diff --git a/src/circuit_data.rs b/src/circuit_data.rs index 3dc2d64d..aa734650 100644 --- a/src/circuit_data.rs +++ b/src/circuit_data.rs @@ -179,7 +179,7 @@ impl, const D: usize> CommonCircuitData { } pub fn quotient_degree(&self) -> usize { - 1 << self.max_filtered_constraint_degree_bits - 1 + ((1 << self.max_filtered_constraint_degree_bits) - 1) * self.degree() } pub fn total_constraints(&self) -> usize { diff --git a/src/field/extension_field/quadratic.rs b/src/field/extension_field/quadratic.rs index 4dc712af..af21ad60 100644 --- a/src/field/extension_field/quadratic.rs +++ b/src/field/extension_field/quadratic.rs @@ -194,7 +194,7 @@ impl DivAssign for QuadraticCrandallField { #[cfg(test)] mod tests { use crate::field::extension_field::quadratic::QuadraticCrandallField; - use crate::field::extension_field::{FieldExtension, Frobenius, OEF}; + use crate::field::extension_field::{FieldExtension, Frobenius}; use crate::field::field::Field; #[test] diff --git a/src/polynomial/commitment.rs b/src/polynomial/commitment.rs index b11e1ca2..5cd1f219 100644 --- a/src/polynomial/commitment.rs +++ b/src/polynomial/commitment.rs @@ -12,7 +12,7 @@ use crate::plonk_common::{reduce_polys_with_iter, reduce_with_iter}; use crate::polynomial::polynomial::{PolynomialCoeffs, PolynomialValues}; use crate::proof::{FriProof, FriProofTarget, Hash, OpeningSet}; use crate::timed; -use crate::util::{log2_strict, reverse_bits, reverse_index_bits_in_place, transpose}; +use crate::util::{log2_strict, reverse_index_bits_in_place, transpose}; pub const SALT_SIZE: usize = 2; @@ -107,7 +107,7 @@ impl ListPolynomialCommitment { .collect() } - pub fn original_value(&self, index: usize) -> Vec { + pub fn original_values(&self, index: usize) -> Vec { self.values.iter().map(|v| v.values[index]).collect() } diff --git a/src/polynomial/polynomial.rs b/src/polynomial/polynomial.rs index 9f605051..0660be1a 100644 --- a/src/polynomial/polynomial.rs +++ b/src/polynomial/polynomial.rs 
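Review bot: `quotient_degree` in `src/circuit_data.rs` changes its return value substantially but has no doc comment saying what the number means, and nothing here shows that its callers were re-checked. The old body parsed as `1 << (bits - 1)` because `-` binds tighter than `<<` in Rust, so the new parentheses change both the formula and the magnitude of the result. I would add something like `/// (2^max_filtered_constraint_degree_bits - 1) * degree; presumably the degree bound used when the quotient is split into degree-sized chunks.` and confirm that against the prover. The shift and the multiplication are plain `usize` arithmetic, which wraps silently in release builds, so state the assumed range of `max_filtered_constraint_degree_bits` or use `checked_mul`.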
@@ -128,7 +128,12 @@ impl PolynomialCoeffs { } pub(crate) fn padded(&self, new_len: usize) -> Self { - assert!(new_len >= self.len()); + assert!( + new_len >= self.len(), + "Trying to pad a polynomial of length {} to a length of {}.", + self.len(), + new_len + ); let mut coeffs = self.coeffs.clone(); coeffs.resize(new_len, F::ZERO); Self { coeffs } diff --git a/src/prover.rs b/src/prover.rs index 08362ac3..6371d1fd 100644 --- a/src/prover.rs +++ b/src/prover.rs @@ -6,17 +6,15 @@ use rayon::prelude::*; use crate::circuit_data::{CommonCircuitData, ProverOnlyCircuitData}; use crate::field::extension_field::Extendable; use crate::field::fft::ifft; -use crate::field::field::Field; use crate::generator::generate_partial_witness; use crate::plonk_challenger::Challenger; use crate::plonk_common::eval_vanishing_poly_base; use crate::polynomial::commitment::ListPolynomialCommitment; -use crate::polynomial::polynomial::{PolynomialCoeffs, PolynomialValues}; +use crate::polynomial::polynomial::PolynomialValues; use crate::proof::Proof; use crate::timed; use crate::util::transpose; use crate::vars::EvaluationVarsBase; -use crate::wire::Wire; use crate::witness::{PartialWitness, Witness}; /// Corresponds to constants - sigmas - wires - zs - quotient — polynomial commitments. @@ -104,7 +102,15 @@ pub(crate) fn prove, const D: usize>( .into_par_iter() .flat_map(|vanishing_poly| { let vanishing_poly_coeff = ifft(vanishing_poly); + // TODO: run `padded` when the division works. let quotient_poly_coeff = vanishing_poly_coeff.divide_by_z_h(degree); + let x = F::rand(); + assert!( + quotient_poly_coeff.eval(x) * (x.exp(degree as u64) - F::ONE) + != vanishing_poly_coeff.eval(x), + "That's good news, this should fail! The division by z_h doesn't work yet,\ + most likely because compute_vanishing_polys isn't complete (doesn't use filters for example)." + ); // Split t into degree-n chunks. quotient_poly_coeff.chunks(degree) }) 
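Review bot: The `assert!` added inside the `flat_map` closure of `prove` in `src/prover.rs` passes only while `divide_by_z_h` returns a wrong quotient, so the prover will panic on every call once the division is fixed. Until then it emits quotient chunks that are known not to satisfy `t(x) * Z_H(x) = vanishing(x)`, so proofs built from them should not be treated as valid. I would not ship an inverted check in the proving path: leave the `// TODO` and gate the known-broken state explicitly, then once the division works turn it into `debug_assert!(quotient_poly_coeff.eval(x) * (x.exp(degree as u64) - F::ONE) == vanishing_poly_coeff.eval(x))`. The `\` continuation in the message also swallows the newline and the following indentation, so it prints `yet,most likely`; put a space before the backslash. `prove` starts and ends outside this hunk.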
@@ -181,14 +187,14 @@ fn compute_z, const D: usize>( let x = subgroup[i - 1]; let mut numerator = F::ONE; let mut denominator = F::ONE; - let s_sigmas = prover_data.sigmas_commitment.original_value(i - 1); + let s_sigmas = prover_data.sigmas_commitment.original_values(i - 1); for j in 0..common_data.config.num_routed_wires { let wire_value = witness.get_wire(i - 1, j); let k_i = k_is[j]; let s_id = k_i * x; let s_sigma = s_sigmas[j]; - numerator = numerator * (wire_value + beta * s_id + gamma); - denominator = denominator * (wire_value + beta * s_sigma + gamma); + numerator *= wire_value + beta * s_id + gamma; + denominator *= wire_value + beta * s_sigma + gamma; } let last = *plonk_z_points.last().unwrap(); plonk_z_points.push(last * numerator / denominator); @@ -211,6 +217,7 @@ fn compute_vanishing_polys, const D: usize>( ); let lde_size = points.len(); + // Low-degree extend the polynomials commited in `comm` to the subgroup of size `lde_size`. let commitment_to_lde = |comm: &ListPolynomialCommitment| -> Vec> { comm.polynomials .iter() @@ -223,6 +230,7 @@ fn compute_vanishing_polys, const D: usize>( let wires_lde = commitment_to_lde(wires_commitment); let zs_lde = commitment_to_lde(plonk_zs_commitment); + // Retrieve the polynomial values at index `i`. let get_at_index = |ldes: &[PolynomialValues], i: usize| { ldes.iter().map(|l| l.values[i]).collect::>() }; diff --git a/src/witness.rs b/src/witness.rs index a870059b..ad810af8 100644 --- a/src/witness.rs +++ b/src/witness.rs @@ -1,7 +1,6 @@ use std::collections::HashMap; use std::convert::TryInto; -use crate::circuit_data::{CircuitConfig, CommonCircuitData}; use crate::field::extension_field::target::ExtensionTarget; use crate::field::extension_field::{Extendable, FieldExtension}; use crate::field::field::Field;
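Review bot: In `compute_z`, `plonk_z_points.push(last * numerator / denominator)` divides by a running product that is zero whenever any factor `wire_value + beta * s_sigma + gamma` is zero, and nothing in the loop checks for that. What the field's `Div` does with a zero divisor is not visible in this hunk, so the failure mode (panic or a silently wrong Z) should be made explicit, e.g. `assert!(denominator != F::ZERO, "zero denominator while computing Z");` before the push. Separately, `original_values(i - 1)` collects a fresh `Vec` for every row, and `k_is[j]` and `s_sigmas[j]` rely on both having at least `num_routed_wires` entries; a one-line comment stating that invariant would help. `compute_z` starts and ends outside this hunk.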
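Review bot: The comment added above `commitment_to_lde` in `compute_vanishing_polys` misspells "committed" as `commited`. While touching it, it would be worth saying which subgroup is meant, for example `// Low-degree extend the polynomials committed in `comm` to the subgroup of size `lde_size` (the length of `points`).`, since `lde_size` is defined as `points.len()` on the line just above.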