Skip to content

Commit

Permalink
0
Browse files Browse the repository at this point in the history
  • Loading branch information
@laudiacay
laudiacay committed Aug 18, 2023
1 parent 281ebd1 commit 4c34c5e
Show file tree
Hide file tree
Showing 9 changed files with 139 additions and 117 deletions.
9 changes: 5 additions & 4 deletions barustenberg/src/plonk/composer/standard_composer.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1103,7 +1103,7 @@ impl<RSF: ReferenceStringFactory> StandardComposer<RSF> {
/// It first computes the verification key, then constructs a `Verifier`
/// using the computed key and the manifest of public inputs.
/// Finally, it adds a `KateCommitmentScheme` to the verifier and returns it.
fn create_verifier(&mut self) -> Result<Verifier<Keccak256, StandardSettings<Keccak256>>> {
fn create_verifier(&mut self) -> Result<Verifier<Keccak256>> {
let cbd = self.cbd.clone();
let cbd = cbd.read().unwrap();

Expand All @@ -1113,7 +1113,8 @@ impl<RSF: ReferenceStringFactory> StandardComposer<RSF> {
self.create_manifest(cbd.public_inputs.len()),
);

output_state.commitment_scheme = Box::new(KateCommitmentScheme::new());
output_state.commitment_scheme =
Box::new(KateCommitmentScheme::new(output_state.settings.clone()));

Ok(output_state)
}
Expand All @@ -1129,7 +1130,7 @@ impl<RSF: ReferenceStringFactory> StandardComposer<RSF> {
/// # Returns
///
/// * Returns an initialized `Prover`.
fn create_prover(&mut self) -> Prover<Keccak256, StandardSettings<Keccak256>> {
fn create_prover(&mut self) -> Prover<Keccak256> {
self.compute_proving_key();
self.compute_witness();

Expand All @@ -1154,7 +1155,7 @@ impl<RSF: ReferenceStringFactory> StandardComposer<RSF> {
.transition_widgets
.push(Box::new(arithmetic_widget));

output_state.commitment_scheme = KateCommitmentScheme::new();
output_state.commitment_scheme = KateCommitmentScheme::new(output_state.settings.clone());

output_state
}
Expand Down
143 changes: 83 additions & 60 deletions barustenberg/src/plonk/proof_system/commitment_scheme.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ use crate::transcript::{BarretenHasher, Transcript};
use super::proving_key::ProvingKey;
use super::types::polynomial_manifest::PolynomialSource;
use super::types::proof::CommitmentOpenProof;
use super::types::prover_settings::Settings;
use super::verification_key::VerificationKey;

/// A polynomial commitment scheme defined over two FieldExts, a group, a hash function.
Expand Down Expand Up @@ -79,27 +80,37 @@ pub(crate) trait CommitmentScheme {

#[derive(Default, Debug)]
pub(crate) struct KateCommitmentScheme<
S: Settings<Hasher = H, Field = Fr, Group = G>,
H: BarretenHasher,
Fq: Field + FftField,
Fr: Field + FftField,
G: AffineRepr,
> {
_kate_open_proof: CommitmentOpenProof,
settings: S,
phantom: PhantomData<(H, Fr, G, Fq)>,
}

impl<H: BarretenHasher, Fq: Field + FftField, Fr: Field + FftField, G: AffineRepr>
KateCommitmentScheme<H, Fq, Fr, G>
impl<
S: Settings<Hasher = H, Field = Fr, Group = G>,
H: BarretenHasher,
Fq: Field + FftField,
Fr: Field + FftField,
G: AffineRepr,
> KateCommitmentScheme<S, H, Fq, Fr, G>
{
pub(crate) fn new() -> Self {
pub(crate) fn new(settings: S) -> Self {
Self {
_kate_open_proof: CommitmentOpenProof::default(),
settings,
phantom: PhantomData,
}
}
}

impl<H: BarretenHasher> CommitmentScheme for KateCommitmentScheme<H, Fq, Fr, G1Affine> {
impl<S: Settings<Hasher = H, Field = Fr, Group = G1Affine>, H: BarretenHasher> CommitmentScheme
for KateCommitmentScheme<S, H, Fq, Fr, G1Affine>
{
type Fq = Fq;
type Fr = Fr;
type Group = G1Affine;
Expand Down Expand Up @@ -298,7 +309,7 @@ impl<H: BarretenHasher> CommitmentScheme for KateCommitmentScheme<H, Fq, Fr, G1A
input_key: Option<Arc<RwLock<ProvingKey<Self::Fr>>>>,
) {
let input_key = input_key.unwrap();
let input_key = input_key.read().unwrap();
let mut input_key = input_key.write().unwrap();
/*
Compute batch opening polynomials according to the Kate commitment scheme.
Expand All @@ -307,8 +318,9 @@ impl<H: BarretenHasher> CommitmentScheme for KateCommitmentScheme<H, Fq, Fr, G1A
\zeta.\omega). Step 3: Compute coefficient form of W_{\zeta}(X) and W_{\zeta \omega}(X). Step 4: Commit to
W_{\zeta}(X) and W_{\zeta \omega}(X).
*/
let mut opened_polynomials_at_zeta = Vec::new();
let mut opened_polynomials_at_zeta_omega = Vec::new();
let mut opened_polynomials_at_zeta: Vec<(Arc<RwLock<Polynomial<Fr>>>, Fr)> = Vec::new();
let mut opened_polynomials_at_zeta_omega: Vec<(Arc<RwLock<Polynomial<Fr>>>, Fr)> =
Vec::new();

// Add the following tuples to the above data structures:
//
Expand All @@ -320,13 +332,13 @@ impl<H: BarretenHasher> CommitmentScheme for KateCommitmentScheme<H, Fq, Fr, G1A

// Add challenge-poly tuples for all polynomials in the manifest
for i in 0..input_key.polynomial_manifest.len() {
let info = input_key.polynomial_manifest[i.into()];
let poly_label = info.polynomial_label;
let info = &input_key.polynomial_manifest[i.into()];
let poly_label = &info.polynomial_label;

let poly = input_key.polynomial_store.get(&poly_label).unwrap();
let poly = input_key.polynomial_store.get(poly_label).unwrap();

let nu_challenge = transcript.get_challenge_field_element_from_map("nu", &poly_label);
opened_polynomials_at_zeta.push((poly, nu_challenge));
let nu_challenge = transcript.get_challenge_field_element_from_map("nu", poly_label);
opened_polynomials_at_zeta.push((poly.clone(), nu_challenge));

if info.requires_shifted_evaluation {
let nu_challenge = transcript
Expand All @@ -335,50 +347,64 @@ impl<H: BarretenHasher> CommitmentScheme for KateCommitmentScheme<H, Fq, Fr, G1A
}
}

let zeta = transcript.get_challenge_field_element("z", None);
let zeta: Fr = transcript.get_challenge_field_element("z", None);

// Note: the opening poly W_\frak{z} is always size (n + 1) due to blinding
// of the quotient polynomial
let opening_poly: Polynomial<Fr> = Polynomial::new(input_key.circuit_size + 1);
let shifted_opening_poly: Polynomial<Fr> = Polynomial::new(input_key.circuit_size);
let opening_poly: Arc<RwLock<Polynomial<Fr>>> =
Arc::new(RwLock::new(Polynomial::new(input_key.circuit_size + 1)));
let shifted_opening_poly: Arc<RwLock<Polynomial<Fr>>> =
Arc::new(RwLock::new(Polynomial::new(input_key.circuit_size)));

// Add the tuples [t_{mid}(X), \zeta^{n}], [t_{high}(X), \zeta^{2n}]
// Note: We don't need to include the t_{low}(X) since it is multiplied by 1 for combining with other witness
// polynomials.
//
for i in 1..S::program_width() {
for i in 1..self.settings.program_width() {
let offset = i * input_key.small_domain.size;
let scalar = zeta.pow(offset);
opened_polynomials_at_zeta.push((&input_key.quotient_polynomial_parts[i][0], scalar));
let scalar = zeta.pow([offset as u64]);
opened_polynomials_at_zeta
.push((input_key.quotient_polynomial_parts[i].clone(), scalar));
}

// Add up things to get coefficients of opening polynomials.
// TODO THESE LOCKS ARE FUCKED. UP. THEY WILL BE UNDER HEAVY CONTENTION. FIX THEM
(0..input_key.small_domain.size)
.into_par_iter()
.for_each(|i| {
opening_poly[i] = input_key.quotient_polynomial_parts[0][i];
let mut opening_poly = opening_poly.write().unwrap();
opening_poly[i] = input_key.quotient_polynomial_parts[0].read().unwrap()[i];
for &(ref poly, challenge) in &opened_polynomials_at_zeta {
opening_poly[i] += poly[i] * challenge;
opening_poly[i] += (*poly).read().unwrap()[i] * challenge;
}
let mut shifted_opening_poly = shifted_opening_poly.write().unwrap();
shifted_opening_poly[i] = Fr::zero();
for &(ref poly, challenge) in &opened_polynomials_at_zeta_omega {
shifted_opening_poly[i] += poly[i] * challenge;
shifted_opening_poly[i] += (*poly).read().unwrap()[i] * challenge;
}
});

let opening_poly = Arc::try_unwrap(opening_poly).unwrap();
let opening_poly = opening_poly.into_inner();
let mut opening_poly = opening_poly.unwrap();
let shifted_opening_poly = Arc::try_unwrap(shifted_opening_poly).unwrap();
let shifted_opening_poly = shifted_opening_poly.into_inner();
let shifted_opening_poly = shifted_opening_poly.unwrap();

// Adjust the (n + 1)th coefficient of t_{0,1,2}(X) or r(X) (Note: t_4 (Turbo/Ultra) has only n coefficients)
opening_poly[input_key.circuit_size] = Fr::zero();
let zeta_pow_n = zeta.pow(input_key.circuit_size as u64);
let zeta_pow_n = zeta.pow([input_key.circuit_size as u64]);

let num_deg_n_poly = if S::program_width() == 3 {
S::program_width()
let num_deg_n_poly = if self.settings.program_width() == 3 {
self.settings.program_width()
} else {
S::program_width() - 1
self.settings.program_width() - 1
};
let mut scalar_mult = 1;
let mut scalar_mult = Fr::one();
for i in 0..num_deg_n_poly {
opening_poly[input_key.circuit_size] +=
input_key.quotient_polynomial_parts[i][input_key.circuit_size] * scalar_mult;
input_key.quotient_polynomial_parts[i].read().unwrap()[input_key.circuit_size]
* scalar_mult;
scalar_mult *= zeta_pow_n;
}

Expand All @@ -389,17 +415,19 @@ impl<H: BarretenHasher> CommitmentScheme for KateCommitmentScheme<H, Fq, Fr, G1A
self.compute_opening_polynomial(
&[opening_poly[0]],
&mut [opening_poly[0]],
zeta,
&zeta,
input_key.circuit_size,
);
self.compute_opening_polynomial(
&[shifted_opening_poly[0]],
&mut [shifted_opening_poly[0]],
zeta_omega,
&zeta_omega,
input_key.circuit_size,
);

input_key.polynomial_store.put("opening_poly".to_string(), opening_poly);
input_key
.polynomial_store
.put("opening_poly".to_string(), opening_poly);
input_key
.polynomial_store
.put("shifted_opening_poly".to_string(), shifted_opening_poly);
Expand All @@ -408,20 +436,20 @@ impl<H: BarretenHasher> CommitmentScheme for KateCommitmentScheme<H, Fq, Fr, G1A
self.commit(
input_key
.polynomial_store
.get(&"opening_poly".to_string()).unwrap()
.get_coefficients(),
.get(&"opening_poly".to_string())
.unwrap(),
"PI_Z".to_owned(),
input_key.circuit_size,
&queue,
Fr::from(input_key.circuit_size as u64),
queue,
);
self.commit(
input_key
.polynomial_store
.get(&"shifted_opening_poly".to_string()).unwrap()
.get_coefficients(),
.get(&"shifted_opening_poly".to_string())
.unwrap(),
"PI_Z_OMEGA".to_owned(),
input_key.circuit_size,
&queue,
Fr::from(input_key.circuit_size as u64),
queue,
);
}

Expand All @@ -440,62 +468,57 @@ impl<H: BarretenHasher> CommitmentScheme for KateCommitmentScheme<H, Fq, Fr, G1A
let poly_label = item.polynomial_label.clone();
match item.source {
PolynomialSource::Witness => {
let element : G1Affine = transcript.get_group_element(&label);
if !element.is_on_curve() || element.is_point_at_infinity() {
let element: G1Affine = transcript.get_group_element(&label);
// removed || element.is_point_at_infinity()
if !element.is_on_curve() {
panic!("polynomial commitment to witness is not a valid point.");
}
kate_g1_elements.insert(label, element);
kate_g1_elements.insert(label.clone(), element);
}
PolynomialSource::Selector | PolynomialSource::Permutation => {
let element = input_key
.as_ref()
.unwrap()
.commitments
.get(&label)
.unwrap()
.clone();
let element = input_key.as_ref().unwrap().commitments.get(&label).unwrap();
if !element.is_on_curve() {
panic!("polynomial commitment to selector is not a valid point.");
}
kate_g1_elements.insert(label, element);
kate_g1_elements.insert(label.clone(), *element);
}
PolynomialSource::Other => {}
}

let has_shifted_evaluation = item.requires_shifted_evaluation;
let mut kate_fr_scalar = Fr::zero();
if has_shifted_evaluation {
let challenge = transcript
let challenge: Fr = transcript
.get_challenge_field_element_from_map("nu", &format!("{}_omega", poly_label));
let separator_challenge =
let separator_challenge: Fr =
transcript.get_challenge_field_element("separator", Some(0));
kate_fr_scalar += separator_challenge * challenge;
let poly_at_zeta_omega =
let poly_at_zeta_omega: Fr =
transcript.get_field_element(&format!("{}_omega", poly_label));
batch_eval += separator_challenge * challenge * poly_at_zeta_omega;
}

let challenge = transcript.get_challenge_field_element_from_map("nu", &poly_label);
let challenge: Fr = transcript.get_challenge_field_element_from_map("nu", &poly_label);
kate_fr_scalar += challenge;
let poly_at_zeta = transcript.get_field_element(&poly_label);
let poly_at_zeta: Fr = transcript.get_field_element(&poly_label);
batch_eval += challenge * poly_at_zeta;
kate_fr_elements.insert(label, kate_fr_scalar);
}

let zeta = transcript.get_challenge_field_element("z", None);
let quotient_challenge = transcript.get_challenge_field_element_from_map("nu", "t");
let zeta: Fr = transcript.get_challenge_field_element("z", None);
let quotient_challenge: Fr = transcript.get_challenge_field_element_from_map("nu", "t");

let z_pow_n = zeta.pow(input_key.as_ref().unwrap().circuit_size);
let z_pow_n = zeta.pow([input_key.as_ref().unwrap().circuit_size as u64]);
let mut z_power = Fr::one();
for i in 0..settings::program_width {
for i in 0..self.settings.program_width() {
let quotient_label = format!("T_{}", i + 1);
let element = transcript.get_group_element(&quotient_label);
kate_g1_elements.insert(quotient_label, element);
kate_g1_elements.insert(quotient_label.clone(), element);
kate_fr_elements.insert(quotient_label, quotient_challenge * z_power);
z_power *= z_pow_n;
}

let quotient_eval = transcript.get_field_element("t");
let quotient_eval: Fr = transcript.get_field_element("t");
batch_eval += quotient_eval * quotient_challenge;

kate_g1_elements.insert("BATCH_EVALUATION".to_string(), G1Affine::identity());
Expand Down
Loading

0 comments on commit 4c34c5e

Please sign in to comment.