plonky2/src/gates/gmimc.rs

use std::sync::Arc;

use num::{BigUint, One};

use crate::circuit_data::CircuitConfig;
use crate::constraint_polynomial::ConstraintPolynomial;
use crate::field::field::Field;
use crate::gates::deterministic_gate::{DeterministicGate, DeterministicGateAdapter};
use crate::gates::gate::GateRef;
use crate::gates::output_graph::{GateOutputLocation, OutputGraph};

/// Evaluates a full GMiMC permutation, and writes the output to the next gate's first `width`
/// wires (which could be the input of another `GMiMCGate`).
#[derive(Debug)]
pub struct GMiMCGate<F: Field, const W: usize, const R: usize> {
    constants: Arc<[F; R]>,
}

impl<F: Field, const W: usize, const R: usize> GMiMCGate<F, W, R> {
    pub fn with_constants(constants: Arc<[F; R]>) -> GateRef<F> {
        let gate = GMiMCGate::<F, W, R> { constants };
        let adapter = DeterministicGateAdapter::new(gate);
        GateRef::new(adapter)
    }

    pub fn with_automatic_constants() -> GateRef<F> {
        todo!()
    }

    /// If this is set to 1, the first four inputs will be swapped with the next four inputs. This
    /// is useful for ordering hashes in Merkle proofs. Otherwise, this should be set to 0.
    pub const WIRE_SWITCH: usize = W;

    /// The wire index for the i'th input to the permutation.
    pub fn wire_input(i: usize) -> usize {
        i
    }

    /// The wire index for the i'th output to the permutation.
    /// Note that outputs are written to the next gate's wires.
    pub fn wire_output(i: usize) -> usize {
        i
    }

    /// Adds a local wire output to this output graph. Returns a `ConstraintPolynomial` which
    /// references the newly-created wire.
    ///
    /// This may seem like it belongs in `OutputGraph`, but it is not that general, since it uses
    /// a notion of "next available" local wire indices specific to this gate.
    // TODO: Switch to `ExpandableOutputGraph`.
    fn add_local(
        outputs: &mut OutputGraph<F>,
        poly: ConstraintPolynomial<F>,
    ) -> ConstraintPolynomial<F> {
        let index = outputs.max_local_output_index().map_or(W + 1, |i| i + 1);
        outputs.add(GateOutputLocation::LocalWire(index), poly);
        ConstraintPolynomial::local_wire(index)
    }
}

impl<F: Field, const W: usize, const R: usize> DeterministicGate<F> for GMiMCGate<F, W, R> {
    fn id(&self) -> String {
        // TODO: This won't include generic params?
        format!("{:?}", self)
    }

    fn outputs(&self, _config: CircuitConfig) -> OutputGraph<F> {
        let original_inputs = (0..W)
            .map(|i| ConstraintPolynomial::local_wire(Self::wire_input(i)))
            .collect::<Vec<_>>();

        let mut outputs = OutputGraph::new();

        // Conditionally switch inputs based on the (boolean) switch wire.
        let switch = ConstraintPolynomial::local_wire(Self::WIRE_SWITCH);
        let mut state = Vec::new();
        for i in 0..4 {
            let a = &original_inputs[i];
            let b = &original_inputs[i + 4];
            state.push(a + &switch * (b - a));
        }
        for i in 0..4 {
            let a = &original_inputs[i + 4];
            let b = &original_inputs[i];
            state.push(a + &switch * (b - a));
        }
        for i in 8..W {
            state.push(original_inputs[i].clone());
        }

        // Value that is implicitly added to each element.
        // See https://affine.group/2020/02/starkware-challenge
        let mut addition_buffer = ConstraintPolynomial::zero();

        for r in 0..R {
            let active = r % W;
            let round_constant = ConstraintPolynomial::constant(self.constants[r]);
            let mut f_input = &state[active] + &addition_buffer + round_constant;
            if f_input.degree() > BigUint::one() {
                f_input = Self::add_local(&mut outputs, f_input);
            }
            let f_output = f_input.cube();
            addition_buffer += &f_output;
            state[active] -= f_output;
        }

        for i in 0..W {
            outputs.add(GateOutputLocation::NextWire(i), &state[i] + &addition_buffer);
        }

        outputs
    }

    fn additional_constraints(&self, _config: CircuitConfig) -> Vec<ConstraintPolynomial<F>> {
        let switch = ConstraintPolynomial::local_wire(Self::WIRE_SWITCH);
        let switch_bool_constraint = &switch * (&switch - 1);
        vec![switch_bool_constraint]
    }
}

#[cfg(test)]
mod tests {
    use std::convert::TryInto;
    use std::sync::Arc;

    use crate::circuit_data::CircuitConfig;
    use crate::field::crandall_field::CrandallField;
    use crate::field::field::Field;
    use crate::gates::deterministic_gate::DeterministicGate;
    use crate::gates::gmimc::GMiMCGate;
    use crate::generator::generate_partial_witness;
    use crate::gmimc::gmimc_permute_naive;
    use crate::wire::Wire;
    use crate::witness::PartialWitness;

    #[test]
    fn degree() {
        type F = CrandallField;
        const W: usize = 12;
        const R: usize = 101;
        let gate = GMiMCGate::<F, W, R> { constants: Arc::new([F::TWO; R]) };
        let config = CircuitConfig {
            num_wires: 200,
            num_routed_wires: 200,
            security_bits: 128,
        };
        let outs = gate.outputs(config);
        assert_eq!(outs.degree(), 3);
    }

    #[test]
    fn generated_output() {
        type F = CrandallField;
        const W: usize = 12;
        const R: usize = 101;
        let constants = Arc::new([F::TWO; R]);
        type Gate = GMiMCGate::<F, W, R>;
        let gate = Gate::with_constants(constants.clone());

        let config = CircuitConfig {
            num_wires: 200,
            num_routed_wires: 200,
            security_bits: 128,
        };

        let permutation_inputs = (0..W)
            .map(F::from_canonical_usize)
            .collect::<Vec<_>>();

        let mut witness = PartialWitness::new();
        witness.set_wire(Wire { gate: 0, input: Gate::WIRE_SWITCH }, F::ZERO);
        for i in 0..W {
            witness.set_wire(
                Wire { gate: 0, input: Gate::wire_input(i) },
                permutation_inputs[i]);
        }

        let generators = gate.0.generators(config, 0, vec![], vec![]);
        generate_partial_witness(&mut witness, generators);

        let expected_outputs: [F; W] = gmimc_permute_naive(
            permutation_inputs.try_into().unwrap(),
            constants);

        for i in 0..W {
            let out = witness.get_wire(
                Wire { gate: 1, input: Gate::wire_output(i) });
            assert_eq!(out, expected_outputs[i]);
        }
    }
}
Mostly finish GMiMC gate 2021-02-24 13:07:22 -08:00			`use std::sync::Arc;`
Const generics in GMiMC 2021-02-24 12:25:13 -08:00
FriConsistencyGate 2021-03-18 12:44:45 -07:00			`use num::{BigUint, One};`
Degree-3 GMiMC gate 2021-03-01 12:35:02 -08:00
Initial commit 2021-02-09 21:25:21 -08:00			`use crate::circuit_data::CircuitConfig;`
			`use crate::constraint_polynomial::ConstraintPolynomial;`
			`use crate::field::field::Field;`
Gate infra 2021-02-26 13:18:41 -08:00			`use crate::gates::deterministic_gate::{DeterministicGate, DeterministicGateAdapter};`
GMiMC, witness generation 2021-03-01 13:40:05 -08:00			`use crate::gates::gate::GateRef;`
Gate infra 2021-02-26 13:18:41 -08:00			`use crate::gates::output_graph::{GateOutputLocation, OutputGraph};`
Initial commit 2021-02-09 21:25:21 -08:00
Const generics in GMiMC 2021-02-24 12:25:13 -08:00			/// Evaluates a full GMiMC permutation, and writes the output to the next gate's first `width`
			/// wires (which could be the input of another `GMiMCGate`).
Initial commit 2021-02-09 21:25:21 -08:00			`#[derive(Debug)]`
Const generics in GMiMC 2021-02-24 12:25:13 -08:00			`pub struct GMiMCGate<F: Field, const W: usize, const R: usize> {`
Minor 2021-02-24 13:15:21 -08:00			`constants: Arc<[F; R]>,`
Initial commit 2021-02-09 21:25:21 -08:00			`}`

Const generics in GMiMC 2021-02-24 12:25:13 -08:00			`impl<F: Field, const W: usize, const R: usize> GMiMCGate<F, W, R> {`
Minor 2021-02-24 13:15:21 -08:00			`pub fn with_constants(constants: Arc<[F; R]>) -> GateRef<F> {`
Gate infra 2021-02-26 13:18:41 -08:00			`let gate = GMiMCGate::<F, W, R> { constants };`
			`let adapter = DeterministicGateAdapter::new(gate);`
			`GateRef::new(adapter)`
Minor 2021-02-24 13:15:21 -08:00			`}`

			`pub fn with_automatic_constants() -> GateRef<F> {`
Initial commit 2021-02-09 21:25:21 -08:00			`todo!()`
			`}`
Gate infra 2021-02-26 13:18:41 -08:00
			`/// If this is set to 1, the first four inputs will be swapped with the next four inputs. This`
			`/// is useful for ordering hashes in Merkle proofs. Otherwise, this should be set to 0.`
Degree-3 GMiMC gate 2021-03-01 12:35:02 -08:00			`pub const WIRE_SWITCH: usize = W;`
Gate infra 2021-02-26 13:18:41 -08:00
			`/// The wire index for the i'th input to the permutation.`
			`pub fn wire_input(i: usize) -> usize {`
Degree-3 GMiMC gate 2021-03-01 12:35:02 -08:00			`i`
Gate infra 2021-02-26 13:18:41 -08:00			`}`

			`/// The wire index for the i'th output to the permutation.`
			`/// Note that outputs are written to the next gate's wires.`
			`pub fn wire_output(i: usize) -> usize {`
Degree-3 GMiMC gate 2021-03-01 12:35:02 -08:00			`i`
			`}`

			/// Adds a local wire output to this output graph. Returns a `ConstraintPolynomial` which
			`/// references the newly-created wire.`
			`///`
			/// This may seem like it belongs in `OutputGraph`, but it is not that general, since it uses
			`/// a notion of "next available" local wire indices specific to this gate.`
FriConsistencyGate 2021-03-18 12:44:45 -07:00			// TODO: Switch to `ExpandableOutputGraph`.
Degree-3 GMiMC gate 2021-03-01 12:35:02 -08:00			`fn add_local(`
			`outputs: &mut OutputGraph<F>,`
			`poly: ConstraintPolynomial<F>,`
			`) -> ConstraintPolynomial<F> {`
			`let index = outputs.max_local_output_index().map_or(W + 1, \|i\| i + 1);`
			`outputs.add(GateOutputLocation::LocalWire(index), poly);`
FriConsistencyGate 2021-03-18 12:44:45 -07:00			`ConstraintPolynomial::local_wire(index)`
Gate infra 2021-02-26 13:18:41 -08:00			`}`
Initial commit 2021-02-09 21:25:21 -08:00			`}`

Gate infra 2021-02-26 13:18:41 -08:00			`impl<F: Field, const W: usize, const R: usize> DeterministicGate<F> for GMiMCGate<F, W, R> {`
Initial commit 2021-02-09 21:25:21 -08:00			`fn id(&self) -> String {`
Gate infra 2021-02-26 13:18:41 -08:00			`// TODO: This won't include generic params?`
Initial commit 2021-02-09 21:25:21 -08:00			`format!("{:?}", self)`
			`}`

FriConsistencyGate 2021-03-18 12:44:45 -07:00			`fn outputs(&self, _config: CircuitConfig) -> OutputGraph<F> {`
Gate infra 2021-02-26 13:18:41 -08:00			`let original_inputs = (0..W)`
FriConsistencyGate 2021-03-18 12:44:45 -07:00			`.map(\|i\| ConstraintPolynomial::local_wire(Self::wire_input(i)))`
Mostly finish GMiMC gate 2021-02-24 13:07:22 -08:00			`.collect::<Vec<_>>();`

Degree-3 GMiMC gate 2021-03-01 12:35:02 -08:00			`let mut outputs = OutputGraph::new();`

Gate infra 2021-02-26 13:18:41 -08:00			`// Conditionally switch inputs based on the (boolean) switch wire.`
FriConsistencyGate 2021-03-18 12:44:45 -07:00			`let switch = ConstraintPolynomial::local_wire(Self::WIRE_SWITCH);`
Gate infra 2021-02-26 13:18:41 -08:00			`let mut state = Vec::new();`
			`for i in 0..4 {`
			`let a = &original_inputs[i];`
			`let b = &original_inputs[i + 4];`
			`state.push(a + &switch * (b - a));`
			`}`
			`for i in 0..4 {`
			`let a = &original_inputs[i + 4];`
			`let b = &original_inputs[i];`
			`state.push(a + &switch * (b - a));`
			`}`
			`for i in 8..W {`
			`state.push(original_inputs[i].clone());`
			`}`

Mostly finish GMiMC gate 2021-02-24 13:07:22 -08:00			`// Value that is implicitly added to each element.`
			`// See https://affine.group/2020/02/starkware-challenge`
			`let mut addition_buffer = ConstraintPolynomial::zero();`

			`for r in 0..R {`
			`let active = r % W;`
Minor 2021-02-24 13:15:21 -08:00			`let round_constant = ConstraintPolynomial::constant(self.constants[r]);`
Degree-3 GMiMC gate 2021-03-01 12:35:02 -08:00			`let mut f_input = &state[active] + &addition_buffer + round_constant;`
			`if f_input.degree() > BigUint::one() {`
			`f_input = Self::add_local(&mut outputs, f_input);`
			`}`
			`let f_output = f_input.cube();`
			`addition_buffer += &f_output;`
			`state[active] -= f_output;`
Mostly finish GMiMC gate 2021-02-24 13:07:22 -08:00			`}`

			`for i in 0..W {`
Degree-3 GMiMC gate 2021-03-01 12:35:02 -08:00			`outputs.add(GateOutputLocation::NextWire(i), &state[i] + &addition_buffer);`
Mostly finish GMiMC gate 2021-02-24 13:07:22 -08:00			`}`

Degree-3 GMiMC gate 2021-03-01 12:35:02 -08:00			`outputs`
Const generics in GMiMC 2021-02-24 12:25:13 -08:00			`}`

Gate infra 2021-02-26 13:18:41 -08:00			`fn additional_constraints(&self, _config: CircuitConfig) -> Vec<ConstraintPolynomial<F>> {`
FriConsistencyGate 2021-03-18 12:44:45 -07:00			`let switch = ConstraintPolynomial::local_wire(Self::WIRE_SWITCH);`
Gate infra 2021-02-26 13:18:41 -08:00			`let switch_bool_constraint = &switch * (&switch - 1);`
			`vec![switch_bool_constraint]`
Const generics in GMiMC 2021-02-24 12:25:13 -08:00			`}`
Initial commit 2021-02-09 21:25:21 -08:00			`}`
Degree shrinker 2021-02-26 23:30:22 -08:00
			`#[cfg(test)]`
			`mod tests {`
GMiMC, witness generation 2021-03-01 13:40:05 -08:00			`use std::convert::TryInto;`
Degree shrinker 2021-02-26 23:30:22 -08:00			`use std::sync::Arc;`

Degree-3 GMiMC gate 2021-03-01 12:35:02 -08:00			`use crate::circuit_data::CircuitConfig;`
Degree shrinker 2021-02-26 23:30:22 -08:00			`use crate::field::crandall_field::CrandallField;`
			`use crate::field::field::Field;`
			`use crate::gates::deterministic_gate::DeterministicGate;`
Degree-3 GMiMC gate 2021-03-01 12:35:02 -08:00			`use crate::gates::gmimc::GMiMCGate;`
GMiMC, witness generation 2021-03-01 13:40:05 -08:00			`use crate::generator::generate_partial_witness;`
			`use crate::gmimc::gmimc_permute_naive;`
			`use crate::wire::Wire;`
			`use crate::witness::PartialWitness;`
Degree shrinker 2021-02-26 23:30:22 -08:00
			`#[test]`
			`fn degree() {`
			`type F = CrandallField;`
			`const W: usize = 12;`
Degree-3 GMiMC gate 2021-03-01 12:35:02 -08:00			`const R: usize = 101;`
Degree shrinker 2021-02-26 23:30:22 -08:00			`let gate = GMiMCGate::<F, W, R> { constants: Arc::new([F::TWO; R]) };`
			`let config = CircuitConfig {`
			`num_wires: 200,`
			`num_routed_wires: 200,`
Degree-3 GMiMC gate 2021-03-01 12:35:02 -08:00			`security_bits: 128,`
Degree shrinker 2021-02-26 23:30:22 -08:00			`};`
			`let outs = gate.outputs(config);`
Degree-3 GMiMC gate 2021-03-01 12:35:02 -08:00			`assert_eq!(outs.degree(), 3);`
			`}`

			`#[test]`
			`fn generated_output() {`
			`type F = CrandallField;`
			`const W: usize = 12;`
			`const R: usize = 101;`
			`let constants = Arc::new([F::TWO; R]);`
GMiMC, witness generation 2021-03-01 13:40:05 -08:00			`type Gate = GMiMCGate::<F, W, R>;`
			`let gate = Gate::with_constants(constants.clone());`
Degree-3 GMiMC gate 2021-03-01 12:35:02 -08:00
			`let config = CircuitConfig {`
			`num_wires: 200,`
			`num_routed_wires: 200,`
			`security_bits: 128,`
			`};`

GMiMC, witness generation 2021-03-01 13:40:05 -08:00			`let permutation_inputs = (0..W)`
			`.map(F::from_canonical_usize)`
			`.collect::<Vec<_>>();`

			`let mut witness = PartialWitness::new();`
			`witness.set_wire(Wire { gate: 0, input: Gate::WIRE_SWITCH }, F::ZERO);`
			`for i in 0..W {`
			`witness.set_wire(`
			`Wire { gate: 0, input: Gate::wire_input(i) },`
			`permutation_inputs[i]);`
			`}`

			`let generators = gate.0.generators(config, 0, vec![], vec![]);`
			`generate_partial_witness(&mut witness, generators);`

			`let expected_outputs: [F; W] = gmimc_permute_naive(`
			`permutation_inputs.try_into().unwrap(),`
			`constants);`

			`for i in 0..W {`
			`let out = witness.get_wire(`
			`Wire { gate: 1, input: Gate::wire_output(i) });`
			`assert_eq!(out, expected_outputs[i]);`
			`}`
Degree shrinker 2021-02-26 23:30:22 -08:00			`}`
			`}`