Merge pull request #830 from dusk-network/order

Make code to match the last Plonk paper

CHANGELOG.md

@@ -7,9 +7,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
-### Changed
+### Changed 
+
+- Modify the prover to match the paper [#831]
+- Modify the verifier to match the paper [#831]
+- Rename some variables to match the paper [#831]
+
+### Removed
 
 - Remove docs [#819]
+- Remove unused `Evaluations` struct
 
 ## [0.19.2] - 2024-03-27
 
@@ -585,6 +592,7 @@ is necessary since `rkyv/validation` was required as a bound.
 - Proof system module.
 
 <!-- ISSUES -->
+[#831]: https://github.com/dusk-network/plonk/issues/831
 [#819]: https://github.com/dusk-network/plonk/issues/819
 [#818]: https://github.com/dusk-network/plonk/issues/818
 [#815]: https://github.com/dusk-network/plonk/issues/815

README.md

@@ -5,7 +5,7 @@
 
 _This is a pure Rust implementation of the PLONK proving system over BLS12-381._
 
-This library contains a modular implementation of KZG10 as the default polynomial commitment scheme.
+This library contains a modular implementation of KZG10 as the default polynomial commitment scheme. Moreover, it includes custom gates for efficiency purposes. The details on our specific implementation can be found [here](docs/dusk-plonk-specs.pdf).
 
 **DISCLAIMER**: This library is currently unstable and still needs to undergo an exhaustive security analysis. Use at your own risk.
 
@@ -34,7 +34,7 @@ as the documentation regarding the data structures that it exports. To check thi
 Benchmarks taken on `Apple M1`, for a circuit-size of `2^16` constraints:
 
 - Proving time: `7.871s`
-- Verification time: `7.643ms` **(This time does not vary depending on the circuit-size.)**
+- Verification time: `3.732ms` **(This time does not vary depending on the circuit-size.)**
 
 For more results, please run `cargo bench` to get a full report of benchmarks in respect of constraint numbers.
 

src/commitment_scheme/kzg10/key.rs

@@ -191,13 +191,11 @@ impl CommitKey {
     /// We apply the same optimization mentioned in when computing each witness;
     /// removing f(z).
     pub(crate) fn compute_aggregate_witness(
-        &self,
         polynomials: &[Polynomial],
         point: &BlsScalar,
-        transcript: &mut Transcript,
+        v_challenge: &BlsScalar,
     ) -> Polynomial {
-        let v_challenge = transcript.challenge_scalar(b"v_challenge");
-        let powers = util::powers_of(&v_challenge, polynomials.len() - 1);
+        let powers = util::powers_of(v_challenge, polynomials.len() - 1);
 
         assert_eq!(powers.len(), polynomials.len());
 
@@ -227,15 +225,15 @@ pub struct OpeningKey {
     /// The generator of G2.
     #[cfg_attr(feature = "rkyv-impl", omit_bounds)]
     pub(crate) h: G2Affine,
-    /// \beta times the above generator of G2.
+    /// 'x' times the above generator of G2.
     #[cfg_attr(feature = "rkyv-impl", omit_bounds)]
-    pub(crate) beta_h: G2Affine,
+    pub(crate) x_h: G2Affine,
     /// The generator of G2, prepared for use in pairings.
     #[cfg_attr(feature = "rkyv-impl", omit_bounds)]
     pub(crate) prepared_h: G2Prepared,
-    /// \beta times the above generator of G2, prepared for use in pairings.
+    /// 'x' times the above generator of G2, prepared for use in pairings.
     #[cfg_attr(feature = "rkyv-impl", omit_bounds)]
-    pub(crate) prepared_beta_h: G2Prepared,
+    pub(crate) prepared_x_h: G2Prepared,
 }
 
 impl Serializable<{ G1Affine::SIZE + G2Affine::SIZE * 2 }> for OpeningKey {
@@ -248,7 +246,7 @@ impl Serializable<{ G1Affine::SIZE + G2Affine::SIZE * 2 }> for OpeningKey {
         // This can't fail therefore we don't care about the Result nor use it.
         writer.write(&self.g.to_bytes());
         writer.write(&self.h.to_bytes());
-        writer.write(&self.beta_h.to_bytes());
+        writer.write(&self.x_h.to_bytes());
 
         buf
     }
@@ -264,24 +262,21 @@ impl Serializable<{ G1Affine::SIZE + G2Affine::SIZE * 2 }> for OpeningKey {
 }
 
 impl OpeningKey {
-    pub(crate) fn new(
-        g: G1Affine,
-        h: G2Affine,
-        beta_h: G2Affine,
-    ) -> OpeningKey {
+    pub(crate) fn new(g: G1Affine, h: G2Affine, x_h: G2Affine) -> OpeningKey {
         let prepared_h = G2Prepared::from(h);
-        let prepared_beta_h = G2Prepared::from(beta_h);
+        let prepared_x_h = G2Prepared::from(x_h);
         OpeningKey {
             g,
             h,
-            beta_h,
+            x_h,
             prepared_h,
-            prepared_beta_h,
+            prepared_x_h,
         }
     }
 
     /// Checks whether a batch of polynomials evaluated at different points,
     /// returned their specified value.
+    #[allow(dead_code)]
     pub(crate) fn batch_check(
         &self,
         points: &[BlsScalar],
@@ -315,7 +310,7 @@ impl OpeningKey {
         let affine_total_c = G1Affine::from(total_c);
 
         let pairing = dusk_bls12_381::multi_miller_loop(&[
-            (&affine_total_w, &self.prepared_beta_h),
+            (&affine_total_w, &self.prepared_x_h),
             (&affine_total_c, &self.prepared_h),
         ])
         .final_exponentiation();
@@ -345,7 +340,7 @@ mod test {
             - (op_key.g * proof.evaluated_point))
             .into();
 
-        let inner_b: G2Affine = (op_key.beta_h - (op_key.h * point)).into();
+        let inner_b: G2Affine = (op_key.x_h - (op_key.h * point)).into();
         let prepared_inner_b = G2Prepared::from(-inner_b);
 
         let pairing = dusk_bls12_381::multi_miller_loop(&[
@@ -391,9 +386,14 @@ mod test {
             polynomial_commitments.push(ck.commit(poly)?)
         }
 
+        let v_challenge = transcript.challenge_scalar(b"v_challenge");
+
         // Compute the aggregate witness for polynomials
-        let witness_poly =
-            ck.compute_aggregate_witness(polynomials, point, transcript);
+        let witness_poly = CommitKey::compute_aggregate_witness(
+            polynomials,
+            point,
+            &v_challenge,
+        );
 
         // Commit to witness polynomial
         let witness_commitment = ck.commit(&witness_poly)?;
@@ -482,22 +482,23 @@ mod test {
             let poly_b = Polynomial::rand(26 + 1, &mut OsRng);
             let poly_b_eval = poly_b.evaluate(&point);
 
-            let poly_o = Polynomial::rand(27, &mut OsRng);
-            let poly_o_eval = poly_o.evaluate(&point);
+            let poly_c = Polynomial::rand(27, &mut OsRng);
+            let poly_c_eval = poly_c.evaluate(&point);
 
             open_multiple(
                 &ck,
-                &[poly_a, poly_b, poly_o],
-                vec![poly_a_eval, poly_b_eval, poly_o_eval],
+                &[poly_a, poly_b, poly_c],
+                vec![poly_a_eval, poly_b_eval, poly_c_eval],
                 &point,
                 &mut Transcript::new(b"agg_flatten"),
             )?
         };
 
         // Verifier's View
         let ok = {
-            let flattened_proof =
-                aggregated_proof.flatten(&mut Transcript::new(b"agg_flatten"));
+            let transcript = &mut Transcript::new(b"agg_flatten");
+            let v_challenge = transcript.challenge_scalar(b"v_challenge");
+            let flattened_proof = aggregated_proof.flatten(&v_challenge);
             check(&opening_key, point, flattened_proof)
         };
 
@@ -521,16 +522,16 @@ mod test {
             let poly_b = Polynomial::rand(26, &mut OsRng);
             let poly_b_eval = poly_b.evaluate(&point_a);
 
-            let poly_o = Polynomial::rand(27, &mut OsRng);
-            let poly_o_eval = poly_o.evaluate(&point_a);
+            let poly_c = Polynomial::rand(27, &mut OsRng);
+            let poly_c_eval = poly_c.evaluate(&point_a);
 
             let poly_d = Polynomial::rand(28, &mut OsRng);
             let poly_d_eval = poly_d.evaluate(&point_b);
 
             let aggregated_proof = open_multiple(
                 &ck,
-                &[poly_a, poly_b, poly_o],
-                vec![poly_a_eval, poly_b_eval, poly_o_eval],
+                &[poly_a, poly_b, poly_c],
+                vec![poly_a_eval, poly_b_eval, poly_c_eval],
                 &point_a,
                 &mut Transcript::new(b"agg_batch"),
             )?;
@@ -544,7 +545,8 @@ mod test {
         // Verifier's View
 
         let mut transcript = Transcript::new(b"agg_batch");
-        let flattened_proof = aggregated_proof.flatten(&mut transcript);
+        let v_challenge = transcript.challenge_scalar(b"v_challenge");
+        let flattened_proof = aggregated_proof.flatten(&v_challenge);
 
         opening_key.batch_check(
             &[point_a, point_b],

src/commitment_scheme/kzg10/proof.rs

@@ -24,18 +24,17 @@ pub(crate) struct Proof {
 #[cfg(feature = "alloc")]
 pub(crate) mod alloc {
     use super::*;
-    use crate::transcript::TranscriptProtocol;
     use crate::util::powers_of;
     #[rustfmt::skip]
     use ::alloc::vec::Vec;
     use dusk_bls12_381::G1Projective;
-    use merlin::Transcript;
     #[cfg(feature = "std")]
     use rayon::prelude::*;
 
     /// Proof that multiple polynomials were correctly evaluated at a point `z`,
     /// each producing their respective evaluated points p_i(z).
     #[derive(Debug)]
+    #[allow(dead_code)]
     pub(crate) struct AggregateProof {
         /// This is a commitment to the aggregated witness polynomial.
         pub(crate) commitment_to_witness: Commitment,
@@ -47,6 +46,7 @@ pub(crate) mod alloc {
         pub(crate) commitments_to_polynomials: Vec<Commitment>,
     }
 
+    #[allow(dead_code)]
     impl AggregateProof {
         /// Initializes an `AggregatedProof` with the commitment to the witness.
         pub(crate) fn with_witness(witness: Commitment) -> AggregateProof {
@@ -65,12 +65,9 @@ pub(crate) mod alloc {
         }
 
         /// Flattens an `AggregateProof` into a `Proof`.
-        /// The transcript must have the same view as the transcript that was
-        /// used to aggregate the witness in the proving stage.
-        pub(crate) fn flatten(&self, transcript: &mut Transcript) -> Proof {
-            let v_challenge = transcript.challenge_scalar(b"v_challenge");
+        pub(crate) fn flatten(&self, v_challenge: &BlsScalar) -> Proof {
             let powers = powers_of(
-                &v_challenge,
+                v_challenge,
                 self.commitments_to_polynomials.len() - 1,
             );
 

src/commitment_scheme/kzg10/srs.rs

@@ -230,7 +230,7 @@ mod test {
         assert_eq!(got_pp.commit_key.powers_of_g, pp.commit_key.powers_of_g);
         assert_eq!(got_pp.opening_key.g, pp.opening_key.g);
         assert_eq!(got_pp.opening_key.h, pp.opening_key.h);
-        assert_eq!(got_pp.opening_key.beta_h, pp.opening_key.beta_h);
+        assert_eq!(got_pp.opening_key.x_h, pp.opening_key.x_h);
     }
 
     #[test]
@@ -245,6 +245,6 @@ mod test {
         assert_eq!(pp.commit_key, pp_p.commit_key);
         assert_eq!(pp.opening_key.g, pp_p.opening_key.g);
         assert_eq!(pp.opening_key.h, pp_p.opening_key.h);
-        assert_eq!(pp.opening_key.beta_h, pp_p.opening_key.beta_h);
+        assert_eq!(pp.opening_key.x_h, pp_p.opening_key.x_h);
     }
 }