integrate dynamic vp commitments into vp circuit

anoma · Sep 7, 2023 · bcaef42 · bcaef42
1 parent 88c24c4
commit bcaef42
Show file tree

Hide file tree

Showing 18 changed files with 419 additions and 63 deletions.
diff --git a/taiga_halo2/benches/vp_proof.rs b/taiga_halo2/benches/vp_proof.rs
@@ -7,7 +7,7 @@ use rand::rngs::OsRng;
 use rand::Rng;
 use taiga_halo2::{
     circuit::{vp_circuit::ValidityPredicateCircuit, vp_examples::TrivialValidityPredicateCircuit},
-    constant::{NUM_NOTE, SETUP_PARAMS_MAP},
+    constant::{NUM_NOTE, SETUP_PARAMS_MAP, VP_CIRCUIT_PARAMS_SIZE},
     note::{Note, NoteType, RandomSeed},
     nullifier::{Nullifier, NullifierKeyContainer},
     proof::Proof,
@@ -71,7 +71,7 @@ fn bench_vp_proof(name: &str, c: &mut Criterion) {
             output_notes.try_into().unwrap(),
         )
     };
-    let params = SETUP_PARAMS_MAP.get(&12).unwrap();
+    let params = SETUP_PARAMS_MAP.get(&VP_CIRCUIT_PARAMS_SIZE).unwrap();
     let empty_circuit: TrivialValidityPredicateCircuit = Default::default();
     let vk = keygen_vk(params, &empty_circuit).expect("keygen_vk should not fail");
     let pk = keygen_pk(params, vk, &empty_circuit).expect("keygen_pk should not fail");

diff --git a/taiga_halo2/src/action.rs b/taiga_halo2/src/action.rs
@@ -1,5 +1,6 @@
 use crate::{
     circuit::action_circuit::ActionCircuit,
+    constant::{PRF_EXPAND_INPUT_VP_CM_R, PRF_EXPAND_OUTPUT_VP_CM_R},
     merkle_tree::{MerklePath, Node},
     note::{InputNoteProvingInfo, Note, OutputNoteProvingInfo, RandomSeed},
     nullifier::Nullifier,
@@ -151,12 +152,12 @@ impl ActionInfo {
 
     // Get the randomness of input note application vp commitment
     pub fn get_input_vp_com_r(&self) -> pallas::Base {
-        self.rseed.get_input_vp_cm_r()
+        self.rseed.get_vp_cm_r(PRF_EXPAND_INPUT_VP_CM_R)
     }
 
     // Get the randomness of output note application vp commitment
     pub fn get_output_vp_com_r(&self) -> pallas::Base {
-        self.rseed.get_output_vp_cm_r()
+        self.rseed.get_vp_cm_r(PRF_EXPAND_OUTPUT_VP_CM_R)
     }
 
     pub fn build(&self) -> (ActionInstance, ActionCircuit) {

diff --git a/taiga_halo2/src/circuit/blake2s.rs b/taiga_halo2/src/circuit/blake2s.rs
@@ -1,12 +1,19 @@
 use super::gadgets::assign_free_advice;
 use crate::circuit::gadgets::assign_free_constant;
-use crate::constant::VP_COMMITMENT_PERSONALIZATION;
+use crate::constant::{
+    VP_CIRCUIT_FIRST_DYNAMIC_VP_CM_1, VP_CIRCUIT_FIRST_DYNAMIC_VP_CM_2,
+    VP_CIRCUIT_SECOND_DYNAMIC_VP_CM_1, VP_CIRCUIT_SECOND_DYNAMIC_VP_CM_2,
+    VP_COMMITMENT_PERSONALIZATION,
+};
+use crate::vp_commitment::ValidityPredicateCommitment;
 use byteorder::{ByteOrder, LittleEndian};
 use group::ff::PrimeField;
 use halo2_gadgets::utilities::bool_check;
 use halo2_proofs::{
     circuit::{AssignedCell, Layouter, Value},
-    plonk::{Advice, Column, ConstraintSystem, Constraints, Error, Selector, VirtualCells},
+    plonk::{
+        Advice, Column, ConstraintSystem, Constraints, Error, Instance, Selector, VirtualCells,
+    },
     poly::Rotation,
 };
 use std::{convert::TryInto, marker::PhantomData};
@@ -21,6 +28,31 @@ pub fn vp_commitment_gadget<F: PrimeField>(
     blake2s_chip.encode_result(layouter, &hash)
 }
 
+pub fn publicize_default_dynamic_vp_commitments<F: PrimeField>(
+    layouter: &mut impl Layouter<F>,
+    advice: Column<Advice>,
+    instances: Column<Instance>,
+) -> Result<(), Error> {
+    let vp_cm_fields: [F; 2] = ValidityPredicateCommitment::default().to_public_inputs();
+    let vp_cm_1 = assign_free_advice(
+        layouter.namespace(|| "vp_cm 1"),
+        advice,
+        Value::known(vp_cm_fields[0]),
+    )?;
+    let vp_cm_2 = assign_free_advice(
+        layouter.namespace(|| "vp_cm 2"),
+        advice,
+        Value::known(vp_cm_fields[1]),
+    )?;
+
+    layouter.constrain_instance(vp_cm_1.cell(), instances, VP_CIRCUIT_FIRST_DYNAMIC_VP_CM_1)?;
+    layouter.constrain_instance(vp_cm_2.cell(), instances, VP_CIRCUIT_FIRST_DYNAMIC_VP_CM_2)?;
+    layouter.constrain_instance(vp_cm_1.cell(), instances, VP_CIRCUIT_SECOND_DYNAMIC_VP_CM_1)?;
+    layouter.constrain_instance(vp_cm_2.cell(), instances, VP_CIRCUIT_SECOND_DYNAMIC_VP_CM_2)?;
+
+    Ok(())
+}
+
 //               | BLAKE2s          |
 // --------------+------------------+
 //  Bits in word | w = 32           |

diff --git a/taiga_halo2/src/circuit/gadgets.rs b/taiga_halo2/src/circuit/gadgets.rs
@@ -6,6 +6,7 @@ use halo2_proofs::{
 
 pub mod add;
 pub mod conditional_equal;
+pub mod conditional_select;
 pub mod extended_or_relation;
 pub mod mul;
 pub mod poseidon_hash;

diff --git a/taiga_halo2/src/circuit/gadgets/conditional_select.rs b/taiga_halo2/src/circuit/gadgets/conditional_select.rs
@@ -0,0 +1,72 @@
+/// Constrain flag * (lhs - rhs) = 0
+use halo2_proofs::{
+    circuit::{AssignedCell, Region},
+    plonk::{Advice, Column, ConstraintSystem, Constraints, Error, Expression, Selector},
+    poly::Rotation,
+};
+
+use pasta_curves::pallas;
+
+#[derive(Clone, Copy, Debug, Eq, PartialEq)]
+pub struct ConditionalSelectConfig {
+    q_conditional_select: Selector,
+    advice: [Column<Advice>; 2],
+}
+
+impl ConditionalSelectConfig {
+    #[allow(clippy::too_many_arguments)]
+    pub fn configure(
+        meta: &mut ConstraintSystem<pallas::Base>,
+        advice: [Column<Advice>; 2],
+    ) -> Self {
+        let config = Self {
+            q_conditional_select: meta.selector(),
+            advice,
+        };
+
+        config.create_gate(meta);
+
+        config
+    }
+
+    fn create_gate(&self, meta: &mut ConstraintSystem<pallas::Base>) {
+        meta.create_gate("conditional select", |meta| {
+            let q_conditional_select = meta.query_selector(self.q_conditional_select);
+
+            let flag = meta.query_advice(self.advice[0], Rotation::cur());
+            let ret = meta.query_advice(self.advice[0], Rotation::next());
+            let lhs = meta.query_advice(self.advice[1], Rotation::cur());
+            let rhs = meta.query_advice(self.advice[1], Rotation::next());
+            let poly =
+                flag.clone() * lhs + (Expression::Constant(pallas::Base::one()) - flag) * rhs - ret;
+
+            Constraints::with_selector(
+                q_conditional_select,
+                [("flag * lhs + flag * rhs = ret", poly)],
+            )
+        });
+    }
+
+    pub fn assign_region(
+        &self,
+        flag: &AssignedCell<pallas::Base, pallas::Base>,
+        lhs: &AssignedCell<pallas::Base, pallas::Base>,
+        rhs: &AssignedCell<pallas::Base, pallas::Base>,
+        offset: usize,
+        region: &mut Region<'_, pallas::Base>,
+    ) -> Result<AssignedCell<pallas::Base, pallas::Base>, Error> {
+        // Enable `q_conditional_select` selector
+        self.q_conditional_select.enable(region, offset)?;
+
+        flag.copy_advice(|| "flag", region, self.advice[0], offset)?;
+        let ret_value = flag
+            .value()
+            .zip(lhs.value())
+            .zip(rhs.value())
+            .map(|((flag, &lhs), &rhs)| flag * lhs + (pallas::Base::one() - flag) * rhs);
+
+        lhs.copy_advice(|| "lhs", region, self.advice[1], offset)?;
+        rhs.copy_advice(|| "rhs", region, self.advice[1], offset + 1)?;
+        region.assign_advice(|| "ret", self.advice[0], offset + 1, || ret_value)
+    }
+}
diff --git a/taiga_halo2/src/circuit/vp_circuit.rs b/taiga_halo2/src/circuit/vp_circuit.rs
@@ -1,10 +1,13 @@
 use crate::circuit::vamp_ir_utils::{get_circuit_assignments, parse, VariableAssignmentError};
 use crate::{
     circuit::{
+        blake2s::publicize_default_dynamic_vp_commitments,
+        blake2s::Blake2sConfig,
         gadgets::{
             add::{AddChip, AddConfig},
             assign_free_advice,
             conditional_equal::ConditionalEqualConfig,
+            conditional_select::ConditionalSelectConfig,
             extended_or_relation::ExtendedOrRelationConfig,
             mul::{MulChip, MulConfig},
             sub::{SubChip, SubConfig},
@@ -308,10 +311,12 @@ pub struct ValidityPredicateConfig {
     pub get_is_input_note_flag_config: GetIsInputNoteFlagConfig,
     pub get_owned_note_variable_config: GetOwnedNoteVariableConfig,
     pub conditional_equal_config: ConditionalEqualConfig,
+    pub conditional_select_config: ConditionalSelectConfig,
     pub extended_or_relation_config: ExtendedOrRelationConfig,
     pub add_config: AddConfig,
     pub sub_config: SubConfig,
     pub mul_config: MulConfig,
+    pub blake2s_config: Blake2sConfig<pallas::Base>,
 }
 
 impl ValidityPredicateConfig {
@@ -349,25 +354,29 @@ impl ValidityPredicateConfig {
 
         let conditional_equal_config =
             ConditionalEqualConfig::configure(meta, [advices[0], advices[1], advices[2]]);
+        let conditional_select_config =
+            ConditionalSelectConfig::configure(meta, [advices[0], advices[1]]);
 
         let add_config = note_conifg.add_config.clone();
         let sub_config = SubChip::configure(meta, [advices[0], advices[1]]);
         let mul_config = MulChip::configure(meta, [advices[0], advices[1]]);
 
         let extended_or_relation_config =
             ExtendedOrRelationConfig::configure(meta, [advices[0], advices[1], advices[2]]);
-
+        let blake2s_config = Blake2sConfig::configure(meta, advices);
         Self {
             note_conifg,
             advices,
             instances,
             get_is_input_note_flag_config,
             get_owned_note_variable_config,
             conditional_equal_config,
+            conditional_select_config,
             extended_or_relation_config,
             add_config,
             sub_config,
             mul_config,
+            blake2s_config,
         }
     }
 }
@@ -468,12 +477,20 @@ pub trait ValidityPredicateCircuit: Circuit<pallas::Base> + ValidityPredicateVer
     // `get_input_notes` and `get_output_notes` will be used in `basic_constraints` to get the basic note info.
 
     // Add custom constraints on basic note variables and user-defined variables.
+    // It should at least contain the default vp commitment
     fn custom_constraints(
         &self,
-        _config: ValidityPredicateConfig,
-        mut _layouter: impl Layouter<pallas::Base>,
+        config: ValidityPredicateConfig,
+        mut layouter: impl Layouter<pallas::Base>,
         _basic_variables: BasicValidityPredicateVariables,
     ) -> Result<(), Error> {
+        // Publicize the dynamic vp commitments with default value
+        publicize_default_dynamic_vp_commitments(
+            &mut layouter,
+            config.advices[0],
+            config.instances,
+        )?;
+
         Ok(())
     }
 
@@ -826,7 +843,7 @@ macro_rules! vp_circuit_impl {
         impl ValidityPredicateVerifyingInfo for $name {
             fn get_verifying_info(&self) -> VPVerifyingInfo {
                 let mut rng = OsRng;
-                let params = SETUP_PARAMS_MAP.get(&12).unwrap();
+                let params = SETUP_PARAMS_MAP.get(&15).unwrap();
                 let vk = keygen_vk(params, self).expect("keygen_vk should not fail");
                 let pk = keygen_pk(params, vk.clone(), self).expect("keygen_pk should not fail");
                 let public_inputs = self.get_public_inputs(&mut rng);
@@ -846,7 +863,7 @@ macro_rules! vp_circuit_impl {
             }
 
             fn get_vp_vk(&self) -> ValidityPredicateVerifyingKey {
-                let params = SETUP_PARAMS_MAP.get(&12).unwrap();
+                let params = SETUP_PARAMS_MAP.get(&15).unwrap();
                 let vk = keygen_vk(params, self).expect("keygen_vk should not fail");
                 ValidityPredicateVerifyingKey::from_vk(vk)
             }

diff --git a/taiga_halo2/src/circuit/vp_examples.rs b/taiga_halo2/src/circuit/vp_examples.rs
@@ -6,6 +6,7 @@ use crate::{
     constant::{NUM_NOTE, SETUP_PARAMS_MAP},
     note::{Note, RandomSeed},
     proof::Proof,
+    vp_commitment::ValidityPredicateCommitment,
     vp_vk::ValidityPredicateVerifyingKey,
 };
 use halo2_proofs::plonk::{keygen_pk, keygen_vk};
@@ -111,6 +112,10 @@ impl ValidityPredicateCircuit for TrivialValidityPredicateCircuit {
 
     fn get_public_inputs(&self, mut rng: impl RngCore) -> ValidityPredicatePublicInputs {
         let mut public_inputs = self.get_mandatory_public_inputs();
+        let default_vp_cm: [pallas::Base; 2] =
+            ValidityPredicateCommitment::default().to_public_inputs();
+        public_inputs.extend(default_vp_cm);
+        public_inputs.extend(default_vp_cm);
         let padding = ValidityPredicatePublicInputs::get_public_input_padding(
             public_inputs.len(),
             &RandomSeed::random(&mut rng),
@@ -153,15 +158,20 @@ pub mod tests {
     #[test]
     fn test_halo2_trivial_vp_circuit() {
         use crate::circuit::vp_circuit::ValidityPredicateCircuit;
+        use crate::constant::VP_CIRCUIT_PARAMS_SIZE;
         use halo2_proofs::dev::MockProver;
         use rand::rngs::OsRng;
 
         let mut rng = OsRng;
         let circuit = random_trivial_vp_circuit(&mut rng);
         let public_inputs = circuit.get_public_inputs(&mut rng);
 
-        let prover =
-            MockProver::<pallas::Base>::run(12, &circuit, vec![public_inputs.to_vec()]).unwrap();
+        let prover = MockProver::<pallas::Base>::run(
+            VP_CIRCUIT_PARAMS_SIZE,
+            &circuit,
+            vec![public_inputs.to_vec()],
+        )
+        .unwrap();
         assert_eq!(prover.verify(), Ok(()));
     }
 }
diff --git a/taiga_halo2/src/circuit/vp_examples/cascade_intent.rs b/taiga_halo2/src/circuit/vp_examples/cascade_intent.rs
@@ -6,6 +6,7 @@
 ///
 use crate::{
     circuit::{
+        blake2s::publicize_default_dynamic_vp_commitments,
         gadgets::{
             assign_free_advice,
             target_note_variable::{get_is_input_note_flag, get_owned_note_variable},
@@ -19,6 +20,7 @@ use crate::{
     note::{Note, RandomSeed},
     nullifier::{Nullifier, NullifierKeyContainer},
     proof::Proof,
+    vp_commitment::ValidityPredicateCommitment,
     vp_vk::ValidityPredicateVerifyingKey,
 };
 use halo2_proofs::{
@@ -105,6 +107,13 @@ impl ValidityPredicateCircuit for CascadeIntentValidityPredicateCircuit {
             },
         )?;
 
+        // Publicize the dynamic vp commitments with default value
+        publicize_default_dynamic_vp_commitments(
+            &mut layouter,
+            config.advices[0],
+            config.instances,
+        )?;
+
         Ok(())
     }
 
@@ -118,6 +127,10 @@ impl ValidityPredicateCircuit for CascadeIntentValidityPredicateCircuit {
 
     fn get_public_inputs(&self, mut rng: impl RngCore) -> ValidityPredicatePublicInputs {
         let mut public_inputs = self.get_mandatory_public_inputs();
+        let default_vp_cm: [pallas::Base; 2] =
+            ValidityPredicateCommitment::default().to_public_inputs();
+        public_inputs.extend(default_vp_cm);
+        public_inputs.extend(default_vp_cm);
         let padding = ValidityPredicatePublicInputs::get_public_input_padding(
             public_inputs.len(),
             &RandomSeed::random(&mut rng),
@@ -156,6 +169,7 @@ pub fn create_intent_note<R: RngCore>(
 
 #[test]
 fn test_halo2_cascade_intent_vp_circuit() {
+    use crate::constant::VP_CIRCUIT_PARAMS_SIZE;
     use crate::note::tests::{random_input_note, random_output_note};
     use halo2_proofs::arithmetic::Field;
     use halo2_proofs::dev::MockProver;
@@ -183,7 +197,11 @@ fn test_halo2_cascade_intent_vp_circuit() {
     };
     let public_inputs = circuit.get_public_inputs(&mut rng);
 
-    let prover =
-        MockProver::<pallas::Base>::run(12, &circuit, vec![public_inputs.to_vec()]).unwrap();
+    let prover = MockProver::<pallas::Base>::run(
+        VP_CIRCUIT_PARAMS_SIZE,
+        &circuit,
+        vec![public_inputs.to_vec()],
+    )
+    .unwrap();
     assert_eq!(prover.verify(), Ok(()));
 }