Skip to main content

SRS

poly_commitment::ipa

Struct SRS 

Source 
pub struct SRS<G> {
    pub g: Vec<G>,
    pub h: G,
    pub lagrange_bases: HashMapCache<usize, Vec<PolyComm<G>>>,
}

Fields§

§g: Vec<G>

The vector of group elements for committing to polynomials in coefficient form.

§h: G

A group element used for blinding commitments

§lagrange_bases: HashMapCache<usize, Vec<PolyComm<G>>>

Commitments to Lagrange bases, per domain size

Implementations§

Source§

impl<G: CommitmentCurve> SRS<G>

Additional methods for the SRS structure

Source

pub fn verify<EFqSponge, RNG, const FULL_ROUNDS: usize>( &self, group_map: &G::Map, batch: &mut [BatchEvaluationProof<'_, G, EFqSponge, OpeningProof<G, FULL_ROUNDS>, FULL_ROUNDS>], rng: &mut RNG, ) -> bool
where EFqSponge: FqSponge<G::BaseField, G, G::ScalarField, FULL_ROUNDS>, RNG: RngCore + CryptoRng, G::BaseField: PrimeField,

Verifies a batch of polynomial commitment opening proofs.

This IPA verification method is primarily designed for integration into recursive proof systems like Pickles. In recursive proofs, IPA verification is deferred by storing accumulators (RecursionChallenge) rather than verifying immediately in-circuit. This method performs the final out-of-circuit verification of those accumulators.

The function reconstructs the challenge polynomial b(X) from the IPA challenges and uses it to verify the opening proofs. The challenge polynomial is defined as:

b(X) = prod_{i=0}^{k-1} (1 + u_{k-i} * X^{2^i})

where u_1, ..., u_k are the challenges from the k rounds of the IPA protocol. See Section 3.2 of the Halo paper.

The verification reconstructs b(X) in two forms:

  • Evaluation form: b_poly(&chal, x) computes b(x) in O(k) operations
  • Coefficient form: b_poly_coefficients(&chal) returns the 2^k coefficients for the MSM <s, G> that verifies the accumulated commitment

Note: The challenge polynomial reconstruction is specifically needed for recursive proof verification. For standalone (non-recursive) IPA verification, a simpler approach without b(X) reconstruction could be used.

§Panics

Panics if the number of scalars does not match the number of points.

Returns true if verification succeeds, false otherwise.

Source

pub fn create_trusted_setup_with_toxic_waste( x: G::ScalarField, depth: usize, ) -> Self

This function creates a trusted-setup SRS instance for circuits with number of rows up to depth.

§Security

The internal accumulator x_pow is zeroized before returning. The caller must ensure that x is securely zeroized after use. Leaking x compromises the soundness of the proof system.

Source§

impl<G: CommitmentCurve> SRS<G>
where <G as CommitmentCurve>::Map: Sync, G::BaseField: PrimeField,

Source

pub fn create_parallel(depth: usize) -> Self

This function creates SRS instance for circuits with number of rows up to depth.

§Panics

Panics if depth exceeds u32::MAX.

Source§

impl<G: CommitmentCurve> SRS<G>

Source

pub fn open<EFqSponge, RNG, D: EvaluationDomain<G::ScalarField>, const FULL_ROUNDS: usize>( &self, group_map: &G::Map, plnms: &'_ [(DensePolynomialOrEvaluations<'_, G::ScalarField, D>, PolyComm<G::ScalarField>)], elm: &[G::ScalarField], polyscale: G::ScalarField, evalscale: G::ScalarField, sponge: EFqSponge, rng: &mut RNG, ) -> OpeningProof<G, FULL_ROUNDS>
where EFqSponge: Clone + FqSponge<G::BaseField, G, G::ScalarField, FULL_ROUNDS>, RNG: RngCore + CryptoRng, G::BaseField: PrimeField, G: EndoCurve,

Creates an opening proof for a batch of polynomial commitments.

This function implements the IPA (Inner Product Argument) prover. During the k = log_2(n) rounds of folding, it implicitly constructs the challenge polynomial b(X).

Note: The use of the challenge polynomial b(X) is a modification to the original IPA protocol that improves efficiency in recursive proof settings. The challenge polynomial is inspired from the “Amoritization strategy”“ from Recursive Proof Composition without a Trusted Setup, section 3.2.

§Panics

Panics if IPA folding does not produce single elements after log rounds, or if the challenge inverse cannot be computed.

Source

fn lagrange_basis(&self, domain: D<G::ScalarField>) -> Vec<PolyComm<G>>

Trait Implementations§

Source§

impl<G: Clone> Clone for SRS<G>

Source§

fn clone(&self) -> SRS<G>

Returns a duplicate of the value. Read more
1.0.0 · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl<G: Debug> Debug for SRS<G>

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl<G: Default> Default for SRS<G>

Source§

fn default() -> SRS<G>

Returns the “default value” for a type. Read more
Source§

impl<'de, G> Deserialize<'de> for SRS<G>
where G: CanonicalDeserialize + CanonicalSerialize,

Source§

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>
where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer. Read more
Source§

impl<G: Clone> From<SRS<G>> for TestSRS<G>

Source§

fn from(value: SRS<G>) -> Self

Converts to this type from the input type.
Source§

impl<G> From<TestSRS<G>> for SRS<G>

Source§

fn from(value: TestSRS<G>) -> Self

Converts to this type from the input type.
Source§

impl<G> PartialEq for SRS<G>
where G: PartialEq,

Source§

fn eq(&self, other: &Self) -> bool

Tests for self and other values to be equal, and is used by ==.
1.0.0 · Source§

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.
Source§

impl<G> SRS<G> for SRS<G>
where G: CommitmentCurve,

Source§

fn max_poly_size(&self) -> usize

The maximum polynomial degree that can be committed to

Source§

fn mask( &self, comm: PolyComm<G>, rng: &mut (impl RngCore + CryptoRng), ) -> BlindedCommitment<G>

Turns a non-hiding polynomial commitment into a hiding polynomial commitment. Transforms each given <a, G> into (<a, G> + wH, w) with a random w per commitment.

Source§

fn blinding_commitment(&self) -> G

Get the group element used for blinding commitments
Source§

fn mask_custom( &self, com: PolyComm<G>, blinders: &PolyComm<G::ScalarField>, ) -> Result<BlindedCommitment<G>, CommitmentError>

Same as SRS::mask except you can pass blinders manually. Read more
Source§

fn commit_non_hiding( &self, plnm: &DensePolynomial<G::ScalarField>, num_chunks: usize, ) -> PolyComm<G>

This function commits a polynomial using the SRS’ basis of size n. Read more
Source§

fn commit( &self, plnm: &DensePolynomial<G::ScalarField>, num_chunks: usize, rng: &mut (impl RngCore + CryptoRng), ) -> BlindedCommitment<G>

Commits a polynomial, potentially splitting the result. Read more
Source§

fn commit_custom( &self, plnm: &DensePolynomial<G::ScalarField>, num_chunks: usize, blinders: &PolyComm<G::ScalarField>, ) -> Result<BlindedCommitment<G>, CommitmentError>

Commit to a polynomial, with custom blinding factors. Read more
Source§

fn commit_evaluations_non_hiding( &self, domain: D<G::ScalarField>, plnm: &Evaluations<G::ScalarField, D<G::ScalarField>>, ) -> PolyComm<G>

Commit to evaluations, without blinding factors. Read more
Source§

fn commit_evaluations( &self, domain: D<G::ScalarField>, plnm: &Evaluations<G::ScalarField, D<G::ScalarField>>, rng: &mut (impl RngCore + CryptoRng), ) -> BlindedCommitment<G>

Commit to evaluations with blinding factors. Read more
Source§

fn commit_evaluations_custom( &self, domain: D<G::ScalarField>, plnm: &Evaluations<G::ScalarField, D<G::ScalarField>>, blinders: &PolyComm<G::ScalarField>, ) -> Result<BlindedCommitment<G>, CommitmentError>

Commit to evaluations with custom blinding factors. Read more
Source§

fn create(depth: usize) -> Self

Create an SRS of size depth. Read more
Source§

fn get_lagrange_basis_from_domain_size( &self, domain_size: usize, ) -> &Vec<PolyComm<G>>

Same as get_lagrange_basis but only using the domain size.
Source§

fn get_lagrange_basis(&self, domain: D<G::ScalarField>) -> &Vec<PolyComm<G>>

Compute commitments to the lagrange basis corresponding to the given domain and cache them in the SRS
Source§

fn size(&self) -> usize

Source§

impl<G> Serialize for SRS<G>
where G: CanonicalDeserialize + CanonicalSerialize,

Source§

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>
where __S: Serializer,

Serialize this value into the given Serde serializer. Read more
Source§

impl WithLagrangeBasis<Affine<PallasParameters>> for SRS<Pallas>

Source§

fn with_lagrange_basis(&self, domain: D<<Pallas as AffineRepr>::ScalarField>)

Source§

impl WithLagrangeBasis<Affine<VestaParameters>> for SRS<Vesta>

Source§

fn with_lagrange_basis(&self, domain: D<<Vesta as AffineRepr>::ScalarField>)

Auto Trait Implementations§

§

impl<G> Freeze for SRS<G>
where G: Freeze,

§

impl<G> RefUnwindSafe for SRS<G>
where G: RefUnwindSafe,

§

impl<G> Send for SRS<G>
where G: Send,

§

impl<G> Sync for SRS<G>
where G: Sync + Send,

§

impl<G> Unpin for SRS<G>
where G: Unpin,

§

impl<G> UnsafeUnpin for SRS<G>
where G: UnsafeUnpin,

§

impl<G> UnwindSafe for SRS<G>
where G: UnwindSafe,

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

§

impl<T> Pointable for T

§

const ALIGN: usize

The alignment of pointer.
§

type Init = T

The type for initializers.
§

unsafe fn init(init: <T as Pointable>::Init) -> usize

Initializes a with the given initializer. Read more
§

unsafe fn deref<'a>(ptr: usize) -> &'a T

Dereferences the given pointer. Read more
§

unsafe fn deref_mut<'a>(ptr: usize) -> &'a mut T

Mutably dereferences the given pointer. Read more
§

unsafe fn drop(ptr: usize)

Drops the object pointed to by the given pointer. Read more
Source§

impl<T> Same for T

Source§

type Output = T

Should always be Self
Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
§

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

§

fn vzip(self) -> V

Source§

impl<T> DeserializeOwned for T
where T: for<'de> Deserialize<'de>,