oleganza
commented
5 years ago In the ZkVM we use Option<ScalarWitness> as an assignment because it preserves the integer for the rangeproof, but also allows raw scalars for other kinds of assignments. If R1CS provides API for scalar assignments (that is, exposes eval this way or another), that would not be enough for our purposes: the underlying integer type would be erased.
pub enum ScalarWitness {
/// `ScalarKind::Integer` represents a signed integer with 64-bit absolute value (think "i65")
Integer(SignedInteger),
/// `ScalarKind::Scalar` represents a scalar modulo group order.
Scalar(Scalar),
}There are two solutions:
- Let the user keep their own assignments as we do today. We can simplify API in other ways to make overall usage nicer. E.g. instead of providing a closure to .allocate, we can simply provide
Option<Scalar>, so that closure could be effectively shifted to user'switness.map(|w| w.to_scalar()). See also #206. - Make all
LinearCombinations generic overS: Into<Scalar>, so the user can query their own witness type. I don't think that would work out into a clean and nice API.
cathieyun
I've been playing around with some R1CS gadgets and have noticed that
allocateis rather difficult to use. It accepts an assignment function, however, computing the assignments from other variables is not easy. I have found that I need to pass around all variable assignments with the variables in my gadget and compute new assignments in parallel. If instead, allocate exposed access to evaluate LinearCombinations of other variables, this would be must simpler.I propose modifying
allocatein ConstraintSystem to have the following signature:Then the Prover will call
assign_fnwith a closure that evaluates the givenLinearCombination:With this modification,
multiplyinProverCSandVerifierCScould be implemented mostly usingallocate(with the extra constraints).Thoughts? Or is there another recommended pattern for using
allocate?