Committed Instances (#7)

* FS: add instance length before instances and not after (more intuitive)

* prover: rename variable

* add support for committed instances

* examples: adapt [vector-ops-unblinded] to test committed instances

* prover: create support for [commit_to_instances]

* examples: generalize example on committed instances

* Address PR feedback

Author: miguel-ambrona

Cargo.toml

@@ -50,7 +50,7 @@ blake2b_simd = "1" # MSRV 1.66.0
 sha3 = "0.9.1"
 rand_chacha = "0.3"
 serde = { version = "1", optional = true, features = ["derive"] }
-serde_derive = { version = "1", optional = true}
+serde_derive = { version = "1", optional = true }
 rayon = "1.8"
 
 # Developer tooling dependencies
@@ -87,7 +87,18 @@ sanity-checks = []
 circuit-params = []
 cost-estimator = ["serde", "serde_derive"]
 derive_serde = ["halo2curves/derive_serde"]
-truncated-challenges = [] # This feature truncates challenges to half the size of the scalar field.
+
+# This feature truncates challenges to half the size of the scalar field.
+truncated-challenges = []
+
+# This feature adds a new argument to prover and verifier functions, which
+# represents instances in committed form (e.g. in the form of a polynomial
+# commitment instead of a vector of scalars).
+# The verifier may not know what the content of the commitment is, but can
+# be sure that the content is constrained according to the circuit rules.
+#
+# This feature is very powerful for proving statements on committed data.
+committed-instances = []
 
 [lib]
 bench = false

benches/plonk.rs

@@ -284,6 +284,8 @@ fn criterion_benchmark(c: &mut Criterion) {
             params,
             pk,
             &[circuit],
+            #[cfg(feature = "committed-instances")]
+            0,
             &[&[]],
             rng,
             &mut transcript,
@@ -300,6 +302,8 @@ fn criterion_benchmark(c: &mut Criterion) {
         let mut transcript = CircuitTranscript::init_from_bytes(proof);
         assert!(prepare::<bn256::Fr, KZGCommitmentScheme<bn256::Bn256>, _>(
             vk,
+            #[cfg(feature = "committed-instances")]
+            &[&[]],
             &[&[]],
             &mut transcript
         )

examples/serialization.rs

@@ -157,6 +157,8 @@ fn main() {
         &params,
         &pk,
         &[circuit],
+        #[cfg(feature = "committed-instances")]
+        0,
         &[instances],
         OsRng,
         &mut transcript,
@@ -169,6 +171,8 @@ fn main() {
 
     assert!(prepare::<Fr, KZGCommitmentScheme<Bn256>, _>(
         pk.get_vk(),
+        #[cfg(feature = "committed-instances")]
+        &[&[]],
         &[instances],
         &mut transcript,
     )

examples/vector-ops-unblinded.rs

@@ -54,6 +54,7 @@ trait NumericInstructions<F: Field>: Chip<F> {
         layouter: impl Layouter<F>,
         num: &Self::Num,
         row: usize,
+        instance_col: usize,
     ) -> Result<(), Error>;
 }
 // ANCHOR_END: instructions
@@ -75,13 +76,18 @@ struct AddChip<F: Field> {
 }
 // ANCHOR_END: chip
 
+const NB_INSTANCE_COLS: usize = 5;
+
+#[cfg(feature = "committed-instances")]
+const NB_INSTANCE_COMS: usize = 2;
+
 // ANCHOR: chip-config
 /// Chip state is stored in a config struct. This is generated by the chip
 /// during configuration, and then stored inside the chip.
 #[derive(Clone, Debug)]
 struct FieldConfig {
     advice: [Column<Advice>; 3],
-    instance: Column<Instance>,
+    instance_cols: [Column<Instance>; NB_INSTANCE_COLS],
     s: Selector,
 }
 
@@ -96,9 +102,11 @@ impl<F: Field> MultChip<F> {
     fn configure(
         meta: &mut ConstraintSystem<F>,
         advice: [Column<Advice>; 3],
-        instance: Column<Instance>,
+        instance_cols: [Column<Instance>; NB_INSTANCE_COLS],
     ) -> <Self as Chip<F>>::Config {
-        meta.enable_equality(instance);
+        for column in &instance_cols {
+            meta.enable_equality(*column);
+        }
         for column in &advice {
             meta.enable_equality(*column);
         }
@@ -116,7 +124,7 @@ impl<F: Field> MultChip<F> {
 
         FieldConfig {
             advice,
-            instance,
+            instance_cols,
             s,
         }
     }
@@ -133,9 +141,11 @@ impl<F: Field> AddChip<F> {
     fn configure(
         meta: &mut ConstraintSystem<F>,
         advice: [Column<Advice>; 3],
-        instance: Column<Instance>,
+        instance_cols: [Column<Instance>; NB_INSTANCE_COLS],
     ) -> <Self as Chip<F>>::Config {
-        meta.enable_equality(instance);
+        for column in &instance_cols {
+            meta.enable_equality(*column);
+        }
         for column in &advice {
             meta.enable_equality(*column);
         }
@@ -153,7 +163,7 @@ impl<F: Field> AddChip<F> {
 
         FieldConfig {
             advice,
-            instance,
+            instance_cols,
             s,
         }
     }
@@ -268,10 +278,11 @@ impl<F: Field> NumericInstructions<F> for MultChip<F> {
         mut layouter: impl Layouter<F>,
         num: &Self::Num,
         row: usize,
+        instance_col: usize,
     ) -> Result<(), Error> {
         let config = self.config();
 
-        layouter.constrain_instance(num.0.cell(), config.instance, row)
+        layouter.constrain_instance(num.0.cell(), config.instance_cols[instance_col], row)
     }
 }
 // ANCHOR_END: instructions-impl
@@ -350,10 +361,11 @@ impl<F: Field> NumericInstructions<F> for AddChip<F> {
         mut layouter: impl Layouter<F>,
         num: &Self::Num,
         row: usize,
+        instance_col: usize,
     ) -> Result<(), Error> {
         let config = self.config();
 
-        layouter.constrain_instance(num.0.cell(), config.instance, row)
+        layouter.constrain_instance(num.0.cell(), config.instance_cols[instance_col], row)
     }
 }
 
@@ -383,9 +395,9 @@ impl<F: Field> Circuit<F> for MulCircuit<F> {
         ];
 
         // We also need an instance column to store public inputs.
-        let instance = meta.instance_column();
+        let instance_cols = std::array::from_fn(|_| meta.instance_column());
 
-        MultChip::configure(meta, advice, instance)
+        MultChip::configure(meta, advice, instance_cols)
     }
 
     fn synthesize(
@@ -403,7 +415,12 @@ impl<F: Field> Circuit<F> for MulCircuit<F> {
 
         for (i, c) in ab.iter().enumerate() {
             // Expose the result as a public input to the circuit.
-            field_chip.expose_public(layouter.namespace(|| "expose c"), c, i)?;
+            field_chip.expose_public(
+                layouter.namespace(|| "expose c"),
+                c,
+                i / NB_INSTANCE_COLS,
+                i % NB_INSTANCE_COLS,
+            )?;
         }
         Ok(())
     }
@@ -436,9 +453,9 @@ impl<F: Field> Circuit<F> for AddCircuit<F> {
         ];
 
         // We also need an instance column to store public inputs.
-        let instance = meta.instance_column();
+        let instance_cols = std::array::from_fn(|_| meta.instance_column());
 
-        AddChip::configure(meta, advice, instance)
+        AddChip::configure(meta, advice, instance_cols)
     }
 
     fn synthesize(
@@ -456,7 +473,12 @@ impl<F: Field> Circuit<F> for AddCircuit<F> {
 
         for (i, c) in ab.iter().enumerate() {
             // Expose the result as a public input to the circuit.
-            field_chip.expose_public(layouter.namespace(|| "expose c"), c, i)?;
+            field_chip.expose_public(
+                layouter.namespace(|| "expose c"),
+                c,
+                i / NB_INSTANCE_COLS,
+                i % NB_INSTANCE_COLS,
+            )?;
         }
         Ok(())
     }
@@ -480,7 +502,20 @@ where
 {
     let params: ParamsKZG<E> = ParamsKZG::unsafe_setup(k, OsRng);
     let vk = keygen_vk_with_k(&params, &circuit, k).unwrap();
-    let pk = keygen_pk(vk, &circuit).unwrap();
+    let pk = keygen_pk(vk.clone(), &circuit).unwrap();
+
+    let mut public_inputs = vec![vec![]; NB_INSTANCE_COLS];
+    for i in 0..instances.len() {
+        public_inputs[i % NB_INSTANCE_COLS].push(instances[i]);
+    }
+    let public_inputs: Vec<&[E::Fr]> = public_inputs.iter().map(|v| v.as_slice()).collect();
+
+    #[cfg(feature = "committed-instances")]
+    let instance_commitments = public_inputs
+        .iter()
+        .take(NB_INSTANCE_COMS)
+        .map(|v| commit_to_instances::<E::Fr, KZGCommitmentScheme<E>>(&params, vk.get_domain(), v))
+        .collect::<Vec<_>>();
 
     let proof = {
         let mut transcript = CircuitTranscript::<State>::init();
@@ -489,7 +524,9 @@ where
             &params,
             &pk,
             &[circuit],
-            &[&[&instances]],
+            #[cfg(feature = "committed-instances")]
+            NB_INSTANCE_COMS,
+            &[&public_inputs],
             OsRng,
             &mut transcript,
         )
@@ -501,9 +538,18 @@ where
     let accepted = {
         let mut transcript = CircuitTranscript::<State>::init_from_bytes(&proof[..]);
 
-        prepare::<E::Fr, KZGCommitmentScheme<E>, _>(pk.get_vk(), &[&[&instances]], &mut transcript)
-            .unwrap()
-            .verify(&params.verifier_params())
+        prepare::<E::Fr, KZGCommitmentScheme<E>, _>(
+            pk.get_vk(),
+            #[cfg(feature = "committed-instances")]
+            &[&instance_commitments],
+            #[cfg(feature = "committed-instances")]
+            &[&public_inputs[NB_INSTANCE_COMS..]],
+            #[cfg(not(feature = "committed-instances"))]
+            &[&public_inputs],
+            &mut transcript,
+        )
+        .unwrap()
+        .verify(&params.verifier_params())
     };
 
     assert_eq!(accepted.is_ok(), expected);
@@ -520,8 +566,8 @@ fn main() {
     let k = 7;
 
     // Prepare the inputs to the circuit!
-    let a = [Fr::from(2); N];
-    let b = [Fr::from(3); N];
+    let a: [Fr; N] = std::array::from_fn(|i| Fr::from(i as u64));
+    let b: [Fr; N] = std::array::from_fn(|i| Fr::from(2 * i as u64));
     let c_mul: Vec<Fr> = a.iter().zip(b).map(|(&a, b)| a * b).collect();
     let c_add: Vec<Fr> = a.iter().zip(b).map(|(&a, b)| a + b).collect();
 

src/dev/cost_model.rs

@@ -886,6 +886,8 @@ mod tests {
             &params,
             &pk,
             &[circuit.clone()],
+            #[cfg(feature = "committed-instances")]
+            0,
             &[instances],
             OsRng,
             &mut transcript,