In this PR we have added the Public Inputs to the transcript as the first step of the prove and verify algorithms. They have been added as the evaluations of the PI polynomial over the used domain (n field elements).

Close #133

This PR adds the following gate:

• big_arith_gate enforces (a*b)*q_m + a*q_l + b*q_r + d*q_4 + q_c + PI + q_o * c = 0 and returns c
• big_arith compute and enforces c = (a*b)*q_m + a*q_l + b*q_r + d*q_4 + q_c + PI, and returns c
• conditional_point_neg returns -point if bit = 1 and point if bit = 0

Thanks for review!

Summary of changes:

1. Refactor anything that is only dependent on the scalar field to not depend on PairingEngine (unfortunately this means there's a lot of E::Fr -> F changes in the diff)
2. Move dependence on TEModelParams to other places and not Circuit/StandardComposer. In practice this means (I think) the implementation of the fixed-base ECC gadget is determined later, and the variable-base ECC gadget depends on the params but not the rest of the circuit.
3. Suggested change to remove the TranscriptWrapper type
4. Minor change to Permutation generic types (can be reversed)
5. Some other minor tweaks to types (can be reversed). I was mostly just experimenting to see what might be slightly cleaner.

In summary this PR is not really ready to be merged, but open to input and feedback.

The function add_dummy_constraints uses two arithmetic gates to add witnesses to the circuit. If the circuit itself also uses only arithmetic gates AND the total number of gates is a power of 2, then the circuit is never padded with 0s and the q_arith vector becomes constant which causes an error when committing to q_arith_poly.

Although this is unlikely to happen in a production circuit with many gates it can easily happen in tests of small subcircuits.

Until we implement lookups, all gates (including range, logic, etc.) resolve to arithmetic gates, so it might be tricky to make this work until lookups are enabled and we have a second "elemental" gate. But there may be a way to do it sooner by using an arithmetic selector value > 1.

I really like the gadget_tester in ark-plonk, which makes writing end-to-end tests much easier, but this gadget is pub(crate) so user cannot access it...

I believe many users will end up writing their own gadgets (for gadgets, I mean any function that includes StandardComposer as a parameter). Can we make the following public:

• gadget_tester
• batch_test!

If there is any reason that prevents doing so, shall we have a good testing framework? Writing end-to-end tests for a gadget from scratch is a bit verbose.

Thanks!

In #38 an error was introduced in the CI so that it wasn't possible to run them since they were panicking before starting.

• Edit the CI config and move clippy to a sepparated job.
• Edit the CI config and add global RUSTFLAGS env var.
• Edit the CI config and use better toolchain config.

Resolves: #39

Co-authored-by: Brandon H. Gomes [email protected]

I see the naming convention as follows:

• The methods that have a _gate sufix (add_gate, mul_gate...) do not compute values, they receive as input the relevant wire values and selectors of the gate and check that the equation holds. The methods that do not have the _gate sufix (add, mul...) compute the output value w_o and always generate a satisfied constraint.
• The methods with big_ prefix receive a 4th wire, those without the prefix don´t.

I think big_arith and big_arith_gate fit in the same family as poly_gate so we should choose a common name for all of them: poly or arith.

Originally posted by @davidnevadoc in https://github.com/rust-zkp/ark-plonk/pull/43#discussion_r758801320

Adds some gates that can be useful in combination with conditional selection.  They are 

• is-zero-gate Has one input variable and one output variable.  The output variable is constrained to have the value 1 if the input is zero and to have the value 0 if the input is non-zero.
• is-eq-gate has two input variables and an output variable which is constrained to have the value 1 if the two inputs have equal values and 0 otherwise.

The gates were added in the boolean submodule of the constraint_system module.  This seemed logical to me but should be checked.  

closes #76

The broken link is coming from the plonk-book. We need investigation into why it won't work.

At the moment it is a blocker so we will ignore the infra-link on the PR's

cc: @CPerezz @mathcrypto @markulf

Starting with broken links. But any other kind of documentation is also welcome. Might by its very nature, documentation is never finished, be broken up into multiple pull requests.

Currently this library has only an implementation of PLONK. In the coming weeks, we will be using the core functional to power gadgets as discussed in #54, and a hashing library. The initial idea was to have these as separate libraries under the organisation. However, given the past difficulty of juggling lots of version updates, I think we should consider placing gadgets and hashing inside this one repo as modules. I see this as a successful approach in many projects.

It may also help with the exposing of witness values inside of variables, such with the mod_arith gadget that would be needed for the implementation of reinforced concrete. However, this warrants more thought wrt the exposing of modules.

WDYT? @bhgomes @lopeetall @CPerezz @NoCtrlZ @tsunrise @julesdesmit @joebebel @EDGDrummond @stechu @iquerejeta @davidnevadoc @drewstone @GhostOfGauss @mathcrypto @markulf

This PR implements 2-in-1-out Poseidon hash circuit with <200 constraints.

It has the following components:

• a degree 5 custom gate
• a circuit implementation of Poseidon with this custom gate

We need some short weierstrass support for some things, so here is a WIP (only curve addition, not scalar mul yet)

I did some traits magic to allow for compile-time selection of TE or SW for the embedded curve (there may be better ways to do it, though)

I also added the polynomial commitment back into the new CircuitParameters that StandardComposer is generic over, but this is not necessary, it could go back to adding PolynomialCommitment later in the process.

Until Rust merges Chalk type inference, some of the type syntax is crazy, but in the future it should be better.

Feedback welcome :)

Increases the default blinding so that it works with PC schemes that are both naturally hiding or not. Introduces 2 uncessary rows for the case that the PC scheme is naturally hiding.

After the discussion on how to properly add the Public Inputs to the transcript (#134 ) we found that other parts of the code were also mishandling the transcript. For the addition of custom gate related evaluations:

• https://github.com/ZK-Garage/plonk/blob/377c45f2a7e516007ac407255364af29b7decbec/plonk-core/src/proof_system/proof.rs#L288-L295

This issue should be addressed together with the new design for custom gates in #128

• Create linear combination of "aw" and "saw" polynomials and commit to it instead of every single polynomial
• Use batched version of polynomial commitment scheme to reduce number of pairing checks