diff --git a/CHANGELOG.md b/CHANGELOG.md index 9ed92773..546dca84 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## Unreleased +### Changed + +- Change variable names for more consistency with the paper [#631](https://github.com/dusk-network/plonk/issues/631) + ## [0.10.0] - 24-02-22 ## Changed diff --git a/README.md b/README.md index b15f36a3..bb21bc7c 100644 --- a/README.md +++ b/README.md @@ -6,6 +6,7 @@ _This is a pure Rust implementation of the PLONK proving system over BLS12-381_ + This library contains a modularised implementation of KZG10 as the default polynomial commitment scheme. @@ -60,7 +61,6 @@ impl Circuit for TestCircuit { // Make second constraint a * b = d let constraint = Constraint::new() .mult(1) - .output(1) .public(-self.d) .a(a) .b(b); @@ -70,7 +70,8 @@ impl Circuit for TestCircuit { let e = composer.append_witness(self.e); let scalar_mul_result = composer .component_mul_generator(e, dusk_jubjub::GENERATOR_EXTENDED); - // Apply the constrain + + // Apply the constraint composer.assert_equal_public_point(scalar_mul_result, self.f); Ok(()) } @@ -89,8 +90,9 @@ impl Circuit for TestCircuit { let pp = PublicParameters::setup(1 << 12, &mut OsRng).unwrap(); // Initialize the circuit let mut circuit = TestCircuit::default(); -// Compile the circuit +// Compile/preproces the circuit let (pk, vd) = circuit.compile(&pp).unwrap(); + // Prover POV let proof = { let mut circuit = TestCircuit { @@ -105,6 +107,7 @@ let proof = { }; circuit.prove(&pp, &pk, b"Test").unwrap() }; + // Verifier POV let public_inputs: Vec = vec![ BlsScalar::from(25u64).into(), @@ -128,9 +131,9 @@ TestCircuit::verify( This crate includes a variety of features which will briefly be explained below: - `alloc`: Enables the usage of an allocator and with it the capability of performing `Proof` constructions and verifications. Without this feature it **IS NOT** possible to prove or verify anything. - Its absence only makes `dusk-plonk` export certain fixed-size data structures such as `Proof` which can be useful in no_std envoirments where we don't have allocators either. -- `std`: Enables `std` usage as well as `rayon` parallelisation in some proving and verifying ops. - It also uses the `std` versions of the elliptic curve deps, which utilises the `parallel` feature + Its absence only makes `dusk-plonk` export certain fixed-size data structures such as `Proof` which can be useful in no_std environments where we don't have allocators either. +- `std`: Enables `std` usage as well as `rayon` parallelization in some proving and verifying ops. + It also uses the `std` versions of the elliptic curve deps, which utilizes the `parallel` feature from `dusk-bls12-381`. By default, this is the feature that comes enabled with the crate. - `trace`: Enables the Circuit debugger tooling. This is essentially the capability of using the `StandardComposer::check_circuit_satisfied` function. The function will output information about each circuit gate until @@ -140,8 +143,7 @@ This crate includes a variety of features which will briefly be explained below: values which make up the circuit that we're constructing. __The recommended method is to derive the std output, and the std error, and then place them in text file which can be used to efficiently analyse the gates.__ -- `canon`: Enables `canonical` serialisation for particular data structures, which is very useful in integrating - this library within the rest of the Dusk stack - especially for storage purposes. +- `canon`: Enables `canonical` serialization for particular data structures, which is very useful in integrating this library within the rest of the Dusk stack - especially for storage purposes. ## Documentation diff --git a/docs/notes-prove-verify.md b/docs/notes-prove-verify.md index 7fecf72b..98c588ae 100644 --- a/docs/notes-prove-verify.md +++ b/docs/notes-prove-verify.md @@ -10,7 +10,7 @@ SNARK construction, here we will give the set up of a PLONK proof and show which steps need to be satisfied -to utilise the protocol. +to utilize the protocol. First we will explain the derivation and simplification diff --git a/rust-toolchain b/rust-toolchain index 5d5883e8..7770335f 100644 --- a/rust-toolchain +++ b/rust-toolchain @@ -1 +1 @@ -nightly-2021-10-28 +nightly-2021-10-28 \ No newline at end of file diff --git a/src/bit_iterator.rs b/src/bit_iterator.rs index f5385ac0..4078142a 100644 --- a/src/bit_iterator.rs +++ b/src/bit_iterator.rs @@ -4,7 +4,7 @@ // // Copyright (c) DUSK NETWORK. All rights reserved. -//! Code taken from zcash repo and generalised as we do not have access to the +//! Code taken from zcash repo and generalized as we do not have access to the //! limbs use core::mem; diff --git a/src/circuit.rs b/src/circuit.rs index a0cea3a3..bc37090f 100644 --- a/src/circuit.rs +++ b/src/circuit.rs @@ -121,7 +121,7 @@ impl VerifierData { /// Trait that should be implemented for any circuit function to provide to it /// the capabilities of automatically being able to generate, and verify proofs -/// as well as compile the circuit. +/// as well as compile/preprocess the circuit. /// # Example /// /// ``` @@ -173,7 +173,6 @@ impl VerifierData { /// // Make second constraint a * b = d /// let constraint = Constraint::new() /// .mult(1) -/// .output(1) /// .public(-self.d) /// .a(a) /// .b(b); @@ -185,7 +184,7 @@ impl VerifierData { /// composer.component_mul_generator( /// e, dusk_jubjub::GENERATOR_EXTENDED, /// ); -/// // Apply the constrain +/// // Apply the constraint /// composer /// .assert_equal_public_point(scalar_mul_result, self.f); /// Ok(()) @@ -203,7 +202,7 @@ impl VerifierData { /// let pp = PublicParameters::setup(1 << 12, &mut OsRng)?; /// // Initialize the circuit /// let mut circuit = TestCircuit::default(); -/// // Compile the circuit +/// // Compile/preprocess the circuit /// let (pk, vd) = circuit.compile(&pp)?; /// /// // Prover POV diff --git a/src/commitment_scheme.rs b/src/commitment_scheme.rs index f8efcbe3..3591f625 100644 --- a/src/commitment_scheme.rs +++ b/src/commitment_scheme.rs @@ -5,14 +5,14 @@ // Copyright (c) DUSK NETWORK. All rights reserved. //! Ideally we should cleanly abstract away the polynomial commitment scheme -//! We note that PLONK makes use of the linearisation technique +//! We note that PLONK makes use of the linearization technique //! conceived in SONIC [Mary Maller]. //! //! This technique implicitly requires the //! commitment scheme to be homomorphic. `Merkle Tree like` techniques such as //! FRI are not homomorphic and therefore for PLONK to be usable with all //! commitment schemes without modification, one would need to remove the -//! lineariser +//! linearizer mod kzg10; diff --git a/src/commitment_scheme/kzg10/key.rs b/src/commitment_scheme/kzg10/key.rs index fb2c1d22..668eda53 100644 --- a/src/commitment_scheme/kzg10/key.rs +++ b/src/commitment_scheme/kzg10/key.rs @@ -82,7 +82,7 @@ impl CommitKey { Self { powers_of_g } } - /// Serialises the [`CommitKey`] into a byte slice. + /// Serializes the [`CommitKey`] into a byte slice. pub fn to_var_bytes(&self) -> Vec { self.powers_of_g .iter() @@ -90,7 +90,7 @@ impl CommitKey { .collect() } - /// Deserialise a slice of bytes into a [`CommitKey`] struct performing + /// Deserialize a slice of bytes into a [`CommitKey`] struct performing /// security and consistency checks for each point that the bytes /// contain. /// @@ -173,7 +173,7 @@ impl CommitKey { /// Computes a single witness for multiple polynomials at the same point, by /// taking a random linear combination of the individual witnesses. - /// We apply the same optimisation mentioned in when computing each witness; + /// We apply the same optimization mentioned in when computing each witness; /// removing f(z). pub(crate) fn compute_aggregate_witness( &self, @@ -181,15 +181,15 @@ impl CommitKey { point: &BlsScalar, transcript: &mut Transcript, ) -> Polynomial { - let challenge = transcript.challenge_scalar(b"aggregate_witness"); - let powers = util::powers_of(&challenge, polynomials.len() - 1); + let v_challenge = transcript.challenge_scalar(b"v_challenge"); + let powers = util::powers_of(&v_challenge, polynomials.len() - 1); assert_eq!(powers.len(), polynomials.len()); let numerator: Polynomial = polynomials .iter() .zip(powers.iter()) - .map(|(poly, challenge)| poly * challenge) + .map(|(poly, v_challenge)| poly * v_challenge) .sum(); numerator.ruffini(*point) } @@ -264,22 +264,23 @@ impl OpeningKey { let mut total_c = G1Projective::identity(); let mut total_w = G1Projective::identity(); - let challenge = transcript.challenge_scalar(b"batch"); // XXX: Verifier can add their own randomness at this point - let powers = util::powers_of(&challenge, proofs.len() - 1); + let u_challenge = transcript.challenge_scalar(b"batch"); // XXX: Verifier can add their own randomness at this point + let powers = util::powers_of(&u_challenge, proofs.len() - 1); // Instead of multiplying g and gamma_g in each turn, we simply // accumulate their coefficients and perform a final // multiplication at the end. let mut g_multiplier = BlsScalar::zero(); - for ((proof, challenge), point) in proofs.iter().zip(powers).zip(points) + for ((proof, u_challenge), point) in + proofs.iter().zip(powers).zip(points) { let mut c = G1Projective::from(proof.commitment_to_polynomial.0); let w = proof.commitment_to_witness.0; c += w * point; - g_multiplier += challenge * proof.evaluated_point; + g_multiplier += u_challenge * proof.evaluated_point; - total_c += c * challenge; - total_w += w * challenge; + total_c += c * u_challenge; + total_w += w * u_challenge; } total_c -= self.g * g_multiplier; diff --git a/src/commitment_scheme/kzg10/proof.rs b/src/commitment_scheme/kzg10/proof.rs index 008c4777..afd7fa5d 100644 --- a/src/commitment_scheme/kzg10/proof.rs +++ b/src/commitment_scheme/kzg10/proof.rs @@ -26,6 +26,7 @@ pub(crate) mod alloc { use super::*; use crate::transcript::TranscriptProtocol; use crate::util::powers_of; + #[rustfmt::skip] use ::alloc::vec::Vec; use dusk_bls12_381::G1Projective; use merlin::Transcript; @@ -47,7 +48,7 @@ pub(crate) mod alloc { } impl AggregateProof { - /// Initialises an `AggregatedProof` with the commitment to the witness. + /// Initializes an `AggregatedProof` with the commitment to the witness. pub(crate) fn with_witness(witness: Commitment) -> AggregateProof { AggregateProof { commitment_to_witness: witness, @@ -67,9 +68,9 @@ pub(crate) mod alloc { /// The transcript must have the same view as the transcript that was /// used to aggregate the witness in the proving stage. pub(crate) fn flatten(&self, transcript: &mut Transcript) -> Proof { - let challenge = transcript.challenge_scalar(b"aggregate_witness"); + let v_challenge = transcript.challenge_scalar(b"v_challenge"); let powers = powers_of( - &challenge, + &v_challenge, self.commitments_to_polynomials.len() - 1, ); @@ -89,15 +90,15 @@ pub(crate) mod alloc { let flattened_poly_evaluations_iter = self.evaluated_points.par_iter().zip(powers.par_iter()); - // Flattened polynomial commitments using challenge + // Flattened polynomial commitments using challenge `v` let flattened_poly_commitments: G1Projective = flattened_poly_commitments_iter - .map(|(poly, challenge)| poly.0 * challenge) + .map(|(poly, v_challenge)| poly.0 * v_challenge) .sum(); // Flattened evaluation points let flattened_poly_evaluations: BlsScalar = flattened_poly_evaluations_iter - .map(|(eval, challenge)| eval * challenge) + .map(|(eval, v_challenge)| eval * v_challenge) .sum(); Proof { diff --git a/src/commitment_scheme/kzg10/srs.rs b/src/commitment_scheme/kzg10/srs.rs index 77ef7b13..ac2315f4 100644 --- a/src/commitment_scheme/kzg10/srs.rs +++ b/src/commitment_scheme/kzg10/srs.rs @@ -52,32 +52,32 @@ impl PublicParameters { return Err(Error::DegreeIsZero); } - // Generate the secret scalar beta - let beta = util::random_scalar(&mut rng); + // Generate the secret scalar x + let x = util::random_scalar(&mut rng); - // Compute powers of beta up to and including beta^max_degree - let powers_of_beta = util::powers_of(&beta, max_degree); + // Compute powers of x up to and including x^max_degree + let powers_of_x = util::powers_of(&x, max_degree); // Powers of G1 that will be used to commit to a specified polynomial let g = util::random_g1_point(&mut rng); let powers_of_g: Vec = - util::slow_multiscalar_mul_single_base(&powers_of_beta, g); + util::slow_multiscalar_mul_single_base(&powers_of_x, g); assert_eq!(powers_of_g.len(), max_degree + 1); - // Normalise all projective points - let mut normalised_g = vec![G1Affine::identity(); max_degree + 1]; - G1Projective::batch_normalize(&powers_of_g, &mut normalised_g); + // Normalize all projective points + let mut normalized_g = vec![G1Affine::identity(); max_degree + 1]; + G1Projective::batch_normalize(&powers_of_g, &mut normalized_g); - // Compute beta*G2 element and stored cached elements for verifying + // Compute x_2 = x*h element and stored cached elements for verifying // multiple proofs. let h: G2Affine = util::random_g2_point(&mut rng).into(); - let beta_h: G2Affine = (h * beta).into(); + let x_2: G2Affine = (h * x).into(); Ok(PublicParameters { commit_key: CommitKey { - powers_of_g: normalised_g, + powers_of_g: normalized_g, }, - opening_key: OpeningKey::new(g.into(), h, beta_h), + opening_key: OpeningKey::new(g.into(), h, x_2), }) } @@ -126,14 +126,14 @@ impl PublicParameters { } } - /// Serialises a [`PublicParameters`] struct into a slice of bytes. + /// Serializes a [`PublicParameters`] struct into a slice of bytes. pub fn to_var_bytes(&self) -> Vec { let mut bytes = self.opening_key.to_bytes().to_vec(); bytes.extend(self.commit_key.to_var_bytes().iter()); bytes } - /// Deserialise a slice of bytes into a Public Parameter struct performing + /// Deserialize a slice of bytes into a Public Parameter struct performing /// security and consistency checks for each point that the bytes /// contain. /// @@ -206,7 +206,7 @@ mod test { } #[test] - fn test_serialise_deserialise_public_parameter() { + fn test_serialize_deserialize_public_parameter() { let pp = PublicParameters::setup(1 << 7, &mut OsRng).unwrap(); let got_pp = PublicParameters::from_slice(&pp.to_var_bytes()).unwrap(); diff --git a/src/constraint_system/composer.rs b/src/constraint_system/composer.rs index fb50768f..a2786ff4 100644 --- a/src/constraint_system/composer.rs +++ b/src/constraint_system/composer.rs @@ -30,26 +30,26 @@ use hashbrown::HashMap; /// repository provides so that circuit descriptions can be written, stored and /// transformed into a [`Proof`](crate::proof_system::Proof) at some point. /// -/// A TurboComposer stores all of the circuit information, being this one +/// A TurboComposer stores all of the circuit information, this one being /// all of the witness and circuit descriptors info (values, positions in the /// circuits, gates and Wires that occupy..), the public inputs, the connection -/// relationships between the witnesses and how they're repesented as Wires (so +/// relationships between the witnesses and how they're represented as Wires (so /// basically the Permutation argument etc..). /// /// The TurboComposer also grants us a way to introduce our secret witnesses in -/// a for of a [`Witness`] into the circuit description as well as the public -/// inputs. We can do this with methods like [`TurboComposer::append_witness`]. +/// into the circuit description as well as the public inputs. We can do this +/// with methods like [`TurboComposer::append_witness`]. /// -/// The TurboComposer also contains as associated functions all the -/// neccessary tools to be able to istrument the circuits that the user needs +/// The TurboComposer also contains as associated functions all the necessary +/// tools to be able to instrument the circuits that the user needs /// through the addition of gates. There are functions that may add a single /// gate to the circuit as for example [`TurboComposer::gate_add`] and others /// that can add several gates to the circuit description such as /// [`TurboComposer::component_select`]. /// -/// Each gate or group of gates adds an specific functionallity or operation to -/// de circuit description, and so, that's why we can understand -/// the TurboComposer as a builder. +/// Each gate or group of gates adds a specific functionality or operation to +/// the circuit description, and so, that's why we can understand the +/// TurboComposer as a builder. #[derive(Debug)] pub struct TurboComposer { /// Number of arithmetic gates in the circuit @@ -64,22 +64,24 @@ pub struct TurboComposer { pub(crate) q_r: Vec, /// Output wire selector pub(crate) q_o: Vec, - /// Fourth wire selector - pub(crate) q_4: Vec, /// Constant wire selector pub(crate) q_c: Vec, - /// Arithmetic wire selector + /// Fourth wire selector added for efficiency of implementation + pub(crate) q_4: Vec, + /// Plonkup gate wire selector + pub(crate) q_k: Vec, + /// Arithmetic wire selector added for efficiency of implementation pub(crate) q_arith: Vec, - /// Range selector + /// Range selector added for efficiency of implementation pub(crate) q_range: Vec, - /// Logic selector + /// Logic selector added for efficiency of implementation pub(crate) q_logic: Vec, - /// Fixed base group addition selector + /// Fixed base group addition selector added for efficiency of + /// implementation pub(crate) q_fixed_group_add: Vec, - /// Variable base group addition selector + /// Variable base group addition selector added for efficiency of + /// implementation pub(crate) q_variable_group_add: Vec, - /// Plonkup gate wire selector - pub(crate) q_lookup: Vec, /// Sparse representation of the Public Inputs linking the positions of the /// non-zero ones to it's actual values. @@ -87,13 +89,13 @@ pub struct TurboComposer { // Witness vectors /// Left wire witness vector. - pub(crate) w_l: Vec, + pub(crate) a_w: Vec, /// Right wire witness vector. - pub(crate) w_r: Vec, + pub(crate) b_w: Vec, /// Output wire witness vector. - pub(crate) w_o: Vec, - /// Fourth wire witness vector. - pub(crate) w_4: Vec, + pub(crate) c_w: Vec, + /// Fourth wire witness vector added for efficiency of implementation. + pub(crate) d_w: Vec, /// Public lookup table pub(crate) lookup_table: LookupTable, @@ -163,8 +165,8 @@ impl Default for TurboComposer { } impl TurboComposer { - /// Generates a new empty `TurboComposer` with all of it's fields - /// set to hold an initial capacity of 0. + /// Generates a new empty `TurboComposer` with all of it's fields set to + /// hold an initial capacity of 0. /// /// # Note /// @@ -199,18 +201,18 @@ impl TurboComposer { q_o: Vec::with_capacity(size), q_c: Vec::with_capacity(size), q_4: Vec::with_capacity(size), + q_k: Vec::with_capacity(size), q_arith: Vec::with_capacity(size), q_range: Vec::with_capacity(size), q_logic: Vec::with_capacity(size), q_fixed_group_add: Vec::with_capacity(size), q_variable_group_add: Vec::with_capacity(size), - q_lookup: Vec::with_capacity(size), public_inputs_sparse_store: BTreeMap::new(), - w_l: Vec::with_capacity(size), - w_r: Vec::with_capacity(size), - w_o: Vec::with_capacity(size), - w_4: Vec::with_capacity(size), + a_w: Vec::with_capacity(size), + b_w: Vec::with_capacity(size), + c_w: Vec::with_capacity(size), + d_w: Vec::with_capacity(size), lookup_table: LookupTable::new(), @@ -282,12 +284,12 @@ impl TurboComposer { let q_logic = *s.coeff(Selector::Logic); let q_fixed_group_add = *s.coeff(Selector::GroupAddFixedBase); let q_variable_group_add = *s.coeff(Selector::GroupAddVariableBase); - let q_lookup = *s.coeff(Selector::Lookup); + let q_k = *s.coeff(Selector::Lookup); - self.w_l.push(a); - self.w_r.push(b); - self.w_o.push(o); - self.w_4.push(d); + self.a_w.push(a); + self.b_w.push(b); + self.c_w.push(o); + self.d_w.push(d); // Add selector vectors self.q_m.push(q_m); @@ -296,13 +298,13 @@ impl TurboComposer { self.q_o.push(q_o); self.q_4.push(q_4); self.q_c.push(q_c); + self.q_k.push(q_k); self.q_arith.push(q_arith); self.q_range.push(q_range); self.q_logic.push(q_logic); self.q_fixed_group_add.push(q_fixed_group_add); self.q_variable_group_add.push(q_variable_group_add); - self.q_lookup.push(q_lookup); if s.has_public_input() { self.public_inputs_sparse_store.insert(self.n, pi); @@ -491,20 +493,20 @@ impl TurboComposer { self.q_o.push(BlsScalar::from(4)); self.q_c.push(BlsScalar::from(4)); self.q_4.push(BlsScalar::one()); + self.q_k.push(BlsScalar::one()); self.q_arith.push(BlsScalar::one()); self.q_range.push(BlsScalar::zero()); self.q_logic.push(BlsScalar::zero()); self.q_fixed_group_add.push(BlsScalar::zero()); self.q_variable_group_add.push(BlsScalar::zero()); - self.q_lookup.push(BlsScalar::one()); let var_six = self.append_witness(BlsScalar::from(6)); let var_one = self.append_witness(BlsScalar::from(1)); let var_seven = self.append_witness(BlsScalar::from(7)); let var_min_twenty = self.append_witness(-BlsScalar::from(20)); - self.w_l.push(var_six); - self.w_r.push(var_seven); - self.w_o.push(var_min_twenty); - self.w_4.push(var_one); + self.a_w.push(var_six); + self.b_w.push(var_seven); + self.c_w.push(var_min_twenty); + self.d_w.push(var_one); self.perm.add_variables_to_map( var_six, var_seven, @@ -521,16 +523,16 @@ impl TurboComposer { self.q_o.push(BlsScalar::from(1)); self.q_c.push(BlsScalar::from(127)); self.q_4.push(BlsScalar::zero()); + self.q_k.push(BlsScalar::one()); self.q_arith.push(BlsScalar::one()); self.q_range.push(BlsScalar::zero()); self.q_logic.push(BlsScalar::zero()); self.q_fixed_group_add.push(BlsScalar::zero()); self.q_variable_group_add.push(BlsScalar::zero()); - self.q_lookup.push(BlsScalar::one()); - self.w_l.push(var_min_twenty); - self.w_r.push(var_six); - self.w_o.push(var_seven); - self.w_4.push(Self::constant_zero()); + self.a_w.push(var_min_twenty); + self.b_w.push(var_six); + self.c_w.push(var_seven); + self.d_w.push(Self::constant_zero()); self.perm.add_variables_to_map( var_min_twenty, var_six, @@ -614,25 +616,25 @@ impl TurboComposer { #[cfg(feature = "trace")] #[allow(dead_code)] pub(crate) fn check_circuit_satisfied(&self) { - let w_l: Vec<&BlsScalar> = self - .w_l + let a_w: Vec<&BlsScalar> = self + .a_w .iter() - .map(|w_l_i| self.witnesses.get(w_l_i).unwrap()) + .map(|a_w_i| self.witnesses.get(a_w_i).unwrap()) .collect(); - let w_r: Vec<&BlsScalar> = self - .w_r + let b_w: Vec<&BlsScalar> = self + .b_w .iter() - .map(|w_r_i| self.witnesses.get(w_r_i).unwrap()) + .map(|b_w_i| self.witnesses.get(b_w_i).unwrap()) .collect(); - let w_o: Vec<&BlsScalar> = self - .w_o + let c_w: Vec<&BlsScalar> = self + .c_w .iter() - .map(|w_o_i| self.witnesses.get(w_o_i).unwrap()) + .map(|c_w_i| self.witnesses.get(c_w_i).unwrap()) .collect(); - let w_4: Vec<&BlsScalar> = self - .w_4 + let d_w: Vec<&BlsScalar> = self + .d_w .iter() - .map(|w_4_i| self.witnesses.get(w_4_i).unwrap()) + .map(|d_w_i| self.witnesses.get(d_w_i).unwrap()) .collect(); // Computes f(f-1)(f-2)(f-3) @@ -660,13 +662,13 @@ impl TurboComposer { let qvar = self.q_variable_group_add[i]; let pi = pi_vec[i]; - let a = w_l[i]; - let a_next = w_l[(i + 1) % self.n]; - let b = w_r[i]; - let b_next = w_r[(i + 1) % self.n]; - let c = w_o[i]; - let d = w_4[i]; - let d_next = w_4[(i + 1) % self.n]; + let a = a_w[i]; + let a_next = a_w[(i + 1) % self.n]; + let b = b_w[i]; + let b_next = b_w[(i + 1) % self.n]; + let c = c_w[i]; + let d = d_w[i]; + let d_next = d_w[(i + 1) % self.n]; #[cfg(all(feature = "trace-print", feature = "std"))] std::println!( @@ -685,10 +687,10 @@ impl TurboComposer { - q_fixed_group_add -> {:?}\n - q_variable_group_add -> {:?}\n # Witness polynomials:\n - - w_l -> {:?}\n - - w_r -> {:?}\n - - w_o -> {:?}\n - - w_4 -> {:?}\n", + - a_w -> {:?}\n + - b_w -> {:?}\n + - c_w -> {:?}\n + - d_w -> {:?}\n", i, qm, ql, @@ -755,10 +757,10 @@ impl TurboComposer { d: Witness, pi: Option, ) -> Witness { - self.w_l.push(a); - self.w_r.push(b); - self.w_o.push(c); - self.w_4.push(d); + self.a_w.push(a); + self.b_w.push(b); + self.c_w.push(c); + self.d_w.push(d); // Add selector vectors self.q_l.push(BlsScalar::zero()); @@ -766,6 +768,10 @@ impl TurboComposer { self.q_o.push(BlsScalar::zero()); self.q_c.push(BlsScalar::zero()); self.q_4.push(BlsScalar::zero()); + // For a lookup gate, only one selector poly is + // turned on as the output is inputted directly + self.q_k.push(BlsScalar::one()); + self.q_arith.push(BlsScalar::zero()); self.q_m.push(BlsScalar::zero()); self.q_range.push(BlsScalar::zero()); @@ -773,10 +779,6 @@ impl TurboComposer { self.q_fixed_group_add.push(BlsScalar::zero()); self.q_variable_group_add.push(BlsScalar::zero()); - // For a lookup gate, only one selector poly is - // turned on as the output is inputted directly - self.q_lookup.push(BlsScalar::one()); - if let Some(pi) = pi { debug_assert!(self.public_inputs_sparse_store.get(&self.n).is_none(), "The invariant of already having a PI inserted for this position should never exist"); @@ -784,13 +786,11 @@ impl TurboComposer { } self.perm.add_variables_to_map(a, b, c, d, self.n); - self.n += 1; - c } - /// When [`TurboComposer`] is initialised, it spawns a dummy table + /// When [`TurboComposer`] is initialized, it spawns a dummy table /// with 3 entries that should not be removed. This function appends /// its input table to the composer's dummy table pub fn append_plonkup_table(&mut self, table: &LookupTable) { diff --git a/src/constraint_system/ecc/curve_addition/fixed_base_gate.rs b/src/constraint_system/ecc/curve_addition/fixed_base_gate.rs index 9c4e6462..86452162 100644 --- a/src/constraint_system/ecc/curve_addition/fixed_base_gate.rs +++ b/src/constraint_system/ecc/curve_addition/fixed_base_gate.rs @@ -42,10 +42,10 @@ impl TurboComposer { &mut self, wnaf_round: WnafRound, ) { - self.w_l.push(wnaf_round.acc_x.into()); - self.w_r.push(wnaf_round.acc_y.into()); - self.w_o.push(wnaf_round.xy_alpha.into()); - self.w_4.push(wnaf_round.accumulated_bit.into()); + self.a_w.push(wnaf_round.acc_x.into()); + self.b_w.push(wnaf_round.acc_y.into()); + self.c_w.push(wnaf_round.xy_alpha.into()); + self.d_w.push(wnaf_round.accumulated_bit.into()); self.q_l.push(wnaf_round.x_beta); self.q_r.push(wnaf_round.y_beta); @@ -60,7 +60,7 @@ impl TurboComposer { self.q_arith.push(BlsScalar::zero()); self.q_range.push(BlsScalar::zero()); self.q_logic.push(BlsScalar::zero()); - self.q_lookup.push(BlsScalar::zero()); + self.q_k.push(BlsScalar::zero()); self.perm.add_variables_to_map( wnaf_round.acc_x, diff --git a/src/constraint_system/ecc/curve_addition/variable_base_gate.rs b/src/constraint_system/ecc/curve_addition/variable_base_gate.rs index dd47928c..26e4705f 100644 --- a/src/constraint_system/ecc/curve_addition/variable_base_gate.rs +++ b/src/constraint_system/ecc/curve_addition/variable_base_gate.rs @@ -51,10 +51,10 @@ impl TurboComposer { // The function must be a special case of `append_gate` because of // `q_arith` and `q_variable_group_add` - self.w_l.extend(&[x_1, x_3]); - self.w_r.extend(&[y_1, y_3]); - self.w_o.extend(&[x_2, Self::constant_zero()]); - self.w_4.extend(&[y_2, x_1_y_2]); + self.a_w.extend(&[x_1, x_3]); + self.b_w.extend(&[y_1, y_3]); + self.c_w.extend(&[x_2, Self::constant_zero()]); + self.d_w.extend(&[y_2, x_1_y_2]); let zeros = [BlsScalar::zero(), BlsScalar::zero()]; self.q_l.extend(&zeros); @@ -67,7 +67,7 @@ impl TurboComposer { self.q_range.extend(&zeros); self.q_logic.extend(&zeros); self.q_fixed_group_add.extend(&zeros); - self.q_lookup.extend(&zeros); + self.q_k.extend(&zeros); self.q_variable_group_add.push(BlsScalar::one()); self.q_variable_group_add.push(BlsScalar::zero()); diff --git a/src/constraint_system/ecc/scalar_mul/fixed_base.rs b/src/constraint_system/ecc/scalar_mul/fixed_base.rs index f1997d46..978ad2ee 100644 --- a/src/constraint_system/ecc/scalar_mul/fixed_base.rs +++ b/src/constraint_system/ecc/scalar_mul/fixed_base.rs @@ -63,7 +63,7 @@ impl TurboComposer { let wnaf_entries = raw_jubjub_scalar.compute_windowed_naf(2); assert_eq!(wnaf_entries.len(), num_bits); - // Initialise the accumulators + // Initialize the accumulators let mut scalar_acc = vec![BlsScalar::zero()]; let mut point_acc = vec![JubJubAffine::identity()]; diff --git a/src/constraint_system/logic.rs b/src/constraint_system/logic.rs index 7c88145a..19a7feda 100644 --- a/src/constraint_system/logic.rs +++ b/src/constraint_system/logic.rs @@ -69,8 +69,8 @@ impl TurboComposer { // * | : | : | : | : | // * | an | bn | --- | cn | // * +-----+-----+-----+-----+ - // We need to have w_4, w_l and w_r pointing to one gate ahead of w_o. - // We increase the gate idx and assign w_4, w_l and w_r to `zero`. + // We need to have d_w, a_w and b_w pointing to one gate ahead of c_w. + // We increase the gate idx and assign d_w, a_w and b_w to `zero`. // Now we can add the first row as: `| 0 | 0 | -- | 0 |`. // Note that `w_1` will be set on the first loop iteration. self.perm @@ -83,9 +83,9 @@ impl TurboComposer { Self::constant_zero(), WireData::Fourth(self.n), ); - self.w_l.push(Self::constant_zero()); - self.w_r.push(Self::constant_zero()); - self.w_4.push(Self::constant_zero()); + self.a_w.push(Self::constant_zero()); + self.b_w.push(Self::constant_zero()); + self.d_w.push(Self::constant_zero()); // Increase the gate index so we can add the following rows in the // correct order. self.n += 1; @@ -209,16 +209,16 @@ impl TurboComposer { self.perm .add_variable_to_map(var_c, WireData::Output(self.n - 1)); // Push the variables to it's actual wire vector storage - self.w_l.push(var_a); - self.w_r.push(var_b); - self.w_o.push(var_c); - self.w_4.push(var_4); + self.a_w.push(var_a); + self.b_w.push(var_b); + self.c_w.push(var_c); + self.d_w.push(var_4); // Update the gate index self.n += 1; } // We have one missing value for the last row of the program memory - // which is `w_o` since the rest of wires are pointing one gate + // which is `c_w` since the rest of wires are pointing one gate // ahead. To fix this, we simply pad with a 0 so the last row of // the program memory will look like this: // | an | bn | --- | cn | @@ -226,7 +226,7 @@ impl TurboComposer { Self::constant_zero(), WireData::Output(self.n - 1), ); - self.w_o.push(Self::constant_zero()); + self.c_w.push(Self::constant_zero()); // Now the wire values are set for each gate, indexed and mapped in the // `variable_map` inside of the `Permutation` struct. @@ -242,7 +242,7 @@ impl TurboComposer { self.q_range.push(BlsScalar::zero()); self.q_fixed_group_add.push(BlsScalar::zero()); self.q_variable_group_add.push(BlsScalar::zero()); - self.q_lookup.push(BlsScalar::zero()); + self.q_k.push(BlsScalar::zero()); match is_component_xor { true => { self.q_c.push(-BlsScalar::one()); @@ -264,7 +264,7 @@ impl TurboComposer { self.q_range.push(BlsScalar::zero()); self.q_fixed_group_add.push(BlsScalar::zero()); self.q_variable_group_add.push(BlsScalar::zero()); - self.q_lookup.push(BlsScalar::zero()); + self.q_k.push(BlsScalar::zero()); self.q_c.push(BlsScalar::zero()); self.q_logic.push(BlsScalar::zero()); @@ -280,27 +280,27 @@ impl TurboComposer { // original values introduced in the function taking into account the // bitnum specified on the fn call parameters. // This can be done with an `assert_equal` constraint gate or simply - // by taking the values behind the n'th variables of `w_l` & `w_r` and + // by taking the values behind the n'th variables of `a_w` & `b_w` and // checking that they're equal to the original ones behind the variables // sent through the function parameters. assert_eq!( self.witnesses[&a] & (BlsScalar::from(2u64).pow(&[(num_bits) as u64, 0, 0, 0]) - BlsScalar::one()), - self.witnesses[&self.w_l[self.n - 1]] + self.witnesses[&self.a_w[self.n - 1]] ); assert_eq!( self.witnesses[&b] & (BlsScalar::from(2u64).pow(&[(num_bits) as u64, 0, 0, 0]) - BlsScalar::one()), - self.witnesses[&self.w_r[self.n - 1]] + self.witnesses[&self.b_w[self.n - 1]] ); // Once the inputs are checked against the accumulated additions, // we can safely return the resulting variable of the gate computation // which is stored on the last program memory row and in the column that - // `w_4` is holding. - self.w_4[self.w_4.len() - 1] + // `d_w` is holding. + self.d_w[self.d_w.len() - 1] } /// Adds a logical XOR gate that performs the XOR between two values for the diff --git a/src/constraint_system/range.rs b/src/constraint_system/range.rs index 3ab64aea..61085d54 100644 --- a/src/constraint_system/range.rs +++ b/src/constraint_system/range.rs @@ -32,19 +32,19 @@ impl TurboComposer { let wire_data = match i % 4 { 0 => { - composer.w_4.push(witness); + composer.d_w.push(witness); WireData::Fourth(gate_index) } 1 => { - composer.w_o.push(witness); + composer.c_w.push(witness); WireData::Output(gate_index) } 2 => { - composer.w_r.push(witness); + composer.b_w.push(witness); WireData::Right(gate_index) } 3 => { - composer.w_l.push(witness); + composer.a_w.push(witness); WireData::Left(gate_index) } _ => unreachable!(), @@ -174,7 +174,7 @@ impl TurboComposer { self.q_variable_group_add.extend(zeros.iter()); self.q_range.extend(ones.iter()); self.q_logic.extend(zeros.iter()); - self.q_lookup.extend(zeros.iter()); + self.q_k.extend(zeros.iter()); self.n += used_gates; // As mentioned above, we must switch off the range constraint for the @@ -182,9 +182,9 @@ impl TurboComposer { // wire, which will be used in the gate before it // Furthermore, we set the left, right and output wires to zero *self.q_range.last_mut().unwrap() = BlsScalar::zero(); - self.w_l.push(Self::constant_zero()); - self.w_r.push(Self::constant_zero()); - self.w_o.push(Self::constant_zero()); + self.a_w.push(Self::constant_zero()); + self.b_w.push(Self::constant_zero()); + self.c_w.push(Self::constant_zero()); // Lastly, we must link the last accumulator value to the initial // witness This last constraint will pass as long as diff --git a/src/fft/domain.rs b/src/fft/domain.rs index 444c7523..162f2e8b 100644 --- a/src/fft/domain.rs +++ b/src/fft/domain.rs @@ -88,6 +88,7 @@ pub(crate) mod alloc { use super::*; use crate::error::Error; use crate::fft::Evaluations; + #[rustfmt::skip] use ::alloc::vec::Vec; use core::ops::MulAssign; use dusk_bls12_381::{GENERATOR, ROOT_OF_UNITY, TWO_ADACITY}; diff --git a/src/lib.rs b/src/lib.rs index 06ff4fe8..9d121ec4 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -36,9 +36,6 @@ //! this one done by the creators of the protocol: //! //! -//! -//! If you want to see library usage examples, please check: -//! // Bitshift/Bitwise ops are allowed to gain performance. #![allow(clippy::suspicious_arithmetic_impl)] @@ -57,11 +54,11 @@ cfg_if::cfg_if!( if #[cfg(feature = "alloc")] { - /// `macro_use` will declare `vec!`. However, if `libstd` is present, then this is declared in - /// the prelude and there will be a conflicting implementation. + /// `macro_use` will declare `vec!`. However, if `libstd` is present, then this + /// is declared in the prelude and there will be a conflicting implementation. /// - /// We might have `no_std + alloc` or `std + alloc`, but `macro_use` should be used only for - /// `no_std` + /// We might have `no_std + alloc` or `std + alloc`, but `macro_use` should be + /// used only for `no_std` #[cfg_attr(not(feature = "std"), macro_use)] extern crate alloc; diff --git a/src/permutation.rs b/src/permutation.rs index 8cf5b99a..808c9069 100644 --- a/src/permutation.rs +++ b/src/permutation.rs @@ -49,7 +49,7 @@ impl Permutation { let var = Witness::new(self.variable_map.keys().len()); // Allocate space for the Witness on the variable_map - // Each vector is initialised with a capacity of 16. + // Each vector is initialized with a capacity of 16. // This number is a best guess estimate. self.variable_map.insert(var, Vec::with_capacity(16usize)); @@ -187,26 +187,25 @@ impl Permutation { assert_eq!(sigmas[3].len(), n); // define the sigma permutations using two non quadratic residues - let left_sigma = self.compute_permutation_lagrange(&sigmas[0], domain); - let right_sigma = self.compute_permutation_lagrange(&sigmas[1], domain); - let out_sigma = self.compute_permutation_lagrange(&sigmas[2], domain); - let fourth_sigma = - self.compute_permutation_lagrange(&sigmas[3], domain); - - let left_sigma_poly = - Polynomial::from_coefficients_vec(domain.ifft(&left_sigma)); - let right_sigma_poly = - Polynomial::from_coefficients_vec(domain.ifft(&right_sigma)); - let out_sigma_poly = - Polynomial::from_coefficients_vec(domain.ifft(&out_sigma)); - let fourth_sigma_poly = - Polynomial::from_coefficients_vec(domain.ifft(&fourth_sigma)); + let s_sigma_1 = self.compute_permutation_lagrange(&sigmas[0], domain); + let s_sigma_2 = self.compute_permutation_lagrange(&sigmas[1], domain); + let s_sigma_3 = self.compute_permutation_lagrange(&sigmas[2], domain); + let s_sigma_4 = self.compute_permutation_lagrange(&sigmas[3], domain); + + let s_sigma_1_poly = + Polynomial::from_coefficients_vec(domain.ifft(&s_sigma_1)); + let s_sigma_2_poly = + Polynomial::from_coefficients_vec(domain.ifft(&s_sigma_2)); + let s_sigma_3_poly = + Polynomial::from_coefficients_vec(domain.ifft(&s_sigma_3)); + let s_sigma_4_poly = + Polynomial::from_coefficients_vec(domain.ifft(&s_sigma_4)); [ - left_sigma_poly, - right_sigma_poly, - out_sigma_poly, - fourth_sigma_poly, + s_sigma_1_poly, + s_sigma_2_poly, + s_sigma_3_poly, + s_sigma_4_poly, ] } @@ -226,8 +225,8 @@ impl Permutation { // Constants defining cosets H, k1H, k2H, etc let ks = vec![BlsScalar::one(), K1, K2, K3]; - // Transpose wires and sigma values to get "rows" in the form [wl_i, - // wr_i, wo_i, ... ] where each row contains the wire and sigma + // Transpose wires and sigma values to get "rows" in the form [a_w_i, + // b_w_i, c_w_i, ... ] where each row contains the wire and sigma // values for a single gate let gatewise_wires = izip!(wires[0], wires[1], wires[2], wires[3]) .map(|(w0, w1, w2, w3)| vec![w0, w1, w2, w3]); @@ -473,13 +472,13 @@ mod test { #[allow(dead_code)] fn compute_fast_permutation_poly( domain: &EvaluationDomain, - w_l: &[BlsScalar], - w_r: &[BlsScalar], - w_o: &[BlsScalar], - w_4: &[BlsScalar], + a_w: &[BlsScalar], + b_w: &[BlsScalar], + c_w: &[BlsScalar], + d_w: &[BlsScalar], beta: &BlsScalar, gamma: &BlsScalar, - (left_sigma_poly, right_sigma_poly, out_sigma_poly, fourth_sigma_poly): ( + (s_sigma_1_poly, s_sigma_2_poly, s_sigma_3_poly, s_sigma_4_poly): ( &Polynomial, &Polynomial, &Polynomial, @@ -492,26 +491,20 @@ mod test { let common_roots: Vec = domain.elements().map(|root| root * beta).collect(); - let left_sigma_mapping = domain.fft(left_sigma_poly); - let right_sigma_mapping = domain.fft(right_sigma_poly); - let out_sigma_mapping = domain.fft(out_sigma_poly); - let fourth_sigma_mapping = domain.fft(fourth_sigma_poly); + let s_sigma_1_mapping = domain.fft(s_sigma_1_poly); + let s_sigma_2_mapping = domain.fft(s_sigma_2_poly); + let s_sigma_3_mapping = domain.fft(s_sigma_3_poly); + let s_sigma_4_mapping = domain.fft(s_sigma_4_poly); // Compute beta * sigma polynomials - let beta_left_sigmas: Vec<_> = left_sigma_mapping - .iter() - .map(|sigma| sigma * beta) - .collect(); - let beta_right_sigmas: Vec<_> = right_sigma_mapping - .iter() - .map(|sigma| sigma * beta) - .collect(); - let beta_out_sigmas: Vec<_> = - out_sigma_mapping.iter().map(|sigma| sigma * beta).collect(); - let beta_fourth_sigmas: Vec<_> = fourth_sigma_mapping - .iter() - .map(|sigma| sigma * beta) - .collect(); + let beta_s_sigma_1: Vec<_> = + s_sigma_1_mapping.iter().map(|sigma| sigma * beta).collect(); + let beta_s_sigma_2: Vec<_> = + s_sigma_2_mapping.iter().map(|sigma| sigma * beta).collect(); + let beta_s_sigma_3: Vec<_> = + s_sigma_3_mapping.iter().map(|sigma| sigma * beta).collect(); + let beta_s_sigma_4: Vec<_> = + s_sigma_4_mapping.iter().map(|sigma| sigma * beta).collect(); // Compute beta * roots * K1 let beta_roots_k1: Vec<_> = @@ -526,71 +519,71 @@ mod test { common_roots.iter().map(|x| x * K3).collect(); // Compute left_wire + gamma - let w_l_gamma: Vec<_> = w_l.iter().map(|w_l| w_l + gamma).collect(); + let a_w_gamma: Vec<_> = a_w.iter().map(|a_w| a_w + gamma).collect(); // Compute right_wire + gamma - let w_r_gamma: Vec<_> = w_r.iter().map(|w_r| w_r + gamma).collect(); + let b_w_gamma: Vec<_> = b_w.iter().map(|b_w| b_w + gamma).collect(); // Compute out_wire + gamma - let w_o_gamma: Vec<_> = w_o.iter().map(|w_o| w_o + gamma).collect(); + let c_w_gamma: Vec<_> = c_w.iter().map(|c_w| c_w + gamma).collect(); // Compute fourth_wire + gamma - let w_4_gamma: Vec<_> = w_4.iter().map(|w_4| w_4 + gamma).collect(); + let d_w_gamma: Vec<_> = d_w.iter().map(|d_w| d_w + gamma).collect(); // Compute 6 accumulator components // Parallelizable let accumulator_components_without_l1: Vec<_> = izip!( - w_l_gamma, - w_r_gamma, - w_o_gamma, - w_4_gamma, + a_w_gamma, + b_w_gamma, + c_w_gamma, + d_w_gamma, common_roots, beta_roots_k1, beta_roots_k2, beta_roots_k3, - beta_left_sigmas, - beta_right_sigmas, - beta_out_sigmas, - beta_fourth_sigmas, + beta_s_sigma_1, + beta_s_sigma_2, + beta_s_sigma_3, + beta_s_sigma_4, ) .map( |( - w_l_gamma, - w_r_gamma, - w_o_gamma, - w_4_gamma, + a_w_gamma, + b_w_gamma, + c_w_gamma, + d_w_gamma, beta_root, beta_root_k1, beta_root_k2, beta_root_k3, - beta_left_sigma, - beta_right_sigma, - beta_out_sigma, - beta_fourth_sigma, + beta_s_sigma_1, + beta_s_sigma_2, + beta_s_sigma_3, + beta_s_sigma_4, )| { // w_j + beta * root^j-1 + gamma - let ac1 = w_l_gamma + beta_root; + let ac1 = a_w_gamma + beta_root; // w_{n+j} + beta * K1 * root^j-1 + gamma - let ac2 = w_r_gamma + beta_root_k1; + let ac2 = b_w_gamma + beta_root_k1; // w_{2n+j} + beta * K2 * root^j-1 + gamma - let ac3 = w_o_gamma + beta_root_k2; + let ac3 = c_w_gamma + beta_root_k2; // w_{3n+j} + beta * K3 * root^j-1 + gamma - let ac4 = w_4_gamma + beta_root_k3; + let ac4 = d_w_gamma + beta_root_k3; // 1 / w_j + beta * sigma(j) + gamma - let ac5 = (w_l_gamma + beta_left_sigma).invert().unwrap(); + let ac5 = (a_w_gamma + beta_s_sigma_1).invert().unwrap(); // 1 / w_{n+j} + beta * sigma(n+j) + gamma - let ac6 = (w_r_gamma + beta_right_sigma).invert().unwrap(); + let ac6 = (b_w_gamma + beta_s_sigma_2).invert().unwrap(); // 1 / w_{2n+j} + beta * sigma(2n+j) + gamma - let ac7 = (w_o_gamma + beta_out_sigma).invert().unwrap(); + let ac7 = (c_w_gamma + beta_s_sigma_3).invert().unwrap(); // 1 / w_{3n+j} + beta * sigma(3n+j) + gamma - let ac8 = (w_4_gamma + beta_fourth_sigma).invert().unwrap(); + let ac8 = (d_w_gamma + beta_s_sigma_4).invert().unwrap(); [ac1, ac2, ac3, ac4, ac5, ac6, ac7, ac8] }, @@ -640,13 +633,13 @@ mod test { fn compute_slow_permutation_poly( domain: &EvaluationDomain, - w_l: I, - w_r: I, - w_o: I, - w_4: I, + a_w: I, + b_w: I, + c_w: I, + d_w: I, beta: &BlsScalar, gamma: &BlsScalar, - (left_sigma_poly, right_sigma_poly, out_sigma_poly, fourth_sigma_poly): ( + (s_sigma_1_poly, s_sigma_2_poly, s_sigma_3_poly, s_sigma_4_poly): ( &Polynomial, &Polynomial, &Polynomial, @@ -658,20 +651,20 @@ mod test { { let n = domain.size(); - let left_sigma_mapping = domain.fft(left_sigma_poly); - let right_sigma_mapping = domain.fft(right_sigma_poly); - let out_sigma_mapping = domain.fft(out_sigma_poly); - let fourth_sigma_mapping = domain.fft(fourth_sigma_poly); + let s_sigma_1_mapping = domain.fft(s_sigma_1_poly); + let s_sigma_2_mapping = domain.fft(s_sigma_2_poly); + let s_sigma_3_mapping = domain.fft(s_sigma_3_poly); + let s_sigma_4_mapping = domain.fft(s_sigma_4_poly); // Compute beta * sigma polynomials - let beta_left_sigma_iter = - left_sigma_mapping.iter().map(|sigma| *sigma * beta); - let beta_right_sigma_iter = - right_sigma_mapping.iter().map(|sigma| *sigma * beta); - let beta_out_sigma_iter = - out_sigma_mapping.iter().map(|sigma| *sigma * beta); - let beta_fourth_sigma_iter = - fourth_sigma_mapping.iter().map(|sigma| *sigma * beta); + let beta_s_sigma_1_iter = + s_sigma_1_mapping.iter().map(|sigma| *sigma * beta); + let beta_s_sigma_2_iter = + s_sigma_2_mapping.iter().map(|sigma| *sigma * beta); + let beta_s_sigma_3_iter = + s_sigma_3_mapping.iter().map(|sigma| *sigma * beta); + let beta_s_sigma_4_iter = + s_sigma_4_mapping.iter().map(|sigma| *sigma * beta); // Compute beta * roots let beta_roots_iter = domain.elements().map(|root| root * beta); @@ -686,16 +679,16 @@ mod test { let beta_roots_k3_iter = domain.elements().map(|root| K3 * beta * root); // Compute left_wire + gamma - let w_l_gamma: Vec<_> = w_l.map(|w| w + gamma).collect(); + let a_w_gamma: Vec<_> = a_w.map(|w| w + gamma).collect(); // Compute right_wire + gamma - let w_r_gamma: Vec<_> = w_r.map(|w| w + gamma).collect(); + let b_w_gamma: Vec<_> = b_w.map(|w| w + gamma).collect(); // Compute out_wire + gamma - let w_o_gamma: Vec<_> = w_o.map(|w| w + gamma).collect(); + let c_w_gamma: Vec<_> = c_w.map(|w| w + gamma).collect(); // Compute fourth_wire + gamma - let w_4_gamma: Vec<_> = w_4.map(|w| w + gamma).collect(); + let d_w_gamma: Vec<_> = d_w.map(|w| w + gamma).collect(); let mut numerator_partial_components: Vec = Vec::with_capacity(n); @@ -712,35 +705,35 @@ mod test { // Compute numerator coefficients for ( - w_l_gamma, - w_r_gamma, - w_o_gamma, - w_4_gamma, + a_w_gamma, + b_w_gamma, + c_w_gamma, + d_w_gamma, beta_root, beta_root_k1, beta_root_k2, beta_root_k3, ) in izip!( - w_l_gamma.iter(), - w_r_gamma.iter(), - w_o_gamma.iter(), - w_4_gamma.iter(), + a_w_gamma.iter(), + b_w_gamma.iter(), + c_w_gamma.iter(), + d_w_gamma.iter(), beta_roots_iter, beta_roots_k1_iter, beta_roots_k2_iter, beta_roots_k3_iter, ) { - // (w_l + beta * root + gamma) - let prod_a = beta_root + w_l_gamma; + // (a_w + beta * root + gamma) + let prod_a = beta_root + a_w_gamma; - // (w_r + beta * root * k_1 + gamma) - let prod_b = beta_root_k1 + w_r_gamma; + // (b_w + beta * root * k_1 + gamma) + let prod_b = beta_root_k1 + b_w_gamma; - // (w_o + beta * root * k_2 + gamma) - let prod_c = beta_root_k2 + w_o_gamma; + // (c_w + beta * root * k_2 + gamma) + let prod_c = beta_root_k2 + c_w_gamma; - // (w_4 + beta * root * k_3 + gamma) - let prod_d = beta_root_k3 + w_4_gamma; + // (d_w + beta * root * k_3 + gamma) + let prod_d = beta_root_k3 + d_w_gamma; let mut prod = prod_a * prod_b * prod_c * prod_d; @@ -753,35 +746,35 @@ mod test { // Compute denominator coefficients for ( - w_l_gamma, - w_r_gamma, - w_o_gamma, - w_4_gamma, - beta_left_sigma, - beta_right_sigma, - beta_out_sigma, - beta_fourth_sigma, + a_w_gamma, + b_w_gamma, + c_w_gamma, + d_w_gamma, + beta_s_sigma_1, + beta_s_sigma_2, + beta_s_sigma_3, + beta_s_sigma_4, ) in izip!( - w_l_gamma, - w_r_gamma, - w_o_gamma, - w_4_gamma, - beta_left_sigma_iter, - beta_right_sigma_iter, - beta_out_sigma_iter, - beta_fourth_sigma_iter, + a_w_gamma, + b_w_gamma, + c_w_gamma, + d_w_gamma, + beta_s_sigma_1_iter, + beta_s_sigma_2_iter, + beta_s_sigma_3_iter, + beta_s_sigma_4_iter, ) { - // (w_l + beta * left_sigma + gamma) - let prod_a = beta_left_sigma + w_l_gamma; + // (a_w + beta * s_sigma_1 + gamma) + let prod_a = beta_s_sigma_1 + a_w_gamma; - // (w_r + beta * right_sigma + gamma) - let prod_b = beta_right_sigma + w_r_gamma; + // (b_w + beta * s_sigma_2 + gamma) + let prod_b = beta_s_sigma_2 + b_w_gamma; - // (w_o + beta * out_sigma + gamma) - let prod_c = beta_out_sigma + w_o_gamma; + // (c_w + beta * s_sigma_3 + gamma) + let prod_c = beta_s_sigma_3 + c_w_gamma; - // (w_4 + beta * fourth_sigma + gamma) - let prod_d = beta_fourth_sigma + w_4_gamma; + // (d_w + beta * s_sigma_4 + gamma) + let prod_d = beta_s_sigma_4 + d_w_gamma; let mut prod = prod_a * prod_b * prod_c * prod_d; @@ -865,20 +858,20 @@ mod test { cs.append_gate(constraint); let domain = EvaluationDomain::new(cs.gates()).unwrap(); - let pad = vec![BlsScalar::zero(); domain.size() - cs.w_l.len()]; - let mut w_l_scalar: Vec = - cs.w_l.iter().map(|v| cs.witnesses[v]).collect(); - let mut w_r_scalar: Vec = - cs.w_r.iter().map(|v| cs.witnesses[v]).collect(); - let mut w_o_scalar: Vec = - cs.w_o.iter().map(|v| cs.witnesses[v]).collect(); - let mut w_4_scalar: Vec = - cs.w_4.iter().map(|v| cs.witnesses[v]).collect(); - - w_l_scalar.extend(&pad); - w_r_scalar.extend(&pad); - w_o_scalar.extend(&pad); - w_4_scalar.extend(&pad); + let pad = vec![BlsScalar::zero(); domain.size() - cs.a_w.len()]; + let mut a_w_scalar: Vec = + cs.a_w.iter().map(|v| cs.witnesses[v]).collect(); + let mut b_w_scalar: Vec = + cs.b_w.iter().map(|v| cs.witnesses[v]).collect(); + let mut c_w_scalar: Vec = + cs.c_w.iter().map(|v| cs.witnesses[v]).collect(); + let mut d_w_scalar: Vec = + cs.d_w.iter().map(|v| cs.witnesses[v]).collect(); + + a_w_scalar.extend(&pad); + b_w_scalar.extend(&pad); + c_w_scalar.extend(&pad); + d_w_scalar.extend(&pad); let sigmas: Vec> = cs .perm @@ -897,7 +890,7 @@ mod test { let mz = cs.perm.compute_permutation_poly( &domain, - [&w_l_scalar, &w_r_scalar, &w_o_scalar, &w_4_scalar], + [&a_w_scalar, &b_w_scalar, &c_w_scalar, &d_w_scalar], &beta, &gamma, [ @@ -911,10 +904,10 @@ mod test { let old_z = Polynomial::from_coefficients_vec(domain.ifft( &compute_fast_permutation_poly( &domain, - &w_l_scalar, - &w_r_scalar, - &w_o_scalar, - &w_4_scalar, + &a_w_scalar, + &b_w_scalar, + &c_w_scalar, + &d_w_scalar, &beta, &gamma, ( @@ -994,40 +987,40 @@ mod test { var_seven = {O2} var_eight = {O3} var_nine = {F0, F1, F2, F3} - Left_sigma = {R0, L2, L3, L0} - Right_sigma = {L1, R1, R2, R3} - Out_sigma = {O0, O1, O2, O3} - Fourth_sigma = {F1, F2, F3, F0} + s_sigma_1 = {R0, L2, L3, L0} + s_sigma_2 = {L1, R1, R2, R3} + s_sigma_3 = {O0, O1, O2, O3} + s_sigma_4 = {F1, F2, F3, F0} */ let sigmas = perm.compute_sigma_permutations(num_wire_mappings); - let left_sigma = &sigmas[0]; - let right_sigma = &sigmas[1]; - let out_sigma = &sigmas[2]; - let fourth_sigma = &sigmas[3]; + let s_sigma_1 = &sigmas[0]; + let s_sigma_2 = &sigmas[1]; + let s_sigma_3 = &sigmas[2]; + let s_sigma_4 = &sigmas[3]; // Check the left sigma polynomial - assert_eq!(left_sigma[0], WireData::Right(0)); - assert_eq!(left_sigma[1], WireData::Left(2)); - assert_eq!(left_sigma[2], WireData::Left(3)); - assert_eq!(left_sigma[3], WireData::Left(0)); + assert_eq!(s_sigma_1[0], WireData::Right(0)); + assert_eq!(s_sigma_1[1], WireData::Left(2)); + assert_eq!(s_sigma_1[2], WireData::Left(3)); + assert_eq!(s_sigma_1[3], WireData::Left(0)); // Check the right sigma polynomial - assert_eq!(right_sigma[0], WireData::Left(1)); - assert_eq!(right_sigma[1], WireData::Right(1)); - assert_eq!(right_sigma[2], WireData::Right(2)); - assert_eq!(right_sigma[3], WireData::Right(3)); + assert_eq!(s_sigma_2[0], WireData::Left(1)); + assert_eq!(s_sigma_2[1], WireData::Right(1)); + assert_eq!(s_sigma_2[2], WireData::Right(2)); + assert_eq!(s_sigma_2[3], WireData::Right(3)); // Check the output sigma polynomial - assert_eq!(out_sigma[0], WireData::Output(0)); - assert_eq!(out_sigma[1], WireData::Output(1)); - assert_eq!(out_sigma[2], WireData::Output(2)); - assert_eq!(out_sigma[3], WireData::Output(3)); + assert_eq!(s_sigma_3[0], WireData::Output(0)); + assert_eq!(s_sigma_3[1], WireData::Output(1)); + assert_eq!(s_sigma_3[2], WireData::Output(2)); + assert_eq!(s_sigma_3[3], WireData::Output(3)); // Check the output sigma polynomial - assert_eq!(fourth_sigma[0], WireData::Fourth(1)); - assert_eq!(fourth_sigma[1], WireData::Fourth(2)); - assert_eq!(fourth_sigma[2], WireData::Fourth(3)); - assert_eq!(fourth_sigma[3], WireData::Fourth(0)); + assert_eq!(s_sigma_4[0], WireData::Fourth(1)); + assert_eq!(s_sigma_4[1], WireData::Fourth(2)); + assert_eq!(s_sigma_4[2], WireData::Fourth(3)); + assert_eq!(s_sigma_4[3], WireData::Fourth(0)); let domain = EvaluationDomain::new(num_wire_mappings).unwrap(); let w = domain.group_gen; @@ -1035,64 +1028,64 @@ mod test { let w_cubed = w.pow(&[3, 0, 0, 0]); // Check the left sigmas have been encoded properly - // Left_sigma = {R0, L2, L3, L0} + // s_sigma_1 = {R0, L2, L3, L0} // Should turn into {1 * K1, w^2, w^3, 1} - let encoded_left_sigma = - perm.compute_permutation_lagrange(left_sigma, &domain); - assert_eq!(encoded_left_sigma[0], BlsScalar::one() * K1); - assert_eq!(encoded_left_sigma[1], w_squared); - assert_eq!(encoded_left_sigma[2], w_cubed); - assert_eq!(encoded_left_sigma[3], BlsScalar::one()); + let encoded_s_sigma_1 = + perm.compute_permutation_lagrange(s_sigma_1, &domain); + assert_eq!(encoded_s_sigma_1[0], BlsScalar::one() * K1); + assert_eq!(encoded_s_sigma_1[1], w_squared); + assert_eq!(encoded_s_sigma_1[2], w_cubed); + assert_eq!(encoded_s_sigma_1[3], BlsScalar::one()); // Check the right sigmas have been encoded properly - // Right_sigma = {L1, R1, R2, R3} + // s_sigma_2 = {L1, R1, R2, R3} // Should turn into {w, w * K1, w^2 * K1, w^3 * K1} - let encoded_right_sigma = - perm.compute_permutation_lagrange(right_sigma, &domain); - assert_eq!(encoded_right_sigma[0], w); - assert_eq!(encoded_right_sigma[1], w * K1); - assert_eq!(encoded_right_sigma[2], w_squared * K1); - assert_eq!(encoded_right_sigma[3], w_cubed * K1); + let encoded_s_sigma_2 = + perm.compute_permutation_lagrange(s_sigma_2, &domain); + assert_eq!(encoded_s_sigma_2[0], w); + assert_eq!(encoded_s_sigma_2[1], w * K1); + assert_eq!(encoded_s_sigma_2[2], w_squared * K1); + assert_eq!(encoded_s_sigma_2[3], w_cubed * K1); // Check the output sigmas have been encoded properly - // Out_sigma = {O0, O1, O2, O3} + // s_sigma_3 = {O0, O1, O2, O3} // Should turn into {1 * K2, w * K2, w^2 * K2, w^3 * K2} - let encoded_output_sigma = - perm.compute_permutation_lagrange(out_sigma, &domain); - assert_eq!(encoded_output_sigma[0], BlsScalar::one() * K2); - assert_eq!(encoded_output_sigma[1], w * K2); - assert_eq!(encoded_output_sigma[2], w_squared * K2); - assert_eq!(encoded_output_sigma[3], w_cubed * K2); + let encoded_s_sigma_3 = + perm.compute_permutation_lagrange(s_sigma_3, &domain); + assert_eq!(encoded_s_sigma_3[0], BlsScalar::one() * K2); + assert_eq!(encoded_s_sigma_3[1], w * K2); + assert_eq!(encoded_s_sigma_3[2], w_squared * K2); + assert_eq!(encoded_s_sigma_3[3], w_cubed * K2); // Check the fourth sigmas have been encoded properly - // Out_sigma = {F1, F2, F3, F0} + // s_sigma_4 = {F1, F2, F3, F0} // Should turn into {w * K3, w^2 * K3, w^3 * K3, 1 * K3} - let encoded_fourth_sigma = - perm.compute_permutation_lagrange(fourth_sigma, &domain); - assert_eq!(encoded_fourth_sigma[0], w * K3); - assert_eq!(encoded_fourth_sigma[1], w_squared * K3); - assert_eq!(encoded_fourth_sigma[2], w_cubed * K3); - assert_eq!(encoded_fourth_sigma[3], K3); - - let w_l = vec![ + let encoded_s_sigma_4 = + perm.compute_permutation_lagrange(s_sigma_4, &domain); + assert_eq!(encoded_s_sigma_4[0], w * K3); + assert_eq!(encoded_s_sigma_4[1], w_squared * K3); + assert_eq!(encoded_s_sigma_4[2], w_cubed * K3); + assert_eq!(encoded_s_sigma_4[3], K3); + + let a_w = vec![ BlsScalar::from(2), BlsScalar::from(2), BlsScalar::from(2), BlsScalar::from(2), ]; - let w_r = vec![ + let b_w = vec![ BlsScalar::from(2), BlsScalar::one(), BlsScalar::one(), BlsScalar::one(), ]; - let w_o = vec![ + let c_w = vec![ BlsScalar::one(), BlsScalar::one(), BlsScalar::one(), BlsScalar::one(), ]; - let w_4 = vec![ + let d_w = vec![ BlsScalar::one(), BlsScalar::one(), BlsScalar::one(), @@ -1103,10 +1096,10 @@ mod test { num_wire_mappings, perm, &domain, - w_l, - w_r, - w_o, - w_4, + a_w, + b_w, + c_w, + d_w, ); } @@ -1133,50 +1126,50 @@ mod test { var_two : {O0, L1, O1, L3} var_three : {L2, R2, O3} var_four : {F0, F1, F2, F3} - Left_Sigma : {0,1,2,3} -> {R0,O1,R2,O0} - Right_Sigma : {0,1,2,3} -> {R1, O2, O3, L0} - Out_Sigma : {0,1,2,3} -> {L1, L3, R3, L2} - Fourth_Sigma : {0,1,2,3} -> {F1, F2, F3, F0} + s_sigma_1 : {0,1,2,3} -> {R0,O1,R2,O0} + s_sigma_2 : {0,1,2,3} -> {R1, O2, O3, L0} + s_sigma_3 : {0,1,2,3} -> {L1, L3, R3, L2} + s_sigma_4 : {0,1,2,3} -> {F1, F2, F3, F0} */ let sigmas = perm.compute_sigma_permutations(num_wire_mappings); - let left_sigma = &sigmas[0]; - let right_sigma = &sigmas[1]; - let out_sigma = &sigmas[2]; - let fourth_sigma = &sigmas[3]; + let s_sigma_1 = &sigmas[0]; + let s_sigma_2 = &sigmas[1]; + let s_sigma_3 = &sigmas[2]; + let s_sigma_4 = &sigmas[3]; // Check the left sigma polynomial - assert_eq!(left_sigma[0], WireData::Right(0)); - assert_eq!(left_sigma[1], WireData::Output(1)); - assert_eq!(left_sigma[2], WireData::Right(2)); - assert_eq!(left_sigma[3], WireData::Output(0)); + assert_eq!(s_sigma_1[0], WireData::Right(0)); + assert_eq!(s_sigma_1[1], WireData::Output(1)); + assert_eq!(s_sigma_1[2], WireData::Right(2)); + assert_eq!(s_sigma_1[3], WireData::Output(0)); // Check the right sigma polynomial - assert_eq!(right_sigma[0], WireData::Right(1)); - assert_eq!(right_sigma[1], WireData::Output(2)); - assert_eq!(right_sigma[2], WireData::Output(3)); - assert_eq!(right_sigma[3], WireData::Left(0)); + assert_eq!(s_sigma_2[0], WireData::Right(1)); + assert_eq!(s_sigma_2[1], WireData::Output(2)); + assert_eq!(s_sigma_2[2], WireData::Output(3)); + assert_eq!(s_sigma_2[3], WireData::Left(0)); // Check the output sigma polynomial - assert_eq!(out_sigma[0], WireData::Left(1)); - assert_eq!(out_sigma[1], WireData::Left(3)); - assert_eq!(out_sigma[2], WireData::Right(3)); - assert_eq!(out_sigma[3], WireData::Left(2)); + assert_eq!(s_sigma_3[0], WireData::Left(1)); + assert_eq!(s_sigma_3[1], WireData::Left(3)); + assert_eq!(s_sigma_3[2], WireData::Right(3)); + assert_eq!(s_sigma_3[3], WireData::Left(2)); // Check the fourth sigma polynomial - assert_eq!(fourth_sigma[0], WireData::Fourth(1)); - assert_eq!(fourth_sigma[1], WireData::Fourth(2)); - assert_eq!(fourth_sigma[2], WireData::Fourth(3)); - assert_eq!(fourth_sigma[3], WireData::Fourth(0)); + assert_eq!(s_sigma_4[0], WireData::Fourth(1)); + assert_eq!(s_sigma_4[1], WireData::Fourth(2)); + assert_eq!(s_sigma_4[2], WireData::Fourth(3)); + assert_eq!(s_sigma_4[3], WireData::Fourth(0)); /* Check that the unique encodings of the sigma polynomials have been computed properly - Left_Sigma : {R0,O1,R2,O0} + s_sigma_1 : {R0,O1,R2,O0} When encoded using w, K1,K2,K3 we have {1 * K1, w * K2, w^2 * K1, 1 * K2} - Right_Sigma : {R1, O2, O3, L0} + s_sigma_2 : {R1, O2, O3, L0} When encoded using w, K1,K2,K3 we have {w * K1, w^2 * K2, w^3 * K2, 1} - Out_Sigma : {L1, L3, R3, L2} + s_sigma_3 : {L1, L3, R3, L2} When encoded using w, K1, K2,K3 we have {w, w^3 , w^3 * K1, w^2} - Fourth_Sigma : {0,1,2,3} -> {F1, F2, F3, F0} + s_sigma_4 : {0,1,2,3} -> {F1, F2, F3, F0} When encoded using w, K1, K2,K3 we have {w * K3, w^2 * K3, w^3 * K3, 1 * K3} */ let domain = EvaluationDomain::new(num_wire_mappings).unwrap(); @@ -1184,36 +1177,36 @@ mod test { let w_squared = w.pow(&[2, 0, 0, 0]); let w_cubed = w.pow(&[3, 0, 0, 0]); // check the left sigmas have been encoded properly - let encoded_left_sigma = - perm.compute_permutation_lagrange(left_sigma, &domain); - assert_eq!(encoded_left_sigma[0], K1); - assert_eq!(encoded_left_sigma[1], w * K2); - assert_eq!(encoded_left_sigma[2], w_squared * K1); - assert_eq!(encoded_left_sigma[3], BlsScalar::one() * K2); + let encoded_s_sigma_1 = + perm.compute_permutation_lagrange(s_sigma_1, &domain); + assert_eq!(encoded_s_sigma_1[0], K1); + assert_eq!(encoded_s_sigma_1[1], w * K2); + assert_eq!(encoded_s_sigma_1[2], w_squared * K1); + assert_eq!(encoded_s_sigma_1[3], BlsScalar::one() * K2); // check the right sigmas have been encoded properly - let encoded_right_sigma = - perm.compute_permutation_lagrange(right_sigma, &domain); - assert_eq!(encoded_right_sigma[0], w * K1); - assert_eq!(encoded_right_sigma[1], w_squared * K2); - assert_eq!(encoded_right_sigma[2], w_cubed * K2); - assert_eq!(encoded_right_sigma[3], BlsScalar::one()); + let encoded_s_sigma_2 = + perm.compute_permutation_lagrange(s_sigma_2, &domain); + assert_eq!(encoded_s_sigma_2[0], w * K1); + assert_eq!(encoded_s_sigma_2[1], w_squared * K2); + assert_eq!(encoded_s_sigma_2[2], w_cubed * K2); + assert_eq!(encoded_s_sigma_2[3], BlsScalar::one()); // check the output sigmas have been encoded properly - let encoded_output_sigma = - perm.compute_permutation_lagrange(out_sigma, &domain); - assert_eq!(encoded_output_sigma[0], w); - assert_eq!(encoded_output_sigma[1], w_cubed); - assert_eq!(encoded_output_sigma[2], w_cubed * K1); - assert_eq!(encoded_output_sigma[3], w_squared); + let encoded_s_sigma_3 = + perm.compute_permutation_lagrange(s_sigma_3, &domain); + assert_eq!(encoded_s_sigma_3[0], w); + assert_eq!(encoded_s_sigma_3[1], w_cubed); + assert_eq!(encoded_s_sigma_3[2], w_cubed * K1); + assert_eq!(encoded_s_sigma_3[3], w_squared); // check the fourth sigmas have been encoded properly - let encoded_fourth_sigma = - perm.compute_permutation_lagrange(fourth_sigma, &domain); - assert_eq!(encoded_fourth_sigma[0], w * K3); - assert_eq!(encoded_fourth_sigma[1], w_squared * K3); - assert_eq!(encoded_fourth_sigma[2], w_cubed * K3); - assert_eq!(encoded_fourth_sigma[3], K3); + let encoded_s_sigma_4 = + perm.compute_permutation_lagrange(s_sigma_4, &domain); + assert_eq!(encoded_s_sigma_4[0], w * K3); + assert_eq!(encoded_s_sigma_4[1], w_squared * K3); + assert_eq!(encoded_s_sigma_4[2], w_cubed * K3); + assert_eq!(encoded_s_sigma_4[3], K3); } #[test] @@ -1230,19 +1223,19 @@ mod test { perm.add_variables_to_map(var_one, var_two, var_three, var_four, 0); perm.add_variables_to_map(var_three, var_two, var_one, var_four, 1); - let w_l: Vec<_> = vec![BlsScalar::one(), BlsScalar::from(3)]; - let w_r: Vec<_> = vec![BlsScalar::from(2), BlsScalar::from(2)]; - let w_o: Vec<_> = vec![BlsScalar::from(3), BlsScalar::one()]; - let w_4: Vec<_> = vec![BlsScalar::one(), BlsScalar::one()]; + let a_w: Vec<_> = vec![BlsScalar::one(), BlsScalar::from(3)]; + let b_w: Vec<_> = vec![BlsScalar::from(2), BlsScalar::from(2)]; + let c_w: Vec<_> = vec![BlsScalar::from(3), BlsScalar::one()]; + let d_w: Vec<_> = vec![BlsScalar::one(), BlsScalar::one()]; test_correct_permutation_poly( num_wire_mappings, perm, &domain, - w_l, - w_r, - w_o, - w_4, + a_w, + b_w, + c_w, + d_w, ); } @@ -1258,10 +1251,10 @@ mod test { n: usize, mut perm: Permutation, domain: &EvaluationDomain, - w_l: Vec, - w_r: Vec, - w_o: Vec, - w_4: Vec, + a_w: Vec, + b_w: Vec, + c_w: Vec, + d_w: Vec, ) { // 0. Generate beta and gamma challenges // @@ -1270,38 +1263,38 @@ mod test { assert_ne!(gamma, beta); //1. Compute the permutation polynomial using both methods - let [left_sigma_poly, right_sigma_poly, out_sigma_poly, fourth_sigma_poly] = + let [s_sigma_1_poly, s_sigma_2_poly, s_sigma_3_poly, s_sigma_4_poly] = perm.compute_sigma_polynomials(n, domain); let (z_vec, numerator_components, denominator_components) = compute_slow_permutation_poly( domain, - w_l.clone().into_iter(), - w_r.clone().into_iter(), - w_o.clone().into_iter(), - w_4.clone().into_iter(), + a_w.clone().into_iter(), + b_w.clone().into_iter(), + c_w.clone().into_iter(), + d_w.clone().into_iter(), &beta, &gamma, ( - &left_sigma_poly, - &right_sigma_poly, - &out_sigma_poly, - &fourth_sigma_poly, + &s_sigma_1_poly, + &s_sigma_2_poly, + &s_sigma_3_poly, + &s_sigma_4_poly, ), ); let fast_z_vec = compute_fast_permutation_poly( domain, - &w_l, - &w_r, - &w_o, - &w_4, + &a_w, + &b_w, + &c_w, + &d_w, &beta, &gamma, ( - &left_sigma_poly, - &right_sigma_poly, - &out_sigma_poly, - &fourth_sigma_poly, + &s_sigma_1_poly, + &s_sigma_2_poly, + &s_sigma_3_poly, + &s_sigma_4_poly, ), ); assert_eq!(fast_z_vec, z_vec); diff --git a/src/proof_system.rs b/src/proof_system.rs index ffff10c0..9c13f4d4 100644 --- a/src/proof_system.rs +++ b/src/proof_system.rs @@ -6,7 +6,7 @@ //! Proving system -pub(crate) mod linearisation_poly; +pub(crate) mod linearization_poly; pub(crate) mod proof; pub(crate) mod widget; diff --git a/src/proof_system/linearisation_poly.rs b/src/proof_system/linearization_poly.rs similarity index 73% rename from src/proof_system/linearisation_poly.rs rename to src/proof_system/linearization_poly.rs index 39f278fc..1df41039 100644 --- a/src/proof_system/linearisation_poly.rs +++ b/src/proof_system/linearization_poly.rs @@ -16,8 +16,8 @@ use dusk_bytes::{DeserializableSlice, Serializable}; /// Evaluations at points `z` or and `z * root of unity` pub(crate) struct Evaluations { pub(crate) proof: ProofEvaluations, - // Evaluation of the linearisation sigma polynomial at `z` - pub(crate) quot_eval: BlsScalar, + // Evaluation of the linearization sigma polynomial at `z` + pub(crate) t_eval: BlsScalar, } /// Subset of all of the evaluations. These evaluations @@ -48,16 +48,16 @@ pub(crate) struct ProofEvaluations { // pub(crate) q_r_eval: BlsScalar, // - pub(crate) q_lookup_eval: BlsScalar, + pub(crate) q_k_eval: BlsScalar, // Evaluation of the left sigma polynomial at `z` - pub(crate) left_sigma_eval: BlsScalar, + pub(crate) s_sigma_1_eval: BlsScalar, // Evaluation of the right sigma polynomial at `z` - pub(crate) right_sigma_eval: BlsScalar, + pub(crate) s_sigma_2_eval: BlsScalar, // Evaluation of the out sigma polynomial at `z` - pub(crate) out_sigma_eval: BlsScalar, + pub(crate) s_sigma_3_eval: BlsScalar, - // Evaluation of the linearisation sigma polynomial at `z` - pub(crate) lin_poly_eval: BlsScalar, + // Evaluation of the linearization sigma polynomial at `z` + pub(crate) r_poly_eval: BlsScalar, // (Shifted) Evaluation of the permutation polynomial at `z * root of // unity` @@ -81,11 +81,11 @@ pub(crate) struct ProofEvaluations { /// Evaluations of the query polynomial at `z` pub f_eval: BlsScalar, - /// Evaluations of the table polynomial at `z` - pub table_eval: BlsScalar, + /// Evaluations of the t_prime polynomial at `z` + pub t_prime_eval: BlsScalar, - /// Evaluations of the table polynomial at `z * root of unity` - pub table_next_eval: BlsScalar, + /// Evaluations of the t_prime polynomial at `z * root of unity` + pub t_prime_next_eval: BlsScalar, } impl Serializable<{ 24 * BlsScalar::SIZE }> for ProofEvaluations { @@ -108,19 +108,19 @@ impl Serializable<{ 24 * BlsScalar::SIZE }> for ProofEvaluations { writer.write(&self.q_c_eval.to_bytes()); writer.write(&self.q_l_eval.to_bytes()); writer.write(&self.q_r_eval.to_bytes()); - writer.write(&self.q_lookup_eval.to_bytes()); - writer.write(&self.left_sigma_eval.to_bytes()); - writer.write(&self.right_sigma_eval.to_bytes()); - writer.write(&self.out_sigma_eval.to_bytes()); - writer.write(&self.lin_poly_eval.to_bytes()); + writer.write(&self.q_k_eval.to_bytes()); + writer.write(&self.s_sigma_1_eval.to_bytes()); + writer.write(&self.s_sigma_2_eval.to_bytes()); + writer.write(&self.s_sigma_3_eval.to_bytes()); + writer.write(&self.r_poly_eval.to_bytes()); writer.write(&self.perm_eval.to_bytes()); writer.write(&self.lookup_perm_eval.to_bytes()); writer.write(&self.h_1_eval.to_bytes()); writer.write(&self.h_1_next_eval.to_bytes()); writer.write(&self.h_2_eval.to_bytes()); writer.write(&self.f_eval.to_bytes()); - writer.write(&self.table_eval.to_bytes()); - writer.write(&self.table_next_eval.to_bytes()); + writer.write(&self.t_prime_eval.to_bytes()); + writer.write(&self.t_prime_next_eval.to_bytes()); buf } @@ -140,19 +140,19 @@ impl Serializable<{ 24 * BlsScalar::SIZE }> for ProofEvaluations { let q_c_eval = BlsScalar::from_reader(&mut buffer)?; let q_l_eval = BlsScalar::from_reader(&mut buffer)?; let q_r_eval = BlsScalar::from_reader(&mut buffer)?; - let q_lookup_eval = BlsScalar::from_reader(&mut buffer)?; - let left_sigma_eval = BlsScalar::from_reader(&mut buffer)?; - let right_sigma_eval = BlsScalar::from_reader(&mut buffer)?; - let out_sigma_eval = BlsScalar::from_reader(&mut buffer)?; - let lin_poly_eval = BlsScalar::from_reader(&mut buffer)?; + let q_k_eval = BlsScalar::from_reader(&mut buffer)?; + let s_sigma_1_eval = BlsScalar::from_reader(&mut buffer)?; + let s_sigma_2_eval = BlsScalar::from_reader(&mut buffer)?; + let s_sigma_3_eval = BlsScalar::from_reader(&mut buffer)?; + let r_poly_eval = BlsScalar::from_reader(&mut buffer)?; let perm_eval = BlsScalar::from_reader(&mut buffer)?; let lookup_perm_eval = BlsScalar::from_reader(&mut buffer)?; let h_1_eval = BlsScalar::from_reader(&mut buffer)?; let h_1_next_eval = BlsScalar::from_reader(&mut buffer)?; let h_2_eval = BlsScalar::from_reader(&mut buffer)?; let f_eval = BlsScalar::from_reader(&mut buffer)?; - let table_eval = BlsScalar::from_reader(&mut buffer)?; - let table_next_eval = BlsScalar::from_reader(&mut buffer)?; + let t_prime_eval = BlsScalar::from_reader(&mut buffer)?; + let t_prime_next_eval = BlsScalar::from_reader(&mut buffer)?; Ok(ProofEvaluations { a_eval, @@ -166,26 +166,26 @@ impl Serializable<{ 24 * BlsScalar::SIZE }> for ProofEvaluations { q_c_eval, q_l_eval, q_r_eval, - q_lookup_eval, - left_sigma_eval, - right_sigma_eval, - out_sigma_eval, - lin_poly_eval, + q_k_eval, + s_sigma_1_eval, + s_sigma_2_eval, + s_sigma_3_eval, + r_poly_eval, perm_eval, lookup_perm_eval, h_1_eval, h_1_next_eval, h_2_eval, f_eval, - table_eval, - table_next_eval, + t_prime_eval, + t_prime_next_eval, }) } } #[cfg(feature = "alloc")] -/// Compute the linearisation polynomial. +/// Compute the linearization polynomial. // TODO: Improve the method signature #[allow(clippy::type_complexity)] pub(crate) fn compute( @@ -218,48 +218,50 @@ pub(crate) fn compute( BlsScalar, BlsScalar, ), - w_l_poly: &Polynomial, - w_r_poly: &Polynomial, - w_o_poly: &Polynomial, - w_4_poly: &Polynomial, + a_w_poly: &Polynomial, + b_w_poly: &Polynomial, + c_w_poly: &Polynomial, + d_w_poly: &Polynomial, t_x_poly: &Polynomial, z_poly: &Polynomial, f_poly: &Polynomial, h_1_poly: &Polynomial, h_2_poly: &Polynomial, - table_poly: &Polynomial, + t_prime_poly: &Polynomial, p_poly: &Polynomial, ) -> (Polynomial, Evaluations) { // Compute evaluations - let quot_eval = t_x_poly.evaluate(z_challenge); - let a_eval = w_l_poly.evaluate(z_challenge); - let b_eval = w_r_poly.evaluate(z_challenge); - let c_eval = w_o_poly.evaluate(z_challenge); - let d_eval = w_4_poly.evaluate(z_challenge); - let left_sigma_eval = - prover_key.permutation.left_sigma.0.evaluate(z_challenge); - let right_sigma_eval = - prover_key.permutation.right_sigma.0.evaluate(z_challenge); - let out_sigma_eval = - prover_key.permutation.out_sigma.0.evaluate(z_challenge); + let t_eval = t_x_poly.evaluate(z_challenge); + let a_eval = a_w_poly.evaluate(z_challenge); + let b_eval = b_w_poly.evaluate(z_challenge); + let c_eval = c_w_poly.evaluate(z_challenge); + let d_eval = d_w_poly.evaluate(z_challenge); + + let s_sigma_1_eval = + prover_key.permutation.s_sigma_1.0.evaluate(z_challenge); + let s_sigma_2_eval = + prover_key.permutation.s_sigma_2.0.evaluate(z_challenge); + let s_sigma_3_eval = + prover_key.permutation.s_sigma_3.0.evaluate(z_challenge); + let q_arith_eval = prover_key.arithmetic.q_arith.0.evaluate(z_challenge); let q_c_eval = prover_key.logic.q_c.0.evaluate(z_challenge); let q_l_eval = prover_key.fixed_base.q_l.0.evaluate(z_challenge); let q_r_eval = prover_key.fixed_base.q_r.0.evaluate(z_challenge); - let q_lookup_eval = prover_key.lookup.q_lookup.0.evaluate(z_challenge); + let q_k_eval = prover_key.lookup.q_k.0.evaluate(z_challenge); let f_eval = f_poly.evaluate(z_challenge); let h_1_eval = h_1_poly.evaluate(z_challenge); let h_2_eval = h_2_poly.evaluate(z_challenge); - let table_eval = table_poly.evaluate(z_challenge); + let t_prime_eval = t_prime_poly.evaluate(z_challenge); - let a_next_eval = w_l_poly.evaluate(&(z_challenge * domain.group_gen)); - let b_next_eval = w_r_poly.evaluate(&(z_challenge * domain.group_gen)); - let d_next_eval = w_4_poly.evaluate(&(z_challenge * domain.group_gen)); + let a_next_eval = a_w_poly.evaluate(&(z_challenge * domain.group_gen)); + let b_next_eval = b_w_poly.evaluate(&(z_challenge * domain.group_gen)); + let d_next_eval = d_w_poly.evaluate(&(z_challenge * domain.group_gen)); let perm_eval = z_poly.evaluate(&(z_challenge * domain.group_gen)); let lookup_perm_eval = p_poly.evaluate(&(z_challenge * domain.group_gen)); let h_1_next_eval = h_1_poly.evaluate(&(z_challenge * domain.group_gen)); - let table_next_eval = - table_poly.evaluate(&(z_challenge * domain.group_gen)); + let t_prime_next_eval = + t_prime_poly.evaluate(&(z_challenge * domain.group_gen)); let l_coeffs = domain.evaluate_all_lagrange_coefficients(*z_challenge); let l1_eval = l_coeffs[0]; @@ -281,8 +283,8 @@ pub(crate) fn compute( &d_next_eval, &q_arith_eval, &f_eval, - &table_eval, - &table_next_eval, + &t_prime_eval, + &t_prime_next_eval, &h_1_eval, &h_2_eval, &lookup_perm_eval, @@ -297,22 +299,22 @@ pub(crate) fn compute( prover_key, ); - let f_2 = prover_key.permutation.compute_linearisation( + let f_2 = prover_key.permutation.compute_linearization( z_challenge, (alpha, beta, gamma), (&a_eval, &b_eval, &c_eval, &d_eval), - (&left_sigma_eval, &right_sigma_eval, &out_sigma_eval), + (&s_sigma_1_eval, &s_sigma_2_eval, &s_sigma_3_eval), &perm_eval, z_poly, ); - let lin_poly = &f_1 + &f_2; + let r_poly = &f_1 + &f_2; - // Evaluate linearisation polynomial at z_challenge - let lin_poly_eval = lin_poly.evaluate(z_challenge); + // Evaluate linearization polynomial at challenge `z` + let r_poly_eval = r_poly.evaluate(z_challenge); ( - lin_poly, + r_poly, Evaluations { proof: ProofEvaluations { a_eval, @@ -326,21 +328,21 @@ pub(crate) fn compute( q_c_eval, q_l_eval, q_r_eval, - q_lookup_eval, - left_sigma_eval, - right_sigma_eval, - out_sigma_eval, - lin_poly_eval, + q_k_eval, + s_sigma_1_eval, + s_sigma_2_eval, + s_sigma_3_eval, + r_poly_eval, perm_eval, lookup_perm_eval, h_1_eval, h_1_next_eval, h_2_eval, f_eval, - table_eval, - table_next_eval, + t_prime_eval, + t_prime_next_eval, }, - quot_eval, + t_eval, }, ) } @@ -363,8 +365,8 @@ fn compute_circuit_satisfiability( d_next_eval: &BlsScalar, q_arith_eval: &BlsScalar, f_eval: &BlsScalar, - table_eval: &BlsScalar, - table_next_eval: &BlsScalar, + t_prime_eval: &BlsScalar, + t_prime_next_eval: &BlsScalar, h_1_eval: &BlsScalar, h_2_eval: &BlsScalar, p_next_eval: &BlsScalar, @@ -378,7 +380,7 @@ fn compute_circuit_satisfiability( q_r_eval: &BlsScalar, prover_key: &ProverKey, ) -> Polynomial { - let a = prover_key.arithmetic.compute_linearisation( + let a = prover_key.arithmetic.compute_linearization( a_eval, b_eval, c_eval, @@ -386,7 +388,7 @@ fn compute_circuit_satisfiability( q_arith_eval, ); - let b = prover_key.range.compute_linearisation( + let b = prover_key.range.compute_linearization( range_separation_challenge, a_eval, b_eval, @@ -395,7 +397,7 @@ fn compute_circuit_satisfiability( d_next_eval, ); - let c = prover_key.logic.compute_linearisation( + let c = prover_key.logic.compute_linearization( logic_separation_challenge, a_eval, a_next_eval, @@ -407,7 +409,7 @@ fn compute_circuit_satisfiability( q_c_eval, ); - let d = prover_key.fixed_base.compute_linearisation( + let d = prover_key.fixed_base.compute_linearization( fixed_base_separation_challenge, a_eval, a_next_eval, @@ -421,7 +423,7 @@ fn compute_circuit_satisfiability( q_c_eval, ); - let e = prover_key.variable_base.compute_linearisation( + let e = prover_key.variable_base.compute_linearization( var_base_separation_challenge, a_eval, a_next_eval, @@ -431,14 +433,14 @@ fn compute_circuit_satisfiability( d_eval, d_next_eval, ); - let f = prover_key.lookup.compute_linearisation( + let f = prover_key.lookup.compute_linearization( a_eval, b_eval, c_eval, d_eval, f_eval, - table_eval, - table_next_eval, + t_prime_eval, + t_prime_next_eval, h_1_eval, h_2_eval, p_next_eval, @@ -450,13 +452,13 @@ fn compute_circuit_satisfiability( lookup_separation_challenge, ); - let mut linearisation_poly = &a + &b; - linearisation_poly += &c; - linearisation_poly += &d; - linearisation_poly += &e; - linearisation_poly += &f; + let mut linearization_poly = &a + &b; + linearization_poly += &c; + linearization_poly += &d; + linearization_poly += &e; + linearization_poly += &f; - linearisation_poly + linearization_poly } #[cfg(test)] diff --git a/src/proof_system/preprocess.rs b/src/proof_system/preprocess.rs index d1b10d74..c6aa8cda 100644 --- a/src/proof_system/preprocess.rs +++ b/src/proof_system/preprocess.rs @@ -16,33 +16,44 @@ use crate::proof_system::{widget, ProverKey}; use dusk_bls12_381::BlsScalar; use merlin::Transcript; -/// Struct that contains all of the selector and permutation [`Polynomial`]s in -/// PLONK. -pub(crate) struct SelectorPolynomials { +/// Struct that contains all selector and permutation [`Polynomials`]s +pub(crate) struct Polynomials { + // selector polynomials defining arithmetic circuits q_m: Polynomial, q_l: Polynomial, q_r: Polynomial, q_o: Polynomial, q_c: Polynomial, + + // additional selector for 3-input gates added for efficiency of + // implementation q_4: Polynomial, - q_arith: Polynomial, - q_range: Polynomial, - q_logic: Polynomial, - q_fixed_group_add: Polynomial, - q_variable_group_add: Polynomial, - q_lookup: Polynomial, - - left_sigma: Polynomial, - right_sigma: Polynomial, - out_sigma: Polynomial, - fourth_sigma: Polynomial, + + // selector polynomial which activates the lookup gates + // --> if (ith gate is lookup_gate) q_k[i] = 1 else q_k[i] = 0 + q_k: Polynomial, + + // additional selectors for different kinds of circuits added for + // efficiency of implementation + q_arith: Polynomial, // arithmetic circuits + q_range: Polynomial, // range proofs + q_logic: Polynomial, // boolean operations + q_fixed_group_add: Polynomial, // ecc circuits + q_variable_group_add: Polynomial, // ecc circuits + + // copy permutation polynomials + s_sigma_1: Polynomial, + s_sigma_2: Polynomial, + s_sigma_3: Polynomial, + s_sigma_4: Polynomial, // for q_4 } impl TurboComposer { - /// Pads the circuit to the next power of two. + /// Pads the circuit to the next power of two /// - /// # Note - /// `diff` is the difference between circuit size and next power of two. + /// # Note: + /// + /// `diff` is the difference between circuit size and next power of two fn pad(&mut self, diff: usize) { // Add a zero variable to circuit let zero_scalar = BlsScalar::zero(); @@ -57,23 +68,22 @@ impl TurboComposer { self.q_o.extend(zeroes_scalar.iter()); self.q_c.extend(zeroes_scalar.iter()); self.q_4.extend(zeroes_scalar.iter()); + self.q_k.extend(zeroes_scalar.iter()); self.q_arith.extend(zeroes_scalar.iter()); self.q_range.extend(zeroes_scalar.iter()); self.q_logic.extend(zeroes_scalar.iter()); self.q_fixed_group_add.extend(zeroes_scalar.iter()); self.q_variable_group_add.extend(zeroes_scalar.iter()); - self.q_lookup.extend(zeroes_scalar.iter()); - self.w_l.extend(zeroes_var.iter()); - self.w_r.extend(zeroes_var.iter()); - self.w_o.extend(zeroes_var.iter()); - self.w_4.extend(zeroes_var.iter()); + self.a_w.extend(zeroes_var.iter()); + self.b_w.extend(zeroes_var.iter()); + self.c_w.extend(zeroes_var.iter()); + self.d_w.extend(zeroes_var.iter()); self.n += diff; } - /// Checks that all of the wires of the composer have the same - /// length. + /// Checks that all of the wires of the composer have the same length. fn check_poly_same_len(&self) -> Result<(), Error> { let k = self.q_m.len(); @@ -82,16 +92,16 @@ impl TurboComposer { && self.q_r.len() == k && self.q_c.len() == k && self.q_4.len() == k + && self.q_k.len() == k && self.q_arith.len() == k && self.q_range.len() == k && self.q_logic.len() == k && self.q_fixed_group_add.len() == k && self.q_variable_group_add.len() == k - && self.q_lookup.len() == k - && self.w_l.len() == k - && self.w_r.len() == k - && self.w_o.len() == k - && self.w_4.len() == k + && self.a_w.len() == k + && self.b_w.len() == k + && self.c_w.len() == k + && self.d_w.len() == k { Ok(()) } else { @@ -136,6 +146,10 @@ impl TurboComposer { domain_4n.coset_fft(&selectors.q_4), domain_4n, ); + let q_k_eval_4n = Evaluations::from_vec_and_domain( + domain_4n.coset_fft(&selectors.q_k), + domain_4n, + ); let q_arith_eval_4n = Evaluations::from_vec_and_domain( domain_4n.coset_fft(&selectors.q_arith), domain_4n, @@ -156,25 +170,21 @@ impl TurboComposer { domain_4n.coset_fft(&selectors.q_variable_group_add), domain_4n, ); - let q_lookup_eval_4n = Evaluations::from_vec_and_domain( - domain_4n.coset_fft(&selectors.q_lookup), - domain_4n, - ); - let left_sigma_eval_4n = Evaluations::from_vec_and_domain( - domain_4n.coset_fft(&selectors.left_sigma), + let s_sigma_1_eval_4n = Evaluations::from_vec_and_domain( + domain_4n.coset_fft(&selectors.s_sigma_1), domain_4n, ); - let right_sigma_eval_4n = Evaluations::from_vec_and_domain( - domain_4n.coset_fft(&selectors.right_sigma), + let s_sigma_2_eval_4n = Evaluations::from_vec_and_domain( + domain_4n.coset_fft(&selectors.s_sigma_2), domain_4n, ); - let out_sigma_eval_4n = Evaluations::from_vec_and_domain( - domain_4n.coset_fft(&selectors.out_sigma), + let s_sigma_3_eval_4n = Evaluations::from_vec_and_domain( + domain_4n.coset_fft(&selectors.s_sigma_3), domain_4n, ); - let fourth_sigma_eval_4n = Evaluations::from_vec_and_domain( - domain_4n.coset_fft(&selectors.fourth_sigma), + let s_sigma_4_eval_4n = Evaluations::from_vec_and_domain( + domain_4n.coset_fft(&selectors.s_sigma_4), domain_4n, ); @@ -235,10 +245,10 @@ impl TurboComposer { // Prover Key for permutation argument let permutation_prover_key = widget::permutation::ProverKey { - left_sigma: (selectors.left_sigma, left_sigma_eval_4n), - right_sigma: (selectors.right_sigma, right_sigma_eval_4n), - out_sigma: (selectors.out_sigma, out_sigma_eval_4n), - fourth_sigma: (selectors.fourth_sigma, fourth_sigma_eval_4n), + s_sigma_1: (selectors.s_sigma_1, s_sigma_1_eval_4n), + s_sigma_2: (selectors.s_sigma_2, s_sigma_2_eval_4n), + s_sigma_3: (selectors.s_sigma_3, s_sigma_3_eval_4n), + s_sigma_4: (selectors.s_sigma_4, s_sigma_4_eval_4n), linear_evaluations: linear_eval_4n, }; @@ -253,7 +263,7 @@ impl TurboComposer { // Prover key for lookup operations let lookup_prover_key = widget::lookup::ProverKey { - q_lookup: (selectors.q_lookup, q_lookup_eval_4n), + q_k: (selectors.q_k, q_k_eval_4n), table_1: ( preprocessed_table.t_1.0, preprocessed_table.t_1.2, @@ -317,7 +327,7 @@ impl TurboComposer { ) -> Result< ( widget::VerifierKey, - SelectorPolynomials, + Polynomials, PreprocessedLookupTable, EvaluationDomain, ), @@ -347,6 +357,8 @@ impl TurboComposer { Polynomial::from_coefficients_slice(&domain.ifft(&self.q_c)); let q_4_poly = Polynomial::from_coefficients_slice(&domain.ifft(&self.q_4)); + let q_k_poly = + Polynomial::from_coefficients_slice(&domain.ifft(&self.q_k)); let q_arith_poly = Polynomial::from_coefficients_slice(&domain.ifft(&self.q_arith)); let q_range_poly = @@ -359,11 +371,9 @@ impl TurboComposer { let q_variable_group_add_poly = Polynomial::from_coefficients_slice( &domain.ifft(&self.q_variable_group_add), ); - let q_lookup_poly = - Polynomial::from_coefficients_slice(&domain.ifft(&self.q_lookup)); // 2. Compute the sigma polynomials - let [left_sigma_poly, right_sigma_poly, out_sigma_poly, fourth_sigma_poly] = + let [s_sigma_1_poly, s_sigma_2_poly, s_sigma_3_poly, s_sigma_4_poly] = self.perm.compute_sigma_polynomials(self.n, &domain); let q_m_poly_commit = commit_key.commit(&q_m_poly).unwrap_or_default(); @@ -372,6 +382,7 @@ impl TurboComposer { let q_o_poly_commit = commit_key.commit(&q_o_poly).unwrap_or_default(); let q_c_poly_commit = commit_key.commit(&q_c_poly).unwrap_or_default(); let q_4_poly_commit = commit_key.commit(&q_4_poly).unwrap_or_default(); + let q_k_poly_commit = commit_key.commit(&q_k_poly).unwrap_or_default(); let q_arith_poly_commit = commit_key.commit(&q_arith_poly).unwrap_or_default(); let q_range_poly_commit = @@ -384,15 +395,13 @@ impl TurboComposer { let q_variable_group_add_poly_commit = commit_key .commit(&q_variable_group_add_poly) .unwrap_or_default(); - let q_lookup_poly_commit = - commit_key.commit(&q_lookup_poly).unwrap_or_default(); - let left_sigma_poly_commit = commit_key.commit(&left_sigma_poly)?; - let right_sigma_poly_commit = commit_key.commit(&right_sigma_poly)?; - let out_sigma_poly_commit = commit_key.commit(&out_sigma_poly)?; - let fourth_sigma_poly_commit = commit_key.commit(&fourth_sigma_poly)?; + let s_sigma_1_poly_commit = commit_key.commit(&s_sigma_1_poly)?; + let s_sigma_2_poly_commit = commit_key.commit(&s_sigma_2_poly)?; + let s_sigma_3_poly_commit = commit_key.commit(&s_sigma_3_poly)?; + let s_sigma_4_poly_commit = commit_key.commit(&s_sigma_4_poly)?; - // Preprocess the lookup table + // 3. Preprocess the lookup table, this generates T_1, T_2, T_3 and T_4 let preprocessed_table = PreprocessedLookupTable::preprocess( &self.lookup_table, commit_key, @@ -433,7 +442,7 @@ impl TurboComposer { // Verifier Key for lookup operations let lookup_verifier_key = widget::lookup::VerifierKey { - q_lookup: q_lookup_poly_commit, + q_k: q_k_poly_commit, table_1: preprocessed_table.t_1.1, table_2: preprocessed_table.t_2.1, table_3: preprocessed_table.t_3.1, @@ -441,10 +450,10 @@ impl TurboComposer { }; // Verifier Key for permutation argument let permutation_verifier_key = widget::permutation::VerifierKey { - left_sigma: left_sigma_poly_commit, - right_sigma: right_sigma_poly_commit, - out_sigma: out_sigma_poly_commit, - fourth_sigma: fourth_sigma_poly_commit, + s_sigma_1: s_sigma_1_poly_commit, + s_sigma_2: s_sigma_2_poly_commit, + s_sigma_3: s_sigma_3_poly_commit, + s_sigma_4: s_sigma_4_poly_commit, }; let verifier_key = widget::VerifierKey { @@ -458,23 +467,23 @@ impl TurboComposer { lookup: lookup_verifier_key, }; - let selectors = SelectorPolynomials { + let selectors = Polynomials { q_m: q_m_poly, q_l: q_l_poly, q_r: q_r_poly, q_o: q_o_poly, q_c: q_c_poly, q_4: q_4_poly, + q_k: q_k_poly, q_arith: q_arith_poly, q_range: q_range_poly, q_logic: q_logic_poly, q_fixed_group_add: q_fixed_group_add_poly, q_variable_group_add: q_variable_group_add_poly, - q_lookup: q_lookup_poly, - left_sigma: left_sigma_poly, - right_sigma: right_sigma_poly, - out_sigma: out_sigma_poly, - fourth_sigma: fourth_sigma_poly, + s_sigma_1: s_sigma_1_poly, + s_sigma_2: s_sigma_2_poly, + s_sigma_3: s_sigma_3_poly, + s_sigma_4: s_sigma_4_poly, }; // Add the circuit description to the transcript @@ -507,14 +516,14 @@ mod test { assert_eq!(composer.q_o.len(), size); assert_eq!(composer.q_r.len(), size); assert_eq!(composer.q_c.len(), size); + assert_eq!(composer.q_k.len(), size); assert_eq!(composer.q_arith.len(), size); assert_eq!(composer.q_range.len(), size); assert_eq!(composer.q_logic.len(), size); assert_eq!(composer.q_fixed_group_add.len(), size); assert_eq!(composer.q_variable_group_add.len(), size); - assert_eq!(composer.q_lookup.len(), size); - assert_eq!(composer.w_l.len(), size); - assert_eq!(composer.w_r.len(), size); - assert_eq!(composer.w_o.len(), size); + assert_eq!(composer.a_w.len(), size); + assert_eq!(composer.b_w.len(), size); + assert_eq!(composer.c_w.len(), size); } } diff --git a/src/proof_system/proof.rs b/src/proof_system/proof.rs index 6e54fe39..848f5ff6 100644 --- a/src/proof_system/proof.rs +++ b/src/proof_system/proof.rs @@ -10,7 +10,7 @@ //! This module contains the implementation of the `TurboComposer`s //! `Proof` structure and it's methods. -use super::linearisation_poly::ProofEvaluations; +use super::linearization_poly::ProofEvaluations; use crate::commitment_scheme::Commitment; use dusk_bytes::{DeserializableSlice, Serializable}; @@ -45,24 +45,24 @@ pub struct Proof { pub(crate) h_2_comm: Commitment, /// Commitment to the permutation polynomial. - pub(crate) z_comm: Commitment, + pub(crate) z_1_comm: Commitment, /// Commitment to the plonkup permutation polynomial. - pub(crate) p_comm: Commitment, + pub(crate) z_2_comm: Commitment, /// Commitment to the quotient polynomial. - pub(crate) t_1_comm: Commitment, + pub(crate) q_low_comm: Commitment, /// Commitment to the quotient polynomial. - pub(crate) t_2_comm: Commitment, + pub(crate) q_mid_comm: Commitment, /// Commitment to the quotient polynomial. - pub(crate) t_3_comm: Commitment, + pub(crate) q_high_comm: Commitment, /// Commitment to the quotient polynomial. - pub(crate) t_4_comm: Commitment, + pub(crate) q_4_comm: Commitment, /// Commitment to the opening polynomial. - pub(crate) w_z_comm: Commitment, + pub(crate) w_z_chall_comm: Commitment, /// Commitment to the shifted opening polynomial. - pub(crate) w_zw_comm: Commitment, + pub(crate) w_z_chall_w_comm: Commitment, /// Subset of all of the evaluations added to the proof. pub(crate) evaluations: ProofEvaluations, } @@ -85,14 +85,14 @@ impl Serializable<{ 15 * Commitment::SIZE + ProofEvaluations::SIZE }> writer.write(&self.f_comm.to_bytes()); writer.write(&self.h_1_comm.to_bytes()); writer.write(&self.h_2_comm.to_bytes()); - writer.write(&self.z_comm.to_bytes()); - writer.write(&self.p_comm.to_bytes()); - writer.write(&self.t_1_comm.to_bytes()); - writer.write(&self.t_2_comm.to_bytes()); - writer.write(&self.t_3_comm.to_bytes()); - writer.write(&self.t_4_comm.to_bytes()); - writer.write(&self.w_z_comm.to_bytes()); - writer.write(&self.w_zw_comm.to_bytes()); + writer.write(&self.z_1_comm.to_bytes()); + writer.write(&self.z_2_comm.to_bytes()); + writer.write(&self.q_low_comm.to_bytes()); + writer.write(&self.q_mid_comm.to_bytes()); + writer.write(&self.q_high_comm.to_bytes()); + writer.write(&self.q_4_comm.to_bytes()); + writer.write(&self.w_z_chall_comm.to_bytes()); + writer.write(&self.w_z_chall_w_comm.to_bytes()); writer.write(&self.evaluations.to_bytes()); buf @@ -108,14 +108,14 @@ impl Serializable<{ 15 * Commitment::SIZE + ProofEvaluations::SIZE }> let f_comm = Commitment::from_reader(&mut buffer)?; let h_1_comm = Commitment::from_reader(&mut buffer)?; let h_2_comm = Commitment::from_reader(&mut buffer)?; - let z_comm = Commitment::from_reader(&mut buffer)?; - let p_comm = Commitment::from_reader(&mut buffer)?; - let t_1_comm = Commitment::from_reader(&mut buffer)?; - let t_2_comm = Commitment::from_reader(&mut buffer)?; - let t_3_comm = Commitment::from_reader(&mut buffer)?; - let t_4_comm = Commitment::from_reader(&mut buffer)?; - let w_z_comm = Commitment::from_reader(&mut buffer)?; - let w_zw_comm = Commitment::from_reader(&mut buffer)?; + let z_1_comm = Commitment::from_reader(&mut buffer)?; + let z_2_comm = Commitment::from_reader(&mut buffer)?; + let q_low_comm = Commitment::from_reader(&mut buffer)?; + let q_mid_comm = Commitment::from_reader(&mut buffer)?; + let q_high_comm = Commitment::from_reader(&mut buffer)?; + let q_4_comm = Commitment::from_reader(&mut buffer)?; + let w_z_chall_comm = Commitment::from_reader(&mut buffer)?; + let w_z_chall_w_comm = Commitment::from_reader(&mut buffer)?; let evaluations = ProofEvaluations::from_reader(&mut buffer)?; Ok(Proof { @@ -126,14 +126,14 @@ impl Serializable<{ 15 * Commitment::SIZE + ProofEvaluations::SIZE }> f_comm, h_1_comm, h_2_comm, - z_comm, - p_comm, - t_1_comm, - t_2_comm, - t_3_comm, - t_4_comm, - w_z_comm, - w_zw_comm, + z_1_comm, + z_2_comm, + q_low_comm, + q_mid_comm, + q_high_comm, + q_4_comm, + w_z_chall_comm, + w_z_chall_w_comm, evaluations, }) } @@ -150,6 +150,7 @@ pub(crate) mod alloc { transcript::TranscriptProtocol, util::batch_inversion, }; + #[rustfmt::skip] use ::alloc::vec::Vec; use dusk_bls12_381::{ multiscalar_mul::msm_variable_base, BlsScalar, G1Affine, @@ -169,7 +170,7 @@ pub(crate) mod alloc { ) -> Result<(), Error> { let domain = EvaluationDomain::new(verifier_key.n)?; - // Subgroup checks are done when the proof is deserialised. + // Subgroup checks are done when the proof is deserialized. // In order for the Verifier and Prover to have the same view in the // non-interactive setting Both parties must commit the same @@ -179,10 +180,10 @@ pub(crate) mod alloc { // same challenges // // Add commitment to witness polynomials to transcript - transcript.append_commitment(b"w_l", &self.a_comm); - transcript.append_commitment(b"w_r", &self.b_comm); - transcript.append_commitment(b"w_o", &self.c_comm); - transcript.append_commitment(b"w_4", &self.d_comm); + transcript.append_commitment(b"a_w", &self.a_comm); + transcript.append_commitment(b"b_w", &self.b_comm); + transcript.append_commitment(b"c_w", &self.c_comm); + transcript.append_commitment(b"d_w", &self.d_comm); // Compute zeta compression challenge let zeta = transcript.challenge_scalar(b"zeta"); @@ -190,6 +191,10 @@ pub(crate) mod alloc { // Add f_poly commitment to transcript transcript.append_commitment(b"f", &self.f_comm); + // Add h polynomials to transcript + transcript.append_commitment(b"h1", &self.h_1_comm); + transcript.append_commitment(b"h2", &self.h_2_comm); + // Compute beta and gamma challenges let beta = transcript.challenge_scalar(b"beta"); transcript.append_scalar(b"beta", &beta); @@ -199,17 +204,10 @@ pub(crate) mod alloc { let epsilon = transcript.challenge_scalar(b"epsilon"); // Add commitment to permutation polynomial to transcript - transcript.append_commitment(b"z", &self.z_comm); - - // Compute evaluation challenge - let z_challenge = transcript.challenge_scalar(b"z_challenge"); - - // Add h polynomials to transcript - transcript.append_commitment(b"h1", &self.h_1_comm); - transcript.append_commitment(b"h2", &self.h_2_comm); + transcript.append_commitment(b"z_1", &self.z_1_comm); // Add permutation polynomial commitment to transcript - transcript.append_commitment(b"p", &self.p_comm); + transcript.append_commitment(b"z_2", &self.z_2_comm); // Compute quotient challenge let alpha = transcript.challenge_scalar(b"alpha"); @@ -225,29 +223,32 @@ pub(crate) mod alloc { transcript.challenge_scalar(b"lookup challenge"); // Add commitment to quotient polynomial to transcript - transcript.append_commitment(b"t_1", &self.t_1_comm); - transcript.append_commitment(b"t_2", &self.t_2_comm); - transcript.append_commitment(b"t_3", &self.t_3_comm); - transcript.append_commitment(b"t_4", &self.t_4_comm); + transcript.append_commitment(b"q_low", &self.q_low_comm); + transcript.append_commitment(b"q_mid", &self.q_mid_comm); + transcript.append_commitment(b"q_high", &self.q_high_comm); + transcript.append_commitment(b"q_4", &self.q_4_comm); + + // Compute evaluation challenge z + let z_challenge = transcript.challenge_scalar(b"z_challenge"); - // Compute zero polynomial evaluated at `z_challenge` + // Compute zero polynomial evaluated at challenge `z` let z_h_eval = domain.evaluate_vanishing_polynomial(&z_challenge); - // Compute first lagrange polynomial evaluated at `z_challenge` + // Compute first lagrange polynomial evaluated at challenge `z` let l1_eval = compute_first_lagrange_evaluation( &domain, &z_h_eval, &z_challenge, ); - let table_comm = Commitment(G1Affine::from( + let t_prime_comm = Commitment(G1Affine::from( verifier_key.lookup.table_1.0 + verifier_key.lookup.table_2.0 * zeta + verifier_key.lookup.table_3.0 * zeta * zeta + verifier_key.lookup.table_4.0 * zeta * zeta * zeta, )); - // Compute quotient polynomial evaluated at `z_challenge` + // Compute quotient polynomial evaluated at challenge `z` let t_eval = self.compute_quotient_evaluation( &domain, pub_inputs, @@ -281,26 +282,23 @@ pub(crate) mod alloc { transcript .append_scalar(b"d_next_eval", &self.evaluations.d_next_eval); transcript.append_scalar( - b"left_sig_eval", - &self.evaluations.left_sigma_eval, + b"s_sigma_1_eval", + &self.evaluations.s_sigma_1_eval, ); transcript.append_scalar( - b"right_sig_eval", - &self.evaluations.right_sigma_eval, + b"s_sigma_2_eval", + &self.evaluations.s_sigma_2_eval, ); transcript.append_scalar( - b"out_sig_eval", - &self.evaluations.out_sigma_eval, + b"s_sigma_3_eval", + &self.evaluations.s_sigma_3_eval, ); transcript .append_scalar(b"q_arith_eval", &self.evaluations.q_arith_eval); transcript.append_scalar(b"q_c_eval", &self.evaluations.q_c_eval); transcript.append_scalar(b"q_l_eval", &self.evaluations.q_l_eval); transcript.append_scalar(b"q_r_eval", &self.evaluations.q_r_eval); - transcript.append_scalar( - b"q_lookup_eval", - &self.evaluations.q_lookup_eval, - ); + transcript.append_scalar(b"q_k_eval", &self.evaluations.q_k_eval); transcript.append_scalar(b"perm_eval", &self.evaluations.perm_eval); transcript.append_scalar( b"lookup_perm_eval", @@ -313,11 +311,10 @@ pub(crate) mod alloc { ); transcript.append_scalar(b"h_2_eval", &self.evaluations.h_2_eval); transcript.append_scalar(b"t_eval", &t_eval); - transcript - .append_scalar(b"r_eval", &self.evaluations.lin_poly_eval); + transcript.append_scalar(b"r_eval", &self.evaluations.r_poly_eval); - // Compute linearisation commitment - let r_comm = self.compute_linearisation_commitment( + // Compute linearization commitment + let r_comm = self.compute_linearization_commitment( &alpha, &beta, &gamma, @@ -333,8 +330,8 @@ pub(crate) mod alloc { ), &z_challenge, l1_eval, - self.evaluations.table_eval, - self.evaluations.table_next_eval, + self.evaluations.t_prime_eval, + self.evaluations.t_prime_next_eval, verifier_key, ); @@ -342,46 +339,47 @@ pub(crate) mod alloc { // Now we delegate computation to the commitment scheme by batch // checking two proofs The `AggregateProof`, which is a // proof that all the necessary polynomials evaluated at - // `z_challenge` are correct and a `SingleProof` which + // challenge `z` are correct and a `SingleProof` which // is proof that the permutation polynomial evaluated at the shifted // root of unity is correct // Compose the Aggregated Proof // let mut aggregate_proof = - AggregateProof::with_witness(self.w_z_comm); + AggregateProof::with_witness(self.w_z_chall_comm); aggregate_proof.add_part((t_eval, t_comm)); - aggregate_proof.add_part((self.evaluations.lin_poly_eval, r_comm)); + aggregate_proof.add_part((self.evaluations.r_poly_eval, r_comm)); aggregate_proof.add_part((self.evaluations.a_eval, self.a_comm)); aggregate_proof.add_part((self.evaluations.b_eval, self.b_comm)); aggregate_proof.add_part((self.evaluations.c_eval, self.c_comm)); aggregate_proof.add_part((self.evaluations.d_eval, self.d_comm)); aggregate_proof.add_part(( - self.evaluations.left_sigma_eval, - verifier_key.permutation.left_sigma, + self.evaluations.s_sigma_1_eval, + verifier_key.permutation.s_sigma_1, )); aggregate_proof.add_part(( - self.evaluations.right_sigma_eval, - verifier_key.permutation.right_sigma, + self.evaluations.s_sigma_2_eval, + verifier_key.permutation.s_sigma_2, )); aggregate_proof.add_part(( - self.evaluations.out_sigma_eval, - verifier_key.permutation.out_sigma, + self.evaluations.s_sigma_3_eval, + verifier_key.permutation.s_sigma_3, )); aggregate_proof.add_part((self.evaluations.f_eval, self.f_comm)); aggregate_proof .add_part((self.evaluations.h_1_eval, self.h_1_comm)); aggregate_proof .add_part((self.evaluations.h_2_eval, self.h_2_comm)); - aggregate_proof.add_part((self.evaluations.table_eval, table_comm)); + aggregate_proof + .add_part((self.evaluations.t_prime_eval, t_prime_comm)); // Flatten proof with opening challenge let flattened_proof_a = aggregate_proof.flatten(transcript); // Compose the shifted aggregate proof let mut shifted_aggregate_proof = - AggregateProof::with_witness(self.w_zw_comm); + AggregateProof::with_witness(self.w_z_chall_w_comm); shifted_aggregate_proof - .add_part((self.evaluations.perm_eval, self.z_comm)); + .add_part((self.evaluations.perm_eval, self.z_1_comm)); shifted_aggregate_proof .add_part((self.evaluations.a_next_eval, self.a_comm)); shifted_aggregate_proof @@ -391,13 +389,13 @@ pub(crate) mod alloc { shifted_aggregate_proof .add_part((self.evaluations.h_1_next_eval, self.h_1_comm)); shifted_aggregate_proof - .add_part((self.evaluations.lookup_perm_eval, self.p_comm)); + .add_part((self.evaluations.lookup_perm_eval, self.z_2_comm)); shifted_aggregate_proof - .add_part((self.evaluations.table_next_eval, table_comm)); + .add_part((self.evaluations.t_prime_next_eval, t_prime_comm)); let flattened_proof_b = shifted_aggregate_proof.flatten(transcript); // Add commitment to openings to transcript - transcript.append_commitment(b"w_z", &self.w_z_comm); - transcript.append_commitment(b"w_z_w", &self.w_zw_comm); + transcript.append_commitment(b"w_z", &self.w_z_chall_comm); + transcript.append_commitment(b"w_z_w", &self.w_z_chall_w_comm); // Batch check if opening_key .batch_check( @@ -429,7 +427,7 @@ pub(crate) mod alloc { z_hat_eval: &BlsScalar, lookup_sep_challenge: &BlsScalar, ) -> BlsScalar { - // Compute the public input polynomial evaluated at `z_challenge` + // Compute the public input polynomial evaluated at challenge `z` let pi_eval = compute_barycentric_eval(pub_inputs, z_challenge, domain); @@ -444,18 +442,18 @@ pub(crate) mod alloc { let epsilon_one_plus_delta = epsilon * (BlsScalar::one() + delta); // r + PI(z) - let a = self.evaluations.lin_poly_eval + pi_eval; + let a = self.evaluations.r_poly_eval + pi_eval; // a + beta * sigma_1 + gamma - let beta_sig1 = beta * self.evaluations.left_sigma_eval; + let beta_sig1 = beta * self.evaluations.s_sigma_1_eval; let b_0 = self.evaluations.a_eval + beta_sig1 + gamma; - // b+ beta * sigma_2 + gamma - let beta_sig2 = beta * self.evaluations.right_sigma_eval; + // b + beta * sigma_2 + gamma + let beta_sig2 = beta * self.evaluations.s_sigma_2_eval; let b_1 = self.evaluations.b_eval + beta_sig2 + gamma; - // c+ beta * sigma_3 + gamma - let beta_sig3 = beta * self.evaluations.out_sigma_eval; + // c + beta * sigma_3 + gamma + let beta_sig3 = beta * self.evaluations.s_sigma_3_eval; let b_2 = self.evaluations.c_eval + beta_sig3 + gamma; // ((d + gamma) * z_hat) * alpha_0 @@ -492,16 +490,16 @@ pub(crate) mod alloc { let z_n = z_challenge.pow(&[n as u64, 0, 0, 0]); let z_two_n = z_challenge.pow(&[2 * n as u64, 0, 0, 0]); let z_three_n = z_challenge.pow(&[3 * n as u64, 0, 0, 0]); - let t_comm = self.t_1_comm.0 - + self.t_2_comm.0 * z_n - + self.t_3_comm.0 * z_two_n - + self.t_4_comm.0 * z_three_n; + let t_comm = self.q_low_comm.0 + + self.q_mid_comm.0 * z_n + + self.q_high_comm.0 * z_two_n + + self.q_4_comm.0 * z_three_n; Commitment::from(t_comm) } // Commitment to [r]_1 #[allow(clippy::too_many_arguments)] - fn compute_linearisation_commitment( + fn compute_linearization_commitment( &self, alpha: &BlsScalar, beta: &BlsScalar, @@ -531,41 +529,41 @@ pub(crate) mod alloc { let mut scalars: Vec<_> = Vec::with_capacity(6); let mut points: Vec = Vec::with_capacity(6); - verifier_key.arithmetic.compute_linearisation_commitment( + verifier_key.arithmetic.compute_linearization_commitment( &mut scalars, &mut points, &self.evaluations, ); - verifier_key.range.compute_linearisation_commitment( + verifier_key.range.compute_linearization_commitment( range_sep_challenge, &mut scalars, &mut points, &self.evaluations, ); - verifier_key.logic.compute_linearisation_commitment( + verifier_key.logic.compute_linearization_commitment( logic_sep_challenge, &mut scalars, &mut points, &self.evaluations, ); - verifier_key.fixed_base.compute_linearisation_commitment( + verifier_key.fixed_base.compute_linearization_commitment( fixed_base_sep_challenge, &mut scalars, &mut points, &self.evaluations, ); - verifier_key.variable_base.compute_linearisation_commitment( + verifier_key.variable_base.compute_linearization_commitment( var_base_sep_challenge, &mut scalars, &mut points, &self.evaluations, ); - verifier_key.lookup.compute_linearisation_commitment( + verifier_key.lookup.compute_linearization_commitment( lookup_sep_challenge, &mut scalars, &mut points, @@ -576,17 +574,17 @@ pub(crate) mod alloc { &t_eval, &t_next_eval, self.h_2_comm.0, - self.p_comm.0, + self.z_2_comm.0, ); - verifier_key.permutation.compute_linearisation_commitment( + verifier_key.permutation.compute_linearization_commitment( &mut scalars, &mut points, &self.evaluations, z_challenge, (alpha, beta, gamma), &l1_eval, - self.z_comm.0, + self.z_1_comm.0, ); Commitment::from(msm_variable_base(&points, &scalars)) @@ -674,14 +672,14 @@ mod proof_tests { f_comm: Commitment::default(), h_1_comm: Commitment::default(), h_2_comm: Commitment::default(), - z_comm: Commitment::default(), - p_comm: Commitment::default(), - t_1_comm: Commitment::default(), - t_2_comm: Commitment::default(), - t_3_comm: Commitment::default(), - t_4_comm: Commitment::default(), - w_z_comm: Commitment::default(), - w_zw_comm: Commitment::default(), + z_1_comm: Commitment::default(), + z_2_comm: Commitment::default(), + q_low_comm: Commitment::default(), + q_mid_comm: Commitment::default(), + q_high_comm: Commitment::default(), + q_4_comm: Commitment::default(), + w_z_chall_comm: Commitment::default(), + w_z_chall_w_comm: Commitment::default(), evaluations: ProofEvaluations { a_eval: BlsScalar::random(&mut OsRng), b_eval: BlsScalar::random(&mut OsRng), @@ -694,19 +692,19 @@ mod proof_tests { q_c_eval: BlsScalar::random(&mut OsRng), q_l_eval: BlsScalar::random(&mut OsRng), q_r_eval: BlsScalar::random(&mut OsRng), - q_lookup_eval: BlsScalar::random(&mut OsRng), - left_sigma_eval: BlsScalar::random(&mut OsRng), - right_sigma_eval: BlsScalar::random(&mut OsRng), - out_sigma_eval: BlsScalar::random(&mut OsRng), - lin_poly_eval: BlsScalar::random(&mut OsRng), + q_k_eval: BlsScalar::random(&mut OsRng), + s_sigma_1_eval: BlsScalar::random(&mut OsRng), + s_sigma_2_eval: BlsScalar::random(&mut OsRng), + s_sigma_3_eval: BlsScalar::random(&mut OsRng), + r_poly_eval: BlsScalar::random(&mut OsRng), perm_eval: BlsScalar::random(&mut OsRng), lookup_perm_eval: BlsScalar::random(&mut OsRng), h_1_eval: BlsScalar::random(&mut OsRng), h_1_next_eval: BlsScalar::random(&mut OsRng), h_2_eval: BlsScalar::random(&mut OsRng), f_eval: BlsScalar::random(&mut OsRng), - table_eval: BlsScalar::random(&mut OsRng), - table_next_eval: BlsScalar::random(&mut OsRng), + t_prime_eval: BlsScalar::random(&mut OsRng), + t_prime_next_eval: BlsScalar::random(&mut OsRng), }, }; diff --git a/src/proof_system/prover.rs b/src/proof_system/prover.rs index 8a54cb41..ad3c684e 100644 --- a/src/proof_system/prover.rs +++ b/src/proof_system/prover.rs @@ -11,7 +11,7 @@ use crate::{ fft::{EvaluationDomain, Polynomial}, plonkup::MultiSet, proof_system::{ - linearisation_poly, proof::Proof, quotient_poly, ProverKey, + linearization_poly, proof::Proof, quotient_poly, ProverKey, }, transcript::TranscriptProtocol, }; @@ -99,10 +99,10 @@ impl Prover { /// Computes the quotient Opening [`Polynomial`]. fn compute_quotient_opening_poly( n: usize, - t_1_poly: &Polynomial, - t_2_poly: &Polynomial, - t_3_poly: &Polynomial, - t_4_poly: &Polynomial, + q_low_poly: &Polynomial, + q_mid_poly: &Polynomial, + q_high_poly: &Polynomial, + q_4_poly: &Polynomial, z_challenge: &BlsScalar, ) -> Polynomial { // Compute z^n , z^2n , z^3n @@ -110,10 +110,10 @@ impl Prover { let z_two_n = z_challenge.pow(&[2 * n as u64, 0, 0, 0]); let z_three_n = z_challenge.pow(&[3 * n as u64, 0, 0, 0]); - let a = t_1_poly; - let b = t_2_poly * &z_n; - let c = t_3_poly * &z_two_n; - let d = t_4_poly * &z_three_n; + let a = q_low_poly; + let b = q_mid_poly * &z_n; + let c = q_high_poly * &z_two_n; + let d = q_4_poly * &z_three_n; let abc = &(a + &b) + &c; &abc + &d } @@ -146,7 +146,9 @@ impl Prover { } /// Creates a [`Proof]` that demonstrates that a circuit is satisfied. + /// /// # Note + /// /// If you intend to construct multiple [`Proof`]s with different witnesses, /// after calling this method, the user should then call /// [`Prover::clear_witness`]. @@ -163,47 +165,48 @@ impl Prover { self.cs.lookup_table.0.len(), ))?; - // Since the caller is passing a pre-processed circuit - // We assume that the Transcript has been seeded with the preprocessed - // Commitments + // Since the caller is passing a pre-processed circuit we assume that + // the Transcript has been seeded with the preprocessed commitments let mut transcript = self.preprocessed_transcript.clone(); - // 1. Compute witness Polynomials - // - // Convert Witness to BlsScalars padding them to the - // correct domain size. - let pad = vec![BlsScalar::zero(); domain.size() - self.cs.w_l.len()]; - let w_l_scalar = &[&self.to_scalars(&self.cs.w_l)[..], &pad].concat(); - let w_r_scalar = &[&self.to_scalars(&self.cs.w_r)[..], &pad].concat(); - let w_o_scalar = &[&self.to_scalars(&self.cs.w_o)[..], &pad].concat(); - let w_4_scalar = &[&self.to_scalars(&self.cs.w_4)[..], &pad].concat(); - - // make sure q_lookup is also the right size for constructing f - let padded_q_lookup = [&self.cs.q_lookup[..], &pad].concat(); - - // Witnesses are now in evaluation form, convert them to coefficients - // So that we may commit to them - let w_l_poly = - Polynomial::from_coefficients_vec(domain.ifft(w_l_scalar)); - let w_r_poly = - Polynomial::from_coefficients_vec(domain.ifft(w_r_scalar)); - let w_o_poly = - Polynomial::from_coefficients_vec(domain.ifft(w_o_scalar)); - let w_4_poly = - Polynomial::from_coefficients_vec(domain.ifft(w_4_scalar)); - - // Commit to witness polynomials - let w_l_poly_commit = commit_key.commit(&w_l_poly)?; - let w_r_poly_commit = commit_key.commit(&w_r_poly)?; - let w_o_poly_commit = commit_key.commit(&w_o_poly)?; - let w_4_poly_commit = commit_key.commit(&w_4_poly)?; - - // Add witness polynomial commitments to transcript - transcript.append_commitment(b"w_l", &w_l_poly_commit); - transcript.append_commitment(b"w_r", &w_r_poly_commit); - transcript.append_commitment(b"w_o", &w_o_poly_commit); - transcript.append_commitment(b"w_4", &w_4_poly_commit); - + //** ROUND 1 ********************************************************** + // Convert wires to BlsScalars padding them to the correct domain size. + // Note that `d_w` is added for the additional selector for 3-input + // gates `q_4`. + let pad = vec![BlsScalar::zero(); domain.size() - self.cs.a_w.len()]; + let a_w_scalar = &[&self.to_scalars(&self.cs.a_w)[..], &pad].concat(); + let b_w_scalar = &[&self.to_scalars(&self.cs.b_w)[..], &pad].concat(); + let c_w_scalar = &[&self.to_scalars(&self.cs.c_w)[..], &pad].concat(); + let d_w_scalar = &[&self.to_scalars(&self.cs.d_w)[..], &pad].concat(); + + // Make sure q_k is also the right size for constructing f + let padded_q_k = [&self.cs.q_k[..], &pad].concat(); + + // Wires are now in evaluation form, convert them to coefficients so + // that we may commit to them + let a_w_poly = + Polynomial::from_coefficients_vec(domain.ifft(a_w_scalar)); + let b_w_poly = + Polynomial::from_coefficients_vec(domain.ifft(b_w_scalar)); + let c_w_poly = + Polynomial::from_coefficients_vec(domain.ifft(c_w_scalar)); + let d_w_poly = + Polynomial::from_coefficients_vec(domain.ifft(d_w_scalar)); + + // Commit to wire polynomials + // ([a(x)]_1, [b(x)]_1, [c(x)]_1, [d(x)]_1) + let a_w_poly_commit = commit_key.commit(&a_w_poly)?; + let b_w_poly_commit = commit_key.commit(&b_w_poly)?; + let c_w_poly_commit = commit_key.commit(&c_w_poly)?; + let d_w_poly_commit = commit_key.commit(&d_w_poly)?; + + // Add wire polynomial commitments to transcript + transcript.append_commitment(b"a_w", &a_w_poly_commit); + transcript.append_commitment(b"b_w", &b_w_poly_commit); + transcript.append_commitment(b"c_w", &c_w_poly_commit); + transcript.append_commitment(b"d_w", &d_w_poly_commit); + + //** ROUND 2 ********************************************************** // Generate table compression factor let zeta = transcript.challenge_scalar(b"zeta"); @@ -218,35 +221,35 @@ impl Prover { zeta, ); - // Compute table poly - let table_poly = Polynomial::from_coefficients_vec( + // Compute t' + let t_prime_poly = Polynomial::from_coefficients_vec( domain.ifft(&compressed_t_multiset.0), ); // Compute table f - // When q_lookup[i] is zero the wire value is replaced with a dummy + // When q_k[i] is zero the wire value is replaced with a dummy // value Currently set as the first row of the public table - // If q_lookup is one the wire values are preserved - let f_1_scalar = w_l_scalar + // If q_k is one the wire values are preserved + let f_1_scalar = a_w_scalar .iter() - .zip(&padded_q_lookup) + .zip(&padded_q_k) .map(|(w, s)| { w * s + (BlsScalar::one() - s) * compressed_t_multiset.0[0] }) .collect::>(); - let f_2_scalar = w_r_scalar + let f_2_scalar = b_w_scalar .iter() - .zip(&padded_q_lookup) + .zip(&padded_q_k) .map(|(w, s)| w * s) .collect::>(); - let f_3_scalar = w_o_scalar + let f_3_scalar = c_w_scalar .iter() - .zip(&padded_q_lookup) + .zip(&padded_q_k) .map(|(w, s)| w * s) .collect::>(); - let f_4_scalar = w_4_scalar + let f_4_scalar = d_w_scalar .iter() - .zip(&padded_q_lookup) + .zip(&padded_q_k) .map(|(w, s)| w * s) .collect::>(); @@ -272,47 +275,6 @@ impl Prover { // Add f_poly commitment to transcript transcript.append_commitment(b"f", &f_poly_commit); - // 2. Compute permutation polynomial - // - // - // Compute permutation challenges; `beta`, `gamma`, `delta` and - // `epsilon`. - let beta = transcript.challenge_scalar(b"beta"); - transcript.append_scalar(b"beta", &beta); - let gamma = transcript.challenge_scalar(b"gamma"); - let delta = transcript.challenge_scalar(b"delta"); - let epsilon = transcript.challenge_scalar(b"epsilon"); - - let z_poly = Polynomial::from_coefficients_slice( - &self.cs.perm.compute_permutation_poly( - &domain, - [w_l_scalar, w_r_scalar, w_o_scalar, w_4_scalar], - &beta, - &gamma, - [ - &prover_key.permutation.left_sigma.0, - &prover_key.permutation.right_sigma.0, - &prover_key.permutation.out_sigma.0, - &prover_key.permutation.fourth_sigma.0, - ], - ), - ); - - // Commit to permutation polynomial - // - let z_poly_commit = commit_key.commit(&z_poly)?; - - // Add commitment to permutation polynomial to transcript - transcript.append_commitment(b"z", &z_poly_commit); - - // 3. Compute public inputs polynomial - let pi_poly = Polynomial::from_coefficients_vec( - domain.ifft(&self.cs.to_dense_public_inputs()), - ); - - // Compute evaluation challenge; `z` - let z_challenge = transcript.challenge_scalar(b"z_challenge"); - // Compute s, as the sorted and concatenated version of f and t let s = compressed_t_multiset .sorted_concat(&compressed_f_multiset) @@ -333,8 +295,37 @@ impl Prover { transcript.append_commitment(b"h1", &h_1_poly_commit); transcript.append_commitment(b"h2", &h_2_poly_commit); + //** ROUND 3 ********************************************************** + // Permutation challenges + let beta = transcript.challenge_scalar(b"beta"); + transcript.append_scalar(b"beta", &beta); + let gamma = transcript.challenge_scalar(b"gamma"); + let delta = transcript.challenge_scalar(b"delta"); + let epsilon = transcript.challenge_scalar(b"epsilon"); + + let z_1_poly = Polynomial::from_coefficients_slice( + &self.cs.perm.compute_permutation_poly( + &domain, + [a_w_scalar, b_w_scalar, c_w_scalar, d_w_scalar], + &beta, + &gamma, + [ + &prover_key.permutation.s_sigma_1.0, + &prover_key.permutation.s_sigma_2.0, + &prover_key.permutation.s_sigma_3.0, + &prover_key.permutation.s_sigma_4.0, + ], + ), + ); + + // Commit to permutation polynomial + let z_1_poly_commit = commit_key.commit(&z_1_poly)?; + + // Add commitment to permutation polynomial to transcript + transcript.append_commitment(b"z_1", &z_1_poly_commit); + // Compute lookup permutation poly - let p_poly = Polynomial::from_coefficients_slice( + let z_2_poly = Polynomial::from_coefficients_slice( &self.cs.perm.compute_lookup_permutation_poly( &domain, &compressed_f_multiset.0, @@ -347,15 +338,13 @@ impl Prover { ); // Commit to permutation polynomial - // - let p_poly_commit = commit_key.commit(&p_poly)?; + let z_2_poly_commit = commit_key.commit(&z_2_poly)?; // Add permutation polynomial commitment to transcript - transcript.append_commitment(b"p", &p_poly_commit); + transcript.append_commitment(b"z_2", &z_2_poly_commit); - // 4. Compute quotient polynomial - // - // Compute quotient challenge; `alpha` + //** ROUND 4 ********************************************************** + // Compute quotient challenge 'alpha' let alpha = transcript.challenge_scalar(b"alpha"); let range_sep_challenge = transcript.challenge_scalar(b"range separation challenge"); @@ -368,14 +357,20 @@ impl Prover { let lookup_sep_challenge = transcript.challenge_scalar(b"lookup challenge"); - let t_poly = quotient_poly::compute( + // Compute public inputs polynomial + let pi_poly = Polynomial::from_coefficients_vec( + domain.ifft(&self.cs.to_dense_public_inputs()), + ); + + // Compute quotient polynomial + let q_poly = quotient_poly::compute( &domain, prover_key, - &z_poly, - &p_poly, - (&w_l_poly, &w_r_poly, &w_o_poly, &w_4_poly), + &z_1_poly, + &z_2_poly, + (&a_w_poly, &b_w_poly, &c_w_poly, &d_w_poly), &f_poly, - &table_poly, + &t_prime_poly, &h_1_poly, &h_2_poly, &pi_poly, @@ -395,25 +390,31 @@ impl Prover { )?; // Split quotient polynomial into 4 degree `n` polynomials - let (t_1_poly, t_2_poly, t_3_poly, t_4_poly) = - self.split_tx_poly(domain.size(), &t_poly); + let (q_low_poly, q_mid_poly, q_high_poly, q_4_poly) = + self.split_tx_poly(domain.size(), &q_poly); - // Commit to splitted quotient polynomial - let t_1_commit = commit_key.commit(&t_1_poly)?; - let t_2_commit = commit_key.commit(&t_2_poly)?; - let t_3_commit = commit_key.commit(&t_3_poly)?; - let t_4_commit = commit_key.commit(&t_4_poly)?; + // Commit to split quotient polynomial + let q_low_commit = commit_key.commit(&q_low_poly)?; + let q_mid_commit = commit_key.commit(&q_mid_poly)?; + let q_high_commit = commit_key.commit(&q_high_poly)?; + let q_4_commit = commit_key.commit(&q_4_poly)?; // Add quotient polynomial commitments to transcript - transcript.append_commitment(b"t_1", &t_1_commit); - transcript.append_commitment(b"t_2", &t_2_commit); - transcript.append_commitment(b"t_3", &t_3_commit); - transcript.append_commitment(b"t_4", &t_4_commit); + transcript.append_commitment(b"q_low", &q_low_commit); + transcript.append_commitment(b"q_mid", &q_mid_commit); + transcript.append_commitment(b"q_high", &q_high_commit); + transcript.append_commitment(b"q_4", &q_4_commit); - // 4. Compute linearisation polynomial - // + //** ROUND 5 ********************************************************** + // Compute evaluation challenge 'z' + let z_challenge = transcript.challenge_scalar(b"z_challenge"); + // the evaluations are computed altogether in next round - let (lin_poly, evaluations) = linearisation_poly::compute( + //** ROUND 6 ********************************************************** + // Compute linearization polynomial + // We compute also `f_eval`, `t_eval`, `t_prime_eval` and + // `t_prime_next_eval` when creating the linearization poly. + let (r_poly, evaluations) = linearization_poly::compute( &domain, prover_key, &( @@ -430,20 +431,24 @@ impl Prover { lookup_sep_challenge, z_challenge, ), - &w_l_poly, - &w_r_poly, - &w_o_poly, - &w_4_poly, - &t_poly, - &z_poly, + &a_w_poly, + &b_w_poly, + &c_w_poly, + &d_w_poly, + &q_poly, + &z_1_poly, &f_poly, &h_1_poly, &h_2_poly, - &table_poly, - &p_poly, + &t_prime_poly, + &z_2_poly, ); - // Add evaluations to transcript + // Add evaluations to transcript. + // Part of these are from round 5 in the paper. + // Note that even tough some of the evaluations are not added to the + // transcript, they are still sent as part of the `Proof` in the return + // value. transcript.append_scalar(b"a_eval", &evaluations.proof.a_eval); transcript.append_scalar(b"b_eval", &evaluations.proof.b_eval); transcript.append_scalar(b"c_eval", &evaluations.proof.c_eval); @@ -455,22 +460,23 @@ impl Prover { transcript .append_scalar(b"d_next_eval", &evaluations.proof.d_next_eval); transcript.append_scalar( - b"left_sig_eval", - &evaluations.proof.left_sigma_eval, + b"s_sigma_1_eval", + &evaluations.proof.s_sigma_1_eval, ); transcript.append_scalar( - b"right_sig_eval", - &evaluations.proof.right_sigma_eval, + b"s_sigma_2_eval", + &evaluations.proof.s_sigma_2_eval, + ); + transcript.append_scalar( + b"s_sigma_3_eval", + &evaluations.proof.s_sigma_3_eval, ); - transcript - .append_scalar(b"out_sig_eval", &evaluations.proof.out_sigma_eval); transcript .append_scalar(b"q_arith_eval", &evaluations.proof.q_arith_eval); transcript.append_scalar(b"q_c_eval", &evaluations.proof.q_c_eval); transcript.append_scalar(b"q_l_eval", &evaluations.proof.q_l_eval); transcript.append_scalar(b"q_r_eval", &evaluations.proof.q_r_eval); - transcript - .append_scalar(b"q_lookup_eval", &evaluations.proof.q_lookup_eval); + transcript.append_scalar(b"q_k_eval", &evaluations.proof.q_k_eval); transcript.append_scalar(b"perm_eval", &evaluations.proof.perm_eval); transcript.append_scalar( b"lookup_perm_eval", @@ -480,79 +486,83 @@ impl Prover { transcript .append_scalar(b"h_1_next_eval", &evaluations.proof.h_1_next_eval); transcript.append_scalar(b"h_2_eval", &evaluations.proof.h_2_eval); - transcript.append_scalar(b"t_eval", &evaluations.quot_eval); - transcript.append_scalar(b"r_eval", &evaluations.proof.lin_poly_eval); + transcript.append_scalar(b"t_eval", &evaluations.t_eval); + transcript.append_scalar(b"r_eval", &evaluations.proof.r_poly_eval); - // 5. Compute Openings using KZG10 - // - // We merge the quotient polynomial using the `z_challenge` so the SRS + // Compute Openings using KZG10 + // We merge the quotient polynomial using the challenge z so the SRS // is linear in the circuit size `n` let quot = Self::compute_quotient_opening_poly( domain.size(), - &t_1_poly, - &t_2_poly, - &t_3_poly, - &t_4_poly, + &q_low_poly, + &q_mid_poly, + &q_high_poly, + &q_4_poly, &z_challenge, ); // Compute aggregate witness to polynomials evaluated at the evaluation - // challenge `z` + // challenge z. The challenge v is selected inside let aggregate_witness = commit_key.compute_aggregate_witness( &[ quot, - lin_poly, - w_l_poly.clone(), - w_r_poly.clone(), - w_o_poly, - w_4_poly.clone(), - prover_key.permutation.left_sigma.0.clone(), - prover_key.permutation.right_sigma.0.clone(), - prover_key.permutation.out_sigma.0.clone(), + r_poly, + a_w_poly.clone(), + b_w_poly.clone(), + c_w_poly, + d_w_poly.clone(), + prover_key.permutation.s_sigma_1.0.clone(), + prover_key.permutation.s_sigma_2.0.clone(), + prover_key.permutation.s_sigma_3.0.clone(), f_poly, h_1_poly.clone(), h_2_poly, - table_poly.clone(), + t_prime_poly.clone(), ], &z_challenge, &mut transcript, ); - let w_z_comm = commit_key.commit(&aggregate_witness)?; + let w_z_chall_comm = commit_key.commit(&aggregate_witness)?; // Compute aggregate witness to polynomials evaluated at the shifted // evaluation challenge let shifted_aggregate_witness = commit_key.compute_aggregate_witness( &[ - z_poly, w_l_poly, w_r_poly, w_4_poly, h_1_poly, p_poly, - table_poly, + z_1_poly, + a_w_poly, + b_w_poly, + d_w_poly, + h_1_poly, + z_2_poly, + t_prime_poly, ], &(z_challenge * domain.group_gen), &mut transcript, ); - let w_zx_comm = commit_key.commit(&shifted_aggregate_witness)?; + let w_z_chall_w_comm = commit_key.commit(&shifted_aggregate_witness)?; // Create Proof Ok(Proof { - a_comm: w_l_poly_commit, - b_comm: w_r_poly_commit, - c_comm: w_o_poly_commit, - d_comm: w_4_poly_commit, + a_comm: a_w_poly_commit, + b_comm: b_w_poly_commit, + c_comm: c_w_poly_commit, + d_comm: d_w_poly_commit, f_comm: f_poly_commit, h_1_comm: h_1_poly_commit, h_2_comm: h_2_poly_commit, - z_comm: z_poly_commit, - p_comm: p_poly_commit, + z_1_comm: z_1_poly_commit, + z_2_comm: z_2_poly_commit, - t_1_comm: t_1_commit, - t_2_comm: t_2_commit, - t_3_comm: t_3_commit, - t_4_comm: t_4_commit, + q_low_comm: q_low_commit, + q_mid_comm: q_mid_commit, + q_high_comm: q_high_commit, + q_4_comm: q_4_commit, - w_z_comm, - w_zw_comm: w_zx_comm, + w_z_chall_comm, + w_z_chall_w_comm, evaluations: evaluations.proof, }) diff --git a/src/proof_system/quotient_poly.rs b/src/proof_system/quotient_poly.rs index 5e162803..d2e9637b 100644 --- a/src/proof_system/quotient_poly.rs +++ b/src/proof_system/quotient_poly.rs @@ -21,7 +21,7 @@ pub(crate) fn compute( prover_key: &ProverKey, z_poly: &Polynomial, p_poly: &Polynomial, - (w_l_poly, w_r_poly, w_o_poly, w_4_poly): ( + (a_w_poly, b_w_poly, c_w_poly, d_w_poly): ( &Polynomial, &Polynomial, &Polynomial, @@ -98,23 +98,23 @@ pub(crate) fn compute( h_2_eval_4n.push(h_2_eval_4n[3]); // Compute 4n evaluations of the wire polynomials - let mut wl_eval_4n = domain_4n.coset_fft(w_l_poly); - wl_eval_4n.push(wl_eval_4n[0]); - wl_eval_4n.push(wl_eval_4n[1]); - wl_eval_4n.push(wl_eval_4n[2]); - wl_eval_4n.push(wl_eval_4n[3]); - let mut wr_eval_4n = domain_4n.coset_fft(w_r_poly); - wr_eval_4n.push(wr_eval_4n[0]); - wr_eval_4n.push(wr_eval_4n[1]); - wr_eval_4n.push(wr_eval_4n[2]); - wr_eval_4n.push(wr_eval_4n[3]); - let wo_eval_4n = domain_4n.coset_fft(w_o_poly); + let mut a_w_eval_4n = domain_4n.coset_fft(a_w_poly); + a_w_eval_4n.push(a_w_eval_4n[0]); + a_w_eval_4n.push(a_w_eval_4n[1]); + a_w_eval_4n.push(a_w_eval_4n[2]); + a_w_eval_4n.push(a_w_eval_4n[3]); + let mut b_w_eval_4n = domain_4n.coset_fft(b_w_poly); + b_w_eval_4n.push(b_w_eval_4n[0]); + b_w_eval_4n.push(b_w_eval_4n[1]); + b_w_eval_4n.push(b_w_eval_4n[2]); + b_w_eval_4n.push(b_w_eval_4n[3]); + let c_w_eval_4n = domain_4n.coset_fft(c_w_poly); - let mut w4_eval_4n = domain_4n.coset_fft(w_4_poly); - w4_eval_4n.push(w4_eval_4n[0]); - w4_eval_4n.push(w4_eval_4n[1]); - w4_eval_4n.push(w4_eval_4n[2]); - w4_eval_4n.push(w4_eval_4n[3]); + let mut d_w_eval_4n = domain_4n.coset_fft(d_w_poly); + d_w_eval_4n.push(d_w_eval_4n[0]); + d_w_eval_4n.push(d_w_eval_4n[1]); + d_w_eval_4n.push(d_w_eval_4n[2]); + d_w_eval_4n.push(d_w_eval_4n[3]); let t_1 = compute_circuit_satisfiability_equation( domain, @@ -126,7 +126,7 @@ pub(crate) fn compute( lookup_challenge, ), prover_key, - (&wl_eval_4n, &wr_eval_4n, &wo_eval_4n, &w4_eval_4n), + (&a_w_eval_4n, &b_w_eval_4n, &c_w_eval_4n, &d_w_eval_4n), public_inputs_poly, zeta, (delta, epsilon), @@ -140,7 +140,7 @@ pub(crate) fn compute( let t_2 = compute_permutation_checks( domain, prover_key, - (&wl_eval_4n, &wr_eval_4n, &wo_eval_4n, &w4_eval_4n), + (&a_w_eval_4n, &b_w_eval_4n, &c_w_eval_4n, &d_w_eval_4n), &z_eval_4n, (alpha, beta, gamma), ); @@ -176,7 +176,7 @@ fn compute_circuit_satisfiability_equation( lookup_challenge, ): (&BlsScalar, &BlsScalar, &BlsScalar, &BlsScalar, &BlsScalar), prover_key: &ProverKey, - (wl_eval_4n, wr_eval_4n, wo_eval_4n, w4_eval_4n): ( + (a_w_eval_4n, b_w_eval_4n, c_w_eval_4n, d_w_eval_4n): ( &[BlsScalar], &[BlsScalar], &[BlsScalar], @@ -207,13 +207,13 @@ fn compute_circuit_satisfiability_equation( let t: Vec<_> = range .map(|i| { - let wl = &wl_eval_4n[i]; - let wr = &wr_eval_4n[i]; - let wo = &wo_eval_4n[i]; - let w4 = &w4_eval_4n[i]; - let wl_next = &wl_eval_4n[i + 4]; - let wr_next = &wr_eval_4n[i + 4]; - let w4_next = &w4_eval_4n[i + 4]; + let a_w = &a_w_eval_4n[i]; + let b_w = &b_w_eval_4n[i]; + let c_w = &c_w_eval_4n[i]; + let d_w = &d_w_eval_4n[i]; + let a_w_next = &a_w_eval_4n[i + 4]; + let b_w_next = &b_w_eval_4n[i + 4]; + let d_w_next = &d_w_eval_4n[i + 4]; let pi = &public_eval_4n[i]; let p = &p_eval_4n[i]; let p_next = &p_eval_4n[i + 4]; @@ -225,61 +225,63 @@ fn compute_circuit_satisfiability_equation( let h1_next = &h_1_eval_4n[i + 4]; let l1i = &l1_eval_4n[i]; - let a = prover_key.arithmetic.compute_quotient_i(i, wl, wr, wo, w4); + let a = prover_key + .arithmetic + .compute_quotient_i(i, a_w, b_w, c_w, d_w); let b = prover_key.range.compute_quotient_i( i, range_challenge, - wl, - wr, - wo, - w4, - w4_next, + a_w, + b_w, + c_w, + d_w, + d_w_next, ); let c = prover_key.logic.compute_quotient_i( i, logic_challenge, - wl, - wl_next, - wr, - wr_next, - wo, - w4, - w4_next, + a_w, + a_w_next, + b_w, + b_w_next, + c_w, + d_w, + d_w_next, ); let d = prover_key.fixed_base.compute_quotient_i( i, fixed_base_challenge, - wl, - wl_next, - wr, - wr_next, - wo, - w4, - w4_next, + a_w, + a_w_next, + b_w, + b_w_next, + c_w, + d_w, + d_w_next, ); let e = prover_key.variable_base.compute_quotient_i( i, var_base_challenge, - wl, - wl_next, - wr, - wr_next, - wo, - w4, - w4_next, + a_w, + a_w_next, + b_w, + b_w_next, + c_w, + d_w, + d_w_next, ); let f = prover_key.lookup.compute_quotient_i( i, lookup_challenge, - wl, - wr, - wo, - w4, + a_w, + b_w, + c_w, + d_w, fi, p, p_next, @@ -302,7 +304,7 @@ fn compute_circuit_satisfiability_equation( fn compute_permutation_checks( domain: &EvaluationDomain, prover_key: &ProverKey, - (wl_eval_4n, wr_eval_4n, wo_eval_4n, w4_eval_4n): ( + (a_w_eval_4n, b_w_eval_4n, c_w_eval_4n, d_w_eval_4n): ( &[BlsScalar], &[BlsScalar], &[BlsScalar], @@ -326,10 +328,10 @@ fn compute_permutation_checks( .map(|i| { prover_key.permutation.compute_quotient_i( i, - &wl_eval_4n[i], - &wr_eval_4n[i], - &wo_eval_4n[i], - &w4_eval_4n[i], + &a_w_eval_4n[i], + &b_w_eval_4n[i], + &c_w_eval_4n[i], + &d_w_eval_4n[i], &z_eval_4n[i], &z_eval_4n[i + 4], alpha, diff --git a/src/proof_system/widget.rs b/src/proof_system/widget.rs index 98b4472d..2caaf91a 100644 --- a/src/proof_system/widget.rs +++ b/src/proof_system/widget.rs @@ -54,16 +54,16 @@ impl Serializable<{ 20 * Commitment::SIZE + u64::SIZE }> for VerifierKey { writer.write(&self.arithmetic.q_o.to_bytes()); writer.write(&self.arithmetic.q_4.to_bytes()); writer.write(&self.arithmetic.q_c.to_bytes()); + writer.write(&self.lookup.q_k.to_bytes()); writer.write(&self.arithmetic.q_arith.to_bytes()); writer.write(&self.logic.q_logic.to_bytes()); writer.write(&self.range.q_range.to_bytes()); writer.write(&self.fixed_base.q_fixed_group_add.to_bytes()); writer.write(&self.variable_base.q_variable_group_add.to_bytes()); - writer.write(&self.lookup.q_lookup.to_bytes()); - writer.write(&self.permutation.left_sigma.to_bytes()); - writer.write(&self.permutation.right_sigma.to_bytes()); - writer.write(&self.permutation.out_sigma.to_bytes()); - writer.write(&self.permutation.fourth_sigma.to_bytes()); + writer.write(&self.permutation.s_sigma_1.to_bytes()); + writer.write(&self.permutation.s_sigma_2.to_bytes()); + writer.write(&self.permutation.s_sigma_3.to_bytes()); + writer.write(&self.permutation.s_sigma_4.to_bytes()); writer.write(&self.lookup.table_1.to_bytes()); writer.write(&self.lookup.table_2.to_bytes()); writer.write(&self.lookup.table_3.to_bytes()); @@ -118,16 +118,16 @@ impl VerifierKey { q_o: Commitment, q_4: Commitment, q_c: Commitment, + q_k: Commitment, q_arith: Commitment, q_logic: Commitment, q_range: Commitment, q_fixed_group_add: Commitment, q_variable_group_add: Commitment, - q_lookup: Commitment, - left_sigma: Commitment, - right_sigma: Commitment, - out_sigma: Commitment, - fourth_sigma: Commitment, + s_sigma_1: Commitment, + s_sigma_2: Commitment, + s_sigma_3: Commitment, + s_sigma_4: Commitment, table_1: Commitment, table_2: Commitment, table_3: Commitment, @@ -155,7 +155,7 @@ impl VerifierKey { }; let lookup = lookup::VerifierKey { - q_lookup, + q_k, table_1, table_2, table_3, @@ -163,10 +163,10 @@ impl VerifierKey { }; let permutation = permutation::VerifierKey { - left_sigma, - right_sigma, - out_sigma, - fourth_sigma, + s_sigma_1, + s_sigma_2, + s_sigma_3, + s_sigma_4, }; VerifierKey { @@ -191,6 +191,7 @@ pub(crate) mod alloc { fft::{EvaluationDomain, Evaluations, Polynomial}, transcript::TranscriptProtocol, }; + #[rustfmt::skip] use ::alloc::vec::Vec; use dusk_bls12_381::BlsScalar; use merlin::Transcript; @@ -217,17 +218,13 @@ pub(crate) mod alloc { ); transcript - .append_commitment(b"left_sigma", &self.permutation.left_sigma); - transcript.append_commitment( - b"right_sigma", - &self.permutation.right_sigma, - ); + .append_commitment(b"s_sigma_1", &self.permutation.s_sigma_1); transcript - .append_commitment(b"out_sigma", &self.permutation.out_sigma); - transcript.append_commitment( - b"fourth_sigma", - &self.permutation.fourth_sigma, - ); + .append_commitment(b"s_sigma_2", &self.permutation.s_sigma_2); + transcript + .append_commitment(b"s_sigma_3", &self.permutation.s_sigma_3); + transcript + .append_commitment(b"s_sigma_4", &self.permutation.s_sigma_1); // Append circuit size to transcript transcript.circuit_domain_sep(self.n as u64); @@ -281,7 +278,7 @@ pub(crate) mod alloc { 21 } - /// Serialises a [`ProverKey`] struct into a Vec of bytes. + /// Serializes a [`ProverKey`] struct into a Vec of bytes. #[allow(unused_must_use)] pub fn to_var_bytes(&self) -> Vec { use dusk_bytes::Write; @@ -373,9 +370,9 @@ pub(crate) mod alloc { ); // Lookup - writer.write(&(self.lookup.q_lookup.0.len() as u64).to_bytes()); - writer.write(&self.lookup.q_lookup.0.to_var_bytes()); - writer.write(&self.lookup.q_lookup.1.to_var_bytes()); + writer.write(&(self.lookup.q_k.0.len() as u64).to_bytes()); + writer.write(&self.lookup.q_k.0.to_var_bytes()); + writer.write(&self.lookup.q_k.1.to_var_bytes()); writer.write(&(self.lookup.table_1.0.len() as u64).to_bytes()); writer.write(&(self.lookup.table_1.0).to_var_bytes()); @@ -402,28 +399,25 @@ pub(crate) mod alloc { writer.write(&(self.lookup.table_4.2).to_var_bytes()); // Permutation - writer.write( - &(self.permutation.left_sigma.0.len() as u64).to_bytes(), - ); - writer.write(&self.permutation.left_sigma.0.to_var_bytes()); - writer.write(&self.permutation.left_sigma.1.to_var_bytes()); + writer + .write(&(self.permutation.s_sigma_1.0.len() as u64).to_bytes()); + writer.write(&self.permutation.s_sigma_1.0.to_var_bytes()); + writer.write(&self.permutation.s_sigma_1.1.to_var_bytes()); - writer.write( - &(self.permutation.right_sigma.0.len() as u64).to_bytes(), - ); - writer.write(&self.permutation.right_sigma.0.to_var_bytes()); - writer.write(&self.permutation.right_sigma.1.to_var_bytes()); + writer + .write(&(self.permutation.s_sigma_2.0.len() as u64).to_bytes()); + writer.write(&self.permutation.s_sigma_2.0.to_var_bytes()); + writer.write(&self.permutation.s_sigma_2.1.to_var_bytes()); writer - .write(&(self.permutation.out_sigma.0.len() as u64).to_bytes()); - writer.write(&self.permutation.out_sigma.0.to_var_bytes()); - writer.write(&self.permutation.out_sigma.1.to_var_bytes()); + .write(&(self.permutation.s_sigma_3.0.len() as u64).to_bytes()); + writer.write(&self.permutation.s_sigma_3.0.to_var_bytes()); + writer.write(&self.permutation.s_sigma_3.1.to_var_bytes()); - writer.write( - &(self.permutation.fourth_sigma.0.len() as u64).to_bytes(), - ); - writer.write(&self.permutation.fourth_sigma.0.to_var_bytes()); - writer.write(&self.permutation.fourth_sigma.1.to_var_bytes()); + writer + .write(&(self.permutation.s_sigma_4.0.len() as u64).to_bytes()); + writer.write(&self.permutation.s_sigma_4.0.to_var_bytes()); + writer.write(&self.permutation.s_sigma_4.1.to_var_bytes()); writer.write(&self.permutation.linear_evaluations.to_var_bytes()); @@ -432,7 +426,7 @@ pub(crate) mod alloc { bytes } - /// Deserialises a slice of bytes into a [`ProverKey`]. + /// Deserializes a slice of bytes into a [`ProverKey`]. pub fn from_slice(bytes: &[u8]) -> Result { let mut buffer = bytes; let n = u64::from_reader(&mut buffer)? as usize; @@ -529,9 +523,9 @@ pub(crate) mod alloc { let q_variable_group_add = (q_variable_group_add_poly, q_variable_group_add_evals); - let q_lookup_poly = poly_from_reader(&mut buffer)?; - let q_lookup_evals = evals_from_reader(&mut buffer)?; - let q_lookup = (q_lookup_poly, q_lookup_evals); + let q_k_poly = poly_from_reader(&mut buffer)?; + let q_k_evals = evals_from_reader(&mut buffer)?; + let q_k = (q_k_poly, q_k_evals); let table_1_multiset = multiset_from_reader(&mut buffer)?; let table_1_poly = poly_from_reader(&mut buffer)?; @@ -553,21 +547,21 @@ pub(crate) mod alloc { let table_4_evals = evals_from_reader(&mut buffer)?; let table_4 = (table_4_multiset, table_4_poly, table_4_evals); - let left_sigma_poly = poly_from_reader(&mut buffer)?; - let left_sigma_evals = evals_from_reader(&mut buffer)?; - let left_sigma = (left_sigma_poly, left_sigma_evals); + let s_sigma_1_poly = poly_from_reader(&mut buffer)?; + let s_sigma_1_evals = evals_from_reader(&mut buffer)?; + let s_sigma_1 = (s_sigma_1_poly, s_sigma_1_evals); - let right_sigma_poly = poly_from_reader(&mut buffer)?; - let right_sigma_evals = evals_from_reader(&mut buffer)?; - let right_sigma = (right_sigma_poly, right_sigma_evals); + let s_sigma_2_poly = poly_from_reader(&mut buffer)?; + let s_sigma_2_evals = evals_from_reader(&mut buffer)?; + let s_sigma_2 = (s_sigma_2_poly, s_sigma_2_evals); - let out_sigma_poly = poly_from_reader(&mut buffer)?; - let out_sigma_evals = evals_from_reader(&mut buffer)?; - let out_sigma = (out_sigma_poly, out_sigma_evals); + let s_sigma_3_poly = poly_from_reader(&mut buffer)?; + let s_sigma_3_evals = evals_from_reader(&mut buffer)?; + let s_sigma_3 = (s_sigma_3_poly, s_sigma_3_evals); - let fourth_sigma_poly = poly_from_reader(&mut buffer)?; - let fourth_sigma_evals = evals_from_reader(&mut buffer)?; - let fourth_sigma = (fourth_sigma_poly, fourth_sigma_evals); + let s_sigma_4_poly = poly_from_reader(&mut buffer)?; + let s_sigma_4_evals = evals_from_reader(&mut buffer)?; + let s_sigma_4 = (s_sigma_4_poly, s_sigma_4_evals); let perm_linear_evaluations = evals_from_reader(&mut buffer)?; @@ -598,10 +592,10 @@ pub(crate) mod alloc { }; let permutation = permutation::ProverKey { - left_sigma, - right_sigma, - out_sigma, - fourth_sigma, + s_sigma_1, + s_sigma_2, + s_sigma_3, + s_sigma_4, linear_evaluations: perm_linear_evaluations, }; @@ -610,7 +604,7 @@ pub(crate) mod alloc { }; let lookup = lookup::ProverKey { - q_lookup, + q_k, table_1, table_2, table_3, @@ -645,6 +639,7 @@ mod test { use super::*; use crate::fft::{EvaluationDomain, Evaluations, Polynomial}; use crate::plonkup::MultiSet; + #[rustfmt::skip] use ::alloc::vec::Vec; use dusk_bls12_381::BlsScalar; use rand_core::OsRng; @@ -671,7 +666,7 @@ mod test { } #[test] - fn test_serialise_deserialise_prover_key() { + fn test_serialize_deserialize_prover_key() { let n = 1 << 11; let q_m = rand_poly_eval(n); @@ -686,16 +681,16 @@ mod test { let q_range = rand_poly_eval(n); - let q_lookup = rand_poly_eval(n); + let q_k = rand_poly_eval(n); let q_fixed_group_add = rand_poly_eval(n); let q_variable_group_add = rand_poly_eval(n); - let left_sigma = rand_poly_eval(n); - let right_sigma = rand_poly_eval(n); - let out_sigma = rand_poly_eval(n); - let fourth_sigma = rand_poly_eval(n); + let s_sigma_1 = rand_poly_eval(n); + let s_sigma_2 = rand_poly_eval(n); + let s_sigma_3 = rand_poly_eval(n); + let s_sigma_4 = rand_poly_eval(n); let linear_evaluations = rand_evaluations(n); let table_1 = rand_multiset(n); @@ -723,7 +718,7 @@ mod test { let range = range::ProverKey { q_range }; let lookup = lookup::ProverKey { - q_lookup, + q_k, table_1, table_2, table_3, @@ -738,10 +733,10 @@ mod test { }; let permutation = permutation::ProverKey { - left_sigma, - right_sigma, - out_sigma, - fourth_sigma, + s_sigma_1, + s_sigma_2, + s_sigma_3, + s_sigma_4, linear_evaluations, }; @@ -769,7 +764,7 @@ mod test { } #[test] - fn test_serialise_deserialise_verifier_key() { + fn test_serialize_deserialize_verifier_key() { use crate::commitment_scheme::Commitment; use dusk_bls12_381::G1Affine; @@ -789,12 +784,12 @@ mod test { let q_variable_group_add = Commitment(G1Affine::generator()); let q_logic = Commitment(G1Affine::generator()); - let q_lookup = Commitment(G1Affine::generator()); + let q_k = Commitment(G1Affine::generator()); - let left_sigma = Commitment(G1Affine::generator()); - let right_sigma = Commitment(G1Affine::generator()); - let out_sigma = Commitment(G1Affine::generator()); - let fourth_sigma = Commitment(G1Affine::generator()); + let s_sigma_1 = Commitment(G1Affine::generator()); + let s_sigma_2 = Commitment(G1Affine::generator()); + let s_sigma_3 = Commitment(G1Affine::generator()); + let s_sigma_4 = Commitment(G1Affine::generator()); let table_1 = Commitment(G1Affine::generator()); let table_2 = Commitment(G1Affine::generator()); @@ -816,7 +811,7 @@ mod test { let range = range::VerifierKey { q_range }; let lookup = lookup::VerifierKey { - q_lookup, + q_k, table_1, table_2, table_3, @@ -833,10 +828,10 @@ mod test { }; let permutation = permutation::VerifierKey { - left_sigma, - right_sigma, - out_sigma, - fourth_sigma, + s_sigma_1, + s_sigma_2, + s_sigma_3, + s_sigma_4, }; let verifier_key = VerifierKey { diff --git a/src/proof_system/widget/arithmetic/proverkey.rs b/src/proof_system/widget/arithmetic/proverkey.rs index aa55cf09..6b7cd207 100644 --- a/src/proof_system/widget/arithmetic/proverkey.rs +++ b/src/proof_system/widget/arithmetic/proverkey.rs @@ -22,10 +22,10 @@ impl ProverKey { pub(crate) fn compute_quotient_i( &self, index: usize, - w_l_i: &BlsScalar, - w_r_i: &BlsScalar, - w_o_i: &BlsScalar, - w_4_i: &BlsScalar, + a_w_i: &BlsScalar, + b_w_i: &BlsScalar, + c_w_i: &BlsScalar, + d_w_i: &BlsScalar, ) -> BlsScalar { let q_m_i = &self.q_m.1[index]; let q_l_i = &self.q_l.1[index]; @@ -38,16 +38,16 @@ impl ProverKey { // (a(x)b(x)q_M(x) + a(x)q_L(x) + b(X)q_R(x) + c(X)q_O(X) + d(x)q_4(X) + // Q_C(X)) * Q_Arith(X) // - let a_1 = w_l_i * w_r_i * q_m_i; - let a_2 = w_l_i * q_l_i; - let a_3 = w_r_i * q_r_i; - let a_4 = w_o_i * q_o_i; - let a_5 = w_4_i * q_4_i; + let a_1 = a_w_i * b_w_i * q_m_i; + let a_2 = a_w_i * q_l_i; + let a_3 = b_w_i * q_r_i; + let a_4 = c_w_i * q_o_i; + let a_5 = d_w_i * q_4_i; let a_6 = q_c_i; (a_1 + a_2 + a_3 + a_4 + a_5 + a_6) * q_arith_i } - pub(crate) fn compute_linearisation( + pub(crate) fn compute_linearization( &self, a_eval: &BlsScalar, b_eval: &BlsScalar, diff --git a/src/proof_system/widget/arithmetic/verifierkey.rs b/src/proof_system/widget/arithmetic/verifierkey.rs index d2e93098..6e46ff0e 100644 --- a/src/proof_system/widget/arithmetic/verifierkey.rs +++ b/src/proof_system/widget/arithmetic/verifierkey.rs @@ -62,12 +62,13 @@ impl Serializable<{ 7 * Commitment::SIZE }> for VerifierKey { #[cfg(feature = "alloc")] mod alloc { use super::*; - use crate::proof_system::linearisation_poly::ProofEvaluations; + use crate::proof_system::linearization_poly::ProofEvaluations; + #[rustfmt::skip] use ::alloc::vec::Vec; use dusk_bls12_381::{BlsScalar, G1Affine}; impl VerifierKey { - pub(crate) fn compute_linearisation_commitment( + pub(crate) fn compute_linearization_commitment( &self, scalars: &mut Vec, points: &mut Vec, diff --git a/src/proof_system/widget/ecc/curve_addition/proverkey.rs b/src/proof_system/widget/ecc/curve_addition/proverkey.rs index a4ca1249..3875645a 100644 --- a/src/proof_system/widget/ecc/curve_addition/proverkey.rs +++ b/src/proof_system/widget/ecc/curve_addition/proverkey.rs @@ -18,25 +18,25 @@ impl ProverKey { &self, index: usize, curve_add_separation_challenge: &BlsScalar, - w_l_i: &BlsScalar, // x_1 - w_l_i_next: &BlsScalar, // x_3 - w_r_i: &BlsScalar, // y_1 - w_r_i_next: &BlsScalar, // y_3 - w_o_i: &BlsScalar, // x_2 - w_4_i: &BlsScalar, // y_2 - w_4_i_next: &BlsScalar, // x_1 * y_2 + a_w_i: &BlsScalar, // x_1 + a_w_i_next: &BlsScalar, // x_3 + b_w_i: &BlsScalar, // y_1 + b_w_i_next: &BlsScalar, // y_3 + c_w_i: &BlsScalar, // x_2 + d_w_i: &BlsScalar, // y_2 + d_w_i_next: &BlsScalar, // x_1 * y_2 ) -> BlsScalar { let q_variable_group_add_i = &self.q_variable_group_add.1[index]; let kappa = curve_add_separation_challenge.square(); - let x_1 = w_l_i; - let x_3 = w_l_i_next; - let y_1 = w_r_i; - let y_3 = w_r_i_next; - let x_2 = w_o_i; - let y_2 = w_4_i; - let x1_y2 = w_4_i_next; + let x_1 = a_w_i; + let x_3 = a_w_i_next; + let y_1 = b_w_i; + let y_3 = b_w_i_next; + let x_2 = c_w_i; + let y_2 = d_w_i; + let x1_y2 = d_w_i_next; // Checks // @@ -62,7 +62,7 @@ impl ProverKey { identity * q_variable_group_add_i * curve_add_separation_challenge } - pub(crate) fn compute_linearisation( + pub(crate) fn compute_linearization( &self, curve_add_separation_challenge: &BlsScalar, a_eval: &BlsScalar, diff --git a/src/proof_system/widget/ecc/curve_addition/verifierkey.rs b/src/proof_system/widget/ecc/curve_addition/verifierkey.rs index 0e69b810..17f2c669 100644 --- a/src/proof_system/widget/ecc/curve_addition/verifierkey.rs +++ b/src/proof_system/widget/ecc/curve_addition/verifierkey.rs @@ -14,13 +14,14 @@ pub(crate) struct VerifierKey { #[cfg(feature = "alloc")] mod alloc { use super::*; - use crate::proof_system::linearisation_poly::ProofEvaluations; + use crate::proof_system::linearization_poly::ProofEvaluations; + #[rustfmt::skip] use ::alloc::vec::Vec; use dusk_bls12_381::{BlsScalar, G1Affine}; use dusk_jubjub::EDWARDS_D; impl VerifierKey { - pub(crate) fn compute_linearisation_commitment( + pub(crate) fn compute_linearization_commitment( &self, curve_add_separation_challenge: &BlsScalar, scalars: &mut Vec, diff --git a/src/proof_system/widget/ecc/scalar_mul/fixed_base/proverkey.rs b/src/proof_system/widget/ecc/scalar_mul/fixed_base/proverkey.rs index b8de23c8..60f2b096 100644 --- a/src/proof_system/widget/ecc/scalar_mul/fixed_base/proverkey.rs +++ b/src/proof_system/widget/ecc/scalar_mul/fixed_base/proverkey.rs @@ -21,13 +21,13 @@ impl ProverKey { &self, index: usize, ecc_separation_challenge: &BlsScalar, - w_l_i: &BlsScalar, // acc_x or curr_x - w_l_i_next: &BlsScalar, // // next_x - w_r_i: &BlsScalar, // acc_y or curr_y - w_r_i_next: &BlsScalar, // next_y - w_o_i: &BlsScalar, // xy_alpha - w_4_i: &BlsScalar, // accumulated_bit - w_4_i_next: &BlsScalar, // accumulated_bit_next + a_w_i: &BlsScalar, // acc_x or curr_x + a_w_i_next: &BlsScalar, // // next_x + b_w_i: &BlsScalar, // acc_y or curr_y + b_w_i_next: &BlsScalar, // next_y + c_w_i: &BlsScalar, // xy_alpha + d_w_i: &BlsScalar, // accumulated_bit + d_w_i_next: &BlsScalar, // accumulated_bit_next ) -> BlsScalar { let q_fixed_group_add_i = &self.q_fixed_group_add.1[index]; let q_c_i = &self.q_c.1[index]; @@ -39,15 +39,15 @@ impl ProverKey { let x_beta = &self.q_l.1[index]; let y_beta = &self.q_r.1[index]; - let acc_x = w_l_i; - let acc_x_next = w_l_i_next; - let acc_y = w_r_i; - let acc_y_next = w_r_i_next; + let acc_x = a_w_i; + let acc_x_next = a_w_i_next; + let acc_y = b_w_i; + let acc_y_next = b_w_i_next; - let xy_alpha = w_o_i; + let xy_alpha = c_w_i; - let accumulated_bit = w_4_i; - let accumulated_bit_next = w_4_i_next; + let accumulated_bit = d_w_i; + let accumulated_bit_next = d_w_i_next; let bit = extract_bit(accumulated_bit, accumulated_bit_next); // Checks @@ -83,7 +83,7 @@ impl ProverKey { identity * q_fixed_group_add_i * ecc_separation_challenge } - pub(crate) fn compute_linearisation( + pub(crate) fn compute_linearization( &self, ecc_separation_challenge: &BlsScalar, a_eval: &BlsScalar, diff --git a/src/proof_system/widget/ecc/scalar_mul/fixed_base/verifierkey.rs b/src/proof_system/widget/ecc/scalar_mul/fixed_base/verifierkey.rs index 766afbda..76776a5d 100644 --- a/src/proof_system/widget/ecc/scalar_mul/fixed_base/verifierkey.rs +++ b/src/proof_system/widget/ecc/scalar_mul/fixed_base/verifierkey.rs @@ -16,16 +16,17 @@ pub(crate) struct VerifierKey { #[cfg(feature = "alloc")] mod alloc { use super::*; - use crate::proof_system::linearisation_poly::ProofEvaluations; + use crate::proof_system::linearization_poly::ProofEvaluations; use crate::proof_system::widget::ecc::scalar_mul::fixed_base::proverkey::{ check_bit_consistency, extract_bit, }; + #[rustfmt::skip] use ::alloc::vec::Vec; use dusk_bls12_381::{BlsScalar, G1Affine}; use dusk_jubjub::EDWARDS_D; impl VerifierKey { - pub(crate) fn compute_linearisation_commitment( + pub(crate) fn compute_linearization_commitment( &self, ecc_separation_challenge: &BlsScalar, scalars: &mut Vec, diff --git a/src/proof_system/widget/logic/proverkey.rs b/src/proof_system/widget/logic/proverkey.rs index 1597a48f..3b9d3dfe 100644 --- a/src/proof_system/widget/logic/proverkey.rs +++ b/src/proof_system/widget/logic/proverkey.rs @@ -19,13 +19,13 @@ impl ProverKey { &self, index: usize, logic_separation_challenge: &BlsScalar, - w_l_i: &BlsScalar, - w_l_i_next: &BlsScalar, - w_r_i: &BlsScalar, - w_r_i_next: &BlsScalar, - w_o_i: &BlsScalar, - w_4_i: &BlsScalar, - w_4_i_next: &BlsScalar, + a_w_i: &BlsScalar, + a_w_i_next: &BlsScalar, + b_w_i: &BlsScalar, + b_w_i_next: &BlsScalar, + c_w_i: &BlsScalar, + d_w_i: &BlsScalar, + d_w_i_next: &BlsScalar, ) -> BlsScalar { let four = BlsScalar::from(4); @@ -37,16 +37,16 @@ impl ProverKey { let kappa_cu = kappa_sq * kappa; let kappa_qu = kappa_cu * kappa; - let a = w_l_i_next - four * w_l_i; + let a = a_w_i_next - four * a_w_i; let c_0 = delta(a); - let b = w_r_i_next - four * w_r_i; + let b = b_w_i_next - four * b_w_i; let c_1 = delta(b) * kappa; - let d = w_4_i_next - four * w_4_i; + let d = d_w_i_next - four * d_w_i; let c_2 = delta(d) * kappa_sq; - let w = w_o_i; + let w = c_w_i; let c_3 = (w - a * b) * kappa_cu; let c_4 = delta_xor_and(&a, &b, w, &d, q_c_i) * kappa_qu; @@ -54,7 +54,7 @@ impl ProverKey { q_logic_i * (c_3 + c_0 + c_1 + c_2 + c_4) * logic_separation_challenge } - pub(crate) fn compute_linearisation( + pub(crate) fn compute_linearization( &self, logic_separation_challenge: &BlsScalar, a_eval: &BlsScalar, diff --git a/src/proof_system/widget/logic/verifierkey.rs b/src/proof_system/widget/logic/verifierkey.rs index 979180e2..efe2b7ca 100644 --- a/src/proof_system/widget/logic/verifierkey.rs +++ b/src/proof_system/widget/logic/verifierkey.rs @@ -15,13 +15,14 @@ pub(crate) struct VerifierKey { #[cfg(feature = "alloc")] mod alloc { use super::*; - use crate::proof_system::linearisation_poly::ProofEvaluations; + use crate::proof_system::linearization_poly::ProofEvaluations; use crate::proof_system::widget::logic::proverkey::{delta, delta_xor_and}; + #[rustfmt::skip] use ::alloc::vec::Vec; use dusk_bls12_381::{BlsScalar, G1Affine}; impl VerifierKey { - pub(crate) fn compute_linearisation_commitment( + pub(crate) fn compute_linearization_commitment( &self, logic_separation_challenge: &BlsScalar, scalars: &mut Vec, diff --git a/src/proof_system/widget/lookup.rs b/src/proof_system/widget/lookup.rs index f67813ab..155bdd70 100644 --- a/src/proof_system/widget/lookup.rs +++ b/src/proof_system/widget/lookup.rs @@ -19,22 +19,22 @@ use dusk_bls12_381::BlsScalar; #[cfg(feature = "alloc")] fn compress( - w_l: BlsScalar, - w_r: BlsScalar, - w_o: BlsScalar, - w_4: BlsScalar, + a_w: BlsScalar, + b_w: BlsScalar, + c_w: BlsScalar, + d_w: BlsScalar, zeta: BlsScalar, ) -> BlsScalar { let zeta_sq = zeta.square(); let zeta_cu = zeta_sq * zeta; - let a = w_l; + let a = a_w; - let b = w_r * zeta; + let b = b_w * zeta; - let c = w_o * zeta_sq; + let c = c_w * zeta_sq; - let d = w_4 * zeta_cu; + let d = d_w * zeta_cu; a + b + c + d } diff --git a/src/proof_system/widget/lookup/proverkey.rs b/src/proof_system/widget/lookup/proverkey.rs index 6c6d849c..9a777bab 100644 --- a/src/proof_system/widget/lookup/proverkey.rs +++ b/src/proof_system/widget/lookup/proverkey.rs @@ -12,7 +12,7 @@ use dusk_bls12_381::BlsScalar; #[derive(Debug, Eq, PartialEq, Clone)] pub struct ProverKey { - pub(crate) q_lookup: (Polynomial, Evaluations), + pub(crate) q_k: (Polynomial, Evaluations), pub(crate) table_1: (MultiSet, Polynomial, Evaluations), pub(crate) table_2: (MultiSet, Polynomial, Evaluations), pub(crate) table_3: (MultiSet, Polynomial, Evaluations), @@ -25,10 +25,10 @@ impl ProverKey { &self, index: usize, lookup_separation_challenge: &BlsScalar, - w_l_i: &BlsScalar, - w_r_i: &BlsScalar, - w_o_i: &BlsScalar, - w_4_i: &BlsScalar, + a_w_i: &BlsScalar, + b_w_i: &BlsScalar, + c_w_i: &BlsScalar, + d_w_i: &BlsScalar, f_i: &BlsScalar, p_i: &BlsScalar, p_i_next: &BlsScalar, @@ -47,14 +47,14 @@ impl ProverKey { let one_plus_delta = delta + BlsScalar::one(); let epsilon_one_plus_delta = epsilon * one_plus_delta; - // q_lookup(X) * (a(X) + zeta * b(X) + (zeta^2 * c(X)) + (zeta^3 * d(X) + // q_k(X) * (a(X) + zeta * b(X) + (zeta^2 * c(X)) + (zeta^3 * d(X) // - f(X))) * α_1 let a = { - let q_lookup_i = self.q_lookup.1[index]; + let q_k_i = self.q_k.1[index]; let compressed_tuple = - compress(*w_l_i, *w_r_i, *w_o_i, *w_4_i, *zeta); + compress(*a_w_i, *b_w_i, *c_w_i, *d_w_i, *zeta); - q_lookup_i * (compressed_tuple - f_i) * lookup_separation_challenge + q_k_i * (compressed_tuple - f_i) * lookup_separation_challenge }; // L0(X) * (p(X) − 1) * α_1^2 @@ -80,8 +80,8 @@ impl ProverKey { a + b + c + d } - /// Compute linearisation for lookup gates - pub(crate) fn compute_linearisation( + /// Compute linearization for lookup gates + pub(crate) fn compute_linearization( &self, a_eval: &BlsScalar, b_eval: &BlsScalar, @@ -108,12 +108,12 @@ impl ProverKey { let epsilon_one_plus_delta = epsilon * one_plus_delta; // - // - q_lookup(X) * f_eval * lookup_separation_challenge + // - q_k(X) * f_eval * lookup_separation_challenge let a = { let a_0 = a_eval + zeta * b_eval + zeta_sq * c_eval + zeta_cu * d_eval; - &self.q_lookup.0 * &((a_0 - f_eval) * lookup_separation_challenge) + &self.q_k.0 * &((a_0 - f_eval) * lookup_separation_challenge) }; // p(X) * L0(z) * α_1^2 diff --git a/src/proof_system/widget/lookup/verifierkey.rs b/src/proof_system/widget/lookup/verifierkey.rs index 69102fb6..418e49ca 100644 --- a/src/proof_system/widget/lookup/verifierkey.rs +++ b/src/proof_system/widget/lookup/verifierkey.rs @@ -8,7 +8,7 @@ use crate::commitment_scheme::Commitment; #[derive(Debug, PartialEq, Eq, Copy, Clone)] pub struct VerifierKey { - pub(crate) q_lookup: Commitment, + pub(crate) q_k: Commitment, pub(crate) table_1: Commitment, pub(crate) table_2: Commitment, pub(crate) table_3: Commitment, @@ -18,12 +18,12 @@ pub struct VerifierKey { #[cfg(feature = "alloc")] mod alloc { use super::VerifierKey; - use crate::proof_system::linearisation_poly::ProofEvaluations; + use crate::proof_system::linearization_poly::ProofEvaluations; use alloc::vec::Vec; use dusk_bls12_381::{BlsScalar, G1Affine}; impl VerifierKey { - pub(crate) fn compute_linearisation_commitment( + pub(crate) fn compute_linearization_commitment( &self, lookup_separation_challenge: &BlsScalar, scalars: &mut Vec, @@ -43,7 +43,7 @@ mod alloc { let zeta_cu = zeta * zeta_sq; // (a_eval + zeta*b_eval + zeta^2*c_eval + zeta^3d_eval - f_eval) * - // q_lookup * alpha_1 + // q_k * alpha_1 let a = { let a_0 = evaluations.a_eval + zeta * evaluations.b_eval @@ -55,7 +55,7 @@ mod alloc { }; scalars.push(a); - points.push(self.q_lookup.0); + points.push(self.q_k.0); // // - (p_next_eval*(epsilon*(1 + delta) + h_1_eval + diff --git a/src/proof_system/widget/permutation/proverkey.rs b/src/proof_system/widget/permutation/proverkey.rs index 7f635f6a..a179a8c8 100644 --- a/src/proof_system/widget/permutation/proverkey.rs +++ b/src/proof_system/widget/permutation/proverkey.rs @@ -10,10 +10,10 @@ use dusk_bls12_381::BlsScalar; #[derive(Debug, Eq, PartialEq, Clone)] pub(crate) struct ProverKey { - pub(crate) left_sigma: (Polynomial, Evaluations), - pub(crate) right_sigma: (Polynomial, Evaluations), - pub(crate) out_sigma: (Polynomial, Evaluations), - pub(crate) fourth_sigma: (Polynomial, Evaluations), + pub(crate) s_sigma_1: (Polynomial, Evaluations), + pub(crate) s_sigma_2: (Polynomial, Evaluations), + pub(crate) s_sigma_3: (Polynomial, Evaluations), + pub(crate) s_sigma_4: (Polynomial, Evaluations), pub(crate) linear_evaluations: Evaluations, /* Evaluations of f(x) = X * [XXX: Remove this and @@ -27,10 +27,10 @@ impl ProverKey { pub(crate) fn compute_quotient_i( &self, index: usize, - w_l_i: &BlsScalar, - w_r_i: &BlsScalar, - w_o_i: &BlsScalar, - w_4_i: &BlsScalar, + a_w_i: &BlsScalar, + b_w_i: &BlsScalar, + c_w_i: &BlsScalar, + d_w_i: &BlsScalar, z_i: &BlsScalar, z_i_next: &BlsScalar, alpha: &BlsScalar, @@ -39,10 +39,10 @@ impl ProverKey { gamma: &BlsScalar, ) -> BlsScalar { let a = self.compute_quotient_identity_range_check_i( - index, w_l_i, w_r_i, w_o_i, w_4_i, z_i, alpha, beta, gamma, + index, a_w_i, b_w_i, c_w_i, d_w_i, z_i, alpha, beta, gamma, ); let b = self.compute_quotient_copy_range_check_i( - index, w_l_i, w_r_i, w_o_i, w_4_i, z_i_next, alpha, beta, gamma, + index, a_w_i, b_w_i, c_w_i, d_w_i, z_i_next, alpha, beta, gamma, ); let c = self.compute_quotient_term_check_one_i(z_i, l1_alpha_sq); a + b + c @@ -52,10 +52,10 @@ impl ProverKey { fn compute_quotient_identity_range_check_i( &self, index: usize, - w_l_i: &BlsScalar, - w_r_i: &BlsScalar, - w_o_i: &BlsScalar, - w_4_i: &BlsScalar, + a_w_i: &BlsScalar, + b_w_i: &BlsScalar, + c_w_i: &BlsScalar, + d_w_i: &BlsScalar, z_i: &BlsScalar, alpha: &BlsScalar, beta: &BlsScalar, @@ -63,10 +63,10 @@ impl ProverKey { ) -> BlsScalar { let x = self.linear_evaluations[index]; - (w_l_i + (beta * x) + gamma) - * (w_r_i + (beta * K1 * x) + gamma) - * (w_o_i + (beta * K2 * x) + gamma) - * (w_4_i + (beta * K3 * x) + gamma) + (a_w_i + (beta * x) + gamma) + * (b_w_i + (beta * K1 * x) + gamma) + * (c_w_i + (beta * K2 * x) + gamma) + * (d_w_i + (beta * K3 * x) + gamma) * z_i * alpha } @@ -76,24 +76,24 @@ impl ProverKey { fn compute_quotient_copy_range_check_i( &self, index: usize, - w_l_i: &BlsScalar, - w_r_i: &BlsScalar, - w_o_i: &BlsScalar, - w_4_i: &BlsScalar, + a_w_i: &BlsScalar, + b_w_i: &BlsScalar, + c_w_i: &BlsScalar, + d_w_i: &BlsScalar, z_i_next: &BlsScalar, alpha: &BlsScalar, beta: &BlsScalar, gamma: &BlsScalar, ) -> BlsScalar { - let left_sigma_eval = self.left_sigma.1[index]; - let right_sigma_eval = self.right_sigma.1[index]; - let out_sigma_eval = self.out_sigma.1[index]; - let fourth_sigma_eval = self.fourth_sigma.1[index]; - - let product = (w_l_i + (beta * left_sigma_eval) + gamma) - * (w_r_i + (beta * right_sigma_eval) + gamma) - * (w_o_i + (beta * out_sigma_eval) + gamma) - * (w_4_i + (beta * fourth_sigma_eval) + gamma) + let s_sigma_1_eval = self.s_sigma_1.1[index]; + let s_sigma_2_eval = self.s_sigma_2.1[index]; + let s_sigma_3_eval = self.s_sigma_3.1[index]; + let s_sigma_4_eval = self.s_sigma_4.1[index]; + + let product = (a_w_i + (beta * s_sigma_1_eval) + gamma) + * (b_w_i + (beta * s_sigma_2_eval) + gamma) + * (c_w_i + (beta * s_sigma_3_eval) + gamma) + * (d_w_i + (beta * s_sigma_4_eval) + gamma) * z_i_next * alpha; @@ -108,7 +108,7 @@ impl ProverKey { (z_i - BlsScalar::one()) * l1_alpha_sq } - pub(crate) fn compute_linearisation( + pub(crate) fn compute_linearization( &self, z_challenge: &BlsScalar, (alpha, beta, gamma): (&BlsScalar, &BlsScalar, &BlsScalar), @@ -126,24 +126,24 @@ impl ProverKey { z_eval: &BlsScalar, z_poly: &Polynomial, ) -> Polynomial { - let a = self.compute_lineariser_identity_range_check( + let a = self.compute_linearizer_identity_range_check( (a_eval, b_eval, c_eval, d_eval), z_challenge, (alpha, beta, gamma), z_poly, ); - let b = self.compute_lineariser_copy_range_check( + let b = self.compute_linearizer_copy_range_check( (a_eval, b_eval, c_eval), z_eval, sigma_1_eval, sigma_2_eval, sigma_3_eval, (alpha, beta, gamma), - &self.fourth_sigma.0, + &self.s_sigma_4.0, ); let domain = EvaluationDomain::new(z_poly.degree()).unwrap(); - let c = self.compute_lineariser_check_is_one( + let c = self.compute_linearizer_check_is_one( &domain, z_challenge, &alpha.square(), @@ -153,7 +153,7 @@ impl ProverKey { } // (a_eval + beta * z_challenge + gamma)(b_eval + beta * K1 * z_challenge + // gamma)(c_eval + beta * K2 * z_challenge + gamma) * alpha z(X) - fn compute_lineariser_identity_range_check( + fn compute_linearizer_identity_range_check( &self, (a_eval, b_eval, c_eval, d_eval): ( &BlsScalar, @@ -198,7 +198,7 @@ impl ProverKey { } // -(a_eval + beta * sigma_1 + gamma)(b_eval + beta * sigma_2 + gamma) // (c_eval + beta * sigma_3 + gamma) * beta *z_eval * alpha^2 * Sigma_4(X) - fn compute_lineariser_copy_range_check( + fn compute_linearizer_copy_range_check( &self, (a_eval, b_eval, c_eval): (&BlsScalar, &BlsScalar, &BlsScalar), z_eval: &BlsScalar, @@ -206,7 +206,7 @@ impl ProverKey { sigma_2_eval: &BlsScalar, sigma_3_eval: &BlsScalar, (alpha, beta, gamma): (&BlsScalar, &BlsScalar, &BlsScalar), - fourth_sigma_poly: &Polynomial, + s_sigma_4_poly: &Polynomial, ) -> Polynomial { // a_eval + beta * sigma_1 + gamma let beta_sigma_1 = beta * sigma_1_eval; @@ -230,13 +230,13 @@ impl ProverKey { a *= alpha; // (a_eval + beta * sigma_1 + gamma)(b_eval + beta * sigma_2 + // gamma)(c_eval + beta * sigma_3 + gamma) * beta * z_eval * alpha - fourth_sigma_poly * &-a // -(a_eval + beta * sigma_1 + gamma)(b_eval + - // beta * sigma_2 + gamma) (c_eval + beta * - // sigma_3 + gamma) * beta * z_eval * alpha^2 * - // Sigma_4(X) + s_sigma_4_poly * &-a // -(a_eval + beta * sigma_1 + gamma)(b_eval + + // beta * sigma_2 + gamma) (c_eval + beta * + // sigma_3 + gamma) * beta * z_eval * alpha^2 * + // Sigma_4(X) } - fn compute_lineariser_check_is_one( + fn compute_linearizer_check_is_one( &self, domain: &EvaluationDomain, z_challenge: &BlsScalar, diff --git a/src/proof_system/widget/permutation/verifierkey.rs b/src/proof_system/widget/permutation/verifierkey.rs index 9731dcff..802cf307 100644 --- a/src/proof_system/widget/permutation/verifierkey.rs +++ b/src/proof_system/widget/permutation/verifierkey.rs @@ -8,22 +8,23 @@ use crate::commitment_scheme::Commitment; #[derive(Debug, PartialEq, Eq, Copy, Clone)] pub(crate) struct VerifierKey { - pub(crate) left_sigma: Commitment, - pub(crate) right_sigma: Commitment, - pub(crate) out_sigma: Commitment, - pub(crate) fourth_sigma: Commitment, + pub(crate) s_sigma_1: Commitment, + pub(crate) s_sigma_2: Commitment, + pub(crate) s_sigma_3: Commitment, + pub(crate) s_sigma_4: Commitment, } #[cfg(feature = "alloc")] mod alloc { use super::*; use crate::permutation::constants::{K1, K2, K3}; - use crate::proof_system::linearisation_poly::ProofEvaluations; + use crate::proof_system::linearization_poly::ProofEvaluations; + #[rustfmt::skip] use ::alloc::vec::Vec; use dusk_bls12_381::{BlsScalar, G1Affine}; impl VerifierKey { - pub(crate) fn compute_linearisation_commitment( + pub(crate) fn compute_linearization_commitment( &self, scalars: &mut Vec, points: &mut Vec, @@ -64,13 +65,13 @@ mod alloc { // sigma_2_eval + gamma)(c_eval + beta * sigma_3_eval + // gamma) * alpha^2 let y = { - let beta_sigma_1 = beta * evaluations.left_sigma_eval; + let beta_sigma_1 = beta * evaluations.s_sigma_1_eval; let q_0 = evaluations.a_eval + beta_sigma_1 + gamma; - let beta_sigma_2 = beta * evaluations.right_sigma_eval; + let beta_sigma_2 = beta * evaluations.s_sigma_2_eval; let q_1 = evaluations.b_eval + beta_sigma_2 + gamma; - let beta_sigma_3 = beta * evaluations.out_sigma_eval; + let beta_sigma_3 = beta * evaluations.s_sigma_3_eval; let q_2 = evaluations.c_eval + beta_sigma_3 + gamma; let q_3 = beta * evaluations.perm_eval * alpha; @@ -78,7 +79,7 @@ mod alloc { -(q_0 * q_1 * q_2 * q_3) }; scalars.push(y); - points.push(self.fourth_sigma.0); + points.push(self.s_sigma_4.0); } } } diff --git a/src/proof_system/widget/range/proverkey.rs b/src/proof_system/widget/range/proverkey.rs index c5e98180..fb8863ae 100644 --- a/src/proof_system/widget/range/proverkey.rs +++ b/src/proof_system/widget/range/proverkey.rs @@ -17,11 +17,11 @@ impl ProverKey { &self, index: usize, range_separation_challenge: &BlsScalar, - w_l_i: &BlsScalar, - w_r_i: &BlsScalar, - w_o_i: &BlsScalar, - w_4_i: &BlsScalar, - w_4_i_next: &BlsScalar, + a_w_i: &BlsScalar, + b_w_i: &BlsScalar, + c_w_i: &BlsScalar, + d_w_i: &BlsScalar, + d_w_i_next: &BlsScalar, ) -> BlsScalar { let four = BlsScalar::from(4); let q_range_i = &self.q_range.1[index]; @@ -33,14 +33,14 @@ impl ProverKey { // Delta([c(X) - 4 * d(X)]) + Delta([b(X) - 4 * c(X)]) + Delta([a(X) - 4 // * b(X)]) + Delta([d(Xg) - 4 * a(X)]) * Q_Range(X) // - let b_1 = delta(w_o_i - four * w_4_i); - let b_2 = delta(w_r_i - four * w_o_i) * kappa; - let b_3 = delta(w_l_i - four * w_r_i) * kappa_sq; - let b_4 = delta(w_4_i_next - four * w_l_i) * kappa_cu; + let b_1 = delta(c_w_i - four * d_w_i); + let b_2 = delta(b_w_i - four * c_w_i) * kappa; + let b_3 = delta(a_w_i - four * b_w_i) * kappa_sq; + let b_4 = delta(d_w_i_next - four * a_w_i) * kappa_cu; (b_1 + b_2 + b_3 + b_4) * q_range_i * range_separation_challenge } - pub(crate) fn compute_linearisation( + pub(crate) fn compute_linearization( &self, range_separation_challenge: &BlsScalar, a_eval: &BlsScalar, diff --git a/src/proof_system/widget/range/verifierkey.rs b/src/proof_system/widget/range/verifierkey.rs index 0bc091aa..b09797d3 100644 --- a/src/proof_system/widget/range/verifierkey.rs +++ b/src/proof_system/widget/range/verifierkey.rs @@ -14,13 +14,14 @@ pub(crate) struct VerifierKey { #[cfg(feature = "alloc")] mod alloc { use super::*; - use crate::proof_system::linearisation_poly::ProofEvaluations; + use crate::proof_system::linearization_poly::ProofEvaluations; use crate::proof_system::widget::range::proverkey::delta; + #[rustfmt::skip] use ::alloc::vec::Vec; use dusk_bls12_381::{BlsScalar, G1Affine}; impl VerifierKey { - pub(crate) fn compute_linearisation_commitment( + pub(crate) fn compute_linearization_commitment( &self, range_separation_challenge: &BlsScalar, scalars: &mut Vec, diff --git a/tests/circuit.rs b/tests/circuit.rs index a01486b4..735c61bb 100644 --- a/tests/circuit.rs +++ b/tests/circuit.rs @@ -45,19 +45,14 @@ impl Circuit for TestCircuit { composer.component_range(b, 1 << 5); // Make second constraint a * b = d - let constraint = Constraint::new() - .mult(1) - .output(1) - .public(-self.d) - .a(a) - .b(b); + let constraint = Constraint::new().mult(1).public(-self.d).a(a).b(b); composer.append_gate(constraint); let e = composer.append_witness(self.e); let scalar_mul_result = composer .component_mul_generator(e, dusk_jubjub::GENERATOR_EXTENDED); - // Apply the constrain + // Apply the constraint composer.assert_equal_public_point(scalar_mul_result, self.f); Ok(()) @@ -92,7 +87,7 @@ fn test_full() -> Result<()> { // Initialize the circuit let mut circuit = TestCircuit::default(); - // Compile the circuit + // Compile/preprocess the circuit let (pk_p, vd_p) = circuit.compile(&pp)?; // Write the keys @@ -105,8 +100,7 @@ fn test_full() -> Result<()> { assert_eq!(pk, pk_p); // Store the VerifierData just for the verifier side: - // (You could also store public_inputs_indexes and VerifierKey - // sepparatedly). + // (You could also store public_inputs_indexes and VerifierKey separately). fs::write(&vd_path, &vd_p.to_var_bytes())?; let vd = fs::read(vd_path)?; let vd = VerifierData::from_slice(&vd)?;