r1cs: decouple randomization from CS (#270)

Closes #268

Author: oleganza

benches/r1cs.rs

@@ -73,7 +73,7 @@ For K = 1:
 struct KShuffleGadget {}
 
 impl KShuffleGadget {
-    fn fill_cs<CS: ConstraintSystem>(
+    fn fill_cs<CS: RandomizableConstraintSystem>(
         cs: &mut CS,
         x: Vec<Variable>,
         y: Vec<Variable>,

docs/r1cs-docs-example.md

@@ -75,7 +75,7 @@ use rand::thread_rng;
 struct ShuffleProof(R1CSProof);
 
 impl ShuffleProof {
-    fn gadget<CS: ConstraintSystem>(cs: &mut CS, x: Vec<Variable>, y: Vec<Variable>) -> Result<(),R1CSError> {
+    fn gadget<CS: RandomizableConstraintSystem>(cs: &mut CS, x: Vec<Variable>, y: Vec<Variable>) -> Result<(),R1CSError> {
 
         assert_eq!(x.len(), y.len());
         let k = x.len();
@@ -156,7 +156,7 @@ For simplicity, in this example the `prove` function does not take a list of bli
 # struct ShuffleProof(R1CSProof);
 # 
 # impl ShuffleProof {
-#     fn gadget<CS: ConstraintSystem>(cs: &mut CS, x: Vec<Variable>, y: Vec<Variable>) -> Result<(),R1CSError> {
+#     fn gadget<CS: RandomizableConstraintSystem>(cs: &mut CS, x: Vec<Variable>, y: Vec<Variable>) -> Result<(),R1CSError> {
 # 
 #         assert_eq!(x.len(), y.len());
 #         let k = x.len();
@@ -263,7 +263,7 @@ The verifier receives a proof, and a list of committed inputs and outputs, from
 # struct ShuffleProof(R1CSProof);
 # 
 # impl ShuffleProof {
-#     fn gadget<CS: ConstraintSystem>(cs: &mut CS, x: Vec<Variable>, y: Vec<Variable>) -> Result<(),R1CSError> {
+#     fn gadget<CS: RandomizableConstraintSystem>(cs: &mut CS, x: Vec<Variable>, y: Vec<Variable>) -> Result<(),R1CSError> {
 # 
 #         assert_eq!(x.len(), y.len());
 #         let k = x.len();
@@ -403,7 +403,7 @@ Because only the prover knows the scalar values of the inputs and outputs, and t
 # struct ShuffleProof(R1CSProof);
 # 
 # impl ShuffleProof {
-#     fn gadget<CS: ConstraintSystem>(cs: &mut CS, x: Vec<Variable>, y: Vec<Variable>) -> Result<(),R1CSError> {
+#     fn gadget<CS: RandomizableConstraintSystem>(cs: &mut CS, x: Vec<Variable>, y: Vec<Variable>) -> Result<(),R1CSError> {
 # 
 #         assert_eq!(x.len(), y.len());
 #         let k = x.len();

src/r1cs/constraint_system.rs

@@ -17,9 +17,6 @@ use merlin::Transcript;
 /// using the `ConstraintSystem` trait, so that the prover and
 /// verifier share the logic for specifying constraints.
 pub trait ConstraintSystem {
-    /// Represents a concrete type for the CS in a randomization phase.
-    type RandomizedCS: RandomizedConstraintSystem;
-
     /// Leases the proof transcript to the user, so they can
     /// add extra data to which the proof must be bound, but which
     /// is not available before creation of the constraint system.
@@ -74,6 +71,16 @@ pub trait ConstraintSystem {
     /// lc = 0
     /// ```
     fn constrain(&mut self, lc: LinearCombination);
+}
+
+/// An extension to the constraint system trait that permits randomized constraints.
+/// Gadgets that do not use randomization should use trait bound `CS: ConstraintSystem`,
+/// while gadgets that need randomization should use trait bound `CS: RandomizedConstraintSystem`.
+/// Gadgets generally _should not_ use this trait as a bound on the CS argument: it should be used
+/// by the higher-order protocol that composes gadgets together.
+pub trait RandomizableConstraintSystem: ConstraintSystem {
+    /// Represents a concrete type for the CS in a randomization phase.
+    type RandomizedCS: RandomizedConstraintSystem;
 
     /// Specify additional variables and constraints randomized using a challenge scalar
     /// bound to the assignments of the non-randomized variables.

src/r1cs/mod.rs

@@ -9,7 +9,9 @@ mod proof;
 mod prover;
 mod verifier;
 
-pub use self::constraint_system::{ConstraintSystem, RandomizedConstraintSystem};
+pub use self::constraint_system::{
+    ConstraintSystem, RandomizableConstraintSystem, RandomizedConstraintSystem,
+};
 pub use self::linear_combination::{LinearCombination, Variable};
 pub use self::proof::R1CSProof;
 pub use self::prover::Prover;

src/r1cs/prover.rs

@@ -7,7 +7,10 @@ use curve25519_dalek::scalar::Scalar;
 use curve25519_dalek::traits::{Identity, MultiscalarMul};
 use merlin::Transcript;
 
-use super::{ConstraintSystem, LinearCombination, R1CSProof, RandomizedConstraintSystem, Variable};
+use super::{
+    ConstraintSystem, LinearCombination, R1CSProof, RandomizableConstraintSystem,
+    RandomizedConstraintSystem, Variable,
+};
 
 use errors::R1CSError;
 use generators::{BulletproofGens, PedersenGens};
@@ -83,8 +86,6 @@ impl<'t, 'g> Drop for Prover<'t, 'g> {
 }
 
 impl<'t, 'g> ConstraintSystem for Prover<'t, 'g> {
-    type RandomizedCS = RandomizingProver<'t, 'g>;
-
     fn transcript(&mut self) -> &mut Transcript {
         self.transcript
     }
@@ -162,6 +163,10 @@ impl<'t, 'g> ConstraintSystem for Prover<'t, 'g> {
         // (e.g. that variables are valid, that the linear combination evals to 0 for prover, etc).
         self.constraints.push(lc);
     }
+}
+
+impl<'t, 'g> RandomizableConstraintSystem for Prover<'t, 'g> {
+    type RandomizedCS = RandomizingProver<'t, 'g>;
 
     fn specify_randomized_constraints<F>(&mut self, callback: F) -> Result<(), R1CSError>
     where
@@ -173,8 +178,6 @@ impl<'t, 'g> ConstraintSystem for Prover<'t, 'g> {
 }
 
 impl<'t, 'g> ConstraintSystem for RandomizingProver<'t, 'g> {
-    type RandomizedCS = Self;
-
     fn transcript(&mut self) -> &mut Transcript {
         self.prover.transcript
     }
@@ -201,13 +204,6 @@ impl<'t, 'g> ConstraintSystem for RandomizingProver<'t, 'g> {
     fn constrain(&mut self, lc: LinearCombination) {
         self.prover.constrain(lc)
     }
-
-    fn specify_randomized_constraints<F>(&mut self, callback: F) -> Result<(), R1CSError>
-    where
-        F: 'static + Fn(&mut Self::RandomizedCS) -> Result<(), R1CSError>,
-    {
-        callback(self)
-    }
 }
 
 impl<'t, 'g> RandomizedConstraintSystem for RandomizingProver<'t, 'g> {

src/r1cs/verifier.rs

@@ -6,7 +6,10 @@ use curve25519_dalek::scalar::Scalar;
 use curve25519_dalek::traits::VartimeMultiscalarMul;
 use merlin::Transcript;
 
-use super::{ConstraintSystem, LinearCombination, R1CSProof, RandomizedConstraintSystem, Variable};
+use super::{
+    ConstraintSystem, LinearCombination, R1CSProof, RandomizableConstraintSystem,
+    RandomizedConstraintSystem, Variable,
+};
 
 use errors::R1CSError;
 use generators::{BulletproofGens, PedersenGens};
@@ -57,8 +60,6 @@ pub struct RandomizingVerifier<'t> {
 }
 
 impl<'t> ConstraintSystem for Verifier<'t> {
-    type RandomizedCS = RandomizingVerifier<'t>;
-
     fn transcript(&mut self) -> &mut Transcript {
         self.transcript
     }
@@ -121,6 +122,10 @@ impl<'t> ConstraintSystem for Verifier<'t> {
         // evals to 0 for prover, etc).
         self.constraints.push(lc);
     }
+}
+
+impl<'t> RandomizableConstraintSystem for Verifier<'t> {
+    type RandomizedCS = RandomizingVerifier<'t>;
 
     fn specify_randomized_constraints<F>(&mut self, callback: F) -> Result<(), R1CSError>
     where
@@ -132,8 +137,6 @@ impl<'t> ConstraintSystem for Verifier<'t> {
 }
 
 impl<'t> ConstraintSystem for RandomizingVerifier<'t> {
-    type RandomizedCS = Self;
-
     fn transcript(&mut self) -> &mut Transcript {
         self.verifier.transcript
     }
@@ -160,13 +163,6 @@ impl<'t> ConstraintSystem for RandomizingVerifier<'t> {
     fn constrain(&mut self, lc: LinearCombination) {
         self.verifier.constrain(lc)
     }
-
-    fn specify_randomized_constraints<F>(&mut self, callback: F) -> Result<(), R1CSError>
-    where
-        F: 'static + Fn(&mut Self::RandomizedCS) -> Result<(), R1CSError>,
-    {
-        callback(self)
-    }
 }
 
 impl<'t> RandomizedConstraintSystem for RandomizingVerifier<'t> {

tests/r1cs.rs

@@ -17,7 +17,7 @@ use rand::thread_rng;
 struct ShuffleProof(R1CSProof);
 
 impl ShuffleProof {
-    fn gadget<CS: ConstraintSystem>(
+    fn gadget<CS: RandomizableConstraintSystem>(
         cs: &mut CS,
         x: Vec<Variable>,
         y: Vec<Variable>,