Pedersen hashes with full optimization

2025-01-31 15:52:14 +00:00 · 2018-02-20 17:22:00 -07:00 · 2018-02-20 17:22:00 -07:00 · 88bdff6ce9
commit 88bdff6ce9
parent 4fa73efc1e
4 changed files with 96 additions and 47 deletions
--- a/src/circuit/lookup.rs
+++ b/src/circuit/lookup.rs
@ -1,6 +1,9 @@
 use pairing::{Engine, Field};
 use super::*;
-use super::num::AllocatedNum;
+use super::num::{
+    AllocatedNum,
+    Num
+};
 use super::boolean::Boolean;
 use bellman::{
    ConstraintSystem
@ -123,7 +126,7 @@ pub fn lookup3_xy_with_conditional_negation<E: Engine, CS>(
    mut cs: CS,
    bits: &[Boolean],
    coords: &[(E::Fr, E::Fr)]
-) -> Result<(AllocatedNum<E>, AllocatedNum<E>), SynthesisError>
+) -> Result<(Num<E>, Num<E>), SynthesisError>
    where CS: ConstraintSystem<E>
 {
    assert_eq!(bits.len(), 3);
@ -145,17 +148,9 @@ pub fn lookup3_xy_with_conditional_negation<E: Engine, CS>(
        _ => None
    };

-    // Allocate the x-coordinate resulting from the lookup
-    let res_x = AllocatedNum::alloc(
-        cs.namespace(|| "x"),
-        || {
-            Ok(coords[*i.get()?].0)
-        }
-    )?;
-
    // Allocate the y-coordinate resulting from the lookup
    // and conditional negation
-    let res_y = AllocatedNum::alloc(
+    let y = AllocatedNum::alloc(
        cs.namespace(|| "y"),
        || {
            let mut tmp = coords[*i.get()?].1;
@ -176,15 +171,11 @@ pub fn lookup3_xy_with_conditional_negation<E: Engine, CS>(

    let precomp = Boolean::and(cs.namespace(|| "precomp"), &bits[0], &bits[1])?;

-    cs.enforce(
-        || "x-coordinate lookup",
-        |lc| lc + (x_coeffs[0b00], one)
-                + &bits[0].lc::<E>(one, x_coeffs[0b01])
-                + &bits[1].lc::<E>(one, x_coeffs[0b10])
-                + &precomp.lc::<E>(one, x_coeffs[0b11]),
-        |lc| lc + one,
-        |lc| lc + res_x.get_variable()
-    );
+    let x = Num::zero()
+            .add_bool_with_coeff(one, &Boolean::constant(true), x_coeffs[0b00])
+            .add_bool_with_coeff(one, &bits[0], x_coeffs[0b01])
+            .add_bool_with_coeff(one, &bits[1], x_coeffs[0b10])
+            .add_bool_with_coeff(one, &precomp, x_coeffs[0b11]);

    let y_lc = precomp.lc::<E>(one, y_coeffs[0b11]) +
               &bits[1].lc::<E>(one, y_coeffs[0b10]) +
@ -195,10 +186,10 @@ pub fn lookup3_xy_with_conditional_negation<E: Engine, CS>(
        || "y-coordinate lookup",
        |lc| lc + &y_lc + &y_lc,
        |lc| lc + &bits[2].lc::<E>(one, E::Fr::one()),
-        |lc| lc + &y_lc - res_y.get_variable()
+        |lc| lc + &y_lc - y.get_variable()
    );

-    Ok((res_x, res_y))
+    Ok((x, y.into()))
 }

 #[cfg(test)]
--- a/src/circuit/mont.rs
+++ b/src/circuit/mont.rs
@ -12,7 +12,10 @@ use super::{
    Assignment
 };

-use super::num::AllocatedNum;
+use super::num::{
+    AllocatedNum,
+    Num
+};

 use ::jubjub::{
    JubjubEngine,
@ -470,8 +473,8 @@ impl<E: JubjubEngine> EdwardsPoint<E> {
 }

 pub struct MontgomeryPoint<E: Engine> {
-    x: AllocatedNum<E>,
-    y: AllocatedNum<E>
+    x: Num<E>,
+    y: Num<E>
 }

 impl<E: JubjubEngine> MontgomeryPoint<E> {
@ -504,9 +507,9 @@ impl<E: JubjubEngine> MontgomeryPoint<E> {

        cs.enforce(
            || "u computation",
-            |lc| lc + self.y.get_variable(),
+            |lc| lc + &self.y.lc(E::Fr::one()),
            |lc| lc + u.get_variable(),
-            |lc| lc + (*params.scale(), self.x.get_variable())
+            |lc| lc + &self.x.lc(*params.scale())
        );

        // Compute v = (x - 1) / (x + 1)
@ -531,10 +534,10 @@ impl<E: JubjubEngine> MontgomeryPoint<E> {
        let one = CS::one();
        cs.enforce(
            || "v computation",
-            |lc| lc + self.x.get_variable()
+            |lc| lc + &self.x.lc(E::Fr::one())
                    + one,
            |lc| lc + v.get_variable(),
-            |lc| lc + self.x.get_variable()
+            |lc| lc + &self.x.lc(E::Fr::one())
                    - one,
        );

@ -549,8 +552,8 @@ impl<E: JubjubEngine> MontgomeryPoint<E> {
    /// on the curve. Useful for constants and
    /// window table lookups.
    pub fn interpret_unchecked(
-        x: AllocatedNum<E>,
-        y: AllocatedNum<E>
+        x: Num<E>,
+        y: Num<E>
    ) -> Self
    {
        MontgomeryPoint {
@ -590,13 +593,13 @@ impl<E: JubjubEngine> MontgomeryPoint<E> {

        cs.enforce(
            || "evaluate lambda",
-            |lc| lc + other.x.get_variable()
-                    - self.x.get_variable(),
+            |lc| lc + &other.x.lc(E::Fr::one())
+                    - &self.x.lc(E::Fr::one()),

            |lc| lc + lambda.get_variable(),

-            |lc| lc + other.y.get_variable()
-                    - self.y.get_variable()
+            |lc| lc + &other.y.lc(E::Fr::one())
+                    - &self.y.lc(E::Fr::one())
        );

        // Compute x'' = lambda^2 - A - x - x'
@ -617,8 +620,8 @@ impl<E: JubjubEngine> MontgomeryPoint<E> {
            |lc| lc + lambda.get_variable(),
            |lc| lc + lambda.get_variable(),
            |lc| lc + (*params.montgomery_a(), one)
-                    + self.x.get_variable()
-                    + other.x.get_variable()
+                    + &self.x.lc(E::Fr::one())
+                    + &other.x.lc(E::Fr::one())
                    + xprime.get_variable()
        );

@ -636,18 +639,18 @@ impl<E: JubjubEngine> MontgomeryPoint<E> {
        // y' + y = lambda(x - x')
        cs.enforce(
            || "evaluate yprime",
-            |lc| lc + self.x.get_variable()
+            |lc| lc + &self.x.lc(E::Fr::one())
                    - xprime.get_variable(),

            |lc| lc + lambda.get_variable(),

            |lc| lc + yprime.get_variable()
-                    + self.y.get_variable()
+                    + &self.y.lc(E::Fr::one())
        );

        Ok(MontgomeryPoint {
-            x: xprime,
-            y: yprime
+            x: xprime.into(),
+            y: yprime.into()
        })
    }
 }
@ -697,7 +700,7 @@ mod test {
                Ok(y)
            }).unwrap();

-            let p = MontgomeryPoint::interpret_unchecked(numx, numy);
+            let p = MontgomeryPoint::interpret_unchecked(numx.into(), numy.into());

            let q = p.into_edwards(&mut cs, params).unwrap();

@ -1068,13 +1071,13 @@ mod test {
            }).unwrap();

            let p1 = MontgomeryPoint {
-                x: num_x0,
-                y: num_y0
+                x: num_x0.into(),
+                y: num_y0.into()
            };

            let p2 = MontgomeryPoint {
-                x: num_x1,
-                y: num_y1
+                x: num_x1.into(),
+                y: num_y1.into()
            };

            let p3 = p1.add(cs.namespace(|| "addition"), &p2, params).unwrap();
--- a/src/circuit/num.rs
+++ b/src/circuit/num.rs
@ -321,6 +321,61 @@ impl<E: Engine> AllocatedNum<E> {
    }
 }

+pub struct Num<E: Engine> {
+    value: Option<E::Fr>,
+    lc: LinearCombination<E>
+}
+
+impl<E: Engine> From<AllocatedNum<E>> for Num<E> {
+    fn from(num: AllocatedNum<E>) -> Num<E> {
+        Num {
+            value: num.value,
+            lc: LinearCombination::<E>::zero() + num.variable
+        }
+    }
+}
+
+impl<E: Engine> Num<E> {
+    pub fn zero() -> Self {
+        Num {
+            value: Some(E::Fr::zero()),
+            lc: LinearCombination::zero()
+        }
+    }
+
+    pub fn get_value(&self) -> Option<E::Fr> {
+        self.value
+    }
+
+    pub fn lc(&self, coeff: E::Fr) -> LinearCombination<E> {
+        LinearCombination::zero() + (coeff, &self.lc)
+    }
+
+    pub fn add_bool_with_coeff(
+        self,
+        one: Variable,
+        bit: &Boolean,
+        coeff: E::Fr
+    ) -> Self
+    {
+        let newval = match (self.value, bit.get_value()) {
+            (Some(mut curval), Some(mut bval)) => {
+                if bval {
+                    curval.add_assign(&coeff);
+                }
+
+                Some(curval)
+            },
+            _ => None
+        };
+
+        Num {
+            value: newval,
+            lc: self.lc + &bit.lc(one, coeff)
+        }
+    }
+}
+
 #[cfg(test)]
 mod test {
    use rand::{SeedableRng, Rand, Rng, XorShiftRng};
--- a/src/circuit/pedersen_hash.rs
+++ b/src/circuit/pedersen_hash.rs
@ -155,7 +155,7 @@ mod test {
        ).unwrap();

        assert!(cs.is_satisfied());
-        assert_eq!(cs.num_constraints(), 1549);
+        assert_eq!(cs.num_constraints(), 1377);
    }

    #[test]