Add Relation trait

[Pratyush]

Description

Adds two traits: Relation and NPRelation. Modifies the SNARK trait to use these, instead of the ConstraintSystem infrastructure.

TBD: How to integrate the old ConstraintSystem-based APIs into this. See #348 (comment) for an idea.

closes #323
closes #321
closes #341
closes #342

---

Before we can merge this PR, please make sure that all the following items have been
checked off. If any of the checklist items are not applicable, please leave them but
write a little note why.

• Targeted PR against correct branch (master)
• Linked to Github issue with discussion and accepted design OR have an explanation in the PR that describes this work.
• Wrote unit tests --- N/A
• Updated relevant documentation in the code
• Added a relevant changelog entry to the Pending section in CHANGELOG.md
• Re-reviewed Files changed in the Github PR explorer

[Pratyush]

Matches the API from the formal definition better.

[Pratyush]

I moved this algorithm to CircuitSpecificSetupSNARK; it doesn't really belong here.

[Pratyush]

Indexing is an operation that happens only for UniversalSetupSNARKs, so we don't need to specify that separately here.

[Pratyush]

Slightly more descriptive name.

[Pratyush]

New API that enables computing the bound for a given index.

[Pratyush]

Indexing is now deterministic, as per the formal definition.

[Pratyush]

Every UniversalSetupSNARK is also a CircuitSpecificSetupSNARK, so I added this blanket impl here.

[Pratyush]

These are specialized APIs for working with the existing ConstraintSystem-based API

[Pratyush]

Instead of having these segregated APIs, another idea would be to add a RelationProvider trait that is a generalization of RelationProvider.

pub trait RelationProvider<R: Relation> {
	// These are all optional because they might not exist always.
	// For example, in indexing phase, there is no assignment,
	// while during proving there may be no index.
	fn index(&self) -> Option<R::Index>; // Maybe this should be `Rc<RefCell<R::Index>>`? to avoid copying.
	fn instance(&self) -> Option<R::Instance>;
	fn witness(&self) -> Option<R::Witness>;
}

pub trait SNARK<R: Relation> {
	fn prove<RP: RelationProvider<R>, ...>(pk, rp: RP)
	// similar for other methods.
}

impl<F: Field> RelationProvider<R1CS<F>> for ConstraintSynthesizer<F> {
// do stuff.
}

[Pratyush]

The verifier now takes in a ConstraintSynthesizer that outputs the assignment to instance variables.

[Pratyush]

Probably we should rename this trait and add new methods like generate_instance_assignment and generate_witness_assignment

Alternatively, we could replace the trait with three closures that do these tasks, as the TODO suggests.

[ValarDragon]

Suggested change

	/// Generate inputs for the SNARK verifier from [`cs`].
	/// Generate inputs for the SNARK verifier from [`cs`].
	/// Assumes the verifier has a version of the matrices from elsewhere.
	/// (Either preprocessed, or a direct copy of the matrices)

[ValarDragon]

LGTM! This seems like a significant improvement to the interfaces here

[ValarDragon]

Accidentally just reviewed the last few commits lol

[ValarDragon]

I wonder if we should do the converse, and make the second variable onwards what goes into the struct?

[Pratyush]

what do other sources of R1CS do, like zkinterface?

[Pratyush]

Updated the PR further, I think it's now in the final form and is ready for merging as is (modulo the CHANGELOG)

[jon-chuang]

So the Relation trait is pretty generic, and allows for a generic Snark interface. Which is nice.

So I'm wondering if it's a good time to try to do, or at least plan for, a draft migration of the halo2 code, although @daira seemed to be saying its not exactly ready for that. But from my perspective, it maybe would help put an extra pair of eyes on zcash's code and help arkworks advance to being yet more featured and flexible.

I'll post an issue soon regarding an approach, also outlining potential friction areas and incompatibilities, and ideas for how to solve them.

I'll also try to see if there are any tweaks that could be made regarding this PR.

---

I'm also wondering if relatedly, a common "plonk description language" ought to be established to make at the very least, relations, which can consist of multiple sub-relations, compatible between various libraries. The description language can also contain meta data, such as subcircuit names and component names, or not.

If R1CS is a general-purpose processor, plonk/plookup is a sort of FPGA/ASIC, with reuseable components, lookup tables, wiring, fan-in/fan-out and locality constraints, custom gates. The glue that holds it all together is the wiring (permutation argument). There are also subtle tradeoffs between the maximum relation multiplicative depth and proof size/proving time.

Just like the differences between programming a CPU and programming an FPGA are huge, there is a need to manage, and hide, a lot more complexity when it comes to Plonk/Plookup.

[weikengchen]

When should we merge this one (and plan for the next/next release)? And how many code changes to the other repos should we expect?

[Pratyush]

I still have to make corresponding PRs for Groth16 and Marlin; let's push merging this until after 0.3 (so in 0.4).