From 82e0181f357f78c670ee7724f7ac4ac1c1e13f9d Mon Sep 17 00:00:00 2001 From: Matej Penciak Date: Mon, 11 Dec 2023 23:39:13 -0500 Subject: [PATCH] wip --- src/supernova/snark.rs | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/src/supernova/snark.rs b/src/supernova/snark.rs index 0793322a..ef0e18ad 100644 --- a/src/supernova/snark.rs +++ b/src/supernova/snark.rs @@ -144,6 +144,7 @@ where pk: &ProverKey, recursive_snark: &RecursiveSNARK, ) -> Result { + // fold the secondary circuit's instance let res_secondary = NIFS::prove( &pp.ck_secondary, &pp.ro_consts_secondary, @@ -157,6 +158,8 @@ where let (nifs_secondary, (f_U_secondary, f_W_secondary)) = res_secondary?; + // Prepare the list of primary Relaxed R1CS instances (a default instance is provided for + // uninitialized circuits) let r_U_primary = recursive_snark .r_U_primary .iter() @@ -168,6 +171,8 @@ where }) .collect::>(); + // Prepare the list of primary relaxed R1CS witnesses (a default witness is provided for + // uninitialized circuits) let r_W_primary: Vec> = recursive_snark .r_W_primary .iter() @@ -179,6 +184,7 @@ where }) .collect::>(); + // Generate a primary SNARK proof for the list of primary circuits let r_W_snark_primary = S1::prove( &pp.ck_primary, &pk.pk_primary, @@ -187,6 +193,7 @@ where &r_W_primary, )?; + // Generate a secondary SNARK proof for the secondary circuit let f_W_snark_secondary = S2::prove( &pp.ck_secondary, &pk.pk_secondary, @@ -195,17 +202,6 @@ where &f_W_secondary, )?; - let r_U_primary = recursive_snark - .r_U_primary - .iter() - .enumerate() - .map(|(idx, r_U)| { - r_U - .clone() - .unwrap_or_else(|| RelaxedR1CSInstance::default(&pp.ck_primary, &pp[idx].r1cs_shape)) - }) - .collect::>(); - let compressed_snark = CompressedSNARK { r_U_primary, r_W_snark_primary, @@ -242,12 +238,14 @@ where + (7 + 2 * pp.augmented_circuit_params_primary.get_n_limbs()); // # 1 * (7 + [X0, X1]*#num_limb) // secondary circuit - // NOTE: This count ensure the number of witnesses sent by the prover must bd equal to the number - // of NIVC circuits + // NOTE: This count ensure the number of witnesses sent by the prover must equal the number of + // NIVC circuits let num_field_secondary_ro = 2 // params_next, i_new + 2 * pp.circuit_shape_secondary.F_arity // zo, z1 + pp.circuit_shapes.len() * (7 + 2 * pp.augmented_circuit_params_primary.get_n_limbs()); // #num_augment + // Compute the primary and secondary hashes given the digest, program counter, instances, and + // witnesses provided by the prover let (hash_primary, hash_secondary) = { let mut hasher = ::RO::new(pp.ro_consts_secondary.clone(), num_field_primary_ro); @@ -290,6 +288,7 @@ where ) }; + // Compare the computed hashes with the public IO of the last invocation of `prove_step` if hash_primary != self.l_u_secondary.X[0] { return Err(NovaError::ProofVerifyError.into()); } @@ -298,10 +297,12 @@ where return Err(NovaError::ProofVerifyError.into()); } + // Verify the primary SNARK let res_primary = self .r_W_snark_primary .verify(&vk.vk_primary, &self.r_U_primary); + // Fold the secondary circuit's instance let f_U_secondary = self.nifs_secondary.verify( &pp.ro_consts_secondary, &scalar_as_base::(pp.digest()), @@ -309,6 +310,7 @@ where &self.l_u_secondary, )?; + // Verify the secondary SNARK let res_secondary = self .f_W_snark_secondary .verify(&vk.vk_secondary, &f_U_secondary); @@ -321,7 +323,6 @@ where } } -// TODO: change tests so they don't use this (though I think it's needed in `verify`) fn field_as_usize(x: F) -> usize { u32::from_le_bytes(x.to_repr().as_ref()[0..4].try_into().unwrap()) as usize }