Merge pull request #272 from privacy-scaling-explorations/feature/pol…

…y-backend

Move poly module from common to backend

halo2_backend/src/helpers.rs

@@ -0,0 +1,39 @@
+use crate::poly::Polynomial;
+pub(crate) use halo2_common::helpers::{SerdeFormat, SerdePrimeField};
+use halo2_middleware::ff::PrimeField;
+use std::io;
+
+pub(crate) use halo2_common::helpers::{pack, unpack, CurveRead, SerdeCurveAffine};
+
+/// Reads a vector of polynomials from buffer
+pub fn read_polynomial_vec<R: io::Read, F: SerdePrimeField, B>(
+    reader: &mut R,
+    format: SerdeFormat,
+) -> io::Result<Vec<Polynomial<F, B>>> {
+    let mut len = [0u8; 4];
+    reader.read_exact(&mut len)?;
+    let len = u32::from_be_bytes(len);
+
+    (0..len)
+        .map(|_| Polynomial::<F, B>::read(reader, format))
+        .collect::<io::Result<Vec<_>>>()
+}
+
+/// Writes a slice of polynomials to buffer
+pub fn write_polynomial_slice<W: io::Write, F: SerdePrimeField, B>(
+    slice: &[Polynomial<F, B>],
+    writer: &mut W,
+    format: SerdeFormat,
+) -> io::Result<()> {
+    writer.write_all(&(slice.len() as u32).to_be_bytes())?;
+    for poly in slice.iter() {
+        poly.write(writer, format)?;
+    }
+    Ok(())
+}
+
+/// Gets the total number of bytes of a slice of polynomials, assuming all polynomials are the same length
+pub fn polynomial_slice_byte_length<F: PrimeField, B>(slice: &[Polynomial<F, B>]) -> usize {
+    let field_len = F::default().to_repr().as_ref().len();
+    4 + slice.len() * (4 + field_len * slice.get(0).map(|poly| poly.len()).unwrap_or(0))
+}

halo2_backend/src/lib.rs

@@ -1,10 +1,10 @@
+mod helpers;
 pub mod plonk;
+pub mod poly;
 
 // Internal re-exports
 pub use halo2_common::arithmetic;
 pub use halo2_common::circuit;
-pub use halo2_common::helpers;
 pub use halo2_common::multicore;
-pub use halo2_common::poly;
 pub use halo2_common::transcript;
 pub use halo2_common::SerdeFormat;

halo2_backend/src/plonk.rs

@@ -1,22 +1,24 @@
 use blake2b_simd::Params as Blake2bParams;
 use group::ff::{Field, FromUniformBytes, PrimeField};
 
+use crate::helpers::{
+    self, polynomial_slice_byte_length, read_polynomial_vec, write_polynomial_slice,
+    SerdeCurveAffine, SerdePrimeField,
+};
 use crate::poly::{
     Coeff, EvaluationDomain, ExtendedLagrangeCoeff, LagrangeCoeff, PinnedEvaluationDomain,
     Polynomial,
 };
 use evaluation::Evaluator;
 use halo2_common::arithmetic::CurveAffine;
-use halo2_common::helpers::{
-    self, polynomial_slice_byte_length, read_polynomial_vec, write_polynomial_slice,
-    SerdeCurveAffine, SerdePrimeField,
-};
 use halo2_common::plonk::{Circuit, ConstraintSystem, PinnedConstraintSystem};
 use halo2_common::transcript::{EncodedChallenge, Transcript};
 use halo2_common::SerdeFormat;
 
 use std::io;
 
+pub(crate) use halo2_common::plonk::Error;
+
 mod evaluation;
 pub mod keygen;
 mod lookup;

halo2_backend/src/plonk/permutation.rs

@@ -2,13 +2,11 @@
 
 use crate::{
     arithmetic::CurveAffine,
-    helpers::{
-        polynomial_slice_byte_length, read_polynomial_vec, write_polynomial_slice,
-        SerdeCurveAffine, SerdePrimeField,
-    },
+    helpers::{polynomial_slice_byte_length, read_polynomial_vec, write_polynomial_slice},
     poly::{Coeff, ExtendedLagrangeCoeff, LagrangeCoeff, Polynomial},
     SerdeFormat,
 };
+use halo2_common::helpers::{SerdeCurveAffine, SerdePrimeField};
 pub use halo2_common::plonk::permutation::Argument;
 
 use std::io;

halo2_backend/src/plonk/prover.rs

@@ -8,19 +8,17 @@ use crate::plonk::lookup::prover::lookup_commit_permuted;
 use crate::plonk::permutation::prover::permutation_commit;
 use crate::plonk::shuffle::prover::shuffle_commit_product;
 use crate::plonk::{lookup, permutation, shuffle, vanishing, ProvingKey};
+use crate::poly::{
+    commitment::{Blind, CommitmentScheme, Params, Prover},
+    Basis, Coeff, LagrangeCoeff, Polynomial, ProverQuery,
+};
 use halo2_common::plonk::{
     circuit::sealed, ChallengeBeta, ChallengeGamma, ChallengeTheta, ChallengeX, ChallengeY, Error,
 };
 
 use group::prime::PrimeCurveAffine;
+use halo2_common::arithmetic::{eval_polynomial, CurveAffine};
 use halo2_common::transcript::{EncodedChallenge, TranscriptWrite};
-use halo2_common::{
-    arithmetic::{eval_polynomial, CurveAffine},
-    poly::{
-        commitment::{Blind, CommitmentScheme, Params, Prover},
-        Basis, Coeff, LagrangeCoeff, Polynomial, ProverQuery,
-    },
-};
 
 /// Collection of instance data used during proving for a single circuit proof.
 #[derive(Debug)]

halo2_common/src/poly.rs → halo2_backend/src/poly.rs

@@ -3,11 +3,10 @@
 //! the committed polynomials at arbitrary points.
 
 use crate::arithmetic::parallelize;
-use crate::helpers::SerdePrimeField;
 use crate::SerdeFormat;
+use halo2_common::helpers::SerdePrimeField;
 
-use crate::plonk::Assigned;
-use group::ff::{BatchInvert, Field};
+use group::ff::Field;
 use halo2_middleware::poly::Rotation;
 use std::fmt::Debug;
 use std::io;
@@ -197,46 +196,6 @@ impl<F: SerdePrimeField, B> Polynomial<F, B> {
     }
 }
 
-pub fn batch_invert_assigned<F: Field>(assigned: Vec<Vec<Assigned<F>>>) -> Vec<Vec<F>> {
-    let mut assigned_denominators: Vec<_> = assigned
-        .iter()
-        .map(|f| {
-            f.iter()
-                .map(|value| value.denominator())
-                .collect::<Vec<_>>()
-        })
-        .collect();
-
-    assigned_denominators
-        .iter_mut()
-        .flat_map(|f| {
-            f.iter_mut()
-                // If the denominator is trivial, we can skip it, reducing the
-                // size of the batch inversion.
-                .filter_map(|d| d.as_mut())
-        })
-        .batch_invert();
-
-    assigned
-        .iter()
-        .zip(assigned_denominators)
-        .map(|(poly, inv_denoms)| {
-            poly_invert(poly, inv_denoms.into_iter().map(|d| d.unwrap_or(F::ONE)))
-        })
-        .collect()
-}
-
-pub fn poly_invert<F: Field>(
-    poly: &[Assigned<F>],
-    inv_denoms: impl Iterator<Item = F> + ExactSizeIterator,
-) -> Vec<F> {
-    assert_eq!(inv_denoms.len(), poly.len());
-    poly.iter()
-        .zip(inv_denoms)
-        .map(|(a, inv_den)| a.numerator() * inv_den)
-        .collect()
-}
-
 impl<'a, F: Field, B: Basis> Add<&'a Polynomial<F, B>> for Polynomial<F, B> {
     type Output = Polynomial<F, B>;
 

halo2_common/src/poly/domain.rs → halo2_backend/src/poly/domain.rs

@@ -4,7 +4,6 @@
 use crate::arithmetic::{best_fft, parallelize};
 
 use super::{Coeff, ExtendedLagrangeCoeff, LagrangeCoeff, Polynomial};
-use crate::plonk::Assigned;
 use group::ff::{BatchInvert, Field};
 use halo2_middleware::ff::WithSmallOrderMulGroup;
 use halo2_middleware::poly::Rotation;
@@ -183,15 +182,6 @@ impl<F: WithSmallOrderMulGroup<3>> EvaluationDomain<F> {
         }
     }
 
-    /// Returns an empty (zero) polynomial in the Lagrange coefficient basis, with
-    /// deferred inversions.
-    pub fn empty_lagrange_assigned(&self) -> Polynomial<Assigned<F>, LagrangeCoeff> {
-        Polynomial {
-            values: vec![F::ZERO.into(); self.n as usize],
-            _marker: PhantomData,
-        }
-    }
-
     /// Returns a constant polynomial in the Lagrange coefficient basis
     pub fn constant_lagrange(&self, scalar: F) -> Polynomial<F, LagrangeCoeff> {
         Polynomial {
@@ -296,7 +286,7 @@ impl<F: WithSmallOrderMulGroup<3>> EvaluationDomain<F> {
         // evaluation domain might be slightly larger than necessary because
         // it always lies on a power-of-two boundary.
         a.values
-            .truncate((&self.n * self.quotient_poly_degree) as usize);
+            .truncate((self.n * self.quotient_poly_degree) as usize);
 
         a.values
     }

halo2_common/src/poly/ipa/commitment.rs → halo2_backend/src/poly/ipa/commitment.rs

@@ -296,11 +296,11 @@ mod test {
 
         use super::super::commitment::{Blind, Params};
         use crate::arithmetic::eval_polynomial;
-        use crate::halo2curves::pasta::{EpAffine, Fq};
         use crate::poly::EvaluationDomain;
         use crate::transcript::{
             Blake2bRead, Blake2bWrite, Challenge255, Transcript, TranscriptRead, TranscriptWrite,
         };
+        use halo2curves::pasta::{EpAffine, Fq};
 
         use crate::transcript::TranscriptReadBuffer;
         use crate::transcript::TranscriptWriterBuffer;

halo2_common/src/poly/ipa/commitment/prover.rs → halo2_backend/src/poly/ipa/commitment/prover.rs

@@ -112,8 +112,8 @@ pub fn create_proof<
         let value_r_j = compute_inner_product(&p_prime[0..half], &b[half..]);
         let l_j_randomness = C::Scalar::random(&mut rng);
         let r_j_randomness = C::Scalar::random(&mut rng);
-        let l_j = l_j + &best_multiexp(&[value_l_j * &z, l_j_randomness], &[params.u, params.w]);
-        let r_j = r_j + &best_multiexp(&[value_r_j * &z, r_j_randomness], &[params.u, params.w]);
+        let l_j = l_j + best_multiexp(&[value_l_j * z, l_j_randomness], &[params.u, params.w]);
+        let r_j = r_j + best_multiexp(&[value_r_j * z, r_j_randomness], &[params.u, params.w]);
         let l_j = l_j.to_affine();
         let r_j = r_j.to_affine();
 
@@ -127,8 +127,8 @@ pub fn create_proof<
         // Collapse `p_prime` and `b`.
         // TODO: parallelize
         for i in 0..half {
-            p_prime[i] = p_prime[i] + &(p_prime[i + half] * &u_j_inv);
-            b[i] = b[i] + &(b[i + half] * &u_j);
+            p_prime[i] = p_prime[i] + (p_prime[i + half] * u_j_inv);
+            b[i] = b[i] + (b[i + half] * u_j);
         }
         p_prime.truncate(half);
         b.truncate(half);
@@ -138,8 +138,8 @@ pub fn create_proof<
         g_prime.truncate(half);
 
         // Update randomness (the synthetic blinding factor at the end)
-        f += &(l_j_randomness * &u_j_inv);
-        f += &(r_j_randomness * &u_j);
+        f += l_j_randomness * u_j_inv;
+        f += r_j_randomness * u_j;
     }
 
     // We have fully collapsed `p_prime`, `b`, `G'`
@@ -160,7 +160,7 @@ fn parallel_generator_collapse<C: CurveAffine>(g: &mut [C], challenge: C::Scalar
         let g_hi = &g_hi[start..];
         let mut tmp = Vec::with_capacity(g_lo.len());
         for (g_lo, g_hi) in g_lo.iter().zip(g_hi.iter()) {
-            tmp.push(g_lo.to_curve() + &(*g_hi * challenge));
+            tmp.push(g_lo.to_curve() + *g_hi * challenge);
         }
         C::Curve::batch_normalize(&tmp, g_lo);
     });

halo2_common/src/poly/ipa/commitment/verifier.rs → halo2_backend/src/poly/ipa/commitment/verifier.rs

@@ -75,7 +75,7 @@ pub fn verify_proof<'params, C: CurveAffine, E: EncodedChallenge<C>, T: Transcri
     let f = transcript.read_scalar().map_err(|_| Error::SamplingError)?;
     let b = compute_b(x, &u);
 
-    msm.add_to_u_scalar(neg_c * &b * &z);
+    msm.add_to_u_scalar(neg_c * b * z);
     msm.add_to_w_scalar(-f);
 
     let guard = GuardIPA {
@@ -93,7 +93,7 @@ fn compute_b<F: Field>(x: F, u: &[F]) -> F {
     let mut tmp = F::ONE;
     let mut cur = x;
     for u_j in u.iter().rev() {
-        tmp *= F::ONE + &(*u_j * &cur);
+        tmp *= F::ONE + (*u_j * cur);
         cur *= cur;
     }
     tmp

halo2_common/src/poly/ipa/msm.rs → halo2_backend/src/poly/ipa/msm.rs

@@ -126,8 +126,8 @@ impl<'a, C: CurveAffine> MSM<C> for MSMIPA<'a, C> {
             other.0 *= factor;
         }
 
-        self.w_scalar = self.w_scalar.map(|a| a * &factor);
-        self.u_scalar = self.u_scalar.map(|a| a * &factor);
+        self.w_scalar = self.w_scalar.map(|a| a * factor);
+        self.u_scalar = self.u_scalar.map(|a| a * factor);
     }
 
     fn check(&self) -> bool {
@@ -207,12 +207,12 @@ impl<'a, C: CurveAffine> MSMIPA<'a, C> {
     }
     /// Add to `w_scalar`
     pub fn add_to_w_scalar(&mut self, scalar: C::Scalar) {
-        self.w_scalar = self.w_scalar.map_or(Some(scalar), |a| Some(a + &scalar));
+        self.w_scalar = self.w_scalar.map_or(Some(scalar), |a| Some(a + scalar));
     }
 
     /// Add to `u_scalar`
     pub fn add_to_u_scalar(&mut self, scalar: C::Scalar) {
-        self.u_scalar = self.u_scalar.map_or(Some(scalar), |a| Some(a + &scalar));
+        self.u_scalar = self.u_scalar.map_or(Some(scalar), |a| Some(a + scalar));
     }
 }
 

halo2_common/src/poly/ipa/multiopen/prover.rs → halo2_backend/src/poly/ipa/multiopen/prover.rs

@@ -112,7 +112,7 @@ impl<'params, C: CurveAffine> Prover<'params, IPACommitmentScheme<C>> for Prover
             |(q_prime_poly, q_prime_blind), (poly, blind)| {
                 (
                     q_prime_poly * *x_4 + &poly.unwrap(),
-                    Blind((q_prime_blind.0 * &(*x_4)) + &blind.0),
+                    Blind((q_prime_blind.0 * (*x_4)) + blind.0),
                 )
             },
         );

halo2_common/src/poly/ipa/multiopen/verifier.rs → halo2_backend/src/poly/ipa/multiopen/verifier.rs

@@ -120,10 +120,10 @@ impl<'params, C: CurveAffine> Verifier<'params, IPACommitmentScheme<C>>
                 |msm_eval, ((points, evals), proof_eval)| {
                     let r_poly = lagrange_interpolate(points, evals);
                     let r_eval = eval_polynomial(&r_poly, *x_3);
-                    let eval = points.iter().fold(*proof_eval - &r_eval, |eval, point| {
-                        eval * &(*x_3 - point).invert().unwrap()
+                    let eval = points.iter().fold(*proof_eval - r_eval, |eval, point| {
+                        eval * (*x_3 - point).invert().unwrap()
                     });
-                    msm_eval * &(*x_2) + &eval
+                    msm_eval * (*x_2) + eval
                 },
             );
 
@@ -138,7 +138,7 @@ impl<'params, C: CurveAffine> Verifier<'params, IPACommitmentScheme<C>>
             |(mut msm, msm_eval), ((q_commitment, _), q_eval)| {
                 msm.scale(*x_4);
                 msm.add_msm(&q_commitment);
-                (msm, msm_eval * &(*x_4) + q_eval)
+                (msm, msm_eval * (*x_4) + q_eval)
             },
         );
 

halo2_common/src/poly/kzg/commitment.rs → halo2_backend/src/poly/kzg/commitment.rs

@@ -397,7 +397,7 @@ mod test {
         const K: u32 = 4;
 
         use super::super::commitment::Params;
-        use crate::halo2curves::bn256::Bn256;
+        use halo2curves::bn256::Bn256;
 
         let params0 = ParamsKZG::<Bn256>::new(K);
         let mut data = vec![];

halo2_common/src/helpers.rs

@@ -1,4 +1,3 @@
-use crate::poly::Polynomial;
 use halo2_middleware::ff::PrimeField;
 use halo2curves::{serde::SerdeObject, CurveAffine};
 use std::io;
@@ -119,36 +118,3 @@ pub fn unpack(byte: u8, bits: &mut [bool]) {
         *bit = (byte >> bit_index) & 1 == 1;
     }
 }
-
-/// Reads a vector of polynomials from buffer
-pub fn read_polynomial_vec<R: io::Read, F: SerdePrimeField, B>(
-    reader: &mut R,
-    format: SerdeFormat,
-) -> io::Result<Vec<Polynomial<F, B>>> {
-    let mut len = [0u8; 4];
-    reader.read_exact(&mut len)?;
-    let len = u32::from_be_bytes(len);
-
-    (0..len)
-        .map(|_| Polynomial::<F, B>::read(reader, format))
-        .collect::<io::Result<Vec<_>>>()
-}
-
-/// Writes a slice of polynomials to buffer
-pub fn write_polynomial_slice<W: io::Write, F: SerdePrimeField, B>(
-    slice: &[Polynomial<F, B>],
-    writer: &mut W,
-    format: SerdeFormat,
-) -> io::Result<()> {
-    writer.write_all(&(slice.len() as u32).to_be_bytes())?;
-    for poly in slice.iter() {
-        poly.write(writer, format)?;
-    }
-    Ok(())
-}
-
-/// Gets the total number of bytes of a slice of polynomials, assuming all polynomials are the same length
-pub fn polynomial_slice_byte_length<F: PrimeField, B>(slice: &[Polynomial<F, B>]) -> usize {
-    let field_len = F::default().to_repr().as_ref().len();
-    4 + slice.len() * (4 + field_len * slice.get(0).map(|poly| poly.len()).unwrap_or(0))
-}