diff --git a/src/compiler.rs b/src/compiler.rs index 8dbfe431..e1dacf26 100644 --- a/src/compiler.rs +++ b/src/compiler.rs @@ -108,7 +108,7 @@ impl Compiler { let mut q_l = vec![BlsScalar::zero(); size]; let mut q_r = vec![BlsScalar::zero(); size]; let mut q_o = vec![BlsScalar::zero(); size]; - let mut q_4 = vec![BlsScalar::zero(); size]; + let mut q_f = vec![BlsScalar::zero(); size]; let mut q_c = vec![BlsScalar::zero(); size]; let mut q_arith = vec![BlsScalar::zero(); size]; let mut q_range = vec![BlsScalar::zero(); size]; @@ -116,25 +116,29 @@ impl Compiler { let mut q_fixed_group_add = vec![BlsScalar::zero(); size]; let mut q_variable_group_add = vec![BlsScalar::zero(); size]; - prover.constraints.iter().enumerate().for_each(|(i, c)| { - q_m[i] = c.q_m; - q_l[i] = c.q_l; - q_r[i] = c.q_r; - q_o[i] = c.q_o; - q_4[i] = c.q_4; - q_c[i] = c.q_c; - q_arith[i] = c.q_arith; - q_range[i] = c.q_range; - q_logic[i] = c.q_logic; - q_fixed_group_add[i] = c.q_fixed_group_add; - q_variable_group_add[i] = c.q_variable_group_add; - }); + prover + .constraints + .iter() + .enumerate() + .for_each(|(i, constraint)| { + q_m[i] = constraint.q_m; + q_l[i] = constraint.q_l; + q_r[i] = constraint.q_r; + q_o[i] = constraint.q_o; + q_f[i] = constraint.q_f; + q_c[i] = constraint.q_c; + q_arith[i] = constraint.q_arith; + q_range[i] = constraint.q_range; + q_logic[i] = constraint.q_logic; + q_fixed_group_add[i] = constraint.q_fixed_group_add; + q_variable_group_add[i] = constraint.q_variable_group_add; + }); let q_m_poly = domain.ifft(&q_m); let q_l_poly = domain.ifft(&q_l); let q_r_poly = domain.ifft(&q_r); let q_o_poly = domain.ifft(&q_o); - let q_4_poly = domain.ifft(&q_4); + let q_f_poly = domain.ifft(&q_f); let q_c_poly = domain.ifft(&q_c); let q_arith_poly = domain.ifft(&q_arith); let q_range_poly = domain.ifft(&q_range); @@ -146,7 +150,7 @@ impl Compiler { let q_l_poly = Polynomial::from_coefficients_vec(q_l_poly); let q_r_poly = Polynomial::from_coefficients_vec(q_r_poly); let q_o_poly = Polynomial::from_coefficients_vec(q_o_poly); - let q_4_poly = Polynomial::from_coefficients_vec(q_4_poly); + let q_f_poly = Polynomial::from_coefficients_vec(q_f_poly); let q_c_poly = Polynomial::from_coefficients_vec(q_c_poly); let q_arith_poly = Polynomial::from_coefficients_vec(q_arith_poly); let q_range_poly = Polynomial::from_coefficients_vec(q_range_poly); @@ -160,72 +164,69 @@ impl Compiler { let [s_sigma_1_poly, s_sigma_2_poly, s_sigma_3_poly, s_sigma_4_poly] = perm.compute_sigma_polynomials(size, &domain); - let q_m_poly_commit = commit_key.commit(&q_m_poly).unwrap_or_default(); - let q_l_poly_commit = commit_key.commit(&q_l_poly).unwrap_or_default(); - let q_r_poly_commit = commit_key.commit(&q_r_poly).unwrap_or_default(); - let q_o_poly_commit = commit_key.commit(&q_o_poly).unwrap_or_default(); - let q_4_poly_commit = commit_key.commit(&q_4_poly).unwrap_or_default(); - let q_c_poly_commit = commit_key.commit(&q_c_poly).unwrap_or_default(); - let q_arith_poly_commit = - commit_key.commit(&q_arith_poly).unwrap_or_default(); - let q_range_poly_commit = - commit_key.commit(&q_range_poly).unwrap_or_default(); - let q_logic_poly_commit = - commit_key.commit(&q_logic_poly).unwrap_or_default(); - let q_fixed_group_add_poly_commit = commit_key + let q_m_comm = commit_key.commit(&q_m_poly).unwrap_or_default(); + let q_l_comm = commit_key.commit(&q_l_poly).unwrap_or_default(); + let q_r_comm = commit_key.commit(&q_r_poly).unwrap_or_default(); + let q_o_comm = commit_key.commit(&q_o_poly).unwrap_or_default(); + let q_f_comm = commit_key.commit(&q_f_poly).unwrap_or_default(); + let q_c_comm = commit_key.commit(&q_c_poly).unwrap_or_default(); + let q_arith_comm = commit_key.commit(&q_arith_poly).unwrap_or_default(); + let q_range_comm = commit_key.commit(&q_range_poly).unwrap_or_default(); + let q_logic_comm = commit_key.commit(&q_logic_poly).unwrap_or_default(); + let q_fixed_group_add_comm = commit_key .commit(&q_fixed_group_add_poly) .unwrap_or_default(); - let q_variable_group_add_poly_commit = commit_key + let q_variable_group_add_comm = commit_key .commit(&q_variable_group_add_poly) .unwrap_or_default(); - let s_sigma_1_poly_commit = commit_key.commit(&s_sigma_1_poly)?; - let s_sigma_2_poly_commit = commit_key.commit(&s_sigma_2_poly)?; - let s_sigma_3_poly_commit = commit_key.commit(&s_sigma_3_poly)?; - let s_sigma_4_poly_commit = commit_key.commit(&s_sigma_4_poly)?; + let s_sigma_1_comm = commit_key.commit(&s_sigma_1_poly)?; + let s_sigma_2_comm = commit_key.commit(&s_sigma_2_poly)?; + let s_sigma_3_comm = commit_key.commit(&s_sigma_3_poly)?; + let s_sigma_4_comm = commit_key.commit(&s_sigma_4_poly)?; // verifier Key for arithmetic circuits let arithmetic_verifier_key = widget::arithmetic::VerifierKey { - q_m: q_m_poly_commit, - q_l: q_l_poly_commit, - q_r: q_r_poly_commit, - q_o: q_o_poly_commit, - q_4: q_4_poly_commit, - q_c: q_c_poly_commit, - q_arith: q_arith_poly_commit, + q_m: q_m_comm, + q_l: q_l_comm, + q_r: q_r_comm, + q_o: q_o_comm, + q_f: q_f_comm, + q_c: q_c_comm, + q_arith: q_arith_comm, }; // verifier Key for range circuits let range_verifier_key = widget::range::VerifierKey { - q_range: q_range_poly_commit, + q_range: q_range_comm, }; // verifier Key for logic circuits let logic_verifier_key = widget::logic::VerifierKey { - q_c: q_c_poly_commit, - q_logic: q_logic_poly_commit, + q_c: q_c_comm, + q_logic: q_logic_comm, }; // verifier Key for ecc circuits let ecc_verifier_key = widget::ecc::scalar_mul::fixed_base::VerifierKey { - q_l: q_l_poly_commit, - q_r: q_r_poly_commit, - q_fixed_group_add: q_fixed_group_add_poly_commit, + q_l: q_l_comm, + q_r: q_r_comm, + q_fixed_group_add: q_fixed_group_add_comm, }; // verifier Key for curve addition circuits let curve_addition_verifier_key = widget::ecc::curve_addition::VerifierKey { - q_variable_group_add: q_variable_group_add_poly_commit, + q_variable_group_add: q_variable_group_add_comm, }; // verifier Key for permutation argument let permutation_verifier_key = widget::permutation::VerifierKey { - s_sigma_1: s_sigma_1_poly_commit, - s_sigma_2: s_sigma_2_poly_commit, - s_sigma_3: s_sigma_3_poly_commit, - s_sigma_4: s_sigma_4_poly_commit, + s_sigma_1: s_sigma_1_comm, + s_sigma_2: s_sigma_2_comm, + s_sigma_3: s_sigma_3_comm, + s_sigma_4: s_sigma_4_comm, }; let verifier_key = widget::VerifierKey { @@ -243,7 +244,7 @@ impl Compiler { q_l: q_l_poly, q_r: q_r_poly, q_o: q_o_poly, - q_4: q_4_poly, + q_f: q_f_poly, q_c: q_c_poly, q_arith: q_arith_poly, q_range: q_range_poly, @@ -282,8 +283,8 @@ impl Compiler { domain_8n.coset_fft(&selectors.q_c), domain_8n, ); - let q_4_eval_8n = Evaluations::from_vec_and_domain( - domain_8n.coset_fft(&selectors.q_4), + let q_f_eval_8n = Evaluations::from_vec_and_domain( + domain_8n.coset_fft(&selectors.q_f), domain_8n, ); let q_arith_eval_8n = Evaluations::from_vec_and_domain( @@ -334,7 +335,7 @@ impl Compiler { q_l: (selectors.q_l.clone(), q_l_eval_8n.clone()), q_r: (selectors.q_r.clone(), q_r_eval_8n.clone()), q_o: (selectors.q_o, q_o_eval_8n), - q_4: (selectors.q_4, q_4_eval_8n), + q_f: (selectors.q_f, q_f_eval_8n), q_c: (selectors.q_c.clone(), q_c_eval_8n.clone()), q_arith: (selectors.q_arith, q_arith_eval_8n), }; diff --git a/src/compiler/prover.rs b/src/compiler/prover.rs index 68bf956b..42e665f9 100644 --- a/src/compiler/prover.rs +++ b/src/compiler/prover.rs @@ -254,35 +254,39 @@ impl Prover { // round 1 // convert wires to padded scalars - let mut a_w_scalar = vec![BlsScalar::zero(); size]; - let mut b_w_scalar = vec![BlsScalar::zero(); size]; - let mut c_w_scalar = vec![BlsScalar::zero(); size]; - let mut d_w_scalar = vec![BlsScalar::zero(); size]; - - prover.constraints.iter().enumerate().for_each(|(i, c)| { - a_w_scalar[i] = prover[c.w_a]; - b_w_scalar[i] = prover[c.w_b]; - c_w_scalar[i] = prover[c.w_o]; - d_w_scalar[i] = prover[c.w_d]; - }); - - let a_w_poly = Self::blind_poly(rng, &a_w_scalar, 1, &domain); - let b_w_poly = Self::blind_poly(rng, &b_w_scalar, 1, &domain); - let c_w_poly = Self::blind_poly(rng, &c_w_scalar, 1, &domain); - let d_w_poly = Self::blind_poly(rng, &d_w_scalar, 1, &domain); + let mut a_scalars = vec![BlsScalar::zero(); size]; + let mut b_scalars = vec![BlsScalar::zero(); size]; + let mut c_scalars = vec![BlsScalar::zero(); size]; + let mut d_scalars = vec![BlsScalar::zero(); size]; + + prover + .constraints + .iter() + .enumerate() + .for_each(|(i, constraint)| { + a_scalars[i] = prover[constraint.a]; + b_scalars[i] = prover[constraint.b]; + c_scalars[i] = prover[constraint.c]; + d_scalars[i] = prover[constraint.d]; + }); + + let a_poly = Self::blind_poly(rng, &a_scalars, 1, &domain); + let b_poly = Self::blind_poly(rng, &b_scalars, 1, &domain); + let c_poly = Self::blind_poly(rng, &c_scalars, 1, &domain); + let d_poly = Self::blind_poly(rng, &d_scalars, 1, &domain); // commit to wire polynomials // ([a(x)]_1, [b(x)]_1, [c(x)]_1, [d(x)]_1) - let a_w_poly_commit = self.commit_key.commit(&a_w_poly)?; - let b_w_poly_commit = self.commit_key.commit(&b_w_poly)?; - let c_w_poly_commit = self.commit_key.commit(&c_w_poly)?; - let d_w_poly_commit = self.commit_key.commit(&d_w_poly)?; + let a_comm = self.commit_key.commit(&a_poly)?; + let b_comm = self.commit_key.commit(&b_poly)?; + let c_comm = self.commit_key.commit(&c_poly)?; + let d_comm = self.commit_key.commit(&d_poly)?; // Add wire polynomial commitments to transcript - transcript.append_commitment(b"a_w", &a_w_poly_commit); - transcript.append_commitment(b"b_w", &b_w_poly_commit); - transcript.append_commitment(b"c_w", &c_w_poly_commit); - transcript.append_commitment(b"d_w", &d_w_poly_commit); + transcript.append_commitment(b"a_comm", &a_comm); + transcript.append_commitment(b"b_comm", &b_comm); + transcript.append_commitment(b"c_comm", &c_comm); + transcript.append_commitment(b"d_comm", &d_comm); // round 2 // permutation challenges @@ -297,18 +301,18 @@ impl Prover { &self.prover_key.permutation.s_sigma_4.0, ]; let wires = [ - a_w_scalar.as_slice(), - b_w_scalar.as_slice(), - c_w_scalar.as_slice(), - d_w_scalar.as_slice(), + a_scalars.as_slice(), + b_scalars.as_slice(), + c_scalars.as_slice(), + d_scalars.as_slice(), ]; let permutation = prover .perm .compute_permutation_vec(&domain, wires, &beta, &gamma, sigma); let z_poly = Self::blind_poly(rng, &permutation, 2, &domain); - let z_poly_commit = self.commit_key.commit(&z_poly)?; - transcript.append_commitment(b"z", &z_poly_commit); + let z_comm = self.commit_key.commit(&z_poly)?; + transcript.append_commitment(b"z_comm", &z_comm); // round 3 // compute quotient challenge alpha @@ -327,7 +331,7 @@ impl Prover { let pi_poly = Polynomial::from_coefficients_vec(pi_poly); // compute quotient polynomial - let wires = (&a_w_poly, &b_w_poly, &c_w_poly, &d_w_poly); + let wires = (&a_poly, &b_poly, &c_poly, &d_poly); let args = &( alpha, beta, @@ -352,7 +356,7 @@ impl Prover { let mut t_low_vec = t_poly[0..domain_size].to_vec(); let mut t_mid_vec = t_poly[domain_size..2 * domain_size].to_vec(); let mut t_high_vec = t_poly[2 * domain_size..3 * domain_size].to_vec(); - let mut t_4_vec = t_poly[3 * domain_size..].to_vec(); + let mut t_fourth_vec = t_poly[3 * domain_size..].to_vec(); // select 3 blinding factors for the quotient splitted polynomials let b_10 = BlsScalar::random(&mut *rng); @@ -370,35 +374,35 @@ impl Prover { t_high_vec[0] -= b_11; t_high_vec.push(b_12); - // t_4'(X) - b_12 - t_4_vec[0] -= b_12; + // t_fourth'(X) - b_12 + t_fourth_vec[0] -= b_12; let t_low_poly = Polynomial::from_coefficients_vec(t_low_vec); let t_mid_poly = Polynomial::from_coefficients_vec(t_mid_vec); let t_high_poly = Polynomial::from_coefficients_vec(t_high_vec); - let t_4_poly = Polynomial::from_coefficients_vec(t_4_vec); + let t_fourth_poly = Polynomial::from_coefficients_vec(t_fourth_vec); // commit to split quotient polynomial - let t_low_commit = self.commit_key.commit(&t_low_poly)?; - let t_mid_commit = self.commit_key.commit(&t_mid_poly)?; - let t_high_commit = self.commit_key.commit(&t_high_poly)?; - let t_4_commit = self.commit_key.commit(&t_4_poly)?; + let t_low_comm = self.commit_key.commit(&t_low_poly)?; + let t_mid_comm = self.commit_key.commit(&t_mid_poly)?; + let t_high_comm = self.commit_key.commit(&t_high_poly)?; + let t_fourth_comm = self.commit_key.commit(&t_fourth_poly)?; // add quotient polynomial commitments to transcript - transcript.append_commitment(b"t_low", &t_low_commit); - transcript.append_commitment(b"t_mid", &t_mid_commit); - transcript.append_commitment(b"t_high", &t_high_commit); - transcript.append_commitment(b"t_4", &t_4_commit); + transcript.append_commitment(b"t_low_comm", &t_low_comm); + transcript.append_commitment(b"t_mid_comm", &t_mid_comm); + transcript.append_commitment(b"t_high_comm", &t_high_comm); + transcript.append_commitment(b"t_fourth_comm", &t_fourth_comm); // round 4 // compute evaluation challenge 'z' let z_challenge = transcript.challenge_scalar(b"z_challenge"); // compute opening evaluations - let a_eval = a_w_poly.evaluate(&z_challenge); - let b_eval = b_w_poly.evaluate(&z_challenge); - let c_eval = c_w_poly.evaluate(&z_challenge); - let d_eval = d_w_poly.evaluate(&z_challenge); + let a_eval = a_poly.evaluate(&z_challenge); + let b_eval = b_poly.evaluate(&z_challenge); + let c_eval = c_poly.evaluate(&z_challenge); + let d_eval = d_poly.evaluate(&z_challenge); let s_sigma_1_eval = self .prover_key @@ -433,10 +437,10 @@ impl Prover { transcript.append_scalar(b"z_eval", &z_eval); - // Compute extra evaluations - let a_next_eval = a_w_poly.evaluate(&(z_challenge * domain.group_gen)); - let b_next_eval = b_w_poly.evaluate(&(z_challenge * domain.group_gen)); - let d_next_eval = d_w_poly.evaluate(&(z_challenge * domain.group_gen)); + // Compute shifted evaluations + let a_w_eval = a_poly.evaluate(&(z_challenge * domain.group_gen)); + let b_w_eval = b_poly.evaluate(&(z_challenge * domain.group_gen)); + let d_w_eval = d_poly.evaluate(&(z_challenge * domain.group_gen)); let q_arith_eval = self.prover_key.arithmetic.q_arith.0.evaluate(&z_challenge); @@ -445,9 +449,9 @@ impl Prover { let q_r_eval = self.prover_key.fixed_base.q_r.0.evaluate(&z_challenge); // add extra evaluations to transcript. - transcript.append_scalar(b"a_next_eval", &a_next_eval); - transcript.append_scalar(b"b_next_eval", &b_next_eval); - transcript.append_scalar(b"d_next_eval", &d_next_eval); + transcript.append_scalar(b"a_w_eval", &a_w_eval); + transcript.append_scalar(b"b_w_eval", &b_w_eval); + transcript.append_scalar(b"d_w_eval", &d_w_eval); transcript.append_scalar(b"q_arith_eval", &q_arith_eval); transcript.append_scalar(b"q_c_eval", &q_c_eval); transcript.append_scalar(b"q_l_eval", &q_l_eval); @@ -458,9 +462,9 @@ impl Prover { b_eval, c_eval, d_eval, - a_next_eval, - b_next_eval, - d_next_eval, + a_w_eval, + b_w_eval, + d_w_eval, q_arith_eval, q_c_eval, q_l_eval, @@ -494,7 +498,7 @@ impl Prover { &t_low_poly, &t_mid_poly, &t_high_poly, - &t_4_poly, + &t_fourth_poly, &public_inputs, ); @@ -502,10 +506,10 @@ impl Prover { let aggregate_witness = CommitKey::compute_aggregate_witness( &[ r_poly, - a_w_poly.clone(), - b_w_poly.clone(), - c_w_poly, - d_w_poly.clone(), + a_poly.clone(), + b_poly.clone(), + c_poly, + d_poly.clone(), self.prover_key.permutation.s_sigma_1.0.clone(), self.prover_key.permutation.s_sigma_2.0.clone(), self.prover_key.permutation.s_sigma_3.0.clone(), @@ -520,7 +524,7 @@ impl Prover { // compute the shifted opening proof polynomial 'W_zw(X)' let shifted_aggregate_witness = CommitKey::compute_aggregate_witness( - &[z_poly, a_w_poly, b_w_poly, d_w_poly], + &[z_poly, a_poly, b_poly, d_poly], &(z_challenge * domain.group_gen), &v_w_challenge, ); @@ -528,17 +532,17 @@ impl Prover { self.commit_key.commit(&shifted_aggregate_witness)?; let proof = Proof { - a_comm: a_w_poly_commit, - b_comm: b_w_poly_commit, - c_comm: c_w_poly_commit, - d_comm: d_w_poly_commit, + a_comm, + b_comm, + c_comm, + d_comm, - z_comm: z_poly_commit, + z_comm, - t_low_comm: t_low_commit, - t_mid_comm: t_mid_commit, - t_high_comm: t_high_commit, - t_4_comm: t_4_commit, + t_low_comm, + t_mid_comm, + t_high_comm, + t_fourth_comm, w_z_chall_comm, w_z_chall_w_comm, diff --git a/src/composer.rs b/src/composer.rs index 6a441d5b..45227ed6 100644 --- a/src/composer.rs +++ b/src/composer.rs @@ -103,16 +103,16 @@ impl Composer { fn append_custom_gate_internal(&mut self, constraint: Constraint) { let n = self.constraints.len(); - let w_a = constraint.witness(WiredWitness::A); - let w_b = constraint.witness(WiredWitness::B); - let w_o = constraint.witness(WiredWitness::O); - let w_d = constraint.witness(WiredWitness::D); + let a = constraint.witness(WiredWitness::A); + let b = constraint.witness(WiredWitness::B); + let c = constraint.witness(WiredWitness::C); + let d = constraint.witness(WiredWitness::D); let q_m = *constraint.coeff(Selector::Multiplication); let q_l = *constraint.coeff(Selector::Left); let q_r = *constraint.coeff(Selector::Right); let q_o = *constraint.coeff(Selector::Output); - let q_4 = *constraint.coeff(Selector::Fourth); + let q_f = *constraint.coeff(Selector::Fourth); let q_c = *constraint.coeff(Selector::Constant); let q_arith = *constraint.coeff(Selector::Arithmetic); @@ -127,17 +127,17 @@ impl Composer { q_l, q_r, q_o, - q_4, + q_f, q_c, q_arith, q_range, q_logic, q_fixed_group_add, q_variable_group_add, - w_a, - w_b, - w_o, - w_d, + a, + b, + c, + d, }; self.constraints.push(gate); @@ -148,7 +148,7 @@ impl Composer { self.public_inputs.insert(n, pi); } - self.perm.add_witnesses_to_map(w_a, w_b, w_o, w_d, n); + self.perm.add_witnesses_to_map(a, b, c, d, n); } /// PLONK runtime controller @@ -204,7 +204,7 @@ impl Composer { .a(six) .b(seven) .d(one) - .o(min_twenty); + .c(min_twenty); self.append_gate(constraint); @@ -218,7 +218,7 @@ impl Composer { .output(1) .a(min_twenty) .b(six) - .o(seven); + .c(seven); self.append_gate(constraint); } @@ -345,7 +345,7 @@ impl Composer { let wit_c = self.append_witness(prod_quad_bls); let wit_d = self.append_witness(out_acc); - constraint = constraint.o(wit_c); + constraint = constraint.c(wit_c); self.append_custom_gate(constraint); @@ -494,7 +494,7 @@ impl Composer { .constant(wnaf_round.xy_beta) .a(wnaf_round.acc_x) .b(wnaf_round.acc_y) - .o(wnaf_round.xy_alpha) + .c(wnaf_round.xy_alpha) .d(wnaf_round.accumulated_bit); self.append_custom_gate(constraint) @@ -528,7 +528,7 @@ impl Composer { /// Append a new width-4 gate/constraint. /// /// The constraint added will enforce the following: - /// `q_m · a · b + q_l · a + q_r · b + q_o · o + q_4 · d + q_c + PI = 0`. + /// `q_M · a · b + q_L · a + q_R · b + q_O · o + q_F · d + q_C + PI = 0`. pub fn append_gate(&mut self, constraint: Constraint) { let constraint = Constraint::arithmetic(&constraint); @@ -553,18 +553,18 @@ impl Composer { let qm = s.coeff(Selector::Multiplication); let ql = s.coeff(Selector::Left); let qr = s.coeff(Selector::Right); - let qd = s.coeff(Selector::Fourth); + let qf = s.coeff(Selector::Fourth); let qc = s.coeff(Selector::Constant); let pi = s.coeff(Selector::PublicInput); - let x = qm * a * b + ql * a + qr * b + qd * d + qc + pi; + let x = qm * a * b + ql * a + qr * b + qf * d + qc + pi; let y = s.coeff(Selector::Output); - // Invert is an expensive operation; in most cases, `qo` is going to be + // Invert is an expensive operation; in most cases, `q_O` is going to be // either 1 or -1, so we can optimize these #[allow(dead_code)] - let o = { + let c = { const ONE: BlsScalar = BlsScalar::one(); const MINUS_ONE: BlsScalar = BlsScalar([ 0xfffffffd00000003, @@ -584,7 +584,7 @@ impl Composer { } }; - o.map(|o| self.append_witness(o)) + c.map(|c| self.append_witness(c)) } /// Constrain a scalar into the circuit description and return an allocated @@ -780,7 +780,7 @@ impl Composer { let y_3 = self.append_witness(y_3); // Add the rest of the prepared points into the composer - let constraint = Constraint::new().a(x_1).b(y_1).o(x_2).d(y_2); + let constraint = Constraint::new().a(x_1).b(y_1).c(x_2).d(y_2); let constraint = Constraint::group_add_variable_base(&constraint); self.append_custom_gate(constraint); @@ -806,7 +806,7 @@ impl Composer { .output(-BlsScalar::one()) .a(a) .b(a) - .o(a) + .c(a) .d(zero); self.append_gate(constraint); @@ -956,7 +956,7 @@ impl Composer { .constant(1) .a(bit) .b(value) - .o(f_x); + .c(f_x); self.append_gate(constraint); @@ -1077,7 +1077,7 @@ impl Composer { let idx = i / 4; let witness = match i % 4 { 0 => WiredWitness::D, - 1 => WiredWitness::O, + 1 => WiredWitness::C, 2 => WiredWitness::B, 3 => WiredWitness::A, _ => unreachable!(), @@ -1117,36 +1117,36 @@ impl Composer { /// Evaluate and return `o` by appending a new constraint into the circuit. /// - /// Set `q_o = (-1)` and override the output of the constraint with: - /// `o := q_l · a + q_r · b + q_4 · d + q_c + PI` + /// Set `q_O = (-1)` and override the output of the constraint with: + /// `c := q_L · a + q_R · b + q_F · d + q_C + PI` pub fn gate_add(&mut self, s: Constraint) -> Witness { let s = Constraint::arithmetic(&s).output(-BlsScalar::one()); - let o = self + let c = self .append_evaluated_output(s) .expect("output selector is -1"); - let s = s.o(o); + let s = s.c(c); self.append_gate(s); - o + c } - /// Evaluate and return `o` by appending a new constraint into the circuit. + /// Evaluate and return `c` by appending a new constraint into the circuit. /// - /// Set `q_o = (-1)` and override the output of the constraint with: - /// `o := q_m · a · b + q_4 · d + q_c + PI` + /// Set `q_O = (-1)` and override the output of the constraint with: + /// `c := q_M · a · b + q_F · d + q_C + PI` pub fn gate_mul(&mut self, s: Constraint) -> Witness { let s = Constraint::arithmetic(&s).output(-BlsScalar::one()); - let o = self + let c = self .append_evaluated_output(s) .expect("output selector is -1"); - let s = s.o(o); + let s = s.c(c); self.append_gate(s); - o + c } /// Prove a circuit with a composer initialized with dummy gates diff --git a/src/composer/compress.rs b/src/composer/compress.rs index 58030296..e442a305 100644 --- a/src/composer/compress.rs +++ b/src/composer/compress.rs @@ -19,10 +19,10 @@ mod hades; )] pub struct CompressedConstraint { pub polynomial: usize, - pub w_a: usize, - pub w_b: usize, - pub w_o: usize, - pub w_d: usize, + pub a: usize, + pub b: usize, + pub c: usize, + pub d: usize, } #[derive( @@ -33,7 +33,7 @@ pub struct CompressedPolynomial { pub q_l: usize, pub q_r: usize, pub q_o: usize, - pub q_4: usize, + pub q_f: usize, pub q_c: usize, pub q_arith: usize, pub q_range: usize, @@ -99,17 +99,17 @@ impl CompressedCircuit { q_l, q_r, q_o, - q_4, + q_f, q_c, q_arith, q_range, q_logic, q_fixed_group_add, q_variable_group_add, - w_a, - w_b, - w_o, - w_d, + a, + b, + c, + d, }| { let len = scalars.len(); let q_m = *scalars.entry(q_m).or_insert(len); @@ -120,7 +120,7 @@ impl CompressedCircuit { let len = scalars.len(); let q_o = *scalars.entry(q_o).or_insert(len); let len = scalars.len(); - let q_4 = *scalars.entry(q_4).or_insert(len); + let q_f = *scalars.entry(q_f).or_insert(len); let len = scalars.len(); let q_c = *scalars.entry(q_c).or_insert(len); let len = scalars.len(); @@ -140,7 +140,7 @@ impl CompressedCircuit { q_l, q_r, q_o, - q_4, + q_f, q_c, q_arith, q_range, @@ -155,10 +155,10 @@ impl CompressedCircuit { CompressedConstraint { polynomial, - w_a: w_a.index(), - w_b: w_b.index(), - w_o: w_o.index(), - w_d: w_d.index(), + a: a.index(), + b: b.index(), + c: c.index(), + d: d.index(), } }, ) @@ -241,10 +241,10 @@ impl CompressedCircuit { i, CompressedConstraint { polynomial, - w_a, - w_b, - w_o, - w_d, + a, + b, + c, + d, }, ) in constraints.into_iter().enumerate() { @@ -253,7 +253,7 @@ impl CompressedCircuit { q_l, q_r, q_o, - q_4, + q_f, q_c, q_arith, q_range, @@ -281,8 +281,8 @@ impl CompressedCircuit { .get(q_o) .copied() .ok_or(Error::InvalidCompressedCircuit)?; - let q_4 = scalars - .get(q_4) + let q_f = scalars + .get(q_f) .copied() .ok_or(Error::InvalidCompressedCircuit)?; let q_c = scalars @@ -310,27 +310,27 @@ impl CompressedCircuit { .copied() .ok_or(Error::InvalidCompressedCircuit)?; - let w_a = Witness::new(w_a); - let w_b = Witness::new(w_b); - let w_o = Witness::new(w_o); - let w_d = Witness::new(w_d); + let a = Witness::new(a); + let b = Witness::new(b); + let c = Witness::new(c); + let d = Witness::new(d); let mut constraint = Constraint::default() .set(Selector::Multiplication, q_m) .set(Selector::Left, q_l) .set(Selector::Right, q_r) .set(Selector::Output, q_o) - .set(Selector::Fourth, q_4) + .set(Selector::Fourth, q_f) .set(Selector::Constant, q_c) .set(Selector::Arithmetic, q_arith) .set(Selector::Range, q_range) .set(Selector::Logic, q_logic) .set(Selector::GroupAddFixedBase, q_fixed_group_add) .set(Selector::GroupAddVariableBase, q_variable_group_add) - .a(w_a) - .b(w_b) - .o(w_o) - .d(w_d); + .a(a) + .b(b) + .c(c) + .d(d); if let Some(idx) = public_inputs.get(pi) { if idx == &i { diff --git a/src/composer/constraint_system/constraint.rs b/src/composer/constraint_system/constraint.rs index 11b6e23f..1bebf105 100644 --- a/src/composer/constraint_system/constraint.rs +++ b/src/composer/constraint_system/constraint.rs @@ -10,19 +10,19 @@ use dusk_bls12_381::BlsScalar; /// Selectors used to address a coefficient inside of a [`Constraint`] #[derive(Debug, Clone, Copy, PartialEq, Eq)] pub(crate) enum Selector { - /// Multiplication coefficient `q_m` + /// Multiplication coefficient `q_M` Multiplication = 0x00, - /// Left coefficient `q_l` + /// Left coefficient `q_L` Left = 0x01, - /// Right coefficient `q_r` + /// Right coefficient `q_R` Right = 0x02, - /// Output coefficient `q_o` + /// Output coefficient `q_O` Output = 0x03, - /// Fourth advice coefficient `q_4` + /// Fourth advice coefficient `q_F` Fourth = 0x04, - /// Constant expression `q_c` + /// Constant expression `q_C` Constant = 0x05, - /// Public input `pi` + /// Public input `PI` PublicInput = 0x06, /// Arithmetic coefficient (internal use) @@ -45,7 +45,7 @@ pub(crate) enum WiredWitness { /// `B` witness B = 0x01, /// `O` witness - O = 0x02, + C = 0x02, /// `D` witness D = 0x03, } @@ -196,9 +196,9 @@ impl Constraint { self } - /// Set witness `o` wired to `qO` - pub fn o(mut self, w: Witness) -> Self { - self.set_witness(WiredWitness::O, w); + /// Set witness `c` wired to `qO` + pub fn c(mut self, w: Witness) -> Self { + self.set_witness(WiredWitness::C, w); self } diff --git a/src/composer/gate.rs b/src/composer/gate.rs index 31d6dab6..a47069e2 100644 --- a/src/composer/gate.rs +++ b/src/composer/gate.rs @@ -21,7 +21,7 @@ pub struct Gate { /// Output wire selector pub(crate) q_o: BlsScalar, /// Fourth wire selector - pub(crate) q_4: BlsScalar, + pub(crate) q_f: BlsScalar, /// Constant wire selector pub(crate) q_c: BlsScalar, /// Arithmetic wire selector @@ -36,11 +36,11 @@ pub struct Gate { pub(crate) q_variable_group_add: BlsScalar, /// Left wire witness. - pub(crate) w_a: Witness, + pub(crate) a: Witness, /// Right wire witness. - pub(crate) w_b: Witness, + pub(crate) b: Witness, /// Output wire witness. - pub(crate) w_o: Witness, + pub(crate) c: Witness, /// Fourth wire witness. - pub(crate) w_d: Witness, + pub(crate) d: Witness, } diff --git a/src/composer/permutation.rs b/src/composer/permutation.rs index 4db92efb..f5494c26 100644 --- a/src/composer/permutation.rs +++ b/src/composer/permutation.rs @@ -222,8 +222,8 @@ impl Permutation { // Constants defining cosets H, k1H, k2H, etc let ks = vec![BlsScalar::one(), K1, K2, K3]; - // Transpose wires and sigma values to get "rows" in the form [a_w_i, - // b_w_i, c_w_i, d_w_i] where each row contains the wire and sigma + // Transpose wires and sigma values to get "rows" in the form [a_i, + // b_i, c_i, d_i] where each row contains the wire and sigma // values for a single gate let gatewise_wires = izip!(wires[0], wires[1], wires[2], wires[3]) .map(|(w0, w1, w2, w3)| vec![w0, w1, w2, w3]); @@ -309,10 +309,10 @@ mod test { #[allow(dead_code)] fn compute_fast_permutation_poly( domain: &EvaluationDomain, - a_w: &[BlsScalar], - b_w: &[BlsScalar], - c_w: &[BlsScalar], - d_w: &[BlsScalar], + a: &[BlsScalar], + b: &[BlsScalar], + c: &[BlsScalar], + d: &[BlsScalar], beta: &BlsScalar, gamma: &BlsScalar, (s_sigma_1_poly, s_sigma_2_poly, s_sigma_3_poly, s_sigma_4_poly): ( @@ -356,24 +356,24 @@ mod test { common_roots.iter().map(|x| x * K3).collect(); // Compute left_wire + gamma - let a_w_gamma: Vec<_> = a_w.iter().map(|a_w| a_w + gamma).collect(); + let a_gamma: Vec<_> = a.iter().map(|a| a + gamma).collect(); // Compute right_wire + gamma - let b_w_gamma: Vec<_> = b_w.iter().map(|b_w| b_w + gamma).collect(); + let b_gamma: Vec<_> = b.iter().map(|b| b + gamma).collect(); // Compute out_wire + gamma - let c_w_gamma: Vec<_> = c_w.iter().map(|c_w| c_w + gamma).collect(); + let c_gamma: Vec<_> = c.iter().map(|c| c + gamma).collect(); // Compute fourth_wire + gamma - let d_w_gamma: Vec<_> = d_w.iter().map(|d_w| d_w + gamma).collect(); + let d_gamma: Vec<_> = d.iter().map(|d| d + gamma).collect(); // Compute 6 accumulator components // Parallelizable let accumulator_components_without_l1: Vec<_> = izip!( - a_w_gamma, - b_w_gamma, - c_w_gamma, - d_w_gamma, + a_gamma, + b_gamma, + c_gamma, + d_gamma, common_roots, beta_roots_k1, beta_roots_k2, @@ -385,10 +385,10 @@ mod test { ) .map( |( - a_w_gamma, - b_w_gamma, - c_w_gamma, - d_w_gamma, + a_gamma, + b_gamma, + c_gamma, + d_gamma, beta_root, beta_root_k1, beta_root_k2, @@ -399,28 +399,28 @@ mod test { beta_s_sigma_4, )| { // w_j + beta * root^j-1 + gamma - let ac1 = a_w_gamma + beta_root; + let ac1 = a_gamma + beta_root; // w_{n+j} + beta * K1 * root^j-1 + gamma - let ac2 = b_w_gamma + beta_root_k1; + let ac2 = b_gamma + beta_root_k1; // w_{2n+j} + beta * K2 * root^j-1 + gamma - let ac3 = c_w_gamma + beta_root_k2; + let ac3 = c_gamma + beta_root_k2; // w_{3n+j} + beta * K3 * root^j-1 + gamma - let ac4 = d_w_gamma + beta_root_k3; + let ac4 = d_gamma + beta_root_k3; // 1 / w_j + beta * sigma(j) + gamma - let ac5 = (a_w_gamma + beta_s_sigma_1).invert().unwrap(); + let ac5 = (a_gamma + beta_s_sigma_1).invert().unwrap(); // 1 / w_{n+j} + beta * sigma(n+j) + gamma - let ac6 = (b_w_gamma + beta_s_sigma_2).invert().unwrap(); + let ac6 = (b_gamma + beta_s_sigma_2).invert().unwrap(); // 1 / w_{2n+j} + beta * sigma(2n+j) + gamma - let ac7 = (c_w_gamma + beta_s_sigma_3).invert().unwrap(); + let ac7 = (c_gamma + beta_s_sigma_3).invert().unwrap(); // 1 / w_{3n+j} + beta * sigma(3n+j) + gamma - let ac8 = (d_w_gamma + beta_s_sigma_4).invert().unwrap(); + let ac8 = (d_gamma + beta_s_sigma_4).invert().unwrap(); [ac1, ac2, ac3, ac4, ac5, ac6, ac7, ac8] }, @@ -470,10 +470,10 @@ mod test { fn compute_slow_permutation_poly( domain: &EvaluationDomain, - a_w: I, - b_w: I, - c_w: I, - d_w: I, + a: I, + b: I, + c: I, + d: I, beta: &BlsScalar, gamma: &BlsScalar, (s_sigma_1_poly, s_sigma_2_poly, s_sigma_3_poly, s_sigma_4_poly): ( @@ -516,16 +516,16 @@ mod test { let beta_roots_k3_iter = domain.elements().map(|root| K3 * beta * root); // Compute left_wire + gamma - let a_w_gamma: Vec<_> = a_w.map(|w| w + gamma).collect(); + let a_gamma: Vec<_> = a.map(|w| w + gamma).collect(); // Compute right_wire + gamma - let b_w_gamma: Vec<_> = b_w.map(|w| w + gamma).collect(); + let b_gamma: Vec<_> = b.map(|w| w + gamma).collect(); // Compute out_wire + gamma - let c_w_gamma: Vec<_> = c_w.map(|w| w + gamma).collect(); + let c_gamma: Vec<_> = c.map(|w| w + gamma).collect(); // Compute fourth_wire + gamma - let d_w_gamma: Vec<_> = d_w.map(|w| w + gamma).collect(); + let d_gamma: Vec<_> = d.map(|w| w + gamma).collect(); let mut numerator_partial_components: Vec = Vec::with_capacity(n); @@ -542,35 +542,35 @@ mod test { // Compute numerator coefficients for ( - a_w_gamma, - b_w_gamma, - c_w_gamma, - d_w_gamma, + a_gamma, + b_gamma, + c_gamma, + d_gamma, beta_root, beta_root_k1, beta_root_k2, beta_root_k3, ) in izip!( - a_w_gamma.iter(), - b_w_gamma.iter(), - c_w_gamma.iter(), - d_w_gamma.iter(), + a_gamma.iter(), + b_gamma.iter(), + c_gamma.iter(), + d_gamma.iter(), beta_roots_iter, beta_roots_k1_iter, beta_roots_k2_iter, beta_roots_k3_iter, ) { - // (a_w + beta * root + gamma) - let prod_a = beta_root + a_w_gamma; + // (a + beta * root + gamma) + let prod_a = beta_root + a_gamma; - // (b_w + beta * root * k_1 + gamma) - let prod_b = beta_root_k1 + b_w_gamma; + // (b + beta * root * k_1 + gamma) + let prod_b = beta_root_k1 + b_gamma; - // (c_w + beta * root * k_2 + gamma) - let prod_c = beta_root_k2 + c_w_gamma; + // (c + beta * root * k_2 + gamma) + let prod_c = beta_root_k2 + c_gamma; - // (d_w + beta * root * k_3 + gamma) - let prod_d = beta_root_k3 + d_w_gamma; + // (d + beta * root * k_3 + gamma) + let prod_d = beta_root_k3 + d_gamma; let mut prod = prod_a * prod_b * prod_c * prod_d; @@ -583,35 +583,35 @@ mod test { // Compute denominator coefficients for ( - a_w_gamma, - b_w_gamma, - c_w_gamma, - d_w_gamma, + a_gamma, + b_gamma, + c_gamma, + d_gamma, beta_s_sigma_1, beta_s_sigma_2, beta_s_sigma_3, beta_s_sigma_4, ) in izip!( - a_w_gamma, - b_w_gamma, - c_w_gamma, - d_w_gamma, + a_gamma, + b_gamma, + c_gamma, + d_gamma, beta_s_sigma_1_iter, beta_s_sigma_2_iter, beta_s_sigma_3_iter, beta_s_sigma_4_iter, ) { - // (a_w + beta * s_sigma_1 + gamma) - let prod_a = beta_s_sigma_1 + a_w_gamma; + // (a + beta * s_sigma_1 + gamma) + let prod_a = beta_s_sigma_1 + a_gamma; - // (b_w + beta * s_sigma_2 + gamma) - let prod_b = beta_s_sigma_2 + b_w_gamma; + // (b + beta * s_sigma_2 + gamma) + let prod_b = beta_s_sigma_2 + b_gamma; - // (c_w + beta * s_sigma_3 + gamma) - let prod_c = beta_s_sigma_3 + c_w_gamma; + // (c + beta * s_sigma_3 + gamma) + let prod_c = beta_s_sigma_3 + c_gamma; - // (d_w + beta * s_sigma_4 + gamma) - let prod_d = beta_s_sigma_4 + d_w_gamma; + // (d + beta * s_sigma_4 + gamma) + let prod_d = beta_s_sigma_4 + d_gamma; let mut prod = prod_a * prod_b * prod_c * prod_d; @@ -797,25 +797,25 @@ mod test { assert_eq!(encoded_s_sigma_4[2], w_cubed * K3); assert_eq!(encoded_s_sigma_4[3], K3); - let a_w = vec![ + let a = vec![ BlsScalar::from(2), BlsScalar::from(2), BlsScalar::from(2), BlsScalar::from(2), ]; - let b_w = vec![ + let b = vec![ BlsScalar::from(2), BlsScalar::one(), BlsScalar::one(), BlsScalar::one(), ]; - let c_w = vec![ + let c = vec![ BlsScalar::one(), BlsScalar::one(), BlsScalar::one(), BlsScalar::one(), ]; - let d_w = vec![ + let d = vec![ BlsScalar::one(), BlsScalar::one(), BlsScalar::one(), @@ -826,10 +826,10 @@ mod test { num_wire_mappings, perm, &domain, - a_w, - b_w, - c_w, - d_w, + a, + b, + c, + d, ); } @@ -953,19 +953,19 @@ mod test { perm.add_witnesses_to_map(var_one, var_two, var_three, var_four, 0); perm.add_witnesses_to_map(var_three, var_two, var_one, var_four, 1); - let a_w: Vec<_> = vec![BlsScalar::one(), BlsScalar::from(3)]; - let b_w: Vec<_> = vec![BlsScalar::from(2), BlsScalar::from(2)]; - let c_w: Vec<_> = vec![BlsScalar::from(3), BlsScalar::one()]; - let d_w: Vec<_> = vec![BlsScalar::one(), BlsScalar::one()]; + let a: Vec<_> = vec![BlsScalar::one(), BlsScalar::from(3)]; + let b: Vec<_> = vec![BlsScalar::from(2), BlsScalar::from(2)]; + let c: Vec<_> = vec![BlsScalar::from(3), BlsScalar::one()]; + let d: Vec<_> = vec![BlsScalar::one(), BlsScalar::one()]; test_correct_permutation_poly( num_wire_mappings, perm, &domain, - a_w, - b_w, - c_w, - d_w, + a, + b, + c, + d, ); } @@ -981,10 +981,10 @@ mod test { n: usize, mut perm: Permutation, domain: &EvaluationDomain, - a_w: Vec, - b_w: Vec, - c_w: Vec, - d_w: Vec, + a: Vec, + b: Vec, + c: Vec, + d: Vec, ) { // 0. Generate beta and gamma challenges // @@ -998,10 +998,10 @@ mod test { let (z_vec, numerator_components, denominator_components) = compute_slow_permutation_poly( domain, - a_w.clone().into_iter(), - b_w.clone().into_iter(), - c_w.clone().into_iter(), - d_w.clone().into_iter(), + a.clone().into_iter(), + b.clone().into_iter(), + c.clone().into_iter(), + d.clone().into_iter(), &beta, &gamma, ( @@ -1014,10 +1014,10 @@ mod test { let fast_z_vec = compute_fast_permutation_poly( domain, - &a_w, - &b_w, - &c_w, - &d_w, + &a, + &b, + &c, + &d, &beta, &gamma, ( diff --git a/src/debugger.rs b/src/debugger.rs index 5131e35d..c426cc33 100644 --- a/src/debugger.rs +++ b/src/debugger.rs @@ -80,89 +80,90 @@ impl Debugger { EncodableWitness::new(id, None, value, source) }); - let constraints = - self.constraints - .iter() - .enumerate() - .map(|(id, (source, c))| { - let source = source.clone(); - - let qm = c.coeff(Selector::Multiplication); - let ql = c.coeff(Selector::Left); - let qr = c.coeff(Selector::Right); - let qd = c.coeff(Selector::Fourth); - let qc = c.coeff(Selector::Constant); - let qo = c.coeff(Selector::Output); - let pi = c.coeff(Selector::PublicInput); - let qarith = c.coeff(Selector::Arithmetic); - let qlogic = c.coeff(Selector::Logic); - let qrange = c.coeff(Selector::Range); - let qgroup_variable = - c.coeff(Selector::GroupAddVariableBase); - let qfixed_add = c.coeff(Selector::GroupAddFixedBase); - - let witnesses = WiredWitnesses { - a: c.witness(WiredWitness::A).index(), - b: c.witness(WiredWitness::B).index(), - d: c.witness(WiredWitness::D).index(), - o: c.witness(WiredWitness::O).index(), - }; - - let wa = self - .witnesses - .get(witnesses.a) - .map(|(_, _, v)| *v) - .unwrap_or_default(); - - let wb = self - .witnesses - .get(witnesses.b) - .map(|(_, _, v)| *v) - .unwrap_or_default(); - - let wd = self - .witnesses - .get(witnesses.d) - .map(|(_, _, v)| *v) - .unwrap_or_default(); - - let wo = self - .witnesses - .get(witnesses.o) - .map(|(_, _, v)| *v) - .unwrap_or_default(); - - // TODO check arith, range, logic & ecc wires - let evaluation = qm * wa * wb - + ql * wa - + qr * wb - + qd * wd - + qo * wo - + qc - + pi; - - let evaluation = evaluation == BlsScalar::zero(); - - let selectors = Selectors { - qm: qm.to_bytes().into(), - ql: ql.to_bytes().into(), - qr: qr.to_bytes().into(), - qd: qd.to_bytes().into(), - qc: qc.to_bytes().into(), - qo: qo.to_bytes().into(), - pi: pi.to_bytes().into(), - qarith: qarith.to_bytes().into(), - qlogic: qlogic.to_bytes().into(), - qrange: qrange.to_bytes().into(), - qgroup_variable: qgroup_variable.to_bytes().into(), - qfixed_add: qfixed_add.to_bytes().into(), - }; - - let polynomial = - Polynomial::new(selectors, witnesses, evaluation); - - EncodableConstraint::new(id, polynomial, source) - }); + let constraints = self.constraints.iter().enumerate().map( + |(id, (source, constraint))| { + let source = source.clone(); + + let qm = constraint.coeff(Selector::Multiplication); + let ql = constraint.coeff(Selector::Left); + let qr = constraint.coeff(Selector::Right); + let qo = constraint.coeff(Selector::Output); + let qf = constraint.coeff(Selector::Fourth); + let qc = constraint.coeff(Selector::Constant); + let pi = constraint.coeff(Selector::PublicInput); + let qarith = constraint.coeff(Selector::Arithmetic); + let qlogic = constraint.coeff(Selector::Logic); + let qrange = constraint.coeff(Selector::Range); + let qgroup_variable = + constraint.coeff(Selector::GroupAddVariableBase); + let qfixed_add = constraint.coeff(Selector::GroupAddFixedBase); + + let witnesses = WiredWitnesses { + a: constraint.witness(WiredWitness::A).index(), + b: constraint.witness(WiredWitness::B).index(), + // TODO: change by 'c' in debugger crate + o: constraint.witness(WiredWitness::C).index(), + d: constraint.witness(WiredWitness::D).index(), + }; + + let wa = self + .witnesses + .get(witnesses.a) + .map(|(_, _, v)| *v) + .unwrap_or_default(); + + let wb = self + .witnesses + .get(witnesses.b) + .map(|(_, _, v)| *v) + .unwrap_or_default(); + + let wc = self + .witnesses + // TODO: change by 'c' in debugger crate + .get(witnesses.o) + .map(|(_, _, v)| *v) + .unwrap_or_default(); + + let wd = self + .witnesses + .get(witnesses.d) + .map(|(_, _, v)| *v) + .unwrap_or_default(); + + // TODO check arith, range, logic & ecc wires + let evaluation = qm * wa * wb + + ql * wa + + qr * wb + + qo * wc + + qf * wd + + qc + + pi; + + let evaluation = evaluation == BlsScalar::zero(); + + let selectors = Selectors { + qm: qm.to_bytes().into(), + ql: ql.to_bytes().into(), + qr: qr.to_bytes().into(), + qo: qo.to_bytes().into(), + // TODO: change by 'qf' in debugger crate + qd: qf.to_bytes().into(), + qc: qc.to_bytes().into(), + pi: pi.to_bytes().into(), + qarith: qarith.to_bytes().into(), + qlogic: qlogic.to_bytes().into(), + qrange: qrange.to_bytes().into(), + qgroup_variable: qgroup_variable.to_bytes().into(), + qfixed_add: qfixed_add.to_bytes().into(), + }; + + let polynomial = + Polynomial::new(selectors, witnesses, evaluation); + + EncodableConstraint::new(id, polynomial, source) + }, + ); if let Err(e) = Config::load() .and_then(|config| { diff --git a/src/proof_system/linearization_poly.rs b/src/proof_system/linearization_poly.rs index 72d0da26..7d095a35 100644 --- a/src/proof_system/linearization_poly.rs +++ b/src/proof_system/linearization_poly.rs @@ -45,14 +45,14 @@ pub(crate) struct ProofEvaluations { pub(crate) d_eval: BlsScalar, // #[cfg_attr(feature = "rkyv-impl", omit_bounds)] - pub(crate) a_next_eval: BlsScalar, + pub(crate) a_w_eval: BlsScalar, // #[cfg_attr(feature = "rkyv-impl", omit_bounds)] - pub(crate) b_next_eval: BlsScalar, + pub(crate) b_w_eval: BlsScalar, // Evaluation of the witness polynomial for the fourth wire at `z * root of // unity` #[cfg_attr(feature = "rkyv-impl", omit_bounds)] - pub(crate) d_next_eval: BlsScalar, + pub(crate) d_w_eval: BlsScalar, // Evaluation of the arithmetic selector polynomial at `z` #[cfg_attr(feature = "rkyv-impl", omit_bounds)] pub(crate) q_arith_eval: BlsScalar, @@ -96,9 +96,9 @@ impl Serializable<{ 15 * BlsScalar::SIZE }> for ProofEvaluations { writer.write(&self.b_eval.to_bytes()); writer.write(&self.c_eval.to_bytes()); writer.write(&self.d_eval.to_bytes()); - writer.write(&self.a_next_eval.to_bytes()); - writer.write(&self.b_next_eval.to_bytes()); - writer.write(&self.d_next_eval.to_bytes()); + writer.write(&self.a_w_eval.to_bytes()); + writer.write(&self.b_w_eval.to_bytes()); + writer.write(&self.d_w_eval.to_bytes()); writer.write(&self.q_arith_eval.to_bytes()); writer.write(&self.q_c_eval.to_bytes()); writer.write(&self.q_l_eval.to_bytes()); @@ -119,9 +119,9 @@ impl Serializable<{ 15 * BlsScalar::SIZE }> for ProofEvaluations { let b_eval = BlsScalar::from_reader(&mut buffer)?; let c_eval = BlsScalar::from_reader(&mut buffer)?; let d_eval = BlsScalar::from_reader(&mut buffer)?; - let a_next_eval = BlsScalar::from_reader(&mut buffer)?; - let b_next_eval = BlsScalar::from_reader(&mut buffer)?; - let d_next_eval = BlsScalar::from_reader(&mut buffer)?; + let a_w_eval = BlsScalar::from_reader(&mut buffer)?; + let b_w_eval = BlsScalar::from_reader(&mut buffer)?; + let d_w_eval = BlsScalar::from_reader(&mut buffer)?; let q_arith_eval = BlsScalar::from_reader(&mut buffer)?; let q_c_eval = BlsScalar::from_reader(&mut buffer)?; let q_l_eval = BlsScalar::from_reader(&mut buffer)?; @@ -136,9 +136,9 @@ impl Serializable<{ 15 * BlsScalar::SIZE }> for ProofEvaluations { b_eval, c_eval, d_eval, - a_next_eval, - b_next_eval, - d_next_eval, + a_w_eval, + b_w_eval, + d_w_eval, q_arith_eval, q_c_eval, q_l_eval, @@ -183,7 +183,7 @@ pub(crate) fn compute( t_low_poly: &Polynomial, t_mid_poly: &Polynomial, t_high_poly: &Polynomial, - t_4_poly: &Polynomial, + t_fourth_poly: &Polynomial, pub_inputs: &[BlsScalar], ) -> Polynomial { let f_1 = compute_circuit_satisfiability( @@ -229,7 +229,7 @@ pub(crate) fn compute( let a = t_low_poly; let b = t_mid_poly * &z_n; let c = t_high_poly * &z_two_n; - let d = t_4_poly * &z_three_n; + let d = t_fourth_poly * &z_three_n; let abc = &(a + &b) + &c; let quot = &abc + &d; diff --git a/src/proof_system/preprocess.rs b/src/proof_system/preprocess.rs index 91560f80..72c8a34c 100644 --- a/src/proof_system/preprocess.rs +++ b/src/proof_system/preprocess.rs @@ -15,12 +15,9 @@ pub(crate) struct Polynomials { pub(crate) q_l: Polynomial, pub(crate) q_r: Polynomial, pub(crate) q_o: Polynomial, + pub(crate) q_f: Polynomial, // for 3-input gates pub(crate) q_c: Polynomial, - // additional selector for 3-input gates added for efficiency of - // implementation - pub(crate) q_4: Polynomial, - // additional selectors for different kinds of circuits added for // efficiency of implementation pub(crate) q_arith: Polynomial, // arithmetic circuits @@ -33,5 +30,5 @@ pub(crate) struct Polynomials { pub(crate) s_sigma_1: Polynomial, pub(crate) s_sigma_2: Polynomial, pub(crate) s_sigma_3: Polynomial, - pub(crate) s_sigma_4: Polynomial, // for q_4 + pub(crate) s_sigma_4: Polynomial, // for q_F } diff --git a/src/proof_system/proof.rs b/src/proof_system/proof.rs index 10111aa8..e434eb28 100644 --- a/src/proof_system/proof.rs +++ b/src/proof_system/proof.rs @@ -74,7 +74,7 @@ pub struct Proof { pub(crate) t_high_comm: Commitment, /// Commitment to the quotient polynomial. #[cfg_attr(feature = "rkyv-impl", omit_bounds)] - pub(crate) t_4_comm: Commitment, + pub(crate) t_fourth_comm: Commitment, /// Commitment to the opening polynomial. #[cfg_attr(feature = "rkyv-impl", omit_bounds)] @@ -105,7 +105,7 @@ impl CheckBytes for ArchivedProof { check_field(&(*value).t_low_comm, context, "t_low_comm")?; check_field(&(*value).t_mid_comm, context, "t_mid_comm")?; check_field(&(*value).t_high_comm, context, "t_high_comm")?; - check_field(&(*value).t_4_comm, context, "t_4_comm")?; + check_field(&(*value).t_fourth_comm, context, "t_fourth_comm")?; check_field(&(*value).w_z_chall_comm, context, "w_z_chall_comm")?; check_field(&(*value).w_z_chall_w_comm, context, "w_z_chall_w_comm")?; @@ -135,7 +135,7 @@ impl Serializable<{ 11 * Commitment::SIZE + ProofEvaluations::SIZE }> writer.write(&self.t_low_comm.to_bytes()); writer.write(&self.t_mid_comm.to_bytes()); writer.write(&self.t_high_comm.to_bytes()); - writer.write(&self.t_4_comm.to_bytes()); + writer.write(&self.t_fourth_comm.to_bytes()); writer.write(&self.w_z_chall_comm.to_bytes()); writer.write(&self.w_z_chall_w_comm.to_bytes()); writer.write(&self.evaluations.to_bytes()); @@ -154,7 +154,7 @@ impl Serializable<{ 11 * Commitment::SIZE + ProofEvaluations::SIZE }> let t_low_comm = Commitment::from_reader(&mut buffer)?; let t_mid_comm = Commitment::from_reader(&mut buffer)?; let t_high_comm = Commitment::from_reader(&mut buffer)?; - let t_4_comm = Commitment::from_reader(&mut buffer)?; + let t_fourth_comm = Commitment::from_reader(&mut buffer)?; let w_z_chall_comm = Commitment::from_reader(&mut buffer)?; let w_z_chall_w_comm = Commitment::from_reader(&mut buffer)?; let evaluations = ProofEvaluations::from_reader(&mut buffer)?; @@ -168,7 +168,7 @@ impl Serializable<{ 11 * Commitment::SIZE + ProofEvaluations::SIZE }> t_low_comm, t_mid_comm, t_high_comm, - t_4_comm, + t_fourth_comm, w_z_chall_comm, w_z_chall_w_comm, evaluations, @@ -219,10 +219,10 @@ pub(crate) mod alloc { // same challenges // // Add commitment to witness polynomials to transcript - transcript.append_commitment(b"a_w", &self.a_comm); - transcript.append_commitment(b"b_w", &self.b_comm); - transcript.append_commitment(b"c_w", &self.c_comm); - transcript.append_commitment(b"d_w", &self.d_comm); + transcript.append_commitment(b"a_comm", &self.a_comm); + transcript.append_commitment(b"b_comm", &self.b_comm); + transcript.append_commitment(b"c_comm", &self.c_comm); + transcript.append_commitment(b"d_comm", &self.d_comm); // Compute beta and gamma challenges let beta = transcript.challenge_scalar(b"beta"); @@ -230,7 +230,7 @@ pub(crate) mod alloc { let gamma = transcript.challenge_scalar(b"gamma"); // Add commitment to permutation polynomial to transcript - transcript.append_commitment(b"z", &self.z_comm); + transcript.append_commitment(b"z_comm", &self.z_comm); // Compute quotient challenge let alpha = transcript.challenge_scalar(b"alpha"); @@ -244,10 +244,10 @@ pub(crate) mod alloc { .challenge_scalar(b"variable base separation challenge"); // Add commitment to quotient polynomial to transcript - transcript.append_commitment(b"t_low", &self.t_low_comm); - transcript.append_commitment(b"t_mid", &self.t_mid_comm); - transcript.append_commitment(b"t_high", &self.t_high_comm); - transcript.append_commitment(b"t_4", &self.t_4_comm); + transcript.append_commitment(b"t_low_comm", &self.t_low_comm); + transcript.append_commitment(b"t_mid_comm", &self.t_mid_comm); + transcript.append_commitment(b"t_high_comm", &self.t_high_comm); + transcript.append_commitment(b"t_fourth_comm", &self.t_fourth_comm); // Compute evaluation challenge z let z_challenge = transcript.challenge_scalar(b"z_challenge"); @@ -273,13 +273,10 @@ pub(crate) mod alloc { transcript.append_scalar(b"z_eval", &self.evaluations.z_eval); - // Add extra evaluations to transcript - transcript - .append_scalar(b"a_next_eval", &self.evaluations.a_next_eval); - transcript - .append_scalar(b"b_next_eval", &self.evaluations.b_next_eval); - transcript - .append_scalar(b"d_next_eval", &self.evaluations.d_next_eval); + // Add extra shifted evaluations to transcript + transcript.append_scalar(b"a_w_eval", &self.evaluations.a_w_eval); + transcript.append_scalar(b"b_w_eval", &self.evaluations.b_w_eval); + transcript.append_scalar(b"d_w_eval", &self.evaluations.d_w_eval); transcript .append_scalar(b"q_arith_eval", &self.evaluations.q_arith_eval); transcript.append_scalar(b"q_c_eval", &self.evaluations.q_c_eval); @@ -290,8 +287,10 @@ pub(crate) mod alloc { let v_w_challenge = transcript.challenge_scalar(b"v_w_challenge"); // Add commitment to openings to transcript - transcript.append_commitment(b"w_z", &self.w_z_chall_comm); - transcript.append_commitment(b"w_z_w", &self.w_z_chall_w_comm); + transcript + .append_commitment(b"w_z_chall_comm", &self.w_z_chall_comm); + transcript + .append_commitment(b"w_z_chall_w_comm", &self.w_z_chall_w_comm); // Compute the challenge 'u' let u_challenge = transcript.challenge_scalar(b"u_challenge"); @@ -410,9 +409,9 @@ pub(crate) mod alloc { self.evaluations.s_sigma_1_eval, self.evaluations.s_sigma_2_eval, self.evaluations.s_sigma_3_eval, - self.evaluations.a_next_eval, - self.evaluations.b_next_eval, - self.evaluations.d_next_eval, + self.evaluations.a_w_eval, + self.evaluations.b_w_eval, + self.evaluations.d_w_eval, ]; // Compute '[E]_1' = (-r_0 + (v)a + (v^2)b + (v^3)c + (v^4)d + @@ -550,7 +549,7 @@ pub(crate) mod alloc { points.push(self.t_high_comm.0); scalars.push(z_three_n); - points.push(self.t_4_comm.0); + points.push(self.t_fourth_comm.0); Commitment::from(msm_variable_base(&points, &scalars)) } @@ -639,7 +638,7 @@ mod proof_tests { t_low_comm: Commitment::default(), t_mid_comm: Commitment::default(), t_high_comm: Commitment::default(), - t_4_comm: Commitment::default(), + t_fourth_comm: Commitment::default(), w_z_chall_comm: Commitment::default(), w_z_chall_w_comm: Commitment::default(), evaluations: ProofEvaluations { @@ -647,9 +646,9 @@ mod proof_tests { b_eval: BlsScalar::random(&mut OsRng), c_eval: BlsScalar::random(&mut OsRng), d_eval: BlsScalar::random(&mut OsRng), - a_next_eval: BlsScalar::random(&mut OsRng), - b_next_eval: BlsScalar::random(&mut OsRng), - d_next_eval: BlsScalar::random(&mut OsRng), + a_w_eval: BlsScalar::random(&mut OsRng), + b_w_eval: BlsScalar::random(&mut OsRng), + d_w_eval: BlsScalar::random(&mut OsRng), q_arith_eval: BlsScalar::random(&mut OsRng), q_c_eval: BlsScalar::random(&mut OsRng), q_l_eval: BlsScalar::random(&mut OsRng), diff --git a/src/proof_system/quotient_poly.rs b/src/proof_system/quotient_poly.rs index e7eea787..3191a534 100644 --- a/src/proof_system/quotient_poly.rs +++ b/src/proof_system/quotient_poly.rs @@ -20,7 +20,7 @@ pub(crate) fn compute( domain: &EvaluationDomain, prover_key: &ProverKey, z_poly: &Polynomial, - (a_w_poly, b_w_poly, c_w_poly, d_w_poly): ( + (a_poly, b_poly, c_poly, d_poly): ( &Polynomial, &Polynomial, &Polynomial, @@ -50,17 +50,17 @@ pub(crate) fn compute( let mut z_eval_8n = domain_8n.coset_fft(z_poly); - let mut a_w_eval_8n = domain_8n.coset_fft(a_w_poly); - let mut b_w_eval_8n = domain_8n.coset_fft(b_w_poly); - let c_w_eval_8n = domain_8n.coset_fft(c_w_poly); - let mut d_w_eval_8n = domain_8n.coset_fft(d_w_poly); + let mut a_eval_8n = domain_8n.coset_fft(a_poly); + let mut b_eval_8n = domain_8n.coset_fft(b_poly); + let c_eval_8n = domain_8n.coset_fft(c_poly); + let mut d_eval_8n = domain_8n.coset_fft(d_poly); for i in 0..8 { z_eval_8n.push(z_eval_8n[i]); - a_w_eval_8n.push(a_w_eval_8n[i]); - b_w_eval_8n.push(b_w_eval_8n[i]); - // c_w_eval_8n push not required - d_w_eval_8n.push(d_w_eval_8n[i]); + a_eval_8n.push(a_eval_8n[i]); + b_eval_8n.push(b_eval_8n[i]); + // c_eval_8n push not required + d_eval_8n.push(d_eval_8n[i]); } let t_1 = compute_circuit_satisfiability_equation( @@ -72,14 +72,14 @@ pub(crate) fn compute( var_base_challenge, ), prover_key, - (&a_w_eval_8n, &b_w_eval_8n, &c_w_eval_8n, &d_w_eval_8n), + (&a_eval_8n, &b_eval_8n, &c_eval_8n, &d_eval_8n), public_inputs_poly, ); let t_2 = compute_permutation_checks( domain, prover_key, - (&a_w_eval_8n, &b_w_eval_8n, &c_w_eval_8n, &d_w_eval_8n), + (&a_eval_8n, &b_eval_8n, &c_eval_8n, &d_eval_8n), &z_eval_8n, (alpha, beta, gamma), ); @@ -103,7 +103,6 @@ pub(crate) fn compute( Ok(Polynomial::from_coefficients_vec(coset)) } -// Ensures that the circuit is satisfied // Ensures that the circuit is satisfied fn compute_circuit_satisfiability_equation( domain: &EvaluationDomain, @@ -114,7 +113,7 @@ fn compute_circuit_satisfiability_equation( var_base_challenge, ): (&BlsScalar, &BlsScalar, &BlsScalar, &BlsScalar), prover_key: &ProverKey, - (a_w_eval_8n, b_w_eval_8n, c_w_eval_8n, d_w_eval_8n): ( + (a_eval_8n, b_eval_8n, c_eval_8n, d_eval_8n): ( &[BlsScalar], &[BlsScalar], &[BlsScalar], @@ -133,66 +132,65 @@ fn compute_circuit_satisfiability_equation( let t: Vec<_> = range .map(|i| { - let a_w = &a_w_eval_8n[i]; - let b_w = &b_w_eval_8n[i]; - let c_w = &c_w_eval_8n[i]; - let d_w = &d_w_eval_8n[i]; - let a_w_next = &a_w_eval_8n[i + 8]; - let b_w_next = &b_w_eval_8n[i + 8]; - let d_w_next = &d_w_eval_8n[i + 8]; + let a = &a_eval_8n[i]; + let b = &b_eval_8n[i]; + let c = &c_eval_8n[i]; + let d = &d_eval_8n[i]; + let a_w = &a_eval_8n[i + 8]; + let b_w = &b_eval_8n[i + 8]; + let d_w = &d_eval_8n[i + 8]; let pi = &public_eval_8n[i]; - let a = prover_key - .arithmetic - .compute_quotient_i(i, a_w, b_w, c_w, d_w); + let t_arith = + prover_key.arithmetic.compute_quotient_i(i, a, b, c, d); - let b = prover_key.range.compute_quotient_i( + let t_range = prover_key.range.compute_quotient_i( i, range_challenge, - a_w, - b_w, - c_w, + a, + b, + c, + d, d_w, - d_w_next, ); - let c = prover_key.logic.compute_quotient_i( + let t_logic = prover_key.logic.compute_quotient_i( i, logic_challenge, + a, a_w, - a_w_next, + b, b_w, - b_w_next, - c_w, + c, + d, d_w, - d_w_next, ); - let d = prover_key.fixed_base.compute_quotient_i( + let t_fixed = prover_key.fixed_base.compute_quotient_i( i, fixed_base_challenge, + a, a_w, - a_w_next, + b, b_w, - b_w_next, - c_w, + c, + d, d_w, - d_w_next, ); - let e = prover_key.variable_base.compute_quotient_i( + let t_var = prover_key.variable_base.compute_quotient_i( i, var_base_challenge, + a, a_w, - a_w_next, + b, b_w, - b_w_next, - c_w, + c, + d, d_w, - d_w_next, ); - (a + pi) + b + c + d + e + t_arith + t_range + t_logic + t_fixed + t_var + pi }) .collect(); t @@ -201,7 +199,7 @@ fn compute_circuit_satisfiability_equation( fn compute_permutation_checks( domain: &EvaluationDomain, prover_key: &ProverKey, - (a_w_eval_8n, b_w_eval_8n, c_w_eval_8n, d_w_eval_8n): ( + (a_eval_8n, b_eval_8n, c_eval_8n, d_eval_8n): ( &[BlsScalar], &[BlsScalar], &[BlsScalar], @@ -225,10 +223,10 @@ fn compute_permutation_checks( .map(|i| { prover_key.permutation.compute_quotient_i( i, - &a_w_eval_8n[i], - &b_w_eval_8n[i], - &c_w_eval_8n[i], - &d_w_eval_8n[i], + &a_eval_8n[i], + &b_eval_8n[i], + &c_eval_8n[i], + &d_eval_8n[i], &z_eval_8n[i], &z_eval_8n[i + 8], alpha, diff --git a/src/proof_system/widget.rs b/src/proof_system/widget.rs index f1c48846..dda20b16 100644 --- a/src/proof_system/widget.rs +++ b/src/proof_system/widget.rs @@ -91,7 +91,7 @@ impl Serializable<{ 20 * Commitment::SIZE + u64::SIZE }> for VerifierKey { writer.write(&self.arithmetic.q_l.to_bytes()); writer.write(&self.arithmetic.q_r.to_bytes()); writer.write(&self.arithmetic.q_o.to_bytes()); - writer.write(&self.arithmetic.q_4.to_bytes()); + writer.write(&self.arithmetic.q_f.to_bytes()); writer.write(&self.arithmetic.q_c.to_bytes()); writer.write(&self.arithmetic.q_arith.to_bytes()); writer.write(&self.logic.q_logic.to_bytes()); @@ -140,7 +140,7 @@ impl VerifierKey { q_l: Commitment, q_r: Commitment, q_o: Commitment, - q_4: Commitment, + q_f: Commitment, q_c: Commitment, q_arith: Commitment, q_logic: Commitment, @@ -157,7 +157,7 @@ impl VerifierKey { q_l, q_r, q_o, - q_4, + q_f, q_c, q_arith, }; @@ -213,7 +213,7 @@ pub(crate) mod alloc { transcript.append_commitment(b"q_r", &self.arithmetic.q_r); transcript.append_commitment(b"q_o", &self.arithmetic.q_o); transcript.append_commitment(b"q_c", &self.arithmetic.q_c); - transcript.append_commitment(b"q_4", &self.arithmetic.q_4); + transcript.append_commitment(b"q_f", &self.arithmetic.q_f); transcript.append_commitment(b"q_arith", &self.arithmetic.q_arith); transcript.append_commitment(b"q_range", &self.range.q_range); transcript.append_commitment(b"q_logic", &self.logic.q_logic); @@ -286,7 +286,7 @@ pub(crate) mod alloc { /// Returns the size of the ProverKey for serialization. /// /// Note: - /// Duplicate polynomials of the ProverKey (e.g. `q_l`, `q_r` and `q_c`) + /// Duplicate polynomials of the ProverKey (e.g. `q_L`, `q_R` and `q_C`) /// are only counted once. fn serialization_size(&self) -> usize { // Fetch size in bytes of each Polynomial @@ -344,9 +344,9 @@ pub(crate) mod alloc { writer.write(&self.arithmetic.q_o.0.to_var_bytes()); writer.write(&self.arithmetic.q_o.1.to_var_bytes()); - writer.write(&(self.arithmetic.q_4.0.len() as u64).to_bytes()); - writer.write(&self.arithmetic.q_4.0.to_var_bytes()); - writer.write(&self.arithmetic.q_4.1.to_var_bytes()); + writer.write(&(self.arithmetic.q_f.0.len() as u64).to_bytes()); + writer.write(&self.arithmetic.q_f.0.to_var_bytes()); + writer.write(&self.arithmetic.q_f.1.to_var_bytes()); writer.write(&(self.arithmetic.q_c.0.len() as u64).to_bytes()); writer.write(&self.arithmetic.q_c.0.to_var_bytes()); @@ -464,9 +464,9 @@ pub(crate) mod alloc { let q_o_evals = evals_from_reader(&mut buffer)?; let q_o = (q_o_poly, q_o_evals); - let q_4_poly = poly_from_reader(&mut buffer)?; - let q_4_evals = evals_from_reader(&mut buffer)?; - let q_4 = (q_4_poly, q_4_evals); + let q_f_poly = poly_from_reader(&mut buffer)?; + let q_f_evals = evals_from_reader(&mut buffer)?; + let q_f = (q_f_poly, q_f_evals); let q_c_poly = poly_from_reader(&mut buffer)?; let q_c_evals = evals_from_reader(&mut buffer)?; @@ -520,7 +520,7 @@ pub(crate) mod alloc { q_r: q_r.clone(), q_o, q_c: q_c.clone(), - q_4, + q_f, q_arith, }; @@ -604,7 +604,7 @@ mod test { let q_r = rand_poly_eval(n); let q_o = rand_poly_eval(n); let q_c = rand_poly_eval(n); - let q_4 = rand_poly_eval(n); + let q_f = rand_poly_eval(n); let q_arith = rand_poly_eval(n); let q_logic = rand_poly_eval(n); @@ -629,7 +629,7 @@ mod test { q_r: q_r.clone(), q_o, q_c: q_c.clone(), - q_4, + q_f, q_arith, }; @@ -689,7 +689,7 @@ mod test { let q_r = Commitment(G1Affine::generator()); let q_o = Commitment(G1Affine::generator()); let q_c = Commitment(G1Affine::generator()); - let q_4 = Commitment(G1Affine::generator()); + let q_f = Commitment(G1Affine::generator()); let q_arith = Commitment(G1Affine::generator()); let q_range = Commitment(G1Affine::generator()); @@ -710,7 +710,7 @@ mod test { q_r, q_o, q_c, - q_4, + q_f, q_arith, }; diff --git a/src/proof_system/widget/arithmetic/proverkey.rs b/src/proof_system/widget/arithmetic/proverkey.rs index 1a964303..d12993e7 100644 --- a/src/proof_system/widget/arithmetic/proverkey.rs +++ b/src/proof_system/widget/arithmetic/proverkey.rs @@ -33,7 +33,7 @@ pub(crate) struct ProverKey { #[cfg_attr(feature = "rkyv-impl", omit_bounds)] pub q_o: (Polynomial, Evaluations), #[cfg_attr(feature = "rkyv-impl", omit_bounds)] - pub q_4: (Polynomial, Evaluations), + pub q_f: (Polynomial, Evaluations), #[cfg_attr(feature = "rkyv-impl", omit_bounds)] pub q_c: (Polynomial, Evaluations), #[cfg_attr(feature = "rkyv-impl", omit_bounds)] @@ -44,27 +44,27 @@ impl ProverKey { pub(crate) fn compute_quotient_i( &self, index: usize, - a_w_i: &BlsScalar, - b_w_i: &BlsScalar, - c_w_i: &BlsScalar, - d_w_i: &BlsScalar, + a_i: &BlsScalar, + b_i: &BlsScalar, + c_i: &BlsScalar, + d_i: &BlsScalar, ) -> BlsScalar { let q_m_i = &self.q_m.1[index]; let q_l_i = &self.q_l.1[index]; let q_r_i = &self.q_r.1[index]; let q_o_i = &self.q_o.1[index]; - let q_4_i = &self.q_4.1[index]; + let q_f_i = &self.q_f.1[index]; let q_c_i = &self.q_c.1[index]; let q_arith_i = &self.q_arith.1[index]; - // (a(x)b(x)q_M(x) + a(x)q_L(x) + b(X)q_R(x) + c(X)q_O(X) + d(x)q_4(X) + - // Q_C(X)) * Q_Arith(X) + // (a(x)b(x)q_M(x) + a(x)q_L(x) + b(X)q_R(x) + c(X)q_O(X) + d(x)q_F(X) + + // Q_C(X)) * Q_arith(X) // - let a_1 = a_w_i * b_w_i * q_m_i; - let a_2 = a_w_i * q_l_i; - let a_3 = b_w_i * q_r_i; - let a_4 = c_w_i * q_o_i; - let a_5 = d_w_i * q_4_i; + let a_1 = a_i * b_i * q_m_i; + let a_2 = a_i * q_l_i; + let a_3 = b_i * q_r_i; + let a_4 = c_i * q_o_i; + let a_5 = d_i * q_f_i; let a_6 = q_c_i; (a_1 + a_2 + a_3 + a_4 + a_5 + a_6) * q_arith_i } @@ -77,11 +77,11 @@ impl ProverKey { let q_l_poly = &self.q_l.0; let q_r_poly = &self.q_r.0; let q_o_poly = &self.q_o.0; - let q_4_poly = &self.q_4.0; + let q_f_poly = &self.q_f.0; let q_c_poly = &self.q_c.0; // (a_eval * b_eval * q_m_poly + a_eval * q_l + b_eval * q_r + c_eval - // * q_o + d_eval * q_4 + q_c) * q_arith_eval + // * q_o + d_eval * q_f + q_c) * q_arith_eval // // a_eval * b_eval * q_m_poly let ab = evaluations.a_eval * evaluations.b_eval; @@ -96,8 +96,8 @@ impl ProverKey { //c_eval * q_o let a_3 = q_o_poly * &evaluations.c_eval; - // d_eval * q_4 - let a_4 = q_4_poly * &evaluations.d_eval; + // d_eval * q_f + let a_4 = q_f_poly * &evaluations.d_eval; let mut a = &a_0 + &a_1; a = &a + &a_2; diff --git a/src/proof_system/widget/arithmetic/verifierkey.rs b/src/proof_system/widget/arithmetic/verifierkey.rs index b67c3457..8bd3506c 100644 --- a/src/proof_system/widget/arithmetic/verifierkey.rs +++ b/src/proof_system/widget/arithmetic/verifierkey.rs @@ -32,7 +32,7 @@ pub(crate) struct VerifierKey { #[cfg_attr(feature = "rkyv-impl", omit_bounds)] pub q_o: Commitment, #[cfg_attr(feature = "rkyv-impl", omit_bounds)] - pub q_4: Commitment, + pub q_f: Commitment, #[cfg_attr(feature = "rkyv-impl", omit_bounds)] pub q_c: Commitment, #[cfg_attr(feature = "rkyv-impl", omit_bounds)] @@ -51,7 +51,7 @@ impl Serializable<{ 7 * Commitment::SIZE }> for VerifierKey { writer.write(&self.q_l.to_bytes()); writer.write(&self.q_r.to_bytes()); writer.write(&self.q_o.to_bytes()); - writer.write(&self.q_4.to_bytes()); + writer.write(&self.q_f.to_bytes()); writer.write(&self.q_c.to_bytes()); writer.write(&self.q_arith.to_bytes()); @@ -64,7 +64,7 @@ impl Serializable<{ 7 * Commitment::SIZE }> for VerifierKey { let q_l = Commitment::from_reader(&mut buffer)?; let q_r = Commitment::from_reader(&mut buffer)?; let q_o = Commitment::from_reader(&mut buffer)?; - let q_4 = Commitment::from_reader(&mut buffer)?; + let q_f = Commitment::from_reader(&mut buffer)?; let q_c = Commitment::from_reader(&mut buffer)?; let q_arith = Commitment::from_reader(&mut buffer)?; @@ -73,7 +73,7 @@ impl Serializable<{ 7 * Commitment::SIZE }> for VerifierKey { q_l, q_r, q_o, - q_4, + q_f, q_c, q_arith, }) @@ -111,7 +111,7 @@ mod alloc { points.push(self.q_o.0); scalars.push(evaluations.d_eval * q_arith_eval); - points.push(self.q_4.0); + points.push(self.q_f.0); scalars.push(q_arith_eval); points.push(self.q_c.0); diff --git a/src/proof_system/widget/ecc/curve_addition/proverkey.rs b/src/proof_system/widget/ecc/curve_addition/proverkey.rs index c23ce1a1..1c80afc4 100644 --- a/src/proof_system/widget/ecc/curve_addition/proverkey.rs +++ b/src/proof_system/widget/ecc/curve_addition/proverkey.rs @@ -34,25 +34,25 @@ impl ProverKey { &self, index: usize, curve_add_separation_challenge: &BlsScalar, - a_w_i: &BlsScalar, // x_1 - a_w_i_next: &BlsScalar, // x_3 - b_w_i: &BlsScalar, // y_1 - b_w_i_next: &BlsScalar, // y_3 - c_w_i: &BlsScalar, // x_2 - d_w_i: &BlsScalar, // y_2 - d_w_i_next: &BlsScalar, // x_1 * y_2 + a_i: &BlsScalar, // x_1 + a_i_w: &BlsScalar, // x_3 + b_i: &BlsScalar, // y_1 + b_i_w: &BlsScalar, // y_3 + c_i: &BlsScalar, // x_2 + d_i: &BlsScalar, // y_2 + d_i_w: &BlsScalar, // x_1 * y_2 ) -> BlsScalar { let q_variable_group_add_i = &self.q_variable_group_add.1[index]; let kappa = curve_add_separation_challenge.square(); - let x_1 = a_w_i; - let x_3 = a_w_i_next; - let y_1 = b_w_i; - let y_3 = b_w_i_next; - let x_2 = c_w_i; - let y_2 = d_w_i; - let x1_y2 = d_w_i_next; + let x_1 = a_i; + let x_3 = a_i_w; + let y_1 = b_i; + let y_3 = b_i_w; + let x_2 = c_i; + let y_2 = d_i; + let x1_y2 = d_i_w; // Checks // @@ -88,12 +88,12 @@ impl ProverKey { let kappa = curve_add_separation_challenge.square(); let x_1 = evaluations.a_eval; - let x_3 = evaluations.a_next_eval; + let x_3 = evaluations.a_w_eval; let y_1 = evaluations.b_eval; - let y_3 = evaluations.b_next_eval; + let y_3 = evaluations.b_w_eval; let x_2 = evaluations.c_eval; let y_2 = evaluations.d_eval; - let x1_y2 = evaluations.d_next_eval; + let x1_y2 = evaluations.d_w_eval; // Checks // diff --git a/src/proof_system/widget/ecc/curve_addition/verifierkey.rs b/src/proof_system/widget/ecc/curve_addition/verifierkey.rs index b9ba063d..2453d743 100644 --- a/src/proof_system/widget/ecc/curve_addition/verifierkey.rs +++ b/src/proof_system/widget/ecc/curve_addition/verifierkey.rs @@ -46,12 +46,12 @@ mod alloc { let kappa = curve_add_separation_challenge.square(); let x_1 = evaluations.a_eval; - let x_3 = evaluations.a_next_eval; + let x_3 = evaluations.a_w_eval; let y_1 = evaluations.b_eval; - let y_3 = evaluations.b_next_eval; + let y_3 = evaluations.b_w_eval; let x_2 = evaluations.c_eval; let y_2 = evaluations.d_eval; - let x1_y2 = evaluations.d_next_eval; + let x1_y2 = evaluations.d_w_eval; // Checks // diff --git a/src/proof_system/widget/ecc/scalar_mul/fixed_base/proverkey.rs b/src/proof_system/widget/ecc/scalar_mul/fixed_base/proverkey.rs index 93cf85a5..f83b845e 100644 --- a/src/proof_system/widget/ecc/scalar_mul/fixed_base/proverkey.rs +++ b/src/proof_system/widget/ecc/scalar_mul/fixed_base/proverkey.rs @@ -40,13 +40,13 @@ impl ProverKey { &self, index: usize, ecc_separation_challenge: &BlsScalar, - a_w_i: &BlsScalar, // acc_x or curr_x - a_w_i_next: &BlsScalar, // // next_x - b_w_i: &BlsScalar, // acc_y or curr_y - b_w_i_next: &BlsScalar, // next_y - c_w_i: &BlsScalar, // xy_alpha - d_w_i: &BlsScalar, // accumulated_bit - d_w_i_next: &BlsScalar, // accumulated_bit_next + a_i: &BlsScalar, // acc_x or curr_x + a_i_w: &BlsScalar, // shifted x + b_i: &BlsScalar, // acc_y or curr_y + b_i_w: &BlsScalar, // shifted y + c_i: &BlsScalar, // xy_alpha + d_i: &BlsScalar, // accumulated_bit + d_i_w: &BlsScalar, // accumulated_bit_w ) -> BlsScalar { let q_fixed_group_add_i = &self.q_fixed_group_add.1[index]; let q_c_i = &self.q_c.1[index]; @@ -58,16 +58,16 @@ impl ProverKey { let x_beta = &self.q_l.1[index]; let y_beta = &self.q_r.1[index]; - let acc_x = a_w_i; - let acc_x_next = a_w_i_next; - let acc_y = b_w_i; - let acc_y_next = b_w_i_next; + let acc_x = a_i; + let acc_x_w = a_i_w; + let acc_y = b_i; + let acc_y_w = b_i_w; - let xy_alpha = c_w_i; + let xy_alpha = c_i; - let accumulated_bit = d_w_i; - let accumulated_bit_next = d_w_i_next; - let bit = extract_bit(accumulated_bit, accumulated_bit_next); + let accumulated_bit = d_i; + let accumulated_bit_w = d_i_w; + let bit = extract_bit(accumulated_bit, accumulated_bit_w); // Checks // @@ -83,13 +83,13 @@ impl ProverKey { let xy_consistency = ((bit * q_c_i) - xy_alpha) * kappa; // x accumulator consistency check - let x_3 = acc_x_next; + let x_3 = acc_x_w; let lhs = x_3 + (x_3 * xy_alpha * acc_x * acc_y * EDWARDS_D); let rhs = (acc_x * y_alpha) + (acc_y * x_alpha); let x_acc_consistency = (lhs - rhs) * kappa_sq; // y accumulator consistency check - let y_3 = acc_y_next; + let y_3 = acc_y_w; let lhs = y_3 - (y_3 * xy_alpha * acc_x * acc_y * EDWARDS_D); let rhs = (acc_y * y_alpha) + (acc_x * x_alpha); let y_acc_consistency = (lhs - rhs) * kappa_cu; @@ -117,15 +117,15 @@ impl ProverKey { let y_beta_eval = evaluations.q_r_eval; let acc_x = evaluations.a_eval; - let acc_x_next = evaluations.a_next_eval; + let acc_x_w = evaluations.a_w_eval; let acc_y = evaluations.b_eval; - let acc_y_next = evaluations.b_next_eval; + let acc_y_w = evaluations.b_w_eval; let xy_alpha = evaluations.c_eval; let accumulated_bit = evaluations.d_eval; - let accumulated_bit_next = evaluations.d_next_eval; - let bit = extract_bit(&accumulated_bit, &accumulated_bit_next); + let accumulated_bit_w = evaluations.d_w_eval; + let bit = extract_bit(&accumulated_bit, &accumulated_bit_w); // Check bit consistency let bit_consistency = check_bit_consistency(bit); @@ -139,13 +139,13 @@ impl ProverKey { let xy_consistency = ((bit * evaluations.q_c_eval) - xy_alpha) * kappa; // x accumulator consistency check - let x_3 = acc_x_next; + let x_3 = acc_x_w; let lhs = x_3 + (x_3 * xy_alpha * acc_x * acc_y * EDWARDS_D); let rhs = (x_alpha * acc_y) + (y_alpha * acc_x); let x_acc_consistency = (lhs - rhs) * kappa_sq; // y accumulator consistency check - let y_3 = acc_y_next; + let y_3 = acc_y_w; let lhs = y_3 - (y_3 * xy_alpha * acc_x * acc_y * EDWARDS_D); let rhs = (x_alpha * acc_x) + (y_alpha * acc_y); let y_acc_consistency = (lhs - rhs) * kappa_cu; @@ -159,12 +159,9 @@ impl ProverKey { } } -pub(crate) fn extract_bit( - curr_acc: &BlsScalar, - next_acc: &BlsScalar, -) -> BlsScalar { - // Next - 2 * current - next_acc - curr_acc - curr_acc +pub(crate) fn extract_bit(acc: &BlsScalar, acc_w: &BlsScalar) -> BlsScalar { + // acc_w - 2 * acc + acc_w - acc - acc } // Ensures that the bit is either +1, -1 or 0 diff --git a/src/proof_system/widget/ecc/scalar_mul/fixed_base/verifierkey.rs b/src/proof_system/widget/ecc/scalar_mul/fixed_base/verifierkey.rs index 8b0adbea..8b1e8bc2 100644 --- a/src/proof_system/widget/ecc/scalar_mul/fixed_base/verifierkey.rs +++ b/src/proof_system/widget/ecc/scalar_mul/fixed_base/verifierkey.rs @@ -58,15 +58,15 @@ mod alloc { let y_beta_eval = evaluations.q_r_eval; let acc_x = evaluations.a_eval; - let acc_x_next = evaluations.a_next_eval; + let acc_x_w = evaluations.a_w_eval; let acc_y = evaluations.b_eval; - let acc_y_next = evaluations.b_next_eval; + let acc_y_w = evaluations.b_w_eval; let xy_alpha = evaluations.c_eval; let accumulated_bit = evaluations.d_eval; - let accumulated_bit_next = evaluations.d_next_eval; - let bit = extract_bit(&accumulated_bit, &accumulated_bit_next); + let accumulated_bit_w = evaluations.d_w_eval; + let bit = extract_bit(&accumulated_bit, &accumulated_bit_w); // Check bit consistency let bit_consistency = check_bit_consistency(bit); @@ -81,13 +81,13 @@ mod alloc { ((bit * evaluations.q_c_eval) - xy_alpha) * kappa; // x accumulator consistency check - let x_3 = acc_x_next; + let x_3 = acc_x_w; let lhs = x_3 + (x_3 * xy_alpha * acc_x * acc_y * EDWARDS_D); let rhs = (x_alpha * acc_y) + (y_alpha * acc_x); let x_acc_consistency = (lhs - rhs) * kappa_sq; // y accumulator consistency check - let y_3 = acc_y_next; + let y_3 = acc_y_w; let lhs = y_3 - (y_3 * xy_alpha * acc_x * acc_y * EDWARDS_D); let rhs = (x_alpha * acc_x) + (y_alpha * acc_y); let y_acc_consistency = (lhs - rhs) * kappa_cu; diff --git a/src/proof_system/widget/logic/proverkey.rs b/src/proof_system/widget/logic/proverkey.rs index 38973517..72865c54 100644 --- a/src/proof_system/widget/logic/proverkey.rs +++ b/src/proof_system/widget/logic/proverkey.rs @@ -36,13 +36,13 @@ impl ProverKey { &self, index: usize, logic_separation_challenge: &BlsScalar, - a_w_i: &BlsScalar, - a_w_i_next: &BlsScalar, - b_w_i: &BlsScalar, - b_w_i_next: &BlsScalar, - c_w_i: &BlsScalar, - d_w_i: &BlsScalar, - d_w_i_next: &BlsScalar, + a_i: &BlsScalar, + a_i_w: &BlsScalar, + b_i: &BlsScalar, + b_i_w: &BlsScalar, + c_i: &BlsScalar, + d_i: &BlsScalar, + d_i_w: &BlsScalar, ) -> BlsScalar { let four = BlsScalar::from(4); @@ -54,21 +54,21 @@ impl ProverKey { let kappa_cu = kappa_sq * kappa; let kappa_qu = kappa_cu * kappa; - let a = a_w_i_next - four * a_w_i; - let o_0 = delta(a); + let a = a_i_w - four * a_i; + let c_0 = delta(a); - let b = b_w_i_next - four * b_w_i; - let o_1 = delta(b) * kappa; + let b = b_i_w - four * b_i; + let c_1 = delta(b) * kappa; - let d = d_w_i_next - four * d_w_i; - let o_2 = delta(d) * kappa_sq; + let d = d_i_w - four * d_i; + let c_2 = delta(d) * kappa_sq; - let w = c_w_i; - let o_3 = (w - a * b) * kappa_cu; + let w = c_i; + let c_3 = (w - a * b) * kappa_cu; - let o_4 = delta_xor_and(&a, &b, w, &d, q_c_i) * kappa_qu; + let c_4 = delta_xor_and(&a, &b, w, &d, q_c_i) * kappa_qu; - q_logic_i * (o_3 + o_0 + o_1 + o_2 + o_4) * logic_separation_challenge + q_logic_i * (c_3 + c_0 + c_1 + c_2 + c_4) * logic_separation_challenge } pub(crate) fn compute_linearization( @@ -84,22 +84,22 @@ impl ProverKey { let kappa_cu = kappa_sq * kappa; let kappa_qu = kappa_cu * kappa; - let a = evaluations.a_next_eval - four * evaluations.a_eval; - let o_0 = delta(a); + let a = evaluations.a_w_eval - four * evaluations.a_eval; + let c_0 = delta(a); - let b = evaluations.b_next_eval - four * evaluations.b_eval; - let o_1 = delta(b) * kappa; + let b = evaluations.b_w_eval - four * evaluations.b_eval; + let c_1 = delta(b) * kappa; - let d = evaluations.d_next_eval - four * evaluations.d_eval; - let o_2 = delta(d) * kappa_sq; + let d = evaluations.d_w_eval - four * evaluations.d_eval; + let c_2 = delta(d) * kappa_sq; let w = evaluations.c_eval; - let o_3 = (w - a * b) * kappa_cu; + let c_3 = (w - a * b) * kappa_cu; - let o_4 = + let c_4 = delta_xor_and(&a, &b, &w, &d, &evaluations.q_c_eval) * kappa_qu; - let t = (o_0 + o_1 + o_2 + o_3 + o_4) * logic_separation_challenge; + let t = (c_0 + c_1 + c_2 + c_3 + c_4) * logic_separation_challenge; q_logic_poly * &t } diff --git a/src/proof_system/widget/logic/verifierkey.rs b/src/proof_system/widget/logic/verifierkey.rs index 22773ad4..ec8aa626 100644 --- a/src/proof_system/widget/logic/verifierkey.rs +++ b/src/proof_system/widget/logic/verifierkey.rs @@ -52,22 +52,22 @@ mod alloc { let kappa_cu = kappa_sq * kappa; let kappa_qu = kappa_cu * kappa; - let a = evaluations.a_next_eval - four * evaluations.a_eval; - let o_0 = delta(a); + let a = evaluations.a_w_eval - four * evaluations.a_eval; + let c_0 = delta(a); - let b = evaluations.b_next_eval - four * evaluations.b_eval; - let o_1 = delta(b) * kappa; + let b = evaluations.b_w_eval - four * evaluations.b_eval; + let c_1 = delta(b) * kappa; - let d = evaluations.d_next_eval - four * evaluations.d_eval; - let o_2 = delta(d) * kappa_sq; + let d = evaluations.d_w_eval - four * evaluations.d_eval; + let c_2 = delta(d) * kappa_sq; - let o = evaluations.c_eval; - let o_3 = (o - a * b) * kappa_cu; + let w = evaluations.c_eval; + let c_3 = (w - a * b) * kappa_cu; - let o_4 = - delta_xor_and(&a, &b, &o, &d, &evaluations.q_c_eval) * kappa_qu; + let c_4 = + delta_xor_and(&a, &b, &w, &d, &evaluations.q_c_eval) * kappa_qu; scalars.push( - (o_0 + o_1 + o_2 + o_3 + o_4) * logic_separation_challenge, + (c_0 + c_1 + c_2 + c_3 + c_4) * logic_separation_challenge, ); points.push(self.q_logic.0); } diff --git a/src/proof_system/widget/permutation/proverkey.rs b/src/proof_system/widget/permutation/proverkey.rs index 47ed6841..8da74f10 100644 --- a/src/proof_system/widget/permutation/proverkey.rs +++ b/src/proof_system/widget/permutation/proverkey.rs @@ -46,22 +46,22 @@ impl ProverKey { pub(crate) fn compute_quotient_i( &self, index: usize, - a_w_i: &BlsScalar, - b_w_i: &BlsScalar, - c_w_i: &BlsScalar, - d_w_i: &BlsScalar, + a_i: &BlsScalar, + b_i: &BlsScalar, + c_i: &BlsScalar, + d_i: &BlsScalar, z_i: &BlsScalar, - z_i_next: &BlsScalar, + z_i_w: &BlsScalar, alpha: &BlsScalar, l1_alpha_sq: &BlsScalar, beta: &BlsScalar, gamma: &BlsScalar, ) -> BlsScalar { let a = self.compute_quotient_identity_range_check_i( - index, a_w_i, b_w_i, c_w_i, d_w_i, z_i, alpha, beta, gamma, + index, a_i, b_i, c_i, d_i, z_i, alpha, beta, gamma, ); let b = self.compute_quotient_copy_range_check_i( - index, a_w_i, b_w_i, c_w_i, d_w_i, z_i_next, alpha, beta, gamma, + index, a_i, b_i, c_i, d_i, z_i_w, alpha, beta, gamma, ); let c = self.compute_quotient_term_check_one_i(z_i, l1_alpha_sq); a + b + c @@ -71,10 +71,10 @@ impl ProverKey { fn compute_quotient_identity_range_check_i( &self, index: usize, - a_w_i: &BlsScalar, - b_w_i: &BlsScalar, - c_w_i: &BlsScalar, - d_w_i: &BlsScalar, + a_i: &BlsScalar, + b_i: &BlsScalar, + c_i: &BlsScalar, + d_i: &BlsScalar, z_i: &BlsScalar, alpha: &BlsScalar, beta: &BlsScalar, @@ -82,10 +82,10 @@ impl ProverKey { ) -> BlsScalar { let x = self.linear_evaluations[index]; - (a_w_i + (beta * x) + gamma) - * (b_w_i + (beta * K1 * x) + gamma) - * (c_w_i + (beta * K2 * x) + gamma) - * (d_w_i + (beta * K3 * x) + gamma) + (a_i + (beta * x) + gamma) + * (b_i + (beta * K1 * x) + gamma) + * (c_i + (beta * K2 * x) + gamma) + * (d_i + (beta * K3 * x) + gamma) * z_i * alpha } @@ -95,11 +95,11 @@ impl ProverKey { fn compute_quotient_copy_range_check_i( &self, index: usize, - a_w_i: &BlsScalar, - b_w_i: &BlsScalar, - c_w_i: &BlsScalar, - d_w_i: &BlsScalar, - z_i_next: &BlsScalar, + a_i: &BlsScalar, + b_i: &BlsScalar, + c_i: &BlsScalar, + d_i: &BlsScalar, + z_i_w: &BlsScalar, alpha: &BlsScalar, beta: &BlsScalar, gamma: &BlsScalar, @@ -109,11 +109,11 @@ impl ProverKey { let s_sigma_3_eval = self.s_sigma_3.1[index]; let s_sigma_4_eval = self.s_sigma_4.1[index]; - let product = (a_w_i + (beta * s_sigma_1_eval) + gamma) - * (b_w_i + (beta * s_sigma_2_eval) + gamma) - * (c_w_i + (beta * s_sigma_3_eval) + gamma) - * (d_w_i + (beta * s_sigma_4_eval) + gamma) - * z_i_next + let product = (a_i + (beta * s_sigma_1_eval) + gamma) + * (b_i + (beta * s_sigma_2_eval) + gamma) + * (c_i + (beta * s_sigma_3_eval) + gamma) + * (d_i + (beta * s_sigma_4_eval) + gamma) + * z_i_w * alpha; -product diff --git a/src/proof_system/widget/range/proverkey.rs b/src/proof_system/widget/range/proverkey.rs index 507d8bf4..2a99efc5 100644 --- a/src/proof_system/widget/range/proverkey.rs +++ b/src/proof_system/widget/range/proverkey.rs @@ -33,11 +33,11 @@ impl ProverKey { &self, index: usize, range_separation_challenge: &BlsScalar, - a_w_i: &BlsScalar, - b_w_i: &BlsScalar, - c_w_i: &BlsScalar, - d_w_i: &BlsScalar, - d_w_i_next: &BlsScalar, + a_i: &BlsScalar, + b_i: &BlsScalar, + c_i: &BlsScalar, + d_i: &BlsScalar, + d_i_w: &BlsScalar, ) -> BlsScalar { let four = BlsScalar::from(4); let q_range_i = &self.q_range.1[index]; @@ -49,10 +49,10 @@ impl ProverKey { // Delta([o(X) - 4 * d(X)]) + Delta([b(X) - 4 * o(X)]) + Delta([a(X) - 4 // * b(X)]) + Delta([d(Xg) - 4 * a(X)]) * Q_Range(X) // - let b_1 = delta(c_w_i - four * d_w_i); - let b_2 = delta(b_w_i - four * c_w_i) * kappa; - let b_3 = delta(a_w_i - four * b_w_i) * kappa_sq; - let b_4 = delta(d_w_i_next - four * a_w_i) * kappa_cu; + let b_1 = delta(c_i - four * d_i); + let b_2 = delta(b_i - four * c_i) * kappa; + let b_3 = delta(a_i - four * b_i) * kappa_sq; + let b_4 = delta(d_i_w - four * a_i) * kappa_cu; (b_1 + b_2 + b_3 + b_4) * q_range_i * range_separation_challenge } @@ -69,14 +69,14 @@ impl ProverKey { let kappa_cu = kappa_sq * kappa; // Delta([c_eval - 4 * d_eval]) + Delta([b_eval - 4 * c_eval]) + - // Delta([a_eval - 4 * b_eval]) + Delta([d_next_eval - 4 * a_eval]) * + // Delta([a_eval - 4 * b_eval]) + Delta([d_w_eval - 4 * a_eval]) * // Q_Range(X) let b_1 = delta(evaluations.c_eval - four * evaluations.d_eval); let b_2 = delta(evaluations.b_eval - four * evaluations.c_eval) * kappa; let b_3 = delta(evaluations.a_eval - four * evaluations.b_eval) * kappa_sq; - let b_4 = delta(evaluations.d_next_eval - four * evaluations.a_eval) - * kappa_cu; + let b_4 = + delta(evaluations.d_w_eval - four * evaluations.a_eval) * kappa_cu; let t = (b_1 + b_2 + b_3 + b_4) * range_separation_challenge; diff --git a/src/proof_system/widget/range/verifierkey.rs b/src/proof_system/widget/range/verifierkey.rs index 43af8041..e32ebb68 100644 --- a/src/proof_system/widget/range/verifierkey.rs +++ b/src/proof_system/widget/range/verifierkey.rs @@ -54,9 +54,8 @@ mod alloc { delta(evaluations.b_eval - four * evaluations.c_eval) * kappa; let b_3 = delta(evaluations.a_eval - four * evaluations.b_eval) * kappa_sq; - let b_4 = - delta(evaluations.d_next_eval - (four * evaluations.a_eval)) - * kappa_cu; + let b_4 = delta(evaluations.d_w_eval - (four * evaluations.a_eval)) + * kappa_cu; scalars.push((b_1 + b_2 + b_3 + b_4) * range_separation_challenge); points.push(self.q_range.0); diff --git a/tests/append_gate.rs b/tests/append_gate.rs index 77e75ff6..9a06f210 100644 --- a/tests/append_gate.rs +++ b/tests/append_gate.rs @@ -18,7 +18,7 @@ fn append_gate() { pub struct TestCircuit { a: BlsScalar, b: BlsScalar, - o: BlsScalar, + c: BlsScalar, d: BlsScalar, public: BlsScalar, } @@ -27,20 +27,20 @@ fn append_gate() { pub fn new( a: BlsScalar, b: BlsScalar, - o: BlsScalar, + c: BlsScalar, d: BlsScalar, public: BlsScalar, ) -> Self { - Self { a, b, o, d, public } + Self { a, b, c, d, public } } } impl Circuit for TestCircuit { fn circuit(&self, composer: &mut Composer) -> Result<(), Error> { - let w_a = composer.append_witness(self.a); - let w_b = composer.append_witness(self.b); - let w_o = composer.append_witness(self.o); - let w_d = composer.append_witness(self.d); + let a = composer.append_witness(self.a); + let b = composer.append_witness(self.b); + let c = composer.append_witness(self.c); + let d = composer.append_witness(self.d); let constraint = Constraint::new() .left(1) @@ -48,10 +48,10 @@ fn append_gate() { .mult(1) .fourth(1) .output(1) - .a(w_a) - .b(w_b) - .o(w_o) - .d(w_d) + .a(a) + .b(b) + .c(c) + .d(d) .public(self.public) .constant(BlsScalar::zero()); @@ -71,10 +71,10 @@ fn append_gate() { let public = BlsScalar::zero(); let a = BlsScalar::zero(); let b = BlsScalar::zero(); - let o = BlsScalar::zero(); + let c = BlsScalar::zero(); let d = BlsScalar::zero(); let pi = vec![public]; - let circuit = TestCircuit::new(a, b, o, d, public); + let circuit = TestCircuit::new(a, b, c, d, public); let pp = PublicParameters::setup(capacity, &mut rng) .expect("Creation of public parameter shouldn't fail"); let (prover, verifier) = Compiler::compile::(&pp, label) @@ -85,95 +85,95 @@ fn append_gate() { check_satisfied_circuit(&prover, &verifier, &pi, &circuit, &mut rng, &msg); // Test satisfied circuit: - // q_l·a + q_r·b + q_m·a·b + q_o·o + q_4·d + public + constant = 0 + // q_l·a + q_r·b + q_m·a·b + q_o·c + q_4·d + public + constant = 0 let msg = "Verification of satisfied circuit should pass"; let a = BlsScalar::one(); let b = BlsScalar::one(); - let o = -BlsScalar::from(4); + let c = -BlsScalar::from(4); let d = BlsScalar::one(); - let circuit = TestCircuit::new(a, b, o, d, public); + let circuit = TestCircuit::new(a, b, c, d, public); check_satisfied_circuit(&prover, &verifier, &pi, &circuit, &mut rng, &msg); // Test satisfied circuit: - // q_l·a + q_r·b + q_m·a·b + q_o·o + q_4·d + public + constant = 0 + // q_l·a + q_r·b + q_m·a·b + q_o·c + q_4·d + public + constant = 0 let msg = "Verification of satisfied circuit should pass"; let a = BlsScalar::one(); let b = BlsScalar::zero(); - let o = -BlsScalar::one(); + let c = -BlsScalar::one(); let d = BlsScalar::zero(); - let circuit = TestCircuit::new(a, b, o, d, public); + let circuit = TestCircuit::new(a, b, c, d, public); check_satisfied_circuit(&prover, &verifier, &pi, &circuit, &mut rng, &msg); // Test satisfied circuit: - // q_l·a + q_r·b + q_m·a·b + q_o·o + q_4·d + public + constant = 0 + // q_l·a + q_r·b + q_m·a·b + q_o·c + q_4·d + public + constant = 0 let msg = "Verification of satisfied circuit should pass"; let a = BlsScalar::zero(); let b = BlsScalar::one(); - let o = -BlsScalar::one(); + let c = -BlsScalar::one(); let d = BlsScalar::zero(); - let circuit = TestCircuit::new(a, b, o, d, public); + let circuit = TestCircuit::new(a, b, c, d, public); check_satisfied_circuit(&prover, &verifier, &pi, &circuit, &mut rng, &msg); // Test satisfied circuit: - // q_l·a + q_r·b + q_m·a·b + q_o·o + q_4·d + public + constant = 0 + // q_l·a + q_r·b + q_m·a·b + q_o·c + q_4·d + public + constant = 0 let msg = "Verification of satisfied circuit should pass"; let a = BlsScalar::one(); let b = BlsScalar::one(); - let o = -BlsScalar::from(3u64); + let c = -BlsScalar::from(3u64); let d = BlsScalar::zero(); - let circuit = TestCircuit::new(a, b, o, d, public); + let circuit = TestCircuit::new(a, b, c, d, public); check_satisfied_circuit(&prover, &verifier, &pi, &circuit, &mut rng, &msg); // Test satisfied circuit: - // q_l·a + q_r·b + q_m·a·b + q_o·o + q_4·d + public + constant = 0 + // q_l·a + q_r·b + q_m·a·b + q_o·c + q_4·d + public + constant = 0 let msg = "Verification of satisfied circuit should pass"; let a = -BlsScalar::one(); let b = BlsScalar::zero(); - let o = BlsScalar::zero(); + let c = BlsScalar::zero(); let d = BlsScalar::one(); - let circuit = TestCircuit::new(a, b, o, d, public); + let circuit = TestCircuit::new(a, b, c, d, public); check_satisfied_circuit(&prover, &verifier, &pi, &circuit, &mut rng, &msg); // Test satisfied circuit: - // q_l·a + q_r·b + q_m·a·b + q_o·o + q_4·d + public + constant = 0 + // q_l·a + q_r·b + q_m·a·b + q_o·c + q_4·d + public + constant = 0 let msg = "Verification of satisfied circuit should pass"; let a = BlsScalar::random(&mut rng); let b = BlsScalar::random(&mut rng); let d = BlsScalar::random(&mut rng); let public = BlsScalar::from(42); - let o = -(a + b + a * b + d + public); + let c = -(a + b + a * b + d + public); let pi = vec![public]; - let circuit = TestCircuit::new(a, b, o, d, public); + let circuit = TestCircuit::new(a, b, c, d, public); check_satisfied_circuit(&prover, &verifier, &pi, &circuit, &mut rng, &msg); // Test unsatisfied circuit: let msg = "Proof creation of unsatisfied circuit should fail"; let a = BlsScalar::random(&mut rng); let b = BlsScalar::random(&mut rng); - let o = BlsScalar::random(&mut rng); + let c = BlsScalar::random(&mut rng); let d = BlsScalar::random(&mut rng); let public = BlsScalar::random(&mut rng); - let circuit = TestCircuit::new(a, b, o, d, public); + let circuit = TestCircuit::new(a, b, c, d, public); check_unsatisfied_circuit(&prover, &circuit, &mut rng, &msg); // Test unsatisfied circuit: - // q_l·a + q_r·b + q_m·a·b + q_o·o + q_4·d + public + constant = 0 + // q_l·a + q_r·b + q_m·a·b + q_o·c + q_4·d + public + constant = 0 let msg = "Proof creation of unsatisfied circuit should fail"; let a = BlsScalar::one(); let b = BlsScalar::one(); - let o = BlsScalar::one(); + let c = BlsScalar::one(); let d = BlsScalar::one(); let public = BlsScalar::one(); - let circuit = TestCircuit::new(a, b, o, d, public); + let circuit = TestCircuit::new(a, b, c, d, public); check_unsatisfied_circuit(&prover, &circuit, &mut rng, &msg); // Test unsatisfied circuit let msg = "Verification of unsatisfied circuit should pass"; let a = BlsScalar::one(); let b = BlsScalar::one(); - let o = BlsScalar::one(); + let c = BlsScalar::one(); let d = BlsScalar::one(); let public = BlsScalar::one(); - let circuit = TestCircuit::new(a, b, o, d, public); + let circuit = TestCircuit::new(a, b, c, d, public); check_unsatisfied_circuit(&prover, &circuit, &mut rng, &msg); }