From 6b5e281424c9c08e9631bc9ecfbfaaeeb9d70eae Mon Sep 17 00:00:00 2001
From: xevisalle
Date: Mon, 7 Mar 2022 12:49:28 +0100
Subject: [PATCH] Fix minor issues
---
 src/circuit.rs | 13 ++++--
 src/permutation.rs | 4 +-
 src/proof_system/preprocess.rs | 4 ++
 src/proof_system/prover.rs | 45 ++++++++++---------
 .../widget/permutation/proverkey.rs | 1 +
 5 files changed, 39 insertions(+), 28 deletions(-)
diff --git a/src/circuit.rs b/src/circuit.rs
index 8263fa3c..1050670d 100644
--- a/src/circuit.rs
+++ b/src/circuit.rs
@@ -246,6 +246,9 @@ where
 {
 /// Circuit identifier associated constant.
 const CIRCUIT_ID: [u8; 32];
+ /// Extra size needed for the circuit parameters. + 6 because adding the
+ /// blinding factors requires some extra elements for the SRS
+ const PARAMS_EXTRA_SIZE: usize = 6;
 /// Gadget implementation used to fill the composer.
 fn gadget(&mut self, composer: &mut TurboComposer) -> Result<(), Error>;
@@ -257,7 +260,8 @@ where
 pub_params: &PublicParameters,
 ) -> Result<(ProverKey, VerifierData), Error> {
 // Setup PublicParams
- let (ck, _) = pub_params.trim(self.padded_gates() + 6)?;
+ let (ck, _) =
+ pub_params.trim(self.padded_gates() + Self::PARAMS_EXTRA_SIZE)?;
 // Generate & save `ProverKey` with some random values.
 let mut prover = Prover::new(b"CircuitCompilation");
@@ -296,9 +300,10 @@ where
 pub_params: &PublicParameters,
 prover_key: &ProverKey,
 transcript_init: &'static [u8],
- mut rng: &mut R,
+ rng: &mut R,
 ) -> Result {
- let (ck, _) = pub_params.trim(self.padded_gates() + 6)?;
+ let (ck, _) =
+ pub_params.trim(self.padded_gates() + Self::PARAMS_EXTRA_SIZE)?;
 // New Prover instance
 let mut prover = Prover::new(transcript_init);
@@ -308,7 +313,7 @@ where
 // Add ProverKey to Prover
 prover.prover_key = Some(prover_key.clone());
- prover.prove(&ck, &mut rng)
+ prover.prove(&ck, rng)
 }
 /// Verify the provided proof for the compiled verifier data
diff --git a/src/permutation.rs b/src/permutation.rs
index 0ba72210..915c66f8 100644
--- a/src/permutation.rs
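Review bot: `PARAMS_EXTRA_SIZE` is declared as a trait associated const with a default, so any `Circuit` implementor can override it, and an override below 6 would make `trim()` hand `compile` and `prove` a commit key with too few powers for the blinded polynomials; the value is a property of the prover's blinding, not of a particular circuit. Consider making it a plain crate-level constant referenced from `compile`/`prove`, or at least document that it must not be overridden. The doc comment also reads oddly (`+ 6 because adding the`) and does not say where 6 comes from; I would write something like `/// Extra SRS elements trimmed beyond padded_gates(): the prover blinds its polynomials with hiding degree up to 2 (see Prover::blind_poly), which raises their degree above the padded gate count.` Whether 6 is exactly the slack required cannot be checked from this hunk, so the derivation belongs in the comment once it has been confirmed.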
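Review bot: `self.padded_gates() + Self::PARAMS_EXTRA_SIZE` is now spelled out separately in `compile` and in `prove`, and the two trim sizes need to stay in agreement so the proving commit key matches the keys that were compiled; two copies of the expression can drift apart silently. I would add a provided trait method, `fn trim_size(&self) -> usize { self.padded_gates() + Self::PARAMS_EXTRA_SIZE }`, and call `pub_params.trim(self.trim_size())?` at both sites. `prove`'s body continues outside the hunk.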
+++ b/src/permutation.rs
@@ -219,7 +219,7 @@ impl Permutation {
 beta: &BlsScalar,
 gamma: &BlsScalar,
 sigma_polys: [&Polynomial; 4],
- ) -> Vec {
+ ) -> Vec {
 let n = domain.size();
 // Constants defining cosets H, k1H, k2H, etc
@@ -308,7 +308,7 @@ impl Permutation {
 h_2: &[BlsScalar],
 delta: &BlsScalar,
 epsilon: &BlsScalar,
- ) -> Vec {
+ ) -> Vec {
 let n = domain.size();
 assert_eq!(f.len(), domain.size());
diff --git a/src/proof_system/preprocess.rs b/src/proof_system/preprocess.rs
index 2bd59ba0..a951d4d9 100644
--- a/src/proof_system/preprocess.rs
+++ b/src/proof_system/preprocess.rs
@@ -121,6 +121,10 @@ impl TurboComposer {
 let (_, selectors, preprocessed_table, domain) =
 self.preprocess_shared(commit_key, transcript)?;
+ // The polynomial needs an evaluation domain of 4n.
+ // Plus, adding the blinding factors translates to
+ // the polynomial not fitting in 4n, so now we need
+ // 8n, the next power of 2
 let domain_8n = EvaluationDomain::new(8 * domain.size())?;
 let q_m_eval_8n = Evaluations::from_vec_and_domain(
 domain_8n.coset_fft(&selectors.q_m),
diff --git a/src/proof_system/prover.rs b/src/proof_system/prover.rs
index 3fdd8a9a..54755716 100644
--- a/src/proof_system/prover.rs
+++ b/src/proof_system/prover.rs
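Review bot: The new comment above `domain_8n` names neither the polynomial it is talking about nor the degree bound being worked around, so a reader cannot check that `8 * domain.size()` is sufficient or why `4n` used to be enough. The extra degree comes from the blinding added in `Prover::blind_poly` elsewhere in this patch (hiding degree up to 2), so I would name the polynomial this domain serves (the quotient polynomial, presumably — please confirm) and its post-blinding degree, e.g. `// The quotient polynomial was evaluated on a coset of size 4n; the blinding terms added in Prover::blind_poly push its degree past 4n, so the next power-of-two domain, 8n, is used.` Doubling the domain doubles the FFT work and the size of every `*_eval_8n` table, so the actual bound is worth pinning down rather than leaving as "some extra". The enclosing `preprocess` function continues outside the hunk.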
@@ -149,26 +149,27 @@ impl Prover {
 /// Adds the blinding scalars to a given vector. Always the same elements
 /// of 'w_vec' are modified at the beginning of it, and appended at the end:
- /// if hiding degree = 1: (b2*X(n+1) + b1*X^n - b2*X - b1) + w_vec
- /// if hiding degree = 2: (b3*X^(n+2) + b2*X(n+1) + b1*X^n - b3*X^2 - b2*X
+ /// if hiding degree = 1: (b2*X^(n+1) + b1*X^n - b2*X - b1) + w_vec
+ /// if hiding degree = 2: (b3*X^(n+2) + b2*X^(n+1) + b1*X^n - b3*X^2 - b2*X
 /// - b1) + w_vec
 pub(crate) fn blind_poly(
- w_vec: &Vec,
+ w_vec: &Vec,
 hiding_degree: usize,
 domain: &EvaluationDomain,
- mut rng: &mut R,
+ rng: &mut R,
 ) -> Polynomial {
- let mut w_vec_i = domain.ifft(w_vec);
+ let mut w_vec_inverse = domain.ifft(w_vec);
 for i in 0..hiding_degree + 1 {
 // we declare and randomly select a blinding scalar
- let blinding_scalar = util::random_scalar(&mut rng);
- w_vec_i[i] = w_vec_i[i] - blinding_scalar; // modify the first elements of the vector
- w_vec_i.push(blinding_scalar); // append last elements at the end of
- // the vector
+ let blinding_scalar = util::random_scalar(rng);
+ // modify the first elements of the vector
+ w_vec_inverse[i] = w_vec_inverse[i] - blinding_scalar;
+ // append last elements at the end of the vector
+ w_vec_inverse.push(blinding_scalar);
 }
- Polynomial::from_coefficients_vec(w_vec_i)
+ Polynomial::from_coefficients_vec(w_vec_inverse)
 }
 /// Creates a [`Proof]` that demonstrates that a circuit is satisfied.
@@ -183,7 +184,7 @@ impl Prover {
 &self,
 commit_key: &CommitKey,
 prover_key: &ProverKey,
- mut rng: &mut R,
+ rng: &mut R,
 ) -> Result {
 // make sure the domain is big enough to handle the circuit as well as
 // the lookup table
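Review bot: `blind_poly` writes `w_vec_inverse[i]` for every `i <= hiding_degree` and relies on the index panic if the coefficient vector is shorter than that, and its doc comment still does not say why the result keeps the same evaluations on the domain — both deserve to be explicit in the one function that provides zero-knowledge for every committed polynomial. The doc should say that each term `b_i * (X^(n+i) - X^i)` vanishes on the size-n domain (assuming the usual n-th roots of unity), that the returned polynomial therefore has degree `n + hiding_degree`, which is what the extra SRS elements trimmed in `circuit.rs` must cover, and that `rng` must be cryptographically secure because these scalars are what hides the witness (the `R` bound is stripped from this view — please confirm it still requires `CryptoRng`). A `debug_assert!(hiding_degree < w_vec_inverse.len(), "hiding degree exceeds domain size");` before the loop would turn the out-of-range index into a named precondition. As a style point, the `&Vec<_>` parameter should be a slice, and `w_vec_inverse[i] -= blinding_scalar` reads better if `BlsScalar` implements `SubAssign`.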
@@ -211,10 +212,10 @@ impl Prover {
 // Wires are now in evaluation form, convert them to coefficients so
 // that we may commit to them
- let a_w_poly = Prover::blind_poly(&a_w_scalar, 1, &domain, &mut rng);
- let b_w_poly = Prover::blind_poly(&b_w_scalar, 1, &domain, &mut rng);
- let c_w_poly = Prover::blind_poly(&c_w_scalar, 1, &domain, &mut rng);
- let d_w_poly = Prover::blind_poly(&d_w_scalar, 1, &domain, &mut rng);
+ let a_w_poly = Prover::blind_poly(&a_w_scalar, 1, &domain, rng);
+ let b_w_poly = Prover::blind_poly(&b_w_scalar, 1, &domain, rng);
+ let c_w_poly = Prover::blind_poly(&c_w_scalar, 1, &domain, rng);
+ let d_w_poly = Prover::blind_poly(&d_w_scalar, 1, &domain, rng);
 // Commit to wire polynomials
 // ([a(x)]_1, [b(x)]_1, [c(x)]_1, [d(x)]_1)
@@ -289,7 +290,7 @@ impl Prover {
 // Compute long query poly
 let f_poly =
- Prover::blind_poly(&compressed_f_multiset.0, 1, &domain, &mut rng);
+ Prover::blind_poly(&compressed_f_multiset.0, 1, &domain, rng);
 // Commit to query polynomial
 let f_poly_commit = commit_key.commit(&f_poly)?;
@@ -306,8 +307,8 @@ impl Prover {
 let (h_1, h_2) = s.halve_alternating();
 // Compute h polys
- let h_1_poly = Prover::blind_poly(&h_1.0, 2, &domain, &mut rng);
- let h_2_poly = Prover::blind_poly(&h_2.0, 1, &domain, &mut rng);
+ let h_1_poly = Prover::blind_poly(&h_1.0, 2, &domain, rng);
+ let h_2_poly = Prover::blind_poly(&h_2.0, 1, &domain, rng);
 // Commit to h polys
 let h_1_poly_commit = commit_key.commit(&h_1_poly).unwrap();
@@ -340,7 +341,7 @@ impl Prover {
 ),
 2,
 &domain,
- &mut rng,
+ rng,
 );
 // Commit to permutation polynomial
@@ -362,7 +363,7 @@ impl Prover {
 ),
 2,
 &domain,
- &mut rng,
+ rng,
 );
 // Commit to permutation polynomial
@@ -602,7 +603,7 @@ impl Prover {
 pub fn prove(
 &mut self,
 commit_key: &CommitKey,
- mut rng: &mut R,
+ rng: &mut R,
 ) -> Result {
 let prover_key: &ProverKey;
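Review bot: `let h_1_poly_commit = commit_key.commit(&h_1_poly).unwrap();` on the last context line of the `@@ -306` hunk panics the prover if the commitment fails, while the `f_poly_commit` call in the hunk just above propagates the very same operation with `?`; with `h_1_poly` blinded at hiding degree 2, an undersized commit key — exactly the condition the `+ 6` trim in this patch is meant to avoid — would surface here as a crash instead of an `Error`. Change it to `let h_1_poly_commit = commit_key.commit(&h_1_poly)?;` and do the same for the `h_2_poly` commit that presumably follows outside the hunk. `prove_with_preprocessed` starts and ends outside this hunk.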
@@ -619,7 +620,7 @@ impl Prover {
 prover_key = self.prover_key.as_ref().unwrap();
 let proof =
- self.prove_with_preprocessed(commit_key, prover_key, &mut rng)?;
+ self.prove_with_preprocessed(commit_key, prover_key, rng)?;
 // Clear witness and reset composer variables
 self.clear_witness();
diff --git a/src/proof_system/widget/permutation/proverkey.rs b/src/proof_system/widget/permutation/proverkey.rs
index 00992a6a..e07847f7 100644
--- a/src/proof_system/widget/permutation/proverkey.rs
+++ b/src/proof_system/widget/permutation/proverkey.rs
@@ -142,6 +142,7 @@ impl ProverKey {
 &self.s_sigma_4.0,
 );
+ // the poly is increased by 2 after blinding it
 let domain = EvaluationDomain::new(z_poly.degree() - 2).unwrap();
 let c = self.compute_linearizer_check_is_one(
 &domain,
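Review bot: `EvaluationDomain::new(z_poly.degree() - 2)` recovers the domain size from the degree of a blinded polynomial, which is only right if `z_poly` was blinded with hiding degree exactly 2 and its top blinding scalar is non-zero (if `degree()` is the index of the highest non-zero coefficient, as it presumably is); the new comment records the first assumption, but the coupling to `Prover::blind_poly` is fragile — a zero leading scalar (negligible but possible) or a future hiding-degree change yields the wrong domain and a wrong linearizer, and `degree() - 2` on a `usize` can underflow for a tiny polynomial. Prefer passing the domain, or `n`, into this function from the prover, which already has it, instead of inferring it; failing that, state the invariant, e.g. `// z_poly is blinded with hiding degree 2 in Prover::blind_poly, so its degree is n + 2; n is recovered from it (requires the leading blinding scalar to be non-zero).` The `.unwrap()` also turns any size mismatch into a panic rather than an `Error`. The enclosing function starts and ends outside the hunk.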