Evaluate polynomial r(X, Y) at y

LayerXcom · Apr 19, 2019 · fc58913 · fc58913
1 parent 0e45937
commit fc58913
Show file tree

Hide file tree

Showing 6 changed files with 75 additions and 31 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/core/sonic/src/cs/lc.rs b/core/sonic/src/cs/lc.rs
@@ -107,6 +107,7 @@ pub enum Variable {
     C(usize),
 }
 
+// like DensityTracker
 /// A difinition of Coefficient for linear combination used in our constraint system.
 #[derive(Debug)]
 pub enum Coeff<E: Engine> {

diff --git a/core/sonic/src/helped/prover.rs b/core/sonic/src/helped/prover.rs
@@ -6,11 +6,10 @@ use crate::cs::{SynthesisDriver, Circuit, Backend, Variable, Coeff};
 use crate::srs::SRS;
 use crate::transcript::ProvingTranscript;
 use crate::poly_comm::{polynomial_commitment};
-use crate::utils::ChainExt;
+use crate::utils::{ChainExt, mul_powers};
 
 pub const NUM_BLINDINGS: usize = 4;
 
-
 #[derive(Clone, Debug, Eq, PartialEq)]
 pub struct Proof<E: Engine> {
     /// A commitment of `r(X, 1)`
@@ -57,13 +56,13 @@ impl<E: Engine> Proof<E> {
         // === zkP_1(info, a, b, c) -> R: === //
         //
 
-        // c_{n+1}, c_{n+2}, c_{n+3}, c_{n+4}
+        // c_{n+1}, c_{n+2}, c_{n+3}, c_{n+4} <- F_p
         let blindings: Vec<E::Fr> = (0..NUM_BLINDINGS)
             .into_iter()
             .map(|_| E::Fr::rand(rng))
             .collect();
 
-        // r is a commitment to r(X, 1)
+        // a commitment to r(X, 1)
         let r_comm = polynomial_commitment::<E, _>(
             n,                      // a max degree
             n,                      // largest positive power
@@ -92,19 +91,26 @@ impl<E: Engine> Proof<E> {
         // === zkP_2(y) -> T: === //
         //
 
-        let mut rx1 = wires.b;
-        rx1.extend(wires.c);
-        rx1.extend(blindings.clone());
+        // A coefficients vector which can be used in common with polynomials r and r'
+        // associated with powers for X.
+        let mut rx1 = wires.b;         // X^{-n}...X^{-1}
+        rx1.extend(wires.c);           // X^{-2n}...X^{-n-1}
+        rx1.extend(blindings.clone()); // X^{-2n-4}...X^{-2n-1}
         rx1.reverse();
         rx1.push(E::Fr::zero());
-        rx1.extend(wires.a);
+        rx1.extend(wires.a);           // X^{1}...X^{n}
 
         let mut rxy = rx1.clone();
-
         let y_inv = y.inverse().ok_or(SynthesisError::DivisionByZero)?;
 
-        let tmp = y_inv.pow(&[(2 * n + NUM_BLINDINGS) as u64]);
+        let first_power = y_inv.pow(&[(2 * n + NUM_BLINDINGS) as u64]);
 
+        // Evaluate the polynomial r(X, Y) at y
+        mul_powers(
+            &mut rxy,
+            first_power,
+            y,
+        );
 
         //
         // === zkV -> zkP: Send z <- F_p to prover === //
@@ -121,7 +127,8 @@ impl<E: Engine> Proof<E> {
     }
 }
 
-
+/// Three vectors representing the left inputs, right inputs, and outputs of
+/// multiplication constraints respectively in sonic's constraint system.
 struct Wires<E: Engine> {
     a: Vec<E::Fr>,
     b: Vec<E::Fr>,

diff --git a/core/sonic/src/poly_comm.rs b/core/sonic/src/poly_comm.rs
@@ -90,14 +90,12 @@ where
 
     let pool = Worker::new();
 
-    // let result = multiexp(
-    //     &pool,
-    //     (Arc::new(exponent), 0),
-    //     FullDensity,
-    //     Arc::new(s)
-    // ).wait().unwrap();
-
-    // result
-    unimplemented!();
+    let result = multiexp(
+        &pool,
+        (Arc::new(exponent), 0),
+        FullDensity,
+        Arc::new(scalar)
+    ).wait().unwrap();
+
+    result
 }
-
diff --git a/core/sonic/src/srs.rs b/core/sonic/src/srs.rs
@@ -1,6 +1,7 @@
 use pairing::{Engine, Wnaf, CurveAffine, CurveProjective, Field, PrimeField};
 
 /// Defined in Section 4.3: Structured Reference String
+/// Pre-processing exponents
 #[derive(Clone, Eq, PartialEq)]
 pub struct SRS<E: Engine> {
     pub d: usize,

diff --git a/core/sonic/src/utils.rs b/core/sonic/src/utils.rs
@@ -1,3 +1,5 @@
+use pairing::Field;
+
 /// Basically used for polynomials represented as separeted iterator
 /// (like positive and negative powers).
 /// It can be used nested chains.
@@ -63,3 +65,30 @@ impl<T, U> DoubleEndedIterator for Chain<T, U>
         }
     }
 }
+
+/// Multiply each coefficient by some power of the base in a form
+/// `first_power * base^{i}`
+/// This would be sparse, consecutive multiplication based on non-zero coefficients.
+pub fn mul_powers<'a, F: Field> (
+    coeffs: &mut [F],
+    first_power: F,
+    base: F
+) {
+    use bellman::multicore::Worker;
+
+    let worker = Worker::new();
+    worker.scope(coeffs.len(), |scope, chunk| {
+        for (i, coeffs_chunk) in coeffs.chunks_mut(chunk).enumerate() {
+            scope.spawn(move |_| {
+                let mut current_power = base.pow(&[(i * chunk) as u64]);
+                current_power.mul_assign(&first_power);
+
+                for mut p in coeffs_chunk {
+                    p.mul_assign(&current_power);
+
+                    current_power.mul_assign(&base);
+                }
+            });
+        }
+    });
+}