Merge pull request privacy-ethereum#178 from input-output-hk/dev-feature/gl-133-plonk-gate

Add generic arithmetic gate / Plonk gadget

# Project Context

This is a partial resolution of privacy-ethereum#58: that issue is concerned with creating a generic arithmetic gadget and using it where possible. Here we create the gadget, but only use it in a few places. Using it everywhere that makes sense will be a later PR.

The corresponding Galois internal issue is [Galois#133](https://gitlab-ext.galois.com/iog-midnight/halo2/-/issues/133).

# Issue Description

See privacy-ethereum#58.

This PR includes a generic arithmetic / Plonk gadget that provides an API that allows user to implement circuits without needing custom gates, or to directly work with layouters or regions. This is not a good match for unrolled loops (e.g. variable base scalar mul), where a custom gate gives a more efficient encoding. But for gadgets that are not used in a loop, the API provided here both simplifies the programming task and eases the review process.

To demonstrate the API, this PR includes refactoring of three existing gadgets to eliminate all their custom gates: the power-of-2 range check, the generic range check, and the $k$-high-low decomposition.

# Notes for Reviewers

This PR includes several different implementations of the internals, i.e. of the custom gates. I've left these intermediate states in the Git history so that reviewers can see that trying to do something closer to what's in the original Plonk paper doesn't work as well as what we end up with. The main reasons for the mismatch with the original Plonk paper are:
1) vanilla Plonk selectors take values over the whole field, but Halo 2 selectors are binary;
2) Halo 2 has an optimization called "selector combining" that combines multiple binary selectors into a single non-binary selector behind the scenes, but for this optimization to trigger, the selectors must be used in a restricted way.

See the commit messages along the way for details; I've attempted to keep the commits small and focused, with descriptive messages.

# Update

Via review feedback, we ended up with an implementation that is closer to the original Plonk paper, by using fixed columns to implement the selectors, instead of using the actual selector API. According to cost modeling, this is slightly more expensive than the implementation using simple selectors (via the standard the Halo2 selector API), where the selector combining optimization reduces them all to a single selector behind the scenes, but the difference is negligible.

Author: ntc2

book/src/SUMMARY.md

@@ -27,6 +27,8 @@
     - [Fields](design/implementation/fields.md)
     - [Selector combining](design/implementation/selector-combining.md)
   - [Gadgets](design/gadgets.md)
+    - [PLONK gate / generic arithmetic ops](design/gadgets/plonk-gate.md)
+    - [Decomposition](design/gadgets/decomposition.md)
     - [Elliptic curve cryptography (ECC) Chip](design/gadgets/ecc-chip.md)
       - [Witnessing points](design/gadgets/ecc-chip/witnessing-points.md)
       - [Point Doubling](design/gadgets/ecc-chip/doubling.md)
@@ -35,7 +37,6 @@
       - [Variable-base scalar multiplication](design/gadgets/ecc-chip/var-base-scalar-mul.md)
     - [Sinsemilla](design/gadgets/sinsemilla.md)
       - [MerkleCRH](design/gadgets/sinsemilla/merkle-crh.md)
-    - [Decomposition](design/gadgets/decomposition.md)
     - [SHA-256](design/gadgets/sha256.md)
       - [16-bit table chip](design/gadgets/sha256/table16.md)
     - [Double-and-add](design/gadgets/double-and-add.md)

book/src/design/gadgets/plonk-gate.md

@@ -0,0 +1,16 @@
+# PLONK Gate / Generic Arithmetic Gadget
+
+Halo 2 supports custom gates — see a description of the [Halo 2 arithmetization](/concepts/arithmetization.html) for more details — but in many cases, the constraints a gadget implementer needs can be built up from a few basic primitives, including arithmetic, equality, and constraining a value to equal some constant, without a need to resort to custom gates. In the vanilla PLONK, all of these basic operations are provided by the "PLONK gate", described in [Section 6 of the original PLONK paper](https://eprint.iacr.org/2019/953); indeed, that's all vanilla PLONK provides. The motivation for custom gates is to allow for more efficient constraint construction, in particular avoiding copy constraints, but the benefits mostly appear only when the custom gate is used many times in a loop, e.g. in [variable base scalar multiplication](/design/gadgets/ecc-chip/var-base-scalar-mul.html). 
+
+The point of `halo2_gadgets::utilities::plonk_gate` module is to provide a set of basic primitives that are similar to what a vanilla PLONK gate would provide, so that users can avoid creating custom gates when they just want to create simple constraints outside of a loop. For loops or large sets of repetitive constraints, using custom gates to get a more efficient representation should still be considered.
+
+The following operations are provided, where in the case of arithmetic ops, the output cell is constrained to be in the appropriate relationship to the input cells:
+- Addition of cells
+- Subtraction of cells
+- Multiplication of cells
+- Equality between cells
+- Equality between a cell and the constant 0
+- Witnessing a value into a cell (no relationship between the input value and output cell is enforced)
+- Witnessing a constant into a cell
+
+See the `halo2_gadgets::utilities::plonk_gate` module documentation for full details, including details of the implementation, which is rather different from the vanilla PLONK gate internally.

halo2_gadgets/benches/ecc_circuits/scalar_mul.rs

@@ -1,6 +1,8 @@
 use halo2_gadgets::{
     ecc::chip::{configs, EccPoint, EccScalarVarFullWidth, NonIdentityEccPoint},
-    utilities::{high_low_decomp, lookup_range_check::LookupRangeCheckConfig, pow2_range_check},
+    utilities::{
+        high_low_decomp, lookup_range_check::LookupRangeCheckConfig, plonk_gate, pow2_range_check,
+    },
 };
 use halo2_proofs::{
     circuit::{Layouter, SimpleFloorPlanner, Value},
@@ -62,12 +64,14 @@ impl Circuit<pallas::Base> for ScalarMulCircuitSmall {
 
         let fixed = meta.fixed_column();
         meta.enable_constant(fixed);
+        let fixeds = [fixed, meta.fixed_column(), meta.fixed_column()];
 
         let lookup_table = meta.lookup_table_column();
         let range_check = LookupRangeCheckConfig::configure(meta, advices[9], lookup_table);
-        let pow2_config = pow2_range_check::Config::configure(meta, advices[9], range_check);
-        let high_low_config =
-            high_low_decomp::Config::configure(meta, pow2_config, advices[0], advices[1]);
+        let plonk_config =
+            plonk_gate::Config::configure(meta, advices[0..3].try_into().unwrap(), fixeds);
+        let pow2_config = pow2_range_check::Config::configure(range_check, plonk_config);
+        let high_low_config = high_low_decomp::Config::configure(plonk_config, pow2_config);
         let mul = configs::MulVarBaseConfig::configure(
             meta,
             add_config,

halo2_gadgets/benches/endoscale.rs

@@ -60,7 +60,7 @@ where
     fn configure(meta: &mut ConstraintSystem<C::Base>) -> Self::Config {
         let constants = meta.fixed_column();
         meta.enable_constant(constants);
-
+        let fixeds = [constants, meta.fixed_column(), meta.fixed_column()];
         let advices = (0..8)
             .map(|_| meta.advice_column())
             .collect::<Vec<_>>()
@@ -70,7 +70,7 @@ where
         let endoscalars = meta.instance_column();
 
         (
-            EndoscaleChip::configure(meta, advices, running_sum, endoscalars),
+            EndoscaleChip::configure(meta, advices, fixeds, running_sum, endoscalars),
             running_sum,
         )
     }
@@ -159,7 +159,7 @@ where
     fn configure(meta: &mut ConstraintSystem<C::Base>) -> Self::Config {
         let constants = meta.fixed_column();
         meta.enable_constant(constants);
-
+        let fixeds = [constants, meta.fixed_column(), meta.fixed_column()];
         let advices = (0..8)
             .map(|_| meta.advice_column())
             .collect::<Vec<_>>()
@@ -168,7 +168,7 @@ where
         let running_sum = meta.advice_column();
         let endoscalars = meta.instance_column();
 
-        EndoscaleChip::configure(meta, advices, running_sum, endoscalars)
+        EndoscaleChip::configure(meta, advices, fixeds, running_sum, endoscalars)
     }
 
     fn synthesize(

halo2_gadgets/benches/ipa_recursive_commitment.rs

@@ -40,6 +40,7 @@ use halo2_gadgets::{
     recursive_chip::DefaultRecursiveChip as RecursiveChip,
     recursive_circuits::ipa,
     transcript::{TranscriptInstructions, TranscriptReadInstructions},
+    utilities::plonk_gate,
 };
 
 use ecc_circuits::fixed_points::TestFixedBases;
@@ -138,8 +139,13 @@ where
             .unwrap();
         let instance = [meta.instance_column()];
         let lookup = meta.lookup_table_column();
+        let plonk_config = plonk_gate::Config::configure(
+            meta,
+            advice[0..3].try_into().unwrap(),
+            fixed[0..3].try_into().unwrap(),
+        );
 
-        RecursiveChip::configure(meta, advice, fixed, instance, lookup)
+        RecursiveChip::configure(meta, advice, fixed, instance, plonk_config, lookup)
     }
 
     fn synthesize(

halo2_gadgets/benches/plonk.rs

@@ -6,6 +6,7 @@ use halo2_gadgets::ecc::chip::{BaseFieldElem, FixedPoint, FullScalar, ShortScala
 use halo2_gadgets::ecc::FixedPoints;
 use halo2_gadgets::recursive_chip::DefaultRecursiveChip as RecursiveChip;
 use halo2_gadgets::recursive_circuits::verify_plonk_proof;
+use halo2_gadgets::utilities::plonk_gate;
 use halo2_proofs::circuit::{Cell, Chip, Layouter, SimpleFloorPlanner, Value};
 use halo2_proofs::poly::{commitment::ParamsProver, Rotation};
 use halo2_proofs::poseidon::duplex::DuplexDomain;
@@ -383,8 +384,13 @@ fn criterion_benchmark(c: &mut Criterion) {
                 .unwrap();
             let instance = [meta.instance_column()];
             let lookup = meta.lookup_table_column();
+            let plonk_config = plonk_gate::Config::configure(
+                meta,
+                advice[0..3].try_into().unwrap(),
+                fixed[0..3].try_into().unwrap(),
+            );
 
-            RecursiveChip::configure(meta, advice, fixed, instance, lookup)
+            RecursiveChip::configure(meta, advice, fixed, instance, plonk_config, lookup)
         }
 
         fn synthesize(

halo2_gadgets/examples/endoscaling_demo.rs

@@ -319,6 +319,7 @@ impl Circuit<pallas::Base> for ChallengeMultiplicationCircuit {
             advices[0..8]
                 .try_into()
                 .expect("won't fail because length is hardcoded"),
+            fixeds[0..3].try_into().unwrap(),
             advices[8],
             instance,
         );

halo2_gadgets/goldenfiles/cost-model/scalar-fits-in-base-range-check.csv renamed to halo2_gadgets/goldenfiles/cost-model/arith-sum-10-values.csv

@@ -1,2 +1,2 @@
 max_deg,rows,table_rows,advice_columns,lookups,permutations,column_queries,point_sets,proof_size
-6,56,1024,2,1,3,19,4,2336
+5,21,0,3,0,4,16,2,1600

halo2_gadgets/goldenfiles/cost-model/arith-sum-10-values.gates.csv

@@ -0,0 +1,2 @@
+name,degree,uses
+Plonk universal gate,4,10

halo2_gadgets/goldenfiles/cost-model/arith-sum-100-values.csv

@@ -0,0 +1,2 @@
+max_deg,rows,table_rows,advice_columns,lookups,permutations,column_queries,point_sets,proof_size
+5,201,0,3,0,4,16,2,1792