ok, blinding are may be in place, but need more carefull evaluation cause r(zy, 1) != r(z, y) if follow the algorithm 1 from the paper
This commit is contained in:
parent
2d69758c18
commit
5f8618b437
@ -46,6 +46,7 @@ use crate::sonic::cs::ConstraintSystem as SonicConstraintSystem;
|
||||
use crate::sonic::cs::Variable as SonicVariable;
|
||||
use crate::sonic::cs::Coeff;
|
||||
use crate::sonic::sonic::{AdaptorCircuit};
|
||||
use super::parameters::NUM_BLINDINGS;
|
||||
|
||||
use crate::verbose_flag;
|
||||
|
||||
@ -381,7 +382,7 @@ pub fn generate_parameters<E, C>(
|
||||
where E: Engine, C: Circuit<E>
|
||||
{
|
||||
let circuit_parameters = get_circuit_parameters::<E, C>(circuit)?;
|
||||
let min_d = circuit_parameters.n * 4;
|
||||
let min_d = circuit_parameters.n * 4 + NUM_BLINDINGS;
|
||||
|
||||
let srs = generate_srs(alpha, x, min_d)?;
|
||||
|
||||
@ -407,8 +408,8 @@ pub fn generate_parameters_on_srs_and_information<E: Engine>(
|
||||
information: CircuitParameters<E>
|
||||
) -> Result<Parameters<E>, SynthesisError>
|
||||
{
|
||||
assert!(srs.d >= information.n * 4);
|
||||
let min_d = information.n * 4;
|
||||
assert!(srs.d >= information.n * 4 + NUM_BLINDINGS);
|
||||
let min_d = information.n * 4 + NUM_BLINDINGS;
|
||||
|
||||
let trimmed_srs: SRS<E> = SRS {
|
||||
d: min_d,
|
||||
|
@ -210,80 +210,14 @@ pub fn create_proof_on_srs<E: Engine, C: Circuit<E>, S: SynthesisDriver>(
|
||||
let rng = &mut thread_rng();
|
||||
|
||||
// c_{n+1}, c_{n+2}, c_{n+3}, c_{n+4}
|
||||
let blindings: Vec<E::Fr> = (0..NUM_BLINDINGS).into_iter().map(|_| E::Fr::rand(rng)).collect();
|
||||
// let blindings: Vec<E::Fr> = (0..NUM_BLINDINGS).into_iter().map(|_| E::Fr::rand(rng)).collect();
|
||||
|
||||
// let blindings: Vec<E::Fr> = vec![E::Fr::zero(); NUM_BLINDINGS];
|
||||
let blindings: Vec<E::Fr> = vec![E::Fr::zero(); NUM_BLINDINGS];
|
||||
|
||||
// let max_n = 3*n + 1 + NUM_BLINDINGS;
|
||||
|
||||
// let max_n = 3*n + 1;
|
||||
|
||||
fn polynomial_commitment<
|
||||
'a,
|
||||
EE: Engine,
|
||||
IS: IntoIterator<Item = &'a EE::Fr>,
|
||||
>(
|
||||
max: usize,
|
||||
largest_negative_power: usize,
|
||||
largest_positive_power: usize,
|
||||
srs: &'a SRS<EE>,
|
||||
s: IS,
|
||||
) -> EE::G1Affine
|
||||
where
|
||||
IS::IntoIter: ExactSizeIterator,
|
||||
{
|
||||
// smallest power is d - max - largest_negative_power; It should either be 1 for use of positive powers only,
|
||||
// of we should use part of the negative powers
|
||||
let d = srs.d;
|
||||
assert!(max >= largest_positive_power);
|
||||
if d < max + largest_negative_power + 1 {
|
||||
println!("Use negative powers for polynomial commitment");
|
||||
let min_power = largest_negative_power + max - d;
|
||||
let max_power = d + largest_positive_power - max;
|
||||
println!("Min power = {}, max = {}", min_power, max_power);
|
||||
// need to use negative powers to make a proper commitment
|
||||
return multiexp(
|
||||
srs.g_negative_x_alpha[0..min_power].iter().rev()
|
||||
.chain_ext(srs.g_positive_x_alpha[..max_power].iter()),
|
||||
s
|
||||
).into_affine();
|
||||
} else {
|
||||
println!("Use positive powers only for polynomial commitment");
|
||||
return multiexp(
|
||||
srs.g_positive_x_alpha[(srs.d - max - largest_negative_power - 1)..].iter(),
|
||||
s
|
||||
).into_affine();
|
||||
}
|
||||
}
|
||||
|
||||
fn polynomial_commitment_opening<
|
||||
'a,
|
||||
EE: Engine,
|
||||
I: IntoIterator<Item = &'a EE::Fr>
|
||||
>(
|
||||
largest_negative_power: usize,
|
||||
largest_positive_power: usize,
|
||||
polynomial_coefficients: I,
|
||||
mut point: EE::Fr,
|
||||
srs: &'a SRS<EE>,
|
||||
) -> EE::G1Affine
|
||||
where I::IntoIter: DoubleEndedIterator + ExactSizeIterator,
|
||||
{
|
||||
let poly = kate_divison(
|
||||
polynomial_coefficients,
|
||||
point,
|
||||
);
|
||||
|
||||
let negative_poly = poly[0..largest_negative_power].iter().rev();
|
||||
let positive_poly = poly[largest_negative_power..].iter();
|
||||
multiexp(
|
||||
srs.g_negative_x[1..(negative_poly.len() + 1)].iter().chain_ext(
|
||||
srs.g_positive_x[0..positive_poly.len()].iter()
|
||||
),
|
||||
negative_poly.chain_ext(positive_poly)
|
||||
).into_affine()
|
||||
}
|
||||
|
||||
let r = polynomial_commitment::<E, _>(
|
||||
n,
|
||||
2*n + NUM_BLINDINGS,
|
||||
|
@ -1,6 +1,7 @@
|
||||
use crate::SynthesisError;
|
||||
use ff::{Field, PrimeField, PrimeFieldRepr, ScalarEngine};
|
||||
use pairing::{CurveAffine, CurveProjective, Engine};
|
||||
use super::srs::SRS;
|
||||
|
||||
pub trait ChainExt: Iterator {
|
||||
fn chain_ext<U>(self, other: U) -> Chain<Self, U::IntoIter>
|
||||
@ -71,8 +72,71 @@ where
|
||||
}
|
||||
}
|
||||
|
||||
pub fn polynomial_commitment<
|
||||
'a,
|
||||
E: Engine,
|
||||
IS: IntoIterator<Item = &'a E::Fr>,
|
||||
>(
|
||||
max: usize,
|
||||
largest_negative_power: usize,
|
||||
largest_positive_power: usize,
|
||||
srs: &'a SRS<E>,
|
||||
s: IS,
|
||||
) -> E::G1Affine
|
||||
where
|
||||
IS::IntoIter: ExactSizeIterator,
|
||||
{
|
||||
// smallest power is d - max - largest_negative_power; It should either be 1 for use of positive powers only,
|
||||
// of we should use part of the negative powers
|
||||
let d = srs.d;
|
||||
assert!(max >= largest_positive_power);
|
||||
if d < max + largest_negative_power + 1 {
|
||||
let min_power = largest_negative_power + max - d;
|
||||
let max_power = d + largest_positive_power - max;
|
||||
// need to use negative powers to make a proper commitment
|
||||
return multiexp(
|
||||
srs.g_negative_x_alpha[0..min_power].iter().rev()
|
||||
.chain_ext(srs.g_positive_x_alpha[..max_power].iter()),
|
||||
s
|
||||
).into_affine();
|
||||
} else {
|
||||
return multiexp(
|
||||
srs.g_positive_x_alpha[(srs.d - max - largest_negative_power - 1)..].iter(),
|
||||
s
|
||||
).into_affine();
|
||||
}
|
||||
}
|
||||
|
||||
pub fn polynomial_commitment_opening<
|
||||
'a,
|
||||
E: Engine,
|
||||
I: IntoIterator<Item = &'a E::Fr>
|
||||
>(
|
||||
largest_negative_power: usize,
|
||||
largest_positive_power: usize,
|
||||
polynomial_coefficients: I,
|
||||
mut point: E::Fr,
|
||||
srs: &'a SRS<E>,
|
||||
) -> E::G1Affine
|
||||
where I::IntoIter: DoubleEndedIterator + ExactSizeIterator,
|
||||
{
|
||||
let poly = kate_divison(
|
||||
polynomial_coefficients,
|
||||
point,
|
||||
);
|
||||
|
||||
let negative_poly = poly[0..largest_negative_power].iter().rev();
|
||||
let positive_poly = poly[largest_negative_power..].iter();
|
||||
multiexp(
|
||||
srs.g_negative_x[1..(negative_poly.len() + 1)].iter().chain_ext(
|
||||
srs.g_positive_x[0..positive_poly.len()].iter()
|
||||
),
|
||||
negative_poly.chain_ext(positive_poly)
|
||||
).into_affine()
|
||||
}
|
||||
|
||||
extern crate crossbeam;
|
||||
use self::crossbeam::channel::{unbounded, RecvError};
|
||||
use self::crossbeam::channel::{unbounded};
|
||||
|
||||
pub fn evaluate_at_consequitive_powers<'a, F: Field> (
|
||||
coeffs: &[F],
|
||||
@ -115,15 +179,11 @@ pub fn evaluate_at_consequitive_powers<'a, F: Field> (
|
||||
let mut result = F::zero();
|
||||
|
||||
loop {
|
||||
let v = r.recv();
|
||||
match v {
|
||||
Ok(value) => {
|
||||
result.add_assign(&value);
|
||||
},
|
||||
Err(RecvError) => {
|
||||
if r.is_empty() {
|
||||
break;
|
||||
}
|
||||
}
|
||||
let value = r.recv().expect("must not be empty");
|
||||
result.add_assign(&value);
|
||||
}
|
||||
|
||||
result
|
||||
|
Loading…
Reference in New Issue
Block a user