tornado-packages/phase2-bn254
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

succinct sonics! now refactor

Browse Source
This commit is contained in:
Alex Vlasov 2019-06-06 18:50:57 +03:00
parent 3d65dcbb6b
commit da501f4572
6 changed files with 81 additions and 56 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/sonic/helped/helper.rs
View File

@ -83,8 +83,6 @@ pub fn create_aggregate_on_srs_using_information<E: Engine, C: Circuit<E>, S: Sy
let z: E::Fr = transcript.get_challenge_scalar(); let z: E::Fr = transcript.get_challenge_scalar();
// let z = E::Fr::one();
// Compute s(z, Y) // Compute s(z, Y)
let (s_poly_negative, s_poly_positive) = { let (s_poly_negative, s_poly_positive) = {
let mut tmp = SyEval::new(z, n, q); let mut tmp = SyEval::new(z, n, q);
@ -106,12 +104,8 @@ pub fn create_aggregate_on_srs_using_information<E: Engine, C: Circuit<E>, S: Sy
// Open C at w // Open C at w
let w: E::Fr = transcript.get_challenge_scalar(); let w: E::Fr = transcript.get_challenge_scalar();
let w = E::Fr::one();
let value = compute_value::<E>(&w, &s_poly_positive, &s_poly_negative); let value = compute_value::<E>(&w, &s_poly_positive, &s_poly_negative);
println!("In helper s(z, w) = {}", value);
let opening = { let opening = {
let mut value = value; let mut value = value;
value.negate(); value.negate();

4
src/sonic/helped/verifier.rs
View File

@ -66,14 +66,10 @@ impl<E: Engine, C: Circuit<E>, S: SynthesisDriver, R: Rng> MultiVerifier<E, C, S
let z: E::Fr = transcript.get_challenge_scalar(); let z: E::Fr = transcript.get_challenge_scalar();
// let z = E::Fr::one();
transcript.commit_point(&aggregate.c); transcript.commit_point(&aggregate.c);
let w: E::Fr = transcript.get_challenge_scalar(); let w: E::Fr = transcript.get_challenge_scalar();
let w = E::Fr::one();
let szw = { let szw = {
let mut tmp = SxEval::new(w, self.n); let mut tmp = SxEval::new(w, self.n);
S::synthesize(&mut tmp, &self.circuit).unwrap(); // TODO S::synthesize(&mut tmp, &self.circuit).unwrap(); // TODO

4
src/sonic/tests/sonics.rs
View File

@ -621,10 +621,14 @@ fn test_succinct_sonic_mimc() {
let z_n = z.pow([n as u64]); let z_n = z.pow([n as u64]);
let y_n = y.pow([n as u64]); let y_n = y.pow([n as u64]);
println!("S_1 naive = {}", s1_naive);
let mut s_1 = s1_naive; let mut s_1 = s1_naive;
s_1.mul_assign(&z_inv_n_plus_1); s_1.mul_assign(&z_inv_n_plus_1);
s_1.mul_assign(&y_n); s_1.mul_assign(&y_n);
println!("S_1 multiplied = {}", s_1);
let mut s_2 = s2_proof.c_value; let mut s_2 = s2_proof.c_value;
s_2.add_assign(&s2_proof.d_value); s_2.add_assign(&s2_proof.d_value);
s_2.mul_assign(&z_n); s_2.mul_assign(&z_n);

68
src/sonic/unhelped/permutation_argument.rs
View File

@ -57,6 +57,20 @@ fn permute<F: Field>(coeffs: &[F], permutation: & [usize]) -> Vec<F>{
result result
} }
fn permute_inverse<F: Field>(permuted_coeffs: &[F], permutation: & [usize]) -> Vec<F>{
assert_eq!(permuted_coeffs.len(), permutation.len());
let mut result: Vec<F> = vec![F::zero(); permuted_coeffs.len()];
for (i, j) in permutation.iter().enumerate() {
// if *j < 1 {
// // if permutation information is missing coefficient itself must be zero!
// assert!(coeffs[i].is_zero());
// continue;
// }
result[i] = permuted_coeffs[*j - 1];
}
result
}
impl<E: Engine> PermutationArgument<E> { impl<E: Engine> PermutationArgument<E> {
pub fn new(coefficients: Vec<Vec<E::Fr>>, permutations: Vec<Vec<usize>>) -> Self { pub fn new(coefficients: Vec<Vec<E::Fr>>, permutations: Vec<Vec<usize>>) -> Self {
assert!(coefficients.len() > 0); assert!(coefficients.len() > 0);
@ -144,20 +158,52 @@ impl<E: Engine> PermutationArgument<E> {
let mut permuted_coefficients = vec![]; let mut permuted_coefficients = vec![];
let mut permuted_at_y_coefficients = vec![]; let mut permuted_at_y_coefficients = vec![];
// naive algorithms
// for every permutation poly
// -- go throught all variable_idx
// - take coeff from non-permuted coeffs[veriable_idx]
// - mul by Y^{permutation[variable_idx]}
// - mul by X^{variable_idx + 1}
// let mut s_contrib = E::Fr::zero();
// for permutation_index in 0..m {
// for (variable_index, constraint_power) in permutations[permutation_index].iter().enumerate() {
// let y_power = y.pow([*constraint_power as u64]);
// let x_power = z.pow([(variable_index+1) as u64]);
// let coeff = non_permuted_coeffs[permutation_index][variable_index];
// let mut result = coeff;
// result.mul_assign(&x_power);
// result.mul_assign(&y_power);
// s_contrib.add_assign(&result);
// }
// }
// this part distributes powers of Y^{constraint} and Y^{variable} for different arguments
for (c, p) in self.non_permuted_coefficients.iter().zip(self.permutations.iter()) { for (c, p) in self.non_permuted_coefficients.iter().zip(self.permutations.iter()) {
let mut non_permuted = c.clone(); // this one will have terms coeff[0] * Y^1
// these are terms of s coefficients in each of the permutations, let mut non_permuted_at_y = c.clone();
// permuted by the corresponding permutation
let permuted = permute(&non_permuted[..], &p[..]);
// distribute powers of Y to non-permuted coefficients // permute to later have coeff[i] at spot K for distribution of powers and for argument
mut_distribute_consequitive_powers(&mut non_permuted[..], y, y); let permuted = permute(&non_permuted_at_y[..], &p[..]);
// here will be distributed powers for coeff[i] * Y^K
let mut permuted_at_y = permuted.clone();
// distribute powers of Y to non-permuted coefficients as coeff[0]*Y^1, coeff[0]*Y^2, ...
mut_distribute_consequitive_powers(&mut non_permuted_at_y[..], y, y);
// and commit to S' // and commit to S'
let s_prime = multiexp(srs.g_positive_x_alpha[0..n].iter(), non_permuted.iter()).into_affine(); let s_prime = multiexp(srs.g_positive_x_alpha[0..n].iter(), non_permuted_at_y.iter()).into_affine();
drop(non_permuted_at_y);
// this construction has already moved coeff[i] to the corresponding constraint k, so term is coeff[i]*Y^{K} for place K
mut_distribute_consequitive_powers(&mut permuted_at_y[..], y, y);
// now there is a coefficient coeff[i]*Y^{K} for place K at place K, so we need to move it back to i
let permuted_at_y = permute_inverse(&permuted_at_y[..], &p[..]);
// no we can permute pre-distributed powers of Y
let permuted_at_y = permute(&non_permuted[..], &p[..]);
drop(non_permuted);
// and commit to S // and commit to S
let s = multiexp(srs.g_positive_x_alpha[0..n].iter(), permuted_at_y.iter()).into_affine(); let s = multiexp(srs.g_positive_x_alpha[0..n].iter(), permuted_at_y.iter()).into_affine();
@ -265,7 +311,7 @@ impl<E: Engine> PermutationArgument<E> {
let s_polynomial = s_polynomial.unwrap(); let s_polynomial = s_polynomial.unwrap();
// evaluate at z // evaluate at z
let s_zy = evaluate_at_consequitive_powers(& s_polynomial[..], z, z); let s_zy = evaluate_at_consequitive_powers(& s_polynomial[..], z, z);
println!("In permutation argument S(z, y) = {}", s_zy); println!("In permutation argument S1_(z, y) = {}", s_zy);
let mut s_zy_neg = s_zy; let mut s_zy_neg = s_zy;

1
src/sonic/unhelped/permutation_structure.rs
View File

@ -176,7 +176,6 @@ impl<E: Engine> PermutationStructure<E> {
Coeff::Zero => { Coeff::Zero => {
}, },
Coeff::One => { Coeff::One => {
println!("A({}), coeff = 1 for place {} in permutation {}", gate_index, place, i);
not_empty[i] = true; not_empty[i] = true;
place_coeff_into[array_position] = one; place_coeff_into[array_position] = one;
place_permutation_into[array_position] = *place; place_permutation_into[array_position] = *place;

54
src/sonic/unhelped/verifier.rs
View File

@ -166,20 +166,10 @@ impl<E: Engine, C: Circuit<E>, S: SynthesisDriver, R: Rng> SuccinctMultiVerifier
let z: E::Fr = transcript.get_challenge_scalar(); let z: E::Fr = transcript.get_challenge_scalar();
// let z = E::Fr::one();
println!("Verifier z = {}", z);
transcript.commit_point(&aggregate.c); transcript.commit_point(&aggregate.c);
let w: E::Fr = transcript.get_challenge_scalar(); let w: E::Fr = transcript.get_challenge_scalar();
let w = E::Fr::one();
println!("Verifier w = {}", w);
println!("N = {}", self.n);
let szw = { let szw = {
// prover will supply s1 and s2, need to calculate // prover will supply s1 and s2, need to calculate
// s(z, w) = X^-(N+1) * Y^N * s1 - X^N * s2 // s(z, w) = X^-(N+1) * Y^N * s1 - X^N * s2
@ -196,45 +186,43 @@ impl<E: Engine, C: Circuit<E>, S: SynthesisDriver, R: Rng> SuccinctMultiVerifier
// this is s2 contribution itself // this is s2 contribution itself
let mut s2_part = s2_proof.c_value; let mut s2_part = s2_proof.c_value;
s2_part.add_assign(&s2_proof.d_value); s2_part.add_assign(&s2_proof.d_value);
println!("S2 = {}", s2_part);
s2_part.mul_assign(&x_n); s2_part.mul_assign(&x_n);
// add terms for S2 for verification // add terms for S2 for verification
// { {
// let random: E::Fr = self.randomness_source.gen(); let random: E::Fr = self.randomness_source.gen();
// // e(C,hαx)e(Cyz,hα) = e(O,h)e(gc,hα) that is // e(C,hαx)e(Cyz,hα) = e(O,h)e(gc,hα) that is
// // e(C,hαx)e(C^yz,hα)*e(O,-h)e(g^c,hα) = 1 // e(C,hαx)e(C^yz,hα)*e(O,-h)e(g^c,hα) = 1
// let mut xy = z; let mut xy = z;
// xy.mul_assign(&w); xy.mul_assign(&w);
// self.batch.add_opening(s2_proof.c_opening, random, xy); self.batch.add_opening(s2_proof.c_opening, random, xy);
// self.batch.add_opening_value(random, s2_proof.c_value); self.batch.add_opening_value(random, s2_proof.c_value);
// self.batch.add_commitment(self.s2_special_reference, random); self.batch.add_commitment(self.s2_special_reference, random);
// } }
// { {
// let random: E::Fr = self.randomness_source.gen(); let random: E::Fr = self.randomness_source.gen();
// // e(D,hαx)e(Dy1z,hα) = e(O,h)e(gd,hα) that is // e(D,hαx)e(Dy1z,hα) = e(O,h)e(gd,hα) that is
// // e(D,hαx)e(D^y-1z,hα)*e(O,-h)e(g^d,hα) = 1 // e(D,hαx)e(D^y-1z,hα)*e(O,-h)e(g^d,hα) = 1
// let mut y_inv_by_x = z; let mut y_inv_by_x = z;
// y_inv_by_x.mul_assign(&w.inverse().unwrap()); y_inv_by_x.mul_assign(&w.inverse().unwrap());
// self.batch.add_opening(s2_proof.d_opening, random, y_inv_by_x); self.batch.add_opening(s2_proof.d_opening, random, y_inv_by_x);
// self.batch.add_opening_value(random, s2_proof.d_value); self.batch.add_opening_value(random, s2_proof.d_value);
// self.batch.add_commitment(self.s2_special_reference, random); self.batch.add_commitment(self.s2_special_reference, random);
// } }
// now work with s1 part // now work with s1 part
let mut s1_part = permutation_argument_proof.s_zy; let mut s1_part = permutation_argument_proof.s_zy;
println!("S1 = {}", s1_part);
s1_part.mul_assign(&x_n_plus_1_inv); s1_part.mul_assign(&x_n_plus_1_inv);
s1_part.mul_assign(&y_n); s1_part.mul_assign(&y_n);
@ -278,8 +266,6 @@ impl<E: Engine, C: Circuit<E>, S: SynthesisDriver, R: Rng> SuccinctMultiVerifier
s s
}; };
println!("Succinct s(z, w) = {}", szw);
{ {
let random: E::Fr = self.randomness_source.gen(); let random: E::Fr = self.randomness_source.gen();