Merge branch 'master' of github.com:darkrenaissance/darkfi

2026-01-10 23:27:56 -05:00 · 2021-08-28 16:00:31 +03:00
parent dcd44c2a71 2f1ab4a53f
commit da9d285cac
1 changed files with 199 additions and 36 deletions
--- a/scripts/halo/halo2.sage
+++ b/scripts/halo/halo2.sage
@@ -8,8 +8,10 @@ P.<X> = K[]
 # In other words, this is a t root of unity.
 generator = K(5)
 # There is a large 2^32 order subgroup in this curve because it is 2-adic
-#t = (K(q) - 1) / 2^32
+t = (K(q) - 1) / 2^32
+assert int(t) % 2 != 0
 delta = generator^(2^32)
+assert delta^t == 1

 def get_omega():
    generator = K(5)
@@ -40,7 +42,6 @@ assert omega^n == 1
 A = []
 F = []

-var_one = K(1)
 var_zero = K(0)
 var_x = K(4)
 var_y = K(6)
@@ -55,58 +56,59 @@ var_z = var_sxy + var_1s_xy
 # 1 instance column

 # Row 1
-A_1_1, A_2_1, A_3_1, A_4_1 = var_one, 0, 0, 0
+# z = public z
+A_1_1, A_2_1, A_3_1, A_4_1 = var_z, 0, 0, 0
 F_1_1, F_2_1, F_3_1, F_4_1 = 1, 0, 0, 0
-I_1 = 0
+I_1 = var_z

 # Row 2
+# ~0 == 0
 A_1_2, A_2_2, A_3_2, A_4_2 = var_zero, 0, 0, 0
 F_1_2, F_2_2, F_3_2, F_4_2 = 0, 1, 0, 0
 I_2 = 0

 # Row 3
+# Boolean check
+# (1 - s)(s + 0) == 0
 A_1_3, A_2_3, A_3_3, A_4_3 = var_s, var_s, var_zero, var_zero
 F_1_3, F_2_3, F_3_3, F_4_3 = 0, 0, 1, 0
 I_3 = 0

 # Row 4
+# s x y == sxy
 A_1_4, A_2_4, A_3_4, A_4_4 = var_s, var_x, var_y, var_sxy
 F_1_4, F_2_4, F_3_4, F_4_4 = 0, 0, 0, 1
 I_4 = 0

 # Row 5
+# (1 - s)(x + y) = (1-s)(x+y)
 A_1_5, A_2_5, A_3_5, A_4_5 = var_s, var_x, var_y, var_1s_xy
 F_1_5, F_2_5, F_3_5, F_4_5 = 0, 0, 1, 0
 I_5 = 0

 # Row 6
+# (1 - 0)(sxy + (1-s)(x+y)) = z
 A_1_6, A_2_6, A_3_6, A_4_6 = var_zero, var_sxy, var_1s_xy, var_z
 F_1_6, F_2_6, F_3_6, F_4_6 = 0, 0, 1, 0
 I_6 = 0

-# Row 7
-# z = public z
-A_1_7, A_2_7, A_3_7, A_4_7 = var_z, 0, 0, 0
-F_1_7, F_2_7, F_3_7, F_4_7 = 0, 1, 0, 0
-I_7 = var_z
-
-A1 = [A_1_1, A_1_2, A_1_3, A_1_4, A_1_5, A_1_6, A_1_7]
-A2 = [A_2_1, A_2_2, A_2_3, A_2_4, A_2_5, A_2_6, A_2_7]
-A3 = [A_3_1, A_3_2, A_3_3, A_3_4, A_3_5, A_3_6, A_3_7]
-A4 = [A_4_1, A_4_2, A_4_3, A_4_4, A_4_5, A_4_6, A_4_7]
-F1 = [F_1_1, F_1_2, F_1_3, F_1_4, F_1_5, F_1_6, F_1_7]
-F2 = [F_2_1, F_2_2, F_2_3, F_2_4, F_2_5, F_2_6, F_2_7]
-F3 = [F_3_1, F_3_2, F_3_3, F_3_4, F_3_5, F_3_6, F_3_7]
-F4 = [F_4_1, F_4_2, F_4_3, F_4_4, F_4_5, F_4_6, F_4_7]
-I  = [I_1,   I_2,   I_3,   I_4,   I_5,   I_6,   I_7]
+A1 = [A_1_1, A_1_2, A_1_3, A_1_4, A_1_5, A_1_6]
+A2 = [A_2_1, A_2_2, A_2_3, A_2_4, A_2_5, A_2_6]
+A3 = [A_3_1, A_3_2, A_3_3, A_3_4, A_3_5, A_3_6]
+A4 = [A_4_1, A_4_2, A_4_3, A_4_4, A_4_5, A_4_6]
+F1 = [F_1_1, F_1_2, F_1_3, F_1_4, F_1_5, F_1_6]
+F2 = [F_2_1, F_2_2, F_2_3, F_2_4, F_2_5, F_2_6]
+F3 = [F_3_1, F_3_2, F_3_3, F_3_4, F_3_5, F_3_6]
+F4 = [F_4_1, F_4_2, F_4_3, F_4_4, F_4_5, F_4_6]
+I  = [I_1,   I_2,   I_3,   I_4,   I_5,   I_6]

 # There should be 5 unused blinding rows.
 # see src/plonk/circuit.rs: fn blinding_factors(&self) -> usize;
 # We have 9 so we are perfectly fine.

 # Add 9 empty rows
-assert n - len(A1) == 9
-for i in range(9):
+assert n - len(A1) == 10
+for i in range(10):
    A1.append(K.random_element())
    A2.append(K.random_element())
    A3.append(K.random_element())
@@ -122,8 +124,8 @@ assert (len(A1) == len(A2) == len(A3) == len(A4) == len(F1) == len(F2)

 for A_1_i, A_2_i, A_3_i, A_4_i, F_1_i, F_2_i, F_3_i, F_4_i, I_i in zip(
    A1, A2, A3, A4, F1, F2, F3, F4, I):
-    assert (F_1_i * (A_1_i - 1)
-            + F_2_i * (A_1_i - I_i)
+    assert (F_1_i * (A_1_i - I_i)
+            + F_2_i * A_1_i
            + F_3_i * ((1 - A_1_i) * (A_2_i + A_3_i) - A_4_i)
            + F_4_i * (A_1_i * A_2_i * A_3_i - A_4_i)) == 0

@@ -151,23 +153,149 @@ for i, (A_1_i, A_2_i, A_3_i, A_4_i, F_1_i, F_2_i, F_3_i, F_4_i, I_i) in \
    assert f_4_X(omega^i) == F_4_i

 # beta, gamma
+beta = K.random_element()
+gamma = K.random_element()

-#       0   1   2    3             4           5    6       ...     15
-# A1:   1,  0,  s,   s,            s,          0,   z
-#      16  17  18   19            20          21   22       ...     31
-# A2:   -,  -,  s,   x,            x,        sxy,   -
-#      32  33  34   35            36          37   38       ...     47
-# A3:   -,  -,  0,   y,            y, (1-s)(x+y),   -
-#      48  49  50   51            52          53   54       ...     63
-# A4:   -,  -,  0, sxy, (1-s)(x + y),          z,   -
-#      64  65  66   67            68          69   70       ...     79
-# A5:   -,  -,  -,   -,            -,          -,   z
-permuted_indices_A1 = []
+#       0   1   2    3             4           5      ...     15
+# A1:   z,  0,  s,   s,            s,          0,
+#
+#      16  17  18   19            20          21      ...     31
+# A2:   -,  -,  s,   x,            x,        sxy,
+#
+#      32  33  34   35            36          37      ...     47
+# A3:   -,  -,  0,   y,            y, (1-s)(x+y),
+#
+#      48  49  50   51            52          53      ...     63
+# A4:   -,  -,  0, sxy, (1-s)(x + y),          z,
+#
+#      64  65  66   67            68          69      ...     79
+# A5:   z,  -,  -,   -,            -,          -,
+
+# z = (0 53 64)
+# 0 = (1 5 34 50)
+# s = (2 3 4 18)
+# x = (19 20)
+# sxy = (21 51)
+# y = (35 36)
+# (1-s)(x+y) = (37 52)
+
+permuted_indices = list(range(n * 5))
+assert len(permuted_indices) == 80
+
+# Apply the actual permutation cycles
+# z
+permuted_indices[0] = 53
+permuted_indices[53] = 64
+permuted_indices[64] = 0
+# ~0
+permuted_indices[1] = 5
+permuted_indices[5] = 34
+permuted_indices[34] = 50
+permuted_indices[50] = 1
+# s
+permuted_indices[2] = 3
+permuted_indices[3] = 4
+permuted_indices[4] = 18
+permuted_indices[18] = 2
+# x
+permuted_indices[19] = 20
+permuted_indices[20] = 19
+# sxy
+permuted_indices[21] = 51
+permuted_indices[51] = 21
+# y
+permuted_indices[35] = 36
+permuted_indices[36] = 35
+# (1-s)(x+y)
+permuted_indices[37] = 52
+permuted_indices[52] = 37
+
+witness = A1 + A2 + A3 + A4 + I
+for i, val in enumerate(witness):
+    assert val == witness[permuted_indices[i]]
+
+# How to join lists together?
+indices = ([omega^i for i in range(n)]
+           + [delta * omega^i for i in range(n)]
+           + [delta^2 * omega^i for i in range(n)]
+           + [delta^3 * omega^i for i in range(n)]
+           + [delta^4 * omega^i for i in range(n)])
+assert len(indices) == 80
+# Permuted indices
+sigma_star = [indices[i] for i in permuted_indices]
+s = [sigma_star[:n], sigma_star[n:2 * n], sigma_star[2 * n:3 * n],
+     sigma_star[3 * n:4 * n], sigma_star[4 * n:]]
+assert s[0] + s[1] + s[2] + s[3] + s[4] == sigma_star
+v = [A1, A2, A3, A4, I]
+
+# We split the columns into sets of size m.
+# Here we will use m = 1 for illustration purposes
+
+# We have 6 usable rows
+# n = 16 rows total
+# row u (q_last) will be the 7th row
+# So we have 9 unusable rows
+q_blind = [0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1]
+q_last  = [0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0]
+# Turn both of these into polynomial form
+q_blind = P.lagrange_polynomial((omega^i, q_i) for i, q_i in enumerate(q_blind))
+assert q_blind(omega^5) == 0
+assert q_blind(omega^6) == 0
+assert q_blind(omega^7) == 1
+assert q_blind(omega^11) == 1
+q_last = P.lagrange_polynomial((omega^i, q_i) for i, q_i in enumerate(q_last))
+assert q_last(omega^5) == 0
+assert q_last(omega^6) == 1
+assert q_last(omega^7) == 0
+assert q_last(omega^11) == 0
+
+m = 5
+assert n == 16
+# 6 usable rows
+u = 6
+# There are 5 columns
+# We will split the columns partitions into 5 partitions to make things easy
+# So b = 5, and each partition contains only a single column
+# We still iterate over the column to make it more obvious
+m = 1
+permutation_points = [(1, 1)]
+last_y_value = 1
+ZP = []
+# a is the current column partition we are aggregating
+for a in range(5):
+    # j iterates over the rows
+    for j in range(u):
+        current = last_y_value
+
+        # i iterates over the columns in our partition
+        for i in range(a * m, (a + 1)):
+            current *= v[i][j] + beta * delta^i * omega^j + gamma
+            current /= v[i][j] + beta * s[i][j] + gamma
+
+        last_y_value = current
+        permutation_points.append((omega^(j + 1), current))
+
+    ZP_a = P.lagrange_polynomial(permutation_points)
+    ZP.append(ZP_a)
+    permutation_points = [(1, last_y_value)]
+
+# l_0(X) (1 - ZP,0(X)) = 0
+# => ZP,0(1) = 1
+assert ZP[0](1) == 1
+# Checks for l_0(X) (ZP,a(X) - ZP,a-1(omega^u X)) = 1
+# => ZP,a(Z) = ZP,a-1(omega^u X)
+# This copies the end value from one partition to the next one
+assert ZP[1](omega^0) == ZP[0](omega^u)
+assert ZP[2](omega^0) == ZP[1](omega^u)
+assert ZP[3](omega^0) == ZP[2](omega^u)
+assert ZP[4](omega^0) == ZP[3](omega^u)
+# Allow the last value to be either 0 or 1 for full ZK
+assert ZP[4](omega^u) in (0, 1)

 y = K.random_element()

-gate_0 = f_1_X * (a_1_X - 1)
-gate_1 = f_2_X * (a_1_X - a_5_X)
+gate_0 = f_1_X * (a_1_X - a_5_X)
+gate_1 = f_2_X * a_1_X
 gate_2 = f_3_X * ((1 - a_1_X) * (a_2_X + a_3_X) - a_4_X)
 gate_3 = f_4_X * (a_1_X * a_2_X * a_3_X - a_4_X)

@@ -175,4 +303,39 @@ h = gate_0 + y * gate_1 + y^2 * gate_2 + y^3 * gate_3
 t = X^n - 1
 for i in range(n):
    assert h(omega^i) == 0
+# Normally we do:
+#h /= t
+# But for some reason sage is producing fractional coefficients
+h, rem = h.quo_rem(X^n - 1)
+assert rem == 0
+
+# We send commitments to the terms of h(X)
+# h_0(x), ..., h_{d - 1}(x)
+# Commitments:
+# H = [H_0, ..., H_{d - 1}]
+
+x = K.random_element()
+
+# Send evaluations at x of everything we committed to so far
+# A_0(x), ..., A_{m - 1}(x)
+# ZP,0(x), ..., ZP,b-1(x)
+# H_0(x), ..., H_{d-1}(x)
+a_evals = [a_1_X(x), a_2_X(x), a_3_X(x), a_4_X(x), a_5_X(x)]
+
+h_evals = []
+# Iterate starting from lowest powers first
+h_test = 0
+for i, h_i in enumerate(h):
+    h_evals.append(h_i * x^i)
+
+    h_test += h_i * X^i
+assert h_test == h
+assert sum(h_evals) == h(x)
+
+assert sum(h_evals) * t(x) == (
+    f_1_X(x) * (a_evals[0] - a_evals[4])
+    + y * f_2_X(x) * a_evals[0]
+    + y^2 * f_3_X(x) * ((1 - a_evals[0]) * (a_evals[1] + a_evals[2])
+                        - a_evals[3])
+    + y^3 * f_4_X(x) * (a_evals[0] * a_evals[1] * a_evals[2] - a_evals[3]))