-
Notifications
You must be signed in to change notification settings - Fork 11
feat(backend): Use Schnorr signatures for signed PODs #236
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Changes from 16 commits
Commits
Show all changes
32 commits
Select commit
Hold shift + click to select a range
c36cf43
Implement non-native extension field arithmetic
ax0 4798d48
Schnorr signature verification (#221)
dgulotta 8fb0af0
Merge branch 'main' into ec-sig
ax0 97edb98
Use Schnorr signatures for signed PODs
ax0 e56515d
add custom gates (#237)
dgulotta 61ca534
Merge branch 'main' into ec-sig
ax0 1d0e220
Clippy
ax0 d48d3a5
Formatting
ax0 6fca530
Apply suggestions from code review
ax0 540a7cc
Merge branch 'main' into ec-sig
ax0 ac07ad6
Fix typo
ax0 c19c60f
Merge branch 'main' into ec-sig
ax0 a8b8ee9
Fix tests
ax0 747239f
Point -> PublicKey
ax0 686976a
Remove default nnf_div implementation for clarity
ax0 ebbb710
Code review & edits for clarity
ax0 5bc9950
Remove suspicious mutation
ax0 5d5da97
Simplify computation
ax0 dc2bd95
Fix division
ax0 2ad2370
Fix
ax0 475f5e9
Update src/backends/plonky2/primitives/ec/curve.rs
ax0 dbd6f51
Update src/backends/plonky2/primitives/ec/curve.rs
ax0 6cae8af
Fixes
ax0 13c2952
Add public key to signed POD struct
ax0 237019c
Style
ax0 6932590
Elaborate on in-circuit field->biguint conversion
ax0 9d996df
Add missing gates
ax0 48cc578
Comments
ax0 c63f7b1
Merge branch 'main' into ec-sig
ax0 1f8230b
Add bits to biguint struct
ax0 ab72984
Comments
ax0 6d2e5b8
Comment
ax0 File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,200 @@ | ||
| use std::{array, marker::PhantomData}; | ||
|
|
||
| use num::BigUint; | ||
| use plonky2::{ | ||
| field::{ | ||
| extension::Extendable, | ||
| goldilocks_field::GoldilocksField, | ||
| types::{Field, Field64}, | ||
| }, | ||
| hash::hash_types::RichField, | ||
| iop::{ | ||
| generator::{GeneratedValues, SimpleGenerator}, | ||
| target::{BoolTarget, Target}, | ||
| witness::{PartitionWitness, Witness, WitnessWrite}, | ||
| }, | ||
| plonk::{circuit_builder::CircuitBuilder, circuit_data::CommonCircuitData}, | ||
| util::serialization::{IoResult, Read, Write}, | ||
| }; | ||
|
|
||
| #[derive(Debug)] | ||
| struct ConditionalZeroGenerator<F: RichField + Extendable<D>, const D: usize> { | ||
| if_zero: Target, | ||
| then_zero: Target, | ||
| quot: Target, | ||
| _phantom: PhantomData<F>, | ||
| } | ||
|
|
||
| impl<F: RichField + Extendable<D>, const D: usize> SimpleGenerator<F, D> | ||
| for ConditionalZeroGenerator<F, D> | ||
| { | ||
| fn id(&self) -> String { | ||
| "ConditionalZeroGenerator".to_string() | ||
| } | ||
|
|
||
| fn dependencies(&self) -> Vec<Target> { | ||
| vec![self.if_zero, self.then_zero] | ||
| } | ||
|
|
||
| fn run_once( | ||
| &self, | ||
| witness: &PartitionWitness<F>, | ||
| out_buffer: &mut GeneratedValues<F>, | ||
| ) -> anyhow::Result<()> { | ||
| let if_zero = witness.get_target(self.if_zero); | ||
| let then_zero = witness.get_target(self.then_zero); | ||
| if if_zero.is_zero() { | ||
| out_buffer.set_target(self.quot, F::ZERO)?; | ||
| } else { | ||
| out_buffer.set_target(self.quot, then_zero / if_zero)?; | ||
| } | ||
|
|
||
| Ok(()) | ||
| } | ||
|
|
||
| fn serialize(&self, dst: &mut Vec<u8>, _common_data: &CommonCircuitData<F, D>) -> IoResult<()> { | ||
| dst.write_target(self.if_zero)?; | ||
| dst.write_target(self.then_zero)?; | ||
| dst.write_target(self.quot) | ||
| } | ||
|
|
||
| fn deserialize( | ||
| src: &mut plonky2::util::serialization::Buffer, | ||
| _common_data: &CommonCircuitData<F, D>, | ||
| ) -> IoResult<Self> | ||
| where | ||
| Self: Sized, | ||
| { | ||
| Ok(Self { | ||
| if_zero: src.read_target()?, | ||
| then_zero: src.read_target()?, | ||
| quot: src.read_target()?, | ||
| _phantom: PhantomData, | ||
| }) | ||
| } | ||
| } | ||
|
|
||
| /// A big integer, represented in base `2^32` with 10 digits, in little endian | ||
| /// form. | ||
| #[derive(Clone, Debug)] | ||
| pub struct BigUInt320Target(pub(super) [Target; 10]); | ||
|
|
||
| pub trait CircuitBuilderBits { | ||
| /// Enforces the constraint that `then_zero` must be zero if `if_zero` | ||
| /// is zero. | ||
| /// | ||
| /// The prover is required to exhibit a solution to the equation | ||
| /// `if_zero * x == then_zero`. If both `if_zero` and `then_zero` | ||
| /// are zero, then it chooses the solution `x = 0`. | ||
| fn conditional_zero(&mut self, if_zero: Target, then_zero: Target); | ||
|
|
||
| /// Returns the binary representation of the target, in little-endian order. | ||
| fn biguint_bits(&mut self, x: &BigUInt320Target) -> [BoolTarget; 320]; | ||
|
|
||
| /// Decomposes the target x as `y + 2^32 z`, where `0 < y,z < 2**32`, and | ||
| /// `y=0` if `z=2**32-1`. Note that calling [`CircuitBuilder::split_le`] | ||
| /// with `num_bits = 64` will not check the latter condition. | ||
| fn split_32_bit(&mut self, x: Target) -> [Target; 2]; | ||
|
|
||
| /// Interprets `arr` as an integer in base `[GoldilocksField::ORDER]`, | ||
| /// with the digits in little endian order. The length of `arr` must be at | ||
| /// most 5. | ||
| fn field_elements_to_biguint(&mut self, arr: &[Target]) -> BigUInt320Target; | ||
|
|
||
| fn normalize_bigint( | ||
| &mut self, | ||
| x: &mut BigUInt320Target, | ||
| max_digit_bits: usize, | ||
| max_num_digits: usize, | ||
| ); | ||
|
|
||
| fn constant_biguint320(&mut self, n: &BigUint) -> BigUInt320Target; | ||
| fn add_virtual_biguint320_target(&mut self) -> BigUInt320Target; | ||
| fn connect_biguint320(&mut self, x: &BigUInt320Target, y: &BigUInt320Target); | ||
| } | ||
|
|
||
| impl CircuitBuilderBits for CircuitBuilder<GoldilocksField, 2> { | ||
| fn conditional_zero(&mut self, if_zero: Target, then_zero: Target) { | ||
| let quot = self.add_virtual_target(); | ||
| self.add_simple_generator(ConditionalZeroGenerator { | ||
| if_zero, | ||
| then_zero, | ||
| quot, | ||
| _phantom: PhantomData, | ||
| }); | ||
| let prod = self.mul(if_zero, quot); | ||
| self.connect(prod, then_zero); | ||
| } | ||
|
|
||
| fn biguint_bits(&mut self, x: &BigUInt320Target) -> [BoolTarget; 320] { | ||
| let bits = x.0.map(|t| self.low_bits(t, 32, 32)); | ||
| array::from_fn(|i| bits[i / 32][i % 32]) | ||
| } | ||
|
|
||
| fn field_elements_to_biguint(&mut self, arr: &[Target]) -> BigUInt320Target { | ||
| assert!(arr.len() <= 5); | ||
| let mut ans = BigUInt320Target(array::from_fn(|_| self.zero())); | ||
| let neg_one = self.neg_one(); | ||
| let two_32 = self.constant(GoldilocksField::from_canonical_u64(1 << 32)); | ||
| for (n, &x) in arr.iter().rev().enumerate() { | ||
| // multiply by the order of the Goldilocks field | ||
| for i in (0..(2 * n)).rev() { | ||
| let tmp = self.add(ans.0[i + 1], two_32); | ||
| ans.0[i + 1] = self.sub(tmp, ans.0[i]); | ||
| let tmp = self.add(ans.0[i + 2], ans.0[i]); | ||
| ans.0[i + 2] = self.add(tmp, neg_one); | ||
| } | ||
| // add x | ||
| let [low, high] = self.split_32_bit(x); | ||
| ans.0[0] = self.add(ans.0[0], low); | ||
| ans.0[1] = self.add(ans.0[1], high); | ||
| self.normalize_bigint(&mut ans, 34, 2 * n + 1); | ||
| } | ||
| ans | ||
| } | ||
|
|
||
| fn normalize_bigint( | ||
| &mut self, | ||
| x: &mut BigUInt320Target, | ||
| max_digit_bits: usize, | ||
| max_num_carries: usize, | ||
| ) { | ||
| for i in 0..max_num_carries { | ||
| let (low, high) = self.split_low_high(x.0[i], 32, max_digit_bits); | ||
| x.0[i] = low; | ||
| x.0[i + 1] = self.add(x.0[i + 1], high); | ||
ax0 marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| } | ||
| } | ||
|
|
||
| fn split_32_bit(&mut self, x: Target) -> [Target; 2] { | ||
| let (low, high) = self.split_low_high(x, 32, 64); | ||
| let max = self.constant(GoldilocksField::from_canonical_i64(0xFFFFFFFF)); | ||
| let high_minus_max = self.sub(high, max); | ||
| self.conditional_zero(high_minus_max, low); | ||
| [low, high] | ||
| } | ||
|
|
||
| fn constant_biguint320(&mut self, n: &BigUint) -> BigUInt320Target { | ||
| assert!(n.bits() <= 320); | ||
| let digits = n.to_u32_digits(); | ||
| let targets = array::from_fn(|i| { | ||
| let d = digits.get(i).copied().unwrap_or(0); | ||
| self.constant(GoldilocksField::from_canonical_u32(d)) | ||
| }); | ||
| BigUInt320Target(targets) | ||
| } | ||
|
|
||
| fn add_virtual_biguint320_target(&mut self) -> BigUInt320Target { | ||
| let targets = self.add_virtual_target_arr(); | ||
| for t in targets { | ||
| self.range_check(t, 32); | ||
ax0 marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| } | ||
| BigUInt320Target(targets) | ||
| } | ||
|
|
||
| fn connect_biguint320(&mut self, x: &BigUInt320Target, y: &BigUInt320Target) { | ||
| for i in 0..10 { | ||
| self.connect(x.0[i], y.0[i]); | ||
| } | ||
| } | ||
| } | ||
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.