move transcript to trait (#46)

poly-iop/Cargo.toml

@@ -14,11 +14,12 @@ ark-serialize =  { version = "^0.3.0", default-features = false }
 ark-bls12-381 = { version = "0.3.0", default-features = false, features = [ "curve" ] }
 
 rand_chacha = { version = "0.3.0", default-features = false }
-merlin = { version = "3.0.0", default-features = false }
 displaydoc = { version = "0.2.3", default-features = false }
 
 rayon = { version = "1.5.2", default-features = false, optional = true }
 
+transcript = { path = "../transcript" }
+
 # Benchmarks
 [[bench]]
 name = "poly-iop-benches"

poly-iop/src/errors.rs

@@ -2,6 +2,7 @@
 
 use ark_std::string::String;
 use displaydoc::Display;
+use transcript::TranscriptErrors;
 
 /// A `enum` specifying the possible failure modes of the PolyIOP.
 #[derive(Display, Debug)]
@@ -14,12 +15,14 @@ pub enum PolyIOPErrors {
     InvalidProof(String),
     /// Invalid parameters: {0}
     InvalidParameters(String),
-    /// Invalid Transcript: {0}
-    InvalidTranscript(String),
+    /// Invalid challenge: {0}
+    InvalidChallenge(String),
     /// Should not arrive to this point
     ShouldNotArrive,
     /// An error during (de)serialization: {0}
     SerializationError(ark_serialize::SerializationError),
+    /// Transcript Error: {0}
+    TranscriptError(TranscriptErrors),
 }
 
 impl From<ark_serialize::SerializationError> for PolyIOPErrors {
@@ -27,3 +30,9 @@ impl From<ark_serialize::SerializationError> for PolyIOPErrors {
         Self::SerializationError(e)
     }
 }
+
+impl From<TranscriptErrors> for PolyIOPErrors {
+    fn from(e: TranscriptErrors) -> Self {
+        Self::TranscriptError(e)
+    }
+}

poly-iop/src/hyperplonk/mod.rs

@@ -1,12 +1,10 @@
 //! Main module for the HyperPlonk PolyIOP.
 
-use crate::{
-    errors::PolyIOPErrors, perm_check::PermutationCheck, transcript::IOPTranscript,
-    zero_check::ZeroCheck,
-};
+use crate::{errors::PolyIOPErrors, perm_check::PermutationCheck, zero_check::ZeroCheck};
 use ark_ff::PrimeField;
 use ark_poly::DenseMultilinearExtension;
 use std::rc::Rc;
+use transcript::IOPTranscript;
 
 /// A trait for HyperPlonk Poly-IOPs
 pub trait HyperPlonkPIOP<F: PrimeField> {

poly-iop/src/lib.rs

@@ -7,7 +7,6 @@ mod perm_check;
 mod prod_check;
 mod structs;
 mod sum_check;
-mod transcript;
 mod utils;
 mod virtual_poly;
 mod zero_check;
@@ -20,7 +19,6 @@ pub use perm_check::{
 };
 pub use prod_check::ProductCheck;
 pub use sum_check::SumCheck;
-pub use transcript::IOPTranscript;
 pub use utils::*;
 pub use virtual_poly::{VPAuxInfo, VirtualPolynomial};
 pub use zero_check::ZeroCheck;

poly-iop/src/perm_check/mod.rs

@@ -1,13 +1,14 @@
 //! Main module for the Permutation Check protocol
 
 use crate::{
-    errors::PolyIOPErrors, perm_check::util::compute_prod_0, structs::IOPProof,
-    transcript::IOPTranscript, utils::get_index, PolyIOP, VirtualPolynomial, ZeroCheck,
+    errors::PolyIOPErrors, perm_check::util::compute_prod_0, structs::IOPProof, utils::get_index,
+    PolyIOP, VirtualPolynomial, ZeroCheck,
 };
 use ark_ff::PrimeField;
 use ark_poly::DenseMultilinearExtension;
 use ark_std::{end_timer, start_timer};
 use std::rc::Rc;
+use transcript::IOPTranscript;
 
 pub mod util;
 
@@ -221,7 +222,7 @@ impl<F: PrimeField> PermutationCheck<F> for PolyIOP<F> {
         prod_x_binding: &F,
     ) -> Result<(), PolyIOPErrors> {
         if challenge.alpha.is_some() {
-            return Err(PolyIOPErrors::InvalidTranscript(
+            return Err(PolyIOPErrors::InvalidChallenge(
                 "alpha should not be sampled at the current stage".to_string(),
             ));
         }
@@ -268,7 +269,7 @@ impl<F: PrimeField> PermutationCheck<F> for PolyIOP<F> {
         let start = start_timer!(|| "compute all prod polynomial");
 
         if challenge.alpha.is_some() {
-            return Err(PolyIOPErrors::InvalidTranscript(
+            return Err(PolyIOPErrors::InvalidChallenge(
                 "alpha is already sampled".to_string(),
             ));
         }
@@ -372,7 +373,7 @@ impl<F: PrimeField> PermutationCheck<F> for PolyIOP<F> {
         let alpha = match challenge.alpha {
             Some(p) => p,
             None => {
-                return Err(PolyIOPErrors::InvalidTranscript(
+                return Err(PolyIOPErrors::InvalidChallenge(
                     "alpha is not sampled yet".to_string(),
                 ))
             },

poly-iop/src/prod_check/mod.rs

@@ -1,8 +1,9 @@
 //! Main module for the Permutation Check protocol
 
-use crate::{errors::PolyIOPErrors, transcript::IOPTranscript, VirtualPolynomial, ZeroCheck};
+use crate::{errors::PolyIOPErrors, VirtualPolynomial, ZeroCheck};
 use ark_ff::PrimeField;
 use ark_poly::DenseMultilinearExtension;
+use transcript::IOPTranscript;
 
 /// A ProductCheck is derived from ZeroCheck.
 ///

poly-iop/src/structs.rs

@@ -2,17 +2,18 @@
 
 use crate::VirtualPolynomial;
 use ark_ff::PrimeField;
+use ark_serialize::{CanonicalSerialize, SerializationError, Write};
 
 /// An IOP proof is a collections of messages from prover to verifier at each
 /// round through the interactive protocol.
-#[derive(Clone, Debug, Default, PartialEq)]
+#[derive(Clone, Debug, Default, PartialEq, CanonicalSerialize)]
 pub struct IOPProof<F: PrimeField> {
     pub proofs: Vec<IOPProverMessage<F>>,
 }
 
 /// A message from the prover to the verifier at a given round
 /// is a list of evaluations.
-#[derive(Clone, Debug, Default, PartialEq)]
+#[derive(Clone, Debug, Default, PartialEq, CanonicalSerialize)]
 pub struct IOPProverMessage<F: PrimeField> {
     pub(crate) evaluations: Vec<F>,
 }

poly-iop/src/sum_check/mod.rs

@@ -3,13 +3,13 @@
 use crate::{
     errors::PolyIOPErrors,
     structs::{IOPProof, IOPProverState, IOPVerifierState},
-    transcript::IOPTranscript,
     virtual_poly::{VPAuxInfo, VirtualPolynomial},
     PolyIOP,
 };
 use ark_ff::PrimeField;
 use ark_poly::DenseMultilinearExtension;
 use ark_std::{end_timer, start_timer};
+use transcript::IOPTranscript;
 
 mod prover;
 mod verifier;
@@ -160,7 +160,7 @@ impl<F: PrimeField> SumCheck<F> for PolyIOP<F> {
     ) -> Result<Self::Proof, PolyIOPErrors> {
         let start = start_timer!(|| "sum check prove");
 
-        transcript.append_aux_info(&poly.aux_info)?;
+        transcript.append_serializable_element(b"aux info", &poly.aux_info)?;
 
         let mut prover_state = IOPProverState::prover_init(poly)?;
         let mut challenge = None;
@@ -168,7 +168,7 @@ impl<F: PrimeField> SumCheck<F> for PolyIOP<F> {
         for _ in 0..poly.aux_info.num_variables {
             let prover_msg =
                 IOPProverState::prove_round_and_update_state(&mut prover_state, &challenge)?;
-            transcript.append_prover_message(&prover_msg)?;
+            transcript.append_serializable_element(b"prover msg", &prover_msg)?;
             prover_msgs.push(prover_msg);
             challenge = Some(transcript.get_and_append_challenge(b"Internal round")?);
         }
@@ -188,11 +188,11 @@ impl<F: PrimeField> SumCheck<F> for PolyIOP<F> {
     ) -> Result<Self::SumCheckSubClaim, PolyIOPErrors> {
         let start = start_timer!(|| "sum check verify");
 
-        transcript.append_aux_info(aux_info)?;
+        transcript.append_serializable_element(b"aux info", aux_info)?;
         let mut verifier_state = IOPVerifierState::verifier_init(aux_info);
         for i in 0..aux_info.num_variables {
             let prover_msg = proof.proofs.get(i).expect("proof is incomplete");
-            transcript.append_prover_message(prover_msg)?;
+            transcript.append_serializable_element(b"prover msg", prover_msg)?;
             IOPVerifierState::verify_round_and_update_state(
                 &mut verifier_state,
                 prover_msg,

poly-iop/src/sum_check/verifier.rs

@@ -4,11 +4,11 @@ use super::{SumCheckSubClaim, SumCheckVerifier};
 use crate::{
     errors::PolyIOPErrors,
     structs::{IOPProverMessage, IOPVerifierState},
-    transcript::IOPTranscript,
     virtual_poly::VPAuxInfo,
 };
 use ark_ff::PrimeField;
 use ark_std::{end_timer, start_timer};
+use transcript::IOPTranscript;
 
 #[cfg(feature = "parallel")]
 use rayon::iter::{IndexedParallelIterator, IntoParallelIterator, ParallelIterator};

poly-iop/src/transcript.rs

@@ -1,135 +0,0 @@
-//! Module for PolyIOP transcript.
-//! TODO(ZZ): move this module to HyperPlonk where the transcript will also be
-//! useful.
-//! TODO(ZZ): decide which APIs need to be public.
-
-use ark_ff::PrimeField;
-use ark_serialize::CanonicalSerialize;
-use merlin::Transcript;
-use std::marker::PhantomData;
-
-use crate::{errors::PolyIOPErrors, structs::IOPProverMessage, to_bytes, virtual_poly::VPAuxInfo};
-
-/// An IOP transcript consists of a Merlin transcript and a flag `is_empty` to
-/// indicate that if the transcript is empty.
-///
-/// It is associated with a prime field `F` for which challenges are generated
-/// over.
-///
-/// The `is_empty` flag is useful in the case where a protocol is initiated by
-/// the verifier, in which case the prover should start its phase by receiving a
-/// `non-empty` transcript.
-#[derive(Clone)]
-pub struct IOPTranscript<F: PrimeField> {
-    transcript: Transcript,
-    is_empty: bool,
-    #[doc(hidden)]
-    phantom: PhantomData<F>,
-}
-
-impl<F: PrimeField> IOPTranscript<F> {
-    /// Create a new IOP transcript.
-    pub fn new(label: &'static [u8]) -> Self {
-        Self {
-            transcript: Transcript::new(label),
-            is_empty: true,
-            phantom: PhantomData::default(),
-        }
-    }
-
-    // Append the message to the transcript.
-    pub fn append_message(
-        &mut self,
-        label: &'static [u8],
-        msg: &[u8],
-    ) -> Result<(), PolyIOPErrors> {
-        self.transcript.append_message(label, msg);
-        self.is_empty = false;
-        Ok(())
-    }
-
-    // Append the aux information for a virtual polynomial.
-    pub(crate) fn append_aux_info(&mut self, aux_info: &VPAuxInfo<F>) -> Result<(), PolyIOPErrors> {
-        let message = format!(
-            "max_mul {} num_var {}",
-            aux_info.max_degree, aux_info.num_variables
-        );
-        self.append_message(b"aux info", message.as_bytes())?;
-
-        Ok(())
-    }
-
-    // Append the message to the transcript.
-    pub fn append_field_element(
-        &mut self,
-        label: &'static [u8],
-        field_elem: &F,
-    ) -> Result<(), PolyIOPErrors> {
-        self.append_message(label, &to_bytes!(field_elem)?)
-    }
-
-    // Append the message to the transcript.
-    pub fn append_serializable_element<S: CanonicalSerialize>(
-        &mut self,
-        label: &'static [u8],
-        group_elem: &S,
-    ) -> Result<(), PolyIOPErrors> {
-        self.append_message(label, &to_bytes!(group_elem)?)
-    }
-
-    // Append a prover message to the transcript.
-    pub(crate) fn append_prover_message(
-        &mut self,
-        prover_message: &IOPProverMessage<F>,
-    ) -> Result<(), PolyIOPErrors> {
-        for e in prover_message.evaluations.iter() {
-            self.append_field_element(b"prover_message", e)?;
-        }
-        Ok(())
-    }
-
-    // Generate the challenge from the current transcript
-    // and append it to the transcript.
-    //
-    // The output field element is statistical uniform as long
-    // as the field has a size less than 2^384.
-    pub fn get_and_append_challenge(&mut self, label: &'static [u8]) -> Result<F, PolyIOPErrors> {
-        //  we need to reject when transcript is empty
-        if self.is_empty {
-            return Err(PolyIOPErrors::InvalidTranscript(
-                "transcript is empty".to_string(),
-            ));
-        }
-
-        let mut buf = [0u8; 64];
-        self.transcript.challenge_bytes(label, &mut buf);
-        let challenge = F::from_le_bytes_mod_order(&buf);
-        self.transcript
-            .append_message(label, &to_bytes!(&challenge)?);
-        Ok(challenge)
-    }
-
-    // Generate a list of challenges from the current transcript
-    // and append them to the transcript.
-    //
-    // The output field element are statistical uniform as long
-    // as the field has a size less than 2^384.
-    pub(crate) fn get_and_append_challenge_vectors(
-        &mut self,
-        label: &'static [u8],
-        len: usize,
-    ) -> Result<Vec<F>, PolyIOPErrors> {
-        //  we need to reject when transcript is empty
-        if self.is_empty {
-            return Err(PolyIOPErrors::InvalidTranscript(
-                "transcript is empty".to_string(),
-            ));
-        }
-
-        let mut res = vec![];
-        for _ in 0..len {
-            res.push(self.get_and_append_challenge(label)?)
-        }
-        Ok(res)
-    }
-}

poly-iop/src/virtual_poly.rs

@@ -4,6 +4,7 @@
 use crate::errors::PolyIOPErrors;
 use ark_ff::PrimeField;
 use ark_poly::{DenseMultilinearExtension, MultilinearExtension};
+use ark_serialize::{CanonicalSerialize, SerializationError, Write};
 use ark_std::{
     end_timer,
     rand::{Rng, RngCore},
@@ -51,7 +52,7 @@ pub struct VirtualPolynomial<F: PrimeField> {
     raw_pointers_lookup_table: HashMap<*const DenseMultilinearExtension<F>, usize>,
 }
 
-#[derive(Clone, Debug, Default, PartialEq)]
+#[derive(Clone, Debug, Default, PartialEq, CanonicalSerialize)]
 /// Auxiliary information about the multilinear polynomial
 pub struct VPAuxInfo<F: PrimeField> {
     /// max number of multiplicands in each product

poly-iop/src/zero_check/mod.rs

@@ -1,8 +1,9 @@
 //! Main module for the ZeroCheck protocol.
 
-use crate::{errors::PolyIOPErrors, sum_check::SumCheck, transcript::IOPTranscript, PolyIOP};
+use crate::{errors::PolyIOPErrors, sum_check::SumCheck, PolyIOP};
 use ark_ff::PrimeField;
 use ark_std::{end_timer, start_timer};
+use transcript::IOPTranscript;
 
 /// A zero check IOP subclaim for \hat f(x) is 0, consists of the following:
 ///   - the SubClaim from the SumCheck