diff --git a/src/parafold/cycle_fold/circuit.rs b/src/parafold/cycle_fold/circuit.rs index 9efc88b5a..c003712e5 100644 --- a/src/parafold/cycle_fold/circuit.rs +++ b/src/parafold/cycle_fold/circuit.rs @@ -6,13 +6,11 @@ use crate::parafold::cycle_fold::AllocatedHashedCommitment; use crate::parafold::nifs::circuit_secondary::AllocatedSecondaryRelaxedR1CSInstance; use crate::parafold::nifs::FoldProof; use crate::parafold::transcript::circuit::AllocatedTranscript; -use crate::parafold::transcript::TranscriptConstants; + use crate::traits::Engine; -use crate::Commitment; #[derive(Debug, Clone)] pub struct AllocatedScalarMulAccumulator { - constants: TranscriptConstants, deferred: Vec>, } @@ -20,25 +18,8 @@ impl AllocatedScalarMulAccumulator where E1: Engine, { - pub fn new(constants: TranscriptConstants) -> Self { - Self { - constants, - deferred: vec![], - } - } - - pub fn alloc_transcript( - &self, - mut cs: CS, - commitment: Commitment, - transcript: &mut AllocatedTranscript, - ) -> AllocatedHashedCommitment - where - CS: ConstraintSystem, - { - let c = AllocatedHashedCommitment::alloc(&mut cs, commitment, &self.constants); - transcript.absorb(c.as_preimage()); - c + pub fn new() -> Self { + Self { deferred: vec![] } } /// Compute the result `C <- A + x * B` by folding a proof over the secondary curve. @@ -57,7 +38,11 @@ where let B_value = B.value; let x_value = x.get_value().ok_or(SynthesisError::AssignmentMissing)?; let C_value = A_value + B_value * x_value; - let C = self.alloc_transcript(cs.namespace(|| "alloc output"), C_value, transcript); + let C = AllocatedHashedCommitment::alloc_transcript( + cs.namespace(|| "alloc output"), + C_value, + transcript, + ); self.deferred.push(AllocatedScalarMulInstance { A, diff --git a/src/parafold/cycle_fold/mod.rs b/src/parafold/cycle_fold/mod.rs index d1079ffda..f8838bdf5 100644 --- a/src/parafold/cycle_fold/mod.rs +++ b/src/parafold/cycle_fold/mod.rs @@ -1,10 +1,12 @@ use bellpepper_core::num::AllocatedNum; use bellpepper_core::ConstraintSystem; use ff::{Field, PrimeFieldBits}; +use neptune::generic_array::typenum::U2; +use neptune::poseidon::PoseidonConstants; use neptune::Poseidon; use crate::constants::{BN_LIMB_WIDTH, BN_N_LIMBS}; -use crate::parafold::transcript::TranscriptConstants; +use crate::parafold::transcript::circuit::AllocatedTranscript; use crate::traits::commitment::CommitmentTrait; use crate::traits::Engine; use crate::Commitment; @@ -47,16 +49,14 @@ pub struct HashedCommitment { point: Commitment, // Poseidon hash of (x,y) = point. We set hash = 0 when `point` = infinity hash: E1::Base, - // E1 representation of `BN_N_LIMBS` limbs with BN_LIMB_WIDTH bits. + // E1 representation of `hash` with `BN_N_LIMBS` limbs of BN_LIMB_WIDTH bits. hash_limbs: [E1::Scalar; BN_N_LIMBS], } impl HashedCommitment { /// Convert a [Commitment] to it's compressed representation. - /// - /// # TODO: - /// - The Poseidon constants for `H(x,y)` over F_q are defined by `constants.1`. - pub fn new(point: Commitment, constants: &TranscriptConstants) -> Self { + pub fn new(point: Commitment) -> Self { + let constants = PoseidonConstants::::new(); let (x, y, infinity) = point.to_coordinates(); if infinity { Self { @@ -65,7 +65,7 @@ impl HashedCommitment { hash_limbs: [E1::Scalar::ZERO; BN_N_LIMBS], } } else { - let hash = Poseidon::new_with_preimage(&[x, y], &constants.1).hash(); + let hash = Poseidon::new_with_preimage(&[x, y], &constants).hash(); let hash_limbs = hash .to_le_bits() .chunks_exact(BN_LIMB_WIDTH) @@ -113,11 +113,11 @@ pub struct AllocatedHashedCommitment { } impl AllocatedHashedCommitment { - pub fn alloc(mut cs: CS, c: Commitment, constants: &TranscriptConstants) -> Self + pub fn alloc(mut cs: CS, c: Commitment) -> Self where CS: ConstraintSystem, { - let hashed = HashedCommitment::::new(c, constants); + let hashed = HashedCommitment::::new(c); let hash_limbs = hashed .hash_limbs .map(|limb| AllocatedNum::alloc_infallible(cs.namespace(|| "alloc limb"), || limb)); @@ -128,6 +128,19 @@ impl AllocatedHashedCommitment { } } + pub fn alloc_transcript( + mut cs: CS, + c: Commitment, + transcript: &mut AllocatedTranscript, + ) -> Self + where + CS: ConstraintSystem, + { + let c = AllocatedHashedCommitment::alloc(&mut cs, c); + transcript.absorb(c.as_preimage()); + c + } + pub fn as_preimage(&self) -> impl IntoIterator> { self.hash_limbs.clone() } diff --git a/src/parafold/cycle_fold/prover.rs b/src/parafold/cycle_fold/prover.rs index 08a8e2f20..cd99e4b74 100644 --- a/src/parafold/cycle_fold/prover.rs +++ b/src/parafold/cycle_fold/prover.rs @@ -1,11 +1,9 @@ use bellpepper_core::ConstraintSystem; use crate::bellpepper::solver::SatisfyingAssignment; -use crate::parafold::cycle_fold::HashedCommitment; use crate::parafold::nifs::prover::RelaxedR1CS; use crate::parafold::nifs::FoldProof; use crate::parafold::transcript::prover::Transcript; -use crate::parafold::transcript::TranscriptConstants; use crate::r1cs::R1CSShape; use crate::traits::Engine; use crate::{Commitment, CommitmentKey}; @@ -21,16 +19,12 @@ use crate::{Commitment, CommitmentKey}; /// All operations are proved in a batch at the end of the circuit in order to minimize latency for the prover. #[derive(Debug, Clone, PartialEq, Eq)] pub struct ScalarMulAccumulator { - constants: TranscriptConstants, deferred: Vec>, } impl ScalarMulAccumulator { - pub fn new(constants: TranscriptConstants) -> Self { - Self { - constants, - deferred: vec![], - } + pub fn new() -> Self { + Self { deferred: vec![] } } /// Given two commitments `A`, `B` and a scalar `x`, compute `C <- A + x * B` @@ -45,27 +39,12 @@ impl ScalarMulAccumulator { x: E1::Scalar, transcript: &mut Transcript, ) -> Commitment { - let C_value = A + B * x; + let C: Commitment = A + B * x; - let C = self.add_to_transcript(C_value, transcript); + transcript.absorb_commitment_primary(C.clone()); - self.deferred.push(ScalarMulInstance { - A: HashedCommitment::new(A, &self.constants), - B: HashedCommitment::new(B, &self.constants), - x, - C, - }); - C_value - } + self.deferred.push(ScalarMulInstance { A, B, x, C }); - /// Convert a [Commitment] to a [HashedCommitment] and add it to the transcript. - pub fn add_to_transcript( - &self, - C: Commitment, - transcript: &mut Transcript, - ) -> HashedCommitment { - let C = HashedCommitment::new(C, &self.constants); - transcript.absorb(C.hash_limbs); C } @@ -107,8 +86,8 @@ impl ScalarMulAccumulator { #[derive(Debug, Clone, Default, PartialEq, Eq)] pub struct ScalarMulInstance { - A: HashedCommitment, - B: HashedCommitment, + A: Commitment, + B: Commitment, x: E1::Scalar, - C: HashedCommitment, + C: Commitment, } diff --git a/src/parafold/nifs/circuit.rs b/src/parafold/nifs/circuit.rs index 6cd7ad94d..8d9401b0e 100644 --- a/src/parafold/nifs/circuit.rs +++ b/src/parafold/nifs/circuit.rs @@ -10,7 +10,7 @@ use crate::parafold::transcript::circuit::AllocatedTranscript; use crate::parafold::transcript::TranscriptConstants; use crate::traits::Engine; -/// Allocated [RelaxedR1CSInstance] +/// Allocated [RelaxedR1CSInstance] for a circuit over the primary curve. #[derive(Debug, Clone)] pub struct AllocatedRelaxedR1CSInstance { u: AllocatedNum, @@ -33,8 +33,13 @@ impl AllocatedRelaxedR1CSInstance { CS: ConstraintSystem, { let FoldProof { W: W_new, T } = fold_proof; - let W_new = acc_sm.alloc_transcript(cs.namespace(|| "alloc W_new"), W_new, transcript); - let T = acc_sm.alloc_transcript(cs.namespace(|| "alloc E"), T, transcript); + + let W_new = AllocatedHashedCommitment::alloc_transcript( + cs.namespace(|| "alloc W_new"), + W_new, + transcript, + ); + let T = AllocatedHashedCommitment::alloc_transcript(cs.namespace(|| "alloc E"), T, transcript); let r = transcript.squeeze(&mut cs.namespace(|| "squeeze r"))?; @@ -53,6 +58,7 @@ impl AllocatedRelaxedR1CSInstance { mul_add(cs.namespace(|| format!("X_next[{i}]")), &x_curr, x_new, &r) }) .collect::, _>>()?; + // W_next = W_curr + r * W_new let W_next = acc_sm.scalar_mul( cs.namespace(|| "W_next"), W_curr.clone(), @@ -91,7 +97,13 @@ impl AllocatedRelaxedR1CSInstance { // Add all cross-term commitments to the transcript. let Ts = proofs .into_iter() - .map(|proof| acc_sm.alloc_transcript(cs.namespace(|| "alloc Ts"), proof.T, transcript)) + .map(|proof| { + AllocatedHashedCommitment::alloc_transcript( + cs.namespace(|| "alloc Ts"), + proof.T, + transcript, + ) + }) .collect::>(); // Get common challenge @@ -169,11 +181,7 @@ impl AllocatedRelaxedR1CSInstance { transcript.squeeze(&mut cs) } - pub fn alloc( - mut cs: CS, - instance: RelaxedR1CSInstance, - constants: &TranscriptConstants, - ) -> Self + pub fn alloc(mut cs: CS, instance: RelaxedR1CSInstance) -> Self where CS: ConstraintSystem, { @@ -185,8 +193,8 @@ impl AllocatedRelaxedR1CSInstance { .enumerate() .map(|(i, X)| AllocatedNum::alloc_infallible(cs.namespace(|| format!("alloc X[{i}]")), || X)) .collect(); - let W = AllocatedHashedCommitment::alloc(cs.namespace(|| "alloc W"), W, constants); - let E = AllocatedHashedCommitment::alloc(cs.namespace(|| "alloc E"), E, constants); + let W = AllocatedHashedCommitment::alloc(cs.namespace(|| "alloc W"), W); + let E = AllocatedHashedCommitment::alloc(cs.namespace(|| "alloc E"), E); Self { u, X, W, E } } diff --git a/src/parafold/nifs/circuit_secondary.rs b/src/parafold/nifs/circuit_secondary.rs index f0c87ba4e..c9fdce3a8 100644 --- a/src/parafold/nifs/circuit_secondary.rs +++ b/src/parafold/nifs/circuit_secondary.rs @@ -49,6 +49,7 @@ where let FoldProof { W: W_new, T } = fold_proof; + // Allocate W_new, T and add them to the transcript let W_new = AllocatedPoint::alloc_transcript::<_, E1, E2>( cs.namespace(|| "alloc W_new"), W_new, @@ -57,6 +58,7 @@ where let T = AllocatedPoint::alloc_transcript::<_, E1, E2>(cs.namespace(|| "alloc T"), T, transcript); + // Get challenge `r` but truncate the bits for more efficient scalar multiplication let r_bits = transcript.squeeze_bits(cs.namespace(|| "r bits"), NUM_CHALLENGE_BITS)?; let r = le_bits_to_num(cs.namespace(|| "r"), &r_bits)?; let r_bn = BigNat::from_num( @@ -65,6 +67,7 @@ where BN_LIMB_WIDTH, BN_N_LIMBS, )?; + let Self { u: u_curr, X: X_curr, @@ -72,6 +75,7 @@ where E: E_curr, } = self; + // We have to do a full modular reduction since merging will make `u` full-sized let u_next = u_curr .add(&r_bn)? .red_mod(cs.namespace(|| "u_next = u_curr + r % q"), &q_bn)?; @@ -88,6 +92,7 @@ where }) .collect::, _>>()?; + // Scalar multiplications let W_next = W_new .scalar_mul(cs.namespace(|| "r * W_new"), &r_bits)? .add(cs.namespace(|| "W_curr + r * W_new"), W_curr)?; @@ -124,10 +129,12 @@ where let MergeProof { T } = merge_proof; + // Allocate T and add to transcript let T = AllocatedPoint::alloc_transcript::<_, E1, E2>(cs.namespace(|| "alloc T"), T, transcript); transcript.absorb(T.as_preimage()); + // Get truncated challenge let r_bits = transcript.squeeze_bits(cs.namespace(|| "r bits"), NUM_CHALLENGE_BITS)?; let r = le_bits_to_num(cs.namespace(|| "r"), &r_bits)?; let r_bn = BigNat::from_num( @@ -199,7 +206,7 @@ where .enforce_trivial(cs.namespace(|| "enforce trivial E"), is_trivial); } - pub fn alloc(/*mut*/ _cs: CS, _instance: RelaxedR1CSInstance) -> Self + fn alloc(/*mut*/ _cs: CS, _instance: RelaxedR1CSInstance) -> Self where CS: ConstraintSystem, { @@ -223,6 +230,7 @@ where // } } + /// Allocate and add the result to the transcript pub fn alloc_transcript( mut cs: CS, instance: RelaxedR1CSInstance, diff --git a/src/parafold/nifs/mod.rs b/src/parafold/nifs/mod.rs index 061bd9120..496f3dbee 100644 --- a/src/parafold/nifs/mod.rs +++ b/src/parafold/nifs/mod.rs @@ -6,23 +6,23 @@ pub mod prover; /// Instance of a Relaxed-R1CS accumulator for a circuit. #[derive(Debug, Clone, PartialEq, Eq)] -pub struct RelaxedR1CSInstance { +pub struct RelaxedR1CSInstance { // TODO: Add pp_digest for this circuit. - u: E1::Scalar, - X: Vec, - W: Commitment, - E: Commitment, + u: E::Scalar, + X: Vec, + W: Commitment, + E: Commitment, } -/// A proof for folding a statement X of a circuit C into a Relaxed-R1CS circuit for the same circuit C +/// A proof for folding a statement X of a circuit C into a Relaxed-R1CS accumulator for the same circuit C #[derive(Debug, Clone, Default)] -pub struct FoldProof { - W: Commitment, - T: Commitment, +pub struct FoldProof { + W: Commitment, + T: Commitment, } /// A proof for merging two valid Relaxed-R1CS accumulators for the same circuit C #[derive(Debug, Clone)] -pub struct MergeProof { - T: Commitment, +pub struct MergeProof { + T: Commitment, } diff --git a/src/parafold/nifs/prover.rs b/src/parafold/nifs/prover.rs index 863bfec20..eb3bb5e16 100644 --- a/src/parafold/nifs/prover.rs +++ b/src/parafold/nifs/prover.rs @@ -4,7 +4,6 @@ use rayon::prelude::*; use crate::constants::{BN_N_LIMBS, NUM_CHALLENGE_BITS}; use crate::parafold::cycle_fold::prover::ScalarMulAccumulator; -use crate::parafold::cycle_fold::HashedCommitment; use crate::parafold::nifs::{FoldProof, MergeProof, RelaxedR1CSInstance}; use crate::parafold::transcript::prover::Transcript; use crate::parafold::transcript::TranscriptConstants; @@ -17,7 +16,7 @@ use crate::{zip_with, Commitment, CommitmentKey, CE}; /// # TODO: /// It would make sense to store the [R1CSShape] here since /// - There is only one accumulator per shape -/// - +/// - We can probably use an Arc to avoid copying #[derive(Debug)] pub struct RelaxedR1CS { instance: RelaxedR1CSInstance, @@ -43,6 +42,8 @@ impl RelaxedR1CS { &self.instance } + /// Simulate the fold protocol for a circuit on the primary curve, creating a trivial proof, + /// while updating the transcript with the standard pattern. pub fn simulate_fold_primary( acc_sm: &mut ScalarMulAccumulator, transcript: &mut Transcript, @@ -89,8 +90,9 @@ impl RelaxedR1CS { let W_comm_new = { E::CE::commit(ck, W_new) }; let (T, T_comm) = { self.compute_fold_proof(ck, shape, None, &X_new, W_new) }; - acc_sm.add_to_transcript(W_comm_new, transcript); - acc_sm.add_to_transcript(T_comm, transcript); + transcript.absorb_commitment_primary(W_comm_new); + transcript.absorb_commitment_primary(T_comm); + let r = transcript.squeeze(); self @@ -391,14 +393,12 @@ impl RelaxedR1CSInstance { pub fn hash(&self, transcript_constants: &TranscriptConstants) -> E1::Scalar { let mut transcript = Transcript::::new(transcript_constants.clone()); let Self { u, X, W, E } = self; - let W = HashedCommitment::::new(*W, transcript_constants); - let E = HashedCommitment::::new(*E, transcript_constants); - transcript.absorb(chain![ - [*u], - X.iter().cloned(), - W.as_preimage(), - E.as_preimage() - ]); + + transcript.absorb([*u]); + transcript.absorb(X.iter().cloned()); + transcript.absorb_commitment_primary(*W); + transcript.absorb_commitment_primary(*E); + transcript.squeeze() } } diff --git a/src/parafold/nivc/circuit.rs b/src/parafold/nivc/circuit.rs index 133b255f2..80d9ba53c 100644 --- a/src/parafold/nivc/circuit.rs +++ b/src/parafold/nivc/circuit.rs @@ -32,10 +32,6 @@ where E2: Engine, { /// Loads a previously proved state from a proof of its correctness. - /// - /// # Details - /// - /// pub fn from_proof( mut cs: CS, ro_consts: &TranscriptConstants, @@ -79,8 +75,9 @@ where state.enforce_base_case(cs.namespace(|| "base case"), &is_base_case); // Initialize scalar mul accumulator for folding - let mut acc_sm = AllocatedScalarMulAccumulator::new(ro_consts.clone()); + let mut acc_sm = AllocatedScalarMulAccumulator::new(); + // Update the set of accumulators with the fresh folding proof state.update_accs( cs.namespace(|| "update accs"), ro_consts, @@ -101,6 +98,8 @@ where &mut transcript, )?; + // If this is the first iteration, then reset `acc_cf` to its default state since no scalar multiplications + // were actually computed state.acc_cf = state .acc_cf .select_default(cs.namespace(|| "enforce trivial acc_cf"), &is_base_case)?; @@ -141,7 +140,7 @@ where where CS: ConstraintSystem, { - let mut acc_sm = AllocatedScalarMulAccumulator::new(ro_consts.clone()); + let mut acc_sm = AllocatedScalarMulAccumulator::new(); let Self { io: io_L, @@ -301,7 +300,7 @@ where let (acc_prev_hash, acc_curr_hash) = { // Load pre-image of accumulator to be updated let acc_prev = - AllocatedRelaxedR1CSInstance::alloc(cs.namespace(|| "alloc acc_prev"), acc_prev, ro_consts); + AllocatedRelaxedR1CSInstance::alloc(cs.namespace(|| "alloc acc_prev"), acc_prev); // Compute its hash let acc_prev_hash = acc_prev.hash(cs.namespace(|| "hash acc_prev"), ro_consts)?; @@ -404,11 +403,7 @@ where zip_eq(accs_native, accs_hash) .map( |(acc_native, acc_hash): (RelaxedR1CSInstance, AllocatedNum)| { - let acc = AllocatedRelaxedR1CSInstance::alloc( - cs.namespace(|| "alloc acc"), - acc_native, - ro_consts, - ); + let acc = AllocatedRelaxedR1CSInstance::alloc(cs.namespace(|| "alloc acc"), acc_native); let acc_hash_real = acc.hash(cs.namespace(|| "hash acc"), ro_consts)?; // Ensure the loaded accumulator's hash matches the one from the state @@ -536,6 +531,7 @@ impl AllocatedNIVCIO { io } + /// Attempt to extract the native representation. pub fn to_native(&self) -> Result, SynthesisError> { let pc_in = self .pc_in diff --git a/src/parafold/nivc/mod.rs b/src/parafold/nivc/mod.rs index 6e9b54d54..7899d0003 100644 --- a/src/parafold/nivc/mod.rs +++ b/src/parafold/nivc/mod.rs @@ -7,6 +7,10 @@ use crate::traits::Engine; pub mod circuit; pub mod prover; +/// The input and output of a NIVC computation over one or more steps. +/// +/// # Note +/// - An IO result is trivial if {pc, z}_in == {pc, z}_out #[derive(Debug, Clone, PartialEq, Eq)] pub struct NIVCIO { pc_in: F, @@ -15,17 +19,7 @@ pub struct NIVCIO { z_out: Vec, } -#[derive(Clone, Debug)] -pub struct NIVCStateInstance { - io: NIVCIO, - accs_hash: Vec, - acc_cf: RelaxedR1CSInstance, -} - /// The input and output of a NIVC computation over one or more steps. -/// -/// # Note -/// - An IO result is trivial if {pc, z}_in == {pc, z}_out #[derive(Debug, Clone)] pub struct AllocatedNIVCIO { pc_in: AllocatedNum, @@ -34,6 +28,15 @@ pub struct AllocatedNIVCIO { z_out: Vec>, } +/// Succinct representation of the recursive NIVC state that is known +#[derive(Clone, Debug)] +pub struct NIVCStateInstance { + io: NIVCIO, + accs_hash: Vec, + acc_cf: RelaxedR1CSInstance, +} + +/// A proof for loading a previous NIVC output inside a circuit. #[derive(Debug, Clone)] pub struct NIVCUpdateProof { transcript_init: E1::Scalar, diff --git a/src/parafold/nivc/prover.rs b/src/parafold/nivc/prover.rs index b4f826099..339068904 100644 --- a/src/parafold/nivc/prover.rs +++ b/src/parafold/nivc/prover.rs @@ -60,7 +60,7 @@ where state.transcript.absorb(state_instance.as_preimage()); let acc_prev = RelaxedR1CSInstance::default(num_io); - let mut acc_sm = ScalarMulAccumulator::new(ro_consts.clone()); + let mut acc_sm = ScalarMulAccumulator::new(); let nifs_fold_proof = RelaxedR1CS::simulate_fold_primary(&mut acc_sm, &mut state.transcript); let sm_fold_proofs: [FoldProof; 2] = acc_sm .simulate_finalize(&mut state.transcript) @@ -88,7 +88,7 @@ where shape_cf: &R1CSShape, witness_prev: &NIVCUpdateWitness, ) -> NIVCUpdateProof { - let mut acc_sm = ScalarMulAccumulator::::new(ro_consts.clone()); + let mut acc_sm = ScalarMulAccumulator::::new(); let transcript_init = self.transcript.seal(); let state = self.instance(ro_consts); @@ -135,7 +135,6 @@ where ck_cf: &CommitmentKey, shapes: &[R1CSShape], shape_cf: &R1CSShape, - ro_consts: &TranscriptConstants, self_L: Self, self_R: &Self, ) -> (Self, NIVCMergeProof) { @@ -152,7 +151,7 @@ where acc_cf: acc_cf_R, } = self_R; - let mut acc_sm = ScalarMulAccumulator::new(ro_consts.clone()); + let mut acc_sm = ScalarMulAccumulator::new(); let mut transcript = Transcript::merge(transcript_L, transcript_R); let io = NIVCIO::merge(io_L, io_R.clone()); diff --git a/src/parafold/prover.rs b/src/parafold/prover.rs index 60233b988..13f41fb92 100644 --- a/src/parafold/prover.rs +++ b/src/parafold/prover.rs @@ -7,6 +7,7 @@ pub struct ProvingKey { // public params ck: CommitmentKey, ck_cf: CommitmentKey, + // Shapes for each augmented StepCircuit. The last shape is for the merge circuit. shapes: Vec>, shape_cf: R1CSShape, ro_consts: TranscriptConstants, @@ -26,6 +27,8 @@ where pub fn new(pk: &ProvingKey, pc_init: usize, z_init: Vec) -> Self { let num_circuits = pk.shapes.len(); assert!(pc_init < num_circuits); + // Check arity z_init.len(); + let (state, proof) = NIVCState::init(&pk.shapes, &pk.shape_cf, &pk.ro_consts, pc_init, z_init); Self { state, proof } diff --git a/src/parafold/transcript/circuit.rs b/src/parafold/transcript/circuit.rs index 431858c6b..e063c074d 100644 --- a/src/parafold/transcript/circuit.rs +++ b/src/parafold/transcript/circuit.rs @@ -22,6 +22,7 @@ impl AllocatedTranscript { state: vec![], } } + pub fn new_init( mut cs: CS, init: E::Scalar, @@ -64,21 +65,12 @@ impl AllocatedTranscript { let acc = &mut cs.namespace(|| "squeeze"); - let mut sponge = SpongeCircuit::new_with_constants(&self.constants.0, Simplex); + let mut sponge = SpongeCircuit::new_with_constants(&self.constants, Simplex); sponge.start(pattern, None, acc); - // sponge.start(pattern, None, &mut cs.namespace(|| "start")); - SpongeAPI::absorb( - &mut sponge, - num_absorbs, - &self.state, - acc, - // &mut cs.namespace(|| "absorb"), - ); + SpongeAPI::absorb(&mut sponge, num_absorbs, &self.state, acc); self.state = SpongeAPI::squeeze(&mut sponge, 1, acc); - // self.state = SpongeAPI::squeeze(&mut sponge, 1, &mut cs.namespace(|| "squeeze")); sponge.finish(acc).unwrap(); - // sponge.finish(&mut cs.namespace(|| "finish")).unwrap(); let hash = self.state[0].ensure_allocated(acc, false)?; diff --git a/src/parafold/transcript/mod.rs b/src/parafold/transcript/mod.rs index 65fe6dc04..69b4cc0c0 100644 --- a/src/parafold/transcript/mod.rs +++ b/src/parafold/transcript/mod.rs @@ -1,4 +1,4 @@ -use generic_array::typenum::{U2, U24}; +use generic_array::typenum::U24; use neptune::poseidon::PoseidonConstants; use crate::traits::Engine; @@ -6,9 +6,5 @@ use crate::traits::Engine; pub mod circuit; pub mod prover; -/// Poseidon constants for hashing. First element is used for the Fiat-Shamir transcript, -/// second is used for hashing points on the primary curve. -pub type TranscriptConstants = ( - PoseidonConstants<::Scalar, U24>, - PoseidonConstants<::Base, U2>, -); +/// Poseidon constants for hashing used for the Fiat-Shamir transcript +pub type TranscriptConstants = PoseidonConstants<::Scalar, U24>; diff --git a/src/parafold/transcript/prover.rs b/src/parafold/transcript/prover.rs index 84c2c379d..4ebb32d84 100644 --- a/src/parafold/transcript/prover.rs +++ b/src/parafold/transcript/prover.rs @@ -38,7 +38,7 @@ impl Transcript { } pub fn absorb_commitment_primary(&mut self, c: Commitment) { - let c_hash = HashedCommitment::::new(c, &self.constants); + let c_hash = HashedCommitment::::new(c); self.absorb(c_hash.as_preimage()); } @@ -48,7 +48,7 @@ impl Transcript { } pub fn squeeze(&mut self) -> E::Scalar { - let mut sponge = Sponge::new_with_constants(&self.constants.0, Simplex); + let mut sponge = Sponge::new_with_constants(&self.constants, Simplex); let num_absorbs = self.state.len() as u32; let acc = &mut (); let parameter = IOPattern(vec![SpongeOp::Absorb(num_absorbs), SpongeOp::Squeeze(1u32)]);