Merge pull request #651 from dusk-network/blinding

Add blinding scalars

README.md

@@ -105,7 +105,7 @@ let proof = {
             dusk_jubjub::GENERATOR_EXTENDED * JubJubScalar::from(2u64),
         ),
     };
-    circuit.prove(&pp, &pk, b"Test").unwrap()
+    circuit.prove(&pp, &pk, b"Test", &mut OsRng).unwrap()
 };
 
 // Verifier POV
@@ -160,11 +160,11 @@ There are two main types of documentation in this repository:
 
 ## Performance
 
-Benchmarks taken on `Intel(R) Core(TM) i9-9900X CPU @ 3.50GHz`
+Benchmarks taken on `Apple M1`
 For a circuit-size of `2^16` constraints/gates:
 
-- Proving time: `5.46s`
-- Verification time: `9.34ms`. **(This time will not vary depending on the circuit-size.)**
+- Proving time: `17.392s`
+- Verification time: `10.475ms`. **(This time will not vary depending on the circuit-size.)**
 
 For more results, please run `cargo bench` to get a full report of benchmarks in respect of constraint numbers.
 

benches/plonk.rs

@@ -8,6 +8,7 @@
 
 use criterion::{black_box, criterion_group, criterion_main, Criterion};
 use dusk_plonk::prelude::*;
+use rand_core::OsRng;
 
 #[derive(Debug, Clone, Copy)]
 struct BenchCircuit {
@@ -74,7 +75,7 @@ fn constraint_system_prove(
     label: &'static [u8],
 ) -> Proof {
     circuit
-        .prove(pp, pk, label)
+        .prove(pp, pk, label, &mut OsRng)
         .expect("Failed to prove bench circuit!")
 }
 
@@ -84,7 +85,7 @@ fn constraint_system_benchmark(c: &mut Criterion) {
 
     let rng = &mut rand_core::OsRng;
     let label = b"dusk-network";
-    let pp = PublicParameters::setup(1 << (final_degree - 1), rng)
+    let pp = PublicParameters::setup(1 << final_degree, rng)
         .expect("Failed to create PP");
 
     let data: Vec<(BenchCircuit, ProverKey, VerifierData, Proof)> =

src/circuit.rs

@@ -16,6 +16,7 @@ use canonical_derive::Canon;
 use dusk_bls12_381::BlsScalar;
 use dusk_bytes::{DeserializableSlice, Serializable, Write};
 use dusk_jubjub::{JubJubAffine, JubJubExtended, JubJubScalar};
+use rand_core::{CryptoRng, RngCore};
 
 #[derive(Default, Debug, Clone)]
 #[cfg_attr(feature = "canon", derive(Canon))]
@@ -218,7 +219,7 @@ impl VerifierData {
 ///         ),
 ///     };
 ///
-///     circuit.prove(&pp, &pk, b"Test")
+///     circuit.prove(&pp, &pk, b"Test", &mut OsRng)
 /// }?;
 ///
 /// // Verifier POV
@@ -245,6 +246,9 @@ where
 {
     /// Circuit identifier associated constant.
     const CIRCUIT_ID: [u8; 32];
+    /// Extra size needed for the circuit parameters. + 6 because adding the
+    /// blinding factors requires some extra elements for the SRS
+    const PARAMS_EXTRA_SIZE: usize = 6;
 
     /// Gadget implementation used to fill the composer.
     fn gadget(&mut self, composer: &mut TurboComposer) -> Result<(), Error>;
@@ -256,7 +260,8 @@ where
         pub_params: &PublicParameters,
     ) -> Result<(ProverKey, VerifierData), Error> {
         // Setup PublicParams
-        let (ck, _) = pub_params.trim(self.padded_gates())?;
+        let (ck, _) =
+            pub_params.trim(self.padded_gates() + Self::PARAMS_EXTRA_SIZE)?;
 
         // Generate & save `ProverKey` with some random values.
         let mut prover = Prover::new(b"CircuitCompilation");
@@ -290,13 +295,15 @@ where
 
     /// Generates a proof using the provided `CircuitInputs` & `ProverKey`
     /// instances.
-    fn prove(
+    fn prove<R: RngCore + CryptoRng>(
         &mut self,
         pub_params: &PublicParameters,
         prover_key: &ProverKey,
         transcript_init: &'static [u8],
+        rng: &mut R,
     ) -> Result<Proof, Error> {
-        let (ck, _) = pub_params.trim(self.padded_gates())?;
+        let (ck, _) =
+            pub_params.trim(self.padded_gates() + Self::PARAMS_EXTRA_SIZE)?;
 
         // New Prover instance
         let mut prover = Prover::new(transcript_init);
@@ -306,7 +313,7 @@ where
 
         // Add ProverKey to Prover
         prover.prover_key = Some(prover_key.clone());
-        prover.prove(&ck)
+        prover.prove(&ck, rng)
     }
 
     /// Verify the provided proof for the compiled verifier data

src/constraint_system/composer.rs

@@ -950,7 +950,7 @@ mod tests {
 
         // Compute multiple proofs
         for _ in 0..3 {
-            proofs.push(prover.prove(&ck).unwrap());
+            proofs.push(prover.prove(&ck, &mut OsRng).unwrap());
 
             // Add another witness instance
             dummy_gadget(10, prover.composer_mut());
@@ -1017,13 +1017,13 @@ mod tests {
         // So pre-fetch these before calling Prove
         let public_inputs = prover.cs.to_dense_public_inputs();
 
-        prover.prove(&ck).unwrap();
+        prover.prove(&ck, &mut OsRng).unwrap();
         drop(public_inputs);
     }
 
     #[test]
     fn test_plonkup_proof() -> Result<(), Error> {
-        let public_parameters = PublicParameters::setup(1 << 8, &mut OsRng)?;
+        let public_parameters = PublicParameters::setup(1 << 9, &mut OsRng)?;
 
         // Create a prover struct
         let mut prover = Prover::new(b"test");
@@ -1037,15 +1037,15 @@ mod tests {
         verifier.cs.lookup_table.insert_multi_mul(0, 3);
 
         // Commit and verifier key
-        let (ck, vk) = public_parameters.trim(1 << 7)?;
+        let (ck, vk) = public_parameters.trim(1 << 8)?;
 
         // Preprocess circuit
         prover.preprocess(&ck)?;
         verifier.preprocess(&ck)?;
 
         let public_inputs = prover.cs.to_dense_public_inputs();
 
-        let proof = prover.prove(&ck)?;
+        let proof = prover.prove(&ck, &mut OsRng)?;
 
         assert!(verifier.verify(&proof, &vk, &public_inputs).is_ok());
 

src/constraint_system/helper.rs

@@ -70,7 +70,7 @@ pub(crate) fn gadget_tester(
         let public_inputs = prover.cs.to_dense_public_inputs();
 
         // Compute Proof
-        (prover.prove(&ck)?, public_inputs)
+        (prover.prove(&ck, &mut OsRng)?, public_inputs)
     };
     // Verifiers view
     //
@@ -130,7 +130,7 @@ pub(crate) fn gadget_plonkup_tester(
         let public_inputs = prover.cs.to_dense_public_inputs();
 
         // Compute Proof
-        (prover.prove(&ck)?, public_inputs)
+        (prover.prove(&ck, &mut OsRng)?, public_inputs)
     };
     // Verifiers view
     //

src/permutation.rs

@@ -212,14 +212,14 @@ impl Permutation {
     // Uses a rayon multizip to allow more code flexibility while remaining
     // parallelizable. This can be adapted into a general product argument
     // for any number of wires.
-    pub(crate) fn compute_permutation_poly(
+    pub(crate) fn compute_permutation_vec(
         &self,
         domain: &EvaluationDomain,
         wires: [&[BlsScalar]; 4],
         beta: &BlsScalar,
         gamma: &BlsScalar,
         sigma_polys: [&Polynomial; 4],
-    ) -> Polynomial {
+    ) -> Vec<BlsScalar> {
         let n = domain.size();
 
         // Constants defining cosets H, k1H, k2H, etc
@@ -296,10 +296,10 @@ impl Permutation {
 
         assert_eq!(n, z.len());
 
-        Polynomial::from_coefficients_vec(domain.ifft(&z))
+        z
     }
 
-    pub(crate) fn compute_lookup_permutation_poly(
+    pub(crate) fn compute_lookup_permutation_vec(
         &self,
         domain: &EvaluationDomain,
         f: &[BlsScalar],
@@ -308,7 +308,7 @@ impl Permutation {
         h_2: &[BlsScalar],
         delta: &BlsScalar,
         epsilon: &BlsScalar,
-    ) -> Polynomial {
+    ) -> Vec<BlsScalar> {
         let n = domain.size();
 
         assert_eq!(f.len(), domain.size());
@@ -375,7 +375,7 @@ impl Permutation {
 
         assert_eq!(n, p.len());
 
-        Polynomial::from_coefficients_vec(domain.ifft(&p))
+        p
     }
 }
 
@@ -419,7 +419,7 @@ mod test {
     use rand_core::OsRng;
 
     #[test]
-    fn test_compute_lookup_permutation_poly() -> Result<(), Error> {
+    fn test_compute_lookup_permutation_vec() -> Result<(), Error> {
         // FIXME: use `usize` everywhere for such things
         const SIZE: u32 = 4;
 
@@ -449,9 +449,11 @@ mod test {
         let domain = EvaluationDomain::new(SIZE as usize)?;
         let perm = Permutation::new();
 
-        let poly = perm.compute_lookup_permutation_poly(
-            &domain, &f.0, &t.0, &h_1.0, &h_2.0, &delta, &epsilon,
-        );
+        let poly = Polynomial::from_coefficients_vec(domain.ifft(
+            &perm.compute_lookup_permutation_vec(
+                &domain, &f.0, &t.0, &h_1.0, &h_2.0, &delta, &epsilon,
+            ),
+        ));
 
         const TEST_VECTORS: [&str; 4] = [
             "0x0eaa2fe1c155cfb88bf91f7800c3b855fc67989c949da6cc87a68c9499680d1c",
@@ -888,18 +890,20 @@ mod test {
             .map(|v| Polynomial::from_coefficients_vec(domain.ifft(v)))
             .collect();
 
-        let mz = cs.perm.compute_permutation_poly(
-            &domain,
-            [&a_w_scalar, &b_w_scalar, &c_w_scalar, &d_w_scalar],
-            &beta,
-            &gamma,
-            [
-                &sigma_polys[0],
-                &sigma_polys[1],
-                &sigma_polys[2],
-                &sigma_polys[3],
-            ],
-        );
+        let mz = Polynomial::from_coefficients_vec(domain.ifft(
+            &cs.perm.compute_permutation_vec(
+                &domain,
+                [&a_w_scalar, &b_w_scalar, &c_w_scalar, &d_w_scalar],
+                &beta,
+                &gamma,
+                [
+                    &sigma_polys[0],
+                    &sigma_polys[1],
+                    &sigma_polys[2],
+                    &sigma_polys[3],
+                ],
+            ),
+        ));
 
         let old_z = Polynomial::from_coefficients_vec(domain.ifft(
             &compute_fast_permutation_poly(