diff --git a/src/sonic/helped/helper.rs b/src/sonic/helped/helper.rs index 6007123..e6404c4 100644 --- a/src/sonic/helped/helper.rs +++ b/src/sonic/helped/helper.rs @@ -83,8 +83,6 @@ pub fn create_aggregate_on_srs_using_information, S: Sy let z: E::Fr = transcript.get_challenge_scalar(); - // let z = E::Fr::one(); - // Compute s(z, Y) let (s_poly_negative, s_poly_positive) = { let mut tmp = SyEval::new(z, n, q); @@ -106,12 +104,8 @@ pub fn create_aggregate_on_srs_using_information, S: Sy // Open C at w let w: E::Fr = transcript.get_challenge_scalar(); - let w = E::Fr::one(); - let value = compute_value::(&w, &s_poly_positive, &s_poly_negative); - println!("In helper s(z, w) = {}", value); - let opening = { let mut value = value; value.negate(); diff --git a/src/sonic/helped/verifier.rs b/src/sonic/helped/verifier.rs index dc76461..da150e7 100644 --- a/src/sonic/helped/verifier.rs +++ b/src/sonic/helped/verifier.rs @@ -66,14 +66,10 @@ impl, S: SynthesisDriver, R: Rng> MultiVerifier(coeffs: &[F], permutation: & [usize]) -> Vec{ result } +fn permute_inverse(permuted_coeffs: &[F], permutation: & [usize]) -> Vec{ + assert_eq!(permuted_coeffs.len(), permutation.len()); + let mut result: Vec = vec![F::zero(); permuted_coeffs.len()]; + for (i, j) in permutation.iter().enumerate() { + // if *j < 1 { + // // if permutation information is missing coefficient itself must be zero! + // assert!(coeffs[i].is_zero()); + // continue; + // } + result[i] = permuted_coeffs[*j - 1]; + } + result +} + impl PermutationArgument { pub fn new(coefficients: Vec>, permutations: Vec>) -> Self { assert!(coefficients.len() > 0); @@ -144,20 +158,52 @@ impl PermutationArgument { let mut permuted_coefficients = vec![]; let mut permuted_at_y_coefficients = vec![]; + + // naive algorithms + // for every permutation poly + // -- go throught all variable_idx + // - take coeff from non-permuted coeffs[veriable_idx] + // - mul by Y^{permutation[variable_idx]} + // - mul by X^{variable_idx + 1} + + // let mut s_contrib = E::Fr::zero(); + // for permutation_index in 0..m { + // for (variable_index, constraint_power) in permutations[permutation_index].iter().enumerate() { + // let y_power = y.pow([*constraint_power as u64]); + // let x_power = z.pow([(variable_index+1) as u64]); + // let coeff = non_permuted_coeffs[permutation_index][variable_index]; + + // let mut result = coeff; + // result.mul_assign(&x_power); + // result.mul_assign(&y_power); + // s_contrib.add_assign(&result); + // } + // } + + + // this part distributes powers of Y^{constraint} and Y^{variable} for different arguments for (c, p) in self.non_permuted_coefficients.iter().zip(self.permutations.iter()) { - let mut non_permuted = c.clone(); - // these are terms of s coefficients in each of the permutations, - // permuted by the corresponding permutation - let permuted = permute(&non_permuted[..], &p[..]); + // this one will have terms coeff[0] * Y^1 + let mut non_permuted_at_y = c.clone(); - // distribute powers of Y to non-permuted coefficients - mut_distribute_consequitive_powers(&mut non_permuted[..], y, y); + // permute to later have coeff[i] at spot K for distribution of powers and for argument + let permuted = permute(&non_permuted_at_y[..], &p[..]); + + // here will be distributed powers for coeff[i] * Y^K + let mut permuted_at_y = permuted.clone(); + + // distribute powers of Y to non-permuted coefficients as coeff[0]*Y^1, coeff[0]*Y^2, ... + mut_distribute_consequitive_powers(&mut non_permuted_at_y[..], y, y); // and commit to S' - let s_prime = multiexp(srs.g_positive_x_alpha[0..n].iter(), non_permuted.iter()).into_affine(); + let s_prime = multiexp(srs.g_positive_x_alpha[0..n].iter(), non_permuted_at_y.iter()).into_affine(); + drop(non_permuted_at_y); + + // this construction has already moved coeff[i] to the corresponding constraint k, so term is coeff[i]*Y^{K} for place K + mut_distribute_consequitive_powers(&mut permuted_at_y[..], y, y); + + // now there is a coefficient coeff[i]*Y^{K} for place K at place K, so we need to move it back to i + let permuted_at_y = permute_inverse(&permuted_at_y[..], &p[..]); - // no we can permute pre-distributed powers of Y - let permuted_at_y = permute(&non_permuted[..], &p[..]); - drop(non_permuted); // and commit to S let s = multiexp(srs.g_positive_x_alpha[0..n].iter(), permuted_at_y.iter()).into_affine(); @@ -265,7 +311,7 @@ impl PermutationArgument { let s_polynomial = s_polynomial.unwrap(); // evaluate at z let s_zy = evaluate_at_consequitive_powers(& s_polynomial[..], z, z); - println!("In permutation argument S(z, y) = {}", s_zy); + println!("In permutation argument S1_(z, y) = {}", s_zy); let mut s_zy_neg = s_zy; diff --git a/src/sonic/unhelped/permutation_structure.rs b/src/sonic/unhelped/permutation_structure.rs index f7b2c09..2f48981 100644 --- a/src/sonic/unhelped/permutation_structure.rs +++ b/src/sonic/unhelped/permutation_structure.rs @@ -176,7 +176,6 @@ impl PermutationStructure { Coeff::Zero => { }, Coeff::One => { - println!("A({}), coeff = 1 for place {} in permutation {}", gate_index, place, i); not_empty[i] = true; place_coeff_into[array_position] = one; place_permutation_into[array_position] = *place; diff --git a/src/sonic/unhelped/verifier.rs b/src/sonic/unhelped/verifier.rs index 23f9425..9531812 100644 --- a/src/sonic/unhelped/verifier.rs +++ b/src/sonic/unhelped/verifier.rs @@ -166,20 +166,10 @@ impl, S: SynthesisDriver, R: Rng> SuccinctMultiVerifier let z: E::Fr = transcript.get_challenge_scalar(); - // let z = E::Fr::one(); - - println!("Verifier z = {}", z); - transcript.commit_point(&aggregate.c); let w: E::Fr = transcript.get_challenge_scalar(); - let w = E::Fr::one(); - - println!("Verifier w = {}", w); - - println!("N = {}", self.n); - let szw = { // prover will supply s1 and s2, need to calculate // s(z, w) = X^-(N+1) * Y^N * s1 - X^N * s2 @@ -196,45 +186,43 @@ impl, S: SynthesisDriver, R: Rng> SuccinctMultiVerifier // this is s2 contribution itself let mut s2_part = s2_proof.c_value; s2_part.add_assign(&s2_proof.d_value); - println!("S2 = {}", s2_part); s2_part.mul_assign(&x_n); // add terms for S2 for verification - // { - // let random: E::Fr = self.randomness_source.gen(); + { + let random: E::Fr = self.randomness_source.gen(); - // // e(C,hαx)e(C−yz,hα) = e(O,h)e(g−c,hα) that is - // // e(C,hαx)e(C^−yz,hα)*e(O,-h)e(g^c,hα) = 1 + // e(C,hαx)e(C−yz,hα) = e(O,h)e(g−c,hα) that is + // e(C,hαx)e(C^−yz,hα)*e(O,-h)e(g^c,hα) = 1 - // let mut xy = z; - // xy.mul_assign(&w); + let mut xy = z; + xy.mul_assign(&w); - // self.batch.add_opening(s2_proof.c_opening, random, xy); - // self.batch.add_opening_value(random, s2_proof.c_value); - // self.batch.add_commitment(self.s2_special_reference, random); + self.batch.add_opening(s2_proof.c_opening, random, xy); + self.batch.add_opening_value(random, s2_proof.c_value); + self.batch.add_commitment(self.s2_special_reference, random); - // } + } - // { - // let random: E::Fr = self.randomness_source.gen(); + { + let random: E::Fr = self.randomness_source.gen(); - // // e(D,hαx)e(D−y−1z,hα) = e(O,h)e(g−d,hα) that is - // // e(D,hαx)e(D^−y-1z,hα)*e(O,-h)e(g^d,hα) = 1 + // e(D,hαx)e(D−y−1z,hα) = e(O,h)e(g−d,hα) that is + // e(D,hαx)e(D^−y-1z,hα)*e(O,-h)e(g^d,hα) = 1 - // let mut y_inv_by_x = z; - // y_inv_by_x.mul_assign(&w.inverse().unwrap()); + let mut y_inv_by_x = z; + y_inv_by_x.mul_assign(&w.inverse().unwrap()); - // self.batch.add_opening(s2_proof.d_opening, random, y_inv_by_x); - // self.batch.add_opening_value(random, s2_proof.d_value); - // self.batch.add_commitment(self.s2_special_reference, random); + self.batch.add_opening(s2_proof.d_opening, random, y_inv_by_x); + self.batch.add_opening_value(random, s2_proof.d_value); + self.batch.add_commitment(self.s2_special_reference, random); - // } + } // now work with s1 part let mut s1_part = permutation_argument_proof.s_zy; - println!("S1 = {}", s1_part); s1_part.mul_assign(&x_n_plus_1_inv); s1_part.mul_assign(&y_n); @@ -278,8 +266,6 @@ impl, S: SynthesisDriver, R: Rng> SuccinctMultiVerifier s }; - println!("Succinct s(z, w) = {}", szw); - { let random: E::Fr = self.randomness_source.gen();