From ec3ab137c2eaa76d37e8321d97612d1711a3a598 Mon Sep 17 00:00:00 2001 From: adria0 Date: Fri, 18 Oct 2024 12:02:44 +0200 Subject: [PATCH] Remove binding from powerquery, fix docs --- book/src/SUMMARY.md | 1 - .../design/proving-system/inner-product.md | 2 - book/src/user/experimental-features.md | 10 +-- halo2_backend/src/helpers.rs | 1 - halo2_backend/src/plonk/lookup/prover.rs | 21 +---- halo2_backend/src/plonk/permutation/prover.rs | 14 +--- halo2_backend/src/plonk/prover.rs | 3 +- halo2_backend/src/plonk/shuffle/prover.rs | 8 +- halo2_backend/src/plonk/vanishing/prover.rs | 18 +--- halo2_backend/src/plonk/verifier.rs | 5 -- halo2_backend/src/plonk/verifier/batch.rs | 30 ------- halo2_backend/src/poly/multiopen_test.rs | 3 - halo2_backend/src/poly/query.rs | 12 +-- halo2_frontend/src/dev/cost_model.rs | 10 --- halo2_proofs/benches/plonk.rs | 9 +- halo2_proofs/tests/frontend_backend_split.rs | 4 +- halo2_proofs/tests/shuffle_api.rs | 84 ++++++++++--------- 17 files changed, 62 insertions(+), 173 deletions(-) delete mode 100644 halo2_backend/src/plonk/verifier/batch.rs diff --git a/book/src/SUMMARY.md b/book/src/SUMMARY.md index f234b2e4d2..ab65443b32 100644 --- a/book/src/SUMMARY.md +++ b/book/src/SUMMARY.md @@ -43,5 +43,4 @@ - [Polynomials](background/polynomials.md) - [Cryptographic groups](background/groups.md) - [Elliptic curves](background/curves.md) - - [Polynomial commitment using inner product argument](background/pc-ipa.md) - [Recursion](background/recursion.md) diff --git a/book/src/design/proving-system/inner-product.md b/book/src/design/proving-system/inner-product.md index 7ccc9b2fbf..41c4f440b7 100644 --- a/book/src/design/proving-system/inner-product.md +++ b/book/src/design/proving-system/inner-product.md 
@@ -3,8 +3,6 @@ Halo 2 uses a polynomial commitment scheme for which we can create polynomial commitment opening proofs, based around the Inner Product Argument. -> TODO: Explain Halo 2's variant of the IPA. -> > It is very similar to $\text{PC}_\text{DL}.\text{Open}$ from Appendix A.2 of [BCMS20]. > See [this comparison](comparison.md#bcms20-appendix-a2) for details. > diff --git a/book/src/user/experimental-features.md b/book/src/user/experimental-features.md index b64b9cbc2c..9196501814 100644 --- a/book/src/user/experimental-features.md +++ b/book/src/user/experimental-features.md @@ -4,11 +4,7 @@ In `privacy-scaling-explorations/halo2` fork we have implemented many experiment ## Commitment scheme abstraction -To support different kinds of polynomial commitment schemes, we've added a trait `CommitmentScheme` to allow create/verify proofs with different commitment scheme implementations, currently there are 2 available implementations in this fork: - -- [`IPACommitmentScheme`](https://privacy-scaling-explorations.github.io/halo2/halo2_proofs/poly/ipa/commitment/struct.IPACommitmentScheme.html) - - The original implementation from `zcash/halo2` with the original multi-open strategy `{Prover,Verifier}IPA` +To support different kinds of polynomial commitment schemes, we've added a trait `CommitmentScheme` to allow create/verify proofs with different commitment scheme implementations, currently there are one available implementations in this fork: - [`KZGCommitmentScheme`](https://privacy-scaling-explorations.github.io/halo2/halo2_proofs/poly/kzg/commitment/struct.KZGCommitmentScheme.html) 
@@ -20,10 +16,6 @@ To support different kinds of polynomial commitment schemes, we've added a trait When using `create_proof` and `verify_proof`, we need to specify the commitment scheme and multi-open strategy like: ```rust -// Using IPA -create_proof, ProverIPA<_>, _, _, _, _> -verify_proof, ProverIPA<_>, _, _, _> - // Using KZG with GWC19 multi-open strategy create_proof, ProverGWC<_>, _, _, _, _> verify_proof, ProverGWC<_>, _, _, _> diff --git a/halo2_backend/src/helpers.rs b/halo2_backend/src/helpers.rs index 3cd00b84ad..fa4936dffb 100644 --- a/halo2_backend/src/helpers.rs +++ b/halo2_backend/src/helpers.rs @@ -20,7 +20,6 @@ pub enum SerdeFormat { RawBytesUnchecked, } -// Keep this trait for compatibility with IPA serialization pub trait CurveRead: CurveAffine { /// Reads a compressed element from the buffer and attempts to parse it /// using `from_bytes`. diff --git a/halo2_backend/src/plonk/lookup/prover.rs b/halo2_backend/src/plonk/lookup/prover.rs index 9f25fe9f13..69535a7289 100644 --- a/halo2_backend/src/plonk/lookup/prover.rs +++ b/halo2_backend/src/plonk/lookup/prover.rs @@ -30,21 +30,16 @@ pub(in crate::plonk) struct Permuted { compressed_input_expression: Polynomial, permuted_input_expression: Polynomial, permuted_input_poly: Polynomial, - permuted_input_blind: Blind, compressed_table_expression: Polynomial, permuted_table_expression: Polynomial, permuted_table_poly: Polynomial, - permuted_table_blind: Blind, } #[derive(Debug)] pub(in crate::plonk) struct Committed { pub(in crate::plonk) permuted_input_poly: Polynomial, - permuted_input_blind: Blind, pub(in crate::plonk) permuted_table_poly: Polynomial, - permuted_table_blind: Blind, pub(in crate::plonk) product_poly: Polynomial, - product_blind: Blind, } pub(in crate::plonk) struct Evaluated { 
@@ -130,15 +125,15 @@ where let poly = pk.vk.domain.lagrange_to_coeff(values.clone()); let blind = Blind(C::Scalar::random(&mut rng)); let commitment = params.commit_lagrange(&engine.msm_backend, values, blind); - (poly, blind, commitment) + (poly, commitment) }; // Commit to permuted input expression - let (permuted_input_poly, permuted_input_blind, permuted_input_commitment_projective) = + let (permuted_input_poly, permuted_input_commitment_projective) = commit_values(&permuted_input_expression); // Commit to permuted table expression - let (permuted_table_poly, permuted_table_blind, permuted_table_commitment_projective) = + let (permuted_table_poly, permuted_table_commitment_projective) = commit_values(&permuted_table_expression); let [permuted_input_commitment, permuted_table_commitment] = { @@ -163,11 +158,9 @@ where compressed_input_expression, permuted_input_expression, permuted_input_poly, - permuted_input_blind, compressed_table_expression, permuted_table_expression, permuted_table_poly, - permuted_table_blind, }) } @@ -313,11 +306,8 @@ impl Permuted { Ok(Committed:: { permuted_input_poly: self.permuted_input_poly, - permuted_input_blind: self.permuted_input_blind, permuted_table_poly: self.permuted_table_poly, - permuted_table_blind: self.permuted_table_blind, product_poly: z, - product_blind, }) } } 
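Review bot: In hunk `@@ -130,15 +125,15` of halo2_backend/src/plonk/lookup/prover.rs, `commit_values` still runs `let blind = Blind(C::Scalar::random(&mut rng));` and passes it to `commit_lagrange`, but the closure no longer returns the value, so nothing later in the prover can refer to that factor. If the KZG `commit_lagrange` ignores its blind argument (not visible here), the draw is dead work whose only effect is advancing the RNG stream. If it does not ignore it, the commitment carries a factor that the opening can no longer account for. Either way the intent should be stated at the call, for example `// blind is not tracked: ProverQuery no longer carries a blinding factor`, or the draw replaced with `Blind::default()` if the commitment really is unblinded. The same question probably applies to `product_blind`, which the later hunks drop from `Committed` while its definition sits outside them; the enclosing function also starts and ends outside this hunk.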
@@ -368,31 +358,26 @@ impl Evaluated { .chain(Some(ProverQuery { point: *x, poly: &self.constructed.product_poly, - blind: self.constructed.product_blind, })) // Open lookup input commitments at x .chain(Some(ProverQuery { point: *x, poly: &self.constructed.permuted_input_poly, - blind: self.constructed.permuted_input_blind, })) // Open lookup table commitments at x .chain(Some(ProverQuery { point: *x, poly: &self.constructed.permuted_table_poly, - blind: self.constructed.permuted_table_blind, })) // Open lookup input commitments at x_inv .chain(Some(ProverQuery { point: x_inv, poly: &self.constructed.permuted_input_poly, - blind: self.constructed.permuted_input_blind, })) // Open lookup product commitments at x_next .chain(Some(ProverQuery { point: x_next, poly: &self.constructed.product_poly, - blind: self.constructed.product_blind, })) } } diff --git a/halo2_backend/src/plonk/permutation/prover.rs b/halo2_backend/src/plonk/permutation/prover.rs index 486da63b77..a3ae97f765 100644 --- a/halo2_backend/src/plonk/permutation/prover.rs +++ b/halo2_backend/src/plonk/permutation/prover.rs @@ -29,7 +29,6 @@ use halo2_middleware::poly::Rotation; /// It stores a single `Z_P` in [permutation argument specification](https://zcash.github.io/halo2/design/proving-system/permutation.html#argument-specification). pub(crate) struct CommittedSet { pub(crate) permutation_product_poly: Polynomial, - permutation_product_blind: Blind, } /// Set of permutation product polynomials, which have been **committed**. @@ -182,7 +181,6 @@ pub(in crate::plonk) fn permutation_commit< let permutation_product_commitment = params .commit_lagrange(&engine.msm_backend, &z, blind) .to_affine(); - let permutation_product_blind = blind; let permutation_product_poly = domain.lagrange_to_coeff(z); // Hash the permutation product commitment @@ -190,7 +188,6 @@ pub(in crate::plonk) fn permutation_commit< sets.push(CommittedSet { permutation_product_poly, - permutation_product_blind, }); } 
@@ -202,11 +199,9 @@ impl super::ProvingKey { &self, x: ChallengeX, ) -> impl Iterator> + Clone { - self.polys.iter().map(move |poly| ProverQuery { - point: *x, - poly, - blind: Blind::default(), - }) + self.polys + .iter() + .map(move |poly| ProverQuery { point: *x, poly }) } pub(in crate::plonk) fn evaluate, T: TranscriptWrite>( @@ -290,12 +285,10 @@ impl Evaluated { .chain(Some(ProverQuery { point: *x, poly: &set.permutation_product_poly, - blind: set.permutation_product_blind, })) .chain(Some(ProverQuery { point: x_next, poly: &set.permutation_product_poly, - blind: set.permutation_product_blind, })) })) // Open it at \omega^{last} x for all but the last set. This rotation is only @@ -311,7 +304,6 @@ impl Evaluated { Some(ProverQuery { point: x_last, poly: &set.permutation_product_poly, - blind: set.permutation_product_blind, }) }), ) diff --git a/halo2_backend/src/plonk/prover.rs b/halo2_backend/src/plonk/prover.rs index 3a0d93eea0..08538d81df 100644 --- a/halo2_backend/src/plonk/prover.rs +++ b/halo2_backend/src/plonk/prover.rs @@ -613,7 +613,6 @@ impl< .map(move |&(column, at)| ProverQuery { point: self.pk.vk.domain.rotate_omega(*x, at), poly: &advice.advice_polys[column.index], - blind: advice.advice_blinds[column.index], }), ) // Permutations @@ -633,7 +632,7 @@ impl< .map(|&(column, at)| ProverQuery { point: self.pk.vk.domain.rotate_omega(*x, at), poly: &self.pk.fixed_polys[column.index], - blind: Blind::default(), + // blind: Blind::default(), }), ) // Copy constraints diff --git a/halo2_backend/src/plonk/shuffle/prover.rs b/halo2_backend/src/plonk/shuffle/prover.rs index cc01a65255..b940f164a7 100644 --- a/halo2_backend/src/plonk/shuffle/prover.rs +++ b/halo2_backend/src/plonk/shuffle/prover.rs @@ -29,7 +29,6 @@ struct Compressed { #[derive(Debug)] pub(in crate::plonk) struct Committed { pub(in crate::plonk) product_poly: Polynomial, - product_blind: Blind, } pub(in crate::plonk) struct Evaluated { 
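Review bot: Hunk `@@ -633,7 +632,7` of halo2_backend/src/plonk/prover.rs leaves `// blind: Blind::default(),` behind as commented-out code inside the fixed-column `ProverQuery` literal, whereas every other call site in this commit deletes the field outright. Remove the comment line so the literal ends at `poly: &self.pk.fixed_polys[column.index],`. A stale reference to a field that no longer exists suggests the blind may still matter here. The enclosing method starts and ends outside the hunk.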
@@ -198,10 +197,7 @@ where // Hash product commitment transcript.write_point(product_commitment)?; - Ok(Committed:: { - product_poly: z, - product_blind, - }) + Ok(Committed:: { product_poly: z }) } impl Committed { @@ -242,13 +238,11 @@ impl Evaluated { .chain(Some(ProverQuery { point: *x, poly: &self.constructed.product_poly, - blind: self.constructed.product_blind, })) // Open shuffle product commitments at x_next .chain(Some(ProverQuery { point: x_next, poly: &self.constructed.product_poly, - blind: self.constructed.product_blind, })) } } diff --git a/halo2_backend/src/plonk/vanishing/prover.rs b/halo2_backend/src/plonk/vanishing/prover.rs index 96ce797ee4..691a55de61 100644 --- a/halo2_backend/src/plonk/vanishing/prover.rs +++ b/halo2_backend/src/plonk/vanishing/prover.rs @@ -21,18 +21,15 @@ use crate::{ pub(in crate::plonk) struct Committed { random_poly: Polynomial, - random_blind: Blind, } pub(in crate::plonk) struct Constructed { h_pieces: Vec>, - h_blinds: Vec>, committed: Committed, } pub(in crate::plonk) struct Evaluated { h_poly: Polynomial, - h_blind: Blind, committed: Committed, } @@ -90,10 +87,7 @@ impl Argument { .to_affine(); transcript.write_point(c)?; - Ok(Committed { - random_poly, - random_blind, - }) + Ok(Committed { random_poly }) } } @@ -149,7 +143,6 @@ impl Committed { Ok(Constructed { h_pieces, - h_blinds, committed: self, }) } @@ -169,18 +162,11 @@ impl Constructed { .rev() .fold(domain.empty_coeff(), |acc, eval| acc * xn + eval); - let h_blind = self - .h_blinds - .iter() - .rev() - .fold(Blind(C::Scalar::ZERO), |acc, eval| acc * Blind(xn) + *eval); - let random_eval = eval_polynomial(&self.committed.random_poly, *x); transcript.write_scalar(random_eval)?; Ok(Evaluated { h_poly, - h_blind, committed: self.committed, }) } 
@@ -195,12 +181,10 @@ impl Evaluated { .chain(Some(ProverQuery { point: *x, poly: &self.h_poly, - blind: self.h_blind, })) .chain(Some(ProverQuery { point: *x, poly: &self.committed.random_poly, - blind: self.committed.random_blind, })) } } diff --git a/halo2_backend/src/plonk/verifier.rs b/halo2_backend/src/plonk/verifier.rs index af505e15b1..bfefcab625 100644 --- a/halo2_backend/src/plonk/verifier.rs +++ b/halo2_backend/src/plonk/verifier.rs @@ -18,11 +18,6 @@ use crate::poly::{ }; use crate::transcript::{read_n_scalars, EncodedChallenge, TranscriptRead}; -#[cfg(feature = "batch")] -mod batch; -#[cfg(feature = "batch")] -pub use batch::BatchVerifier; - /// Returns a boolean indicating whether or not the proof is valid. Verifies a single proof (not /// batched). pub fn verify_proof<'params, Scheme, V, E, T, Strategy>( diff --git a/halo2_backend/src/plonk/verifier/batch.rs b/halo2_backend/src/plonk/verifier/batch.rs deleted file mode 100644 index acb59826c8..0000000000 --- a/halo2_backend/src/plonk/verifier/batch.rs +++ /dev/null @@ -1,30 +0,0 @@ -use halo2_middleware::ff::FromUniformBytes; -use halo2curves::CurveAffine; - -#[derive(Debug)] -struct BatchItem { - instances: Vec>>, - proof: Vec, -} - -/// A verifier that checks multiple proofs in a batch. **This requires the -/// `batch` crate feature to be enabled.** -#[derive(Debug, Default)] -pub struct BatchVerifier { - items: Vec>, -} - -impl BatchVerifier -where - C::Scalar: FromUniformBytes<64>, -{ - /// Constructs a new batch verifier. - pub fn new() -> Self { - Self { items: vec![] } - } - - /// Adds a proof to the batch. - pub fn add_proof(&mut self, instances: Vec>>, proof: Vec) { - self.items.push(BatchItem { instances, proof }) - } -} diff --git a/halo2_backend/src/poly/multiopen_test.rs b/halo2_backend/src/poly/multiopen_test.rs index bd34c169d9..a2246ac6f9 100644 --- a/halo2_backend/src/poly/multiopen_test.rs +++ b/halo2_backend/src/poly/multiopen_test.rs 
@@ -204,17 +204,14 @@ mod test { ProverQuery { point: x.get_scalar(), poly: &ax, - blind, }, ProverQuery { point: x.get_scalar(), poly: &bx, - blind, }, ProverQuery { point: y.get_scalar(), poly: &cx, - blind, }, ] .to_vec(); diff --git a/halo2_backend/src/poly/query.rs b/halo2_backend/src/poly/query.rs index 30be4fbec7..56b5f3e2f8 100644 --- a/halo2_backend/src/poly/query.rs +++ b/halo2_backend/src/poly/query.rs @@ -23,8 +23,6 @@ pub struct ProverQuery<'com, C: CurveAffine> { pub(crate) point: C::Scalar, /// Coefficients of polynomial pub(crate) poly: &'com Polynomial, - /// Blinding factor of polynomial - pub(crate) blind: Blind, } impl<'com, C> ProverQuery<'com, C> @@ -35,9 +33,9 @@ where pub fn new( point: C::Scalar, poly: &'com Polynomial, - blind: Blind, + _blind: Blind, ) -> Self { - ProverQuery { point, poly, blind } + ProverQuery { point, poly } } } @@ -45,7 +43,6 @@ where #[derive(Copy, Clone)] pub struct PolynomialPointer<'com, C: CurveAffine> { pub(crate) poly: &'com Polynomial, - pub(crate) blind: Blind, } impl<'com, C: CurveAffine> PartialEq for PolynomialPointer<'com, C> { @@ -65,10 +62,7 @@ impl<'com, C: CurveAffine> Query for ProverQuery<'com, C> { eval_polynomial(&self.poly[..], self.get_point()) } fn get_commitment(&self) -> Self::Commitment { - PolynomialPointer { - poly: self.poly, - blind: self.blind, - } + PolynomialPointer { poly: self.poly } } } diff --git a/halo2_frontend/src/dev/cost_model.rs b/halo2_frontend/src/dev/cost_model.rs index 49bec78197..8ddf0baaa0 100644 --- a/halo2_frontend/src/dev/cost_model.rs +++ b/halo2_frontend/src/dev/cost_model.rs @@ -14,8 +14,6 @@ use super::MockProver; /// Supported commitment schemes #[derive(Debug, Eq, PartialEq)] pub enum CommitmentScheme { - /// Inner Product Argument commitment scheme - IPA, /// KZG with GWC19 multi-open strategy KZGGWC, /// KZG with BDFG20 multi-open strategy 
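Review bot: In hunk `@@ -35,9 +33,9` of halo2_backend/src/poly/query.rs, the public constructor `ProverQuery::new` still takes a `Blind` but now binds it as `_blind` and discards it, so a caller that passes a non-default blind gets a query that silently ignores it. The doc comment on `new` should say this explicitly, e.g. `/// The blind argument is ignored; it is kept only for source compatibility.`. Marking the three-argument constructor `#[deprecated]` and adding a two-argument one would surface the change at compile time for downstream code that relied on the blind being carried into the opening. The `impl` block continues outside the hunk.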
@@ -193,14 +191,6 @@ impl CostOptions { let multiopen = comp_bytes(1, point_sets); let polycomm = match comm_scheme { - CommitmentScheme::IPA => { - // Polycommit IPA: - // - s_poly commitment (COMM bytes) - // - inner product argument (k rounds * 2 * COMM bytes) - // - a (SCALAR bytes) - // - xi (SCALAR bytes) - comp_bytes(1 + 2 * self.k, 2) - } CommitmentScheme::KZGGWC => { let mut nr_rotations = HashSet::new(); for poly in self.advice.iter() { diff --git a/halo2_proofs/benches/plonk.rs b/halo2_proofs/benches/plonk.rs index b8ed135e2f..9306011304 100644 --- a/halo2_proofs/benches/plonk.rs +++ b/halo2_proofs/benches/plonk.rs @@ -308,12 +308,7 @@ fn criterion_benchmark(c: &mut Criterion) { _, _, SingleStrategy<_>, - >( - &verifier_params, - &vk, - vec![vec![]], - &mut verifier_transcript - ), + >(&verifier_params, vk, vec![vec![]], &mut verifier_transcript), "failed to verify proof" ); } @@ -337,7 +332,7 @@ fn criterion_benchmark(c: &mut Criterion) { prover_group.bench_with_input( BenchmarkId::from_parameter(k), &(k, ¶ms, &pk), - |b, &(k, params, pk)| { + |b, &(_k, params, pk)| { b.iter(|| prover(circuit.clone(), params, pk)); }, ); diff --git a/halo2_proofs/tests/frontend_backend_split.rs b/halo2_proofs/tests/frontend_backend_split.rs index 2599a30aeb..cd8004e0b3 100644 --- a/halo2_proofs/tests/frontend_backend_split.rs +++ b/halo2_proofs/tests/frontend_backend_split.rs @@ -545,7 +545,7 @@ fn test_mycircuit_full_legacy() { proof }, - "7b855ed41c161c8aad4dbcec30912c806a1f6d66eb17f9fa2ee8ba20078aedc6", + "78aadfd46b5cc58b90d832ee47e4df57af3dfc28d1457c4ceeb5d0323a72f130", ); } @@ -626,6 +626,6 @@ fn test_mycircuit_full_split() { proof }, - "7b855ed41c161c8aad4dbcec30912c806a1f6d66eb17f9fa2ee8ba20078aedc6", + "78aadfd46b5cc58b90d832ee47e4df57af3dfc28d1457c4ceeb5d0323a72f130", ); } diff --git a/halo2_proofs/tests/shuffle_api.rs b/halo2_proofs/tests/shuffle_api.rs index d3d55d5b48..92cd023ea7 100644 --- a/halo2_proofs/tests/shuffle_api.rs 
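Review bot: The pinned proof digest in `test_mycircuit_full_legacy` (hunk `@@ -545,7 +545,7` of halo2_proofs/tests/frontend_backend_split.rs) changes to `78aadfd46b5cc58b90d832ee47e4df57af3dfc28d1457c4ceeb5d0323a72f130`, yet the commit message describes only a field removal and does not say why the proof bytes differ. The same unexplained change appears in `test_mycircuit_full_split` (hunk `@@ -626,6 +626,6`) and in the digest at the end of halo2_proofs/tests/shuffle_api.rs. The likely cause is that the prover draws fewer random scalars (for instance the removed `h_blinds` in vanishing/prover.rs), which shifts the RNG stream, but that is an inference from the visible hunks. A one-line comment above each digest, such as `// digest updated: prover no longer samples per-polynomial blinds`, or a sentence in the commit description would let a reader tell an intended change from an accidental transcript change.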
+++ b/halo2_proofs/tests/shuffle_api.rs @@ -142,34 +142,15 @@ impl Circuit for MyCircuit { } } -#[test] -fn test_shuffle_api() { - const K: u32 = 4; - let input_0 = [1, 2, 4, 1] - .map(|e: u64| Value::known(Fr::from(e))) - .to_vec(); - let input_1 = [10, 20, 40, 10].map(Fr::from).to_vec(); - let shuffle_0 = [4, 1, 1, 2] - .map(|e: u64| Value::known(Fr::from(e))) - .to_vec(); - let shuffle_1 = [40, 10, 10, 20] - .map(|e: u64| Value::known(Fr::from(e))) - .to_vec(); - let circuit = MyCircuit { - input_0, - input_1, - shuffle_0, - shuffle_1, - }; - - let instances = vec![vec![]]; - +fn test_prover(k: u32, circuit: MyCircuit, expected: bool) -> Vec { // Setup let mut rng = test_rng(); - let params = ParamsKZG::::setup(K, &mut rng); + let params = ParamsKZG::::setup(k, &mut rng); let vk = keygen_vk(¶ms, &circuit).expect("keygen_vk should not fail"); let pk = keygen_pk(¶ms, vk.clone(), &circuit).expect("keygen_pk should not fail"); + let instances = vec![vec![]]; + let mut transcript = Blake2bWrite::<_, G1Affine, Challenge255<_>>::init(vec![]); create_proof::, ProverSHPLONK<'_, Bn256>, _, _, _, _>( ¶ms, 
@@ -187,24 +168,49 @@ fn test_shuffle_api() { Blake2bRead::<_, G1Affine, Challenge255<_>>::init(proof.as_slice()); let verifier_params = params.verifier_params(); - assert!( - verify_proof_multi::< - KZGCommitmentScheme, - VerifierSHPLONK, - _, - _, - SingleStrategy<_>, - >( - &verifier_params, - &vk, - instances.as_slice(), - &mut verifier_transcript, - ), - "failed to verify proof" + let accepted = verify_proof_multi::< + KZGCommitmentScheme, + VerifierSHPLONK, + _, + _, + SingleStrategy<_>, + >( + &verifier_params, + &vk, + instances.as_slice(), + &mut verifier_transcript, ); + assert_eq!(accepted, expected); + + proof +} + +#[test] +fn test_shuffle_api() { + use halo2_proofs::dev::MockProver; + const K: u32 = 4; + let input_0 = [1, 2, 4, 1] + .map(|e: u64| Value::known(Fr::from(e))) + .to_vec(); + let input_1 = [10, 20, 40, 10].map(Fr::from).to_vec(); + let shuffle_0 = [4, 1, 1, 2] + .map(|e: u64| Value::known(Fr::from(e))) + .to_vec(); + let shuffle_1 = [40, 10, 10, 20] + .map(|e: u64| Value::known(Fr::from(e))) + .to_vec(); + let circuit = MyCircuit { + input_0, + input_1, + shuffle_0, + shuffle_1, + }; + let prover = MockProver::run(K, &circuit, vec![]).unwrap(); + prover.assert_satisfied(); + halo2_debug::test_result( - || proof, - "6f291e2142b6740955076f5f79fae89bc9bb729b65ce7f577de7e2091c9c0d06", + || test_prover(K, circuit, true), + "c4a5b69cf43d3e84ee311a2801ca194b756f2b21437756bd54204113d42e6f07", ); }
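Review bot: The new helper `test_prover(k, circuit, expected)` in halo2_proofs/tests/shuffle_api.rs is only ever called with `expected = true` in the visible code, so the rejection path of `verify_proof_multi` is never exercised. A second test should build `MyCircuit` with a `shuffle_0` that is not a permutation of `input_0` and call `test_prover(K, circuit, false)`; that test may need gating if proof creation asserts on unsatisfied witnesses in some feature configurations. The rewrite also drops the old `"failed to verify proof"` message, and `assert_eq!(accepted, expected, "unexpected verification result");` would keep a failure readable. `test_prover` begins in the preceding hunk (`@@ -142,34 +142,15`).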