Continuing Fiat-Shamir (#24)

* WIP continuing fiat-shamir (step 20) * Upto step 20 implemented * Upto step 22 * Upto step 28 * Added tests * Fix build errors * Small fix
lambdaclass · Oct 4, 2023 · f1c3e19 · f1c3e19
1 parent 31e57b2
commit f1c3e19
Show file tree

Hide file tree

Showing 14 changed files with 845 additions and 381 deletions.
diff --git a/setup.sh b/setup.sh
diff --git a/verifier_circuit/src/alphas.ts b/verifier_circuit/src/alphas.ts
@@ -0,0 +1,39 @@
+import { ArgumentType } from "./circuits/gate"
+import { Scalar } from "o1js"
+
+/**
+ * This type can be used to create a mapping between powers of alpha and constraint types.
+ * See `default()` to create one (not implemented yet),
+ * and `register()` to register a new mapping (not implemented yet).
+ * Once you know the alpha value, you can convert this type to a `Alphas`.
+*/
+export class Alphas {
+    /**
+     * The next power of alpha to use.
+     * The end result will be [1, alpha^(next_power - 1)]
+     */
+    next_power: number
+    /** The mapping between constraint types and powers of alpha */
+    mapping: Map<ArgumentType, [number, number]>
+    /**
+     * The powers of alpha: 1, alpha, alpha^2, ..
+     * If not undefined, you can't register new contraints.
+    */
+    alphas?: Scalar[]
+
+    /**
+     * Instantiates the ranges with an actual field element `alpha`.
+     * Once you call this function, you cannot register new constraints.
+     */
+    instantiate(alpha: Scalar) {
+        let last_power = Scalar.from(1);
+        let alphas = Array<Scalar>(this.next_power);
+        alphas.push(last_power);
+
+        for (let _ = 1; _ < this.next_power; _++) {
+            last_power = last_power.mul(alpha);
+            alphas.push(last_power);
+        }
+        this.alphas = alphas;
+    }
+}
diff --git a/verifier_circuit/src/circuits/gate.ts b/verifier_circuit/src/circuits/gate.ts
@@ -0,0 +1,62 @@
+export enum GateType {
+    /** Zero gate */
+    Zero,
+    /** Generic arithmetic gate */
+    Generic,
+    /** Poseidon permutation gate */
+    Poseidon,
+    /** Complete EC addition in Affine form */
+    CompleteAdd,
+    /** EC variable base scalar multiplication */
+    VarBaseMul,
+    /** EC variable base scalar multiplication with group endomorphim optimization */
+    EndoMul,
+    /** Gate for computing the scalar corresponding to an endoscaling */
+    EndoMulScalar,
+    /** Lookup */
+    Lookup,
+    // Cairo
+    CairoClaim,
+    CairoInstruction,
+    CairoFlags,
+    CairoTransition,
+    // Range check
+    RangeCheck0,
+    RangeCheck1,
+    ForeignFieldAdd,
+    ForeignFieldMul,
+    // Gates for Keccak
+    Xor16,
+    Rot64,
+}
+
+/**
+ * A constraint type represents a polynomial that will be part of the final 
+ * equation f (the circuit equation) 
+ */
+export namespace ArgumentType {
+    /**
+     * Gates in the PLONK constraint system.
+     * As gates are mutually exclusive (a single gate is set per row),
+     * we can reuse the same powers of alpha across gates.
+     */
+    export type Gate = {
+        kind: "gate",
+        type: GateType
+    }
+
+    /** The permutation argument */
+    export type Permutation = {
+        kind: "permutation",
+    }
+
+    /** The lookup argument */
+    export type Lookup = {
+        kind: "lookup",
+    }
+}
+
+export type ArgumentType =
+    | ArgumentType.Gate
+    | ArgumentType.Permutation
+    | ArgumentType.Lookup
diff --git a/verifier_circuit/src/poly_commitment/commitment.test.ts b/verifier_circuit/src/poly_commitment/commitment.test.ts
@@ -0,0 +1,23 @@
+import { Scalar } from "o1js"
+import { bPoly, bPolyCoefficients } from "./commitment";
+
+test("bPoly", () => {
+    const coeffs = [42, 25, 420].map(Scalar.from);
+    const x = Scalar.from(10);
+
+    const res = bPoly(coeffs, x);
+    const expected = Scalar.from(15809371031233);
+    // expected value taken from verify_circuit_tests/
+
+    expect(res).toEqual(expected);
+})
+
+test("bPolyCoefficients", () => {
+    const coeffs = [42, 25].map(Scalar.from);
+
+    const res = bPolyCoefficients(coeffs);
+    const expected = [1, 19, 42];
+    // expected values taken from verify_circuit_tests/
+
+    expect(res).toEqual(expected);
+})
diff --git a/verifier_circuit/src/poly_commitment/commitment.ts b/verifier_circuit/src/poly_commitment/commitment.ts
@@ -1,6 +1,6 @@
 import { Group, Scalar } from "o1js";
 
-/*
+/**
 * A polynomial commitment
 */
 export class PolyComm<A> {
@@ -12,7 +12,7 @@ export class PolyComm<A> {
         this.shifted = shifted;
     }
 
-    /*
+    /**
     * Zips two commitments into one
     */
     zip<B>(other: PolyComm<B>): PolyComm<[A, B]> {
@@ -22,7 +22,7 @@ export class PolyComm<A> {
         return new PolyComm<[A, B]>(unshifted, shifted);
     }
 
-    /*
+    /**
     * Maps over self's `unshifted` and `shifted`
     */
     map<B>(f: (x: A) => B): PolyComm<B> {
@@ -31,7 +31,7 @@ export class PolyComm<A> {
         return new PolyComm<B>(unshifted, shifted);
     }
 
-    /*
+    /**
     * Execute a simple multi-scalar multiplication
     */
     static naiveMSM(points: Group[], scalars: Scalar[]) {
@@ -46,7 +46,7 @@ export class PolyComm<A> {
         return result;
     }
 
-    /*
+    /**
     * Executes multi-scalar multiplication between scalars `elm` and commitments `com`.
     * If empty, returns a commitment with the point at infinity.
     */
@@ -94,10 +94,49 @@ export class PolyComm<A> {
     }
 }
 
-/*
-* Represents a blinded commitment
-*/
+/**
+ * Represents a blinded commitment
+ */
 export class BlindedCommitment<C, S> {
     commitment: PolyComm<C>
     blinders: PolyComm<S>
 }
+
+/**
+ * Returns the product of all elements of `xs`
+ */
+export function product(xs: Scalar[]): Scalar {
+    return xs.reduce((acc, x) => acc.mul(x), Scalar.from(1));
+}
+
+/**
+ * Returns (1 + chal[-1] x)(1 + chal[-2] x^2)(1 + chal[-3] x^4) ...
+ */
+export function bPoly(chals: Scalar[], x: Scalar): Scalar { 
+    const k = chals.length;
+
+    let prev_x_squared = x;
+    let terms = [];
+    for (let i = k - 1; i >= 0; i--) {
+        terms.push(Scalar.from(1).add(chals[i].mul(prev_x_squared)));
+        prev_x_squared = prev_x_squared.mul(prev_x_squared);
+    }
+
+    return product(terms);
+}
+
+export function bPolyCoefficients(chals: Scalar[]) {
+    const rounds = chals.length;
+    const s_length = 1 << rounds;
+
+    let s = Array<Scalar>(s_length).fill(Scalar.from(1));
+    let k = 0;
+    let pow = 1;
+    for (let i = 1; i < s_length; i++) {
+        k += i === pow ? 1 : 0;
+        pow <<= i === pow ? 1 : 0;
+        s[i] = s[i - (pow >> 1)].mul(chals[rounds - 1 - (k - 1)]);
+    }
+
+    return s;
+}
diff --git a/verifier_circuit/src/polynomial.ts b/verifier_circuit/src/polynomial.ts
@@ -14,4 +14,9 @@ export class Polynomial {
         }
         return result
     }
+
+    static buildAndEvaluate(coeffs: Scalar[], x: Scalar): Scalar {
+        const poly = new Polynomial(coeffs);
+        return poly.evaluate(x);
+    }
 }