WIP: Fixes for 15 wires PLONK

Cargo.toml

@@ -1,7 +1,6 @@
 [workspace]
 members = [
     "dlog",
-    "pairing",
     "oracle",
     "dlog_solver",
 ]

circuits/plonk-15-wires/src/gates/poseidon.rs

@@ -9,43 +9,61 @@ Constraint vector format:
 *****************************************************************************************************************/
 
 use algebra::FftField;
-use oracle::poseidon::{ArithmeticSpongeParams, Plonk15SpongeConstants, sbox};
-use crate::{wires::GateWires, wires::{COLUMNS, WIRES}, nolookup::constraints::ConstraintSystem};
+use oracle::poseidon::{SpongeConstants, Plonk15SpongeConstants, sbox};
+use crate::{wires::GateWires, wires::{COLUMNS}, nolookup::constraints::ConstraintSystem};
 use crate::gate::{CircuitGate, GateType};
 use array_init::array_init;
+use std::ops::Range;
 
-pub const SPONGE_WIDTH: usize = SPONGE_WIDTH;
+pub const SPONGE_WIDTH: usize = Plonk15SpongeConstants::SPONGE_WIDTH;
 pub const ROUNDS_PER_ROW: usize = COLUMNS / SPONGE_WIDTH;
 
+// There are 5 round states per row. We put the first state first, followed by the last state
+// so that they are both accessible by the permutation argument.
+pub const STATE_ORDER : [usize; ROUNDS_PER_ROW] = [0, 2, 3, 4, 1];
+
+pub fn round_range(i : usize) -> Range<usize> {
+    let slot = STATE_ORDER[i];
+    let start = slot * SPONGE_WIDTH;
+    start..(start + SPONGE_WIDTH)
+}
+
 impl<F: FftField> CircuitGate<F>
 {
     pub fn create_poseidon
     (
         row: usize,
         wires: GateWires,
-        c: Vec<F>
+        // Coefficients are passed in in the logical order
+        c: [[F; SPONGE_WIDTH]; ROUNDS_PER_ROW]
     ) -> Self
     {
         CircuitGate
         {
             row,
             typ: GateType::Poseidon,
             wires,
-            c
+            c: c.iter().flatten().map(|x| *x).collect()
         }
     }
 
     pub fn verify_poseidon(&self, witness: &[Vec<F>; COLUMNS], cs: &ConstraintSystem<F>) -> bool
     {
-        let this: [[F; SPONGE_WIDTH]; ROUNDS_PER_ROW] = array_init(|i| array_init(|j| witness[ROUNDS_PER_ROW*i+j][self.row]));
-        let next: [F; SPONGE_WIDTH] = array_init(|i| witness[i][self.row+1]);
+        // TODO: Needs to be fixed
+
+        let this: [[F; SPONGE_WIDTH]; ROUNDS_PER_ROW] = array_init(|round| {
+            let wire = STATE_ORDER[round];
+            array_init(|col| witness[col + wire * SPONGE_WIDTH][self.row])
+        });
+        let next: [F; SPONGE_WIDTH] = array_init(|i| witness[i + STATE_ORDER[0] * SPONGE_WIDTH][self.row+1]);
+
         let rc = self.rc();
 
         let perm: [Vec<F>; ROUNDS_PER_ROW] = array_init
         (
-            |j|
+            |round|
                 cs.fr_sponge_params.mds.iter().enumerate().
-                map(|(i, m)| rc[j][i] + &this[j].iter().zip(m.iter()).fold(F::zero(), |x, (s, &m)| m * sbox::<F, Plonk15SpongeConstants>(*s) + x)).collect::<Vec<_>>()
+                map(|(i, m)| rc[round][i] + &this[round].iter().zip(m.iter()).fold(F::zero(), |x, (s, &m)| m * sbox::<F, Plonk15SpongeConstants>(*s) + x)).collect::<Vec<_>>()
         );
 
         self.typ == GateType::Poseidon
@@ -56,8 +74,18 @@ impl<F: FftField> CircuitGate<F>
     }
 
     pub fn ps(&self) -> F {if self.typ == GateType::Poseidon {F::one()} else {F::zero()}}
+
+    // Coefficients are output here in the logical order
     pub fn rc(&self) -> [[F; SPONGE_WIDTH]; ROUNDS_PER_ROW]
     {
-        array_init(|i| array_init(|j| if self.typ == GateType::Poseidon {self.c[WIRES[ROUNDS_PER_ROW*i+j]]} else {F::zero()}))
+        array_init(|round| { 
+            array_init(|col| {
+                if self.typ == GateType::Poseidon {
+                    self.c[SPONGE_WIDTH*round+col]
+                } else {
+                    F::zero()
+                }
+            })
+        })
     }
 }

circuits/plonk-15-wires/src/nolookup/constraints.rs

@@ -170,9 +170,8 @@ impl<F: FftField + SquareRootField> ConstraintSystem<F>
                 map(|gate| if gate.typ == GateType::Generic {gate.c[COLUMNS+1]} else {F::zero()}).collect(), domain.d1).interpolate(),
 
             // poseidon constraint polynomials
-            rcm: array_init(|j| {array_init(|i| E::<F, D<F>>::from_vec_and_domain(gates.iter().
-                map(|gate| if gate.typ == GateType::Poseidon {gate.rc()[i][j]} else {F::zero()}).collect(), domain.d1).interpolate())}),
-
+            rcm: array_init(|round| {array_init(|col| E::<F, D<F>>::from_vec_and_domain(gates.iter().
+                map(|gate| if gate.typ == GateType::Poseidon {gate.rc()[round][col]} else {F::zero()}).collect(), domain.d1).interpolate())}),
 
             ps4: psm.evaluate_over_domain_by_ref(domain.d4),
             ps8: psm.evaluate_over_domain_by_ref(domain.d8),

circuits/plonk-15-wires/src/nolookup/scalars.rs

@@ -6,7 +6,7 @@ This source file implements Plonk prover polynomial evaluations primitive.
 
 use crate::wires::*;
 use algebra::{FftField, Field};
-use oracle::{sponge_5_wires::ScalarChallenge, utils::PolyUtils};
+use oracle::{sponge::ScalarChallenge, utils::PolyUtils};
 use ff_fft::DensePolynomial;
 use array_init::array_init;
 

circuits/plonk-15-wires/src/polynomials/generic.rs

@@ -9,6 +9,7 @@ use ff_fft::{Evaluations, DensePolynomial, Radix2EvaluationDomain as D};
 use crate::polynomial::WitnessOverDomains;
 use crate::nolookup::constraints::ConstraintSystem;
 use crate::nolookup::scalars::ProofEvaluations;
+use crate::wires::GENERICS;
 use oracle::utils::PolyUtils;
 
 impl<F: FftField + SquareRootField> ConstraintSystem<F>
@@ -26,7 +27,12 @@ impl<F: FftField + SquareRootField> ConstraintSystem<F>
 
     pub fn gnrc_scalars(evals: &ProofEvaluations<F>) -> Vec<F>
     {
-        vec![evals.w[0] * &evals.w[1], evals.w[0], evals.w[1], evals.w[2], evals.w[3], evals.w[4], F::one()]
+        let mut res = vec![evals.w[0] * &evals.w[1]];
+        for i in 0..GENERICS {
+            res.push(evals.w[i]);
+        }
+        res.push(F::one());
+        return res;
     }
 
     // generic constraint linearization poly contribution computation

circuits/plonk-15-wires/src/polynomials/permutation.rs

@@ -47,11 +47,11 @@ impl<F: FftField + SquareRootField> ConstraintSystem<F>
             &lagrange.d8.this.w.iter().zip(self.sigmal8.iter()).
                 map(|(p, s)| p + &(l0 + &s.scale(oracles.beta))).
                 fold(lagrange.d8.next.z.clone(), |x, y| &x * &y)).
-            scale(oracles.alpha)
+            scale(alpha[0])
             *
             &self.zkpl
             ,
-            &bnd1.scale(alpha[0]) + &bnd2.scale(alpha[1])
+            &bnd1.scale(alpha[1]) + &bnd2.scale(alpha[2])
         ))
     }
 
@@ -60,21 +60,23 @@ impl<F: FftField + SquareRootField> ConstraintSystem<F>
     (
         &self, e: &Vec<ProofEvaluations<F>>,
         oracles: &RandomOracles<F>,
+        alpha: &[F],
     ) -> DensePolynomial<F>
     {
-        self.sigmam[PERMUTS-1].scale(Self::perm_scalars(e, oracles, self.zkpm.evaluate(oracles.zeta)))
+        self.sigmam[PERMUTS-1].scale(Self::perm_scalars(e, oracles, alpha, self.zkpm.evaluate(oracles.zeta)))
     }
 
     pub fn perm_scalars
     (
         e: &Vec<ProofEvaluations<F>>,
         oracles: &RandomOracles<F>,
+        alpha: &[F],
         z: F,
     ) -> F
     {
         -e[0].w.iter().zip(e[0].s.iter()).
             map(|(w, s)| oracles.gamma + &(oracles.beta * s) + w).
-            fold(e[1].z * &oracles.beta * &oracles.alpha * &z, |x, y| x * y)
+            fold(e[1].z * &oracles.beta * alpha[0] * &z, |x, y| x * y)
     }
 
     // permutation aggregation polynomial computation