123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405(*****************************************************************************)(* *)(* MIT License *)(* Copyright (c) 2022 Nomadic Labs <contact@nomadic-labs.com> *)(* *)(* Permission is hereby granted, free of charge, to any person obtaining a *)(* copy of this software and associated documentation files (the "Software"),*)(* to deal in the Software without restriction, including without limitation *)(* the rights to use, copy, modify, merge, publish, distribute, sublicense, *)(* and/or sell copies of the Software, and to permit persons to whom the *)(* Software is furnished to do so, subject to the following conditions: *)(* *)(* The above copyright notice and this permission notice shall be included *)(* in all copies or substantial portions of the Software. *)(* *)(* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR*)(* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, *)(* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL *)(* THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER*)(* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING *)(* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER *)(* DEALINGS IN THE SOFTWARE. *)(* *)(*****************************************************************************)openPlonk.BlsopenPlonk.UtilsopenPlonk.IdentitiesmoduleSMap=Plonk.SMapletnb_wires=Plompiler.Csir.nb_wires_archmoduletypeS=sigmodulePP:Polynomial_protocol.Stypeproof={perm_and_plook:PP.PC.Commitment.t;wires_cm:PP.PC.Commitment.t;pp_proof:PP.proof;}includePlonk.Main_protocol_intf.Swithtypeproof:=prooftypegate_randomness={beta:Scalar.t;gamma:Scalar.t;delta:Scalar.t}valbuild_gates_randomness:bytes->gate_randomness*bytesvalfilter_prv_pp_circuits:prover_public_parameters->'aSMap.t->prover_public_parametersvalhash_verifier_inputs:verifier_inputs->bytesmoduleProver:sigvalbuild_all_keys_z:prover_public_parameters->stringlistvalcommit_to_wires:?all_keys:stringlist->?shifts_map:(int*int)SMap.t->prover_public_parameters->circuit_prover_inputlistSMap.t->Evaluations.tSMap.tlistSMap.t*Poly.tSMap.tlistSMap.t*Poly.tSMap.toptionlistSMap.t*Poly.tSMap.t*Input_commitment.public*PP.PC.Commitment.prover_auxvalbuild_evaluations:prover_public_parameters->Evaluations.polynomialSMap.t->Evaluations.tSMap.tvalbuild_f_map_plook:?shifts_map:(int*int)SMap.t->prover_public_parameters->gate_randomness->Evaluations.tSMap.tlistSMap.t->Poly.tSMap.tvalbuild_f_map_perm:prover_public_parameters->gate_randomness->Evaluations.tSMap.tSMap.t->Poly.tSMap.t(* builds the range check’s permutation proof polynomials *)valbuild_f_map_rc_2:prover_public_parameters->gate_randomness->Evaluations.tSMap.tSMap.t->Poly.tSMap.tvalbuild_perm_rc2_identities:prover_public_parameters->gate_randomness->prover_identitiesvalbuild_gates_plook_rc1_identities:?shifts_map:(int*int)SMap.t->prover_public_parameters->gate_randomness->circuit_prover_inputlistSMap.t->prover_identitiesendtypeworker_inputs[@@derivingrepr]valsplit_inputs_map:nb_workers:int->circuit_prover_inputlistSMap.t->worker_inputsSMap.tlisttypecommit_to_wires_reply=PP.PC.Commitment.t[@@derivingrepr](* shifts_maps binds circuits names to pairs of integers.
'c1' -> (7, 20) means that 20 proofs are expected for circuit 'c1' and
there must be a shift of 7 in indexing considering the worker is starting
at proof No. 7 *)typecommit_to_wires_remember={all_f_wires:Poly.tSMap.t;wires_list_map:Evaluations.tSMap.tlistSMap.t;inputs_map:circuit_prover_inputlistSMap.t;shifts_map:(int*int)SMap.t;f_wires:Poly.tSMap.tlistSMap.t;cm_aux_wires:PP.PC.Commitment.prover_aux;}valworker_commit_to_wires:prover_public_parameters->worker_inputsSMap.t->commit_to_wires_reply*commit_to_wires_remembertypecommit_to_plook_rc_reply={batched_wires_map:Evaluations.tSMap.tSMap.t;cmt:PP.PC.Commitment.t;f_map:Poly.tSMap.t;prover_aux:PP.PC.Commitment.prover_aux;}[@@derivingrepr]typecommit_to_plook_rc_remember={beta:scalar;gamma:scalar}valcommit_to_plook_rc:prover_public_parameters->(int*int)SMap.t->bytes->Evaluations.tSMap.tlistSMap.t->commit_to_plook_rc_reply*commit_to_plook_rc_remembervalbatch_evaluated_ids:alpha:scalar->Evaluations.tSMap.t->stringlist->Evaluations.tvalkzg_eval_at_x:prover_public_parameters->PP.transcript->(PP.PC.secret*PP.PC.Commitment.prover_aux)list->scalar->PP.PC.answerlistvalshared_perm_rc_argument:prover_public_parameters->int->gate_randomness->'alistSMap.t->commit_to_plook_rc_replylist->Poly.tSMap.t*Evaluations.tSMap.t*(commit_to_wires_reply*PP.PC.Commitment.prover_aux)valmake_secret:prover_public_parameters->Poly.tSMap.t*PP.PC.Commitment.prover_aux->(Poly.tSMap.t*PP.PC.Commitment.prover_aux)listvalmake_eval_points:prover_public_parameters->eval_pointlistlist*eval_pointlistlistvalget_srs:prover_public_parameters->PP.prover_public_parameters(** Returns (g, n, nb_t), where n is the size of the circuit padded to the
next power of two, g is a primitive n-th root of unity, & nb_t is the
number of T polynomials in the answers
*)valget_gen_n_nbt:prover_public_parameters->scalar*int*intvalget_transcript:prover_public_parameters->bytesvalcheck_no_zk:prover_public_parameters->unitendmoduleCommon(PP:Polynomial_protocol.S)=structopenPlonk.Main_protocol.Make_impl(PP)openProvermoduleCommitment=PP.PC.Commitmenttypecommit_to_wires_reply=Commitment.t[@@derivingrepr]typeworker_inputs={inputs:circuit_prover_inputlist;shift:int*int}[@@derivingrepr]letsplit_inputs_map~nb_workersinputs_map=letlist_rangei1i2=List.filteri(funi_->i1<=i&&i<i2)inList.map(funi->SMap.map(funl->letn=List.lengthlinletchunk_size=Z.(cdiv(of_intn)(of_intnb_workers)|>to_int)inletinputs=list_range(chunk_size*i)(chunk_size*(i+1))linletshift=(chunk_size*i,n)in{inputs;shift})inputs_map)(List.initnb_workersFun.id)typecommit_to_plook_rc_reply={batched_wires_map:Evaluations.tSMap.tSMap.t;cmt:Commitment.t;f_map:Poly.tSMap.t;prover_aux:Commitment.prover_aux;}[@@derivingrepr]typecommit_to_plook_rc_remember={beta:scalar;gamma:scalar}typecommit_to_wires_remember={all_f_wires:Poly.tSMap.t;wires_list_map:Evaluations.tSMap.tlistSMap.t;inputs_map:circuit_prover_inputlistSMap.t;shifts_map:(int*int)SMap.t;f_wires:Poly.tSMap.tlistSMap.t;cm_aux_wires:Commitment.prover_aux;}letworker_commit_to_wiresppworker_inputs_map=letinputs_map=SMap.map(funwi->wi.inputs)worker_inputs_mapinletshifts_map=SMap.map(funwi->wi.shift)worker_inputs_mapinletall_keys=build_all_wires_keyspp(SMap.mapsndshifts_map)nb_wiresinletwires_list_map,f_wires,_,all_f_wires,cm_wires,cm_aux_wires=commit_to_wires~all_keys~shifts_mapppinputs_mapin(cm_wires,{all_f_wires;wires_list_map;inputs_map;shifts_map;f_wires;cm_aux_wires;})letcommit_to_plook_rcppshifts_maptranscriptf_wires_list_map=letrd,_transcript=build_gates_randomnesstranscriptin(* we should compute this in an other function *)letbatched_wires_map=Perm.Shared_argument.build_batched_wires_values~delta:rd.delta~wires:f_wires_list_map()in(* ******************************************* *)letf_map=build_f_map_plook~shifts_mappprdf_wires_list_mapin(* commit to the plookup polynomials *)letcmt,prover_aux=(* TODO #5551
Implement Plookup
*)letall_keys=build_all_keys_zppinPP.PC.Commitment.commit~all_keyspp.common_pp.pp_public_parametersf_mapin({batched_wires_map;cmt;f_map;prover_aux},{beta=rd.beta;gamma=rd.gamma})letbatch_evaluated_ids~alphaevaluated_idsall_ids_keys=letpowers_map=SMap.of_list@@List.mapi(funis->(s,i))all_ids_keysinletids_keys,evaluations=List.split@@SMap.bindingsevaluated_idsinletpowers=List.map(funs->SMap.findspowers_map)ids_keys|>List.map(funi->Scalar.powalpha@@Z.of_inti)inEvaluations.linear_c~evaluations~linear_coeffs:powers()letkzg_eval_at_xpptranscriptsecrets_workergenerator=leteval_points_worker=[List.hd@@List.rev@@pp.common_pp.eval_points]inletx,_transcript=Fr_generation.random_frtranscriptinletpolys_list_worker=List.mapfstsecrets_workerinletquery_list_worker=List.map(convert_eval_points~generator~x)eval_points_workerinList.map2PP.PC.evaluatepolys_list_workerquery_list_worker(* Same as Plonk.Main_protocol.build_batched_witness_poly, but the IFFT
version every times.
Because I don’t know how to use f_wires in distributed_prover
*)letbuild_batched_witness_polys_bisppbatched_witnesses=letbatched_witness_polys=SMap.map(funbatched_witness->(* we apply an IFFT on the batched witness *)Perm.Shared_argument.batched_wires_poly_of_batched_wiresppbatched_witness(Scalar.zero,[]))batched_witnessesinbatched_witness_polys|>SMap.Aggregation.smap_of_smap_smapletshared_perm_rc_argumentppnb_workersrandomnessinputs_mapreplies=letrecombine_batched_wirespieces=(* we want the last worker to be first to apply Horner's method *)letpieces=List.revpiecesinList.fold_left(funaccm->SMap.union(funcircuit_namewitness_accwitness_m->letn=List.length(SMap.findcircuit_nameinputs_map)inletchunk_size=Z.(cdiv(of_intn)(of_intnb_workers))inletdelta_factor=Scalar.powrandomness.deltachunk_sizeinletsum=SMap.mapi(funiw_acc->letw=SMap.findiwitness_minEvaluations.(addw(mul_by_scalardelta_factorw_acc)))witness_accinSomesum)accm)(List.hdpieces)(List.tlpieces)inletbatched_wires_map=recombine_batched_wires(List.map(funr->r.batched_wires_map)replies)inletopenProverinletf_map_perm=build_f_map_permpprandomnessbatched_wires_mapinletf_map_rc=build_f_map_rc_2pprandomnessbatched_wires_mapinletf_map_perm_rc=SMap.union_disjointf_map_permf_map_rcinletevaluated_perm_ids=letevaluations=letbatched_wires_polys=build_batched_witness_polys_bis(pp.common_pp.zk,pp.common_pp.n,pp.common_pp.domain)batched_wires_mapinbuild_evaluationspp(SMap.union_disjointf_map_perm_rcbatched_wires_polys)in(build_perm_rc2_identitiespprandomness)evaluationsinletcmt=letall_keys=build_all_keys_zppinCommitment.commit~all_keyspp.common_pp.pp_public_parametersf_map_perm_rcin(f_map_perm_rc,evaluated_perm_ids,cmt)letbuild_f_map_rc_2=Prover.build_f_map_rc_2letmake_secretpp(f_map,f_prv_aux)=[(pp.common_pp.g_map,pp.common_pp.g_prover_aux);(f_map,f_prv_aux)]letmake_eval_pointspp=Plonk.List.split_n2pp.common_pp.eval_pointsletget_generatorpp=Domain.getpp.common_pp.domain1letget_srspp=pp.common_pp.pp_public_parametersletget_gen_n_nbtpp=(Domain.getpp.common_pp.domain1,pp.common_pp.n,pp.common_pp.nb_of_t_chunks)letget_transcriptpp=pp.transcriptletcheck_no_zkpp=ifpp.common_pp.zkthenfailwith"Distribution with ZK is not supported"endmoduleMake(PP:Polynomial_protocol.S)=structmodulePP=PPmoduleMP=Plonk.Main_protocol.Make_impl(PP)include(MP:moduletypeofMPwithmodulePP:=PP)includeCommon(PP)endmoduleMakeSuper(PP:Polynomial_protocol.Super)=structmodulePP=PPmoduleMP=Aggregation.Main_protocol.Make_impl(PP)include(MP:moduletypeofMPwithmodulePP:=PP)includeCommon(PP)end