Add ParamsVerifierKZG (#318)

* reafactor: move vp, pp as types of params

Remove params use from `verify_proof`.
It only uses the generator of G1, and this is fixed in the curve.

refactor: rm params from GWC, SHPLONK Verifiers

The verifier just takes care of partial verification,
the pairing is not checked until the last phase.
As a result, params are not needed at that stage.

refactor: rm params from IPA Verifier

refactor: rm params from Verifier::new()

refactor: rm KZGParams from DualMSM, GuardKZG

ParamsVerifierKZG are now in the structs that implmentent
VerifierStrategy: SingleStrategy and AccumulatorStrategy.

ParamsVerifierKZG is no longer reference with explicit lifetime.
This struct should be small, only the s_g2 point, so this is fine.

refactor: rm get_g from Params

refactor: add ParamsVerifierKZG

refactor: move downsize to ParamsProver

refactor: move empty_msm to ParamsVerifier

refactor: remove 'params from Params/ProverParams

refactor: fix TODOs & leftover

refactor: verfier_params -> into_verfier_params

* add: COMMIT_INSTANCE in ParamsVerifier

* chore: back to `verifier_params()`

chore: remove leftovers

fix: remove needless From impl

chore: remove leftover TODO

chore: remove unused import

fix:compress_selector with new verifier_params

halo2_backend/src/plonk/keygen.rs

@@ -40,13 +40,13 @@ where
 }
 
 /// Generate a `VerifyingKey` from an instance of `CompiledCircuit`.
-pub fn keygen_vk<'params, C, P>(
+pub fn keygen_vk<C, P>(
     params: &P,
     circuit: &CompiledCircuit<C::Scalar>,
 ) -> Result<VerifyingKey<C>, Error>
 where
     C: CurveAffine,
-    P: Params<'params, C>,
+    P: Params<C>,
     C::Scalar: FromUniformBytes<64>,
 {
     let cs_mid = &circuit.cs;
@@ -91,14 +91,14 @@ where
 }
 
 /// Generate a `ProvingKey` from a `VerifyingKey` and an instance of `CompiledCircuit`.
-pub fn keygen_pk<'params, C, P>(
+pub fn keygen_pk<C, P>(
     params: &P,
     vk: VerifyingKey<C>,
     circuit: &CompiledCircuit<C::Scalar>,
 ) -> Result<ProvingKey<C>, Error>
 where
     C: CurveAffine,
-    P: Params<'params, C>,
+    P: Params<C>,
 {
     let cs = &circuit.cs;
 

halo2_backend/src/plonk/lookup/prover.rs

@@ -63,10 +63,9 @@ pub(in crate::plonk) struct Evaluated<C: CurveAffine> {
 #[allow(clippy::too_many_arguments)]
 pub(in crate::plonk) fn lookup_commit_permuted<
     'a,
-    'params: 'a,
     F: WithSmallOrderMulGroup<3>,
     C,
-    P: Params<'params, C>,
+    P: Params<C>,
     E: EncodedChallenge<C>,
     R: RngCore,
     T: TranscriptWrite<C, E>,
@@ -180,8 +179,7 @@ impl<C: CurveAffine> Permuted<C> {
     /// added to the Lookup and finally returned by the method.
     #[allow(clippy::too_many_arguments)]
     pub(in crate::plonk) fn commit_product<
-        'params,
-        P: Params<'params, C>,
+        P: Params<C>,
         E: EncodedChallenge<C>,
         R: RngCore,
         T: TranscriptWrite<C, E>,
@@ -407,7 +405,7 @@ type ExpressionPair<F> = (Polynomial<F, LagrangeCoeff>, Polynomial<F, LagrangeCo
 /// - the first row in a sequence of like values in A' is the row
 ///   that has the corresponding value in S'.
 /// This method returns (A', S') if no errors are encountered.
-fn permute_expression_pair<'params, C: CurveAffine, P: Params<'params, C>, R: RngCore>(
+fn permute_expression_pair<C: CurveAffine, P: Params<C>, R: RngCore>(
     pk: &ProvingKey<C>,
     params: &P,
     domain: &EvaluationDomain<C::Scalar>,

halo2_backend/src/plonk/permutation/keygen.rs

@@ -117,7 +117,7 @@ impl Assembly {
         Ok(())
     }
 
-    pub(crate) fn build_vk<'params, C: CurveAffine, P: Params<'params, C>>(
+    pub(crate) fn build_vk<C: CurveAffine, P: Params<C>>(
         self,
         params: &P,
         domain: &EvaluationDomain<C::Scalar>,
@@ -126,7 +126,7 @@ impl Assembly {
         build_vk(params, domain, p, |i, j| self.mapping[i][j])
     }
 
-    pub(crate) fn build_pk<'params, C: CurveAffine, P: Params<'params, C>>(
+    pub(crate) fn build_pk<C: CurveAffine, P: Params<C>>(
         self,
         params: &P,
         domain: &EvaluationDomain<C::Scalar>,
@@ -136,7 +136,7 @@ impl Assembly {
     }
 }
 
-pub(crate) fn build_pk<'params, C: CurveAffine, P: Params<'params, C>>(
+pub(crate) fn build_pk<C: CurveAffine, P: Params<C>>(
     params: &P,
     domain: &EvaluationDomain<C::Scalar>,
     p: &Argument,
@@ -212,7 +212,7 @@ pub(crate) fn build_pk<'params, C: CurveAffine, P: Params<'params, C>>(
     }
 }
 
-pub(crate) fn build_vk<'params, C: CurveAffine, P: Params<'params, C>>(
+pub(crate) fn build_vk<C: CurveAffine, P: Params<C>>(
     params: &P,
     domain: &EvaluationDomain<C::Scalar>,
     p: &Argument,

halo2_backend/src/plonk/permutation/prover.rs

@@ -48,9 +48,8 @@ pub(crate) struct Evaluated<C: CurveAffine> {
 
 #[allow(clippy::too_many_arguments)]
 pub(in crate::plonk) fn permutation_commit<
-    'params,
     C: CurveAffine,
-    P: Params<'params, C>,
+    P: Params<C>,
     E: EncodedChallenge<C>,
     R: RngCore,
     T: TranscriptWrite<C, E>,

halo2_backend/src/plonk/shuffle/prover.rs

@@ -41,7 +41,7 @@ pub(in crate::plonk) struct Evaluated<C: CurveAffine> {
 /// - constructs A_compressed = \theta^{m-1} A_0 + theta^{m-2} A_1 + ... + \theta A_{m-2} + A_{m-1}
 ///   and S_compressed = \theta^{m-1} S_0 + theta^{m-2} S_1 + ... + \theta S_{m-2} + S_{m-1},
 #[allow(clippy::too_many_arguments)]
-fn shuffle_compress<'a, 'params: 'a, F: WithSmallOrderMulGroup<3>, C, P: Params<'params, C>>(
+fn shuffle_compress<'a, 'params: 'a, F: WithSmallOrderMulGroup<3>, C, P: Params<C>>(
     arg: &Argument<F>,
     pk: &ProvingKey<C>,
     params: &P,
@@ -96,10 +96,9 @@ where
 #[allow(clippy::too_many_arguments)]
 pub(in crate::plonk) fn shuffle_commit_product<
     'a,
-    'params: 'a,
     F: WithSmallOrderMulGroup<3>,
     C,
-    P: Params<'params, C>,
+    P: Params<C>,
     E: EncodedChallenge<C>,
     R: RngCore,
     T: TranscriptWrite<C, E>,

halo2_backend/src/plonk/vanishing/prover.rs

@@ -38,8 +38,7 @@ pub(in crate::plonk) struct Evaluated<C: CurveAffine> {
 
 impl<C: CurveAffine> Argument<C> {
     pub(in crate::plonk) fn commit<
-        'params,
-        P: ParamsProver<'params, C>,
+        P: ParamsProver<C>,
         E: EncodedChallenge<C>,
         R: RngCore,
         T: TranscriptWrite<C, E>,
@@ -100,8 +99,7 @@ impl<C: CurveAffine> Argument<C> {
 
 impl<C: CurveAffine> Committed<C> {
     pub(in crate::plonk) fn construct<
-        'params,
-        P: ParamsProver<'params, C>,
+        P: ParamsProver<C>,
         E: EncodedChallenge<C>,
         R: RngCore,
         T: TranscriptWrite<C, E>,

halo2_backend/src/plonk/vanishing/verifier.rs

@@ -6,7 +6,7 @@ use crate::{
     arithmetic::CurveAffine,
     plonk::{ChallengeX, ChallengeY, Error, VerifyingKey},
     poly::{
-        commitment::{Params, MSM},
+        commitment::{ParamsVerifier, MSM},
         VerifierQuery,
     },
     transcript::{read_n_points, EncodedChallenge, TranscriptRead},
@@ -86,7 +86,7 @@ impl<C: CurveAffine> Constructed<C> {
 }
 
 impl<C: CurveAffine> PartiallyEvaluated<C> {
-    pub(in crate::plonk) fn verify<'params, P: Params<'params, C>>(
+    pub(in crate::plonk) fn verify<'params, P: ParamsVerifier<'params, C>>(
         self,
         params: &'params P,
         expressions: impl Iterator<Item = C::Scalar>,

halo2_backend/src/plonk/verifier.rs

@@ -16,6 +16,7 @@ use crate::plonk::{
     shuffle::verifier::shuffle_read_product_commitment, ChallengeBeta, ChallengeGamma,
     ChallengeTheta, ChallengeX, ChallengeY, Error,
 };
+use crate::poly::commitment::ParamsVerifier;
 use crate::poly::{
     commitment::{Blind, CommitmentScheme, Params, Verifier},
     VerificationStrategy, VerifierQuery,
@@ -29,14 +30,7 @@ pub use batch::BatchVerifier;
 
 /// Returns a boolean indicating whether or not the proof is valid.  Verifies a single proof (not
 /// batched).
-pub fn verify_proof_single<
-    'params,
-    Scheme: CommitmentScheme,
-    V: Verifier<'params, Scheme>,
-    E: EncodedChallenge<Scheme::Curve>,
-    T: TranscriptRead<Scheme::Curve, E>,
-    Strategy: VerificationStrategy<'params, Scheme, V>,
->(
+pub fn verify_proof_single<'params, Scheme, V, E, T, Strategy>(
     params: &'params Scheme::ParamsVerifier,
     vk: &VerifyingKey<Scheme::Curve>,
     strategy: Strategy,
@@ -45,6 +39,11 @@ pub fn verify_proof_single<
 ) -> Result<Strategy::Output, Error>
 where
     Scheme::Scalar: WithSmallOrderMulGroup<3> + FromUniformBytes<64>,
+    Scheme: CommitmentScheme,
+    V: Verifier<'params, Scheme>,
+    E: EncodedChallenge<Scheme::Curve>,
+    T: TranscriptRead<Scheme::Curve, E>,
+    Strategy: VerificationStrategy<'params, Scheme, V>,
 {
     verify_proof(params, vk, strategy, &[instance], transcript)
 }
@@ -77,6 +76,13 @@ where
         }
     }
 
+    // Check that the Scheme parameters support commitment to instance
+    // if it is required by the verifier.
+    assert!(
+        !V::QUERY_INSTANCE
+            || <Scheme::ParamsVerifier as ParamsVerifier<Scheme::Curve>>::COMMIT_INSTANCE
+    );
+
     // 1. Get the commitments of the instance polynomials. ----------------------------------------
 
     let instance_commitments = if V::QUERY_INSTANCE {
@@ -503,7 +509,7 @@ where
     // We are now convinced the circuit is satisfied so long as the
     // polynomial commitments open to the correct values.
 
-    let verifier = V::new(params);
+    let verifier = V::new();
     strategy.process(|msm| {
         verifier
             .verify_proof(transcript, queries, msm)

halo2_backend/src/plonk/verifier/batch.rs

@@ -1,4 +1,4 @@
-use crate::plonk::Error;
+use crate::{plonk::Error, poly::commitment::ParamsVerifier};
 use group::ff::Field;
 use halo2_middleware::ff::FromUniformBytes;
 use halo2_middleware::zal::impls::H2cEngine;
@@ -12,7 +12,7 @@ use crate::{
     },
     plonk::VerifyingKey,
     poly::{
-        commitment::{Params, MSM},
+        commitment::MSM,
         ipa::{
             commitment::{IPACommitmentScheme, ParamsVerifierIPA},
             msm::MSMIPA,
@@ -31,8 +31,7 @@ struct BatchStrategy<'params, C: CurveAffine> {
     msm: MSMIPA<'params, C>,
 }
 
-impl<'params, C: CurveAffine>
-    VerificationStrategy<'params, IPACommitmentScheme<C>, VerifierIPA<'params, C>>
+impl<'params, C: CurveAffine> VerificationStrategy<'params, IPACommitmentScheme<C>, VerifierIPA<C>>
     for BatchStrategy<'params, C>
 {
     type Output = MSMIPA<'params, C>;
@@ -125,7 +124,7 @@ where
                 })
             })
             .try_fold_and_reduce(
-                || params.empty_msm(),
+                || ParamsVerifier::<'_, C>::empty_msm(params),
                 |acc, res| res.map(|proof_msm| accumulate_msm(acc, proof_msm)),
             );
 

halo2_backend/src/poly/commitment.rs

@@ -24,11 +24,7 @@ pub trait CommitmentScheme {
     type Curve: CurveAffine<ScalarExt = Self::Scalar>;
 
     /// Constant prover parameters
-    type ParamsProver: for<'params> ParamsProver<
-        'params,
-        Self::Curve,
-        ParamsVerifier = Self::ParamsVerifier,
-    >;
+    type ParamsProver: ParamsProver<Self::Curve>;
 
     /// Constant verifier parameters
     type ParamsVerifier: for<'params> ParamsVerifier<'params, Self::Curve>;
@@ -40,11 +36,10 @@ pub trait CommitmentScheme {
     fn read_params<R: io::Read>(reader: &mut R) -> io::Result<Self::ParamsProver>;
 }
 
+/// Common for Verifier and Prover.
+///
 /// Parameters for circuit synthesis and prover parameters.
-pub trait Params<'params, C: CurveAffine>: Sized + Clone + Debug {
-    /// Multiscalar multiplication engine
-    type MSM: MSM<C> + 'params;
-
+pub trait Params<C: CurveAffine>: Sized + Clone + Debug {
     /// Logarithmic size of the circuit
     fn k(&self) -> u32;
 
@@ -54,10 +49,6 @@ pub trait Params<'params, C: CurveAffine>: Sized + Clone + Debug {
     /// Downsize `Params` with smaller `k`.
     fn downsize(&mut self, k: u32);
 
-    /// Generates an empty multiscalar multiplication struct using the
-    /// appropriate params.
-    fn empty_msm(&'params self) -> Self::MSM;
-
     /// This commits to a polynomial using its evaluations over the $2^k$ size
     /// evaluation domain. The commitment will be blinded by the blinding factor
     /// `r`.
@@ -76,10 +67,7 @@ pub trait Params<'params, C: CurveAffine>: Sized + Clone + Debug {
 }
 
 /// Parameters for circuit synthesis and prover parameters.
-pub trait ParamsProver<'params, C: CurveAffine>: Params<'params, C> {
-    /// Constant verifier parameters.
-    type ParamsVerifier: ParamsVerifier<'params, C>;
-
+pub trait ParamsProver<C: CurveAffine>: Params<C> {
     /// Returns new instance of parameters
     fn new(k: u32) -> Self;
 
@@ -92,16 +80,18 @@ pub trait ParamsProver<'params, C: CurveAffine>: Params<'params, C> {
         poly: &Polynomial<C::ScalarExt, Coeff>,
         r: Blind<C::ScalarExt>,
     ) -> C::CurveExt;
-
-    /// Getter for g generators
-    fn get_g(&self) -> &[C];
-
-    /// Returns verification parameters.
-    fn verifier_params(&'params self) -> &'params Self::ParamsVerifier;
 }
 
 /// Verifier specific functionality with circuit constraints
-pub trait ParamsVerifier<'params, C: CurveAffine>: Params<'params, C> {}
+pub trait ParamsVerifier<'params, C: CurveAffine>: Params<C> {
+    /// Multiscalar multiplication engine
+    type MSM: MSM<C> + 'params;
+    /// Can commit to instance or not.
+    const COMMIT_INSTANCE: bool;
+    /// Generates an empty multiscalar multiplication struct using the
+    /// appropriate params.
+    fn empty_msm(&'params self) -> Self::MSM;
+}
 
 /// Multiscalar multiplication engine
 pub trait MSM<C: CurveAffine>: Clone + Debug + Send + Sync {
@@ -190,7 +180,7 @@ pub trait Verifier<'params, Scheme: CommitmentScheme> {
     const QUERY_INSTANCE: bool;
 
     /// Creates new verifier instance
-    fn new(params: &'params Scheme::ParamsVerifier) -> Self;
+    fn new() -> Self;
 
     /// Process the proof and return unfinished result named `Guard`
     fn verify_proof<
@@ -210,7 +200,7 @@ pub trait Verifier<'params, Scheme: CommitmentScheme> {
                 Item = VerifierQuery<
                     'com,
                     Scheme::Curve,
-                    <Scheme::ParamsVerifier as Params<'params, Scheme::Curve>>::MSM,
+                    <Scheme::ParamsVerifier as ParamsVerifier<'params, Scheme::Curve>>::MSM,
                 >,
             > + Clone;
 }