arnaucube/Nova
1
0
Fork 0
mirror of https://github.com/arnaucube/Nova.git synced 2026-01-11 08:31:29 +01:00
Code Issues Projects Releases Wiki Activity

This commit introduces the following changes:

Browse Source 
* Separate types for Relaxed R1CS and R1CS instances and witnesses
* Allows creating default values for Relaxed R1CS types
* StepSNARK now folds a regular R1CS instance-witness into a running Relaxed R1CS instance-witness
* We additionally enforce input chaining checks: the incoming instance must have input that matches the output of the incremental computation thus far
This commit is contained in:
Srinath Setty
2021-10-04 14:55:16 -07:00
parent de5b8d6598
commit 61ef5fc0b1
4 changed files with 262 additions and 133 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/errors.rs
View File

@@ -6,6 +6,8 @@ use core::fmt::Debug;
pub enum NovaError { pub enum NovaError {
/// returned if the supplied row or col in (row,col,val) tuple is out of range /// returned if the supplied row or col in (row,col,val) tuple is out of range
InvalidIndex, InvalidIndex,
/// returned if the supplied input is not even-sized
OddInputLength,
/// returned if the supplied input is not of the right length /// returned if the supplied input is not of the right length
InvalidInputLength, InvalidInputLength,
/// returned if the supplied witness is not of the right length /// returned if the supplied witness is not of the right length

184
src/lib.rs
View File

@@ -15,7 +15,9 @@ use std::marker::PhantomData;
use commitments::{AppendToTranscriptTrait, CompressedCommitment}; use commitments::{AppendToTranscriptTrait, CompressedCommitment};
use errors::NovaError; use errors::NovaError;
use merlin::Transcript; use merlin::Transcript;
use r1cs::{R1CSGens, R1CSInstance, R1CSShape, R1CSWitness}; use r1cs::{
R1CSGens, R1CSInstance, R1CSShape, R1CSWitness, RelaxedR1CSInstance, RelaxedR1CSWitness,
};
use traits::{ChallengeTrait, Group}; use traits::{ChallengeTrait, Group};
/// A SNARK that holds the proof of a step of an incremental computation /// A SNARK that holds the proof of a step of an incremental computation
@@ -29,20 +31,27 @@ impl<G: Group> StepSNARK<G> {
b"NovaStepSNARK" b"NovaStepSNARK"
} }
/// Takes as input two relaxed R1CS instance-witness tuples `(U1, W1)` and `(U2, W2)` /// Takes as input a Relaxed R1CS instance-witness tuple `(U1, W1)` and
/// with the same structure `shape` and defined with respect to the same `gens`, /// an R1CS instance-witness tuple `(U2, W2)` with the same structure `shape`
/// and outputs a folded instance-witness tuple `(U, W)` of the same shape `shape`, /// and defined with respect to the same `gens`, and outputs
/// a folded Relaxed R1CS instance-witness tuple `(U, W)` of the same shape `shape`,
/// with the guarantee that the folded witness `W` satisfies the folded instance `U` /// with the guarantee that the folded witness `W` satisfies the folded instance `U`
/// if and only if `W1` satisfies `U1` and `W2` satisfies `U2`. /// if and only if `W1` satisfies `U1` and `W2` satisfies `U2`.
pub fn prove( pub fn prove(
gens: &R1CSGens<G>, gens: &R1CSGens<G>,
S: &R1CSShape<G>, S: &R1CSShape<G>,
U1: &R1CSInstance<G>, U1: &RelaxedR1CSInstance<G>,
W1: &R1CSWitness<G>, W1: &RelaxedR1CSWitness<G>,
U2: &R1CSInstance<G>, U2: &R1CSInstance<G>,
W2: &R1CSWitness<G>, W2: &R1CSWitness<G>,
transcript: &mut Transcript, transcript: &mut Transcript,
) -> Result<(StepSNARK<G>, (R1CSInstance<G>, R1CSWitness<G>)), NovaError> { ) -> Result<
(
StepSNARK<G>,
(RelaxedR1CSInstance<G>, RelaxedR1CSWitness<G>),
),
NovaError,
> {
// append the protocol name to the transcript // append the protocol name to the transcript
//transcript.append_protocol_name(StepSNARK::protocol_name()); //transcript.append_protocol_name(StepSNARK::protocol_name());
transcript.append_message(b"protocol-name", StepSNARK::<G>::protocol_name()); transcript.append_message(b"protocol-name", StepSNARK::<G>::protocol_name());
@@ -72,17 +81,17 @@ impl<G: Group> StepSNARK<G> {
)) ))
} }
/// Takes as input two relaxed R1CS instances `U1` and `U2` /// Takes as input a relaxed R1CS instance `U1` and and R1CS instance `U2`
/// with the same shape and defined with respect to the same parameters, /// with the same shape and defined with respect to the same parameters,
/// and outputs a folded instance `U` with the same shape, /// and outputs a folded instance `U` with the same shape,
/// with the guarantee that the folded instance `U` /// with the guarantee that the folded instance `U`
/// if and only if `U1` and `U2` are satisfiable. /// if and only if `U1` and `U2` are satisfiable.
pub fn verify( pub fn verify(
&self, &self,
U1: &R1CSInstance<G>, U1: &RelaxedR1CSInstance<G>,
U2: &R1CSInstance<G>, U2: &R1CSInstance<G>,
transcript: &mut Transcript, transcript: &mut Transcript,
) -> Result<R1CSInstance<G>, NovaError> { ) -> Result<RelaxedR1CSInstance<G>, NovaError> {
// append the protocol name to the transcript // append the protocol name to the transcript
transcript.append_message(b"protocol-name", StepSNARK::<G>::protocol_name()); transcript.append_message(b"protocol-name", StepSNARK::<G>::protocol_name());
@@ -102,12 +111,12 @@ impl<G: Group> StepSNARK<G> {
/// A SNARK that holds the proof of the final step of an incremental computation /// A SNARK that holds the proof of the final step of an incremental computation
pub struct FinalSNARK<G: Group> { pub struct FinalSNARK<G: Group> {
W: R1CSWitness<G>, W: RelaxedR1CSWitness<G>,
} }
impl<G: Group> FinalSNARK<G> { impl<G: Group> FinalSNARK<G> {
/// Produces a proof of a instance given its satisfying witness `W`. /// Produces a proof of a instance given its satisfying witness `W`.
pub fn prove(W: &R1CSWitness<G>) -> Result<FinalSNARK<G>, NovaError> { pub fn prove(W: &RelaxedR1CSWitness<G>) -> Result<FinalSNARK<G>, NovaError> {
Ok(FinalSNARK { W: W.clone() }) Ok(FinalSNARK { W: W.clone() })
} }
@@ -116,10 +125,10 @@ impl<G: Group> FinalSNARK<G> {
&self, &self,
gens: &R1CSGens<G>, gens: &R1CSGens<G>,
S: &R1CSShape<G>, S: &R1CSShape<G>,
U: &R1CSInstance<G>, U: &RelaxedR1CSInstance<G>,
) -> Result<(), NovaError> { ) -> Result<(), NovaError> {
// check that the witness is a valid witness to the folded instance `U` // check that the witness is a valid witness to the folded instance `U`
S.is_sat(gens, U, &self.W) S.is_sat_relaxed(gens, U, &self.W)
} }
} }
@@ -135,16 +144,17 @@ mod tests {
#[test] #[test]
fn test_tiny_r1cs() { fn test_tiny_r1cs() {
let one = S::one(); let one = S::one();
let (num_cons, num_vars, num_inputs, A, B, C) = { let (num_cons, num_vars, num_io, A, B, C) = {
let num_cons = 4; let num_cons = 4;
let num_vars = 4; let num_vars = 4;
let num_inputs = 1; let num_io = 2;
// Consider a cubic equation: `x^3 + x + 5 = y`, where `x` and `y` are respectively the input and output.
// The R1CS for this problem consists of the following constraints: // The R1CS for this problem consists of the following constraints:
// `Z0 * Z0 - Z1 = 0` // `I0 * I0 - Z0 = 0`
// `Z1 * Z0 - Z2 = 0` // `Z0 * I0 - Z1 = 0`
// `(Z2 + Z0) * 1 - Z3 = 0` // `(Z1 + I0) * 1 - Z2 = 0`
// `(Z3 + 5) * 1 - I0 = 0` // `(Z2 + 5) * 1 - I1 = 0`
// Relaxed R1CS is a set of three sparse matrices (A B C), where there is a row for every // Relaxed R1CS is a set of three sparse matrices (A B C), where there is a row for every
// constraint and a column for every entry in z = (vars, u, inputs) // constraint and a column for every entry in z = (vars, u, inputs)
@@ -155,33 +165,37 @@ mod tests {
let mut C: Vec<(usize, usize, S)> = Vec::new(); let mut C: Vec<(usize, usize, S)> = Vec::new();
// constraint 0 entries in (A,B,C) // constraint 0 entries in (A,B,C)
A.push((0, 0, one)); // `I0 * I0 - Z0 = 0`
B.push((0, 0, one)); A.push((0, num_vars + 1, one));
C.push((0, 1, one)); B.push((0, num_vars + 1, one));
C.push((0, 0, one));
// constraint 1 entries in (A,B,C) // constraint 1 entries in (A,B,C)
A.push((1, 1, one)); // `Z0 * I0 - Z1 = 0`
B.push((1, 0, one)); A.push((1, 0, one));
C.push((1, 2, one)); B.push((1, num_vars + 1, one));
C.push((1, 1, one));
// constraint 2 entries in (A,B,C) // constraint 2 entries in (A,B,C)
A.push((2, 2, one)); // `(Z1 + I0) * 1 - Z2 = 0`
A.push((2, 0, one)); A.push((2, 1, one));
A.push((2, num_vars + 1, one));
B.push((2, num_vars, one)); B.push((2, num_vars, one));
C.push((2, 3, one)); C.push((2, 2, one));
// constraint 3 entries in (A,B,C) // constraint 3 entries in (A,B,C)
A.push((3, 3, one)); // `(Z2 + 5) * 1 - I1 = 0`
A.push((3, 2, one));
A.push((3, num_vars, one + one + one + one + one)); A.push((3, num_vars, one + one + one + one + one));
B.push((3, num_vars, one)); B.push((3, num_vars, one));
C.push((3, num_vars + 1, one)); C.push((3, num_vars + 2, one));
(num_cons, num_vars, num_inputs, A, B, C) (num_cons, num_vars, num_io, A, B, C)
}; };
// create a shape object // create a shape object
let S = { let S = {
let res = R1CSShape::new(num_cons, num_vars, num_inputs, &A, &B, &C); let res = R1CSShape::new(num_cons, num_vars, num_io, &A, &B, &C);
assert!(res.is_ok()); assert!(res.is_ok());
res.unwrap() res.unwrap()
}; };
@@ -189,64 +203,90 @@ mod tests {
// generate generators // generate generators
let gens = R1CSGens::new(num_cons, num_vars); let gens = R1CSGens::new(num_cons, num_vars);
let rand_inst_witness_generator = |gens: &R1CSGens<G>| -> (R1CSInstance<G>, R1CSWitness<G>) { let rand_inst_witness_generator =
// compute a satisfying (vars, X) tuple |gens: &R1CSGens<G>, I: &S| -> (S, R1CSInstance<G>, R1CSWitness<G>) {
let (vars, X) = { let i0 = I.clone();
let mut csprng: OsRng = OsRng;
let z0 = S::random(&mut csprng);
let z1 = z0 * z0; // constraint 0
let z2 = z1 * z0; // constraint 1
let z3 = z2 + z0; // constraint 2
let i0 = z3 + one + one + one + one + one; // constraint 3
let vars = vec![z0, z1, z2, z3]; // compute a satisfying (vars, X) tuple
let X = vec![i0]; let (O, vars, X) = {
(vars, X) let z0 = i0 * i0; // constraint 0
let z1 = i0 * z0; // constraint 1
let z2 = z1 + i0; // constraint 2
let i1 = z2 + one + one + one + one + one; // constraint 3
// store the witness and IO for the instance
let W = vec![z0, z1, z2, S::zero()];
let X = vec![i0, i1];
(i1, W, X)
};
let W = {
let res = R1CSWitness::new(&S, &vars);
assert!(res.is_ok());
res.unwrap()
};
let U = {
let comm_W = W.commit(&gens);
let res = R1CSInstance::new(&S, &comm_W, &X);
assert!(res.is_ok());
res.unwrap()
};
// check that generated instance is satisfiable
assert!(S.is_sat(&gens, &U, &W).is_ok());
(O, U, W)
}; };
let W = { let mut csprng: OsRng = OsRng;
let E = vec![S::zero(); num_cons]; // default E let I = S::random(&mut csprng); // the first input is picked randomly for the first instance
let res = R1CSWitness::new(&S, &vars, &E); let (O, U1, W1) = rand_inst_witness_generator(&gens, &I);
assert!(res.is_ok()); let (_O, U2, W2) = rand_inst_witness_generator(&gens, &O);
res.unwrap()
};
let U = {
let (comm_W, comm_E) = W.commit(&gens);
let u = S::one(); //default u
let res = R1CSInstance::new(&S, &comm_W, &comm_E, &X, &u);
assert!(res.is_ok());
res.unwrap()
};
// check that generated instance is satisfiable // produce a default running instance
let is_sat = S.is_sat(&gens, &U, &W); let mut r_W = RelaxedR1CSWitness::default(&S);
assert!(is_sat.is_ok()); let mut r_U = RelaxedR1CSInstance::default(&gens, &S);
(U, W)
};
let (U1, W1) = rand_inst_witness_generator(&gens); // produce a step SNARK with (W1, U1) as the first incoming witness-instance pair
let (U2, W2) = rand_inst_witness_generator(&gens);
// produce a step SNARK
let mut prover_transcript = Transcript::new(b"StepSNARKExample"); let mut prover_transcript = Transcript::new(b"StepSNARKExample");
let res = StepSNARK::prove(&gens, &S, &U1, &W1, &U2, &W2, &mut prover_transcript); let res = StepSNARK::prove(&gens, &S, &r_U, &r_W, &U1, &W1, &mut prover_transcript);
assert!(res.is_ok()); assert!(res.is_ok());
let (step_snark, (_U, W)) = res.unwrap(); let (step_snark, (_U, W)) = res.unwrap();
// verify the step SNARK // verify the step SNARK with U1 as the first incoming instance
let mut verifier_transcript = Transcript::new(b"StepSNARKExample"); let mut verifier_transcript = Transcript::new(b"StepSNARKExample");
let res = step_snark.verify(&U1, &U2, &mut verifier_transcript); let res = step_snark.verify(&r_U, &U1, &mut verifier_transcript);
assert!(res.is_ok()); assert!(res.is_ok());
let U = res.unwrap(); let U = res.unwrap();
assert_eq!(U, _U); assert_eq!(U, _U);
// update the running witness and instance
r_W = W;
r_U = U;
// produce a step SNARK with (W2, U2) as the second incoming witness-instance pair
let res = StepSNARK::prove(&gens, &S, &r_U, &r_W, &U2, &W2, &mut prover_transcript);
assert!(res.is_ok());
let (step_snark, (_U, W)) = res.unwrap();
// verify the step SNARK with U1 as the first incoming instance
let res = step_snark.verify(&r_U, &U2, &mut verifier_transcript);
assert!(res.is_ok());
let U = res.unwrap();
assert_eq!(U, _U);
// update the running witness and instance
r_W = W;
r_U = U;
// produce a final SNARK // produce a final SNARK
let res = FinalSNARK::prove(&W); let res = FinalSNARK::prove(&r_W);
assert!(res.is_ok()); assert!(res.is_ok());
let final_snark = res.unwrap(); let final_snark = res.unwrap();
// verify the final SNARK // verify the final SNARK
let res = final_snark.verify(&gens, &S, &U); let res = final_snark.verify(&gens, &S, &r_U);
assert!(res.is_ok()); assert!(res.is_ok());
} }
} }

207
src/r1cs.rs
View File

@@ -1,4 +1,4 @@
//! This module defines R1CS related types and a folding scheme for (relaxed) R1CS //! This module defines R1CS related types and a folding scheme for Relaxed R1CS
#![allow(clippy::type_complexity)] #![allow(clippy::type_complexity)]
use super::commitments::{CommitGens, CommitTrait, Commitment, CompressedCommitment}; use super::commitments::{CommitGens, CommitTrait, Commitment, CompressedCommitment};
use super::errors::NovaError; use super::errors::NovaError;
@@ -17,7 +17,7 @@ pub struct R1CSGens<G: Group> {
pub struct R1CSShape<G: Group> { pub struct R1CSShape<G: Group> {
num_cons: usize, num_cons: usize,
num_vars: usize, num_vars: usize,
num_inputs: usize, num_io: usize,
A: Vec<(usize, usize, G::Scalar)>, A: Vec<(usize, usize, G::Scalar)>,
B: Vec<(usize, usize, G::Scalar)>, B: Vec<(usize, usize, G::Scalar)>,
C: Vec<(usize, usize, G::Scalar)>, C: Vec<(usize, usize, G::Scalar)>,
@@ -27,16 +27,31 @@ pub struct R1CSShape<G: Group> {
#[derive(Clone, Debug)] #[derive(Clone, Debug)]
pub struct R1CSWitness<G: Group> { pub struct R1CSWitness<G: Group> {
W: Vec<G::Scalar>, W: Vec<G::Scalar>,
E: Vec<G::Scalar>,
} }
/// A type that holds an R1CS instance /// A type that holds an R1CS instance
#[derive(Clone, Debug, PartialEq, Eq)] #[derive(Clone, Debug, PartialEq, Eq)]
pub struct R1CSInstance<G: Group> { pub struct R1CSInstance<G: Group> {
comm_W: Commitment<G>,
X: Vec<G::Scalar>,
}
/// A type that holds a witness for a given Relaxed R1CS instance
#[derive(Clone, Debug)]
pub struct RelaxedR1CSWitness<G: Group> {
W: Vec<G::Scalar>,
E: Vec<G::Scalar>,
}
/// A type that holds a Relaxed R1CS instance
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct RelaxedR1CSInstance<G: Group> {
comm_W: Commitment<G>, comm_W: Commitment<G>,
comm_E: Commitment<G>, comm_E: Commitment<G>,
X: Vec<G::Scalar>, X: Vec<G::Scalar>,
u: G::Scalar, u: G::Scalar,
Y_last: Vec<G::Scalar>, // output of the last instance that was folded
counter: usize, // the number of folds thus far
} }
impl<G: Group> R1CSGens<G> { impl<G: Group> R1CSGens<G> {
@@ -57,7 +72,7 @@ impl<G: Group> R1CSShape<G> {
pub fn new( pub fn new(
num_cons: usize, num_cons: usize,
num_vars: usize, num_vars: usize,
num_inputs: usize, num_io: usize,
A: &[(usize, usize, G::Scalar)], A: &[(usize, usize, G::Scalar)],
B: &[(usize, usize, G::Scalar)], B: &[(usize, usize, G::Scalar)],
C: &[(usize, usize, G::Scalar)], C: &[(usize, usize, G::Scalar)],
@@ -85,18 +100,23 @@ impl<G: Group> R1CSShape<G> {
} }
}; };
let res_A = is_valid(num_cons, num_vars, num_inputs, A); let res_A = is_valid(num_cons, num_vars, num_io, A);
let res_B = is_valid(num_cons, num_vars, num_inputs, B); let res_B = is_valid(num_cons, num_vars, num_io, B);
let res_C = is_valid(num_cons, num_vars, num_inputs, C); let res_C = is_valid(num_cons, num_vars, num_io, C);
if res_A.is_err() || res_B.is_err() || res_C.is_err() { if res_A.is_err() || res_B.is_err() || res_C.is_err() {
return Err(NovaError::InvalidIndex); return Err(NovaError::InvalidIndex);
} }
// We require the number of public inputs/outputs to be even
if num_io % 2 != 0 {
return Err(NovaError::OddInputLength);
}
let shape = R1CSShape { let shape = R1CSShape {
num_cons, num_cons,
num_vars, num_vars,
num_inputs, num_io,
A: A.to_owned(), A: A.to_owned(),
B: B.to_owned(), B: B.to_owned(),
C: C.to_owned(), C: C.to_owned(),
@@ -109,7 +129,7 @@ impl<G: Group> R1CSShape<G> {
&self, &self,
z: &[G::Scalar], z: &[G::Scalar],
) -> Result<(Vec<G::Scalar>, Vec<G::Scalar>, Vec<G::Scalar>), NovaError> { ) -> Result<(Vec<G::Scalar>, Vec<G::Scalar>, Vec<G::Scalar>), NovaError> {
if z.len() != self.num_inputs + self.num_vars + 1 { if z.len() != self.num_io + self.num_vars + 1 {
return Err(NovaError::InvalidWitnessLength); return Err(NovaError::InvalidWitnessLength);
} }
@@ -136,16 +156,16 @@ impl<G: Group> R1CSShape<G> {
Ok((Az, Bz, Cz)) Ok((Az, Bz, Cz))
} }
/// Checks if the R1CS instance is satisfiable given a witness and its shape /// Checks if the Relaxed R1CS instance is satisfiable given a witness and its shape
pub fn is_sat( pub fn is_sat_relaxed(
&self, &self,
gens: &R1CSGens<G>, gens: &R1CSGens<G>,
U: &R1CSInstance<G>, U: &RelaxedR1CSInstance<G>,
W: &R1CSWitness<G>, W: &RelaxedR1CSWitness<G>,
) -> Result<(), NovaError> { ) -> Result<(), NovaError> {
assert_eq!(W.W.len(), self.num_vars); assert_eq!(W.W.len(), self.num_vars);
assert_eq!(W.E.len(), self.num_cons); assert_eq!(W.E.len(), self.num_cons);
assert_eq!(U.X.len(), self.num_inputs); assert_eq!(U.X.len(), self.num_io);
// verify if Az * Bz = u*Cz + E // verify if Az * Bz = u*Cz + E
let res_eq: bool = { let res_eq: bool = {
@@ -183,12 +203,48 @@ impl<G: Group> R1CSShape<G> {
} }
} }
/// A method to compute a commitment to the cross-term `T` given two R1CS instance-witness pairs /// Checks if the R1CS instance is satisfiable given a witness and its shape
pub fn is_sat(
&self,
gens: &R1CSGens<G>,
U: &R1CSInstance<G>,
W: &R1CSWitness<G>,
) -> Result<(), NovaError> {
assert_eq!(W.W.len(), self.num_vars);
assert_eq!(U.X.len(), self.num_io);
// verify if Az * Bz = u*Cz
let res_eq: bool = {
let z = concat(vec![W.W.clone(), vec![G::Scalar::one()], U.X.clone()]);
let (Az, Bz, Cz) = self.multiply_vec(&z)?;
assert_eq!(Az.len(), self.num_cons);
assert_eq!(Bz.len(), self.num_cons);
assert_eq!(Cz.len(), self.num_cons);
let res: usize = (0..self.num_cons)
.map(|i| if Az[i] * Bz[i] == Cz[i] { 0 } else { 1 })
.sum();
res == 0
};
// verify if comm_W is a commitment to W
let res_comm: bool = U.comm_W == W.W.commit(&gens.gens_W);
if res_eq && res_comm {
Ok(())
} else {
Err(NovaError::UnSat)
}
}
/// A method to compute a commitment to the cross-term `T` given a
/// Relaxed R1CS instance-witness pair and an R1CS instance-witness pair
pub fn commit_T( pub fn commit_T(
&self, &self,
gens: &R1CSGens<G>, gens: &R1CSGens<G>,
U1: &R1CSInstance<G>, U1: &RelaxedR1CSInstance<G>,
W1: &R1CSWitness<G>, W1: &RelaxedR1CSWitness<G>,
U2: &R1CSInstance<G>, U2: &R1CSInstance<G>,
W2: &R1CSWitness<G>, W2: &R1CSWitness<G>,
) -> Result< ) -> Result<
@@ -204,7 +260,7 @@ impl<G: Group> R1CSShape<G> {
}; };
let (AZ_2, BZ_2, CZ_2) = { let (AZ_2, BZ_2, CZ_2) = {
let Z2 = concat(vec![W2.W.clone(), vec![U2.u], U2.X.clone()]); let Z2 = concat(vec![W2.W.clone(), vec![G::Scalar::one()], U2.X.clone()]);
self.multiply_vec(&Z2)? self.multiply_vec(&Z2)?
}; };
@@ -217,9 +273,7 @@ impl<G: Group> R1CSShape<G> {
let u_1_cdot_CZ_2 = (0..CZ_2.len()) let u_1_cdot_CZ_2 = (0..CZ_2.len())
.map(|i| U1.u * CZ_2[i]) .map(|i| U1.u * CZ_2[i])
.collect::<Vec<G::Scalar>>(); .collect::<Vec<G::Scalar>>();
let u_2_cdot_CZ_1 = (0..CZ_1.len()) let u_2_cdot_CZ_1 = (0..CZ_1.len()).map(|i| CZ_1[i]).collect::<Vec<G::Scalar>>();
.map(|i| U2.u * CZ_1[i])
.collect::<Vec<G::Scalar>>();
let T = AZ_1_circ_BZ_2 let T = AZ_1_circ_BZ_2
.par_iter() .par_iter()
@@ -237,20 +291,46 @@ impl<G: Group> R1CSShape<G> {
impl<G: Group> R1CSWitness<G> { impl<G: Group> R1CSWitness<G> {
/// A method to create a witness object using a vector of scalars /// A method to create a witness object using a vector of scalars
pub fn new( pub fn new(S: &R1CSShape<G>, W: &[G::Scalar]) -> Result<R1CSWitness<G>, NovaError> {
S: &R1CSShape<G>, if S.num_vars != W.len() {
W: &[G::Scalar],
E: &[G::Scalar],
) -> Result<R1CSWitness<G>, NovaError> {
if S.num_vars != W.len() || S.num_cons != E.len() {
Err(NovaError::InvalidWitnessLength) Err(NovaError::InvalidWitnessLength)
} else { } else {
Ok(R1CSWitness { Ok(R1CSWitness { W: W.to_owned() })
W: W.to_owned(), }
E: E.to_owned(), }
/// Commits to the witness using the supplied generators
pub fn commit(&self, gens: &R1CSGens<G>) -> Commitment<G> {
self.W.commit(&gens.gens_W)
}
}
impl<G: Group> R1CSInstance<G> {
/// A method to create an instance object using consitituent elements
pub fn new(
S: &R1CSShape<G>,
comm_W: &Commitment<G>,
X: &[G::Scalar],
) -> Result<R1CSInstance<G>, NovaError> {
if S.num_io != X.len() {
Err(NovaError::InvalidInputLength)
} else {
Ok(R1CSInstance {
comm_W: *comm_W,
X: X.to_owned(),
}) })
} }
} }
}
impl<G: Group> RelaxedR1CSWitness<G> {
/// Produces a default RelaxedR1CSWitness given an R1CSShape
pub fn default(S: &R1CSShape<G>) -> RelaxedR1CSWitness<G> {
RelaxedR1CSWitness {
W: vec![G::Scalar::zero(); S.num_vars],
E: vec![G::Scalar::zero(); S.num_cons],
}
}
/// Commits to the witness using the supplied generators /// Commits to the witness using the supplied generators
pub fn commit(&self, gens: &R1CSGens<G>) -> (Commitment<G>, Commitment<G>) { pub fn commit(&self, gens: &R1CSGens<G>) -> (Commitment<G>, Commitment<G>) {
@@ -263,9 +343,9 @@ impl<G: Group> R1CSWitness<G> {
W2: &R1CSWitness<G>, W2: &R1CSWitness<G>,
T: &[G::Scalar], T: &[G::Scalar],
r: &G::Scalar, r: &G::Scalar,
) -> Result<R1CSWitness<G>, NovaError> { ) -> Result<RelaxedR1CSWitness<G>, NovaError> {
let (W1, E1) = (&self.W, &self.E); let (W1, E1) = (&self.W, &self.E);
let (W2, E2) = (&W2.W, &W2.E); let W2 = &W2.W;
if W1.len() != W2.len() { if W1.len() != W2.len() {
return Err(NovaError::InvalidWitnessLength); return Err(NovaError::InvalidWitnessLength);
@@ -279,61 +359,68 @@ impl<G: Group> R1CSWitness<G> {
let E = E1 let E = E1
.par_iter() .par_iter()
.zip(T) .zip(T)
.zip(E2) .map(|(a, b)| *a + *r * *b)
.map(|((a, b), c)| *a + *r * *b + *r * *r * *c)
.collect::<Vec<G::Scalar>>(); .collect::<Vec<G::Scalar>>();
Ok(R1CSWitness { W, E }) Ok(RelaxedR1CSWitness { W, E })
} }
} }
impl<G: Group> R1CSInstance<G> { impl<G: Group> RelaxedR1CSInstance<G> {
/// A method to create an instance object using consitituent elements /// Produces a default RelaxedR1CSInstance given R1CSGens and R1CSShape
pub fn new( pub fn default(gens: &R1CSGens<G>, S: &R1CSShape<G>) -> RelaxedR1CSInstance<G> {
S: &R1CSShape<G>, let (comm_W, comm_E) = RelaxedR1CSWitness::default(S).commit(gens);
comm_W: &Commitment<G>, RelaxedR1CSInstance {
comm_E: &Commitment<G>, comm_W,
X: &[G::Scalar], comm_E,
u: &G::Scalar, u: G::Scalar::zero(),
) -> Result<R1CSInstance<G>, NovaError> { X: vec![G::Scalar::zero(); S.num_io],
if S.num_inputs != X.len() { Y_last: vec![G::Scalar::zero(); S.num_io / 2],
Err(NovaError::InvalidInputLength) counter: 0,
} else {
Ok(R1CSInstance {
comm_W: *comm_W,
comm_E: *comm_E,
X: X.to_owned(),
u: *u,
})
} }
} }
/// Folds an incoming R1CSInstance into the current one /// Folds an incoming RelaxedR1CSInstance into the current one
pub fn fold( pub fn fold(
&self, &self,
U2: &R1CSInstance<G>, U2: &R1CSInstance<G>,
comm_T: &CompressedCommitment<G::CompressedGroupElement>, comm_T: &CompressedCommitment<G::CompressedGroupElement>,
r: &G::Scalar, r: &G::Scalar,
) -> Result<R1CSInstance<G>, NovaError> { ) -> Result<RelaxedR1CSInstance<G>, NovaError> {
let comm_T_unwrapped = comm_T.decompress()?; let comm_T_unwrapped = comm_T.decompress()?;
let (X1, u1, comm_W_1, comm_E_1) = let (X1, u1, comm_W_1, comm_E_1) =
(&self.X, &self.u, &self.comm_W.clone(), &self.comm_E.clone()); (&self.X, &self.u, &self.comm_W.clone(), &self.comm_E.clone());
let (X2, u2, comm_W_2, comm_E_2) = (&U2.X, &U2.u, &U2.comm_W, &U2.comm_E); let (X2, comm_W_2) = (&U2.X, &U2.comm_W);
// weighted sum of X // check if the input of the incoming instance matches the output
// of the incremental computation thus far if counter > 0
if self.counter > 0 {
if self.Y_last.len() != U2.X.len() / 2 {
return Err(NovaError::InvalidInputLength);
}
for i in 0..self.Y_last.len() {
if self.Y_last[i] != U2.X[i] {
return Err(NovaError::InvalidInputLength);
}
}
}
// weighted sum of X, comm_W, comm_E, and u
let X = X1 let X = X1
.par_iter() .par_iter()
.zip(X2) .zip(X2)
.map(|(a, b)| *a + *r * *b) .map(|(a, b)| *a + *r * *b)
.collect::<Vec<G::Scalar>>(); .collect::<Vec<G::Scalar>>();
let comm_W = comm_W_1 + comm_W_2 * r; let comm_W = comm_W_1 + comm_W_2 * r;
let comm_E = *comm_E_1 + comm_T_unwrapped * *r + comm_E_2 * r * *r; let comm_E = *comm_E_1 + comm_T_unwrapped * *r;
let u = *u1 + *r * *u2; let u = *u1 + *r;
Ok(R1CSInstance { Ok(RelaxedR1CSInstance {
comm_W, comm_W,
comm_E, comm_E,
X, X,
u, u,
Y_last: U2.X[U2.X.len() / 2..].to_owned(),
counter: self.counter + 1,
}) })
} }
} }

2
src/traits.rs
View File

@@ -72,7 +72,7 @@ pub trait Group:
/// Compresses the group element /// Compresses the group element
fn compress(&self) -> Self::CompressedGroupElement; fn compress(&self) -> Self::CompressedGroupElement;
/// Attempts to create a group element from a sequence of bytes, /// Attempts to create a group element from a sequence of bytes,
/// failing with a `None` if the supplied bytes do not encode the group element /// failing with a `None` if the supplied bytes do not encode the group element
fn from_uniform_bytes(bytes: &[u8]) -> Option<Self>; fn from_uniform_bytes(bytes: &[u8]) -> Option<Self>;
} }