From 31fb6779bc622de0d9c842f2c00cc8c8ce2d0df4 Mon Sep 17 00:00:00 2001 From: xevisalle Date: Thu, 4 Jul 2024 16:38:32 +0200 Subject: [PATCH] Update linearization polynomial computation --- src/compiler/prover.rs | 95 ++++---- src/proof_system/linearization_poly.rs | 208 ++++++------------ src/proof_system/proof.rs | 160 +++++--------- .../widget/arithmetic/proverkey.rs | 19 +- .../widget/ecc/curve_addition/proverkey.rs | 23 +- .../ecc/scalar_mul/fixed_base/proverkey.rs | 34 ++- src/proof_system/widget/logic/proverkey.rs | 21 +- src/proof_system/widget/range/proverkey.rs | 17 +- 8 files changed, 215 insertions(+), 362 deletions(-) diff --git a/src/compiler/prover.rs b/src/compiler/prover.rs index 1e5ffe35..b3d29eff 100644 --- a/src/compiler/prover.rs +++ b/src/compiler/prover.rs @@ -14,11 +14,11 @@ use merlin::Transcript; use rand_core::{CryptoRng, RngCore}; use crate::commitment_scheme::CommitKey; +use crate::compiler::prover::linearization_poly::ProofEvaluations; use crate::error::Error; use crate::fft::{EvaluationDomain, Polynomial}; -use crate::proof_system::proof::Proof; use crate::proof_system::{ - linearization_poly, quotient_poly, ProverKey, VerifierKey, + linearization_poly, proof::Proof, quotient_poly, ProverKey, VerifierKey, }; use crate::transcript::TranscriptProtocol; @@ -433,13 +433,50 @@ impl Prover { transcript.append_scalar(b"z_eval", &z_eval); + // Compute extra evaluations + let a_next_eval = a_w_poly.evaluate(&(z_challenge * domain.group_gen)); + let b_next_eval = b_w_poly.evaluate(&(z_challenge * domain.group_gen)); + let d_next_eval = d_w_poly.evaluate(&(z_challenge * domain.group_gen)); + + let q_arith_eval = + self.prover_key.arithmetic.q_arith.0.evaluate(&z_challenge); + let q_c_eval = self.prover_key.logic.q_c.0.evaluate(&z_challenge); + let q_l_eval = self.prover_key.fixed_base.q_l.0.evaluate(&z_challenge); + let q_r_eval = self.prover_key.fixed_base.q_r.0.evaluate(&z_challenge); + + // add extra evaluations to transcript. + transcript.append_scalar(b"a_next_eval", &a_next_eval); + transcript.append_scalar(b"b_next_eval", &b_next_eval); + transcript.append_scalar(b"d_next_eval", &d_next_eval); + transcript.append_scalar(b"q_arith_eval", &q_arith_eval); + transcript.append_scalar(b"q_c_eval", &q_c_eval); + transcript.append_scalar(b"q_l_eval", &q_l_eval); + transcript.append_scalar(b"q_r_eval", &q_r_eval); + + let evaluations = ProofEvaluations { + a_eval, + b_eval, + c_eval, + d_eval, + a_next_eval, + b_next_eval, + d_next_eval, + q_arith_eval, + q_c_eval, + q_l_eval, + q_r_eval, + s_sigma_1_eval, + s_sigma_2_eval, + s_sigma_3_eval, + z_eval, + }; + // round 5 // compute the challenge 'v' let v_challenge = transcript.challenge_scalar(b"v_challenge"); // compute linearization polynomial - let (r_poly, evaluations) = linearization_poly::compute( - &domain, + let r_poly = linearization_poly::compute( &self.prover_key, &( alpha, @@ -451,53 +488,19 @@ impl Prover { var_base_sep_challenge, z_challenge, ), - &a_w_poly, - &b_w_poly, - &d_w_poly, - &t_poly, &z_poly, - &a_eval, - &b_eval, - &c_eval, - &d_eval, - &s_sigma_1_eval, - &s_sigma_2_eval, - &s_sigma_3_eval, - &z_eval, + &evaluations, + &domain, + &t_low_poly, + &t_mid_poly, + &t_high_poly, + &t_4_poly, + &public_inputs, ); - // add evaluations to transcript. - transcript - .append_scalar(b"a_next_eval", &evaluations.proof.a_next_eval); - transcript - .append_scalar(b"b_next_eval", &evaluations.proof.b_next_eval); - transcript - .append_scalar(b"d_next_eval", &evaluations.proof.d_next_eval); - transcript - .append_scalar(b"q_arith_eval", &evaluations.proof.q_arith_eval); - transcript.append_scalar(b"q_c_eval", &evaluations.proof.q_c_eval); - transcript.append_scalar(b"q_l_eval", &evaluations.proof.q_l_eval); - transcript.append_scalar(b"q_r_eval", &evaluations.proof.q_r_eval); - transcript.append_scalar(b"t_eval", &evaluations.t_eval); - transcript.append_scalar(b"r_eval", &evaluations.proof.r_poly_eval); - - // compute Openings using KZG10 - let z_n = z_challenge.pow(&[domain_size as u64, 0, 0, 0]); - let z_two_n = z_challenge.pow(&[2 * domain_size as u64, 0, 0, 0]); - let z_three_n = z_challenge.pow(&[3 * domain_size as u64, 0, 0, 0]); - - let a = &t_low_poly; - let b = &t_mid_poly * &z_n; - let c = &t_high_poly * &z_two_n; - let d = &t_4_poly * &z_three_n; - let abc = &(a + &b) + &c; - - let quot = &abc + &d; - // compute the opening proof polynomial 'W_z(X)' let aggregate_witness = CommitKey::compute_aggregate_witness( &[ - quot, r_poly, a_w_poly.clone(), b_w_poly.clone(), @@ -541,7 +544,7 @@ impl Prover { w_z_chall_comm, w_z_chall_w_comm, - evaluations: evaluations.proof, + evaluations, }; Ok((proof, public_inputs)) diff --git a/src/proof_system/linearization_poly.rs b/src/proof_system/linearization_poly.rs index a1597e6e..72d0da26 100644 --- a/src/proof_system/linearization_poly.rs +++ b/src/proof_system/linearization_poly.rs @@ -7,7 +7,7 @@ #[cfg(feature = "alloc")] use crate::{ fft::{EvaluationDomain, Polynomial}, - proof_system::ProverKey, + proof_system::{proof, ProverKey}, }; use dusk_bls12_381::BlsScalar; @@ -21,14 +21,6 @@ use rkyv::{ Archive, Deserialize, Serialize, }; -/// Evaluations at points `z` or and `z * root of unity` -#[allow(dead_code)] -pub(crate) struct Evaluations { - pub(crate) proof: ProofEvaluations, - // Evaluation of the linearization sigma polynomial at `z` - pub(crate) t_eval: BlsScalar, -} - /// Subset of all of the evaluations. These evaluations /// are added to the [`Proof`](super::Proof). #[derive(Debug, Eq, PartialEq, Clone, Default)] @@ -84,18 +76,14 @@ pub(crate) struct ProofEvaluations { #[cfg_attr(feature = "rkyv-impl", omit_bounds)] pub(crate) s_sigma_3_eval: BlsScalar, - // Evaluation of the linearization sigma polynomial at `z` - #[cfg_attr(feature = "rkyv-impl", omit_bounds)] - pub(crate) r_poly_eval: BlsScalar, - // (Shifted) Evaluation of the permutation polynomial at `z * root of // unity` #[cfg_attr(feature = "rkyv-impl", omit_bounds)] pub(crate) z_eval: BlsScalar, } -// The struct ProofEvaluations has 16 BlsScalars -impl Serializable<{ 16 * BlsScalar::SIZE }> for ProofEvaluations { +// The struct ProofEvaluations has 15 BlsScalars +impl Serializable<{ 15 * BlsScalar::SIZE }> for ProofEvaluations { type Error = dusk_bytes::Error; #[allow(unused_must_use)] @@ -118,7 +106,6 @@ impl Serializable<{ 16 * BlsScalar::SIZE }> for ProofEvaluations { writer.write(&self.s_sigma_1_eval.to_bytes()); writer.write(&self.s_sigma_2_eval.to_bytes()); writer.write(&self.s_sigma_3_eval.to_bytes()); - writer.write(&self.r_poly_eval.to_bytes()); writer.write(&self.z_eval.to_bytes()); buf @@ -142,7 +129,6 @@ impl Serializable<{ 16 * BlsScalar::SIZE }> for ProofEvaluations { let s_sigma_1_eval = BlsScalar::from_reader(&mut buffer)?; let s_sigma_2_eval = BlsScalar::from_reader(&mut buffer)?; let s_sigma_3_eval = BlsScalar::from_reader(&mut buffer)?; - let r_poly_eval = BlsScalar::from_reader(&mut buffer)?; let z_eval = BlsScalar::from_reader(&mut buffer)?; Ok(ProofEvaluations { @@ -160,7 +146,6 @@ impl Serializable<{ 16 * BlsScalar::SIZE }> for ProofEvaluations { s_sigma_1_eval, s_sigma_2_eval, s_sigma_3_eval, - r_poly_eval, z_eval, }) } @@ -172,7 +157,6 @@ impl Serializable<{ 16 * BlsScalar::SIZE }> for ProofEvaluations { // TODO: Improve the method signature #[allow(clippy::type_complexity)] pub(crate) fn compute( - domain: &EvaluationDomain, prover_key: &ProverKey, ( alpha, @@ -193,32 +177,15 @@ pub(crate) fn compute( BlsScalar, BlsScalar, ), - a_w_poly: &Polynomial, - b_w_poly: &Polynomial, - d_w_poly: &Polynomial, - t_x_poly: &Polynomial, z_poly: &Polynomial, - a_eval: &BlsScalar, - b_eval: &BlsScalar, - c_eval: &BlsScalar, - d_eval: &BlsScalar, - s_sigma_1_eval: &BlsScalar, - s_sigma_2_eval: &BlsScalar, - s_sigma_3_eval: &BlsScalar, - z_eval: &BlsScalar, -) -> (Polynomial, Evaluations) { - // Compute evaluations - let t_eval = t_x_poly.evaluate(z_challenge); - - let q_arith_eval = prover_key.arithmetic.q_arith.0.evaluate(z_challenge); - let q_c_eval = prover_key.logic.q_c.0.evaluate(z_challenge); - let q_l_eval = prover_key.fixed_base.q_l.0.evaluate(z_challenge); - let q_r_eval = prover_key.fixed_base.q_r.0.evaluate(z_challenge); - - let a_next_eval = a_w_poly.evaluate(&(z_challenge * domain.group_gen)); - let b_next_eval = b_w_poly.evaluate(&(z_challenge * domain.group_gen)); - let d_next_eval = d_w_poly.evaluate(&(z_challenge * domain.group_gen)); - + evaluations: &ProofEvaluations, + domain: &EvaluationDomain, + t_low_poly: &Polynomial, + t_mid_poly: &Polynomial, + t_high_poly: &Polynomial, + t_4_poly: &Polynomial, + pub_inputs: &[BlsScalar], +) -> Polynomial { let f_1 = compute_circuit_satisfiability( ( range_separation_challenge, @@ -226,58 +193,55 @@ pub(crate) fn compute( fixed_base_separation_challenge, var_base_separation_challenge, ), - a_eval, - b_eval, - c_eval, - d_eval, - &a_next_eval, - &b_next_eval, - &d_next_eval, - &q_arith_eval, - &q_c_eval, - &q_l_eval, - &q_r_eval, + evaluations, prover_key, ); + let pi_eval = + proof::alloc::compute_barycentric_eval(pub_inputs, z_challenge, domain); + + let f_1 = &f_1 + &pi_eval; + let f_2 = prover_key.permutation.compute_linearization( z_challenge, (alpha, beta, gamma), - (&a_eval, &b_eval, &c_eval, &d_eval), - (&s_sigma_1_eval, &s_sigma_2_eval, &s_sigma_3_eval), - z_eval, + ( + &evaluations.a_eval, + &evaluations.b_eval, + &evaluations.c_eval, + &evaluations.d_eval, + ), + ( + &evaluations.s_sigma_1_eval, + &evaluations.s_sigma_2_eval, + &evaluations.s_sigma_3_eval, + ), + &evaluations.z_eval, z_poly, ); - let r_poly = &f_1 + &f_2; + let domain_size = domain.size(); - // Evaluate linearization polynomial at challenge `z` - let r_poly_eval = r_poly.evaluate(z_challenge); + let z_n = z_challenge.pow(&[domain_size as u64, 0, 0, 0]); + let z_two_n = z_challenge.pow(&[2 * domain_size as u64, 0, 0, 0]); + let z_three_n = z_challenge.pow(&[3 * domain_size as u64, 0, 0, 0]); - ( - r_poly, - Evaluations { - proof: ProofEvaluations { - a_eval: *a_eval, - b_eval: *b_eval, - c_eval: *c_eval, - d_eval: *d_eval, - a_next_eval, - b_next_eval, - d_next_eval, - q_arith_eval, - q_c_eval, - q_l_eval, - q_r_eval, - s_sigma_1_eval: *s_sigma_1_eval, - s_sigma_2_eval: *s_sigma_2_eval, - s_sigma_3_eval: *s_sigma_3_eval, - r_poly_eval, - z_eval: *z_eval, - }, - t_eval, - }, - ) + let a = t_low_poly; + let b = t_mid_poly * &z_n; + let c = t_high_poly * &z_two_n; + let d = t_4_poly * &z_three_n; + let abc = &(a + &b) + &c; + + let quot = &abc + &d; + + let z_h_eval = -domain.evaluate_vanishing_polynomial(z_challenge); + + let quot = " * &z_h_eval; + + let f = &f_1 + &f_2; + + // r_poly + &f + " } #[cfg(feature = "alloc")] @@ -288,72 +252,26 @@ fn compute_circuit_satisfiability( fixed_base_separation_challenge, var_base_separation_challenge, ): (&BlsScalar, &BlsScalar, &BlsScalar, &BlsScalar), - a_eval: &BlsScalar, - b_eval: &BlsScalar, - c_eval: &BlsScalar, - d_eval: &BlsScalar, - a_next_eval: &BlsScalar, - b_next_eval: &BlsScalar, - d_next_eval: &BlsScalar, - q_arith_eval: &BlsScalar, - q_c_eval: &BlsScalar, - q_l_eval: &BlsScalar, - q_r_eval: &BlsScalar, + evaluations: &ProofEvaluations, prover_key: &ProverKey, ) -> Polynomial { - let a = prover_key.arithmetic.compute_linearization( - a_eval, - b_eval, - c_eval, - d_eval, - q_arith_eval, - ); + let a = prover_key.arithmetic.compute_linearization(evaluations); - let b = prover_key.range.compute_linearization( - range_separation_challenge, - a_eval, - b_eval, - c_eval, - d_eval, - d_next_eval, - ); + let b = prover_key + .range + .compute_linearization(range_separation_challenge, evaluations); - let c = prover_key.logic.compute_linearization( - logic_separation_challenge, - a_eval, - a_next_eval, - b_eval, - b_next_eval, - c_eval, - d_eval, - d_next_eval, - q_c_eval, - ); + let c = prover_key + .logic + .compute_linearization(logic_separation_challenge, evaluations); - let d = prover_key.fixed_base.compute_linearization( - fixed_base_separation_challenge, - a_eval, - a_next_eval, - b_eval, - b_next_eval, - c_eval, - d_eval, - d_next_eval, - q_l_eval, - q_r_eval, - q_c_eval, - ); + let d = prover_key + .fixed_base + .compute_linearization(fixed_base_separation_challenge, evaluations); - let e = prover_key.variable_base.compute_linearization( - var_base_separation_challenge, - a_eval, - a_next_eval, - b_eval, - b_next_eval, - c_eval, - d_eval, - d_next_eval, - ); + let e = prover_key + .variable_base + .compute_linearization(var_base_separation_challenge, evaluations); let mut linearization_poly = &a + &b; linearization_poly += &c; diff --git a/src/proof_system/proof.rs b/src/proof_system/proof.rs index fd15b2de..10a39030 100644 --- a/src/proof_system/proof.rs +++ b/src/proof_system/proof.rs @@ -266,38 +266,7 @@ pub(crate) mod alloc { transcript.append_scalar(b"z_eval", &self.evaluations.z_eval); - let v_challenge = transcript.challenge_scalar(b"v_challenge"); - - // Compute zero polynomial evaluated at challenge `z` - let z_h_eval = domain.evaluate_vanishing_polynomial(&z_challenge); - - // Compute first lagrange polynomial evaluated at challenge `z` - let l1_eval = compute_first_lagrange_evaluation( - &domain, - &z_h_eval, - &z_challenge, - ); - - // Compute quotient polynomial evaluated at challenge `z` - let t_eval = self.compute_quotient_evaluation( - &domain, - pub_inputs, - &alpha, - &beta, - &gamma, - &z_challenge, - &z_h_eval, - &l1_eval, - &self.evaluations.z_eval, - ); - - // Compute commitment to quotient polynomial - // This method is necessary as we pass the `un-splitted` variation - // to our commitment scheme - let t_comm = - self.compute_quotient_commitment(&z_challenge, domain.size()); - - // Add evaluations to transcript + // Add extra evaluations to transcript transcript .append_scalar(b"a_next_eval", &self.evaluations.a_next_eval); transcript @@ -309,8 +278,18 @@ pub(crate) mod alloc { transcript.append_scalar(b"q_c_eval", &self.evaluations.q_c_eval); transcript.append_scalar(b"q_l_eval", &self.evaluations.q_l_eval); transcript.append_scalar(b"q_r_eval", &self.evaluations.q_r_eval); - transcript.append_scalar(b"t_eval", &t_eval); - transcript.append_scalar(b"r_eval", &self.evaluations.r_poly_eval); + + let v_challenge = transcript.challenge_scalar(b"v_challenge"); + + // Compute zero polynomial evaluated at challenge `z` + let z_h_eval = domain.evaluate_vanishing_polynomial(&z_challenge); + + // Compute first lagrange polynomial evaluated at challenge `z` + let l1_eval = compute_first_lagrange_evaluation( + &domain, + &z_h_eval, + &z_challenge, + ); // Compute linearization commitment let r_comm = self.compute_linearization_commitment( @@ -326,8 +305,27 @@ pub(crate) mod alloc { &z_challenge, l1_eval, verifier_key, + &domain, ); + let pi_eval = + compute_barycentric_eval(pub_inputs, &z_challenge, &domain); + + let r_0_eval = pi_eval + - l1_eval * alpha.square() + - alpha + * (self.evaluations.a_eval + + beta * self.evaluations.s_sigma_1_eval + + gamma) + * (self.evaluations.b_eval + + beta * self.evaluations.s_sigma_2_eval + + gamma) + * (self.evaluations.c_eval + + beta * self.evaluations.s_sigma_3_eval + + gamma) + * (self.evaluations.d_eval + gamma) + * self.evaluations.z_eval; + // Commitment Scheme // Now we delegate computation to the commitment scheme by batch // checking two proofs The `AggregateProof`, which is a @@ -340,8 +338,7 @@ pub(crate) mod alloc { // let mut aggregate_proof = AggregateProof::with_witness(self.w_z_chall_comm); - aggregate_proof.add_part((t_eval, t_comm)); - aggregate_proof.add_part((self.evaluations.r_poly_eval, r_comm)); + aggregate_proof.add_part((-r_0_eval, r_comm)); aggregate_proof.add_part((self.evaluations.a_eval, self.a_comm)); aggregate_proof.add_part((self.evaluations.b_eval, self.b_comm)); aggregate_proof.add_part((self.evaluations.c_eval, self.c_comm)); @@ -397,71 +394,6 @@ pub(crate) mod alloc { Ok(()) } - #[allow(clippy::too_many_arguments)] - fn compute_quotient_evaluation( - &self, - domain: &EvaluationDomain, - pub_inputs: &[BlsScalar], - alpha: &BlsScalar, - beta: &BlsScalar, - gamma: &BlsScalar, - z_challenge: &BlsScalar, - z_h_eval: &BlsScalar, - l1_eval: &BlsScalar, - z_hat_eval: &BlsScalar, - ) -> BlsScalar { - // Compute the public input polynomial evaluated at challenge `z` - let pi_eval = - compute_barycentric_eval(pub_inputs, z_challenge, domain); - - // Compute powers of alpha_0 - let alpha_sq = alpha.square(); - - // r + PI(z) - let a = self.evaluations.r_poly_eval + pi_eval; - - // a + beta * sigma_1 + gamma - let beta_sig1 = beta * self.evaluations.s_sigma_1_eval; - let b_0 = self.evaluations.a_eval + beta_sig1 + gamma; - - // b + beta * sigma_2 + gamma - let beta_sig2 = beta * self.evaluations.s_sigma_2_eval; - let b_1 = self.evaluations.b_eval + beta_sig2 + gamma; - - // o + beta * sigma_3 + gamma - let beta_sig3 = beta * self.evaluations.s_sigma_3_eval; - let b_2 = self.evaluations.c_eval + beta_sig3 + gamma; - - // ((d + gamma) * z_hat) * alpha_0 - let b_3 = (self.evaluations.d_eval + gamma) * z_hat_eval * alpha; - - let b = b_0 * b_1 * b_2 * b_3; - - // l_1(z) * alpha_0^2 - let c = l1_eval * alpha_sq; - - // Return t_eval - ( - a - b - c - //+ d - ) * z_h_eval.invert().unwrap() - } - - fn compute_quotient_commitment( - &self, - z_challenge: &BlsScalar, - n: usize, - ) -> Commitment { - let z_n = z_challenge.pow(&[n as u64, 0, 0, 0]); - let z_two_n = z_challenge.pow(&[2 * n as u64, 0, 0, 0]); - let z_three_n = z_challenge.pow(&[3 * n as u64, 0, 0, 0]); - let t_comm = self.t_low_comm.0 - + self.t_mid_comm.0 * z_n - + self.t_high_comm.0 * z_two_n - + self.t_4_comm.0 * z_three_n; - Commitment::from(t_comm) - } - // Commitment to [r]_1 #[allow(clippy::too_many_arguments)] fn compute_linearization_commitment( @@ -478,6 +410,7 @@ pub(crate) mod alloc { z_challenge: &BlsScalar, l1_eval: BlsScalar, verifier_key: &VerifierKey, + domain: &EvaluationDomain, ) -> Commitment { let mut scalars: Vec<_> = Vec::with_capacity(6); let mut points: Vec = Vec::with_capacity(6); @@ -526,6 +459,28 @@ pub(crate) mod alloc { self.z_comm.0, ); + let domain_size = domain.size(); + let z_h_eval = -domain.evaluate_vanishing_polynomial(z_challenge); + + let z_n = + z_challenge.pow(&[domain_size as u64, 0, 0, 0]) * z_h_eval; + let z_two_n = + z_challenge.pow(&[2 * domain_size as u64, 0, 0, 0]) * z_h_eval; + let z_three_n = + z_challenge.pow(&[3 * domain_size as u64, 0, 0, 0]) * z_h_eval; + + scalars.push(z_h_eval); + points.push(self.t_low_comm.0); + + scalars.push(z_n); + points.push(self.t_mid_comm.0); + + scalars.push(z_two_n); + points.push(self.t_high_comm.0); + + scalars.push(z_three_n); + points.push(self.t_4_comm.0); + Commitment::from(msm_variable_base(&points, &scalars)) } } @@ -540,7 +495,7 @@ pub(crate) mod alloc { z_h_eval * denom.invert().unwrap() } - fn compute_barycentric_eval( + pub(crate) fn compute_barycentric_eval( evaluations: &[BlsScalar], point: &BlsScalar, domain: &EvaluationDomain, @@ -631,7 +586,6 @@ mod proof_tests { s_sigma_1_eval: BlsScalar::random(&mut OsRng), s_sigma_2_eval: BlsScalar::random(&mut OsRng), s_sigma_3_eval: BlsScalar::random(&mut OsRng), - r_poly_eval: BlsScalar::random(&mut OsRng), z_eval: BlsScalar::random(&mut OsRng), }, }; diff --git a/src/proof_system/widget/arithmetic/proverkey.rs b/src/proof_system/widget/arithmetic/proverkey.rs index da573311..1a964303 100644 --- a/src/proof_system/widget/arithmetic/proverkey.rs +++ b/src/proof_system/widget/arithmetic/proverkey.rs @@ -5,6 +5,7 @@ // Copyright (c) DUSK NETWORK. All rights reserved. use crate::fft::{Evaluations, Polynomial}; +use crate::proof_system::linearization_poly::ProofEvaluations; use dusk_bls12_381::BlsScalar; #[cfg(feature = "rkyv-impl")] @@ -70,11 +71,7 @@ impl ProverKey { pub(crate) fn compute_linearization( &self, - a_eval: &BlsScalar, - b_eval: &BlsScalar, - c_eval: &BlsScalar, - d_eval: &BlsScalar, - q_arith_eval: &BlsScalar, + evaluations: &ProofEvaluations, ) -> Polynomial { let q_m_poly = &self.q_m.0; let q_l_poly = &self.q_l.0; @@ -87,27 +84,27 @@ impl ProverKey { // * q_o + d_eval * q_4 + q_c) * q_arith_eval // // a_eval * b_eval * q_m_poly - let ab = a_eval * b_eval; + let ab = evaluations.a_eval * evaluations.b_eval; let a_0 = q_m_poly * &ab; // a_eval * q_l - let a_1 = q_l_poly * a_eval; + let a_1 = q_l_poly * &evaluations.a_eval; // b_eval * q_r - let a_2 = q_r_poly * b_eval; + let a_2 = q_r_poly * &evaluations.b_eval; //c_eval * q_o - let a_3 = q_o_poly * c_eval; + let a_3 = q_o_poly * &evaluations.c_eval; // d_eval * q_4 - let a_4 = q_4_poly * d_eval; + let a_4 = q_4_poly * &evaluations.d_eval; let mut a = &a_0 + &a_1; a = &a + &a_2; a = &a + &a_3; a = &a + &a_4; a = &a + q_c_poly; - a = &a * q_arith_eval; + a = &a * &evaluations.q_arith_eval; a } diff --git a/src/proof_system/widget/ecc/curve_addition/proverkey.rs b/src/proof_system/widget/ecc/curve_addition/proverkey.rs index e1ded404..c23ce1a1 100644 --- a/src/proof_system/widget/ecc/curve_addition/proverkey.rs +++ b/src/proof_system/widget/ecc/curve_addition/proverkey.rs @@ -5,6 +5,7 @@ // Copyright (c) DUSK NETWORK. All rights reserved. use crate::fft::{Evaluations, Polynomial}; +use crate::proof_system::linearization_poly::ProofEvaluations; use dusk_bls12_381::BlsScalar; use dusk_jubjub::EDWARDS_D; @@ -80,25 +81,19 @@ impl ProverKey { pub(crate) fn compute_linearization( &self, curve_add_separation_challenge: &BlsScalar, - a_eval: &BlsScalar, - a_next_eval: &BlsScalar, - b_eval: &BlsScalar, - b_next_eval: &BlsScalar, - c_eval: &BlsScalar, - d_eval: &BlsScalar, - d_next_eval: &BlsScalar, + evaluations: &ProofEvaluations, ) -> Polynomial { let q_variable_group_add_poly = &self.q_variable_group_add.0; let kappa = curve_add_separation_challenge.square(); - let x_1 = a_eval; - let x_3 = a_next_eval; - let y_1 = b_eval; - let y_3 = b_next_eval; - let x_2 = c_eval; - let y_2 = d_eval; - let x1_y2 = d_next_eval; + let x_1 = evaluations.a_eval; + let x_3 = evaluations.a_next_eval; + let y_1 = evaluations.b_eval; + let y_3 = evaluations.b_next_eval; + let x_2 = evaluations.c_eval; + let y_2 = evaluations.d_eval; + let x1_y2 = evaluations.d_next_eval; // Checks // diff --git a/src/proof_system/widget/ecc/scalar_mul/fixed_base/proverkey.rs b/src/proof_system/widget/ecc/scalar_mul/fixed_base/proverkey.rs index 30f0d734..93cf85a5 100644 --- a/src/proof_system/widget/ecc/scalar_mul/fixed_base/proverkey.rs +++ b/src/proof_system/widget/ecc/scalar_mul/fixed_base/proverkey.rs @@ -5,6 +5,7 @@ // Copyright (c) DUSK NETWORK. All rights reserved. use crate::fft::{Evaluations, Polynomial}; +use crate::proof_system::linearization_poly::ProofEvaluations; use dusk_bls12_381::BlsScalar; use dusk_jubjub::EDWARDS_D; @@ -104,16 +105,7 @@ impl ProverKey { pub(crate) fn compute_linearization( &self, ecc_separation_challenge: &BlsScalar, - a_eval: &BlsScalar, - a_next_eval: &BlsScalar, - b_eval: &BlsScalar, - b_next_eval: &BlsScalar, - c_eval: &BlsScalar, - d_eval: &BlsScalar, - d_next_eval: &BlsScalar, - q_l_eval: &BlsScalar, - q_r_eval: &BlsScalar, - q_c_eval: &BlsScalar, + evaluations: &ProofEvaluations, ) -> Polynomial { let q_fixed_group_add_poly = &self.q_fixed_group_add.0; @@ -121,19 +113,19 @@ impl ProverKey { let kappa_sq = kappa.square(); let kappa_cu = kappa_sq * kappa; - let x_beta_eval = q_l_eval; - let y_beta_eval = q_r_eval; + let x_beta_eval = evaluations.q_l_eval; + let y_beta_eval = evaluations.q_r_eval; - let acc_x = a_eval; - let acc_x_next = a_next_eval; - let acc_y = b_eval; - let acc_y_next = b_next_eval; + let acc_x = evaluations.a_eval; + let acc_x_next = evaluations.a_next_eval; + let acc_y = evaluations.b_eval; + let acc_y_next = evaluations.b_next_eval; - let xy_alpha = c_eval; + let xy_alpha = evaluations.c_eval; - let accumulated_bit = d_eval; - let accumulated_bit_next = d_next_eval; - let bit = extract_bit(accumulated_bit, accumulated_bit_next); + let accumulated_bit = evaluations.d_eval; + let accumulated_bit_next = evaluations.d_next_eval; + let bit = extract_bit(&accumulated_bit, &accumulated_bit_next); // Check bit consistency let bit_consistency = check_bit_consistency(bit); @@ -144,7 +136,7 @@ impl ProverKey { let x_alpha = x_beta_eval * bit; // xy_alpha consistency check - let xy_consistency = ((bit * q_c_eval) - xy_alpha) * kappa; + let xy_consistency = ((bit * evaluations.q_c_eval) - xy_alpha) * kappa; // x accumulator consistency check let x_3 = acc_x_next; diff --git a/src/proof_system/widget/logic/proverkey.rs b/src/proof_system/widget/logic/proverkey.rs index 4a77070c..38973517 100644 --- a/src/proof_system/widget/logic/proverkey.rs +++ b/src/proof_system/widget/logic/proverkey.rs @@ -5,6 +5,7 @@ // Copyright (c) DUSK NETWORK. All rights reserved. use crate::fft::{Evaluations, Polynomial}; +use crate::proof_system::linearization_poly::ProofEvaluations; use dusk_bls12_381::BlsScalar; @@ -73,14 +74,7 @@ impl ProverKey { pub(crate) fn compute_linearization( &self, logic_separation_challenge: &BlsScalar, - a_eval: &BlsScalar, - a_next_eval: &BlsScalar, - b_eval: &BlsScalar, - b_next_eval: &BlsScalar, - c_eval: &BlsScalar, - d_eval: &BlsScalar, - d_next_eval: &BlsScalar, - q_c_eval: &BlsScalar, + evaluations: &ProofEvaluations, ) -> Polynomial { let four = BlsScalar::from(4); let q_logic_poly = &self.q_logic.0; @@ -90,19 +84,20 @@ impl ProverKey { let kappa_cu = kappa_sq * kappa; let kappa_qu = kappa_cu * kappa; - let a = a_next_eval - four * a_eval; + let a = evaluations.a_next_eval - four * evaluations.a_eval; let o_0 = delta(a); - let b = b_next_eval - four * b_eval; + let b = evaluations.b_next_eval - four * evaluations.b_eval; let o_1 = delta(b) * kappa; - let d = d_next_eval - four * d_eval; + let d = evaluations.d_next_eval - four * evaluations.d_eval; let o_2 = delta(d) * kappa_sq; - let w = c_eval; + let w = evaluations.c_eval; let o_3 = (w - a * b) * kappa_cu; - let o_4 = delta_xor_and(&a, &b, w, &d, q_c_eval) * kappa_qu; + let o_4 = + delta_xor_and(&a, &b, &w, &d, &evaluations.q_c_eval) * kappa_qu; let t = (o_0 + o_1 + o_2 + o_3 + o_4) * logic_separation_challenge; diff --git a/src/proof_system/widget/range/proverkey.rs b/src/proof_system/widget/range/proverkey.rs index d3f6f8fd..507d8bf4 100644 --- a/src/proof_system/widget/range/proverkey.rs +++ b/src/proof_system/widget/range/proverkey.rs @@ -5,6 +5,7 @@ // Copyright (c) DUSK NETWORK. All rights reserved. use crate::fft::{Evaluations, Polynomial}; +use crate::proof_system::linearization_poly::ProofEvaluations; use dusk_bls12_381::BlsScalar; #[cfg(feature = "rkyv-impl")] @@ -58,11 +59,7 @@ impl ProverKey { pub(crate) fn compute_linearization( &self, range_separation_challenge: &BlsScalar, - a_eval: &BlsScalar, - b_eval: &BlsScalar, - c_eval: &BlsScalar, - d_eval: &BlsScalar, - d_next_eval: &BlsScalar, + evaluations: &ProofEvaluations, ) -> Polynomial { let four = BlsScalar::from(4); let q_range_poly = &self.q_range.0; @@ -74,10 +71,12 @@ impl ProverKey { // Delta([c_eval - 4 * d_eval]) + Delta([b_eval - 4 * c_eval]) + // Delta([a_eval - 4 * b_eval]) + Delta([d_next_eval - 4 * a_eval]) * // Q_Range(X) - let b_1 = delta(c_eval - four * d_eval); - let b_2 = delta(b_eval - four * c_eval) * kappa; - let b_3 = delta(a_eval - four * b_eval) * kappa_sq; - let b_4 = delta(d_next_eval - four * a_eval) * kappa_cu; + let b_1 = delta(evaluations.c_eval - four * evaluations.d_eval); + let b_2 = delta(evaluations.b_eval - four * evaluations.c_eval) * kappa; + let b_3 = + delta(evaluations.a_eval - four * evaluations.b_eval) * kappa_sq; + let b_4 = delta(evaluations.d_next_eval - four * evaluations.a_eval) + * kappa_cu; let t = (b_1 + b_2 + b_3 + b_4) * range_separation_challenge;