Feat/plonk prover

[ThomasPiellard]

This PR contains a first version of the plonk prover, instantiated with a dummy polynomial commitment scheme. There are no custom gates.

The exposed API for using PLONK is the same as Groth16: plonk.Setup(...), plonk.Prove(...), plonk.Verify(...).

Note 1: currently the verifier is not succint. Indeed the public polynomials corresponding to a circuit are not committed, and the verifier has to evaluate them at a random point, and this operation is not succint.

Note 2: Fiat Shamir is not implemented, so the numerous challenges are hard coded at the moment. It's the next step to add Fiat Shamir.

API

The workflow for writing a circuit is the same as Groth16. Things starts to differ at the circuit compilation stage.

Compilation

• sparseR1cs, err := frontend.Compile(curve.ID, backend.PLONK, circuit.Circuit) -> sparseR1cs is now a list of constraints of the form ql*l+qr*r+qm*l*r+qo*o+qk=0, where ql,qr,qm,qo,qk are coefficients corresponding to the circuit, and l,r,o are the wires.

Setup

Once a circuit is compiled, the list of coefficients (ql,qr,qm,qo,qk) needs to be converted to polynomials, and the permutation leaving l || r || o invariant (corresponding to the gates wiring) needs to be computed. Domains for FFTs and associated precomputed values are computed (there are 2 domains). Finally a polynomial commitment scheme is chosen.

Those information are public (since they correspond to a circuit that a prover and a verifier share) and are stored in a struct called PublicRaw (the raw means that the polynomials are not committed).

Generation of public data:
publicData, err := Setup(sparseR1cs, polynomialCommitmentScheme, witness)

Currently only a dummy polynomial commitment scheme is implemented in crypto/ (it is not necessary for validating the plonk prover and plonk verifier).

The witness is necessary in the setup to add special constraints encoding the public input, namely the constraints l-witness[i]=0 are prepend to the constraint system. The permutation takes in account those constraints (which are not encoded in the circuit after compilation), so they cannot be tampered. This operation is described in the comments of the Setup function which refer to "placeholders".

Prove

proof, err := Prove(sparseR1cs, publicData, witness) --> it returns a proof object, containing commitments to the solution l,r,o, as well as the permutation accumulating polynomial Z, and the quotient polynomial H.

The order of operations is such that the number of FFT calls is minimized.

Verify

err = Verify(proof, publicData, witness) --> verifies the openings of l,r,o,h,z at a challenge (on which the prover has no control), and verifies the final polynomial equality evaluated at the challenge.

Note: the opening of l from the prover is incomplete, and the verifier needs to complete it by adding the public witness, just as in Groth16. This mecanism ensures that the verifies is convinced that the proof is associated to the right public inputs, exactly like in Groth16.

Status

• All tests circuits used for Groth16 pass for PLONK
• The verifier is not optimized, some operations need some speed ups (for instance using batch inversion at several places)
• No real polynomial commitment scheme is implemented ATM
• Fiat Shamir is not implemented, so all the challenges are hardcoded
• There are no breaking API change

[gbotrel]

💯 awesome.
Added few minor remarks --
will probably be refactored a bit once we have KZG commitment and various PLONK instantiations.

[gbotrel]

return errNotImplemented or panic

[gbotrel]

return errNotImplemented or panic

[gbotrel]

return errNotImplemented or panic

[gbotrel]

if we have a unitialized Polynomial, (ie len(p) == 0) this return a large degree. Maybe return 0 if len(p) == 0? or panic, if we never hit that.

[gbotrel]

since you don't modify v, you may try to keep it as an address, to avoid unneeded copies

[gbotrel]

same as above, this panics if len(p) == 0.

[gbotrel]

check if O was already instantiated

[gbotrel]

as discussed, this significantly slows down groth16.Prove