halo2_proofs/
plonk.rs

1//! This module provides an implementation of a variant of (Turbo)[PLONK][plonk]
2//! that is designed specifically for the polynomial commitment scheme described
3//! in the [Halo][halo] paper.
4//!
5//! [halo]: https://eprint.iacr.org/2019/1021
6//! [plonk]: https://eprint.iacr.org/2019/953
7
8use blake2b_simd::Params as Blake2bParams;
9
10use crate::arithmetic::{CurveAffine, FieldExt};
11use crate::helpers::CurveRead;
12use crate::poly::{
13    commitment::Params, Coeff, EvaluationDomain, ExtendedLagrangeCoeff, LagrangeCoeff,
14    PinnedEvaluationDomain, Polynomial,
15};
16use crate::transcript::{ChallengeScalar, EncodedChallenge, Transcript};
17
18mod assigned;
19mod circuit;
20mod error;
21mod keygen;
22mod lookup;
23pub(crate) mod permutation;
24mod vanishing;
25
26mod prover;
27mod verifier;
28
29pub use assigned::*;
30pub use circuit::*;
31pub use error::*;
32pub use keygen::*;
33pub use prover::*;
34pub use verifier::*;
35
36use std::io;
37
/// This is a verifying key which allows for the verification of proofs for a
/// particular circuit.
///
/// `hash_into` absorbs a digest of the pinned form of this key (see `pinned`)
/// into a transcript, so the fields below are what that digest covers.
#[derive(Clone, Debug)]
pub struct VerifyingKey<C: CurveAffine> {
    /// Evaluation domain over the curve's scalar field.
    domain: EvaluationDomain<C::Scalar>,
    /// Curve points, one per fixed commitment.
    // NOTE(review): presumably commitments to the circuit's fixed columns,
    // produced during key generation; confirm against `keygen`.
    fixed_commitments: Vec<C>,
    /// Verifying-key half of the `permutation` submodule.
    permutation: permutation::VerifyingKey<C>,
    /// Constraint system this key was built for.
    cs: ConstraintSystem<C::Scalar>,
}
47
impl<C: CurveAffine> VerifyingKey<C> {
    /// Absorbs a digest of this verifying key into `transcript`.
    ///
    /// The hash preimage is the `Debug` rendering of [`Self::pinned`], prefixed
    /// with its byte length as a little-endian `u64`. It is hashed with BLAKE2b
    /// (64-byte output, personalization `Halo2-Verify-Key`), and the digest is
    /// converted with `from_bytes_wide` and passed to `common_scalar`.
    ///
    /// Because the preimage is `Debug` text, the absorbed value depends on the
    /// exact `Debug` output of [`PinnedVerificationKey`] and of every type it
    /// contains. Changing a field name, the field order, or a `Debug` impl in
    /// that tree changes the digest, and with it whatever is later derived
    /// from this transcript.
    ///
    /// # Errors
    ///
    /// Returns the error produced by `transcript.common_scalar`.
    pub fn hash_into<E: EncodedChallenge<C>, T: Transcript<C, E>>(
        &self,
        transcript: &mut T,
    ) -> io::Result<()> {
        // Text form of the pinned key; these bytes are what gets hashed.
        let rendered = format!("{:?}", self.pinned());
        // The length prefix delimits the rendered key inside the hash input.
        let rendered_len = rendered.len() as u64;

        let mut state = Blake2bParams::new()
            .hash_length(64)
            .personal(b"Halo2-Verify-Key")
            .to_state();
        state.update(&rendered_len.to_le_bytes());
        state.update(rendered.as_bytes());
        let digest = state.finalize();

        // All 64 digest bytes are handed to `from_bytes_wide` to obtain the
        // scalar that the transcript absorbs.
        let key_scalar = C::Scalar::from_bytes_wide(digest.as_array());
        transcript.common_scalar(key_scalar)?;

        Ok(())
    }

    /// Obtains a pinned representation of this verification key that contains
    /// the minimal information necessary to reconstruct the verification key.
    ///
    /// The result borrows from `self`. Its derived `Debug` output is the
    /// preimage used by [`Self::hash_into`]; that output follows the field
    /// order of the [`PinnedVerificationKey`] declaration, not the order of
    /// the initializer below.
    pub fn pinned(&self) -> PinnedVerificationKey<'_, C> {
        // Exhaustive destructuring: adding a field to `VerifyingKey` forces a
        // decision here about whether the pinned form should cover it.
        let Self {
            domain,
            fixed_commitments,
            permutation,
            cs,
        } = self;

        PinnedVerificationKey {
            base_modulus: C::Base::MODULUS,
            scalar_modulus: C::Scalar::MODULUS,
            domain: domain.pinned(),
            fixed_commitments,
            permutation,
            cs: cs.pinned(),
        }
    }
}
83
/// Minimal representation of a verification key that can be used to identify
/// its active contents.
///
/// `VerifyingKey::hash_into` hashes the derived `Debug` output of this struct,
/// so the field names, the field order and the `Debug` impls of the field types
/// all determine the digest bound into the transcript. Reordering or renaming
/// a field here changes that digest.
// The fields are never read directly in this module, only through the derived
// `Debug` impl; that is presumably why `dead_code` is allowed here.
#[allow(dead_code)]
#[derive(Debug)]
pub struct PinnedVerificationKey<'a, C: CurveAffine> {
    // Textual modulus of the curve's base field (`C::Base::MODULUS`).
    base_modulus: &'static str,
    // Textual modulus of the curve's scalar field (`C::Scalar::MODULUS`).
    scalar_modulus: &'static str,
    // Pinned view of the key's evaluation domain.
    domain: PinnedEvaluationDomain<'a, C::Scalar>,
    // Pinned view of the key's constraint system.
    cs: PinnedConstraintSystem<'a, C::Scalar>,
    // Borrowed from the `VerifyingKey` this was pinned from.
    fixed_commitments: &'a Vec<C>,
    // Borrowed from the `VerifyingKey` this was pinned from.
    permutation: &'a permutation::VerifyingKey<C>,
}
/// This is a proving key which allows for the creation of proofs for a
/// particular circuit.
///
/// It embeds the matching [`VerifyingKey`], which `get_vk` exposes by reference.
#[derive(Clone, Debug)]
pub struct ProvingKey<C: CurveAffine> {
    /// Verifying key for the same circuit.
    vk: VerifyingKey<C>,
    // The three `l_*` polynomials are held in the extended Lagrange basis.
    // NOTE(review): the names suggest selectors for the first row, the
    // blinding rows and the last usable row; confirm against `keygen`.
    l0: Polynomial<C::Scalar, ExtendedLagrangeCoeff>,
    l_blind: Polynomial<C::Scalar, ExtendedLagrangeCoeff>,
    l_last: Polynomial<C::Scalar, ExtendedLagrangeCoeff>,
    // Fixed-column data in three bases: Lagrange, coefficient and extended
    // Lagrange.
    // NOTE(review): presumably the same columns in each vector, index for
    // index; confirm against `keygen`.
    fixed_values: Vec<Polynomial<C::Scalar, LagrangeCoeff>>,
    fixed_polys: Vec<Polynomial<C::Scalar, Coeff>>,
    fixed_cosets: Vec<Polynomial<C::Scalar, ExtendedLagrangeCoeff>>,
    /// Proving-key half of the `permutation` submodule.
    permutation: permutation::ProvingKey<C>,
}
109
impl<C: CurveAffine> ProvingKey<C> {
    /// Borrows the [`VerifyingKey`] embedded in this proving key.
    pub fn get_vk(&self) -> &VerifyingKey<C> {
        let Self { vk, .. } = self;
        vk
    }
}
116
impl<C: CurveAffine> VerifyingKey<C> {
    /// Borrows the [`EvaluationDomain`] this verifying key was built over.
    pub fn get_domain(&self) -> &EvaluationDomain<C::Scalar> {
        let Self { domain, .. } = self;
        domain
    }
}
123
// Marker types for the protocol's challenges. Each unit struct only serves as
// the second type parameter of `ChallengeScalar`, so every alias below is a
// distinct Rust type and one challenge cannot be passed where another is
// expected.
// NOTE(review): the roles of the individual challenges are not visible in this
// file; confirm them against the `prover` and `verifier` modules.

/// Marker for the `theta` challenge.
#[derive(Clone, Copy, Debug)]
struct Theta;
/// Scalar challenge tagged as `theta`.
type ChallengeTheta<F> = ChallengeScalar<F, Theta>;

/// Marker for the `beta` challenge.
#[derive(Clone, Copy, Debug)]
struct Beta;
/// Scalar challenge tagged as `beta`.
type ChallengeBeta<F> = ChallengeScalar<F, Beta>;

/// Marker for the `gamma` challenge.
#[derive(Clone, Copy, Debug)]
struct Gamma;
/// Scalar challenge tagged as `gamma`.
type ChallengeGamma<F> = ChallengeScalar<F, Gamma>;

/// Marker for the `y` challenge.
#[derive(Clone, Copy, Debug)]
struct Y;
/// Scalar challenge tagged as `y`.
type ChallengeY<F> = ChallengeScalar<F, Y>;

/// Marker for the `x` challenge.
#[derive(Clone, Copy, Debug)]
struct X;
/// Scalar challenge tagged as `x`.
type ChallengeX<F> = ChallengeScalar<F, X>;