plonky2/src/proof.rs

use std::convert::TryInto;

use crate::field::extension_field::target::ExtensionTarget;
use crate::field::extension_field::Extendable;
use crate::field::field::Field;
use crate::fri::FriConfig;
use crate::gadgets::polynomial::PolynomialCoeffsExtTarget;
use crate::merkle_proofs::{MerkleProof, MerkleProofTarget};
use crate::polynomial::commitment::{ListPolynomialCommitment, OpeningProof, OpeningProofTarget};
use crate::polynomial::polynomial::PolynomialCoeffs;
use crate::target::Target;

/// Represents a ~256 bit hash output.
#[derive(Copy, Clone, Debug, Eq, PartialEq)]
pub struct Hash<F: Field> {
    pub(crate) elements: [F; 4],
}

impl<F: Field> Hash<F> {
    pub(crate) fn from_vec(elements: Vec<F>) -> Self {
        debug_assert!(elements.len() == 4);
        Self {
            elements: elements.try_into().unwrap(),
        }
    }

    pub(crate) fn from_partial(mut elements: Vec<F>) -> Self {
        debug_assert!(elements.len() <= 4);
        while elements.len() < 4 {
            elements.push(F::ZERO);
        }
        Self {
            elements: [elements[0], elements[1], elements[2], elements[3]],
        }
    }
}

/// Represents a ~256 bit hash output.
#[derive(Copy, Clone, Debug)]
pub struct HashTarget {
    pub(crate) elements: [Target; 4],
}

impl HashTarget {
    pub(crate) fn from_vec(elements: Vec<Target>) -> Self {
        debug_assert!(elements.len() == 4);
        Self {
            elements: elements.try_into().unwrap(),
        }
    }

    pub(crate) fn from_partial(mut elements: Vec<Target>, zero: Target) -> Self {
        debug_assert!(elements.len() <= 4);
        while elements.len() < 4 {
            elements.push(zero);
        }
        Self {
            elements: [elements[0], elements[1], elements[2], elements[3]],
        }
    }
}

pub struct Proof<F: Field + Extendable<D>, const D: usize> {
    /// Merkle root of LDEs of wire values.
    pub wires_root: Hash<F>,
    /// Merkle root of LDEs of Z, in the context of Plonk's permutation argument.
    pub plonk_zs_root: Hash<F>,
    /// Merkle root of LDEs of the quotient polynomial components.
    pub quotient_polys_root: Hash<F>,
    /// Purported values of each polynomial at the challenge point.
    pub openings: OpeningSet<F, D>,
    /// A FRI argument for each FRI query.
    pub opening_proof: OpeningProof<F, D>,
}

pub struct ProofTarget<const D: usize> {
    pub wires_root: HashTarget,
    pub plonk_zs_root: HashTarget,
    pub quotient_polys_root: HashTarget,
    pub openings: Vec<OpeningSetTarget<D>>,
    pub opening_proof: Vec<OpeningProofTarget<D>>,
}

/// Evaluations and Merkle proof produced by the prover in a FRI query step.
pub struct FriQueryStep<F: Field + Extendable<D>, const D: usize> {
    pub evals: Vec<F::Extension>,
    pub merkle_proof: MerkleProof<F>,
}

pub struct FriQueryStepTarget<const D: usize> {
    pub evals: Vec<ExtensionTarget<D>>,
    pub merkle_proof: MerkleProofTarget,
}

/// Evaluations and Merkle proofs of the original set of polynomials,
/// before they are combined into a composition polynomial.
pub struct FriInitialTreeProof<F: Field> {
    pub evals_proofs: Vec<(Vec<F>, MerkleProof<F>)>,
}

impl<F: Field> FriInitialTreeProof<F> {
    pub(crate) fn unsalted_evals(&self, i: usize, config: &FriConfig) -> &[F] {
        let evals = &self.evals_proofs[i].0;
        &evals[..evals.len() - config.salt_size(i)]
    }
}

pub struct FriInitialTreeProofTarget {
    pub evals_proofs: Vec<(Vec<Target>, MerkleProofTarget)>,
}

impl FriInitialTreeProofTarget {
    pub(crate) fn unsalted_evals(&self, i: usize, config: &FriConfig) -> &[Target] {
        let evals = &self.evals_proofs[i].0;
        &evals[..evals.len() - config.salt_size(i)]
    }
}

/// Proof for a FRI query round.
pub struct FriQueryRound<F: Field + Extendable<D>, const D: usize> {
    pub initial_trees_proof: FriInitialTreeProof<F>,
    pub steps: Vec<FriQueryStep<F, D>>,
}

pub struct FriQueryRoundTarget<const D: usize> {
    pub initial_trees_proof: FriInitialTreeProofTarget,
    pub steps: Vec<FriQueryStepTarget<D>>,
}

pub struct FriProof<F: Field + Extendable<D>, const D: usize> {
    /// A Merkle root for each reduced polynomial in the commit phase.
    pub commit_phase_merkle_roots: Vec<Hash<F>>,
    /// Query rounds proofs
    pub query_round_proofs: Vec<FriQueryRound<F, D>>,
    /// The final polynomial in coefficient form.
    pub final_poly: PolynomialCoeffs<F::Extension>,
    /// Witness showing that the prover did PoW.
    pub pow_witness: F,
}

pub struct FriProofTarget<const D: usize> {
    pub commit_phase_merkle_roots: Vec<HashTarget>,
    pub query_round_proofs: Vec<FriQueryRoundTarget<D>>,
    pub final_poly: PolynomialCoeffsExtTarget<D>,
    pub pow_witness: Target,
}

#[derive(Clone, Debug)]
/// The purported values of each polynomial at a single point.
pub struct OpeningSet<F: Field + Extendable<D>, const D: usize> {
    pub constants: Vec<F::Extension>,
    pub plonk_s_sigmas: Vec<F::Extension>,
    pub wires: Vec<F::Extension>,
    pub plonk_zs: Vec<F::Extension>,
    pub plonk_zs_right: Vec<F::Extension>,
    pub quotient_polys: Vec<F::Extension>,
}

impl<F: Field + Extendable<D>, const D: usize> OpeningSet<F, D> {
    pub fn new(
        z: F::Extension,
        g: F::Extension,
        constant_commitment: &ListPolynomialCommitment<F>,
        plonk_sigmas_commitment: &ListPolynomialCommitment<F>,
        wires_commitment: &ListPolynomialCommitment<F>,
        plonk_zs_commitment: &ListPolynomialCommitment<F>,
        quotient_polys_commitment: &ListPolynomialCommitment<F>,
    ) -> Self {
        let eval_commitment = |z: F::Extension, c: &ListPolynomialCommitment<F>| {
            c.polynomials
                .iter()
                .map(|p| p.to_extension().eval(z))
                .collect::<Vec<_>>()
        };
        Self {
            constants: eval_commitment(z, constant_commitment),
            plonk_s_sigmas: eval_commitment(z, plonk_sigmas_commitment),
            wires: eval_commitment(z, wires_commitment),
            plonk_zs: eval_commitment(z, plonk_zs_commitment),
            plonk_zs_right: eval_commitment(g * z, plonk_zs_commitment),
            quotient_polys: eval_commitment(z, quotient_polys_commitment),
        }
    }
}

/// The purported values of each polynomial at a single point.
pub struct OpeningSetTarget<const D: usize> {
    pub constants: Vec<ExtensionTarget<D>>,
    pub plonk_sigmas: Vec<ExtensionTarget<D>>,
    pub wires: Vec<ExtensionTarget<D>>,
    pub plonk_zs: Vec<ExtensionTarget<D>>,
    pub plonk_zs_right: Vec<ExtensionTarget<D>>,
    pub quotient_polys: Vec<ExtensionTarget<D>>,
}
Have rustfmt group imports (#60) * Have rustfmt group imports See `rustfmt.toml`; the rest is automated changes. * fmt 2021-06-10 14:10:35 -07:00			`use std::convert::TryInto;`

`Target` version of proof structs 2021-06-04 10:47:46 +02:00			`use crate::field::extension_field::target::ExtensionTarget;`
Working FRI with field extensions 2021-05-18 15:22:06 +02:00			`use crate::field::extension_field::Extendable;`
Initial commit 2021-02-09 21:25:21 -08:00			`use crate::field::field::Field;`
Attempt at simplification 2021-06-01 19:13:22 -07:00			`use crate::fri::FriConfig;`
`Target` version of proof structs 2021-06-04 10:47:46 +02:00			`use crate::gadgets::polynomial::PolynomialCoeffsExtTarget;`
Progress on FRI 2021-04-21 22:31:45 +02:00			`use crate::merkle_proofs::{MerkleProof, MerkleProofTarget};`
`Target` version of proof structs 2021-06-04 10:47:46 +02:00			`use crate::polynomial::commitment::{ListPolynomialCommitment, OpeningProof, OpeningProofTarget};`
Progress on FRI 2021-04-21 22:31:45 +02:00			`use crate::polynomial::polynomial::PolynomialCoeffs;`
Gate infra 2021-02-26 13:18:41 -08:00			`use crate::target::Target;`
Initial commit 2021-02-09 21:25:21 -08:00
More prover work 2021-03-25 15:20:14 -07:00			`/// Represents a ~256 bit hash output.`
Started implementing FRI 2021-04-09 18:24:19 +02:00			`#[derive(Copy, Clone, Debug, Eq, PartialEq)]`
Initial commit 2021-02-09 21:25:21 -08:00			`pub struct Hash<F: Field> {`
More prover work 2021-03-25 15:20:14 -07:00			`pub(crate) elements: [F; 4],`
			`}`

			`impl<F: Field> Hash<F> {`
Finish up recursive Merkle proofs 2021-04-09 12:53:33 -07:00			`pub(crate) fn from_vec(elements: Vec<F>) -> Self {`
			`debug_assert!(elements.len() == 4);`
Progress on FRI 2021-04-21 22:31:45 +02:00			`Self {`
			`elements: elements.try_into().unwrap(),`
			`}`
Finish up recursive Merkle proofs 2021-04-09 12:53:33 -07:00			`}`

More prover work 2021-03-25 15:20:14 -07:00			`pub(crate) fn from_partial(mut elements: Vec<F>) -> Self {`
			`debug_assert!(elements.len() <= 4);`
			`while elements.len() < 4 {`
			`elements.push(F::ZERO);`
			`}`
Progress on FRI 2021-04-21 22:31:45 +02:00			`Self {`
			`elements: [elements[0], elements[1], elements[2], elements[3]],`
			`}`
More prover work 2021-03-25 15:20:14 -07:00			`}`
Initial commit 2021-02-09 21:25:21 -08:00			`}`

Merkle proofs 2021-04-07 22:21:45 -07:00			`/// Represents a ~256 bit hash output.`
Added recursive `powers` 2021-06-04 17:36:48 +02:00			`#[derive(Copy, Clone, Debug)]`
Initial commit 2021-02-09 21:25:21 -08:00			`pub struct HashTarget {`
Recursive Merkle proofs 2021-04-09 12:40:43 -07:00			`pub(crate) elements: [Target; 4],`
			`}`

			`impl HashTarget {`
			`pub(crate) fn from_vec(elements: Vec<Target>) -> Self {`
			`debug_assert!(elements.len() == 4);`
Progress on FRI 2021-04-21 22:31:45 +02:00			`Self {`
			`elements: elements.try_into().unwrap(),`
			`}`
Recursive Merkle proofs 2021-04-09 12:40:43 -07:00			`}`

			`pub(crate) fn from_partial(mut elements: Vec<Target>, zero: Target) -> Self {`
			`debug_assert!(elements.len() <= 4);`
			`while elements.len() < 4 {`
			`elements.push(zero);`
			`}`
Progress on FRI 2021-04-21 22:31:45 +02:00			`Self {`
			`elements: [elements[0], elements[1], elements[2], elements[3]],`
			`}`
Recursive Merkle proofs 2021-04-09 12:40:43 -07:00			`}`
Initial commit 2021-02-09 21:25:21 -08:00			`}`

Const generics everywhere 2021-05-18 15:44:50 +02:00			`pub struct Proof<F: Field + Extendable<D>, const D: usize> {`
Initial commit 2021-02-09 21:25:21 -08:00			`/// Merkle root of LDEs of wire values.`
			`pub wires_root: Hash<F>,`
			`/// Merkle root of LDEs of Z, in the context of Plonk's permutation argument.`
Bit of refactoring, comments, etc. 2021-04-01 12:49:31 -07:00			`pub plonk_zs_root: Hash<F>,`
Initial commit 2021-02-09 21:25:21 -08:00			`/// Merkle root of LDEs of the quotient polynomial components.`
Bit of refactoring, comments, etc. 2021-04-01 12:49:31 -07:00			`pub quotient_polys_root: Hash<F>,`
Rewrite LPC code to be more PLONK-specific 2021-05-31 17:49:04 +02:00			`/// Purported values of each polynomial at the challenge point.`
			`pub openings: OpeningSet<F, D>,`
Candidate API for Merkle proof data Does this make sense? I think other libraries tend to include the leaf's index (either as an integer, or a series of bits indicating left/right turns) as part of a "proof". In FRI, the leaf indices are chosen by the verifier, so I thought that approach might be sort of redundant. Let me know what you think though. 2021-04-06 19:11:21 -07:00			`/// A FRI argument for each FRI query.`
Const generics everywhere 2021-05-18 15:44:50 +02:00			`pub opening_proof: OpeningProof<F, D>,`
Initial commit 2021-02-09 21:25:21 -08:00			`}`

`Target` version of proof structs 2021-06-04 10:47:46 +02:00			`pub struct ProofTarget<const D: usize> {`
Initial commit 2021-02-09 21:25:21 -08:00			`pub wires_root: HashTarget,`
Bit of refactoring, comments, etc. 2021-04-01 12:49:31 -07:00			`pub plonk_zs_root: HashTarget,`
			`pub quotient_polys_root: HashTarget,`
`Target` version of proof structs 2021-06-04 10:47:46 +02:00			`pub openings: Vec<OpeningSetTarget<D>>,`
			`pub opening_proof: Vec<OpeningProofTarget<D>>,`
Gate infra 2021-02-26 13:18:41 -08:00			`}`

Fixes based on Daniel's PR comments. 2021-04-27 08:44:34 +02:00			`/// Evaluations and Merkle proof produced by the prover in a FRI query step.`
Const generics everywhere 2021-05-18 15:44:50 +02:00			`pub struct FriQueryStep<F: Field + Extendable<D>, const D: usize> {`
Working FRI with field extensions 2021-05-18 15:22:06 +02:00			`pub evals: Vec<F::Extension>,`
Fixes based on Daniel's PR comments. 2021-04-27 08:44:34 +02:00			`pub merkle_proof: MerkleProof<F>,`
Progress on FRI 2021-04-21 22:31:45 +02:00			`}`

`Target` version of proof structs 2021-06-04 10:47:46 +02:00			`pub struct FriQueryStepTarget<const D: usize> {`
			`pub evals: Vec<ExtensionTarget<D>>,`
			`pub merkle_proof: MerkleProofTarget,`
			`}`

Minor fixes 2021-05-06 15:14:43 +02:00			`/// Evaluations and Merkle proofs of the original set of polynomials,`
			`/// before they are combined into a composition polynomial.`
More work on polynomial commitments 2021-05-04 17:48:26 +02:00			`pub struct FriInitialTreeProof<F: Field> {`
			`pub evals_proofs: Vec<(Vec<F>, MerkleProof<F>)>,`
			`}`

Attempt at simplification 2021-06-01 19:13:22 -07:00			`impl<F: Field> FriInitialTreeProof<F> {`
			`pub(crate) fn unsalted_evals(&self, i: usize, config: &FriConfig) -> &[F] {`
			`let evals = &self.evals_proofs[i].0;`
			`&evals[..evals.len() - config.salt_size(i)]`
			`}`
			`}`

`Target` version of proof structs 2021-06-04 10:47:46 +02:00			`pub struct FriInitialTreeProofTarget {`
			`pub evals_proofs: Vec<(Vec<Target>, MerkleProofTarget)>,`
			`}`

Added recursive `powers` 2021-06-04 17:36:48 +02:00			`impl FriInitialTreeProofTarget {`
			`pub(crate) fn unsalted_evals(&self, i: usize, config: &FriConfig) -> &[Target] {`
			`let evals = &self.evals_proofs[i].0;`
			`&evals[..evals.len() - config.salt_size(i)]`
			`}`
			`}`

Fixes based on Daniel's PR comments. 2021-04-27 08:44:34 +02:00			`/// Proof for a FRI query round.`
Const generics everywhere 2021-05-18 15:44:50 +02:00			`pub struct FriQueryRound<F: Field + Extendable<D>, const D: usize> {`
More work on polynomial commitments 2021-05-04 17:48:26 +02:00			`pub initial_trees_proof: FriInitialTreeProof<F>,`
Const generics everywhere 2021-05-18 15:44:50 +02:00			`pub steps: Vec<FriQueryStep<F, D>>,`
Progress on FRI 2021-04-21 22:31:45 +02:00			`}`

`Target` version of proof structs 2021-06-04 10:47:46 +02:00			`pub struct FriQueryRoundTarget<const D: usize> {`
			`pub initial_trees_proof: FriInitialTreeProofTarget,`
			`pub steps: Vec<FriQueryStepTarget<D>>,`
			`}`

Const generics everywhere 2021-05-18 15:44:50 +02:00			`pub struct FriProof<F: Field + Extendable<D>, const D: usize> {`
Fixes based on PR feedback 2021-04-07 09:10:06 -07:00			`/// A Merkle root for each reduced polynomial in the commit phase.`
			`pub commit_phase_merkle_roots: Vec<Hash<F>>,`
Progress on FRI 2021-04-21 22:31:45 +02:00			`/// Query rounds proofs`
Const generics everywhere 2021-05-18 15:44:50 +02:00			`pub query_round_proofs: Vec<FriQueryRound<F, D>>,`
Candidate API for Merkle proof data Does this make sense? I think other libraries tend to include the leaf's index (either as an integer, or a series of bits indicating left/right turns) as part of a "proof". In FRI, the leaf indices are chosen by the verifier, so I thought that approach might be sort of redundant. Let me know what you think though. 2021-04-06 19:11:21 -07:00			`/// The final polynomial in coefficient form.`
Working FRI with field extensions 2021-05-18 15:22:06 +02:00			`pub final_poly: PolynomialCoeffs<F::Extension>,`
Added PoW 2021-04-22 15:50:08 +02:00			`/// Witness showing that the prover did PoW.`
			`pub pow_witness: F,`
Candidate API for Merkle proof data Does this make sense? I think other libraries tend to include the leaf's index (either as an integer, or a series of bits indicating left/right turns) as part of a "proof". In FRI, the leaf indices are chosen by the verifier, so I thought that approach might be sort of redundant. Let me know what you think though. 2021-04-06 19:11:21 -07:00			`}`

`Target` version of proof structs 2021-06-04 10:47:46 +02:00			`pub struct FriProofTarget<const D: usize> {`
Fixes based on PR feedback 2021-04-07 09:10:06 -07:00			`pub commit_phase_merkle_roots: Vec<HashTarget>,`
`Target` version of proof structs 2021-06-04 10:47:46 +02:00			`pub query_round_proofs: Vec<FriQueryRoundTarget<D>>,`
			`pub final_poly: PolynomialCoeffsExtTarget<D>,`
			`pub pow_witness: Target,`
Gate infra 2021-02-26 13:18:41 -08:00			`}`

Comment out errors 2021-06-09 17:55:49 +02:00			`#[derive(Clone, Debug)]`
Initial commit 2021-02-09 21:25:21 -08:00			`/// The purported values of each polynomial at a single point.`
Rewrite LPC code to be more PLONK-specific 2021-05-31 17:49:04 +02:00			`pub struct OpeningSet<F: Field + Extendable<D>, const D: usize> {`
			`pub constants: Vec<F::Extension>,`
Bit of verifier work (#54) * Bit of verifier work * Minor * next_plonk_zs now available after William's changes 2021-06-08 21:23:52 -07:00			`pub plonk_s_sigmas: Vec<F::Extension>,`
Rewrite LPC code to be more PLONK-specific 2021-05-31 17:49:04 +02:00			`pub wires: Vec<F::Extension>,`
			`pub plonk_zs: Vec<F::Extension>,`
			`pub plonk_zs_right: Vec<F::Extension>,`
			`pub quotient_polys: Vec<F::Extension>,`
Initial commit 2021-02-09 21:25:21 -08:00			`}`

Rewrite LPC code to be more PLONK-specific 2021-05-31 17:49:04 +02:00			`impl<F: Field + Extendable<D>, const D: usize> OpeningSet<F, D> {`
Update PLONK prover. 2021-05-06 23:14:37 +02:00			`pub fn new(`
Rewrite LPC code to be more PLONK-specific 2021-05-31 17:49:04 +02:00			`z: F::Extension,`
			`g: F::Extension,`
Update PLONK prover. 2021-05-06 23:14:37 +02:00			`constant_commitment: &ListPolynomialCommitment<F>,`
			`plonk_sigmas_commitment: &ListPolynomialCommitment<F>,`
			`wires_commitment: &ListPolynomialCommitment<F>,`
			`plonk_zs_commitment: &ListPolynomialCommitment<F>,`
			`quotient_polys_commitment: &ListPolynomialCommitment<F>,`
			`) -> Self {`
Rewrite LPC code to be more PLONK-specific 2021-05-31 17:49:04 +02:00			`let eval_commitment = \|z: F::Extension, c: &ListPolynomialCommitment<F>\| {`
			`c.polynomials`
			`.iter()`
			`.map(\|p\| p.to_extension().eval(z))`
			`.collect::<Vec<_>>()`
Update PLONK prover. 2021-05-06 23:14:37 +02:00			`};`
			`Self {`
			`constants: eval_commitment(z, constant_commitment),`
Bit of verifier work (#54) * Bit of verifier work * Minor * next_plonk_zs now available after William's changes 2021-06-08 21:23:52 -07:00			`plonk_s_sigmas: eval_commitment(z, plonk_sigmas_commitment),`
Update PLONK prover. 2021-05-06 23:14:37 +02:00			`wires: eval_commitment(z, wires_commitment),`
			`plonk_zs: eval_commitment(z, plonk_zs_commitment),`
Rewrite LPC code to be more PLONK-specific 2021-05-31 17:49:04 +02:00			`plonk_zs_right: eval_commitment(g * z, plonk_zs_commitment),`
Update PLONK prover. 2021-05-06 23:14:37 +02:00			`quotient_polys: eval_commitment(z, quotient_polys_commitment),`
			`}`
			`}`
			`}`

Initial commit 2021-02-09 21:25:21 -08:00			`/// The purported values of each polynomial at a single point.`
`Target` version of proof structs 2021-06-04 10:47:46 +02:00			`pub struct OpeningSetTarget<const D: usize> {`
			`pub constants: Vec<ExtensionTarget<D>>,`
			`pub plonk_sigmas: Vec<ExtensionTarget<D>>,`
			`pub wires: Vec<ExtensionTarget<D>>,`
			`pub plonk_zs: Vec<ExtensionTarget<D>>,`
Working `fri_combine_initial` 2021-06-08 14:56:49 +02:00			`pub plonk_zs_right: Vec<ExtensionTarget<D>>,`
`Target` version of proof structs 2021-06-04 10:47:46 +02:00			`pub quotient_polys: Vec<ExtensionTarget<D>>,`
Initial commit 2021-02-09 21:25:21 -08:00			`}`