plonky2/src/circuit_data.rs

use anyhow::Result;

use crate::field::extension_field::Extendable;
use crate::field::field::Field;
use crate::fri::FriConfig;
use crate::gates::gate::GateRef;
use crate::generator::WitnessGenerator;
use crate::merkle_tree::MerkleTree;
use crate::polynomial::commitment::ListPolynomialCommitment;
use crate::proof::{Hash, HashTarget, Proof};
use crate::prover::prove;
use crate::verifier::verify;
use crate::witness::PartialWitness;

#[derive(Clone)]
pub struct CircuitConfig {
    pub num_wires: usize,
    pub num_routed_wires: usize,
    pub security_bits: usize,
    pub rate_bits: usize,
    /// The number of challenge points to generate, for IOPs that have soundness errors of (roughly)
    /// `degree / |F|`.
    pub num_challenges: usize,

    // TODO: Find a better place for this.
    pub fri_config: FriConfig,
}

impl Default for CircuitConfig {
    fn default() -> Self {
        CircuitConfig {
            num_wires: 4,
            num_routed_wires: 4,
            security_bits: 128,
            rate_bits: 3,
            num_challenges: 3,
            fri_config: FriConfig {
                proof_of_work_bits: 1,
                rate_bits: 1,
                reduction_arity_bits: vec![1],
                num_query_rounds: 1,
                blinding: vec![true],
            },
        }
    }
}

impl CircuitConfig {
    pub fn num_advice_wires(&self) -> usize {
        self.num_wires - self.num_routed_wires
    }
}

/// Circuit data required by the prover or the verifier.
pub struct CircuitData<F: Field> {
    pub(crate) prover_only: ProverOnlyCircuitData<F>,
    pub(crate) verifier_only: VerifierOnlyCircuitData<F>,
    pub(crate) common: CommonCircuitData<F>,
}

impl<F: Field> CircuitData<F> {
    pub fn prove<const D: usize>(&self, inputs: PartialWitness<F>) -> Proof<F, D>
    where
        F: Extendable<D>,
    {
        prove(&self.prover_only, &self.common, inputs)
    }

    pub fn verify<const D: usize>(&self, proof: Proof<F, D>) -> Result<()>
    where
        F: Extendable<D>,
    {
        verify(proof, &self.verifier_only, &self.common)
    }
}

/// Circuit data required by the prover. This may be thought of as a proving key, although it
/// includes code for witness generation.
///
/// The goal here is to make proof generation as fast as we can, rather than making this prover
/// structure as succinct as we can. Thus we include various precomputed data which isn't strictly
/// required, like LDEs of preprocessed polynomials. If more succinctness was desired, we could
/// construct a more minimal prover structure and convert back and forth.
pub struct ProverCircuitData<F: Field> {
    pub(crate) prover_only: ProverOnlyCircuitData<F>,
    pub(crate) common: CommonCircuitData<F>,
}

impl<F: Field> ProverCircuitData<F> {
    pub fn prove<const D: usize>(&self, inputs: PartialWitness<F>) -> Proof<F, D>
    where
        F: Extendable<D>,
    {
        prove(&self.prover_only, &self.common, inputs)
    }
}

/// Circuit data required by the prover.
pub struct VerifierCircuitData<F: Field> {
    pub(crate) verifier_only: VerifierOnlyCircuitData<F>,
    pub(crate) common: CommonCircuitData<F>,
}

impl<F: Field> VerifierCircuitData<F> {
    pub fn verify<const D: usize>(&self, proof: Proof<F, D>) -> Result<()>
    where
        F: Extendable<D>,
    {
        verify(proof, &self.verifier_only, &self.common)
    }
}

/// Circuit data required by the prover, but not the verifier.
pub(crate) struct ProverOnlyCircuitData<F: Field> {
    pub generators: Vec<Box<dyn WitnessGenerator<F>>>,
    /// Commitments to the constants polynomial.
    pub constants_commitment: ListPolynomialCommitment<F>,
    /// Commitments to the sigma polynomial.
    pub sigmas_commitment: ListPolynomialCommitment<F>,
}

/// Circuit data required by the verifier, but not the prover.
pub(crate) struct VerifierOnlyCircuitData<F: Field> {
    /// A commitment to each constant polynomial.
    pub(crate) constants_root: Hash<F>,

    /// A commitment to each permutation polynomial.
    pub(crate) sigmas_root: Hash<F>,
}

/// Circuit data required by both the prover and the verifier.
pub(crate) struct CommonCircuitData<F: Field> {
    pub(crate) config: CircuitConfig,

    pub(crate) degree_bits: usize,

    /// The types of gates used in this circuit.
    pub(crate) gates: Vec<GateRef<F>>,

    /// The largest number of constraints imposed by any gate.
    pub(crate) num_gate_constraints: usize,

    /// The `{k_i}` valued used in `S_ID_i` in Plonk's permutation argument.
    pub(crate) k_is: Vec<F>,

    /// A digest of the "circuit" (i.e. the instance, minus public inputs), which can be used to
    /// seed Fiat-Shamir.
    pub(crate) circuit_digest: Hash<F>,
}

impl<F: Field> CommonCircuitData<F> {
    pub fn degree(&self) -> usize {
        1 << self.degree_bits
    }

    pub fn lde_size(&self) -> usize {
        1 << (self.degree_bits + self.config.rate_bits)
    }

    pub fn lde_generator(&self) -> F {
        F::primitive_root_of_unity(self.degree_bits + self.config.rate_bits)
    }

    pub fn constraint_degree(&self) -> usize {
        self.gates
            .iter()
            .map(|g| g.0.degree())
            .max()
            .expect("No gates?")
    }

    pub fn quotient_degree(&self) -> usize {
        self.constraint_degree() - 1
    }

    pub fn total_constraints(&self) -> usize {
        // 2 constraints for each Z check.
        self.config.num_challenges * 2 + self.num_gate_constraints
    }
}

/// The `Target` version of `VerifierCircuitData`, for use inside recursive circuits. Note that this
/// is intentionally missing certain fields, such as `CircuitConfig`, because we support only a
/// limited form of dynamic inner circuits. We can't practically make things like the wire count
/// dynamic, at least not without setting a maximum wire count and paying for the worst case.
pub struct VerifierCircuitTarget {
    /// A commitment to each constant polynomial.
    pub(crate) constants_root: HashTarget,

    /// A commitment to each permutation polynomial.
    pub(crate) sigmas_root: HashTarget,
}
First bit of verifier Mostly stubbed out, more coming soon... 2021-05-26 16:23:17 -07:00			`use anyhow::Result;`

Working FRI with field extensions 2021-05-18 15:22:06 +02:00			`use crate::field::extension_field::Extendable;`
Initial commit 2021-02-09 21:25:21 -08:00			`use crate::field::field::Field;`
Batch open for PLONK 2021-05-07 11:30:03 +02:00			`use crate::fri::FriConfig;`
Tweaks 2021-03-30 10:02:00 -07:00			`use crate::gates::gate::GateRef;`
Tweak APIs 2021-03-21 11:17:00 -07:00			`use crate::generator::WitnessGenerator;`
More unnecessary clones 2021-04-24 11:20:07 -07:00			`use crate::merkle_tree::MerkleTree;`
Generic tests 2021-05-18 16:06:47 +02:00			`use crate::polynomial::commitment::ListPolynomialCommitment;`
Validate that the cosets for Plonk's permutation argument are disjoint When we had a large field, we could just pick random shifts, and get disjoint cosets with high probability. With a 64-bit field, I think the probability of a collision is non-negligible (something like 1 in a million), so we should probably verify that the cosets are disjoint. If there are any concerns with this method (or if it's just confusing), I think it would also be reasonable to use the brute force approach of explicitly computing the cosets and checking that they're disjoint. I coded that as well, and it took like 80ms, so not really a big deal since it's a one-time preprocessing cost. Also fixes some overflow bugs in the inversion code. 2021-04-04 11:35:58 -07:00			`use crate::proof::{Hash, HashTarget, Proof};`
Tweak APIs 2021-03-21 11:17:00 -07:00			`use crate::prover::prove;`
			`use crate::verifier::verify;`
			`use crate::witness::PartialWitness;`
Initial commit 2021-02-09 21:25:21 -08:00
Batch open for PLONK 2021-05-07 11:30:03 +02:00			`#[derive(Clone)]`
Initial commit 2021-02-09 21:25:21 -08:00			`pub struct CircuitConfig {`
			`pub num_wires: usize,`
			`pub num_routed_wires: usize,`
			`pub security_bits: usize,`
More prover work 2021-03-25 15:20:14 -07:00			`pub rate_bits: usize,`
num_checks -> num_challenges 2021-05-14 08:07:00 -07:00			`/// The number of challenge points to generate, for IOPs that have soundness errors of (roughly)`
			/// `degree / \|F\|`.
			`pub num_challenges: usize,`
Batch open for PLONK 2021-05-07 11:30:03 +02:00
			`// TODO: Find a better place for this.`
			`pub fri_config: FriConfig,`
No more polynomial programming abstraction It was too expensive. 2021-03-28 15:36:51 -07:00			`}`

			`impl Default for CircuitConfig {`
			`fn default() -> Self {`
			`CircuitConfig {`
Arithmetic & permutation gadgets 2021-04-02 15:29:21 -07:00			`num_wires: 4,`
			`num_routed_wires: 4,`
No more polynomial programming abstraction It was too expensive. 2021-03-28 15:36:51 -07:00			`security_bits: 128,`
			`rate_bits: 3,`
num_checks -> num_challenges 2021-05-14 08:07:00 -07:00			`num_challenges: 3,`
Batch open for PLONK 2021-05-07 11:30:03 +02:00			`fri_config: FriConfig {`
			`proof_of_work_bits: 1,`
			`rate_bits: 1,`
			`reduction_arity_bits: vec![1],`
			`num_query_rounds: 1,`
Blinding parameter can be set differently for each Merkle tree in a FRI proof. 2021-05-11 09:56:21 +02:00			`blinding: vec![true],`
Batch open for PLONK 2021-05-07 11:30:03 +02:00			`},`
No more polynomial programming abstraction It was too expensive. 2021-03-28 15:36:51 -07:00			`}`
			`}`
Initial commit 2021-02-09 21:25:21 -08:00			`}`

			`impl CircuitConfig {`
Bit of prover work 2021-03-21 11:57:33 -07:00			`pub fn num_advice_wires(&self) -> usize {`
Initial commit 2021-02-09 21:25:21 -08:00			`self.num_wires - self.num_routed_wires`
			`}`
			`}`

			`/// Circuit data required by the prover or the verifier.`
			`pub struct CircuitData<F: Field> {`
More prover work 2021-03-25 15:20:14 -07:00			`pub(crate) prover_only: ProverOnlyCircuitData<F>,`
Have the prover use the new MerkleTree API Before it was storing leaf data and Merkle roots, but nothing in between, since it wasn't yet interacting with intermediate layers (but it will once we hook up the FRI code). 2021-04-23 14:18:03 -07:00			`pub(crate) verifier_only: VerifierOnlyCircuitData<F>,`
More prover work 2021-03-25 15:20:14 -07:00			`pub(crate) common: CommonCircuitData<F>,`
Initial commit 2021-02-09 21:25:21 -08:00			`}`

Const generics everywhere 2021-05-18 15:44:50 +02:00			`impl<F: Field> CircuitData<F> {`
			`pub fn prove<const D: usize>(&self, inputs: PartialWitness<F>) -> Proof<F, D>`
			`where`
			`F: Extendable<D>,`
			`{`
Tweak APIs 2021-03-21 11:17:00 -07:00			`prove(&self.prover_only, &self.common, inputs)`
Initial commit 2021-02-09 21:25:21 -08:00			`}`

First bit of verifier Mostly stubbed out, more coming soon... 2021-05-26 16:23:17 -07:00			`pub fn verify<const D: usize>(&self, proof: Proof<F, D>) -> Result<()>`
			`where`
			`F: Extendable<D>,`
			`{`
			`verify(proof, &self.verifier_only, &self.common)`
Initial commit 2021-02-09 21:25:21 -08:00			`}`
			`}`

Comments etc 2021-04-02 20:58:19 -07:00			`/// Circuit data required by the prover. This may be thought of as a proving key, although it`
			`/// includes code for witness generation.`
			`///`
			`/// The goal here is to make proof generation as fast as we can, rather than making this prover`
			`/// structure as succinct as we can. Thus we include various precomputed data which isn't strictly`
			`/// required, like LDEs of preprocessed polynomials. If more succinctness was desired, we could`
			`/// construct a more minimal prover structure and convert back and forth.`
Initial commit 2021-02-09 21:25:21 -08:00			`pub struct ProverCircuitData<F: Field> {`
More prover work 2021-03-25 15:20:14 -07:00			`pub(crate) prover_only: ProverOnlyCircuitData<F>,`
			`pub(crate) common: CommonCircuitData<F>,`
Initial commit 2021-02-09 21:25:21 -08:00			`}`

Const generics everywhere 2021-05-18 15:44:50 +02:00			`impl<F: Field> ProverCircuitData<F> {`
			`pub fn prove<const D: usize>(&self, inputs: PartialWitness<F>) -> Proof<F, D>`
			`where`
			`F: Extendable<D>,`
			`{`
Tweak APIs 2021-03-21 11:17:00 -07:00			`prove(&self.prover_only, &self.common, inputs)`
Initial commit 2021-02-09 21:25:21 -08:00			`}`
			`}`

			`/// Circuit data required by the prover.`
			`pub struct VerifierCircuitData<F: Field> {`
Have the prover use the new MerkleTree API Before it was storing leaf data and Merkle roots, but nothing in between, since it wasn't yet interacting with intermediate layers (but it will once we hook up the FRI code). 2021-04-23 14:18:03 -07:00			`pub(crate) verifier_only: VerifierOnlyCircuitData<F>,`
More prover work 2021-03-25 15:20:14 -07:00			`pub(crate) common: CommonCircuitData<F>,`
Initial commit 2021-02-09 21:25:21 -08:00			`}`

			`impl<F: Field> VerifierCircuitData<F> {`
First bit of verifier Mostly stubbed out, more coming soon... 2021-05-26 16:23:17 -07:00			`pub fn verify<const D: usize>(&self, proof: Proof<F, D>) -> Result<()>`
			`where`
			`F: Extendable<D>,`
			`{`
			`verify(proof, &self.verifier_only, &self.common)`
Initial commit 2021-02-09 21:25:21 -08:00			`}`
			`}`

			`/// Circuit data required by the prover, but not the verifier.`
			`pub(crate) struct ProverOnlyCircuitData<F: Field> {`
Tweak APIs 2021-03-21 11:17:00 -07:00			`pub generators: Vec<Box<dyn WitnessGenerator<F>>>,`
Batch open for PLONK 2021-05-07 11:30:03 +02:00			`/// Commitments to the constants polynomial.`
			`pub constants_commitment: ListPolynomialCommitment<F>,`
			`/// Commitments to the sigma polynomial.`
			`pub sigmas_commitment: ListPolynomialCommitment<F>,`
Initial commit 2021-02-09 21:25:21 -08:00			`}`

			`/// Circuit data required by the verifier, but not the prover.`
Have the prover use the new MerkleTree API Before it was storing leaf data and Merkle roots, but nothing in between, since it wasn't yet interacting with intermediate layers (but it will once we hook up the FRI code). 2021-04-23 14:18:03 -07:00			`pub(crate) struct VerifierOnlyCircuitData<F: Field> {`
			`/// A commitment to each constant polynomial.`
			`pub(crate) constants_root: Hash<F>,`

			`/// A commitment to each permutation polynomial.`
			`pub(crate) sigmas_root: Hash<F>,`
			`}`
Initial commit 2021-02-09 21:25:21 -08:00
			`/// Circuit data required by both the prover and the verifier.`
			`pub(crate) struct CommonCircuitData<F: Field> {`
More prover work 2021-03-25 15:20:14 -07:00			`pub(crate) config: CircuitConfig,`
Initial commit 2021-02-09 21:25:21 -08:00
No more polynomial programming abstraction It was too expensive. 2021-03-28 15:36:51 -07:00			`pub(crate) degree_bits: usize,`
Initial commit 2021-02-09 21:25:21 -08:00
Bit of prover work 2021-03-21 11:57:33 -07:00			`/// The types of gates used in this circuit.`
More prover work 2021-03-25 15:20:14 -07:00			`pub(crate) gates: Vec<GateRef<F>>,`
Bit of prover work 2021-03-21 11:57:33 -07:00
Minor refactor 2021-04-02 19:15:39 -07:00			`/// The largest number of constraints imposed by any gate.`
No more polynomial programming abstraction It was too expensive. 2021-03-28 15:36:51 -07:00			`pub(crate) num_gate_constraints: usize,`

Validate that the cosets for Plonk's permutation argument are disjoint When we had a large field, we could just pick random shifts, and get disjoint cosets with high probability. With a 64-bit field, I think the probability of a collision is non-negligible (something like 1 in a million), so we should probably verify that the cosets are disjoint. If there are any concerns with this method (or if it's just confusing), I think it would also be reasonable to use the brute force approach of explicitly computing the cosets and checking that they're disjoint. I coded that as well, and it took like 80ms, so not really a big deal since it's a one-time preprocessing cost. Also fixes some overflow bugs in the inversion code. 2021-04-04 11:35:58 -07:00			/// The `{k_i}` valued used in `S_ID_i` in Plonk's permutation argument.
Add Z terms in vanishing poly 2021-03-30 23:12:47 -07:00			`pub(crate) k_is: Vec<F>,`
Seed Challenger with a hash of the instance I think this is the recommended way to apply Fiat-Shamir, to avoid any possible attacks like taking someone else's proof and using it to prove a slightly different statement. 2021-04-22 16:32:57 -07:00
			`/// A digest of the "circuit" (i.e. the instance, minus public inputs), which can be used to`
			`/// seed Fiat-Shamir.`
			`pub(crate) circuit_digest: Hash<F>,`
Initial commit 2021-02-09 21:25:21 -08:00			`}`
Bit of prover work 2021-03-21 11:57:33 -07:00
			`impl<F: Field> CommonCircuitData<F> {`
No more polynomial programming abstraction It was too expensive. 2021-03-28 15:36:51 -07:00			`pub fn degree(&self) -> usize {`
			`1 << self.degree_bits`
			`}`

			`pub fn lde_size(&self) -> usize {`
			`1 << (self.degree_bits + self.config.rate_bits)`
			`}`

			`pub fn lde_generator(&self) -> F {`
			`F::primitive_root_of_unity(self.degree_bits + self.config.rate_bits)`
			`}`

			`pub fn constraint_degree(&self) -> usize {`
Progress on FRI 2021-04-21 22:31:45 +02:00			`self.gates`
			`.iter()`
No more polynomial programming abstraction It was too expensive. 2021-03-28 15:36:51 -07:00			`.map(\|g\| g.0.degree())`
Bit of prover work 2021-03-21 11:57:33 -07:00			`.max()`
			`.expect("No gates?")`
			`}`
No more polynomial programming abstraction It was too expensive. 2021-03-28 15:36:51 -07:00
Multiple vanishing polys, and multiple associated quotient polys With different random alphas 2021-04-01 13:22:54 -07:00			`pub fn quotient_degree(&self) -> usize {`
			`self.constraint_degree() - 1`
			`}`

No more polynomial programming abstraction It was too expensive. 2021-03-28 15:36:51 -07:00			`pub fn total_constraints(&self) -> usize {`
			`// 2 constraints for each Z check.`
num_checks -> num_challenges 2021-05-14 08:07:00 -07:00			`self.config.num_challenges * 2 + self.num_gate_constraints`
No more polynomial programming abstraction It was too expensive. 2021-03-28 15:36:51 -07:00			`}`
Bit of prover work 2021-03-21 11:57:33 -07:00			`}`
Comments etc 2021-04-02 20:58:19 -07:00
			/// The `Target` version of `VerifierCircuitData`, for use inside recursive circuits. Note that this
			/// is intentionally missing certain fields, such as `CircuitConfig`, because we support only a
			`/// limited form of dynamic inner circuits. We can't practically make things like the wire count`
			`/// dynamic, at least not without setting a maximum wire count and paying for the worst case.`
Fix visibility 2021-04-03 15:30:33 -07:00			`pub struct VerifierCircuitTarget {`
Comments etc 2021-04-02 20:58:19 -07:00			`/// A commitment to each constant polynomial.`
			`pub(crate) constants_root: HashTarget,`

			`/// A commitment to each permutation polynomial.`
			`pub(crate) sigmas_root: HashTarget,`
			`}`