diff --git a/crypto/fcmps/src/gadgets/interactive.rs b/crypto/fcmps/src/gadgets/interactive.rs index df7edb59..a2cbbc65 100644 --- a/crypto/fcmps/src/gadgets/interactive.rs +++ b/crypto/fcmps/src/gadgets/interactive.rs @@ -24,7 +24,7 @@ pub(crate) struct ClaimedPointWithDlog { generator: (F, F), divisor: Divisor, pub(crate) dlog: Vec, - point: (Variable, Variable), + point: (Variable, Variable) } impl Circuit { @@ -77,7 +77,7 @@ impl Circuit { fn divisor_challenge_invert(&mut self, scalar: C::F) -> C::F { let res = Option::from(scalar.invert()); - // If somehow, we are trying to invert zero, push a constraint requiring -1 = 0 + // If somehow, we are trying to invert zero, push a constraint requiring 1 = 0 // This will cause the proof to fail to verify // TODO: Properly propagate this error if res.is_none() { @@ -119,8 +119,7 @@ impl Circuit { // The evaluation of the divisor differentiated by x let p_0_n_2 = { // The coefficient for x**1 is 1, so 1 becomes the new zero coefficient - // Since the constant is subtracted, we use -1 for the constant (making it +1) - let mut p_0_n_2 = LinComb::empty().constant(-C::F::ONE); + let mut p_0_n_2 = LinComb::empty().constant(C::F::ONE); // Handle the new y coefficient p_0_n_2 = p_0_n_2.term(c_y, divisor.yx[0]); @@ -180,10 +179,8 @@ impl Circuit { c_x_eval *= c_x; } - // We add -c_x to c so this evaluates as `+ c_x` (since c is subtracted from the linear - // combination) // Adding c_x effectively adds a `1 x` term, ensuring the divisor isn't 0 - p_0_d.term(C::F::ONE, divisor.zero).constant(-c_x) + p_0_d.term(C::F::ONE, divisor.zero).constant(c_x) }; let p_1_n = two_c_y; @@ -301,9 +298,8 @@ impl Circuit { // intercept - (y - (slope * x)) // intercept - y + (slope * x)) // -y + (slope * x)) + intercept - // We use -intercept since constants are subtracted let output_interpolation = - LinComb::empty().constant(-intercept).term(-C::F::ONE, point.y).term(slope, point.x); + LinComb::empty().constant(intercept).term(-C::F::ONE, point.y).term(slope, point.x); let output_interpolation_eval = self.eval(&output_interpolation); let (_output_interpolation, inverse) = self.inverse(Some(output_interpolation), output_interpolation_eval); diff --git a/crypto/fcmps/src/gadgets/mod.rs b/crypto/fcmps/src/gadgets/mod.rs index c4d81fc2..0a654e66 100644 --- a/crypto/fcmps/src/gadgets/mod.rs +++ b/crypto/fcmps/src/gadgets/mod.rs @@ -54,7 +54,7 @@ impl Circuit { let (l, r, o) = self.mul(a, None, witness.map(|f| (f, f.invert().unwrap()))); // The output of a value multiplied by its inverse is 1 // Constrain `1 o - 1 = 0` - self.constraints.push(LinComb::from(o).constant(C::F::ONE)); + self.constraints.push(LinComb::from(o).constant(-C::F::ONE)); (l, r) } @@ -91,17 +91,13 @@ impl Circuit { } /// Constrain an x and y coordinate as being on curve to a towered elliptic curve. - pub(crate) fn on_curve( - &mut self, - curve: &CurveSpec, - (x, y): (Variable, Variable), - ) -> OnCurve { + pub(crate) fn on_curve(&mut self, curve: &CurveSpec, (x, y): (Variable, Variable)) -> OnCurve { let x_eval = self.eval(&LinComb::from(x)); let (_x, _x_2, x2) = self.mul(Some(LinComb::from(x)), Some(LinComb::from(x)), x_eval.map(|x| (x, x))); let (_x, _x_2, x3) = self.mul(Some(LinComb::from(x2)), Some(LinComb::from(x)), x_eval.map(|x| (x * x, x))); - let expected_y2 = LinComb::from(x3).term(curve.a, x).constant(-curve.b); + let expected_y2 = LinComb::from(x3).term(curve.a, x).constant(curve.b); let y_eval = self.eval(&LinComb::from(y)); let (_y, _y_2, y2) = @@ -119,7 +115,7 @@ impl Circuit { { let bx_lincomb = LinComb::from(b.x); let bx_eval = self.eval(&bx_lincomb); - self.inequality(bx_lincomb, &LinComb::empty().constant(-a.0), bx_eval.map(|bx| (bx, a.0))); + self.inequality(bx_lincomb, &LinComb::empty().constant(a.0), bx_eval.map(|bx| (bx, a.0))); } let (x0, y0) = (a.0, a.1); @@ -133,26 +129,26 @@ impl Circuit { }); // slope * (x1 - x0) = y1 - y0 - let x1_minus_x0 = LinComb::from(x1).constant(x0); + let x1_minus_x0 = LinComb::from(x1).constant(-x0); let x1_minus_x0_eval = self.eval(&x1_minus_x0); let (slope, _r, o) = self.mul(None, Some(x1_minus_x0), slope_eval.map(|slope| (slope, x1_minus_x0_eval.unwrap()))); - self.equality(LinComb::from(o), &LinComb::from(y1).constant(y0)); + self.equality(LinComb::from(o), &LinComb::from(y1).constant(-y0)); // slope * (x2 - x0) = -y2 - y0 - let x2_minus_x0 = LinComb::from(x2).constant(x0); + let x2_minus_x0 = LinComb::from(x2).constant(-x0); let x2_minus_x0_eval = self.eval(&x2_minus_x0); let (_slope, _x2_minus_x0, o) = self.mul( Some(slope.into()), Some(x2_minus_x0), slope_eval.map(|slope| (slope, x2_minus_x0_eval.unwrap())), ); - self.equality(o.into(), &LinComb::empty().term(-C::F::ONE, y2).constant(y0)); + self.equality(o.into(), &LinComb::empty().term(-C::F::ONE, y2).constant(-y0)); // slope * slope = x0 + x1 + x2 let (_slope, _slope_2, o) = self.mul(Some(slope.into()), Some(slope.into()), slope_eval.map(|slope| (slope, slope))); - self.equality(o.into(), &LinComb::from(x1).term(C::F::ONE, x2).constant(-x0)); + self.equality(o.into(), &LinComb::from(x1).term(C::F::ONE, x2).constant(x0)); OnCurve { x: x2, y: y2 } } @@ -162,7 +158,7 @@ impl Circuit { /// Panics if the prover and the `y` coordinate isn't permissible. pub(crate) fn permissible(&mut self, a: C::F, b: C::F, y: Variable) { // a y - -b = ay + b - let p = LinComb::empty().term(a, y).constant(-b); + let p = LinComb::empty().term(a, y).constant(b); let p_eval = self.eval(&p); let p_eval_sqrt = p_eval.map(|p_eval| p_eval.sqrt().unwrap()); diff --git a/crypto/fcmps/src/lib.rs b/crypto/fcmps/src/lib.rs index 38a47534..ded0ad3b 100644 --- a/crypto/fcmps/src/lib.rs +++ b/crypto/fcmps/src/lib.rs @@ -37,7 +37,7 @@ impl Circuit { /// Returns None if not a prover. fn eval(&self, constraint: &LinComb) -> Option { self.prover.as_ref().map(|prover| { - let mut res = -constraint.c; + let mut res = constraint.c; for (index, weight) in &constraint.WL { res += prover.aL[*index] * weight; } @@ -122,10 +122,7 @@ impl Circuit { // An honest verifier will generate the intended circuit (using a consistent set of variables) // and still reject such proofs // This check only exists for sanity/safety to ensure an honest verifier doesn't mis-call this - assert_eq!( - i_blind_u.dlog, i_blind_v.dlog, - "first layer passed differing variables for the dlog" - ); + assert_eq!(i_blind_u.dlog, i_blind_v.dlog, "first layer passed differing variables for the dlog"); let i_blind_u = self.discrete_log(transcript, curve, i_blind_u); let I = self.on_curve(curve, I); diff --git a/crypto/fcmps/src/lincomb.rs b/crypto/fcmps/src/lincomb.rs index 7b0ba617..890b6c39 100644 --- a/crypto/fcmps/src/lincomb.rs +++ b/crypto/fcmps/src/lincomb.rs @@ -14,7 +14,7 @@ pub(crate) enum Variable { /// A linear combination. /// -/// Specifically, this is WL aL + WR aR + WO aO + WC C - c. +/// Specifically, this is WL aL + WR aR + WO aO + WC C + c. // We don't model WV as we don't use Pedersen commitments #[derive(Clone, PartialEq, Eq, Debug)] #[must_use] @@ -97,7 +97,7 @@ impl LinComb { self } - /// Add to the constant c which is subtracted from the rest of the linear combination. + /// Add to the constant c, which is added to the rest of the linear combination. pub(crate) fn constant(mut self, scalar: F) -> Self { self.c += scalar; self