|
1 | 1 | extern crate bulletproofs; |
2 | | -use bulletproofs::r1cs::{ConstraintSystem, Prover, R1CSError, R1CSProof, Variable, Verifier}; |
| 2 | +use bulletproofs::r1cs::{ |
| 3 | + ConstraintSystem, Prover, R1CSError, R1CSProof, RandomizedConstraintSystem, Variable, Verifier, |
| 4 | +}; |
3 | 5 | use bulletproofs::{BulletproofGens, PedersenGens}; |
4 | 6 |
|
5 | 7 | #[macro_use] |
@@ -71,42 +73,51 @@ For K = 1: |
71 | 73 | struct KShuffleGadget {} |
72 | 74 |
|
73 | 75 | impl KShuffleGadget { |
74 | | - fn fill_cs<CS: ConstraintSystem>(cs: &mut CS, x: &[Variable], y: &[Variable]) { |
| 76 | + fn fill_cs<CS: ConstraintSystem>( |
| 77 | + cs: &mut CS, |
| 78 | + x: Vec<Variable>, |
| 79 | + y: Vec<Variable>, |
| 80 | + ) -> Result<(), R1CSError> { |
75 | 81 | let one = Scalar::one(); |
76 | | - let z = cs.challenge_scalar(b"k-scalar shuffle challenge"); |
77 | 82 |
|
78 | 83 | assert_eq!(x.len(), y.len()); |
79 | 84 |
|
80 | 85 | let k = x.len(); |
81 | 86 | if k == 1 { |
82 | 87 | cs.constrain([(x[0], -one), (y[0], one)].iter().collect()); |
83 | | - return; |
| 88 | + return Ok(()); |
84 | 89 | } |
85 | 90 |
|
86 | | - // Make last x multiplier for i = k-1 and k-2 |
87 | | - let (_, _, last_mulx_out) = cs.multiply(x[k - 1] - z, x[k - 2] - z); |
88 | | - |
89 | | - // Make multipliers for x from i == [0, k-3] |
90 | | - let first_mulx_out = (0..k - 2).rev().fold(last_mulx_out, |prev_out, i| { |
91 | | - let (_, _, o) = cs.multiply(prev_out.into(), x[i] - z); |
92 | | - o |
93 | | - }); |
94 | | - |
95 | | - // Make last y multiplier for i = k-1 and k-2 |
96 | | - let (_, _, last_muly_out) = cs.multiply(y[k - 1] - z, y[k - 2] - z); |
97 | | - |
98 | | - // Make multipliers for y from i == [0, k-3] |
99 | | - let first_muly_out = (0..k - 2).rev().fold(last_muly_out, |prev_out, i| { |
100 | | - let (_, _, o) = cs.multiply(prev_out.into(), y[i] - z); |
101 | | - o |
102 | | - }); |
103 | | - |
104 | | - // Constrain last x mul output and last y mul output to be equal |
105 | | - cs.constrain( |
106 | | - [(first_muly_out, -one), (first_mulx_out, one)] |
107 | | - .iter() |
108 | | - .collect(), |
109 | | - ); |
| 91 | + cs.specify_randomized_constraints(move |cs| { |
| 92 | + let z = cs.challenge_scalar(b"shuffle challenge"); |
| 93 | + |
| 94 | + // Make last x multiplier for i = k-1 and k-2 |
| 95 | + let (_, _, last_mulx_out) = cs.multiply(x[k - 1] - z, x[k - 2] - z); |
| 96 | + |
| 97 | + // Make multipliers for x from i == [0, k-3] |
| 98 | + let first_mulx_out = (0..k - 2).rev().fold(last_mulx_out, |prev_out, i| { |
| 99 | + let (_, _, o) = cs.multiply(prev_out.into(), x[i] - z); |
| 100 | + o |
| 101 | + }); |
| 102 | + |
| 103 | + // Make last y multiplier for i = k-1 and k-2 |
| 104 | + let (_, _, last_muly_out) = cs.multiply(y[k - 1] - z, y[k - 2] - z); |
| 105 | + |
| 106 | + // Make multipliers for y from i == [0, k-3] |
| 107 | + let first_muly_out = (0..k - 2).rev().fold(last_muly_out, |prev_out, i| { |
| 108 | + let (_, _, o) = cs.multiply(prev_out.into(), y[i] - z); |
| 109 | + o |
| 110 | + }); |
| 111 | + |
| 112 | + // Constrain last x mul output and last y mul output to be equal |
| 113 | + cs.constrain( |
| 114 | + [(first_muly_out, -one), (first_mulx_out, one)] |
| 115 | + .iter() |
| 116 | + .collect(), |
| 117 | + ); |
| 118 | + |
| 119 | + Ok(()) |
| 120 | + }) |
110 | 121 | } |
111 | 122 |
|
112 | 123 | pub fn prove<'a, 'b>( |
@@ -144,11 +155,8 @@ impl KShuffleGadget { |
144 | 155 | .map(|v| prover.commit(*v, Scalar::random(&mut blinding_rng))) |
145 | 156 | .unzip(); |
146 | 157 |
|
147 | | - let cs = prover.finalize_inputs(); |
148 | | - |
149 | | - Self::fill_cs(&mut cs, &input_vars, &output_vars); |
150 | | - |
151 | | - let proof = cs.prove()?; |
| 158 | + Self::fill_cs(&mut prover, input_vars, output_vars)?; |
| 159 | + let proof = prover.prove()?; |
152 | 160 |
|
153 | 161 | Ok((proof, input_commitments, output_commitments)) |
154 | 162 | } |
@@ -178,127 +186,88 @@ impl KShuffleGadget { |
178 | 186 | .map(|commitment| verifier.commit(*commitment)) |
179 | 187 | .collect(); |
180 | 188 |
|
181 | | - let cs = verifier.finalize_inputs(); |
182 | | - |
183 | | - Self::fill_cs(&mut cs, &input_vars, &output_vars); |
184 | | - |
185 | | - cs.verify(proof) |
| 189 | + Self::fill_cs(&mut verifier, input_vars, output_vars)?; |
| 190 | + verifier.verify(proof) |
186 | 191 | } |
187 | 192 | } |
188 | 193 |
|
189 | | -fn kshuffle_prove_helper(k: usize, c: &mut Criterion) { |
190 | | - let label = format!("{}-shuffle proof creation", k); |
191 | | - |
192 | | - c.bench_function(&label, move |b| { |
193 | | - // Generate inputs and outputs to kshuffle |
194 | | - let mut rng = rand::thread_rng(); |
195 | | - let (min, max) = (0u64, std::u64::MAX); |
196 | | - let input: Vec<Scalar> = (0..k) |
197 | | - .map(|_| Scalar::from(rng.gen_range(min, max))) |
198 | | - .collect(); |
199 | | - let mut output = input.clone(); |
200 | | - rand::thread_rng().shuffle(&mut output); |
201 | | - |
202 | | - // Make kshuffle proof |
203 | | - let pc_gens = PedersenGens::default(); |
204 | | - let bp_gens = BulletproofGens::new(128, 1); |
205 | | - b.iter(|| { |
206 | | - let mut prover_transcript = Transcript::new(b"ShuffleTest"); |
207 | | - KShuffleGadget::prove(&pc_gens, &bp_gens, &mut prover_transcript, &input, &output) |
208 | | - .unwrap(); |
209 | | - }) |
210 | | - }); |
211 | | -} |
212 | | - |
213 | | -fn kshuffle_prove_8(c: &mut Criterion) { |
214 | | - kshuffle_prove_helper(8, c); |
215 | | -} |
216 | | -fn kshuffle_prove_16(c: &mut Criterion) { |
217 | | - kshuffle_prove_helper(16, c); |
218 | | -} |
219 | | -fn kshuffle_prove_32(c: &mut Criterion) { |
220 | | - kshuffle_prove_helper(32, c); |
221 | | -} |
222 | | -fn kshuffle_prove_64(c: &mut Criterion) { |
223 | | - kshuffle_prove_helper(64, c); |
224 | | -} |
225 | | -fn kshuffle_prove_17(c: &mut Criterion) { |
226 | | - kshuffle_prove_helper(17, c); |
| 194 | +fn bench_kshuffle_prove(c: &mut Criterion) { |
| 195 | + c.bench_function_over_inputs( |
| 196 | + "k-shuffle proof creation", |
| 197 | + move |b, k| { |
| 198 | + // Generate inputs and outputs to kshuffle |
| 199 | + let mut rng = rand::thread_rng(); |
| 200 | + let (min, max) = (0u64, std::u64::MAX); |
| 201 | + let input: Vec<Scalar> = (0..*k) |
| 202 | + .map(|_| Scalar::from(rng.gen_range(min, max))) |
| 203 | + .collect(); |
| 204 | + let mut output = input.clone(); |
| 205 | + rand::thread_rng().shuffle(&mut output); |
| 206 | + |
| 207 | + // Make kshuffle proof |
| 208 | + let pc_gens = PedersenGens::default(); |
| 209 | + let bp_gens = BulletproofGens::new(128, 1); |
| 210 | + b.iter(|| { |
| 211 | + let mut prover_transcript = Transcript::new(b"ShuffleTest"); |
| 212 | + KShuffleGadget::prove(&pc_gens, &bp_gens, &mut prover_transcript, &input, &output) |
| 213 | + .unwrap(); |
| 214 | + }) |
| 215 | + }, |
| 216 | + vec![8, 16, 32, 64, 17], |
| 217 | + ); |
227 | 218 | } |
228 | 219 |
|
229 | 220 | criterion_group! { |
230 | 221 | name = kshuffle_prove; |
231 | 222 | config = Criterion::default(); |
232 | 223 | targets = |
233 | | - kshuffle_prove_8, |
234 | | - kshuffle_prove_16, |
235 | | - kshuffle_prove_32, |
236 | | - kshuffle_prove_64, |
237 | | - kshuffle_prove_17, |
| 224 | + bench_kshuffle_prove, |
238 | 225 | } |
239 | 226 |
|
240 | | -fn kshuffle_verify_helper(k: usize, c: &mut Criterion) { |
241 | | - let label = format!("{}-shuffle proof verification", k); |
242 | | - |
243 | | - c.bench_function(&label, move |b| { |
244 | | - // Generate inputs and outputs to kshuffle |
245 | | - let mut rng = rand::thread_rng(); |
246 | | - let (min, max) = (0u64, std::u64::MAX); |
247 | | - let input: Vec<Scalar> = (0..k) |
248 | | - .map(|_| Scalar::from(rng.gen_range(min, max))) |
249 | | - .collect(); |
250 | | - let mut output = input.clone(); |
251 | | - rand::thread_rng().shuffle(&mut output); |
252 | | - |
253 | | - // Make kshuffle proof |
254 | | - let pc_gens = PedersenGens::default(); |
255 | | - let bp_gens = BulletproofGens::new(128, 1); |
256 | | - let mut prover_transcript = Transcript::new(b"ShuffleTest"); |
257 | | - let (proof, in_commitments, out_commitments) = |
258 | | - KShuffleGadget::prove(&pc_gens, &bp_gens, &mut prover_transcript, &input, &output) |
| 227 | +fn bench_kshuffle_verify(c: &mut Criterion) { |
| 228 | + c.bench_function_over_inputs( |
| 229 | + "k-shuffle proof verification", |
| 230 | + move |b, k| { |
| 231 | + // Generate inputs and outputs to kshuffle |
| 232 | + let mut rng = rand::thread_rng(); |
| 233 | + let (min, max) = (0u64, std::u64::MAX); |
| 234 | + let input: Vec<Scalar> = (0..*k) |
| 235 | + .map(|_| Scalar::from(rng.gen_range(min, max))) |
| 236 | + .collect(); |
| 237 | + let mut output = input.clone(); |
| 238 | + rand::thread_rng().shuffle(&mut output); |
| 239 | + |
| 240 | + // Make kshuffle proof |
| 241 | + let pc_gens = PedersenGens::default(); |
| 242 | + let bp_gens = BulletproofGens::new(128, 1); |
| 243 | + let mut prover_transcript = Transcript::new(b"ShuffleTest"); |
| 244 | + let (proof, in_commitments, out_commitments) = |
| 245 | + KShuffleGadget::prove(&pc_gens, &bp_gens, &mut prover_transcript, &input, &output) |
| 246 | + .unwrap(); |
| 247 | + |
| 248 | + // Verify kshuffle proof |
| 249 | + b.iter(|| { |
| 250 | + let mut verifier_transcript = Transcript::new(b"ShuffleTest"); |
| 251 | + KShuffleGadget::verify( |
| 252 | + &pc_gens, |
| 253 | + &bp_gens, |
| 254 | + &mut verifier_transcript, |
| 255 | + &proof, |
| 256 | + &in_commitments, |
| 257 | + &out_commitments, |
| 258 | + ) |
259 | 259 | .unwrap(); |
260 | | - |
261 | | - // Verify kshuffle proof |
262 | | - b.iter(|| { |
263 | | - let mut verifier_transcript = Transcript::new(b"ShuffleTest"); |
264 | | - KShuffleGadget::verify( |
265 | | - &pc_gens, |
266 | | - &bp_gens, |
267 | | - &mut verifier_transcript, |
268 | | - &proof, |
269 | | - &in_commitments, |
270 | | - &out_commitments, |
271 | | - ) |
272 | | - .unwrap(); |
273 | | - }) |
274 | | - }); |
275 | | -} |
276 | | - |
277 | | -fn kshuffle_verify_8(c: &mut Criterion) { |
278 | | - kshuffle_verify_helper(8, c); |
279 | | -} |
280 | | -fn kshuffle_verify_16(c: &mut Criterion) { |
281 | | - kshuffle_verify_helper(16, c); |
282 | | -} |
283 | | -fn kshuffle_verify_32(c: &mut Criterion) { |
284 | | - kshuffle_verify_helper(32, c); |
285 | | -} |
286 | | -fn kshuffle_verify_64(c: &mut Criterion) { |
287 | | - kshuffle_verify_helper(64, c); |
288 | | -} |
289 | | -fn kshuffle_verify_17(c: &mut Criterion) { |
290 | | - kshuffle_verify_helper(17, c); |
| 260 | + }) |
| 261 | + }, |
| 262 | + vec![8, 16, 32, 64, 17], |
| 263 | + ); |
291 | 264 | } |
292 | 265 |
|
293 | 266 | criterion_group! { |
294 | 267 | name = kshuffle_verify; |
295 | 268 | config = Criterion::default(); |
296 | 269 | targets = |
297 | | - kshuffle_verify_8, |
298 | | - kshuffle_verify_16, |
299 | | - kshuffle_verify_32, |
300 | | - kshuffle_verify_64, |
301 | | - kshuffle_verify_17, |
| 270 | + bench_kshuffle_verify, |
302 | 271 | } |
303 | 272 |
|
304 | 273 | criterion_main!(kshuffle_prove, kshuffle_verify); |
0 commit comments