refactor(zk): factorize r1/r2 computation between proofs

Nicolas Sarlin
2024-11-14 16:56:43 +01:00
committed by Nicolas Sarlin
parent 811ae3c551
commit 1e19bae29a
3 changed files with 90 additions and 133 deletions


@@ -142,6 +142,90 @@ fn decode_q(q: u64) -> u128 {
}
}
/// Compute r1 according to eq (11):
///
/// rot(a) * phi(bar(r)) - q phi(r1) + phi(e1) = phi(c1)
/// implies
/// phi(r1) = (rot(a) * phi(bar(r)) + phi(e1) - phi(c1)) / q
/// (phi is the function that maps a polynomial to its coeffs vector)
fn compute_r1(
e1: &[i64],
c1: &[i64],
a: &[i64],
r: &[i64],
d: usize,
decoded_q: u128,
) -> Box<[i64]> {
let mut r1 = e1
.iter()
.zip(c1.iter())
.map(|(&e1, &c1)| e1 as i128 - c1 as i128)
.collect::<Box<[_]>>();
for i in 0..d {
for j in 0..d {
if i + j < d {
r1[i + j] += a[i] as i128 * r[d - j - 1] as i128;
} else {
r1[i + j - d] -= a[i] as i128 * r[d - j - 1] as i128;
}
}
}
{
for r1 in &mut *r1 {
*r1 /= decoded_q as i128;
}
}
r1.into_vec().into_iter().map(|r1| r1 as i64).collect()
}
/// Compute r2 according to eq (11):
///
/// phi_[d - i](b).T * phi(bar(r)) + delta * m_i - q r2_i + e2_i = c2_i
/// implies
/// r2_i = (phi_[d - i](b).T * phi(bar(r)) + delta * m_i + e2_i - c2_i) / q
/// (phi is the function that maps a polynomial to its coeffs vector)
#[allow(clippy::too_many_arguments)]
fn compute_r2(
e2: &[i64],
c2: &[i64],
m: &[i64],
b: &[i64],
r: &[i64],
d: usize,
delta: u64,
decoded_q: u128,
) -> Box<[i64]> {
let mut r2 = m
.iter()
.zip(e2)
.zip(c2)
.map(|((&m, &e2), &c2)| delta as i128 * m as i128 + e2 as i128 - c2 as i128)
.collect::<Box<[_]>>();
{
for (i, r2) in r2.iter_mut().enumerate() {
let mut dot = 0i128;
for j in 0..d {
let b = if i + j < d {
b[d - j - i - 1] as i128
} else {
-(b[2 * d - j - i - 1] as i128)
};
dot += r[d - j - 1] as i128 * b;
}
*r2 += dot;
*r2 /= decoded_q as i128;
}
}
r2.into_vec().into_iter().map(|r2| r2 as i64).collect()
}
impl<G: Curve> Compressible for GroupElements<G>
where
GroupElements<G>:
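Review bot: compute_r1 indexes `r1[i + j]`, `a[i]` and `r[d - j - 1]` for i, j in 0..d but never checks that e1, c1, a and r actually have length d, so a mismatched caller panics on an out-of-bounds index (or, when e1 is longer than d, silently leaves the tail untouched apart from the division); compute_r2 has the same gap, and its `zip(e2).zip(c2)` additionally truncates to the shortest of m, e2 and c2 without complaint. A precondition at the top of each helper, `debug_assert!(e1.len() == d && c1.len() == d && a.len() == d && r.len() == d);` and the analogous one for m, e2, c2, b and r, would make the contract explicit and fail early. The doc comments should also state the assumption the arithmetic relies on, e.g. `/// All slices must have length d; the result is exact only when the eq (11) relation holds, since the division truncates and the final as-i64 cast wraps silently.` The `decoded_q as i128` cast is presumably fine for values decoded from a u64 q, but it would wrap for any value at or above 2^127, which is worth a one-line note next to the cast.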


@@ -525,70 +525,8 @@ pub fn prove<G: Curve>(
let gamma = G::Zp::rand(rng);
let gamma_y = G::Zp::rand(rng);
// rot(a) phi(r) + phi(e1) - q phi(r1) = phi(c1)
// phi[d - i + 1](bar(b)).T phi(r) + delta m_i + e2_i - q r2_i = c2
// phi(r1) = (rot(a) phi(r) + phi(e1) - phi(c1)) / q
// r2_i = (phi[d - i + 1](bar(b)).T phi(r) + delta m_i + e2_i - c2) / q
let mut r1 = e1
.iter()
.zip(c1.iter())
.map(|(&e1, &c1)| e1 as i128 - c1 as i128)
.collect::<Box<_>>();
for i in 0..d {
for j in 0..d {
if i + j < d {
r1[i + j] += a[i] as i128 * r[d - j - 1] as i128;
} else {
r1[i + j - d] -= a[i] as i128 * r[d - j - 1] as i128;
}
}
}
{
for r1 in &mut *r1 {
*r1 /= decoded_q as i128;
}
}
let mut r2 = m
.iter()
.zip(e2)
.zip(c2)
.map(|((&m, &e2), &c2)| delta as i128 * m as i128 + e2 as i128 - c2 as i128)
.collect::<Box<_>>();
{
for (i, r2) in r2.iter_mut().enumerate() {
let mut dot = 0i128;
for j in 0..d {
let b = if i + j < d {
b[d - j - i - 1] as i128
} else {
-(b[2 * d - j - i - 1] as i128)
};
dot += r[d - j - 1] as i128 * b;
}
*r2 += dot;
*r2 /= decoded_q as i128;
}
}
let r1 = r1
.into_vec()
.into_iter()
.map(|r1| r1 as i64)
.collect::<Box<_>>();
let r2 = r2
.into_vec()
.into_iter()
.map(|r2| r2 as i64)
.collect::<Box<_>>();
let r1 = compute_r1(e1, c1, a, r, d, decoded_q);
let r2 = compute_r2(e2, c2, m, b, r, d, delta, decoded_q);
let mut w = vec![false; n];
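Review bot: The new call `compute_r2(e2, c2, m, b, r, d, delta, decoded_q)` passes five `&[i64]` slices positionally, so a transposition such as `e2`/`c2` (which only flips a sign in the result) or `m`/`b` would type-check and only surface downstream; the same applies to `compute_r1(e1, c1, a, r, d, decoded_q)` here and to the identical pair of calls in the third file. A short comment at the call site naming the roles, e.g. `// r1 = (rot(a) phi(bar(r)) + phi(e1) - phi(c1)) / q, r2 likewise — see eq (11)`, or grouping the ciphertext parts into a small struct passed by reference, would guard against that. The enclosing `prove` body starts and ends outside the hunk.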


@@ -715,73 +715,8 @@ pub fn prove<G: Curve>(
let gamma_bin = G::Zp::rand(rng);
let gamma_y = G::Zp::rand(rng);
// eq (11)
// (phi is simply the function that maps a polynomial to its coeffs vector)
// rot(a) * phi(bar(r)) - q phi(r1) + phi(e1) = phi(c1)
// phi_[d - i](b).T * phi(bar(r)) + delta * m_i - q r2_i + e2_i = c2_i
// implies
// phi(r1) = (rot(a) * phi(bar(r)) + phi(e1) - phi(c1)) / q
// r2_i = (phi_[d - i](b).T * phi(bar(r)) + delta * m_i + e2_i - c2_i) / q
let mut r1 = e1
.iter()
.zip(c1.iter())
.map(|(&e1, &c1)| e1 as i128 - c1 as i128)
.collect::<Box<[_]>>();
for i in 0..d {
for j in 0..d {
if i + j < d {
r1[i + j] += a[i] as i128 * r[d - j - 1] as i128;
} else {
r1[i + j - d] -= a[i] as i128 * r[d - j - 1] as i128;
}
}
}
{
for r1 in &mut *r1 {
*r1 /= decoded_q as i128;
}
}
let mut r2 = m
.iter()
.zip(e2)
.zip(c2)
.map(|((&m, &e2), &c2)| delta as i128 * m as i128 + e2 as i128 - c2 as i128)
.collect::<Box<[_]>>();
{
for (i, r2) in r2.iter_mut().enumerate() {
let mut dot = 0i128;
for j in 0..d {
let b = if i + j < d {
b[d - j - i - 1] as i128
} else {
-(b[2 * d - j - i - 1] as i128)
};
dot += r[d - j - 1] as i128 * b;
}
*r2 += dot;
*r2 /= decoded_q as i128;
}
}
let r1 = &*r1
.into_vec()
.into_iter()
.map(|r1| r1 as i64)
.collect::<Box<[_]>>();
let r2 = &*r2
.into_vec()
.into_iter()
.map(|r2| r2 as i64)
.collect::<Box<[_]>>();
let r1 = compute_r1(e1, c1, a, r, d, decoded_q);
let r2 = compute_r2(e2, c2, m, b, r, d, delta, decoded_q);
let u64 = |x: i64| x as u64;
@@ -927,8 +862,8 @@ pub fn prove<G: Curve>(
e1.iter()
.chain(e2)
.chain(&v)
.chain(r1)
.chain(r2)
.chain(&r1)
.chain(&r2)
.copied()
.enumerate()
.for_each(|(j, x)| match R(j) {