Merge pull request #69 from clearmatics/mpc-crs-generation-review-sug…

…gestions Merged into crs-generation. Thanks.
clearmatics · Aug 30, 2019 · 90bdbf4 · 90bdbf4
2 parents e21500a + f504657
commit 90bdbf4
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 27 deletions.
diff --git a/src/snarks/groth16/evaluator_from_lagrange.hpp b/src/snarks/groth16/evaluator_from_lagrange.hpp
@@ -28,7 +28,6 @@ template<typename ppT, typename GroupT> class evaluator_from_lagrange
 };
 
 } // namespace libzeth
-
 #include "evaluator_from_lagrange.tcc"
 
 #endif // __ZETH_SNARKS_GROTH16_EVALUATOR_FROM_LAGRANGE_HPP__
diff --git a/src/snarks/groth16/evaluator_from_lagrange.tcc b/src/snarks/groth16/evaluator_from_lagrange.tcc
@@ -1,4 +1,5 @@
-#pragma once
+#ifndef __ZETH_SNARKS_GROTH16_EVALUATOR_FROM_LAGRANGE_TCC__
+#define __ZETH_SNARKS_GROTH16_EVALUATOR_FROM_LAGRANGE_TCC__
 
 #include "evaluator_from_lagrange.hpp"
 #include "multi_exp.hpp"
@@ -12,7 +13,7 @@ evaluator_from_lagrange<ppT, GroupT>::evaluator_from_lagrange(
     libfqfft::evaluation_domain<libff::Fr<ppT>> &domain)
     : powers(powers), domain(domain)
 {
-    // Lagrange polynomails have order <= m-1, requiring at least m
+    // Lagrange polynomials have order <= m-1, requiring at least m
     // entries in powers (0, ..., m-1) in order to evaluate.
     assert(powers.size() >= domain.m);
 }
@@ -21,10 +22,9 @@ template<typename ppT, typename GroupT>
 GroupT evaluator_from_lagrange<ppT, GroupT>::evaluate_from_lagrange_factors(
     const std::map<size_t, libff::Fr<ppT>> lagrange_factors)
 {
-    // libfqfft::evaluation_domain modifies an incoming vector of
-    // factors.  Write the factors into the vector (it must be large
-    // enough to hold domain.m entries), and then run iFFT to
-    // transform to coefficients.
+    // libfqfft::evaluation_domain modifies an incoming vector of factors.
+    // Write the factors into the vector (it must be large enough to hold
+    // domain.m entries), and then run iFFT to transform to coefficients.
     std::vector<libff::Fr<ppT>> coefficients(domain.m, libff::Fr<ppT>::zero());
     for (auto it : lagrange_factors) {
         const size_t lagrange_idx = it.first;
@@ -41,3 +41,5 @@ GroupT evaluator_from_lagrange<ppT, GroupT>::evaluate_from_lagrange_factors(
 }
 
 } // namespace libzeth
+
+#endif // __ZETH_SNARKS_GROTH16_EVALUATOR_FROM_LAGRANGE_TCC__
diff --git a/src/snarks/groth16/mpc_utils.hpp b/src/snarks/groth16/mpc_utils.hpp
@@ -6,9 +6,9 @@
 #include <vector>
 
 // Structures and utility functions related to CRS generation via an
-// MPC.  Following [BoweGM17], the circuit $C$ generating the SRS is
+// MPC. Following [BoweGM17], the circuit $C$ generating the SRS is
 // considered to be made up of 3 layers: $C = C_1 L_1 C_2$.  The
-// output from $C_1$ is exactly the powersoftau data.  $L_1$
+// output from $C_1$ is exactly the powersoftau data. $L_1$
 // represents the linear combination based on a specific QAP, and
 // $C_2$ is the output from Phase2 of the MPC.
 //
@@ -53,15 +53,14 @@ template<typename ppT> class srs_mpc_layer_L1
 };
 
 /// Given a circuit and a powersoftau with pre-computed lagrange
-/// polynomials, perform the correct linear combination for the CRS
-/// MPC.
+/// polynomials, perform the correct linear combination for the CRS MPC.
 template<typename ppT>
 srs_mpc_layer_L1<ppT> mpc_compute_linearcombination(
     const srs_powersoftau &pot,
     const libsnark::qap_instance<libff::Fr<ppT>> &qap);
 
 /// Given the output from the first layer of the MPC, perform the 2nd
-/// layer computation using just local randomness.  This is not a
+/// layer computation using just local randomness for delta. This is not a
 /// substitute for the full MPC with an auditable log of
 /// contributions, but is useful for testing.
 template<typename ppT>

diff --git a/src/snarks/groth16/mpc_utils.tcc b/src/snarks/groth16/mpc_utils.tcc
@@ -36,19 +36,22 @@ srs_mpc_layer_L1<ppT> mpc_compute_linearcombination(
 
     libfqfft::evaluation_domain<Fr> &domain = *qap.domain;
 
-    // n = number of constraints in qap / degree of t().
+    // n = number of constraints in r1cs, or equivalently, n = deg(t(x))
+    // t(x) being the target polynomial of the QAP
+    // Note: In the code-base the target polynomial is also denoted Z
+    // as refered to as "the vanishing polynomial", and t is also used
+    // to represent the query point (aka "tau").
     const size_t n = qap.degree();
     const size_t num_variables = qap.num_variables();
 
-    // Langrange polynomials, and therefore A, B, C will have order
-    // (n-1).  T has order n.  H.t() has order 2n-2, => H(.) has
-    // order:
-    //
-    //   2n-2 - n = n-2
-    //
-    // Therefore { t(x) . x^i } has 0 .. n-2 (n-1 of them), requiring
-    // requires powers of tau 0 ..  2.n-2 (2n-1 of them).  We should
-    // have at least this many, by definition.
+    // The QAP polynomials A, B, C are of degree (n-1) as we know they
+    // are created by interpolation of an r1cs of n constraints.
+    // As a consequence, the polynomial (A.B - C) is of degree 2n-2,
+    // while the target polynomial t is of degree n.
+    // Thus, we need to have access (in the SRS) to powers up to 2n-2.
+    // To represent such polynomials we need {x^i} for in {0, ... n-2}
+    // hence why we check below that we have at least n-1 elements
+    // in the set of powers of tau
     assert(pot.tau_powers_g1.size() >= 2 * n - 1);
 
     // n+1 coefficients of t

diff --git a/src/snarks/groth16/powersoftau_utils.cpp b/src/snarks/groth16/powersoftau_utils.cpp
@@ -1,4 +1,3 @@
-
 #include "powersoftau_utils.hpp"
 
 namespace libzeth
@@ -85,7 +84,7 @@ bool same_ratio(
     const libff::GT<ppT> b1a2_gt = ppT::final_exponentiation(b1a2);
 
     // Decide whether ratio a1:b1 in G1 equals a2:b2 in G2 by checking:
-    //   e( a1, b2 ) == e( b1, a2 )
+    //   e(a1, b2) =?= e(b1, a2)
     return a1b2_gt == b1a2_gt;
 }
 
@@ -110,7 +109,7 @@ srs_powersoftau::srs_powersoftau(
 srs_powersoftau dummy_powersoftau_from_secrets(
     const Fr &tau, const Fr &alpha, const Fr &beta, size_t n)
 {
-    // Compute powers.  Note zero-th power is included (alpha_g1 etc
+    // Compute powers. Note zero-th power is included (alpha_g1 etc
     // are provided in this way), so to support order N polynomials,
     // N+1 entries are required.
     const size_t num_tau_powers_g1 = 2 * n - 2 + 1;
@@ -199,6 +198,7 @@ void read_powersoftau_g2(std::istream &in, libff::G2<ppT> &out)
         break;
 
     case 0x04:
+        // Uncompressed
         read_powersoftau_fp2(in, out.X);
         read_powersoftau_fp2(in, out.Y);
         out.Z = libff::alt_bn128_Fq2::one();
@@ -280,7 +280,7 @@ bool powersoftau_validate(const srs_powersoftau &pot, const size_t n)
     // TODO: Cache precomputed g1, tau_g1, g2, tau_g2
     // TODO: Parallelize
 
-    // One at index 0
+    // Make sure that the identity of each group is at index 0
     if (pot.tau_powers_g1[0] != G1::one() ||
         pot.tau_powers_g2[0] != G2::one()) {
         return false;
@@ -292,7 +292,7 @@ bool powersoftau_validate(const srs_powersoftau &pot, const size_t n)
     const G1 tau_g1 = pot.tau_powers_g1[1];
     const G2 tau_g2 = pot.tau_powers_g2[1];
 
-    // SameRatio( (g1, tau_g1), (g2, tau_g2) )
+    // SameRatio((g1, tau_g1), (g2, tau_g2))
     const bool tau_g1_g2_consistent =
         same_ratio<ppT>(g1, pot.tau_powers_g1[1], g2, pot.tau_powers_g2[1]);
     if (!tau_g1_g2_consistent) {