Merge pull request #217 from dalek-cryptography/api-fix

Update API

Author: hdevalence

benches/r1cs.rs

@@ -79,30 +79,30 @@ impl KShuffleGadget {
 
         let k = x.len();
         if k == 1 {
-            cs.add_auxiliary_constraint([(x[0], -one), (y[0], one)].iter().collect());
+            cs.constrain([(x[0], -one), (y[0], one)].iter().collect());
             return;
         }
 
         // Make last x multiplier for i = k-1 and k-2
-        let (_, _, last_mulx_out) = cs.add_partial_constraint(x[k - 1] - z, x[k - 2] - z);
+        let (_, _, last_mulx_out) = cs.multiply(x[k - 1] - z, x[k - 2] - z);
 
         // Make multipliers for x from i == [0, k-3]
         let first_mulx_out = (0..k - 2).rev().fold(last_mulx_out, |prev_out, i| {
-            let (_, _, o) = cs.add_partial_constraint(prev_out.into(), x[i] - z);
+            let (_, _, o) = cs.multiply(prev_out.into(), x[i] - z);
             o
         });
 
         // Make last y multiplier for i = k-1 and k-2
-        let (_, _, last_muly_out) = cs.add_partial_constraint(y[k - 1] - z, y[k - 2] - z);
+        let (_, _, last_muly_out) = cs.multiply(y[k - 1] - z, y[k - 2] - z);
 
         // Make multipliers for y from i == [0, k-3]
         let first_muly_out = (0..k - 2).rev().fold(last_muly_out, |prev_out, i| {
-            let (_, _, o) = cs.add_partial_constraint(prev_out.into(), y[i] - z);
+            let (_, _, o) = cs.multiply(prev_out.into(), y[i] - z);
             o
         });
 
-        // Check equality between last x mul output and last y mul output
-        cs.add_auxiliary_constraint(
+        // Constrain last x mul output and last y mul output to be equal
+        cs.constrain(
             [(first_muly_out, -one), (first_mulx_out, one)]
                 .iter()
                 .collect(),

src/errors.rs

@@ -104,4 +104,10 @@ pub enum R1CSError {
     /// [`R1CSProof`](::r1cs::R1CSProof) fails.
     #[fail(display = "R1CSProof did not verify correctly.")]
     VerificationError,
+
+    /// Occurs when trying to use a missing variable assignment.
+    /// Used by gadgets that build the constraint system to signal that
+    /// a variable assignment is not provided when the prover needs it.
+    #[fail(display = "Variable does not have a value assignment.")]
+    MissingAssignment,
 }

src/r1cs/constraint_system.rs

@@ -1,6 +1,6 @@
 //! Definition of the constraint system trait.
 
-use super::{LinearCombination, Variable};
+use super::{LinearCombination, R1CSError, Variable};
 use curve25519_dalek::scalar::Scalar;
 
 /// The interface for a constraint system, abstracting over the prover
@@ -16,50 +16,42 @@ use curve25519_dalek::scalar::Scalar;
 /// using the `ConstraintSystem` trait, so that the prover and
 /// verifier share the logic for specifying constraints.
 pub trait ConstraintSystem {
+    /// Allocate and constrain multiplication variables.
+    ///
     /// Allocate variables `left`, `right`, and `out`
     /// with the implicit constraint that
     /// ```text
     /// left * right = out
     /// ```
-    /// and the explicit constraints that
+    /// and add the explicit constraints that
     /// ```text
     /// left = left_constraint
     /// right = right_constraint
-    /// out = out_constraint
     /// ```
-    /// This is used when all three multiplier variables can be constrained up-front.
     ///
     /// Returns `(left, right, out)` for use in further constraints.
-    fn add_constraint(
+    fn multiply(
         &mut self,
-        left_constraint: LinearCombination,
-        right_constraint: LinearCombination,
-        out_constraint: LinearCombination,
+        left: LinearCombination,
+        right: LinearCombination,
     ) -> (Variable, Variable, Variable);
 
     /// Allocate variables `left`, `right`, and `out`
     /// with the implicit constraint that
     /// ```text
     /// left * right = out
     /// ```
-    /// and the explicit constraints that
-    /// ```text
-    /// left = left_constraint
-    /// right = right_constraint
-    /// ```
-    /// This is used when the output variable cannot be immediately
-    /// constrained (for instance, because it should be constrained to
-    /// match a variable that has not yet been allocated).
     ///
     /// Returns `(left, right, out)` for use in further constraints.
-    fn add_partial_constraint(
-        &mut self,
-        left: LinearCombination,
-        right: LinearCombination,
-    ) -> (Variable, Variable, Variable);
+    fn allocate<F>(&mut self, assign_fn: F) -> Result<(Variable, Variable, Variable), R1CSError>
+    where
+        F: FnOnce() -> Result<(Scalar, Scalar, Scalar), R1CSError>;
 
-    /// Enforce that the given `LinearCombination` is zero.
-    fn add_auxiliary_constraint(&mut self, lc: LinearCombination);
+    /// Enforce the explicit constraint that
+    /// ```text
+    /// lc = 0
+    /// ```
+    fn constrain(&mut self, lc: LinearCombination);
 
     /// Obtain a challenge scalar bound to the assignments of all of
     /// the externally committed wires.

src/r1cs/linear_combination.rs

@@ -1,8 +1,8 @@
 //! Definition of linear combinations.
 
 use curve25519_dalek::scalar::Scalar;
-use std::iter::{self, FromIterator};
-use std::ops::{Add, Sub};
+use std::iter::FromIterator;
+use std::ops::{Add, Mul, Neg, Sub};
 
 /// Represents a variable in a constraint system.
 #[derive(Copy, Clone, Debug)]
@@ -19,62 +19,86 @@ pub enum Variable {
     One(),
 }
 
-impl Add<Variable> for Variable {
-    type Output = LinearCombination;
+impl From<Variable> for LinearCombination {
+    fn from(v: Variable) -> LinearCombination {
+        LinearCombination {
+            terms: vec![(v, Scalar::one())],
+        }
+    }
+}
 
-    fn add(self, other: Variable) -> LinearCombination {
+impl<S: Into<Scalar>> From<S> for LinearCombination {
+    fn from(s: S) -> LinearCombination {
         LinearCombination {
-            terms: vec![(self, Scalar::one()), (other, Scalar::one())],
+            terms: vec![(Variable::One(), s.into())],
         }
     }
 }
 
-impl Sub<Variable> for Variable {
+// Arithmetic on variables produces linear combinations
+
+impl Neg for Variable {
     type Output = LinearCombination;
 
-    fn sub(self, other: Variable) -> LinearCombination {
-        LinearCombination {
-            terms: vec![(self, Scalar::one()), (other, -Scalar::one())],
-        }
+    fn neg(self) -> Self::Output {
+        -LinearCombination::from(self)
     }
 }
 
-impl Add<Variable> for Scalar {
+impl<L: Into<LinearCombination>> Add<L> for Variable {
     type Output = LinearCombination;
 
-    fn add(self, other: Variable) -> LinearCombination {
+    fn add(self, other: L) -> Self::Output {
+        LinearCombination::from(self) + other.into()
+    }
+}
+
+impl<L: Into<LinearCombination>> Sub<L> for Variable {
+    type Output = LinearCombination;
+
+    fn sub(self, other: L) -> Self::Output {
+        LinearCombination::from(self) - other.into()
+    }
+}
+
+impl<S: Into<Scalar>> Mul<S> for Variable {
+    type Output = LinearCombination;
+
+    fn mul(self, other: S) -> Self::Output {
         LinearCombination {
-            terms: vec![(Variable::One(), self), (other, Scalar::one())],
+            terms: vec![(self, other.into())],
         }
     }
 }
 
-impl Sub<Variable> for Scalar {
+// Arithmetic on scalars with variables produces linear combinations
+
+impl Add<Variable> for Scalar {
     type Output = LinearCombination;
 
-    fn sub(self, other: Variable) -> LinearCombination {
+    fn add(self, other: Variable) -> Self::Output {
         LinearCombination {
-            terms: vec![(Variable::One(), self), (other, -Scalar::one())],
+            terms: vec![(Variable::One(), self), (other, Scalar::one())],
         }
     }
 }
 
-impl Add<Scalar> for Variable {
+impl Sub<Variable> for Scalar {
     type Output = LinearCombination;
 
-    fn add(self, other: Scalar) -> LinearCombination {
+    fn sub(self, other: Variable) -> Self::Output {
         LinearCombination {
-            terms: vec![(self, Scalar::one()), (Variable::One(), other)],
+            terms: vec![(Variable::One(), self), (other, -Scalar::one())],
         }
     }
 }
 
-impl Sub<Scalar> for Variable {
+impl Mul<Variable> for Scalar {
     type Output = LinearCombination;
 
-    fn sub(self, other: Scalar) -> LinearCombination {
+    fn mul(self, other: Variable) -> Self::Output {
         LinearCombination {
-            terms: vec![(self, Scalar::one()), (Variable::One(), -other)],
+            terms: vec![(other, self)],
         }
     }
 }
@@ -93,18 +117,6 @@ impl Default for LinearCombination {
     }
 }
 
-impl From<Scalar> for LinearCombination {
-    fn from(s: Scalar) -> Self {
-        iter::once((Variable::One(), s)).collect()
-    }
-}
-
-impl From<Variable> for LinearCombination {
-    fn from(v: Variable) -> Self {
-        iter::once((v, Scalar::one())).collect()
-    }
-}
-
 impl FromIterator<(Variable, Scalar)> for LinearCombination {
     fn from_iter<T>(iter: T) -> Self
     where
@@ -127,21 +139,59 @@ impl<'a> FromIterator<&'a (Variable, Scalar)> for LinearCombination {
     }
 }
 
-impl Add<LinearCombination> for LinearCombination {
+// Arithmetic on linear combinations
+
+impl<L: Into<LinearCombination>> Add<L> for LinearCombination {
     type Output = Self;
 
-    fn add(mut self, rhs: LinearCombination) -> Self {
-        self.terms.extend(rhs.terms.iter().cloned());
+    fn add(mut self, rhs: L) -> Self::Output {
+        self.terms.extend(rhs.into().terms.iter().cloned());
         LinearCombination { terms: self.terms }
     }
 }
 
-impl Sub<LinearCombination> for LinearCombination {
+impl<L: Into<LinearCombination>> Sub<L> for LinearCombination {
     type Output = Self;
 
-    fn sub(mut self, rhs: LinearCombination) -> Self {
+    fn sub(mut self, rhs: L) -> Self::Output {
         self.terms
-            .extend(rhs.terms.iter().map(|(var, coeff)| (*var, -coeff)));
+            .extend(rhs.into().terms.iter().map(|(var, coeff)| (*var, -coeff)));
         LinearCombination { terms: self.terms }
     }
 }
+
+impl Mul<LinearCombination> for Scalar {
+    type Output = LinearCombination;
+
+    fn mul(self, other: LinearCombination) -> Self::Output {
+        let out_terms = other
+            .terms
+            .into_iter()
+            .map(|(var, scalar)| (var, scalar * self))
+            .collect();
+        LinearCombination { terms: out_terms }
+    }
+}
+
+impl Neg for LinearCombination {
+    type Output = Self;
+
+    fn neg(mut self) -> Self::Output {
+        for (_, s) in self.terms.iter_mut() {
+            *s = -*s
+        }
+        self
+    }
+}
+
+impl<S: Into<Scalar>> Mul<S> for LinearCombination {
+    type Output = Self;
+
+    fn mul(mut self, other: S) -> Self::Output {
+        let other = other.into();
+        for (_, s) in self.terms.iter_mut() {
+            *s *= other
+        }
+        self
+    }
+}

src/r1cs/mod.rs

@@ -79,30 +79,30 @@
 //!
 //!         let k = x.len();
 //!         if k == 1 {
-//!             cs.add_auxiliary_constraint([(x[0], -one), (y[0], one)].iter().collect());
+//!             cs.constrain([(x[0], -one), (y[0], one)].iter().collect());
 //!             return;
 //!         }
 //!
 //!         // Make last x multiplier for i = k-1 and k-2
-//!         let (_, _, last_mulx_out) = cs.add_partial_constraint(x[k - 1] - z, x[k - 2] - z);
+//!         let (_, _, last_mulx_out) = cs.multiply(x[k - 1] - z, x[k - 2] - z);
 //!
 //!         // Make multipliers for x from i == [0, k-3]
 //!         let first_mulx_out = (0..k - 2).rev().fold(last_mulx_out, |prev_out, i| {
-//!             let (_, _, o) = cs.add_partial_constraint(prev_out.into(), x[i] - z);
+//!             let (_, _, o) = cs.multiply(prev_out.into(), x[i] - z);
 //!             o
 //!         });
 //!
 //!         // Make last y multiplier for i = k-1 and k-2
-//!         let (_, _, last_muly_out) = cs.add_partial_constraint(y[k - 1] - z, y[k - 2] - z);
+//!         let (_, _, last_muly_out) = cs.multiply(y[k - 1] - z, y[k - 2] - z);
 //!
 //!         // Make multipliers for y from i == [0, k-3]
 //!         let first_muly_out = (0..k - 2).rev().fold(last_muly_out, |prev_out, i| {
-//!             let (_, _, o) = cs.add_partial_constraint(prev_out.into(), y[i] - z);
+//!             let (_, _, o) = cs.multiply(prev_out.into(), y[i] - z);
 //!             o
 //!         });
 //!
-//!         // Check equality between last x mul output and last y mul output
-//!         cs.add_auxiliary_constraint(
+//!         // Constrain last x mul output and last y mul output to be equal
+//!         cs.constrain(
 //!             [(first_muly_out, -one), (first_mulx_out, one)]
 //!                 .iter()
 //!                 .collect(),