr> &D) { + static merkle_tree_type commit(math::polynomial &f, + const std::shared_ptr> &D) { std::vector> y_data; y_data.resize(D->m); @@ -144,51 +144,51 @@ namespace nil { return merkle_tree_type(y_data); } - static inline math::polynomial::polynomial - fold_polynomial(math::polynomial::polynomial &f, - typename FieldType::value_type alpha) { + static inline math::polynomial + fold_polynomial(math::polynomial &f, + typename FieldType::value_type alpha) { std::size_t d = f.degree(); if (d % 2 == 0) { f.push_back(0); d++; } - math::polynomial::polynomial f_folded(d/2 + 1); + math::polynomial f_folded(d / 2 + 1); - for (std::size_t index = 0; index <= f_folded.degree(); index++){ - f_folded[index] = f[2*index] + alpha * f[2*index + 1]; + for (std::size_t index = 0; index <= f_folded.degree(); index++) { + f_folded[index] = f[2 * index] + alpha * f[2 * index + 1]; } return f_folded; } - static proof_type proof_eval(const math::polynomial::polynomial &Q, - const math::polynomial::polynomial &g, + static proof_type proof_eval(const math::polynomial &Q, + const math::polynomial &g, merkle_tree_type &T, fiat_shamir_heuristic_updated &transcript, params_type &fri_params) { proof_type proof; - math::polynomial::polynomial f = Q; + math::polynomial f = Q; - typename FieldType::value_type x = fri_params.D[0]->get_domain_element(1).pow(transcript.template int_challenge()); + typename FieldType::value_type x = fri_params.D[0]->get_domain_element(1).pow( + transcript.template int_challenge()); std::size_t r = fri_params.r; std::vector round_proofs; - math::polynomial::polynomial final_polynomial; + math::polynomial final_polynomial; std::unique_ptr p_tree = std::make_unique(T); merkle_tree_type T_next; for (std::size_t i = 0; i < r; i++) { - + typename FieldType::value_type alpha = transcript.template challenge(); typename FieldType::value_type x_next = fri_params.q.evaluate(x); - math::polynomial::polynomial f_next = - fold_polynomial(f, alpha); + math::polynomial f_next = fold_polynomial(f, alpha); // m = 2, so: std::array s; @@ -219,7 +219,7 @@ namespace nil { typename FieldType::value_type leaf = y[j]; std::size_t leaf_index = 0; - for (; leaf_index < tmp.size(); leaf_index++){ + for (; leaf_index < tmp.size(); leaf_index++) { if (tmp[leaf_index] == leaf) break; } @@ -236,7 +236,7 @@ namespace nil { fri_params.D[i + 1]->fft(tmp); std::size_t leaf_index = 0; - for (; leaf_index < tmp.size(); leaf_index++){ + for (; leaf_index < tmp.size(); leaf_index++) { if (tmp[leaf_index] == colinear_value) break; } @@ -244,14 +244,14 @@ namespace nil { merkle_proof_type colinear_path = merkle_proof_type(T_next, leaf_index); round_proofs.push_back( - round_proof_type({y, p, p_tree->root(), colinear_value, colinear_path})); + round_proof_type({y, p, p_tree->root(), colinear_value, colinear_path})); p_tree = std::make_unique(T_next); } else { merkle_proof_type colinear_path; round_proofs.push_back( - round_proof_type({y, p, p_tree->root(), colinear_value, colinear_path})); + round_proof_type({y, p, p_tree->root(), colinear_value, colinear_path})); } x = x_next; @@ -261,10 +261,10 @@ namespace nil { } static bool verify_eval(proof_type &proof, - fiat_shamir_heuristic_updated &transcript, - params_type &fri_params, - const math::polynomial::polynomial &U, - const math::polynomial::polynomial &V) { + fiat_shamir_heuristic_updated &transcript, + params_type &fri_params, + const math::polynomial &U, + const math::polynomial &V) { std::size_t idx = transcript.template int_challenge(); typename FieldType::value_type x = fri_params.D[0]->get_domain_element(1).pow(idx); @@ -272,8 +272,7 @@ namespace nil { std::size_t r = fri_params.r; for (std::size_t i = 0; i < r; i++) { - typename FieldType::value_type alpha = - transcript.template challenge(); + typename FieldType::value_type alpha = transcript.template challenge(); typename FieldType::value_type x_next = fri_params.q.evaluate(x); @@ -303,20 +302,21 @@ namespace nil { std::array y; for (std::size_t j = 0; j < m; j++) { - if (i == 0){ - y[j] = (proof.round_proofs[i].y[j] - U.evaluate(s[j]))/V.evaluate(s[j]); + if (i == 0) { + y[j] = (proof.round_proofs[i].y[j] - U.evaluate(s[j])) / V.evaluate(s[j]); } else { y[j] = proof.round_proofs[i].y[j]; } } - std::vector> interpolation_points { - std::make_pair(s[0], y[0]), - std::make_pair(s[1], y[1]), - }; + std::vector> + interpolation_points { + std::make_pair(s[0], y[0]), + std::make_pair(s[1], y[1]), + }; - math::polynomial::polynomial interpolant = - math::polynomial::lagrange_interpolation(interpolation_points); + math::polynomial interpolant = + math::lagrange_interpolation(interpolation_points); typename FieldType::value_type leaf = proof.round_proofs[i].colinear_value; @@ -330,23 +330,21 @@ namespace nil { } if (i < r - 1) { transcript(proof.round_proofs[i + 1].T_root); - if (!proof.round_proofs[i].colinear_path.validate(leaf_data)){ + if (!proof.round_proofs[i].colinear_path.validate(leaf_data)) { return false; } } x = x_next; } - - if (proof.final_polynomial.degree() > - std::pow(2, std::log2(fri_params.max_degree) - r) - 1) { - return false; + if (proof.final_polynomial.degree() > std::pow(2, std::log2(fri_params.max_degree) - r) - 1) { + return false; } if (proof.final_polynomial.evaluate(x) != proof.round_proofs[r - 1].colinear_value) { return false; } - return true; + return true; } }; } // namespace snark diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index acf7a2b4e..cb7855e93 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -63,8 +63,8 @@ namespace nil { struct list_polynomial_commitment_scheme { using Endianness = nil::marshalling::option::big_endian; using field_element_type = - nil::crypto3::marshalling::types::field_element, - FieldType>; + nil::crypto3::marshalling::types::field_element, + FieldType>; constexpr static const std::size_t lambda = Lambda; constexpr static const std::size_t k = K; @@ -72,7 +72,7 @@ namespace nil { constexpr static const std::size_t m = M; typedef FieldType field_type; - typedef Hash transcript_hash_type; //TODO: separate transcript and merkle hashes + typedef Hash transcript_hash_type; // TODO: separate transcript and merkle hashes typedef typename containers::merkle_tree merkle_tree_type; typedef typename merkle_tree_type::hash_type merkle_hash_type; @@ -98,7 +98,8 @@ namespace nil { }; private: - static std::shared_ptr> prepare_domain(const std::size_t domain_size) { + static std::shared_ptr> + prepare_domain(const std::size_t domain_size) { return math::make_evaluation_domain(domain_size); } @@ -109,16 +110,15 @@ namespace nil { // After this function // result.root(); // should be called - static merkle_tree_type - commit(math::polynomial::polynomial &f, - const std::shared_ptr> &d) { + static merkle_tree_type commit(math::polynomial &f, + const std::shared_ptr> &d) { return fri_type::commit(f, d); } static proof_type proof_eval(const std::array &evaluation_points, merkle_tree_type &T, - const math::polynomial::polynomial &g, + const math::polynomial &g, fiat_shamir_heuristic_updated &transcript, typename fri_type::params_type &fri_params) { @@ -132,18 +132,18 @@ namespace nil { U_interpolation_points[j] = std::make_pair(evaluation_points[j], z[j]); } - math::polynomial::polynomial U = - math::polynomial::lagrange_interpolation(U_interpolation_points); + math::polynomial U = + math::lagrange_interpolation(U_interpolation_points); - math::polynomial::polynomial Q = (g - U); + math::polynomial Q = (g - U); for (std::size_t j = 0; j < k; j++) { - math::polynomial::polynomial denominator_polynom = { + math::polynomial denominator_polynom = { -evaluation_points[j], 1}; Q = Q / denominator_polynom; } // temporary definition, until polynomial is constexpr - const math::polynomial::polynomial q = {0, 0, 1}; + const math::polynomial q = {0, 0, 1}; std::array fri_proof; @@ -165,13 +165,13 @@ namespace nil { U_interpolation_points[j] = std::make_pair(evaluation_points[j], proof.z[j]); } - math::polynomial::polynomial U = - math::polynomial::lagrange_interpolation(U_interpolation_points); + math::polynomial U = + math::lagrange_interpolation(U_interpolation_points); - math::polynomial::polynomial V = {1}; + math::polynomial V = {1}; for (std::size_t j = 0; j < k; j++) { - V = V * (math::polynomial::polynomial({-evaluation_points[j], 1})); + V = V * (math::polynomial({-evaluation_points[j], 1})); } for (std::size_t round_id = 0; round_id <= lambda - 1; round_id++) { @@ -181,7 +181,6 @@ namespace nil { } return true; - } }; } // namespace snark diff --git a/include/nil/crypto3/zk/snark/reductions/r1cs_to_qap.hpp b/include/nil/crypto3/zk/snark/reductions/r1cs_to_qap.hpp index 4d3a046ef..a60a2db0f 100644 --- a/include/nil/crypto3/zk/snark/reductions/r1cs_to_qap.hpp +++ b/include/nil/crypto3/zk/snark/reductions/r1cs_to_qap.hpp @@ -49,7 +49,7 @@ #define CRYPTO3_ZK_R1CS_TO_QAP_BASIC_POLICY_HPP #include -#include +#include #include #include diff --git a/include/nil/crypto3/zk/snark/relations/arithmetic_programs/qap.hpp b/include/nil/crypto3/zk/snark/relations/arithmetic_programs/qap.hpp index 8dd8d6de0..f32b2ccff 100644 --- a/include/nil/crypto3/zk/snark/relations/arithmetic_programs/qap.hpp +++ b/include/nil/crypto3/zk/snark/relations/arithmetic_programs/qap.hpp @@ -44,7 +44,7 @@ #include #include -#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp index d6a07fa65..3d437b1cc 100644 --- a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp +++ b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp @@ -215,12 +215,12 @@ namespace nil { } template - math::polynomial::polynomial evaluate( + math::polynomial evaluate( std::size_t row_index, - const std::array, WiresAmount> &assignment) const { - math::polynomial::polynomial acc = {0}; + const std::array, WiresAmount> &assignment) const { + math::polynomial acc = {0}; for (non_linear_combination &nlt : terms) { - math::polynomial::polynomial term_value = {nlt.coeff}; + math::polynomial term_value = {nlt.coeff}; for (variable &var : nlt.vars) { term_value *= assignment[var.wire_index]; diff --git a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp index 775a0811d..c6fd33865 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp @@ -36,6 +36,7 @@ #include #include +#include #include #include @@ -86,26 +87,24 @@ namespace nil { return true; } - std::vector> copy_constraints() { + std::vector> copy_constraints() { return {}; } - std::vector> selectors() { + std::vector> selectors() { return {}; } - std::vector> lookups() { + std::vector> lookups() { return {}; } - std::vector> + std::vector> polynomials(plonk_variable_assignment full_variable_assignment) const { - std::vector> result( - constraints.size()); + std::vector> result(constraints.size()); - std::array, WiresAmount> - wire_polynomials; + std::array, WiresAmount> wire_polynomials; for (std::size_t wire_index = 0; wire_index < WiresAmount; wire_index++) { const std::shared_ptr> domain = math::make_evaluation_domain(full_variable_assignment[wire_index].size()); @@ -113,13 +112,13 @@ namespace nil { std::vector interpolation_points( full_variable_assignment[wire_index].size()); - std::copy(full_variable_assignment[wire_index].begin(), full_variable_assignment.end(), - interpolation_points.begin()); + std::copy(full_variable_assignment[wire_index].begin(), + full_variable_assignment[wire_index].end(), interpolation_points.begin()); domain->inverse_fft(interpolation_points); wire_polynomials[wire_index] = - math::polynomial::polynomial(interpolation_points); + math::polynomial(interpolation_points); } for (std::size_t constraint_index = 0; constraint_index < constraints.size(); @@ -127,12 +126,12 @@ namespace nil { for (auto &term : constraints[constraint_index].terms) { - math::polynomial::polynomial term_polynom = { - term.coeff}; + math::polynomial term_polynom = {term.coeff}; for (auto &var : term.vars) { - term_polynom = term_polynom * detail::polynomial_shift(wire_polynomials[var.wire_index], - domain->get_domain_element(var.rotation)); + term_polynom = + term_polynom * math::polynomial_shift(wire_polynomials[var.wire_index], + domain->get_domain_element(var.rotation)); } result[constraint_index] = result[constraint_index] + term_polynom; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp index adc215fa9..ad527ebb5 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp @@ -27,6 +27,7 @@ #define CRYPTO3_ZK_PLONK_REDSHIFT_GATES_ARGUMENT_HPP #include +#include #include #include @@ -35,36 +36,31 @@ #include #include -#include namespace nil { namespace crypto3 { namespace zk { namespace snark { - template, - std::size_t ArgumentSize = 1> - class redshift_gates_argument { - - static constexpr std::size_t argument_size = 1; - - public: - static inline std::array, - argument_size> - prove_eval( - const std::vector> &&constraints, - fiat_shamir_heuristic_updated &transcript, - std::size_t N_sel) { - + template, + std::size_t ArgumentSize = 1> + struct redshift_gates_argument { + constexpr static const std::size_t argument_size = ArgumentSize; + + static inline std::array, argument_size> + prove_eval(const std::vector> &constraints, + fiat_shamir_heuristic_updated &transcript, + std::size_t N_sel) { + typename FieldType::value_type teta = transcript.template challenge(); - std::array, - argument_size> F; - // std::vector> gates(N_sel); + std::array, argument_size> F; + // std::vector> gates(N_sel); std::size_t nu = 0; for (std::size_t i = 0; i <= N_sel - 1; i++) { - math::polynomial::polynomial gate = {0}; + math::polynomial gate = {0}; for (std::size_t j = 0; j < constraints.size(); j++) { gate = gate + preprocessed_data.constraints[j] * teta.pow(nu); @@ -92,8 +88,8 @@ namespace nil { transcript(proof.P_commitment); transcript(proof.Q_commitment); - const math::polynomial::polynomial q_last; - const math::polynomial::polynomial q_blind; + const math::polynomial q_last; + const math::polynomial q_blind; F[0] = verification_key.L_basis[1] * (P - 1); F[1] = verification_key.L_basis[1] * (Q - 1); diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/generator.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/generator.hpp index c39787f60..bbeafc323 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/generator.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/generator.hpp @@ -56,19 +56,19 @@ namespace nil { class redshift_generator { typedef detail::redshift_types types_policy; - // static inline math::polynomial::polynom<...> tau( + // static inline math::polynomial<...> tau( // std::size_t input, std::size_t n, std::array &k){ // std::size_t i = input % n; // std::size_t j = (input - i)/n + 1; - // return (math::polynomial::polynom<...>(k[j]) << i); + // return (math::polynomial<...>(k[j]) << i); // } // static inline std::size_t tau_reverted( - // math::polynomial::polynom<...> k_jgi, std::size_t n, std::array k_jgi, std::size_t n, std::array &k){ // std::size_t i = math::polynomial::get_index_of_non_zero_coeff(k_jgi); @@ -84,8 +84,8 @@ namespace nil { // ... // } - // static inline math::polynomial::polynom<...> sigma_p2_permutation( - // math::polynomial::polynom<...> input, std::size_t n, std::array sigma_p2_permutation( + // math::polynomial<...> input, std::size_t n, std::array &k){ // return (tau(sigma_p1_permutation(tau_reverted(input, n, k), n, k), n, k)); @@ -134,7 +134,7 @@ namespace nil { S_sigma[i] = math::polynomial::lagrange_interpolation(interpolation_points); } - math::polynomial::polynom Z = polynom_by_zeros(H_star); + math::polynomial Z = polynom_by_zeros(H_star); typename types_policy::verification_key_type vk(S_id, S_sigma, q_selectors, L_basis, PI, Z); diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp index 4828f9331..a936cfdab 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp @@ -27,6 +27,7 @@ #define CRYPTO3_ZK_PLONK_REDSHIFT_PERMUTATION_ARGUMENT_HPP #include +#include #include #include @@ -36,43 +37,41 @@ #include #include -#include namespace nil { namespace crypto3 { namespace zk { namespace snark { - template + template class redshift_permutation_argument { - typedef typename lpc_type::fri_type fri_type; + typedef typename CommitmentSchemeType::fri_type fri_type; - static constexpr std::size_t argument_size = 3; + static constexpr std::size_t argument_size = 3; public: - struct prover_result_type { - std::array, - argument_size> F; + std::array, argument_size> F; - math::polynomial::polynomial permutation_polynomial; + math::polynomial permutation_polynomial; - typename lpc_type::merkle_tree_type permutation_poly_commitment; + typename CommitmentSchemeType::merkle_tree_type permutation_poly_commitment; }; + template> static inline prover_result_type // TODO: fix fiat-shamir - prove_eval( - fiat_shamir_heuristic_updated> &transcript, - std::size_t circuit_rows, - std::size_t permutation_size, - std::shared_ptr> domain, - const math::polynomial::polynomial &lagrange_1, - const std::vector> &S_id, - const std::vector> &S_sigma, - const std::vector> &f, - const math::polynomial::polynomial &q_last, - const math::polynomial::polynomial &q_blind, - typename fri_type::params_type fri_params) { + prove_eval(fiat_shamir_heuristic_updated &transcript, + std::size_t circuit_rows, + std::size_t permutation_size, + std::shared_ptr> + domain, + const math::polynomial &lagrange_1, + const std::vector> &S_id, + const std::vector> &S_sigma, + const std::vector> &f, + const math::polynomial &q_last, + const math::polynomial &q_blind, + typename fri_type::params_type fri_params) { // 1. $\beta_1, \gamma_1 = \challenge$ typename FieldType::value_type beta = transcript.template challenge(); @@ -87,10 +86,10 @@ namespace nil { sigma_binding[j] = FieldType::value_type::one(); for (std::size_t i = 0; i < permutation_size; i++) { - id_binding[j] *= - (f[i].evaluate(domain->get_domain_element(j)) + beta * S_id[i].evaluate(domain->get_domain_element(j)) + gamma); - sigma_binding[j] *= - (f[i].evaluate(domain->get_domain_element(j)) + beta * S_sigma[i].evaluate(domain->get_domain_element(j)) + gamma); + id_binding[j] *= (f[i].evaluate(domain->get_domain_element(j)) + + beta * S_id[i].evaluate(domain->get_domain_element(j)) + gamma); + sigma_binding[j] *= (f[i].evaluate(domain->get_domain_element(j)) + + beta * S_sigma[i].evaluate(domain->get_domain_element(j)) + gamma); } } @@ -113,55 +112,60 @@ namespace nil { V_P_domain->inverse_fft(V_P_interpolation_points); - math::polynomial::polynomial V_P( - V_P_interpolation_points.begin(), V_P_interpolation_points.end()); + math::polynomial V_P(V_P_interpolation_points.begin(), + V_P_interpolation_points.end()); // 4. Compute and add commitment to $V_P$ to $\text{transcript}$. - typename lpc_type::merkle_tree_type V_P_tree = lpc_type::commit(V_P, fri_params.D[0]); - typename lpc_type::commitment_type V_P_commitment = V_P_tree.root(); + typename CommitmentSchemeType::merkle_tree_type V_P_tree = + CommitmentSchemeType::commit(V_P, fri_params.D[0]); + typename CommitmentSchemeType::commitment_type V_P_commitment = V_P_tree.root(); transcript(V_P_commitment); // 5. Calculate g_perm, h_perm - math::polynomial::polynomial g = {1}; - math::polynomial::polynomial h = {1}; + math::polynomial g = {1}; + math::polynomial h = {1}; for (std::size_t i = 0; i < permutation_size; i++) { g = g * (f[i] + beta * S_id[i] + gamma); h = h * (f[i] + beta * S_sigma[i] + gamma); } - math::polynomial::polynomial one_polynomial = {1}; - std::array, argument_size> F; - - math::polynomial::polynomial V_P_shifted = detail::polynomial_shift(V_P, domain->get_domain_element(1)); + math::polynomial one_polynomial = {1}; + std::array, argument_size> F; + + math::polynomial V_P_shifted = + math::polynomial_shift(V_P, domain->get_domain_element(1)); F[0] = lagrange_1 * (one_polynomial - V_P); F[1] = (one_polynomial - (q_last + q_blind)) * (V_P_shifted * h - V_P * g); F[2] = q_last * (V_P * V_P - V_P); prover_result_type res = {F, V_P, V_P_tree}; - + return res; } - static inline std::array verify_eval( - fiat_shamir_heuristic_updated> &transcript, - std::size_t circuit_rows, - std::size_t permutation_size, - std::shared_ptr> domain, - typename FieldType::value_type challenge, // y - std::vector column_polynomials, // f(y) - typename FieldType::value_type perm_polynomial, // V_P(y) - typename FieldType::value_type perm_polynomial_shifted, // V_P(omega * y) - //TODO: commitment - const math::polynomial::polynomial &lagrange_1, - const std::vector> &S_id, - const std::vector> &S_sigma, - const math::polynomial::polynomial &q_last, - const math::polynomial::polynomial &q_blind, - typename lpc_type::commitment_type V_P_commitment) { - - // 1. Get beta, gamma + template> + static inline std::array + verify_eval(fiat_shamir_heuristic_updated &transcript, + std::size_t circuit_rows, + std::size_t permutation_size, + std::shared_ptr> + domain, + const typename FieldType::value_type &challenge, // y + const std::vector &column_polynomials, // f(y) + const typename FieldType::value_type &perm_polynomial, // + // V_P(y) + const typename FieldType::value_type &perm_polynomial_shifted, // V_P(omega * y) + // TODO: commitment + const math::polynomial &lagrange_1, + const std::vector> &S_id, + const std::vector> &S_sigma, + const math::polynomial &q_last, + const math::polynomial &q_blind, + const typename CommitmentSchemeType::commitment_type &V_P_commitment) { + + // 1. Get beta, gamma typename FieldType::value_type beta = transcript.template challenge(); typename FieldType::value_type gamma = transcript.template challenge(); @@ -178,9 +182,10 @@ namespace nil { } std::array F; - typename FieldType::value_type one = FieldType::value_type::one(); + typename FieldType::value_type one = FieldType::value_type::one(); F[0] = lagrange_1.evaluate(challenge) * (one - perm_polynomial); - F[1] = (one - q_last.evaluate(challenge) - q_blind.evaluate(challenge)) * (perm_polynomial_shifted * h - perm_polynomial * g); + F[1] = (one - q_last.evaluate(challenge) - q_blind.evaluate(challenge)) * + (perm_polynomial_shifted * h - perm_polynomial * g); F[2] = q_last.evaluate(challenge) * (perm_polynomial.squared() - perm_polynomial); return F; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/polynomial_shift.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/polynomial_shift.hpp deleted file mode 100644 index 051105591..000000000 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/polynomial_shift.hpp +++ /dev/null @@ -1,55 +0,0 @@ -//---------------------------------------------------------------------------// -// Copyright (c) 2021 Mikhail Komarov -// Copyright (c) 2021 Nikita Kaskov -// -// MIT License -// -// Permission is hereby granted, free of charge, to any person obtaining a copy -// of this software and associated documentation files (the "Software"), to deal -// in the Software without restriction, including without limitation the rights -// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -// copies of the Software, and to permit persons to whom the Software is -// furnished to do so, subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -// SOFTWARE. -//---------------------------------------------------------------------------// - -#ifndef CRYPTO3_ZK_PLONK_REDSHIFT_POLYNOMIAL_SHIFT_HPP -#define CRYPTO3_ZK_PLONK_REDSHIFT_POLYNOMIAL_SHIFT_HPP - -#include - -namespace nil { - namespace crypto3 { - namespace zk { - namespace snark { - namespace detail { - - template - static inline math::polynomial::polynomial - polynomial_shift(math::polynomial::polynomial f, typename FieldType::value_type x) { - math::polynomial::polynomial f_shifted(f); - typename FieldType::value_type x_power = x; - for (int i = 1; i < f.size(); i++) { - f_shifted[i] = f_shifted[i] * x_power; - x_power = x_power * x; - } - - return f_shifted; - } - } // namespace detail - } // namespace snark - } // namespace zk - } // namespace crypto3 -} // namespace nil - -#endif // CRYPTO3_ZK_PLONK_REDSHIFT_POLYNOMIAL_SHIFT_HPP \ No newline at end of file diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 9805671a6..3820f5e5c 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -100,7 +100,7 @@ namespace nil { // 1. Add commitments to $w_i(X)$ to $\text{transcript}$ - std::vector> w = + std::vector> w = constraint_system.polynomials(assignments); std::vector w_trees; @@ -116,11 +116,11 @@ namespace nil { // 3. Denote witness polynomials included in permutation argument and public input polynomials // as $f_i$ - std::vector> f(N_perm + N_PI); + std::vector> f(N_perm + N_PI); std::copy(w.begin(), w.end(), f.begin()); - std::array, 3> + std::array, 3> permutation_argument = redshift_permutation_argument::prove_argument(transcript); // std::copy(PI.begin(), PI.end(), f.begin() + N_perm); @@ -136,8 +136,8 @@ namespace nil { // 16. Computing gates // And 20. Compute N_T std::size_t N_T = N_perm + N_PI; - std::vector> gates(N_sel); - std::vector> constraints = + std::vector> gates(N_sel); + std::vector> constraints = constraint_system.polynomials(assignments); std::size_t nu = 0; @@ -154,17 +154,17 @@ namespace nil { } - std::vector> constraints = + std::vector> constraints = constraint_system.polynomials(assignments); gates_argument::prove(constraint_system.polynomials(assignments), transcript, N_sel); std::size_t N_T = std::max(N_perm + N_PI, F[8].degree() - 1); // 18. Define F polynomials - const math::polynomial::polynomial L1 = + const math::polynomial L1 = preprocessed_data.Lagrange_basis[1]; - std::array, f_parts> F; + std::array, f_parts> F; F[0] = permutation_argument[0]; F[1] = permutation_argument[1]; @@ -175,16 +175,16 @@ namespace nil { } // 19. Compute F_consolidated - math::polynomial::polynomial F_consolidated = {0}; + math::polynomial F_consolidated = {0}; for (std::size_t i = 0; i < f_parts; i++) { F_consolidated = F_consolidated + alphas[i] * F[i]; } - math::polynomial::polynomial T_consolidated = + math::polynomial T_consolidated = F_consolidated / preprocessed_data.Z; // 21. Split $T(X)$ into separate polynomials $T_0(X), ..., T_{N_T - 1}(X)$ - std::vector> T(N_T); + std::vector> T(N_T); // T = separate_T(T_consolidated); // 22. Add commitments to $T_0(X), ..., T_{N_T - 1}(X)$ to $\text{transcript}$ diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp index 619309e0d..0275fe17b 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp @@ -72,18 +72,18 @@ namespace nil { typename FieldType::value_type omega; - std::vector> selectors; + std::vector> selectors; // S_sigma - std::vector> permutations; + std::vector> permutations; // S_id - std::vector> + std::vector> identity_permutations; // c - std::vector> constraints; + std::vector> constraints; - std::vector> Lagrange_basis; + std::vector> Lagrange_basis; - math::polynomial::polynomial Z; + math::polynomial Z; }; template diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp index ec8fab82c..ab7a875cc 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp @@ -118,7 +118,7 @@ namespace nil { } } - std::array, f_parts> F; + std::array, f_parts> F; F[0] = permutation_argument[0]; F[1] = permutation_argument[1]; F[2] = permutation_argument[2]; @@ -132,10 +132,10 @@ namespace nil { F[3] += verification_key.f_c[i]; } - math::polynomial::polynom T_consolidate; + math::polynomial T_consolidate; T_consolidate = consolidate_T(T); - math::polynomial::polynom F_consolidated = 0; + math::polynomial F_consolidated = 0; for (std::size_t i = 0; i < f_parts; i++) { F_consolidated += a[i] * F[i]; } diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark.hpp index 73d27b540..9e1bdb635 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark.hpp @@ -93,14 +93,14 @@ namespace nil { template, typename Prover = r1cs_gg_ppzksnark_prover, typename Verifier = r1cs_gg_ppzksnark_verifier_strong_input_consistency, - ProvingMode mode = ProvingMode::Basic, typename = void> + proving_mode mode = proving_mode::basic, typename = void> class r1cs_gg_ppzksnark; template class r1cs_gg_ppzksnark< - CurveType, Generator, Prover, Verifier, ProvingMode::Basic, + CurveType, Generator, Prover, Verifier, proving_mode::basic, typename std::enable_if::value>::type> { - typedef detail::r1cs_gg_ppzksnark_basic_policy policy_type; + typedef detail::r1cs_gg_ppzksnark_basic_policy policy_type; public: typedef typename policy_type::constraint_system_type constraint_system_type; @@ -135,10 +135,10 @@ namespace nil { template class r1cs_gg_ppzksnark< - CurveType, Generator, Prover, Verifier, ProvingMode::Aggregate, + CurveType, Generator, Prover, Verifier, proving_mode::aggregate, typename std::enable_if::value>::type> { - typedef detail::r1cs_gg_ppzksnark_basic_policy policy_type; + typedef detail::r1cs_gg_ppzksnark_basic_policy policy_type; public: typedef typename policy_type::constraint_system_type constraint_system_type; @@ -182,7 +182,7 @@ namespace nil { return Prover::process(pk, primary_input, auxiliary_input); } - // Aggregate prove + // aggregate prove template static inline aggregate_proof_type prove(const proving_srs_type &srs, InputTranscriptIncludeIterator transcript_include_first, @@ -202,7 +202,7 @@ namespace nil { return Verifier::process(vk, primary_input, proof); } - // Aggregate verify + // aggregate verify template, typename GeneratorType = boost::random::mt19937, typename Hash = hashes::sha2<256>, diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/detail/basic_policy.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/detail/basic_policy.hpp index f3fdd1e36..b6db02496 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/detail/basic_policy.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/detail/basic_policy.hpp @@ -71,11 +71,11 @@ namespace nil { namespace zk { namespace snark { namespace detail { - template + template struct r1cs_gg_ppzksnark_basic_policy; template - struct r1cs_gg_ppzksnark_basic_policy { + struct r1cs_gg_ppzksnark_basic_policy { typedef CurveType curve_type; /******************************** Params ********************************/ @@ -136,7 +136,7 @@ namespace nil { }; template - struct r1cs_gg_ppzksnark_basic_policy { + struct r1cs_gg_ppzksnark_basic_policy { typedef CurveType curve_type; /******************************** Params ********************************/ diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/generator.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/generator.hpp index f8599aede..6389b34bb 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/generator.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/generator.hpp @@ -54,7 +54,7 @@ namespace nil { */ template class r1cs_gg_ppzksnark_generator { - typedef detail::r1cs_gg_ppzksnark_basic_policy policy_type; + typedef detail::r1cs_gg_ppzksnark_basic_policy policy_type; typedef typename CurveType::scalar_field_type scalar_field_type; typedef typename CurveType::template g1_type<> g1_type; diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/generator.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/generator.hpp index 646643797..117601843 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/generator.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/generator.hpp @@ -35,7 +35,7 @@ namespace nil { namespace snark { template class r1cs_gg_ppzksnark_aggregate_generator { - typedef detail::r1cs_gg_ppzksnark_basic_policy policy_type; + typedef detail::r1cs_gg_ppzksnark_basic_policy policy_type; typedef typename CurveType::scalar_field_type scalar_field_type; typedef typename CurveType::template g1_type<> g1_type; diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/prover.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/prover.hpp index cb1e95a4e..721ff2906 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/prover.hpp @@ -39,6 +39,7 @@ #include #include +#include #include #include @@ -173,43 +174,33 @@ namespace nil { const InputScalarRange &poly, const typename GroupType::curve_type::scalar_field_type::value_type &eval_poly, const typename GroupType::curve_type::scalar_field_type::value_type &kzg_challenge) { + typedef math::polynomial poly_type; typename GroupType::curve_type::scalar_field_type::value_type neg_kzg_challenge = -kzg_challenge; BOOST_ASSERT(poly.size() == std::distance(srs_powers_alpha_first, srs_powers_alpha_last)); BOOST_ASSERT(poly.size() == std::distance(srs_powers_beta_first, srs_powers_beta_last)); // f_v(X) - f_v(z) / (X - z) - std::vector f_vX_sub_f_vZ; - math::_polynomial_subtraction(f_vX_sub_f_vZ, - poly, - {{ - eval_poly, - }}); - std::vector quotient_polynomial, - remainder_polynomial; - math::_polynomial_division( - quotient_polynomial, remainder_polynomial, f_vX_sub_f_vZ, - {{ - neg_kzg_challenge, - GroupType::curve_type::scalar_field_type::value_type::one(), - }}); - - if (quotient_polynomial.size() < poly.size()) { - quotient_polynomial.resize(poly.size(), - GroupType::curve_type::scalar_field_type::value_type::zero()); + poly_type f_vX_sub_f_vZ = poly - poly_type({eval_poly}); + poly_type q = f_vX_sub_f_vZ / poly_type({ + neg_kzg_challenge, + GroupType::curve_type::scalar_field_type::value_type::one(), + }); + + if (q.size() < poly.size()) { + q.resize(poly.size(), GroupType::curve_type::scalar_field_type::value_type::zero()); } - BOOST_ASSERT(quotient_polynomial.size() == poly.size()); + BOOST_ASSERT(q.size() == poly.size()); // we do one proof over h^a and one proof over h^b (or g^a and g^b depending // on the curve we are on). that's the extra cost of the commitment scheme // used which is compatible with Groth16 CRS insteaf of the original paper // of Bunz'19 - return kzg_opening {algebra::multiexp( - srs_powers_alpha_first, srs_powers_alpha_last, - quotient_polynomial.begin(), quotient_polynomial.end(), 1), - algebra::multiexp( - srs_powers_beta_first, srs_powers_beta_last, - quotient_polynomial.begin(), quotient_polynomial.end(), 1)}; + return kzg_opening { + algebra::multiexp( + srs_powers_alpha_first, srs_powers_alpha_last, q.begin(), q.end(), 1), + algebra::multiexp( + srs_powers_beta_first, srs_powers_beta_last, q.begin(), q.end(), 1)}; } template @@ -223,11 +214,11 @@ namespace nil { InputG2Iterator srs_powers_beta_first, InputG2Iterator srs_powers_beta_last, InputScalarIterator transcript_first, InputScalarIterator transcript_last, const typename CurveType::scalar_field_type::value_type &kzg_challenge) { - std::vector vkey_poly = + math::polynomial vkey_poly( polynomial_coefficients_from_transcript( - transcript_first, transcript_last, CurveType::scalar_field_type::value_type::one()); - math::_condense(vkey_poly); - BOOST_ASSERT(!math::_is_zero(vkey_poly)); + transcript_first, transcript_last, CurveType::scalar_field_type::value_type::one())); + vkey_poly.condense(); + BOOST_ASSERT(!vkey_poly.is_zero()); typename CurveType::scalar_field_type::value_type vkey_poly_z = polynomial_evaluation_product_form_from_transcript( @@ -255,9 +246,9 @@ namespace nil { BOOST_ASSERT(2 * n == std::distance(srs_powers_alpha_first, srs_powers_alpha_last)); // this computes f(X) = \prod (1 + x (rX)^{2^j}) - std::vector fcoeffs = + math::polynomial fcoeffs( polynomial_coefficients_from_transcript( - transcript_first, transcript_last, r_shift); + transcript_first, transcript_last, r_shift)); // this computes f_w(X) = X^n * f(X) - it simply shifts all coefficients to by n fcoeffs.insert(fcoeffs.begin(), n, CurveType::scalar_field_type::value_type::zero()); @@ -501,7 +492,7 @@ namespace nil { challenges.begin(), challenges.end(), r_inverse, z)}; } - /// Aggregate `n` zkSnark proofs, where `n` must be a power of two. + /// aggregate `n` zkSnark proofs, where `n` must be a power of two. template, typename InputTranscriptIncludeIterator, typename InputProofIterator> typename std::enable_if< @@ -609,7 +600,7 @@ namespace nil { template class r1cs_gg_ppzksnark_aggregate_prover { - typedef detail::r1cs_gg_ppzksnark_basic_policy policy_type; + typedef detail::r1cs_gg_ppzksnark_basic_policy policy_type; public: typedef BasicProver basic_prover; @@ -621,7 +612,7 @@ namespace nil { typedef typename policy_type::proof_type proof_type; typedef typename policy_type::aggregate_proof_type aggregate_proof_type; - // Aggregate prove + // aggregate prove template static inline aggregate_proof_type process(const proving_srs_type &srs, InputTranscriptIncludeIterator transcript_include_first, diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/transcript.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/transcript.hpp index 912303aff..3b2d33f4a 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/transcript.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/transcript.hpp @@ -47,7 +47,7 @@ namespace nil { typedef CurveType curve_type; typedef Hash hash_type; - typedef marshalling::curve_bincode bincode; + typedef marshalling::bincode::curve bincode; std::vector buffer; ::nil::crypto3::accumulator_set hasher_acc; @@ -102,7 +102,7 @@ namespace nil { std::is_same::value_type>::value>::type write(InputIterator first, InputIterator last) { - std::array len_bytes; + std::array len_bytes{}; nil::crypto3::detail::pack counter_nonce_bytes; + std::array counter_nonce_bytes{}; while (true) { ++counter_nonce; nil::crypto3::detail::pack class r1cs_gg_ppzksnark_aggregate_verifier { - typedef detail::r1cs_gg_ppzksnark_basic_policy policy_type; + typedef detail::r1cs_gg_ppzksnark_basic_policy policy_type; public: typedef BasicVerifier basic_verifier; @@ -673,7 +673,7 @@ namespace nil { typedef typename policy_type::proof_type proof_type; typedef typename policy_type::aggregate_proof_type aggregate_proof_type; - // Aggregate verify + // aggregate verify template static inline typename std::enable_if< diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/marshalling.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/marshalling.hpp index f78bc74a2..be8bb9e85 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/marshalling.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/marshalling.hpp @@ -132,7 +132,7 @@ namespace nil { using field_type = FieldType; std::pair processed = - field_bincode::field_element_from_bytes(read_iter_begin, read_iter_end); + bincode::field::field_element_from_bytes(read_iter_begin, read_iter_end); if (!std::get<0>(processed)) { processingStatus = status_type::invalid_msg_data; @@ -156,7 +156,7 @@ namespace nil { using field_type = FieldType; std::pair processed = - field_bincode::field_element_from_bytes(read_iter_begin, read_iter_end); + bincode::field::field_element_from_bytes(read_iter_begin, read_iter_end); if (!std::get<0>(processed)) { processingStatus = status_type::invalid_msg_data; diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/modes.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/modes.hpp index 4a825e911..9acf91dc2 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/modes.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/modes.hpp @@ -30,10 +30,7 @@ namespace nil { namespace crypto3 { namespace zk { namespace snark { - enum class ProvingMode { - Basic, - Aggregate, - }; + enum class proving_mode { basic, aggregate }; } // namespace snark } // namespace zk } // namespace crypto3 diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/prover.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/prover.hpp index b98896435..b87007eff 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/prover.hpp @@ -54,7 +54,7 @@ namespace nil { */ template class r1cs_gg_ppzksnark_prover { - typedef detail::r1cs_gg_ppzksnark_basic_policy policy_type; + typedef detail::r1cs_gg_ppzksnark_basic_policy policy_type; typedef typename CurveType::scalar_field_type scalar_field_type; typedef typename CurveType::template g1_type<> g1_type; diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verifier.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verifier.hpp index dc6ab4fd2..6913214b3 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/verifier.hpp @@ -70,7 +70,7 @@ namespace nil { */ template class r1cs_gg_ppzksnark_process_verification_key { - typedef detail::r1cs_gg_ppzksnark_basic_policy policy_type; + typedef detail::r1cs_gg_ppzksnark_basic_policy policy_type; public: typedef typename policy_type::verification_key_type verification_key_type; @@ -107,7 +107,7 @@ namespace nil { template class r1cs_gg_ppzksnark_verifier_weak_input_consistency { - typedef detail::r1cs_gg_ppzksnark_basic_policy policy_type; + typedef detail::r1cs_gg_ppzksnark_basic_policy policy_type; typedef typename CurveType::scalar_field_type scalar_field_type; typedef typename CurveType::template g1_type<> g1_type; @@ -179,7 +179,7 @@ namespace nil { template class r1cs_gg_ppzksnark_verifier_strong_input_consistency { - typedef detail::r1cs_gg_ppzksnark_basic_policy policy_type; + typedef detail::r1cs_gg_ppzksnark_basic_policy policy_type; public: typedef typename policy_type::primary_input_type primary_input_type; @@ -230,7 +230,7 @@ namespace nil { // */ // template // class r1cs_gg_ppzksnark_affine_verifier_weak_input_consistency { - // typedef detail::r1cs_gg_ppzksnark_basic_policy policy_type; + // typedef detail::r1cs_gg_ppzksnark_basic_policy policy_type; // typedef typename CurveType::scalar_field_type scalar_field_type; // typedef typename CurveType::template g1_type<> g1_type; diff --git a/test/commitment/fri.cpp b/test/commitment/fri.cpp index bee25ef46..afc6edf78 100644 --- a/test/commitment/fri.cpp +++ b/test/commitment/fri.cpp @@ -41,7 +41,7 @@ #include #include -#include // until fri inclusion +#include // until fri inclusion #include #include @@ -74,23 +74,21 @@ BOOST_AUTO_TEST_CASE(fri_basic_test) { constexpr static const std::size_t d_extended = d; std::size_t extended_log = boost::static_log2::value; - std::vector>> D = fri_type::calculate_domain_set(extended_log, r); + std::vector>> D = + fri_type::calculate_domain_set(extended_log, r); - math::polynomial::polynomial q = {0, 0, 1}; + math::polynomial q = {0, 0, 1}; params.r = r; params.D = D; params.q = q; params.max_degree = d; - BOOST_CHECK(D[1]->m == D[0]->m/2); + BOOST_CHECK(D[1]->m == D[0]->m / 2); BOOST_CHECK(D[1]->get_domain_element(1) == D[0]->get_domain_element(1).squared()); BOOST_CHECK(params.q.evaluate(D[0]->get_domain_element(1)) == D[0]->get_domain_element(1).squared()); // commit - math::polynomial::polynomial f = {1, 3, 4, 1, - 5, 6, 7, 2, - 8, 7, 5, 6, - 1, 2, 1, 1}; + math::polynomial f = {1, 3, 4, 1, 5, 6, 7, 2, 8, 7, 5, 6, 1, 2, 1, 1}; merkle_tree_type commit_merkle = fri_type::commit(f, D[0]); std::array evaluation_points = {D[0]->get_domain_element(1).pow(5)}; @@ -101,12 +99,12 @@ BOOST_AUTO_TEST_CASE(fri_basic_test) { // LPC-related logic, here we "nulify" it via U = 0, V - 1 // TODO: Make FRI independent from LPC input - math::polynomial::polynomial U = {0}; - math::polynomial::polynomial V = {1}; + math::polynomial U = {0}; + math::polynomial V = {1}; proof_type proof = fri_type::proof_eval(f, f, commit_merkle, transcript, params); - //verify + // verify zk::snark::fiat_shamir_heuristic_updated> transcript_verifier(init_blob); BOOST_CHECK(fri_type::verify_eval(proof, transcript_verifier, params, U, V)); @@ -136,34 +134,31 @@ BOOST_AUTO_TEST_CASE(fri_fold_test) { typedef typename fri_type::params_type params_type; params_type params; - math::polynomial::polynomial q = {0, 0, 1}; + math::polynomial q = {0, 0, 1}; std::size_t d_log = boost::static_log2::value; std::vector>> D = fri_type::calculate_domain_set(d_log, 1); - params.r = r; params.D = D; params.q = q; - math::polynomial::polynomial f = {1, 3, 4, 3}; + math::polynomial f = {1, 3, 4, 3}; typename FieldType::value_type omega = D[0]->get_domain_element(1); typename FieldType::value_type x_next = params.q.evaluate(omega); typename FieldType::value_type alpha = algebra::random_element(); - math::polynomial::polynomial f_next = - fri_type::fold_polynomial(f, alpha); + math::polynomial f_next = fri_type::fold_polynomial(f, alpha); - BOOST_CHECK_EQUAL(f_next.degree(), f.degree()/2); + BOOST_CHECK_EQUAL(f_next.degree(), f.degree() / 2); std::vector> interpolation_points { std::make_pair(omega, f.evaluate(omega)), std::make_pair(-omega, f.evaluate(-omega)), }; - math::polynomial::polynomial interpolant = - math::polynomial::lagrange_interpolation(interpolation_points); + math::polynomial interpolant = math::lagrange_interpolation(interpolation_points); typename FieldType::value_type x1 = interpolant.evaluate(alpha); typename FieldType::value_type x2 = f_next.evaluate(x_next); BOOST_CHECK(x1 == x2); @@ -190,22 +185,19 @@ BOOST_AUTO_TEST_CASE(fri_steps_count_test) { typedef typename fri_type::params_type params_type; params_type params; - math::polynomial::polynomial f = {1, 3, 4, 1, - 5, 6, 7, 2, - 8, 7, 5, 6, - 1, 2, 1, 1}; - + math::polynomial f = {1, 3, 4, 1, 5, 6, 7, 2, 8, 7, 5, 6, 1, 2, 1, 1}; constexpr static const std::size_t d_extended = d; std::size_t extended_log = boost::static_log2::value; - std::vector>> D = fri_type::calculate_domain_set(extended_log, r); + std::vector>> D = + fri_type::calculate_domain_set(extended_log, r); params.r = r - 1; params.D = D; params.q = f; params.max_degree = d - 1; - BOOST_CHECK(D[1]->m == D[0]->m/2); + BOOST_CHECK(D[1]->m == D[0]->m / 2); merkle_tree_type commit_merkle = fri_type::commit(f, D[0]); std::array evaluation_points = {D[0]->get_domain_element(1).pow(5)}; @@ -214,7 +206,7 @@ BOOST_AUTO_TEST_CASE(fri_steps_count_test) { proof_type proof = fri_type::proof_eval(f, f, commit_merkle, transcript, params); - math::polynomial::polynomial final_polynomial = proof.final_polynomial; + math::polynomial final_polynomial = proof.final_polynomial; BOOST_CHECK_EQUAL(proof.final_polynomial.degree(), 1); } diff --git a/test/commitment/lpc.cpp b/test/commitment/lpc.cpp index fd32514e3..51ecc2692 100644 --- a/test/commitment/lpc.cpp +++ b/test/commitment/lpc.cpp @@ -79,7 +79,7 @@ BOOST_AUTO_TEST_CASE(lpc_basic_test) { typename fri_type::params_type fri_params; - math::polynomial::polynomial q = {0, 0, 1}; + math::polynomial q = {0, 0, 1}; fri_params.r = r; fri_params.D = D; fri_params.q = q; @@ -88,7 +88,7 @@ BOOST_AUTO_TEST_CASE(lpc_basic_test) { // commit - math::polynomial::polynomial f = {1, 3, 4, 1, + math::polynomial f = {1, 3, 4, 1, 5, 6, 7, 2, 8, 7, 5, 6, 1, 2, 1, 1}; diff --git a/test/commitment/lpc_performance.cpp b/test/commitment/lpc_performance.cpp index 263804afd..7bff8f497 100644 --- a/test/commitment/lpc_performance.cpp +++ b/test/commitment/lpc_performance.cpp @@ -51,10 +51,10 @@ namespace boost { namespace test_tools { namespace tt_detail { template<> - struct print_log_value>>>> { void operator()(std::ostream &, - const nil::crypto3::math::polynomial::polynomial>>> &) { } }; @@ -63,13 +63,13 @@ namespace boost { } // namespace boost template -std::vector> generate(NumberType degree) { +std::vector> generate(NumberType degree) { typedef boost::random::independent_bits_engine random_polynomial_generator_type; - std::vector> res; + std::vector> res; boost::random::random_device rd; // Will be used to obtain a seed for the random number engine boost::random::mt19937 gen(rd()); // Standard mersenne_twister_engine seeded with rd() @@ -80,7 +80,7 @@ std::vector> genera res.reserve(height); for (int i = 0; i < height; i++) { - math::polynomial::polynomial poly; + math::polynomial poly; for (int j = 0; j < degree; j++) { poly.push_back(typename FieldType::value_type(polynomial_element_gen())); } @@ -120,7 +120,7 @@ BOOST_AUTO_TEST_CASE(lpc_performance_test) { typename fri_type::params_type fri_params; - math::polynomial::polynomial q = {0, 0, 1}; + math::polynomial q = {0, 0, 1}; fri_params.r = r; fri_params.D = D; fri_params.q = q; @@ -131,7 +131,7 @@ BOOST_AUTO_TEST_CASE(lpc_performance_test) { typename FieldType::value_type::integral_type> random_polynomial_generator_type; - std::vector> res; + std::vector> res; boost::random::random_device rd; // Will be used to obtain a seed for the random number engine boost::random::mt19937 gen(rd()); // Standard mersenne_twister_engine seeded with rd() @@ -142,7 +142,7 @@ BOOST_AUTO_TEST_CASE(lpc_performance_test) { res.reserve(height); for (int i = 0; i < height; i++) { - math::polynomial::polynomial poly; + math::polynomial poly; for (int j = 0; j < fri_params.max_degree; j++) { poly.push_back(typename FieldType::value_type(polynomial_element_gen())); } diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index 224918588..1a75faddc 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -49,24 +49,26 @@ using namespace nil::crypto3; using namespace nil::crypto3::zk::snark; template -math::polynomial::polynomial +math::polynomial lagrange_polynomial(std::shared_ptr> domain, std::size_t number) { std::vector> evaluation_points; for (std::size_t i = 0; i < domain->m; i++) { - evaluation_points.push_back( - std::make_pair(domain->get_domain_element(i), (i != number) ? FieldType::value_type::zero() : FieldType::value_type::one())); + evaluation_points.push_back(std::make_pair(domain->get_domain_element(i), (i != number) ? + FieldType::value_type::zero() : + FieldType::value_type::one())); } - math::polynomial::polynomial f = - math::polynomial::lagrange_interpolation(evaluation_points); + math::polynomial f = math::lagrange_interpolation(evaluation_points); + return f; } -template +template typename fri_type::params_type create_fri_params(std::size_t degree_log) { typename fri_type::params_type params; - math::polynomial::polynomial q = {0, 0, 1}; + math::polynomial q = {0, 0, 1}; - std::vector>> domain_set = fri_type::calculate_domain_set(degree_log, degree_log - 1); + std::vector>> domain_set = + fri_type::calculate_domain_set(degree_log, degree_log - 1); params.r = degree_log - 1; params.D = domain_set; @@ -76,8 +78,6 @@ typename fri_type::params_type create_fri_params(std::size_t degree_log) { return params; } - - BOOST_AUTO_TEST_SUITE(redshift_prover_test_suite) using curve_type = algebra::curves::bls12<381>; @@ -108,14 +108,13 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { constexpr static const std::size_t k = 1; typedef list_polynomial_commitment_scheme lpc_type; - typename fri_type::params_type fri_params = create_fri_params(circuit_log); std::shared_ptr> domain = fri_params.D[0]; - math::polynomial::polynomial lagrange_0 = lagrange_polynomial(domain, 0); + math::polynomial lagrange_0 = lagrange_polynomial(domain, 0); // TODO: implement it in a proper way in generator.hpp - std::vector> S_id(permutation_size); - std::vector> S_sigma(permutation_size); + std::vector> S_id(permutation_size); + std::vector> S_sigma(permutation_size); typename FieldType::value_type omega = domain->get_domain_element(1); @@ -127,7 +126,7 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { interpolation_points.emplace_back(omega.pow(j), delta.pow(i) * omega.pow(j)); } - S_id[i] = math::polynomial::lagrange_interpolation(interpolation_points); + S_id[i] = math::lagrange_interpolation(interpolation_points); } for (std::size_t i = 0; i < permutation_size; i++) { @@ -142,11 +141,11 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { } } - S_sigma[i] = math::polynomial::lagrange_interpolation(interpolation_points); + S_sigma[i] = math::lagrange_interpolation(interpolation_points); } // construct circuit values - std::vector> f(permutation_size); + std::vector> f(permutation_size); for (std::size_t i = 0; i < permutation_size; i++) { std::vector> interpolation_points; for (std::size_t j = 0; j < circuit_rows; j++) { @@ -157,12 +156,12 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { } } - f[i] = math::polynomial::lagrange_interpolation(interpolation_points); + f[i] = math::lagrange_interpolation(interpolation_points); } // construct q_last, q_blind - math::polynomial::polynomial q_last; - math::polynomial::polynomial q_blind; + math::polynomial q_last; + math::polynomial q_blind; std::vector> interpolation_points_last; std::vector> interpolation_points_blind; for (std::size_t j = 0; j < circuit_rows; j++) { @@ -174,23 +173,22 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { interpolation_points_blind.emplace_back(omega.pow(j), FieldType::value_type::zero()); } } - q_last = math::polynomial::lagrange_interpolation(interpolation_points_last); - q_blind = math::polynomial::lagrange_interpolation(interpolation_points_blind); + q_last = math::lagrange_interpolation(interpolation_points_last); + q_blind = math::lagrange_interpolation(interpolation_points_blind); std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; fiat_shamir_heuristic_updated> prover_transcript(init_blob); fiat_shamir_heuristic_updated> verifier_transcript(init_blob); - + typename redshift_permutation_argument::prover_result_type prover_res = - redshift_permutation_argument::prove_eval( - prover_transcript, circuit_rows, permutation_size, - domain, lagrange_0, S_id, S_sigma, f, q_last, q_blind, - fri_params); + redshift_permutation_argument::prove_eval(prover_transcript, circuit_rows, + permutation_size, domain, lagrange_0, S_id, + S_sigma, f, q_last, q_blind, fri_params); // Challenge phase - //typename FieldType::value_type y = algebra::random_element(); + // typename FieldType::value_type y = algebra::random_element(); typename FieldType::value_type y(2); - std::vector f_at_y(permutation_size); + std::vector f_at_y(permutation_size); for (int i = 0; i < permutation_size; i++) { f_at_y[i] = f[i].evaluate(y); } @@ -200,10 +198,8 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { std::array verifier_res = redshift_permutation_argument::verify_eval( - verifier_transcript, circuit_rows, permutation_size, domain, - y, f_at_y, v_p_at_y, v_p_at_y_shifted, - lagrange_0, S_id, S_sigma, q_last, q_blind, - prover_res.permutation_poly_commitment.root()); + verifier_transcript, circuit_rows, permutation_size, domain, y, f_at_y, v_p_at_y, v_p_at_y_shifted, + lagrange_0, S_id, S_sigma, q_last, q_blind, prover_res.permutation_poly_commitment.root()); typename FieldType::value_type verifier_next_challenge = verifier_transcript.template challenge(); typename FieldType::value_type prover_next_challenge = prover_transcript.template challenge(); diff --git a/test/systems/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark_aggregation_conformity.cpp b/test/systems/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark_aggregation_conformity.cpp index c4057873a..70a67fd10 100644 --- a/test/systems/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark_aggregation_conformity.cpp +++ b/test/systems/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark_aggregation_conformity.cpp @@ -51,9 +51,11 @@ #include #include #include + #include #include +using namespace nil::crypto3; using namespace nil::crypto3::algebra; using namespace nil::crypto3::zk::snark; @@ -161,7 +163,7 @@ using scheme_type = r1cs_gg_ppzksnark< curve_type, r1cs_gg_ppzksnark_aggregate_generator, r1cs_gg_ppzksnark_aggregate_prover>, r1cs_gg_ppzksnark_aggregate_verifier>, - ProvingMode::Aggregate>; + proving_mode::aggregate>; using g1_type = typename curve_type::template g1_type<>; using g2_type = typename curve_type::template g2_type<>; @@ -183,8 +185,8 @@ using fq12_value_type = typename fq12_type::value_type; using fq6_value_type = typename fq12_value_type::underlying_type; -using scalar_modular_type = typename scalar_field_type::number_type; -using base_modular_type = typename curve_type::base_field_type::number_type; +using scalar_modular_type = typename scalar_field_type::modular_type; +using base_modular_type = typename curve_type::base_field_type::modular_type; using hash_type = hashes::sha2<256>; @@ -933,13 +935,13 @@ BOOST_AUTO_TEST_CASE(bls381_transcript_test) { 93, 227, 44, 5, 215, 179, 179, 161, 188, 47, 202, 226, 198, 224, 235, 229, 51, 172, 126, 121, 244, 132, 95, 94, 122, 217, 155, 123, 243, 93, 170, 87, }; - std::vector a_ser(nil::marshalling::curve_bincode::fr_octets_num); - nil::marshalling::curve_bincode::field_element_to_bytes(a, a_ser.begin(), - a_ser.end()); + std::vector a_ser(nil::marshalling::bincode::curve::fr_octets_num); + nil::marshalling::bincode::curve::field_element_to_bytes(a, a_ser.begin(), + a_ser.end()); BOOST_CHECK_EQUAL(et_a_ser, a_ser); scalar_field_value_type a_deser = - nil::marshalling::curve_bincode::field_element_from_bytes(a_ser.begin(), - a_ser.end()) + nil::marshalling::bincode::curve::field_element_from_bytes(a_ser.begin(), + a_ser.end()) .second; BOOST_CHECK_EQUAL(a_deser, a); @@ -952,11 +954,11 @@ BOOST_AUTO_TEST_CASE(bls381_transcript_test) { 136, 183, 116, 154, 64, 227, 68, 245, 98, 247, 204, 23, 22, 18, 218, 161, 152, 27, 155, 234, 230, 152, 24, 2, 2, 153, 59, 205, 235, 66, 175, 83, }; - std::vector b_ser(nil::marshalling::curve_bincode::g1_octets_num); - nil::marshalling::curve_bincode::point_to_bytes(b, b_ser.begin(), b_ser.end()); + std::vector b_ser(nil::marshalling::bincode::curve::g1_octets_num); + nil::marshalling::bincode::curve::point_to_bytes(b, b_ser.begin(), b_ser.end()); BOOST_CHECK_EQUAL(et_b_ser, b_ser); G1_value_type b_deser = - nil::marshalling::curve_bincode::g1_point_from_bytes(b_ser.begin(), b_ser.end()); + nil::marshalling::bincode::curve::g1_point_from_bytes(b_ser.begin(), b_ser.end()); BOOST_CHECK_EQUAL(b_deser, b); G2_value_type c( @@ -974,11 +976,11 @@ BOOST_AUTO_TEST_CASE(bls381_transcript_test) { 195, 169, 47, 227, 168, 42, 194, 207, 138, 86, 53, 169, 214, 1, 136, 180, 62, 241, 64, 134, 39, 35, 12, 91, 110, 57, 88, 208, 115, 235, 231, 194, 57, 234, 57, 30, }; - std::vector c_ser(nil::marshalling::curve_bincode::g2_octets_num); - nil::marshalling::curve_bincode::point_to_bytes(c, c_ser.begin(), c_ser.end()); + std::vector c_ser(nil::marshalling::bincode::curve::g2_octets_num); + nil::marshalling::bincode::curve::point_to_bytes(c, c_ser.begin(), c_ser.end()); BOOST_CHECK_EQUAL(et_c_ser, c_ser); G2_value_type c_deser = - nil::marshalling::curve_bincode::g2_point_from_bytes(c_ser.begin(), c_ser.end()); + nil::marshalling::bincode::curve::g2_point_from_bytes(c_ser.begin(), c_ser.end()); BOOST_CHECK_EQUAL(c_deser, c); fq12_value_type d( @@ -1031,11 +1033,11 @@ BOOST_AUTO_TEST_CASE(bls381_transcript_test) { 212, 1, 226, 7, 62, 56, 84, 64, 46, 254, 91, 198, 63, 173, 242, 171, 236, 173, 194, 125, 216, 95, 159, 172, 117, 17, }; - std::vector d_ser(nil::marshalling::curve_bincode::gt_octets_num); - nil::marshalling::curve_bincode::field_element_to_bytes(d, d_ser.begin(), d_ser.end()); + std::vector d_ser(nil::marshalling::bincode::curve::gt_octets_num); + nil::marshalling::bincode::curve::field_element_to_bytes(d, d_ser.begin(), d_ser.end()); BOOST_CHECK_EQUAL(et_d_ser, d_ser); fq12_value_type d_deser = - nil::marshalling::curve_bincode::field_element_from_bytes(d_ser.begin(), d_ser.end()) + nil::marshalling::bincode::curve::field_element_from_bytes(d_ser.begin(), d_ser.end()) .second; BOOST_CHECK_EQUAL(d_deser, d); From 8466457481d96fd88a62cf02345834a98226e82f Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Sat, 12 Feb 2022 06:32:50 +0300 Subject: [PATCH 135/219] Minor changes #20 --- .../systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/transcript.hpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/transcript.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/transcript.hpp index 3b2d33f4a..ea23fa2e0 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/transcript.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/transcript.hpp @@ -80,7 +80,7 @@ namespace nil { std::is_same::value || std::is_same::value>::type write(const typename FieldType::value_type &x) { - buffer.resize(bincode::template get_element_size()); + buffer.resize(bincode::template element_size()); bincode::template field_element_to_bytes(x, buffer.begin(), buffer.end()); hash(buffer, hasher_acc); buffer.clear(); @@ -91,7 +91,7 @@ namespace nil { std::is_same, GroupType>::value || std::is_same, GroupType>::value>::type write(const typename GroupType::value_type &x) { - buffer.resize(bincode::template get_element_size()); + buffer.resize(bincode::template element_size()); bincode::template point_to_bytes(x, buffer.begin(), buffer.end()); hash(buffer, hasher_acc); buffer.clear(); From 6abc3872c8aafcefbe0f801dd6f58467c3e8f97c Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Sat, 12 Feb 2022 06:38:34 +0300 Subject: [PATCH 136/219] Minor fixes #20 --- .../zk/snark/systems/plonk/redshift/permutation_argument.hpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp index a936cfdab..823965aae 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp @@ -134,7 +134,7 @@ namespace nil { std::array, argument_size> F; math::polynomial V_P_shifted = - math::polynomial_shift(V_P, domain->get_domain_element(1)); + math::polynomial_shift(V_P, domain->get_domain_element(1)); F[0] = lagrange_1 * (one_polynomial - V_P); F[1] = (one_polynomial - (q_last + q_blind)) * (V_P_shifted * h - V_P * g); From 852a9bf8ef51450610e810dffdfe8119f049695d Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Sun, 13 Feb 2022 13:00:21 +0300 Subject: [PATCH 137/219] Minor LPC benchmark updates #20 --- test/commitment/lpc_performance.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/commitment/lpc_performance.cpp b/test/commitment/lpc_performance.cpp index 7bff8f497..a41d0d0bf 100644 --- a/test/commitment/lpc_performance.cpp +++ b/test/commitment/lpc_performance.cpp @@ -97,7 +97,7 @@ BOOST_AUTO_TEST_CASE(lpc_performance_test) { typedef typename curve_type::scalar_field_type FieldType; typedef hashes::keccak_1600<256> merkle_hash_type; - typedef hashes::sha2<256> transcript_hash_type; + typedef hashes::keccak_1600<256> transcript_hash_type; typedef typename containers::merkle_tree merkle_tree_type; @@ -158,7 +158,7 @@ BOOST_AUTO_TEST_CASE(lpc_performance_test) { auto proof = lpc_type::proof_eval(evaluation_points, tree, poly, transcript, fri_params); // verify - zk::snark::fiat_shamir_heuristic_updated> transcript_verifier(x_data); + zk::snark::fiat_shamir_heuristic_updated transcript_verifier(x_data); BOOST_CHECK(lpc_type::verify_eval(evaluation_points, proof, transcript_verifier, fri_params)); } From e9507b4bebb9e1374f6c882be0d42a20e35af372 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Mon, 14 Feb 2022 14:50:43 +0300 Subject: [PATCH 138/219] Redshift prover updated. #20 --- .../zk/snark/relations/plonk/plonk.hpp | 5 + .../systems/plonk/redshift/gates_argument.hpp | 1 - .../snark/systems/plonk/redshift/prover.hpp | 111 +++++++----------- test/systems/plonk/redshift.cpp | 3 +- 4 files changed, 49 insertions(+), 71 deletions(-) diff --git a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp index 775a0811d..19cf7b057 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp @@ -40,6 +40,7 @@ #include #include +#include namespace nil { namespace crypto3 { @@ -131,6 +132,10 @@ namespace nil { term.coeff}; for (auto &var : term.vars) { + + const std::shared_ptr> domain = + math::make_evaluation_domain(full_variable_assignment[var.wire_index].size()); + term_polynom = term_polynom * detail::polynomial_shift(wire_polynomials[var.wire_index], domain->get_domain_element(var.rotation)); } diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp index adc215fa9..d34e16bd4 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp @@ -59,7 +59,6 @@ namespace nil { std::array, argument_size> F; - // std::vector> gates(N_sel); std::size_t nu = 0; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 9805671a6..427a9e06d 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -37,7 +37,7 @@ #include #include #include -#include +// #include namespace nil { namespace crypto3 { @@ -120,61 +120,40 @@ namespace nil { std::copy(w.begin(), w.end(), f.begin()); + // 4. permutation_argument std::array, 3> - permutation_argument = redshift_permutation_argument::prove_argument(transcript); - // std::copy(PI.begin(), PI.end(), f.begin() + N_perm); + permutation_argument ; + // = redshift_permutation_argument::prove_eval(transcript); - // 14. Get $\alpha_0, \dots, \alpha_8 \in \mathbb{F}$ from $hash(\text{transcript})$ - constexpr const std::size_t f_parts = 4; - std::array alphas = - transcript.template challenges(); + constexpr const std::size_t f_parts = 9; + std::array, f_parts> F; - // 15. Get $\tau$ from $hash(\text{transcript})$ - typename FieldType::value_type tau = - transcript.template challenge(); + F[0] = permutation_argument[0]; + F[1] = permutation_argument[1]; + F[2] = permutation_argument[2]; + + // 5. lookup_argument + // std::array, 5> + // lookup_argument = redshift_lookup_argument::prove_eval(transcript); + + // F[3] = permutation_argument[3]; + // F[4] = permutation_argument[4]; + // F[5] = permutation_argument[5]; + // F[6] = permutation_argument[6]; + // F[7] = permutation_argument[7]; // 16. Computing gates // And 20. Compute N_T - std::size_t N_T = N_perm + N_PI; - std::vector> gates(N_sel); std::vector> constraints = constraint_system.polynomials(assignments); - std::size_t nu = 0; - - for (std::size_t i = 0; i <= N_sel - 1; i++) { - gates[i] = {0}; + // F[8] = gates_argument::prove(constraint_system.polynomials(assignments), transcript, N_sel)[0]; - for (std::size_t j = 0; j < constraints.size(); j++) { - gates[i] = gates[i] + preprocessed_data.constraints[j] * tau.pow(nu); - nu++; - } - - // gates[i] *= preprocessed_data.selectors[i]; - - } - - std::vector> constraints = - constraint_system.polynomials(assignments); - - gates_argument::prove(constraint_system.polynomials(assignments), transcript, N_sel); - std::size_t N_T = std::max(N_perm + N_PI, F[8].degree() - 1); - - // 18. Define F polynomials - const math::polynomial::polynomial L1 = - preprocessed_data.Lagrange_basis[1]; - - std::array, f_parts> F; - - F[0] = permutation_argument[0]; - F[1] = permutation_argument[1]; - F[2] = permutation_argument[2]; - F[3] = {0}; - for (std::size_t i = 0; i < N_sel; i++) { - F[3] = F[3] + gates[i]; - } + // 7.1. Get $\alpha_0, \dots, \alpha_8 \in \mathbb{F}$ from $hash(\text{transcript})$ + std::array alphas = + transcript.template challenges(); - // 19. Compute F_consolidated + // 7.2. Compute F_consolidated math::polynomial::polynomial F_consolidated = {0}; for (std::size_t i = 0; i < f_parts; i++) { F_consolidated = F_consolidated + alphas[i] * F[i]; @@ -183,11 +162,14 @@ namespace nil { math::polynomial::polynomial T_consolidated = F_consolidated / preprocessed_data.Z; - // 21. Split $T(X)$ into separate polynomials $T_0(X), ..., T_{N_T - 1}(X)$ + // 7.3 + std::size_t N_T = std::max(N_perm + N_PI, F[8].degree() - 1); + + // 7.4. Split $T(X)$ into separate polynomials $T_0(X), ..., T_{N_T - 1}(X)$ std::vector> T(N_T); // T = separate_T(T_consolidated); - // 22. Add commitments to $T_0(X), ..., T_{N_T - 1}(X)$ to $\text{transcript}$ + // 7.5. Add commitments to $T_0(X), ..., T_{N_T - 1}(X)$ to $\text{transcript}$ std::vector T_trees; std::vector T_commitments; @@ -197,36 +179,29 @@ namespace nil { transcript(T_commitments[i]); } - // 23. Get $y \in \mathbb{F}/H$ from $hash|_{\mathbb{F}/H}(\text{transcript})$ - typename FieldType::value_type upsilon = - transcript.template challenge(); + // 8.1 Get $y \in \mathbb{F}/H$ from $hash|_{\mathbb{F}/H}(\text{transcript})$ + // typename FieldType::value_type upsilon = + // transcript.template challenge(); - std::array fT_evaluation_points = {upsilon}; - std::vector f_lpc_proofs(N_wires); + // std::array fT_evaluation_points = {upsilon}; + // std::vector f_lpc_proofs(N_wires); // for (std::size_t i = 0; i < N_wires; i++){ // f_lpc_proofs.push_back(lpc::proof_eval(fT_evaluation_points, f_trees[i], f[i], D_0)); // } - // std::array - // PQ_evaluation_points = {upsilon, upsilon * preprocessed_data.omega}; - // typename lpc::proof P_lpc_proof = lpc::proof_eval(PQ_evaluation_points, P_tree, P, D_0); - // typename lpc::proof Q_lpc_proof = lpc::proof_eval(PQ_evaluation_points, Q_tree, Q, D_0); + // std::vector T_lpc_proofs(N_perm + 1); - std::vector T_lpc_proofs(N_perm + 1); - - for (std::size_t i = 0; i < N_perm + 1; i++) { - T_lpc_proofs.push_back(lpc::proof_eval(fT_evaluation_points, T_trees[i], T[i], D_0)); - } + // for (std::size_t i = 0; i < N_perm + 1; i++) { + // T_lpc_proofs.push_back(lpc::proof_eval(fT_evaluation_points, T_trees[i], T[i], D_0)); + // } typename types_policy::template proof_type proof; - // = typename types_policy::proof_type(std::move(f_commitments), std::move(P_commitment), - // std::move(Q_commitment), std::move(T_commitments), - // std::move(f_lpc_proofs), std::move(P_lpc_proof), - // std::move(Q_lpc_proof), std::move(T_lpc_proofs)); - proof.T_lpc_proofs = T_lpc_proofs; - proof.f_lpc_proofs = f_lpc_proofs; - proof.T_commitments = T_commitments; + // = typename types_policy::proof_type(std::move(f_commitments), std::move(T_commitments), + // std::move(f_lpc_proofs), std::move(T_lpc_proofs)); + // proof.T_lpc_proofs = T_lpc_proofs; + // proof.f_lpc_proofs = f_lpc_proofs; + // proof.T_commitments = T_commitments; return proof; } diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index 224918588..150901660 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -35,10 +35,9 @@ #include #include -//#include +#include //#include #include -#include #include #include From efe05cd5f937e9f494f46432c35c6643d61de19d Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Mon, 14 Feb 2022 17:43:09 +0300 Subject: [PATCH 139/219] Redshift test fixed #20 --- include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp | 1 - test/systems/plonk/redshift.cpp | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp index 31adcf757..1f1851357 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp @@ -41,7 +41,6 @@ #include #include -#include namespace nil { namespace crypto3 { diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index 51e020661..cb92cabdc 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -36,6 +36,7 @@ #include #include +#include //#include #include #include From 00162c82aba543e8bf29857315bc695f7c20883f Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Tue, 15 Feb 2022 17:42:59 +0200 Subject: [PATCH 140/219] preprocessing logic #20 --- .../zk/snark/relations/plonk/permutation.hpp | 62 +++++++++++ .../systems/plonk/redshift/preprocessor.hpp | 81 +++++++++++++- test/systems/plonk/redshift.cpp | 102 ++++++++---------- 3 files changed, 188 insertions(+), 57 deletions(-) create mode 100644 include/nil/crypto3/zk/snark/relations/plonk/permutation.hpp diff --git a/include/nil/crypto3/zk/snark/relations/plonk/permutation.hpp b/include/nil/crypto3/zk/snark/relations/plonk/permutation.hpp new file mode 100644 index 000000000..78d993e32 --- /dev/null +++ b/include/nil/crypto3/zk/snark/relations/plonk/permutation.hpp @@ -0,0 +1,62 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_PLONK_PERMUTATION_HPP +#define CRYPTO3_ZK_PLONK_PERMUTATION_HPP + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + struct plonk_permutation + { + typedef std::pair key_type; + typedef std::pair value_type; + + std::map _permutation_map; + + plonk_permutation(std::size_t columns, std::size_t rows) { + for (std::size_t i = 0; i < columns; i++) { + for (std::size_t j = 0; j < rows; j++) { + auto key = key_type(i, j); + _permutation_map[key] = value_type(i, j); + } + } + } + + void cells_equal(key_type cell, key_type equal_to) { + _permutation_map[cell] = _permutation_map[equal_to]; + } + + value_type &operator[](key_type key) { + return _permutation_map[key]; + } + }; + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_PLONK_PERMUTATION_HPP \ No newline at end of file diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp index 34d64c132..999113f81 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp @@ -28,8 +28,13 @@ #include #include +#include +#include #include +#include + +using namespace nil::crypto3; namespace nil { namespace crypto3 { @@ -41,7 +46,79 @@ namespace nil { using types_policy = detail::redshift_types_policy; public: - static inline typename types_policy::template preprocessed_data_type + static inline std::vector> + identity_polynomials(std::size_t permutation_size, std::size_t table_size, + typename FieldType::value_type omega, typename FieldType::value_type delta, + const std::shared_ptr> &domain) { + + std::vector> S_id(permutation_size); + + for (std::size_t i = 0; i < permutation_size; i++) { + std::vector tmp(table_size); + for (std::size_t j = 0; j < table_size; j++) { + tmp[j] = delta.pow(i) * omega.pow(j); + } + + domain->inverse_fft(tmp); + S_id[i] = math::polynomial(tmp); + } + + return S_id; + } + + static inline std::vector> + permutation_polynomials(std::size_t permutation_size, std::size_t table_size, + typename FieldType::value_type omega, typename FieldType::value_type delta, + plonk_permutation permutation, + const std::shared_ptr> &domain) { + + std::vector> S_perm(permutation_size); + + for (std::size_t i = 0; i < permutation_size; i++) { + std::vector tmp(table_size); + for (std::size_t j = 0; j < table_size; j++) { + auto key = std::make_pair(i, j); + tmp[j] = delta.pow(permutation[key].first) * omega.pow(permutation[key].second); + } + + domain->inverse_fft(tmp); + S_perm[i] = math::polynomial(tmp); + } + + return S_perm; + } + + static inline math::polynomial + selector_blind(std::size_t table_size, std::size_t usable_rows, + const std::shared_ptr> &domain) { + + std::vector tmp(table_size); + for (std::size_t j = 0; j < table_size; j++) { + tmp[j] = j > usable_rows ? FieldType::value_type::one() : FieldType::value_type::zero(); + } + + domain->inverse_fft(tmp); + math::polynomial q_blind(tmp); + + return q_blind; + } + + static inline math::polynomial + selector_last(std::size_t table_size, std::size_t usable_rows, + const std::shared_ptr> &domain) { + + std::vector tmp(table_size); + for (std::size_t j = 0; j < table_size; j++) { + tmp[j] = j == usable_rows ? FieldType::value_type::one() : FieldType::value_type::zero(); + } + + domain->inverse_fft(tmp); + math::polynomial q_last(tmp); + + return q_last; + } + + /*static inline typename types_policy::template preprocessed_data_type process(const typename types_policy::constraint_system_type &constraint_system, const typename types_policy::variable_assignment_type &assignments) { @@ -58,7 +135,7 @@ namespace nil { // data.Lagrange_basis = math::polynomial::Lagrange_basis(data.omega, ...(assignments).n); return data; - } + }*/ }; } // namespace snark } // namespace zk diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index cb92cabdc..8b5739562 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -37,8 +37,9 @@ #include #include -//#include +#include #include +#include #include #include @@ -78,6 +79,39 @@ typename fri_type::params_type create_fri_params(std::size_t degree_log) { return params; } +template +std::vector> + create_random_table(const std::size_t table_rows, const std::size_t table_width, + plonk_permutation permutation, const std::shared_ptr> &domain) { + std::vector> table(table_width); + + std::vector> tmp(table_width); + + for (std::size_t i = 0; i < table_width; i++) { + tmp[i].resize(table_rows); + for (std::size_t j = 0; j < table_rows; j++) { + tmp[i][j] = algebra::random_element(); + } + } + + for (std::size_t i = 0; i < table_width; i++) { + for (std::size_t j = 0; j < table_rows; j++) { + auto key = std::make_pair(i, j); + auto ids = permutation[key]; + if (ids.first != i || ids.second != j) { + tmp[i][j] = tmp[ids.first][ids.second]; + } + } + } + + for (std::size_t i = 0; i < table_width; i++) { + domain->inverse_fft(tmp[i]); + table[i] = math::polynomial(tmp[i]); + } + + return table; +} + BOOST_AUTO_TEST_SUITE(redshift_prover_test_suite) using curve_type = algebra::curves::bls12<381>; @@ -103,6 +137,7 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { const std::size_t circuit_log = 2; const std::size_t circuit_rows = 1 << circuit_log; const std::size_t permutation_size = 2; + const std::size_t columns_amount = 2; constexpr static const std::size_t lambda = 40; constexpr static const std::size_t k = 1; @@ -112,69 +147,26 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { std::shared_ptr> domain = fri_params.D[0]; math::polynomial lagrange_0 = lagrange_polynomial(domain, 0); - // TODO: implement it in a proper way in generator.hpp - std::vector> S_id(permutation_size); - std::vector> S_sigma(permutation_size); - typename FieldType::value_type omega = domain->get_domain_element(1); typename FieldType::value_type delta = algebra::fields::arithmetic_params::multiplicative_generator; - for (std::size_t i = 0; i < permutation_size; i++) { - std::vector> interpolation_points; - for (std::size_t j = 0; j < circuit_rows; j++) { - interpolation_points.emplace_back(omega.pow(j), delta.pow(i) * omega.pow(j)); - } - - S_id[i] = math::lagrange_interpolation(interpolation_points); - } + plonk_permutation permutation(columns_amount, circuit_rows); + permutation.cells_equal(std::make_pair(2, 2), std::make_pair(1, 1)); - for (std::size_t i = 0; i < permutation_size; i++) { - std::vector> interpolation_points; - for (std::size_t j = 0; j < circuit_rows; j++) { - if (i == 1 && j == 1) { - interpolation_points.emplace_back(omega.pow(j), delta.pow(2) * omega.pow(2)); - } else if (i == 2 && j == 2) { - interpolation_points.emplace_back(omega.pow(j), delta.pow(1) * omega.pow(1)); - } else { - interpolation_points.emplace_back(omega.pow(j), delta.pow(i) * omega.pow(j)); - } - } - - S_sigma[i] = math::lagrange_interpolation(interpolation_points); - } + std::vector> S_id = redshift_preprocessor::identity_polynomials( + permutation_size, circuit_rows, omega, delta, domain); + std::vector> S_sigma = redshift_preprocessor::permutation_polynomials( + permutation_size, circuit_rows, omega, delta, permutation, domain); // construct circuit values - std::vector> f(permutation_size); - for (std::size_t i = 0; i < permutation_size; i++) { - std::vector> interpolation_points; - for (std::size_t j = 0; j < circuit_rows; j++) { - if (i == 2 && j == 2) { - interpolation_points.emplace_back(omega.pow(j), interpolation_points[1].second); - } else { - interpolation_points.emplace_back(omega.pow(j), algebra::random_element()); - } - } - - f[i] = math::lagrange_interpolation(interpolation_points); - } + std::vector> f = create_random_table(circuit_rows, columns_amount, permutation, domain); // construct q_last, q_blind - math::polynomial q_last; - math::polynomial q_blind; - std::vector> interpolation_points_last; - std::vector> interpolation_points_blind; - for (std::size_t j = 0; j < circuit_rows; j++) { - if (j == circuit_rows - 1) { - interpolation_points_last.emplace_back(omega.pow(j), FieldType::value_type::one()); - interpolation_points_blind.emplace_back(omega.pow(j), FieldType::value_type::zero()); - } else { - interpolation_points_last.emplace_back(omega.pow(j), FieldType::value_type::zero()); - interpolation_points_blind.emplace_back(omega.pow(j), FieldType::value_type::zero()); - } - } - q_last = math::lagrange_interpolation(interpolation_points_last); - q_blind = math::lagrange_interpolation(interpolation_points_blind); + math::polynomial q_last = redshift_preprocessor::selector_last( + circuit_rows, circuit_rows, domain); + math::polynomial q_blind = redshift_preprocessor::selector_blind( + circuit_rows, circuit_rows, domain); std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; fiat_shamir_heuristic_updated> prover_transcript(init_blob); From 545817ae1205f865672206650bbe5904ee0f516c Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Wed, 16 Feb 2022 19:14:44 +0200 Subject: [PATCH 141/219] redshift test input #20 --- .../crypto3/zk/snark/relations/plonk/gate.hpp | 46 +++++ .../zk/snark/relations/plonk/permutation.hpp | 7 + .../systems/plonk/redshift/gates_argument.hpp | 16 +- test/systems/plonk/circuits.hpp | 174 ++++++++++++++++++ test/systems/plonk/redshift.cpp | 65 ++++++- 5 files changed, 294 insertions(+), 14 deletions(-) create mode 100644 include/nil/crypto3/zk/snark/relations/plonk/gate.hpp create mode 100644 test/systems/plonk/circuits.hpp diff --git a/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp b/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp new file mode 100644 index 000000000..e186edc66 --- /dev/null +++ b/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp @@ -0,0 +1,46 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_PLONK_GATE_HPP +#define CRYPTO3_ZK_PLONK_GATE_HPP + +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + template + struct plonk_gate + { + std::vector> constraints; + math::polynomial selector; + }; + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_PLONK_GATE_HPP \ No newline at end of file diff --git a/include/nil/crypto3/zk/snark/relations/plonk/permutation.hpp b/include/nil/crypto3/zk/snark/relations/plonk/permutation.hpp index 78d993e32..ba656aab3 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/permutation.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/permutation.hpp @@ -46,10 +46,17 @@ namespace nil { } } + plonk_permutation() { + } + void cells_equal(key_type cell, key_type equal_to) { _permutation_map[cell] = _permutation_map[equal_to]; } + void cells_equal(std::size_t cell_x, std::size_t cell_y, std::size_t equal_to_x, std::size_t equal_to_y) { + _permutation_map[key_type(cell_x, cell_y)] = _permutation_map[key_type(equal_to_x, equal_to_y)]; + } + value_type &operator[](key_type key) { return _permutation_map[key]; } diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp index 1235e4a8d..b3a2659ba 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp @@ -36,6 +36,7 @@ #include #include +#include namespace nil { namespace crypto3 { @@ -48,26 +49,25 @@ namespace nil { constexpr static const std::size_t argument_size = ArgumentSize; static inline std::array, argument_size> - prove_eval(const std::vector> &constraints, - fiat_shamir_heuristic_updated &transcript, - std::size_t N_sel) { + prove_eval(const std::vector> &gates, + fiat_shamir_heuristic_updated &transcript) { - typename FieldType::value_type teta = transcript.template challenge(); + typename FieldType::value_type theta = transcript.template challenge(); std::array, argument_size> F; - std::size_t nu = 0; + typename FieldType::value_type theta_acc = FieldType::value_type::one(); for (std::size_t i = 0; i <= N_sel - 1; i++) { math::polynomial gate = {0}; for (std::size_t j = 0; j < constraints.size(); j++) { - gate = gate + preprocessed_data.constraints[j] * teta.pow(nu); - nu++; + gate = gate + gates[i].constraints[j] * theta_acc; + theta_acc *= theta; } - // gate *= preprocessed_data.selectors[i]; + gate *= gate[i].selector; F[0] += gate; } diff --git a/test/systems/plonk/circuits.hpp b/test/systems/plonk/circuits.hpp new file mode 100644 index 000000000..7ed889953 --- /dev/null +++ b/test/systems/plonk/circuits.hpp @@ -0,0 +1,174 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_TEST_PLONK_CIRCUITS_HPP +#define CRYPTO3_ZK_TEST_PLONK_CIRCUITS_HPP + +#include + +#include +#include +#include + +#include +#include +#include +#include +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + template + class circuit_description + { + public: + const std::size_t table_rows = 1 << rows_log - 1; + + std::shared_ptr> domain; + + typename FieldType::value_type omega; + typename FieldType::value_type delta; + + plonk_permutation permutation; + + std::vector> S_id; + std::vector> S_sigma; + + std::vector> table; + std::vector> column_polynomials; + + // construct q_last, q_blind + math::polynomial q_last; + math::polynomial q_blind; + + //std::vector> gates; + + circuit_description() { + domain = math::make_evaluation_domain(table_rows); + + omega = domain->get_domain_element(1); + delta = algebra::fields::arithmetic_params::multiplicative_generator; + + permutation = plonk_permutation(table_columns, table_rows); + } + + void init() { + S_id = redshift_preprocessor::identity_polynomials( + permutation_size, table_rows, omega, delta, domain); + S_sigma = redshift_preprocessor::permutation_polynomials( + permutation_size, table_rows, omega, delta, permutation, domain); + + q_last = redshift_preprocessor::selector_last( + table_rows, usable_rows, domain); + q_blind = redshift_preprocessor::selector_blind( + table_rows, usable_rows, domain); + } + }; + + //---------------------------------------------------------------------------// + // Test circuit + // i | GATE | w_0 | w_1 | w_2 | public | q_add | q_mul | + // 0 | -- | x | y | z | p1 | 0 | 0 | + // 1 | ADD | x | y | z | 0 | 1 | 0 | + // ... | ADD | x | y | z | 0 | 1 | 0 | + // k-2 | MUL | x | y | z | 0 | 0 | 1 | + // k-1 | MUL | x | y | z | 0 | 0 | 1 | + // + // ADD: x + y = z, copy(prev(z), y) + // MUL: x * y = z, copy(p1, y) + //---------------------------------------------------------------------------// + template + circuit_description circuit_test_1() { + constexpr static const std::size_t rows_log = 4; + constexpr static const std::size_t table_columns = 4; + constexpr static const std::size_t permutation = 4; + constexpr static const std::size_t usable = (1 << rows_log) - 1; + + circuit_description test_circuit; + + std::vector> table(table_columns); + + test_circuit.column_polynomials.resize(table_columns); + std::vector q_add(test_circuit.table_rows); + std::vector q_mul(test_circuit.table_rows); + for (std::size_t j = 0; j < table_columns; j++) { + table[j].resize(test_circuit.table_rows); + } + + // init values + table[0][0] = algebra::random_element(); + table[0][1] = algebra::random_element(); + table[0][2] = algebra::random_element(); + table[0][3] = algebra::random_element(); + q_add[0] = FieldType::value_type::zero(); + q_mul[0] = FieldType::value_type::zero(); + + // fill rows with ADD gate + for (std::size_t i = 1; i < test_circuit.table_rows - 2; i++) { + table[i][0] = algebra::random_element(); + table[i][1] = table[i - 1][2]; + table[i][2] = table[i][0] + table[i][1]; + table[i][3] = FieldType::value_type::zero(); + q_add[i] = FieldType::value_type::one(); + q_mul[i] = FieldType::value_type::zero(); + + test_circuit.permutation.cells_equal(i, 1, i - 1, 2); + } + + // fill rows with MUL gate + for (std::size_t i = test_circuit.table_rows - 2; i < test_circuit.table_rows; i++) { + table[i][0] = algebra::random_element(); + table[i][1] = table[0][3]; + table[i][2] = table[i][0] * table[i][1]; + table[i][3] = FieldType::value_type::zero(); + q_add[i] = FieldType::value_type::zero(); + q_mul[i] = FieldType::value_type::one(); + + test_circuit.permutation.cells_equal(i, 1, 0, 3); + } + + for (std::size_t i = 0; i < table_columns; i++) { + test_circuit.domain->inverse_fft(table[i]); + test_circuit.column_polynomials[i] = math::polynomial(table[i]); + } + + //std::vector> gates(2); + test_circuit.table = table; + test_circuit.init(); + + return test_circuit; + } + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_TEST_PLONK_CIRCUITS_HPP \ No newline at end of file diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index 8b5739562..de7ed011d 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -35,16 +35,19 @@ #include #include +#include +#include + #include #include #include #include #include +#include #include #include -#include -#include +#include "circuits.hpp" using namespace nil::crypto3; using namespace nil::crypto3::zk::snark; @@ -134,6 +137,13 @@ BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { } BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { + const std::size_t table_rows_log = 4; + const std::size_t table_rows = (1 << table_rows_log) - 1; + const std::size_t table_columns = 4; + const std::size_t permutation_size1 = 4; + const std::size_t usable_rows = (1 << table_rows_log) - 1; + circuit_description circuit = circuit_test_1(); + const std::size_t circuit_log = 2; const std::size_t circuit_rows = 1 << circuit_log; const std::size_t permutation_size = 2; @@ -210,12 +220,55 @@ BOOST_AUTO_TEST_CASE(redshift_lookup_argument_test) { // zk::snark::redshift_prover prove; } -BOOST_AUTO_TEST_CASE(redshift_witness_argument_test) { +BOOST_AUTO_TEST_CASE(redshift_gate_argument_test) { + auto circuit = circuit_test_1(); - // zk::snark::redshift_preprocessor preprocess; + const std::size_t circuit_log = 2; + const std::size_t circuit_rows = 1 << circuit_log; + const std::size_t permutation_size = 2; + const std::size_t columns_amount = 2; - // auto preprocessed_data = preprocess::process(cs, assignments); - // zk::snark::redshift_prover prove; + constexpr static const std::size_t lambda = 40; + constexpr static const std::size_t k = 1; + typedef list_polynomial_commitment_scheme lpc_type; + + typename fri_type::params_type fri_params = create_fri_params(circuit_log); + std::shared_ptr> domain = fri_params.D[0]; + math::polynomial lagrange_0 = lagrange_polynomial(domain, 0); + + typename FieldType::value_type omega = domain->get_domain_element(1); + + typename FieldType::value_type delta = algebra::fields::arithmetic_params::multiplicative_generator; + + plonk_permutation permutation(columns_amount, circuit_rows); + permutation.cells_equal(std::make_pair(2, 2), std::make_pair(1, 1)); + + std::vector> S_id = redshift_preprocessor::identity_polynomials( + permutation_size, circuit_rows, omega, delta, domain); + std::vector> S_sigma = redshift_preprocessor::permutation_polynomials( + permutation_size, circuit_rows, omega, delta, permutation, domain); + + // construct circuit values + std::vector> f = create_random_table(circuit_rows, columns_amount, permutation, domain); + + std::vector> constraints_1 = {f[0] * f[1], f[0] + f[0]}; + std::vector> constraints_2 = {f[1] - f[0]}; + + + // construct q_last, q_blind + math::polynomial q_last = redshift_preprocessor::selector_last( + circuit_rows, circuit_rows, domain); + math::polynomial q_blind = redshift_preprocessor::selector_blind( + circuit_rows, circuit_rows, domain); + + std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; + fiat_shamir_heuristic_updated> prover_transcript(init_blob); + fiat_shamir_heuristic_updated> verifier_transcript(init_blob); + + /*std::array, 1> prover_res = + redshift_gates_argument::prove_eval(prover_transcript, circuit_rows, + permutation_size, domain, lagrange_0, S_id, + S_sigma, f, q_last, q_blind, fri_params);*/ } BOOST_AUTO_TEST_SUITE_END() \ No newline at end of file From 1b5d26a514a2c193c0dbacf4e83fe5f9e50c9fe8 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Wed, 16 Feb 2022 20:59:41 +0200 Subject: [PATCH 142/219] perfromance comments #20 --- .../zk/snark/commitments/fri_commitment.hpp | 23 ++++++++++--------- .../list_polynomial_commitment.hpp | 12 +++++----- test/commitment/lpc_performance.cpp | 6 ++--- 3 files changed, 21 insertions(+), 20 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index a291874da..0f81a7b65 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -132,7 +132,7 @@ namespace nil { std::vector> y_data; y_data.resize(D->m); - std::vector tmp(f.begin(), f.end()); + std::vector tmp(f.begin(), f.end()); // for FFT D->fft(tmp); for (std::size_t i = 0; i < D->m; i++) { @@ -170,10 +170,11 @@ namespace nil { proof_type proof; - math::polynomial f = Q; + math::polynomial f = Q; // copy? + // TODO: how to sample x? typename FieldType::value_type x = fri_params.D[0]->get_domain_element(1).pow( - transcript.template int_challenge()); + transcript.template int_challenge()); // could be smth like fri_params.D[0]->get_domain_element(RANDOM % domain_size) std::size_t r = fri_params.r; @@ -186,9 +187,9 @@ namespace nil { typename FieldType::value_type alpha = transcript.template challenge(); - typename FieldType::value_type x_next = fri_params.q.evaluate(x); + typename FieldType::value_type x_next = fri_params.q.evaluate(x); // == x^2 - math::polynomial f_next = fold_polynomial(f, alpha); + math::polynomial f_next = fold_polynomial(f, alpha); // create polynomial of degree (degree(f) / 2) // m = 2, so: std::array s; @@ -202,12 +203,12 @@ namespace nil { std::array y; for (std::size_t j = 0; j < m; j++) { - y[j] = i == 0 ? g.evaluate(s[j]) : f.evaluate(s[j]); + y[j] = i == 0 ? g.evaluate(s[j]) : f.evaluate(s[j]); // polynomial evaluation } std::array p; - std::vector tmp; + std::vector tmp; // we need it for FFT if (i == 0) { std::copy(g.begin(), g.end(), std::back_inserter(tmp)); } else { @@ -219,20 +220,20 @@ namespace nil { typename FieldType::value_type leaf = y[j]; std::size_t leaf_index = 0; - for (; leaf_index < tmp.size(); leaf_index++) { + for (; leaf_index < tmp.size(); leaf_index++) { // search 2**24 if (tmp[leaf_index] == leaf) break; } p[j] = merkle_proof_type(*p_tree, leaf_index); } - typename FieldType::value_type colinear_value = f_next.evaluate(x_next); + typename FieldType::value_type colinear_value = f_next.evaluate(x_next); // polynomial evaluation if (i < r - 1) { - T_next = commit(f_next, fri_params.D[i + 1]); + T_next = commit(f_next, fri_params.D[i + 1]); // new merkle tree transcript(T_next.root()); - std::vector tmp(f_next.begin(), f_next.end()); + std::vector tmp(f_next.begin(), f_next.end()); // for FFT fri_params.D[i + 1]->fft(tmp); std::size_t leaf_index = 0; diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index cb7855e93..d898a2235 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -126,20 +126,20 @@ namespace nil { std::array p; std::array, k> U_interpolation_points; - + for (std::size_t j = 0; j < k; j++) { - z[j] = g.evaluate(evaluation_points[j]); - U_interpolation_points[j] = std::make_pair(evaluation_points[j], z[j]); + z[j] = g.evaluate(evaluation_points[j]); // transform to point-representation + U_interpolation_points[j] = std::make_pair(evaluation_points[j], z[j]); // prepare points for interpolation } math::polynomial U = - math::lagrange_interpolation(U_interpolation_points); + math::lagrange_interpolation(U_interpolation_points); // k is small => iterpolation goes fast math::polynomial Q = (g - U); for (std::size_t j = 0; j < k; j++) { math::polynomial denominator_polynom = { -evaluation_points[j], 1}; - Q = Q / denominator_polynom; + Q = Q / denominator_polynom; // polynomial divison } // temporary definition, until polynomial is constexpr @@ -148,7 +148,7 @@ namespace nil { std::array fri_proof; for (std::size_t round_id = 0; round_id <= lambda - 1; round_id++) { - fri_proof[round_id] = fri_type::proof_eval(Q, g, T, transcript, fri_params); + fri_proof[round_id] = fri_type::proof_eval(Q, g, T, transcript, fri_params); // fri_commitment.hpp } return proof_type({z, T.root(), fri_proof}); diff --git a/test/commitment/lpc_performance.cpp b/test/commitment/lpc_performance.cpp index a41d0d0bf..7678d9627 100644 --- a/test/commitment/lpc_performance.cpp +++ b/test/commitment/lpc_performance.cpp @@ -146,7 +146,7 @@ BOOST_AUTO_TEST_CASE(lpc_performance_test) { for (int j = 0; j < fri_params.max_degree; j++) { poly.push_back(typename FieldType::value_type(polynomial_element_gen())); } - merkle_tree_type tree = lpc_type::commit(poly, D[0]); + merkle_tree_type tree = lpc_type::commit(poly, D[0]); // phase_1: Commit // TODO: take a point outside of the basic domain std::array evaluation_points = { @@ -155,12 +155,12 @@ BOOST_AUTO_TEST_CASE(lpc_performance_test) { std::array x_data {}; zk::snark::fiat_shamir_heuristic_updated transcript(x_data); - auto proof = lpc_type::proof_eval(evaluation_points, tree, poly, transcript, fri_params); + auto proof = lpc_type::proof_eval(evaluation_points, tree, poly, transcript, fri_params); // phase_2: Prove // verify zk::snark::fiat_shamir_heuristic_updated transcript_verifier(x_data); - BOOST_CHECK(lpc_type::verify_eval(evaluation_points, proof, transcript_verifier, fri_params)); + BOOST_CHECK(lpc_type::verify_eval(evaluation_points, proof, transcript_verifier, fri_params)); // phase_3: Verify } } From 23a57ab1e4dca48b02e993b6bd4fb2c0f246b402 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Thu, 17 Feb 2022 17:58:36 +0200 Subject: [PATCH 143/219] test circuit 1 for permutation argument test #20 --- test/systems/plonk/circuits.hpp | 26 ++++----- test/systems/plonk/redshift.cpp | 100 +++++++++++--------------------- 2 files changed, 47 insertions(+), 79 deletions(-) diff --git a/test/systems/plonk/circuits.hpp b/test/systems/plonk/circuits.hpp index 7ed889953..d3604dc34 100644 --- a/test/systems/plonk/circuits.hpp +++ b/test/systems/plonk/circuits.hpp @@ -50,7 +50,7 @@ namespace nil { class circuit_description { public: - const std::size_t table_rows = 1 << rows_log - 1; + const std::size_t table_rows = 1 << rows_log; std::shared_ptr> domain; @@ -106,11 +106,11 @@ namespace nil { // MUL: x * y = z, copy(p1, y) //---------------------------------------------------------------------------// template - circuit_description circuit_test_1() { + circuit_description circuit_test_1() { constexpr static const std::size_t rows_log = 4; constexpr static const std::size_t table_columns = 4; constexpr static const std::size_t permutation = 4; - constexpr static const std::size_t usable = (1 << rows_log) - 1; + constexpr static const std::size_t usable = 1 << rows_log; circuit_description test_circuit; @@ -133,26 +133,26 @@ namespace nil { // fill rows with ADD gate for (std::size_t i = 1; i < test_circuit.table_rows - 2; i++) { - table[i][0] = algebra::random_element(); - table[i][1] = table[i - 1][2]; - table[i][2] = table[i][0] + table[i][1]; - table[i][3] = FieldType::value_type::zero(); + table[0][i] = algebra::random_element(); + table[1][i] = table[2][i - 1]; + table[2][i] = table[0][i] + table[1][i]; + table[3][i] = FieldType::value_type::zero(); q_add[i] = FieldType::value_type::one(); q_mul[i] = FieldType::value_type::zero(); - test_circuit.permutation.cells_equal(i, 1, i - 1, 2); + test_circuit.permutation.cells_equal(1, i, 2, i - 1); } // fill rows with MUL gate for (std::size_t i = test_circuit.table_rows - 2; i < test_circuit.table_rows; i++) { - table[i][0] = algebra::random_element(); - table[i][1] = table[0][3]; - table[i][2] = table[i][0] * table[i][1]; - table[i][3] = FieldType::value_type::zero(); + table[0][i] = algebra::random_element(); + table[1][i] = table[3][0]; + table[2][i] = table[0][i] * table[1][i]; + table[3][i] = FieldType::value_type::zero(); q_add[i] = FieldType::value_type::zero(); q_mul[i] = FieldType::value_type::one(); - test_circuit.permutation.cells_equal(i, 1, 0, 3); + test_circuit.permutation.cells_equal(1, i, 3, 0); } for (std::size_t i = 0; i < table_columns; i++) { diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index de7ed011d..14d31870f 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -138,70 +138,43 @@ BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { const std::size_t table_rows_log = 4; - const std::size_t table_rows = (1 << table_rows_log) - 1; + const std::size_t table_rows = 1 << table_rows_log; const std::size_t table_columns = 4; - const std::size_t permutation_size1 = 4; - const std::size_t usable_rows = (1 << table_rows_log) - 1; - circuit_description circuit = circuit_test_1(); - - const std::size_t circuit_log = 2; - const std::size_t circuit_rows = 1 << circuit_log; - const std::size_t permutation_size = 2; - const std::size_t columns_amount = 2; + const std::size_t permutation_size = 4; + const std::size_t usable_rows = 1 << table_rows_log; + circuit_description circuit = circuit_test_1(); constexpr static const std::size_t lambda = 40; constexpr static const std::size_t k = 1; - typedef list_polynomial_commitment_scheme lpc_type; - - typename fri_type::params_type fri_params = create_fri_params(circuit_log); - std::shared_ptr> domain = fri_params.D[0]; - math::polynomial lagrange_0 = lagrange_polynomial(domain, 0); - - typename FieldType::value_type omega = domain->get_domain_element(1); - - typename FieldType::value_type delta = algebra::fields::arithmetic_params::multiplicative_generator; - - plonk_permutation permutation(columns_amount, circuit_rows); - permutation.cells_equal(std::make_pair(2, 2), std::make_pair(1, 1)); - - std::vector> S_id = redshift_preprocessor::identity_polynomials( - permutation_size, circuit_rows, omega, delta, domain); - std::vector> S_sigma = redshift_preprocessor::permutation_polynomials( - permutation_size, circuit_rows, omega, delta, permutation, domain); + constexpr static const std::size_t r = table_rows_log - 1; + typedef list_polynomial_commitment_scheme lpc_type; - // construct circuit values - std::vector> f = create_random_table(circuit_rows, columns_amount, permutation, domain); - - // construct q_last, q_blind - math::polynomial q_last = redshift_preprocessor::selector_last( - circuit_rows, circuit_rows, domain); - math::polynomial q_blind = redshift_preprocessor::selector_blind( - circuit_rows, circuit_rows, domain); + typename fri_type::params_type fri_params = create_fri_params(table_rows_log); + math::polynomial lagrange_0 = lagrange_polynomial(circuit.domain, 0); std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; fiat_shamir_heuristic_updated> prover_transcript(init_blob); fiat_shamir_heuristic_updated> verifier_transcript(init_blob); typename redshift_permutation_argument::prover_result_type prover_res = - redshift_permutation_argument::prove_eval(prover_transcript, circuit_rows, - permutation_size, domain, lagrange_0, S_id, - S_sigma, f, q_last, q_blind, fri_params); + redshift_permutation_argument::prove_eval(prover_transcript, table_rows, + permutation_size, circuit.domain, lagrange_0, circuit.S_id, + circuit.S_sigma, circuit.column_polynomials, circuit.q_last, circuit.q_blind, fri_params); // Challenge phase - // typename FieldType::value_type y = algebra::random_element(); - typename FieldType::value_type y(2); + typename FieldType::value_type y = algebra::random_element(); std::vector f_at_y(permutation_size); for (int i = 0; i < permutation_size; i++) { - f_at_y[i] = f[i].evaluate(y); + f_at_y[i] = circuit.column_polynomials[i].evaluate(y); } typename FieldType::value_type v_p_at_y = prover_res.permutation_polynomial.evaluate(y); - typename FieldType::value_type v_p_at_y_shifted = prover_res.permutation_polynomial.evaluate(omega * y); + typename FieldType::value_type v_p_at_y_shifted = prover_res.permutation_polynomial.evaluate(circuit.omega * y); std::array verifier_res = redshift_permutation_argument::verify_eval( - verifier_transcript, circuit_rows, permutation_size, domain, y, f_at_y, v_p_at_y, v_p_at_y_shifted, - lagrange_0, S_id, S_sigma, q_last, q_blind, prover_res.permutation_poly_commitment.root()); + verifier_transcript, table_rows, permutation_size, circuit.domain, y, f_at_y, v_p_at_y, v_p_at_y_shifted, + lagrange_0, circuit.S_id, circuit.S_sigma, circuit.q_last, circuit.q_blind, prover_res.permutation_poly_commitment.root()); typename FieldType::value_type verifier_next_challenge = verifier_transcript.template challenge(); typename FieldType::value_type prover_next_challenge = prover_transcript.template challenge(); @@ -221,49 +194,44 @@ BOOST_AUTO_TEST_CASE(redshift_lookup_argument_test) { } BOOST_AUTO_TEST_CASE(redshift_gate_argument_test) { - auto circuit = circuit_test_1(); + /*const std::size_t rows_log = 4; + const std::size_t table_rows = (1 << rows_log) - 1; + const std::size_t permutation_size = 4; + const std::size_t table_columns = 4; + const std::size_t usable_rows = (1 << rows_log) - 1; - const std::size_t circuit_log = 2; - const std::size_t circuit_rows = 1 << circuit_log; - const std::size_t permutation_size = 2; - const std::size_t columns_amount = 2; + circuit_description circuit = circuit_test_1(); constexpr static const std::size_t lambda = 40; constexpr static const std::size_t k = 1; - typedef list_polynomial_commitment_scheme lpc_type; + constexpr static const std::size_t r = rows_log - 1; + typedef list_polynomial_commitment_scheme lpc_type; - typename fri_type::params_type fri_params = create_fri_params(circuit_log); - std::shared_ptr> domain = fri_params.D[0]; + typename fri_type::params_type fri_params = create_fri_params(rows_log); + std::shared_ptr> domain = circuit.domain; math::polynomial lagrange_0 = lagrange_polynomial(domain, 0); - typename FieldType::value_type omega = domain->get_domain_element(1); - - typename FieldType::value_type delta = algebra::fields::arithmetic_params::multiplicative_generator; + typename FieldType::value_type omega = circuit.omega; - plonk_permutation permutation(columns_amount, circuit_rows); - permutation.cells_equal(std::make_pair(2, 2), std::make_pair(1, 1)); + typename FieldType::value_type delta = circuit.delta; - std::vector> S_id = redshift_preprocessor::identity_polynomials( - permutation_size, circuit_rows, omega, delta, domain); - std::vector> S_sigma = redshift_preprocessor::permutation_polynomials( - permutation_size, circuit_rows, omega, delta, permutation, domain); + std::vector> S_id = circuit.S_id; + std::vector> S_sigma = circuit.S_sigma; // construct circuit values - std::vector> f = create_random_table(circuit_rows, columns_amount, permutation, domain); + std::vector> f = circuit.column_polynomials; std::vector> constraints_1 = {f[0] * f[1], f[0] + f[0]}; std::vector> constraints_2 = {f[1] - f[0]}; // construct q_last, q_blind - math::polynomial q_last = redshift_preprocessor::selector_last( - circuit_rows, circuit_rows, domain); - math::polynomial q_blind = redshift_preprocessor::selector_blind( - circuit_rows, circuit_rows, domain); + math::polynomial q_last = circuit.q_last; + math::polynomial q_blind = circuit.q_blind; std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; fiat_shamir_heuristic_updated> prover_transcript(init_blob); - fiat_shamir_heuristic_updated> verifier_transcript(init_blob); + fiat_shamir_heuristic_updated> verifier_transcript(init_blob);*/ /*std::array, 1> prover_res = redshift_gates_argument::prove_eval(prover_transcript, circuit_rows, From be3e4dc537fc75222adeb9b0e1c63ecbf9162b92 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Fri, 18 Feb 2022 06:47:20 +0200 Subject: [PATCH 144/219] prover minor changes #20 --- .../list_polynomial_commitment.hpp | 17 ++- .../snark/systems/plonk/redshift/prover.hpp | 134 ++++++------------ 2 files changed, 61 insertions(+), 90 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index d898a2235..5e14c8fe6 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -110,10 +110,21 @@ namespace nil { // After this function // result.root(); // should be called - static merkle_tree_type commit(math::polynomial &f, - const std::shared_ptr> &d) { + static merkle_tree_type commit(math::polynomial &poly, + const std::shared_ptr> &domain) { - return fri_type::commit(f, d); + return fri_type::commit(poly, domain); + } + + template + static std::array + commit(std::array, list_size> &poly, + const std::shared_ptr> &domain) { + std::array commits; + for (std::size_t i = 0; i < list_size; i++) { + commits[i] = fri_type::commit(poly[i], domain); + } + return commits; } static proof_type proof_eval(const std::array &evaluation_points, diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 69af65dac..4f08cdfae 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -45,14 +45,14 @@ namespace nil { namespace snark { template class redshift_prover { - using types_policy = detail::redshift_types_policy; + using types_policy = detail::redshift_types_policy; using transcript_manifest = typename types_policy::template prover_fiat_shamir_heuristic_manifest<8>; @@ -63,6 +63,22 @@ namespace nil { typedef list_polynomial_commitment_scheme lpc; + static inline math::polynomial + quotient_polynomial() { + // 7.1. Get $\alpha_0, \dots, \alpha_8 \in \mathbb{F}$ from $hash(\text{transcript})$ + std::array alphas = + transcript.template challenges(); + + // 7.2. Compute F_consolidated + math::polynomial F_consolidated = {0}; + for (std::size_t i = 0; i < f_parts; i++) { + F_consolidated = F_consolidated + alphas[i] * F[i]; + } + + math::polynomial T_consolidated = + F_consolidated / preprocessed_data.Z; + } + public: static inline typename types_policy::template proof_type process(const typename types_policy::template preprocessed_data_type preprocessed_data, @@ -70,61 +86,32 @@ namespace nil { const typename types_policy::variable_assignment_type &assignments, const typename types_policy::public_input_type &PI) { - std::size_t N_wires = WiresAmount; - std::size_t N_perm = preprocessed_data.permutations.size(); - std::size_t N_sel = preprocessed_data.selectors.size(); - std::size_t N_PI = PI.size(); - // std::size_t N_const = ...; - - std::size_t N_rows = 0; + std::size_t N_rows = 0; // TODO: It should be in preprocessor for (auto &wire_assignments : assignments) { N_rows = std::max(N_rows, wire_assignments.size()); } - std::vector omega_powers(std::max({N_wires, N_perm, N_rows}) + - 1 + 1); - omega_powers[0] = FieldType::value_type::one(); - for (std::size_t power = 1; power < omega_powers.size(); power++) { - omega_powers[power] = preprocessed_data.omega * omega_powers[power - 1]; - } - - std::vector D_0(N_rows); - for (std::size_t power = 1; power <= N_rows; power++) { - D_0.emplace_back(preprocessed_data.omega.pow(power)); - } - fiat_shamir_heuristic transcript; - - // ... setup_values = ...; - // transcript(setup_values); - - // 1. Add commitments to $w_i(X)$ to $\text{transcript}$ - - std::vector> w = - constraint_system.polynomials(assignments); - - std::vector w_trees; - std::vector w_commitments; - w_commitments.reserve(N_wires); - w_trees.reserve(N_wires); - - for (std::size_t i = 0; i < N_wires; i++) { - w_trees.push_back(lpc::commit(w[i], D_0)); - w_commitments.push_back(w_trees[i].root()); - transcript(w_commitments[i]); - } - - // 3. Denote witness polynomials included in permutation argument and public input polynomials - // as $f_i$ + // prepare a basic domain of the table size + std::shared_ptr> domain = + math::make_evaluation_domain(N_rows); + + // 1. Add circuit definition to transctipt + transcript(...); + + // 2. Commit witness columns + std::array, witness_columns> witness_poly = ; + auto witness_commitments = lpc::commit(witness_poly, fri_params.D[0]); + transcript(witness_commitments); + + // 3. Prepare columns included into permuation argument std::vector> f(N_perm + N_PI); - std::copy(w.begin(), w.end(), f.begin()); - // std::copy(PI.begin(), PI.end(), f.begin() + N_perm); // 4. permutation_argument - std::array, 3> - permutation_argument ; - // = redshift_permutation_argument::prove_eval(transcript); + constexpr const std::size_t permutation_parts = 3; + std::array, permutation_parts> + permutation_argument = redshift_permutation_argument::prove_eval(transcript); constexpr const std::size_t f_parts = 9; std::array, f_parts> F; @@ -137,48 +124,21 @@ namespace nil { // std::array, 5> // lookup_argument = redshift_lookup_argument::prove_eval(transcript); - // F[3] = permutation_argument[3]; - // F[4] = permutation_argument[4]; - // F[5] = permutation_argument[5]; - // F[6] = permutation_argument[6]; - // F[7] = permutation_argument[7]; + // 6. circuit-satisfability + constexpr const std::size_t gate_parts = 1; + std::array, 1> prover_res = + redshift_gates_argument::prove_eval(prover_transcript, circuit_rows, + permutation_size, domain, lagrange_0, S_id, + S_sigma, f, q_last, q_blind, fri_params); - // 16. Computing gates - // And 20. Compute N_T - std::vector> constraints = - constraint_system.polynomials(assignments); + F[3] = prover_res[0]; - // F[8] = gates_argument::prove(constraint_system.polynomials(assignments), transcript, N_sel)[0]; - - // 7.1. Get $\alpha_0, \dots, \alpha_8 \in \mathbb{F}$ from $hash(\text{transcript})$ - std::array alphas = - transcript.template challenges(); - - // 7.2. Compute F_consolidated - math::polynomial F_consolidated = {0}; - for (std::size_t i = 0; i < f_parts; i++) { - F_consolidated = F_consolidated + alphas[i] * F[i]; - } - - math::polynomial T_consolidated = - F_consolidated / preprocessed_data.Z; - - // 7.3 + // 7. Aggregate quotient polynomial + math::polynomial T = quotient_polynomial(); std::size_t N_T = std::max(N_perm + N_PI, F[8].degree() - 1); - - // 7.4. Split $T(X)$ into separate polynomials $T_0(X), ..., T_{N_T - 1}(X)$ - std::vector> T(N_T); - // T = separate_T(T_consolidated); - - // 7.5. Add commitments to $T_0(X), ..., T_{N_T - 1}(X)$ to $\text{transcript}$ - std::vector T_trees; - std::vector T_commitments; - - for (std::size_t i = 0; i < N_perm + 1; i++) { - T_trees.push_back(lpc::commit(T[i], D_0)); - T_commitments.push_back(T_trees[i].root()); - transcript(T_commitments[i]); - } + std::array, N_T> T_splitted = ; + auto T_commitments = lpc::commit(T_splitted, fri_params.D[0]); + transcript(T_commitments); // 8.1 Get $y \in \mathbb{F}/H$ from $hash|_{\mathbb{F}/H}(\text{transcript})$ // typename FieldType::value_type upsilon = From d037f99ba1549b329ffc8fa40286e5423286bb2f Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Fri, 18 Feb 2022 10:46:34 +0300 Subject: [PATCH 145/219] FRI Commitment Scheme updated to use updated Merkle tree interface #20 --- .../zk/snark/commitments/fri_commitment.hpp | 30 +++++++++++-------- 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index 0f81a7b65..cb17e0102 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -132,7 +132,7 @@ namespace nil { std::vector> y_data; y_data.resize(D->m); - std::vector tmp(f.begin(), f.end()); // for FFT + std::vector tmp(f.begin(), f.end()); // for FFT D->fft(tmp); for (std::size_t i = 0; i < D->m; i++) { @@ -141,7 +141,7 @@ namespace nil { y_val.write(write_iter, field_element_type::length()); } - return merkle_tree_type(y_data); + return merkle_tree_type(y_data.begin(), y_data.end()); } static inline math::polynomial @@ -170,11 +170,14 @@ namespace nil { proof_type proof; - math::polynomial f = Q; // copy? + math::polynomial f = Q; // copy? // TODO: how to sample x? typename FieldType::value_type x = fri_params.D[0]->get_domain_element(1).pow( - transcript.template int_challenge()); // could be smth like fri_params.D[0]->get_domain_element(RANDOM % domain_size) + transcript.template int_challenge< + std::size_t>()); // could be smth like + // fri_params.D[0]->get_domain_element(RANDOM + // % domain_size) std::size_t r = fri_params.r; @@ -187,9 +190,10 @@ namespace nil { typename FieldType::value_type alpha = transcript.template challenge(); - typename FieldType::value_type x_next = fri_params.q.evaluate(x); // == x^2 + typename FieldType::value_type x_next = fri_params.q.evaluate(x); // == x^2 - math::polynomial f_next = fold_polynomial(f, alpha); // create polynomial of degree (degree(f) / 2) + math::polynomial f_next = + fold_polynomial(f, alpha); // create polynomial of degree (degree(f) / 2) // m = 2, so: std::array s; @@ -203,12 +207,12 @@ namespace nil { std::array y; for (std::size_t j = 0; j < m; j++) { - y[j] = i == 0 ? g.evaluate(s[j]) : f.evaluate(s[j]); // polynomial evaluation + y[j] = i == 0 ? g.evaluate(s[j]) : f.evaluate(s[j]); // polynomial evaluation } std::array p; - std::vector tmp; // we need it for FFT + std::vector tmp; // we need it for FFT if (i == 0) { std::copy(g.begin(), g.end(), std::back_inserter(tmp)); } else { @@ -220,20 +224,22 @@ namespace nil { typename FieldType::value_type leaf = y[j]; std::size_t leaf_index = 0; - for (; leaf_index < tmp.size(); leaf_index++) { // search 2**24 + for (; leaf_index < tmp.size(); leaf_index++) { // search 2**24 if (tmp[leaf_index] == leaf) break; } p[j] = merkle_proof_type(*p_tree, leaf_index); } - typename FieldType::value_type colinear_value = f_next.evaluate(x_next); // polynomial evaluation + typename FieldType::value_type colinear_value = + f_next.evaluate(x_next); // polynomial evaluation if (i < r - 1) { - T_next = commit(f_next, fri_params.D[i + 1]); // new merkle tree + T_next = commit(f_next, fri_params.D[i + 1]); // new merkle tree transcript(T_next.root()); - std::vector tmp(f_next.begin(), f_next.end()); // for FFT + std::vector tmp(f_next.begin(), + f_next.end()); // for FFT fri_params.D[i + 1]->fft(tmp); std::size_t leaf_index = 0; From c0f95aced57215436b33df620c773760701d88b7 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Sat, 19 Feb 2022 12:14:55 +0200 Subject: [PATCH 146/219] gates argument update #20 --- .../relations/non_linear_combination.hpp | 1 - .../crypto3/zk/snark/relations/plonk/gate.hpp | 4 +- .../systems/plonk/redshift/gates_argument.hpp | 18 +-- .../plonk/redshift/permutation_argument.hpp | 12 +- test/systems/plonk/circuits.hpp | 131 +++++++++++++++++- test/systems/plonk/redshift.cpp | 63 +++------ 6 files changed, 165 insertions(+), 64 deletions(-) diff --git a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp index 3d437b1cc..5a6e4f3f0 100644 --- a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp +++ b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp @@ -216,7 +216,6 @@ namespace nil { template math::polynomial evaluate( - std::size_t row_index, const std::array, WiresAmount> &assignment) const { math::polynomial acc = {0}; for (non_linear_combination &nlt : terms) { diff --git a/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp b/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp index e186edc66..de0a56a82 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp @@ -28,6 +28,8 @@ #include +#include + namespace nil { namespace crypto3 { namespace zk { @@ -35,7 +37,7 @@ namespace nil { template struct plonk_gate { - std::vector> constraints; + std::vector> constraints; math::polynomial selector; }; } // namespace snark diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp index b3a2659ba..b0bd72253 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp @@ -48,8 +48,10 @@ namespace nil { struct redshift_gates_argument { constexpr static const std::size_t argument_size = ArgumentSize; - static inline std::array, argument_size> - prove_eval(const std::vector> &gates, + template + static inline std::array, argument_size> + prove_eval(const std::vector> &gates, + const std::array, table_width> &columns, fiat_shamir_heuristic_updated &transcript) { typename FieldType::value_type theta = transcript.template challenge(); @@ -59,17 +61,17 @@ namespace nil { typename FieldType::value_type theta_acc = FieldType::value_type::one(); - for (std::size_t i = 0; i <= N_sel - 1; i++) { - math::polynomial gate = {0}; + for (std::size_t i = 0; i < gates.size(); i++) { + math::polynomial gate_result = {0}; - for (std::size_t j = 0; j < constraints.size(); j++) { - gate = gate + gates[i].constraints[j] * theta_acc; + for (std::size_t j = 0; j < gates[i].constraints.size(); j++) { + gate_result = gate_result + gates[i].constraints[j].evaluate(columns) * theta_acc; theta_acc *= theta; } - gate *= gate[i].selector; + gate_result = gate_result * gates[i].selector; - F[0] += gate; + F[0] = F[0] + gate_result; } return F; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp index 823965aae..4cfe014c0 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp @@ -58,7 +58,7 @@ namespace nil { typename CommitmentSchemeType::merkle_tree_type permutation_poly_commitment; }; - template> + template static inline prover_result_type // TODO: fix fiat-shamir prove_eval(fiat_shamir_heuristic_updated &transcript, std::size_t circuit_rows, @@ -68,7 +68,7 @@ namespace nil { const math::polynomial &lagrange_1, const std::vector> &S_id, const std::vector> &S_sigma, - const std::vector> &f, + const std::array, table_width> &columns, const math::polynomial &q_last, const math::polynomial &q_blind, typename fri_type::params_type fri_params) { @@ -86,9 +86,9 @@ namespace nil { sigma_binding[j] = FieldType::value_type::one(); for (std::size_t i = 0; i < permutation_size; i++) { - id_binding[j] *= (f[i].evaluate(domain->get_domain_element(j)) + + id_binding[j] *= (columns[i].evaluate(domain->get_domain_element(j)) + beta * S_id[i].evaluate(domain->get_domain_element(j)) + gamma); - sigma_binding[j] *= (f[i].evaluate(domain->get_domain_element(j)) + + sigma_binding[j] *= (columns[i].evaluate(domain->get_domain_element(j)) + beta * S_sigma[i].evaluate(domain->get_domain_element(j)) + gamma); } } @@ -126,8 +126,8 @@ namespace nil { math::polynomial h = {1}; for (std::size_t i = 0; i < permutation_size; i++) { - g = g * (f[i] + beta * S_id[i] + gamma); - h = h * (f[i] + beta * S_sigma[i] + gamma); + g = g * (columns[i] + beta * S_id[i] + gamma); + h = h * (columns[i] + beta * S_sigma[i] + gamma); } math::polynomial one_polynomial = {1}; diff --git a/test/systems/plonk/circuits.hpp b/test/systems/plonk/circuits.hpp index d3604dc34..c0e694917 100644 --- a/test/systems/plonk/circuits.hpp +++ b/test/systems/plonk/circuits.hpp @@ -34,6 +34,8 @@ #include #include +#include +#include #include #include #include @@ -63,13 +65,13 @@ namespace nil { std::vector> S_sigma; std::vector> table; - std::vector> column_polynomials; + std::array, table_columns> column_polynomials; // construct q_last, q_blind math::polynomial q_last; math::polynomial q_blind; - //std::vector> gates; + std::vector> gates; circuit_description() { domain = math::make_evaluation_domain(table_rows); @@ -94,7 +96,99 @@ namespace nil { }; //---------------------------------------------------------------------------// - // Test circuit + // Test circuit 1 + // i | GATE | w_0 | w_1 | w_2 | q_add | q_mul | + // 0 | -- | x | y | z | 0 | 0 | + // 1 | ADD | x | y | z | 1 | 0 | + // ... | ADD | x | y | z | 1 | 0 | + // k-2 | MUL | x | y | z | 0 | 1 | + // k-1 | MUL | x | y | z | 0 | 1 | + // + // ADD: x + y = z + // MUL: x * y = z + //---------------------------------------------------------------------------// + template + circuit_description circuit_test_1() { + constexpr static const std::size_t rows_log = 4; + constexpr static const std::size_t table_columns = 3; + constexpr static const std::size_t permutation = 3; + constexpr static const std::size_t usable = 1 << rows_log; + + circuit_description test_circuit; + + std::vector> table(table_columns); + + std::vector q_add(test_circuit.table_rows); + std::vector q_mul(test_circuit.table_rows); + for (std::size_t j = 0; j < table_columns; j++) { + table[j].resize(test_circuit.table_rows); + } + + // init values + table[0][0] = algebra::random_element(); + table[0][1] = algebra::random_element(); + table[0][2] = algebra::random_element(); + q_add[0] = FieldType::value_type::zero(); + q_mul[0] = FieldType::value_type::zero(); + + // fill rows with ADD gate + for (std::size_t i = 1; i < test_circuit.table_rows - 2; i++) { + table[0][i] = algebra::random_element(); + table[1][i] = algebra::random_element(); + table[2][i] = table[0][i] + table[1][i]; + q_add[i] = FieldType::value_type::one(); + q_mul[i] = FieldType::value_type::zero(); + } + + // fill rows with MUL gate + for (std::size_t i = test_circuit.table_rows - 2; i < test_circuit.table_rows; i++) { + table[0][i] = algebra::random_element(); + table[1][i] = algebra::random_element(); + table[2][i] = table[0][i] * table[1][i]; + q_add[i] = FieldType::value_type::zero(); + q_mul[i] = FieldType::value_type::one(); + } + + for (std::size_t i = 0; i < table_columns; i++) { + test_circuit.domain->inverse_fft(table[i]); + test_circuit.column_polynomials[i] = math::polynomial(table[i]); + } + + + test_circuit.table = table; + test_circuit.init(); + + + variable w0(0, variable::rotation_type::current); + variable w1(0, variable::rotation_type::current); + variable w2(0, variable::rotation_type::current); + + non_linear_combination add_constraint; + add_constraint.add_term(w0); + add_constraint.add_term(w1); + add_constraint.add_term(-w2); + + test_circuit.domain->inverse_fft(q_add); + math::polynomial add_selector(q_add); + std::vector> add_gate_costraints {add_constraint}; + plonk_gate add_gate {add_gate_costraints, add_selector}; + test_circuit.gates.push_back(add_gate); + + non_linear_combination mul_constraint; + add_constraint.add_term(w0 * w1); + add_constraint.add_term(-w2); + + test_circuit.domain->inverse_fft(q_mul); + math::polynomial mul_selector(q_mul); + std::vector> mul_gate_costraints {mul_constraint}; + plonk_gate mul_gate {mul_gate_costraints, mul_selector}; + test_circuit.gates.push_back(mul_gate); + + return test_circuit; + } + + //---------------------------------------------------------------------------// + // Test circuit 2 // i | GATE | w_0 | w_1 | w_2 | public | q_add | q_mul | // 0 | -- | x | y | z | p1 | 0 | 0 | // 1 | ADD | x | y | z | 0 | 1 | 0 | @@ -106,7 +200,7 @@ namespace nil { // MUL: x * y = z, copy(p1, y) //---------------------------------------------------------------------------// template - circuit_description circuit_test_1() { + circuit_description circuit_test_2() { constexpr static const std::size_t rows_log = 4; constexpr static const std::size_t table_columns = 4; constexpr static const std::size_t permutation = 4; @@ -116,7 +210,6 @@ namespace nil { std::vector> table(table_columns); - test_circuit.column_polynomials.resize(table_columns); std::vector q_add(test_circuit.table_rows); std::vector q_mul(test_circuit.table_rows); for (std::size_t j = 0; j < table_columns; j++) { @@ -160,10 +253,36 @@ namespace nil { test_circuit.column_polynomials[i] = math::polynomial(table[i]); } - //std::vector> gates(2); + test_circuit.table = table; test_circuit.init(); + + variable w0(0, variable::rotation_type::current); + variable w1(0, variable::rotation_type::current); + variable w2(0, variable::rotation_type::current); + + non_linear_combination add_constraint; + add_constraint.add_term(w0); + add_constraint.add_term(w1); + add_constraint.add_term(-w2); + + test_circuit.domain->inverse_fft(q_add); + math::polynomial add_selector(q_add); + std::vector> add_gate_costraints {add_constraint}; + plonk_gate add_gate {add_gate_costraints, add_selector}; + test_circuit.gates.push_back(add_gate); + + non_linear_combination mul_constraint; + add_constraint.add_term(w0 * w1); + add_constraint.add_term(-w2); + + test_circuit.domain->inverse_fft(q_mul); + math::polynomial mul_selector(q_mul); + std::vector> mul_gate_costraints {mul_constraint}; + plonk_gate mul_gate {mul_gate_costraints, mul_selector}; + test_circuit.gates.push_back(mul_gate); + return test_circuit; } } // namespace snark diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index 14d31870f..287d73f33 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -38,8 +38,9 @@ #include #include -#include +//#include #include +#include #include #include #include @@ -119,8 +120,8 @@ BOOST_AUTO_TEST_SUITE(redshift_prover_test_suite) using curve_type = algebra::curves::bls12<381>; using FieldType = typename curve_type::scalar_field_type; -typedef hashes::sha2<256> merkle_hash_type; -typedef hashes::sha2<256> transcript_hash_type; +typedef hashes::keccak_1600<512> merkle_hash_type; +typedef hashes::keccak_1600<512> transcript_hash_type; constexpr std::size_t m = 2; @@ -139,8 +140,8 @@ BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { const std::size_t table_rows_log = 4; const std::size_t table_rows = 1 << table_rows_log; - const std::size_t table_columns = 4; - const std::size_t permutation_size = 4; + const std::size_t table_columns = 3; + const std::size_t permutation_size = 3; const std::size_t usable_rows = 1 << table_rows_log; circuit_description circuit = circuit_test_1(); @@ -153,8 +154,8 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { math::polynomial lagrange_0 = lagrange_polynomial(circuit.domain, 0); std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; - fiat_shamir_heuristic_updated> prover_transcript(init_blob); - fiat_shamir_heuristic_updated> verifier_transcript(init_blob); + fiat_shamir_heuristic_updated prover_transcript(init_blob); + fiat_shamir_heuristic_updated verifier_transcript(init_blob); typename redshift_permutation_argument::prover_result_type prover_res = redshift_permutation_argument::prove_eval(prover_transcript, table_rows, @@ -194,49 +195,27 @@ BOOST_AUTO_TEST_CASE(redshift_lookup_argument_test) { } BOOST_AUTO_TEST_CASE(redshift_gate_argument_test) { - /*const std::size_t rows_log = 4; - const std::size_t table_rows = (1 << rows_log) - 1; - const std::size_t permutation_size = 4; - const std::size_t table_columns = 4; - const std::size_t usable_rows = (1 << rows_log) - 1; - - circuit_description circuit = circuit_test_1(); + const std::size_t table_rows_log = 4; + const std::size_t table_rows = 1 << table_rows_log; + const std::size_t table_columns = 3; + const std::size_t permutation_size = 3; + const std::size_t usable_rows = 1 << table_rows_log; + circuit_description circuit = circuit_test_1(); constexpr static const std::size_t lambda = 40; constexpr static const std::size_t k = 1; - constexpr static const std::size_t r = rows_log - 1; + constexpr static const std::size_t r = table_rows_log - 1; typedef list_polynomial_commitment_scheme lpc_type; - typename fri_type::params_type fri_params = create_fri_params(rows_log); - std::shared_ptr> domain = circuit.domain; - math::polynomial lagrange_0 = lagrange_polynomial(domain, 0); - - typename FieldType::value_type omega = circuit.omega; - - typename FieldType::value_type delta = circuit.delta; - - std::vector> S_id = circuit.S_id; - std::vector> S_sigma = circuit.S_sigma; - - // construct circuit values - std::vector> f = circuit.column_polynomials; - - std::vector> constraints_1 = {f[0] * f[1], f[0] + f[0]}; - std::vector> constraints_2 = {f[1] - f[0]}; - - - // construct q_last, q_blind - math::polynomial q_last = circuit.q_last; - math::polynomial q_blind = circuit.q_blind; + typename fri_type::params_type fri_params = create_fri_params(table_rows_log); + math::polynomial lagrange_0 = lagrange_polynomial(circuit.domain, 0); std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; - fiat_shamir_heuristic_updated> prover_transcript(init_blob); - fiat_shamir_heuristic_updated> verifier_transcript(init_blob);*/ + fiat_shamir_heuristic_updated prover_transcript(init_blob); + fiat_shamir_heuristic_updated verifier_transcript(init_blob); - /*std::array, 1> prover_res = - redshift_gates_argument::prove_eval(prover_transcript, circuit_rows, - permutation_size, domain, lagrange_0, S_id, - S_sigma, f, q_last, q_blind, fri_params);*/ + std::array, 1> prover_res = + redshift_gates_argument::prove_eval(circuit.gates, circuit.column_polynomials, prover_transcript); } BOOST_AUTO_TEST_SUITE_END() \ No newline at end of file From 8f76a86590a23f17eb247ca847ac9b85f4137c34 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Sat, 19 Feb 2022 19:02:45 +0200 Subject: [PATCH 147/219] gates argument verify #20 --- .../systems/plonk/redshift/gates_argument.hpp | 34 +++++++++++-------- 1 file changed, 19 insertions(+), 15 deletions(-) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp index b0bd72253..706f44fa1 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp @@ -77,26 +77,30 @@ namespace nil { return F; } - static inline std::array verify_eval() { - /*typename transcript_hash_type::digest_type beta_bytes = - transcript.get_challenge(); + template + static inline std::array + verify_eval(const std::vector> &gates, + const std::array &columns_values, + fiat_shamir_heuristic_updated &transcript) { + typename FieldType::value_type theta = transcript.template challenge(); - typename transcript_hash_type::digest_type gamma_bytes = - transcript.get_challenge(); - typename FieldType::value_type beta = algebra::marshalling(beta_bytes); - typename FieldType::value_type gamma = algebra::marshalling(gamma_bytes); + std::array F; - transcript(proof.P_commitment); - transcript(proof.Q_commitment); + typename FieldType::value_type theta_acc = FieldType::value_type::one(); - const math::polynomial q_last; - const math::polynomial q_blind; + for (std::size_t i = 0; i < gates.size(); i++) { + FieldType::value_type gate_result = {0}; - F[0] = verification_key.L_basis[1] * (P - 1); - F[1] = verification_key.L_basis[1] * (Q - 1); - F[2] = P * p_1 - (P << 1);*/ - std::array F; + for (std::size_t j = 0; j < gates[i].constraints.size(); j++) { + gate_result = gate_result + gates[i].constraints[j].evaluate(columns_values) * theta_acc; + theta_acc *= theta; + } + + gate_result = gate_result * gates[i].selector; + + F[0] = F[0] + gate_result; + } return F; } From e8ecd4070a8c38a4cbd149d23e3c2a5433431e60 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Sun, 20 Feb 2022 06:02:14 +0300 Subject: [PATCH 148/219] Compilation problems resolved. #20 --- .../snark/relations/non_linear_combination.hpp | 16 ++++++++-------- .../systems/plonk/redshift/gates_argument.hpp | 6 +++--- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp index 5a6e4f3f0..3acf2689b 100644 --- a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp +++ b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp @@ -203,13 +203,13 @@ namespace nil { evaluate(std::size_t row_index, const std::array, WiresAmount> &assignment) const { field_value_type acc = field_value_type::zero(); - for (non_linear_combination &nlt : terms) { + for (const non_linear_term &nlt : terms) { field_value_type term_value = nlt.coeff; - for (variable &var : nlt.vars) { - term_value *= assignment[var.wire_index][row_index + var.rotation]; + for (const variable &var : nlt.vars) { + term_value = term_value * assignment[var.wire_index][row_index + var.rotation]; } - acc += assignment[nlt.vars] * nlt.coeff; + acc = acc + term_value * nlt.coeff; } return acc; } @@ -218,13 +218,13 @@ namespace nil { math::polynomial evaluate( const std::array, WiresAmount> &assignment) const { math::polynomial acc = {0}; - for (non_linear_combination &nlt : terms) { + for (const non_linear_term &nlt : this->terms) { math::polynomial term_value = {nlt.coeff}; - for (variable &var : nlt.vars) { - term_value *= assignment[var.wire_index]; + for (const variable &var : nlt.vars) { + term_value = term_value * assignment[var.wire_index]; } - acc += assignment[nlt.vars] * nlt.coeff; + acc = acc + term_value * nlt.coeff; } return acc; } diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp index 706f44fa1..b5c1d37e4 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp @@ -77,10 +77,10 @@ namespace nil { return F; } - template + template static inline std::array verify_eval(const std::vector> &gates, - const std::array &columns_values, + const std::array &columns_values, fiat_shamir_heuristic_updated &transcript) { typename FieldType::value_type theta = transcript.template challenge(); @@ -90,7 +90,7 @@ namespace nil { typename FieldType::value_type theta_acc = FieldType::value_type::one(); for (std::size_t i = 0; i < gates.size(); i++) { - FieldType::value_type gate_result = {0}; + typename FieldType::value_type gate_result = {0}; for (std::size_t j = 0; j < gates[i].constraints.size(); j++) { gate_result = gate_result + gates[i].constraints[j].evaluate(columns_values) * theta_acc; From c1f61aec646a003afaeed8433cfa9a89b1ecd69b Mon Sep 17 00:00:00 2001 From: nkaskov Date: Sun, 20 Feb 2022 06:34:06 +0300 Subject: [PATCH 149/219] Redshift type Template params updated. #20 --- .../zk/snark/commitments/fri_commitment.hpp | 14 ++++++----- .../list_polynomial_commitment.hpp | 15 ++++++----- .../plonk/redshift/permutation_argument.hpp | 10 ++++---- .../snark/systems/plonk/redshift/prover.hpp | 11 ++++---- .../snark/systems/plonk/redshift/verifier.hpp | 25 ++++++++----------- test/commitment/fri.cpp | 12 ++++----- test/commitment/lpc.cpp | 6 ++--- test/commitment/lpc_performance.cpp | 4 +-- test/systems/plonk/redshift.cpp | 6 ++--- 9 files changed, 49 insertions(+), 54 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index cb17e0102..ef4f944de 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -56,15 +56,17 @@ namespace nil { * Matter Labs, * */ - template + template struct fri_commitment_scheme { constexpr static const std::size_t m = M; typedef FieldType field_type; - typedef Hash transcript_hash_type; - typedef typename containers::merkle_tree merkle_tree_type; - typedef typename containers::merkle_proof merkle_proof_type; + typedef typename containers::merkle_tree merkle_tree_type; + typedef typename containers::merkle_proof merkle_proof_type; using Endianness = nil::marshalling::option::big_endian; using field_element_type = @@ -165,7 +167,7 @@ namespace nil { static proof_type proof_eval(const math::polynomial &Q, const math::polynomial &g, merkle_tree_type &T, - fiat_shamir_heuristic_updated &transcript, + fiat_shamir_heuristic_updated &transcript, params_type &fri_params) { proof_type proof; @@ -268,7 +270,7 @@ namespace nil { } static bool verify_eval(proof_type &proof, - fiat_shamir_heuristic_updated &transcript, + fiat_shamir_heuristic_updated &transcript, params_type &fri_params, const math::polynomial &U, const math::polynomial &V) { diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index 5e14c8fe6..02485c355 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -54,7 +54,8 @@ namespace nil { * */ template merkle_tree_type; - typedef typename merkle_tree_type::hash_type merkle_hash_type; - typedef typename containers::merkle_proof merkle_proof_type; + typedef typename containers::merkle_tree merkle_tree_type; + typedef typename containers::merkle_proof merkle_proof_type; - typedef fri_commitment_scheme fri_type; + typedef fri_commitment_scheme fri_type; using commitment_type = typename merkle_tree_type::value_type; @@ -130,7 +129,7 @@ namespace nil { static proof_type proof_eval(const std::array &evaluation_points, merkle_tree_type &T, const math::polynomial &g, - fiat_shamir_heuristic_updated &transcript, + fiat_shamir_heuristic_updated &transcript, typename fri_type::params_type &fri_params) { std::array z; @@ -167,7 +166,7 @@ namespace nil { static bool verify_eval(const std::array &evaluation_points, proof_type &proof, - fiat_shamir_heuristic_updated &transcript, + fiat_shamir_heuristic_updated &transcript, typename fri_type::params_type fri_params) { std::array, k> U_interpolation_points; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp index 4cfe014c0..94bd83073 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp @@ -42,7 +42,8 @@ namespace nil { namespace crypto3 { namespace zk { namespace snark { - template + template> class redshift_permutation_argument { typedef typename CommitmentSchemeType::fri_type fri_type; @@ -58,9 +59,9 @@ namespace nil { typename CommitmentSchemeType::merkle_tree_type permutation_poly_commitment; }; - template + template static inline prover_result_type // TODO: fix fiat-shamir - prove_eval(fiat_shamir_heuristic_updated &transcript, + prove_eval(fiat_shamir_heuristic_updated &transcript, std::size_t circuit_rows, std::size_t permutation_size, std::shared_ptr> @@ -145,9 +146,8 @@ namespace nil { return res; } - template> static inline std::array - verify_eval(fiat_shamir_heuristic_updated &transcript, + verify_eval(fiat_shamir_heuristic_updated &transcript, std::size_t circuit_rows, std::size_t permutation_size, std::shared_ptr> diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 4f08cdfae..823d50350 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -45,6 +45,8 @@ namespace nil { namespace snark { template; - typedef hashes::sha2<256> merkle_hash_type; - typedef hashes::sha2<256> transcript_hash_type; + typedef typename containers::merkle_tree merkle_tree_type; - typedef typename containers::merkle_tree merkle_tree_type; - - typedef list_polynomial_commitment_scheme lpc; + typedef list_polynomial_commitment_scheme lpc; static inline math::polynomial quotient_polynomial() { @@ -91,7 +90,7 @@ namespace nil { N_rows = std::max(N_rows, wire_assignments.size()); } - fiat_shamir_heuristic transcript; + fiat_shamir_heuristic transcript; // prepare a basic domain of the table size std::shared_ptr> domain = math::make_evaluation_domain(N_rows); diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp index ab7a875cc..005c791de 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp @@ -38,21 +38,21 @@ namespace nil { namespace zk { namespace snark { - template + template class redshift_verifier { using types_policy = detail::redshift_types_policy; using transcript_manifest = types_policy::prover_fiat_shamir_heuristic_manifest<6>; - typedef hashes::sha2<256> merkle_hash_type; - typedef hashes::sha2<256> transcript_hash_type; - constexpr static const std::size_t k = ...; constexpr static const std::size_t r = ...; constexpr static const typename FieldType::value_type omega = algebra::get_root_of_unity() typedef list_polynomial_commitment_scheme< - FieldType, merkle_hash_type, lambda, k, r, m> + FieldType, MerkleTreeHashType, lambda, k, r, m> lpc; public: @@ -60,15 +60,10 @@ namespace nil { const types_policy::primary_input_type &primary_input, const types_policy::proof_type &proof) { - std::size_t N_wires = ...; - std::size_t N_perm = ...; - std::size_t N_sel = ...; - std::size_t N_const = ...; - - fiat_shamir_heuristic transcript; + fiat_shamir_heuristic transcript; - ... setup_values = ...; - transcript(setup_values); + // 1. Add circuit definition to transctipt + transcript(...); for (std::size_t i = 0; i < N_wires; i++) { transcript(proof.f_commitments[i]); @@ -80,7 +75,7 @@ namespace nil { constexpr const std::size_t f_parts = 4; std::array alphas; for (std::size_t i = 0; i < f_parts; i++) { - typename transcript_hash_type::digest_type alpha_bytes = + typename TranscriptHashType::digest_type alpha_bytes = transcript.get_challenge(); alphas[i] = (algebra::marshalling(alpha_bytes)); } @@ -89,7 +84,7 @@ namespace nil { transcript(proof.T_commitments[i]); } - typename transcript_hash_type::digest_type upsilon_bytes = + typename TranscriptHashType::digest_type upsilon_bytes = transcript.get_challenge(); typename FieldType::value_type upsilon = algebra::marshalling(upsilon_bytes); diff --git a/test/commitment/fri.cpp b/test/commitment/fri.cpp index afc6edf78..dfccedfd0 100644 --- a/test/commitment/fri.cpp +++ b/test/commitment/fri.cpp @@ -66,7 +66,7 @@ BOOST_AUTO_TEST_CASE(fri_basic_test) { constexpr static const std::size_t r = boost::static_log2::value; constexpr static const std::size_t m = 2; - typedef zk::snark::fri_commitment_scheme fri_type; + typedef zk::snark::fri_commitment_scheme fri_type; typedef typename fri_type::proof_type proof_type; typedef typename fri_type::params_type params_type; @@ -95,7 +95,7 @@ BOOST_AUTO_TEST_CASE(fri_basic_test) { // eval std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; - zk::snark::fiat_shamir_heuristic_updated> transcript(init_blob); + zk::snark::fiat_shamir_heuristic_updated transcript(init_blob); // LPC-related logic, here we "nulify" it via U = 0, V - 1 // TODO: Make FRI independent from LPC input @@ -105,7 +105,7 @@ BOOST_AUTO_TEST_CASE(fri_basic_test) { proof_type proof = fri_type::proof_eval(f, f, commit_merkle, transcript, params); // verify - zk::snark::fiat_shamir_heuristic_updated> transcript_verifier(init_blob); + zk::snark::fiat_shamir_heuristic_updated transcript_verifier(init_blob); BOOST_CHECK(fri_type::verify_eval(proof, transcript_verifier, params, U, V)); @@ -129,7 +129,7 @@ BOOST_AUTO_TEST_CASE(fri_fold_test) { constexpr static const std::size_t r = boost::static_log2::value; constexpr static const std::size_t m = 2; - typedef zk::snark::fri_commitment_scheme fri_type; + typedef zk::snark::fri_commitment_scheme fri_type; typedef typename fri_type::proof_type proof_type; typedef typename fri_type::params_type params_type; @@ -180,7 +180,7 @@ BOOST_AUTO_TEST_CASE(fri_steps_count_test) { constexpr static const std::size_t r = boost::static_log2::value; constexpr static const std::size_t m = 2; - typedef zk::snark::fri_commitment_scheme fri_type; + typedef zk::snark::fri_commitment_scheme fri_type; typedef typename fri_type::proof_type proof_type; typedef typename fri_type::params_type params_type; @@ -202,7 +202,7 @@ BOOST_AUTO_TEST_CASE(fri_steps_count_test) { std::array evaluation_points = {D[0]->get_domain_element(1).pow(5)}; std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; - zk::snark::fiat_shamir_heuristic_updated> transcript(init_blob); + zk::snark::fiat_shamir_heuristic_updated transcript(init_blob); proof_type proof = fri_type::proof_eval(f, f, commit_merkle, transcript, params); diff --git a/test/commitment/lpc.cpp b/test/commitment/lpc.cpp index 51ecc2692..74cd9f659 100644 --- a/test/commitment/lpc.cpp +++ b/test/commitment/lpc.cpp @@ -69,8 +69,8 @@ BOOST_AUTO_TEST_CASE(lpc_basic_test) { constexpr static const std::size_t r = boost::static_log2<(d - k)>::value; constexpr static const std::size_t m = 2; - typedef zk::snark::fri_commitment_scheme fri_type; - typedef list_polynomial_commitment_scheme lpc_type; + typedef zk::snark::fri_commitment_scheme fri_type; + typedef zk::snark::list_polynomial_commitment_scheme lpc_type; typedef typename lpc_type::proof_type proof_type; constexpr static const std::size_t d_extended = d; @@ -104,7 +104,7 @@ BOOST_AUTO_TEST_CASE(lpc_basic_test) { auto proof = lpc_type::proof_eval(evaluation_points, tree, f, transcript, fri_params); // verify - zk::snark::fiat_shamir_heuristic_updated> transcript_verifier(x_data); + zk::snark::fiat_shamir_heuristic_updated transcript_verifier(x_data); BOOST_CHECK(lpc_type::verify_eval(evaluation_points, proof, transcript_verifier, fri_params)); } diff --git a/test/commitment/lpc_performance.cpp b/test/commitment/lpc_performance.cpp index 7678d9627..79bf4ca82 100644 --- a/test/commitment/lpc_performance.cpp +++ b/test/commitment/lpc_performance.cpp @@ -109,8 +109,8 @@ BOOST_AUTO_TEST_CASE(lpc_performance_test) { constexpr static const std::size_t r = boost::static_log2<(d - k)>::value; constexpr static const std::size_t m = 2; - typedef zk::snark::fri_commitment_scheme fri_type; - typedef list_polynomial_commitment_scheme lpc_type; + typedef zk::snark::fri_commitment_scheme fri_type; + typedef zk::snark::list_polynomial_commitment_scheme lpc_type; typedef typename lpc_type::proof_type proof_type; constexpr static const std::size_t d_extended = d; diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index 287d73f33..586d7732f 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -125,7 +125,7 @@ typedef hashes::keccak_1600<512> transcript_hash_type; constexpr std::size_t m = 2; -typedef fri_commitment_scheme fri_type; +typedef fri_commitment_scheme fri_type; constexpr std::size_t argument_size = 3; @@ -148,7 +148,7 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { constexpr static const std::size_t lambda = 40; constexpr static const std::size_t k = 1; constexpr static const std::size_t r = table_rows_log - 1; - typedef list_polynomial_commitment_scheme lpc_type; + typedef list_polynomial_commitment_scheme lpc_type; typename fri_type::params_type fri_params = create_fri_params(table_rows_log); math::polynomial lagrange_0 = lagrange_polynomial(circuit.domain, 0); @@ -205,7 +205,7 @@ BOOST_AUTO_TEST_CASE(redshift_gate_argument_test) { constexpr static const std::size_t lambda = 40; constexpr static const std::size_t k = 1; constexpr static const std::size_t r = table_rows_log - 1; - typedef list_polynomial_commitment_scheme lpc_type; + typedef list_polynomial_commitment_scheme lpc_type; typename fri_type::params_type fri_params = create_fri_params(table_rows_log); math::polynomial lagrange_0 = lagrange_polynomial(circuit.domain, 0); From 1db7a71632bd0ffe0ef4efe3227b7ee435ec5902 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Sun, 20 Feb 2022 11:53:52 +0200 Subject: [PATCH 150/219] prover update #20 --- .../systems/plonk/redshift/gates_argument.hpp | 1 - .../snark/systems/plonk/redshift/prover.hpp | 34 ++++++++++++++++++- 2 files changed, 33 insertions(+), 2 deletions(-) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp index 706f44fa1..9eefe13c1 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp @@ -84,7 +84,6 @@ namespace nil { fiat_shamir_heuristic_updated &transcript) { typename FieldType::value_type theta = transcript.template challenge(); - std::array F; typename FieldType::value_type theta_acc = FieldType::value_type::one(); diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 4f08cdfae..722b2a73d 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -79,6 +79,34 @@ namespace nil { F_consolidated / preprocessed_data.Z; } + static inline std::vector + evaluation_proof(fiat_shamir_heuristic_updated &transcript, + FieldType::value_type omega) { + typename FieldType::value_type y = transcript.template challenge(); //TODO: define challenge space + + // witness polynomials (table columns) + std::vector rotation_gates = {}; + std::vector evaluation_points_gates(rotation_gates.size()); + for (std::size_t i = 0; i < evaluation_points_gates.size(); i++) { + evaluation_points_gates[i] = y * omega.pow(rotation_gates[i]); + } + + lpc::proof_type proof = lpc::proof_eval(evaluation_points_gates, tree, f, transcript, fri_params); + + // permutation polynomials + std::vector evaluation_points_permutation = {y, y * omega}; + + lpc::proof_type proof = lpc::proof_eval(evaluation_points_permutation, tree, f, transcript, fri_params); + + // quotient polynomial + std::vector rotation_gates = {}; + std::vector evaluation_points_quotient = {y}; + + lpc::proof_type proof = lpc::proof_eval(evaluation_points_quotient, tree, f, transcript, fri_params); + + return proof; + } + public: static inline typename types_policy::template proof_type process(const typename types_policy::template preprocessed_data_type preprocessed_data, @@ -138,7 +166,11 @@ namespace nil { std::size_t N_T = std::max(N_perm + N_PI, F[8].degree() - 1); std::array, N_T> T_splitted = ; auto T_commitments = lpc::commit(T_splitted, fri_params.D[0]); - transcript(T_commitments); + transcript(T_commitments); + + // 8. Run evaluation proofs + lpc::proof_type lpc_proof_witnesses = evaluation_proof(transcript, omega); + lpc::proof_type lpc_proof_witnesses = evaluation_proof(transcript, omega); // 8.1 Get $y \in \mathbb{F}/H$ from $hash|_{\mathbb{F}/H}(\text{transcript})$ // typename FieldType::value_type upsilon = From 7940e14d29f499558fd65dc540c0e6d9472ece08 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Sun, 20 Feb 2022 18:22:44 +0300 Subject: [PATCH 151/219] Redshift transcript usage updated. #20 --- .../snark/systems/plonk/redshift/prover.hpp | 17 ++++----- .../snark/systems/plonk/redshift/verifier.hpp | 38 +++++++++---------- 2 files changed, 25 insertions(+), 30 deletions(-) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 823d50350..9e0f7cc19 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -55,18 +55,20 @@ namespace nil { class redshift_prover { using types_policy = detail::redshift_types_policy; - using transcript_manifest = - typename types_policy::template prover_fiat_shamir_heuristic_manifest<8>; typedef typename containers::merkle_tree merkle_tree_type; typedef list_polynomial_commitment_scheme lpc; + constexpr static const std::size_t gate_parts = 1; + constexpr static const std::size_t permutation_parts = 3; + constexpr static const std::size_t f_parts = 9; + static inline math::polynomial quotient_polynomial() { // 7.1. Get $\alpha_0, \dots, \alpha_8 \in \mathbb{F}$ from $hash(\text{transcript})$ std::array alphas = - transcript.template challenges(); + transcript.template challenges(); // 7.2. Compute F_consolidated math::polynomial F_consolidated = {0}; @@ -90,7 +92,7 @@ namespace nil { N_rows = std::max(N_rows, wire_assignments.size()); } - fiat_shamir_heuristic transcript; + fiat_shamir_heuristic_updated transcript; // prepare a basic domain of the table size std::shared_ptr> domain = math::make_evaluation_domain(N_rows); @@ -108,11 +110,9 @@ namespace nil { std::copy(w.begin(), w.end(), f.begin()); // 4. permutation_argument - constexpr const std::size_t permutation_parts = 3; std::array, permutation_parts> permutation_argument = redshift_permutation_argument::prove_eval(transcript); - constexpr const std::size_t f_parts = 9; std::array, f_parts> F; F[0] = permutation_argument[0]; @@ -124,8 +124,7 @@ namespace nil { // lookup_argument = redshift_lookup_argument::prove_eval(transcript); // 6. circuit-satisfability - constexpr const std::size_t gate_parts = 1; - std::array, 1> prover_res = + std::array, gate_parts> prover_res = redshift_gates_argument::prove_eval(prover_transcript, circuit_rows, permutation_size, domain, lagrange_0, S_id, S_sigma, f, q_last, q_blind, fri_params); @@ -141,7 +140,7 @@ namespace nil { // 8.1 Get $y \in \mathbb{F}/H$ from $hash|_{\mathbb{F}/H}(\text{transcript})$ // typename FieldType::value_type upsilon = - // transcript.template challenge(); + // transcript.template challenge(); // std::array fT_evaluation_points = {upsilon}; // std::vector f_lpc_proofs(N_wires); diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp index 005c791de..5a62ca5f1 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp @@ -41,26 +41,28 @@ namespace nil { template + std::size_t lambda, + std::size_t k, + std::size_t r, + std::size_t m = 2> class redshift_verifier { using types_policy = detail::redshift_types_policy; - using transcript_manifest = types_policy::prover_fiat_shamir_heuristic_manifest<6>; - constexpr static const std::size_t k = ...; - constexpr static const std::size_t r = ...; - - constexpr static const typename FieldType::value_type omega = - algebra::get_root_of_unity() typedef list_polynomial_commitment_scheme< + typedef list_polynomial_commitment_scheme< FieldType, MerkleTreeHashType, lambda, k, r, m> lpc; + constexpr static const std::size_t gate_parts = 1; + constexpr static const std::size_t permutation_parts = 3; + constexpr static const std::size_t f_parts = 9; + public: static inline bool process(const types_policy::verification_key_type &verification_key, const types_policy::primary_input_type &primary_input, const types_policy::proof_type &proof) { - fiat_shamir_heuristic transcript; + fiat_shamir_heuristic_updated transcript; // 1. Add circuit definition to transctipt transcript(...); @@ -69,25 +71,18 @@ namespace nil { transcript(proof.f_commitments[i]); } - std::array permutation_argument = - redshift_permutation_argument::verify_argument(transcript); + std::array permutation_argument = + redshift_permutation_argument::verify_eval(transcript); - constexpr const std::size_t f_parts = 4; - std::array alphas; - for (std::size_t i = 0; i < f_parts; i++) { - typename TranscriptHashType::digest_type alpha_bytes = - transcript.get_challenge(); - alphas[i] = (algebra::marshalling(alpha_bytes)); - } + std::array alphas = + transcript.template challenges(); for (std::size_t i = 0; i < N_perm + 2; i++) { transcript(proof.T_commitments[i]); } - typename TranscriptHashType::digest_type upsilon_bytes = - transcript.get_challenge(); - - typename FieldType::value_type upsilon = algebra::marshalling(upsilon_bytes); + typename FieldType::value_type upsilon = + transcript.template challenge(); std::array fT_evaluation_points = {upsilon}; @@ -98,6 +93,7 @@ namespace nil { } } + const typename FieldType::value_type omega = algebra::get_root_of_unity(); std::array PQ_evaluation_points = {upsilon, upsilon * omega}; if (!lpc::verify_eval(PQ_evaluation_points, proof.P_commitment, proof.P_lpc_proof, ...)) { return false; From 42be9facd924ea4e5c929064da95b73a35c28dfc Mon Sep 17 00:00:00 2001 From: nkaskov Date: Sun, 20 Feb 2022 20:01:15 +0300 Subject: [PATCH 152/219] Redshift gates argument updated. #20 --- .../zk/snark/systems/plonk/redshift/gates_argument.hpp | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp index b5c1d37e4..55ae61cc2 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp @@ -42,11 +42,16 @@ namespace nil { namespace crypto3 { namespace zk { namespace snark { + template, std::size_t ArgumentSize = 1> - struct redshift_gates_argument { - constexpr static const std::size_t argument_size = ArgumentSize; + struct redshift_gates_argument; + + template + struct redshift_gates_argument { + constexpr static const std::size_t argument_size = 1; template static inline std::array, argument_size> From ee9d3cb301977e50fbd2f80ddfc12d3e04ba7fb6 Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Sun, 20 Feb 2022 20:27:22 +0300 Subject: [PATCH 153/219] Delete perf directory --- perf/components/routing.cpp | 110 ----------- .../profile_r1cs_mp_ppzkpcd.cpp | 48 ----- .../profile_r1cs_sp_ppzkpcd.cpp | 44 ----- .../bacs_ppzksnark/profile_bacs_ppzksnark.cpp | 57 ------ .../profile_r1cs_gg_ppzksnark.cpp | 62 ------- .../r1cs_ppzksnark/profile_r1cs_ppzksnark.cpp | 62 ------- .../profile_r1cs_se_ppzksnark.cpp | 62 ------- .../ram_ppzksnark/profile_ram_ppzksnark.cpp | 66 ------- .../tbcs_ppzksnark/profile_tbcs_ppzksnark.cpp | 55 ------ .../uscs_ppzksnark/profile_uscs_ppzksnark.cpp | 56 ------ .../ram_zksnark/profile_ram_zksnark.cpp | 175 ------------------ perf/routing_algorithms.cpp | 63 ------- 12 files changed, 860 deletions(-) delete mode 100644 perf/components/routing.cpp delete mode 100644 perf/proof_systems/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/profile_r1cs_mp_ppzkpcd.cpp delete mode 100644 perf/proof_systems/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/profile_r1cs_sp_ppzkpcd.cpp delete mode 100644 perf/proof_systems/ppzksnark/bacs_ppzksnark/profile_bacs_ppzksnark.cpp delete mode 100644 perf/proof_systems/ppzksnark/r1cs_gg_ppzksnark/profile_r1cs_gg_ppzksnark.cpp delete mode 100644 perf/proof_systems/ppzksnark/r1cs_ppzksnark/profile_r1cs_ppzksnark.cpp delete mode 100644 perf/proof_systems/ppzksnark/r1cs_se_ppzksnark/profile_r1cs_se_ppzksnark.cpp delete mode 100644 perf/proof_systems/ppzksnark/ram_ppzksnark/profile_ram_ppzksnark.cpp delete mode 100644 perf/proof_systems/ppzksnark/tbcs_ppzksnark/profile_tbcs_ppzksnark.cpp delete mode 100644 perf/proof_systems/ppzksnark/uscs_ppzksnark/profile_uscs_ppzksnark.cpp delete mode 100644 perf/proof_systems/zksnark/ram_zksnark/profile_ram_zksnark.cpp delete mode 100644 perf/routing_algorithms.cpp diff --git a/perf/components/routing.cpp b/perf/components/routing.cpp deleted file mode 100644 index 84307fc17..000000000 --- a/perf/components/routing.cpp +++ /dev/null @@ -1,110 +0,0 @@ -//---------------------------------------------------------------------------// -// Copyright (c) 2018-2021 Mikhail Komarov -// Copyright (c) 2020-2021 Nikita Kaskov -// -// MIT License -// -// Permission is hereby granted, free of charge, to any person obtaining a copy -// of this software and associated documentation files (the "Software"), to deal -// in the Software without restriction, including without limitation the rights -// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -// copies of the Software, and to permit persons to whom the Software is -// furnished to do so, subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -// SOFTWARE. -//---------------------------------------------------------------------------// -// @file Functions to profile implementations of Benes and AS-Waksman routing networks. -//---------------------------------------------------------------------------// - -#include - -#include -#include - -#include -#include - -using namespace nil::crypto3::zk::snark; - -template -void get_as_waksman_size(const std::size_t n, const std::size_t l, std::size_t &num_constraints, - std::size_t &num_variables) { - blueprint bp; - - std::vector> randbits(n), outbits(n); - for (std::size_t y = 0; y < n; ++y) { - randbits[y].allocate(bp, l); - outbits[y].allocate(bp, l); - } - - as_waksman_routing_component r(bp, n, randbits, outbits); - r.generate_r1cs_constraints(); - - num_constraints = bp.num_constraints(); - num_variables = bp.num_variables(); -} - -template -void get_benes_size(const std::size_t n, const std::size_t l, std::size_t &num_constraints, - std::size_t &num_variables) { - const std::size_t t = static_cast(std::ceil(std::log2(n))); - assert(n == 1ul << t); - - blueprint bp; - - std::vector> randbits(1ul << t), outbits(1ul << t); - for (std::size_t y = 0; y < 1ul << t; ++y) { - randbits[y].allocate(bp, l); - outbits[y].allocate(bp, l); - } - - benes_routing_component r(bp, n, randbits, outbits, n); - r.generate_r1cs_constraints(); - - num_constraints = bp.num_constraints(); - num_variables = bp.num_variables(); -} - -template -void profile_routing_components(const std::size_t l) { - for (std::size_t n = 2; n <= 65; ++n) { - std::size_t as_waksman_constr, as_waksman_vars; - get_as_waksman_size(n, l, as_waksman_constr, as_waksman_vars); - - const std::size_t rounded_n = 1ul << static_cast(std::ceil(std::log2(n))); - std::size_t benes_constr, benes_vars; - get_benes_size(rounded_n, l, benes_constr, benes_vars); - } -} - -template -void profile_num_switches(const std::size_t l) { - for (std::size_t n = 2; n <= 65; ++n) { - std::size_t as_waksman_constr, as_waksman_vars; - get_as_waksman_size(n, l, as_waksman_constr, as_waksman_vars); - - const std::size_t rounded_n = 1ul << static_cast(std::ceil(std::log2(n))); - std::size_t benes_constr, benes_vars; - get_benes_size(rounded_n, l, benes_constr, benes_vars); - - const std::size_t as_waksman_switches = (as_waksman_constr - n * (2 + l)) / 2; - const std::size_t benes_switches = (benes_constr - rounded_n * (2 + l)) / 2; - // const std::size_t benes_expected = static_cast(std::ceil(std::log2(rounded_n)))*rounded_n; // - // switch-Benes has (-rounded_n/2) term - } -} - -int main() { - - profile_routing_components(32 + 16 + 3 + 2); - profile_num_switches(1); -} diff --git a/perf/proof_systems/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/profile_r1cs_mp_ppzkpcd.cpp b/perf/proof_systems/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/profile_r1cs_mp_ppzkpcd.cpp deleted file mode 100644 index 7613a1823..000000000 --- a/perf/proof_systems/pcd/r1cs_pcd/r1cs_mp_ppzkpcd/profile_r1cs_mp_ppzkpcd.cpp +++ /dev/null @@ -1,48 +0,0 @@ -//---------------------------------------------------------------------------// -// Copyright (c) 2018-2021 Mikhail Komarov -// Copyright (c) 2020-2021 Nikita Kaskov -// -// MIT License -// -// Permission is hereby granted, free of charge, to any person obtaining a copy -// of this software and associated documentation files (the "Software"), to deal -// in the Software without restriction, including without limitation the rights -// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -// copies of the Software, and to permit persons to whom the Software is -// furnished to do so, subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -// SOFTWARE. -//---------------------------------------------------------------------------// - -#include -#include -#include - -using namespace nil::crypto3::zk::snark; - -template -void profile_tally(const std::size_t arity, const std::size_t max_layer) { - const std::size_t wordsize = 32; - const bool test_multi_type = true; - const bool test_same_type_optimization = false; - const bool bit = run_r1cs_mp_ppzkpcd_tally_example(wordsize, arity, max_layer, test_multi_type, - test_same_type_optimization); - assert(bit); -} - -int main(void) { - - const std::size_t arity = 2; - const std::size_t max_layer = 2; - - profile_tally(arity, max_layer); -} diff --git a/perf/proof_systems/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/profile_r1cs_sp_ppzkpcd.cpp b/perf/proof_systems/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/profile_r1cs_sp_ppzkpcd.cpp deleted file mode 100644 index 48e3a0ebd..000000000 --- a/perf/proof_systems/pcd/r1cs_pcd/r1cs_sp_ppzkpcd/profile_r1cs_sp_ppzkpcd.cpp +++ /dev/null @@ -1,44 +0,0 @@ -//---------------------------------------------------------------------------// -// Copyright (c) 2018-2021 Mikhail Komarov -// Copyright (c) 2020-2021 Nikita Kaskov -// -// MIT License -// -// Permission is hereby granted, free of charge, to any person obtaining a copy -// of this software and associated documentation files (the "Software"), to deal -// in the Software without restriction, including without limitation the rights -// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -// copies of the Software, and to permit persons to whom the Software is -// furnished to do so, subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -// SOFTWARE. -//---------------------------------------------------------------------------// - -#include -#include -#include - -using namespace nil::crypto3::zk::snark; - -template -void profile_tally(const std::size_t arity, const std::size_t max_layer) { - const std::size_t wordsize = 32; - const bool bit = run_r1cs_sp_ppzkpcd_tally_example(wordsize, arity, max_layer); - assert(bit); -} - -int main(void) { - const std::size_t arity = 2; - const std::size_t max_layer = 2; - - profile_tally(arity, max_layer); -} diff --git a/perf/proof_systems/ppzksnark/bacs_ppzksnark/profile_bacs_ppzksnark.cpp b/perf/proof_systems/ppzksnark/bacs_ppzksnark/profile_bacs_ppzksnark.cpp deleted file mode 100644 index 0578492dd..000000000 --- a/perf/proof_systems/ppzksnark/bacs_ppzksnark/profile_bacs_ppzksnark.cpp +++ /dev/null @@ -1,57 +0,0 @@ -//---------------------------------------------------------------------------// -// Copyright (c) 2018-2021 Mikhail Komarov -// Copyright (c) 2020-2021 Nikita Kaskov -// -// MIT License -// -// Permission is hereby granted, free of charge, to any person obtaining a copy -// of this software and associated documentation files (the "Software"), to deal -// in the Software without restriction, including without limitation the rights -// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -// copies of the Software, and to permit persons to whom the Software is -// furnished to do so, subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -// SOFTWARE. -//---------------------------------------------------------------------------// - -#include - -#include -#include -#include - -using namespace nil::crypto3::zk::snark; - -int main(int argc, const char *argv[]) { - if (argc == 2 && strcmp(argv[1], "-v") == 0) { - algebra::print_compilation_info(); - return 0; - } - - if (argc != 3) { - printf("usage: %s num_gates primary_input_size\n", argv[0]); - return 1; - } - const int num_gates = atoi(argv[1]); - int primary_input_size = atoi(argv[2]); - - const std::size_t auxiliary_input_size = 0; - const std::size_t num_outputs = num_gates / 2; - - std::cout << "Generate BACS example" << std::endl; - bacs_example example = - generate_bacs_example( - primary_input_size, auxiliary_input_size, num_gates, num_outputs); - - std::cout << "(enter) Profile BACS ppzkSNARK" << std::endl; - run_bacs_ppzksnark(example); -} diff --git a/perf/proof_systems/ppzksnark/r1cs_gg_ppzksnark/profile_r1cs_gg_ppzksnark.cpp b/perf/proof_systems/ppzksnark/r1cs_gg_ppzksnark/profile_r1cs_gg_ppzksnark.cpp deleted file mode 100644 index 309f8e588..000000000 --- a/perf/proof_systems/ppzksnark/r1cs_gg_ppzksnark/profile_r1cs_gg_ppzksnark.cpp +++ /dev/null @@ -1,62 +0,0 @@ -//---------------------------------------------------------------------------// -// Copyright (c) 2018-2021 Mikhail Komarov -// Copyright (c) 2020-2021 Nikita Kaskov -// -// MIT License -// -// Permission is hereby granted, free of charge, to any person obtaining a copy -// of this software and associated documentation files (the "Software"), to deal -// in the Software without restriction, including without limitation the rights -// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -// copies of the Software, and to permit persons to whom the Software is -// furnished to do so, subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -// SOFTWARE. -//---------------------------------------------------------------------------// - -#include -#include - -#include -#include -#include - -using namespace nil::crypto3::zk::snark; - -int main(int argc, const char *argv[]) { - if (argc == 2 && strcmp(argv[1], "-v") == 0) { - algebra::print_compilation_info(); - return 0; - } - - if (argc != 3 && argc != 4) { - printf("usage: %s num_constraints input_size [Fr|bytes]\n", argv[0]); - return 1; - } - const int num_constraints = atoi(argv[1]); - int input_size = atoi(argv[2]); - if (argc == 4) { - assert(strcmp(argv[3], "Fr") == 0 || strcmp(argv[3], "bytes") == 0); - if (strcmp(argv[3], "bytes") == 0) { - input_size = (8 * input_size + (typename algebra::default_ec_pp::scalar_field_type::capacity()) - 1) / - typename algebra::default_ec_pp::scalar_field_type::capacity(); - } - } - - std::cout << "Generate R1CS example" << std::endl; - r1cs_example example = - generate_r1cs_example_with_field_input( - num_constraints, input_size); - - std::cout << "Profile R1CS GG-ppzkSNARK" << std::endl; - run_r1cs_gg_ppzksnark(example); -} diff --git a/perf/proof_systems/ppzksnark/r1cs_ppzksnark/profile_r1cs_ppzksnark.cpp b/perf/proof_systems/ppzksnark/r1cs_ppzksnark/profile_r1cs_ppzksnark.cpp deleted file mode 100644 index a89df0e23..000000000 --- a/perf/proof_systems/ppzksnark/r1cs_ppzksnark/profile_r1cs_ppzksnark.cpp +++ /dev/null @@ -1,62 +0,0 @@ -//---------------------------------------------------------------------------// -// Copyright (c) 2018-2021 Mikhail Komarov -// Copyright (c) 2020-2021 Nikita Kaskov -// -// MIT License -// -// Permission is hereby granted, free of charge, to any person obtaining a copy -// of this software and associated documentation files (the "Software"), to deal -// in the Software without restriction, including without limitation the rights -// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -// copies of the Software, and to permit persons to whom the Software is -// furnished to do so, subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -// SOFTWARE. -//---------------------------------------------------------------------------// - -#include -#include - -#include -#include -#include - -using namespace nil::crypto3::zk::snark; - -int main(int argc, const char *argv[]) { - if (argc == 2 && strcmp(argv[1], "-v") == 0) { - algebra::print_compilation_info(); - return 0; - } - - if (argc != 3 && argc != 4) { - printf("usage: %s num_constraints input_size [Fr|bytes]\n", argv[0]); - return 1; - } - const int num_constraints = atoi(argv[1]); - int input_size = atoi(argv[2]); - if (argc == 4) { - assert(strcmp(argv[3], "Fr") == 0 || strcmp(argv[3], "bytes") == 0); - if (strcmp(argv[3], "bytes") == 0) { - input_size = (8 * input_size + (typename algebra::default_ec_pp::scalar_field_type::capacity()) - 1) / - typename algebra::default_ec_pp::scalar_field_type::capacity(); - } - } - - std::cout << "Generate R1CS example" << std::endl; - r1cs_example example = - generate_r1cs_example_with_field_input(num_constraints, - input_size); - - std::cout << "Profile R1CS ppzkSNARK" << std::endl; - run_r1cs_ppzksnark(example); -} diff --git a/perf/proof_systems/ppzksnark/r1cs_se_ppzksnark/profile_r1cs_se_ppzksnark.cpp b/perf/proof_systems/ppzksnark/r1cs_se_ppzksnark/profile_r1cs_se_ppzksnark.cpp deleted file mode 100644 index 7d3e2185a..000000000 --- a/perf/proof_systems/ppzksnark/r1cs_se_ppzksnark/profile_r1cs_se_ppzksnark.cpp +++ /dev/null @@ -1,62 +0,0 @@ -//---------------------------------------------------------------------------// -// Copyright (c) 2018-2021 Mikhail Komarov -// Copyright (c) 2020-2021 Nikita Kaskov -// -// MIT License -// -// Permission is hereby granted, free of charge, to any person obtaining a copy -// of this software and associated documentation files (the "Software"), to deal -// in the Software without restriction, including without limitation the rights -// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -// copies of the Software, and to permit persons to whom the Software is -// furnished to do so, subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -// SOFTWARE. -//---------------------------------------------------------------------------// - -#include -#include - -#include -#include -#include - -using namespace nil::crypto3::zk::snark; - -int main(int argc, const char *argv[]) { - if (argc == 2 && strcmp(argv[1], "-v") == 0) { - algebra::print_compilation_info(); - return 0; - } - - if (argc != 3 && argc != 4) { - printf("usage: %s num_constraints input_size [Fr|bytes]\n", argv[0]); - return 1; - } - const int num_constraints = atoi(argv[1]); - int input_size = atoi(argv[2]); - if (argc == 4) { - assert(strcmp(argv[3], "Fr") == 0 || strcmp(argv[3], "bytes") == 0); - if (strcmp(argv[3], "bytes") == 0) { - input_size = (8 * input_size + (typename algebra::default_ec_pp::scalar_field_type::capacity()) - 1) / - typename algebra::default_ec_pp::scalar_field_type::capacity(); - } - } - - std::cout << "Generate R1CS example" << std::endl; - r1cs_example example = - generate_r1cs_example_with_field_input( - num_constraints, input_size); - - std::cout << "Profile R1CS SEppzkSNARK" << std::endl; - run_r1cs_se_ppzksnark(example); -} diff --git a/perf/proof_systems/ppzksnark/ram_ppzksnark/profile_ram_ppzksnark.cpp b/perf/proof_systems/ppzksnark/ram_ppzksnark/profile_ram_ppzksnark.cpp deleted file mode 100644 index 48f4b4a31..000000000 --- a/perf/proof_systems/ppzksnark/ram_ppzksnark/profile_ram_ppzksnark.cpp +++ /dev/null @@ -1,66 +0,0 @@ -//---------------------------------------------------------------------------// -// Copyright (c) 2018-2021 Mikhail Komarov -// Copyright (c) 2020-2021 Nikita Kaskov -// -// MIT License -// -// Permission is hereby granted, free of charge, to any person obtaining a copy -// of this software and associated documentation files (the "Software"), to deal -// in the Software without restriction, including without limitation the rights -// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -// copies of the Software, and to permit persons to whom the Software is -// furnished to do so, subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -// SOFTWARE. -//---------------------------------------------------------------------------// - -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include - -using namespace nil::crypto3::zk::snark; - -int main(int argc, const char *argv[]) { - if (argc == 2 && strcmp(argv[1], "-v") == 0) { - algebra::print_compilation_info(); - return 0; - } - - if (argc != 6) { - printf("usage: %s word_size reg_count program_size input_size time_bound\n", argv[0]); - return 1; - } - - const std::size_t w = atoi(argv[1]), k = atoi(argv[2]), program_size = atoi(argv[3]), input_size = atoi(argv[4]), - time_bound = atoi(argv[5]); - - typedef ram_ppzksnark_machine_pp machine_ppT; - - const ram_ppzksnark_architecture_params ap(w, k); - - std::cout << "Generate RAM example" << std::endl; - const std::size_t boot_trace_size_bound = program_size + input_size; - const bool satisfiable = true; - ram_example example = - gen_ram_example_complex(ap, boot_trace_size_bound, time_bound, satisfiable); - - std::cout << "Profile RAM ppzkSNARK" << std::endl; - run_ram_ppzksnark(example); -} diff --git a/perf/proof_systems/ppzksnark/tbcs_ppzksnark/profile_tbcs_ppzksnark.cpp b/perf/proof_systems/ppzksnark/tbcs_ppzksnark/profile_tbcs_ppzksnark.cpp deleted file mode 100644 index 2c14c0098..000000000 --- a/perf/proof_systems/ppzksnark/tbcs_ppzksnark/profile_tbcs_ppzksnark.cpp +++ /dev/null @@ -1,55 +0,0 @@ -//---------------------------------------------------------------------------// -// Copyright (c) 2018-2021 Mikhail Komarov -// Copyright (c) 2020-2021 Nikita Kaskov -// -// MIT License -// -// Permission is hereby granted, free of charge, to any person obtaining a copy -// of this software and associated documentation files (the "Software"), to deal -// in the Software without restriction, including without limitation the rights -// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -// copies of the Software, and to permit persons to whom the Software is -// furnished to do so, subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -// SOFTWARE. -//---------------------------------------------------------------------------// - -#include - -#include -#include -#include - -using namespace nil::crypto3::zk::snark; - -int main(int argc, const char *argv[]) { - if (argc == 2 && strcmp(argv[1], "-v") == 0) { - algebra::print_compilation_info(); - return 0; - } - - if (argc != 3) { - printf("usage: %s num_gates primary_input_size\n", argv[0]); - return 1; - } - const int num_gates = atoi(argv[1]); - int primary_input_size = atoi(argv[2]); - - const std::size_t auxiliary_input_size = 0; - const std::size_t num_outputs = num_gates / 2; - - std::cout << "Generate TBCS example" << std::endl; - tbcs_example example = generate_tbcs_example(primary_input_size, auxiliary_input_size, num_gates, num_outputs); - - std::cout << "Profile TBCS ppzkSNARK" << std::endl; - run_tbcs_ppzksnark(example); -} diff --git a/perf/proof_systems/ppzksnark/uscs_ppzksnark/profile_uscs_ppzksnark.cpp b/perf/proof_systems/ppzksnark/uscs_ppzksnark/profile_uscs_ppzksnark.cpp deleted file mode 100644 index b160b6ea2..000000000 --- a/perf/proof_systems/ppzksnark/uscs_ppzksnark/profile_uscs_ppzksnark.cpp +++ /dev/null @@ -1,56 +0,0 @@ -//---------------------------------------------------------------------------// -// Copyright (c) 2018-2021 Mikhail Komarov -// Copyright (c) 2020-2021 Nikita Kaskov -// -// MIT License -// -// Permission is hereby granted, free of charge, to any person obtaining a copy -// of this software and associated documentation files (the "Software"), to deal -// in the Software without restriction, including without limitation the rights -// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -// copies of the Software, and to permit persons to whom the Software is -// furnished to do so, subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -// SOFTWARE. -//---------------------------------------------------------------------------// - -#include -#include - -#include -#include -#include - -using namespace nil::crypto3::zk::snark; - -int main(int argc, const char *argv[]) { - if (argc == 2 && strcmp(argv[1], "-v") == 0) { - algebra::print_compilation_info(); - return 0; - } - - if (argc != 3) { - printf("usage: %s num_constraints input_size\n", argv[0]); - return 1; - } - - const int num_constraints = atoi(argv[1]); - const int input_size = atoi(argv[2]); - - std::cout << "Generate USCS example" << std::endl; - uscs_example example = - generate_uscs_example_with_field_input(num_constraints, - input_size); - - std::cout << "Profile USCS ppzkSNARK" << std::endl; - run_uscs_ppzksnark(example); -} diff --git a/perf/proof_systems/zksnark/ram_zksnark/profile_ram_zksnark.cpp b/perf/proof_systems/zksnark/ram_zksnark/profile_ram_zksnark.cpp deleted file mode 100644 index 72cc29379..000000000 --- a/perf/proof_systems/zksnark/ram_zksnark/profile_ram_zksnark.cpp +++ /dev/null @@ -1,175 +0,0 @@ -//---------------------------------------------------------------------------// -// Copyright (c) 2018-2021 Mikhail Komarov -// Copyright (c) 2020-2021 Nikita Kaskov -// -// MIT License -// -// Permission is hereby granted, free of charge, to any person obtaining a copy -// of this software and associated documentation files (the "Software"), to deal -// in the Software without restriction, including without limitation the rights -// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -// copies of the Software, and to permit persons to whom the Software is -// furnished to do so, subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -// SOFTWARE. -//---------------------------------------------------------------------------// - -#include - -#include -#include -#include -#include -#include -#include - -using namespace nil::crypto3::zk::snark; - -template -void simulate_random_memory_contents(const tinyram_architecture_params &ap, const std::size_t input_size, - const std::size_t program_size) { - const std::size_t num_addresses = 1ul << ap.dwaddr_len(); - const std::size_t value_size = 2 * ap.w; - memory_contents init_random = - random_memory_contents(num_addresses, value_size, program_size + (input_size + 1) / 2); - - std::cout << "Initialize random delegated memory" << std::endl; - delegated_ra_memory dm_random(num_addresses, value_size, init_random); -} - -template -void profile_ram_zksnark_verifier(const tinyram_architecture_params &ap, const std::size_t input_size, - const std::size_t program_size) { - typedef ram_zksnark_machine_pp RAMType; - const std::size_t time_bound = 10; - - const std::size_t boot_trace_size_bound = program_size + input_size; - const ram_example example = gen_ram_example_complex(ap, boot_trace_size_bound, time_bound, true); - - ram_zksnark_proof pi; - ram_zksnark_verification_key vk = ram_zksnark_verification_key::dummy_verification_key(ap); - - std::cout << "Verify fake proof" << std::endl; - ram_zksnark_verifier(vk, example.boot_trace, time_bound, pi); -} - -template -void print_ram_zksnark_verifier_profiling() { - algebra::inhibit_profiling_info = true; - for (std::size_t w : {16, 32}) { - const std::size_t k = 16; - - for (std::size_t input_size : {0, 10, 100}) { - for (std::size_t program_size = 10; program_size <= 10000; program_size *= 10) { - const tinyram_architecture_params ap(w, k); - - profile_ram_zksnark_verifier(ap, input_size, program_size); - - const double input_map = algebra::last_times["Call to ram_zksnark_verifier_input_map"]; - const double preprocessing = algebra::last_times["Call to r1cs_ppzksnark_process_verification_key"]; - const double accumulate = algebra::last_times["Call to r1cs_ppzksnark_IC_query::accumulate"]; - const double pairings = algebra::last_times["Online pairing computations"]; - const double total = algebra::last_times["Call to ram_zksnark_verifier"]; - const double rest = total - (input_map + preprocessing + accumulate + pairings); - - const double delegated_ra_memory_init = - algebra::last_times["Construct delegated_ra_memory from memory map"]; - simulate_random_memory_contents>(ap, input_size, - program_size); - const double delegated_ra_memory_init_random = - algebra::last_times["Initialize random delegated memory"]; - const double input_map_random = input_map - delegated_ra_memory_init + delegated_ra_memory_init_random; - const double total_random = total - delegated_ra_memory_init + delegated_ra_memory_init_random; - - printf( - "w = %zu, k = %zu, program_size = %zu, input_size = %zu, input_map = %0.2fms, preprocessing = " - "%0.2fms, accumulate = %0.2fms, pairings = %0.2fms, rest = %0.2fms, total = %0.2fms " - "(input_map_random = %0.2fms, total_random = %0.2fms)\n", - w, k, program_size, input_size, input_map * 1e-6, preprocessing * 1e-6, accumulate * 1e-6, - pairings * 1e-6, rest * 1e-6, total * 1e-6, input_map_random * 1e-6, total_random * 1e-6); - } - } - } -} - -template -void profile_ram_zksnark(const tinyram_architecture_params &ap, const std::size_t program_size, - const std::size_t input_size, const std::size_t time_bound) { - typedef ram_zksnark_machine_pp RAMType; - - const std::size_t boot_trace_size_bound = program_size + input_size; - const ram_example example = gen_ram_example_complex(ap, boot_trace_size_bound, time_bound, true); - const bool bit = run_ram_zksnark(example); - assert(bit); -} - -namespace po = boost::program_options; - -bool process_command_line(const int argc, const char **argv, bool &profile_gp, std::size_t &w, std::size_t &k, - bool &profile_v, std::size_t &l) { - try { - po::options_description desc("Usage"); - desc.add_options()("help", "print this help message")("profile_gp", "profile generator and prover")( - "w", po::value(&w)->default_value(16), "word size")( - "k", po::value(&k)->default_value(16), "register count")("profile_v", "profile verifier")( - "v", "print version info")("l", po::value(&l)->default_value(10), "program length"); - - po::variables_map vm; - po::store(po::parse_command_line(argc, argv, desc), vm); - - if (vm.count("v")) { - algebra::print_compilation_info(); - } - - if (vm.count("help")) { - std::cout << desc << "\n"; - return false; - } - - profile_gp = vm.count("profile_gp"); - profile_v = vm.count("profile_v"); - - if (!(vm.count("profile_gp") ^ vm.count("profile_v"))) { - std::cout << "Must choose between profiling generator/prover and profiling verifier (see --help)\n"; - return false; - } - - po::notify(vm); - } catch (std::exception &e) { - std::cerr << "Error: " << e.what() << "\n"; - return false; - } - - return true; -} - -int main(int argc, const char *argv[]) { - bool profile_gp; - std::size_t w; - std::size_t k; - bool profile_v; - std::size_t l; - - if (!process_command_line(argc, argv, profile_gp, w, k, profile_v, l)) { - return 1; - } - - tinyram_architecture_params ap(w, k); - - if (profile_gp) { - profile_ram_zksnark(ap, 100, 100, 10); // w, k, l, n, T - } - - if (profile_v) { - profile_ram_zksnark_verifier(ap, l / 2, l / 2); - } -} diff --git a/perf/routing_algorithms.cpp b/perf/routing_algorithms.cpp deleted file mode 100644 index a381d94a3..000000000 --- a/perf/routing_algorithms.cpp +++ /dev/null @@ -1,63 +0,0 @@ -//---------------------------------------------------------------------------// -// Copyright (c) 2018-2021 Mikhail Komarov -// Copyright (c) 2020-2021 Nikita Kaskov -// -// MIT License -// -// Permission is hereby granted, free of charge, to any person obtaining a copy -// of this software and associated documentation files (the "Software"), to deal -// in the Software without restriction, including without limitation the rights -// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -// copies of the Software, and to permit persons to whom the Software is -// furnished to do so, subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -// SOFTWARE. -//---------------------------------------------------------------------------// -// @file Functions to profile the algorithms that route on Benes and AS-Waksman networks. -//---------------------------------------------------------------------------// - -#include - -#include -#include - -using namespace nil::crypto3::zk::snark; - -void profile_benes_algorithm(const std::size_t n) { - printf("* Size: %zu\n", n); - - assert(n == 1ul << static_cast(std::ceil(std::log2(n)))); - - integer_permutation permutation(n); - permutation.random_shuffle(); - - const benes_routing routing = get_benes_routing(permutation); -} - -void profile_as_waksman_algorithm(const std::size_t n) { - printf("* Size: %zu\n", n); - - integer_permutation permutation(n); - permutation.random_shuffle(); - - const as_waksman_routing routing = get_as_waksman_routing(permutation); -} - -int main() { - for (std::size_t n = 1ul << 10; n <= 1ul << 20; n <<= 1) { - profile_benes_algorithm(n); - } - - for (std::size_t n = 1ul << 10; n <= 1ul << 20; n <<= 1) { - profile_as_waksman_algorithm(n); - } -} From c8000ecd3d4e873bdeb99f1afe7e857c160f98d5 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Sun, 20 Feb 2022 21:45:52 +0200 Subject: [PATCH 154/219] gate argument update #20 --- .../snark/relations/non_linear_combination.hpp | 16 ++++++++++++++++ .../systems/plonk/redshift/gates_argument.hpp | 3 ++- test/systems/plonk/redshift.cpp | 11 +++++++++++ 3 files changed, 29 insertions(+), 1 deletion(-) diff --git a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp index 3acf2689b..c92d78d12 100644 --- a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp +++ b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp @@ -229,6 +229,22 @@ namespace nil { return acc; } + template + field_value_type + evaluate( + const std::array &assignment) const { + field_value_type acc = field_value_type::zero(); + for (const non_linear_term &nlt : terms) { + field_value_type term_value = nlt.coeff; + + for (const variable &var : nlt.vars) { + term_value = term_value * assignment[var.wire_index]; + } + acc = acc + term_value * nlt.coeff; + } + return acc; + } + non_linear_combination operator*(const field_value_type &field_coeff) const { non_linear_combination result; result.terms.reserve(this->terms.size()); diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp index d640912fd..18944bf65 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp @@ -81,6 +81,7 @@ namespace nil { static inline std::array verify_eval(const std::vector> &gates, const std::array &columns_values, + typename FieldType::value_type challenge, fiat_shamir_heuristic_updated &transcript) { typename FieldType::value_type theta = transcript.template challenge(); @@ -96,7 +97,7 @@ namespace nil { theta_acc *= theta; } - gate_result = gate_result * gates[i].selector; + gate_result = gate_result * gates[i].selector.evaluate(challenge); F[0] = F[0] + gate_result; } diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index 586d7732f..4aedfcd15 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -216,6 +216,17 @@ BOOST_AUTO_TEST_CASE(redshift_gate_argument_test) { std::array, 1> prover_res = redshift_gates_argument::prove_eval(circuit.gates, circuit.column_polynomials, prover_transcript); + + // Challenge phase + typename FieldType::value_type y = algebra::random_element(); + + std::array columns_at_y; + for (int i = 0; i < table_columns; i++) { + columns_at_y[i] = circuit.column_polynomials[i].evaluate(y); + } + + /*std::array verifier_res = + redshift_gates_argument::verify_eval(circuit.gates, columns_at_y, verifier_transcript);*/ } BOOST_AUTO_TEST_SUITE_END() \ No newline at end of file From 8194da49b3b26c8a488255d32984824fb2a8d3c3 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Sun, 20 Feb 2022 21:56:10 +0200 Subject: [PATCH 155/219] gates argument test --- .../systems/plonk/redshift/gates_argument.hpp | 1 + test/systems/plonk/redshift.cpp | 22 ++++++++++++------- 2 files changed, 15 insertions(+), 8 deletions(-) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp index 159f13992..144bba92e 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp @@ -98,6 +98,7 @@ namespace nil { typename FieldType::value_type gate_result = {0}; for (std::size_t j = 0; j < gates[i].constraints.size(); j++) { + //TODO: rotation map gate_result = gate_result + gates[i].constraints[j].evaluate(columns_values) * theta_acc; theta_acc *= theta; } diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index 4aedfcd15..c828d01c2 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -140,10 +140,10 @@ BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { const std::size_t table_rows_log = 4; const std::size_t table_rows = 1 << table_rows_log; - const std::size_t table_columns = 3; - const std::size_t permutation_size = 3; + const std::size_t table_columns = 4; + const std::size_t permutation_size = 4; const std::size_t usable_rows = 1 << table_rows_log; - circuit_description circuit = circuit_test_1(); + circuit_description circuit = circuit_test_2(); constexpr static const std::size_t lambda = 40; constexpr static const std::size_t k = 1; @@ -197,10 +197,10 @@ BOOST_AUTO_TEST_CASE(redshift_lookup_argument_test) { BOOST_AUTO_TEST_CASE(redshift_gate_argument_test) { const std::size_t table_rows_log = 4; const std::size_t table_rows = 1 << table_rows_log; - const std::size_t table_columns = 3; - const std::size_t permutation_size = 3; + const std::size_t table_columns = 4; + const std::size_t permutation_size = 4; const std::size_t usable_rows = 1 << table_rows_log; - circuit_description circuit = circuit_test_1(); + circuit_description circuit = circuit_test_2(); constexpr static const std::size_t lambda = 40; constexpr static const std::size_t k = 1; @@ -225,8 +225,14 @@ BOOST_AUTO_TEST_CASE(redshift_gate_argument_test) { columns_at_y[i] = circuit.column_polynomials[i].evaluate(y); } - /*std::array verifier_res = - redshift_gates_argument::verify_eval(circuit.gates, columns_at_y, verifier_transcript);*/ + std::array verifier_res = + redshift_gates_argument::verify_eval(circuit.gates, columns_at_y, y, verifier_transcript); + + typename FieldType::value_type verifier_next_challenge = verifier_transcript.template challenge(); + typename FieldType::value_type prover_next_challenge = prover_transcript.template challenge(); + BOOST_CHECK(verifier_next_challenge == prover_next_challenge); + + BOOST_CHECK(prover_res[0].evaluate(y) == verifier_res[0]); } BOOST_AUTO_TEST_SUITE_END() \ No newline at end of file From f735e96c1dbce389217bf39a1c35812ee22d7eee Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Sun, 20 Feb 2022 23:48:27 +0200 Subject: [PATCH 156/219] prover test init #20 --- .../systems/plonk/redshift/preprocessor.hpp | 15 +++- .../snark/systems/plonk/redshift/prover.hpp | 31 +++----- .../zk/snark/systems/plonk/redshift/types.hpp | 4 +- .../snark/systems/plonk/redshift/verifier.hpp | 18 +++-- test/systems/plonk/redshift.cpp | 77 ++++++++----------- 5 files changed, 67 insertions(+), 78 deletions(-) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp index 999113f81..7e9750332 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp @@ -118,13 +118,20 @@ namespace nil { return q_last; } - /*static inline typename types_policy::template preprocessed_data_type + static inline typename types_policy::template preprocessed_data_type process(const typename types_policy::constraint_system_type &constraint_system, const typename types_policy::variable_assignment_type &assignments) { typename types_policy::template preprocessed_data_type data; - data.omega = math::unity_root(math::detail::power_of_two(k)); + std::size_t N_rows = 0; + for (auto &wire_assignments : assignments) { + N_rows = std::max(N_rows, wire_assignments.size()); + } + + data.basic_domain = math::make_evaluation_domain(N_rows); + + /*data.omega = math::unity_root(math::detail::power_of_two(k)); data.Z = {1}; // data.selectors = constraint_system.selectors(); // ... copy_constraints = constraint_system.copy_constraints(); @@ -132,10 +139,10 @@ namespace nil { // data.permutations = ...(copy_constraints); // data.identity_permutations = ...(copy_constraints); - // data.Lagrange_basis = math::polynomial::Lagrange_basis(data.omega, ...(assignments).n); + // data.Lagrange_basis = math::polynomial::Lagrange_basis(data.omega, ...(assignments).n);*/ return data; - }*/ + } }; } // namespace snark } // namespace zk diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 65d6c4fb5..91cd48fba 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -27,8 +27,6 @@ #define CRYPTO3_ZK_PLONK_REDSHIFT_PROVER_HPP #include -#include -#include #include @@ -58,13 +56,13 @@ namespace nil { typedef typename containers::merkle_tree merkle_tree_type; - typedef list_polynomial_commitment_scheme lpc; + typedef list_polynomial_commitment_scheme lpc; constexpr static const std::size_t gate_parts = 1; constexpr static const std::size_t permutation_parts = 3; constexpr static const std::size_t f_parts = 9; - static inline math::polynomial + /*static inline math::polynomial quotient_polynomial() { // 7.1. Get $\alpha_0, \dots, \alpha_8 \in \mathbb{F}$ from $hash(\text{transcript})$ std::array alphas = @@ -78,11 +76,11 @@ namespace nil { math::polynomial T_consolidated = F_consolidated / preprocessed_data.Z; - } + }*/ - static inline std::vector + /*static inline std::vector evaluation_proof(fiat_shamir_heuristic_updated &transcript, - FieldType::value_type omega) { + typename FieldType::value_type omega) { typename FieldType::value_type y = transcript.template challenge(); //TODO: define challenge space // witness polynomials (table columns) @@ -106,26 +104,15 @@ namespace nil { lpc::proof_type proof = lpc::proof_eval(evaluation_points_quotient, tree, f, transcript, fri_params); return proof; - } + }*/ public: static inline typename types_policy::template proof_type process(const typename types_policy::template preprocessed_data_type preprocessed_data, const typename types_policy::constraint_system_type &constraint_system, - const typename types_policy::variable_assignment_type &assignments, - const typename types_policy::public_input_type &PI) { - - std::size_t N_rows = 0; // TODO: It should be in preprocessor - for (auto &wire_assignments : assignments) { - N_rows = std::max(N_rows, wire_assignments.size()); - } - - fiat_shamir_heuristic_updated transcript; - // prepare a basic domain of the table size - std::shared_ptr> domain = - math::make_evaluation_domain(N_rows); + const typename types_policy::variable_assignment_type &assignments) { - // 1. Add circuit definition to transctipt + /*// 1. Add circuit definition to transctipt transcript(...); // 2. Commit witness columns @@ -185,7 +172,7 @@ namespace nil { // for (std::size_t i = 0; i < N_perm + 1; i++) { // T_lpc_proofs.push_back(lpc::proof_eval(fT_evaluation_points, T_trees[i], T[i], D_0)); - // } + // }*/ typename types_policy::template proof_type proof; // = typename types_policy::proof_type(std::move(f_commitments), std::move(T_commitments), diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp index 0275fe17b..5d9195860 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp @@ -32,6 +32,8 @@ #include #include #include +#include +#include #include #include @@ -70,7 +72,7 @@ namespace nil { template struct preprocessed_data_type { - typename FieldType::value_type omega; + std::shared_ptr> basic_domain; std::vector> selectors; // S_sigma diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp index 5a62ca5f1..65a754121 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp @@ -41,16 +41,17 @@ namespace nil { template class redshift_verifier { - using types_policy = detail::redshift_types_policy; + using types_policy = detail::redshift_types_policy; typedef list_polynomial_commitment_scheme< - FieldType, MerkleTreeHashType, lambda, k, r, m> + FieldType, MerkleTreeHashType, TranscriptHashType, lambda, k, r, m> lpc; constexpr static const std::size_t gate_parts = 1; @@ -58,14 +59,14 @@ namespace nil { constexpr static const std::size_t f_parts = 9; public: - static inline bool process(const types_policy::verification_key_type &verification_key, - const types_policy::primary_input_type &primary_input, - const types_policy::proof_type &proof) { + static inline bool process(//const types_policy::verification_key_type &verification_key, + //const types_policy::primary_input_type &primary_input, + const typename types_policy::template proof_type &proof) { - fiat_shamir_heuristic_updated transcript; + fiat_shamir_heuristic_updated transcript(std::vector()); // 1. Add circuit definition to transctipt - transcript(...); + /*transcript(...); for (std::size_t i = 0; i < N_wires; i++) { transcript(proof.f_commitments[i]); @@ -131,7 +132,8 @@ namespace nil { F_consolidated += a[i] * F[i]; } - return (F_consolidated == verification_key.Z * T); + return (F_consolidated == verification_key.Z * T);*/ + return true; } }; } // namespace snark diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index c828d01c2..e3aefb94f 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -38,14 +38,19 @@ #include #include -//#include +#include +#include #include #include #include +#include + #include #include #include + #include + #include #include "circuits.hpp" @@ -83,39 +88,6 @@ typename fri_type::params_type create_fri_params(std::size_t degree_log) { return params; } -template -std::vector> - create_random_table(const std::size_t table_rows, const std::size_t table_width, - plonk_permutation permutation, const std::shared_ptr> &domain) { - std::vector> table(table_width); - - std::vector> tmp(table_width); - - for (std::size_t i = 0; i < table_width; i++) { - tmp[i].resize(table_rows); - for (std::size_t j = 0; j < table_rows; j++) { - tmp[i][j] = algebra::random_element(); - } - } - - for (std::size_t i = 0; i < table_width; i++) { - for (std::size_t j = 0; j < table_rows; j++) { - auto key = std::make_pair(i, j); - auto ids = permutation[key]; - if (ids.first != i || ids.second != j) { - tmp[i][j] = tmp[ids.first][ids.second]; - } - } - } - - for (std::size_t i = 0; i < table_width; i++) { - domain->inverse_fft(tmp[i]); - table[i] = math::polynomial(tmp[i]); - } - - return table; -} - BOOST_AUTO_TEST_SUITE(redshift_prover_test_suite) using curve_type = algebra::curves::bls12<381>; @@ -123,18 +95,39 @@ using FieldType = typename curve_type::scalar_field_type; typedef hashes::keccak_1600<512> merkle_hash_type; typedef hashes::keccak_1600<512> transcript_hash_type; +// lpc params constexpr std::size_t m = 2; +constexpr static const std::size_t lambda = 40; +constexpr static const std::size_t k = 1; typedef fri_commitment_scheme fri_type; -constexpr std::size_t argument_size = 3; - BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { + const std::size_t table_rows_log = 4; + const std::size_t table_rows = 1 << table_rows_log; + const std::size_t table_columns = 3; + const std::size_t permutation_size = 3; + const std::size_t usable_rows = 1 << table_rows_log; + const std::size_t witness_columns = table_columns; + circuit_description circuit = circuit_test_1(); - // zk::snark::redshift_preprocessor preprocess; + using types_policy = zk::snark::detail::redshift_types_policy; - // auto preprocessed_data = preprocess::process(cs, assignments); - // zk::snark::redshift_prover prove; + constexpr static const std::size_t r = table_rows_log - 1; + typedef list_polynomial_commitment_scheme lpc_type; + + typename fri_type::params_type fri_params = create_fri_params(table_rows_log); + typename types_policy::constraint_system_type constraint_system; + typename types_policy::variable_assignment_type assigments; + typename types_policy::template preprocessed_data_type preprocessed_data = + redshift_preprocessor::process(constraint_system, assigments); + + typename types_policy::template proof_type proof = redshift_prover::process( + preprocessed_data, constraint_system, assigments); + + bool verifier_res = redshift_verifier::process( + proof); + BOOST_CHECK(verifier_res); } BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { @@ -145,8 +138,8 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { const std::size_t usable_rows = 1 << table_rows_log; circuit_description circuit = circuit_test_2(); - constexpr static const std::size_t lambda = 40; - constexpr static const std::size_t k = 1; + constexpr std::size_t argument_size = 3; + constexpr static const std::size_t r = table_rows_log - 1; typedef list_polynomial_commitment_scheme lpc_type; @@ -202,8 +195,6 @@ BOOST_AUTO_TEST_CASE(redshift_gate_argument_test) { const std::size_t usable_rows = 1 << table_rows_log; circuit_description circuit = circuit_test_2(); - constexpr static const std::size_t lambda = 40; - constexpr static const std::size_t k = 1; constexpr static const std::size_t r = table_rows_log - 1; typedef list_polynomial_commitment_scheme lpc_type; From 24bf538c8bd0d051c27c256c87cdeb23dd58e77e Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Sun, 20 Feb 2022 23:57:48 +0200 Subject: [PATCH 157/219] plonk_constraint in tests --- .../crypto3/zk/snark/relations/plonk/gate.hpp | 4 ++-- test/systems/plonk/circuits.hpp | 18 +++++++++--------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp b/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp index de0a56a82..0708563b7 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp @@ -28,7 +28,7 @@ #include -#include +#include namespace nil { namespace crypto3 { @@ -37,7 +37,7 @@ namespace nil { template struct plonk_gate { - std::vector> constraints; + std::vector> constraints; math::polynomial selector; }; } // namespace snark diff --git a/test/systems/plonk/circuits.hpp b/test/systems/plonk/circuits.hpp index c0e694917..6c85e7fd3 100644 --- a/test/systems/plonk/circuits.hpp +++ b/test/systems/plonk/circuits.hpp @@ -34,7 +34,7 @@ #include #include -#include +#include #include #include #include @@ -163,24 +163,24 @@ namespace nil { variable w1(0, variable::rotation_type::current); variable w2(0, variable::rotation_type::current); - non_linear_combination add_constraint; + plonk_constraint add_constraint; add_constraint.add_term(w0); add_constraint.add_term(w1); add_constraint.add_term(-w2); test_circuit.domain->inverse_fft(q_add); math::polynomial add_selector(q_add); - std::vector> add_gate_costraints {add_constraint}; + std::vector> add_gate_costraints {add_constraint}; plonk_gate add_gate {add_gate_costraints, add_selector}; test_circuit.gates.push_back(add_gate); - non_linear_combination mul_constraint; + plonk_constraint mul_constraint; add_constraint.add_term(w0 * w1); add_constraint.add_term(-w2); test_circuit.domain->inverse_fft(q_mul); math::polynomial mul_selector(q_mul); - std::vector> mul_gate_costraints {mul_constraint}; + std::vector> mul_gate_costraints {mul_constraint}; plonk_gate mul_gate {mul_gate_costraints, mul_selector}; test_circuit.gates.push_back(mul_gate); @@ -262,24 +262,24 @@ namespace nil { variable w1(0, variable::rotation_type::current); variable w2(0, variable::rotation_type::current); - non_linear_combination add_constraint; + plonk_constraint add_constraint; add_constraint.add_term(w0); add_constraint.add_term(w1); add_constraint.add_term(-w2); test_circuit.domain->inverse_fft(q_add); math::polynomial add_selector(q_add); - std::vector> add_gate_costraints {add_constraint}; + std::vector> add_gate_costraints {add_constraint}; plonk_gate add_gate {add_gate_costraints, add_selector}; test_circuit.gates.push_back(add_gate); - non_linear_combination mul_constraint; + plonk_constraint mul_constraint; add_constraint.add_term(w0 * w1); add_constraint.add_term(-w2); test_circuit.domain->inverse_fft(q_mul); math::polynomial mul_selector(q_mul); - std::vector> mul_gate_costraints {mul_constraint}; + std::vector> mul_gate_costraints {mul_constraint}; plonk_gate mul_gate {mul_gate_costraints, mul_selector}; test_circuit.gates.push_back(mul_gate); From 16ee91a5cb28d34f3f28d993fe357cb832e3d46d Mon Sep 17 00:00:00 2001 From: nkaskov Date: Mon, 21 Feb 2022 01:48:28 +0300 Subject: [PATCH 158/219] Minor Redshift preprocessor refactoring. #20 --- .../crypto3/zk/snark/relations/plonk/gate.hpp | 13 ++--- .../zk/snark/relations/plonk/permutation.hpp | 47 ++++++++++--------- .../systems/plonk/redshift/preprocessor.hpp | 8 ++-- 3 files changed, 36 insertions(+), 32 deletions(-) diff --git a/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp b/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp index 0708563b7..73623dd38 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp @@ -34,12 +34,13 @@ namespace nil { namespace crypto3 { namespace zk { namespace snark { - template - struct plonk_gate - { - std::vector> constraints; - math::polynomial selector; - }; + + template + struct plonk_gate{ + std::vector> constraints; + math::polynomial selector; + }; + } // namespace snark } // namespace zk } // namespace crypto3 diff --git a/include/nil/crypto3/zk/snark/relations/plonk/permutation.hpp b/include/nil/crypto3/zk/snark/relations/plonk/permutation.hpp index ba656aab3..030363d39 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/permutation.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/permutation.hpp @@ -30,37 +30,38 @@ namespace nil { namespace crypto3 { namespace zk { namespace snark { - struct plonk_permutation - { - typedef std::pair key_type; - typedef std::pair value_type; - std::map _permutation_map; + struct plonk_permutation { + typedef std::pair key_type; + typedef std::pair value_type; - plonk_permutation(std::size_t columns, std::size_t rows) { - for (std::size_t i = 0; i < columns; i++) { - for (std::size_t j = 0; j < rows; j++) { - auto key = key_type(i, j); - _permutation_map[key] = value_type(i, j); - } + std::map _permutation_map; + + plonk_permutation(std::size_t columns, std::size_t rows) { + for (std::size_t i = 0; i < columns; i++) { + for (std::size_t j = 0; j < rows; j++) { + auto key = key_type(i, j); + _permutation_map[key] = value_type(i, j); } } + } - plonk_permutation() { - } + plonk_permutation() { + } - void cells_equal(key_type cell, key_type equal_to) { - _permutation_map[cell] = _permutation_map[equal_to]; - } + void cells_equal(key_type cell, key_type equal_to) { + _permutation_map[cell] = _permutation_map[equal_to]; + } - void cells_equal(std::size_t cell_x, std::size_t cell_y, std::size_t equal_to_x, std::size_t equal_to_y) { - _permutation_map[key_type(cell_x, cell_y)] = _permutation_map[key_type(equal_to_x, equal_to_y)]; - } + void cells_equal(std::size_t cell_x, std::size_t cell_y, std::size_t equal_to_x, std::size_t equal_to_y) { + _permutation_map[key_type(cell_x, cell_y)] = _permutation_map[key_type(equal_to_x, equal_to_y)]; + } - value_type &operator[](key_type key) { - return _permutation_map[key]; - } - }; + value_type &operator[](key_type key) { + return _permutation_map[key]; + } + }; + } // namespace snark } // namespace zk } // namespace crypto3 diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp index 7e9750332..9c20e83a0 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp @@ -48,7 +48,8 @@ namespace nil { public: static inline std::vector> identity_polynomials(std::size_t permutation_size, std::size_t table_size, - typename FieldType::value_type omega, typename FieldType::value_type delta, + const typename FieldType::value_type &omega, + const typename FieldType::value_type &delta, const std::shared_ptr> &domain) { std::vector> S_id(permutation_size); @@ -68,8 +69,9 @@ namespace nil { static inline std::vector> permutation_polynomials(std::size_t permutation_size, std::size_t table_size, - typename FieldType::value_type omega, typename FieldType::value_type delta, - plonk_permutation permutation, + const typename FieldType::value_type &omega, + const typename FieldType::value_type &delta, + const plonk_permutation &permutation, const std::shared_ptr> &domain) { std::vector> S_perm(permutation_size); From 383a1b1f56d7de5e078fd04f1fdfc31042b84932 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Mon, 21 Feb 2022 01:46:46 +0200 Subject: [PATCH 159/219] evaluation map #20 --- .../zk/snark/relations/non_linear_combination.hpp | 9 ++++++--- .../zk/snark/systems/plonk/redshift/gates_argument.hpp | 8 ++++---- .../crypto3/zk/snark/systems/plonk/redshift/verifier.hpp | 2 +- test/systems/plonk/redshift.cpp | 8 +++++--- 4 files changed, 16 insertions(+), 11 deletions(-) diff --git a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp index c92d78d12..8c13aae3c 100644 --- a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp +++ b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp @@ -158,6 +158,8 @@ namespace nil { constexpr static const bool RotationSupport = true; public: + typedef std::map::rotation_type>, typename FieldType::value_type> evaluation_map; + std::vector> terms; non_linear_combination() {}; @@ -229,16 +231,17 @@ namespace nil { return acc; } - template field_value_type evaluate( - const std::array &assignment) const { + evaluation_map &assignment) const { field_value_type acc = field_value_type::zero(); for (const non_linear_term &nlt : terms) { field_value_type term_value = nlt.coeff; for (const variable &var : nlt.vars) { - term_value = term_value * assignment[var.wire_index]; + std::pair::rotation_type> key + (var.wire_index, var.rotation); + term_value = term_value * assignment[key]; } acc = acc + term_value * nlt.coeff; } diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp index 144bba92e..96263eb6b 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp @@ -37,6 +37,7 @@ #include #include +#include namespace nil { namespace crypto3 { @@ -82,10 +83,10 @@ namespace nil { return F; } - template + template static inline std::array verify_eval(const std::vector> &gates, - const std::array &columns_values, + typename plonk_constraint::evaluation_map &evaluations, typename FieldType::value_type challenge, fiat_shamir_heuristic_updated &transcript) { typename FieldType::value_type theta = transcript.template challenge(); @@ -98,8 +99,7 @@ namespace nil { typename FieldType::value_type gate_result = {0}; for (std::size_t j = 0; j < gates[i].constraints.size(); j++) { - //TODO: rotation map - gate_result = gate_result + gates[i].constraints[j].evaluate(columns_values) * theta_acc; + gate_result = gate_result + gates[i].constraints[j].evaluate(evaluations) * theta_acc; theta_acc *= theta; } diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp index 65a754121..11e09f4b3 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp @@ -29,7 +29,7 @@ #include #include -#include +#include #include #include diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index e3aefb94f..af42d38e9 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -45,9 +45,10 @@ #include #include -#include #include +#include #include +#include #include @@ -211,9 +212,10 @@ BOOST_AUTO_TEST_CASE(redshift_gate_argument_test) { // Challenge phase typename FieldType::value_type y = algebra::random_element(); - std::array columns_at_y; + typename plonk_constraint::evaluation_map columns_at_y; for (int i = 0; i < table_columns; i++) { - columns_at_y[i] = circuit.column_polynomials[i].evaluate(y); + auto key = std::make_pair(i, variable::rotation_type::current); + columns_at_y[key] = circuit.column_polynomials[i].evaluate(y); } std::array verifier_res = From 1b35a403ff310e4ca332d6d87c658956fe394ba3 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Mon, 21 Feb 2022 02:06:38 +0200 Subject: [PATCH 160/219] remove const for evaluation_map #20 --- .../crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp index 9c20e83a0..e69d3ac6a 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp @@ -71,7 +71,7 @@ namespace nil { permutation_polynomials(std::size_t permutation_size, std::size_t table_size, const typename FieldType::value_type &omega, const typename FieldType::value_type &delta, - const plonk_permutation &permutation, + plonk_permutation &permutation, const std::shared_ptr> &domain) { std::vector> S_perm(permutation_size); From c109d9841a7b9d4c12d16f301d6914062d44bf07 Mon Sep 17 00:00:00 2001 From: Ilias Khairullin Date: Mon, 21 Feb 2022 13:00:48 +0300 Subject: [PATCH 161/219] Equality operator to fri parameters added. --- .../crypto3/zk/snark/commitments/fri_commitment.hpp | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index ef4f944de..ebe52ccb3 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -56,7 +56,7 @@ namespace nil { * Matter Labs, * */ - template @@ -64,6 +64,8 @@ namespace nil { constexpr static const std::size_t m = M; typedef FieldType field_type; + typedef MerkleTreeHashType merkle_tree_hash_type; + typedef TranscriptHashType transcript_hash_type; typedef typename containers::merkle_tree merkle_tree_type; typedef typename containers::merkle_proof merkle_proof_type; @@ -74,6 +76,13 @@ namespace nil { FieldType>; struct params_type { + bool operator==(const params_type &rhs) const { + return r == rhs.r && max_degree == rhs.max_degree && D == rhs.D && q == rhs.q; + } + bool operator!=(const params_type &rhs) const { + return !(rhs == *this); + } + std::size_t r; std::size_t max_degree; std::vector>> D; From ce4063a162e1da114ee504f14b15cfc214c62195 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Mon, 21 Feb 2022 12:36:47 +0200 Subject: [PATCH 162/219] split table_columns to witness and public columns #20 --- .../zk/snark/relations/plonk/plonk.hpp | 18 ++++++----- .../systems/plonk/redshift/preprocessor.hpp | 4 +-- .../snark/systems/plonk/redshift/prover.hpp | 18 ++++++----- .../zk/snark/systems/plonk/redshift/types.hpp | 14 +++++++-- .../snark/systems/plonk/redshift/verifier.hpp | 3 +- test/systems/plonk/circuits.hpp | 27 ++++++++++------- test/systems/plonk/redshift.cpp | 30 +++++++++++-------- 7 files changed, 71 insertions(+), 43 deletions(-) diff --git a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp index 1f1851357..fc79580fc 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp @@ -59,7 +59,7 @@ namespace nil { /************************* PLONK constraint system ****************************/ - template + template struct plonk_constraint_system { std::vector> constraints; @@ -67,8 +67,12 @@ namespace nil { plonk_constraint_system() { } - constexpr std::size_t num_wires() const { - return WiresAmount; + constexpr std::size_t num_witness() const { + return WitnessAmount; + } + + constexpr std::size_t num_public() const { + return PublicAmount; } std::size_t num_constraints() const { @@ -76,7 +80,7 @@ namespace nil { } bool - is_satisfied(plonk_variable_assignment full_variable_assignment) const { + is_satisfied(plonk_variable_assignment full_variable_assignment) const { for (std::size_t c = 0; c < constraints.size(); ++c) { if (!constraints[c].a.evaluate(full_variable_assignment).is_zero()) { @@ -100,12 +104,12 @@ namespace nil { } std::vector> - polynomials(plonk_variable_assignment full_variable_assignment) const { + polynomials(plonk_variable_assignment full_variable_assignment) const { std::vector> result(constraints.size()); - std::array, WiresAmount> wire_polynomials; - for (std::size_t wire_index = 0; wire_index < WiresAmount; wire_index++) { + std::array, WitnessAmount> wire_polynomials; + for (std::size_t wire_index = 0; wire_index < WitnessAmount; wire_index++) { const std::shared_ptr> domain = math::make_evaluation_domain(full_variable_assignment[wire_index].size()); diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp index e69d3ac6a..51916fd0a 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp @@ -41,9 +41,9 @@ namespace nil { namespace zk { namespace snark { - template + template class redshift_preprocessor { - using types_policy = detail::redshift_types_policy; + using types_policy = detail::redshift_types_policy; public: static inline std::vector> diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 91cd48fba..3bd483aff 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -46,13 +46,14 @@ namespace nil { typename MerkleTreeHashType, typename TranscriptHashType, std::size_t witness_columns, + std::size_t public_columns, std::size_t lambda, std::size_t k, std::size_t r, std::size_t m = 2> class redshift_prover { - using types_policy = detail::redshift_types_policy; + using types_policy = detail::redshift_types_policy; typedef typename containers::merkle_tree merkle_tree_type; @@ -110,17 +111,20 @@ namespace nil { static inline typename types_policy::template proof_type process(const typename types_policy::template preprocessed_data_type preprocessed_data, const typename types_policy::constraint_system_type &constraint_system, - const typename types_policy::variable_assignment_type &assignments) { + const typename types_policy::variable_assignment_type &assignments, + const typename types_policy::circuit_short_description &short_description) { - /*// 1. Add circuit definition to transctipt - transcript(...); + fiat_shamir_heuristic_updated transcript(std::vector()); + + // 1. Add circuit definition to transctipt + //transcript(short_description); //TODO: circuit_short_description marshalling // 2. Commit witness columns - std::array, witness_columns> witness_poly = ; + /*std::array, witness_columns> witness_poly = ; auto witness_commitments = lpc::commit(witness_poly, fri_params.D[0]); - transcript(witness_commitments); + transcript(witness_commitments);*/ - // 3. Prepare columns included into permuation argument + /*// 3. Prepare columns included into permuation argument std::vector> f(N_perm + N_PI); std::copy(w.begin(), w.end(), f.begin()); diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp index 5d9195860..6df930588 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp @@ -44,7 +44,7 @@ namespace nil { namespace snark { namespace detail { - template + template struct redshift_types_policy { /******************************** Params ********************************/ @@ -53,9 +53,9 @@ namespace nil { * Below are various template aliases (used for convenience). */ - typedef plonk_constraint_system constraint_system_type; + typedef plonk_constraint_system constraint_system_type; - typedef plonk_variable_assignment variable_assignment_type; + typedef plonk_variable_assignment variable_assignment_type; /*********************************** Proof ***********************************/ @@ -88,6 +88,14 @@ namespace nil { math::polynomial Z; }; + template + struct circuit_short_description { + std::vector selectors_commits; + std::vector id_polys_commits; + std::vector perm_polys_commits; + //TODO: Gates and field elements + }; + template struct prover_fiat_shamir_heuristic_manifest { enum challenges_ids { beta, gamma, alpha, upsilon = alpha + AlphasAmount, tau , teta}; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp index 11e09f4b3..a5f028d3c 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp @@ -42,13 +42,14 @@ namespace nil { typename MerkleTreeHashType, typename TranscriptHashType, std::size_t witness_columns, + std::size_t public_columns, std::size_t lambda, std::size_t k, std::size_t r, std::size_t m = 2> class redshift_verifier { - using types_policy = detail::redshift_types_policy; + using types_policy = detail::redshift_types_policy; typedef list_polynomial_commitment_scheme< FieldType, MerkleTreeHashType, TranscriptHashType, lambda, k, r, m> diff --git a/test/systems/plonk/circuits.hpp b/test/systems/plonk/circuits.hpp index 6c85e7fd3..389cab1c5 100644 --- a/test/systems/plonk/circuits.hpp +++ b/test/systems/plonk/circuits.hpp @@ -46,7 +46,8 @@ namespace nil { namespace snark { template class circuit_description @@ -65,7 +66,7 @@ namespace nil { std::vector> S_sigma; std::vector> table; - std::array, table_columns> column_polynomials; + std::array, witness_columns + public_columns> column_polynomials; // construct q_last, q_blind math::polynomial q_last; @@ -79,18 +80,18 @@ namespace nil { omega = domain->get_domain_element(1); delta = algebra::fields::arithmetic_params::multiplicative_generator; - permutation = plonk_permutation(table_columns, table_rows); + permutation = plonk_permutation(witness_columns + public_columns, table_rows); } void init() { - S_id = redshift_preprocessor::identity_polynomials( + S_id = redshift_preprocessor::identity_polynomials( permutation_size, table_rows, omega, delta, domain); - S_sigma = redshift_preprocessor::permutation_polynomials( + S_sigma = redshift_preprocessor::permutation_polynomials( permutation_size, table_rows, omega, delta, permutation, domain); - q_last = redshift_preprocessor::selector_last( + q_last = redshift_preprocessor::selector_last( table_rows, usable_rows, domain); - q_blind = redshift_preprocessor::selector_blind( + q_blind = redshift_preprocessor::selector_blind( table_rows, usable_rows, domain); } }; @@ -108,13 +109,15 @@ namespace nil { // MUL: x * y = z //---------------------------------------------------------------------------// template - circuit_description circuit_test_1() { + circuit_description circuit_test_1() { constexpr static const std::size_t rows_log = 4; constexpr static const std::size_t table_columns = 3; + constexpr static const std::size_t witness_columns = 3; + constexpr static const std::size_t public_columns = 0; constexpr static const std::size_t permutation = 3; constexpr static const std::size_t usable = 1 << rows_log; - circuit_description test_circuit; + circuit_description test_circuit; std::vector> table(table_columns); @@ -200,13 +203,15 @@ namespace nil { // MUL: x * y = z, copy(p1, y) //---------------------------------------------------------------------------// template - circuit_description circuit_test_2() { + circuit_description circuit_test_2() { constexpr static const std::size_t rows_log = 4; constexpr static const std::size_t table_columns = 4; + constexpr static const std::size_t witness_columns = 3; + constexpr static const std::size_t public_columns = 1; constexpr static const std::size_t permutation = 4; constexpr static const std::size_t usable = 1 << rows_log; - circuit_description test_circuit; + circuit_description test_circuit; std::vector> table(table_columns); diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index af42d38e9..701a351d8 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -106,13 +106,14 @@ typedef fri_commitment_scheme circuit = circuit_test_1(); + circuit_description circuit = circuit_test_1(); - using types_policy = zk::snark::detail::redshift_types_policy; + using types_policy = zk::snark::detail::redshift_types_policy; constexpr static const std::size_t r = table_rows_log - 1; typedef list_polynomial_commitment_scheme lpc_type; @@ -120,13 +121,14 @@ BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { typename fri_type::params_type fri_params = create_fri_params(table_rows_log); typename types_policy::constraint_system_type constraint_system; typename types_policy::variable_assignment_type assigments; + types_policy::circuit_short_description short_description; typename types_policy::template preprocessed_data_type preprocessed_data = - redshift_preprocessor::process(constraint_system, assigments); + redshift_preprocessor::process(constraint_system, assigments); - typename types_policy::template proof_type proof = redshift_prover::process( - preprocessed_data, constraint_system, assigments); + typename types_policy::template proof_type proof = redshift_prover::process( + preprocessed_data, constraint_system, assigments, short_description); - bool verifier_res = redshift_verifier::process( + bool verifier_res = redshift_verifier::process( proof); BOOST_CHECK(verifier_res); } @@ -134,10 +136,12 @@ BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { const std::size_t table_rows_log = 4; const std::size_t table_rows = 1 << table_rows_log; - const std::size_t table_columns = 4; + const std::size_t witness_columns = 3; + const std::size_t public_columns = 1; + const std::size_t table_columns = witness_columns + public_columns; const std::size_t permutation_size = 4; const std::size_t usable_rows = 1 << table_rows_log; - circuit_description circuit = circuit_test_2(); + circuit_description circuit = circuit_test_2(); constexpr std::size_t argument_size = 3; @@ -191,10 +195,12 @@ BOOST_AUTO_TEST_CASE(redshift_lookup_argument_test) { BOOST_AUTO_TEST_CASE(redshift_gate_argument_test) { const std::size_t table_rows_log = 4; const std::size_t table_rows = 1 << table_rows_log; - const std::size_t table_columns = 4; + const std::size_t witness_columns = 3; + const std::size_t public_columns = 1; + const std::size_t table_columns = witness_columns + public_columns; const std::size_t permutation_size = 4; const std::size_t usable_rows = 1 << table_rows_log; - circuit_description circuit = circuit_test_2(); + circuit_description circuit = circuit_test_2(); constexpr static const std::size_t r = table_rows_log - 1; typedef list_polynomial_commitment_scheme lpc_type; From 9d7d4e3c54e62dba8535f2a30d24d24b1bb13245 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Mon, 21 Feb 2022 17:31:45 +0300 Subject: [PATCH 163/219] PLONK Gates interfaces changed. #20 --- .../crypto3/zk/snark/relations/plonk/gate.hpp | 43 ++++++++- .../zk/snark/relations/plonk/plonk.hpp | 96 +++++++++---------- .../snark/systems/plonk/redshift/prover.hpp | 2 +- test/systems/plonk/circuits.hpp | 8 +- 4 files changed, 92 insertions(+), 57 deletions(-) diff --git a/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp b/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp index 73623dd38..0bf3b1549 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp @@ -35,12 +35,51 @@ namespace nil { namespace zk { namespace snark { + /************************* PLONK constraint ***********************************/ + + template + using plonk_constraint = non_linear_combination; + + /************************* PLONK gate ***********************************/ + template struct plonk_gate{ - std::vector> constraints; math::polynomial selector; + std::vector> constraints; + + plonk_gate(math::polynomial &selector, + const std::vector> &constraints): + constraints(constraints), selector(selector) { + } + + plonk_gate(std::size_t row_index, const snark::plonk_constraint &constraint): + constraints(std::vector> ({constraint})){ + + selector = math::polynomial(); + } + + plonk_gate(std::size_t row_index, + const std::initializer_list> &constraints): + constraints(constraints){ + + selector = math::polynomial(); + } + + plonk_gate(std::initializer_list row_indices, + const snark::plonk_constraint &constraint): + constraints(std::vector> ({constraint})), selector() { + + selector = math::polynomial(); + } + + plonk_gate(std::initializer_list row_indices, + const std::initializer_list> &constraints): + constraints(constraints), selector() { + + selector = math::polynomial(); + } }; - + } // namespace snark } // namespace zk } // namespace crypto3 diff --git a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp index fc79580fc..026cf5daf 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp @@ -40,6 +40,7 @@ #include #include +#include #include namespace nil { @@ -47,11 +48,6 @@ namespace nil { namespace zk { namespace snark { - /************************* PLONK constraint ***********************************/ - - template - using plonk_constraint = non_linear_combination; - /************************* PLONK variable assignment **************************/ template @@ -62,7 +58,7 @@ namespace nil { template struct plonk_constraint_system { - std::vector> constraints; + std::vector> gates; plonk_constraint_system() { } @@ -75,21 +71,21 @@ namespace nil { return PublicAmount; } - std::size_t num_constraints() const { - return constraints.size(); + std::size_t num_gates() const { + return gates.size(); } - bool - is_satisfied(plonk_variable_assignment full_variable_assignment) const { + // bool + // is_satisfied(plonk_variable_assignment full_variable_assignment) const { - for (std::size_t c = 0; c < constraints.size(); ++c) { - if (!constraints[c].a.evaluate(full_variable_assignment).is_zero()) { - return false; - } - } + // for (std::size_t c = 0; c < constraints.size(); ++c) { + // if (!constraints[c].a.evaluate(full_variable_assignment).is_zero()) { + // return false; + // } + // } - return true; - } + // return true; + // } std::vector> copy_constraints() { return {}; @@ -103,57 +99,57 @@ namespace nil { return {}; } - std::vector> - polynomials(plonk_variable_assignment full_variable_assignment) const { + // std::vector> + // polynomials(plonk_variable_assignment full_variable_assignment) const { - std::vector> result(constraints.size()); + // std::vector> result(constraints.size()); - std::array, WitnessAmount> wire_polynomials; - for (std::size_t wire_index = 0; wire_index < WitnessAmount; wire_index++) { - const std::shared_ptr> domain = - math::make_evaluation_domain(full_variable_assignment[wire_index].size()); + // std::array, WitnessAmount> wire_polynomials; + // for (std::size_t wire_index = 0; wire_index < WitnessAmount; wire_index++) { + // const std::shared_ptr> domain = + // math::make_evaluation_domain(full_variable_assignment[wire_index].size()); - std::vector interpolation_points( - full_variable_assignment[wire_index].size()); + // std::vector interpolation_points( + // full_variable_assignment[wire_index].size()); - std::copy(full_variable_assignment[wire_index].begin(), - full_variable_assignment[wire_index].end(), interpolation_points.begin()); + // std::copy(full_variable_assignment[wire_index].begin(), + // full_variable_assignment[wire_index].end(), interpolation_points.begin()); - domain->inverse_fft(interpolation_points); + // domain->inverse_fft(interpolation_points); - wire_polynomials[wire_index] = - math::polynomial(interpolation_points); - } + // wire_polynomials[wire_index] = + // math::polynomial(interpolation_points); + // } - for (std::size_t constraint_index = 0; constraint_index < constraints.size(); - constraint_index++) { + // for (std::size_t constraint_index = 0; constraint_index < constraints.size(); + // constraint_index++) { - for (auto &term : constraints[constraint_index].terms) { + // for (auto &term : constraints[constraint_index].terms) { - math::polynomial term_polynom = {term.coeff}; + // math::polynomial term_polynom = {term.coeff}; - for (auto &var : term.vars) { + // for (auto &var : term.vars) { - const std::shared_ptr> domain = - math::make_evaluation_domain(full_variable_assignment[var.wire_index].size()); + // const std::shared_ptr> domain = + // math::make_evaluation_domain(full_variable_assignment[var.wire_index].size()); - term_polynom = term_polynom * math::polynomial_shift(wire_polynomials[var.wire_index], - domain->get_domain_element(var.rotation)); - } + // term_polynom = term_polynom * math::polynomial_shift(wire_polynomials[var.wire_index], + // domain->get_domain_element(var.rotation)); + // } - result[constraint_index] = result[constraint_index] + term_polynom; - } - } + // result[constraint_index] = result[constraint_index] + term_polynom; + // } + // } - return result; - } + // return result; + // } - void add_constraint(const plonk_constraint &c) { - constraints.emplace_back(c); + void add_gate(const plonk_gate &g) { + gates.emplace_back(g); } bool operator==(const plonk_constraint_system &other) const { - return (this->constraints == other.constraints); + return (this->gates == other.gates); } }; } // namespace snark diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 3bd483aff..23bed69a9 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -112,7 +112,7 @@ namespace nil { process(const typename types_policy::template preprocessed_data_type preprocessed_data, const typename types_policy::constraint_system_type &constraint_system, const typename types_policy::variable_assignment_type &assignments, - const typename types_policy::circuit_short_description &short_description) { + const typename types_policy::template circuit_short_description &short_description) { fiat_shamir_heuristic_updated transcript(std::vector()); diff --git a/test/systems/plonk/circuits.hpp b/test/systems/plonk/circuits.hpp index 389cab1c5..0bb0a83d6 100644 --- a/test/systems/plonk/circuits.hpp +++ b/test/systems/plonk/circuits.hpp @@ -174,7 +174,7 @@ namespace nil { test_circuit.domain->inverse_fft(q_add); math::polynomial add_selector(q_add); std::vector> add_gate_costraints {add_constraint}; - plonk_gate add_gate {add_gate_costraints, add_selector}; + plonk_gate add_gate (add_selector, add_gate_costraints); test_circuit.gates.push_back(add_gate); plonk_constraint mul_constraint; @@ -184,7 +184,7 @@ namespace nil { test_circuit.domain->inverse_fft(q_mul); math::polynomial mul_selector(q_mul); std::vector> mul_gate_costraints {mul_constraint}; - plonk_gate mul_gate {mul_gate_costraints, mul_selector}; + plonk_gate mul_gate (mul_selector, mul_gate_costraints); test_circuit.gates.push_back(mul_gate); return test_circuit; @@ -275,7 +275,7 @@ namespace nil { test_circuit.domain->inverse_fft(q_add); math::polynomial add_selector(q_add); std::vector> add_gate_costraints {add_constraint}; - plonk_gate add_gate {add_gate_costraints, add_selector}; + plonk_gate add_gate (add_selector, add_gate_costraints); test_circuit.gates.push_back(add_gate); plonk_constraint mul_constraint; @@ -285,7 +285,7 @@ namespace nil { test_circuit.domain->inverse_fft(q_mul); math::polynomial mul_selector(q_mul); std::vector> mul_gate_costraints {mul_constraint}; - plonk_gate mul_gate {mul_gate_costraints, mul_selector}; + plonk_gate mul_gate (mul_selector, mul_gate_costraints); test_circuit.gates.push_back(mul_gate); return test_circuit; From ef166208fc4c88860bade6e1dc0262fb671ff874 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Mon, 21 Feb 2022 16:33:22 +0200 Subject: [PATCH 164/219] prover update #20 --- .../zk/snark/systems/plonk/redshift/proof.hpp | 4 ++-- .../snark/systems/plonk/redshift/prover.hpp | 24 +++++++++++++++---- .../zk/snark/systems/plonk/redshift/types.hpp | 2 +- .../snark/systems/plonk/redshift/verifier.hpp | 5 ++-- test/systems/plonk/circuits.hpp | 6 ++--- test/systems/plonk/redshift.cpp | 6 ++--- 6 files changed, 31 insertions(+), 16 deletions(-) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp index 85e3ba734..d589252b7 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp @@ -38,7 +38,7 @@ namespace nil { redshift_proof() { } - std::vector f_commitments; + std::vector witness_commitments; typename CommitmentSchemeType::commitment_type P_commitment; typename CommitmentSchemeType::commitment_type Q_commitment; @@ -53,7 +53,7 @@ namespace nil { std::vector T_lpc_proofs; bool operator==(const redshift_proof &rhs) const { - return f_commitments == rhs.f_commitments && P_commitment == rhs.P_commitment && + return witness_commitments == rhs.witness_commitments && P_commitment == rhs.P_commitment && Q_commitment == rhs.Q_commitment && T_commitments == rhs.T_commitments && f_lpc_proofs == rhs.f_lpc_proofs && P_lpc_proof == rhs.P_lpc_proof && Q_lpc_proof == rhs.Q_lpc_proof && T_lpc_proofs == rhs.T_lpc_proofs; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 3bd483aff..dcc8daa49 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -112,17 +112,32 @@ namespace nil { process(const typename types_policy::template preprocessed_data_type preprocessed_data, const typename types_policy::constraint_system_type &constraint_system, const typename types_policy::variable_assignment_type &assignments, - const typename types_policy::circuit_short_description &short_description) { + const typename types_policy::circuit_short_description &short_description, + const typename lpc::fri_type::params_type &fri_params) { + typename types_policy::template proof_type proof; fiat_shamir_heuristic_updated transcript(std::vector()); // 1. Add circuit definition to transctipt //transcript(short_description); //TODO: circuit_short_description marshalling // 2. Commit witness columns - /*std::array, witness_columns> witness_poly = ; - auto witness_commitments = lpc::commit(witness_poly, fri_params.D[0]); - transcript(witness_commitments);*/ + std::array, witness_columns> witness_poly; + for (std::size_t i = 0; i < witness_columns; i++) { + std::vector tmp; + std::copy(assignments[i].begin(), assignments[i].end(), std::back_inserter(tmp)); + preprocessed_data.basic_domain->inverse_fft(tmp); + witness_poly[i] = tmp; + } + std::array witness_commitments = + lpc::template commit(witness_poly, fri_params.D[0]); + + proof.witness_commitments.resize(witness_columns); + for (std::size_t i = 0; i < witness_columns; i++) { + proof.witness_commitments[i] = witness_commitments[i].root(); + transcript(proof.witness_commitments[i]); + } + //transcript(witness_commitments); //TODO: marshalling /*// 3. Prepare columns included into permuation argument std::vector> f(N_perm + N_PI); @@ -178,7 +193,6 @@ namespace nil { // T_lpc_proofs.push_back(lpc::proof_eval(fT_evaluation_points, T_trees[i], T[i], D_0)); // }*/ - typename types_policy::template proof_type proof; // = typename types_policy::proof_type(std::move(f_commitments), std::move(T_commitments), // std::move(f_lpc_proofs), std::move(T_lpc_proofs)); // proof.T_lpc_proofs = T_lpc_proofs; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp index 6df930588..c7f00eba3 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp @@ -55,7 +55,7 @@ namespace nil { typedef plonk_constraint_system constraint_system_type; - typedef plonk_variable_assignment variable_assignment_type; + typedef plonk_variable_assignment variable_assignment_type; /*********************************** Proof ***********************************/ diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp index a5f028d3c..8c7f1c9c4 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp @@ -62,12 +62,13 @@ namespace nil { public: static inline bool process(//const types_policy::verification_key_type &verification_key, //const types_policy::primary_input_type &primary_input, - const typename types_policy::template proof_type &proof) { + const typename types_policy::template proof_type &proof, + const typename types_policy::circuit_short_description &short_description) { fiat_shamir_heuristic_updated transcript(std::vector()); // 1. Add circuit definition to transctipt - /*transcript(...); + /*transcript(short_description); for (std::size_t i = 0; i < N_wires; i++) { transcript(proof.f_commitments[i]); diff --git a/test/systems/plonk/circuits.hpp b/test/systems/plonk/circuits.hpp index 389cab1c5..c35fc0737 100644 --- a/test/systems/plonk/circuits.hpp +++ b/test/systems/plonk/circuits.hpp @@ -65,7 +65,7 @@ namespace nil { std::vector> S_id; std::vector> S_sigma; - std::vector> table; + std::array, witness_columns + public_columns> table; std::array, witness_columns + public_columns> column_polynomials; // construct q_last, q_blind @@ -119,7 +119,7 @@ namespace nil { circuit_description test_circuit; - std::vector> table(table_columns); + std::array, table_columns> table; std::vector q_add(test_circuit.table_rows); std::vector q_mul(test_circuit.table_rows); @@ -213,7 +213,7 @@ namespace nil { circuit_description test_circuit; - std::vector> table(table_columns); + std::array, table_columns> table; std::vector q_add(test_circuit.table_rows); std::vector q_mul(test_circuit.table_rows); diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index 701a351d8..b2a028ccf 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -120,16 +120,16 @@ BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { typename fri_type::params_type fri_params = create_fri_params(table_rows_log); typename types_policy::constraint_system_type constraint_system; - typename types_policy::variable_assignment_type assigments; + typename types_policy::variable_assignment_type assigments = circuit.table; types_policy::circuit_short_description short_description; typename types_policy::template preprocessed_data_type preprocessed_data = redshift_preprocessor::process(constraint_system, assigments); typename types_policy::template proof_type proof = redshift_prover::process( - preprocessed_data, constraint_system, assigments, short_description); + preprocessed_data, constraint_system, assigments, short_description, fri_params); bool verifier_res = redshift_verifier::process( - proof); + proof, short_description); BOOST_CHECK(verifier_res); } From dd5649289ecf11a49c183e164c25e6cc73b3401d Mon Sep 17 00:00:00 2001 From: nkaskov Date: Tue, 22 Feb 2022 00:01:03 +0300 Subject: [PATCH 165/219] PLONK Minor changes. #20 --- .../crypto3/zk/snark/relations/plonk/gate.hpp | 45 +++++----- .../zk/snark/relations/plonk/plonk.hpp | 82 +++++++++---------- .../snark/systems/plonk/redshift/params.hpp | 15 +++- .../snark/systems/plonk/redshift/prover.hpp | 2 +- .../snark/systems/plonk/redshift/verifier.hpp | 2 +- 5 files changed, 77 insertions(+), 69 deletions(-) diff --git a/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp b/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp index 0bf3b1549..0c9dc4b75 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp @@ -43,40 +43,41 @@ namespace nil { /************************* PLONK gate ***********************************/ template - struct plonk_gate{ - math::polynomial selector; + struct plonk_gate_unprocessed{ + std::vector selector; std::vector> constraints; - plonk_gate(math::polynomial &selector, - const std::vector> &constraints): - constraints(constraints), selector(selector) { - } - - plonk_gate(std::size_t row_index, const snark::plonk_constraint &constraint): - constraints(std::vector> ({constraint})){ - - selector = math::polynomial(); + plonk_gate_unprocessed(std::size_t row_index, const snark::plonk_constraint &constraint): + constraints(std::vector> ({constraint})), + selector(std::vector ({row_index})){ } - plonk_gate(std::size_t row_index, + plonk_gate_unprocessed(std::size_t row_index, const std::initializer_list> &constraints): - constraints(constraints){ - - selector = math::polynomial(); + constraints(constraints), + selector(std::vector ({row_index})){ } - plonk_gate(std::initializer_list row_indices, + plonk_gate_unprocessed(std::initializer_list row_indices, const snark::plonk_constraint &constraint): - constraints(std::vector> ({constraint})), selector() { - - selector = math::polynomial(); + constraints(std::vector> ({constraint})), + selector(row_indices) { } - plonk_gate(std::initializer_list row_indices, + plonk_gate_unprocessed(std::initializer_list row_indices, const std::initializer_list> &constraints): - constraints(constraints), selector() { + constraints(constraints), selector(row_indices) { + } + }; + + template + struct plonk_gate{ + math::polynomial selector; + std::vector> constraints; - selector = math::polynomial(); + plonk_gate(math::polynomial &selector, + const std::vector> &constraints): + constraints(constraints), selector(selector) { } }; diff --git a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp index 026cf5daf..9fccc6515 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp @@ -56,9 +56,11 @@ namespace nil { /************************* PLONK constraint system ****************************/ template - struct plonk_constraint_system { + class plonk_constraint_system { - std::vector> gates; + std::vector> gates_data; + + public: plonk_constraint_system() { } @@ -72,7 +74,7 @@ namespace nil { } std::size_t num_gates() const { - return gates.size(); + return gates_data.size(); } // bool @@ -87,69 +89,65 @@ namespace nil { // return true; // } - std::vector> copy_constraints() { + std::vector> copy_constraints() const { return {}; } - std::vector> selectors() { + std::vector> lookups() const { return {}; } - std::vector> lookups() { - return {}; - } + static std::vector> + wire_polynomials(const plonk_variable_assignment &full_variable_assignment) { - // std::vector> - // polynomials(plonk_variable_assignment full_variable_assignment) const { + // std::vector> result(gates_data.size()); - // std::vector> result(constraints.size()); + std::array, WitnessAmount> wires; + for (std::size_t wire_index = 0; wire_index < WitnessAmount; wire_index++) { + const std::shared_ptr> domain = + math::make_evaluation_domain(full_variable_assignment[wire_index].size()); - // std::array, WitnessAmount> wire_polynomials; - // for (std::size_t wire_index = 0; wire_index < WitnessAmount; wire_index++) { - // const std::shared_ptr> domain = - // math::make_evaluation_domain(full_variable_assignment[wire_index].size()); + std::vector interpolation_points( + full_variable_assignment[wire_index].size()); - // std::vector interpolation_points( - // full_variable_assignment[wire_index].size()); + std::copy(full_variable_assignment[wire_index].begin(), + full_variable_assignment[wire_index].end(), interpolation_points.begin()); - // std::copy(full_variable_assignment[wire_index].begin(), - // full_variable_assignment[wire_index].end(), interpolation_points.begin()); + domain->inverse_fft(interpolation_points); - // domain->inverse_fft(interpolation_points); + wires[wire_index] = + math::polynomial(interpolation_points); + } - // wire_polynomials[wire_index] = - // math::polynomial(interpolation_points); - // } + // for (std::size_t constraint_index = 0; constraint_index < constraints.size(); + // constraint_index++) { - // for (std::size_t constraint_index = 0; constraint_index < constraints.size(); - // constraint_index++) { + // for (auto &term : constraints[constraint_index].terms) { - // for (auto &term : constraints[constraint_index].terms) { + // math::polynomial term_polynom = {term.coeff}; - // math::polynomial term_polynom = {term.coeff}; + // for (auto &var : term.vars) { - // for (auto &var : term.vars) { + // const std::shared_ptr> domain = + // math::make_evaluation_domain(full_variable_assignment[var.wire_index].size()); - // const std::shared_ptr> domain = - // math::make_evaluation_domain(full_variable_assignment[var.wire_index].size()); + // term_polynom = term_polynom * math::polynomial_shift(wires[var.wire_index], + // domain->get_domain_element(var.rotation)); + // } - // term_polynom = term_polynom * math::polynomial_shift(wire_polynomials[var.wire_index], - // domain->get_domain_element(var.rotation)); - // } + // result[constraint_index] = result[constraint_index] + term_polynom; + // } + // } - // result[constraint_index] = result[constraint_index] + term_polynom; - // } - // } - - // return result; - // } + return result; + } - void add_gate(const plonk_gate &g) { - gates.emplace_back(g); + void add_gate(const plonk_gate_unprocessed &g) { + gates_data.emplace_back(g); } bool operator==(const plonk_constraint_system &other) const { - return (this->gates == other.gates); + return (this->gates_data == other.gates_data); } }; } // namespace snark diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp index 8d85da977..13a46d9ab 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp @@ -1,6 +1,6 @@ //---------------------------------------------------------------------------// -// Copyright (c) 2018-2021 Mikhail Komarov -// Copyright (c) 2020-2021 Nikita Kaskov +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov // // MIT License // @@ -33,7 +33,16 @@ namespace nil { namespace crypto3 { namespace zk { - namespace snark { } // namespace snark + namespace snark { + + struct redshift_params { + constexpr static const std::size_t lambda = 0; + constexpr static const std::size_t k = 0; + constexpr static const std::size_t r = 0; + constexpr static const std::size_t m = 2; + }; + + } // namespace snark } // namespace zk } // namespace crypto3 } // namespace nil diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 116256747..95a21d99e 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -112,7 +112,7 @@ namespace nil { process(const typename types_policy::template preprocessed_data_type preprocessed_data, const typename types_policy::constraint_system_type &constraint_system, const typename types_policy::variable_assignment_type &assignments, - const typename types_policy::template circuit_short_description &short_description), + const typename types_policy::template circuit_short_description &short_description, const typename lpc::fri_type::params_type &fri_params) { typename types_policy::template proof_type proof; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp index 8c7f1c9c4..11da30656 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp @@ -63,7 +63,7 @@ namespace nil { static inline bool process(//const types_policy::verification_key_type &verification_key, //const types_policy::primary_input_type &primary_input, const typename types_policy::template proof_type &proof, - const typename types_policy::circuit_short_description &short_description) { + const typename types_policy::template circuit_short_description &short_description) { fiat_shamir_heuristic_updated transcript(std::vector()); From d41cbaa5c4e53fbabbb114838250e4e660d4d210 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Tue, 22 Feb 2022 00:34:09 +0200 Subject: [PATCH 166/219] preprocessor update #20 --- .../plonk/redshift/permutation_argument.hpp | 69 +++++++++---------- .../systems/plonk/redshift/preprocessor.hpp | 35 +++++++++- .../snark/systems/plonk/redshift/prover.hpp | 15 ++-- .../zk/snark/systems/plonk/redshift/types.hpp | 20 ++++-- .../snark/systems/plonk/redshift/verifier.hpp | 8 +-- test/systems/plonk/redshift.cpp | 39 ++++++++--- 6 files changed, 120 insertions(+), 66 deletions(-) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp index 94bd83073..db385c97e 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp @@ -42,10 +42,13 @@ namespace nil { namespace crypto3 { namespace zk { namespace snark { - template> class redshift_permutation_argument { + using types_policy = detail::redshift_types_policy; + typedef typename CommitmentSchemeType::fri_type fri_type; static constexpr std::size_t argument_size = 3; @@ -60,32 +63,30 @@ namespace nil { }; template - static inline prover_result_type // TODO: fix fiat-shamir + static inline prover_result_type prove_eval(fiat_shamir_heuristic_updated &transcript, - std::size_t circuit_rows, - std::size_t permutation_size, - std::shared_ptr> - domain, - const math::polynomial &lagrange_1, - const std::vector> &S_id, - const std::vector> &S_sigma, + const typename types_policy::template preprocessed_data_type preprocessed_data, + const typename types_policy::template circuit_short_description &short_description, const std::array, table_width> &columns, - const math::polynomial &q_last, - const math::polynomial &q_blind, typename fri_type::params_type fri_params) { + + const std::vector> &S_sigma = preprocessed_data.permutation_polynomials; + const std::vector> &S_id = preprocessed_data.identity_polynomials; + std::shared_ptr> domain = preprocessed_data.basic_domain; + // 1. $\beta_1, \gamma_1 = \challenge$ typename FieldType::value_type beta = transcript.template challenge(); typename FieldType::value_type gamma = transcript.template challenge(); // 2. Calculate id_binding, sigma_binding for j from 1 to N_rows - std::vector id_binding(circuit_rows); - std::vector sigma_binding(circuit_rows); + std::vector id_binding(short_description.table_rows); + std::vector sigma_binding(short_description.table_rows); - for (std::size_t j = 0; j < circuit_rows; j++) { + for (std::size_t j = 0; j < short_description.table_rows; j++) { id_binding[j] = FieldType::value_type::one(); sigma_binding[j] = FieldType::value_type::one(); - for (std::size_t i = 0; i < permutation_size; i++) { + for (std::size_t i = 0; i < S_id.size(); i++) { id_binding[j] *= (columns[i].evaluate(domain->get_domain_element(j)) + beta * S_id[i].evaluate(domain->get_domain_element(j)) + gamma); @@ -95,10 +96,10 @@ namespace nil { } // 3. Calculate $V_P$ - std::vector V_P_interpolation_points(circuit_rows); + std::vector V_P_interpolation_points(short_description.table_rows); V_P_interpolation_points[0] = FieldType::value_type::one(); - for (std::size_t j = 1; j < circuit_rows; j++) { + for (std::size_t j = 1; j < short_description.table_rows; j++) { typename FieldType::value_type tmp_mul_result = FieldType::value_type::one(); for (std::size_t i = 0; i <= j - 1; i++) { // TODO: use one division @@ -108,10 +109,7 @@ namespace nil { V_P_interpolation_points[j] = tmp_mul_result; } - const std::shared_ptr> V_P_domain = - math::make_evaluation_domain(circuit_rows); - - V_P_domain->inverse_fft(V_P_interpolation_points); + domain->inverse_fft(V_P_interpolation_points); math::polynomial V_P(V_P_interpolation_points.begin(), V_P_interpolation_points.end()); @@ -126,7 +124,7 @@ namespace nil { math::polynomial g = {1}; math::polynomial h = {1}; - for (std::size_t i = 0; i < permutation_size; i++) { + for (std::size_t i = 0; i < S_id.size(); i++) { g = g * (columns[i] + beta * S_id[i] + gamma); h = h * (columns[i] + beta * S_sigma[i] + gamma); } @@ -137,9 +135,9 @@ namespace nil { math::polynomial V_P_shifted = math::polynomial_shift(V_P, domain->get_domain_element(1)); - F[0] = lagrange_1 * (one_polynomial - V_P); - F[1] = (one_polynomial - (q_last + q_blind)) * (V_P_shifted * h - V_P * g); - F[2] = q_last * (V_P * V_P - V_P); + F[0] = preprocessed_data.lagrange_0 * (one_polynomial - V_P); + F[1] = (one_polynomial - (preprocessed_data.q_last + preprocessed_data.q_blind)) * (V_P_shifted * h - V_P * g); + F[2] = preprocessed_data.q_last * (V_P * V_P - V_P); prover_result_type res = {F, V_P, V_P_tree}; @@ -148,23 +146,18 @@ namespace nil { static inline std::array verify_eval(fiat_shamir_heuristic_updated &transcript, - std::size_t circuit_rows, - std::size_t permutation_size, - std::shared_ptr> - domain, + const typename types_policy::template preprocessed_data_type preprocessed_data, + const typename types_policy::template circuit_short_description &short_description, const typename FieldType::value_type &challenge, // y const std::vector &column_polynomials, // f(y) const typename FieldType::value_type &perm_polynomial, // // V_P(y) const typename FieldType::value_type &perm_polynomial_shifted, // V_P(omega * y) - // TODO: commitment - const math::polynomial &lagrange_1, - const std::vector> &S_id, - const std::vector> &S_sigma, - const math::polynomial &q_last, - const math::polynomial &q_blind, const typename CommitmentSchemeType::commitment_type &V_P_commitment) { + const std::vector> &S_sigma = preprocessed_data.permutation_polynomials; + const std::vector> &S_id = preprocessed_data.identity_polynomials; + // 1. Get beta, gamma typename FieldType::value_type beta = transcript.template challenge(); typename FieldType::value_type gamma = transcript.template challenge(); @@ -183,10 +176,10 @@ namespace nil { std::array F; typename FieldType::value_type one = FieldType::value_type::one(); - F[0] = lagrange_1.evaluate(challenge) * (one - perm_polynomial); - F[1] = (one - q_last.evaluate(challenge) - q_blind.evaluate(challenge)) * + F[0] = preprocessed_data.lagrange_0.evaluate(challenge) * (one - perm_polynomial); + F[1] = (one - preprocessed_data.q_last.evaluate(challenge) - preprocessed_data.q_blind.evaluate(challenge)) * (perm_polynomial_shifted * h - perm_polynomial * g); - F[2] = q_last.evaluate(challenge) * (perm_polynomial.squared() - perm_polynomial); + F[2] = preprocessed_data.q_last.evaluate(challenge) * (perm_polynomial.squared() - perm_polynomial); return F; } diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp index 51916fd0a..a119f40c3 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp @@ -45,6 +45,19 @@ namespace nil { class redshift_preprocessor { using types_policy = detail::redshift_types_policy; + static math::polynomial + lagrange_polynomial(std::shared_ptr> domain, std::size_t number) { + std::vector> evaluation_points; + for (std::size_t i = 0; i < domain->m; i++) { + evaluation_points.push_back(std::make_pair(domain->get_domain_element(i), (i != number) ? + FieldType::value_type::zero() : + FieldType::value_type::one())); + } + math::polynomial f = math::lagrange_interpolation(evaluation_points); + + return f; + } + public: static inline std::vector> identity_polynomials(std::size_t permutation_size, std::size_t table_size, @@ -120,11 +133,13 @@ namespace nil { return q_last; } - static inline typename types_policy::template preprocessed_data_type + template + static inline typename types_policy::template preprocessed_data_type process(const typename types_policy::constraint_system_type &constraint_system, - const typename types_policy::variable_assignment_type &assignments) { + const typename types_policy::variable_assignment_type &assignments, + typename types_policy::template circuit_short_description &short_description) { - typename types_policy::template preprocessed_data_type data; + typename types_policy::template preprocessed_data_type data; std::size_t N_rows = 0; for (auto &wire_assignments : assignments) { @@ -133,6 +148,20 @@ namespace nil { data.basic_domain = math::make_evaluation_domain(N_rows); + + data.permutation_polynomials = permutation_polynomials(short_description.columns_with_copy_constraints.size(), + short_description.table_rows, data.basic_domain->get_domain_element(1), short_description.delta, + short_description.permutation, data.basic_domain); + + data.identity_polynomials = identity_polynomials(short_description.columns_with_copy_constraints.size(), + short_description.table_rows, data.basic_domain->get_domain_element(1), + short_description.delta, data.basic_domain); + + data.lagrange_0 = lagrange_polynomial(data.basic_domain, 0); + + data.q_last = selector_last(short_description.table_rows, short_description.usable_rows, data.basic_domain); + data.q_blind = selector_blind(short_description.table_rows, short_description.usable_rows, data.basic_domain); + /*data.omega = math::unity_root(math::detail::power_of_two(k)); data.Z = {1}; // data.selectors = constraint_system.selectors(); diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 116256747..5eb34b970 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -109,10 +109,10 @@ namespace nil { public: static inline typename types_policy::template proof_type - process(const typename types_policy::template preprocessed_data_type preprocessed_data, + process(const typename types_policy::template preprocessed_data_type preprocessed_data, const typename types_policy::constraint_system_type &constraint_system, const typename types_policy::variable_assignment_type &assignments, - const typename types_policy::template circuit_short_description &short_description), + const typename types_policy::template circuit_short_description &short_description, const typename lpc::fri_type::params_type &fri_params) { typename types_policy::template proof_type proof; @@ -135,16 +135,15 @@ namespace nil { proof.witness_commitments.resize(witness_columns); for (std::size_t i = 0; i < witness_columns; i++) { proof.witness_commitments[i] = witness_commitments[i].root(); - transcript(proof.witness_commitments[i]); + //transcript(proof.witness_commitments[i]); } - //transcript(witness_commitments); //TODO: marshalling - /*// 3. Prepare columns included into permuation argument - std::vector> f(N_perm + N_PI); - std::copy(w.begin(), w.end(), f.begin()); + // 3. Prepare columns included into permuation argument + //std::vector> f(N_perm + N_PI); + //std::copy(w.begin(), w.end(), f.begin()); // 4. permutation_argument - std::array, permutation_parts> + /*std::array, permutation_parts> permutation_argument = redshift_permutation_argument::prove_eval(transcript); std::array, f_parts> F; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp index c7f00eba3..8c1ed4927 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp @@ -36,6 +36,7 @@ #include #include +#include #include namespace nil { @@ -69,21 +70,24 @@ namespace nil { template using proof_type = redshift_proof; - template + template struct preprocessed_data_type { std::shared_ptr> basic_domain; std::vector> selectors; // S_sigma - std::vector> permutations; + std::vector> permutation_polynomials; // S_id std::vector> - identity_permutations; + identity_polynomials; // c std::vector> constraints; - std::vector> Lagrange_basis; + math::polynomial lagrange_0; + + math::polynomial q_last; + math::polynomial q_blind; math::polynomial Z; }; @@ -93,6 +97,14 @@ namespace nil { std::vector selectors_commits; std::vector id_polys_commits; std::vector perm_polys_commits; + + std::vector columns_with_copy_constraints; + + std::size_t table_rows; + std::size_t usable_rows; + + typename FieldType::value_type delta; + plonk_permutation permutation; //TODO: Gates and field elements }; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp index 8c7f1c9c4..22cf049fc 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp @@ -68,13 +68,13 @@ namespace nil { fiat_shamir_heuristic_updated transcript(std::vector()); // 1. Add circuit definition to transctipt - /*transcript(short_description); + //transcript(short_description); - for (std::size_t i = 0; i < N_wires; i++) { - transcript(proof.f_commitments[i]); + for (std::size_t i = 0; i < witness_columns; i++) { + //transcript(proof.witness_commitments[i]); } - std::array permutation_argument = + /*std::array permutation_argument = redshift_permutation_argument::verify_eval(transcript); std::array alphas = diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index b2a028ccf..03bbdf184 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -121,9 +121,16 @@ BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { typename fri_type::params_type fri_params = create_fri_params(table_rows_log); typename types_policy::constraint_system_type constraint_system; typename types_policy::variable_assignment_type assigments = circuit.table; + types_policy::circuit_short_description short_description; - typename types_policy::template preprocessed_data_type preprocessed_data = - redshift_preprocessor::process(constraint_system, assigments); + short_description.columns_with_copy_constraints = {0, 1, 2}; + short_description.table_rows = table_rows; + short_description.usable_rows = usable_rows; + short_description.delta = circuit.delta; + short_description.permutation = circuit.permutation; + + typename types_policy::template preprocessed_data_type preprocessed_data = + redshift_preprocessor::process(constraint_system, assigments, short_description); typename types_policy::template proof_type proof = redshift_prover::process( preprocessed_data, constraint_system, assigments, short_description, fri_params); @@ -145,20 +152,34 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { constexpr std::size_t argument_size = 3; + using types_policy = zk::snark::detail::redshift_types_policy; + constexpr static const std::size_t r = table_rows_log - 1; typedef list_polynomial_commitment_scheme lpc_type; typename fri_type::params_type fri_params = create_fri_params(table_rows_log); math::polynomial lagrange_0 = lagrange_polynomial(circuit.domain, 0); + typename types_policy::constraint_system_type constraint_system; + typename types_policy::variable_assignment_type assigments = circuit.table; + + types_policy::circuit_short_description short_description; + short_description.columns_with_copy_constraints = {0, 1, 2, 3}; + short_description.table_rows = table_rows; + short_description.usable_rows = usable_rows; + short_description.delta = circuit.delta; + short_description.permutation = circuit.permutation; + + typename types_policy::template preprocessed_data_type preprocessed_data = + redshift_preprocessor::process(constraint_system, assigments, short_description); + std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; fiat_shamir_heuristic_updated prover_transcript(init_blob); fiat_shamir_heuristic_updated verifier_transcript(init_blob); - typename redshift_permutation_argument::prover_result_type prover_res = - redshift_permutation_argument::prove_eval(prover_transcript, table_rows, - permutation_size, circuit.domain, lagrange_0, circuit.S_id, - circuit.S_sigma, circuit.column_polynomials, circuit.q_last, circuit.q_blind, fri_params); + typename redshift_permutation_argument::prover_result_type prover_res = + redshift_permutation_argument::prove_eval(prover_transcript, preprocessed_data, short_description, + circuit.column_polynomials, fri_params); // Challenge phase typename FieldType::value_type y = algebra::random_element(); @@ -171,9 +192,9 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { typename FieldType::value_type v_p_at_y_shifted = prover_res.permutation_polynomial.evaluate(circuit.omega * y); std::array verifier_res = - redshift_permutation_argument::verify_eval( - verifier_transcript, table_rows, permutation_size, circuit.domain, y, f_at_y, v_p_at_y, v_p_at_y_shifted, - lagrange_0, circuit.S_id, circuit.S_sigma, circuit.q_last, circuit.q_blind, prover_res.permutation_poly_commitment.root()); + redshift_permutation_argument::verify_eval( + verifier_transcript, preprocessed_data, short_description, y, f_at_y, v_p_at_y, v_p_at_y_shifted, + prover_res.permutation_poly_commitment.root()); typename FieldType::value_type verifier_next_challenge = verifier_transcript.template challenge(); typename FieldType::value_type prover_next_challenge = prover_transcript.template challenge(); From 26c75c4b1028615a7cd9d6a55a2ab280616b03da Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Tue, 22 Feb 2022 00:37:09 +0200 Subject: [PATCH 167/219] wire_polynomials output #20 --- include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp index 9fccc6515..61399c461 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp @@ -139,7 +139,7 @@ namespace nil { // } // } - return result; + return wires; } void add_gate(const plonk_gate_unprocessed &g) { From ad7b549ef402cf1a6ecfb94c60ebb97b24c9f584 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Tue, 22 Feb 2022 01:56:48 +0200 Subject: [PATCH 168/219] redhsift prover permutation argument #20 --- .../relations/non_linear_combination.hpp | 3 +- .../systems/plonk/redshift/gates_argument.hpp | 8 +-- .../plonk/redshift/permutation_argument.hpp | 3 +- .../zk/snark/systems/plonk/redshift/proof.hpp | 22 +++++-- .../snark/systems/plonk/redshift/prover.hpp | 65 +++++++++++-------- .../zk/snark/systems/plonk/redshift/types.hpp | 2 +- .../snark/systems/plonk/redshift/verifier.hpp | 4 +- test/systems/plonk/circuits.hpp | 4 +- test/systems/plonk/redshift.cpp | 4 +- 9 files changed, 69 insertions(+), 46 deletions(-) diff --git a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp index 8c13aae3c..35b3c0c18 100644 --- a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp +++ b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp @@ -216,9 +216,8 @@ namespace nil { return acc; } - template math::polynomial evaluate( - const std::array, WiresAmount> &assignment) const { + const std::vector> &assignment) const { math::polynomial acc = {0}; for (const non_linear_term &nlt : this->terms) { math::polynomial term_value = {nlt.coeff}; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp index 96263eb6b..52a943aaa 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp @@ -54,10 +54,9 @@ namespace nil { struct redshift_gates_argument { constexpr static const std::size_t argument_size = 1; - template - static inline std::array, argument_size> + static inline std::array, argument_size> prove_eval(const std::vector> &gates, - const std::array, table_width> &columns, + const std::vector> &columns, fiat_shamir_heuristic_updated &transcript) { typename FieldType::value_type theta = transcript.template challenge(); @@ -83,8 +82,7 @@ namespace nil { return F; } - template - static inline std::array + static inline std::array verify_eval(const std::vector> &gates, typename plonk_constraint::evaluation_map &evaluations, typename FieldType::value_type challenge, diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp index db385c97e..ba790c423 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp @@ -62,12 +62,11 @@ namespace nil { typename CommitmentSchemeType::merkle_tree_type permutation_poly_commitment; }; - template static inline prover_result_type prove_eval(fiat_shamir_heuristic_updated &transcript, const typename types_policy::template preprocessed_data_type preprocessed_data, const typename types_policy::template circuit_short_description &short_description, - const std::array, table_width> &columns, + const std::vector> &columns, typename fri_type::params_type fri_params) { const std::vector> &S_sigma = preprocessed_data.permutation_polynomials; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp index d589252b7..b7d168567 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp @@ -31,17 +31,22 @@ namespace nil { namespace zk { namespace snark { - template + template struct redshift_proof { typedef CommitmentSchemeType commitment_scheme_type; + struct evaluation_proof { + typedef CommitmentSchemeType commitment_scheme_type; + + typename commitment_scheme_type::proof_type witness_proof; + }; + redshift_proof() { } std::vector witness_commitments; - typename CommitmentSchemeType::commitment_type P_commitment; - typename CommitmentSchemeType::commitment_type Q_commitment; + typename CommitmentSchemeType::commitment_type v_perm_commitment; std::vector T_commitments; @@ -52,11 +57,16 @@ namespace nil { std::vector T_lpc_proofs; + //std::vector witness_evaluation; + + evaluation_proof eval_proof; + bool operator==(const redshift_proof &rhs) const { - return witness_commitments == rhs.witness_commitments && P_commitment == rhs.P_commitment && - Q_commitment == rhs.Q_commitment && T_commitments == rhs.T_commitments && + return witness_commitments == rhs.witness_commitments && T_commitments == rhs.T_commitments && f_lpc_proofs == rhs.f_lpc_proofs && P_lpc_proof == rhs.P_lpc_proof && - Q_lpc_proof == rhs.Q_lpc_proof && T_lpc_proofs == rhs.T_lpc_proofs; + Q_lpc_proof == rhs.Q_lpc_proof && T_lpc_proofs == rhs.T_lpc_proofs && + v_perm_commitment == rhs.v_perm_commitment && + eval_proof = rhs.eval_proof; } bool operator!=(const redshift_proof &rhs) const { return !(rhs == *this); diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 5eb34b970..1318f3722 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -35,7 +35,7 @@ #include #include #include -// #include +#include namespace nil { namespace crypto3 { @@ -80,19 +80,23 @@ namespace nil { }*/ /*static inline std::vector - evaluation_proof(fiat_shamir_heuristic_updated &transcript, - typename FieldType::value_type omega) { - typename FieldType::value_type y = transcript.template challenge(); //TODO: define challenge space + evaluation_proof(typename FieldType::value_type challenge, + const typename types_policy::constraint_system_type &constraint_system + std::vector> polynomials, + std::vector witness_commits, + const typename lpc::fri_type::params_type &fri_params) { // witness polynomials (table columns) - std::vector rotation_gates = {}; - std::vector evaluation_points_gates(rotation_gates.size()); - for (std::size_t i = 0; i < evaluation_points_gates.size(); i++) { - evaluation_points_gates[i] = y * omega.pow(rotation_gates[i]); + for (std::size_t i = 0; i < witness_commits.size(); i++) { + std::vector rotation_gates = {}; + std::vector evaluation_points_gates(rotation_gates.size()); + for (std::size_t i = 0; i < evaluation_points_gates.size(); i++) { + evaluation_points_gates[i] = y * omega.pow(rotation_gates[i]); + } + + lpc::proof_type proof = lpc::proof_eval(evaluation_points_gates, witness_commits, f, transcript, fri_params); } - lpc::proof_type proof = lpc::proof_eval(evaluation_points_gates, tree, f, transcript, fri_params); - // permutation polynomials std::vector evaluation_points_permutation = {y, y * omega}; @@ -116,7 +120,8 @@ namespace nil { const typename lpc::fri_type::params_type &fri_params) { typename types_policy::template proof_type proof; - fiat_shamir_heuristic_updated transcript(std::vector()); + std::vector tanscript_init = {}; + fiat_shamir_heuristic_updated transcript(tanscript_init); // 1. Add circuit definition to transctipt //transcript(short_description); //TODO: circuit_short_description marshalling @@ -139,25 +144,37 @@ namespace nil { } // 3. Prepare columns included into permuation argument - //std::vector> f(N_perm + N_PI); - //std::copy(w.begin(), w.end(), f.begin()); + std::vector> columns_for_permutation_argument(short_description.columns_with_copy_constraints.size()); + for (std::size_t i = 0; i < short_description.columns_with_copy_constraints.size(); i++) { + std::size_t column_index = short_description.columns_with_copy_constraints[i]; + if (column_index < witness_columns) { //TODO: for now, we suppose that witnesses are placed to the first witness_columns of the table + columns_for_permutation_argument[i] = witness_poly[i]; + } else { + std::vector tmp; + std::copy(assignments[column_index].begin(), assignments[column_index].end(), std::back_inserter(tmp)); + preprocessed_data.basic_domain->inverse_fft(tmp); + columns_for_permutation_argument[i] = tmp; + } + } // 4. permutation_argument - /*std::array, permutation_parts> - permutation_argument = redshift_permutation_argument::prove_eval(transcript); + auto permutation_argument = redshift_permutation_argument::prove_eval( + transcript, preprocessed_data, short_description, columns_for_permutation_argument, fri_params); + + proof.v_perm_commitment = permutation_argument.permutation_poly_commitment.root(); std::array, f_parts> F; - F[0] = permutation_argument[0]; - F[1] = permutation_argument[1]; - F[2] = permutation_argument[2]; + F[0] = permutation_argument.F[0]; + F[1] = permutation_argument.F[1]; + F[2] = permutation_argument.F[2]; // 5. lookup_argument // std::array, 5> // lookup_argument = redshift_lookup_argument::prove_eval(transcript); // 6. circuit-satisfability - std::array, gate_parts> prover_res = + /*std::array, gate_parts> prover_res = redshift_gates_argument::prove_eval(prover_transcript, circuit_rows, permutation_size, domain, lagrange_0, S_id, S_sigma, f, q_last, q_blind, fri_params); @@ -169,15 +186,11 @@ namespace nil { std::size_t N_T = std::max(N_perm + N_PI, F[8].degree() - 1); std::array, N_T> T_splitted = ; auto T_commitments = lpc::commit(T_splitted, fri_params.D[0]); - transcript(T_commitments); + transcript(T_commitments);*/ // 8. Run evaluation proofs - lpc::proof_type lpc_proof_witnesses = evaluation_proof(transcript, omega); - lpc::proof_type lpc_proof_witnesses = evaluation_proof(transcript, omega); - - // 8.1 Get $y \in \mathbb{F}/H$ from $hash|_{\mathbb{F}/H}(\text{transcript})$ - // typename FieldType::value_type upsilon = - // transcript.template challenge(); + //typename FieldType::value_type challenge = transcript.template challenge(); + //lpc::proof_type lpc_proof_witnesses = evaluation_proof(transcript, omega); // std::array fT_evaluation_points = {upsilon}; // std::vector f_lpc_proofs(N_wires); diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp index 8c1ed4927..c66f9f850 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp @@ -68,7 +68,7 @@ namespace nil { * about the structure for statistics purposes. */ template - using proof_type = redshift_proof; + using proof_type = redshift_proof; template struct preprocessed_data_type { diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp index e557ecee3..29362dcd0 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp @@ -75,7 +75,9 @@ namespace nil { } /*std::array permutation_argument = - redshift_permutation_argument::verify_eval(transcript); + redshift_permutation_argument::verify_eval( + verifier_transcript, preprocessed_data, short_description, y, proof.witness_evaluation, v_p_at_y, v_p_at_y_shifted, + proof.v_perm_commitment); std::array alphas = transcript.template challenges(); diff --git a/test/systems/plonk/circuits.hpp b/test/systems/plonk/circuits.hpp index 69e1c440b..5223e5717 100644 --- a/test/systems/plonk/circuits.hpp +++ b/test/systems/plonk/circuits.hpp @@ -66,7 +66,7 @@ namespace nil { std::vector> S_sigma; std::array, witness_columns + public_columns> table; - std::array, witness_columns + public_columns> column_polynomials; + std::vector> column_polynomials; // construct q_last, q_blind math::polynomial q_last; @@ -118,6 +118,7 @@ namespace nil { constexpr static const std::size_t usable = 1 << rows_log; circuit_description test_circuit; + test_circuit.column_polynomials.resize(witness_columns + public_columns); std::array, table_columns> table; @@ -212,6 +213,7 @@ namespace nil { constexpr static const std::size_t usable = 1 << rows_log; circuit_description test_circuit; + test_circuit.column_polynomials.resize(witness_columns + public_columns); std::array, table_columns> table; diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index 03bbdf184..980093bd7 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -234,7 +234,7 @@ BOOST_AUTO_TEST_CASE(redshift_gate_argument_test) { fiat_shamir_heuristic_updated verifier_transcript(init_blob); std::array, 1> prover_res = - redshift_gates_argument::prove_eval(circuit.gates, circuit.column_polynomials, prover_transcript); + redshift_gates_argument::prove_eval(circuit.gates, circuit.column_polynomials, prover_transcript); // Challenge phase typename FieldType::value_type y = algebra::random_element(); @@ -246,7 +246,7 @@ BOOST_AUTO_TEST_CASE(redshift_gate_argument_test) { } std::array verifier_res = - redshift_gates_argument::verify_eval(circuit.gates, columns_at_y, y, verifier_transcript); + redshift_gates_argument::verify_eval(circuit.gates, columns_at_y, y, verifier_transcript); typename FieldType::value_type verifier_next_challenge = verifier_transcript.template challenge(); typename FieldType::value_type prover_next_challenge = prover_transcript.template challenge(); From d444287bcc07b5fcf695c7acced712f795f18179 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Tue, 22 Feb 2022 03:17:43 +0200 Subject: [PATCH 169/219] redshift prover gates argument and quotient polynomial #20 --- .../zk/snark/relations/plonk/plonk.hpp | 2 + .../systems/plonk/redshift/gates_argument.hpp | 10 ++++- .../systems/plonk/redshift/preprocessor.hpp | 8 ++++ .../snark/systems/plonk/redshift/prover.hpp | 42 +++++++++++++------ test/systems/plonk/redshift.cpp | 21 ++++++++-- 5 files changed, 65 insertions(+), 18 deletions(-) diff --git a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp index 61399c461..67b0f619d 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp @@ -62,6 +62,8 @@ namespace nil { public: + std::vector> gates; + plonk_constraint_system() { } diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp index 52a943aaa..e59e6fc26 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp @@ -45,17 +45,21 @@ namespace nil { namespace snark { template, std::size_t ArgumentSize = 1> struct redshift_gates_argument; template - struct redshift_gates_argument { + struct redshift_gates_argument { + using types_policy = detail::redshift_types_policy; + constexpr static const std::size_t argument_size = 1; static inline std::array, argument_size> - prove_eval(const std::vector> &gates, + prove_eval(typename types_policy::constraint_system_type &constraint_system, const std::vector> &columns, fiat_shamir_heuristic_updated &transcript) { @@ -66,6 +70,8 @@ namespace nil { typename FieldType::value_type theta_acc = FieldType::value_type::one(); + std::vector> &gates = constraint_system.gates; + for (std::size_t i = 0; i < gates.size(); i++) { math::polynomial gate_result = {0}; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp index a119f40c3..7de00ae59 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp @@ -162,6 +162,14 @@ namespace nil { data.q_last = selector_last(short_description.table_rows, short_description.usable_rows, data.basic_domain); data.q_blind = selector_blind(short_description.table_rows, short_description.usable_rows, data.basic_domain); + std::vector z_numenator(N_rows + 1); + z_numenator[0] = -FieldType::value_type::one(); + z_numenator[N_rows] = FieldType::value_type::one(); + + data.Z = z_numenator; + math::polynomial z_denominator = {-FieldType::value_type::one(), FieldType::value_type::one()}; + data.Z = data.Z / z_denominator; + /*data.omega = math::unity_root(math::detail::power_of_two(k)); data.Z = {1}; // data.selectors = constraint_system.selectors(); diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 1318f3722..91caab935 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -36,6 +36,7 @@ #include #include #include +#include namespace nil { namespace crypto3 { @@ -63,8 +64,10 @@ namespace nil { constexpr static const std::size_t permutation_parts = 3; constexpr static const std::size_t f_parts = 9; - /*static inline math::polynomial - quotient_polynomial() { + static inline math::polynomial + quotient_polynomial(const typename types_policy::template preprocessed_data_type preprocessed_data, + std::array, f_parts> F, + fiat_shamir_heuristic_updated transcript) { // 7.1. Get $\alpha_0, \dots, \alpha_8 \in \mathbb{F}$ from $hash(\text{transcript})$ std::array alphas = transcript.template challenges(); @@ -77,7 +80,9 @@ namespace nil { math::polynomial T_consolidated = F_consolidated / preprocessed_data.Z; - }*/ + + return T_consolidated; + } /*static inline std::vector evaluation_proof(typename FieldType::value_type challenge, @@ -114,7 +119,7 @@ namespace nil { public: static inline typename types_policy::template proof_type process(const typename types_policy::template preprocessed_data_type preprocessed_data, - const typename types_policy::constraint_system_type &constraint_system, + typename types_policy::constraint_system_type &constraint_system, const typename types_policy::variable_assignment_type &assignments, const typename types_policy::template circuit_short_description &short_description, const typename lpc::fri_type::params_type &fri_params) { @@ -148,7 +153,7 @@ namespace nil { for (std::size_t i = 0; i < short_description.columns_with_copy_constraints.size(); i++) { std::size_t column_index = short_description.columns_with_copy_constraints[i]; if (column_index < witness_columns) { //TODO: for now, we suppose that witnesses are placed to the first witness_columns of the table - columns_for_permutation_argument[i] = witness_poly[i]; + columns_for_permutation_argument[i] = witness_poly[column_index]; } else { std::vector tmp; std::copy(assignments[column_index].begin(), assignments[column_index].end(), std::back_inserter(tmp)); @@ -174,19 +179,30 @@ namespace nil { // lookup_argument = redshift_lookup_argument::prove_eval(transcript); // 6. circuit-satisfability - /*std::array, gate_parts> prover_res = - redshift_gates_argument::prove_eval(prover_transcript, circuit_rows, - permutation_size, domain, lagrange_0, S_id, - S_sigma, f, q_last, q_blind, fri_params); + std::vector> columns_for_gate_argument(witness_columns + public_columns); + for (std::size_t i = 0; i < columns_for_gate_argument.size(); i++) { + if (i < witness_columns) { //TODO: for now, we suppose that witnesses are placed to the first witness_columns of the table + columns_for_gate_argument[i] = witness_poly[i]; + } else { + std::vector tmp; + std::copy(assignments[i].begin(), assignments[i].end(), std::back_inserter(tmp)); + preprocessed_data.basic_domain->inverse_fft(tmp); + columns_for_gate_argument[i] = tmp; + } + } + + std::array, gate_parts> prover_res = + redshift_gates_argument::prove_eval( + constraint_system, columns_for_gate_argument, transcript); F[3] = prover_res[0]; // 7. Aggregate quotient polynomial - math::polynomial T = quotient_polynomial(); - std::size_t N_T = std::max(N_perm + N_PI, F[8].degree() - 1); - std::array, N_T> T_splitted = ; + math::polynomial T = quotient_polynomial(preprocessed_data, F, transcript); + /*std::size_t N_T = short_description.columns_with_copy_constraints.size();// std::max(short_description.columns_with_copy_constraints.size(), GATE_MAX_DEGREE); + std::array, N_T> T_splitted; auto T_commitments = lpc::commit(T_splitted, fri_params.D[0]); - transcript(T_commitments);*/ + transcript(T_commitments); // 8. Run evaluation proofs //typename FieldType::value_type challenge = transcript.template challenge(); diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index 980093bd7..fad59a02d 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -223,18 +223,33 @@ BOOST_AUTO_TEST_CASE(redshift_gate_argument_test) { const std::size_t usable_rows = 1 << table_rows_log; circuit_description circuit = circuit_test_2(); + using types_policy = zk::snark::detail::redshift_types_policy; + constexpr static const std::size_t r = table_rows_log - 1; typedef list_polynomial_commitment_scheme lpc_type; typename fri_type::params_type fri_params = create_fri_params(table_rows_log); - math::polynomial lagrange_0 = lagrange_polynomial(circuit.domain, 0); + + typename types_policy::constraint_system_type constraint_system; + constraint_system.gates = circuit.gates; + typename types_policy::variable_assignment_type assigments = circuit.table; + + types_policy::circuit_short_description short_description; + short_description.columns_with_copy_constraints = {0, 1, 2, 3}; + short_description.table_rows = table_rows; + short_description.usable_rows = usable_rows; + short_description.delta = circuit.delta; + short_description.permutation = circuit.permutation; + + typename types_policy::template preprocessed_data_type preprocessed_data = + redshift_preprocessor::process(constraint_system, assigments, short_description); std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; fiat_shamir_heuristic_updated prover_transcript(init_blob); fiat_shamir_heuristic_updated verifier_transcript(init_blob); std::array, 1> prover_res = - redshift_gates_argument::prove_eval(circuit.gates, circuit.column_polynomials, prover_transcript); + redshift_gates_argument::prove_eval(constraint_system, circuit.column_polynomials, prover_transcript); // Challenge phase typename FieldType::value_type y = algebra::random_element(); @@ -246,7 +261,7 @@ BOOST_AUTO_TEST_CASE(redshift_gate_argument_test) { } std::array verifier_res = - redshift_gates_argument::verify_eval(circuit.gates, columns_at_y, y, verifier_transcript); + redshift_gates_argument::verify_eval(circuit.gates, columns_at_y, y, verifier_transcript); typename FieldType::value_type verifier_next_challenge = verifier_transcript.template challenge(); typename FieldType::value_type prover_next_challenge = prover_transcript.template challenge(); From 1abf8e97f1d6ede5bb981868a934a4cff74c0745 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Tue, 22 Feb 2022 04:10:41 +0200 Subject: [PATCH 170/219] prover splitted T #20 --- .../zk/snark/commitments/fri_commitment.hpp | 2 +- .../snark/systems/plonk/redshift/prover.hpp | 25 ++++++++++++++++--- test/commitment/fri.cpp | 2 +- test/commitment/lpc.cpp | 2 +- test/commitment/lpc_performance.cpp | 4 +-- test/systems/plonk/redshift.cpp | 11 ++++---- 6 files changed, 31 insertions(+), 15 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index ebe52ccb3..5b6419ce2 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -355,7 +355,7 @@ namespace nil { x = x_next; } - if (proof.final_polynomial.degree() > std::pow(2, std::log2(fri_params.max_degree) - r) - 1) { + if (proof.final_polynomial.degree() > std::pow(2, std::log2(fri_params.max_degree + 1) - r) - 1) { return false; } if (proof.final_polynomial.evaluate(x) != proof.round_proofs[r - 1].colinear_value) { diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 91caab935..ae6a36b06 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -84,6 +84,20 @@ namespace nil { return T_consolidated; } + static inline std::vector> + split_polynomial(math::polynomial f, + std::size_t max_degree) { + std::size_t parts = ((f.size() - 1) / (max_degree + 1)) + 1; + std::vector> f_splitted(parts); + + std::size_t chunk_size = max_degree + 1; // polynomial contains max_degree + 1 coeffs + for (std::size_t i = 0; i < parts - 1; i++) { + std::copy(f.begin() + i * chunk_size, f.begin() + (i + 1) * chunk_size - 1, std::back_inserter(f_splitted[i])); + } + std::copy(f.begin() + (parts - 1) * chunk_size, f.end(), std::back_inserter(f_splitted[parts - 1])); + return f_splitted; + } + /*static inline std::vector evaluation_proof(typename FieldType::value_type challenge, const typename types_policy::constraint_system_type &constraint_system @@ -199,10 +213,13 @@ namespace nil { // 7. Aggregate quotient polynomial math::polynomial T = quotient_polynomial(preprocessed_data, F, transcript); - /*std::size_t N_T = short_description.columns_with_copy_constraints.size();// std::max(short_description.columns_with_copy_constraints.size(), GATE_MAX_DEGREE); - std::array, N_T> T_splitted; - auto T_commitments = lpc::commit(T_splitted, fri_params.D[0]); - transcript(T_commitments); + std::vector> T_splitted = split_polynomial(T, fri_params.max_degree); + std::vector T_commitments(T_splitted.size()); + for (std::size_t i = 0; i < T_splitted.size(); i++) { + T_commitments[i] = lpc::commit(T_splitted[i], fri_params.D[0]); + } + + //transcript(T_commitments); // 8. Run evaluation proofs //typename FieldType::value_type challenge = transcript.template challenge(); diff --git a/test/commitment/fri.cpp b/test/commitment/fri.cpp index dfccedfd0..b509c7221 100644 --- a/test/commitment/fri.cpp +++ b/test/commitment/fri.cpp @@ -81,7 +81,7 @@ BOOST_AUTO_TEST_CASE(fri_basic_test) { params.r = r; params.D = D; params.q = q; - params.max_degree = d; + params.max_degree = d - 1; BOOST_CHECK(D[1]->m == D[0]->m / 2); BOOST_CHECK(D[1]->get_domain_element(1) == D[0]->get_domain_element(1).squared()); diff --git a/test/commitment/lpc.cpp b/test/commitment/lpc.cpp index 74cd9f659..f742d041e 100644 --- a/test/commitment/lpc.cpp +++ b/test/commitment/lpc.cpp @@ -83,7 +83,7 @@ BOOST_AUTO_TEST_CASE(lpc_basic_test) { fri_params.r = r; fri_params.D = D; fri_params.q = q; - fri_params.max_degree = d; + fri_params.max_degree = d - 1; // commit diff --git a/test/commitment/lpc_performance.cpp b/test/commitment/lpc_performance.cpp index 79bf4ca82..1395b6191 100644 --- a/test/commitment/lpc_performance.cpp +++ b/test/commitment/lpc_performance.cpp @@ -124,7 +124,7 @@ BOOST_AUTO_TEST_CASE(lpc_performance_test) { fri_params.r = r; fri_params.D = D; fri_params.q = q; - fri_params.max_degree = d; + fri_params.max_degree = d - 1; typedef boost::random::independent_bits_engine poly; - for (int j = 0; j < fri_params.max_degree; j++) { + for (int j = 0; j < fri_params.max_degree + 1; j++) { poly.push_back(typename FieldType::value_type(polynomial_element_gen())); } merkle_tree_type tree = lpc_type::commit(poly, D[0]); // phase_1: Commit diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index fad59a02d..29729dcf6 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -84,7 +84,7 @@ typename fri_type::params_type create_fri_params(std::size_t degree_log) { params.r = degree_log - 1; params.D = domain_set; params.q = q; - params.max_degree = 1 << degree_log; + params.max_degree = (1 << degree_log) - 1; return params; } @@ -107,11 +107,11 @@ BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { const std::size_t table_rows_log = 4; const std::size_t table_rows = 1 << table_rows_log; const std::size_t witness_columns = 3; - const std::size_t public_columns = 0; + const std::size_t public_columns = 1; const std::size_t table_columns = witness_columns + public_columns; - const std::size_t permutation_size = 3; + const std::size_t permutation_size = 4; const std::size_t usable_rows = 1 << table_rows_log; - circuit_description circuit = circuit_test_1(); + circuit_description circuit = circuit_test_2(); using types_policy = zk::snark::detail::redshift_types_policy; @@ -123,7 +123,7 @@ BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { typename types_policy::variable_assignment_type assigments = circuit.table; types_policy::circuit_short_description short_description; - short_description.columns_with_copy_constraints = {0, 1, 2}; + short_description.columns_with_copy_constraints = {0, 1, 2, 3}; short_description.table_rows = table_rows; short_description.usable_rows = usable_rows; short_description.delta = circuit.delta; @@ -158,7 +158,6 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { typedef list_polynomial_commitment_scheme lpc_type; typename fri_type::params_type fri_params = create_fri_params(table_rows_log); - math::polynomial lagrange_0 = lagrange_polynomial(circuit.domain, 0); typename types_policy::constraint_system_type constraint_system; typename types_policy::variable_assignment_type assigments = circuit.table; From 49c244fc316041c7c3a705f8aec21c14bfa0fac0 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Tue, 22 Feb 2022 10:33:59 +0200 Subject: [PATCH 171/219] prover witness polynomial evaluation #20 --- .../zk/snark/commitments/fri_commitment.hpp | 3 ++- .../commitments/list_polynomial_commitment.hpp | 3 ++- .../crypto3/zk/snark/relations/plonk/gate.hpp | 1 + .../crypto3/zk/snark/relations/plonk/plonk.hpp | 1 + .../systems/plonk/redshift/gates_argument.hpp | 1 + .../plonk/redshift/permutation_argument.hpp | 1 + .../systems/plonk/redshift/preprocessor.hpp | 1 + .../zk/snark/systems/plonk/redshift/proof.hpp | 1 + .../zk/snark/systems/plonk/redshift/prover.hpp | 18 +++++++++++++++++- .../zk/snark/systems/plonk/redshift/types.hpp | 1 + .../snark/systems/plonk/redshift/verifier.hpp | 1 + test/commitment/fri.cpp | 1 + test/commitment/lpc.cpp | 1 + test/systems/plonk/circuits.hpp | 1 + test/systems/plonk/redshift.cpp | 1 + 15 files changed, 33 insertions(+), 3 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp index 5b6419ce2..46a2d734e 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp @@ -1,6 +1,7 @@ //---------------------------------------------------------------------------// // Copyright (c) 2021 Mikhail Komarov // Copyright (c) 2021 Nikita Kaskov +// Copyright (c) 2022 Ilia Shirobokov // // MIT License // @@ -177,7 +178,7 @@ namespace nil { const math::polynomial &g, merkle_tree_type &T, fiat_shamir_heuristic_updated &transcript, - params_type &fri_params) { + const params_type &fri_params) { proof_type proof; diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index 02485c355..7e4f93ee0 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -1,6 +1,7 @@ //---------------------------------------------------------------------------// // Copyright (c) 2021 Mikhail Komarov // Copyright (c) 2021 Nikita Kaskov +// Copyright (c) 2022 Ilia Shirobokov // // MIT License // @@ -130,7 +131,7 @@ namespace nil { merkle_tree_type &T, const math::polynomial &g, fiat_shamir_heuristic_updated &transcript, - typename fri_type::params_type &fri_params) { + const typename fri_type::params_type &fri_params) { std::array z; std::array p; diff --git a/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp b/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp index 0c9dc4b75..532dd75fc 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp @@ -1,6 +1,7 @@ //---------------------------------------------------------------------------// // Copyright (c) 2021 Mikhail Komarov // Copyright (c) 2021 Nikita Kaskov +// Copyright (c) 2022 Ilia Shirobokov // // MIT License // diff --git a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp index 67b0f619d..d92899339 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp @@ -1,6 +1,7 @@ //---------------------------------------------------------------------------// // Copyright (c) 2021 Mikhail Komarov // Copyright (c) 2021 Nikita Kaskov +// Copyright (c) 2022 Ilia Shirobokov // // MIT License // diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp index e59e6fc26..681abea7c 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp @@ -1,6 +1,7 @@ //---------------------------------------------------------------------------// // Copyright (c) 2021 Mikhail Komarov // Copyright (c) 2021 Nikita Kaskov +// Copyright (c) 2022 Ilia Shirobokov // // MIT License // diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp index ba790c423..c4a0ace06 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp @@ -1,6 +1,7 @@ //---------------------------------------------------------------------------// // Copyright (c) 2021 Mikhail Komarov // Copyright (c) 2021 Nikita Kaskov +// Copyright (c) 2022 Ilia Shirobokov // // MIT License // diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp index 7de00ae59..958c88fd3 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp @@ -1,6 +1,7 @@ //---------------------------------------------------------------------------// // Copyright (c) 2021 Mikhail Komarov // Copyright (c) 2021 Nikita Kaskov +// Copyright (c) 2022 Ilia Shirobokov // // MIT License // diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp index b7d168567..a18d9af49 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp @@ -1,6 +1,7 @@ //---------------------------------------------------------------------------// // Copyright (c) 2021 Mikhail Komarov // Copyright (c) 2021 Nikita Kaskov +// Copyright (c) 2022 Ilia Shirobokov // // MIT License // diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index ae6a36b06..947070226 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -1,6 +1,7 @@ //---------------------------------------------------------------------------// // Copyright (c) 2021 Mikhail Komarov // Copyright (c) 2021 Nikita Kaskov +// Copyright (c) 2022 Ilia Shirobokov // // MIT License // @@ -222,7 +223,22 @@ namespace nil { //transcript(T_commitments); // 8. Run evaluation proofs - //typename FieldType::value_type challenge = transcript.template challenge(); + typename FieldType::value_type challenge = transcript.template challenge(); + + // witness polynomials (table columns) + typename FieldType::value_type omega = preprocessed_data.basic_domain->get_domain_element(1); + std::array witnesses_evaluation; + for (std::size_t i = 0; i < witness_commitments.size(); i++) { + std::vector rotation_gates = {0}; //TODO: Rotation + std::array evaluation_points_gates; //TODO: array size with rotation + for (std::size_t i = 0; i < evaluation_points_gates.size(); i++) { + evaluation_points_gates[i] = challenge * omega.pow(rotation_gates[i]); + } + + witnesses_evaluation[i] = lpc::proof_eval(evaluation_points_gates, witness_commitments[i], witness_poly[i], transcript, fri_params); + } + + // permutation polynomial evaluation //lpc::proof_type lpc_proof_witnesses = evaluation_proof(transcript, omega); // std::array fT_evaluation_points = {upsilon}; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp index c66f9f850..3bc165283 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp @@ -1,6 +1,7 @@ //---------------------------------------------------------------------------// // Copyright (c) 2021 Mikhail Komarov // Copyright (c) 2021 Nikita Kaskov +// Copyright (c) 2022 Ilia Shirobokov // // MIT License // diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp index 29362dcd0..e86ab379a 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp @@ -1,6 +1,7 @@ //---------------------------------------------------------------------------// // Copyright (c) 2021 Mikhail Komarov // Copyright (c) 2021 Nikita Kaskov +// Copyright (c) 2022 Ilia Shirobokov // // MIT License // diff --git a/test/commitment/fri.cpp b/test/commitment/fri.cpp index b509c7221..ef0c1e786 100644 --- a/test/commitment/fri.cpp +++ b/test/commitment/fri.cpp @@ -1,6 +1,7 @@ //---------------------------------------------------------------------------// // Copyright (c) 2021 Mikhail Komarov // Copyright (c) 2021 Nikita Kaskov +// Copyright (c) 2022 Ilia Shirobokov // // MIT License // diff --git a/test/commitment/lpc.cpp b/test/commitment/lpc.cpp index f742d041e..e90ed5de5 100644 --- a/test/commitment/lpc.cpp +++ b/test/commitment/lpc.cpp @@ -1,6 +1,7 @@ //---------------------------------------------------------------------------// // Copyright (c) 2021 Mikhail Komarov // Copyright (c) 2021 Nikita Kaskov +// Copyright (c) 2022 Ilia Shirobokov // // MIT License // diff --git a/test/systems/plonk/circuits.hpp b/test/systems/plonk/circuits.hpp index 5223e5717..013689267 100644 --- a/test/systems/plonk/circuits.hpp +++ b/test/systems/plonk/circuits.hpp @@ -1,6 +1,7 @@ //---------------------------------------------------------------------------// // Copyright (c) 2021 Mikhail Komarov // Copyright (c) 2021 Nikita Kaskov +// Copyright (c) 2022 Ilia Shirobokov // // MIT License // diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index 29729dcf6..53ad1b5ec 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -1,6 +1,7 @@ //---------------------------------------------------------------------------// // Copyright (c) 2021 Mikhail Komarov // Copyright (c) 2021 Nikita Kaskov +// Copyright (c) 2022 Ilia Shirobokov // // MIT License // From 57816f7daa509b092b284003c6f023c8d51f377e Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Tue, 22 Feb 2022 13:28:40 +0200 Subject: [PATCH 172/219] prover v_p evaluations #20 --- .../plonk/redshift/permutation_argument.hpp | 19 ++--- .../zk/snark/systems/plonk/redshift/proof.hpp | 28 +++----- .../snark/systems/plonk/redshift/prover.hpp | 70 +++++++------------ .../zk/snark/systems/plonk/redshift/types.hpp | 6 +- .../snark/systems/plonk/redshift/verifier.hpp | 15 ++-- test/systems/plonk/redshift.cpp | 10 +-- 6 files changed, 61 insertions(+), 87 deletions(-) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp index c4a0ace06..5ecf33de7 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp @@ -43,14 +43,15 @@ namespace nil { namespace crypto3 { namespace zk { namespace snark { - template> class redshift_permutation_argument { using types_policy = detail::redshift_types_policy; - typedef typename CommitmentSchemeType::fri_type fri_type; + typedef typename CommitmentSchemeTypePermutation::fri_type fri_type; static constexpr std::size_t argument_size = 3; @@ -60,13 +61,13 @@ namespace nil { math::polynomial permutation_polynomial; - typename CommitmentSchemeType::merkle_tree_type permutation_poly_commitment; + typename CommitmentSchemeTypePermutation::merkle_tree_type permutation_poly_commitment; }; static inline prover_result_type prove_eval(fiat_shamir_heuristic_updated &transcript, const typename types_policy::template preprocessed_data_type preprocessed_data, - const typename types_policy::template circuit_short_description &short_description, + const typename types_policy::template circuit_short_description &short_description, const std::vector> &columns, typename fri_type::params_type fri_params) { @@ -115,9 +116,9 @@ namespace nil { V_P_interpolation_points.end()); // 4. Compute and add commitment to $V_P$ to $\text{transcript}$. - typename CommitmentSchemeType::merkle_tree_type V_P_tree = - CommitmentSchemeType::commit(V_P, fri_params.D[0]); - typename CommitmentSchemeType::commitment_type V_P_commitment = V_P_tree.root(); + typename CommitmentSchemeTypePermutation::merkle_tree_type V_P_tree = + CommitmentSchemeTypePermutation::commit(V_P, fri_params.D[0]); + typename CommitmentSchemeTypePermutation::commitment_type V_P_commitment = V_P_tree.root(); transcript(V_P_commitment); // 5. Calculate g_perm, h_perm @@ -147,13 +148,13 @@ namespace nil { static inline std::array verify_eval(fiat_shamir_heuristic_updated &transcript, const typename types_policy::template preprocessed_data_type preprocessed_data, - const typename types_policy::template circuit_short_description &short_description, + const typename types_policy::template circuit_short_description &short_description, const typename FieldType::value_type &challenge, // y const std::vector &column_polynomials, // f(y) const typename FieldType::value_type &perm_polynomial, // // V_P(y) const typename FieldType::value_type &perm_polynomial_shifted, // V_P(omega * y) - const typename CommitmentSchemeType::commitment_type &V_P_commitment) { + const typename CommitmentSchemeTypePermutation::commitment_type &V_P_commitment) { const std::vector> &S_sigma = preprocessed_data.permutation_polynomials; const std::vector> &S_id = preprocessed_data.identity_polynomials; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp index a18d9af49..c056280a8 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp @@ -32,40 +32,30 @@ namespace nil { namespace zk { namespace snark { - template + template struct redshift_proof { - typedef CommitmentSchemeType commitment_scheme_type; struct evaluation_proof { - typedef CommitmentSchemeType commitment_scheme_type; - - typename commitment_scheme_type::proof_type witness_proof; + typename CommitmentSchemeTypeWitness::proof_type witness; + typename CommitmentSchemeTypePermutation::proof_type permutation; + typename CommitmentSchemeTypeQuotient::proof_type quotient; }; redshift_proof() { } - std::vector witness_commitments; - - typename CommitmentSchemeType::commitment_type v_perm_commitment; - - std::vector T_commitments; - - std::vector f_lpc_proofs; - - typename CommitmentSchemeType::proof_type P_lpc_proof; - typename CommitmentSchemeType::proof_type Q_lpc_proof; + std::vector witness_commitments; - std::vector T_lpc_proofs; + typename CommitmentSchemeTypePermutation::commitment_type v_perm_commitment; - //std::vector witness_evaluation; + std::vector T_commitments; evaluation_proof eval_proof; bool operator==(const redshift_proof &rhs) const { return witness_commitments == rhs.witness_commitments && T_commitments == rhs.T_commitments && - f_lpc_proofs == rhs.f_lpc_proofs && P_lpc_proof == rhs.P_lpc_proof && - Q_lpc_proof == rhs.Q_lpc_proof && T_lpc_proofs == rhs.T_lpc_proofs && v_perm_commitment == rhs.v_perm_commitment && eval_proof = rhs.eval_proof; } diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 947070226..fd2714961 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -50,7 +50,6 @@ namespace nil { std::size_t witness_columns, std::size_t public_columns, std::size_t lambda, - std::size_t k, std::size_t r, std::size_t m = 2> class redshift_prover { @@ -59,7 +58,15 @@ namespace nil { typedef typename containers::merkle_tree merkle_tree_type; - typedef list_polynomial_commitment_scheme lpc; + constexpr static const std::size_t opening_points_witness = 1; + constexpr static const std::size_t opening_points_v_p = 2; + constexpr static const std::size_t opening_points_t = 1; + constexpr static const std::size_t opening_points_public = 1; + + typedef list_polynomial_commitment_scheme lpc_witness; + typedef list_polynomial_commitment_scheme lpc_permutation; + typedef list_polynomial_commitment_scheme lpc_quotient; + typedef list_polynomial_commitment_scheme lpc_public; constexpr static const std::size_t gate_parts = 1; constexpr static const std::size_t permutation_parts = 3; @@ -99,47 +106,15 @@ namespace nil { return f_splitted; } - /*static inline std::vector - evaluation_proof(typename FieldType::value_type challenge, - const typename types_policy::constraint_system_type &constraint_system - std::vector> polynomials, - std::vector witness_commits, - const typename lpc::fri_type::params_type &fri_params) { - - // witness polynomials (table columns) - for (std::size_t i = 0; i < witness_commits.size(); i++) { - std::vector rotation_gates = {}; - std::vector evaluation_points_gates(rotation_gates.size()); - for (std::size_t i = 0; i < evaluation_points_gates.size(); i++) { - evaluation_points_gates[i] = y * omega.pow(rotation_gates[i]); - } - - lpc::proof_type proof = lpc::proof_eval(evaluation_points_gates, witness_commits, f, transcript, fri_params); - } - - // permutation polynomials - std::vector evaluation_points_permutation = {y, y * omega}; - - lpc::proof_type proof = lpc::proof_eval(evaluation_points_permutation, tree, f, transcript, fri_params); - - // quotient polynomial - std::vector rotation_gates = {}; - std::vector evaluation_points_quotient = {y}; - - lpc::proof_type proof = lpc::proof_eval(evaluation_points_quotient, tree, f, transcript, fri_params); - - return proof; - }*/ - public: - static inline typename types_policy::template proof_type + static inline typename types_policy::template proof_type process(const typename types_policy::template preprocessed_data_type preprocessed_data, typename types_policy::constraint_system_type &constraint_system, const typename types_policy::variable_assignment_type &assignments, - const typename types_policy::template circuit_short_description &short_description, - const typename lpc::fri_type::params_type &fri_params) { + const typename types_policy::template circuit_short_description &short_description, + const typename lpc_witness::fri_type::params_type &fri_params) { // TODO: fri_type are the same for each lpc_type here - typename types_policy::template proof_type proof; + typename types_policy::template proof_type proof; std::vector tanscript_init = {}; fiat_shamir_heuristic_updated transcript(tanscript_init); @@ -154,8 +129,8 @@ namespace nil { preprocessed_data.basic_domain->inverse_fft(tmp); witness_poly[i] = tmp; } - std::array witness_commitments = - lpc::template commit(witness_poly, fri_params.D[0]); + std::array witness_commitments = + lpc_witness::template commit(witness_poly, fri_params.D[0]); proof.witness_commitments.resize(witness_columns); for (std::size_t i = 0; i < witness_columns; i++) { @@ -178,7 +153,7 @@ namespace nil { } // 4. permutation_argument - auto permutation_argument = redshift_permutation_argument::prove_eval( + auto permutation_argument = redshift_permutation_argument::prove_eval( transcript, preprocessed_data, short_description, columns_for_permutation_argument, fri_params); proof.v_perm_commitment = permutation_argument.permutation_poly_commitment.root(); @@ -215,9 +190,9 @@ namespace nil { // 7. Aggregate quotient polynomial math::polynomial T = quotient_polynomial(preprocessed_data, F, transcript); std::vector> T_splitted = split_polynomial(T, fri_params.max_degree); - std::vector T_commitments(T_splitted.size()); + std::vector T_commitments(T_splitted.size()); for (std::size_t i = 0; i < T_splitted.size(); i++) { - T_commitments[i] = lpc::commit(T_splitted[i], fri_params.D[0]); + T_commitments[i] = lpc_quotient::commit(T_splitted[i], fri_params.D[0]); } //transcript(T_commitments); @@ -225,9 +200,10 @@ namespace nil { // 8. Run evaluation proofs typename FieldType::value_type challenge = transcript.template challenge(); - // witness polynomials (table columns) typename FieldType::value_type omega = preprocessed_data.basic_domain->get_domain_element(1); - std::array witnesses_evaluation; + + // witness polynomials (table columns) + std::array witnesses_evaluation; for (std::size_t i = 0; i < witness_commitments.size(); i++) { std::vector rotation_gates = {0}; //TODO: Rotation std::array evaluation_points_gates; //TODO: array size with rotation @@ -235,10 +211,12 @@ namespace nil { evaluation_points_gates[i] = challenge * omega.pow(rotation_gates[i]); } - witnesses_evaluation[i] = lpc::proof_eval(evaluation_points_gates, witness_commitments[i], witness_poly[i], transcript, fri_params); + witnesses_evaluation[i] = lpc_witness::proof_eval(evaluation_points_gates, witness_commitments[i], witness_poly[i], transcript, fri_params); } // permutation polynomial evaluation + std::array evaluation_points_v_p = {challenge, challenge * omega}; + typename lpc_permutation::proof_type v_p_evaluation = lpc_permutation::proof_eval(evaluation_points_v_p, permutation_argument.permutation_poly_commitment, permutation_argument.permutation_polynomial, transcript, fri_params); //lpc::proof_type lpc_proof_witnesses = evaluation_proof(transcript, omega); // std::array fT_evaluation_points = {upsilon}; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp index 3bc165283..4470c8ba7 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp @@ -68,8 +68,10 @@ namespace nil { * serializes/deserializes, and verifies proofs. We only expose some information * about the structure for statistics purposes. */ - template - using proof_type = redshift_proof; + template + using proof_type = redshift_proof; template struct preprocessed_data_type { diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp index e86ab379a..aac0162e7 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp @@ -45,16 +45,19 @@ namespace nil { std::size_t witness_columns, std::size_t public_columns, std::size_t lambda, - std::size_t k, std::size_t r, std::size_t m = 2> class redshift_verifier { using types_policy = detail::redshift_types_policy; - typedef list_polynomial_commitment_scheme< - FieldType, MerkleTreeHashType, TranscriptHashType, lambda, k, r, m> - lpc; + constexpr static const std::size_t opening_points_witness = 1; + constexpr static const std::size_t opening_points_v_p = 2; + constexpr static const std::size_t opening_points_t = 1; + + typedef list_polynomial_commitment_scheme lpc_witness; + typedef list_polynomial_commitment_scheme lpc_permutation; + typedef list_polynomial_commitment_scheme lpc_quotient; constexpr static const std::size_t gate_parts = 1; constexpr static const std::size_t permutation_parts = 3; @@ -63,8 +66,8 @@ namespace nil { public: static inline bool process(//const types_policy::verification_key_type &verification_key, //const types_policy::primary_input_type &primary_input, - const typename types_policy::template proof_type &proof, - const typename types_policy::template circuit_short_description &short_description) { + const typename types_policy::template proof_type &proof, + const typename types_policy::template circuit_short_description &short_description) { //TODO: decsription commitment scheme fiat_shamir_heuristic_updated transcript(std::vector()); diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index 53ad1b5ec..0ca79f3a1 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -133,10 +133,10 @@ BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { typename types_policy::template preprocessed_data_type preprocessed_data = redshift_preprocessor::process(constraint_system, assigments, short_description); - typename types_policy::template proof_type proof = redshift_prover::process( + auto proof = redshift_prover::process( preprocessed_data, constraint_system, assigments, short_description, fri_params); - bool verifier_res = redshift_verifier::process( + bool verifier_res = redshift_verifier::process( proof, short_description); BOOST_CHECK(verifier_res); } @@ -177,8 +177,8 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { fiat_shamir_heuristic_updated prover_transcript(init_blob); fiat_shamir_heuristic_updated verifier_transcript(init_blob); - typename redshift_permutation_argument::prover_result_type prover_res = - redshift_permutation_argument::prove_eval(prover_transcript, preprocessed_data, short_description, + typename redshift_permutation_argument::prover_result_type prover_res = + redshift_permutation_argument::prove_eval(prover_transcript, preprocessed_data, short_description, circuit.column_polynomials, fri_params); // Challenge phase @@ -192,7 +192,7 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { typename FieldType::value_type v_p_at_y_shifted = prover_res.permutation_polynomial.evaluate(circuit.omega * y); std::array verifier_res = - redshift_permutation_argument::verify_eval( + redshift_permutation_argument::verify_eval( verifier_transcript, preprocessed_data, short_description, y, f_at_y, v_p_at_y, v_p_at_y_shifted, prover_res.permutation_poly_commitment.root()); From 16c3a125f06a7dab60751c3409b700e93750d1ff Mon Sep 17 00:00:00 2001 From: nkaskov Date: Tue, 22 Feb 2022 15:37:11 +0300 Subject: [PATCH 173/219] Redshift variable_assignment_type added. #20 --- .../zk/snark/systems/plonk/redshift/types.hpp | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp index 4470c8ba7..745a2fa3d 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp @@ -57,7 +57,19 @@ namespace nil { typedef plonk_constraint_system constraint_system_type; - typedef plonk_variable_assignment variable_assignment_type; + /************************* PLONK variable assignment **************************/ + + struct variable_assignment_type { + + struct private_assignment_type { + std::array, WiresAmount> witness; + } private_assignment; + + struct public_assignment_type { + std::vector> selectors; + std::vector> public_input; + } public_assignment; + }; /*********************************** Proof ***********************************/ From 7c2e3e730a7369fbca995f541a562d9562883f9c Mon Sep 17 00:00:00 2001 From: nkaskov Date: Wed, 23 Feb 2022 18:57:58 +0300 Subject: [PATCH 174/219] Preprocessor updated. #20 --- .../zk/snark/relations/plonk/plonk.hpp | 5 -- .../systems/plonk/redshift/preprocessor.hpp | 77 ++++++++++++++++--- .../zk/snark/systems/plonk/redshift/types.hpp | 19 +++-- 3 files changed, 82 insertions(+), 19 deletions(-) diff --git a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp index d92899339..02baa487e 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp @@ -49,11 +49,6 @@ namespace nil { namespace zk { namespace snark { - /************************* PLONK variable assignment **************************/ - - template - using plonk_variable_assignment = std::array, WiresAmount>; - /************************* PLONK constraint system ****************************/ template diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp index 958c88fd3..82ea5b967 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp @@ -41,9 +41,45 @@ namespace nil { namespace crypto3 { namespace zk { namespace snark { + namespace detail { + + template + math::polynomial + column_polynomial(std::size_t table_size, + const std::vector &column_assignment, + const std::shared_ptr> &domain) { + + std::vector interpolation_points( + column_assignment.size()); + + std::copy(column_assignment.begin(), + column_assignment.end(), interpolation_points.begin()); + + domain->inverse_fft(interpolation_points); + + return interpolation_points; + } + + template + std::vector> + column_range_polynomials(std::size_t table_size, + const types_policy::variable_assignment_type::public_assignment_type::selectors_type &column_range_assignment, + const std::shared_ptr> &domain) { + + std::size_t selectors_amount = column_range_assignment.size(); + std::vector> columns (columns_amount); + + for (std::size_t selector_index = 0; selector_index < columns_amount; selector_index++) { + columns[selector_index] = column_polynomial(table_size, column_range_assignment[selector_index], domain); + } + + return columns; + } + + } // namespace detail template - class redshift_preprocessor { + class redshift_public_preprocessor { using types_policy = detail::redshift_types_policy; static math::polynomial @@ -135,21 +171,17 @@ namespace nil { } template - static inline typename types_policy::template preprocessed_data_type + static inline typename types_policy::template preprocessed_public_data_type process(const typename types_policy::constraint_system_type &constraint_system, - const typename types_policy::variable_assignment_type &assignments, + const typename types_policy::variable_assignment_type::public_assignment_type &public_assignment, typename types_policy::template circuit_short_description &short_description) { - typename types_policy::template preprocessed_data_type data; + typename types_policy::preprocessed_public_data_type data; - std::size_t N_rows = 0; - for (auto &wire_assignments : assignments) { - N_rows = std::max(N_rows, wire_assignments.size()); - } + std::size_t N_rows = constraint_system.rows_amount(); data.basic_domain = math::make_evaluation_domain(N_rows); - data.permutation_polynomials = permutation_polynomials(short_description.columns_with_copy_constraints.size(), short_description.table_rows, data.basic_domain->get_domain_element(1), short_description.delta, short_description.permutation, data.basic_domain); @@ -163,6 +195,8 @@ namespace nil { data.q_last = selector_last(short_description.table_rows, short_description.usable_rows, data.basic_domain); data.q_blind = selector_blind(short_description.table_rows, short_description.usable_rows, data.basic_domain); + data.selectors = detail::column_range_polynomials(short_description.table_rows, public_assignment.selectors, data.basic_domain); + std::vector z_numenator(N_rows + 1); z_numenator[0] = -FieldType::value_type::one(); z_numenator[N_rows] = FieldType::value_type::one(); @@ -184,6 +218,31 @@ namespace nil { return data; } }; + + template + class redshift_private_preprocessor { + using types_policy = detail::redshift_types_policy; + + public: + + template + static inline typename types_policy::template preprocessed_private_data_type + process(const typename types_policy::constraint_system_type &constraint_system, + const typename types_policy::variable_assignment_type::private_assignment_type &private_assignment, + typename types_policy::template circuit_short_description &short_description) { + + typename types_policy::template preprocessed_private_data_type data; + + std::size_t N_rows = constraint_system.rows_amount(); + + data.basic_domain = math::make_evaluation_domain(N_rows); + + data.witnesses = detail::column_range_polynomials(N_rows, private_assignment.witnesses, data.basic_domain); + + return data; + } + }; + } // namespace snark } // namespace zk } // namespace crypto3 diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp index 745a2fa3d..a4ec15ae7 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp @@ -62,12 +62,14 @@ namespace nil { struct variable_assignment_type { struct private_assignment_type { - std::array, WiresAmount> witness; + std::array, WiresAmount> witnesses; } private_assignment; struct public_assignment_type { - std::vector> selectors; - std::vector> public_input; + using selectors_type = std::vector>; + using public_input_type = std::vector>; + selectors_type selectors; + public_input_type public_input; } public_assignment; }; @@ -85,8 +87,7 @@ namespace nil { typename CommitmentSchemeTypeQuotient> using proof_type = redshift_proof; - template - struct preprocessed_data_type { + struct preprocessed_public_data_type { std::shared_ptr> basic_domain; @@ -107,6 +108,14 @@ namespace nil { math::polynomial Z; }; + template + struct preprocessed_private_data_type { + + std::shared_ptr> basic_domain; + + std::array, WitnessColumns> witnesses; + }; + template struct circuit_short_description { std::vector selectors_commits; From 175038c537c6732d0c9757a7c5a72e4da632d3a0 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Thu, 24 Feb 2022 01:23:56 +0200 Subject: [PATCH 175/219] interfaces update #20 --- .../zk/snark/relations/plonk/plonk.hpp | 5 ++-- .../plonk/redshift/permutation_argument.hpp | 4 +-- .../systems/plonk/redshift/preprocessor.hpp | 14 +++++----- .../snark/systems/plonk/redshift/prover.hpp | 26 ++++++++++++------- .../zk/snark/systems/plonk/redshift/types.hpp | 2 +- test/systems/plonk/circuits.hpp | 22 ++++++++++++---- test/systems/plonk/redshift.cpp | 13 +++++++--- 7 files changed, 56 insertions(+), 30 deletions(-) diff --git a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp index 02baa487e..d0fce72df 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp @@ -59,6 +59,7 @@ namespace nil { public: std::vector> gates; + std::size_t rows_amount; plonk_constraint_system() { } @@ -95,7 +96,7 @@ namespace nil { return {}; } - static std::vector> + /*static std::vector> wire_polynomials(const plonk_variable_assignment &full_variable_assignment) { // std::vector> result(gates_data.size()); @@ -138,7 +139,7 @@ namespace nil { // } return wires; - } + }*/ void add_gate(const plonk_gate_unprocessed &g) { gates_data.emplace_back(g); diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp index 5ecf33de7..b71517ad5 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp @@ -66,7 +66,7 @@ namespace nil { static inline prover_result_type prove_eval(fiat_shamir_heuristic_updated &transcript, - const typename types_policy::template preprocessed_data_type preprocessed_data, + const typename types_policy::preprocessed_public_data_type preprocessed_data, const typename types_policy::template circuit_short_description &short_description, const std::vector> &columns, typename fri_type::params_type fri_params) { @@ -147,7 +147,7 @@ namespace nil { static inline std::array verify_eval(fiat_shamir_heuristic_updated &transcript, - const typename types_policy::template preprocessed_data_type preprocessed_data, + const typename types_policy::preprocessed_public_data_type preprocessed_data, const typename types_policy::template circuit_short_description &short_description, const typename FieldType::value_type &challenge, // y const std::vector &column_polynomials, // f(y) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp index 82ea5b967..c2ea4af52 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp @@ -60,16 +60,16 @@ namespace nil { return interpolation_points; } - template + template std::vector> column_range_polynomials(std::size_t table_size, - const types_policy::variable_assignment_type::public_assignment_type::selectors_type &column_range_assignment, + const typename detail::redshift_types_policy::variable_assignment_type::public_assignment_type::selectors_type &column_range_assignment, const std::shared_ptr> &domain) { std::size_t selectors_amount = column_range_assignment.size(); - std::vector> columns (columns_amount); + std::vector> columns (witness_amount + public_amount); - for (std::size_t selector_index = 0; selector_index < columns_amount; selector_index++) { + for (std::size_t selector_index = 0; selector_index < witness_amount + public_amount; selector_index++) { columns[selector_index] = column_polynomial(table_size, column_range_assignment[selector_index], domain); } @@ -171,14 +171,14 @@ namespace nil { } template - static inline typename types_policy::template preprocessed_public_data_type + static inline typename types_policy::preprocessed_public_data_type process(const typename types_policy::constraint_system_type &constraint_system, const typename types_policy::variable_assignment_type::public_assignment_type &public_assignment, typename types_policy::template circuit_short_description &short_description) { typename types_policy::preprocessed_public_data_type data; - std::size_t N_rows = constraint_system.rows_amount(); + std::size_t N_rows = constraint_system.rows_amount; data.basic_domain = math::make_evaluation_domain(N_rows); @@ -195,7 +195,7 @@ namespace nil { data.q_last = selector_last(short_description.table_rows, short_description.usable_rows, data.basic_domain); data.q_blind = selector_blind(short_description.table_rows, short_description.usable_rows, data.basic_domain); - data.selectors = detail::column_range_polynomials(short_description.table_rows, public_assignment.selectors, data.basic_domain); + data.selectors = detail::column_range_polynomials(short_description.table_rows, public_assignment.selectors, data.basic_domain); std::vector z_numenator(N_rows + 1); z_numenator[0] = -FieldType::value_type::one(); diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index fd2714961..3f3d05997 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -73,7 +73,7 @@ namespace nil { constexpr static const std::size_t f_parts = 9; static inline math::polynomial - quotient_polynomial(const typename types_policy::template preprocessed_data_type preprocessed_data, + quotient_polynomial(const typename types_policy::preprocessed_public_data_type preprocessed_data, std::array, f_parts> F, fiat_shamir_heuristic_updated transcript) { // 7.1. Get $\alpha_0, \dots, \alpha_8 \in \mathbb{F}$ from $hash(\text{transcript})$ @@ -108,7 +108,8 @@ namespace nil { public: static inline typename types_policy::template proof_type - process(const typename types_policy::template preprocessed_data_type preprocessed_data, + process(const typename types_policy::preprocessed_public_data_type preprocessed_data_public, + const typename types_policy::template preprocessed_private_data_type preprocessed_data_private, typename types_policy::constraint_system_type &constraint_system, const typename types_policy::variable_assignment_type &assignments, const typename types_policy::template circuit_short_description &short_description, @@ -125,8 +126,8 @@ namespace nil { std::array, witness_columns> witness_poly; for (std::size_t i = 0; i < witness_columns; i++) { std::vector tmp; - std::copy(assignments[i].begin(), assignments[i].end(), std::back_inserter(tmp)); - preprocessed_data.basic_domain->inverse_fft(tmp); + std::copy(assignments.private_assignment.witnesses[i].begin(), assignments.private_assignment.witnesses[i].end(), std::back_inserter(tmp)); + preprocessed_data_public.basic_domain->inverse_fft(tmp); witness_poly[i] = tmp; } std::array witness_commitments = @@ -146,15 +147,15 @@ namespace nil { columns_for_permutation_argument[i] = witness_poly[column_index]; } else { std::vector tmp; - std::copy(assignments[column_index].begin(), assignments[column_index].end(), std::back_inserter(tmp)); - preprocessed_data.basic_domain->inverse_fft(tmp); + std::copy(assignments.public_assignment.public_input[column_index].begin(), assignments.public_assignment.public_input[column_index].end(), std::back_inserter(tmp)); + preprocessed_data_public.basic_domain->inverse_fft(tmp); columns_for_permutation_argument[i] = tmp; } } // 4. permutation_argument auto permutation_argument = redshift_permutation_argument::prove_eval( - transcript, preprocessed_data, short_description, columns_for_permutation_argument, fri_params); + transcript, preprocessed_data_public, short_description, columns_for_permutation_argument, fri_params); proof.v_perm_commitment = permutation_argument.permutation_poly_commitment.root(); @@ -175,8 +176,8 @@ namespace nil { columns_for_gate_argument[i] = witness_poly[i]; } else { std::vector tmp; - std::copy(assignments[i].begin(), assignments[i].end(), std::back_inserter(tmp)); - preprocessed_data.basic_domain->inverse_fft(tmp); + std::copy(assignments.public_assignment.public_input[i].begin(), assignments.public_assignment.public_input[i].end(), std::back_inserter(tmp)); + preprocessed_data_public.basic_domain->inverse_fft(tmp); columns_for_gate_argument[i] = tmp; } } @@ -217,8 +218,13 @@ namespace nil { // permutation polynomial evaluation std::array evaluation_points_v_p = {challenge, challenge * omega}; typename lpc_permutation::proof_type v_p_evaluation = lpc_permutation::proof_eval(evaluation_points_v_p, permutation_argument.permutation_poly_commitment, permutation_argument.permutation_polynomial, transcript, fri_params); - //lpc::proof_type lpc_proof_witnesses = evaluation_proof(transcript, omega); + + std::array evaluation_points_quotient = {challenge}; + std::vector quotient_evaluation(T_splitted.size()); + for (std::size_t i = 0; i < T_splitted.size(); i++) { + quotient_evaluation[i] = lpc_quotient::proof_eval(evaluation_points_quotient, T_commitments[i], T_splitted[i], transcript, fri_params); + } // std::array fT_evaluation_points = {upsilon}; // std::vector f_lpc_proofs(N_wires); diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp index a4ec15ae7..75912f4c5 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp @@ -62,7 +62,7 @@ namespace nil { struct variable_assignment_type { struct private_assignment_type { - std::array, WiresAmount> witnesses; + std::array, WitnessAmount> witnesses; } private_assignment; struct public_assignment_type { diff --git a/test/systems/plonk/circuits.hpp b/test/systems/plonk/circuits.hpp index 013689267..44db87c05 100644 --- a/test/systems/plonk/circuits.hpp +++ b/test/systems/plonk/circuits.hpp @@ -53,6 +53,8 @@ namespace nil { std::size_t usable_rows> class circuit_description { + using types_policy = zk::snark::detail::redshift_types_policy; + public: const std::size_t table_rows = 1 << rows_log; @@ -66,7 +68,7 @@ namespace nil { std::vector> S_id; std::vector> S_sigma; - std::array, witness_columns + public_columns> table; + typename types_policy::variable_assignment_type table; std::vector> column_polynomials; // construct q_last, q_blind @@ -85,14 +87,14 @@ namespace nil { } void init() { - S_id = redshift_preprocessor::identity_polynomials( + S_id = redshift_public_preprocessor::identity_polynomials( permutation_size, table_rows, omega, delta, domain); - S_sigma = redshift_preprocessor::permutation_polynomials( + S_sigma = redshift_public_preprocessor::permutation_polynomials( permutation_size, table_rows, omega, delta, permutation, domain); - q_last = redshift_preprocessor::selector_last( + q_last = redshift_public_preprocessor::selector_last( table_rows, usable_rows, domain); - q_blind = redshift_preprocessor::selector_blind( + q_blind = redshift_public_preprocessor::selector_blind( table_rows, usable_rows, domain); } }; @@ -161,6 +163,16 @@ namespace nil { test_circuit.table = table; + for (std::size_t i = 0; i < witness_columns; i++) { + for (std::size_t j = 0; j < test_circuit.table_rows; j++) { + test_circuit.table.private_assignment.witnesses[i][j] = table[i][j]; + } + } + for (std::size_t i = 0; i < public_columns; i++) { + for (std::size_t j = 0; j < test_circuit.table_rows; j++) { + test_circuit.table.public_assignment.public_input[i][j] = table[witness_columns + i][j]; + } + } test_circuit.init(); diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index 0ca79f3a1..a7e74a2e7 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -120,7 +120,10 @@ BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { typedef list_polynomial_commitment_scheme lpc_type; typename fri_type::params_type fri_params = create_fri_params(table_rows_log); + typename types_policy::constraint_system_type constraint_system; + constraint_system.rows_amount = table_rows; + typename types_policy::variable_assignment_type assigments = circuit.table; types_policy::circuit_short_description short_description; @@ -130,11 +133,15 @@ BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { short_description.delta = circuit.delta; short_description.permutation = circuit.permutation; - typename types_policy::template preprocessed_data_type preprocessed_data = - redshift_preprocessor::process(constraint_system, assigments, short_description); + typename types_policy::preprocessed_public_data_type preprocessed_data_public = + redshift_public_preprocessor::process(constraint_system, assigments.public_assignment, short_description); + + typename types_policy::template preprocessed_private_data_type preprocessed_data_private = + redshift_private_preprocessor::process(constraint_system, assigments.private_assignment, short_description); + auto proof = redshift_prover::process( - preprocessed_data, constraint_system, assigments, short_description, fri_params); + preprocessed_data_public, preprocessed_data_private, constraint_system, assigments, short_description, fri_params); bool verifier_res = redshift_verifier::process( proof, short_description); From 87542b11dd3f72fa83709c9696ab2959fbe11874 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Thu, 24 Feb 2022 11:29:52 +0300 Subject: [PATCH 176/219] Redshift preprocessors updated. #20 --- .../snark/systems/plonk/redshift/params.hpp | 2 ++ .../systems/plonk/redshift/preprocessor.hpp | 25 +++++++++++++---- .../snark/systems/plonk/redshift/prover.hpp | 28 ++++++++----------- .../zk/snark/systems/plonk/redshift/types.hpp | 2 +- test/systems/plonk/redshift.cpp | 6 ++-- 5 files changed, 38 insertions(+), 25 deletions(-) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp index 13a46d9ab..f6199157e 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp @@ -36,6 +36,8 @@ namespace nil { namespace snark { struct redshift_params { + constexpr static const std::size_t witness_amount = 15; + constexpr static const std::size_t lambda = 0; constexpr static const std::size_t k = 0; constexpr static const std::size_t r = 0; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp index c2ea4af52..f217c5317 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp @@ -60,16 +60,31 @@ namespace nil { return interpolation_points; } - template + template + std::vector> + column_range_polynomials(std::size_t table_size, + const std::vector> &column_range_assignment, + const std::shared_ptr> &domain) { + + std::size_t columns_amount = column_range_assignment.size(); + std::vector> columns (columns_amount); + + for (std::size_t selector_index = 0; selector_index < columns_amount; selector_index++) { + columns[selector_index] = column_polynomial(table_size, column_range_assignment[selector_index], domain); + } + + return columns; + } + + template std::vector> column_range_polynomials(std::size_t table_size, - const typename detail::redshift_types_policy::variable_assignment_type::public_assignment_type::selectors_type &column_range_assignment, + const std::array, columns_amount> &column_range_assignment, const std::shared_ptr> &domain) { - std::size_t selectors_amount = column_range_assignment.size(); - std::vector> columns (witness_amount + public_amount); + std::array, columns_amount> columns; - for (std::size_t selector_index = 0; selector_index < witness_amount + public_amount; selector_index++) { + for (std::size_t selector_index = 0; selector_index < columns_amount; selector_index++) { columns[selector_index] = column_polynomial(table_size, column_range_assignment[selector_index], domain); } diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 3f3d05997..cbde3c81f 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -73,7 +73,7 @@ namespace nil { constexpr static const std::size_t f_parts = 9; static inline math::polynomial - quotient_polynomial(const typename types_policy::preprocessed_public_data_type preprocessed_data, + quotient_polynomial(const typename types_policy::preprocessed_public_data_type preprocessed_public_data, std::array, f_parts> F, fiat_shamir_heuristic_updated transcript) { // 7.1. Get $\alpha_0, \dots, \alpha_8 \in \mathbb{F}$ from $hash(\text{transcript})$ @@ -87,7 +87,7 @@ namespace nil { } math::polynomial T_consolidated = - F_consolidated / preprocessed_data.Z; + F_consolidated / preprocessed_public_data.Z; return T_consolidated; } @@ -108,8 +108,8 @@ namespace nil { public: static inline typename types_policy::template proof_type - process(const typename types_policy::preprocessed_public_data_type preprocessed_data_public, - const typename types_policy::template preprocessed_private_data_type preprocessed_data_private, + process(const typename types_policy::preprocessed_public_data_type preprocessed_public_data, + const typename types_policy::template preprocessed_private_data_type preprocessed_private_data, typename types_policy::constraint_system_type &constraint_system, const typename types_policy::variable_assignment_type &assignments, const typename types_policy::template circuit_short_description &short_description, @@ -123,13 +123,9 @@ namespace nil { //transcript(short_description); //TODO: circuit_short_description marshalling // 2. Commit witness columns - std::array, witness_columns> witness_poly; - for (std::size_t i = 0; i < witness_columns; i++) { - std::vector tmp; - std::copy(assignments.private_assignment.witnesses[i].begin(), assignments.private_assignment.witnesses[i].end(), std::back_inserter(tmp)); - preprocessed_data_public.basic_domain->inverse_fft(tmp); - witness_poly[i] = tmp; - } + std::array, witness_columns> witness_poly = + preprocessed_private_data.witnesses; + std::array witness_commitments = lpc_witness::template commit(witness_poly, fri_params.D[0]); @@ -148,14 +144,14 @@ namespace nil { } else { std::vector tmp; std::copy(assignments.public_assignment.public_input[column_index].begin(), assignments.public_assignment.public_input[column_index].end(), std::back_inserter(tmp)); - preprocessed_data_public.basic_domain->inverse_fft(tmp); + preprocessed_public_data.basic_domain->inverse_fft(tmp); columns_for_permutation_argument[i] = tmp; } } // 4. permutation_argument auto permutation_argument = redshift_permutation_argument::prove_eval( - transcript, preprocessed_data_public, short_description, columns_for_permutation_argument, fri_params); + transcript, preprocessed_public_data, short_description, columns_for_permutation_argument, fri_params); proof.v_perm_commitment = permutation_argument.permutation_poly_commitment.root(); @@ -177,7 +173,7 @@ namespace nil { } else { std::vector tmp; std::copy(assignments.public_assignment.public_input[i].begin(), assignments.public_assignment.public_input[i].end(), std::back_inserter(tmp)); - preprocessed_data_public.basic_domain->inverse_fft(tmp); + preprocessed_public_data.basic_domain->inverse_fft(tmp); columns_for_gate_argument[i] = tmp; } } @@ -189,7 +185,7 @@ namespace nil { F[3] = prover_res[0]; // 7. Aggregate quotient polynomial - math::polynomial T = quotient_polynomial(preprocessed_data, F, transcript); + math::polynomial T = quotient_polynomial(preprocessed_public_data, F, transcript); std::vector> T_splitted = split_polynomial(T, fri_params.max_degree); std::vector T_commitments(T_splitted.size()); for (std::size_t i = 0; i < T_splitted.size(); i++) { @@ -201,7 +197,7 @@ namespace nil { // 8. Run evaluation proofs typename FieldType::value_type challenge = transcript.template challenge(); - typename FieldType::value_type omega = preprocessed_data.basic_domain->get_domain_element(1); + typename FieldType::value_type omega = preprocessed_public_data.basic_domain->get_domain_element(1); // witness polynomials (table columns) std::array witnesses_evaluation; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp index 75912f4c5..72ba4ec4f 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp @@ -69,7 +69,7 @@ namespace nil { using selectors_type = std::vector>; using public_input_type = std::vector>; selectors_type selectors; - public_input_type public_input; + // public_input_type public_input; } public_assignment; }; diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index a7e74a2e7..a46ef746d 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -177,15 +177,15 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { short_description.delta = circuit.delta; short_description.permutation = circuit.permutation; - typename types_policy::template preprocessed_data_type preprocessed_data = - redshift_preprocessor::process(constraint_system, assigments, short_description); + typename types_policy::preprocessed_public_data_type preprocessed_public_data = + redshift_public_preprocessor::process(constraint_system, assigments.public_assignment, short_description); std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; fiat_shamir_heuristic_updated prover_transcript(init_blob); fiat_shamir_heuristic_updated verifier_transcript(init_blob); typename redshift_permutation_argument::prover_result_type prover_res = - redshift_permutation_argument::prove_eval(prover_transcript, preprocessed_data, short_description, + redshift_permutation_argument::prove_eval(prover_transcript, preprocessed_public_data, short_description, circuit.column_polynomials, fri_params); // Challenge phase From 65c2247b24ac614b932dcab2f2ce3fa22918d058 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Thu, 24 Feb 2022 12:44:19 +0300 Subject: [PATCH 177/219] Redshift params introduced. #20 --- .../list_polynomial_commitment.hpp | 26 +++--- .../zk/snark/relations/plonk/permutation.hpp | 1 + .../systems/plonk/redshift/gates_argument.hpp | 21 +++-- .../snark/systems/plonk/redshift/params.hpp | 20 ++--- .../plonk/redshift/permutation_argument.hpp | 15 ++-- .../systems/plonk/redshift/preprocessor.hpp | 16 ++-- .../snark/systems/plonk/redshift/prover.hpp | 40 +++++----- .../zk/snark/systems/plonk/redshift/types.hpp | 14 ++-- .../snark/systems/plonk/redshift/verifier.hpp | 30 ++++--- test/commitment/lpc.cpp | 3 +- test/commitment/lpc_performance.cpp | 4 +- test/systems/plonk/circuits.hpp | 25 +++--- test/systems/plonk/redshift.cpp | 80 +++++++++---------- 13 files changed, 162 insertions(+), 133 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index 7e4f93ee0..03b555fe1 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -55,30 +55,30 @@ namespace nil { * */ template struct list_polynomial_commitment_scheme { + + using merkle_hash_type = typename RedshiftParams::merkle_hash_type; + using transcript_hash_type = typename RedshiftParams::transcript_hash_type; + using Endianness = nil::marshalling::option::big_endian; using field_element_type = nil::crypto3::marshalling::types::field_element, FieldType>; - constexpr static const std::size_t lambda = Lambda; + constexpr static const std::size_t lambda = RedshiftParams::lambda; + constexpr static const std::size_t r = RedshiftParams::r; + constexpr static const std::size_t m = RedshiftParams::m; constexpr static const std::size_t k = K; - constexpr static const std::size_t r = R; - constexpr static const std::size_t m = M; typedef FieldType field_type; - typedef typename containers::merkle_tree merkle_tree_type; - typedef typename containers::merkle_proof merkle_proof_type; + typedef typename containers::merkle_tree merkle_tree_type; + typedef typename containers::merkle_proof merkle_proof_type; - typedef fri_commitment_scheme fri_type; + typedef fri_commitment_scheme fri_type; using commitment_type = typename merkle_tree_type::value_type; @@ -130,7 +130,7 @@ namespace nil { static proof_type proof_eval(const std::array &evaluation_points, merkle_tree_type &T, const math::polynomial &g, - fiat_shamir_heuristic_updated &transcript, + fiat_shamir_heuristic_updated &transcript, const typename fri_type::params_type &fri_params) { std::array z; @@ -167,7 +167,7 @@ namespace nil { static bool verify_eval(const std::array &evaluation_points, proof_type &proof, - fiat_shamir_heuristic_updated &transcript, + fiat_shamir_heuristic_updated &transcript, typename fri_type::params_type fri_params) { std::array, k> U_interpolation_points; diff --git a/include/nil/crypto3/zk/snark/relations/plonk/permutation.hpp b/include/nil/crypto3/zk/snark/relations/plonk/permutation.hpp index 030363d39..e954f6a40 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/permutation.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/permutation.hpp @@ -1,6 +1,7 @@ //---------------------------------------------------------------------------// // Copyright (c) 2021 Mikhail Komarov // Copyright (c) 2021 Nikita Kaskov +// Copyright (c) 2022 Ilia Shirobokov // // MIT License // diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp index 681abea7c..8ab34d174 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp @@ -39,6 +39,7 @@ #include #include #include +#include namespace nil { namespace crypto3 { @@ -46,23 +47,27 @@ namespace nil { namespace snark { template, + typename RedshiftParams = redshift_params, std::size_t ArgumentSize = 1> struct redshift_gates_argument; template - struct redshift_gates_argument { - using types_policy = detail::redshift_types_policy; + typename RedshiftParams> + struct redshift_gates_argument { + + constexpr static const std::size_t witness_columns = RedshiftParams::witness_columns; + constexpr static const std::size_t public_columns = RedshiftParams::public_columns; + using merkle_hash_type = typename RedshiftParams::merkle_hash_type; + using transcript_hash_type = typename RedshiftParams::transcript_hash_type; + + using types_policy = detail::redshift_types_policy; constexpr static const std::size_t argument_size = 1; static inline std::array, argument_size> prove_eval(typename types_policy::constraint_system_type &constraint_system, const std::vector> &columns, - fiat_shamir_heuristic_updated &transcript) { + fiat_shamir_heuristic_updated &transcript) { typename FieldType::value_type theta = transcript.template challenge(); @@ -93,7 +98,7 @@ namespace nil { verify_eval(const std::vector> &gates, typename plonk_constraint::evaluation_map &evaluations, typename FieldType::value_type challenge, - fiat_shamir_heuristic_updated &transcript) { + fiat_shamir_heuristic_updated &transcript) { typename FieldType::value_type theta = transcript.template challenge(); std::array F; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp index f6199157e..4bb95140d 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp @@ -1,6 +1,7 @@ //---------------------------------------------------------------------------// -// Copyright (c) 2021 Mikhail Komarov -// Copyright (c) 2021 Nikita Kaskov +// Copyright (c) 2022 Mikhail Komarov +// Copyright (c) 2022 Nikita Kaskov +// Copyright (c) 2022 Ilia Shirobokov // // MIT License // @@ -26,21 +27,20 @@ #ifndef CRYPTO3_ZK_PLONK_REDSHIFT_PARAMS_HPP #define CRYPTO3_ZK_PLONK_REDSHIFT_PARAMS_HPP -#include - -#include - namespace nil { namespace crypto3 { namespace zk { namespace snark { struct redshift_params { - constexpr static const std::size_t witness_amount = 15; + using merkle_hash_type = hashes::keccak_1600<512>; + using transcript_hash_type = hashes::keccak_1600<512>; + + constexpr static const std::size_t witness_columns = 15; + constexpr static const std::size_t public_columns = 15; - constexpr static const std::size_t lambda = 0; - constexpr static const std::size_t k = 0; - constexpr static const std::size_t r = 0; + constexpr static const std::size_t lambda = 40; + constexpr static const std::size_t r = 1; constexpr static const std::size_t m = 2; }; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp index b71517ad5..2d2568336 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp @@ -38,6 +38,7 @@ #include #include +#include namespace nil { namespace crypto3 { @@ -45,11 +46,15 @@ namespace nil { namespace snark { template> + typename RedshiftParams = redshift_params> class redshift_permutation_argument { - using types_policy = detail::redshift_types_policy; + constexpr static const std::size_t witness_columns = RedshiftParams::witness_columns; + constexpr static const std::size_t public_columns = RedshiftParams::public_columns; + using merkle_hash_type = typename RedshiftParams::merkle_hash_type; + using transcript_hash_type = typename RedshiftParams::transcript_hash_type; + + using types_policy = detail::redshift_types_policy; typedef typename CommitmentSchemeTypePermutation::fri_type fri_type; @@ -65,7 +70,7 @@ namespace nil { }; static inline prover_result_type - prove_eval(fiat_shamir_heuristic_updated &transcript, + prove_eval(fiat_shamir_heuristic_updated &transcript, const typename types_policy::preprocessed_public_data_type preprocessed_data, const typename types_policy::template circuit_short_description &short_description, const std::vector> &columns, @@ -146,7 +151,7 @@ namespace nil { } static inline std::array - verify_eval(fiat_shamir_heuristic_updated &transcript, + verify_eval(fiat_shamir_heuristic_updated &transcript, const typename types_policy::preprocessed_public_data_type preprocessed_data, const typename types_policy::template circuit_short_description &short_description, const typename FieldType::value_type &challenge, // y diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp index f217c5317..df3838ebb 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp @@ -77,7 +77,7 @@ namespace nil { } template - std::vector> + std::array, columns_amount> column_range_polynomials(std::size_t table_size, const std::array, columns_amount> &column_range_assignment, const std::shared_ptr> &domain) { @@ -93,9 +93,9 @@ namespace nil { } // namespace detail - template + template class redshift_public_preprocessor { - using types_policy = detail::redshift_types_policy; + using types_policy = detail::redshift_types_policy; static math::polynomial lagrange_polynomial(std::shared_ptr> domain, std::size_t number) { @@ -210,7 +210,7 @@ namespace nil { data.q_last = selector_last(short_description.table_rows, short_description.usable_rows, data.basic_domain); data.q_blind = selector_blind(short_description.table_rows, short_description.usable_rows, data.basic_domain); - data.selectors = detail::column_range_polynomials(short_description.table_rows, public_assignment.selectors, data.basic_domain); + data.selectors = detail::column_range_polynomials(short_description.table_rows, public_assignment.selectors, data.basic_domain); std::vector z_numenator(N_rows + 1); z_numenator[0] = -FieldType::value_type::one(); @@ -234,19 +234,19 @@ namespace nil { } }; - template + template class redshift_private_preprocessor { - using types_policy = detail::redshift_types_policy; + using types_policy = detail::redshift_types_policy; public: template - static inline typename types_policy::template preprocessed_private_data_type + static inline typename types_policy::preprocessed_private_data_type process(const typename types_policy::constraint_system_type &constraint_system, const typename types_policy::variable_assignment_type::private_assignment_type &private_assignment, typename types_policy::template circuit_short_description &short_description) { - typename types_policy::template preprocessed_private_data_type data; + typename types_policy::preprocessed_private_data_type data; std::size_t N_rows = constraint_system.rows_amount(); diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index cbde3c81f..12ab152b0 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -38,6 +38,7 @@ #include #include #include +#include namespace nil { namespace crypto3 { @@ -45,28 +46,31 @@ namespace nil { namespace snark { template + typename RedshiftParams = redshift_params> class redshift_prover { - using types_policy = detail::redshift_types_policy; + constexpr static const std::size_t witness_columns = RedshiftParams::witness_columns; + constexpr static const std::size_t public_columns = RedshiftParams::public_columns; + using merkle_hash_type = typename RedshiftParams::merkle_hash_type; + using transcript_hash_type = typename RedshiftParams::transcript_hash_type; - typedef typename containers::merkle_tree merkle_tree_type; + using types_policy = detail::redshift_types_policy; + + typedef typename containers::merkle_tree merkle_tree_type; + + constexpr static const std::size_t lambda = RedshiftParams::lambda; + constexpr static const std::size_t r = RedshiftParams::r; + constexpr static const std::size_t m = RedshiftParams::m; constexpr static const std::size_t opening_points_witness = 1; constexpr static const std::size_t opening_points_v_p = 2; constexpr static const std::size_t opening_points_t = 1; constexpr static const std::size_t opening_points_public = 1; - typedef list_polynomial_commitment_scheme lpc_witness; - typedef list_polynomial_commitment_scheme lpc_permutation; - typedef list_polynomial_commitment_scheme lpc_quotient; - typedef list_polynomial_commitment_scheme lpc_public; + typedef list_polynomial_commitment_scheme lpc_witness; + typedef list_polynomial_commitment_scheme lpc_permutation; + typedef list_polynomial_commitment_scheme lpc_quotient; + typedef list_polynomial_commitment_scheme lpc_public; constexpr static const std::size_t gate_parts = 1; constexpr static const std::size_t permutation_parts = 3; @@ -75,7 +79,7 @@ namespace nil { static inline math::polynomial quotient_polynomial(const typename types_policy::preprocessed_public_data_type preprocessed_public_data, std::array, f_parts> F, - fiat_shamir_heuristic_updated transcript) { + fiat_shamir_heuristic_updated transcript) { // 7.1. Get $\alpha_0, \dots, \alpha_8 \in \mathbb{F}$ from $hash(\text{transcript})$ std::array alphas = transcript.template challenges(); @@ -109,7 +113,7 @@ namespace nil { public: static inline typename types_policy::template proof_type process(const typename types_policy::preprocessed_public_data_type preprocessed_public_data, - const typename types_policy::template preprocessed_private_data_type preprocessed_private_data, + const typename types_policy::preprocessed_private_data_type preprocessed_private_data, typename types_policy::constraint_system_type &constraint_system, const typename types_policy::variable_assignment_type &assignments, const typename types_policy::template circuit_short_description &short_description, @@ -117,7 +121,7 @@ namespace nil { typename types_policy::template proof_type proof; std::vector tanscript_init = {}; - fiat_shamir_heuristic_updated transcript(tanscript_init); + fiat_shamir_heuristic_updated transcript(tanscript_init); // 1. Add circuit definition to transctipt //transcript(short_description); //TODO: circuit_short_description marshalling @@ -150,7 +154,7 @@ namespace nil { } // 4. permutation_argument - auto permutation_argument = redshift_permutation_argument::prove_eval( + auto permutation_argument = redshift_permutation_argument::prove_eval( transcript, preprocessed_public_data, short_description, columns_for_permutation_argument, fri_params); proof.v_perm_commitment = permutation_argument.permutation_poly_commitment.root(); @@ -179,7 +183,7 @@ namespace nil { } std::array, gate_parts> prover_res = - redshift_gates_argument::prove_eval( + redshift_gates_argument::prove_eval( constraint_system, columns_for_gate_argument, transcript); F[3] = prover_res[0]; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp index 72ba4ec4f..cdad2848f 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp @@ -39,6 +39,7 @@ #include #include #include +#include namespace nil { namespace crypto3 { @@ -46,23 +47,27 @@ namespace nil { namespace snark { namespace detail { - template + template struct redshift_types_policy { + constexpr static const std::size_t witness_columns = RedshiftParams::witness_columns; + constexpr static const std::size_t public_columns = RedshiftParams::public_columns; + /******************************** Params ********************************/ /** * Below are various template aliases (used for convenience). */ - typedef plonk_constraint_system constraint_system_type; + typedef plonk_constraint_system constraint_system_type; /************************* PLONK variable assignment **************************/ struct variable_assignment_type { struct private_assignment_type { - std::array, WitnessAmount> witnesses; + std::array, witness_columns> witnesses; } private_assignment; struct public_assignment_type { @@ -108,12 +113,11 @@ namespace nil { math::polynomial Z; }; - template struct preprocessed_private_data_type { std::shared_ptr> basic_domain; - std::array, WitnessColumns> witnesses; + std::array, witness_columns> witnesses; }; template diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp index aac0162e7..85cab47e3 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp @@ -33,31 +33,35 @@ #include #include #include +#include namespace nil { namespace crypto3 { namespace zk { namespace snark { - template + template class redshift_verifier { - using types_policy = detail::redshift_types_policy; + constexpr static const std::size_t witness_columns = RedshiftParams::witness_columns; + constexpr static const std::size_t public_columns = RedshiftParams::public_columns; + using merkle_hash_type = typename RedshiftParams::merkle_hash_type; + using transcript_hash_type = typename RedshiftParams::transcript_hash_type; + + using types_policy = detail::redshift_types_policy; + + constexpr static const std::size_t lambda = RedshiftParams::lambda; + constexpr static const std::size_t r = RedshiftParams::r; + constexpr static const std::size_t m = RedshiftParams::m; constexpr static const std::size_t opening_points_witness = 1; constexpr static const std::size_t opening_points_v_p = 2; constexpr static const std::size_t opening_points_t = 1; - typedef list_polynomial_commitment_scheme lpc_witness; - typedef list_polynomial_commitment_scheme lpc_permutation; - typedef list_polynomial_commitment_scheme lpc_quotient; + typedef list_polynomial_commitment_scheme lpc_witness; + typedef list_polynomial_commitment_scheme lpc_permutation; + typedef list_polynomial_commitment_scheme lpc_quotient; constexpr static const std::size_t gate_parts = 1; constexpr static const std::size_t permutation_parts = 3; @@ -69,7 +73,7 @@ namespace nil { const typename types_policy::template proof_type &proof, const typename types_policy::template circuit_short_description &short_description) { //TODO: decsription commitment scheme - fiat_shamir_heuristic_updated transcript(std::vector()); + fiat_shamir_heuristic_updated transcript(std::vector()); // 1. Add circuit definition to transctipt //transcript(short_description); diff --git a/test/commitment/lpc.cpp b/test/commitment/lpc.cpp index e90ed5de5..414671e86 100644 --- a/test/commitment/lpc.cpp +++ b/test/commitment/lpc.cpp @@ -44,6 +44,7 @@ #include #include +#include using namespace nil::crypto3; using namespace nil::crypto3::zk::snark; @@ -71,7 +72,7 @@ BOOST_AUTO_TEST_CASE(lpc_basic_test) { constexpr static const std::size_t m = 2; typedef zk::snark::fri_commitment_scheme fri_type; - typedef zk::snark::list_polynomial_commitment_scheme lpc_type; + typedef zk::snark::list_polynomial_commitment_scheme lpc_type; typedef typename lpc_type::proof_type proof_type; constexpr static const std::size_t d_extended = d; diff --git a/test/commitment/lpc_performance.cpp b/test/commitment/lpc_performance.cpp index 1395b6191..97914c42c 100644 --- a/test/commitment/lpc_performance.cpp +++ b/test/commitment/lpc_performance.cpp @@ -1,6 +1,7 @@ //---------------------------------------------------------------------------// // Copyright (c) 2021 Mikhail Komarov // Copyright (c) 2021 Nikita Kaskov +// Copyright (c) 2022 Ilia Shirobokov // // MIT License // @@ -43,6 +44,7 @@ #include #include +#include using namespace nil::crypto3; using namespace nil::crypto3::zk::snark; @@ -110,7 +112,7 @@ BOOST_AUTO_TEST_CASE(lpc_performance_test) { constexpr static const std::size_t m = 2; typedef zk::snark::fri_commitment_scheme fri_type; - typedef zk::snark::list_polynomial_commitment_scheme lpc_type; + typedef zk::snark::list_polynomial_commitment_scheme lpc_type; typedef typename lpc_type::proof_type proof_type; constexpr static const std::size_t d_extended = d; diff --git a/test/systems/plonk/circuits.hpp b/test/systems/plonk/circuits.hpp index 44db87c05..4971024fc 100644 --- a/test/systems/plonk/circuits.hpp +++ b/test/systems/plonk/circuits.hpp @@ -1,6 +1,6 @@ //---------------------------------------------------------------------------// -// Copyright (c) 2021 Mikhail Komarov -// Copyright (c) 2021 Nikita Kaskov +// Copyright (c) 2022 Mikhail Komarov +// Copyright (c) 2022 Nikita Kaskov // Copyright (c) 2022 Ilia Shirobokov // // MIT License @@ -45,15 +45,18 @@ namespace nil { namespace crypto3 { namespace zk { namespace snark { - template class circuit_description { - using types_policy = zk::snark::detail::redshift_types_policy; + using types_policy = zk::snark::detail::redshift_types_policy; + constexpr static const std::size_t witness_columns = RedshiftParams::witness_columns; + constexpr static const std::size_t public_columns = RedshiftParams::public_columns; + using merkle_hash_type = typename RedshiftParams::merkle_hash_type; + using transcript_hash_type = typename RedshiftParams::transcript_hash_type; public: const std::size_t table_rows = 1 << rows_log; @@ -87,14 +90,14 @@ namespace nil { } void init() { - S_id = redshift_public_preprocessor::identity_polynomials( + S_id = redshift_public_preprocessor::identity_polynomials( permutation_size, table_rows, omega, delta, domain); - S_sigma = redshift_public_preprocessor::permutation_polynomials( + S_sigma = redshift_public_preprocessor::permutation_polynomials( permutation_size, table_rows, omega, delta, permutation, domain); - q_last = redshift_public_preprocessor::selector_last( + q_last = redshift_public_preprocessor::selector_last( table_rows, usable_rows, domain); - q_blind = redshift_public_preprocessor::selector_blind( + q_blind = redshift_public_preprocessor::selector_blind( table_rows, usable_rows, domain); } }; diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index a46ef746d..4d4e77ea9 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -1,6 +1,6 @@ //---------------------------------------------------------------------------// -// Copyright (c) 2021 Mikhail Komarov -// Copyright (c) 2021 Nikita Kaskov +// Copyright (c) 2022 Mikhail Komarov +// Copyright (c) 2022 Nikita Kaskov // Copyright (c) 2022 Ilia Shirobokov // // MIT License @@ -94,30 +94,40 @@ BOOST_AUTO_TEST_SUITE(redshift_prover_test_suite) using curve_type = algebra::curves::bls12<381>; using FieldType = typename curve_type::scalar_field_type; -typedef hashes::keccak_1600<512> merkle_hash_type; -typedef hashes::keccak_1600<512> transcript_hash_type; // lpc params -constexpr std::size_t m = 2; -constexpr static const std::size_t lambda = 40; +constexpr static const std::size_t m = 2; constexpr static const std::size_t k = 1; -typedef fri_commitment_scheme fri_type; +constexpr static const std::size_t table_rows_log = 4; +constexpr static const std::size_t table_rows = 1 << table_rows_log; +constexpr static const std::size_t permutation_size = 4; +constexpr static const std::size_t usable_rows = 1 << table_rows_log; -BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { - const std::size_t table_rows_log = 4; - const std::size_t table_rows = 1 << table_rows_log; - const std::size_t witness_columns = 3; - const std::size_t public_columns = 1; - const std::size_t table_columns = witness_columns + public_columns; - const std::size_t permutation_size = 4; - const std::size_t usable_rows = 1 << table_rows_log; - circuit_description circuit = circuit_test_2(); +struct redshift_test_params { + using merkle_hash_type = hashes::keccak_1600<512>; + using transcript_hash_type = hashes::keccak_1600<512>; - using types_policy = zk::snark::detail::redshift_types_policy; + constexpr static const std::size_t witness_columns = 3; + constexpr static const std::size_t public_columns = 1; + constexpr static const std::size_t lambda = 40; constexpr static const std::size_t r = table_rows_log - 1; - typedef list_polynomial_commitment_scheme lpc_type; + constexpr static const std::size_t m = 2; +}; + +constexpr static const std::size_t table_columns = redshift_test_params::witness_columns + redshift_test_params::public_columns; + +typedef fri_commitment_scheme fri_type; + +BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { + + circuit_description circuit = circuit_test_2(); + + using types_policy = zk::snark::detail::redshift_types_policy; + + typedef list_polynomial_commitment_scheme lpc_type; typename fri_type::params_type fri_params = create_fri_params(table_rows_log); @@ -140,30 +150,25 @@ BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { redshift_private_preprocessor::process(constraint_system, assigments.private_assignment, short_description); - auto proof = redshift_prover::process( + auto proof = redshift_prover::process( preprocessed_data_public, preprocessed_data_private, constraint_system, assigments, short_description, fri_params); - bool verifier_res = redshift_verifier::process( + bool verifier_res = redshift_verifier::process( proof, short_description); BOOST_CHECK(verifier_res); } BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { - const std::size_t table_rows_log = 4; - const std::size_t table_rows = 1 << table_rows_log; - const std::size_t witness_columns = 3; - const std::size_t public_columns = 1; - const std::size_t table_columns = witness_columns + public_columns; - const std::size_t permutation_size = 4; - const std::size_t usable_rows = 1 << table_rows_log; - circuit_description circuit = circuit_test_2(); + + circuit_description circuit = circuit_test_2(); constexpr std::size_t argument_size = 3; - using types_policy = zk::snark::detail::redshift_types_policy; + using types_policy = zk::snark::detail::redshift_types_policy; constexpr static const std::size_t r = table_rows_log - 1; - typedef list_polynomial_commitment_scheme lpc_type; + typedef list_polynomial_commitment_scheme lpc_type; typename fri_type::params_type fri_params = create_fri_params(table_rows_log); @@ -221,19 +226,14 @@ BOOST_AUTO_TEST_CASE(redshift_lookup_argument_test) { } BOOST_AUTO_TEST_CASE(redshift_gate_argument_test) { - const std::size_t table_rows_log = 4; - const std::size_t table_rows = 1 << table_rows_log; - const std::size_t witness_columns = 3; - const std::size_t public_columns = 1; - const std::size_t table_columns = witness_columns + public_columns; - const std::size_t permutation_size = 4; - const std::size_t usable_rows = 1 << table_rows_log; - circuit_description circuit = circuit_test_2(); - using types_policy = zk::snark::detail::redshift_types_policy; + circuit_description circuit = circuit_test_2(); + + using types_policy = zk::snark::detail::redshift_types_policy; constexpr static const std::size_t r = table_rows_log - 1; - typedef list_polynomial_commitment_scheme lpc_type; + typedef list_polynomial_commitment_scheme lpc_type; typename fri_type::params_type fri_params = create_fri_params(table_rows_log); From 423d832178cc8f92ba3ceaac5edf36d12f8415a3 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Thu, 24 Feb 2022 13:42:00 +0300 Subject: [PATCH 178/219] LPC params introduced. #20 --- .../list_polynomial_commitment.hpp | 21 +++++++++++++------ .../snark/systems/plonk/redshift/params.hpp | 8 +++---- .../snark/systems/plonk/redshift/prover.hpp | 18 ++++++++-------- .../snark/systems/plonk/redshift/verifier.hpp | 16 +++++++------- 4 files changed, 35 insertions(+), 28 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index 03b555fe1..c47a5164f 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -41,6 +41,15 @@ namespace nil { namespace zk { namespace snark { + struct list_polynomial_commitment_params { + using merkle_hash_type = hashes::keccak_1600<512>; + using transcript_hash_type = hashes::keccak_1600<512>; + + constexpr static const std::size_t lambda = 40; + constexpr static const std::size_t r = 1; + constexpr static const std::size_t m = 2; + }; + /** * @brief Based on the FRI Commitment description from \[ResShift]. * @tparam d ... @@ -55,22 +64,22 @@ namespace nil { * */ template struct list_polynomial_commitment_scheme { - using merkle_hash_type = typename RedshiftParams::merkle_hash_type; - using transcript_hash_type = typename RedshiftParams::transcript_hash_type; + using merkle_hash_type = typename LPCParams::merkle_hash_type; + using transcript_hash_type = typename LPCParams::transcript_hash_type; using Endianness = nil::marshalling::option::big_endian; using field_element_type = nil::crypto3::marshalling::types::field_element, FieldType>; - constexpr static const std::size_t lambda = RedshiftParams::lambda; - constexpr static const std::size_t r = RedshiftParams::r; - constexpr static const std::size_t m = RedshiftParams::m; + constexpr static const std::size_t lambda = LPCParams::lambda; + constexpr static const std::size_t r = LPCParams::r; + constexpr static const std::size_t m = LPCParams::m; constexpr static const std::size_t k = K; typedef FieldType field_type; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp index 4bb95140d..b95af9228 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp @@ -27,21 +27,19 @@ #ifndef CRYPTO3_ZK_PLONK_REDSHIFT_PARAMS_HPP #define CRYPTO3_ZK_PLONK_REDSHIFT_PARAMS_HPP +#include + namespace nil { namespace crypto3 { namespace zk { namespace snark { struct redshift_params { - using merkle_hash_type = hashes::keccak_1600<512>; - using transcript_hash_type = hashes::keccak_1600<512>; constexpr static const std::size_t witness_columns = 15; constexpr static const std::size_t public_columns = 15; - constexpr static const std::size_t lambda = 40; - constexpr static const std::size_t r = 1; - constexpr static const std::size_t m = 2; + using lpc_params = list_polynomial_commitment_params; }; } // namespace snark diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 12ab152b0..e7bbf90bc 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -51,26 +51,26 @@ namespace nil { constexpr static const std::size_t witness_columns = RedshiftParams::witness_columns; constexpr static const std::size_t public_columns = RedshiftParams::public_columns; - using merkle_hash_type = typename RedshiftParams::merkle_hash_type; - using transcript_hash_type = typename RedshiftParams::transcript_hash_type; + using merkle_hash_type = typename RedshiftParams::lpc_params::merkle_hash_type; + using transcript_hash_type = typename RedshiftParams::lpc_params::transcript_hash_type; using types_policy = detail::redshift_types_policy; typedef typename containers::merkle_tree merkle_tree_type; - constexpr static const std::size_t lambda = RedshiftParams::lambda; - constexpr static const std::size_t r = RedshiftParams::r; - constexpr static const std::size_t m = RedshiftParams::m; + constexpr static const std::size_t lambda = RedshiftParams::lpc_params::lambda; + constexpr static const std::size_t r = RedshiftParams::lpc_params::r; + constexpr static const std::size_t m = RedshiftParams::lpc_params::m; constexpr static const std::size_t opening_points_witness = 1; constexpr static const std::size_t opening_points_v_p = 2; constexpr static const std::size_t opening_points_t = 1; constexpr static const std::size_t opening_points_public = 1; - typedef list_polynomial_commitment_scheme lpc_witness; - typedef list_polynomial_commitment_scheme lpc_permutation; - typedef list_polynomial_commitment_scheme lpc_quotient; - typedef list_polynomial_commitment_scheme lpc_public; + typedef list_polynomial_commitment_scheme lpc_witness; + typedef list_polynomial_commitment_scheme lpc_permutation; + typedef list_polynomial_commitment_scheme lpc_quotient; + typedef list_polynomial_commitment_scheme lpc_public; constexpr static const std::size_t gate_parts = 1; constexpr static const std::size_t permutation_parts = 3; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp index 85cab47e3..c4034690e 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp @@ -46,22 +46,22 @@ namespace nil { constexpr static const std::size_t witness_columns = RedshiftParams::witness_columns; constexpr static const std::size_t public_columns = RedshiftParams::public_columns; - using merkle_hash_type = typename RedshiftParams::merkle_hash_type; - using transcript_hash_type = typename RedshiftParams::transcript_hash_type; + using merkle_hash_type = typename RedshiftParams::lpc_params::merkle_hash_type; + using transcript_hash_type = typename RedshiftParams::lpc_params::transcript_hash_type; using types_policy = detail::redshift_types_policy; - constexpr static const std::size_t lambda = RedshiftParams::lambda; - constexpr static const std::size_t r = RedshiftParams::r; - constexpr static const std::size_t m = RedshiftParams::m; + constexpr static const std::size_t lambda = RedshiftParams::lpc_params::lambda; + constexpr static const std::size_t r = RedshiftParams::lpc_params::r; + constexpr static const std::size_t m = RedshiftParams::lpc_params::m; constexpr static const std::size_t opening_points_witness = 1; constexpr static const std::size_t opening_points_v_p = 2; constexpr static const std::size_t opening_points_t = 1; - typedef list_polynomial_commitment_scheme lpc_witness; - typedef list_polynomial_commitment_scheme lpc_permutation; - typedef list_polynomial_commitment_scheme lpc_quotient; + typedef list_polynomial_commitment_scheme lpc_witness; + typedef list_polynomial_commitment_scheme lpc_permutation; + typedef list_polynomial_commitment_scheme lpc_quotient; constexpr static const std::size_t gate_parts = 1; constexpr static const std::size_t permutation_parts = 3; From 7a8cc5102ebea792392e9e66591f496dfa90e60a Mon Sep 17 00:00:00 2001 From: nkaskov Date: Thu, 24 Feb 2022 15:01:37 +0300 Subject: [PATCH 179/219] Redshift params updated. #20 --- .../commitments/list_polynomial_commitment.hpp | 15 ++++++++++----- .../zk/snark/systems/plonk/redshift/params.hpp | 13 ++++++++++--- 2 files changed, 20 insertions(+), 8 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index c47a5164f..a7168b250 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -41,13 +41,18 @@ namespace nil { namespace zk { namespace snark { + template , + typename TranscriptHashType = hashes::keccak_1600<512>, + std::size_t Lambda = 40, + std::size_t R = 1, + std::size_t M = 2> struct list_polynomial_commitment_params { - using merkle_hash_type = hashes::keccak_1600<512>; - using transcript_hash_type = hashes::keccak_1600<512>; + using merkle_hash_type = MerkleTreeHashType; + using transcript_hash_type = TranscriptHashType; - constexpr static const std::size_t lambda = 40; - constexpr static const std::size_t r = 1; - constexpr static const std::size_t m = 2; + constexpr static const std::size_t lambda = Lambda; + constexpr static const std::size_t r = R; + constexpr static const std::size_t m = M; }; /** diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp index b95af9228..6ad045efd 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp @@ -34,12 +34,19 @@ namespace nil { namespace zk { namespace snark { + template , + typename TranscriptHashType = hashes::keccak_1600<512>, + std::size_t Lambda = 40, + std::size_t R = 1, + std::size_t M = 2> struct redshift_params { - constexpr static const std::size_t witness_columns = 15; - constexpr static const std::size_t public_columns = 15; + constexpr static const std::size_t witness_columns = WitnessColumns; + constexpr static const std::size_t public_columns = PublicColumns; - using lpc_params = list_polynomial_commitment_params; + using lpc_params = list_polynomial_commitment_params; }; } // namespace snark From 28d0abeb56763672e7f841eac767eee1157b17e0 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Thu, 24 Feb 2022 22:48:15 +0200 Subject: [PATCH 180/219] update interfaces #20 --- .../list_polynomial_commitment.hpp | 3 +- .../systems/plonk/redshift/gates_argument.hpp | 2 +- .../snark/systems/plonk/redshift/params.hpp | 3 + .../plonk/redshift/permutation_argument.hpp | 2 +- .../systems/plonk/redshift/preprocessor.hpp | 2 +- .../snark/systems/plonk/redshift/prover.hpp | 2 +- .../zk/snark/systems/plonk/redshift/types.hpp | 6 +- .../snark/systems/plonk/redshift/verifier.hpp | 2 +- test/commitment/lpc.cpp | 4 +- test/systems/plonk/circuits.hpp | 20 ++++-- test/systems/plonk/redshift.cpp | 66 +++++++++++-------- 11 files changed, 67 insertions(+), 45 deletions(-) diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp index a7168b250..eb53b66cc 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp @@ -70,8 +70,7 @@ namespace nil { */ template + std::size_t K = 1> struct list_polynomial_commitment_scheme { using merkle_hash_type = typename LPCParams::merkle_hash_type; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp index 8ab34d174..341ab03ff 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp @@ -47,7 +47,7 @@ namespace nil { namespace snark { template struct redshift_gates_argument; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp index 6ad045efd..38f8b433e 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp @@ -43,6 +43,9 @@ namespace nil { std::size_t M = 2> struct redshift_params { + typedef MerkleTreeHashType merkle_hash_type; + typedef TranscriptHashType transcript_hash_type; + constexpr static const std::size_t witness_columns = WitnessColumns; constexpr static const std::size_t public_columns = PublicColumns; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp index 2d2568336..8b45bfddc 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp @@ -46,7 +46,7 @@ namespace nil { namespace snark { template + typename RedshiftParams> class redshift_permutation_argument { constexpr static const std::size_t witness_columns = RedshiftParams::witness_columns; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp index df3838ebb..a23a2e2f7 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp @@ -248,7 +248,7 @@ namespace nil { typename types_policy::preprocessed_private_data_type data; - std::size_t N_rows = constraint_system.rows_amount(); + std::size_t N_rows = constraint_system.rows_amount; data.basic_domain = math::make_evaluation_domain(N_rows); diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index e7bbf90bc..4ec566637 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -46,7 +46,7 @@ namespace nil { namespace snark { template + typename RedshiftParams> class redshift_prover { constexpr static const std::size_t witness_columns = RedshiftParams::witness_columns; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp index cdad2848f..a878607d8 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp @@ -48,7 +48,7 @@ namespace nil { namespace detail { template + typename RedshiftParams> struct redshift_types_policy { constexpr static const std::size_t witness_columns = RedshiftParams::witness_columns; @@ -72,9 +72,9 @@ namespace nil { struct public_assignment_type { using selectors_type = std::vector>; - using public_input_type = std::vector>; + using public_input_type = std::array, public_columns>; selectors_type selectors; - // public_input_type public_input; + public_input_type public_input; } public_assignment; }; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp index c4034690e..2b458f1f5 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp @@ -41,7 +41,7 @@ namespace nil { namespace snark { template + typename RedshiftParams> class redshift_verifier { constexpr static const std::size_t witness_columns = RedshiftParams::witness_columns; diff --git a/test/commitment/lpc.cpp b/test/commitment/lpc.cpp index 414671e86..197ec7f76 100644 --- a/test/commitment/lpc.cpp +++ b/test/commitment/lpc.cpp @@ -72,7 +72,9 @@ BOOST_AUTO_TEST_CASE(lpc_basic_test) { constexpr static const std::size_t m = 2; typedef zk::snark::fri_commitment_scheme fri_type; - typedef zk::snark::list_polynomial_commitment_scheme lpc_type; + + typedef list_polynomial_commitment_params lpc_params_type; + typedef zk::snark::list_polynomial_commitment_scheme lpc_type; typedef typename lpc_type::proof_type proof_type; constexpr static const std::size_t d_extended = d; diff --git a/test/systems/plonk/circuits.hpp b/test/systems/plonk/circuits.hpp index 4971024fc..73732b5ae 100644 --- a/test/systems/plonk/circuits.hpp +++ b/test/systems/plonk/circuits.hpp @@ -40,6 +40,7 @@ #include #include #include +#include namespace nil { namespace crypto3 { @@ -114,8 +115,9 @@ namespace nil { // ADD: x + y = z // MUL: x * y = z //---------------------------------------------------------------------------// + typedef redshift_params<3, 0> circuit_1_params; template - circuit_description circuit_test_1() { + circuit_description circuit_test_1() { constexpr static const std::size_t rows_log = 4; constexpr static const std::size_t table_columns = 3; constexpr static const std::size_t witness_columns = 3; @@ -123,7 +125,7 @@ namespace nil { constexpr static const std::size_t permutation = 3; constexpr static const std::size_t usable = 1 << rows_log; - circuit_description test_circuit; + circuit_description test_circuit; test_circuit.column_polynomials.resize(witness_columns + public_columns); std::array, table_columns> table; @@ -219,8 +221,9 @@ namespace nil { // ADD: x + y = z, copy(prev(z), y) // MUL: x * y = z, copy(p1, y) //---------------------------------------------------------------------------// + typedef redshift_params<3, 1> circuit_2_params; template - circuit_description circuit_test_2() { + circuit_description circuit_test_2() { constexpr static const std::size_t rows_log = 4; constexpr static const std::size_t table_columns = 4; constexpr static const std::size_t witness_columns = 3; @@ -228,7 +231,7 @@ namespace nil { constexpr static const std::size_t permutation = 4; constexpr static const std::size_t usable = 1 << rows_log; - circuit_description test_circuit; + circuit_description test_circuit; test_circuit.column_polynomials.resize(witness_columns + public_columns); std::array, table_columns> table; @@ -276,8 +279,13 @@ namespace nil { test_circuit.column_polynomials[i] = math::polynomial(table[i]); } - - test_circuit.table = table; + for (std::size_t i = 0; i < witness_columns; i++) { + test_circuit.table.private_assignment.witnesses[i] = table[i]; + } + for (std::size_t i = 0; i < public_columns; i++) { + test_circuit.table.public_assignment.public_input[i] = table[witness_columns + i]; + } + test_circuit.init(); diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index 4d4e77ea9..6e14a16a4 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -120,14 +120,16 @@ constexpr static const std::size_t table_columns = redshift_test_params::witnes typedef fri_commitment_scheme fri_type; +typedef redshift_params<3, 1> circuit_2_params; + BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { - circuit_description circuit = circuit_test_2(); - using types_policy = zk::snark::detail::redshift_types_policy; + using types_policy = zk::snark::detail::redshift_types_policy; - typedef list_polynomial_commitment_scheme lpc_type; + typedef list_polynomial_commitment_scheme lpc_type; typename fri_type::params_type fri_params = create_fri_params(table_rows_log); @@ -144,35 +146,36 @@ BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { short_description.permutation = circuit.permutation; typename types_policy::preprocessed_public_data_type preprocessed_data_public = - redshift_public_preprocessor::process(constraint_system, assigments.public_assignment, short_description); + redshift_public_preprocessor::process(constraint_system, assigments.public_assignment, short_description); - typename types_policy::template preprocessed_private_data_type preprocessed_data_private = - redshift_private_preprocessor::process(constraint_system, assigments.private_assignment, short_description); + typename types_policy::preprocessed_private_data_type preprocessed_data_private = + redshift_private_preprocessor::process(constraint_system, assigments.private_assignment, short_description); - auto proof = redshift_prover::process( + auto proof = redshift_prover::process( preprocessed_data_public, preprocessed_data_private, constraint_system, assigments, short_description, fri_params); - bool verifier_res = redshift_verifier::process( + bool verifier_res = redshift_verifier::process( proof, short_description); BOOST_CHECK(verifier_res); } BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { - circuit_description circuit = circuit_test_2(); constexpr std::size_t argument_size = 3; - using types_policy = zk::snark::detail::redshift_types_policy; + using types_policy = zk::snark::detail::redshift_types_policy; constexpr static const std::size_t r = table_rows_log - 1; - typedef list_polynomial_commitment_scheme lpc_type; + typedef list_polynomial_commitment_scheme lpc_type; typename fri_type::params_type fri_params = create_fri_params(table_rows_log); typename types_policy::constraint_system_type constraint_system; + constraint_system.rows_amount = table_rows; typename types_policy::variable_assignment_type assigments = circuit.table; types_policy::circuit_short_description short_description; @@ -182,15 +185,18 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { short_description.delta = circuit.delta; short_description.permutation = circuit.permutation; - typename types_policy::preprocessed_public_data_type preprocessed_public_data = - redshift_public_preprocessor::process(constraint_system, assigments.public_assignment, short_description); + typename types_policy::preprocessed_public_data_type preprocessed_data_public = + redshift_public_preprocessor::process(constraint_system, assigments.public_assignment, short_description); + + typename types_policy::preprocessed_private_data_type preprocessed_data_private = + redshift_private_preprocessor::process(constraint_system, assigments.private_assignment, short_description); std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; - fiat_shamir_heuristic_updated prover_transcript(init_blob); - fiat_shamir_heuristic_updated verifier_transcript(init_blob); + fiat_shamir_heuristic_updated prover_transcript(init_blob); + fiat_shamir_heuristic_updated verifier_transcript(init_blob); - typename redshift_permutation_argument::prover_result_type prover_res = - redshift_permutation_argument::prove_eval(prover_transcript, preprocessed_public_data, short_description, + typename redshift_permutation_argument::prover_result_type prover_res = + redshift_permutation_argument::prove_eval(prover_transcript, preprocessed_data_public, short_description, circuit.column_polynomials, fri_params); // Challenge phase @@ -204,8 +210,8 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { typename FieldType::value_type v_p_at_y_shifted = prover_res.permutation_polynomial.evaluate(circuit.omega * y); std::array verifier_res = - redshift_permutation_argument::verify_eval( - verifier_transcript, preprocessed_data, short_description, y, f_at_y, v_p_at_y, v_p_at_y_shifted, + redshift_permutation_argument::verify_eval( + verifier_transcript, preprocessed_data_public, short_description, y, f_at_y, v_p_at_y, v_p_at_y_shifted, prover_res.permutation_poly_commitment.root()); typename FieldType::value_type verifier_next_challenge = verifier_transcript.template challenge(); @@ -227,17 +233,18 @@ BOOST_AUTO_TEST_CASE(redshift_lookup_argument_test) { BOOST_AUTO_TEST_CASE(redshift_gate_argument_test) { - circuit_description circuit = circuit_test_2(); - using types_policy = zk::snark::detail::redshift_types_policy; + using types_policy = zk::snark::detail::redshift_types_policy; constexpr static const std::size_t r = table_rows_log - 1; - typedef list_polynomial_commitment_scheme lpc_type; + typedef list_polynomial_commitment_scheme lpc_type; typename fri_type::params_type fri_params = create_fri_params(table_rows_log); typename types_policy::constraint_system_type constraint_system; + constraint_system.rows_amount = table_rows; constraint_system.gates = circuit.gates; typename types_policy::variable_assignment_type assigments = circuit.table; @@ -248,15 +255,18 @@ BOOST_AUTO_TEST_CASE(redshift_gate_argument_test) { short_description.delta = circuit.delta; short_description.permutation = circuit.permutation; - typename types_policy::template preprocessed_data_type preprocessed_data = - redshift_preprocessor::process(constraint_system, assigments, short_description); + typename types_policy::preprocessed_public_data_type preprocessed_data_public = + redshift_public_preprocessor::process(constraint_system, assigments.public_assignment, short_description); + + typename types_policy::preprocessed_private_data_type preprocessed_data_private = + redshift_private_preprocessor::process(constraint_system, assigments.private_assignment, short_description); std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; - fiat_shamir_heuristic_updated prover_transcript(init_blob); - fiat_shamir_heuristic_updated verifier_transcript(init_blob); + fiat_shamir_heuristic_updated prover_transcript(init_blob); + fiat_shamir_heuristic_updated verifier_transcript(init_blob); std::array, 1> prover_res = - redshift_gates_argument::prove_eval(constraint_system, circuit.column_polynomials, prover_transcript); + redshift_gates_argument::prove_eval(constraint_system, circuit.column_polynomials, prover_transcript); // Challenge phase typename FieldType::value_type y = algebra::random_element(); @@ -268,7 +278,7 @@ BOOST_AUTO_TEST_CASE(redshift_gate_argument_test) { } std::array verifier_res = - redshift_gates_argument::verify_eval(circuit.gates, columns_at_y, y, verifier_transcript); + redshift_gates_argument::verify_eval(circuit.gates, columns_at_y, y, verifier_transcript); typename FieldType::value_type verifier_next_challenge = verifier_transcript.template challenge(); typename FieldType::value_type prover_next_challenge = prover_transcript.template challenge(); From 97dd15599bc5e724827807e3476d25c786650ef6 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Thu, 24 Feb 2022 23:29:52 +0200 Subject: [PATCH 181/219] prover process #20 --- .../zk/snark/systems/plonk/redshift/proof.hpp | 6 ++--- .../snark/systems/plonk/redshift/prover.hpp | 25 ++++--------------- test/systems/plonk/redshift.cpp | 14 ----------- 3 files changed, 8 insertions(+), 37 deletions(-) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp index c056280a8..4c0776cd1 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp @@ -38,9 +38,9 @@ namespace nil { struct redshift_proof { struct evaluation_proof { - typename CommitmentSchemeTypeWitness::proof_type witness; - typename CommitmentSchemeTypePermutation::proof_type permutation; - typename CommitmentSchemeTypeQuotient::proof_type quotient; + std::vector witness; + std::vector permutation; + std::vector quotient; }; redshift_proof() { diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 4ec566637..fa91d506c 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -147,7 +147,7 @@ namespace nil { columns_for_permutation_argument[i] = witness_poly[column_index]; } else { std::vector tmp; - std::copy(assignments.public_assignment.public_input[column_index].begin(), assignments.public_assignment.public_input[column_index].end(), std::back_inserter(tmp)); + std::copy(assignments.public_assignment.public_input[column_index - witness_columns].begin(), assignments.public_assignment.public_input[column_index - witness_columns].end(), std::back_inserter(tmp)); preprocessed_public_data.basic_domain->inverse_fft(tmp); columns_for_permutation_argument[i] = tmp; } @@ -194,6 +194,7 @@ namespace nil { std::vector T_commitments(T_splitted.size()); for (std::size_t i = 0; i < T_splitted.size(); i++) { T_commitments[i] = lpc_quotient::commit(T_splitted[i], fri_params.D[0]); + proof.T_commitments.push_back(T_commitments[i].root()); } //transcript(T_commitments); @@ -213,36 +214,20 @@ namespace nil { } witnesses_evaluation[i] = lpc_witness::proof_eval(evaluation_points_gates, witness_commitments[i], witness_poly[i], transcript, fri_params); + proof.eval_proof.witness.push_back(witnesses_evaluation[i]); } // permutation polynomial evaluation std::array evaluation_points_v_p = {challenge, challenge * omega}; typename lpc_permutation::proof_type v_p_evaluation = lpc_permutation::proof_eval(evaluation_points_v_p, permutation_argument.permutation_poly_commitment, permutation_argument.permutation_polynomial, transcript, fri_params); - + proof.eval_proof.permutation.push_back(v_p_evaluation); std::array evaluation_points_quotient = {challenge}; std::vector quotient_evaluation(T_splitted.size()); for (std::size_t i = 0; i < T_splitted.size(); i++) { quotient_evaluation[i] = lpc_quotient::proof_eval(evaluation_points_quotient, T_commitments[i], T_splitted[i], transcript, fri_params); + proof.eval_proof.quotient.push_back(quotient_evaluation[i]); } - // std::array fT_evaluation_points = {upsilon}; - // std::vector f_lpc_proofs(N_wires); - - // for (std::size_t i = 0; i < N_wires; i++){ - // f_lpc_proofs.push_back(lpc::proof_eval(fT_evaluation_points, f_trees[i], f[i], D_0)); - // } - - // std::vector T_lpc_proofs(N_perm + 1); - - // for (std::size_t i = 0; i < N_perm + 1; i++) { - // T_lpc_proofs.push_back(lpc::proof_eval(fT_evaluation_points, T_trees[i], T[i], D_0)); - // }*/ - - // = typename types_policy::proof_type(std::move(f_commitments), std::move(T_commitments), - // std::move(f_lpc_proofs), std::move(T_lpc_proofs)); - // proof.T_lpc_proofs = T_lpc_proofs; - // proof.f_lpc_proofs = f_lpc_proofs; - // proof.T_commitments = T_commitments; return proof; } diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index 6e14a16a4..34d9fe909 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -60,20 +60,6 @@ using namespace nil::crypto3; using namespace nil::crypto3::zk::snark; -template -math::polynomial - lagrange_polynomial(std::shared_ptr> domain, std::size_t number) { - std::vector> evaluation_points; - for (std::size_t i = 0; i < domain->m; i++) { - evaluation_points.push_back(std::make_pair(domain->get_domain_element(i), (i != number) ? - FieldType::value_type::zero() : - FieldType::value_type::one())); - } - math::polynomial f = math::lagrange_interpolation(evaluation_points); - - return f; -} - template typename fri_type::params_type create_fri_params(std::size_t degree_log) { typename fri_type::params_type params; From 680787415ec4f345459ca94bb36151bb0f6eb920 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Fri, 25 Feb 2022 00:53:52 +0300 Subject: [PATCH 182/219] PLONK table introduced. #20 --- .../crypto3/zk/snark/relations/plonk/gate.hpp | 21 +--- .../zk/snark/systems/plonk/redshift/table.hpp | 108 ++++++++++++++++++ 2 files changed, 113 insertions(+), 16 deletions(-) create mode 100644 include/nil/crypto3/zk/snark/systems/plonk/redshift/table.hpp diff --git a/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp b/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp index 532dd75fc..3b339d3f4 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp @@ -45,29 +45,18 @@ namespace nil { template struct plonk_gate_unprocessed{ - std::vector selector; + std::size_t selector_index; std::vector> constraints; - plonk_gate_unprocessed(std::size_t row_index, const snark::plonk_constraint &constraint): + plonk_gate_unprocessed(std::size_t selector_index, const snark::plonk_constraint &constraint): constraints(std::vector> ({constraint})), - selector(std::vector ({row_index})){ + selector_index(selector_index){ } - plonk_gate_unprocessed(std::size_t row_index, + plonk_gate_unprocessed(std::size_t selector_index, const std::initializer_list> &constraints): constraints(constraints), - selector(std::vector ({row_index})){ - } - - plonk_gate_unprocessed(std::initializer_list row_indices, - const snark::plonk_constraint &constraint): - constraints(std::vector> ({constraint})), - selector(row_indices) { - } - - plonk_gate_unprocessed(std::initializer_list row_indices, - const std::initializer_list> &constraints): - constraints(constraints), selector(row_indices) { + selector_index(selector_index){ } }; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/table.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/table.hpp new file mode 100644 index 000000000..79d6e43f1 --- /dev/null +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/table.hpp @@ -0,0 +1,108 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// Copyright (c) 2022 Ilia Shirobokov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_PLONK_REDSHIFT_TABLE_HPP +#define CRYPTO3_ZK_PLONK_REDSHIFT_TABLE_HPP + +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + + template + class redshift_table { + + using variable_type = variable; + std::array witness_variables; + std::vector selector_variables; + // std::vector public_input_variables; + + public: + + variable_type witness(std::size_t index) const{ + assert(index < RedshiftParams::witness_columns); + return witness_variables[index]; + } + + variable_type& witness(std::size_t index){ + assert(index < RedshiftParams::witness_columns); + return witness_variables[index]; + } + + variable_type selector(std::size_t index) const{ + assert(index < selector_variables.size()); + return selector_variables[index]; + } + + variable_type& selector(std::size_t index){ + assert(index < selector_variables.size()); + return selector_variables[index]; + } + + // variable_type public_input(std::size_t index) const{ + // assert(index < public_input_variables.size()); + // return public_input_variables[index]; + // } + + // variable_type& public_input(std::size_t index){ + // assert(index < public_input_variables.size()); + // return public_input_variables[index]; + // } + + variable_type operator[](std::size_t index) const{ + if (index < RedshiftParams::witness_columns) + return witness_variables[index]; + index -= RedshiftParams::witness_columns; + if (index < selector_variables.size()) + return selector_variables[index]; + index -= selector_variables.size(); + // if (index < public_input_variables.size()) + // return public_input_variables[index]; + // index -= public_input_variables.size(); + } + + variable_type& operator[](std::size_t index){ + if (index < RedshiftParams::witness_columns) + return witness_variables[index]; + index -= RedshiftParams::witness_columns; + if (index < selector_variables.size()) + return selector_variables[index]; + index -= selector_variables.size(); + // if (index < public_input_variables.size()) + // return public_input_variables[index]; + // index -= public_input_variables.size(); + } + + }; + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_PLONK_REDSHIFT_TABLE_HPP From 140620927eff17625cc1b4147b51bcb07bc1d39a Mon Sep 17 00:00:00 2001 From: nkaskov Date: Fri, 25 Feb 2022 13:56:22 +0300 Subject: [PATCH 183/219] PLONK table and constraint system separation inited. #20 --- .../crypto3/zk/snark/relations/plonk/gate.hpp | 13 +--- .../zk/snark/relations/plonk/plonk.hpp | 74 ++----------------- .../zk/snark/systems/plonk/redshift/table.hpp | 71 ++++++------------ 3 files changed, 31 insertions(+), 127 deletions(-) diff --git a/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp b/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp index 3b339d3f4..246ef0686 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp @@ -44,7 +44,7 @@ namespace nil { /************************* PLONK gate ***********************************/ template - struct plonk_gate_unprocessed{ + struct plonk_gate{ std::size_t selector_index; std::vector> constraints; @@ -60,17 +60,6 @@ namespace nil { } }; - template - struct plonk_gate{ - math::polynomial selector; - std::vector> constraints; - - plonk_gate(math::polynomial &selector, - const std::vector> &constraints): - constraints(constraints), selector(selector) { - } - }; - } // namespace snark } // namespace zk } // namespace crypto3 diff --git a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp index d0fce72df..8c644f537 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp @@ -51,33 +51,22 @@ namespace nil { /************************* PLONK constraint system ****************************/ - template + template class plonk_constraint_system { - std::vector> gates_data; + std::vector> gates; public: - std::vector> gates; - std::size_t rows_amount; - plonk_constraint_system() { } - constexpr std::size_t num_witness() const { - return WitnessAmount; - } - - constexpr std::size_t num_public() const { - return PublicAmount; - } - std::size_t num_gates() const { return gates_data.size(); } // bool - // is_satisfied(plonk_variable_assignment full_variable_assignment) const { + // is_satisfied(plonk_variable_assignment full_variable_assignment) const { // for (std::size_t c = 0; c < constraints.size(); ++c) { // if (!constraints[c].a.evaluate(full_variable_assignment).is_zero()) { @@ -88,6 +77,10 @@ namespace nil { // return true; // } + std::vector> gates() const { + return gates; + } + std::vector> copy_constraints() const { return {}; } @@ -95,59 +88,6 @@ namespace nil { std::vector> lookups() const { return {}; } - - /*static std::vector> - wire_polynomials(const plonk_variable_assignment &full_variable_assignment) { - - // std::vector> result(gates_data.size()); - - std::array, WitnessAmount> wires; - for (std::size_t wire_index = 0; wire_index < WitnessAmount; wire_index++) { - const std::shared_ptr> domain = - math::make_evaluation_domain(full_variable_assignment[wire_index].size()); - - std::vector interpolation_points( - full_variable_assignment[wire_index].size()); - - std::copy(full_variable_assignment[wire_index].begin(), - full_variable_assignment[wire_index].end(), interpolation_points.begin()); - - domain->inverse_fft(interpolation_points); - - wires[wire_index] = - math::polynomial(interpolation_points); - } - - // for (std::size_t constraint_index = 0; constraint_index < constraints.size(); - // constraint_index++) { - - // for (auto &term : constraints[constraint_index].terms) { - - // math::polynomial term_polynom = {term.coeff}; - - // for (auto &var : term.vars) { - - // const std::shared_ptr> domain = - // math::make_evaluation_domain(full_variable_assignment[var.wire_index].size()); - - // term_polynom = term_polynom * math::polynomial_shift(wires[var.wire_index], - // domain->get_domain_element(var.rotation)); - // } - - // result[constraint_index] = result[constraint_index] + term_polynom; - // } - // } - - return wires; - }*/ - - void add_gate(const plonk_gate_unprocessed &g) { - gates_data.emplace_back(g); - } - - bool operator==(const plonk_constraint_system &other) const { - return (this->gates_data == other.gates_data); - } }; } // namespace snark } // namespace zk diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/table.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/table.hpp index 79d6e43f1..c6cb23620 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/table.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/table.hpp @@ -34,69 +34,44 @@ namespace nil { namespace zk { namespace snark { + using plonk_column = std::vector; + template - class redshift_table { + class plonk_table { - using variable_type = variable; - std::array witness_variables; - std::vector selector_variables; - // std::vector public_input_variables; + using assignment_type = typename FieldType::value_type; + std::array witness_columns; + std::vector selector_columns; + // std::vector public_input_columns; public: - variable_type witness(std::size_t index) const{ + plonk_column witness(std::size_t index) const{ assert(index < RedshiftParams::witness_columns); - return witness_variables[index]; - } - - variable_type& witness(std::size_t index){ - assert(index < RedshiftParams::witness_columns); - return witness_variables[index]; - } - - variable_type selector(std::size_t index) const{ - assert(index < selector_variables.size()); - return selector_variables[index]; + return witness_columns[index]; } - variable_type& selector(std::size_t index){ - assert(index < selector_variables.size()); - return selector_variables[index]; + plonk_column selector(std::size_t index) const{ + assert(index < selector_columns.size()); + return selector_columns[index]; } - // variable_type public_input(std::size_t index) const{ - // assert(index < public_input_variables.size()); - // return public_input_variables[index]; - // } - - // variable_type& public_input(std::size_t index){ - // assert(index < public_input_variables.size()); - // return public_input_variables[index]; - // } - - variable_type operator[](std::size_t index) const{ - if (index < RedshiftParams::witness_columns) - return witness_variables[index]; - index -= RedshiftParams::witness_columns; - if (index < selector_variables.size()) - return selector_variables[index]; - index -= selector_variables.size(); - // if (index < public_input_variables.size()) - // return public_input_variables[index]; - // index -= public_input_variables.size(); + plonk_column public_input(std::size_t index) const{ + assert(index < public_input_columns.size()); + return public_input_columns[index]; } - variable_type& operator[](std::size_t index){ + plonk_column operator[](std::size_t index) const{ if (index < RedshiftParams::witness_columns) - return witness_variables[index]; + return witness_columns[index]; index -= RedshiftParams::witness_columns; - if (index < selector_variables.size()) - return selector_variables[index]; - index -= selector_variables.size(); - // if (index < public_input_variables.size()) - // return public_input_variables[index]; - // index -= public_input_variables.size(); + if (index < selector_columns.size()) + return selector_columns[index]; + index -= selector_columns.size(); + // if (index < public_input_columns.size()) + // return public_input_columns[index]; + // index -= public_input_columns.size(); } }; From 6f58d16fcb39dfd23e709b4ec3389b28d9b76b91 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Fri, 25 Feb 2022 23:39:56 +0300 Subject: [PATCH 184/219] PLONK assignment table separated to public and private. #20 --- .../crypto3/zk/snark/relations/plonk/gate.hpp | 2 +- .../zk/snark/systems/plonk/redshift/table.hpp | 79 +++++++++++++++++-- 2 files changed, 73 insertions(+), 8 deletions(-) diff --git a/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp b/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp index 246ef0686..f72100eb6 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp @@ -54,7 +54,7 @@ namespace nil { } plonk_gate_unprocessed(std::size_t selector_index, - const std::initializer_list> &constraints): + const std::initializer_list> &&constraints): constraints(constraints), selector_index(selector_index){ } diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/table.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/table.hpp index c6cb23620..a493e6ed3 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/table.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/table.hpp @@ -38,12 +38,9 @@ namespace nil { template - class plonk_table { + class plonk_private_table { - using assignment_type = typename FieldType::value_type; std::array witness_columns; - std::vector selector_columns; - // std::vector public_input_columns; public: @@ -52,6 +49,26 @@ namespace nil { return witness_columns[index]; } + plonk_column operator[](std::size_t index) const{ + if (index < RedshiftParams::witness_columns) + return witness_columns[index]; + index -= RedshiftParams::witness_columns; + } + + std::size_t size() const{ + return witness_columns.size(); + } + }; + + template + class plonk_public_table { + + std::vector selector_columns; + // std::vector public_input_columns; + + public: + plonk_column selector(std::size_t index) const{ assert(index < selector_columns.size()); return selector_columns[index]; @@ -63,9 +80,6 @@ namespace nil { } plonk_column operator[](std::size_t index) const{ - if (index < RedshiftParams::witness_columns) - return witness_columns[index]; - index -= RedshiftParams::witness_columns; if (index < selector_columns.size()) return selector_columns[index]; index -= selector_columns.size(); @@ -74,6 +88,57 @@ namespace nil { // index -= public_input_columns.size(); } + std::size_t size() const{ + return selector_columns.size() + public_input_columns.size(); + } + }; + + template + class plonk_table { + + plonk_private_table private_table; + plonk_public_table public_table; + + public: + + plonk_table(plonk_private_table private_table, + plonk_public_table public_table): + private_table(private_table), public_table(public_table){ + } + + plonk_column witness(std::size_t index) const{ + return private_table.witness(index); + } + + plonk_column selector(std::size_t index) const{ + return public_table.selector(index); + } + + plonk_column public_input(std::size_t index) const{ + return public_table.public_input(index); + } + + plonk_column operator[](std::size_t index) const{ + if (index < private_table.size()) + return private_table[index]; + index -= private_table.size(); + if (index < public_table.size()) + return public_table[index]; + } + + plonk_private_table private_table() const{ + return private_table; + } + + plonk_public_table public_table() const{ + return public_table; + } + + std::size_t size() const{ + return private_table.size() + public_table.size(); + } + }; } // namespace snark } // namespace zk From e92ba2b88179f5a2ba6f9d334b10518f318e6f7f Mon Sep 17 00:00:00 2001 From: nkaskov Date: Sat, 26 Feb 2022 11:20:53 +0300 Subject: [PATCH 185/219] PLONK polynomial table introduced. #20 --- .../zk/snark/relations/plonk/table.hpp | 196 ++++++++++++++++++ .../systems/plonk/redshift/gates_argument.hpp | 7 +- .../plonk/redshift/permutation_argument.hpp | 13 +- .../systems/plonk/redshift/preprocessor.hpp | 21 +- .../snark/systems/plonk/redshift/prover.hpp | 35 +--- .../zk/snark/systems/plonk/redshift/types.hpp | 23 +- .../systems/plonk/{redshift => }/table.hpp | 73 +++---- 7 files changed, 260 insertions(+), 108 deletions(-) create mode 100644 include/nil/crypto3/zk/snark/relations/plonk/table.hpp rename include/nil/crypto3/zk/snark/systems/plonk/{redshift => }/table.hpp (56%) diff --git a/include/nil/crypto3/zk/snark/relations/plonk/table.hpp b/include/nil/crypto3/zk/snark/relations/plonk/table.hpp new file mode 100644 index 000000000..a066f6a1c --- /dev/null +++ b/include/nil/crypto3/zk/snark/relations/plonk/table.hpp @@ -0,0 +1,196 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// Copyright (c) 2022 Ilia Shirobokov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_PLONK_REDSHIFT_TABLE_HPP +#define CRYPTO3_ZK_PLONK_REDSHIFT_TABLE_HPP + +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + + template + using plonk_column = std::vector; + + template + class plonk_private_table { + + std::array witness_columns; + + public: + + plonk_private_table(std::array witness_columns): + witness_columns(witness_columns){ + } + + ColumnType witness(std::size_t index) const{ + assert(index < PlonkParams::witness_columns); + return witness_columns[index]; + } + + ColumnType operator[](std::size_t index) const{ + if (index < PlonkParams::witness_columns) + return witness_columns[index]; + index -= PlonkParams::witness_columns; + } + + std::size_t size() const{ + return witness_columns.size(); + } + }; + + template + class plonk_public_table { + + std::vector selector_columns; + // std::vector public_input_columns; + + public: + + plonk_public_table(std::vector selector_columns): + selector_columns(selector_columns){ + } + + ColumnType selector(std::size_t index) const{ + assert(index < selector_columns.size()); + return selector_columns[index]; + } + + ColumnType public_input(std::size_t index) const{ + assert(index < public_input_columns.size()); + return public_input_columns[index]; + } + + ColumnType operator[](std::size_t index) const{ + if (index < selector_columns.size()) + return selector_columns[index]; + index -= selector_columns.size(); + // if (index < public_input_columns.size()) + // return public_input_columns[index]; + // index -= public_input_columns.size(); + } + + std::size_t size() const{ + return selector_columns.size() + public_input_columns.size(); + } + }; + + template + struct plonk_table { + + using private_table_type = plonk_private_table; + using public_table_type = plonk_public_table; + + private: + + private_table_type private_table; + public_table_type public_table; + + public: + + plonk_table(private_table_type private_table, + public_table_type public_table): + private_table(private_table), public_table(public_table){ + } + + ColumnType witness(std::size_t index) const{ + return private_table.witness(index); + } + + ColumnType selector(std::size_t index) const{ + return public_table.selector(index); + } + + ColumnType public_input(std::size_t index) const{ + return public_table.public_input(index); + } + + ColumnType operator[](std::size_t index) const{ + if (index < private_table.size()) + return private_table[index]; + index -= private_table.size(); + if (index < public_table.size()) + return public_table[index]; + } + + private_table_type private_table() const{ + return private_table; + } + + public_table_type public_table() const{ + return public_table; + } + + std::size_t size() const{ + return private_table.size() + public_table.size(); + } + + }; + + template + using plonk_private_assignment_table = plonk_private_table>; + + template + using plonk_public_assignment_table = plonk_public_table>; + + template + using plonk_assignment_table = plonk_table>; + + template + using plonk_private_polynomial_table = plonk_private_table>; + + template + using plonk_public_polynomial_table = plonk_public_table>; + + template + using plonk_polynomial_table = plonk_table>; + + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_PLONK_REDSHIFT_TABLE_HPP diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp index 341ab03ff..4497c4087 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp @@ -55,9 +55,6 @@ namespace nil { typename RedshiftParams> struct redshift_gates_argument { - constexpr static const std::size_t witness_columns = RedshiftParams::witness_columns; - constexpr static const std::size_t public_columns = RedshiftParams::public_columns; - using merkle_hash_type = typename RedshiftParams::merkle_hash_type; using transcript_hash_type = typename RedshiftParams::transcript_hash_type; using types_policy = detail::redshift_types_policy; @@ -66,7 +63,7 @@ namespace nil { static inline std::array, argument_size> prove_eval(typename types_policy::constraint_system_type &constraint_system, - const std::vector> &columns, + const std::vector> &column_polynomials, fiat_shamir_heuristic_updated &transcript) { typename FieldType::value_type theta = transcript.template challenge(); @@ -82,7 +79,7 @@ namespace nil { math::polynomial gate_result = {0}; for (std::size_t j = 0; j < gates[i].constraints.size(); j++) { - gate_result = gate_result + gates[i].constraints[j].evaluate(columns) * theta_acc; + gate_result = gate_result + gates[i].constraints[j].evaluate(column_polynomials) * theta_acc; theta_acc *= theta; } diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp index 8b45bfddc..831470311 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp @@ -49,9 +49,6 @@ namespace nil { typename RedshiftParams> class redshift_permutation_argument { - constexpr static const std::size_t witness_columns = RedshiftParams::witness_columns; - constexpr static const std::size_t public_columns = RedshiftParams::public_columns; - using merkle_hash_type = typename RedshiftParams::merkle_hash_type; using transcript_hash_type = typename RedshiftParams::transcript_hash_type; using types_policy = detail::redshift_types_policy; @@ -73,7 +70,7 @@ namespace nil { prove_eval(fiat_shamir_heuristic_updated &transcript, const typename types_policy::preprocessed_public_data_type preprocessed_data, const typename types_policy::template circuit_short_description &short_description, - const std::vector> &columns, + const std::vector> &column_polynomials, typename fri_type::params_type fri_params) { const std::vector> &S_sigma = preprocessed_data.permutation_polynomials; @@ -94,9 +91,9 @@ namespace nil { sigma_binding[j] = FieldType::value_type::one(); for (std::size_t i = 0; i < S_id.size(); i++) { - id_binding[j] *= (columns[i].evaluate(domain->get_domain_element(j)) + + id_binding[j] *= (column_polynomials[i].evaluate(domain->get_domain_element(j)) + beta * S_id[i].evaluate(domain->get_domain_element(j)) + gamma); - sigma_binding[j] *= (columns[i].evaluate(domain->get_domain_element(j)) + + sigma_binding[j] *= (column_polynomials[i].evaluate(domain->get_domain_element(j)) + beta * S_sigma[i].evaluate(domain->get_domain_element(j)) + gamma); } } @@ -131,8 +128,8 @@ namespace nil { math::polynomial h = {1}; for (std::size_t i = 0; i < S_id.size(); i++) { - g = g * (columns[i] + beta * S_id[i] + gamma); - h = h * (columns[i] + beta * S_sigma[i] + gamma); + g = g * (column_polynomials[i] + beta * S_id[i] + gamma); + h = h * (column_polynomials[i] + beta * S_sigma[i] + gamma); } math::polynomial one_polynomial = {1}; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp index a23a2e2f7..6dc6a11f8 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp @@ -45,8 +45,7 @@ namespace nil { template math::polynomial - column_polynomial(std::size_t table_size, - const std::vector &column_assignment, + column_polynomial(const plonk_column &column_assignment, const std::shared_ptr> &domain) { std::vector interpolation_points( @@ -62,15 +61,14 @@ namespace nil { template std::vector> - column_range_polynomials(std::size_t table_size, - const std::vector> &column_range_assignment, + column_range_polynomials(const std::vector> &column_range_assignment, const std::shared_ptr> &domain) { std::size_t columns_amount = column_range_assignment.size(); std::vector> columns (columns_amount); for (std::size_t selector_index = 0; selector_index < columns_amount; selector_index++) { - columns[selector_index] = column_polynomial(table_size, column_range_assignment[selector_index], domain); + columns[selector_index] = column_polynomial(column_range_assignment[selector_index], domain); } return columns; @@ -78,14 +76,13 @@ namespace nil { template std::array, columns_amount> - column_range_polynomials(std::size_t table_size, - const std::array, columns_amount> &column_range_assignment, + column_range_polynomials(const std::array, columns_amount> &column_range_assignment, const std::shared_ptr> &domain) { std::array, columns_amount> columns; for (std::size_t selector_index = 0; selector_index < columns_amount; selector_index++) { - columns[selector_index] = column_polynomial(table_size, column_range_assignment[selector_index], domain); + columns[selector_index] = column_polynomial(column_range_assignment[selector_index], domain); } return columns; @@ -188,7 +185,7 @@ namespace nil { template static inline typename types_policy::preprocessed_public_data_type process(const typename types_policy::constraint_system_type &constraint_system, - const typename types_policy::variable_assignment_type::public_assignment_type &public_assignment, + const typename types_policy::variable_assignment_type::public_table_type &public_assignment, typename types_policy::template circuit_short_description &short_description) { typename types_policy::preprocessed_public_data_type data; @@ -210,7 +207,7 @@ namespace nil { data.q_last = selector_last(short_description.table_rows, short_description.usable_rows, data.basic_domain); data.q_blind = selector_blind(short_description.table_rows, short_description.usable_rows, data.basic_domain); - data.selectors = detail::column_range_polynomials(short_description.table_rows, public_assignment.selectors, data.basic_domain); + data.public_polynomial_table = detail::column_range_polynomials(short_description.table_rows, public_assignment.selectors(), data.basic_domain); std::vector z_numenator(N_rows + 1); z_numenator[0] = -FieldType::value_type::one(); @@ -243,7 +240,7 @@ namespace nil { template static inline typename types_policy::preprocessed_private_data_type process(const typename types_policy::constraint_system_type &constraint_system, - const typename types_policy::variable_assignment_type::private_assignment_type &private_assignment, + const typename types_policy::variable_assignment_type::private_table_type &private_assignment, typename types_policy::template circuit_short_description &short_description) { typename types_policy::preprocessed_private_data_type data; @@ -252,7 +249,7 @@ namespace nil { data.basic_domain = math::make_evaluation_domain(N_rows); - data.witnesses = detail::column_range_polynomials(N_rows, private_assignment.witnesses, data.basic_domain); + data.private_polynomial_table = detail::column_range_polynomials(N_rows, private_assignment.witnesses(), data.basic_domain); return data; } diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index fa91d506c..c9925fd6f 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -123,6 +123,11 @@ namespace nil { std::vector tanscript_init = {}; fiat_shamir_heuristic_updated transcript(tanscript_init); + plonk_polynomial_table polynomial_table = + plonk_polynomial_table( + preprocessed_private_data.private_polynomial_table, + preprocessed_public_data.public_polynomial_table); + // 1. Add circuit definition to transctipt //transcript(short_description); //TODO: circuit_short_description marshalling @@ -139,23 +144,9 @@ namespace nil { //transcript(proof.witness_commitments[i]); } - // 3. Prepare columns included into permuation argument - std::vector> columns_for_permutation_argument(short_description.columns_with_copy_constraints.size()); - for (std::size_t i = 0; i < short_description.columns_with_copy_constraints.size(); i++) { - std::size_t column_index = short_description.columns_with_copy_constraints[i]; - if (column_index < witness_columns) { //TODO: for now, we suppose that witnesses are placed to the first witness_columns of the table - columns_for_permutation_argument[i] = witness_poly[column_index]; - } else { - std::vector tmp; - std::copy(assignments.public_assignment.public_input[column_index - witness_columns].begin(), assignments.public_assignment.public_input[column_index - witness_columns].end(), std::back_inserter(tmp)); - preprocessed_public_data.basic_domain->inverse_fft(tmp); - columns_for_permutation_argument[i] = tmp; - } - } - // 4. permutation_argument auto permutation_argument = redshift_permutation_argument::prove_eval( - transcript, preprocessed_public_data, short_description, columns_for_permutation_argument, fri_params); + transcript, preprocessed_public_data, short_description, polynomial_table, fri_params); proof.v_perm_commitment = permutation_argument.permutation_poly_commitment.root(); @@ -170,21 +161,9 @@ namespace nil { // lookup_argument = redshift_lookup_argument::prove_eval(transcript); // 6. circuit-satisfability - std::vector> columns_for_gate_argument(witness_columns + public_columns); - for (std::size_t i = 0; i < columns_for_gate_argument.size(); i++) { - if (i < witness_columns) { //TODO: for now, we suppose that witnesses are placed to the first witness_columns of the table - columns_for_gate_argument[i] = witness_poly[i]; - } else { - std::vector tmp; - std::copy(assignments.public_assignment.public_input[i].begin(), assignments.public_assignment.public_input[i].end(), std::back_inserter(tmp)); - preprocessed_public_data.basic_domain->inverse_fft(tmp); - columns_for_gate_argument[i] = tmp; - } - } - std::array, gate_parts> prover_res = redshift_gates_argument::prove_eval( - constraint_system, columns_for_gate_argument, transcript); + constraint_system, polynomial_table, transcript); F[3] = prover_res[0]; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp index a878607d8..456fa0db5 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp @@ -62,21 +62,7 @@ namespace nil { typedef plonk_constraint_system constraint_system_type; - /************************* PLONK variable assignment **************************/ - - struct variable_assignment_type { - - struct private_assignment_type { - std::array, witness_columns> witnesses; - } private_assignment; - - struct public_assignment_type { - using selectors_type = std::vector>; - using public_input_type = std::array, public_columns>; - selectors_type selectors; - public_input_type public_input; - } public_assignment; - }; + typedef plonk_assignment_table variable_assignment_type; /*********************************** Proof ***********************************/ @@ -96,14 +82,13 @@ namespace nil { std::shared_ptr> basic_domain; - std::vector> selectors; + plonk_public_polynomial_table public_polynomial_table; + // S_sigma std::vector> permutation_polynomials; // S_id std::vector> identity_polynomials; - // c - std::vector> constraints; math::polynomial lagrange_0; @@ -117,7 +102,7 @@ namespace nil { std::shared_ptr> basic_domain; - std::array, witness_columns> witnesses; + plonk_private_polynomial_table private_polynomial_table; }; template diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/table.hpp b/include/nil/crypto3/zk/snark/systems/plonk/table.hpp similarity index 56% rename from include/nil/crypto3/zk/snark/systems/plonk/redshift/table.hpp rename to include/nil/crypto3/zk/snark/systems/plonk/table.hpp index a493e6ed3..82716e012 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/table.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/table.hpp @@ -24,8 +24,8 @@ // SOFTWARE. //---------------------------------------------------------------------------// -#ifndef CRYPTO3_ZK_PLONK_REDSHIFT_TABLE_HPP -#define CRYPTO3_ZK_PLONK_REDSHIFT_TABLE_HPP +#ifndef CRYPTO3_ZK_PLONK_REDSHIFT_POLYNOMIAL_TABLE_HPP +#define CRYPTO3_ZK_PLONK_REDSHIFT_POLYNOMIAL_TABLE_HPP #include @@ -34,22 +34,23 @@ namespace nil { namespace zk { namespace snark { + template using plonk_column = std::vector; template - class plonk_private_table { + class plonk_private_assignment_table { - std::array witness_columns; + std::array, RedshiftParams::witness_columns> witness_columns; public: - plonk_column witness(std::size_t index) const{ + plonk_column witness(std::size_t index) const{ assert(index < RedshiftParams::witness_columns); return witness_columns[index]; } - plonk_column operator[](std::size_t index) const{ + plonk_column operator[](std::size_t index) const{ if (index < RedshiftParams::witness_columns) return witness_columns[index]; index -= RedshiftParams::witness_columns; @@ -62,24 +63,24 @@ namespace nil { template - class plonk_public_table { + class plonk_public_assignment_table { - std::vector selector_columns; - // std::vector public_input_columns; + std::vector> selector_columns; + // std::vector> public_input_columns; public: - plonk_column selector(std::size_t index) const{ + plonk_column selector(std::size_t index) const{ assert(index < selector_columns.size()); return selector_columns[index]; } - plonk_column public_input(std::size_t index) const{ + plonk_column public_input(std::size_t index) const{ assert(index < public_input_columns.size()); return public_input_columns[index]; } - plonk_column operator[](std::size_t index) const{ + plonk_column operator[](std::size_t index) const{ if (index < selector_columns.size()) return selector_columns[index]; index -= selector_columns.size(); @@ -95,48 +96,48 @@ namespace nil { template - class plonk_table { + class plonk_assignment_table { - plonk_private_table private_table; - plonk_public_table public_table; + plonk_private_assignment_table private_assignment_table; + plonk_public_assignment_table public_assignment_table; public: - plonk_table(plonk_private_table private_table, - plonk_public_table public_table): - private_table(private_table), public_table(public_table){ + plonk_assignment_table(plonk_private_assignment_table private_assignment_table, + plonk_public_assignment_table public_assignment_table): + private_assignment_table(private_assignment_table), public_assignment_table(public_assignment_table){ } - plonk_column witness(std::size_t index) const{ - return private_table.witness(index); + plonk_column witness(std::size_t index) const{ + return private_assignment_table.witness(index); } - plonk_column selector(std::size_t index) const{ - return public_table.selector(index); + plonk_column selector(std::size_t index) const{ + return public_assignment_table.selector(index); } - plonk_column public_input(std::size_t index) const{ - return public_table.public_input(index); + plonk_column public_input(std::size_t index) const{ + return public_assignment_table.public_input(index); } - plonk_column operator[](std::size_t index) const{ - if (index < private_table.size()) - return private_table[index]; - index -= private_table.size(); - if (index < public_table.size()) - return public_table[index]; + plonk_column operator[](std::size_t index) const{ + if (index < private_assignment_table.size()) + return private_assignment_table[index]; + index -= private_assignment_table.size(); + if (index < public_assignment_table.size()) + return public_assignment_table[index]; } - plonk_private_table private_table() const{ - return private_table; + plonk_private_assignment_table private_assignment_table() const{ + return private_assignment_table; } - plonk_public_table public_table() const{ - return public_table; + plonk_public_assignment_table public_assignment_table() const{ + return public_assignment_table; } std::size_t size() const{ - return private_table.size() + public_table.size(); + return private_assignment_table.size() + public_assignment_table.size(); } }; @@ -145,4 +146,4 @@ namespace nil { } // namespace crypto3 } // namespace nil -#endif // CRYPTO3_ZK_PLONK_REDSHIFT_TABLE_HPP +#endif // CRYPTO3_ZK_PLONK_REDSHIFT_POLYNOMIAL_TABLE_HPP From 4659e0b2900c14f334bd909c9ceaf5f3b4cc40d1 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Sat, 26 Feb 2022 11:22:11 +0300 Subject: [PATCH 186/219] PLONK polynomial table obsolete file removed. #20 --- .../crypto3/zk/snark/systems/plonk/table.hpp | 149 ------------------ 1 file changed, 149 deletions(-) delete mode 100644 include/nil/crypto3/zk/snark/systems/plonk/table.hpp diff --git a/include/nil/crypto3/zk/snark/systems/plonk/table.hpp b/include/nil/crypto3/zk/snark/systems/plonk/table.hpp deleted file mode 100644 index 82716e012..000000000 --- a/include/nil/crypto3/zk/snark/systems/plonk/table.hpp +++ /dev/null @@ -1,149 +0,0 @@ -//---------------------------------------------------------------------------// -// Copyright (c) 2021 Mikhail Komarov -// Copyright (c) 2021 Nikita Kaskov -// Copyright (c) 2022 Ilia Shirobokov -// -// MIT License -// -// Permission is hereby granted, free of charge, to any person obtaining a copy -// of this software and associated documentation files (the "Software"), to deal -// in the Software without restriction, including without limitation the rights -// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -// copies of the Software, and to permit persons to whom the Software is -// furnished to do so, subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -// SOFTWARE. -//---------------------------------------------------------------------------// - -#ifndef CRYPTO3_ZK_PLONK_REDSHIFT_POLYNOMIAL_TABLE_HPP -#define CRYPTO3_ZK_PLONK_REDSHIFT_POLYNOMIAL_TABLE_HPP - -#include - -namespace nil { - namespace crypto3 { - namespace zk { - namespace snark { - - template - using plonk_column = std::vector; - - template - class plonk_private_assignment_table { - - std::array, RedshiftParams::witness_columns> witness_columns; - - public: - - plonk_column witness(std::size_t index) const{ - assert(index < RedshiftParams::witness_columns); - return witness_columns[index]; - } - - plonk_column operator[](std::size_t index) const{ - if (index < RedshiftParams::witness_columns) - return witness_columns[index]; - index -= RedshiftParams::witness_columns; - } - - std::size_t size() const{ - return witness_columns.size(); - } - }; - - template - class plonk_public_assignment_table { - - std::vector> selector_columns; - // std::vector> public_input_columns; - - public: - - plonk_column selector(std::size_t index) const{ - assert(index < selector_columns.size()); - return selector_columns[index]; - } - - plonk_column public_input(std::size_t index) const{ - assert(index < public_input_columns.size()); - return public_input_columns[index]; - } - - plonk_column operator[](std::size_t index) const{ - if (index < selector_columns.size()) - return selector_columns[index]; - index -= selector_columns.size(); - // if (index < public_input_columns.size()) - // return public_input_columns[index]; - // index -= public_input_columns.size(); - } - - std::size_t size() const{ - return selector_columns.size() + public_input_columns.size(); - } - }; - - template - class plonk_assignment_table { - - plonk_private_assignment_table private_assignment_table; - plonk_public_assignment_table public_assignment_table; - - public: - - plonk_assignment_table(plonk_private_assignment_table private_assignment_table, - plonk_public_assignment_table public_assignment_table): - private_assignment_table(private_assignment_table), public_assignment_table(public_assignment_table){ - } - - plonk_column witness(std::size_t index) const{ - return private_assignment_table.witness(index); - } - - plonk_column selector(std::size_t index) const{ - return public_assignment_table.selector(index); - } - - plonk_column public_input(std::size_t index) const{ - return public_assignment_table.public_input(index); - } - - plonk_column operator[](std::size_t index) const{ - if (index < private_assignment_table.size()) - return private_assignment_table[index]; - index -= private_assignment_table.size(); - if (index < public_assignment_table.size()) - return public_assignment_table[index]; - } - - plonk_private_assignment_table private_assignment_table() const{ - return private_assignment_table; - } - - plonk_public_assignment_table public_assignment_table() const{ - return public_assignment_table; - } - - std::size_t size() const{ - return private_assignment_table.size() + public_assignment_table.size(); - } - - }; - } // namespace snark - } // namespace zk - } // namespace crypto3 -} // namespace nil - -#endif // CRYPTO3_ZK_PLONK_REDSHIFT_POLYNOMIAL_TABLE_HPP From 706aa4783468eec302b89749d29cb299152ee7b0 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Sat, 26 Feb 2022 15:00:00 +0300 Subject: [PATCH 187/219] Non-linear combination generalized to use arbitrary variable type. PLONK variable and constraint types introduced. #20 --- .../relations/non_linear_combination.hpp | 235 +++++++----------- .../zk/snark/relations/plonk/constraint.hpp | 135 ++++++++++ .../crypto3/zk/snark/relations/plonk/gate.hpp | 10 +- .../zk/snark/relations/plonk/plonk.hpp | 4 +- .../zk/snark/relations/plonk/variable.hpp | 144 +++++++++++ 5 files changed, 371 insertions(+), 157 deletions(-) create mode 100644 include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp create mode 100644 include/nil/crypto3/zk/snark/relations/plonk/variable.hpp diff --git a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp index 35b3c0c18..18dc710c5 100644 --- a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp +++ b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp @@ -31,8 +31,6 @@ #ifndef CRYPTO3_ZK_NON_LINEAR_COMBINATION_HPP #define CRYPTO3_ZK_NON_LINEAR_COMBINATION_HPP -#include -#include #include namespace nil { @@ -43,7 +41,7 @@ namespace nil { /** * Forward declaration. */ - template + template struct non_linear_combination; /****************************** Linear term **********************************/ @@ -52,34 +50,31 @@ namespace nil { * A linear term represents a formal expression of the form * "coeff * w^{wire_index_1}_{rotation_1} * ... * w^{wire_index_k}_{rotation_k}". */ - template + template class non_linear_term; - template - class non_linear_term { - typedef FieldType field_type; - typedef typename field_type::value_type field_value_type; - - constexpr static const bool RotationSupport = true; + template + class non_linear_term { + typedef typename VariableType::assignment_type assignment_type; public: - std::vector> vars; - field_value_type coeff; + std::vector vars; + assignment_type coeff; non_linear_term() {}; - non_linear_term(const variable &var) : coeff(field_value_type::one()) { + non_linear_term(const VariableType &var) : coeff(assignment_type::one()) { vars.push_back(var); } - non_linear_term(const field_value_type &field_val) : coeff(field_val) { + non_linear_term(const assignment_type &field_val) : coeff(field_val) { } - non_linear_term(std::vector> vars) : - vars(vars), coeff(field_value_type::one()) { + non_linear_term(std::vector vars) : + vars(vars), coeff(assignment_type::one()) { } - non_linear_term operator*(const field_value_type &field_coeff) const { + non_linear_term operator*(const assignment_type &field_coeff) const { non_linear_term result(this->vars); result.coeff = field_coeff * this->coeff; return result; @@ -108,41 +103,41 @@ namespace nil { } }; - template - non_linear_term - operator*(const typename FieldType::value_type &field_coeff, - const non_linear_term &nlt) { + template + non_linear_term + operator*(const typename VariableType::assignment_type &field_coeff, + const non_linear_term &nlt) { return nlt * field_coeff; } - template - non_linear_combination - operator+(const typename FieldType::value_type &field_coeff, - const non_linear_term &nlt) { - return non_linear_combination(field_coeff) + nlt; + template + non_linear_combination + operator+(const typename VariableType::assignment_type &field_coeff, + const non_linear_term &nlt) { + return non_linear_combination(field_coeff) + nlt; } - template - non_linear_combination - operator-(const typename FieldType::value_type &field_coeff, - const non_linear_term &nlt) { - return non_linear_combination(field_coeff) - nlt; + template + non_linear_combination + operator-(const typename VariableType::assignment_type &field_coeff, + const non_linear_term &nlt) { + return non_linear_combination(field_coeff) - nlt; } - template - non_linear_combination - operator+(const non_linear_term &A, - const non_linear_term &B) { - return non_linear_combination(A) + - non_linear_combination(B); + template + non_linear_combination + operator+(const non_linear_term &A, + const non_linear_term &B) { + return non_linear_combination(A) + + non_linear_combination(B); } - template - non_linear_combination - operator-(const non_linear_term &A, - const non_linear_term &B) { - return non_linear_combination(A) - - non_linear_combination(B); + template + non_linear_combination + operator-(const non_linear_term &A, + const non_linear_term &B) { + return non_linear_combination(A) - + non_linear_combination(B); } /***************************** Linear combination ****************************/ @@ -150,29 +145,24 @@ namespace nil { /** * A linear combination represents a formal expression of the form "sum_i coeff_i * x_{index_i}". */ - template - class non_linear_combination { - typedef FieldType field_type; - typedef typename field_type::value_type field_value_type; + template + class non_linear_combination { - constexpr static const bool RotationSupport = true; + std::vector> terms; public: - typedef std::map::rotation_type>, typename FieldType::value_type> evaluation_map; - - std::vector> terms; non_linear_combination() {}; // non_linear_combination(const field_value_type &field_coeff) { - // this->add_term(non_linear_term(field_coeff)); + // this->add_term(non_linear_term(field_coeff)); // } - non_linear_combination(const variable &var) { + non_linear_combination(const VariableType &var) { this->add_term(var); } - non_linear_combination(const non_linear_term &nlt) { + non_linear_combination(const non_linear_term &nlt) { this->add_term(nlt); } - non_linear_combination(const std::vector> &terms) : + non_linear_combination(const std::vector> &terms) : terms(terms) { } @@ -181,76 +171,29 @@ namespace nil { // } /* for supporting range-based for loops over non_linear_combination */ - typename std::vector>::const_iterator begin() const { + typename std::vector>::const_iterator begin() const { return terms.begin(); } - typename std::vector>::const_iterator end() const { + typename std::vector>::const_iterator end() const { return terms.end(); } - void add_term(const variable &var) { - this->terms.emplace_back(non_linear_term(var)); + void add_term(const VariableType &var) { + this->terms.emplace_back(non_linear_term(var)); } - void add_term(const variable &var, + void add_term(const VariableType &var, const field_value_type &field_coeff) { - this->terms.emplace_back(non_linear_term(var) * field_coeff); + this->terms.emplace_back(non_linear_term(var) * field_coeff); } - void add_term(const non_linear_term &nlt) { + void add_term(const non_linear_term &nlt) { this->terms.emplace_back(nlt); } - template - field_value_type - evaluate(std::size_t row_index, - const std::array, WiresAmount> &assignment) const { - field_value_type acc = field_value_type::zero(); - for (const non_linear_term &nlt : terms) { - field_value_type term_value = nlt.coeff; - - for (const variable &var : nlt.vars) { - term_value = term_value * assignment[var.wire_index][row_index + var.rotation]; - } - acc = acc + term_value * nlt.coeff; - } - return acc; - } - - math::polynomial evaluate( - const std::vector> &assignment) const { - math::polynomial acc = {0}; - for (const non_linear_term &nlt : this->terms) { - math::polynomial term_value = {nlt.coeff}; - - for (const variable &var : nlt.vars) { - term_value = term_value * assignment[var.wire_index]; - } - acc = acc + term_value * nlt.coeff; - } - return acc; - } - - field_value_type - evaluate( - evaluation_map &assignment) const { - field_value_type acc = field_value_type::zero(); - for (const non_linear_term &nlt : terms) { - field_value_type term_value = nlt.coeff; - - for (const variable &var : nlt.vars) { - std::pair::rotation_type> key - (var.wire_index, var.rotation); - term_value = term_value * assignment[key]; - } - acc = acc + term_value * nlt.coeff; - } - return acc; - } - - non_linear_combination operator*(const field_value_type &field_coeff) const { + non_linear_combination operator*(const typename VariableType::assignment_type &field_coeff) const { non_linear_combination result; result.terms.reserve(this->terms.size()); - for (const non_linear_term &nlt : this->terms) { + for (const non_linear_term &nlt : this->terms) { result.terms.emplace_back(nlt * field_coeff); } return result; @@ -273,7 +216,7 @@ namespace nil { void sort() { std::sort(terms.begin(), terms.end()); - std::vector> new_terms; + std::vector> new_terms; if (terms.size()) { new_terms.push_back(terms[0]); @@ -297,67 +240,67 @@ namespace nil { } }; - template - non_linear_combination - operator*(const typename FieldType::value_type &field_coeff, - const non_linear_combination &lc) { + template + non_linear_combination + operator*(const typename VariableType::assignment_type &field_coeff, + const non_linear_combination &lc) { return lc * field_coeff; } - template - non_linear_combination - operator*(const non_linear_combination &A, - const non_linear_combination &B) { - non_linear_combination result; + template + non_linear_combination + operator*(const non_linear_combination &A, + const non_linear_combination &B) { + non_linear_combination result; result.terms.reserve(A.terms.size() * B.terms.size()); - for (const non_linear_term &this_nlt : A.terms) { - for (const non_linear_term &other_nlt : B.terms) { + for (const non_linear_term &this_nlt : A.terms) { + for (const non_linear_term &other_nlt : B.terms) { result.terms.emplace_back(this_nlt * other_nlt); } } return result; } - template - non_linear_combination - operator*(const variable &var, - const non_linear_combination &A) { + template + non_linear_combination + operator*(const VariableType &var, + const non_linear_combination &A) { non_linear_combination result; result.terms.reserve(A.terms.size()); - for (const non_linear_term &this_nlt : A.terms) { + for (const non_linear_term &this_nlt : A.terms) { result.terms.emplace_back(this_nlt * var); } return result; } - template - non_linear_combination - operator+(const typename FieldType::value_type &field_coeff, - const non_linear_combination &lc) { - return non_linear_combination(field_coeff) + lc; + template + non_linear_combination + operator+(const typename VariableType::assignment_type &field_coeff, + const non_linear_combination &lc) { + return non_linear_combination(field_coeff) + lc; } - template - non_linear_combination - operator+(const non_linear_combination &lc, - const typename FieldType::value_type &field_coeff) { + template + non_linear_combination + operator+(const non_linear_combination &lc, + const typename VariableType::assignment_type &field_coeff) { return field_coeff + lc; } - template - non_linear_combination - operator-(const typename FieldType::value_type &field_coeff, - const non_linear_combination &lc) { - return non_linear_combination(field_coeff) - lc; + template + non_linear_combination + operator-(const typename VariableType::assignment_type &field_coeff, + const non_linear_combination &lc) { + return non_linear_combination(field_coeff) - lc; } - template - non_linear_combination - operator-(const non_linear_combination &lc, - const typename FieldType::value_type &field_coeff) { + template + non_linear_combination + operator-(const non_linear_combination &lc, + const typename VariableType::assignment_type &field_coeff) { return -(field_coeff - lc); } diff --git a/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp b/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp new file mode 100644 index 000000000..fd2a49ff2 --- /dev/null +++ b/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp @@ -0,0 +1,135 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// Copyright (c) 2022 Ilia Shirobokov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_PLONK_CONSTRAINT_HPP +#define CRYPTO3_ZK_PLONK_CONSTRAINT_HPP + +#include + +#include +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + + /************************* PLONK constraint ***********************************/ + + template> + class plonk_constraint : public non_linear_combination { + + typedef std::map, typename VariableType::assignment_type> evaluation_map; + + public: + + plonk_constraint() : non_linear_combination() {}; + + plonk_constraint(const VariableType &var) : non_linear_combination(var) {} + + plonk_constraint(const non_linear_term &nlt) : non_linear_combination(nlt) {} + + plonk_constraint(const std::vector> &terms) : + non_linear_combination(terms){} + + template + typename VariableType::assignment_type evaluate(std::size_t row_index, + const plonk_assignment_table &assignments) const { + typename VariableType::assignment_type acc = VariableType::assignment_type::zero(); + for (const non_linear_term &nlt : terms) { + typename VariableType::assignment_type term_value = nlt.coeff; + + for (const VariableType &var : nlt.vars) { + + typename VariableType::assignment_type assignment; + switch (var.type){ + case VariableType::column_type::witness: + assignment = assignments.witness(var.index)[row_index + var.rotation]; + case VariableType::column_type::selector: + assignment = assignments.selector(var.index)[row_index + var.rotation]; + case VariableType::column_type::public_input: + assignment = assignments.public_input(var.index)[row_index + var.rotation]; + case VariableType::column_type::constant: + assignment = assignments.constant(var.index)[row_index + var.rotation]; + } + + term_value = term_value * assignment; + } + acc = acc + term_value * nlt.coeff; + } + return acc; + } + + math::polynomial evaluate( + const plonk_polynomial_table &assignment) const { + math::polynomial acc = {0}; + for (const non_linear_term &nlt : this->terms) { + math::polynomial term_value = {nlt.coeff}; + + for (const VariableType &var : nlt.vars) { + + typename VariableType::assignment_type assignment; + switch (var.type){ + case VariableType::column_type::witness: + assignment = assignments.witness(var.index)[row_index + var.rotation]; + case VariableType::column_type::selector: + assignment = assignments.selector(var.index)[row_index + var.rotation]; + case VariableType::column_type::public_input: + assignment = assignments.public_input(var.index)[row_index + var.rotation]; + case VariableType::column_type::constant: + assignment = assignments.constant(var.index)[row_index + var.rotation]; + } + + term_value = term_value * assignment; + } + acc = acc + term_value * nlt.coeff; + } + return acc; + } + + assignment_type evaluate(evaluation_map &assignment) const { + assignment_type acc = assignment_type::zero(); + for (const non_linear_term &nlt : terms) { + assignment_type term_value = nlt.coeff; + + for (const VariableType &var : nlt.vars) { + std::tuple key + = std::make_tuple(var.wire_index, var.rotation, var.type); + term_value = term_value * assignment[key]; + } + acc = acc + term_value * nlt.coeff; + } + return acc; + } + } + + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_PLONK_CONSTRAINT_HPP \ No newline at end of file diff --git a/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp b/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp index f72100eb6..6268031ee 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp @@ -27,22 +27,14 @@ #ifndef CRYPTO3_ZK_PLONK_GATE_HPP #define CRYPTO3_ZK_PLONK_GATE_HPP -#include - #include +#include namespace nil { namespace crypto3 { namespace zk { namespace snark { - /************************* PLONK constraint ***********************************/ - - template - using plonk_constraint = non_linear_combination; - - /************************* PLONK gate ***********************************/ - template struct plonk_gate{ std::size_t selector_index; diff --git a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp index 8c644f537..537da6bf9 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp @@ -58,11 +58,11 @@ namespace nil { public: - plonk_constraint_system() { + plonk_constraint_system(std::vector> gates): gates(gates) { } std::size_t num_gates() const { - return gates_data.size(); + return gates.size(); } // bool diff --git a/include/nil/crypto3/zk/snark/relations/plonk/variable.hpp b/include/nil/crypto3/zk/snark/relations/plonk/variable.hpp new file mode 100644 index 000000000..28907d9ab --- /dev/null +++ b/include/nil/crypto3/zk/snark/relations/plonk/variable.hpp @@ -0,0 +1,144 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2020-2021 Mikhail Komarov +// Copyright (c) 2020-2021 Nikita Kaskov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// +// @file Declaration of interfaces for: +// - a variable (i.e., x_i), +// - a linear term (i.e., a_i * x_i), and +// - a linear combination (i.e., sum_i a_i * x_i). +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_PLONK_VARIABLE_HPP +#define CRYPTO3_ZK_PLONK_VARIABLE_HPP + +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + + /********************************* Variable **********************************/ + + /** + * Forward declaration. + */ + template + struct non_linear_term; + + /** + * Forward declaration. + */ + template + struct non_linear_combination; + + /** + * A variable represents a formal expression of the form "w^{wire_index}_{rotation}". + */ + template + class plonk_variable { + + public: + + using assignment_type = typename FieldType::value_type; + + /** + * Mnemonic typedefs. + */ + enum rotation_type { pre_previous = -2, previous, current, next, after_next } rotation; + enum column_type { wire, selector, public_imput, constant } type; + std::size_t index; + + constexpr variable(const std::size_t wire_index, rotation_type rotation, column_type type) : + wire_index(wire_index), rotation(rotation), type(type) {}; + + non_linear_term> operator^(const std::size_t power) const { + return non_linear_term>(*this) ^ power; + } + + non_linear_term> + operator*(const assignment_type &field_coeff) const { + return non_linear_term>(*this) * field_coeff; + } + + non_linear_term> operator*(const variable &other) const { + return non_linear_term>(*this) * other; + } + + non_linear_combination> + operator+(const non_linear_combination> &other) const { + non_linear_combination> result(other); + + result.add_term(*this); + + return result; + } + + non_linear_combination> + operator-(const non_linear_combination> &other) const { + return (*this) + (-other); + } + + non_linear_combination> + operator-(const assignment_type &field_val) const { + return (*this) - non_linear_combination>(field_val); + } + + non_linear_term> operator-() const { + return non_linear_term>(*this) * (-assignment_type::one()); + } + + bool operator==(const variable &other) const { + return ((this->wire_index == other.wire_index) && (this->rotation == other.rotation)); + } + + bool operator<(const variable &other) const { + return ((this->wire_index < other.wire_index) || + ((this->wire_index == other.wire_index) && (this->rotation < other.rotation))); + } + }; + + template + non_linear_term> operator*(const typename FieldType::value_type &field_coeff, + const plonk_variable &var) { + return var * field_coeff; + } + + template + non_linear_combination> operator+(const typename FieldType::value_type &field_val, + const plonk_variable &var) { + return var + field_val; + } + + template + non_linear_combination> operator-(const typename FieldType::value_type &field_val, + const plonk_variable &var) { + return (-var) + field_val; + } + + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_PLONK_VARIABLE_HPP From e140b9026a4b201077d3334791ec1fb70c252592 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Sat, 26 Feb 2022 15:29:21 +0300 Subject: [PATCH 188/219] Interface-changes related compilation problems resolved. #20 --- .../relations/non_linear_combination.hpp | 6 +-- .../zk/snark/relations/plonk/constraint.hpp | 40 +++++++++-------- .../crypto3/zk/snark/relations/plonk/gate.hpp | 4 +- .../zk/snark/relations/plonk/plonk.hpp | 13 ++---- .../zk/snark/relations/plonk/table.hpp | 43 +++++++++---------- .../zk/snark/relations/plonk/variable.hpp | 20 ++++----- test/systems/plonk/circuits.hpp | 19 +++++--- test/systems/plonk/redshift.cpp | 4 +- 8 files changed, 76 insertions(+), 73 deletions(-) diff --git a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp index 18dc710c5..e59c9e42f 100644 --- a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp +++ b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp @@ -183,7 +183,7 @@ namespace nil { this->terms.emplace_back(non_linear_term(var)); } void add_term(const VariableType &var, - const field_value_type &field_coeff) { + const typename VariableType::assignment_type &field_coeff) { this->terms.emplace_back(non_linear_term(var) * field_coeff); } void add_term(const non_linear_term &nlt) { @@ -211,7 +211,7 @@ namespace nil { return (*this) + (-other); } non_linear_combination operator-() const { - return (*this) * (-field_value_type::one()); + return (*this) * (-VariableType::assignment_type::one()); } void sort() { @@ -266,7 +266,7 @@ namespace nil { non_linear_combination operator*(const VariableType &var, const non_linear_combination &A) { - non_linear_combination result; + non_linear_combination result; result.terms.reserve(A.terms.size()); for (const non_linear_term &this_nlt : A.terms) { diff --git a/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp b/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp index fd2a49ff2..7b68e9ade 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp @@ -31,6 +31,8 @@ #include #include +#include +#include namespace nil { namespace crypto3 { @@ -47,20 +49,20 @@ namespace nil { public: - plonk_constraint() : non_linear_combination() {}; + plonk_constraint() : non_linear_combination() {}; - plonk_constraint(const VariableType &var) : non_linear_combination(var) {} + plonk_constraint(const VariableType &var) : non_linear_combination(var) {} - plonk_constraint(const non_linear_term &nlt) : non_linear_combination(nlt) {} + plonk_constraint(const non_linear_term &nlt) : non_linear_combination(nlt) {} plonk_constraint(const std::vector> &terms) : - non_linear_combination(terms){} + non_linear_combination(terms){} - template + template typename VariableType::assignment_type evaluate(std::size_t row_index, const plonk_assignment_table &assignments) const { typename VariableType::assignment_type acc = VariableType::assignment_type::zero(); - for (const non_linear_term &nlt : terms) { + for (const non_linear_term &nlt : this->terms) { typename VariableType::assignment_type term_value = nlt.coeff; for (const VariableType &var : nlt.vars) { @@ -84,8 +86,9 @@ namespace nil { return acc; } + template math::polynomial evaluate( - const plonk_polynomial_table &assignment) const { + const plonk_polynomial_table &assignments) const { math::polynomial acc = {0}; for (const non_linear_term &nlt : this->terms) { math::polynomial term_value = {nlt.coeff}; @@ -95,13 +98,13 @@ namespace nil { typename VariableType::assignment_type assignment; switch (var.type){ case VariableType::column_type::witness: - assignment = assignments.witness(var.index)[row_index + var.rotation]; + assignment = assignments.witness(var.index); case VariableType::column_type::selector: - assignment = assignments.selector(var.index)[row_index + var.rotation]; + assignment = assignments.selector(var.index); case VariableType::column_type::public_input: - assignment = assignments.public_input(var.index)[row_index + var.rotation]; + assignment = assignments.public_input(var.index); case VariableType::column_type::constant: - assignment = assignments.constant(var.index)[row_index + var.rotation]; + assignment = assignments.constant(var.index); } term_value = term_value * assignment; @@ -111,21 +114,22 @@ namespace nil { return acc; } - assignment_type evaluate(evaluation_map &assignment) const { - assignment_type acc = assignment_type::zero(); - for (const non_linear_term &nlt : terms) { - assignment_type term_value = nlt.coeff; + typename VariableType::assignment_type evaluate(evaluation_map &assignments) const { + typename VariableType::assignment_type acc = VariableType::assignment_type::zero(); + for (const non_linear_term &nlt : this->terms) { + typename VariableType::assignment_type term_value = nlt.coeff; for (const VariableType &var : nlt.vars) { - std::tuple key + std::tuple key = std::make_tuple(var.wire_index, var.rotation, var.type); - term_value = term_value * assignment[key]; + term_value = term_value * assignments[key]; } acc = acc + term_value * nlt.coeff; } return acc; } - } + }; } // namespace snark } // namespace zk diff --git a/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp b/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp index 6268031ee..747762d71 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp @@ -40,12 +40,12 @@ namespace nil { std::size_t selector_index; std::vector> constraints; - plonk_gate_unprocessed(std::size_t selector_index, const snark::plonk_constraint &constraint): + plonk_gate(std::size_t selector_index, const snark::plonk_constraint &constraint): constraints(std::vector> ({constraint})), selector_index(selector_index){ } - plonk_gate_unprocessed(std::size_t selector_index, + plonk_gate(std::size_t selector_index, const std::initializer_list> &&constraints): constraints(constraints), selector_index(selector_index){ diff --git a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp index 537da6bf9..b6feefd8d 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp @@ -37,12 +37,7 @@ #include #include -#include -#include - -#include #include -#include namespace nil { namespace crypto3 { @@ -54,15 +49,15 @@ namespace nil { template class plonk_constraint_system { - std::vector> gates; + std::vector> _gates; public: - plonk_constraint_system(std::vector> gates): gates(gates) { + plonk_constraint_system(std::vector> gates): _gates(gates) { } std::size_t num_gates() const { - return gates.size(); + return _gates.size(); } // bool @@ -78,7 +73,7 @@ namespace nil { // } std::vector> gates() const { - return gates; + return _gates; } std::vector> copy_constraints() const { diff --git a/include/nil/crypto3/zk/snark/relations/plonk/table.hpp b/include/nil/crypto3/zk/snark/relations/plonk/table.hpp index a066f6a1c..e1c3300bb 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/table.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/table.hpp @@ -27,8 +27,6 @@ #ifndef CRYPTO3_ZK_PLONK_REDSHIFT_TABLE_HPP #define CRYPTO3_ZK_PLONK_REDSHIFT_TABLE_HPP -#include - namespace nil { namespace crypto3 { namespace zk { @@ -72,12 +70,13 @@ namespace nil { class plonk_public_table { std::vector selector_columns; - // std::vector public_input_columns; + std::vector public_input_columns; public: - plonk_public_table(std::vector selector_columns): - selector_columns(selector_columns){ + plonk_public_table(std::vector selector_columns, + std::vector public_input_columns): + selector_columns(selector_columns), public_input_columns(public_input_columns){ } ColumnType selector(std::size_t index) const{ @@ -94,9 +93,9 @@ namespace nil { if (index < selector_columns.size()) return selector_columns[index]; index -= selector_columns.size(); - // if (index < public_input_columns.size()) - // return public_input_columns[index]; - // index -= public_input_columns.size(); + if (index < public_input_columns.size()) + return public_input_columns[index]; + index -= public_input_columns.size(); } std::size_t size() const{ @@ -114,46 +113,46 @@ namespace nil { private: - private_table_type private_table; - public_table_type public_table; + private_table_type _private_table; + public_table_type _public_table; public: plonk_table(private_table_type private_table, public_table_type public_table): - private_table(private_table), public_table(public_table){ + _private_table(private_table), _public_table(public_table){ } ColumnType witness(std::size_t index) const{ - return private_table.witness(index); + return _private_table.witness(index); } ColumnType selector(std::size_t index) const{ - return public_table.selector(index); + return _public_table.selector(index); } ColumnType public_input(std::size_t index) const{ - return public_table.public_input(index); + return _public_table.public_input(index); } ColumnType operator[](std::size_t index) const{ - if (index < private_table.size()) - return private_table[index]; - index -= private_table.size(); - if (index < public_table.size()) - return public_table[index]; + if (index < _private_table.size()) + return _private_table[index]; + index -= _private_table.size(); + if (index < _public_table.size()) + return _public_table[index]; } private_table_type private_table() const{ - return private_table; + return _private_table; } public_table_type public_table() const{ - return public_table; + return _public_table; } std::size_t size() const{ - return private_table.size() + public_table.size(); + return _private_table.size() + _public_table.size(); } }; diff --git a/include/nil/crypto3/zk/snark/relations/plonk/variable.hpp b/include/nil/crypto3/zk/snark/relations/plonk/variable.hpp index 28907d9ab..4cd3e1919 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/variable.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/variable.hpp @@ -53,10 +53,10 @@ namespace nil { struct non_linear_combination; /** - * A variable represents a formal expression of the form "w^{wire_index}_{rotation}". + * A variable represents a formal expression of the form "w^{index}_{rotation}" and type type. */ template - class plonk_variable { + class plonk_variable { public: @@ -69,8 +69,8 @@ namespace nil { enum column_type { wire, selector, public_imput, constant } type; std::size_t index; - constexpr variable(const std::size_t wire_index, rotation_type rotation, column_type type) : - wire_index(wire_index), rotation(rotation), type(type) {}; + constexpr plonk_variable(const std::size_t index, rotation_type rotation, column_type type) : + index(index), rotation(rotation), type(type) {}; non_linear_term> operator^(const std::size_t power) const { return non_linear_term>(*this) ^ power; @@ -81,7 +81,7 @@ namespace nil { return non_linear_term>(*this) * field_coeff; } - non_linear_term> operator*(const variable &other) const { + non_linear_term> operator*(const plonk_variable &other) const { return non_linear_term>(*this) * other; } @@ -108,13 +108,13 @@ namespace nil { return non_linear_term>(*this) * (-assignment_type::one()); } - bool operator==(const variable &other) const { - return ((this->wire_index == other.wire_index) && (this->rotation == other.rotation)); + bool operator==(const plonk_variable &other) const { + return ((this->index == other.index) && (this->rotation == other.rotation)); } - bool operator<(const variable &other) const { - return ((this->wire_index < other.wire_index) || - ((this->wire_index == other.wire_index) && (this->rotation < other.rotation))); + bool operator<(const plonk_variable &other) const { + return ((this->index < other.index) || + ((this->index == other.index) && (this->rotation < other.rotation))); } }; diff --git a/test/systems/plonk/circuits.hpp b/test/systems/plonk/circuits.hpp index 73732b5ae..873309c69 100644 --- a/test/systems/plonk/circuits.hpp +++ b/test/systems/plonk/circuits.hpp @@ -36,7 +36,6 @@ #include #include #include -#include #include #include #include @@ -181,9 +180,12 @@ namespace nil { test_circuit.init(); - variable w0(0, variable::rotation_type::current); - variable w1(0, variable::rotation_type::current); - variable w2(0, variable::rotation_type::current); + plonk_variable w0(0, plonk_variable::rotation_type::current, + plonk_variable::column_type::witness); + plonk_variable w1(0, plonk_variable::rotation_type::current, + plonk_variable::column_type::witness); + plonk_variable w2(0, plonk_variable::rotation_type::current, + plonk_variable::column_type::witness); plonk_constraint add_constraint; add_constraint.add_term(w0); @@ -289,9 +291,12 @@ namespace nil { test_circuit.init(); - variable w0(0, variable::rotation_type::current); - variable w1(0, variable::rotation_type::current); - variable w2(0, variable::rotation_type::current); + plonk_variable w0(0, plonk_variable::rotation_type::current, + plonk_variable::column_type::witness); + plonk_variable w1(0, plonk_variable::rotation_type::current, + plonk_variable::column_type::witness); + plonk_variable w2(0, plonk_variable::rotation_type::current, + plonk_variable::column_type::witness); plonk_constraint add_constraint; add_constraint.add_term(w0); diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index 34d9fe909..61aaa0809 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -49,7 +49,6 @@ #include #include #include -#include #include @@ -259,7 +258,8 @@ BOOST_AUTO_TEST_CASE(redshift_gate_argument_test) { typename plonk_constraint::evaluation_map columns_at_y; for (int i = 0; i < table_columns; i++) { - auto key = std::make_pair(i, variable::rotation_type::current); + auto key = std::make_pair(i, plonk_variable::rotation_type::current, + plonk_variable::column_type::witness); columns_at_y[key] = circuit.column_polynomials[i].evaluate(y); } From a7a54025b1f37f2406fb3d9c6793e86484980a9b Mon Sep 17 00:00:00 2001 From: nkaskov Date: Sat, 26 Feb 2022 21:12:57 +0300 Subject: [PATCH 189/219] More interface-changes related compilation problems resolved. #20 --- .../zk/snark/relations/plonk/constraint.hpp | 12 ++-- .../crypto3/zk/snark/relations/plonk/gate.hpp | 6 ++ .../zk/snark/relations/plonk/plonk.hpp | 8 ++- .../zk/snark/relations/plonk/table.hpp | 12 ++++ .../zk/snark/relations/plonk/variable.hpp | 2 +- .../systems/plonk/redshift/gates_argument.hpp | 6 +- .../plonk/redshift/permutation_argument.hpp | 2 +- .../systems/plonk/redshift/preprocessor.hpp | 59 ++++++++----------- .../snark/systems/plonk/redshift/prover.hpp | 2 +- .../zk/snark/systems/plonk/redshift/types.hpp | 2 + test/systems/plonk/circuits.hpp | 59 ++++++++++++------- test/systems/plonk/redshift.cpp | 27 ++++----- 12 files changed, 117 insertions(+), 80 deletions(-) diff --git a/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp b/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp index 7b68e9ade..175b51150 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp @@ -38,15 +38,19 @@ namespace nil { namespace crypto3 { namespace zk { namespace snark { + namespace detail { + + template + using plonk_evaluation_map = std::map, typename VariableType::assignment_type>; + + } // namespace detail /************************* PLONK constraint ***********************************/ template> class plonk_constraint : public non_linear_combination { - typedef std::map, typename VariableType::assignment_type> evaluation_map; - public: plonk_constraint() : non_linear_combination() {}; @@ -114,7 +118,7 @@ namespace nil { return acc; } - typename VariableType::assignment_type evaluate(evaluation_map &assignments) const { + typename VariableType::assignment_type evaluate(detail::plonk_evaluation_map &assignments) const { typename VariableType::assignment_type acc = VariableType::assignment_type::zero(); for (const non_linear_term &nlt : this->terms) { typename VariableType::assignment_type term_value = nlt.coeff; diff --git a/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp b/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp index 747762d71..ed32d2a21 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp @@ -50,6 +50,12 @@ namespace nil { constraints(constraints), selector_index(selector_index){ } + + plonk_gate(std::size_t selector_index, + const std::vector> &constraints): + constraints(constraints), + selector_index(selector_index){ + } }; } // namespace snark diff --git a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp index b6feefd8d..9ab1355b3 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp @@ -50,16 +50,22 @@ namespace nil { class plonk_constraint_system { std::vector> _gates; + std::size_t _rows_amount; public: - plonk_constraint_system(std::vector> gates): _gates(gates) { + plonk_constraint_system(std::vector> gates, std::size_t rows_amount): + _gates(gates), _rows_amount(rows_amount) { } std::size_t num_gates() const { return _gates.size(); } + std::size_t rows_amount() const { + return _rows_amount; + } + // bool // is_satisfied(plonk_variable_assignment full_variable_assignment) const { diff --git a/include/nil/crypto3/zk/snark/relations/plonk/table.hpp b/include/nil/crypto3/zk/snark/relations/plonk/table.hpp index e1c3300bb..384ac18e3 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/table.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/table.hpp @@ -53,6 +53,10 @@ namespace nil { return witness_columns[index]; } + std::array witnesses() const{ + return witness_columns; + } + ColumnType operator[](std::size_t index) const{ if (index < PlonkParams::witness_columns) return witness_columns[index]; @@ -84,11 +88,19 @@ namespace nil { return selector_columns[index]; } + std::vector selectors() const{ + return selector_columns; + } + ColumnType public_input(std::size_t index) const{ assert(index < public_input_columns.size()); return public_input_columns[index]; } + std::vector public_inputs() const{ + return public_input_columns; + } + ColumnType operator[](std::size_t index) const{ if (index < selector_columns.size()) return selector_columns[index]; diff --git a/include/nil/crypto3/zk/snark/relations/plonk/variable.hpp b/include/nil/crypto3/zk/snark/relations/plonk/variable.hpp index 4cd3e1919..8d9c13857 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/variable.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/variable.hpp @@ -66,7 +66,7 @@ namespace nil { * Mnemonic typedefs. */ enum rotation_type { pre_previous = -2, previous, current, next, after_next } rotation; - enum column_type { wire, selector, public_imput, constant } type; + enum column_type { witness, selector, public_input, constant } type; std::size_t index; constexpr plonk_variable(const std::size_t index, rotation_type rotation, column_type type) : diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp index 4497c4087..e4952ff00 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp @@ -63,7 +63,7 @@ namespace nil { static inline std::array, argument_size> prove_eval(typename types_policy::constraint_system_type &constraint_system, - const std::vector> &column_polynomials, + const plonk_polynomial_table &column_polynomials, fiat_shamir_heuristic_updated &transcript) { typename FieldType::value_type theta = transcript.template challenge(); @@ -73,7 +73,7 @@ namespace nil { typename FieldType::value_type theta_acc = FieldType::value_type::one(); - std::vector> &gates = constraint_system.gates; + const std::vector> gates = constraint_system.gates; for (std::size_t i = 0; i < gates.size(); i++) { math::polynomial gate_result = {0}; @@ -93,7 +93,7 @@ namespace nil { static inline std::array verify_eval(const std::vector> &gates, - typename plonk_constraint::evaluation_map &evaluations, + typename types_policy::evaluation_map &evaluations, typename FieldType::value_type challenge, fiat_shamir_heuristic_updated &transcript) { typename FieldType::value_type theta = transcript.template challenge(); diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp index 831470311..3167d3c69 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp @@ -70,7 +70,7 @@ namespace nil { prove_eval(fiat_shamir_heuristic_updated &transcript, const typename types_policy::preprocessed_public_data_type preprocessed_data, const typename types_policy::template circuit_short_description &short_description, - const std::vector> &column_polynomials, + const plonk_polynomial_table &column_polynomials, typename fri_type::params_type fri_params) { const std::vector> &S_sigma = preprocessed_data.permutation_polynomials; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp index 6dc6a11f8..644721f55 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp @@ -188,46 +188,38 @@ namespace nil { const typename types_policy::variable_assignment_type::public_table_type &public_assignment, typename types_policy::template circuit_short_description &short_description) { - typename types_policy::preprocessed_public_data_type data; + std::size_t N_rows = constraint_system.rows_amount(); - std::size_t N_rows = constraint_system.rows_amount; + std::shared_ptr> basic_domain = math::make_evaluation_domain(N_rows); - data.basic_domain = math::make_evaluation_domain(N_rows); + std::vector> _permutation_polynomials = permutation_polynomials(short_description.columns_with_copy_constraints.size(), + short_description.table_rows, basic_domain->get_domain_element(1), short_description.delta, + short_description.permutation, basic_domain); - data.permutation_polynomials = permutation_polynomials(short_description.columns_with_copy_constraints.size(), - short_description.table_rows, data.basic_domain->get_domain_element(1), short_description.delta, - short_description.permutation, data.basic_domain); + std::vector> _identity_polynomials = identity_polynomials(short_description.columns_with_copy_constraints.size(), + short_description.table_rows, basic_domain->get_domain_element(1), + short_description.delta, basic_domain); - data.identity_polynomials = identity_polynomials(short_description.columns_with_copy_constraints.size(), - short_description.table_rows, data.basic_domain->get_domain_element(1), - short_description.delta, data.basic_domain); + math::polynomial lagrange_0 = lagrange_polynomial(basic_domain, 0); - data.lagrange_0 = lagrange_polynomial(data.basic_domain, 0); + math::polynomial q_last = selector_last(short_description.table_rows, short_description.usable_rows, basic_domain); + math::polynomial q_blind = selector_blind(short_description.table_rows, short_description.usable_rows, basic_domain); - data.q_last = selector_last(short_description.table_rows, short_description.usable_rows, data.basic_domain); - data.q_blind = selector_blind(short_description.table_rows, short_description.usable_rows, data.basic_domain); - - data.public_polynomial_table = detail::column_range_polynomials(short_description.table_rows, public_assignment.selectors(), data.basic_domain); + plonk_public_polynomial_table public_polynomial_table = plonk_public_polynomial_table( + detail::column_range_polynomials(public_assignment.selectors(), basic_domain), + detail::column_range_polynomials(public_assignment.public_inputs(), basic_domain)); std::vector z_numenator(N_rows + 1); z_numenator[0] = -FieldType::value_type::one(); z_numenator[N_rows] = FieldType::value_type::one(); - data.Z = z_numenator; + math::polynomial Z = z_numenator; math::polynomial z_denominator = {-FieldType::value_type::one(), FieldType::value_type::one()}; - data.Z = data.Z / z_denominator; - - /*data.omega = math::unity_root(math::detail::power_of_two(k)); - data.Z = {1}; - // data.selectors = constraint_system.selectors(); - // ... copy_constraints = constraint_system.copy_constraints(); - - // data.permutations = ...(copy_constraints); - // data.identity_permutations = ...(copy_constraints); + Z = Z / z_denominator; - // data.Lagrange_basis = math::polynomial::Lagrange_basis(data.omega, ...(assignments).n);*/ - - return data; + return typename types_policy::preprocessed_public_data_type({basic_domain, + public_polynomial_table, _permutation_polynomials, _identity_polynomials, + lagrange_0, q_last, q_blind, Z}); } }; @@ -243,15 +235,16 @@ namespace nil { const typename types_policy::variable_assignment_type::private_table_type &private_assignment, typename types_policy::template circuit_short_description &short_description) { - typename types_policy::preprocessed_private_data_type data; - - std::size_t N_rows = constraint_system.rows_amount; + std::size_t N_rows = constraint_system.rows_amount(); - data.basic_domain = math::make_evaluation_domain(N_rows); + std::shared_ptr> basic_domain = math::make_evaluation_domain(N_rows); - data.private_polynomial_table = detail::column_range_polynomials(N_rows, private_assignment.witnesses(), data.basic_domain); + plonk_private_polynomial_table private_polynomial_table = + plonk_private_polynomial_table( + detail::column_range_polynomials(private_assignment.witnesses(), basic_domain)); - return data; + return typename types_policy::preprocessed_private_data_type({basic_domain, + private_polynomial_table}); } }; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index c9925fd6f..70fce8d21 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -133,7 +133,7 @@ namespace nil { // 2. Commit witness columns std::array, witness_columns> witness_poly = - preprocessed_private_data.witnesses; + preprocessed_private_data.private_polynomial_table.witnesses(); std::array witness_commitments = lpc_witness::template commit(witness_poly, fri_params.D[0]); diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp index 456fa0db5..9893523ae 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp @@ -64,6 +64,8 @@ namespace nil { typedef plonk_assignment_table variable_assignment_type; + typedef detail::plonk_evaluation_map> evaluation_map; + /*********************************** Proof ***********************************/ /** diff --git a/test/systems/plonk/circuits.hpp b/test/systems/plonk/circuits.hpp index 873309c69..6ef9d8d79 100644 --- a/test/systems/plonk/circuits.hpp +++ b/test/systems/plonk/circuits.hpp @@ -36,6 +36,7 @@ #include #include #include +#include #include #include #include @@ -120,6 +121,7 @@ namespace nil { constexpr static const std::size_t rows_log = 4; constexpr static const std::size_t table_columns = 3; constexpr static const std::size_t witness_columns = 3; + std::size_t selectors_columns = 2; constexpr static const std::size_t public_columns = 0; constexpr static const std::size_t permutation = 3; constexpr static const std::size_t usable = 1 << rows_log; @@ -165,18 +167,31 @@ namespace nil { test_circuit.column_polynomials[i] = math::polynomial(table[i]); } - - test_circuit.table = table; + std::array, witness_columns> private_assignment; for (std::size_t i = 0; i < witness_columns; i++) { for (std::size_t j = 0; j < test_circuit.table_rows; j++) { - test_circuit.table.private_assignment.witnesses[i][j] = table[i][j]; + private_assignment[i][j] = table[i][j]; } } + + std::vector> selectors_assignment(selectors_columns); + std::vector> public_input_assignment(public_columns); + for (std::size_t j = 0; j < test_circuit.table_rows; j++) { + selectors_assignment[0][j] = q_add[j]; + selectors_assignment[1][j] = q_mul[j]; + } + for (std::size_t i = 0; i < public_columns; i++) { for (std::size_t j = 0; j < test_circuit.table_rows; j++) { - test_circuit.table.public_assignment.public_input[i][j] = table[witness_columns + i][j]; + public_input_assignment[i][j] = table[witness_columns + i][j]; } } + + test_circuit.table = plonk_assignment_table( + plonk_private_assignment_table(private_assignment), + plonk_public_assignment_table(selectors_assignment, + public_input_assignment)); + test_circuit.init(); @@ -192,20 +207,16 @@ namespace nil { add_constraint.add_term(w1); add_constraint.add_term(-w2); - test_circuit.domain->inverse_fft(q_add); - math::polynomial add_selector(q_add); std::vector> add_gate_costraints {add_constraint}; - plonk_gate add_gate (add_selector, add_gate_costraints); + plonk_gate add_gate (0, add_gate_costraints); test_circuit.gates.push_back(add_gate); plonk_constraint mul_constraint; add_constraint.add_term(w0 * w1); add_constraint.add_term(-w2); - test_circuit.domain->inverse_fft(q_mul); - math::polynomial mul_selector(q_mul); std::vector> mul_gate_costraints {mul_constraint}; - plonk_gate mul_gate (mul_selector, mul_gate_costraints); + plonk_gate mul_gate (1, mul_gate_costraints); test_circuit.gates.push_back(mul_gate); return test_circuit; @@ -229,6 +240,7 @@ namespace nil { constexpr static const std::size_t rows_log = 4; constexpr static const std::size_t table_columns = 4; constexpr static const std::size_t witness_columns = 3; + std::size_t selectors_columns = 2; constexpr static const std::size_t public_columns = 1; constexpr static const std::size_t permutation = 4; constexpr static const std::size_t usable = 1 << rows_log; @@ -281,15 +293,26 @@ namespace nil { test_circuit.column_polynomials[i] = math::polynomial(table[i]); } + std::array, witness_columns> private_assignment; for (std::size_t i = 0; i < witness_columns; i++) { - test_circuit.table.private_assignment.witnesses[i] = table[i]; + private_assignment[i] = table[i]; } - for (std::size_t i = 0; i < public_columns; i++) { - test_circuit.table.public_assignment.public_input[i] = table[witness_columns + i]; + + std::vector> selectors_assignment(selectors_columns); + std::vector> public_input_assignment(public_columns); + + selectors_assignment[0] = q_add; + selectors_assignment[1] = q_mul; + + for (std::size_t i = selectors_columns; i < selectors_columns + public_columns; i++) { + public_input_assignment[i] = table[witness_columns + i]; } + test_circuit.table = plonk_assignment_table( + plonk_private_assignment_table(private_assignment), + plonk_public_assignment_table(selectors_assignment, + public_input_assignment)); test_circuit.init(); - plonk_variable w0(0, plonk_variable::rotation_type::current, plonk_variable::column_type::witness); @@ -303,20 +326,16 @@ namespace nil { add_constraint.add_term(w1); add_constraint.add_term(-w2); - test_circuit.domain->inverse_fft(q_add); - math::polynomial add_selector(q_add); std::vector> add_gate_costraints {add_constraint}; - plonk_gate add_gate (add_selector, add_gate_costraints); + plonk_gate add_gate (0, add_gate_costraints); test_circuit.gates.push_back(add_gate); plonk_constraint mul_constraint; add_constraint.add_term(w0 * w1); add_constraint.add_term(-w2); - test_circuit.domain->inverse_fft(q_mul); - math::polynomial mul_selector(q_mul); std::vector> mul_gate_costraints {mul_constraint}; - plonk_gate mul_gate (mul_selector, mul_gate_costraints); + plonk_gate mul_gate (1, mul_gate_costraints); test_circuit.gates.push_back(mul_gate); return test_circuit; diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index 61aaa0809..208f63144 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -118,8 +118,7 @@ BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { typename fri_type::params_type fri_params = create_fri_params(table_rows_log); - typename types_policy::constraint_system_type constraint_system; - constraint_system.rows_amount = table_rows; + typename types_policy::constraint_system_type constraint_system({}, table_rows); typename types_policy::variable_assignment_type assigments = circuit.table; @@ -131,11 +130,10 @@ BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { short_description.permutation = circuit.permutation; typename types_policy::preprocessed_public_data_type preprocessed_data_public = - redshift_public_preprocessor::process(constraint_system, assigments.public_assignment, short_description); + redshift_public_preprocessor::process(constraint_system, assigments.public_table(), short_description); typename types_policy::preprocessed_private_data_type preprocessed_data_private = - redshift_private_preprocessor::process(constraint_system, assigments.private_assignment, short_description); - + redshift_private_preprocessor::process(constraint_system, assigments.private_table(), short_description); auto proof = redshift_prover::process( preprocessed_data_public, preprocessed_data_private, constraint_system, assigments, short_description, fri_params); @@ -159,8 +157,7 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { typename fri_type::params_type fri_params = create_fri_params(table_rows_log); - typename types_policy::constraint_system_type constraint_system; - constraint_system.rows_amount = table_rows; + typename types_policy::constraint_system_type constraint_system({}, table_rows); typename types_policy::variable_assignment_type assigments = circuit.table; types_policy::circuit_short_description short_description; @@ -171,10 +168,10 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { short_description.permutation = circuit.permutation; typename types_policy::preprocessed_public_data_type preprocessed_data_public = - redshift_public_preprocessor::process(constraint_system, assigments.public_assignment, short_description); + redshift_public_preprocessor::process(constraint_system, assigments.public_table(), short_description); typename types_policy::preprocessed_private_data_type preprocessed_data_private = - redshift_private_preprocessor::process(constraint_system, assigments.private_assignment, short_description); + redshift_private_preprocessor::process(constraint_system, assigments.private_table(), short_description); std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; fiat_shamir_heuristic_updated prover_transcript(init_blob); @@ -228,9 +225,7 @@ BOOST_AUTO_TEST_CASE(redshift_gate_argument_test) { typename fri_type::params_type fri_params = create_fri_params(table_rows_log); - typename types_policy::constraint_system_type constraint_system; - constraint_system.rows_amount = table_rows; - constraint_system.gates = circuit.gates; + typename types_policy::constraint_system_type constraint_system(circuit.gates, table_rows); typename types_policy::variable_assignment_type assigments = circuit.table; types_policy::circuit_short_description short_description; @@ -241,10 +236,10 @@ BOOST_AUTO_TEST_CASE(redshift_gate_argument_test) { short_description.permutation = circuit.permutation; typename types_policy::preprocessed_public_data_type preprocessed_data_public = - redshift_public_preprocessor::process(constraint_system, assigments.public_assignment, short_description); + redshift_public_preprocessor::process(constraint_system, assigments.public_table(), short_description); typename types_policy::preprocessed_private_data_type preprocessed_data_private = - redshift_private_preprocessor::process(constraint_system, assigments.private_assignment, short_description); + redshift_private_preprocessor::process(constraint_system, assigments.private_table(), short_description); std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; fiat_shamir_heuristic_updated prover_transcript(init_blob); @@ -256,9 +251,9 @@ BOOST_AUTO_TEST_CASE(redshift_gate_argument_test) { // Challenge phase typename FieldType::value_type y = algebra::random_element(); - typename plonk_constraint::evaluation_map columns_at_y; + typename types_policy::evaluation_map columns_at_y; for (int i = 0; i < table_columns; i++) { - auto key = std::make_pair(i, plonk_variable::rotation_type::current, + auto key = std::make_tuple(i, plonk_variable::rotation_type::current, plonk_variable::column_type::witness); columns_at_y[key] = circuit.column_polynomials[i].evaluate(y); } From c9727bdcdaa85a17e0cf40b6a643d23f0a339817 Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Sat, 26 Feb 2022 23:33:33 +0300 Subject: [PATCH 190/219] Minor refactoring done #20 --- .../zk/snark/commitments/batched_kate.hpp | 69 ------ .../{fri_commitment.hpp => fri.hpp} | 11 +- .../commitment.hpp => commitments/kzg.hpp} | 32 +-- ...list_polynomial_commitment.hpp => lpc.hpp} | 63 +++-- .../commitments/{pickles.hpp => pedersen.hpp} | 3 +- .../zk/snark/relations/linear_combination.hpp | 24 +- .../relations/non_linear_combination.hpp | 41 ++-- .../zk/snark/relations/plonk/constraint.hpp | 38 +-- .../crypto3/zk/snark/relations/plonk/gate.hpp | 14 +- .../zk/snark/relations/plonk/permutation.hpp | 5 +- .../zk/snark/relations/plonk/plonk.hpp | 3 +- .../zk/snark/relations/plonk/table.hpp | 117 ++++------ .../zk/snark/relations/plonk/variable.hpp | 14 +- .../zk/snark/systems/plonk/kate/verifier.hpp | 2 +- .../zk/snark/systems/plonk/pickles/proof.hpp | 4 +- .../{types.hpp => detail/redshift_policy.hpp} | 27 ++- .../systems/plonk/redshift/gates_argument.hpp | 38 ++- .../systems/plonk/redshift/generator.hpp | 12 +- .../snark/systems/plonk/redshift/params.hpp | 22 +- .../plonk/redshift/permutation_argument.hpp | 79 ++++--- .../systems/plonk/redshift/preprocessor.hpp | 216 ++++++++++-------- .../zk/snark/systems/plonk/redshift/proof.hpp | 6 +- .../snark/systems/plonk/redshift/prover.hpp | 214 ++++++++++------- .../snark/systems/plonk/redshift/verifier.hpp | 65 +++--- .../r1cs_gg_ppzksnark/ipp2/proof.hpp | 7 +- .../r1cs_gg_ppzksnark/ipp2/prover.hpp | 38 ++- .../ppzksnark/r1cs_gg_ppzksnark/ipp2/srs.hpp | 4 +- .../r1cs_gg_ppzksnark/ipp2/transcript.hpp | 4 +- .../systems/ppzksnark/r1cs_se_ppzksnark.hpp | 2 +- .../r1cs_se_ppzksnark/detail/basic_policy.hpp | 2 +- .../ppzksnark/r1cs_se_ppzksnark/generator.hpp | 4 +- .../ppzksnark/r1cs_se_ppzksnark/prover.hpp | 2 +- .../ppzksnark/r1cs_se_ppzksnark/verifier.hpp | 6 +- .../zk/snark/transcript/fiat_shamir.hpp | 37 +-- test/commitment/fri.cpp | 10 +- test/commitment/lpc.cpp | 8 +- test/commitment/lpc_performance.cpp | 8 +- test/systems/plonk/circuits.hpp | 120 +++++----- test/systems/plonk/redshift.cpp | 119 +++++----- ...cs_gg_ppzksnark_aggregation_conformity.cpp | 13 +- test/transcript/transcript.cpp | 2 +- 41 files changed, 754 insertions(+), 751 deletions(-) delete mode 100644 include/nil/crypto3/zk/snark/commitments/batched_kate.hpp rename include/nil/crypto3/zk/snark/commitments/{fri_commitment.hpp => fri.hpp} (98%) rename include/nil/crypto3/zk/snark/{systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/commitment.hpp => commitments/kzg.hpp} (93%) rename include/nil/crypto3/zk/snark/commitments/{list_polynomial_commitment.hpp => lpc.hpp} (81%) rename include/nil/crypto3/zk/snark/commitments/{pickles.hpp => pedersen.hpp} (97%) rename include/nil/crypto3/zk/snark/systems/plonk/redshift/{types.hpp => detail/redshift_policy.hpp} (88%) diff --git a/include/nil/crypto3/zk/snark/commitments/batched_kate.hpp b/include/nil/crypto3/zk/snark/commitments/batched_kate.hpp deleted file mode 100644 index a950ba5cb..000000000 --- a/include/nil/crypto3/zk/snark/commitments/batched_kate.hpp +++ /dev/null @@ -1,69 +0,0 @@ -//---------------------------------------------------------------------------// -// Copyright (c) 2021 Mikhail Komarov -// Copyright (c) 2021 Nikita Kaskov -// -// MIT License -// -// Permission is hereby granted, free of charge, to any person obtaining a copy -// of this software and associated documentation files (the "Software"), to deal -// in the Software without restriction, including without limitation the rights -// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -// copies of the Software, and to permit persons to whom the Software is -// furnished to do so, subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -// SOFTWARE. -//---------------------------------------------------------------------------// - -#ifndef CRYPTO3_ZK_BATCHED_KATE_COMMITMENT_SCHEME_HPP -#define CRYPTO3_ZK_BATCHED_KATE_COMMITMENT_SCHEME_HPP - -#include - -namespace nil { - namespace crypto3 { - namespace zk { - namespace snark { - - /** - * @brief Based on the Ploynomial Commitment description from \[Plonk]. - * - * References: - * \[Plonk]: - * "PlonK: Permutations over Lagrange-bases for - * Oecumenical Noninteractive arguments of Knowledge", - * Ariel Gabizon, Zachary J. Williamson, Oana Ciobotaru, - * Aztec, - * - */ - class batched_kate_commitment_scheme : commitment_scheme<...> { - typedef TCommitment...; - typedef TDecommitmentInfo...; - typedef TSRS...; - typedef TData...; - - public: - virtual std::pair commit(TSRS PK, TData phi) { - } - - virtual... open(TSRS PK, TCommitment C, TData phi, TDecommitmentInfo d) { - } - - virtual bool verify(TSRS PK, TCommitment C, TData phi, TDecommitmentInfo d) { - } - }; - - } // namespace snark - } // namespace zk - } // namespace crypto3 -} // namespace nil - -#endif // CRYPTO3_ZK_BATCHED_KATE_COMMITMENT_SCHEME_HPP diff --git a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/fri.hpp similarity index 98% rename from include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp rename to include/nil/crypto3/zk/snark/commitments/fri.hpp index 46a2d734e..3fca563f0 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/fri.hpp @@ -34,8 +34,8 @@ #include #include -#include -#include +#include +#include #include @@ -177,7 +177,7 @@ namespace nil { static proof_type proof_eval(const math::polynomial &Q, const math::polynomial &g, merkle_tree_type &T, - fiat_shamir_heuristic_updated &transcript, + fiat_shamir_heuristic_sequential &transcript, const params_type &fri_params) { proof_type proof; @@ -280,7 +280,7 @@ namespace nil { } static bool verify_eval(proof_type &proof, - fiat_shamir_heuristic_updated &transcript, + fiat_shamir_heuristic_sequential &transcript, params_type &fri_params, const math::polynomial &U, const math::polynomial &V) { @@ -356,7 +356,8 @@ namespace nil { x = x_next; } - if (proof.final_polynomial.degree() > std::pow(2, std::log2(fri_params.max_degree + 1) - r) - 1) { + if (proof.final_polynomial.degree() > + std::pow(2, std::log2(fri_params.max_degree + 1) - r) - 1) { return false; } if (proof.final_polynomial.evaluate(x) != proof.round_proofs[r - 1].colinear_value) { diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/commitment.hpp b/include/nil/crypto3/zk/snark/commitments/kzg.hpp similarity index 93% rename from include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/commitment.hpp rename to include/nil/crypto3/zk/snark/commitments/kzg.hpp index 9105f5b85..53233e57e 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/kzg.hpp @@ -70,6 +70,11 @@ namespace nil { namespace crypto3 { namespace zk { namespace snark { + /// KZGOpening represents the KZG opening of a commitment key (which is a tuple + /// given commitment keys are a tuple). + template + using kzg_opening = std::pair; + /// Both commitment outputs a pair of $F_q^k$ element. template using r1cs_gg_ppzksnark_ipp2_commitment_output = @@ -78,7 +83,7 @@ namespace nil { /// Key is a generic commitment key that is instantiated with g and h as basis, /// and a and b as powers. template - struct r1cs_gg_ppzksnark_ipp2_commitment_key { + struct kzg_commitment_key { typedef GroupType group_type; typedef typename group_type::curve_type curve_type; typedef typename curve_type::scalar_field_type field_type; @@ -105,11 +110,11 @@ namespace nil { typename InputIterator, typename ValueType = typename std::iterator_traits::value_type, typename std::enable_if::value, bool>::type = true> - r1cs_gg_ppzksnark_ipp2_commitment_key scale(InputIterator s_first, + kzg_commitment_key scale(InputIterator s_first, InputIterator s_last) const { BOOST_ASSERT(has_correct_len(std::distance(s_first, s_last))); - r1cs_gg_ppzksnark_ipp2_commitment_key result; + kzg_commitment_key result; std::for_each(boost::make_zip_iterator(boost::make_tuple(s_first, a.begin(), b.begin())), boost::make_zip_iterator(boost::make_tuple(s_last, a.end(), b.end())), [&](const boost::tuple, - r1cs_gg_ppzksnark_ipp2_commitment_key> + std::pair, kzg_commitment_key> split(std::size_t at) const { BOOST_ASSERT(a.size() == b.size()); BOOST_ASSERT(at > 0 && at < a.size()); - r1cs_gg_ppzksnark_ipp2_commitment_key result_l; - r1cs_gg_ppzksnark_ipp2_commitment_key result_r; + kzg_commitment_key result_l; + kzg_commitment_key result_r; auto a_it = a.begin(); auto b_it = b.begin(); @@ -152,14 +156,14 @@ namespace nil { /// Takes a left and right commitment key and returns a commitment /// key $left \circ right^{scale} = (left_i*right_i^{scale} ...)$. This is /// required step during GIPA recursion. - r1cs_gg_ppzksnark_ipp2_commitment_key - compress(const r1cs_gg_ppzksnark_ipp2_commitment_key &right, + kzg_commitment_key + compress(const kzg_commitment_key &right, const field_value_type &scale) const { BOOST_ASSERT(a.size() == right.a.size()); BOOST_ASSERT(b.size() == right.b.size()); BOOST_ASSERT(a.size() == b.size()); - r1cs_gg_ppzksnark_ipp2_commitment_key result; + kzg_commitment_key result; std::for_each( boost::make_zip_iterator( @@ -186,18 +190,16 @@ namespace nil { /// well as in the "pair" commitment. /// It contains $\{h^a^i\}_{i=1}^n$ and $\{h^b^i\}_{i=1}^n$ template - using r1cs_gg_ppzksnark_ipp2_vkey = - r1cs_gg_ppzksnark_ipp2_commitment_key>; + using r1cs_gg_ppzksnark_ipp2_vkey = kzg_commitment_key>; /// Commitment key used by the "pair" commitment. Note the sequence of /// powers starts at $n$ already. /// It contains $\{g^{a^{n+i}}\}_{i=1}^n$ and $\{g^{b^{n+i}}\}_{i=1}^n$ template - using r1cs_gg_ppzksnark_ipp2_wkey = - r1cs_gg_ppzksnark_ipp2_commitment_key>; + using r1cs_gg_ppzksnark_ipp2_wkey = kzg_commitment_key>; template - struct r1cs_gg_ppzksnark_ipp2_commitment { + struct kzg_commitment { typedef CurveType curve_type; typedef algebra::pairing::pairing_policy pairing; diff --git a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp b/include/nil/crypto3/zk/snark/commitments/lpc.hpp similarity index 81% rename from include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp rename to include/nil/crypto3/zk/snark/commitments/lpc.hpp index eb53b66cc..641021e64 100644 --- a/include/nil/crypto3/zk/snark/commitments/list_polynomial_commitment.hpp +++ b/include/nil/crypto3/zk/snark/commitments/lpc.hpp @@ -30,25 +30,24 @@ #include #include -#include -#include +#include +#include #include -#include +#include namespace nil { namespace crypto3 { namespace zk { namespace snark { - - template , - typename TranscriptHashType = hashes::keccak_1600<512>, - std::size_t Lambda = 40, - std::size_t R = 1, - std::size_t M = 2> + template struct list_polynomial_commitment_params { - using merkle_hash_type = MerkleTreeHashType; - using transcript_hash_type = TranscriptHashType; + typedef MerkleTreeHashType merkle_hash_type; + typedef TranscriptHashType transcript_hash_type; constexpr static const std::size_t lambda = Lambda; constexpr static const std::size_t r = R; @@ -68,9 +67,7 @@ namespace nil { * Matter Labs, * */ - template + template struct list_polynomial_commitment_scheme { using merkle_hash_type = typename LPCParams::merkle_hash_type; @@ -129,41 +126,42 @@ namespace nil { return fri_type::commit(poly, domain); } - template - static std::array - commit(std::array, list_size> &poly, - const std::shared_ptr> &domain) { - std::array commits; - for (std::size_t i = 0; i < list_size; i++) { - commits[i] = fri_type::commit(poly[i], domain); - } - return commits; + template + static std::array + commit(std::array, list_size> &poly, + const std::shared_ptr> &domain) { + std::array commits; + for (std::size_t i = 0; i < list_size; i++) { + commits[i] = fri_type::commit(poly[i], domain); + } + return commits; } static proof_type proof_eval(const std::array &evaluation_points, merkle_tree_type &T, const math::polynomial &g, - fiat_shamir_heuristic_updated &transcript, + fiat_shamir_heuristic_sequential &transcript, const typename fri_type::params_type &fri_params) { std::array z; std::array p; std::array, k> U_interpolation_points; - + for (std::size_t j = 0; j < k; j++) { - z[j] = g.evaluate(evaluation_points[j]); // transform to point-representation - U_interpolation_points[j] = std::make_pair(evaluation_points[j], z[j]); // prepare points for interpolation + z[j] = g.evaluate(evaluation_points[j]); // transform to point-representation + U_interpolation_points[j] = + std::make_pair(evaluation_points[j], z[j]); // prepare points for interpolation } - math::polynomial U = - math::lagrange_interpolation(U_interpolation_points); // k is small => iterpolation goes fast + math::polynomial U = math::lagrange_interpolation( + U_interpolation_points); // k is small => iterpolation goes fast math::polynomial Q = (g - U); for (std::size_t j = 0; j < k; j++) { math::polynomial denominator_polynom = { -evaluation_points[j], 1}; - Q = Q / denominator_polynom; // polynomial divison + Q = Q / denominator_polynom; // polynomial divison } // temporary definition, until polynomial is constexpr @@ -172,7 +170,8 @@ namespace nil { std::array fri_proof; for (std::size_t round_id = 0; round_id <= lambda - 1; round_id++) { - fri_proof[round_id] = fri_type::proof_eval(Q, g, T, transcript, fri_params); // fri_commitment.hpp + fri_proof[round_id] = + fri_type::proof_eval(Q, g, T, transcript, fri_params); // fri_commitment_scheme.hpp } return proof_type({z, T.root(), fri_proof}); @@ -180,7 +179,7 @@ namespace nil { static bool verify_eval(const std::array &evaluation_points, proof_type &proof, - fiat_shamir_heuristic_updated &transcript, + fiat_shamir_heuristic_sequential &transcript, typename fri_type::params_type fri_params) { std::array, k> U_interpolation_points; diff --git a/include/nil/crypto3/zk/snark/commitments/pickles.hpp b/include/nil/crypto3/zk/snark/commitments/pedersen.hpp similarity index 97% rename from include/nil/crypto3/zk/snark/commitments/pickles.hpp rename to include/nil/crypto3/zk/snark/commitments/pedersen.hpp index 2ed948f41..d0c9119a3 100644 --- a/include/nil/crypto3/zk/snark/commitments/pickles.hpp +++ b/include/nil/crypto3/zk/snark/commitments/pedersen.hpp @@ -32,9 +32,8 @@ namespace nil { namespace crypto3 { namespace zk { namespace snark { - template - class pickles_commitment_scheme { + class pedersen_commitment_scheme { public: typedef typename CurveType::scalar_field_type::value_type evaluation_type; typedef typename CurveType::template g1_type<>::value_type commitment_type; diff --git a/include/nil/crypto3/zk/snark/relations/linear_combination.hpp b/include/nil/crypto3/zk/snark/relations/linear_combination.hpp index f75a3477b..920e8706f 100644 --- a/include/nil/crypto3/zk/snark/relations/linear_combination.hpp +++ b/include/nil/crypto3/zk/snark/relations/linear_combination.hpp @@ -145,9 +145,11 @@ namespace nil { } terms = all_terms; - std::sort(terms.begin(), terms.end(), - [](linear_term a, - linear_term b) { return a.index < b.index; }); + std::sort( + terms.begin(), terms.end(), + [](linear_term a, linear_term b) { + return a.index < b.index; + }); auto result_it = terms.begin(); for (auto it = ++terms.begin(); it != terms.end(); ++it) { @@ -239,14 +241,18 @@ namespace nil { bool operator==(const linear_combination &other) const { std::vector> thisterms = this->terms; - std::sort(thisterms.begin(), thisterms.end(), - [](linear_term a, - linear_term b) { return a.index < b.index; }); + std::sort( + thisterms.begin(), thisterms.end(), + [](linear_term a, linear_term b) { + return a.index < b.index; + }); std::vector> otherterms = other.terms; - std::sort(otherterms.begin(), otherterms.end(), - [](linear_term a, - linear_term b) { return a.index < b.index; }); + std::sort( + otherterms.begin(), otherterms.end(), + [](linear_term a, linear_term b) { + return a.index < b.index; + }); return (thisterms == otherterms); } diff --git a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp index e59c9e42f..b3ac2e922 100644 --- a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp +++ b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp @@ -70,8 +70,7 @@ namespace nil { non_linear_term(const assignment_type &field_val) : coeff(field_val) { } - non_linear_term(std::vector vars) : - vars(vars), coeff(assignment_type::one()) { + non_linear_term(std::vector vars) : vars(vars), coeff(assignment_type::one()) { } non_linear_term operator*(const assignment_type &field_coeff) const { @@ -104,9 +103,8 @@ namespace nil { }; template - non_linear_term - operator*(const typename VariableType::assignment_type &field_coeff, - const non_linear_term &nlt) { + non_linear_term operator*(const typename VariableType::assignment_type &field_coeff, + const non_linear_term &nlt) { return nlt * field_coeff; } @@ -125,19 +123,15 @@ namespace nil { } template - non_linear_combination - operator+(const non_linear_term &A, - const non_linear_term &B) { - return non_linear_combination(A) + - non_linear_combination(B); + non_linear_combination operator+(const non_linear_term &A, + const non_linear_term &B) { + return non_linear_combination(A) + non_linear_combination(B); } template - non_linear_combination - operator-(const non_linear_term &A, - const non_linear_term &B) { - return non_linear_combination(A) - - non_linear_combination(B); + non_linear_combination operator-(const non_linear_term &A, + const non_linear_term &B) { + return non_linear_combination(A) - non_linear_combination(B); } /***************************** Linear combination ****************************/ @@ -151,7 +145,6 @@ namespace nil { std::vector> terms; public: - non_linear_combination() {}; // non_linear_combination(const field_value_type &field_coeff) { // this->add_term(non_linear_term(field_coeff)); @@ -162,8 +155,7 @@ namespace nil { non_linear_combination(const non_linear_term &nlt) { this->add_term(nlt); } - non_linear_combination(const std::vector> &terms) : - terms(terms) { + non_linear_combination(const std::vector> &terms) : terms(terms) { } // non_linear_combination(const non_linear_combination &other): @@ -182,8 +174,7 @@ namespace nil { void add_term(const VariableType &var) { this->terms.emplace_back(non_linear_term(var)); } - void add_term(const VariableType &var, - const typename VariableType::assignment_type &field_coeff) { + void add_term(const VariableType &var, const typename VariableType::assignment_type &field_coeff) { this->terms.emplace_back(non_linear_term(var) * field_coeff); } void add_term(const non_linear_term &nlt) { @@ -248,9 +239,8 @@ namespace nil { } template - non_linear_combination - operator*(const non_linear_combination &A, - const non_linear_combination &B) { + non_linear_combination operator*(const non_linear_combination &A, + const non_linear_combination &B) { non_linear_combination result; result.terms.reserve(A.terms.size() * B.terms.size()); @@ -263,9 +253,8 @@ namespace nil { } template - non_linear_combination - operator*(const VariableType &var, - const non_linear_combination &A) { + non_linear_combination operator*(const VariableType &var, + const non_linear_combination &A) { non_linear_combination result; result.terms.reserve(A.terms.size()); diff --git a/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp b/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp index 175b51150..f92ec5461 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp @@ -50,20 +50,23 @@ namespace nil { template> class plonk_constraint : public non_linear_combination { - public: - plonk_constraint() : non_linear_combination() {}; - - plonk_constraint(const VariableType &var) : non_linear_combination(var) {} - plonk_constraint(const non_linear_term &nlt) : non_linear_combination(nlt) {} + plonk_constraint(const VariableType &var) : non_linear_combination(var) { + } - plonk_constraint(const std::vector> &terms) : - non_linear_combination(terms){} + plonk_constraint(const non_linear_term &nlt) : + non_linear_combination(nlt) { + } + + plonk_constraint(const std::vector> &terms) : + non_linear_combination(terms) { + } template - typename VariableType::assignment_type evaluate(std::size_t row_index, + typename VariableType::assignment_type + evaluate(std::size_t row_index, const plonk_assignment_table &assignments) const { typename VariableType::assignment_type acc = VariableType::assignment_type::zero(); for (const non_linear_term &nlt : this->terms) { @@ -72,7 +75,7 @@ namespace nil { for (const VariableType &var : nlt.vars) { typename VariableType::assignment_type assignment; - switch (var.type){ + switch (var.type) { case VariableType::column_type::witness: assignment = assignments.witness(var.index)[row_index + var.rotation]; case VariableType::column_type::selector: @@ -90,9 +93,9 @@ namespace nil { return acc; } - template - math::polynomial evaluate( - const plonk_polynomial_table &assignments) const { + template + math::polynomial + evaluate(const plonk_polynomial_table &assignments) const { math::polynomial acc = {0}; for (const non_linear_term &nlt : this->terms) { math::polynomial term_value = {nlt.coeff}; @@ -100,7 +103,7 @@ namespace nil { for (const VariableType &var : nlt.vars) { typename VariableType::assignment_type assignment; - switch (var.type){ + switch (var.type) { case VariableType::column_type::witness: assignment = assignments.witness(var.index); case VariableType::column_type::selector: @@ -124,9 +127,10 @@ namespace nil { typename VariableType::assignment_type term_value = nlt.coeff; for (const VariableType &var : nlt.vars) { - std::tuple key - = std::make_tuple(var.wire_index, var.rotation, var.type); + std::tuple + key = std::make_tuple(var.wire_index, var.rotation, var.type); term_value = term_value * assignments[key]; } acc = acc + term_value * nlt.coeff; @@ -140,4 +144,4 @@ namespace nil { } // namespace crypto3 } // namespace nil -#endif // CRYPTO3_ZK_PLONK_CONSTRAINT_HPP \ No newline at end of file +#endif // CRYPTO3_ZK_PLONK_CONSTRAINT_HPP diff --git a/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp b/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp index ed32d2a21..4bd279379 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp @@ -35,20 +35,20 @@ namespace nil { namespace zk { namespace snark { - template - struct plonk_gate{ + template + struct plonk_gate { std::size_t selector_index; std::vector> constraints; - plonk_gate(std::size_t selector_index, const snark::plonk_constraint &constraint): - constraints(std::vector> ({constraint})), - selector_index(selector_index){ + plonk_gate(std::size_t selector_index, const snark::plonk_constraint &constraint) : + constraints(std::vector>({constraint})), + selector_index(selector_index) { } plonk_gate(std::size_t selector_index, - const std::initializer_list> &&constraints): + const std::initializer_list> &&constraints) : constraints(constraints), - selector_index(selector_index){ + selector_index(selector_index) { } plonk_gate(std::size_t selector_index, diff --git a/include/nil/crypto3/zk/snark/relations/plonk/permutation.hpp b/include/nil/crypto3/zk/snark/relations/plonk/permutation.hpp index e954f6a40..c5e470ef8 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/permutation.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/permutation.hpp @@ -54,7 +54,8 @@ namespace nil { _permutation_map[cell] = _permutation_map[equal_to]; } - void cells_equal(std::size_t cell_x, std::size_t cell_y, std::size_t equal_to_x, std::size_t equal_to_y) { + void cells_equal(std::size_t cell_x, std::size_t cell_y, std::size_t equal_to_x, + std::size_t equal_to_y) { _permutation_map[key_type(cell_x, cell_y)] = _permutation_map[key_type(equal_to_x, equal_to_y)]; } @@ -62,7 +63,7 @@ namespace nil { return _permutation_map[key]; } }; - + } // namespace snark } // namespace zk } // namespace crypto3 diff --git a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp index 9ab1355b3..4c53661db 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp @@ -67,7 +67,8 @@ namespace nil { } // bool - // is_satisfied(plonk_variable_assignment full_variable_assignment) const { + // is_satisfied(plonk_variable_assignment full_variable_assignment) + // const { // for (std::size_t c = 0; c < constraints.size(); ++c) { // if (!constraints[c].a.evaluate(full_variable_assignment).is_zero()) { diff --git a/include/nil/crypto3/zk/snark/relations/plonk/table.hpp b/include/nil/crypto3/zk/snark/relations/plonk/table.hpp index 384ac18e3..86fdb6f79 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/table.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/table.hpp @@ -35,73 +35,69 @@ namespace nil { template using plonk_column = std::vector; - template + template class plonk_private_table { std::array witness_columns; public: - - plonk_private_table(std::array witness_columns): - witness_columns(witness_columns){ + plonk_private_table(std::array witness_columns) : + witness_columns(witness_columns) { } - ColumnType witness(std::size_t index) const{ + ColumnType witness(std::size_t index) const { assert(index < PlonkParams::witness_columns); return witness_columns[index]; } - std::array witnesses() const{ + std::array witnesses() const { return witness_columns; } - ColumnType operator[](std::size_t index) const{ + ColumnType operator[](std::size_t index) const { if (index < PlonkParams::witness_columns) return witness_columns[index]; index -= PlonkParams::witness_columns; } - std::size_t size() const{ + std::size_t size() const { return witness_columns.size(); } }; - template + template class plonk_public_table { std::vector selector_columns; std::vector public_input_columns; public: - plonk_public_table(std::vector selector_columns, - std::vector public_input_columns): - selector_columns(selector_columns), public_input_columns(public_input_columns){ + std::vector + public_input_columns) : + selector_columns(selector_columns), + public_input_columns(public_input_columns) { } - ColumnType selector(std::size_t index) const{ + ColumnType selector(std::size_t index) const { assert(index < selector_columns.size()); return selector_columns[index]; } - std::vector selectors() const{ + std::vector selectors() const { return selector_columns; } - ColumnType public_input(std::size_t index) const{ + ColumnType public_input(std::size_t index) const { assert(index < public_input_columns.size()); return public_input_columns[index]; } - std::vector public_inputs() const{ + std::vector public_inputs() const { return public_input_columns; } - ColumnType operator[](std::size_t index) const{ + ColumnType operator[](std::size_t index) const { if (index < selector_columns.size()) return selector_columns[index]; index -= selector_columns.size(); @@ -110,44 +106,39 @@ namespace nil { index -= public_input_columns.size(); } - std::size_t size() const{ + std::size_t size() const { return selector_columns.size() + public_input_columns.size(); } }; - template + template struct plonk_table { using private_table_type = plonk_private_table; using public_table_type = plonk_public_table; private: - private_table_type _private_table; public_table_type _public_table; public: - - plonk_table(private_table_type private_table, - public_table_type public_table): - _private_table(private_table), _public_table(public_table){ + plonk_table(private_table_type private_table, public_table_type public_table) : + _private_table(private_table), _public_table(public_table) { } - ColumnType witness(std::size_t index) const{ + ColumnType witness(std::size_t index) const { return _private_table.witness(index); } - ColumnType selector(std::size_t index) const{ + ColumnType selector(std::size_t index) const { return _public_table.selector(index); } - ColumnType public_input(std::size_t index) const{ + ColumnType public_input(std::size_t index) const { return _public_table.public_input(index); } - ColumnType operator[](std::size_t index) const{ + ColumnType operator[](std::size_t index) const { if (index < _private_table.size()) return _private_table[index]; index -= _private_table.size(); @@ -155,49 +146,41 @@ namespace nil { return _public_table[index]; } - private_table_type private_table() const{ + private_table_type private_table() const { return _private_table; } - public_table_type public_table() const{ + public_table_type public_table() const { return _public_table; } - std::size_t size() const{ + std::size_t size() const { return _private_table.size() + _public_table.size(); } - }; - template - using plonk_private_assignment_table = plonk_private_table>; - - template - using plonk_public_assignment_table = plonk_public_table>; - - template - using plonk_assignment_table = plonk_table>; - - template - using plonk_private_polynomial_table = plonk_private_table>; - - template - using plonk_public_polynomial_table = plonk_public_table>; - - template - using plonk_polynomial_table = plonk_table>; + template + using plonk_private_assignment_table = + plonk_private_table>; + + template + using plonk_public_assignment_table = + plonk_public_table>; + + template + using plonk_assignment_table = plonk_table>; + + template + using plonk_private_polynomial_table = + plonk_private_table>; + + template + using plonk_public_polynomial_table = + plonk_public_table>; + + template + using plonk_polynomial_table = + plonk_table>; } // namespace snark } // namespace zk diff --git a/include/nil/crypto3/zk/snark/relations/plonk/variable.hpp b/include/nil/crypto3/zk/snark/relations/plonk/variable.hpp index 8d9c13857..6ae7fdb5d 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/variable.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/variable.hpp @@ -59,7 +59,6 @@ namespace nil { class plonk_variable { public: - using assignment_type = typename FieldType::value_type; /** @@ -76,8 +75,7 @@ namespace nil { return non_linear_term>(*this) ^ power; } - non_linear_term> - operator*(const assignment_type &field_coeff) const { + non_linear_term> operator*(const assignment_type &field_coeff) const { return non_linear_term>(*this) * field_coeff; } @@ -120,19 +118,19 @@ namespace nil { template non_linear_term> operator*(const typename FieldType::value_type &field_coeff, - const plonk_variable &var) { + const plonk_variable &var) { return var * field_coeff; } template - non_linear_combination> operator+(const typename FieldType::value_type &field_val, - const plonk_variable &var) { + non_linear_combination> + operator+(const typename FieldType::value_type &field_val, const plonk_variable &var) { return var + field_val; } template - non_linear_combination> operator-(const typename FieldType::value_type &field_val, - const plonk_variable &var) { + non_linear_combination> + operator-(const typename FieldType::value_type &field_val, const plonk_variable &var) { return (-var) + field_val; } diff --git a/include/nil/crypto3/zk/snark/systems/plonk/kate/verifier.hpp b/include/nil/crypto3/zk/snark/systems/plonk/kate/verifier.hpp index b22ebf1b1..4a94d2620 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/kate/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/kate/verifier.hpp @@ -26,7 +26,7 @@ #ifndef CRYPTO3_ZK_PLONK_BATCHED_KATE_VERIFIER_HPP #define CRYPTO3_ZK_PLONK_BATCHED_KATE_VERIFIER_HPP -#include +#include #include namespace nil { diff --git a/include/nil/crypto3/zk/snark/systems/plonk/pickles/proof.hpp b/include/nil/crypto3/zk/snark/systems/plonk/pickles/proof.hpp index 81d84eafd..25051585b 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/pickles/proof.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/pickles/proof.hpp @@ -30,7 +30,7 @@ #include #include -#include +#include namespace nil { namespace crypto3 { @@ -39,7 +39,7 @@ namespace nil { template class pickles_proof { - typedef pickles_commitment_scheme commitment_scheme; + typedef pedersen_commitment_scheme commitment_scheme; public: // Commitments: diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp similarity index 88% rename from include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp rename to include/nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp index 9893523ae..9d2732227 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/types.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp @@ -46,10 +46,8 @@ namespace nil { namespace zk { namespace snark { namespace detail { - - template - struct redshift_types_policy { + template + struct redshift_policy { constexpr static const std::size_t witness_columns = RedshiftParams::witness_columns; constexpr static const std::size_t public_columns = RedshiftParams::public_columns; @@ -60,7 +58,8 @@ namespace nil { * Below are various template aliases (used for convenience). */ - typedef plonk_constraint_system constraint_system_type; + typedef plonk_constraint_system + constraint_system_type; typedef plonk_assignment_table variable_assignment_type; @@ -75,10 +74,11 @@ namespace nil { * serializes/deserializes, and verifies proofs. We only expose some information * about the structure for statistics purposes. */ - template - using proof_type = redshift_proof; + template + using proof_type = + redshift_proof; struct preprocessed_public_data_type { @@ -89,8 +89,7 @@ namespace nil { // S_sigma std::vector> permutation_polynomials; // S_id - std::vector> - identity_polynomials; + std::vector> identity_polynomials; math::polynomial lagrange_0; @@ -107,7 +106,7 @@ namespace nil { plonk_private_polynomial_table private_polynomial_table; }; - template + template struct circuit_short_description { std::vector selectors_commits; std::vector id_polys_commits; @@ -120,12 +119,12 @@ namespace nil { typename FieldType::value_type delta; plonk_permutation permutation; - //TODO: Gates and field elements + // TODO: Gates and field elements }; template struct prover_fiat_shamir_heuristic_manifest { - enum challenges_ids { beta, gamma, alpha, upsilon = alpha + AlphasAmount, tau , teta}; + enum challenges_ids { beta, gamma, alpha, upsilon = alpha + AlphasAmount, tau, teta }; }; }; } // namespace detail diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp index e4952ff00..8f0af5fa1 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp @@ -34,7 +34,7 @@ #include -#include +#include #include #include @@ -45,31 +45,26 @@ namespace nil { namespace crypto3 { namespace zk { namespace snark { - - template + template struct redshift_gates_argument; - template - struct redshift_gates_argument { + template + struct redshift_gates_argument { - using transcript_hash_type = typename RedshiftParams::transcript_hash_type; + typedef typename ParamsType::transcript_hash_type transcript_hash_type; - using types_policy = detail::redshift_types_policy; + typedef detail::redshift_policy policy_type; constexpr static const std::size_t argument_size = 1; static inline std::array, argument_size> - prove_eval(typename types_policy::constraint_system_type &constraint_system, - const plonk_polynomial_table &column_polynomials, - fiat_shamir_heuristic_updated &transcript) { + prove_eval(typename policy_type::constraint_system_type &constraint_system, + const plonk_polynomial_table &column_polynomials, + fiat_shamir_heuristic_sequential &transcript) { typename FieldType::value_type theta = transcript.template challenge(); - std::array, - argument_size> F; + std::array, argument_size> F; typename FieldType::value_type theta_acc = FieldType::value_type::one(); @@ -79,7 +74,8 @@ namespace nil { math::polynomial gate_result = {0}; for (std::size_t j = 0; j < gates[i].constraints.size(); j++) { - gate_result = gate_result + gates[i].constraints[j].evaluate(column_polynomials) * theta_acc; + gate_result = + gate_result + gates[i].constraints[j].evaluate(column_polynomials) * theta_acc; theta_acc *= theta; } @@ -91,11 +87,11 @@ namespace nil { return F; } - static inline std::array + static inline std::array verify_eval(const std::vector> &gates, - typename types_policy::evaluation_map &evaluations, - typename FieldType::value_type challenge, - fiat_shamir_heuristic_updated &transcript) { + typename policy_type::evaluation_map &evaluations, + typename FieldType::value_type challenge, + fiat_shamir_heuristic_sequential &transcript) { typename FieldType::value_type theta = transcript.template challenge(); std::array F; @@ -123,4 +119,4 @@ namespace nil { } // namespace crypto3 } // namespace nil -#endif // CRYPTO3_ZK_PLONK_REDSHIFT_GATES_ARGUMENT_HPP \ No newline at end of file +#endif // CRYPTO3_ZK_PLONK_REDSHIFT_GATES_ARGUMENT_HPP diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/generator.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/generator.hpp index bbeafc323..466a00771 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/generator.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/generator.hpp @@ -24,8 +24,8 @@ // SOFTWARE. //---------------------------------------------------------------------------// -#ifndef CRYPTO3_ZK_R1CS_GG_PPZKSNARK_BASIC_GENERATOR_HPP -#define CRYPTO3_ZK_R1CS_GG_PPZKSNARK_BASIC_GENERATOR_HPP +#ifndef CRYPTO3_ZK_REDSHIFT_GENERATOR_HPP +#define CRYPTO3_ZK_REDSHIFT_GENERATOR_HPP #ifdef MULTICORE #include @@ -54,7 +54,7 @@ namespace nil { */ template class redshift_generator { - typedef detail::redshift_types types_policy; + typedef detail::redshift_policy policy_type; // static inline math::polynomial<...> tau( // std::size_t input, std::size_t n, std::array, typename GeneratorType = boost::random::mt19937> static inline keypair_type - process(const typename types_policy::constraint_system_type &constraint_system) { + process(const typename policy_type::constraint_system_type &constraint_system) { std::array k = get_cosets_generators(); @@ -136,9 +136,9 @@ namespace nil { math::polynomial Z = polynom_by_zeros(H_star); - typename types_policy::verification_key_type vk(S_id, S_sigma, q_selectors, L_basis, PI, Z); + typename policy_type::verification_key_type vk(S_id, S_sigma, q_selectors, L_basis, PI, Z); - typename types_policy::proving_key_type pk(S_id, S_sigma, q_selectors, L_basis, f, Z); + typename policy_type::proving_key_type pk(S_id, S_sigma, q_selectors, L_basis, f, Z); return {std::move(pk), std::move(vk)}; } diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp index 38f8b433e..96f816e53 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp @@ -27,20 +27,16 @@ #ifndef CRYPTO3_ZK_PLONK_REDSHIFT_PARAMS_HPP #define CRYPTO3_ZK_PLONK_REDSHIFT_PARAMS_HPP -#include +#include namespace nil { namespace crypto3 { namespace zk { namespace snark { - - template , - typename TranscriptHashType = hashes::keccak_1600<512>, - std::size_t Lambda = 40, - std::size_t R = 1, - std::size_t M = 2> + template, + typename TranscriptHashType = hashes::keccak_1600<512>, std::size_t Lambda = 40, + std::size_t R = 1, std::size_t M = 2> struct redshift_params { typedef MerkleTreeHashType merkle_hash_type; @@ -49,12 +45,12 @@ namespace nil { constexpr static const std::size_t witness_columns = WitnessColumns; constexpr static const std::size_t public_columns = PublicColumns; - using lpc_params = list_polynomial_commitment_params; + typedef list_polynomial_commitment_params + commitment_params_type; }; - } // namespace snark - } // namespace zk - } // namespace crypto3 + } // namespace zk + } // namespace crypto3 } // namespace nil #endif // CRYPTO3_ZK_PLONK_REDSHIFT_PARAMS_HPP diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp index 3167d3c69..03f064634 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp @@ -34,24 +34,25 @@ #include -#include +#include #include -#include +#include #include namespace nil { namespace crypto3 { namespace zk { namespace snark { - template + template class redshift_permutation_argument { - using transcript_hash_type = typename RedshiftParams::transcript_hash_type; + using transcript_hash_type = typename ParamsType::transcript_hash_type; - using types_policy = detail::redshift_types_policy; + using policy_type = detail::redshift_policy; typedef typename CommitmentSchemeTypePermutation::fri_type fri_type; @@ -66,15 +67,18 @@ namespace nil { typename CommitmentSchemeTypePermutation::merkle_tree_type permutation_poly_commitment; }; - static inline prover_result_type - prove_eval(fiat_shamir_heuristic_updated &transcript, - const typename types_policy::preprocessed_public_data_type preprocessed_data, - const typename types_policy::template circuit_short_description &short_description, - const plonk_polynomial_table &column_polynomials, - typename fri_type::params_type fri_params) { - - const std::vector> &S_sigma = preprocessed_data.permutation_polynomials; - const std::vector> &S_id = preprocessed_data.identity_polynomials; + static inline prover_result_type prove_eval( + fiat_shamir_heuristic_sequential &transcript, + const typename policy_type::preprocessed_public_data_type preprocessed_data, + const typename policy_type::template circuit_short_description + &short_description, + const plonk_polynomial_table &column_polynomials, + typename fri_type::params_type fri_params) { + + const std::vector> &S_sigma = + preprocessed_data.permutation_polynomials; + const std::vector> &S_id = + preprocessed_data.identity_polynomials; std::shared_ptr> domain = preprocessed_data.basic_domain; // 1. $\beta_1, \gamma_1 = \challenge$ @@ -99,7 +103,8 @@ namespace nil { } // 3. Calculate $V_P$ - std::vector V_P_interpolation_points(short_description.table_rows); + std::vector V_P_interpolation_points( + short_description.table_rows); V_P_interpolation_points[0] = FieldType::value_type::one(); for (std::size_t j = 1; j < short_description.table_rows; j++) { @@ -139,7 +144,8 @@ namespace nil { math::polynomial_shift(V_P, domain->get_domain_element(1)); F[0] = preprocessed_data.lagrange_0 * (one_polynomial - V_P); - F[1] = (one_polynomial - (preprocessed_data.q_last + preprocessed_data.q_blind)) * (V_P_shifted * h - V_P * g); + F[1] = (one_polynomial - (preprocessed_data.q_last + preprocessed_data.q_blind)) * + (V_P_shifted * h - V_P * g); F[2] = preprocessed_data.q_last * (V_P * V_P - V_P); prover_result_type res = {F, V_P, V_P_tree}; @@ -147,19 +153,22 @@ namespace nil { return res; } - static inline std::array - verify_eval(fiat_shamir_heuristic_updated &transcript, - const typename types_policy::preprocessed_public_data_type preprocessed_data, - const typename types_policy::template circuit_short_description &short_description, - const typename FieldType::value_type &challenge, // y - const std::vector &column_polynomials, // f(y) - const typename FieldType::value_type &perm_polynomial, // - // V_P(y) - const typename FieldType::value_type &perm_polynomial_shifted, // V_P(omega * y) - const typename CommitmentSchemeTypePermutation::commitment_type &V_P_commitment) { - - const std::vector> &S_sigma = preprocessed_data.permutation_polynomials; - const std::vector> &S_id = preprocessed_data.identity_polynomials; + static inline std::array verify_eval( + fiat_shamir_heuristic_sequential &transcript, + const typename policy_type::preprocessed_public_data_type preprocessed_data, + const typename policy_type::template circuit_short_description + &short_description, + const typename FieldType::value_type &challenge, // y + const std::vector &column_polynomials, // f(y) + const typename FieldType::value_type &perm_polynomial, // + // V_P(y) + const typename FieldType::value_type &perm_polynomial_shifted, // V_P(omega * y) + const typename CommitmentSchemeTypePermutation::commitment_type &V_P_commitment) { + + const std::vector> &S_sigma = + preprocessed_data.permutation_polynomials; + const std::vector> &S_id = + preprocessed_data.identity_polynomials; // 1. Get beta, gamma typename FieldType::value_type beta = transcript.template challenge(); @@ -180,9 +189,11 @@ namespace nil { std::array F; typename FieldType::value_type one = FieldType::value_type::one(); F[0] = preprocessed_data.lagrange_0.evaluate(challenge) * (one - perm_polynomial); - F[1] = (one - preprocessed_data.q_last.evaluate(challenge) - preprocessed_data.q_blind.evaluate(challenge)) * + F[1] = (one - preprocessed_data.q_last.evaluate(challenge) - + preprocessed_data.q_blind.evaluate(challenge)) * (perm_polynomial_shifted * h - perm_polynomial * g); - F[2] = preprocessed_data.q_last.evaluate(challenge) * (perm_polynomial.squared() - perm_polynomial); + F[2] = preprocessed_data.q_last.evaluate(challenge) * + (perm_polynomial.squared() - perm_polynomial); return F; } @@ -192,4 +203,4 @@ namespace nil { } // namespace crypto3 } // namespace nil -#endif // #ifndef CRYPTO3_ZK_PLONK_REDSHIFT_PERMUTATION_ARGUMENT_HPP \ No newline at end of file +#endif // #ifndef CRYPTO3_ZK_PLONK_REDSHIFT_PERMUTATION_ARGUMENT_HPP diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp index 644721f55..1e686b3b8 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp @@ -32,7 +32,7 @@ #include #include -#include +#include "nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp" #include using namespace nil::crypto3; @@ -46,13 +46,11 @@ namespace nil { template math::polynomial column_polynomial(const plonk_column &column_assignment, - const std::shared_ptr> &domain) { + const std::shared_ptr> &domain) { - std::vector interpolation_points( - column_assignment.size()); + std::vector interpolation_points(column_assignment.size()); - std::copy(column_assignment.begin(), - column_assignment.end(), interpolation_points.begin()); + std::copy(column_assignment.begin(), column_assignment.end(), interpolation_points.begin()); domain->inverse_fft(interpolation_points); @@ -62,13 +60,14 @@ namespace nil { template std::vector> column_range_polynomials(const std::vector> &column_range_assignment, - const std::shared_ptr> &domain) { + const std::shared_ptr> &domain) { std::size_t columns_amount = column_range_assignment.size(); - std::vector> columns (columns_amount); + std::vector> columns(columns_amount); for (std::size_t selector_index = 0; selector_index < columns_amount; selector_index++) { - columns[selector_index] = column_polynomial(column_range_assignment[selector_index], domain); + columns[selector_index] = + column_polynomial(column_range_assignment[selector_index], domain); } return columns; @@ -76,13 +75,15 @@ namespace nil { template std::array, columns_amount> - column_range_polynomials(const std::array, columns_amount> &column_range_assignment, + column_range_polynomials( + const std::array, columns_amount> &column_range_assignment, const std::shared_ptr> &domain) { std::array, columns_amount> columns; for (std::size_t selector_index = 0; selector_index < columns_amount; selector_index++) { - columns[selector_index] = column_polynomial(column_range_assignment[selector_index], domain); + columns[selector_index] = + column_polynomial(column_range_assignment[selector_index], domain); } return columns; @@ -90,19 +91,22 @@ namespace nil { } // namespace detail - template + template class redshift_public_preprocessor { - using types_policy = detail::redshift_types_policy; + typedef detail::redshift_policy policy_type; static math::polynomial - lagrange_polynomial(std::shared_ptr> domain, std::size_t number) { - std::vector> evaluation_points; + lagrange_polynomial(std::shared_ptr> domain, + std::size_t number) { + std::vector> + evaluation_points; for (std::size_t i = 0; i < domain->m; i++) { - evaluation_points.push_back(std::make_pair(domain->get_domain_element(i), (i != number) ? - FieldType::value_type::zero() : - FieldType::value_type::one())); + evaluation_points.push_back(std::make_pair(domain->get_domain_element(i), + (i != number) ? FieldType::value_type::zero() : + FieldType::value_type::one())); } - math::polynomial f = math::lagrange_interpolation(evaluation_points); + math::polynomial f = + math::lagrange_interpolation(evaluation_points); return f; } @@ -110,141 +114,155 @@ namespace nil { public: static inline std::vector> identity_polynomials(std::size_t permutation_size, std::size_t table_size, - const typename FieldType::value_type &omega, - const typename FieldType::value_type &delta, - const std::shared_ptr> &domain) { - - std::vector> S_id(permutation_size); + const typename FieldType::value_type &omega, + const typename FieldType::value_type &delta, + const std::shared_ptr> &domain) { - for (std::size_t i = 0; i < permutation_size; i++) { - std::vector tmp(table_size); - for (std::size_t j = 0; j < table_size; j++) { - tmp[j] = delta.pow(i) * omega.pow(j); - } + std::vector> S_id(permutation_size); - domain->inverse_fft(tmp); - S_id[i] = math::polynomial(tmp); + for (std::size_t i = 0; i < permutation_size; i++) { + std::vector tmp(table_size); + for (std::size_t j = 0; j < table_size; j++) { + tmp[j] = delta.pow(i) * omega.pow(j); } - return S_id; + domain->inverse_fft(tmp); + S_id[i] = math::polynomial(tmp); + } + + return S_id; } static inline std::vector> permutation_polynomials(std::size_t permutation_size, std::size_t table_size, - const typename FieldType::value_type &omega, - const typename FieldType::value_type &delta, - plonk_permutation &permutation, - const std::shared_ptr> &domain) { - - std::vector> S_perm(permutation_size); - - for (std::size_t i = 0; i < permutation_size; i++) { - std::vector tmp(table_size); - for (std::size_t j = 0; j < table_size; j++) { - auto key = std::make_pair(i, j); - tmp[j] = delta.pow(permutation[key].first) * omega.pow(permutation[key].second); - } - - domain->inverse_fft(tmp); - S_perm[i] = math::polynomial(tmp); + const typename FieldType::value_type &omega, + const typename FieldType::value_type &delta, + plonk_permutation &permutation, + const std::shared_ptr> &domain) { + + std::vector> S_perm(permutation_size); + + for (std::size_t i = 0; i < permutation_size; i++) { + std::vector tmp(table_size); + for (std::size_t j = 0; j < table_size; j++) { + auto key = std::make_pair(i, j); + tmp[j] = delta.pow(permutation[key].first) * omega.pow(permutation[key].second); } - return S_perm; + domain->inverse_fft(tmp); + S_perm[i] = math::polynomial(tmp); + } + + return S_perm; } static inline math::polynomial selector_blind(std::size_t table_size, std::size_t usable_rows, - const std::shared_ptr> &domain) { + const std::shared_ptr> &domain) { - std::vector tmp(table_size); - for (std::size_t j = 0; j < table_size; j++) { - tmp[j] = j > usable_rows ? FieldType::value_type::one() : FieldType::value_type::zero(); - } + std::vector tmp(table_size); + for (std::size_t j = 0; j < table_size; j++) { + tmp[j] = j > usable_rows ? FieldType::value_type::one() : FieldType::value_type::zero(); + } - domain->inverse_fft(tmp); - math::polynomial q_blind(tmp); + domain->inverse_fft(tmp); + math::polynomial q_blind(tmp); - return q_blind; + return q_blind; } static inline math::polynomial selector_last(std::size_t table_size, std::size_t usable_rows, - const std::shared_ptr> &domain) { + const std::shared_ptr> &domain) { - std::vector tmp(table_size); - for (std::size_t j = 0; j < table_size; j++) { - tmp[j] = j == usable_rows ? FieldType::value_type::one() : FieldType::value_type::zero(); - } + std::vector tmp(table_size); + for (std::size_t j = 0; j < table_size; j++) { + tmp[j] = j == usable_rows ? FieldType::value_type::one() : FieldType::value_type::zero(); + } - domain->inverse_fft(tmp); - math::polynomial q_last(tmp); + domain->inverse_fft(tmp); + math::polynomial q_last(tmp); - return q_last; + return q_last; } - template - static inline typename types_policy::preprocessed_public_data_type - process(const typename types_policy::constraint_system_type &constraint_system, - const typename types_policy::variable_assignment_type::public_table_type &public_assignment, - typename types_policy::template circuit_short_description &short_description) { + template + static inline typename policy_type::preprocessed_public_data_type process( + const typename policy_type::constraint_system_type &constraint_system, + const typename policy_type::variable_assignment_type::public_table_type &public_assignment, + typename policy_type::template circuit_short_description + &short_description) { std::size_t N_rows = constraint_system.rows_amount(); - std::shared_ptr> basic_domain = math::make_evaluation_domain(N_rows); + std::shared_ptr> basic_domain = + math::make_evaluation_domain(N_rows); - std::vector> _permutation_polynomials = permutation_polynomials(short_description.columns_with_copy_constraints.size(), - short_description.table_rows, basic_domain->get_domain_element(1), short_description.delta, - short_description.permutation, basic_domain); + std::vector> _permutation_polynomials = + permutation_polynomials(short_description.columns_with_copy_constraints.size(), + short_description.table_rows, basic_domain->get_domain_element(1), + short_description.delta, short_description.permutation, + basic_domain); - std::vector> _identity_polynomials = identity_polynomials(short_description.columns_with_copy_constraints.size(), - short_description.table_rows, basic_domain->get_domain_element(1), - short_description.delta, basic_domain); + std::vector> _identity_polynomials = + identity_polynomials(short_description.columns_with_copy_constraints.size(), + short_description.table_rows, basic_domain->get_domain_element(1), + short_description.delta, basic_domain); - math::polynomial lagrange_0 = lagrange_polynomial(basic_domain, 0); + math::polynomial lagrange_0 = + lagrange_polynomial(basic_domain, 0); - math::polynomial q_last = selector_last(short_description.table_rows, short_description.usable_rows, basic_domain); - math::polynomial q_blind = selector_blind(short_description.table_rows, short_description.usable_rows, basic_domain); + math::polynomial q_last = + selector_last(short_description.table_rows, short_description.usable_rows, basic_domain); + math::polynomial q_blind = + selector_blind(short_description.table_rows, short_description.usable_rows, basic_domain); - plonk_public_polynomial_table public_polynomial_table = plonk_public_polynomial_table( - detail::column_range_polynomials(public_assignment.selectors(), basic_domain), - detail::column_range_polynomials(public_assignment.public_inputs(), basic_domain)); + plonk_public_polynomial_table public_polynomial_table = + plonk_public_polynomial_table( + detail::column_range_polynomials(public_assignment.selectors(), + basic_domain), + detail::column_range_polynomials(public_assignment.public_inputs(), + basic_domain)); std::vector z_numenator(N_rows + 1); z_numenator[0] = -FieldType::value_type::one(); z_numenator[N_rows] = FieldType::value_type::one(); math::polynomial Z = z_numenator; - math::polynomial z_denominator = {-FieldType::value_type::one(), FieldType::value_type::one()}; + math::polynomial z_denominator = {-FieldType::value_type::one(), + FieldType::value_type::one()}; Z = Z / z_denominator; - return typename types_policy::preprocessed_public_data_type({basic_domain, - public_polynomial_table, _permutation_polynomials, _identity_polynomials, - lagrange_0, q_last, q_blind, Z}); + return typename policy_type::preprocessed_public_data_type( + {basic_domain, public_polynomial_table, _permutation_polynomials, _identity_polynomials, + lagrange_0, q_last, q_blind, Z}); } }; template class redshift_private_preprocessor { - using types_policy = detail::redshift_types_policy; + using policy_type = detail::redshift_policy; public: - - template - static inline typename types_policy::preprocessed_private_data_type - process(const typename types_policy::constraint_system_type &constraint_system, - const typename types_policy::variable_assignment_type::private_table_type &private_assignment, - typename types_policy::template circuit_short_description &short_description) { + template + static inline typename policy_type::preprocessed_private_data_type process( + const typename policy_type::constraint_system_type &constraint_system, + const typename policy_type::variable_assignment_type::private_table_type &private_assignment, + typename policy_type::template circuit_short_description + &short_description) { std::size_t N_rows = constraint_system.rows_amount(); - std::shared_ptr> basic_domain = math::make_evaluation_domain(N_rows); + std::shared_ptr> basic_domain = + math::make_evaluation_domain(N_rows); - plonk_private_polynomial_table private_polynomial_table = + plonk_private_polynomial_table private_polynomial_table = plonk_private_polynomial_table( - detail::column_range_polynomials(private_assignment.witnesses(), basic_domain)); + detail::column_range_polynomials(private_assignment.witnesses(), + basic_domain)); - return typename types_policy::preprocessed_private_data_type({basic_domain, - private_polynomial_table}); + return typename policy_type::preprocessed_private_data_type( + {basic_domain, private_polynomial_table}); } }; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp index 4c0776cd1..20cba8e28 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp @@ -33,8 +33,7 @@ namespace nil { namespace snark { template + typename CommitmentSchemeTypePermutation, typename CommitmentSchemeTypeQuotient> struct redshift_proof { struct evaluation_proof { @@ -56,8 +55,7 @@ namespace nil { bool operator==(const redshift_proof &rhs) const { return witness_commitments == rhs.witness_commitments && T_commitments == rhs.T_commitments && - v_perm_commitment == rhs.v_perm_commitment && - eval_proof = rhs.eval_proof; + v_perm_commitment == rhs.v_perm_commitment && eval_proof = rhs.eval_proof; } bool operator!=(const redshift_proof &rhs) const { return !(rhs == *this); diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 70fce8d21..7aa7d5755 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -31,11 +31,11 @@ #include -#include +#include -#include +#include #include -#include +#include "nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp" #include #include #include @@ -45,108 +45,138 @@ namespace nil { namespace zk { namespace snark { - template + template class redshift_prover { - constexpr static const std::size_t witness_columns = RedshiftParams::witness_columns; - constexpr static const std::size_t public_columns = RedshiftParams::public_columns; - using merkle_hash_type = typename RedshiftParams::lpc_params::merkle_hash_type; - using transcript_hash_type = typename RedshiftParams::lpc_params::transcript_hash_type; + constexpr static const std::size_t witness_columns = ParamsType::witness_columns; + constexpr static const std::size_t public_columns = ParamsType::public_columns; + using merkle_hash_type = typename ParamsType::commitment_params_type::merkle_hash_type; + using transcript_hash_type = typename ParamsType::commitment_params_type::transcript_hash_type; - using types_policy = detail::redshift_types_policy; + using policy_type = detail::redshift_policy; typedef typename containers::merkle_tree merkle_tree_type; - constexpr static const std::size_t lambda = RedshiftParams::lpc_params::lambda; - constexpr static const std::size_t r = RedshiftParams::lpc_params::r; - constexpr static const std::size_t m = RedshiftParams::lpc_params::m; + constexpr static const std::size_t lambda = ParamsType::commitment_params_type::lambda; + constexpr static const std::size_t r = ParamsType::commitment_params_type::r; + constexpr static const std::size_t m = ParamsType::commitment_params_type::m; constexpr static const std::size_t opening_points_witness = 1; constexpr static const std::size_t opening_points_v_p = 2; constexpr static const std::size_t opening_points_t = 1; constexpr static const std::size_t opening_points_public = 1; - typedef list_polynomial_commitment_scheme lpc_witness; - typedef list_polynomial_commitment_scheme lpc_permutation; - typedef list_polynomial_commitment_scheme lpc_quotient; - typedef list_polynomial_commitment_scheme lpc_public; + typedef list_polynomial_commitment_scheme + commitment_scheme_witness_type; + typedef list_polynomial_commitment_scheme + commitment_scheme_permutation_type; + typedef list_polynomial_commitment_scheme + commitment_scheme_quotient_type; + typedef list_polynomial_commitment_scheme + commitment_scheme_public_points_type; constexpr static const std::size_t gate_parts = 1; constexpr static const std::size_t permutation_parts = 3; constexpr static const std::size_t f_parts = 9; - static inline math::polynomial - quotient_polynomial(const typename types_policy::preprocessed_public_data_type preprocessed_public_data, - std::array, f_parts> F, - fiat_shamir_heuristic_updated transcript) { - // 7.1. Get $\alpha_0, \dots, \alpha_8 \in \mathbb{F}$ from $hash(\text{transcript})$ - std::array alphas = - transcript.template challenges(); - - // 7.2. Compute F_consolidated - math::polynomial F_consolidated = {0}; - for (std::size_t i = 0; i < f_parts; i++) { - F_consolidated = F_consolidated + alphas[i] * F[i]; - } + static inline math::polynomial quotient_polynomial( + const typename policy_type::preprocessed_public_data_type preprocessed_public_data, + std::array, f_parts> + F, + fiat_shamir_heuristic_sequential + transcript) { + // 7.1. Get $\alpha_0, \dots, \alpha_8 \in \mathbb{F}$ from $hash(\text{transcript})$ + std::array alphas = + transcript.template challenges(); + + // 7.2. Compute F_consolidated + math::polynomial F_consolidated = {0}; + for (std::size_t i = 0; i < f_parts; i++) { + F_consolidated = F_consolidated + alphas[i] * F[i]; + } - math::polynomial T_consolidated = - F_consolidated / preprocessed_public_data.Z; + math::polynomial T_consolidated = + F_consolidated / preprocessed_public_data.Z; - return T_consolidated; + return T_consolidated; } static inline std::vector> - split_polynomial(math::polynomial f, - std::size_t max_degree) { - std::size_t parts = ((f.size() - 1) / (max_degree + 1)) + 1; - std::vector> f_splitted(parts); - - std::size_t chunk_size = max_degree + 1; // polynomial contains max_degree + 1 coeffs - for (std::size_t i = 0; i < parts - 1; i++) { - std::copy(f.begin() + i * chunk_size, f.begin() + (i + 1) * chunk_size - 1, std::back_inserter(f_splitted[i])); - } - std::copy(f.begin() + (parts - 1) * chunk_size, f.end(), std::back_inserter(f_splitted[parts - 1])); - return f_splitted; + split_polynomial(math::polynomial f, std::size_t max_degree) { + std::size_t parts = ((f.size() - 1) / (max_degree + 1)) + 1; + std::vector> f_splitted(parts); + + std::size_t chunk_size = max_degree + 1; // polynomial contains max_degree + 1 coeffs + for (std::size_t i = 0; i < parts - 1; i++) { + std::copy(f.begin() + i * chunk_size, + f.begin() + (i + 1) * chunk_size - 1, + std::back_inserter(f_splitted[i])); + } + std::copy( + f.begin() + (parts - 1) * chunk_size, f.end(), std::back_inserter(f_splitted[parts - 1])); + return f_splitted; } public: - static inline typename types_policy::template proof_type - process(const typename types_policy::preprocessed_public_data_type preprocessed_public_data, - const typename types_policy::preprocessed_private_data_type preprocessed_private_data, - typename types_policy::constraint_system_type &constraint_system, - const typename types_policy::variable_assignment_type &assignments, - const typename types_policy::template circuit_short_description &short_description, - const typename lpc_witness::fri_type::params_type &fri_params) { // TODO: fri_type are the same for each lpc_type here - - typename types_policy::template proof_type proof; - std::vector tanscript_init = {}; - fiat_shamir_heuristic_updated transcript(tanscript_init); - - plonk_polynomial_table polynomial_table = - plonk_polynomial_table( + static inline typename policy_type::template proof_type + process(const typename policy_type::preprocessed_public_data_type preprocessed_public_data, + const typename policy_type::preprocessed_private_data_type preprocessed_private_data, + typename policy_type::constraint_system_type &constraint_system, + const typename policy_type::variable_assignment_type &assignments, + const typename policy_type::template circuit_short_description< + commitment_scheme_public_points_type> &short_description, + const typename commitment_scheme_witness_type::fri_type::params_type + &fri_params) { // TODO: fri_type are the same for each lpc_type here + + typename policy_type::template proof_type + proof; + std::vector transcript_init {}; + fiat_shamir_heuristic_sequential transcript(transcript_init); + + plonk_polynomial_table polynomial_table = + plonk_polynomial_table( preprocessed_private_data.private_polynomial_table, preprocessed_public_data.public_polynomial_table); - // 1. Add circuit definition to transctipt - //transcript(short_description); //TODO: circuit_short_description marshalling + // 1. Add circuit definition to transcript + // transcript(short_description); //TODO: circuit_short_description marshalling // 2. Commit witness columns - std::array, witness_columns> witness_poly = + std::array, witness_columns> witness_poly = preprocessed_private_data.private_polynomial_table.witnesses(); - - std::array witness_commitments = - lpc_witness::template commit(witness_poly, fri_params.D[0]); + + std::array + witness_commitments = commitment_scheme_witness_type::template commit( + witness_poly, fri_params.D[0]); proof.witness_commitments.resize(witness_columns); for (std::size_t i = 0; i < witness_columns; i++) { proof.witness_commitments[i] = witness_commitments[i].root(); - //transcript(proof.witness_commitments[i]); + // transcript(proof.witness_commitments[i]); } // 4. permutation_argument - auto permutation_argument = redshift_permutation_argument::prove_eval( - transcript, preprocessed_public_data, short_description, polynomial_table, fri_params); + auto permutation_argument = + redshift_permutation_argument::prove_eval(transcript, + preprocessed_public_data, + short_description, + polynomial_table, + fri_params); proof.v_perm_commitment = permutation_argument.permutation_poly_commitment.root(); @@ -162,49 +192,69 @@ namespace nil { // 6. circuit-satisfability std::array, gate_parts> prover_res = - redshift_gates_argument::prove_eval( + redshift_gates_argument::prove_eval( constraint_system, polynomial_table, transcript); F[3] = prover_res[0]; // 7. Aggregate quotient polynomial - math::polynomial T = quotient_polynomial(preprocessed_public_data, F, transcript); - std::vector> T_splitted = split_polynomial(T, fri_params.max_degree); - std::vector T_commitments(T_splitted.size()); + math::polynomial T = + quotient_polynomial(preprocessed_public_data, F, transcript); + std::vector> T_splitted = + split_polynomial(T, fri_params.max_degree); + std::vector T_commitments( + T_splitted.size()); for (std::size_t i = 0; i < T_splitted.size(); i++) { - T_commitments[i] = lpc_quotient::commit(T_splitted[i], fri_params.D[0]); + T_commitments[i] = commitment_scheme_quotient_type::commit(T_splitted[i], fri_params.D[0]); proof.T_commitments.push_back(T_commitments[i].root()); } - //transcript(T_commitments); + // transcript(T_commitments); // 8. Run evaluation proofs typename FieldType::value_type challenge = transcript.template challenge(); - typename FieldType::value_type omega = preprocessed_public_data.basic_domain->get_domain_element(1); + typename FieldType::value_type omega = + preprocessed_public_data.basic_domain->get_domain_element(1); // witness polynomials (table columns) - std::array witnesses_evaluation; + std::array + witnesses_evaluation; for (std::size_t i = 0; i < witness_commitments.size(); i++) { - std::vector rotation_gates = {0}; //TODO: Rotation - std::array evaluation_points_gates; //TODO: array size with rotation + std::vector rotation_gates = {0}; // TODO: Rotation + std::array + evaluation_points_gates; // TODO: array size with rotation for (std::size_t i = 0; i < evaluation_points_gates.size(); i++) { evaluation_points_gates[i] = challenge * omega.pow(rotation_gates[i]); } - witnesses_evaluation[i] = lpc_witness::proof_eval(evaluation_points_gates, witness_commitments[i], witness_poly[i], transcript, fri_params); + witnesses_evaluation[i] = + commitment_scheme_witness_type::proof_eval(evaluation_points_gates, + witness_commitments[i], + witness_poly[i], + transcript, + fri_params); proof.eval_proof.witness.push_back(witnesses_evaluation[i]); } // permutation polynomial evaluation - std::array evaluation_points_v_p = {challenge, challenge * omega}; - typename lpc_permutation::proof_type v_p_evaluation = lpc_permutation::proof_eval(evaluation_points_v_p, permutation_argument.permutation_poly_commitment, permutation_argument.permutation_polynomial, transcript, fri_params); + std::array evaluation_points_v_p = {challenge, + challenge * omega}; + typename commitment_scheme_permutation_type::proof_type v_p_evaluation = + commitment_scheme_permutation_type::proof_eval( + evaluation_points_v_p, + permutation_argument.permutation_poly_commitment, + permutation_argument.permutation_polynomial, + transcript, + fri_params); proof.eval_proof.permutation.push_back(v_p_evaluation); std::array evaluation_points_quotient = {challenge}; - std::vector quotient_evaluation(T_splitted.size()); + std::vector quotient_evaluation( + T_splitted.size()); for (std::size_t i = 0; i < T_splitted.size(); i++) { - quotient_evaluation[i] = lpc_quotient::proof_eval(evaluation_points_quotient, T_commitments[i], T_splitted[i], transcript, fri_params); + quotient_evaluation[i] = commitment_scheme_quotient_type::proof_eval( + evaluation_points_quotient, T_commitments[i], T_splitted[i], transcript, fri_params); proof.eval_proof.quotient.push_back(quotient_evaluation[i]); } diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp index 2b458f1f5..54c2abcc6 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp @@ -29,9 +29,9 @@ #include -#include +#include #include -#include +#include "nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp" #include #include @@ -40,52 +40,63 @@ namespace nil { namespace zk { namespace snark { - template + template class redshift_verifier { - constexpr static const std::size_t witness_columns = RedshiftParams::witness_columns; - constexpr static const std::size_t public_columns = RedshiftParams::public_columns; - using merkle_hash_type = typename RedshiftParams::lpc_params::merkle_hash_type; - using transcript_hash_type = typename RedshiftParams::lpc_params::transcript_hash_type; + constexpr static const std::size_t witness_columns = ParamsType::witness_columns; + constexpr static const std::size_t public_columns = ParamsType::public_columns; + using merkle_hash_type = typename ParamsType::commitment_params_type::merkle_hash_type; + using transcript_hash_type = typename ParamsType::commitment_params_type::transcript_hash_type; - using types_policy = detail::redshift_types_policy; + using policy_type = detail::redshift_policy; - constexpr static const std::size_t lambda = RedshiftParams::lpc_params::lambda; - constexpr static const std::size_t r = RedshiftParams::lpc_params::r; - constexpr static const std::size_t m = RedshiftParams::lpc_params::m; + constexpr static const std::size_t lambda = ParamsType::commitment_params_type::lambda; + constexpr static const std::size_t r = ParamsType::commitment_params_type::r; + constexpr static const std::size_t m = ParamsType::commitment_params_type::m; constexpr static const std::size_t opening_points_witness = 1; constexpr static const std::size_t opening_points_v_p = 2; constexpr static const std::size_t opening_points_t = 1; - typedef list_polynomial_commitment_scheme lpc_witness; - typedef list_polynomial_commitment_scheme lpc_permutation; - typedef list_polynomial_commitment_scheme lpc_quotient; + typedef list_polynomial_commitment_scheme + commitment_scheme_witness_type; + typedef list_polynomial_commitment_scheme + commitment_scheme_permutation_type; + typedef list_polynomial_commitment_scheme + commitment_scheme_quotient_type; constexpr static const std::size_t gate_parts = 1; constexpr static const std::size_t permutation_parts = 3; constexpr static const std::size_t f_parts = 9; public: - static inline bool process(//const types_policy::verification_key_type &verification_key, - //const types_policy::primary_input_type &primary_input, - const typename types_policy::template proof_type &proof, - const typename types_policy::template circuit_short_description &short_description) { //TODO: decsription commitment scheme + static inline bool process( // const policy_type::verification_key_type &verification_key, + // const policy_type::primary_input_type &primary_input, + const typename policy_type::template proof_type &proof, + const typename policy_type::template circuit_short_description + &short_description) { // TODO: decsription commitment scheme - fiat_shamir_heuristic_updated transcript(std::vector()); + fiat_shamir_heuristic_sequential transcript; - // 1. Add circuit definition to transctipt - //transcript(short_description); + // 1. Add circuit definition to transcript + // transcript(short_description); for (std::size_t i = 0; i < witness_columns; i++) { - //transcript(proof.witness_commitments[i]); + // transcript(proof.witness_commitments[i]); } - /*std::array permutation_argument = - redshift_permutation_argument::verify_eval( - verifier_transcript, preprocessed_data, short_description, y, proof.witness_evaluation, v_p_at_y, v_p_at_y_shifted, - proof.v_perm_commitment); + /*std::array permutation_argument = + redshift_permutation_argument::verify_eval( verifier_transcript, preprocessed_data, short_description, y, + proof.witness_evaluation, v_p_at_y, v_p_at_y_shifted, proof.v_perm_commitment); std::array alphas = transcript.template challenges(); diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp index 070d651aa..fe3bb6e21 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/proof.hpp @@ -31,18 +31,13 @@ #include #include -#include +#include #include namespace nil { namespace crypto3 { namespace zk { namespace snark { - /// KZGOpening represents the KZG opening of a commitment key (which is a tuple - /// given commitment keys are a tuple). - template - using kzg_opening = std::pair; - /// It contains all elements derived in the GIPA loop for both TIPP and MIPP at /// the same time. template diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/prover.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/prover.hpp index 721ff2906..3e75551f5 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/prover.hpp @@ -266,8 +266,8 @@ namespace nil { fcoeffs, fwz, kzg_challenge); } - /// gipa_tipp_mipp peforms the recursion of the GIPA protocol for TIPP and MIPP. - /// It returns a proof containing all intermdiate committed values, as well as + /// gipa_tipp_mipp performs the recursion of the GIPA protocol for TIPP and MIPP. + /// It returns a proof containing all intermediate committed values, as well as /// the challenges generated necessary to do the polynomial commitment proof /// later in TIPP. template, typename InputG1Iterator1, @@ -307,11 +307,11 @@ namespace nil { r1cs_gg_ppzksnark_ipp2_wkey wkey = wkey_input; // storing the values for including in the proof - std::vector::output_type, - typename r1cs_gg_ppzksnark_ipp2_commitment::output_type>> + std::vector::output_type, + typename kzg_commitment::output_type>> comms_ab; - std::vector::output_type, - typename r1cs_gg_ppzksnark_ipp2_commitment::output_type>> + std::vector::output_type, + typename kzg_commitment::output_type>> comms_c; std::vector< std::pair> @@ -336,11 +336,9 @@ namespace nil { // TODO: parallel // See section 3.3 for paper version with equivalent names // TIPP part - typename r1cs_gg_ppzksnark_ipp2_commitment::output_type tab_l = - r1cs_gg_ppzksnark_ipp2_commitment::pair( + typename kzg_commitment::output_type tab_l = kzg_commitment::pair( vk_left, wk_right, m_a.begin() + split, m_a.end(), m_b.begin(), m_b.begin() + split); - typename r1cs_gg_ppzksnark_ipp2_commitment::output_type tab_r = - r1cs_gg_ppzksnark_ipp2_commitment::pair( + typename kzg_commitment::output_type tab_r = kzg_commitment::pair( vk_right, wk_left, m_a.begin(), m_a.begin() + split, m_b.begin() + split, m_b.end()); // \prod e(A_right,B_left) @@ -373,12 +371,12 @@ namespace nil { algebra::multiexp( m_c.begin(), m_c.begin() + split, m_r.begin() + split, m_r.end(), 1); // u_l = c[n':] * v[:n'] - typename r1cs_gg_ppzksnark_ipp2_commitment::output_type tuc_l = - r1cs_gg_ppzksnark_ipp2_commitment::single(vk_left, m_c.begin() + split, + typename kzg_commitment::output_type tuc_l = + kzg_commitment::single(vk_left, m_c.begin() + split, m_c.end()); // u_r = c[:n'] * v[n':] - typename r1cs_gg_ppzksnark_ipp2_commitment::output_type tuc_r = - r1cs_gg_ppzksnark_ipp2_commitment::single(vk_right, m_c.begin(), + typename kzg_commitment::output_type tuc_r = + kzg_commitment::single(vk_right, m_c.begin(), m_c.begin() + split); // Fiat-Shamir challenge @@ -526,11 +524,11 @@ namespace nil { // A and B are committed together in this scheme // we need to take the reference so the macro doesn't consume the value // first - typename r1cs_gg_ppzksnark_ipp2_commitment::output_type com_ab = - r1cs_gg_ppzksnark_ipp2_commitment::pair(srs.vkey, srs.wkey, a.begin(), a.end(), + typename kzg_commitment::output_type com_ab = + kzg_commitment::pair(srs.vkey, srs.wkey, a.begin(), a.end(), b.begin(), b.end()); - typename r1cs_gg_ppzksnark_ipp2_commitment::output_type com_c = - r1cs_gg_ppzksnark_ipp2_commitment::single(srs.vkey, c.begin(), c.end()); + typename kzg_commitment::output_type com_c = + kzg_commitment::single(srs.vkey, c.begin(), c.end()); // Derive a random scalar to perform a linear combination of proofs constexpr std::array application_tag = {'s', 'n', 'a', 'r', 'k', @@ -583,7 +581,7 @@ namespace nil { tr.template write>(agg_c); // w^{r^{-1}} - r1cs_gg_ppzksnark_ipp2_commitment_key> wkey_r_inv = + kzg_commitment_key> wkey_r_inv = srs.wkey.scale(r_inv.begin(), r_inv.end()); // we prove tipp and mipp using the same recursive loop @@ -592,7 +590,7 @@ namespace nil { wkey_r_inv, r_vec.begin(), r_vec.end()); // debug assert - BOOST_ASSERT(com_ab == r1cs_gg_ppzksnark_ipp2_commitment::pair( + BOOST_ASSERT(com_ab == kzg_commitment::pair( srs.vkey, wkey_r_inv, a.begin(), a.end(), b_r.begin(), b_r.end())); return {com_ab, com_c, ip_ab, agg_c, proof}; diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/srs.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/srs.hpp index b363ba9e5..522d78dc7 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/srs.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/srs.hpp @@ -31,7 +31,7 @@ #include #include -#include +#include "nil/crypto3/zk/snark/commitments/kzg.hpp" namespace nil { namespace crypto3 { @@ -65,7 +65,7 @@ namespace nil { typedef typename g1_type::value_type g1_value_type; typedef typename g2_type::value_type g2_value_type; - typedef r1cs_gg_ppzksnark_ipp2_commitment commitment_type; + typedef kzg_commitment commitment_type; typedef typename commitment_type::vkey_type vkey_type; typedef typename commitment_type::wkey_type wkey_type; diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/transcript.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/transcript.hpp index ea23fa2e0..f1922cf8f 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/transcript.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_gg_ppzksnark/ipp2/transcript.hpp @@ -102,7 +102,7 @@ namespace nil { std::is_same::value_type>::value>::type write(InputIterator first, InputIterator last) { - std::array len_bytes{}; + std::array len_bytes {}; nil::crypto3::detail::pack counter_nonce_bytes{}; + std::array counter_nonce_bytes {}; while (true) { ++counter_nonce; nil::crypto3::detail::pack, typename Verifier = r1cs_se_ppzksnark_verifier_strong_input_consistency> class r1cs_se_ppzksnark { - typedef detail::r1cs_se_ppzksnark_types_policy policy_type; + typedef detail::r1cs_se_ppzksnark_policy policy_type; public: typedef typename policy_type::constraint_system_type constraint_system_type; diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/detail/basic_policy.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/detail/basic_policy.hpp index 0beddaf91..730e3461a 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/detail/basic_policy.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/detail/basic_policy.hpp @@ -79,7 +79,7 @@ namespace nil { namespace detail { template - struct r1cs_se_ppzksnark_types_policy { + struct r1cs_se_ppzksnark_policy { /******************************** Params ********************************/ diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/generator.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/generator.hpp index b8a9e3e11..b42bc292f 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/generator.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/generator.hpp @@ -32,6 +32,8 @@ #include +#include + #include #include @@ -48,7 +50,7 @@ namespace nil { */ template class r1cs_se_ppzksnark_generator { - typedef detail::r1cs_se_ppzksnark_types_policy policy_type; + typedef detail::r1cs_se_ppzksnark_policy policy_type; using g1_type = typename CurveType::template g1_type<>; using g2_type = typename CurveType::template g2_type<>; diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/prover.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/prover.hpp index 3dc29bfb4..75be5c741 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/prover.hpp @@ -53,7 +53,7 @@ namespace nil { */ template class r1cs_se_ppzksnark_prover { - typedef detail::r1cs_se_ppzksnark_types_policy policy_type; + typedef detail::r1cs_se_ppzksnark_policy policy_type; public: typedef typename policy_type::constraint_system_type constraint_system_type; diff --git a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verifier.hpp b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verifier.hpp index c6572ca04..f5b36bd6f 100644 --- a/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/ppzksnark/r1cs_se_ppzksnark/verifier.hpp @@ -46,7 +46,7 @@ namespace nil { */ template class r1cs_se_ppzksnark_process_verification_key { - typedef detail::r1cs_se_ppzksnark_types_policy policy_type; + typedef detail::r1cs_se_ppzksnark_policy policy_type; public: typedef typename policy_type::verification_key_type verification_key_type; @@ -90,7 +90,7 @@ namespace nil { template class r1cs_se_ppzksnark_verifier_weak_input_consistency { - typedef detail::r1cs_se_ppzksnark_types_policy policy_type; + typedef detail::r1cs_se_ppzksnark_policy policy_type; public: typedef typename policy_type::primary_input_type primary_input_type; @@ -181,7 +181,7 @@ namespace nil { template class r1cs_se_ppzksnark_verifier_strong_input_consistency { - typedef detail::r1cs_se_ppzksnark_types_policy policy_type; + typedef detail::r1cs_se_ppzksnark_policy policy_type; public: typedef typename policy_type::primary_input_type primary_input_type; diff --git a/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp b/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp index c45bf5ae9..9f19077f2 100644 --- a/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp +++ b/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp @@ -63,65 +63,72 @@ namespace nil { * } * }; */ - template> - class fiat_shamir_heuristic { + template + class fiat_shamir_heuristic_accumulative { accumulator_set acc; public: - fiat_shamir_heuristic() : acc() { + typedef Hash hash_type; + typedef ChallengesType challenges_type; + + fiat_shamir_heuristic_accumulative() : acc() { } template void operator()(TAny data) { nil::marshalling::status_type status; - typename Hash::construction::type::block_type byte_data = nil::marshalling::pack(data, status); + typename hash_type::construction::type::block_type byte_data = + nil::marshalling::pack(data, status); acc(byte_data); } - template + template typename FieldType::value_type challenge() { // acc(ChallengeId); - typename Hash::digest_type hash_res = accumulators::extract::hash(acc); + typename hash_type::digest_type hash_res = accumulators::extract::hash(acc); return FieldType::value_type::one(); } - template + template typename FieldType::value_type challenge() { // acc(ChallengeId + Index); - typename Hash::digest_type hash_res = accumulators::extract::hash(acc); + typename hash_type::digest_type hash_res = accumulators::extract::hash(acc); return FieldType::value_type::one(); } - template std::array challenges() { - std::array hash_results; + std::array hash_results; std::array result; for (std::size_t i = 0; i < ChallengesAmount; i++) { // acc(ChallengeId + i); - hash_results[i] = accumulators::extract::hash(acc); + hash_results[i] = accumulators::extract::hash(acc); } return result; } }; - template> - struct fiat_shamir_heuristic_updated { + template + struct fiat_shamir_heuristic_sequential { typedef Hash hash_type; + fiat_shamir_heuristic_sequential() : state(hash({0})) { + } + template - fiat_shamir_heuristic_updated(const InputRange &r) : state(hash(r)) { + fiat_shamir_heuristic_sequential(const InputRange &r) : state(hash(r)) { } template - fiat_shamir_heuristic_updated(InputIterator first, InputIterator last) : + fiat_shamir_heuristic_sequential(InputIterator first, InputIterator last) : state(hash(first, last)) { } diff --git a/test/commitment/fri.cpp b/test/commitment/fri.cpp index ef0c1e786..9f359c191 100644 --- a/test/commitment/fri.cpp +++ b/test/commitment/fri.cpp @@ -42,10 +42,10 @@ #include #include -#include // until fri inclusion +#include // until fri inclusion #include -#include +#include using namespace nil::crypto3; @@ -96,7 +96,7 @@ BOOST_AUTO_TEST_CASE(fri_basic_test) { // eval std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; - zk::snark::fiat_shamir_heuristic_updated transcript(init_blob); + zk::snark::fiat_shamir_heuristic_sequential transcript(init_blob); // LPC-related logic, here we "nulify" it via U = 0, V - 1 // TODO: Make FRI independent from LPC input @@ -106,7 +106,7 @@ BOOST_AUTO_TEST_CASE(fri_basic_test) { proof_type proof = fri_type::proof_eval(f, f, commit_merkle, transcript, params); // verify - zk::snark::fiat_shamir_heuristic_updated transcript_verifier(init_blob); + zk::snark::fiat_shamir_heuristic_sequential transcript_verifier(init_blob); BOOST_CHECK(fri_type::verify_eval(proof, transcript_verifier, params, U, V)); @@ -203,7 +203,7 @@ BOOST_AUTO_TEST_CASE(fri_steps_count_test) { std::array evaluation_points = {D[0]->get_domain_element(1).pow(5)}; std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; - zk::snark::fiat_shamir_heuristic_updated transcript(init_blob); + zk::snark::fiat_shamir_heuristic_sequential transcript(init_blob); proof_type proof = fri_type::proof_eval(f, f, commit_merkle, transcript, params); diff --git a/test/commitment/lpc.cpp b/test/commitment/lpc.cpp index 197ec7f76..49e3c4157 100644 --- a/test/commitment/lpc.cpp +++ b/test/commitment/lpc.cpp @@ -42,8 +42,8 @@ #include #include -#include -#include +#include +#include #include using namespace nil::crypto3; @@ -103,12 +103,12 @@ BOOST_AUTO_TEST_CASE(lpc_basic_test) { std::array evaluation_points = {algebra::fields::arithmetic_params::multiplicative_generator}; std::array x_data {}; - zk::snark::fiat_shamir_heuristic_updated transcript(x_data); + zk::snark::fiat_shamir_heuristic_sequential transcript(x_data); auto proof = lpc_type::proof_eval(evaluation_points, tree, f, transcript, fri_params); // verify - zk::snark::fiat_shamir_heuristic_updated transcript_verifier(x_data); + zk::snark::fiat_shamir_heuristic_sequential transcript_verifier(x_data); BOOST_CHECK(lpc_type::verify_eval(evaluation_points, proof, transcript_verifier, fri_params)); } diff --git a/test/commitment/lpc_performance.cpp b/test/commitment/lpc_performance.cpp index 97914c42c..217f1b586 100644 --- a/test/commitment/lpc_performance.cpp +++ b/test/commitment/lpc_performance.cpp @@ -42,8 +42,8 @@ #include #include -#include -#include +#include +#include #include using namespace nil::crypto3; @@ -155,12 +155,12 @@ BOOST_AUTO_TEST_CASE(lpc_performance_test) { algebra::fields::arithmetic_params::multiplicative_generator}; std::array x_data {}; - zk::snark::fiat_shamir_heuristic_updated transcript(x_data); + zk::snark::fiat_shamir_heuristic_sequential transcript(x_data); auto proof = lpc_type::proof_eval(evaluation_points, tree, poly, transcript, fri_params); // phase_2: Prove // verify - zk::snark::fiat_shamir_heuristic_updated transcript_verifier(x_data); + zk::snark::fiat_shamir_heuristic_sequential transcript_verifier(x_data); BOOST_CHECK(lpc_type::verify_eval(evaluation_points, proof, transcript_verifier, fri_params)); // phase_3: Verify } diff --git a/test/systems/plonk/circuits.hpp b/test/systems/plonk/circuits.hpp index 6ef9d8d79..6e5b9dd4f 100644 --- a/test/systems/plonk/circuits.hpp +++ b/test/systems/plonk/circuits.hpp @@ -38,7 +38,7 @@ #include #include #include -#include +#include #include #include @@ -46,62 +46,59 @@ namespace nil { namespace crypto3 { namespace zk { namespace snark { - template - class circuit_description - { - using types_policy = zk::snark::detail::redshift_types_policy; - constexpr static const std::size_t witness_columns = RedshiftParams::witness_columns; - constexpr static const std::size_t public_columns = RedshiftParams::public_columns; - using merkle_hash_type = typename RedshiftParams::merkle_hash_type; - using transcript_hash_type = typename RedshiftParams::transcript_hash_type; + template + class circuit_description { + typedef zk::snark::detail::redshift_policy policy_type; - public: - const std::size_t table_rows = 1 << rows_log; + constexpr static const std::size_t witness_columns = ParamsType::witness_columns; + constexpr static const std::size_t public_columns = ParamsType::public_columns; + using merkle_hash_type = typename ParamsType::merkle_hash_type; + using transcript_hash_type = typename ParamsType::transcript_hash_type; - std::shared_ptr> domain; + public: + const std::size_t table_rows = 1 << rows_log; - typename FieldType::value_type omega; - typename FieldType::value_type delta; + std::shared_ptr> domain; - plonk_permutation permutation; + typename FieldType::value_type omega; + typename FieldType::value_type delta; - std::vector> S_id; - std::vector> S_sigma; + plonk_permutation permutation; - typename types_policy::variable_assignment_type table; - std::vector> column_polynomials; + std::vector> S_id; + std::vector> S_sigma; - // construct q_last, q_blind - math::polynomial q_last; - math::polynomial q_blind; + typename policy_type::variable_assignment_type table; + std::vector> column_polynomials; - std::vector> gates; + // construct q_last, q_blind + math::polynomial q_last; + math::polynomial q_blind; - circuit_description() { - domain = math::make_evaluation_domain(table_rows); + std::vector> gates; - omega = domain->get_domain_element(1); - delta = algebra::fields::arithmetic_params::multiplicative_generator; + circuit_description() { + domain = math::make_evaluation_domain(table_rows); - permutation = plonk_permutation(witness_columns + public_columns, table_rows); - } + omega = domain->get_domain_element(1); + delta = algebra::fields::arithmetic_params::multiplicative_generator; + + permutation = plonk_permutation(witness_columns + public_columns, table_rows); + } - void init() { - S_id = redshift_public_preprocessor::identity_polynomials( + void init() { + S_id = redshift_public_preprocessor::identity_polynomials( permutation_size, table_rows, omega, delta, domain); - S_sigma = redshift_public_preprocessor::permutation_polynomials( + S_sigma = redshift_public_preprocessor::permutation_polynomials( permutation_size, table_rows, omega, delta, permutation, domain); - q_last = redshift_public_preprocessor::selector_last( + q_last = redshift_public_preprocessor::selector_last( table_rows, usable_rows, domain); - q_blind = redshift_public_preprocessor::selector_blind( + q_blind = redshift_public_preprocessor::selector_blind( table_rows, usable_rows, domain); - } - }; + } + }; //---------------------------------------------------------------------------// // Test circuit 1 @@ -111,13 +108,14 @@ namespace nil { // ... | ADD | x | y | z | 1 | 0 | // k-2 | MUL | x | y | z | 0 | 1 | // k-1 | MUL | x | y | z | 0 | 1 | - // + // // ADD: x + y = z // MUL: x * y = z //---------------------------------------------------------------------------// - typedef redshift_params<3, 0> circuit_1_params; + typedef redshift_params<3, 0> circuit_1_params; + template - circuit_description circuit_test_1() { + circuit_description circuit_test_1() { constexpr static const std::size_t rows_log = 4; constexpr static const std::size_t table_columns = 3; constexpr static const std::size_t witness_columns = 3; @@ -190,25 +188,24 @@ namespace nil { test_circuit.table = plonk_assignment_table( plonk_private_assignment_table(private_assignment), plonk_public_assignment_table(selectors_assignment, - public_input_assignment)); + public_input_assignment)); test_circuit.init(); - plonk_variable w0(0, plonk_variable::rotation_type::current, - plonk_variable::column_type::witness); + plonk_variable::column_type::witness); plonk_variable w1(0, plonk_variable::rotation_type::current, - plonk_variable::column_type::witness); + plonk_variable::column_type::witness); plonk_variable w2(0, plonk_variable::rotation_type::current, - plonk_variable::column_type::witness); - + plonk_variable::column_type::witness); + plonk_constraint add_constraint; add_constraint.add_term(w0); add_constraint.add_term(w1); add_constraint.add_term(-w2); std::vector> add_gate_costraints {add_constraint}; - plonk_gate add_gate (0, add_gate_costraints); + plonk_gate add_gate(0, add_gate_costraints); test_circuit.gates.push_back(add_gate); plonk_constraint mul_constraint; @@ -216,7 +213,7 @@ namespace nil { add_constraint.add_term(-w2); std::vector> mul_gate_costraints {mul_constraint}; - plonk_gate mul_gate (1, mul_gate_costraints); + plonk_gate mul_gate(1, mul_gate_costraints); test_circuit.gates.push_back(mul_gate); return test_circuit; @@ -230,13 +227,14 @@ namespace nil { // ... | ADD | x | y | z | 0 | 1 | 0 | // k-2 | MUL | x | y | z | 0 | 0 | 1 | // k-1 | MUL | x | y | z | 0 | 0 | 1 | - // + // // ADD: x + y = z, copy(prev(z), y) // MUL: x * y = z, copy(p1, y) //---------------------------------------------------------------------------// typedef redshift_params<3, 1> circuit_2_params; + template - circuit_description circuit_test_2() { + circuit_description circuit_test_2() { constexpr static const std::size_t rows_log = 4; constexpr static const std::size_t table_columns = 4; constexpr static const std::size_t witness_columns = 3; @@ -310,24 +308,24 @@ namespace nil { test_circuit.table = plonk_assignment_table( plonk_private_assignment_table(private_assignment), plonk_public_assignment_table(selectors_assignment, - public_input_assignment)); + public_input_assignment)); test_circuit.init(); - + plonk_variable w0(0, plonk_variable::rotation_type::current, - plonk_variable::column_type::witness); + plonk_variable::column_type::witness); plonk_variable w1(0, plonk_variable::rotation_type::current, - plonk_variable::column_type::witness); + plonk_variable::column_type::witness); plonk_variable w2(0, plonk_variable::rotation_type::current, - plonk_variable::column_type::witness); - + plonk_variable::column_type::witness); + plonk_constraint add_constraint; add_constraint.add_term(w0); add_constraint.add_term(w1); add_constraint.add_term(-w2); std::vector> add_gate_costraints {add_constraint}; - plonk_gate add_gate (0, add_gate_costraints); + plonk_gate add_gate(0, add_gate_costraints); test_circuit.gates.push_back(add_gate); plonk_constraint mul_constraint; @@ -335,7 +333,7 @@ namespace nil { add_constraint.add_term(-w2); std::vector> mul_gate_costraints {mul_constraint}; - plonk_gate mul_gate (1, mul_gate_costraints); + plonk_gate mul_gate(1, mul_gate_costraints); test_circuit.gates.push_back(mul_gate); return test_circuit; diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index 208f63144..866a09c47 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -44,7 +44,7 @@ #include #include #include -#include +#include "nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp" #include #include @@ -52,7 +52,7 @@ #include -#include +#include #include "circuits.hpp" @@ -101,85 +101,92 @@ struct redshift_test_params { constexpr static const std::size_t m = 2; }; -constexpr static const std::size_t table_columns = redshift_test_params::witness_columns + redshift_test_params::public_columns; +constexpr static const std::size_t table_columns = + redshift_test_params::witness_columns + redshift_test_params::public_columns; -typedef fri_commitment_scheme fri_type; +typedef fri_commitment_scheme + fri_type; typedef redshift_params<3, 1> circuit_2_params; BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { - circuit_description circuit = circuit_test_2(); + circuit_description circuit = + circuit_test_2(); - using types_policy = zk::snark::detail::redshift_types_policy; + using policy_type = zk::snark::detail::redshift_policy; - typedef list_polynomial_commitment_scheme lpc_type; + typedef list_polynomial_commitment_scheme lpc_type; typename fri_type::params_type fri_params = create_fri_params(table_rows_log); - typename types_policy::constraint_system_type constraint_system({}, table_rows); + typename policy_type::constraint_system_type constraint_system({}, table_rows); - typename types_policy::variable_assignment_type assigments = circuit.table; + typename policy_type::variable_assignment_type assigments = circuit.table; - types_policy::circuit_short_description short_description; + policy_type::circuit_short_description short_description; short_description.columns_with_copy_constraints = {0, 1, 2, 3}; short_description.table_rows = table_rows; short_description.usable_rows = usable_rows; short_description.delta = circuit.delta; short_description.permutation = circuit.permutation; - typename types_policy::preprocessed_public_data_type preprocessed_data_public = - redshift_public_preprocessor::process(constraint_system, assigments.public_table(), short_description); + typename policy_type::preprocessed_public_data_type preprocessed_data_public = + redshift_public_preprocessor::process( + constraint_system, assigments.public_table(), short_description); - typename types_policy::preprocessed_private_data_type preprocessed_data_private = - redshift_private_preprocessor::process(constraint_system, assigments.private_table(), short_description); + typename policy_type::preprocessed_private_data_type preprocessed_data_private = + redshift_private_preprocessor::process( + constraint_system, assigments.private_table(), short_description); - auto proof = redshift_prover::process( - preprocessed_data_public, preprocessed_data_private, constraint_system, assigments, short_description, fri_params); + auto proof = redshift_prover::process(preprocessed_data_public, + preprocessed_data_private, constraint_system, + assigments, short_description, fri_params); - bool verifier_res = redshift_verifier::process( - proof, short_description); + bool verifier_res = redshift_verifier::process(proof, short_description); BOOST_CHECK(verifier_res); } BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { - circuit_description circuit = circuit_test_2(); + circuit_description circuit = + circuit_test_2(); constexpr std::size_t argument_size = 3; - using types_policy = zk::snark::detail::redshift_types_policy; + using policy_type = zk::snark::detail::redshift_policy; constexpr static const std::size_t r = table_rows_log - 1; - typedef list_polynomial_commitment_scheme lpc_type; + typedef list_polynomial_commitment_scheme lpc_type; typename fri_type::params_type fri_params = create_fri_params(table_rows_log); - typename types_policy::constraint_system_type constraint_system({}, table_rows); - typename types_policy::variable_assignment_type assigments = circuit.table; + typename policy_type::constraint_system_type constraint_system({}, table_rows); + typename policy_type::variable_assignment_type assigments = circuit.table; - types_policy::circuit_short_description short_description; + policy_type::circuit_short_description short_description; short_description.columns_with_copy_constraints = {0, 1, 2, 3}; short_description.table_rows = table_rows; short_description.usable_rows = usable_rows; short_description.delta = circuit.delta; short_description.permutation = circuit.permutation; - typename types_policy::preprocessed_public_data_type preprocessed_data_public = - redshift_public_preprocessor::process(constraint_system, assigments.public_table(), short_description); + typename policy_type::preprocessed_public_data_type preprocessed_data_public = + redshift_public_preprocessor::process( + constraint_system, assigments.public_table(), short_description); - typename types_policy::preprocessed_private_data_type preprocessed_data_private = - redshift_private_preprocessor::process(constraint_system, assigments.private_table(), short_description); + typename policy_type::preprocessed_private_data_type preprocessed_data_private = + redshift_private_preprocessor::process( + constraint_system, assigments.private_table(), short_description); std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; - fiat_shamir_heuristic_updated prover_transcript(init_blob); - fiat_shamir_heuristic_updated verifier_transcript(init_blob); + fiat_shamir_heuristic_sequential prover_transcript(init_blob); + fiat_shamir_heuristic_sequential verifier_transcript(init_blob); - typename redshift_permutation_argument::prover_result_type prover_res = - redshift_permutation_argument::prove_eval(prover_transcript, preprocessed_data_public, short_description, - circuit.column_polynomials, fri_params); + typename redshift_permutation_argument::prover_result_type + prover_res = redshift_permutation_argument::prove_eval( + prover_transcript, preprocessed_data_public, short_description, circuit.column_polynomials, fri_params); // Challenge phase typename FieldType::value_type y = algebra::random_element(); @@ -215,51 +222,55 @@ BOOST_AUTO_TEST_CASE(redshift_lookup_argument_test) { BOOST_AUTO_TEST_CASE(redshift_gate_argument_test) { - circuit_description circuit = circuit_test_2(); + circuit_description circuit = + circuit_test_2(); - using types_policy = zk::snark::detail::redshift_types_policy; + using policy_type = zk::snark::detail::redshift_policy; constexpr static const std::size_t r = table_rows_log - 1; - typedef list_polynomial_commitment_scheme lpc_type; + typedef list_polynomial_commitment_scheme lpc_type; typename fri_type::params_type fri_params = create_fri_params(table_rows_log); - - typename types_policy::constraint_system_type constraint_system(circuit.gates, table_rows); - typename types_policy::variable_assignment_type assigments = circuit.table; - types_policy::circuit_short_description short_description; + typename policy_type::constraint_system_type constraint_system(circuit.gates, table_rows); + typename policy_type::variable_assignment_type assigments = circuit.table; + + policy_type::circuit_short_description short_description; short_description.columns_with_copy_constraints = {0, 1, 2, 3}; short_description.table_rows = table_rows; short_description.usable_rows = usable_rows; short_description.delta = circuit.delta; short_description.permutation = circuit.permutation; - typename types_policy::preprocessed_public_data_type preprocessed_data_public = - redshift_public_preprocessor::process(constraint_system, assigments.public_table(), short_description); + typename policy_type::preprocessed_public_data_type preprocessed_data_public = + redshift_public_preprocessor::process( + constraint_system, assigments.public_table(), short_description); - typename types_policy::preprocessed_private_data_type preprocessed_data_private = - redshift_private_preprocessor::process(constraint_system, assigments.private_table(), short_description); + typename policy_type::preprocessed_private_data_type preprocessed_data_private = + redshift_private_preprocessor::process( + constraint_system, assigments.private_table(), short_description); std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; - fiat_shamir_heuristic_updated prover_transcript(init_blob); - fiat_shamir_heuristic_updated verifier_transcript(init_blob); + fiat_shamir_heuristic_sequential prover_transcript(init_blob); + fiat_shamir_heuristic_sequential verifier_transcript(init_blob); std::array, 1> prover_res = - redshift_gates_argument::prove_eval(constraint_system, circuit.column_polynomials, prover_transcript); + redshift_gates_argument::prove_eval(constraint_system, circuit.column_polynomials, + prover_transcript); // Challenge phase typename FieldType::value_type y = algebra::random_element(); - typename types_policy::evaluation_map columns_at_y; + typename policy_type::evaluation_map columns_at_y; for (int i = 0; i < table_columns; i++) { - auto key = std::make_tuple(i, plonk_variable::rotation_type::current, - plonk_variable::column_type::witness); + auto key = std::make_tuple(i, plonk_variable::rotation_type::current, + plonk_variable::column_type::witness); columns_at_y[key] = circuit.column_polynomials[i].evaluate(y); } std::array verifier_res = - redshift_gates_argument::verify_eval(circuit.gates, columns_at_y, y, verifier_transcript); + redshift_gates_argument::verify_eval(circuit.gates, columns_at_y, y, + verifier_transcript); typename FieldType::value_type verifier_next_challenge = verifier_transcript.template challenge(); typename FieldType::value_type prover_next_challenge = prover_transcript.template challenge(); diff --git a/test/systems/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark_aggregation_conformity.cpp b/test/systems/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark_aggregation_conformity.cpp index 70a67fd10..c2399db74 100644 --- a/test/systems/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark_aggregation_conformity.cpp +++ b/test/systems/ppzksnark/r1cs_gg_ppzksnark/r1cs_gg_ppzksnark_aggregation_conformity.cpp @@ -45,7 +45,7 @@ #include #include -#include +#include #include #include #include @@ -252,8 +252,7 @@ BOOST_AUTO_TEST_CASE(bls381_commitment_test) { fq_value_type::one()), }; - typename r1cs_gg_ppzksnark_ipp2_commitment::output_type c1 = - r1cs_gg_ppzksnark_ipp2_commitment::single(vkey, a.begin(), a.end()); + typename kzg_commitment::output_type c1 = kzg_commitment::single(vkey, a.begin(), a.end()); fq12_value_type etalon_c1_first = fq12_value_type( fq6_value_type( @@ -384,8 +383,8 @@ BOOST_AUTO_TEST_CASE(bls381_commitment_test) { fq2_value_type::one()), }; - typename r1cs_gg_ppzksnark_ipp2_commitment::output_type c2 = - r1cs_gg_ppzksnark_ipp2_commitment::pair(vkey, wkey, a.begin(), a.end(), b.begin(), b.end()); + typename kzg_commitment::output_type c2 = + kzg_commitment::pair(vkey, wkey, a.begin(), a.end(), b.begin(), b.end()); fq12_value_type etalon_c2_first = fq12_value_type( fq6_value_type( @@ -435,9 +434,9 @@ BOOST_AUTO_TEST_CASE(bls381_commitment_test) { scalar_field_value_type c(0x72629fcfc3205536b36d285f185f874593443f8ceab231d81ef8178d2958d4c3_cppui255); auto [vkey_left, vkey_right] = vkey.split(n / 2); - r1cs_gg_ppzksnark_ipp2_commitment_key vkey_compressed = vkey_left.compress(vkey_right, c); + kzg_commitment_key vkey_compressed = vkey_left.compress(vkey_right, c); auto [wkey_left, wkey_right] = wkey.split(n / 2); - r1cs_gg_ppzksnark_ipp2_commitment_key wkey_compressed = wkey_left.compress(wkey_right, c); + kzg_commitment_key wkey_compressed = wkey_left.compress(wkey_right, c); std::vector et_v1_compressed = { G2_value_type( diff --git a/test/transcript/transcript.cpp b/test/transcript/transcript.cpp index 65454e2b1..334d017d9 100644 --- a/test/transcript/transcript.cpp +++ b/test/transcript/transcript.cpp @@ -46,7 +46,7 @@ BOOST_AUTO_TEST_SUITE(zk_transcript_test_suite) BOOST_AUTO_TEST_CASE(zk_transcript_manual_test) { using field_type = algebra::curves::alt_bn128_254::scalar_field_type; std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; - fiat_shamir_heuristic_updated tr(init_blob); + fiat_shamir_heuristic_sequential tr(init_blob); auto ch1 = tr.challenge(); auto ch2 = tr.challenge(); auto ch_n = tr.challenges(); From b032b084a8704f2283f8233b721d1a8374e0912c Mon Sep 17 00:00:00 2001 From: nkaskov Date: Sun, 27 Feb 2022 15:53:43 +0300 Subject: [PATCH 191/219] Even more interface-changes related compilation problems resolved. #20 --- .../relations/non_linear_combination.hpp | 2 ++ .../zk/snark/relations/plonk/constraint.hpp | 4 +-- .../zk/snark/relations/plonk/table.hpp | 33 ++++++++++++++---- .../systems/plonk/redshift/gates_argument.hpp | 4 +-- .../snark/systems/plonk/redshift/prover.hpp | 2 -- test/systems/plonk/redshift.cpp | 34 ++++++++++++------- 6 files changed, 55 insertions(+), 24 deletions(-) diff --git a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp index b3ac2e922..912dec515 100644 --- a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp +++ b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp @@ -142,6 +142,8 @@ namespace nil { template class non_linear_combination { + protected: + std::vector> terms; public: diff --git a/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp b/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp index f92ec5461..4c838e4b9 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp @@ -102,7 +102,7 @@ namespace nil { for (const VariableType &var : nlt.vars) { - typename VariableType::assignment_type assignment; + math::polynomial assignment; switch (var.type) { case VariableType::column_type::witness: assignment = assignments.witness(var.index); @@ -130,7 +130,7 @@ namespace nil { std::tuple - key = std::make_tuple(var.wire_index, var.rotation, var.type); + key = std::make_tuple(var.index, var.rotation, var.type); term_value = term_value * assignments[key]; } acc = acc + term_value * nlt.coeff; diff --git a/include/nil/crypto3/zk/snark/relations/plonk/table.hpp b/include/nil/crypto3/zk/snark/relations/plonk/table.hpp index 86fdb6f79..320047fbe 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/table.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/table.hpp @@ -41,7 +41,7 @@ namespace nil { std::array witness_columns; public: - plonk_private_table(std::array witness_columns) : + plonk_private_table(std::array witness_columns = {}) : witness_columns(witness_columns) { } @@ -70,13 +70,17 @@ namespace nil { std::vector selector_columns; std::vector public_input_columns; + std::vector constant_columns; public: - plonk_public_table(std::vector selector_columns, + plonk_public_table(std::vector selector_columns = {}, std::vector - public_input_columns) : + public_input_columns = {}, + std::vector + constant_columns = {}) : selector_columns(selector_columns), - public_input_columns(public_input_columns) { + public_input_columns(public_input_columns), + constant_columns() { } ColumnType selector(std::size_t index) const { @@ -97,6 +101,15 @@ namespace nil { return public_input_columns; } + ColumnType constant(std::size_t index) const { + assert(index < constant_columns.size()); + return constant_columns[index]; + } + + std::vector constants() const { + return constant_columns; + } + ColumnType operator[](std::size_t index) const { if (index < selector_columns.size()) return selector_columns[index]; @@ -104,10 +117,13 @@ namespace nil { if (index < public_input_columns.size()) return public_input_columns[index]; index -= public_input_columns.size(); + if (index < constant_columns.size()) + return constant_columns[index]; + index -= constant_columns.size(); } std::size_t size() const { - return selector_columns.size() + public_input_columns.size(); + return selector_columns.size() + public_input_columns.size() + constant_columns.size(); } }; @@ -122,7 +138,8 @@ namespace nil { public_table_type _public_table; public: - plonk_table(private_table_type private_table, public_table_type public_table) : + plonk_table(private_table_type private_table = private_table_type(), + public_table_type public_table = public_table_type()) : _private_table(private_table), _public_table(public_table) { } @@ -138,6 +155,10 @@ namespace nil { return _public_table.public_input(index); } + ColumnType constant(std::size_t index) const { + return _public_table.constant(index); + } + ColumnType operator[](std::size_t index) const { if (index < _private_table.size()) return _private_table[index]; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp index 8f0af5fa1..546243afd 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp @@ -68,7 +68,7 @@ namespace nil { typename FieldType::value_type theta_acc = FieldType::value_type::one(); - const std::vector> gates = constraint_system.gates; + const std::vector> gates = constraint_system.gates(); for (std::size_t i = 0; i < gates.size(); i++) { math::polynomial gate_result = {0}; @@ -79,7 +79,7 @@ namespace nil { theta_acc *= theta; } - gate_result = gate_result * gates[i].selector; + gate_result = gate_result * column_polynomials.selector(gates[i].selector_index); F[0] = F[0] + gate_result; } diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 7aa7d5755..4c270558d 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -29,8 +29,6 @@ #include -#include - #include #include diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index 866a09c47..8bd79551e 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -132,16 +132,16 @@ BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { short_description.delta = circuit.delta; short_description.permutation = circuit.permutation; - typename policy_type::preprocessed_public_data_type preprocessed_data_public = + typename policy_type::preprocessed_public_data_type preprocessed_public_data = redshift_public_preprocessor::process( constraint_system, assigments.public_table(), short_description); - typename policy_type::preprocessed_private_data_type preprocessed_data_private = + typename policy_type::preprocessed_private_data_type preprocessed_private_data = redshift_private_preprocessor::process( constraint_system, assigments.private_table(), short_description); - - auto proof = redshift_prover::process(preprocessed_data_public, - preprocessed_data_private, constraint_system, + + auto proof = redshift_prover::process(preprocessed_public_data, + preprocessed_private_data, constraint_system, assigments, short_description, fri_params); bool verifier_res = redshift_verifier::process(proof, short_description); @@ -172,21 +172,26 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { short_description.delta = circuit.delta; short_description.permutation = circuit.permutation; - typename policy_type::preprocessed_public_data_type preprocessed_data_public = + typename policy_type::preprocessed_public_data_type preprocessed_public_data = redshift_public_preprocessor::process( constraint_system, assigments.public_table(), short_description); - typename policy_type::preprocessed_private_data_type preprocessed_data_private = + typename policy_type::preprocessed_private_data_type preprocessed_private_data = redshift_private_preprocessor::process( constraint_system, assigments.private_table(), short_description); + plonk_polynomial_table polynomial_table = + plonk_polynomial_table( + preprocessed_private_data.private_polynomial_table, + preprocessed_public_data.public_polynomial_table); + std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; fiat_shamir_heuristic_sequential prover_transcript(init_blob); fiat_shamir_heuristic_sequential verifier_transcript(init_blob); typename redshift_permutation_argument::prover_result_type prover_res = redshift_permutation_argument::prove_eval( - prover_transcript, preprocessed_data_public, short_description, circuit.column_polynomials, fri_params); + prover_transcript, preprocessed_public_data, short_description, polynomial_table, fri_params); // Challenge phase typename FieldType::value_type y = algebra::random_element(); @@ -200,7 +205,7 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { std::array verifier_res = redshift_permutation_argument::verify_eval( - verifier_transcript, preprocessed_data_public, short_description, y, f_at_y, v_p_at_y, v_p_at_y_shifted, + verifier_transcript, preprocessed_public_data, short_description, y, f_at_y, v_p_at_y, v_p_at_y_shifted, prover_res.permutation_poly_commitment.root()); typename FieldType::value_type verifier_next_challenge = verifier_transcript.template challenge(); @@ -242,20 +247,25 @@ BOOST_AUTO_TEST_CASE(redshift_gate_argument_test) { short_description.delta = circuit.delta; short_description.permutation = circuit.permutation; - typename policy_type::preprocessed_public_data_type preprocessed_data_public = + typename policy_type::preprocessed_public_data_type preprocessed_public_data = redshift_public_preprocessor::process( constraint_system, assigments.public_table(), short_description); - typename policy_type::preprocessed_private_data_type preprocessed_data_private = + typename policy_type::preprocessed_private_data_type preprocessed_private_data = redshift_private_preprocessor::process( constraint_system, assigments.private_table(), short_description); + plonk_polynomial_table polynomial_table = + plonk_polynomial_table( + preprocessed_private_data.private_polynomial_table, + preprocessed_public_data.public_polynomial_table); + std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; fiat_shamir_heuristic_sequential prover_transcript(init_blob); fiat_shamir_heuristic_sequential verifier_transcript(init_blob); std::array, 1> prover_res = - redshift_gates_argument::prove_eval(constraint_system, circuit.column_polynomials, + redshift_gates_argument::prove_eval(constraint_system, polynomial_table, prover_transcript); // Challenge phase From 5a20f39ed4be2e8fb6f3b806ac30cc8233c45891 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Sun, 27 Feb 2022 20:09:03 +0300 Subject: [PATCH 192/219] PLONK Copy constraint type inited. #20 --- .../snark/relations/plonk/copy_constraint.hpp | 45 +++++++++++++++++++ .../relations/plonk/lookup_constraint.hpp | 45 +++++++++++++++++++ .../zk/snark/relations/plonk/plonk.hpp | 14 ++++-- .../zk/snark/relations/plonk/table.hpp | 11 +++-- .../plonk/redshift/detail/redshift_policy.hpp | 5 --- 5 files changed, 108 insertions(+), 12 deletions(-) create mode 100644 include/nil/crypto3/zk/snark/relations/plonk/copy_constraint.hpp create mode 100644 include/nil/crypto3/zk/snark/relations/plonk/lookup_constraint.hpp diff --git a/include/nil/crypto3/zk/snark/relations/plonk/copy_constraint.hpp b/include/nil/crypto3/zk/snark/relations/plonk/copy_constraint.hpp new file mode 100644 index 000000000..31c402b24 --- /dev/null +++ b/include/nil/crypto3/zk/snark/relations/plonk/copy_constraint.hpp @@ -0,0 +1,45 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// Copyright (c) 2022 Ilia Shirobokov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_PLONK_COPY_CONSTRAINT_HPP +#define CRYPTO3_ZK_PLONK_COPY_CONSTRAINT_HPP + +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + + template + using plonk_copy_constraint = std::pair, plonk_variable>; + + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_PLONK_COPY_CONSTRAINT_HPP diff --git a/include/nil/crypto3/zk/snark/relations/plonk/lookup_constraint.hpp b/include/nil/crypto3/zk/snark/relations/plonk/lookup_constraint.hpp new file mode 100644 index 000000000..e20dd7f46 --- /dev/null +++ b/include/nil/crypto3/zk/snark/relations/plonk/lookup_constraint.hpp @@ -0,0 +1,45 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// Copyright (c) 2022 Ilia Shirobokov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_PLONK_LOOKUP_CONSTRAINT_HPP +#define CRYPTO3_ZK_PLONK_LOOKUP_CONSTRAINT_HPP + +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + + template + struct plonk_lookup_constraint {}; + + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_PLONK_LOOKUP_CONSTRAINT_HPP diff --git a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp index 4c53661db..ebc426305 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp @@ -47,13 +47,19 @@ namespace nil { /************************* PLONK constraint system ****************************/ template - class plonk_constraint_system { + struct plonk_constraint_system { + protected: std::vector> _gates; + std::vector> _copy_constraints; + std::vector> _lookup_constraints; std::size_t _rows_amount; public: + plonk_constraint_system() { + } + plonk_constraint_system(std::vector> gates, std::size_t rows_amount): _gates(gates), _rows_amount(rows_amount) { } @@ -84,11 +90,11 @@ namespace nil { } std::vector> copy_constraints() const { - return {}; + return _copy_constraints; } - std::vector> lookups() const { - return {}; + std::vector> lookup_constraints() const { + return _lookup_constraints; } }; } // namespace snark diff --git a/include/nil/crypto3/zk/snark/relations/plonk/table.hpp b/include/nil/crypto3/zk/snark/relations/plonk/table.hpp index 320047fbe..e4c5aa10b 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/table.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/table.hpp @@ -36,7 +36,9 @@ namespace nil { using plonk_column = std::vector; template - class plonk_private_table { + struct plonk_private_table { + + protected: std::array witness_columns; @@ -66,7 +68,9 @@ namespace nil { }; template - class plonk_public_table { + struct plonk_public_table { + + protected: std::vector selector_columns; std::vector public_input_columns; @@ -133,7 +137,8 @@ namespace nil { using private_table_type = plonk_private_table; using public_table_type = plonk_public_table; - private: + protected: + private_table_type _private_table; public_table_type _public_table; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp index 9d2732227..ce82fcce4 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp @@ -121,11 +121,6 @@ namespace nil { plonk_permutation permutation; // TODO: Gates and field elements }; - - template - struct prover_fiat_shamir_heuristic_manifest { - enum challenges_ids { beta, gamma, alpha, upsilon = alpha + AlphasAmount, tau, teta }; - }; }; } // namespace detail } // namespace snark From 6089bb274a4df2ec32bc83ce86449e8dda0dceba Mon Sep 17 00:00:00 2001 From: nkaskov Date: Sun, 27 Feb 2022 20:33:47 +0300 Subject: [PATCH 193/219] PLONK includes updated. #20 --- include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp index ebc426305..2253b2317 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp @@ -38,6 +38,8 @@ #include #include +#include +#include namespace nil { namespace crypto3 { From 927c5eab46d7a66ee9b170ae416e670e113f9bd4 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Sun, 27 Feb 2022 21:24:03 +0300 Subject: [PATCH 194/219] PLONK constraint system interface updated. #20 --- .../zk/snark/relations/plonk/constraint.hpp | 4 +- .../zk/snark/relations/plonk/plonk.hpp | 2 +- .../zk/snark/relations/plonk/table.hpp | 48 +++++++++---------- .../plonk/redshift/detail/redshift_policy.hpp | 6 +-- .../systems/plonk/redshift/gates_argument.hpp | 2 +- .../plonk/redshift/permutation_argument.hpp | 2 +- .../snark/systems/plonk/redshift/prover.hpp | 4 +- 7 files changed, 34 insertions(+), 34 deletions(-) diff --git a/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp b/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp index 4c838e4b9..374b5bb91 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp @@ -67,7 +67,7 @@ namespace nil { template typename VariableType::assignment_type evaluate(std::size_t row_index, - const plonk_assignment_table &assignments) const { + const plonk_assignment_table &assignments) const { typename VariableType::assignment_type acc = VariableType::assignment_type::zero(); for (const non_linear_term &nlt : this->terms) { typename VariableType::assignment_type term_value = nlt.coeff; @@ -95,7 +95,7 @@ namespace nil { template math::polynomial - evaluate(const plonk_polynomial_table &assignments) const { + evaluate(const plonk_polynomial_table &assignments) const { math::polynomial acc = {0}; for (const non_linear_term &nlt : this->terms) { math::polynomial term_value = {nlt.coeff}; diff --git a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp index 2253b2317..ab177a343 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp @@ -48,7 +48,7 @@ namespace nil { /************************* PLONK constraint system ****************************/ - template + template struct plonk_constraint_system { protected: diff --git a/include/nil/crypto3/zk/snark/relations/plonk/table.hpp b/include/nil/crypto3/zk/snark/relations/plonk/table.hpp index e4c5aa10b..9c27c9158 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/table.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/table.hpp @@ -35,31 +35,31 @@ namespace nil { template using plonk_column = std::vector; - template + template struct plonk_private_table { protected: - std::array witness_columns; + std::array witness_columns; public: - plonk_private_table(std::array witness_columns = {}) : + plonk_private_table(std::array witness_columns = {}) : witness_columns(witness_columns) { } ColumnType witness(std::size_t index) const { - assert(index < PlonkParams::witness_columns); + assert(index < WitnessColumns); return witness_columns[index]; } - std::array witnesses() const { + std::array witnesses() const { return witness_columns; } ColumnType operator[](std::size_t index) const { - if (index < PlonkParams::witness_columns) + if (index < WitnessColumns) return witness_columns[index]; - index -= PlonkParams::witness_columns; + index -= WitnessColumns; } std::size_t size() const { @@ -67,7 +67,7 @@ namespace nil { } }; - template + template struct plonk_public_table { protected: @@ -131,14 +131,14 @@ namespace nil { } }; - template + template struct plonk_table { - using private_table_type = plonk_private_table; - using public_table_type = plonk_public_table; + using private_table_type = plonk_private_table; + using public_table_type = plonk_public_table; protected: - + private_table_type _private_table; public_table_type _public_table; @@ -185,28 +185,28 @@ namespace nil { } }; - template + template using plonk_private_assignment_table = - plonk_private_table>; + plonk_private_table>; - template + template using plonk_public_assignment_table = - plonk_public_table>; + plonk_public_table>; - template - using plonk_assignment_table = plonk_table>; + template + using plonk_assignment_table = plonk_table>; - template + template using plonk_private_polynomial_table = - plonk_private_table>; + plonk_private_table>; - template + template using plonk_public_polynomial_table = - plonk_public_table>; + plonk_public_table>; - template + template using plonk_polynomial_table = - plonk_table>; + plonk_table>; } // namespace snark } // namespace zk diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp index ce82fcce4..d9067ca59 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp @@ -61,7 +61,7 @@ namespace nil { typedef plonk_constraint_system constraint_system_type; - typedef plonk_assignment_table variable_assignment_type; + typedef plonk_assignment_table variable_assignment_type; typedef detail::plonk_evaluation_map> evaluation_map; @@ -84,7 +84,7 @@ namespace nil { std::shared_ptr> basic_domain; - plonk_public_polynomial_table public_polynomial_table; + plonk_public_polynomial_table public_polynomial_table; // S_sigma std::vector> permutation_polynomials; @@ -103,7 +103,7 @@ namespace nil { std::shared_ptr> basic_domain; - plonk_private_polynomial_table private_polynomial_table; + plonk_private_polynomial_table private_polynomial_table; }; template diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp index 546243afd..4a29fb12d 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp @@ -59,7 +59,7 @@ namespace nil { static inline std::array, argument_size> prove_eval(typename policy_type::constraint_system_type &constraint_system, - const plonk_polynomial_table &column_polynomials, + const plonk_polynomial_table &column_polynomials, fiat_shamir_heuristic_sequential &transcript) { typename FieldType::value_type theta = transcript.template challenge(); diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp index 03f064634..a57e57ae1 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp @@ -72,7 +72,7 @@ namespace nil { const typename policy_type::preprocessed_public_data_type preprocessed_data, const typename policy_type::template circuit_short_description &short_description, - const plonk_polynomial_table &column_polynomials, + const plonk_polynomial_table &column_polynomials, typename fri_type::params_type fri_params) { const std::vector> &S_sigma = diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 4c270558d..0c774a5ef 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -143,8 +143,8 @@ namespace nil { std::vector transcript_init {}; fiat_shamir_heuristic_sequential transcript(transcript_init); - plonk_polynomial_table polynomial_table = - plonk_polynomial_table( + plonk_polynomial_table polynomial_table = + plonk_polynomial_table( preprocessed_private_data.private_polynomial_table, preprocessed_public_data.public_polynomial_table); From 16112e75621b0628e8ada561b483d79c394201e3 Mon Sep 17 00:00:00 2001 From: Mikhail Komarov Date: Mon, 28 Feb 2022 18:01:44 +0300 Subject: [PATCH 195/219] LPC tests updated #20 --- test/commitment/lpc.cpp | 13 +++++-------- test/commitment/lpc_performance.cpp | 3 ++- 2 files changed, 7 insertions(+), 9 deletions(-) diff --git a/test/commitment/lpc.cpp b/test/commitment/lpc.cpp index 49e3c4157..e75ae7a9c 100644 --- a/test/commitment/lpc.cpp +++ b/test/commitment/lpc.cpp @@ -49,7 +49,6 @@ using namespace nil::crypto3; using namespace nil::crypto3::zk::snark; - BOOST_AUTO_TEST_SUITE(lpc_test_suite) BOOST_AUTO_TEST_CASE(lpc_basic_test) { @@ -79,7 +78,8 @@ BOOST_AUTO_TEST_CASE(lpc_basic_test) { constexpr static const std::size_t d_extended = d; std::size_t extended_log = boost::static_log2::value; - std::vector>> D = fri_type::calculate_domain_set(extended_log, r); + std::vector>> D = + fri_type::calculate_domain_set(extended_log, r); typename fri_type::params_type fri_params; @@ -88,19 +88,16 @@ BOOST_AUTO_TEST_CASE(lpc_basic_test) { fri_params.D = D; fri_params.q = q; fri_params.max_degree = d - 1; - // commit - math::polynomial f = {1, 3, 4, 1, - 5, 6, 7, 2, - 8, 7, 5, 6, - 1, 2, 1, 1}; + math::polynomial f = {1, 3, 4, 1, 5, 6, 7, 2, 8, 7, 5, 6, 1, 2, 1, 1}; merkle_tree_type tree = lpc_type::commit(f, D[0]); // TODO: take a point outside of the basic domain - std::array evaluation_points = {algebra::fields::arithmetic_params::multiplicative_generator}; + std::array evaluation_points = { + algebra::fields::arithmetic_params::multiplicative_generator}; std::array x_data {}; zk::snark::fiat_shamir_heuristic_sequential transcript(x_data); diff --git a/test/commitment/lpc_performance.cpp b/test/commitment/lpc_performance.cpp index 217f1b586..af9cb6c08 100644 --- a/test/commitment/lpc_performance.cpp +++ b/test/commitment/lpc_performance.cpp @@ -112,7 +112,8 @@ BOOST_AUTO_TEST_CASE(lpc_performance_test) { constexpr static const std::size_t m = 2; typedef zk::snark::fri_commitment_scheme fri_type; - typedef zk::snark::list_polynomial_commitment_scheme lpc_type; + typedef list_polynomial_commitment_params lpc_params_type; + typedef zk::snark::list_polynomial_commitment_scheme lpc_type; typedef typename lpc_type::proof_type proof_type; constexpr static const std::size_t d_extended = d; From 238d97420373c2e2bfd035a78e529597e02d9296 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Mon, 28 Feb 2022 18:33:48 +0300 Subject: [PATCH 196/219] PLONK table interface usage updated. #20 --- .../crypto3/zk/snark/relations/plonk/constraint.hpp | 8 ++++---- .../plonk/redshift/detail/redshift_policy.hpp | 3 +-- .../zk/snark/systems/plonk/redshift/preprocessor.hpp | 8 ++++---- test/systems/plonk/circuits.hpp | 12 ++++++------ test/systems/plonk/redshift.cpp | 8 ++++---- 5 files changed, 19 insertions(+), 20 deletions(-) diff --git a/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp b/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp index 374b5bb91..43aa711ac 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp @@ -64,10 +64,10 @@ namespace nil { non_linear_combination(terms) { } - template + template typename VariableType::assignment_type evaluate(std::size_t row_index, - const plonk_assignment_table &assignments) const { + const plonk_assignment_table &assignments) const { typename VariableType::assignment_type acc = VariableType::assignment_type::zero(); for (const non_linear_term &nlt : this->terms) { typename VariableType::assignment_type term_value = nlt.coeff; @@ -93,9 +93,9 @@ namespace nil { return acc; } - template + template math::polynomial - evaluate(const plonk_polynomial_table &assignments) const { + evaluate(const plonk_polynomial_table &assignments) const { math::polynomial acc = {0}; for (const non_linear_term &nlt : this->terms) { math::polynomial term_value = {nlt.coeff}; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp index d9067ca59..e9e22619a 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp @@ -58,8 +58,7 @@ namespace nil { * Below are various template aliases (used for convenience). */ - typedef plonk_constraint_system - constraint_system_type; + typedef plonk_constraint_system constraint_system_type; typedef plonk_assignment_table variable_assignment_type; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp index 1e686b3b8..94e72966f 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp @@ -217,8 +217,8 @@ namespace nil { math::polynomial q_blind = selector_blind(short_description.table_rows, short_description.usable_rows, basic_domain); - plonk_public_polynomial_table public_polynomial_table = - plonk_public_polynomial_table( + plonk_public_polynomial_table public_polynomial_table = + plonk_public_polynomial_table( detail::column_range_polynomials(public_assignment.selectors(), basic_domain), detail::column_range_polynomials(public_assignment.public_inputs(), @@ -256,8 +256,8 @@ namespace nil { std::shared_ptr> basic_domain = math::make_evaluation_domain(N_rows); - plonk_private_polynomial_table private_polynomial_table = - plonk_private_polynomial_table( + plonk_private_polynomial_table private_polynomial_table = + plonk_private_polynomial_table( detail::column_range_polynomials(private_assignment.witnesses(), basic_domain)); diff --git a/test/systems/plonk/circuits.hpp b/test/systems/plonk/circuits.hpp index 6e5b9dd4f..6b505ed9c 100644 --- a/test/systems/plonk/circuits.hpp +++ b/test/systems/plonk/circuits.hpp @@ -185,9 +185,9 @@ namespace nil { } } - test_circuit.table = plonk_assignment_table( - plonk_private_assignment_table(private_assignment), - plonk_public_assignment_table(selectors_assignment, + test_circuit.table = plonk_assignment_table( + plonk_private_assignment_table(private_assignment), + plonk_public_assignment_table(selectors_assignment, public_input_assignment)); test_circuit.init(); @@ -305,9 +305,9 @@ namespace nil { for (std::size_t i = selectors_columns; i < selectors_columns + public_columns; i++) { public_input_assignment[i] = table[witness_columns + i]; } - test_circuit.table = plonk_assignment_table( - plonk_private_assignment_table(private_assignment), - plonk_public_assignment_table(selectors_assignment, + test_circuit.table = plonk_assignment_table( + plonk_private_assignment_table(private_assignment), + plonk_public_assignment_table(selectors_assignment, public_input_assignment)); test_circuit.init(); diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index 8bd79551e..c3ba778c9 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -180,8 +180,8 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { redshift_private_preprocessor::process( constraint_system, assigments.private_table(), short_description); - plonk_polynomial_table polynomial_table = - plonk_polynomial_table( + plonk_polynomial_table polynomial_table = + plonk_polynomial_table( preprocessed_private_data.private_polynomial_table, preprocessed_public_data.public_polynomial_table); @@ -255,8 +255,8 @@ BOOST_AUTO_TEST_CASE(redshift_gate_argument_test) { redshift_private_preprocessor::process( constraint_system, assigments.private_table(), short_description); - plonk_polynomial_table polynomial_table = - plonk_polynomial_table( + plonk_polynomial_table polynomial_table = + plonk_polynomial_table( preprocessed_private_data.private_polynomial_table, preprocessed_public_data.public_polynomial_table); From a83d5b3e01f12bee8d463c71513a0d905e3e1477 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Mon, 28 Feb 2022 20:52:24 +0300 Subject: [PATCH 197/219] PLONK variable extended with relative flag. #20 --- .../crypto3/zk/snark/relations/plonk/constraint.hpp | 8 ++++++++ .../nil/crypto3/zk/snark/relations/plonk/variable.hpp | 10 +++++++--- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp b/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp index 43aa711ac..8e8168389 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp @@ -56,6 +56,10 @@ namespace nil { plonk_constraint(const VariableType &var) : non_linear_combination(var) { } + plonk_constraint(const non_linear_combination &nlc) : + non_linear_combination(nlc) { + } + plonk_constraint(const non_linear_term &nlt) : non_linear_combination(nlt) { } @@ -64,6 +68,10 @@ namespace nil { non_linear_combination(terms) { } + non_linear_combination(nlc)(){ + return *this; + } + template typename VariableType::assignment_type evaluate(std::size_t row_index, diff --git a/include/nil/crypto3/zk/snark/relations/plonk/variable.hpp b/include/nil/crypto3/zk/snark/relations/plonk/variable.hpp index 6ae7fdb5d..a5ccc9532 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/variable.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/variable.hpp @@ -64,12 +64,16 @@ namespace nil { /** * Mnemonic typedefs. */ - enum rotation_type { pre_previous = -2, previous, current, next, after_next } rotation; + enum rotation_type { pre_previous = -2, previous, current, next, after_next }; + int rotation; enum column_type { witness, selector, public_input, constant } type; std::size_t index; + bool relative; - constexpr plonk_variable(const std::size_t index, rotation_type rotation, column_type type) : - index(index), rotation(rotation), type(type) {}; + constexpr plonk_variable(const std::size_t index, int rotation, + bool relative = true, + column_type type = column_type::witness) : + index(index), rotation(rotation), relative(relative), type(type) {}; non_linear_term> operator^(const std::size_t power) const { return non_linear_term>(*this) ^ power; From c94577397c251e3ccb6df96a16f02c0767537ec7 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Tue, 1 Mar 2022 01:33:02 +0300 Subject: [PATCH 198/219] PLONK constraint updated. #20 --- .../relations/non_linear_combination.hpp | 44 ++++++++++++------- .../zk/snark/relations/plonk/constraint.hpp | 4 -- test/systems/plonk/redshift.cpp | 7 +-- 3 files changed, 32 insertions(+), 23 deletions(-) diff --git a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp index 912dec515..e2bdec045 100644 --- a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp +++ b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp @@ -140,13 +140,13 @@ namespace nil { * A linear combination represents a formal expression of the form "sum_i coeff_i * x_{index_i}". */ template - class non_linear_combination { + struct non_linear_combination { - protected: + using term_type = non_linear_term; + using variable_type = VariableType; - std::vector> terms; + std::vector terms; - public: non_linear_combination() {}; // non_linear_combination(const field_value_type &field_coeff) { // this->add_term(non_linear_term(field_coeff)); @@ -154,10 +154,10 @@ namespace nil { non_linear_combination(const VariableType &var) { this->add_term(var); } - non_linear_combination(const non_linear_term &nlt) { + non_linear_combination(const term_type &nlt) { this->add_term(nlt); } - non_linear_combination(const std::vector> &terms) : terms(terms) { + non_linear_combination(const std::vector &terms) : terms(terms) { } // non_linear_combination(const non_linear_combination &other): @@ -165,28 +165,28 @@ namespace nil { // } /* for supporting range-based for loops over non_linear_combination */ - typename std::vector>::const_iterator begin() const { + typename std::vector::const_iterator begin() const { return terms.begin(); } - typename std::vector>::const_iterator end() const { + typename std::vector::const_iterator end() const { return terms.end(); } void add_term(const VariableType &var) { - this->terms.emplace_back(non_linear_term(var)); + this->terms.emplace_back(term_type(var)); } void add_term(const VariableType &var, const typename VariableType::assignment_type &field_coeff) { - this->terms.emplace_back(non_linear_term(var) * field_coeff); + this->terms.emplace_back(term_type(var) * field_coeff); } - void add_term(const non_linear_term &nlt) { + void add_term(const term_type &nlt) { this->terms.emplace_back(nlt); } non_linear_combination operator*(const typename VariableType::assignment_type &field_coeff) const { non_linear_combination result; result.terms.reserve(this->terms.size()); - for (const non_linear_term &nlt : this->terms) { + for (const term_type &nlt : this->terms) { result.terms.emplace_back(nlt * field_coeff); } return result; @@ -209,7 +209,7 @@ namespace nil { void sort() { std::sort(terms.begin(), terms.end()); - std::vector> new_terms; + std::vector new_terms; if (terms.size()) { new_terms.push_back(terms[0]); @@ -246,8 +246,8 @@ namespace nil { non_linear_combination result; result.terms.reserve(A.terms.size() * B.terms.size()); - for (const non_linear_term &this_nlt : A.terms) { - for (const non_linear_term &other_nlt : B.terms) { + for (const typename non_linear_combination::term_type &this_nlt : A.terms) { + for (const typename non_linear_combination::term_type &other_nlt : B.terms) { result.terms.emplace_back(this_nlt * other_nlt); } } @@ -260,7 +260,19 @@ namespace nil { non_linear_combination result; result.terms.reserve(A.terms.size()); - for (const non_linear_term &this_nlt : A.terms) { + for (const typename non_linear_combination::term_type &this_nlt : A.terms) { + result.terms.emplace_back(this_nlt * var); + } + return result; + } + + template + non_linear_combination operator*(const non_linear_combination &A, + const VariableType &var) { + non_linear_combination result; + result.terms.reserve(A.terms.size()); + + for (const typename non_linear_combination::term_type &this_nlt : A.terms) { result.terms.emplace_back(this_nlt * var); } return result; diff --git a/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp b/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp index 8e8168389..c6c10b7f9 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp @@ -68,10 +68,6 @@ namespace nil { non_linear_combination(terms) { } - non_linear_combination(nlc)(){ - return *this; - } - template typename VariableType::assignment_type evaluate(std::size_t row_index, diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index c3ba778c9..b6946e3dd 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -39,19 +39,20 @@ #include #include +#include +#include +#include + #include #include #include #include #include #include "nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp" - #include #include #include - #include - #include #include "circuits.hpp" From cc5abf4e7614c1780bfcdf299b2e279036302a21 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Tue, 1 Mar 2022 02:44:06 +0300 Subject: [PATCH 199/219] More operations added for non linear combination and PLONK variable. #20 --- .../relations/non_linear_combination.hpp | 26 +++++++++++++++++++ .../zk/snark/relations/plonk/variable.hpp | 5 ++-- 2 files changed, 29 insertions(+), 2 deletions(-) diff --git a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp index e2bdec045..d559e07ce 100644 --- a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp +++ b/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp @@ -87,6 +87,18 @@ namespace nil { return result; } + non_linear_term operator^(const std::size_t power) const { + + non_linear_term result(this->vars); + + for (std::size_t i = 0; i < power; i++){ + std::copy(this->vars.begin(), this->vars.end(), std::back_inserter(result.vars)); + } + + result.coeff = this->coeff.pow(power); + return result; + } + // non_linear_combination operator+(const non_linear_combination &other) // const { // return non_linear_combination(*this) + other; @@ -307,6 +319,20 @@ namespace nil { return -(field_coeff - lc); } + + template + non_linear_combination + operator-(const non_linear_term &term, + const non_linear_combination &lc) { + return non_linear_combination(term) - lc; + } + + template + non_linear_combination + operator-(const non_linear_combination &lc, + const non_linear_term &term) { + return lc - non_linear_combination(term); + } } // namespace snark } // namespace zk } // namespace crypto3 diff --git a/include/nil/crypto3/zk/snark/relations/plonk/variable.hpp b/include/nil/crypto3/zk/snark/relations/plonk/variable.hpp index a5ccc9532..a5ff1000d 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/variable.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/variable.hpp @@ -70,7 +70,8 @@ namespace nil { std::size_t index; bool relative; - constexpr plonk_variable(const std::size_t index, int rotation, + constexpr plonk_variable(const std::size_t index, + int rotation, bool relative = true, column_type type = column_type::witness) : index(index), rotation(rotation), relative(relative), type(type) {}; @@ -135,7 +136,7 @@ namespace nil { template non_linear_combination> operator-(const typename FieldType::value_type &field_val, const plonk_variable &var) { - return (-var) + field_val; + return - (var - field_val); } } // namespace snark From b21d5c0b4e02192bb33c32e47320ece77ad65ebf Mon Sep 17 00:00:00 2001 From: nkaskov Date: Wed, 2 Mar 2022 09:56:12 +0300 Subject: [PATCH 200/219] Minor Redshift permutation argument refactoring. #20 --- .../plonk/redshift/permutation_argument.hpp | 25 +++++++++++-------- .../snark/systems/plonk/redshift/prover.hpp | 6 ++--- .../snark/systems/plonk/redshift/verifier.hpp | 5 ++-- 3 files changed, 19 insertions(+), 17 deletions(-) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp index a57e57ae1..b90429f61 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp @@ -158,11 +158,14 @@ namespace nil { const typename policy_type::preprocessed_public_data_type preprocessed_data, const typename policy_type::template circuit_short_description &short_description, - const typename FieldType::value_type &challenge, // y - const std::vector &column_polynomials, // f(y) - const typename FieldType::value_type &perm_polynomial, // - // V_P(y) - const typename FieldType::value_type &perm_polynomial_shifted, // V_P(omega * y) + // y + const typename FieldType::value_type &challenge, + // f(y): + const std::vector &column_polynomials_values, + // V_P(y): + const typename FieldType::value_type &perm_polynomial_value, + // V_P(omega * y): + const typename FieldType::value_type &perm_polynomial_shifted_value, const typename CommitmentSchemeTypePermutation::commitment_type &V_P_commitment) { const std::vector> &S_sigma = @@ -181,19 +184,19 @@ namespace nil { typename FieldType::value_type g = FieldType::value_type::one(); typename FieldType::value_type h = FieldType::value_type::one(); - for (std::size_t i = 0; i < column_polynomials.size(); i++) { - g = g * (column_polynomials[i] + beta * S_id[i].evaluate(challenge) + gamma); - h = h * (column_polynomials[i] + beta * S_sigma[i].evaluate(challenge) + gamma); + for (std::size_t i = 0; i < column_polynomials_values.size(); i++) { + g = g * (column_polynomials_values[i] + beta * S_id[i].evaluate(challenge) + gamma); + h = h * (column_polynomials_values[i] + beta * S_sigma[i].evaluate(challenge) + gamma); } std::array F; typename FieldType::value_type one = FieldType::value_type::one(); - F[0] = preprocessed_data.lagrange_0.evaluate(challenge) * (one - perm_polynomial); + F[0] = preprocessed_data.lagrange_0.evaluate(challenge) * (one - perm_polynomial_value); F[1] = (one - preprocessed_data.q_last.evaluate(challenge) - preprocessed_data.q_blind.evaluate(challenge)) * - (perm_polynomial_shifted * h - perm_polynomial * g); + (perm_polynomial_shifted_value * h - perm_polynomial_value * g); F[2] = preprocessed_data.q_last.evaluate(challenge) * - (perm_polynomial.squared() - perm_polynomial); + (perm_polynomial_value.squared() - perm_polynomial_value); return F; } diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 0c774a5ef..1d76509a5 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -140,8 +140,6 @@ namespace nil { commitment_scheme_permutation_type, commitment_scheme_quotient_type> proof; - std::vector transcript_init {}; - fiat_shamir_heuristic_sequential transcript(transcript_init); plonk_polynomial_table polynomial_table = plonk_polynomial_table( @@ -150,6 +148,8 @@ namespace nil { // 1. Add circuit definition to transcript // transcript(short_description); //TODO: circuit_short_description marshalling + std::vector transcript_init {}; + fiat_shamir_heuristic_sequential transcript(transcript_init); // 2. Commit witness columns std::array, witness_columns> witness_poly = @@ -162,7 +162,7 @@ namespace nil { proof.witness_commitments.resize(witness_columns); for (std::size_t i = 0; i < witness_columns; i++) { proof.witness_commitments[i] = witness_commitments[i].root(); - // transcript(proof.witness_commitments[i]); + transcript(proof.witness_commitments[i]); } // 4. permutation_argument diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp index 54c2abcc6..b18e0c180 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp @@ -84,13 +84,12 @@ namespace nil { const typename policy_type::template circuit_short_description &short_description) { // TODO: decsription commitment scheme - fiat_shamir_heuristic_sequential transcript; - // 1. Add circuit definition to transcript // transcript(short_description); + fiat_shamir_heuristic_sequential transcript(short_description); for (std::size_t i = 0; i < witness_columns; i++) { - // transcript(proof.witness_commitments[i]); + transcript(proof.witness_commitments[i]); } /*std::array permutation_argument = From 98fdb4dbbaef2d950084c04c0202159d59c9d95e Mon Sep 17 00:00:00 2001 From: Ilias Khairullin Date: Wed, 2 Mar 2022 15:03:35 +0300 Subject: [PATCH 201/219] Lpc params typedef added. #20 --- include/nil/crypto3/zk/snark/commitments/lpc.hpp | 1 + 1 file changed, 1 insertion(+) diff --git a/include/nil/crypto3/zk/snark/commitments/lpc.hpp b/include/nil/crypto3/zk/snark/commitments/lpc.hpp index 641021e64..21448f611 100644 --- a/include/nil/crypto3/zk/snark/commitments/lpc.hpp +++ b/include/nil/crypto3/zk/snark/commitments/lpc.hpp @@ -84,6 +84,7 @@ namespace nil { constexpr static const std::size_t k = K; typedef FieldType field_type; + typedef LPCParams lpc_params; typedef typename containers::merkle_tree merkle_tree_type; typedef typename containers::merkle_proof merkle_proof_type; From 9025c74587875a9d9e775d5681c382ed4cc2cfd0 Mon Sep 17 00:00:00 2001 From: Ilias Khairullin Date: Wed, 2 Mar 2022 16:29:26 +0300 Subject: [PATCH 202/219] Lpc proof comparison operator fixed. #20 --- include/nil/crypto3/zk/snark/commitments/lpc.hpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/nil/crypto3/zk/snark/commitments/lpc.hpp b/include/nil/crypto3/zk/snark/commitments/lpc.hpp index 21448f611..f07f8e11d 100644 --- a/include/nil/crypto3/zk/snark/commitments/lpc.hpp +++ b/include/nil/crypto3/zk/snark/commitments/lpc.hpp @@ -95,7 +95,7 @@ namespace nil { struct proof_type { bool operator==(const proof_type &rhs) const { - return z == rhs.z && fri_proof == rhs.fri_proof; + return z == rhs.z && fri_proof == rhs.fri_proof && T_root == rhs.T_root; } bool operator!=(const proof_type &rhs) const { return !(rhs == *this); From d3960b85384ce512e4a799478232fe3c2b4b4a91 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Fri, 4 Mar 2022 03:45:28 +0300 Subject: [PATCH 203/219] PLONK table public part template params added. #20 --- .../zk/snark/relations/plonk/constraint.hpp | 12 ++- .../zk/snark/relations/plonk/table.hpp | 77 ++++++++++++------- .../plonk/redshift/detail/redshift_policy.hpp | 32 ++++---- .../systems/plonk/redshift/gates_argument.hpp | 4 +- .../snark/systems/plonk/redshift/params.hpp | 12 ++- .../plonk/redshift/permutation_argument.hpp | 4 +- .../systems/plonk/redshift/preprocessor.hpp | 21 +++-- .../snark/systems/plonk/redshift/prover.hpp | 8 +- 8 files changed, 105 insertions(+), 65 deletions(-) diff --git a/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp b/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp index c6c10b7f9..e9287513d 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp @@ -68,10 +68,12 @@ namespace nil { non_linear_combination(terms) { } - template + template typename VariableType::assignment_type evaluate(std::size_t row_index, - const plonk_assignment_table &assignments) const { + const plonk_assignment_table &assignments) const { typename VariableType::assignment_type acc = VariableType::assignment_type::zero(); for (const non_linear_term &nlt : this->terms) { typename VariableType::assignment_type term_value = nlt.coeff; @@ -97,9 +99,11 @@ namespace nil { return acc; } - template + template math::polynomial - evaluate(const plonk_polynomial_table &assignments) const { + evaluate(const plonk_polynomial_table &assignments) const { math::polynomial acc = {0}; for (const non_linear_term &nlt : this->terms) { math::polynomial term_value = {nlt.coeff}; diff --git a/include/nil/crypto3/zk/snark/relations/plonk/table.hpp b/include/nil/crypto3/zk/snark/relations/plonk/table.hpp index 9c27c9158..0ccf0ed7c 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/table.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/table.hpp @@ -62,25 +62,31 @@ namespace nil { index -= WitnessColumns; } - std::size_t size() const { + constexpr std::size_t size() const { return witness_columns.size(); } + + std::size_t depth() const { + return std::max(std::for_each(witness_columns.begin(), witness_columns.end(), + std::size)); + } }; - template + template struct plonk_public_table { protected: - std::vector selector_columns; - std::vector public_input_columns; - std::vector constant_columns; + std::array selector_columns; + std::array public_input_columns; + std::array constant_columns; public: - plonk_public_table(std::vector selector_columns = {}, - std::vector + plonk_public_table(std::array selector_columns = {}, + std::array public_input_columns = {}, - std::vector + std::array constant_columns = {}) : selector_columns(selector_columns), public_input_columns(public_input_columns), @@ -88,7 +94,7 @@ namespace nil { } ColumnType selector(std::size_t index) const { - assert(index < selector_columns.size()); + assert(index < SelectorColumns); return selector_columns[index]; } @@ -97,7 +103,7 @@ namespace nil { } ColumnType public_input(std::size_t index) const { - assert(index < public_input_columns.size()); + assert(index < PublicInputColumns); return public_input_columns[index]; } @@ -106,7 +112,7 @@ namespace nil { } ColumnType constant(std::size_t index) const { - assert(index < constant_columns.size()); + assert(index < ConstantColumns); return constant_columns[index]; } @@ -115,27 +121,30 @@ namespace nil { } ColumnType operator[](std::size_t index) const { - if (index < selector_columns.size()) + if (index < SelectorColumns) return selector_columns[index]; - index -= selector_columns.size(); - if (index < public_input_columns.size()) + index -= SelectorColumns; + if (index < PublicInputColumns) return public_input_columns[index]; - index -= public_input_columns.size(); - if (index < constant_columns.size()) + index -= PublicInputColumns; + if (index < ConstantColumns) return constant_columns[index]; - index -= constant_columns.size(); + index -= ConstantColumns; } - std::size_t size() const { - return selector_columns.size() + public_input_columns.size() + constant_columns.size(); + constexpr std::size_t size() const { + return SelectorColumns + PublicInputColumns + ConstantColumns; } }; - template + template struct plonk_table { using private_table_type = plonk_private_table; - using public_table_type = plonk_public_table; + using public_table_type = plonk_public_table; protected: @@ -189,24 +198,34 @@ namespace nil { using plonk_private_assignment_table = plonk_private_table>; - template + template using plonk_public_assignment_table = - plonk_public_table>; + plonk_public_table>; - template - using plonk_assignment_table = plonk_table>; + template + using plonk_assignment_table = plonk_table>; template using plonk_private_polynomial_table = plonk_private_table>; - template + template using plonk_public_polynomial_table = - plonk_public_table>; + plonk_public_table>; - template + template using plonk_polynomial_table = - plonk_table>; + plonk_table>; } // namespace snark } // namespace zk diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp index e9e22619a..b7f55eb98 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp @@ -50,7 +50,10 @@ namespace nil { struct redshift_policy { constexpr static const std::size_t witness_columns = RedshiftParams::witness_columns; - constexpr static const std::size_t public_columns = RedshiftParams::public_columns; + constexpr static const std::size_t public_input_columns = + RedshiftParams::public_input_columns; + constexpr static const std::size_t selector_columns = RedshiftParams::selector_columns; + constexpr static const std::size_t constant_columns = RedshiftParams::constant_columns; /******************************** Params ********************************/ @@ -60,7 +63,8 @@ namespace nil { typedef plonk_constraint_system constraint_system_type; - typedef plonk_assignment_table variable_assignment_type; + typedef plonk_assignment_table variable_assignment_type; typedef detail::plonk_evaluation_map> evaluation_map; @@ -79,11 +83,13 @@ namespace nil { redshift_proof; + // template struct preprocessed_public_data_type { std::shared_ptr> basic_domain; - plonk_public_polynomial_table public_polynomial_table; + plonk_public_polynomial_table public_polynomial_table; // S_sigma std::vector> permutation_polynomials; @@ -96,6 +102,10 @@ namespace nil { math::polynomial q_blind; math::polynomial Z; + + // std::vector selectors_commits; + // std::vector id_polys_commits; + // std::vector perm_polys_commits; }; struct preprocessed_private_data_type { @@ -104,22 +114,6 @@ namespace nil { plonk_private_polynomial_table private_polynomial_table; }; - - template - struct circuit_short_description { - std::vector selectors_commits; - std::vector id_polys_commits; - std::vector perm_polys_commits; - - std::vector columns_with_copy_constraints; - - std::size_t table_rows; - std::size_t usable_rows; - - typename FieldType::value_type delta; - plonk_permutation permutation; - // TODO: Gates and field elements - }; }; } // namespace detail } // namespace snark diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp index 4a29fb12d..aa30ff0b1 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp @@ -59,7 +59,9 @@ namespace nil { static inline std::array, argument_size> prove_eval(typename policy_type::constraint_system_type &constraint_system, - const plonk_polynomial_table &column_polynomials, + const plonk_polynomial_table &column_polynomials, fiat_shamir_heuristic_sequential &transcript) { typename FieldType::value_type theta = transcript.template challenge(); diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp index 96f816e53..6e9e0ac12 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp @@ -33,7 +33,11 @@ namespace nil { namespace crypto3 { namespace zk { namespace snark { - template, typename TranscriptHashType = hashes::keccak_1600<512>, std::size_t Lambda = 40, std::size_t R = 1, std::size_t M = 2> @@ -43,7 +47,11 @@ namespace nil { typedef TranscriptHashType transcript_hash_type; constexpr static const std::size_t witness_columns = WitnessColumns; - constexpr static const std::size_t public_columns = PublicColumns; + constexpr static const std::size_t selectors_columns = SelectorColumns; + constexpr static const std::size_t public_input_columns = PublicInputColumns; + constexpr static const std::size_t constant_columns = ConstantColumns; + + constexpr static const typename FieldType::value_type delta = 1; typedef list_polynomial_commitment_params commitment_params_type; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp index b90429f61..637434c79 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp @@ -72,7 +72,9 @@ namespace nil { const typename policy_type::preprocessed_public_data_type preprocessed_data, const typename policy_type::template circuit_short_description &short_description, - const plonk_polynomial_table &column_polynomials, + const plonk_polynomial_table &column_polynomials, typename fri_type::params_type fri_params) { const std::vector> &S_sigma = diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp index 94e72966f..b7e9ef756 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp @@ -198,10 +198,14 @@ namespace nil { std::shared_ptr> basic_domain = math::make_evaluation_domain(N_rows); + // TODO: add std::vector columns_with_copy_constraints; + + plonk_permutation permutation; + std::vector> _permutation_polynomials = permutation_polynomials(short_description.columns_with_copy_constraints.size(), short_description.table_rows, basic_domain->get_domain_element(1), - short_description.delta, short_description.permutation, + short_description.delta, permutation, basic_domain); std::vector> _identity_polynomials = @@ -217,8 +221,11 @@ namespace nil { math::polynomial q_blind = selector_blind(short_description.table_rows, short_description.usable_rows, basic_domain); - plonk_public_polynomial_table public_polynomial_table = - plonk_public_polynomial_table( + plonk_public_polynomial_table + public_polynomial_table = + plonk_public_polynomial_table( detail::column_range_polynomials(public_assignment.selectors(), basic_domain), detail::column_range_polynomials(public_assignment.public_inputs(), @@ -239,9 +246,9 @@ namespace nil { } }; - template + template class redshift_private_preprocessor { - using policy_type = detail::redshift_policy; + using policy_type = detail::redshift_policy; public: template @@ -256,8 +263,8 @@ namespace nil { std::shared_ptr> basic_domain = math::make_evaluation_domain(N_rows); - plonk_private_polynomial_table private_polynomial_table = - plonk_private_polynomial_table( + plonk_private_polynomial_table private_polynomial_table = + plonk_private_polynomial_table( detail::column_range_polynomials(private_assignment.witnesses(), basic_domain)); diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 1d76509a5..31f9a01b4 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -141,8 +141,12 @@ namespace nil { commitment_scheme_quotient_type> proof; - plonk_polynomial_table polynomial_table = - plonk_polynomial_table( + plonk_polynomial_table polynomial_table = + plonk_polynomial_table( preprocessed_private_data.private_polynomial_table, preprocessed_public_data.public_polynomial_table); From 64acff6e00e5f2d4daa512e51d59e256ea436f62 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Sun, 6 Mar 2022 18:24:20 +0200 Subject: [PATCH 204/219] gate argument test update #20 --- .../zk/snark/relations/plonk/constraint.hpp | 317 +++++----- .../crypto3/zk/snark/relations/plonk/gate.hpp | 1 - .../zk/snark/relations/plonk/plonk.hpp | 9 +- .../zk/snark/relations/plonk/table.hpp | 470 +++++++-------- .../plonk/redshift/detail/redshift_policy.hpp | 250 ++++---- .../systems/plonk/redshift/gates_argument.hpp | 254 ++++---- .../snark/systems/plonk/redshift/params.hpp | 128 ++-- .../plonk/redshift/permutation_argument.hpp | 422 ++++++------- .../systems/plonk/redshift/preprocessor.hpp | 560 +++++++++--------- .../snark/systems/plonk/redshift/prover.hpp | 540 +++++++++-------- .../snark/systems/plonk/redshift/verifier.hpp | 4 +- test/systems/plonk/circuits.hpp | 76 +-- test/systems/plonk/redshift.cpp | 63 +- 13 files changed, 1559 insertions(+), 1535 deletions(-) diff --git a/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp b/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp index e9287513d..371d96ed6 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp @@ -1,155 +1,162 @@ -//---------------------------------------------------------------------------// -// Copyright (c) 2021 Mikhail Komarov -// Copyright (c) 2021 Nikita Kaskov -// Copyright (c) 2022 Ilia Shirobokov -// -// MIT License -// -// Permission is hereby granted, free of charge, to any person obtaining a copy -// of this software and associated documentation files (the "Software"), to deal -// in the Software without restriction, including without limitation the rights -// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -// copies of the Software, and to permit persons to whom the Software is -// furnished to do so, subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -// SOFTWARE. -//---------------------------------------------------------------------------// - -#ifndef CRYPTO3_ZK_PLONK_CONSTRAINT_HPP -#define CRYPTO3_ZK_PLONK_CONSTRAINT_HPP - -#include - -#include -#include -#include -#include - -namespace nil { - namespace crypto3 { - namespace zk { - namespace snark { - namespace detail { - - template - using plonk_evaluation_map = std::map, typename VariableType::assignment_type>; - - } // namespace detail - - /************************* PLONK constraint ***********************************/ - - template> - class plonk_constraint : public non_linear_combination { - public: - plonk_constraint() : non_linear_combination() {}; - - plonk_constraint(const VariableType &var) : non_linear_combination(var) { - } - - plonk_constraint(const non_linear_combination &nlc) : - non_linear_combination(nlc) { - } - - plonk_constraint(const non_linear_term &nlt) : - non_linear_combination(nlt) { - } - - plonk_constraint(const std::vector> &terms) : - non_linear_combination(terms) { - } - - template - typename VariableType::assignment_type - evaluate(std::size_t row_index, - const plonk_assignment_table &assignments) const { - typename VariableType::assignment_type acc = VariableType::assignment_type::zero(); - for (const non_linear_term &nlt : this->terms) { - typename VariableType::assignment_type term_value = nlt.coeff; - - for (const VariableType &var : nlt.vars) { - - typename VariableType::assignment_type assignment; - switch (var.type) { - case VariableType::column_type::witness: - assignment = assignments.witness(var.index)[row_index + var.rotation]; - case VariableType::column_type::selector: - assignment = assignments.selector(var.index)[row_index + var.rotation]; - case VariableType::column_type::public_input: - assignment = assignments.public_input(var.index)[row_index + var.rotation]; - case VariableType::column_type::constant: - assignment = assignments.constant(var.index)[row_index + var.rotation]; - } - - term_value = term_value * assignment; - } - acc = acc + term_value * nlt.coeff; - } - return acc; - } - - template - math::polynomial - evaluate(const plonk_polynomial_table &assignments) const { - math::polynomial acc = {0}; - for (const non_linear_term &nlt : this->terms) { - math::polynomial term_value = {nlt.coeff}; - - for (const VariableType &var : nlt.vars) { - - math::polynomial assignment; - switch (var.type) { - case VariableType::column_type::witness: - assignment = assignments.witness(var.index); - case VariableType::column_type::selector: - assignment = assignments.selector(var.index); - case VariableType::column_type::public_input: - assignment = assignments.public_input(var.index); - case VariableType::column_type::constant: - assignment = assignments.constant(var.index); - } - - term_value = term_value * assignment; - } - acc = acc + term_value * nlt.coeff; - } - return acc; - } - - typename VariableType::assignment_type evaluate(detail::plonk_evaluation_map &assignments) const { - typename VariableType::assignment_type acc = VariableType::assignment_type::zero(); - for (const non_linear_term &nlt : this->terms) { - typename VariableType::assignment_type term_value = nlt.coeff; - - for (const VariableType &var : nlt.vars) { - std::tuple - key = std::make_tuple(var.index, var.rotation, var.type); - term_value = term_value * assignments[key]; - } - acc = acc + term_value * nlt.coeff; - } - return acc; - } - }; - - } // namespace snark - } // namespace zk - } // namespace crypto3 -} // namespace nil - -#endif // CRYPTO3_ZK_PLONK_CONSTRAINT_HPP +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// Copyright (c) 2022 Ilia Shirobokov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_PLONK_CONSTRAINT_HPP +#define CRYPTO3_ZK_PLONK_CONSTRAINT_HPP + +#include + +#include +#include +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + namespace detail { + + template + using plonk_evaluation_map = std::map, typename VariableType::assignment_type>; + + } // namespace detail + + /************************* PLONK constraint ***********************************/ + + template> + class plonk_constraint : public non_linear_combination { + public: + plonk_constraint() : non_linear_combination() {}; + + plonk_constraint(const VariableType &var) : non_linear_combination(var) { + } + + plonk_constraint(const non_linear_combination &nlc) : + non_linear_combination(nlc) { + } + + plonk_constraint(const non_linear_term &nlt) : + non_linear_combination(nlt) { + } + + plonk_constraint(const std::vector> &terms) : + non_linear_combination(terms) { + } + + template + typename VariableType::assignment_type + evaluate(std::size_t row_index, + const plonk_assignment_table &assignments) const { + typename VariableType::assignment_type acc = VariableType::assignment_type::zero(); + for (const non_linear_term &nlt : this->terms) { + typename VariableType::assignment_type term_value = nlt.coeff; + + for (const VariableType &var : nlt.vars) { + + typename VariableType::assignment_type assignment; + switch (var.type) { + case VariableType::column_type::witness: + assignment = assignments.witness(var.index)[row_index + var.rotation]; + break; + case VariableType::column_type::selector: + assignment = assignments.selector(var.index)[row_index + var.rotation]; + break; + case VariableType::column_type::public_input: + assignment = assignments.public_input(var.index)[row_index + var.rotation]; + break; + case VariableType::column_type::constant: + assignment = assignments.constant(var.index)[row_index + var.rotation]; + break; + } + + term_value = term_value * assignment; + } + acc = acc + term_value * nlt.coeff; + } + return acc; + } + + template + math::polynomial + evaluate(const plonk_polynomial_table &assignments) const { + math::polynomial acc = {0}; + for (const non_linear_term &nlt : this->terms) { + math::polynomial term_value = {nlt.coeff}; + + for (const VariableType &var : nlt.vars) { + + math::polynomial assignment; + switch (var.type) { + case VariableType::column_type::witness: + assignment = assignments.witness(var.index); + break; + case VariableType::column_type::selector: + assignment = assignments.selector(var.index); + break; + case VariableType::column_type::public_input: + assignment = assignments.public_input(var.index); + break; + case VariableType::column_type::constant: + assignment = assignments.constant(var.index); + break; + } + + term_value = term_value * assignment; + } + acc = acc + term_value * nlt.coeff; + } + return acc; + } + + typename VariableType::assignment_type evaluate(detail::plonk_evaluation_map &assignments) const { + typename VariableType::assignment_type acc = VariableType::assignment_type::zero(); + for (const non_linear_term &nlt : this->terms) { + typename VariableType::assignment_type term_value = nlt.coeff; + + for (const VariableType &var : nlt.vars) { + std::tuple + key = std::make_tuple(var.index, var.rotation, var.type); + term_value = term_value * assignments[key]; + } + acc = acc + term_value * nlt.coeff; + } + return acc; + } + }; + + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_PLONK_CONSTRAINT_HPP diff --git a/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp b/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp index 4bd279379..3f981b856 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/gate.hpp @@ -27,7 +27,6 @@ #ifndef CRYPTO3_ZK_PLONK_GATE_HPP #define CRYPTO3_ZK_PLONK_GATE_HPP -#include #include namespace nil { diff --git a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp index ab177a343..8ad6e3e83 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/plonk.hpp @@ -56,14 +56,15 @@ namespace nil { std::vector> _copy_constraints; std::vector> _lookup_constraints; std::size_t _rows_amount; + std::size_t _usable_rows_amount; public: plonk_constraint_system() { } - plonk_constraint_system(std::vector> gates, std::size_t rows_amount): - _gates(gates), _rows_amount(rows_amount) { + plonk_constraint_system(std::vector> gates, std::size_t rows_amount, std::size_t usable_rows_amount): + _gates(gates), _rows_amount(rows_amount), _usable_rows_amount(usable_rows_amount) { } std::size_t num_gates() const { @@ -74,6 +75,10 @@ namespace nil { return _rows_amount; } + std::size_t usable_rows_amount() const { + return _usable_rows_amount; + } + // bool // is_satisfied(plonk_variable_assignment full_variable_assignment) // const { diff --git a/include/nil/crypto3/zk/snark/relations/plonk/table.hpp b/include/nil/crypto3/zk/snark/relations/plonk/table.hpp index 0ccf0ed7c..c50e6d6f5 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/table.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/table.hpp @@ -1,235 +1,235 @@ -//---------------------------------------------------------------------------// -// Copyright (c) 2021 Mikhail Komarov -// Copyright (c) 2021 Nikita Kaskov -// Copyright (c) 2022 Ilia Shirobokov -// -// MIT License -// -// Permission is hereby granted, free of charge, to any person obtaining a copy -// of this software and associated documentation files (the "Software"), to deal -// in the Software without restriction, including without limitation the rights -// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -// copies of the Software, and to permit persons to whom the Software is -// furnished to do so, subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -// SOFTWARE. -//---------------------------------------------------------------------------// - -#ifndef CRYPTO3_ZK_PLONK_REDSHIFT_TABLE_HPP -#define CRYPTO3_ZK_PLONK_REDSHIFT_TABLE_HPP - -namespace nil { - namespace crypto3 { - namespace zk { - namespace snark { - - template - using plonk_column = std::vector; - - template - struct plonk_private_table { - - protected: - - std::array witness_columns; - - public: - plonk_private_table(std::array witness_columns = {}) : - witness_columns(witness_columns) { - } - - ColumnType witness(std::size_t index) const { - assert(index < WitnessColumns); - return witness_columns[index]; - } - - std::array witnesses() const { - return witness_columns; - } - - ColumnType operator[](std::size_t index) const { - if (index < WitnessColumns) - return witness_columns[index]; - index -= WitnessColumns; - } - - constexpr std::size_t size() const { - return witness_columns.size(); - } - - std::size_t depth() const { - return std::max(std::for_each(witness_columns.begin(), witness_columns.end(), - std::size)); - } - }; - - template - struct plonk_public_table { - - protected: - - std::array selector_columns; - std::array public_input_columns; - std::array constant_columns; - - public: - plonk_public_table(std::array selector_columns = {}, - std::array - public_input_columns = {}, - std::array - constant_columns = {}) : - selector_columns(selector_columns), - public_input_columns(public_input_columns), - constant_columns() { - } - - ColumnType selector(std::size_t index) const { - assert(index < SelectorColumns); - return selector_columns[index]; - } - - std::vector selectors() const { - return selector_columns; - } - - ColumnType public_input(std::size_t index) const { - assert(index < PublicInputColumns); - return public_input_columns[index]; - } - - std::vector public_inputs() const { - return public_input_columns; - } - - ColumnType constant(std::size_t index) const { - assert(index < ConstantColumns); - return constant_columns[index]; - } - - std::vector constants() const { - return constant_columns; - } - - ColumnType operator[](std::size_t index) const { - if (index < SelectorColumns) - return selector_columns[index]; - index -= SelectorColumns; - if (index < PublicInputColumns) - return public_input_columns[index]; - index -= PublicInputColumns; - if (index < ConstantColumns) - return constant_columns[index]; - index -= ConstantColumns; - } - - constexpr std::size_t size() const { - return SelectorColumns + PublicInputColumns + ConstantColumns; - } - }; - - template - struct plonk_table { - - using private_table_type = plonk_private_table; - using public_table_type = plonk_public_table; - - protected: - - private_table_type _private_table; - public_table_type _public_table; - - public: - plonk_table(private_table_type private_table = private_table_type(), - public_table_type public_table = public_table_type()) : - _private_table(private_table), _public_table(public_table) { - } - - ColumnType witness(std::size_t index) const { - return _private_table.witness(index); - } - - ColumnType selector(std::size_t index) const { - return _public_table.selector(index); - } - - ColumnType public_input(std::size_t index) const { - return _public_table.public_input(index); - } - - ColumnType constant(std::size_t index) const { - return _public_table.constant(index); - } - - ColumnType operator[](std::size_t index) const { - if (index < _private_table.size()) - return _private_table[index]; - index -= _private_table.size(); - if (index < _public_table.size()) - return _public_table[index]; - } - - private_table_type private_table() const { - return _private_table; - } - - public_table_type public_table() const { - return _public_table; - } - - std::size_t size() const { - return _private_table.size() + _public_table.size(); - } - }; - - template - using plonk_private_assignment_table = - plonk_private_table>; - - template - using plonk_public_assignment_table = - plonk_public_table>; - - template - using plonk_assignment_table = plonk_table>; - - template - using plonk_private_polynomial_table = - plonk_private_table>; - - template - using plonk_public_polynomial_table = - plonk_public_table>; - - template - using plonk_polynomial_table = - plonk_table>; - - } // namespace snark - } // namespace zk - } // namespace crypto3 -} // namespace nil - -#endif // CRYPTO3_ZK_PLONK_REDSHIFT_TABLE_HPP +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// Copyright (c) 2022 Ilia Shirobokov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_PLONK_REDSHIFT_TABLE_HPP +#define CRYPTO3_ZK_PLONK_REDSHIFT_TABLE_HPP + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + + template + using plonk_column = std::vector; + + template + struct plonk_private_table { + + protected: + + std::array witness_columns; + + public: + plonk_private_table(std::array witness_columns = {}) : + witness_columns(witness_columns) { + } + + ColumnType witness(std::size_t index) const { + assert(index < WitnessColumns); + return witness_columns[index]; + } + + std::array witnesses() const { + return witness_columns; + } + + ColumnType operator[](std::size_t index) const { + if (index < WitnessColumns) + return witness_columns[index]; + index -= WitnessColumns; + } + + constexpr std::size_t size() const { + return witness_columns.size(); + } + + std::size_t depth() const { + return std::max(std::for_each(witness_columns.begin(), witness_columns.end(), + std::size)); + } + }; + + template + struct plonk_public_table { + + protected: + + std::array selector_columns; + std::array public_input_columns; + std::array constant_columns; + + public: + plonk_public_table(std::array selector_columns = {}, + std::array + public_input_columns = {}, + std::array + constant_columns = {}) : + selector_columns(selector_columns), + public_input_columns(public_input_columns), + constant_columns() { + } + + ColumnType selector(std::size_t index) const { + assert(index < SelectorColumns); + return selector_columns[index]; + } + + std::array selectors() const { + return selector_columns; + } + + ColumnType public_input(std::size_t index) const { + assert(index < PublicInputColumns); + return public_input_columns[index]; + } + + std::array public_inputs() const { + return public_input_columns; + } + + ColumnType constant(std::size_t index) const { + assert(index < ConstantColumns); + return constant_columns[index]; + } + + std::array constants() const { + return constant_columns; + } + + ColumnType operator[](std::size_t index) const { + if (index < SelectorColumns) + return selector_columns[index]; + index -= SelectorColumns; + if (index < PublicInputColumns) + return public_input_columns[index]; + index -= PublicInputColumns; + if (index < ConstantColumns) + return constant_columns[index]; + index -= ConstantColumns; + } + + constexpr std::size_t size() const { + return SelectorColumns + PublicInputColumns + ConstantColumns; + } + }; + + template + struct plonk_table { + + using private_table_type = plonk_private_table; + using public_table_type = plonk_public_table; + + protected: + + private_table_type _private_table; + public_table_type _public_table; + + public: + plonk_table(private_table_type private_table = private_table_type(), + public_table_type public_table = public_table_type()) : + _private_table(private_table), _public_table(public_table) { + } + + ColumnType witness(std::size_t index) const { + return _private_table.witness(index); + } + + ColumnType selector(std::size_t index) const { + return _public_table.selector(index); + } + + ColumnType public_input(std::size_t index) const { + return _public_table.public_input(index); + } + + ColumnType constant(std::size_t index) const { + return _public_table.constant(index); + } + + ColumnType operator[](std::size_t index) const { + if (index < _private_table.size()) + return _private_table[index]; + index -= _private_table.size(); + if (index < _public_table.size()) + return _public_table[index]; + } + + private_table_type private_table() const { + return _private_table; + } + + public_table_type public_table() const { + return _public_table; + } + + std::size_t size() const { + return _private_table.size() + _public_table.size(); + } + }; + + template + using plonk_private_assignment_table = + plonk_private_table>; + + template + using plonk_public_assignment_table = + plonk_public_table>; + + template + using plonk_assignment_table = plonk_table>; + + template + using plonk_private_polynomial_table = + plonk_private_table>; + + template + using plonk_public_polynomial_table = + plonk_public_table>; + + template + using plonk_polynomial_table = + plonk_table>; + + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_PLONK_REDSHIFT_TABLE_HPP diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp index b7f55eb98..a5ded42bc 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp @@ -1,124 +1,126 @@ -//---------------------------------------------------------------------------// -// Copyright (c) 2021 Mikhail Komarov -// Copyright (c) 2021 Nikita Kaskov -// Copyright (c) 2022 Ilia Shirobokov -// -// MIT License -// -// Permission is hereby granted, free of charge, to any person obtaining a copy -// of this software and associated documentation files (the "Software"), to deal -// in the Software without restriction, including without limitation the rights -// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -// copies of the Software, and to permit persons to whom the Software is -// furnished to do so, subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -// SOFTWARE. -//---------------------------------------------------------------------------// -// @file Declaration of types for Redshift PLONK scheme. -// -//---------------------------------------------------------------------------// - -#ifndef CRYPTO3_PLONK_REDSHIFT_TYPES_POLICY_HPP -#define CRYPTO3_PLONK_REDSHIFT_TYPES_POLICY_HPP - -#include -#include -#include -#include -#include - -#include -#include -#include -#include - -namespace nil { - namespace crypto3 { - namespace zk { - namespace snark { - namespace detail { - template - struct redshift_policy { - - constexpr static const std::size_t witness_columns = RedshiftParams::witness_columns; - constexpr static const std::size_t public_input_columns = - RedshiftParams::public_input_columns; - constexpr static const std::size_t selector_columns = RedshiftParams::selector_columns; - constexpr static const std::size_t constant_columns = RedshiftParams::constant_columns; - - /******************************** Params ********************************/ - - /** - * Below are various template aliases (used for convenience). - */ - - typedef plonk_constraint_system constraint_system_type; - - typedef plonk_assignment_table variable_assignment_type; - - typedef detail::plonk_evaluation_map> evaluation_map; - - /*********************************** Proof ***********************************/ - - /** - * A proof for the Redshift cheme. - * - * While the proof has a structure, externally one merely opaquely produces, - * serializes/deserializes, and verifies proofs. We only expose some information - * about the structure for statistics purposes. - */ - template - using proof_type = - redshift_proof; - - // template - struct preprocessed_public_data_type { - - std::shared_ptr> basic_domain; - - plonk_public_polynomial_table public_polynomial_table; - - // S_sigma - std::vector> permutation_polynomials; - // S_id - std::vector> identity_polynomials; - - math::polynomial lagrange_0; - - math::polynomial q_last; - math::polynomial q_blind; - - math::polynomial Z; - - // std::vector selectors_commits; - // std::vector id_polys_commits; - // std::vector perm_polys_commits; - }; - - struct preprocessed_private_data_type { - - std::shared_ptr> basic_domain; - - plonk_private_polynomial_table private_polynomial_table; - }; - }; - } // namespace detail - } // namespace snark - } // namespace zk - } // namespace crypto3 -} // namespace nil - -#endif // CRYPTO3_PLONK_REDSHIFT_TYPES_POLICY_HPP +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// Copyright (c) 2022 Ilia Shirobokov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// +// @file Declaration of types for Redshift PLONK scheme. +// +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_PLONK_REDSHIFT_TYPES_POLICY_HPP +#define CRYPTO3_PLONK_REDSHIFT_TYPES_POLICY_HPP + +#include +#include +#include +#include +#include + +#include +#include +#include +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + namespace detail { + template + struct redshift_policy { + + constexpr static const std::size_t witness_columns = RedshiftParams::witness_columns; + constexpr static const std::size_t public_input_columns = + RedshiftParams::public_input_columns; + constexpr static const std::size_t selector_columns = RedshiftParams::selector_columns; + constexpr static const std::size_t constant_columns = RedshiftParams::constant_columns; + + /******************************** Params ********************************/ + + /** + * Below are various template aliases (used for convenience). + */ + + typedef plonk_constraint_system constraint_system_type; + + typedef RedshiftParams redshift_params_type; + + typedef plonk_assignment_table variable_assignment_type; + + typedef detail::plonk_evaluation_map> evaluation_map; + + /*********************************** Proof ***********************************/ + + /** + * A proof for the Redshift cheme. + * + * While the proof has a structure, externally one merely opaquely produces, + * serializes/deserializes, and verifies proofs. We only expose some information + * about the structure for statistics purposes. + */ + template + using proof_type = + redshift_proof; + + // template + struct preprocessed_public_data_type { + + std::shared_ptr> basic_domain; + + plonk_public_polynomial_table public_polynomial_table; + + // S_sigma + std::vector> permutation_polynomials; + // S_id + std::vector> identity_polynomials; + + math::polynomial lagrange_0; + + math::polynomial q_last; + math::polynomial q_blind; + + math::polynomial Z; + + // std::vector selectors_commits; + // std::vector id_polys_commits; + // std::vector perm_polys_commits; + }; + + struct preprocessed_private_data_type { + + std::shared_ptr> basic_domain; + + plonk_private_polynomial_table private_polynomial_table; + }; + }; + } // namespace detail + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_PLONK_REDSHIFT_TYPES_POLICY_HPP diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp index aa30ff0b1..26002f776 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp @@ -1,124 +1,130 @@ -//---------------------------------------------------------------------------// -// Copyright (c) 2021 Mikhail Komarov -// Copyright (c) 2021 Nikita Kaskov -// Copyright (c) 2022 Ilia Shirobokov -// -// MIT License -// -// Permission is hereby granted, free of charge, to any person obtaining a copy -// of this software and associated documentation files (the "Software"), to deal -// in the Software without restriction, including without limitation the rights -// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -// copies of the Software, and to permit persons to whom the Software is -// furnished to do so, subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -// SOFTWARE. -//---------------------------------------------------------------------------// - -#ifndef CRYPTO3_ZK_PLONK_REDSHIFT_GATES_ARGUMENT_HPP -#define CRYPTO3_ZK_PLONK_REDSHIFT_GATES_ARGUMENT_HPP - -#include -#include -#include -#include - -#include - -#include - -#include -#include -#include -#include - -namespace nil { - namespace crypto3 { - namespace zk { - namespace snark { - template - struct redshift_gates_argument; - - template - struct redshift_gates_argument { - - typedef typename ParamsType::transcript_hash_type transcript_hash_type; - - typedef detail::redshift_policy policy_type; - - constexpr static const std::size_t argument_size = 1; - - static inline std::array, argument_size> - prove_eval(typename policy_type::constraint_system_type &constraint_system, - const plonk_polynomial_table &column_polynomials, - fiat_shamir_heuristic_sequential &transcript) { - - typename FieldType::value_type theta = transcript.template challenge(); - - std::array, argument_size> F; - - typename FieldType::value_type theta_acc = FieldType::value_type::one(); - - const std::vector> gates = constraint_system.gates(); - - for (std::size_t i = 0; i < gates.size(); i++) { - math::polynomial gate_result = {0}; - - for (std::size_t j = 0; j < gates[i].constraints.size(); j++) { - gate_result = - gate_result + gates[i].constraints[j].evaluate(column_polynomials) * theta_acc; - theta_acc *= theta; - } - - gate_result = gate_result * column_polynomials.selector(gates[i].selector_index); - - F[0] = F[0] + gate_result; - } - - return F; - } - - static inline std::array - verify_eval(const std::vector> &gates, - typename policy_type::evaluation_map &evaluations, - typename FieldType::value_type challenge, - fiat_shamir_heuristic_sequential &transcript) { - typename FieldType::value_type theta = transcript.template challenge(); - - std::array F; - - typename FieldType::value_type theta_acc = FieldType::value_type::one(); - - for (std::size_t i = 0; i < gates.size(); i++) { - typename FieldType::value_type gate_result = {0}; - - for (std::size_t j = 0; j < gates[i].constraints.size(); j++) { - gate_result = gate_result + gates[i].constraints[j].evaluate(evaluations) * theta_acc; - theta_acc *= theta; - } - - gate_result = gate_result * gates[i].selector.evaluate(challenge); - - F[0] = F[0] + gate_result; - } - - return F; - } - }; - } // namespace snark - } // namespace zk - } // namespace crypto3 -} // namespace nil - -#endif // CRYPTO3_ZK_PLONK_REDSHIFT_GATES_ARGUMENT_HPP +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// Copyright (c) 2022 Ilia Shirobokov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_PLONK_REDSHIFT_GATES_ARGUMENT_HPP +#define CRYPTO3_ZK_PLONK_REDSHIFT_GATES_ARGUMENT_HPP + +#include +#include +#include +#include + +#include + +#include + +#include +#include +#include +#include +#include "nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp" + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + template + struct redshift_gates_argument; + + template + struct redshift_gates_argument { + + typedef typename ParamsType::transcript_hash_type transcript_hash_type; + + typedef detail::redshift_policy policy_type; + + constexpr static const std::size_t argument_size = 1; + + static inline std::array, argument_size> + prove_eval(typename policy_type::constraint_system_type &constraint_system, + const plonk_polynomial_table &column_polynomials, + fiat_shamir_heuristic_sequential &transcript) { + + typename FieldType::value_type theta = transcript.template challenge(); + + std::array, argument_size> F; + + typename FieldType::value_type theta_acc = FieldType::value_type::one(); + + const std::vector> gates = constraint_system.gates(); + + for (std::size_t i = 0; i < gates.size(); i++) { + math::polynomial gate_result = {0}; + + for (std::size_t j = 0; j < gates[i].constraints.size(); j++) { + gate_result = + gate_result + gates[i].constraints[j].evaluate(column_polynomials) * theta_acc; + theta_acc *= theta; + } + + gate_result = gate_result * column_polynomials.selector(gates[i].selector_index); + + F[0] = F[0] + gate_result; + } + + return F; + } + + static inline std::array + verify_eval(const std::vector> &gates, + const plonk_polynomial_table &public_polynomials, + //const plonk_public_polynomial_table public_polynomials, + typename policy_type::evaluation_map &evaluations, + typename FieldType::value_type challenge, + fiat_shamir_heuristic_sequential &transcript) { + typename FieldType::value_type theta = transcript.template challenge(); + + std::array F; + + typename FieldType::value_type theta_acc = FieldType::value_type::one(); + + for (std::size_t i = 0; i < gates.size(); i++) { + typename FieldType::value_type gate_result = {0}; + + for (std::size_t j = 0; j < gates[i].constraints.size(); j++) { + gate_result = gate_result + gates[i].constraints[j].evaluate(evaluations) * theta_acc; + theta_acc *= theta; + } + + gate_result = gate_result * public_polynomials.selector(gates[i].selector_index).evaluate(challenge); + + F[0] = F[0] + gate_result; + } + + return F; + } + }; + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_PLONK_REDSHIFT_GATES_ARGUMENT_HPP diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp index 6e9e0ac12..33b2f80f3 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp @@ -1,64 +1,64 @@ -//---------------------------------------------------------------------------// -// Copyright (c) 2022 Mikhail Komarov -// Copyright (c) 2022 Nikita Kaskov -// Copyright (c) 2022 Ilia Shirobokov -// -// MIT License -// -// Permission is hereby granted, free of charge, to any person obtaining a copy -// of this software and associated documentation files (the "Software"), to deal -// in the Software without restriction, including without limitation the rights -// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -// copies of the Software, and to permit persons to whom the Software is -// furnished to do so, subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -// SOFTWARE. -//---------------------------------------------------------------------------// - -#ifndef CRYPTO3_ZK_PLONK_REDSHIFT_PARAMS_HPP -#define CRYPTO3_ZK_PLONK_REDSHIFT_PARAMS_HPP - -#include - -namespace nil { - namespace crypto3 { - namespace zk { - namespace snark { - template, - typename TranscriptHashType = hashes::keccak_1600<512>, std::size_t Lambda = 40, - std::size_t R = 1, std::size_t M = 2> - struct redshift_params { - - typedef MerkleTreeHashType merkle_hash_type; - typedef TranscriptHashType transcript_hash_type; - - constexpr static const std::size_t witness_columns = WitnessColumns; - constexpr static const std::size_t selectors_columns = SelectorColumns; - constexpr static const std::size_t public_input_columns = PublicInputColumns; - constexpr static const std::size_t constant_columns = ConstantColumns; - - constexpr static const typename FieldType::value_type delta = 1; - - typedef list_polynomial_commitment_params - commitment_params_type; - }; - } // namespace snark - } // namespace zk - } // namespace crypto3 -} // namespace nil - -#endif // CRYPTO3_ZK_PLONK_REDSHIFT_PARAMS_HPP +//---------------------------------------------------------------------------// +// Copyright (c) 2022 Mikhail Komarov +// Copyright (c) 2022 Nikita Kaskov +// Copyright (c) 2022 Ilia Shirobokov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_PLONK_REDSHIFT_PARAMS_HPP +#define CRYPTO3_ZK_PLONK_REDSHIFT_PARAMS_HPP + +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + template, + typename TranscriptHashType = hashes::keccak_1600<512>, std::size_t Lambda = 40, + std::size_t R = 1, std::size_t M = 2> + struct redshift_params { + + typedef MerkleTreeHashType merkle_hash_type; + typedef TranscriptHashType transcript_hash_type; + + constexpr static const std::size_t witness_columns = WitnessColumns; + constexpr static const std::size_t selector_columns = SelectorColumns; + constexpr static const std::size_t public_input_columns = PublicInputColumns; + constexpr static const std::size_t constant_columns = ConstantColumns; + + constexpr static const typename FieldType::value_type delta = algebra::fields::arithmetic_params::multiplicative_generator; + + typedef list_polynomial_commitment_params + commitment_params_type; + }; + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_PLONK_REDSHIFT_PARAMS_HPP diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp index 637434c79..f7f2c6b16 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp @@ -1,211 +1,211 @@ -//---------------------------------------------------------------------------// -// Copyright (c) 2021 Mikhail Komarov -// Copyright (c) 2021 Nikita Kaskov -// Copyright (c) 2022 Ilia Shirobokov -// -// MIT License -// -// Permission is hereby granted, free of charge, to any person obtaining a copy -// of this software and associated documentation files (the "Software"), to deal -// in the Software without restriction, including without limitation the rights -// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -// copies of the Software, and to permit persons to whom the Software is -// furnished to do so, subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -// SOFTWARE. -//---------------------------------------------------------------------------// - -#ifndef CRYPTO3_ZK_PLONK_REDSHIFT_PERMUTATION_ARGUMENT_HPP -#define CRYPTO3_ZK_PLONK_REDSHIFT_PERMUTATION_ARGUMENT_HPP - -#include -#include -#include -#include - -#include - -#include - -#include -#include -#include - -namespace nil { - namespace crypto3 { - namespace zk { - namespace snark { - template - class redshift_permutation_argument { - - using transcript_hash_type = typename ParamsType::transcript_hash_type; - - using policy_type = detail::redshift_policy; - - typedef typename CommitmentSchemeTypePermutation::fri_type fri_type; - - static constexpr std::size_t argument_size = 3; - - public: - struct prover_result_type { - std::array, argument_size> F; - - math::polynomial permutation_polynomial; - - typename CommitmentSchemeTypePermutation::merkle_tree_type permutation_poly_commitment; - }; - - static inline prover_result_type prove_eval( - fiat_shamir_heuristic_sequential &transcript, - const typename policy_type::preprocessed_public_data_type preprocessed_data, - const typename policy_type::template circuit_short_description - &short_description, - const plonk_polynomial_table &column_polynomials, - typename fri_type::params_type fri_params) { - - const std::vector> &S_sigma = - preprocessed_data.permutation_polynomials; - const std::vector> &S_id = - preprocessed_data.identity_polynomials; - std::shared_ptr> domain = preprocessed_data.basic_domain; - - // 1. $\beta_1, \gamma_1 = \challenge$ - typename FieldType::value_type beta = transcript.template challenge(); - - typename FieldType::value_type gamma = transcript.template challenge(); - - // 2. Calculate id_binding, sigma_binding for j from 1 to N_rows - std::vector id_binding(short_description.table_rows); - std::vector sigma_binding(short_description.table_rows); - - for (std::size_t j = 0; j < short_description.table_rows; j++) { - id_binding[j] = FieldType::value_type::one(); - sigma_binding[j] = FieldType::value_type::one(); - for (std::size_t i = 0; i < S_id.size(); i++) { - - id_binding[j] *= (column_polynomials[i].evaluate(domain->get_domain_element(j)) + - beta * S_id[i].evaluate(domain->get_domain_element(j)) + gamma); - sigma_binding[j] *= (column_polynomials[i].evaluate(domain->get_domain_element(j)) + - beta * S_sigma[i].evaluate(domain->get_domain_element(j)) + gamma); - } - } - - // 3. Calculate $V_P$ - std::vector V_P_interpolation_points( - short_description.table_rows); - - V_P_interpolation_points[0] = FieldType::value_type::one(); - for (std::size_t j = 1; j < short_description.table_rows; j++) { - typename FieldType::value_type tmp_mul_result = FieldType::value_type::one(); - for (std::size_t i = 0; i <= j - 1; i++) { - // TODO: use one division - tmp_mul_result *= id_binding[i] / sigma_binding[i]; - } - - V_P_interpolation_points[j] = tmp_mul_result; - } - - domain->inverse_fft(V_P_interpolation_points); - - math::polynomial V_P(V_P_interpolation_points.begin(), - V_P_interpolation_points.end()); - - // 4. Compute and add commitment to $V_P$ to $\text{transcript}$. - typename CommitmentSchemeTypePermutation::merkle_tree_type V_P_tree = - CommitmentSchemeTypePermutation::commit(V_P, fri_params.D[0]); - typename CommitmentSchemeTypePermutation::commitment_type V_P_commitment = V_P_tree.root(); - transcript(V_P_commitment); - - // 5. Calculate g_perm, h_perm - math::polynomial g = {1}; - math::polynomial h = {1}; - - for (std::size_t i = 0; i < S_id.size(); i++) { - g = g * (column_polynomials[i] + beta * S_id[i] + gamma); - h = h * (column_polynomials[i] + beta * S_sigma[i] + gamma); - } - - math::polynomial one_polynomial = {1}; - std::array, argument_size> F; - - math::polynomial V_P_shifted = - math::polynomial_shift(V_P, domain->get_domain_element(1)); - - F[0] = preprocessed_data.lagrange_0 * (one_polynomial - V_P); - F[1] = (one_polynomial - (preprocessed_data.q_last + preprocessed_data.q_blind)) * - (V_P_shifted * h - V_P * g); - F[2] = preprocessed_data.q_last * (V_P * V_P - V_P); - - prover_result_type res = {F, V_P, V_P_tree}; - - return res; - } - - static inline std::array verify_eval( - fiat_shamir_heuristic_sequential &transcript, - const typename policy_type::preprocessed_public_data_type preprocessed_data, - const typename policy_type::template circuit_short_description - &short_description, - // y - const typename FieldType::value_type &challenge, - // f(y): - const std::vector &column_polynomials_values, - // V_P(y): - const typename FieldType::value_type &perm_polynomial_value, - // V_P(omega * y): - const typename FieldType::value_type &perm_polynomial_shifted_value, - const typename CommitmentSchemeTypePermutation::commitment_type &V_P_commitment) { - - const std::vector> &S_sigma = - preprocessed_data.permutation_polynomials; - const std::vector> &S_id = - preprocessed_data.identity_polynomials; - - // 1. Get beta, gamma - typename FieldType::value_type beta = transcript.template challenge(); - typename FieldType::value_type gamma = transcript.template challenge(); - - // 2. Add commitment to V_P to transcript - transcript(V_P_commitment); - - // 3. Calculate h_perm, g_perm at challenge point - typename FieldType::value_type g = FieldType::value_type::one(); - typename FieldType::value_type h = FieldType::value_type::one(); - - for (std::size_t i = 0; i < column_polynomials_values.size(); i++) { - g = g * (column_polynomials_values[i] + beta * S_id[i].evaluate(challenge) + gamma); - h = h * (column_polynomials_values[i] + beta * S_sigma[i].evaluate(challenge) + gamma); - } - - std::array F; - typename FieldType::value_type one = FieldType::value_type::one(); - F[0] = preprocessed_data.lagrange_0.evaluate(challenge) * (one - perm_polynomial_value); - F[1] = (one - preprocessed_data.q_last.evaluate(challenge) - - preprocessed_data.q_blind.evaluate(challenge)) * - (perm_polynomial_shifted_value * h - perm_polynomial_value * g); - F[2] = preprocessed_data.q_last.evaluate(challenge) * - (perm_polynomial_value.squared() - perm_polynomial_value); - - return F; - } - }; - } // namespace snark - } // namespace zk - } // namespace crypto3 -} // namespace nil - -#endif // #ifndef CRYPTO3_ZK_PLONK_REDSHIFT_PERMUTATION_ARGUMENT_HPP +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// Copyright (c) 2022 Ilia Shirobokov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_PLONK_REDSHIFT_PERMUTATION_ARGUMENT_HPP +#define CRYPTO3_ZK_PLONK_REDSHIFT_PERMUTATION_ARGUMENT_HPP + +#include +#include +#include +#include + +#include + +#include + +#include +#include +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + template + class redshift_permutation_argument { + + using transcript_hash_type = typename ParamsType::transcript_hash_type; + + using policy_type = detail::redshift_policy; + + typedef typename CommitmentSchemeTypePermutation::fri_type fri_type; + + static constexpr std::size_t argument_size = 3; + + public: + struct prover_result_type { + std::array, argument_size> F; + + math::polynomial permutation_polynomial; + + typename CommitmentSchemeTypePermutation::merkle_tree_type permutation_poly_commitment; + }; + + static inline prover_result_type prove_eval( + fiat_shamir_heuristic_sequential &transcript, + const typename policy_type::preprocessed_public_data_type preprocessed_data, + const typename policy_type::template circuit_short_description + &short_description, + const plonk_polynomial_table &column_polynomials, + typename fri_type::params_type fri_params) { + + const std::vector> &S_sigma = + preprocessed_data.permutation_polynomials; + const std::vector> &S_id = + preprocessed_data.identity_polynomials; + std::shared_ptr> domain = preprocessed_data.basic_domain; + + // 1. $\beta_1, \gamma_1 = \challenge$ + typename FieldType::value_type beta = transcript.template challenge(); + + typename FieldType::value_type gamma = transcript.template challenge(); + + // 2. Calculate id_binding, sigma_binding for j from 1 to N_rows + std::vector id_binding(short_description.table_rows); + std::vector sigma_binding(short_description.table_rows); + + for (std::size_t j = 0; j < short_description.table_rows; j++) { + id_binding[j] = FieldType::value_type::one(); + sigma_binding[j] = FieldType::value_type::one(); + for (std::size_t i = 0; i < S_id.size(); i++) { + + id_binding[j] *= (column_polynomials[i].evaluate(domain->get_domain_element(j)) + + beta * S_id[i].evaluate(domain->get_domain_element(j)) + gamma); + sigma_binding[j] *= (column_polynomials[i].evaluate(domain->get_domain_element(j)) + + beta * S_sigma[i].evaluate(domain->get_domain_element(j)) + gamma); + } + } + + // 3. Calculate $V_P$ + std::vector V_P_interpolation_points( + short_description.table_rows); + + V_P_interpolation_points[0] = FieldType::value_type::one(); + for (std::size_t j = 1; j < short_description.table_rows; j++) { + typename FieldType::value_type tmp_mul_result = FieldType::value_type::one(); + for (std::size_t i = 0; i <= j - 1; i++) { + // TODO: use one division + tmp_mul_result *= id_binding[i] / sigma_binding[i]; + } + + V_P_interpolation_points[j] = tmp_mul_result; + } + + domain->inverse_fft(V_P_interpolation_points); + + math::polynomial V_P(V_P_interpolation_points.begin(), + V_P_interpolation_points.end()); + + // 4. Compute and add commitment to $V_P$ to $\text{transcript}$. + typename CommitmentSchemeTypePermutation::merkle_tree_type V_P_tree = + CommitmentSchemeTypePermutation::commit(V_P, fri_params.D[0]); + typename CommitmentSchemeTypePermutation::commitment_type V_P_commitment = V_P_tree.root(); + transcript(V_P_commitment); + + // 5. Calculate g_perm, h_perm + math::polynomial g = {1}; + math::polynomial h = {1}; + + for (std::size_t i = 0; i < S_id.size(); i++) { + g = g * (column_polynomials[i] + beta * S_id[i] + gamma); + h = h * (column_polynomials[i] + beta * S_sigma[i] + gamma); + } + + math::polynomial one_polynomial = {1}; + std::array, argument_size> F; + + math::polynomial V_P_shifted = + math::polynomial_shift(V_P, domain->get_domain_element(1)); + + F[0] = preprocessed_data.lagrange_0 * (one_polynomial - V_P); + F[1] = (one_polynomial - (preprocessed_data.q_last + preprocessed_data.q_blind)) * + (V_P_shifted * h - V_P * g); + F[2] = preprocessed_data.q_last * (V_P * V_P - V_P); + + prover_result_type res = {F, V_P, V_P_tree}; + + return res; + } + + static inline std::array verify_eval( + fiat_shamir_heuristic_sequential &transcript, + const typename policy_type::preprocessed_public_data_type preprocessed_data, + const typename policy_type::template circuit_short_description + &short_description, + // y + const typename FieldType::value_type &challenge, + // f(y): + const std::vector &column_polynomials_values, + // V_P(y): + const typename FieldType::value_type &perm_polynomial_value, + // V_P(omega * y): + const typename FieldType::value_type &perm_polynomial_shifted_value, + const typename CommitmentSchemeTypePermutation::commitment_type &V_P_commitment) { + + const std::vector> &S_sigma = + preprocessed_data.permutation_polynomials; + const std::vector> &S_id = + preprocessed_data.identity_polynomials; + + // 1. Get beta, gamma + typename FieldType::value_type beta = transcript.template challenge(); + typename FieldType::value_type gamma = transcript.template challenge(); + + // 2. Add commitment to V_P to transcript + transcript(V_P_commitment); + + // 3. Calculate h_perm, g_perm at challenge point + typename FieldType::value_type g = FieldType::value_type::one(); + typename FieldType::value_type h = FieldType::value_type::one(); + + for (std::size_t i = 0; i < column_polynomials_values.size(); i++) { + g = g * (column_polynomials_values[i] + beta * S_id[i].evaluate(challenge) + gamma); + h = h * (column_polynomials_values[i] + beta * S_sigma[i].evaluate(challenge) + gamma); + } + + std::array F; + typename FieldType::value_type one = FieldType::value_type::one(); + F[0] = preprocessed_data.lagrange_0.evaluate(challenge) * (one - perm_polynomial_value); + F[1] = (one - preprocessed_data.q_last.evaluate(challenge) - + preprocessed_data.q_blind.evaluate(challenge)) * + (perm_polynomial_shifted_value * h - perm_polynomial_value * g); + F[2] = preprocessed_data.q_last.evaluate(challenge) * + (perm_polynomial_value.squared() - perm_polynomial_value); + + return F; + } + }; + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // #ifndef CRYPTO3_ZK_PLONK_REDSHIFT_PERMUTATION_ARGUMENT_HPP diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp index b7e9ef756..2d98a122c 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp @@ -1,281 +1,279 @@ -//---------------------------------------------------------------------------// -// Copyright (c) 2021 Mikhail Komarov -// Copyright (c) 2021 Nikita Kaskov -// Copyright (c) 2022 Ilia Shirobokov -// -// MIT License -// -// Permission is hereby granted, free of charge, to any person obtaining a copy -// of this software and associated documentation files (the "Software"), to deal -// in the Software without restriction, including without limitation the rights -// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -// copies of the Software, and to permit persons to whom the Software is -// furnished to do so, subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -// SOFTWARE. -//---------------------------------------------------------------------------// - -#ifndef CRYPTO3_ZK_PLONK_REDSHIFT_PREPROCESSOR_HPP -#define CRYPTO3_ZK_PLONK_REDSHIFT_PREPROCESSOR_HPP - -#include -#include -#include -#include - -#include "nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp" -#include - -using namespace nil::crypto3; - -namespace nil { - namespace crypto3 { - namespace zk { - namespace snark { - namespace detail { - - template - math::polynomial - column_polynomial(const plonk_column &column_assignment, - const std::shared_ptr> &domain) { - - std::vector interpolation_points(column_assignment.size()); - - std::copy(column_assignment.begin(), column_assignment.end(), interpolation_points.begin()); - - domain->inverse_fft(interpolation_points); - - return interpolation_points; - } - - template - std::vector> - column_range_polynomials(const std::vector> &column_range_assignment, - const std::shared_ptr> &domain) { - - std::size_t columns_amount = column_range_assignment.size(); - std::vector> columns(columns_amount); - - for (std::size_t selector_index = 0; selector_index < columns_amount; selector_index++) { - columns[selector_index] = - column_polynomial(column_range_assignment[selector_index], domain); - } - - return columns; - } - - template - std::array, columns_amount> - column_range_polynomials( - const std::array, columns_amount> &column_range_assignment, - const std::shared_ptr> &domain) { - - std::array, columns_amount> columns; - - for (std::size_t selector_index = 0; selector_index < columns_amount; selector_index++) { - columns[selector_index] = - column_polynomial(column_range_assignment[selector_index], domain); - } - - return columns; - } - - } // namespace detail - - template - class redshift_public_preprocessor { - typedef detail::redshift_policy policy_type; - - static math::polynomial - lagrange_polynomial(std::shared_ptr> domain, - std::size_t number) { - std::vector> - evaluation_points; - for (std::size_t i = 0; i < domain->m; i++) { - evaluation_points.push_back(std::make_pair(domain->get_domain_element(i), - (i != number) ? FieldType::value_type::zero() : - FieldType::value_type::one())); - } - math::polynomial f = - math::lagrange_interpolation(evaluation_points); - - return f; - } - - public: - static inline std::vector> - identity_polynomials(std::size_t permutation_size, std::size_t table_size, - const typename FieldType::value_type &omega, - const typename FieldType::value_type &delta, - const std::shared_ptr> &domain) { - - std::vector> S_id(permutation_size); - - for (std::size_t i = 0; i < permutation_size; i++) { - std::vector tmp(table_size); - for (std::size_t j = 0; j < table_size; j++) { - tmp[j] = delta.pow(i) * omega.pow(j); - } - - domain->inverse_fft(tmp); - S_id[i] = math::polynomial(tmp); - } - - return S_id; - } - - static inline std::vector> - permutation_polynomials(std::size_t permutation_size, std::size_t table_size, - const typename FieldType::value_type &omega, - const typename FieldType::value_type &delta, - plonk_permutation &permutation, - const std::shared_ptr> &domain) { - - std::vector> S_perm(permutation_size); - - for (std::size_t i = 0; i < permutation_size; i++) { - std::vector tmp(table_size); - for (std::size_t j = 0; j < table_size; j++) { - auto key = std::make_pair(i, j); - tmp[j] = delta.pow(permutation[key].first) * omega.pow(permutation[key].second); - } - - domain->inverse_fft(tmp); - S_perm[i] = math::polynomial(tmp); - } - - return S_perm; - } - - static inline math::polynomial - selector_blind(std::size_t table_size, std::size_t usable_rows, - const std::shared_ptr> &domain) { - - std::vector tmp(table_size); - for (std::size_t j = 0; j < table_size; j++) { - tmp[j] = j > usable_rows ? FieldType::value_type::one() : FieldType::value_type::zero(); - } - - domain->inverse_fft(tmp); - math::polynomial q_blind(tmp); - - return q_blind; - } - - static inline math::polynomial - selector_last(std::size_t table_size, std::size_t usable_rows, - const std::shared_ptr> &domain) { - - std::vector tmp(table_size); - for (std::size_t j = 0; j < table_size; j++) { - tmp[j] = j == usable_rows ? FieldType::value_type::one() : FieldType::value_type::zero(); - } - - domain->inverse_fft(tmp); - math::polynomial q_last(tmp); - - return q_last; - } - - template - static inline typename policy_type::preprocessed_public_data_type process( - const typename policy_type::constraint_system_type &constraint_system, - const typename policy_type::variable_assignment_type::public_table_type &public_assignment, - typename policy_type::template circuit_short_description - &short_description) { - - std::size_t N_rows = constraint_system.rows_amount(); - - std::shared_ptr> basic_domain = - math::make_evaluation_domain(N_rows); - - // TODO: add std::vector columns_with_copy_constraints; - - plonk_permutation permutation; - - std::vector> _permutation_polynomials = - permutation_polynomials(short_description.columns_with_copy_constraints.size(), - short_description.table_rows, basic_domain->get_domain_element(1), - short_description.delta, permutation, - basic_domain); - - std::vector> _identity_polynomials = - identity_polynomials(short_description.columns_with_copy_constraints.size(), - short_description.table_rows, basic_domain->get_domain_element(1), - short_description.delta, basic_domain); - - math::polynomial lagrange_0 = - lagrange_polynomial(basic_domain, 0); - - math::polynomial q_last = - selector_last(short_description.table_rows, short_description.usable_rows, basic_domain); - math::polynomial q_blind = - selector_blind(short_description.table_rows, short_description.usable_rows, basic_domain); - - plonk_public_polynomial_table - public_polynomial_table = - plonk_public_polynomial_table( - detail::column_range_polynomials(public_assignment.selectors(), - basic_domain), - detail::column_range_polynomials(public_assignment.public_inputs(), - basic_domain)); - - std::vector z_numenator(N_rows + 1); - z_numenator[0] = -FieldType::value_type::one(); - z_numenator[N_rows] = FieldType::value_type::one(); - - math::polynomial Z = z_numenator; - math::polynomial z_denominator = {-FieldType::value_type::one(), - FieldType::value_type::one()}; - Z = Z / z_denominator; - - return typename policy_type::preprocessed_public_data_type( - {basic_domain, public_polynomial_table, _permutation_polynomials, _identity_polynomials, - lagrange_0, q_last, q_blind, Z}); - } - }; - - template - class redshift_private_preprocessor { - using policy_type = detail::redshift_policy; - - public: - template - static inline typename policy_type::preprocessed_private_data_type process( - const typename policy_type::constraint_system_type &constraint_system, - const typename policy_type::variable_assignment_type::private_table_type &private_assignment, - typename policy_type::template circuit_short_description - &short_description) { - - std::size_t N_rows = constraint_system.rows_amount(); - - std::shared_ptr> basic_domain = - math::make_evaluation_domain(N_rows); - - plonk_private_polynomial_table private_polynomial_table = - plonk_private_polynomial_table( - detail::column_range_polynomials(private_assignment.witnesses(), - basic_domain)); - - return typename policy_type::preprocessed_private_data_type( - {basic_domain, private_polynomial_table}); - } - }; - - } // namespace snark - } // namespace zk - } // namespace crypto3 -} // namespace nil - -#endif // CRYPTO3_ZK_PLONK_REDSHIFT_PREPROCESSOR_HPP +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// Copyright (c) 2022 Ilia Shirobokov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_PLONK_REDSHIFT_PREPROCESSOR_HPP +#define CRYPTO3_ZK_PLONK_REDSHIFT_PREPROCESSOR_HPP + +#include +#include +#include +#include + +#include "nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp" +#include + +using namespace nil::crypto3; + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + namespace detail { + + template + math::polynomial + column_polynomial(const plonk_column &column_assignment, + const std::shared_ptr> &domain) { + + std::vector interpolation_points(column_assignment.size()); + + std::copy(column_assignment.begin(), column_assignment.end(), interpolation_points.begin()); + + domain->inverse_fft(interpolation_points); + + return interpolation_points; + } + + template + std::vector> + column_range_polynomials(const std::vector> &column_range_assignment, + const std::shared_ptr> &domain) { + + std::size_t columns_amount = column_range_assignment.size(); + std::vector> columns(columns_amount); + + for (std::size_t selector_index = 0; selector_index < columns_amount; selector_index++) { + columns[selector_index] = + column_polynomial(column_range_assignment[selector_index], domain); + } + + return columns; + } + + template + std::array, columns_amount> + column_range_polynomials( + const std::array, columns_amount> &column_range_assignment, + const std::shared_ptr> &domain) { + + std::array, columns_amount> columns; + + for (std::size_t selector_index = 0; selector_index < columns_amount; selector_index++) { + columns[selector_index] = + column_polynomial(column_range_assignment[selector_index], domain); + } + + return columns; + } + + } // namespace detail + + template + class redshift_public_preprocessor { + typedef detail::redshift_policy policy_type; + + static math::polynomial + lagrange_polynomial(std::shared_ptr> domain, + std::size_t number) { + std::vector> + evaluation_points; + for (std::size_t i = 0; i < domain->m; i++) { + evaluation_points.push_back(std::make_pair(domain->get_domain_element(i), + (i != number) ? FieldType::value_type::zero() : + FieldType::value_type::one())); + } + math::polynomial f = + math::lagrange_interpolation(evaluation_points); + + return f; + } + + public: + static inline std::vector> + identity_polynomials(std::size_t permutation_size, std::size_t table_size, + const typename FieldType::value_type &omega, + const typename FieldType::value_type &delta, + const std::shared_ptr> &domain) { + + std::vector> S_id(permutation_size); + + for (std::size_t i = 0; i < permutation_size; i++) { + std::vector tmp(table_size); + for (std::size_t j = 0; j < table_size; j++) { + tmp[j] = delta.pow(i) * omega.pow(j); + } + + domain->inverse_fft(tmp); + S_id[i] = math::polynomial(tmp); + } + + return S_id; + } + + static inline std::vector> + permutation_polynomials(std::size_t permutation_size, std::size_t table_size, + const typename FieldType::value_type &omega, + const typename FieldType::value_type &delta, + plonk_permutation &permutation, + const std::shared_ptr> &domain) { + + std::vector> S_perm(permutation_size); + + for (std::size_t i = 0; i < permutation_size; i++) { + std::vector tmp(table_size); + for (std::size_t j = 0; j < table_size; j++) { + auto key = std::make_pair(i, j); + tmp[j] = delta.pow(permutation[key].first) * omega.pow(permutation[key].second); + } + + domain->inverse_fft(tmp); + S_perm[i] = math::polynomial(tmp); + } + + return S_perm; + } + + static inline math::polynomial + selector_blind(std::size_t table_size, std::size_t usable_rows, + const std::shared_ptr> &domain) { + + std::vector tmp(table_size); + for (std::size_t j = 0; j < table_size; j++) { + tmp[j] = j > usable_rows ? FieldType::value_type::one() : FieldType::value_type::zero(); + } + + domain->inverse_fft(tmp); + math::polynomial q_blind(tmp); + + return q_blind; + } + + static inline math::polynomial + selector_last(std::size_t table_size, std::size_t usable_rows, + const std::shared_ptr> &domain) { + + std::vector tmp(table_size); + for (std::size_t j = 0; j < table_size; j++) { + tmp[j] = j == usable_rows ? FieldType::value_type::one() : FieldType::value_type::zero(); + } + + domain->inverse_fft(tmp); + math::polynomial q_last(tmp); + + return q_last; + } + + static inline typename policy_type::preprocessed_public_data_type process( + const typename policy_type::constraint_system_type &constraint_system, + const typename policy_type::variable_assignment_type::public_table_type &public_assignment, + std::vector columns_with_copy_constraints) { + + std::size_t N_rows = constraint_system.rows_amount(); + std::size_t usable_rows = constraint_system.usable_rows_amount(); + + std::shared_ptr> basic_domain = + math::make_evaluation_domain(N_rows); + + // TODO: add std::vector columns_with_copy_constraints; + + plonk_permutation permutation; + + std::vector> _permutation_polynomials = + permutation_polynomials(columns_with_copy_constraints.size(), + N_rows, basic_domain->get_domain_element(1), + policy_type::redshift_params_type::delta, permutation, + basic_domain); + + std::vector> _identity_polynomials = + identity_polynomials(columns_with_copy_constraints.size(), + N_rows, basic_domain->get_domain_element(1), + policy_type::redshift_params_type::delta, basic_domain); + + math::polynomial lagrange_0 = + lagrange_polynomial(basic_domain, 0); + + math::polynomial q_last = + selector_last(N_rows, usable_rows, basic_domain); + math::polynomial q_blind = + selector_blind(N_rows, usable_rows, basic_domain); + + plonk_public_polynomial_table + public_polynomial_table = + plonk_public_polynomial_table( + detail::column_range_polynomials(public_assignment.selectors(), + basic_domain), + detail::column_range_polynomials(public_assignment.public_inputs(), + basic_domain), + detail::column_range_polynomials(public_assignment.constants(), + basic_domain)); + + std::vector z_numenator(N_rows + 1); + z_numenator[0] = -FieldType::value_type::one(); + z_numenator[N_rows] = FieldType::value_type::one(); + + math::polynomial Z = z_numenator; + math::polynomial z_denominator = {-FieldType::value_type::one(), + FieldType::value_type::one()}; + Z = Z / z_denominator; + + return typename policy_type::preprocessed_public_data_type( + {basic_domain, public_polynomial_table, _permutation_polynomials, _identity_polynomials, + lagrange_0, q_last, q_blind, Z}); + } + }; + + template + class redshift_private_preprocessor { + using policy_type = detail::redshift_policy; + + public: + static inline typename policy_type::preprocessed_private_data_type process( + const typename policy_type::constraint_system_type &constraint_system, + const typename policy_type::variable_assignment_type::private_table_type &private_assignment) { + + std::size_t N_rows = constraint_system.rows_amount(); + + std::shared_ptr> basic_domain = + math::make_evaluation_domain(N_rows); + + plonk_private_polynomial_table private_polynomial_table = + plonk_private_polynomial_table( + detail::column_range_polynomials(private_assignment.witnesses(), + basic_domain)); + + return typename policy_type::preprocessed_private_data_type( + {basic_domain, private_polynomial_table}); + } + }; + + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_PLONK_REDSHIFT_PREPROCESSOR_HPP diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 31f9a01b4..e555a198d 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -1,271 +1,269 @@ -//---------------------------------------------------------------------------// -// Copyright (c) 2021 Mikhail Komarov -// Copyright (c) 2021 Nikita Kaskov -// Copyright (c) 2022 Ilia Shirobokov -// -// MIT License -// -// Permission is hereby granted, free of charge, to any person obtaining a copy -// of this software and associated documentation files (the "Software"), to deal -// in the Software without restriction, including without limitation the rights -// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -// copies of the Software, and to permit persons to whom the Software is -// furnished to do so, subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -// SOFTWARE. -//---------------------------------------------------------------------------// - -#ifndef CRYPTO3_ZK_PLONK_REDSHIFT_PROVER_HPP -#define CRYPTO3_ZK_PLONK_REDSHIFT_PROVER_HPP - -#include - -#include - -#include -#include -#include "nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp" -#include -#include -#include - -namespace nil { - namespace crypto3 { - namespace zk { - namespace snark { - - template - class redshift_prover { - - constexpr static const std::size_t witness_columns = ParamsType::witness_columns; - constexpr static const std::size_t public_columns = ParamsType::public_columns; - using merkle_hash_type = typename ParamsType::commitment_params_type::merkle_hash_type; - using transcript_hash_type = typename ParamsType::commitment_params_type::transcript_hash_type; - - using policy_type = detail::redshift_policy; - - typedef typename containers::merkle_tree merkle_tree_type; - - constexpr static const std::size_t lambda = ParamsType::commitment_params_type::lambda; - constexpr static const std::size_t r = ParamsType::commitment_params_type::r; - constexpr static const std::size_t m = ParamsType::commitment_params_type::m; - - constexpr static const std::size_t opening_points_witness = 1; - constexpr static const std::size_t opening_points_v_p = 2; - constexpr static const std::size_t opening_points_t = 1; - constexpr static const std::size_t opening_points_public = 1; - - typedef list_polynomial_commitment_scheme - commitment_scheme_witness_type; - typedef list_polynomial_commitment_scheme - commitment_scheme_permutation_type; - typedef list_polynomial_commitment_scheme - commitment_scheme_quotient_type; - typedef list_polynomial_commitment_scheme - commitment_scheme_public_points_type; - - constexpr static const std::size_t gate_parts = 1; - constexpr static const std::size_t permutation_parts = 3; - constexpr static const std::size_t f_parts = 9; - - static inline math::polynomial quotient_polynomial( - const typename policy_type::preprocessed_public_data_type preprocessed_public_data, - std::array, f_parts> - F, - fiat_shamir_heuristic_sequential - transcript) { - // 7.1. Get $\alpha_0, \dots, \alpha_8 \in \mathbb{F}$ from $hash(\text{transcript})$ - std::array alphas = - transcript.template challenges(); - - // 7.2. Compute F_consolidated - math::polynomial F_consolidated = {0}; - for (std::size_t i = 0; i < f_parts; i++) { - F_consolidated = F_consolidated + alphas[i] * F[i]; - } - - math::polynomial T_consolidated = - F_consolidated / preprocessed_public_data.Z; - - return T_consolidated; - } - - static inline std::vector> - split_polynomial(math::polynomial f, std::size_t max_degree) { - std::size_t parts = ((f.size() - 1) / (max_degree + 1)) + 1; - std::vector> f_splitted(parts); - - std::size_t chunk_size = max_degree + 1; // polynomial contains max_degree + 1 coeffs - for (std::size_t i = 0; i < parts - 1; i++) { - std::copy(f.begin() + i * chunk_size, - f.begin() + (i + 1) * chunk_size - 1, - std::back_inserter(f_splitted[i])); - } - std::copy( - f.begin() + (parts - 1) * chunk_size, f.end(), std::back_inserter(f_splitted[parts - 1])); - return f_splitted; - } - - public: - static inline typename policy_type::template proof_type - process(const typename policy_type::preprocessed_public_data_type preprocessed_public_data, - const typename policy_type::preprocessed_private_data_type preprocessed_private_data, - typename policy_type::constraint_system_type &constraint_system, - const typename policy_type::variable_assignment_type &assignments, - const typename policy_type::template circuit_short_description< - commitment_scheme_public_points_type> &short_description, - const typename commitment_scheme_witness_type::fri_type::params_type - &fri_params) { // TODO: fri_type are the same for each lpc_type here - - typename policy_type::template proof_type - proof; - - plonk_polynomial_table polynomial_table = - plonk_polynomial_table( - preprocessed_private_data.private_polynomial_table, - preprocessed_public_data.public_polynomial_table); - - // 1. Add circuit definition to transcript - // transcript(short_description); //TODO: circuit_short_description marshalling - std::vector transcript_init {}; - fiat_shamir_heuristic_sequential transcript(transcript_init); - - // 2. Commit witness columns - std::array, witness_columns> witness_poly = - preprocessed_private_data.private_polynomial_table.witnesses(); - - std::array - witness_commitments = commitment_scheme_witness_type::template commit( - witness_poly, fri_params.D[0]); - - proof.witness_commitments.resize(witness_columns); - for (std::size_t i = 0; i < witness_columns; i++) { - proof.witness_commitments[i] = witness_commitments[i].root(); - transcript(proof.witness_commitments[i]); - } - - // 4. permutation_argument - auto permutation_argument = - redshift_permutation_argument::prove_eval(transcript, - preprocessed_public_data, - short_description, - polynomial_table, - fri_params); - - proof.v_perm_commitment = permutation_argument.permutation_poly_commitment.root(); - - std::array, f_parts> F; - - F[0] = permutation_argument.F[0]; - F[1] = permutation_argument.F[1]; - F[2] = permutation_argument.F[2]; - - // 5. lookup_argument - // std::array, 5> - // lookup_argument = redshift_lookup_argument::prove_eval(transcript); - - // 6. circuit-satisfability - std::array, gate_parts> prover_res = - redshift_gates_argument::prove_eval( - constraint_system, polynomial_table, transcript); - - F[3] = prover_res[0]; - - // 7. Aggregate quotient polynomial - math::polynomial T = - quotient_polynomial(preprocessed_public_data, F, transcript); - std::vector> T_splitted = - split_polynomial(T, fri_params.max_degree); - std::vector T_commitments( - T_splitted.size()); - for (std::size_t i = 0; i < T_splitted.size(); i++) { - T_commitments[i] = commitment_scheme_quotient_type::commit(T_splitted[i], fri_params.D[0]); - proof.T_commitments.push_back(T_commitments[i].root()); - } - - // transcript(T_commitments); - - // 8. Run evaluation proofs - typename FieldType::value_type challenge = transcript.template challenge(); - - typename FieldType::value_type omega = - preprocessed_public_data.basic_domain->get_domain_element(1); - - // witness polynomials (table columns) - std::array - witnesses_evaluation; - for (std::size_t i = 0; i < witness_commitments.size(); i++) { - std::vector rotation_gates = {0}; // TODO: Rotation - std::array - evaluation_points_gates; // TODO: array size with rotation - for (std::size_t i = 0; i < evaluation_points_gates.size(); i++) { - evaluation_points_gates[i] = challenge * omega.pow(rotation_gates[i]); - } - - witnesses_evaluation[i] = - commitment_scheme_witness_type::proof_eval(evaluation_points_gates, - witness_commitments[i], - witness_poly[i], - transcript, - fri_params); - proof.eval_proof.witness.push_back(witnesses_evaluation[i]); - } - - // permutation polynomial evaluation - std::array evaluation_points_v_p = {challenge, - challenge * omega}; - typename commitment_scheme_permutation_type::proof_type v_p_evaluation = - commitment_scheme_permutation_type::proof_eval( - evaluation_points_v_p, - permutation_argument.permutation_poly_commitment, - permutation_argument.permutation_polynomial, - transcript, - fri_params); - proof.eval_proof.permutation.push_back(v_p_evaluation); - - std::array evaluation_points_quotient = {challenge}; - std::vector quotient_evaluation( - T_splitted.size()); - for (std::size_t i = 0; i < T_splitted.size(); i++) { - quotient_evaluation[i] = commitment_scheme_quotient_type::proof_eval( - evaluation_points_quotient, T_commitments[i], T_splitted[i], transcript, fri_params); - proof.eval_proof.quotient.push_back(quotient_evaluation[i]); - } - - return proof; - } - }; - } // namespace snark - } // namespace zk - } // namespace crypto3 -} // namespace nil - -#endif // CRYPTO3_ZK_PLONK_REDSHIFT_PROVER_HPP +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// Copyright (c) 2022 Ilia Shirobokov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_PLONK_REDSHIFT_PROVER_HPP +#define CRYPTO3_ZK_PLONK_REDSHIFT_PROVER_HPP + +#include + +#include + +#include +#include +#include "nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp" +#include +#include +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace snark { + + template + class redshift_prover { + + constexpr static const std::size_t witness_columns = ParamsType::witness_columns; + constexpr static const std::size_t public_columns = ParamsType::public_columns; + using merkle_hash_type = typename ParamsType::commitment_params_type::merkle_hash_type; + using transcript_hash_type = typename ParamsType::commitment_params_type::transcript_hash_type; + + using policy_type = detail::redshift_policy; + + typedef typename containers::merkle_tree merkle_tree_type; + + constexpr static const std::size_t lambda = ParamsType::commitment_params_type::lambda; + constexpr static const std::size_t r = ParamsType::commitment_params_type::r; + constexpr static const std::size_t m = ParamsType::commitment_params_type::m; + + constexpr static const std::size_t opening_points_witness = 1; + constexpr static const std::size_t opening_points_v_p = 2; + constexpr static const std::size_t opening_points_t = 1; + constexpr static const std::size_t opening_points_public = 1; + + typedef list_polynomial_commitment_scheme + commitment_scheme_witness_type; + typedef list_polynomial_commitment_scheme + commitment_scheme_permutation_type; + typedef list_polynomial_commitment_scheme + commitment_scheme_quotient_type; + typedef list_polynomial_commitment_scheme + commitment_scheme_public_points_type; + + constexpr static const std::size_t gate_parts = 1; + constexpr static const std::size_t permutation_parts = 3; + constexpr static const std::size_t f_parts = 9; + + static inline math::polynomial quotient_polynomial( + const typename policy_type::preprocessed_public_data_type preprocessed_public_data, + std::array, f_parts> + F, + fiat_shamir_heuristic_sequential + transcript) { + // 7.1. Get $\alpha_0, \dots, \alpha_8 \in \mathbb{F}$ from $hash(\text{transcript})$ + std::array alphas = + transcript.template challenges(); + + // 7.2. Compute F_consolidated + math::polynomial F_consolidated = {0}; + for (std::size_t i = 0; i < f_parts; i++) { + F_consolidated = F_consolidated + alphas[i] * F[i]; + } + + math::polynomial T_consolidated = + F_consolidated / preprocessed_public_data.Z; + + return T_consolidated; + } + + static inline std::vector> + split_polynomial(math::polynomial f, std::size_t max_degree) { + std::size_t parts = ((f.size() - 1) / (max_degree + 1)) + 1; + std::vector> f_splitted(parts); + + std::size_t chunk_size = max_degree + 1; // polynomial contains max_degree + 1 coeffs + for (std::size_t i = 0; i < parts - 1; i++) { + std::copy(f.begin() + i * chunk_size, + f.begin() + (i + 1) * chunk_size - 1, + std::back_inserter(f_splitted[i])); + } + std::copy( + f.begin() + (parts - 1) * chunk_size, f.end(), std::back_inserter(f_splitted[parts - 1])); + return f_splitted; + } + + public: + static inline typename policy_type::template proof_type + process(const typename policy_type::preprocessed_public_data_type preprocessed_public_data, + const typename policy_type::preprocessed_private_data_type preprocessed_private_data, + typename policy_type::constraint_system_type &constraint_system, + const typename policy_type::variable_assignment_type &assignments, + const typename commitment_scheme_witness_type::fri_type::params_type + &fri_params) { // TODO: fri_type are the same for each lpc_type here + + typename policy_type::template proof_type + proof; + + plonk_polynomial_table polynomial_table = + plonk_polynomial_table( + preprocessed_private_data.private_polynomial_table, + preprocessed_public_data.public_polynomial_table); + + // 1. Add circuit definition to transcript + // transcript(short_description); //TODO: circuit_short_description marshalling + std::vector transcript_init {}; + fiat_shamir_heuristic_sequential transcript(transcript_init); + + // 2. Commit witness columns + std::array, witness_columns> witness_poly = + preprocessed_private_data.private_polynomial_table.witnesses(); + + std::array + witness_commitments = commitment_scheme_witness_type::template commit( + witness_poly, fri_params.D[0]); + + proof.witness_commitments.resize(witness_columns); + for (std::size_t i = 0; i < witness_columns; i++) { + proof.witness_commitments[i] = witness_commitments[i].root(); + transcript(proof.witness_commitments[i]); + } + + // 4. permutation_argument + auto permutation_argument = + redshift_permutation_argument::prove_eval(transcript, + preprocessed_public_data, + short_description, + polynomial_table, + fri_params); + + proof.v_perm_commitment = permutation_argument.permutation_poly_commitment.root(); + + std::array, f_parts> F; + + F[0] = permutation_argument.F[0]; + F[1] = permutation_argument.F[1]; + F[2] = permutation_argument.F[2]; + + // 5. lookup_argument + // std::array, 5> + // lookup_argument = redshift_lookup_argument::prove_eval(transcript); + + // 6. circuit-satisfability + std::array, gate_parts> prover_res = + redshift_gates_argument::prove_eval( + constraint_system, polynomial_table, transcript); + + F[3] = prover_res[0]; + + // 7. Aggregate quotient polynomial + math::polynomial T = + quotient_polynomial(preprocessed_public_data, F, transcript); + std::vector> T_splitted = + split_polynomial(T, fri_params.max_degree); + std::vector T_commitments( + T_splitted.size()); + for (std::size_t i = 0; i < T_splitted.size(); i++) { + T_commitments[i] = commitment_scheme_quotient_type::commit(T_splitted[i], fri_params.D[0]); + proof.T_commitments.push_back(T_commitments[i].root()); + } + + // transcript(T_commitments); + + // 8. Run evaluation proofs + typename FieldType::value_type challenge = transcript.template challenge(); + + typename FieldType::value_type omega = + preprocessed_public_data.basic_domain->get_domain_element(1); + + // witness polynomials (table columns) + std::array + witnesses_evaluation; + for (std::size_t i = 0; i < witness_commitments.size(); i++) { + std::vector rotation_gates = {0}; // TODO: Rotation + std::array + evaluation_points_gates; // TODO: array size with rotation + for (std::size_t i = 0; i < evaluation_points_gates.size(); i++) { + evaluation_points_gates[i] = challenge * omega.pow(rotation_gates[i]); + } + + witnesses_evaluation[i] = + commitment_scheme_witness_type::proof_eval(evaluation_points_gates, + witness_commitments[i], + witness_poly[i], + transcript, + fri_params); + proof.eval_proof.witness.push_back(witnesses_evaluation[i]); + } + + // permutation polynomial evaluation + std::array evaluation_points_v_p = {challenge, + challenge * omega}; + typename commitment_scheme_permutation_type::proof_type v_p_evaluation = + commitment_scheme_permutation_type::proof_eval( + evaluation_points_v_p, + permutation_argument.permutation_poly_commitment, + permutation_argument.permutation_polynomial, + transcript, + fri_params); + proof.eval_proof.permutation.push_back(v_p_evaluation); + + std::array evaluation_points_quotient = {challenge}; + std::vector quotient_evaluation( + T_splitted.size()); + for (std::size_t i = 0; i < T_splitted.size(); i++) { + quotient_evaluation[i] = commitment_scheme_quotient_type::proof_eval( + evaluation_points_quotient, T_commitments[i], T_splitted[i], transcript, fri_params); + proof.eval_proof.quotient.push_back(quotient_evaluation[i]); + } + + return proof; + } + }; + } // namespace snark + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_PLONK_REDSHIFT_PROVER_HPP diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp index b18e0c180..e8b5aa810 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp @@ -80,9 +80,7 @@ namespace nil { // const policy_type::primary_input_type &primary_input, const typename policy_type::template proof_type &proof, - const typename policy_type::template circuit_short_description - &short_description) { // TODO: decsription commitment scheme + commitment_scheme_quotient_type> &proof) { // TODO: decsription commitment scheme // 1. Add circuit definition to transcript // transcript(short_description); diff --git a/test/systems/plonk/circuits.hpp b/test/systems/plonk/circuits.hpp index 6b505ed9c..09a4eda5a 100644 --- a/test/systems/plonk/circuits.hpp +++ b/test/systems/plonk/circuits.hpp @@ -52,7 +52,7 @@ namespace nil { typedef zk::snark::detail::redshift_policy policy_type; constexpr static const std::size_t witness_columns = ParamsType::witness_columns; - constexpr static const std::size_t public_columns = ParamsType::public_columns; + constexpr static const std::size_t public_columns = ParamsType::public_input_columns; using merkle_hash_type = typename ParamsType::merkle_hash_type; using transcript_hash_type = typename ParamsType::transcript_hash_type; @@ -70,7 +70,6 @@ namespace nil { std::vector> S_sigma; typename policy_type::variable_assignment_type table; - std::vector> column_polynomials; // construct q_last, q_blind math::polynomial q_last; @@ -112,20 +111,26 @@ namespace nil { // ADD: x + y = z // MUL: x * y = z //---------------------------------------------------------------------------// - typedef redshift_params<3, 0> circuit_1_params; + constexpr static const std::size_t witness_columns_1 = 3; + constexpr static const std::size_t selector_columns_1 = 2; + constexpr static const std::size_t public_columns_1 = 0; + constexpr static const std::size_t constant_columns_1 = 0; template - circuit_description circuit_test_1() { + circuit_description, 4, 3, 16> circuit_test_1() { constexpr static const std::size_t rows_log = 4; - constexpr static const std::size_t table_columns = 3; - constexpr static const std::size_t witness_columns = 3; - std::size_t selectors_columns = 2; - constexpr static const std::size_t public_columns = 0; constexpr static const std::size_t permutation = 3; constexpr static const std::size_t usable = 1 << rows_log; - circuit_description test_circuit; - test_circuit.column_polynomials.resize(witness_columns + public_columns); + constexpr static const std::size_t witness_columns = witness_columns_1; + constexpr static const std::size_t selector_columns = selector_columns_1; + constexpr static const std::size_t public_columns = public_columns_1; + constexpr static const std::size_t constant_columns = constant_columns_1; + constexpr static const std::size_t table_columns = witness_columns + public_columns + constant_columns; + + typedef redshift_params circuit_params; + + circuit_description test_circuit; std::array, table_columns> table; @@ -160,11 +165,6 @@ namespace nil { q_mul[i] = FieldType::value_type::one(); } - for (std::size_t i = 0; i < table_columns; i++) { - test_circuit.domain->inverse_fft(table[i]); - test_circuit.column_polynomials[i] = math::polynomial(table[i]); - } - std::array, witness_columns> private_assignment; for (std::size_t i = 0; i < witness_columns; i++) { for (std::size_t j = 0; j < test_circuit.table_rows; j++) { @@ -172,7 +172,7 @@ namespace nil { } } - std::vector> selectors_assignment(selectors_columns); + std::vector> selectors_assignment(selector_columns); std::vector> public_input_assignment(public_columns); for (std::size_t j = 0; j < test_circuit.table_rows; j++) { selectors_assignment[0][j] = q_add[j]; @@ -185,9 +185,9 @@ namespace nil { } } - test_circuit.table = plonk_assignment_table( + test_circuit.table = plonk_assignment_table( plonk_private_assignment_table(private_assignment), - plonk_public_assignment_table(selectors_assignment, + plonk_public_assignment_table(selectors_assignment, public_input_assignment)); test_circuit.init(); @@ -231,20 +231,26 @@ namespace nil { // ADD: x + y = z, copy(prev(z), y) // MUL: x * y = z, copy(p1, y) //---------------------------------------------------------------------------// - typedef redshift_params<3, 1> circuit_2_params; + constexpr static const std::size_t witness_columns_2 = 3; + constexpr static const std::size_t selector_columns_2 = 2; + constexpr static const std::size_t public_columns_2 = 1; + constexpr static const std::size_t constant_columns_2 = 0; template - circuit_description circuit_test_2() { + circuit_description, 4, 4, 16> circuit_test_2() { constexpr static const std::size_t rows_log = 4; - constexpr static const std::size_t table_columns = 4; - constexpr static const std::size_t witness_columns = 3; - std::size_t selectors_columns = 2; - constexpr static const std::size_t public_columns = 1; constexpr static const std::size_t permutation = 4; constexpr static const std::size_t usable = 1 << rows_log; - circuit_description test_circuit; - test_circuit.column_polynomials.resize(witness_columns + public_columns); + constexpr static const std::size_t witness_columns = witness_columns_2; + constexpr static const std::size_t selector_columns = selector_columns_2; + constexpr static const std::size_t public_columns = public_columns_2; + constexpr static const std::size_t constant_columns = constant_columns_2; + constexpr static const std::size_t table_columns = witness_columns + public_columns + constant_columns; + + typedef redshift_params circuit_params; + + circuit_description test_circuit; std::array, table_columns> table; @@ -286,29 +292,25 @@ namespace nil { test_circuit.permutation.cells_equal(1, i, 3, 0); } - for (std::size_t i = 0; i < table_columns; i++) { - test_circuit.domain->inverse_fft(table[i]); - test_circuit.column_polynomials[i] = math::polynomial(table[i]); - } - std::array, witness_columns> private_assignment; for (std::size_t i = 0; i < witness_columns; i++) { private_assignment[i] = table[i]; } - std::vector> selectors_assignment(selectors_columns); - std::vector> public_input_assignment(public_columns); + std::array, selector_columns> selectors_assignment; + std::array, public_columns> public_input_assignment; + std::array, constant_columns> constant_assignment; selectors_assignment[0] = q_add; selectors_assignment[1] = q_mul; - for (std::size_t i = selectors_columns; i < selectors_columns + public_columns; i++) { + for (std::size_t i = 0; i < public_columns; i++) { public_input_assignment[i] = table[witness_columns + i]; } - test_circuit.table = plonk_assignment_table( + test_circuit.table = plonk_assignment_table( plonk_private_assignment_table(private_assignment), - plonk_public_assignment_table(selectors_assignment, - public_input_assignment)); + plonk_public_assignment_table(selectors_assignment, + public_input_assignment, constant_assignment)); test_circuit.init(); diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index b6946e3dd..657dcfeda 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -43,9 +43,9 @@ #include #include -#include -#include -#include +//#include +//#include +//#include #include #include #include "nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp" @@ -95,7 +95,9 @@ struct redshift_test_params { using transcript_hash_type = hashes::keccak_1600<512>; constexpr static const std::size_t witness_columns = 3; + constexpr static const std::size_t selector_columns = 2; constexpr static const std::size_t public_columns = 1; + constexpr static const std::size_t constant_columns = 0; constexpr static const std::size_t lambda = 40; constexpr static const std::size_t r = table_rows_log - 1; @@ -109,9 +111,10 @@ typedef fri_commitment_scheme fri_type; -typedef redshift_params<3, 1> circuit_2_params; +typedef redshift_params circuit_2_params; -BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { +/*BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { circuit_description circuit = circuit_test_2(); @@ -122,30 +125,32 @@ BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { typename fri_type::params_type fri_params = create_fri_params(table_rows_log); - typename policy_type::constraint_system_type constraint_system({}, table_rows); + typename policy_type::constraint_system_type constraint_system({}, table_rows, usable_rows); typename policy_type::variable_assignment_type assigments = circuit.table; - policy_type::circuit_short_description short_description; - short_description.columns_with_copy_constraints = {0, 1, 2, 3}; - short_description.table_rows = table_rows; - short_description.usable_rows = usable_rows; - short_description.delta = circuit.delta; - short_description.permutation = circuit.permutation; + // policy_type::circuit_short_description short_description; + // short_description.columns_with_copy_constraints = {0, 1, 2, 3}; + // short_description.table_rows = table_rows; + // short_description.usable_rows = usable_rows; + // short_description.delta = circuit.delta; + // short_description.permutation = circuit.permutation; + + std::vector columns_with_copy_constraints = {0, 1, 2, 3}; typename policy_type::preprocessed_public_data_type preprocessed_public_data = redshift_public_preprocessor::process( - constraint_system, assigments.public_table(), short_description); + constraint_system, assigments.public_table(), columns_with_copy_constraints); typename policy_type::preprocessed_private_data_type preprocessed_private_data = redshift_private_preprocessor::process( - constraint_system, assigments.private_table(), short_description); + constraint_system, assigments.private_table()); auto proof = redshift_prover::process(preprocessed_public_data, preprocessed_private_data, constraint_system, - assigments, short_description, fri_params); + assigments, fri_params); - bool verifier_res = redshift_verifier::process(proof, short_description); + bool verifier_res = redshift_verifier::process(proof); BOOST_CHECK(verifier_res); } @@ -216,7 +221,7 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { for (int i = 0; i < argument_size; i++) { BOOST_CHECK(prover_res.F[i].evaluate(y) == verifier_res[i]); } -} +}*/ BOOST_AUTO_TEST_CASE(redshift_lookup_argument_test) { @@ -238,26 +243,30 @@ BOOST_AUTO_TEST_CASE(redshift_gate_argument_test) { typename fri_type::params_type fri_params = create_fri_params(table_rows_log); - typename policy_type::constraint_system_type constraint_system(circuit.gates, table_rows); + typename policy_type::constraint_system_type constraint_system(circuit.gates, table_rows, usable_rows); typename policy_type::variable_assignment_type assigments = circuit.table; - policy_type::circuit_short_description short_description; + /*policy_type::circuit_short_description short_description; short_description.columns_with_copy_constraints = {0, 1, 2, 3}; short_description.table_rows = table_rows; short_description.usable_rows = usable_rows; short_description.delta = circuit.delta; - short_description.permutation = circuit.permutation; + short_description.permutation = circuit.permutation;*/ + + std::vector columns_with_copy_constraints = {0, 1, 2, 3}; typename policy_type::preprocessed_public_data_type preprocessed_public_data = redshift_public_preprocessor::process( - constraint_system, assigments.public_table(), short_description); + constraint_system, assigments.public_table(), columns_with_copy_constraints); typename policy_type::preprocessed_private_data_type preprocessed_private_data = redshift_private_preprocessor::process( - constraint_system, assigments.private_table(), short_description); + constraint_system, assigments.private_table()); - plonk_polynomial_table polynomial_table = - plonk_polynomial_table( + auto polynomial_table = + plonk_polynomial_table( preprocessed_private_data.private_polynomial_table, preprocessed_public_data.public_polynomial_table); @@ -273,14 +282,14 @@ BOOST_AUTO_TEST_CASE(redshift_gate_argument_test) { typename FieldType::value_type y = algebra::random_element(); typename policy_type::evaluation_map columns_at_y; - for (int i = 0; i < table_columns; i++) { + for (std::size_t i = 0; i < redshift_test_params::witness_columns; i++) { auto key = std::make_tuple(i, plonk_variable::rotation_type::current, plonk_variable::column_type::witness); - columns_at_y[key] = circuit.column_polynomials[i].evaluate(y); + columns_at_y[key] = polynomial_table.witness(i).evaluate(y); } std::array verifier_res = - redshift_gates_argument::verify_eval(circuit.gates, columns_at_y, y, + redshift_gates_argument::verify_eval(constraint_system.gates(), polynomial_table, columns_at_y, y, verifier_transcript); typename FieldType::value_type verifier_next_challenge = verifier_transcript.template challenge(); From 6bd23e45b5ccd9dcbfcc3529906415f8d527ac37 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Sun, 6 Mar 2022 21:17:49 +0200 Subject: [PATCH 205/219] permutation argument test update #20 --- .../plonk/redshift/permutation_argument.hpp | 20 ++++---- test/systems/plonk/redshift.cpp | 46 ++++++++----------- 2 files changed, 28 insertions(+), 38 deletions(-) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp index f7f2c6b16..10ec2aad3 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp @@ -39,6 +39,7 @@ #include #include #include +#include namespace nil { namespace crypto3 { @@ -52,7 +53,7 @@ namespace nil { using transcript_hash_type = typename ParamsType::transcript_hash_type; - using policy_type = detail::redshift_policy; + typedef detail::redshift_policy policy_type; typedef typename CommitmentSchemeTypePermutation::fri_type fri_type; @@ -69,14 +70,15 @@ namespace nil { static inline prover_result_type prove_eval( fiat_shamir_heuristic_sequential &transcript, + typename policy_type::constraint_system_type &constraint_system, const typename policy_type::preprocessed_public_data_type preprocessed_data, - const typename policy_type::template circuit_short_description - &short_description, const plonk_polynomial_table &column_polynomials, typename fri_type::params_type fri_params) { + const std::size_t table_rows = constraint_system.rows_amount(); + const std::vector> &S_sigma = preprocessed_data.permutation_polynomials; const std::vector> &S_id = @@ -89,10 +91,10 @@ namespace nil { typename FieldType::value_type gamma = transcript.template challenge(); // 2. Calculate id_binding, sigma_binding for j from 1 to N_rows - std::vector id_binding(short_description.table_rows); - std::vector sigma_binding(short_description.table_rows); + std::vector id_binding(table_rows); + std::vector sigma_binding(table_rows); - for (std::size_t j = 0; j < short_description.table_rows; j++) { + for (std::size_t j = 0; j < table_rows; j++) { id_binding[j] = FieldType::value_type::one(); sigma_binding[j] = FieldType::value_type::one(); for (std::size_t i = 0; i < S_id.size(); i++) { @@ -106,10 +108,10 @@ namespace nil { // 3. Calculate $V_P$ std::vector V_P_interpolation_points( - short_description.table_rows); + table_rows); V_P_interpolation_points[0] = FieldType::value_type::one(); - for (std::size_t j = 1; j < short_description.table_rows; j++) { + for (std::size_t j = 1; j < table_rows; j++) { typename FieldType::value_type tmp_mul_result = FieldType::value_type::one(); for (std::size_t i = 0; i <= j - 1; i++) { // TODO: use one division @@ -158,8 +160,6 @@ namespace nil { static inline std::array verify_eval( fiat_shamir_heuristic_sequential &transcript, const typename policy_type::preprocessed_public_data_type preprocessed_data, - const typename policy_type::template circuit_short_description - &short_description, // y const typename FieldType::value_type &challenge, // f(y): diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index 657dcfeda..6e2360f17 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -45,7 +45,7 @@ //#include //#include -//#include +#include #include #include #include "nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp" @@ -96,7 +96,7 @@ struct redshift_test_params { constexpr static const std::size_t witness_columns = 3; constexpr static const std::size_t selector_columns = 2; - constexpr static const std::size_t public_columns = 1; + constexpr static const std::size_t public_input_columns = 1; constexpr static const std::size_t constant_columns = 0; constexpr static const std::size_t lambda = 40; @@ -105,14 +105,14 @@ struct redshift_test_params { }; constexpr static const std::size_t table_columns = - redshift_test_params::witness_columns + redshift_test_params::public_columns; + redshift_test_params::witness_columns + redshift_test_params::public_input_columns; typedef fri_commitment_scheme fri_type; typedef redshift_params circuit_2_params; + redshift_test_params::public_input_columns, redshift_test_params::constant_columns> circuit_2_params; /*BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { @@ -152,7 +152,7 @@ typedef redshift_params::process(proof); BOOST_CHECK(verifier_res); -} +}*/ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { @@ -168,26 +168,23 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { typename fri_type::params_type fri_params = create_fri_params(table_rows_log); - typename policy_type::constraint_system_type constraint_system({}, table_rows); + typename policy_type::constraint_system_type constraint_system(circuit.gates, table_rows, usable_rows); typename policy_type::variable_assignment_type assigments = circuit.table; - policy_type::circuit_short_description short_description; - short_description.columns_with_copy_constraints = {0, 1, 2, 3}; - short_description.table_rows = table_rows; - short_description.usable_rows = usable_rows; - short_description.delta = circuit.delta; - short_description.permutation = circuit.permutation; + std::vector columns_with_copy_constraints = {0, 1, 2, 3}; typename policy_type::preprocessed_public_data_type preprocessed_public_data = redshift_public_preprocessor::process( - constraint_system, assigments.public_table(), short_description); + constraint_system, assigments.public_table(), columns_with_copy_constraints); typename policy_type::preprocessed_private_data_type preprocessed_private_data = redshift_private_preprocessor::process( - constraint_system, assigments.private_table(), short_description); + constraint_system, assigments.private_table()); - plonk_polynomial_table polynomial_table = - plonk_polynomial_table( + auto polynomial_table = + plonk_polynomial_table( preprocessed_private_data.private_polynomial_table, preprocessed_public_data.public_polynomial_table); @@ -197,13 +194,13 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { typename redshift_permutation_argument::prover_result_type prover_res = redshift_permutation_argument::prove_eval( - prover_transcript, preprocessed_public_data, short_description, polynomial_table, fri_params); + prover_transcript, constraint_system, preprocessed_public_data, polynomial_table, fri_params); // Challenge phase typename FieldType::value_type y = algebra::random_element(); std::vector f_at_y(permutation_size); for (int i = 0; i < permutation_size; i++) { - f_at_y[i] = circuit.column_polynomials[i].evaluate(y); + f_at_y[i] = polynomial_table[i].evaluate(y); } typename FieldType::value_type v_p_at_y = prover_res.permutation_polynomial.evaluate(y); @@ -211,7 +208,7 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { std::array verifier_res = redshift_permutation_argument::verify_eval( - verifier_transcript, preprocessed_public_data, short_description, y, f_at_y, v_p_at_y, v_p_at_y_shifted, + verifier_transcript, preprocessed_public_data, y, f_at_y, v_p_at_y, v_p_at_y_shifted, prover_res.permutation_poly_commitment.root()); typename FieldType::value_type verifier_next_challenge = verifier_transcript.template challenge(); @@ -221,7 +218,7 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { for (int i = 0; i < argument_size; i++) { BOOST_CHECK(prover_res.F[i].evaluate(y) == verifier_res[i]); } -}*/ +} BOOST_AUTO_TEST_CASE(redshift_lookup_argument_test) { @@ -246,13 +243,6 @@ BOOST_AUTO_TEST_CASE(redshift_gate_argument_test) { typename policy_type::constraint_system_type constraint_system(circuit.gates, table_rows, usable_rows); typename policy_type::variable_assignment_type assigments = circuit.table; - /*policy_type::circuit_short_description short_description; - short_description.columns_with_copy_constraints = {0, 1, 2, 3}; - short_description.table_rows = table_rows; - short_description.usable_rows = usable_rows; - short_description.delta = circuit.delta; - short_description.permutation = circuit.permutation;*/ - std::vector columns_with_copy_constraints = {0, 1, 2, 3}; typename policy_type::preprocessed_public_data_type preprocessed_public_data = @@ -265,7 +255,7 @@ BOOST_AUTO_TEST_CASE(redshift_gate_argument_test) { auto polynomial_table = plonk_polynomial_table( preprocessed_private_data.private_polynomial_table, preprocessed_public_data.public_polynomial_table); From d509b8e288f946fb5439906c767ed9fe334fed7e Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Sun, 6 Mar 2022 21:23:35 +0200 Subject: [PATCH 206/219] gate argument verifier signature update #20 --- .../zk/snark/systems/plonk/redshift/gates_argument.hpp | 7 ++----- test/systems/plonk/redshift.cpp | 2 +- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp index 26002f776..3d2cd486d 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp @@ -92,11 +92,8 @@ namespace nil { static inline std::array verify_eval(const std::vector> &gates, - const plonk_polynomial_table &public_polynomials, - //const plonk_public_polynomial_table public_polynomials, + const plonk_public_polynomial_table public_polynomials, typename policy_type::evaluation_map &evaluations, typename FieldType::value_type challenge, fiat_shamir_heuristic_sequential &transcript) { diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index 6e2360f17..6c994a917 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -279,7 +279,7 @@ BOOST_AUTO_TEST_CASE(redshift_gate_argument_test) { } std::array verifier_res = - redshift_gates_argument::verify_eval(constraint_system.gates(), polynomial_table, columns_at_y, y, + redshift_gates_argument::verify_eval(constraint_system.gates(), preprocessed_public_data.public_polynomial_table, columns_at_y, y, verifier_transcript); typename FieldType::value_type verifier_next_challenge = verifier_transcript.template challenge(); From d091a1b8d126790bcd354e6d1fa423318d04c549 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Sun, 6 Mar 2022 21:36:36 +0200 Subject: [PATCH 207/219] prover update #20 --- .../zk/snark/systems/plonk/redshift/prover.hpp | 2 +- .../snark/systems/plonk/redshift/verifier.hpp | 3 ++- test/systems/plonk/redshift.cpp | 18 +++++------------- 3 files changed, 8 insertions(+), 15 deletions(-) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index e555a198d..a9c4bb35b 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -173,8 +173,8 @@ namespace nil { commitment_scheme_public_points_type, commitment_scheme_permutation_type, ParamsType>::prove_eval(transcript, + constraint_system, preprocessed_public_data, - short_description, polynomial_table, fri_params); diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp index e8b5aa810..d22b3c3bc 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp @@ -84,7 +84,8 @@ namespace nil { // 1. Add circuit definition to transcript // transcript(short_description); - fiat_shamir_heuristic_sequential transcript(short_description); + std::vector transcript_init {}; + fiat_shamir_heuristic_sequential transcript(transcript_init); for (std::size_t i = 0; i < witness_columns; i++) { transcript(proof.witness_commitments[i]); diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index 6c994a917..3ab80e6ca 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -43,8 +43,8 @@ #include #include -//#include -//#include +#include +#include #include #include #include @@ -114,7 +114,7 @@ typedef fri_commitment_scheme circuit_2_params; -/*BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { +BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { circuit_description circuit = circuit_test_2(); @@ -125,17 +125,9 @@ typedef redshift_params(table_rows_log); - typename policy_type::constraint_system_type constraint_system({}, table_rows, usable_rows); - + typename policy_type::constraint_system_type constraint_system(circuit.gates, table_rows, usable_rows); typename policy_type::variable_assignment_type assigments = circuit.table; - // policy_type::circuit_short_description short_description; - // short_description.columns_with_copy_constraints = {0, 1, 2, 3}; - // short_description.table_rows = table_rows; - // short_description.usable_rows = usable_rows; - // short_description.delta = circuit.delta; - // short_description.permutation = circuit.permutation; - std::vector columns_with_copy_constraints = {0, 1, 2, 3}; typename policy_type::preprocessed_public_data_type preprocessed_public_data = @@ -152,7 +144,7 @@ typedef redshift_params::process(proof); BOOST_CHECK(verifier_res); -}*/ +} BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { From 29c3bc524937b7d1b5da94fc09df2c5612b2cd01 Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Mon, 7 Mar 2022 15:08:57 +0200 Subject: [PATCH 208/219] redshift verifier (final check fail) #20 --- .../zk/snark/systems/plonk/redshift/proof.hpp | 1 + .../snark/systems/plonk/redshift/prover.hpp | 28 +++- .../snark/systems/plonk/redshift/verifier.hpp | 132 ++++++++++++------ test/systems/plonk/redshift.cpp | 3 +- 4 files changed, 118 insertions(+), 46 deletions(-) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp index 20cba8e28..07168f785 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/proof.hpp @@ -37,6 +37,7 @@ namespace nil { struct redshift_proof { struct evaluation_proof { + typename FieldType::value_type challenge; std::vector witness; std::vector permutation; std::vector quotient; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index a9c4bb35b..4c3f26187 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -79,18 +79,18 @@ namespace nil { typedef list_polynomial_commitment_scheme - commitment_scheme_public_points_type; + commitment_scheme_public_input_type; constexpr static const std::size_t gate_parts = 1; constexpr static const std::size_t permutation_parts = 3; - constexpr static const std::size_t f_parts = 9; + constexpr static const std::size_t f_parts = 4; static inline math::polynomial quotient_polynomial( const typename policy_type::preprocessed_public_data_type preprocessed_public_data, std::array, f_parts> F, fiat_shamir_heuristic_sequential - transcript) { + &transcript) { // 7.1. Get $\alpha_0, \dots, \alpha_8 \in \mathbb{F}$ from $hash(\text{transcript})$ std::array alphas = transcript.template challenges(); @@ -170,7 +170,7 @@ namespace nil { // 4. permutation_argument auto permutation_argument = redshift_permutation_argument::prove_eval(transcript, constraint_system, @@ -207,12 +207,13 @@ namespace nil { for (std::size_t i = 0; i < T_splitted.size(); i++) { T_commitments[i] = commitment_scheme_quotient_type::commit(T_splitted[i], fri_params.D[0]); proof.T_commitments.push_back(T_commitments[i].root()); + transcript(proof.T_commitments[i]); } - // transcript(T_commitments); - // 8. Run evaluation proofs typename FieldType::value_type challenge = transcript.template challenge(); + proof.eval_proof.challenge = challenge; + std::cout<<"P: T(y) = "<get_domain_element(1); @@ -249,6 +250,7 @@ namespace nil { fri_params); proof.eval_proof.permutation.push_back(v_p_evaluation); + // quotient std::array evaluation_points_quotient = {challenge}; std::vector quotient_evaluation( T_splitted.size()); @@ -258,6 +260,20 @@ namespace nil { proof.eval_proof.quotient.push_back(quotient_evaluation[i]); } + math::polynomial t_recalculated = {0}; + math::polynomial base = {1, 0}; + math::polynomial shift = {1, 0}; + for (std::size_t i = 1; i < fri_params.max_degree; i++) { + shift = shift * base; + } + math::polynomial acc = shift; + for (std::size_t i = 0; i < T_splitted.size(); i++) { + t_recalculated = t_recalculated + T_splitted[i] * acc; + acc = acc * shift; + } + + std::cout<<"P: t_recalculated(y) = "< commitment_scheme_quotient_type; + typedef list_polynomial_commitment_scheme + commitment_scheme_public_input_type; + constexpr static const std::size_t gate_parts = 1; constexpr static const std::size_t permutation_parts = 3; - constexpr static const std::size_t f_parts = 9; + constexpr static const std::size_t f_parts = 4; public: - static inline bool process( // const policy_type::verification_key_type &verification_key, - // const policy_type::primary_input_type &primary_input, - const typename policy_type::template proof_type &proof) { // TODO: decsription commitment scheme + commitment_scheme_quotient_type> &proof, + typename policy_type::constraint_system_type &constraint_system, + const typename commitment_scheme_witness_type::fri_type::params_type + &fri_params) { // 1. Add circuit definition to transcript // transcript(short_description); std::vector transcript_init {}; fiat_shamir_heuristic_sequential transcript(transcript_init); + // 3. append witness commitments to transcript for (std::size_t i = 0; i < witness_columns; i++) { transcript(proof.witness_commitments[i]); } - /*std::array permutation_argument = - redshift_permutation_argument::verify_eval( verifier_transcript, preprocessed_data, short_description, y, - proof.witness_evaluation, v_p_at_y, v_p_at_y_shifted, proof.v_perm_commitment); + // 4. prepare evaluaitons of the polynomials that are copy-constrained + std::vector rotation_gates = {0}; + std::vector f(preprocessed_public_data.identity_polynomials.size()); + + for (std::size_t i = 0; i < proof.eval_proof.witness.size(); i++) { + f[i] = proof.eval_proof.witness[i].z[0]; // TODO: organize permutation evaluations inside the proof + } + + for (std::size_t i = 0; i < preprocessed_public_data.public_polynomial_table.size(); i++) { + f[i] = preprocessed_public_data.public_polynomial_table[i].evaluate(proof.eval_proof.challenge); // TODO: add public evaluations to the proof + } + + // 5. permutation argument + std::array permutation_argument = + redshift_permutation_argument::verify_eval(transcript, preprocessed_public_data, + proof.eval_proof.challenge, + f, proof.eval_proof.permutation[0].z[0], proof.eval_proof.permutation[0].z[1], proof.v_perm_commitment); + + // 7. gate argument + typename policy_type::evaluation_map columns_at_y; + for (std::size_t i = 0; i < proof.eval_proof.witness.size(); i++) { + auto key = std::make_tuple(i, plonk_variable::rotation_type::current, + plonk_variable::column_type::witness); + columns_at_y[key] = proof.eval_proof.witness[i].z[0]; + } + std::array gate_argument = + redshift_gates_argument::verify_eval(constraint_system.gates(), preprocessed_public_data.public_polynomial_table, columns_at_y, proof.eval_proof.challenge, + transcript); + + // 8. alphas computations std::array alphas = transcript.template challenges(); - for (std::size_t i = 0; i < N_perm + 2; i++) { + // 9. Evaluation proof check + for (std::size_t i = 0; i < proof.T_commitments.size(); i++) { transcript(proof.T_commitments[i]); } - typename FieldType::value_type upsilon = - transcript.template challenge(); + typename FieldType::value_type challenge = transcript.template challenge(); - std::array fT_evaluation_points = {upsilon}; + if (challenge != proof.eval_proof.challenge) { + std::cout<<"Challenge verification failed"<get_domain_element(1); + + // witnesses + for (std::size_t i = 0; i < proof.eval_proof.witness.size(); i++) { + std::vector rotation_gates = {0}; // TODO: Rotation + std::array + evaluation_points_gates; // TODO: array size with rotation + for (std::size_t i = 0; i < evaluation_points_gates.size(); i++) { + evaluation_points_gates[i] = challenge * omega.pow(rotation_gates[i]); + } + if (!commitment_scheme_witness_type::verify_eval(evaluation_points_gates, proof.eval_proof.witness[i], transcript, fri_params)) { return false; } } - const typename FieldType::value_type omega = algebra::get_root_of_unity(); - std::array PQ_evaluation_points = {upsilon, upsilon * omega}; - if (!lpc::verify_eval(PQ_evaluation_points, proof.P_commitment, proof.P_lpc_proof, ...)) { - return false; - } - if (!lpc::verify_eval(PQ_evaluation_points, proof.Q_commitment, proof.Q_lpc_proof, ...)) { - return false; + // permutation + std::array evaluation_points_permutation = {challenge, + challenge * omega}; + for (std::size_t i = 0; i < proof.eval_proof.permutation.size(); i++) { + if (!commitment_scheme_permutation_type::verify_eval(evaluation_points_permutation, proof.eval_proof.permutation[i], transcript, fri_params)) { + return false; + } } - for (std::size_t i = 0; i < N_perm + 1; i++) { - if (!lpc::verify_eval(fT_evaluation_points, proof.T_commitments[i], proof.T_lpc_proofs[i], - ...)) { + // quotient + std::array evaluation_points_quotient = {challenge}; + for (std::size_t i = 0; i < proof.eval_proof.permutation.size(); i++) { + if (!commitment_scheme_quotient_type::verify_eval(evaluation_points_quotient, proof.eval_proof.quotient[i], transcript, fri_params)) { return false; } } - std::array, f_parts> F; + // 10. final check + std::array F; F[0] = permutation_argument[0]; F[1] = permutation_argument[1]; F[2] = permutation_argument[2]; - F[3] = 0; - - for (std::size_t i = 0; i < N_sel; i++) { - F[3] += q[i] * ....gate[i]; + F[3] = gate_argument[0]; + + typename FieldType::value_type F_consolidated = FieldType::value_type::zero(); + for (std::size_t i = 0; i < f_parts; i++) { + F_consolidated = F_consolidated + alphas[i] * F[i]; } - for (std::size_t i = 0; i < N_const; i++) { - F[3] += verification_key.f_c[i]; + typename FieldType::value_type T_consolidated = FieldType::value_type::zero(); + for (std::size_t i = 0; i < proof.eval_proof.quotient.size(); i++) { + T_consolidated = T_consolidated + proof.eval_proof.quotient[i].z[0] * challenge.pow((fri_params.max_degree + 1) * i); } - math::polynomial T_consolidate; - T_consolidate = consolidate_T(T); + std::cout<<"V: T(y) = "< F_consolidated = 0; - for (std::size_t i = 0; i < f_parts; i++) { - F_consolidated += a[i] * F[i]; + typename FieldType::value_type Z_at_challenge = preprocessed_public_data.Z.evaluate(challenge); + + if (F_consolidated != Z_at_challenge * T_consolidated) { + std::cout<<"F = Z * T failed"<::process(proof); + bool verifier_res = redshift_verifier::process(preprocessed_public_data, proof, + constraint_system, fri_params); BOOST_CHECK(verifier_res); } From 41b887f7a08d228fe45fef71dd8bcf8a2fec38ca Mon Sep 17 00:00:00 2001 From: SK0M0R0H Date: Mon, 7 Mar 2022 19:11:36 +0200 Subject: [PATCH 209/219] split polynomial test --- .../snark/systems/plonk/redshift/prover.hpp | 52 +++++++------------ .../snark/systems/plonk/redshift/verifier.hpp | 4 +- test/systems/plonk/redshift.cpp | 22 ++++++++ 3 files changed, 42 insertions(+), 36 deletions(-) diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 4c3f26187..738647f95 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -43,6 +43,22 @@ namespace nil { namespace zk { namespace snark { + namespace detail { + template + static inline std::vector> + split_polynomial(math::polynomial f, std::size_t max_degree) { + std::size_t parts = ((f.size() - 1) / (max_degree + 1)) + 1; + std::vector> f_splitted; + + std::size_t chunk_size = max_degree + 1; // polynomial contains max_degree + 1 coeffs + for(size_t i = 0; i < f.size(); i += chunk_size) { + auto last = std::min(f.size(), i + chunk_size); + f_splitted.emplace_back(f.begin() + i, f.begin() + last); + } + return f_splitted; + } + } + template class redshift_prover { @@ -107,23 +123,8 @@ namespace nil { return T_consolidated; } - static inline std::vector> - split_polynomial(math::polynomial f, std::size_t max_degree) { - std::size_t parts = ((f.size() - 1) / (max_degree + 1)) + 1; - std::vector> f_splitted(parts); - - std::size_t chunk_size = max_degree + 1; // polynomial contains max_degree + 1 coeffs - for (std::size_t i = 0; i < parts - 1; i++) { - std::copy(f.begin() + i * chunk_size, - f.begin() + (i + 1) * chunk_size - 1, - std::back_inserter(f_splitted[i])); - } - std::copy( - f.begin() + (parts - 1) * chunk_size, f.end(), std::back_inserter(f_splitted[parts - 1])); - return f_splitted; - } - public: + static inline typename policy_type::template proof_type @@ -201,7 +202,7 @@ namespace nil { math::polynomial T = quotient_polynomial(preprocessed_public_data, F, transcript); std::vector> T_splitted = - split_polynomial(T, fri_params.max_degree); + detail::split_polynomial(T, fri_params.max_degree); std::vector T_commitments( T_splitted.size()); for (std::size_t i = 0; i < T_splitted.size(); i++) { @@ -213,7 +214,6 @@ namespace nil { // 8. Run evaluation proofs typename FieldType::value_type challenge = transcript.template challenge(); proof.eval_proof.challenge = challenge; - std::cout<<"P: T(y) = "<get_domain_element(1); @@ -258,21 +258,7 @@ namespace nil { quotient_evaluation[i] = commitment_scheme_quotient_type::proof_eval( evaluation_points_quotient, T_commitments[i], T_splitted[i], transcript, fri_params); proof.eval_proof.quotient.push_back(quotient_evaluation[i]); - } - - math::polynomial t_recalculated = {0}; - math::polynomial base = {1, 0}; - math::polynomial shift = {1, 0}; - for (std::size_t i = 1; i < fri_params.max_degree; i++) { - shift = shift * base; - } - math::polynomial acc = shift; - for (std::size_t i = 0; i < T_splitted.size(); i++) { - t_recalculated = t_recalculated + T_splitted[i] * acc; - acc = acc * shift; - } - - std::cout<<"P: t_recalculated(y) = "< f = {1, 3, 4, 1, 5, 6, 7, 2, 8, 7, 5, 6, 1, 2, 1, 1}; + std::size_t expected_size = 4; + std::size_t max_degree = 3; + + std::vector> f_splitted = + zk::snark::detail::split_polynomial(f, max_degree); + + BOOST_CHECK(f_splitted.size() == expected_size); + + typename FieldType::value_type y = algebra::random_element(); + + typename FieldType::value_type f_at_y = f.evaluate(y); + typename FieldType::value_type f_splitted_at_y = FieldType::value_type::zero(); + for (std::size_t i = 0; i < f_splitted.size(); i++) { + f_splitted_at_y = f_splitted_at_y + f_splitted[i].evaluate(y) * y.pow((max_degree + 1) * i); + } + + BOOST_CHECK(f_at_y == f_splitted_at_y); +} + BOOST_AUTO_TEST_CASE(redshift_lookup_argument_test) { // zk::snark::redshift_preprocessor preprocess; From 82ec38692f9e553be54b7b9c063241d816932742 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Tue, 8 Mar 2022 15:32:44 +0300 Subject: [PATCH 210/219] Repository structure updated. #20 #25 --- .../aggregate.hpp} | 20 +- .../zk/{snark => }/algorithms/generate.hpp | 30 +- .../zk/{snark => }/algorithms/prove.hpp | 44 ++- include/nil/crypto3/zk/algorithms/verify.hpp | 69 +++++ .../element_knowledge_commitment.hpp | 0 .../polynomial}/accumulation_vector.hpp | 6 +- .../accumulators/parameters/offset.hpp | 0 .../polynomial}/accumulators/sparse.hpp | 0 .../polynomial/commitment_scheme.hpp | 44 +++ .../polynomial}/fri.hpp | 8 +- .../polynomial}/knowledge_commitment.hpp | 6 +- .../knowledge_commitment_multiexp.hpp | 6 +- .../polynomial}/kzg.hpp | 4 +- .../polynomial}/lpc.hpp | 8 +- .../polynomial}/pedersen.hpp | 4 +- .../polynomial}/sparse_vector.hpp | 4 +- .../{snark => math}/integer_permutation.hpp | 12 +- .../relations => math}/linear_combination.hpp | 137 +++++----- .../nil/crypto3/zk/math/linear_variable.hpp | 118 ++++++++ .../non_linear_combination.hpp | 10 +- .../relations/plonk => math}/permutation.hpp | 10 +- .../crypto3/zk/snark/algorithms/verify.hpp | 71 ----- include/nil/crypto3/zk/snark/merkle_tree.hpp | 258 ------------------ include/nil/crypto3/zk/snark/proof.hpp | 2 - include/nil/crypto3/zk/snark/proving_key.hpp | 4 - .../crypto3/zk/snark/relations/variable.hpp | 222 --------------- .../systems/plonk/redshift/gates_argument.hpp | 2 +- .../snark/systems/plonk/redshift/params.hpp | 2 +- .../plonk/redshift/permutation_argument.hpp | 4 +- .../snark/systems/plonk/redshift/prover.hpp | 4 +- .../snark/systems/plonk/redshift/verifier.hpp | 2 +- .../zk/snark/transcript/transcript.hpp | 155 ----------- .../zk/{snark => }/transcript/fiat_shamir.hpp | 4 +- .../nil/crypto3/zk/transcript/transcript.hpp | 153 +++++++++++ test/commitment/fri.cpp | 4 +- test/commitment/lpc.cpp | 4 +- test/commitment/lpc_performance.cpp | 4 +- test/systems/plonk/circuits.hpp | 4 +- test/systems/plonk/redshift.cpp | 4 +- test/transcript/transcript.cpp | 2 +- 40 files changed, 553 insertions(+), 892 deletions(-) rename include/nil/crypto3/zk/{snark/algorithms/accumulate.hpp => algorithms/aggregate.hpp} (69%) rename include/nil/crypto3/zk/{snark => }/algorithms/generate.hpp (65%) rename include/nil/crypto3/zk/{snark => }/algorithms/prove.hpp (54%) create mode 100644 include/nil/crypto3/zk/algorithms/verify.hpp rename include/nil/crypto3/zk/{snark/commitments/detail => commitments/detail/polynomial}/element_knowledge_commitment.hpp (100%) rename include/nil/crypto3/zk/{snark => commitments/polynomial}/accumulation_vector.hpp (97%) rename include/nil/crypto3/zk/{snark => commitments/polynomial}/accumulators/parameters/offset.hpp (100%) rename include/nil/crypto3/zk/{snark => commitments/polynomial}/accumulators/sparse.hpp (100%) create mode 100644 include/nil/crypto3/zk/commitments/polynomial/commitment_scheme.hpp rename include/nil/crypto3/zk/{snark/commitments => commitments/polynomial}/fri.hpp (98%) rename include/nil/crypto3/zk/{snark/commitments => commitments/polynomial}/knowledge_commitment.hpp (95%) rename include/nil/crypto3/zk/{snark/commitments => commitments/polynomial}/knowledge_commitment_multiexp.hpp (98%) rename include/nil/crypto3/zk/{snark/commitments => commitments/polynomial}/kzg.hpp (99%) rename include/nil/crypto3/zk/{snark/commitments => commitments/polynomial}/lpc.hpp (98%) rename include/nil/crypto3/zk/{snark/commitments => commitments/polynomial}/pedersen.hpp (96%) rename include/nil/crypto3/zk/{snark => commitments/polynomial}/sparse_vector.hpp (99%) rename include/nil/crypto3/zk/{snark => math}/integer_permutation.hpp (96%) rename include/nil/crypto3/zk/{snark/relations => math}/linear_combination.hpp (63%) create mode 100644 include/nil/crypto3/zk/math/linear_variable.hpp rename include/nil/crypto3/zk/{snark/relations => math}/non_linear_combination.hpp (98%) rename include/nil/crypto3/zk/{snark/relations/plonk => math}/permutation.hpp (93%) delete mode 100644 include/nil/crypto3/zk/snark/algorithms/verify.hpp delete mode 100644 include/nil/crypto3/zk/snark/merkle_tree.hpp delete mode 100644 include/nil/crypto3/zk/snark/relations/variable.hpp delete mode 100644 include/nil/crypto3/zk/snark/transcript/transcript.hpp rename include/nil/crypto3/zk/{snark => }/transcript/fiat_shamir.hpp (99%) create mode 100644 include/nil/crypto3/zk/transcript/transcript.hpp diff --git a/include/nil/crypto3/zk/snark/algorithms/accumulate.hpp b/include/nil/crypto3/zk/algorithms/aggregate.hpp similarity index 69% rename from include/nil/crypto3/zk/snark/algorithms/accumulate.hpp rename to include/nil/crypto3/zk/algorithms/aggregate.hpp index 7c43453d2..f551be28e 100644 --- a/include/nil/crypto3/zk/snark/algorithms/accumulate.hpp +++ b/include/nil/crypto3/zk/algorithms/aggregate.hpp @@ -23,23 +23,21 @@ // SOFTWARE. //---------------------------------------------------------------------------// -#ifndef CRYPTO3_ZK_SNARK_ALGORITHMS_ACCUMULATE_HPP -#define CRYPTO3_ZK_SNARK_ALGORITHMS_ACCUMULATE_HPP +#ifndef CRYPTO3_ZK_SNARK_ALGORITHMS_AGGREGATE_HPP +#define CRYPTO3_ZK_SNARK_ALGORITHMS_AGGREGATE_HPP namespace nil { namespace crypto3 { namespace zk { - namespace snark { - template class ProofRange> - bool aggregate(const typename ProofSystemType::processed_verification_key_type &pvk, - const typename ProofSystemType::primary_input_type &primary_input, - const typename ProofSystemType::proof_type &proof) { + template class ProofRange> + bool aggregate(const typename ProofSystemType::processed_verification_key_type &pvk, + const typename ProofSystemType::primary_input_type &primary_input, + const typename ProofSystemType::proof_type &proof) { - return ProofSystemType::verify(pvk, primary_input, proof); - } - } // namespace snark + return ProofSystemType::verify(pvk, primary_input, proof); + } } // namespace zk } // namespace crypto3 } // namespace nil -#endif // CRYPTO3_ZK_SNARK_ALGORITHMS_HPP +#endif // CRYPTO3_ZK_SNARK_ALGORITHMS_AGGREGATE_HPP diff --git a/include/nil/crypto3/zk/snark/algorithms/generate.hpp b/include/nil/crypto3/zk/algorithms/generate.hpp similarity index 65% rename from include/nil/crypto3/zk/snark/algorithms/generate.hpp rename to include/nil/crypto3/zk/algorithms/generate.hpp index e46a25e03..7c51f7ebd 100644 --- a/include/nil/crypto3/zk/snark/algorithms/generate.hpp +++ b/include/nil/crypto3/zk/algorithms/generate.hpp @@ -30,28 +30,26 @@ namespace nil { namespace crypto3 { namespace zk { - namespace snark { - template - typename ProofSystemType::keypair_type - generate(const typename ProofSystemType::constraint_system_type &constraint_system) { + template + typename ProofSystemType::keypair_type + generate(const typename ProofSystemType::constraint_system_type &constraint_system) { - return ProofSystemType::generate(constraint_system); - } + return ProofSystemType::generate(constraint_system); + } - template - typename ProofSystemType::keypair_type generate(const typename ProofSystemType::circuit_type &circuit) { + template + typename ProofSystemType::keypair_type generate(const typename ProofSystemType::circuit_type &circuit) { - return ProofSystemType::generate(circuit); - } + return ProofSystemType::generate(circuit); + } - template - typename ProofSystemType::srs_pair_type generate(std::size_t num_proofs) { + template + typename ProofSystemType::srs_pair_type generate(std::size_t num_proofs) { - return ProofSystemType::generate(num_proofs); - } - } // namespace snark + return ProofSystemType::generate(num_proofs); + } } // namespace zk } // namespace crypto3 } // namespace nil -#endif // CRYPTO3_ZK_SNARK_ALGORITHMS_HPP +#endif // CRYPTO3_ZK_SNARK_ALGORITHMS_GENERATE_HPP diff --git a/include/nil/crypto3/zk/snark/algorithms/prove.hpp b/include/nil/crypto3/zk/algorithms/prove.hpp similarity index 54% rename from include/nil/crypto3/zk/snark/algorithms/prove.hpp rename to include/nil/crypto3/zk/algorithms/prove.hpp index 8963752bd..7cf869f05 100644 --- a/include/nil/crypto3/zk/snark/algorithms/prove.hpp +++ b/include/nil/crypto3/zk/algorithms/prove.hpp @@ -30,33 +30,31 @@ namespace nil { namespace crypto3 { namespace zk { - namespace snark { - template - typename ProofSystemType::proof_type - prove(const typename ProofSystemType::proving_key_type &pk, - const typename ProofSystemType::primary_input_type &primary_input, - const typename ProofSystemType::auxiliary_input_type &auxiliary_input) { + template + typename ProofSystemType::proof_type + prove(const typename ProofSystemType::proving_key_type &pk, + const typename ProofSystemType::primary_input_type &primary_input, + const typename ProofSystemType::auxiliary_input_type &auxiliary_input) { - return ProofSystemType::prove(pk, primary_input, auxiliary_input); - } + return ProofSystemType::prove(pk, primary_input, auxiliary_input); + } - template - typename ProofSystemType::aggregate_proof_type - prove(const typename ProofSystemType::proving_srs_type &srs, - InputTranscriptIncludeIterator transcript_include_first, - InputTranscriptIncludeIterator transcript_include_last, - InputProofIterator proofs_first, - InputProofIterator proofs_last) { + template + typename ProofSystemType::aggregate_proof_type + prove(const typename ProofSystemType::proving_srs_type &srs, + InputTranscriptIncludeIterator transcript_include_first, + InputTranscriptIncludeIterator transcript_include_last, + InputProofIterator proofs_first, + InputProofIterator proofs_last) { - return ProofSystemType::template prove( - srs, transcript_include_first, transcript_include_last, proofs_first, proofs_last); - } - } // namespace snark + return ProofSystemType::template prove( + srs, transcript_include_first, transcript_include_last, proofs_first, proofs_last); + } } // namespace zk } // namespace crypto3 } // namespace nil -#endif // CRYPTO3_ZK_SNARK_ALGORITHMS_HPP +#endif // CRYPTO3_ZK_SNARK_ALGORITHMS_PROVE_HPP diff --git a/include/nil/crypto3/zk/algorithms/verify.hpp b/include/nil/crypto3/zk/algorithms/verify.hpp new file mode 100644 index 000000000..053d01da2 --- /dev/null +++ b/include/nil/crypto3/zk/algorithms/verify.hpp @@ -0,0 +1,69 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2020-2021 Mikhail Komarov +// Copyright (c) 2020-2021 Nikita Kaskov +// Copyright (c) 2020-2021 Ilias Khairullin +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_SNARK_ALGORITHMS_VERIFY_HPP +#define CRYPTO3_ZK_SNARK_ALGORITHMS_VERIFY_HPP + +namespace nil { + namespace crypto3 { + namespace zk { + template + bool verify(const typename ProofSystemType::verification_key_type &vk, + const typename ProofSystemType::primary_input_type &primary_input, + const typename ProofSystemType::proof_type &proof) { + + return ProofSystemType::verify(vk, primary_input, proof); + } + + template + bool verify(const typename ProofSystemType::processed_verification_key_type &pvk, + const typename ProofSystemType::primary_input_type &primary_input, + const typename ProofSystemType::proof_type &proof) { + + return ProofSystemType::verify(pvk, primary_input, proof); + } + + template + bool verify(const typename ProofSystemType::verification_srs_type &ip_verifier_srs, + const typename ProofSystemType::verification_key_type &pvk, + const InputPrimaryInputRange &public_inputs, + const typename ProofSystemType::aggregate_proof_type &proof, + InputIterator transcript_include_first, + InputIterator transcript_include_last) { + + return ProofSystemType::template verify( + ip_verifier_srs, pvk, public_inputs, proof, transcript_include_first, transcript_include_last); + } + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_SNARK_ALGORITHMS_VERIFY_HPP diff --git a/include/nil/crypto3/zk/snark/commitments/detail/element_knowledge_commitment.hpp b/include/nil/crypto3/zk/commitments/detail/polynomial/element_knowledge_commitment.hpp similarity index 100% rename from include/nil/crypto3/zk/snark/commitments/detail/element_knowledge_commitment.hpp rename to include/nil/crypto3/zk/commitments/detail/polynomial/element_knowledge_commitment.hpp diff --git a/include/nil/crypto3/zk/snark/accumulation_vector.hpp b/include/nil/crypto3/zk/commitments/polynomial/accumulation_vector.hpp similarity index 97% rename from include/nil/crypto3/zk/snark/accumulation_vector.hpp rename to include/nil/crypto3/zk/commitments/polynomial/accumulation_vector.hpp index ea04799ec..c21bcf427 100644 --- a/include/nil/crypto3/zk/snark/accumulation_vector.hpp +++ b/include/nil/crypto3/zk/commitments/polynomial/accumulation_vector.hpp @@ -29,12 +29,12 @@ #include #include -#include +#include namespace nil { namespace crypto3 { namespace zk { - namespace snark { + namespace commitments { /** * An accumulation vector comprises an accumulation value and a sparse vector. @@ -96,7 +96,7 @@ namespace nil { return accumulation_vector(std::move(new_first), std::move(acc_result.second)); } }; - } // namespace snark + } // namespace commitments } // namespace zk } // namespace crypto3 } // namespace nil diff --git a/include/nil/crypto3/zk/snark/accumulators/parameters/offset.hpp b/include/nil/crypto3/zk/commitments/polynomial/accumulators/parameters/offset.hpp similarity index 100% rename from include/nil/crypto3/zk/snark/accumulators/parameters/offset.hpp rename to include/nil/crypto3/zk/commitments/polynomial/accumulators/parameters/offset.hpp diff --git a/include/nil/crypto3/zk/snark/accumulators/sparse.hpp b/include/nil/crypto3/zk/commitments/polynomial/accumulators/sparse.hpp similarity index 100% rename from include/nil/crypto3/zk/snark/accumulators/sparse.hpp rename to include/nil/crypto3/zk/commitments/polynomial/accumulators/sparse.hpp diff --git a/include/nil/crypto3/zk/commitments/polynomial/commitment_scheme.hpp b/include/nil/crypto3/zk/commitments/polynomial/commitment_scheme.hpp new file mode 100644 index 000000000..f11fcc983 --- /dev/null +++ b/include/nil/crypto3/zk/commitments/polynomial/commitment_scheme.hpp @@ -0,0 +1,44 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// Copyright (c) 2022 Ilia Shirobokov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_POLYNOMIAL_COMMITMENT_SCHEME_HPP +#define CRYPTO3_ZK_POLYNOMIAL_COMMITMENT_SCHEME_HPP + +namespace nil { + namespace crypto3 { + namespace zk { + namespace commitments { + + template + struct polynomial { + + }; + } // namespace commitments + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_POLYNOMIAL_COMMITMENT_SCHEME_HPP diff --git a/include/nil/crypto3/zk/snark/commitments/fri.hpp b/include/nil/crypto3/zk/commitments/polynomial/fri.hpp similarity index 98% rename from include/nil/crypto3/zk/snark/commitments/fri.hpp rename to include/nil/crypto3/zk/commitments/polynomial/fri.hpp index 3fca563f0..6f262e062 100644 --- a/include/nil/crypto3/zk/snark/commitments/fri.hpp +++ b/include/nil/crypto3/zk/commitments/polynomial/fri.hpp @@ -37,12 +37,12 @@ #include #include -#include +#include namespace nil { namespace crypto3 { namespace zk { - namespace snark { + namespace commitments { /** * @brief Based on the FRI Commitment description from \[ResShift]. @@ -75,6 +75,8 @@ namespace nil { using field_element_type = nil::crypto3::marshalling::types::field_element, FieldType>; + + using commitment_type = typename merkle_tree_type::value_type; struct params_type { bool operator==(const params_type &rhs) const { @@ -367,7 +369,7 @@ namespace nil { return true; } }; - } // namespace snark + } // namespace commitments } // namespace zk } // namespace crypto3 } // namespace nil diff --git a/include/nil/crypto3/zk/snark/commitments/knowledge_commitment.hpp b/include/nil/crypto3/zk/commitments/polynomial/knowledge_commitment.hpp similarity index 95% rename from include/nil/crypto3/zk/snark/commitments/knowledge_commitment.hpp rename to include/nil/crypto3/zk/commitments/polynomial/knowledge_commitment.hpp index eb887e45d..ca2569e03 100644 --- a/include/nil/crypto3/zk/snark/commitments/knowledge_commitment.hpp +++ b/include/nil/crypto3/zk/commitments/polynomial/knowledge_commitment.hpp @@ -32,7 +32,7 @@ namespace nil { namespace crypto3 { namespace zk { - namespace snark { + namespace commitments { /********************** Knowledge commitment *********************************/ @@ -61,9 +61,9 @@ namespace nil { template using knowledge_commitment_vector = sparse_vector>; - } // namespace snark + } // namespace commitments } // namespace zk } // namespace crypto3 } // namespace nil -#endif // KNOWLEDGE_COMMITMENT_HPP +#endif // CRYPTO3_ZK_KNOWLEDGE_COMMITMENT_HPP diff --git a/include/nil/crypto3/zk/snark/commitments/knowledge_commitment_multiexp.hpp b/include/nil/crypto3/zk/commitments/polynomial/knowledge_commitment_multiexp.hpp similarity index 98% rename from include/nil/crypto3/zk/snark/commitments/knowledge_commitment_multiexp.hpp rename to include/nil/crypto3/zk/commitments/polynomial/knowledge_commitment_multiexp.hpp index 20bb4e970..85859bba8 100644 --- a/include/nil/crypto3/zk/snark/commitments/knowledge_commitment_multiexp.hpp +++ b/include/nil/crypto3/zk/commitments/polynomial/knowledge_commitment_multiexp.hpp @@ -37,12 +37,12 @@ #include -#include +#include namespace nil { namespace crypto3 { namespace zk { - namespace snark { + namespace commitments { template typename knowledge_commitment::value_type @@ -205,7 +205,7 @@ namespace nil { return res; } } - } // namespace snark + } // namespace commitments } // namespace zk } // namespace crypto3 } // namespace nil diff --git a/include/nil/crypto3/zk/snark/commitments/kzg.hpp b/include/nil/crypto3/zk/commitments/polynomial/kzg.hpp similarity index 99% rename from include/nil/crypto3/zk/snark/commitments/kzg.hpp rename to include/nil/crypto3/zk/commitments/polynomial/kzg.hpp index 53233e57e..6df5db950 100644 --- a/include/nil/crypto3/zk/snark/commitments/kzg.hpp +++ b/include/nil/crypto3/zk/commitments/polynomial/kzg.hpp @@ -69,7 +69,7 @@ namespace nil { namespace crypto3 { namespace zk { - namespace snark { + namespace commitments { /// KZGOpening represents the KZG opening of a commitment key (which is a tuple /// given commitment keys are a tuple). template @@ -290,7 +290,7 @@ namespace nil { algebra::final_exponentiation(u1)); } }; - } // namespace snark + } // namespace commitments } // namespace zk } // namespace crypto3 } // namespace nil diff --git a/include/nil/crypto3/zk/snark/commitments/lpc.hpp b/include/nil/crypto3/zk/commitments/polynomial/lpc.hpp similarity index 98% rename from include/nil/crypto3/zk/snark/commitments/lpc.hpp rename to include/nil/crypto3/zk/commitments/polynomial/lpc.hpp index f07f8e11d..0d70e6b3d 100644 --- a/include/nil/crypto3/zk/snark/commitments/lpc.hpp +++ b/include/nil/crypto3/zk/commitments/polynomial/lpc.hpp @@ -33,13 +33,13 @@ #include #include -#include -#include +#include +#include namespace nil { namespace crypto3 { namespace zk { - namespace snark { + namespace commitments { template class pedersen_commitment_scheme { public: @@ -47,7 +47,7 @@ namespace nil { } }; - } // namespace snark + } // namespace commitments } // namespace zk } // namespace crypto3 } // namespace nil diff --git a/include/nil/crypto3/zk/snark/sparse_vector.hpp b/include/nil/crypto3/zk/commitments/polynomial/sparse_vector.hpp similarity index 99% rename from include/nil/crypto3/zk/snark/sparse_vector.hpp rename to include/nil/crypto3/zk/commitments/polynomial/sparse_vector.hpp index 593430486..ded535074 100644 --- a/include/nil/crypto3/zk/snark/sparse_vector.hpp +++ b/include/nil/crypto3/zk/commitments/polynomial/sparse_vector.hpp @@ -38,7 +38,7 @@ namespace nil { namespace crypto3 { namespace zk { - namespace snark { + namespace commitments { /** * A sparse vector is a list of indices along with corresponding values. @@ -251,7 +251,7 @@ namespace nil { return std::make_pair(accumulated_value, resulting_vector); } }; - } // namespace snark + } // namespace commitments } // namespace zk } // namespace crypto3 } // namespace nil diff --git a/include/nil/crypto3/zk/snark/integer_permutation.hpp b/include/nil/crypto3/zk/math/integer_permutation.hpp similarity index 96% rename from include/nil/crypto3/zk/snark/integer_permutation.hpp rename to include/nil/crypto3/zk/math/integer_permutation.hpp index be06c20b0..44fbc836f 100644 --- a/include/nil/crypto3/zk/snark/integer_permutation.hpp +++ b/include/nil/crypto3/zk/math/integer_permutation.hpp @@ -23,8 +23,8 @@ // SOFTWARE. //---------------------------------------------------------------------------// -#ifndef CRYPTO3_ZK_SNARK_INTEGER_PERMUTATION_HPP -#define CRYPTO3_ZK_SNARK_INTEGER_PERMUTATION_HPP +#ifndef CRYPTO3_ZK_MATH_INTEGER_PERMUTATION_HPP +#define CRYPTO3_ZK_MATH_INTEGER_PERMUTATION_HPP #include #include @@ -35,7 +35,8 @@ namespace nil { namespace crypto3 { namespace zk { - namespace snark { + namespace math { + class integer_permutation { private: std::vector contents; /* offset by min_element */ @@ -139,9 +140,10 @@ namespace nil { return std::random_shuffle(contents.begin(), contents.end()); } }; - } // namespace snark + + } // namespace math } // namespace zk } // namespace crypto3 } // namespace nil -#endif // CRYPTO3_ZK_SNARK_INTEGER_PERMUTATION_HPP +#endif // CRYPTO3_ZK_MATH_INTEGER_PERMUTATION_HPP diff --git a/include/nil/crypto3/zk/snark/relations/linear_combination.hpp b/include/nil/crypto3/zk/math/linear_combination.hpp similarity index 63% rename from include/nil/crypto3/zk/snark/relations/linear_combination.hpp rename to include/nil/crypto3/zk/math/linear_combination.hpp index 920e8706f..f034b3755 100644 --- a/include/nil/crypto3/zk/snark/relations/linear_combination.hpp +++ b/include/nil/crypto3/zk/math/linear_combination.hpp @@ -28,22 +28,20 @@ // - a linear combination (i.e., sum_i a_i * x_i). //---------------------------------------------------------------------------// -#ifndef CRYPTO3_ZK_LINEAR_COMBINATION_HPP -#define CRYPTO3_ZK_LINEAR_COMBINATION_HPP +#ifndef CRYPTO3_ZK_MATH_LINEAR_COMBINATION_HPP +#define CRYPTO3_ZK_MATH_LINEAR_COMBINATION_HPP #include -#include - namespace nil { namespace crypto3 { namespace zk { - namespace snark { + namespace math { /** * Forward declaration. */ - template + template struct linear_combination; /****************************** Linear term **********************************/ @@ -51,22 +49,16 @@ namespace nil { /** * A linear term represents a formal expression of the form "coeff * x_{index}". */ - template - class linear_term; - - template - class linear_term { - typedef FieldType field_type; - typedef typename field_type::value_type field_value_type; - - constexpr static const bool RotationSupport = false; + template + class linear_term { + typedef typename VariableType::value_type field_value_type; public: - typename variable::index_type index; + std::size_t index; field_value_type coeff; linear_term() {}; - linear_term(const variable &var) : index(var.index), coeff(field_value_type::one()) { + linear_term(const VariableType &var) : index(var.index), coeff(field_value_type::one()) { } linear_term operator*(const field_value_type &field_coeff) const { @@ -75,13 +67,13 @@ namespace nil { return result; } - // linear_combination operator+( - // const linear_combination &other) const { - // return linear_combination(*this) + other; + // linear_combination operator+( + // const linear_combination &other) const { + // return linear_combination(*this) + other; // } - // linear_combination operator-( - // const linear_combination &other) const { + // linear_combination operator-( + // const linear_combination &other) const { // return (*this) + (-other); // } @@ -94,24 +86,24 @@ namespace nil { } }; - template - linear_term operator*(const typename FieldType::value_type &field_coeff, - const linear_term <) { + template + linear_term operator*(const typename VariableType::value_type &field_coeff, + const linear_term <) { return lt * field_coeff; } - // template - // linear_combination operator+(const typename FieldType::value_type + // template + // linear_combination operator+(const typename VariableType::value_type // &field_coeff, - // const linear_term <) { - // return linear_combination(field_coeff) + lt; + // const linear_term <) { + // return linear_combination(field_coeff) + lt; // } - // template - // linear_combination operator-(const typename FieldType::value_type + // template + // linear_combination operator-(const typename VariableType::value_type // &field_coeff, - // const linear_term <) { - // return linear_combination(field_coeff) - lt; + // const linear_term <) { + // return linear_combination(field_coeff) - lt; // } /***************************** Linear combination ****************************/ @@ -119,27 +111,26 @@ namespace nil { /** * A linear combination represents a formal expression of the form "sum_i coeff_i * x_{index_i}". */ - template - class linear_combination { - typedef FieldType field_type; - typedef typename field_type::value_type field_value_type; + template + class linear_combination { + typedef typename VariableType::value_type field_value_type; constexpr static const bool RotationSupport = false; public: - std::vector> terms; + std::vector> terms; linear_combination() {}; linear_combination(const field_value_type &field_coeff) { - this->add_term(linear_term(0) * field_coeff); + this->add_term(linear_term(0) * field_coeff); } - linear_combination(const variable &var) { + linear_combination(const VariableType &var) { this->add_term(var); } - linear_combination(const linear_term <) { + linear_combination(const linear_term <) { this->add_term(lt); } - linear_combination(const std::vector> &all_terms) { + linear_combination(const std::vector> &all_terms) { if (all_terms.empty()) { return; } @@ -147,7 +138,7 @@ namespace nil { terms = all_terms; std::sort( terms.begin(), terms.end(), - [](linear_term a, linear_term b) { + [](linear_term a, linear_term b) { return a.index < b.index; }); @@ -163,22 +154,22 @@ namespace nil { } /* for supporting range-based for loops over linear_combination */ - typename std::vector>::const_iterator begin() const { + typename std::vector>::const_iterator begin() const { return terms.begin(); } - typename std::vector>::const_iterator end() const { + typename std::vector>::const_iterator end() const { return terms.end(); } - void add_term(const variable &var) { - this->terms.emplace_back(linear_term(var)); + void add_term(const VariableType &var) { + this->terms.emplace_back(linear_term(var)); } - void add_term(const variable &var, + void add_term(const VariableType &var, const field_value_type &field_coeff) { - this->terms.emplace_back(linear_term(var) * field_coeff); + this->terms.emplace_back(linear_term(var) * field_coeff); } - void add_term(const linear_term <) { + void add_term(const linear_term <) { this->terms.emplace_back(lt); } @@ -192,7 +183,7 @@ namespace nil { linear_combination operator*(const field_value_type &field_coeff) const { linear_combination result; result.terms.reserve(this->terms.size()); - for (const linear_term < : this->terms) { + for (const linear_term < : this->terms) { result.terms.emplace_back(lt * field_coeff); } return result; @@ -215,8 +206,8 @@ namespace nil { ++it2; } else { /* it1->index == it2->index */ - result.terms.emplace_back(linear_term( - variable(it1->index)) * + result.terms.emplace_back(linear_term( + VariableType(it1->index)) * (it1->coeff + it2->coeff)); ++it1; ++it2; @@ -240,17 +231,17 @@ namespace nil { bool operator==(const linear_combination &other) const { - std::vector> thisterms = this->terms; + std::vector> thisterms = this->terms; std::sort( thisterms.begin(), thisterms.end(), - [](linear_term a, linear_term b) { + [](linear_term a, linear_term b) { return a.index < b.index; }); - std::vector> otherterms = other.terms; + std::vector> otherterms = other.terms; std::sort( otherterms.begin(), otherterms.end(), - [](linear_term a, linear_term b) { + [](linear_term a, linear_term b) { return a.index < b.index; }); @@ -275,29 +266,29 @@ namespace nil { } }; - template - linear_combination - operator*(const typename FieldType::value_type &field_coeff, - const linear_combination &lc) { + template + linear_combination + operator*(const typename VariableType::value_type &field_coeff, + const linear_combination &lc) { return lc * field_coeff; } - template - linear_combination - operator+(const typename FieldType::value_type &field_coeff, - const linear_combination &lc) { - return linear_combination(field_coeff) + lc; + template + linear_combination + operator+(const typename VariableType::value_type &field_coeff, + const linear_combination &lc) { + return linear_combination(field_coeff) + lc; } - template - linear_combination - operator-(const typename FieldType::value_type &field_coeff, - const linear_combination &lc) { - return linear_combination(field_coeff) - lc; + template + linear_combination + operator-(const typename VariableType::value_type &field_coeff, + const linear_combination &lc) { + return linear_combination(field_coeff) - lc; } - } // namespace snark + } // namespace math } // namespace zk } // namespace crypto3 } // namespace nil -#endif // CRYPTO3_ZK_LINEAR_COMBINATION_HPP +#endif // CRYPTO3_ZK_MATH_LINEAR_COMBINATION_HPP diff --git a/include/nil/crypto3/zk/math/linear_variable.hpp b/include/nil/crypto3/zk/math/linear_variable.hpp new file mode 100644 index 000000000..246ce2723 --- /dev/null +++ b/include/nil/crypto3/zk/math/linear_variable.hpp @@ -0,0 +1,118 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2020-2021 Mikhail Komarov +// Copyright (c) 2020-2021 Nikita Kaskov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// +// @file Declaration of interfaces for: +// - a linear_variable (i.e., x_i) +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_MATH_LINEAR_VARIABLE_HPP +#define CRYPTO3_ZK_MATH_LINEAR_VARIABLE_HPP + +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace math { + + /** + * Forward declaration. + */ + template + struct linear_term; + + /** + * Forward declaration. + */ + template + struct linear_combination; + + /********************************* Variable **********************************/ + + /** + * A variable represents a formal expression of the form "x_{index}". + */ + template + class linear_variable { + + using variable_type = linear_variable; + public: + + std::size_t index; + + linear_variable(const std::size_t index = 0) : index(index) {}; + + linear_term + operator*(const typename FieldType::value_type &field_coeff) const { + return linear_term(*this) * field_coeff; + } + + linear_combination + operator+(const linear_combination &other) const { + linear_combination result; + + result.add_term(*this); + result.terms.insert(result.terms.begin(), other.terms.begin(), other.terms.end()); + + return result; + } + + linear_combination + operator-(const linear_combination &other) const { + return (*this) + (-other); + } + + linear_term operator-() const { + return linear_term(*this) * (-FieldType::value_type::one()); + } + + bool operator==(const linear_variable &other) const { + return (this->index == other.index); + } + }; + + template + linear_term> operator*(const typename FieldType::value_type &field_coeff, + const linear_variable &var) { + return var * field_coeff; + } + + template + linear_combination> operator+(const typename FieldType::value_type &field_coeff, + const linear_variable &var) { + return var + field_coeff; + } + + template + linear_combination> operator-(const typename FieldType::value_type &field_coeff, + const linear_variable &var) { + return linear_combination>(field_coeff) - var; + } + + } // namespace math + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_MATH_LINEAR_VARIABLE_HPP diff --git a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp b/include/nil/crypto3/zk/math/non_linear_combination.hpp similarity index 98% rename from include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp rename to include/nil/crypto3/zk/math/non_linear_combination.hpp index d559e07ce..14a4c13e9 100644 --- a/include/nil/crypto3/zk/snark/relations/non_linear_combination.hpp +++ b/include/nil/crypto3/zk/math/non_linear_combination.hpp @@ -28,15 +28,15 @@ // - a linear combination (i.e., sum_i a_i * x_i). //---------------------------------------------------------------------------// -#ifndef CRYPTO3_ZK_NON_LINEAR_COMBINATION_HPP -#define CRYPTO3_ZK_NON_LINEAR_COMBINATION_HPP +#ifndef CRYPTO3_ZK_MATH_NON_LINEAR_COMBINATION_HPP +#define CRYPTO3_ZK_MATH_NON_LINEAR_COMBINATION_HPP #include namespace nil { namespace crypto3 { namespace zk { - namespace snark { + namespace math { /** * Forward declaration. @@ -333,9 +333,9 @@ namespace nil { const non_linear_term &term) { return lc - non_linear_combination(term); } - } // namespace snark + } // namespace math } // namespace zk } // namespace crypto3 } // namespace nil -#endif // CRYPTO3_ZK_NON_LINEAR_COMBINATION_HPP +#endif // CRYPTO3_ZK_MATH_NON_LINEAR_COMBINATION_HPP diff --git a/include/nil/crypto3/zk/snark/relations/plonk/permutation.hpp b/include/nil/crypto3/zk/math/permutation.hpp similarity index 93% rename from include/nil/crypto3/zk/snark/relations/plonk/permutation.hpp rename to include/nil/crypto3/zk/math/permutation.hpp index c5e470ef8..4a16decab 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/permutation.hpp +++ b/include/nil/crypto3/zk/math/permutation.hpp @@ -24,13 +24,13 @@ // SOFTWARE. //---------------------------------------------------------------------------// -#ifndef CRYPTO3_ZK_PLONK_PERMUTATION_HPP -#define CRYPTO3_ZK_PLONK_PERMUTATION_HPP +#ifndef CRYPTO3_ZK_MATH_PLONK_PERMUTATION_HPP +#define CRYPTO3_ZK_MATH_PLONK_PERMUTATION_HPP namespace nil { namespace crypto3 { namespace zk { - namespace snark { + namespace math { struct plonk_permutation { typedef std::pair key_type; @@ -64,9 +64,9 @@ namespace nil { } }; - } // namespace snark + } // namespace math } // namespace zk } // namespace crypto3 } // namespace nil -#endif // CRYPTO3_ZK_PLONK_PERMUTATION_HPP \ No newline at end of file +#endif // CRYPTO3_ZK_MATH_PLONK_PERMUTATION_HPP \ No newline at end of file diff --git a/include/nil/crypto3/zk/snark/algorithms/verify.hpp b/include/nil/crypto3/zk/snark/algorithms/verify.hpp deleted file mode 100644 index cedb51c28..000000000 --- a/include/nil/crypto3/zk/snark/algorithms/verify.hpp +++ /dev/null @@ -1,71 +0,0 @@ -//---------------------------------------------------------------------------// -// Copyright (c) 2020-2021 Mikhail Komarov -// Copyright (c) 2020-2021 Nikita Kaskov -// Copyright (c) 2020-2021 Ilias Khairullin -// -// MIT License -// -// Permission is hereby granted, free of charge, to any person obtaining a copy -// of this software and associated documentation files (the "Software"), to deal -// in the Software without restriction, including without limitation the rights -// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -// copies of the Software, and to permit persons to whom the Software is -// furnished to do so, subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -// SOFTWARE. -//---------------------------------------------------------------------------// - -#ifndef CRYPTO3_ZK_SNARK_ALGORITHMS_VERIFY_HPP -#define CRYPTO3_ZK_SNARK_ALGORITHMS_VERIFY_HPP - -namespace nil { - namespace crypto3 { - namespace zk { - namespace snark { - template - bool verify(const typename ProofSystemType::verification_key_type &vk, - const typename ProofSystemType::primary_input_type &primary_input, - const typename ProofSystemType::proof_type &proof) { - - return ProofSystemType::verify(vk, primary_input, proof); - } - - template - bool verify(const typename ProofSystemType::processed_verification_key_type &pvk, - const typename ProofSystemType::primary_input_type &primary_input, - const typename ProofSystemType::proof_type &proof) { - - return ProofSystemType::verify(pvk, primary_input, proof); - } - - template - bool verify(const typename ProofSystemType::verification_srs_type &ip_verifier_srs, - const typename ProofSystemType::verification_key_type &pvk, - const InputPrimaryInputRange &public_inputs, - const typename ProofSystemType::aggregate_proof_type &proof, - InputIterator transcript_include_first, - InputIterator transcript_include_last) { - - return ProofSystemType::template verify( - ip_verifier_srs, pvk, public_inputs, proof, transcript_include_first, transcript_include_last); - } - } // namespace snark - } // namespace zk - } // namespace crypto3 -} // namespace nil - -#endif // CRYPTO3_ZK_SNARK_ALGORITHMS_HPP diff --git a/include/nil/crypto3/zk/snark/merkle_tree.hpp b/include/nil/crypto3/zk/snark/merkle_tree.hpp deleted file mode 100644 index bc23de19c..000000000 --- a/include/nil/crypto3/zk/snark/merkle_tree.hpp +++ /dev/null @@ -1,258 +0,0 @@ -//---------------------------------------------------------------------------// -// Copyright (c) 2018-2021 Mikhail Komarov -// Copyright (c) 2020-2021 Nikita Kaskov -// -// MIT License -// -// Permission is hereby granted, free of charge, to any person obtaining a copy -// of this software and associated documentation files (the "Software"), to deal -// in the Software without restriction, including without limitation the rights -// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -// copies of the Software, and to permit persons to whom the Software is -// furnished to do so, subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -// SOFTWARE. -//---------------------------------------------------------------------------// - -#ifndef CRYPTO3_ZK_SNARK_MERKLE_TREE_HPP -#define CRYPTO3_ZK_SNARK_MERKLE_TREE_HPP - -#include -#include -#include - -namespace nil { - namespace crypto3 { - namespace zk { - namespace snark { - template - typename Hash::digest_type two_to_one_CRH(const typename Hash::digest_type &l, - const typename Hash::digest_type &r) { - typename Hash::digest_type new_input; - new_input.insert(new_input.end(), l.begin(), l.end()); - new_input.insert(new_input.end(), r.begin(), r.end()); - - const std::size_t digest_size = Hash::get_digest_len(); - assert(l.size() == digest_size); - assert(r.size() == digest_size); - - return Hash::get_hash(new_input); - } - - /** - * A Merkle tree is maintained as two maps: - * - a map from addresses to values, and - * - a map from addresses to hashes. - * - * The second map maintains the intermediate hashes of a Merkle tree - * built atop the values currently stored in the tree (the - * implementation admits a very efficient support for sparse - * trees). Besides offering methods to load and store values, the - * class offers methods to retrieve the root of the Merkle tree and to - * obtain the authentication paths for (the value at) a given address. - */ - - typedef std::vector merkle_authentication_node; - typedef std::vector merkle_authentication_path; - - template - struct merkle_tree { - typedef typename Hash::digest_type digest_type; - typedef typename Hash::merkle_authentication_path_type merkle_authentication_path_type; - - constexpr static const std::size_t base_arity = BaseArity; - constexpr static const std::size_t sub_tree_arity = SubTreeArity; - constexpr static const std::size_t top_tree_arity = TopTreeArity; - - std::vector hash_defaults; - std::map> values; - std::map hashes; - - std::size_t depth; - std::size_t value_size; - std::size_t digest_size; - - merkle_tree(const std::size_t depth, const std::size_t value_size) : - depth(depth), value_size(value_size) { - assert(depth < sizeof(std::size_t) * 8); - - digest_size = Hash::digest_bits; - assert(value_size <= digest_size); - - digest_type last; - hash_defaults.reserve(depth + 1); - hash_defaults.emplace_back(last); - for (std::size_t i = 0; i < depth; ++i) { - last = two_to_one_CRH(last, last); - hash_defaults.emplace_back(last); - } - - std::reverse(hash_defaults.begin(), hash_defaults.end()); - } - merkle_tree(const std::size_t depth, const std::size_t value_size, - const std::vector> &contents_as_vector) : - merkle_tree(depth, value_size) { - assert(static_cast(std::ceil(std::log2(contents_as_vector.size()))) <= depth); - for (std::size_t address = 0; address < contents_as_vector.size(); ++address) { - const std::size_t idx = address + (1ul << depth) - 1; - values[idx] = contents_as_vector[address]; - hashes[idx] = contents_as_vector[address]; - hashes[idx].resize(digest_size); - } - - std::size_t idx_begin = (1ul << depth) - 1; - std::size_t idx_end = contents_as_vector.size() + ((1ul << depth) - 1); - - for (int layer = depth; layer > 0; --layer) { - for (std::size_t idx = idx_begin; idx < idx_end; idx += 2) { - digest_type l = - hashes[idx]; // this is sound, because idx_begin is always a left child - digest_type r = (idx + 1 < idx_end ? hashes[idx + 1] : hash_defaults[layer]); - - digest_type h = two_to_one_CRH(l, r); - hashes[(idx - 1) / 2] = h; - } - - idx_begin = (idx_begin - 1) / 2; - idx_end = (idx_end - 1) / 2; - } - } - - merkle_tree(size_t depth, std::size_t value_size, - const std::map> &contents) : - merkle_tree(depth, value_size) { - - if (!contents.empty()) { - assert(contents.rbegin()->first < 1ul << depth); - - for (const auto &content : contents) { - const std::size_t address = content.first; - const std::vector value = content.second; - const std::size_t idx = address + (1ul << depth) - 1; - - values[address] = value; - hashes[idx] = value; - hashes[idx].resize(digest_size); - } - - auto last_it = hashes.end(); - - for (int layer = depth; layer > 0; --layer) { - auto next_last_it = hashes.begin(); - - for (auto it = hashes.begin(); it != last_it; ++it) { - const std::size_t idx = it->first; - const digest_type hash = it->second; - - if (idx % 2 == 0) { - // this is the right child of its parent and by invariant we are missing the - // left child - hashes[(idx - 1) / 2] = two_to_one_CRH(hash_defaults[layer], hash); - } else { - if (std::next(it) == last_it || std::next(it)->first != idx + 1) { - // this is the left child of its parent and is missing its right child - hashes[(idx - 1) / 2] = two_to_one_CRH(hash, hash_defaults[layer]); - } else { - // typical case: this is the left child of the parent and adjacent to it - // there is a right child - hashes[(idx - 1) / 2] = two_to_one_CRH(hash, std::next(it)->second); - ++it; - } - } - } - - last_it = next_last_it; - } - } - } - - std::vector get_value(const std::size_t address) const { - assert(static_cast(std::ceil(std::log2(address))) <= depth); - - auto it = values.find(address); - std::vector padded_result = - (it == values.end() ? std::vector(digest_size) : it->second); - padded_result.resize(value_size); - - return padded_result; - } - void set_value(const std::size_t address, const std::vector &value) { - assert(static_cast(std::ceil(std::log2(address))) <= depth); - std::size_t idx = address + (1ul << depth) - 1; - - assert(value.size() == value_size); - values[address] = value; - hashes[idx] = value; - hashes[idx].resize(digest_size); - - for (int layer = depth - 1; layer >= 0; --layer) { - idx = (idx - 1) / 2; - - auto it = hashes.find(2 * idx + 1); - digest_type l = (it == hashes.end() ? hash_defaults[layer + 1] : it->second); - - it = hashes.find(2 * idx + 2); - digest_type r = (it == hashes.end() ? hash_defaults[layer + 1] : it->second); - - digest_type h = two_to_one_CRH(l, r); - hashes[idx] = h; - } - } - - digest_type get_root() const { - auto it = hashes.find(0); - return (it == hashes.end() ? hash_defaults[0] : it->second); - } - merkle_authentication_path_type get_path(const std::size_t address) const { - typename Hash::merkle_authentication_path_type result(depth); - assert(static_cast(std::ceil(std::log2(address))) <= depth); - std::size_t idx = address + (1ul << depth) - 1; - - for (std::size_t layer = depth; layer > 0; --layer) { - std::size_t sibling_idx = ((idx + 1) ^ 1) - 1; - auto it = hashes.find(sibling_idx); - if (layer == depth) { - auto it2 = values.find(sibling_idx - ((1ul << depth) - 1)); - result[layer - 1] = - (it2 == values.end() ? std::vector(value_size, false) : it2->second); - result[layer - 1].resize(digest_size); - } else { - result[layer - 1] = (it == hashes.end() ? hash_defaults[layer] : it->second); - } - - idx = (idx - 1) / 2; - } - - return result; - } - - void dump() const { - for (std::size_t i = 0; i < 1ul << depth; ++i) { - auto it = values.find(i); - printf("[%zu] -> ", i); - const std::vector value = - (it == values.end() ? std::vector(value_size) : it->second); - for (bool b : value) { - printf("%d", b ? 1 : 0); - } - printf("\n"); - } - printf("\n"); - } - }; - } // namespace snark - } // namespace zk - } // namespace crypto3 -} // namespace nil - -#endif // CRYPTO3_ZK_SNARK_MERKLE_TREE_HPP diff --git a/include/nil/crypto3/zk/snark/proof.hpp b/include/nil/crypto3/zk/snark/proof.hpp index d326e6bfe..549e9eb04 100644 --- a/include/nil/crypto3/zk/snark/proof.hpp +++ b/include/nil/crypto3/zk/snark/proof.hpp @@ -25,8 +25,6 @@ #ifndef CRYPTO3_ZK_SNARK_PROOF_HPP #define CRYPTO3_ZK_SNARK_PROOF_HPP -#include - #include namespace nil { diff --git a/include/nil/crypto3/zk/snark/proving_key.hpp b/include/nil/crypto3/zk/snark/proving_key.hpp index 55483b1dd..510fc0746 100644 --- a/include/nil/crypto3/zk/snark/proving_key.hpp +++ b/include/nil/crypto3/zk/snark/proving_key.hpp @@ -25,10 +25,6 @@ #ifndef CRYPTO3_ZK_SNARK_PROVING_KEY_HPP #define CRYPTO3_ZK_SNARK_PROVING_KEY_HPP -#include - -#include - namespace nil { namespace crypto3 { namespace zk { diff --git a/include/nil/crypto3/zk/snark/relations/variable.hpp b/include/nil/crypto3/zk/snark/relations/variable.hpp deleted file mode 100644 index b8a6aa0a8..000000000 --- a/include/nil/crypto3/zk/snark/relations/variable.hpp +++ /dev/null @@ -1,222 +0,0 @@ -//---------------------------------------------------------------------------// -// Copyright (c) 2020-2021 Mikhail Komarov -// Copyright (c) 2020-2021 Nikita Kaskov -// -// MIT License -// -// Permission is hereby granted, free of charge, to any person obtaining a copy -// of this software and associated documentation files (the "Software"), to deal -// in the Software without restriction, including without limitation the rights -// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -// copies of the Software, and to permit persons to whom the Software is -// furnished to do so, subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -// SOFTWARE. -//---------------------------------------------------------------------------// -// @file Declaration of interfaces for: -// - a variable (i.e., x_i), -// - a linear term (i.e., a_i * x_i), and -// - a linear combination (i.e., sum_i a_i * x_i). -//---------------------------------------------------------------------------// - -#ifndef CRYPTO3_ZK_VARIABLE_HPP -#define CRYPTO3_ZK_VARIABLE_HPP - -#include - -namespace nil { - namespace crypto3 { - namespace zk { - namespace snark { - - /** - * Forward declaration. - */ - template - struct linear_term; - - /** - * Forward declaration. - */ - template - struct linear_combination; - - /********************************* Variable **********************************/ - - template - struct variable; - - /** - * A variable represents a formal expression of the form "x_{index}". - */ - template - class variable { - - constexpr static const bool RotationSupport = false; - - public: - /** - * Mnemonic typedefs. - */ - typedef std::size_t index_type; - index_type index; - - variable(const index_type index = 0) : index(index) {}; - - linear_term - operator*(const typename FieldType::value_type &field_coeff) const { - return linear_term(*this) * field_coeff; - } - - linear_combination - operator+(const linear_combination &other) const { - linear_combination result; - - result.add_term(*this); - result.terms.insert(result.terms.begin(), other.terms.begin(), other.terms.end()); - - return result; - } - - linear_combination - operator-(const linear_combination &other) const { - return (*this) + (-other); - } - - linear_term operator-() const { - return linear_term(*this) * (-FieldType::value_type::one()); - } - - bool operator==(const variable &other) const { - return (this->index == other.index); - } - }; - - template - linear_term operator*(const typename FieldType::value_type &field_coeff, - const variable &var) { - return var * field_coeff; - } - - template - linear_combination operator+(const typename FieldType::value_type &field_coeff, - const variable &var) { - return var + field_coeff; - } - - template - linear_combination operator-(const typename FieldType::value_type &field_coeff, - const variable &var) { - return linear_combination(field_coeff) - var; - } - - /** - * Forward declaration. - */ - template - struct non_linear_term; - - /** - * Forward declaration. - */ - template - struct non_linear_combination; - - /** - * A variable represents a formal expression of the form "w^{wire_index}_{rotation}". - */ - template - class variable { - - constexpr static const bool RotationSupport = true; - - public: - /** - * Mnemonic typedefs. - */ - enum rotation_type { pre_previous = -2, previous, current, next, after_next }; - std::size_t wire_index; - rotation_type rotation; - - constexpr variable(const std::size_t wire_index, rotation_type rotation) : - wire_index(wire_index), rotation(rotation) {}; - - non_linear_term operator^(const std::size_t power) const { - return non_linear_term(*this) ^ power; - } - - non_linear_term - operator*(const typename FieldType::value_type &field_coeff) const { - return non_linear_term(*this) * field_coeff; - } - - non_linear_term operator*(const variable &other) const { - return non_linear_term(*this) * other; - } - - non_linear_combination - operator+(const non_linear_combination &other) const { - non_linear_combination result(other); - - result.add_term(*this); - - return result; - } - - non_linear_combination - operator-(const non_linear_combination &other) const { - return (*this) + (-other); - } - - non_linear_combination - operator-(const typename FieldType::value_type &field_val) const { - return (*this) - non_linear_combination(field_val); - } - - non_linear_term operator-() const { - return non_linear_term(*this) * (-FieldType::value_type::one()); - } - - bool operator==(const variable &other) const { - return ((this->wire_index == other.wire_index) && (this->rotation == other.rotation)); - } - - bool operator<(const variable &other) const { - return ((this->wire_index < other.wire_index) || - ((this->wire_index == other.wire_index) && (this->rotation < other.rotation))); - } - }; - - template - non_linear_term operator*(const typename FieldType::value_type &field_coeff, - const variable &var) { - return var * field_coeff; - } - - template - non_linear_combination operator+(const typename FieldType::value_type &field_val, - const variable &var) { - return var + field_val; - } - - template - non_linear_combination operator-(const typename FieldType::value_type &field_val, - const variable &var) { - return (-var) + field_val; - } - - } // namespace snark - } // namespace zk - } // namespace crypto3 -} // namespace nil - -#endif // CRYPTO3_ZK_VARIABLE_HPP diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp index 3d2cd486d..360833cd6 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp @@ -36,7 +36,7 @@ #include -#include +#include #include #include #include diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp index 33b2f80f3..b39e76fc8 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp @@ -27,7 +27,7 @@ #ifndef CRYPTO3_ZK_PLONK_REDSHIFT_PARAMS_HPP #define CRYPTO3_ZK_PLONK_REDSHIFT_PARAMS_HPP -#include +#include namespace nil { namespace crypto3 { diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp index 10ec2aad3..3f480a6c0 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp @@ -36,8 +36,8 @@ #include -#include -#include +#include +#include #include #include diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 738647f95..016349aec 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -31,8 +31,8 @@ #include -#include -#include +#include +#include #include "nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp" #include #include diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp index 4360f197e..cf83f0988 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp @@ -29,7 +29,7 @@ #include -#include +#include #include #include "nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp" #include diff --git a/include/nil/crypto3/zk/snark/transcript/transcript.hpp b/include/nil/crypto3/zk/snark/transcript/transcript.hpp deleted file mode 100644 index 260de2573..000000000 --- a/include/nil/crypto3/zk/snark/transcript/transcript.hpp +++ /dev/null @@ -1,155 +0,0 @@ -//---------------------------------------------------------------------------// -// Copyright (c) 2021 Mikhail Komarov -// Copyright (c) 2021 Nikita Kaskov -// -// MIT License -// -// Permission is hereby granted, free of charge, to any person obtaining a copy -// of this software and associated documentation files (the "Software"), to deal -// in the Software without restriction, including without limitation the rights -// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -// copies of the Software, and to permit persons to whom the Software is -// furnished to do so, subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -// SOFTWARE. -//---------------------------------------------------------------------------// - -#ifndef CRYPTO3_ZK_TRANSCRIPT_HPP -#define CRYPTO3_ZK_TRANSCRIPT_HPP - -namespace nil { - namespace crypto3 { - namespace zk { - namespace snark { - - /*! - * @brief Transcript policy. Assumed to be inherited by particular algorithms. - * @tparam TManifest Transcript Manifest in the following form: - * - * - * class transcript_manifest { - * - * std::size_t gammas_amount = 5; - * - * public: - * enum challenges_ids{ - * alpha, - * beta, - * gamma = 10, - * delta = gamma + gammas_amount, - * epsilon - * } - * - * typedef std::tuple<...> challenges; - * typedef std::tuple<...> processors; - * }; - * - * In the case above we have following list of challenges: (\alpha, \beta, - * \gamma_0, \gamma_1, \gamma_2, \gamma_3, \gamma_4, \delta, \varepsilon) - * - */ - template - class transcript { - - typename TManifest::challenges challenges; - - std::size_t next_challenge_id = 0; - - public: - transcript() { - } - - transcript(std::tuple<> in_challenges) : challenges(in_challenges) { - } - - /*! - * @brief For ordinary challenges. \alpha - * @tparam ChallengeId Ordinary challenge ID. In the example above it's \alpha. - * - */ - template - bool set_challenge(std::tuple_element value) { - std::get(challenges) = value; - - return (ChallengeId == next_challenge_id++); - } - - /*! - * @brief For indexed challenges. (\alpha_0, ..., \alpha_n) - * @tparam ChallengeId Indexed challenge ID. In the example above it's \alpha. - * @tparam Index Index of the particular challenge. In the example above it's \alpha_i. - * - */ - template - bool set_challenge( - std::tuple_element> - value) { - std::get(std::get(challenges)) = value; - - return (ChallengeId + Index == next_challenge_id++); - } - - /*! - * @brief For ordinary challenges. \alpha - * @tparam ChallengeId Ordinary challenge ID. In the example above it's \alpha. - * - */ - template - std::tuple_element get_challenge() const { - return std::get(challenges); - } - - /*! - * @brief For indexed challenges. (\alpha_0, ..., \alpha_n) - * @tparam ChallengeId Indexed challenge ID. In the example above it's \alpha. - * @tparam Index Index of the particular challenge. In the example above it's \alpha_i. - * - */ - template - std::tuple_element> - get_challenge() const { - return std::get(std::get(challenges)); - } - - /*! - * @brief For ordinary challenges. \alpha - * @tparam ChallengeId Ordinary challenge ID. In the example above it's \alpha. - * - */ - template - std::tuple_element::result_type - get_challenge_result() { - return std::tuple_element( - get_challenge()); - } - - /*! - * @brief For indexed challenges. (\alpha_0, ..., \alpha_n) - * @tparam ChallengeId Indexed challenge ID. In the example above it's \alpha. - * @tparam Index Index of the particular challenge. In the example above it's \alpha_i. - * - */ - template - std::tuple_element>::result_type - get_challenge_result() { - return std::tuple_element>( - get_challenge()); - } - }; - } // namespace snark - } // namespace zk - } // namespace crypto3 -} // namespace nil - -#endif // CRYPTO3_ZK_TRANSCRIPT_HPP diff --git a/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp b/include/nil/crypto3/zk/transcript/fiat_shamir.hpp similarity index 99% rename from include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp rename to include/nil/crypto3/zk/transcript/fiat_shamir.hpp index 9f19077f2..93f6c3b68 100644 --- a/include/nil/crypto3/zk/snark/transcript/fiat_shamir.hpp +++ b/include/nil/crypto3/zk/transcript/fiat_shamir.hpp @@ -39,7 +39,7 @@ namespace nil { namespace crypto3 { namespace zk { - namespace snark { + namespace transcript { /*! * @brief Fiat–Shamir heuristic. @@ -184,7 +184,7 @@ namespace nil { private: typename hash_type::digest_type state; }; - } // namespace snark + } // namespace transcript } // namespace zk } // namespace crypto3 } // namespace nil diff --git a/include/nil/crypto3/zk/transcript/transcript.hpp b/include/nil/crypto3/zk/transcript/transcript.hpp new file mode 100644 index 000000000..7a9c26969 --- /dev/null +++ b/include/nil/crypto3/zk/transcript/transcript.hpp @@ -0,0 +1,153 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_TRANSCRIPT_HPP +#define CRYPTO3_ZK_TRANSCRIPT_HPP + +namespace nil { + namespace crypto3 { + namespace zk { + + /*! + * @brief Transcript policy. Assumed to be inherited by particular algorithms. + * @tparam TManifest Transcript Manifest in the following form: + * + * + * class transcript_manifest { + * + * std::size_t gammas_amount = 5; + * + * public: + * enum challenges_ids{ + * alpha, + * beta, + * gamma = 10, + * delta = gamma + gammas_amount, + * epsilon + * } + * + * typedef std::tuple<...> challenges; + * typedef std::tuple<...> processors; + * }; + * + * In the case above we have following list of challenges: (\alpha, \beta, + * \gamma_0, \gamma_1, \gamma_2, \gamma_3, \gamma_4, \delta, \varepsilon) + * + */ + template + class transcript { + + typename TManifest::challenges challenges; + + std::size_t next_challenge_id = 0; + + public: + transcript() { + } + + transcript(std::tuple<> in_challenges) : challenges(in_challenges) { + } + + /*! + * @brief For ordinary challenges. \alpha + * @tparam ChallengeId Ordinary challenge ID. In the example above it's \alpha. + * + */ + template + bool set_challenge(std::tuple_element value) { + std::get(challenges) = value; + + return (ChallengeId == next_challenge_id++); + } + + /*! + * @brief For indexed challenges. (\alpha_0, ..., \alpha_n) + * @tparam ChallengeId Indexed challenge ID. In the example above it's \alpha. + * @tparam Index Index of the particular challenge. In the example above it's \alpha_i. + * + */ + template + bool set_challenge( + std::tuple_element> + value) { + std::get(std::get(challenges)) = value; + + return (ChallengeId + Index == next_challenge_id++); + } + + /*! + * @brief For ordinary challenges. \alpha + * @tparam ChallengeId Ordinary challenge ID. In the example above it's \alpha. + * + */ + template + std::tuple_element get_challenge() const { + return std::get(challenges); + } + + /*! + * @brief For indexed challenges. (\alpha_0, ..., \alpha_n) + * @tparam ChallengeId Indexed challenge ID. In the example above it's \alpha. + * @tparam Index Index of the particular challenge. In the example above it's \alpha_i. + * + */ + template + std::tuple_element> + get_challenge() const { + return std::get(std::get(challenges)); + } + + /*! + * @brief For ordinary challenges. \alpha + * @tparam ChallengeId Ordinary challenge ID. In the example above it's \alpha. + * + */ + template + std::tuple_element::result_type + get_challenge_result() { + return std::tuple_element( + get_challenge()); + } + + /*! + * @brief For indexed challenges. (\alpha_0, ..., \alpha_n) + * @tparam ChallengeId Indexed challenge ID. In the example above it's \alpha. + * @tparam Index Index of the particular challenge. In the example above it's \alpha_i. + * + */ + template + std::tuple_element>::result_type + get_challenge_result() { + return std::tuple_element>( + get_challenge()); + } + }; + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_TRANSCRIPT_HPP diff --git a/test/commitment/fri.cpp b/test/commitment/fri.cpp index 9f359c191..8c78fb929 100644 --- a/test/commitment/fri.cpp +++ b/test/commitment/fri.cpp @@ -44,8 +44,8 @@ #include // until fri inclusion -#include -#include +#include +#include using namespace nil::crypto3; diff --git a/test/commitment/lpc.cpp b/test/commitment/lpc.cpp index e75ae7a9c..211f679b6 100644 --- a/test/commitment/lpc.cpp +++ b/test/commitment/lpc.cpp @@ -42,8 +42,8 @@ #include #include -#include -#include +#include +#include #include using namespace nil::crypto3; diff --git a/test/commitment/lpc_performance.cpp b/test/commitment/lpc_performance.cpp index af9cb6c08..6678a57eb 100644 --- a/test/commitment/lpc_performance.cpp +++ b/test/commitment/lpc_performance.cpp @@ -42,8 +42,8 @@ #include #include -#include -#include +#include +#include #include using namespace nil::crypto3; diff --git a/test/systems/plonk/circuits.hpp b/test/systems/plonk/circuits.hpp index 09a4eda5a..f1a02aaf5 100644 --- a/test/systems/plonk/circuits.hpp +++ b/test/systems/plonk/circuits.hpp @@ -37,8 +37,8 @@ #include #include #include -#include -#include +#include +#include #include #include diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index 2fe8efe22..ff42c6b79 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -52,8 +52,8 @@ #include #include #include -#include -#include +#include +#include #include "circuits.hpp" diff --git a/test/transcript/transcript.cpp b/test/transcript/transcript.cpp index 334d017d9..93170c424 100644 --- a/test/transcript/transcript.cpp +++ b/test/transcript/transcript.cpp @@ -36,7 +36,7 @@ #include #include -#include +#include using namespace nil::crypto3; using namespace nil::crypto3::zk::snark; From 6eb600f4574bb3a67eb4a58a8e6fe9f8bb557fd3 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Tue, 8 Mar 2022 18:36:51 +0300 Subject: [PATCH 211/219] Transcript usage updated. Commit and precommit functions separated. #20 --- .../polynomial/commitment_scheme.hpp | 2 + .../crypto3/zk/commitments/polynomial/fri.hpp | 47 +- .../crypto3/zk/commitments/polynomial/lpc.hpp | 54 +- .../zk/commitments/polynomial/pedersen.hpp | 2 +- .../crypto3/zk/math/integer_permutation.hpp | 184 ++++--- .../crypto3/zk/math/linear_combination.hpp | 426 ++++++++------- .../nil/crypto3/zk/math/linear_variable.hpp | 122 +++-- .../zk/math/non_linear_combination.hpp | 494 +++++++++--------- include/nil/crypto3/zk/math/permutation.hpp | 52 +- .../zk/snark/relations/plonk/constraint.hpp | 26 +- .../zk/snark/relations/plonk/variable.hpp | 62 +-- .../plonk/redshift/detail/redshift_policy.hpp | 1 - .../systems/plonk/redshift/gates_argument.hpp | 9 +- .../snark/systems/plonk/redshift/params.hpp | 2 +- .../plonk/redshift/permutation_argument.hpp | 16 +- .../systems/plonk/redshift/preprocessor.hpp | 6 +- .../snark/systems/plonk/redshift/prover.hpp | 43 +- .../snark/systems/plonk/redshift/verifier.hpp | 41 +- test/commitment/fri.cpp | 24 +- test/commitment/lpc.cpp | 16 +- test/commitment/lpc_performance.cpp | 8 +- test/systems/plonk/circuits.hpp | 7 +- test/systems/plonk/redshift.cpp | 25 +- 23 files changed, 862 insertions(+), 807 deletions(-) diff --git a/include/nil/crypto3/zk/commitments/polynomial/commitment_scheme.hpp b/include/nil/crypto3/zk/commitments/polynomial/commitment_scheme.hpp index f11fcc983..f73d594ce 100644 --- a/include/nil/crypto3/zk/commitments/polynomial/commitment_scheme.hpp +++ b/include/nil/crypto3/zk/commitments/polynomial/commitment_scheme.hpp @@ -34,6 +34,8 @@ namespace nil { template struct polynomial { + + }; } // namespace commitments diff --git a/include/nil/crypto3/zk/commitments/polynomial/fri.hpp b/include/nil/crypto3/zk/commitments/polynomial/fri.hpp index 6f262e062..c63639acc 100644 --- a/include/nil/crypto3/zk/commitments/polynomial/fri.hpp +++ b/include/nil/crypto3/zk/commitments/polynomial/fri.hpp @@ -61,7 +61,8 @@ namespace nil { typename MerkleTreeHashType, typename TranscriptHashType, std::size_t M = 2> - struct fri_commitment_scheme { + struct fri { + constexpr static const std::size_t m = M; typedef FieldType field_type; @@ -76,7 +77,9 @@ namespace nil { nil::crypto3::marshalling::types::field_element, FieldType>; - using commitment_type = typename merkle_tree_type::value_type; + using precommitment_type = merkle_tree_type; + using commitment_type = typename precommitment_type::value_type; + using transcript_type = transcript::fiat_shamir_heuristic_sequential; struct params_type { bool operator==(const params_type &rhs) const { @@ -141,7 +144,7 @@ namespace nil { // After this function // result.root(); // should be called - static merkle_tree_type commit(math::polynomial &f, + static precommitment_type precommit(math::polynomial &f, const std::shared_ptr> &D) { std::vector> y_data; @@ -155,7 +158,33 @@ namespace nil { y_val.write(write_iter, field_element_type::length()); } - return merkle_tree_type(y_data.begin(), y_data.end()); + return precommitment_type(y_data.begin(), y_data.end()); + } + + template + static std::array + precommit(std::array, list_size> &poly, + const std::shared_ptr> &domain) { + std::array precommits; + for (std::size_t i = 0; i < list_size; i++) { + precommits[i] = precommit(poly[i], domain); + } + return precommits; + } + + static commitment_type commit(precommitment_type P) { + return P.root(); + } + + template + static std::array + commit(std::array P) { + + std::array commits; + for (std::size_t i = 0; i < list_size; i++) { + commits[i] = commit(P); + } + return commits; } static inline math::polynomial @@ -179,8 +208,8 @@ namespace nil { static proof_type proof_eval(const math::polynomial &Q, const math::polynomial &g, merkle_tree_type &T, - fiat_shamir_heuristic_sequential &transcript, - const params_type &fri_params) { + const params_type &fri_params, + transcript_type &transcript = transcript_type()) { proof_type proof; @@ -249,7 +278,7 @@ namespace nil { f_next.evaluate(x_next); // polynomial evaluation if (i < r - 1) { - T_next = commit(f_next, fri_params.D[i + 1]); // new merkle tree + T_next = precommit(f_next, fri_params.D[i + 1]); // new merkle tree transcript(T_next.root()); std::vector tmp(f_next.begin(), @@ -282,10 +311,10 @@ namespace nil { } static bool verify_eval(proof_type &proof, - fiat_shamir_heuristic_sequential &transcript, params_type &fri_params, const math::polynomial &U, - const math::polynomial &V) { + const math::polynomial &V, + transcript_type &transcript = transcript_type()) { std::size_t idx = transcript.template int_challenge(); typename FieldType::value_type x = fri_params.D[0]->get_domain_element(1).pow(idx); diff --git a/include/nil/crypto3/zk/commitments/polynomial/lpc.hpp b/include/nil/crypto3/zk/commitments/polynomial/lpc.hpp index 0d70e6b3d..7be7c218e 100644 --- a/include/nil/crypto3/zk/commitments/polynomial/lpc.hpp +++ b/include/nil/crypto3/zk/commitments/polynomial/lpc.hpp @@ -68,7 +68,7 @@ namespace nil { * */ template - struct list_polynomial_commitment_scheme { + struct list_polynomial_commitment { using merkle_hash_type = typename LPCParams::merkle_hash_type; using transcript_hash_type = typename LPCParams::transcript_hash_type; @@ -89,9 +89,11 @@ namespace nil { typedef typename containers::merkle_tree merkle_tree_type; typedef typename containers::merkle_proof merkle_proof_type; - typedef fri_commitment_scheme fri_type; + typedef fri fri_type; - using commitment_type = typename merkle_tree_type::value_type; + using precommitment_type = typename fri_type::precommitment_type; + using commitment_type = typename fri_type::commitment_type; + using transcript_type = typename fri_type::transcript_type; struct proof_type { bool operator==(const proof_type &rhs) const { @@ -103,7 +105,7 @@ namespace nil { std::array z; - typename merkle_tree_type::value_type T_root; + commitment_type T_root; std::array fri_proof; }; @@ -121,28 +123,36 @@ namespace nil { // After this function // result.root(); // should be called - static merkle_tree_type commit(math::polynomial &poly, + static precommitment_type precommit(math::polynomial &poly, const std::shared_ptr> &domain) { - return fri_type::commit(poly, domain); + return fri_type::precommit(poly, domain); } template - static std::array - commit(std::array, list_size> &poly, + static std::array + precommit(std::array, list_size> &poly, const std::shared_ptr> &domain) { - std::array commits; - for (std::size_t i = 0; i < list_size; i++) { - commits[i] = fri_type::commit(poly[i], domain); - } - return commits; + + return fri_type::precommit(poly, domain); + } + + static commitment_type commit(precommitment_type P) { + return fri_type::commit(P); + } + + template + static std::array + commit(std::array P) { + + return fri_type::commit(P); } static proof_type proof_eval(const std::array &evaluation_points, - merkle_tree_type &T, + precommitment_type &T, const math::polynomial &g, - fiat_shamir_heuristic_sequential &transcript, - const typename fri_type::params_type &fri_params) { + const typename fri_type::params_type &fri_params, + transcript_type &transcript = transcript_type()) { std::array z; std::array p; @@ -172,7 +182,7 @@ namespace nil { for (std::size_t round_id = 0; round_id <= lambda - 1; round_id++) { fri_proof[round_id] = - fri_type::proof_eval(Q, g, T, transcript, fri_params); // fri_commitment_scheme.hpp + fri_type::proof_eval(Q, g, T, fri_params, transcript); } return proof_type({z, T.root(), fri_proof}); @@ -180,8 +190,9 @@ namespace nil { static bool verify_eval(const std::array &evaluation_points, proof_type &proof, - fiat_shamir_heuristic_sequential &transcript, - typename fri_type::params_type fri_params) { + typename fri_type::params_type fri_params, + transcript_type &transcript = transcript_type()) { + std::array, k> U_interpolation_points; @@ -199,7 +210,7 @@ namespace nil { } for (std::size_t round_id = 0; round_id <= lambda - 1; round_id++) { - if (!fri_type::verify_eval(proof.fri_proof[round_id], transcript, fri_params, U, V)) { + if (!fri_type::verify_eval(proof.fri_proof[round_id], fri_params, U, V, transcript)) { return false; } } @@ -207,6 +218,9 @@ namespace nil { return true; } }; + + template + using lpc = list_polynomial_commitment; } // namespace commitments } // namespace zk } // namespace crypto3 diff --git a/include/nil/crypto3/zk/commitments/polynomial/pedersen.hpp b/include/nil/crypto3/zk/commitments/polynomial/pedersen.hpp index 0b2cfcd95..c467678da 100644 --- a/include/nil/crypto3/zk/commitments/polynomial/pedersen.hpp +++ b/include/nil/crypto3/zk/commitments/polynomial/pedersen.hpp @@ -33,7 +33,7 @@ namespace nil { namespace zk { namespace commitments { template - class pedersen_commitment_scheme { + class pedersen { public: typedef typename CurveType::scalar_field_type::value_type evaluation_type; typedef typename CurveType::template g1_type<>::value_type commitment_type; diff --git a/include/nil/crypto3/zk/math/integer_permutation.hpp b/include/nil/crypto3/zk/math/integer_permutation.hpp index 44fbc836f..28bebddbe 100644 --- a/include/nil/crypto3/zk/math/integer_permutation.hpp +++ b/include/nil/crypto3/zk/math/integer_permutation.hpp @@ -34,115 +34,113 @@ namespace nil { namespace crypto3 { - namespace zk { - namespace math { - - class integer_permutation { - private: - std::vector contents; /* offset by min_element */ - - public: - std::size_t min_element; - std::size_t max_element; - - integer_permutation(const std::size_t size = 0) : min_element(0), max_element(size - 1) { - contents.resize(size); - std::iota(contents.begin(), contents.end(), 0); - } - integer_permutation(const std::size_t min_element, const std::size_t max_element) : - min_element(min_element), max_element(max_element) { - assert(min_element <= max_element); - const std::size_t size = max_element - min_element + 1; - contents.resize(size); - std::iota(contents.begin(), contents.end(), min_element); - } - - integer_permutation &operator=(const integer_permutation &other) = default; - - std::size_t size() const { - return max_element - min_element + 1; - } - - std::vector &data() { - return contents; - } - - const std::vector &data() const { - return contents; - } - - bool operator==(const integer_permutation &other) const { - return (this->min_element == other.min_element && this->max_element == other.max_element && - this->contents == other.contents); - } + namespace math { + + class integer_permutation { + private: + std::vector contents; /* offset by min_element */ + + public: + std::size_t min_element; + std::size_t max_element; + + integer_permutation(const std::size_t size = 0) : min_element(0), max_element(size - 1) { + contents.resize(size); + std::iota(contents.begin(), contents.end(), 0); + } + integer_permutation(const std::size_t min_element, const std::size_t max_element) : + min_element(min_element), max_element(max_element) { + assert(min_element <= max_element); + const std::size_t size = max_element - min_element + 1; + contents.resize(size); + std::iota(contents.begin(), contents.end(), min_element); + } + + integer_permutation &operator=(const integer_permutation &other) = default; + + std::size_t size() const { + return max_element - min_element + 1; + } + + std::vector &data() { + return contents; + } + + const std::vector &data() const { + return contents; + } + + bool operator==(const integer_permutation &other) const { + return (this->min_element == other.min_element && this->max_element == other.max_element && + this->contents == other.contents); + } + + void set(const std::size_t position, const std::size_t value) { + assert(min_element <= position && position <= max_element); + contents[position - min_element] = value; + } + std::size_t get(const std::size_t position) const { + assert(min_element <= position && position <= max_element); + return contents[position - min_element]; + } + + bool is_valid() const { + std::unordered_set elems; + + for (auto &el : contents) { + if (el < min_element || el > max_element || elems.find(el) != elems.end()) { + return false; + } - void set(const std::size_t position, const std::size_t value) { - assert(min_element <= position && position <= max_element); - contents[position - min_element] = value; - } - std::size_t get(const std::size_t position) const { - assert(min_element <= position && position <= max_element); - return contents[position - min_element]; + elems.insert(el); } - bool is_valid() const { - std::unordered_set elems; + return true; + } - for (auto &el : contents) { - if (el < min_element || el > max_element || elems.find(el) != elems.end()) { - return false; - } + integer_permutation inverse() const { + integer_permutation result(min_element, max_element); - elems.insert(el); - } - - return true; + for (std::size_t position = min_element; position <= max_element; ++position) { + result.contents[this->contents[position - min_element] - min_element] = position; } - integer_permutation inverse() const { - integer_permutation result(min_element, max_element); - - for (std::size_t position = min_element; position <= max_element; ++position) { - result.contents[this->contents[position - min_element] - min_element] = position; - } - #ifdef DEBUG - assert(result.is_valid()); + assert(result.is_valid()); #endif - return result; - } - - integer_permutation slice(const std::size_t slice_min_element, - const std::size_t slice_max_element) const { - assert(min_element <= slice_min_element && slice_min_element <= slice_max_element && - slice_max_element <= max_element); - integer_permutation result(slice_min_element, slice_max_element); - std::copy(this->contents.begin() + (slice_min_element - min_element), - this->contents.begin() + (slice_max_element - min_element) + 1, - result.contents.begin()); + return result; + } + + integer_permutation slice(const std::size_t slice_min_element, + const std::size_t slice_max_element) const { + assert(min_element <= slice_min_element && slice_min_element <= slice_max_element && + slice_max_element <= max_element); + integer_permutation result(slice_min_element, slice_max_element); + std::copy(this->contents.begin() + (slice_min_element - min_element), + this->contents.begin() + (slice_max_element - min_element) + 1, + result.contents.begin()); #ifdef DEBUG - assert(result.is_valid()); + assert(result.is_valid()); #endif - return result; - } + return result; + } - /* Similarly to std::next_permutation this transforms the current - integer permutation into the next lexicographically ordered - permutation; returns false if the last permutation was reached and - this is now the identity permutation on [min_element .. max_element] */ - bool next_permutation() { - return std::next_permutation(contents.begin(), contents.end()); - } + /* Similarly to std::next_permutation this transforms the current + integer permutation into the next lexicographically ordered + permutation; returns false if the last permutation was reached and + this is now the identity permutation on [min_element .. max_element] */ + bool next_permutation() { + return std::next_permutation(contents.begin(), contents.end()); + } - void random_shuffle() { - return std::random_shuffle(contents.begin(), contents.end()); - } - }; + void random_shuffle() { + return std::random_shuffle(contents.begin(), contents.end()); + } + }; - } // namespace math - } // namespace zk + } // namespace math } // namespace crypto3 } // namespace nil diff --git a/include/nil/crypto3/zk/math/linear_combination.hpp b/include/nil/crypto3/zk/math/linear_combination.hpp index f034b3755..429c3cf1c 100644 --- a/include/nil/crypto3/zk/math/linear_combination.hpp +++ b/include/nil/crypto3/zk/math/linear_combination.hpp @@ -35,259 +35,257 @@ namespace nil { namespace crypto3 { - namespace zk { - namespace math { - - /** - * Forward declaration. - */ - template - struct linear_combination; - - /****************************** Linear term **********************************/ - - /** - * A linear term represents a formal expression of the form "coeff * x_{index}". - */ - template - class linear_term { - typedef typename VariableType::value_type field_value_type; - - public: - std::size_t index; - field_value_type coeff; - - linear_term() {}; - linear_term(const VariableType &var) : index(var.index), coeff(field_value_type::one()) { - } + namespace math { - linear_term operator*(const field_value_type &field_coeff) const { - linear_term result(this->index); - result.coeff = field_coeff * this->coeff; - return result; - } + /** + * Forward declaration. + */ + template + struct linear_combination; - // linear_combination operator+( - // const linear_combination &other) const { - // return linear_combination(*this) + other; - // } + /****************************** Linear term **********************************/ - // linear_combination operator-( - // const linear_combination &other) const { - // return (*this) + (-other); - // } + /** + * A linear term represents a formal expression of the form "coeff * x_{index}". + */ + template + class linear_term { + typedef typename VariableType::value_type field_value_type; - linear_term operator-() const { - return linear_term(this->index) * (-this->coeff); - } + public: + std::size_t index; + field_value_type coeff; - bool operator==(const linear_term &other) const { - return (this->index == other.index && this->coeff == other.coeff); - } - }; + linear_term() {}; + linear_term(const VariableType &var) : index(var.index), coeff(field_value_type::one()) { + } - template - linear_term operator*(const typename VariableType::value_type &field_coeff, - const linear_term <) { - return lt * field_coeff; + linear_term operator*(const field_value_type &field_coeff) const { + linear_term result(this->index); + result.coeff = field_coeff * this->coeff; + return result; } - // template - // linear_combination operator+(const typename VariableType::value_type - // &field_coeff, - // const linear_term <) { - // return linear_combination(field_coeff) + lt; + // linear_combination operator+( + // const linear_combination &other) const { + // return linear_combination(*this) + other; // } - // template - // linear_combination operator-(const typename VariableType::value_type - // &field_coeff, - // const linear_term <) { - // return linear_combination(field_coeff) - lt; + // linear_combination operator-( + // const linear_combination &other) const { + // return (*this) + (-other); // } - /***************************** Linear combination ****************************/ - - /** - * A linear combination represents a formal expression of the form "sum_i coeff_i * x_{index_i}". - */ - template - class linear_combination { - typedef typename VariableType::value_type field_value_type; - - constexpr static const bool RotationSupport = false; - - public: - std::vector> terms; + linear_term operator-() const { + return linear_term(this->index) * (-this->coeff); + } - linear_combination() {}; - linear_combination(const field_value_type &field_coeff) { - this->add_term(linear_term(0) * field_coeff); - } - linear_combination(const VariableType &var) { - this->add_term(var); - } - linear_combination(const linear_term <) { - this->add_term(lt); + bool operator==(const linear_term &other) const { + return (this->index == other.index && this->coeff == other.coeff); + } + }; + + template + linear_term operator*(const typename VariableType::value_type &field_coeff, + const linear_term <) { + return lt * field_coeff; + } + + // template + // linear_combination operator+(const typename VariableType::value_type + // &field_coeff, + // const linear_term <) { + // return linear_combination(field_coeff) + lt; + // } + + // template + // linear_combination operator-(const typename VariableType::value_type + // &field_coeff, + // const linear_term <) { + // return linear_combination(field_coeff) - lt; + // } + + /***************************** Linear combination ****************************/ + + /** + * A linear combination represents a formal expression of the form "sum_i coeff_i * x_{index_i}". + */ + template + class linear_combination { + typedef typename VariableType::value_type field_value_type; + + constexpr static const bool RotationSupport = false; + + public: + std::vector> terms; + + linear_combination() {}; + linear_combination(const field_value_type &field_coeff) { + this->add_term(linear_term(0) * field_coeff); + } + linear_combination(const VariableType &var) { + this->add_term(var); + } + linear_combination(const linear_term <) { + this->add_term(lt); + } + linear_combination(const std::vector> &all_terms) { + if (all_terms.empty()) { + return; } - linear_combination(const std::vector> &all_terms) { - if (all_terms.empty()) { - return; - } - terms = all_terms; - std::sort( - terms.begin(), terms.end(), - [](linear_term a, linear_term b) { - return a.index < b.index; - }); - - auto result_it = terms.begin(); - for (auto it = ++terms.begin(); it != terms.end(); ++it) { - if (it->index == result_it->index) { - result_it->coeff += it->coeff; - } else { - *(++result_it) = *it; - } + terms = all_terms; + std::sort( + terms.begin(), terms.end(), + [](linear_term a, linear_term b) { + return a.index < b.index; + }); + + auto result_it = terms.begin(); + for (auto it = ++terms.begin(); it != terms.end(); ++it) { + if (it->index == result_it->index) { + result_it->coeff += it->coeff; + } else { + *(++result_it) = *it; } - terms.resize((result_it - terms.begin()) + 1); } + terms.resize((result_it - terms.begin()) + 1); + } - /* for supporting range-based for loops over linear_combination */ - typename std::vector>::const_iterator begin() const { - return terms.begin(); - } + /* for supporting range-based for loops over linear_combination */ + typename std::vector>::const_iterator begin() const { + return terms.begin(); + } - typename std::vector>::const_iterator end() const { - return terms.end(); - } + typename std::vector>::const_iterator end() const { + return terms.end(); + } - void add_term(const VariableType &var) { - this->terms.emplace_back(linear_term(var)); - } - void add_term(const VariableType &var, - const field_value_type &field_coeff) { - this->terms.emplace_back(linear_term(var) * field_coeff); - } - void add_term(const linear_term <) { - this->terms.emplace_back(lt); - } + void add_term(const VariableType &var) { + this->terms.emplace_back(linear_term(var)); + } + void add_term(const VariableType &var, + const field_value_type &field_coeff) { + this->terms.emplace_back(linear_term(var) * field_coeff); + } + void add_term(const linear_term <) { + this->terms.emplace_back(lt); + } - field_value_type evaluate(const std::vector &assignment) const { - field_value_type acc = field_value_type::zero(); - for (auto < : terms) { - acc += (lt.index == 0 ? field_value_type::one() : assignment[lt.index - 1]) * lt.coeff; - } - return acc; + field_value_type evaluate(const std::vector &assignment) const { + field_value_type acc = field_value_type::zero(); + for (auto < : terms) { + acc += (lt.index == 0 ? field_value_type::one() : assignment[lt.index - 1]) * lt.coeff; } - linear_combination operator*(const field_value_type &field_coeff) const { - linear_combination result; - result.terms.reserve(this->terms.size()); - for (const linear_term < : this->terms) { - result.terms.emplace_back(lt * field_coeff); - } - return result; + return acc; + } + linear_combination operator*(const field_value_type &field_coeff) const { + linear_combination result; + result.terms.reserve(this->terms.size()); + for (const linear_term < : this->terms) { + result.terms.emplace_back(lt * field_coeff); } - linear_combination operator+(const linear_combination &other) const { - linear_combination result; - - auto it1 = this->terms.begin(); - auto it2 = other.terms.begin(); - - /* invariant: it1 and it2 always point to unprocessed items in the corresponding linear - * combinations - */ - while (it1 != this->terms.end() && it2 != other.terms.end()) { - if (it1->index < it2->index) { - result.terms.emplace_back(*it1); - ++it1; - } else if (it1->index > it2->index) { - result.terms.emplace_back(*it2); - ++it2; - } else { - /* it1->index == it2->index */ - result.terms.emplace_back(linear_term( - VariableType(it1->index)) * - (it1->coeff + it2->coeff)); - ++it1; - ++it2; - } - } - - if (it1 != this->terms.end()) { - result.terms.insert(result.terms.end(), it1, this->terms.end()); + return result; + } + linear_combination operator+(const linear_combination &other) const { + linear_combination result; + + auto it1 = this->terms.begin(); + auto it2 = other.terms.begin(); + + /* invariant: it1 and it2 always point to unprocessed items in the corresponding linear + * combinations + */ + while (it1 != this->terms.end() && it2 != other.terms.end()) { + if (it1->index < it2->index) { + result.terms.emplace_back(*it1); + ++it1; + } else if (it1->index > it2->index) { + result.terms.emplace_back(*it2); + ++it2; } else { - result.terms.insert(result.terms.end(), it2, other.terms.end()); + /* it1->index == it2->index */ + result.terms.emplace_back(linear_term( + VariableType(it1->index)) * + (it1->coeff + it2->coeff)); + ++it1; + ++it2; } - - return result; - } - linear_combination operator-(const linear_combination &other) const { - return (*this) + (-other); } - linear_combination operator-() const { - return (*this) * (-field_value_type::one()); + + if (it1 != this->terms.end()) { + result.terms.insert(result.terms.end(), it1, this->terms.end()); + } else { + result.terms.insert(result.terms.end(), it2, other.terms.end()); } - bool operator==(const linear_combination &other) const { + return result; + } + linear_combination operator-(const linear_combination &other) const { + return (*this) + (-other); + } + linear_combination operator-() const { + return (*this) * (-field_value_type::one()); + } - std::vector> thisterms = this->terms; - std::sort( - thisterms.begin(), thisterms.end(), - [](linear_term a, linear_term b) { - return a.index < b.index; - }); + bool operator==(const linear_combination &other) const { - std::vector> otherterms = other.terms; - std::sort( - otherterms.begin(), otherterms.end(), - [](linear_term a, linear_term b) { - return a.index < b.index; - }); + std::vector> thisterms = this->terms; + std::sort( + thisterms.begin(), thisterms.end(), + [](linear_term a, linear_term b) { + return a.index < b.index; + }); - return (thisterms == otherterms); - } + std::vector> otherterms = other.terms; + std::sort( + otherterms.begin(), otherterms.end(), + [](linear_term a, linear_term b) { + return a.index < b.index; + }); - bool is_valid(size_t num_variables) const { - /* check that all terms in linear combination are sorted */ - for (std::size_t i = 1; i < terms.size(); ++i) { - if (terms[i - 1].index >= terms[i].index) { - return false; - } - } + return (thisterms == otherterms); + } - /* check that the variables are in proper range. as the variables - are sorted, it suffices to check the last term */ - if ((--terms.end())->index >= num_variables) { + bool is_valid(size_t num_variables) const { + /* check that all terms in linear combination are sorted */ + for (std::size_t i = 1; i < terms.size(); ++i) { + if (terms[i - 1].index >= terms[i].index) { return false; } - - return true; } - }; - - template - linear_combination - operator*(const typename VariableType::value_type &field_coeff, - const linear_combination &lc) { - return lc * field_coeff; - } - template - linear_combination - operator+(const typename VariableType::value_type &field_coeff, - const linear_combination &lc) { - return linear_combination(field_coeff) + lc; - } + /* check that the variables are in proper range. as the variables + are sorted, it suffices to check the last term */ + if ((--terms.end())->index >= num_variables) { + return false; + } - template - linear_combination - operator-(const typename VariableType::value_type &field_coeff, - const linear_combination &lc) { - return linear_combination(field_coeff) - lc; + return true; } - } // namespace math - } // namespace zk + }; + + template + linear_combination + operator*(const typename VariableType::value_type &field_coeff, + const linear_combination &lc) { + return lc * field_coeff; + } + + template + linear_combination + operator+(const typename VariableType::value_type &field_coeff, + const linear_combination &lc) { + return linear_combination(field_coeff) + lc; + } + + template + linear_combination + operator-(const typename VariableType::value_type &field_coeff, + const linear_combination &lc) { + return linear_combination(field_coeff) - lc; + } + } // namespace math } // namespace crypto3 } // namespace nil diff --git a/include/nil/crypto3/zk/math/linear_variable.hpp b/include/nil/crypto3/zk/math/linear_variable.hpp index 246ce2723..a41915d10 100644 --- a/include/nil/crypto3/zk/math/linear_variable.hpp +++ b/include/nil/crypto3/zk/math/linear_variable.hpp @@ -33,85 +33,83 @@ namespace nil { namespace crypto3 { - namespace zk { - namespace math { + namespace math { - /** - * Forward declaration. - */ - template - struct linear_term; + /** + * Forward declaration. + */ + template + struct linear_term; - /** - * Forward declaration. - */ - template - struct linear_combination; + /** + * Forward declaration. + */ + template + struct linear_combination; - /********************************* Variable **********************************/ + /********************************* Variable **********************************/ - /** - * A variable represents a formal expression of the form "x_{index}". - */ - template - class linear_variable { + /** + * A variable represents a formal expression of the form "x_{index}". + */ + template + class linear_variable { - using variable_type = linear_variable; - public: + using variable_type = linear_variable; + public: - std::size_t index; + std::size_t index; - linear_variable(const std::size_t index = 0) : index(index) {}; + linear_variable(const std::size_t index = 0) : index(index) {}; - linear_term - operator*(const typename FieldType::value_type &field_coeff) const { - return linear_term(*this) * field_coeff; - } - - linear_combination - operator+(const linear_combination &other) const { - linear_combination result; - - result.add_term(*this); - result.terms.insert(result.terms.begin(), other.terms.begin(), other.terms.end()); - - return result; - } - - linear_combination - operator-(const linear_combination &other) const { - return (*this) + (-other); - } + linear_term + operator*(const typename FieldType::value_type &field_coeff) const { + return linear_term(*this) * field_coeff; + } - linear_term operator-() const { - return linear_term(*this) * (-FieldType::value_type::one()); - } + linear_combination + operator+(const linear_combination &other) const { + linear_combination result; - bool operator==(const linear_variable &other) const { - return (this->index == other.index); - } - }; + result.add_term(*this); + result.terms.insert(result.terms.begin(), other.terms.begin(), other.terms.end()); - template - linear_term> operator*(const typename FieldType::value_type &field_coeff, - const linear_variable &var) { - return var * field_coeff; + return result; } - template - linear_combination> operator+(const typename FieldType::value_type &field_coeff, - const linear_variable &var) { - return var + field_coeff; + linear_combination + operator-(const linear_combination &other) const { + return (*this) + (-other); } - template - linear_combination> operator-(const typename FieldType::value_type &field_coeff, - const linear_variable &var) { - return linear_combination>(field_coeff) - var; + linear_term operator-() const { + return linear_term(*this) * (-FieldType::value_type::one()); } - } // namespace math - } // namespace zk + bool operator==(const linear_variable &other) const { + return (this->index == other.index); + } + }; + + template + linear_term> operator*(const typename FieldType::value_type &field_coeff, + const linear_variable &var) { + return var * field_coeff; + } + + template + linear_combination> operator+(const typename FieldType::value_type &field_coeff, + const linear_variable &var) { + return var + field_coeff; + } + + template + linear_combination> operator-(const typename FieldType::value_type &field_coeff, + const linear_variable &var) { + return linear_combination>(field_coeff) - var; + } + + } // namespace math } // namespace crypto3 } // namespace nil diff --git a/include/nil/crypto3/zk/math/non_linear_combination.hpp b/include/nil/crypto3/zk/math/non_linear_combination.hpp index 14a4c13e9..403b53491 100644 --- a/include/nil/crypto3/zk/math/non_linear_combination.hpp +++ b/include/nil/crypto3/zk/math/non_linear_combination.hpp @@ -35,306 +35,304 @@ namespace nil { namespace crypto3 { - namespace zk { - namespace math { + namespace math { - /** - * Forward declaration. - */ - template - struct non_linear_combination; + /** + * Forward declaration. + */ + template + struct non_linear_combination; - /****************************** Linear term **********************************/ + /****************************** Linear term **********************************/ - /** - * A linear term represents a formal expression of the form - * "coeff * w^{wire_index_1}_{rotation_1} * ... * w^{wire_index_k}_{rotation_k}". - */ - template - class non_linear_term; + /** + * A linear term represents a formal expression of the form + * "coeff * w^{wire_index_1}_{rotation_1} * ... * w^{wire_index_k}_{rotation_k}". + */ + template + class non_linear_term; - template - class non_linear_term { - typedef typename VariableType::assignment_type assignment_type; + template + class non_linear_term { + typedef typename VariableType::assignment_type assignment_type; - public: - std::vector vars; - assignment_type coeff; + public: + std::vector vars; + assignment_type coeff; - non_linear_term() {}; + non_linear_term() {}; - non_linear_term(const VariableType &var) : coeff(assignment_type::one()) { - vars.push_back(var); - } - - non_linear_term(const assignment_type &field_val) : coeff(field_val) { - } - - non_linear_term(std::vector vars) : vars(vars), coeff(assignment_type::one()) { - } - - non_linear_term operator*(const assignment_type &field_coeff) const { - non_linear_term result(this->vars); - result.coeff = field_coeff * this->coeff; - return result; - } - - non_linear_term operator*(const non_linear_term &other) const { - non_linear_term result(this->vars); - - std::copy(other.vars.begin(), other.vars.end(), std::back_inserter(result.vars)); - result.coeff = other.coeff * this->coeff; - return result; - } - - non_linear_term operator^(const std::size_t power) const { - - non_linear_term result(this->vars); - - for (std::size_t i = 0; i < power; i++){ - std::copy(this->vars.begin(), this->vars.end(), std::back_inserter(result.vars)); - } - - result.coeff = this->coeff.pow(power); - return result; - } - - // non_linear_combination operator+(const non_linear_combination &other) - // const { - // return non_linear_combination(*this) + other; - // } - - // non_linear_combination operator-(const non_linear_combination &other) - // const { - // return (*this) + (-other); - // } - - non_linear_term operator-() const { - return non_linear_term(this->vars) * (-this->coeff); - } - }; - - template - non_linear_term operator*(const typename VariableType::assignment_type &field_coeff, - const non_linear_term &nlt) { - return nlt * field_coeff; + non_linear_term(const VariableType &var) : coeff(assignment_type::one()) { + vars.push_back(var); } - template - non_linear_combination - operator+(const typename VariableType::assignment_type &field_coeff, - const non_linear_term &nlt) { - return non_linear_combination(field_coeff) + nlt; + non_linear_term(const assignment_type &field_val) : coeff(field_val) { } - template - non_linear_combination - operator-(const typename VariableType::assignment_type &field_coeff, - const non_linear_term &nlt) { - return non_linear_combination(field_coeff) - nlt; + non_linear_term(std::vector vars) : vars(vars), coeff(assignment_type::one()) { } - template - non_linear_combination operator+(const non_linear_term &A, - const non_linear_term &B) { - return non_linear_combination(A) + non_linear_combination(B); - } - - template - non_linear_combination operator-(const non_linear_term &A, - const non_linear_term &B) { - return non_linear_combination(A) - non_linear_combination(B); + non_linear_term operator*(const assignment_type &field_coeff) const { + non_linear_term result(this->vars); + result.coeff = field_coeff * this->coeff; + return result; } - /***************************** Linear combination ****************************/ + non_linear_term operator*(const non_linear_term &other) const { + non_linear_term result(this->vars); - /** - * A linear combination represents a formal expression of the form "sum_i coeff_i * x_{index_i}". - */ - template - struct non_linear_combination { + std::copy(other.vars.begin(), other.vars.end(), std::back_inserter(result.vars)); + result.coeff = other.coeff * this->coeff; + return result; + } - using term_type = non_linear_term; - using variable_type = VariableType; + non_linear_term operator^(const std::size_t power) const { - std::vector terms; - - non_linear_combination() {}; - // non_linear_combination(const field_value_type &field_coeff) { - // this->add_term(non_linear_term(field_coeff)); - // } - non_linear_combination(const VariableType &var) { - this->add_term(var); - } - non_linear_combination(const term_type &nlt) { - this->add_term(nlt); - } - non_linear_combination(const std::vector &terms) : terms(terms) { - } - - // non_linear_combination(const non_linear_combination &other): - // terms(other.terms) { - // } + non_linear_term result(this->vars); - /* for supporting range-based for loops over non_linear_combination */ - typename std::vector::const_iterator begin() const { - return terms.begin(); + for (std::size_t i = 0; i < power; i++){ + std::copy(this->vars.begin(), this->vars.end(), std::back_inserter(result.vars)); } - typename std::vector::const_iterator end() const { - return terms.end(); - } - - void add_term(const VariableType &var) { - this->terms.emplace_back(term_type(var)); - } - void add_term(const VariableType &var, const typename VariableType::assignment_type &field_coeff) { - this->terms.emplace_back(term_type(var) * field_coeff); - } - void add_term(const term_type &nlt) { - this->terms.emplace_back(nlt); - } - - non_linear_combination operator*(const typename VariableType::assignment_type &field_coeff) const { - non_linear_combination result; - result.terms.reserve(this->terms.size()); - for (const term_type &nlt : this->terms) { - result.terms.emplace_back(nlt * field_coeff); - } - return result; - } - - non_linear_combination operator+(const non_linear_combination &other) const { - non_linear_combination result; - - result.terms.insert(result.terms.end(), this->terms.begin(), this->terms.end()); - result.terms.insert(result.terms.end(), other.terms.begin(), other.terms.end()); - - return result; - } - non_linear_combination operator-(const non_linear_combination &other) const { - return (*this) + (-other); - } - non_linear_combination operator-() const { - return (*this) * (-VariableType::assignment_type::one()); - } - - void sort() { - std::sort(terms.begin(), terms.end()); - std::vector new_terms; + result.coeff = this->coeff.pow(power); + return result; + } - if (terms.size()) { - new_terms.push_back(terms[0]); + // non_linear_combination operator+(const non_linear_combination &other) + // const { + // return non_linear_combination(*this) + other; + // } - for (std::size_t i = 1; i < terms.size(); i++) { - if (terms[i].vars == terms[i - 1].vars) { - (new_terms.end() - 1)->coeff += terms[i].coeff; - } else { - new_terms.push_back(terms[i]); - } - } - } - } + // non_linear_combination operator-(const non_linear_combination &other) + // const { + // return (*this) + (-other); + // } - bool operator==(const non_linear_combination &other) { + non_linear_term operator-() const { + return non_linear_term(this->vars) * (-this->coeff); + } + }; + + template + non_linear_term operator*(const typename VariableType::assignment_type &field_coeff, + const non_linear_term &nlt) { + return nlt * field_coeff; + } + + template + non_linear_combination + operator+(const typename VariableType::assignment_type &field_coeff, + const non_linear_term &nlt) { + return non_linear_combination(field_coeff) + nlt; + } + + template + non_linear_combination + operator-(const typename VariableType::assignment_type &field_coeff, + const non_linear_term &nlt) { + return non_linear_combination(field_coeff) - nlt; + } + + template + non_linear_combination operator+(const non_linear_term &A, + const non_linear_term &B) { + return non_linear_combination(A) + non_linear_combination(B); + } + + template + non_linear_combination operator-(const non_linear_term &A, + const non_linear_term &B) { + return non_linear_combination(A) - non_linear_combination(B); + } + + /***************************** Linear combination ****************************/ + + /** + * A linear combination represents a formal expression of the form "sum_i coeff_i * x_{index_i}". + */ + template + struct non_linear_combination { + + using term_type = non_linear_term; + using variable_type = VariableType; + + std::vector terms; + + non_linear_combination() {}; + // non_linear_combination(const field_value_type &field_coeff) { + // this->add_term(non_linear_term(field_coeff)); + // } + non_linear_combination(const VariableType &var) { + this->add_term(var); + } + non_linear_combination(const term_type &nlt) { + this->add_term(nlt); + } + non_linear_combination(const std::vector &terms) : terms(terms) { + } - this->sort(); - other.sort(); + // non_linear_combination(const non_linear_combination &other): + // terms(other.terms) { + // } - return (this->terms == other.terms); - } - }; + /* for supporting range-based for loops over non_linear_combination */ + typename std::vector::const_iterator begin() const { + return terms.begin(); + } - template - non_linear_combination - operator*(const typename VariableType::assignment_type &field_coeff, - const non_linear_combination &lc) { - return lc * field_coeff; + typename std::vector::const_iterator end() const { + return terms.end(); } - template - non_linear_combination operator*(const non_linear_combination &A, - const non_linear_combination &B) { - non_linear_combination result; - result.terms.reserve(A.terms.size() * B.terms.size()); + void add_term(const VariableType &var) { + this->terms.emplace_back(term_type(var)); + } + void add_term(const VariableType &var, const typename VariableType::assignment_type &field_coeff) { + this->terms.emplace_back(term_type(var) * field_coeff); + } + void add_term(const term_type &nlt) { + this->terms.emplace_back(nlt); + } - for (const typename non_linear_combination::term_type &this_nlt : A.terms) { - for (const typename non_linear_combination::term_type &other_nlt : B.terms) { - result.terms.emplace_back(this_nlt * other_nlt); - } + non_linear_combination operator*(const typename VariableType::assignment_type &field_coeff) const { + non_linear_combination result; + result.terms.reserve(this->terms.size()); + for (const term_type &nlt : this->terms) { + result.terms.emplace_back(nlt * field_coeff); } return result; } - template - non_linear_combination operator*(const VariableType &var, - const non_linear_combination &A) { - non_linear_combination result; - result.terms.reserve(A.terms.size()); + non_linear_combination operator+(const non_linear_combination &other) const { + non_linear_combination result; + + result.terms.insert(result.terms.end(), this->terms.begin(), this->terms.end()); + result.terms.insert(result.terms.end(), other.terms.begin(), other.terms.end()); - for (const typename non_linear_combination::term_type &this_nlt : A.terms) { - result.terms.emplace_back(this_nlt * var); - } return result; } + non_linear_combination operator-(const non_linear_combination &other) const { + return (*this) + (-other); + } + non_linear_combination operator-() const { + return (*this) * (-VariableType::assignment_type::one()); + } - template - non_linear_combination operator*(const non_linear_combination &A, - const VariableType &var) { - non_linear_combination result; - result.terms.reserve(A.terms.size()); + void sort() { + std::sort(terms.begin(), terms.end()); + std::vector new_terms; - for (const typename non_linear_combination::term_type &this_nlt : A.terms) { - result.terms.emplace_back(this_nlt * var); + if (terms.size()) { + new_terms.push_back(terms[0]); + + for (std::size_t i = 1; i < terms.size(); i++) { + if (terms[i].vars == terms[i - 1].vars) { + (new_terms.end() - 1)->coeff += terms[i].coeff; + } else { + new_terms.push_back(terms[i]); + } + } } - return result; } - template - non_linear_combination - operator+(const typename VariableType::assignment_type &field_coeff, - const non_linear_combination &lc) { - return non_linear_combination(field_coeff) + lc; - } + bool operator==(const non_linear_combination &other) { - template - non_linear_combination - operator+(const non_linear_combination &lc, - const typename VariableType::assignment_type &field_coeff) { + this->sort(); + other.sort(); - return field_coeff + lc; + return (this->terms == other.terms); } - - template - non_linear_combination - operator-(const typename VariableType::assignment_type &field_coeff, - const non_linear_combination &lc) { - return non_linear_combination(field_coeff) - lc; + }; + + template + non_linear_combination + operator*(const typename VariableType::assignment_type &field_coeff, + const non_linear_combination &lc) { + return lc * field_coeff; + } + + template + non_linear_combination operator*(const non_linear_combination &A, + const non_linear_combination &B) { + non_linear_combination result; + result.terms.reserve(A.terms.size() * B.terms.size()); + + for (const typename non_linear_combination::term_type &this_nlt : A.terms) { + for (const typename non_linear_combination::term_type &other_nlt : B.terms) { + result.terms.emplace_back(this_nlt * other_nlt); + } } + return result; + } - template - non_linear_combination - operator-(const non_linear_combination &lc, - const typename VariableType::assignment_type &field_coeff) { + template + non_linear_combination operator*(const VariableType &var, + const non_linear_combination &A) { + non_linear_combination result; + result.terms.reserve(A.terms.size()); - return -(field_coeff - lc); + for (const typename non_linear_combination::term_type &this_nlt : A.terms) { + result.terms.emplace_back(this_nlt * var); } + return result; + } - template - non_linear_combination - operator-(const non_linear_term &term, - const non_linear_combination &lc) { - return non_linear_combination(term) - lc; - } + template + non_linear_combination operator*(const non_linear_combination &A, + const VariableType &var) { + non_linear_combination result; + result.terms.reserve(A.terms.size()); - template - non_linear_combination - operator-(const non_linear_combination &lc, - const non_linear_term &term) { - return lc - non_linear_combination(term); + for (const typename non_linear_combination::term_type &this_nlt : A.terms) { + result.terms.emplace_back(this_nlt * var); } - } // namespace math - } // namespace zk + return result; + } + + template + non_linear_combination + operator+(const typename VariableType::assignment_type &field_coeff, + const non_linear_combination &lc) { + return non_linear_combination(field_coeff) + lc; + } + + template + non_linear_combination + operator+(const non_linear_combination &lc, + const typename VariableType::assignment_type &field_coeff) { + + return field_coeff + lc; + } + + template + non_linear_combination + operator-(const typename VariableType::assignment_type &field_coeff, + const non_linear_combination &lc) { + return non_linear_combination(field_coeff) - lc; + } + + template + non_linear_combination + operator-(const non_linear_combination &lc, + const typename VariableType::assignment_type &field_coeff) { + + return -(field_coeff - lc); + } + + template + non_linear_combination + operator-(const non_linear_term &term, + const non_linear_combination &lc) { + return non_linear_combination(term) - lc; + } + + template + non_linear_combination + operator-(const non_linear_combination &lc, + const non_linear_term &term) { + return lc - non_linear_combination(term); + } + } // namespace math } // namespace crypto3 } // namespace nil diff --git a/include/nil/crypto3/zk/math/permutation.hpp b/include/nil/crypto3/zk/math/permutation.hpp index 4a16decab..48b0d1938 100644 --- a/include/nil/crypto3/zk/math/permutation.hpp +++ b/include/nil/crypto3/zk/math/permutation.hpp @@ -29,43 +29,41 @@ namespace nil { namespace crypto3 { - namespace zk { - namespace math { + namespace math { - struct plonk_permutation { - typedef std::pair key_type; - typedef std::pair value_type; + struct plonk_permutation { + typedef std::pair key_type; + typedef std::pair value_type; - std::map _permutation_map; + std::map _permutation_map; - plonk_permutation(std::size_t columns, std::size_t rows) { - for (std::size_t i = 0; i < columns; i++) { - for (std::size_t j = 0; j < rows; j++) { - auto key = key_type(i, j); - _permutation_map[key] = value_type(i, j); - } + plonk_permutation(std::size_t columns, std::size_t rows) { + for (std::size_t i = 0; i < columns; i++) { + for (std::size_t j = 0; j < rows; j++) { + auto key = key_type(i, j); + _permutation_map[key] = value_type(i, j); } } + } - plonk_permutation() { - } + plonk_permutation() { + } - void cells_equal(key_type cell, key_type equal_to) { - _permutation_map[cell] = _permutation_map[equal_to]; - } + void cells_equal(key_type cell, key_type equal_to) { + _permutation_map[cell] = _permutation_map[equal_to]; + } - void cells_equal(std::size_t cell_x, std::size_t cell_y, std::size_t equal_to_x, - std::size_t equal_to_y) { - _permutation_map[key_type(cell_x, cell_y)] = _permutation_map[key_type(equal_to_x, equal_to_y)]; - } + void cells_equal(std::size_t cell_x, std::size_t cell_y, std::size_t equal_to_x, + std::size_t equal_to_y) { + _permutation_map[key_type(cell_x, cell_y)] = _permutation_map[key_type(equal_to_x, equal_to_y)]; + } - value_type &operator[](key_type key) { - return _permutation_map[key]; - } - }; + value_type &operator[](key_type key) { + return _permutation_map[key]; + } + }; - } // namespace math - } // namespace zk + } // namespace math } // namespace crypto3 } // namespace nil diff --git a/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp b/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp index 371d96ed6..2d73d8a71 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/constraint.hpp @@ -31,7 +31,7 @@ #include #include -#include +#include namespace nil { namespace crypto3 { @@ -48,23 +48,23 @@ namespace nil { /************************* PLONK constraint ***********************************/ template> - class plonk_constraint : public non_linear_combination { + class plonk_constraint : public math::non_linear_combination { public: - plonk_constraint() : non_linear_combination() {}; + plonk_constraint() : math::non_linear_combination() {}; - plonk_constraint(const VariableType &var) : non_linear_combination(var) { + plonk_constraint(const VariableType &var) : math::non_linear_combination(var) { } - plonk_constraint(const non_linear_combination &nlc) : - non_linear_combination(nlc) { + plonk_constraint(const math::non_linear_combination &nlc) : + math::non_linear_combination(nlc) { } - plonk_constraint(const non_linear_term &nlt) : - non_linear_combination(nlt) { + plonk_constraint(const math::non_linear_term &nlt) : + math::non_linear_combination(nlt) { } - plonk_constraint(const std::vector> &terms) : - non_linear_combination(terms) { + plonk_constraint(const std::vector> &terms) : + math::non_linear_combination(terms) { } template &assignments) const { typename VariableType::assignment_type acc = VariableType::assignment_type::zero(); - for (const non_linear_term &nlt : this->terms) { + for (const math::non_linear_term &nlt : this->terms) { typename VariableType::assignment_type term_value = nlt.coeff; for (const VariableType &var : nlt.vars) { @@ -108,7 +108,7 @@ namespace nil { evaluate(const plonk_polynomial_table &assignments) const { math::polynomial acc = {0}; - for (const non_linear_term &nlt : this->terms) { + for (const math::non_linear_term &nlt : this->terms) { math::polynomial term_value = {nlt.coeff}; for (const VariableType &var : nlt.vars) { @@ -138,7 +138,7 @@ namespace nil { typename VariableType::assignment_type evaluate(detail::plonk_evaluation_map &assignments) const { typename VariableType::assignment_type acc = VariableType::assignment_type::zero(); - for (const non_linear_term &nlt : this->terms) { + for (const math::non_linear_term &nlt : this->terms) { typename VariableType::assignment_type term_value = nlt.coeff; for (const VariableType &var : nlt.vars) { diff --git a/include/nil/crypto3/zk/snark/relations/plonk/variable.hpp b/include/nil/crypto3/zk/snark/relations/plonk/variable.hpp index a5ff1000d..f91cc2c71 100644 --- a/include/nil/crypto3/zk/snark/relations/plonk/variable.hpp +++ b/include/nil/crypto3/zk/snark/relations/plonk/variable.hpp @@ -35,23 +35,25 @@ namespace nil { namespace crypto3 { + namespace math { + + /** + * Forward declaration. + */ + template + struct non_linear_term; + + /** + * Forward declaration. + */ + template + struct non_linear_combination; + } // namespace math namespace zk { namespace snark { /********************************* Variable **********************************/ - /** - * Forward declaration. - */ - template - struct non_linear_term; - - /** - * Forward declaration. - */ - template - struct non_linear_combination; - /** * A variable represents a formal expression of the form "w^{index}_{rotation}" and type type. */ @@ -76,39 +78,39 @@ namespace nil { column_type type = column_type::witness) : index(index), rotation(rotation), relative(relative), type(type) {}; - non_linear_term> operator^(const std::size_t power) const { - return non_linear_term>(*this) ^ power; + math::non_linear_term> operator^(const std::size_t power) const { + return math::non_linear_term>(*this) ^ power; } - non_linear_term> operator*(const assignment_type &field_coeff) const { - return non_linear_term>(*this) * field_coeff; + math::non_linear_term> operator*(const assignment_type &field_coeff) const { + return math::non_linear_term>(*this) * field_coeff; } - non_linear_term> operator*(const plonk_variable &other) const { - return non_linear_term>(*this) * other; + math::non_linear_term> operator*(const plonk_variable &other) const { + return math::non_linear_term>(*this) * other; } - non_linear_combination> - operator+(const non_linear_combination> &other) const { - non_linear_combination> result(other); + math::non_linear_combination> + operator+(const math::non_linear_combination> &other) const { + math::non_linear_combination> result(other); result.add_term(*this); return result; } - non_linear_combination> - operator-(const non_linear_combination> &other) const { + math::non_linear_combination> + operator-(const math::non_linear_combination> &other) const { return (*this) + (-other); } - non_linear_combination> + math::non_linear_combination> operator-(const assignment_type &field_val) const { - return (*this) - non_linear_combination>(field_val); + return (*this) - math::non_linear_combination>(field_val); } - non_linear_term> operator-() const { - return non_linear_term>(*this) * (-assignment_type::one()); + math::non_linear_term> operator-() const { + return math::non_linear_term>(*this) * (-assignment_type::one()); } bool operator==(const plonk_variable &other) const { @@ -122,19 +124,19 @@ namespace nil { }; template - non_linear_term> operator*(const typename FieldType::value_type &field_coeff, + math::non_linear_term> operator*(const typename FieldType::value_type &field_coeff, const plonk_variable &var) { return var * field_coeff; } template - non_linear_combination> + math::non_linear_combination> operator+(const typename FieldType::value_type &field_val, const plonk_variable &var) { return var + field_val; } template - non_linear_combination> + math::non_linear_combination> operator-(const typename FieldType::value_type &field_val, const plonk_variable &var) { return - (var - field_val); } diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp index a5ded42bc..3a0c6dec2 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp @@ -37,7 +37,6 @@ #include #include -#include #include #include diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp index 360833cd6..e01e04c1c 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/gates_argument.hpp @@ -53,6 +53,7 @@ namespace nil { struct redshift_gates_argument { typedef typename ParamsType::transcript_hash_type transcript_hash_type; + using transcript_type = transcript::fiat_shamir_heuristic_sequential; typedef detail::redshift_policy policy_type; @@ -61,9 +62,9 @@ namespace nil { static inline std::array, argument_size> prove_eval(typename policy_type::constraint_system_type &constraint_system, const plonk_polynomial_table &column_polynomials, - fiat_shamir_heuristic_sequential &transcript) { + ParamsType::selector_columns, ParamsType::public_input_columns, + ParamsType::constant_columns> &column_polynomials, + transcript_type &transcript = transcript_type()) { typename FieldType::value_type theta = transcript.template challenge(); @@ -96,7 +97,7 @@ namespace nil { ParamsType::public_input_columns, ParamsType::constant_columns> public_polynomials, typename policy_type::evaluation_map &evaluations, typename FieldType::value_type challenge, - fiat_shamir_heuristic_sequential &transcript) { + transcript_type &transcript = transcript_type()) { typename FieldType::value_type theta = transcript.template challenge(); std::array F; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp index b39e76fc8..147960187 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/params.hpp @@ -53,7 +53,7 @@ namespace nil { constexpr static const typename FieldType::value_type delta = algebra::fields::arithmetic_params::multiplicative_generator; - typedef list_polynomial_commitment_params + typedef commitments::list_polynomial_commitment_params commitment_params_type; }; } // namespace snark diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp index 3f480a6c0..cdaf22374 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp @@ -52,6 +52,7 @@ namespace nil { class redshift_permutation_argument { using transcript_hash_type = typename ParamsType::transcript_hash_type; + using transcript_type = transcript::fiat_shamir_heuristic_sequential; typedef detail::redshift_policy policy_type; @@ -69,13 +70,13 @@ namespace nil { }; static inline prover_result_type prove_eval( - fiat_shamir_heuristic_sequential &transcript, typename policy_type::constraint_system_type &constraint_system, const typename policy_type::preprocessed_public_data_type preprocessed_data, const plonk_polynomial_table &column_polynomials, - typename fri_type::params_type fri_params) { + typename fri_type::params_type fri_params, + transcript_type &transcript = transcript_type()) { const std::size_t table_rows = constraint_system.rows_amount(); @@ -127,9 +128,10 @@ namespace nil { V_P_interpolation_points.end()); // 4. Compute and add commitment to $V_P$ to $\text{transcript}$. - typename CommitmentSchemeTypePermutation::merkle_tree_type V_P_tree = - CommitmentSchemeTypePermutation::commit(V_P, fri_params.D[0]); - typename CommitmentSchemeTypePermutation::commitment_type V_P_commitment = V_P_tree.root(); + typename CommitmentSchemeTypePermutation::precommitment_type V_P_tree = + CommitmentSchemeTypePermutation::precommit(V_P, fri_params.D[0]); + typename CommitmentSchemeTypePermutation::commitment_type V_P_commitment = + CommitmentSchemeTypePermutation::commit(V_P_tree); transcript(V_P_commitment); // 5. Calculate g_perm, h_perm @@ -158,7 +160,6 @@ namespace nil { } static inline std::array verify_eval( - fiat_shamir_heuristic_sequential &transcript, const typename policy_type::preprocessed_public_data_type preprocessed_data, // y const typename FieldType::value_type &challenge, @@ -168,7 +169,8 @@ namespace nil { const typename FieldType::value_type &perm_polynomial_value, // V_P(omega * y): const typename FieldType::value_type &perm_polynomial_shifted_value, - const typename CommitmentSchemeTypePermutation::commitment_type &V_P_commitment) { + const typename CommitmentSchemeTypePermutation::commitment_type &V_P_commitment, + transcript_type &transcript = transcript_type()) { const std::vector> &S_sigma = preprocessed_data.permutation_polynomials; diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp index 2d98a122c..dccf1212f 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/preprocessor.hpp @@ -32,8 +32,8 @@ #include #include +#include #include "nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp" -#include using namespace nil::crypto3; @@ -137,7 +137,7 @@ namespace nil { permutation_polynomials(std::size_t permutation_size, std::size_t table_size, const typename FieldType::value_type &omega, const typename FieldType::value_type &delta, - plonk_permutation &permutation, + math::plonk_permutation &permutation, const std::shared_ptr> &domain) { std::vector> S_perm(permutation_size); @@ -199,7 +199,7 @@ namespace nil { // TODO: add std::vector columns_with_copy_constraints; - plonk_permutation permutation; + math::plonk_permutation permutation; std::vector> _permutation_polynomials = permutation_polynomials(columns_with_copy_constraints.size(), diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index 016349aec..fcfaa188a 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -80,19 +80,19 @@ namespace nil { constexpr static const std::size_t opening_points_t = 1; constexpr static const std::size_t opening_points_public = 1; - typedef list_polynomial_commitment_scheme commitment_scheme_witness_type; - typedef list_polynomial_commitment_scheme commitment_scheme_permutation_type; - typedef list_polynomial_commitment_scheme commitment_scheme_quotient_type; - typedef list_polynomial_commitment_scheme commitment_scheme_public_input_type; @@ -105,7 +105,7 @@ namespace nil { const typename policy_type::preprocessed_public_data_type preprocessed_public_data, std::array, f_parts> F, - fiat_shamir_heuristic_sequential + transcript::fiat_shamir_heuristic_sequential &transcript) { // 7.1. Get $\alpha_0, \dots, \alpha_8 \in \mathbb{F}$ from $hash(\text{transcript})$ std::array alphas = @@ -152,19 +152,19 @@ namespace nil { // 1. Add circuit definition to transcript // transcript(short_description); //TODO: circuit_short_description marshalling std::vector transcript_init {}; - fiat_shamir_heuristic_sequential transcript(transcript_init); + transcript::fiat_shamir_heuristic_sequential transcript(transcript_init); // 2. Commit witness columns std::array, witness_columns> witness_poly = preprocessed_private_data.private_polynomial_table.witnesses(); std::array - witness_commitments = commitment_scheme_witness_type::template commit( + witness_precommitments = commitment_scheme_witness_type::template precommit( witness_poly, fri_params.D[0]); proof.witness_commitments.resize(witness_columns); for (std::size_t i = 0; i < witness_columns; i++) { - proof.witness_commitments[i] = witness_commitments[i].root(); + proof.witness_commitments[i] = commitment_scheme_witness_type::commit(witness_precommitments[i]); transcript(proof.witness_commitments[i]); } @@ -173,11 +173,11 @@ namespace nil { redshift_permutation_argument::prove_eval(transcript, - constraint_system, + ParamsType>::prove_eval(constraint_system, preprocessed_public_data, polynomial_table, - fri_params); + fri_params, + transcript); proof.v_perm_commitment = permutation_argument.permutation_poly_commitment.root(); @@ -203,11 +203,12 @@ namespace nil { quotient_polynomial(preprocessed_public_data, F, transcript); std::vector> T_splitted = detail::split_polynomial(T, fri_params.max_degree); - std::vector T_commitments( + std::vector T_precommitments( T_splitted.size()); for (std::size_t i = 0; i < T_splitted.size(); i++) { - T_commitments[i] = commitment_scheme_quotient_type::commit(T_splitted[i], fri_params.D[0]); - proof.T_commitments.push_back(T_commitments[i].root()); + T_precommitments[i] = commitment_scheme_quotient_type::precommit(T_splitted[i], fri_params.D[0]); + proof.T_commitments.push_back( + commitment_scheme_quotient_type::commit(T_precommitments[i])); transcript(proof.T_commitments[i]); } @@ -221,7 +222,7 @@ namespace nil { // witness polynomials (table columns) std::array witnesses_evaluation; - for (std::size_t i = 0; i < witness_commitments.size(); i++) { + for (std::size_t i = 0; i < witness_precommitments.size(); i++) { std::vector rotation_gates = {0}; // TODO: Rotation std::array evaluation_points_gates; // TODO: array size with rotation @@ -231,10 +232,10 @@ namespace nil { witnesses_evaluation[i] = commitment_scheme_witness_type::proof_eval(evaluation_points_gates, - witness_commitments[i], + witness_precommitments[i], witness_poly[i], - transcript, - fri_params); + fri_params, + transcript); proof.eval_proof.witness.push_back(witnesses_evaluation[i]); } @@ -246,8 +247,8 @@ namespace nil { evaluation_points_v_p, permutation_argument.permutation_poly_commitment, permutation_argument.permutation_polynomial, - transcript, - fri_params); + fri_params, + transcript); proof.eval_proof.permutation.push_back(v_p_evaluation); // quotient @@ -256,7 +257,7 @@ namespace nil { T_splitted.size()); for (std::size_t i = 0; i < T_splitted.size(); i++) { quotient_evaluation[i] = commitment_scheme_quotient_type::proof_eval( - evaluation_points_quotient, T_commitments[i], T_splitted[i], transcript, fri_params); + evaluation_points_quotient, T_precommitments[i], T_splitted[i], fri_params, transcript); proof.eval_proof.quotient.push_back(quotient_evaluation[i]); } diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp index cf83f0988..c07e52f8f 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp @@ -59,20 +59,20 @@ namespace nil { constexpr static const std::size_t opening_points_t = 1; constexpr static const std::size_t opening_points_public = 1; - typedef list_polynomial_commitment_scheme commitment_scheme_witness_type; - typedef list_polynomial_commitment_scheme commitment_scheme_permutation_type; - typedef list_polynomial_commitment_scheme commitment_scheme_quotient_type; - typedef list_polynomial_commitment_scheme commitment_scheme_public_input_type; @@ -93,7 +93,7 @@ namespace nil { // 1. Add circuit definition to transcript // transcript(short_description); std::vector transcript_init {}; - fiat_shamir_heuristic_sequential transcript(transcript_init); + transcript::fiat_shamir_heuristic_sequential transcript(transcript_init); // 3. append witness commitments to transcript for (std::size_t i = 0; i < witness_columns; i++) { @@ -117,9 +117,12 @@ namespace nil { redshift_permutation_argument::verify_eval(transcript, preprocessed_public_data, - proof.eval_proof.challenge, - f, proof.eval_proof.permutation[0].z[0], proof.eval_proof.permutation[0].z[1], proof.v_perm_commitment); + ParamsType>::verify_eval(preprocessed_public_data, + proof.eval_proof.challenge, + f, proof.eval_proof.permutation[0].z[0], + proof.eval_proof.permutation[0].z[1], + proof.v_perm_commitment, + transcript); // 7. gate argument typename policy_type::evaluation_map columns_at_y; @@ -130,8 +133,11 @@ namespace nil { } std::array gate_argument = - redshift_gates_argument::verify_eval(constraint_system.gates(), preprocessed_public_data.public_polynomial_table, columns_at_y, proof.eval_proof.challenge, - transcript); + redshift_gates_argument::verify_eval(constraint_system.gates(), + preprocessed_public_data.public_polynomial_table, + columns_at_y, + proof.eval_proof.challenge, + transcript); // 8. alphas computations std::array alphas = @@ -160,7 +166,10 @@ namespace nil { for (std::size_t i = 0; i < evaluation_points_gates.size(); i++) { evaluation_points_gates[i] = challenge * omega.pow(rotation_gates[i]); } - if (!commitment_scheme_witness_type::verify_eval(evaluation_points_gates, proof.eval_proof.witness[i], transcript, fri_params)) { + if (!commitment_scheme_witness_type::verify_eval(evaluation_points_gates, + proof.eval_proof.witness[i], + fri_params, + transcript)) { return false; } } @@ -169,7 +178,10 @@ namespace nil { std::array evaluation_points_permutation = {challenge, challenge * omega}; for (std::size_t i = 0; i < proof.eval_proof.permutation.size(); i++) { - if (!commitment_scheme_permutation_type::verify_eval(evaluation_points_permutation, proof.eval_proof.permutation[i], transcript, fri_params)) { + if (!commitment_scheme_permutation_type::verify_eval(evaluation_points_permutation, + proof.eval_proof.permutation[i], + fri_params, + transcript)) { return false; } } @@ -177,7 +189,10 @@ namespace nil { // quotient std::array evaluation_points_quotient = {challenge}; for (std::size_t i = 0; i < proof.eval_proof.permutation.size(); i++) { - if (!commitment_scheme_quotient_type::verify_eval(evaluation_points_quotient, proof.eval_proof.quotient[i], transcript, fri_params)) { + if (!commitment_scheme_quotient_type::verify_eval(evaluation_points_quotient, + proof.eval_proof.quotient[i], + fri_params, + transcript)) { return false; } } diff --git a/test/commitment/fri.cpp b/test/commitment/fri.cpp index 8c78fb929..1f0daf966 100644 --- a/test/commitment/fri.cpp +++ b/test/commitment/fri.cpp @@ -42,8 +42,6 @@ #include #include -#include // until fri inclusion - #include #include @@ -67,7 +65,7 @@ BOOST_AUTO_TEST_CASE(fri_basic_test) { constexpr static const std::size_t r = boost::static_log2::value; constexpr static const std::size_t m = 2; - typedef zk::snark::fri_commitment_scheme fri_type; + typedef zk::commitments::fri fri_type; typedef typename fri_type::proof_type proof_type; typedef typename fri_type::params_type params_type; @@ -91,24 +89,24 @@ BOOST_AUTO_TEST_CASE(fri_basic_test) { // commit math::polynomial f = {1, 3, 4, 1, 5, 6, 7, 2, 8, 7, 5, 6, 1, 2, 1, 1}; - merkle_tree_type commit_merkle = fri_type::commit(f, D[0]); + merkle_tree_type commit_merkle = fri_type::precommit(f, D[0]); std::array evaluation_points = {D[0]->get_domain_element(1).pow(5)}; // eval std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; - zk::snark::fiat_shamir_heuristic_sequential transcript(init_blob); + zk::transcript::fiat_shamir_heuristic_sequential transcript(init_blob); // LPC-related logic, here we "nulify" it via U = 0, V - 1 // TODO: Make FRI independent from LPC input math::polynomial U = {0}; math::polynomial V = {1}; - proof_type proof = fri_type::proof_eval(f, f, commit_merkle, transcript, params); + proof_type proof = fri_type::proof_eval(f, f, commit_merkle, params, transcript); // verify - zk::snark::fiat_shamir_heuristic_sequential transcript_verifier(init_blob); + zk::transcript::fiat_shamir_heuristic_sequential transcript_verifier(init_blob); - BOOST_CHECK(fri_type::verify_eval(proof, transcript_verifier, params, U, V)); + BOOST_CHECK(fri_type::verify_eval(proof, params, U, V, transcript_verifier)); typename FieldType::value_type verifier_next_challenge = transcript_verifier.template challenge(); typename FieldType::value_type prover_next_challenge = transcript.template challenge(); @@ -130,7 +128,7 @@ BOOST_AUTO_TEST_CASE(fri_fold_test) { constexpr static const std::size_t r = boost::static_log2::value; constexpr static const std::size_t m = 2; - typedef zk::snark::fri_commitment_scheme fri_type; + typedef zk::commitments::fri fri_type; typedef typename fri_type::proof_type proof_type; typedef typename fri_type::params_type params_type; @@ -181,7 +179,7 @@ BOOST_AUTO_TEST_CASE(fri_steps_count_test) { constexpr static const std::size_t r = boost::static_log2::value; constexpr static const std::size_t m = 2; - typedef zk::snark::fri_commitment_scheme fri_type; + typedef zk::commitments::fri fri_type; typedef typename fri_type::proof_type proof_type; typedef typename fri_type::params_type params_type; @@ -199,13 +197,13 @@ BOOST_AUTO_TEST_CASE(fri_steps_count_test) { params.max_degree = d - 1; BOOST_CHECK(D[1]->m == D[0]->m / 2); - merkle_tree_type commit_merkle = fri_type::commit(f, D[0]); + merkle_tree_type commit_merkle = fri_type::precommit(f, D[0]); std::array evaluation_points = {D[0]->get_domain_element(1).pow(5)}; std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; - zk::snark::fiat_shamir_heuristic_sequential transcript(init_blob); + zk::transcript::fiat_shamir_heuristic_sequential transcript(init_blob); - proof_type proof = fri_type::proof_eval(f, f, commit_merkle, transcript, params); + proof_type proof = fri_type::proof_eval(f, f, commit_merkle, params, transcript); math::polynomial final_polynomial = proof.final_polynomial; BOOST_CHECK_EQUAL(proof.final_polynomial.degree(), 1); diff --git a/test/commitment/lpc.cpp b/test/commitment/lpc.cpp index 211f679b6..e74c027e6 100644 --- a/test/commitment/lpc.cpp +++ b/test/commitment/lpc.cpp @@ -70,10 +70,10 @@ BOOST_AUTO_TEST_CASE(lpc_basic_test) { constexpr static const std::size_t r = boost::static_log2<(d - k)>::value; constexpr static const std::size_t m = 2; - typedef zk::snark::fri_commitment_scheme fri_type; + typedef zk::commitments::fri fri_type; - typedef list_polynomial_commitment_params lpc_params_type; - typedef zk::snark::list_polynomial_commitment_scheme lpc_type; + typedef zk::commitments::list_polynomial_commitment_params lpc_params_type; + typedef zk::commitments::list_polynomial_commitment lpc_type; typedef typename lpc_type::proof_type proof_type; constexpr static const std::size_t d_extended = d; @@ -93,21 +93,21 @@ BOOST_AUTO_TEST_CASE(lpc_basic_test) { math::polynomial f = {1, 3, 4, 1, 5, 6, 7, 2, 8, 7, 5, 6, 1, 2, 1, 1}; - merkle_tree_type tree = lpc_type::commit(f, D[0]); + merkle_tree_type tree = lpc_type::precommit(f, D[0]); // TODO: take a point outside of the basic domain std::array evaluation_points = { algebra::fields::arithmetic_params::multiplicative_generator}; std::array x_data {}; - zk::snark::fiat_shamir_heuristic_sequential transcript(x_data); + zk::transcript::fiat_shamir_heuristic_sequential transcript(x_data); - auto proof = lpc_type::proof_eval(evaluation_points, tree, f, transcript, fri_params); + auto proof = lpc_type::proof_eval(evaluation_points, tree, f, fri_params, transcript); // verify - zk::snark::fiat_shamir_heuristic_sequential transcript_verifier(x_data); + zk::transcript::fiat_shamir_heuristic_sequential transcript_verifier(x_data); - BOOST_CHECK(lpc_type::verify_eval(evaluation_points, proof, transcript_verifier, fri_params)); + BOOST_CHECK(lpc_type::verify_eval(evaluation_points, proof, fri_params, transcript_verifier)); } BOOST_AUTO_TEST_SUITE_END() \ No newline at end of file diff --git a/test/commitment/lpc_performance.cpp b/test/commitment/lpc_performance.cpp index 6678a57eb..82e3c6699 100644 --- a/test/commitment/lpc_performance.cpp +++ b/test/commitment/lpc_performance.cpp @@ -111,9 +111,9 @@ BOOST_AUTO_TEST_CASE(lpc_performance_test) { constexpr static const std::size_t r = boost::static_log2<(d - k)>::value; constexpr static const std::size_t m = 2; - typedef zk::snark::fri_commitment_scheme fri_type; + typedef zk::commitments::fri fri_type; typedef list_polynomial_commitment_params lpc_params_type; - typedef zk::snark::list_polynomial_commitment_scheme lpc_type; + typedef zk::commitments::list_polynomial_commitment lpc_type; typedef typename lpc_type::proof_type proof_type; constexpr static const std::size_t d_extended = d; @@ -158,12 +158,12 @@ BOOST_AUTO_TEST_CASE(lpc_performance_test) { std::array x_data {}; zk::snark::fiat_shamir_heuristic_sequential transcript(x_data); - auto proof = lpc_type::proof_eval(evaluation_points, tree, poly, transcript, fri_params); // phase_2: Prove + auto proof = lpc_type::proof_eval(evaluation_points, tree, poly, fri_params, transcript); // phase_2: Prove // verify zk::snark::fiat_shamir_heuristic_sequential transcript_verifier(x_data); - BOOST_CHECK(lpc_type::verify_eval(evaluation_points, proof, transcript_verifier, fri_params)); // phase_3: Verify + BOOST_CHECK(lpc_type::verify_eval(evaluation_points, proof, fri_params, transcript_verifier)); // phase_3: Verify } } diff --git a/test/systems/plonk/circuits.hpp b/test/systems/plonk/circuits.hpp index f1a02aaf5..4a331dcc7 100644 --- a/test/systems/plonk/circuits.hpp +++ b/test/systems/plonk/circuits.hpp @@ -33,9 +33,10 @@ #include #include -#include +#include #include #include +#include #include #include #include @@ -64,7 +65,7 @@ namespace nil { typename FieldType::value_type omega; typename FieldType::value_type delta; - plonk_permutation permutation; + math::plonk_permutation permutation; std::vector> S_id; std::vector> S_sigma; @@ -83,7 +84,7 @@ namespace nil { omega = domain->get_domain_element(1); delta = algebra::fields::arithmetic_params::multiplicative_generator; - permutation = plonk_permutation(witness_columns + public_columns, table_rows); + permutation = math::plonk_permutation(witness_columns + public_columns, table_rows); } void init() { diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index ff42c6b79..4575098e7 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -49,7 +49,6 @@ #include #include #include "nil/crypto3/zk/snark/systems/plonk/redshift/detail/redshift_policy.hpp" -#include #include #include #include @@ -58,6 +57,7 @@ #include "circuits.hpp" using namespace nil::crypto3; +using namespace nil::crypto3::zk; using namespace nil::crypto3::zk::snark; template @@ -107,7 +107,7 @@ struct redshift_test_params { constexpr static const std::size_t table_columns = redshift_test_params::witness_columns + redshift_test_params::public_input_columns; -typedef fri_commitment_scheme fri_type; @@ -121,7 +121,7 @@ BOOST_AUTO_TEST_CASE(redshift_prover_basic_test) { using policy_type = zk::snark::detail::redshift_policy; - typedef list_polynomial_commitment_scheme lpc_type; + typedef commitments::list_polynomial_commitment lpc_type; typename fri_type::params_type fri_params = create_fri_params(table_rows_log); @@ -157,7 +157,7 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { using policy_type = zk::snark::detail::redshift_policy; constexpr static const std::size_t r = table_rows_log - 1; - typedef list_polynomial_commitment_scheme lpc_type; + typedef commitments::list_polynomial_commitment lpc_type; typename fri_type::params_type fri_params = create_fri_params(table_rows_log); @@ -182,12 +182,12 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { preprocessed_public_data.public_polynomial_table); std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; - fiat_shamir_heuristic_sequential prover_transcript(init_blob); - fiat_shamir_heuristic_sequential verifier_transcript(init_blob); + transcript::fiat_shamir_heuristic_sequential prover_transcript(init_blob); + transcript::fiat_shamir_heuristic_sequential verifier_transcript(init_blob); typename redshift_permutation_argument::prover_result_type prover_res = redshift_permutation_argument::prove_eval( - prover_transcript, constraint_system, preprocessed_public_data, polynomial_table, fri_params); + constraint_system, preprocessed_public_data, polynomial_table, fri_params, prover_transcript); // Challenge phase typename FieldType::value_type y = algebra::random_element(); @@ -201,8 +201,9 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { std::array verifier_res = redshift_permutation_argument::verify_eval( - verifier_transcript, preprocessed_public_data, y, f_at_y, v_p_at_y, v_p_at_y_shifted, - prover_res.permutation_poly_commitment.root()); + preprocessed_public_data, y, f_at_y, v_p_at_y, v_p_at_y_shifted, + prover_res.permutation_poly_commitment.root(), + verifier_transcript); typename FieldType::value_type verifier_next_challenge = verifier_transcript.template challenge(); typename FieldType::value_type prover_next_challenge = prover_transcript.template challenge(); @@ -251,7 +252,7 @@ BOOST_AUTO_TEST_CASE(redshift_gate_argument_test) { using policy_type = zk::snark::detail::redshift_policy; constexpr static const std::size_t r = table_rows_log - 1; - typedef list_polynomial_commitment_scheme lpc_type; + typedef commitments::list_polynomial_commitment lpc_type; typename fri_type::params_type fri_params = create_fri_params(table_rows_log); @@ -276,8 +277,8 @@ BOOST_AUTO_TEST_CASE(redshift_gate_argument_test) { preprocessed_public_data.public_polynomial_table); std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; - fiat_shamir_heuristic_sequential prover_transcript(init_blob); - fiat_shamir_heuristic_sequential verifier_transcript(init_blob); + transcript::fiat_shamir_heuristic_sequential prover_transcript(init_blob); + transcript::fiat_shamir_heuristic_sequential verifier_transcript(init_blob); std::array, 1> prover_res = redshift_gates_argument::prove_eval(constraint_system, polynomial_table, From 4b6e7ea6307ac497c09d420e09b9ecfbc18b7ba5 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Wed, 9 Mar 2022 10:51:02 +0300 Subject: [PATCH 212/219] FRI and basic FRI separated. #20 --- .../detail/polynomial/basic_fri.hpp | 410 ++++++++++++++++++ .../crypto3/zk/commitments/polynomial/fri.hpp | 346 +-------------- .../crypto3/zk/commitments/polynomial/lpc.hpp | 84 +--- .../crypto3/zk/commitments/type_traits.hpp | 63 +++ .../plonk/redshift/permutation_argument.hpp | 7 +- .../snark/systems/plonk/redshift/prover.hpp | 10 +- .../snark/systems/plonk/redshift/verifier.hpp | 2 +- test/commitment/fri.cpp | 20 +- test/commitment/lpc.cpp | 2 +- test/commitment/lpc_performance.cpp | 2 +- test/systems/plonk/redshift.cpp | 4 +- 11 files changed, 535 insertions(+), 415 deletions(-) create mode 100644 include/nil/crypto3/zk/commitments/detail/polynomial/basic_fri.hpp create mode 100644 include/nil/crypto3/zk/commitments/type_traits.hpp diff --git a/include/nil/crypto3/zk/commitments/detail/polynomial/basic_fri.hpp b/include/nil/crypto3/zk/commitments/detail/polynomial/basic_fri.hpp new file mode 100644 index 000000000..f6766328f --- /dev/null +++ b/include/nil/crypto3/zk/commitments/detail/polynomial/basic_fri.hpp @@ -0,0 +1,410 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2021 Mikhail Komarov +// Copyright (c) 2021 Nikita Kaskov +// Copyright (c) 2022 Ilia Shirobokov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_COMMITMENTS_BASIC_FRI_HPP +#define CRYPTO3_ZK_COMMITMENTS_BASIC_FRI_HPP + +#include + +#include +#include +#include +#include + +#include +#include + +#include + +namespace nil { + namespace crypto3 { + namespace zk { + namespace commitments { + namespace detail { + + template + math::polynomial + fold_polynomial(math::polynomial &f, + typename FieldType::value_type alpha) { + + std::size_t d = f.degree(); + if (d % 2 == 0) { + f.push_back(0); + d++; + } + math::polynomial f_folded(d / 2 + 1); + + for (std::size_t index = 0; index <= f_folded.degree(); index++) { + f_folded[index] = f[2 * index] + alpha * f[2 * index + 1]; + } + + return f_folded; + } + + template + std::vector>> + calculate_domain_set(const std::size_t max_domain_degree, const std::size_t set_size) { + + std::vector>> domain_set(set_size); + for (std::size_t i = 0; i < set_size; i++) { + const std::size_t domain_size = std::pow(2, max_domain_degree - i); + std::shared_ptr> domain = + math::make_evaluation_domain(domain_size); + domain_set[i] = domain; + } + return domain_set; + } + + /** + * @brief Based on the FRI Commitment description from \[ResShift]. + * @tparam d ... + * @tparam Rounds Denoted by r in \[RedShift]. + * + * References: + * \[RedShift]: + * "REDSHIFT: Transparent SNARKs from List + * Polynomial Commitment IOPs", + * Assimakis Kattis, Konstantin Panarin, Alexander Vlasov, + * Matter Labs, + * + */ + template + struct basic_fri { + + constexpr static const std::size_t m = M; + + typedef FieldType field_type; + typedef MerkleTreeHashType merkle_tree_hash_type; + typedef TranscriptHashType transcript_hash_type; + + typedef typename containers::merkle_tree merkle_tree_type; + typedef typename containers::merkle_proof merkle_proof_type; + + using Endianness = nil::marshalling::option::big_endian; + using field_element_type = + nil::crypto3::marshalling::types::field_element, + FieldType>; + + using precommitment_type = merkle_tree_type; + using commitment_type = typename precommitment_type::value_type; + using transcript_type = transcript::fiat_shamir_heuristic_sequential; + + struct params_type { + bool operator==(const params_type &rhs) const { + return r == rhs.r && max_degree == rhs.max_degree && D == rhs.D && q == rhs.q; + } + bool operator!=(const params_type &rhs) const { + return !(rhs == *this); + } + + std::size_t r; + std::size_t max_degree; + std::vector>> D; + + math::polynomial q; + }; + + struct round_proof_type { + bool operator==(const round_proof_type &rhs) const { + return y == rhs.y && p == rhs.p && T_root == rhs.T_root && + colinear_value == rhs.colinear_value && colinear_path == rhs.colinear_path; + } + bool operator!=(const round_proof_type &rhs) const { + return !(rhs == *this); + } + std::array y; + std::array p; + + typename merkle_tree_type::value_type T_root; + + typename FieldType::value_type colinear_value; + merkle_proof_type colinear_path; + }; + + struct proof_type { + bool operator==(const proof_type &rhs) const { + return round_proofs == rhs.round_proofs && final_polynomial == rhs.final_polynomial; + } + bool operator!=(const proof_type &rhs) const { + return !(rhs == *this); + } + + std::vector round_proofs; // 0..r-2 + + math::polynomial final_polynomial; + }; + + static precommitment_type precommit(math::polynomial &f, + const std::shared_ptr> &D) { + + std::vector> y_data; + y_data.resize(D->m); + std::vector tmp(f.begin(), f.end()); // for FFT + D->fft(tmp); + + for (std::size_t i = 0; i < D->m; i++) { + field_element_type y_val(tmp[i]); + auto write_iter = y_data[i].begin(); + y_val.write(write_iter, field_element_type::length()); + } + + return precommitment_type(y_data.begin(), y_data.end()); + } + + template + static std::array + precommit(std::array, list_size> &poly, + const std::shared_ptr> &domain) { + std::array precommits; + for (std::size_t i = 0; i < list_size; i++) { + precommits[i] = precommit(poly[i], domain); + } + return precommits; + } + + static commitment_type commit(precommitment_type P) { + return P.root(); + } + + static commitment_type commit(math::polynomial &f, + const std::shared_ptr> &D) { + return commit(precommit(f, D)); + } + + template + static std::array + commit(std::array P) { + + std::array commits; + for (std::size_t i = 0; i < list_size; i++) { + commits[i] = commit(P); + } + return commits; + } + + static proof_type proof_eval(const math::polynomial &Q, + const math::polynomial &g, + precommitment_type &T, + const params_type &fri_params, + transcript_type &transcript = transcript_type()) { + + proof_type proof; + + math::polynomial f = Q; // copy? + + // TODO: how to sample x? + typename FieldType::value_type x = fri_params.D[0]->get_domain_element(1).pow( + transcript.template int_challenge< + std::size_t>()); // could be smth like + // fri_params.D[0]->get_domain_element(RANDOM + // % domain_size) + + std::size_t r = fri_params.r; + + std::vector round_proofs; + math::polynomial final_polynomial; + std::unique_ptr p_tree = std::make_unique(T); + merkle_tree_type T_next; + + for (std::size_t i = 0; i < r; i++) { + + typename FieldType::value_type alpha = transcript.template challenge(); + + typename FieldType::value_type x_next = fri_params.q.evaluate(x); // == x^2 + + math::polynomial f_next = + fold_polynomial(f, alpha); // create polynomial of degree (degree(f) / 2) + + // m = 2, so: + std::array s; + if constexpr (m == 2) { + s[0] = x; + s[1] = -x; + } else { + return {}; + } + + std::array y; + + for (std::size_t j = 0; j < m; j++) { + y[j] = i == 0 ? g.evaluate(s[j]) : f.evaluate(s[j]); // polynomial evaluation + } + + std::array p; + + std::vector tmp; // we need it for FFT + if (i == 0) { + std::copy(g.begin(), g.end(), std::back_inserter(tmp)); + } else { + std::copy(f.begin(), f.end(), std::back_inserter(tmp)); + } + + fri_params.D[i]->fft(tmp); + for (std::size_t j = 0; j < m; j++) { + typename FieldType::value_type leaf = y[j]; + + std::size_t leaf_index = 0; + for (; leaf_index < tmp.size(); leaf_index++) { // search 2**24 + if (tmp[leaf_index] == leaf) + break; + } + p[j] = merkle_proof_type(*p_tree, leaf_index); + } + + typename FieldType::value_type colinear_value = + f_next.evaluate(x_next); // polynomial evaluation + + if (i < r - 1) { + T_next = precommit(f_next, fri_params.D[i + 1]); // new merkle tree + transcript(commit(T_next)); + + std::vector tmp(f_next.begin(), + f_next.end()); // for FFT + fri_params.D[i + 1]->fft(tmp); + + std::size_t leaf_index = 0; + for (; leaf_index < tmp.size(); leaf_index++) { + if (tmp[leaf_index] == colinear_value) + break; + } + + merkle_proof_type colinear_path = merkle_proof_type(T_next, leaf_index); + + round_proofs.push_back( + round_proof_type({y, p, p_tree->root(), colinear_value, colinear_path})); + + p_tree = std::make_unique(T_next); + } else { + merkle_proof_type colinear_path; + + round_proofs.push_back( + round_proof_type({y, p, p_tree->root(), colinear_value, colinear_path})); + } + + x = x_next; + f = f_next; + } + return proof_type({round_proofs, f}); + } + + static bool verify_eval(proof_type &proof, + params_type &fri_params, + const math::polynomial &U, + const math::polynomial &V, + transcript_type &transcript = transcript_type()) { + + std::size_t idx = transcript.template int_challenge(); + typename FieldType::value_type x = fri_params.D[0]->get_domain_element(1).pow(idx); + + std::size_t r = fri_params.r; + + for (std::size_t i = 0; i < r; i++) { + typename FieldType::value_type alpha = transcript.template challenge(); + + typename FieldType::value_type x_next = fri_params.q.evaluate(x); + + // m = 2, so: + std::array s; + if constexpr (m == 2) { + s[0] = x; + s[1] = -x; + } else { + return false; + } + + for (std::size_t j = 0; j < m; j++) { + typename FieldType::value_type leaf = proof.round_proofs[i].y[j]; + + std::array leaf_data; + + field_element_type leaf_val(leaf); + auto write_iter = leaf_data.begin(); + leaf_val.write(write_iter, field_element_type::length()); + + if (!proof.round_proofs[i].p[j].validate(leaf_data)) { + return false; + } + } + + std::array y; + + for (std::size_t j = 0; j < m; j++) { + if (i == 0) { + y[j] = (proof.round_proofs[i].y[j] - U.evaluate(s[j])) / V.evaluate(s[j]); + } else { + y[j] = proof.round_proofs[i].y[j]; + } + } + + std::vector> + interpolation_points { + std::make_pair(s[0], y[0]), + std::make_pair(s[1], y[1]), + }; + + math::polynomial interpolant = + math::lagrange_interpolation(interpolation_points); + + typename FieldType::value_type leaf = proof.round_proofs[i].colinear_value; + + std::array leaf_data; + field_element_type leaf_val(leaf); + auto write_iter = leaf_data.begin(); + leaf_val.write(write_iter, field_element_type::length()); + + if (interpolant.evaluate(alpha) != proof.round_proofs[i].colinear_value) { + return false; + } + if (i < r - 1) { + transcript(proof.round_proofs[i + 1].T_root); + if (!proof.round_proofs[i].colinear_path.validate(leaf_data)) { + return false; + } + } + x = x_next; + } + + if (proof.final_polynomial.degree() > + std::pow(2, std::log2(fri_params.max_degree + 1) - r) - 1) { + return false; + } + if (proof.final_polynomial.evaluate(x) != proof.round_proofs[r - 1].colinear_value) { + return false; + } + + return true; + } + }; + } // namespace detail + } // namespace commitments + } // namespace zk + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_COMMITMENTS_BASIC_FRI_HPP diff --git a/include/nil/crypto3/zk/commitments/polynomial/fri.hpp b/include/nil/crypto3/zk/commitments/polynomial/fri.hpp index c63639acc..4e4419308 100644 --- a/include/nil/crypto3/zk/commitments/polynomial/fri.hpp +++ b/include/nil/crypto3/zk/commitments/polynomial/fri.hpp @@ -38,6 +38,7 @@ #include #include +#include namespace nil { namespace crypto3 { @@ -61,341 +62,32 @@ namespace nil { typename MerkleTreeHashType, typename TranscriptHashType, std::size_t M = 2> - struct fri { - - constexpr static const std::size_t m = M; - - typedef FieldType field_type; - typedef MerkleTreeHashType merkle_tree_hash_type; - typedef TranscriptHashType transcript_hash_type; - - typedef typename containers::merkle_tree merkle_tree_type; - typedef typename containers::merkle_proof merkle_proof_type; - - using Endianness = nil::marshalling::option::big_endian; - using field_element_type = - nil::crypto3::marshalling::types::field_element, - FieldType>; + class fri: public detail::basic_fri { - using precommitment_type = merkle_tree_type; - using commitment_type = typename precommitment_type::value_type; - using transcript_type = transcript::fiat_shamir_heuristic_sequential; - - struct params_type { - bool operator==(const params_type &rhs) const { - return r == rhs.r && max_degree == rhs.max_degree && D == rhs.D && q == rhs.q; - } - bool operator!=(const params_type &rhs) const { - return !(rhs == *this); - } - - std::size_t r; - std::size_t max_degree; - std::vector>> D; - - math::polynomial q; - }; - - struct round_proof_type { - bool operator==(const round_proof_type &rhs) const { - return y == rhs.y && p == rhs.p && T_root == rhs.T_root && - colinear_value == rhs.colinear_value && colinear_path == rhs.colinear_path; - } - bool operator!=(const round_proof_type &rhs) const { - return !(rhs == *this); - } - std::array y; - std::array p; - - typename merkle_tree_type::value_type T_root; - - typename FieldType::value_type colinear_value; - merkle_proof_type colinear_path; - }; - - struct proof_type { - bool operator==(const proof_type &rhs) const { - return round_proofs == rhs.round_proofs && final_polynomial == rhs.final_polynomial; - } - bool operator!=(const proof_type &rhs) const { - return !(rhs == *this); - } - - std::vector round_proofs; // 0..r-2 - - math::polynomial final_polynomial; - }; - - static std::vector>> - calculate_domain_set(const std::size_t max_domain_degree, const std::size_t set_size) { - std::vector>> domain_set(set_size); - for (std::size_t i = 0; i < set_size; i++) { - const std::size_t domain_size = std::pow(2, max_domain_degree - i); - std::shared_ptr> domain = - math::make_evaluation_domain(domain_size); - domain_set[i] = domain; - } - return domain_set; - } - - // The result of this function is not commitment_type (as it would expected), - // but the built Merkle tree. This is done so, because we often need to reuse - // the built Merkle tree - // After this function - // result.root(); - // should be called - static precommitment_type precommit(math::polynomial &f, - const std::shared_ptr> &D) { - - std::vector> y_data; - y_data.resize(D->m); - std::vector tmp(f.begin(), f.end()); // for FFT - D->fft(tmp); - - for (std::size_t i = 0; i < D->m; i++) { - field_element_type y_val(tmp[i]); - auto write_iter = y_data[i].begin(); - y_val.write(write_iter, field_element_type::length()); - } + using basic_fri = detail::basic_fri; - return precommitment_type(y_data.begin(), y_data.end()); - } - - template - static std::array - precommit(std::array, list_size> &poly, - const std::shared_ptr> &domain) { - std::array precommits; - for (std::size_t i = 0; i < list_size; i++) { - precommits[i] = precommit(poly[i], domain); - } - return precommits; - } - - static commitment_type commit(precommitment_type P) { - return P.root(); - } - - template - static std::array - commit(std::array P) { - - std::array commits; - for (std::size_t i = 0; i < list_size; i++) { - commits[i] = commit(P); - } - return commits; - } - - static inline math::polynomial - fold_polynomial(math::polynomial &f, - typename FieldType::value_type alpha) { + public: - std::size_t d = f.degree(); - if (d % 2 == 0) { - f.push_back(0); - d++; - } - math::polynomial f_folded(d / 2 + 1); + using precommitment_type = typename basic_fri::precommitment_type; + using commitment_type = typename basic_fri::commitment_type; - for (std::size_t index = 0; index <= f_folded.degree(); index++) { - f_folded[index] = f[2 * index] + alpha * f[2 * index + 1]; - } + static typename basic_fri::proof_type proof_eval(const math::polynomial &g, + precommitment_type &T, + const typename basic_fri::params_type &fri_params, + typename basic_fri::transcript_type &transcript = + typename basic_fri::transcript_type()) { - return f_folded; + return basic_fri::proof_eval(g, g, T, fri_params, transcript); } - static proof_type proof_eval(const math::polynomial &Q, - const math::polynomial &g, - merkle_tree_type &T, - const params_type &fri_params, - transcript_type &transcript = transcript_type()) { - - proof_type proof; - - math::polynomial f = Q; // copy? - - // TODO: how to sample x? - typename FieldType::value_type x = fri_params.D[0]->get_domain_element(1).pow( - transcript.template int_challenge< - std::size_t>()); // could be smth like - // fri_params.D[0]->get_domain_element(RANDOM - // % domain_size) - - std::size_t r = fri_params.r; - - std::vector round_proofs; - math::polynomial final_polynomial; - std::unique_ptr p_tree = std::make_unique(T); - merkle_tree_type T_next; - - for (std::size_t i = 0; i < r; i++) { - - typename FieldType::value_type alpha = transcript.template challenge(); - - typename FieldType::value_type x_next = fri_params.q.evaluate(x); // == x^2 - - math::polynomial f_next = - fold_polynomial(f, alpha); // create polynomial of degree (degree(f) / 2) - - // m = 2, so: - std::array s; - if constexpr (m == 2) { - s[0] = x; - s[1] = -x; - } else { - return {}; - } - - std::array y; - - for (std::size_t j = 0; j < m; j++) { - y[j] = i == 0 ? g.evaluate(s[j]) : f.evaluate(s[j]); // polynomial evaluation - } - - std::array p; - - std::vector tmp; // we need it for FFT - if (i == 0) { - std::copy(g.begin(), g.end(), std::back_inserter(tmp)); - } else { - std::copy(f.begin(), f.end(), std::back_inserter(tmp)); - } - - fri_params.D[i]->fft(tmp); - for (std::size_t j = 0; j < m; j++) { - typename FieldType::value_type leaf = y[j]; - - std::size_t leaf_index = 0; - for (; leaf_index < tmp.size(); leaf_index++) { // search 2**24 - if (tmp[leaf_index] == leaf) - break; - } - p[j] = merkle_proof_type(*p_tree, leaf_index); - } - - typename FieldType::value_type colinear_value = - f_next.evaluate(x_next); // polynomial evaluation - - if (i < r - 1) { - T_next = precommit(f_next, fri_params.D[i + 1]); // new merkle tree - transcript(T_next.root()); - - std::vector tmp(f_next.begin(), - f_next.end()); // for FFT - fri_params.D[i + 1]->fft(tmp); - - std::size_t leaf_index = 0; - for (; leaf_index < tmp.size(); leaf_index++) { - if (tmp[leaf_index] == colinear_value) - break; - } - - merkle_proof_type colinear_path = merkle_proof_type(T_next, leaf_index); - - round_proofs.push_back( - round_proof_type({y, p, p_tree->root(), colinear_value, colinear_path})); - - p_tree = std::make_unique(T_next); - } else { - merkle_proof_type colinear_path; - - round_proofs.push_back( - round_proof_type({y, p, p_tree->root(), colinear_value, colinear_path})); - } - - x = x_next; - f = f_next; - } - return proof_type({round_proofs, f}); - } - - static bool verify_eval(proof_type &proof, - params_type &fri_params, - const math::polynomial &U, - const math::polynomial &V, - transcript_type &transcript = transcript_type()) { - - std::size_t idx = transcript.template int_challenge(); - typename FieldType::value_type x = fri_params.D[0]->get_domain_element(1).pow(idx); - - std::size_t r = fri_params.r; - - for (std::size_t i = 0; i < r; i++) { - typename FieldType::value_type alpha = transcript.template challenge(); - - typename FieldType::value_type x_next = fri_params.q.evaluate(x); - - // m = 2, so: - std::array s; - if constexpr (m == 2) { - s[0] = x; - s[1] = -x; - } else { - return false; - } - - for (std::size_t j = 0; j < m; j++) { - typename FieldType::value_type leaf = proof.round_proofs[i].y[j]; - - std::array leaf_data; - - field_element_type leaf_val(leaf); - auto write_iter = leaf_data.begin(); - leaf_val.write(write_iter, field_element_type::length()); - - if (!proof.round_proofs[i].p[j].validate(leaf_data)) { - return false; - } - } - - std::array y; - - for (std::size_t j = 0; j < m; j++) { - if (i == 0) { - y[j] = (proof.round_proofs[i].y[j] - U.evaluate(s[j])) / V.evaluate(s[j]); - } else { - y[j] = proof.round_proofs[i].y[j]; - } - } - - std::vector> - interpolation_points { - std::make_pair(s[0], y[0]), - std::make_pair(s[1], y[1]), - }; - - math::polynomial interpolant = - math::lagrange_interpolation(interpolation_points); - - typename FieldType::value_type leaf = proof.round_proofs[i].colinear_value; - - std::array leaf_data; - field_element_type leaf_val(leaf); - auto write_iter = leaf_data.begin(); - leaf_val.write(write_iter, field_element_type::length()); - - if (interpolant.evaluate(alpha) != proof.round_proofs[i].colinear_value) { - return false; - } - if (i < r - 1) { - transcript(proof.round_proofs[i + 1].T_root); - if (!proof.round_proofs[i].colinear_path.validate(leaf_data)) { - return false; - } - } - x = x_next; - } - - if (proof.final_polynomial.degree() > - std::pow(2, std::log2(fri_params.max_degree + 1) - r) - 1) { - return false; - } - if (proof.final_polynomial.evaluate(x) != proof.round_proofs[r - 1].colinear_value) { - return false; - } + static bool verify_eval(typename basic_fri::proof_type &proof, + typename basic_fri::params_type &fri_params, + typename basic_fri::transcript_type &transcript = + typename basic_fri::transcript_type()) { - return true; + math::polynomial U = {0}; + math::polynomial V = {1}; + return basic_fri::verify_eval(proof, fri_params, U, V, transcript); } }; } // namespace commitments diff --git a/include/nil/crypto3/zk/commitments/polynomial/lpc.hpp b/include/nil/crypto3/zk/commitments/polynomial/lpc.hpp index 7be7c218e..4f26d099d 100644 --- a/include/nil/crypto3/zk/commitments/polynomial/lpc.hpp +++ b/include/nil/crypto3/zk/commitments/polynomial/lpc.hpp @@ -34,7 +34,7 @@ #include #include -#include +#include namespace nil { namespace crypto3 { @@ -68,32 +68,28 @@ namespace nil { * */ template - struct list_polynomial_commitment { + class list_polynomial_commitment : + public detail::basic_fri { using merkle_hash_type = typename LPCParams::merkle_hash_type; - using transcript_hash_type = typename LPCParams::transcript_hash_type; - - using Endianness = nil::marshalling::option::big_endian; - using field_element_type = - nil::crypto3::marshalling::types::field_element, - FieldType>; constexpr static const std::size_t lambda = LPCParams::lambda; constexpr static const std::size_t r = LPCParams::r; constexpr static const std::size_t m = LPCParams::m; constexpr static const std::size_t k = K; - typedef FieldType field_type; typedef LPCParams lpc_params; - typedef typename containers::merkle_tree merkle_tree_type; typedef typename containers::merkle_proof merkle_proof_type; - typedef fri fri_type; + using basic_fri = detail::basic_fri; + + public: - using precommitment_type = typename fri_type::precommitment_type; - using commitment_type = typename fri_type::commitment_type; - using transcript_type = typename fri_type::transcript_type; + using precommitment_type = typename basic_fri::precommitment_type; + using commitment_type = typename basic_fri::commitment_type; struct proof_type { bool operator==(const proof_type &rhs) const { @@ -107,52 +103,15 @@ namespace nil { commitment_type T_root; - std::array fri_proof; + std::array fri_proof; }; - - private: - static std::shared_ptr> - prepare_domain(const std::size_t domain_size) { - return math::make_evaluation_domain(domain_size); - } - - public: - // The result of this function is not commitment_type (as it would expected), - // but the built Merkle tree. This is done so, because we often need to reuse - // the built Merkle tree - // After this function - // result.root(); - // should be called - static precommitment_type precommit(math::polynomial &poly, - const std::shared_ptr> &domain) { - - return fri_type::precommit(poly, domain); - } - - template - static std::array - precommit(std::array, list_size> &poly, - const std::shared_ptr> &domain) { - - return fri_type::precommit(poly, domain); - } - - static commitment_type commit(precommitment_type P) { - return fri_type::commit(P); - } - - template - static std::array - commit(std::array P) { - - return fri_type::commit(P); - } - + static proof_type proof_eval(const std::array &evaluation_points, precommitment_type &T, const math::polynomial &g, - const typename fri_type::params_type &fri_params, - transcript_type &transcript = transcript_type()) { + const typename basic_fri::params_type &fri_params, + typename basic_fri::transcript_type &transcript = + typename basic_fri::transcript_type()) { std::array z; std::array p; @@ -178,20 +137,21 @@ namespace nil { // temporary definition, until polynomial is constexpr const math::polynomial q = {0, 0, 1}; - std::array fri_proof; + std::array fri_proof; for (std::size_t round_id = 0; round_id <= lambda - 1; round_id++) { fri_proof[round_id] = - fri_type::proof_eval(Q, g, T, fri_params, transcript); + basic_fri::proof_eval(Q, g, T, fri_params, transcript); } - return proof_type({z, T.root(), fri_proof}); + return proof_type({z, basic_fri::commit(T), fri_proof}); } static bool verify_eval(const std::array &evaluation_points, proof_type &proof, - typename fri_type::params_type fri_params, - transcript_type &transcript = transcript_type()) { + typename basic_fri::params_type fri_params, + typename basic_fri::transcript_type &transcript = + typename basic_fri::transcript_type()) { std::array, k> U_interpolation_points; @@ -210,7 +170,7 @@ namespace nil { } for (std::size_t round_id = 0; round_id <= lambda - 1; round_id++) { - if (!fri_type::verify_eval(proof.fri_proof[round_id], fri_params, U, V, transcript)) { + if (!basic_fri::verify_eval(proof.fri_proof[round_id], fri_params, U, V, transcript)) { return false; } } diff --git a/include/nil/crypto3/zk/commitments/type_traits.hpp b/include/nil/crypto3/zk/commitments/type_traits.hpp new file mode 100644 index 000000000..5dea8b354 --- /dev/null +++ b/include/nil/crypto3/zk/commitments/type_traits.hpp @@ -0,0 +1,63 @@ +//---------------------------------------------------------------------------// +// Copyright (c) 2018-2021 Mikhail Komarov +// Copyright (c) 2020-2021 Nikita Kaskov +// +// MIT License +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +// SOFTWARE. +//---------------------------------------------------------------------------// + +#ifndef CRYPTO3_ZK_COMMITMENTS_TYPE_TRAITS_HPP +#define CRYPTO3_ZK_COMMITMENTS_TYPE_TRAITS_HPP + +#include + +#include +#include +#include +#include + +namespace nil { + namespace crypto3 { + namespace algebra { + + using namespace boost::mpl::placeholders; + + BOOST_TTI_HAS_TYPE(commitment_type) + BOOST_TTI_HAS_TYPE(proof_type) + // BOOST_TTI_HAS_TYPE(proving_key) + // BOOST_TTI_HAS_TYPE(verification_key) + + BOOST_TTI_HAS_STATIC_MEMBER_FUNCTION(commit) + BOOST_TTI_HAS_STATIC_MEMBER_FUNCTION(proof_eval) + BOOST_TTI_HAS_STATIC_MEMBER_FUNCTION(verify_eval) + + template + struct is_commitment { + static const bool value = has_type_base_field_type::value && has_type_scalar_field_type::value && + has_type_g1_type::value && has_type_g2_type::value && + has_type_gt_type::value; + typedef T type; + }; + + } // namespace algebra + } // namespace crypto3 +} // namespace nil + +#endif // CRYPTO3_ZK_COMMITMENTS_TYPE_TRAITS_HPP diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp index cdaf22374..e80243a84 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/permutation_argument.hpp @@ -56,8 +56,6 @@ namespace nil { typedef detail::redshift_policy policy_type; - typedef typename CommitmentSchemeTypePermutation::fri_type fri_type; - static constexpr std::size_t argument_size = 3; public: @@ -66,7 +64,8 @@ namespace nil { math::polynomial permutation_polynomial; - typename CommitmentSchemeTypePermutation::merkle_tree_type permutation_poly_commitment; + typename CommitmentSchemeTypePermutation::precommitment_type + permutation_poly_precommitment; }; static inline prover_result_type prove_eval( @@ -75,7 +74,7 @@ namespace nil { const plonk_polynomial_table &column_polynomials, - typename fri_type::params_type fri_params, + typename CommitmentSchemeTypePermutation::params_type fri_params, transcript_type &transcript = transcript_type()) { const std::size_t table_rows = constraint_system.rows_amount(); diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp index fcfaa188a..50460d3b8 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/prover.hpp @@ -132,7 +132,7 @@ namespace nil { const typename policy_type::preprocessed_private_data_type preprocessed_private_data, typename policy_type::constraint_system_type &constraint_system, const typename policy_type::variable_assignment_type &assignments, - const typename commitment_scheme_witness_type::fri_type::params_type + const typename commitment_scheme_witness_type::params_type &fri_params) { // TODO: fri_type are the same for each lpc_type here typename policy_type::template proof_type, witness_columns> witness_poly = preprocessed_private_data.private_polynomial_table.witnesses(); - std::array + std::array witness_precommitments = commitment_scheme_witness_type::template precommit( witness_poly, fri_params.D[0]); @@ -179,7 +179,7 @@ namespace nil { fri_params, transcript); - proof.v_perm_commitment = permutation_argument.permutation_poly_commitment.root(); + proof.v_perm_commitment = permutation_argument.permutation_poly_precommitment.root(); std::array, f_parts> F; @@ -203,7 +203,7 @@ namespace nil { quotient_polynomial(preprocessed_public_data, F, transcript); std::vector> T_splitted = detail::split_polynomial(T, fri_params.max_degree); - std::vector T_precommitments( + std::vector T_precommitments( T_splitted.size()); for (std::size_t i = 0; i < T_splitted.size(); i++) { T_precommitments[i] = commitment_scheme_quotient_type::precommit(T_splitted[i], fri_params.D[0]); @@ -245,7 +245,7 @@ namespace nil { typename commitment_scheme_permutation_type::proof_type v_p_evaluation = commitment_scheme_permutation_type::proof_eval( evaluation_points_v_p, - permutation_argument.permutation_poly_commitment, + permutation_argument.permutation_poly_precommitment, permutation_argument.permutation_polynomial, fri_params, transcript); diff --git a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp index c07e52f8f..d7dae11b1 100644 --- a/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp +++ b/include/nil/crypto3/zk/snark/systems/plonk/redshift/verifier.hpp @@ -87,7 +87,7 @@ namespace nil { commitment_scheme_permutation_type, commitment_scheme_quotient_type> &proof, typename policy_type::constraint_system_type &constraint_system, - const typename commitment_scheme_witness_type::fri_type::params_type + const typename commitment_scheme_witness_type::params_type &fri_params) { // 1. Add circuit definition to transcript diff --git a/test/commitment/fri.cpp b/test/commitment/fri.cpp index 1f0daf966..91a56c9a2 100644 --- a/test/commitment/fri.cpp +++ b/test/commitment/fri.cpp @@ -74,7 +74,7 @@ BOOST_AUTO_TEST_CASE(fri_basic_test) { constexpr static const std::size_t d_extended = d; std::size_t extended_log = boost::static_log2::value; std::vector>> D = - fri_type::calculate_domain_set(extended_log, r); + zk::commitments::detail::calculate_domain_set(extended_log, r); math::polynomial q = {0, 0, 1}; params.r = r; @@ -96,17 +96,12 @@ BOOST_AUTO_TEST_CASE(fri_basic_test) { std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; zk::transcript::fiat_shamir_heuristic_sequential transcript(init_blob); - // LPC-related logic, here we "nulify" it via U = 0, V - 1 - // TODO: Make FRI independent from LPC input - math::polynomial U = {0}; - math::polynomial V = {1}; - - proof_type proof = fri_type::proof_eval(f, f, commit_merkle, params, transcript); + proof_type proof = fri_type::proof_eval(f, commit_merkle, params, transcript); // verify zk::transcript::fiat_shamir_heuristic_sequential transcript_verifier(init_blob); - BOOST_CHECK(fri_type::verify_eval(proof, params, U, V, transcript_verifier)); + BOOST_CHECK(fri_type::verify_eval(proof, params, transcript_verifier)); typename FieldType::value_type verifier_next_challenge = transcript_verifier.template challenge(); typename FieldType::value_type prover_next_challenge = transcript.template challenge(); @@ -136,7 +131,8 @@ BOOST_AUTO_TEST_CASE(fri_fold_test) { math::polynomial q = {0, 0, 1}; std::size_t d_log = boost::static_log2::value; - std::vector>> D = fri_type::calculate_domain_set(d_log, 1); + std::vector>> D = + zk::commitments::detail::calculate_domain_set(d_log, 1); params.r = r; params.D = D; @@ -149,7 +145,7 @@ BOOST_AUTO_TEST_CASE(fri_fold_test) { typename FieldType::value_type x_next = params.q.evaluate(omega); typename FieldType::value_type alpha = algebra::random_element(); - math::polynomial f_next = fri_type::fold_polynomial(f, alpha); + math::polynomial f_next = zk::commitments::detail::fold_polynomial(f, alpha); BOOST_CHECK_EQUAL(f_next.degree(), f.degree() / 2); std::vector> interpolation_points { @@ -189,7 +185,7 @@ BOOST_AUTO_TEST_CASE(fri_steps_count_test) { constexpr static const std::size_t d_extended = d; std::size_t extended_log = boost::static_log2::value; std::vector>> D = - fri_type::calculate_domain_set(extended_log, r); + zk::commitments::detail::calculate_domain_set(extended_log, r); params.r = r - 1; params.D = D; @@ -203,7 +199,7 @@ BOOST_AUTO_TEST_CASE(fri_steps_count_test) { std::vector init_blob {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; zk::transcript::fiat_shamir_heuristic_sequential transcript(init_blob); - proof_type proof = fri_type::proof_eval(f, f, commit_merkle, params, transcript); + proof_type proof = fri_type::proof_eval(f, commit_merkle, params, transcript); math::polynomial final_polynomial = proof.final_polynomial; BOOST_CHECK_EQUAL(proof.final_polynomial.degree(), 1); diff --git a/test/commitment/lpc.cpp b/test/commitment/lpc.cpp index e74c027e6..20d066f24 100644 --- a/test/commitment/lpc.cpp +++ b/test/commitment/lpc.cpp @@ -79,7 +79,7 @@ BOOST_AUTO_TEST_CASE(lpc_basic_test) { constexpr static const std::size_t d_extended = d; std::size_t extended_log = boost::static_log2::value; std::vector>> D = - fri_type::calculate_domain_set(extended_log, r); + zk::commitments::detail::calculate_domain_set(extended_log, r); typename fri_type::params_type fri_params; diff --git a/test/commitment/lpc_performance.cpp b/test/commitment/lpc_performance.cpp index 82e3c6699..d510e6c3c 100644 --- a/test/commitment/lpc_performance.cpp +++ b/test/commitment/lpc_performance.cpp @@ -119,7 +119,7 @@ BOOST_AUTO_TEST_CASE(lpc_performance_test) { constexpr static const std::size_t d_extended = d; std::size_t extended_log = boost::static_log2::value; std::vector>> D = - fri_type::calculate_domain_set(extended_log, r); + zk::commitments::detail::calculate_domain_set(extended_log, r); typename fri_type::params_type fri_params; diff --git a/test/systems/plonk/redshift.cpp b/test/systems/plonk/redshift.cpp index 4575098e7..c1d3c12cc 100644 --- a/test/systems/plonk/redshift.cpp +++ b/test/systems/plonk/redshift.cpp @@ -66,7 +66,7 @@ typename fri_type::params_type create_fri_params(std::size_t degree_log) { math::polynomial q = {0, 0, 1}; std::vector>> domain_set = - fri_type::calculate_domain_set(degree_log, degree_log - 1); + zk::commitments::detail::calculate_domain_set(degree_log, degree_log - 1); params.r = degree_log - 1; params.D = domain_set; @@ -202,7 +202,7 @@ BOOST_AUTO_TEST_CASE(redshift_permutation_argument_test) { std::array verifier_res = redshift_permutation_argument::verify_eval( preprocessed_public_data, y, f_at_y, v_p_at_y, v_p_at_y_shifted, - prover_res.permutation_poly_commitment.root(), + prover_res.permutation_poly_precommitment.root(), verifier_transcript); typename FieldType::value_type verifier_next_challenge = verifier_transcript.template challenge(); From 56bc36d9a910e9d5a3e01f9e5e8c6c0c1ebe1d75 Mon Sep 17 00:00:00 2001 From: Kate Date: Wed, 9 Mar 2022 18:46:11 +0300 Subject: [PATCH 213/219] kzg --- .../crypto3/zk/commitments/polynomial/kzg.hpp | 289 +++++++++--------- 1 file changed, 150 insertions(+), 139 deletions(-) diff --git a/include/nil/crypto3/zk/commitments/polynomial/kzg.hpp b/include/nil/crypto3/zk/commitments/polynomial/kzg.hpp index 6df5db950..c96d44f99 100644 --- a/include/nil/crypto3/zk/commitments/polynomial/kzg.hpp +++ b/include/nil/crypto3/zk/commitments/polynomial/kzg.hpp @@ -51,8 +51,8 @@ // verifier of the Groth16 verification protocol since we pack two vectors in // one commitment. -#ifndef CRYPTO3_R1CS_GG_PPZKSNARK_AGGREGATE_IPP2_COMMITMENT_HPP -#define CRYPTO3_R1CS_GG_PPZKSNARK_AGGREGATE_IPP2_COMMITMENT_HPP +#ifndef KZG_COMMITMENT_HPP +#define KZG_COMMITMENT_HPP #include #include @@ -69,16 +69,15 @@ namespace nil { namespace crypto3 { namespace zk { - namespace commitments { + namespace snark { /// KZGOpening represents the KZG opening of a commitment key (which is a tuple /// given commitment keys are a tuple). template - using kzg_opening = std::pair; + using kzg_opening = typename GroupType::value_type; /// Both commitment outputs a pair of $F_q^k$ element. template - using r1cs_gg_ppzksnark_ipp2_commitment_output = - std::pair; + using kzg_commitment_output = typename CurveType::g1_type::value_type; /// Key is a generic commitment key that is instantiated with g and h as basis, /// and a and b as powers. @@ -94,14 +93,14 @@ namespace nil { /// Exponent is a std::vector a; /// Exponent is b - std::vector b; + //std::vector b; /// Returns true if commitment keys have the exact required length. /// It is necessary for the IPP scheme to work that commitment /// key have the exact same number of arguments as the number of proofs to /// aggregate. inline bool has_correct_len(std::size_t n) const { - return a.size() == n && n == b.size(); + return a.size() == n ; } /// Returns both vectors scaled by the given vector entrywise. @@ -115,152 +114,151 @@ namespace nil { BOOST_ASSERT(has_correct_len(std::distance(s_first, s_last))); kzg_commitment_key result; - std::for_each(boost::make_zip_iterator(boost::make_tuple(s_first, a.begin(), b.begin())), - boost::make_zip_iterator(boost::make_tuple(s_last, a.end(), b.end())), + std::for_each(boost::make_zip_iterator(boost::make_tuple(s_first, a.begin())), + boost::make_zip_iterator(boost::make_tuple(s_last, a.end())), [&](const boost::tuple &t) { result.a.emplace_back(t.template get<1>() * t.template get<0>()); - result.b.emplace_back(t.template get<2>() * t.template get<0>()); + //result.b.emplace_back(t.template get<2>() * t.template get<0>()); }); return result; } + }; /// Returns the left and right commitment key part. It makes copy. - std::pair, kzg_commitment_key> - split(std::size_t at) const { - BOOST_ASSERT(a.size() == b.size()); - BOOST_ASSERT(at > 0 && at < a.size()); - - kzg_commitment_key result_l; - kzg_commitment_key result_r; - - auto a_it = a.begin(); - auto b_it = b.begin(); - while (a_it != a.begin() + at && b_it != b.begin() + at) { - result_l.a.emplace_back(*a_it); - result_l.b.emplace_back(*b_it); - ++a_it; - ++b_it; - } - while (a_it != a.end() && b_it != b.end()) { - result_r.a.emplace_back(*a_it); - result_r.b.emplace_back(*b_it); - ++a_it; - ++b_it; - } - - return std::make_pair(result_l, result_r); - } - - /// Takes a left and right commitment key and returns a commitment - /// key $left \circ right^{scale} = (left_i*right_i^{scale} ...)$. This is - /// required step during GIPA recursion. - kzg_commitment_key - compress(const kzg_commitment_key &right, - const field_value_type &scale) const { - BOOST_ASSERT(a.size() == right.a.size()); - BOOST_ASSERT(b.size() == right.b.size()); - BOOST_ASSERT(a.size() == b.size()); - - kzg_commitment_key result; - - std::for_each( - boost::make_zip_iterator( - boost::make_tuple(a.begin(), b.begin(), right.a.begin(), right.b.begin())), - boost::make_zip_iterator(boost::make_tuple(a.end(), b.end(), right.a.end(), right.b.end())), - [&](const boost::tuple &t) { - result.a.emplace_back(t.template get<0>() + t.template get<2>() * scale); - result.b.emplace_back(t.template get<1>() + t.template get<3>() * scale); - }); - - return result; - } + // std::pair, kzg_commitment_key> + // split(std::size_t at) const { + // BOOST_ASSERT(a.size() == b.size()); + // BOOST_ASSERT(at > 0 && at < a.size()); + + // kzg_commitment_key result_l; + // kzg_commitment_key result_r; + + // auto a_it = a.begin(); + // auto b_it = b.begin(); + // while (a_it != a.begin() + at && b_it != b.begin() + at) { + // result_l.a.emplace_back(*a_it); + // result_l.b.emplace_back(*b_it); + // ++a_it; + // ++b_it; + // } + // while (a_it != a.end() && b_it != b.end()) { + // result_r.a.emplace_back(*a_it); + // result_r.b.emplace_back(*b_it); + // ++a_it; + // ++b_it; + // } + + // return std::make_pair(result_l, result_r); + // } + + // /// Takes a left and right commitment key and returns a commitment + // /// key $left \circ right^{scale} = (left_i*right_i^{scale} ...)$. This is + // /// required step during GIPA recursion. + // kzg_commitment_key + // compress(const kzg_commitment_key &right, + // const field_value_type &scale) const { + // BOOST_ASSERT(a.size() == right.a.size()); + + // kzg_commitment_key result; + + // std::for_each( + // boost::make_zip_iterator( + // boost::make_tuple(a.begin(), b.begin(), right.a.begin(), right.b.begin())), + // boost::make_zip_iterator(boost::make_tuple(a.end(), b.end(), right.a.end(), right.b.end())), + // [&](const boost::tuple &t) { + // result.a.emplace_back(t.template get<0>() + t.template get<2>() * scale); + // result.b.emplace_back(t.template get<1>() + t.template get<3>() * scale); + // }); + + // return result; + // } /// Returns the first values in the vector of v1 and v2 (respectively /// w1 and w2). When commitment key is of size one, it's a proxy to get the /// final values. - std::pair first() const { - return std::make_pair(a.front(), b.front()); - } - }; - + // std::pair first() const { + // return std::make_pair(a.front(), b.front()); + // } + // } + // }; /// Commitment key used by the "single" commitment on G1 values as /// well as in the "pair" commitment. /// It contains $\{h^a^i\}_{i=1}^n$ and $\{h^b^i\}_{i=1}^n$ template - using r1cs_gg_ppzksnark_ipp2_vkey = kzg_commitment_key>; + using kzg_ckey = kzg_commitment_key>; /// Commitment key used by the "pair" commitment. Note the sequence of /// powers starts at $n$ already. /// It contains $\{g^{a^{n+i}}\}_{i=1}^n$ and $\{g^{b^{n+i}}\}_{i=1}^n$ - template - using r1cs_gg_ppzksnark_ipp2_wkey = kzg_commitment_key>; + template + using kzg_vkey = kzg_commitment_key>; template struct kzg_commitment { typedef CurveType curve_type; typedef algebra::pairing::pairing_policy pairing; - typedef r1cs_gg_ppzksnark_ipp2_wkey wkey_type; - typedef r1cs_gg_ppzksnark_ipp2_vkey vkey_type; + typedef kzg_ckeyckey_type; + typedef kzg_vkey vkey_type; - typedef typename wkey_type::group_value_type g1_value_type; + typedef typename ckey_type::group_value_type g1_value_type; typedef typename vkey_type::group_value_type g2_value_type; typedef typename curve_type::gt_type::value_type gt_value_type; - typedef r1cs_gg_ppzksnark_ipp2_commitment_output output_type; + typedef kzg_commitment_output output_type; /// Commits to a tuple of G1 vector and G2 vector in the following way: /// $T = \prod_{i=0}^n e(A_i, v_{1,i})e(B_i,w_{1,i})$ /// $U = \prod_{i=0}^n e(A_i, v_{2,i})e(B_i,w_{2,i})$ /// Output is $(T,U)$ - template::value_type, - typename ValueType2 = typename std::iterator_traits::value_type, - typename std::enable_if::value, bool>::type = true, - typename std::enable_if::value, bool>::type = true> - static output_type pair(const vkey_type &vkey, const wkey_type &wkey, InputG1Iterator a_first, - InputG1Iterator a_last, InputG2Iterator b_first, InputG2Iterator b_last) { - BOOST_ASSERT(vkey.has_correct_len(std::distance(a_first, a_last))); - BOOST_ASSERT(wkey.has_correct_len(std::distance(b_first, b_last))); - BOOST_ASSERT(std::distance(a_first, a_last) == std::distance(b_first, b_last)); - - // (A * v) - gt_value_type t1 = gt_value_type::one(); - std::for_each(boost::make_zip_iterator(boost::make_tuple(a_first, vkey.a.begin())), - boost::make_zip_iterator(boost::make_tuple(a_last, vkey.a.end())), - [&](const boost::tuple &t) { - t1 = t1 * algebra::pair(t.template get<0>(), t.template get<1>()); - }); - - // (B * v) - gt_value_type t2 = gt_value_type::one(); - std::for_each(boost::make_zip_iterator(boost::make_tuple(wkey.a.begin(), b_first)), - boost::make_zip_iterator(boost::make_tuple(wkey.a.end(), b_last)), - [&](const boost::tuple &t) { - t2 = t2 * algebra::pair(t.template get<0>(), t.template get<1>()); - }); - - gt_value_type u1 = gt_value_type::one(); - std::for_each(boost::make_zip_iterator(boost::make_tuple(a_first, vkey.b.begin())), - boost::make_zip_iterator(boost::make_tuple(a_last, vkey.b.end())), - [&](const boost::tuple &t) { - u1 = u1 * algebra::pair(t.template get<0>(), t.template get<1>()); - }); - - gt_value_type u2 = gt_value_type::one(); - std::for_each(boost::make_zip_iterator(boost::make_tuple(wkey.b.begin(), b_first)), - boost::make_zip_iterator(boost::make_tuple(wkey.b.end(), b_last)), - [&](const boost::tuple &t) { - u2 = u2 * algebra::pair(t.template get<0>(), t.template get<1>()); - }); - - // (A * v)(w * B) - return std::make_pair(algebra::final_exponentiation(t1 * t2), - algebra::final_exponentiation(u1 * u2)); - } + // template::value_type, + // typename ValueType2 = typename std::iterator_traits::value_type, + // typename std::enable_if::value, bool>::type = true, + // typename std::enable_if::value, bool>::type = true> + // static output_type pair(const vkey_type &vkey, const wkey_type &wkey, InputG1Iterator a_first, + // InputG1Iterator a_last, InputG2Iterator b_first, InputG2Iterator b_last) { + // BOOST_ASSERT(vkey.has_correct_len(std::distance(a_first, a_last))); + // BOOST_ASSERT(wkey.has_correct_len(std::distance(b_first, b_last))); + // BOOST_ASSERT(std::distance(a_first, a_last) == std::distance(b_first, b_last)); + + // // (A * v) + // gt_value_type t1 = gt_value_type::one(); + // std::for_each(boost::make_zip_iterator(boost::make_tuple(a_first, vkey.a.begin())), + // boost::make_zip_iterator(boost::make_tuple(a_last, vkey.a.end())), + // [&](const boost::tuple &t) { + // t1 = t1 * algebra::pair(t.template get<0>(), t.template get<1>()); + // }); + + // // (B * v) + // gt_value_type t2 = gt_value_type::one(); + // std::for_each(boost::make_zip_iterator(boost::make_tuple(wkey.a.begin(), b_first)), + // boost::make_zip_iterator(boost::make_tuple(wkey.a.end(), b_last)), + // [&](const boost::tuple &t) { + // t2 = t2 * algebra::pair(t.template get<0>(), t.template get<1>()); + // }); + + // gt_value_type u1 = gt_value_type::one(); + // std::for_each(boost::make_zip_iterator(boost::make_tuple(a_first, vkey.b.begin())), + // boost::make_zip_iterator(boost::make_tuple(a_last, vkey.b.end())), + // [&](const boost::tuple &t) { + // u1 = u1 * algebra::pair(t.template get<0>(), t.template get<1>()); + // }); + + // gt_value_type u2 = gt_value_type::one(); + // std::for_each(boost::make_zip_iterator(boost::make_tuple(wkey.b.begin(), b_first)), + // boost::make_zip_iterator(boost::make_tuple(wkey.b.end(), b_last)), + // [&](const boost::tuple &t) { + // u2 = u2 * algebra::pair(t.template get<0>(), t.template get<1>()); + // }); + + // // (A * v)(w * B) + // return std::make_pair(algebra::final_exponentiation(t1 * t2), + // algebra::final_exponentiation(u1 * u2)); + // } /// Commits to a single vector of G1 elements in the following way: /// $T = \prod_{i=0}^n e(A_i, v_{1,i})$ @@ -269,30 +267,43 @@ namespace nil { template::value_type, typename std::enable_if::value, bool>::type = true> - static output_type single(const vkey_type &vkey, InputG1Iterator a_first, InputG1Iterator a_last) { - BOOST_ASSERT(vkey.has_correct_len(std::distance(a_first, a_last))); - - gt_value_type t1 = gt_value_type::one(); - std::for_each(boost::make_zip_iterator(boost::make_tuple(a_first, vkey.a.begin())), - boost::make_zip_iterator(boost::make_tuple(a_last, vkey.a.end())), - [&](const boost::tuple &t) { - t1 = t1 * algebra::pair(t.template get<0>(), t.template get<1>()); - }); - - gt_value_type u1 = gt_value_type::one(); - std::for_each(boost::make_zip_iterator(boost::make_tuple(a_first, vkey.b.begin())), - boost::make_zip_iterator(boost::make_tuple(a_last, vkey.b.end())), - [&](const boost::tuple &t) { - u1 = u1 * algebra::pair(t.template get<0>(), t.template get<1>()); + static output_type commit(const ckey_type &ckey, InputG1Iterator f_first, InputG1Iterator f_last) { + BOOST_ASSERT(ckey.has_correct_len(std::distance(f_first, f_last))); + + g1_value_type c = g1_value_type::one(); + // for(size_t i=0; i< std::distance(f_first, f_last)) + std::for_each_n(boost::make_zip_iterator(boost::make_tuple(f_first, ckey.a.begin())), + std::distance(f_first, f_last), + //boost::make_zip_iterator(boost::make_tuple(f_last, ckey.a.end())), + [&](const boost::tuple &t) { + + // for(size_t i=0; i< t.template get<0>(); t++){} + // //std::for_each(ckey.a.begin())), + // // boost::make_zip_iterator(boost::make_tuple(f_last, ckey.a.end())), + // t1 = t1 * algebra::pair(t.template get<0>(), t.template get<1>()); + // }); + + // g1_value_type c = g1_value_type::one(); + for(size_t i = 0; i < (t.template get<0>()); i++){ + c = c * t.template get<1>(); + } }); - - return std::make_pair(algebra::final_exponentiation(t1), - algebra::final_exponentiation(u1)); + + // std::for_each(ckey.a.begin())), + // boost::make_zip_iterator(boost::make_tuple(a_last, vkey.b.end())), + // [&](const boost::tuple &t) { + // u1 = u1 * algebra::pair(t.template get<0>(), t.template get<1>()); + // }); + + // return std::make_pair(algebra::final_exponentiation(t1), + // algebra::final_exponentiation(u1)); } }; - } // namespace commitments + } ; // namespace snark + } // namespace zk - } // namespace crypto3 + + } // namespace crypto3 } // namespace nil -#endif // CRYPTO3_R1CS_GG_PPZKSNARK_AGGREGATE_IPP2_COMMITMENT_HPP +#endif \ No newline at end of file From a465cdebb2a13f416f0ff9e7a7ab4701ff2e4624 Mon Sep 17 00:00:00 2001 From: Kate Date: Wed, 9 Mar 2022 20:19:22 +0300 Subject: [PATCH 214/219] kzg #20 --- .../crypto3/zk/commitments/polynomial/kzg.hpp | 163 ++---------------- 1 file changed, 12 insertions(+), 151 deletions(-) diff --git a/include/nil/crypto3/zk/commitments/polynomial/kzg.hpp b/include/nil/crypto3/zk/commitments/polynomial/kzg.hpp index c96d44f99..9a77cca65 100644 --- a/include/nil/crypto3/zk/commitments/polynomial/kzg.hpp +++ b/include/nil/crypto3/zk/commitments/polynomial/kzg.hpp @@ -92,13 +92,9 @@ namespace nil { /// Exponent is a std::vector a; - /// Exponent is b - //std::vector b; /// Returns true if commitment keys have the exact required length. - /// It is necessary for the IPP scheme to work that commitment - /// key have the exact same number of arguments as the number of proofs to - /// aggregate. + inline bool has_correct_len(std::size_t n) const { return a.size() == n ; } @@ -109,7 +105,7 @@ namespace nil { typename InputIterator, typename ValueType = typename std::iterator_traits::value_type, typename std::enable_if::value, bool>::type = true> - kzg_commitment_key scale(InputIterator s_first, + kzg_commitment_key setup(InputIterator s_first, InputIterator s_last) const { BOOST_ASSERT(has_correct_len(std::distance(s_first, s_last))); @@ -119,82 +115,16 @@ namespace nil { [&](const boost::tuple &t) { result.a.emplace_back(t.template get<1>() * t.template get<0>()); - //result.b.emplace_back(t.template get<2>() * t.template get<0>()); + }); return result; } }; - /// Returns the left and right commitment key part. It makes copy. - // std::pair, kzg_commitment_key> - // split(std::size_t at) const { - // BOOST_ASSERT(a.size() == b.size()); - // BOOST_ASSERT(at > 0 && at < a.size()); - - // kzg_commitment_key result_l; - // kzg_commitment_key result_r; - - // auto a_it = a.begin(); - // auto b_it = b.begin(); - // while (a_it != a.begin() + at && b_it != b.begin() + at) { - // result_l.a.emplace_back(*a_it); - // result_l.b.emplace_back(*b_it); - // ++a_it; - // ++b_it; - // } - // while (a_it != a.end() && b_it != b.end()) { - // result_r.a.emplace_back(*a_it); - // result_r.b.emplace_back(*b_it); - // ++a_it; - // ++b_it; - // } - - // return std::make_pair(result_l, result_r); - // } - - // /// Takes a left and right commitment key and returns a commitment - // /// key $left \circ right^{scale} = (left_i*right_i^{scale} ...)$. This is - // /// required step during GIPA recursion. - // kzg_commitment_key - // compress(const kzg_commitment_key &right, - // const field_value_type &scale) const { - // BOOST_ASSERT(a.size() == right.a.size()); - - // kzg_commitment_key result; - - // std::for_each( - // boost::make_zip_iterator( - // boost::make_tuple(a.begin(), b.begin(), right.a.begin(), right.b.begin())), - // boost::make_zip_iterator(boost::make_tuple(a.end(), b.end(), right.a.end(), right.b.end())), - // [&](const boost::tuple &t) { - // result.a.emplace_back(t.template get<0>() + t.template get<2>() * scale); - // result.b.emplace_back(t.template get<1>() + t.template get<3>() * scale); - // }); - - // return result; - // } - - /// Returns the first values in the vector of v1 and v2 (respectively - /// w1 and w2). When commitment key is of size one, it's a proxy to get the - /// final values. - // std::pair first() const { - // return std::make_pair(a.front(), b.front()); - // } - // } - // }; - /// Commitment key used by the "single" commitment on G1 values as - /// well as in the "pair" commitment. - /// It contains $\{h^a^i\}_{i=1}^n$ and $\{h^b^i\}_{i=1}^n$ template using kzg_ckey = kzg_commitment_key>; - /// Commitment key used by the "pair" commitment. Note the sequence of - /// powers starts at $n$ already. - /// It contains $\{g^{a^{n+i}}\}_{i=1}^n$ and $\{g^{b^{n+i}}\}_{i=1}^n$ - template - using kzg_vkey = kzg_commitment_key>; template struct kzg_commitment { @@ -210,60 +140,11 @@ namespace nil { typedef kzg_commitment_output output_type; - /// Commits to a tuple of G1 vector and G2 vector in the following way: - /// $T = \prod_{i=0}^n e(A_i, v_{1,i})e(B_i,w_{1,i})$ - /// $U = \prod_{i=0}^n e(A_i, v_{2,i})e(B_i,w_{2,i})$ - /// Output is $(T,U)$ - // template::value_type, - // typename ValueType2 = typename std::iterator_traits::value_type, - // typename std::enable_if::value, bool>::type = true, - // typename std::enable_if::value, bool>::type = true> - // static output_type pair(const vkey_type &vkey, const wkey_type &wkey, InputG1Iterator a_first, - // InputG1Iterator a_last, InputG2Iterator b_first, InputG2Iterator b_last) { - // BOOST_ASSERT(vkey.has_correct_len(std::distance(a_first, a_last))); - // BOOST_ASSERT(wkey.has_correct_len(std::distance(b_first, b_last))); - // BOOST_ASSERT(std::distance(a_first, a_last) == std::distance(b_first, b_last)); - - // // (A * v) - // gt_value_type t1 = gt_value_type::one(); - // std::for_each(boost::make_zip_iterator(boost::make_tuple(a_first, vkey.a.begin())), - // boost::make_zip_iterator(boost::make_tuple(a_last, vkey.a.end())), - // [&](const boost::tuple &t) { - // t1 = t1 * algebra::pair(t.template get<0>(), t.template get<1>()); - // }); - - // // (B * v) - // gt_value_type t2 = gt_value_type::one(); - // std::for_each(boost::make_zip_iterator(boost::make_tuple(wkey.a.begin(), b_first)), - // boost::make_zip_iterator(boost::make_tuple(wkey.a.end(), b_last)), - // [&](const boost::tuple &t) { - // t2 = t2 * algebra::pair(t.template get<0>(), t.template get<1>()); - // }); - - // gt_value_type u1 = gt_value_type::one(); - // std::for_each(boost::make_zip_iterator(boost::make_tuple(a_first, vkey.b.begin())), - // boost::make_zip_iterator(boost::make_tuple(a_last, vkey.b.end())), - // [&](const boost::tuple &t) { - // u1 = u1 * algebra::pair(t.template get<0>(), t.template get<1>()); - // }); - - // gt_value_type u2 = gt_value_type::one(); - // std::for_each(boost::make_zip_iterator(boost::make_tuple(wkey.b.begin(), b_first)), - // boost::make_zip_iterator(boost::make_tuple(wkey.b.end(), b_last)), - // [&](const boost::tuple &t) { - // u2 = u2 * algebra::pair(t.template get<0>(), t.template get<1>()); - // }); - - // // (A * v)(w * B) - // return std::make_pair(algebra::final_exponentiation(t1 * t2), - // algebra::final_exponentiation(u1 * u2)); - // } + /// Commits to a single vector of G1 elements in the following way: - /// $T = \prod_{i=0}^n e(A_i, v_{1,i})$ - /// $U = \prod_{i=0}^n e(A_i, v_{2,i})$ - /// Output is $(T,U)$ + /// $C = \prod_{i=0}^n (g^{a^i})^{f_i}$ + /// Output is $C$ template::value_type, typename std::enable_if::value, bool>::type = true> @@ -271,38 +152,18 @@ namespace nil { BOOST_ASSERT(ckey.has_correct_len(std::distance(f_first, f_last))); g1_value_type c = g1_value_type::one(); - // for(size_t i=0; i< std::distance(f_first, f_last)) std::for_each_n(boost::make_zip_iterator(boost::make_tuple(f_first, ckey.a.begin())), std::distance(f_first, f_last), - //boost::make_zip_iterator(boost::make_tuple(f_last, ckey.a.end())), - [&](const boost::tuple &t) { - - // for(size_t i=0; i< t.template get<0>(); t++){} - // //std::for_each(ckey.a.begin())), - // // boost::make_zip_iterator(boost::make_tuple(f_last, ckey.a.end())), - // t1 = t1 * algebra::pair(t.template get<0>(), t.template get<1>()); - // }); - - // g1_value_type c = g1_value_type::one(); - for(size_t i = 0; i < (t.template get<0>()); i++){ - c = c * t.template get<1>(); - } + [&](const boost::tuple &t) { + for(size_t i = 0; i < (t.template get<0>()); i++){ + c = c * t.template get<1>(); + } }); - - // std::for_each(ckey.a.begin())), - // boost::make_zip_iterator(boost::make_tuple(a_last, vkey.b.end())), - // [&](const boost::tuple &t) { - // u1 = u1 * algebra::pair(t.template get<0>(), t.template get<1>()); - // }); - - // return std::make_pair(algebra::final_exponentiation(t1), - // algebra::final_exponentiation(u1)); + } }; - } ; // namespace snark - + } ; // namespace snark } // namespace zk - } // namespace crypto3 } // namespace nil From 16ef518a37a4d679e26eeb97c31b9bdd30e06dfa Mon Sep 17 00:00:00 2001 From: nkaskov Date: Wed, 9 Mar 2022 20:39:29 +0300 Subject: [PATCH 215/219] KZG interfaces updated. #20 --- .../crypto3/zk/commitments/polynomial/kzg.hpp | 95 +++++++------------ .../crypto3/zk/commitments/type_traits.hpp | 20 ++-- test/commitment/fri.cpp | 5 + 3 files changed, 47 insertions(+), 73 deletions(-) diff --git a/include/nil/crypto3/zk/commitments/polynomial/kzg.hpp b/include/nil/crypto3/zk/commitments/polynomial/kzg.hpp index 9a77cca65..616bfadb4 100644 --- a/include/nil/crypto3/zk/commitments/polynomial/kzg.hpp +++ b/include/nil/crypto3/zk/commitments/polynomial/kzg.hpp @@ -51,8 +51,8 @@ // verifier of the Groth16 verification protocol since we pack two vectors in // one commitment. -#ifndef KZG_COMMITMENT_HPP -#define KZG_COMMITMENT_HPP +#ifndef CRYPTO3_ZK_COMMITMENTS_KZG_COMMITMENT_HPP +#define CRYPTO3_ZK_COMMITMENTS_KZG_COMMITMENT_HPP #include #include @@ -70,44 +70,23 @@ namespace nil { namespace crypto3 { namespace zk { namespace snark { - /// KZGOpening represents the KZG opening of a commitment key (which is a tuple - /// given commitment keys are a tuple). - template - using kzg_opening = typename GroupType::value_type; - /// Both commitment outputs a pair of $F_q^k$ element. template - using kzg_commitment_output = typename CurveType::g1_type::value_type; - - /// Key is a generic commitment key that is instantiated with g and h as basis, - /// and a and b as powers. - template - struct kzg_commitment_key { - typedef GroupType group_type; - typedef typename group_type::curve_type curve_type; - typedef typename curve_type::scalar_field_type field_type; - - typedef typename group_type::value_type group_value_type; - typedef typename field_type::value_type field_value_type; - - /// Exponent is a - std::vector a; - - /// Returns true if commitment keys have the exact required length. - - inline bool has_correct_len(std::size_t n) const { - return a.size() == n ; - } + struct kzg_commitment { + typedef CurveType curve_type; + typedef algebra::pairing::pairing_policy pairing; + + /// Key is a generic commitment key that is instantiated with g and h as basis, + /// and a and b as powers. + using commitment_key_type = std::vector::value_type>; + using verification_key_type = typename CurveType::template g1_type<>::value_type; + + using commitment_type = typename CurveType::template g1_type<>::value_type; + using proof_type = commitment_type; /// Returns both vectors scaled by the given vector entrywise. /// In other words, it returns $\{v_i^{s_i}\}$ - template< - typename InputIterator, - typename ValueType = typename std::iterator_traits::value_type, - typename std::enable_if::value, bool>::type = true> - kzg_commitment_key setup(InputIterator s_first, - InputIterator s_last) const { - BOOST_ASSERT(has_correct_len(std::distance(s_first, s_last))); + static std::pair setup(const std::size_t n) { kzg_commitment_key result; std::for_each(boost::make_zip_iterator(boost::make_tuple(s_first, a.begin())), @@ -120,35 +99,12 @@ namespace nil { return result; } - }; - - template - using kzg_ckey = kzg_commitment_key>; - - - template - struct kzg_commitment { - typedef CurveType curve_type; - typedef algebra::pairing::pairing_policy pairing; - - typedef kzg_ckeyckey_type; - typedef kzg_vkey vkey_type; - - typedef typename ckey_type::group_value_type g1_value_type; - typedef typename vkey_type::group_value_type g2_value_type; - typedef typename curve_type::gt_type::value_type gt_value_type; - - typedef kzg_commitment_output output_type; - - /// Commits to a single vector of G1 elements in the following way: /// $C = \prod_{i=0}^n (g^{a^i})^{f_i}$ /// Output is $C$ - template::value_type, - typename std::enable_if::value, bool>::type = true> - static output_type commit(const ckey_type &ckey, InputG1Iterator f_first, InputG1Iterator f_last) { + static commitment_type commit(const commitment_key_type &ckey, + const math::polynomial &f) { BOOST_ASSERT(ckey.has_correct_len(std::distance(f_first, f_last))); g1_value_type c = g1_value_type::one(); @@ -161,10 +117,27 @@ namespace nil { }); } + + static proof_type proof_eval(commitment_key_type commitment_key, + commitment_type C_f, + typename CurveType::base_field_type::value_type x, + typename CurveType::base_field_type::value_type y, + const math::polynomial &f) { + + } + + static bool verify_eval(verification_key_type verification_key, + commitment_type C_f, + typename CurveType::base_field_type::value_type x, + typename CurveType::base_field_type::value_type y, + proof_type p) { + + } + }; } ; // namespace snark } // namespace zk } // namespace crypto3 } // namespace nil -#endif \ No newline at end of file +#endif // CRYPTO3_ZK_COMMITMENTS_KZG_COMMITMENT_HPP \ No newline at end of file diff --git a/include/nil/crypto3/zk/commitments/type_traits.hpp b/include/nil/crypto3/zk/commitments/type_traits.hpp index 5dea8b354..48f0232bb 100644 --- a/include/nil/crypto3/zk/commitments/type_traits.hpp +++ b/include/nil/crypto3/zk/commitments/type_traits.hpp @@ -26,21 +26,16 @@ #ifndef CRYPTO3_ZK_COMMITMENTS_TYPE_TRAITS_HPP #define CRYPTO3_ZK_COMMITMENTS_TYPE_TRAITS_HPP -#include - -#include #include -#include -#include namespace nil { namespace crypto3 { - namespace algebra { - - using namespace boost::mpl::placeholders; + namespace zk { BOOST_TTI_HAS_TYPE(commitment_type) BOOST_TTI_HAS_TYPE(proof_type) + + BOOST_TTI_MEMBER_TYPE(commitment_type) // BOOST_TTI_HAS_TYPE(proving_key) // BOOST_TTI_HAS_TYPE(verification_key) @@ -50,13 +45,14 @@ namespace nil { template struct is_commitment { - static const bool value = has_type_base_field_type::value && has_type_scalar_field_type::value && - has_type_g1_type::value && has_type_g2_type::value && - has_type_gt_type::value; + using commitment_type = typename member_type_commitment_type::type; + + static const bool value = has_type_commitment_type::value && has_type_proof_type::value && + has_static_member_function_commit::value; typedef T type; }; - } // namespace algebra + } // namespace zk } // namespace crypto3 } // namespace nil diff --git a/test/commitment/fri.cpp b/test/commitment/fri.cpp index 91a56c9a2..f11b7bc5c 100644 --- a/test/commitment/fri.cpp +++ b/test/commitment/fri.cpp @@ -44,6 +44,7 @@ #include #include +#include using namespace nil::crypto3; @@ -66,6 +67,10 @@ BOOST_AUTO_TEST_CASE(fri_basic_test) { constexpr static const std::size_t m = 2; typedef zk::commitments::fri fri_type; + + static_assert(zk::is_commitment::value); + static_assert(!zk::is_commitment::value); + typedef typename fri_type::proof_type proof_type; typedef typename fri_type::params_type params_type; From 97113df7df31a609601498ff6d8bbb6f4ba0d09b Mon Sep 17 00:00:00 2001 From: nkaskov Date: Wed, 9 Mar 2022 20:44:30 +0300 Subject: [PATCH 216/219] KZG proof_eval updated. #20 --- include/nil/crypto3/zk/commitments/polynomial/kzg.hpp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/include/nil/crypto3/zk/commitments/polynomial/kzg.hpp b/include/nil/crypto3/zk/commitments/polynomial/kzg.hpp index 616bfadb4..ca312408b 100644 --- a/include/nil/crypto3/zk/commitments/polynomial/kzg.hpp +++ b/include/nil/crypto3/zk/commitments/polynomial/kzg.hpp @@ -124,6 +124,10 @@ namespace nil { typename CurveType::base_field_type::value_type y, const math::polynomial &f) { + const math::polynomial denominator_polynom = {1, -x}; + + const math::polynomial q = + (f - {y})/denominator_polynom; } static bool verify_eval(verification_key_type verification_key, From 2a3b423423b994709b2cde22f34127d6767b07d7 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Wed, 9 Mar 2022 20:47:55 +0300 Subject: [PATCH 217/219] KZG params_type added. #20 --- include/nil/crypto3/zk/commitments/polynomial/kzg.hpp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/include/nil/crypto3/zk/commitments/polynomial/kzg.hpp b/include/nil/crypto3/zk/commitments/polynomial/kzg.hpp index ca312408b..5d3ee2d8a 100644 --- a/include/nil/crypto3/zk/commitments/polynomial/kzg.hpp +++ b/include/nil/crypto3/zk/commitments/polynomial/kzg.hpp @@ -84,6 +84,10 @@ namespace nil { using commitment_type = typename CurveType::template g1_type<>::value_type; using proof_type = commitment_type; + struct params_type { + + }; + /// Returns both vectors scaled by the given vector entrywise. /// In other words, it returns $\{v_i^{s_i}\}$ static std::pair setup(const std::size_t n) { From 9f7f84a2848f09196df0c4dea45092712be45c94 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Wed, 9 Mar 2022 20:48:44 +0300 Subject: [PATCH 218/219] KZG params_type usage added. #20 --- include/nil/crypto3/zk/commitments/polynomial/kzg.hpp | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/include/nil/crypto3/zk/commitments/polynomial/kzg.hpp b/include/nil/crypto3/zk/commitments/polynomial/kzg.hpp index 5d3ee2d8a..66c38c6eb 100644 --- a/include/nil/crypto3/zk/commitments/polynomial/kzg.hpp +++ b/include/nil/crypto3/zk/commitments/polynomial/kzg.hpp @@ -87,7 +87,7 @@ namespace nil { struct params_type { }; - + /// Returns both vectors scaled by the given vector entrywise. /// In other words, it returns $\{v_i^{s_i}\}$ static std::pair setup(const std::size_t n) { @@ -108,7 +108,8 @@ namespace nil { /// $C = \prod_{i=0}^n (g^{a^i})^{f_i}$ /// Output is $C$ static commitment_type commit(const commitment_key_type &ckey, - const math::polynomial &f) { + const math::polynomial &f, + params_type params) { BOOST_ASSERT(ckey.has_correct_len(std::distance(f_first, f_last))); g1_value_type c = g1_value_type::one(); @@ -126,7 +127,8 @@ namespace nil { commitment_type C_f, typename CurveType::base_field_type::value_type x, typename CurveType::base_field_type::value_type y, - const math::polynomial &f) { + const math::polynomial &f, + params_type params) { const math::polynomial denominator_polynom = {1, -x}; @@ -138,7 +140,8 @@ namespace nil { commitment_type C_f, typename CurveType::base_field_type::value_type x, typename CurveType::base_field_type::value_type y, - proof_type p) { + proof_type p, + params_type params) { } From 5409a70024b8cbc806610bf2fa369f2d4a126170 Mon Sep 17 00:00:00 2001 From: nkaskov Date: Thu, 10 Mar 2022 10:52:02 +0300 Subject: [PATCH 219/219] Commitments type_traits added. #20 #25 --- .../crypto3/zk/commitments/type_traits.hpp | 65 +++++++++++++++++-- test/commitment/lpc.cpp | 8 +++ 2 files changed, 68 insertions(+), 5 deletions(-) diff --git a/include/nil/crypto3/zk/commitments/type_traits.hpp b/include/nil/crypto3/zk/commitments/type_traits.hpp index 48f0232bb..02b6c9d00 100644 --- a/include/nil/crypto3/zk/commitments/type_traits.hpp +++ b/include/nil/crypto3/zk/commitments/type_traits.hpp @@ -39,16 +39,71 @@ namespace nil { // BOOST_TTI_HAS_TYPE(proving_key) // BOOST_TTI_HAS_TYPE(verification_key) - BOOST_TTI_HAS_STATIC_MEMBER_FUNCTION(commit) - BOOST_TTI_HAS_STATIC_MEMBER_FUNCTION(proof_eval) - BOOST_TTI_HAS_STATIC_MEMBER_FUNCTION(verify_eval) - + template + class has_available_static_member_function_commit { + struct no { }; + + protected: + template + static void test(std::nullptr_t) { + struct t{ + using C::commit; + }; + } + + template + static no test(...); + + public: + constexpr static const bool value = !std::is_same(nullptr))>::value; + }; + + template + class has_available_static_member_function_proof_eval { + struct no { }; + + protected: + template + static void test(std::nullptr_t) { + struct t{ + using C::proof_eval; + }; + } + + template + static no test(...); + + public: + constexpr static const bool value = !std::is_same(nullptr))>::value; + }; + + template + class has_available_static_member_function_verify_eval { + struct no { }; + + protected: + template + static void test(std::nullptr_t) { + struct t{ + using C::verify_eval; + }; + } + + template + static no test(...); + + public: + constexpr static const bool value = !std::is_same(nullptr))>::value; + }; + template struct is_commitment { using commitment_type = typename member_type_commitment_type::type; static const bool value = has_type_commitment_type::value && has_type_proof_type::value && - has_static_member_function_commit::value; + has_available_static_member_function_commit::value && + has_available_static_member_function_proof_eval::value && + has_available_static_member_function_verify_eval::value; typedef T type; }; diff --git a/test/commitment/lpc.cpp b/test/commitment/lpc.cpp index 20d066f24..c257e91ad 100644 --- a/test/commitment/lpc.cpp +++ b/test/commitment/lpc.cpp @@ -45,6 +45,7 @@ #include #include #include +#include using namespace nil::crypto3; using namespace nil::crypto3::zk::snark; @@ -74,6 +75,13 @@ BOOST_AUTO_TEST_CASE(lpc_basic_test) { typedef zk::commitments::list_polynomial_commitment_params lpc_params_type; typedef zk::commitments::list_polynomial_commitment lpc_type; + + static_assert(zk::is_commitment::value); + static_assert(zk::is_commitment::value); + static_assert(!zk::is_commitment::value); + static_assert(!zk::is_commitment::value); + static_assert(!zk::is_commitment::value); + typedef typename lpc_type::proof_type proof_type; constexpr static const std::size_t d_extended = d;