diff --git a/src/bin/bench_recursion.rs b/src/bin/bench_recursion.rs index 19f7716c..9fab2456 100644 --- a/src/bin/bench_recursion.rs +++ b/src/bin/bench_recursion.rs @@ -8,7 +8,6 @@ use plonky2::fri::FriConfig; use plonky2::gates::constant::ConstantGate; use plonky2::gates::gmimc::GMiMCGate; use plonky2::hash::GMIMC_ROUNDS; -use plonky2::prover::PLONK_BLINDING; use plonky2::witness::PartialWitness; fn main() { @@ -41,7 +40,6 @@ fn bench_prove, const D: usize>() { rate_bits: 3, reduction_arity_bits: vec![1], num_query_rounds: 1, - blinding: PLONK_BLINDING.to_vec(), }, }; diff --git a/src/circuit_data.rs b/src/circuit_data.rs index 7429e62a..c8477464 100644 --- a/src/circuit_data.rs +++ b/src/circuit_data.rs @@ -7,7 +7,7 @@ use crate::gates::gate::GateRef; use crate::generator::WitnessGenerator; use crate::polynomial::commitment::ListPolynomialCommitment; use crate::proof::{Hash, HashTarget, Proof}; -use crate::prover::{prove, PLONK_BLINDING}; +use crate::prover::prove; use crate::verifier::verify; use crate::witness::PartialWitness; @@ -38,7 +38,6 @@ impl Default for CircuitConfig { rate_bits: 1, reduction_arity_bits: vec![1], num_query_rounds: 1, - blinding: vec![true], }, } } @@ -61,7 +60,6 @@ impl CircuitConfig { rate_bits: 3, reduction_arity_bits: vec![1], num_query_rounds: 1, - blinding: PLONK_BLINDING.to_vec(), }, } } diff --git a/src/fri/mod.rs b/src/fri/mod.rs index 6351a2af..87fe3db5 100644 --- a/src/fri/mod.rs +++ b/src/fri/mod.rs @@ -1,5 +1,3 @@ -use crate::polynomial::commitment::SALT_SIZE; - pub mod prover; mod recursive_verifier; pub mod verifier; @@ -22,20 +20,6 @@ pub struct FriConfig { /// Number of query rounds to perform. pub num_query_rounds: usize, - - /// Vector of the same length as the number of initial Merkle trees. - /// `blinding[i]==true` iff the i-th tree is salted. - pub blinding: Vec, -} - -impl FriConfig { - pub(crate) fn salt_size(&self, i: usize) -> usize { - if self.blinding[i] { - SALT_SIZE - } else { - 0 - } - } } fn fri_delta(rate_log: usize, conjecture: bool) -> f64 { diff --git a/src/fri/recursive_verifier.rs b/src/fri/recursive_verifier.rs index b35098e1..7c04d4a2 100644 --- a/src/fri/recursive_verifier.rs +++ b/src/fri/recursive_verifier.rs @@ -6,6 +6,7 @@ use crate::field::extension_field::Extendable; use crate::field::field::Field; use crate::fri::FriConfig; use crate::plonk_challenger::RecursiveChallenger; +use crate::plonk_common::PlonkPolynomials; use crate::proof::{ FriInitialTreeProofTarget, FriProofTarget, FriQueryRoundTarget, HashTarget, OpeningSetTarget, }; @@ -157,11 +158,15 @@ impl, const D: usize> CircuitBuilder { // - one for polynomials opened at `x` and `x.frobenius()` // Polynomials opened at `x`, i.e., the constants, sigmas and quotient polynomials. - let single_evals = [0, 1, 4] - .iter() - .flat_map(|&i| proof.unsalted_evals(i, config)) - .map(|&e| self.convert_to_ext(e)) - .collect::>(); + let single_evals = [ + PlonkPolynomials::CONSTANTS, + PlonkPolynomials::SIGMAS, + PlonkPolynomials::QUOTIENT, + ] + .iter() + .flat_map(|&p| proof.unsalted_evals(p)) + .map(|&e| self.convert_to_ext(e)) + .collect::>(); let single_openings = os .constants .iter() @@ -179,7 +184,7 @@ impl, const D: usize> CircuitBuilder { // Polynomials opened at `x` and `g x`, i.e., the Zs polynomials. let zs_evals = proof - .unsalted_evals(3, config) + .unsalted_evals(PlonkPolynomials::ZS) .iter() .map(|&e| self.convert_to_ext(e)) .collect::>(); @@ -217,7 +222,7 @@ impl, const D: usize> CircuitBuilder { // Polynomials opened at `x` and `x.frobenius()`, i.e., the wires polynomials. let wire_evals = proof - .unsalted_evals(2, config) + .unsalted_evals(PlonkPolynomials::WIRES) .iter() .map(|&e| self.convert_to_ext(e)) .collect::>(); diff --git a/src/fri/verifier.rs b/src/fri/verifier.rs index 2ce33bd0..f27070b2 100644 --- a/src/fri/verifier.rs +++ b/src/fri/verifier.rs @@ -7,7 +7,7 @@ use crate::fri::FriConfig; use crate::hash::hash_n_to_1; use crate::merkle_proofs::verify_merkle_proof; use crate::plonk_challenger::Challenger; -use crate::plonk_common::reduce_with_iter; +use crate::plonk_common::{reduce_with_iter, PlonkPolynomials}; use crate::proof::{FriInitialTreeProof, FriProof, FriQueryRound, Hash, OpeningSet}; use crate::util::scaling::ScalingFactor; use crate::util::{log2_strict, reverse_bits, reverse_index_bits_in_place}; @@ -158,31 +158,31 @@ fn fri_combine_initial, const D: usize>( // We will add three terms to `sum`: // - one for various polynomials which are opened at a single point `x` // - one for Zs, which are opened at `x` and `g x` - // - one for wire polynomials, which are opened at `x` and its conjugate + // - one for wire polynomials, which are opened at `x` and `x.frobenius()` // Polynomials opened at `x`, i.e., the constants, sigmas and quotient polynomials. - let single_evals = &proof - .unsalted_evals(0, config) - .into_iter() - .chain(proof.unsalted_evals(1, config)) - .chain(proof.unsalted_evals(4, config)) - .map(|e| F::Extension::from_basefield(e)); + let single_evals = [ + PlonkPolynomials::CONSTANTS, + PlonkPolynomials::SIGMAS, + PlonkPolynomials::QUOTIENT, + ] + .iter() + .flat_map(|&p| proof.unsalted_evals(p)) + .map(|&e| F::Extension::from_basefield(e)); let single_openings = os .constants - .clone() - .into_iter() - .chain(os.plonk_s_sigmas.clone()) - .chain(os.quotient_polys.clone()); - let single_diffs = single_evals.zip(single_openings).map(|(e, o)| e - o); - dbg!(single_diffs.rev()); - let single_numerator = alpha.scale(single_diffs); + .iter() + .chain(&os.plonk_s_sigmas) + .chain(&os.quotient_polys); + let single_diffs = single_evals.zip(single_openings).map(|(e, &o)| e - o); + let single_numerator = reduce_with_iter(single_diffs, &mut alpha_powers); let single_denominator = subgroup_x - zeta; sum += single_numerator / single_denominator; alpha.shift(sum); // Polynomials opened at `x` and `g x`, i.e., the Zs polynomials. let zs_evals = proof - .unsalted_evals(3, config) + .unsalted_evals(PlonkPolynomials::ZS) .iter() .map(|&e| F::Extension::from_basefield(e)); let zs_composition_eval = alpha.clone().scale(zs_evals); @@ -198,7 +198,7 @@ fn fri_combine_initial, const D: usize>( // Polynomials opened at `x` and `x.frobenius()`, i.e., the wires polynomials. let wire_evals = proof - .unsalted_evals(2, config) + .unsalted_evals(PlonkPolynomials::WIRES) .iter() .map(|&e| F::Extension::from_basefield(e)); let wire_composition_eval = alpha.clone().scale(wire_evals); diff --git a/src/gadgets/arithmetic.rs b/src/gadgets/arithmetic.rs index 6250ea81..520f8cd9 100644 --- a/src/gadgets/arithmetic.rs +++ b/src/gadgets/arithmetic.rs @@ -371,7 +371,6 @@ mod tests { use crate::field::extension_field::quartic::QuarticCrandallField; use crate::field::field::Field; use crate::fri::FriConfig; - use crate::prover::PLONK_BLINDING; use crate::witness::PartialWitness; #[test] diff --git a/src/plonk_common.rs b/src/plonk_common.rs index 5c881fb1..c9f11b74 100644 --- a/src/plonk_common.rs +++ b/src/plonk_common.rs @@ -6,10 +6,62 @@ use crate::field::extension_field::target::ExtensionTarget; use crate::field::extension_field::Extendable; use crate::field::field::Field; use crate::gates::gate::GateRef; +use crate::polynomial::commitment::SALT_SIZE; use crate::polynomial::polynomial::PolynomialCoeffs; use crate::target::Target; use crate::vars::{EvaluationTargets, EvaluationVars, EvaluationVarsBase}; +/// Holds the Merkle tree index and blinding flag of a set of polynomials used in FRI. +#[derive(Debug, Copy, Clone)] +pub struct PolynomialsIndexBlinding { + pub(crate) index: usize, + pub(crate) blinding: bool, +} +impl PolynomialsIndexBlinding { + pub fn salt_size(&self) -> usize { + if self.blinding { + SALT_SIZE + } else { + 0 + } + } +} +/// Holds the indices and blinding flags of the Plonk polynomials. +pub struct PlonkPolynomials; +impl PlonkPolynomials { + pub const CONSTANTS: PolynomialsIndexBlinding = PolynomialsIndexBlinding { + index: 0, + blinding: false, + }; + pub const SIGMAS: PolynomialsIndexBlinding = PolynomialsIndexBlinding { + index: 1, + blinding: false, + }; + pub const WIRES: PolynomialsIndexBlinding = PolynomialsIndexBlinding { + index: 2, + blinding: true, + }; + pub const ZS: PolynomialsIndexBlinding = PolynomialsIndexBlinding { + index: 3, + blinding: true, + }; + pub const QUOTIENT: PolynomialsIndexBlinding = PolynomialsIndexBlinding { + index: 4, + blinding: true, + }; + + pub fn polynomials(i: usize) -> PolynomialsIndexBlinding { + match i { + 0 => Self::CONSTANTS, + 1 => Self::SIGMAS, + 2 => Self::WIRES, + 3 => Self::ZS, + 4 => Self::QUOTIENT, + _ => panic!("There are only 5 sets of polynomials in Plonk."), + } + } +} + /// Evaluate the vanishing polynomial at `x`. In this context, the vanishing polynomial is a random /// linear combination of gate constraints, plus some other terms relating to the permutation /// argument. All such terms should vanish on `H`. diff --git a/src/polynomial/commitment.rs b/src/polynomial/commitment.rs index c1fd08eb..caa61553 100644 --- a/src/polynomial/commitment.rs +++ b/src/polynomial/commitment.rs @@ -260,9 +260,9 @@ pub struct OpeningProofTarget { #[cfg(test)] mod tests { use anyhow::Result; - use rand::Rng; use super::*; + use crate::plonk_common::PlonkPolynomials; fn gen_random_test_case, const D: usize>( k: usize, @@ -288,17 +288,6 @@ mod tests { point } - fn gen_random_blindings() -> Vec { - let mut rng = rand::thread_rng(); - vec![ - rng.gen_bool(0.5), - rng.gen_bool(0.5), - rng.gen_bool(0.5), - rng.gen_bool(0.5), - rng.gen_bool(0.5), - ] - } - fn check_batch_polynomial_commitment, const D: usize>() -> Result<()> { let ks = [1, 2, 3, 5, 8]; let degree_log = 11; @@ -307,7 +296,6 @@ mod tests { rate_bits: 2, reduction_arity_bits: vec![2, 3, 1, 2], num_query_rounds: 3, - blinding: gen_random_blindings(), }; let lpcs = (0..5) @@ -315,7 +303,7 @@ mod tests { ListPolynomialCommitment::::new( gen_random_test_case(ks[i], degree_log), fri_config.rate_bits, - fri_config.blinding[i], + PlonkPolynomials::polynomials(i).blinding, ) }) .collect::>(); diff --git a/src/proof.rs b/src/proof.rs index a029114a..7536f3ee 100644 --- a/src/proof.rs +++ b/src/proof.rs @@ -3,9 +3,9 @@ use std::convert::TryInto; use crate::field::extension_field::target::ExtensionTarget; use crate::field::extension_field::Extendable; use crate::field::field::Field; -use crate::fri::FriConfig; use crate::gadgets::polynomial::PolynomialCoeffsExtTarget; use crate::merkle_proofs::{MerkleProof, MerkleProofTarget}; +use crate::plonk_common::PolynomialsIndexBlinding; use crate::polynomial::commitment::{ListPolynomialCommitment, OpeningProof, OpeningProofTarget}; use crate::polynomial::polynomial::PolynomialCoeffs; use crate::target::Target; @@ -99,9 +99,9 @@ pub struct FriInitialTreeProof { } impl FriInitialTreeProof { - pub(crate) fn unsalted_evals(&self, i: usize, config: &FriConfig) -> Vec { - let evals = &self.evals_proofs[i].0; - evals[..evals.len() - config.salt_size(i)].to_vec() + pub(crate) fn unsalted_evals(&self, polynomials: PolynomialsIndexBlinding) -> &[F] { + let evals = &self.evals_proofs[polynomials.index].0; + &evals[..evals.len() - polynomials.salt_size()] } } @@ -110,9 +110,9 @@ pub struct FriInitialTreeProofTarget { } impl FriInitialTreeProofTarget { - pub(crate) fn unsalted_evals(&self, i: usize, config: &FriConfig) -> &[Target] { - let evals = &self.evals_proofs[i].0; - &evals[..evals.len() - config.salt_size(i)] + pub(crate) fn unsalted_evals(&self, polynomials: PolynomialsIndexBlinding) -> &[Target] { + let evals = &self.evals_proofs[polynomials.index].0; + &evals[..evals.len() - polynomials.salt_size()] } } diff --git a/src/prover.rs b/src/prover.rs index df4d912a..5ea6ddfd 100644 --- a/src/prover.rs +++ b/src/prover.rs @@ -19,9 +19,6 @@ use crate::vars::EvaluationVarsBase; use crate::wire::Wire; use crate::witness::PartialWitness; -/// Corresponds to constants - sigmas - wires - zs - quotient — polynomial commitments. -pub const PLONK_BLINDING: [bool; 5] = [false, false, true, true, true]; - pub(crate) fn prove, const D: usize>( prover_data: &ProverOnlyCircuitData, common_data: &CommonCircuitData,