logos-storage/plonky2
1
0
Fork 0
mirror of https://github.com/logos-storage/plonky2.git synced 2026-01-04 23:03:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into exp_gate

Browse Source
This commit is contained in:
Nicholas Ward 2021-07-27 12:29:24 -07:00
commit 34d59305a1
17 changed files with 473 additions and 73 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/bin/bench_recursion.rs
View File

@ -21,7 +21,7 @@ fn main() -> Result<()> {
fn bench_prove<F: Field + Extendable<D>, const D: usize>() -> Result<()> {
let config = CircuitConfig {
num_wires: 134,
num_wires: 126,
num_routed_wires: 33,
security_bits: 128,
rate_bits: 3,

4
src/circuit_builder.rs
View File

@ -301,8 +301,8 @@ impl<F: Extendable<D>, const D: usize> CircuitBuilder<F, D> {
self.targets_to_constants.get(&target).cloned()
}
pub fn push_context(&mut self, ctx: &str) {
self.context_log.push(ctx, self.num_gates());
pub fn push_context(&mut self, level: log::Level, ctx: &str) {
self.context_log.push(ctx, level, self.num_gates());
}
pub fn pop_context(&mut self) {

2
src/circuit_data.rs
View File

@ -57,7 +57,7 @@ impl CircuitConfig {
pub(crate) fn large_config() -> Self {
Self {
num_wires: 126,
num_routed_wires: 34,
num_routed_wires: 33,
security_bits: 128,
rate_bits: 3,
num_challenges: 3,

28
src/context_tree.rs
View File

@ -1,9 +1,11 @@
use log::debug;
use log::{log, Level};
/// The hierarchy of contexts, and the gate count contributed by each one. Useful for debugging.
pub(crate) struct ContextTree {
/// The name of this scope.
name: String,
/// The level at which to log this scope and its children.
level: log::Level,
/// The gate count when this scope was created.
enter_gate_count: usize,
/// The gate count when this scope was destroyed, or None if it has not yet been destroyed.
@ -16,6 +18,7 @@ impl ContextTree {
pub fn new() -> Self {
Self {
name: "root".to_string(),
level: Level::Debug,
enter_gate_count: 0,
exit_gate_count: None,
children: vec![],
@ -43,18 +46,22 @@ impl ContextTree {
}
}
pub fn push(&mut self, ctx: &str, current_gate_count: usize) {
pub fn push(&mut self, ctx: &str, mut level: log::Level, current_gate_count: usize) {
assert!(self.is_open());
// We don't want a scope's log level to be stronger than that of its parent.
level = level.max(self.level);
if let Some(last_child) = self.children.last_mut() {
if last_child.is_open() {
last_child.push(ctx, current_gate_count);
last_child.push(ctx, level, current_gate_count);
return;
}
}
self.children.push(ContextTree {
name: ctx.to_string(),
level,
enter_gate_count: current_gate_count,
exit_gate_count: None,
children: vec![],
@ -83,6 +90,7 @@ impl ContextTree {
pub fn filter(&self, current_gate_count: usize, min_delta: usize) -> Self {
Self {
name: self.name.clone(),
level: self.level,
enter_gate_count: self.enter_gate_count,
exit_gate_count: self.exit_gate_count,
children: self
@ -100,7 +108,8 @@ impl ContextTree {
fn print_helper(&self, current_gate_count: usize, depth: usize) {
let prefix = "| ".repeat(depth);
debug!(
log!(
self.level,
"{}{} gates to {}",
prefix,
self.gate_count_delta(current_gate_count),
@ -114,9 +123,16 @@ impl ContextTree {
/// Creates a named scope; useful for debugging.
#[macro_export]
macro_rules! context {
macro_rules! with_context {
($builder:expr, $level:expr, $ctx:expr, $exp:expr) => {{
$builder.push_context($level, $ctx);
let res = $exp;
$builder.pop_context();
res
}};
// If no context is specified, default to Debug.
($builder:expr, $ctx:expr, $exp:expr) => {{
$builder.push_context($ctx);
$builder.push_context(log::Level::Debug, $ctx);
let res = $exp;
$builder.pop_context();
res

7
src/field/extension_field/target.rs
View File

@ -115,6 +115,13 @@ impl<F: Extendable<D>, const D: usize> CircuitBuilder<F, D> {
arr[0] = t;
ExtensionTarget(arr)
}
pub fn convert_to_ext_algebra(&mut self, et: ExtensionTarget<D>) -> ExtensionAlgebraTarget<D> {
let zero = self.zero_extension();
let mut arr = [zero; D];
arr[0] = et;
ExtensionAlgebraTarget(arr)
}
}
/// Flatten the slice by sending every extension target to its D-sized canonical representation.

68
src/fri/recursive_verifier.rs
View File

@ -1,6 +1,5 @@
use crate::circuit_builder::CircuitBuilder;
use crate::circuit_data::CommonCircuitData;
use crate::context;
use crate::field::extension_field::target::{flatten_target, ExtensionTarget};
use crate::field::extension_field::Extendable;
use crate::field::field::Field;
@ -11,8 +10,9 @@ use crate::proof::{
FriInitialTreeProofTarget, FriProofTarget, FriQueryRoundTarget, HashTarget, OpeningSetTarget,
};
use crate::target::Target;
use crate::util::scaling::ReducingFactorTarget;
use crate::util::reducing::ReducingFactorTarget;
use crate::util::{log2_strict, reverse_index_bits_in_place};
use crate::with_context;
impl<F: Extendable<D>, const D: usize> CircuitBuilder<F, D> {
/// Computes P'(x^arity) from {P(x*g^i)}_(i=0..arity), where g is a `arity`-th root of unity
@ -25,18 +25,19 @@ impl<F: Extendable<D>, const D: usize> CircuitBuilder<F, D> {
last_evals: &[ExtensionTarget<D>],
beta: ExtensionTarget<D>,
) -> ExtensionTarget<D> {
debug_assert_eq!(last_evals.len(), 1 << arity_bits);
let arity = 1 << arity_bits;
debug_assert_eq!(last_evals.len(), arity);
let g = F::primitive_root_of_unity(arity_bits);
let gt = self.constant(g);
let g_inv = g.exp((arity as u64) - 1);
let g_inv_t = self.constant(g_inv);
// The evaluation vector needs to be reordered first.
let mut evals = last_evals.to_vec();
reverse_index_bits_in_place(&mut evals);
// Want `g^(arity - rev_old_x_index)` as in the out-of-circuit version.
// Compute it as `g^(arity-1-rev_old_x_index) * g`, where the first term is gotten using two's complement.
let start = self.exp_from_complement_bits(gt, old_x_index_bits.iter().rev());
let coset_start = self.mul_many(&[start, gt, x]);
// Want `g^(arity - rev_old_x_index)` as in the out-of-circuit version. Compute it as `(g^-1)^rev_old_x_index`.
let start = self.exp_from_bits(g_inv_t, old_x_index_bits.iter().rev());
let coset_start = self.mul(start, x);
// The answer is gotten by interpolating {(x*g^i, P(x*g^i))} and evaluating at beta.
let points = g
@ -92,7 +93,7 @@ impl<F: Extendable<D>, const D: usize> CircuitBuilder<F, D> {
// Size of the LDE domain.
let n = proof.final_poly.len() << (total_arities + config.rate_bits);
let betas = context!(
let betas = with_context!(
self,
"recover the random betas used in the FRI reductions.",
proof
@ -106,7 +107,7 @@ impl<F: Extendable<D>, const D: usize> CircuitBuilder<F, D> {
);
challenger.observe_extension_elements(&proof.final_poly.0);
context!(
with_context!(
self,
"check PoW",
self.fri_verify_proof_of_work(proof, challenger, &config.fri_config)
@ -123,12 +124,27 @@ impl<F: Extendable<D>, const D: usize> CircuitBuilder<F, D> {
"Number of reductions should be non-zero."
);
let precomputed_reduced_evals =
PrecomputedReducedEvalsTarget::from_os_and_alpha(os, alpha, self);
let precomputed_reduced_evals = with_context!(
self,
"precompute reduced evaluations",
PrecomputedReducedEvalsTarget::from_os_and_alpha(os, alpha, self)
);
for (i, round_proof) in proof.query_round_proofs.iter().enumerate() {
context!(
// To minimize noise in our logs, we will only record a context for a single FRI query.
// The very first query will have some extra gates due to constants being registered, so
// the second query is a better representative.
let level = if i == 1 {
log::Level::Debug
} else {
log::Level::Trace
};
let num_queries = proof.query_round_proofs.len();
with_context!(
self,
&format!("verify {}'th FRI query", i),
level,
&format!("verify one (of {}) query rounds", num_queries),
self.fri_verifier_query_round(
zeta,
alpha,
@ -157,7 +173,7 @@ impl<F: Extendable<D>, const D: usize> CircuitBuilder<F, D> {
.zip(initial_merkle_roots)
.enumerate()
{
context!(
with_context!(
self,
&format!("verify {}'th initial Merkle proof", i),
self.verify_merkle_proof(evals.clone(), x_index_bits, root, merkle_proof)
@ -197,9 +213,9 @@ impl<F: Extendable<D>, const D: usize> CircuitBuilder<F, D> {
&proof.unsalted_evals(PlonkPolynomials::ZS_PARTIAL_PRODUCTS, config.zero_knowledge)
[common_data.partial_products_range()],
)
.map(|&e| self.convert_to_ext(e))
.copied()
.collect::<Vec<_>>();
let single_composition_eval = alpha.reduce(&single_evals, self);
let single_composition_eval = alpha.reduce_base(&single_evals, self);
let single_numerator =
self.sub_extension(single_composition_eval, precomputed_reduced_evals.single);
let single_denominator = self.sub_extension(subgroup_x, zeta);
@ -212,9 +228,9 @@ impl<F: Extendable<D>, const D: usize> CircuitBuilder<F, D> {
.unsalted_evals(PlonkPolynomials::ZS_PARTIAL_PRODUCTS, config.zero_knowledge)
.iter()
.take(common_data.zs_range().end)
.map(|&e| self.convert_to_ext(e))
.copied()
.collect::<Vec<_>>();
let zs_composition_eval = alpha.reduce(&zs_evals, self);
let zs_composition_eval = alpha.reduce_base(&zs_evals, self);
let g = self.constant_extension(F::Extension::primitive_root_of_unity(degree_log));
let zeta_right = self.mul_extension(g, zeta);
@ -255,7 +271,7 @@ impl<F: Extendable<D>, const D: usize> CircuitBuilder<F, D> {
let x_index = challenger.get_challenge(self);
let mut x_index_bits = self.low_bits(x_index, n_log, 64);
let mut domain_size = n;
context!(
with_context!(
self,
"check FRI initial proof",
self.fri_verify_initial_proof(
@ -267,7 +283,7 @@ impl<F: Extendable<D>, const D: usize> CircuitBuilder<F, D> {
let mut old_x_index_bits = Vec::new();
// `subgroup_x` is `subgroup[x_index]`, i.e., the actual field element in the domain.
let mut subgroup_x = context!(self, "compute x from its index", {
let mut subgroup_x = with_context!(self, "compute x from its index", {
let g = self.constant(F::MULTIPLICATIVE_GROUP_GENERATOR);
let phi = self.constant(F::primitive_root_of_unity(n_log));
@ -279,7 +295,7 @@ impl<F: Extendable<D>, const D: usize> CircuitBuilder<F, D> {
for (i, &arity_bits) in config.reduction_arity_bits.iter().enumerate() {
let next_domain_size = domain_size >> arity_bits;
let e_x = if i == 0 {
context!(
with_context!(
self,
"combine initial oracles",
self.fri_combine_initial(
@ -294,7 +310,7 @@ impl<F: Extendable<D>, const D: usize> CircuitBuilder<F, D> {
} else {
let last_evals = &evaluations[i - 1];
// Infer P(y) from {P(x)}_{x^arity=y}.
context!(
with_context!(
self,
"infer evaluation using interpolation",
self.compute_evaluation(
@ -312,7 +328,7 @@ impl<F: Extendable<D>, const D: usize> CircuitBuilder<F, D> {
old_x_index_bits = x_index_bits;
let low_x_index = self.le_sum(old_x_index_bits.iter());
evals = self.insert(low_x_index, e_x, evals);
context!(
with_context!(
self,
"verify FRI round Merkle proof.",
self.verify_merkle_proof(
@ -334,7 +350,7 @@ impl<F: Extendable<D>, const D: usize> CircuitBuilder<F, D> {
let last_evals = evaluations.last().unwrap();
let final_arity_bits = *config.reduction_arity_bits.last().unwrap();
let purported_eval = context!(
let purported_eval = with_context!(
self,
"infer final evaluation using interpolation",
self.compute_evaluation(
@ -349,7 +365,7 @@ impl<F: Extendable<D>, const D: usize> CircuitBuilder<F, D> {
// Final check of FRI. After all the reductions, we check that the final polynomial is equal
// to the one sent by the prover.
let eval = context!(
let eval = with_context!(
self,
"evaluate final polynomial",
proof.final_poly.eval_scalar(self, subgroup_x)

2
src/fri/verifier.rs
View File

@ -10,7 +10,7 @@ use crate::merkle_proofs::verify_merkle_proof;
use crate::plonk_challenger::Challenger;
use crate::plonk_common::PlonkPolynomials;
use crate::proof::{FriInitialTreeProof, FriProof, FriQueryRound, Hash, OpeningSet};
use crate::util::scaling::ReducingFactor;
use crate::util::reducing::ReducingFactor;
use crate::util::{log2_strict, reverse_bits, reverse_index_bits_in_place};
/// Computes P'(x^arity) from {P(x*g^i)}_(i=0..arity), where g is a `arity`-th root of unity

21
src/gadgets/arithmetic.rs
View File

@ -188,27 +188,6 @@ impl<F: Extendable<D>, const D: usize> CircuitBuilder<F, D> {
product
}
// TODO: Optimize this, maybe with a new gate.
// TODO: Test
/// Exponentiate `base` to the power of `2^bit_length-1-exponent`, given by its little-endian bits.
pub fn exp_from_complement_bits(
&mut self,
base: Target,
exponent_bits: impl Iterator<Item = impl Borrow<Target>>,
) -> Target {
let mut current = base;
let one = self.one();
let mut product = one;
for bit in exponent_bits {
let multiplicand = self.select(*bit.borrow(), one, current);
product = self.mul(product, multiplicand);
current = self.mul(current, current);
}
product
}
// TODO: Optimize this, maybe with a new gate.
// TODO: Test
/// Exponentiate `base` to the power of `exponent`, where `exponent < 2^num_bits`.

6
src/gates/gate_testing.rs
View File

@ -36,6 +36,12 @@ pub(crate) fn test_low_degree<F: Extendable<D>, G: Gate<F, D>, const D: usize>(g
.map(|p| p.degree())
.collect::<Vec<_>>();
assert_eq!(
constraint_eval_degrees.len(),
gate.num_constraints(),
"eval should return num_constraints() constraints"
);
let expected_eval_degree = WITNESS_DEGREE * gate.degree();
assert!(

1
src/gates/mod.rs
View File

@ -12,6 +12,7 @@ pub mod insertion;
pub mod interpolation;
pub(crate) mod noop;
pub(crate) mod public_input;
pub mod reducing;
#[cfg(test)]
mod gate_testing;

225
src/gates/reducing.rs Normal file
View File

@ -0,0 +1,225 @@
use std::ops::Range;
use crate::circuit_builder::CircuitBuilder;
use crate::field::extension_field::target::ExtensionTarget;
use crate::field::extension_field::Extendable;
use crate::field::extension_field::FieldExtension;
use crate::gates::gate::Gate;
use crate::generator::{GeneratedValues, SimpleGenerator, WitnessGenerator};
use crate::target::Target;
use crate::vars::{EvaluationTargets, EvaluationVars, EvaluationVarsBase};
use crate::witness::PartialWitness;
/// Computes `sum alpha^i c_i` for a vector `c_i` of `num_coeffs` elements of the base field.
#[derive(Debug, Clone)]
pub struct ReducingGate<const D: usize> {
pub num_coeffs: usize,
}
impl<const D: usize> ReducingGate<D> {
pub fn new(num_coeffs: usize) -> Self {
Self { num_coeffs }
}
pub fn max_coeffs_len(num_wires: usize, num_routed_wires: usize) -> usize {
(num_routed_wires - 3 * D).min((num_wires - 2 * D) / (D + 1))
}
pub fn wires_output() -> Range<usize> {
0..D
}
pub fn wires_alpha() -> Range<usize> {
D..2 * D
}
pub fn wires_old_acc() -> Range<usize> {
2 * D..3 * D
}
const START_COEFFS: usize = 3 * D;
pub fn wires_coeffs(&self) -> Range<usize> {
Self::START_COEFFS..Self::START_COEFFS + self.num_coeffs
}
fn start_accs(&self) -> usize {
Self::START_COEFFS + self.num_coeffs
}
fn wires_accs(&self, i: usize) -> Range<usize> {
if i == self.num_coeffs - 1 {
// The last accumulator is the output.
return Self::wires_output();
}
self.start_accs() + D * i..self.start_accs() + D * (i + 1)
}
}
impl<F: Extendable<D>, const D: usize> Gate<F, D> for ReducingGate<D> {
fn id(&self) -> String {
format!("{:?}", self)
}
fn eval_unfiltered(&self, vars: EvaluationVars<F, D>) -> Vec<F::Extension> {
let alpha = vars.get_local_ext_algebra(Self::wires_alpha());
let old_acc = vars.get_local_ext_algebra(Self::wires_old_acc());
let coeffs = self
.wires_coeffs()
.map(|i| vars.local_wires[i])
.collect::<Vec<_>>();
let accs = (0..self.num_coeffs)
.map(|i| vars.get_local_ext_algebra(self.wires_accs(i)))
.collect::<Vec<_>>();
let mut constraints = Vec::new();
let mut acc = old_acc;
for i in 0..self.num_coeffs {
constraints.push(acc * alpha + coeffs[i].into() - accs[i]);
acc = accs[i];
}
constraints
.into_iter()
.flat_map(|alg| alg.to_basefield_array())
.collect()
}
fn eval_unfiltered_base(&self, vars: EvaluationVarsBase<F>) -> Vec<F> {
let alpha = vars.get_local_ext(Self::wires_alpha());
let old_acc = vars.get_local_ext(Self::wires_old_acc());
let coeffs = self
.wires_coeffs()
.map(|i| vars.local_wires[i])
.collect::<Vec<_>>();
let accs = (0..self.num_coeffs)
.map(|i| vars.get_local_ext(self.wires_accs(i)))
.collect::<Vec<_>>();
let mut constraints = Vec::new();
let mut acc = old_acc;
for i in 0..self.num_coeffs {
constraints.push(acc * alpha + coeffs[i].into() - accs[i]);
acc = accs[i];
}
constraints
.into_iter()
.flat_map(|alg| alg.to_basefield_array())
.collect()
}
fn eval_unfiltered_recursively(
&self,
builder: &mut CircuitBuilder<F, D>,
vars: EvaluationTargets<D>,
) -> Vec<ExtensionTarget<D>> {
let alpha = vars.get_local_ext_algebra(Self::wires_alpha());
let old_acc = vars.get_local_ext_algebra(Self::wires_old_acc());
let coeffs = self
.wires_coeffs()
.map(|i| vars.local_wires[i])
.collect::<Vec<_>>();
let accs = (0..self.num_coeffs)
.map(|i| vars.get_local_ext_algebra(self.wires_accs(i)))
.collect::<Vec<_>>();
let mut constraints = Vec::new();
let mut acc = old_acc;
for i in 0..self.num_coeffs {
let mut tmp = builder.mul_ext_algebra(acc, alpha);
let coeff = builder.convert_to_ext_algebra(coeffs[i]);
tmp = builder.add_ext_algebra(tmp, coeff);
tmp = builder.sub_ext_algebra(tmp, accs[i]);
constraints.push(tmp);
acc = accs[i];
}
constraints
.into_iter()
.flat_map(|alg| alg.to_ext_target_array())
.collect()
}
fn generators(
&self,
gate_index: usize,
_local_constants: &[F],
) -> Vec<Box<dyn WitnessGenerator<F>>> {
vec![Box::new(ReducingGenerator {
gate_index,
gate: self.clone(),
})]
}
fn num_wires(&self) -> usize {
2 * D + self.num_coeffs * (D + 1)
}
fn num_constants(&self) -> usize {
0
}
fn degree(&self) -> usize {
2
}
fn num_constraints(&self) -> usize {
D * self.num_coeffs
}
}
struct ReducingGenerator<const D: usize> {
gate_index: usize,
gate: ReducingGate<D>,
}
impl<F: Extendable<D>, const D: usize> SimpleGenerator<F> for ReducingGenerator<D> {
fn dependencies(&self) -> Vec<Target> {
ReducingGate::<D>::wires_alpha()
.chain(ReducingGate::<D>::wires_old_acc())
.chain(self.gate.wires_coeffs())
.map(|i| Target::wire(self.gate_index, i))
.collect()
}
fn run_once(&self, witness: &PartialWitness<F>) -> GeneratedValues<F> {
let extract_extension = |range: Range<usize>| -> F::Extension {
let t = ExtensionTarget::from_range(self.gate_index, range);
witness.get_extension_target(t)
};
let alpha = extract_extension(ReducingGate::<D>::wires_alpha());
let old_acc = extract_extension(ReducingGate::<D>::wires_old_acc());
let coeffs = witness.get_targets(
&self
.gate
.wires_coeffs()
.map(|i| Target::wire(self.gate_index, i))
.collect::<Vec<_>>(),
);
let accs = (0..self.gate.num_coeffs)
.map(|i| ExtensionTarget::from_range(self.gate_index, self.gate.wires_accs(i)))
.collect::<Vec<_>>();
let output =
ExtensionTarget::from_range(self.gate_index, ReducingGate::<D>::wires_output());
let mut result = GeneratedValues::<F>::with_capacity(self.gate.num_coeffs + 1);
let mut acc = old_acc;
for i in 0..self.gate.num_coeffs {
let computed_acc = acc * alpha + coeffs[i].into();
result.set_extension_target(accs[i], computed_acc);
acc = computed_acc;
}
result.set_extension_target(output, acc);
result
}
}
#[cfg(test)]
mod tests {
use crate::field::crandall_field::CrandallField;
use crate::gates::gate_testing::test_low_degree;
use crate::gates::reducing::ReducingGate;
#[test]
fn low_degree() {
type F = CrandallField;
test_low_degree::<CrandallField, _, 4>(ReducingGate::new(22));
}
}

2
src/plonk_challenger.rs
View File

@ -393,7 +393,7 @@ mod tests {
}
let config = CircuitConfig {
num_wires: 12 + 12 + 3 + 101,
num_wires: 12 + 12 + 1 + 101,
num_routed_wires: 27,
..CircuitConfig::default()
};

6
src/polynomial/commitment.rs
View File

@ -4,7 +4,6 @@ use serde::{Deserialize, Serialize};
use crate::circuit_builder::CircuitBuilder;
use crate::circuit_data::CommonCircuitData;
use crate::context;
use crate::field::extension_field::target::ExtensionTarget;
use crate::field::extension_field::Extendable;
use crate::field::field::Field;
@ -15,8 +14,9 @@ use crate::plonk_common::PlonkPolynomials;
use crate::polynomial::polynomial::{PolynomialCoeffs, PolynomialValues};
use crate::proof::{FriProof, FriProofTarget, Hash, HashTarget, OpeningSet, OpeningSetTarget};
use crate::timed;
use crate::util::scaling::ReducingFactor;
use crate::util::reducing::ReducingFactor;
use crate::util::{log2_ceil, log2_strict, reverse_bits, reverse_index_bits_in_place, transpose};
use crate::with_context;
/// Two (~64 bit) field elements gives ~128 bit security.
pub const SALT_SIZE: usize = 2;
@ -283,7 +283,7 @@ impl<const D: usize> OpeningProofTarget<D> {
let alpha = challenger.get_extension_challenge(builder);
context!(
with_context!(
builder,
"verify FRI proof",
builder.verify_fri_proof(

84
src/recursive_verifier.rs
View File

@ -1,12 +1,12 @@
use crate::circuit_builder::CircuitBuilder;
use crate::circuit_data::{CircuitConfig, CommonCircuitData, VerifierCircuitTarget};
use crate::context;
use crate::field::extension_field::Extendable;
use crate::plonk_challenger::RecursiveChallenger;
use crate::proof::{HashTarget, ProofWithPublicInputsTarget};
use crate::util::scaling::ReducingFactorTarget;
use crate::util::reducing::ReducingFactorTarget;
use crate::vanishing_poly::eval_vanishing_poly_recursively;
use crate::vars::EvaluationTargets;
use crate::with_context;
const MIN_WIRES: usize = 120; // TODO: Double check.
const MIN_ROUTED_WIRES: usize = 28; // TODO: Double check.
@ -35,7 +35,7 @@ impl<F: Extendable<D>, const D: usize> CircuitBuilder<F, D> {
let mut challenger = RecursiveChallenger::new(self);
let (betas, gammas, alphas, zeta) =
context!(self, "observe proof and generates challenges", {
with_context!(self, "observe proof and generates challenges", {
// Observe the instance.
let digest = HashTarget::from_vec(
self.constants(&inner_common_data.circuit_digest.elements),
@ -69,7 +69,7 @@ impl<F: Extendable<D>, const D: usize> CircuitBuilder<F, D> {
let partial_products = &proof.openings.partial_products;
let zeta_pow_deg = self.exp_power_of_2_extension(zeta, inner_common_data.degree_bits);
let vanishing_polys_zeta = context!(
let vanishing_polys_zeta = with_context!(
self,
"evaluate the vanishing polynomial at our challenge point, zeta.",
eval_vanishing_poly_recursively(
@ -88,7 +88,7 @@ impl<F: Extendable<D>, const D: usize> CircuitBuilder<F, D> {
)
);
context!(self, "check vanishing and quotient polynomials.", {
with_context!(self, "check vanishing and quotient polynomials.", {
let quotient_polys_zeta = &proof.openings.quotient_polys;
let mut scale = ReducingFactorTarget::new(zeta_pow_deg);
let z_h_zeta = self.sub_extension(zeta_pow_deg, one);
@ -381,7 +381,7 @@ mod tests {
let mut builder = CircuitBuilder::<F, D>::new(config.clone());
let _two = builder.two();
let _two = builder.hash_n_to_hash(vec![_two], true).elements[0];
for _ in 0..5000 {
for _ in 0..10000 {
let _two = builder.mul(_two, _two);
}
let data = builder.build();
@ -411,4 +411,76 @@ mod tests {
verify(recursive_proof, &data.verifier_only, &data.common)
}
#[test]
#[ignore]
fn test_recursive_recursive_verifier() -> Result<()> {
env_logger::init();
type F = CrandallField;
const D: usize = 4;
let config = CircuitConfig {
num_wires: 126,
num_routed_wires: 33,
security_bits: 128,
rate_bits: 3,
num_challenges: 3,
zero_knowledge: false,
fri_config: FriConfig {
proof_of_work_bits: 1,
reduction_arity_bits: vec![2, 2, 2, 2, 2, 2],
num_query_rounds: 40,
},
};
let (proof_with_pis, vd, cd) = {
let (proof_with_pis, vd, cd) = {
let mut builder = CircuitBuilder::<F, D>::new(config.clone());
let _two = builder.two();
let _two = builder.hash_n_to_hash(vec![_two], true).elements[0];
for _ in 0..10000 {
let _two = builder.mul(_two, _two);
}
let data = builder.build();
(
data.prove(PartialWitness::new())?,
data.verifier_only,
data.common,
)
};
verify(proof_with_pis.clone(), &vd, &cd)?;
let mut builder = CircuitBuilder::<F, D>::new(config.clone());
let mut pw = PartialWitness::new();
let pt = proof_to_proof_target(&proof_with_pis, &mut builder);
set_proof_target(&proof_with_pis, &pt, &mut pw);
let inner_data = VerifierCircuitTarget {
constants_sigmas_root: builder.add_virtual_hash(),
};
pw.set_hash_target(inner_data.constants_sigmas_root, vd.constants_sigmas_root);
builder.add_recursive_verifier(pt, &config, &inner_data, &cd);
let data = builder.build();
let recursive_proof = data.prove(pw)?;
(recursive_proof, data.verifier_only, data.common)
};
verify(proof_with_pis.clone(), &vd, &cd)?;
let mut builder = CircuitBuilder::<F, D>::new(config.clone());
let mut pw = PartialWitness::new();
let pt = proof_to_proof_target(&proof_with_pis, &mut builder);
set_proof_target(&proof_with_pis, &pt, &mut pw);
let inner_data = VerifierCircuitTarget {
constants_sigmas_root: builder.add_virtual_hash(),
};
pw.set_hash_target(inner_data.constants_sigmas_root, vd.constants_sigmas_root);
builder.add_recursive_verifier(pt, &config, &inner_data, &cd);
builder.print_gate_counts(0);
let data = builder.build();
let recursive_proof = data.prove(pw)?;
verify(recursive_proof, &data.verifier_only, &data.common)
}
}

2
src/util/mod.rs
View File

@ -1,6 +1,6 @@
pub mod marking;
pub mod partial_products;
pub mod scaling;
pub mod reducing;
pub(crate) mod timing;
use crate::field::field::Field;

78
src/util/scaling.rs → src/util/reducing.rs
View File

@ -7,7 +7,9 @@ use crate::field::extension_field::target::ExtensionTarget;
use crate::field::extension_field::{Extendable, Frobenius};
use crate::field::field::Field;
use crate::gates::arithmetic::ArithmeticExtensionGate;
use crate::gates::reducing::ReducingGate;
use crate::polynomial::polynomial::PolynomialCoeffs;
use crate::target::Target;
/// When verifying the composition polynomial in FRI we have to compute sums of the form
/// `(sum_0^k a^i * x_i)/d_0 + (sum_k^r a^i * y_i)/d_1`
@ -90,6 +92,50 @@ impl<const D: usize> ReducingFactorTarget<D> {
Self { base, count: 0 }
}
/// Reduces a length `n` vector of `Target`s using `n/21` `ReducingGate`s (with 33 routed wires and 126 wires).
pub fn reduce_base<F>(
&mut self,
terms: &[Target],
builder: &mut CircuitBuilder<F, D>,
) -> ExtensionTarget<D>
where
F: Extendable<D>,
{
let max_coeffs_len = ReducingGate::<D>::max_coeffs_len(
builder.config.num_wires,
builder.config.num_routed_wires,
);
self.count += terms.len() as u64;
let zero = builder.zero();
let zero_ext = builder.zero_extension();
let mut acc = zero_ext;
let mut reversed_terms = terms.to_vec();
while reversed_terms.len() % max_coeffs_len != 0 {
reversed_terms.push(zero);
}
reversed_terms.reverse();
for chunk in reversed_terms.chunks_exact(max_coeffs_len) {
let gate = ReducingGate::new(max_coeffs_len);
let gate_index = builder.add_gate(gate.clone(), Vec::new());
builder.route_extension(
self.base,
ExtensionTarget::from_range(gate_index, ReducingGate::<D>::wires_alpha()),
);
builder.route_extension(
acc,
ExtensionTarget::from_range(gate_index, ReducingGate::<D>::wires_old_acc()),
);
for (&t, c) in chunk.iter().zip(gate.wires_coeffs()) {
builder.route(t, Target::wire(gate_index, c));
}
acc = ExtensionTarget::from_range(gate_index, ReducingGate::<D>::wires_output());
}
acc
}
/// Reduces a length `n` vector of `ExtensionTarget`s using `n/2` `ArithmeticExtensionGate`s.
/// It does this by batching two steps of Horner's method in each gate.
/// Here's an example with `n=4, alpha=2, D=1`:
@ -182,6 +228,33 @@ mod tests {
use crate::verifier::verify;
use crate::witness::PartialWitness;
fn test_reduce_gadget_base(n: usize) -> Result<()> {
type F = CrandallField;
type FF = QuarticCrandallField;
const D: usize = 4;
let config = CircuitConfig::large_config();
let mut builder = CircuitBuilder::<F, D>::new(config);
let alpha = FF::rand();
let vs = F::rand_vec(n);
let manual_reduce = ReducingFactor::new(alpha).reduce(vs.iter().map(|&v| FF::from(v)));
let manual_reduce = builder.constant_extension(manual_reduce);
let mut alpha_t = ReducingFactorTarget::new(builder.constant_extension(alpha));
let vs_t = vs.iter().map(|&v| builder.constant(v)).collect::<Vec<_>>();
let circuit_reduce = alpha_t.reduce_base(&vs_t, &mut builder);
builder.assert_equal_extension(manual_reduce, circuit_reduce);
let data = builder.build();
let proof = data.prove(PartialWitness::new())?;
verify(proof, &data.verifier_only, &data.common)
}
fn test_reduce_gadget(n: usize) -> Result<()> {
type F = CrandallField;
type FF = QuarticCrandallField;
@ -221,4 +294,9 @@ mod tests {
fn test_reduce_gadget_odd() -> Result<()> {
test_reduce_gadget(11)
}
#[test]
fn test_reduce_gadget_base_100() -> Result<()> {
test_reduce_gadget_base(100)
}
}

8
src/vanishing_poly.rs
View File

@ -1,6 +1,5 @@
use crate::circuit_builder::CircuitBuilder;
use crate::circuit_data::CommonCircuitData;
use crate::context;
use crate::field::extension_field::target::ExtensionTarget;
use crate::field::extension_field::Extendable;
use crate::field::field::Field;
@ -9,8 +8,9 @@ use crate::plonk_common;
use crate::plonk_common::{eval_l_1_recursively, ZeroPolyOnCoset};
use crate::target::Target;
use crate::util::partial_products::{check_partial_products, check_partial_products_recursively};
use crate::util::scaling::ReducingFactorTarget;
use crate::util::reducing::ReducingFactorTarget;
use crate::vars::{EvaluationTargets, EvaluationVars, EvaluationVarsBase};
use crate::with_context;
/// Evaluate the vanishing polynomial at `x`. In this context, the vanishing polynomial is a random
/// linear combination of gate constraints, plus some other terms relating to the permutation
@ -236,7 +236,7 @@ pub fn evaluate_gate_constraints_recursively<F: Extendable<D>, const D: usize>(
) -> Vec<ExtensionTarget<D>> {
let mut constraints = vec![builder.zero_extension(); num_gate_constraints];
for gate in gates {
let gate_constraints = context!(
let gate_constraints = with_context!(
builder,
&format!("evaluate {} constraints", gate.gate.0.id()),
gate.gate
@ -270,7 +270,7 @@ pub(crate) fn eval_vanishing_poly_recursively<F: Extendable<D>, const D: usize>(
let max_degree = common_data.quotient_degree_factor;
let (num_prods, final_num_prod) = common_data.num_partial_products;
let constraint_terms = context!(
let constraint_terms = with_context!(
builder,
"evaluate gate constraints",
evaluate_gate_constraints_recursively(