diff --git a/examples/minroot.rs b/examples/minroot.rs index 4d5772a..a75de23 100644 --- a/examples/minroot.rs +++ b/examples/minroot.rs @@ -1,10 +1,8 @@ //! Demonstrates how to use Nova to produce a recursive proof of the correct execution of //! iterations of the MinRoot function, thereby realizing a Nova-based verifiable delay function (VDF). -//! We currently execute a single iteration of the MinRoot function per step of Nova's recursion. +//! We execute a configurable number of iterations of the MinRoot function per step of Nova's recursion. type G1 = pasta_curves::pallas::Point; type G2 = pasta_curves::vesta::Point; -type S1 = nova_snark::spartan_with_ipa_pc::RelaxedR1CSSNARK; -type S2 = nova_snark::spartan_with_ipa_pc::RelaxedR1CSSNARK; use ::bellperson::{gadgets::num::AllocatedNum, ConstraintSystem, SynthesisError}; use ff::PrimeField; use generic_array::typenum::U2; @@ -19,42 +17,19 @@ use nova_snark::{ }; use num_bigint::BigUint; use std::marker::PhantomData; +use std::time::Instant; -// A trivial test circuit that we will use on the secondary curve #[derive(Clone, Debug)] -struct TrivialTestCircuit { - _p: PhantomData, -} - -impl StepCircuit for TrivialTestCircuit -where - F: PrimeField, -{ - fn synthesize>( - &self, - _cs: &mut CS, - z: AllocatedNum, - ) -> Result, SynthesisError> { - Ok(z) - } - - fn compute(&self, z: &F) -> F { - *z - } -} - -#[derive(Clone, Debug)] -struct MinRootCircuit { +struct MinRootIteration { x_i: F, y_i: F, x_i_plus_1: F, y_i_plus_1: F, - pc: PoseidonConstants, } -impl MinRootCircuit { +impl MinRootIteration { // produces a sample non-deterministic advice, executing one invocation of MinRoot per step - fn new(num_steps: usize, x_0: &F, y_0: &F, pc: &PoseidonConstants) -> (F, Vec) { + fn new(num_iters: usize, x_0: &F, y_0: &F, pc: &PoseidonConstants) -> (F, Vec) { // although this code is written generically, it is tailored to Pallas' scalar field // (p - 3 / 5) let exp = BigUint::parse_bytes( @@ -66,7 +41,7 @@ impl MinRootCircuit { let mut res = Vec::new(); let mut x_i = *x_0; let mut y_i = *y_0; - for _i in 0..num_steps { + for _i in 0..num_iters { let x_i_plus_1 = (x_i + y_i).pow_vartime(exp.to_u64_digits()); // computes the fifth root of x_i + y_i // sanity check @@ -82,7 +57,6 @@ impl MinRootCircuit { y_i, x_i_plus_1, y_i_plus_1, - pc: pc.clone(), }); x_i = x_i_plus_1; @@ -95,6 +69,12 @@ impl MinRootCircuit { } } +#[derive(Clone, Debug)] +struct MinRootCircuit { + seq: Vec>, + pc: PoseidonConstants, +} + impl StepCircuit for MinRootCircuit where F: PrimeField, @@ -104,65 +84,102 @@ where cs: &mut CS, z: AllocatedNum, ) -> Result, SynthesisError> { - // Allocate four variables for holding non-deterministic advice: x_i, y_i, x_i_plus_1, y_i_plus_1 - let x_i = AllocatedNum::alloc(cs.namespace(|| "x_i"), || Ok(self.x_i))?; - let y_i = AllocatedNum::alloc(cs.namespace(|| "y_i"), || Ok(self.y_i))?; - let x_i_plus_1 = AllocatedNum::alloc(cs.namespace(|| "x_i_plus_1"), || Ok(self.x_i_plus_1))?; - - // check that z = hash(x_i, y_i), where z is an output from the prior step - let z_hash = poseidon_hash( - cs.namespace(|| "input hash"), - vec![x_i.clone(), y_i.clone()], - &self.pc, - )?; - cs.enforce( - || "z =? z_hash", - |lc| lc + z_hash.get_variable(), - |lc| lc + CS::one(), - |lc| lc + z.get_variable(), - ); + let mut z_out: Result, SynthesisError> = Err(SynthesisError::AssignmentMissing); + for i in 0..self.seq.len() { + // Allocate four variables for holding non-deterministic advice: x_i, y_i, x_i_plus_1, y_i_plus_1 + let x_i = AllocatedNum::alloc(cs.namespace(|| format!("x_i_iter_{}", i)), || { + Ok(self.seq[i].x_i) + })?; + let y_i = AllocatedNum::alloc(cs.namespace(|| format!("y_i_iter_{}", i)), || { + Ok(self.seq[i].y_i) + })?; + let x_i_plus_1 = + AllocatedNum::alloc(cs.namespace(|| format!("x_i_plus_1_iter_{}", i)), || { + Ok(self.seq[i].x_i_plus_1) + })?; - // check the following conditions hold: - // (i) x_i_plus_1 = (x_i + y_i)^{1/5}, which can be more easily checked with x_i_plus_1^5 = x_i + y_i - // (ii) y_i_plus_1 = x_i - // (1) constraints for condition (i) are below - // (2) constraints for condition (ii) is avoided because we just used x_i wherever y_i_plus_1 is used - let x_i_plus_1_sq = x_i_plus_1.square(cs.namespace(|| "x_i_plus_1_sq"))?; - let x_i_plus_1_quad = x_i_plus_1_sq.square(cs.namespace(|| "x_i_plus_1_quad"))?; - let x_i_plus_1_pow_5 = x_i_plus_1_quad.mul(cs.namespace(|| "x_i_plus_1_pow_5"), &x_i_plus_1)?; - cs.enforce( - || "x_i_plus_1_pow_5 = x_i + y_i", - |lc| lc + x_i_plus_1_pow_5.get_variable(), - |lc| lc + CS::one(), - |lc| lc + x_i.get_variable() + y_i.get_variable(), - ); + // check that z = hash(x_i, y_i), where z is an output from the prior step + if i == 0 { + let z_hash = poseidon_hash( + cs.namespace(|| "input hash"), + vec![x_i.clone(), y_i.clone()], + &self.pc, + )?; + cs.enforce( + || "z =? z_hash", + |lc| lc + z_hash.get_variable(), + |lc| lc + CS::one(), + |lc| lc + z.get_variable(), + ); + } - // return hash(x_i_plus_1, y_i_plus_1) since Nova circuits expect a single output - poseidon_hash( - cs.namespace(|| "output hash"), - vec![x_i_plus_1, x_i.clone()], - &self.pc, - ) + // check the following conditions hold: + // (i) x_i_plus_1 = (x_i + y_i)^{1/5}, which can be more easily checked with x_i_plus_1^5 = x_i + y_i + // (ii) y_i_plus_1 = x_i + // (1) constraints for condition (i) are below + // (2) constraints for condition (ii) is avoided because we just used x_i wherever y_i_plus_1 is used + let x_i_plus_1_sq = + x_i_plus_1.square(cs.namespace(|| format!("x_i_plus_1_sq_iter_{}", i)))?; + let x_i_plus_1_quad = + x_i_plus_1_sq.square(cs.namespace(|| format!("x_i_plus_1_quad_{}", i)))?; + let x_i_plus_1_pow_5 = x_i_plus_1_quad.mul( + cs.namespace(|| format!("x_i_plus_1_pow_5_{}", i)), + &x_i_plus_1, + )?; + cs.enforce( + || format!("x_i_plus_1_pow_5 = x_i + y_i_iter_{}", i), + |lc| lc + x_i_plus_1_pow_5.get_variable(), + |lc| lc + CS::one(), + |lc| lc + x_i.get_variable() + y_i.get_variable(), + ); + + // return hash(x_i_plus_1, y_i_plus_1) since Nova circuits expect a single output + if i == self.seq.len() - 1 { + z_out = poseidon_hash( + cs.namespace(|| "output hash"), + vec![x_i_plus_1, x_i.clone()], + &self.pc, + ); + } + } + + z_out } fn compute(&self, z: &F) -> F { // sanity check - let z_hash = Poseidon::::new_with_preimage(&[self.x_i, self.y_i], &self.pc).hash(); + let z_hash = + Poseidon::::new_with_preimage(&[self.seq[0].x_i, self.seq[0].y_i], &self.pc).hash(); debug_assert_eq!(z, &z_hash); // compute output hash using advice - Poseidon::::new_with_preimage(&[self.x_i_plus_1, self.y_i_plus_1], &self.pc).hash() + let iters = self.seq.len(); + Poseidon::::new_with_preimage( + &[ + self.seq[iters - 1].x_i_plus_1, + self.seq[iters - 1].y_i_plus_1, + ], + &self.pc, + ) + .hash() } } fn main() { - let pc = PoseidonConstants::<::Scalar, U2>::new_with_strength(Strength::Standard); + let num_steps = 10; + let num_iters_per_step = 10; // number of iterations of MinRoot per Nova's recursive step + let pc = PoseidonConstants::<::Scalar, U2>::new_with_strength(Strength::Standard); let circuit_primary = MinRootCircuit { - x_i: ::Scalar::zero(), - y_i: ::Scalar::zero(), - x_i_plus_1: ::Scalar::zero(), - y_i_plus_1: ::Scalar::zero(), + seq: vec![ + MinRootIteration { + x_i: ::Scalar::zero(), + y_i: ::Scalar::zero(), + x_i_plus_1: ::Scalar::zero(), + y_i_plus_1: ::Scalar::zero(), + }; + num_iters_per_step + ], pc: pc.clone(), }; @@ -170,22 +187,51 @@ fn main() { _p: Default::default(), }; + println!("Nova-based VDF with MinRoot delay function"); + println!("=========================================="); + println!( + "Proving {} iterations of MinRoot per step", + num_iters_per_step + ); + // produce public parameters + println!("Producing public parameters..."); let pp = PublicParams::< G1, G2, MinRootCircuit<::Scalar>, TrivialTestCircuit<::Scalar>, >::setup(circuit_primary, circuit_secondary.clone()); + println!( + "Number of constraints per step (primary circuit): {}", + pp.num_constraints().0 + ); + println!( + "Number of constraints per step (secondary circuit): {}", + pp.num_constraints().1 + ); // produce non-deterministic advice - let num_steps = 3; - let (z0_primary, minroot_circuits) = MinRootCircuit::new( - num_steps, + let (z0_primary, minroot_iterations) = MinRootIteration::new( + num_iters_per_step * num_steps, &::Scalar::zero(), &::Scalar::one(), &pc, ); + let minroot_circuits = (0..num_steps) + .map(|i| MinRootCircuit { + seq: (0..num_iters_per_step) + .map(|j| MinRootIteration { + x_i: minroot_iterations[i * num_iters_per_step + j].x_i, + y_i: minroot_iterations[i * num_iters_per_step + j].y_i, + x_i_plus_1: minroot_iterations[i * num_iters_per_step + j].x_i_plus_1, + y_i_plus_1: minroot_iterations[i * num_iters_per_step + j].y_i_plus_1, + }) + .collect::>(), + pc: pc.clone(), + }) + .collect::>(); + let z0_secondary = ::Scalar::zero(); type C1 = MinRootCircuit<::Scalar>; @@ -195,6 +241,7 @@ fn main() { let mut recursive_snark: Option> = None; for (i, circuit_primary) in minroot_circuits.iter().take(num_steps).enumerate() { + let start = Instant::now(); let res = RecursiveSNARK::prove_step( &pp, recursive_snark, @@ -204,7 +251,12 @@ fn main() { z0_secondary, ); assert!(res.is_ok()); - println!("RecursiveSNARK::prove_step {}: {:?}", i, res.is_ok()); + println!( + "RecursiveSNARK::prove_step {}: {:?}, took {:?} ", + i, + res.is_ok(), + start.elapsed() + ); recursive_snark = Some(res.unwrap()); } @@ -213,20 +265,60 @@ fn main() { // verify the recursive SNARK println!("Verifying a RecursiveSNARK..."); + let start = Instant::now(); let res = recursive_snark.verify(&pp, num_steps, z0_primary, z0_secondary); - println!("RecursiveSNARK::verify: {:?}", res.is_ok()); + println!( + "RecursiveSNARK::verify: {:?}, took {:?}", + res.is_ok(), + start.elapsed() + ); assert!(res.is_ok()); // produce a compressed SNARK - println!("Generating a CompressedSNARK..."); + println!("Generating a CompressedSNARK using Spartan with IPA-PC..."); + let start = Instant::now(); + type S1 = nova_snark::spartan_with_ipa_pc::RelaxedR1CSSNARK; + type S2 = nova_snark::spartan_with_ipa_pc::RelaxedR1CSSNARK; let res = CompressedSNARK::<_, _, _, _, S1, S2>::prove(&pp, &recursive_snark); - println!("CompressedSNARK::prove: {:?}", res.is_ok()); + println!( + "CompressedSNARK::prove: {:?}, took {:?}", + res.is_ok(), + start.elapsed() + ); assert!(res.is_ok()); let compressed_snark = res.unwrap(); // verify the compressed SNARK println!("Verifying a CompressedSNARK..."); + let start = Instant::now(); let res = compressed_snark.verify(&pp, num_steps, z0_primary, z0_secondary); - println!("CompressedSNARK::verify: {:?}", res.is_ok()); + println!( + "CompressedSNARK::verify: {:?}, took {:?}", + res.is_ok(), + start.elapsed() + ); assert!(res.is_ok()); } + +// A trivial test circuit that we use on the secondary curve +#[derive(Clone, Debug)] +struct TrivialTestCircuit { + _p: PhantomData, +} + +impl StepCircuit for TrivialTestCircuit +where + F: PrimeField, +{ + fn synthesize>( + &self, + _cs: &mut CS, + z: AllocatedNum, + ) -> Result, SynthesisError> { + Ok(z) + } + + fn compute(&self, z: &F) -> F { + *z + } +} diff --git a/src/lib.rs b/src/lib.rs index 52354e5..d7df862 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -128,6 +128,14 @@ where _p_c2: Default::default(), } } + + /// Returns the number of constraints in the primary and secondary circuits + pub fn num_constraints(&self) -> (usize, usize) { + ( + self.r1cs_shape_primary.num_cons, + self.r1cs_shape_secondary.num_cons, + ) + } } /// A SNARK that proves the correct execution of an incremental computation