succinct sonics! now refactor
This commit is contained in:
Alex Vlasov
parent
3d65dcbb6b
commit
da501f4572
@ -83,8 +83,6 @@ pub fn create_aggregate_on_srs_using_information<E: Engine, C: Circuit<E>, S: Sy
|
||||
|
||||
let z: E::Fr = transcript.get_challenge_scalar();
|
||||
|
||||
// let z = E::Fr::one();
|
||||
|
||||
// Compute s(z, Y)
|
||||
let (s_poly_negative, s_poly_positive) = {
|
||||
let mut tmp = SyEval::new(z, n, q);
|
||||
@ -106,12 +104,8 @@ pub fn create_aggregate_on_srs_using_information<E: Engine, C: Circuit<E>, S: Sy
|
||||
// Open C at w
|
||||
let w: E::Fr = transcript.get_challenge_scalar();
|
||||
|
||||
let w = E::Fr::one();
|
||||
|
||||
let value = compute_value::<E>(&w, &s_poly_positive, &s_poly_negative);
|
||||
|
||||
println!("In helper s(z, w) = {}", value);
|
||||
|
||||
let opening = {
|
||||
let mut value = value;
|
||||
value.negate();
|
||||
|
||||
@ -66,14 +66,10 @@ impl<E: Engine, C: Circuit<E>, S: SynthesisDriver, R: Rng> MultiVerifier<E, C, S
|
||||
|
||||
let z: E::Fr = transcript.get_challenge_scalar();
|
||||
|
||||
// let z = E::Fr::one();
|
||||
|
||||
transcript.commit_point(&aggregate.c);
|
||||
|
||||
let w: E::Fr = transcript.get_challenge_scalar();
|
||||
|
||||
let w = E::Fr::one();
|
||||
|
||||
let szw = {
|
||||
let mut tmp = SxEval::new(w, self.n);
|
||||
S::synthesize(&mut tmp, &self.circuit).unwrap(); // TODO
|
||||
|
||||
@ -621,10 +621,14 @@ fn test_succinct_sonic_mimc() {
|
||||
let z_n = z.pow([n as u64]);
|
||||
let y_n = y.pow([n as u64]);
|
||||
|
||||
println!("S_1 naive = {}", s1_naive);
|
||||
|
||||
let mut s_1 = s1_naive;
|
||||
s_1.mul_assign(&z_inv_n_plus_1);
|
||||
s_1.mul_assign(&y_n);
|
||||
|
||||
println!("S_1 multiplied = {}", s_1);
|
||||
|
||||
let mut s_2 = s2_proof.c_value;
|
||||
s_2.add_assign(&s2_proof.d_value);
|
||||
s_2.mul_assign(&z_n);
|
||||
|
||||
@ -57,6 +57,20 @@ fn permute<F: Field>(coeffs: &[F], permutation: & [usize]) -> Vec<F>{
|
||||
result
|
||||
}
|
||||
|
||||
fn permute_inverse<F: Field>(permuted_coeffs: &[F], permutation: & [usize]) -> Vec<F>{
|
||||
assert_eq!(permuted_coeffs.len(), permutation.len());
|
||||
let mut result: Vec<F> = vec![F::zero(); permuted_coeffs.len()];
|
||||
for (i, j) in permutation.iter().enumerate() {
|
||||
// if *j < 1 {
|
||||
// // if permutation information is missing coefficient itself must be zero!
|
||||
// assert!(coeffs[i].is_zero());
|
||||
// continue;
|
||||
// }
|
||||
result[i] = permuted_coeffs[*j - 1];
|
||||
}
|
||||
result
|
||||
}
|
||||
|
||||
impl<E: Engine> PermutationArgument<E> {
|
||||
pub fn new(coefficients: Vec<Vec<E::Fr>>, permutations: Vec<Vec<usize>>) -> Self {
|
||||
assert!(coefficients.len() > 0);
|
||||
@ -144,20 +158,52 @@ impl<E: Engine> PermutationArgument<E> {
|
||||
let mut permuted_coefficients = vec![];
|
||||
let mut permuted_at_y_coefficients = vec![];
|
||||
|
||||
|
||||
// naive algorithms
|
||||
// for every permutation poly
|
||||
// -- go throught all variable_idx
|
||||
// - take coeff from non-permuted coeffs[veriable_idx]
|
||||
// - mul by Y^{permutation[variable_idx]}
|
||||
// - mul by X^{variable_idx + 1}
|
||||
|
||||
// let mut s_contrib = E::Fr::zero();
|
||||
// for permutation_index in 0..m {
|
||||
// for (variable_index, constraint_power) in permutations[permutation_index].iter().enumerate() {
|
||||
// let y_power = y.pow([*constraint_power as u64]);
|
||||
// let x_power = z.pow([(variable_index+1) as u64]);
|
||||
// let coeff = non_permuted_coeffs[permutation_index][variable_index];
|
||||
|
||||
// let mut result = coeff;
|
||||
// result.mul_assign(&x_power);
|
||||
// result.mul_assign(&y_power);
|
||||
// s_contrib.add_assign(&result);
|
||||
// }
|
||||
// }
|
||||
|
||||
|
||||
// this part distributes powers of Y^{constraint} and Y^{variable} for different arguments
|
||||
for (c, p) in self.non_permuted_coefficients.iter().zip(self.permutations.iter()) {
|
||||
let mut non_permuted = c.clone();
|
||||
// these are terms of s coefficients in each of the permutations,
|
||||
// permuted by the corresponding permutation
|
||||
let permuted = permute(&non_permuted[..], &p[..]);
|
||||
// this one will have terms coeff[0] * Y^1
|
||||
let mut non_permuted_at_y = c.clone();
|
||||
|
||||
// distribute powers of Y to non-permuted coefficients
|
||||
mut_distribute_consequitive_powers(&mut non_permuted[..], y, y);
|
||||
// permute to later have coeff[i] at spot K for distribution of powers and for argument
|
||||
let permuted = permute(&non_permuted_at_y[..], &p[..]);
|
||||
|
||||
// here will be distributed powers for coeff[i] * Y^K
|
||||
let mut permuted_at_y = permuted.clone();
|
||||
|
||||
// distribute powers of Y to non-permuted coefficients as coeff[0]*Y^1, coeff[0]*Y^2, ...
|
||||
mut_distribute_consequitive_powers(&mut non_permuted_at_y[..], y, y);
|
||||
// and commit to S'
|
||||
let s_prime = multiexp(srs.g_positive_x_alpha[0..n].iter(), non_permuted.iter()).into_affine();
|
||||
let s_prime = multiexp(srs.g_positive_x_alpha[0..n].iter(), non_permuted_at_y.iter()).into_affine();
|
||||
drop(non_permuted_at_y);
|
||||
|
||||
// this construction has already moved coeff[i] to the corresponding constraint k, so term is coeff[i]*Y^{K} for place K
|
||||
mut_distribute_consequitive_powers(&mut permuted_at_y[..], y, y);
|
||||
|
||||
// now there is a coefficient coeff[i]*Y^{K} for place K at place K, so we need to move it back to i
|
||||
let permuted_at_y = permute_inverse(&permuted_at_y[..], &p[..]);
|
||||
|
||||
// no we can permute pre-distributed powers of Y
|
||||
let permuted_at_y = permute(&non_permuted[..], &p[..]);
|
||||
drop(non_permuted);
|
||||
// and commit to S
|
||||
let s = multiexp(srs.g_positive_x_alpha[0..n].iter(), permuted_at_y.iter()).into_affine();
|
||||
|
||||
@ -265,7 +311,7 @@ impl<E: Engine> PermutationArgument<E> {
|
||||
let s_polynomial = s_polynomial.unwrap();
|
||||
// evaluate at z
|
||||
let s_zy = evaluate_at_consequitive_powers(& s_polynomial[..], z, z);
|
||||
println!("In permutation argument S(z, y) = {}", s_zy);
|
||||
println!("In permutation argument S1_(z, y) = {}", s_zy);
|
||||
|
||||
|
||||
let mut s_zy_neg = s_zy;
|
||||
|
||||
@ -176,7 +176,6 @@ impl<E: Engine> PermutationStructure<E> {
|
||||
Coeff::Zero => {
|
||||
},
|
||||
Coeff::One => {
|
||||
println!("A({}), coeff = 1 for place {} in permutation {}", gate_index, place, i);
|
||||
not_empty[i] = true;
|
||||
place_coeff_into[array_position] = one;
|
||||
place_permutation_into[array_position] = *place;
|
||||
|
||||
@ -166,20 +166,10 @@ impl<E: Engine, C: Circuit<E>, S: SynthesisDriver, R: Rng> SuccinctMultiVerifier
|
||||
|
||||
let z: E::Fr = transcript.get_challenge_scalar();
|
||||
|
||||
// let z = E::Fr::one();
|
||||
|
||||
println!("Verifier z = {}", z);
|
||||
|
||||
transcript.commit_point(&aggregate.c);
|
||||
|
||||
let w: E::Fr = transcript.get_challenge_scalar();
|
||||
|
||||
let w = E::Fr::one();
|
||||
|
||||
println!("Verifier w = {}", w);
|
||||
|
||||
println!("N = {}", self.n);
|
||||
|
||||
let szw = {
|
||||
// prover will supply s1 and s2, need to calculate
|
||||
// s(z, w) = X^-(N+1) * Y^N * s1 - X^N * s2
|
||||
@ -196,45 +186,43 @@ impl<E: Engine, C: Circuit<E>, S: SynthesisDriver, R: Rng> SuccinctMultiVerifier
|
||||
// this is s2 contribution itself
|
||||
let mut s2_part = s2_proof.c_value;
|
||||
s2_part.add_assign(&s2_proof.d_value);
|
||||
println!("S2 = {}", s2_part);
|
||||
s2_part.mul_assign(&x_n);
|
||||
|
||||
// add terms for S2 for verification
|
||||
|
||||
// {
|
||||
// let random: E::Fr = self.randomness_source.gen();
|
||||
{
|
||||
let random: E::Fr = self.randomness_source.gen();
|
||||
|
||||
// // e(C,hαx)e(C−yz,hα) = e(O,h)e(g−c,hα) that is
|
||||
// // e(C,hαx)e(C^−yz,hα)*e(O,-h)e(g^c,hα) = 1
|
||||
// e(C,hαx)e(C−yz,hα) = e(O,h)e(g−c,hα) that is
|
||||
// e(C,hαx)e(C^−yz,hα)*e(O,-h)e(g^c,hα) = 1
|
||||
|
||||
// let mut xy = z;
|
||||
// xy.mul_assign(&w);
|
||||
let mut xy = z;
|
||||
xy.mul_assign(&w);
|
||||
|
||||
// self.batch.add_opening(s2_proof.c_opening, random, xy);
|
||||
// self.batch.add_opening_value(random, s2_proof.c_value);
|
||||
// self.batch.add_commitment(self.s2_special_reference, random);
|
||||
self.batch.add_opening(s2_proof.c_opening, random, xy);
|
||||
self.batch.add_opening_value(random, s2_proof.c_value);
|
||||
self.batch.add_commitment(self.s2_special_reference, random);
|
||||
|
||||
// }
|
||||
}
|
||||
|
||||
// {
|
||||
// let random: E::Fr = self.randomness_source.gen();
|
||||
{
|
||||
let random: E::Fr = self.randomness_source.gen();
|
||||
|
||||
// // e(D,hαx)e(D−y−1z,hα) = e(O,h)e(g−d,hα) that is
|
||||
// // e(D,hαx)e(D^−y-1z,hα)*e(O,-h)e(g^d,hα) = 1
|
||||
// e(D,hαx)e(D−y−1z,hα) = e(O,h)e(g−d,hα) that is
|
||||
// e(D,hαx)e(D^−y-1z,hα)*e(O,-h)e(g^d,hα) = 1
|
||||
|
||||
// let mut y_inv_by_x = z;
|
||||
// y_inv_by_x.mul_assign(&w.inverse().unwrap());
|
||||
let mut y_inv_by_x = z;
|
||||
y_inv_by_x.mul_assign(&w.inverse().unwrap());
|
||||
|
||||
// self.batch.add_opening(s2_proof.d_opening, random, y_inv_by_x);
|
||||
// self.batch.add_opening_value(random, s2_proof.d_value);
|
||||
// self.batch.add_commitment(self.s2_special_reference, random);
|
||||
self.batch.add_opening(s2_proof.d_opening, random, y_inv_by_x);
|
||||
self.batch.add_opening_value(random, s2_proof.d_value);
|
||||
self.batch.add_commitment(self.s2_special_reference, random);
|
||||
|
||||
// }
|
||||
}
|
||||
|
||||
// now work with s1 part
|
||||
|
||||
let mut s1_part = permutation_argument_proof.s_zy;
|
||||
println!("S1 = {}", s1_part);
|
||||
s1_part.mul_assign(&x_n_plus_1_inv);
|
||||
s1_part.mul_assign(&y_n);
|
||||
|
||||
@ -278,8 +266,6 @@ impl<E: Engine, C: Circuit<E>, S: SynthesisDriver, R: Rng> SuccinctMultiVerifier
|
||||
s
|
||||
};
|
||||
|
||||
println!("Succinct s(z, w) = {}", szw);
|
||||
|
||||
{
|
||||
let random: E::Fr = self.randomness_source.gen();
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user