arnaucube
/
ark-r1cs-std-cherry-picked
mirror of https://github.com/arnaucube/ark-r1cs-std-cherry-picked.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Refactor `bit` variables in `r1cs-std`

master
Pratyush Mishra 4 years ago
parent
ecee4d7059
commit
7b0f71a10e
6 changed files with 1477 additions and 2908 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +821
    -1517
      r1cs-std/src/bits/boolean.rs
  2. +34
    -71
      r1cs-std/src/bits/mod.rs
  3. +504
    -0
      r1cs-std/src/bits/uint.rs
  4. +0
    -538
      r1cs-std/src/bits/uint32.rs
  5. +0
    -583
      r1cs-std/src/bits/uint64.rs
  6. +118
    -199
      r1cs-std/src/bits/uint8.rs

+ 821
- 1517
r1cs-std/src/bits/boolean.rs
File diff suppressed because it is too large
View File


+ 34
- 71
r1cs-std/src/bits/mod.rs
View File

@ -3,75 +3,58 @@ use crate::{
Vec,
};
use algebra::Field;
use r1cs_core::{ConstraintSystem, SynthesisError};
use r1cs_core::SynthesisError;
pub mod boolean;
pub mod uint32;
pub mod uint64;
pub mod uint8;
#[macro_use]
pub mod uint;
pub trait ToBitsGadget<ConstraintF: Field> {
make_uint!(UInt16, 16, u16, uint16);
make_uint!(UInt32, 32, u32, uint32);
make_uint!(UInt64, 64, u64, uint64);
pub trait ToBitsGadget<F: Field> {
/// Outputs the canonical bit-wise representation of `self`.
///
/// This is the correct default for 99% of use cases.
fn to_bits<CS: ConstraintSystem<ConstraintF>>(
&self,
cs: CS,
) -> Result<Vec<Boolean>, SynthesisError>;
fn to_bits(&self) -> Result<Vec<Boolean<F>>, SynthesisError>;
/// Outputs a possibly non-unique bit-wise representation of `self`.
///
/// If you're not absolutely certain that your usecase can get away with a
/// non-canonical representation, please use `self.to_bits(cs)` instead.
fn to_non_unique_bits<CS: ConstraintSystem<ConstraintF>>(
&self,
cs: CS,
) -> Result<Vec<Boolean>, SynthesisError> {
self.to_bits(cs)
fn to_non_unique_bits(&self) -> Result<Vec<Boolean<F>>, SynthesisError> {
self.to_bits()
}
}
impl<ConstraintF: Field> ToBitsGadget<ConstraintF> for Boolean {
fn to_bits<CS: ConstraintSystem<ConstraintF>>(
&self,
_: CS,
) -> Result<Vec<Boolean>, SynthesisError> {
impl<F: Field> ToBitsGadget<F> for Boolean<F> {
fn to_bits(&self) -> Result<Vec<Boolean<F>>, SynthesisError> {
Ok(vec![self.clone()])
}
}
impl<ConstraintF: Field> ToBitsGadget<ConstraintF> for [Boolean] {
fn to_bits<CS: ConstraintSystem<ConstraintF>>(
&self,
_cs: CS,
) -> Result<Vec<Boolean>, SynthesisError> {
impl<F: Field> ToBitsGadget<F> for [Boolean<F>] {
fn to_bits(&self) -> Result<Vec<Boolean<F>>, SynthesisError> {
Ok(self.to_vec())
}
}
impl<ConstraintF: Field> ToBitsGadget<ConstraintF> for Vec<Boolean> {
fn to_bits<CS: ConstraintSystem<ConstraintF>>(
&self,
_cs: CS,
) -> Result<Vec<Boolean>, SynthesisError> {
impl<F: Field> ToBitsGadget<F> for Vec<Boolean<F>> {
fn to_bits(&self) -> Result<Vec<Boolean<F>>, SynthesisError> {
Ok(self.clone())
}
}
impl<ConstraintF: Field> ToBitsGadget<ConstraintF> for UInt8 {
fn to_bits<CS: ConstraintSystem<ConstraintF>>(
&self,
_cs: CS,
) -> Result<Vec<Boolean>, SynthesisError> {
impl<F: Field> ToBitsGadget<F> for UInt8<F> {
fn to_bits(&self) -> Result<Vec<Boolean<F>>, SynthesisError> {
Ok(self.into_bits_le())
}
}
impl<ConstraintF: Field> ToBitsGadget<ConstraintF> for [UInt8] {
fn to_bits<CS: ConstraintSystem<ConstraintF>>(
&self,
_cs: CS,
) -> Result<Vec<Boolean>, SynthesisError> {
impl<F: Field> ToBitsGadget<F> for [UInt8<F>] {
fn to_bits(&self) -> Result<Vec<Boolean<F>>, SynthesisError> {
let mut result = Vec::with_capacity(&self.len() * 8);
for byte in self {
result.extend_from_slice(&byte.into_bits_le());
@ -80,11 +63,8 @@ impl ToBitsGadget for [UInt8] {
}
}
impl<ConstraintF: Field> ToBitsGadget<ConstraintF> for Vec<UInt8> {
fn to_bits<CS: ConstraintSystem<ConstraintF>>(
&self,
_cs: CS,
) -> Result<Vec<Boolean>, SynthesisError> {
impl<F: Field> ToBitsGadget<F> for Vec<UInt8<F>> {
fn to_bits(&self) -> Result<Vec<Boolean<F>>, SynthesisError> {
let mut result = Vec::with_capacity(&self.len() * 8);
for byte in self {
result.extend_from_slice(&byte.into_bits_le());
@ -93,52 +73,35 @@ impl ToBitsGadget for Vec {
}
}
pub trait ToBytesGadget<ConstraintF: Field> {
pub trait ToBytesGadget<F: Field> {
/// Outputs a canonical byte-wise representation of `self`.
///
/// This is the correct default for 99% of use cases.
fn to_bytes<CS: ConstraintSystem<ConstraintF>>(
&self,
cs: CS,
) -> Result<Vec<UInt8>, SynthesisError>;
fn to_bytes(&self) -> Result<Vec<UInt8<F>>, SynthesisError>;
/// Outputs a possibly non-unique byte decomposition of `self`.
///
/// If you're not absolutely certain that your usecase can get away with a
/// non-canonical representation, please use `self.to_bytes(cs)` instead.
fn to_non_unique_bytes<CS: ConstraintSystem<ConstraintF>>(
&self,
cs: CS,
) -> Result<Vec<UInt8>, SynthesisError> {
self.to_bytes(cs)
fn to_non_unique_bytes(&self) -> Result<Vec<UInt8<F>>, SynthesisError> {
self.to_bytes()
}
}
impl<ConstraintF: Field> ToBytesGadget<ConstraintF> for [UInt8] {
fn to_bytes<CS: ConstraintSystem<ConstraintF>>(
&self,
_cs: CS,
) -> Result<Vec<UInt8>, SynthesisError> {
impl<F: Field> ToBytesGadget<F> for [UInt8<F>] {
fn to_bytes(&self) -> Result<Vec<UInt8<F>>, SynthesisError> {
Ok(self.to_vec())
}
}
impl<'a, ConstraintF: Field, T: 'a + ToBytesGadget<ConstraintF>> ToBytesGadget<ConstraintF>
for &'a T
{
fn to_bytes<CS: ConstraintSystem<ConstraintF>>(
&self,
cs: CS,
) -> Result<Vec<UInt8>, SynthesisError> {
(*self).to_bytes(cs)
impl<'a, F: Field, T: 'a + ToBytesGadget<F>> ToBytesGadget<F> for &'a T {
fn to_bytes(&self) -> Result<Vec<UInt8<F>>, SynthesisError> {
(*self).to_bytes()
}
}
impl<'a, ConstraintF: Field> ToBytesGadget<ConstraintF> for &'a [UInt8] {
fn to_bytes<CS: ConstraintSystem<ConstraintF>>(
&self,
_cs: CS,
) -> Result<Vec<UInt8>, SynthesisError> {
impl<'a, F: Field> ToBytesGadget<F> for &'a [UInt8<F>] {
fn to_bytes(&self) -> Result<Vec<UInt8<F>>, SynthesisError> {
Ok(self.to_vec())
}
}

+ 504
- 0
r1cs-std/src/bits/uint.rs
View File

@ -0,0 +1,504 @@
macro_rules! make_uint {
($name:ident, $size:expr, $native:ident, $mod_name:ident) => {
pub mod $mod_name {
use algebra::{Field, FpParameters, PrimeField};
use core::borrow::Borrow;
use r1cs_core::{
lc, ConstraintSystemRef, LinearCombination, Namespace, SynthesisError, Variable,
};
use crate::{
boolean::{AllocatedBit, Boolean},
prelude::*,
Assignment, Vec,
};
/// Represents an interpretation of `Boolean` objects as an
/// unsigned integer.
#[derive(Clone, Debug)]
pub struct $name<F: Field> {
// Least significant bit first
bits: Vec<Boolean<F>>,
value: Option<$native>,
}
impl<F: Field> R1CSVar<F> for $name<F> {
type Value = $native;
fn cs(&self) -> Option<ConstraintSystemRef<F>> {
self.bits.as_slice().cs()
}
fn value(&self) -> Result<Self::Value, SynthesisError> {
let mut value = None;
for (i, bit) in self.bits.iter().enumerate() {
let b = $native::from(bit.value()?);
value = match value {
Some(value) => Some(value + (b << i)),
None => Some(b << i),
};
}
debug_assert_eq!(self.value, value);
value.get()
}
}
impl<F: Field> $name<F> {
/// Construct a constant `$name` from a `$native`
pub fn constant(value: $native) -> Self {
let mut bits = Vec::with_capacity($size);
let mut tmp = value;
for _ in 0..$size {
if tmp & 1 == 1 {
bits.push(Boolean::constant(true))
} else {
bits.push(Boolean::constant(false))
}
tmp >>= 1;
}
$name {
bits,
value: Some(value),
}
}
/// Turns this `$name` into its little-endian byte order representation.
pub fn to_bits_le(&self) -> Vec<Boolean<F>> {
self.bits.clone()
}
/// Converts a little-endian byte order representation of bits into a
/// `$name`.
pub fn from_bits_le(bits: &[Boolean<F>]) -> Self {
assert_eq!(bits.len(), $size);
let bits = bits.to_vec();
let mut value = Some(0);
for b in bits.iter().rev() {
value.as_mut().map(|v| *v <<= 1);
match b {
&Boolean::Constant(b) => {
value.as_mut().map(|v| *v |= $native::from(b));
}
&Boolean::Is(ref b) => match b.value() {
Ok(b) => {
value.as_mut().map(|v| *v |= $native::from(b));
}
Err(_) => value = None,
},
&Boolean::Not(ref b) => match b.value() {
Ok(b) => {
value.as_mut().map(|v| *v |= $native::from(!b));
}
Err(_) => value = None,
},
}
}
Self { value, bits }
}
pub fn rotr(&self, by: usize) -> Self {
let by = by % $size;
let new_bits = self
.bits
.iter()
.skip(by)
.chain(self.bits.iter())
.take($size)
.cloned()
.collect();
$name {
bits: new_bits,
value: self.value.map(|v| v.rotate_right(by as u32)),
}
}
/// XOR this `$name` with another `$name`
pub fn xor(&self, other: &Self) -> Result<Self, SynthesisError> {
let new_value = match (self.value, other.value) {
(Some(a), Some(b)) => Some(a ^ b),
_ => None,
};
let bits = self
.bits
.iter()
.zip(other.bits.iter())
.map(|(a, b)| a.xor(b))
.collect::<Result<_, _>>()?;
Ok($name {
bits,
value: new_value,
})
}
/// Perform modular addition of several `$name` objects.
pub fn addmany(operands: &[Self]) -> Result<Self, SynthesisError>
where
F: PrimeField,
{
// Make some arbitrary bounds for ourselves to avoid overflows
// in the scalar field
assert!(F::Params::MODULUS_BITS >= 2 * $size);
assert!(operands.len() >= 1);
assert!($size * operands.len() <= F::Params::MODULUS_BITS as usize);
if operands.len() == 1 {
return Ok(operands[0].clone());
}
// Compute the maximum value of the sum so we allocate enough bits for
// the result
let mut max_value = (operands.len() as u128) * u128::from($native::max_value());
// Keep track of the resulting value
let mut result_value = Some(0u128);
// This is a linear combination that we will enforce to be "zero"
let mut lc = LinearCombination::zero();
let mut all_constants = true;
// Iterate over the operands
for op in operands {
// Accumulate the value
match op.value {
Some(val) => {
result_value.as_mut().map(|v| *v += u128::from(val));
}
None => {
// If any of our operands have unknown value, we won't
// know the value of the result
result_value = None;
}
}
// Iterate over each bit_gadget of the operand and add the operand to
// the linear combination
let mut coeff = F::one();
for bit in &op.bits {
match *bit {
Boolean::Is(ref bit) => {
all_constants = false;
// Add coeff * bit_gadget
lc += (coeff, bit.variable());
}
Boolean::Not(ref bit) => {
all_constants = false;
// Add coeff * (1 - bit_gadget) = coeff * ONE - coeff * bit_gadget
lc = lc + (coeff, Variable::One) - (coeff, bit.variable());
}
Boolean::Constant(bit) => {
if bit {
lc += (coeff, Variable::One);
}
}
}
coeff.double_in_place();
}
}
// The value of the actual result is modulo 2^$size
let modular_value = result_value.map(|v| v as $native);
if all_constants && modular_value.is_some() {
// We can just return a constant, rather than
// unpacking the result into allocated bits.
return Ok($name::constant(modular_value.unwrap()));
}
let cs = operands.cs().unwrap();
// Storage area for the resulting bits
let mut result_bits = vec![];
// Allocate each bit_gadget of the result
let mut coeff = F::one();
let mut i = 0;
while max_value != 0 {
// Allocate the bit_gadget
let b = AllocatedBit::new_witness(cs.clone(), || {
result_value.map(|v| (v >> i) & 1 == 1).get()
})?;
// Subtract this bit_gadget from the linear combination to ensure the sums
// balance out
lc = lc - (coeff, b.variable());
result_bits.push(b.into());
max_value >>= 1;
i += 1;
coeff.double_in_place();
}
// Enforce that the linear combination equals zero
cs.enforce_constraint(lc!(), lc!(), lc)?;
// Discard carry bits that we don't care about
result_bits.truncate($size);
Ok($name {
bits: result_bits,
value: modular_value,
})
}
}
impl<ConstraintF: Field> ToBytesGadget<ConstraintF> for $name<ConstraintF> {
#[inline]
fn to_bytes(&self) -> Result<Vec<UInt8<ConstraintF>>, SynthesisError> {
Ok(self
.to_bits_le()
.chunks(8)
.map(UInt8::from_bits_le)
.collect())
}
}
impl<ConstraintF: Field> EqGadget<ConstraintF> for $name<ConstraintF> {
fn is_eq(&self, other: &Self) -> Result<Boolean<ConstraintF>, SynthesisError> {
self.bits.as_slice().is_eq(&other.bits)
}
fn conditional_enforce_equal(
&self,
other: &Self,
condition: &Boolean<ConstraintF>,
) -> Result<(), SynthesisError> {
self.bits.conditional_enforce_equal(&other.bits, condition)
}
fn conditional_enforce_not_equal(
&self,
other: &Self,
condition: &Boolean<ConstraintF>,
) -> Result<(), SynthesisError> {
self.bits
.conditional_enforce_not_equal(&other.bits, condition)
}
}
impl<ConstraintF: Field> AllocVar<$native, ConstraintF> for $name<ConstraintF> {
fn new_variable<T: Borrow<$native>>(
cs: impl Into<Namespace<ConstraintF>>,
f: impl FnOnce() -> Result<T, SynthesisError>,
mode: AllocationMode,
) -> Result<Self, SynthesisError> {
let ns = cs.into();
let cs = ns.cs();
let value = f().map(|f| *f.borrow());
let values = match value {
Ok(val) => (0..$size).map(|i| Some((val >> i) & 1 == 1)).collect(),
_ => vec![None; $size],
};
let bits = values
.into_iter()
.map(|v| Boolean::new_variable(cs.clone(), || v.get(), mode))
.collect::<Result<Vec<_>, _>>()?;
Ok(Self {
bits,
value: value.ok(),
})
}
}
#[cfg(test)]
mod test {
use super::$name;
use crate::{bits::boolean::Boolean, prelude::*, Vec};
use algebra::bls12_381::Fr;
use r1cs_core::{ConstraintSystem, SynthesisError};
use rand::{Rng, SeedableRng};
use rand_xorshift::XorShiftRng;
#[test]
fn test_from_bits() -> Result<(), SynthesisError> {
let mut rng = XorShiftRng::seed_from_u64(1231275789u64);
for _ in 0..1000 {
let v = (0..$size)
.map(|_| Boolean::constant(rng.gen()))
.collect::<Vec<Boolean<Fr>>>();
let b = $name::from_bits_le(&v);
for (i, bit) in b.bits.iter().enumerate() {
match bit {
&Boolean::Constant(bit) => {
assert_eq!(bit, ((b.value()? >> i) & 1 == 1));
}
_ => unreachable!(),
}
}
let expected_to_be_same = b.to_bits_le();
for x in v.iter().zip(expected_to_be_same.iter()) {
match x {
(&Boolean::Constant(true), &Boolean::Constant(true)) => {}
(&Boolean::Constant(false), &Boolean::Constant(false)) => {}
_ => unreachable!(),
}
}
}
Ok(())
}
#[test]
fn test_xor() -> Result<(), SynthesisError> {
use Boolean::*;
let mut rng = XorShiftRng::seed_from_u64(1231275789u64);
for _ in 0..1000 {
let cs = ConstraintSystem::<Fr>::new_ref();
let a: $native = rng.gen();
let b: $native = rng.gen();
let c: $native = rng.gen();
let mut expected = a ^ b ^ c;
let a_bit = $name::new_witness(cs.clone(), || Ok(a))?;
let b_bit = $name::constant(b);
let c_bit = $name::new_witness(cs.clone(), || Ok(c))?;
let r = a_bit.xor(&b_bit).unwrap();
let r = r.xor(&c_bit).unwrap();
assert!(cs.is_satisfied().unwrap());
assert!(r.value == Some(expected));
for b in r.bits.iter() {
match b {
Is(b) => assert_eq!(b.value()?, (expected & 1 == 1)),
Not(b) => assert_eq!(!b.value()?, (expected & 1 == 1)),
Constant(b) => assert_eq!(*b, (expected & 1 == 1)),
}
expected >>= 1;
}
}
Ok(())
}
#[test]
fn test_addmany_constants() -> Result<(), SynthesisError> {
let mut rng = XorShiftRng::seed_from_u64(1231275789u64);
for _ in 0..1000 {
let cs = ConstraintSystem::<Fr>::new_ref();
let a: $native = rng.gen();
let b: $native = rng.gen();
let c: $native = rng.gen();
let a_bit = $name::new_constant(cs.clone(), a)?;
let b_bit = $name::new_constant(cs.clone(), b)?;
let c_bit = $name::new_constant(cs.clone(), c)?;
let mut expected = a.wrapping_add(b).wrapping_add(c);
let r = $name::addmany(&[a_bit, b_bit, c_bit]).unwrap();
assert!(r.value == Some(expected));
for b in r.bits.iter() {
match b {
Boolean::Is(_) => unreachable!(),
Boolean::Not(_) => unreachable!(),
Boolean::Constant(b) => assert_eq!(*b, (expected & 1 == 1)),
}
expected >>= 1;
}
}
Ok(())
}
#[test]
fn test_addmany() -> Result<(), SynthesisError> {
let mut rng = XorShiftRng::seed_from_u64(1231275789u64);
for _ in 0..1000 {
let cs = ConstraintSystem::<Fr>::new_ref();
let a: $native = rng.gen();
let b: $native = rng.gen();
let c: $native = rng.gen();
let d: $native = rng.gen();
let mut expected = (a ^ b).wrapping_add(c).wrapping_add(d);
let a_bit = $name::new_witness(cs.ns("a_bit"), || Ok(a))?;
let b_bit = $name::constant(b);
let c_bit = $name::constant(c);
let d_bit = $name::new_witness(cs.ns("d_bit"), || Ok(d))?;
let r = a_bit.xor(&b_bit).unwrap();
let r = $name::addmany(&[r, c_bit, d_bit]).unwrap();
assert!(cs.is_satisfied().unwrap());
assert!(r.value == Some(expected));
for b in r.bits.iter() {
match b {
Boolean::Is(b) => assert_eq!(b.value()?, (expected & 1 == 1)),
Boolean::Not(b) => assert_eq!(!b.value()?, (expected & 1 == 1)),
Boolean::Constant(_) => unreachable!(),
}
expected >>= 1;
}
}
Ok(())
}
#[test]
fn test_rotr() -> Result<(), SynthesisError> {
let mut rng = XorShiftRng::seed_from_u64(1231275789u64);
let mut num = rng.gen();
let a: $name<Fr> = $name::constant(num);
for i in 0..$size {
let b = a.rotr(i);
assert!(b.value.unwrap() == num);
let mut tmp = num;
for b in &b.bits {
match b {
Boolean::Constant(b) => assert_eq!(*b, tmp & 1 == 1),
_ => unreachable!(),
}
tmp >>= 1;
}
num = num.rotate_right(1);
}
Ok(())
}
}
}
};
}

+ 0
- 538
r1cs-std/src/bits/uint32.rs
View File

@ -1,538 +0,0 @@
use algebra::{Field, FpParameters, PrimeField};
use r1cs_core::{ConstraintSystem, LinearCombination, SynthesisError};
use crate::{
boolean::{AllocatedBit, Boolean},
prelude::*,
Assignment, Vec,
};
/// Represents an interpretation of 32 `Boolean` objects as an
/// unsigned integer.
#[derive(Clone, Debug)]
pub struct UInt32 {
// Least significant bit_gadget first
bits: Vec<Boolean>,
pub value: Option<u32>,
}
impl UInt32 {
/// Construct a constant `UInt32` from a `u32`
pub fn constant(value: u32) -> Self {
let mut bits = Vec::with_capacity(32);
let mut tmp = value;
for _ in 0..32 {
if tmp & 1 == 1 {
bits.push(Boolean::constant(true))
} else {
bits.push(Boolean::constant(false))
}
tmp >>= 1;
}
UInt32 {
bits,
value: Some(value),
}
}
/// Allocate a `UInt32` in the constraint system
pub fn alloc<ConstraintF, CS>(mut cs: CS, value: Option<u32>) -> Result<Self, SynthesisError>
where
ConstraintF: Field,
CS: ConstraintSystem<ConstraintF>,
{
let values = match value {
Some(mut val) => {
let mut v = Vec::with_capacity(32);
for _ in 0..32 {
v.push(Some(val & 1 == 1));
val >>= 1;
}
v
}
None => vec![None; 32],
};
let bits = values
.into_iter()
.enumerate()
.map(|(i, v)| {
Ok(Boolean::from(AllocatedBit::alloc(
cs.ns(|| format!("allocated bit_gadget {}", i)),
|| v.get(),
)?))
})
.collect::<Result<Vec<_>, SynthesisError>>()?;
Ok(UInt32 { bits, value })
}
/// Turns this `UInt32` into its little-endian byte order representation.
pub fn to_bits_le(&self) -> Vec<Boolean> {
self.bits.clone()
}
/// Converts a little-endian byte order representation of bits into a
/// `UInt32`.
pub fn from_bits_le(bits: &[Boolean]) -> Self {
assert_eq!(bits.len(), 32);
let bits = bits.to_vec();
let mut value = Some(0u32);
for b in bits.iter().rev() {
value.as_mut().map(|v| *v <<= 1);
match b {
&Boolean::Constant(b) => {
if b {
value.as_mut().map(|v| *v |= 1);
}
}
&Boolean::Is(ref b) => match b.get_value() {
Some(true) => {
value.as_mut().map(|v| *v |= 1);
}
Some(false) => {}
None => value = None,
},
&Boolean::Not(ref b) => match b.get_value() {
Some(false) => {
value.as_mut().map(|v| *v |= 1);
}
Some(true) => {}
None => value = None,
},
}
}
Self { value, bits }
}
pub fn rotr(&self, by: usize) -> Self {
let by = by % 32;
let new_bits = self
.bits
.iter()
.skip(by)
.chain(self.bits.iter())
.take(32)
.cloned()
.collect();
UInt32 {
bits: new_bits,
value: self.value.map(|v| v.rotate_right(by as u32)),
}
}
/// XOR this `UInt32` with another `UInt32`
pub fn xor<ConstraintF, CS>(&self, mut cs: CS, other: &Self) -> Result<Self, SynthesisError>
where
ConstraintF: Field,
CS: ConstraintSystem<ConstraintF>,
{
let new_value = match (self.value, other.value) {
(Some(a), Some(b)) => Some(a ^ b),
_ => None,
};
let bits = self
.bits
.iter()
.zip(other.bits.iter())
.enumerate()
.map(|(i, (a, b))| Boolean::xor(cs.ns(|| format!("xor of bit_gadget {}", i)), a, b))
.collect::<Result<_, _>>()?;
Ok(UInt32 {
bits,
value: new_value,
})
}
/// Perform modular addition of several `UInt32` objects.
pub fn addmany<ConstraintF, CS>(mut cs: CS, operands: &[Self]) -> Result<Self, SynthesisError>
where
ConstraintF: PrimeField,
CS: ConstraintSystem<ConstraintF>,
{
// Make some arbitrary bounds for ourselves to avoid overflows
// in the scalar field
assert!(ConstraintF::Params::MODULUS_BITS >= 64);
assert!(operands.len() >= 1);
assert!(operands.len() <= 10);
if operands.len() == 1 {
return Ok(operands[0].clone());
}
// Compute the maximum value of the sum so we allocate enough bits for
// the result
let mut max_value = (operands.len() as u64) * u64::from(u32::max_value());
// Keep track of the resulting value
let mut result_value = Some(0u64);
// This is a linear combination that we will enforce to be "zero"
let mut lc = LinearCombination::zero();
let mut all_constants = true;
// Iterate over the operands
for op in operands {
// Accumulate the value
match op.value {
Some(val) => {
result_value.as_mut().map(|v| *v += u64::from(val));
}
None => {
// If any of our operands have unknown value, we won't
// know the value of the result
result_value = None;
}
}
// Iterate over each bit_gadget of the operand and add the operand to
// the linear combination
let mut coeff = ConstraintF::one();
for bit in &op.bits {
match *bit {
Boolean::Is(ref bit) => {
all_constants = false;
// Add coeff * bit_gadget
lc += (coeff, bit.get_variable());
}
Boolean::Not(ref bit) => {
all_constants = false;
// Add coeff * (1 - bit_gadget) = coeff * ONE - coeff * bit_gadget
lc = lc + (coeff, CS::one()) - (coeff, bit.get_variable());
}
Boolean::Constant(bit) => {
if bit {
lc += (coeff, CS::one());
}
}
}
coeff.double_in_place();
}
}
// The value of the actual result is modulo 2^32
let modular_value = result_value.map(|v| v as u32);
if all_constants && modular_value.is_some() {
// We can just return a constant, rather than
// unpacking the result into allocated bits.
return Ok(UInt32::constant(modular_value.unwrap()));
}
// Storage area for the resulting bits
let mut result_bits = vec![];
// Allocate each bit_gadget of the result
let mut coeff = ConstraintF::one();
let mut i = 0;
while max_value != 0 {
// Allocate the bit_gadget
let b = AllocatedBit::alloc(cs.ns(|| format!("result bit_gadget {}", i)), || {
result_value.map(|v| (v >> i) & 1 == 1).get()
})?;
// Subtract this bit_gadget from the linear combination to ensure the sums
// balance out
lc = lc - (coeff, b.get_variable());
result_bits.push(b.into());
max_value >>= 1;
i += 1;
coeff.double_in_place();
}
// Enforce that the linear combination equals zero
cs.enforce(|| "modular addition", |lc| lc, |lc| lc, |_| lc);
// Discard carry bits that we don't care about
result_bits.truncate(32);
Ok(UInt32 {
bits: result_bits,
value: modular_value,
})
}
}
impl<ConstraintF: Field> ToBytesGadget<ConstraintF> for UInt32 {
#[inline]
fn to_bytes<CS: ConstraintSystem<ConstraintF>>(
&self,
_cs: CS,
) -> Result<Vec<UInt8>, SynthesisError> {
let value_chunks = match self.value.map(|val| {
use algebra::bytes::ToBytes;
let mut bytes = [0u8; 4];
val.write(bytes.as_mut()).unwrap();
bytes
}) {
Some(chunks) => [
Some(chunks[0]),
Some(chunks[1]),
Some(chunks[2]),
Some(chunks[3]),
],
None => [None, None, None, None],
};
let mut bytes = Vec::new();
for (i, chunk8) in self.to_bits_le().chunks(8).enumerate() {
let byte = UInt8 {
bits: chunk8.to_vec(),
value: value_chunks[i],
};
bytes.push(byte);
}
Ok(bytes)
}
}
impl PartialEq for UInt32 {
fn eq(&self, other: &Self) -> bool {
self.value.is_some() && other.value.is_some() && self.value == other.value
}
}
impl Eq for UInt32 {}
impl<ConstraintF: Field> ConditionalEqGadget<ConstraintF> for UInt32 {
fn conditional_enforce_equal<CS: ConstraintSystem<ConstraintF>>(
&self,
mut cs: CS,
other: &Self,
condition: &Boolean,
) -> Result<(), SynthesisError> {
for (i, (a, b)) in self.bits.iter().zip(&other.bits).enumerate() {
a.conditional_enforce_equal(
&mut cs.ns(|| format!("uint32_equal_{}", i)),
b,
condition,
)?;
}
Ok(())
}
fn cost() -> usize {
32 * <Boolean as ConditionalEqGadget<ConstraintF>>::cost()
}
}
#[cfg(test)]
mod test {
use super::UInt32;
use crate::{bits::boolean::Boolean, test_constraint_system::TestConstraintSystem, Vec};
use algebra::{bls12_381::Fr, One, Zero};
use r1cs_core::ConstraintSystem;
use rand::{Rng, SeedableRng};
use rand_xorshift::XorShiftRng;
#[test]
fn test_uint32_from_bits() {
let mut rng = XorShiftRng::seed_from_u64(1231275789u64);
for _ in 0..1000 {
let v = (0..32)
.map(|_| Boolean::constant(rng.gen()))
.collect::<Vec<_>>();
let b = UInt32::from_bits_le(&v);
for (i, bit_gadget) in b.bits.iter().enumerate() {
match bit_gadget {
&Boolean::Constant(bit_gadget) => {
assert!(bit_gadget == ((b.value.unwrap() >> i) & 1 == 1));
}
_ => unreachable!(),
}
}
let expected_to_be_same = b.to_bits_le();
for x in v.iter().zip(expected_to_be_same.iter()) {
match x {
(&Boolean::Constant(true), &Boolean::Constant(true)) => {}
(&Boolean::Constant(false), &Boolean::Constant(false)) => {}
_ => unreachable!(),
}
}
}
}
#[test]
fn test_uint32_xor() {
let mut rng = XorShiftRng::seed_from_u64(1231275789u64);
for _ in 0..1000 {
let mut cs = TestConstraintSystem::<Fr>::new();
let a: u32 = rng.gen();
let b: u32 = rng.gen();
let c: u32 = rng.gen();
let mut expected = a ^ b ^ c;
let a_bit = UInt32::alloc(cs.ns(|| "a_bit"), Some(a)).unwrap();
let b_bit = UInt32::constant(b);
let c_bit = UInt32::alloc(cs.ns(|| "c_bit"), Some(c)).unwrap();
let r = a_bit.xor(cs.ns(|| "first xor"), &b_bit).unwrap();
let r = r.xor(cs.ns(|| "second xor"), &c_bit).unwrap();
assert!(cs.is_satisfied());
assert!(r.value == Some(expected));
for b in r.bits.iter() {
match b {
&Boolean::Is(ref b) => {
assert!(b.get_value().unwrap() == (expected & 1 == 1));
}
&Boolean::Not(ref b) => {
assert!(!b.get_value().unwrap() == (expected & 1 == 1));
}
&Boolean::Constant(b) => {
assert!(b == (expected & 1 == 1));
}
}
expected >>= 1;
}
}
}
#[test]
fn test_uint32_addmany_constants() {
let mut rng = XorShiftRng::seed_from_u64(1231275789u64);
for _ in 0..1000 {
let mut cs = TestConstraintSystem::<Fr>::new();
let a: u32 = rng.gen();
let b: u32 = rng.gen();
let c: u32 = rng.gen();
let a_bit = UInt32::constant(a);
let b_bit = UInt32::constant(b);
let c_bit = UInt32::constant(c);
let mut expected = a.wrapping_add(b).wrapping_add(c);
let r = UInt32::addmany(cs.ns(|| "addition"), &[a_bit, b_bit, c_bit]).unwrap();
assert!(r.value == Some(expected));
for b in r.bits.iter() {
match b {
&Boolean::Is(_) => panic!(),
&Boolean::Not(_) => panic!(),
&Boolean::Constant(b) => {
assert!(b == (expected & 1 == 1));
}
}
expected >>= 1;
}
}
}
#[test]
fn test_uint32_addmany() {
let mut rng = XorShiftRng::seed_from_u64(1231275789u64);
for _ in 0..1000 {
let mut cs = TestConstraintSystem::<Fr>::new();
let a: u32 = rng.gen();
let b: u32 = rng.gen();
let c: u32 = rng.gen();
let d: u32 = rng.gen();
let mut expected = (a ^ b).wrapping_add(c).wrapping_add(d);
let a_bit = UInt32::alloc(cs.ns(|| "a_bit"), Some(a)).unwrap();
let b_bit = UInt32::constant(b);
let c_bit = UInt32::constant(c);
let d_bit = UInt32::alloc(cs.ns(|| "d_bit"), Some(d)).unwrap();
let r = a_bit.xor(cs.ns(|| "xor"), &b_bit).unwrap();
let r = UInt32::addmany(cs.ns(|| "addition"), &[r, c_bit, d_bit]).unwrap();
assert!(cs.is_satisfied());
assert!(r.value == Some(expected));
for b in r.bits.iter() {
match b {
&Boolean::Is(ref b) => {
assert!(b.get_value().unwrap() == (expected & 1 == 1));
}
&Boolean::Not(ref b) => {
assert!(!b.get_value().unwrap() == (expected & 1 == 1));
}
&Boolean::Constant(_) => unreachable!(),
}
expected >>= 1;
}
// Flip a bit_gadget and see if the addition constraint still works
if cs.get("addition/result bit_gadget 0/boolean").is_zero() {
cs.set("addition/result bit_gadget 0/boolean", Fr::one());
} else {
cs.set("addition/result bit_gadget 0/boolean", Fr::zero());
}
assert!(!cs.is_satisfied());
}
}
#[test]
fn test_uint32_rotr() {
let mut rng = XorShiftRng::seed_from_u64(1231275789u64);
let mut num = rng.gen();
let a = UInt32::constant(num);
for i in 0..32 {
let b = a.rotr(i);
assert!(b.value.unwrap() == num);
let mut tmp = num;
for b in &b.bits {
match b {
&Boolean::Constant(b) => {
assert_eq!(b, tmp & 1 == 1);
}
_ => unreachable!(),
}
tmp >>= 1;
}
num = num.rotate_right(1);
}
}
}

+ 0
- 583
r1cs-std/src/bits/uint64.rs
View File

@ -1,583 +0,0 @@
use algebra::{Field, FpParameters, PrimeField};
use r1cs_core::{ConstraintSystem, LinearCombination, SynthesisError};
use crate::{
boolean::{AllocatedBit, Boolean},
prelude::*,
Assignment, Vec,
};
use core::borrow::Borrow;
/// Represents an interpretation of 64 `Boolean` objects as an
/// unsigned integer.
#[derive(Clone, Debug)]
pub struct UInt64 {
// Least significant bit_gadget first
bits: Vec<Boolean>,
value: Option<u64>,
}
impl UInt64 {
/// Construct a constant `UInt64` from a `u64`
pub fn constant(value: u64) -> Self {
let mut bits = Vec::with_capacity(64);
let mut tmp = value;
for _ in 0..64 {
if tmp & 1 == 1 {
bits.push(Boolean::constant(true))
} else {
bits.push(Boolean::constant(false))
}
tmp >>= 1;
}
UInt64 {
bits,
value: Some(value),
}
}
/// Allocate a `UInt64` in the constraint system
pub fn _alloc<ConstraintF, CS>(mut cs: CS, value: Option<u64>) -> Result<Self, SynthesisError>
where
ConstraintF: Field,
CS: ConstraintSystem<ConstraintF>,
{
let values = match value {
Some(mut val) => {
let mut v = Vec::with_capacity(64);
for _ in 0..64 {
v.push(Some(val & 1 == 1));
val >>= 1;
}
v
}
None => vec![None; 64],
};
let bits = values
.into_iter()
.enumerate()
.map(|(i, v)| {
Ok(Boolean::from(AllocatedBit::alloc(
cs.ns(|| format!("allocated bit_gadget {}", i)),
|| v.get(),
)?))
})
.collect::<Result<Vec<_>, SynthesisError>>()?;
Ok(UInt64 { bits, value })
}
/// Turns this `UInt64` into its little-endian byte order representation.
pub fn to_bits_le(&self) -> Vec<Boolean> {
self.bits.clone()
}
/// Converts a little-endian byte order representation of bits into a
/// `UInt64`.
pub fn from_bits_le(bits: &[Boolean]) -> Self {
assert_eq!(bits.len(), 64);
let bits = bits.to_vec();
let mut value = Some(0u64);
for b in bits.iter().rev() {
value.as_mut().map(|v| *v <<= 1);
match b {
&Boolean::Constant(b) => {
if b {
value.as_mut().map(|v| *v |= 1);
}
}
&Boolean::Is(ref b) => match b.get_value() {
Some(true) => {
value.as_mut().map(|v| *v |= 1);
}
Some(false) => {}
None => value = None,
},
&Boolean::Not(ref b) => match b.get_value() {
Some(false) => {
value.as_mut().map(|v| *v |= 1);
}
Some(true) => {}
None => value = None,
},
}
}
Self { value, bits }
}
pub fn rotr(&self, by: usize) -> Self {
let by = by % 64;
let new_bits = self
.bits
.iter()
.skip(by)
.chain(self.bits.iter())
.take(64)
.cloned()
.collect();
UInt64 {
bits: new_bits,
value: self.value.map(|v| v.rotate_right(by as u32)),
}
}
/// XOR this `UInt64` with another `UInt64`
pub fn xor<ConstraintF, CS>(&self, mut cs: CS, other: &Self) -> Result<Self, SynthesisError>
where
ConstraintF: Field,
CS: ConstraintSystem<ConstraintF>,
{
let new_value = match (self.value, other.value) {
(Some(a), Some(b)) => Some(a ^ b),
_ => None,
};
let bits = self
.bits
.iter()
.zip(other.bits.iter())
.enumerate()
.map(|(i, (a, b))| Boolean::xor(cs.ns(|| format!("xor of bit_gadget {}", i)), a, b))
.collect::<Result<_, _>>()?;
Ok(UInt64 {
bits,
value: new_value,
})
}
/// Perform modular addition of several `UInt64` objects.
pub fn addmany<ConstraintF, CS>(mut cs: CS, operands: &[Self]) -> Result<Self, SynthesisError>
where
ConstraintF: PrimeField,
CS: ConstraintSystem<ConstraintF>,
{
// Make some arbitrary bounds for ourselves to avoid overflows
// in the scalar field
assert!(ConstraintF::Params::MODULUS_BITS >= 128);
assert!(operands.len() >= 1);
assert!(operands.len() <= 10);
if operands.len() == 1 {
return Ok(operands[0].clone());
}
// Compute the maximum value of the sum so we allocate enough bits for
// the result
let mut max_value = (operands.len() as u128) * u128::from(u64::max_value());
// Keep track of the resulting value
let mut result_value = Some(0u64 as u128);
// This is a linear combination that we will enforce to be "zero"
let mut lc = LinearCombination::zero();
let mut all_constants = true;
// Iterate over the operands
for op in operands {
// Accumulate the value
match op.value {
Some(val) => {
result_value.as_mut().map(|v| *v += u128::from(val));
}
None => {
// If any of our operands have unknown value, we won't
// know the value of the result
result_value = None;
}
}
// Iterate over each bit_gadget of the operand and add the operand to
// the linear combination
let mut coeff = ConstraintF::one();
for bit in &op.bits {
match *bit {
Boolean::Is(ref bit) => {
all_constants = false;
// Add coeff * bit_gadget
lc += (coeff, bit.get_variable());
}
Boolean::Not(ref bit) => {
all_constants = false;
// Add coeff * (1 - bit_gadget) = coeff * ONE - coeff * bit_gadget
lc = lc + (coeff, CS::one()) - (coeff, bit.get_variable());
}
Boolean::Constant(bit) => {
if bit {
lc += (coeff, CS::one());
}
}
}
coeff.double_in_place();
}
}
// The value of the actual result is modulo 2^64
let modular_value = result_value.map(|v| v as u64);
if all_constants && modular_value.is_some() {
// We can just return a constant, rather than
// unpacking the result into allocated bits.
return Ok(UInt64::constant(modular_value.unwrap()));
}
// Storage area for the resulting bits
let mut result_bits = vec![];
// Allocate each bit_gadget of the result
let mut coeff = ConstraintF::one();
let mut i = 0;
while max_value != 0 {
// Allocate the bit_gadget
let b = AllocatedBit::alloc(cs.ns(|| format!("result bit_gadget {}", i)), || {
result_value.map(|v| (v >> i) & 1 == 1).get()
})?;
// Subtract this bit_gadget from the linear combination to ensure the sums
// balance out
lc = lc - (coeff, b.get_variable());
result_bits.push(b.into());
max_value >>= 1;
i += 1;
coeff.double_in_place();
}
// Enforce that the linear combination equals zero
cs.enforce(|| "modular addition", |lc| lc, |lc| lc, |_| lc);
// Discard carry bits that we don't care about
result_bits.truncate(64);
Ok(UInt64 {
bits: result_bits,
value: modular_value,
})
}
}
impl<ConstraintF: Field> AllocGadget<u64, ConstraintF> for UInt64 {
fn alloc_constant<T, CS: ConstraintSystem<ConstraintF>>(
_cs: CS,
t: T,
) -> Result<Self, SynthesisError>
where
T: Borrow<u64>,
{
Ok(UInt64::constant(*t.borrow()))
}
fn alloc<F, T, CS: ConstraintSystem<ConstraintF>>(
mut cs: CS,
value_gen: F,
) -> Result<Self, SynthesisError>
where
F: FnOnce() -> Result<T, SynthesisError>,
T: Borrow<u64>,
{
let val = value_gen()?.borrow().clone();
Self::_alloc(&mut cs.ns(|| "alloc u64"), Some(val))
}
fn alloc_input<F, T, CS: ConstraintSystem<ConstraintF>>(
mut cs: CS,
value_gen: F,
) -> Result<Self, SynthesisError>
where
F: FnOnce() -> Result<T, SynthesisError>,
T: Borrow<u64>,
{
let val = value_gen()?.borrow().clone();
Self::_alloc(&mut cs.ns(|| "alloc u64"), Some(val))
}
}
impl<ConstraintF: Field> ToBytesGadget<ConstraintF> for UInt64 {
#[inline]
fn to_bytes<CS: ConstraintSystem<ConstraintF>>(
&self,
_cs: CS,
) -> Result<Vec<UInt8>, SynthesisError> {
let value_chunks = match self.value.map(|val| {
use algebra::bytes::ToBytes;
let mut bytes = [0u8; 8];
val.write(bytes.as_mut()).unwrap();
bytes
}) {
Some(chunks) => [
Some(chunks[0]),
Some(chunks[1]),
Some(chunks[2]),
Some(chunks[3]),
Some(chunks[4]),
Some(chunks[5]),
Some(chunks[6]),
Some(chunks[7]),
],
None => [None, None, None, None, None, None, None, None],
};
let mut bytes = Vec::new();
for (i, chunk8) in self.to_bits_le().chunks(8).enumerate() {
let byte = UInt8 {
bits: chunk8.to_vec(),
value: value_chunks[i],
};
bytes.push(byte);
}
Ok(bytes)
}
}
impl PartialEq for UInt64 {
fn eq(&self, other: &Self) -> bool {
self.value.is_some() && other.value.is_some() && self.value == other.value
}
}
impl Eq for UInt64 {}
impl<ConstraintF: Field> ConditionalEqGadget<ConstraintF> for UInt64 {
fn conditional_enforce_equal<CS: ConstraintSystem<ConstraintF>>(
&self,
mut cs: CS,
other: &Self,
condition: &Boolean,
) -> Result<(), SynthesisError> {
for (i, (a, b)) in self.bits.iter().zip(&other.bits).enumerate() {
a.conditional_enforce_equal(
&mut cs.ns(|| format!("uint64_equal_{}", i)),
b,
condition,
)?;
}
Ok(())
}
fn cost() -> usize {
64 * <Boolean as ConditionalEqGadget<ConstraintF>>::cost()
}
}
#[cfg(test)]
mod test {
use super::UInt64;
use crate::{
alloc::AllocGadget, bits::boolean::Boolean, test_constraint_system::TestConstraintSystem,
Vec,
};
use algebra::{bls12_381::Fr, One, Zero};
use r1cs_core::ConstraintSystem;
use rand::{Rng, SeedableRng};
use rand_xorshift::XorShiftRng;
#[test]
fn test_uint64_from_bits() {
let mut rng = XorShiftRng::seed_from_u64(1231275789u64);
for _ in 0..1000 {
let v = (0..64)
.map(|_| Boolean::constant(rng.gen()))
.collect::<Vec<_>>();
let b = UInt64::from_bits_le(&v);
for (i, bit_gadget) in b.bits.iter().enumerate() {
match bit_gadget {
&Boolean::Constant(bit_gadget) => {
assert!(bit_gadget == ((b.value.unwrap() >> i) & 1 == 1));
}
_ => unreachable!(),
}
}
let expected_to_be_same = b.to_bits_le();
for x in v.iter().zip(expected_to_be_same.iter()) {
match x {
(&Boolean::Constant(true), &Boolean::Constant(true)) => {}
(&Boolean::Constant(false), &Boolean::Constant(false)) => {}
_ => unreachable!(),
}
}
}
}
#[test]
fn test_uint64_xor() {
let mut rng = XorShiftRng::seed_from_u64(1231275789u64);
for _ in 0..1000 {
let mut cs = TestConstraintSystem::<Fr>::new();
let a: u64 = rng.gen();
let b: u64 = rng.gen();
let c: u64 = rng.gen();
let mut expected = a ^ b ^ c;
let a_bit = UInt64::alloc(cs.ns(|| "a_bit"), || Ok(a)).unwrap();
let b_bit = UInt64::constant(b);
let c_bit = UInt64::alloc(cs.ns(|| "c_bit"), || Ok(c)).unwrap();
let r = a_bit.xor(cs.ns(|| "first xor"), &b_bit).unwrap();
let r = r.xor(cs.ns(|| "second xor"), &c_bit).unwrap();
assert!(cs.is_satisfied());
assert!(r.value == Some(expected));
for b in r.bits.iter() {
match b {
&Boolean::Is(ref b) => {
assert!(b.get_value().unwrap() == (expected & 1 == 1));
}
&Boolean::Not(ref b) => {
assert!(!b.get_value().unwrap() == (expected & 1 == 1));
}
&Boolean::Constant(b) => {
assert!(b == (expected & 1 == 1));
}
}
expected >>= 1;
}
}
}
#[test]
fn test_uint64_addmany_constants() {
let mut rng = XorShiftRng::seed_from_u64(1231275789u64);
for _ in 0..1000 {
let mut cs = TestConstraintSystem::<Fr>::new();
let a: u64 = rng.gen();
let b: u64 = rng.gen();
let c: u64 = rng.gen();
let a_bit = UInt64::constant(a);
let b_bit = UInt64::constant(b);
let c_bit = UInt64::constant(c);
let mut expected = a.wrapping_add(b).wrapping_add(c);
let r = UInt64::addmany(cs.ns(|| "addition"), &[a_bit, b_bit, c_bit]).unwrap();
assert!(r.value == Some(expected));
for b in r.bits.iter() {
match b {
&Boolean::Is(_) => panic!(),
&Boolean::Not(_) => panic!(),
&Boolean::Constant(b) => {
assert!(b == (expected & 1 == 1));
}
}
expected >>= 1;
}
}
}
#[test]
fn test_uint64_addmany() {
let mut rng = XorShiftRng::seed_from_u64(1231275789u64);
for _ in 0..1000 {
let mut cs = TestConstraintSystem::<Fr>::new();
let a: u64 = rng.gen();
let b: u64 = rng.gen();
let c: u64 = rng.gen();
let d: u64 = rng.gen();
let mut expected = (a ^ b).wrapping_add(c).wrapping_add(d);
let a_bit = UInt64::alloc(cs.ns(|| "a_bit"), || Ok(a)).unwrap();
let b_bit = UInt64::constant(b);
let c_bit = UInt64::constant(c);
let d_bit = UInt64::alloc(cs.ns(|| "d_bit"), || Ok(d)).unwrap();
let r = a_bit.xor(cs.ns(|| "xor"), &b_bit).unwrap();
let r = UInt64::addmany(cs.ns(|| "addition"), &[r, c_bit, d_bit]).unwrap();
assert!(cs.is_satisfied());
assert!(r.value == Some(expected));
for b in r.bits.iter() {
match b {
&Boolean::Is(ref b) => {
assert!(b.get_value().unwrap() == (expected & 1 == 1));
}
&Boolean::Not(ref b) => {
assert!(!b.get_value().unwrap() == (expected & 1 == 1));
}
&Boolean::Constant(_) => unreachable!(),
}
expected >>= 1;
}
// Flip a bit_gadget and see if the addition constraint still works
if cs.get("addition/result bit_gadget 0/boolean").is_zero() {
cs.set("addition/result bit_gadget 0/boolean", Fr::one());
} else {
cs.set("addition/result bit_gadget 0/boolean", Fr::zero());
}
assert!(!cs.is_satisfied());
}
}
#[test]
fn test_uint64_rotr() {
let mut rng = XorShiftRng::seed_from_u64(1231275789u64);
let mut num = rng.gen();
let a = UInt64::constant(num);
for i in 0..64 {
let b = a.rotr(i);
assert!(b.value.unwrap() == num);
let mut tmp = num;
for b in &b.bits {
match b {
&Boolean::Constant(b) => {
assert_eq!(b, tmp & 1 == 1);
}
_ => unreachable!(),
}
tmp >>= 1;
}
num = num.rotate_right(1);
}
}
}

+ 118
- 199
r1cs-std/src/bits/uint8.rs
View File

@ -1,24 +1,43 @@
use algebra::{Field, FpParameters, PrimeField, ToConstraintField};
use algebra::Field;
use algebra::{FpParameters, PrimeField, ToConstraintField};
use r1cs_core::{ConstraintSystem, SynthesisError};
use r1cs_core::{ConstraintSystemRef, Namespace, SynthesisError};
use crate::{boolean::AllocatedBit, fields::fp::FpGadget, prelude::*, Assignment, Vec};
use crate::{fields::fp::AllocatedFp, prelude::*, Assignment, Vec};
use core::borrow::Borrow;
/// Represents an interpretation of 8 `Boolean` objects as an
/// unsigned integer.
#[derive(Clone, Debug)]
pub struct UInt8 {
// Least significant bit_gadget first
pub(crate) bits: Vec<Boolean>,
pub struct UInt8<F: Field> {
/// Little-endian representation: least significant bit first
pub(crate) bits: Vec<Boolean<F>>,
/// Little-endian representation: least significant bit first
pub(crate) value: Option<u8>,
}
impl UInt8 {
pub fn get_value(&self) -> Option<u8> {
self.value
impl<F: Field> R1CSVar<F> for UInt8<F> {
type Value = u8;
fn cs(&self) -> Option<ConstraintSystemRef<F>> {
self.bits.as_slice().cs()
}
fn value(&self) -> Result<Self::Value, SynthesisError> {
let mut value = None;
for (i, bit) in self.bits.iter().enumerate() {
let b = u8::from(bit.value()?);
value = match value {
Some(value) => Some(value + (b << i)),
None => Some(b << i),
};
}
debug_assert_eq!(self.value, value);
value.get()
}
}
impl<F: Field> UInt8<F> {
/// Construct a constant vector of `UInt8` from a vector of `u8`
pub fn constant_vec(values: &[u8]) -> Vec<Self> {
let mut result = Vec::new();
@ -35,12 +54,7 @@ impl UInt8 {
let mut tmp = value;
for _ in 0..8 {
// If last bit is one, push one.
if tmp & 1 == 1 {
bits.push(Boolean::constant(true))
} else {
bits.push(Boolean::constant(false))
}
bits.push(Boolean::constant(tmp & 1 == 1));
tmp >>= 1;
}
@ -50,20 +64,16 @@ impl UInt8 {
}
}
pub fn alloc_vec<ConstraintF, CS, T>(
mut cs: CS,
values: &[T],
) -> Result<Vec<Self>, SynthesisError>
where
ConstraintF: Field,
CS: ConstraintSystem<ConstraintF>,
T: Into<Option<u8>> + Copy,
{
pub fn new_witness_vec(
cs: impl Into<Namespace<F>>,
values: &[impl Into<Option<u8>> + Copy],
) -> Result<Vec<Self>, SynthesisError> {
let ns = cs.into();
let cs = ns.cs();
let mut output_vec = Vec::with_capacity(values.len());
for (i, value) in values.iter().enumerate() {
for value in values {
let byte: Option<u8> = Into::into(*value);
let alloc_byte = Self::alloc(&mut cs.ns(|| format!("byte_{}", i)), || byte.get())?;
output_vec.push(alloc_byte);
output_vec.push(Self::new_witness(cs.clone(), || byte.get())?);
}
Ok(output_vec)
}
@ -72,25 +82,23 @@ impl UInt8 {
/// `ConstraintF` elements, (thus reducing the number of input allocations),
/// and then converts this list of `ConstraintF` gadgets back into
/// bytes.
pub fn alloc_input_vec<ConstraintF, CS>(
mut cs: CS,
pub fn new_input_vec(
cs: impl Into<Namespace<F>>,
values: &[u8],
) -> Result<Vec<Self>, SynthesisError>
where
ConstraintF: PrimeField,
CS: ConstraintSystem<ConstraintF>,
F: PrimeField,
{
let ns = cs.into();
let cs = ns.cs();
let values_len = values.len();
let field_elements: Vec<ConstraintF> =
ToConstraintField::<ConstraintF>::to_field_elements(values).unwrap();
let field_elements: Vec<F> = ToConstraintField::<F>::to_field_elements(values).unwrap();
let max_size = 8 * (ConstraintF::Params::CAPACITY / 8) as usize;
let max_size = 8 * (F::Params::CAPACITY / 8) as usize;
let mut allocated_bits = Vec::new();
for (i, field_element) in field_elements.into_iter().enumerate() {
let fe = FpGadget::alloc_input(&mut cs.ns(|| format!("Field element {}", i)), || {
Ok(field_element)
})?;
let mut fe_bits = fe.to_bits(cs.ns(|| format!("Convert fe to bits {}", i)))?;
for field_element in field_elements.into_iter() {
let fe = AllocatedFp::new_input(cs.clone(), || Ok(field_element))?;
let mut fe_bits = fe.to_bits()?;
// FpGadget::to_bits outputs a big-endian binary representation of
// fe_gadget's value, so we have to reverse it to get the little-endian
// form.
@ -114,13 +122,13 @@ impl UInt8 {
/// Turns this `UInt8` into its little-endian byte order representation.
/// LSB-first means that we can easily get the corresponding field element
/// via double and add.
pub fn into_bits_le(&self) -> Vec<Boolean> {
pub fn into_bits_le(&self) -> Vec<Boolean<F>> {
self.bits.to_vec()
}
/// Converts a little-endian byte order representation of bits into a
/// `UInt8`.
pub fn from_bits_le(bits: &[Boolean]) -> Self {
pub fn from_bits_le(bits: &[Boolean<F>]) -> Self {
assert_eq!(bits.len(), 8);
let bits = bits.to_vec();
@ -131,23 +139,19 @@ impl UInt8 {
match *b {
Boolean::Constant(b) => {
if b {
value.as_mut().map(|v| *v |= 1);
}
value.as_mut().map(|v| *v |= u8::from(b));
}
Boolean::Is(ref b) => match b.get_value() {
Some(true) => {
value.as_mut().map(|v| *v |= 1);
Boolean::Is(ref b) => match b.value() {
Ok(b) => {
value.as_mut().map(|v| *v |= u8::from(b));
}
Some(false) => {}
None => value = None,
Err(_) => value = None,
},
Boolean::Not(ref b) => match b.get_value() {
Some(false) => {
value.as_mut().map(|v| *v |= 1);
Boolean::Not(ref b) => match b.value() {
Ok(b) => {
value.as_mut().map(|v| *v |= u8::from(!b));
}
Some(true) => {}
None => value = None,
Err(_) => value = None,
},
}
}
@ -156,11 +160,7 @@ impl UInt8 {
}
/// XOR this `UInt8` with another `UInt8`
pub fn xor<ConstraintF, CS>(&self, mut cs: CS, other: &Self) -> Result<Self, SynthesisError>
where
ConstraintF: Field,
CS: ConstraintSystem<ConstraintF>,
{
pub fn xor(&self, other: &Self) -> Result<Self, SynthesisError> {
let new_value = match (self.value, other.value) {
(Some(a), Some(b)) => Some(a ^ b),
_ => None,
@ -170,8 +170,7 @@ impl UInt8 {
.bits
.iter()
.zip(other.bits.iter())
.enumerate()
.map(|(i, (a, b))| Boolean::xor(cs.ns(|| format!("xor of bit_gadget {}", i)), a, b))
.map(|(a, b)| a.xor(b))
.collect::<Result<_, _>>()?;
Ok(Self {
@ -181,122 +180,46 @@ impl UInt8 {
}
}
impl PartialEq for UInt8 {
fn eq(&self, other: &Self) -> bool {
self.value.is_some() && other.value.is_some() && self.value == other.value
impl<ConstraintF: Field> EqGadget<ConstraintF> for UInt8<ConstraintF> {
fn is_eq(&self, other: &Self) -> Result<Boolean<ConstraintF>, SynthesisError> {
self.bits.as_slice().is_eq(&other.bits)
}
}
impl Eq for UInt8 {}
impl<ConstraintF: Field> ConditionalEqGadget<ConstraintF> for UInt8 {
fn conditional_enforce_equal<CS: ConstraintSystem<ConstraintF>>(
fn conditional_enforce_equal(
&self,
mut cs: CS,
other: &Self,
condition: &Boolean,
condition: &Boolean<ConstraintF>,
) -> Result<(), SynthesisError> {
for (i, (a, b)) in self.bits.iter().zip(&other.bits).enumerate() {
a.conditional_enforce_equal(
&mut cs.ns(|| format!("UInt8 equality check for {}-th bit", i)),
b,
condition,
)?;
}
Ok(())
self.bits.conditional_enforce_equal(&other.bits, condition)
}
fn cost() -> usize {
8 * <Boolean as ConditionalEqGadget<ConstraintF>>::cost()
fn conditional_enforce_not_equal(
&self,
other: &Self,
condition: &Boolean<ConstraintF>,
) -> Result<(), SynthesisError> {
self.bits
.conditional_enforce_not_equal(&other.bits, condition)
}
}
impl<ConstraintF: Field> EqGadget<ConstraintF> for UInt8 {}
impl<ConstraintF: Field> AllocGadget<u8, ConstraintF> for UInt8 {
fn alloc_constant<T, CS: ConstraintSystem<ConstraintF>>(
_cs: CS,
t: T,
) -> Result<Self, SynthesisError>
where
T: Borrow<u8>,
{
Ok(UInt8::constant(*t.borrow()))
}
fn alloc<F, T, CS: ConstraintSystem<ConstraintF>>(
mut cs: CS,
value_gen: F,
) -> Result<Self, SynthesisError>
where
F: FnOnce() -> Result<T, SynthesisError>,
T: Borrow<u8>,
{
let value = value_gen().map(|val| *val.borrow());
let values = match value {
Ok(mut val) => {
let mut v = Vec::with_capacity(8);
for _ in 0..8 {
v.push(Some(val & 1 == 1));
val >>= 1;
}
v
}
_ => vec![None; 8],
};
let bits = values
.into_iter()
.enumerate()
.map(|(i, v)| {
Ok(Boolean::from(AllocatedBit::alloc(
&mut cs.ns(|| format!("allocated bit_gadget {}", i)),
|| v.ok_or(SynthesisError::AssignmentMissing),
)?))
})
.collect::<Result<Vec<_>, SynthesisError>>()?;
Ok(Self {
bits,
value: value.ok(),
})
}
fn alloc_input<F, T, CS: ConstraintSystem<ConstraintF>>(
mut cs: CS,
value_gen: F,
) -> Result<Self, SynthesisError>
where
F: FnOnce() -> Result<T, SynthesisError>,
T: Borrow<u8>,
{
let value = value_gen().map(|val| *val.borrow());
impl<ConstraintF: Field> AllocVar<u8, ConstraintF> for UInt8<ConstraintF> {
fn new_variable<T: Borrow<u8>>(
cs: impl Into<Namespace<ConstraintF>>,
f: impl FnOnce() -> Result<T, SynthesisError>,
mode: AllocationMode,
) -> Result<Self, SynthesisError> {
let ns = cs.into();
let cs = ns.cs();
let value = f().map(|f| *f.borrow());
let values = match value {
Ok(mut val) => {
let mut v = Vec::with_capacity(8);
for _ in 0..8 {
v.push(Some(val & 1 == 1));
val >>= 1;
}
v
}
Ok(val) => (0..8).map(|i| Some((val >> i) & 1 == 1)).collect(),
_ => vec![None; 8],
};
let bits = values
.into_iter()
.enumerate()
.map(|(i, v)| {
Ok(Boolean::from(AllocatedBit::alloc_input(
&mut cs.ns(|| format!("allocated bit_gadget {}", i)),
|| v.ok_or(SynthesisError::AssignmentMissing),
)?))
})
.collect::<Result<Vec<_>, SynthesisError>>()?;
.map(|v| Boolean::new_variable(cs.clone(), || v.get(), mode))
.collect::<Result<Vec<_>, _>>()?;
Ok(Self {
bits,
value: value.ok(),
@ -307,57 +230,57 @@ impl AllocGadget for UInt8 {
#[cfg(test)]
mod test {
use super::UInt8;
use crate::{prelude::*, test_constraint_system::TestConstraintSystem, Vec};
use crate::{prelude::*, Vec};
use algebra::bls12_381::Fr;
use r1cs_core::ConstraintSystem;
use r1cs_core::{ConstraintSystem, SynthesisError};
use rand::{Rng, SeedableRng};
use rand_xorshift::XorShiftRng;
#[test]
fn test_uint8_from_bits_to_bits() {
let mut cs = TestConstraintSystem::<Fr>::new();
fn test_uint8_from_bits_to_bits() -> Result<(), SynthesisError> {
let cs = ConstraintSystem::<Fr>::new_ref();
let byte_val = 0b01110001;
let byte = UInt8::alloc(cs.ns(|| "alloc value"), || Ok(byte_val)).unwrap();
let byte = UInt8::new_witness(cs.ns("alloc value"), || Ok(byte_val)).unwrap();
let bits = byte.into_bits_le();
for (i, bit) in bits.iter().enumerate() {
assert_eq!(bit.get_value().unwrap(), (byte_val >> i) & 1 == 1)
assert_eq!(bit.value()?, (byte_val >> i) & 1 == 1)
}
Ok(())
}
#[test]
fn test_uint8_alloc_input_vec() {
let mut cs = TestConstraintSystem::<Fr>::new();
fn test_uint8_new_input_vec() -> Result<(), SynthesisError> {
let cs = ConstraintSystem::<Fr>::new_ref();
let byte_vals = (64u8..128u8).collect::<Vec<_>>();
let bytes = UInt8::alloc_input_vec(cs.ns(|| "alloc value"), &byte_vals).unwrap();
for (native_byte, gadget_byte) in byte_vals.into_iter().zip(bytes) {
let bits = gadget_byte.into_bits_le();
let bytes = UInt8::new_input_vec(cs.ns("alloc value"), &byte_vals).unwrap();
for (native, variable) in byte_vals.into_iter().zip(bytes) {
let bits = variable.into_bits_le();
for (i, bit) in bits.iter().enumerate() {
assert_eq!(bit.get_value().unwrap(), (native_byte >> i) & 1 == 1)
assert_eq!(bit.value()?, (native >> i) & 1 == 1)
}
}
Ok(())
}
#[test]
fn test_uint8_from_bits() {
fn test_uint8_from_bits() -> Result<(), SynthesisError> {
let mut rng = XorShiftRng::seed_from_u64(1231275789u64);
for _ in 0..1000 {
let v = (0..8)
.map(|_| Boolean::constant(rng.gen()))
.map(|_| Boolean::<Fr>::Constant(rng.gen()))
.collect::<Vec<_>>();
let b = UInt8::from_bits_le(&v);
let val = UInt8::from_bits_le(&v);
for (i, bit_gadget) in b.bits.iter().enumerate() {
match bit_gadget {
&Boolean::Constant(bit_gadget) => {
assert!(bit_gadget == ((b.value.unwrap() >> i) & 1 == 1));
}
for (i, bit) in val.bits.iter().enumerate() {
match bit {
Boolean::Constant(b) => assert!(*b == ((val.value()? >> i) & 1 == 1)),
_ => unreachable!(),
}
}
let expected_to_be_same = b.into_bits_le();
let expected_to_be_same = val.into_bits_le();
for x in v.iter().zip(expected_to_be_same.iter()) {
match x {
@ -367,14 +290,15 @@ mod test {
}
}
}
Ok(())
}
#[test]
fn test_uint8_xor() {
fn test_uint8_xor() -> Result<(), SynthesisError> {
let mut rng = XorShiftRng::seed_from_u64(1231275789u64);
for _ in 0..1000 {
let mut cs = TestConstraintSystem::<Fr>::new();
let cs = ConstraintSystem::<Fr>::new_ref();
let a: u8 = rng.gen();
let b: u8 = rng.gen();
@ -382,32 +306,27 @@ mod test {
let mut expected = a ^ b ^ c;
let a_bit = UInt8::alloc(cs.ns(|| "a_bit"), || Ok(a)).unwrap();
let a_bit = UInt8::new_witness(cs.ns("a_bit"), || Ok(a)).unwrap();
let b_bit = UInt8::constant(b);
let c_bit = UInt8::alloc(cs.ns(|| "c_bit"), || Ok(c)).unwrap();
let c_bit = UInt8::new_witness(cs.ns("c_bit"), || Ok(c)).unwrap();
let r = a_bit.xor(cs.ns(|| "first xor"), &b_bit).unwrap();
let r = r.xor(cs.ns(|| "second xor"), &c_bit).unwrap();
let r = a_bit.xor(&b_bit).unwrap();
let r = r.xor(&c_bit).unwrap();
assert!(cs.is_satisfied());
assert!(cs.is_satisfied().unwrap());
assert!(r.value == Some(expected));
for b in r.bits.iter() {
match b {
&Boolean::Is(ref b) => {
assert!(b.get_value().unwrap() == (expected & 1 == 1));
}
&Boolean::Not(ref b) => {
assert!(!b.get_value().unwrap() == (expected & 1 == 1));
}
&Boolean::Constant(b) => {
assert!(b == (expected & 1 == 1));
}
Boolean::Is(b) => assert!(b.value()? == (expected & 1 == 1)),
Boolean::Not(b) => assert!(!b.value()? == (expected & 1 == 1)),
Boolean::Constant(b) => assert!(*b == (expected & 1 == 1)),
}
expected >>= 1;
}
}
Ok(())
}
}

Write Preview
Loading…
Cancel
Save