jf_plonk/circuit/plonk_verifier/
structs.rs

1// Copyright (c) 2022 Espresso Systems (espressosys.com)
2// This file is part of the Jellyfish library.
3
4// You should have received a copy of the MIT License
5// along with the Jellyfish library. If not, see <https://mit-license.org/>.
6
7use ark_ff::PrimeField;
8use ark_std::vec::Vec;
9use jf_relation::{
10    gadgets::{
11        ecc::PointVariable,
12        ultraplonk::mod_arith::{FpElem, FpElemVar},
13    },
14    CircuitError, PlonkCircuit, Variable,
15};
16
17/// Plonk IOP verifier challenges.
18#[derive(Debug, Default)]
19pub(crate) struct ChallengesVar {
20    pub(crate) alpha: Variable,
21    pub(crate) beta: Variable,
22    pub(crate) gamma: Variable,
23    pub(crate) zeta: Variable,
24    pub(crate) v: Variable,
25    pub(crate) u: Variable,
26}
27
28/// Plonk IOP verifier challenges.
29#[derive(Debug, Default)]
30pub(crate) struct ChallengesFpElemVar<F: PrimeField> {
31    pub(crate) alphas: [FpElemVar<F>; 3],
32    pub(crate) beta: FpElemVar<F>,
33    pub(crate) gamma: FpElemVar<F>,
34    pub(crate) zeta: FpElemVar<F>,
35    pub(crate) v: FpElemVar<F>,
36    pub(crate) u: FpElemVar<F>,
37}
38
39pub(crate) fn challenge_var_to_fp_elem_var<F: PrimeField>(
40    circuit: &mut PlonkCircuit<F>,
41    challenge_var: &ChallengesVar,
42    non_native_field_info: &NonNativeFieldInfo<F>,
43) -> Result<ChallengesFpElemVar<F>, CircuitError> {
44    let alpha_fp_elem_var = FpElemVar::new_unchecked(
45        circuit,
46        challenge_var.alpha,
47        non_native_field_info.m,
48        non_native_field_info.two_power_m,
49    )?;
50    let alpha_2_fp_elem_var = circuit.mod_mul(
51        &alpha_fp_elem_var,
52        &alpha_fp_elem_var,
53        &non_native_field_info.modulus_fp_elem,
54    )?;
55    let alpha_3_fp_elem_var = circuit.mod_mul(
56        &alpha_2_fp_elem_var,
57        &alpha_fp_elem_var,
58        &non_native_field_info.modulus_fp_elem,
59    )?;
60
61    Ok(ChallengesFpElemVar {
62        alphas: [alpha_fp_elem_var, alpha_2_fp_elem_var, alpha_3_fp_elem_var],
63        beta: FpElemVar::new_unchecked(
64            circuit,
65            challenge_var.beta,
66            non_native_field_info.m,
67            non_native_field_info.two_power_m,
68        )?,
69        gamma: FpElemVar::new_unchecked(
70            circuit,
71            challenge_var.gamma,
72            non_native_field_info.m,
73            non_native_field_info.two_power_m,
74        )?,
75        zeta: FpElemVar::new_unchecked(
76            circuit,
77            challenge_var.zeta,
78            non_native_field_info.m,
79            non_native_field_info.two_power_m,
80        )?,
81        u: FpElemVar::new_unchecked(
82            circuit,
83            challenge_var.u,
84            non_native_field_info.m,
85            non_native_field_info.two_power_m,
86        )?,
87        v: FpElemVar::new_unchecked(
88            circuit,
89            challenge_var.v,
90            non_native_field_info.m,
91            non_native_field_info.two_power_m,
92        )?,
93    })
94}
95
96/// The vector representation of bases and corresponding scalars.
97#[derive(Debug)]
98pub(crate) struct ScalarsAndBasesVar<F: PrimeField> {
99    pub(crate) scalars: Vec<FpElemVar<F>>,
100    pub(crate) bases: Vec<PointVariable>,
101}
102
103impl<F: PrimeField> ScalarsAndBasesVar<F> {
104    pub(crate) fn new() -> Self {
105        Self {
106            scalars: Vec::new(),
107            bases: Vec::new(),
108        }
109    }
110}
111
112/// (Aggregated) polynomial commitment evaluation info.
113/// * `u` - a random combiner that was used to combine evaluations at point
114///   `eval_point` and `next_eval_point`.
115/// * `eval_point` - the point to be evaluated at.
116/// * `next_eval_point` - the shifted point to be evaluated at.
117/// * `eval` - the (aggregated) polynomial evaluation value.
118/// * `comm_scalars_and_bases` - the scalars-and-bases form of the (aggregated)
119///   polynomial commitment.
120/// * `opening_proof` - (aggregated) proof of evaluations at point `eval_point`.
121/// * `shifted_opening_proof` - (aggregated) proof of evaluations at point
122///   `next_eval_point`.
123#[derive(Debug)]
124pub(crate) struct PcsInfoVar<F: PrimeField> {
125    pub(crate) u: FpElemVar<F>,
126    pub(crate) eval_point: FpElemVar<F>,
127    pub(crate) next_eval_point: FpElemVar<F>,
128    pub(crate) eval: FpElemVar<F>,
129    pub(crate) comm_scalars_and_bases: ScalarsAndBasesVar<F>,
130    pub(crate) opening_proof: PointVariable,
131    pub(crate) shifted_opening_proof: PointVariable,
132}
133
134#[derive(Debug, Clone, Eq, PartialEq)]
135/// Represent variables of an aggregated SNARK proof that batchly proving
136/// multiple instances.
137pub struct BatchProofVar<F: PrimeField> {
138    /// The list of wire witness polynomials commitments.
139    pub(crate) wires_poly_comms_vec: Vec<Vec<PointVariable>>,
140
141    /// The list of polynomial commitment for the wire permutation argument.
142    pub(crate) prod_perm_poly_comms_vec: Vec<PointVariable>,
143
144    /// The list of polynomial evaluations.
145    pub(crate) poly_evals_vec: Vec<ProofEvaluationsVar<F>>,
146
147    // /// The list of partial proofs for Plookup argument
148    // not used for plonk verification circuit
149    // pub(crate) plookup_proofs_vec: Vec<Option<PlookupProofVar>>,
150    /// Split quotient polynomial commitments.
151    pub(crate) split_quot_poly_comms: Vec<PointVariable>,
152
153    /// (Aggregated) proof of evaluations at challenge point `zeta`.
154    pub(crate) opening_proof: PointVariable,
155
156    /// (Aggregated) proof of evaluation at challenge point `zeta * g` where `g`
157    /// is the root of unity.
158    pub(crate) shifted_opening_proof: PointVariable,
159}
160
161impl<F: PrimeField> BatchProofVar<F> {
162    /// The number of instances being proved in a batch proof.
163    pub(crate) fn len(&self) -> usize {
164        self.prod_perm_poly_comms_vec.len()
165    }
166}
167
168/// Represent variables for a struct that stores the polynomial evaluations in a
169/// Plonk proof.
170#[derive(Debug, Clone, PartialEq, Eq)]
171pub(crate) struct ProofEvaluationsVar<F: PrimeField> {
172    /// Wire witness polynomials evaluations at point `zeta`.
173    pub(crate) wires_evals: Vec<FpElemVar<F>>,
174
175    /// Extended permutation (sigma) polynomials evaluations at point `zeta`.
176    /// We do not include the last sigma polynomial evaluation.
177    pub(crate) wire_sigma_evals: Vec<FpElemVar<F>>,
178
179    /// Permutation product polynomial evaluation at point `zeta * g`.
180    pub(crate) perm_next_eval: FpElemVar<F>,
181}
182
183/// Information related to non-native field
184#[derive(Debug, Copy, Clone, PartialEq)]
185pub(crate) struct NonNativeFieldInfo<F: PrimeField> {
186    pub(crate) m: usize,
187    pub(crate) two_power_m: Option<F>,
188    pub(crate) modulus_in_f: F,
189    pub(crate) modulus_fp_elem: FpElem<F>,
190}