No longer commitments to instance in transcript.
adria0 committed Oct 18, 2024
1 parent e69386e commit ba23a98
Showing 10 changed files with 43 additions and 212 deletions.
84 changes: 5 additions & 79 deletions halo2_backend/src/plonk/prover.rs
@@ -207,39 +207,14 @@ impl<
return Err(Error::InstanceTooLarge);
}
for (poly, value) in poly.iter_mut().zip(values.iter()) {
if !P::QUERY_INSTANCE {
// Add to the transcript the instance polynomials lagrange value.
transcript.common_scalar(*value)?;
}
// Add to the transcript the instance polynomials lagrange value.
transcript.common_scalar(*value)?;
*poly = *value;
}
Ok(poly)
})
.collect::<Result<Vec<_>, _>>()?;

if P::QUERY_INSTANCE {
// Add to the transcript the commitments of the instance lagrange polynomials

let instance_commitments_projective: Vec<_> = instance_values
.iter()
.map(|poly| {
params.commit_lagrange(&engine.msm_backend, poly, Blind::default())
})
.collect();
let mut instance_commitments =
vec![Scheme::Curve::identity(); instance_commitments_projective.len()];
<Scheme::Curve as CurveAffine>::CurveExt::batch_normalize(
&instance_commitments_projective,
&mut instance_commitments,
);
let instance_commitments = instance_commitments;
drop(instance_commitments_projective);

for commitment in &instance_commitments {
transcript.common_point(*commitment)?;
}
}

// Convert from evaluation to coefficient form.

let instance_polys: Vec<_> = instance_values
@@ -587,9 +562,6 @@ impl<

let x_pow_n = x.pow([self.params.n()]);

// [TRANSCRIPT-16]
self.write_instance_evals(x)?;

// 10. Compute and hash advice evals for the circuit instance ------------------------------------
// [TRANSCRIPT-17]
self.write_advice_evals(x, &advice)?;
@@ -622,30 +594,15 @@ impl<
let shuffles_evaluated = self.evaluate_shuffles(x, shuffles_committed)?;

// 13. Generate all queries ([`ProverQuery`]) that needs to be sent to prover --------------------
let instances = std::mem::take(&mut self.instances);
let queries = instances
// group the instance, advice, permutation, lookups and shuffles
// group the advice, permutation, lookups and shuffles
let queries = advice
.iter()
.zip(advice.iter())
.zip(permutations_evaluated.iter())
.zip(lookups_evaluated.iter())
.zip(shuffles_evaluated.iter())
.flat_map(|((((instance, advice), permutation), lookups), shuffles)| {
.flat_map(|(((advice, permutation), lookups), shuffles)| {
// Build a (an iterator) over a set of ProverQueries for each instance, advice, permutatiom, lookup and shuffle
iter::empty()
// Instances
.chain(
P::QUERY_INSTANCE
.then_some(self.pk.vk.cs.instance_queries.iter().map(
move |&(column, at)| ProverQuery {
point: self.pk.vk.domain.rotate_omega(*x, at),
poly: &instance.instance_polys[column.index],
blind: Blind::default(),
},
))
.into_iter()
.flatten(),
)
// Advices
.chain(
self.pk
@@ -909,37 +866,6 @@ impl<
Ok(vanishing)
}

fn write_instance_evals(&mut self, x: ChallengeX<Scheme::Curve>) -> Result<(), Error>
where
Scheme::Scalar: WithSmallOrderMulGroup<3> + FromUniformBytes<64>,
{
if P::QUERY_INSTANCE {
// Compute and hash instance evals for the circuit instance
for instance in self.instances.iter() {
// Evaluate polynomials at omega^i x
let instance_evals: Vec<_> = self
.pk
.vk
.cs
.instance_queries
.iter()
.map(|&(column, at)| {
eval_polynomial(
&instance.instance_polys[column.index],
self.pk.vk.domain.rotate_omega(*x, at),
)
})
.collect();

// Hash each instance column evaluation
for eval in instance_evals.iter() {
self.transcript.write_scalar(*eval)?;
}
}
}
Ok(())
}

fn write_advice_evals(
&mut self,
x: ChallengeX<Scheme::Curve>,
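Review bot: The comment kept above `iter::empty()` in the query builder still reads "for each instance, advice, permutatiom, lookup and shuffle", although the closure no longer receives an instance element; it should become `// Build an iterator over the ProverQueries for each advice, permutation, lookup and shuffle`. The transcript step labels also now skip `[TRANSCRIPT-16]` and continue at `[TRANSCRIPT-17]`, and those labels are what a reader uses to check that prover and verifier feed the Fiat-Shamir transcript in the same order. Either renumber them on both sides or leave a marker where the call was, e.g. `// [TRANSCRIPT-16] removed: instance evaluations are no longer written to the proof`. The enclosing functions start and end outside the visible hunks.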
105 changes: 10 additions & 95 deletions halo2_backend/src/plonk/verifier.rs
@@ -1,11 +1,7 @@
//! Verify a plonk proof
use group::prime::PrimeCurveAffine;
use group::Curve;
use halo2_middleware::circuit::Any;
use halo2_middleware::ff::{Field, FromUniformBytes, WithSmallOrderMulGroup};
use halo2_middleware::zal::impls::H2cEngine;
use halo2curves::CurveAffine;
use std::iter;

use super::{vanishing, VerifyingKey};
@@ -16,9 +12,8 @@ use crate::plonk::{
shuffle::verifier::shuffle_read_product_commitment, ChallengeBeta, ChallengeGamma,
ChallengeTheta, ChallengeX, ChallengeY, Error,
};
use crate::poly::commitment::ParamsVerifier;
use crate::poly::{
commitment::{Blind, CommitmentScheme, Params, Verifier},
commitment::{CommitmentScheme, Params, Verifier},
VerificationStrategy, VerifierQuery,
};
use crate::transcript::{read_n_scalars, EncodedChallenge, TranscriptRead};
@@ -65,62 +60,14 @@ pub fn verify_proof_with_strategy<
where
Scheme::Scalar: WithSmallOrderMulGroup<3> + FromUniformBytes<64>,
{
// ZAL: Verification is (supposedly) cheap, hence we don't use an accelerator engine
let default_engine = H2cEngine::new();

// Check that instances matches the expected number of instance columns
for instances in instances.iter() {
if instances.len() != vk.cs.num_instance_columns {
return Err(Error::InvalidInstances);
}
}

// Check that the Scheme parameters support commitment to instance
// if it is required by the verifier.
assert!(
!V::QUERY_INSTANCE
|| <Scheme::ParamsVerifier as ParamsVerifier<Scheme::Curve>>::COMMIT_INSTANCE
);

// 1. Get the commitments of the instance polynomials. ----------------------------------------

let instance_commitments = if V::QUERY_INSTANCE {
let mut instance_commitments = Vec::with_capacity(instances.len());

let instances_projective = instances
.iter()
.map(|instance| {
instance
.iter()
.map(|instance| {
if instance.len() > params.n() as usize - (vk.cs.blinding_factors() + 1) {
return Err(Error::InstanceTooLarge);
}
let mut poly = instance.to_vec();
poly.resize(params.n() as usize, Scheme::Scalar::ZERO);
let poly = vk.domain.lagrange_from_vec(poly);

Ok(params.commit_lagrange(&default_engine, &poly, Blind::default()))
})
.collect::<Result<Vec<_>, _>>()
})
.collect::<Result<Vec<_>, _>>()?;

for instance_projective in instances_projective {
let mut affines =
vec![<Scheme as CommitmentScheme>::Curve::identity(); instance_projective.len()];
<<Scheme as CommitmentScheme>::Curve as CurveAffine>::CurveExt::batch_normalize(
&instance_projective,
&mut affines,
);
instance_commitments.push(affines);
}
instance_commitments
} else {
vec![vec![]; instances.len()]
};

let num_proofs = instance_commitments.len();
let num_proofs = instances.len();

// 2. Add hash of verification key and instances into transcript. -----------------------------
// [TRANSCRIPT-1]
@@ -130,19 +77,10 @@ where
// 3. Add instance commitments into the transcript. --------------------------------------------
// [TRANSCRIPT-2]

if V::QUERY_INSTANCE {
for instance_commitments in instance_commitments.iter() {
// Hash the instance (external) commitments into the transcript
for commitment in instance_commitments {
transcript.common_point(*commitment)?
}
}
} else {
for instance in instances.iter() {
for instance in instance.iter() {
for value in instance.iter() {
transcript.common_scalar(*value)?;
}
for instance in instances.iter() {
for instance in instance.iter() {
for value in instance.iter() {
transcript.common_scalar(*value)?;
}
}
}
@@ -261,14 +199,7 @@ where
let x: ChallengeX<_> = transcript.squeeze_challenge_scalar();

// 12. Get the instance evaluations
let instance_evals = if V::QUERY_INSTANCE {
// [TRANSCRIPT-16]
(0..num_proofs)
.map(|_| -> Result<Vec<_>, _> {
read_n_scalars(transcript, vk.cs.instance_queries.len())
})
.collect::<Result<Vec<_>, _>>()?
} else {
let instance_evals = {
let xn = x.pow([params.n()]);
let (min_rotation, max_rotation) =
vk.cs
@@ -454,30 +385,14 @@ where
};

#[rustfmt::skip]
let queries = instance_commitments
.iter()
.zip(instance_evals.iter())
.zip(advice_commitments.iter())
let queries =
advice_commitments.iter()
.zip(advice_evals.iter())
.zip(permutations_evaluated.iter())
.zip(lookups_evaluated.iter())
.zip(shuffles_evaluated.iter())
.flat_map(|((((((instance_commitments, instance_evals), advice_commitments),advice_evals),permutation),lookups),shuffles)| {
.flat_map(|((((advice_commitments,advice_evals),permutation),lookups),shuffles)| {
iter::empty()
.chain(
V::QUERY_INSTANCE
.then_some(vk.cs.instance_queries.iter().enumerate().map(
move |(query_index, &(column, at))| {
VerifierQuery::new_commitment(
&instance_commitments[column.index],
vk.domain.rotate_omega(*x, at),
instance_evals[query_index],
)
},
))
.into_iter()
.flatten(),
)
.chain(vk.cs.advice_queries.iter().enumerate().map(
move |(query_index, &(column, at))| {
VerifierQuery::new_commitment(
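Review bot: No visible length bound on the caller-supplied instance columns remains in `verify_proof_with_strategy`: the only `Error::InstanceTooLarge` check shown (`instance.len() > params.n() as usize - (vk.cs.blinding_factors() + 1)`) sat inside the deleted `V::QUERY_INSTANCE` block, while the surviving path absorbs every value with `transcript.common_scalar` and then evaluates the columns itself. The body of the remaining `instance_evals` block continues outside the hunk and may already enforce this; if it does not, reject oversized columns inside the existing `InvalidInstances` loop with `if instances.iter().any(|col| col.len() > params.n() as usize - (vk.cs.blinding_factors() + 1)) { return Err(Error::InstanceTooLarge); }`. The prover performs the same check before writing to the transcript, but the verifier cannot rely on it because its instance input does not come from the prover. Separately, the step heading `// 3. Add instance commitments into the transcript.` now describes scalars and should read `// 3. Add instance values into the transcript.`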
1 change: 0 additions & 1 deletion halo2_backend/src/plonk/verifier/batch.rs
@@ -1,7 +1,6 @@
use halo2_middleware::ff::FromUniformBytes;
use halo2curves::CurveAffine;


#[derive(Debug)]
struct BatchItem<C: CurveAffine> {
instances: Vec<Vec<Vec<C::ScalarExt>>>,

Check warning on line 6 in halo2_backend/src/plonk/verifier/batch.rs


GitHub Actions / Clippy (beta)

fields `instances` and `proof` are never read

warning: fields `instances` and `proof` are never read --> halo2_backend/src/plonk/verifier/batch.rs:6:5 | 5 | struct BatchItem<C: CurveAffine> { | --------- fields in this struct 6 | instances: Vec<Vec<Vec<C::ScalarExt>>>, | ^^^^^^^^^ 7 | proof: Vec<u8>, | ^^^^^ | = note: `BatchItem` has a derived impl for the trait `Debug`, but this is intentionally ignored during dead code analysis = note: `#[warn(dead_code)]` on by default

Check warning on line 6 in halo2_backend/src/plonk/verifier/batch.rs


GitHub Actions / Clippy (beta)

fields `instances` and `proof` are never read

warning: fields `instances` and `proof` are never read --> halo2_backend/src/plonk/verifier/batch.rs:6:5 | 5 | struct BatchItem<C: CurveAffine> { | --------- fields in this struct 6 | instances: Vec<Vec<Vec<C::ScalarExt>>>, | ^^^^^^^^^ 7 | proof: Vec<u8>, | ^^^^^ | = note: `BatchItem` has a derived impl for the trait `Debug`, but this is intentionally ignored during dead code analysis = note: `#[warn(dead_code)]` on by default

Check failure on line 6 in halo2_backend/src/plonk/verifier/batch.rs


GitHub Actions / Clippy (1.56.1)

fields `instances` and `proof` are never read

error: fields `instances` and `proof` are never read --> halo2_backend/src/plonk/verifier/batch.rs:6:5 | 5 | struct BatchItem<C: CurveAffine> { | --------- fields in this struct 6 | instances: Vec<Vec<Vec<C::ScalarExt>>>, | ^^^^^^^^^ 7 | proof: Vec<u8>, | ^^^^^ | = note: `BatchItem` has a derived impl for the trait `Debug`, but this is intentionally ignored during dead code analysis = note: `-D dead-code` implied by `-D warnings` = help: to override `-D warnings` add `#[allow(dead_code)]`
6 changes: 0 additions & 6 deletions halo2_backend/src/poly/commitment.rs
@@ -121,9 +121,6 @@ pub trait MSM<C: CurveAffine>: Clone + Debug + Send + Sync {

/// Common multi-open prover interface for various commitment schemes
pub trait Prover<'params, Scheme: CommitmentScheme> {
/// Query instance or not
const QUERY_INSTANCE: bool;

/// Creates new prover instance
fn new(params: &'params Scheme::ParamsProver) -> Self;

Expand Down Expand Up @@ -176,9 +173,6 @@ pub trait Verifier<'params, Scheme: CommitmentScheme> {
/// Accumulator for compressed verification
type MSMAccumulator;

/// Query instance or not
const QUERY_INSTANCE: bool;

/// Creates new verifier instance
fn new() -> Self;

2 changes: 0 additions & 2 deletions halo2_backend/src/poly/kzg/multiopen/gwc/prover.rs
@@ -30,8 +30,6 @@ where
E::G1: CurveExt<AffineExt = E::G1Affine>,
E::G2Affine: SerdeCurveAffine,
{
const QUERY_INSTANCE: bool = false;

fn new(params: &'params ParamsKZG<E>) -> Self {
Self { params }
}
2 changes: 0 additions & 2 deletions halo2_backend/src/poly/kzg/multiopen/gwc/verifier.rs
@@ -35,8 +35,6 @@ where
type Guard = GuardKZG<E>;
type MSMAccumulator = DualMSM<E>;

const QUERY_INSTANCE: bool = false;

fn new() -> Self {
Self {
_marker: PhantomData,
2 changes: 0 additions & 2 deletions halo2_backend/src/poly/kzg/multiopen/shplonk/prover.rs
@@ -111,8 +111,6 @@ where
E::G1: CurveExt<AffineExt = E::G1Affine>,
E::G2Affine: SerdeCurveAffine,
{
const QUERY_INSTANCE: bool = false;

fn new(params: &'params ParamsKZG<E>) -> Self {
Self { params }
}
2 changes: 0 additions & 2 deletions halo2_backend/src/poly/kzg/multiopen/shplonk/verifier.rs
@@ -39,8 +39,6 @@ where
type Guard = GuardKZG<E>;
type MSMAccumulator = DualMSM<E>;

const QUERY_INSTANCE: bool = false;

fn new() -> Self {
Self {
_marker: PhantomData,
4 changes: 2 additions & 2 deletions halo2_backend/src/poly/multiopen_test.rs
@@ -11,8 +11,8 @@ mod test {
EvaluationDomain,
};
use crate::transcript::{
Blake2bRead, Blake2bWrite, Challenge255, EncodedChallenge,
TranscriptReadBuffer, TranscriptWriterBuffer,
Blake2bRead, Blake2bWrite, Challenge255, EncodedChallenge, TranscriptReadBuffer,
TranscriptWriterBuffer,
};
use group::Curve;
use halo2_middleware::ff::WithSmallOrderMulGroup;