diff --git a/common/Cargo.toml b/common/Cargo.toml index c3d2006..fe150fc 100644 --- a/common/Cargo.toml +++ b/common/Cargo.toml @@ -16,7 +16,6 @@ ark-serialize.workspace = true fflonk.workspace = true rayon = { workspace = true, optional = true } getrandom_or_panic = { version = "0.0.3", default-features = false } -rand_core = "0.6" [dev-dependencies] ark-ed-on-bls12-381-bandersnatch = { version = "0.4", default-features = false } @@ -31,7 +30,6 @@ std = [ "ark-serialize/std", "fflonk/std", "getrandom_or_panic/std", - "rand_core/std" ] parallel = [ "std", @@ -44,3 +42,4 @@ parallel = [ ] print-trace = ["ark-std/print-trace"] asm = ["fflonk/asm"] +test-vectors = [] diff --git a/common/src/domain.rs b/common/src/domain.rs index 9a7ff58..fe74227 100644 --- a/common/src/domain.rs +++ b/common/src/domain.rs @@ -111,7 +111,7 @@ impl Domain { pub(crate) fn column(&self, mut evals: Vec, hidden: bool) -> FieldColumn { let len = evals.len(); assert!(len <= self.capacity); - if self.hiding && hidden { + if self.hiding && hidden && !cfg!(feature = "test-vectors") { evals.resize(self.capacity, F::zero()); evals.resize_with(self.domains.x1.size(), || { F::rand(&mut getrandom_or_panic::getrandom_or_panic()) @@ -153,7 +153,7 @@ fn vanishes_on_row( ) -> DensePolynomial { assert!(i < domain.size()); let w = domain.group_gen(); - let wi = w.pow(&[i as u64]); + let wi = w.pow([i as u64]); let wi = DensePolynomial::from_coefficients_slice(&[wi]); let x = DensePolynomial::from_coefficients_slice(&[F::zero(), F::one()]); &x - &wi @@ -163,7 +163,7 @@ fn vanishes_on_row( fn vanishes_on_last_3_rows(domain: GeneralEvaluationDomain) -> DensePolynomial { let w = domain.group_gen(); let n3 = (domain.size() - ZK_ROWS) as u64; - let w3 = w.pow(&[n3]); + let w3 = w.pow([n3]); let w2 = w3 * w; let w1 = w2 * w; assert_eq!(w1, domain.group_gen_inv()); diff --git a/common/src/gadgets/booleanity.rs b/common/src/gadgets/booleanity.rs index 46820e2..92d180a 100644 --- a/common/src/gadgets/booleanity.rs 
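Review bot: The added `&& !cfg!(feature = "test-vectors")` in `Domain::column` silently drops the blinding rows, so any build with that feature produces non-hiding columns and the proofs built on them are no longer zero-knowledge, yet neither the condition nor the `test-vectors = []` declaration in common/Cargo.toml (and `test-vectors = [ "common/test-vectors" ]` in ring/Cargo.toml) says so. Cargo unifies features across the dependency graph, so one crate enabling it for test-vector generation enables it for every other user of `common` in that build, which is an easy way to ship non-hiding proofs by accident. I would add `# Disables column blinding so outputs are deterministic; test-vector generation only, never for production proofs.` at both feature declarations and a matching why-comment on the condition in `column`. `Domain::column`'s body continues outside the hunk.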
+++ b/common/src/gadgets/booleanity.rs @@ -42,7 +42,7 @@ pub struct Booleanity { bits: BitColumn, } -impl<'a, F: FftField> Booleanity { +impl Booleanity { pub fn init(bits: BitColumn) -> Self { Self { bits } } diff --git a/common/src/gadgets/cond_add.rs b/common/src/gadgets/cond_add.rs index fe903cb..533fb97 100644 --- a/common/src/gadgets/cond_add.rs +++ b/common/src/gadgets/cond_add.rs @@ -3,32 +3,74 @@ use ark_ff::{FftField, Field}; use crate::domain::Domain; use crate::gadgets::booleanity::BitColumn; -use crate::AffineColumn; +use crate::{AffineColumn, FieldColumn}; -pub trait CondAdd +use super::{ProverGadget, VerifierGadget}; + +/// Affine point with conditional add implementation. +/// +/// Currently supported for Arkworks Short Weierstrass and Twisted Edwards affine points. +pub trait AffineCondAdd: AffineRepr +where + BaseFieldOf: FftField, +{ + /// Conditional addition operation + type CondAddT: CondAdd, Self>; +} + +// Conditional affine addition. +// +// If the bit is set for a point, add the point to the acc and store, +// otherwise copy the acc value +pub trait CondAdd: ProverGadget where F: FftField, - AffinePoint: AffineRepr, + P: AffineRepr, { - type CondAddValT: CondAddValues; - fn init( - bitmask: BitColumn, - points: AffineColumn, - seed: AffinePoint, - domain: &Domain, - ) -> Self; - - fn evaluate_assignment(&self, z: &F) -> Self::CondAddValT; - fn get_acc(&self) -> AffineColumn; - fn get_result(&self) -> AffinePoint; + type Values: CondAddValues; + + fn init(bitmask: BitColumn, points: AffineColumn, seed: P, domain: &Domain) + -> Self; + + fn evaluate_assignment(&self, z: &F) -> Self::Values; + + fn get_acc(&self) -> AffineColumn; + + fn get_result(&self) -> P; } -pub trait CondAddValues +pub trait CondAddValues: VerifierGadget where F: Field, { fn acc_coeffs_1(&self) -> (F, F); + fn acc_coeffs_2(&self) -> (F, F); fn init(bitmask: F, points: (F, F), not_last: F, acc: (F, F)) -> Self; } + +pub struct CondAddGen

+where + P: AffineRepr, +

::BaseField: FftField, +{ + pub(super) bitmask: BitColumn>, + pub(super) points: AffineColumn, P>, + pub(super) not_last: FieldColumn>, + pub acc: AffineColumn, P>, + pub result: P, +} + +pub struct CondAddValuesGen { + pub bitmask: BaseFieldOf

, + pub points: (BaseFieldOf

, BaseFieldOf

), + pub not_last: BaseFieldOf

, + pub acc: (BaseFieldOf

, BaseFieldOf

), +} + +pub type BaseFieldOf

=

::BaseField; + +pub type CondAddFor

=

::CondAddT; + +pub type CondAddValuesFor

= as CondAdd, P>>::Values; diff --git a/common/src/gadgets/mod.rs b/common/src/gadgets/mod.rs index ed5a612..e1d4d85 100644 --- a/common/src/gadgets/mod.rs +++ b/common/src/gadgets/mod.rs @@ -4,7 +4,6 @@ use ark_poly::{Evaluations, GeneralEvaluationDomain}; use ark_std::vec::Vec; pub mod booleanity; -// pub mod inner_prod_pub; pub mod cond_add; pub mod fixed_cells; pub mod inner_prod; diff --git a/common/src/gadgets/powers_of_two_multiples.rs b/common/src/gadgets/powers_of_two_multiples.rs index cfc5bb0..7632f0a 100644 --- a/common/src/gadgets/powers_of_two_multiples.rs +++ b/common/src/gadgets/powers_of_two_multiples.rs @@ -270,7 +270,7 @@ mod tests { domain.divide_by_vanishing_poly(&c1); domain.divide_by_vanishing_poly(&c2); - return (domain, gadget, cs); + (domain, gadget, cs) } #[test] diff --git a/common/src/gadgets/sw_cond_add.rs b/common/src/gadgets/sw_cond_add.rs index 852d590..96e706d 100644 --- a/common/src/gadgets/sw_cond_add.rs +++ b/common/src/gadgets/sw_cond_add.rs @@ -1,6 +1,6 @@ use ark_ec::short_weierstrass::{Affine, SWCurveConfig}; use ark_ec::{AffineRepr, CurveGroup}; -use ark_ff::{FftField, Field}; +use ark_ff::{FftField, Field, One, Zero}; use ark_poly::univariate::DensePolynomial; use ark_poly::{Evaluations, GeneralEvaluationDomain}; use ark_std::{vec, vec::Vec}; 
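Review bot: The new generic `CondAddGen` struct drops the field comments the per-curve structs carried (the removed lines in sw_cond_add.rs and te_cond_add.rs described `not_last` as the polynomial `X - w^{n-1}` in the Lagrange basis and `acc` as the conditional rolling sum), and `result` has none either, so the replacement is less documented than what it replaces. The `// Conditional affine addition.` comment on the `CondAdd` trait uses `//` rather than `///`, so it never reaches rustdoc, and `Values`, `get_acc` and `get_result` have no docs at all. I would restore `// The polynomial `X - w^{n-1}` in the Lagrange basis` on `not_last` and `// Accumulates the (conditional) rolling sum of the points` on `acc`, add a line on `result` stating what it holds, and switch the trait comment to `///`. Generic parameter lists appear to have been stripped from this excerpt, so the exact declarations could not be checked.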
@@ -9,46 +9,55 @@ use crate::domain::Domain; use crate::gadgets::booleanity::BitColumn; use crate::gadgets::cond_add::{CondAdd, CondAddValues}; use crate::gadgets::{ProverGadget, VerifierGadget}; -use crate::{const_evals, AffineColumn, Column, FieldColumn}; - -// Conditional affine addition: -// if the bit is set for a point, add the point to the acc and store, -// otherwise copy the acc value -pub struct SwCondAdd> { - pub(super) bitmask: BitColumn, - pub(super) points: AffineColumn, - // The polynomial `X - w^{n-1}` in the Lagrange basis - pub(super) not_last: FieldColumn, - // Accumulates the (conditional) rolling sum of the points - pub acc: AffineColumn, - pub result: P, -} +use crate::{const_evals, AffineColumn, Column}; + +use super::cond_add::{AffineCondAdd, CondAddGen, CondAddValuesGen}; + +pub type SWCondAdd = CondAddGen>; +pub type SWCondAddValues = CondAddValuesGen>; -pub struct SwCondAddValues { - pub bitmask: F, - pub points: (F, F), - pub not_last: F, - pub acc: (F, F), +impl AffineCondAdd for Affine +where + ::BaseField: FftField, +{ + type CondAddT = SWCondAdd; } -impl CondAdd> for SwCondAdd> +impl CondAdd> for SWCondAdd where F: FftField, - Curve: SWCurveConfig, + C: SWCurveConfig, { - type CondAddValT = SwCondAddValues; - // Populates the acc column starting from the supplied seed (as 0 doesn't have an affine SW representation). - // As the SW addition formula used is not complete, the seed must be selected in a way that would prevent - // exceptional cases (doublings or adding the opposite point). - // The last point of the input column is ignored, as adding it would made the acc column overflow due the initial point. + type Values = SWCondAddValues; + + /// Populates the `acc` column starting from the provided `seed`. 
+ /// + /// As `0` lacks an affine SW representation, it is **recommended** that the `seed` + /// be chosen outside the curve prime order subgroup to remove the risk of the + /// conditional addition result landing on the point at infinity (this also applies + /// to intermediate results). + /// + /// Furthermore, becuase the SW addition formula used is incomplete, the seed should + /// be selected with care to avoid exceptional cases such as doublings or adding the + /// opposite point. + /// + /// To mitigate exceptional cases arising from malicious use, it is recommended that + /// the `points` be first verified using a PoP (Proof of Ownership). + /// + /// The last point of the input column is ignored, as adding it would made the acc column + /// overflow due the initial point. + /// + /// A valid `seed` outside the prime order subgroup can be generated via the + /// [`find_complement_point`] utility function. fn init( bitmask: BitColumn, - points: AffineColumn>, - seed: Affine, + points: AffineColumn>, + seed: Affine, domain: &Domain, ) -> Self { assert_eq!(bitmask.bits.len(), domain.capacity - 1); assert_eq!(points.points.len(), domain.capacity - 1); + let not_last = domain.not_last_row.clone(); let acc = bitmask .bits @@ -75,8 +84,8 @@ where } } - fn evaluate_assignment(&self, z: &F) -> SwCondAddValues { - SwCondAddValues { + fn evaluate_assignment(&self, z: &F) -> SWCondAddValues { + SWCondAddValues { bitmask: self.bitmask.evaluate(z), points: self.points.evaluate(z), not_last: self.not_last.evaluate(z), 
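Review bot: The new `init` docstring only recommends a seed outside the prime-order subgroup and one that avoids the doubling/opposite-point cases of the incomplete SW formula, but `init` checks none of it, so a caller who ignores the advice gets an accumulator column that silently goes through an exceptional case. If the recommendation is really a requirement, enforce it at least in debug builds, e.g. `debug_assert!(!seed.is_in_correct_subgroup_assuming_on_curve(), "SW seed should lie outside the prime-order subgroup");` after the two existing `assert_eq!` calls (the TE counterpart in te_cond_add.rs, whose docstring recommends a seed inside the subgroup, would assert the opposite). The docstring also needs `becuase` → `because` and `would made the acc column overflow due the initial point` → `would make the acc column overflow due to the initial point`; the same text recurs in te_cond_add.rs, where `that the `seed` to be chosen` should read `that the `seed` be chosen`. `PoP` is expanded here as "Proof of Ownership"; if proof of possession is what is meant, use that expansion consistently. `init`'s body continues outside the hunk.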
@@ -84,19 +93,61 @@ where } } - fn get_acc(&self) -> AffineColumn> { + fn get_acc(&self) -> AffineColumn> { self.acc.clone() } - fn get_result(&self) -> Affine { - self.result.clone() + fn get_result(&self) -> Affine { + self.result } } -impl ProverGadget for SwCondAdd> +impl CondAddValues for SWCondAddValues +where + C: SWCurveConfig, +{ + fn init(bitmask: F, points: (F, F), not_last: F, acc: (F, F)) -> Self { + SWCondAddValues { + bitmask, + points, + not_last, + acc, + } + } + + fn acc_coeffs_1(&self) -> (F, F) { + let b = self.bitmask; + let (x1, _y1) = self.acc; + let (x2, _y2) = self.points; + + let mut c_acc_x = b * (x1 - x2) * (x1 - x2); + let mut c_acc_y = F::one() - b; + + c_acc_x *= self.not_last; + c_acc_y *= self.not_last; + + (c_acc_x, c_acc_y) + } + + fn acc_coeffs_2(&self) -> (F, F) { + let b = self.bitmask; + let (x1, y1) = self.acc; + let (x2, y2) = self.points; + + let mut c_acc_x = b * (y1 - y2) + F::one() - b; + let mut c_acc_y = b * (x1 - x2); + + c_acc_x *= self.not_last; + c_acc_y *= self.not_last; + + (c_acc_x, c_acc_y) + } +} + +impl ProverGadget for SWCondAdd where F: FftField, - Curve: SWCurveConfig, + C: SWCurveConfig, { fn witness_columns(&self) -> Vec> { vec![self.acc.xs.poly.clone(), self.acc.ys.poly.clone()] @@ -175,7 +226,10 @@ where } } -impl VerifierGadget for SwCondAddValues { +impl VerifierGadget for SWCondAddValues +where + C: SWCurveConfig, +{ fn evaluate_constraints_main(&self) -> Vec { let b = self.bitmask; let (x1, y1) = self.acc; 
@@ -195,48 +249,26 @@ impl VerifierGadget for SwCondAddValues { } } -impl CondAddValues for SwCondAddValues { - fn init(bitmask: F, points: (F, F), not_last: F, acc: (F, F)) -> Self { - SwCondAddValues:: { - bitmask, - points, - not_last, - acc, +/// Finds first point outside the prime order subgroup of the curve. +/// +/// Panics if the curve group has prime order (cofactor = 1). +pub fn find_complement_point() -> Affine { + assert!(!C::cofactor_is_one()); + let mut x = C::BaseField::zero(); + loop { + if let Some(p) = Affine::::get_point_from_x_unchecked(x, false) + .filter(|p| !p.is_in_correct_subgroup_assuming_on_curve()) + { + return p; } - } - - fn acc_coeffs_1(&self) -> (F, F) { - let b = self.bitmask; - let (x1, _y1) = self.acc; - let (x2, _y2) = self.points; - - let mut c_acc_x = b * (x1 - x2) * (x1 - x2); - let mut c_acc_y = F::one() - b; - - c_acc_x *= self.not_last; - c_acc_y *= self.not_last; - - (c_acc_x, c_acc_y) - } - - fn acc_coeffs_2(&self) -> (F, F) { - let b = self.bitmask; - let (x1, y1) = self.acc; - let (x2, y2) = self.points; - - let mut c_acc_x = b * (y1 - y2) + F::one() - b; - let mut c_acc_y = b * (x1 - x2); - - c_acc_x *= self.not_last; - c_acc_y *= self.not_last; - - (c_acc_x, c_acc_y) + x += C::BaseField::one(); } } #[cfg(test)] mod tests { - use ark_ed_on_bls12_381_bandersnatch::{Fq, SWAffine}; + use ark_ed_on_bls12_381_bandersnatch::{BandersnatchConfig, Fq, SWAffine}; + use ark_ff::MontFp; use ark_poly::Polynomial; use ark_std::test_rng; @@ -247,7 +279,7 @@ mod tests { fn _test_sw_cond_add_gadget( hiding: bool, - ) -> (Domain, SwCondAdd, Vec>) { + ) -> (Domain, CondAddGen, Vec>) { let rng = &mut test_rng(); let log_n = 10; 
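Review bot: `find_complement_point` documents its panic in prose; the rustdoc convention is a section, `/// # Panics` followed by `/// Panics if the curve group has prime order (cofactor = 1).`, which also makes the `assert!(!C::cofactor_is_one())` guard discoverable from the generated docs. The `loop` has no iteration bound, and while the cofactor assert is what makes termination expected, a one-line comment stating that (`// With cofactor > 1 a non-subgroup point exists for some small x, so the scan terminates.`) would save the next reader from re-deriving it.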
@@ -261,7 +293,7 @@ mod tests { let bitmask_col = BitColumn::init(bitmask, &domain); let points_col = AffineColumn::private_column(points, &domain); - let gadget = SwCondAdd::init(bitmask_col, points_col, seed, &domain); + let gadget = CondAddGen::init(bitmask_col, points_col, seed, &domain); let res = gadget.acc.points.last().unwrap(); assert_eq!(res, &expected_res); @@ -275,7 +307,7 @@ mod tests { domain.divide_by_vanishing_poly(&c1); domain.divide_by_vanishing_poly(&c2); - return (domain, gadget, cs); + (domain, gadget, cs) } #[test] @@ -301,4 +333,20 @@ mod tests { assert_eq!(constrain_poly.evaluate(&random_point), result); } } + + #[test] + fn test_complement_point() { + let p = find_complement_point::(); + assert!(p.is_on_curve()); + assert!(!p.is_in_correct_subgroup_assuming_on_curve()); + assert_eq!( + p, + SWAffine::new_unchecked( + MontFp!("0"), + MontFp!( + "11982629110561008531870698410380659621661946968466267969586599013782997959645" + ) + ) + ) + } } diff --git a/common/src/gadgets/te_cond_add.rs b/common/src/gadgets/te_cond_add.rs index adb36e6..b65e0e5 100644 --- a/common/src/gadgets/te_cond_add.rs +++ b/common/src/gadgets/te_cond_add.rs 
@@ -4,49 +4,50 @@ use ark_ff::{FftField, Field}; use ark_poly::univariate::DensePolynomial; use ark_poly::{Evaluations, GeneralEvaluationDomain}; use ark_std::{vec, vec::Vec}; -use core::marker::PhantomData; use crate::domain::Domain; use crate::gadgets::booleanity::BitColumn; use crate::gadgets::cond_add::{CondAdd, CondAddValues}; use crate::gadgets::{ProverGadget, VerifierGadget}; -use crate::{const_evals, AffineColumn, Column, FieldColumn}; - -// Conditional affine addition: -// if the bit is set for a point, add the point to the acc and store, -// otherwise copy the acc value -pub struct TeCondAdd> { - pub(super) bitmask: BitColumn, - pub(super) points: AffineColumn, - // The polynomial `X - w^{n-1}` in the Lagrange basis - pub(super) not_last: FieldColumn, - // Accumulates the (conditional) rolling sum of the points - pub acc: AffineColumn, - pub result: P, -} +use crate::{const_evals, AffineColumn, Column}; + +use super::cond_add::{AffineCondAdd, CondAddGen, CondAddValuesGen}; + +pub type TECondAdd = CondAddGen>; +pub type TECondAddValues = CondAddValuesGen>; -pub struct TeCondAddValues> { - pub bitmask: F, - pub points: (F, F), - pub not_last: F, - pub acc: (F, F), - pub _curve: PhantomData, +impl AffineCondAdd for Affine +where + ::BaseField: FftField, +{ + type CondAddT = TECondAdd; } -impl CondAdd> for TeCondAdd> +impl CondAdd> for TECondAdd where F: FftField, - Curve: TECurveConfig, + C: TECurveConfig, { - type CondAddValT = TeCondAddValues; - // Populates the acc column starting from the supplied seed (as 0 doesn't work with the addition formula). - // As the TE addition formula used is not complete, the seed must be selected in a way that would prevent - // exceptional cases (doublings or adding the opposite point). - // The last point of the input column is ignored, as adding it would made the acc column overflow due the initial point. + type Values = TECondAddValues; + + /// Populates the `acc` column starting from the provided `seed`. 
+ /// + /// It is **recommended** that the `seed` to be chosen **inside** the curve prime + /// order subgroup. + /// + /// Furthermore, becuase the TE addition formula used is incomplete, the seed should + /// be selected with care to avoid exceptional cases such as doublings or adding the + /// opposite point. + /// + /// To mitigate exceptional cases arising from malicious use, it is recommended that + /// the `points` be first verified using a PoP (Proof of Ownership). + /// + /// The last point of the input column is ignored, as adding it would made the acc column + /// overflow due the initial point. fn init( bitmask: BitColumn, - points: AffineColumn>, - seed: Affine, + points: AffineColumn>, + seed: Affine, domain: &Domain, ) -> Self { assert_eq!(bitmask.bits.len(), domain.capacity - 1); 
@@ -77,29 +78,69 @@ where } } - fn evaluate_assignment(&self, z: &F) -> TeCondAddValues { - TeCondAddValues { + fn evaluate_assignment(&self, z: &F) -> TECondAddValues { + TECondAddValues { bitmask: self.bitmask.evaluate(z), points: self.points.evaluate(z), not_last: self.not_last.evaluate(z), acc: self.acc.evaluate(z), - _curve: PhantomData, } } - fn get_acc(&self) -> AffineColumn> { + fn get_acc(&self) -> AffineColumn> { self.acc.clone() } - fn get_result(&self) -> Affine { - self.result.clone() + fn get_result(&self) -> Affine { + self.result + } +} + +impl CondAddValues for TECondAddValues +where + C: TECurveConfig, +{ + fn init(bitmask: F, points: (F, F), not_last: F, acc: (F, F)) -> Self { + TECondAddValues { + bitmask, + points, + not_last, + acc, + } + } + fn acc_coeffs_1(&self) -> (F, F) { + let b = self.bitmask; + let (x1, y1) = self.acc; + let (x2, y2) = self.points; + + let mut c_acc_x = b * (y1 * y2 + C::COEFF_A * x1 * x2) + F::one() - b; + let mut c_acc_y = F::zero(); + + c_acc_x *= self.not_last; + c_acc_y *= self.not_last; + + (c_acc_x, c_acc_y) + } + + fn acc_coeffs_2(&self) -> (F, F) { + let b = self.bitmask; + let (x1, y1) = self.acc; + let (x2, y2) = self.points; + + let mut c_acc_x = F::zero(); + let mut c_acc_y = b * (x1 * y2 - x2 * y1) + F::one() - b; + + c_acc_x *= self.not_last; + c_acc_y *= self.not_last; + + (c_acc_x, c_acc_y) } } -impl ProverGadget for TeCondAdd> +impl ProverGadget for TECondAdd where F: FftField, - Curve: TECurveConfig, + C: TECurveConfig, { fn witness_columns(&self) -> Vec> { vec![self.acc.xs.poly.clone(), self.acc.ys.poly.clone()] 
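Review bot: In the moved `CondAddValues` impl for `TECondAddValues`, `acc_coeffs_1` declares `let mut c_acc_y = F::zero();` and then runs `c_acc_y *= self.not_last;`, and `acc_coeffs_2` does the same with `c_acc_x`; multiplying a literal zero is dead work and obscures that the coefficient is constant. Prefer `let c_acc_y = F::zero();` with the `*=` line removed (likewise for `c_acc_x`), plus a short comment on why that coefficient is zero for the TE formula. Also, unlike the SW counterpart in sw_cond_add.rs, there is no blank line between `init` and `acc_coeffs_1`, which breaks the file's usual method separation.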
@@ -109,7 +150,7 @@ where let domain = self.bitmask.domain_4x(); let b = &self.bitmask.col.evals_4x; let one = &const_evals(F::one(), domain); - let te_a_coeff = &const_evals(Curve::COEFF_A, domain); + let te_a_coeff = &const_evals(C::COEFF_A, domain); let (x1, y1) = (&self.acc.xs.evals_4x, &self.acc.ys.evals_4x); let (x2, y2) = (&self.points.xs.evals_4x, &self.points.ys.evals_4x); let (x3, y3) = (&self.acc.xs.shifted_4x(), &self.acc.ys.shifted_4x()); @@ -165,6 +206,7 @@ where /// Mary-Oana Linearization technique. See: https://hackmd.io/0kdBl3GVSmmcB7QJe1NTuw?view#Linearization fn constraints_linearized(&self, z: &F) -> Vec> { + use super::cond_add::CondAdd; let vals = self.evaluate_assignment(z); let acc_x = self.acc.xs.as_poly(); let acc_y = self.acc.ys.as_poly(); @@ -183,8 +225,9 @@ where } } -impl> VerifierGadget - for TeCondAddValues +impl VerifierGadget for TECondAddValues +where + C: TECurveConfig, { fn evaluate_constraints_main(&self) -> Vec { let b = self.bitmask; @@ -193,7 +236,7 @@ impl> VerifierGadget let (x3, y3) = (F::zero(), F::zero()); //b (x_3 (y_1 y_2 + ax_1 x_2) - x_1 y_1 - y_2 x_2) + (1 - b) (x_3 - x_1) = 0 - let mut c1 = b * (x3 * (y1 * y2 + Curve::COEFF_A * x1 * x2) - (x1 * y1 + x2 * y2)) + let mut c1 = b * (x3 * (y1 * y2 + C::COEFF_A * x1 * x2) - (x1 * y1 + x2 * y2)) + (F::one() - b) * (x3 - x1); //b (y_3 (x_1 y_2 - x_2 y_1) - x_1 y_1 + x_2 y_2) + (1 - b) (y_3 - y_1) = 0 
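Review bot: The function-local `use super::cond_add::CondAdd;` added at the top of `constraints_linearized` looks redundant: the module already imports `crate::gadgets::cond_add::{CondAdd, CondAddValues}` (an unchanged line in this file's first hunk), and the SW counterpart's `constraints_linearized` needs no such import. If the compiler does require it, for instance because of an ambiguity around `evaluate_assignment`, a one-line comment saying so would stop the next reader from deleting it; otherwise drop the line. `constraints_linearized`'s body continues outside the hunk.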
@@ -207,45 +250,6 @@ impl> VerifierGadget } } -impl> CondAddValues for TeCondAddValues { - fn init(bitmask: F, points: (F, F), not_last: F, acc: (F, F)) -> Self { - TeCondAddValues:: { - bitmask, - points, - not_last, - acc, - _curve: PhantomData, - } - } - fn acc_coeffs_1(&self) -> (F, F) { - let b = self.bitmask; - let (x1, y1) = self.acc; - let (x2, y2) = self.points; - - let mut c_acc_x = b * (y1 * y2 + Curve::COEFF_A * x1 * x2) + F::one() - b; - let mut c_acc_y = F::zero(); - - c_acc_x *= self.not_last; - c_acc_y *= self.not_last; - - (c_acc_x, c_acc_y) - } - - fn acc_coeffs_2(&self) -> (F, F) { - let b = self.bitmask; - let (x1, y1) = self.acc; - let (x2, y2) = self.points; - - let mut c_acc_x = F::zero(); - let mut c_acc_y = b * (x1 * y2 - x2 * y1) + F::one() - b; - - c_acc_x *= self.not_last; - c_acc_y *= self.not_last; - - (c_acc_x, c_acc_y) - } -} - #[cfg(test)] mod tests { use ark_ed_on_bls12_381_bandersnatch::{EdwardsAffine, Fq}; @@ -259,11 +263,7 @@ mod tests { fn _test_te_cond_add_gadget( hiding: bool, - ) -> ( - Domain, - TeCondAdd, - Vec>, - ) { + ) -> (Domain, CondAddGen, Vec>) { let rng = &mut test_rng(); let log_n = 10; @@ -277,7 +277,7 @@ mod tests { let bitmask_col = BitColumn::init(bitmask, &domain); let points_col = AffineColumn::private_column(points, &domain); - let gadget = TeCondAdd::init(bitmask_col, points_col, seed, &domain); + let gadget = CondAddGen::init(bitmask_col, points_col, seed, &domain); let res = gadget.acc.points.last().unwrap(); assert_eq!(res, &expected_res); @@ -291,7 +291,7 @@ mod tests { domain.divide_by_vanishing_poly(&c1); domain.divide_by_vanishing_poly(&c2); - return (domain, gadget, cs); + (domain, gadget, cs) } #[test] diff --git a/common/src/test_helpers.rs b/common/src/test_helpers.rs index 9b2a964..f3c2926 100644 --- a/common/src/test_helpers.rs +++ b/common/src/test_helpers.rs @@ -11,10 +11,7 @@ pub fn random_vec(n: usize, rng: &mut R) -> Vec { (0..n).map(|_| X::rand(rng)).collect() } -pub fn cond_sum

(bitmask: &[bool], points: &[P]) -> P -where - P: AffineRepr, -{ +pub fn cond_sum(bitmask: &[bool], points: &[P]) -> P { assert_eq!(bitmask.len(), points.len()); bitmask .iter() @@ -32,6 +29,5 @@ where for _ in 1..power { point_multiple.double_in_place(); } - point_multiple.into() } diff --git a/common/src/transcript.rs b/common/src/transcript.rs index fd58a3f..c64ed98 100644 --- a/common/src/transcript.rs +++ b/common/src/transcript.rs @@ -1,9 +1,8 @@ use ark_ff::PrimeField; use ark_poly::GeneralEvaluationDomain; use ark_serialize::CanonicalSerialize; -use ark_std::vec::Vec; +use ark_std::{rand::RngCore, vec::Vec}; use fflonk::pcs::{PcsParams, PCS}; -use rand_core::RngCore; use crate::{ColumnsCommited, ColumnsEvaluated}; diff --git a/common/src/verifier.rs b/common/src/verifier.rs index e67bd1d..a59fbfa 100644 --- a/common/src/verifier.rs +++ b/common/src/verifier.rs @@ -1,9 +1,8 @@ use ark_ff::{Field, PrimeField}; use ark_serialize::CanonicalSerialize; use ark_std::rand::Rng; -use ark_std::{vec, vec::Vec}; +use ark_std::{rand::RngCore, vec, vec::Vec}; use fflonk::pcs::{Commitment, PcsParams, PCS}; -use rand_core::RngCore; use crate::piop::VerifierPiop; use crate::transcript::PlonkTranscript; diff --git a/ring/Cargo.toml b/ring/Cargo.toml index bacf13a..7ab75b3 100644 --- a/ring/Cargo.toml +++ b/ring/Cargo.toml @@ -16,7 +16,6 @@ ark-serialize.workspace = true fflonk.workspace = true rayon = { workspace = true, optional = true } common = { path = "../common", default-features = false } -blake2 = { version = "0.10", default-features = false } arrayvec = { version = "0.7", default-features = false } ark-transcript = { version = "0.0.2", default-features = false } @@ -50,3 +49,6 @@ print-trace = [ "common/print-trace" ] asm = [ "fflonk/asm" ] +test-vectors = [ "common/test-vectors" ] +# benchmarking by running many proofs and verifications to get more accurate timing comparison +intensive-benchmarking = ["std"] 
diff --git a/ring/src/lib.rs b/ring/src/lib.rs index e036f6d..c939dda 100644 --- a/ring/src/lib.rs +++ b/ring/src/lib.rs @@ -1,15 +1,14 @@ #![cfg_attr(not(feature = "std"), no_std)] -use ark_ec::{ - short_weierstrass::{Affine, SWCurveConfig}, - AffineRepr, -}; -use ark_ff::{One, PrimeField, Zero}; +use ark_ec::AffineRepr; +use ark_ff::PrimeField; use ark_serialize::CanonicalSerialize; use ark_std::rand::RngCore; use fflonk::pcs::PCS; pub use common::domain::Domain; +pub use common::gadgets::cond_add::AffineCondAdd; + use common::Proof; pub use piop::index; @@ -26,51 +25,6 @@ pub type RingProof = Proof>::C>, /// Polynomial Commitment Schemes. pub use fflonk::pcs; -// Calling the method for a prime-order curve results in an infinite loop. -pub fn find_complement_point() -> Affine { - let mut x = Curve::BaseField::zero(); - loop { - let p = Affine::::get_point_from_x_unchecked(x, false); - if p.is_some() && !p.unwrap().is_in_correct_subgroup_assuming_on_curve() { - return p.unwrap(); - } - x = x + Curve::BaseField::one() - } -} - -pub fn find_random_point>() -> P { - let mut x: u8 = 0; - loop { - let p = P::from_random_bytes(&[x]); - if p.is_some() && !p.unwrap().is_zero() { - // && !p.unwrap().is_in_correct_subgroup_assuming_on_curve() { - return p.unwrap().clear_cofactor(); - } - x = x + 1; - } -} - -// Try and increment hash to curve. -pub(crate) fn hash_to_curve>(message: &[u8]) -> P { - use blake2::Digest; - let mut seed = message.to_vec(); - let cnt_offset = seed.len(); - let mut no_tries: usize = 0; - - seed.push(0); - loop { - let hash: [u8; 64] = blake2::Blake2b::digest(&seed[..]).into(); - if let Some(point) = P::from_random_bytes(&hash) { - let point = point.clear_cofactor(); - //assert!(point.is_in_correct_subgroup_assuming_on_curve()); - return point; - } - seed[cnt_offset] += 1; - no_tries += 1; - assert!(no_tries < 256); - } -} - #[derive(Clone)] pub struct ArkTranscript(ark_transcript::Transcript); 
@@ -95,12 +49,22 @@ impl ArkTranscript { } } +/// Simple try and increment hash to curve utility. +/// +/// This can be used to generage a point within the prime order subgroup +/// given a seed message. +pub fn hash_to_curve>(message: &[u8]) -> P { + let mut t = ark_transcript::Transcript::new_blank(); + t.append_slice(message); + let mut rng = t.challenge(b"rng"); + P::rand(&mut rng) +} + #[cfg(test)] mod tests { use ark_bls12_381::Bls12_381; - use ark_ec::CurveGroup; - use ark_ed_on_bls12_381_bandersnatch::{BandersnatchConfig, EdwardsAffine, Fq, Fr, SWAffine}; - use ark_ff::MontFp; + use ark_ec::{AffineRepr, CurveGroup}; + use ark_ed_on_bls12_381_bandersnatch::{EdwardsAffine, Fq, Fr, SWAffine}; use ark_std::rand::Rng; use ark_std::{end_timer, start_timer, test_rng, UniformRand}; use fflonk::pcs::kzg::KZG; @@ -111,25 +75,17 @@ mod tests { use crate::ring::{Ring, RingBuilderKey}; use crate::ring_prover::RingProver; use crate::ring_verifier::RingVerifier; - use common::gadgets::cond_add::CondAdd; - use common::gadgets::sw_cond_add::SwCondAdd; - use common::gadgets::te_cond_add::TeCondAdd; - use common::gadgets::ProverGadget; - use common::gadgets::VerifierGadget; + use common::gadgets::cond_add::AffineCondAdd; + #[cfg(feature = "intensive-benchmarking")] use std::hint::black_box; use super::*; - fn _test_ring_proof< + fn _test_ring_proof(domain_size: usize, _repeat: usize) + where CS: PCS, - P: AffineRepr, - CondAddT: CondAdd + ProverGadget, - >( - domain_size: usize, - repeat: usize, - ) where - CondAddT::CondAddValT: VerifierGadget, + P: AffineCondAdd, { let rng = &mut test_rng(); @@ -139,7 +95,7 @@ mod tests { let keyset_size: usize = rng.gen_range(0..max_keyset_size); let pks = random_vec::(keyset_size, rng); let k = rng.gen_range(0..keyset_size); // prover's secret index - let pk = pks[k].clone(); + let pk = pks[k]; let (prover_key, verifier_key) = index::<_, CS, _>(&pcs_params, &piop_params, &pks); 
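Review bot: The new `hash_to_curve` is a transcript-seeded sampler, not a hash-to-curve construction, and its doc should say so: the message is absorbed into a blank `ark_transcript::Transcript`, a `b"rng"` challenge stream is drawn and `P::rand` is run on it, so the output is deterministic in `message` but is not a standard hash-to-curve suite output and differs from what the removed blake2 try-and-increment version produced for the same bytes. The "point within the prime order subgroup" claim relies on `P::rand` clearing the cofactor, so state it, e.g. `/// Deterministic in `message`; subgroup membership relies on `P::rand` yielding a prime-order point.`. There is no domain-separation input beyond the fixed `b"rng"` label, so two callers hashing the same bytes for different purposes get the same point; either take a label parameter or document that separation is the caller's job. Also `generage` → `generate`.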
@@ -153,12 +109,17 @@ mod tests { ArkTranscript::new(b"ring-vrf-test"), ); let t_prove = start_timer!(|| "Prove"); + + #[cfg(feature = "intensive-benchmarking")] let mut proofs: Vec> = vec![]; - for _ in 0..repeat - 1 { - black_box(proofs.push(ring_prover.prove::(secret))); + + #[cfg(feature = "intensive-benchmarking")] + for _ in 0.._repeat - 1 { + let proof = black_box(ring_prover.prove(secret)); + proofs.push(proof); } - let proof = ring_prover.prove::(secret); + let proof = ring_prover.prove(secret); end_timer!(t_prove); let ring_verifier = RingVerifier::init( @@ -167,14 +128,13 @@ mod tests { ArkTranscript::new(b"ring-vrf-test"), ); let t_verify = start_timer!(|| "Verify"); - for _ in 0..repeat - 1 { - black_box(ring_verifier.verify_ring_proof::( - proofs.pop().unwrap(), - result.into_affine(), - )); + + #[cfg(feature = "intensive-benchmarking")] + for _ in 0.._repeat - 1 { + let proof = proofs.pop().unwrap(); + black_box(ring_verifier.verify(proof, result.into_affine())); } - let res = - ring_verifier.verify_ring_proof::(proof, result.into_affine()); + let res = ring_verifier.verify(proof, result.into_affine()); end_timer!(t_verify); assert!(res); } @@ -211,8 +171,9 @@ mod tests { let domain = Domain::new(domain_size, true); let h = P::rand(rng); - let seed = find_random_point::(); - let piop_params = PiopParams::setup(domain, h, seed); + let seed = P::rand(rng); + let pad = P::rand(rng); + let piop_params = PiopParams::setup(domain, h, seed, pad); (pcs_params, piop_params) } 
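Review bot: In the test setup the seed is now `P::rand(rng)` for both the SW and TE instantiations, while the new `init` docstring in common/src/gadgets/sw_cond_add.rs recommends an SW seed outside the prime-order subgroup and offers `find_complement_point` for it; if `P::rand` yields subgroup points (as arkworks' `UniformRand` for affine points appears to), the SW tests no longer exercise the recommended configuration. Since this helper is generic over `P`, consider passing the seed in from the per-curve callers (the SW ones using `find_complement_point`) or add a comment saying why a random seed is acceptable here. Separately, `for _ in 0.._repeat - 1` in the `intensive-benchmarking` blocks underflows when `_repeat == 0`; `0.._repeat.saturating_sub(1)` avoids the panic. The enclosing test helper continues outside the hunk.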
@@ -227,62 +188,35 @@ mod tests { _test_lagrangian_commitment::(); } - #[test] - fn test_complement_point() { - let p = find_complement_point::(); - assert!(p.is_on_curve()); - assert!(!p.is_in_correct_subgroup_assuming_on_curve()); - assert_eq!( - p, - SWAffine::new_unchecked( - MontFp!("0"), - MontFp!( - "11982629110561008531870698410380659621661946968466267969586599013782997959645" - ) - ) - ) - } - #[test] fn test_ring_proof_kzg_sw() { - _test_ring_proof::, SWAffine, SwCondAdd>(2usize.pow(10), 1); + _test_ring_proof::, SWAffine>(2usize.pow(10), 1); } #[test] fn test_ring_proof_kzg_te() { - _test_ring_proof::, EdwardsAffine, TeCondAdd>( - 2usize.pow(10), - 1, - ); + _test_ring_proof::, EdwardsAffine>(2usize.pow(10), 1); } #[test] fn test_ring_proof_id_sw() { - _test_ring_proof::>( - 2usize.pow(10), - 1, - ); + _test_ring_proof::(2usize.pow(10), 1); } #[test] fn test_ring_proof_id_te() { - _test_ring_proof::< - fflonk::pcs::IdentityCommitment, - EdwardsAffine, - TeCondAdd, - >(2usize.pow(10), 1); + _test_ring_proof::(2usize.pow(10), 1); } + #[cfg(feature = "intensive-benchmarking")] #[test] fn test_16k_ring_10_proofs_kzg_sw() { - _test_ring_proof::, SWAffine, SwCondAdd>(2usize.pow(14), 10); + _test_ring_proof::, SWAffine>(2usize.pow(14), 10); } + #[cfg(feature = "intensive-benchmarking")] #[test] fn test_16k_ring_10_proofs_kzg_te() { - _test_ring_proof::, EdwardsAffine, TeCondAdd>( - 2usize.pow(14), - 10, - ); + _test_ring_proof::, EdwardsAffine>(2usize.pow(14), 10); } } diff --git a/ring/src/piop/mod.rs b/ring/src/piop/mod.rs index 6b778c9..7434eb8 100644 --- a/ring/src/piop/mod.rs +++ b/ring/src/piop/mod.rs 
@@ -238,7 +238,7 @@ pub fn index, P: AffineRepr>(
 ) -> (ProverKey, VerifierKey) {
 let pcs_ck = pcs_params.ck();
 let pcs_raw_vk = pcs_params.raw_vk();
- let fixed_columns = piop_params.fixed_columns(&keys);
+ let fixed_columns = piop_params.fixed_columns(keys);
 let fixed_columns_committed = fixed_columns.commit::(&pcs_ck);
 let verifier_key = VerifierKey {
 pcs_raw_vk: pcs_raw_vk.clone(),
diff --git a/ring/src/piop/params.rs b/ring/src/piop/params.rs
index caadbcf..c6d9d8d 100644
--- a/ring/src/piop/params.rs
+++ b/ring/src/piop/params.rs
@@ -30,8 +30,7 @@ pub struct PiopParams> {
 }
 impl> PiopParams {
- pub fn setup(domain: Domain, h: P, seed: P) -> Self {
- let padding_point = crate::hash_to_curve::(b"w3f/ring-proof/padding");
+ pub fn setup(domain: Domain, h: P, seed: P, padding_point: P) -> Self {
 let scalar_bitlen = P::ScalarField::MODULUS_BIT_SIZE as usize;
 // 1 accounts for the last cells of the points and bits columns that remain unconstrained
 let keyset_part_size = domain.capacity - scalar_bitlen - 1;
@@ -48,7 +47,7 @@ impl> PiopParams {
 pub fn fixed_columns(&self, keys: &[P]) -> FixedColumns {
 let ring_selector = self.keyset_part_selector();
 let ring_selector = self.domain.public_column(ring_selector);
- let points = self.points_column(&keys);
+ let points = self.points_column(keys);
 FixedColumns {
 points,
 ring_selector,
@@ -88,6 +87,10 @@ impl> PiopParams {
 ]
 .concat()
 }
+
+ pub fn padding_point(&self) -> P {
+ self.padding_point
+ }
 }
 #[cfg(test)]
@@ -105,8 +108,9 @@ mod tests {
 let rng = &mut test_rng();
 let h = P::rand(rng);
 let seed = P::rand(rng);
+ let pad = P::rand(rng);
 let domain = Domain::new(1024, false);
- let params = PiopParams::::setup(domain, h, seed);
+ let params = PiopParams::::setup(domain, h, seed, pad);
 let t = Fr::rand(rng);
 let t_bits = params.scalar_part(t);
 let th = cond_sum(&t_bits, ¶ms.power_of_2_multiples_of_h());
diff --git a/ring/src/piop/prover.rs b/ring/src/piop/prover.rs
index 65f57fd..2db52be 100644
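Review bot: `PiopParams::setup` now accepts `padding_point` from the caller, but nothing on the new signature says what that point has to be, and the removed `hash_to_curve(b"w3f/ring-proof/padding")` line is what used to guarantee it. That derivation yielded a point with no known discrete logarithm; if the padding point is what fills the unused ring slots (the `padding, ..., padding, H, 2H, ...` layout described in ring.rs suggests so), a caller who passes a generator or a point built from a known scalar hands whoever knows that scalar a usable slot in every ring that is not full. I would put the contract on the constructor: `/// `padding_point` fills the ring slots not occupied by keys. It MUST be a point whose discrete log is unknown to everyone, e.g. the output of hash-to-curve on a domain separator, and SHOULD be distinct from `h` and `seed`.` A debug assertion that `padding_point != h && padding_point != seed` would cheaply catch the most careless misuse; the new `padding_point()` getter suggests callers are expected to compare rings against their params, so the same doc should say a ring's stored padding point must match the params it is verified with.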
--- a/ring/src/piop/prover.rs
+++ b/ring/src/piop/prover.rs
@@ -51,7 +51,7 @@ impl, CondAddT: CondAdd>
 points,
 ring_selector,
 } = fixed_columns;
- let bits = Self::bits_column(¶ms, prover_index_in_keys, secret);
+ let bits = Self::bits_column(params, prover_index_in_keys, secret);
 let inner_prod = InnerProd::init(ring_selector.clone(), bits.col.clone(), &domain);
 let cond_add = CondAddT::init(bits.clone(), points.clone(), params.seed, &domain);
 let booleanity = Booleanity::init(bits.clone());
@@ -92,7 +92,7 @@ where
 F: PrimeField,
 C: Commitment,
 P: AffineRepr,
- CondAddT: CondAdd + ProverGadget,
+ CondAddT: CondAdd,
 {
 type Commitments = RingCommitments;
 type Evaluations = RingEvaluations;
@@ -150,7 +150,7 @@ where
 }
 fn constraints(&self) -> Vec> {
- vec![
+ [
 self.inner_prod.constraints(),
 self.cond_add.constraints(),
 self.booleanity.constraints(),
@@ -162,7 +162,7 @@ where
 }
 fn constraints_lin(&self, zeta: &F) -> Vec> {
- vec![
+ [
 self.inner_prod.constraints_linearized(zeta),
 self.cond_add.constraints_linearized(zeta),
 self.booleanity.constraints_linearized(zeta),
diff --git a/ring/src/piop/verifier.rs b/ring/src/piop/verifier.rs
index fc746e4..a4ce438 100644
--- a/ring/src/piop/verifier.rs
+++ b/ring/src/piop/verifier.rs
@@ -99,8 +99,8 @@ impl, CondAddValuesT: CondAddValues>
 }
 }
-impl, CondAddValuesT: CondAddValues + VerifierGadget>
- VerifierPiop for PiopVerifier
+impl, CondAddValuesT: CondAddValues> VerifierPiop
+ for PiopVerifier
 {
 const N_CONSTRAINTS: usize = 7;
 const N_COLUMNS: usize = 7;
@@ -110,7 +110,7 @@ impl, CondAddValuesT: CondAddValues + Verifie
 }
 fn evaluate_constraints_main(&self) -> Vec {
- vec![
+ [
 self.inner_prod.evaluate_constraints_main(),
 self.cond_add.evaluate_constraints_main(),
 self.booleanity.evaluate_constraints_main(),
diff --git a/ring/src/ring.rs b/ring/src/ring.rs
index bd339bd..fe55443 100644
--- a/ring/src/ring.rs
+++ b/ring/src/ring.rs
@@ -36,11 +36,7 @@ const IDLE_ROWS: usize = ZK_ROWS + 1; // `VrfCurveConfig` -- inner curve, the curve used by the VRF, in SW form. We instantiate it with Bandersnatch. // `F` shared scalar field of the outer and the base field of the inner curves. #[derive(Clone, PartialEq, Eq, CanonicalSerialize, CanonicalDeserialize)] -pub struct Ring< - F: PrimeField, - KzgCurve: Pairing, - VrfAffineT: AffineRepr, -> { +pub struct Ring, P: AffineRepr> { // KZG commitments to the coordinates of the vector described above pub cx: KzgCurve::G1Affine, pub cy: KzgCurve::G1Affine, @@ -51,11 +47,11 @@ pub struct Ring< // the number of keys "stored" in this commitment pub curr_keys: usize, // a parameter - pub padding_point: VrfAffineT, + pub padding_point: P, } -impl, VrfAffineT: AffineRepr> - fmt::Debug for Ring +impl, P: AffineRepr> fmt::Debug + for Ring { fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { write!( @@ -66,8 +62,8 @@ impl, VrfAffineT: AffineRepr, VrfAffineT: AffineRepr> - Ring +impl, P: AffineRepr> + Ring { // Builds the commitment to the vector // `padding, ..., padding, H, 2H, ..., 2^(s-1)H, 0, 0, 0, 0`. @@ -77,7 +73,7 @@ impl, VrfAffineT: AffineRepr, + piop_params: &PiopParams, // Should return `srs[range]` for `range = (piop_params.keyset_part_size..domain_size)` srs: impl Fn(Range) -> Result, ()>, // generator used in the SRS @@ -121,7 +117,7 @@ impl, VrfAffineT: AffineRepr) -> Result, ()>, ) { @@ -151,8 +147,8 @@ impl, VrfAffineT: AffineRepr, - keys: &[VrfAffineT], + piop_params: &PiopParams, + keys: &[P], // full-size Lagrangian srs srs: &RingBuilderKey, ) -> Self { @@ -213,10 +209,9 @@ impl, VrfAffineT: AffineRepr Self { - let max_keys = - domain_size - (VrfAffineT::ScalarField::MODULUS_BIT_SIZE as usize + IDLE_ROWS); + let max_keys = domain_size - (P::ScalarField::MODULUS_BIT_SIZE as usize + IDLE_ROWS); Self { cx, cy, @@ -247,10 +242,9 @@ impl> RingBuilderKey = Ring; + type TestRing

= Ring; - fn _test_ring_mgmt>() { + fn _test_ring_mgmt>() { let rng = &mut test_rng(); let domain_size = 1 << 9; @@ -275,17 +269,18 @@ mod tests { let srs = |range: Range| Ok(ring_builder_key.lis_in_g1[range].to_vec()); // piop params - let h = SWAffine::rand(rng); - let seed = SWAffine::rand(rng); + let h = P::rand(rng); + let seed = P::rand(rng); + let pad = P::rand(rng); let domain = Domain::new(domain_size, true); - let piop_params = PiopParams::setup(domain, h, seed); + let piop_params = PiopParams::setup(domain, h, seed, pad); let mut ring = TestRing::empty(&piop_params, srs, ring_builder_key.g1); let (monimial_cx, monimial_cy) = get_monomial_commitment(&pcs_params, &piop_params, &[]); assert_eq!(ring.cx, monimial_cx); assert_eq!(ring.cy, monimial_cy); - let keys = random_vec::(ring.max_keys, rng); + let keys = random_vec::(ring.max_keys, rng); ring.append(&keys, srs); let (monimial_cx, monimial_cy) = get_monomial_commitment(&pcs_params, &piop_params, &keys); assert_eq!(ring.cx, monimial_cx); @@ -305,7 +300,7 @@ mod tests { _test_ring_mgmt::(); } - fn _test_empty_rings>() { + fn _test_empty_rings>() { let rng = &mut test_rng(); let domain_size = 1 << 9; @@ -317,8 +312,9 @@ mod tests { // piop params let h = P::rand(rng); let seed = P::rand(rng); + let pad = P::rand(rng); let domain = Domain::new(domain_size, true); - let piop_params = PiopParams::setup(domain, h, seed); + let piop_params = PiopParams::setup(domain, h, seed, pad); let ring = TestRing::

::empty(&piop_params, srs, ring_builder_key.g1); let same_ring = TestRing::with_keys(&piop_params, &[], &ring_builder_key); @@ -335,10 +331,10 @@ mod tests { _test_empty_rings::(); } - fn get_monomial_commitment( + fn get_monomial_commitment>( pcs_params: &URS, - piop_params: &PiopParams, - keys: &[SWAffine], + piop_params: &PiopParams<

::BaseField, P>, + keys: &[P], ) -> (G1Affine, G1Affine) { let (_, verifier_key) = crate::piop::index::<_, KZG, _>(pcs_params, piop_params, keys); diff --git a/ring/src/ring_prover.rs b/ring/src/ring_prover.rs index 9b4c15c..76625ae 100644 --- a/ring/src/ring_prover.rs +++ b/ring/src/ring_prover.rs @@ -2,20 +2,18 @@ use ark_ec::AffineRepr; use ark_ff::PrimeField; use fflonk::pcs::PCS; -use common::gadgets::cond_add::CondAdd; -use common::gadgets::ProverGadget; +use common::gadgets::cond_add::AffineCondAdd; use common::prover::PlonkProver; use common::transcript::PlonkTranscript; -use crate::piop::params::PiopParams; -use crate::piop::{FixedColumns, PiopProver, ProverKey}; -use crate::RingProof; +use crate::piop::{params::PiopParams, FixedColumns, PiopProver, ProverKey}; +use crate::{ArkTranscript, RingProof}; pub struct RingProver< F: PrimeField, CS: PCS, P: AffineRepr, - T: PlonkTranscript, + T: PlonkTranscript = ArkTranscript, > { piop_params: PiopParams, fixed_columns: FixedColumns, @@ -23,8 +21,9 @@ pub struct RingProver< plonk_prover: PlonkProver, } -impl, P: AffineRepr, T: PlonkTranscript> - RingProver +impl, P, T: PlonkTranscript> RingProver +where + P: AffineCondAdd, { pub fn init( prover_key: ProverKey, @@ -48,11 +47,8 @@ impl, P: AffineRepr, T: PlonkTranscript } } - pub fn prove + ProverGadget>( - &self, - t: P::ScalarField, - ) -> RingProof { - let piop: PiopProver = + pub fn prove(&self, t: P::ScalarField) -> RingProof { + let piop: PiopProver = PiopProver::build(&self.piop_params, self.fixed_columns.clone(), self.k, t); self.plonk_prover.prove(piop) } diff --git a/ring/src/ring_verifier.rs b/ring/src/ring_verifier.rs index d0d6c7a..a9c83a6 100644 --- a/ring/src/ring_verifier.rs +++ b/ring/src/ring_verifier.rs 
@@ -1,24 +1,24 @@ use ark_ec::AffineRepr; use ark_ec::CurveGroup; use ark_ff::PrimeField; +use common::gadgets::cond_add::CondAddValuesFor; +use common::gadgets::cond_add::{AffineCondAdd, CondAdd}; use fflonk::pcs::{RawVerifierKey, PCS}; use common::domain::EvaluatedDomain; -use common::gadgets::cond_add::CondAddValues; -use common::gadgets::VerifierGadget; use common::piop::VerifierPiop; use common::transcript::PlonkTranscript; use common::verifier::PlonkVerifier; -use crate::piop::params::PiopParams; -use crate::piop::{FixedColumnsCommitted, PiopVerifier, VerifierKey}; +use crate::piop::{params::PiopParams, FixedColumnsCommitted, PiopVerifier, VerifierKey}; +use crate::ArkTranscript; use crate::RingProof; pub struct RingVerifier< F: PrimeField, CS: PCS, P: AffineRepr, - T: PlonkTranscript, + T: PlonkTranscript = ArkTranscript, > { piop_params: PiopParams, fixed_columns_committed: FixedColumnsCommitted, @@ -27,6 +27,8 @@ pub struct RingVerifier< impl, P: AffineRepr, T: PlonkTranscript> RingVerifier +where + P: AffineCondAdd, { pub fn init( verifier_key: VerifierKey, @@ -42,17 +44,13 @@ impl, P: AffineRepr, T: PlonkTranscript } } - pub fn verify_ring_proof + VerifierGadget>( - &self, - proof: RingProof, - result: P, - ) -> bool { + pub fn verify(&self, proof: RingProof, result: P) -> bool { let (challenges, mut rng) = self.plonk_verifier.restore_challenges( &result, &proof, // '1' accounts for the quotient polynomial that is aggregated together with the columns - PiopVerifier::::N_COLUMNS + 1, - PiopVerifier::::N_CONSTRAINTS, + PiopVerifier::>::Values>::N_COLUMNS + 1, + PiopVerifier::>::Values>::N_CONSTRAINTS, ); let seed = self.piop_params.seed; let seed_plus_result = (seed + result).into_affine(); @@ -62,7 +60,7 @@ impl, P: AffineRepr, T: PlonkTranscript self.piop_params.domain.hiding, ); - let piop: PiopVerifier>::C, CondAddValuesT> = PiopVerifier::init( + let piop: PiopVerifier>::C, CondAddValuesFor
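Review bot: The renamed `verify(&self, proof, result) -> bool` is the crate's public verification entry point and now carries no doc comment, so a caller cannot tell from the signature what `result` is or how the boolean should be read. The hunk shows `result` being fed to `restore_challenges(&result, &proof, ...)` and added to `seed`, i.e. it is a prover-supplied claim bound into the Fiat-Shamir transcript, not a trusted input; a doc comment along the lines of `/// Verifies `proof` against the ring committed in the verifier key. `result` is the point the prover claims; it is absorbed into the transcript, so a different `result` yields different challenges and the proof fails. Returns `false` for any failure, malformed input included.` would make that explicit. The function body continues past the end of this hunk.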

> = PiopVerifier::init( domain_eval, self.fixed_columns_committed.clone(), proof.column_commitments.clone(),