From 92714a4cc509fac07b8e8fc321fc0271c5dbe6b6 Mon Sep 17 00:00:00 2001 From: Gus Gutoski Date: Thu, 15 Aug 2024 14:02:08 -0400 Subject: [PATCH] fix: remove grcov from nix flake (#656) * comment out grcov * clippy pacification --- flake.nix | 2 +- plonk/src/circuit/plonk_verifier/gadgets.rs | 8 ++++-- plonk/src/proof_system/prover.rs | 2 ++ plonk/src/proof_system/verifier.rs | 3 +- relation/src/constraint_system.rs | 4 +-- .../gadgets/ecc/emulated/short_weierstrass.rs | 28 ++++++++++++------- 6 files changed, 31 insertions(+), 16 deletions(-) diff --git a/flake.nix b/flake.nix index 342d921d3..3b13220b0 100644 --- a/flake.nix +++ b/flake.nix @@ -63,7 +63,7 @@ clangStdenv llvm_15 typos - grcov + # grcov # TODO uncomment this line after https://github.com/mozilla/grcov/issues/1187#issuecomment-2252214718 ] ++ lib.optionals stdenv.isDarwin [ darwin.apple_sdk.frameworks.Security ]; diff --git a/plonk/src/circuit/plonk_verifier/gadgets.rs b/plonk/src/circuit/plonk_verifier/gadgets.rs index f562c9632..cb3e50947 100644 --- a/plonk/src/circuit/plonk_verifier/gadgets.rs +++ b/plonk/src/circuit/plonk_verifier/gadgets.rs @@ -34,16 +34,20 @@ use jf_utils::{bytes_to_field_elements, field_switching}; /// Aggregate polynomial commitments into a single commitment (in the /// ScalarsAndBases form). Useful in batch opening. +/// /// The verification key type is guaranteed to match the Plonk proof type. +/// /// The returned commitment is a generalization of `[F]1` described /// in Sec 8.3, step 10 of https://eprint.iacr.org/2019/953.pdf -/// input +/// +/// Input: /// - vks: verification key variable /// - challenges: challenge variable in FpElemVar form /// - poly_evals: zeta^n, zeta^n-1 and Lagrange evaluated at 1 /// - batch_proof: batched proof inputs /// - non_native_field_info: aux information for non-native field -/// Output +/// +/// Output: /// - scalar and bases prepared for MSM /// - buffer info for u and v powers pub(super) fn aggregate_poly_commitments_circuit( 
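Review bot: The doc comment of `aggregate_poly_commitments_circuit` in gadgets.rs still contains a bare URL, `https://eprint.iacr.org/2019/953.pdf`, which rustdoc's `bare_urls` lint reports. Since this commit is already tidying these comments for lint cleanliness, wrap it as `<https://eprint.iacr.org/2019/953.pdf>`. In the input list of the same comment, `zeta^n-1` can be read as either zeta^(n-1) or zeta^n - 1. If the vanishing-polynomial evaluation is meant (my reading, not confirmed by the hunk), write `zeta^n - 1`. The function body lies outside the hunk.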
diff --git a/plonk/src/proof_system/prover.rs b/plonk/src/proof_system/prover.rs index db2f57dc7..34f3c42a4 100644 --- a/plonk/src/proof_system/prover.rs +++ b/plonk/src/proof_system/prover.rs @@ -68,8 +68,10 @@ impl Prover { } /// Round 1: + /// /// 1. Compute and commit wire witness polynomials. /// 2. Compute public input polynomial. + /// /// Return the wire witness polynomials and their commitments, /// also return the public input polynomial. pub(crate) fn run_1st_round, R: CryptoRng + RngCore>( diff --git a/plonk/src/proof_system/verifier.rs b/plonk/src/proof_system/verifier.rs index 7ba5c49cd..3f6643b90 100644 --- a/plonk/src/proof_system/verifier.rs +++ b/plonk/src/proof_system/verifier.rs @@ -190,11 +190,12 @@ where /// Batchly verify multiple (aggregated) PCS opening proofs. /// - /// We need to verify that + /// We need to verify that: /// - `e(Ai, [x]2) = e(Bi, [1]2) for i \in {0, .., m-1}`, where /// - `Ai = [open_proof_i] + u_i * [shifted_open_proof_i]` and /// - `Bi = eval_point_i * [open_proof_i] + u_i * next_eval_point_i * /// [shifted_open_proof_i] + comm_i - eval_i * [1]1`. + /// /// By Schwartz-Zippel lemma, it's equivalent to check that for a random r: /// - `e(A0 + ... + r^{m-1} * Am, [x]2) = e(B0 + ... + r^{m-1} * Bm, [1]2)`. pub(crate) fn batch_verify_opening_proofs( diff --git a/relation/src/constraint_system.rs b/relation/src/constraint_system.rs index 990606291..6d8d24fba 100644 --- a/relation/src/constraint_system.rs +++ b/relation/src/constraint_system.rs 
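Review bot: In the doc comment of `batch_verify_opening_proofs` in verifier.rs, the combined check ends at `r^{m-1} * Am` and `r^{m-1} * Bm`, but the line above indexes the proofs as `i \in {0, .., m-1}`, so the last terms should be `A_{m-1}` and `B_{m-1}`. The same paragraph calls the random-linear-combination check "equivalent" to the per-proof checks, whereas Schwartz-Zippel gives that only up to a soundness error over the choice of r. A verifier doc should say so, e.g. `/// By Schwartz-Zippel lemma, except with negligible probability over a random r, it suffices to check:`. It would also help to state how r is derived, since the hunk does not show it and the function body is outside the hunk.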
@@ -822,10 +822,10 @@ impl PlonkCircuit { self.eval_domain.size() != 1 } - /// Re-arrange the order of the gates so that + /// Re-arrange the order of the gates so that: /// 1. io gates are in the front. /// 2. variable table lookup gate are at the rear so that they do not affect - /// the range gates when merging the lookup tables. + /// the range gates when merging the lookup tables. /// /// Remember to pad gates before calling the method. fn rearrange_gates(&mut self) -> Result<(), CircuitError> { diff --git a/relation/src/gadgets/ecc/emulated/short_weierstrass.rs b/relation/src/gadgets/ecc/emulated/short_weierstrass.rs index 6dabf2c9f..06d801fff 100644 --- a/relation/src/gadgets/ecc/emulated/short_weierstrass.rs +++ b/relation/src/gadgets/ecc/emulated/short_weierstrass.rs 
@@ -153,28 +153,36 @@ impl PlonkCircuit { /// Constrain variable `p2` to be the point addition of `p0` and /// `p1` over an elliptic curve. /// Let p0 = (x0, y0, inf0), p1 = (x1, y1, inf1), p2 = (x2, y2, inf2) - /// The addition formula for affine points of sw curve is - /// If either p0 or p1 is infinity, then p2 equals to another point. + /// The addition formula for affine points of sw curve is as follows: + /// + /// If either p0 or p1 is infinity, then p2 equals to another point. /// 1. if p0 == p1 - /// - if y0 == 0 then inf2 = 1 - /// - Calculate s = (3 * x0^2 + a) / (2 * y0) - /// - x2 = s^2 - x0 - x1 - /// - y2 = s(x0 - x2) - y0 + /// - if y0 == 0 then inf2 = 1 + /// - Calculate s = (3 * x0^2 + a) / (2 * y0) + /// - x2 = s^2 - x0 - x1 + /// - y2 = s(x0 - x2) - y0 /// 2. Otherwise - /// - if x0 == x1 then inf2 = 1 - /// - Calculate s = (y0 - y1) / (x0 - x1) - /// - x2 = s^2 - x0 - x1 - /// - y2 = s(x0 - x2) - y0 + /// - if x0 == x1 then inf2 = 1 + /// - Calculate s = (y0 - y1) / (x0 - x1) + /// - x2 = s^2 - x0 - x1 + /// - y2 = s(x0 - x2) - y0 + /// /// The first case is equivalent to the following: + /// /// - inf0 == 1 || inf1 == 1 || x0 != x1 || y0 != y1 || y0 != 0 || inf2 == 0 /// - (x0 + x1 + x2) * (y0 + y0)^2 == (3 * x0^2 + a)^2 /// - (y2 + y0) * (y0 + y0) == (3 * x0^2 + a) (x0 - x2) + /// /// The second case is equivalent to the following: + /// /// - inf0 == 1 || inf1 == 1 || x0 != x1 || y0 == y1 || inf2 == 0 /// - (x0 - x1)^2 (x0 + x1 + x2) == (y0 - y1)^2 /// - (x0 - x2) (y0 - y1) == (y0 + y2) (x0 - x1) + /// /// First check in both cases can be combined into the following: + /// /// inf0 == 1 || inf1 == 1 || inf2 == 0 || x0 != x1 || (y0 == y1 && y0 != 0) + /// /// For the rest equality checks, /// - Both LHS and RHS must be multiplied with an indicator variable /// (!inf0 && !inf1). So that if either p0 or p1 is infinity, those