diff --git a/halo2_backend/src/plonk/keygen.rs b/halo2_backend/src/plonk/keygen.rs index 7d38f7a914..406099a723 100644 --- a/halo2_backend/src/plonk/keygen.rs +++ b/halo2_backend/src/plonk/keygen.rs @@ -40,13 +40,13 @@ where } /// Generate a `VerifyingKey` from an instance of `CompiledCircuit`. -pub fn keygen_vk<'params, C, P>( +pub fn keygen_vk( params: &P, circuit: &CompiledCircuit, ) -> Result, Error> where C: CurveAffine, - P: Params<'params, C>, + P: Params, C::Scalar: FromUniformBytes<64>, { let cs_mid = &circuit.cs; @@ -91,14 +91,14 @@ where } /// Generate a `ProvingKey` from a `VerifyingKey` and an instance of `CompiledCircuit`. -pub fn keygen_pk<'params, C, P>( +pub fn keygen_pk( params: &P, vk: VerifyingKey, circuit: &CompiledCircuit, ) -> Result, Error> where C: CurveAffine, - P: Params<'params, C>, + P: Params, { let cs = &circuit.cs; diff --git a/halo2_backend/src/plonk/lookup/prover.rs b/halo2_backend/src/plonk/lookup/prover.rs index ceafd1a37a..9f25fe9f13 100644 --- a/halo2_backend/src/plonk/lookup/prover.rs +++ b/halo2_backend/src/plonk/lookup/prover.rs @@ -63,10 +63,9 @@ pub(in crate::plonk) struct Evaluated { #[allow(clippy::too_many_arguments)] pub(in crate::plonk) fn lookup_commit_permuted< 'a, - 'params: 'a, F: WithSmallOrderMulGroup<3>, C, - P: Params<'params, C>, + P: Params, E: EncodedChallenge, R: RngCore, T: TranscriptWrite, @@ -180,8 +179,7 @@ impl Permuted { /// added to the Lookup and finally returned by the method. #[allow(clippy::too_many_arguments)] pub(in crate::plonk) fn commit_product< - 'params, - P: Params<'params, C>, + P: Params, E: EncodedChallenge, R: RngCore, T: TranscriptWrite, @@ -407,7 +405,7 @@ type ExpressionPair = (Polynomial, Polynomial, R: RngCore>( +fn permute_expression_pair, R: RngCore>( pk: &ProvingKey, params: &P, domain: &EvaluationDomain, diff --git a/halo2_backend/src/plonk/permutation/keygen.rs b/halo2_backend/src/plonk/permutation/keygen.rs index e0bc0319d0..261d07386b 100644 --- a/halo2_backend/src/plonk/permutation/keygen.rs +++ b/halo2_backend/src/plonk/permutation/keygen.rs @@ -117,7 +117,7 @@ impl Assembly { Ok(()) } - pub(crate) fn build_vk<'params, C: CurveAffine, P: Params<'params, C>>( + pub(crate) fn build_vk>( self, params: &P, domain: &EvaluationDomain, @@ -126,7 +126,7 @@ impl Assembly { build_vk(params, domain, p, |i, j| self.mapping[i][j]) } - pub(crate) fn build_pk<'params, C: CurveAffine, P: Params<'params, C>>( + pub(crate) fn build_pk>( self, params: &P, domain: &EvaluationDomain, @@ -136,7 +136,7 @@ impl Assembly { } } -pub(crate) fn build_pk<'params, C: CurveAffine, P: Params<'params, C>>( +pub(crate) fn build_pk>( params: &P, domain: &EvaluationDomain, p: &Argument, @@ -212,7 +212,7 @@ pub(crate) fn build_pk<'params, C: CurveAffine, P: Params<'params, C>>( } } -pub(crate) fn build_vk<'params, C: CurveAffine, P: Params<'params, C>>( +pub(crate) fn build_vk>( params: &P, domain: &EvaluationDomain, p: &Argument, diff --git a/halo2_backend/src/plonk/permutation/prover.rs b/halo2_backend/src/plonk/permutation/prover.rs index 5aa577b680..c80ce2102d 100644 --- a/halo2_backend/src/plonk/permutation/prover.rs +++ b/halo2_backend/src/plonk/permutation/prover.rs @@ -48,9 +48,8 @@ pub(crate) struct Evaluated { #[allow(clippy::too_many_arguments)] pub(in crate::plonk) fn permutation_commit< - 'params, C: CurveAffine, - P: Params<'params, C>, + P: Params, E: EncodedChallenge, R: RngCore, T: TranscriptWrite, diff --git a/halo2_backend/src/plonk/shuffle/prover.rs b/halo2_backend/src/plonk/shuffle/prover.rs index b9d8041f28..cc01a65255 100644 --- a/halo2_backend/src/plonk/shuffle/prover.rs +++ b/halo2_backend/src/plonk/shuffle/prover.rs @@ -41,7 +41,7 @@ pub(in crate::plonk) struct Evaluated { /// - constructs A_compressed = \theta^{m-1} A_0 + theta^{m-2} A_1 + ... + \theta A_{m-2} + A_{m-1} /// and S_compressed = \theta^{m-1} S_0 + theta^{m-2} S_1 + ... + \theta S_{m-2} + S_{m-1}, #[allow(clippy::too_many_arguments)] -fn shuffle_compress<'a, 'params: 'a, F: WithSmallOrderMulGroup<3>, C, P: Params<'params, C>>( +fn shuffle_compress<'a, 'params: 'a, F: WithSmallOrderMulGroup<3>, C, P: Params>( arg: &Argument, pk: &ProvingKey, params: &P, @@ -96,10 +96,9 @@ where #[allow(clippy::too_many_arguments)] pub(in crate::plonk) fn shuffle_commit_product< 'a, - 'params: 'a, F: WithSmallOrderMulGroup<3>, C, - P: Params<'params, C>, + P: Params, E: EncodedChallenge, R: RngCore, T: TranscriptWrite, diff --git a/halo2_backend/src/plonk/vanishing/prover.rs b/halo2_backend/src/plonk/vanishing/prover.rs index c7d9a0664b..fb0e5b5e76 100644 --- a/halo2_backend/src/plonk/vanishing/prover.rs +++ b/halo2_backend/src/plonk/vanishing/prover.rs @@ -38,8 +38,7 @@ pub(in crate::plonk) struct Evaluated { impl Argument { pub(in crate::plonk) fn commit< - 'params, - P: ParamsProver<'params, C>, + P: ParamsProver, E: EncodedChallenge, R: RngCore, T: TranscriptWrite, @@ -100,8 +99,7 @@ impl Argument { impl Committed { pub(in crate::plonk) fn construct< - 'params, - P: ParamsProver<'params, C>, + P: ParamsProver, E: EncodedChallenge, R: RngCore, T: TranscriptWrite, diff --git a/halo2_backend/src/plonk/vanishing/verifier.rs b/halo2_backend/src/plonk/vanishing/verifier.rs index aeb5d85a10..2b54035450 100644 --- a/halo2_backend/src/plonk/vanishing/verifier.rs +++ b/halo2_backend/src/plonk/vanishing/verifier.rs @@ -6,7 +6,7 @@ use crate::{ arithmetic::CurveAffine, plonk::{ChallengeX, ChallengeY, Error, VerifyingKey}, poly::{ - commitment::{Params, MSM}, + commitment::{ParamsVerifier, MSM}, VerifierQuery, }, transcript::{read_n_points, EncodedChallenge, TranscriptRead}, @@ -86,7 +86,7 @@ impl Constructed { } impl PartiallyEvaluated { - pub(in crate::plonk) fn verify<'params, P: Params<'params, C>>( + pub(in crate::plonk) fn verify<'params, P: ParamsVerifier<'params, C>>( self, params: &'params P, expressions: impl Iterator, diff --git a/halo2_backend/src/plonk/verifier.rs b/halo2_backend/src/plonk/verifier.rs index d0e8650ac2..d06224dcf5 100644 --- a/halo2_backend/src/plonk/verifier.rs +++ b/halo2_backend/src/plonk/verifier.rs @@ -16,6 +16,7 @@ use crate::plonk::{ shuffle::verifier::shuffle_read_product_commitment, ChallengeBeta, ChallengeGamma, ChallengeTheta, ChallengeX, ChallengeY, Error, }; +use crate::poly::commitment::ParamsVerifier; use crate::poly::{ commitment::{Blind, CommitmentScheme, Params, Verifier}, VerificationStrategy, VerifierQuery, @@ -29,14 +30,7 @@ pub use batch::BatchVerifier; /// Returns a boolean indicating whether or not the proof is valid. Verifies a single proof (not /// batched). -pub fn verify_proof_single< - 'params, - Scheme: CommitmentScheme, - V: Verifier<'params, Scheme>, - E: EncodedChallenge, - T: TranscriptRead, - Strategy: VerificationStrategy<'params, Scheme, V>, ->( +pub fn verify_proof_single<'params, Scheme, V, E, T, Strategy>( params: &'params Scheme::ParamsVerifier, vk: &VerifyingKey, strategy: Strategy, @@ -45,6 +39,11 @@ pub fn verify_proof_single< ) -> Result where Scheme::Scalar: WithSmallOrderMulGroup<3> + FromUniformBytes<64>, + Scheme: CommitmentScheme, + V: Verifier<'params, Scheme>, + E: EncodedChallenge, + T: TranscriptRead, + Strategy: VerificationStrategy<'params, Scheme, V>, { verify_proof(params, vk, strategy, &[instance], transcript) } @@ -77,6 +76,13 @@ where } } + // Check that the Scheme parameters support commitment to instance + // if it is required by the verifier. + assert!( + !V::QUERY_INSTANCE + || >::COMMIT_INSTANCE + ); + // 1. Get the commitments of the instance polynomials. ---------------------------------------- let instance_commitments = if V::QUERY_INSTANCE { @@ -503,7 +509,7 @@ where // We are now convinced the circuit is satisfied so long as the // polynomial commitments open to the correct values. - let verifier = V::new(params); + let verifier = V::new(); strategy.process(|msm| { verifier .verify_proof(transcript, queries, msm) diff --git a/halo2_backend/src/plonk/verifier/batch.rs b/halo2_backend/src/plonk/verifier/batch.rs index 350ccc160c..f33a5bf5a0 100644 --- a/halo2_backend/src/plonk/verifier/batch.rs +++ b/halo2_backend/src/plonk/verifier/batch.rs @@ -1,4 +1,4 @@ -use crate::plonk::Error; +use crate::{plonk::Error, poly::commitment::ParamsVerifier}; use group::ff::Field; use halo2_middleware::ff::FromUniformBytes; use halo2_middleware::zal::impls::H2cEngine; @@ -12,7 +12,7 @@ use crate::{ }, plonk::VerifyingKey, poly::{ - commitment::{Params, MSM}, + commitment::MSM, ipa::{ commitment::{IPACommitmentScheme, ParamsVerifierIPA}, msm::MSMIPA, @@ -31,8 +31,7 @@ struct BatchStrategy<'params, C: CurveAffine> { msm: MSMIPA<'params, C>, } -impl<'params, C: CurveAffine> - VerificationStrategy<'params, IPACommitmentScheme, VerifierIPA<'params, C>> +impl<'params, C: CurveAffine> VerificationStrategy<'params, IPACommitmentScheme, VerifierIPA> for BatchStrategy<'params, C> { type Output = MSMIPA<'params, C>; @@ -125,7 +124,7 @@ where }) }) .try_fold_and_reduce( - || params.empty_msm(), + || ParamsVerifier::<'_, C>::empty_msm(params), |acc, res| res.map(|proof_msm| accumulate_msm(acc, proof_msm)), ); diff --git a/halo2_backend/src/poly/commitment.rs b/halo2_backend/src/poly/commitment.rs index 7f0c2f0c16..fb11099150 100644 --- a/halo2_backend/src/poly/commitment.rs +++ b/halo2_backend/src/poly/commitment.rs @@ -24,11 +24,7 @@ pub trait CommitmentScheme { type Curve: CurveAffine; /// Constant prover parameters - type ParamsProver: for<'params> ParamsProver< - 'params, - Self::Curve, - ParamsVerifier = Self::ParamsVerifier, - >; + type ParamsProver: ParamsProver; /// Constant verifier parameters type ParamsVerifier: for<'params> ParamsVerifier<'params, Self::Curve>; @@ -40,11 +36,10 @@ pub trait CommitmentScheme { fn read_params(reader: &mut R) -> io::Result; } +/// Common for Verifier and Prover. +/// /// Parameters for circuit synthesis and prover parameters. -pub trait Params<'params, C: CurveAffine>: Sized + Clone + Debug { - /// Multiscalar multiplication engine - type MSM: MSM + 'params; - +pub trait Params: Sized + Clone + Debug { /// Logarithmic size of the circuit fn k(&self) -> u32; @@ -54,10 +49,6 @@ pub trait Params<'params, C: CurveAffine>: Sized + Clone + Debug { /// Downsize `Params` with smaller `k`. fn downsize(&mut self, k: u32); - /// Generates an empty multiscalar multiplication struct using the - /// appropriate params. - fn empty_msm(&'params self) -> Self::MSM; - /// This commits to a polynomial using its evaluations over the $2^k$ size /// evaluation domain. The commitment will be blinded by the blinding factor /// `r`. @@ -76,10 +67,7 @@ pub trait Params<'params, C: CurveAffine>: Sized + Clone + Debug { } /// Parameters for circuit synthesis and prover parameters. -pub trait ParamsProver<'params, C: CurveAffine>: Params<'params, C> { - /// Constant verifier parameters. - type ParamsVerifier: ParamsVerifier<'params, C>; - +pub trait ParamsProver: Params { /// Returns new instance of parameters fn new(k: u32) -> Self; @@ -92,16 +80,18 @@ pub trait ParamsProver<'params, C: CurveAffine>: Params<'params, C> { poly: &Polynomial, r: Blind, ) -> C::CurveExt; - - /// Getter for g generators - fn get_g(&self) -> &[C]; - - /// Returns verification parameters. - fn verifier_params(&'params self) -> &'params Self::ParamsVerifier; } /// Verifier specific functionality with circuit constraints -pub trait ParamsVerifier<'params, C: CurveAffine>: Params<'params, C> {} +pub trait ParamsVerifier<'params, C: CurveAffine>: Params { + /// Multiscalar multiplication engine + type MSM: MSM + 'params; + /// Can commit to instance or not. + const COMMIT_INSTANCE: bool; + /// Generates an empty multiscalar multiplication struct using the + /// appropriate params. + fn empty_msm(&'params self) -> Self::MSM; +} /// Multiscalar multiplication engine pub trait MSM: Clone + Debug + Send + Sync { @@ -190,7 +180,7 @@ pub trait Verifier<'params, Scheme: CommitmentScheme> { const QUERY_INSTANCE: bool; /// Creates new verifier instance - fn new(params: &'params Scheme::ParamsVerifier) -> Self; + fn new() -> Self; /// Process the proof and return unfinished result named `Guard` fn verify_proof< @@ -210,7 +200,7 @@ pub trait Verifier<'params, Scheme: CommitmentScheme> { Item = VerifierQuery< 'com, Scheme::Curve, - >::MSM, + >::MSM, >, > + Clone; } diff --git a/halo2_backend/src/poly/ipa/commitment.rs b/halo2_backend/src/poly/ipa/commitment.rs index 7ac521327b..e1436e28c5 100644 --- a/halo2_backend/src/poly/ipa/commitment.rs +++ b/halo2_backend/src/poly/ipa/commitment.rs @@ -57,11 +57,18 @@ impl CommitmentScheme for IPACommitmentScheme { /// Verifier parameters pub type ParamsVerifierIPA = ParamsIPA; -impl<'params, C: CurveAffine> ParamsVerifier<'params, C> for ParamsIPA {} - -impl<'params, C: CurveAffine> Params<'params, C> for ParamsIPA { +impl<'params, C: CurveAffine> ParamsVerifier<'params, C> for ParamsIPA { type MSM = MSMIPA<'params, C>; + // IPA params always support commitment. + const COMMIT_INSTANCE: bool = true; + + fn empty_msm(&self) -> MSMIPA { + MSMIPA::new(self) + } +} + +impl Params for ParamsIPA { fn k(&self) -> u32 { self.k } @@ -79,10 +86,6 @@ impl<'params, C: CurveAffine> Params<'params, C> for ParamsIPA { self.g_lagrange = g_to_lagrange(self.g.iter().map(|g| g.to_curve()).collect(), k); } - fn empty_msm(&'params self) -> MSMIPA { - MSMIPA::new(self) - } - /// This commits to a polynomial using its evaluations over the $2^k$ size /// evaluation domain. The commitment will be blinded by the blinding factor /// `r`. @@ -144,13 +147,7 @@ impl<'params, C: CurveAffine> Params<'params, C> for ParamsIPA { } } -impl<'params, C: CurveAffine> ParamsProver<'params, C> for ParamsIPA { - type ParamsVerifier = ParamsVerifierIPA; - - fn verifier_params(&'params self) -> &'params Self::ParamsVerifier { - self - } - +impl ParamsProver for ParamsIPA { /// Initializes parameters for the curve, given a random oracle to draw /// points from. fn new(k: u32) -> Self { @@ -233,10 +230,6 @@ impl<'params, C: CurveAffine> ParamsProver<'params, C> for ParamsIPA { engine.msm(&tmp_scalars, &tmp_bases) } - - fn get_g(&self) -> &[C] { - &self.g - } } #[cfg(test)] @@ -374,7 +367,7 @@ mod test { let mut commitment_msm = MSMIPA::new(¶ms); commitment_msm.append_term(Fq::one(), p.into()); - let guard = verify_proof(¶ms, commitment_msm, &mut transcript, *x, v).unwrap(); + let guard = verify_proof(commitment_msm, &mut transcript, *x, v).unwrap(); let ch_verifier = transcript.squeeze_challenge(); assert_eq!(*ch_prover, *ch_verifier); diff --git a/halo2_backend/src/poly/ipa/commitment/verifier.rs b/halo2_backend/src/poly/ipa/commitment/verifier.rs index 5117df25f1..2e6723c5b6 100644 --- a/halo2_backend/src/poly/ipa/commitment/verifier.rs +++ b/halo2_backend/src/poly/ipa/commitment/verifier.rs @@ -1,6 +1,5 @@ use group::ff::{BatchInvert, Field}; -use super::ParamsIPA; use crate::{arithmetic::CurveAffine, poly::ipa::strategy::GuardIPA}; use crate::{ poly::{commitment::MSM, ipa::msm::MSMIPA, Error}, @@ -11,13 +10,12 @@ use crate::{ /// point `x` that the polynomial commitment `P` opens purportedly to the value /// `v`. The provided `msm` should evaluate to the commitment `P` being opened. pub fn verify_proof<'params, C: CurveAffine, E: EncodedChallenge, T: TranscriptRead>( - params: &'params ParamsIPA, mut msm: MSMIPA<'params, C>, transcript: &mut T, x: C::Scalar, v: C::Scalar, ) -> Result, Error> { - let k = params.k as usize; + let k = msm.params.k as usize; // P' = P - [v] G_0 + [ΞΎ] S msm.add_constant_term(-v); // add [-v] G_0 diff --git a/halo2_backend/src/poly/ipa/multiopen/verifier.rs b/halo2_backend/src/poly/ipa/multiopen/verifier.rs index 62e764d8fd..79133eeffa 100644 --- a/halo2_backend/src/poly/ipa/multiopen/verifier.rs +++ b/halo2_backend/src/poly/ipa/multiopen/verifier.rs @@ -1,11 +1,12 @@ use std::fmt::Debug; +use std::marker::PhantomData; use halo2_middleware::ff::Field; use super::{construct_intermediate_sets, ChallengeX1, ChallengeX2, ChallengeX3, ChallengeX4}; use crate::arithmetic::{eval_polynomial, lagrange_interpolate, CurveAffine}; -use crate::poly::commitment::{Params, Verifier, MSM}; -use crate::poly::ipa::commitment::{IPACommitmentScheme, ParamsIPA, ParamsVerifierIPA}; +use crate::poly::commitment::{ParamsVerifier, Verifier, MSM}; +use crate::poly::ipa::commitment::IPACommitmentScheme; use crate::poly::ipa::msm::MSMIPA; use crate::poly::ipa::strategy::GuardIPA; use crate::poly::query::{CommitmentReference, VerifierQuery}; @@ -14,20 +15,20 @@ use crate::transcript::{EncodedChallenge, TranscriptRead}; /// IPA multi-open verifier #[derive(Debug)] -pub struct VerifierIPA<'params, C: CurveAffine> { - params: &'params ParamsIPA, +pub struct VerifierIPA { + _marker: PhantomData, } -impl<'params, C: CurveAffine> Verifier<'params, IPACommitmentScheme> - for VerifierIPA<'params, C> -{ +impl<'params, C: CurveAffine> Verifier<'params, IPACommitmentScheme> for VerifierIPA { type Guard = GuardIPA<'params, C>; type MSMAccumulator = MSMIPA<'params, C>; const QUERY_INSTANCE: bool = true; - fn new(params: &'params ParamsVerifierIPA) -> Self { - Self { params } + fn new() -> Self { + Self { + _marker: PhantomData, + } } fn verify_proof<'com, E: EncodedChallenge, T: TranscriptRead, I>( @@ -51,8 +52,10 @@ impl<'params, C: CurveAffine> Verifier<'params, IPACommitmentScheme> // Compress the commitments and expected evaluations at x together. // using the challenge x_1 + let empty_msm = ParamsVerifier::<'params, C>::empty_msm(msm.params); let mut q_commitments: Vec<_> = vec![ - (self.params.empty_msm(), C::Scalar::ONE); // (accumulator, next x_1 power). + + (empty_msm, C::Scalar::ONE); // (accumulator, next x_1 power). point_sets.len()]; // A vec of vecs of evals. The outer vec corresponds to the point set, @@ -143,6 +146,6 @@ impl<'params, C: CurveAffine> Verifier<'params, IPACommitmentScheme> ); // Verify the opening proof - super::commitment::verify_proof(self.params, msm, transcript, *x_3, v) + super::commitment::verify_proof(msm, transcript, *x_3, v) } } diff --git a/halo2_backend/src/poly/ipa/strategy.rs b/halo2_backend/src/poly/ipa/strategy.rs index c74086377b..4fdc47523c 100644 --- a/halo2_backend/src/poly/ipa/strategy.rs +++ b/halo2_backend/src/poly/ipa/strategy.rs @@ -76,8 +76,7 @@ pub struct AccumulatorStrategy<'params, C: CurveAffine> { msm: MSMIPA<'params, C>, } -impl<'params, C: CurveAffine> - VerificationStrategy<'params, IPACommitmentScheme, VerifierIPA<'params, C>> +impl<'params, C: CurveAffine> VerificationStrategy<'params, IPACommitmentScheme, VerifierIPA> for AccumulatorStrategy<'params, C> { type Output = Self; @@ -117,8 +116,7 @@ pub struct SingleStrategy<'params, C: CurveAffine> { msm: MSMIPA<'params, C>, } -impl<'params, C: CurveAffine> - VerificationStrategy<'params, IPACommitmentScheme, VerifierIPA<'params, C>> +impl<'params, C: CurveAffine> VerificationStrategy<'params, IPACommitmentScheme, VerifierIPA> for SingleStrategy<'params, C> { type Output = (); diff --git a/halo2_backend/src/poly/kzg/commitment.rs b/halo2_backend/src/poly/kzg/commitment.rs index 4fe9701b1e..3bb0e5669f 100644 --- a/halo2_backend/src/poly/kzg/commitment.rs +++ b/halo2_backend/src/poly/kzg/commitment.rs @@ -7,7 +7,7 @@ use group::{prime::PrimeCurveAffine, Curve, Group}; use halo2_middleware::ff::{Field, PrimeField}; use halo2_middleware::zal::traits::MsmAccel; use halo2curves::pairing::Engine; -use halo2curves::CurveExt; +use halo2curves::{CurveAffine, CurveExt}; use rand_core::{OsRng, RngCore}; use std::fmt::Debug; use std::marker::PhantomData; @@ -27,13 +27,107 @@ pub struct ParamsKZG { pub(crate) s_g2: E::G2Affine, } +/// Parameters KZG-based proof verification: +#[derive(Debug, Clone)] +pub struct ParamsVerifierKZG { + pub(crate) k: u32, + pub(crate) s_g2: E::G2Affine, +} + +impl Params for ParamsVerifierKZG +where + E::G1Affine: SerdeCurveAffine::Fr, CurveExt = ::G1>, + E::G1: CurveExt, + E::G2Affine: SerdeCurveAffine, +{ + fn k(&self) -> u32 { + self.k + } + + fn n(&self) -> u64 { + 1 << self.k + } + + fn downsize(&mut self, k: u32) { + assert!(k <= self.k); + self.k = k; + } + + fn commit_lagrange( + &self, + _engine: &impl MsmAccel, + _poly: &Polynomial, + _: Blind, + ) -> E::G1 { + panic!("Commitment is not supported for ParamsVerifierKZG, use ParamsKZG instead."); + } + + /// Writes params to a buffer. + fn write(&self, writer: &mut W) -> io::Result<()> { + Self::write_custom(self, writer, SerdeFormat::RawBytes) + } + + /// Reads params from a buffer. + fn read(reader: &mut R) -> io::Result { + Self::read_custom(reader, SerdeFormat::RawBytes) + } +} + +impl<'params, E: Engine> ParamsVerifier<'params, E::G1Affine> for ParamsVerifierKZG +where + E::G1Affine: SerdeCurveAffine::Fr, CurveExt = ::G1>, + E::G1: CurveExt, + E::G2Affine: SerdeCurveAffine, +{ + type MSM = MSMKZG; + + // Do not support commitment. + const COMMIT_INSTANCE: bool = false; + + fn empty_msm(&'params self) -> MSMKZG { + MSMKZG::new() + } +} + +impl ParamsVerifierKZG +where + E::G1Affine: CurveAffine, + E::G1: CurveExt, +{ + pub fn write_custom(&self, writer: &mut W, format: SerdeFormat) -> io::Result<()> + where + E::G1Affine: SerdeCurveAffine, + E::G2Affine: SerdeCurveAffine, + { + writer.write_all(&self.k.to_le_bytes())?; + self.s_g2.write(writer, format)?; + Ok(()) + } + + pub fn read_custom(reader: &mut R, format: SerdeFormat) -> io::Result + where + E::G1Affine: SerdeCurveAffine, + E::G2Affine: SerdeCurveAffine, + { + let mut k = [0u8; 4]; + reader.read_exact(&mut k[..])?; + let k = u32::from_le_bytes(k); + // This is a generous bound on the size of the domain. + debug_assert!(k < 32); + + let s_g2 = E::G2Affine::read(reader, format)?; + + Ok(Self { k, s_g2 }) + } +} + /// Umbrella commitment scheme construction for all KZG variants #[derive(Debug)] pub struct KZGCommitmentScheme { _marker: PhantomData, } -impl CommitmentScheme for KZGCommitmentScheme +impl CommitmentScheme for KZGCommitmentScheme where E::G1Affine: SerdeCurveAffine::Fr, CurveExt = ::G1>, E::G1: CurveExt, @@ -54,9 +148,9 @@ where } } -impl ParamsKZG +impl ParamsKZG where - E::G1Affine: SerdeCurveAffine, + E::G1Affine: CurveAffine, E::G1: CurveExt, { /// Initializes parameters for the curve, draws toxic secret from given rng. @@ -153,19 +247,17 @@ where } } - /// Returns gernerator on G2 - pub fn g2(&self) -> E::G2Affine { - self.g2 - } - - /// Returns first power of secret on G2 - pub fn s_g2(&self) -> E::G2Affine { - self.s_g2 + pub fn verifier_params(&self) -> ParamsVerifierKZG { + ParamsVerifierKZG { + k: self.k, + s_g2: self.s_g2, + } } /// Writes parameters to buffer pub fn write_custom(&self, writer: &mut W, format: SerdeFormat) -> io::Result<()> where + E::G1Affine: SerdeCurveAffine, E::G2Affine: SerdeCurveAffine, { writer.write_all(&self.k.to_le_bytes())?; @@ -183,6 +275,7 @@ where /// Reads params from a buffer. pub fn read_custom(reader: &mut R, format: SerdeFormat) -> io::Result where + E::G1Affine: SerdeCurveAffine, E::G2Affine: SerdeCurveAffine, { let mut k = [0u8; 4]; @@ -267,19 +360,12 @@ where } } -// TODO: see the issue at https://github.com/appliedzkp/halo2/issues/45 -// So we probably need much smaller verifier key. However for new bases in g1 should be in verifier keys. -/// KZG multi-open verification parameters -pub type ParamsVerifierKZG = ParamsKZG; - -impl<'params, E: Engine + Debug> Params<'params, E::G1Affine> for ParamsKZG +impl Params for ParamsKZG where E::G1Affine: SerdeCurveAffine::Fr, CurveExt = ::G1>, E::G1: CurveExt, E::G2Affine: SerdeCurveAffine, { - type MSM = MSMKZG; - fn k(&self) -> u32 { self.k } @@ -288,20 +374,6 @@ where self.n } - fn downsize(&mut self, k: u32) { - assert!(k <= self.k); - - self.k = k; - self.n = 1 << k; - - self.g.truncate(self.n as usize); - self.g_lagrange = g_to_lagrange(self.g.iter().map(|g| g.to_curve()).collect(), k); - } - - fn empty_msm(&'params self) -> MSMKZG { - MSMKZG::new() - } - fn commit_lagrange( &self, engine: &impl MsmAccel, @@ -316,6 +388,16 @@ where engine.msm(&scalars, &bases[0..size]) } + fn downsize(&mut self, k: u32) { + assert!(k <= self.k); + + self.k = k; + self.n = 1 << k; + + self.g.truncate(self.n as usize); + self.g_lagrange = g_to_lagrange(self.g.iter().map(|g| g.to_curve()).collect(), k); + } + /// Writes params to a buffer. fn write(&self, writer: &mut W) -> io::Result<()> { self.write_custom(writer, SerdeFormat::RawBytes) @@ -327,26 +409,26 @@ where } } -impl<'params, E: Engine + Debug> ParamsVerifier<'params, E::G1Affine> for ParamsKZG +impl<'params, E: Engine> ParamsVerifier<'params, E::G1Affine> for ParamsKZG where E::G1Affine: SerdeCurveAffine::Fr, CurveExt = ::G1>, E::G1: CurveExt, E::G2Affine: SerdeCurveAffine, { + type MSM = MSMKZG; + // KZG params with support for commitment. + const COMMIT_INSTANCE: bool = true; + fn empty_msm(&self) -> MSMKZG { + MSMKZG::new() + } } -impl<'params, E: Engine + Debug> ParamsProver<'params, E::G1Affine> for ParamsKZG +impl ParamsProver for ParamsKZG where E::G1Affine: SerdeCurveAffine::Fr, CurveExt = ::G1>, E::G1: CurveExt, E::G2Affine: SerdeCurveAffine, { - type ParamsVerifier = ParamsVerifierKZG; - - fn verifier_params(&'params self) -> &'params Self::ParamsVerifier { - self - } - fn new(k: u32) -> Self { Self::setup(k, OsRng) } @@ -364,10 +446,6 @@ where assert!(bases.len() >= size); engine.msm(&scalars, &bases[0..size]) } - - fn get_g(&self) -> &[E::G1Affine] { - &self.g - } } #[cfg(test)] diff --git a/halo2_backend/src/poly/kzg/msm.rs b/halo2_backend/src/poly/kzg/msm.rs index 82897c6e73..b5a36d031a 100644 --- a/halo2_backend/src/poly/kzg/msm.rs +++ b/halo2_backend/src/poly/kzg/msm.rs @@ -1,6 +1,6 @@ use std::fmt::Debug; -use super::commitment::ParamsKZG; +use super::commitment::ParamsVerifierKZG; use crate::{arithmetic::parallelize, poly::commitment::MSM}; use group::{Curve, Group}; use halo2_middleware::zal::traits::MsmAccel; @@ -46,7 +46,7 @@ where } } -impl MSM for MSMKZG +impl MSM for MSMKZG where E::G1Affine: CurveAffine::Fr, CurveExt = ::G1>, E::G1: CurveExt, @@ -101,7 +101,7 @@ where projectives_msms: Vec>, } -impl Default for PreMSM +impl Default for PreMSM where E::G1Affine: CurveAffine::Fr, CurveExt = ::G1>, E::G1: CurveExt, @@ -113,7 +113,7 @@ where } } -impl PreMSM +impl PreMSM where E::G1Affine: CurveAffine::Fr, CurveExt = ::G1>, E::G1: CurveExt, @@ -136,37 +136,25 @@ where } } -impl<'params, E: MultiMillerLoop + Debug> From<&'params ParamsKZG> for DualMSM<'params, E> -where - E::G1Affine: CurveAffine::Fr, CurveExt = ::G1>, - E::G1: CurveExt, -{ - fn from(params: &'params ParamsKZG) -> Self { - DualMSM::new(params) - } -} - /// Two channel MSM accumulator -#[derive(Debug, Clone)] -pub struct DualMSM<'a, E: Engine> +#[derive(Debug, Default, Clone)] +pub struct DualMSM where E::G1Affine: CurveAffine::Fr, CurveExt = ::G1>, E::G1: CurveExt, { - pub(crate) params: &'a ParamsKZG, pub(crate) left: MSMKZG, pub(crate) right: MSMKZG, } -impl<'a, E: MultiMillerLoop + Debug> DualMSM<'a, E> +impl DualMSM where E::G1Affine: CurveAffine::Fr, CurveExt = ::G1>, E::G1: CurveExt, { /// Create a new two channel MSM accumulator instance - pub fn new(params: &'a ParamsKZG) -> Self { + pub fn new() -> Self { Self { - params, left: MSMKZG::new(), right: MSMKZG::new(), } @@ -185,9 +173,9 @@ where } /// Performs final pairing check with given verifier params and two channel linear combination - pub fn check(self, engine: &impl MsmAccel) -> bool { - let s_g2_prepared = E::G2Prepared::from(self.params.s_g2); - let n_g2_prepared = E::G2Prepared::from(-self.params.g2); + pub fn check(self, engine: &impl MsmAccel, params: &ParamsVerifierKZG) -> bool { + let s_g2_prepared = E::G2Prepared::from(params.s_g2); + let n_g2_prepared = E::G2Prepared::from((-E::G2::generator()).into()); let left = self.left.eval(engine); let right = self.right.eval(engine); diff --git a/halo2_backend/src/poly/kzg/multiopen/gwc/verifier.rs b/halo2_backend/src/poly/kzg/multiopen/gwc/verifier.rs index 261f5e2234..3ac5065b09 100644 --- a/halo2_backend/src/poly/kzg/multiopen/gwc/verifier.rs +++ b/halo2_backend/src/poly/kzg/multiopen/gwc/verifier.rs @@ -1,11 +1,12 @@ use std::fmt::Debug; +use std::marker::PhantomData; use super::{construct_intermediate_sets, ChallengeU, ChallengeV}; use crate::arithmetic::powers; use crate::helpers::SerdeCurveAffine; use crate::poly::commitment::Verifier; use crate::poly::commitment::MSM; -use crate::poly::kzg::commitment::{KZGCommitmentScheme, ParamsKZG}; +use crate::poly::kzg::commitment::KZGCommitmentScheme; use crate::poly::kzg::msm::{DualMSM, MSMKZG}; use crate::poly::kzg::strategy::GuardKZG; use crate::poly::query::Query; @@ -13,30 +14,33 @@ use crate::poly::query::{CommitmentReference, VerifierQuery}; use crate::poly::Error; use crate::transcript::{EncodedChallenge, TranscriptRead}; +use group::prime::PrimeCurveAffine; use halo2_middleware::ff::Field; use halo2curves::pairing::{Engine, MultiMillerLoop}; use halo2curves::CurveExt; #[derive(Debug)] /// Concrete KZG verifier with GWC variant -pub struct VerifierGWC<'params, E: Engine> { - params: &'params ParamsKZG, +pub struct VerifierGWC { + _marker: PhantomData, } -impl<'params, E> Verifier<'params, KZGCommitmentScheme> for VerifierGWC<'params, E> +impl<'params, E> Verifier<'params, KZGCommitmentScheme> for VerifierGWC where E: MultiMillerLoop + Debug, E::G1Affine: SerdeCurveAffine::Fr, CurveExt = ::G1>, E::G1: CurveExt, E::G2Affine: SerdeCurveAffine, { - type Guard = GuardKZG<'params, E>; - type MSMAccumulator = DualMSM<'params, E>; + type Guard = GuardKZG; + type MSMAccumulator = DualMSM; const QUERY_INSTANCE: bool = false; - fn new(params: &'params ParamsKZG) -> Self { - Self { params } + fn new() -> Self { + Self { + _marker: PhantomData, + } } fn verify_proof< @@ -48,7 +52,7 @@ where &self, transcript: &mut T, queries: I, - mut msm_accumulator: DualMSM<'params, E>, + mut msm_accumulator: DualMSM, ) -> Result where I: IntoIterator>> + Clone, @@ -116,7 +120,7 @@ where msm_accumulator.right.add_msm(&witness_with_aux); msm_accumulator.right.add_msm(&commitment_multi); - let g0: E::G1 = self.params.g[0].into(); + let g0: E::G1 = ::generator().into(); msm_accumulator.right.append_term(eval_multi, -g0); Ok(Self::Guard::new(msm_accumulator)) diff --git a/halo2_backend/src/poly/kzg/multiopen/shplonk/verifier.rs b/halo2_backend/src/poly/kzg/multiopen/shplonk/verifier.rs index 27e33c62c7..a67a555733 100644 --- a/halo2_backend/src/poly/kzg/multiopen/shplonk/verifier.rs +++ b/halo2_backend/src/poly/kzg/multiopen/shplonk/verifier.rs @@ -1,4 +1,5 @@ use std::fmt::Debug; +use std::marker::PhantomData; use super::ChallengeY; use super::{construct_intermediate_sets, ChallengeU, ChallengeV}; @@ -8,13 +9,14 @@ use crate::arithmetic::{ use crate::helpers::SerdeCurveAffine; use crate::poly::commitment::Verifier; use crate::poly::commitment::MSM; -use crate::poly::kzg::commitment::{KZGCommitmentScheme, ParamsKZG}; +use crate::poly::kzg::commitment::KZGCommitmentScheme; use crate::poly::kzg::msm::DualMSM; use crate::poly::kzg::msm::{PreMSM, MSMKZG}; use crate::poly::kzg::strategy::GuardKZG; use crate::poly::query::{CommitmentReference, VerifierQuery}; use crate::poly::Error; use crate::transcript::{EncodedChallenge, TranscriptRead}; +use group::prime::PrimeCurveAffine; use halo2_middleware::ff::Field; use halo2curves::pairing::{Engine, MultiMillerLoop}; use halo2curves::CurveExt; @@ -22,11 +24,11 @@ use std::ops::MulAssign; /// Concrete KZG multiopen verifier with SHPLONK variant #[derive(Debug)] -pub struct VerifierSHPLONK<'params, E: Engine> { - params: &'params ParamsKZG, +pub struct VerifierSHPLONK { + _marker: PhantomData, } -impl<'params, E> Verifier<'params, KZGCommitmentScheme> for VerifierSHPLONK<'params, E> +impl<'params, E> Verifier<'params, KZGCommitmentScheme> for VerifierSHPLONK where E: MultiMillerLoop + Debug, E::Fr: Ord, @@ -34,13 +36,15 @@ where E::G1: CurveExt, E::G2Affine: SerdeCurveAffine, { - type Guard = GuardKZG<'params, E>; - type MSMAccumulator = DualMSM<'params, E>; + type Guard = GuardKZG; + type MSMAccumulator = DualMSM; const QUERY_INSTANCE: bool = false; - fn new(params: &'params ParamsKZG) -> Self { - Self { params } + fn new() -> Self { + Self { + _marker: PhantomData, + } } /// Verify a multi-opening proof @@ -53,7 +57,7 @@ where &self, transcript: &mut T, queries: I, - mut msm_accumulator: DualMSM<'params, E>, + mut msm_accumulator: DualMSM, ) -> Result where I: IntoIterator>> + Clone, @@ -126,7 +130,7 @@ where r_outer_acc += power_of_v * r_inner_acc * z_diff_i; } let mut outer_msm = outer_msm.normalize(); - let g1: E::G1 = self.params.g[0].into(); + let g1: E::G1 = ::generator().into(); outer_msm.append_term(-r_outer_acc, g1); outer_msm.append_term(-z_0, h1.into()); outer_msm.append_term(*u, h2.into()); diff --git a/halo2_backend/src/poly/kzg/strategy.rs b/halo2_backend/src/poly/kzg/strategy.rs index 96573b0c74..93c6a96163 100644 --- a/halo2_backend/src/poly/kzg/strategy.rs +++ b/halo2_backend/src/poly/kzg/strategy.rs @@ -1,5 +1,5 @@ use super::{ - commitment::{KZGCommitmentScheme, ParamsKZG}, + commitment::{KZGCommitmentScheme, ParamsVerifierKZG}, msm::DualMSM, }; use crate::{ @@ -21,105 +21,108 @@ use std::fmt::Debug; /// Wrapper for linear verification accumulator #[derive(Debug, Clone)] -pub struct GuardKZG<'params, E: MultiMillerLoop + Debug> +pub struct GuardKZG where E::G1Affine: CurveAffine::Fr, CurveExt = ::G1>, E::G1: CurveExt, { - pub(crate) msm_accumulator: DualMSM<'params, E>, + pub(crate) msm_accumulator: DualMSM, } /// Define accumulator type as `DualMSM` -impl<'params, E> Guard> for GuardKZG<'params, E> +impl Guard> for GuardKZG where E: MultiMillerLoop + Debug, E::G1Affine: SerdeCurveAffine::Fr, CurveExt = ::G1>, E::G1: CurveExt, E::G2Affine: SerdeCurveAffine, { - type MSMAccumulator = DualMSM<'params, E>; + type MSMAccumulator = DualMSM; } /// KZG specific operations -impl<'params, E: MultiMillerLoop + Debug> GuardKZG<'params, E> +impl GuardKZG where + E: MultiMillerLoop, E::G1Affine: CurveAffine::Fr, CurveExt = ::G1>, E::G1: CurveExt, { - pub(crate) fn new(msm_accumulator: DualMSM<'params, E>) -> Self { + pub(crate) fn new(msm_accumulator: DualMSM) -> Self { Self { msm_accumulator } } } /// A verifier that checks multiple proofs in a batch #[derive(Clone, Debug)] -pub struct AccumulatorStrategy<'params, E: Engine> +pub struct AccumulatorStrategy where E::G1Affine: CurveAffine::Fr, CurveExt = ::G1>, E::G1: CurveExt, { - pub(crate) msm_accumulator: DualMSM<'params, E>, + pub(crate) msm_accumulator: DualMSM, + params: ParamsVerifierKZG, } -impl<'params, E: MultiMillerLoop + Debug> AccumulatorStrategy<'params, E> +impl AccumulatorStrategy where + E: MultiMillerLoop, E::G1Affine: CurveAffine::Fr, CurveExt = ::G1>, E::G1: CurveExt, { /// Constructs an empty batch verifier - pub fn new(params: &'params ParamsKZG) -> Self { + pub fn new(params: &ParamsVerifierKZG) -> Self { AccumulatorStrategy { - msm_accumulator: DualMSM::new(params), + msm_accumulator: DualMSM::new(), + params: params.clone(), } } /// Constructs and initialized new batch verifier - pub fn with(msm_accumulator: DualMSM<'params, E>) -> Self { - AccumulatorStrategy { msm_accumulator } + pub fn with(msm_accumulator: DualMSM, params: &ParamsVerifierKZG) -> Self { + AccumulatorStrategy { + msm_accumulator, + params: params.clone(), + } } } /// A verifier that checks a single proof #[derive(Clone, Debug)] -pub struct SingleStrategy<'params, E: Engine> +pub struct SingleStrategy where E::G1Affine: CurveAffine::Fr, CurveExt = ::G1>, E::G1: CurveExt, { - pub(crate) msm: DualMSM<'params, E>, + pub(crate) msm: DualMSM, + params: ParamsVerifierKZG, } -impl<'params, E: MultiMillerLoop + Debug> SingleStrategy<'params, E> +impl<'params, E: MultiMillerLoop + Debug> SingleStrategy where E::G1Affine: CurveAffine::Fr, CurveExt = ::G1>, E::G1: CurveExt, { /// Constructs an empty batch verifier - pub fn new(params: &'params ParamsKZG) -> Self { + pub fn new(params: &'params ParamsVerifierKZG) -> Self { SingleStrategy { - msm: DualMSM::new(params), + msm: DualMSM::new(), + params: params.clone(), } } } -impl< - 'params, - E: MultiMillerLoop + Debug, - V: Verifier< - 'params, - KZGCommitmentScheme, - MSMAccumulator = DualMSM<'params, E>, - Guard = GuardKZG<'params, E>, - >, - > VerificationStrategy<'params, KZGCommitmentScheme, V> for AccumulatorStrategy<'params, E> +impl<'params, E, V> VerificationStrategy<'params, KZGCommitmentScheme, V> + for AccumulatorStrategy where + E: MultiMillerLoop + Debug, + V: Verifier<'params, KZGCommitmentScheme, MSMAccumulator = DualMSM, Guard = GuardKZG>, E::G1Affine: SerdeCurveAffine::Fr, CurveExt = ::G1>, E::G1: CurveExt, E::G2Affine: SerdeCurveAffine, { type Output = Self; - fn new(params: &'params ParamsKZG) -> Self { + fn new(params: &'params ParamsVerifierKZG) -> Self { AccumulatorStrategy::new(params) } @@ -133,34 +136,28 @@ where let guard = f(self.msm_accumulator)?; Ok(Self { msm_accumulator: guard.msm_accumulator, + params: self.params, }) } fn finalize(self) -> bool { // ZAL: Verification is (supposedly) cheap, hence we don't use an accelerator engine let default_engine = H2cEngine::new(); - self.msm_accumulator.check(&default_engine) + self.msm_accumulator.check(&default_engine, &self.params) } } -impl< - 'params, - E: MultiMillerLoop + Debug, - V: Verifier< - 'params, - KZGCommitmentScheme, - MSMAccumulator = DualMSM<'params, E>, - Guard = GuardKZG<'params, E>, - >, - > VerificationStrategy<'params, KZGCommitmentScheme, V> for SingleStrategy<'params, E> +impl<'params, E, V> VerificationStrategy<'params, KZGCommitmentScheme, V> for SingleStrategy where + E: MultiMillerLoop + Debug, + V: Verifier<'params, KZGCommitmentScheme, MSMAccumulator = DualMSM, Guard = GuardKZG>, E::G1Affine: SerdeCurveAffine::Fr, CurveExt = ::G1>, E::G1: CurveExt, E::G2Affine: SerdeCurveAffine, { type Output = (); - fn new(params: &'params ParamsKZG) -> Self { + fn new(params: &'params ParamsVerifierKZG) -> Self { Self::new(params) } @@ -173,7 +170,7 @@ where let msm = guard.msm_accumulator; // Verification is (supposedly) cheap, hence we don't use an accelerator engine let default_engine = H2cEngine::new(); - if msm.check(&default_engine) { + if msm.check(&default_engine, &self.params) { Ok(()) } else { Err(Error::ConstraintSystemFailure) diff --git a/halo2_backend/src/poly/multiopen_test.rs b/halo2_backend/src/poly/multiopen_test.rs index c37b809b7a..e907d0134c 100644 --- a/halo2_backend/src/poly/multiopen_test.rs +++ b/halo2_backend/src/poly/multiopen_test.rs @@ -38,7 +38,7 @@ mod test { Blake2bWrite<_, _, Challenge255<_>>, >(&engine, ¶ms); - let verifier_params = params.verifier_params(); + let verifier_params = params; verify::< IPACommitmentScheme, @@ -46,7 +46,7 @@ mod test { _, Blake2bRead<_, _, Challenge255<_>>, AccumulatorStrategy<_>, - >(verifier_params, &proof[..], false); + >(&verifier_params, &proof[..], false); verify::< IPACommitmentScheme, @@ -54,7 +54,7 @@ mod test { _, Blake2bRead<_, _, Challenge255<_>>, AccumulatorStrategy<_>, - >(verifier_params, &proof[..], true); + >(&verifier_params, &proof[..], true); } #[test] @@ -76,7 +76,7 @@ mod test { Keccak256Write<_, _, Challenge255<_>>, >(&engine, ¶ms); - let verifier_params = params.verifier_params(); + let verifier_params = params; verify::< IPACommitmentScheme, @@ -84,7 +84,7 @@ mod test { _, Keccak256Read<_, _, Challenge255<_>>, AccumulatorStrategy<_>, - >(verifier_params, &proof[..], false); + >(&verifier_params, &proof[..], false); verify::< IPACommitmentScheme, @@ -92,7 +92,7 @@ mod test { _, Keccak256Read<_, _, Challenge255<_>>, AccumulatorStrategy<_>, - >(verifier_params, &proof[..], true); + >(&verifier_params, &proof[..], true); } #[test] @@ -114,7 +114,7 @@ mod test { let verifier_params = params.verifier_params(); verify::<_, VerifierGWC<_>, _, Blake2bRead<_, _, Challenge255<_>>, AccumulatorStrategy<_>>( - verifier_params, + &verifier_params, &proof[..], false, ); @@ -125,7 +125,7 @@ mod test { _, Blake2bRead<_, _, Challenge255<_>>, AccumulatorStrategy<_>, - >(verifier_params, &proof[..], true); + >(&verifier_params, &proof[..], true); } #[test] @@ -155,7 +155,7 @@ mod test { _, Blake2bRead<_, _, Challenge255<_>>, AccumulatorStrategy<_>, - >(verifier_params, &proof[..], false); + >(&verifier_params, &proof[..], false); verify::< KZGCommitmentScheme, @@ -163,7 +163,7 @@ mod test { _, Blake2bRead<_, _, Challenge255<_>>, AccumulatorStrategy<_>, - >(verifier_params, &proof[..], true); + >(&verifier_params, &proof[..], true); } fn verify< @@ -179,7 +179,7 @@ mod test { proof: &'a [u8], should_fail: bool, ) { - let verifier = V::new(params); + let verifier = V::new(); let mut transcript = T::init(proof); diff --git a/halo2_proofs/src/plonk/keygen.rs b/halo2_proofs/src/plonk/keygen.rs index 1895e36f8c..9bdffcb84f 100644 --- a/halo2_proofs/src/plonk/keygen.rs +++ b/halo2_proofs/src/plonk/keygen.rs @@ -11,16 +11,16 @@ use halo2_middleware::ff::FromUniformBytes; /// Generate a `VerifyingKey` from an instance of `Circuit`. /// By default, selector compression is turned **ON**. /// -/// **NOTE**: This `keygen_vk` is legacy one, assuming that `compress_selector: true`. -/// Hence, it is HIGHLY recommended to pair this util with `keygen_pk`. +/// **NOTE**: This `keygen_vk` is legacy one, assuming that `compress_selector: true`. +/// Hence, it is HIGHLY recommended to pair this util with `keygen_pk`. /// In addition, when using this for key generation, user MUST use `compress_selectors: true`. -pub fn keygen_vk<'params, C, P, ConcreteCircuit>( +pub fn keygen_vk( params: &P, circuit: &ConcreteCircuit, ) -> Result, Error> where C: CurveAffine, - P: Params<'params, C>, + P: Params, ConcreteCircuit: Circuit, C::Scalar: FromUniformBytes<64>, { @@ -33,16 +33,16 @@ where /// /// **NOTE**: This `keygen_vk_custom` MUST share the same `compress_selectors` with /// `ProvingKey` generation process. -/// Otherwise, the user could get unmatching pk/vk pair. +/// Otherwise, the user could get unmatching pk/vk pair. /// Hence, it is HIGHLY recommended to pair this util with `keygen_pk_custom`. -pub fn keygen_vk_custom<'params, C, P, ConcreteCircuit>( +pub fn keygen_vk_custom( params: &P, circuit: &ConcreteCircuit, compress_selectors: bool, ) -> Result, Error> where C: CurveAffine, - P: Params<'params, C>, + P: Params, ConcreteCircuit: Circuit, C::Scalar: FromUniformBytes<64>, { @@ -53,17 +53,17 @@ where /// Generate a `ProvingKey` from a `VerifyingKey` and an instance of `Circuit`. /// By default, selector compression is turned **ON**. /// -/// **NOTE**: This `keygen_pk` is legacy one, assuming that `compress_selector: true`. -/// Hence, it is HIGHLY recommended to pair this util with `keygen_vk`. +/// **NOTE**: This `keygen_pk` is legacy one, assuming that `compress_selector: true`. +/// Hence, it is HIGHLY recommended to pair this util with `keygen_vk`. /// In addition, when using this for key generation, user MUST use `compress_selectors: true`. -pub fn keygen_pk<'params, C, P, ConcreteCircuit>( +pub fn keygen_pk( params: &P, vk: VerifyingKey, circuit: &ConcreteCircuit, ) -> Result, Error> where C: CurveAffine, - P: Params<'params, C>, + P: Params, ConcreteCircuit: Circuit, { keygen_pk_custom(params, vk, circuit, true) @@ -75,9 +75,9 @@ where /// /// **NOTE**: This `keygen_pk_custom` MUST share the same `compress_selectors` with /// `VerifyingKey` generation process. -/// Otherwise, the user could get unmatching pk/vk pair. +/// Otherwise, the user could get unmatching pk/vk pair. /// Hence, it is HIGHLY recommended to pair this util with `keygen_vk_custom`. -pub fn keygen_pk_custom<'params, C, P, ConcreteCircuit>( +pub fn keygen_pk_custom( params: &P, vk: VerifyingKey, circuit: &ConcreteCircuit, @@ -85,7 +85,7 @@ pub fn keygen_pk_custom<'params, C, P, ConcreteCircuit>( ) -> Result, Error> where C: CurveAffine, - P: Params<'params, C>, + P: Params, ConcreteCircuit: Circuit, { let (compiled_circuit, _, _) = compile_circuit(params.k(), circuit, compress_selectors)?; diff --git a/halo2_proofs/tests/compress_selectors.rs b/halo2_proofs/tests/compress_selectors.rs index 47a394aa09..9f8cdefc01 100644 --- a/halo2_proofs/tests/compress_selectors.rs +++ b/halo2_proofs/tests/compress_selectors.rs @@ -16,7 +16,6 @@ use halo2_proofs::plonk::{ create_proof_with_engine, keygen_pk_custom, keygen_vk_custom, verify_proof, Advice, Assigned, Circuit, Column, ConstraintSystem, Instance, Selector, }; -use halo2_proofs::poly::commitment::ParamsProver; use halo2_proofs::poly::kzg::commitment::{KZGCommitmentScheme, ParamsKZG}; use halo2_proofs::poly::kzg::multiopen::{ProverSHPLONK, VerifierSHPLONK}; use halo2_proofs::poly::kzg::strategy::SingleStrategy; @@ -384,10 +383,10 @@ fn test_mycircuit( // Verify let mut verifier_transcript = Blake2bRead::<_, G1Affine, Challenge255<_>>::init(proof.as_slice()); - let strategy = SingleStrategy::new(verifier_params); + let strategy = SingleStrategy::new(&verifier_params); - verify_proof::, VerifierSHPLONK<'_, Bn256>, _, _, _>( - ¶ms, + verify_proof::, VerifierSHPLONK, _, _, _>( + &verifier_params, &vk, strategy, &[instances_slice], diff --git a/halo2_proofs/tests/frontend_backend_split.rs b/halo2_proofs/tests/frontend_backend_split.rs index 5ba0fcd3e5..127d8552e0 100644 --- a/halo2_proofs/tests/frontend_backend_split.rs +++ b/halo2_proofs/tests/frontend_backend_split.rs @@ -28,7 +28,6 @@ use halo2_frontend::{ }, }; use halo2_middleware::{ff::Field, poly::Rotation}; -use halo2_proofs::poly::commitment::ParamsProver; use std::collections::HashMap; #[derive(Clone)] @@ -518,7 +517,6 @@ fn test_mycircuit_full_legacy() { // Setup let mut rng = BlockRng::new(OneNg {}); let params = ParamsKZG::::setup(k, &mut rng); - let verifier_params = params.verifier_params(); let start = Instant::now(); let vk = keygen_vk_legacy(¶ms, &circuit).expect("keygen_vk should not fail"); let pk = keygen_pk_legacy(¶ms, vk.clone(), &circuit).expect("keygen_pk should not fail"); @@ -549,10 +547,11 @@ fn test_mycircuit_full_legacy() { let start = Instant::now(); let mut verifier_transcript = Blake2bRead::<_, G1Affine, Challenge255<_>>::init(proof.as_slice()); - let strategy = SingleStrategy::new(verifier_params); + let verifier_params = params.verifier_params(); + let strategy = SingleStrategy::new(&verifier_params); - verify_proof::, VerifierSHPLONK<'_, Bn256>, _, _, _>( - ¶ms, + verify_proof::, VerifierSHPLONK, _, _, _>( + &verifier_params, &vk, strategy, &[instances_slice], @@ -580,7 +579,6 @@ fn test_mycircuit_full_split() { // Setup let mut rng = BlockRng::new(OneNg {}); let params = ParamsKZG::::setup(k, &mut rng); - let verifier_params = params.verifier_params(); let start = Instant::now(); let vk = keygen_vk(¶ms, &compiled_circuit).expect("keygen_vk should not fail"); let pk = keygen_pk(¶ms, vk.clone(), &compiled_circuit).expect("keygen_pk should not fail"); @@ -629,10 +627,11 @@ fn test_mycircuit_full_split() { println!("Verifying..."); let mut verifier_transcript = Blake2bRead::<_, G1Affine, Challenge255<_>>::init(proof.as_slice()); - let strategy = SingleStrategy::new(verifier_params); + let verifier_params = params.verifier_params(); + let strategy = SingleStrategy::new(&verifier_params); - verify_proof_single::, VerifierSHPLONK<'_, Bn256>, _, _, _>( - ¶ms, + verify_proof_single::, VerifierSHPLONK, _, _, _>( + &verifier_params, &vk, strategy, instances_slice, diff --git a/halo2_proofs/tests/plonk_api.rs b/halo2_proofs/tests/plonk_api.rs index f7bb6ed647..b3679d3de8 100644 --- a/halo2_proofs/tests/plonk_api.rs +++ b/halo2_proofs/tests/plonk_api.rs @@ -596,7 +596,7 @@ fn plonk_api() { _, Blake2bRead<_, _, Challenge255<_>>, AccumulatorStrategy<_>, - >(verifier_params, pk.get_vk(), &proof[..]); + >(&verifier_params, pk.get_vk(), &proof[..]); } fn test_plonk_api_shplonk() { @@ -625,7 +625,7 @@ fn plonk_api() { _, Blake2bRead<_, _, Challenge255<_>>, AccumulatorStrategy<_>, - >(verifier_params, pk.get_vk(), &proof[..]); + >(&verifier_params, pk.get_vk(), &proof[..]); } fn test_plonk_api_ipa() { @@ -646,7 +646,7 @@ fn plonk_api() { rng, ¶ms, &pk, ); - let verifier_params = params.verifier_params(); + let verifier_params = params; verify_proof::< _, @@ -654,7 +654,7 @@ fn plonk_api() { _, Blake2bRead<_, _, Challenge255<_>>, AccumulatorStrategy<_>, - >(verifier_params, pk.get_vk(), &proof[..]); + >(&verifier_params, pk.get_vk(), &proof[..]); // Check that the verification key has not changed unexpectedly { diff --git a/halo2_proofs/tests/serialization.rs b/halo2_proofs/tests/serialization.rs index 929c61db39..93e98989e0 100644 --- a/halo2_proofs/tests/serialization.rs +++ b/halo2_proofs/tests/serialization.rs @@ -176,16 +176,17 @@ fn test_serialization() { .expect("prover should not fail"); let proof = transcript.finalize(); - let strategy = SingleStrategy::new(¶ms); + let verifier_params = params.verifier_params(); + let strategy = SingleStrategy::new(&verifier_params); let mut transcript = Blake2bRead::<_, _, Challenge255<_>>::init(&proof[..]); assert!(verify_proof::< KZGCommitmentScheme, - VerifierGWC<'_, Bn256>, + VerifierGWC, Challenge255, Blake2bRead<&[u8], G1Affine, Challenge255>, - SingleStrategy<'_, Bn256>, + SingleStrategy, >( - ¶ms, + &verifier_params, pk.get_vk(), strategy, &[instances],