arnaucube
/
Nova
mirror of https://github.com/arnaucube/Nova.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

This commit introduces the following changes: 

* Separate types for Relaxed R1CS and R1CS instances and witnesses
* Allows creating default values for Relaxed R1CS types
* StepSNARK now folds a regular R1CS instance-witness into a running Relaxed R1CS instance-witness
* We additionally enforce input chaining checks: the incoming instance must have input that matches the output of the incremental computation thus far
main
Srinath Setty 3 years ago
parent
de5b8d6598
commit
61ef5fc0b1
4 changed files with 262 additions and 133 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +2
    -0
      src/errors.rs
  2. +113
    -73
      src/lib.rs
  3. +146
    -59
      src/r1cs.rs
  4. +1
    -1
      src/traits.rs

+ 2
- 0
src/errors.rs
View File

@ -6,6 +6,8 @@ use core::fmt::Debug;
pub enum NovaError {
/// returned if the supplied row or col in (row,col,val) tuple is out of range
InvalidIndex,
/// returned if the supplied input is not even-sized
OddInputLength,
/// returned if the supplied input is not of the right length
InvalidInputLength,
/// returned if the supplied witness is not of the right length

+ 113
- 73
src/lib.rs
View File

@ -15,7 +15,9 @@ use std::marker::PhantomData;
use commitments::{AppendToTranscriptTrait, CompressedCommitment};
use errors::NovaError;
use merlin::Transcript;
use r1cs::{R1CSGens, R1CSInstance, R1CSShape, R1CSWitness};
use r1cs::{
R1CSGens, R1CSInstance, R1CSShape, R1CSWitness, RelaxedR1CSInstance, RelaxedR1CSWitness,
};
use traits::{ChallengeTrait, Group};
/// A SNARK that holds the proof of a step of an incremental computation
@ -29,20 +31,27 @@ impl StepSNARK {
b"NovaStepSNARK"
}
/// Takes as input two relaxed R1CS instance-witness tuples `(U1, W1)` and `(U2, W2)`
/// with the same structure `shape` and defined with respect to the same `gens`,
/// and outputs a folded instance-witness tuple `(U, W)` of the same shape `shape`,
/// Takes as input a Relaxed R1CS instance-witness tuple `(U1, W1)` and
/// an R1CS instance-witness tuple `(U2, W2)` with the same structure `shape`
/// and defined with respect to the same `gens`, and outputs
/// a folded Relaxed R1CS instance-witness tuple `(U, W)` of the same shape `shape`,
/// with the guarantee that the folded witness `W` satisfies the folded instance `U`
/// if and only if `W1` satisfies `U1` and `W2` satisfies `U2`.
pub fn prove(
gens: &R1CSGens<G>,
S: &R1CSShape<G>,
U1: &R1CSInstance<G>,
W1: &R1CSWitness<G>,
U1: &RelaxedR1CSInstance<G>,
W1: &RelaxedR1CSWitness<G>,
U2: &R1CSInstance<G>,
W2: &R1CSWitness<G>,
transcript: &mut Transcript,
) -> Result<(StepSNARK<G>, (R1CSInstance<G>, R1CSWitness<G>)), NovaError> {
) -> Result<
(
StepSNARK<G>,
(RelaxedR1CSInstance<G>, RelaxedR1CSWitness<G>),
),
NovaError,
> {
// append the protocol name to the transcript
//transcript.append_protocol_name(StepSNARK::protocol_name());
transcript.append_message(b"protocol-name", StepSNARK::<G>::protocol_name());
@ -72,17 +81,17 @@ impl StepSNARK {
))
}
/// Takes as input two relaxed R1CS instances `U1` and `U2`
/// Takes as input a relaxed R1CS instance `U1` and and R1CS instance `U2`
/// with the same shape and defined with respect to the same parameters,
/// and outputs a folded instance `U` with the same shape,
/// with the guarantee that the folded instance `U`
/// if and only if `U1` and `U2` are satisfiable.
pub fn verify(
&self,
U1: &R1CSInstance<G>,
U1: &RelaxedR1CSInstance<G>,
U2: &R1CSInstance<G>,
transcript: &mut Transcript,
) -> Result<R1CSInstance<G>, NovaError> {
) -> Result<RelaxedR1CSInstance<G>, NovaError> {
// append the protocol name to the transcript
transcript.append_message(b"protocol-name", StepSNARK::<G>::protocol_name());
@ -102,12 +111,12 @@ impl StepSNARK {
/// A SNARK that holds the proof of the final step of an incremental computation
pub struct FinalSNARK<G: Group> {
W: R1CSWitness<G>,
W: RelaxedR1CSWitness<G>,
}
impl<G: Group> FinalSNARK<G> {
/// Produces a proof of a instance given its satisfying witness `W`.
pub fn prove(W: &R1CSWitness<G>) -> Result<FinalSNARK<G>, NovaError> {
pub fn prove(W: &RelaxedR1CSWitness<G>) -> Result<FinalSNARK<G>, NovaError> {
Ok(FinalSNARK { W: W.clone() })
}
@ -116,10 +125,10 @@ impl FinalSNARK {
&self,
gens: &R1CSGens<G>,
S: &R1CSShape<G>,
U: &R1CSInstance<G>,
U: &RelaxedR1CSInstance<G>,
) -> Result<(), NovaError> {
// check that the witness is a valid witness to the folded instance `U`
S.is_sat(gens, U, &self.W)
S.is_sat_relaxed(gens, U, &self.W)
}
}
@ -135,16 +144,17 @@ mod tests {
#[test]
fn test_tiny_r1cs() {
let one = S::one();
let (num_cons, num_vars, num_inputs, A, B, C) = {
let (num_cons, num_vars, num_io, A, B, C) = {
let num_cons = 4;
let num_vars = 4;
let num_inputs = 1;
let num_io = 2;
// Consider a cubic equation: `x^3 + x + 5 = y`, where `x` and `y` are respectively the input and output.
// The R1CS for this problem consists of the following constraints:
// `Z0 * Z0 - Z1 = 0`
// `Z1 * Z0 - Z2 = 0`
// `(Z2 + Z0) * 1 - Z3 = 0`
// `(Z3 + 5) * 1 - I0 = 0`
// `I0 * I0 - Z0 = 0`
// `Z0 * I0 - Z1 = 0`
// `(Z1 + I0) * 1 - Z2 = 0`
// `(Z2 + 5) * 1 - I1 = 0`
// Relaxed R1CS is a set of three sparse matrices (A B C), where there is a row for every
// constraint and a column for every entry in z = (vars, u, inputs)
@ -155,33 +165,37 @@ mod tests {
let mut C: Vec<(usize, usize, S)> = Vec::new();
// constraint 0 entries in (A,B,C)
A.push((0, 0, one));
B.push((0, 0, one));
C.push((0, 1, one));
// `I0 * I0 - Z0 = 0`
A.push((0, num_vars + 1, one));
B.push((0, num_vars + 1, one));
C.push((0, 0, one));
// constraint 1 entries in (A,B,C)
A.push((1, 1, one));
B.push((1, 0, one));
C.push((1, 2, one));
// `Z0 * I0 - Z1 = 0`
A.push((1, 0, one));
B.push((1, num_vars + 1, one));
C.push((1, 1, one));
// constraint 2 entries in (A,B,C)
A.push((2, 2, one));
A.push((2, 0, one));
// `(Z1 + I0) * 1 - Z2 = 0`
A.push((2, 1, one));
A.push((2, num_vars + 1, one));
B.push((2, num_vars, one));
C.push((2, 3, one));
C.push((2, 2, one));
// constraint 3 entries in (A,B,C)
A.push((3, 3, one));
// `(Z2 + 5) * 1 - I1 = 0`
A.push((3, 2, one));
A.push((3, num_vars, one + one + one + one + one));
B.push((3, num_vars, one));
C.push((3, num_vars + 1, one));
C.push((3, num_vars + 2, one));
(num_cons, num_vars, num_inputs, A, B, C)
(num_cons, num_vars, num_io, A, B, C)
};
// create a shape object
let S = {
let res = R1CSShape::new(num_cons, num_vars, num_inputs, &A, &B, &C);
let res = R1CSShape::new(num_cons, num_vars, num_io, &A, &B, &C);
assert!(res.is_ok());
res.unwrap()
};
@ -189,64 +203,90 @@ mod tests {
// generate generators
let gens = R1CSGens::new(num_cons, num_vars);
let rand_inst_witness_generator = |gens: &R1CSGens<G>| -> (R1CSInstance<G>, R1CSWitness<G>) {
// compute a satisfying (vars, X) tuple
let (vars, X) = {
let mut csprng: OsRng = OsRng;
let z0 = S::random(&mut csprng);
let z1 = z0 * z0; // constraint 0
let z2 = z1 * z0; // constraint 1
let z3 = z2 + z0; // constraint 2
let i0 = z3 + one + one + one + one + one; // constraint 3
let vars = vec![z0, z1, z2, z3];
let X = vec![i0];
(vars, X)
let rand_inst_witness_generator =
|gens: &R1CSGens<G>, I: &S| -> (S, R1CSInstance<G>, R1CSWitness<G>) {
let i0 = I.clone();
// compute a satisfying (vars, X) tuple
let (O, vars, X) = {
let z0 = i0 * i0; // constraint 0
let z1 = i0 * z0; // constraint 1
let z2 = z1 + i0; // constraint 2
let i1 = z2 + one + one + one + one + one; // constraint 3
// store the witness and IO for the instance
let W = vec![z0, z1, z2, S::zero()];
let X = vec![i0, i1];
(i1, W, X)
};
let W = {
let res = R1CSWitness::new(&S, &vars);
assert!(res.is_ok());
res.unwrap()
};
let U = {
let comm_W = W.commit(&gens);
let res = R1CSInstance::new(&S, &comm_W, &X);
assert!(res.is_ok());
res.unwrap()
};
// check that generated instance is satisfiable
assert!(S.is_sat(&gens, &U, &W).is_ok());
(O, U, W)
};
let W = {
let E = vec![S::zero(); num_cons]; // default E
let res = R1CSWitness::new(&S, &vars, &E);
assert!(res.is_ok());
res.unwrap()
};
let U = {
let (comm_W, comm_E) = W.commit(&gens);
let u = S::one(); //default u
let res = R1CSInstance::new(&S, &comm_W, &comm_E, &X, &u);
assert!(res.is_ok());
res.unwrap()
};
// check that generated instance is satisfiable
let is_sat = S.is_sat(&gens, &U, &W);
assert!(is_sat.is_ok());
(U, W)
};
let mut csprng: OsRng = OsRng;
let I = S::random(&mut csprng); // the first input is picked randomly for the first instance
let (O, U1, W1) = rand_inst_witness_generator(&gens, &I);
let (_O, U2, W2) = rand_inst_witness_generator(&gens, &O);
let (U1, W1) = rand_inst_witness_generator(&gens);
let (U2, W2) = rand_inst_witness_generator(&gens);
// produce a default running instance
let mut r_W = RelaxedR1CSWitness::default(&S);
let mut r_U = RelaxedR1CSInstance::default(&gens, &S);
// produce a step SNARK
// produce a step SNARK with (W1, U1) as the first incoming witness-instance pair
let mut prover_transcript = Transcript::new(b"StepSNARKExample");
let res = StepSNARK::prove(&gens, &S, &U1, &W1, &U2, &W2, &mut prover_transcript);
let res = StepSNARK::prove(&gens, &S, &r_U, &r_W, &U1, &W1, &mut prover_transcript);
assert!(res.is_ok());
let (step_snark, (_U, W)) = res.unwrap();
// verify the step SNARK
// verify the step SNARK with U1 as the first incoming instance
let mut verifier_transcript = Transcript::new(b"StepSNARKExample");
let res = step_snark.verify(&U1, &U2, &mut verifier_transcript);
let res = step_snark.verify(&r_U, &U1, &mut verifier_transcript);
assert!(res.is_ok());
let U = res.unwrap();
assert_eq!(U, _U);
// update the running witness and instance
r_W = W;
r_U = U;
// produce a step SNARK with (W2, U2) as the second incoming witness-instance pair
let res = StepSNARK::prove(&gens, &S, &r_U, &r_W, &U2, &W2, &mut prover_transcript);
assert!(res.is_ok());
let (step_snark, (_U, W)) = res.unwrap();
// verify the step SNARK with U1 as the first incoming instance
let res = step_snark.verify(&r_U, &U2, &mut verifier_transcript);
assert!(res.is_ok());
let U = res.unwrap();
assert_eq!(U, _U);
// update the running witness and instance
r_W = W;
r_U = U;
// produce a final SNARK
let res = FinalSNARK::prove(&W);
let res = FinalSNARK::prove(&r_W);
assert!(res.is_ok());
let final_snark = res.unwrap();
// verify the final SNARK
let res = final_snark.verify(&gens, &S, &U);
let res = final_snark.verify(&gens, &S, &r_U);
assert!(res.is_ok());
}
}

+ 146
- 59
src/r1cs.rs
View File

@ -1,4 +1,4 @@
//! This module defines R1CS related types and a folding scheme for (relaxed) R1CS
//! This module defines R1CS related types and a folding scheme for Relaxed R1CS
#![allow(clippy::type_complexity)]
use super::commitments::{CommitGens, CommitTrait, Commitment, CompressedCommitment};
use super::errors::NovaError;
@ -17,7 +17,7 @@ pub struct R1CSGens {
pub struct R1CSShape<G: Group> {
num_cons: usize,
num_vars: usize,
num_inputs: usize,
num_io: usize,
A: Vec<(usize, usize, G::Scalar)>,
B: Vec<(usize, usize, G::Scalar)>,
C: Vec<(usize, usize, G::Scalar)>,
@ -27,16 +27,31 @@ pub struct R1CSShape {
#[derive(Clone, Debug)]
pub struct R1CSWitness<G: Group> {
W: Vec<G::Scalar>,
E: Vec<G::Scalar>,
}
/// A type that holds an R1CS instance
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct R1CSInstance<G: Group> {
comm_W: Commitment<G>,
X: Vec<G::Scalar>,
}
/// A type that holds a witness for a given Relaxed R1CS instance
#[derive(Clone, Debug)]
pub struct RelaxedR1CSWitness<G: Group> {
W: Vec<G::Scalar>,
E: Vec<G::Scalar>,
}
/// A type that holds a Relaxed R1CS instance
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct RelaxedR1CSInstance<G: Group> {
comm_W: Commitment<G>,
comm_E: Commitment<G>,
X: Vec<G::Scalar>,
u: G::Scalar,
Y_last: Vec<G::Scalar>, // output of the last instance that was folded
counter: usize, // the number of folds thus far
}
impl<G: Group> R1CSGens<G> {
@ -57,7 +72,7 @@ impl R1CSShape {
pub fn new(
num_cons: usize,
num_vars: usize,
num_inputs: usize,
num_io: usize,
A: &[(usize, usize, G::Scalar)],
B: &[(usize, usize, G::Scalar)],
C: &[(usize, usize, G::Scalar)],
@ -85,18 +100,23 @@ impl R1CSShape {
}
};
let res_A = is_valid(num_cons, num_vars, num_inputs, A);
let res_B = is_valid(num_cons, num_vars, num_inputs, B);
let res_C = is_valid(num_cons, num_vars, num_inputs, C);
let res_A = is_valid(num_cons, num_vars, num_io, A);
let res_B = is_valid(num_cons, num_vars, num_io, B);
let res_C = is_valid(num_cons, num_vars, num_io, C);
if res_A.is_err() || res_B.is_err() || res_C.is_err() {
return Err(NovaError::InvalidIndex);
}
// We require the number of public inputs/outputs to be even
if num_io % 2 != 0 {
return Err(NovaError::OddInputLength);
}
let shape = R1CSShape {
num_cons,
num_vars,
num_inputs,
num_io,
A: A.to_owned(),
B: B.to_owned(),
C: C.to_owned(),
@ -109,7 +129,7 @@ impl R1CSShape {
&self,
z: &[G::Scalar],
) -> Result<(Vec<G::Scalar>, Vec<G::Scalar>, Vec<G::Scalar>), NovaError> {
if z.len() != self.num_inputs + self.num_vars + 1 {
if z.len() != self.num_io + self.num_vars + 1 {
return Err(NovaError::InvalidWitnessLength);
}
@ -136,16 +156,16 @@ impl R1CSShape {
Ok((Az, Bz, Cz))
}
/// Checks if the R1CS instance is satisfiable given a witness and its shape
pub fn is_sat(
/// Checks if the Relaxed R1CS instance is satisfiable given a witness and its shape
pub fn is_sat_relaxed(
&self,
gens: &R1CSGens<G>,
U: &R1CSInstance<G>,
W: &R1CSWitness<G>,
U: &RelaxedR1CSInstance<G>,
W: &RelaxedR1CSWitness<G>,
) -> Result<(), NovaError> {
assert_eq!(W.W.len(), self.num_vars);
assert_eq!(W.E.len(), self.num_cons);
assert_eq!(U.X.len(), self.num_inputs);
assert_eq!(U.X.len(), self.num_io);
// verify if Az * Bz = u*Cz + E
let res_eq: bool = {
@ -183,12 +203,48 @@ impl R1CSShape {
}
}
/// A method to compute a commitment to the cross-term `T` given two R1CS instance-witness pairs
/// Checks if the R1CS instance is satisfiable given a witness and its shape
pub fn is_sat(
&self,
gens: &R1CSGens<G>,
U: &R1CSInstance<G>,
W: &R1CSWitness<G>,
) -> Result<(), NovaError> {
assert_eq!(W.W.len(), self.num_vars);
assert_eq!(U.X.len(), self.num_io);
// verify if Az * Bz = u*Cz
let res_eq: bool = {
let z = concat(vec![W.W.clone(), vec![G::Scalar::one()], U.X.clone()]);
let (Az, Bz, Cz) = self.multiply_vec(&z)?;
assert_eq!(Az.len(), self.num_cons);
assert_eq!(Bz.len(), self.num_cons);
assert_eq!(Cz.len(), self.num_cons);
let res: usize = (0..self.num_cons)
.map(|i| if Az[i] * Bz[i] == Cz[i] { 0 } else { 1 })
.sum();
res == 0
};
// verify if comm_W is a commitment to W
let res_comm: bool = U.comm_W == W.W.commit(&gens.gens_W);
if res_eq && res_comm {
Ok(())
} else {
Err(NovaError::UnSat)
}
}
/// A method to compute a commitment to the cross-term `T` given a
/// Relaxed R1CS instance-witness pair and an R1CS instance-witness pair
pub fn commit_T(
&self,
gens: &R1CSGens<G>,
U1: &R1CSInstance<G>,
W1: &R1CSWitness<G>,
U1: &RelaxedR1CSInstance<G>,
W1: &RelaxedR1CSWitness<G>,
U2: &R1CSInstance<G>,
W2: &R1CSWitness<G>,
) -> Result<
@ -204,7 +260,7 @@ impl R1CSShape {
};
let (AZ_2, BZ_2, CZ_2) = {
let Z2 = concat(vec![W2.W.clone(), vec![U2.u], U2.X.clone()]);
let Z2 = concat(vec![W2.W.clone(), vec![G::Scalar::one()], U2.X.clone()]);
self.multiply_vec(&Z2)?
};
@ -217,9 +273,7 @@ impl R1CSShape {
let u_1_cdot_CZ_2 = (0..CZ_2.len())
.map(|i| U1.u * CZ_2[i])
.collect::<Vec<G::Scalar>>();
let u_2_cdot_CZ_1 = (0..CZ_1.len())
.map(|i| U2.u * CZ_1[i])
.collect::<Vec<G::Scalar>>();
let u_2_cdot_CZ_1 = (0..CZ_1.len()).map(|i| CZ_1[i]).collect::<Vec<G::Scalar>>();
let T = AZ_1_circ_BZ_2
.par_iter()
@ -237,20 +291,46 @@ impl R1CSShape {
impl<G: Group> R1CSWitness<G> {
/// A method to create a witness object using a vector of scalars
pub fn new(S: &R1CSShape<G>, W: &[G::Scalar]) -> Result<R1CSWitness<G>, NovaError> {
if S.num_vars != W.len() {
Err(NovaError::InvalidWitnessLength)
} else {
Ok(R1CSWitness { W: W.to_owned() })
}
}
/// Commits to the witness using the supplied generators
pub fn commit(&self, gens: &R1CSGens<G>) -> Commitment<G> {
self.W.commit(&gens.gens_W)
}
}
impl<G: Group> R1CSInstance<G> {
/// A method to create an instance object using consitituent elements
pub fn new(
S: &R1CSShape<G>,
W: &[G::Scalar],
E: &[G::Scalar],
) -> Result<R1CSWitness<G>, NovaError> {
if S.num_vars != W.len() || S.num_cons != E.len() {
Err(NovaError::InvalidWitnessLength)
comm_W: &Commitment<G>,
X: &[G::Scalar],
) -> Result<R1CSInstance<G>, NovaError> {
if S.num_io != X.len() {
Err(NovaError::InvalidInputLength)
} else {
Ok(R1CSWitness {
W: W.to_owned(),
E: E.to_owned(),
Ok(R1CSInstance {
comm_W: *comm_W,
X: X.to_owned(),
})
}
}
}
impl<G: Group> RelaxedR1CSWitness<G> {
/// Produces a default RelaxedR1CSWitness given an R1CSShape
pub fn default(S: &R1CSShape<G>) -> RelaxedR1CSWitness<G> {
RelaxedR1CSWitness {
W: vec![G::Scalar::zero(); S.num_vars],
E: vec![G::Scalar::zero(); S.num_cons],
}
}
/// Commits to the witness using the supplied generators
pub fn commit(&self, gens: &R1CSGens<G>) -> (Commitment<G>, Commitment<G>) {
@ -263,9 +343,9 @@ impl R1CSWitness {
W2: &R1CSWitness<G>,
T: &[G::Scalar],
r: &G::Scalar,
) -> Result<R1CSWitness<G>, NovaError> {
) -> Result<RelaxedR1CSWitness<G>, NovaError> {
let (W1, E1) = (&self.W, &self.E);
let (W2, E2) = (&W2.W, &W2.E);
let W2 = &W2.W;
if W1.len() != W2.len() {
return Err(NovaError::InvalidWitnessLength);
@ -279,61 +359,68 @@ impl R1CSWitness {
let E = E1
.par_iter()
.zip(T)
.zip(E2)
.map(|((a, b), c)| *a + *r * *b + *r * *r * *c)
.map(|(a, b)| *a + *r * *b)
.collect::<Vec<G::Scalar>>();
Ok(R1CSWitness { W, E })
Ok(RelaxedR1CSWitness { W, E })
}
}
impl<G: Group> R1CSInstance<G> {
/// A method to create an instance object using consitituent elements
pub fn new(
S: &R1CSShape<G>,
comm_W: &Commitment<G>,
comm_E: &Commitment<G>,
X: &[G::Scalar],
u: &G::Scalar,
) -> Result<R1CSInstance<G>, NovaError> {
if S.num_inputs != X.len() {
Err(NovaError::InvalidInputLength)
} else {
Ok(R1CSInstance {
comm_W: *comm_W,
comm_E: *comm_E,
X: X.to_owned(),
u: *u,
})
impl<G: Group> RelaxedR1CSInstance<G> {
/// Produces a default RelaxedR1CSInstance given R1CSGens and R1CSShape
pub fn default(gens: &R1CSGens<G>, S: &R1CSShape<G>) -> RelaxedR1CSInstance<G> {
let (comm_W, comm_E) = RelaxedR1CSWitness::default(S).commit(gens);
RelaxedR1CSInstance {
comm_W,
comm_E,
u: G::Scalar::zero(),
X: vec![G::Scalar::zero(); S.num_io],
Y_last: vec![G::Scalar::zero(); S.num_io / 2],
counter: 0,
}
}
/// Folds an incoming R1CSInstance into the current one
/// Folds an incoming RelaxedR1CSInstance into the current one
pub fn fold(
&self,
U2: &R1CSInstance<G>,
comm_T: &CompressedCommitment<G::CompressedGroupElement>,
r: &G::Scalar,
) -> Result<R1CSInstance<G>, NovaError> {
) -> Result<RelaxedR1CSInstance<G>, NovaError> {
let comm_T_unwrapped = comm_T.decompress()?;
let (X1, u1, comm_W_1, comm_E_1) =
(&self.X, &self.u, &self.comm_W.clone(), &self.comm_E.clone());
let (X2, u2, comm_W_2, comm_E_2) = (&U2.X, &U2.u, &U2.comm_W, &U2.comm_E);
let (X2, comm_W_2) = (&U2.X, &U2.comm_W);
// check if the input of the incoming instance matches the output
// of the incremental computation thus far if counter > 0
if self.counter > 0 {
if self.Y_last.len() != U2.X.len() / 2 {
return Err(NovaError::InvalidInputLength);
}
for i in 0..self.Y_last.len() {
if self.Y_last[i] != U2.X[i] {
return Err(NovaError::InvalidInputLength);
}
}
}
// weighted sum of X
// weighted sum of X, comm_W, comm_E, and u
let X = X1
.par_iter()
.zip(X2)
.map(|(a, b)| *a + *r * *b)
.collect::<Vec<G::Scalar>>();
let comm_W = comm_W_1 + comm_W_2 * r;
let comm_E = *comm_E_1 + comm_T_unwrapped * *r + comm_E_2 * r * *r;
let u = *u1 + *r * *u2;
let comm_E = *comm_E_1 + comm_T_unwrapped * *r;
let u = *u1 + *r;
Ok(R1CSInstance {
Ok(RelaxedR1CSInstance {
comm_W,
comm_E,
X,
u,
Y_last: U2.X[U2.X.len() / 2..].to_owned(),
counter: self.counter + 1,
})
}
}

+ 1
- 1
src/traits.rs
View File

@ -72,7 +72,7 @@ pub trait Group:
/// Compresses the group element
fn compress(&self) -> Self::CompressedGroupElement;
/// Attempts to create a group element from a sequence of bytes,
/// Attempts to create a group element from a sequence of bytes,
/// failing with a `None` if the supplied bytes do not encode the group element
fn from_uniform_bytes(bytes: &[u8]) -> Option<Self>;
}

Write Preview
Loading…
Cancel
Save